From 7f9cc6a9a85e93c79a29af4178b855412e2b0ced Mon Sep 17 00:00:00 2001 From: Rafi594 Date: Sun, 3 Feb 2019 15:05:38 +0100 Subject: [PATCH 01/12] Add fail2ban --- conf/nginx.conf | 1 + scripts/experimental_helper.sh | 268 +++++++++++++++++++++++++++++++++ scripts/install | 5 + scripts/restore | 5 + scripts/upgrade | 5 + 5 files changed, 284 insertions(+) diff --git a/conf/nginx.conf b/conf/nginx.conf index 36617de..64873d7 100644 --- a/conf/nginx.conf +++ b/conf/nginx.conf @@ -5,6 +5,7 @@ location __PATH__/ { proxy_buffering off; fastcgi_param REMOTE_USER $remote_user; client_max_body_size 50M; + proxy_set_header X-Real-IP $remote_addr; # Force https if ($scheme = http) { diff --git a/scripts/experimental_helper.sh b/scripts/experimental_helper.sh index 600a653..7564ede 100644 --- a/scripts/experimental_helper.sh +++ b/scripts/experimental_helper.sh 
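Review bot: The new `proxy_set_header X-Real-IP $remote_addr;` is the right source for the address fail2ban will later ban, since it is nginx's own view of the peer and overwrites anything the client sent in that header, but it only helps if Gitea actually takes the address it logs from X-Real-IP, and nothing in this series configures that explicitly (patch 08 edits conf/app.ini without such a key). It is worth checking once on a test install that the `Failed authentication attempt for ... from` line shows the client address rather than 127.0.0.1; otherwise the jail either never matches or bans the proxy itself. A comment would keep the dependency visible: `# fail2ban bans the address Gitea logs; it must come from nginx ($remote_addr), never from a client-supplied header`. The `location` block continues outside the hunk.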
@@ -58,4 +58,272 @@ ynh_check_starting () { echo "" ynh_clean_check_starting +} + +# Fail2ban + +# Need also the helper https://github.com/YunoHost-Apps/Experimental_helpers/blob/master/ynh_handle_getopts_args/ynh_handle_getopts_args + +# Create a dedicated fail2ban config (jail and filter conf files) +# +# usage: ynh_add_fail2ban_config log_file filter [max_retry [ports]] +# | arg: -l, --logpath= - Log file to be checked by fail2ban +# | arg: -r, --failregex= - Failregex to be looked for by fail2ban +# | arg: -m, --max_retry= - Maximum number of retries allowed before banning IP address - default: 3 +# | arg: -p, --ports= - Ports blocked for a banned IP address - default: http,https +ynh_add_fail2ban_config () { + # Declare an array to define the options of this helper. + declare -Ar args_array=( [l]=logpath= [r]=failregex= [m]=max_retry= [p]=ports= ) + local logpath + local failregex + local max_retry + local ports + # Manage arguments with getopts + ynh_handle_getopts_args "$@" + max_retry=${max_retry:-3} + ports=${ports:-http,https} + + test -n "$logpath" || ynh_die "ynh_add_fail2ban_config expects a logfile path as first argument and received nothing." + test -n "$failregex" || ynh_die "ynh_add_fail2ban_config expects a failure regex as second argument and received nothing." 
+ + finalfail2banjailconf="/etc/fail2ban/jail.d/$app.conf" + finalfail2banfilterconf="/etc/fail2ban/filter.d/$app.conf" + ynh_backup_if_checksum_is_different "$finalfail2banjailconf" 1 + ynh_backup_if_checksum_is_different "$finalfail2banfilterconf" 1 + + sudo tee $finalfail2banjailconf <&2 + echo "WARNING${fail2ban_error#*WARNING}" >&2 + fi +} + +# Remove the dedicated fail2ban config (jail and filter conf files) +# +# usage: ynh_remove_fail2ban_config +ynh_remove_fail2ban_config () { + ynh_secure_remove "/etc/fail2ban/jail.d/$app.conf" + ynh_secure_remove "/etc/fail2ban/filter.d/$app.conf" + if [ "$(lsb_release --codename --short)" != "jessie" ]; then + systemctl reload fail2ban + else + systemctl restart fail2ban + fi +} + +# Internal helper design to allow helpers to use getopts to manage their arguments +# +# example: function my_helper() +# { +# declare -Ar args_array=( [a]=arg1= [b]=arg2= [c]=arg3 ) +# local arg1 +# local arg2 +# local arg3 +# ynh_handle_getopts_args "$@" +# +# [...] +# } +# my_helper --arg1 "val1" -b val2 -c +# +# usage: ynh_handle_getopts_args "$@" +# | arg: $@ - Simply "$@" to tranfert all the positionnal arguments to the function +# +# This helper need an array, named "args_array" with all the arguments used by the helper +# that want to use ynh_handle_getopts_args +# Be carreful, this array has to be an associative array, as the following example: +# declare -Ar args_array=( [a]=arg1 [b]=arg2= [c]=arg3 ) +# Let's explain this array: +# a, b and c are short options, -a, -b and -c +# arg1, arg2 and arg3 are the long options associated to the previous short ones. --arg1, --arg2 and --arg3 +# For each option, a short and long version has to be defined. +# Let's see something more significant +# declare -Ar args_array=( [u]=user [f]=finalpath= [d]=database ) +# +# NB: Because we're using 'declare' without -g, the array will be declared as a local variable. 
+# +# Please keep in mind that the long option will be used as a variable to store the values for this option. +# For the previous example, that means that $finalpath will be fill with the value given as argument for this option. +# +# Also, in the previous example, finalpath has a '=' at the end. That means this option need a value. +# So, the helper has to be call with --finalpath /final/path, --finalpath=/final/path or -f /final/path, the variable $finalpath will get the value /final/path +# If there's many values for an option, -f /final /path, the value will be separated by a ';' $finalpath=/final;/path +# For an option without value, like --user in the example, the helper can be called only with --user or -u. $user will then get the value 1. +# +# To keep a retrocompatibility, a package can still call a helper, using getopts, with positional arguments. +# The "legacy mode" will manage the positional arguments and fill the variable in the same order than they are given in $args_array. +# e.g. for `my_helper "val1" val2`, arg1 will be filled with val1, and arg2 with val2. +ynh_handle_getopts_args () { + # Manage arguments only if there's some provided + set +x + if [ $# -ne 0 ] + then + # Store arguments in an array to keep each argument separated + local arguments=("$@") + + # For each option in the array, reduce to short options for getopts (e.g. for [u]=user, --user will be -u) + # And built parameters string for getopts + # ${!args_array[@]} is the list of all keys in the array (A key is 'u' in [u]=user, user is a value) + local getopts_parameters="" + local key="" + for key in "${!args_array[@]}" + do + # Concatenate each keys of the array to build the string of arguments for getopts + # Will looks like 'abcd' for -a -b -c -d + # If the value of a key finish by =, it's an option with additionnal values. (e.g. 
--user bob or -u bob) + # Check the last character of the value associate to the key + if [ "${args_array[$key]: -1}" = "=" ] + then + # For an option with additionnal values, add a ':' after the letter for getopts. + getopts_parameters="${getopts_parameters}${key}:" + else + getopts_parameters="${getopts_parameters}${key}" + fi + # Check each argument given to the function + local arg="" + # ${#arguments[@]} is the size of the array + for arg in `seq 0 $(( ${#arguments[@]} - 1 ))` + do + # And replace long option (value of the key) by the short option, the key itself + # (e.g. for [u]=user, --user will be -u) + # Replace long option with = + arguments[arg]="${arguments[arg]//--${args_array[$key]}/-${key} }" + # And long option without = + arguments[arg]="${arguments[arg]//--${args_array[$key]%=}/-${key}}" + done + done + + # Read and parse all the arguments + # Use a function here, to use standart arguments $@ and be able to use shift. + parse_arg () { + # Read all arguments, until no arguments are left + while [ $# -ne 0 ] + do + # Initialize the index of getopts + OPTIND=1 + # Parse with getopts only if the argument begin by -, that means the argument is an option + # getopts will fill $parameter with the letter of the option it has read. + local parameter="" + getopts ":$getopts_parameters" parameter || true + + if [ "$parameter" = "?" ] + then + ynh_die "Invalid argument: -${OPTARG:-}" + elif [ "$parameter" = ":" ] + then + ynh_die "-$OPTARG parameter requires an argument." + else + local shift_value=1 + # Use the long option, corresponding to the short option read by getopts, as a variable + # (e.g. 
for [u]=user, 'user' will be used as a variable) + # Also, remove '=' at the end of the long option + # The variable name will be stored in 'option_var' + local option_var="${args_array[$parameter]%=}" + # If this option doesn't take values + # if there's a '=' at the end of the long option name, this option takes values + if [ "${args_array[$parameter]: -1}" != "=" ] + then + # 'eval ${option_var}' will use the content of 'option_var' + eval ${option_var}=1 + else + # Read all other arguments to find multiple value for this option. + # Load args in a array + local all_args=("$@") + + # If the first argument is longer than 2 characters, + # There's a value attached to the option, in the same array cell + if [ ${#all_args[0]} -gt 2 ]; then + # Remove the option and the space, so keep only the value itself. + all_args[0]="${all_args[0]#-${parameter} }" + # Reduce the value of shift, because the option has been removed manually + shift_value=$(( shift_value - 1 )) + fi + + # Then read the array value per value + for i in `seq 0 $(( ${#all_args[@]} - 1 ))` + do + # If this argument is an option, end here. + if [ "${all_args[$i]:0:1}" == "-" ] || [ -z "${all_args[$i]}" ] + then + # Ignore the first value of the array, which is the option itself + if [ "$i" -ne 0 ]; then + break + fi + else + # Declare the content of option_var as a variable. + eval ${option_var}="" + # Else, add this value to this option + # Each value will be separated by ';' + if [ -n "${!option_var}" ] + then + # If there's already another value for this option, add a ; before adding the new value + eval ${option_var}+="\;" + fi + eval ${option_var}+=\"${all_args[$i]}\" + shift_value=$(( shift_value + 1 )) + fi + done + fi + fi + + # Shift the parameter and its argument(s) + shift $shift_value + done + } + + # LEGACY MODE + # Check if there's getopts arguments + if [ "${arguments[0]:0:1}" != "-" ] + then + # If not, enter in legacy mode and manage the arguments as positionnal ones. + echo "! 
Helper used in legacy mode !" + for i in `seq 0 $(( ${#arguments[@]} -1 ))` + do + # Use getopts_parameters as a list of key of the array args_array + # Remove all ':' in getopts_parameters + getopts_parameters=${getopts_parameters//:} + # Get the key from getopts_parameters, by using the key according to the position of the argument. + key=${getopts_parameters:$i:1} + # Use the long option, corresponding to the key, as a variable + # (e.g. for [u]=user, 'user' will be used as a variable) + # Also, remove '=' at the end of the long option + # The variable name will be stored in 'option_var' + local option_var="${args_array[$key]%=}" + + # Store each value given as argument in the corresponding variable + # The values will be stored in the same order than $args_array + eval ${option_var}+=\"${arguments[$i]}\" + done + else + # END LEGACY MODE + # Call parse_arg and pass the modified list of args as an array of arguments. + parse_arg "${arguments[@]}" + fi + fi + set -x } \ No newline at end of file diff --git a/scripts/install b/scripts/install index 9fee527..7e86e05 100644 --- a/scripts/install +++ b/scripts/install @@ -94,6 +94,11 @@ ynh_replace_string "__ADMIN__" "$admin" ../conf/login_source.sql ynh_replace_string "__APP__" "$app" ../conf/login_source.sql ynh_mysql_connect_as "$dbuser" "$dbpass" "$dbname" < ../conf/login_source.sql +#================================================= +# SETUP FAIL2BAN +#================================================= +ynh_add_fail2ban_config "/var/log/$app/$app.log" ".*Failed authentication attempt for .* from " 5 + #================================================= # GENERIC FINALIZATION #================================================= diff --git a/scripts/restore b/scripts/restore index c3c06f5..b578fd5 100644 --- a/scripts/restore +++ b/scripts/restore 
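Review bot: `eval ${option_var}+=\"${all_args[$i]}\"`, `eval ${option_var}+="\;"`, `eval ${option_var}=1` and the legacy-mode `eval ${option_var}+=\"${arguments[$i]}\"` in ynh_handle_getopts_args re-parse every option value as shell code, so a value containing `"`, `$`, backticks or `;` (a password, or a regex such as the failregex handed to ynh_add_fail2ban_config) is expanded or mis-quoted instead of being stored verbatim; `printf -v "$option_var" ...` assigns through the variable name without a second parse. In the same loop `eval ${option_var}=""` runs once per value, so the `-n` test right after it is never true and a later value replaces the earlier one instead of being joined with `;` as the header comment promises; initialising once before the `for i` loop fixes that. The `sudo tee $finalfail2banjailconf` heredoc body in ynh_add_fail2ban_config is truncated in this copy of the hunk, so the generated jail and filter templates could not be reviewed.
```shell
# … unchanged: getopts call, error handling, option_var lookup …
if [ "${args_array[$parameter]: -1}" != "=" ]
then
    printf -v "$option_var" '%s' 1          # flag option: no eval of the variable name
else
    # … unchanged: all_args setup and trimming of the first cell …
    printf -v "$option_var" '%s' ''         # reset once, not once per value
    for i in `seq 0 $(( ${#all_args[@]} - 1 ))`
    do
        # … unchanged: stop at the next option, skipping the option itself at i == 0 …
        else
            if [ -n "${!option_var}" ]
            then
                printf -v "$option_var" '%s;' "${!option_var}"
            fi
            # Append verbatim; the value is never evaluated as shell code
            printf -v "$option_var" '%s%s' "${!option_var}" "${all_args[$i]}"
            shift_value=$(( shift_value + 1 ))
        fi
    done
fi
# … unchanged: shift, end of parse_arg, legacy-mode loop up to the assignment …
printf -v "$option_var" '%s%s' "${!option_var:-}" "${arguments[$i]}"
```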
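Review bot: The failregex `".*Failed authentication attempt for .* from "` passed to ynh_add_fail2ban_config contains no `<HOST>` tag, so unless the filter template written by the helper appends one itself (its heredoc is truncated in the helper hunk above, so this could not be confirmed) fail2ban has nothing to extract an address from and the jail is rejected or bans nothing. Gitea's message appears to end with the client address, so `".*Failed authentication attempt for .* from <HOST>"` looks like the intended form. The same argument is repeated in the scripts/restore and scripts/upgrade hunks of this patch and carried forward unchanged in patches 06 and 11. A quick check that a few failed logins on a test install actually trip the jail would settle it.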
@@ -48,6 +48,11 @@ ynh_mysql_connect_as "$dbuser" "$dbpass" "$dbname" < ./db.sql systemctl daemon-reload systemctl enable "$app".service +#================================================= +# SETUP FAIL2BAN +#================================================= +ynh_add_fail2ban_config "/var/log/$app/$app.log" ".*Failed authentication attempt for .* from " 5 + #================================================= # GENERIC FINALIZATION #================================================= diff --git a/scripts/upgrade b/scripts/upgrade index 54b53b6..575c94e 100644 --- a/scripts/upgrade +++ b/scripts/upgrade @@ -99,6 +99,11 @@ ynh_add_systemd_config # Modify Nginx configuration file and copy it to Nginx conf directory config_nginx +#================================================= +# SETUP FAIL2BAN +#================================================= +ynh_add_fail2ban_config "/var/log/$app/$app.log" ".*Failed authentication attempt for .* from " 5 + #================================================= # GENERIC FINALIZATION #================================================= From 9babd36be2e37904dc0113c43a78ed2262bd7a3e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Josu=C3=A9=20Tille?= Date: Thu, 1 Aug 2019 14:17:11 +0200 Subject: [PATCH 02/12] Update to gitea v1.9.0 --- conf/source/arm.src | 4 ++-- conf/source/arm_1.8.src | 5 +++++ conf/source/armv7.src | 4 ++-- conf/source/armv7_1.8.src | 8 ++++++++ conf/source/i386.src | 4 ++-- conf/source/i386_1.8.src | 5 +++++ conf/source/x86-64.src | 4 ++-- conf/source/x86-64_1.8.src | 5 +++++ manifest.json | 2 +- scripts/upgrade | 4 ++++ 10 files changed, 36 insertions(+), 9 deletions(-) create mode 100644 conf/source/arm_1.8.src create mode 100644 conf/source/armv7_1.8.src create mode 100644 conf/source/i386_1.8.src create mode 100644 conf/source/x86-64_1.8.src diff --git a/conf/source/arm.src b/conf/source/arm.src index 9d17643..ec5d91f 100644 --- a/conf/source/arm.src +++ b/conf/source/arm.src 
@@ -1,5 +1,5 @@ -SOURCE_URL=https://github.com/go-gitea/gitea/releases/download/v1.8.2/gitea-1.8.2-linux-arm-6 -SOURCE_SUM=38ab6c0ac42e87370238c2482432420ff509b5a03d964712a984d4d603bb4c97 +SOURCE_URL=https://github.com/go-gitea/gitea/releases/download/v1.9.0/gitea-1.9.0-linux-arm-6 +SOURCE_SUM=f2dff72ee94dd1c1bd2c067470469470ea079c47c07e862995cb85dc877ca389 SOURCE_SUM_PRG=sha256sum SOURCE_FILENAME=gitea SOURCE_EXTRACT=false diff --git a/conf/source/arm_1.8.src b/conf/source/arm_1.8.src new file mode 100644 index 0000000..d5005b9 --- /dev/null +++ b/conf/source/arm_1.8.src @@ -0,0 +1,5 @@ +SOURCE_URL=https://github.com/go-gitea/gitea/releases/download/v1.8.3/gitea-1.8.3-linux-arm-6 +SOURCE_SUM=920b74ec10be323e5dc684fe3b5c3b157bf6f1d6cca0ee1c4f9693f766d1574d +SOURCE_SUM_PRG=sha256sum +SOURCE_FILENAME=gitea +SOURCE_EXTRACT=false diff --git a/conf/source/armv7.src b/conf/source/armv7.src index faf17e7..a48f59b 100644 --- a/conf/source/armv7.src +++ b/conf/source/armv7.src @@ -1,8 +1,8 @@ # The armv7 build is brocken # See : https://github.com/go-gitea/gitea/issues/6700 # Use temporary the armv6 binary -SOURCE_URL=https://github.com/go-gitea/gitea/releases/download/v1.8.2/gitea-1.8.2-linux-arm-6 -SOURCE_SUM=38ab6c0ac42e87370238c2482432420ff509b5a03d964712a984d4d603bb4c97 +SOURCE_URL=https://github.com/go-gitea/gitea/releases/download/v1.9.0/gitea-1.9.0-linux-arm-6 +SOURCE_SUM=f2dff72ee94dd1c1bd2c067470469470ea079c47c07e862995cb85dc877ca389 SOURCE_SUM_PRG=sha256sum SOURCE_FILENAME=gitea SOURCE_EXTRACT=false diff --git a/conf/source/armv7_1.8.src b/conf/source/armv7_1.8.src new file mode 100644 index 0000000..918684d --- /dev/null +++ b/conf/source/armv7_1.8.src 
@@ -0,0 +1,8 @@ +# The armv7 build is brocken +# See : https://github.com/go-gitea/gitea/issues/6700 +# Use temporary the armv6 binary +SOURCE_URL=https://github.com/go-gitea/gitea/releases/download/v1.8.3/gitea-1.8.3-linux-arm-6 +SOURCE_SUM=920b74ec10be323e5dc684fe3b5c3b157bf6f1d6cca0ee1c4f9693f766d1574d +SOURCE_SUM_PRG=sha256sum +SOURCE_FILENAME=gitea +SOURCE_EXTRACT=false diff --git a/conf/source/i386.src b/conf/source/i386.src index fa9a6e6..be860f1 100644 --- a/conf/source/i386.src +++ b/conf/source/i386.src @@ -1,5 +1,5 @@ -SOURCE_URL=https://github.com/go-gitea/gitea/releases/download/v1.8.2/gitea-1.8.2-linux-386 -SOURCE_SUM=762ab39855958f61165a1332a34d2a227f527acdc3bf60aa91c5a3e4e4e906ce +SOURCE_URL=https://github.com/go-gitea/gitea/releases/download/v1.9.0/gitea-1.9.0-linux-386 +SOURCE_SUM=861125e85b95a90bb84279641ad60ee3c9570dd8b0d134d8419812ba7571af71 SOURCE_SUM_PRG=sha256sum SOURCE_FILENAME=gitea SOURCE_EXTRACT=false diff --git a/conf/source/i386_1.8.src b/conf/source/i386_1.8.src new file mode 100644 index 0000000..256641b --- /dev/null +++ b/conf/source/i386_1.8.src @@ -0,0 +1,5 @@ +SOURCE_URL=https://github.com/go-gitea/gitea/releases/download/v1.8.3/gitea-1.8.3-linux-386 +SOURCE_SUM=e58f4a88b01a4880f97ae32a92e869d978a434a9a876c6a3f4e4a5721e8c4bd6 +SOURCE_SUM_PRG=sha256sum +SOURCE_FILENAME=gitea +SOURCE_EXTRACT=false diff --git a/conf/source/x86-64.src b/conf/source/x86-64.src index 329b91f..5da34a0 100644 --- a/conf/source/x86-64.src +++ b/conf/source/x86-64.src @@ -1,5 +1,5 @@ -SOURCE_URL=https://github.com/go-gitea/gitea/releases/download/v1.8.2/gitea-1.8.2-linux-amd64 -SOURCE_SUM=a843f2fe526b62ad1e698b80f6193d8c42a3920b35542de014af44d1eb998141 +SOURCE_URL=https://github.com/go-gitea/gitea/releases/download/v1.9.0/gitea-1.9.0-linux-amd64 +SOURCE_SUM=8a2e02cee40086effd99058054af8fb1eee9344fad865e0c7292107833da78cc SOURCE_SUM_PRG=sha256sum SOURCE_FILENAME=gitea SOURCE_EXTRACT=false 
diff --git a/conf/source/x86-64_1.8.src b/conf/source/x86-64_1.8.src new file mode 100644 index 0000000..d5d2530 --- /dev/null +++ b/conf/source/x86-64_1.8.src @@ -0,0 +1,5 @@ +SOURCE_URL=https://github.com/go-gitea/gitea/releases/download/v1.8.3/gitea-1.8.3-linux-amd64 +SOURCE_SUM=7bb28b21cce4bdf0a24e6f6b21c064afa56d84904052dd55afdf59c419d49988 +SOURCE_SUM_PRG=sha256sum +SOURCE_FILENAME=gitea +SOURCE_EXTRACT=false diff --git a/manifest.json b/manifest.json index 37df4e4..b860b78 100644 --- a/manifest.json +++ b/manifest.json @@ -9,7 +9,7 @@ }, "url": "http://gitea.io", "license": "MIT", - "version": "1.8.0~ynh1", + "version": "1.9.0~ynh1", "maintainer": { "name": "rafi59", "email": "rafi59_dev@srvmaison.fr.nf" diff --git a/scripts/upgrade b/scripts/upgrade index 127e9bd..71cd1df 100644 --- a/scripts/upgrade +++ b/scripts/upgrade @@ -155,6 +155,10 @@ case $upstream_version in ynh_setup_source $final_path source/${architecture}_1.7 restart_gitea ;& +"1.7."* ) + ynh_setup_source $final_path source/${architecture}_1.8 + restart_gitea +;& esac # Install gitea From e84cd55ccb04cd316e78ca5fe628c66ffd0e105a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Josu=C3=A9=20Tille?= Date: Thu, 1 Aug 2019 15:03:05 +0200 Subject: [PATCH 03/12] Update requirement --- manifest.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/manifest.json b/manifest.json index 37df4e4..8731e41 100644 --- a/manifest.json +++ b/manifest.json @@ -20,7 +20,7 @@ "mysql" ], "requirements": { - "yunohost": ">= 2.7.9" + "yunohost": ">= 3.6.4" }, "arguments": { "install" : [ From 4f8a085d1ca4ec0bb4e71e2b4f4113a3262b729a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Josu=C3=A9=20Tille?= Date: Thu, 1 Aug 2019 15:06:04 +0200 Subject: [PATCH 04/12] Remove config in remove script --- scripts/remove | 3 +++ 1 file changed, 3 insertions(+) diff --git a/scripts/remove b/scripts/remove index 8207695..6ca92c1 100644 --- a/scripts/remove +++ b/scripts/remove 
@@ -45,4 +45,7 @@ ynh_remove_systemd_config # Remove monitor yunohost service remove "$app" +# Remove fail2ban config +ynh_remove_fail2ban_config + true # Do not fail if remove after install error From b91900cf6e7d78995d0e6e973c30cd3fbd9cbba8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Josu=C3=A9=20Tille?= Date: Thu, 1 Aug 2019 15:06:08 +0200 Subject: [PATCH 05/12] Clean code --- scripts/install | 2 -- scripts/restore | 2 -- scripts/upgrade | 4 +--- 3 files changed, 1 insertion(+), 7 deletions(-) diff --git a/scripts/install b/scripts/install index 016bd26..2d4f975 100644 --- a/scripts/install +++ b/scripts/install @@ -99,9 +99,7 @@ ynh_replace_string "__ADMIN__" "$admin" ../conf/login_source.sql ynh_replace_string "__APP__" "$app" ../conf/login_source.sql ynh_mysql_connect_as "$dbuser" "$dbpass" "$dbname" < ../conf/login_source.sql -#================================================= # SETUP FAIL2BAN -#================================================= ynh_add_fail2ban_config "/var/log/$app/$app.log" ".*Failed authentication attempt for .* from " 5 #================================================= diff --git a/scripts/restore b/scripts/restore index 60f8e96..3618823 100644 --- a/scripts/restore +++ b/scripts/restore @@ -54,9 +54,7 @@ ynh_mysql_connect_as "$dbuser" "$dbpass" "$dbname" < ./db.sql systemctl daemon-reload systemctl enable "$app".service -#================================================= # SETUP FAIL2BAN -#================================================= ynh_add_fail2ban_config "/var/log/$app/$app.log" ".*Failed authentication attempt for .* from " 5 #================================================= diff --git a/scripts/upgrade b/scripts/upgrade index 24b32a6..9526ab1 100644 --- a/scripts/upgrade +++ b/scripts/upgrade 
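Review bot: `ynh_remove_fail2ban_config` ends with `systemctl reload fail2ban` (or `restart` on jessie) with no fallback, so on a host where fail2ban is stopped or not installed the call fails and, if the remove script runs with `set -eu` or `ynh_abort_if_errors` (not visible in this hunk), removal aborts before the trailing `true # Do not fail if remove after install error` is reached. Since the helper deletes both config files before it touches systemctl, `ynh_remove_fail2ban_config || true` at this call site only masks the reload failure and keeps the remove script best-effort as the comment below intends; alternatively the `|| true` belongs on the systemctl call inside the helper, which is outside this hunk.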
@@ -157,12 +157,10 @@ case $upstream_version in ;& esac -# Install gitea +# Install gitea source ynh_setup_source $final_path source/$architecture -#================================================= # SETUP FAIL2BAN -#================================================= ynh_add_fail2ban_config "/var/log/$app/$app.log" ".*Failed authentication attempt for .* from " 5 #================================================= From 288aed693adcd1c753dd9ff6d0b692ccf7567def Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Josu=C3=A9=20Tille?= Date: Thu, 1 Aug 2019 15:08:31 +0200 Subject: [PATCH 06/12] Use getop for fail2ban --- scripts/install | 2 +- scripts/restore | 2 +- scripts/upgrade | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/scripts/install b/scripts/install index 2d4f975..f635a2e 100644 --- a/scripts/install +++ b/scripts/install @@ -100,7 +100,7 @@ ynh_replace_string "__APP__" "$app" ../conf/login_source.sql ynh_mysql_connect_as "$dbuser" "$dbpass" "$dbname" < ../conf/login_source.sql # SETUP FAIL2BAN -ynh_add_fail2ban_config "/var/log/$app/$app.log" ".*Failed authentication attempt for .* from " 5 +ynh_add_fail2ban_config --logpath "/var/log/$app/$app.log" --failregex ".*Failed authentication attempt for .* from " --max_retry 5 #================================================= # GENERIC FINALIZATION diff --git a/scripts/restore b/scripts/restore index 3618823..d2fedda 100644 --- a/scripts/restore +++ b/scripts/restore @@ -55,7 +55,7 @@ systemctl daemon-reload systemctl enable "$app".service # SETUP FAIL2BAN -ynh_add_fail2ban_config "/var/log/$app/$app.log" ".*Failed authentication attempt for .* from " 5 +ynh_add_fail2ban_config --logpath "/var/log/$app/$app.log" --failregex ".*Failed authentication attempt for .* from " --max_retry 5 #================================================= # GENERIC FINALIZATION diff --git a/scripts/upgrade b/scripts/upgrade index 9526ab1..04b45f5 100644 --- a/scripts/upgrade +++ b/scripts/upgrade 
@@ -161,7 +161,7 @@ esac ynh_setup_source $final_path source/$architecture # SETUP FAIL2BAN -ynh_add_fail2ban_config "/var/log/$app/$app.log" ".*Failed authentication attempt for .* from " 5 +ynh_add_fail2ban_config --logpath "/var/log/$app/$app.log" --failregex ".*Failed authentication attempt for .* from " --max_retry 5 #================================================= # GENERIC FINALIZATION From c734163ed7d05658cbaa31b3d28d3d0e85540486 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Josu=C3=A9=20Tille?= Date: Thu, 1 Aug 2019 15:32:59 +0200 Subject: [PATCH 07/12] Fix check starting service --- scripts/change_url | 3 ++- scripts/install | 5 +++-- scripts/restore | 3 ++- scripts/upgrade | 2 +- 4 files changed, 8 insertions(+), 5 deletions(-) diff --git a/scripts/change_url b/scripts/change_url index 87eea15..6486964 100644 --- a/scripts/change_url +++ b/scripts/change_url @@ -26,6 +26,7 @@ dbpass=$(ynh_app_setting_get "$app" mysqlpwd) admin=$(ynh_app_setting_get "$app" adminusername) key=$(ynh_app_setting_get "$app" secret_key) port=$(ynh_app_setting_get "$app" web_port) +upstream_version=$(ynh_app_setting_get $app upstream_version) #================================================= # STANDARD MODIFICATIONS @@ -50,7 +51,7 @@ config_nginx config_gitea # RELOAD services -ynh_systemd_action -l "Serving \[::\]:$port with pid" -p "systemd" -a restart +ynh_systemd_action -l "Gitea v$upstream_version built with GNU Make .*, go.* : bindata, sqlite, sqlite_unlock_notify" -p "systemd" -a restart -t 5 sleep 1 # Store the checksum with the 'INTERNAL_TOKEN' value. diff --git a/scripts/install b/scripts/install index 40deb45..3e6d8f1 100644 --- a/scripts/install +++ b/scripts/install 
@@ -19,6 +19,7 @@ domain=$YNH_APP_ARG_DOMAIN path_url=$(ynh_normalize_url_path $YNH_APP_ARG_PATH) admin=$YNH_APP_ARG_ADMIN is_public=$YNH_APP_ARG_IS_PUBLIC +upstream_version=$(ynh_app_upstream_version) # Check domain/path availability ynh_webpath_available $domain $path_url || ynh_die "$domain is not available as domain, please use an other domain." @@ -113,10 +114,10 @@ yunohost service add "$app" --log "/var/log/$app/$app.log" ynh_use_logrotate "/var/log/$app" # Save Version -ynh_app_setting_set $app upstream_version $(ynh_app_upstream_version) +ynh_app_setting_set $app upstream_version $upstream_version # Reload services -ynh_systemd_action -l "Serving \[::\]:$port with pid" -p "systemd" +ynh_systemd_action -l "Gitea v$upstream_version built with GNU Make .*, go.* : bindata, sqlite, sqlite_unlock_notify" -p "systemd" -t 5 sleep 1 # Store the checksum with the 'INTERNAL_TOKEN' value. diff --git a/scripts/restore b/scripts/restore index c13cf0d..8abb1d1 100644 --- a/scripts/restore +++ b/scripts/restore @@ -20,6 +20,7 @@ path_url=$(ynh_app_setting_get "$app" path) dbpass=$(ynh_app_setting_get "$app" mysqlpwd) admin=$(ynh_app_setting_get "$app" adminusername) port=$(ynh_app_setting_get "$app" web_port) +upstream_version=$(ynh_app_setting_get $app upstream_version) # Check domain/path availability with app helper ynh_webpath_available $domain $path_url || ynh_die "$domain is not available as domain, please use an other domain." @@ -69,5 +70,5 @@ yunohost service add "$app" --log /var/log/"$app"/"$app".log # Reload services systemctl reload nginx.service -ynh_systemd_action -l "Serving \[::\]:$port with pid" -p "systemd" +ynh_systemd_action -l "Gitea v$upstream_version built with GNU Make .*, go.* : bindata, sqlite, sqlite_unlock_notify" -p "systemd" -t 5 sleep 1 diff --git a/scripts/upgrade b/scripts/upgrade index 71cd1df..07ec290 100644 --- a/scripts/upgrade +++ b/scripts/upgrade 
@@ -178,7 +178,7 @@ ynh_app_setting_set $app upstream_version $(ynh_app_upstream_version) set_access_settings # Reload services -ynh_systemd_action -l "Serving \[::\]:$port with pid" -p "systemd" +ynh_systemd_action -l "Gitea v$upstream_version built with GNU Make .*, go.* : bindata, sqlite, sqlite_unlock_notify" -p "systemd" -t 5 sleep 1 # Store the checksum with the 'INTERNAL_TOKEN' value. From 9e2c149643a55a8215ab91ebca498050304a94cb Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Josu=C3=A9=20Tille?= Date: Mon, 5 Aug 2019 16:51:46 +0200 Subject: [PATCH 08/12] Change the log managment (also for fail2ban support) --- conf/app.ini | 25 ++++++++++++++++++++++++- scripts/change_url | 2 +- scripts/install | 2 +- scripts/restore | 2 +- scripts/upgrade | 2 +- 5 files changed, 28 insertions(+), 5 deletions(-) diff --git a/conf/app.ini b/conf/app.ini index e06c763..9d2f924 100644 --- a/conf/app.ini +++ b/conf/app.ini @@ -2,6 +2,7 @@ APP_NAME = Gitea RUN_USER = __APP__ RUN_MODE = prod + [database] DB_TYPE = mysql HOST = 127.0.0.1:3306 @@ -10,9 +11,12 @@ USER = __DB_USER__ PASSWD = __DB_PASSWORD__ SSL_MODE = disable PATH = data/gitea.db +LOG_SQL = false + [repository] ROOT = __REPOS_PATH__ FORCE_PRIVATE = false + [server] DOMAIN = __DOMAIN__ HTTP_PORT = __PORT__ @@ -22,11 +26,13 @@ SSH_PORT = __SSH_PORT_ OFFLINE_MODE = false APP_DATA_PATH = __DATA_PATH__ LANDING_PAGE = explore + [mailer] ENABLED = true HOST = 127.0.0.1:25 FROM = "Gitea" SKIP_VERIFY = true + [service] REGISTER_EMAIL_CONFIRM = false ENABLE_NOTIFY_MAIL = true 
@@ -35,16 +41,33 @@ ENABLE_CAPTCHA = false REQUIRE_SIGNIN_VIEW = false ENABLE_REVERSE_PROXY_AUTHENTICATION = false ENABLE_REVERSE_PROXY_AUTO_REGISTERATION = false + [picture] AVATAR_UPLOAD_PATH = __DATA_PATH__/avatars + [attachment] PATH = __DATA_PATH__/attachments + [session] PROVIDER = memory + [log] MODE = file -LEVEL = Warn +LEVEL = Info ROOT_PATH = /var/log/__APP__ + +REDIRECT_MACARON_LOG= true +MACARON = file + +ROUTER_LOG_LEVEL = Warn +ROUTER = file + +ENABLE_ACCESS_LOG = Warn +ACCESS = file + +ENABLE_XORM_LOG = Warn +XORM = file + [security] INSTALL_LOCK = true SECRET_KEY = __KEY__ diff --git a/scripts/change_url b/scripts/change_url index 6486964..cba3629 100644 --- a/scripts/change_url +++ b/scripts/change_url @@ -51,7 +51,7 @@ config_nginx config_gitea # RELOAD services -ynh_systemd_action -l "Gitea v$upstream_version built with GNU Make .*, go.* : bindata, sqlite, sqlite_unlock_notify" -p "systemd" -a restart -t 5 +ynh_systemd_action -l "Serving \[::\]:$port with pid" -p "/var/log/$app/gitea.log" -a restart sleep 1 # Store the checksum with the 'INTERNAL_TOKEN' value. diff --git a/scripts/install b/scripts/install index 3e6d8f1..ebcf97e 100644 --- a/scripts/install +++ b/scripts/install @@ -117,7 +117,7 @@ ynh_use_logrotate "/var/log/$app" ynh_app_setting_set $app upstream_version $upstream_version # Reload services -ynh_systemd_action -l "Gitea v$upstream_version built with GNU Make .*, go.* : bindata, sqlite, sqlite_unlock_notify" -p "systemd" -t 5 +ynh_systemd_action -l "Serving \[::\]:$port with pid" -p "/var/log/$app/gitea.log" sleep 1 # Store the checksum with the 'INTERNAL_TOKEN' value. diff --git a/scripts/restore b/scripts/restore index 8abb1d1..7bc7e3a 100644 --- a/scripts/restore +++ b/scripts/restore 
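Review bot: `ENABLE_ACCESS_LOG = Warn` and `ENABLE_XORM_LOG = Warn` assign a log level to keys that, in Gitea's `[log]` section, read as boolean switches (the router's level goes in `ROUTER_LOG_LEVEL`, which this hunk sets correctly), so these two lines most likely fall back to their defaults instead of enabling those sub-loggers; confirm against the Gitea version shipped here and use `true`/`false`, with the neighbouring `ACCESS = file` / `XORM = file` selecting the destination. Raising `LEVEL` from `Warn` to `Info` is presumably what makes the failed-authentication line reach `/var/log/__APP__/gitea.log` for fail2ban; a comment such as `; keep at Info: fail2ban depends on the failed-authentication line being logged` would stop a later cleanup from lowering it again. `LOG_SQL = false` in the `[database]` hunk above is a sound default, since SQL logging can write query parameters to disk.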
@@ -70,5 +70,5 @@ yunohost service add "$app" --log /var/log/"$app"/"$app".log # Reload services systemctl reload nginx.service -ynh_systemd_action -l "Gitea v$upstream_version built with GNU Make .*, go.* : bindata, sqlite, sqlite_unlock_notify" -p "systemd" -t 5 +ynh_systemd_action -l "Serving \[::\]:$port with pid" -p "/var/log/$app/gitea.log" sleep 1 diff --git a/scripts/upgrade b/scripts/upgrade index 07ec290..e112428 100644 --- a/scripts/upgrade +++ b/scripts/upgrade @@ -178,7 +178,7 @@ ynh_app_setting_set $app upstream_version $(ynh_app_upstream_version) set_access_settings # Reload services -ynh_systemd_action -l "Gitea v$upstream_version built with GNU Make .*, go.* : bindata, sqlite, sqlite_unlock_notify" -p "systemd" -t 5 +ynh_systemd_action -l "Serving \[::\]:$port with pid" -p "/var/log/$app/gitea.log" sleep 1 # Store the checksum with the 'INTERNAL_TOKEN' value. From f2e84f11223f7e8db2b4290fc53400b684af7378 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Josu=C3=A9=20Tille?= Date: Mon, 5 Aug 2019 22:58:17 +0200 Subject: [PATCH 09/12] Add timeout to 5 second, to bypass when the log was written before it was catched --- scripts/change_url | 2 +- scripts/install | 2 +- scripts/restore | 2 +- scripts/upgrade | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/scripts/change_url b/scripts/change_url index cba3629..088387b 100644 --- a/scripts/change_url +++ b/scripts/change_url @@ -51,7 +51,7 @@ config_nginx config_gitea # RELOAD services -ynh_systemd_action -l "Serving \[::\]:$port with pid" -p "/var/log/$app/gitea.log" -a restart +ynh_systemd_action -l "Serving \[::\]:$port with pid" -p "/var/log/$app/gitea.log" -a restart -t 10 sleep 1 # Store the checksum with the 'INTERNAL_TOKEN' value. diff --git a/scripts/install b/scripts/install index ebcf97e..93e6a92 100644 --- a/scripts/install +++ b/scripts/install 
@@ -117,7 +117,7 @@ ynh_use_logrotate "/var/log/$app" ynh_app_setting_set $app upstream_version $upstream_version # Reload services -ynh_systemd_action -l "Serving \[::\]:$port with pid" -p "/var/log/$app/gitea.log" +ynh_systemd_action -l "Serving \[::\]:$port with pid" -p "/var/log/$app/gitea.log" -t 10 sleep 1 # Store the checksum with the 'INTERNAL_TOKEN' value. diff --git a/scripts/restore b/scripts/restore index 7bc7e3a..9adcfb4 100644 --- a/scripts/restore +++ b/scripts/restore @@ -70,5 +70,5 @@ yunohost service add "$app" --log /var/log/"$app"/"$app".log # Reload services systemctl reload nginx.service -ynh_systemd_action -l "Serving \[::\]:$port with pid" -p "/var/log/$app/gitea.log" +ynh_systemd_action -l "Serving \[::\]:$port with pid" -p "/var/log/$app/gitea.log" -t 10 sleep 1 diff --git a/scripts/upgrade b/scripts/upgrade index e112428..d8928ad 100644 --- a/scripts/upgrade +++ b/scripts/upgrade @@ -178,7 +178,7 @@ ynh_app_setting_set $app upstream_version $(ynh_app_upstream_version) set_access_settings # Reload services -ynh_systemd_action -l "Serving \[::\]:$port with pid" -p "/var/log/$app/gitea.log" +ynh_systemd_action -l "Serving \[::\]:$port with pid" -p "/var/log/$app/gitea.log" -t 10 sleep 1 # Store the checksum with the 'INTERNAL_TOKEN' value. From b6dcf3d9c35514fb84f2addef3e20588e1650283 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Josu=C3=A9=20Tille?= Date: Sat, 7 Sep 2019 11:02:15 +0200 Subject: [PATCH 10/12] Fix log path --- scripts/install | 2 +- scripts/restore | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/scripts/install b/scripts/install index 93e6a92..74eb776 100644 --- a/scripts/install +++ b/scripts/install 
@@ -108,7 +108,7 @@ ynh_mysql_connect_as "$dbuser" "$dbpass" "$dbname" < ../conf/login_source.sql set_access_settings # Add gitea to YunoHost's monitored services -yunohost service add "$app" --log "/var/log/$app/$app.log" +yunohost service add "$app" --log "/var/log/$app/gitea.log" # Configure logrotate ynh_use_logrotate "/var/log/$app" diff --git a/scripts/restore b/scripts/restore index 9adcfb4..82bb8d4 100644 --- a/scripts/restore +++ b/scripts/restore @@ -66,7 +66,7 @@ set_permission ynh_use_logrotate "/var/log/$app" # Add gitea to YunoHost's monitored services -yunohost service add "$app" --log /var/log/"$app"/"$app".log +yunohost service add "$app" --log /var/log/"$app"/gitea.log # Reload services systemctl reload nginx.service From 6f65be494c5efa7fc19239b8e0d92b99e696b0a1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Josu=C3=A9=20Tille?= Date: Sat, 7 Sep 2019 11:05:06 +0200 Subject: [PATCH 11/12] Fix log path for fail2ban --- scripts/install | 2 +- scripts/restore | 2 +- scripts/upgrade | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/scripts/install b/scripts/install index f635a2e..73d1b0c 100644 --- a/scripts/install +++ b/scripts/install @@ -100,7 +100,7 @@ ynh_replace_string "__APP__" "$app" ../conf/login_source.sql ynh_mysql_connect_as "$dbuser" "$dbpass" "$dbname" < ../conf/login_source.sql # SETUP FAIL2BAN -ynh_add_fail2ban_config --logpath "/var/log/$app/$app.log" --failregex ".*Failed authentication attempt for .* from " --max_retry 5 +ynh_add_fail2ban_config --logpath "/var/log/$app/gitea.log" --failregex ".*Failed authentication attempt for .* from " --max_retry 5 #================================================= # GENERIC FINALIZATION diff --git a/scripts/restore b/scripts/restore index d2fedda..b2a1bb0 100644 --- a/scripts/restore +++ b/scripts/restore 
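Review bot: The failregex passed on the new scripts/install line, `.*Failed authentication attempt for .* from `, contains no `<HOST>` group, and nothing in the helper shown here appends one, so fail2ban has no capture to read the offending address from and will reject the filter or never ban anyone; the pattern Gitea's own documentation suggests ends with `from <HOST>`. I would change the three call sites to `--failregex ".*Failed authentication attempt for .* from <HOST>"` (the leading `.*` is redundant but harmless). Separately, when Gitea runs behind a reverse proxy the address it logs is only the real client's if Gitea is configured to trust the forwarded-IP header; otherwise the jail would target the proxy itself, which fail2ban's default ignoreip silently swallows, so this is worth verifying against app.ini before relying on the jail.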
@@ -55,7 +55,7 @@ systemctl daemon-reload systemctl enable "$app".service # SETUP FAIL2BAN -ynh_add_fail2ban_config --logpath "/var/log/$app/$app.log" --failregex ".*Failed authentication attempt for .* from " --max_retry 5 +ynh_add_fail2ban_config --logpath "/var/log/$app/gitea.log" --failregex ".*Failed authentication attempt for .* from " --max_retry 5 #================================================= # GENERIC FINALIZATION diff --git a/scripts/upgrade b/scripts/upgrade index 04b45f5..bbe0730 100644 --- a/scripts/upgrade +++ b/scripts/upgrade @@ -161,7 +161,7 @@ esac ynh_setup_source $final_path source/$architecture # SETUP FAIL2BAN -ynh_add_fail2ban_config --logpath "/var/log/$app/$app.log" --failregex ".*Failed authentication attempt for .* from " --max_retry 5 +ynh_add_fail2ban_config --logpath "/var/log/$app/gitea.log" --failregex ".*Failed authentication attempt for .* from " --max_retry 5 #================================================= # GENERIC FINALIZATION From a975fa6c539c41a690b332c4ed0f86f32ee1759f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Josu=C3=A9=20Tille?= Date: Sat, 7 Sep 2019 12:58:51 +0200 Subject: [PATCH 12/12] Fix helper ynh_backup_if_checksum_is_different --- scripts/experimental_helper.sh | 36 ++++++++++++++++++++++++++++++++++ 1 file changed, 36 insertions(+) diff --git a/scripts/experimental_helper.sh b/scripts/experimental_helper.sh index 6ce0371..060f3ab 100644 --- a/scripts/experimental_helper.sh +++ b/scripts/experimental_helper.sh 
@@ -393,3 +393,39 @@ ynh_handle_app_migration () { migration_process=1 fi } + +# Verify the checksum and backup the file if it's different +# This helper is primarily meant to allow to easily backup personalised/manually +# modified config files. +# +# $app should be defined when calling this helper +# +# usage: ynh_backup_if_checksum_is_different --file=file +# | arg: -f, --file - The file on which the checksum test will be perfomed. +# | ret: the name of a backup file, or nothing +# +# Requires YunoHost version 2.6.4 or higher. +ynh_backup_if_checksum_is_different () { + # Declare an array to define the options of this helper. + local legacy_args=f + declare -Ar args_array=( [f]=file= ) + local file + # Manage arguments with getopts + ynh_handle_getopts_args "$@" + + local checksum_setting_name=checksum_${file//[\/ ]/_} # Replace all '/' and ' ' by '_' + local checksum_value=$(ynh_app_setting_get --app=$app --key=$checksum_setting_name) + # backup_file_checksum isn't declare as local, so it can be reuse by ynh_store_file_checksum + backup_file_checksum="" + if [ -n "$checksum_value" ] + then # Proceed only if a value was stored into the app settings + if [ -e $file ] && ! echo "$checksum_value $file" | sudo md5sum -c --status + then # If the checksum is now different + backup_file_checksum="/home/yunohost.conf/backup/$file.backup.$(date '+%Y%m%d.%H%M%S')" + sudo mkdir -p "$(dirname "$backup_file_checksum")" + sudo cp -a "$file" "$backup_file_checksum" # Backup the current file + ynh_print_warn "File $file has been manually modified since the installation or last upgrade. So it has been duplicated in $backup_file_checksum" + echo "$backup_file_checksum" # Return the name of the backup file + fi + fi +}
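Review bot: `$file` is unquoted in `if [ -e $file ]`, while the checksum key built on the line above explicitly rewrites spaces in the path, so the helper anticipates paths with spaces yet would word-split and glob-expand on them at that test; every other use in the function quotes it. Change it to `if [ -e "$file" ] && ! echo "$checksum_value $file" | sudo md5sum -c --status`. It is also worth a comment that the copy made with `cp -a` keeps the source file's mode, which matters because the scripts' own comments say the checksum-tracked config carries the INTERNAL_TOKEN value, while the directories created by `mkdir -p` under /home/yunohost.conf/backup get the default umask.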