Merge pull request #28 from YunoHost-Apps/testing

Release v0.7.16.0~ynh1

README.md

@@ -1,29 +1,50 @@
-diaspora_ynh
-==========
+<!--
+N.B.: This README was automatically generated by https://github.com/YunoHost/apps/tree/master/tools/README-generator
+It shall NOT be edited by hand.
+-->
 
-[![Integration level](https://dash.yunohost.org/integration/diaspora.svg)](https://dash.yunohost.org/appci/app/diaspora) ![](https://ci-apps.yunohost.org/ci/badges/diaspora.status.svg) ![](https://ci-apps.yunohost.org/ci/badges/diaspora.maintain.svg)[![Shipped version](https://img.shields.io/github/v/release/yunohost-apps/diaspora_ynh)](https://github.com/yunohost-apps/diaspora_ynh/releases)
+# Diaspora for YunoHost
 
-[![Install diaspora with YunoHost](https://install-app.yunohost.org/install-with-yunohost.png)](https://install-app.yunohost.org/?app=diaspora)
+[![Integration level](https://dash.yunohost.org/integration/diaspora.svg)](https://dash.yunohost.org/appci/app/diaspora) ![](https://ci-apps.yunohost.org/ci/badges/diaspora.status.svg) ![](https://ci-apps.yunohost.org/ci/badges/diaspora.maintain.svg)  
+[![Install Diaspora with YunoHost](https://install-app.yunohost.org/install-with-yunohost.svg)](https://install-app.yunohost.org/?app=diaspora)
+
+*[Lire ce readme en français.](./README_fr.md)*
+
+> *This package allows you to install Diaspora quickly and simply on a YunoHost server.
+If you don't have YunoHost, please consult [the guide](https://yunohost.org/#/install) to learn how to install it.*
 
 ## Overview
 
-> *This package allow you to install diaspora* quickly and simply on a YunoHost server.  
-If you don't have YunoHost, please see [here](https://yunohost.org/#/install) to know how to install and enjoy it.*
+Distributed social networking service
+
+**Shipped version:** 0.7.16.0~ynh1
+
+
 
-**Shipped version:** 0.7.13.0
+## Disclaimers / important information
 
-Notes
---------------
+- There is currently no LDAP integration
+- the installation is very long, especially the frontend building step
+- As upstream doesn't support it, there is no possibility to change the endpoint/url of diaspora\*. Please choose it carefully!
 
-Before installing, you have to:
+## Documentation and resources
 
-- get a dedicated domain (must install under web root like **https://diaspora.example.com/** not **https://example.com/diaspora/**)
-- get a valid SSL certificate
+* Official app website: https://diasporafoundation.org/
+* Official user documentation: https://wiki.diasporafoundation.org/FAQ_for_users
+* Official admin documentation: https://wiki.diasporafoundation.org/FAQ_for_pod_maintainers
+* Upstream app code repository: https://github.com/diaspora/diaspora
+* YunoHost documentation for this app: https://yunohost.org/app_diaspora
+* Report a bug: https://github.com/YunoHost-Apps/diaspora_ynh/issues
 
-Installation effects:
+## Developer info
 
-- Thank you for being patient as deployment time can take up to about 1 hour (raspberry pi).
-- The installation directory can take up to 900MB and app start time can be take 5 minutes
+Please send your pull request to the [testing branch](https://github.com/YunoHost-Apps/diaspora_ynh/tree/testing).
 
+To try the testing branch, please proceed like that.
+```
+sudo yunohost app install https://github.com/YunoHost-Apps/diaspora_ynh/tree/testing --debug
+or
+sudo yunohost app upgrade diaspora -u https://github.com/YunoHost-Apps/diaspora_ynh/tree/testing --debug
+```
 
-Report a bug: https://github.com/YunoHost-Apps/diaspora_ynh/issues
+**More info regarding app packaging:** https://yunohost.org/packaging_apps

README_fr.md

@@ -0,0 +1,46 @@
+# Diaspora pour YunoHost
+
+[![Niveau d'intégration](https://dash.yunohost.org/integration/diaspora.svg)](https://dash.yunohost.org/appci/app/diaspora) ![](https://ci-apps.yunohost.org/ci/badges/diaspora.status.svg) ![](https://ci-apps.yunohost.org/ci/badges/diaspora.maintain.svg)  
+[![Installer Diaspora avec YunoHost](https://install-app.yunohost.org/install-with-yunohost.svg)](https://install-app.yunohost.org/?app=diaspora)
+
+*[Read this readme in english.](./README.md)*
+*[Lire ce readme en français.](./README_fr.md)*
+
+> *Ce package vous permet d'installer Diaspora rapidement et simplement sur un serveur YunoHost.
+Si vous n'avez pas YunoHost, regardez [ici](https://yunohost.org/#/install) pour savoir comment l'installer et en profiter.*
+
+## Vue d'ensemble
+
+Service de réseau social distribué
+
+**Version incluse :** 0.7.16.0~ynh1
+
+
+
+## Avertissements / informations importantes
+
+- Il n'y a pas d'intégration LDAP pour le moment.
+- L'installation est très longue, en particulier l'étape de build du frontend.
+- le projet amont ne supporte pas les changements d'url, ainsi l'application yunohost ne supporte pas non plus cette action.
+
+## Documentations et ressources
+
+* Site officiel de l'app : https://diasporafoundation.org/
+* Documentation officielle utilisateur : https://wiki.diasporafoundation.org/FAQ_for_users
+* Documentation officielle de l'admin : https://wiki.diasporafoundation.org/FAQ_for_pod_maintainers
+* Dépôt de code officiel de l'app : https://github.com/diaspora/diaspora
+* Documentation YunoHost pour cette app : https://yunohost.org/app_diaspora
+* Signaler un bug : https://github.com/YunoHost-Apps/diaspora_ynh/issues
+
+## Informations pour les développeurs
+
+Merci de faire vos pull request sur la [branche testing](https://github.com/YunoHost-Apps/diaspora_ynh/tree/testing).
+
+Pour essayer la branche testing, procédez comme suit.
+```
+sudo yunohost app install https://github.com/YunoHost-Apps/diaspora_ynh/tree/testing --debug
+ou
+sudo yunohost app upgrade diaspora -u https://github.com/YunoHost-Apps/diaspora_ynh/tree/testing --debug
+```
+
+**Plus d'infos sur le packaging d'applications :** https://yunohost.org/packaging_apps

check_process

@@ -10,15 +10,10 @@
 		setup_root=1
 		setup_nourl=0
 		upgrade=1
-		upgrade=1	from_commit=0.7.13.0-ynh1
-		upgrade=1	from_commit=0.7.13.0-ynh2
 		backup_restore=1
 		multi_instance=1
 		port_already_use=0
 		change_url=0 # not supported upstream
-;;; Levels
-	# If the level 5 (Package linter) is forced to 1. Please add justifications here.
-	Level 5=auto
 ;;; Options
 	Email=
 	Notification=none

conf/diaspora_sidekiq.service

@@ -9,5 +9,35 @@ WorkingDirectory=__FINALPATH__/diaspora
 ExecStart=/bin/bash -lc "bin/bundle exec sidekiq"
 Restart=always
 
+# Sandboxing options to harden security
+# Depending on specificities of your service/app, you may need to tweak these 
+# .. but this should be a good baseline
+# Details for these options: https://www.freedesktop.org/software/systemd/man/systemd.exec.html
+NoNewPrivileges=yes
+PrivateTmp=yes
+PrivateDevices=yes
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+RestrictNamespaces=yes
+RestrictRealtime=yes
+DevicePolicy=closed
+ProtectSystem=full
+ProtectControlGroups=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+LockPersonality=yes
+SystemCallFilter=~@clock @debug @module @mount @obsolete @reboot @setuid @swap
+
+# Denying access to capabilities that should not be relevant for webapps
+# Doc: https://man7.org/linux/man-pages/man7/capabilities.7.html
+CapabilityBoundingSet=~CAP_RAWIO CAP_MKNOD
+CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE
+CapabilityBoundingSet=~CAP_SYS_BOOT CAP_SYS_TIME CAP_SYS_MODULE CAP_SYS_PACCT
+CapabilityBoundingSet=~CAP_LEASE CAP_LINUX_IMMUTABLE CAP_IPC_LOCK
+CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_WAKE_ALARM
+CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG
+CapabilityBoundingSet=~CAP_MAC_ADMIN CAP_MAC_OVERRIDE
+CapabilityBoundingSet=~CAP_NET_ADMIN CAP_NET_BROADCAST CAP_NET_RAW
+CapabilityBoundingSet=~CAP_SYS_ADMIN CAP_SYS_PTRACE CAP_SYSLOG 
+
 [Install]
 WantedBy=__APP__.target

conf/diaspora_web.service

@@ -11,5 +11,36 @@ ExecStart=/bin/bash -lc "bin/bundle exec unicorn -c config/unicorn.rb -E product
 ExecReload=/bin/kill -USR2 $MAINPID
 Restart=always
 
+# Sandboxing options to harden security
+# Depending on specificities of your service/app, you may need to tweak these 
+# .. but this should be a good baseline
+# Details for these options: https://www.freedesktop.org/software/systemd/man/systemd.exec.html
+NoNewPrivileges=yes
+PrivateTmp=yes
+PrivateDevices=yes
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+RestrictNamespaces=yes
+RestrictRealtime=yes
+DevicePolicy=closed
+ProtectSystem=full
+ProtectControlGroups=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+LockPersonality=yes
+SystemCallFilter=~@clock @debug @module @mount @obsolete @reboot @setuid @swap
+
+# Denying access to capabilities that should not be relevant for webapps
+# Doc: https://man7.org/linux/man-pages/man7/capabilities.7.html
+CapabilityBoundingSet=~CAP_RAWIO CAP_MKNOD
+CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE
+CapabilityBoundingSet=~CAP_SYS_BOOT CAP_SYS_TIME CAP_SYS_MODULE CAP_SYS_PACCT
+CapabilityBoundingSet=~CAP_LEASE CAP_LINUX_IMMUTABLE CAP_IPC_LOCK
+CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_WAKE_ALARM
+CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG
+CapabilityBoundingSet=~CAP_MAC_ADMIN CAP_MAC_OVERRIDE
+CapabilityBoundingSet=~CAP_NET_ADMIN CAP_NET_BROADCAST CAP_NET_RAW
+CapabilityBoundingSet=~CAP_SYS_ADMIN CAP_SYS_PTRACE CAP_SYSLOG 
+
+
 [Install]
 WantedBy=__APP__.target

doc/DISCLAIMER.md

@@ -0,0 +1,3 @@
+- There is currently no LDAP integration
+- the installation is very long, especially the frontend building step
+- As upstream doesn't support it, there is no possibility to change the endpoint/url of diaspora\*. Please choose it carefully!

doc/DISCLAIMER_fr.md

@@ -0,0 +1,3 @@
+- Il n'y a pas d'intégration LDAP pour le moment.
+- L'installation est très longue, en particulier l'étape de build du frontend.
+- le projet amont ne supporte pas les changements d'url, ainsi l'application yunohost ne supporte pas non plus cette action.

manifest.json

@@ -1,55 +1,52 @@
 {
-  "name": "Diaspora",
-  "id": "diaspora",
-  "url": "https://diasporafoundation.org",
-  "packaging_format": 1,
-  "description": {
-    "en": "Distributed social networking service",
-    "fr": "Service de réseau social distribué"
-  },
-  "license": "AGPL-3.0",
-  "version": "0.7.14.0~ynh1",
-  "maintainer": {
-    "name": "rafi59",
-    "email": ""
-  },
-  "requirements": {
-    "yunohost": ">= 3.7.0"
-  },
-  "multi_instance": true,
-  "services": [
-    "nginx",
-    "postgresql"
-     ],
-     "arguments": {
-       "install" : [
-         {
-           "name": "domain",
-           "type": "domain",
-           "ask": {
-             "en": "Choose a domain for diaspora* (it needs its own domain)",
-             "fr": "Choisissez un domaine pour diaspora* (diaspora* a besoin de son propre domaine)"
-           },
-           "example": "domain.org"
-         },
-         {
-           "name": "admin",
-           "type": "user",
-           "ask": {
-             "en": "Choose the diaspora* administrator (must be an existing YunoHost user)",
-             "fr": "Choisissez l'administrateur de diaspora* (doit être un utilisateur YunoHost)"
-           },
-           "example": "johndoe"
-         },
-         {
-           "name": "admin_password",
-           "type": "password",
-           "ask": {
-             "en": "Admin password. Must contain at least 10 characters, one lowercase letter, one uppercase letter, one number, and one symbol (e.g. '~!@#$%^&*()').",
-             "fr": "Mot de passe pour l’administrateur. Doit contenir au moins 10 caractères, une majuscule, une minuscule, un chiffre, et une ponctuation (ex. '~!@#$%^&*()')."
-           },
-           "optional": false
-         }
-       ]
-     }
+    "name": "Diaspora",
+    "id": "diaspora",
+    "packaging_format": 1,
+    "description": {
+        "en": "Distributed social networking service",
+        "fr": "Service de réseau social distribué"
+    },
+    "version": "0.7.16.0~ynh1",
+    "url": "https://diasporafoundation.org",
+    "upstream": {
+        "license": "AGPL-3.0",
+        "website": "https://diasporafoundation.org/",
+        "admindoc": "https://wiki.diasporafoundation.org/FAQ_for_pod_maintainers",
+        "userdoc": "https://wiki.diasporafoundation.org/FAQ_for_users",
+        "code": "https://github.com/diaspora/diaspora"
+    },
+    "license": "AGPL-3.0",
+    "maintainer": {
+        "name": "rafi59",
+        "email": ""
+    },
+    "requirements": {
+        "yunohost": ">= 4.3.0"
+    },
+    "multi_instance": true,
+    "services": [
+        "nginx",
+        "postgresql"
+    ],
+    "arguments": {
+        "install" : [
+            {
+                "name": "domain",
+                "type": "domain"
+            },
+            {
+                "name": "admin",
+                "type": "user"
+            },
+            {
+                "name": "admin_password",
+                "type": "password",
+                "ask": {
+                    "en": "Admin password. Must contain at least 10 characters, one lowercase letter, one uppercase letter, one number, and one symbol (e.g. '~!@#$%^&*()').",
+                    "fr": "Mot de passe pour l’administrateur. Doit contenir au moins 10 caractères, une majuscule, une minuscule, un chiffre, et une ponctuation (ex. '~!@#$%^&*()')."
+                },
+                "optional": false
+            }
+        ]
+    }
 }

scripts/_common.sh

@@ -2,4 +2,4 @@
 pkg_dependencies="build-essential cmake libssl-dev libcurl4-dev libxml2-dev libxslt-dev imagemagick ghostscript curl libmagickwand-dev git libpq-dev redis-server nodejs postgresql bison "
 ruby_build_dependencies="bison libffi-dev libgdbm-dev libncurses5-dev libsqlite3-dev libyaml-dev pkg-config sqlite3 zlib1g-dev libgmp-dev libreadline-dev libssl-dev libjemalloc-dev"
 
-current_tag="v0.7.14.0"
+current_tag="v0.7.16.0"

scripts/backup

@@ -18,7 +18,7 @@ ynh_abort_if_errors
 #=================================================
 # LOAD SETTINGS
 #=================================================
-ynh_script_progression --message="Loading installation settings..."
+ynh_print_info --message="Loading installation settings..."
 
 app=$YNH_APP_INSTANCE_NAME
 
@@ -30,18 +30,21 @@ final_path=$(ynh_app_setting_get --app=$app --key=final_path)
 # clean folder
 ynh_secure_remove --file="$final_path/backup"
 mkdir -p $final_path/backup
+
 #=================================================
 # BACKUP DIASPORA DATABASE
 #=================================================
-ynh_script_progression --message="Backup Diaspora DB..." --weight=10
+ynh_print_info --message="Backup Diaspora DB..."
+
 db_pass=$(ynh_app_setting_get --app=$app --key=psqlpwd)
 dump_file="$final_path/backup/$app.dump"
 pg_dump -d "dbname=$app user=$app password=$db_pass host=localhost" -Fc -f $dump_file
 ynh_backup --src_path="$dump_file"
+
 #=================================================
 # BACKUP DIASPORA UPLOADS
 #=================================================
-ynh_script_progression --message="Backup uploads..." --weight=10
+
 if [ -x $final_path/diaspora/public/uploads ]; then
   ynh_backup --src_path="$final_path/diaspora/public/uploads"
 else
@@ -51,11 +54,11 @@ fi
 #=================================================
 # BACKUP CONF FILES
 #=================================================
-ynh_script_progression --message="Backup configuration files of Diaspora..."
+
 ynh_backup --src_path="$final_path/diaspora/config/database.yml"
 ynh_backup --src_path="$final_path/diaspora/config/diaspora.yml"
 
 #=================================================
 # END OF SCRIPT
 #=================================================
-ynh_script_progression --message="Backup script completed for $app. (YunoHost will then actually copy those files to the archive)." --last
+ynh_print_info --message="Backup script completed for $app. (YunoHost will then actually copy those files to the archive)."