This git-repo contains the files needed to create accompanying RPM files for CentOS/RHEL8 (el8).
The compiled SElinux policy module should also work on Fedora, and maybe even earlier versions of CentOS.
A complete version of the resulting RPM file can be found in my technoholics-repo: https://dev.techno.holics.at/technoholics-repo/
- Download technoholics-repo-release-20210620-1.el8.noarch.rpm
- Install access to the techno.holics.at repository:
yum install https://dev.techno.holics.at/technoholics-repo/el8/technoholics-repo-release-20210620-1.el8.noarch.rpm
- If needed, the gpg key used for signing the RPM packages can be found here: https://dev.techno.holics.at/holics-repo/RPM-GPG-KEY-holicsrepo
- Now install the calibre-server_selinux and preferably also the calibre-server-utils packages:
yum install calibre-server_selinux calibre-server-utils
- Now follow the instructions under FIRST SETUP as needed.
This selinux policy module can be used in two modes:
- more secure: calibre and its data run in /opt/calibre/ and /opt/home/calibre/ respectively; tmp files go into the locked-down, calibre-only /opt/home/calibre/tmp/
- much less secure: calibre runs in /home/calibre/ and /home//Calibre Library respectively; tmp files go into the systemwide /tmp/
- Setup directories:
mkdir -p /opt/home/calibre/{.cache,.config,tmp,"Calibre Library"}/ /opt/calibre/
To use calibre-only temp files:
mkdir -p /opt/home/calibre/tmp
Alternatively you can put these in /opt/calibre/tmp/ .
- Create an environment file, to be included in the init script or SystemD unit file, that points to the temp directory Calibre should use:
cat<<EOF >/etc/sysconfig/calibre-server
TEMP="/opt/home/calibre/tmp"
EOF
Nothing to do.
Example SystemD unit file:
cat<<EOF > /etc/systemd/system/calibre-server.service
[Unit]
Description=Calibre server headless edition
#After=remote-fs.target
After=network-online.target time-sync.target
Wants=network-online.target
[Service]
Type=simple
User=calibre
#Restart=yes
TimeoutSec=5min
IgnoreSIGPIPE=no
KillMode=process
GuessMainPID=no
RemainAfterExit=yes
#SuccessExitStatus=5 6
EnvironmentFile=/etc/sysconfig/calibre-server
WorkingDirectory=/opt/home/calibre/Calibre Library/
ExecStart=/opt/calibre/calibre-server --port=9080 --log=/var/log/calibre-server.log "/opt/home/calibre/Calibre Library/"
[Install]
WantedBy=multi-user.target
EOF
Remember to adapt the WorkingDirectory and ExecStart parameters if your Calibre Library is not in /opt/home/calibre/Calibre Library/.
.. and activate the new SystemD unit file by reloading the daemon:
systemctl daemon-reload
- Reset SElinux contexts on the affected directories (also useful for debugging, i.e. if something that should work doesn't work)
restorecon -vR /opt/ /home/
- Restart calibre-server
service calibre-server restart
- Test your calibre-server by pointing your browser to: http://your.hostname:9080/ Calibre should be shown to you.
You can now be done with this.
- Or you can alternatively hide your calibre-server from direct internet access by setting up a reverse proxy (Apache or NginX) in front of it.
For Apache, your configuration would presumably have to be extended like so:
cat<<EOF >> yourconf.conf
AllowEncodedSlashes On
ProxyPass "/" "http://127.0.0.1:9080/"
ProxyPassReverse "/" "http://127.0.0.1:9080/"
EOF
- If you also want to password-protect the calibre instance, you can add this to your virtualhost configuration:
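cat<<EOF >> yourconf.conf
# Authentication directives are only valid inside a container such as <Location>
<Location "/">
Allow from all
AuthType Basic
AuthName "Calibre-auth"
AuthUserFile /etc/httpd/.htpasswd.users
Require user calibre
</Location>
EOF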
Remember to create a user in /etc/httpd/.htpasswd.users by using the htpasswd command (add -c on the first run, when the file does not exist yet):
htpasswd /etc/httpd/.htpasswd.users calibre
Congrats, you now should have a better secured calibre-server instance running with SElinux and HTTP Basic authentication behind a reverse proxy!
Do not put anything of value in /opt/calibre/ !
The default update script under https://download.calibre-ebook.com/linux-installer.sh will happily delete /opt/calibre/ completely and start from scratch, even if it means killing the installer itself.
It is a mean script of the type "let's hope no one ever roots my webserver and adds stuff to the installer script.. or edits calibre files manually".
Creating an rpm, deb, etc. would have been much better.. or if everything else fails, at least they could have used npm.
Thus for now, be very wary of using the original calibre-update script on any machine you still want to use later on.
The following script MIGHT do things a little more safely.
This file should be at /opt/calibre/calibre-update.sh after installing the SElinux module.
This file should be at /opt/calibre/calibre_safer_installer.patch after installing the SElinux module.
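The warning above is about running an installer that can change on the server between two runs without anyone noticing. As an added example (this is not the repository's calibre-update.sh), the following wrapper downloads the installer to a file, compares it with a SHA-256 that the administrator pinned after reading it, and runs it only on a match; PINNED_SHA256 and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not the repository's calibre-update.sh.
# PINNED_SHA256 is an assumption: the admin records it after reading a
# downloaded copy of the installer, and re-pins after reviewing each new one.
INSTALLER_URL="https://download.calibre-ebook.com/linux-installer.sh"
PINNED_SHA256="${PINNED_SHA256:-REPLACE_WITH_SHA256_OF_REVIEWED_INSTALLER}"

# Print the lower-case SHA-256 hex digest of a file.
sha256_of() {
    sha256sum "$1" | cut -d' ' -f1 | tr 'A-F' 'a-f'
}

# Return 0 only if the file exists and its digest equals the expected one.
verify_pinned_sha256() {
    [ -f "$1" ] || return 2
    [ "$(sha256_of "$1")" = "$(printf '%s' "$2" | tr 'A-F' 'a-f')" ]
}

# Download to a private temp file, verify it, and only then execute it.
# The body runs in a subshell so the trap and variables stay local.
run_verified_installer() (
    tmp="$(mktemp)" || exit 1
    trap 'rm -f "$tmp"' EXIT
    curl --fail --silent --show-error --proto '=https' \
         --output "$tmp" "$INSTALLER_URL" || exit 1
    if ! verify_pinned_sha256 "$tmp" "$PINNED_SHA256"; then
        echo "installer digest $(sha256_of "$tmp") does not match the pin;" \
             "review the new script before re-pinning" >&2
        exit 3
    fi
    sh "$tmp"
)

# Runs only when asked to, so sourcing the file just defines the functions.
if [ "${1:-}" = "--run" ]; then
    run_verified_installer
fi
```

A mismatch is the expected result whenever upstream publishes a new installer, so a failed check means "read the new script", not "retry".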