makary/my_webapp_ynh
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Optionnal sftp

Browse source
This commit is contained in:
Maniack Crudelis 2020-03-25 20:44:32 +01:00
parent 6e33fd4c24
commit f2e31fa492
8 changed files with 170 additions and 53 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

50
conf/ssh_regenconf_hook Normal file
View file

@ -0,0 +1,50 @@
#!/bin/bash
force=${2:-0} # 0/1 --force argument
dryrun=${3:-0} # 0/1 --dry-run argument
pending_conf=$4 # Path of the pending conf file
# https://github.com/YunoHost/yunohost/blob/c7eaeca6486e6240c832b8863791f8b03520a0f0/data/hooks/conf_regen/43-dnsmasq
do_pre_regen() {
if [ $dryrun -eq 0 ]
then
# Remove added lines into the sshd config
sed -i "/##-> __APP__/,/##<- __APP__/d" /etc/ssh/sshd_config
fi
}
do_post_regen() {
# Harden SSH connection for the user
if ! grep --quiet "^##-> __APP__$" /etc/ssh/sshd_config
then
echo "##-> __APP__
# Hardening user connection
Match User __USER__
ChrootDirectory %h
ForceCommand internal-sftp
AllowTcpForwarding no
PermitTunnel no
X11Forwarding no
PasswordAuthentication yes
##<- __APP__" | tee -a "/etc/ssh/sshd_config" >/dev/null
# Reload sshd
systemctl reload ssh
fi
}
case "$1" in
pre)
do_pre_regen
;;
post)
do_post_regen
;;
*)
echo "Hook called with unknown argument \`$1'" >&2
exit 1
;;
esac
exit 0

10
manifest.json
View file

@ -42,9 +42,19 @@
"example": "/site", "example": "/site",
"default": "/site" "default": "/site"
}, },
{
"name": "with_sftp",
"type": "boolean",
"ask": {
"en": "Do you need a SFTP access?",
"fr": "Avez-vous besoin d'un accès SFTP ?"
},
"default": true
},
{ {
"name": "password", "name": "password",
"type": "password", "type": "password",
"optional": true,
"ask": { "ask": {
"en": "Set the password for the SFTP access. ≥ 5 character", "en": "Set the password for the SFTP access. ≥ 5 character",
"fr": "Définissez le mot de passe pour l'accès SFTP. ≥ cinq charactères" "fr": "Définissez le mot de passe pour l'accès SFTP. ≥ cinq charactères"

12
scripts/backup
View file

@ -27,6 +27,7 @@ final_path=$(ynh_app_setting_get --app=$app --key=final_path)
domain=$(ynh_app_setting_get --app=$app --key=domain) domain=$(ynh_app_setting_get --app=$app --key=domain)
db_name=$(ynh_app_setting_get --app=$app --key=db_name) db_name=$(ynh_app_setting_get --app=$app --key=db_name)
with_mysql=$(ynh_app_setting_get --app=$app --key=with_mysql) with_mysql=$(ynh_app_setting_get --app=$app --key=with_mysql)
with_sftp=$(ynh_app_setting_get --app=$app --key=with_sftp)
#================================================= #=================================================
# STANDARD BACKUP STEPS # STANDARD BACKUP STEPS
@ -60,6 +61,17 @@ if [ $with_mysql -eq 1 ]; then
ynh_mysql_dump_db --database="$db_name" > db.sql ynh_mysql_dump_db --database="$db_name" > db.sql
fi fi
#=================================================
# BACKUP SPECIFIC FILES
#=================================================
if [ $with_sftp -eq 1 ]
then
ynh_script_progression --message="Backup specific files..."
ynh_backup "/usr/share/yunohost/hooks/conf_regen/90-ssh_$app"
fi
#================================================= #=================================================
# END OF SCRIPT # END OF SCRIPT
#================================================= #=================================================

56
scripts/install
View file

@ -24,6 +24,7 @@ ynh_abort_if_errors
domain=$YNH_APP_ARG_DOMAIN domain=$YNH_APP_ARG_DOMAIN
path_url=$YNH_APP_ARG_PATH path_url=$YNH_APP_ARG_PATH
password=$YNH_APP_ARG_PASSWORD password=$YNH_APP_ARG_PASSWORD
with_sftp=$YNH_APP_ARG_WITH_SFTP
is_public=$YNH_APP_ARG_IS_PUBLIC is_public=$YNH_APP_ARG_IS_PUBLIC
with_mysql=$YNH_APP_ARG_WITH_MYSQL with_mysql=$YNH_APP_ARG_WITH_MYSQL
@ -39,10 +40,13 @@ ynh_script_progression --message="Validating installation parameters..." --weigh
final_path=/var/www/$app final_path=/var/www/$app
test ! -e "$final_path" || ynh_die --message="This path already contains a folder" test ! -e "$final_path" || ynh_die --message="This path already contains a folder"
# Check password strength if [ $with_sftp -eq 1 ]
if [ ${#password} -le 5 ]
then then
ynh_die --message="The password is too weak, it must be longer than 5 characters" # Check password strength
if [ ${#password} -le 5 ]
then
ynh_die --message="The password is too weak, it must be longer than 5 characters"
fi
fi fi
# Register (book) web path # Register (book) web path
@ -58,7 +62,7 @@ ynh_app_setting_set --app=$app --key=domain --value=$domain
ynh_app_setting_set --app=$app --key=path --value=$path_url ynh_app_setting_set --app=$app --key=path --value=$path_url
ynh_app_setting_set --app=$app --key=is_public --value=$is_public ynh_app_setting_set --app=$app --key=is_public --value=$is_public
ynh_app_setting_set --app=$app --key=with_mysql --value=$with_mysql ynh_app_setting_set --app=$app --key=with_mysql --value=$with_mysql
ynh_app_setting_set --app=$app --key=password --value="$password" ynh_app_setting_set --app=$app --key=with_sftp --value=$with_sftp
ynh_app_setting_set --app=$app --key=user --value=$user ynh_app_setting_set --app=$app --key=user --value=$user
ynh_app_setting_set --app=$app --key=final_path --value=$final_path ynh_app_setting_set --app=$app --key=final_path --value=$final_path
@ -94,35 +98,47 @@ ynh_script_progression --message="Configuring system user..."
# Create a standard user (not a system user for sftp) # Create a standard user (not a system user for sftp)
ynh_system_user_exists --username=$user || \ ynh_system_user_exists --username=$user || \
useradd -d "$final_path" -M --user-group "$user" useradd -d "$final_path" -M --user-group "$user"
# Add the password to this user if [ $with_sftp -eq 1 ]
chpasswd <<< "${user}:${password}" then
# Add the password to this user
ynh_print_OFF; chpasswd <<< "${user}:${password}"; ynh_print_ON
ynh_print_OFF; ynh_app_setting_set --app=$app --key=password --value="$password"; ynh_print_ON
fi
#================================================= #=================================================
# SPECIFIC SETUP # SPECIFIC SETUP
#================================================= #=================================================
# CONFIGURE SSH # CONFIGURE SSH
#================================================= #=================================================
ynh_script_progression --message="Configuring ssh..." if [ $with_sftp -eq 1 ]
then
ynh_script_progression --message="Configuring ssh..."
# Harden SSH connection for the user cp -R ../conf/ssh_regenconf_hook /usr/share/yunohost/hooks/conf_regen/90-ssh_$app
echo "##-> ${app}
# Hardening user connection
Match User ${user}
ChrootDirectory %h
ForceCommand internal-sftp
AllowTcpForwarding no
PermitTunnel no
X11Forwarding no
##<- ${app}" | tee -a /etc/ssh/sshd_config >/dev/null
ynh_systemd_action --service_name=ssh --action=reload ynh_replace_string --match_string="__APP__" --replace_string="$app" --target_file=/usr/share/yunohost/hooks/conf_regen/90-ssh_$app
ynh_replace_string --match_string="__USER__" --replace_string="$user" --target_file=/usr/share/yunohost/hooks/conf_regen/90-ssh_$app
yunohost tools regen-conf ssh
fi
#================================================= #=================================================
# MODIFY A CONFIG FILE # MODIFY A CONFIG FILE
#================================================= #=================================================
ynh_replace_string --match_string="__DOMAIN__" --replace_string="$domain" --target_file=../sources/www/index.html mkdir -p "$final_path/www"
ynh_replace_string --match_string="__USER__" --replace_string="$user" --target_file=../sources/www/index.html
if [ $with_sftp -eq 1 ]
then
ynh_replace_string --match_string="__DOMAIN__" --replace_string="$domain" --target_file=../sources/www/index.html
ynh_replace_string --match_string="__USER__" --replace_string="$user" --target_file=../sources/www/index.html
# Copy files to the right place
cp "../sources/www/index.html" "$final_path/www/index.html"
else
# Copy files to the right place
cp "../sources/www/index_no_sftp.html" "$final_path/www/index.html"
fi
if [ $with_mysql -eq 1 ]; then if [ $with_mysql -eq 1 ]; then
# Store the database access # Store the database access

13
scripts/remove
View file

@ -18,6 +18,7 @@ app=$YNH_APP_INSTANCE_NAME
domain=$(ynh_app_setting_get --app=$app --key=domain) domain=$(ynh_app_setting_get --app=$app --key=domain)
with_mysql=$(ynh_app_setting_get --app=$app --key=with_mysql) with_mysql=$(ynh_app_setting_get --app=$app --key=with_mysql)
with_sftp=$(ynh_app_setting_get --app=$app --key=with_sftp)
user=$(ynh_app_setting_get --app=$app --key=user) user=$(ynh_app_setting_get --app=$app --key=user)
db_name=$(ynh_app_setting_get --app=$app --key=db_name) db_name=$(ynh_app_setting_get --app=$app --key=db_name)
@ -66,10 +67,16 @@ ynh_remove_fpm_config
#================================================= #=================================================
# REMOVE THE CUSTOM SSH CONFIG # REMOVE THE CUSTOM SSH CONFIG
#================================================= #=================================================
ynh_script_progression --message="Removing the custom ssh config"
sed -i "/##-> ${app}/,/##<- ${app}/d" /etc/ssh/sshd_config if [ $with_sftp -eq 1 ]
ynh_systemd_action --service_name=ssh --action=reload then
ynh_script_progression --message="Removing the custom ssh config..."
sed -i "/##-> ${app}/,/##<- ${app}/d" /etc/ssh/sshd_config
ynh_systemd_action --service_name=ssh --action=reload
# Remove regen-conf hook
ynh_secure_remove --file="/usr/share/yunohost/hooks/conf_regen/90-ssh_$app"
fi
#================================================= #=================================================
# GENERIC FINALIZATION # GENERIC FINALIZATION

30
scripts/restore
View file

@ -29,6 +29,7 @@ final_path=$(ynh_app_setting_get --app=$app --key=final_path)
db_name=$(ynh_app_setting_get --app=$app --key=db_name) db_name=$(ynh_app_setting_get --app=$app --key=db_name)
with_mysql=$(ynh_app_setting_get --app=$app --key=with_mysql) with_mysql=$(ynh_app_setting_get --app=$app --key=with_mysql)
password=$(ynh_app_setting_get --app=$app --key=password) password=$(ynh_app_setting_get --app=$app --key=password)
with_sftp=$(ynh_app_setting_get --app=$app --key=with_sftp)
user=$(ynh_app_setting_get --app=$app --key=user) user=$(ynh_app_setting_get --app=$app --key=user)
#================================================= #=================================================
@ -76,8 +77,14 @@ ynh_script_progression --message="Recreating the dedicated system user..." --wei
# Create a standard user (not a system user for sftp) # Create a standard user (not a system user for sftp)
ynh_system_user_exists --username=$user || \ ynh_system_user_exists --username=$user || \
useradd -d "$final_path" -M --user-group "$user" useradd -d "$final_path" -M --user-group "$user"
# Add the password to this user
chpasswd <<< "${user}:${password}" ynh_print_OFF
if [ -n "$password" ]
then
# Add the password to this user
chpasswd <<< "${user}:${password}"
fi
ynh_print_ON
#================================================= #=================================================
# RESTORE USER RIGHTS # RESTORE USER RIGHTS
@ -100,20 +107,15 @@ ynh_restore_file --origin_path="/etc/php/7.0/fpm/pool.d/$app.conf"
#================================================= #=================================================
# CONFIGURE SSH # CONFIGURE SSH
#================================================= #=================================================
ynh_script_progression --message="Configuring ssh..."
# Harden SSH connection for the user if [ $with_sftp -eq 1 ]
echo "##-> ${app} then
# Hardening user connection ynh_script_progression --message="Configuring ssh..."
Match User ${user}
ChrootDirectory %h
ForceCommand internal-sftp
AllowTcpForwarding no
PermitTunnel no
X11Forwarding no
##<- ${app}" | tee -a /etc/ssh/sshd_config >/dev/null
ynh_systemd_action --service_name=ssh --action=reload ynh_restore_file "/usr/share/yunohost/hooks/conf_regen/90-ssh_$app"
yunohost tools regen-conf ssh
fi
#================================================= #=================================================
# GENERIC FINALIZATION # GENERIC FINALIZATION

39
scripts/upgrade
View file

@ -24,6 +24,7 @@ final_path=$(ynh_app_setting_get --app=$app --key=final_path)
db_name=$(ynh_app_setting_get --app=$app --key=db_name) db_name=$(ynh_app_setting_get --app=$app --key=db_name)
with_mysql=$(ynh_app_setting_get --app=$app --key=with_mysql) with_mysql=$(ynh_app_setting_get --app=$app --key=with_mysql)
password=$(ynh_app_setting_get --app=$app --key=password) password=$(ynh_app_setting_get --app=$app --key=password)
with_sftp=$(ynh_app_setting_get --app=$app --key=with_sftp)
user=$(ynh_app_setting_get --app=$app --key=user) user=$(ynh_app_setting_get --app=$app --key=user)
admin_mail_html=$(ynh_app_setting_get --app=$app --key=admin_mail_html) admin_mail_html=$(ynh_app_setting_get --app=$app --key=admin_mail_html)
@ -69,6 +70,13 @@ if [ -z "$fpm_usage" ]; then
fpm_usage=low fpm_usage=low
ynh_app_setting_set --app=$app --key=fpm_usage --value=$fpm_usage ynh_app_setting_set --app=$app --key=fpm_usage --value=$fpm_usage
fi fi
# If with_sftp doesn't exist, create it
if [ -z "$with_sftp" ]; then
with_sftp=1
ynh_app_setting_set --app=$app --key=with_sftp --value=$with_sftp
fi
#================================================= #=================================================
# BACKUP BEFORE UPGRADE THEN ACTIVE TRAP # BACKUP BEFORE UPGRADE THEN ACTIVE TRAP
#================================================= #=================================================
@ -114,8 +122,11 @@ ynh_script_progression --message="Making sure dedicated system user exists..." -
# Create a standard user (not a system user for sftp) # Create a standard user (not a system user for sftp)
ynh_system_user_exists --username=$user || \ ynh_system_user_exists --username=$user || \
useradd -d "$final_path" -M --user-group "$user" useradd -d "$final_path" -M --user-group "$user"
# Add the password to this user if [ $with_sftp -eq 1 ]
chpasswd <<< "${user}:${password}" then
# Add the password to this user
ynh_print_OFF; chpasswd <<< "${user}:${password}"; ynh_print_ON
fi
# Change the user group for previous my_webapp install script # Change the user group for previous my_webapp install script
groupadd -f "$user" groupadd -f "$user"
@ -148,22 +159,18 @@ fi
#================================================= #=================================================
# CONFIGURE SSH # CONFIGURE SSH
#================================================= #=================================================
ynh_script_progression --message="Configuring ssh..." --time --weight=1
# Remove the previous config for upgrading it if [ $with_sftp -eq 1 ]
sed -i "/##-> ${app}/,/##<- ${app}/d" /etc/ssh/sshd_config then
# Harden SSH connection for the user ynh_script_progression --message="Configuring ssh..." --weight=1
echo "##-> ${app}
# Hardening user connection
Match User ${user}
ChrootDirectory %h
ForceCommand internal-sftp
AllowTcpForwarding no
PermitTunnel no
X11Forwarding no
##<- ${app}" | tee -a /etc/ssh/sshd_config >/dev/null
ynh_systemd_action --service_name=ssh --action=reload cp -R ../conf/ssh_regenconf_hook /usr/share/yunohost/hooks/conf_regen/90-ssh_$app
ynh_replace_string --match_string="__APP__" --replace_string="$app" --target_file=/usr/share/yunohost/hooks/conf_regen/90-ssh_$app
ynh_replace_string --match_string="__USER__" --replace_string="$user" --target_file=/usr/share/yunohost/hooks/conf_regen/90-ssh_$app
yunohost tools regen-conf ssh
fi
#================================================= #=================================================
# GENERIC FINALIZATION # GENERIC FINALIZATION

13
sources/www/index_no_sftp.html Normal file
View file

@ -0,0 +1,13 @@
<!DOCTYPE html>
<html>
<head>
<title>Custom Web App</title>
</head>
<body>
<h1>It works!</h1>
<p>Congratulation, you have just installed your custom web app.</p>
<p>As a reward, here is a random cat picture:</p>
<img src="https://thecatapi.com/api/images/get?format=src&type=gif">
</body>
</html>