From 008a113068fa8613c4560e1329b5de8dd7584b7a Mon Sep 17 00:00:00 2001 From: NorbiPeti Date: Tue, 28 May 2024 00:00:22 +0200 Subject: [PATCH] Fix reachability & prepare - Added placeholder Nginx configs for the subdomains - Added additional URLs to the SSO permissions
---
conf/nginx.groups.conf | 14 ++++++++++++++ conf/nginx.share.conf | 14 ++++++++++++++ manifest.toml | 11 ++++++++++- scripts/_common.sh | 17 +++++++++++++++-- scripts/install | 23 ++++++++++++----------- 5 files changed, 65 insertions(+), 14 deletions(-) create mode 100644 conf/nginx.groups.conf create mode 100644 conf/nginx.share.conf
diff --git a/conf/nginx.groups.conf b/conf/nginx.groups.conf
new file mode 100644
index 0000000..f0fc921
--- /dev/null
+++ b/conf/nginx.groups.conf
@@ -0,0 +1,14 @@
+location / { # TODO
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+
+ client_max_body_size 1M; # default is 1M
+
+ proxy_connect_timeout 10m;
+ proxy_send_timeout 10m;
+ proxy_read_timeout 10m;
+ send_timeout 10m;
+
+ proxy_pass http://127.0.0.1:__PORT__;
+}
\ No newline at end of file
diff --git a/conf/nginx.share.conf b/conf/nginx.share.conf
new file mode 100644
index 0000000..f0fc921
--- /dev/null
+++ b/conf/nginx.share.conf
@@ -0,0 +1,14 @@
+location / { # TODO
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+
+ client_max_body_size 1M; # default is 1M
+
+ proxy_connect_timeout 10m;
+ proxy_send_timeout 10m;
+ proxy_read_timeout 10m;
+ send_timeout 10m;
+
+ proxy_pass http://127.0.0.1:__PORT__;
+}
\ No newline at end of file
diff --git a/manifest.toml b/manifest.toml
index 1f66f96..0460ba9 100644
--- a/manifest.toml
+++ b/manifest.toml
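Review bot: `proxy_pass http://127.0.0.1:__PORT__;` in conf/nginx.groups.conf, and in conf/nginx.share.conf which is the same blob f0fc921, probably points at the wrong backend. The manifest change in this commit renames the 5280 entry to `http` and gives `main` a default of 80, and `__PORT__` presumably expands to the `main` port setting. If the subdomains are meant to reach the service on the `http` port, the line would be `proxy_pass http://127.0.0.1:__PORT_HTTP__;`; please confirm the placeholder name against the helper that fills the template. The `location / { # TODO` marker does not say what is still missing, so a comment naming what must be restricted before these pass-through proxies ship would make it actionable.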
@@ -39,6 +39,9 @@ ram.runtime = "50M" type = "email" ask.en = "Administrator E-mail" help.en = "Provide an E-mail address where users can contact you" + [install.init_main_permission] + type = "group" + default = "visitors" [resources] [resources.sources.main] @@ -50,6 +53,9 @@ ram.runtime = "50M" [resources.sources.prosody-modules] url = "https://hg.prosody.im/prosody-modules/archive/095030677ae6.tar.gz" sha256 = "8c2a51ef72cbe86a3b2a8e5c4d8656ee1d167f153223b481b5e8c4c5ed85f11d" + [resources.sources.snikket-portal] + url = "https://github.com/snikket-im/snikket-web-portal/archive/7c0310a141d45d71ccf4505f56267d2f4213ca08.tar.gz" + sha256 = "3b0afaf99c7360b5813cf7e10021827fa9bd13e40e169ef68004ffec3bb6fa92" [resources.system_user] @@ -67,10 +73,13 @@ ram.runtime = "50M" server.default=5269 server.exposed="TCP" server.fixed=true - main.default=5280 + http.default=5280 + main.default=80 # TODO: Need to remove/disable Metronome *before* installation starts because of the port allocation here [resources.permissions] + main.url = "/" + main.additional_urls = [ "groups.__DOMAIN__/", "share.__DOMAIN__/" ] [resources.apt] packages = "libicu-dev, libidn11-dev, libssl-dev, openssl, txt2man, lua-luaossl, lua-readline, dns-root-data, lua-dbi-sqlite3" diff --git a/scripts/_common.sh b/scripts/_common.sh index 2559035..599a569 100644 --- a/scripts/_common.sh +++ b/scripts/_common.sh 
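Review bot: `default = "visitors"` in the new `[install.init_main_permission]` table makes the main permission public unless the admin changes the answer at install time. A later hunk in this file widens that same permission to `/`, `groups.__DOMAIN__/` and `share.__DOMAIN__/`, so the default exposes all three hosts without SSO. If that is intended, a comment above the table stating the reason would record the decision, for example `# visitors: <why these endpoints must be reachable without SSO>`.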
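Review bot: `main.default=80` in the ports table requests a port that the web server on a YunoHost host normally already holds, so this default can presumably never be granted as written. The trailing TODO mentions Metronome but does not explain the choice of 80. If the value is a stand-in, say so, and move the remark onto its own line above the key, for example `# TODO: placeholder; port allocation conflicts until Metronome is disabled before install`. A long trailing comment on a value line is easy to miss.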
@@ -18,12 +18,25 @@ install_certificates() { domains=("$domain" "groups.$domain" "share.$domain") for d in "${domains[@]}" do - cp "/etc/yunohost/certs/$d/crt.pem" "/etc/snikket/certs/${d}.crt" - cp "/etc/yunohost/certs/$d/key.pem" "/etc/snikket/certs/${d}.key" + error_message="No certificate found for domain $d! Please set up the domain and install a Let's Encrypt certificate for it." + cp "/etc/yunohost/certs/$d/crt.pem" "/etc/snikket/certs/${d}.crt" || ynh_print_warn --message="$error_message" + cp "/etc/yunohost/certs/$d/key.pem" "/etc/snikket/certs/${d}.key" || ynh_print_warn --message="$error_message" done chown $app /etc/snikket/certs/* } +### Add Nginx configuration for other domains. This is necessary because at the moment Snikket requires two additional +### subdomains to function fully. Does not reload Nginx configuration. +### Usage: add_extra_nginx_config +add_extra_nginx_config() { + local extra_domain="$1" + local finalnginxconf="/etc/nginx/conf.d/$extra_domain.d/$app.conf" + + ynh_add_config --template="nginx.$extra_domain.conf" --destination="$finalnginxconf" + + ynh_store_file_checksum --file="$finalnginxconf" +} + #================================================= # EXPERIMENTAL HELPERS #================================================= diff --git a/scripts/install b/scripts/install index c15d10e..9187d01 100755 --- a/scripts/install +++ b/scripts/install 
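Review bot: `add_extra_nginx_config` uses its single argument both as the template suffix (`nginx.$extra_domain.conf`) and as the nginx per-domain directory (`/etc/nginx/conf.d/$extra_domain.d/`), and the two cannot both be right. The templates added in this commit are `nginx.groups.conf` and `nginx.share.conf`, while the hosts are `groups.$domain` and `share.$domain`, as in `install_certificates` above. Passing the short name and building the path as `local finalnginxconf="/etc/nginx/conf.d/$extra_domain.$domain.d/$app.conf"` resolves it, and the usage line should name the argument: `### Usage: add_extra_nginx_config <groups|share>`. No call to the function is visible in this patch. Separately, the copied `${d}.key` files keep whatever mode `cp` gives them and the `chown` line only changes the owner, so unless the directory is locked down elsewhere add `chmod 600 /etc/snikket/certs/*.key` after the `chown`.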
@@ -61,14 +61,15 @@ ynh_secure_remove --file="$builddir" ynh_script_progression --message="Adding Prosody configuration..." config_path=/etc/$app -ynh_app_setting_set --app=$app --key=config_path --value=$config_path -mkdir -p $config_path -mkdir -p $config_path/{certs,conf.avail,conf.d} -mkdir -p $config_path/firewall -# TODO: ynh_replace_string -sed -i -e 's#/snikket/prosody#/var/lib/snikket#g' "$snikketdir/ansible/files/prosody.cfg.lua" -sed -i -e 's#/var/run/prosody/prosody.pid#/var/run/snikket/prosody.pid#g' "$snikketdir/ansible/files/prosody.cfg.lua" -sed -i -e 's#/etc/prosody/#/etc/snikket/#g' "$snikketdir/ansible/files/prosody.cfg.lua" +ynh_app_setting_set --app=$app --key=config_path --value="$config_path" +mkdir -p "$config_path" +mkdir -p "$config_path"/{certs,conf.avail,conf.d} +mkdir -p "$config_path"/firewall + +prosody_config="$snikketdir/ansible/files/prosody.cfg.lua" +ynh_replace_string --match_string="/snikket/prosody" --replace_string="/var/lib/snikket" --target_file="$prosody_config" +ynh_replace_string --match_string="/var/run/prosody/prosody.pid" --replace_string="/var/run/snikket/prosody.pid" --target_file="$prosody_config" +ynh_replace_string --match_string="/etc/prosody/" --replace_string="/etc/snikket/" --target_file="$prosody_config" ynh_add_config --template="$snikketdir/ansible/files/prosody.cfg.lua" --destination="$config_path/prosody.cfg.lua" ynh_add_config --template="$snikketdir/ansible/files/restricted_users.pfw" --destination="$config_path/restricted_users.pfw" @@ -120,7 +121,7 @@ EOF #================================================= ynh_script_progression --message="Installing certificates..." -# Create a dedicated systemd config +# Install certificates for Prosody to use (taken from the web certs) install_certificates #================================================= 
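Review bot: In the first scripts/install hunk, the `ynh_add_config --template="$snikketdir/ansible/files/prosody.cfg.lua"` line still spells out the path that the new `prosody_config` variable holds. Writing it as `ynh_add_config --template="$prosody_config" --destination="$config_path/prosody.cfg.lua"` keeps the edited file and the installed template from drifting apart. `ynh_app_setting_set --app=$app` in the same hunk is left unquoted while the rest of the commit quotes `$app`.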
@@ -154,7 +155,7 @@ ynh_use_logrotate #================================================= ynh_script_progression --message="Integrating service in YunoHost..." -yunohost service add $app --description="Chat that is simple, secure, and private" --log="/var/log/$app/$app.log" +yunohost service add "$app" --description="Chat that is simple, secure, and private" --log="/var/log/$app/$app.log" #================================================= # START SYSTEMD SERVICE @@ -162,7 +163,7 @@ yunohost service add $app --description="Chat that is simple, secure, and privat ynh_script_progression --message="Starting a systemd service..." # Start a systemd service -ynh_systemd_action --service_name=$app --action="start" --log_path="/var/log/$app/$app.log" +ynh_systemd_action --service_name="$app" --action="start" --log_path="/var/log/$app/$app.log" #================================================= # END OF SCRIPT