diff --git a/conf/web.service b/conf/web.service
new file mode 100644
index 0000000..441a809
--- /dev/null
+++ b/conf/web.service
@@ -0,0 +1,75 @@
+[Unit]
+### see man systemd.unit
+Description=Snikket Web Server
+After=network.target remote-fs.target
+Documentation=https://snikket.org/service/help/
+
+[Service]
+### See man systemd.service ###
+# With this configuration, systemd takes care of daemonization
+# so Prosody should be configured with daemonize = false
+Type=simple
+
+# Not sure if this is needed for 'simple'
+RuntimeDirectory=snikket
+
+# Load environment file used by Snikket
+EnvironmentFile=/etc/snikket/environment
+
+# Start by executing the main executable
+ExecStart=__INSTALL_DIR__/snikket_web/.venv/bin/python3 -m hypercorn -b localhost:__PORT__ --access-logfile=- --log-file=- 'snikket_web:create_app()'
+
+ExecReload=/bin/kill -HUP $MAINPID
+
+# Restart on crashes
+Restart=on-abnormal
+
+# Set O_NONBLOCK flag on sockets passed via socket activation
+NonBlocking=true
+
+### See man systemd.exec ###
+
+WorkingDirectory=__INSTALL_DIR__
+
+User=__APP__
+Group=__APP__
+
+# Nice=0
+
+# Set stdin to /dev/null since Prosody does not need it
+StandardInput=null
+
+# Direct stdout/-err to journald for use with log = "*stdout"
+StandardOutput=journal
+StandardError=inherit
+
+# This usually defaults to 4k or so
+# LimitNOFILE=1M
+
+## Interesting protection methods
+# Finding a useful combo of these settings would be nice
+#
+# Needs read access to /etc/prosody for config
+# Needs write access to /var/lib/prosody for storing data (for internal storage)
+# Needs write access to /var/log/prosody for writing logs (depending on config)
+# Needs read access to code and libraries loaded
+
+# ReadWriteDirectories=/var/lib/prosody /var/log/prosody
+# InaccessibleDirectories=/boot /home /media /mnt /root /srv
+# ReadOnlyDirectories=/usr /etc/prosody
+
+# PrivateTmp=true
+# PrivateDevices=true
+# PrivateNetwork=false
+
+# ProtectSystem=full
+# ProtectHome=true
+# ProtectKernelTunables=true
+# ProtectControlGroups=true
+# SystemCallFilter=
+
+# This should break LuaJIT
+# 
MemoryDenyWriteExecute=true + +[Install] +WantedBy=multi-user.target diff --git a/manifest.toml b/manifest.toml index 0460ba9..93eb493 100644 --- a/manifest.toml +++ b/manifest.toml @@ -54,8 +54,10 @@ ram.runtime = "50M" url = "https://hg.prosody.im/prosody-modules/archive/095030677ae6.tar.gz" sha256 = "8c2a51ef72cbe86a3b2a8e5c4d8656ee1d167f153223b481b5e8c4c5ed85f11d" [resources.sources.snikket-portal] - url = "https://github.com/snikket-im/snikket-web-portal/archive/7c0310a141d45d71ccf4505f56267d2f4213ca08.tar.gz" - sha256 = "3b0afaf99c7360b5813cf7e10021827fa9bd13e40e169ef68004ffec3bb6fa92" + url = "snikket/snikket-web-portal:dev" + sha256 = "a43d2131ac32ebdc2394675bf33ea75a9e2996e13ea352398909a30feab27c16" + format = "docker" + prefetch = false # Prefetch doesn't seem to be supported with Docker images [resources.system_user] @@ -74,15 +76,16 @@ ram.runtime = "50M" server.exposed="TCP" server.fixed=true http.default=5280 - main.default=80 + main.exposed="TCP" # TODO: Need to remove/disable Metronome *before* installation starts because of the port allocation here + # TODO: Or switch to using prosody_ynh as a dependency [resources.permissions] main.url = "/" main.additional_urls = [ "groups.__DOMAIN__/", "share.__DOMAIN__/" ] [resources.apt] - packages = "libicu-dev, libidn11-dev, libssl-dev, openssl, txt2man, lua-luaossl, lua-readline, dns-root-data, lua-dbi-sqlite3" + packages = "libicu-dev, libidn11-dev, libssl-dev, openssl, txt2man, lua-luaossl, lua-readline, dns-root-data, lua-dbi-sqlite3, build-essential, python3-dev, python3-pip, python3-venv" packages_from_raw_bash = """ if [[ $YNH_DEBIAN_VERSION == "bullseye" ]]; then echo "lua5.2, lua5.2-expat, lua5.2-socket, lua5.2-sec, lua5.2-unbound, liblua5.2-dev, lua-busted"; diff --git a/scripts/install b/scripts/install index 9187d01..5ab0f70 100755 --- a/scripts/install +++ b/scripts/install 
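Review bot: The whole sandboxing block at the end of `[Service]` is commented out and still describes Prosody (`/etc/prosody`, `/var/lib/prosody`, the LuaJIT remark), so the admin portal runs with no restriction beyond `User=__APP__`. For this Python service I would uncomment `PrivateTmp=true`, `PrivateDevices=true` and `ProtectHome=true`, add `NoNewPrivileges=true`, and rewrite the "Needs ... access" comments for the paths the portal really uses. The LuaJIT caveat on `MemoryDenyWriteExecute=true` does not obviously apply to hypercorn, so it is worth testing rather than inheriting. `ExecReload=/bin/kill -HUP $MAINPID` is copied over as well; confirm that hypercorn treats SIGHUP as a reload and not as a termination.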
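Review bot: `url = "snikket/snikket-web-portal:dev"` replaces a tarball pinned to a commit hash with a mutable image tag, so the content behind this source can change upstream without any change in this repository. Whether the `sha256` on the next line is still enforced for `format = "docker"` is not visible here. If it is enforced, installs will start failing as soon as `:dev` is pushed again; if it is not, code nobody reviewed gets installed as the app. Pin to a release tag or an image digest if the source helper supports one, and add a comment above `sha256` stating what the value covers for Docker sources.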
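Review bot: `main.exposed="TCP"` asks for the `main` port to be opened in the firewall, while conf/web.service binds hypercorn to `localhost:__PORT__` and the portal is served through NGINX. Assuming `__PORT__` is filled from this `main` port, the exposure opens a port that nothing listens on externally and should be dropped, leaving `main` as an internal port. The install script also writes `${port}` into `ENV_SNIKKET_TWEAK_INTERNAL_HTTP_PORT`, so check that Prosody and hypercorn are not handed the same port. A short comment on the `main` entry saying which process owns it would settle both questions.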
@@ -34,6 +34,9 @@ ynh_setup_source --dest_dir="$snikketdir" moddir="$(mktemp -d)" ynh_setup_source --dest_dir="$moddir" --source_id=prosody-modules +portaldir="$(mktemp -d)" +ynh_setup_source --dest_dir="$portaldir" --source_id=snikket-portal + #================================================= # SPECIFIC SETUP #================================================= @@ -53,8 +56,6 @@ pushd "$builddir" popd popd -ynh_secure_remove --file="$builddir" - #================================================= # ADD A CONFIGURATION #================================================= @@ -102,6 +103,26 @@ do cp -r "$snikketdir/snikket-modules/$module" "/etc/$app/modules/$module" done < "../sources/snikket-modules.txt" +#================================================= +# SETUP SNIKKET ADMIN PORTAL +#================================================= +ynh_script_progression --message="Installing admin portal..." +cp -r "${portaldir}/opt/snikket-web-portal/snikket_web/" "$install_dir/" +pushd "$install_dir/snikket_web" + python -m venv .venv + cp -r "$portaldir"/usr/lib/python3/dist-packages/* .venv/lib/python*/site-packages/ + cp -r "$portaldir"/usr/local/lib/python3.11/dist-packages/* .venv/lib/python*/site-packages/ +popd + +#================================================= +# CLEAN TEMPORARY FILES +#================================================= +ynh_script_progression --message="Cleaning temporary files..." +ynh_secure_remove --file="$builddir" +ynh_secure_remove --file="$snikketdir" +ynh_secure_remove --file="$moddir" +ynh_secure_remove --file="$portaldir" + #================================================= # SETUP SNIKKET CONFIG #================================================= 
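Review bot: In the "SETUP SNIKKET ADMIN PORTAL" hunk the venv is created with `python -m venv .venv`, but the unit file starts `.venv/bin/python3` and the manifest installs only the `python3-*` packages; a bare `python` is often absent on Debian, so this should be `python3 -m venv .venv`. The second `cp` hard-codes `python3.11` from the image while the destination is the glob `.venv/lib/python*/site-packages/`; if the host interpreter is a different version (the manifest still has a bullseye branch), compiled packages copied from the image may fail to load only at service start. A version check before the copy would make that failure explicit at install time. Nothing in this hunk sets ownership on `$install_dir/snikket_web`; the code should stay root-owned and not writable by `$app`, so confirm no later `chown -R` covers it.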
@@ -114,6 +135,10 @@ SNIKKET_ADMIN_EMAIL=${admin} SNIKKET_TWEAK_TURNSERVER=0 ENV_SNIKKET_TWEAK_INTERNAL_HTTP_PORT=${port} ENV_SNIKKET_PROXY65_PORT=${port_file} + +SNIKKET_WEB_DOMAIN=${domain} +SNIKKET_WEB_PROSODY_ENDPOINT=http://localhost:$port_http +SNIKKET_WEB_SECRET_KEY=TODO EOF #================================================= @@ -131,6 +156,9 @@ ynh_script_progression --message="Adding system configurations..." # Create a dedicated systemd config ynh_add_systemd_config +yunohost service add "$app" --description="Chat that is simple, secure, and private" --log="/var/log/$app/$app.log" +ynh_add_systemd_config --service="$app-web" --template="web.service" +yunohost service add "$app-web" --description="Chat that is simple, secure, and private" --log="/var/log/$app-web/$app-web.log" # Create a dedicated NGINX config using the conf/nginx.conf template ynh_add_nginx_config @@ -150,13 +178,6 @@ chown -R $app:$app "/var/lib/$app" # Use logrotate to manage application logfile(s) ynh_use_logrotate -#================================================= -# INTEGRATE SERVICE IN YUNOHOST -#================================================= -ynh_script_progression --message="Integrating service in YunoHost..." - -yunohost service add "$app" --description="Chat that is simple, secure, and private" --log="/var/log/$app/$app.log" - #================================================= # START SYSTEMD SERVICE #================================================= @@ -164,6 +185,7 @@ ynh_script_progression --message="Starting a systemd service..." # Start a systemd service ynh_systemd_action --service_name="$app" --action="start" --log_path="/var/log/$app/$app.log" +ynh_systemd_action --service_name="$app-web" --action="start" --log_path="/var/log/$app/$app-web.log" #================================================= # END OF SCRIPT diff --git a/scripts/remove b/scripts/remove index 01bcae1..0029451 100755 --- a/scripts/remove +++ b/scripts/remove 
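Review bot: `SNIKKET_WEB_SECRET_KEY=TODO` writes a fixed, publicly known value as the portal's secret key, so every install would share it; presumably the key protects session data, which would then be forgeable. Generate it per install, for example `secret_key=$(ynh_string_random --length=64)`, store it with `ynh_app_setting_set --app=$app --key=secret_key --value=$secret_key`, and write `SNIKKET_WEB_SECRET_KEY=${secret_key}`. The heredoc starts outside this hunk, so the target file's mode is not visible; now that it holds a secret it should be readable only by root and `$app`.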
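Review bot: The log paths for `$app-web` disagree: `yunohost service add "$app-web"` registers `/var/log/$app-web/$app-web.log`, while the start call in the last hunk of this file waits on `/var/log/$app/$app-web.log`. conf/web.service sends hypercorn's output to the journal (`--log-file=-`, `StandardOutput=journal`), so neither file is likely to exist and the start helper may wait on a file that never appears. Pick one destination; if the journal is kept, `--log_path="systemd"` on the `ynh_systemd_action` line matches what the unit does. The description is also a copy of the main service's; `--description="Snikket web portal"` would tell the two apart in the service list.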
@@ -20,10 +20,12 @@ if ynh_exec_warn_less yunohost service status $app >/dev/null then ynh_script_progression --message="Removing $app service integration..." yunohost service remove $app + yunohost service remove $app-web fi # Remove the dedicated systemd config ynh_remove_systemd_config +ynh_remove_systemd_config --service=$app-web # Remove the app-specific logrotate config ynh_remove_logrotate
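Review bot: `yunohost service remove $app-web` runs under a guard that only checks `yunohost service status $app`, so an install that registered `$app` but failed before registering `$app-web` would make the remove script error out here. Give the web service its own check, `if ynh_exec_warn_less yunohost service status "$app-web" >/dev/null; then yunohost service remove "$app-web"; fi`, and quote `"$app-web"` in the added `ynh_remove_systemd_config --service=` line too. The `if` line itself appears only in the hunk header, outside the changed lines.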