From 9b6200b04a1d6e52c5e26fc36b980b102d1c94b5 Mon Sep 17 00:00:00 2001 From: yunohost-bot Date: Fri, 6 Dec 2024 13:56:57 +0100 Subject: Upgrade sources - `main` v4.3.2: https://github.com/mastodon/mastodon/releases/tag/v4.3.2 --- manifest.toml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/manifest.toml b/manifest.toml index d41094e..7dfed7b 100644 --- a/manifest.toml +++ b/manifest.toml @@ -5,7 +5,7 @@ name = "Mastodon" description.en = "Libre and federated social network" description.fr = "Réseau social libre et fédéré" -version = "4.2.13~ynh1" +version = "4.3.2~ynh1" maintainers = ["Tagada"] @@ -52,8 +52,8 @@ ram.runtime = "500M" [resources] [resources.sources] [resources.sources.main] - url = "https://github.com/mastodon/mastodon/archive/refs/tags/v4.2.13.tar.gz" - sha256 = "a8f2576ac97bc8ab39e952408f5fcdb11aa8b15f0b988dab6147a8e5aa8b112d" + url = "https://github.com/mastodon/mastodon/archive/refs/tags/v4.3.2.tar.gz" + sha256 = "d4ad908ad4793c6df761438cf6ee51d08a28cd74a1554bcc0f71718f88cce0ac" autoupdate.strategy = "latest_github_release" [resources.system_user] -- cgit v1.2.3-70-g09d2 From f42e0062f5ed2fc63443111c811fbfb2f3ad0700 Mon Sep 17 00:00:00 2001 From: yunohost-bot Date: Fri, 6 Dec 2024 13:57:02 +0100 Subject: Auto-update READMEs --- ALL_README.md | 1 + README.md | 6 ++++-- README_es.md | 6 ++++-- README_eu.md | 6 ++++-- README_fr.md | 6 ++++-- README_gl.md | 6 ++++-- README_id.md | 6 ++++-- README_nl.md | 6 ++++-- README_pl.md | 53 +++++++++++++++++++++++++++++++++++++++++++++++++++++ README_ru.md | 6 ++++-- README_zh_Hans.md | 6 ++++-- 11 files changed, 90 insertions(+), 18 deletions(-) create mode 100644 README_pl.md diff --git a/ALL_README.md b/ALL_README.md index df3708b..c93d620 100644 --- a/ALL_README.md +++ b/ALL_README.md 
@@ -7,5 +7,6 @@ - [Le o README en galego](README_gl.md) - [Baca README dalam bahasa bahasa Indonesia](README_id.md) - [Lees de README in het Nederlands](README_nl.md) +- [Przeczytaj README w języku polski](README_pl.md) - [Прочитать README на русский](README_ru.md) - [阅读中文(简体)的 README](README_zh_Hans.md) diff --git a/README.md b/README.md index 998a4bd..44f02f4 100644 --- a/README.md +++ b/README.md @@ -5,7 +5,9 @@ It shall NOT be edited by hand. # Mastodon for YunoHost -[![Integration level](https://dash.yunohost.org/integration/mastodon.svg)](https://ci-apps.yunohost.org/ci/apps/mastodon/) ![Working status](https://ci-apps.yunohost.org/ci/badges/mastodon.status.svg) ![Maintenance status](https://ci-apps.yunohost.org/ci/badges/mastodon.maintain.svg) +[![Integration level](https://apps.yunohost.org/badge/integration/mastodon)](https://ci-apps.yunohost.org/ci/apps/mastodon/) +![Working status](https://apps.yunohost.org/badge/state/mastodon) +![Maintenance status](https://apps.yunohost.org/badge/maintained/mastodon) [![Install Mastodon with YunoHost](https://install-app.yunohost.org/install-with-yunohost.svg)](https://install-app.yunohost.org/?app=mastodon) @@ -20,7 +22,7 @@ Mastodon is a free, open-source microblogging social network. It is a decentralized alternative to commercial platforms like Twitter and avoids the risks of a single company monopolizing your communication for commercial purposes. -**Shipped version:** 4.2.13~ynh1 +**Shipped version:** 4.3.2~ynh1 **Demo:** diff --git a/README_es.md b/README_es.md index 54ccf3c..dc43ee9 100644 --- a/README_es.md +++ b/README_es.md 
@@ -5,7 +5,9 @@ No se debe editar a mano. # Mastodon para Yunohost -[![Nivel de integración](https://dash.yunohost.org/integration/mastodon.svg)](https://ci-apps.yunohost.org/ci/apps/mastodon/) ![Estado funcional](https://ci-apps.yunohost.org/ci/badges/mastodon.status.svg) ![Estado En Mantención](https://ci-apps.yunohost.org/ci/badges/mastodon.maintain.svg) +[![Nivel de integración](https://apps.yunohost.org/badge/integration/mastodon)](https://ci-apps.yunohost.org/ci/apps/mastodon/) +![Estado funcional](https://apps.yunohost.org/badge/state/mastodon) +![Estado En Mantención](https://apps.yunohost.org/badge/maintained/mastodon) [![Instalar Mastodon con Yunhost](https://install-app.yunohost.org/install-with-yunohost.svg)](https://install-app.yunohost.org/?app=mastodon) @@ -20,7 +22,7 @@ Mastodon is a free, open-source microblogging social network. It is a decentralized alternative to commercial platforms like Twitter and avoids the risks of a single company monopolizing your communication for commercial purposes. -**Versión actual:** 4.2.13~ynh1 +**Versión actual:** 4.3.2~ynh1 **Demo:** diff --git a/README_eu.md b/README_eu.md index c478d4a..aa24037 100644 --- a/README_eu.md +++ b/README_eu.md @@ -5,7 +5,9 @@ EZ editatu eskuz. # Mastodon YunoHost-erako -[![Integrazio maila](https://dash.yunohost.org/integration/mastodon.svg)](https://ci-apps.yunohost.org/ci/apps/mastodon/) ![Funtzionamendu egoera](https://ci-apps.yunohost.org/ci/badges/mastodon.status.svg) ![Mantentze egoera](https://ci-apps.yunohost.org/ci/badges/mastodon.maintain.svg) +[![Integrazio maila](https://apps.yunohost.org/badge/integration/mastodon)](https://ci-apps.yunohost.org/ci/apps/mastodon/) +![Funtzionamendu egoera](https://apps.yunohost.org/badge/state/mastodon) +![Mantentze egoera](https://apps.yunohost.org/badge/maintained/mastodon) [![Instalatu Mastodon YunoHost-ekin](https://install-app.yunohost.org/install-with-yunohost.svg)](https://install-app.yunohost.org/?app=mastodon) 
@@ -20,7 +22,7 @@ Mastodon is a free, open-source microblogging social network. It is a decentralized alternative to commercial platforms like Twitter and avoids the risks of a single company monopolizing your communication for commercial purposes. -**Paketatutako bertsioa:** 4.2.13~ynh1 +**Paketatutako bertsioa:** 4.3.2~ynh1 **Demoa:** diff --git a/README_fr.md b/README_fr.md index 8cd7ffd..507032a 100644 --- a/README_fr.md +++ b/README_fr.md @@ -5,7 +5,9 @@ Il NE doit PAS être modifié à la main. # Mastodon pour YunoHost -[![Niveau d’intégration](https://dash.yunohost.org/integration/mastodon.svg)](https://ci-apps.yunohost.org/ci/apps/mastodon/) ![Statut du fonctionnement](https://ci-apps.yunohost.org/ci/badges/mastodon.status.svg) ![Statut de maintenance](https://ci-apps.yunohost.org/ci/badges/mastodon.maintain.svg) +[![Niveau d’intégration](https://apps.yunohost.org/badge/integration/mastodon)](https://ci-apps.yunohost.org/ci/apps/mastodon/) +![Statut du fonctionnement](https://apps.yunohost.org/badge/state/mastodon) +![Statut de maintenance](https://apps.yunohost.org/badge/maintained/mastodon) [![Installer Mastodon avec YunoHost](https://install-app.yunohost.org/install-with-yunohost.svg)](https://install-app.yunohost.org/?app=mastodon) @@ -21,7 +23,7 @@ C'est une alternative décentralisée aux plates-formes commerciales comme Twitt Mastodon évite ainsi les risques qu'une seule société monopolise votre communication à des fins commerciales. -**Version incluse :** 4.2.13~ynh1 +**Version incluse :** 4.3.2~ynh1 **Démo :** diff --git a/README_gl.md b/README_gl.md index b0d4b60..57994fa 100644 --- a/README_gl.md +++ b/README_gl.md 
@@ -5,7 +5,9 @@ NON debe editarse manualmente. # Mastodon para YunoHost -[![Nivel de integración](https://dash.yunohost.org/integration/mastodon.svg)](https://ci-apps.yunohost.org/ci/apps/mastodon/) ![Estado de funcionamento](https://ci-apps.yunohost.org/ci/badges/mastodon.status.svg) ![Estado de mantemento](https://ci-apps.yunohost.org/ci/badges/mastodon.maintain.svg) +[![Nivel de integración](https://apps.yunohost.org/badge/integration/mastodon)](https://ci-apps.yunohost.org/ci/apps/mastodon/) +![Estado de funcionamento](https://apps.yunohost.org/badge/state/mastodon) +![Estado de mantemento](https://apps.yunohost.org/badge/maintained/mastodon) [![Instalar Mastodon con YunoHost](https://install-app.yunohost.org/install-with-yunohost.svg)](https://install-app.yunohost.org/?app=mastodon) @@ -20,7 +22,7 @@ Mastodon is a free, open-source microblogging social network. It is a decentralized alternative to commercial platforms like Twitter and avoids the risks of a single company monopolizing your communication for commercial purposes. -**Versión proporcionada:** 4.2.13~ynh1 +**Versión proporcionada:** 4.3.2~ynh1 **Demo:** diff --git a/README_id.md b/README_id.md index 3ecefa5..5b134f5 100644 --- a/README_id.md +++ b/README_id.md 
@@ -5,7 +5,9 @@ Ini TIDAK boleh diedit dengan tangan. # Mastodon untuk YunoHost -[![Tingkat integrasi](https://dash.yunohost.org/integration/mastodon.svg)](https://ci-apps.yunohost.org/ci/apps/mastodon/) ![Status kerja](https://ci-apps.yunohost.org/ci/badges/mastodon.status.svg) ![Status pemeliharaan](https://ci-apps.yunohost.org/ci/badges/mastodon.maintain.svg) +[![Tingkat integrasi](https://apps.yunohost.org/badge/integration/mastodon)](https://ci-apps.yunohost.org/ci/apps/mastodon/) +![Status kerja](https://apps.yunohost.org/badge/state/mastodon) +![Status pemeliharaan](https://apps.yunohost.org/badge/maintained/mastodon) [![Pasang Mastodon dengan YunoHost](https://install-app.yunohost.org/install-with-yunohost.svg)](https://install-app.yunohost.org/?app=mastodon) @@ -20,7 +22,7 @@ Mastodon is a free, open-source microblogging social network. It is a decentralized alternative to commercial platforms like Twitter and avoids the risks of a single company monopolizing your communication for commercial purposes. -**Versi terkirim:** 4.2.13~ynh1 +**Versi terkirim:** 4.3.2~ynh1 **Demo:** diff --git a/README_nl.md b/README_nl.md index 2b97a1b..c5439b8 100644 --- a/README_nl.md +++ b/README_nl.md 
@@ -5,7 +5,9 @@ Hij mag NIET handmatig aangepast worden. # Mastodon voor Yunohost -[![Integratieniveau](https://dash.yunohost.org/integration/mastodon.svg)](https://ci-apps.yunohost.org/ci/apps/mastodon/) ![Mate van functioneren](https://ci-apps.yunohost.org/ci/badges/mastodon.status.svg) ![Onderhoudsstatus](https://ci-apps.yunohost.org/ci/badges/mastodon.maintain.svg) +[![Integratieniveau](https://apps.yunohost.org/badge/integration/mastodon)](https://ci-apps.yunohost.org/ci/apps/mastodon/) +![Mate van functioneren](https://apps.yunohost.org/badge/state/mastodon) +![Onderhoudsstatus](https://apps.yunohost.org/badge/maintained/mastodon) [![Mastodon met Yunohost installeren](https://install-app.yunohost.org/install-with-yunohost.svg)](https://install-app.yunohost.org/?app=mastodon) @@ -20,7 +22,7 @@ Mastodon is a free, open-source microblogging social network. It is a decentralized alternative to commercial platforms like Twitter and avoids the risks of a single company monopolizing your communication for commercial purposes. -**Geleverde versie:** 4.2.13~ynh1 +**Geleverde versie:** 4.3.2~ynh1 **Demo:** diff --git a/README_pl.md b/README_pl.md new file mode 100644 index 0000000..b876f93 --- /dev/null +++ b/README_pl.md 
@@ -0,0 +1,53 @@ + + +# Mastodon dla YunoHost + +[![Poziom integracji](https://apps.yunohost.org/badge/integration/mastodon)](https://ci-apps.yunohost.org/ci/apps/mastodon/) +![Status działania](https://apps.yunohost.org/badge/state/mastodon) +![Status utrzymania](https://apps.yunohost.org/badge/maintained/mastodon) + +[![Zainstaluj Mastodon z YunoHost](https://install-app.yunohost.org/install-with-yunohost.svg)](https://install-app.yunohost.org/?app=mastodon) + +*[Przeczytaj plik README w innym języku.](./ALL_README.md)* + +> *Ta aplikacja pozwala na szybką i prostą instalację Mastodon na serwerze YunoHost.* +> *Jeżeli nie masz YunoHost zapoznaj się z [poradnikiem](https://yunohost.org/install) instalacji.* + +## Przegląd + +Mastodon is a free, open-source microblogging social network. +It is a decentralized alternative to commercial platforms like Twitter and avoids the risks of a single company monopolizing your communication for commercial purposes. + + +**Dostarczona wersja:** 4.3.2~ynh1 + +**Demo:** + +## Zrzuty ekranu + +![Zrzut ekranu z Mastodon](./doc/screenshots/mastodon.png) + +## Dokumentacja i zasoby + +- Oficjalna strona aplikacji: +- Oficjalna dokumentacja dla administratora: +- Repozytorium z kodem źródłowym: +- Sklep YunoHost: +- Zgłaszanie błędów: + +## Informacje od twórców + +Wyślij swój pull request do [gałęzi `testing`](https://github.com/YunoHost-Apps/mastodon_ynh/tree/testing). + +Aby wypróbować gałąź `testing` postępuj zgodnie z instrukcjami: + +```bash +sudo yunohost app install https://github.com/YunoHost-Apps/mastodon_ynh/tree/testing --debug +lub +sudo yunohost app upgrade mastodon -u https://github.com/YunoHost-Apps/mastodon_ynh/tree/testing --debug +``` + +**Więcej informacji o tworzeniu paczek aplikacji:** diff --git a/README_ru.md b/README_ru.md index 00ab7c2..649ec1b 100644 --- a/README_ru.md +++ b/README_ru.md 
@@ -5,7 +5,9 @@ # Mastodon для YunoHost -[![Уровень интеграции](https://dash.yunohost.org/integration/mastodon.svg)](https://ci-apps.yunohost.org/ci/apps/mastodon/) ![Состояние работы](https://ci-apps.yunohost.org/ci/badges/mastodon.status.svg) ![Состояние сопровождения](https://ci-apps.yunohost.org/ci/badges/mastodon.maintain.svg) +[![Уровень интеграции](https://apps.yunohost.org/badge/integration/mastodon)](https://ci-apps.yunohost.org/ci/apps/mastodon/) +![Состояние работы](https://apps.yunohost.org/badge/state/mastodon) +![Состояние сопровождения](https://apps.yunohost.org/badge/maintained/mastodon) [![Установите Mastodon с YunoHost](https://install-app.yunohost.org/install-with-yunohost.svg)](https://install-app.yunohost.org/?app=mastodon) @@ -20,7 +22,7 @@ Mastodon is a free, open-source microblogging social network. It is a decentralized alternative to commercial platforms like Twitter and avoids the risks of a single company monopolizing your communication for commercial purposes. -**Поставляемая версия:** 4.2.13~ynh1 +**Поставляемая версия:** 4.3.2~ynh1 **Демо-версия:** diff --git a/README_zh_Hans.md b/README_zh_Hans.md index e9476cb..9b2aff4 100644 --- a/README_zh_Hans.md +++ b/README_zh_Hans.md @@ -5,7 +5,9 @@ # YunoHost 上的 Mastodon -[![集成程度](https://dash.yunohost.org/integration/mastodon.svg)](https://ci-apps.yunohost.org/ci/apps/mastodon/) ![工作状态](https://ci-apps.yunohost.org/ci/badges/mastodon.status.svg) ![维护状态](https://ci-apps.yunohost.org/ci/badges/mastodon.maintain.svg) +[![集成程度](https://apps.yunohost.org/badge/integration/mastodon)](https://ci-apps.yunohost.org/ci/apps/mastodon/) +![工作状态](https://apps.yunohost.org/badge/state/mastodon) +![维护状态](https://apps.yunohost.org/badge/maintained/mastodon) [![使用 YunoHost 安装 Mastodon](https://install-app.yunohost.org/install-with-yunohost.svg)](https://install-app.yunohost.org/?app=mastodon) 
@@ -20,7 +22,7 @@ Mastodon is a free, open-source microblogging social network. It is a decentralized alternative to commercial platforms like Twitter and avoids the risks of a single company monopolizing your communication for commercial purposes. -**分发版本:** 4.2.13~ynh1 +**分发版本:** 4.3.2~ynh1 **演示:** -- cgit v1.2.3-70-g09d2 From 3b0275ba5b773feca70ed92db8c8f240e93107ce Mon Sep 17 00:00:00 2001 From: yalh76 Date: Sat, 28 Dec 2024 01:29:20 +0100 Subject: Implement yarn 4.5, new active_record_encryption and mastodon default services --- conf/.env.production.sample | 21 ++++++++++++---- conf/mastodon-sidekiq.service | 36 +++++++++++++++------------- conf/mastodon-streaming.service | 36 +++++++++++++++------------- conf/mastodon-web.service | 36 +++++++++++++++------------- manifest.toml | 7 +----- scripts/_common.sh | 2 +- scripts/install | 53 +++++++++++++++++++++++++---------------- scripts/upgrade | 26 ++++++++++++++++---- tests.toml | 4 ++++ 9 files changed, 135 insertions(+), 86 deletions(-) diff --git a/conf/.env.production.sample b/conf/.env.production.sample index 7005b5d..2abf6c5 100644 --- a/conf/.env.production.sample +++ b/conf/.env.production.sample @@ -1,5 +1,5 @@ # This is a sample configuration file. You can generate your configuration -# with the `rake mastodon:setup` interactive setup wizard, but to customize +# with the `bundle exec rails mastodon:setup` interactive setup wizard, but to customize # your setup even further, you'll need to edit it manually. This sample does # not demonstrate all available configuration options. Please look at # https://docs.joinmastodon.org/admin/config/ for the full documentation. 
@@ -41,14 +41,25 @@ ES_ENABLED=false
 
 # Secrets
 # -------
-# Make sure to use `rake secret` to generate secrets
+# Make sure to use `bundle exec rails secret` to generate secrets
 # -------
 SECRET_KEY_BASE=__SECRET_KEY_BASE__
 OTP_SECRET=__OTP_SECRET__
 
+# Encryption secrets
+# ------------------
+# Must be available (and set to same values) for all server processes
+# These are private/secret values, do not share outside hosting environment
+# Use `bin/rails db:encryption:init` to generate fresh secrets
+# Do not change these secrets once in use, as this would cause data loss and other issues
+# ------------------
+ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY=__ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY__
+ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT=__ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT__
+ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY=__ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY__
+
 # Web Push
 # --------
-# Generate with `rake mastodon:webpush:generate_vapid_key`
+# Generate with `bundle exec rails mastodon:webpush:generate_vapid_key`
 # --------
 VAPID_PRIVATE_KEY=__VAPID_PRIVATE_KEY__
 VAPID_PUBLIC_KEY=__VAPID_PUBLIC_KEY__
@@ -104,5 +115,5 @@ LDAP_TLS_NO_VERIFY=true
 # Make sure to modify the scheduling of ip_cleanup_scheduler in config/sidekiq.yml
 # to be less than daily if you lower IP_RETENTION_PERIOD below two days (172800).
 # -----------------------
-IP_RETENTION_PERIOD=1209600
-SESSION_RETENTION_PERIOD=1209600
+IP_RETENTION_PERIOD=31556952
+SESSION_RETENTION_PERIOD=31556952
diff --git a/conf/mastodon-sidekiq.service b/conf/mastodon-sidekiq.service
index 14bd592..ad5a6a0 100644
--- a/conf/mastodon-sidekiq.service
+++ b/conf/mastodon-sidekiq.service
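Review bot: The second hunk (`@@ -104,5 +115,5 @@`) raises IP_RETENTION_PERIOD and SESSION_RETENTION_PERIOD from 1209600 (14 days) to 31556952 (one year), a roughly 26× increase in how long per-user IP addresses and login sessions are kept, and the commit message does not mention it. That value may simply mirror the upstream sample, but for a self-hosting package it is a data-minimisation regression with GDPR implications, so either keep the previous values, `IP_RETENTION_PERIOD=1209600` / `SESSION_RETENTION_PERIOD=1209600`, or keep the new ones with a comment such as `# Upstream default (1 year); lower this unless you need a year of IP history`. The hunk's context line also shows `LDAP_TLS_NO_VERIFY=true` shipped in this sample; that predates the commit, but it disables certificate verification for LDAP binds and deserves a follow-up of its own. The encryption-secrets block in the first hunk is good as documentation; it would be worth stating there that the three `ACTIVE_RECORD_ENCRYPTION_*` values must also be part of the app backup, since the comment already says losing them means data loss.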
@@ -6,10 +6,10 @@ After=network.target
 Type=simple
 User=__APP__
 WorkingDirectory=__INSTALL_DIR__/live
-Environment="__LD_PRELOAD__"
 Environment="RAILS_ENV=production"
 Environment="DB_POOL=25"
 Environment="MALLOC_ARENA_MAX=2"
+Environment="__LD_PRELOAD__"
 Environment="__YNH_RUBY_LOAD_PATH__"
 ExecStart=__INSTALL_DIR__/live/bin/bundle exec sidekiq -c 25
 TimeoutSec=15
@@ -17,22 +17,26 @@ Restart=always
 StandardOutput=append:/var/log/__APP__/__APP__-sidekiq.log
 StandardError=inherit
 
-# Sandboxing options to harden security
-# Depending on specificities of your service/app, you may need to tweak these
-# .. but this should be a good baseline
-# Details for these options: https://www.freedesktop.org/software/systemd/man/systemd.exec.html
-NoNewPrivileges=no
-PrivateTmp=yes
-PrivateDevices=yes
-RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
-RestrictNamespaces=yes
-RestrictRealtime=yes
-DevicePolicy=closed
+# Proc filesystem
+# Capabilities
+# Security
+NoNewPrivileges=true
+# Sandboxing
 ProtectSystem=full
-ProtectControlGroups=yes
-ProtectKernelModules=yes
-ProtectKernelTunables=yes
-LockPersonality=yes
+PrivateTmp=true
+PrivateDevices=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectControlGroups=true
+RestrictAddressFamilies=AF_INET
+RestrictAddressFamilies=AF_INET6
+RestrictAddressFamilies=AF_NETLINK
+RestrictAddressFamilies=AF_UNIX
+RestrictNamespaces=true
+LockPersonality=true
+RestrictRealtime=true
+DevicePolicy=closed
+# System Call Filtering
 SystemCallFilter=~@clock @debug @module @mount @obsolete @reboot @setuid @swap
 
 # Denying access to capabilities that should not be relevant for webapps
diff --git a/conf/mastodon-streaming.service b/conf/mastodon-streaming.service
index f63945e..f29e527 100644
--- a/conf/mastodon-streaming.service
+++ b/conf/mastodon-streaming.service
@@ -1,5 +1,5 @@
 [Unit]
-Description=__APP__-streaming
+Description=__APP__-streaming on port __PORT_STREAM_
 After=network.target
 
 [Service]
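Review bot: In the sandboxing hunk the new headings `# Proc filesystem` and `# Capabilities` have no directive under them, so they read as sections whose content was lost rather than as documentation; either delete the two lines or populate them, e.g. `ProtectProc=invisible` (systemd ≥ 247) under the first, and let the second sit directly above the capability block that the trailing context line `# Denying access to capabilities…` suggests follows outside this hunk. Separately, this unit flips `NoNewPrivileges=no` to `NoNewPrivileges=true`, which the streaming and web units already had; that is the right fix but it is a behavioural change for the Sidekiq workers (they spawn the packaged ffmpeg/ImageMagick, which should not need setuid), so it deserves a line in the commit message. Splitting the single `RestrictAddressFamilies=` line into four is equivalent, since systemd merges repeated assignments of that directive.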
@@ -16,22 +16,26 @@ Restart=always StandardOutput=append:/var/log/__APP__/__APP__-streaming.log StandardError=inherit -# Sandboxing options to harden security -# Depending on specificities of your service/app, you may need to tweak these -# .. but this should be a good baseline -# Details for these options: https://www.freedesktop.org/software/systemd/man/systemd.exec.html -NoNewPrivileges=yes -PrivateTmp=yes -PrivateDevices=yes -RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK -RestrictNamespaces=yes -RestrictRealtime=yes -DevicePolicy=closed +# Proc filesystem +# Capabilities +# Security +NoNewPrivileges=true +# Sandboxing ProtectSystem=full -ProtectControlGroups=yes -ProtectKernelModules=yes -ProtectKernelTunables=yes -LockPersonality=yes +PrivateTmp=true +PrivateDevices=true +ProtectKernelModules=true +ProtectKernelTunables=true +ProtectControlGroups=true +RestrictAddressFamilies=AF_INET +RestrictAddressFamilies=AF_INET6 +RestrictAddressFamilies=AF_NETLINK +RestrictAddressFamilies=AF_UNIX +RestrictNamespaces=true +LockPersonality=true +RestrictRealtime=true +DevicePolicy=closed +# System Call Filtering SystemCallFilter=~@clock @debug @module @mount @obsolete @reboot @setuid @swap # Denying access to capabilities that should not be relevant for webapps diff --git a/conf/mastodon-web.service b/conf/mastodon-web.service index 133fc3b..4804b16 100644 --- a/conf/mastodon-web.service +++ b/conf/mastodon-web.service @@ -6,9 +6,9 @@ After=network.target Type=simple User=__APP__ WorkingDirectory=__INSTALL_DIR__/live -Environment="__LD_PRELOAD__" Environment="RAILS_ENV=production" Environment="PORT=__PORT_WEB__" +Environment="__LD_PRELOAD__" Environment="__YNH_RUBY_LOAD_PATH__" ExecStart=__INSTALL_DIR__/live/bin/bundle exec puma -C config/puma.rb ExecReload=/bin/kill -SIGUSR1 $MAINPID 
@@ -17,22 +17,26 @@ Restart=always StandardOutput=append:/var/log/__APP__/__APP__-web.log StandardError=inherit -# Sandboxing options to harden security -# Depending on specificities of your service/app, you may need to tweak these -# .. but this should be a good baseline -# Details for these options: https://www.freedesktop.org/software/systemd/man/systemd.exec.html -NoNewPrivileges=yes -PrivateTmp=yes -PrivateDevices=yes -RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK -RestrictNamespaces=yes -RestrictRealtime=yes -DevicePolicy=closed +# Proc filesystem +# Capabilities +# Security +NoNewPrivileges=true +# Sandboxing ProtectSystem=full -ProtectControlGroups=yes -ProtectKernelModules=yes -ProtectKernelTunables=yes -LockPersonality=yes +PrivateTmp=true +PrivateDevices=true +ProtectKernelModules=true +ProtectKernelTunables=true +ProtectControlGroups=true +RestrictAddressFamilies=AF_INET +RestrictAddressFamilies=AF_INET6 +RestrictAddressFamilies=AF_NETLINK +RestrictAddressFamilies=AF_UNIX +RestrictNamespaces=true +LockPersonality=true +RestrictRealtime=true +DevicePolicy=closed +# System Call Filtering SystemCallFilter=~@clock @debug @module @mount @obsolete @reboot @setuid @swap # Denying access to capabilities that should not be relevant for webapps diff --git a/manifest.toml b/manifest.toml index 7dfed7b..1c4aefd 100644 --- a/manifest.toml +++ b/manifest.toml 
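Review bot: The same sandbox block is now pasted verbatim into the web, streaming and sidekiq units, empty `# Proc filesystem` / `# Capabilities` headings included; the sidekiq copy had already drifted (`NoNewPrivileges=no` until this commit), so a comment naming which unit is the canonical one, or a shared drop-in, would keep the three from diverging again. While it is being rewritten, `ProtectHome=true` is the one common hardening directive missing from this baseline; it should be safe as long as `__INSTALL_DIR__` and the data directory are not under /home, which is worth a one-line check in the packaging. `ProtectSystem=full` is presumably kept because the app needs `__INSTALL_DIR__/live` and `/var/log/__APP__` writable; `ProtectSystem=strict` plus explicit `ReadWritePaths=` would be tighter, but that is a larger change than this commit.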
@@ -75,12 +75,7 @@ ram.runtime = "500M" stream.default = 4000 [resources.apt] - packages = "imagemagick, ffmpeg, libpq-dev, libxml2-dev, libxslt1-dev, file, git, git-core, g++, libprotobuf-dev, protobuf-compiler, pkg-config, gcc, autoconf, bison, build-essential, libssl-dev, libyaml-dev, libreadline6-dev, zlib1g-dev, libncurses5-dev, libffi-dev, libgdbm6, libgdbm-dev, redis-tools, redis-server, rsync, postgresql, postgresql-contrib, libidn11-dev, libicu-dev, libjemalloc-dev, curl, apt-transport-https" - - [resources.apt.extras.yarn] - repo = "deb https://dl.yarnpkg.com/debian/ stable main" - key = "https://dl.yarnpkg.com/debian/pubkey.gpg" - packages = "yarn" + packages = "imagemagick, ffmpeg, libvips-tools, libpq-dev, libxml2-dev, libxslt1-dev, file, git, git-core, g++, libprotobuf-dev, protobuf-compiler, pkg-config, gcc, autoconf, bison, build-essential, libssl-dev, libyaml-dev, libreadline6-dev, zlib1g-dev, libncurses5-dev, libffi-dev, libgdbm6, libgdbm-dev, redis-tools, redis-server, rsync, postgresql, postgresql-contrib, libidn11-dev, libicu-dev, libjemalloc-dev, curl, apt-transport-https" [resources.database] type = "postgresql" diff --git a/scripts/_common.sh b/scripts/_common.sh index a2ba0b8..d354663 100644 --- a/scripts/_common.sh +++ b/scripts/_common.sh @@ -5,7 +5,7 @@ #================================================= memory_needed="2560" -ruby_version=3.2.3 +ruby_version=3.3.5 nodejs_version=20 # Workaround for Mastodon on Bullseye diff --git a/scripts/install b/scripts/install index 1385a30..dfcbb27 100644 --- a/scripts/install +++ b/scripts/install 
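Review bot: With the `[resources.apt.extras.yarn]` third-party repository gone, `apt-transport-https` in `packages` has no remaining consumer visible in this diff (it existed for the `https://dl.yarnpkg.com` source and is a transitional package on current Debian anyway), and `git-core` is a transitional alias of `git`, which is also listed; drop both and keep `git`. Removing the external repo and its GPG key is a good supply-chain simplification, but yarn is now fetched at install time through corepack, so the version actually run is whatever `packageManager` in the upstream `package.json` pins rather than something this manifest controls; a short comment above `packages` saying so would save the next maintainer from looking for the missing yarn dependency. `libvips-tools` is new with 4.3; confirm it pulls the shared library the `ruby-vips` gem loads, otherwise `libvips-dev` may be needed as well.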
@@ -69,22 +69,19 @@ ynh_app_setting_set --app="$app" --key=secret_key_base --value="$secret_key_base
 otp_secret=$(ynh_string_random --length=128)
 ynh_app_setting_set --app="$app" --key=otp_secret --value="$otp_secret"
 
-# We need rake to build vapid keys, we generate them later once the app is installed
+# We need bundle exec rails to build vapid keys, we generate them later once the app is installed
 vapid_private_key=""
 vapid_public_key=""
 
+# We need `bin/rails db:encryption:init` to generate fresh secrets, we generate them later once the app is installed
+active_record_encryption_deterministic_key=""
+active_record_encryption_key_derivation_salt=""
+active_record_encryption_primary_key=""
+
 ynh_add_config --template=".env.production.sample" --destination="$config"
 chmod 400 "$config"
 chown $app:$app "$config"
 
-ynh_replace_string --match_string="registrations_mode: 'open'" --replace_string="registrations_mode: 'none'" --target_file="$install_dir/live/config/settings.yml"
-ynh_replace_string --match_string="min_invite_role: 'admin'" --replace_string="min_invite_role: 'none'" --target_file="$install_dir/live/config/settings.yml"
-
-ynh_store_file_checksum --file="$install_dir/live/config/settings.yml"
-
-chmod 400 "$install_dir/live/config/settings.yml"
-chown $app:$app "$install_dir/live/config/settings.yml"
-
 #=================================================
 # BUILD APP
 #=================================================
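Review bot: This hunk removes the post-install rewrite of `config/settings.yml` that forced `registrations_mode: 'none'` and `min_invite_role: 'none'`, and nothing else in the visible diff replaces it, so unless Mastodon 4.3.2's defaults are already closed registrations a fresh install now comes up accepting public sign-ups from the moment the web service starts. If the rewrite was dropped because 4.3 moved these settings out of settings.yml, the equivalent is a tootctl call after the admin account exists, `ynh_exec_warn_less ynh_exec_as $app RAILS_ENV=production $ynh_ruby_load_path $ld_preload bin/tootctl settings registrations close`, placed in the later pushd block of this script where `tootctl accounts create` runs. Either way the intended default belongs in the commit message, since "open by default" is a security-relevant change for a packaged instance.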
@@ -97,31 +94,45 @@ pushd "$install_dir/live" ynh_gem install bundler --no-document ynh_exec_as $app $ynh_ruby_load_path $ld_preload bin/bundle config deployment 'true' ynh_exec_as $app $ynh_ruby_load_path $ld_preload bin/bundle config without 'development test' - ynh_exec_as $app $ynh_ruby_load_path $ld_preload bin/bundle config set force_ruby_platform true + ynh_exec_as $app $ynh_ruby_load_path $ld_preload bin/bundle config set force_ruby_platform true --quiet ynh_exec_as $app $ynh_ruby_load_path $ld_preload bin/bundle install -j$(getconf _NPROCESSORS_ONLN) - # Building assets ynh_use_nodejs - ynh_exec_warn_less ynh_exec_as $app $ynh_node_load_PATH yarn install --pure-lockfile --production --network-timeout 600000 + env $ynh_node_load_PATH corepack enable + echo Y | ynh_exec_warn_less ynh_exec_as $app env $ynh_node_load_PATH yarn workspaces focus --production + ynh_exec_warn_less ynh_exec_as $app env $ynh_node_load_PATH yarn install --immutable echo "SAFETY_ASSURED=1">> $config - ynh_exec_warn_less ynh_exec_as $app RAILS_ENV=production $ynh_ruby_load_path $ld_preload bin/bundle exec rails db:migrate --quiet - ynh_exec_warn_less ynh_exec_as $app RAILS_ENV=production $ynh_ruby_load_path $ld_preload bin/bundle exec rails assets:precompile --quiet # Generate vapid keys - ynh_exec_warn_less ynh_exec_as $app RAILS_ENV=production $ynh_ruby_load_path $ld_preload bin/bundle exec rake mastodon:webpush:generate_vapid_key > key.txt - # Create the first admin user - ynh_exec_warn_less ynh_exec_as $app RAILS_ENV=production $ynh_ruby_load_path $ld_preload bin/tootctl accounts create "$admin" --email="$admin_mail" --confirmed --role=Owner > /dev/null + ynh_exec_warn_less ynh_exec_as $app RAILS_ENV=production $ynh_ruby_load_path $ld_preload bin/bundle exec rails mastodon:webpush:generate_vapid_key > vapid_key.txt + # Generate active record encryption + ynh_exec_warn_less ynh_exec_as $app RAILS_ENV=production $ynh_ruby_load_path $ld_preload bin/bundle exec rails db:encryption:init 
> active_record_encryption.txt popd -# Re-generate config with vapid keys -vapid_private_key=$(grep -oP "VAPID_PRIVATE_KEY=\K.+" "$install_dir/live/key.txt") +# Re-generate config with vapid keys and active record encryption +vapid_private_key=$(grep -oP "VAPID_PRIVATE_KEY=\K.+" "$install_dir/live/vapid_key.txt") ynh_app_setting_set --app="$app" --key=vapid_private_key --value="$vapid_private_key" -vapid_public_key=$(grep -oP "VAPID_PUBLIC_KEY=\K.+" "$install_dir/live/key.txt") +vapid_public_key=$(grep -oP "VAPID_PUBLIC_KEY=\K.+" "$install_dir/live/vapid_key.txt") ynh_app_setting_set --app="$app" --key=vapid_public_key --value="$vapid_public_key" -ynh_secure_remove --file="$install_dir/live/key.txt" +ynh_secure_remove --file="$install_dir/live/vapid_key.txt" +active_record_encryption_deterministic_key=$(grep -oP "ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY=\K.+" "$install_dir/live/active_record_encryption.txt") +ynh_app_setting_set --app="$app" --key=active_record_encryption_deterministic_key --value="$active_record_encryption_deterministic_key" +active_record_encryption_key_derivation_salt=$(grep -oP "ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT=\K.+" "$install_dir/live/active_record_encryption.txt") +ynh_app_setting_set --app="$app" --key=active_record_encryption_key_derivation_salt --value="$active_record_encryption_key_derivation_salt" +active_record_encryption_primary_key=$(grep -oP "ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY=\K.+" "$install_dir/live/active_record_encryption.txt") +ynh_app_setting_set --app="$app" --key=active_record_encryption_primary_key --value="$active_record_encryption_primary_key" +ynh_secure_remove --file="$install_dir/live/active_record_encryption.txt" ynh_delete_file_checksum --file="$config" ynh_add_config --template=".env.production.sample" --destination="$config" chmod 400 "$config" chown $app:$app "$config" +pushd "$install_dir/live" + ynh_exec_warn_less ynh_exec_as $app RAILS_ENV=production $ynh_ruby_load_path $ld_preload bin/bundle 
exec rails db:migrate --quiet + ynh_exec_warn_less ynh_exec_as $app RAILS_ENV=production $ynh_ruby_load_path $ld_preload bin/bundle exec rails assets:precompile --quiet + # Create the first admin user + ynh_exec_warn_less ynh_exec_as $app RAILS_ENV=production $ynh_ruby_load_path $ld_preload bin/tootctl accounts create "$admin" --email="$admin_mail" --confirmed --role=Owner > /dev/null + ynh_exec_warn_less ynh_exec_as $app RAILS_ENV=production $ynh_ruby_load_path $ld_preload bin/tootctl accounts approve "$admin" > /dev/null +popd + #================================================= # SYSTEM CONFIGURATION #================================================= diff --git a/scripts/upgrade b/scripts/upgrade index c889e65..10e37c9 100644 --- a/scripts/upgrade +++ b/scripts/upgrade @@ -124,9 +124,9 @@ pushd "$install_dir/live" ynh_exec_as $app $ynh_ruby_load_path $ld_preload bin/bundle config set force_ruby_platform true --quiet ynh_exec_as $app $ynh_ruby_load_path $ld_preload bin/bundle install -j$(getconf _NPROCESSORS_ONLN) ynh_use_nodejs - ynh_exec_as $app $ynh_node_load_PATH yarn install --pure-lockfile --production --network-timeout 600000 - ynh_exec_warn_less ynh_exec_as $app RAILS_ENV=production $ynh_ruby_load_path $ld_preload bin/bundle exec rails assets:clean - ynh_exec_warn_less ynh_exec_as $app RAILS_ENV=production $ynh_ruby_load_path $ld_preload bin/bundle exec rails assets:precompile + env $ynh_node_load_PATH corepack enable + echo Y | ynh_exec_warn_less ynh_exec_as $app env $ynh_node_load_PATH yarn workspaces focus --production + ynh_exec_warn_less ynh_exec_as $app env $ynh_node_load_PATH yarn install --immutable popd chown "$app:www-data" "$install_dir" 
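Review bot: The `> vapid_key.txt` and `> active_record_encryption.txt` redirections write the VAPID private key and all three Active Record encryption secrets to plain files under `$install_dir/live`; the redirection is done by the install script's own shell, which YunoHost runs as root, so the files are created with root ownership and the script's umask (typically 0644) and sit there until `ynh_secure_remove` runs several lines later. The window is short, but the content is exactly what the sample config says not to share, and any failure between the two steps (a `grep` that matches nothing aborts the script if it runs under `set -e`) leaves them behind. Capturing the task output in a variable and grepping it with `<<<` removes the on-disk copy entirely; the same treatment applies to `vapid_key.txt`, and if a file is unavoidable it should at least be created under `( umask 077; … )`.

```shell
    # Generate vapid keys
    # … unchanged: vapid key task (apply the same in-memory capture instead of > vapid_key.txt) …
    # Generate active record encryption: keep the KEY=value lines in memory
    # instead of writing secrets to a root-owned file inside live/
    active_record_encryption_output=$(ynh_exec_warn_less ynh_exec_as $app RAILS_ENV=production $ynh_ruby_load_path $ld_preload bin/bundle exec rails db:encryption:init)
popd

# … unchanged: vapid key extraction and ynh_app_setting_set calls …
active_record_encryption_deterministic_key=$(grep -oP "ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY=\K.+" <<< "$active_record_encryption_output")
ynh_app_setting_set --app="$app" --key=active_record_encryption_deterministic_key --value="$active_record_encryption_deterministic_key"
active_record_encryption_key_derivation_salt=$(grep -oP "ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT=\K.+" <<< "$active_record_encryption_output")
ynh_app_setting_set --app="$app" --key=active_record_encryption_key_derivation_salt --value="$active_record_encryption_key_derivation_salt"
active_record_encryption_primary_key=$(grep -oP "ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY=\K.+" <<< "$active_record_encryption_output")
ynh_app_setting_set --app="$app" --key=active_record_encryption_primary_key --value="$active_record_encryption_primary_key"
# no ynh_secure_remove needed: nothing was written to disk
```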
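Review bot: `echo Y | … yarn workspaces focus --production` answers corepack's interactive "download yarn?" prompt by piping a literal, which silently depends on the prompt's wording and on it being the only question asked; corepack documents `COREPACK_ENABLE_DOWNLOAD_PROMPT=0` for non-interactive use, so `ynh_exec_as $app env COREPACK_ENABLE_DOWNLOAD_PROMPT=0 $ynh_node_load_PATH yarn workspaces focus --production` is the supported form. More importantly, yarn itself is now a build-time download from the npm registry at the version pinned by `packageManager` in upstream `package.json`; corepack checks the download against its built-in signing keys, but the previous apt-pinned yarn had no such runtime fetch, so an upgrade now fails offline and a comment stating this dependency is warranted. Finally, `yarn install --immutable` right after `yarn workspaces focus --production` appears to perform a full (dev-inclusive) install anyway, which would make the focus step redundant; confirm against the 4.3 upstream instructions before keeping both.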
@@ -163,6 +163,21 @@ ynh_use_logrotate --non-append #================================================= ynh_script_progression --message="Updating a config file..." --weight=1 +if ynh_compare_current_package_version --comparison lt --version "4.3.2~ynh1"; then + pushd "$install_dir/live" + ynh_use_ruby + # Generate active record encryption + ynh_exec_warn_less ynh_exec_as $app RAILS_ENV=production $ynh_ruby_load_path $ld_preload bin/bundle exec rails db:encryption:init > active_record_encryption.txt + active_record_encryption_deterministic_key=$(grep -oP "ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY=\K.+" "$install_dir/live/active_record_encryption.txt") + ynh_app_setting_set --app="$app" --key=active_record_encryption_deterministic_key --value="$active_record_encryption_deterministic_key" + active_record_encryption_key_derivation_salt=$(grep -oP "ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT=\K.+" "$install_dir/live/active_record_encryption.txt") + ynh_app_setting_set --app="$app" --key=active_record_encryption_key_derivation_salt --value="$active_record_encryption_key_derivation_salt" + active_record_encryption_primary_key=$(grep -oP "ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY=\K.+" "$install_dir/live/active_record_encryption.txt") + ynh_app_setting_set --app="$app" --key=active_record_encryption_primary_key --value="$active_record_encryption_primary_key" + ynh_secure_remove --file="$install_dir/live/active_record_encryption.txt" + popd +fi + language="$(echo $language | head -c 2)" ynh_add_config --template=".env.production.sample" --destination="$config" 
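Review bot: The guard `ynh_compare_current_package_version --comparison lt --version "4.3.2~ynh1"` keys secret generation to a package version rather than to whether the secrets exist, and the version it compares against is the one the first commit on this page already published (this commit does not bump the manifest again), so any instance that installed that intermediate 4.3.2~ynh1 build skips this block and comes up without `ACTIVE_RECORD_ENCRYPTION_*` keys. A guard on the setting's absence is self-documenting, survives later version-string edits and can never regenerate keys that the sample config warns must not change once in use: `if [ -z "${active_record_encryption_primary_key:-}" ]; then` (assuming the upgrade script loads app settings into shell variables, as packaging v2 does). The `> active_record_encryption.txt` redirection here has the same plain-file exposure as in the install script, root-owned with the default umask inside `$install_dir/live` until `ynh_secure_remove`; capture the task output in a variable and grep it with `<<<` instead.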
@@ -177,8 +192,9 @@ ynh_script_progression --message="Applying migrations..." --weight=1 pushd "$install_dir/live" ynh_use_ruby - ynh_exec_warn_less ynh_exec_as $app RAILS_ENV=production $ynh_ruby_load_path $ld_preload bin/bundle exec rails db:migrate - ynh_exec_warn_less ynh_exec_as $app RAILS_ENV=production $ynh_ruby_load_path $ld_preload bin/tootctl cache clear + ynh_exec_warn_less ynh_exec_as $app RAILS_ENV=production $ynh_ruby_load_path $ld_preload bin/bundle exec rails db:migrate --quiet + ynh_exec_warn_less ynh_exec_as $app RAILS_ENV=production $ynh_ruby_load_path $ld_preload bin/bundle exec rails assets:clean --quiet + ynh_exec_warn_less ynh_exec_as $app RAILS_ENV=production $ynh_ruby_load_path $ld_preload bin/bundle exec rails assets:precompile --quiet popd #================================================= diff --git a/tests.toml b/tests.toml index c1f2069..c983544 100644 --- a/tests.toml +++ b/tests.toml @@ -1,3 +1,5 @@ +#:schema https://raw.githubusercontent.com/YunoHost/apps/master/schemas/tests.v1.schema.json + test_format = 1.0 [default] @@ -24,3 +26,5 @@ test_format = 1.0 test_upgrade_from.43504e6.args.is_public=1 test_upgrade_from.43504e6.args.admin="john" test_upgrade_from.43504e6.args.language="fr_FR" + + test_upgrade_from.8102fffa52a4e3279bba9fbdafb3a0e5b1fe3e17.name = "Upgrade from 4.2.13~ynh1" -- cgit v1.2.3-70-g09d2 From ae23701d446549aca12e5e3bd31a8dc15a65ff86 Mon Sep 17 00:00:00 2001 From: yalh76 Date: Sun, 29 Dec 2024 17:21:26 +0100 Subject: Update mastodon-streaming.service --- conf/mastodon-streaming.service | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/conf/mastodon-streaming.service b/conf/mastodon-streaming.service index f29e527..963a316 100644 --- a/conf/mastodon-streaming.service +++ b/conf/mastodon-streaming.service @@ -1,5 +1,5 @@ [Unit] -Description=__APP__-streaming on port __PORT_STREAM_ +Description=__APP__-streaming on port __PORT_STREAM__ After=network.target [Service] -- cgit v1.2.3-70-g09d2 
From d3cb68ee5ca50f2d4edb7183a36dcaf47b731df1 Mon Sep 17 00:00:00 2001 From: yalh76 Date: Sun, 29 Dec 2024 18:29:59 +0100 Subject: fix missing ld_preload --- scripts/_common.sh | 41 +++++++++++++++++------------------------ 1 file changed, 17 insertions(+), 24 deletions(-) diff --git a/scripts/_common.sh b/scripts/_common.sh index d354663..0dbcc15 100644 --- a/scripts/_common.sh +++ b/scripts/_common.sh @@ -8,30 +8,23 @@ memory_needed="2560" ruby_version=3.3.5 nodejs_version=20 -# Workaround for Mastodon on Bullseye -# See https://github.com/mastodon/mastodon/issues/15751#issuecomment-873594463 -if [ "$(lsb_release --codename --short)" = "bullseye" ]; -then - case $YNH_ARCH in - amd64) - ld_preload="LD_PRELOAD=/usr/lib/x86_64-linux-gnu/libjemalloc.so" - ;; - arm64) - ld_preload="LD_PRELOAD=/usr/lib/aarch64-linux-gnu/libjemalloc.so" - ;; - armhf) - ld_preload="LD_PRELOAD=/usr/lib/arm-linux-gnueabihf/libjemalloc.so" - ;; - armel) - ld_preload="LD_PRELOAD=/usr/lib/arm-linux-gnueabi/libjemalloc.so" - ;; - i386) - ld_preload="LD_PRELOAD=/usr/lib/i386-linux-gnu/libjemalloc.so" - ;; - esac -else - ld_preload="" -fi +case $YNH_ARCH in + amd64) + ld_preload="LD_PRELOAD=/usr/lib/x86_64-linux-gnu/libjemalloc.so" + ;; + arm64) + ld_preload="LD_PRELOAD=/usr/lib/aarch64-linux-gnu/libjemalloc.so" + ;; + armhf) + ld_preload="LD_PRELOAD=/usr/lib/arm-linux-gnueabihf/libjemalloc.so" + ;; + armel) + ld_preload="LD_PRELOAD=/usr/lib/arm-linux-gnueabi/libjemalloc.so" + ;; + i386) + ld_preload="LD_PRELOAD=/usr/lib/i386-linux-gnu/libjemalloc.so" + ;; +esac #================================================= # PERSONAL HELPERS -- cgit v1.2.3-70-g09d2 From e071d0c0df548925a54385c809d52f916bbe74e2 Mon Sep 17 00:00:00 2001 From: yalh76 Date: Sun, 29 Dec 2024 22:51:19 +0100 Subject: Fix upgrade --- scripts/upgrade | 15 ++++----------- 1 file changed, 4 insertions(+), 11 deletions(-) diff --git a/scripts/upgrade b/scripts/upgrade index 10e37c9..531c766 100644 --- a/scripts/upgrade 
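Review bot: Dropping the Bullseye condition makes `LD_PRELOAD=…/libjemalloc.so` unconditional for every command that expands `$ld_preload`, but nothing in the hunk checks that the unversioned `.so` exists at that hard-coded path on the target release; when it does not, ld.so prints a "cannot be preloaded" error for every spawned process and the preload is silently skipped. Guard it after the `esac` with `[ -e "${ld_preload#LD_PRELOAD=}" ] || ld_preload=""` and a comment saying why. The old `else ld_preload=""` branch also disappears, so an architecture not listed in the `case` now leaves `ld_preload` unset rather than empty; add a `*) ld_preload="" ;;` arm to keep the variable defined.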
+++ b/scripts/upgrade @@ -97,18 +97,12 @@ ynh_exec_warn_less ynh_install_nodejs --nodejs_version=$nodejs_version #================================================= # DOWNLOAD, CHECK AND UNPACK SOURCE #================================================= +ynh_script_progression "Upgrading source files..." -if [ "$upgrade_type" == "UPGRADE_APP" ] -then - ynh_script_progression --message="Upgrading source files..." --weight=1 +# Download, check integrity, uncompress and patch the source from manifest.toml +ynh_setup_source --dest_dir="$install_dir/live" --full_replace=1 --keep="public/system .env.production" - # Download Mastodon - ynh_setup_source --dest_dir="$install_dir/live" --keep="public/system/" - - chmod 750 "$install_dir" - chmod -R o-rwx "$install_dir" - chown -R $app:www-data "$install_dir" -fi +chown -R $app:www-data "$install_dir" #================================================= # BUILD ASSETS @@ -193,7 +187,6 @@ ynh_script_progression --message="Applying migrations..." --weight=1 pushd "$install_dir/live" ynh_use_ruby ynh_exec_warn_less ynh_exec_as $app RAILS_ENV=production $ynh_ruby_load_path $ld_preload bin/bundle exec rails db:migrate --quiet - ynh_exec_warn_less ynh_exec_as $app RAILS_ENV=production $ynh_ruby_load_path $ld_preload bin/bundle exec rails assets:clean --quiet ynh_exec_warn_less ynh_exec_as $app RAILS_ENV=production $ynh_ruby_load_path $ld_preload bin/bundle exec rails assets:precompile --quiet popd -- cgit v1.2.3-70-g09d2 From 66959014e9b5981410ac638926c214e866bfb2ef Mon Sep 17 00:00:00 2001 From: yalh76 Date: Mon, 30 Dec 2024 21:23:19 +0100 Subject: Revert "Fix upgrade" This reverts commit e071d0c0df548925a54385c809d52f916bbe74e2. --- scripts/upgrade | 15 +++++++++++---- 1 file changed, 11 insertions(+), 4 deletions(-) diff --git a/scripts/upgrade b/scripts/upgrade index 531c766..10e37c9 100644 --- a/scripts/upgrade +++ b/scripts/upgrade 
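Review bot: Removing the `if [ "$upgrade_type" == "UPGRADE_APP" ]` block also removes `chmod 750 "$install_dir"` and `chmod -R o-rwx "$install_dir"`, so after `ynh_setup_source --full_replace=1` the modes of the freshly extracted tree, and of the kept `.env.production` that holds the app secrets, are whatever the tarball and the umask give, with only ownership re-applied by the `chown -R`. If the guard is meant to go, keep the two chmod lines unconditionally next to `chown -R $app:www-data "$install_dir"`. The later commits on this page revert and then re-apply this change with the chmod lines retained, which is the safer shape.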
@@ -97,12 +97,18 @@ ynh_exec_warn_less ynh_install_nodejs --nodejs_version=$nodejs_version #================================================= # DOWNLOAD, CHECK AND UNPACK SOURCE #================================================= -ynh_script_progression "Upgrading source files..." -# Download, check integrity, uncompress and patch the source from manifest.toml -ynh_setup_source --dest_dir="$install_dir/live" --full_replace=1 --keep="public/system .env.production" +if [ "$upgrade_type" == "UPGRADE_APP" ] +then + ynh_script_progression --message="Upgrading source files..." --weight=1 -chown -R $app:www-data "$install_dir" + # Download Mastodon + ynh_setup_source --dest_dir="$install_dir/live" --keep="public/system/" + + chmod 750 "$install_dir" + chmod -R o-rwx "$install_dir" + chown -R $app:www-data "$install_dir" +fi #================================================= # BUILD ASSETS @@ -187,6 +193,7 @@ ynh_script_progression --message="Applying migrations..." --weight=1 pushd "$install_dir/live" ynh_use_ruby ynh_exec_warn_less ynh_exec_as $app RAILS_ENV=production $ynh_ruby_load_path $ld_preload bin/bundle exec rails db:migrate --quiet + ynh_exec_warn_less ynh_exec_as $app RAILS_ENV=production $ynh_ruby_load_path $ld_preload bin/bundle exec rails assets:clean --quiet ynh_exec_warn_less ynh_exec_as $app RAILS_ENV=production $ynh_ruby_load_path $ld_preload bin/bundle exec rails assets:precompile --quiet popd -- cgit v1.2.3-70-g09d2 From 0595ab38e0e46f6e2b68a1404f3bb5ce8528a5d0 Mon Sep 17 00:00:00 2001 From: yalh76 Date: Mon, 30 Dec 2024 21:24:21 +0100 Subject: Update upgrade --- scripts/upgrade | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/scripts/upgrade b/scripts/upgrade index 10e37c9..f7a3573 100644 --- a/scripts/upgrade +++ b/scripts/upgrade 
@@ -102,8 +102,8 @@ if [ "$upgrade_type" == "UPGRADE_APP" ] then ynh_script_progression --message="Upgrading source files..." --weight=1 - # Download Mastodon - ynh_setup_source --dest_dir="$install_dir/live" --keep="public/system/" + # Download, check integrity, uncompress and patch the source from manifest.toml + ynh_setup_source --dest_dir="$install_dir/live" --full_replace=1 --keep="public/system .env.production" chmod 750 "$install_dir" chmod -R o-rwx "$install_dir" @@ -193,7 +193,6 @@ ynh_script_progression --message="Applying migrations..." --weight=1 pushd "$install_dir/live" ynh_use_ruby ynh_exec_warn_less ynh_exec_as $app RAILS_ENV=production $ynh_ruby_load_path $ld_preload bin/bundle exec rails db:migrate --quiet - ynh_exec_warn_less ynh_exec_as $app RAILS_ENV=production $ynh_ruby_load_path $ld_preload bin/bundle exec rails assets:clean --quiet ynh_exec_warn_less ynh_exec_as $app RAILS_ENV=production $ynh_ruby_load_path $ld_preload bin/bundle exec rails assets:precompile --quiet popd -- cgit v1.2.3-70-g09d2
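Review bot: `--keep="public/system .env.production"` preserves `.env.production` across the `--full_replace=1` extraction, but the same script later runs `ynh_add_config --template=".env.production.sample" --destination="$config"`, which, if `$config` is that file, regenerates it anyway, so the kept copy only matters when that later step does not run; a comment stating which case is intended would stop the next person from dropping one or the other. `--full_replace=1` also deletes everything else under `$install_dir/live` that is not kept, so local state besides `public/system` (`node_modules`, `vendor`, local patches) is rebuilt from scratch, which the comment above the call should say, e.g. `# full_replace: live/ is wiped except uploads and the env file; assets are rebuilt in the migration step below`. The removal of `assets:clean` in the second hunk is consistent with that, since no stale assets survive the replace.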