From 4325834c7af35fc15d65e00e5ca6033ab94452dc Mon Sep 17 00:00:00 2001
From: yalh76
Date: Thu, 21 Mar 2019 04:30:44 +0100
Subject: provide a .env.production file
---
 conf/.env.production.sample | 232 ++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 232 insertions(+)
 create mode 100644 conf/.env.production.sample
(limited to 'conf/.env.production.sample')
diff --git a/conf/.env.production.sample b/conf/.env.production.sample
new file mode 100644
index 0000000..ee65015
--- /dev/null
+++ b/conf/.env.production.sample
@@ -0,0 +1,232 @@
+# Service dependencies
+# You may set REDIS_URL instead for more advanced options
+# You may also set REDIS_NAMESPACE to share Redis between multiple Mastodon servers
+REDIS_HOST=localhost
+REDIS_PORT=6379
+# You may set DATABASE_URL instead for more advanced options
+DB_HOST=localhost
+DB_USER=__DB_USER__
+DB_NAME=__DB_NAME__
+DB_PASS=__DB_PWD__
+DB_PORT=5432
+# Optional ElasticSearch configuration
+# ES_ENABLED=true
+# ES_HOST=es
+# ES_PORT=9200
+
+# Federation
+# Note: Changing LOCAL_DOMAIN at a later time will cause unwanted side effects, including breaking all existing federation.
+# LOCAL_DOMAIN should *NOT* contain the protocol part of the domain e.g https://example.com.
+LOCAL_DOMAIN=__DOMAIN__
+
+# Changing LOCAL_HTTPS in production is no longer supported. (Mastodon will always serve https:// links)
+
+# Use this only if you need to run mastodon on a different domain than the one used for federation.
+# You can read more about this option on https://github.com/tootsuite/documentation/blob/master/Running-Mastodon/Serving_a_different_domain.md
+# DO *NOT* USE THIS UNLESS YOU KNOW *EXACTLY* WHAT YOU ARE DOING.
+# WEB_DOMAIN=mastodon.example.com
+
+# Use this if you want to have several aliases handler@example1.com
+# handler@example2.com etc. for the same user. LOCAL_DOMAIN should not
+# be added. Comma separated values
+# ALTERNATE_DOMAINS=example1.com,example2.com
+
+# Application secrets
+# Generate each with the `RAILS_ENV=production bundle exec rake secret` task (`docker-compose run --rm web rake secret` if you use docker compose)
+SECRET_KEY_BASE=__SECRET_KEY_BASE__
+OTP_SECRET=__OTP_SECRET__
+
+# VAPID keys (used for push notifications
+# You can generate the keys using the following command (first is the private key, second is the public one)
+# You should only generate this once per instance. If you later decide to change it, all push subscription will
+# be invalidated, requiring the users to access the website again to resubscribe.
+#
+# Generate with `RAILS_ENV=production bundle exec rake mastodon:webpush:generate_vapid_key` task (`docker-compose run --rm web rake mastodon:webpush:generate_vapid_key` if you use docker compose)
+#
+# For more information visit https://rossta.net/blog/using-the-web-push-api-with-vapid.html
+VAPID_PRIVATE_KEY=
+VAPID_PUBLIC_KEY=
+
+# Registrations
+# Single user mode will disable registrations and redirect frontpage to the first profile
+# SINGLE_USER_MODE=true
+# Prevent registrations with following e-mail domains
+# EMAIL_DOMAIN_BLACKLIST=example1.com|example2.de|etc
+# Only allow registrations with the following e-mail domains
+# EMAIL_DOMAIN_WHITELIST=example1.com|example2.de|etc
+
+# Optionally change default language
+DEFAULT_LOCALE=__LANGUAGE__
+
+# E-mail configuration
+# Note: Mailgun and SparkPost (https://sparkpo.st/smtp) each have good free tiers
+# If you want to use an SMTP server without authentication (e.g local Postfix relay)
+# then set SMTP_AUTH_METHOD and SMTP_OPENSSL_VERIFY_MODE to 'none' and
+# *comment* SMTP_LOGIN and SMTP_PASSWORD (leaving them blank is not enough).
+SMTP_SERVER=localhost
+SMTP_PORT=25
+#SMTP_LOGIN=
+#SMTP_PASSWORD=
+SMTP_FROM_ADDRESS=__SMTP_FROM_ADDRESS__
+#SMTP_DOMAIN= # defaults to LOCAL_DOMAIN
+#SMTP_DELIVERY_METHOD=smtp # delivery method can also be sendmail
+SMTP_AUTH_METHOD=none
+#SMTP_CA_FILE=/etc/ssl/certs/ca-certificates.crt
+SMTP_OPENSSL_VERIFY_MODE=none
+#SMTP_ENABLE_STARTTLS_AUTO=true
+#SMTP_TLS=true
+
+# Optional user upload path and URL (images, avatars). Default is :rails_root/public/system. If you set this variable, you are responsible for making your HTTP server (eg. nginx) serve these files.
+# PAPERCLIP_ROOT_PATH=/var/lib/mastodon/public-system
+# PAPERCLIP_ROOT_URL=/system
+
+# Optional asset host for multi-server setups
+# The asset host must allow cross origin request from WEB_DOMAIN or LOCAL_DOMAIN
+# if WEB_DOMAIN is not set. For example, the server may have the
+# following header field:
+# Access-Control-Allow-Origin: https://example.com/
+# CDN_HOST=https://assets.example.com
+
+# S3 (optional)
+# The attachment host must allow cross origin request from WEB_DOMAIN or
+# LOCAL_DOMAIN if WEB_DOMAIN is not set. For example, the server may have the
+# following header field:
+# Access-Control-Allow-Origin: https://192.168.1.123:9000/
+# S3_ENABLED=true
+# S3_BUCKET=
+# AWS_ACCESS_KEY_ID=
+# AWS_SECRET_ACCESS_KEY=
+# S3_REGION=
+# S3_PROTOCOL=http
+# S3_HOSTNAME=192.168.1.123:9000
+
+# S3 (Minio Config (optional) Please check Minio instance for details)
+# The attachment host must allow cross origin request - see the description
+# above.
+# S3_ENABLED=true
+# S3_BUCKET=
+# AWS_ACCESS_KEY_ID=
+# AWS_SECRET_ACCESS_KEY=
+# S3_REGION=
+# S3_PROTOCOL=https
+# S3_HOSTNAME=
+# S3_ENDPOINT=
+# S3_SIGNATURE_VERSION=
+
+# Swift (optional)
+# The attachment host must allow cross origin request - see the description
+# above.
+# SWIFT_ENABLED=true
+# SWIFT_USERNAME=
+# For Keystone V3, the value for SWIFT_TENANT should be the project name
+# SWIFT_TENANT=
+# SWIFT_PASSWORD=
+# Some OpenStack V3 providers require PROJECT_ID (optional)
+# SWIFT_PROJECT_ID=
+# Keystone V2 and V3 URLs are supported. Use a V3 URL if possible to avoid
+# issues with token rate-limiting during high load.
+# SWIFT_AUTH_URL=
+# SWIFT_CONTAINER=
+# SWIFT_OBJECT_URL=
+# SWIFT_REGION=
+# Defaults to 'default'
+# SWIFT_DOMAIN_NAME=
+# Defaults to 60 seconds. Set to 0 to disable
+# SWIFT_CACHE_TTL=
+
+# Optional alias for S3 (e.g. to serve files on a custom domain, possibly using Cloudfront or Cloudflare)
+# S3_ALIAS_HOST=
+
+# Streaming API integration
+# STREAMING_API_BASE_URL=
+
+# Advanced settings
+# If you need to use pgBouncer, you need to disable prepared statements:
+# PREPARED_STATEMENTS=false
+
+# Cluster number setting for streaming API server.
+# If you comment out following line, cluster number will be `numOfCpuCores - 1`.
+STREAMING_CLUSTER_NUM=1
+
+# Docker mastodon user
+# If you use Docker, you may want to assign UID/GID manually.
+# UID=1000
+# GID=1000
+
+# LDAP authentication (optional)
+# LDAP_ENABLED=true
+# LDAP_HOST=localhost
+# LDAP_PORT=389
+# LDAP_METHOD=simple_tls
+# LDAP_BASE=
+# LDAP_BIND_DN=
+# LDAP_PASSWORD=
+# LDAP_UID=cn
+# LDAP_SEARCH_FILTER="%{uid}=%{email}"
+
+# PAM authentication (optional)
+# PAM authentication uses for the email generation the "email" pam variable
+# and optional as fallback PAM_DEFAULT_SUFFIX
+# The pam environment variable "email" is provided by:
+# https://github.com/devkral/pam_email_extractor
+# PAM_ENABLED=true
+# Fallback email domain for email address generation (LOCAL_DOMAIN by default)
+# PAM_EMAIL_DOMAIN=example.com
+# Name of the pam service (pam "auth" section is evaluated)
+# PAM_DEFAULT_SERVICE=rpam
+# Name of the pam service used for checking if an user can register (pam "account" section is evaluated) (nil (disabled) by default)
+# PAM_CONTROLLED_SERVICE=rpam
+
+# Global OAuth settings (optional) :
+# If you have only one strategy, you may want to enable this
+# OAUTH_REDIRECT_AT_SIGN_IN=true
+
+# Optional CAS authentication (cf. omniauth-cas) :
+# CAS_ENABLED=true
+# CAS_URL=https://sso.myserver.com/
+# CAS_HOST=sso.myserver.com/
+# CAS_PORT=443
+# CAS_SSL=true
+# CAS_VALIDATE_URL=
+# CAS_CALLBACK_URL=
+# CAS_LOGOUT_URL=
+# CAS_LOGIN_URL=
+# CAS_UID_FIELD='user'
+# CAS_CA_PATH=
+# CAS_DISABLE_SSL_VERIFICATION=false
+# CAS_UID_KEY='user'
+# CAS_NAME_KEY='name'
+# CAS_EMAIL_KEY='email'
+# CAS_NICKNAME_KEY='nickname'
+# CAS_FIRST_NAME_KEY='firstname'
+# CAS_LAST_NAME_KEY='lastname'
+# CAS_LOCATION_KEY='location'
+# CAS_IMAGE_KEY='image'
+# CAS_PHONE_KEY='phone'
+
+# Optional SAML authentication (cf. omniauth-saml)
+# SAML_ENABLED=true
+# SAML_ACS_URL=
+# SAML_ISSUER=http://localhost:3000/auth/auth/saml/callback
+# SAML_IDP_SSO_TARGET_URL=https://idp.testshib.org/idp/profile/SAML2/Redirect/SSO
+# SAML_IDP_CERT=
+# SAML_IDP_CERT_FINGERPRINT=
+# SAML_NAME_IDENTIFIER_FORMAT=
+# SAML_CERT=
+# SAML_PRIVATE_KEY=
+# SAML_SECURITY_WANT_ASSERTION_SIGNED=true
+# SAML_SECURITY_WANT_ASSERTION_ENCRYPTED=true
+# SAML_SECURITY_ASSUME_EMAIL_IS_VERIFIED=true
+# SAML_ATTRIBUTES_STATEMENTS_UID="urn:oid:0.9.2342.19200300.100.1.1"
+# SAML_ATTRIBUTES_STATEMENTS_EMAIL="urn:oid:1.3.6.1.4.1.5923.1.1.1.6"
+# SAML_ATTRIBUTES_STATEMENTS_FULL_NAME="urn:oid:2.16.840.1.113730.3.1.241"
+# SAML_ATTRIBUTES_STATEMENTS_FIRST_NAME="urn:oid:2.5.4.42"
+# SAML_ATTRIBUTES_STATEMENTS_LAST_NAME="urn:oid:2.5.4.4"
+# SAML_UID_ATTRIBUTE="urn:oid:0.9.2342.19200300.100.1.1"
+# SAML_ATTRIBUTES_STATEMENTS_VERIFIED=
+# SAML_ATTRIBUTES_STATEMENTS_VERIFIED_EMAIL=
+
+# Use HTTP proxy for outgoing request (optional)
+# http_proxy=http://gateway.local:8118
+# Access control for hidden service.
+# ALLOW_ACCESS_TO_HIDDEN_SERVICE=true
-- cgit v1.2.3-70-g09d2
From e7df7cc8d71cbde6e4a74552298a83c579751163 Mon Sep 17 00:00:00 2001
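Review bot: `SMTP_AUTH_METHOD=none` and `SMTP_OPENSSL_VERIFY_MODE=none` are shipped as live values alongside `SMTP_SERVER=localhost`, which is fine for handing mail to a loopback Postfix relay but silently disables certificate verification for anyone who later points `SMTP_SERVER` at a remote host. The comment above explains how to switch authentication off, not why this template has it off by default, so the coupling between the three settings is easy to miss. Suggest a comment next to them: `# Both 'none' because mail is relayed to the local Postfix on loopback; re-enable verification before using a remote SMTP_SERVER.`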
From: yalh76
Date: Fri, 22 Mar 2019 23:24:05 +0100
Subject: Add VAPID Keys generation
---
 conf/.env.production.sample | 21 ++++++++++-----------
 scripts/install | 1 +
 2 files changed, 11 insertions(+), 11 deletions(-)
(limited to 'conf/.env.production.sample')
diff --git a/conf/.env.production.sample b/conf/.env.production.sample
index ee65015..2093267 100644
--- a/conf/.env.production.sample
+++ b/conf/.env.production.sample
@@ -36,17 +36,6 @@ LOCAL_DOMAIN=__DOMAIN__
 SECRET_KEY_BASE=__SECRET_KEY_BASE__
 OTP_SECRET=__OTP_SECRET__
-# VAPID keys (used for push notifications
-# You can generate the keys using the following command (first is the private key, second is the public one)
-# You should only generate this once per instance. If you later decide to change it, all push subscription will
-# be invalidated, requiring the users to access the website again to resubscribe.
-#
-# Generate with `RAILS_ENV=production bundle exec rake mastodon:webpush:generate_vapid_key` task (`docker-compose run --rm web rake mastodon:webpush:generate_vapid_key` if you use docker compose)
-#
-# For more information visit https://rossta.net/blog/using-the-web-push-api-with-vapid.html
-VAPID_PRIVATE_KEY=
-VAPID_PUBLIC_KEY=
-
 # Registrations
 # Single user mode will disable registrations and redirect frontpage to the first profile
 # SINGLE_USER_MODE=true
@@ -230,3 +219,13 @@ STREAMING_CLUSTER_NUM=1
 # http_proxy=http://gateway.local:8118
 # Access control for hidden service.
 # ALLOW_ACCESS_TO_HIDDEN_SERVICE=true
+
+
+# VAPID keys (used for push notifications
+# You can generate the keys using the following command (first is the private key, second is the public one)
+# You should only generate this once per instance. If you later decide to change it, all push subscription will
+# be invalidated, requiring the users to access the website again to resubscribe.
+#
+# Generate with `RAILS_ENV=production bundle exec rake mastodon:webpush:generate_vapid_key` task (`docker-compose run --rm web rake mastodon:webpush:generate_vapid_key` if you use docker compose)
+#
+# For more information visit https://rossta.net/blog/using-the-web-push-api-with-vapid.html
diff --git a/scripts/install b/scripts/install
index 0d85c74..2c12cf4 100644
--- a/scripts/install
+++ b/scripts/install
@@ -193,6 +193,7 @@ pushd "$final_path/live"
 sudo -u "$app" echo "SAFETY_ASSURED=1">> .env.production
 sudo -u "$app" env PATH=$PATH RAILS_ENV=production /opt/rbenv/versions/2.6.0/bin/bundle exec rails db:migrate --quiet
 sudo -u "$app" env PATH=$PATH RAILS_ENV=production /opt/rbenv/versions/2.6.0/bin/bundle exec rails assets:precompile --quiet
+ sudo -u "$app" env PATH=$PATH RAILS_ENV=production /opt/rbenv/versions/2.6.0/bin/bundle exec rake mastodon:webpush:generate_vapid_key >> "${final_path}/live/.env.production"
 sudo -u "$app" env PATH=$PATH RAILS_ENV=production bin/tootctl accounts create "$admin" --email="$admin_mail" --confirmed --role=admin > acc.txt
 popd
-- cgit v1.2.3-70-g09d2
From 5cd0ad6b49991cf45a74b4a6c9db3e3bb5e4ebb4 Mon Sep 17 00:00:00 2001
From: yalh76
Date: Fri, 22 Mar 2019 23:43:29 +0100
Subject: LDAP implementation
---
 conf/.env.production.sample | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
(limited to 'conf/.env.production.sample')
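Review bot: The new install line appends the entire stdout of `rake mastodon:webpush:generate_vapid_key` to `.env.production`, so anything else the task prints (warnings, deprecation notices) ends up in the env file verbatim, and the `>>` redirection is performed by the root shell rather than under `sudo -u "$app"`. The generated private key is persisted nowhere else, so any later regeneration of `.env.production` from the sample (as the upgrade script in this series does) drops it and invalidates every push subscription. Capture the two `VAPID_*` lines into variables and store them with `ynh_app_setting_set` so the values can be substituted again later. The `pushd`/`popd` block this line sits in starts outside the hunk.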
diff --git a/conf/.env.production.sample b/conf/.env.production.sample
index 2093267..8f248fa 100644
--- a/conf/.env.production.sample
+++ b/conf/.env.production.sample
@@ -143,14 +143,14 @@ STREAMING_CLUSTER_NUM=1
 # GID=1000
 # LDAP authentication (optional)
-# LDAP_ENABLED=true
-# LDAP_HOST=localhost
-# LDAP_PORT=389
+LDAP_ENABLED=true
+LDAP_HOST=localhost
+LDAP_PORT=389
 # LDAP_METHOD=simple_tls
-# LDAP_BASE=
+LDAP_BASE=ou=users,dc=yunohost,dc=org
 # LDAP_BIND_DN=
 # LDAP_PASSWORD=
-# LDAP_UID=cn
+LDAP_UID=uid
 # LDAP_SEARCH_FILTER="%{uid}=%{email}"
 # PAM authentication (optional)
-- cgit v1.2.3-70-g09d2
From 86301f170d2d0b3de9943561f37c3015faf732ce Mon Sep 17 00:00:00 2001
From: yalh76
Date: Sat, 23 Mar 2019 01:24:41 +0100
Subject: fix LDAP_BIND_DN
---
 conf/.env.production.sample | 4 ++--
 scripts/install | 33 +++++++++------------------------
 scripts/remove | 7 +++++++
 scripts/upgrade | 3 ---
 4 files changed, 18 insertions(+), 29 deletions(-)
(limited to 'conf/.env.production.sample')
diff --git a/conf/.env.production.sample b/conf/.env.production.sample
index 8f248fa..c42c821 100644
--- a/conf/.env.production.sample
+++ b/conf/.env.production.sample
@@ -148,8 +148,8 @@ LDAP_HOST=localhost
 LDAP_PORT=389
 # LDAP_METHOD=simple_tls
 LDAP_BASE=ou=users,dc=yunohost,dc=org
-# LDAP_BIND_DN=
-# LDAP_PASSWORD=
+LDAP_BIND_DN=uid=__APP__,ou=users,dc=yunohost,dc=org
+LDAP_PASSWORD=__LDAP_PASSWORD__
 LDAP_UID=uid
 # LDAP_SEARCH_FILTER="%{uid}=%{email}"
diff --git a/scripts/install b/scripts/install
index 1fd4cdb..fc6afcc 100644
--- a/scripts/install
+++ b/scripts/install
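Review bot: `LDAP_ENABLED=true` is switched on with `LDAP_HOST=localhost` and `LDAP_PORT=389` while `LDAP_METHOD=simple_tls` stays commented, so the transport falls back to Mastodon's built-in default, which this hunk does not pin down. If that default is `simple_tls` (as Mastodon's devise initializer of that era suggests — confirm against the pinned version) the client will attempt TLS on the plaintext port and never bind; if it is plain, bind credentials travel unencrypted, which is tolerable only because the directory is on loopback. Either way the value should be explicit rather than inherited, e.g. `LDAP_METHOD=plain` preceded by `# plain is acceptable only because the YunoHost directory is on loopback; use simple_tls/start_tls for a remote LDAP_HOST`.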
@@ -66,11 +66,6 @@ ynh_app_setting_set $app language $language
 #=================================================
 ynh_print_info "Configuring firewall..."
-### Use these lines if you have to open a port for the application
-### `ynh_find_port` will find the first available port starting from the given port.
-### If you're not using these lines:
-### - Remove the section "CLOSE A PORT" in the remove script
-
 # Find a free port
 port_web=$(ynh_find_port 3000)
 port_stream=$(ynh_find_port 4000)
@@ -125,10 +120,6 @@ ynh_psql_execute_as_root \
 #=================================================
 ynh_print_info "Setting up source files..."
-### `ynh_setup_source` is used to install an app from a zip or tar.gz file,
-### downloaded from an upstream source, like a git repository.
-### `ynh_setup_source` use the file conf/app.src
-
 ynh_app_setting_set $app final_path $final_path
 # Download, check integrity, uncompress and patch the source from app.src
 mkdir $final_path
@@ -139,8 +130,6 @@ ynh_setup_source "$final_path/live"
 #=================================================
 ynh_print_info "Configuring nginx web server..."
-### `ynh_add_nginx_config` will use the file conf/nginx.conf
-
 # Create a dedicated nginx config
 ynh_replace_string "__PORT_WEB__" "$port_web" "../conf/nginx.conf"
 ynh_replace_string "__PORT_STREAM__" "$port_stream" "../conf/nginx.conf"
@@ -179,15 +168,22 @@ language="$(echo $language | head -c 2)"
 ynh_replace_string "__LANGUAGE__" "$language" "$final_path/live/.env.production"
 paperclip_secret=$(head -n128 /dev/urandom | tail -n +1 | tr -dc -d 'a-z0-9' | head -c128)
-secret_key_base=$(head -n128 /dev/urandom | tail -n +1 | tr -dc -d 'a-z0-9' | head -c128)
-otp_secret=$(head -n128 /dev/urandom | tail -n +1 | tr -dc -d 'a-z0-9' | head -c128)
 ynh_replace_string "PAPERCLIP_SECRET=" "PAPERCLIP_SECRET=$paperclip_secret" "${final_path}/live/.env.production"
+secret_key_base=$(head -n128 /dev/urandom | tail -n +1 | tr -dc -d 'a-z0-9' | head -c128)
 ynh_replace_string "__SECRET_KEY_BASE__" "$secret_key_base" "$final_path/live/.env.production"
+
+otp_secret=$(head -n128 /dev/urandom | tail -n +1 | tr -dc -d 'a-z0-9' | head -c128)
 ynh_replace_string "__OTP_SECRET__" "$otp_secret" "$final_path/live/.env.production"
 ynh_replace_string "__SMTP_FROM_ADDRESS__" "$admin_mail" "${final_path}/live/.env.production"
+ynh_user_exists $app || ynh_die "LDAP User $app already exist"
+ldap_password=$(head -n128 /dev/urandom | tail -n +1 | tr -dc -d 'a-z0-9' | head -c128)
+yunohost user create username f $app -l $app -m $app@$domain -p $ldap_password -q 0
+ynh_replace_string "__APP__" "$app" "${final_path}/live/.env.production"
+ynh_replace_string "__LDAP_PASSWORD__" "$ldap_password" "${final_path}/live/.env.production"
+
 #=================================================
 # INSTALLING MASTODON
 #=================================================
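Review bot: `ynh_user_exists $app || ynh_die "LDAP User $app already exist"` is inverted: `ynh_user_exists` succeeds when the account exists, so the script aborts when the user does not exist and carries on to create a duplicate when it does. The guard should read `ynh_user_exists "$app" && ynh_die "LDAP User $app already exists"`. The following `yunohost user create username f $app ...` passes the literal word `username` as the account name and `f` without its dash, and `-p $ldap_password` puts the freshly generated secret on the command line where it is visible to other local processes and to `set -x` traces; if the CLI offers no stdin alternative, at least quote every expansion. The same inverted guard is copied into the upgrade script in later commits of this series (hunks `@@ -62,6 +69,33 @@` and `@@ -156,6 +190,39 @@`).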
@@ -223,17 +219,6 @@ sudo cp -f ../conf/cron /etc/cron.d/$app
 #=================================================
 ynh_print_info "Configuring a systemd service..."
-### `ynh_systemd_config` is used to configure a systemd script for an app.
-### It can be used for apps that use sysvinit (with adaptation) or systemd.
-### Have a look at the app to be sure this app needs a systemd script.
-### `ynh_systemd_config` will use the file conf/systemd.service
-### If you're not using these lines:
-### - You can remove those files in conf/.
-### - Remove the section "BACKUP SYSTEMD" in the backup script
-### - Remove also the section "STOP AND REMOVE SERVICE" in the remove script
-### - As well as the section "RESTORE SYSTEMD" in the restore script
-### - And the section "SETUP SYSTEMD" in the upgrade script
-
 # Create a dedicated systemd config
 ynh_replace_string "__PORT_WEB__" "$port_web" "../conf/mastodon-web.service"
 ynh_replace_string "__PORT_STREAM__" "$port_stream" "../conf/mastodon-streaming.service"
diff --git a/scripts/remove b/scripts/remove
index 3436bce..73a9bf7 100644
--- a/scripts/remove
+++ b/scripts/remove
@@ -99,6 +99,13 @@ ynh_remove_nginx_config
 #=================================================
 # SPECIFIC REMOVE
+#=================================================
+# REMOVE LDAP USER
+#=================================================
+
+# Remove $app LDAP User
+yunohost user delete $app --purge
+
 #=================================================
 # REMOVE THE CRON FILE
 #=================================================
diff --git a/scripts/upgrade b/scripts/upgrade
index 01f0a49..668b7cf 100644
--- a/scripts/upgrade
+++ b/scripts/upgrade
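Review bot: `yunohost user delete $app --purge` in the remove hunk is unconditional and destructive: it purges a directory account named after the app id whether or not this package created it, and the install-side guard that was supposed to refuse a pre-existing account is inverted, so the two scripts together can delete (with `--purge`, including home and mail data) an account that belonged to someone else. Make the deletion depend on a marker written at install time and on the account actually existing, e.g. `ynh_user_exists "$app" && yunohost user delete "$app" --purge`, ideally keyed on an `ldap_user` app setting rather than on `$app`. Quote `"$app"` as the surrounding script does.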
@@ -176,9 +176,6 @@ pushd "$final_path/live"
 sudo -u "$app" env PATH=$PATH RAILS_ENV=production /opt/rbenv/versions/2.6.0/bin/bundle exec rails db:migrate
 popd
-### Verify the checksum of a file, stored by `ynh_store_file_checksum` in the install script.
-### And create a backup of this file if the checksum is different. So the file will be backed up if the admin had modified it.
-ynh_backup_if_checksum_is_different "${final_path}/live/.env.production"
 # Recalculate and store the checksum of the file for the next upgrade.
 ynh_store_file_checksum "${final_path}/live/.env.production"
-- cgit v1.2.3-70-g09d2
From d4eac065f751c0f7f566ee41d689d9232654b8e7 Mon Sep 17 00:00:00 2001
From: yalh76
Date: Sat, 23 Mar 2019 01:54:06 +0100
Subject: Fix LDAP User
---
 conf/.env.production.sample | 2 +-
 scripts/install | 13 ++++++---
 scripts/upgrade | 69 ++++++++++++++++++++++++++++++++++++++++++++-
 3 files changed, 78 insertions(+), 6 deletions(-)
(limited to 'conf/.env.production.sample')
diff --git a/conf/.env.production.sample b/conf/.env.production.sample
index c42c821..68249e1 100644
--- a/conf/.env.production.sample
+++ b/conf/.env.production.sample
@@ -148,7 +148,7 @@ LDAP_HOST=localhost
 LDAP_PORT=389
 # LDAP_METHOD=simple_tls
 LDAP_BASE=ou=users,dc=yunohost,dc=org
-LDAP_BIND_DN=uid=__APP__,ou=users,dc=yunohost,dc=org
+LDAP_BIND_DN=uid=__LDAP_USER__,ou=users,dc=yunohost,dc=org
 LDAP_PASSWORD=__LDAP_PASSWORD__
 LDAP_UID=uid
 # LDAP_SEARCH_FILTER="%{uid}=%{email}"
diff --git a/scripts/install b/scripts/install
index fc6afcc..1e8ee50 100644
--- a/scripts/install
+++ b/scripts/install
@@ -163,26 +163,31 @@ ynh_replace_string "__DB_USER__" "$app" "$final_path/live/.env.production"
 ynh_replace_string "__DB_NAME__" "$db_name" "$final_path/live/.env.production"
 ynh_replace_string "__DB_PWD__" "$db_pwd" "$final_path/live/.env.production"
 ynh_replace_string "__DOMAIN__" "$domain" "$final_path/live/.env.production"
+ynh_replace_string "__SMTP_FROM_ADDRESS__" "$admin_mail" "${final_path}/live/.env.production"
 language="$(echo $language | head -c 2)"
 ynh_replace_string "__LANGUAGE__" "$language" "$final_path/live/.env.production"
 paperclip_secret=$(head -n128 /dev/urandom | tail -n +1 | tr -dc -d 'a-z0-9' | head -c128)
 ynh_replace_string "PAPERCLIP_SECRET=" "PAPERCLIP_SECRET=$paperclip_secret" "${final_path}/live/.env.production"
+ynh_app_setting_set "$app" paperclip_secret "$paperclip_secret"
 secret_key_base=$(head -n128 /dev/urandom | tail -n +1 | tr -dc -d 'a-z0-9' | head -c128)
 ynh_replace_string "__SECRET_KEY_BASE__" "$secret_key_base" "$final_path/live/.env.production"
+ynh_app_setting_set "$app" secret_key_base "$secret_key_base"
 otp_secret=$(head -n128 /dev/urandom | tail -n +1 | tr -dc -d 'a-z0-9' | head -c128)
 ynh_replace_string "__OTP_SECRET__" "$otp_secret" "$final_path/live/.env.production"
+ynh_app_setting_set "$app" otp_secret "$otp_secret"
-ynh_replace_string "__SMTP_FROM_ADDRESS__" "$admin_mail" "${final_path}/live/.env.production"
-
-ynh_user_exists $app || ynh_die "LDAP User $app already exist"
+ldap_user="$app_ldap"
+ynh_user_exists $ldap_user || ynh_die "LDAP User $app already exist"
 ldap_password=$(head -n128 /dev/urandom | tail -n +1 | tr -dc -d 'a-z0-9' | head -c128)
 yunohost user create username f $app -l $app -m $app@$domain -p $ldap_password -q 0
-ynh_replace_string "__APP__" "$app" "${final_path}/live/.env.production"
+ynh_replace_string "__LDAP_USER__" "$ldap_user" "${final_path}/live/.env.production"
 ynh_replace_string "__LDAP_PASSWORD__" "$ldap_password" "${final_path}/live/.env.production"
+ynh_app_setting_set "$app" ldap_user "$ldap_user"
+ynh_app_setting_set "$app" ldap_password "$ldap_password"
 #=================================================
 # INSTALLING MASTODON
diff --git a/scripts/upgrade b/scripts/upgrade
index 668b7cf..0e0b84d 100644
--- a/scripts/upgrade
+++ b/scripts/upgrade
@@ -27,9 +27,16 @@ language=$(ynh_app_setting_get $app language)
 db_name=$(ynh_app_setting_get $app db_name)
 db_pwd=$(ynh_app_setting_get $app db_pwd)
+admin_mail=$(ynh_user_get_info $admin 'mail')
 port_web=$(ynh_app_setting_get "$app" port_web)
 port_stream=$(ynh_app_setting_get "$app" port_stream)
+paperclip_secret=$(ynh_app_setting_get "$app" paperclip_secret)
+secret_key_base=$(ynh_app_setting_get "$app" secret_key_base)
+otp_secret=$(ynh_app_setting_get "$app" otp_secret)
+ldap_user=$(ynh_app_setting_get "$app" ldap_user)
+ldap_password=$(ynh_app_setting_get "$app" ldap_password)
+
 #=================================================
 # ENSURE DOWNWARD COMPATIBILITY
 #=================================================
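Review bot: `ldap_user="$app_ldap"` expands a variable named `app_ldap`, which nothing sets, so `ldap_user` is empty (or the script aborts under `set -u`); the intent is clearly `ldap_user="${app}_ldap"`. With it empty, `ynh_user_exists $ldap_user` runs with no argument, `__LDAP_USER__` is replaced by nothing, the persisted `ldap_user` setting is blank, and the `yunohost user create username f $app ...` line (still broken arguments, still not using `$ldap_user`) attempts to create an account under a different name than the one written to `LDAP_BIND_DN`. The `ynh_user_exists ... || ynh_die` guard is also still inverted. Later context in this series shows `ldap_user="${app}ldap"`, so the name was fixed afterwards; the create line should use `"$ldap_user"` so the bind DN and the account agree.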
@@ -62,6 +69,33 @@ if [[ -z "$db_pwd" ]]; then
 ynh_replace_string "DB_PASS=" "DB_PASS=${db_pwd}" "${final_path}/live/.env.production"
 fi
+# If paperclip_secret doesn't exist, retrieve it or create it
+if [[ -z "$paperclip_secret" ]]; then
+ paperclip_secret=$(head -n128 /dev/urandom | tail -n +1 | tr -dc -d 'a-z0-9' | head -c128)
+ ynh_app_setting_set "$app" paperclip_secret "$paperclip_secret"
+fi
+
+# If secret_key_base doesn't exist, retrieve it or create it
+if [[ -z "$secret_key_base" ]]; then
+ secret_key_base=$(head -n128 /dev/urandom | tail -n +1 | tr -dc -d 'a-z0-9' | head -c128)
+ ynh_app_setting_set "$app" secret_key_base "$secret_key_base"
+fi
+
+# If otp_secret doesn't exist, retrieve it or create it
+if [[ -z "$otp_secret" ]]; then
+ otp_secret=$(head -n128 /dev/urandom | tail -n +1 | tr -dc -d 'a-z0-9' | head -c128)
+ ynh_app_setting_set "$app" otp_secret "$otp_secret"
+fi
+
+# If ldap_password doesn't exist, retrieve it or create it
+if [[ -z "$ldap_user" ]]; then
+ ynh_user_exists $ldap_user || ynh_die "LDAP User $app already exist"
+ ldap_password=$(head -n128 /dev/urandom | tail -n +1 | tr -dc -d 'a-z0-9' | head -c128)
+ yunohost user create username f $app -l $app -m $app@$domain -p $ldap_password -q 0
+ ynh_app_setting_set "$app" ldap_user "$ldap_user"
+ ynh_app_setting_set "$app" ldap_password "$ldap_password"
+fi
+
 #=================================================
 # BACKUP BEFORE UPGRADE THEN ACTIVE TRAP
 #=================================================
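Review bot: The last block tests `[[ -z "$ldap_user" ]]` and then uses `$ldap_user` inside the branch, so whenever it runs the variable is empty: `ynh_user_exists` is called with no argument, `yunohost user create username f $app ...` targets a differently named account, and `ynh_app_setting_set "$app" ldap_user "$ldap_user"` persists an empty string, leaving the next upgrade in exactly the same state. Assign the name first, e.g. make `ldap_user="${app}_ldap"` the first line of the branch, and create the account with `"$ldap_user"`; the `ynh_user_exists ... || ynh_die` guard is inverted here too (it should be `&&`), and the comment says ldap_password while the test is on ldap_user. The three secret blocks above are commented "retrieve it or create it" but only create, so an installation whose settings were never stored gets fresh random values on this path rather than the ones already in `.env.production`.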
@@ -156,6 +190,39 @@ ynh_install_ruby --ruby_version=2.6.0
 /opt/rbenv/versions/2.6.0/bin/gem update --system
 #/opt/rbenv/versions/2.6.0/bin/gem install bundler
+#=================================================
+# MODIFY A CONFIG FILE
+#=================================================
+
+cp -f ../conf/.env.production.sample "$final_path/live/.env.production"
+ynh_replace_string "__DB_USER__" "$app" "$final_path/live/.env.production"
+ynh_replace_string "__DB_NAME__" "$db_name" "$final_path/live/.env.production"
+ynh_replace_string "__DB_PWD__" "$db_pwd" "$final_path/live/.env.production"
+ynh_replace_string "__DOMAIN__" "$domain" "$final_path/live/.env.production"
+ynh_replace_string "__SMTP_FROM_ADDRESS__" "$admin_mail" "${final_path}/live/.env.production"
+
+language="$(echo $language | head -c 2)"
+ynh_replace_string "__LANGUAGE__" "$language" "$final_path/live/.env.production"
+
+paperclip_secret=$(head -n128 /dev/urandom | tail -n +1 | tr -dc -d 'a-z0-9' | head -c128)
+ynh_replace_string "PAPERCLIP_SECRET=" "PAPERCLIP_SECRET=$paperclip_secret" "${final_path}/live/.env.production"
+ynh_app_setting_set "$app" paperclip_secret "$paperclip_secret"
+
+secret_key_base=$(head -n128 /dev/urandom | tail -n +1 | tr -dc -d 'a-z0-9' | head -c128)
+ynh_replace_string "__SECRET_KEY_BASE__" "$secret_key_base" "$final_path/live/.env.production"
+ynh_app_setting_set "$app" secret_key_base "$secret_key_base"
+
+otp_secret=$(head -n128 /dev/urandom | tail -n +1 | tr -dc -d 'a-z0-9' | head -c128)
+ynh_replace_string "__OTP_SECRET__" "$otp_secret" "$final_path/live/.env.production"
+ynh_app_setting_set "$app" otp_secret "$otp_secret"
+
+ynh_user_exists $app || ynh_die "LDAP User $app already exist"
+ldap_password=$(head -n128 /dev/urandom | tail -n +1 | tr -dc -d 'a-z0-9' | head -c128)
+yunohost user create username f $app -l $app -m $app@$domain -p $ldap_password -q 0
+ynh_replace_string "__APP__" "$app" "${final_path}/live/.env.production"
+ynh_replace_string "__LDAP_PASSWORD__" "$ldap_password" "${final_path}/live/.env.production"
+ynh_app_setting_set "$app" ldap_password "$ldap_password"
+
 #=================================================
 # UPGRADE MASTODON
 #=================================================
@@ -182,7 +249,7 @@ ynh_store_file_checksum "${final_path}/live/.env.production"
 #=================================================
 # SETUP CRON JOB FOR REMOVING CACHE
 #=================================================
-ynh_print_info "Setuping a cron job for remiving cache..."
+ynh_print_info "Setuping a cron job for removing cache..."
 ynh_replace_string "__FINAL_PATH__" "$final_path" ../conf/cron
 ynh_replace_string "__USER__" "$app" ../conf/cron
-- cgit v1.2.3-70-g09d2
From d1a1e67008d0838257528344d56b285ad7a39f34 Mon Sep 17 00:00:00 2001
From: yalh76
Date: Sat, 23 Mar 2019 02:58:59 +0100
Subject: fix key for upgrade
---
 conf/.env.production.sample | 21 +++++++++++----------
 scripts/install | 17 ++++++++++++++---
 scripts/upgrade | 27 ++++++++++++++++++++++++---
 3 files changed, 49 insertions(+), 16 deletions(-)
(limited to 'conf/.env.production.sample')
diff --git a/conf/.env.production.sample b/conf/.env.production.sample
index 68249e1..6606352 100644
--- a/conf/.env.production.sample
+++ b/conf/.env.production.sample
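Review bot: The MODIFY A CONFIG FILE block regenerates `paperclip_secret`, `secret_key_base` and `otp_secret` from `/dev/urandom` on every upgrade, discarding the values the script just loaded from app settings and stored in the compatibility block above; rotating `SECRET_KEY_BASE` invalidates every session and signed cookie, and rotating `OTP_SECRET` leaves all users' stored two-factor secrets undecryptable. The block should substitute the already-loaded variables and stop generating new ones. It is also out of step with the sample changed in this same commit: the sample now carries `__LDAP_USER__`, but the upgrade still replaces `__APP__`, so `LDAP_BIND_DN` keeps the literal placeholder, and the user-creation lines duplicate the compatibility block (same inverted `ynh_user_exists` guard, same broken `username f $app` arguments) and can go. Note too that the sample file shown in this series contains no `PAPERCLIP_SECRET=` line, so `ynh_replace_string "PAPERCLIP_SECRET=" ...` has nothing to match — verify the key exists in the sample or add it.
```shell
cp -f ../conf/.env.production.sample "$final_path/live/.env.production"
# … unchanged: __DB_USER__/__DB_NAME__/__DB_PWD__/__DOMAIN__/__SMTP_FROM_ADDRESS__/__LANGUAGE__ substitutions …

# Reuse the secrets loaded from app settings (created above when missing);
# generating new ones here would invalidate every session and every stored 2FA secret.
ynh_replace_string "PAPERCLIP_SECRET=" "PAPERCLIP_SECRET=$paperclip_secret" "${final_path}/live/.env.production"
ynh_replace_string "__SECRET_KEY_BASE__" "$secret_key_base" "$final_path/live/.env.production"
ynh_replace_string "__OTP_SECRET__" "$otp_secret" "$final_path/live/.env.production"

# The LDAP account is handled in the downward-compatibility block; only substitute here,
# using the placeholder names the sample actually contains.
ynh_replace_string "__LDAP_USER__" "$ldap_user" "${final_path}/live/.env.production"
ynh_replace_string "__LDAP_PASSWORD__" "$ldap_password" "${final_path}/live/.env.production"
```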
@@ -36,6 +36,17 @@ LOCAL_DOMAIN=__DOMAIN__
 SECRET_KEY_BASE=__SECRET_KEY_BASE__
 OTP_SECRET=__OTP_SECRET__
+# VAPID keys (used for push notifications
+# You can generate the keys using the following command (first is the private key, second is the public one)
+# You should only generate this once per instance. If you later decide to change it, all push subscription will
+# be invalidated, requiring the users to access the website again to resubscribe.
+#
+# Generate with `RAILS_ENV=production bundle exec rake mastodon:webpush:generate_vapid_key` task (`docker-compose run --rm web rake mastodon:webpush:generate_vapid_key` if you use docker compose)
+#
+# For more information visit https://rossta.net/blog/using-the-web-push-api-with-vapid.html
+VAPID_PRIVATE_KEY=__VAPID_PRIVATE_KEY__
+VAPID_PUBLIC_KEY=__VAPID_PUBLIC_KEY__
+
 # Registrations
 # Single user mode will disable registrations and redirect frontpage to the first profile
 # SINGLE_USER_MODE=true
@@ -219,13 +230,3 @@ LDAP_UID=uid
 # http_proxy=http://gateway.local:8118
 # Access control for hidden service.
 # ALLOW_ACCESS_TO_HIDDEN_SERVICE=true
-
-
-# VAPID keys (used for push notifications
-# You can generate the keys using the following command (first is the private key, second is the public one)
-# You should only generate this once per instance. If you later decide to change it, all push subscription will
-# be invalidated, requiring the users to access the website again to resubscribe.
-#
-# Generate with `RAILS_ENV=production bundle exec rake mastodon:webpush:generate_vapid_key` task (`docker-compose run --rm web rake mastodon:webpush:generate_vapid_key` if you use docker compose)
-#
-# For more information visit https://rossta.net/blog/using-the-web-push-api-with-vapid.html
diff --git a/scripts/install b/scripts/install
index bc2229c..2d43ce7 100644
--- a/scripts/install
+++ b/scripts/install
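Review bot: The reinstated block's first comment, `# VAPID keys (used for push notifications`, still lacks its closing parenthesis, and the "Generate with …" instruction no longer describes this package, where the install script now fills `__VAPID_PRIVATE_KEY__` and `__VAPID_PUBLIC_KEY__` itself. Suggest `# VAPID keys (used for push notifications)` plus a line such as `# Filled in by the YunoHost install script; do not regenerate by hand, or every push subscription is invalidated.`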
@@ -181,8 +181,8 @@ ynh_replace_string "__OTP_SECRET__" "$otp_secret" "$final_path/live/.env.product
 ynh_app_setting_set "$app" otp_secret "$otp_secret"
 ldap_user="${app}ldap"
-ldap_password=$(head -n128 /dev/urandom | tail -n +1 | tr -dc -d 'a-z0-9' | head -c128)
-yunohost user create username -f $ldap_user -l $ldap_user -m $app@$domain -p $ldap_password -q 0
+ldap_password=$(head -n32 /dev/urandom | tail -n +1 | tr -dc -d 'a-z0-9' | head -c32)
+yunohost user create $ldap_user -f $ldap_user -l $ldap_user -m $app@$domain -p $ldap_password -q 0
 ynh_replace_string "__LDAP_USER__" "$ldap_user" "${final_path}/live/.env.production"
 ynh_replace_string "__LDAP_PASSWORD__" "$ldap_password" "${final_path}/live/.env.production"
 ynh_app_setting_set "$app" ldap_user "$ldap_user"
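Review bot: `-p $ldap_password` still hands the freshly generated secret to `yunohost user create` on the command line, where it is visible in process listings and in any `set -x` trace, and `$ldap_user`, `$app@$domain` and `$ldap_password` are all unquoted. If the CLI can take the password from stdin or a prompt, prefer that; otherwise at least quote every expansion: `yunohost user create "$ldap_user" -f "$ldap_user" -l "$ldap_user" -m "$app@$domain" -p "$ldap_password" -q 0`. The shorter 32-character `[a-z0-9]` password is still roughly 165 bits, so the length change itself is fine; `tr -dc -d 'a-z0-9'` passes `-d` twice and can simply be `tr -dc 'a-z0-9'`.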
@@ -202,13 +202,24 @@ pushd "$final_path/live"
 sudo -u "$app" echo "SAFETY_ASSURED=1">> .env.production
 sudo -u "$app" env PATH=$PATH RAILS_ENV=production /opt/rbenv/versions/2.6.0/bin/bundle exec rails db:migrate --quiet
 sudo -u "$app" env PATH=$PATH RAILS_ENV=production /opt/rbenv/versions/2.6.0/bin/bundle exec rails assets:precompile --quiet
- sudo -u "$app" env PATH=$PATH RAILS_ENV=production /opt/rbenv/versions/2.6.0/bin/bundle exec rake mastodon:webpush:generate_vapid_key >> "${final_path}/live/.env.production"
+ sudo -u "$app" env PATH=$PATH RAILS_ENV=production /opt/rbenv/versions/2.6.0/bin/bundle exec rake mastodon:webpush:generate_vapid_key > key.txt
 sudo -u "$app" env PATH=$PATH RAILS_ENV=production bin/tootctl accounts create "$admin" --email="$admin_mail" --confirmed --role=admin > acc.txt
 popd
 admin_pass=$( tail -1 $final_path/live/acc.txt | head -1 | cut -c 15- )
 ynh_secure_remove "$final_path/live/acc.txt"
+vapid_private_key=$(grep -oP "VAPID_PRIVATE_KEY=\K\w+" "$final_path/live/key.txt")
+vapid_public_key=$(grep -oP "VAPID_PUBLIC_KEY=\K\w+" "$final_path/live/key.txt")
+
+ynh_replace_string "__VAPID_PRIVATE_KEY__" "$vapid_private_key" "${final_path}/live/.env.production"
+ynh_replace_string "__VAPID_PUBLIC_KEY__" "$vapid_public_key" "${final_path}/live/.env.production"
+
+ynh_app_setting_set "$app" vapid_private_key "$vapid_private_key"
+ynh_app_setting_set "$app" vapid_public_key "$vapid_public_key"
+
+ynh_secure_remove "$final_path/live/key.txt"
+
 #=================================================
 # SETUP CRON JOB FOR REMOVING CACHE
 #=================================================
diff --git a/scripts/upgrade b/scripts/upgrade
index fbe9ec7..c906570 100644
--- a/scripts/upgrade
+++ b/scripts/upgrade
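Review bot: `grep -oP "VAPID_PRIVATE_KEY=\K\w+"` stops at the first character outside `[A-Za-z0-9_]`; the keys printed by the rake task are URL-safe base64 (as in Mastodon's web-push integration — confirm against the pinned version), which can contain `-`, so either key may be silently truncated and push delivery would then fail. Match non-whitespace instead: `vapid_private_key=$(grep -oP "VAPID_PRIVATE_KEY=\K\S+" "$final_path/live/key.txt")`, and the same for the public key. Separately, `> key.txt` is performed by the root shell (the redirection is outside `sudo -u "$app"`) with root's default umask, so the private key sits in `$final_path/live` with whatever mode that yields until `ynh_secure_remove` runs; capturing the task's output into a variable (`vapid_keys=$(sudo -u "$app" … generate_vapid_key)`) and grepping that avoids the temporary file entirely. The `pushd` that opens this block is outside the hunk.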
@@ -36,6 +36,8 @@ secret_key_base=$(ynh_app_setting_get "$app" secret_key_base)
 otp_secret=$(ynh_app_setting_get "$app" otp_secret)
 ldap_user=$(ynh_app_setting_get "$app" ldap_user)
 ldap_password=$(ynh_app_setting_get "$app" ldap_password)
+vapid_private_key=$(ynh_app_setting_get "$app" vapid_private_key)
+vapid_public_key=$(ynh_app_setting_get "$app" vapid_public_key)
 
 #=================================================
 # ENSURE DOWNWARD COMPATIBILITY
@@ -71,19 +73,28 @@ fi
 
 # If paperclip_secret doesn't exist, retrieve it or create it
 if [[ -z "$paperclip_secret" ]]; then
- paperclip_secret=$(head -n128 /dev/urandom | tail -n +1 | tr -dc -d 'a-z0-9' | head -c128)
+ paperclip_secret=$(grep -oP "PAPERCLIP_SECRET=\K\w+" test)
+ if [[ -z "$paperclip_secret" ]]; then
+ paperclip_secret=$(head -n128 /dev/urandom | tail -n +1 | tr -dc -d 'a-z0-9' | head -c128)
+ fi
 ynh_app_setting_set "$app" paperclip_secret "$paperclip_secret"
 fi
 
 # If secret_key_base doesn't exist, retrieve it or create it
 if [[ -z "$secret_key_base" ]]; then
- secret_key_base=$(head -n128 /dev/urandom | tail -n +1 | tr -dc -d 'a-z0-9' | head -c128)
+ secret_key_base=$(grep -oP "SECRET_KEY_BASE=\K\w+" test)
+ if [[ -z "$secret_key_base" ]]; then
+ secret_key_base=$(head -n128 /dev/urandom | tail -n +1 | tr -dc -d 'a-z0-9' | head -c128)
+ fi
 ynh_app_setting_set "$app" secret_key_base "$secret_key_base"
 fi
 
 # If otp_secret doesn't exist, retrieve it or create it
 if [[ -z "$otp_secret" ]]; then
- otp_secret=$(head -n128 /dev/urandom | tail -n +1 | tr -dc -d 'a-z0-9' | head -c128)
+ otp_secret=$(grep -oP "OTP_SECRET=\K\w+" test)
+ if [[ -z "$otp_secret" ]]; then
+ otp_secret=$(head -n128 /dev/urandom | tail -n +1 | tr -dc -d 'a-z0-9' | head -c128)
+ fi
 ynh_app_setting_set "$app" otp_secret "$otp_secret"
 fi
 
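Review bot: The three recovery reads in the @@ -71,19 +73,28 @@ hunk, `grep -oP "PAPERCLIP_SECRET=\K\w+" test`, `grep -oP "SECRET_KEY_BASE=\K\w+" test` and `grep -oP "OTP_SECRET=\K\w+" test`, look up a file literally named `test` in the script's working directory; on an installed instance that file does not exist, grep fails, the variable stays empty and the fallback mints a new secret, so the existing value is never recovered. That matters because regenerating SECRET_KEY_BASE invalidates every session and signed cookie, and regenerating OTP_SECRET, which Mastodon uses to encrypt stored two-factor secrets, locks out every user with 2FA enabled — the exact outcome this block exists to avoid. The file to read is presumably the current config, e.g. `paperclip_secret=$(grep -oP "PAPERCLIP_SECRET=\K\w+" "$final_path/live/.env.production" || true)`, with the `|| true` because grep exits non-zero when the key is absent, which would abort the script if the error trap is already armed; the "BACKUP BEFORE UPGRADE THEN ACTIVE TRAP" section header later in the file suggests it is armed only after this point, but that is outside this hunk.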
@@ -234,6 +245,16 @@ pushd "$final_path/live"
 sudo -u "$app" env PATH=$PATH RAILS_ENV=production /opt/rbenv/versions/2.6.0/bin/bundle exec rails db:migrate
 popd
 
+# If vapid_private_key doesn't exist, retrieve it or create it
+if [[ -z "$vapid_private_key" ]]; then
+ sudo -u "$app" env PATH=$PATH RAILS_ENV=production /opt/rbenv/versions/2.6.0/bin/bundle exec rake mastodon:webpush:generate_vapid_key > key.txt
+ vapid_private_key=$(grep -oP "VAPID_PRIVATE_KEY=\K\w+" "$final_path/live/key.txt")
+ vapid_public_key=$(grep -oP "VAPID_PUBLIC_KEY=\K\w+" "$final_path/live/key.txt")
+ ynh_app_setting_set "$app" vapid_private_key "$vapid_private_key"
+ ynh_app_setting_set "$app" vapid_public_key "$vapid_public_key"
+ ynh_secure_remove "$final_path/live/key.txt"
+fi
+
 # Recalculate and store the checksum of the file for the next upgrade.
 ynh_store_file_checksum "${final_path}/live/.env.production"
 
-- 
cgit v1.2.3-70-g09d2
From 37e462d1adacc1f011aedac4209bccae36535275 Mon Sep 17 00:00:00 2001
From: yalh76
Date: Sat, 23 Mar 2019 03:33:44 +0100
Subject: removed LDAP
Mastodon LDAP need authentication Wasn't able to create a dedicated user
---
 conf/.env.production.sample | 14 +++++++-------
 scripts/install | 8 --------
 scripts/remove | 7 -------
 scripts/upgrade | 15 ---------------
 4 files changed, 7 insertions(+), 37 deletions(-)
(limited to 'conf/.env.production.sample')
diff --git a/conf/.env.production.sample b/conf/.env.production.sample
index 6606352..d6bd0c6 100644
--- a/conf/.env.production.sample
+++ b/conf/.env.production.sample
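Review bot: The new block runs `rake mastodon:webpush:generate_vapid_key > key.txt` after the `popd`, so the working directory is no longer `$final_path/live`: bundle is not run from the app directory, and whatever is written lands in `key.txt` relative to the script's cwd, while both greps and the `ynh_secure_remove` look at `$final_path/live/key.txt` — the settings end up empty and, if generation did succeed, a file holding the private key is left behind. It also never consults the existing `.env.production`, which on instances installed before this commit already contains the keys (the install script used to append them there, see the removed line in the scripts/install hunk at @@ -202,13 +202,24 @@); generating new keys on upgrade invalidates every existing browser push subscription. Recovery has to happen before that file is regenerated, which the `__OTP_SECRET__` substitution at @@ -222,9 +210,6 @@ suggests occurs earlier in the script, so it belongs beside the other secret recoveries in the ENSURE DOWNWARD COMPATIBILITY section, guarded so that a literal `__VAPID_PRIVATE_KEY__` placeholder is not taken for a key. For the generation step itself, run it from the app directory and keep the output in a variable instead of a file, with `\S+` so a URL-safe base64 key containing `-` is not truncated; nothing in this hunk writes the values back into `.env.production`, and if that happens elsewhere it is outside this hunk.

```shell
# If vapid_private_key doesn't exist, create it (recovering it from the
# previous .env.production must happen earlier, before that file is rewritten)
if [[ -z "$vapid_private_key" ]]; then
  pushd "$final_path/live"
  vapid_keys=$(sudo -u "$app" env PATH=$PATH RAILS_ENV=production /opt/rbenv/versions/2.6.0/bin/bundle exec rake mastodon:webpush:generate_vapid_key)
  popd
  vapid_private_key=$(grep -oP "VAPID_PRIVATE_KEY=\K\S+" <<<"$vapid_keys")
  vapid_public_key=$(grep -oP "VAPID_PUBLIC_KEY=\K\S+" <<<"$vapid_keys")
  ynh_app_setting_set "$app" vapid_private_key "$vapid_private_key"
  ynh_app_setting_set "$app" vapid_public_key "$vapid_public_key"
fi
```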
@@ -154,14 +154,14 @@ STREAMING_CLUSTER_NUM=1
 # GID=1000
 
 # LDAP authentication (optional)
-LDAP_ENABLED=true
-LDAP_HOST=localhost
-LDAP_PORT=389
+# LDAP_ENABLED=true
+# LDAP_HOST=localhost
+# LDAP_PORT=389
 # LDAP_METHOD=simple_tls
-LDAP_BASE=ou=users,dc=yunohost,dc=org
-LDAP_BIND_DN=uid=__LDAP_USER__,ou=users,dc=yunohost,dc=org
-LDAP_PASSWORD=__LDAP_PASSWORD__
-LDAP_UID=uid
+# LDAP_BASE=ou=users,dc=yunohost,dc=org
+# LDAP_BIND_DN=uid=__LDAP_USER__,ou=users,dc=yunohost,dc=org
+# LDAP_PASSWORD=__LDAP_PASSWORD__
+# LDAP_UID=uid
 # LDAP_SEARCH_FILTER="%{uid}=%{email}"
 
 # PAM authentication (optional)
diff --git a/scripts/install b/scripts/install
index 2d43ce7..feb0a70 100644
--- a/scripts/install
+++ b/scripts/install
@@ -180,14 +180,6 @@ otp_secret=$(head -n128 /dev/urandom | tail -n +1 | tr -dc -d 'a-z0-9' | head -c
 ynh_replace_string "__OTP_SECRET__" "$otp_secret" "$final_path/live/.env.production"
 ynh_app_setting_set "$app" otp_secret "$otp_secret"
 
-ldap_user="${app}ldap"
-ldap_password=$(head -n32 /dev/urandom | tail -n +1 | tr -dc -d 'a-z0-9' | head -c32)
-yunohost user create $ldap_user -f $ldap_user -l $ldap_user -m $app@$domain -p $ldap_password -q 0
-ynh_replace_string "__LDAP_USER__" "$ldap_user" "${final_path}/live/.env.production"
-ynh_replace_string "__LDAP_PASSWORD__" "$ldap_password" "${final_path}/live/.env.production"
-ynh_app_setting_set "$app" ldap_user "$ldap_user"
-ynh_app_setting_set "$app" ldap_password "$ldap_password"
-
 #=================================================
 # INSTALLING MASTODON
 #=================================================
diff --git a/scripts/remove b/scripts/remove
index 73a9bf7..3436bce 100644
--- a/scripts/remove
+++ b/scripts/remove
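Review bot: The commented-out `# LDAP_BIND_DN=uid=__LDAP_USER__,ou=users,dc=yunohost,dc=org` and `# LDAP_PASSWORD=__LDAP_PASSWORD__` lines keep the `__LDAP_USER__` and `__LDAP_PASSWORD__` placeholders, but the scripts/install hunk in this same commit removes the `ynh_replace_string` calls that used to fill them, so an admin who uncomments the block gets the literal placeholders as bind DN and password. Either replace them with neutral example values or add a comment above the block such as `# Not managed by the install script: the __LDAP_USER__/__LDAP_PASSWORD__ placeholders below are not substituted, fill them in by hand if you enable LDAP.`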
@@ -99,13 +99,6 @@ ynh_remove_nginx_config
 
 #=================================================
 # SPECIFIC REMOVE
-#=================================================
-# REMOVE LDAP USER
-#=================================================
-
-# Remove $app LDAP User
-yunohost user delete $app --purge
-
 #=================================================
 # REMOVE THE CRON FILE
 #=================================================
diff --git a/scripts/upgrade b/scripts/upgrade
index c906570..c5f19f3 100644
--- a/scripts/upgrade
+++ b/scripts/upgrade
@@ -34,8 +34,6 @@ port_stream=$(ynh_app_setting_get "$app" port_stream)
 paperclip_secret=$(ynh_app_setting_get "$app" paperclip_secret)
 secret_key_base=$(ynh_app_setting_get "$app" secret_key_base)
 otp_secret=$(ynh_app_setting_get "$app" otp_secret)
-ldap_user=$(ynh_app_setting_get "$app" ldap_user)
-ldap_password=$(ynh_app_setting_get "$app" ldap_password)
 vapid_private_key=$(ynh_app_setting_get "$app" vapid_private_key)
 vapid_public_key=$(ynh_app_setting_get "$app" vapid_public_key)
 
@@ -98,16 +96,6 @@ if [[ -z "$otp_secret" ]]; then
 ynh_app_setting_set "$app" otp_secret "$otp_secret"
 fi
 
-# If ldap_password doesn't exist, retrieve it or create it
-if [[ -z "$ldap_user" ]]; then
- ldap_user="${app}ldap"
- ynh_user_exists $ldap_user || ynh_die "LDAP User $ldap_user already exist"
- ldap_password=$(head -n128 /dev/urandom | tail -n +1 | tr -dc -d 'a-z0-9' | head -c128)
- yunohost user create username -f $ldap_user -l $ldap_user -m $app@$domain -p $ldap_password -q 0
- ynh_app_setting_set "$app" ldap_user "$ldap_user"
- ynh_app_setting_set "$app" ldap_password "$ldap_password"
-fi
-
 #=================================================
 # BACKUP BEFORE UPGRADE THEN ACTIVE TRAP
 #=================================================
@@ -222,9 +210,6 @@ ynh_replace_string "__SECRET_KEY_BASE__" "$secret_key_base" "$final_path/live/.e
 ynh_replace_string "__OTP_SECRET__" "$otp_secret" "$final_path/live/.env.production"
 
-ynh_replace_string "__LDAP_USER__" "$ldap_user" "${final_path}/live/.env.production"
-ynh_replace_string "__LDAP_PASSWORD__" "$ldap_password" "${final_path}/live/.env.production"
-
 #=================================================
 # UPGRADE MASTODON
 #=================================================
-- 
cgit v1.2.3-70-g09d2