Daemon (#127)

* add schema

* add daemon

* finalization

* fixes

* systemd config renamed to $app-daemon

* fixes

* fixes

* gorgotten yunohost service remove "$app"

* fixes

* fix StandardOutput

* fix this damn pidfile

* better comment for posterity

* fix yunohost service remove

* update config files

* fix domain name change

* use the provided config file template at install

* Auto-update README

* post install: show explicitely the admin login (email)

* trying to fix the systemd config

* fix pidfile config indentation

* add log path

* remove irrelevant comment

* delete an eventual remaining daemon.pid at restoration

* fixes

* fix a typo for all_users

* adding comment: "Removing the cron..."

* use ynh_secure_remove instead of rm

* add pre upgrade message about the daemon

* fix service name

* comment

---------

Co-authored-by: yunohost-bot <yunohost@yunohost.org>

conf/addon.config.php

@@ -1,6 +1,7 @@
 <?php
 // Addon configuration
-// Copy this configuration file to addon.config.php and edit it if you want to configure addons, see below example for the twitter addon
+// LDAP config for YunoHost
+
 return [
 	'ldapauth' => [
 		'ldap_server' => 'localhost',

conf/local-sample.config.php

@@ -1,20 +1,8 @@
 <?php
 
 // Local configuration
+// Docs: https://github.com/friendica/friendica/blob/stable/static/settings.config.php
 
-/* If automatic system installation fails:
- *
- * Copy this file to local.config.php
- *
- * Why local.config.php? Because it contains sensitive information which could
- * give somebody complete control of your database. Apache's default
- * configuration will interpret any .php file as a script and won't show the values
- *
- * Then set the following for your MySQL installation
- *
- * If you're unsure about what any of the config keys below do, please check the static/defaults.config.php file for
- * detailed documentation of their data type and behavior.
- */
 
 return [
 	'database' => [
@@ -37,11 +25,17 @@
 		'sitename' => 'Friendica Social Network',
 		'register_policy' => \Friendica\Module\Register::OPEN,
 		'max_import_size' => 200000,
+		'register_text' => '',
 	],
 	'system' => [
 		'url' => 'https://__DOMAIN__',
 		'basepath' => '__INSTALL_DIR__',
 		'default_timezone' => '__TIMEZONE__',
 		'language' => '__LANGUAGE__',
+		'pidfile' => '__INSTALL_DIR__/daemon.pid',
+		// Blocks search for users who are not logged in to prevent crawlers from blocking your system.
+		'local_search' => false,
+		'logfile' => '/var/log/friendica/friendica.log',
+		'loglevel' => 'notice',
 	],
 ];

conf/systemd.service

@@ -0,0 +1,59 @@
+[Unit]
+Description=Friendica daemon
+After=network.target mariadb.service
+Requires=network.target remote-fs.target nss-lookup.target
+
+[Service]
+User=__APP__
+Group=__APP__
+WorkingDirectory=__INSTALL_DIR__/
+Type=simple
+StandardOutput=append:/var/log/__APP__/daemon.log
+StandardError=inherit
+ExecStart=/usr/bin/php__PHPVERSION__ __INSTALL_DIR__/bin/daemon.php start
+ExecStop=/usr/bin/php__PHPVERSION__ __INSTALL_DIR__/bin/daemon.php stop
+PIDFile=__INSTALL_DIR__/daemon.pid
+PrivateTmp=true
+InaccessibleDirectories=/home /root /boot /opt /mnt /media
+ReadOnlyDirectories=/etc /usr
+Restart=always
+RestartSec=10
+StartLimitBurst=1
+StartLimitIntervalSec=10
+
+# Sandboxing options to harden security
+# Depending on specificities of your service/app, you may need to tweak these 
+# .. but this should be a good baseline
+# Details for these options: https://www.freedesktop.org/software/systemd/man/systemd.exec.html
+NoNewPrivileges=yes
+PrivateTmp=yes
+PrivateDevices=yes
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
+RestrictNamespaces=yes
+RestrictRealtime=yes
+DevicePolicy=closed
+ProtectClock=yes
+ProtectHostname=yes
+ProtectProc=invisible
+ProtectSystem=full
+ProtectControlGroups=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+LockPersonality=yes
+SystemCallArchitectures=native
+SystemCallFilter=~@clock @debug @module @mount @obsolete @reboot @setuid @swap @cpu-emulation @privileged
+
+# Denying access to capabilities that should not be relevant for webapps
+# Doc: https://man7.org/linux/man-pages/man7/capabilities.7.html
+CapabilityBoundingSet=~CAP_RAWIO CAP_MKNOD
+CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE
+CapabilityBoundingSet=~CAP_SYS_BOOT CAP_SYS_TIME CAP_SYS_MODULE CAP_SYS_PACCT
+CapabilityBoundingSet=~CAP_LEASE CAP_LINUX_IMMUTABLE CAP_IPC_LOCK
+CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_WAKE_ALARM
+CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG
+CapabilityBoundingSet=~CAP_MAC_ADMIN CAP_MAC_OVERRIDE
+CapabilityBoundingSet=~CAP_NET_ADMIN CAP_NET_BROADCAST CAP_NET_RAW
+CapabilityBoundingSet=~CAP_SYS_ADMIN CAP_SYS_PTRACE CAP_SYSLOG 
+
+[Install]
+WantedBy=multi-user.target

doc/POST_INSTALL.md

@@ -0,0 +1 @@
+You can now login to <https://__DOMAIN__> using `__EMAIL__` and your usual YunoHost password.

doc/POST_INSTALL_fr.md

@@ -0,0 +1 @@
+Vous pouvez désormais vous connecter à <https://__DOMAIN__> en utilisant `__EMAIL__` et votre mot de passe YunoHost habituel.

doc/PRE_UPGRADE.d/2023.12~ynh3.md

@@ -0,0 +1 @@
+This update will make your Friendica instance use a daemon to handle background tasks, instead of a cron.

manifest.toml

@@ -64,7 +64,7 @@ ram.runtime = "50M"
 [resources.permissions]
 main.url = "/"
 main.show_tile = true
-main.allowed = [ "visitors", "all-users" ]
+main.allowed = [ "visitors", "all_users" ]
 main.protected = true
 
 [resources.apt]

scripts/backup

@@ -54,7 +54,8 @@ ynh_backup --src_path="/etc/logrotate.d/$app"
 # BACKUP VARIOUS FILES
 #=================================================
 
-ynh_backup --src_path="/etc/cron.d/$app"
+ynh_backup --src_path="/var/log/$app"
+ynh_backup --src_path="/etc/systemd/system/$app-daemon.service"
 
 #=================================================
 # BACKUP THE MYSQL DATABASE

scripts/change_url

@@ -16,6 +16,15 @@ ynh_script_progression --message="Updating NGINX web server configuration..." --
 
 ynh_change_url_nginx_config
 
+#=================================================
+# MODIFY URL IN FRIENDICA CONF
+#=================================================
+
+ynh_print_info --message="Updating the Friendica config..."
+
+ynh_replace_string --match_string="'url' => 'https://.*'," --replace_string="'url' => 'https://$domain'," --target_file="$install_dir/config/local.config.php"
+ynh_store_file_checksum --file="$install_dir/config/local.config.php"
+
 #=================================================
 # END OF SCRIPT
 #=================================================

scripts/install

@@ -48,12 +48,12 @@ ynh_script_progression --message="Adding system configurations related to $app..
 # Create a dedicated PHP-FPM configy
 ynh_add_fpm_config
 
+ynh_add_systemd_config --service="$app-daemon"
+
 # Create a dedicated nginx config
 ynh_add_nginx_config
 
-ynh_add_config --template="cron" --destination="/etc/cron.d/$app"
-chown root: "/etc/cron.d/$app"
-chmod 644 "/etc/cron.d/$app"
+yunohost service add "$app-daemon" --description="Friendica daemon" --log="/var/log/$app/daemon.log"
 
 # Use logrotate to manage application logfile(s)
 ynh_use_logrotate
@@ -79,15 +79,19 @@ pushd "$install_dir"
 	ynh_exec_as "$app" "php$phpversion" bin/composer.phar install --no-dev --quiet
 
 	# Install application
-	ynh_exec_as "$app" "php$phpversion" bin/console.php autoinstall\
-		--dbhost "localhost" --dbdata "$db_name" --dbuser "$db_user" --dbpass "$db_pwd"\
-		--admin "$email" --tz "$timezone" --lang "$language" --url "https://$domain"
+	ynh_exec_as "$app" "php$phpversion" bin/console.php -f "$install_dir/config/local.config.php"
 
 	# Enable LDAP Auth addon
 	ynh_exec_as "$app" "php$phpversion" bin/console.php addon enable ldapauth
-
 popd
 
+#=================================================
+# START SYSTEMD SERVICE
+#=================================================
+ynh_script_progression --message="Starting a systemd service..." --weight=1
+
+ynh_systemd_action --service_name="$app-daemon" --action="start" --log_path="/var/log/$app/daemon.log"
+
 #=================================================
 # END OF SCRIPT
 #=================================================

scripts/remove

@@ -11,6 +11,17 @@ source /usr/share/yunohost/helpers
 
 #=================================================
 # REMOVE SYSTEM CONFIGURATIONS
+#=================================================
+# REMOVE SERVICE INTEGRATION IN YUNOHOST
+#=================================================
+
+# Remove the service from the list of services known by YunoHost (added from `yunohost service add`)
+if ynh_exec_warn_less yunohost service status "$app" >/dev/null
+then
+	ynh_script_progression --message="Removing $app service integration..." --weight=1
+	yunohost service remove "$app-daemon"
+fi
+
 #=================================================
 # REMOVE SYSTEMD SERVICE 
 #=================================================
@@ -27,7 +38,7 @@ ynh_remove_logrotate
 
 ynh_remove_fail2ban_config
 
-ynh_secure_remove --file="/etc/cron.d/$app"
+ynh_remove_systemd_config --service="$app-daemon"
 
 #=================================================
 # END OF SCRIPT

scripts/restore

@@ -17,6 +17,9 @@ ynh_script_progression --message="Restoring the app main directory..." --weight=
 
 ynh_restore_file --origin_path="$install_dir"
 
+if [ -f "$install_dir/daemon.pid" ]; then ynh_secure_remove --file="$install_dir/daemon.pid"; fi
+
+chmod -R o-rwx "$install_dir"
 chown -R "$app:www-data" "$install_dir"
 chmod -R 775 "$install_dir/view/smarty3"
 
@@ -38,14 +41,19 @@ ynh_restore_file --origin_path="/etc/php/$phpversion/fpm/pool.d/$app.conf"
 
 ynh_restore_file --origin_path="/etc/nginx/conf.d/$domain.d/$app.conf"
 
+ynh_restore_file --origin_path="/etc/systemd/system/$app-daemon.service"
+systemctl enable "$app-daemon.service" --quiet
+
+yunohost service add "$app-daemon" --description="Friendica daemon" --log="/var/log/$app/daemon.log"
+
+ynh_restore_file --origin_path="/var/log/$app"
+
 ynh_restore_file --origin_path="/etc/logrotate.d/$app"
 
 ynh_restore_file --origin_path="/etc/fail2ban/jail.d/$app.conf"
 ynh_restore_file --origin_path="/etc/fail2ban/filter.d/$app.conf"
 ynh_systemd_action --action=restart --service_name=fail2ban
 
-ynh_restore_file --origin_path="/etc/cron.d/$app"
-
 #=================================================
 # GENERIC FINALIZATION
 #=================================================
@@ -57,6 +65,8 @@ ynh_systemd_action --service_name="php$phpversion-fpm" --action=reload
 
 ynh_systemd_action --service_name=nginx --action=reload
 
+ynh_systemd_action --service_name="$app-daemon" --action="start" --log_path="/var/log/$app/daemon.log"
+
 #==============
 # FINALIZATION
 #==============

scripts/upgrade

@@ -20,7 +20,7 @@ upgrade_type=$(ynh_check_app_version_changed)
 #=================================================
 ynh_script_progression --message="Stopping a systemd service..." --weight=1
 
-ynh_systemd_action --service_name="$app" --action="stop" --log_path="/var/log/$app/$app.log"
+ynh_systemd_action --service_name="$app-daemon" --action="stop" --log_path="/var/log/$app/daemon.log"
 
 #=================================================
 # DOWNLOAD, CHECK AND UNPACK SOURCE
@@ -51,9 +51,14 @@ ynh_add_fpm_config
 
 ynh_use_logrotate --non-append
 
-ynh_add_config --template="cron" --destination="/etc/cron.d/$app"
-chown root: "/etc/cron.d/$app"
-chmod 644 "/etc/cron.d/$app"
+if [ -f "/etc/cron.d/$app" ]; then
+  ynh_print_info --message="Removing the legacy cron..."
+  ynh_secure_remove --file="/etc/cron.d/$app"
+fi
+
+ynh_add_systemd_config --service="$app-daemon"
+
+yunohost service add "$app-daemon" --description="Friendica daemon" --log="/var/log/$app/daemon.log"
 
 # Create a dedicated Fail2Ban config
 ynh_add_fail2ban_config --logpath="/var/log/nginx/${domain}-error.log" --failregex="^.*authenticate\: failed login attempt.*\"ip\"\:\"<HOST>\".*$"
@@ -65,7 +70,16 @@ ynh_script_progression --message="Updating a configuration file..." --weight=1
 
 # fix the url if necessary (there should be no trailing slash)
 if [ -f "$install_dir/config/local.config.php" ] && ! grep -q -e "'url' => 'https://$domain'," "$install_dir/config/local.config.php"; then
+  ynh_print_info --message="Patching the Friendica config file: fix the domain setting..."
   ynh_replace_string --match_string="'url' => 'https://.*'," --replace_string="'url' => 'https://$domain'," --target_file="$install_dir/config/local.config.php"
+  ynh_store_file_checksum --file="$install_dir/config/local.config.php"
+fi
+
+# add the path to the pidfile if missing
+if [ -f "$install_dir/config/local.config.php" ] && ! grep -q -e "pidfile" "$install_dir/config/local.config.php"; then
+  ynh_print_info --message="Patching the Friendica config file: add the PID file path for the daemon..."
+  ynh_replace_string --match_string="'basepath' => '$install_dir'," --replace_string="'basepath' => '$install_dir',\n                'pidfile' => '$install_dir/daemon.pid'," --target_file="$install_dir/config/local.config.php"
+  ynh_store_file_checksum --file="$install_dir/config/local.config.php"
 fi
 
 #=================================================
@@ -78,6 +92,13 @@ pushd "$install_dir"
  	ynh_exec_as "$app" "php$phpversion" bin/console.php dbstructure update
 popd
 
+#=================================================
+# START SYSTEMD SERVICE
+#=================================================
+ynh_script_progression --message="Starting a systemd service..." --weight=1
+
+ynh_systemd_action --service_name="$app-daemon" --action="start" --log_path="/var/log/$app/daemon.log"
+
 #=================================================
 # END OF SCRIPT
 #=================================================

tests.toml

@@ -1,3 +1,5 @@
+#:schema https://raw.githubusercontent.com/YunoHost/apps/master/schemas/tests.v1.schema.json
+
 test_format = 1.0
 
 [default]