Restore microservices service

YunoHost-Apps · Jun 15, 2024 · a88071a · a88071a
1 parent 8467950
commit a88071a
Show file tree

Hide file tree

Showing 8 changed files with 74 additions and 11 deletions.
diff --git a/conf/immich-microservices.service b/conf/immich-microservices.service
@@ -0,0 +1,54 @@
+[Unit]
+Description=Immich microservices
+Documentation=https://github.com/immich-app/immich
+Requires=redis-server.service
+Requires=postgresql.service
+After=network.target
+PartOf=immich-server.service
+Before=immich-server.service
+
+[Service]
+Type=simple
+Restart=on-failure
+User=__APP__
+Group=__APP__
+WorkingDirectory=__INSTALL_DIR__/app
+Environment="__YNH_NODE_LOAD_PATH__"
+EnvironmentFile=__INSTALL_DIR__/env-server
+ExecStart=__YNH_NODE__ __INSTALL_DIR__/app/dist/main microservices
+StandardOutput=append:/var/log/__APP__/__APP__-microservices.log
+StandardError=inherit
+Restart=on-failure
+
+# Sandboxing options to harden security
+# Depending on specificities of your service/app, you may need to tweak these
+# .. but this should be a good baseline
+# Details for these options: https://www.freedesktop.org/software/systemd/man/systemd.exec.html
+NoNewPrivileges=yes
+PrivateTmp=yes
+PrivateDevices=yes
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+RestrictNamespaces=yes
+RestrictRealtime=yes
+DevicePolicy=closed
+ProtectSystem=full
+ProtectControlGroups=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+LockPersonality=yes
+SystemCallFilter=~@clock @debug @module @mount @obsolete @reboot @setuid @swap
+
+# Denying access to capabilities that should not be relevant for webapps
+# Doc: https://man7.org/linux/man-pages/man7/capabilities.7.html
+CapabilityBoundingSet=~CAP_RAWIO CAP_MKNOD
+CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE
+CapabilityBoundingSet=~CAP_SYS_BOOT CAP_SYS_TIME CAP_SYS_MODULE CAP_SYS_PACCT
+CapabilityBoundingSet=~CAP_LEASE CAP_LINUX_IMMUTABLE CAP_IPC_LOCK
+CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_WAKE_ALARM
+CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG
+CapabilityBoundingSet=~CAP_MAC_ADMIN CAP_MAC_OVERRIDE
+CapabilityBoundingSet=~CAP_NET_ADMIN CAP_NET_BROADCAST CAP_NET_RAW
+CapabilityBoundingSet=~CAP_SYS_ADMIN CAP_SYS_PTRACE CAP_SYSLOG
+
+[Install]
+WantedBy=immich-server.service
diff --git a/conf/immich-server.service b/conf/immich-server.service
@@ -4,6 +4,7 @@ Documentation=https://github.com/immich-app/immich
 Requires=redis-server.service
 Requires=postgresql.service
 Requires=immich-machine-learning.service
+Requires=immich-microservices.service
 After=network.target
 
 [Service]

diff --git a/scripts/backup b/scripts/backup
@@ -28,6 +28,7 @@ ynh_backup --src_path="$data_dir" --is_big
 ynh_backup --src_path="/etc/nginx/conf.d/$domain.d/$app.conf"
 
 ynh_backup --src_path="/etc/systemd/system/$app-server.service"
+ynh_backup --src_path="/etc/systemd/system/$app-microservices.service"
 ynh_backup --src_path="/etc/systemd/system/$app-machine-learning.service"
 
 ynh_backup --src_path="/etc/logrotate.d/$app"

diff --git a/scripts/change_url b/scripts/change_url
@@ -11,6 +11,7 @@ source /usr/share/yunohost/helpers
 #=================================================
 ynh_script_progression --message="Stopping $app's systemd service..." --weight=1
 
+ynh_systemd_action --service_name="$app-microservices" --action="stop" --log_path="/var/log/$app/$app-microservices.log"
 ynh_systemd_action --service_name="$app-machine-learning" --action="stop" --log_path="/var/log/$app/$app-machine-learning.log"
 ynh_systemd_action --service_name="$app-server" --action="stop" --log_path="/var/log/$app/$app-server.log"
 
@@ -30,6 +31,7 @@ ynh_change_url_nginx_config
 #=================================================
 ynh_script_progression --message="Starting a systemd service..." --weight=1
 
+ynh_systemd_action --service_name="$app-microservices" --action="start" --line_match="Immich Microservices is listening" --log_path="/var/log/$app/$app-microservices.log"
 ynh_systemd_action --service_name="$app-machine-learning" --action="start" --line_match="Application startup complete" --log_path="/var/log/$app/$app-machine-learning.log"
 ynh_systemd_action --service_name="$app-server" --action="start" --line_match="Immich Server is listening" --log_path="/var/log/$app/$app-server.log"
 

diff --git a/scripts/install b/scripts/install
@@ -72,9 +72,11 @@ ynh_script_progression --message="Adding system configurations related to $app..
 ynh_add_nginx_config
 
 ynh_add_systemd_config --service="$app-server" --template="immich-server.service"
+ynh_add_systemd_config --service="$app-microservices" --template="immich-microservices.service"
 ynh_add_systemd_config --service="$app-machine-learning" --template="immich-machine-learning.service"
 
 yunohost service add "$app-server" --description="Immich Server" --log="/var/log/$app/$app-server.log"
+yunohost service add "$app-microservices" --description="Immich Microservices" --log="/var/log/$app/$app-microservices.log"
 yunohost service add "$app-machine-learning" --description="Immich Machine Learning" --log="/var/log/$app/$app-machine-learning.log"
 
 ynh_multimedia_build_main_dir
@@ -89,6 +91,7 @@ ynh_add_fail2ban_config --logpath="/var/log/$app/$app-server.log" --failregex="$
 #=================================================
 ynh_script_progression --message="Starting a systemd service..."
 
+ynh_systemd_action --service_name="$app-microservices" --action="start" --line_match="Immich Microservices is listening" --log_path="/var/log/$app/$app-microservices.log"
 ynh_systemd_action --service_name="$app-machine-learning" --action="start" --line_match="Application startup complete" --log_path="/var/log/$app/$app-machine-learning.log"
 ynh_systemd_action --service_name="$app-server" --action="start" --line_match="Immich Server is listening" --log_path="/var/log/$app/$app-server.log"
 

diff --git a/scripts/remove b/scripts/remove
@@ -15,12 +15,16 @@ ynh_script_progression --message="Removing system configurations related to $app
 if ynh_exec_warn_less yunohost service status "$app-server" >/dev/null; then
 	yunohost service remove "$app-server"
 fi
+if ynh_exec_warn_less yunohost service status "$app-microservices" >/dev/null; then
+	yunohost service remove "$app-microservices"
+fi
 if ynh_exec_warn_less yunohost service status "$app-machine-learning" >/dev/null; then
 	yunohost service remove "$app-machine-learning"
 fi
 
 # Remove the dedicated systemd config
 ynh_remove_systemd_config --service="immich-server"
+ynh_remove_systemd_config --service="immich-microservices"
 ynh_remove_systemd_config --service="immich-machine-learning"
 
 # Remove the app-specific fail2ban config

diff --git a/scripts/restore b/scripts/restore
@@ -59,12 +59,15 @@ ynh_script_progression --message="Restoring system configurations related to $ap
 ynh_restore_file --origin_path="/etc/nginx/conf.d/$domain.d/$app.conf"
 
 ynh_restore_file --origin_path="/etc/systemd/system/$app-server.service"
+ynh_restore_file --origin_path="/etc/systemd/system/$app-microservices.service"
 ynh_restore_file --origin_path="/etc/systemd/system/$app-machine-learning.service"
 
 systemctl enable "$app-server.service" --quiet
+systemctl enable "$app-microservices.service" --quiet
 systemctl enable "$app-machine-learning.service" --quiet
 
 yunohost service add "$app-server" --description="Immich Server" --log="/var/log/$app/$app-server.log"
+yunohost service add "$app-microservices" --description="Immich Microservices" --log="/var/log/$app/$app-microservices.log"
 yunohost service add "$app-machine-learning" --description="Immich Machine Learning" --log="/var/log/$app/$app-machine-learning.log"
 
 ynh_multimedia_build_main_dir
@@ -86,6 +89,7 @@ ynh_restore_file --origin_path="/var/log/$app/"
 #=================================================
 ynh_script_progression --message="Reloading NGINX web server and $app's service..." --weight=1
 
+ynh_systemd_action --service_name="$app-microservices" --action="start" --line_match="Immich Microservices is listening" --log_path="/var/log/$app/$app-microservices.log"
 ynh_systemd_action --service_name="$app-machine-learning" --action="start" --line_match="Application startup complete" --log_path="/var/log/$app/$app-machine-learning.log"
 ynh_systemd_action --service_name="$app-server" --action="start" --line_match="Immich Server is listening" --log_path="/var/log/$app/$app-server.log"
 

diff --git a/scripts/upgrade b/scripts/upgrade
@@ -12,22 +12,13 @@ source /usr/share/yunohost/helpers
 ynh_script_progression --message="Stopping a systemd service..." --weight=1
 
 ynh_systemd_action --service_name="$app-server" --action="stop"
+ynh_systemd_action --service_name="$app-microservices" --action="stop"
 ynh_systemd_action --service_name="$app-machine-learning" --action="stop"
 
 #=================================================
 # ENSURE DOWNWARD COMPATIBILITY
 #=================================================
-ynh_script_progression --message="Ensuring downward compatibility..." --weight=1
-
-if ynh_compare_current_package_version --comparison lt --version 1.106.4~ynh1
-then
-	ynh_systemd_action --service_name="$app-microservices" --action="stop"
-	if ynh_exec_warn_less yunohost service status "$app-microservices" >/dev/null; then
-		yunohost service remove "$app-microservices"
-	fi
-	ynh_remove_systemd_config --service="immich-microservices"
-	ynh_secure_remove --file="/var/log/$app/$app-microservices.log"
-fi
+#ynh_script_progression --message="Ensuring downward compatibility..." --weight=1
 
 #=================================================
 # DOWNLOAD, CHECK AND UNPACK SOURCE
@@ -85,8 +76,10 @@ ynh_script_progression --message="Upgrading system configurations related to $ap
 ynh_add_nginx_config
 
 ynh_add_systemd_config --service="$app-server" --template="immich-server.service"
+ynh_add_systemd_config --service="$app-microservices" --template="immich-microservices.service"
 ynh_add_systemd_config --service="$app-machine-learning" --template="immich-machine-learning.service"
 
+yunohost service add "$app-microservices" --description="Immich Microservices" --log="/var/log/$app/$app-microservices.log"
 yunohost service add "$app-machine-learning" --description="Immich Machine Learning" --log="/var/log/$app/$app-machine-learning.log"
 yunohost service add "$app-server" --description="Immich Server" --log="/var/log/$app/$app-server.log"
 
@@ -101,6 +94,7 @@ ynh_add_fail2ban_config --logpath="/var/log/$app/$app-server.log" --failregex="$
 # START SYSTEMD SERVICE
 #=================================================
 ynh_script_progression --message="Starting a systemd service..." --weight=1
+ynh_systemd_action --service_name="$app-microservices" --action="start" --line_match="Immich Microservices is listening" --log_path="/var/log/$app/$app-microservices.log"
 ynh_systemd_action --service_name="$app-machine-learning" --action="start" --line_match="Application startup complete" --log_path="/var/log/$app/$app-machine-learning.log"
 ynh_systemd_action --service_name="$app-server" --action="start" --line_match="Immich Server is listening" --log_path="/var/log/$app/$app-server.log"