nik/FreedomBox
1
0
Fork 0
mirror of https://github.com/freedombox/FreedomBox.git synced 2026-05-27 10:44:33 +00:00
Code Issues Packages Projects Releases Wiki Activity
FreedomBox/plinth/modules/searx/__init__.py
James Valleroy 0e698eb4b4
apache: Use a Uwsgi native socket systemd unit for each app 
[Sunil]:

- Drop Uwsgi component entirely. After the changes, it mostly looks like Daemon
component minus some features. One change that Uwsgi component does is when
component is disabled, it also stops and disables the .service unit. Stopping
the service is useful and we can add this to Daemon component.

- Use /run instead of /var/run/ as 1) /var/run is a symlink to /run 2) /run/
path is what is listed in uwsgi-app@.socket unit file.

- Implement upgrade for apps from older version. Disable and mask uwsgi init.d
script. Enable the daemon component if the webserver component is enabled.

- Update manifest files to deal with .socket units instead of 'uwsgi' service.
Backup the /var/lib/private directories as that is actual directory to backup
with DynamicUser=yes.

- For bepasty load the configuration as a systemd provided credential since
DynamicUser=yes.

- Remove the /var/lib/private directories during uninstall.

- Don't create user/group for bepasty as it is not needed with DynamicUser=yes.

Tests:

- Radicale

  - Functional tests pass

  - Freshly install radicale.

  - Web interface works.

  - Create and edit calendars

  - Path of the storage directory is in /var/lib/private/radicale (after
  accessing web interface)

  - Permissions on the storage folder and files inside are set to nobody:nobody.

  - Uninstall removes the /var/lib/private/radicale directory.

  - Create a calender and backup the app. Uninstall the app. Re-install the app.
  The calendar is not available. After restoring the backup, the calendar is
  available.

  - Install radicale without patch and create a calendar. Apply patches and
  start plinth.service. Setup is run. UWSGI is disabled and masked. Service is
  running. Old calender is visible.

  - Install radicale without patch. Disable and apply patches and start
  plinth.service. Setup is run. UWSGI is disabled and masked. Service is not
  running. Enabling the service works.

  - After upgrade, data storage path got migrated to /var/lib/private/radicale.
  Old data is accessible.

  - After upgrade the directory is still owned by radicale:radicale.

  - Freshly install radicale with patch and restore an old backup. The data is
  available in the web interface and data was migrated to
  /var/lib/private/radicale.

- Bepasty

  - Functional tests pass

  - Freshly install bepasy.

  - Enabling and disabling rapidly works.

  - Uploading files works.

  - Path of the storage directory is /var/lib/private/bepasty.

  - Permissions on the storage folder are as expect 755 but on the parent are
  700.

  - Permissions on the stored files are 644 and owned by nobody:nobody.

  - Uninstall removes the /var/lib/private/bepasty directory.

  - Upload a picture and backup the app. Uninstall the app. Re-install the app.
  The uploaded file is not available. After restoring the backup, the uploaded
  file is available.

  - Install bepasty without patch and upload a file. Apply patches and start
  plinth.service. Setup is run. UWSGI is disabled and masked. Service is
  running. Old uploaded picture is visible.

  - Install bepasty without patch. Disable app. Apply patches and start
  plinth.service. Setup is run. UWSGI is disabled and masked. Service is not
  running. Enabling the service works.

  - After upgrade, data storage path got migrated to /var/lib/private/bepasty.
  Old data is accessible.

  - After upgrade the directory is still owned by bepasty:bepasty.

  - Freshly install bepasty with patch and restore an old backup. The uploaded
  file is available in the web interface and data was migrated to
  /var/lib/private/bepasty.

Signed-off-by: James Valleroy <jvalleroy@mailbox.org>
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
2026-03-21 07:45:51 -07:00

155 lines
5.4 KiB
Python
Raw Blame History

# SPDX-License-Identifier: AGPL-3.0-or-later
"""FreedomBox app to configure Searx."""
import os
from django.utils.translation import gettext_lazy as _
from plinth import app as app_module
from plinth import frontpage, menu
from plinth.config import DropinConfigs
from plinth.daemon import Daemon
from plinth.modules.apache.components import Webserver
from plinth.modules.backups.components import BackupRestore
from plinth.modules.firewall.components import Firewall
from plinth.modules.users.components import UsersAndGroups
from plinth.package import Packages
from plinth.privileged import service as service_privileged
from . import manifest, privileged
_description = [
_('Searx is a privacy-respecting Internet metasearch engine. '
'It aggregrates and displays results from multiple search engines.'),
_('Searx can be used to avoid tracking and profiling by search engines. '
'It stores no cookies by default.')
]
class SearxApp(app_module.App):
"""FreedomBox app for Searx."""
app_id = 'searx'
_version = 7
def __init__(self) -> None:
"""Create components for the app."""
super().__init__()
groups = {'web-search': _('Search the web')}
info = app_module.Info(
app_id=self.app_id, version=self._version, name=_('Searx'),
icon_filename='searx', description=_description,
manual_page='Searx', clients=manifest.clients, tags=manifest.tags,
donation_url='https://searx.me/static/donate.html')
self.add(info)
menu_item = menu.Menu('menu-searx', info.name, info.icon_filename,
info.tags, 'searx:index', parent_url_name='apps')
self.add(menu_item)
shortcut = frontpage.Shortcut(
'shortcut-searx', info.name, icon=info.icon_filename,
url='/searx/', clients=info.clients, tags=info.tags,
login_required=(not is_public_access_enabled()),
allowed_groups=list(groups))
self.add(shortcut)
# Include libjs-bootstrap to prevent accidental uninstall (see
# issue #2298).
packages = Packages('packages-searx', ['searx', 'libjs-bootstrap'])
self.add(packages)
dropin_configs = DropinConfigs('dropin-configs-searx', [
'/etc/apache2/conf-available/searx-freedombox-auth.conf',
'/etc/apache2/conf-available/searx-freedombox.conf',
])
self.add(dropin_configs)
firewall = Firewall('firewall-searx', info.name,
ports=['http', 'https'], is_external=True)
self.add(firewall)
webserver = Webserver('webserver-searx', 'searx-freedombox',
urls=['https://{host}/searx/'])
self.add(webserver)
webserver = SearxWebserverAuth('webserver-searx-auth',
'searx-freedombox-auth')
self.add(webserver)
daemon = Daemon('daemon-searx', 'uwsgi-app@searx.socket')
self.add(daemon)
users_and_groups = UsersAndGroups('users-and-groups-searx',
groups=groups)
self.add(users_and_groups)
backup_restore = BackupRestore('backup-restore-searx',
**manifest.backup)
self.add(backup_restore)
def set_shortcut_login_required(self, login_required):
"""Change the login_required property of shortcut."""
self.get_component('shortcut-searx').login_required = login_required
def setup(self, old_version):
"""Install and configure the app."""
super().setup(old_version)
privileged.setup()
if not old_version or old_version < 3:
privileged.disable_public_access()
self.enable()
self.set_shortcut_login_required(True)
if old_version and old_version <= 6:
webserver = self.get_component('webserver-searx')
daemon = self.get_component('daemon-searx')
if webserver.is_enabled():
daemon.enable()
# Vanquish the old uwsgi init.d script.
service_privileged.disable('uwsgi')
service_privileged.mask('uwsgi')
def uninstall(self):
"""De-configure and uninstall the app."""
super().uninstall()
privileged.uninstall()
class SearxWebserverAuth(Webserver):
"""Component to handle Searx authentication webserver configuration."""
def is_enabled(self):
"""Return if configuration is enabled or public access is enabled."""
return is_public_access_enabled() or super().is_enabled()
def enable(self):
"""Enable apache configuration only if public access is disabled."""
if not is_public_access_enabled():
super().enable()
def is_public_access_enabled():
"""Check whether public access is enabled for Searx."""
return os.path.exists(manifest.PUBLIC_ACCESS_SETTING_FILE)
def enable_public_access():
"""Allow Searx app to be accessed by anyone with access."""
privileged.enable_public_access()
app = app_module.App.get('searx')
app.get_component('webserver-searx-auth').disable()
app.set_shortcut_login_required(False)
def disable_public_access():
"""Allow Searx app to be accessed by logged-in users only."""
privileged.disable_public_access()
app = app_module.App.get('searx')
app.get_component('webserver-searx-auth').enable()
app.set_shortcut_login_required(True)
Reference in New Issue View Git Blame Copy Permalink