
Modify tcms service, expect to run on an AF_UNIX socket now

George Baugh hace 1 año
padre
commit
0dbce71ae0
Se han modificado 5 ficheros con 54 adiciones y 6 borrados
  1. 1 0
      .gitignore
  2. 5 3
      Installer.mk
  3. 2 2
      nginx/tcms.conf.tmpl
  4. 5 1
      service-files/systemd.unit
  5. 41 0
      ufw/setup-rules

+ 1 - 0
.gitignore

@@ -29,5 +29,6 @@ totp/
 nginx/tcms.conf
 fail2ban/tcms-jail.conf
 logs/
+run/
 *-shm
 *-wal

+ 5 - 3
Installer.mk

@@ -21,7 +21,6 @@ install-service:
 	mkdir -p ~/.config/systemd/user
 	cp service-files/systemd.unit ~/.config/systemd/user/tCMS.service
 	sed -ie 's#__REPLACEME__#$(shell pwd)#g' ~/.config/systemd/user/tCMS.service
-	sed -ie 's#__PORT__#$(PORT)#g' ~/.config/systemd/user/tCMS.service
 	systemctl --user daemon-reload
 	systemctl --user enable tCMS
 	systemctl --user start tCMS
@@ -85,10 +84,13 @@ fail2ban:
 .PHONY: nginx
 nginx:
 	[ -n "$$SERVER_NAME" ] || ( echo "Please set the SERVER_NAME environment variable before running (e.g. test.test)" && /bin/false )
-	[ -n "$$SERVER_PORT" ] || ( echo "Please set the SERVER_PORT environment variable before running (e.g. 5000)" && /bin/false )
 	sed 's/\%SERVER_NAME\%/$(SERVER_NAME)/g' nginx/tcms.conf.tmpl > nginx/tcms.conf.intermediate
-	sed 's/\%SERVER_PORT\%/$(SERVER_PORT)/g' nginx/tcms.conf.intermediate > nginx/tcms.conf
+	sed 's/\%SERVER_SOCK\%/$(shell pwd)/g' nginx/tcms.conf.intermediate > nginx/tcms.conf
 	rm nginx/tcms.conf.intermediate
+	mkdir run
+	chown $(USER):www-data run
+	touch run/tcms.sock
+	chown $(USER):www-data run/tcms.sock
 	sudo mkdir -p '/var/www/$(SERVER_NAME)'
 	sudo mkdir -p '/var/www/mail.$(SERVER_NAME)'
 	sudo mkdir -p '/etc/letsencrypt/live/$(SERVER_NAME)'
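Review bot: The new `sed 's/\%SERVER_SOCK\%/$(shell pwd)/g' ...` line in the nginx target uses `/` as the s/// delimiter while substituting an absolute path, so the slashes inside `$(shell pwd)` terminate the expression early and sed rejects it; the install-service target above already uses `#` for exactly this reason, so it should read `sed 's#\%SERVER_SOCK\%#$(shell pwd)#g' nginx/tcms.conf.intermediate > nginx/tcms.conf`. The following `mkdir run` has no `-p`, so a second `make nginx` aborts as soon as the directory exists. Nothing sets the mode of `run` or `run/tcms.sock`, so whether the www-data nginx worker can reach the socket (write permission on the socket, search permission on the directory) depends on the caller's umask, and `chown` to group `www-data` as an unprivileged `$(USER)` only succeeds when that user is a member of the group. Since starman will presumably unlink and recreate the socket on bind, the ownership set on the `touch`ed placeholder file is likely lost anyway — worth confirming and, if so, replacing those two lines with a comment stating that the directory's group and a `chmod 770 run` are what actually matter.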

+ 2 - 2
nginx/tcms.conf.tmpl

@@ -8,7 +8,7 @@ server {
     ssl_certificate_key /etc/letsencrypt/live/%SERVER_NAME%/privkey.pem;
 
     location / {
-        proxy_pass http://127.0.0.1:%SERVER_PORT%;
+        proxy_pass http://unix:%SERVER_SOCK%/run/tcms.sock:/;
         proxy_set_header Host            $host;
         proxy_set_header X-Forwarded-For $remote_addr;
     }
@@ -26,7 +26,7 @@ server {
     server_name %SERVER_NAME% www.%SERVER_NAME%;
 
     location / {
-        proxy_pass http://127.0.0.1:%SERVER_PORT%;
+        proxy_pass http://unix:%SERVER_SOCK%/run/tcms.sock:/;
         proxy_set_header Host            $host;
         proxy_set_header X-Forwarded-For $remote_addr;
     }
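Review bot: Both server blocks now carry the identical `proxy_pass http://unix:%SERVER_SOCK%/run/tcms.sock:/;` literal, so the socket path is templated in two places that must stay in sync; declaring `upstream tcms { server unix:%SERVER_SOCK%/run/tcms.sock; }` once at the top of the template and using `proxy_pass http://tcms/;` in both locations gives a single point of change. Note that the old `proxy_pass` had no URI part while the new one ends in `:/`; for a `location /` prefix the request URI should pass through unchanged either way, but a one-line comment in the template saying the trailing `/` is required by the `unix:` syntax would stop someone trimming it later. Neither server block is fully within the hunk.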

+ 5 - 1
service-files/systemd.unit

@@ -5,5 +5,9 @@ Description=tCMS
 WantedBy=default.target
 
 [Service]
-ExecStart=starman -p __PORT__ __REPLACEME__/www/server.psgi
+User=__DOMAIN__
+ExecStart=starman --listen __REPLACEME__/run/tcms.sock __REPLACEME__/www/server.psgi
 WorkingDirectory= __REPLACEME__/
+Restart=always
+OOMPolicy=stop
+ExecReload=kill -HUP $MAINPID
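Review bot: `User=__DOMAIN__` introduces a placeholder that the install-service target in Installer.mk never substitutes (it replaces only `__REPLACEME__`, and this commit removes the `__PORT__` sed), so the installed unit carries the literal string `__DOMAIN__`. Because the unit is installed under `~/.config/systemd/user`, a non-root user service manager cannot switch identity at all — `User=` there is only valid as the manager's own user — so the line is either rejected or meaningless; either drop it or add the matching sed and document in the unit which account is intended. `ExecReload=kill -HUP $MAINPID` (and `starman` in ExecStart) relies on PATH lookup of the executable, which older systemd releases reject; an absolute path such as `ExecReload=/bin/kill -HUP $MAINPID` is the portable form.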

+ 41 - 0
ufw/setup-rules

@@ -0,0 +1,41 @@
+#!/usr/bin/env perl
+
+use strict;
+use warnings;
+
+use Data::Dumper;
+
+my $DRY_RUN = $ARGV[0] ? 1 : 0;
+
+# Build rules, apply rules.
+
+# Enable every available service.
+# Don't use tCMS on hosts that do anything else with.
+my $list = qx{ufw app list};
+my @apps = split(/\n/, $list);
+shift @apps;
+@apps = map { s/^\s+//; $_ } @apps;
+
+# Sane defaults
+my @rules = (
+    [qw{enable}],
+    [qw{default deny outgoing}],
+    [qw{default deny incoming}],
+);
+
+# Allow, but rate limit
+foreach my $app (@apps) {
+    push(@rules,
+        ["allow", $app],
+        ["limit", $app],
+    );
+}
+
+@rules = map { unshift(@{$_}, '--dry-run'); $_ } @rules if $DRY_RUN;
+@rules = map { unshift(@{$_}, 'ufw'); $_ } @rules;
+
+print Dumper(\@rules);
+
+foreach my $rule (@rules) {
+    system(@$rule);
+}
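Review bot: The final `system(@$rule)` loop ignores every command's exit status, so a rule ufw rejects (or a run without the root privileges ufw requires) is silently skipped after `enable` has already fired, leaving a partially applied firewall; use `system(@$rule) == 0 or die "ufw failed (@$rule): $?";` (or `use autodie qw(:all)`), and check `$?` after `qx{ufw app list}` too, since a failed listing leaves `@apps` empty and the script carries on. The rule order runs `enable` before `default deny outgoing` and `default deny incoming`, so the firewall goes live with its previous defaults; moving `enable` to the end of `@rules` closes that window. With `default deny outgoing` and only `allow $app` / `limit $app` rules, which ufw treats as incoming rules, outbound traffic the host itself needs (DNS, certificate renewal, outgoing mail) appears to be blocked unless something outside this script opens it — if that is intended, a comment saying so would help the next reader. `limit $app` is appended after `allow $app` for the same profile, and since ufw evaluates rules in insertion order the allow presumably matches first and the limit never applies; confirm, and keep only `limit` if rate limiting is the goal. The comment `# Don't use tCMS on hosts that do anything else with.` is missing its object and should say what the script will interfere with (e.g. any existing ufw rule set it enables everything for).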