From 5c9dc5fdf8ef8f744e0af7d4ca165219461495fa Mon Sep 17 00:00:00 2001
From: George Rawlinson
Date: Wed, 19 May 2021 01:58:28 +0000
Subject: [PATCH] upgpkg: homebridge-config-ui-x 4.41.1-2

* Fixed incorrect license.
* Removed unnecessary dependencies.
* Removed environment file in favour of environment variables in the systemd service file.
* Added an install file with post_{install,upgrade} functions.
* Hardened systemd service.
* Removed login shell for homebridge user account.
---
 .SRCINFO                       | 16 ++++--------
 PKGBUILD                       | 43 +++++++++++++++-----------------
 environment.conf               |  7 ------
 homebridge-config-ui-x.install | 32 ++++++++++++++++++++++++
 systemd.service                | 45 ++++++++++++++++++++++++++--------
 sysusers.conf                  |  2 +-
 6 files changed, 93 insertions(+), 52 deletions(-)
 delete mode 100644 environment.conf
 create mode 100644 homebridge-config-ui-x.install

diff --git a/.SRCINFO b/.SRCINFO
index 0ec5cb2b74fe..108deb2422b4 100644
--- a/.SRCINFO
+++ b/.SRCINFO
@@ -1,29 +1,23 @@
 pkgbase = homebridge-config-ui-x
 	pkgdesc = Web-based management tool for Homebridge
 	pkgver = 4.41.1
-	pkgrel = 1
+	pkgrel = 2
 	url = https://github.com/oznu/homebridge-config-ui-x
+	install = homebridge-config-ui-x.install
 	arch = any
-	license = Apache
-	makedepends = git
+	license = MIT
 	makedepends = npm
-	makedepends = python
-	makedepends = node-gyp
-	depends = nodejs
-	depends = avahi
 	depends = homebridge
 	options = !emptydirs
 	options = !strip
 	source = homebridge-config-ui-x-4.41.1.tar.gz::https://github.com/oznu/homebridge-config-ui-x/archive/4.41.1.tar.gz
 	source = systemd.service
-	source = environment.conf
 	source = tmpfiles.conf
 	source = sysusers.conf
 	b2sums = 30e27e383e08af0fa1c6525531143280c0c54e081378001abde17bcf038874c7c6a2654b2c37b82fbe85cb75ccdd6ed42890eaef0c940ac4547aec8c75348e25
-	b2sums = 4cba429db47cc84567b08bbeb5a7e3238870df66cfbca241ece4b98354c4af0180688e3de6528b1fcc0cf6f3e19a645c08bf6457ee5c69d3f1609102363b2039
-	b2sums = 178bf94ccaac2dbcbb908c98e724da60656766eb6058583e644ea6cd7014f928cb5ad018ebc37c17429ad0a3daf09d3903b51c0da3a40282163a3ff4fa78e5a0
+	b2sums = a0861270612dfe3ee33fab9fda23ab351625a76bfc006d44f39387c8b4fd7b67b7937d8c6dc94dbb584fe6e3fa657fd8754d3c823f2a2dd3d93f210d6b5d8102
 	b2sums = c60e965907e85b4a6dac12b60419b5446085794bdbdba0221c41e7557ff520c3688ff79b1219e17ac982d585f2cf616140717b44f8ad2a5e5a72fd360617be65
-	b2sums = 87e6a3ddcd70bd926d17ec33b007dea4108b7386714404a12647508766189c7bf863ab47515396d2ea149da791053beacb6854fa0b57fc409c09cc6aeaffd7e5
+	b2sums = 17039410c1e7aa8efd781a6a9acd31084a632998f0ea57f0df40fa028d12527b24bec71fdf28691b8e23fbfdef10c9b327875477ee113ffa9ad022d84a35552e
 
 pkgname = homebridge-config-ui-x
diff --git a/PKGBUILD b/PKGBUILD
index 009104e13fab..29a2281845ce 100644
--- a/PKGBUILD
+++ b/PKGBUILD
@@ -2,35 +2,33 @@
 pkgname=homebridge-config-ui-x
 pkgver=4.41.1
-pkgrel=1
+pkgrel=2
 pkgdesc="Web-based management tool for Homebridge"
 arch=('any')
 url="https://github.com/oznu/homebridge-config-ui-x"
-license=('Apache')
-depends=('nodejs' 'avahi' 'homebridge')
-makedepends=(
-  'git'
-  'npm'
-  'python'
-  'node-gyp'
-)
+license=('MIT')
+depends=('homebridge')
+makedepends=('npm')
 options=('!emptydirs' '!strip')
 source=(
   "$pkgname-$pkgver.tar.gz::$url/archive/$pkgver.tar.gz"
   'systemd.service'
-  'environment.conf'
   'tmpfiles.conf'
   'sysusers.conf'
 )
+install="$pkgname.install"
 b2sums=('30e27e383e08af0fa1c6525531143280c0c54e081378001abde17bcf038874c7c6a2654b2c37b82fbe85cb75ccdd6ed42890eaef0c940ac4547aec8c75348e25'
-        '4cba429db47cc84567b08bbeb5a7e3238870df66cfbca241ece4b98354c4af0180688e3de6528b1fcc0cf6f3e19a645c08bf6457ee5c69d3f1609102363b2039'
-        '178bf94ccaac2dbcbb908c98e724da60656766eb6058583e644ea6cd7014f928cb5ad018ebc37c17429ad0a3daf09d3903b51c0da3a40282163a3ff4fa78e5a0'
+        'a0861270612dfe3ee33fab9fda23ab351625a76bfc006d44f39387c8b4fd7b67b7937d8c6dc94dbb584fe6e3fa657fd8754d3c823f2a2dd3d93f210d6b5d8102'
         'c60e965907e85b4a6dac12b60419b5446085794bdbdba0221c41e7557ff520c3688ff79b1219e17ac982d585f2cf616140717b44f8ad2a5e5a72fd360617be65'
-        '87e6a3ddcd70bd926d17ec33b007dea4108b7386714404a12647508766189c7bf863ab47515396d2ea149da791053beacb6854fa0b57fc409c09cc6aeaffd7e5')
+        '17039410c1e7aa8efd781a6a9acd31084a632998f0ea57f0df40fa028d12527b24bec71fdf28691b8e23fbfdef10c9b327875477ee113ffa9ad022d84a35552e')
 
 build() {
   cd "$pkgname-$pkgver"
 
+  # NOTE: package is built this way because the dist/ directory is not
+  # included in the source, only in npm source due to a prepublish script
+  # which does not get installed correctly if the npm source is used.
+
   # install dependencies
   npm install
@@ -49,22 +47,21 @@ build() {
 package() {
   cd "$pkgname-$pkgver"
 
-  npm install --global --prefix "$pkgdir/usr" "$srcdir/$pkgname-$pkgver/$pkgname-$pkgver.tgz"
-
-  # Non-deterministic race in npm gives 777 permissions to random directories.
-  # See https://github.com/npm/cli/issues/1103 for details.
-  find "$pkgdir/usr" -type d -exec chmod 755 {} +
+  npm install --global --prefix "$pkgdir/usr" "$pkgname-$pkgver.tgz"
 
   # npm gives ownership of ALL FILES to build user
   # https://bugs.archlinux.org/task/63396
   chown -R root:root "$pkgdir"
 
   # license
-  install -vDm644 -t "$pkgdir/usr/share/licenses/$pkgname" "$pkgdir/usr/lib/node_modules/$pkgname/LICENSE"
+  install -vDm644 -t "$pkgdir/usr/share/licenses/$pkgname" \
+    "$pkgdir/usr/lib/node_modules/$pkgname/LICENSE"
 
   # systemd integration
-  install -vDm644 "$srcdir/sysusers.conf" "$pkgdir/usr/lib/sysusers.d/homebridge.conf"
-  install -vDm644 "$srcdir/tmpfiles.conf" "$pkgdir/usr/lib/tmpfiles.d/homebridge.conf"
-  install -vDm644 "$srcdir/systemd.service" "$pkgdir/usr/lib/systemd/system/homebridge.service"
-  install -vDm644 "$srcdir/environment.conf" "$pkgdir/etc/conf.d/homebridge"
+  install -vDm644 "$srcdir/sysusers.conf" \
+    "$pkgdir/usr/lib/sysusers.d/homebridge.conf"
+  install -vDm644 "$srcdir/tmpfiles.conf" \
+    "$pkgdir/usr/lib/tmpfiles.d/homebridge.conf"
+  install -vDm644 "$srcdir/systemd.service" \
+    "$pkgdir/usr/lib/systemd/system/homebridge.service"
 }
diff --git a/environment.conf b/environment.conf
deleted file mode 100644
index 5dbeaa104ba8..000000000000
--- a/environment.conf
+++ /dev/null
@@ -1,7 +0,0 @@
-HOMEBRIDGE_OPTS="-I -U /var/lib/homebridge"
-UIX_STORAGE_PATH="/var/lib/homebridge"
-
-# To enable web terminals via homebridge-config-ui-x uncomment the following line
-# HOMEBRIDGE_CONFIG_UI_TERMINAL=1
-
-DISABLE_OPENCOLLECTIVE=true
diff --git a/homebridge-config-ui-x.install b/homebridge-config-ui-x.install
new file mode 100644
index 000000000000..c90da78b4335
--- /dev/null
+++ b/homebridge-config-ui-x.install
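Review bot: The `find "$pkgdir/usr" -type d -exec chmod 755 {} +` workaround for the npm permission race (npm/cli#1103) is dropped from package() without the commit message saying the race no longer affects the npm pulled in by makedepends; if it still occurs, the package can ship world-writable directories under /usr. Unless that has been verified, keep the removed comment and the `find` line directly after the new `npm install --global --prefix "$pkgdir/usr" "$pkgname-$pkgver.tgz"` call. package() is fully contained in this hunk.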
@@ -0,0 +1,32 @@
+post_install() {
+	cat <<-EOF
+
+	Start homebridge + ui with systemd:
+
+	$ systemctl enable --now homebridge
+
+	Caveats:
+
+	1) /usr/bin/hb-service places files all over the system, and it will
+	also modify /etc/sudoers. It is also capable of installing an
+	alternative binary of Node.js. It is recommended to *never* use it.
+
+	2) Installing or upgrading plugins from the web ui invokes npm install
+	globally, which is terrible opsec. It is recommended to instead package
+	any plugins and make them available on the AUR.
+
+	3) To give permissions to the web ui to poweroff/reboot the machine,
+	create a drop-in file in /etc/sudoers.d similar to:
+
+	homebridge ALL=(ALL) NOPASSWD:SETENV: /usr/bin/shutdown
+
+	4) The web ui runs commands with sudo in various places.
+
+	You have been warned.
+
+	EOF
+}
+
+post_upgrade() {
+	post_install
+}
diff --git a/systemd.service b/systemd.service
index fa825398b043..fbc436116079 100644
--- a/systemd.service
+++ b/systemd.service
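Review bot: Caveat 3 tells the admin to grant the homebridge user a sudoers rule so the web ui can reboot the host, but the unit added in the systemd.service hunk of this same commit sets `NoNewPrivileges=yes` and an empty `CapabilityBoundingSet=`, under which a setuid sudo started from the service cannot gain privileges, so the instruction as written will not work from within the service and should say so (caveat 4 is subject to the same limitation). The example rule's SETENV tag additionally lets the caller control the environment of /usr/bin/shutdown; unless the ui depends on it, `homebridge ALL=(ALL) NOPASSWD: /usr/bin/shutdown` is the narrower form. The heredoc delimiter is unquoted, so the caveat text is subject to parameter and command substitution; `cat <<-'EOF'` keeps it literal.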
@@ -1,21 +1,46 @@
 [Unit]
 Description=Homebridge
-Wants=network-online.target
+Requires=network-online.target
 After=syslog.target network-online.target
 
 [Service]
-Type=simple
+Environment=HOMEBRIDGE_OPTS="-I -U /var/lib/homebridge"
+Environment=UIX_STORAGE_PATH="/var/lib/homebridge"
+ExecStart=/usr/bin/hb-service run $HOMEBRIDGE_OPTS
 User=homebridge
 Group=homebridge
-PermissionsStartOnly=true
-WorkingDirectory=/var/lib/homebridge
-EnvironmentFile=/etc/conf.d/homebridge
-ExecStart=/usr/bin/hb-service run $HOMEBRIDGE_OPTS
 Restart=always
-RestartSec=3
-KillMode=process
-CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_CHOWN CAP_FOWNER CAP_DAC_OVERRIDE CAP_AUDIT_WRITE CAP_SYS_ADMIN
-AmbientCapabilities=CAP_NET_RAW CAP_NET_BIND_SERVICE
+RestartSec=5s
+WorkingDirectory=/var/lib/homebridge
+ReadWritePaths=/var/lib/homebridge
+NoNewPrivileges=yes
+UMask=0077
+
+ProtectSystem=strict
+ProtectHome=yes
+PrivateUsers=yes
+PrivateTmp=yes
+PrivateDevices=yes
+PrivateMounts=yes
+ProtectHostname=yes
+ProtectClock=yes
+ProtectKernelTunables=yes
+ProtectKernelModules=yes
+ProtectKernelLogs=yes
+ProtectControlGroups=yes
+RestrictNamespaces=yes
+#RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 # causes status=1/FAILURE
+LockPersonality=yes
+#MemoryDenyWriteExecute=yes # causes issues with V8
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+RemoveIPC=yes
+CapabilityBoundingSet=
+AmbientCapabilities=
+
+SystemCallFilter=@system-service
+SystemCallFilter=~@privileged @resources
+SystemCallArchitectures=native
 
 [Install]
 WantedBy=multi-user.target
diff --git a/sysusers.conf b/sysusers.conf
index 0f2ee824a755..ae80d8865d23 100644
--- a/sysusers.conf
+++ b/sysusers.conf
@@ -1 +1 @@
-u homebridge - "Homebridge user" /var/lib/homebridge /bin/bash
+u homebridge - "Homebridge user" /var/lib/homebridge
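Review bot: `Requires=network-online.target` is a stronger dependency than the `Wants=` it replaces: if the target cannot be reached or is later deactivated, homebridge.service fails or is stopped along with it, and systemd's own guidance for network-online.target is `Wants=`; unless that coupling is intended, `Wants=network-online.target` is the safer line. The disabled `RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6` likely failed because Node's interface enumeration (getifaddrs) needs AF_NETLINK rather than because the restriction is unworkable, so `RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK` is worth trying, with the remark moved to its own line since systemd does not treat a trailing ` # …` after a value as a comment. `After=syslog.target` names an obsolete target and can be dropped.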