kresus

Liste des banques disponibles

Installation sur debian 10

INSTALLATION DE NODEJS ET YARN

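# Fetch NodeSource's setup script to a file instead of piping it straight into
# a root shell, so it can be read before it runs. -f makes curl fail on an HTTP
# error instead of handing an error page to bash.
# NOTE(review): setup_10.x selects the Node.js 10 line, which no longer
# receives upstream security fixes; check which Node.js release your Kresus
# version requires before using it.
nodesource_setup="$(mktemp)"
curl -fsSL https://deb.nodesource.com/setup_10.x -o "$nodesource_setup"
less "$nodesource_setup"    # review what is about to run as root
sudo bash "$nodesource_setup"
rm -f -- "$nodesource_setup"
sudo apt-get install -y nodejs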

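# Store the Yarn signing key in its own keyring and bind it to the Yarn
# repository with signed-by. `apt-key add` would trust the key for every
# configured repository, and apt-key itself is deprecated.
# -f makes curl fail on an HTTP error instead of feeding an error page to gpg.
curl -fsSL https://dl.yarnpkg.com/debian/pubkey.gpg \
  | gpg --dearmor \
  | sudo tee /usr/share/keyrings/yarnkey.gpg >/dev/null
# Only tee needs root here; `sudo echo` added nothing.
echo "deb [signed-by=/usr/share/keyrings/yarnkey.gpg] https://dl.yarnpkg.com/debian/ stable main" \
  | sudo tee /etc/apt/sources.list.d/yarn.list
sudo apt-get update && sudo apt-get install yarn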

INSTALLATION WEBOOB

# Packages the guide installs ahead of weboob: git, the Python 3 toolchain,
# native library headers and the autotools chain. The install only runs when
# the index refresh succeeds.
sudo apt-get update \
  && sudo apt-get install \
    git \
    python3-dev python3-pip \
    libffi-dev libxml2-dev libxslt-dev libyaml-dev \
    libtiff-dev libjpeg-dev libwebp-dev \
    python3-pil python3-lxml \
    autotools-dev automake autoconf libtool

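Ajouter une tâche cron pour garder weboob à jour (le dépôt /home/kresus/weboob qu’elle met à jour sera créé plus loin). À placer dans la crontab de l’utilisateur kresus plutôt que dans celle de root.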

# Every day at 23:23: pull upstream master into the weboob checkout.
# NOTE(review): this runs whatever upstream master contains, unreviewed, on the
# host that handles banking credentials. Install the entry in the kresus user's
# crontab (not root's) so the pull and the checkout stay unprivileged.
23 23 * * * cd /home/kresus/weboob && git pull origin master

CREATION UTILISATEUR KRESUS

# Dedicated unprivileged account for Kresus; --disabled-password leaves the
# account without a password.
sudo adduser --disabled-password kresus
# Without -s, chsh asks interactively for the account's new login shell.
sudo chsh kresus

Utiliser l’utilisateur kresus

# Open a shell as kresus; -s runs /bin/bash instead of the account's
# configured login shell. Commands typed in this shell run as kresus,
# not as root.
sudo su kresus -s /bin/bash

Installer la dernière version git de weboob

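# Clone weboob into the kresus home directory (run as kresus).
git clone https://git.weboob.org/weboob/weboob.git /home/kresus/weboob
# Install for the kresus user only. `sudo pip3 install .` would run the setup
# code of a freshly cloned repository as root, and would have to be called
# from an account that was created without a password.
# --user installs into the kresus user's own site-packages (~/.local).
cd /home/kresus/weboob && pip3 install --user .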

RÉCUPÉRER ET LANCER L’INSTALLATION DE KRESUS

# Fetch the Kresus sources into /home/kresus/app.
git clone https://framagit.org/kresusapp/kresus /home/kresus/app
# Install the prebuild package first, then the project's dependencies; each
# step only runs when the previous one succeeded.
# NOTE(review): npm install executes dependency install scripts, so run this in
# the kresus shell and not as root.
cd /home/kresus/app \
  && npm install prebuild \
  && npm install

PERSONNALISATION DES VARIABLES

Personnaliser le /home/kresus/app/config.ini avec vos variables

DROIT SUR config.ini

# Owner read/write only, no access for group or others. The file must be owned
# by kresus, the account the service runs as, or the service cannot read it.
# NOTE(review): presumably config.ini holds secrets such as credentials or
# keys — confirm against the Kresus documentation.
chmod 600 /home/kresus/app/config.ini

Construisez la version de production

# Production build; NODE_ENV is set for this one make invocation only.
# NOTE(review): presumably run from /home/kresus/app, where the previous steps
# left the shell — confirm.
env NODE_ENV=production make build

Tester si l’installation est fonctionnelle

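# Foreground test run, started from /home/kresus/app as kresus.
# KRESUS_WEBOOB_DIR points at the weboob checkout cloned earlier, and
# -c config.ini loads the same file as the systemd unit, so this run exercises
# the configuration the service will use. Stop it with Ctrl-C once it starts.
NODE_ENV=production KRESUS_PYTHON_EXEC=python3 KRESUS_WEBOOB_DIR=/home/kresus/weboob node bin/kresus.js -c config.ini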

AJOUTER UN SERVICE KRESUS

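# /etc/systemd/system is writable by root only: run this from your admin
# account, not from the kresus shell. sudoedit runs the editor unprivileged
# and copies the result into place as root. Paste the unit content below.
sudoedit /etc/systemd/system/kresus.service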
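[Unit]
Description=Gestionnaire de finances personnelles
After=network.target

[Service]
# Run as the dedicated unprivileged account, from the Kresus checkout.
User=kresus
WorkingDirectory=/home/kresus/app
Environment=NODE_ENV=production
Environment=KRESUS_PYTHON_EXEC=python3
Environment=KRESUS_WEBOOB_DIR=/home/kresus/weboob
# bin/kresus.js is a relative path, resolved against WorkingDirectory
# (presumably config.ini as well).
ExecStart=/usr/bin/node bin/kresus.js -c config.ini

Type=simple
Restart=always

# Sandboxing for a service that handles banking credentials:
# - NoNewPrivileges: the process and its children cannot gain privileges
#   through setuid binaries.
# - PrivateTmp: private /tmp and /var/tmp, not shared with other services.
# - ProtectSystem=full: /usr, /boot and /etc are read-only for the service;
#   relax this if config.ini places the data directory under one of them.
NoNewPrivileges=true
PrivateTmp=true
ProtectSystem=full

StandardOutput=journal
StandardError=inherit
SyslogIdentifier=kresus

[Install]
WantedBy=multi-user.target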

Adapter les chemins si besoin

RELANCER LES DAEMON, ACTIVER AU DÉMARRAGE ET DÉMARRER KRESUS

# Make systemd read the new unit file, then enable the service at boot and
# start it right away (--now combines enable and start).
sudo systemctl daemon-reload
sudo systemctl enable --now kresus.service

Éditer le vhost nginx (remplacer DOMAIN et SOCKET par vos valeurs)

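# Plain HTTP: redirect every request to HTTPS.
# DOMAIN is a placeholder for your host name.
server {
    listen      80;
    server_name DOMAIN;
    return 301  https://DOMAIN$request_uri;
}

# HTTPS reverse proxy in front of Kresus.
server {
    listen      443 ssl http2;
    server_name DOMAIN;

    # HTTP basic auth is the access gate here. It only protects requests that
    # pass through nginx: make sure Kresus itself listens on a loopback address
    # so the backend port cannot be reached directly.
    auth_basic Authentication;
    auth_basic_user_file /etc/nginx/.kresus_htpasswd; # Replace me!

    # Let's Encrypt:
    ssl_certificate     /etc/letsencrypt/live/DOMAIN/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/DOMAIN/privkey.pem;

    # SSL configuration:
    #
    # More details to generate this file:
    # https://mozilla.github.io/server-side-tls/ssl-config-generator/

    # TLS 1.2 only: SSLv3 (POODLE), TLS 1.0 and TLS 1.1 are all refused.
    ssl_protocols         TLSv1.2;
    # Recommended ciphers. The first six are AEAD suites (GCM / CHACHA20);
    # the last four are CBC-mode suites.
    # NOTE(review): regenerate this list with the generator above; its current
    # intermediate profile does not include the CBC suites.
    ssl_ciphers           'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
    # The server's cipher order wins over the client's.
    ssl_prefer_server_ciphers on;
    # Session resumption to improve HTTPS performance; tickets stay off.
    ssl_session_cache shared:SSL:50m;
    ssl_session_timeout 5m;
    ssl_session_tickets off;
    # Diffie-Hellman parameter for DHE ciphersuites, recommended 4096 bits
    # DISABLED (no DHE suite is in the cipher list above)
    #    ssl_dhparam /etc/nginx/dhparam.pem;

    ### Conditions under which a request is passed on to the next backend ###
    proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;

    ### Set headers ###
    proxy_set_header        Accept-Encoding   "";
    proxy_set_header        Host            $host;
    proxy_set_header        X-Real-IP       $remote_addr;
    proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;

    ### Most PHP, Python, Rails, Java apps can use this header ###
    proxy_set_header        X-Forwarded-Proto $scheme;
    add_header              Front-End-Https   on;

    ### By default we don't want to redirect it ###
    proxy_redirect     off;

    # config to enable HSTS (HTTP Strict Transport Security) https://developer.mozilla.org/en-US/docs/Security/HTTP_Strict_Transport_Security
    # to avoid ssl stripping https://en.wikipedia.org/wiki/SSL_stripping#SSL_stripping
    # 15768000 seconds = 6 months
    # "always" also sends the header on error responses, including the 401
    # that basic auth returns before the user has logged in.
    # includeSubDomains applies the policy to every subdomain of DOMAIN: keep
    # it only if all of them are served over HTTPS.
    add_header Strict-Transport-Security "max-age=15768000; includeSubDomains" always;

    # OCSP Stapling ---
    # fetch OCSP records from URL in ssl_certificate and cache them
    # NOTE(review): stapling normally also needs a `resolver`, and
    # ssl_stapling_verify needs the issuer chain via `ssl_trusted_certificate`;
    # neither is set in this file — confirm they are configured elsewhere.
    ssl_stapling on;
    ssl_stapling_verify on;

    # Response compression.
    # NOTE(review): compressing authenticated responses over TLS is what
    # BREACH-style attacks rely on; consider turning gzip off for this vhost.
    gzip on;

    # LOGS
    access_log /var/log/nginx/DOMAIN_access.log;
    error_log  /var/log/nginx/DOMAIN_error.log;

    location / {
        client_max_body_size  8M;
        send_timeout          600;
        proxy_connect_timeout 600;
        proxy_send_timeout    600;
        proxy_read_timeout    600;
        # SOCKET is a placeholder for the address Kresus listens on.
        proxy_pass http://SOCKET;
    }
}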

AJOUT D’UNE AUTHENTIFICATION D’ACCÈS

# Create the password file read by auth_basic_user_file; USER is a placeholder
# for the login name. htpasswd prompts for the password, which keeps it out of
# the shell history. -c creates the file and overwrites an existing one: drop
# -c when adding further users. On Debian, htpasswd is shipped in the
# apache2-utils package.
sudo htpasswd -c /etc/nginx/.kresus_htpasswd USER

TEST DE LA CONFIGURATION DE NGINX ET RELOAD

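# Reload only when the configuration test passes. Both commands need root,
# like the other administrative steps in this guide.
sudo nginx -t && sudo systemctl reload nginx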