diff --git a/README.md b/README.md
index 5f6a8f7..8362ed5 100644
--- a/README.md
+++ b/README.md
@@ -5,7 +5,7 @@ It shall NOT be edited by hand.
# Commento for YunoHost
-[](https://dash.yunohost.org/appci/app/commento)  
+[](https://dash.yunohost.org/appci/app/commento)  
[](https://install-app.yunohost.org/?app=commento)
*[Lire ce readme en français.](./README_fr.md)*
@@ -37,25 +37,26 @@ Commento++ allows you to foster discussion on your website – if you have a blo
## Screenshots
-
+
## Documentation and resources
-* Official app website: https://commento.io/
-* Official admin documentation: https://docs.commento.io/
-* Upstream app code repository: https://github.com/souramoo/commentoplusplus
-* YunoHost documentation for this app: https://yunohost.org/app_commento
-* Report a bug: https://github.com/YunoHost-Apps/commento_ynh/issues
+* Official app website:
+* Official admin documentation:
+* Upstream app code repository:
+* YunoHost documentation for this app:
+* Report a bug:
## Developer info
Please send your pull request to the [testing branch](https://github.com/YunoHost-Apps/commento_ynh/tree/testing).
To try the testing branch, please proceed like that.
-```
+
+``` bash
sudo yunohost app install https://github.com/YunoHost-Apps/commento_ynh/tree/testing --debug
or
sudo yunohost app upgrade commento -u https://github.com/YunoHost-Apps/commento_ynh/tree/testing --debug
```
-**More info regarding app packaging:** https://yunohost.org/packaging_apps
\ No newline at end of file
+**More info regarding app packaging:**
diff --git a/README_fr.md b/README_fr.md
index 19372ed..2b149f0 100644
--- a/README_fr.md
+++ b/README_fr.md
@@ -1,10 +1,14 @@
+
+
# Commento pour YunoHost
-[](https://dash.yunohost.org/appci/app/commento)  
+[](https://dash.yunohost.org/appci/app/commento)  
[](https://install-app.yunohost.org/?app=commento)
*[Read this readme in english.](./README.md)*
-*[Lire ce readme en français.](./README_fr.md)*
> *Ce package vous permet d'installer Commento rapidement et simplement sur un serveur YunoHost.
Si vous n'avez pas YunoHost, regardez [ici](https://yunohost.org/#/install) pour savoir comment l'installer et en profiter.*
@@ -33,25 +37,26 @@ Commento++ allows you to foster discussion on your website – if you have a blo
## Captures d'écran
-
+
## Documentations et ressources
-* Site officiel de l'app : https://commento.io/
-* Documentation officielle de l'admin : https://docs.commento.io/
-* Dépôt de code officiel de l'app : https://github.com/souramoo/commentoplusplus
-* Documentation YunoHost pour cette app : https://yunohost.org/app_commento
-* Signaler un bug : https://github.com/YunoHost-Apps/commento_ynh/issues
+* Site officiel de l'app :
+* Documentation officielle de l'admin :
+* Dépôt de code officiel de l'app :
+* Documentation YunoHost pour cette app :
+* Signaler un bug :
## Informations pour les développeurs
Merci de faire vos pull request sur la [branche testing](https://github.com/YunoHost-Apps/commento_ynh/tree/testing).
Pour essayer la branche testing, procédez comme suit.
-```
+
+``` bash
sudo yunohost app install https://github.com/YunoHost-Apps/commento_ynh/tree/testing --debug
ou
sudo yunohost app upgrade commento -u https://github.com/YunoHost-Apps/commento_ynh/tree/testing --debug
```
-**Plus d'infos sur le packaging d'applications :** https://yunohost.org/packaging_apps
\ No newline at end of file
+**Plus d'infos sur le packaging d'applications :**
diff --git a/conf/systemd.service b/conf/systemd.service
index 247766d..c7480a8 100644
--- a/conf/systemd.service
+++ b/conf/systemd.service
@@ -9,5 +9,39 @@ Group=__APP__
Environment=COMMENTO_CONFIG_FILE=__FINALPATH__/commento.env
ExecStart=__FINALPATH__/commento
+# Sandboxing options to harden security
+# Depending on specificities of your service/app, you may need to tweak these
+# .. but this should be a good baseline
+# Details for these options: https://www.freedesktop.org/software/systemd/man/systemd.exec.html
+NoNewPrivileges=yes
+PrivateTmp=yes
+PrivateDevices=yes
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
+RestrictNamespaces=yes
+RestrictRealtime=yes
+DevicePolicy=closed
+ProtectClock=yes
+ProtectHostname=yes
+ProtectProc=invisible
+ProtectSystem=full
+ProtectControlGroups=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+LockPersonality=yes
+SystemCallArchitectures=native
+SystemCallFilter=~@clock @debug @module @mount @obsolete @reboot @setuid @swap @cpu-emulation @privileged
+
+# Denying access to capabilities that should not be relevant for webapps
+# Doc: https://man7.org/linux/man-pages/man7/capabilities.7.html
+CapabilityBoundingSet=~CAP_RAWIO CAP_MKNOD
+CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE
+CapabilityBoundingSet=~CAP_SYS_BOOT CAP_SYS_TIME CAP_SYS_MODULE CAP_SYS_PACCT
+CapabilityBoundingSet=~CAP_LEASE CAP_LINUX_IMMUTABLE CAP_IPC_LOCK
+CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_WAKE_ALARM
+CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG
+CapabilityBoundingSet=~CAP_MAC_ADMIN CAP_MAC_OVERRIDE
+CapabilityBoundingSet=~CAP_NET_ADMIN CAP_NET_BROADCAST CAP_NET_RAW
+CapabilityBoundingSet=~CAP_SYS_ADMIN CAP_SYS_PTRACE CAP_SYSLOG
+
[Install]
WantedBy=multi-user.target
diff --git a/manifest.json b/manifest.json
index 33c2442..4395811 100644
--- a/manifest.json
+++ b/manifest.json
@@ -21,7 +21,7 @@
"email": ""
},
"requirements": {
- "yunohost": ">= 4.3.0"
+ "yunohost": ">= 11.0.9"
},
"multi_instance": true,
"services": [
diff --git a/scripts/upgrade b/scripts/upgrade
index f52e171..aed38d9 100644
--- a/scripts/upgrade
+++ b/scripts/upgrade
@@ -90,7 +90,7 @@ then
ynh_script_progression --message="Upgrading source files..." --weight=1
# Download, check integrity, uncompress and patch the source from app.src
- ynh_setup_source --dest_dir="$final_path" #--keep="$final_path/commento.env"
+ ynh_setup_source --dest_dir="$final_path" #--keep="commento.env"
fi
chmod 750 "$final_path"