Merge pull request #202 from YunoHost-Apps/systemd

5.6.0

README.md

@@ -18,7 +18,7 @@ If you don't have YunoHost, please consult [the guide](https://yunohost.org/#/in
 
 CryptPad is a collaboration suite that is end-to-end-encrypted and open-source. It is built to enable collaboration, synchronizing changes to documents in real time. Because all data is encrypted, the service and its administrators have no way of seeing the content being edited and stored.
 
-**Shipped version:** 5.3.0~ynh1
+**Shipped version:** 5.6.0~ynh1
 
 **Demo:** https://cryptpad.fr/
 

README_fr.md

@@ -18,7 +18,7 @@ Si vous n’avez pas YunoHost, regardez [ici](https://yunohost.org/#/install) po
 
 CryptPad est une suite de collaboration chiffrée de bout en bout et open source. Il est conçu pour permettre la collaboration, en synchronisant les modifications apportées aux documents en temps réel. Étant donné que toutes les données sont chiffrées, le service et ses administrateurs n'ont aucun moyen de voir le contenu modifié et stocké. 
 
-**Version incluse :** 5.3.0~ynh1
+**Version incluse :** 5.6.0~ynh1
 
 **Démo :** https://cryptpad.fr/
 

conf/config.js

@@ -1,3 +1,7 @@
+// SPDX-FileCopyrightText: 2023 XWiki CryptPad Team <contact@cryptpad.org> and contributors
+//
+// SPDX-License-Identifier: AGPL-3.0-or-later
+
 /* globals module */
 
 /*  DISCLAIMER:
@@ -11,7 +15,7 @@
     Support requests for such setups should be directed to their authors.
 
     If you're having difficulty difficulty configuring your instance
-    we suggest that you join the project's IRC/Matrix channel.
+    we suggest that you join the project's Matrix channel.
 
     If you don't have any difficulty configuring your instance and you'd like to
     support us for the work that went into making it pain-free we are quite happy
@@ -45,21 +49,13 @@ module.exports = {
  *  In such a case this should be also handled by NGINX, as documented in
  *  cryptpad/docs/example.nginx.conf (see the $main_domain variable)
  *
- *  Note: you may provide multiple origins for the purpose of accessing
- *  a development instance via different URLs, like so:
- *  httpUnsafeOrigin: 'http://127.0.0.1:3000/ http://localhost:3000/',
- *
- *  Such configuration is not recommended for production instances,
- *  as the development team does not actively test such configuration
- *  and it may have unintended consequences in practice.
- *
  */
     httpUnsafeOrigin: 'https://__DOMAIN__',
 
 /*  httpSafeOrigin is the URL that is used for the 'sandbox' described above.
  *  If you're testing or developing with CryptPad on your local machine then
  *  it is appropriate to leave this blank. The default behaviour is to serve
- *  the main domain over port 3000 and to serve the content over port 3001.
+ *  the main domain over port 3000 and to serve the sandbox content over port 3001.
  *
  *  This is not appropriate in a production environment where invasive networks
  *  may filter traffic going over abnormal ports.
@@ -70,14 +66,17 @@ module.exports = {
  *  This value corresponds to the $sandbox_domain variable
  *  in the example nginx file.
  *
+ *  Note that in order for the sandboxing system to be effective
+ *  httpSafeOrigin must be different from httpUnsafeOrigin.
+ *
  *  CUSTOMIZE AND UNCOMMENT THIS FOR PRODUCTION INSTALLATIONS.
  */
     httpSafeOrigin: "https://__SANDBOXDOMAIN__",
 
 /*  httpAddress specifies the address on which the nodejs server
- *  should be accessible. By default it will listen on 127.0.0.1
- *  (IPv4 localhost on most systems). If you want it to listen on
- *  all addresses, including IPv6, set this to '::'.
+ *  should be accessible. By default it will listen on localhost
+ *  (IPv4 & IPv6 if enabled). If you want it to listen on
+ *  a specific address, specify it here. e.g '192.168.0.1'
  *
  */
     httpAddress: '::',
@@ -97,6 +96,19 @@ module.exports = {
  */
     httpSafePort: __PORT_PORTI__,
 
+/*  Websockets need to be exposed on a separate port from the rest of
+ *  the platform's HTTP traffic. Port 3003 is used by default.
+ *  You can change this to a different port if it is in use by a
+ *  different service, but under most circumstances you can leave this
+ *  commented and it will work.
+ *
+ *  In production environments, your reverse proxy (usually NGINX)
+ *  will need to forward websocket traffic (/cryptpad_websocket)
+ *  to this port.
+ *
+ */
+    // websocketPort: 3003,
+
 /*  CryptPad will launch a child process for every core available
  *  in order to perform CPU-intensive tasks in parallel.
  *  Some host environments may have a very large number of cores available
@@ -105,6 +117,28 @@ module.exports = {
  */
     // maxWorkers: 4,
 
+    /* =====================
+     *       Sessions
+     * ===================== */
+
+    /*  Accounts can be protected with an OTP (One Time Password) system
+     *  to add a second authentication layer. Such accounts use a session
+     *  with a given lifetime after which they are logged out and need
+     *  to be re-authenticated. You can configure the lifetime of these
+     *  sessions here.
+     *
+     *  defaults to 7 days
+     */
+    //otpSessionExpiration: 7*24, // hours
+
+    /*  Registered users can be forced to protect their account
+     *  with a Multi-factor Authentication (MFA) tool like a TOTP
+     *  authenticator application.
+     *
+     *  defaults to false
+     */
+    //enforceMFA: false,
+
     /* =====================
      *         Admin
      * ===================== */
@@ -115,12 +149,17 @@ module.exports = {
      *  To give access to the admin panel to a user account, just add their public signing
      *  key, which can be found on the settings page for registered users.
      *  Entries should be strings separated by a comma.
+     *  adminKeys: [
+     *      "[cryptpad-user1@my.awesome.website/YZgXQxKR0Rcb6r6CmxHPdAGLVludrAF2lEnkbx1vVOo=]",
+     *      "[cryptpad-user2@my.awesome.website/jA-9c5iNuG7SyxzGCjwJXVnk5NPfAOO8fQuQ0dC83RE=]",
+     *  ]
+     *
      */
-/*
+
     adminKeys: [
-        "[cryptpad-user1@my.awesome.website/YZgXQxKR0Rcb6r6CmxHPdAGLVludrAF2lEnkbx1vVOo=]",
+        
     ],
-*/
+
 
     /*  CryptPad's administration panel includes a "support" tab
      *  wherein administrators with a secret key can view messages

conf/nginx.conf

@@ -4,67 +4,147 @@ set $allowed_origins "https://${sandbox_domain}";
 set $api_domain "__DOMAIN__";
 set $files_domain "__DOMAIN__";
 ssl_ecdh_curve secp384r1;
-more_set_headers "Access-Control-Allow-Origin: '${allowed_origins}'";
+
+more_set_headers "X-XSS-Protection: 1; mode=block";
+more_set_headers "X-Content-Type-Options: nosniff";
+more_set_headers "Access-Control-Allow-Origin: ${allowed_origins}";
+more_set_headers "Access-Control-Allow-Credentials: true";
+# more_set_headers "X-Frame-Options: SAMEORIGIN";
+
+# Enable SharedArrayBuffer in Firefox (for .xlsx export)
 more_set_headers "Cross-Origin-Resource-Policy: cross-origin";
 more_set_headers "Cross-Origin-Embedder-Policy: require-corp";
+
+# Insert the path to your CryptPad repository root here
 root __INSTALL_DIR__/;
 index index.html;
 error_page 404 /customize.dist/404.html;
-if ($uri ~ ^(\/|.*\/|.*\.html)$) {
-    set $cacheControl no-cache;
-}
+
+# any static assets loaded with "ver=" in their URL will be cached for a year
 if ($args ~ ver=) {
     set $cacheControl max-age=31536000;
 }
+# This rule overrides the above caching directive and makes things somewhat less efficient.
+# We had inverted them as an optimization, but Safari 16 introduced a bug that interpreted
+# some important headers incorrectly when loading these files from cache.
+# This is why we can't have nice things :(
+if ($uri ~ ^(\/|.*\/|.*\.html)$) {
+    set $cacheControl no-cache;
+}
+
+# Will not set any header if it is emptystring
 more_set_headers "Cache-Control: $cacheControl";
+
+# CSS can be dynamically set inline, loaded from the same domain, or from $main_domain
 set $styleSrc   "'unsafe-inline' 'self' https://${main_domain}";
+
+# connect-src restricts URLs which can be loaded using script interfaces
+# if you have configured your instance to use a dedicated $files_domain or $api_domain
+# you will need to add them below as: https://${files_domain} and https://${api_domain}
 set $connectSrc "'self' https://${main_domain} blob: wss://${api_domain} https://${sandbox_domain}";
+
+# fonts can be loaded from data-URLs or the main domain
 set $fontSrc    "'self' data: https://${main_domain}";
+
+# images can be loaded from anywhere, though we'd like to deprecate this as it allows the use of images for tracking
 set $imgSrc     "'self' data: blob: https://${main_domain}";
+
+# frame-src specifies valid sources for nested browsing contexts.
+# this prevents loading any iframes from anywhere other than the sandbox domain
 set $frameSrc   "'self' https://${sandbox_domain} blob:";
+
+# specifies valid sources for loading media using video or audio
 set $mediaSrc   "blob:";
+
+# defines valid sources for webworkers and nested browser contexts
+# deprecated in favour of worker-src and frame-src
 set $childSrc   "https://${main_domain}";
+
+# specifies valid sources for Worker, SharedWorker, or ServiceWorker scripts.
+# supercedes child-src but is unfortunately not yet universally supported.
 set $workerSrc  "'self'";
+
+# script-src specifies valid sources for javascript, including inline handlers
 set $scriptSrc  "'self' resource: https://${main_domain}";
+
+# frame-ancestors specifies which origins can embed your CryptPad instance
+# this must include 'self' and your main domain (over HTTPS) in order for CryptPad to work
+# if you have enabled remote embedding via the admin panel then this must be more permissive.
+# note: cryptpad.fr permits web pages served via https: and vector: (element desktop app)
 set $frameAncestors "'self' https://${main_domain}";
+ # set $frameAncestors "'self' https: vector:";
+
 set $unsafe 0;
+# the following assets are loaded via the sandbox domain
+# they unfortunately still require exceptions to the sandboxing to work correctly.
 if ($uri ~ ^\/(sheet|doc|presentation)\/inner.html.*$) { set $unsafe 1; }
 if ($uri ~ ^\/common\/onlyoffice\/.*\/.*\.html.*$) { set $unsafe 1; }
+
+# everything except the sandbox domain is a privileged scope, as they might be used to handle keys
 if ($host != $sandbox_domain) { set $unsafe 0; }
+ # this iframe is an exception. Office file formats are converted outside of the sandboxed scope
+# because of bugs in Chromium-based browsers that incorrectly ignore headers that are supposed to enable
+# the use of some modern APIs that we require when javascript is run in a cross-origin context.
+# We've applied other sandboxing techniques to mitigate the risk of running WebAssembly in this privileged scope
 if ($uri ~ ^\/unsafeiframe\/inner\.html.*$) { set $unsafe 1; }
+
+# privileged contexts allow a few more rights than unprivileged contexts, though limits are still applied
 if ($unsafe) {
     set $scriptSrc "'self' 'unsafe-eval' 'unsafe-inline' resource: https://${main_domain}";
 }
+
+# Finally, set all the rules you composed above.
 more_set_headers "Content-Security-Policy: default-src 'none'; child-src $childSrc; worker-src $workerSrc; media-src $mediaSrc; style-src $styleSrc; script-src $scriptSrc; connect-src $connectSrc; font-src $fontSrc; img-src $imgSrc; frame-src $frameSrc; frame-ancestors $frameAncestors";
+
 location ^~ /cryptpad_websocket {
     proxy_pass http://127.0.0.1:__PORT__;
     proxy_set_header X-Real-IP $remote_addr;
     proxy_set_header Host $host;
     proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+
+    # WebSocket support (nginx 1.4)
     proxy_http_version 1.1;
     proxy_set_header Upgrade $http_upgrade;
     proxy_set_header Connection upgrade;
 }
+
 location ^~ /customize.dist/ {
     # This is needed in order to prevent infinite recursion between /customize/ and the root
 }
+# try to load customizeable content via /customize/ and fall back to the default content
+# located at /customize.dist/
+# This is what allows you to override behaviour.
 location ^~ /customize/ {
     rewrite ^/customize/(.*)$ $1 break;
     try_files /customize/$uri /customize.dist/$uri;
 }
+
+# /api/config is loaded once per page load and is used to retrieve
+# the caching variable which is applied to every other resource
+# which is loaded during that session.
 location ~ ^/api/.*$ {
     proxy_pass http://127.0.0.1:__PORT__;
     proxy_set_header X-Real-IP $remote_addr;
     proxy_set_header Host $host;
     proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-    proxy_hide_header Cross-Origin-Resource-Policy;
+
+    # These settings prevent both NGINX and the API server
+    # from setting the same headers and creating duplicates
+    proxy_hide_header "Cross-Origin-Resource-Policy";
     more_set_headers "Cross-Origin-Resource-Policy: cross-origin";
-    proxy_hide_header Cross-Origin-Embedder-Policy;
+    proxy_hide_header "Cross-Origin-Embedder-Policy";
     more_set_headers "Cross-Origin-Embedder-Policy: require-corp";
 }
-location ^~ /blob/ {
+
+# Requests for blobs and blocks are now proxied to the API server
+# This simplifies NGINX path configuration in the event they are being hosted in a non-standard location
+# or with odd unexpected permissions. Serving blobs in this manner also means that it will be possible to
+# enforce access control for them, though this is not yet implemented.
+# Access control (via TOTP 2FA) has been added to blocks, so they can be handled with the same directives.
+location ~ ^/(blob|block)/.*$ {
     if ($request_method = 'OPTIONS') {
         more_set_headers "Access-Control-Allow-Origin: ${allowed_origins}";
+        more_set_headers "Access-Control-Allow-Credentials: true";
         more_set_headers "Access-Control-Allow-Methods: 'GET, POST, OPTIONS'";
         more_set_headers "Access-Control-Allow-Headers: DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range";
         more_set_headers "Access-Control-Max-Age: 1728000";
@@ -72,20 +152,23 @@ location ^~ /blob/ {
         more_set_headers "Content-Length: 0";
         return 204;
     }
-    more_set_headers "X-Content-Type-Options: nosniff";
-    more_set_headers "Cache-Control: max-age=31536000'";
-    more_set_headers "Access-Control-Allow-Origin: ${allowed_origins}";
-    more_set_headers "Access-Control-Allow-Methods: 'GET, POST, OPTIONS'";
-    more_set_headers "Access-Control-Allow-Headers: DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range,Content-Length";
-    more_set_headers "Access-Control-Expose-Headers: DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range,Content-Length";
-    try_files $uri =404;
+    # Since we are proxying to the API server these headers can get duplicated
+    # so we hide them
+    proxy_hide_header 'X-Content-Type-Options';
+    proxy_hide_header 'Access-Control-Allow-Origin';
+    proxy_hide_header 'Permissions-Policy';
+    proxy_hide_header 'X-XSS-Protection';
+    proxy_hide_header 'Cross-Origin-Resource-Policy';
+    proxy_hide_header 'Cross-Origin-Embedder-Policy';
+    proxy_pass http://127.0.0.1:__PORT__;
 }
-location ^~ /block/ {
-    more_set_headers "X-Content-Type-Options: nosniff";
-    more_set_headers "Cache-Control: max-age=0";
-    try_files $uri =404;
-}
-location ~ ^/(register|login|settings|user|pad|drive|poll|slide|code|whiteboard|file|media|profile|contacts|todo|filepicker|debug|kanban|sheet|support|admin|notifications|teams|calendar|presentation|doc|form|report|convert|checkup)$ {
+
+# The nodejs server has some built-in forwarding rules to prevent
+# URLs like /pad from resulting in a 404. This simply adds a trailing slash
+# to a variety of applications.
+location ~ ^/(register|login|recovery|settings|user|pad|drive|poll|slide|code|whiteboard|file|media|profile|contacts|todo|filepicker|debug|kanban|sheet|support|admin|notifications|teams|calendar|presentation|doc|form|report|convert|checkup|diagram)$ {
     rewrite ^(.*)$ $1/ redirect;
 }
+
+# Finally, serve anything the above exceptions don't govern.
 try_files /customize/www/$uri /customize/www/$uri/index.html /www/$uri /www/$uri/index.html /customize/$uri;

conf/systemd.service

@@ -1,5 +1,5 @@
 [Unit]
-Description=CryptPad: Zero Knowledge realtime collaborative editor.
+Description=CryptPad: Zero Knowledge realtime collaborative editor
 After=syslog.target network.target
 
 [Service]
@@ -11,6 +11,10 @@ Environment=PATH=__ENV_PATH__
 Environment=NODE_ENV=production
 ExecStart=__YNH_NPM__ start
 Restart=always
+RestartSec=2
+StandardOutput=journal
+StandardError=journal+console
+LimitNOFILE=1000000
 
 # Sandboxing options to harden security
 # Depending on specificities of your service/app, you may need to tweak these 

doc/ADMIN.md

@@ -1,9 +1,9 @@
-We have added the mandatory sandbox domain for you but you still need to configure your DNS and generate Let's Encrypt Certificates for it !!
+We have added the mandatory sandbox domain for you but you still need to configure your DNS and generate Let's Encrypt Certificates for it!
 
 Once CryptPad is installed, create an account via the Register button on the home page. To make this account an instance administrator:
 
 1. Copy the public key found in User Menu (avatar at the top right) > Settings > Account > Public Signing Key
-2. Paste this key in `/var/www/cryptpad/config/config.js` in the following array (uncomment and replace the placeholder):
+2. Paste this key in `__INSTALL_DIR__/config/config.js` in the following array (uncomment and replace the placeholder):
 ``` 
 adminKeys: [
         "[cryptpad-user1@my.awesome.website/YZgXQxKR0Rcb6r6CmxHPdAGLVludrAF2lEnkbx1vVOo=]",

doc/ADMIN_fr.md

@@ -5,7 +5,7 @@ Nous avons ajouté le domaine obligatoire sandbox pour vous mais vous devez enco
 Une fois CryptPad installé, créez un compte via le bouton S'inscrire sur la page d'accueil. Pour faire de ce compte un administrateur d'instance :
 
 1. Copiez la clé publique trouvée dans le menu utilisateur (avatar en haut à droite) > Paramètres > Compte > Clé de signature publique
-2. Collez cette clé dans `/var/www/cryptpad/config/config.js` dans le tableau suivant (décommentez et remplacez l'espace réservé) :
+2. Collez cette clé dans `__INSTALL_DIR__/config/config.js` dans le tableau suivant (décommentez et remplacez l'espace réservé) :
 ``` 
 adminKeys: [
         "[cryptpad-user1@my.awesome.website/YZgXQxKR0Rcb6r6CmxHPdAGLVludrAF2lEnkbx1vVOo=]",

doc/POST_INSTALL.md

@@ -7,7 +7,7 @@ Once CryptPad is installed, create an account via the Sign Up button on the home
 To make this account an instance administrator:
 
 1. Copy the public key found in User Menu (avatar at the top right) > Settings > Account > Public Signing Key
-2. Paste this key in `/var/www/cryptpad/config/config.js` in the following array (uncomment and replace the placeholder):
+2. Paste this key in `__INSTALL_DIR__/config/config.js` in the following array (uncomment and replace the placeholder):
 
 ```
 adminKeys: [

doc/POST_UPGRADE.md

@@ -3,7 +3,7 @@ If not already done, then you can please open CryptPad domain: https://__DOMAIN_
 
 Create an account via the Register button on the home page. To make this account an instance administrator:
 1. Copy the public key found in User Menu (avatar at the top right) > Settings > Account > Public Signing Key
-2. Paste this key in /var/www/cryptpad/config/config.js in the following array (uncomment and replace the placeholder):
+2. Paste this key in `__INSTALL_DIR__/config/config.js in the following array (uncomment and replace the placeholder):
 adminKeys: [
         "[cryptpad-user1@my.awesome.website/YZgXQxKR0Rcb6r6CmxHPdAGLVludrAF2lEnkbx1vVOo=]",
 ],

manifest.toml

@@ -5,7 +5,7 @@ name = "CryptPad"
 description.en = "Zero Knowledge realtime collaborative office suite"
 description.fr = "Suite bureautique chiffrée pour la collaboration en temps réel"
 
-version = "5.3.0~ynh1"
+version = "5.6.0~ynh1"
 
 maintainers = ["ddataa"]
 
@@ -22,8 +22,11 @@ fund = "https://opencollective.com/cryptpad/contribute?language=fr"
 yunohost = ">= 11.2"
 architectures = "all"
 multi_instance = false
+
 ldap = false
+
 sso = false
+
 disk = "50M"
 ram.build = "350M"
 ram.runtime = "50M"
@@ -45,8 +48,8 @@ ram.runtime = "50M"
 
 [resources]
         [resources.sources.main]
-        url = "https://github.com/xwiki-labs/cryptpad/archive/refs/tags/5.3.0.tar.gz"
-        sha256 = "470e75203e7080d19482bacf6216c50ec13070fc7d0ff2e4fc855f57668fb919"
+        url = "https://github.com/xwiki-labs/cryptpad/archive/refs/tags/5.6.0.tar.gz"
+        sha256 = "85a1b1781df750e250402fb095125e58b329feab4e542abb57fd886a616a0cfb"
         autoupdate.strategy = "latest_github_tag"
 
     [resources.ports]

scripts/_common.sh

@@ -4,7 +4,7 @@
 # COMMON VARIABLES
 #=================================================
 
-nodejs_version="16.14.2"
+nodejs_version="20"
 
 #=================================================
 # PERSONAL HELPERS

scripts/change_url

@@ -16,7 +16,7 @@ source /usr/share/yunohost/helpers
 #=================================================
 ynh_script_progression --message="Stopping a systemd service..." --weight=1
 
-ynh_systemd_action --service_name=$app --action="stop" --log_path="/var/log/$app/$app.log"
+ynh_systemd_action --service_name=$app --action="stop" --log_path="systemd"
 
 #=================================================
 # MODIFY URL IN NGINX CONF
@@ -32,7 +32,7 @@ ynh_change_url_nginx_config
 #=================================================
 ynh_script_progression --message="Starting a systemd service..." --weight=1
 
-ynh_systemd_action --service_name=$app --action="start" --log_path=systemd --line_match="server available"
+ynh_systemd_action --service_name=$app --action="start" --log_path="systemd"
 
 #=================================================
 # END OF SCRIPT

scripts/install

@@ -34,7 +34,7 @@ fi
 
 ynh_app_setting_set --app=$app --key=sandboxdomain --value=$sandboxdomain
 
-ynh_script_progression --message="Setting up sandobx domain : $sandboxdomain" --weight=1
+ynh_script_progression --message="Setting up sandbox domain: $sandboxdomain" --weight=1
 
 # We don't test that in CI
 if ! [ ${PACKAGE_CHECK_EXEC:-0} -eq 1 ]; then
@@ -77,9 +77,9 @@ yunohost service add $app --description="Zero Knowledge realtime collaborative e
 #=================================================
 # ADD A CONFIGURATION
 #=================================================
-ynh_script_progression --message="Adding a configuration file..."
+ynh_script_progression --message="Adding a configuration file..." --weight=1
 
-ynh_add_config --template="../conf/config.js" --destination="$install_dir/config/config.js"
+ynh_add_config --template="config.js" --destination="$install_dir/config/config.js"
 
 chmod 600 "$install_dir/config/config.js"
 chown $app "$install_dir/config/config.js"
@@ -87,15 +87,13 @@ chown $app "$install_dir/config/config.js"
 #=================================================
 # INSTALL CRYPTPAD
 #=================================================
-ynh_script_progression --message="Building $app... (this will take some time and resources!)" --weight=60
+ynh_script_progression --message="Building $app... (this will take some time and resources!)" --weight=30
 
 pushd "$install_dir"
 	ynh_use_nodejs
-	ynh_exec_warn_less npm install --allow-root
-	ynh_exec_warn_less npm install -g bower
-	ynh_exec_warn_less bower install --allow-root
-	ynh_exec_warn_less bower update --allow-root
-	ynh_exec_warn_less npm run build
+	ynh_exec_warn_less sudo -u $app env $ynh_node_load_PATH $ynh_npm ci
+	ynh_exec_warn_less sudo -u $app env $ynh_node_load_PATH $ynh_npm run install:components
+	ynh_exec_warn_less sudo -u $app env $ynh_node_load_PATH $ynh_npm run build
 popd
 
 #=================================================

scripts/remove

@@ -16,24 +16,16 @@ source /usr/share/yunohost/helpers
 #=================================================
 ynh_script_progression --message="Removing system configurations related to $app..." --weight=1
 
-# Remove the service from the list of services known by YunoHost (added from `yunohost service add`)
 if ynh_exec_warn_less yunohost service status $app >/dev/null
 then
 	ynh_script_progression --message="Removing $app service integration..." --weight=3
 	yunohost service remove $app
 fi
 
-# Remove the dedicated systemd config
 ynh_remove_systemd_config
 
-# Remove the dedicated NGINX config
 ynh_remove_nginx_config
 
-#=================================================
-# REMOVE DEPENDENCIES
-#=================================================
-ynh_script_progression --message="Removing dependencies..." --weight=3
-
 ynh_remove_nodejs
 
 #=================================================
@@ -56,12 +48,12 @@ if ! [ ${PACKAGE_CHECK_EXEC:-0} -eq 1 ]; then
 		sandboxdomain=sandbox-$domain
 	fi
 	
-	ynh_script_progression --message="Removing sandbox domain : $sandboxdomain" --weight=1
+	ynh_script_progression --message="Removing sandbox domain: $sandboxdomain" --weight=1
 	
 	if yunohost domain list | grep -q $sandboxdomain
-	then #if domain exist we remove it
+	then # if domain exist we remove it
 		yunohost domain remove $sandboxdomain
-		# we clean the nginx configuration we added
+		# we clean the NGINX configuration we added
 		ynh_secure_remove --file="/etc/nginx/conf.d/$sandboxdomain.d/"
 	fi
 fi

scripts/restore

@@ -6,7 +6,6 @@
 # IMPORT GENERIC HELPERS
 #=================================================
 
-# Keep this path for calling _common.sh inside the execution's context of backup and restore scripts
 source ../settings/scripts/_common.sh
 source /usr/share/yunohost/helpers
 
@@ -56,7 +55,7 @@ yunohost service add $app --description="Zero Knowledge realtime collaborative e
 #=================================================
 ynh_script_progression --message="Reloading NGINX web server and $app's service..." --weight=1
 
-ynh_systemd_action --service_name=$app --action="start" --log_path=systemd --line_match="server available"
+ynh_systemd_action --service_name=$app --action="start" --log_path="systemd"
 
 ynh_systemd_action --service_name=nginx --action=reload
 

scripts/upgrade

@@ -29,7 +29,7 @@ upgrade_type=$(ynh_check_app_version_changed)
 #=================================================
 ynh_script_progression --message="Stopping a systemd service..." --weight=1
 
-ynh_systemd_action --service_name=$app --action="stop" --log_path="/var/log/$app/$app.log"
+ynh_systemd_action --service_name=$app --action="stop" --log_path="systemd"
 
 #=================================================
 # DOWNLOAD, CHECK AND UNPACK SOURCE
@@ -39,7 +39,6 @@ if [ "$upgrade_type" == "UPGRADE_APP" ]
 then
 	ynh_script_progression --message="Upgrading source files..." --weight=1
 
-	# Download, check integrity, uncompress and patch the source from app.src
 	ynh_setup_source --dest_dir="$install_dir" #--keep="config/config.js"
 	
 	chmod -R o-rwx "$install_dir"
@@ -69,7 +68,7 @@ if [[ $domain == *".local" ]]; then
 	sandboxdomain=sandbox-$domain
 fi
 
-ynh_script_progression --message="Setting up sandobx domain: $sandboxdomain" --weight=1
+ynh_script_progression --message="Setting up sandbox domain: $sandboxdomain" --weight=1
 
 # We don't test that in CI
 if ! [ ${PACKAGE_CHECK_EXEC:-0} -eq 1 ]; then
@@ -80,6 +79,13 @@ if ! [ ${PACKAGE_CHECK_EXEC:-0} -eq 1 ]; then
 	fi
 fi
 
+#=================================================
+# UPGRADE DEPENDENCIES
+#=================================================
+ynh_script_progression --message="Upgrading dependencies..." --weight=6
+
+ynh_exec_warn_less ynh_install_nodejs --nodejs_version=$nodejs_version
+
 #=================================================
 # NGINX CONFIGURATION
 #=================================================
@@ -89,30 +95,6 @@ ynh_script_progression --message="Upgrading NGINX web server configuration..." -
 ynh_add_nginx_config
 
 env_path="$PATH"
-#=================================================
-# UPGRADE DEPENDENCIES
-#=================================================
-ynh_script_progression --message="Upgrading dependencies..." --weight=6
-
-ynh_exec_warn_less ynh_install_nodejs --nodejs_version=$nodejs_version
-
-#=================================================
-# INSTALL CRYPTPAD
-#=================================================
-ynh_script_progression --message="Building $app... (this will take some time and resources!)" --weight=60
-
-pushd "$install_dir" 
-	ynh_exec_warn_less npm install --allow-root
-	ynh_exec_warn_less npm install -g bower
-	ynh_exec_warn_less bower update --allow-root
-	ynh_exec_warn_less npm i
-	ynh_exec_warn_less npm run build
-popd
-
-#=================================================
-# CREATE SYSTEMD SERVICE
-#=================================================
-# Create a dedicated systemd config
 ynh_add_systemd_config
 
 yunohost service add $app --description="Zero Knowledge realtime collaborative editor" --log="/var/log/$app/$app.log"
@@ -122,17 +104,29 @@ yunohost service add $app --description="Zero Knowledge realtime collaborative e
 #=================================================
 ynh_script_progression --message="Updating a configuration file..." --weight=1
 
-ynh_add_config --template="../conf/config.js" --destination="$install_dir/config/config.js"
+ynh_add_config --template="config.js" --destination="$install_dir/config/config.js"
 
 chmod 600 "$install_dir/config/config.js"
 chown $app "$install_dir/config/config.js"
 
+#=================================================
+# INSTALL CRYPTPAD
+#=================================================
+ynh_script_progression --message="Building $app... (this will take some time and resources!)" --weight=30
+
+pushd "$install_dir"
+	ynh_use_nodejs
+	ynh_exec_warn_less sudo -u $app env $ynh_node_load_PATH $ynh_npm ci
+	ynh_exec_warn_less sudo -u $app env $ynh_node_load_PATH $ynh_npm run install:components
+	ynh_exec_warn_less sudo -u $app env $ynh_node_load_PATH $ynh_npm run build
+popd
+
 #=================================================
 # START SYSTEMD SERVICE
 #=================================================
 ynh_script_progression --message="Starting a systemd service..." --weight=1
 
-ynh_systemd_action --service_name=$app --action="start" --log_path=systemd --line_match="server available"
+ynh_systemd_action --service_name=$app --action="start" --log_path="systemd"
 
 #=================================================
 # COPY NGINX CONF IN SANDBOX DOMAIN

tests.toml

@@ -6,6 +6,6 @@ test_format = 1.0
     # Commits to test upgrade from
     # -------------------------------
 
-    test_upgrade_from.2a54cd03.name = "Upgrade from 4.10.0"
-
     test_upgrade_from.1e360398.name = "Upgrade from 4.12.0"
+
+    test_upgrade_from.7a024ca1.name = "Upgrade from 5.3.0"