Merge pull request #145 from YunoHost-Apps/testing

Testing

README.md

@@ -5,7 +5,8 @@ It shall NOT be edited by hand.
 
 # CryptPad for YunoHost
 
-[![Integration level](https://dash.yunohost.org/integration/cryptpad.svg)](https://dash.yunohost.org/appci/app/cryptpad) ![Working status](https://ci-apps.yunohost.org/ci/badges/cryptpad.status.svg) ![Maintenance status](https://ci-apps.yunohost.org/ci/badges/cryptpad.maintain.svg)  
+[![Integration level](https://dash.yunohost.org/integration/cryptpad.svg)](https://dash.yunohost.org/appci/app/cryptpad) ![Working status](https://ci-apps.yunohost.org/ci/badges/cryptpad.status.svg) ![Maintenance status](https://ci-apps.yunohost.org/ci/badges/cryptpad.maintain.svg)
+
 [![Install CryptPad with YunoHost](https://install-app.yunohost.org/install-with-yunohost.svg)](https://install-app.yunohost.org/?app=cryptpad)
 
 *[Lire ce readme en français.](./README_fr.md)*
@@ -17,7 +18,7 @@ If you don't have YunoHost, please consult [the guide](https://yunohost.org/#/in
 
 CryptPad is a collaboration suite that is end-to-end-encrypted and open-source. It is built to enable collaboration, synchronizing changes to documents in real time. Because all data is encrypted, the service and its administrators have no way of seeing the content being edited and stored.
 
-**Shipped version:** 4.12.0~ynh2
+**Shipped version:** 5.2.1~ynh1
 
 **Demo:** https://cryptpad.fr/
 

README_fr.md

@@ -5,25 +5,26 @@ It shall NOT be edited by hand.
 
 # CryptPad pour YunoHost
 
-[![Niveau d'intégration](https://dash.yunohost.org/integration/cryptpad.svg)](https://dash.yunohost.org/appci/app/cryptpad) ![Statut du fonctionnement](https://ci-apps.yunohost.org/ci/badges/cryptpad.status.svg) ![Statut de maintenance](https://ci-apps.yunohost.org/ci/badges/cryptpad.maintain.svg)  
+[![Niveau d’intégration](https://dash.yunohost.org/integration/cryptpad.svg)](https://dash.yunohost.org/appci/app/cryptpad) ![Statut du fonctionnement](https://ci-apps.yunohost.org/ci/badges/cryptpad.status.svg) ![Statut de maintenance](https://ci-apps.yunohost.org/ci/badges/cryptpad.maintain.svg)
+
 [![Installer CryptPad avec YunoHost](https://install-app.yunohost.org/install-with-yunohost.svg)](https://install-app.yunohost.org/?app=cryptpad)
 
 *[Read this readme in english.](./README.md)*
 
-> *Ce package vous permet d'installer CryptPad rapidement et simplement sur un serveur YunoHost.
-Si vous n'avez pas YunoHost, regardez [ici](https://yunohost.org/#/install) pour savoir comment l'installer et en profiter.*
+> *Ce package vous permet d’installer CryptPad rapidement et simplement sur un serveur YunoHost.
+Si vous n’avez pas YunoHost, regardez [ici](https://yunohost.org/#/install) pour savoir comment l’installer et en profiter.*
 
-## Vue d'ensemble
+## Vue d’ensemble
 
 CryptPad est une suite de collaboration chiffrée de bout en bout et open source. Il est conçu pour permettre la collaboration, en synchronisant les modifications apportées aux documents en temps réel. Étant donné que toutes les données sont chiffrées, le service et ses administrateurs n'ont aucun moyen de voir le contenu modifié et stocké. 
 
-**Version incluse :** 4.12.0~ynh2
+**Version incluse :** 5.2.1~ynh1
 
 **Démo :** https://cryptpad.fr/
 
-## Captures d'écran
+## Captures d’écran
 
-![Capture d'écran de CryptPad](./doc/screenshots/screenshot.png)
+![Capture d’écran de CryptPad](./doc/screenshots/screenshot.png)
 
 ## Avertissements / informations importantes
 
@@ -43,9 +44,9 @@ adminKeys: [
 
 ## Documentations et ressources
 
-* Site officiel de l'app : <https://cryptpad.fr/>
-* Documentation officielle de l'admin : <https://docs.cryptpad.fr/en/>
-* Dépôt de code officiel de l'app : <https://github.com/xwiki-labs/cryptpad>
+* Site officiel de l’app : <https://cryptpad.fr/>
+* Documentation officielle de l’admin : <https://docs.cryptpad.fr/en/>
+* Dépôt de code officiel de l’app : <https://github.com/xwiki-labs/cryptpad>
 * Documentation YunoHost pour cette app : <https://yunohost.org/app_cryptpad>
 * Signaler un bug : <https://github.com/YunoHost-Apps/cryptpad_ynh/issues>
 
@@ -61,4 +62,4 @@ ou
 sudo yunohost app upgrade cryptpad -u https://github.com/YunoHost-Apps/cryptpad_ynh/tree/testing --debug
 ```
 
-**Plus d'infos sur le packaging d'applications :** <https://yunohost.org/packaging_apps>
+**Plus d’infos sur le packaging d’applications :** <https://yunohost.org/packaging_apps>

check_process

@@ -13,6 +13,8 @@
 		upgrade=1
 		#4.10.0
 		upgrade=1	from_commit=2a54cd03f90c93b07150a64644ffc7f208110a18
+		#4.12.0
+		upgrade=1	from_commit=1e36039893dc35533b320257ca7f93ef1d07a164
 		backup_restore=1
 		multi_instance=0
 		port_already_use=0
@@ -23,3 +25,6 @@ Notification=none
 ;;; Upgrade options
 	; commit=2a54cd03f90c93b07150a64644ffc7f208110a18
 		name=update to 4.10.0
+;;; Upgrade options
+	; commit=1e36039893dc35533b320257ca7f93ef1d07a164
+		name=update to 4.12.0

conf/app.src

@@ -1,6 +1,6 @@
-SOURCE_URL=https://github.com/xwiki-labs/cryptpad/archive/4.11.0.tar.gz
-SOURCE_SUM=e529b484c297f73227f991971189c51f64da1ab53fc78334d1fb08e320d4385e
+SOURCE_URL=https://github.com/xwiki-labs/cryptpad/archive/5.2.1.tar.gz
+SOURCE_SUM=945abe5bae0da25a4e2ef8e02730aaa5bb5e5a0b8bfd7a23a09ec38422d7c47f
 SOURCE_SUM_PRG=sha256sum
 SOURCE_FORMAT=tar.gz
 SOURCE_IN_SUBDIR=true
-SOURCE_FILENAME=cryptpad.tar.gz
+SOURCE_FILENAME=cryptpad.tar.gz

conf/config.js

@@ -72,7 +72,7 @@ module.exports = {
  *
  *  CUSTOMIZE AND UNCOMMENT THIS FOR PRODUCTION INSTALLATIONS.
  */
-    // httpSafeOrigin: "https://some-other-domain.xyz",
+    httpSafeOrigin: "https://__SANDBOXDOMAIN__",
 
 /*  httpAddress specifies the address on which the nodejs server
  *  should be accessible. By default it will listen on 127.0.0.1
@@ -324,5 +324,5 @@ module.exports = {
      *  such as Docker.
      *
      */
-    installMethod: 'unspecified',
-};
+    installMethod: 'yunohost',
+};

conf/nginx.conf

@@ -1,19 +1,94 @@
-#sub_path_only rewrite ^__PATH__$ __PATH__/ permanent;
-location __PATH__/ {
-
-  proxy_pass http://127.0.0.1:__PORT__;
-  proxy_redirect    off;
-  proxy_set_header  Host $host;
-  proxy_set_header  X-Real-IP $remote_addr;
-  proxy_set_header  X-Forwarded-Proto $scheme;
-  proxy_set_header  X-Forwarded-For $proxy_add_x_forwarded_for;
-  proxy_set_header  X-Forwarded-Host $server_name;
-
-  proxy_http_version 1.1;
-  proxy_set_header Upgrade $http_upgrade;
-  proxy_set_header Connection "upgrade";
-
-  # Include SSOWAT user panel.
-  include conf.d/yunohost_panel.conf.inc;
-  more_clear_input_headers 'Accept-Encoding';
+set $main_domain "__DOMAIN__";
+set $sandbox_domain "__SANDBOXDOMAIN__";
+set $allowed_origins "https://${sandbox_domain}";
+set $api_domain "__DOMAIN__";
+set $files_domain "__DOMAIN__";
+ssl_ecdh_curve secp384r1;
+more_set_headers "Strict-Transport-Security: 'max-age=31536000; includeSubDomains' always";
+more_set_headers "X-XSS-Protection: '1; mode=block'";
+more_set_headers "X-Content-Type-Options: nosniff";
+more_set_headers "Access-Control-Allow-Origin: '${allowed_origins}'";
+more_set_headers "Cross-Origin-Resource-Policy: cross-origin";
+more_set_headers "Cross-Origin-Embedder-Policy: require-corp";
+root /var/www/cryptpad;
+index index.html;
+error_page 404 /customize.dist/404.html;
+if ($uri ~ ^(\/|.*\/|.*\.html)$) {
+    set $cacheControl no-cache;
 }
+if ($args ~ ver=) {
+    set $cacheControl max-age=31536000;
+}
+more_set_headers "Cache-Control: $cacheControl";
+set $styleSrc   "'unsafe-inline' 'self' https://${main_domain}";
+set $connectSrc "'self' blob: https://${main_domain} https://${sandbox_domain} wss://${main_domain}";
+set $fontSrc    "'self' data: https://${main_domain}";
+set $imgSrc     "'self' data: blob: https://${main_domain}";
+set $frameSrc   "'self' https://${sandbox_domain} blob:";
+set $mediaSrc   "blob:";
+set $childSrc   "https://${main_domain}";
+set $workerSrc  "'self'";
+set $scriptSrc  "'self' resource: https://${main_domain}";
+set $frameAncestors "'self' https://${main_domain}";
+set $unsafe 0;
+if ($uri ~ ^\/(sheet|doc|presentation)\/inner.html.*$) { set $unsafe 1; }
+if ($uri ~ ^\/common\/onlyoffice\/.*\/.*\.html.*$) { set $unsafe 1; }
+if ($host != $sandbox_domain) { set $unsafe 0; }
+if ($uri ~ ^\/unsafeiframe\/inner\.html.*$) { set $unsafe 1; }
+if ($unsafe) {
+    set $scriptSrc "'self' 'unsafe-eval' 'unsafe-inline' resource: https://${main_domain}";
+}
+more_set_headers "Content-Security-Policy: default-src 'none'; child-src $childSrc; worker-src $workerSrc; media-src $mediaSrc; style-src $styleSrc; script-src $scriptSrc; connect-src $connectSrc; font-src $fontSrc; img-src $imgSrc; frame-src $frameSrc; frame-ancestors $frameAncestors";
+location ^~ /cryptpad_websocket {
+    proxy_pass http://localhost:3000;
+    proxy_set_header X-Real-IP $remote_addr;
+    proxy_set_header Host $host;
+    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_http_version 1.1;
+    proxy_set_header Upgrade $http_upgrade;
+    proxy_set_header Connection upgrade;
+}
+location ^~ /customize.dist/ {
+    # This is needed in order to prevent infinite recursion between /customize/ and the root
+}
+location ^~ /customize/ {
+    rewrite ^/customize/(.*)$ $1 break;
+    try_files /customize/$uri /customize.dist/$uri;
+}
+location ~ ^/api/.*$ {
+    proxy_pass http://localhost:3000;
+    proxy_set_header X-Real-IP $remote_addr;
+    proxy_set_header Host $host;
+    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_hide_header Cross-Origin-Resource-Policy;
+    more_set_headers "Cross-Origin-Resource-Policy: cross-origin";
+    proxy_hide_header Cross-Origin-Embedder-Policy;
+    more_set_headers "Cross-Origin-Embedder-Policy: require-corp";
+}
+location ^~ /blob/ {
+    if ($request_method = 'OPTIONS') {
+        more_set_headers "Access-Control-Allow-Origin: '${allowed_origins}'";
+        more_set_headers "Access-Control-Allow-Methods: 'GET, POST, OPTIONS'";
+        more_set_headers "Access-Control-Allow-Headers: 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range'";
+        more_set_headers "Access-Control-Max-Age: 1728000";
+        more_set_headers "Content-Type: 'application/octet-stream; charset=utf-8'";
+        more_set_headers "Content-Length: 0";
+        return 204;
+    }
+    more_set_headers "X-Content-Type-Options: nosniff";
+    more_set_headers "Cache-Control: max-age=31536000'";
+    more_set_headers "Access-Control-Allow-Origin: '${allowed_origins}'";
+    more_set_headers "Access-Control-Allow-Methods: 'GET, POST, OPTIONS'";
+    more_set_headers "Access-Control-Allow-Headers: 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range,Content-Length'";
+    more_set_headers "Access-Control-Expose-Headers: 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range,Content-Length'";
+    try_files $uri =404;
+}
+location ^~ /block/ {
+    more_set_headers "X-Content-Type-Options: nosniff";
+    more_set_headers "Cache-Control: max-age=0";
+    try_files $uri =404;
+}
+location ~ ^/(register|login|settings|user|pad|drive|poll|slide|code|whiteboard|file|media|profile|contacts|todo|filepicker|debug|kanban|sheet|support|admin|notifications|teams|calendar|presentation|doc|form|report|convert|checkup)$ {
+    rewrite ^(.*)$ $1/ redirect;
+}
+try_files /customize/www/$uri /customize/www/$uri/index.html /www/$uri /www/$uri/index.html /customize/$uri;

manifest.json

@@ -3,17 +3,18 @@
     "id": "cryptpad",
     "packaging_format": 1,
     "description": {
-        "en": "Zero Knowledge realtime collaborative editor",
-        "fr": "Éditeur chiffré collaboratif en temps réel"
+        "en": "Zero Knowledge realtime collaborative office suite",
+        "fr": "Suite bureautique chiffrée pour la collaboration en temps réel"
     },
-    "version": "4.12.0~ynh2",
+    "version": "5.2.1~ynh1",
     "url": "https://cryptpad.fr/",
     "upstream": {
         "license": "AGPL-3.0-only",
         "website": "https://cryptpad.fr/",
         "demo": "https://cryptpad.fr/",
         "admindoc": "https://docs.cryptpad.fr/en/",
-        "code": "https://github.com/xwiki-labs/cryptpad"
+        "code": "https://github.com/xwiki-labs/cryptpad",
+        "cpe": "cpe:2.3:a:xwiki:cryptpad"
     },
     "license": "AGPL-3.0-only",
     "maintainer": {
@@ -22,7 +23,7 @@
         "url": "https://frju365.yunohost.support"
     },
     "requirements": {
-        "yunohost": ">= 4.3.0"
+        "yunohost": ">= 11.1.6"
     },
     "multi_instance": false,
     "services": [
@@ -53,4 +54,4 @@
             }
         ]
     }
-}
+}

scripts/_common.sh

@@ -4,7 +4,7 @@
 # COMMON VARIABLES
 #=================================================
 
-nodejs_version="14"
+nodejs_version="16.14.2"
 
 #=================================================
 # PERSONAL HELPERS

scripts/install

@@ -66,6 +66,31 @@ ynh_app_setting_set --app=$app --key=port --value=$port
 porti=$(ynh_find_port --port=$(($port + 1)))
 ynh_app_setting_set --app=$app --key=porti --value=$porti
 
+#=================================================
+# CREATE A SANDBOX DOMAIN
+#=================================================
+
+# if the main domain for the app is a root domain, we create a correct sandbox subdomain
+if [[ $domain == *"."* ]]; then
+	sandboxdomain=sandbox.$domain
+fi
+# if the main domain for the app is already a sub-domain, we create a correct sandbox domain
+if [[ $domain == *"."*"."* ]]; then
+	sandboxdomain=sandbox-$domain
+fi
+# if the main domain for the app is a .local root domain, we create a correct sandbox subdomain
+if [[ $domain == *".local" ]]; then
+	sandboxdomain=sandbox-$domain
+fi
+
+ynh_script_progression --message="Setting up sandobx domain : $sandboxdomain" --weight=1
+
+# We don't test that in CI
+if ! [ ${PACKAGE_CHECK_EXEC:-0} -eq 1 ]; then
+	yunohost domain add $sandboxdomain
+	yunohost domain config set $sandboxdomain -a "mail_in=0&mail_out=0"
+fi
+
 #=================================================
 # INSTALL DEPENDENCIES
 #=================================================
@@ -131,6 +156,8 @@ pushd "$final_path"
 	ynh_exec_warn_less npm install --allow-root
 	ynh_exec_warn_less npm install -g bower
 	ynh_exec_warn_less bower install --allow-root
+	ynh_exec_warn_less bower update --allow-root
+	ynh_exec_warn_less npm run build
 popd
 
 #=================================================
@@ -161,6 +188,30 @@ then
 	ynh_permission_update --permission="main" --add="visitors"
 fi
 
+# We authorize access to sandbox domain
+# We don't test that in CI
+if ! [ ${PACKAGE_CHECK_EXEC:-0} -eq 1 ]; then
+	ynh_permission_url --permission="main" --add_url=$sandboxdomain --auth_header=true
+fi
+
+#=================================================
+# APPLY FOLDER RIGHTS
+#=================================================
+chgrp -R www-data $final_path
+
+#=================================================
+# COPY NGINX CONF IN SANDBOX DOMAIN
+#=================================================
+# We don't test that in CI
+if ! [ ${PACKAGE_CHECK_EXEC:-0} -eq 1 ]; then
+	ynh_add_config --template="/etc/nginx/conf.d/$domain.d/cryptpad.conf" --destination="/etc/nginx/conf.d/$sandboxdomain.d/cryptpad.conf"
+fi
+
+#=================================================
+# RELOAD YUNOHOST-API to refresh web admin domains after domain creation (normal?)
+#=================================================
+ynh_systemd_action --service_name=yunohost-api --action=reload
+
 #=================================================
 # RELOAD NGINX
 #=================================================
@@ -175,9 +226,14 @@ ynh_script_progression --message="Sending a readme for the admin..." --weight=1
 
 message="CryptPad was successfully installed :)
 
-Please open your $app domain: https://$domain$path_url
+READ CAREFULLY !!
 
-Once CryptPad is installed, create an account via the Register button on the home page. To make this account an instance administrator:
+We have added a sandbox domain : $sandboxdomain for you but you still need to configure your DNS and generate the Let's Encrypt Certificates for it.
+You will need also to restart CryptPad service after this is done.
+
+Then you can please open your $app domain: https://$domain$path_url
+Once CryptPad is installed, create an account via the Sign Up button on the home page which will take you to the Register page.
+To make this account an instance administrator:
 
 1. Copy the public key found in User Menu (avatar at the top right) > Settings > Account > Public Signing Key
 2. Paste this key in /var/www/cryptpad/config/config.js in the following array (uncomment and replace the placeholder):

scripts/remove

@@ -64,6 +64,42 @@ ynh_script_progression --message="Removing dependencies..." --weight=3
 
 ynh_remove_nodejs
 
+#=================================================
+# REMOVE SANDBOX DOMAIN
+#=================================================
+
+# We don't test that in CI
+if ! [ ${PACKAGE_CHECK_EXEC:-0} -eq 1 ]; then
+	
+	# if the main domain for the app is a root domain, we create a correct sandbox subdomain
+	if [[ $domain == *"."* ]]; then
+		sandboxdomain=sandbox.$domain
+	fi
+	# if the main domain for the app is already a sub-domain, we create a correct sandbox domain
+	if [[ $domain == *"."*"."* ]]; then
+		sandboxdomain=sandbox-$domain
+	fi
+	# if the main domain for the app is a .local root domain, we create a correct sandbox subdomain
+	if [[ $domain == *".local" ]]; then
+		sandboxdomain=sandbox-$domain
+	fi
+	
+	ynh_script_progression --message="Removing sandbox domain : $sandboxdomain" --weight=1
+	
+	if yunohost domain list | grep -q $sandboxdomain
+	then #if domain exist we remove it
+		yunohost domain remove $sandboxdomain
+		# we clean the nginx configuration we added
+		ynh_secure_remove --file="/etc/nginx/conf.d/$sandboxdomain.d/"
+	fi
+fi
+
+
+#=================================================
+# RELOAD YUNOHOST-API to refresh web admin domains after domain creation (bug core?)
+#=================================================
+#ynh_systemd_action --service_name=yunohost-api --action=reload
+
 #=================================================
 # GENERIC FINALIZATION
 #=================================================

scripts/restore

@@ -68,6 +68,11 @@ chmod -R o-rwx "$final_path"
 chown -R $app:$app "$final_path"
 chmod 600 "$final_path/config/config.js"
 
+#=================================================
+# APPLY FOLDER GROUP RIGHTS FOR WWW-DATA
+#=================================================
+chgrp -R www-data $final_path
+
 #=================================================
 # REINSTALL DEPENDENCIES
 #=================================================

scripts/upgrade

@@ -90,13 +90,42 @@ then
 	ynh_script_progression --message="Upgrading source files..." --weight=1
 
 	# Download, check integrity, uncompress and patch the source from app.src
-	ynh_setup_source --dest_dir="$final_path" --keep="$final_path/config/config.js"
+	ynh_setup_source --dest_dir="$final_path" --keep="config/config.js customize/"
 	
 	chmod 750 "$final_path"
 	chmod -R o-rwx "$final_path"
 	chown -R $app:$app "$final_path"
 fi
 
+#=================================================
+# APPLY FOLDER GROUP RIGHTS FOR WWW-DATA
+#=================================================
+chgrp -R www-data $final_path
+
+#=================================================
+# CREATE A SANDBOX DOMAIN
+#=================================================
+# if the main domain for the app is a root domain, we create a correct sandbox subdomain
+if [[ $domain == *"."* ]]; then
+	sandboxdomain=sandbox.$domain
+fi
+# if the main domain for the app is already a sub-domain, we create a correct sandbox domain
+if [[ $domain == *"."*"."* ]]; then
+	sandboxdomain=sandbox-$domain
+fi
+# if the main domain for the app is a .local root domain, we create a correct sandbox subdomain
+if [[ $domain == *".local" ]]; then
+	sandboxdomain=sandbox-$domain
+fi
+
+ynh_script_progression --message="Setting up sandobx domain : $sandboxdomain" --weight=1
+
+# We don't test that in CI
+if ! [ ${PACKAGE_CHECK_EXEC:-0} -eq 1 ]; then
+	yunohost domain add $sandboxdomain
+	yunohost domain config set $sandboxdomain -a "mail_in=0&mail_out=0"
+fi
+
 #=================================================
 # NGINX CONFIGURATION
 #=================================================
@@ -122,6 +151,7 @@ pushd "$final_path"
 	ynh_exec_warn_less npm install -g bower
 	ynh_exec_warn_less bower update --allow-root
 	ynh_exec_warn_less npm i
+	ynh_exec_warn_less npm run build
 popd
 
 #=================================================
@@ -142,6 +172,11 @@ ynh_script_progression --message="Integrating service in YunoHost..." --weight=1
 
 yunohost service add $app --description="Zero Knowledge realtime collaborative editor" --log="/var/log/$app/$app.log"
 
+#=================================================
+# ADD UPGRADED CONFIG WITH SANDBOX
+#=================================================
+ynh_add_config --template="../conf/config.js" --destination="$final_path/config/config.js"
+
 #=================================================
 # START SYSTEMD SERVICE
 #=================================================
@@ -149,6 +184,20 @@ ynh_script_progression --message="Starting a systemd service..." --weight=1
 
 ynh_systemd_action --service_name=$app --action="start" --log_path=systemd --line_match="server available"
 
+#=================================================
+# COPY NGINX CONF IN SANDBOX DOMAIN
+#=================================================
+# We don't test that in CI
+if ! [ ${PACKAGE_CHECK_EXEC:-0} -eq 1 ]; then
+	ynh_add_config --template="/etc/nginx/conf.d/$domain.d/cryptpad.conf" --destination="/etc/nginx/conf.d/$sandboxdomain.d/cryptpad.conf"
+fi
+
+# We authorize access to sandbox domain
+# We don't test that in CI
+if ! [ ${PACKAGE_CHECK_EXEC:-0} -eq 1 ]; then
+	ynh_permission_url --permission="main" --add_url=$sandboxdomain --auth_header=true
+fi
+
 #=================================================
 # RELOAD NGINX
 #=================================================
@@ -156,6 +205,25 @@ ynh_script_progression --message="Reloading NGINX web server..." --weight=1
 
 ynh_systemd_action --service_name=nginx --action=reload
 
+#=================================================
+# SEND A README FOR THE ADMIN
+#=================================================
+ynh_script_progression --message="Sending a readme for the admin..." --weight=1
+
+message="CryptPad was successfully upgraded :)
+We have added a sandbox domain for you but you still need to configure your DNS and generate Let's Encrypt Certificates for it !!
+If not already done, then you can please open your $app domain: https://$domain$path_url
+Create an account via the Register button on the home page. To make this account an instance administrator:
+1. Copy the public key found in User Menu (avatar at the top right) > Settings > Account > Public Signing Key
+2. Paste this key in /var/www/cryptpad/config/config.js in the following array (uncomment and replace the placeholder):
+adminKeys: [
+        "[cryptpad-user1@my.awesome.website/YZgXQxKR0Rcb6r6CmxHPdAGLVludrAF2lEnkbx1vVOo=]",
+],
+If you are facing an issue or want to improve this app, please open a new issue in this project: https://github.com/YunoHost-Apps/cryptpad_ynh"
+
+ynh_send_readme_to_admin "$message"
+
+
 #=================================================
 # END OF SCRIPT
 #=================================================