[ref] Protect webadmin, mv BMA and webadmin paths to make the CI happy

\# Protect webadmin

Modify 'main' permission group to protect the webadmin to the admin

Create 'apis' permission publicly accessible to make BMA and WS2P APIs
accessible to whole Internet and set --auth_header=false

\# Nginx misconfiguration

BMA is exposed on port 10901
The webadmin on port 9220
this explains why BMA was not accessible
because it was redirected to the webadmin
Was probably done to solve following problem with the CI

\# Move BMA to /bma and webadmin to root path '/'

Move the WebAdmin from '/webadmin' to '/' root path
Move BMA from '/' to '/bma/' path

In order to have passing access test on the root path with the CI
BMA returns a 502 HTTP error since no synchronization have been performed
therefore there is nothing to be displayed

Cesium and Silkaj support connection to BMA endpoint with a path in

\## TODOs in Duniter v1
There is no synchronization possible to duniter_ynh BMA api,
since Duniter doesn’t support specifying a path to 'sync' command

Can’t define a custom BMAS endpoint with /bma path in
The endpoint doesn’t stay, it seems its overwritten by the fact that when
specifying port 443, BMAS endpoint get created and overwrites this one
ynh_exec_as duniter duniter config --addep "BMAS $domain 443 /bma"
This is not as important as having a correct WS2P endpoint defined
for inter-node connection
Nice to have for BMA endpoint discovery

\# Clean Nginx config
Define once by moving WS, and SSOwat panel support to the common part
Remove /modules path, not really used anymore
Replace 127.0.0.1 by localhost

conf/nginx.conf

@@ -14,32 +14,22 @@ location / {
   proxy_read_timeout 86400s; 
   proxy_send_timeout 86400s;
 
+  # Include SSOWAT user panel
+  access_by_lua_file /usr/share/ssowat/access.lua;
+
   location ~ \.(js|css|woff|woff2|ttf|png) {
     proxy_pass http://localhost:9220;
-    access_by_lua_file /usr/share/ssowat/access.lua;
-  }
-	
-  location /webui {
-    proxy_pass http://localhost:9220/;
-    access_by_lua_file /usr/share/ssowat/access.lua;
-    # Include SSOWAT user panel.
-    include conf.d/yunohost_panel.conf.inc;
   }
 
   location ~ /webmin {
     proxy_pass http://localhost:9220$uri;
-    access_by_lua_file /usr/share/ssowat/access.lua;
   }
-	
-  location ~ /modules {
-    proxy_pass http://localhost:9220;
-    access_by_lua_file /usr/share/ssowat/access.lua;
+
+  location ~ ^/bma(.*)$ {
+    proxy_pass http://localhost:__PORT__$1$is_args$args;
   }
 
   location /ws2p {
-    proxy_pass http://127.0.0.1:20901;
-    proxy_http_version 1.1;
-    proxy_set_header Upgrade $http_upgrade;
-    proxy_set_header Connection "upgrade";
+    proxy_pass http://localhost:20901;
   }
 }

scripts/install

@@ -134,8 +134,12 @@ ynh_systemd_action --service_name=$app --action="start" --log_path=systemd
 #=================================================
 ynh_script_progression --message="Configuring permissions…"
 
-# Make app public
-ynh_permission_update --permission="main" --add="visitors"
+# Change main group to protect sensitive sub-routes (client, API) to Duniter web admin interface, give access to choosen admin
+ynh_permission_update --permission "main" --add "$admin" --remove "all_users"
+ynh_permission_url --permission "main" --add_url "/webmin"
+
+# Create apis permission group to public to allow BMA and WS2P APIs accessible to visitors
+ynh_permission_create --permission "apis" --url "/bma" --additional_urls "/ws2p" --auth_header=false --allowed "visitors"
 
 #=================================================
 # RELOAD NGINX