Merge branch 'testing' into git

.github/ISSUE_TEMPLATE.md

@@ -0,0 +1,55 @@
+---
+name: Bug report
+about: When creating a bug report, please use the following template to provide all the relevant information and help debugging efficiently.
+
+---
+
+**How to post a meaningful bug report**
+1. *Read this whole template first.*
+2. *Determine if you are on the right place:*
+   - *If you were performing an action on the app from the webadmin or the CLI (install, update, backup, restore, change_url...), you are on the right place!*
+   - *Otherwise, the issue may be due to the app itself. Refer to its documentation or repository for help.*
+   - *When in doubt, post here and we will figure it out together.*
+3. *Delete the italic comments as you write over them below, and remove this guide.*
+--- 
+
+### Describe the bug
+
+*A clear and concise description of what the bug is.*
+
+### Context
+
+- Hardware: *VPS bought online / Old laptop or computer / Raspberry Pi at home / Internet Cube with VPN / Other ARM board / ...*
+- YunoHost version: x.x.x
+- I have access to my server: *Through SSH | through the webadmin | direct access via keyboard / screen | ...*
+- Are you in a special context or did you perform some particular tweaking on your YunoHost instance?: *no / yes*
+  - If yes, please explain:
+- Using, or trying to install package version/branch:
+- If upgrading, current package version: *can be found in the admin, or with `yunohost app info $app_id`*
+
+### Steps to reproduce
+
+- *If you performed a command from the CLI, the command itself is enough. For example:*
+    ```sh
+    sudo yunohost app install the_app
+    ```
+- *If you used the webadmin, please perform the equivalent command from the CLI first.*
+- *If the error occurs in your browser, explain what you did:*
+   1. *Go to '...'*
+   2. *Click on '...'*
+   3. *Scroll down to '...'*
+   4. *See error*
+
+### Expected behavior
+
+*A clear and concise description of what you expected to happen. You can remove this section if the command above is enough to understand your intent.*
+
+### Logs
+
+*When an operation fails, YunoHost provides a simple way to share the logs.*
+- *In the webadmin, the error message contains a link to the relevant log page. On that page, you will be able to 'Share with Yunopaste'. If you missed it, the logs of previous operations are also available under Tools > Logs.*
+- *In command line, the command to share the logs is displayed at the end of the operation and looks like `yunohost log display [log name] --share`. If you missed it, you can find the log ID of a previous operation using `yunohost log list`.*
+
+*After sharing the log, please copypaste directly the link provided by YunoHost (to help readability, no need to copypaste the entire content of the log here, just the link is enough...)*
+
+*If applicable and useful, add screenshots to help explain your problem.*

.github/PULL_REQUEST_TEMPLATE.md

@@ -0,0 +1,16 @@
+## Problem
+
+- *Description of why you made this PR*
+
+## Solution
+
+- *And how do you fix that problem*
+
+## PR Status
+
+- [ ] Code finished and ready to be reviewed/tested
+- [ ] The fix/enhancement were manually tested (if applicable)
+
+## Automatic tests
+
+Automatic tests can be triggered on https://ci-apps-dev.yunohost.org/ *after creating the PR*, by commenting "!testme", "!gogogadgetoci" or "By the power of systemd, I invoke The Great App CI to test this Pull Request!". (N.B. : for this to work you need to be a member of the Yunohost-Apps organization)

.github/workflows/updater.sh

@@ -0,0 +1,144 @@
+#!/bin/bash
+
+#=================================================
+# PACKAGE UPDATING HELPER
+#=================================================
+
+# This script is meant to be run by GitHub Actions
+# The YunoHost-Apps organisation offers a template Action to run this script periodically
+# Since each app is different, maintainers can adapt its contents so as to perform
+# automatic actions when a new upstream release is detected.
+
+# Remove this exit command when you are ready to run this Action
+#exit 1
+
+#=================================================
+# FETCHING LATEST RELEASE AND ITS ASSETS
+#=================================================
+
+# Fetching information
+current_version=$(cat manifest.json | jq -j '.version|split("~")[0]')
+repo=$(cat manifest.json | jq -j '.upstream.code|split("https://github.com/")[1]')
+# Some jq magic is needed, because the latest upstream release is not always the latest version (e.g. security patches for older versions)
+version=$(curl --silent "https://api.github.com/repos/$repo/releases" | jq -r '.[] | select( .prerelease != true ) | .tag_name' | sort -V | tail -1)
+
+if [[ ${version:0:1} == "v" || ${version:0:1} == "V" ]]; then
+    version=${version:1}
+fi
+
+# x86-64 and enterprise assets are hosted on Mattermost's servers.
+assets=()
+assets+=("https://releases.mattermost.com/$version/mattermost-team-$version-linux-amd64.tar.gz")
+assets+=("https://releases.mattermost.com/$version/mattermost-enterprise-$version-linux-amd64.tar.gz")
+
+# ARM and ARM64 are published in another repository (with a leading "v" for version tags)
+other_repo="SmartHoneybee/ubiquitous-memory"
+other_assets=($(curl --silent "https://api.github.com/repos/$other_repo/releases" | jq -r '[ .[] | select(.tag_name=="'v$version'").assets[].browser_download_url ] | join(" ") | @sh' | tr -d "'"))
+
+# Setting up the environment variables
+echo "Current version: $current_version"
+echo "Latest release from upstream: $version"
+echo "VERSION=$version" >> $GITHUB_ENV
+# For the time being, let's assume the script will fail
+echo "PROCEED=false" >> $GITHUB_ENV
+
+# Proceed only if the retrieved version is greater than the current one
+if ! dpkg --compare-versions "$current_version" "lt" "$version" ; then
+    echo "::warning ::No new version available"
+    exit 0
+# Proceed only if a PR for this new version does not already exist
+elif git ls-remote -q --exit-code --heads https://github.com/$GITHUB_REPOSITORY.git ci-auto-update-v$version ; then
+    echo "::warning ::A branch already exists for this update"
+    exit 0
+fi
+# Proceed only if all the binaries have been found
+if (( ${#other_assets[@]} == 0 )); then
+    echo "::warning ::$other_repo has not released anything for v$version"
+    exit 0
+else
+    assets+=( ${other_assets[@]} )
+fi
+
+# Each release can hold multiple assets (e.g. binaries for different architectures, source code, etc.)
+echo "${#assets[@]} available asset(s)"
+
+#=================================================
+# UPDATE SOURCE FILES
+#=================================================
+
+# Here we use the $assets variable to get the resources published in the upstream release.
+# Here is an example for Grav, it has to be adapted in accordance with how the upstream releases look like.
+
+# Let's loop over the array of assets URLs
+for asset_url in ${assets[@]}; do
+
+echo "Handling asset at $asset_url"
+
+# Assign the asset to a source file in conf/ directory
+# Here we base the source file name upon a unique keyword in the assets url (admin vs. update)
+# Leave $src empty to ignore the asset
+case $asset_url in
+  *".tar.gz"*)
+    src="app"
+    ;;
+  *)
+    src=""
+    ;;
+esac
+
+# If $src is not empty, let's process the asset
+if [ ! -z "$src" ]; then
+
+# Create the temporary directory
+tempdir="$(mktemp -d)"
+
+# Download sources and calculate checksum
+filename=${asset_url##*/}
+curl --silent -4 -L $asset_url -o "$tempdir/$filename"
+checksum=$(sha256sum "$tempdir/$filename" | head -c 64)
+
+# Delete temporary directory
+rm -rf $tempdir
+
+# Get extension
+if [[ $filename == *.tar.gz ]]; then
+  extension=tar.gz
+else
+  extension=${filename##*.}
+fi
+
+# Rewrite source file
+cat <<EOT > conf/$src.src
+SOURCE_URL=$asset_url
+SOURCE_SUM=$checksum
+SOURCE_SUM_PRG=sha256sum
+SOURCE_FORMAT=tar.gz
+SOURCE_IN_SUBDIR=true
+EOT
+echo "... conf/$src.src updated"
+
+else
+echo "... asset ignored"
+fi
+
+done
+
+#=================================================
+# SPECIFIC UPDATE STEPS
+#=================================================
+
+# Any action on the app's source code can be done.
+# The GitHub Action workflow takes care of committing all changes after this script ends.
+
+#=================================================
+# GENERIC FINALIZATION
+#=================================================
+
+# Replace new version in manifest
+echo "$(jq -s --indent 4 ".[] | .version = \"$version~ynh1\"" manifest.json)" > manifest.json
+
+# No need to update the README, yunohost-bot takes care of it
+
+# The Action will proceed only if the PROCEED environment variable is set to true
+echo "PROCEED=true" >> $GITHUB_ENV
+exit 0

.github/workflows/updater.yml

@@ -0,0 +1,49 @@
+# This workflow allows GitHub Actions to automagically update your app whenever a new upstream release is detected.
+# You need to enable Actions in your repository settings, and fetch this Action from the YunoHost-Apps organization.
+# This file should be enough by itself, but feel free to tune it to your needs.
+# It calls updater.sh, which is where you should put the app-specific update steps.
+name: Check for new upstream releases
+on:
+  # Allow to manually trigger the workflow
+  workflow_dispatch:
+  # Run it every day at 6:00 UTC
+  schedule:
+    - cron:  '0 6 * * *'
+jobs:
+  updater:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Fetch the source code
+        uses: actions/checkout@v2
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+      - name: Run the updater script
+        id: run_updater
+        run: |
+          # Setting up Git user
+          git config --global user.name 'yunohost-bot'
+          git config --global user.email 'yunohost-bot@users.noreply.github.com'
+          # Run the updater script
+          /bin/bash .github/workflows/updater.sh
+      - name: Commit changes
+        id: commit
+        if: ${{ env.PROCEED == 'true' }}
+        run: |
+          git commit -am "Upgrade to v$VERSION"
+      - name: Create Pull Request
+        id: cpr
+        if: ${{ env.PROCEED == 'true' }}
+        uses: peter-evans/create-pull-request@v3
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+          commit-message: Update to version ${{ env.VERSION }}
+          committer: 'yunohost-bot <yunohost-bot@users.noreply.github.com>'
+          author: 'yunohost-bot <yunohost-bot@users.noreply.github.com>'
+          signoff: false
+          branch: ci-auto-update-v${{ env.VERSION }}
+          base: testing
+          delete-branch: true
+          title: 'Upgrade to version ${{ env.VERSION }}'
+          body: |
+            Upgrade to v${{ env.VERSION }}
+          draft: false

README.md

@@ -15,16 +15,28 @@ If you don't have YunoHost, please consult [the guide](https://yunohost.org/#/in
 
 ## Overview
 
-Online editor providing collaborative editing in real-time.
+Etherpad is a real-time collaborative editor scalable to thousands of simultaneous real time users. It provides full data export capabilities, and runs on your server, under your control.
 
-**Shipped version:** 1.8.14~ynh1
+
+**Shipped version:** 1.8.15~ynh1
 
 **Demo:** https://video.etherpad.com/
 
+## Screenshots
+
+![](./doc/screenshots/etherpad.gif)
+
+## Disclaimers / important information
+
+## Configuration
+
+You can access Etherpad's admin panel at `domain.tld/admin`. The configuration file for Etherpad is at the path `/var/www/etherpad/settings.json`.
+
+Online editor providing collaborative editing in real-time.
+
 ## Documentation and resources
 
 * Official app website: https://etherpad.org/
-* Official user documentation: https://yunohost.org/en/app_etherpad
 * Official admin documentation: http://etherpad.org/doc/v1.8.14
 * Upstream app code repository: https://github.com/ether/etherpad-lite
 * YunoHost documentation for this app: https://yunohost.org/app_etherpad

README_fr.md

@@ -11,16 +11,27 @@ Si vous n'avez pas YunoHost, regardez [ici](https://yunohost.org/#/install) pour
 
 ## Vue d'ensemble
 
-Éditeur en ligne fournissant l'édition collaborative en temps réel.
+Etherpad est un éditeur collaboratif en temps réel évolutif pour des milliers d'utilisateurs simultanés en temps réel. Il fournit des capacités complètes d'exportation de données et s'exécute sur votre serveur, sous votre contrôle. 
 
-**Version incluse :** 1.8.14~ynh1
+**Version incluse :** 1.8.15~ynh1
 
 **Démo :** https://video.etherpad.com/
 
+## Captures d'écran
+
+![](./doc/screenshots/etherpad.gif)
+
+## Avertissements / informations importantes
+
+## Configuration
+
+Vous pouvez accéder au panneau d'administration d'Etherpad à l'adresse `domain.tld/admin`. Le fichier de configuration d'Etherpad est `/var/www/etherpad/settings.json`.
+
+*Skin Builder* (accessible à l'adresse `domain.tld/pad/p/test#skinvariantsbuilder`) vous permet de personnaliser l'apparence de votre pad. Il vous donnera un paramètre à copier dans votre fichier de configuration `/var/www/etherpad/settings.json`.
+
 ## Documentations et ressources
 
 * Site officiel de l'app : https://etherpad.org/
-* Documentation officielle utilisateur : https://yunohost.org/en/app_etherpad
 * Documentation officielle de l'admin : http://etherpad.org/doc/v1.8.14
 * Dépôt de code officiel de l'app : https://github.com/ether/etherpad-lite
 * Documentation YunoHost pour cette app : https://yunohost.org/app_etherpad

check_process

@@ -6,6 +6,7 @@
 		language="fr"
 		is_public=1
 		password="password"
+		export="libreoffice"
 	; Checks
 		pkg_linter=1
 		setup_sub_dir=1
@@ -14,6 +15,7 @@
 		setup_private=1
 		setup_public=1
 		upgrade=1
+		upgrade=1	from_commit=96653aee9379d579a655777ac274355f4afca61c
 		backup_restore=1
 		multi_instance=1
 		change_url=1
@@ -21,6 +23,6 @@
 Email=
 Notification=none
 ;;; Upgrade options
-	; commit=CommitHash
+	; commit=96653aee9379d579a655777ac274355f4afca61c
-		name=Name and date of the commit.
+		name=Merge pull request #6 from YunoHost-Apps/testing
 		manifest_arg=domain=DOMAIN&path=PATH&admin=USER&language=fr&is_public=1&password=pass&port=9001&

conf/nginx.conf

@@ -1,17 +1,13 @@
 #sub_path_only rewrite ^__PATH__$ __PATH__/ permanent;
 location __PATH__/ {
 
-  # Force usage of https
-  if ($scheme = http) {
-    rewrite ^ https://$server_name$request_uri? permanent;
-  }
-
   proxy_pass         http://127.0.0.1:__PORT__/;
   proxy_set_header   Host $host;
   proxy_pass_header  Server;
 
   # be careful, this line doesn't override any proxy_buffering on set in a conf.d/file.conf
   proxy_buffering off;
+  more_set_headers "X-Frame-Options : ALLOWALL";
   proxy_set_header X-Real-IP $remote_addr;       # http://wiki.nginx.org/HttpProxyModule
   proxy_set_header X-Forwarded-For $remote_addr; # EP logs to show the actual remote IP
   proxy_set_header X-Forwarded-Proto $scheme;    # for EP to set secure cookie flag when https is used

conf/settings.json

@@ -15,6 +15,31 @@
  *
  * This is useful, for example, when running in a Docker container.
  *
+ * DETAILED RULES:
+ *   - If the environment variable is set to the string "true" or "false", the
+ *     value becomes Boolean true or false.
+ *   - If the environment variable is set to the string "null", the value
+ *     becomes null.
+ *   - If the environment variable is set to the string "undefined", the setting
+ *     is removed entirely, except when used as the member of an array in which
+ *     case it becomes null.
+ *   - If the environment variable is set to a string representation of a finite
+ *     number, the string is converted to that number.
+ *   - If the environment variable is set to any other string, including the
+ *     empty string, the value is that string.
+ *   - If the environment variable is unset and a default value is provided, the
+ *     value is as if the environment variable was set to the provided default:
+ *       - "${UNSET_VAR:}" becomes the empty string.
+ *       - "${UNSET_VAR:foo}" becomes the string "foo".
+ *       - "${UNSET_VAR:true}" and "${UNSET_VAR:false}" become true and false.
+ *       - "${UNSET_VAR:null}" becomes null.
+ *       - "${UNSET_VAR:undefined}" causes the setting to be removed (or be set
+ *         to null, if used as a member of an array).
+ *   - If the environment variable is unset and no default value is provided,
+ *     the value becomes null. THIS BEHAVIOR MAY CHANGE IN A FUTURE VERSION OF
+ *     ETHERPAD; if you want the default value to be null, you should explicitly
+ *     specify "null" as the default value.
+ *
  * EXAMPLE:
  *    "port":     "${PORT:9001}"
  *    "minify":   "${MINIFY}"
@@ -71,10 +96,12 @@
   "title": "Etherpad",
 
   /*
-   * favicon default name
+   * Pathname of the favicon you want to use. If null, the skin's favicon is
-   * alternatively, set up a fully specified Url to your own favicon
+   * used if one is provided by the skin, otherwise the default Etherpad favicon
+   * is used. If this is a relative path it is interpreted as relative to the
+   * Etherpad root directory.
    */
-  "favicon": "favicon.ico",
+  "favicon": null,
 
   /*
    * Skin name.
@@ -232,12 +259,6 @@
    */
   "editOnly": false,
 
-  /*
-   * If set to true, those users who have a valid session will automatically be
-   * granted access to password protected pads.
-   */
-  "sessionNoPassword": false,
-
   /*
    * If true, all css & js will be minified before sending to the client.
    *
@@ -308,6 +329,24 @@
    */
   "trustProxy": false,
 
+  /*
+   * Settings controlling the session cookie issued by Etherpad.
+   */
+  "cookie": {
+    /*
+     * Value of the SameSite cookie property. "Lax" is recommended unless
+     * Etherpad will be embedded in an iframe from another site, in which case
+     * this must be set to "None". Note: "None" will not work (the browser will
+     * not send the cookie to Etherpad) unless https is used to access Etherpad
+     * (either directly or via a reverse proxy with "trustProxy" set to true).
+     *
+     * "Strict" is not recommended because it has few security benefits but
+     * significant usability drawbacks vs. "Lax". See
+     * https://stackoverflow.com/q/41841880 for discussion.
+     */
+    "sameSite": "Lax"
+  },
+
   /*
    * Privacy: disable IP logging
    */
@@ -362,11 +401,62 @@
     "percentageToScrollWhenUserPressesArrowUp": 0
   },
 
+  /*
+   * User accounts. These accounts are used by:
+   *   - default HTTP basic authentication if no plugin handles authentication
+   *   - some but not all authentication plugins
+   *   - some but not all authorization plugins
+   *
+   * User properties:
+   *   - password: The user's password. Some authentication plugins will ignore
+   *     this.
+   *   - is_admin: true gives access to /admin. Defaults to false. If you do not
+   *     uncomment this, /admin will not be available!
+   *   - readOnly: If true, this user will not be able to create new pads or
+   *     modify existing pads. Defaults to false.
+   *   - canCreate: If this is true and readOnly is false, this user can create
+   *     new pads. Defaults to true.
+   *
+   * Authentication and authorization plugins may define additional properties.
+   *
+   * WARNING: passwords should not be stored in plaintext in this file.
+   *          If you want to mitigate this, please install ep_hash_auth and
+   *          follow the section "secure your installation" in README.md
+   */
+
+  /*
+  "users": {
+    "admin": {
+      // 1) "password" can be replaced with "hash" if you install ep_hash_auth
+      // 2) please note that if password is null, the user will not be created
+      "password": "changeme1",
+      "is_admin": true
+    },
+    "user": {
+      // 1) "password" can be replaced with "hash" if you install ep_hash_auth
+      // 2) please note that if password is null, the user will not be created
+      "password": "changeme1",
+      "is_admin": false
+    }
+  },
+  */
+
   /*
    * Restrict socket.io transport methods
    */
   "socketTransportProtocols" : ["xhr-polling", "jsonp-polling", "htmlfile"],
 
+  "socketIo": {
+    /*
+     * Maximum permitted client message size (in bytes). All messages from
+     * clients that are larger than this will be rejected. Large values make it
+     * possible to paste large amounts of text, and plugins may require a larger
+     * value to work properly, but increasing the value increases susceptibility
+     * to denial of service attacks (malicious clients can exhaust memory).
+     */
+    "maxHttpBufferSize": 10000
+  },
+
   /*
    * Allow Load Testing tools to hit the Etherpad Instance.
    *
@@ -374,6 +464,11 @@
    */
   "loadTest": false,
 
+  /**
+  * Disable dump of objects preventing a clean exit
+  */
+  "dumpOnUncleanExit": false,
+
   /*
    * Disable indentation on new line when previous line ends with some special
    * chars (':', '[', '(', '{')
@@ -408,21 +503,8 @@
    */
   "importMaxFileSize": 52428800, // 50 * 1024 * 1024
 
-
   /*
-   * From Etherpad 1.8.3 onwards import was restricted to authors who had
+   * From Etherpad 1.8.5 onwards, when Etherpad is in production mode commits from individual users are rate limited
-   * content within the pad.
-   *
-   * This setting will override that restriction and allow any user to import
-   * without the requirement to add content to a pad.
-   *
-   * This setting is useful for when you use a plugin for authentication so you
-   * can already trust each user.
-   */
-  "allowAnyoneToImport": false, 
-
-  /*
-   * From Etherpad 1.9.0 onwards, when Etherpad is in production mode commits from individual users are rate limited
    *
    * The default is to allow at most 10 changes per IP in a 1 second window.
    * After that the change is rejected.
@@ -433,7 +515,7 @@
     // duration of the rate limit window (seconds)
     "duration": 1,
 
-    // maximum number of chanes per IP to allow during the rate limit window
+    // maximum number of changes per IP to allow during the rate limit window
     "points": 10
   },
 
@@ -477,58 +559,9 @@
    */
   "loglevel": "INFO",
 
-  /*
-   * Logging configuration. See log4js documentation for further information:
-   * https://github.com/nomiddlename/log4js-node
-   *
-   * You can add as many appenders as you want here.
-   */
-  "logconfig" :
-    { "appenders": [
-        { "type": "console"
-        //, "category": "access"// only logs pad access
-        }
-
-      /*
-      , { "type": "file"
-      , "filename": "your-log-file-here.log"
-      , "maxLogSize": 1024
-      , "backups": 3 // how many log files there're gonna be at max
-      //, "category": "test" // only log a specific category
-        }
-      */
-
-      /*
-      , { "type": "logLevelFilter"
-        , "level": "warn" // filters out all log messages that have a lower level than "error"
-        , "appender":
-          {  Use whatever appender you want here  }
-        }
-      */
-
-      /*
-      , { "type": "logLevelFilter"
-        , "level": "error" // filters out all log messages that have a lower level than "error"
-        , "appender":
-          { "type": "smtp"
-          , "subject": "An error occurred in your EPL instance!"
-          , "recipients": "bar@blurdybloop.com, baz@blurdybloop.com"
-          , "sendInterval": 300 // 60 * 5 = 5 minutes -- will buffer log messages; set to 0 to send a mail for every message
-          , "transport": "SMTP", "SMTP": { // see https://github.com/andris9/Nodemailer#possible-transport-methods
-              "host": "smtp.example.com", "port": 465,
-              "secureConnection": true,
-              "auth": {
-                  "user": "foo@example.com",
-                  "pass": "bar_foo"
-              }
-            }
-          }
-        }
-      */
-
-      ]
-    }, // logconfig
-
   /* Override any strings found in locale directories */
-  "customLocaleStrings": {}
+  "customLocaleStrings": {},
+
+  /* Disable Admin UI tests */
+  "enableAdminUITests": false
 }

conf/systemd.service

@@ -12,5 +12,35 @@ Environment="__YNH_NODE_LOAD_PATH__"
 ExecStart=__FINALPATH__/src/bin/run.sh
 Restart=always
 
+# Sandboxing options to harden security
+# Depending on specificities of your service/app, you may need to tweak these 
+# .. but this should be a good baseline
+# Details for these options: https://www.freedesktop.org/software/systemd/man/systemd.exec.html
+NoNewPrivileges=yes
+PrivateTmp=yes
+PrivateDevices=yes
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+RestrictNamespaces=yes
+RestrictRealtime=yes
+DevicePolicy=closed
+ProtectSystem=full
+ProtectControlGroups=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+LockPersonality=yes
+SystemCallFilter=~@clock @debug @module @mount @obsolete @reboot @setuid @swap
+
+# Denying access to capabilities that should not be relevant for webapps
+# Doc: https://man7.org/linux/man-pages/man7/capabilities.7.html
+CapabilityBoundingSet=~CAP_RAWIO CAP_MKNOD
+CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE
+CapabilityBoundingSet=~CAP_SYS_BOOT CAP_SYS_TIME CAP_SYS_MODULE CAP_SYS_PACCT
+CapabilityBoundingSet=~CAP_LEASE CAP_LINUX_IMMUTABLE CAP_IPC_LOCK
+CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_WAKE_ALARM
+CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG
+CapabilityBoundingSet=~CAP_MAC_ADMIN CAP_MAC_OVERRIDE
+CapabilityBoundingSet=~CAP_NET_ADMIN CAP_NET_BROADCAST CAP_NET_RAW
+CapabilityBoundingSet=~CAP_SYS_ADMIN CAP_SYS_PTRACE CAP_SYSLOG 
+
 [Install]
 WantedBy=multi-user.target

doc/DESCRIPTION.md

@@ -0,0 +1 @@
+Etherpad is a real-time collaborative editor scalable to thousands of simultaneous real time users. It provides full data export capabilities, and runs on your server, under your control.

doc/DESCRIPTION_fr.md

@@ -0,0 +1 @@
+Etherpad est un éditeur collaboratif en temps réel évolutif pour des milliers d'utilisateurs simultanés en temps réel. Il fournit des capacités complètes d'exportation de données et s'exécute sur votre serveur, sous votre contrôle. 

doc/DISCLAIMER.md

@@ -0,0 +1,5 @@
+## Configuration
+
+You can access Etherpad's admin panel at `domain.tld/admin`. The configuration file for Etherpad is at the path `/var/www/etherpad/settings.json`.
+
+*Skin Builder* (accessible at this address `domain.tld/pad/p/test#skinvariantsbuilder`) allows you to customize the skin of your pad. It will give you a parameter to copy into your configuration file `/var/www/etherpad/settings.json`.

doc/DISCLAIMER_fr.md

@@ -0,0 +1,5 @@
+## Configuration
+
+Vous pouvez accéder au panneau d'administration d'Etherpad à l'adresse `domain.tld/admin`. Le fichier de configuration d'Etherpad est `/var/www/etherpad/settings.json`.
+
+*Skin Builder* (accessible à l'adresse `domain.tld/pad/p/test#skinvariantsbuilder`) vous permet de personnaliser l'apparence de votre pad. Il vous donnera un paramètre à copier dans votre fichier de configuration `/var/www/etherpad/settings.json`.

manifest.json

@@ -3,10 +3,10 @@
     "id": "etherpad",
     "packaging_format": 1,
     "description": {
-        "en": "Online editor providing collaborative editing in real-time.",
+        "en": "Online editor providing collaborative editing in real-time",
-        "fr": "Éditeur en ligne fournissant l'édition collaborative en temps réel."
+        "fr": "Éditeur en ligne fournissant l'édition collaborative en temps réel"
     },
-    "version": "1.8.14~ynh1",
+    "version": "1.8.15~ynh1",
     "url": "https://etherpad.org/",
     "upstream": {
         "license": "Apache-2.0",
@@ -31,8 +31,7 @@
         "install" : [
             {
                 "name": "domain",
-                "type": "domain",
+                "type": "domain"
-                "example": "example.com"
             },
             {
                 "name": "path",
@@ -49,6 +48,16 @@
             },
                 "default": true
             },
+            {
+                "name": "export",
+                "type": "string",
+                "ask": {
+                    "en": "Use AbiWord (~260 Mo) or LibreOffice (~400 Mo) (more stable) to expand export possibilities (PDF, doc)?",
+                    "fr": "Utiliser AbiWord (~260 Mo) ou LibreOffice (~400 Mo) (plus stable) pour étendre les possibilités d'export (PDF, doc) ?"
+                },
+                "choices" : ["none", "abiword", "libreoffice"],
+                "default" : "none"
+            },
             {
                 "name": "language",
                 "type": "string",
@@ -56,18 +65,16 @@
                     "en": "Choose the application language",
                     "fr": "Choisissez la langue de l'application"
                 },
-                "choices": ["de", "en", "es", "fr", "it", "pt"],
+                "choices": ["de", "en", "es", "fr", "it"],
                 "default": "en"
             },
             {
                 "name": "admin",
-                "type": "user",
+                "type": "user"
-                "example": "johndoe"
             },
             {
                 "name": "password",
-                "type": "password",
+                "type": "password"
-                "example": "Choose a password"
             }
         ]
     }

scripts/_common.sh

@@ -7,7 +7,13 @@
 # dependencies used by the app
 pkg_dependencies="postgresql postgresql-contrib"
 
-nodejs_version=14
+nodejs_version=16
+
+# Dependencies for AbiWord
+abiword_app_depencencies="abiword"
+
+# Dependencies for LibreOffice
+libreoffice_app_dependencies="unoconv libreoffice-writer"
 
 #=================================================
 # PERSONAL HELPERS

scripts/backup

@@ -43,6 +43,14 @@ ynh_backup --src_path="$final_path"
 
 ynh_backup --src_path="/etc/nginx/conf.d/$domain.d/$app.conf"
 
+#=================================================
+# SPECIFIC BACKUP
+#=================================================
+# BACKUP LOGROTATE
+#=================================================
+
+ynh_backup --src_path="/etc/logrotate.d/$app"
+
 #=================================================
 # BACKUP SYSTEMD
 #=================================================

scripts/change_url

@@ -70,7 +70,7 @@ fi
 #=================================================
 ynh_script_progression --message="Stopping a systemd service..." --weight=2
 
-ynh_systemd_action --service_name=$app --action=stop --log_path="systemd"
+ynh_systemd_action --service_name=$app --action=stop --log_path=systemd
 
 #=================================================
 # MODIFY URL IN NGINX CONF

scripts/install

@@ -29,6 +29,7 @@ admin=$YNH_APP_ARG_ADMIN
 is_public=$YNH_APP_ARG_IS_PUBLIC
 language=$YNH_APP_ARG_LANGUAGE
 password=$YNH_APP_ARG_PASSWORD
+export=$YNH_APP_ARG_EXPORT
 
 app=$YNH_APP_INSTANCE_NAME
 
@@ -53,6 +54,7 @@ ynh_app_setting_set --app=$app --key=path --value=$path_url
 ynh_app_setting_set --app=$app --key=admin --value=$admin
 ynh_app_setting_set --app=$app --key=language --value=$language
 ynh_app_setting_set --app=$app --key=password --value=$password
+ynh_app_setting_set --app=$app --key=export --value=$export
 
 #=================================================
 # STANDARD MODIFICATIONS
@@ -68,12 +70,26 @@ ynh_app_setting_set --app=$app --key=port --value=$port
 #=================================================
 # INSTALL DEPENDENCIES
 #=================================================
-ynh_script_progression --message="Installing dependencies..." --weight=12
+ynh_script_progression --message="Installing dependencies..." --weight=6
 
 ynh_exec_warn_less ynh_install_app_dependencies $pkg_dependencies
 
 ynh_install_nodejs --nodejs_version=$nodejs_version
 
+if [ "$export" = "abiword" ]; then
+	ynh_install_app_dependencies $abiword_app_depencencies
+elif [ "$export" = "libreoffice" ]; then
+	ynh_install_app_dependencies $libreoffice_app_dependencies
+fi
+
+#=================================================
+# CREATE DEDICATED USER
+#=================================================
+ynh_script_progression --message="Configuring system user..." --weight=4
+
+# Create a system user
+ynh_system_user_create --username=$app --home_dir=$final_path
+
 #=================================================
 # CREATE DEDICATED USER
 #=================================================
@@ -88,6 +104,7 @@ ynh_system_user_create --username=$app --home_dir=$final_path
 ynh_script_progression --message="Creating a PostgreSQL database..." --weight=5
 
 db_name=$(ynh_sanitize_dbid --db_name=$app)
+db_user=$db_name
 ynh_app_setting_set --app=$app --key=db_name --value=$db_name
 ynh_psql_test_if_first_run
 ynh_psql_setup_db --db_user=$db_name --db_name=$db_name
@@ -99,8 +116,6 @@ ynh_script_progression --message="Setting up source files..." --weight=1
 
 ynh_app_setting_set --app=$app --key=final_path --value=$final_path
 # Download, check integrity, uncompress and patch the source from app.src
-#ynh_setup_source --dest_dir="$final_path"
-
 git clone --branch master https://github.com/ether/etherpad-lite.git "$final_path" --quiet
 
 chmod 750 "$final_path"
@@ -118,23 +133,41 @@ ynh_add_nginx_config
 #=================================================
 # INSTALL ETHERPAD
 #=================================================
-ynh_script_progression --message="Installing Etherpad..." --weight=90
+ynh_script_progression --message="Installing Etherpad..." --weight=60
 
 chown -R $app $final_path
 
-pushd "$final_path" || ynh_die
+pushd $final_path
  	ynh_use_nodejs
-	ynh_exec_as $app env "$ynh_node_load_PATH" src/bin/installDeps.sh
+ 	ynh_exec_warn_less ynh_exec_as $app env $ynh_node_load_PATH src/bin/installDeps.sh
-	#ynh_exec_warn_less ynh_exec_as $app env "$ynh_node_load_PATH" npm install --no-save --legacy-peer-deps ep_automatic_logut ep_countable ep_spellcheck ep_delete_empty_pads ep_subscript_and_superscript ep_headings2 ep_author_hover ep_markdown ep_comments_page ep_align ep_font_color
+popd
- popd || ynh_die
 
 #=================================================
 # MODIFY A CONFIG FILE
 #=================================================
 ynh_script_progression --message="Configuring Etherpad..." --weight=6
 
-ynh_add_config --template="../conf/settings.json" --destination="$final_path/settings.json"
+cp ../conf/settings.json $final_path/settings.json
+
+ynh_replace_string --match_string="__PORT__" --replace_string="$port" --target_file="$final_path/settings.json"
+ynh_replace_string --match_string="__LANGUAGE__" --replace_string="$language" --target_file="$final_path/settings.json"
+if [ "$export" = "abiword" ]
+then
+	# Get AbiWord binary path
+	abiword_path=`which abiword`
+	# Set the path of AbiWord into Etherpad config
+	ynh_replace_string --match_string="\"abiword\" : null" --replace_string="\"abiword\" : \"$abiword_path\"" --target_file="$final_path/settings.json"
+elif [ "$export" = "libreoffice" ]
+then
+	# Get soffice binary path
+	soffice_path=`which soffice`
+	# Set the path of soffice into Etherpad config
+	ynh_replace_string --match_string="\"soffice\" : null" --replace_string="\"soffice\" : \"$soffice_path\"" --target_file="$final_path/settings.json"
+fi
+ynh_store_file_checksum --file="$final_path/settings.json"
+
 ynh_add_config --template="../conf/credentials.json" --destination="$final_path/credentials.json"
+
 chmod 400 $final_path/credentials.json
 
 #=================================================
@@ -145,6 +178,16 @@ ynh_script_progression --message="Configuring a systemd service..." --weight=4
 # Create a dedicated systemd config
 ynh_add_systemd_config
 
+#=================================================
+# GENERIC FINALIZATION
+#=================================================
+# SETUP LOGROTATE
+#=================================================
+ynh_script_progression --message="Configuring log rotation..." --weight=1
+
+# Use logrotate to manage application logfile(s)
+ynh_use_logrotate
+
 #=================================================
 # INTEGRATE SERVICE IN YUNOHOST
 #=================================================
@@ -171,8 +214,7 @@ then
 	ynh_permission_update --permission="main" --add="visitors"
 fi
 
-# Only the admin can access the admin panel of the app (if the app has an admin panel)
+ynh_permission_create --permission="admin" --url="/admin" --allowed=$admin --auth_header=false
-ynh_permission_create --permission="admin" --url="/admin" --allowed=$admin
 
 #=================================================
 # RELOAD NGINX

scripts/remove

@@ -18,9 +18,10 @@ app=$YNH_APP_INSTANCE_NAME
 
 domain=$(ynh_app_setting_get --app=$app --key=domain)
 port=$(ynh_app_setting_get --app=$app --key=port)
+final_path=$(ynh_app_setting_get --app=$app --key=final_path)
 db_name=$(ynh_app_setting_get --app=$app --key=db_name)
 db_user=$db_name
-final_path=$(ynh_app_setting_get --app=$app --key=final_path)
+export=$(ynh_app_setting_get --app=$app --key=export)
 
 #=================================================
 # STANDARD REMOVE
@@ -43,6 +44,32 @@ ynh_script_progression --message="Stopping and removing the systemd service..."
 # Remove the dedicated systemd config
 ynh_remove_systemd_config
 
+#=================================================
+# REMOVE LOGROTATE CONFIGURATION
+#=================================================
+ynh_script_progression --message="Removing logrotate configuration..." --weight=1
+
+# Remove the app-specific logrotate config
+ynh_remove_logrotate
+
+#=================================================
+# REMOVE DEPENDENCIES
+#=================================================
+
+if [ "$export" != "none" ]
+then
+	ynh_script_progression --message="Removing dependencies..." --weight=20
+	# Remove metapackage and its dependencies
+	ynh_exec_warn_less ynh_remove_app_dependencies
+fi
+
+#=================================================
+# REMOVE NODEJS
+#=================================================
+ynh_script_progression --message="Removing NodeJS version for Etherpad..." --weight=3
+
+ynh_remove_nodejs
+
 #=================================================
 # REMOVE THE POSTQRESQL DATABASE
 #=================================================
@@ -67,6 +94,16 @@ ynh_script_progression --message="Removing NGINX web server configuration..." --
 # Remove the dedicated NGINX config
 ynh_remove_nginx_config
 
+#=================================================
+# SPECIFIC REMOVE
+#=================================================
+# REMOVE VARIOUS FILES
+#=================================================
+ynh_script_progression --message="Removing various files..." --weight=1
+
+# Remove the log files
+ynh_secure_remove --file="/var/log/$app"
+
 #=================================================
 # GENERIC FINALIZATION
 #=================================================

scripts/restore

@@ -38,8 +38,6 @@ db_pwd=$(ynh_app_setting_get --app=$app --key=psqlpwd)
 #=================================================
 ynh_script_progression --message="Validating restoration parameters..." --weight=2
 
-ynh_webpath_available --domain=$domain --path_url=$path_url \
-	|| ynh_die --message="Path not available: ${domain}${path_url}"
 test ! -d $final_path \
 	|| ynh_die --message="There is already a directory: $final_path "
 
@@ -66,10 +64,11 @@ ynh_script_progression --message="Restoring the app main directory..." --weight=
 
 ynh_restore_file --origin_path="$final_path"
 
+# Restore permissions on app files
 chmod 750 "$final_path"
 chmod -R o-rwx "$final_path"
 chown -R $app:www-data "$final_path"
-chmod 400 "$final_path/credentials.json"
+chmod 400 $final_path/credentials.json
 
 #=================================================
 # REINSTALL DEPENDENCIES
@@ -91,13 +90,6 @@ ynh_psql_test_if_first_run
 ynh_psql_setup_db --db_user=$db_user --db_name=$db_name --db_pwd=$db_pwd
 ynh_psql_execute_file_as_root --file="./db.sql" --database=$db_name
 
-#=================================================
-# INTEGRATE SERVICE IN YUNOHOST
-#=================================================
-ynh_script_progression --message="Integrating service in YunoHost..." --weight=3
-
-yunohost service add $app --description="Collaborative editor" --log="/var/log/$app/$app.log"
-
 #=================================================
 # RESTORE SYSTEMD
 #=================================================
@@ -106,6 +98,20 @@ ynh_script_progression --message="Restoring the systemd configuration..." --weig
 ynh_restore_file --origin_path="/etc/systemd/system/$app.service"
 systemctl enable $app.service --quiet
 
+#=================================================
+# RESTORE THE LOGROTATE CONFIGURATION
+#=================================================
+ynh_script_progression --message="Restoring the logrotate configuration..." --weight=1
+
+ynh_restore_file --origin_path="/etc/logrotate.d/$app"
+
+#=================================================
+# INTEGRATE SERVICE IN YUNOHOST
+#=================================================
+ynh_script_progression --message="Integrating service in YunoHost..." --weight=3
+
+yunohost service add $app --description="Collaborative editor" --log="/var/log/$app/$app.log"
+
 #=================================================
 # START SYSTEMD SERVICE
 #=================================================

scripts/upgrade

@@ -32,6 +32,20 @@ db_pwd=$(ynh_app_setting_get --app=$app --key=psqlpwd)
 
 upgrade_type=$(ynh_check_app_version_changed)
 
+#=================================================
+# BACKUP BEFORE UPGRADE THEN ACTIVE TRAP
+#=================================================
+ynh_script_progression --message="Backing up Etherpad before upgrading (may take a while)..." --weight=1
+
+# Backup the current version of the app
+ynh_backup_before_upgrade
+ynh_clean_setup () {
+	# restore it if the upgrade fails
+	ynh_restore_upgradebackup
+}
+# Exit if an error occurs during the execution of the script
+ynh_abort_if_errors
+
 #=================================================
 # ENSURE DOWNWARD COMPATIBILITY
 #=================================================
@@ -66,14 +80,13 @@ fi
 #=================================================
 ynh_script_progression --message="Backing up Etherpad before upgrading (may take a while)..." --weight=1
 
-# Backup the current version of the app
+	ynh_app_setting_delete --app=$app --key=is_public
-ynh_backup_before_upgrade
+fi
-ynh_clean_setup () {
+
-	# restore it if the upgrade fails
+if ! ynh_permission_exists --permission="admin"; then
-	ynh_restore_upgradebackup
+	# Create the required permissions
-}
+	ynh_permission_create --permission="admin" --url="/admin" --allowed=$admin --auth_header=false
-# Exit if an error occurs during the execution of the script
+fi
-ynh_abort_if_errors
 
 #=================================================
 # STANDARD UPGRADE STEPS
@@ -131,12 +144,14 @@ chown -R $app:www-data "$final_path"
 chmod 400 $final_path/credentials.json
 
 #=================================================
-# SETUP SYSTEMD
+# SETUP LOGROTATE
 #=================================================
-ynh_script_progression --message="Upgrading systemd configuration..." --weight=2
+ynh_script_progression --message="Upgrading logrotate configuration..." --weight=1
 
 # Create a dedicated systemd config
 ynh_add_systemd_config
+# Use logrotate to manage app-specific logfile(s)
+ynh_use_logrotate --non-append
 
 #=================================================
 # INTEGRATE SERVICE IN YUNOHOST