diff --git a/README.md b/README.md
index 7313020..6c62e45 100644
--- a/README.md
+++ b/README.md
@@ -5,7 +5,7 @@ It shall NOT be edited by hand.
# Facilmap for YunoHost
-[](https://dash.yunohost.org/appci/app/facilmap)  
+[](https://dash.yunohost.org/appci/app/facilmap)  
[](https://install-app.yunohost.org/?app=facilmap)
*[Lire ce readme en français.](./README_fr.md)*
@@ -17,32 +17,33 @@ If you don't have YunoHost, please consult [the guide](https://yunohost.org/#/in
Collaborative maps and routing with a straightforward interface
-**Shipped version:** 3.4.0~ynh1
+**Shipped version:** 3.4.0~ynh2
**Demo:** https://facilmap.org/
## Screenshots
-
+
## Documentation and resources
-* Official app website: https://facilmap.org/
-* Official user documentation: https://docs.facilmap.org/users/
-* Official admin documentation: https://docs.facilmap.org/developers/
-* Upstream app code repository: https://github.com/FacilMap/facilmap
-* YunoHost documentation for this app: https://yunohost.org/app_facilmap
-* Report a bug: https://github.com/YunoHost-Apps/facilmap_ynh/issues
+* Official app website:
+* Official user documentation:
+* Official admin documentation:
+* Upstream app code repository:
+* YunoHost documentation for this app:
+* Report a bug:
## Developer info
Please send your pull request to the [testing branch](https://github.com/YunoHost-Apps/facilmap_ynh/tree/testing).
To try the testing branch, please proceed like that.
-```
+
+``` bash
sudo yunohost app install https://github.com/YunoHost-Apps/facilmap_ynh/tree/testing --debug
or
sudo yunohost app upgrade facilmap -u https://github.com/YunoHost-Apps/facilmap_ynh/tree/testing --debug
```
-**More info regarding app packaging:** https://yunohost.org/packaging_apps
\ No newline at end of file
+**More info regarding app packaging:**
diff --git a/README_fr.md b/README_fr.md
index 03ac7e9..b1a83ef 100644
--- a/README_fr.md
+++ b/README_fr.md
@@ -1,44 +1,49 @@
+
+
# Facilmap pour YunoHost
-[](https://dash.yunohost.org/appci/app/facilmap)  
+[](https://dash.yunohost.org/appci/app/facilmap)  
[](https://install-app.yunohost.org/?app=facilmap)
*[Read this readme in english.](./README.md)*
-*[Lire ce readme en français.](./README_fr.md)*
-> *Ce package vous permet d'installer Facilmap rapidement et simplement sur un serveur YunoHost.
-Si vous n'avez pas YunoHost, regardez [ici](https://yunohost.org/#/install) pour savoir comment l'installer et en profiter.*
+> *Ce package vous permet d’installer Facilmap rapidement et simplement sur un serveur YunoHost.
+Si vous n’avez pas YunoHost, regardez [ici](https://yunohost.org/#/install) pour savoir comment l’installer et en profiter.*
-## Vue d'ensemble
+## Vue d’ensemble
Carte collaborative avec une interface simple et pratique
-**Version incluse :** 3.4.0~ynh1
+**Version incluse :** 3.4.0~ynh2
**Démo :** https://facilmap.org/
-## Captures d'écran
+## Captures d’écran
-
+
## Documentations et ressources
-* Site officiel de l'app : https://facilmap.org/
-* Documentation officielle utilisateur : https://docs.facilmap.org/users/
-* Documentation officielle de l'admin : https://docs.facilmap.org/developers/
-* Dépôt de code officiel de l'app : https://github.com/FacilMap/facilmap
-* Documentation YunoHost pour cette app : https://yunohost.org/app_facilmap
-* Signaler un bug : https://github.com/YunoHost-Apps/facilmap_ynh/issues
+* Site officiel de l’app :
+* Documentation officielle utilisateur :
+* Documentation officielle de l’admin :
+* Dépôt de code officiel de l’app :
+* Documentation YunoHost pour cette app :
+* Signaler un bug :
## Informations pour les développeurs
Merci de faire vos pull request sur la [branche testing](https://github.com/YunoHost-Apps/facilmap_ynh/tree/testing).
Pour essayer la branche testing, procédez comme suit.
-```
+
+``` bash
sudo yunohost app install https://github.com/YunoHost-Apps/facilmap_ynh/tree/testing --debug
ou
sudo yunohost app upgrade facilmap -u https://github.com/YunoHost-Apps/facilmap_ynh/tree/testing --debug
```
-**Plus d'infos sur le packaging d'applications :** https://yunohost.org/packaging_apps
\ No newline at end of file
+**Plus d’infos sur le packaging d’applications :**
\ No newline at end of file
diff --git a/conf/systemd.service b/conf/systemd.service
index 09bd16c..321217d 100644
--- a/conf/systemd.service
+++ b/conf/systemd.service
@@ -16,21 +16,40 @@ StandardError=syslog
SyslogIdentifier=__APP__
Restart=always
-; Some security directives (inspired from peertube_ynh package)
-; Mount /usr, /boot, and /etc as read-only for processes invoked by this service.
+# Sandboxing options to harden security
+# Depending on specificities of your service/app, you may need to tweak these
+# .. but this should be a good baseline
+# Details for these options: https://www.freedesktop.org/software/systemd/man/systemd.exec.html
+NoNewPrivileges=yes
+PrivateTmp=yes
+PrivateDevices=yes
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
+RestrictNamespaces=yes
+RestrictRealtime=yes
+DevicePolicy=closed
+ProtectClock=yes
+ProtectHostname=yes
+ProtectProc=invisible
ProtectSystem=full
-; Sets up a new /dev mount for the process and only adds API pseudo devices
-; like /dev/null, /dev/zero or /dev/random but not physical devices. Disabled
-; by default because it may not work on devices like the Raspberry Pi.
-PrivateDevices=false
-; Ensures that the service process and all its children can never gain new
-; privileges through execve().
-NoNewPrivileges=true
-; This makes /home, /root, and /run/user inaccessible and empty for processes invoked
-; by this unit. Make sure that you do not depend on data inside these folders.
-ProtectHome=false
-; Drops the sys admin capability from the daemon.
-CapabilityBoundingSet=~CAP_SYS_ADMIN
+ProtectControlGroups=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+LockPersonality=yes
+SystemCallArchitectures=native
+SystemCallFilter=~@clock @debug @module @mount @obsolete @reboot @setuid @swap @cpu-emulation @privileged
+
+# Denying access to capabilities that should not be relevant for webapps
+# Doc: https://man7.org/linux/man-pages/man7/capabilities.7.html
+CapabilityBoundingSet=~CAP_RAWIO CAP_MKNOD
+CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE
+CapabilityBoundingSet=~CAP_SYS_BOOT CAP_SYS_TIME CAP_SYS_MODULE CAP_SYS_PACCT
+CapabilityBoundingSet=~CAP_LEASE CAP_LINUX_IMMUTABLE CAP_IPC_LOCK
+CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_WAKE_ALARM
+CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG
+CapabilityBoundingSet=~CAP_MAC_ADMIN CAP_MAC_OVERRIDE
+CapabilityBoundingSet=~CAP_NET_ADMIN CAP_NET_BROADCAST CAP_NET_RAW
+CapabilityBoundingSet=~CAP_SYS_ADMIN CAP_SYS_PTRACE CAP_SYSLOG
+
[Install]
WantedBy=multi-user.target
diff --git a/manifest.json b/manifest.json
index 3f539da..2f62a40 100644
--- a/manifest.json
+++ b/manifest.json
@@ -6,7 +6,7 @@
"en": "Collaborative maps and routing with a straightforward interface",
"fr": "Carte collaborative avec une interface simple et pratique"
},
- "version": "3.4.0~ynh1",
+ "version": "3.4.0~ynh2",
"url": "https://github.com/FacilMap/facilmap",
"upstream": {
"license": "AGPL-3.0",
@@ -23,7 +23,7 @@
"url": "https://squeak.eauchat.org"
},
"requirements": {
- "yunohost": ">= 4.3.0"
+ "yunohost": ">= 11.0.9"
},
"multi_instance": true,
"services": [