last changes from example_ynh

.github/workflows/updater.sh

@@ -0,0 +1,136 @@
+#!/bin/bash
+
+#=================================================
+# PACKAGE UPDATING HELPER
+#=================================================
+
+# This script is meant to be run by GitHub Actions
+# The YunoHost-Apps organisation offers a template Action to run this script periodically
+# Since each app is different, maintainers can adapt its contents so as to perform
+# automatic actions when a new upstream release is detected.
+
+# Remove this exit command when you are ready to run this Action
+exit 1
+
+#=================================================
+# FETCHING LATEST RELEASE AND ITS ASSETS
+#=================================================
+
+# Fetching information
+current_version=$(cat manifest.json | jq -j '.version|split("~")[0]')
+repo=$(cat manifest.json | jq -j '.upstream.code|split("https://github.com/")[1]')
+# Some jq magic is needed, because the latest upstream release is not always the latest version (e.g. security patches for older versions)
+version=$(curl --silent "https://api.github.com/repos/$repo/releases" | jq -r '.[] | select( .prerelease != true ) | .tag_name' | sort -V | tail -1)
+assets=($(curl --silent "https://api.github.com/repos/$repo/releases" | jq -r '[ .[] | select(.tag_name=="'$version'").assets[].browser_download_url ] | join(" ") | @sh' | tr -d "'"))
+
+# Later down the script, we assume the version has only digits and dots
+# Sometimes the release name starts with a "v", so let's filter it out.
+# You may need more tweaks here if the upstream repository has different naming conventions. 
+if [[ ${version:0:1} == "v" || ${version:0:1} == "V" ]]; then
+    version=${version:1}
+fi
+
+# Setting up the environment variables
+echo "Current version: $current_version"
+echo "Latest release from upstream: $version"
+echo "VERSION=$version" >> $GITHUB_ENV
+# For the time being, let's assume the script will fail
+echo "PROCEED=false" >> $GITHUB_ENV
+
+# Proceed only if the retrieved version is greater than the current one
+if ! dpkg --compare-versions "$current_version" "lt" "$version" ; then
+    echo "::warning ::No new version available"
+    exit 0
+# Proceed only if a PR for this new version does not already exist
+elif git ls-remote -q --exit-code --heads https://github.com/$GITHUB_REPOSITORY.git ci-auto-update-v$version ; then
+    echo "::warning ::A branch already exists for this update"
+    exit 0
+fi
+
+# Each release can hold multiple assets (e.g. binaries for different architectures, source code, etc.)
+echo "${#assets[@]} available asset(s)"
+
+#=================================================
+# UPDATE SOURCE FILES
+#=================================================
+
+# Here we use the $assets variable to get the resources published in the upstream release.
+# Here is an example for Grav, it has to be adapted in accordance with how the upstream releases look like.
+
+# Let's loop over the array of assets URLs
+for asset_url in ${assets[@]}; do
+
+echo "Handling asset at $asset_url"
+
+# Assign the asset to a source file in conf/ directory
+# Here we base the source file name upon a unique keyword in the assets url (admin vs. update)
+# Leave $src empty to ignore the asset
+case $asset_url in
+  *"admin"*)
+    src="app"
+    ;;
+  *"update"*)
+    src="app-upgrade"
+    ;;
+  *)
+    src=""
+    ;;
+esac
+
+# If $src is not empty, let's process the asset
+if [ ! -z "$src" ]; then
+
+# Create the temporary directory
+tempdir="$(mktemp -d)"
+
+# Download sources and calculate checksum
+filename=${asset_url##*/}
+curl --silent -4 -L $asset_url -o "$tempdir/$filename"
+checksum=$(sha256sum "$tempdir/$filename" | head -c 64)
+
+# Delete temporary directory
+rm -rf $tempdir
+
+# Get extension
+if [[ $filename == *.tar.gz ]]; then
+  extension=tar.gz
+else
+  extension=${filename##*.}
+fi
+
+# Rewrite source file
+cat <<EOT > conf/$src.src
+SOURCE_URL=$asset_url
+SOURCE_SUM=$checksum
+SOURCE_SUM_PRG=sha256sum
+SOURCE_FORMAT=$extension
+SOURCE_IN_SUBDIR=true
+SOURCE_FILENAME=
+EOT
+echo "... conf/$src.src updated"
+
+else
+echo "... asset ignored"
+fi
+
+done
+
+#=================================================
+# SPECIFIC UPDATE STEPS
+#=================================================
+
+# Any action on the app's source code can be done.
+# The GitHub Action workflow takes care of committing all changes after this script ends.
+
+#=================================================
+# GENERIC FINALIZATION
+#=================================================
+
+# Replace new version in manifest
+echo "$(jq -s --indent 4 ".[] | .version = \"$version~ynh1\"" manifest.json)" > manifest.json
+
+# No need to update the README, yunohost-bot takes care of it
+
+# The Action will proceed only if the PROCEED environment variable is set to true
+echo "PROCEED=true" >> $GITHUB_ENV
+exit 0

conf/.env.production.sample

@@ -4,6 +4,12 @@
 # not demonstrate all available configuration options. Please look at
 # https://docs.joinmastodon.org/admin/config/ for the full documentation.
 
+# Note that this file accepts slightly different syntax depending on whether
+# you are using `docker-compose` or not. In particular, if you use
+# `docker-compose`, the value of each declared variable will be taken verbatim,
+# including surrounding quotes.
+# See: https://github.com/mastodon/mastodon/issues/16895
+
 # Federation
 # ----------
 # This identifies your server and cannot be changed safely later

conf/glitchsoc-sidekiq.service

@@ -14,5 +14,35 @@ TimeoutSec=15
 Restart=always
 StandardError=syslog
 
+# Sandboxing options to harden security
+# Depending on specificities of your service/app, you may need to tweak these 
+# .. but this should be a good baseline
+# Details for these options: https://www.freedesktop.org/software/systemd/man/systemd.exec.html
+NoNewPrivileges=yes
+PrivateTmp=yes
+PrivateDevices=yes
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+RestrictNamespaces=yes
+RestrictRealtime=yes
+DevicePolicy=closed
+ProtectSystem=full
+ProtectControlGroups=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+LockPersonality=yes
+SystemCallFilter=~@clock @debug @module @mount @obsolete @reboot @setuid @swap
+
+# Denying access to capabilities that should not be relevant for webapps
+# Doc: https://man7.org/linux/man-pages/man7/capabilities.7.html
+CapabilityBoundingSet=~CAP_RAWIO CAP_MKNOD
+CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE
+CapabilityBoundingSet=~CAP_SYS_BOOT CAP_SYS_TIME CAP_SYS_MODULE CAP_SYS_PACCT
+CapabilityBoundingSet=~CAP_LEASE CAP_LINUX_IMMUTABLE CAP_IPC_LOCK
+CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_WAKE_ALARM
+CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG
+CapabilityBoundingSet=~CAP_MAC_ADMIN CAP_MAC_OVERRIDE
+CapabilityBoundingSet=~CAP_NET_ADMIN CAP_NET_BROADCAST CAP_NET_RAW
+CapabilityBoundingSet=~CAP_SYS_ADMIN CAP_SYS_PTRACE CAP_SYSLOG 
+
 [Install]
 WantedBy=multi-user.target

conf/glitchsoc-streaming.service

@@ -15,5 +15,35 @@ TimeoutSec=15
 Restart=always
 StandardError=syslog
 
+# Sandboxing options to harden security
+# Depending on specificities of your service/app, you may need to tweak these 
+# .. but this should be a good baseline
+# Details for these options: https://www.freedesktop.org/software/systemd/man/systemd.exec.html
+NoNewPrivileges=yes
+PrivateTmp=yes
+PrivateDevices=yes
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+RestrictNamespaces=yes
+RestrictRealtime=yes
+DevicePolicy=closed
+ProtectSystem=full
+ProtectControlGroups=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+LockPersonality=yes
+SystemCallFilter=~@clock @debug @module @mount @obsolete @reboot @setuid @swap
+
+# Denying access to capabilities that should not be relevant for webapps
+# Doc: https://man7.org/linux/man-pages/man7/capabilities.7.html
+CapabilityBoundingSet=~CAP_RAWIO CAP_MKNOD
+CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE
+CapabilityBoundingSet=~CAP_SYS_BOOT CAP_SYS_TIME CAP_SYS_MODULE CAP_SYS_PACCT
+CapabilityBoundingSet=~CAP_LEASE CAP_LINUX_IMMUTABLE CAP_IPC_LOCK
+CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_WAKE_ALARM
+CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG
+CapabilityBoundingSet=~CAP_MAC_ADMIN CAP_MAC_OVERRIDE
+CapabilityBoundingSet=~CAP_NET_ADMIN CAP_NET_BROADCAST CAP_NET_RAW
+CapabilityBoundingSet=~CAP_SYS_ADMIN CAP_SYS_PTRACE CAP_SYSLOG 
+
 [Install]
 WantedBy=multi-user.target

conf/glitchsoc-web.service

@@ -14,5 +14,35 @@ TimeoutSec=15
 Restart=always
 StandardError=syslog
 
+# Sandboxing options to harden security
+# Depending on specificities of your service/app, you may need to tweak these 
+# .. but this should be a good baseline
+# Details for these options: https://www.freedesktop.org/software/systemd/man/systemd.exec.html
+NoNewPrivileges=yes
+PrivateTmp=yes
+PrivateDevices=yes
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+RestrictNamespaces=yes
+RestrictRealtime=yes
+DevicePolicy=closed
+ProtectSystem=full
+ProtectControlGroups=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+LockPersonality=yes
+SystemCallFilter=~@clock @debug @module @mount @obsolete @reboot @setuid @swap
+
+# Denying access to capabilities that should not be relevant for webapps
+# Doc: https://man7.org/linux/man-pages/man7/capabilities.7.html
+CapabilityBoundingSet=~CAP_RAWIO CAP_MKNOD
+CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE
+CapabilityBoundingSet=~CAP_SYS_BOOT CAP_SYS_TIME CAP_SYS_MODULE CAP_SYS_PACCT
+CapabilityBoundingSet=~CAP_LEASE CAP_LINUX_IMMUTABLE CAP_IPC_LOCK
+CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_WAKE_ALARM
+CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG
+CapabilityBoundingSet=~CAP_MAC_ADMIN CAP_MAC_OVERRIDE
+CapabilityBoundingSet=~CAP_NET_ADMIN CAP_NET_BROADCAST CAP_NET_RAW
+CapabilityBoundingSet=~CAP_SYS_ADMIN CAP_SYS_PTRACE CAP_SYSLOG 
+
 [Install]
 WantedBy=multi-user.target

scripts/backup

@@ -59,7 +59,7 @@ ynh_backup --src_path="/etc/systemd/system/$app-sidekiq.service"
 ynh_backup --src_path="/etc/systemd/system/$app-streaming.service"
 
 #=================================================
-# BACKUP A CRON FILE
+# BACKUP VARIOUS FILES
 #=================================================
 
 ynh_backup --src_path="/etc/cron.d/$app"

scripts/install

@@ -83,7 +83,7 @@ ynh_exec_warn_less ynh_install_ruby --ruby_version=$RUBY_VERSION
 ynh_script_progression --message="Configuring system user..."
 
 # Create a system user
-ynh_system_user_create --username=$app --home_dir="$final_path"
+ynh_system_user_create --username=$app --home_dir=$final_path
 
 #=================================================
 # CREATE A POSTGRESQL DATABASE
@@ -96,6 +96,7 @@ db_name=$(ynh_sanitize_dbid --db_name="${app}_production")
 db_user=$(ynh_sanitize_dbid --db_name=$app)
 db_pwd=$(ynh_string_random --length=30)
 ynh_app_setting_set --app=$app --key=db_name --value=$db_name
+ynh_app_setting_set --app=$app --key=db_user --value=$db_user
 ynh_app_setting_set --app=$app --key=db_pwd --value=$db_pwd
 ynh_psql_setup_db --db_user=$db_user --db_name=$db_name --db_pwd=$db_pwd
 ynh_psql_execute_as_root --sql="ALTER USER $db_user CREATEDB;"
@@ -119,7 +120,7 @@ chown -R $app:www-data "$final_path"
 ynh_script_progression --message="Configuring NGINX web server..."
 
 # Create a dedicated NGINX config
-ynh_add_nginx_config 'port_web port_stream'
+ynh_add_nginx_config
 
 #=================================================
 # SPECIFIC SETUP
@@ -153,7 +154,7 @@ popd
 #=================================================
 # ADD A CONFIGURATION
 #=================================================
-ynh_script_progression --message="Adding a config file..."
+ynh_script_progression --message="Adding a configuration file..."
 
 config="$final_path/live/.env.production"
 
@@ -200,17 +201,17 @@ ynh_add_systemd_config --service="$app-streaming" --template="glitchsoc-streamin
 ynh_script_progression --message="Installing Glitch-Soc..."
 
 pushd "$final_path/live"
-	sudo -u $app $ynh_ruby_load_path bin/bundle config deployment 'true'
-	sudo -u $app $ynh_ruby_load_path bin/bundle config without 'development test'
-	sudo -u $app $ynh_ruby_load_path bin/bundle install -j$(getconf _NPROCESSORS_ONLN)
+	ynh_exec_as $app $ynh_ruby_load_path bin/bundle config deployment 'true'
+	ynh_exec_as $app $ynh_ruby_load_path bin/bundle config without 'development test'
+	ynh_exec_as $app $ynh_ruby_load_path bin/bundle install -j$(getconf _NPROCESSORS_ONLN)
 	ynh_use_nodejs
-	ynh_exec_warn_less sudo -u $app $ynh_node_load_PATH yarn install --pure-lockfile
+	ynh_exec_warn_less ynh_exec_as $app $ynh_node_load_PATH yarn install --pure-lockfile
 	echo "SAFETY_ASSURED=1">> $config
-	ynh_exec_warn_less sudo -u $app RAILS_ENV=production $ynh_ruby_load_path bin/bundle exec rails db:setup --quiet
-	ynh_exec_warn_less sudo -u $app RAILS_ENV=production $ynh_ruby_load_path bin/bundle exec rails assets:precompile --quiet
-	ynh_exec_warn_less sudo -u $app RAILS_ENV=production $ynh_ruby_load_path bin/bundle exec rake mastodon:webpush:generate_vapid_key > key.txt
-	ynh_exec_warn_less sudo -u $app RAILS_ENV=production $ynh_ruby_load_path bin/tootctl accounts create "$admin" --email="$admin_mail" --confirmed --role=admin > /dev/null
-	ynh_exec_warn_less sudo -u $app RAILS_ENV=production $ynh_ruby_load_path bin/tootctl accounts modify "$admin" --approve
+	ynh_exec_warn_less ynh_exec_as $app RAILS_ENV=production $ynh_ruby_load_path bin/bundle exec rails db:setup --quiet
+	ynh_exec_warn_less ynh_exec_as $app RAILS_ENV=production $ynh_ruby_load_path bin/bundle exec rails assets:precompile --quiet
+	ynh_exec_warn_less ynh_exec_as $app RAILS_ENV=production $ynh_ruby_load_path bin/bundle exec rake mastodon:webpush:generate_vapid_key > key.txt
+	ynh_exec_warn_less ynh_exec_as $app RAILS_ENV=production $ynh_ruby_load_path bin/tootctl accounts create "$admin" --email="$admin_mail" --confirmed --role=admin > /dev/null
+	ynh_exec_warn_less ynh_exec_as $app RAILS_ENV=production $ynh_ruby_load_path bin/tootctl accounts modify "$admin" --approve
 popd
 
 vapid_private_key=$(grep -oP "VAPID_PRIVATE_KEY=\K.+" "$final_path/live/key.txt")

scripts/remove

@@ -18,7 +18,7 @@ app=$YNH_APP_INSTANCE_NAME
 
 domain=$(ynh_app_setting_get --app=$app --key=domain)
 db_name=$(ynh_app_setting_get --app=$app --key=db_name)
-db_user=$(ynh_sanitize_dbid --db_name=$app)
+db_user=$(ynh_app_setting_get --app=$app --key=db_user)
 final_path=$(ynh_app_setting_get --app=$app --key=final_path)
 
 #=================================================
@@ -64,17 +64,6 @@ ynh_script_progression --message="Removing the PostgreSQL database..."
 # Remove a database if it exists, along with the associated user
 ynh_psql_remove_db --db_user=$db_user --db_name=$db_name
 
-#=================================================
-# REMOVE DEPENDENCIES
-#=================================================
-ynh_script_progression --message="Removing dependencies..."
-
-# Remove metapackage and its dependencies
-ynh_remove_ruby
-ynh_remove_nodejs
-ynh_remove_app_dependencies
-ynh_remove_extra_repo
-
 #=================================================
 # REMOVE APP MAIN DIR
 #=================================================
@@ -91,12 +80,23 @@ ynh_script_progression --message="Removing NGINX web server configuration..."
 # Remove the dedicated NGINX config
 ynh_remove_nginx_config
 
+#=================================================
+# REMOVE DEPENDENCIES
+#=================================================
+ynh_script_progression --message="Removing dependencies..."
+
+# Remove metapackage and its dependencies
+ynh_remove_ruby
+ynh_remove_nodejs
+ynh_remove_app_dependencies
+ynh_remove_extra_repo
+
 #=================================================
 # SPECIFIC REMOVE
 #=================================================
-# REMOVE THE CRON FILE
+# REMOVE VARIOUS FILES
 #=================================================
-ynh_script_progression --message="Removing the cron file..."
+ynh_script_progression --message="Removing various files..."
 
 # Remove a cron file
 ynh_secure_remove --file="/etc/cron.d/$app"

scripts/restore

@@ -31,7 +31,7 @@ domain=$(ynh_app_setting_get --app=$app --key=domain)
 path_url=$(ynh_app_setting_get --app=$app --key=path)
 final_path=$(ynh_app_setting_get --app=$app --key=final_path)
 db_name=$(ynh_app_setting_get --app=$app --key=db_name)
-db_user=$(ynh_sanitize_dbid --db_name=$app)
+db_user=$(ynh_app_setting_get --app=$app --key=db_user)
 db_pwd=$(ynh_app_setting_get --app=$app --key=db_pwd)
 
 #=================================================
@@ -39,7 +39,8 @@ db_pwd=$(ynh_app_setting_get --app=$app --key=db_pwd)
 #=================================================
 ynh_script_progression --message="Validating restoration parameters..."
 
-test ! -d $final_path || ynh_die --message="There is already a directory: $final_path "
+test ! -d $final_path \
+	|| ynh_die --message="There is already a directory: $final_path "
 
 #=================================================
 # STANDARD RESTORATION STEPS
@@ -56,7 +57,7 @@ ynh_restore_file --origin_path="/etc/nginx/conf.d/$domain.d/$app.conf"
 ynh_script_progression --message="Recreating the dedicated system user..."
 
 # Create the dedicated user (if not existing)
-ynh_system_user_create --username=$app --home_dir="$final_path"
+ynh_system_user_create --username=$app --home_dir=$final_path
 
 #=================================================
 # RESTORE THE APP MAIN DIR
@@ -71,6 +72,27 @@ chown -R $app:www-data "$final_path"
 
 #=================================================
 # SPECIFIC RESTORATION
+#=================================================
+# REINSTALL DEPENDENCIES
+#=================================================
+ynh_script_progression --message="Reinstalling dependencies..."
+
+# Define and install dependencies
+ynh_exec_warn_less ynh_install_app_dependencies $pkg_dependencies
+ynh_exec_warn_less ynh_install_nodejs --nodejs_version=$NODEJS_VERSION
+ynh_install_extra_app_dependencies --repo="deb https://dl.yarnpkg.com/debian/ stable main" --package="yarn" --key="https://dl.yarnpkg.com/debian/pubkey.gpg"
+ynh_install_ruby --ruby_version=$RUBY_VERSION
+
+#=================================================
+# RESTORE THE POSTGRESQL DATABASE
+#=================================================
+ynh_script_progression --message="Restoring the PostgreSQL database..."
+
+ynh_psql_test_if_first_run
+ynh_psql_setup_db --db_user=$db_user --db_name=$db_name --db_pwd=$db_pwd
+ynh_psql_execute_as_root --sql="ALTER USER $db_user CREATEDB;"
+ynh_psql_execute_file_as_root --file="./db.sql" --database="$db_name"
+
 #=================================================
 # ADD SWAP IF NEEDED
 #=================================================
@@ -87,23 +109,6 @@ fi
 ynh_script_progression --message="Adding $swap_needed Mo to swap..."
 ynh_add_swap --size=$swap_needed
 
-#=================================================
-# RESTORE THE CRON FILE
-#=================================================
-ynh_script_progression --message="Restoring the cron file..."
-
-ynh_restore_file --origin_path="/etc/cron.d/$app"
-
-#=================================================
-# REINSTALL DEPENDENCIES
-#=================================================
-ynh_script_progression --message="Reinstalling dependencies..."
-
-ynh_exec_warn_less ynh_install_app_dependencies $pkg_dependencies
-ynh_exec_warn_less ynh_install_nodejs --nodejs_version=$NODEJS_VERSION
-ynh_exec_warn_less ynh_install_extra_app_dependencies --repo="deb https://dl.yarnpkg.com/debian/ stable main" --package="yarn" --key="https://dl.yarnpkg.com/debian/pubkey.gpg"
-ynh_exec_warn_less ynh_install_ruby --ruby_version=$RUBY_VERSION
-
 #=================================================
 # INSTALLING RUBY AND BUNDLER
 #=================================================
@@ -116,14 +121,11 @@ pushd "$final_path/live"
 popd
 
 #=================================================
-# RESTORE THE POSTGRESQL DATABASE
+# RESTORE VARIOUS FILES
 #=================================================
-ynh_script_progression --message="Restoring the PostgreSQL database..."
+ynh_script_progression --message="Restoring various files..."
 
-ynh_psql_test_if_first_run
-ynh_psql_setup_db --db_user=$db_user --db_name=$db_name --db_pwd=$db_pwd
-ynh_psql_execute_as_root --sql="ALTER USER $db_user CREATEDB;"
-ynh_psql_execute_file_as_root --file="./db.sql" --database="$db_name"
+ynh_restore_file --origin_path="/etc/cron.d/$app"
 
 #=================================================
 # RESTORE SYSTEMD

scripts/upgrade

@@ -23,7 +23,7 @@ final_path=$(ynh_app_setting_get --app=$app --key=final_path)
 language=$(ynh_app_setting_get --app=$app --key=language)
 redis_namespace=$(ynh_app_setting_get --app=$app --key=db_name)
 db_name=$(ynh_app_setting_get --app=$app --key=db_name)
-db_user=$(ynh_sanitize_dbid --db_name=$app)
+db_user=$(ynh_app_setting_get --app=$app --key=db_user)
 db_pwd=$(ynh_app_setting_get --app=$app --key=db_pwd)
 admin_mail=$(ynh_user_get_info --username=$admin --key='mail')
 port_web=$(ynh_app_setting_get --app=$app --key=port_web)
@@ -43,6 +43,32 @@ ynh_script_progression --message="Checking version..."
 
 upgrade_type=$(ynh_check_app_version_changed)
 
+#=================================================
+# BACKUP BEFORE UPGRADE THEN ACTIVE TRAP
+#=================================================
+ynh_script_progression --message="Backing up the app before upgrading (may take a while)..."
+
+# Backup the current version of the app
+ynh_backup_before_upgrade
+ynh_clean_setup () {
+	ynh_clean_check_starting
+	# Restore it if the upgrade fails
+	ynh_restore_upgradebackup
+}
+# Exit if an error occurs during the execution of the script
+ynh_abort_if_errors
+
+#=================================================
+# STANDARD UPGRADE STEPS
+#=================================================
+# STOP SYSTEMD SERVICE
+#=================================================
+ynh_script_progression --message="Stopping a systemd service..."
+
+ynh_systemd_action --service_name=${app}-web --action="stop" --log_path=systemd --line_match="Stopped"
+ynh_systemd_action --service_name=${app}-sidekiq --action="stop" --log_path=systemd --line_match="Stopped"
+ynh_systemd_action --service_name=${app}-streaming --action="stop" --log_path=systemd --line_match="Stopped"
+
 #=================================================
 # ENSURE DOWNWARD COMPATIBILITY
 #=================================================
@@ -72,6 +98,12 @@ if [[ -z "$port_stream" ]]; then
 	ynh_app_setting_set --app=$app --key=port_stream --value=$port_stream
 fi
 
+# If db_user doesn't exist, create it, needed for old install
+if [[ -z "$db_user" ]]; then
+	db_user=$(ynh_sanitize_dbid --db_name=$app)
+	ynh_app_setting_set --app=$app --key=db_user --value=$db_user
+fi
+
 # If db_pwd doesn't exist, create it, needed for old install
 if [[ -z "$db_pwd" ]]; then
 	db_pwd=$(ynh_string_random)
@@ -119,39 +151,13 @@ fi
 #Remove previous added repository
 ynh_remove_extra_repo
 
-#=================================================
-# BACKUP BEFORE UPGRADE THEN ACTIVE TRAP
-#=================================================
-ynh_script_progression --message="Backing up the app before upgrading (may take a while)..."
-
-# Backup the current version of the app
-ynh_backup_before_upgrade
-ynh_clean_setup () {
-	ynh_clean_check_starting
-	# Restore it if the upgrade fails
-	ynh_restore_upgradebackup
-}
-# Exit if an error occurs during the execution of the script
-ynh_abort_if_errors
-
-#=================================================
-# STANDARD UPGRADE STEPS
-#=================================================
-# STOP SYSTEMD SERVICE
-#=================================================
-ynh_script_progression --message="Stopping a systemd service..."
-
-ynh_systemd_action --service_name=${app}-web --action="stop" --log_path=systemd --line_match="Stopped"
-ynh_systemd_action --service_name=${app}-sidekiq --action="stop" --log_path=systemd --line_match="Stopped"
-ynh_systemd_action --service_name=${app}-streaming --action="stop" --log_path=systemd --line_match="Stopped"
-
 #=================================================
 # CREATE DEDICATED USER
 #=================================================
 ynh_script_progression --message="Making sure dedicated system user exists..."
 
 # Create a dedicated user (if not existing)
-ynh_system_user_create --username=$app --home_dir="$final_path"
+ynh_system_user_create --username=$app --home_dir=$final_path
 
 #=================================================
 # DOWNLOAD, CHECK AND UNPACK SOURCE
@@ -193,7 +199,7 @@ chown -R $app:www-data "$final_path"
 ynh_script_progression --message="Upgrading NGINX web server configuration..."
 
 # Create a dedicated NGINX config
-ynh_add_nginx_config 'port_web port_stream'
+ynh_add_nginx_config
 
 #=================================================
 # UPGRADE DEPENDENCIES
@@ -262,15 +268,15 @@ ynh_add_systemd_config --service="$app-streaming" --template="glitchsoc-streamin
 ynh_script_progression --message="Upgrading Glitch-Soc..."
 
 pushd "$final_path/live"
-	sudo -u $app $ynh_ruby_load_path bin/bundle config deployment 'true'
-	sudo -u $app $ynh_ruby_load_path bin/bundle config without 'development test'
-	sudo -u $app $ynh_ruby_load_path bin/bundle install -j$(getconf _NPROCESSORS_ONLN)
+	ynh_exec_as $app $ynh_ruby_load_path bin/bundle config deployment 'true'
+	ynh_exec_as $app $ynh_ruby_load_path bin/bundle config without 'development test'
+	ynh_exec_as $app $ynh_ruby_load_path bin/bundle install -j$(getconf _NPROCESSORS_ONLN)
 	ynh_use_nodejs
-	sudo -u $app $ynh_node_load_PATH yarn install --pure-lockfile
-	ynh_exec_warn_less sudo -u $app RAILS_ENV=production $ynh_ruby_load_path bin/bundle exec rails assets:clean
-	ynh_exec_warn_less sudo -u $app RAILS_ENV=production $ynh_ruby_load_path bin/bundle exec rails assets:precompile
-	ynh_exec_warn_less sudo -u $app RAILS_ENV=production $ynh_ruby_load_path bin/bundle exec rails db:migrate
-	ynh_exec_warn_less sudo -u $app RAILS_ENV=production $ynh_ruby_load_path bin/tootctl cache clear
+	ynh_exec_as $app $ynh_node_load_PATH yarn install --pure-lockfile
+	ynh_exec_warn_less ynh_exec_as $app RAILS_ENV=production $ynh_ruby_load_path bin/bundle exec rails assets:clean
+	ynh_exec_warn_less ynh_exec_as $app RAILS_ENV=production $ynh_ruby_load_path bin/bundle exec rails assets:precompile
+	ynh_exec_warn_less ynh_exec_as $app RAILS_ENV=production $ynh_ruby_load_path bin/bundle exec rails db:migrate
+	ynh_exec_warn_less ynh_exec_as $app RAILS_ENV=production $ynh_ruby_load_path bin/tootctl cache clear
 popd
 
 #=================================================