From fa47d482e00b3af8ccb2c814ce54eee3bc1fc35e Mon Sep 17 00:00:00 2001
From: Alexandre Aubin
Date: Wed, 29 Sep 2021 21:41:07 +0200
Subject: [PATCH] Testing (#60)
* Harden systemd
---
 README.md | 10 ++++++++--
 README_fr.md | 9 +++++++--
 conf/systemd.service | 30 ++++++++++++++++++++++++++++++
 doc/DESCRIPTION.md | 6 ++++++
 doc/DESCRIPTION_fr.md | 6 ++++++
 manifest.json | 5 ++---
 scripts/restore | 2 --
 scripts/upgrade | 1 -
 8 files changed, 59 insertions(+), 10 deletions(-)
 create mode 100644 doc/DESCRIPTION.md
 create mode 100644 doc/DESCRIPTION_fr.md
diff --git a/README.md b/README.md
index 74c2d3f..e82f9a6 100644
--- a/README.md
+++ b/README.md
@@ -15,9 +15,15 @@ If you don't have YunoHost, please consult [the guide](https://yunohost.org/#/in
 ## Overview
-Alternative front-end to YouTube
+Invidious is an interface allowing access to Youtube videos without going through youtube.com
+In addition to constituting an advantage in terms of confidentiality (the data does not pass directly through the services of the giant), this interface offers several features:
+- Audio only mode,
+- Dark mode,
+- Ability to display Reddit comments instead of YouTube comments,
+- Ability to subscribe to channels without creating a Google account
-**Shipped version:** 21.08.22~ynh1
+
+**Shipped version:** 21.09.29~ynh1
 **Demo:** https://invidious.site/
diff --git a/README_fr.md b/README_fr.md
index be3e5fa..24b4257 100644
--- a/README_fr.md
+++ b/README_fr.md
@@ -11,9 +11,14 @@ Si vous n'avez pas YunoHost, regardez [ici](https://yunohost.org/#/install) pour
 ## Vue d'ensemble
-Front-end alternatif à YouTube
+Invidious est une interface permettant d'accéder aux vidéos Youtube sans passer par youtube.com
+En plus de constituer un avantage sur le plan de la confidentialité (les données ne transitent pas directement par les services du géant), cette interface offre plusieurs fonctionnalités :
+- Mode audio seul,
+- Mode sombre,
+- Possibilité d'afficher les commentaires Reddit plutôt que les commentaires YouTube,
+- Possibilité de s'abonner aux chaines sans créer de compte Google
-**Version incluse :** 21.08.22~ynh1
+**Version incluse :** 21.09.29~ynh1
 **Démo :** https://invidious.site/
diff --git a/conf/systemd.service b/conf/systemd.service
index aeb78f0..0b5480b 100644
--- a/conf/systemd.service
+++ b/conf/systemd.service
@@ -12,5 +12,35 @@ ExecStart=__FINALPATH__/invidious -o invidious.log
 RestartSec=2s
 Restart=always
+# Sandboxing options to harden security
+# Depending on specificities of your service/app, you may need to tweak these
+# .. but this should be a good baseline
+# Details for these options: https://www.freedesktop.org/software/systemd/man/systemd.exec.html
+NoNewPrivileges=yes
+PrivateTmp=yes
+PrivateDevices=yes
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+RestrictNamespaces=yes
+RestrictRealtime=yes
+DevicePolicy=closed
+ProtectSystem=full
+ProtectControlGroups=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+LockPersonality=yes
+SystemCallFilter=~@clock @debug @module @mount @obsolete @reboot @setuid @swap
+
+# Denying access to capabilities that should not be relevant for webapps
+# Doc: https://man7.org/linux/man-pages/man7/capabilities.7.html
+CapabilityBoundingSet=~CAP_RAWIO CAP_MKNOD
+CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE
+CapabilityBoundingSet=~CAP_SYS_BOOT CAP_SYS_TIME CAP_SYS_MODULE CAP_SYS_PACCT
+CapabilityBoundingSet=~CAP_LEASE CAP_LINUX_IMMUTABLE CAP_IPC_LOCK
+CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_WAKE_ALARM
+CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG
+CapabilityBoundingSet=~CAP_MAC_ADMIN CAP_MAC_OVERRIDE
+CapabilityBoundingSet=~CAP_NET_ADMIN CAP_NET_BROADCAST CAP_NET_RAW
+CapabilityBoundingSet=~CAP_SYS_ADMIN CAP_SYS_PTRACE CAP_SYSLOG
+
 [Install]
 WantedBy=multi-user.target
diff --git a/doc/DESCRIPTION.md b/doc/DESCRIPTION.md
new file mode 100644
index 0000000..a89e725
--- /dev/null
+++ b/doc/DESCRIPTION.md
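Review bot: ProtectHome is absent from the new sandboxing block, so the service keeps full access to /home and /root even though the rest of the block (ProtectSystem=full, the ProtectKernel* and NoNewPrivileges lines) is clearly meant as a closed baseline; unless __FINALPATH__ or the `invidious.log` written by ExecStart lives under /home, `ProtectHome=yes` is a cheap addition, and `SystemCallArchitectures=native` and `RestrictSUIDSGID=yes` serve the same goal stated in the comment. PrivateDevices=yes already implies DevicePolicy=closed, so the explicit DevicePolicy line is redundant and could either be dropped or given a short comment saying it is kept for clarity. Because a capability bounding set and a syscall denylist are easy to get subtly wrong, the comment block should also tell the maintainer how to check the result, e.g. `# Check the resulting exposure with: systemd-analyze security <unit>` on a deployed instance. The [Service] section this hunk extends begins outside the hunk, so whether User= and WorkingDirectory= are set could not be verified here.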
@@ -0,0 +1,6 @@
+Invidious is an interface allowing access to Youtube videos without going through youtube.com
+In addition to constituting an advantage in terms of confidentiality (the data does not pass directly through the services of the giant), this interface offers several features:
+- Audio only mode,
+- Dark mode,
+- Ability to display Reddit comments instead of YouTube comments,
+- Ability to subscribe to channels without creating a Google account
diff --git a/doc/DESCRIPTION_fr.md b/doc/DESCRIPTION_fr.md
new file mode 100644
index 0000000..6ce01db
--- /dev/null
+++ b/doc/DESCRIPTION_fr.md
@@ -0,0 +1,6 @@
+Invidious est une interface permettant d'accéder aux vidéos Youtube sans passer par youtube.com
+En plus de constituer un avantage sur le plan de la confidentialité (les données ne transitent pas directement par les services du géant), cette interface offre plusieurs fonctionnalités :
+- Mode audio seul,
+- Mode sombre,
+- Possibilité d'afficher les commentaires Reddit plutôt que les commentaires YouTube,
+- Possibilité de s'abonner aux chaines sans créer de compte Google
\ No newline at end of file
diff --git a/manifest.json b/manifest.json
index cf84a6a..5626f76 100644
--- a/manifest.json
+++ b/manifest.json
@@ -6,7 +6,7 @@
 "en": "Alternative front-end to YouTube",
 "fr": "Front-end alternatif à YouTube"
 },
- "version": "21.08.22~ynh1",
+ "version": "21.09.29~ynh1",
 "url": "https://invidio.us/",
 "upstream": {
 "license": "GPL-3.0-only",
@@ -30,8 +30,7 @@
 "install" : [
 {
 "name": "domain",
- "type": "domain",
- "example": "domain.org"
+ "type": "domain"
 },
 {
 "name": "is_public",
diff --git a/scripts/restore b/scripts/restore
index 3c08df3..c9e13b6 100644
--- a/scripts/restore
+++ b/scripts/restore
@@ -38,8 +38,6 @@ db_pwd=$(ynh_app_setting_get --app=$app --key=psqlpwd)
 #=================================================
 ynh_script_progression --message="Validating restoration parameters..." --weight=2
-ynh_webpath_available --domain=$domain --path_url=$path_url \
- || ynh_die --message="Path not available: ${domain}${path_url}"
 test ! -d $final_path \
  || ynh_die --message="There is already a directory: $final_path "
diff --git a/scripts/upgrade b/scripts/upgrade
index 6d68f6e..6f8734e 100644
--- a/scripts/upgrade
+++ b/scripts/upgrade
@@ -118,7 +118,6 @@ fi
 chmod 750 "$final_path"
 chmod -R o-rwx "$final_path"
 chown -R $app:www-data "$final_path"
-chmod 600 $final_path/config/config.yml
 #=================================================
 # NGINX CONFIGURATION