Testing (#60)

* Harden systemd

README.md

@@ -15,9 +15,15 @@ If you don't have YunoHost, please consult [the guide](https://yunohost.org/#/in
 
 ## Overview
 
-Alternative front-end to YouTube
+Invidious is an interface allowing access to Youtube videos without going through youtube.com
+In addition to constituting an advantage in terms of confidentiality (the data does not pass directly through the services of the giant), this interface offers several features:
+- Audio only mode,
+- Dark mode,
+- Ability to display Reddit comments instead of YouTube comments,
+- Ability to subscribe to channels without creating a Google account 
 
-**Shipped version:** 21.08.22~ynh1
+
+**Shipped version:** 21.09.29~ynh1
 
 **Demo:** https://invidious.site/
 

README_fr.md

@@ -11,9 +11,14 @@ Si vous n'avez pas YunoHost, regardez [ici](https://yunohost.org/#/install) pour
 
 ## Vue d'ensemble
 
-Front-end alternatif à YouTube
+Invidious est une interface permettant d'accéder aux vidéos Youtube sans passer par youtube.com
+En plus de constituer un avantage sur le plan de la confidentialité (les données ne transitent pas directement par les services du géant), cette interface offre plusieurs fonctionnalités :
+- Mode audio seul,
+- Mode sombre,
+- Possibilité d'afficher les commentaires Reddit plutôt que les commentaires YouTube,
+- Possibilité de s'abonner aux chaines sans créer de compte Google
 
-**Version incluse :** 21.08.22~ynh1
+**Version incluse :** 21.09.29~ynh1
 
 **Démo :** https://invidious.site/
 

conf/systemd.service

@@ -12,5 +12,35 @@ ExecStart=__FINALPATH__/invidious -o invidious.log
 RestartSec=2s
 Restart=always
 
+# Sandboxing options to harden security
+# Depending on specificities of your service/app, you may need to tweak these 
+# .. but this should be a good baseline
+# Details for these options: https://www.freedesktop.org/software/systemd/man/systemd.exec.html
+NoNewPrivileges=yes
+PrivateTmp=yes
+PrivateDevices=yes
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+RestrictNamespaces=yes
+RestrictRealtime=yes
+DevicePolicy=closed
+ProtectSystem=full
+ProtectControlGroups=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+LockPersonality=yes
+SystemCallFilter=~@clock @debug @module @mount @obsolete @reboot @setuid @swap
+
+# Denying access to capabilities that should not be relevant for webapps
+# Doc: https://man7.org/linux/man-pages/man7/capabilities.7.html
+CapabilityBoundingSet=~CAP_RAWIO CAP_MKNOD
+CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE
+CapabilityBoundingSet=~CAP_SYS_BOOT CAP_SYS_TIME CAP_SYS_MODULE CAP_SYS_PACCT
+CapabilityBoundingSet=~CAP_LEASE CAP_LINUX_IMMUTABLE CAP_IPC_LOCK
+CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_WAKE_ALARM
+CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG
+CapabilityBoundingSet=~CAP_MAC_ADMIN CAP_MAC_OVERRIDE
+CapabilityBoundingSet=~CAP_NET_ADMIN CAP_NET_BROADCAST CAP_NET_RAW
+CapabilityBoundingSet=~CAP_SYS_ADMIN CAP_SYS_PTRACE CAP_SYSLOG 
+
 [Install]
 WantedBy=multi-user.target

doc/DESCRIPTION.md

@@ -0,0 +1,6 @@
+Invidious is an interface allowing access to Youtube videos without going through youtube.com
+In addition to constituting an advantage in terms of confidentiality (the data does not pass directly through the services of the giant), this interface offers several features:
+- Audio only mode,
+- Dark mode,
+- Ability to display Reddit comments instead of YouTube comments,
+- Ability to subscribe to channels without creating a Google account 

doc/DESCRIPTION_fr.md

@@ -0,0 +1,6 @@
+Invidious est une interface permettant d'accéder aux vidéos Youtube sans passer par youtube.com
+En plus de constituer un avantage sur le plan de la confidentialité (les données ne transitent pas directement par les services du géant), cette interface offre plusieurs fonctionnalités :
+- Mode audio seul,
+- Mode sombre,
+- Possibilité d'afficher les commentaires Reddit plutôt que les commentaires YouTube,
+- Possibilité de s'abonner aux chaines sans créer de compte Google

manifest.json

@@ -6,7 +6,7 @@
         "en": "Alternative front-end to YouTube",
         "fr": "Front-end alternatif à YouTube"
     },
-    "version": "21.08.22~ynh1",
+    "version": "21.09.29~ynh1",
     "url": "https://invidio.us/",
     "upstream": {
         "license": "GPL-3.0-only",
@@ -30,8 +30,7 @@
         "install" : [
             {
                 "name": "domain",
-                "type": "domain",
+                "type": "domain"
-                "example": "domain.org"
             },
             {
                 "name": "is_public",

scripts/restore

@@ -38,8 +38,6 @@ db_pwd=$(ynh_app_setting_get --app=$app --key=psqlpwd)
 #=================================================
 ynh_script_progression --message="Validating restoration parameters..." --weight=2
 
-ynh_webpath_available --domain=$domain --path_url=$path_url \
-	|| ynh_die --message="Path not available: ${domain}${path_url}"
 test ! -d $final_path \
 	|| ynh_die --message="There is already a directory: $final_path "
 

scripts/upgrade

@@ -118,7 +118,6 @@ fi
 chmod 750 "$final_path"
 chmod -R o-rwx "$final_path"
 chown -R $app:www-data "$final_path"
-chmod 600 $final_path/config/config.yml
 
 #=================================================
 # NGINX CONFIGURATION