Merge pull request #90 from Jules-Bertholet/patch-1

Specify user and group in systemd unit file
2024-09-03 19:26:35 +02:00 · 2021-06-23 10:57:13 +02:00 · 2021-06-23 10:57:13 +02:00 · d6143d6662
commit d6143d6662
parent eda5597a90 d6a50a8f6d
15 changed files with 1713 additions and 84 deletions
--- a/conf/app-sudoers
+++ b/conf/app-sudoers
@ -0,0 +1 @@
+__APP__ ALL=(%__APP__.main) NOPASSWD: __FINALPATH__/.venv/bin/sudospawner
--- a/conf/jupyter_server_config.py
+++ b/conf/jupyter_server_config.py
--- a/conf/jupyterhub_config.py
+++ b/conf/jupyterhub_config.py
@ -171,7 +171,7 @@ c.JupyterHub.bind_url = 'http://:__PORT____PATH__'
 #c.JupyterHub.cookie_secret_file = 'jupyterhub_cookie_secret'

 ## The location of jupyterhub data files (e.g. /usr/local/share/jupyterhub)
-#c.JupyterHub.data_files_path = '/opt/jupyterlab/.venv/share/jupyterhub'
+c.JupyterHub.data_files_path = '__FINAL_PATH__/.venv/share/jupyterhub'

 ## Include any kwargs to pass to the database connection. See
 #  sqlalchemy.create_engine for details.
@ -469,7 +469,7 @@ c.ConfigurableHTTPProxy.api_url = 'http://127.0.0.1:__PORT_HTTP_PROXY__'
 #    - default: jupyterhub.spawner.LocalProcessSpawner
 #    - simple: jupyterhub.spawner.SimpleLocalProcessSpawner
 #    - localprocess: jupyterhub.spawner.LocalProcessSpawner
-#c.JupyterHub.spawner_class = 'jupyterhub.spawner.LocalProcessSpawner'
+c.JupyterHub.spawner_class = 'sudospawner.SudoSpawner'

 ## Path to SSL certificate file for the public facing interface of the proxy
 #  
@ -685,7 +685,7 @@ c.Spawner.default_url = '/lab'
 #  This whitelist is used to ensure that sensitive information in the JupyterHub
 #  process's environment (such as `CONFIGPROXY_AUTH_TOKEN`) is not passed to the
 #  single-user server's process.
-#c.Spawner.env_keep = ['PATH', 'PYTHONPATH', 'CONDA_ROOT', 'CONDA_DEFAULT_ENV', 'VIRTUAL_ENV', 'LANG', 'LC_ALL']
+c.Spawner.env_keep = ['PATH', 'PYTHONPATH', 'CONDA_ROOT', 'CONDA_DEFAULT_ENV', 'VIRTUAL_ENV', 'LANG', 'LC_ALL', 'JUPYTERHUB_SINGLEUSER_APP']

 ## Extra environment variables to set for the single-user server's process.
 #  
@ -762,7 +762,7 @@ c.Spawner.default_url = '/lab'
 #  
 #  Note that this does *not* prevent users from accessing files outside of this
 #  path! They can do so with many other means.
-#c.Spawner.notebook_dir = ''
+c.Spawner.notebook_dir = '~'

 ## An HTML form for options a user can specify on launching their server.
 #  
--- a/conf/nginx.conf
+++ b/conf/nginx.conf
@ -13,4 +13,4 @@ location __PATH__/ {
 	# Include SSOWAT user panel.
 	include conf.d/yunohost_panel.conf.inc;
 	more_clear_input_headers 'Accept-Encoding';
-}
+}
--- a/conf/sudospawner-singleuser
+++ b/conf/sudospawner-singleuser
@ -0,0 +1,12 @@
+#!/usr/bin/env bash
+set -e
+
+if [ __ENABLE_EXTENSIONS__ -eq 1 ]; then
+	export JUPYTERLAB_DIR="$HOME/.local/share/__APP__/lab"
+	export PATH="__NODEJS_PATH__:$PATH"
+fi
+
+
+# Delegate the notebook server launch to the jupyterhub-singleuser script.
+# this is how most sudospawner-singleuser scripts should end.
+exec "$(dirname "$0")/jupyterhub-singleuser" $@
--- a/conf/systemd.service
+++ b/conf/systemd.service
@ -6,10 +6,13 @@ After=syslog.target network.target
 Environment="LC_ALL=C.UTF-8"
 Environment="LANG=C.UTF-8"
 Environment="PATH=__NODE_PATH__:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+Environment="JUPYTERHUB_SINGLEUSER_APP=jupyter_server.serverapp.ServerApp"
+User=__APP__
+Group=__APP__
 ExecStart=/usr/local/bin/pipenv run jupyterhub -f __FINALPATH__/config/jupyterhub_config.py
 Restart=always
 RestartSec=10
 WorkingDirectory=__FINALPATH__

 [Install]
-WantedBy=multi-user.target
+WantedBy=multi-user.target
--- a/hooks/post_user_create
+++ b/hooks/post_user_create
@ -0,0 +1,18 @@
+#!/usr/bin/env bash
+set -e
+
+source /usr/share/yunohost/helpers
+
+app="${0//.\/50-}"
+user=$1
+
+final_path="$(ynh_app_setting_get --app=$app --key=final_path)"
+enable_extensions="$(ynh_app_setting_get --app=$app --key=enable_extensions)"
+
+ynh_use_nodejs
+
+if [ $enable_extensions -eq 1 ]; then
+	export JUPYTERLAB_DIR="$(getent passwd $user | cut -d: -f6)/.local/share/$app/lab"
+	node_path="$nodejs_path:$(sudo -u $user sh -c 'echo $PATH')"
+	sudo -u $user env "PATH=$node_path:$PATH" "$final_path/.venv/bin/jupyter" lab build --app-dir="$JUPYTERLAB_DIR"
+fi
--- a/manifest.json
+++ b/manifest.json
@ -14,7 +14,7 @@
        "email": "pierre@kayou.io"
    },
    "requirements": {
-        "yunohost": ">= 4.1.7"
+        "yunohost": ">= 4.2.4"
    },
    "multi_instance": true,
    "services": [
@ -51,6 +51,15 @@
                    "fr": "Activer le terminal dans le lab ?"
                },
                "default": true
+            },
+            {
+                "name": "enable_extensions",
+                "type": "boolean",
+                "ask": {
+                    "en": "Allow users to install extensions?",
+                    "fr": "Permettre aux utilisateurs d'installer des extensions ?"
+                },
+                "default": true
            }
        ]
    }
--- a/scripts/backup
+++ b/scripts/backup
@ -27,8 +27,15 @@ ynh_print_info --message="Loading installation settings..."

 app=$YNH_APP_INSTANCE_NAME

-final_path=$(ynh_app_setting_get --app=$app --key=final_path)
-domain=$(ynh_app_setting_get --app=$app --key=domain)
+domain="$(ynh_app_setting_get --app=$app --key=domain)"
+path_url="$(ynh_app_setting_get --app=$app --key=path)"
+admin="$(ynh_app_setting_get --app=$app --key=admin)"
+final_path="$(ynh_app_setting_get --app=$app --key=final_path)"
+port="$(ynh_app_setting_get --app=$app --key=port)"
+port_hub="$(ynh_app_setting_get --app=$app --key=port_hub)"
+port_http_proxy="$(ynh_app_setting_get --app=$app --key=port_http_proxy)"
+enable_terminal="$(ynh_app_setting_get --app=$app --key=enable_terminal)"
+enable_extensions="$(ynh_app_setting_get --app=$app --key=enable_extensions)"

 #=================================================
 # DECLARE DATA AND CONF FILES TO BACKUP
@ -55,6 +62,12 @@ ynh_backup --src_path="/etc/nginx/conf.d/$domain.d/$app.conf"

 ynh_backup --src_path="/etc/systemd/system/$app.service"

+#=================================================
+# BACKUP SUDOERS
+#=================================================
+
+ynh_backup --src_path="/etc/sudoers.d/$app-sudoers"
+
 #=================================================
 # END OF SCRIPT
 #=================================================
--- a/scripts/change_url
+++ b/scripts/change_url
@ -19,19 +19,22 @@ old_path=$YNH_APP_OLD_PATH
 new_domain=$YNH_APP_NEW_DOMAIN
 new_path=$YNH_APP_NEW_PATH

-app=$YNH_APP_INSTANCE_NAME
-
 #=================================================
 # LOAD SETTINGS
 #=================================================
 ynh_script_progression --message="Loading installation settings..." 

-# Needed for helper "ynh_add_nginx_config"
-final_path=$(ynh_app_setting_get --app=$app --key=final_path)
-port=$(ynh_app_setting_get --app=$app --key=port)
-port_hub=$(ynh_app_setting_get --app=$app --key=port_hub)
-port_http_proxy=$(ynh_app_setting_get --app=$app --key=port_http_proxy)
-admin=$(ynh_app_setting_get --app=$app --key=admin)
+app=$YNH_APP_INSTANCE_NAME
+
+domain="$(ynh_app_setting_get --app=$app --key=domain)"
+path_url="$(ynh_app_setting_get --app=$app --key=path)"
+admin="$(ynh_app_setting_get --app=$app --key=admin)"
+final_path="$(ynh_app_setting_get --app=$app --key=final_path)"
+port="$(ynh_app_setting_get --app=$app --key=port)"
+port_hub="$(ynh_app_setting_get --app=$app --key=port_hub)"
+port_http_proxy="$(ynh_app_setting_get --app=$app --key=port_http_proxy)"
+enable_terminal="$(ynh_app_setting_get --app=$app --key=enable_terminal)"
+enable_extensions="$(ynh_app_setting_get --app=$app --key=enable_extensions)"

 #=================================================
 # BACKUP BEFORE UPGRADE THEN ACTIVE TRAP
@ -113,7 +116,21 @@ fi
 domain=$new_domain
 path=${new_path%/}

-ynh_add_config --template="../conf/jupyterhub_config.py" --destination="$final_path/config/jupyterhub_config.py"
+mkdir -p "$final_path/config"
+
+ynh_use_nodejs
+ynh_add_config --template="jupyterhub_config.py" --destination="$final_path/config/jupyterhub_config.py"
+ynh_add_config --template="jupyter_server_config.py" --destination="$final_path/config/jupyter_server_config.py"
+ynh_add_config --template="app-sudoers" --destination="/etc/sudoers.d/$app-sudoers"
+ynh_add_config --template="sudospawner-singleuser" --destination="$final_path/.venv/bin/sudospawner-singleuser"
+
+chmod 550 "$final_path/.venv/bin/sudospawner-singleuser"
+chown -R $app:$app "$final_path"
+chmod -R g=u,g-w,o-rwx "$final_path"
+setfacl -nR -m g:$app.main:rx -m d:g:$app.main:rx "$final_path/.venv"
+setfacl -n -m g:$app.main:x "$final_path"
+chown root:root "/etc/sudoers.d/$app-sudoers"
+chmod 440 "/etc/sudoers.d/$app-sudoers"

 #=================================================
 # GENERIC FINALISATION
--- a/scripts/install
+++ b/scripts/install
@ -28,6 +28,7 @@ path_url=$YNH_APP_ARG_PATH
 is_public=$YNH_APP_ARG_IS_PUBLIC
 admin=$YNH_APP_ARG_ADMIN
 enable_terminal=$YNH_APP_ARG_ENABLE_TERMINAL
+enable_extensions=$YNH_APP_ARG_ENABLE_EXTENSIONS

 app=$YNH_APP_INSTANCE_NAME

@ -36,7 +37,7 @@ app=$YNH_APP_INSTANCE_NAME
 #=================================================
 ynh_script_progression --message="Validating installation parameters..." --weight=1

-final_path=/opt/$app
+final_path=/opt/yunohost/$app
 test ! -e "$final_path" || ynh_die --message="This path already contains a folder"

 # Register (book) web path
@ -51,6 +52,7 @@ ynh_app_setting_set --app=$app --key=domain --value=$domain
 ynh_app_setting_set --app=$app --key=path --value=$path_url
 ynh_app_setting_set --app=$app --key=admin --value=$admin
 ynh_app_setting_set --app=$app --key=enable_terminal --value=$enable_terminal
+ynh_app_setting_set --app=$app --key=enable_extensions --value=$enable_extensions

 #=================================================
 # STANDARD MODIFICATIONS
@ -68,6 +70,14 @@ ynh_app_setting_set --app=$app --key=port --value=$port
 ynh_app_setting_set --app=$app --key=port_hub --value=$port_hub
 ynh_app_setting_set --app=$app --key=port_http_proxy --value=$port_http_proxy

+#=================================================
+# CREATE DEDICATED USER
+#=================================================
+ynh_script_progression --message="Configuring system user..." --weight=1
+
+# Create a system user
+ynh_system_user_create --username=$app
+
 #=================================================
 # INSTALL DEPENDENCIES
 #=================================================
@ -88,12 +98,16 @@ ynh_script_progression --message="Setting up source files..." --weight=64

 ynh_app_setting_set --app=$app --key=final_path --value=$final_path

-mkdir -p $final_path
-
-pushd $final_path
-
-PIPENV_VENV_IN_PROJECT="enabled" PIPENV_SKIP_LOCK=true  ynh_exec_warn_less python3 -m pipenv install jupyterlab==$jupyterlab_version jupyterhub notebook jupyterhub-ldapauthenticator pyzmq --three
+# Set permissions to app files
+mkdir -p "$final_path/.venv"
+chown -R $app:$app "$final_path"
+chmod -R g=u,g-w,o-rwx "$final_path"
+setfacl -nR -m g:$app.main:rx -m d:g:$app.main:rx "$final_path/.venv"
+setfacl -n -m g:$app.main:x "$final_path"

+pushd "$final_path"
+	sudo -u $app PIPENV_VENV_IN_PROJECT="enabled" PIPENV_SKIP_LOCK=true python3 -m pipenv install jupyterlab==$jupyterlab_version jupyterhub notebook jupyter-server jupyterhub-ldapauthenticator pyzmq sudospawner --three 2>&1
+	sudo -u $app python3 -m pipenv run jupyterhub upgrade-db 2>&1
 popd

 #=================================================
@ -104,14 +118,6 @@ ynh_script_progression --message="Configuring NGINX web server..." --weight=1
 # Create a dedicated nginx config
 ynh_add_nginx_config

-#=================================================
-# CREATE DEDICATED USER
-#=================================================
-ynh_script_progression --message="Configuring system user..." --weight=1
-
-# Create a system user
-ynh_system_user_create --username=$app
-
 #=================================================
 # SPECIFIC SETUP
 #=================================================
@ -129,12 +135,12 @@ ynh_add_systemd_config
 #=================================================

 mkdir -p "$final_path/config"
+path="${path_url%/}"

-path=${path_url%/}
-
-ynh_add_config --template="../conf/jupyterhub_config.py" --destination="$final_path/config/jupyterhub_config.py"
-
-ynh_add_config --template="../conf/jupyter_notebook_config.py" --destination="$final_path/config/jupyter_notebook_config.py"
+ynh_add_config --template="jupyterhub_config.py" --destination="$final_path/config/jupyterhub_config.py"
+ynh_add_config --template="jupyter_server_config.py" --destination="$final_path/config/jupyter_server_config.py"
+ynh_add_config --template="app-sudoers" --destination="/etc/sudoers.d/$app-sudoers"
+ynh_add_config --template="sudospawner-singleuser" --destination="$final_path/.venv/bin/sudospawner-singleuser"

 #=================================================
 # GENERIC FINALIZATION
@ -143,8 +149,27 @@ ynh_add_config --template="../conf/jupyter_notebook_config.py" --destination="$f
 #=================================================

 # Set permissions to app files
-chown -R root: $final_path/
-chown -R $admin: $final_path/.venv/
+chmod 550 "$final_path/.venv/bin/sudospawner-singleuser"
+chown -R $app:$app "$final_path"
+chmod -R g=u,g-w,o-rwx "$final_path"
+setfacl -nR -m g:$app.main:rx -m d:g:$app.main:rx "$final_path/.venv"
+setfacl -n -m g:$app.main:x "$final_path"
+chown root:root "/etc/sudoers.d/$app-sudoers"
+chmod 440 "/etc/sudoers.d/$app-sudoers"
+
+#=================================================
+# BUILD USER LABS
+#=================================================
+ynh_script_progression --message="Building JupyterLab for each user..." --weight=10
+
+if [ $enable_extensions -eq 1 ]; then
+	ynh_use_nodejs
+	for user in $(ynh_user_list); do
+		JUPYTERLAB_DIR="$(getent passwd $user | cut -d: -f6)/.local/share/$app/lab"
+		node_path="$nodejs_path:$(sudo -u $user sh -c 'echo $PATH')"
+		sudo -u $user env "PATH=$node_path" "$final_path/.venv/bin/jupyter" lab build --app-dir="$JUPYTERLAB_DIR"
+	done
+fi

 #=================================================
 # ADVERTISE SERVICE IN ADMIN PANEL
@ -166,8 +191,7 @@ ynh_systemd_action --service_name=$app --action="start" --line_match="JupyterHub
 ynh_script_progression --message="Configuring permissions..." --weight=4

 # Make app public if necessary
-if [ $is_public -eq 1 ]
-then
+if [ $is_public -eq 1 ]; then
 	ynh_permission_update --permission="main" --add="visitors"
 fi

--- a/scripts/remove
+++ b/scripts/remove
@ -16,11 +16,15 @@ ynh_script_progression --message="Loading installation settings..." --weight=1

 app=$YNH_APP_INSTANCE_NAME

-domain=$(ynh_app_setting_get --app=$app --key=domain)
-port=$(ynh_app_setting_get --app=$app --key=port)
-port_hub=$(ynh_app_setting_get --app=$app --key=port_hub)
-port_http_proxy=$(ynh_app_setting_get --app=$app --key=port_http_proxy)
-final_path=$(ynh_app_setting_get --app=$app --key=final_path)
+domain="$(ynh_app_setting_get --app=$app --key=domain)"
+path_url="$(ynh_app_setting_get --app=$app --key=path)"
+admin="$(ynh_app_setting_get --app=$app --key=admin)"
+final_path="$(ynh_app_setting_get --app=$app --key=final_path)"
+port="$(ynh_app_setting_get --app=$app --key=port)"
+port_hub="$(ynh_app_setting_get --app=$app --key=port_hub)"
+port_http_proxy="$(ynh_app_setting_get --app=$app --key=port_http_proxy)"
+enable_terminal="$(ynh_app_setting_get --app=$app --key=enable_terminal)"
+enable_extensions="$(ynh_app_setting_get --app=$app --key=enable_extensions)"

 #=================================================
 # STANDARD REMOVE
@ -69,6 +73,36 @@ ynh_script_progression --message="Removing NGINX web server configuration..." --
 # Remove the dedicated NGINX config
 ynh_remove_nginx_config

+#=================================================
+# REMOVE SUDOERS CONFIGURATION
+#=================================================
+ynh_script_progression --message="Removing sudoers configuration..." --weight=1
+
+# Remove the dedicated NGINX config
+ynh_secure_remove "/etc/sudoers.d/$app-sudoers"
+
+#=================================================
+# CLOSE A PORT
+#=================================================
+
+if yunohost firewall list | grep -q "\- $port$"
+then
+	ynh_script_progression --message="Closing port $port..."
+	ynh_exec_warn_less yunohost firewall disallow TCP $port
+fi
+
+if yunohost firewall list | grep -q "\- $port_hub$"
+then
+	ynh_script_progression --message="Closing port $port_hub..."
+	ynh_exec_warn_less yunohost firewall disallow TCP $port_hub
+fi
+
+if yunohost firewall list | grep -q "\- $port_http_proxy$"
+then
+	ynh_script_progression --message="Closing port $port_http_proxy..."
+	ynh_exec_warn_less yunohost firewall disallow TCP $port_http_proxy
+fi
+
 #=================================================
 # REMOVE DEDICATED USER
 #=================================================
--- a/scripts/restore
+++ b/scripts/restore
@ -27,10 +27,15 @@ ynh_script_progression --message="Loading settings..." --weight=1

 app=$YNH_APP_INSTANCE_NAME

-admin=$(ynh_app_setting_get --app=$app --key=admin)
-domain=$(ynh_app_setting_get --app=$app --key=domain)
-path_url=$(ynh_app_setting_get --app=$app --key=path)
-final_path=$(ynh_app_setting_get --app=$app --key=final_path)
+domain="$(ynh_app_setting_get --app=$app --key=domain)"
+path_url="$(ynh_app_setting_get --app=$app --key=path)"
+admin="$(ynh_app_setting_get --app=$app --key=admin)"
+final_path="$(ynh_app_setting_get --app=$app --key=final_path)"
+port="$(ynh_app_setting_get --app=$app --key=port)"
+port_hub="$(ynh_app_setting_get --app=$app --key=port_hub)"
+port_http_proxy="$(ynh_app_setting_get --app=$app --key=port_http_proxy)"
+enable_terminal="$(ynh_app_setting_get --app=$app --key=enable_terminal)"
+enable_extensions="$(ynh_app_setting_get --app=$app --key=enable_extensions)"

 #=================================================
 # CHECK IF THE APP CAN BE RESTORED
@ -50,13 +55,6 @@ test ! -d $final_path \

 ynh_restore_file --origin_path="/etc/nginx/conf.d/$domain.d/$app.conf"

-#=================================================
-# RESTORE THE APP MAIN DIR
-#=================================================
-ynh_script_progression --message="Restoring the app main directory..." --weight=5
-
-ynh_restore_file --origin_path="$final_path"
-
 #=================================================
 # RECREATE THE DEDICATED USER
 #=================================================
@ -65,13 +63,25 @@ ynh_script_progression --message="Recreating the dedicated system user..." --wei
 # Create the dedicated user (if not existing)
 ynh_system_user_create --username=$app

+#=================================================
+# RESTORE THE APP MAIN DIR
+#=================================================
+ynh_script_progression --message="Restoring the app main directory..." --weight=5
+
+ynh_restore_file --origin_path="$final_path"
+
 #=================================================
 # RESTORE USER RIGHTS
 #=================================================

 # Restore permissions on app files
-chown -R root: $final_path/
-chown -R $admin: $final_path/.venv/
+mkdir -p "$final_path/.venv"
+
+chown -R $app:$app "$final_path"
+chmod -R g=u,g-w,o-rwx "$final_path"
+
+setfacl -nR -m g:$app.main:rx -m d:g:$app.main:rx "$final_path/.venv"
+setfacl -n -m g:$app.main:x "$final_path"

 #=================================================
 # SPECIFIC RESTORATION
@ -97,6 +107,22 @@ ynh_script_progression --message="Restoring the systemd configuration..." --weig
 ynh_restore_file --origin_path="/etc/systemd/system/$app.service"
 systemctl enable $app.service --quiet

+#=================================================
+# RESTORE SUDOERS
+#=================================================
+ynh_script_progression --message="Restoring sudoers configuration..." --weight=2
+
+ynh_restore_file --origin_path="/etc/sudoers.d/$app-sudoers"
+
+# Set permissions on app files
+chmod 550 "$final_path/.venv/bin/sudospawner-singleuser"
+chown -R $app:$app "$final_path"
+chmod -R g=u,g-w,o-rwx "$final_path"
+setfacl -nR -m g:$app.main:rx -m d:g:$app.main:rx "$final_path/.venv"
+setfacl -n -m g:$app.main:x "$final_path"
+chown root:root "/etc/sudoers.d/$app-sudoers"
+chmod 440 "/etc/sudoers.d/$app-sudoers"
+
 #=================================================
 # ADVERTISE SERVICE IN ADMIN PANEL
 #=================================================
--- a/scripts/upgrade
+++ b/scripts/upgrade
@ -16,14 +16,15 @@ ynh_script_progression --message="Loading installation settings..." --weight=3

 app=$YNH_APP_INSTANCE_NAME

-domain=$(ynh_app_setting_get --app=$app --key=domain)
-path_url=$(ynh_app_setting_get --app=$app --key=path)
-admin=$(ynh_app_setting_get --app=$app --key=admin)
-final_path=$(ynh_app_setting_get --app=$app --key=final_path)
-port=$(ynh_app_setting_get --app=$app --key=port)
-port_hub=$(ynh_app_setting_get --app=$app --key=port_hub)
-port_http_proxy=$(ynh_app_setting_get --app=$app --key=port_http_proxy)
-enable_terminal=$(ynh_app_setting_get --app=$app --key=enable_terminal)
+domain="$(ynh_app_setting_get --app=$app --key=domain)"
+path_url="$(ynh_app_setting_get --app=$app --key=path)"
+admin="$(ynh_app_setting_get --app=$app --key=admin)"
+final_path="$(ynh_app_setting_get --app=$app --key=final_path)"
+port="$(ynh_app_setting_get --app=$app --key=port)"
+port_hub="$(ynh_app_setting_get --app=$app --key=port_hub)"
+port_http_proxy="$(ynh_app_setting_get --app=$app --key=port_http_proxy)"
+enable_terminal="$(ynh_app_setting_get --app=$app --key=enable_terminal)"
+enable_extensions="$(ynh_app_setting_get --app=$app --key=enable_extensions)"

 #=================================================
 # CHECK VERSION
@ -36,9 +37,15 @@ upgrade_type=$(ynh_check_app_version_changed)
 #=================================================
 ynh_script_progression --message="Ensuring downward compatibility..."

+if [ -z "$enable_extensions" ]; then
+	enable_extensions=0
+	ynh_app_setting_set --app=$app --key=enable_extensions --value=$enable_extensions
+fi
+
+
 # If final_path doesn't exist, create it
 if [ -z "$final_path" ]; then
-	final_path=/opt/$app
+	final_path=/opt/yunohost/$app

 	mkdir -p $final_path

@ -114,15 +121,16 @@ if [ "$upgrade_type" == "UPGRADE_APP" ]
 then
 	ynh_script_progression --message="Upgrading source files..." --weight=160

-	# Download, check integrity, uncompress and patch the source from app.src
-	mkdir -p $final_path
-
-	pushd $final_path
-
-	PIPENV_VENV_IN_PROJECT="enabled" PIPENV_SKIP_LOCK=true  ynh_exec_warn_less python3 -m pipenv install jupyterlab==$jupyterlab_version jupyterhub notebook jupyterhub-ldapauthenticator pyzmq
-
-	ynh_exec_warn_less python3 -m pipenv run jupyterhub upgrade-db
+	# Set permissions to app files
+	mkdir -p "$final_path/.venv"
+	chown -R $app:$app "$final_path"
+	chmod -R g=u,g-w,o-rwx "$final_path"
+	setfacl -nR -m g:$app.main:rx -m d:g:$app.main:rx "$final_path/.venv"
+	setfacl -n -m g:$app.main:x "$final_path"

+	pushd "$final_path"
+		sudo -u $app PIPENV_VENV_IN_PROJECT="enabled" PIPENV_SKIP_LOCK=true python3 -m pipenv install jupyterlab==$jupyterlab_version jupyterhub notebook jupyter-server jupyterhub-ldapauthenticator pyzmq sudospawner --three 2>&1
+		sudo -u $app python3 -m pipenv run jupyterhub upgrade-db 2>&1
 	popd
 fi

@ -133,12 +141,12 @@ fi
 #=================================================

 mkdir -p "$final_path/config"
+path="${path_url%/}"

-path=${path_url%/}
-
-ynh_add_config --template="../conf/jupyterhub_config.py" --destination="$final_path/config/jupyterhub_config.py"
-
-ynh_add_config --template="../conf/jupyter_notebook_config.py" --destination="$final_path/config/jupyter_notebook_config.py"
+ynh_add_config --template="jupyterhub_config.py" --destination="$final_path/config/jupyterhub_config.py"
+ynh_add_config --template="jupyter_server_config.py" --destination="$final_path/config/jupyter_server_config.py"
+ynh_add_config --template="app-sudoers" --destination="/etc/sudoers.d/$app-sudoers"
+ynh_add_config --template="sudospawner-singleuser" --destination="$final_path/.venv/bin/sudospawner-singleuser"

 #=================================================
 # SETUP SYSTEMD
@ -157,8 +165,28 @@ ynh_add_systemd_config
 #=================================================

 # Set permissions on app files
-chown -R root: $final_path/
-chown -R $admin: $final_path/.venv/
+chmod 550 "$final_path/.venv/bin/sudospawner-singleuser"
+chown -R $app:$app "$final_path"
+chmod -R g=u,g-w,o-rwx "$final_path"
+setfacl -nR -m g:$app.main:rx -m d:g:$app.main:rx "$final_path/.venv"
+setfacl -n -m g:$app.main:x "$final_path"
+chown root:root "/etc/sudoers.d/$app-sudoers"
+chmod 440 "/etc/sudoers.d/$app-sudoers"
+
+
+#=================================================
+# BUILD USER LABS
+#=================================================
+ynh_script_progression --message="Building JupyterLab for each user..." --weight=10
+
+if [ $enable_extensions -eq 1 ]; then
+	ynh_use_nodejs
+	for user in $(ynh_user_list); do
+		JUPYTERLAB_DIR="$(getent passwd $user | cut -d: -f6)/.local/share/$app/lab"
+		node_path="$nodejs_path:$(sudo -u $user sh -c 'echo $PATH')"
+		sudo -u $user env "PATH=$node_path" "$final_path/.venv/bin/jupyter" lab build --app-dir="$JUPYTERLAB_DIR"
+	done
+fi

 #=================================================
 # ADVERTISE SERVICE IN ADMIN PANEL
--- a/update_config_files.md
+++ b/update_config_files.md
@ -6,7 +6,7 @@ Install the new version of the app with:
 sudo yunohost app install https://github.com/YunoHost-Apps/jupyterlab_ynh/tree/testing  
 ```

-Navigate to the installation path (`/opt/jupyterlab` by default), and run :
+Navigate to the installation path (`/opt/yunohost/jupyterlab` by default), and run :

 ```bash
 pipenv shell
				`@ -0,0 +1 @@`
				`__APP__ ALL=(%__APP__.main) NOPASSWD: __FINALPATH__/.venv/bin/sudospawner`