Merge pull request #90 from Jules-Bertholet/patch-1

Specify user and group in systemd unit file

conf/app-sudoers

@@ -0,0 +1 @@
+__APP__ ALL=(%__APP__.main) NOPASSWD: __FINALPATH__/.venv/bin/sudospawner

conf/jupyterhub_config.py

@@ -171,7 +171,7 @@ c.JupyterHub.bind_url = 'http://:__PORT____PATH__'
 #c.JupyterHub.cookie_secret_file = 'jupyterhub_cookie_secret'
 
 ## The location of jupyterhub data files (e.g. /usr/local/share/jupyterhub)
-#c.JupyterHub.data_files_path = '/opt/jupyterlab/.venv/share/jupyterhub'
+c.JupyterHub.data_files_path = '__FINAL_PATH__/.venv/share/jupyterhub'
 
 ## Include any kwargs to pass to the database connection. See
 #  sqlalchemy.create_engine for details.
@@ -469,7 +469,7 @@ c.ConfigurableHTTPProxy.api_url = 'http://127.0.0.1:__PORT_HTTP_PROXY__'
 #    - default: jupyterhub.spawner.LocalProcessSpawner
 #    - simple: jupyterhub.spawner.SimpleLocalProcessSpawner
 #    - localprocess: jupyterhub.spawner.LocalProcessSpawner
-#c.JupyterHub.spawner_class = 'jupyterhub.spawner.LocalProcessSpawner'
+c.JupyterHub.spawner_class = 'sudospawner.SudoSpawner'
 
 ## Path to SSL certificate file for the public facing interface of the proxy
 #  
@@ -685,7 +685,7 @@ c.Spawner.default_url = '/lab'
 #  This whitelist is used to ensure that sensitive information in the JupyterHub
 #  process's environment (such as `CONFIGPROXY_AUTH_TOKEN`) is not passed to the
 #  single-user server's process.
-#c.Spawner.env_keep = ['PATH', 'PYTHONPATH', 'CONDA_ROOT', 'CONDA_DEFAULT_ENV', 'VIRTUAL_ENV', 'LANG', 'LC_ALL']
+c.Spawner.env_keep = ['PATH', 'PYTHONPATH', 'CONDA_ROOT', 'CONDA_DEFAULT_ENV', 'VIRTUAL_ENV', 'LANG', 'LC_ALL', 'JUPYTERHUB_SINGLEUSER_APP']
 
 ## Extra environment variables to set for the single-user server's process.
 #  
@@ -762,7 +762,7 @@ c.Spawner.default_url = '/lab'
 #  
 #  Note that this does *not* prevent users from accessing files outside of this
 #  path! They can do so with many other means.
-#c.Spawner.notebook_dir = ''
+c.Spawner.notebook_dir = '~'
 
 ## An HTML form for options a user can specify on launching their server.
 #  

conf/nginx.conf

@@ -13,4 +13,4 @@ location __PATH__/ {
 	# Include SSOWAT user panel.
 	include conf.d/yunohost_panel.conf.inc;
 	more_clear_input_headers 'Accept-Encoding';
-}
+}

conf/sudospawner-singleuser

@@ -0,0 +1,12 @@
+#!/usr/bin/env bash
+set -e
+
+if [ __ENABLE_EXTENSIONS__ -eq 1 ]; then
+	export JUPYTERLAB_DIR="$HOME/.local/share/__APP__/lab"
+	export PATH="__NODEJS_PATH__:$PATH"
+fi
+
+
+# Delegate the notebook server launch to the jupyterhub-singleuser script.
+# this is how most sudospawner-singleuser scripts should end.
+exec "$(dirname "$0")/jupyterhub-singleuser" $@

conf/systemd.service

@@ -6,10 +6,13 @@ After=syslog.target network.target
 Environment="LC_ALL=C.UTF-8"
 Environment="LANG=C.UTF-8"
 Environment="PATH=__NODE_PATH__:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+Environment="JUPYTERHUB_SINGLEUSER_APP=jupyter_server.serverapp.ServerApp"
+User=__APP__
+Group=__APP__
 ExecStart=/usr/local/bin/pipenv run jupyterhub -f __FINALPATH__/config/jupyterhub_config.py
 Restart=always
 RestartSec=10
 WorkingDirectory=__FINALPATH__
 
 [Install]
-WantedBy=multi-user.target
+WantedBy=multi-user.target

hooks/post_user_create

@@ -0,0 +1,18 @@
+#!/usr/bin/env bash
+set -e
+
+source /usr/share/yunohost/helpers
+
+app="${0//.\/50-}"
+user=$1
+
+final_path="$(ynh_app_setting_get --app=$app --key=final_path)"
+enable_extensions="$(ynh_app_setting_get --app=$app --key=enable_extensions)"
+
+ynh_use_nodejs
+
+if [ $enable_extensions -eq 1 ]; then
+	export JUPYTERLAB_DIR="$(getent passwd $user | cut -d: -f6)/.local/share/$app/lab"
+	node_path="$nodejs_path:$(sudo -u $user sh -c 'echo $PATH')"
+	sudo -u $user env "PATH=$node_path:$PATH" "$final_path/.venv/bin/jupyter" lab build --app-dir="$JUPYTERLAB_DIR"
+fi

manifest.json

@@ -14,7 +14,7 @@
         "email": "pierre@kayou.io"
     },
     "requirements": {
-        "yunohost": ">= 4.1.7"
+        "yunohost": ">= 4.2.4"
     },
     "multi_instance": true,
     "services": [
@@ -51,6 +51,15 @@
                     "fr": "Activer le terminal dans le lab ?"
                 },
                 "default": true
+            },
+            {
+                "name": "enable_extensions",
+                "type": "boolean",
+                "ask": {
+                    "en": "Allow users to install extensions?",
+                    "fr": "Permettre aux utilisateurs d'installer des extensions ?"
+                },
+                "default": true
             }
         ]
     }

scripts/backup

@@ -27,8 +27,15 @@ ynh_print_info --message="Loading installation settings..."
 
 app=$YNH_APP_INSTANCE_NAME
 
-final_path=$(ynh_app_setting_get --app=$app --key=final_path)
+domain="$(ynh_app_setting_get --app=$app --key=domain)"
-domain=$(ynh_app_setting_get --app=$app --key=domain)
+path_url="$(ynh_app_setting_get --app=$app --key=path)"
+admin="$(ynh_app_setting_get --app=$app --key=admin)"
+final_path="$(ynh_app_setting_get --app=$app --key=final_path)"
+port="$(ynh_app_setting_get --app=$app --key=port)"
+port_hub="$(ynh_app_setting_get --app=$app --key=port_hub)"
+port_http_proxy="$(ynh_app_setting_get --app=$app --key=port_http_proxy)"
+enable_terminal="$(ynh_app_setting_get --app=$app --key=enable_terminal)"
+enable_extensions="$(ynh_app_setting_get --app=$app --key=enable_extensions)"
 
 #=================================================
 # DECLARE DATA AND CONF FILES TO BACKUP
@@ -55,6 +62,12 @@ ynh_backup --src_path="/etc/nginx/conf.d/$domain.d/$app.conf"
 
 ynh_backup --src_path="/etc/systemd/system/$app.service"
 
+#=================================================
+# BACKUP SUDOERS
+#=================================================
+
+ynh_backup --src_path="/etc/sudoers.d/$app-sudoers"
+
 #=================================================
 # END OF SCRIPT
 #=================================================

scripts/change_url

@@ -19,19 +19,22 @@ old_path=$YNH_APP_OLD_PATH
 new_domain=$YNH_APP_NEW_DOMAIN
 new_path=$YNH_APP_NEW_PATH
 
-app=$YNH_APP_INSTANCE_NAME
-
 #=================================================
 # LOAD SETTINGS
 #=================================================
 ynh_script_progression --message="Loading installation settings..." 
 
-# Needed for helper "ynh_add_nginx_config"
+app=$YNH_APP_INSTANCE_NAME
-final_path=$(ynh_app_setting_get --app=$app --key=final_path)
+
-port=$(ynh_app_setting_get --app=$app --key=port)
+domain="$(ynh_app_setting_get --app=$app --key=domain)"
-port_hub=$(ynh_app_setting_get --app=$app --key=port_hub)
+path_url="$(ynh_app_setting_get --app=$app --key=path)"
-port_http_proxy=$(ynh_app_setting_get --app=$app --key=port_http_proxy)
+admin="$(ynh_app_setting_get --app=$app --key=admin)"
-admin=$(ynh_app_setting_get --app=$app --key=admin)
+final_path="$(ynh_app_setting_get --app=$app --key=final_path)"
+port="$(ynh_app_setting_get --app=$app --key=port)"
+port_hub="$(ynh_app_setting_get --app=$app --key=port_hub)"
+port_http_proxy="$(ynh_app_setting_get --app=$app --key=port_http_proxy)"
+enable_terminal="$(ynh_app_setting_get --app=$app --key=enable_terminal)"
+enable_extensions="$(ynh_app_setting_get --app=$app --key=enable_extensions)"
 
 #=================================================
 # BACKUP BEFORE UPGRADE THEN ACTIVE TRAP
@@ -113,7 +116,21 @@ fi
 domain=$new_domain
 path=${new_path%/}
 
-ynh_add_config --template="../conf/jupyterhub_config.py" --destination="$final_path/config/jupyterhub_config.py"
+mkdir -p "$final_path/config"
+
+ynh_use_nodejs
+ynh_add_config --template="jupyterhub_config.py" --destination="$final_path/config/jupyterhub_config.py"
+ynh_add_config --template="jupyter_server_config.py" --destination="$final_path/config/jupyter_server_config.py"
+ynh_add_config --template="app-sudoers" --destination="/etc/sudoers.d/$app-sudoers"
+ynh_add_config --template="sudospawner-singleuser" --destination="$final_path/.venv/bin/sudospawner-singleuser"
+
+chmod 550 "$final_path/.venv/bin/sudospawner-singleuser"
+chown -R $app:$app "$final_path"
+chmod -R g=u,g-w,o-rwx "$final_path"
+setfacl -nR -m g:$app.main:rx -m d:g:$app.main:rx "$final_path/.venv"
+setfacl -n -m g:$app.main:x "$final_path"
+chown root:root "/etc/sudoers.d/$app-sudoers"
+chmod 440 "/etc/sudoers.d/$app-sudoers"
 
 #=================================================
 # GENERIC FINALISATION

scripts/install

@@ -28,6 +28,7 @@ path_url=$YNH_APP_ARG_PATH
 is_public=$YNH_APP_ARG_IS_PUBLIC
 admin=$YNH_APP_ARG_ADMIN
 enable_terminal=$YNH_APP_ARG_ENABLE_TERMINAL
+enable_extensions=$YNH_APP_ARG_ENABLE_EXTENSIONS
 
 app=$YNH_APP_INSTANCE_NAME
 
@@ -36,7 +37,7 @@ app=$YNH_APP_INSTANCE_NAME
 #=================================================
 ynh_script_progression --message="Validating installation parameters..." --weight=1
 
-final_path=/opt/$app
+final_path=/opt/yunohost/$app
 test ! -e "$final_path" || ynh_die --message="This path already contains a folder"
 
 # Register (book) web path
@@ -51,6 +52,7 @@ ynh_app_setting_set --app=$app --key=domain --value=$domain
 ynh_app_setting_set --app=$app --key=path --value=$path_url
 ynh_app_setting_set --app=$app --key=admin --value=$admin
 ynh_app_setting_set --app=$app --key=enable_terminal --value=$enable_terminal
+ynh_app_setting_set --app=$app --key=enable_extensions --value=$enable_extensions
 
 #=================================================
 # STANDARD MODIFICATIONS
@@ -68,6 +70,14 @@ ynh_app_setting_set --app=$app --key=port --value=$port
 ynh_app_setting_set --app=$app --key=port_hub --value=$port_hub
 ynh_app_setting_set --app=$app --key=port_http_proxy --value=$port_http_proxy
 
+#=================================================
+# CREATE DEDICATED USER
+#=================================================
+ynh_script_progression --message="Configuring system user..." --weight=1
+
+# Create a system user
+ynh_system_user_create --username=$app
+
 #=================================================
 # INSTALL DEPENDENCIES
 #=================================================
@@ -88,12 +98,16 @@ ynh_script_progression --message="Setting up source files..." --weight=64
 
 ynh_app_setting_set --app=$app --key=final_path --value=$final_path
 
-mkdir -p $final_path
+# Set permissions to app files
-
+mkdir -p "$final_path/.venv"
-pushd $final_path
+chown -R $app:$app "$final_path"
-
+chmod -R g=u,g-w,o-rwx "$final_path"
-PIPENV_VENV_IN_PROJECT="enabled" PIPENV_SKIP_LOCK=true  ynh_exec_warn_less python3 -m pipenv install jupyterlab==$jupyterlab_version jupyterhub notebook jupyterhub-ldapauthenticator pyzmq --three
+setfacl -nR -m g:$app.main:rx -m d:g:$app.main:rx "$final_path/.venv"
+setfacl -n -m g:$app.main:x "$final_path"
 
+pushd "$final_path"
+	sudo -u $app PIPENV_VENV_IN_PROJECT="enabled" PIPENV_SKIP_LOCK=true python3 -m pipenv install jupyterlab==$jupyterlab_version jupyterhub notebook jupyter-server jupyterhub-ldapauthenticator pyzmq sudospawner --three 2>&1
+	sudo -u $app python3 -m pipenv run jupyterhub upgrade-db 2>&1
 popd
 
 #=================================================
@@ -104,14 +118,6 @@ ynh_script_progression --message="Configuring NGINX web server..." --weight=1
 # Create a dedicated nginx config
 ynh_add_nginx_config
 
-#=================================================
-# CREATE DEDICATED USER
-#=================================================
-ynh_script_progression --message="Configuring system user..." --weight=1
-
-# Create a system user
-ynh_system_user_create --username=$app
-
 #=================================================
 # SPECIFIC SETUP
 #=================================================
@@ -129,12 +135,12 @@ ynh_add_systemd_config
 #=================================================
 
 mkdir -p "$final_path/config"
+path="${path_url%/}"
 
-path=${path_url%/}
+ynh_add_config --template="jupyterhub_config.py" --destination="$final_path/config/jupyterhub_config.py"
-
+ynh_add_config --template="jupyter_server_config.py" --destination="$final_path/config/jupyter_server_config.py"
-ynh_add_config --template="../conf/jupyterhub_config.py" --destination="$final_path/config/jupyterhub_config.py"
+ynh_add_config --template="app-sudoers" --destination="/etc/sudoers.d/$app-sudoers"
-
+ynh_add_config --template="sudospawner-singleuser" --destination="$final_path/.venv/bin/sudospawner-singleuser"
-ynh_add_config --template="../conf/jupyter_notebook_config.py" --destination="$final_path/config/jupyter_notebook_config.py"
 
 #=================================================
 # GENERIC FINALIZATION
@@ -143,8 +149,27 @@ ynh_add_config --template="../conf/jupyter_notebook_config.py" --destination="$f
 #=================================================
 
 # Set permissions to app files
-chown -R root: $final_path/
+chmod 550 "$final_path/.venv/bin/sudospawner-singleuser"
-chown -R $admin: $final_path/.venv/
+chown -R $app:$app "$final_path"
+chmod -R g=u,g-w,o-rwx "$final_path"
+setfacl -nR -m g:$app.main:rx -m d:g:$app.main:rx "$final_path/.venv"
+setfacl -n -m g:$app.main:x "$final_path"
+chown root:root "/etc/sudoers.d/$app-sudoers"
+chmod 440 "/etc/sudoers.d/$app-sudoers"
+
+#=================================================
+# BUILD USER LABS
+#=================================================
+ynh_script_progression --message="Building JupyterLab for each user..." --weight=10
+
+if [ $enable_extensions -eq 1 ]; then
+	ynh_use_nodejs
+	for user in $(ynh_user_list); do
+		JUPYTERLAB_DIR="$(getent passwd $user | cut -d: -f6)/.local/share/$app/lab"
+		node_path="$nodejs_path:$(sudo -u $user sh -c 'echo $PATH')"
+		sudo -u $user env "PATH=$node_path" "$final_path/.venv/bin/jupyter" lab build --app-dir="$JUPYTERLAB_DIR"
+	done
+fi
 
 #=================================================
 # ADVERTISE SERVICE IN ADMIN PANEL
@@ -166,8 +191,7 @@ ynh_systemd_action --service_name=$app --action="start" --line_match="JupyterHub
 ynh_script_progression --message="Configuring permissions..." --weight=4
 
 # Make app public if necessary
-if [ $is_public -eq 1 ]
+if [ $is_public -eq 1 ]; then
-then
 	ynh_permission_update --permission="main" --add="visitors"
 fi
 

scripts/remove

@@ -16,11 +16,15 @@ ynh_script_progression --message="Loading installation settings..." --weight=1
 
 app=$YNH_APP_INSTANCE_NAME
 
-domain=$(ynh_app_setting_get --app=$app --key=domain)
+domain="$(ynh_app_setting_get --app=$app --key=domain)"
-port=$(ynh_app_setting_get --app=$app --key=port)
+path_url="$(ynh_app_setting_get --app=$app --key=path)"
-port_hub=$(ynh_app_setting_get --app=$app --key=port_hub)
+admin="$(ynh_app_setting_get --app=$app --key=admin)"
-port_http_proxy=$(ynh_app_setting_get --app=$app --key=port_http_proxy)
+final_path="$(ynh_app_setting_get --app=$app --key=final_path)"
-final_path=$(ynh_app_setting_get --app=$app --key=final_path)
+port="$(ynh_app_setting_get --app=$app --key=port)"
+port_hub="$(ynh_app_setting_get --app=$app --key=port_hub)"
+port_http_proxy="$(ynh_app_setting_get --app=$app --key=port_http_proxy)"
+enable_terminal="$(ynh_app_setting_get --app=$app --key=enable_terminal)"
+enable_extensions="$(ynh_app_setting_get --app=$app --key=enable_extensions)"
 
 #=================================================
 # STANDARD REMOVE
@@ -69,6 +73,36 @@ ynh_script_progression --message="Removing NGINX web server configuration..." --
 # Remove the dedicated NGINX config
 ynh_remove_nginx_config
 
+#=================================================
+# REMOVE SUDOERS CONFIGURATION
+#=================================================
+ynh_script_progression --message="Removing sudoers configuration..." --weight=1
+
+# Remove the dedicated NGINX config
+ynh_secure_remove "/etc/sudoers.d/$app-sudoers"
+
+#=================================================
+# CLOSE A PORT
+#=================================================
+
+if yunohost firewall list | grep -q "\- $port$"
+then
+	ynh_script_progression --message="Closing port $port..."
+	ynh_exec_warn_less yunohost firewall disallow TCP $port
+fi
+
+if yunohost firewall list | grep -q "\- $port_hub$"
+then
+	ynh_script_progression --message="Closing port $port_hub..."
+	ynh_exec_warn_less yunohost firewall disallow TCP $port_hub
+fi
+
+if yunohost firewall list | grep -q "\- $port_http_proxy$"
+then
+	ynh_script_progression --message="Closing port $port_http_proxy..."
+	ynh_exec_warn_less yunohost firewall disallow TCP $port_http_proxy
+fi
+
 #=================================================
 # REMOVE DEDICATED USER
 #=================================================

scripts/restore

@@ -27,10 +27,15 @@ ynh_script_progression --message="Loading settings..." --weight=1
 
 app=$YNH_APP_INSTANCE_NAME
 
-admin=$(ynh_app_setting_get --app=$app --key=admin)
+domain="$(ynh_app_setting_get --app=$app --key=domain)"
-domain=$(ynh_app_setting_get --app=$app --key=domain)
+path_url="$(ynh_app_setting_get --app=$app --key=path)"
-path_url=$(ynh_app_setting_get --app=$app --key=path)
+admin="$(ynh_app_setting_get --app=$app --key=admin)"
-final_path=$(ynh_app_setting_get --app=$app --key=final_path)
+final_path="$(ynh_app_setting_get --app=$app --key=final_path)"
+port="$(ynh_app_setting_get --app=$app --key=port)"
+port_hub="$(ynh_app_setting_get --app=$app --key=port_hub)"
+port_http_proxy="$(ynh_app_setting_get --app=$app --key=port_http_proxy)"
+enable_terminal="$(ynh_app_setting_get --app=$app --key=enable_terminal)"
+enable_extensions="$(ynh_app_setting_get --app=$app --key=enable_extensions)"
 
 #=================================================
 # CHECK IF THE APP CAN BE RESTORED
@@ -50,13 +55,6 @@ test ! -d $final_path \
 
 ynh_restore_file --origin_path="/etc/nginx/conf.d/$domain.d/$app.conf"
 
-#=================================================
-# RESTORE THE APP MAIN DIR
-#=================================================
-ynh_script_progression --message="Restoring the app main directory..." --weight=5
-
-ynh_restore_file --origin_path="$final_path"
-
 #=================================================
 # RECREATE THE DEDICATED USER
 #=================================================
@@ -65,13 +63,25 @@ ynh_script_progression --message="Recreating the dedicated system user..." --wei
 # Create the dedicated user (if not existing)
 ynh_system_user_create --username=$app
 
+#=================================================
+# RESTORE THE APP MAIN DIR
+#=================================================
+ynh_script_progression --message="Restoring the app main directory..." --weight=5
+
+ynh_restore_file --origin_path="$final_path"
+
 #=================================================
 # RESTORE USER RIGHTS
 #=================================================
 
 # Restore permissions on app files
-chown -R root: $final_path/
+mkdir -p "$final_path/.venv"
-chown -R $admin: $final_path/.venv/
+
+chown -R $app:$app "$final_path"
+chmod -R g=u,g-w,o-rwx "$final_path"
+
+setfacl -nR -m g:$app.main:rx -m d:g:$app.main:rx "$final_path/.venv"
+setfacl -n -m g:$app.main:x "$final_path"
 
 #=================================================
 # SPECIFIC RESTORATION
@@ -97,6 +107,22 @@ ynh_script_progression --message="Restoring the systemd configuration..." --weig
 ynh_restore_file --origin_path="/etc/systemd/system/$app.service"
 systemctl enable $app.service --quiet
 
+#=================================================
+# RESTORE SUDOERS
+#=================================================
+ynh_script_progression --message="Restoring sudoers configuration..." --weight=2
+
+ynh_restore_file --origin_path="/etc/sudoers.d/$app-sudoers"
+
+# Set permissions on app files
+chmod 550 "$final_path/.venv/bin/sudospawner-singleuser"
+chown -R $app:$app "$final_path"
+chmod -R g=u,g-w,o-rwx "$final_path"
+setfacl -nR -m g:$app.main:rx -m d:g:$app.main:rx "$final_path/.venv"
+setfacl -n -m g:$app.main:x "$final_path"
+chown root:root "/etc/sudoers.d/$app-sudoers"
+chmod 440 "/etc/sudoers.d/$app-sudoers"
+
 #=================================================
 # ADVERTISE SERVICE IN ADMIN PANEL
 #=================================================

scripts/upgrade

@@ -16,14 +16,15 @@ ynh_script_progression --message="Loading installation settings..." --weight=3
 
 app=$YNH_APP_INSTANCE_NAME
 
-domain=$(ynh_app_setting_get --app=$app --key=domain)
+domain="$(ynh_app_setting_get --app=$app --key=domain)"
-path_url=$(ynh_app_setting_get --app=$app --key=path)
+path_url="$(ynh_app_setting_get --app=$app --key=path)"
-admin=$(ynh_app_setting_get --app=$app --key=admin)
+admin="$(ynh_app_setting_get --app=$app --key=admin)"
-final_path=$(ynh_app_setting_get --app=$app --key=final_path)
+final_path="$(ynh_app_setting_get --app=$app --key=final_path)"
-port=$(ynh_app_setting_get --app=$app --key=port)
+port="$(ynh_app_setting_get --app=$app --key=port)"
-port_hub=$(ynh_app_setting_get --app=$app --key=port_hub)
+port_hub="$(ynh_app_setting_get --app=$app --key=port_hub)"
-port_http_proxy=$(ynh_app_setting_get --app=$app --key=port_http_proxy)
+port_http_proxy="$(ynh_app_setting_get --app=$app --key=port_http_proxy)"
-enable_terminal=$(ynh_app_setting_get --app=$app --key=enable_terminal)
+enable_terminal="$(ynh_app_setting_get --app=$app --key=enable_terminal)"
+enable_extensions="$(ynh_app_setting_get --app=$app --key=enable_extensions)"
 
 #=================================================
 # CHECK VERSION
@@ -36,9 +37,15 @@ upgrade_type=$(ynh_check_app_version_changed)
 #=================================================
 ynh_script_progression --message="Ensuring downward compatibility..."
 
+if [ -z "$enable_extensions" ]; then
+	enable_extensions=0
+	ynh_app_setting_set --app=$app --key=enable_extensions --value=$enable_extensions
+fi
+
+
 # If final_path doesn't exist, create it
 if [ -z "$final_path" ]; then
-	final_path=/opt/$app
+	final_path=/opt/yunohost/$app
 
 	mkdir -p $final_path
 
@@ -114,15 +121,16 @@ if [ "$upgrade_type" == "UPGRADE_APP" ]
 then
 	ynh_script_progression --message="Upgrading source files..." --weight=160
 
-	# Download, check integrity, uncompress and patch the source from app.src
+	# Set permissions to app files
-	mkdir -p $final_path
+	mkdir -p "$final_path/.venv"
-
+	chown -R $app:$app "$final_path"
-	pushd $final_path
+	chmod -R g=u,g-w,o-rwx "$final_path"
-
+	setfacl -nR -m g:$app.main:rx -m d:g:$app.main:rx "$final_path/.venv"
-	PIPENV_VENV_IN_PROJECT="enabled" PIPENV_SKIP_LOCK=true  ynh_exec_warn_less python3 -m pipenv install jupyterlab==$jupyterlab_version jupyterhub notebook jupyterhub-ldapauthenticator pyzmq
+	setfacl -n -m g:$app.main:x "$final_path"
-
-	ynh_exec_warn_less python3 -m pipenv run jupyterhub upgrade-db
 
+	pushd "$final_path"
+		sudo -u $app PIPENV_VENV_IN_PROJECT="enabled" PIPENV_SKIP_LOCK=true python3 -m pipenv install jupyterlab==$jupyterlab_version jupyterhub notebook jupyter-server jupyterhub-ldapauthenticator pyzmq sudospawner --three 2>&1
+		sudo -u $app python3 -m pipenv run jupyterhub upgrade-db 2>&1
 	popd
 fi
 
@@ -133,12 +141,12 @@ fi
 #=================================================
 
 mkdir -p "$final_path/config"
+path="${path_url%/}"
 
-path=${path_url%/}
+ynh_add_config --template="jupyterhub_config.py" --destination="$final_path/config/jupyterhub_config.py"
-
+ynh_add_config --template="jupyter_server_config.py" --destination="$final_path/config/jupyter_server_config.py"
-ynh_add_config --template="../conf/jupyterhub_config.py" --destination="$final_path/config/jupyterhub_config.py"
+ynh_add_config --template="app-sudoers" --destination="/etc/sudoers.d/$app-sudoers"
-
+ynh_add_config --template="sudospawner-singleuser" --destination="$final_path/.venv/bin/sudospawner-singleuser"
-ynh_add_config --template="../conf/jupyter_notebook_config.py" --destination="$final_path/config/jupyter_notebook_config.py"
 
 #=================================================
 # SETUP SYSTEMD
@@ -157,8 +165,28 @@ ynh_add_systemd_config
 #=================================================
 
 # Set permissions on app files
-chown -R root: $final_path/
+chmod 550 "$final_path/.venv/bin/sudospawner-singleuser"
-chown -R $admin: $final_path/.venv/
+chown -R $app:$app "$final_path"
+chmod -R g=u,g-w,o-rwx "$final_path"
+setfacl -nR -m g:$app.main:rx -m d:g:$app.main:rx "$final_path/.venv"
+setfacl -n -m g:$app.main:x "$final_path"
+chown root:root "/etc/sudoers.d/$app-sudoers"
+chmod 440 "/etc/sudoers.d/$app-sudoers"
+
+
+#=================================================
+# BUILD USER LABS
+#=================================================
+ynh_script_progression --message="Building JupyterLab for each user..." --weight=10
+
+if [ $enable_extensions -eq 1 ]; then
+	ynh_use_nodejs
+	for user in $(ynh_user_list); do
+		JUPYTERLAB_DIR="$(getent passwd $user | cut -d: -f6)/.local/share/$app/lab"
+		node_path="$nodejs_path:$(sudo -u $user sh -c 'echo $PATH')"
+		sudo -u $user env "PATH=$node_path" "$final_path/.venv/bin/jupyter" lab build --app-dir="$JUPYTERLAB_DIR"
+	done
+fi
 
 #=================================================
 # ADVERTISE SERVICE IN ADMIN PANEL

update_config_files.md

@@ -6,7 +6,7 @@ Install the new version of the app with:
 sudo yunohost app install https://github.com/YunoHost-Apps/jupyterlab_ynh/tree/testing  
 ```
 
-Navigate to the installation path (`/opt/jupyterlab` by default), and run :
+Navigate to the installation path (`/opt/yunohost/jupyterlab` by default), and run :
 
 ```bash
 pipenv shell