From a444a1b2d10c4766edc64130fd294f1baa73ac14 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=C3=89ric=20Gaspar?=
 <46165813+ericgaspar@users.noreply.github.com>
Date: Sat, 9 Jul 2022 12:30:52 +0200
Subject: [PATCH 1/4] Update manifest.json

---
 manifest.json | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/manifest.json b/manifest.json
index fb43671..9ceeb39 100644
--- a/manifest.json
+++ b/manifest.json
@@ -9,13 +9,13 @@
     "version": "20220709~ynh1",
     "url": "https://github.com/hnhx/librex",
     "upstream": {
-        "license": "AGPL-3.0",
+        "license": "AGPL-3.0-only",
         "website": "https://github.com/hnhx/librex",
         "demo": "https://librex.beparanoid.de",
         "admindoc": "https://github.com/hnhx/librex/wiki",
         "code": "https://github.com/hnhx/librex"
     },
-    "license": "AGPL-3.0",
+    "license": "AGPL-3.0-only",
     "maintainer": {
         "name": "eric_G",
         "email": ""

From 92ae409935014aba11f818778d542d9982b2fb69 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=C3=89ric=20Gaspar?=
 <46165813+ericgaspar@users.noreply.github.com>
Date: Sat, 9 Jul 2022 12:36:21 +0200
Subject: [PATCH 2/4] Fix

---
 scripts/change_url | 10 ++++++++++
 scripts/install    |  2 ++
 2 files changed, 12 insertions(+)

diff --git a/scripts/change_url b/scripts/change_url
index b286df6..da25297 100644
--- a/scripts/change_url
+++ b/scripts/change_url
@@ -100,6 +100,16 @@ then
 	ynh_store_file_checksum --file="/etc/nginx/conf.d/$new_domain.d/$app.conf"
 fi
 
+#=================================================
+# SPECIFIC MODIFICATIONS
+#=================================================
+
+domain="$new_domain"
+ynh_add_config --template="../conf/opensearch.xml.example" --destination="$final_path/opensearch.xml"
+
+chmod 400 "$final_path/opensearch.xml"
+chown $app:$app "$final_path/opensearch.xml"
+
 #=================================================
 # GENERIC FINALISATION
 #=================================================
diff --git a/scripts/install b/scripts/install
index b322054..25c9590 100755
--- a/scripts/install
+++ b/scripts/install
@@ -105,6 +105,8 @@ ynh_add_config --template="../conf/opensearch.xml.example" --destination="$final
 
 chmod 400 "$final_path/config.php"
 chown $app:$app "$final_path/config.php"
+chmod 400 "$final_path/opensearch.xml"
+chown $app:$app "$final_path/opensearch.xml"
 
 #=================================================
 # SETUP SYSTEMD

From a08445145e48e973bd78d48037c56cae8c93adce Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=C3=89ric=20Gaspar?=
 <46165813+ericgaspar@users.noreply.github.com>
Date: Sat, 9 Jul 2022 12:37:15 +0200
Subject: [PATCH 3/4] Update systemd.service

---
 conf/systemd.service | 30 ++++++++++++++++++++++++++++++
 1 file changed, 30 insertions(+)

diff --git a/conf/systemd.service b/conf/systemd.service
index 21f2d3c..99fa4d2 100644
--- a/conf/systemd.service
+++ b/conf/systemd.service
@@ -11,5 +11,35 @@ ExecStart=__FINALPATH__/auto_updater.sh
 Restart=always
 RestartSec=10s
 
+# Sandboxing options to harden security
+# Depending on specificities of your service/app, you may need to tweak these 
+# .. but this should be a good baseline
+# Details for these options: https://www.freedesktop.org/software/systemd/man/systemd.exec.html
+NoNewPrivileges=yes
+PrivateTmp=yes
+PrivateDevices=yes
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+RestrictNamespaces=yes
+RestrictRealtime=yes
+DevicePolicy=closed
+ProtectSystem=full
+ProtectControlGroups=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+LockPersonality=yes
+SystemCallFilter=~@clock @debug @module @mount @obsolete @reboot @setuid @swap
+
+# Denying access to capabilities that should not be relevant for webapps
+# Doc: https://man7.org/linux/man-pages/man7/capabilities.7.html
+CapabilityBoundingSet=~CAP_RAWIO CAP_MKNOD
+CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE
+CapabilityBoundingSet=~CAP_SYS_BOOT CAP_SYS_TIME CAP_SYS_MODULE CAP_SYS_PACCT
+CapabilityBoundingSet=~CAP_LEASE CAP_LINUX_IMMUTABLE CAP_IPC_LOCK
+CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_WAKE_ALARM
+CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG
+CapabilityBoundingSet=~CAP_MAC_ADMIN CAP_MAC_OVERRIDE
+CapabilityBoundingSet=~CAP_NET_ADMIN CAP_NET_BROADCAST CAP_NET_RAW
+CapabilityBoundingSet=~CAP_SYS_ADMIN CAP_SYS_PTRACE CAP_SYSLOG 
+
 [Install]
 WantedBy=multi-user.target

From 178800850ed427776838c7eba0d24b2dd7d9a732 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=C3=89ric=20Gaspar?=
 <46165813+ericgaspar@users.noreply.github.com>
Date: Sun, 10 Jul 2022 20:22:41 +0200
Subject: [PATCH 4/4] Update upgrade

---
 scripts/upgrade | 1 +
 1 file changed, 1 insertion(+)

diff --git a/scripts/upgrade b/scripts/upgrade
index d160be5..a3484e3 100644
--- a/scripts/upgrade
+++ b/scripts/upgrade
@@ -19,6 +19,7 @@ app=$YNH_APP_INSTANCE_NAME
 domain=$(ynh_app_setting_get --app=$app --key=domain)
 path_url=$(ynh_app_setting_get --app=$app --key=path)
 final_path=$(ynh_app_setting_get --app=$app --key=final_path)
+phpversion=$(ynh_app_setting_get --app=$app --key=phpversion)
 
 fpm_footprint=$(ynh_app_setting_get --app=$app --key=fpm_footprint)
 fpm_usage=$(ynh_app_setting_get --app=$app --key=fpm_usage)