Merge branch 'master' into testing

conf/amd64.src

@@ -1,5 +1,5 @@
-SOURCE_URL=https://github.com/knadh/listmonk/releases/download/v2.3.0/listmonk_2.3.0_linux_amd64.tar.gz
-SOURCE_SUM=4ad9ff7a04e13c9f8609c705e4850046ae8a3c9a03b0c4ac04e3c1d1c8fe8b7a
+SOURCE_URL=https://github.com/knadh/listmonk/releases/download/v2.2.0/listmonk_2.2.0_linux_amd64.tar.gz
+SOURCE_SUM=c2bdccd073d768d2b8dfbfad6469c5b41cf39b44a20c263cbaebf15876463709
 SOURCE_SUM_PRG=sha256sum
 SOURCE_FORMAT=tar.gz
 SOURCE_IN_SUBDIR=false

conf/app.src

@@ -1,5 +1,5 @@
-SOURCE_URL=https://github.com/knadh/listmonk/archive/refs/tags/v2.3.0.tar.gz
-SOURCE_SUM=54cab80ca16dbf58ce40b7fc1ae88a9f8ed4c9d9a54387a77b1a90cb4dba3404
+SOURCE_URL=https://github.com/knadh/listmonk/archive/refs/tags/v2.2.0.tar.gz
+SOURCE_SUM=e3f1cc89972cafaab78cda38be54ab3fc115fd7846e2e7dae1b19fff002e1c77
 SOURCE_SUM_PRG=sha256sum
 SOURCE_FORMAT=tar.gz
 SOURCE_IN_SUBDIR=true

conf/config.toml

@@ -9,8 +9,8 @@ address = "127.0.0.1:__PORT__"
 # be replaced with a better multi-user, role-based authentication system.
 # IMPORTANT: Leave both values empty to disable authentication on admin
 # only where an external authentication is already setup.
-admin_username = ""
-admin_password = ""
+admin_username = "__ADMIN__"
+admin_password = "__PASSWORD__"
 
 # Database.
 [db]

conf/systemd.service

@@ -1,48 +1,14 @@
 [Unit]
 Description=Listmonk: newsletter and mailing list manager
 Documentation=https://listmonk.app/docs/
-ConditionPathExists=__FINALPATH__/config.toml
-After=network.target
 
 [Service]
 Type=simple
 User=__APP__
 Group=__APP__
 WorkingDirectory=__FINALPATH__/
-ExecStartPre=/usr/bin/mkdir -p "__FINALPATH__/uploads"
-ExecStartPre=__FINALPATH__/listmonk --config __FINALPATH__/config.toml --upgrade --yes
 ExecStart=__FINALPATH__/listmonk
 Restart=always
 
-# Sandboxing options to harden security
-# Depending on specificities of your service/app, you may need to tweak these
-# .. but this should be a good baseline
-# Details for these options: https://www.freedesktop.org/software/systemd/man/systemd.exec.html
-NoNewPrivileges=yes
-PrivateTmp=yes
-PrivateDevices=yes
-RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
-RestrictNamespaces=yes
-RestrictRealtime=yes
-DevicePolicy=closed
-ProtectSystem=full
-ProtectControlGroups=yes
-ProtectKernelModules=yes
-ProtectKernelTunables=yes
-LockPersonality=yes
-SystemCallFilter=~@clock @debug @module @mount @obsolete @reboot @setuid @swap
-
-# Denying access to capabilities that should not be relevant for webapps
-# Doc: https://man7.org/linux/man-pages/man7/capabilities.7.html
-CapabilityBoundingSet=~CAP_RAWIO CAP_MKNOD
-CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE
-CapabilityBoundingSet=~CAP_SYS_BOOT CAP_SYS_TIME CAP_SYS_MODULE CAP_SYS_PACCT
-CapabilityBoundingSet=~CAP_LEASE CAP_LINUX_IMMUTABLE CAP_IPC_LOCK
-CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_WAKE_ALARM
-CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG
-CapabilityBoundingSet=~CAP_MAC_ADMIN CAP_MAC_OVERRIDE
-CapabilityBoundingSet=~CAP_NET_ADMIN CAP_NET_BROADCAST CAP_NET_RAW
-CapabilityBoundingSet=~CAP_SYS_ADMIN CAP_SYS_PTRACE CAP_SYSLOG
-
 [Install]
 WantedBy=multi-user.target

manifest.json

@@ -38,6 +38,14 @@
                 "name": "is_public",
                 "type": "boolean",
                 "default": true
+            },
+            {
+                "name": "admin",
+                "type": "user"
+            },
+            {
+                "name": "password",
+                "type": "password"
             }
         ]
     }

scripts/install

@@ -28,8 +28,8 @@ ynh_abort_if_errors
 domain=$YNH_APP_ARG_DOMAIN
 path_url="/"
 is_public=$YNH_APP_ARG_IS_PUBLIC
-admin=""
-password=""
+admin=$YNH_APP_ARG_ADMIN
+password=$YNH_APP_ARG_PASSWORD
 
 app=$YNH_APP_INSTANCE_NAME
 
@@ -209,12 +209,12 @@ then
 fi
 
 # Only the admin can access the admin panel of the app (if the app has an admin panel)
-ynh_permission_create --permission="admin" --url="/admin" --additional_urls="/admin /api" --allowed=$admin --auth_header=false
+ynh_permission_create --permission="admin" --url="/admin" --allowed=$admin --auth_header=false
 
 # Everyone can access the API part
 # We don't want to display the tile in the SSO so we put --show_tile="false"
 # And we don't want the YunoHost admin to be able to remove visitors group to this permission, so we put --protected="true"
-ynh_permission_create --permission="api" --url="/public" --additional_urls="/api/public" --allowed="visitors" --show_tile="false" --protected="true"
+ynh_permission_create --permission="api" --url="/api" --allowed="visitors" --show_tile="false" --protected="true"
 
 #=================================================
 # RELOAD NGINX

scripts/upgrade

@@ -70,12 +70,12 @@ fi
 
 if ! ynh_permission_exists --permission="admin"; then
 	# Create the required permissions
-	ynh_permission_create --permission="admin" --url="/admin" --additional_urls="/admin /api" --allowed=$admin --auth_header=false
+	ynh_permission_create --permission="admin" --url="/admin" --allowed=$admin --auth_header=false
 fi
 
 # Create a permission if needed
 if ! ynh_permission_exists --permission="api"; then
-	ynh_permission_create --permission="api" --url="/public" --additional_urls="/api/public" --allowed="visitors" --show_tile="false" --protected="true"
+	ynh_permission_create --permission="api" --url="/api" --allowed="visitors" --show_tile="false" --protected="true"
 fi
 
 if ynh_compare_current_package_version --comparison le --version 2.3.0~ynh3
@@ -100,7 +100,6 @@ then
 	ynh_permission_create --permission="api" --url="/public" --additional_urls="/api/public" --allowed="visitors" --show_tile="false" --protected="true"
 fi
 
-
 #=================================================
 # CREATE DEDICATED USER
 #=================================================
@@ -116,10 +115,11 @@ ynh_system_user_create --username=$app --home_dir="$final_path"
 if [ "$upgrade_type" == "UPGRADE_APP" ]
 then
 	ynh_script_progression --message="Upgrading source files..." --weight=5
+
 	# Download, check integrity, uncompress and patch the source from app.src
 	if [ $YNH_ARCH == "armhf" ] || [ $YNH_ARCH == "arm64" ]
 	then
-		ynh_setup_source --dest_dir="$final_path/build" --keep="$final_path/config.toml uploads"
+		ynh_setup_source --dest_dir="$final_path/build" --keep="$final_path/config.toml"
 		# Install Nodejs
 		ynh_exec_warn_less ynh_install_nodejs --nodejs_version=$nodejs_version
 		# Install Yarn
@@ -139,7 +139,7 @@ then
 		ynh_remove_nodejs
 		ynh_secure_remove --file="$final_path/build"
 	else
-		ynh_setup_source --dest_dir="$final_path"  --source_id=$YNH_ARCH --keep="$final_path/config.toml uploads"
+		ynh_setup_source --dest_dir="$final_path"  --source_id=$YNH_ARCH --keep="$final_path/config.toml"
 	fi
 fi
 
@@ -166,12 +166,12 @@ ynh_exec_warn_less ynh_install_app_dependencies $pkg_dependencies
 #=================================================
 # UPDATE A CONFIG FILE
 #=================================================
-ynh_script_progression --message="Updating a configuration file..." --time --weight=1
+# ynh_script_progression --message="Updating a configuration file..." --time --weight=1
 
-ynh_add_config --template="../conf/config.toml" --destination="$final_path/config.toml"
+# ynh_add_config --template="../conf/config.toml" --destination="$final_path/config.toml"
 
-chmod 400 "$final_path/config.toml"
-chown $app:$app "$final_path/config.toml"
+# chmod 400 "$final_path/config.toml"
+# chown $app:$app "$final_path/config.toml"
 
 #=================================================
 # DATABASE CONFIGURATION