conf files update

conf/app.src

@@ -1,6 +1,5 @@
-SOURCE_URL=https://framagit.org/luc/lufi/-/archive/7efebff4bfa3722796a80a783fb332d6e50d41de/lufi-7efebff4bfa3722796a80a783fb332d6e50d41de.tar.gz
+SOURCE_URL=https://framagit.org/fiat-tux/hat-softwares/lufi/-/archive/0.03.5/lufi-0.03.5.tar.gz
-SOURCE_SUM=cf69c08ae7aa2e696b5c275fc7d3bedf74946361e0114f819266c43ce33fac72
+SOURCE_SUM=aeb4bb4e7b4d5a7a12a7b8a49578e98c4ef8b6cb606b266b4531767a6ea6debe
 SOURCE_SUM_PRG=sha256sum
-SOURCE_FORMAT=zip
+SOURCE_FORMAT=tar.gz
 SOURCE_IN_SUBDIR=true
-SOURCE_FILENAME=

conf/lufi.conf.template

@@ -6,19 +6,31 @@
     # see http://mojolicio.us/perldoc/Mojo/Server/Hypnotoad for a full list of settings
     hypnotoad => {
         # array of IP addresses and ports you want to listen to
+        # you can specify a unix socket too, like 'http+unix://%2Ftmp%2Flufi.sock'
         listen => ['http://127.0.0.1:__PORT__'],
-        # if you use Lufi behind a reverse proxy like Nginx, you want ro set proxy to 1
+        # if you use Lufi behind a reverse proxy like Nginx, you want to set proxy to 1
         # if you use Lufi directly, let it commented
-        proxy  => 1,    
+        proxy  => 1,
+
+        # Please read http://mojolicious.org/perldoc/Mojo/Server/Hypnotoad#workers
+        # to adjust this to your server
+        workers => 30,
+        clients => 1,
     },
 
     # put a way to contact you here and uncomment it
+    # you can put some HTML in it
     # MANDATORY
-    contact => 'webmaster@__DOMAIN__',
+    contact       => '<a href="mailto:webmaster@__DOMAIN__">Contact page</a>',
+
+    # put an URL or an email address to receive file reports and uncomment it
+    # it's for make reporting illegal files easy for users
+    # MANDATORY
+    report => 'webmaster@__DOMAIN__',
 
     # array of random strings used to encrypt cookies
     # optional, default is ['fdjsofjoihrei'], PLEASE, CHANGE IT
-    secrets => ['__SECRET__'],
+    secrets        => ['__SECRET__'],
 
     # choose a theme. See the available themes in `themes` directory
     # optional, default is 'default'
@@ -43,7 +55,7 @@
     # max file size, in octets
     # you can write it 100*1024*1024
     # optional, no default
-    #max_file_size     => 104857600,
+    max_file_size     => __MAX_FILE_SIZE__*1024*1024,
 
     # if you want to have piwik statistics, provide a piwik image tracker
     # only the image tracker is allowed, no javascript
@@ -78,7 +90,7 @@
     # example: you want to have Lufi under https://example.org/lufi/
     # => set prefix to '/lufi' or to '/lufi/', it doesn't matter
     # optional, defaut is /
-    prefix => '__PATH__',
+    prefix        => '__PATH__',
 
     # array of authorized domains for API calls.
     # if you want to authorize everyone to use the API: ['*']
@@ -102,12 +114,48 @@
     # Optional, default to no-reply@lufi.io
     #mail_sender => 'no-reply@lufi.io',
 
+    # choose what database you want to use
+    # valid choices are sqlite, postgresql and mysql (all lowercase)
+    # optional, default is sqlite
+    dbtype => 'postgresql',
+
+    # SQLite ONLY - only used if dbtype is set to sqlite
     # define a path to the SQLite database
     # you can define it relative to lufi directory or set an absolute path
     # remember that it has to be in a directory writable by Lufi user
     # optional, default is lufi.db
     #db_path           => 'lufi.db',
 
+    # PostgreSQL ONLY - only used if dbtype is set to postgresql
+    # these are the credentials to access the PostgreSQL database
+    # mandatory if you choosed postgresql as dbtype
+    pgdb => {
+        database => '__DB_NAME__',
+        host     => 'localhost',
+        # optional, default is 5432
+        #port     => 5432,
+        user     => '__DB_USER__',
+        pwd      => '__DB_PWD__',
+        # https://mojolicious.org/perldoc/Mojo/Pg#max_connections
+        # optional, default is 1
+        #max_connections => 1,
+    },
+
+    # MySQL ONLY - only used if dbtype is set to mysql
+    # these are the credentials to access the MySQL database
+    # mandatory if you choosed mysql as dbtype
+    #mysqldb => {
+    #    database => 'lufi',
+    #    host     => 'localhost',
+    #    # optional, default is 3306
+    #    #port     => 3306,
+    #    user     => 'DBUSER',
+    #    pwd      => 'DBPASSWORD',
+    #    # https://metacpan.org/pod/Mojo::mysql#max_connections
+    #    # optional, default is 5 (set to 0 to disable persistent connections)
+    #    #max_connections => 5,
+    #},
+
     # define a path to the upload directory, where the uploaded files will be stored
     # you can define it relative to lufi directory or set an absolute path
     # remember that it has to be in a directory writable by Lufi user
@@ -118,20 +166,79 @@
     # set `ldap` if you want that only authenticated users can upload files
     # please note that everybody can still download files
     # optional, no default
-    #ldap => {
+    __IS_PUBLIC__ldap => {
-    #    uri         => 'ldaps://ldap.example.org',
+    __IS_PUBLIC__    uri         => 'ldap://localhost:389',                      # server URI
-    #    user_tree   => 'ou=users,dc=example,dc=org',
+    __IS_PUBLIC__    user_tree   => 'dc=yunohost,dc=org',                        # search base DN
-    #    bind_dn     => ',ou=users,dc=example,dc=org',
+    __IS_PUBLIC__    bind_dn     => 'ou=users,dc=yunohost,dc=org',               # search bind DN
-    #    bind_user   => 'uid=ldap_user',
+    __IS_PUBLIC__    #bind_pwd    => 'secr3t',                                   # search bind password
-    #    bind_pwd    => 'secr3t',
+    __IS_PUBLIC__    user_attr   => 'uid',                                       # user attribute (uid, mail, sAMAccountName, etc.)
-    #    user_filter => '!(uid=ldap_user)'
+    __IS_PUBLIC__    #user_filter => '(!(uid=ldap_user))',                       # user filter (to exclude some users, etc.)
-    #},
+    __IS_PUBLIC__    # optional start_tls configuration. See https://metacpan.org/pod/distribution/perl-ldap/lib/Net/LDAP.pod#start_tls
+    __IS_PUBLIC__    # don't set or uncomment if you don't want to configure it
+    __IS_PUBLIC__    #start_tls => {
+    __IS_PUBLIC__    #   verify     => 'optional',
+    __IS_PUBLIC__    #   clientcert => '/etc/ssl/certs/ca-bundle.pem'
+    __IS_PUBLIC__    #}
+    __IS_PUBLIC__},
+
+    # set `htpasswd` if you want to use an htpasswd file instead of ldap
+    # see 'man htpasswd' to know how to create such file
+    #htpasswd => 'lufi.passwd',
 
     # if you've set ldap above, the session will last `session_duration` seconds before
     # the user needs to reauthenticate
     # optional, default is 3600
     #session_duration => 3600,
 
+    # allow to add a password on files, asked before allowing to download files
+    # optional, default is 0
+    allow_pwd_on_files => 1,
+
+    # force all files to be in "Burn after reading mode"
+    # optional, default is 0
+    #force_burn_after_reading => 0,
+
+    # if set, the files' URLs will always use this domain
+    # optional, no default
+    #fixed_domain => 'example.org',
+
+    # abuse reasons
+    # set an integer in the abuse field of a file in the database and it will not be downloadable anymore
+    # the reason will be displayed to the downloader, according to the reasons you will configure here.
+    # optional, no default
+    #abuse => {
+    #   0 => 'Copyright infringment',
+    #   1 => 'Illegal content',
+    #},
+
+    # Content-Security-Policy header that will be sent by Lufi
+    # Set to '' to disable CSP header
+    # https://content-security-policy.com/ provides a good documentation about CSP.
+    # https://report-uri.com/home/generate provides a tool to generate a CSP header.
+    # optional, default is "base-uri 'self'; connect-src 'self' ws://YOUR_HOST; default-src 'none'; font-src 'self'; form-action 'self'; frame-ancestors 'none'; img-src 'self' blob:; media-src blob:; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'"
+    #csp => "",
+
+    # X-Frame-Options header that will be sent by Lufi
+    # Valid values are: 'DENY', 'SAMEORIGIN', 'ALLOW-FROM https://example.com/'
+    # Set to '' to disable X-Frame-Options header
+    # See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+    # Please note that this will add a "frame-ancestors" directive to the CSP header (see above) accordingly
+    # to the chosen setting (See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors)
+    # optional, default is 'DENY'
+    #x_frame_options => 'DENY',
+
+    # X-Content-Type-Options that will be sent by Lufi
+    # See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options
+    # Set to '' to disable X-Content-Type-Options header
+    # optional, default is 'nosniff'
+    #x_content_type_options => 'nosniff',
+
+    # X-XSS-Protection that will be sent by Lufi
+    # See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection
+    # Set to '' to disable X-XSS-Protection header
+    # optional, default is '1; mode=block'
+    #x_xss_protection => '1; mode=block',
+
     #########################
     # Lufi cron jobs settings
     #########################
@@ -144,13 +251,13 @@
     # max size of the files directory, in octets
     # used by script/lufi cron watch to trigger an action
     # optional, no default
-    max_total_size => 1024*1024*1024,
+    #max_total_size    => 10*1024*1024*1024,
 
     # default action when files directory is over max_total_size (used with script/lufi cron watch)
     # valid values are 'warn', 'stop-upload' and 'delete'
     # please, see readme
     # optional, default is 'warn'
-    policy_when_full => 'stop-upload',
+    #policy_when_full  => 'warn',
 
     # images which are not viewed since delete_no_longer_viewed_files days will be deleted by the cron cleanfiles task
     # if delete_no_longer_viewed_files is not set, the no longer viewed files will NOT be deleted

conf/nginx.conf

@@ -3,37 +3,30 @@ location __PATH__ {
         rewrite ^ https://$server_name$request_uri? permanent;
     }
 
-    # This is important for user's privacy !
+    access_log /var/log/nginx/lufi.access.log;
-    access_log off;
     error_log /var/log/nginx/lufi.error.log;
 
     # This is important ! Make it OK with your Lutim configuration
-    client_max_body_size 40M;
+    client_max_body_size __MAX_FILE_SIZE__M;
 
-    if ($request_uri ~* ^/(img|css|font|js)/) {
+    proxy_pass http://127.0.0.1:__PORT__;
-         add_header Expires "Thu, 31 Dec 2037 23:55:55 GMT";
-         add_header Cache-Control "public, max-age=315360000";
-    }
-
-    proxy_pass http://127.0.0.1:__PORT____PATH__;
 
     # Really important ! Lufi uses WebSocket, it won't work without this
     proxy_set_header Upgrade $http_upgrade ;
     proxy_set_header Connection "upgrade" ;
 
-    proxy_http_version 1.1;
     proxy_set_header Host $host;
     proxy_set_header X-Real-IP $remote_addr;
     proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_set_header X-Remote-Port $remote_port;
+    proxy_set_header X-Forwarded-Proto $scheme;
 
     # If you want to log the remote port of the file senders, you'll need that
     proxy_set_header X-Remote-Port $remote_port;
 
-    proxy_set_header X-Forwarded-Proto $scheme;
-
     # We expect the downsteam servers to redirect to the right hostname, so don't do any rewrite$
     proxy_redirect     off;
 
-    #--PRIVATE--# Include SSOWAT user panel.
+    # Include SSOWAT user panel.
-    #--PRIVATE--include conf.d/yunohost_panel.conf.inc;
+    include conf.d/yunohost_panel.conf.inc;
 }

conf/systemd.service

@@ -5,15 +5,15 @@ Requires=network.target
 After=network.target
 
 [Service]
-Type=forking
+Type=simple
 User=__APP__
 Group=__APP__
 RemainAfterExit=yes
 WorkingDirectory=__FINALPATH__
 PIDFile=__FINALPATH__script/hypnotoad.pid
-ExecStart=/usr/local/bin/carton exec hypnotoad script/lufi >> /var/log/lufi/production.log 2>&1
+ExecStart=/usr/local/bin/carton exec hypnotoad script/lufi
-ExecStop=/usr/local/bin/carton exec hypnotoad -s script/lufi >> /var/log/lufi/production.log 2>&1
+ExecStop=/usr/local/bin/carton exec hypnotoad -s script/lufi
-ExecReload=/usr/local/bin/carton exec hypnotoad script/lufi >> /var/log/lufi/production.log 2>&1
+ExecReload=/usr/local/bin/carton exec hypnotoad script/lufi
 
 [Install]
 WantedBy=multi-user.target