Fix restore script, linter issues and harden systemd script

conf/systemd.service

@@ -9,5 +9,39 @@ Group=__APP__
 WorkingDirectory=__INSTALL_DIR__/
 ExecStart=__INSTALL_DIR__/bin/python3 -m mautrix_telegram
 
+# Optional hardening to improve security
+ReadWritePaths=__INSTALL_DIR__/ /var/log/__APP__
+NoNewPrivileges=yes
+MemoryDenyWriteExecute=true
+PrivateDevices=yes
+PrivateTmp=yes
+ProtectHome=yes
+ProtectSystem=strict
+ProtectControlGroups=true
+RestrictSUIDSGID=true
+RestrictRealtime=true
+LockPersonality=true
+ProtectKernelLogs=true
+ProtectKernelTunables=true
+ProtectHostname=true
+ProtectKernelModules=true
+PrivateUsers=true
+ProtectClock=true
+SystemCallArchitectures=native
+SystemCallErrorNumber=EPERM
+SystemCallFilter=@system-service
+
+# Denying access to capabilities that should not be relevant for webapps
+# Doc: https://man7.org/linux/man-pages/man7/capabilities.7.html
+CapabilityBoundingSet=~CAP_RAWIO CAP_MKNOD
+CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE
+CapabilityBoundingSet=~CAP_SYS_BOOT CAP_SYS_TIME CAP_SYS_MODULE CAP_SYS_PACCT
+CapabilityBoundingSet=~CAP_LEASE CAP_LINUX_IMMUTABLE CAP_IPC_LOCK
+CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_WAKE_ALARM
+CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG
+CapabilityBoundingSet=~CAP_MAC_ADMIN CAP_MAC_OVERRIDE
+CapabilityBoundingSet=~CAP_NET_ADMIN CAP_NET_BROADCAST CAP_NET_RAW
+CapabilityBoundingSet=~CAP_SYS_ADMIN CAP_SYS_PTRACE CAP_SYSLOG
+
 [Install]
 WantedBy=multi-user.target

scripts/restore

@@ -42,17 +42,6 @@ ynh_script_progression --message="Restoring the PostgreSQL database..." --weight
 
 ynh_psql_execute_file_as_root --file="./db.sql" --database=$db_name
 
-#=================================================
-# INSTALL MAUTRIX-BRIDGE PYTHON MODULE
-#=================================================
-ynh_script_progression --message="Installing Mautrix-Bridge Python Module..." --weight=6
-
-mkdir -p /var/log/$app
-# Configure Mautrix-Bridge
-python3 -m venv $install_dir
-export HOME=$install_dir
-$install_dir/bin/pip3 install --upgrade pip setuptools wheel
-
 #=================================================
 # REGISTER SYNAPSE APP-SERVICE
 #=================================================

scripts/upgrade

@@ -84,8 +84,6 @@ ynh_backup_if_checksum_is_different --file="$install_dir/config.yaml"
 # as_token hs_token are autogenerated, save them before regenerating the config
 as_token=$(grep "as_token:" "$install_dir/config.yaml" | sed -r "s/ *as_token: *//")
 hs_token=$(grep "hs_token:" "$install_dir/config.yaml" | sed -r "s/ *hs_token: *//")
-# ynh_replace_string --match_string=__AS_TOKEN__ --replace_string="$as_token" --target_file="$install_dir/config.yaml"
-# ynh_replace_string --match_string=__HS_TOKEN__ --replace_string="$hs_token" --target_file="$install_dir/config.yaml"
 is_encryption_enabled="$encryption"
 
 if [ $encryption -eq 1 ]; then