From 768ffa2ad1fd9bf8b7e6bdfde712e9faaf9bb4c5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=C3=89ric=20Gaspar?= <46165813+ericgaspar@users.noreply.github.com>
Date: Sun, 3 Jul 2022 11:17:13 +0200
Subject: [PATCH 1/5] Update systemd.service

---
 conf/systemd.service | 30 ++++++++++++++++++++++++++++++
 1 file changed, 30 insertions(+)

diff --git a/conf/systemd.service b/conf/systemd.service
index dd0805e..1b8e860 100644
--- a/conf/systemd.service
+++ b/conf/systemd.service
@@ -20,5 +20,35 @@ Environment=ADMIN_PASS=__PASSWORD__
 Environment=ADMIN_EMAIL=__EMAIL__
 Environment=OVERWRITE_SETTING_Show_Setup_Wizard=completed
 
+# Sandboxing options to harden security
+# Depending on specificities of your service/app, you may need to tweak these
+# .. but this should be a good baseline
+# Details for these options: https://www.freedesktop.org/software/systemd/man/systemd.exec.html
+NoNewPrivileges=yes
+PrivateTmp=yes
+PrivateDevices=yes
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+RestrictNamespaces=yes
+RestrictRealtime=yes
+DevicePolicy=closed
+ProtectSystem=full
+ProtectControlGroups=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+LockPersonality=yes
+SystemCallFilter=~@clock @debug @module @mount @obsolete @reboot @setuid @swap
+
+# Denying access to capabilities that should not be relevant for webapps
+# Doc: https://man7.org/linux/man-pages/man7/capabilities.7.html
+CapabilityBoundingSet=~CAP_RAWIO CAP_MKNOD
+CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE
+CapabilityBoundingSet=~CAP_SYS_BOOT CAP_SYS_TIME CAP_SYS_MODULE CAP_SYS_PACCT
+CapabilityBoundingSet=~CAP_LEASE CAP_LINUX_IMMUTABLE CAP_IPC_LOCK
+CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_WAKE_ALARM
+CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG
+CapabilityBoundingSet=~CAP_MAC_ADMIN CAP_MAC_OVERRIDE
+CapabilityBoundingSet=~CAP_NET_ADMIN CAP_NET_BROADCAST CAP_NET_RAW
+CapabilityBoundingSet=~CAP_SYS_ADMIN CAP_SYS_PTRACE CAP_SYSLOG
+
 [Install]
 WantedBy=multi-user.target
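Review bot: `CapabilityBoundingSet=~CAP_RAWIO CAP_MKNOD` names a capability that does not exist; capabilities(7) calls it `CAP_SYS_RAWIO`, so systemd will most likely log a parse warning and skip that token instead of dropping the capability. The line should read `CapabilityBoundingSet=~CAP_SYS_RAWIO CAP_MKNOD`. `PrivateDevices=yes` in the same hunk already removes both capabilities from the bounding set, which is probably why the typo has no visible effect, but the deny-list then does not say what it means. Separately, `SystemCallFilter=` is a deny-list with no `SystemCallArchitectures=native` beside it; adding that line keeps a non-native ABI from sidestepping the filter. The [Service] section starts above the hunk, so `User=` and the rest of the unit are not visible here.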
From a356554bcf653b1231f27e1f5de857def7bd773e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=C3=89ric=20Gaspar?= <46165813+ericgaspar@users.noreply.github.com>
Date: Sun, 3 Jul 2022 11:17:41 +0200
Subject: [PATCH 2/5] Update systemd.service

---
 conf/systemd.service | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/conf/systemd.service b/conf/systemd.service
index 1b8e860..ae02c6d 100644
--- a/conf/systemd.service
+++ b/conf/systemd.service
@@ -27,7 +27,7 @@ Environment=OVERWRITE_SETTING_Show_Setup_Wizard=completed
 NoNewPrivileges=yes
 PrivateTmp=yes
 PrivateDevices=yes
-RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
 RestrictNamespaces=yes
 RestrictRealtime=yes
 DevicePolicy=closed

From 2eb89499c3ffd1a7fddecb4a7ee82acb63ad2dd1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=C3=89ric=20Gaspar?= <46165813+ericgaspar@users.noreply.github.com>
Date: Sun, 3 Jul 2022 14:03:02 +0200
Subject: [PATCH 3/5] add info

---
 doc/DESCRIPTION.md | 2 +-
 doc/DESCRIPTION_fr.md | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/doc/DESCRIPTION.md b/doc/DESCRIPTION.md
index 0370b47..dc13e3a 100644
--- a/doc/DESCRIPTION.md
+++ b/doc/DESCRIPTION.md
@@ -3,7 +3,7 @@ Rocket.Chat is an open-source fully customizable communications platform develop
 ### Features
 
 - End to End Encryption
-- LDAP/Active Directory
+- LDAP/Active Directory (manual setup)
 - Multifactor Authentication
 - Customizable User Permission
 - Mobile Apps for [iOS](https://apps.apple.com/app/rocket-chat/id1148741252) and [Android](https://play.google.com/store/apps/details?id=chat.rocket.android)
diff --git a/doc/DESCRIPTION_fr.md b/doc/DESCRIPTION_fr.md
index de7aca6..e61cdac 100644
--- a/doc/DESCRIPTION_fr.md
+++ b/doc/DESCRIPTION_fr.md
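Review bot: In PATCH 2/5 the `RestrictAddressFamilies=` line of conf/systemd.service gains `AF_NETLINK` with no comment, and the commit message only says "Update systemd.service", so nothing records which component needs netlink sockets. That family lets the service talk to kernel interfaces the previous patch had closed off, so the reason belongs next to the setting, for example `# AF_NETLINK: needed by <component> to enumerate network interfaces (TODO confirm)` on the line above. If the need turns out to be a one-off lookup at startup, it is worth testing whether the service still runs without it. The hunk shows only part of the [Service] section.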
@@ -3,7 +3,7 @@ Rocket.Chat est une plate-forme de communication open source entièrement person
 ### Fonctionnalités
 
 - Chiffrement de bout en bout
-- LDAP
+- LDAP (configuration manuelle)
 - Authentification multifacteur
 - Autorisation utilisateur personnalisable
 - Applications mobiles pour [iOS](https://apps.apple.com/app/rocket-chat/id1148741252) et [Android](https://play.google.com/store/apps/details?id=chat.rocket.android)

From b3c73eaf373e5dfaeacb99a7b13e9ceb55010b54 Mon Sep 17 00:00:00 2001
From: yunohost-bot
Date: Sun, 3 Jul 2022 12:03:12 +0000
Subject: [PATCH 4/5] Auto-update README

---
 README.md | 2 +-
 README_fr.md | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/README.md b/README.md
index e446d45..3d034c8 100644
--- a/README.md
+++ b/README.md
@@ -20,7 +20,7 @@ Rocket.Chat is an open-source fully customizable communications platform develop
 ### Features
 
 - End to End Encryption
-- LDAP/Active Directory
+- LDAP/Active Directory (manual setup)
 - Multifactor Authentication
 - Customizable User Permission
 - Mobile Apps for [iOS](https://apps.apple.com/app/rocket-chat/id1148741252) and [Android](https://play.google.com/store/apps/details?id=chat.rocket.android)
diff --git a/README_fr.md b/README_fr.md
index 57b5c1d..0c7750c 100644
--- a/README_fr.md
+++ b/README_fr.md
@@ -20,7 +20,7 @@ Rocket.Chat est une plate-forme de communication open source entièrement person
 ### Fonctionnalités
 
 - Chiffrement de bout en bout
-- LDAP
+- LDAP (configuration manuelle)
 - Authentification multifacteur
 - Autorisation utilisateur personnalisable
 - Applications mobiles pour [iOS](https://apps.apple.com/app/rocket-chat/id1148741252) et [Android](https://play.google.com/store/apps/details?id=chat.rocket.android)

From 489fa3a4b2af318f3da0f8a09a01e3e24190bfab Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=C3=89ric=20Gaspar?= <46165813+ericgaspar@users.noreply.github.com>
Date: Sun, 3 Jul 2022 14:06:20 +0200
Subject: [PATCH 5/5] Add missing weight

---
 scripts/install | 4 ++--
 scripts/remove | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/scripts/install b/scripts/install
index 1e0f18e..f282a67 100644
--- a/scripts/install
+++ b/scripts/install
@@ -92,7 +92,7 @@ ynh_system_user_create --username=$app --home_dir="$final_path"
 #=================================================
 # CREATE A MONGODB DATABASE
 #=================================================
-ynh_script_progression --message="Creating a MongoDB database..."
+ynh_script_progression --message="Creating a MongoDB database..." --weight=2
 
 db_name=$(ynh_sanitize_dbid --db_name=$app)
 db_user=$db_name
@@ -168,7 +168,7 @@ ynh_use_logrotate
 #=================================================
 # INTEGRATE SERVICE IN YUNOHOST
 #=================================================
-ynh_script_progression --message="Integrating service in YunoHost..."
+ynh_script_progression --message="Integrating service in YunoHost..." --weight=1
 
 yunohost service add $app --description="Team collaboration communication platform"
 
diff --git a/scripts/remove b/scripts/remove
index 38d4ad6..1a25eba 100644
--- a/scripts/remove
+++ b/scripts/remove
@@ -54,7 +54,7 @@ ynh_remove_logrotate
 #=================================================
 # REMOVE THE MONGODB DATABASE
 #=================================================
-ynh_script_progression --message="Removing the MongoDB database..."
+ynh_script_progression --message="Removing the MongoDB database..." --weight=3
 
 ynh_replace_string --match_string="engine: wiredTiger" --replace_string="# engine:" --target_file=$MONGO_CE_CONFIG
 ynh_replace_string --match_string="replication:" --replace_string="#replication:" --target_file=$MONGO_CE_CONFIG