Fix

conf/nginx.conf

@@ -1,15 +1,16 @@
 location / {
 
-  proxy_pass        http://127.0.0.1:__PORT__;
+  proxy_pass        https://127.0.0.1:__PORT__;
   proxy_redirect    off;
   proxy_set_header  Host $host;
   proxy_set_header  X-Real-IP $remote_addr;
   proxy_set_header  X-Forwarded-Proto $scheme;
   proxy_set_header  X-Forwarded-For $proxy_add_x_forwarded_for;
   proxy_set_header  X-Forwarded-Host $server_name;
-  proxy_set_header  Connection '';
+  
   proxy_http_version 1.1;
   proxy_set_header Upgrade $http_upgrade;
+  proxy_set_header Connection "upgrade";
 
   # Include SSOWAT user panel.
   include conf.d/yunohost_panel.conf.inc;

conf/systemd.service

@@ -1,7 +1,6 @@
 [Unit]
 Description=Shiori: Simple bookmark manager
-Requires=network-online.target
-After=network-online.target
+Environment="SHIORI_DIR=__DATADIR__"
 
 [Service]
 Type=simple
@@ -9,9 +8,52 @@ User=__APP__
 Group=__APP__
 WorkingDirectory=__FINALPATH__/
 ExecStart=__FINALPATH__/shiori serve --port __PORT__
+Restart=always
+
 Environment="SHIORI_DIR=__DATADIR__"
-StandardOutput=append:/var/log/__APP__/__APP__.log
-StandardError=inherit
+DynamicUser=true
+PrivateUsers=true
+ProtectHome=true
+ProtectKernelLogs=true
+RestrictAddressFamilies=AF_INET AF_INET6
+StateDirectory=shiori
+SystemCallErrorNumber=EPERM
+SystemCallFilter=@system-service
+SystemCallFilter=~@chown
+SystemCallFilter=~@keyring
+SystemCallFilter=~@memlock
+SystemCallFilter=~@setuid
+DeviceAllow=
+
+CapabilityBoundingSet=
+LockPersonality=true
+MemoryDenyWriteExecute=true
+NoNewPrivileges=true
+PrivateDevices=true
+PrivateTmp=true
+ProtectControlGroups=true
+ProtectKernelTunables=true
+ProtectSystem=full
+ProtectClock=true
+ProtectKernelModules=true
+ProtectProc=noaccess
+ProtectHostname=true
+ProcSubset=pid
+RestrictNamespaces=true
+RestrictRealtime=true
+RestrictSUIDSGID=true
+SystemCallArchitectures=native
+SystemCallFilter=~@clock
+SystemCallFilter=~@debug
+SystemCallFilter=~@module
+SystemCallFilter=~@mount
+SystemCallFilter=~@raw-io
+SystemCallFilter=~@reboot
+SystemCallFilter=~@privileged
+SystemCallFilter=~@resources
+SystemCallFilter=~@cpu-emulation
+SystemCallFilter=~@obsolete
+UMask=0077
 
 [Install]
 WantedBy=multi-user.target

doc/DISCLAIMER.md

@@ -1,4 +1,4 @@
-First connection credentials are:
+The default account is `shiori` with password `gopher`. It is removed once another 'owner' account is created.
 
 - username: `shiori`
 - password: `gopher`

scripts/install

@@ -138,7 +138,7 @@ yunohost service add $app --description="Simple bookmark manager" --log="/var/lo
 ynh_script_progression --message="Starting a systemd service..." --weight=1
 
 # Start a systemd service
-ynh_systemd_action --service_name=$app --action="start" --log_path="/var/log/$app/$app.log"
+ynh_systemd_action --service_name=$app --action="start" --log_path="systemd"
 
 #=================================================
 # SETUP SSOWAT

scripts/restore

@@ -115,7 +115,7 @@ yunohost service add $app --description="Simple bookmark manager" --log="/var/lo
 #=================================================
 ynh_script_progression --message="Starting a systemd service..." --weight=1
 
-ynh_systemd_action --service_name=$app --action="start" --log_path="/var/log/$app/$app.log"
+ynh_systemd_action --service_name=$app --action="start" --log_path="systemd"
 
 #=================================================
 # GENERIC FINALIZATION

scripts/upgrade

@@ -120,7 +120,7 @@ yunohost service add $app --description="Simple bookmark manager" --log="/var/lo
 #=================================================
 ynh_script_progression --message="Starting a systemd service..." --weight=1
 
-ynh_systemd_action --service_name=$app --action="start" --log_path="/var/log/$app/$app.log"
+ynh_systemd_action --service_name=$app --action="start" --log_path="systemd"
 
 #=================================================
 # RELOAD NGINX