Merge pull request #239 from YunoHost-Apps/permissions

Permissions

check_process

@@ -3,7 +3,7 @@
         domain="domain.tld"    (DOMAIN)
         path="/_matrix/static/"	(PATH)
         is_public=1 (PUBLIC|public=1|private=0)
-        server_name="domain2.tld"    (DOMAIN)
+        server_name="domain.tld"    (DOMAIN)
     ; Checks
         pkg_linter=1
         setup_sub_dir=1
@@ -14,6 +14,7 @@
         upgrade=1
         upgrade=1   from_commit=0705f4ffb4f7538a1aa33a801f95766ee23367db
         upgrade=1   from_commit=35774cc0eabb82b03230210689fa060d5f2b0bd8
+        upgrade=1   from_commit=dbf0a2c9359ccd62b55132cace548b17e44af9bf
         backup_restore=1
         multi_instance=1
         incorrect_path=0
@@ -26,3 +27,5 @@
         name=Fix postgresql helper from old_version_for_CI_2 branch
     ; commit=35774cc0eabb82b03230210689fa060d5f2b0bd8
         name=Migrate from self signed certificate to cert managed by Yunohost from old_version_for_CI_3 branch
+    ; commit=dbf0a2c9359ccd62b55132cace548b17e44af9bf
+        name=Before permission implementation

conf/add_sso_conf.py

@@ -1,28 +0,0 @@
-import json
-import sys
-
-domain = sys.argv[1]
-server_name = sys.argv[2]
-
-with open("/etc/ssowat/conf.json.persistent", "r", encoding='utf-8') as jsonFile:
-    data = json.load(jsonFile)
-
-    if "skipped_urls" not in data:
-        data["skipped_urls"] = []
-    if "protected_urls" not in data:
-        data["protected_urls"] = []
-
-    # Remove entry without the domain specified
-    if "/_matrix" in data["skipped_urls"]:
-        data["skipped_urls"].remove("/_matrix")
-
-    if domain + "/_matrix" not in data["skipped_urls"]:
-        data["skipped_urls"].append(domain + "/_matrix")
-    if server_name + "/.well-known/matrix/" not in data["skipped_urls"]:
-        data["skipped_urls"].append(server_name + "/.well-known/matrix/")
-
-    if domain +  "/_matrix/cas_server.php/login" not in data["protected_urls"]:
-        data["protected_urls"].append(domain + "/_matrix/cas_server.php/login")
-
-with open("/etc/ssowat/conf.json.persistent", "w", encoding='utf-8') as jsonFile:
-    jsonFile.write(json.dumps(data, indent=4, sort_keys=True))

conf/homeserver.yaml

@@ -184,7 +184,7 @@ listeners:
   # will also need to give Synapse a TLS key and certificate: see the TLS section
   # below.)
   #
-  - port: __TLS_PORT__
+  - port: __SYNAPSE_TLS_PORT__
     type: http
     tls: true
     resources:
@@ -489,7 +489,7 @@ database:
     args:
         user: __SYNAPSE_DB_USER__
         password: __SYNAPSE_DB_PWD__
-        database: matrix___APP__
+        database: __SYNAPSE_DB_NAME__
         host: localhost
         cp_min: 5
         cp_max: 10
@@ -768,7 +768,7 @@ turn_uris: [ "turn:__DOMAIN__:__TURNSERVER_TLS_PORT__?transport=udp", "turn:__DO
 
 # The shared secret used to compute passwords for the TURN server
 #
-turn_shared_secret: "__TURNPWD__"
+turn_shared_secret: "__TURNSERVER_PWD__"
 
 # The Username and password if the TURN server needs them and
 # does not use a token
@@ -884,7 +884,7 @@ enable_registration: __ALLOWED_ACCESS__
 # If set, allows registration of standard or admin accounts by anyone who
 # has the shared secret, even if registration is otherwise disabled.
 #
-registration_shared_secret: "__REGISTRATION_SECRET__"
+registration_shared_secret: "__REGISTRATION_SHARED_SECRET__"
 
 # Set the number of bcrypt rounds used to generate password hash.
 # Larger numbers increase the work factor needed to generate the hash.
@@ -1030,7 +1030,7 @@ report_stats: __REPORT_STATS__
 # the registration_shared_secret is used, if one is given; otherwise,
 # a secret key is derived from the signing key.
 #
-macaroon_secret_key: "__MACAROON_SECRET_KEY__"
+__MACAROON_SECRET_KEY_PARAM__
 
 # a secret which is used to calculate HMACs for form values, to stop
 # falsification of values. Must be specified for the User Consent

conf/nginx.conf

@@ -8,7 +8,7 @@ location __PATH__ {
         location __PATH__/cas_server.php {
             alias /var/www/__APP__/;
             fastcgi_split_path_info ^(.+?\.php)(/.*)$;
-            fastcgi_pass unix:/run/php7.0-fpm-__NAME__.sock;
+            fastcgi_pass unix:/run/php__PHPVERSION__-fpm-__NAME__.sock;
             include fastcgi_params;
             fastcgi_param REMOTE_USER $remote_user;
             fastcgi_param PATH_INFO $fastcgi_path_info;

conf/php-fpm.conf

@@ -30,7 +30,7 @@ group = matrix-__USER__
 ;                            specific port;
 ;   '/path/to/unix/socket' - to listen on a unix socket.
 ; Note: This value is mandatory.
-listen = /run/php7.0-fpm-__NAMETOCHANGE__.sock
+listen = /run/php__PHPVERSION__-fpm-__NAMETOCHANGE__.sock
 
 ; Set listen(2) backlog. A value of '-1' means unlimited.
 ; Default Value: 128 (-1 on FreeBSD and OpenBSD)

conf/remove_sso_conf.py

@@ -1,15 +0,0 @@
-import json
-import sys
-
-domain = sys.argv[1]
-server_name = sys.argv[2]
-
-with open("/etc/ssowat/conf.json.persistent", "r", encoding='utf-8') as jsonFile:
-    data = json.load(jsonFile)
-
-    data["skipped_urls"].remove(domain + "/_matrix")
-    data["skipped_urls"].remove(server_name + "/.well-known/matrix/")
-    data["protected_urls"].remove(domain + "/_matrix/cas_server.php/login")
-
-with open("/etc/ssowat/conf.json.persistent", "w", encoding='utf-8') as jsonFile:
-    jsonFile.write(json.dumps(data, indent=4, sort_keys=True))

conf/server_name.conf

@@ -1,5 +1,5 @@
 location /.well-known/matrix/server {
-    return 200 '{"m.server": "__DOMAIN__:__PORT__"}';
+    return 200 '{"m.server": "__DOMAIN__:__SYNAPSE_TLS_PORT__"}';
     add_header Content-Type application/json;
     add_header Access-Control-Allow-Origin '*';
 }
@@ -7,7 +7,7 @@ location /.well-known/matrix/server {
 location /.well-known/matrix/client {
     return 200 '{
         "m.homeserver": { "base_url": "https://__DOMAIN__" },
-        "im.vector.riot.jitsi": {"preferredDomain": "__JITSI_SERVER_ADDR__"},
+        "im.vector.riot.jitsi": {"preferredDomain": "__JITSI_SERVER__"},
         "im.vector.riot.e2ee": {"default": __E2E_ENABLED_BY_DEFAULT__ }
     }';
     add_header Content-Type application/json;

conf/turnserver.conf

@@ -1,10 +1,10 @@
 lt-cred-mech
 use-auth-secret
-static-auth-secret=__TURNPWD__
+static-auth-secret=__TURNSERVER_PWD__
 realm=__DOMAIN__
 
-tls-listening-port=__TLS_PORT__
-alt-tls-listening-port=__TLS_ALT_PORT__
+tls-listening-port=__TURNSERVER_TLS_PORT__
+alt-tls-listening-port=__TURNSERVER_ALT_TLS_PORT__
 min-port=49153
 max-port=49193
 cli-port=__CLI_PORT__
@@ -26,3 +26,5 @@ no-cli
 log-file=/var/log/matrix-__APP__/turnserver.log
 pidfile=/run/coturn-__APP__/turnserver.pid
 simple-log
+
+__TURN_EXTERNAL_IP__

manifest.json

@@ -6,7 +6,7 @@
 		"en": "Instant messaging server which uses Matrix",
 		"fr": "Un serveur de messagerie instantané basé sur Matrix"
 	},
-	"version": "1.28.0~ynh1",
+	"version": "1.28.0~ynh2",
 	"url": "http://matrix.org",
 	"license": "Apache-2.0",
 	"maintainer": {
@@ -14,7 +14,7 @@
 		"email": "josue@tille.ch"
 	},
 	"requirements": {
-		"yunohost": ">= 3.7.0.4"
+		"yunohost": ">= 4.1"
 	},
 	"multi_instance": true,
 	"services": [

pull_request_template.md

@@ -10,15 +10,3 @@
 - [ ] Fix or enhancement tested.
 - [ ] Upgrade from last version tested.
 - [ ] Can be reviewed and tested.
-
-## Validation
----
-*Minor decision*
-- **Upgrade previous version** : 
-- [ ] **Code review** : 
-- [ ] **Approval (LGTM)** : 
-- [ ] **Approval (LGTM)** : 
-- **CI succeeded** : 
-[![Build Status](https://ci-apps-hq.yunohost.org/jenkins/job/synapse_ynh%20PR-NUM-/badge/icon)](https://ci-apps-hq.yunohost.org/jenkins/job/synapse_ynh%20PR-NUM-/)  
-*Please replace '-NUM-' in this link by the PR number.*  
-When the PR is marked as ready to merge, you have to wait for 3 days before really merging it.

scripts/_common.sh

@@ -11,7 +11,6 @@ install_sources() {
 
     mkdir -p $final_path
     chown $synapse_user:root -R $final_path
-    chown $synapse_user:root -R $data_path
 
     if [ -n "$(uname -m | grep arm)" ]
     then
@@ -37,17 +36,12 @@ install_sources() {
             sudo -u "$synapse_user" env PATH=$PATH rustup update
         else
             sudo -u "$synapse_user" bash -c 'curl -sSf -L https://static.rust-lang.org/rustup.sh | sh -s -- -y --default-toolchain=stable'
-            mv $data_path/.cargo $final_path/
-            mv $data_path/.rustup $final_path/
-            ln -s $final_path/.cargo $data_path/.cargo
-            ln -s $final_path/.rustup $data_path/.rustup
         fi
     
         # Install virtualenv if it don't exist
         test -e $final_path/bin/python3 || python3 -m venv $final_path
 
         # Install synapse in virtualenv
-        ynh_replace_string --match_string=__FINAL_PATH__ --replace_string=$final_path --target_file=$final_path/bin/activate
 
         # We set all necessary environement variable to create a python virtualenvironnement.
         set +u;

scripts/backup

@@ -39,6 +39,7 @@ fi
 synapse_user="matrix-$app"
 synapse_db_name="matrix_$app"
 synapse_db_user="matrix_$app"
+synapse_db_name="matrix_$app"
 upstream_version=$(ynh_app_upstream_version)
 final_www_path="/var/www/$app"
 data_path="/home/yunohost.app/matrix-$app"

scripts/change_url

@@ -46,6 +46,7 @@ ynh_print_ON
 synapse_user="matrix-$app"
 synapse_db_name="matrix_$app"
 synapse_db_user="matrix_$app"
+synapse_db_name="matrix_$app"
 upstream_version=$(ynh_app_upstream_version)
 
 # Check if the new path stay /_matrix if not exit
@@ -79,12 +80,7 @@ ynh_store_file_checksum --file "/etc/nginx/conf.d/$domain.d/$app.conf"
 # Create .well-known redirection for access by federation
 if yunohost --output-as plain domain list | grep -q "^$server_name$"
 then
-    cp ../conf/server_name.conf /etc/nginx/conf.d/${server_name}.d/${app}_server_name.conf
-    ynh_replace_string --match_string=__DOMAIN__ --replace_string=$domain --target_file="/etc/nginx/conf.d/${server_name}.d/${app}_server_name.conf"
-    ynh_replace_string --match_string=__PORT__ --replace_string=$synapse_tls_port --target_file="/etc/nginx/conf.d/${server_name}.d/${app}_server_name.conf"
-    ynh_replace_string --match_string=__JITSI_SERVER_ADDR__ --replace_string=$jitsi_server --target_file="/etc/nginx/conf.d/${server_name}.d/${app}_server_name.conf"
-    ynh_replace_string --match_string=__E2E_ENABLED_BY_DEFAULT__ --replace_string=$e2e_enabled_by_default --target_file="/etc/nginx/conf.d/${server_name}.d/${app}_server_name.conf"
-    ynh_store_file_checksum --file="/etc/nginx/conf.d/${server_name}.d/${app}_server_name.conf"
+    ynh_add_config --template="server_name.conf" --destination="/etc/nginx/conf.d/${server_name}.d/${app}_server_name.conf"
 fi
 
 #=================================================
@@ -96,59 +92,35 @@ ynh_script_progression --message="Updating synapse config..." --weight=2
 # WARNING : theses command are used in INSTALL, UPGRADE, CONFIG, CHANGE-URL (4 times)
 # For any update do it in all files
 
-homeserver_config_path="/etc/matrix-$app/homeserver.yaml"
-
-ynh_backup_if_checksum_is_different --file="$homeserver_config_path"
-ynh_backup_if_checksum_is_different --file=/etc/matrix-$app/log.yaml
-
-cp ../conf/homeserver.yaml "$homeserver_config_path"
-cp ../conf/log.yaml /etc/matrix-$app/log.yaml
-
-ynh_replace_string --match_string=__APP__ --replace_string=$app --target_file="$homeserver_config_path"
-ynh_replace_string --match_string=__DOMAIN__ --replace_string=$domain --target_file="$homeserver_config_path"
-ynh_replace_string --match_string=__SERVER_NAME__ --replace_string=$server_name --target_file="$homeserver_config_path"
-ynh_replace_string --match_string=__SYNAPSE_DB_USER__ --replace_string=$synapse_db_user --target_file="$homeserver_config_path"
-ynh_replace_string --match_string=__PORT__ --replace_string=$port --target_file="$homeserver_config_path"
-ynh_replace_string --match_string=__TLS_PORT__ --replace_string=$synapse_tls_port --target_file="$homeserver_config_path"
-ynh_replace_string --match_string=__TURNSERVER_TLS_PORT__ --replace_string=$turnserver_tls_port --target_file="$homeserver_config_path"
-ynh_replace_string --match_string=__REPORT_STATS__ --replace_string="$report_stats" --target_file="$homeserver_config_path"
-ynh_replace_string --match_string=__ALLOW_PUBLIC_ROOMS__ --replace_string="$allow_public_rooms" --target_file="$homeserver_config_path"
-ynh_print_OFF
-ynh_replace_special_string --match_string=__SYNAPSE_DB_PWD__ --replace_string=$synapse_db_pwd --target_file="$homeserver_config_path"
-ynh_replace_special_string --match_string=__TURNPWD__ --replace_string=$turnserver_pwd --target_file="$homeserver_config_path"
-ynh_replace_special_string --match_string=__REGISTRATION_SECRET__ --replace_string="$registration_shared_secret" --target_file="$homeserver_config_path"
-ynh_replace_special_string --match_string=__FORM_SECRET__ --replace_string="$form_secret" --target_file="$homeserver_config_path"
 if [ -z $macaroon_secret_key ]; then
     # Well, in this package this value was not managed because it was not needed, synapse is able to generate this with some other secret in the config file but after some vulnerability was found with this practice.
     # For more detail about this issue you can see : https://matrix.org/blog/2019/01/15/further-details-on-critical-security-update-in-synapse-affecting-all-versions-prior-to-0-34-1-cve-2019-5885/
     # The problem is that we can't just say generate a new value if the package has not already defined a value. The reason is that changing this value logout all user. And in case of a user has enabled the encryption, the user might lost all conversation !!
     # So for the old install we just leave this as it is. And for the new install we use a real macaroon.
-    ynh_replace_special_string --match_string='macaroon_secret_key: "__MACAROON_SECRET_KEY__"' --replace_string='# macaroon_secret_key: "__MACAROON_SECRET_KEY__"' --target_file="$homeserver_config_path"
+    macaroon_secret_key_param='# macaroon_secret_key: ""'
 else
-    ynh_replace_special_string --match_string=__MACAROON_SECRET_KEY__ --replace_string="$macaroon_secret_key" --target_file="$homeserver_config_path"
+    macaroon_secret_key_param='macaroon_secret_key: "'$macaroon_secret_key'"'
 fi
-ynh_print_ON
-
-ynh_replace_string --match_string=__APP__ --replace_string=$app --target_file="/etc/matrix-$app/log.yaml"
 
 if [ $is_public -eq 0 ]
 then
-    ynh_replace_string --match_string=__ALLOWED_ACCESS__ --replace_string=False --target_file="$homeserver_config_path"
-    ynh_replace_string --match_string=__SSO_ENABLED__ --replace_string=True --target_file="$homeserver_config_path"
+    allowed_access=False
+    sso_enabled=True
 else
-    ynh_replace_string --match_string=__ALLOWED_ACCESS__ --replace_string=True --target_file="$homeserver_config_path"
-    ynh_replace_string --match_string=__SSO_ENABLED__ --replace_string=False --target_file="$homeserver_config_path"
+    allowed_access=True
+    sso_enabled=False
 fi
 
-ynh_store_file_checksum --file="$homeserver_config_path"
-ynh_store_file_checksum --file="/etc/matrix-$app/log.yaml"
+ynh_add_config --template="homeserver.yaml" --destination="/etc/matrix-$app/homeserver.yaml"
+ynh_add_config --template="log.yaml" --destination="/etc/matrix-$app/log.yaml"
 
 #=================================================
-# SETUP SSOWAT
+# SETUP PERMISSIONS
 #=================================================
 
-python3 ../conf/remove_sso_conf.py $domain $server_name
-python3 ../conf/add_sso_conf.py $domain $server_name || ynh_die --message="Your file /etc/ssowat/conf.json.persistent doesn't respect the json syntax. Please fix the syntax to install this app. For more information see here: https://github.com/YunoHost-Apps/synapse_ynh/issues/32"
+ynh_script_progression --message="Configuring permissions..." --weight=1
+ynh_permission_url --permission=server_api --clear_urls
+ynh_permission_url --permission=server_api --url=$domain/_matrix --additional_urls=$server_name/.well-known/matrix \
 
 #=================================================
 # RELOAD SERVICES

scripts/config

@@ -114,53 +114,32 @@ apply_config() {
     # WARNING : theses command are used in INSTALL, UPGRADE, CONFIG, CHANGE-URL (4 times)
     # For any update do it in all files
 
-    homeserver_config_path="/etc/matrix-$app/homeserver.yaml"
-
-    ynh_backup_if_checksum_is_different "$homeserver_config_path"
-
-    cp ../conf/homeserver.yaml "$homeserver_config_path"
-
-    ynh_replace_string --match_string __APP__ --replace_string $app --target_file "$homeserver_config_path"
-    ynh_replace_string --match_string __DOMAIN__ --replace_string $domain --target_file "$homeserver_config_path"
-    ynh_replace_string --match_string __SERVER_NAME__ --replace_string $server_name --target_file "$homeserver_config_path"   
-    ynh_replace_string --match_string __SYNAPSE_DB_USER__ --replace_string $synapse_db_user --target_file "$homeserver_config_path"
-    ynh_replace_special_string --match_string __SYNAPSE_DB_PWD__ --replace_string $synapse_db_pwd --target_file "$homeserver_config_path"
-    ynh_replace_string --match_string __PORT__ --replace_string $port --target_file "$homeserver_config_path"
-    ynh_replace_string --match_string __TLS_PORT__ --replace_string $synapse_tls_port --target_file "$homeserver_config_path"
-    ynh_replace_string --match_string __TURNSERVER_TLS_PORT__ --replace_string $turnserver_tls_port --target_file "$homeserver_config_path"
-    ynh_replace_special_string --match_string __TURNPWD__ --replace_string $turnserver_pwd --target_file "$homeserver_config_path"
-    ynh_replace_special_string --match_string __REGISTRATION_SECRET__ --replace_string "$registration_shared_secret" --target_file "$homeserver_config_path"
-    ynh_replace_special_string --match_string __FORM_SECRET__ --replace_string "$form_secret" --target_file "$homeserver_config_path"
-    ynh_replace_string --match_string __REPORT_STATS__ --replace_string "$report_stats" --target_file "$homeserver_config_path"
-    ynh_replace_string --match_string=__ALLOW_PUBLIC_ROOMS__ --replace_string="$allow_public_rooms" --target_file="$homeserver_config_path"
-    if [ -n $macaroon_secret_key ]; then
-        # Well, in this package this value was not managed because it was not needed, synapse is able to generate this with some other secret in the config file but after some vulnerability was found with this practice.
-        # The problem is that we can't just say generate a new value if the package has not already defined a value. The reason is that changing this value logout all user. And in case of a user has enabled the encryption, the user might lost all conversation !!
-        # So for the old install we just leave this as it is. And for the new install we use a real macaroon.
-        # For more detail about this issue you can see : https://matrix.org/blog/2019/01/15/further-details-on-critical-security-update-in-synapse-affecting-all-versions-prior-to-0-34-1-cve-2019-5885/
-        ynh_replace_string --match_string='macaroon_secret_key: "__MACAROON_SECRET_KEY__"' --replace_string='# macaroon_secret_key: "__MACAROON_SECRET_KEY__"' --target_file="$homeserver_config_path"
+    if [ -z $macaroon_secret_key ]; then
+    # Well, in this package this value was not managed because it was not needed, synapse is able to generate this with some other secret in the config file but after some vulnerability was found with this practice.
+    # For more detail about this issue you can see : https://matrix.org/blog/2019/01/15/further-details-on-critical-security-update-in-synapse-affecting-all-versions-prior-to-0-34-1-cve-2019-5885/
+    # The problem is that we can't just say generate a new value if the package has not already defined a value. The reason is that changing this value logout all user. And in case of a user has enabled the encryption, the user might lost all conversation !!
+    # So for the old install we just leave this as it is. And for the new install we use a real macaroon.
+    macaroon_secret_key_param='# macaroon_secret_key: ""'
     else
-        ynh_replace_special_string --match_string=__MACAROON_SECRET_KEY__ --replace_string="$macaroon_secret_key" --target_file="$homeserver_config_path"
+        macaroon_secret_key_param='macaroon_secret_key: "'$macaroon_secret_key'"'
     fi
 
     if [ $is_public -eq 0 ]
     then
-        ynh_replace_string --match_string=__ALLOWED_ACCESS__ --replace_string=False --target_file="$homeserver_config_path"
-        ynh_replace_string --match_string=__SSO_ENABLED__ --replace_string=True --target_file="$homeserver_config_path"
+        allowed_access=False
+        sso_enabled=True
     else
-        ynh_replace_string --match_string=__ALLOWED_ACCESS__ --replace_string=True --target_file="$homeserver_config_path"
-        ynh_replace_string --match_string=__SSO_ENABLED__ --replace_string=False --target_file="$homeserver_config_path"
+        allowed_access=True
+        sso_enabled=False
     fi
 
+    ynh_add_config --template="homeserver.yaml" --destination="/etc/matrix-$app/homeserver.yaml"
+    ynh_add_config --template="log.yaml" --destination="/etc/matrix-$app/log.yaml"
+
     # Create .well-known redirection for access by federation
     if yunohost --output-as plain domain list | grep -q "^$server_name$"
     then
-        cp ../conf/server_name.conf /etc/nginx/conf.d/${server_name}.d/${app}_server_name.conf
-        ynh_replace_string --match_string=__DOMAIN__ --replace_string=$domain --target_file="/etc/nginx/conf.d/${server_name}.d/${app}_server_name.conf"
-        ynh_replace_string --match_string=__PORT__ --replace_string=$synapse_tls_port --target_file="/etc/nginx/conf.d/${server_name}.d/${app}_server_name.conf"
-        ynh_replace_string --match_string=__JITSI_SERVER_ADDR__ --replace_string=$jitsi_server --target_file="/etc/nginx/conf.d/${server_name}.d/${app}_server_name.conf"
-        ynh_replace_string --match_string=__E2E_ENABLED_BY_DEFAULT__ --replace_string=$e2e_enabled_by_default --target_file="/etc/nginx/conf.d/${server_name}.d/${app}_server_name.conf"
-        ynh_store_file_checksum --file="/etc/nginx/conf.d/${server_name}.d/${app}_server_name.conf"
+        ynh_add_config --template="server_name.conf" --destination="/etc/nginx/conf.d/${server_name}.d/${app}_server_name.conf"
     fi
 
     ynh_store_file_checksum --file "$homeserver_config_path"

scripts/install

@@ -37,6 +37,7 @@ app=$YNH_APP_INSTANCE_NAME
 synapse_user="matrix-$app"
 synapse_db_name="matrix_$app"
 synapse_db_user="matrix_$app"
+synapse_db_name="matrix_$app"
 upstream_version=$(ynh_app_upstream_version)
 report_stats="false"
 allow_public_rooms="false"
@@ -150,7 +151,7 @@ ynh_install_app_dependencies $dependances
 #=================================================
 ynh_script_progression --message="Configuring system user..." --weight=3
 
-ynh_system_user_create --username=$synapse_user --home_dir=$data_path
+ynh_system_user_create --username=$synapse_user --home_dir=$final_path
 adduser $synapse_user ssl-cert
 adduser turnserver ssl-cert
 
@@ -256,12 +257,7 @@ ynh_add_fpm_config
 # Create .well-known redirection for access by federation
 if yunohost --output-as plain domain list | grep -q "^$server_name$"
 then
-    cp ../conf/server_name.conf /etc/nginx/conf.d/${server_name}.d/${app}_server_name.conf
-    ynh_replace_string --match_string=__DOMAIN__ --replace_string=$domain --target_file="/etc/nginx/conf.d/${server_name}.d/${app}_server_name.conf"
-    ynh_replace_string --match_string=__PORT__ --replace_string=$synapse_tls_port --target_file="/etc/nginx/conf.d/${server_name}.d/${app}_server_name.conf"
-    ynh_replace_string --match_string=__JITSI_SERVER_ADDR__ --replace_string=$jitsi_server --target_file="/etc/nginx/conf.d/${server_name}.d/${app}_server_name.conf"
-    ynh_replace_string --match_string=__E2E_ENABLED_BY_DEFAULT__ --replace_string=$e2e_enabled_by_default --target_file="/etc/nginx/conf.d/${server_name}.d/${app}_server_name.conf"
-    ynh_store_file_checksum --file="/etc/nginx/conf.d/${server_name}.d/${app}_server_name.conf"
+    ynh_add_config --template="server_name.conf" --destination="/etc/nginx/conf.d/${server_name}.d/${app}_server_name.conf"
 fi
 
 # Create a dedicated nginx config
@@ -273,51 +269,27 @@ ynh_add_nginx_config app
 ynh_script_progression --message="Configuring synapse..." --weight=2
 
 # Find password for turnserver and database
-ynh_print_OFF
 turnserver_pwd=$(ynh_string_random --length=30)
 ynh_app_setting_set --app=$app --key=turnserver_pwd --value=$turnserver_pwd
-ynh_print_ON
 
 # Configure Synapse
 
 # WARNING : theses command are used in INSTALL, UPGRADE, CONFIG, CHANGE-URL (4 times)
 # For any update do it in all files
 
-homeserver_config_path="/etc/matrix-$app/homeserver.yaml"
-
-cp ../conf/homeserver.yaml "$homeserver_config_path"
-cp ../conf/log.yaml /etc/matrix-$app/log.yaml
-
-ynh_replace_string --match_string=__APP__ --replace_string=$app --target_file="$homeserver_config_path"
-ynh_replace_string --match_string=__DOMAIN__ --replace_string=$domain --target_file="$homeserver_config_path"
-ynh_replace_string --match_string=__SERVER_NAME__ --replace_string=$server_name --target_file="$homeserver_config_path"
-ynh_replace_string --match_string=__SYNAPSE_DB_USER__ --replace_string=$synapse_db_user --target_file="$homeserver_config_path"
-ynh_replace_string --match_string=__PORT__ --replace_string=$port --target_file="$homeserver_config_path"
-ynh_replace_string --match_string=__TLS_PORT__ --replace_string=$synapse_tls_port --target_file="$homeserver_config_path"
-ynh_replace_string --match_string=__TURNSERVER_TLS_PORT__ --replace_string=$turnserver_tls_port --target_file="$homeserver_config_path"
-ynh_replace_string --match_string=__REPORT_STATS__ --replace_string="$report_stats" --target_file="$homeserver_config_path"
-ynh_replace_string --match_string=__ALLOW_PUBLIC_ROOMS__ --replace_string="$allow_public_rooms" --target_file="$homeserver_config_path"
-ynh_print_OFF
-ynh_replace_special_string --match_string=__SYNAPSE_DB_PWD__ --replace_string=$synapse_db_pwd --target_file="$homeserver_config_path"
-ynh_replace_special_string --match_string=__TURNPWD__ --replace_string=$turnserver_pwd --target_file="$homeserver_config_path"
-ynh_replace_special_string --match_string=__REGISTRATION_SECRET__ --replace_string="$registration_shared_secret" --target_file="$homeserver_config_path"
-ynh_replace_special_string --match_string=__FORM_SECRET__ --replace_string="$form_secret" --target_file="$homeserver_config_path"
-ynh_replace_special_string --match_string=__MACAROON_SECRET_KEY__ --replace_string="$macaroon_secret_key" --target_file="$homeserver_config_path"
-ynh_print_ON
-
-ynh_replace_string --match_string=__APP__ --replace_string=$app --target_file="/etc/matrix-$app/log.yaml"
+macaroon_secret_key_param='macaroon_secret_key: "'$macaroon_secret_key'"'
 
 if [ $is_public -eq 0 ]
 then
-    ynh_replace_string --match_string=__ALLOWED_ACCESS__ --replace_string=False --target_file="$homeserver_config_path"
-    ynh_replace_string --match_string=__SSO_ENABLED__ --replace_string=True --target_file="$homeserver_config_path"
+    allowed_access=False
+    sso_enabled=True
 else
-    ynh_replace_string --match_string=__ALLOWED_ACCESS__ --replace_string=True --target_file="$homeserver_config_path"
-    ynh_replace_string --match_string=__SSO_ENABLED__ --replace_string=False --target_file="$homeserver_config_path"
+    allowed_access=True
+    sso_enabled=False
 fi
 
-ynh_store_file_checksum --file="$homeserver_config_path"
-ynh_store_file_checksum --file="/etc/matrix-$app/log.yaml"
+ynh_add_config --template="homeserver.yaml" --destination="/etc/matrix-$app/homeserver.yaml"
+ynh_add_config --template="log.yaml" --destination="/etc/matrix-$app/log.yaml"
 
 #=================================================
 # SET COTURN CONFIG
@@ -327,35 +299,23 @@ ynh_script_progression --message="Configuring coturn..." --weight=1
 # WARNING : theses command are used in INSTALL, UPGRADE
 # For any update do it in all files
 
-coturn_config_path="/etc/matrix-$app/coturn.conf"
-
-cp ../conf/turnserver.conf "$coturn_config_path"
-
-ynh_replace_string --match_string=__APP__ --replace_string=$app --target_file="$coturn_config_path"
-ynh_replace_string --match_string=__DOMAIN__ --replace_string=$domain --target_file="$coturn_config_path"
-ynh_replace_string --match_string=__TLS_PORT__ --replace_string=$turnserver_tls_port --target_file="$coturn_config_path"
-ynh_replace_string --match_string=__TLS_ALT_PORT__ --replace_string=$turnserver_alt_tls_port --target_file="$coturn_config_path"
-ynh_replace_string --match_string=__CLI_PORT__ --replace_string=$cli_port --target_file="$coturn_config_path"
-ynh_print_OFF
-ynh_replace_string --match_string=__TURNPWD__ --replace_string=$turnserver_pwd --target_file="$coturn_config_path"
-ynh_print_ON
-
 # Get public IP and set as external IP for coturn
 # note : '|| true' is used to ignore the errors if we can't get the public ipv4 or ipv6
 public_ip4="$(curl ip.yunohost.org)" || true
 public_ip6="$(curl ipv6.yunohost.org)" || true
 
+turn_external_ip=""
 if [ -n "$public_ip4" ] && ynh_validate_ip4 --ip_address="$public_ip4"
 then
-    echo "external-ip=$public_ip4" >> "$coturn_config_path"
+    turn_external_ip+="\nexternal-ip=$public_ip4"
 fi
 
 if [ -n "$public_ip6" ] && ynh_validate_ip6 --ip_address="$public_ip6"
 then
-    echo "external-ip=$public_ip6" >> "$coturn_config_path"
+    turn_external_ip+="\nexternal-ip=$public_ip6"
 fi
 
-ynh_store_file_checksum --file="$coturn_config_path"
+ynh_add_config --template="turnserver.conf" --destination="/etc/matrix-$app/coturn.conf"
 
 #=================================================
 # SETUP LOGROTATE
@@ -371,22 +331,22 @@ ynh_use_logrotate --logfile "/var/log/matrix-$app"
 # WARNING : theses command are used in INSTALL, UPGRADE
 # For any update do it in all files
 
-cp ../sources/Coturn_config_rotate.sh $final_path/
-cp ../sources/update_synapse_for_appservice.sh $final_path/
-ynh_replace_string --match_string=__APP__ --replace_string=$app --target_file="$final_path/Coturn_config_rotate.sh"
-ynh_replace_string --match_string=__APP__ --replace_string=$app --target_file="$final_path/update_synapse_for_appservice.sh"
+ynh_add_config --template="../sources/Coturn_config_rotate.sh" --destination="$final_path/Coturn_config_rotate.sh"
+ynh_add_config --template="../sources/update_synapse_for_appservice.sh" --destination="$final_path/update_synapse_for_appservice.sh"
 
 #=================================================
 # GENERIC FINALIZATION
 #=================================================
-# SETUP SSOWAT
+# SETUP PERMISSIONS
 #=================================================
-ynh_script_progression --message="Configuring SSOwat..." --weight=1
+ynh_script_progression --message="Configuring permissions..." --weight=1
 
-# Open access to server without a button the home
-# The script "add_sso_conf.py" will just add en entry for the path "/_matrix" in the sso conf.json.persistent file in the cathegory "skipped_urls".
-python3 ../conf/add_sso_conf.py $domain $server_name || ynh_die --message="Your file /etc/ssowat/conf.json.persistent doesn't respect the json syntax. Please fix the syntax to install this app. For more information see here: https://github.com/YunoHost-Apps/synapse_ynh/issues/32"
-ynh_permission_url --permission main --url $domain/_matrix/cas_server.php/login
+ynh_permission_url --permission=main --url=$domain/_matrix/cas_server.php/login --auth_header=true
+ynh_permission_update --permission=main --label="Synapse server SSO authentication" --show_tile=false --protected=true
+
+ynh_permission_create --permission=server_api --url=$domain/_matrix --additional_urls=$server_name/.well-known/matrix \
+                      --label="Server access for client apps." --show_tile=false --allowed=visitors \
+                      --auth_header=false --protected=true
 
 #=================================================
 # UPDATE HOOKS

scripts/remove

@@ -31,6 +31,7 @@ turnserver_alt_tls_port=$(ynh_app_setting_get --app=$app --key=turnserver_alt_tl
 synapse_user="matrix-$app"
 synapse_db_name="matrix_$app"
 synapse_db_user="matrix_$app"
+synapse_db_name="matrix_$app"
 upstream_version=$(ynh_app_upstream_version)
 final_www_path="/var/www/$app"
 
@@ -75,13 +76,6 @@ ynh_script_progression --message="Removing dependencies" --weight=15
 # Remove metapackage and its dependencies
 ynh_remove_app_dependencies
 
-#=================================================
-# SETUP SSOWAT
-#=================================================
-
-# Remove the skipped url
-python3 ../conf/remove_sso_conf.py $domain $server_name
-
 #=================================================
 # REMOVE APP MAIN DIR
 #=================================================

scripts/remove_sso_conf_persistent.py

@@ -0,0 +1,39 @@
+import json
+import sys
+
+with open("/etc/ssowat/" + "conf.json.persistent", "r", encoding='utf-8') as jsonFile:
+    data = json.load(jsonFile)
+
+    for domain in ("", sys.argv[1], sys.argv[2]):
+        for path in ("/_matrix", "/.well-known/matrix/", "/_matrix/cas_server.php/login"):
+            url = domain + path
+            try:
+                uri_list = data["skipped_urls"]
+                while url in uri_list:
+                    uri_list.remove(url)     
+            except:
+                pass
+
+            try:
+                uri_list = data["protected_urls"]
+                while url in uri_list:
+                    uri_list.remove(url)     
+            except:
+                pass
+
+            try:
+                uri_list = data["permissions"]["custom_protected"]["uris"]
+                while url in uri_list:
+                    uri_list.remove(url)     
+            except:
+                pass
+
+            try:
+                uri_list = data["permissions"]["custom_skipped"]["uris"]
+                while url in uri_list:
+                    uri_list.remove(url)     
+            except:
+                pass
+
+with open("/etc/ssowat/" + "conf.json.persistent", "w", encoding='utf-8') as jsonFile:
+    jsonFile.write(json.dumps(data, indent=4, sort_keys=True))

scripts/restore

@@ -36,6 +36,7 @@ final_path=$(ynh_app_setting_get --app=$app --key=final_path)
 synapse_tls_port=$(ynh_app_setting_get --app=$app --key=synapse_tls_port)
 turnserver_tls_port=$(ynh_app_setting_get --app=$app --key=turnserver_tls_port)
 turnserver_alt_tls_port=$(ynh_app_setting_get --app=$app --key=turnserver_alt_tls_port)
+phpversion=$(ynh_app_setting_get --app=$app --key=phpversion)
 ynh_print_OFF
 synapse_db_pwd=$(ynh_app_setting_get --app=$app --key=synapse_db_pwd)
 ynh_print_ON
@@ -47,6 +48,7 @@ ynh_print_ON
 synapse_user="matrix-$app"
 synapse_db_name="matrix_$app"
 synapse_db_user="matrix_$app"
+synapse_db_name="matrix_$app"
 upstream_version=$(ynh_app_upstream_version)
 final_www_path="/var/www/$app"
 data_path="/home/yunohost.app/matrix-$app"
@@ -78,7 +80,7 @@ ynh_install_app_dependencies $dependances
 ynh_script_progression --message="Recreating the dedicated system user..." --weight=3
 
 # Create the dedicated user (if not existing)
-ynh_system_user_create --username=$synapse_user --home_dir=$data_path
+ynh_system_user_create --username=$synapse_user --home_dir=$final_path
 adduser $synapse_user ssl-cert
 adduser turnserver ssl-cert
 
@@ -170,35 +172,23 @@ ynh_print_ON
 # WARNING : these commands are used in INSTALL, UPGRADE
 # For any update do it in all files
 
-coturn_config_path="/etc/matrix-$app/coturn.conf"
-
-cp ../settings/conf/turnserver.conf "$coturn_config_path"
-
-ynh_replace_string --match_string=__APP__ --replace_string=$app --target_file="$coturn_config_path"
-ynh_replace_string --match_string=__DOMAIN__ --replace_string=$domain --target_file="$coturn_config_path"
-ynh_replace_string --match_string=__TLS_PORT__ --replace_string=$turnserver_tls_port --target_file="$coturn_config_path"
-ynh_replace_string --match_string=__TLS_ALT_PORT__ --replace_string=$turnserver_alt_tls_port --target_file="$coturn_config_path"
-ynh_replace_string --match_string=__CLI_PORT__ --replace_string=$cli_port --target_file="$coturn_config_path"
-ynh_print_OFF
-ynh_replace_string --match_string=__TURNPWD__ --replace_string=$turnserver_pwd --target_file="$coturn_config_path"
-ynh_print_ON
-
 # Get public IP and set as external IP for coturn
 # note : '|| true' is used to ignore the errors if we can't get the public ipv4 or ipv6
 public_ip4="$(curl ip.yunohost.org)" || true
 public_ip6="$(curl ipv6.yunohost.org)" || true
 
+turn_external_ip=""
 if [ -n "$public_ip4" ] && ynh_validate_ip4 --ip_address="$public_ip4"
 then
-    echo "external-ip=$public_ip4" >> "$coturn_config_path"
+    turn_external_ip+="\nexternal-ip=$public_ip4"
 fi
 
 if [ -n "$public_ip6" ] && ynh_validate_ip6 --ip_address="$public_ip6"
 then
-    echo "external-ip=$public_ip6" >> "$coturn_config_path"
+    turn_external_ip+="\nexternal-ip=$public_ip6"
 fi
 
-ynh_store_file_checksum --file="$coturn_config_path"
+ynh_add_config --template="turnserver.conf" --destination="/etc/matrix-$app/coturn.conf"
 
 #=================================================
 # OPEN THE PORT
@@ -209,15 +199,6 @@ ynh_exec_warn_less yunohost firewall allow TCP $synapse_tls_port
 ynh_exec_warn_less yunohost firewall allow Both $turnserver_tls_port
 ynh_exec_warn_less yunohost firewall allow Both $turnserver_alt_tls_port
 
-#=================================================
-# SETUP SSOWAT
-#=================================================
-ynh_script_progression --message="Configuring SSOwat..."
-
-# Open access to server without a button the home
-# The script "add_sso_conf.py" will just add en entry for the path "/_matrix" in the sso conf.json.persistent file in the cathegory "skipped_urls".
-python3 ../settings/conf/add_sso_conf.py $domain $server_name || ynh_die --message="Your file /etc/ssowat/conf.json.persistent doesn't respect the json syntax. Please fix the syntax to install this app. For more information see here: https://github.com/YunoHost-Apps/synapse_ynh/issues/32"
-
 #=================================================
 # SETUP LOGROTATE
 #=================================================
@@ -233,6 +214,7 @@ ynh_use_logrotate --logfile /var/log/matrix-$app
 
 # WARNING : theses command are used in INSTALL, UPGRADE, RESTORE (3 times)
 # For any update do it in all files
+ynh_script_progression --message="Configuring file permission..."
 chown $synapse_user:root -R $final_path
 chmod 770 $final_path/Coturn_config_rotate.sh
 chmod 700 $final_path/update_synapse_for_appservice.sh
@@ -280,7 +262,7 @@ ynh_send_readme_to_admin --app_message="mail_to_send" --type="restore"
 #=================================================
 ynh_script_progression --message="Reloading nginx web server..."
 
-systemctl reload php7.0-fpm
+ynh_systemd_action --service_name=php$phpversion-fpm --action=reload
 ynh_systemd_action --service_name=nginx --action=reload
 
 #=================================================

scripts/upgrade

@@ -50,16 +50,12 @@ ynh_print_ON
 synapse_user="matrix-$app"
 synapse_db_name="matrix_$app"
 synapse_db_user="matrix_$app"
+synapse_db_name="matrix_$app"
 upstream_version=$(ynh_app_upstream_version)
+upgrade_type=$(ynh_check_app_version_changed)
 final_www_path="/var/www/$app"
 data_path="/home/yunohost.app/matrix-$app"
 
-#=================================================
-# CHECK VERSION
-#=================================================
-
-upgrade_type=$(ynh_check_app_version_changed)
-
 #=================================================
 # ENSURE DOWNWARD COMPATIBILITY
 #=================================================
@@ -147,8 +143,10 @@ if [ -e "/var/lib/matrix-$app" ]; then
         mv "$data_path" "$old_data_dir_path"
     fi
     mv "/var/lib/matrix-$app" "$data_path"
+fi
+if ! grep -q "$final_path" /etc/passwd; then
     # matrix-synapse:x:994:994::/var/lib/matrix-synapse:/usr/sbin/nologin
-    sed --in-place -r "s@matrix-$app\:x\:(\n*:\n*)\:\:/var/lib/matrix-$app\:/usr/sbin/nologin@matrix-$app\:x\:(\n*:\n*)\:\:$final_path\:/usr/sbin/nologin@g" /etc/passwd
+    sed --in-place -r "s@matrix-$app\:x\:([[:digit:]]+\:[[:digit:]]+)\:\:/.*/matrix-$app\:/usr/sbin/nologin@matrix-$app\:x\:\1\:\:$final_path\:/usr/sbin/nologin@g" /etc/passwd
 fi
 
 #=================================================
@@ -192,14 +190,17 @@ then
     ynh_script_progression --message="Generating synapse secret..." --weight=1
 
     # Go in virtualenvironnement
-    PS1=${PS1:-}
+    set +u
     source $final_path/bin/activate
+    set -u
 
     # Generate config and keys
     python -m synapse.app.homeserver --keys-directory /etc/matrix-$app/ --generate-config --generate-keys --server-name $server_name --report-stats=no -c homeserver.yml
 
     # This function was defined when we called "source $final_path/bin/activate". With this function we undo what "$final_path/bin/activate" does
+    set +u;
     deactivate
+    set -u;
 
     # Get random values from config
     ynh_print_OFF
@@ -221,52 +222,27 @@ ynh_script_progression --message="Updating synapse config..." --weight=2
 # WARNING : theses command are used in INSTALL, UPGRADE, CONFIG, CHANGE-URL (4 times)
 # For any update do it in all files
 
-homeserver_config_path="/etc/matrix-$app/homeserver.yaml"
-
-ynh_backup_if_checksum_is_different --file="$homeserver_config_path"
-ynh_backup_if_checksum_is_different --file=/etc/matrix-$app/log.yaml
-
-cp ../conf/homeserver.yaml "$homeserver_config_path"
-cp ../conf/log.yaml /etc/matrix-$app/log.yaml
-
-ynh_replace_string --match_string=__APP__ --replace_string=$app --target_file="$homeserver_config_path"
-ynh_replace_string --match_string=__DOMAIN__ --replace_string=$domain --target_file="$homeserver_config_path"
-ynh_replace_string --match_string=__SERVER_NAME__ --replace_string=$server_name --target_file="$homeserver_config_path"
-ynh_replace_string --match_string=__SYNAPSE_DB_USER__ --replace_string=$synapse_db_user --target_file="$homeserver_config_path"
-ynh_replace_string --match_string=__PORT__ --replace_string=$port --target_file="$homeserver_config_path"
-ynh_replace_string --match_string=__TLS_PORT__ --replace_string=$synapse_tls_port --target_file="$homeserver_config_path"
-ynh_replace_string --match_string=__TURNSERVER_TLS_PORT__ --replace_string=$turnserver_tls_port --target_file="$homeserver_config_path"
-ynh_replace_string --match_string=__REPORT_STATS__ --replace_string="$report_stats" --target_file="$homeserver_config_path"
-ynh_replace_string --match_string=__ALLOW_PUBLIC_ROOMS__ --replace_string="$allow_public_rooms" --target_file="$homeserver_config_path"
-ynh_print_OFF
-ynh_replace_special_string --match_string=__SYNAPSE_DB_PWD__ --replace_string=$synapse_db_pwd --target_file="$homeserver_config_path"
-ynh_replace_special_string --match_string=__TURNPWD__ --replace_string=$turnserver_pwd --target_file="$homeserver_config_path"
-ynh_replace_special_string --match_string=__REGISTRATION_SECRET__ --replace_string="$registration_shared_secret" --target_file="$homeserver_config_path"
-ynh_replace_special_string --match_string=__FORM_SECRET__ --replace_string="$form_secret" --target_file="$homeserver_config_path"
 if [ -z $macaroon_secret_key ]; then
     # Well, in this package this value was not managed because it was not needed, synapse is able to generate this with some other secret in the config file but after some vulnerability was found with this practice.
     # For more detail about this issue you can see : https://matrix.org/blog/2019/01/15/further-details-on-critical-security-update-in-synapse-affecting-all-versions-prior-to-0-34-1-cve-2019-5885/
     # The problem is that we can't just say generate a new value if the package has not already defined a value. The reason is that changing this value logout all user. And in case of a user has enabled the encryption, the user might lost all conversation !!
     # So for the old install we just leave this as it is. And for the new install we use a real macaroon.
-    ynh_replace_special_string --match_string='macaroon_secret_key: "__MACAROON_SECRET_KEY__"' --replace_string='# macaroon_secret_key: "__MACAROON_SECRET_KEY__"' --target_file="$homeserver_config_path"
+    macaroon_secret_key_param='# macaroon_secret_key: ""'
 else
-    ynh_replace_special_string --match_string=__MACAROON_SECRET_KEY__ --replace_string="$macaroon_secret_key" --target_file="$homeserver_config_path"
+    macaroon_secret_key_param='macaroon_secret_key: "'$macaroon_secret_key'"'
 fi
-ynh_print_ON
-
-ynh_replace_string --match_string=__APP__ --replace_string=$app --target_file="/etc/matrix-$app/log.yaml"
 
 if [ $is_public -eq 0 ]
 then
-    ynh_replace_string --match_string=__ALLOWED_ACCESS__ --replace_string=False --target_file="$homeserver_config_path"
-    ynh_replace_string --match_string=__SSO_ENABLED__ --replace_string=True --target_file="$homeserver_config_path"
+    allowed_access=False
+    sso_enabled=True
 else
-    ynh_replace_string --match_string=__ALLOWED_ACCESS__ --replace_string=True --target_file="$homeserver_config_path"
-    ynh_replace_string --match_string=__SSO_ENABLED__ --replace_string=False --target_file="$homeserver_config_path"
+    allowed_access=True
+    sso_enabled=False
 fi
 
-ynh_store_file_checksum --file="$homeserver_config_path"
-ynh_store_file_checksum --file="/etc/matrix-$app/log.yaml"
+ynh_add_config --template="homeserver.yaml" --destination="/etc/matrix-$app/homeserver.yaml"
+ynh_add_config --template="log.yaml" --destination="/etc/matrix-$app/log.yaml"
 
 #=================================================
 # MIGRATION 2 : MULTINSTANCE SUPPORT
@@ -283,10 +259,6 @@ then
     # Disable default config for turnserver and create a new service
     systemctl stop coturn.service
 
-    # Set by default the system config for coturn
-    echo "" > /etc/turnserver.conf
-    ynh_replace_string --match_string="TURNSERVER_ENABLED=1" --replace_string="TURNSERVER_ENABLED=0" --target_file=/etc/default/coturn
-
     # Set a port for each service in turnserver
     turnserver_alt_tls_port=$(ynh_find_port --port=$((turnserver_tls_port+1)))
     cli_port=$(ynh_find_port --port=5766)
@@ -347,13 +319,7 @@ ynh_add_fpm_config
 # Create .well-known redirection for access by federation
 if yunohost --output-as plain domain list | grep -q "^$server_name$"
 then
-    ynh_backup_if_checksum_is_different --file="/etc/nginx/conf.d/${server_name}.d/${app}_server_name.conf"
-    cp ../conf/server_name.conf /etc/nginx/conf.d/${server_name}.d/${app}_server_name.conf
-    ynh_replace_string --match_string=__DOMAIN__ --replace_string=$domain --target_file="/etc/nginx/conf.d/${server_name}.d/${app}_server_name.conf"
-    ynh_replace_string --match_string=__PORT__ --replace_string=$synapse_tls_port --target_file="/etc/nginx/conf.d/${server_name}.d/${app}_server_name.conf"
-    ynh_replace_string --match_string=__JITSI_SERVER_ADDR__ --replace_string=$jitsi_server --target_file="/etc/nginx/conf.d/${server_name}.d/${app}_server_name.conf"
-    ynh_replace_string --match_string=__E2E_ENABLED_BY_DEFAULT__ --replace_string=$e2e_enabled_by_default --target_file="/etc/nginx/conf.d/${server_name}.d/${app}_server_name.conf"
-    ynh_store_file_checksum --file="/etc/nginx/conf.d/${server_name}.d/${app}_server_name.conf"
+    ynh_add_config --template="server_name.conf" --destination="/etc/nginx/conf.d/${server_name}.d/${app}_server_name.conf"
 fi
 
 # Create a dedicated nginx config
@@ -369,35 +335,23 @@ ynh_script_progression --message="Updating coturn config..." --weight=1
 # WARNING : theses command are used in INSTALL, UPGRADE
 # For any update do it in all files
 
-coturn_config_path="/etc/matrix-$app/coturn.conf"
-
-cp ../conf/turnserver.conf "$coturn_config_path"
-
-ynh_replace_string --match_string=__APP__ --replace_string=$app --target_file="$coturn_config_path"
-ynh_replace_string --match_string=__DOMAIN__ --replace_string=$domain --target_file="$coturn_config_path"
-ynh_replace_string --match_string=__TLS_PORT__ --replace_string=$turnserver_tls_port --target_file="$coturn_config_path"
-ynh_replace_string --match_string=__TLS_ALT_PORT__ --replace_string=$turnserver_alt_tls_port --target_file="$coturn_config_path"
-ynh_replace_string --match_string=__CLI_PORT__ --replace_string=$cli_port --target_file="$coturn_config_path"
-ynh_print_OFF
-ynh_replace_string --match_string=__TURNPWD__ --replace_string=$turnserver_pwd --target_file="$coturn_config_path"
-ynh_print_ON
-
 # Get public IP and set as external IP for coturn
 # note : '|| true' is used to ignore the errors if we can't get the public ipv4 or ipv6
 public_ip4="$(curl ip.yunohost.org)" || true
 public_ip6="$(curl ipv6.yunohost.org)" || true
 
+turn_external_ip=""
 if [ -n "$public_ip4" ] && ynh_validate_ip4 --ip_address="$public_ip4"
 then
-    echo "external-ip=$public_ip4" >> "$coturn_config_path"
+    turn_external_ip+="\nexternal-ip=$public_ip4"
 fi
 
 if [ -n "$public_ip6" ] && ynh_validate_ip6 --ip_address="$public_ip6"
 then
-    echo "external-ip=$public_ip6" >> "$coturn_config_path"
+    turn_external_ip+="\nexternal-ip=$public_ip6"
 fi
 
-ynh_store_file_checksum --file="$coturn_config_path"
+ynh_add_config --template="turnserver.conf" --destination="/etc/matrix-$app/coturn.conf"
 
 #=================================================
 # ADD SCRIPT FOR COTURN CRON AND APP SERVICE
@@ -406,10 +360,8 @@ ynh_store_file_checksum --file="$coturn_config_path"
 # WARNING : theses command are used in INSTALL, UPGRADE
 # For any update do it in all files
 
-cp ../sources/Coturn_config_rotate.sh $final_path/
-cp ../sources/update_synapse_for_appservice.sh $final_path/
-ynh_replace_string --match_string=__APP__ --replace_string=$app --target_file="$final_path/Coturn_config_rotate.sh"
-ynh_replace_string --match_string=__APP__ --replace_string=$app --target_file="$final_path/update_synapse_for_appservice.sh"
+ynh_add_config --template="../sources/Coturn_config_rotate.sh" --destination="$final_path/Coturn_config_rotate.sh"
+ynh_add_config --template="../sources/update_synapse_for_appservice.sh" --destination="$final_path/update_synapse_for_appservice.sh"
 
 # Ensure app-service folder has exists and the config file exit (Migration)
 mkdir -p /etc/matrix-$app/app-service
@@ -447,14 +399,26 @@ ynh_add_fail2ban_config --use_template
 #=================================================
 # GENERIC FINALIZATION
 #=================================================
-# SETUP SSOWAT
+# SETUP PERMISSIONS
 #=================================================
-ynh_script_progression --message="Configuring SSOwat..." --weight=1
+ynh_script_progression --message="Configuring permissions..." --weight=1
+ynh_legacy_permissions_delete_all
 
-# Open access to server without a button the home
-# The script "add_sso_conf.py" will just add en entry for the path "/_matrix" in the sso conf.json.persistent file in the cathegory "skipped_urls".
-python3 ../conf/add_sso_conf.py $domain $server_name || ynh_die --message="Your file /etc/ssowat/conf.json.persistent doesn't respect the json syntax. Please fix the syntax to install this app. For more information see here: https://github.com/YunoHost-Apps/synapse_ynh/issues/32"
-ynh_permission_url --permission main --url $domain/_matrix/cas_server.php/login
+ynh_permission_url --permission=main --url=$domain/_matrix/cas_server.php/login --auth_header=true
+ynh_permission_update --permission=main --label="Synapse server SSO authentication" --show_tile=false --protected=true
+
+if ! ynh_permission_exists --permission=server_api; then
+    ynh_permission_create --permission=server_api --url=$domain/_matrix --additional_urls=$server_name/.well-known/matrix \
+                          --label="Server access for client apps." --show_tile=false --allowed=visitors \
+                          --auth_header=false --protected=true
+    python3 remove_sso_conf_persistent.py $domain $server_name \
+        || ynh_print_warn --message="Your file /etc/ssowat/""conf.json.persistent doesn't respect the json syntax. The config file wasn't cleaned. Please clean it manually."
+else
+    ynh_permission_url --permission=server_api --url=$domain/_matrix --add_url=$server_name/.well-known/matrix \
+                       --auth_header=false
+    ynh_permission_update --permission=server_api --label="Server access for client apps." --show_tile=false \
+                          --protected=true
+fi
 
 #=================================================
 # SECURE FILES AND DIRECTORIES

sources/Coturn_config_rotate.sh

@@ -4,11 +4,13 @@ app_instance=__APP__
 
 source /usr/share/yunohost/helpers
 
-external_IP_line="external-ip=__IPV4__,__IPV6__"
-
+coturn_config_path="/etc/matrix-$app_instance/coturn.conf"
 public_ip4="$(curl ip.yunohost.org)" || true
 public_ip6="$(curl ipv6.yunohost.org)" || true
 
+old_config_line=$(egrep "^external-ip=.*\$" $coturn_config_path)
+perl -i -pe 's/(^external-ip=.*\n)*//g' $coturn_config_path
+
 if [ -n "$public_ip4" ] && ynh_validate_ip4 --ip_address="$public_ip4"
 then
     echo "external-ip=$public_ip4" >> "$coturn_config_path"
@@ -19,8 +21,6 @@ then
     echo "external-ip=$public_ip6" >> "$coturn_config_path"
 fi
 
-old_config_line=$(egrep "^external-ip=.*\$" "/etc/matrix-$app_instance/coturn.conf")
-ynh_replace_string "^external-ip=.*\$" "$external_IP_line" "/etc/matrix-$app_instance/coturn.conf"
 new_config_line=$(egrep "^external-ip=.*\$" "/etc/matrix-$app_instance/coturn.conf")
 
 setfacl -R -m user:turnserver:rX  /etc/matrix-$app_instance