Merge pull request #2 from YunoHost-Apps/testing

Testing
2024-09-04 01:15:56 +02:00 · 2023-01-22 09:12:54 +01:00 · 2023-01-22 09:12:54 +01:00 · ef29051938
commit ef29051938
parent c1c023146d 731612e9b3
13 changed files with 67 additions and 1786 deletions
--- a/README.md
+++ b/README.md
@ -5,7 +5,7 @@ It shall NOT be edited by hand.
 # TrustyHash for YunoHost
-[![Integration level](https://dash.yunohost.org/integration/trustyhash.svg)](https://dash.yunohost.org/appci/app/trustyhash) ![](https://ci-apps.yunohost.org/ci/badges/trustyhash.status.svg) ![](https://ci-apps.yunohost.org/ci/badges/trustyhash.maintain.svg)  
+[![Integration level](https://dash.yunohost.org/integration/trustyhash.svg)](https://dash.yunohost.org/appci/app/trustyhash) ![Working status](https://ci-apps.yunohost.org/ci/badges/trustyhash.status.svg) ![Maintenance status](https://ci-apps.yunohost.org/ci/badges/trustyhash.maintain.svg)  
 [![Install TrustyHash with YunoHost](https://install-app.yunohost.org/install-with-yunohost.svg)](https://install-app.yunohost.org/?app=trustyhash)
 *[Lire ce readme en français.](./README_fr.md)*
@ -15,61 +15,11 @@ If you don't have YunoHost, please consult [the guide](https://yunohost.org/#/in
 ## Overview
 # TrustyHash - A Trustable Hash Calculator
 TrustyHash is a small [client-side](https://unhosted.org/) web application that
 computes SHA-256 hash values on both local files and on remote URLs, with a
 strong emphasis on a process that will allow you to trust the results. Works
 offline!
 TrustyHash homepage: https://github.com/sprin/TrustyHash
 [Use it here](https://sprin.github.io/TrustyHash/)
 ## How is this useful?
 Integrity: "We have in hand the same set of sequences of bits that came into
 existence when the object was created" - [Lynch](http://www.clir.org/pubs/reports/pub92/lynch.html)
 "Friends don't let friends use unverified downloads."
 This fills a need for a verifiable, web-based hash calculator written in free
 JavaScript. If you already use the command-line hash utilities on your
 system, you should continue to use those. This is targeted towards users who do
 not have or are unable to use the hash utilities on their local systems. While
 universal command-line-literacy is a good goal, the concepts of file integrity and
 authenticity and the ability to use tools for verification are perhaps more
 fundamental.
 Integrity is the first link in secure systems, and key to determining
 authenticity. If we trust the association between an author and the hash value
 of a file they created, perhaps because we trust them and they gave us the
 hash in person, we can authenticate whether a file we believe to be the same
 really did come from them. We can achieve the same result if the author had
 used a signing key, and signed and distributed a hash value along with the
 file, and we could trust the association between a particular key and the
 author - albeit with somewhat more complexity and caveats (eg, has the signing
 key been kept private?).
 In a few words, this tool aims to enable verification of integrity and
 authenticity claims in an accessible way that depends only on a trusted hash
 value and the correctness and integrity of the TrustyHash app and the browser
 it executes in. See the section "Trust" below for recommendations on
 how to verify integrity of this application.
 ## Usage
 Local files can be opened from a file select dialog, or dragged into the "drop
 area". Remote URLs can be entered, and if the remote server allows cross-origin
 GET requests via
 [CORS](https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS),
 the file will be downloaded to the browser, with the option of saving locally.
 It's recommended to save the application, verify the integrity, and use the
 saved copy from then on. To save from the browser, use "Save Page" > "Web Page,
 HTML Only", and use a filename of `TrustyHash.html`. To verify, read the
 section on "Trust" below.
 **Shipped version:** 1.0~ynh1
@ -77,314 +27,26 @@ section on "Trust" below.
 ## Screenshots
-![](./doc/screenshots/example.jpg)
+![Screenshot of TrustyHash](./doc/screenshots/example.jpg)
 ## Disclaimers / important information
 ## Trust
 This app does the hash calculation in the browser using the
 [WebCryptoAPI](https://developer.mozilla.org/en-US/docs/Web/API/SubtleCrypto/digest).
 This means we can trust the hash calculation under the following assumptions:
 - The integrity of the application has been preserved when it executes in the
   browser.
 - The browser and any extensions can be trusted.
 ### Integrity of the TrustyHash itself
 Because the application itself is a single HTML file which can be saved locally,
 there are various means for verifying integrity.
 #### Trusted Hash Utility
 The most reliable way to verify is to compute the hash of the HTML file with a
 trusted hash utility on the local system, and compare against the values
 published below.
 #### Code Audit
 Someone familiar with JavaScript can spend a few minutes reading the concise
 source to be assured that the program does what it claims to.
 #### No Hash Utility, Can't Audit Code?
 Hmm, no trusted hash utility, can't audit the code... you just can't give up
 and use your copy of TrustyHash without trusting it! While you could try some
 half-measure like getting some kind of consensus on the hash value of
 TrustyHash from untrusted hash utilities on the web, maybe other copies of
 TrustyHash found elsewhere... ultimately if you really need to trust
 TrustyHash, you've got to be a bit more rigorous.
 Without knowing a thing about JavaScript until this moment, you can create a
 very small, simple program in about 5 minutes, that while not as nice as
 TrustyHash perhaps, will get the job of hashing a local file done. As long as
 you can follow along as the following code is explained, and you can be pretty
 confident the code is not doing anything fishy, you can use this to verify
 TrustyHash itself. I'll show you the whole program up-front before I explain
 it - see, 5 minutes, no more!
 ```
 <!doctype html>
 <html>
 <body>
 <script>
 var fileinput = document.createElement('input')
 fileinput.type = 'file'
 fileinput.onchange = function(){
 var reader = new FileReader()
 reader.readAsArrayBuffer(this.files[0]);
 reader.onload = function(){
 crypto.subtle.digest("SHA-256", this.result)
 .then(function(buffer) {
 var hexCodes = []
 var view = new DataView(buffer)
 for (var i = 0; i < view.byteLength; i += 1) {
 var stringValue = view.getUint8(i).toString(16)
 var paddedValue = ('0' + stringValue).slice(-2)
 hexCodes.push(paddedValue)}
 alert(hexCodes.join(""))})}}
 document.body.appendChild(fileinput)
 </script>
 </body>
 </html>
 ```
 JavaScript programmers may take offense with the lack of conventional
 formatting above, but I'm trying to making this easy to re-type for someone who
 shouldn't need to be concerned with formatting conventions.
 Now a more-or-less line-by-line explanation:
 ```
 <!doctype html>
 <html>
 <body>
 <input type="file">
 <script>
 ```
 These lines declare an HTML document with a file input and a script. HTML
 technically requires a `<head>` element, but I'm trying to save you a bit of
 typing. Now let's get into the JavaScript itself:
 ```
 document.querySelector('input').onchange = function(){
 ```
 This says, when a file is selected via the file input...
 ```
 var reader = new FileReader()
 ```
 ...create a reader to read the file.
 ```
 reader.readAsArrayBuffer(this.files[0])
 ```
 Read the file into memory.
 ```
 reader.onload = function(){
 ```
 When the reader finishes...
 ```
 crypto.subtle.digest("SHA-256", this.result)
 ```
 Hash the buffer with SHA-256.
 ```
 .then(function(buffer) {
 ```
 When hashing finishes, we have an unprintable object, called a buffer...
 ```
 var hexCodes = []
 ```
 ...that we want to turn in to printable hex codes, which is just a way to
 represent a number using only the characters 0 to 9 and 'a' to 'f'. Hex codes
 are the standard representation of SHA-256 hash values.
 ```
 var view = new DataView(buffer)
 ```
 We create a view so we can read the buffer in chunks.
 ```
 for (var i = 0; i < view.byteLength; i += 1) {
 ```
 With each byte-size chunk...
 ```
 var stringValue = view.getUint8(i).toString(16)
 ```
 ...convert each chunk to a number and get a string, which is just something we
 can print. The string will be one or two hex digits.
 ```
 var paddedValue = ('0' + stringValue).slice(-2)
 ```
 To correctly print the string as a hex code, we need to add a zero to the front
 in case the number is less than two hex digits, keeping the last two digits.
 ```
 hexCodes.push(paddedValue)}
 ```
 Keep the string we just created before moving on to the next chunk.
 ```
 alert(hexCodes.join(""))})}}
 ```
 Join all the strings created from each chunk together and pop it up on the
 screen. That's it!
 ```
 </script>
 </body>
 </html>
 ```
 Oh, and we need these lines to formally close the HTML document.
 If you followed all that, put this code into a file called
 `TrustyHashLite.html` and open it up in your browser. I recommend re-typing,
 rather than copy-pasting, since there are a bunch of sneaky ways someone could
 trick you into copy-pasting something besides what you see on a web page. If
 creating HTML files by hand is a bit confusing, you can save [the file I
 created for
 you](https://raw.githubusercontent.com/sprin/TrustyHash/master/TrustyHashLite.html)
 as long as you promise you will make sure the code matches the above after you
 have saved it. One way to do this is to open the file in a browser, right-click
 and select "View Page Source".
 Open the `TrustyHashLite.html` file in your browser, click the file input
 button, select the `TrustyHash.html` you saved earlier. If the printed hex code
 matches the published hash values, congratulations, you just wrote a program
 that computes SHA-256 hashes *and* used it to validate TrustyHash!
 ### Hash Values
 TODO: Publish hash value for 1.0.0
 ### Integrity of the Browser
 In order to trust the results of TrustyHash, we need to trust the browser that
 it runs in. Is the implementation of WebCryptoAPI to be trusted? Are extensions
 able to modify the result the user sees?
 If one is able to see the source of the browser and deterministic, reproducible
 builds are possible, then we can start to form a strong basis of trust. Closed
 source browsers must be excluded - the vendor is not able to assert a strong
 claim of *what* they are distributing. At best, they may be able to publish
 complete specifications for all functionality, but users still must trust the
 vendor ultimately to actually implement the specifications as claimed. The
 point is moot since no closed-source browser vendor publishes complete
 specifications anyway.
 Currently, open-source browsers are little better off. Deterministic builds are
 still a work-in-progress for all popular open-source browsers
 ([Tor Browser](https://blog.torproject.org/category/tags/deterministic-builds),
 [Firefox](https://bugzilla.mozilla.org/show_bug.cgi?id=885777),
 [Chromium](https://bugs.chromium.org/p/chromium/issues/detail?id=314403).
 Without deterministic builds, we must still trust the vendor ultimately to
 build and distribute what they say they are building. If we trust the vendor
 when they say, "deterministic builds are hard, we are working on it", and we
 can trust them to secure their build environment, then we can take the signed
 hash values they publish to represent the objects built from the published
 sources.
 So then there are three realistic ways we might have a trusted browser on our
 systems:
 - A verified open-source browser was bundled with our trusted operating system
   distro.
 - We installed an open-source browser from a trusted package manager that
   handled checking verification for us.
 - We downloaded the open-source browser directly from the vendor and checked
   the signatures/hashes ourselves.
 The third possible way, which is only feasible for a tiny fraction of extremely
 diligent users, is to build the browser from source, rebuilding whenever
 security updates are pushed to users.
 Since the majority of browser users do not use an operating system that bundles
 a verified open-source browser nor supplies a package manager which can
 download and verify an open-source browser for them, this leaves manually
 verifying. Because no operating system makes it easy or obvious to verify
 signed downloads and awareness of the importance of verification is very low,
 we have to conclude that the majority of browser users have very little basis
 for trusting their browser. Similar arguments can be made for the operating
 system as a whole.
 So where does that leave us? Is running any program inside a browser with any
 degre of trust hopeless for the vast majority of users? I would say that we may
 be forced to accept some uncertainty that a program such as TrustyHash will
 produce the correct results in an untrusted browser. If we accept this
 uncertainty, we can use TrustyHash to bootstrap trust for a new browser or even
 operating system. This, I think, is the real value of TrustyHash - to bootstrap
 trust on a system by providing the best possible effort at producing trusted
 hash values in an accessible way.
 ## Deployment
 The entire application is packaged in a single, brief HTML file. Simply deploy
 the file under the web server root directory.
 ## Why only SHA-256?
 SHA-256 remains the de facto standard for verifying files via hash in 2016.
 Here are some popular projects have standardized on SHA-256 for verifying
 release materials:
 - [Tor Browser](https://www.torproject.org/docs/verifying-signatures.html#BuildVerification)
 - [OpenBSD](http://man.openbsd.org/signify)
 - [FreeBSD](https://www.freebsd.org/releases/10.2R/signatures.html)
 - [Centos](http://mirror.centos.org/centos/7/isos/x86_64/sha256sum.txt)
 - [Fedora](https://getfedora.org/verify)
 In the interests of standardization and keeping things simple, only SHA-256
 will be shown. A possible addition to this project is to allow the user to
 select other hash algorithms, with SHA-256 remaining the default.
 ## Limitations
 When the application is retrieved on an HTTPS connection, the application
 cannot fetch HTTP URLs due to restrictions against [mixed active
 content](https://developer.mozilla.org/en-US/docs/Security/Mixed_content#Mixed_active_content]).
 A workaround for this is to save the page locally and open the local copy in
 the browser, as recommended anyway.
 ## Documentation and resources
-* Official app website: https://github.com/sprin/TrustyHash
+* Official app website: <https://github.com/sprin/TrustyHash>
-* Official user documentation: https://github.com/sprin/TrustyHash
+* Official user documentation: <https://github.com/sprin/TrustyHash>
-* Upstream app code repository: https://github.com/sprin/TrustyHash
+* Upstream app code repository: <https://github.com/sprin/TrustyHash>
-* YunoHost documentation for this app: https://yunohost.org/app_trustyhash
+* YunoHost documentation for this app: <https://yunohost.org/app_trustyhash>
-* Report a bug: https://github.com/YunoHost-Apps/trustyhash_ynh/issues
+* Report a bug: <https://github.com/YunoHost-Apps/trustyhash_ynh/issues>
 ## Developer info
 Please send your pull request to the [testing branch](https://github.com/YunoHost-Apps/trustyhash_ynh/tree/testing).
 To try the testing branch, please proceed like that.
-```
+
 ``` bash
 sudo yunohost app install https://github.com/YunoHost-Apps/trustyhash_ynh/tree/testing --debug
 or
 sudo yunohost app upgrade trustyhash -u https://github.com/YunoHost-Apps/trustyhash_ynh/tree/testing --debug
 ```
-**More info regarding app packaging:** https://yunohost.org/packaging_apps
+**More info regarding app packaging:** <https://yunohost.org/packaging_apps>
--- a/README_fr.md
+++ b/README_fr.md
@ -1,71 +1,25 @@
 <!--
 N.B.: This README was automatically generated by https://github.com/YunoHost/apps/tree/master/tools/README-generator
 It shall NOT be edited by hand.
 -->
 # TrustyHash pour YunoHost
-[![Niveau d'intégration](https://dash.yunohost.org/integration/trustyhash.svg)](https://dash.yunohost.org/appci/app/trustyhash) ![](https://ci-apps.yunohost.org/ci/badges/trustyhash.status.svg) ![](https://ci-apps.yunohost.org/ci/badges/trustyhash.maintain.svg)  
+[![Niveau d'intégration](https://dash.yunohost.org/integration/trustyhash.svg)](https://dash.yunohost.org/appci/app/trustyhash) ![Statut du fonctionnement](https://ci-apps.yunohost.org/ci/badges/trustyhash.status.svg) ![Statut de maintenance](https://ci-apps.yunohost.org/ci/badges/trustyhash.maintain.svg)  
 [![Installer TrustyHash avec YunoHost](https://install-app.yunohost.org/install-with-yunohost.svg)](https://install-app.yunohost.org/?app=trustyhash)
 *[Read this readme in english.](./README.md)*
 *[Lire ce readme en français.](./README_fr.md)*
 > *Ce package vous permet d'installer TrustyHash rapidement et simplement sur un serveur YunoHost.
 Si vous n'avez pas YunoHost, regardez [ici](https://yunohost.org/#/install) pour savoir comment l'installer et en profiter.*
 ## Vue d'ensemble
 # TrustyHash - A Trustable Hash Calculator
 TrustyHash is a small [client-side](https://unhosted.org/) web application that
 computes SHA-256 hash values on both local files and on remote URLs, with a
 strong emphasis on a process that will allow you to trust the results. Works
 offline!
 TrustyHash homepage: https://github.com/sprin/TrustyHash
 [Use it here](https://sprin.github.io/TrustyHash/)
 ## How is this useful?
 Integrity: "We have in hand the same set of sequences of bits that came into
 existence when the object was created" - [Lynch](http://www.clir.org/pubs/reports/pub92/lynch.html)
 "Friends don't let friends use unverified downloads."
 This fills a need for a verifiable, web-based hash calculator written in free
 JavaScript. If you already use the command-line hash utilities on your
 system, you should continue to use those. This is targeted towards users who do
 not have or are unable to use the hash utilities on their local systems. While
 universal command-line-literacy is a good goal, the concepts of file integrity and
 authenticity and the ability to use tools for verification are perhaps more
 fundamental.
 Integrity is the first link in secure systems, and key to determining
 authenticity. If we trust the association between an author and the hash value
 of a file they created, perhaps because we trust them and they gave us the
 hash in person, we can authenticate whether a file we believe to be the same
 really did come from them. We can achieve the same result if the author had
 used a signing key, and signed and distributed a hash value along with the
 file, and we could trust the association between a particular key and the
 author - albeit with somewhat more complexity and caveats (eg, has the signing
 key been kept private?).
 In a few words, this tool aims to enable verification of integrity and
 authenticity claims in an accessible way that depends only on a trusted hash
 value and the correctness and integrity of the TrustyHash app and the browser
 it executes in. See the section "Trust" below for recommendations on
 how to verify integrity of this application.
 ## Usage
 Local files can be opened from a file select dialog, or dragged into the "drop
 area". Remote URLs can be entered, and if the remote server allows cross-origin
 GET requests via
 [CORS](https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS),
 the file will be downloaded to the browser, with the option of saving locally.
 It's recommended to save the application, verify the integrity, and use the
 saved copy from then on. To save from the browser, use "Save Page" > "Web Page,
 HTML Only", and use a filename of `TrustyHash.html`. To verify, read the
 section on "Trust" below.
 **Version incluse :** 1.0~ynh1
@ -73,314 +27,26 @@ section on "Trust" below.
 ## Captures d'écran
-![](./doc/screenshots/example.jpg)
+![Capture d'écran de TrustyHash](./doc/screenshots/example.jpg)
 ## Avertissements / informations importantes
 ## Trust
 This app does the hash calculation in the browser using the
 [WebCryptoAPI](https://developer.mozilla.org/en-US/docs/Web/API/SubtleCrypto/digest).
 This means we can trust the hash calculation under the following assumptions:
 - The integrity of the application has been preserved when it executes in the
   browser.
 - The browser and any extensions can be trusted.
 ### Integrity of the TrustyHash itself
 Because the application itself is a single HTML file which can be saved locally,
 there are various means for verifying integrity.
 #### Trusted Hash Utility
 The most reliable way to verify is to compute the hash of the HTML file with a
 trusted hash utility on the local system, and compare against the values
 published below.
 #### Code Audit
 Someone familiar with JavaScript can spend a few minutes reading the concise
 source to be assured that the program does what it claims to.
 #### No Hash Utility, Can't Audit Code?
 Hmm, no trusted hash utility, can't audit the code... you just can't give up
 and use your copy of TrustyHash without trusting it! While you could try some
 half-measure like getting some kind of consensus on the hash value of
 TrustyHash from untrusted hash utilities on the web, maybe other copies of
 TrustyHash found elsewhere... ultimately if you really need to trust
 TrustyHash, you've got to be a bit more rigorous.
 Without knowing a thing about JavaScript until this moment, you can create a
 very small, simple program in about 5 minutes, that while not as nice as
 TrustyHash perhaps, will get the job of hashing a local file done. As long as
 you can follow along as the following code is explained, and you can be pretty
 confident the code is not doing anything fishy, you can use this to verify
 TrustyHash itself. I'll show you the whole program up-front before I explain
 it - see, 5 minutes, no more!
 ```
 <!doctype html>
 <html>
 <body>
 <script>
 var fileinput = document.createElement('input')
 fileinput.type = 'file'
 fileinput.onchange = function(){
 var reader = new FileReader()
 reader.readAsArrayBuffer(this.files[0]);
 reader.onload = function(){
 crypto.subtle.digest("SHA-256", this.result)
 .then(function(buffer) {
 var hexCodes = []
 var view = new DataView(buffer)
 for (var i = 0; i < view.byteLength; i += 1) {
 var stringValue = view.getUint8(i).toString(16)
 var paddedValue = ('0' + stringValue).slice(-2)
 hexCodes.push(paddedValue)}
 alert(hexCodes.join(""))})}}
 document.body.appendChild(fileinput)
 </script>
 </body>
 </html>
 ```
 JavaScript programmers may take offense with the lack of conventional
 formatting above, but I'm trying to making this easy to re-type for someone who
 shouldn't need to be concerned with formatting conventions.
 Now a more-or-less line-by-line explanation:
 ```
 <!doctype html>
 <html>
 <body>
 <input type="file">
 <script>
 ```
 These lines declare an HTML document with a file input and a script. HTML
 technically requires a `<head>` element, but I'm trying to save you a bit of
 typing. Now let's get into the JavaScript itself:
 ```
 document.querySelector('input').onchange = function(){
 ```
 This says, when a file is selected via the file input...
 ```
 var reader = new FileReader()
 ```
 ...create a reader to read the file.
 ```
 reader.readAsArrayBuffer(this.files[0])
 ```
 Read the file into memory.
 ```
 reader.onload = function(){
 ```
 When the reader finishes...
 ```
 crypto.subtle.digest("SHA-256", this.result)
 ```
 Hash the buffer with SHA-256.
 ```
 .then(function(buffer) {
 ```
 When hashing finishes, we have an unprintable object, called a buffer...
 ```
 var hexCodes = []
 ```
 ...that we want to turn in to printable hex codes, which is just a way to
 represent a number using only the characters 0 to 9 and 'a' to 'f'. Hex codes
 are the standard representation of SHA-256 hash values.
 ```
 var view = new DataView(buffer)
 ```
 We create a view so we can read the buffer in chunks.
 ```
 for (var i = 0; i < view.byteLength; i += 1) {
 ```
 With each byte-size chunk...
 ```
 var stringValue = view.getUint8(i).toString(16)
 ```
 ...convert each chunk to a number and get a string, which is just something we
 can print. The string will be one or two hex digits.
 ```
 var paddedValue = ('0' + stringValue).slice(-2)
 ```
 To correctly print the string as a hex code, we need to add a zero to the front
 in case the number is less than two hex digits, keeping the last two digits.
 ```
 hexCodes.push(paddedValue)}
 ```
 Keep the string we just created before moving on to the next chunk.
 ```
 alert(hexCodes.join(""))})}}
 ```
 Join all the strings created from each chunk together and pop it up on the
 screen. That's it!
 ```
 </script>
 </body>
 </html>
 ```
 Oh, and we need these lines to formally close the HTML document.
 If you followed all that, put this code into a file called
 `TrustyHashLite.html` and open it up in your browser. I recommend re-typing,
 rather than copy-pasting, since there are a bunch of sneaky ways someone could
 trick you into copy-pasting something besides what you see on a web page. If
 creating HTML files by hand is a bit confusing, you can save [the file I
 created for
 you](https://raw.githubusercontent.com/sprin/TrustyHash/master/TrustyHashLite.html)
 as long as you promise you will make sure the code matches the above after you
 have saved it. One way to do this is to open the file in a browser, right-click
 and select "View Page Source".
 Open the `TrustyHashLite.html` file in your browser, click the file input
 button, select the `TrustyHash.html` you saved earlier. If the printed hex code
 matches the published hash values, congratulations, you just wrote a program
 that computes SHA-256 hashes *and* used it to validate TrustyHash!
 ### Hash Values
 TODO: Publish hash value for 1.0.0
 ### Integrity of the Browser
 In order to trust the results of TrustyHash, we need to trust the browser that
 it runs in. Is the implementation of WebCryptoAPI to be trusted? Are extensions
 able to modify the result the user sees?
 If one is able to see the source of the browser and deterministic, reproducible
 builds are possible, then we can start to form a strong basis of trust. Closed
 source browsers must be excluded - the vendor is not able to assert a strong
 claim of *what* they are distributing. At best, they may be able to publish
 complete specifications for all functionality, but users still must trust the
 vendor ultimately to actually implement the specifications as claimed. The
 point is moot since no closed-source browser vendor publishes complete
 specifications anyway.
 Currently, open-source browsers are little better off. Deterministic builds are
 still a work-in-progress for all popular open-source browsers
 ([Tor Browser](https://blog.torproject.org/category/tags/deterministic-builds),
 [Firefox](https://bugzilla.mozilla.org/show_bug.cgi?id=885777),
 [Chromium](https://bugs.chromium.org/p/chromium/issues/detail?id=314403).
 Without deterministic builds, we must still trust the vendor ultimately to
 build and distribute what they say they are building. If we trust the vendor
 when they say, "deterministic builds are hard, we are working on it", and we
 can trust them to secure their build environment, then we can take the signed
 hash values they publish to represent the objects built from the published
 sources.
 So then there are three realistic ways we might have a trusted browser on our
 systems:
 - A verified open-source browser was bundled with our trusted operating system
   distro.
 - We installed an open-source browser from a trusted package manager that
   handled checking verification for us.
 - We downloaded the open-source browser directly from the vendor and checked
   the signatures/hashes ourselves.
 The third possible way, which is only feasible for a tiny fraction of extremely
 diligent users, is to build the browser from source, rebuilding whenever
 security updates are pushed to users.
 Since the majority of browser users do not use an operating system that bundles
 a verified open-source browser nor supplies a package manager which can
 download and verify an open-source browser for them, this leaves manually
 verifying. Because no operating system makes it easy or obvious to verify
 signed downloads and awareness of the importance of verification is very low,
 we have to conclude that the majority of browser users have very little basis
 for trusting their browser. Similar arguments can be made for the operating
 system as a whole.
 So where does that leave us? Is running any program inside a browser with any
 degre of trust hopeless for the vast majority of users? I would say that we may
 be forced to accept some uncertainty that a program such as TrustyHash will
 produce the correct results in an untrusted browser. If we accept this
 uncertainty, we can use TrustyHash to bootstrap trust for a new browser or even
 operating system. This, I think, is the real value of TrustyHash - to bootstrap
 trust on a system by providing the best possible effort at producing trusted
 hash values in an accessible way.
 ## Deployment
 The entire application is packaged in a single, brief HTML file. Simply deploy
 the file under the web server root directory.
 ## Why only SHA-256?
 SHA-256 remains the de facto standard for verifying files via hash in 2016.
 Here are some popular projects have standardized on SHA-256 for verifying
 release materials:
 - [Tor Browser](https://www.torproject.org/docs/verifying-signatures.html#BuildVerification)
 - [OpenBSD](http://man.openbsd.org/signify)
 - [FreeBSD](https://www.freebsd.org/releases/10.2R/signatures.html)
 - [Centos](http://mirror.centos.org/centos/7/isos/x86_64/sha256sum.txt)
 - [Fedora](https://getfedora.org/verify)
 In the interests of standardization and keeping things simple, only SHA-256
 will be shown. A possible addition to this project is to allow the user to
 select other hash algorithms, with SHA-256 remaining the default.
 ## Limitations
 When the application is retrieved on an HTTPS connection, the application
 cannot fetch HTTP URLs due to restrictions against [mixed active
 content](https://developer.mozilla.org/en-US/docs/Security/Mixed_content#Mixed_active_content]).
 A workaround for this is to save the page locally and open the local copy in
 the browser, as recommended anyway.
 ## Documentations et ressources
-* Site officiel de l'app : https://github.com/sprin/TrustyHash
+* Site officiel de l'app : <https://github.com/sprin/TrustyHash>
-* Documentation officielle utilisateur : https://github.com/sprin/TrustyHash
+* Documentation officielle utilisateur : <https://github.com/sprin/TrustyHash>
-* Dépôt de code officiel de l'app : https://github.com/sprin/TrustyHash
+* Dépôt de code officiel de l'app : <https://github.com/sprin/TrustyHash>
-* Documentation YunoHost pour cette app : https://yunohost.org/app_trustyhash
+* Documentation YunoHost pour cette app : <https://yunohost.org/app_trustyhash>
-* Signaler un bug : https://github.com/YunoHost-Apps/trustyhash_ynh/issues
+* Signaler un bug : <https://github.com/YunoHost-Apps/trustyhash_ynh/issues>
 ## Informations pour les développeurs
 Merci de faire vos pull request sur la [branche testing](https://github.com/YunoHost-Apps/trustyhash_ynh/tree/testing).
 Pour essayer la branche testing, procédez comme suit.
-```
+
 ``` bash
 sudo yunohost app install https://github.com/YunoHost-Apps/trustyhash_ynh/tree/testing --debug
 ou
 sudo yunohost app upgrade trustyhash -u https://github.com/YunoHost-Apps/trustyhash_ynh/tree/testing --debug
 ```
-**Plus d'infos sur le packaging d'applications :** https://yunohost.org/packaging_apps
+**Plus d'infos sur le packaging d'applications :** <https://yunohost.org/packaging_apps>
--- a/conf/nginx.conf
+++ b/conf/nginx.conf
@ -2,9 +2,8 @@
 location __PATH__/ {
  # Path to source
-  alias __FINALPATH__/ ;
+  alias __FINALPATH__/;
 ### Example PHP configuration (remove it if not used)
  index index.html;
  # Include SSOWAT user panel.
--- a/doc/DESCRIPTION.md
+++ b/doc/DESCRIPTION.md
@ -1,54 +1,4 @@
 # TrustyHash - A Trustable Hash Calculator
 TrustyHash is a small [client-side](https://unhosted.org/) web application that
 computes SHA-256 hash values on both local files and on remote URLs, with a
 strong emphasis on a process that will allow you to trust the results. Works
 offline!
 TrustyHash homepage: https://github.com/sprin/TrustyHash
 [Use it here](https://sprin.github.io/TrustyHash/)
 ## How is this useful?
 Integrity: "We have in hand the same set of sequences of bits that came into
 existence when the object was created" - [Lynch](http://www.clir.org/pubs/reports/pub92/lynch.html)
 "Friends don't let friends use unverified downloads."
 This fills a need for a verifiable, web-based hash calculator written in free
 JavaScript. If you already use the command-line hash utilities on your
 system, you should continue to use those. This is targeted towards users who do
 not have or are unable to use the hash utilities on their local systems. While
 universal command-line-literacy is a good goal, the concepts of file integrity and
 authenticity and the ability to use tools for verification are perhaps more
 fundamental.
 Integrity is the first link in secure systems, and key to determining
 authenticity. If we trust the association between an author and the hash value
 of a file they created, perhaps because we trust them and they gave us the
 hash in person, we can authenticate whether a file we believe to be the same
 really did come from them. We can achieve the same result if the author had
 used a signing key, and signed and distributed a hash value along with the
 file, and we could trust the association between a particular key and the
 author - albeit with somewhat more complexity and caveats (eg, has the signing
 key been kept private?).
 In a few words, this tool aims to enable verification of integrity and
 authenticity claims in an accessible way that depends only on a trusted hash
 value and the correctness and integrity of the TrustyHash app and the browser
 it executes in. See the section "Trust" below for recommendations on
 how to verify integrity of this application.
 ## Usage
 Local files can be opened from a file select dialog, or dragged into the "drop
 area". Remote URLs can be entered, and if the remote server allows cross-origin
 GET requests via
 [CORS](https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS),
 the file will be downloaded to the browser, with the option of saving locally.
 It's recommended to save the application, verify the integrity, and use the
 saved copy from then on. To save from the browser, use "Save Page" > "Web Page,
 HTML Only", and use a filename of `TrustyHash.html`. To verify, read the
 section on "Trust" below.
--- a/doc/DISCLAIMER.md
+++ b/doc/DISCLAIMER.md
@ -1,286 +0,0 @@
 ## Trust
 This app does the hash calculation in the browser using the
 [WebCryptoAPI](https://developer.mozilla.org/en-US/docs/Web/API/SubtleCrypto/digest).
 This means we can trust the hash calculation under the following assumptions:
 - The integrity of the application has been preserved when it executes in the
   browser.
 - The browser and any extensions can be trusted.
 ### Integrity of the TrustyHash itself
 Because the application itself is a single HTML file which can be saved locally,
 there are various means for verifying integrity.
 #### Trusted Hash Utility
 The most reliable way to verify is to compute the hash of the HTML file with a
 trusted hash utility on the local system, and compare against the values
 published below.
 #### Code Audit
 Someone familiar with JavaScript can spend a few minutes reading the concise
 source to be assured that the program does what it claims to.
 #### No Hash Utility, Can't Audit Code?
 Hmm, no trusted hash utility, can't audit the code... you just can't give up
 and use your copy of TrustyHash without trusting it! While you could try some
 half-measure like getting some kind of consensus on the hash value of
 TrustyHash from untrusted hash utilities on the web, maybe other copies of
 TrustyHash found elsewhere... ultimately if you really need to trust
 TrustyHash, you've got to be a bit more rigorous.
 Without knowing a thing about JavaScript until this moment, you can create a
 very small, simple program in about 5 minutes, that while not as nice as
 TrustyHash perhaps, will get the job of hashing a local file done. As long as
 you can follow along as the following code is explained, and you can be pretty
 confident the code is not doing anything fishy, you can use this to verify
 TrustyHash itself. I'll show you the whole program up-front before I explain
 it - see, 5 minutes, no more!
 ```
 <!doctype html>
 <html>
 <body>
 <script>
 var fileinput = document.createElement('input')
 fileinput.type = 'file'
 fileinput.onchange = function(){
 var reader = new FileReader()
 reader.readAsArrayBuffer(this.files[0]);
 reader.onload = function(){
 crypto.subtle.digest("SHA-256", this.result)
 .then(function(buffer) {
 var hexCodes = []
 var view = new DataView(buffer)
 for (var i = 0; i < view.byteLength; i += 1) {
 var stringValue = view.getUint8(i).toString(16)
 var paddedValue = ('0' + stringValue).slice(-2)
 hexCodes.push(paddedValue)}
 alert(hexCodes.join(""))})}}
 document.body.appendChild(fileinput)
 </script>
 </body>
 </html>
 ```
 JavaScript programmers may take offense with the lack of conventional
 formatting above, but I'm trying to making this easy to re-type for someone who
 shouldn't need to be concerned with formatting conventions.
 Now a more-or-less line-by-line explanation:
 ```
 <!doctype html>
 <html>
 <body>
 <input type="file">
 <script>
 ```
 These lines declare an HTML document with a file input and a script. HTML
 technically requires a `<head>` element, but I'm trying to save you a bit of
 typing. Now let's get into the JavaScript itself:
 ```
 document.querySelector('input').onchange = function(){
 ```
 This says, when a file is selected via the file input...
 ```
 var reader = new FileReader()
 ```
 ...create a reader to read the file.
 ```
 reader.readAsArrayBuffer(this.files[0])
 ```
 Read the file into memory.
 ```
 reader.onload = function(){
 ```
 When the reader finishes...
 ```
 crypto.subtle.digest("SHA-256", this.result)
 ```
 Hash the buffer with SHA-256.
 ```
 .then(function(buffer) {
 ```
 When hashing finishes, we have an unprintable object, called a buffer...
 ```
 var hexCodes = []
 ```
 ...that we want to turn in to printable hex codes, which is just a way to
 represent a number using only the characters 0 to 9 and 'a' to 'f'. Hex codes
 are the standard representation of SHA-256 hash values.
 ```
 var view = new DataView(buffer)
 ```
 We create a view so we can read the buffer in chunks.
 ```
 for (var i = 0; i < view.byteLength; i += 1) {
 ```
 With each byte-size chunk...
 ```
 var stringValue = view.getUint8(i).toString(16)
 ```
 ...convert each chunk to a number and get a string, which is just something we
 can print. The string will be one or two hex digits.
 ```
 var paddedValue = ('0' + stringValue).slice(-2)
 ```
 To correctly print the string as a hex code, we need to add a zero to the front
 in case the number is less than two hex digits, keeping the last two digits.
 ```
 hexCodes.push(paddedValue)}
 ```
 Keep the string we just created before moving on to the next chunk.
 ```
 alert(hexCodes.join(""))})}}
 ```
 Join all the strings created from each chunk together and pop it up on the
 screen. That's it!
 ```
 </script>
 </body>
 </html>
 ```
 Oh, and we need these lines to formally close the HTML document.
 If you followed all that, put this code into a file called
 `TrustyHashLite.html` and open it up in your browser. I recommend re-typing,
 rather than copy-pasting, since there are a bunch of sneaky ways someone could
 trick you into copy-pasting something besides what you see on a web page. If
 creating HTML files by hand is a bit confusing, you can save [the file I
 created for
 you](https://raw.githubusercontent.com/sprin/TrustyHash/master/TrustyHashLite.html)
 as long as you promise you will make sure the code matches the above after you
 have saved it. One way to do this is to open the file in a browser, right-click
 and select "View Page Source".
 Open the `TrustyHashLite.html` file in your browser, click the file input
 button, select the `TrustyHash.html` you saved earlier. If the printed hex code
 matches the published hash values, congratulations, you just wrote a program
 that computes SHA-256 hashes *and* used it to validate TrustyHash!
 ### Hash Values
 TODO: Publish hash value for 1.0.0
 ### Integrity of the Browser
 In order to trust the results of TrustyHash, we need to trust the browser that
 it runs in. Is the implementation of WebCryptoAPI to be trusted? Are extensions
 able to modify the result the user sees?
 If one is able to see the source of the browser and deterministic, reproducible
 builds are possible, then we can start to form a strong basis of trust. Closed
 source browsers must be excluded - the vendor is not able to assert a strong
 claim of *what* they are distributing. At best, they may be able to publish
 complete specifications for all functionality, but users still must trust the
 vendor ultimately to actually implement the specifications as claimed. The
 point is moot since no closed-source browser vendor publishes complete
 specifications anyway.
 Currently, open-source browsers are little better off. Deterministic builds are
 still a work-in-progress for all popular open-source browsers
 ([Tor Browser](https://blog.torproject.org/category/tags/deterministic-builds),
 [Firefox](https://bugzilla.mozilla.org/show_bug.cgi?id=885777),
 [Chromium](https://bugs.chromium.org/p/chromium/issues/detail?id=314403).
 Without deterministic builds, we must still trust the vendor ultimately to
 build and distribute what they say they are building. If we trust the vendor
 when they say, "deterministic builds are hard, we are working on it", and we
 can trust them to secure their build environment, then we can take the signed
 hash values they publish to represent the objects built from the published
 sources.
 So then there are three realistic ways we might have a trusted browser on our
 systems:
 - A verified open-source browser was bundled with our trusted operating system
   distro.
 - We installed an open-source browser from a trusted package manager that
   handled checking verification for us.
 - We downloaded the open-source browser directly from the vendor and checked
   the signatures/hashes ourselves.
 The third possible way, which is only feasible for a tiny fraction of extremely
 diligent users, is to build the browser from source, rebuilding whenever
 security updates are pushed to users.
 Since the majority of browser users do not use an operating system that bundles
 a verified open-source browser nor supplies a package manager which can
 download and verify an open-source browser for them, this leaves manually
 verifying. Because no operating system makes it easy or obvious to verify
 signed downloads and awareness of the importance of verification is very low,
 we have to conclude that the majority of browser users have very little basis
 for trusting their browser. Similar arguments can be made for the operating
 system as a whole.
 So where does that leave us? Is running any program inside a browser with any
 degre of trust hopeless for the vast majority of users? I would say that we may
 be forced to accept some uncertainty that a program such as TrustyHash will
 produce the correct results in an untrusted browser. If we accept this
 uncertainty, we can use TrustyHash to bootstrap trust for a new browser or even
 operating system. This, I think, is the real value of TrustyHash - to bootstrap
 trust on a system by providing the best possible effort at producing trusted
 hash values in an accessible way.
 ## Deployment
 The entire application is packaged in a single, brief HTML file. Simply deploy
 the file under the web server root directory.
 ## Why only SHA-256?
 SHA-256 remains the de facto standard for verifying files via hash in 2016.
 Here are some popular projects have standardized on SHA-256 for verifying
 release materials:
 - [Tor Browser](https://www.torproject.org/docs/verifying-signatures.html#BuildVerification)
 - [OpenBSD](http://man.openbsd.org/signify)
 - [FreeBSD](https://www.freebsd.org/releases/10.2R/signatures.html)
 - [Centos](http://mirror.centos.org/centos/7/isos/x86_64/sha256sum.txt)
 - [Fedora](https://getfedora.org/verify)
 In the interests of standardization and keeping things simple, only SHA-256
 will be shown. A possible addition to this project is to allow the user to
 select other hash algorithms, with SHA-256 remaining the default.
 ## Limitations
 When the application is retrieved on an HTTPS connection, the application
 cannot fetch HTTP URLs due to restrictions against [mixed active
 content](https://developer.mozilla.org/en-US/docs/Security/Mixed_content#Mixed_active_content]).
 A workaround for this is to save the page locally and open the local copy in
 the browser, as recommended anyway.
--- a/manifest.json
+++ b/manifest.json
@ -3,14 +3,13 @@
    "id": "trustyhash",
    "packaging_format": 1,
    "description": {
-        "en": "a small client-side web application that computes SHA-256 hash values on both local files and on remote URLs. Works offline!",
+        "en": "SHA-256 Hash Calculator",
-        "fr": "une petite application Web côté client qui calcule les valeurs de hachage SHA-256 sur les fichiers locaux et sur les URL distantes. Fonctionne hors ligne !"
+        "fr": "Calculateur de hachage SHA-256"
    },
-    "version": "1.0~ynh1",
+    "version": "1.0~ynh2",
    "url": "https://github.com/sprin/TrustyHash",
    "upstream": {
        "license": "MIT",
        "website": "https://github.com/sprin/TrustyHash",
        "demo": "https://sprin.github.io/TrustyHash/",        
        "userdoc": "https://github.com/sprin/TrustyHash",
        "code": "https://github.com/sprin/TrustyHash"
@ -21,12 +20,12 @@
        "email": ""
    },
    "requirements": {
-        "yunohost": ">= 4.3.0"
+        "yunohost": ">= 11.0.9"
    },
    "multi_instance": true,
    "services": [
        "nginx",
-        "php7.3-fpm"
+        "php7.4-fpm"
    ],
    "arguments": {
        "install" : [
--- a/scripts/_common.sh
+++ b/scripts/_common.sh
@ -5,7 +5,7 @@
 #=================================================
 # dependencies used by the app
-YNH_PHP_VERSION="7.3"
+YNH_PHP_VERSION="7.4"
 #=================================================
 # PERSONAL HELPERS
--- a/scripts/backup
+++ b/scripts/backup
@ -30,20 +30,13 @@ app=$YNH_APP_INSTANCE_NAME
 final_path=$(ynh_app_setting_get --app=$app --key=final_path)
 domain=$(ynh_app_setting_get --app=$app --key=domain)
 # db_name=$(ynh_app_setting_get --app=$app --key=db_name)
 phpversion=$(ynh_app_setting_get --app=$app --key=phpversion)
 # datadir=$(ynh_app_setting_get --app=$app --key=datadir)
 #=================================================
 # DECLARE DATA AND CONF FILES TO BACKUP
 #=================================================
 ynh_print_info --message="Declaring files to be backed up..."
 ### N.B. : the following 'ynh_backup' calls are only a *declaration* of what needs
 ### to be backuped and not an actual copy of any file. The actual backup that
 ### creates and fill the archive with the files happens in the core after this
 ### script is called. Hence ynh_backups calls takes basically 0 seconds to run.
 #=================================================
 # BACKUP THE APP MAIN DIR
 #=================================================
@ -68,45 +61,6 @@ ynh_backup --src_path="/etc/nginx/conf.d/$domain.d/$app.conf"
 ynh_backup --src_path="/etc/php/$phpversion/fpm/pool.d/$app.conf"
 #=================================================
 # BACKUP FAIL2BAN CONFIGURATION
 #=================================================
 # ynh_backup --src_path="/etc/fail2ban/jail.d/$app.conf"
 # ynh_backup --src_path="/etc/fail2ban/filter.d/$app.conf"
 #=================================================
 # SPECIFIC BACKUP
 #=================================================
 # BACKUP LOGROTATE
 #=================================================
 # ynh_backup --src_path="/etc/logrotate.d/$app"
 #=================================================
 # BACKUP SYSTEMD
 #=================================================
 # ynh_backup --src_path="/etc/systemd/system/$app.service"
 #=================================================
 # BACKUP VARIOUS FILES
 #=================================================
 # ynh_backup --src_path="/etc/cron.d/$app"
 # ynh_backup --src_path="/etc/$app/"
 #=================================================
 # BACKUP THE MYSQL DATABASE
 #=================================================
 # ynh_print_info --message="Backing up the MySQL database..."
 ### (However, things like MySQL dumps *do* take some time to run, though the
 ### copy of the generated dump to the archive still happens later)
 # ynh_mysql_dump_db --database="$db_name" > db.sql
 #=================================================
 # END OF SCRIPT
 #=================================================
--- a/scripts/change_url
+++ b/scripts/change_url
@ -29,11 +29,6 @@ ynh_script_progression --message="Loading installation settings..."  --weight=1
 # Needed for helper "ynh_add_nginx_config"
 final_path=$(ynh_app_setting_get --app=$app --key=final_path)
 # Add settings here as needed by your application
 #db_name=$(ynh_app_setting_get --app=$app --key=db_name)
 #db_user=$db_name
 #db_pwd=$(ynh_app_setting_get --app=$app --key=db_pwd)
 #=================================================
 # BACKUP BEFORE CHANGE URL THEN ACTIVE TRAP
 #=================================================
@ -67,15 +62,6 @@ then
 	change_path=1
 fi
 #=================================================
 # STANDARD MODIFICATIONS
 #=================================================
 # STOP SYSTEMD SERVICE
 #=================================================
 ynh_script_progression --message="Stopping a systemd service..."  --weight=1
 ynh_systemd_action --service_name=$app --action="stop" --log_path="/var/log/$app/$app.log"
 #=================================================
 # MODIFY URL IN NGINX CONF
 #=================================================
@ -105,21 +91,6 @@ then
 	ynh_store_file_checksum --file="/etc/nginx/conf.d/$new_domain.d/$app.conf"
 fi
 #=================================================
 # SPECIFIC MODIFICATIONS
 #=================================================
 # ...
 #=================================================
 #=================================================
 # GENERIC FINALISATION
 #=================================================
 # START SYSTEMD SERVICE
 #=================================================
 # ynh_script_progression --message="Starting a systemd service..."  --weight=1
 # ynh_systemd_action --service_name=$app --action="start" --log_path="/var/log/$app/$app.log"
 #=================================================
 # RELOAD NGINX
 #=================================================
--- a/scripts/install
+++ b/scripts/install
@ -28,38 +28,13 @@ domain=$YNH_APP_ARG_DOMAIN
 path_url=$YNH_APP_ARG_PATH
 phpversion=$YNH_PHP_VERSION
 # is_public=$YNH_APP_ARG_IS_PUBLIC
 # language=$YNH_APP_ARG_LANGUAGE
 # admin=$YNH_APP_ARG_ADMIN
 # password=$YNH_APP_ARG_PASSWORD
 ### If it's a multi-instance app, meaning it can be installed several times independently
 ### The id of the app as stated in the manifest is available as $YNH_APP_ID
 ### The instance number is available as $YNH_APP_INSTANCE_NUMBER (equals "1", "2"...)
 ### The app instance name is available as $YNH_APP_INSTANCE_NAME
 ###    - the first time the app is installed, YNH_APP_INSTANCE_NAME = ynhexample
 ###    - the second time the app is installed, YNH_APP_INSTANCE_NAME = ynhexample__2
 ###    - ynhexample__{N} for the subsequent installations, with N=3,4...
 ### The app instance name is probably what interests you most, since this is
 ### guaranteed to be unique. This is a good unique identifier to define installation path,
 ### db names...
 app=$YNH_APP_INSTANCE_NAME
 #=================================================
 # CHECK IF THE APP CAN BE INSTALLED WITH THESE ARGS
 #=================================================
 ### About --weight and 
 ### ynh_script_progression will show to your final users the progression of each scripts.
 ### In order to do that, --weight will represent the relative time of execution compared to the other steps in the script.
 ###  is a packager option, it will show you the execution time since the previous call.
 ### This option should be removed before releasing your app.
 ### Use the execution time, given by , to estimate the weight of a step.
 ### A common way to do it is to set a weight equal to the execution time in second +1.
 ### The execution time is given for the duration since the previous call. So the weight should be applied to this previous call.
 ynh_script_progression --message="Validating installation parameters..." --weight=1
 ### If the app uses NGINX as web server (written in HTML/PHP in most cases), the final path should be "/var/www/$app".
 ### If the app provides an internal web server (or uses another application server such as uWSGI), the final path should be "/opt/yunohost/$app"
 final_path=/var/www/$app
 test ! -e "$final_path" || ynh_die --message="This path already contains a folder"
@ -76,48 +51,6 @@ ynh_app_setting_set --app=$app --key=path --value=$path_url
 ynh_app_setting_set --app=$app --key=phpversion --value=$phpversion
 ynh_app_setting_set --app=$app --key=final_path --value=$final_path
 # ynh_app_setting_set --app=$app --key=language --value=$language
 # ynh_app_setting_set --app=$app --key=admin --value=$admin
 #=================================================
 # STANDARD MODIFICATIONS
 #=================================================
 # FIND AND OPEN A PORT
 #=================================================
 # ynh_script_progression --message="Finding an available port..."  --weight=1
 ### Use these lines if you have to open a port for the application
 ### `ynh_find_port` will find the first available port starting from the given port.
 ### If you're not using these lines:
 ###		- Remove the section "CLOSE A PORT" in the remove script
 # Find an available port
 # port=$(ynh_find_port --port=8095)
 # ynh_app_setting_set --app=$app --key=port --value=$port
 # Optional: Expose this port publicly
 # (N.B.: you only need to do this if the app actually needs to expose the port publicly.
 # If you do this and the app doesn't actually need you are CREATING SECURITY HOLES IN THE SERVER !)
 # Open the port
 # ynh_script_progression --message="Configuring firewall..."  --weight=1
 # ynh_exec_warn_less yunohost firewall allow --no-upnp TCP $port
 #=================================================
 # INSTALL DEPENDENCIES
 #=================================================
 # ynh_script_progression --message="Installing dependencies..."  --weight=1
 ### `ynh_install_app_dependencies` allows you to add any "apt" dependencies to the package.
 ### Those deb packages will be installed as dependencies of this package.
 ### If you're not using this helper:
 ###		- Remove the section "REMOVE DEPENDENCIES" in the remove script
 ###		- Remove the variable "pkg_dependencies" in _common.sh
 ###		- As well as the section "REINSTALL DEPENDENCIES" in the restore script
 ###		- And the section "UPGRADE DEPENDENCIES" in the upgrade script
 # ynh_install_app_dependencies $pkg_dependencies
 #=================================================
 # CREATE DEDICATED USER
 #=================================================
@ -126,280 +59,34 @@ ynh_script_progression --message="Configuring system user..."  --weight=1
 # Create a system user
 ynh_system_user_create --username=$app --home_dir="$final_path"
 #=================================================
 # CREATE A MYSQL DATABASE
 #=================================================
 # ynh_script_progression --message="Creating a MySQL database..."  --weight=1
 ### Use these lines if you need a database for the application.
 ### `ynh_mysql_setup_db` will create a database, an associated user and a ramdom password.
 ### The password will be stored as 'mysqlpwd' into the app settings,
 ### and will be available as $db_pwd
 ### If you're not using these lines:
 ###		- Remove the section "BACKUP THE MYSQL DATABASE" in the backup script
 ###		- Remove also the section "REMOVE THE MYSQL DATABASE" in the remove script
 ###		- As well as the section "RESTORE THE MYSQL DATABASE" in the restore script
 # db_name=$(ynh_sanitize_dbid --db_name=$app)
 # db_user=$db_name
 # ynh_app_setting_set --app=$app --key=db_name --value=$db_name
 # ynh_mysql_setup_db --db_user=$db_user --db_name=$db_name
 #=================================================
 # DOWNLOAD, CHECK AND UNPACK SOURCE
 #=================================================
 ynh_script_progression --message="Setting up source files..." --weight=1
 ### `ynh_setup_source` is used to install an app from a zip or tar.gz file,
 ### downloaded from an upstream source, like a git repository.
 ### `ynh_setup_source` use the file conf/app.src
 ynh_app_setting_set --app=$app --key=final_path --value=$final_path
 # Download, check integrity, uncompress and patch the source from app.src
 ynh_setup_source --dest_dir="$final_path"
 # FIXME: this should be managed by the core in the future
 # Here, as a packager, you may have to tweak the ownerhsip/permissions
 # such that the appropriate users (e.g. maybe www-data) can access
 # files in some cases.
 # But FOR THE LOVE OF GOD, do not allow r/x for "others" on the entire folder -
 # this will be treated as a security issue.
 chmod 750 "$final_path"
 chmod -R o-rwx "$final_path"
 chown -R $app:www-data "$final_path"
 #=================================================
 # NGINX CONFIGURATION
 #=================================================
 ynh_script_progression --message="Configuring NGINX web server..."  --weight=1
 ### `ynh_add_nginx_config` will use the file conf/nginx.conf
 # Create a dedicated NGINX config
 ynh_add_nginx_config
 #=================================================
 # PHP-FPM CONFIGURATION
 #=================================================
 ynh_script_progression --message="Configuring PHP-FPM..." --weight=1
 ### `ynh_add_fpm_config` is used to set up a PHP config.
 ### You can remove it if your app doesn't use PHP.
 ### `ynh_add_fpm_config` will use the files conf/php-fpm.conf
 ### If you're not using these lines:
 ###		- You can remove these files in conf/.
 ###		- Remove the section "BACKUP THE PHP-FPM CONFIGURATION" in the backup script
 ###		- Remove also the section "REMOVE PHP-FPM CONFIGURATION" in the remove script
 ###		- As well as the section "RESTORE THE PHP-FPM CONFIGURATION" in the restore script
 ###		  with the reload at the end of the script.
 ###		- And the section "PHP-FPM CONFIGURATION" in the upgrade script
 # Create a dedicated PHP-FPM config
 ynh_add_fpm_config
 #=================================================
-# SPECIFIC SETUP
+# NGINX CONFIGURATION
 #=================================================
 # ...
 #=================================================
 ynh_script_progression --message="Configuring NGINX web server..." --weight=1
-#=================================================
+# Create a dedicated NGINX config
-# CREATE DATA DIRECTORY
+ynh_add_nginx_config
 #=================================================
 # ynh_script_progression --message="Creating a data directory..."  --weight=1
 ### Use these lines if you need to create a directory to store "persistent files" for the application.
 ### Usually this directory is used to store uploaded files or any file that won't be updated during 
 ### an upgrade and that won't be deleted during app removal unless "--purge" option is used.
 ### If you're not using these lines:
 ###		- Remove the section "BACKUP THE DATA DIR" in the backup script
 ###		- Remove the section "RESTORE THE DATA DIRECTORY" in the restore script
 ###     - As well as the section "REMOVE DATA DIR" in the remove script
 # datadir=/home/yunohost.app/$app
 # ynh_app_setting_set --app=$app --key=datadir --value=$datadir
 # mkdir -p $datadir
 # FIXME: this should be managed by the core in the future
 # Here, as a packager, you may have to tweak the ownerhsip/permissions
 # such that the appropriate users (e.g. maybe www-data) can access
 # files in some cases.
 # But FOR THE LOVE OF GOD, do not allow r/x for "others" on the entire folder -
 # this will be treated as a security issue.
 # chmod 750 "$datadir"
 # chmod -R o-rwx "$datadir"
 # chown -R $app:www-data "$datadir"
 #=================================================
 # ADD A CONFIGURATION
 #=================================================
 # ynh_script_progression --message="Adding a configuration file..."  --weight=1
 ### You can add specific configuration files.
 ###
 ### Typically, put your template conf file in ../conf/your_config_file
 ### The template may contain strings such as __FOO__ or __FOO_BAR__,
 ### which will automatically be replaced by the values of $foo and $foo_bar
 ###
 ### ynh_add_config will also keep track of the config file's checksum,
 ### which later during upgrade may allow to automatically backup the config file
 ### if it's found that the file was manually modified
 ###
 ### Check the documentation of `ynh_add_config` for more info.
 # ynh_add_config --template="some_config_file" --destination="$final_path/some_config_file"
 # FIXME: this should be handled by the core in the future
 # You may need to use chmod 600 instead of 400,
 # for example if the app is expected to be able to modify its own config
 # chmod 400 "$final_path/some_config_file"
 # chown $app:$app "$final_path/some_config_file"
 ### For more complex cases where you want to replace stuff using regexes,
 ### you shoud rely on ynh_replace_string (which is basically a wrapper for sed)
 ### When doing so, you also need to manually call ynh_store_file_checksum
 ###
 ### ynh_replace_string --match_string="match_string" --replace_string="replace_string" --target_file="$final_path/some_config_file"
 ### ynh_store_file_checksum --file="$final_path/some_config_file"
 #=================================================
 # SETUP SYSTEMD
 #=================================================
 # ynh_script_progression --message="Configuring a systemd service..."  --weight=1
 ### `ynh_systemd_config` is used to configure a systemd script for an app.
 ### It can be used for apps that use sysvinit (with adaptation) or systemd.
 ### Have a look at the app to be sure this app needs a systemd script.
 ### `ynh_systemd_config` will use the file conf/systemd.service
 ### If you're not using these lines:
 ###		- You can remove those files in conf/.
 ###		- Remove the section "BACKUP SYSTEMD" in the backup script
 ###		- Remove also the section "STOP AND REMOVE SERVICE" in the remove script
 ###		- As well as the section "RESTORE SYSTEMD" in the restore script
 ###		- And the section "SETUP SYSTEMD" in the upgrade script
 # Create a dedicated systemd config
 # ynh_add_systemd_config
 #=================================================
 # SETUP APPLICATION WITH CURL
 #=================================================
 ### Use these lines only if the app installation needs to be finalized through
 ### web forms. We generally don't want to ask the final user,
 ### so we're going to use curl to automatically fill the fields and submit the
 ### forms.
 # Set the app as temporarily public for curl call
 # ynh_script_progression --message="Configuring SSOwat..."  --weight=1
 # Making the app public for curl
 # ynh_permission_update --permission="main" --add="visitors"
 # Installation with curl
 # ynh_script_progression --message="Finalizing installation..."  --weight=1
 # ynh_local_curl "/INSTALL_PATH" "key1=value1" "key2=value2" "key3=value3"
 # Remove the public access
 # ynh_permission_update --permission="main" --remove="visitors"
 #=================================================
 # GENERIC FINALIZATION
 #=================================================
 # SETUP LOGROTATE
 #=================================================
 # ynh_script_progression --message="Configuring log rotation..."  --weight=1
 ### `ynh_use_logrotate` is used to configure a logrotate configuration for the logs of this app.
 ### Use this helper only if there is effectively a log file for this app.
 ### If you're not using this helper:
 ###		- Remove the section "BACKUP LOGROTATE" in the backup script
 ###		- Remove also the section "REMOVE LOGROTATE CONFIGURATION" in the remove script
 ###		- As well as the section "RESTORE THE LOGROTATE CONFIGURATION" in the restore script
 ###		- And the section "SETUP LOGROTATE" in the upgrade script
 # Use logrotate to manage application logfile(s)
 # ynh_use_logrotate
 #=================================================
 # INTEGRATE SERVICE IN YUNOHOST
 #=================================================
 # ynh_script_progression --message="Integrating service in YunoHost..."  --weight=1
 ### `yunohost service add` integrates a service in YunoHost. It then gets
 ### displayed in the admin interface and through the others `yunohost service` commands.
 ### (N.B.: this line only makes sense if the app adds a service to the system!)
 ### If you're not using these lines:
 ###		- You can remove these files in conf/.
 ###		- Remove the section "REMOVE SERVICE INTEGRATION IN YUNOHOST" in the remove script
 ###		- As well as the section "INTEGRATE SERVICE IN YUNOHOST" in the restore script
 ###		- And the section "INTEGRATE SERVICE IN YUNOHOST" in the upgrade script
 # yunohost service add $app --description="A short description of the app" --log="/var/log/$app/$app.log"
 ### Additional options starting with 3.8:
 ###
 ### --needs_exposed_ports "$port" a list of ports that needs to be publicly exposed
 ###                               which will then be checked by YunoHost's diagnosis system
 ###                               (N.B. DO NOT USE THIS is the port is only internal!!!)
 ###
 ### --test_status "some command"  a custom command to check the status of the service
 ###                               (only relevant if 'systemctl status' doesn't do a good job)
 ###
 ### --test_conf "some command"    some command similar to "nginx -t" that validates the conf of the service
 ###
 ### Re-calling 'yunohost service add' during the upgrade script is the right way
 ### to proceed if you later realize that you need to enable some flags that
 ### weren't enabled on old installs (be careful it'll override the existing
 ### service though so you should re-provide all relevant flags when doing so)
 #=================================================
 # START SYSTEMD SERVICE
 #=================================================
 # ynh_script_progression --message="Starting a systemd service..."  --weight=1
 ### `ynh_systemd_action` is used to start a systemd service for an app.
 ### Only needed if you have configure a systemd service
 ### If you're not using these lines:
 ###		- Remove the section "STOP SYSTEMD SERVICE" and "START SYSTEMD SERVICE" in the backup script
 ###		- As well as the section "START SYSTEMD SERVICE" in the restore script
 ###		- As well as the section"STOP SYSTEMD SERVICE" and "START SYSTEMD SERVICE" in the upgrade script
 ###		- And the section "STOP SYSTEMD SERVICE" and "START SYSTEMD SERVICE" in the change_url script
 # Start a systemd service
 # ynh_systemd_action --service_name=$app --action="start" --log_path="/var/log/$app/$app.log"
 #=================================================
 # SETUP FAIL2BAN
 #=================================================
 # ynh_script_progression --message="Configuring Fail2Ban..."  --weight=1
 # Create a dedicated Fail2Ban config
 # ynh_add_fail2ban_config --logpath="/var/log/nginx/${domain}-error.log" --failregex="Regex to match into the log for a failed login"
 #=================================================
 # SETUP SSOWAT
 #=================================================
 # ynh_script_progression --message="Configuring permissions..."  --weight=1
 # Make app public if necessary
 # if [ $is_public -eq 1 ]
 # then
 	# Everyone can access the app.
 	# The "main" permission is automatically created before the install script.
 #	ynh_permission_update --permission="main" --add="visitors"
 # fi
 ### N.B. : the following extra permissions only make sense if your app
 ### does have for example an admin interface or an API.
 # Only the admin can access the admin panel of the app (if the app has an admin panel)
 # ynh_permission_create --permission="admin" --url="/admin" --allowed=$admin
 # Everyone can access the API part
 # We don't want to display the tile in the SSO so we put --show_tile="false"
 # And we don't want the YunoHost admin to be able to remove visitors group to this permission, so we put --protected="true"
 # ynh_permission_create --permission="api" --url="/api" --allowed="visitors" --show_tile="false" --protected="true"
 #=================================================
 # RELOAD NGINX
--- a/scripts/remove
+++ b/scripts/remove
@ -17,48 +17,7 @@ ynh_script_progression --message="Loading installation settings..."  --weight=1
 app=$YNH_APP_INSTANCE_NAME
 domain=$(ynh_app_setting_get --app=$app --key=domain)
 # port=$(ynh_app_setting_get --app=$app --key=port)
 # db_name=$(ynh_app_setting_get --app=$app --key=db_name)
 # db_user=$db_name
 final_path=$(ynh_app_setting_get --app=$app --key=final_path)
 # datadir=$(ynh_app_setting_get --app=$app --key=datadir)
 #=================================================
 # STANDARD REMOVE
 #=================================================
 # REMOVE SERVICE INTEGRATION IN YUNOHOST
 #=================================================
 # Remove the service from the list of services known by YunoHost (added from `yunohost service add`)
 # if ynh_exec_warn_less yunohost service status $app >/dev/null
 # then
 # 	ynh_script_progression --message="Removing $app service integration..."  --weight=1
 # 	yunohost service remove $app
 # fi
 #=================================================
 # STOP AND REMOVE SERVICE
 #=================================================
 # ynh_script_progression --message="Stopping and removing the systemd service..."  --weight=1
 # Remove the dedicated systemd config
 # ynh_remove_systemd_config
 #=================================================
 # REMOVE LOGROTATE CONFIGURATION
 #=================================================
 # ynh_script_progression --message="Removing logrotate configuration..."  --weight=1
 # Remove the app-specific logrotate config
 # ynh_remove_logrotate
 #=================================================
 # REMOVE THE MYSQL DATABASE
 #=================================================
 # ynh_script_progression --message="Removing the MySQL database..."  --weight=1
 # Remove a database if it exists, along with the associated user
 # ynh_mysql_remove_db --db_user=$db_user --db_name=$db_name
 #=================================================
 # REMOVE APP MAIN DIR
@ -68,25 +27,6 @@ ynh_script_progression --message="Removing app main directory..."  --weight=1
 # Remove the app directory securely
 ynh_secure_remove --file="$final_path"
 #=================================================
 # REMOVE DATA DIR
 #=================================================
 # Remove the data directory if --purge option is used
 # if [ "${YNH_APP_PURGE:-0}" -eq 1 ]
 # then
 # 	ynh_script_progression --message="Removing app data directory..."  --weight=1
 # 	ynh_secure_remove --file="$datadir"
 # fi
 #=================================================
 # REMOVE NGINX CONFIGURATION
 #=================================================
 ynh_script_progression --message="Removing NGINX web server configuration..."  --weight=1
 # Remove the dedicated NGINX config
 ynh_remove_nginx_config
 #=================================================
 # REMOVE PHP-FPM CONFIGURATION
 #=================================================
@ -96,46 +36,12 @@ ynh_script_progression --message="Removing PHP-FPM configuration..."  --weight=1
 ynh_remove_fpm_config
 #=================================================
-# REMOVE DEPENDENCIES
+# REMOVE NGINX CONFIGURATION
 #=================================================
-# ynh_script_progression --message="Removing dependencies..."  --weight=1
+ynh_script_progression --message="Removing NGINX web server configuration..." --weight=1
-# Remove metapackage and its dependencies
+# Remove the dedicated NGINX config
-# ynh_remove_app_dependencies
+ynh_remove_nginx_config
 #=================================================
 # CLOSE A PORT
 #=================================================
 # if yunohost firewall list | grep -q "\- $port$"
 # then
 # 	ynh_script_progression --message="Closing port $port..."  --weight=1
 # 	ynh_exec_warn_less yunohost firewall disallow TCP $port
 # fi
 #=================================================
 # REMOVE FAIL2BAN CONFIGURATION
 #=================================================
 # ynh_script_progression --message="Removing Fail2Ban configuration..."  --weight=1
 # Remove the dedicated Fail2Ban config
 # ynh_remove_fail2ban_config
 #=================================================
 # SPECIFIC REMOVE
 #=================================================
 # REMOVE VARIOUS FILES
 #=================================================
 # ynh_script_progression --message="Removing various files..."  --weight=1
 # Remove a cron file
 # ynh_secure_remove --file="/etc/cron.d/$app"
 # Remove a directory securely
 # ynh_secure_remove --file="/etc/$app"
 # Remove the log files
 # ynh_secure_remove --file="/var/log/$app"
 #=================================================
 # GENERIC FINALIZATION
--- a/scripts/restore
+++ b/scripts/restore
@ -31,10 +31,7 @@ app=$YNH_APP_INSTANCE_NAME
 domain=$(ynh_app_setting_get --app=$app --key=domain)
 path_url=$(ynh_app_setting_get --app=$app --key=path)
 final_path=$(ynh_app_setting_get --app=$app --key=final_path)
 # db_name=$(ynh_app_setting_get --app=$app --key=db_name)
 # db_user=$db_name
 phpversion=$(ynh_app_setting_get --app=$app --key=phpversion)
 # datadir=$(ynh_app_setting_get --app=$app --key=datadir)
 #=================================================
 # CHECK IF THE APP CAN BE RESTORED
@ -68,35 +65,10 @@ ynh_script_progression --message="Restoring the app main directory..."  --weight
 ynh_restore_file --origin_path="$final_path"
 # FIXME: this should be managed by the core in the future
 # Here, as a packager, you may have to tweak the ownerhsip/permissions
 # such that the appropriate users (e.g. maybe www-data) can access
 # files in some cases.
 # But FOR THE LOVE OF GOD, do not allow r/x for "others" on the entire folder -
 # this will be treated as a security issue.
 chmod 750 "$final_path"
 chmod -R o-rwx "$final_path"
 chown -R $app:www-data "$final_path"
 #=================================================
 # RESTORE THE DATA DIRECTORY
 #=================================================
 # ynh_script_progression --message="Restoring the data directory..."  --weight=1
 # ynh_restore_file --origin_path="$datadir" --not_mandatory
 # mkdir -p $datadir
 # FIXME: this should be managed by the core in the future
 # Here, as a packager, you may have to tweak the ownerhsip/permissions
 # such that the appropriate users (e.g. maybe www-data) can access
 # files in some cases.
 # But FOR THE LOVE OF GOD, do not allow r/x for "others" on the entire folder -
 # this will be treated as a security issue.
 # chmod 750 "$datadir"
 # chmod -R o-rwx "$datadir"
 # chown -R $app:www-data "$datadir"
 #=================================================
 # RESTORE THE PHP-FPM CONFIGURATION
 #=================================================
@ -104,72 +76,6 @@ ynh_script_progression --message="Restoring the PHP-FPM configuration..."  --wei
 ynh_restore_file --origin_path="/etc/php/$phpversion/fpm/pool.d/$app.conf"
 #=================================================
 # RESTORE FAIL2BAN CONFIGURATION
 #=================================================
 # ynh_script_progression --message="Restoring the Fail2Ban configuration..."  --weight=1
 # ynh_restore_file --origin_path="/etc/fail2ban/jail.d/$app.conf"
 # ynh_restore_file --origin_path="/etc/fail2ban/filter.d/$app.conf"
 # ynh_systemd_action --action=restart --service_name=fail2ban
 #=================================================
 # SPECIFIC RESTORATION
 #=================================================
 # REINSTALL DEPENDENCIES
 #=================================================
 # ynh_script_progression --message="Reinstalling dependencies..."  --weight=1
 # Define and install dependencies
 # ynh_install_app_dependencies $pkg_dependencies
 #=================================================
 # RESTORE THE MYSQL DATABASE
 #=================================================
 # ynh_script_progression --message="Restoring the MySQL database..."  --weight=1
 # db_pwd=$(ynh_app_setting_get --app=$app --key=mysqlpwd)
 # ynh_mysql_setup_db --db_user=$db_user --db_name=$db_name --db_pwd=$db_pwd
 # ynh_mysql_connect_as --user=$db_user --password=$db_pwd --database=$db_name < ./db.sql
 #=================================================
 # RESTORE VARIOUS FILES
 #=================================================
 # ynh_script_progression --message="Restoring various files..."  --weight=1
 # ynh_restore_file --origin_path="/etc/cron.d/$app"
 # ynh_restore_file --origin_path="/etc/$app/"
 #=================================================
 # RESTORE SYSTEMD
 #=================================================
 # ynh_script_progression --message="Restoring the systemd configuration..."  --weight=1
 # ynh_restore_file --origin_path="/etc/systemd/system/$app.service"
 # systemctl enable $app.service --quiet
 #=================================================
 # RESTORE THE LOGROTATE CONFIGURATION
 #=================================================
 # ynh_script_progression --message="Restoring the logrotate configuration..."  --weight=1
 # ynh_restore_file --origin_path="/etc/logrotate.d/$app"
 #=================================================
 # INTEGRATE SERVICE IN YUNOHOST
 #=================================================
 # ynh_script_progression --message="Integrating service in YunoHost..."  --weight=1
 # yunohost service add $app --description="A short description of the app" --log="/var/log/$app/$app.log"
 #=================================================
 # START SYSTEMD SERVICE
 #=================================================
 # ynh_script_progression --message="Starting a systemd service..."  --weight=1
 # ynh_systemd_action --service_name=$app --action="start" --log_path="/var/log/$app/$app.log"
 #=================================================
 # GENERIC FINALIZATION
 #=================================================
--- a/scripts/upgrade
+++ b/scripts/upgrade
@ -18,21 +18,12 @@ app=$YNH_APP_INSTANCE_NAME
 domain=$(ynh_app_setting_get --app=$app --key=domain)
 path_url=$(ynh_app_setting_get --app=$app --key=path)
 # language=$(ynh_app_setting_get --app=$app --key=language)
 # admin=$(ynh_app_setting_get --app=$app --key=admin)
 final_path=$(ynh_app_setting_get --app=$app --key=final_path)
 # db_name=$(ynh_app_setting_get --app=$app --key=db_name)
 #=================================================
 # CHECK VERSION
 #=================================================
 ### This helper will compare the version of the currently installed app and the version of the upstream package.
 ### $upgrade_type can have 2 different values
 ### - UPGRADE_APP if the upstream app version has changed
 ### - UPGRADE_PACKAGE if only the YunoHost package has changed
 ### ynh_check_app_version_changed will stop the upgrade if the app is up to date.
 ### UPGRADE_APP should be used to upgrade the core app only if there's an upgrade to do.
 upgrade_type=$(ynh_check_app_version_changed)
 #=================================================
@ -49,41 +40,11 @@ ynh_clean_setup () {
 # Exit if an error occurs during the execution of the script
 ynh_abort_if_errors
 #=================================================
 # STANDARD UPGRADE STEPS
 #=================================================
 # STOP SYSTEMD SERVICE
 #=================================================
 # ynh_script_progression --message="Stopping a systemd service..."  --weight=1
 # ynh_systemd_action --service_name=$app --action="stop" --log_path="/var/log/$app/$app.log"
 #=================================================
 # ENSURE DOWNWARD COMPATIBILITY
 #=================================================
 ynh_script_progression --message="Ensuring downward compatibility..." --weight=1
 #
 # N.B. : the followings setting migrations snippets are provided as *EXAMPLES*
 # of what you may want to do in some cases (e.g. a setting was not defined on
 # some legacy installs and you therefore want to initiaze stuff during upgrade)
 #
 # If db_name doesn't exist, create it
 #if [ -z "$db_name" ]; then
 #	db_name=$(ynh_sanitize_dbid --db_name=$app)
 #	ynh_app_setting_set --app=$app --key=db_name --value=$db_name
 #fi
 # If final_path doesn't exist, create it
 #if [ -z "$final_path" ]; then
 #	final_path=/var/www/$app
 #	ynh_app_setting_set --app=$app --key=final_path --value=$final_path
 #fi
 ### If nobody installed your app before 4.1,
 ### then you may safely remove these lines
 # Cleaning legacy permissions
 if ynh_legacy_permissions_exists; then
 	ynh_legacy_permissions_delete_all
@ -91,16 +52,6 @@ if ynh_legacy_permissions_exists; then
 	ynh_app_setting_delete --app=$app --key=is_public
 fi
 # if ! ynh_permission_exists --permission="admin"; then
 	# Create the required permissions
 #	ynh_permission_create --permission="admin" --url="/admin" --allowed=$admin
 # fi
 # Create a permission if needed
 # if ! ynh_permission_exists --permission="api"; then
 #	ynh_permission_create --permission="api" --url="/api" --allowed="visitors" --show_tile="false" --protected="true"
 # fi
 #=================================================
 # CREATE DEDICATED USER
 #=================================================
@ -121,31 +72,10 @@ then
 	ynh_setup_source --dest_dir="$final_path"
 fi
 # FIXME: this should be managed by the core in the future
 # Here, as a packager, you may have to tweak the ownerhsip/permissions
 # such that the appropriate users (e.g. maybe www-data) can access
 # files in some cases.
 # But FOR THE LOVE OF GOD, do not allow r/x for "others" on the entire folder -
 # this will be treated as a security issue.
 chmod 750 "$final_path"
 chmod -R o-rwx "$final_path"
 chown -R $app:www-data "$final_path"
 #=================================================
 # NGINX CONFIGURATION
 #=================================================
 ynh_script_progression --message="Upgrading NGINX web server configuration..."  --weight=1
 # Create a dedicated NGINX config
 ynh_add_nginx_config
 #=================================================
 # UPGRADE DEPENDENCIES
 #=================================================
 # ynh_script_progression --message="Upgrading dependencies..."  --weight=1
 # ynh_install_app_dependencies $pkg_dependencies
 #=================================================
 # PHP-FPM CONFIGURATION
 #=================================================
@ -155,75 +85,12 @@ ynh_script_progression --message="Upgrading PHP-FPM configuration..."  --weight=
 ynh_add_fpm_config
 #=================================================
-# SPECIFIC UPGRADE
+# NGINX CONFIGURATION
 #=================================================
 # ...
 #=================================================
 ynh_script_progression --message="Upgrading NGINX web server configuration..." --weight=1
-#=================================================
+# Create a dedicated NGINX config
-# UPDATE A CONFIG FILE
+ynh_add_nginx_config
 #=================================================
 # ynh_script_progression --message="Updating a configuration file..."  --weight=1
 ### Same as during install
 ###
 ### The file will automatically be backed-up if it's found to be manually modified (because
 ### ynh_add_config keeps track of the file's checksum)
 # ynh_add_config --template="some_config_file" --destination="$final_path/some_config_file"
 # FIXME: this should be handled by the core in the future
 # You may need to use chmod 600 instead of 400,
 # for example if the app is expected to be able to modify its own config
 # chmod 400 "$final_path/some_config_file"
 # chown $app:$app "$final_path/some_config_file"
 ### For more complex cases where you want to replace stuff using regexes,
 ### you shoud rely on ynh_replace_string (which is basically a wrapper for sed)
 ### When doing so, you also need to manually call ynh_store_file_checksum
 ###
 ### ynh_replace_string --match_string="match_string" --replace_string="replace_string" --target_file="$final_path/some_config_file"
 ### ynh_store_file_checksum --file="$final_path/some_config_file"
 #=================================================
 # SETUP SYSTEMD
 #=================================================
 # ynh_script_progression --message="Upgrading systemd configuration..."  --weight=1
 # Create a dedicated systemd config
 # ynh_add_systemd_config
 #=================================================
 # GENERIC FINALIZATION
 #=================================================
 # SETUP LOGROTATE
 #=================================================
 # ynh_script_progression --message="Upgrading logrotate configuration..."  --weight=1
 # Use logrotate to manage app-specific logfile(s)
 # ynh_use_logrotate --non-append
 #=================================================
 # INTEGRATE SERVICE IN YUNOHOST
 #=================================================
 # ynh_script_progression --message="Integrating service in YunoHost..."  --weight=1
 # yunohost service add $app --description="A short description of the app" --log="/var/log/$app/$app.log"
 #=================================================
 # START SYSTEMD SERVICE
 #=================================================
 # ynh_script_progression --message="Starting a systemd service..."  --weight=1
 # ynh_systemd_action --service_name=$app --action="start" --log_path="/var/log/$app/$app.log"
 #=================================================
 # UPGRADE FAIL2BAN
 #=================================================
 # ynh_script_progression --message="Reconfiguring Fail2Ban..."  --weight=1
 # Create a dedicated Fail2Ban config
 # ynh_add_fail2ban_config --logpath="/var/log/nginx/${domain}-error.log" --failregex="Regex to match into the log for a failed login"
 #=================================================
 # RELOAD NGINX