2024-09-03 20:06:31 +02:00
248 changed files with 15898 additions and 11070 deletions
--- a/.github/workflows/autoblack.yml
+++ b/.github/workflows/autoblack.yml
@ -1,35 +0,0 @@
 name: Check / auto apply Black
 on:
  push:
      branches:
          - dev
 jobs:
  black:
    name: Check / auto apply black
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Check files using the black formatter
        uses: psf/black@stable
        id: black
        with:
          options: "."
        continue-on-error: true
      - shell: pwsh
        id: check_files_changed
        run: |
          # Diff HEAD with the previous commit
          $diff = git diff
          $HasDiff = $diff.Length -gt 0
          Write-Host "::set-output name=files_changed::$HasDiff"
      - name: Create Pull Request
        if: steps.check_files_changed.outputs.files_changed == 'true'
        uses: peter-evans/create-pull-request@v6
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
          title: "Format Python code with Black"
          commit-message: ":art: Format Python code with Black"
          body: |
            This pull request uses the [psf/black](https://github.com/psf/black) formatter.
          base: ${{ github.head_ref }} # Creates pull request onto pull request or commit branch
          branch: actions/black
--- a/.github/workflows/i18n.yml
+++ b/.github/workflows/i18n.yml
@ -1,29 +0,0 @@
 name: Autoreformat locale files
 on:
  push:
      branches:
          - dev
 jobs:
  i18n:
    name: Autoreformat locale files
    runs-on: ubuntu-latest
    steps:
        - uses: actions/checkout@v4
        - name: Apply reformating scripts
          id: action_reformat
          run: |
              python3 test/remove_stale_i18n_strings.py
              python3 test/autofix_locale_format.py
              python3 test/reformat_locales.py
              git diff -w --exit-code
        - name: Create Pull Request
          if: ${{ failure() }}
          uses: peter-evans/create-pull-request@v6
          with:
            token: ${{ secrets.GITHUB_TOKEN }}
            title: "Reformat locale files"
            commit-message: ":robot: Reformat locale files"
            body: |
              Automatic pull request using the scripts in `test/`
            base: ${{ github.head_ref }}
            branch: actions/i18nreformat
--- a/.github/workflows/tox.yml
+++ b/.github/workflows/tox.yml
@ -1,49 +0,0 @@
 name: Tests
 on:
  push:
      branches:
          - dev
          - bullseye
  pull_request:
 jobs:
  test:
    runs-on: ubuntu-latest
    strategy:
      matrix:
        python-version: [3.9]
    steps:
    - uses: actions/checkout@v4
    - name: Set up Python ${{ matrix.python-version }}
      uses: actions/setup-python@v5
      with:
        python-version: ${{ matrix.python-version }}
    - name: Install apt dependencies
      run: sudo apt install ldap-utils slapd libsasl2-dev libldap2-dev libssl-dev
    - name: Install tox
      run: |
        python -m pip install --upgrade pip
        pip install tox tox-gh-actions
    - name: Test with tox
      run: tox -e py39-pytest
  invalidcode:
    runs-on: ubuntu-latest
    strategy:
      matrix:
        python-version: [3.9]
    steps:
    - uses: actions/checkout@v4
    - name: Set up Python ${{ matrix.python-version }}
      uses: actions/setup-python@v5
      with:
        python-version: ${{ matrix.python-version }}
    - name: Install tox
      run: |
        python -m pip install --upgrade pip
        pip install tox tox-gh-actions
    - name: Linter
      run: tox -e py39-invalidcode
    - name: Mypy
      run: tox -e py39-mypy
--- a/.gitignore
+++ b/.gitignore
@ -1,8 +1,5 @@
 *.py[co]
 # Documentation
 doc/_build/
 # Packages
 *.egg
 *.egg-info
@ -13,7 +10,6 @@ dist
 build
 eggs
 parts
 bin
 cache
 var
 sdist
@ -34,11 +30,5 @@ pip-log.txt
 # Mr Developer
 .mr.developer.cfg
-# Moulinette
+# moulinette lib
-doc/*.json
+src/yunohost/locales
 moulinette/package.py
 # track only test namespace
 lib/**
 !lib/test
 data/actionsmap/**
 !data/actionsmap/test.yml
--- a/CONTRIBUTORS.md
+++ b/CONTRIBUTORS.md
@ -1,70 +0,0 @@
 Moulinette contributors
 =======================
 YunoHost is built and maintained by the YunoHost project community.
 Everyone is encouraged to submit issues and changes, and to contribute in other ways -- see https://yunohost.org/contribute to find out how.
 --
 Initial Moulinette was built by Kload & jerome, for YunoHost v2.
 Most of actual Moulinette code was written by jerome, with help of numerous contributors.
 Translation is made by a bunch of lovely people all over the world.
 We would like to thank anyone who ever helped the YunoHost project <3
 Moulinette Contributors
 -----------------------
 - Kload
 - Jérôme Lebleu
 - Adrien 'beudbeud' Beudin
 - titoko
 - Laurent 'Bram' Peuch
 - Julien 'ju' Malik
 - npze
 - lmangani
 - Valentin 'zamentur' / 'ljf' Grimaud
 - dblugeon
 Moulinette Translators
 ----------------------
 If you want to help translation, please visit https://translate.yunohost.org/projects/yunohost/yunohost/
 ### Dutch
 - marut
 ### English
 - Anmol
 ### French
 - Bobo
 - Laurent Peuch
 - Jean-Baptiste Holcroft
 - Jérôme Lebleu
 ### German
 - David Bartke
 - Felix Bartels
 - Marvin Gärtner
 ### Hindi
 - Anmol
 ### Portuguese
 - frju
 ### Spanish
 - Juanu
--- a/85
+++ b/85
@ -7,15 +7,15 @@
                            Preamble
-  The GNU Affero General Public License is a free, copyleft license
+  The GNU Affero General Public License is a free, copyleft license for
-for software and other kinds of works, specifically designed to ensure
+software and other kinds of works, specifically designed to ensure
 cooperation with the community in the case of network server software.
-  The licenses for most software and other practical works are
+  The licenses for most software and other practical works are designed
-designed to take away your freedom to share and change the works.  By
+to take away your freedom to share and change the works.  By contrast,
-contrast, our General Public Licenses are intended to guarantee your
+our General Public Licenses are intended to guarantee your freedom to
-freedom to share and change all versions of a program--to make sure it
+share and change all versions of a program--to make sure it remains free
-remains free software for all its users.
+software for all its users.
  When we speak of free software, we are referring to freedom, not
 price.  Our General Public Licenses are designed to make sure that you
@ -60,12 +60,11 @@ modification follow.
  0. Definitions.
-  "This License" refers to version 3 of the GNU Affero General Public
+  "This License" refers to version 3 of the GNU Affero General Public License.
-License.
+
  "Copyright" also means copyright-like laws that apply to other kinds of
 works, such as semiconductor masks.
  "Copyright" also means copyright-like laws that apply to other kinds
 of works, such as semiconductor masks.
  "The Program" refers to any copyrightable work licensed under this
 License.  Each licensee is addressed as "you".  "Licensees" and
 "recipients" may be individuals or organizations.
@ -377,12 +376,12 @@ that material) supplement the terms of this License with terms:
  All other non-permissive additional terms are considered "further
 restrictions" within the meaning of section 10.  If the Program as you
 received it, or any part of it, contains a notice stating that it is
-governed by this License along with a term that is a further restriction,
+governed by this License along with a term that is a further
-you may remove that term.  If a license document contains a further
+restriction, you may remove that term.  If a license document contains
-restriction but permits relicensing or conveying under this License, you
+a further restriction but permits relicensing or conveying under this
-may add to a covered work material governed by the terms of that license
+License, you may add to a covered work material governed by the terms
-document, provided that the further restriction does not survive such
+of that license document, provided that the further restriction does
-relicensing or conveying.
+not survive such relicensing or conveying.
  If you add terms to a covered work in accord with this section, you
 must place, in the relevant source files, a statement of the
@ -551,34 +550,34 @@ shall include the Corresponding Source for any work covered by version 3
 of the GNU General Public License that is incorporated pursuant to the
 following paragraph.
-  Notwithstanding any other provision of this License, you have permission
+  Notwithstanding any other provision of this License, you have
-to link or combine any covered work with a work licensed under version 3
+permission to link or combine any covered work with a work licensed
-of the GNU General Public License into a single combined work, and to
+under version 3 of the GNU General Public License into a single
-convey the resulting work.  The terms of this License will continue to
+combined work, and to convey the resulting work.  The terms of this
-apply to the part which is the covered work, but the work with which it is
+License will continue to apply to the part which is the covered work,
-combined will remain governed by version 3 of the GNU General Public
+but the work with which it is combined will remain governed by version
-License.
+3 of the GNU General Public License.
  14. Revised Versions of this License.
  The Free Software Foundation may publish revised and/or new versions of
-the GNU Affero General Public License from time to time.  Such new
+the GNU Affero General Public License from time to time.  Such new versions
-versions will be similar in spirit to the present version, but may differ
+will be similar in spirit to the present version, but may differ in detail to
-in detail to address new problems or concerns.
+address new problems or concerns.
  Each version is given a distinguishing version number.  If the
-Program specifies that a certain numbered version of the GNU Affero
+Program specifies that a certain numbered version of the GNU Affero General
-General Public License "or any later version" applies to it, you have
+Public License "or any later version" applies to it, you have the
-the option of following the terms and conditions either of that
+option of following the terms and conditions either of that numbered
-numbered version or of any later version published by the Free
+version or of any later version published by the Free Software
-Software Foundation.  If the Program does not specify a version number
+Foundation.  If the Program does not specify a version number of the
-of the GNU Affero General Public License, you may choose any version
+GNU Affero General Public License, you may choose any version ever published
-ever published by the Free Software Foundation.
+by the Free Software Foundation.
  If the Program specifies that a proxy can decide which future
-versions of the GNU Affero General Public License can be used, that
+versions of the GNU Affero General Public License can be used, that proxy's
-proxy's public statement of acceptance of a version permanently
+public statement of acceptance of a version permanently authorizes you
-authorizes you to choose that version for the Program.
+to choose that version for the Program.
  Later license versions may give you additional or different
 permissions.  However, no additional obligations are imposed on any
@ -617,9 +616,9 @@ an absolute waiver of all civil liability in connection with the
 Program, unless a warranty or assumption of liability accompanies a
 copy of the Program in return for a fee.
-                       END OF TERMS AND CONDITIONS
+                     END OF TERMS AND CONDITIONS
-              How to Apply These Terms to Your New Programs
+            How to Apply These Terms to Your New Programs
  If you develop a new program, and you want it to be of the greatest
 possible use to the public, the best way to achieve this is to make it
@ -634,9 +633,9 @@ the "copyright" line and a pointer to where the full notice is found.
    Copyright (C) <year>  <name of author>
    This program is free software: you can redistribute it and/or modify
-    it under the terms of the GNU Affero General Public License as
+    it under the terms of the GNU Affero General Public License as published
-    published by the Free Software Foundation, either version 3 of the
+    by the Free Software Foundation, either version 3 of the License, or
-    License, or (at your option) any later version.
+    (at your option) any later version.
    This program is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
--- a/README.md
+++ b/README.md
@ -1,46 +1,2 @@
-<h1 align="center">Moulinette</h1>
+Please report issues here (no registration needed):
-
+https://dev.yunohost.org/projects/yunohost/issues
 <div align="center">
 ![Version](https://img.shields.io/github/v/tag/yunohost/moulinette?label=version&sort=semver)
 [![Tests status](https://github.com/YunoHost/moulinette/actions/workflows/tox.yml/badge.svg)](https://github.com/YunoHost/moulinette/actions/workflows/tox.yml)
 [![Language grade: Python](https://img.shields.io/lgtm/grade/python/g/YunoHost/moulinette.svg?logo=lgtm&logoWidth=18)](https://lgtm.com/projects/g/YunoHost/moulinette/context:python)
 [![GitHub license](https://img.shields.io/github/license/YunoHost/moulinette)](https://github.com/YunoHost/moulinette/blob/dev/LICENSE)
 Moulinette is a small Python framework meant to easily create programs with unified CLI and API.
 In particular, it is used as a base framework for the YunoHost project.
 </div>
 Issues
 ------
 - [Please report issues on YunoHost bugtracker](https://github.com/YunoHost/issues).
 Overview
 --------
 Moulinette allows to create a YAML "actionmaps" that describes what commands are available. Moulinette will automatically make these commands available through the CLI and Web API, and will be mapped to a python function. Moulinette also provide some general helpers, for example for logging, i18n, authentication, or common file system operations.
 <div align="center"><img src="doc/actionsmap.png" width="700" /></div>
 Translation
 -----------
 You can help translate Moulinette on our [translation platform](https://translate.yunohost.org/engage/yunohost/?utm_source=widget)
 <div align="center"><img src="https://translate.yunohost.org/widgets/yunohost/-/moulinette/horizontal-auto.svg" alt="Translation status" /></div>
 Developpers
 -----------
 - You can learn how to get started with developing on YunoHost by reading [this piece of documentation](https://yunohost.org/dev).
 - Specific doc for moulinette: https://moulinette.readthedocs.org
 - Run tests with:
 ```
 $ pip install tox
 $ tox
 ```
--- a/bin/yunohost
+++ b/bin/yunohost
@ -0,0 +1,208 @@
 #! /usr/bin/python
 # -*- coding: utf-8 -*-
 import os
 import sys
 import argparse
 # Either we are in a development environment or not
 IN_DEVEL = False
 # Level for which loggers will log
 LOGGERS_LEVEL = 'INFO'
 TTY_LOG_LEVEL = 'SUCCESS'
 # Handlers that will be used by loggers
 #  - file: log to the file LOG_DIR/LOG_FILE
 #  - tty: log to current tty
 LOGGERS_HANDLERS = ['file', 'tty']
 # Directory and file to be used by logging
 LOG_DIR = '/var/log/yunohost'
 LOG_FILE = 'yunohost-cli.log'
 # Check and load - as needed - development environment
 if not __file__.startswith('/usr/'):
    IN_DEVEL = True
 if IN_DEVEL:
    basedir = os.path.abspath('%s/../' % os.path.dirname(__file__))
    if os.path.isdir(os.path.join(basedir, 'moulinette')):
        sys.path.insert(0, basedir)
    LOG_DIR = os.path.join(basedir, 'log')
 import moulinette
 from moulinette.actionsmap import ActionsMap
 from moulinette.interfaces.cli import colorize, get_locale
 # Initialization & helpers functions -----------------------------------
 def _die(message, title='Error:'):
    """Print error message and exit"""
    print('%s %s' % (colorize(title, 'red'), message))
    sys.exit(1)
 def _parse_cli_args():
    """Parse additional arguments for the cli"""
    parser = argparse.ArgumentParser(add_help=False)
    parser.add_argument('--no-cache',
        action='store_false', default=True, dest='use_cache',
        help="Don't use actions map cache",
    )
    parser.add_argument('--output-as',
        choices=['json', 'plain', 'none'], default=None,
        help="Output result in another format",
    )
    parser.add_argument('--debug',
        action='store_true', default=False,
        help="Log and print debug messages",
    )
    parser.add_argument('--verbose',
        action='store_true', default=False,
        help="Be more verbose in the output",
    )
    parser.add_argument('--quiet',
        action='store_true', default=False,
        help="Don't produce any output",
    )
    parser.add_argument('--admin-password',
        default=None, dest='password', metavar='PASSWORD',
        help="The admin password to use to authenticate",
    )
    # deprecated arguments
    parser.add_argument('--plain',
        action='store_true', default=False, help=argparse.SUPPRESS
    )
    parser.add_argument('--json',
        action='store_true', default=False, help=argparse.SUPPRESS
    )
    opts, args = parser.parse_known_args()
    # output compatibility
    if opts.plain:
        opts.output_as = 'plain'
    elif opts.json:
        opts.output_as = 'json'
    return (parser, opts, args)
 def _init_moulinette(debug=False, verbose=False, quiet=False):
    """Configure logging and initialize the moulinette"""
    # Define loggers handlers
    handlers = set(LOGGERS_HANDLERS)
    if quiet and 'tty' in handlers:
        handlers.remove('tty')
    elif verbose and 'tty' not in handlers:
        handlers.append('tty')
    root_handlers = set(handlers)
    if not debug and 'tty' in root_handlers:
        root_handlers.remove('tty')
    # Define loggers level
    level = LOGGERS_LEVEL
    tty_level = TTY_LOG_LEVEL
    if verbose:
        tty_level = 'INFO'
    if debug:
        tty_level = level = 'DEBUG'
    # Custom logging configuration
    logging = {
        'version': 1,
        'disable_existing_loggers': True,
        'formatters': {
            'tty-debug': {
                'format': '%(relativeCreated)-4d %(fmessage)s'
            },
            'precise': {
                'format': '%(asctime)-15s %(levelname)-8s %(name)s %(funcName)s - %(fmessage)s'
            },
        },
        'filters': {
            'action': {
                '()': 'moulinette.utils.log.ActionFilter',
            },
        },
        'handlers': {
            'tty': {
                'level': tty_level,
                'class': 'moulinette.interfaces.cli.TTYHandler',
                'formatter': 'tty-debug' if debug else '',
            },
            'file': {
                'class': 'logging.FileHandler',
                'formatter': 'precise',
                'filename': '%s/%s' % (LOG_DIR, LOG_FILE),
                'filters': ['action'],
            },
        },
        'loggers': {
            'yunohost': {
                'level': level,
                'handlers': handlers,
                'propagate': False,
            },
            'moulinette': {
                'level': level,
                'handlers': [],
                'propagate': True,
            },
            'moulinette.interface': {
                'level': level,
                'handlers': handlers,
                'propagate': False,
            },
        },
        'root': {
            'level': level,
            'handlers': root_handlers,
        },
    }
    # Create log directory
    if not os.path.isdir(LOG_DIR):
        try:
            os.makedirs(LOG_DIR, 0750)
        except os.error as e:
            _die(str(e))
    # Initialize moulinette
    moulinette.init(logging_config=logging, _from_source=IN_DEVEL)
 def _retrieve_namespaces():
    """Return the list of namespaces to load"""
    ret = ['yunohost']
    for n in ActionsMap.get_namespaces():
        # Append YunoHost modules
        if n.startswith('ynh_'):
            ret.append(n)
    return ret
 # Main action ----------------------------------------------------------
 if __name__ == '__main__':
    parser, opts, args = _parse_cli_args()
    _init_moulinette(opts.debug, opts.verbose, opts.quiet)
    # Check that YunoHost is installed
    if not os.path.isfile('/etc/yunohost/installed') and \
       (len(args) < 2 or (args[0] +' '+ args[1] != 'tools postinstall' and \
                          args[0] +' '+ args[1] != 'backup restore')):
        # Init i18n
        m18n.load_namespace('yunohost')
        m18n.set_locale(get_locale())
        # Print error and exit
        _die(m18n.n('yunohost_not_installed'), m18n.g('error'))
    # Execute the action
    ret = moulinette.cli(
        _retrieve_namespaces(), args,
        use_cache=opts.use_cache, output_as=opts.output_as,
        password=opts.password, parser_kwargs={'top_parser': parser}
    )
    sys.exit(ret)
--- a/bin/yunohost-api
+++ b/bin/yunohost-api
@ -0,0 +1,203 @@
 #! /usr/bin/python
 # -*- coding: utf-8 -*-
 import os
 import sys
 import argparse
 # Either we are in a development environment or not
 IN_DEVEL = False
 # Default server configuration
 DEFAULT_HOST = 'localhost'
 DEFAULT_PORT = 6787
 # Level for which loggers will log
 LOGGERS_LEVEL = 'INFO'
 # Handlers that will be used by loggers
 #  - file: log to the file LOG_DIR/LOG_FILE
 #  - api: serve logs through the api
 #  - console: log to stderr
 LOGGERS_HANDLERS = ['file', 'api']
 # Directory and file to be used by logging
 LOG_DIR = '/var/log/yunohost'
 LOG_FILE = 'yunohost-api.log'
 # Check and load - as needed - development environment
 if not __file__.startswith('/usr/'):
    IN_DEVEL = True
 if IN_DEVEL:
    basedir = os.path.abspath('%s/../' % os.path.dirname(__file__))
    if os.path.isdir(os.path.join(basedir, 'moulinette')):
        sys.path.insert(0, basedir)
    LOG_DIR = os.path.join(basedir, 'log')
 import moulinette
 from moulinette.actionsmap import ActionsMap
 from moulinette.interfaces.cli import colorize
 # Initialization & helpers functions -----------------------------------
 def _die(message, title='Error:'):
    """Print error message and exit"""
    print('%s %s' % (colorize(title, 'red'), message))
    sys.exit(1)
 def _parse_api_args():
    """Parse main arguments for the api"""
    parser = argparse.ArgumentParser(add_help=False,
        description="Run the YunoHost API to manage your server.",
    )
    srv_group = parser.add_argument_group('server configuration')
    srv_group.add_argument('-h', '--host',
        action='store', default=DEFAULT_HOST,
        help="Host to listen on (default: %s)" % DEFAULT_HOST,
    )
    srv_group.add_argument('-p', '--port',
        action='store', default=DEFAULT_PORT, type=int,
        help="Port to listen on (default: %d)" % DEFAULT_PORT,
    )
    srv_group.add_argument('--no-websocket',
        action='store_true', default=True, dest='use_websocket',
        help="Serve without WebSocket support, used to handle "
        "asynchronous responses such as the messages",
    )
    glob_group = parser.add_argument_group('global arguments')
    glob_group.add_argument('--no-cache',
        action='store_false', default=True, dest='use_cache',
        help="Don't use actions map cache",
    )
    glob_group.add_argument('--debug',
        action='store_true', default=False,
        help="Set log level to DEBUG",
    )
    glob_group.add_argument('--verbose',
        action='store_true', default=False,
        help="Be verbose in the output",
    )
    glob_group.add_argument('--help',
        action='help', help="Show this help message and exit",
    )
    return parser.parse_args()
 def _init_moulinette(use_websocket=True, debug=False, verbose=False):
    """Configure logging and initialize the moulinette"""
    # Define loggers handlers
    handlers = set(LOGGERS_HANDLERS)
    if not use_websocket and 'api' in handlers:
        handlers.remove('api')
    if verbose and 'console' not in handlers:
        handlers.add('console')
    root_handlers = handlers - set(['api'])
    # Define loggers level
    level = LOGGERS_LEVEL
    if debug:
        level = 'DEBUG'
    # Custom logging configuration
    logging = {
        'version': 1,
        'disable_existing_loggers': True,
        'formatters': {
            'console': {
                'format': '%(relativeCreated)-5d %(levelname)-8s %(name)s %(funcName)s - %(fmessage)s'
            },
            'precise': {
                'format': '%(asctime)-15s %(levelname)-8s %(name)s %(funcName)s - %(fmessage)s'
            },
        },
        'filters': {
            'action': {
                '()': 'moulinette.utils.log.ActionFilter',
            },
        },
        'handlers': {
            'api': {
                'class': 'moulinette.interfaces.api.APIQueueHandler',
            },
            'file': {
                'class': 'logging.handlers.WatchedFileHandler',
                'formatter': 'precise',
                'filename': '%s/%s' % (LOG_DIR, LOG_FILE),
                'filters': ['action'],
            },
            'console': {
                'class': 'logging.StreamHandler',
                'formatter': 'console',
                'stream': 'ext://sys.stdout',
                'filters': ['action'],
            },
        },
        'loggers': {
            'yunohost': {
                'level': level,
                'handlers': handlers,
                'propagate': False,
            },
            'moulinette': {
                'level': level,
                'handlers': [],
                'propagate': True,
            },
        },
        'root': {
            'level': level,
            'handlers': root_handlers,
        },
    }
    # Create log directory
    if not os.path.isdir(LOG_DIR):
        try:
            os.makedirs(LOG_DIR, 0750)
        except os.error as e:
            _die(str(e))
    # Initialize moulinette
    moulinette.init(logging_config=logging, _from_source=IN_DEVEL)
 def _retrieve_namespaces():
    """Return the list of namespaces to load"""
    ret = ['yunohost']
    for n in ActionsMap.get_namespaces():
        # Append YunoHost modules
        if n.startswith('ynh_'):
            ret.append(n)
    return ret
 # Callbacks for additional routes --------------------------------------
 def is_installed():
    """
    Check whether YunoHost is installed or not
    """
    installed = False
    if os.path.isfile('/etc/yunohost/installed'):
        installed = True
    return { 'installed': installed }
 # Main action ----------------------------------------------------------
 if __name__ == '__main__':
    opts = _parse_api_args()
    _init_moulinette(opts.use_websocket, opts.debug, opts.verbose)
    # Run the server
    from yunohost.utils.packages import ynh_packages_version
    ret = moulinette.api(
        _retrieve_namespaces(),
        host=opts.host, port=opts.port, routes={
            ('GET', '/installed'): is_installed,
            ('GET', '/version'): ynh_packages_version,
        }, use_cache=opts.use_cache, use_websocket=opts.use_websocket
    )
    sys.exit(ret)
--- a/bin/yunopaste
+++ b/bin/yunopaste
@ -0,0 +1,77 @@
 #!/bin/bash
 set -e
 set -u
 PASTE_URL="https://paste.yunohost.org"
 _die() {
  printf "Error: %s\n" "$*"
  exit 1
 }
 check_dependencies() {
  curl -V > /dev/null 2>&1 || _die "This script requires curl."
 }
 paste_data() {
  json=$(curl -X POST -s -d "$1" "${PASTE_URL}/documents")
  [[ -z "$json" ]] && _die "Unable to post the data to the server."
  key=$(echo "$json" \
    | python -c 'import json,sys;o=json.load(sys.stdin);print o["key"]' \
        2>/dev/null)
  [[ -z "$key" ]] && _die "Unable to parse the server response."
  echo "${PASTE_URL}/${key}"
 }
 usage() {
  printf "Usage: ${0} [OPTION]...
 Read from input stream and paste the data to the YunoHost
 Haste server.
 For example, to paste the output of the YunoHost diagnosis, you
 can simply execute the following:
  yunohost tools diagnosis | ${0}
 It will return the URL where you can access the pasted data.
 Options:
  -h, --help   show this help message and exit
 "
 }
 main() {
  # parse options
  while (( ${#} )); do
    case "${1}" in
      --help|-h)
        usage
        exit 0
        ;;
      *)
        echo "Unknown parameter detected: ${1}" >&2
        echo >&2
        usage >&2
        exit 1
        ;;
    esac
    shift 1
  done
  # check input stream
  read -t 0 || {
    echo -e "Invalid usage: No input is provided.\n" >&2
    usage
    exit 1
  }
  paste_data "$(cat)"
 }
 check_dependencies
 main "${@}"
--- a/data/actionsmap/yunohost.yml
+++ b/data/actionsmap/yunohost.yml
--- a/data/bash-completion.d/yunohost
+++ b/data/bash-completion.d/yunohost
@ -0,0 +1,12 @@
 #
 # Bash completion for yunohost
 #
 _python_argcomplete() {
    local IFS=''
    COMPREPLY=( $(IFS="$IFS"                   COMP_LINE="$COMP_LINE"                   COMP_POINT="$COMP_POINT"                   _ARGCOMPLETE_COMP_WORDBREAKS="$COMP_WORDBREAKS"                   _ARGCOMPLETE=1                   "$1" 8>&1 9>&2 1>/dev/null 2>/dev/null) )
    if [[ $? != 0 ]]; then
        unset COMPREPLY
    fi
 }
 complete -o nospace -o default -F _python_argcomplete "yunohost"
--- a/data/helpers
+++ b/data/helpers
@ -0,0 +1,7 @@
 # -*- shell-script -*-
 # TODO : use --regex to validate against a namespace
 for helper in $(run-parts --list /usr/share/yunohost/helpers.d 2>/dev/null) ; do
    [ -r $helper ] && . $helper || true
 done
--- a/data/helpers.d/filesystem
+++ b/data/helpers.d/filesystem
@ -0,0 +1,41 @@
 CAN_BIND=1
 # Bind a directory or copy it on error
 #
 # usage: ynh_bind_or_cp srcdir destdir as_root
 # | arg: srcdir - directory to bind or copy
 # | arg: destdir - mountpoint or destination directory
 # | arg: as_root - 1 to execute commands as root
 ynh_bind_or_cp() {
    SRCDIR=$1
    DESTDIR=$2
    SUDO_CMD="sudo"
    [[ "$3" != "1" ]] && SUDO_CMD=""
    if [[ $CAN_BIND == 1 ]]; then
        $SUDO_CMD mkdir -p $DESTDIR
        $SUDO_CMD mount --bind "$SRCDIR" "$DESTDIR"
        if [[ $? == 0 ]]; then
            for m in $(mount | grep " $SRCDIR" | awk '{ print $3 }'); do
                $SUDO_CMD mount --bind "$m" "${DESTDIR}${m#${SRCDIR}}"
            done
            return
        fi
        echo "Error: bind mounting seems to be disabled on your system."
        echo "You have maybe to check your apparmor configuration."
        CAN_BIND=0
    fi
    $SUDO_CMD cp -r "$SRCDIR" "$DESTDIR"
 }
 # Create a directory under /tmp
 #
 # usage: ynh_mkdir_tmp
 # | ret: the created directory path
 ynh_mkdir_tmp() {
    TMPDIR="/tmp/$(ynh_string_random 6)"
    while [ -d $TMPDIR ]; do
        TMPDIR="/tmp/$(ynh_string_random 6)"
    done
    mkdir -p "$TMPDIR" && echo "$TMPDIR"
 }
--- a/data/helpers.d/ip
+++ b/data/helpers.d/ip
@ -0,0 +1,52 @@
 # Validate an IP address
 #
 # example: ynh_validate_ip 4 111.222.333.444
 #
 # usage: ynh_validate_ip <family> <ip_address>
 #
 # exit code : 0 for valid ip addresses, 1 otherwise
 ynh_validate_ip()
 {
  # http://stackoverflow.com/questions/319279/how-to-validate-ip-address-in-python#319298
  IP_ADDRESS_FAMILY=$1
  IP_ADDRESS=$2
  [ "$IP_ADDRESS_FAMILY" == "4" ] || [ "$IP_ADDRESS_FAMILY" == "6" ] || return 1
  python /dev/stdin << EOF
 import socket
 import sys
 family = { "4" : socket.AF_INET, "6" : socket.AF_INET6 }
 try:
    socket.inet_pton(family["$IP_ADDRESS_FAMILY"], "$IP_ADDRESS")
 except socket.error:
    sys.exit(1)
 sys.exit(0)
 EOF
 }
 # Validate an IPv4 address
 #
 # example: ynh_validate_ip4 111.222.333.444
 #
 # usage: ynh_validate_ip4 <ip_address>
 #
 # exit code : 0 for valid ipv4 addresses, 1 otherwise
 ynh_validate_ip4()
 {
  ynh_validate_ip 4 $1
 }
 # Validate an IPv6 address
 #
 # example: ynh_validate_ip6 2000:dead:beef::1
 #
 # usage: ynh_validate_ip6 <ip_address>
 #
 # exit code : 0 for valid ipv6 addresses, 1 otherwise
 ynh_validate_ip6()
 {
  ynh_validate_ip 6 $1
 }
--- a/data/helpers.d/mysql
+++ b/data/helpers.d/mysql
@ -0,0 +1,92 @@
 MYSQL_ROOT_PWD_FILE=/etc/yunohost/mysql
 # Open a connection as a user
 #
 # example: ynh_mysql_connect_as 'user' 'pass' <<< "UPDATE ...;"
 # example: ynh_mysql_connect_as 'user' 'pass' < /path/to/file.sql
 #
 # usage: ynh_mysql_connect_as user pwd [db]
 # | arg: user - the user name to connect as
 # | arg: pwd - the user password
 # | arg: db - the database to connect to
 ynh_mysql_connect_as() {
    mysql -u "$1" --password="$2" -B "${3:-}"
 }
 # Execute a command as root user
 #
 # usage: ynh_mysql_execute_as_root sql [db]
 # | arg: sql - the SQL command to execute
 # | arg: db - the database to connect to
 ynh_mysql_execute_as_root() {
    ynh_mysql_connect_as "root" "$(sudo cat $MYSQL_ROOT_PWD_FILE)" \
        "${2:-}" <<< "$1"
 }
 # Execute a command from a file as root user
 #
 # usage: ynh_mysql_execute_file_as_root sql [db]
 # | arg: file - the file containing SQL commands
 # | arg: db - the database to connect to
 ynh_mysql_execute_file_as_root() {
    ynh_mysql_connect_as "root" "$(sudo cat $MYSQL_ROOT_PWD_FILE)" \
        "${2:-}" < "$1"
 }
 # Create a database and grant optionnaly privilegies to a user
 #
 # usage: ynh_mysql_create_db db [user [pwd]]
 # | arg: db - the database name to create
 # | arg: user - the user to grant privilegies
 # | arg: pwd - the password to identify user by
 ynh_mysql_create_db() {
    db=$1
    sql="CREATE DATABASE ${db};"
    # grant all privilegies to user
    if [[ $# -gt 1 ]]; then
        sql+=" GRANT ALL PRIVILEGES ON ${db}.* TO '${2}'@'localhost'"
        [[ -n ${3:-} ]] && sql+=" IDENTIFIED BY '${3}'"
        sql+=" WITH GRANT OPTION;"
    fi
    ynh_mysql_execute_as_root "$sql"
 }
 # Drop a database
 #
 # usage: ynh_mysql_drop_db db
 # | arg: db - the database name to drop
 ynh_mysql_drop_db() {
    ynh_mysql_execute_as_root "DROP DATABASE ${1};"
 }
 # Dump a database
 #
 # example: ynh_mysql_dump_db 'roundcube' > ./dump.sql
 #
 # usage: ynh_mysql_dump_db db
 # | arg: db - the database name to dump
 # | ret: the mysqldump output
 ynh_mysql_dump_db() {
    mysqldump -u "root" -p"$(sudo cat $MYSQL_ROOT_PWD_FILE)" "$1"
 }
 # Create a user
 #
 # usage: ynh_mysql_create_user user pwd [host]
 # | arg: user - the user name to create
 # | arg: pwd - the password to identify user by
 ynh_mysql_create_user() {
    ynh_mysql_execute_as_root \
        "CREATE USER '${1}'@'localhost' IDENTIFIED BY '${2}';"
 }
 # Drop a user
 #
 # usage: ynh_mysql_drop_user user
 # | arg: user - the user name to drop
 ynh_mysql_drop_user() {
    ynh_mysql_execute_as_root "DROP USER '${1}'@'localhost';"
 }
--- a/data/helpers.d/package
+++ b/data/helpers.d/package
@ -0,0 +1,94 @@
 # Check either a package is installed or not
 #
 # example: ynh_package_is_installed 'yunohost' && echo "ok"
 #
 # usage: ynh_package_is_installed name
 # | arg: name - the package name to check
 ynh_package_is_installed() {
    dpkg-query -W -f '${Status}' "$1" 2>/dev/null \
        | grep -c "ok installed" &>/dev/null
 }
 # Get the version of an installed package
 #
 # example: version=$(ynh_package_version 'yunohost')
 #
 # usage: ynh_package_version name
 # | arg: name - the package name to get version
 # | ret: the version or an empty string
 ynh_package_version() {
    if ynh_package_is_installed "$1"; then
        dpkg-query -W -f '${Version}' "$1" 2>/dev/null
    else
        echo ''
    fi
 }
 # Update package index files
 #
 # usage: ynh_package_update
 ynh_package_update() {
    sudo apt-get -y -qq update
 }
 # Install package(s)
 #
 # usage: ynh_package_install name [name [...]]
 # | arg: name - the package name to install
 ynh_package_install() {
    sudo apt-get -y -qq install $@
 }
 # Build and install a package from an equivs control file
 #
 # example: generate an empty control file with `equivs-control`, adjust its
 #          content and use helper to build and install the package:
 #              ynh_package_install_from_equivs /path/to/controlfile
 #
 # usage: ynh_package_install_from_equivs controlfile
 # | arg: controlfile - path of the equivs control file
 ynh_package_install_from_equivs() {
    controlfile=$1
    # install equivs package as needed
    ynh_package_is_installed 'equivs' \
        || ynh_package_install equivs
    # retrieve package information
    pkgname=$(grep '^Package: ' $controlfile | cut -d' ' -f 2)
    pkgversion=$(grep '^Version: ' $controlfile | cut -d' ' -f 2)
    [[ -z "$pkgname" || -z "$pkgversion" ]] \
        && echo "Invalid control file" && exit 1
    # update packages cache
    ynh_package_update
    # build and install the package
    TMPDIR=$(ynh_mkdir_tmp)
    (cp "$controlfile" "${TMPDIR}/control" \
     && cd "$TMPDIR" \
     && equivs-build ./control 1>/dev/null \
     && sudo dpkg --force-depends \
          -i "./${pkgname}_${pkgversion}_all.deb" 2>&1 \
     && sudo apt-get -f -y -qq install) \
        && ([[ -n "$TMPDIR" ]] && rm -rf $TMPDIR)
    # check if the package is actually installed
    ynh_package_is_installed "$pkgname"
 }
 # Remove package(s)
 #
 # usage: ynh_package_remove name [name [...]]
 # | arg: name - the package name to remove
 ynh_package_remove() {
    sudo apt-get -y -qq remove $@
 }
 # Remove package(s) and their uneeded dependencies
 #
 # usage: ynh_package_autoremove name [name [...]]
 # | arg: name - the package name to remove
 ynh_package_autoremove() {
    sudo apt-get -y -qq autoremove $@
 }
--- a/data/helpers.d/setting
+++ b/data/helpers.d/setting
@ -0,0 +1,27 @@
 # Get an application setting
 #
 # usage: ynh_app_setting_get app key
 # | arg: app - the application id
 # | arg: key - the setting to get
 ynh_app_setting_get() {
    sudo yunohost app setting "$1" "$2" --output-as plain --quiet
 }
 # Set an application setting
 #
 # usage: ynh_app_setting_set app key value
 # | arg: app - the application id
 # | arg: key - the setting name to set
 # | arg: value - the setting value to set
 ynh_app_setting_set() {
    sudo yunohost app setting "$1" "$2" -v "$3" --quiet
 }
 # Delete an application setting
 #
 # usage: ynh_app_setting_delete app key
 # | arg: app - the application id
 # | arg: key - the setting to delete
 ynh_app_setting_delete() {
    sudo yunohost app setting -d "$1" "$2" --quiet
 }
--- a/data/helpers.d/string
+++ b/data/helpers.d/string
@ -0,0 +1,11 @@
 # Generate a random string
 #
 # example: pwd=$(ynh_string_random 8)
 #
 # usage: ynh_string_random [length]
 # | arg: length - the string length to generate (default: 24)
 ynh_string_random() {
    dd if=/dev/urandom bs=1 count=200 2> /dev/null \
      | tr -c -d '[A-Za-z0-9]' \
      | sed -n 's/\(.\{'"${1:-24}"'\}\).*/\1/p'
 }
--- a/data/helpers.d/user
+++ b/data/helpers.d/user
@ -0,0 +1,40 @@
 # Check if a YunoHost user exists
 #
 # example: ynh_user_exists 'toto' || exit 1
 #
 # usage: ynh_user_exists username
 # | arg: username - the username to check
 ynh_user_exists() {
    sudo yunohost user list --output-as json | grep -q "\"username\": \"${1}\""
 }
 # Retrieve a YunoHost user information
 #
 # example: mail=$(ynh_user_get_info 'toto' 'mail')
 #
 # usage: ynh_user_get_info username key
 # | arg: username - the username to retrieve info from
 # | arg: key - the key to retrieve
 # | ret: string - the key's value
 ynh_user_get_info() {
    sudo yunohost user info "$1" --output-as plain | ynh_get_plain_key "$2"
 }
 # Get the list of YunoHost users
 #
 # example: for u in $(ynh_user_list); do ...
 #
 # usage: ynh_user_list
 # | ret: string - one username per line
 ynh_user_list() {
    sudo yunohost user list --output-as plain --quiet \
      | awk '/^##username$/{getline; print}'
 }
 # Check if a user exists on the system
 #
 # usage: ynh_system_user_exists username
 # | arg: username - the username to check
 ynh_system_user_exists() {
    getent passwd "$1" &>/dev/null
 }
--- a/data/helpers.d/utils
+++ b/data/helpers.d/utils
@ -0,0 +1,26 @@
 # Extract a key from a plain command output
 #
 # example: yunohost user info tata --output-as plain | ynh_get_plain_key mail
 #
 # usage: ynh_get_plain_key key [subkey [subsubkey ...]]
 # | ret: string - the key's value
 ynh_get_plain_key() {
    prefix="#"
    founded=0
    key=$1
    shift
    while read line; do
        if [[ "$founded" == "1" ]] ; then
            [[ "$line" =~ ^${prefix}[^#] ]] && return
            echo $line
        elif [[ "$line" =~ ^${prefix}${key}$ ]]; then
            if [[ -n "${1:-}" ]]; then
                prefix+="#"
                key=$1
                shift
            else
                founded=1
            fi
        fi
    done
 }
--- a/data/hooks/backup/05-conf_ldap
+++ b/data/hooks/backup/05-conf_ldap
@ -0,0 +1,14 @@
 backup_dir="${1}/conf/ldap"
 sudo mkdir -p "$backup_dir"
 # Fix for first jessie yunohost where slapd.conf is called slapd-yuno.conf
 # without slapcat doesn't work
 [[ ! -f /etc/ldap/slapd.conf ]] \
  && sudo mv /etc/ldap/slapd-yuno.conf /etc/ldap/slapd.conf
 # Back up the configuration
 sudo cp -a /etc/ldap/slapd.conf "${backup_dir}/slapd.conf"
 sudo slapcat -b cn=config -l "${backup_dir}/cn=config.master.ldif"
 # Back up the database
 sudo slapcat -b dc=yunohost,dc=org -l "${backup_dir}/dc=yunohost-dc=org.ldif"
--- a/data/hooks/backup/08-conf_ssh
+++ b/data/hooks/backup/08-conf_ssh
@ -0,0 +1,8 @@
 backup_dir="$1/conf/ssh"
 sudo mkdir -p $backup_dir
 if [ -d /etc/ssh/ ]; then
    sudo cp -a /etc/ssh/. $backup_dir
 else
    echo "SSH is not installed"
 fi
--- a/data/hooks/backup/11-conf_ynh_mysql
+++ b/data/hooks/backup/11-conf_ynh_mysql
@ -0,0 +1,4 @@
 backup_dir="$1/conf/ynh/mysql"
 sudo mkdir -p $backup_dir
 sudo cp -a /etc/yunohost/mysql "${backup_dir}/root_pwd"
--- a/data/hooks/backup/14-conf_ssowat
+++ b/data/hooks/backup/14-conf_ssowat
@ -0,0 +1,4 @@
 backup_dir="$1/conf/ssowat"
 sudo mkdir -p $backup_dir
 sudo cp -a /etc/ssowat/. $backup_dir
--- a/data/hooks/backup/17-data_home
+++ b/data/hooks/backup/17-data_home
@ -0,0 +1,10 @@
 backup_dir="$1/data/home"
 sudo mkdir -p $backup_dir
 . /usr/share/yunohost/helpers
 for f in $(find /home/* -type d -prune | awk -F/ '{print $NF}'); do
    if [[ ! "$f" =~ ^yunohost|lost\+found ]]; then
        ynh_bind_or_cp "/home/$f" "${backup_dir}/$f" 1
    fi
 done
--- a/data/hooks/backup/20-conf_ynh_firewall
+++ b/data/hooks/backup/20-conf_ynh_firewall
@ -0,0 +1,4 @@
 backup_dir="$1/conf/ynh/firewall"
 sudo mkdir -p $backup_dir
 sudo cp -a /etc/yunohost/firewall* $backup_dir
--- a/data/hooks/backup/21-conf_ynh_certs
+++ b/data/hooks/backup/21-conf_ynh_certs
@ -0,0 +1,4 @@
 backup_dir="$1/conf/ynh/certs"
 sudo mkdir -p $backup_dir
 sudo cp -a /etc/yunohost/certs/. $backup_dir
--- a/data/hooks/backup/23-data_mail
+++ b/data/hooks/backup/23-data_mail
@ -0,0 +1,5 @@
 backup_dir="$1/data/mail"
 . /usr/share/yunohost/helpers
 ynh_bind_or_cp /var/mail $backup_dir 1
--- a/data/hooks/backup/26-conf_xmpp
+++ b/data/hooks/backup/26-conf_xmpp
@ -0,0 +1,5 @@
 backup_dir="$1/conf/xmpp"
 sudo mkdir -p $backup_dir/{etc,var}
 sudo cp -a /etc/metronome/. $backup_dir/etc
 sudo cp -a /var/lib/metronome/. $backup_dir/var
--- a/data/hooks/backup/29-conf_nginx
+++ b/data/hooks/backup/29-conf_nginx
@ -0,0 +1,4 @@
 backup_dir="$1/conf/nginx"
 sudo mkdir -p $backup_dir
 sudo cp -a /etc/nginx/conf.d/. $backup_dir
--- a/data/hooks/backup/32-conf_cron
+++ b/data/hooks/backup/32-conf_cron
@ -0,0 +1,4 @@
 backup_dir="$1/conf/cron"
 sudo mkdir -p $backup_dir
 sudo cp -a /etc/cron.d/yunohost* $backup_dir/
--- a/data/hooks/backup/40-conf_ynh_currenthost
+++ b/data/hooks/backup/40-conf_ynh_currenthost
@ -0,0 +1,4 @@
 backup_dir="$1/conf/ynh"
 sudo mkdir -p $backup_dir
 sudo cp -a /etc/yunohost/current_host "${backup_dir}/current_host"
--- a/data/hooks/conf_regen/01-yunohost
+++ b/data/hooks/conf_regen/01-yunohost
@ -0,0 +1,111 @@
 #!/bin/bash
 set -e
 services_path="/etc/yunohost/services.yml"
 do_init_regen() {
  if [[ $EUID -ne 0 ]]; then
    echo "You must be root to run this script" 1>&2
    exit 1
  fi
  cd /usr/share/yunohost/templates/yunohost
  [[ -d /etc/yunohost ]] || mkdir -p /etc/yunohost
  # set default current_host
  [[ -f /etc/yunohost/current_host ]] \
    || echo "yunohost.org" > /etc/yunohost/current_host
  # copy default services and firewall
  [[ -f $services_path ]] \
    || cp services.yml "$services_path"
  [[ -f /etc/yunohost/firewall.yml ]] \
    || cp firewall.yml /etc/yunohost/firewall.yml
  # allow users to access /media directory
  [[ -d /etc/skel/media ]] \
    || (mkdir -p /media && ln -s /media /etc/skel/media)
 }
 do_pre_regen() {
  pending_dir=$1
  cd /usr/share/yunohost/templates/yunohost
  # update services.yml
  if [[ -f $services_path ]]; then
      tmp_services_path="${services_path}-tmp"
      new_services_path="${services_path}-new"
      sudo cp "$services_path" "$tmp_services_path"
      _update_services "$new_services_path" || {
        sudo mv "$tmp_services_path" "$services_path"
        exit 1
      }
      if [[ -f $new_services_path ]]; then
          # replace services.yml with new one
          sudo mv "$new_services_path" "$services_path"
          sudo mv "$tmp_services_path" "${services_path}-old"
      else
          sudo rm -f "$tmp_services_path"
      fi
  else
      sudo cp services.yml /etc/yunohost/services.yml
  fi
 }
 _update_services() {
  sudo python2 - << EOF
 import yaml
 with open('services.yml') as f:
    new_services = yaml.load(f)
 with open('/etc/yunohost/services.yml') as f:
    services = yaml.load(f)
 updated = False
 for service, conf in new_services.items():
    # remove service with empty conf
    if not conf:
        if service in services:
            print("removing '{0}' from services".format(service))
            del services[service]
            updated = True
    # add new service
    elif not services.get(service, None):
        print("adding '{0}' to services".format(service))
        services[service] = conf
        updated = True
    # update service conf
    else:
        conffiles = services[service].pop('conffiles', {})
        if services[service] != conf:
            print("update '{0}' service".format(service))
            services[service].update(conf)
            updated = True
        if conffiles:
            services[service]['conffiles'] = conffiles
 if updated:
    with open('/etc/yunohost/services.yml-new', 'w') as f:
        yaml.safe_dump(services, f, default_flow_style=False)
 EOF
 }
 FORCE=${2:-0}
 DRY_RUN=${3:-0}
 case "$1" in
  pre)
    do_pre_regen $4
    ;;
  post)
    ;;
  init)
    do_init_regen
    ;;
  *)
    echo "hook called with unknown argument \`$1'" >&2
    exit 1
    ;;
 esac
 exit 0
--- a/data/hooks/conf_regen/02-ssl
+++ b/data/hooks/conf_regen/02-ssl
@ -0,0 +1,93 @@
 #!/bin/bash
 set -e
 ssl_dir="/usr/share/yunohost/yunohost-config/ssl/yunoCA"
 do_init_regen() {
  if [[ $EUID -ne 0 ]]; then
    echo "You must be root to run this script" 1>&2
    exit 1
  fi
  # create certs and SSL directories
  mkdir -p "/etc/yunohost/certs/yunohost.org"
  mkdir -p "${ssl_dir}/"{ca,certs,crl,newcerts}
  # initialize some files
  [[ -f "${ssl_dir}/serial" ]] \
    || echo "00" > "${ssl_dir}/serial"
  [[ -f "${ssl_dir}/index.txt" ]] \
    || touch "${ssl_dir}/index.txt"
  openssl_conf="/usr/share/yunohost/templates/ssl/openssl.cnf"
  # create default certificates
  if [[ ! -f /etc/yunohost/certs/yunohost.org/ca.pem ]]; then
      openssl req -x509 -new -config "$openssl_conf" \
        -days 3650 -out "${ssl_dir}/ca/cacert.pem" \
        -keyout "${ssl_dir}/ca/cakey.pem" -nodes -batch 2>&1
      cp "${ssl_dir}/ca/cacert.pem" \
        /etc/yunohost/certs/yunohost.org/ca.pem
      ln -sf /etc/yunohost/certs/yunohost.org/ca.pem \
        /etc/ssl/certs/ca-yunohost_crt.pem
      update-ca-certificates
  fi
  if [[ ! -f /etc/yunohost/certs/yunohost.org/crt.pem ]]; then
      openssl req -new -config "$openssl_conf" \
        -days 730 -out "${ssl_dir}/certs/yunohost_csr.pem" \
        -keyout "${ssl_dir}/certs/yunohost_key.pem" -nodes -batch 2>&1
      openssl ca -config "$openssl_conf" \
        -days 730 -in "${ssl_dir}/certs/yunohost_csr.pem" \
        -out "${ssl_dir}/certs/yunohost_crt.pem" -batch 2>&1
      last_cert=$(ls $ssl_dir/newcerts/*.pem | sort -V | tail -n 1)
      chmod 640 "${ssl_dir}/certs/yunohost_key.pem"
      chmod 640 "$last_cert"
      cp "${ssl_dir}/certs/yunohost_key.pem" \
        /etc/yunohost/certs/yunohost.org/key.pem
      cp "$last_cert" \
        /etc/yunohost/certs/yunohost.org/crt.pem
      ln -sf /etc/yunohost/certs/yunohost.org/crt.pem \
        /etc/ssl/certs/yunohost_crt.pem
      ln -sf /etc/yunohost/certs/yunohost.org/key.pem \
        /etc/ssl/private/yunohost_key.pem
  fi
 }
 do_pre_regen() {
  pending_dir=$1
  cd /usr/share/yunohost/templates/ssl
  install -D -m 644 openssl.cnf "${pending_dir}/${ssl_dir}/openssl.cnf"
 }
 do_post_regen() {
  regen_conf_files=$1
  # TODO: regenerate certificates if conf changed?
 }
 FORCE=${2:-0}
 DRY_RUN=${3:-0}
 case "$1" in
  pre)
    do_pre_regen $4
    ;;
  post)
    do_post_regen $4
    ;;
  init)
    do_init_regen
    ;;
  *)
    echo "hook called with unknown argument \`$1'" >&2
    exit 1
    ;;
 esac
 exit 0
--- a/data/hooks/conf_regen/03-ssh
+++ b/data/hooks/conf_regen/03-ssh
@ -0,0 +1,45 @@
 #!/bin/bash
 set -e
 do_pre_regen() {
  pending_dir=$1
  cd /usr/share/yunohost/templates/ssh
  # only overwrite SSH configuration on an ISO installation
  if [[ ! -f /etc/yunohost/from_script ]]; then
      # do not listen to IPv6 if unavailable
      [[ -f /proc/net/if_inet6 ]] \
        || sed -i "s/ListenAddress ::/#ListenAddress ::/g" sshd_config
      install -D -m 644 sshd_config "${pending_dir}/etc/ssh/sshd_config"
  fi
 }
 do_post_regen() {
  regen_conf_files=$1
  if [[ ! -f /etc/yunohost/from_script ]]; then
    [[ -z "$regen_conf_files" ]] \
      || sudo service ssh restart
  fi
 }
 FORCE=${2:-0}
 DRY_RUN=${3:-0}
 case "$1" in
  pre)
    do_pre_regen $4
    ;;
  post)
    do_post_regen $4
    ;;
  *)
    echo "hook called with unknown argument \`$1'" >&2
    exit 1
    ;;
 esac
 exit 0
--- a/data/hooks/conf_regen/06-slapd
+++ b/data/hooks/conf_regen/06-slapd
@ -0,0 +1,118 @@
 #!/bin/bash
 set -e
 do_init_regen() {
  if [[ $EUID -ne 0 ]]; then
      echo "You must be root to run this script" 1>&2
      exit 1
  fi
  do_pre_regen ""
  # fix some permissions
  chown root:openldap /etc/ldap/slapd.conf
  chown -R openldap:openldap /etc/ldap/schema/
  # check the slapd config file at first
  slaptest -Q -u -f /etc/ldap/slapd.conf
  # regenerate LDAP config directory from slapd.conf
  rm -Rf /etc/ldap/slapd.d
  mkdir /etc/ldap/slapd.d
  slaptest -f /etc/ldap/slapd.conf -F /etc/ldap/slapd.d/ 2>&1
  chown -R openldap:openldap /etc/ldap/slapd.d/
  service slapd restart
 }
 do_pre_regen() {
  pending_dir=$1
  cd /usr/share/yunohost/templates/slapd
  # remove legacy configuration file
  [ ! -f /etc/ldap/slapd-yuno.conf ] \
    || touch "${pending_dir}/etc/ldap/slapd-yuno.conf"
  # create needed directories
  ldap_dir="${pending_dir}/etc/ldap"
  schema_dir="${ldap_dir}/schema"
  mkdir -p "$ldap_dir" "$schema_dir"
  # copy configuration files
  cp -a ldap.conf slapd.conf "$ldap_dir"
  cp -a sudo.schema mailserver.schema "$schema_dir"
  install -D -m 644 slapd.default "${pending_dir}/etc/default/slapd"
 }
 do_post_regen() {
  regen_conf_files=$1
  # fix some permissions
  sudo chown root:openldap /etc/ldap/slapd.conf
  sudo chown -R openldap:openldap /etc/ldap/schema/
  sudo chown -R openldap:openldap /etc/ldap/slapd.d/
  [ -z "$regen_conf_files" ] && exit 0
  # retrieve current and new backends
  curr_backend=$(sudo slapcat -n 0 \
                   | sed -n 's/^dn: olcDatabase={1}\(.*\),cn=config$/\1/p')
  new_backend=$(grep '^database' /etc/ldap/slapd.conf | awk '{print $2}')
  # save current database in case of a backend change
  backend_change=0
  backup_dir="/var/backups/dc=yunohost,dc=org-${curr_backend}-$(date +%s)"
  if [[ -n "$curr_backend" && "$curr_backend" != "$new_backend" ]]; then
      backend_change=1
      sudo mkdir -p "$backup_dir"
      sudo slapcat -b dc=yunohost,dc=org \
        -l "${backup_dir}/dc=yunohost-dc=org.ldif"
  fi
  # check the slapd config file at first
  sudo slaptest -Q -u -f /etc/ldap/slapd.conf
  if [[ $backend_change -eq 1 ]]; then
      # regenerate LDAP config directory and import database as root
      # since the admin user may be unavailable
      sudo sh -c "rm -Rf /etc/ldap/slapd.d;
  mkdir /etc/ldap/slapd.d;
  slaptest -f /etc/ldap/slapd.conf -F /etc/ldap/slapd.d;
  chown -R openldap:openldap /etc/ldap/slapd.d;
  slapadd -F /etc/ldap/slapd.d -b dc=yunohost,dc=org \
    -l '${backup_dir}/dc=yunohost-dc=org.ldif';
  chown -R openldap:openldap /var/lib/ldap" 2>&1
  else
      # regenerate LDAP config directory from slapd.conf
      sudo rm -Rf /etc/ldap/slapd.d
      sudo mkdir /etc/ldap/slapd.d
      sudo slaptest -f /etc/ldap/slapd.conf -F /etc/ldap/slapd.d/ 2>&1
      sudo chown -R openldap:openldap /etc/ldap/slapd.d/
  fi
  sudo service slapd force-reload
 }
 FORCE=${2:-0}
 DRY_RUN=${3:-0}
 case "$1" in
  pre)
    do_pre_regen $4
    ;;
  post)
    do_post_regen $4
    ;;
  init)
    do_init_regen
    ;;
  *)
    echo "hook called with unknown argument \`$1'" >&2
    exit 1
    ;;
 esac
 exit 0
--- a/data/hooks/conf_regen/09-nslcd
+++ b/data/hooks/conf_regen/09-nslcd
@ -0,0 +1,36 @@
 #!/bin/bash
 set -e
 do_pre_regen() {
  pending_dir=$1
  cd /usr/share/yunohost/templates/nslcd
  install -D -m 644 nslcd.conf "${pending_dir}/etc/nslcd.conf"
 }
 do_post_regen() {
  regen_conf_files=$1
  [[ -z "$regen_conf_files" ]] \
    || sudo service nslcd restart
 }
 FORCE=${2:-0}
 DRY_RUN=${3:-0}
 case "$1" in
  pre)
    do_pre_regen $4
    ;;
  post)
    do_post_regen $4
    ;;
  *)
    echo "hook called with unknown argument \`$1'" >&2
    exit 1
    ;;
 esac
 exit 0
--- a/data/hooks/conf_regen/12-metronome
+++ b/data/hooks/conf_regen/12-metronome
@ -0,0 +1,76 @@
 #!/bin/bash
 set -e
 do_pre_regen() {
  pending_dir=$1
  cd /usr/share/yunohost/templates/metronome
  # create directories for pending conf
  metronome_dir="${pending_dir}/etc/metronome"
  metronome_conf_dir="${metronome_dir}/conf.d"
  mkdir -p "$metronome_conf_dir"
  # retrieve variables
  main_domain=$(cat /etc/yunohost/current_host)
  domain_list=$(sudo yunohost domain list --output-as plain --quiet)
  # install main conf file
  cat metronome.cfg.lua \
    | sed "s/{{ main_domain }}/${main_domain}/g" \
    > "${metronome_dir}/metronome.cfg.lua"
  # add domain conf files
  for domain in $domain_list; do
    cat domain.tpl.cfg.lua \
      | sed "s/{{ domain }}/${domain}/g" \
      > "${metronome_conf_dir}/${domain}.cfg.lua"
  done
  # remove old domain conf files
  conf_files=$(ls -1 /etc/metronome/conf.d \
                 | awk '/^[^\.]+\.[^\.]+.*\.cfg\.lua$/ { print $1 }')
  for file in $conf_files; do
    domain=${file%.cfg.lua}
    [[ $domain_list =~ $domain ]] \
      || touch "${metronome_conf_dir}/${file}"
  done
 }
 do_post_regen() {
  regen_conf_files=$1
  # fix some permissions
  sudo chown -R metronome: /var/lib/metronome/
  sudo chown -R metronome: /etc/metronome/conf.d/
  # retrieve variables
  domain_list=$(sudo yunohost domain list --output-as plain --quiet)
  # create metronome directories for domains
  for domain in $domain_list; do
    sudo mkdir -p "/var/lib/metronome/${domain//./%2e}/pep"
  done
  [[ -z "$regen_conf_files" ]] \
    || sudo service metronome restart
 }
 FORCE=${2:-0}
 DRY_RUN=${3:-0}
 case "$1" in
  pre)
    do_pre_regen $4
    ;;
  post)
    do_post_regen $4
    ;;
  *)
    echo "hook called with unknown argument \`$1'" >&2
    exit 1
    ;;
 esac
 exit 0
--- a/data/hooks/conf_regen/15-nginx
+++ b/data/hooks/conf_regen/15-nginx
@ -0,0 +1,101 @@
 #!/bin/bash
 set -e
 do_init_regen() {
  if [[ $EUID -ne 0 ]]; then
    echo "You must be root to run this script" 1>&2
    exit 1
  fi
  do_pre_regen ""
 }
 do_pre_regen() {
  pending_dir=$1
  cd /usr/share/yunohost/templates/nginx
  nginx_dir="${pending_dir}/etc/nginx"
  nginx_conf_dir="${nginx_dir}/conf.d"
  mkdir -p "$nginx_conf_dir"
  # install plain conf files
  cp plain/* "$nginx_conf_dir"
  # probably run with init: just disable default site, restart NGINX and exit
  if [[ -z "$pending_dir" ]]; then
    rm -f "${nginx_dir}/sites-enabled/default"
    service nginx restart
    exit 0
  fi
  # retrieve variables
  main_domain=$(cat /etc/yunohost/current_host)
  domain_list=$(sudo yunohost domain list --output-as plain --quiet)
  # add domain conf files
  for domain in $domain_list; do
    domain_conf_dir="${nginx_conf_dir}/${domain}.d"
    mkdir -p "$domain_conf_dir"
    # NGINX server configuration
    cat server.tpl.conf \
      | sed "s/{{ domain }}/${domain}/g" \
      > "${nginx_conf_dir}/${domain}.conf"
    [[ $main_domain != $domain ]] \
      && touch "${domain_conf_dir}/yunohost_local.conf" \
      || cp yunohost_local.conf "${domain_conf_dir}/yunohost_local.conf"
  done
  # remove old domain conf files
  conf_files=$(ls -1 /etc/nginx/conf.d \
                 | awk '/^[^\.]+\.[^\.]+.*\.conf$/ { print $1 }')
  for file in $conf_files; do
    domain=${file%.conf}
    [[ $domain_list =~ $domain ]] \
      || touch "${nginx_conf_dir}/${file}"
  done
  # disable default site
  mkdir -p "${nginx_dir}/sites-enabled"
  touch "${nginx_dir}/sites-enabled/default"
 }
 do_post_regen() {
  regen_conf_files=$1
  [ -z "$regen_conf_files" ] && exit 0
  # retrieve variables
  domain_list=$(sudo yunohost domain list --output-as plain --quiet)
  # create NGINX conf directories for domains
  for domain in $domain_list; do
    sudo mkdir -p "/etc/nginx/conf.d/${domain}.d"
  done
  sudo service nginx restart
 }
 FORCE=${2:-0}
 DRY_RUN=${3:-0}
 case "$1" in
  pre)
    do_pre_regen $4
    ;;
  post)
    do_post_regen $4
    ;;
  init)
    do_init_regen
    ;;
  *)
    echo "hook called with unknown argument \`$1'" >&2
    exit 1
    ;;
 esac
 exit 0
--- a/data/hooks/conf_regen/19-postfix
+++ b/data/hooks/conf_regen/19-postfix
@ -0,0 +1,56 @@
 #!/bin/bash
 set -e
 do_pre_regen() {
  pending_dir=$1
  cd /usr/share/yunohost/templates/postfix
  postfix_dir="${pending_dir}/etc/postfix"
  mkdir -p "$postfix_dir"
  # install plain conf files
  cp plain/* "$postfix_dir"
  # prepare main.cf conf file
  main_domain=$(cat /etc/yunohost/current_host)
  cat main.cf \
    | sed "s/{{ main_domain }}/${main_domain}/g" \
    > "${postfix_dir}/main.cf"
  # adapt it for IPv4-only hosts
  if [ ! -f /proc/net/if_inet6 ]; then
    sed -i \
      's/ \[::ffff:127.0.0.0\]\/104 \[::1\]\/128//g' \
      "${postfix_dir}/main.cf"
    sed -i \
      's/inet_interfaces = all/&\ninet_protocols = ipv4/' \
      "${postfix_dir}/main.cf"
  fi
 }
 do_post_regen() {
  regen_conf_files=$1
  [[ -z "$regen_conf_files" ]] \
    || sudo service postfix restart
 }
 FORCE=${2:-0}
 DRY_RUN=${3:-0}
 case "$1" in
  pre)
    do_pre_regen $4
    ;;
  post)
    do_post_regen $4
    ;;
  *)
    echo "hook called with unknown argument \`$1'" >&2
    exit 1
    ;;
 esac
 exit 0
--- a/data/hooks/conf_regen/25-dovecot
+++ b/data/hooks/conf_regen/25-dovecot
@ -0,0 +1,69 @@
 #!/bin/bash
 set -e
 do_pre_regen() {
  pending_dir=$1
  cd /usr/share/yunohost/templates/dovecot
  dovecot_dir="${pending_dir}/etc/dovecot"
  mkdir -p "${dovecot_dir}/global_script"
  # copy simple conf files
  cp dovecot-ldap.conf "${dovecot_dir}/dovecot-ldap.conf"
  cp dovecot.sieve "${dovecot_dir}/global_script/dovecot.sieve"
  # prepare dovecot.conf conf file
  main_domain=$(cat /etc/yunohost/current_host)
  cat dovecot.conf \
    | sed "s/{{ main_domain }}/${main_domain}/g" \
    > "${dovecot_dir}/dovecot.conf"
  # adapt it for IPv4-only hosts
  if [ ! -f /proc/net/if_inet6 ]; then
    sed -i \
      's/^\(listen =\).*/\1 */' \
      "${dovecot_dir}/dovecot.conf"
  fi
 }
 do_post_regen() {
  regen_conf_files=$1
  # create vmail user
  id vmail > /dev/null 2>&1 \
    || sudo adduser --system --ingroup mail --uid 500 vmail
  # fix permissions
  sudo chown -R vmail:mail /etc/dovecot/global_script
  sudo chmod 770 /etc/dovecot/global_script
  [ -z "$regen_conf_files" ] && exit 0
  # compile sieve script
  [[ "$regen_conf_files" =~ dovecot\.sieve ]] && {
    sudo sievec /etc/dovecot/global_script/dovecot.sieve
    sudo chown -R vmail:mail /etc/dovecot/global_script
  }
  sudo service dovecot restart
 }
 FORCE=${2:-0}
 DRY_RUN=${3:-0}
 case "$1" in
  pre)
    do_pre_regen $4
    ;;
  post)
    do_post_regen $4
    ;;
  *)
    echo "hook called with unknown argument \`$1'" >&2
    exit 1
    ;;
 esac
 exit 0
--- a/data/hooks/conf_regen/28-rmilter
+++ b/data/hooks/conf_regen/28-rmilter
@ -0,0 +1,69 @@
 #!/bin/bash
 set -e
 do_pre_regen() {
  pending_dir=$1
  cd /usr/share/yunohost/templates/rmilter
  install -D -m 644 rmilter.conf \
    "${pending_dir}/etc/rmilter.conf"
  install -D -m 644 rmilter.socket \
    "${pending_dir}/etc/systemd/system/rmilter.socket"
 }
 do_post_regen() {
  regen_conf_files=$1
  # retrieve variables
  domain_list=$(sudo yunohost domain list --output-as plain --quiet)
  # create DKIM directory
  sudo mkdir -p /etc/dkim
  # create DKIM key for domains
  for domain in $domain_list; do
    domain_key="/etc/dkim/${domain}.mail.key"
    [ ! -f $domain_key ] && {
      sudo opendkim-genkey --domain="$domain" \
          --selector=mail --directory=/etc/dkim
      sudo mv /etc/dkim/mail.private "$domain_key"
      sudo mv /etc/dkim/mail.txt "/etc/dkim/${domain}.mail.txt"
    }
  done
  # fix DKIM keys permissions
  sudo chown _rmilter /etc/dkim/*.mail.key
  sudo chmod 400 /etc/dkim/*.mail.key
  [ -z "$regen_conf_files" ] && exit 0
  # reload systemd daemon
  [[ "$regen_conf_files" =~ rmilter\.socket ]] && {
    sudo systemctl -q daemon-reload
  }
  # ensure that the socket is listening and stop the service - it will be
  # started again by the socket as needed
  sudo systemctl -q start rmilter.socket
  sudo systemctl -q stop rmilter.service 2>&1 || true
 }
 FORCE=${2:-0}
 DRY_RUN=${3:-0}
 case "$1" in
  pre)
    do_pre_regen $4
    ;;
  post)
    do_post_regen $4
    ;;
  *)
    echo "hook called with unknown argument \`$1'" >&2
    exit 1
    ;;
 esac
 exit 0
--- a/data/hooks/conf_regen/31-rspamd
+++ b/data/hooks/conf_regen/31-rspamd
@ -0,0 +1,50 @@
 #!/bin/bash
 set -e
 do_pre_regen() {
  pending_dir=$1
  cd /usr/share/yunohost/templates/rspamd
  install -D -m 644 metrics.local.conf \
      "${pending_dir}/etc/rspamd/local.d/metrics.conf"
  install -D -m 644 rspamd.sieve \
      "${pending_dir}/etc/dovecot/global_script/rspamd.sieve"
 }
 do_post_regen() {
  regen_conf_files=$1
  [ -z "$regen_conf_files" ] && exit 0
  # compile sieve script
  [[ "$regen_conf_files" =~ rspamd\.sieve ]] && {
    sudo sievec /etc/dovecot/global_script/rspamd.sieve
    sudo chown -R vmail:mail /etc/dovecot/global_script
    sudo systemctl restart dovecot
  }
  # ensure that the socket is listening and stop the service - it will be
  # started again by the socket as needed
  sudo systemctl -q start rspamd.socket
  sudo systemctl -q stop rspamd.service 2>&1 || true
 }
 FORCE=${2:-0}
 DRY_RUN=${3:-0}
 case "$1" in
  pre)
    do_pre_regen $4
    ;;
  post)
    do_post_regen $4
    ;;
  *)
    echo "hook called with unknown argument \`$1'" >&2
    exit 1
    ;;
 esac
 exit 0
--- a/data/hooks/conf_regen/34-mysql
+++ b/data/hooks/conf_regen/34-mysql
@ -0,0 +1,82 @@
 #!/bin/bash
 set -e
 do_pre_regen() {
  pending_dir=$1
  cd /usr/share/yunohost/templates/mysql
  install -D -m 644 my.cnf "${pending_dir}/etc/mysql/my.cnf"
 }
 do_post_regen() {
  regen_conf_files=$1
  if [ ! -f /etc/yunohost/mysql ]; then
      . /usr/share/yunohost/helpers.d/string
      # ensure that mysql is running
      service mysql status >/dev/null 2>&1 \
        || service mysql start
      # generate and set new root password
      mysql_password=$(ynh_string_random 10)
      sudo mysqladmin -s -u root -pyunohost password "$mysql_password" || {
        if [ $FORCE -eq 1 ]; then
            . /usr/share/yunohost/helpers.d/package
            echo "It seems that you have already configured MySQL." \
              "YunoHost needs to have a root access to MySQL to runs its" \
              "applications, and is going to reset the MySQL root password." \
              "You can find this new password in /etc/yunohost/mysql." >&2
            # retrieve MySQL package provider
            ynh_package_is_installed "mariadb-server-10.0" \
              && mysql_pkg="mariadb-server-10.0" \
              || mysql_pkg="mysql-server-5.5"
            # set new password with debconf
            sudo debconf-set-selections << EOF
 $mysql_pkg mysql-server/root_password password $mysql_password
 $mysql_pkg mysql-server/root_password_again password $mysql_password
 EOF
            # reconfigure Debian package
            sudo dpkg-reconfigure -freadline -u "$mysql_pkg" 2>&1
        else
            echo "It seems that you have already configured MySQL." \
              "YunoHost needs to have a root access to MySQL to runs its" \
              "applications, but the MySQL root password is unknown." \
              "You must either pass --force to reset the password or" \
              "put the current one into the file /etc/yunohost/mysql." >&2
            exit 1
        fi
      }
      # store new root password
      echo "$mysql_password" | sudo tee /etc/yunohost/mysql
      sudo chmod 400 /etc/yunohost/mysql
  fi
  [[ -z "$regen_conf_files" ]] \
    || sudo service mysql restart
 }
 FORCE=${2:-0}
 DRY_RUN=${3:-0}
 case "$1" in
  pre)
    do_pre_regen $4
    ;;
  post)
    do_post_regen $4
    ;;
  *)
    echo "hook called with unknown argument \`$1'" >&2
    exit 1
    ;;
 esac
 exit 0
--- a/data/hooks/conf_regen/37-avahi-daemon
+++ b/data/hooks/conf_regen/37-avahi-daemon
@ -0,0 +1,37 @@
 #!/bin/bash
 set -e
 do_pre_regen() {
  pending_dir=$1
  cd /usr/share/yunohost/templates/avahi-daemon
  install -D -m 644 avahi-daemon.conf \
    "${pending_dir}/etc/avahi/avahi-daemon.conf"
 }
 do_post_regen() {
  regen_conf_files=$1
  [[ -z "$regen_conf_files" ]] \
    || sudo service avahi-daemon restart
 }
 FORCE=${2:-0}
 DRY_RUN=${3:-0}
 case "$1" in
  pre)
    do_pre_regen $4
    ;;
  post)
    do_post_regen $4
    ;;
  *)
    echo "hook called with unknown argument \`$1'" >&2
    exit 1
    ;;
 esac
 exit 0
--- a/data/hooks/conf_regen/40-glances
+++ b/data/hooks/conf_regen/40-glances
@ -0,0 +1,36 @@
 #!/bin/bash
 set -e
 do_pre_regen() {
  pending_dir=$1
  cd /usr/share/yunohost/templates/glances
  install -D -m 644 glances.default "${pending_dir}/etc/default/glances"
 }
 do_post_regen() {
  regen_conf_files=$1
  [[ -z "$regen_conf_files" ]] \
    || sudo service glances restart
 }
 FORCE=${2:-0}
 DRY_RUN=${3:-0}
 case "$1" in
  pre)
    do_pre_regen $4
    ;;
  post)
    do_post_regen $4
    ;;
  *)
    echo "hook called with unknown argument \`$1'" >&2
    exit 1
    ;;
 esac
 exit 0
--- a/data/hooks/conf_regen/43-dnsmasq
+++ b/data/hooks/conf_regen/43-dnsmasq
@ -0,0 +1,66 @@
 #!/bin/bash
 set -e
 do_pre_regen() {
  pending_dir=$1
  # source ip helpers
  . /usr/share/yunohost/helpers.d/ip
  cd /usr/share/yunohost/templates/dnsmasq
  # create directory for pending conf
  dnsmasq_dir="${pending_dir}/etc/dnsmasq.d"
  mkdir -p "$dnsmasq_dir"
  # retrieve variables
  ipv4=$(curl -s -4 https://ip.yunohost.org 2>/dev/null || true)
  ynh_validate_ip4 "$ipv4" || ipv4='127.0.0.1'
  ipv6=$(curl -s -6 http://ip6.yunohost.org 2>/dev/null || true)
  ynh_validate_ip6 "$ipv6" || ipv6=''
  domain_list=$(sudo yunohost domain list --output-as plain --quiet)
  # add domain conf files
  for domain in $domain_list; do
    cat domain.tpl \
      | sed "s/{{ domain }}/${domain}/g" \
      | sed "s/{{ ip }}/${ipv4}/g" \
      > "${dnsmasq_dir}/${domain}"
    [[ -n $ipv6 ]] \
      && echo "address=/${domain}/${ipv6}" >> "${dnsmasq_dir}/${domain}"
  done
  # remove old domain conf files
  conf_files=$(ls -1 /etc/dnsmasq.d \
                 | awk '/^[^\.]+\.[^\.]+.*$/ { print $1 }')
  for domain in $conf_files; do
    [[ $domain_list =~ $domain ]] \
      || touch "${dnsmasq_dir}/${domain}"
  done
 }
 do_post_regen() {
  regen_conf_files=$1
  [[ -z "$regen_conf_files" ]] \
    || sudo service dnsmasq restart
 }
 FORCE=${2:-0}
 DRY_RUN=${3:-0}
 case "$1" in
  pre)
    do_pre_regen $4
    ;;
  post)
    do_post_regen $4
    ;;
  *)
    echo "hook called with unknown argument \`$1'" >&2
    exit 1
    ;;
 esac
 exit 0
--- a/data/hooks/conf_regen/46-nsswitch
+++ b/data/hooks/conf_regen/46-nsswitch
@ -0,0 +1,36 @@
 #!/bin/bash
 set -e
 do_pre_regen() {
  pending_dir=$1
  cd /usr/share/yunohost/templates/nsswitch
  install -D -m 644 nsswitch.conf "${pending_dir}/etc/nsswitch.conf"
 }
 do_post_regen() {
  regen_conf_files=$1
  [[ -z "$regen_conf_files" ]] \
    || sudo service nscd restart
 }
 FORCE=${2:-0}
 DRY_RUN=${3:-0}
 case "$1" in
  pre)
    do_pre_regen $4
    ;;
  post)
    do_post_regen $4
    ;;
  *)
    echo "hook called with unknown argument \`$1'" >&2
    exit 1
    ;;
 esac
 exit 0
--- a/data/hooks/conf_regen/52-fail2ban
+++ b/data/hooks/conf_regen/52-fail2ban
@ -0,0 +1,40 @@
 #!/bin/bash
 set -e
 do_pre_regen() {
  pending_dir=$1
  cd /usr/share/yunohost/templates/fail2ban
  fail2ban_dir="${pending_dir}/etc/fail2ban"
  mkdir -p "${fail2ban_dir}/filter.d"
  cp yunohost.conf "${fail2ban_dir}/filter.d/yunohost.conf"
  cp jail.conf "${fail2ban_dir}/jail.conf"
 }
 do_post_regen() {
  regen_conf_files=$1
  [[ -z "$regen_conf_files" ]] \
    || sudo service fail2ban restart
 }
 FORCE=${2:-0}
 DRY_RUN=${3:-0}
 case "$1" in
  pre)
    do_pre_regen $4
    ;;
  post)
    do_post_regen $4
    ;;
  *)
    echo "hook called with unknown argument \`$1'" >&2
    exit 1
    ;;
 esac
 exit 0
--- a/data/hooks/post_backup_create/99-umount
+++ b/data/hooks/post_backup_create/99-umount
@ -0,0 +1,13 @@
 tmp_dir=$1
 retcode=$2
 FAILURE=0
 # Iterate over inverted ordered mountpoints to prevent issues
 for m in $(mount | grep " ${tmp_dir}" | awk '{ print $3 }' | tac); do
    sudo umount $m
    [[ $? != 0 ]] && FAILURE=1
 done
 exit $FAILURE
--- a/data/hooks/restore/05-conf_ldap
+++ b/data/hooks/restore/05-conf_ldap
@ -0,0 +1,58 @@
 backup_dir="${1}/conf/ldap"
 if [[ $EUID -ne 0 ]]; then
    # We need to execute this script as root, since the ldap
    # service will be shut down during the operation (and sudo
    # won't be available)
    sudo /bin/bash $(readlink -f $0) $1
 else
    service slapd stop || true
    # Create a directory for backup
    TMPDIR="/tmp/$(date +%s)"
    mkdir -p "$TMPDIR"
    die() {
        state=$1
        error=$2
        # Restore saved configuration and database
        [[ $state -ge 1 ]] \
          && (rm -rf /etc/ldap/slapd.d &&
              mv "${TMPDIR}/slapd.d" /etc/ldap/slapd.d)
        [[ $state -ge 2 ]] \
          && (rm -rf /var/lib/ldap &&
              mv "${TMPDIR}/ldap" /var/lib/ldap)
        chown -R openldap: /etc/ldap/slapd.d /var/lib/ldap
        service slapd start
        rm -rf "$TMPDIR"
        # Print an error message and exit
        printf "%s" "$error" 1>&2
        exit 1
    }
    # Restore the configuration
    mv /etc/ldap/slapd.d "$TMPDIR"
    mkdir -p /etc/ldap/slapd.d
    cp -a "${backup_dir}/slapd.conf" /etc/ldap/slapd.conf
    slapadd -F /etc/ldap/slapd.d -b cn=config \
        -l "${backup_dir}/cn=config.master.ldif" \
      || die 1 "Unable to restore LDAP configuration"
    chown -R openldap: /etc/ldap/slapd.d
    # Restore the database
    mv /var/lib/ldap "$TMPDIR"
    mkdir -p /var/lib/ldap
    slapadd -F /etc/ldap/slapd.d -b dc=yunohost,dc=org \
        -l "${backup_dir}/dc=yunohost-dc=org.ldif" \
      || die 2 "Unable to restore LDAP database"
    chown -R openldap: /var/lib/ldap
    service slapd start
    rm -rf "$TMPDIR"
 fi
--- a/data/hooks/restore/08-conf_ssh
+++ b/data/hooks/restore/08-conf_ssh
@ -0,0 +1,9 @@
 backup_dir="$1/conf/ssh"
 if [ -d /etc/ssh/ ]; then
    sudo cp -a $backup_dir/. /etc/ssh
    sudo service ssh restart
 else
    echo "SSH is not installed"
 fi
--- a/data/hooks/restore/11-conf_ynh_mysql
+++ b/data/hooks/restore/11-conf_ynh_mysql
@ -0,0 +1,42 @@
 backup_dir="$1/conf/ynh/mysql"
 # ensure that mysql is running
 service mysql status >/dev/null 2>&1 \
  || service mysql start
 # retrieve current and new password
 [ -f /etc/yunohost/mysql ] \
  && curr_pwd=$(sudo cat /etc/yunohost/mysql) \
  || curr_pwd="yunohost"
 new_pwd=$(sudo cat "${backup_dir}/root_pwd" || sudo cat "${backup_dir}/mysql")
 # attempt to change it
 sudo mysqladmin -s -u root -p"$curr_pwd" password "$new_pwd" || {
  . /usr/share/yunohost/helpers.d/package
  echo "It seems that you have already configured MySQL." \
    "YunoHost needs to have a root access to MySQL to runs its" \
    "applications, and is going to reset the MySQL root password." \
    "You can find this new password in /etc/yunohost/mysql." >&2
  # retrieve MySQL package provider
  ynh_package_is_installed "mariadb-server-10.0" \
    && mysql_pkg="mariadb-server-10.0" \
    || mysql_pkg="mysql-server-5.5"
  # set new password with debconf
  sudo debconf-set-selections << EOF
 $mysql_pkg mysql-server/root_password password $new_pwd
 $mysql_pkg mysql-server/root_password_again password $new_pwd
 EOF
  # reconfigure Debian package
  sudo dpkg-reconfigure -freadline -u "$mysql_pkg" 2>&1
 }
 # store new root password
 echo "$new_pwd" | sudo tee /etc/yunohost/mysql
 sudo chmod 400 /etc/yunohost/mysql
 # reload the grant tables
 sudo mysqladmin -s -u root -p"$new_pwd" reload
--- a/data/hooks/restore/14-conf_ssowat
+++ b/data/hooks/restore/14-conf_ssowat
@ -0,0 +1,3 @@
 backup_dir="$1/conf/ssowat"
 sudo cp -a $backup_dir/. /etc/ssowat
--- a/data/hooks/restore/17-data_home
+++ b/data/hooks/restore/17-data_home
@ -0,0 +1,3 @@
 backup_dir="$1/data/home"
 sudo cp -a $backup_dir/. /home
--- a/data/hooks/restore/20-conf_ynh_firewall
+++ b/data/hooks/restore/20-conf_ynh_firewall
@ -0,0 +1,4 @@
 backup_dir="$1/conf/ynh/firewall"
 sudo cp -a $backup_dir/. /etc/yunohost
 sudo yunohost firewall reload
--- a/data/hooks/restore/21-conf_ynh_certs
+++ b/data/hooks/restore/21-conf_ynh_certs
@ -0,0 +1,8 @@
 backup_dir="$1/conf/ynh/certs"
 sudo mkdir -p /etc/yunohost/certs/
 sudo cp -a $backup_dir/. /etc/yunohost/certs/
 sudo yunohost app ssowatconf
 sudo service nginx reload
 sudo service metronome reload
--- a/data/hooks/restore/23-data_mail
+++ b/data/hooks/restore/23-data_mail
@ -0,0 +1,7 @@
 backup_dir="$1/data/mail"
 sudo cp -a $backup_dir/. /var/mail/ || echo 'No mail found'
 # Restart services to use migrated certs
 sudo service postfix restart
 sudo service dovecot restart
--- a/data/hooks/restore/26-conf_xmpp
+++ b/data/hooks/restore/26-conf_xmpp
@ -0,0 +1,7 @@
 backup_dir="$1/conf/xmpp"
 sudo cp -a $backup_dir/etc/. /etc/metronome
 sudo cp -a $backup_dir/var/. /var/lib/metronome
 # Restart to apply new conf and certs
 sudo service metronome restart
--- a/data/hooks/restore/29-conf_nginx
+++ b/data/hooks/restore/29-conf_nginx
@ -0,0 +1,7 @@
 backup_dir="$1/conf/nginx"
 # Copy all conf except apps specific conf located in DOMAIN.d
 sudo find $backup_dir/ -mindepth 1 -maxdepth 1 -name '*.d' -or -exec sudo cp -a {} /etc/nginx/conf.d/ \;
 # Restart to use new conf and certs
 sudo service nginx restart
--- a/data/hooks/restore/32-conf_cron
+++ b/data/hooks/restore/32-conf_cron
@ -0,0 +1,6 @@
 backup_dir="$1/conf/cron"
 sudo cp -a $backup_dir/. /etc/cron.d
 # Restart just in case
 sudo service cron restart
--- a/data/hooks/restore/40-conf_ynh_currenthost
+++ b/data/hooks/restore/40-conf_ynh_currenthost
@ -0,0 +1,3 @@
 backup_dir="$1/conf/ynh"
 sudo cp -a "${backup_dir}/current_host" /etc/yunohost/current_host
--- a/data/other/ldap_scheme.yml
+++ b/data/other/ldap_scheme.yml
@ -0,0 +1,56 @@
 parents:
    ou=users:
        ou: users
        objectClass:
            - organizationalUnit
            - top
    ou=domains:
        ou: domains
        objectClass:
            - organizationalUnit
            - top
    ou=apps:
        ou: apps
        objectClass:
            - organizationalUnit
            - top
    ou=groups:
        ou: groups
        objectClass:
            - organizationalUnit
            - top
    ou=sudo:
        ou: sudo
        objectClass:
            - organizationalUnit
            - top
 children:
    cn=admins,ou=groups:
        cn: admins
        gidNumber: "4001"
        memberUid: admin
        objectClass:
            - posixGroup
            - top
    cn=sftpusers,ou=groups:
        cn: sftpusers
        gidNumber: "4002"
        memberUid: admin
        objectClass:
            - posixGroup
            - top
    cn=admin,ou=sudo:
        cn: admin
        sudoUser: admin
        sudoHost: ALL
        sudoCommand: ALL
        sudoOption: "!authenticate"
        objectClass:
            - sudoRole
            - top
--- a/data/templates/avahi-daemon/avahi-daemon.conf
+++ b/data/templates/avahi-daemon/avahi-daemon.conf
@ -0,0 +1,68 @@
 # This file is part of avahi.
 #
 # avahi is free software; you can redistribute it and/or modify it
 # under the terms of the GNU Lesser General Public License as
 # published by the Free Software Foundation; either version 2 of the
 # License, or (at your option) any later version.
 #
 # avahi is distributed in the hope that it will be useful, but WITHOUT
 # ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
 # or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public
 # License for more details.
 #
 # You should have received a copy of the GNU Lesser General Public
 # License along with avahi; if not, write to the Free Software
 # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307
 # USA.
 # See avahi-daemon.conf(5) for more information on this configuration
 # file!
 [server]
 host-name=yunohost
 domain-name=local
 #browse-domains=0pointer.de, zeroconf.org
 use-ipv4=yes
 use-ipv6=yes
 #allow-interfaces=eth0
 #deny-interfaces=eth1
 #check-response-ttl=no
 #use-iff-running=no
 #enable-dbus=yes
 #disallow-other-stacks=no
 #allow-point-to-point=no
 #cache-entries-max=4096
 #clients-max=4096
 #objects-per-client-max=1024
 #entries-per-entry-group-max=32
 ratelimit-interval-usec=1000000
 ratelimit-burst=1000
 [wide-area]
 enable-wide-area=yes
 [publish]
 #disable-publishing=no
 #disable-user-service-publishing=no
 #add-service-cookie=no
 #publish-addresses=yes
 #publish-hinfo=yes
 #publish-workstation=yes
 #publish-domain=yes
 #publish-dns-servers=192.168.50.1, 192.168.50.2
 #publish-resolv-conf-dns-servers=yes
 #publish-aaaa-on-ipv4=yes
 #publish-a-on-ipv6=no
 [reflector]
 #enable-reflector=no
 #reflect-ipv=no
 [rlimits]
 #rlimit-as=
 rlimit-core=0
 rlimit-data=4194304
 rlimit-fsize=0
 rlimit-nofile=768
 rlimit-stack=4194304
 rlimit-nproc=3
--- a/data/templates/dnsmasq/domain.tpl
+++ b/data/templates/dnsmasq/domain.tpl
@ -0,0 +1,7 @@
 resolv-file=
 address=/{{ domain }}/{{ ip }}
 txt-record={{ domain }},"v=spf1 mx a -all"
 mx-host={{ domain }},{{ domain }},5
 srv-host=_xmpp-client._tcp.{{ domain }},{{ domain }},5222,0,5
 srv-host=_xmpp-server._tcp.{{ domain }},{{ domain }},5269,0,5
 srv-host=_jabber._tcp.{{ domain }},{{ domain }},5269,0,5
--- a/data/templates/dovecot/dovecot-ldap.conf
+++ b/data/templates/dovecot/dovecot-ldap.conf
@ -0,0 +1,9 @@
 hosts = 127.0.0.1
 auth_bind = yes
 ldap_version = 3
 base = ou=users,dc=yunohost,dc=org
 user_attrs = uidNumber=500,gidNumber=8,mailuserquota=quota_rule=*:bytes=%$
 user_filter = (&(objectClass=inetOrgPerson)(uid=%n))
 pass_filter = (&(objectClass=inetOrgPerson)(uid=%n))
 default_pass_scheme = SSHA
--- a/data/templates/dovecot/dovecot.conf
+++ b/data/templates/dovecot/dovecot.conf
@ -0,0 +1,91 @@
 # 2.1.7: /etc/dovecot/dovecot.conf
 # OS: Linux 3.2.0-3-686-pae i686 Debian wheezy/sid ext4
 listen = *, ::
 auth_mechanisms = plain login
 login_greeting = Dovecot ready!!
 mail_gid = 8
 mail_home = /var/mail/%n
 mail_location = maildir:/var/mail/%n
 mail_uid = 500
 passdb {
  args = /etc/dovecot/dovecot-ldap.conf
  driver = ldap
 }
 protocols = imap sieve
 mail_plugins = $mail_plugins quota
 service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0660
    user = postfix
  }
  unix_listener auth-master {
    group = mail
    mode = 0660
    user = vmail
  }
 }
 protocol sieve {
 }
 ssl_ca = </etc/yunohost/certs/{{ main_domain }}/ca.pem
 ssl_cert = </etc/yunohost/certs/{{ main_domain }}/crt.pem
 ssl_key = </etc/yunohost/certs/{{ main_domain }}/key.pem
 ssl_protocols = !SSLv2 !SSLv3
 userdb {
  args = /etc/dovecot/dovecot-ldap.conf
  driver = ldap
 }
 protocol imap {
  imap_client_workarounds =
  mail_plugins = $mail_plugins imap_quota antispam
 }
 protocol lda {
  auth_socket_path = /var/run/dovecot/auth-master
  mail_plugins = quota sieve
  postmaster_address = postmaster@{{ main_domain }}
 }
 plugin {
  sieve = /var/mail/sievescript/%n/.dovecot.sieve
  sieve_dir = /var/mail/sievescript/%n/scripts/
  sieve_before = /etc/dovecot/global_script/
 }
 plugin {
  antispam_debug_target = syslog
  antispam_verbose_debug = 0
  antispam_backend = pipe
  antispam_spam = Junk;SPAM
  antispam_trash = Trash
  antispam_pipe_program = /usr/bin/rspamc
  antispam_pipe_program_args = -h;localhost:11334;-P;q1
  antispam_pipe_program_spam_arg = learn_spam
  antispam_pipe_program_notspam_arg = learn_ham
 }
 plugin {
  autosubscribe = Trash
  autosubscribe2 = Junk
 }
 plugin {
  quota = maildir:User quota
  quota_rule2 = SPAM:ignore
  quota_rule3 = Trash:ignore
 }
 plugin {
  quota_warning = storage=95%% quota-warning 95 %u
  quota_warning2 = storage=80%% quota-warning 80 %u
  quota_warning3 = -storage=100%% quota-warning below %u # user is no longer over quota
 }
 service quota-warning {
  executable = script /usr/bin/quota-warning.sh
  user = vmail
  unix_listener quota-warning {
  }
 }
--- a/data/templates/dovecot/dovecot.sieve
+++ b/data/templates/dovecot/dovecot.sieve
@ -0,0 +1,4 @@
 require "fileinto"; 
    if header :contains "X-Spam-Flag" "YES" { 
        fileinto "Junk"; 
    }
--- a/data/templates/fail2ban/jail.conf
+++ b/data/templates/fail2ban/jail.conf
@ -0,0 +1,584 @@
 # Fail2Ban configuration file.
 #
 # This file was composed for Debian systems from the original one
 # provided now under /usr/share/doc/fail2ban/examples/jail.conf
 # for additional examples.
 #
 # Comments: use '#' for comment lines and ';' for inline comments
 #
 # To avoid merges during upgrades DO NOT MODIFY THIS FILE
 # and rather provide your changes in /etc/fail2ban/jail.local
 #
 # The DEFAULT allows a global definition of the options. They can be overridden
 # in each jail afterwards.
 [DEFAULT]
 # "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
 # ban a host which matches an address in this list. Several addresses can be
 # defined using space separator.
 ignoreip = 127.0.0.1/8
 # External command that will take an tagged arguments to ignore, e.g. <ip>,
 # and return true if the IP is to be ignored. False otherwise.
 #
 # ignorecommand = /path/to/command <ip>
 ignorecommand =
 # "bantime" is the number of seconds that a host is banned.
 bantime  = 600
 # A host is banned if it has generated "maxretry" during the last "findtime"
 # seconds.
 findtime = 600
 maxretry = 3
 # "backend" specifies the backend used to get files modification.
 # Available options are "pyinotify", "gamin", "polling" and "auto".
 # This option can be overridden in each jail as well.
 #
 # pyinotify: requires pyinotify (a file alteration monitor) to be installed.
 #            If pyinotify is not installed, Fail2ban will use auto.
 # gamin:     requires Gamin (a file alteration monitor) to be installed.
 #            If Gamin is not installed, Fail2ban will use auto.
 # polling:   uses a polling algorithm which does not require external libraries.
 # auto:      will try to use the following backends, in order:
 #            pyinotify, gamin, polling.
 backend = auto
 # "usedns" specifies if jails should trust hostnames in logs,
 #   warn when reverse DNS lookups are performed, or ignore all hostnames in logs
 #
 # yes:   if a hostname is encountered, a reverse DNS lookup will be performed.
 # warn:  if a hostname is encountered, a reverse DNS lookup will be performed,
 #        but it will be logged as a warning.
 # no:    if a hostname is encountered, will not be used for banning,
 #        but it will be logged as info.
 usedns = warn
 #
 # Destination email address used solely for the interpolations in
 # jail.{conf,local} configuration files.
 destemail = root@localhost
 #
 # Name of the sender for mta actions
 sendername = Fail2Ban
 # Email address of the sender
 sender = fail2ban@localhost
 #
 # ACTIONS
 #
 # Default banning action (e.g. iptables, iptables-new,
 # iptables-multiport, shorewall, etc) It is used to define
 # action_* variables. Can be overridden globally or per
 # section within jail.local file
 banaction = iptables-multiport
 # email action. Since 0.8.1 upstream fail2ban uses sendmail
 # MTA for the mailing. Change mta configuration parameter to mail
 # if you want to revert to conventional 'mail'.
 mta = sendmail
 # Default protocol
 protocol = tcp
 # Specify chain where jumps would need to be added in iptables-* actions
 chain = INPUT
 #
 # Action shortcuts. To be used to define action parameter
 # The simplest action to take: ban only
 action_ = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
 # ban & send an e-mail with whois report to the destemail.
 action_mw = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
              %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s", sendername="%(sendername)s"]
 # ban & send an e-mail with whois report and relevant log lines
 # to the destemail.
 action_mwl = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
               %(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s", sendername="%(sendername)s"]
 # Choose default action.  To change, just override value of 'action' with the
 # interpolation to the chosen action shortcut (e.g.  action_mw, action_mwl, etc) in jail.local
 # globally (section [DEFAULT]) or per specific section
 action = %(action_)s
 #
 # JAILS
 #
 # Next jails corresponds to the standard configuration in Fail2ban 0.6 which
 # was shipped in Debian. Enable any defined here jail by including
 #
 # [SECTION_NAME]
 # enabled = true
 #
 # in /etc/fail2ban/jail.local.
 #
 # Optionally you may override any other parameter (e.g. banaction,
 # action, port, logpath, etc) in that section within jail.local
 [ssh]
 enabled  = true
 port     = ssh
 filter   = sshd
 logpath  = /var/log/auth.log
 maxretry = 6
 [dropbear]
 enabled  = false
 port     = ssh
 filter   = dropbear
 logpath  = /var/log/auth.log
 maxretry = 6
 # Generic filter for pam. Has to be used with action which bans all ports
 # such as iptables-allports, shorewall
 [pam-generic]
 enabled  = true
 # pam-generic filter can be customized to monitor specific subset of 'tty's
 filter   = pam-generic
 # port actually must be irrelevant but lets leave it all for some possible uses
 port     = all
 banaction = iptables-allports
 port     = anyport
 logpath  = /var/log/auth.log
 maxretry = 6
 [xinetd-fail]
 enabled   = false
 filter    = xinetd-fail
 port      = all
 banaction = iptables-multiport-log
 logpath   = /var/log/daemon.log
 maxretry  = 2
 [ssh-ddos]
 enabled  = false
 port     = ssh
 filter   = sshd-ddos
 logpath  = /var/log/auth.log
 maxretry = 6
 # Here we use blackhole routes for not requiring any additional kernel support
 # to store large volumes of banned IPs
 [ssh-route]
 enabled = false
 filter = sshd
 action = route
 logpath = /var/log/sshd.log
 maxretry = 6
 # Here we use a combination of Netfilter/Iptables and IPsets
 # for storing large volumes of banned IPs
 #
 # IPset comes in two versions. See ipset -V for which one to use
 # requires the ipset package and kernel support.
 [ssh-iptables-ipset4]
 enabled  = false
 port     = ssh
 filter   = sshd
 banaction = iptables-ipset-proto4
 logpath  = /var/log/sshd.log
 maxretry = 6
 [ssh-iptables-ipset6]
 enabled  = false
 port     = ssh
 filter   = sshd
 banaction = iptables-ipset-proto6
 logpath  = /var/log/sshd.log
 maxretry = 6
 #
 # HTTP servers
 #
 [apache]
 enabled  = false
 port     = http,https
 filter   = apache-auth
 logpath  = /var/log/apache*/*error.log
 maxretry = 6
 # default action is now multiport, so apache-multiport jail was left
 # for compatibility with previous (<0.7.6-2) releases
 [apache-multiport]
 enabled   = false
 port      = http,https
 filter    = apache-auth
 logpath   = /var/log/apache*/*error.log
 maxretry  = 6
 [apache-noscript]
 enabled  = false
 port     = http,https
 filter   = apache-noscript
 logpath  = /var/log/apache*/*error.log
 maxretry = 6
 [apache-overflows]
 enabled  = false
 port     = http,https
 filter   = apache-overflows
 logpath  = /var/log/apache*/*error.log
 maxretry = 2
 [apache-modsecurity]
 enabled  = false
 filter   = apache-modsecurity
 port     = http,https
 logpath  = /var/log/apache*/*error.log
 maxretry = 2
 [apache-nohome]
 enabled  = false
 filter   = apache-nohome
 port     = http,https
 logpath  = /var/log/apache*/*error.log
 maxretry = 2
 # Ban attackers that try to use PHP's URL-fopen() functionality
 # through GET/POST variables. - Experimental, with more than a year
 # of usage in production environments.
 [php-url-fopen]
 enabled = false
 port    = http,https
 filter  = php-url-fopen
 logpath = /var/www/*/logs/access_log
 # A simple PHP-fastcgi jail which works with lighttpd.
 # If you run a lighttpd server, then you probably will
 # find these kinds of messages in your error_log:
 #   ALERT – tried to register forbidden variable ‘GLOBALS’
 #   through GET variables (attacker '1.2.3.4', file '/var/www/default/htdocs/index.php')
 [lighttpd-fastcgi]
 enabled = false
 port    = http,https
 filter  = lighttpd-fastcgi
 logpath = /var/log/lighttpd/error.log
 # Same as above for mod_auth
 # It catches wrong authentifications
 [lighttpd-auth]
 enabled = false
 port    = http,https
 filter  = suhosin
 logpath = /var/log/lighttpd/error.log
 [nginx-http-auth]
 enabled = false
 filter  = nginx-http-auth
 port    = http,https
 logpath = /var/log/nginx/error.log
 # Monitor roundcube server
 [roundcube-auth]
 enabled  = false
 filter   = roundcube-auth
 port     = http,https
 logpath  = /var/log/roundcube/userlogins
 [sogo-auth]
 enabled  = false
 filter   = sogo-auth
 port     = http, https
 # without proxy this would be:
 # port    = 20000
 logpath  = /var/log/sogo/sogo.log
 #
 # FTP servers
 #
 [vsftpd]
 enabled  = false
 port     = ftp,ftp-data,ftps,ftps-data
 filter   = vsftpd
 logpath  = /var/log/vsftpd.log
 # or overwrite it in jails.local to be
 # logpath = /var/log/auth.log
 # if you want to rely on PAM failed login attempts
 # vsftpd's failregex should match both of those formats
 maxretry = 6
 [proftpd]
 enabled  = false
 port     = ftp,ftp-data,ftps,ftps-data
 filter   = proftpd
 logpath  = /var/log/proftpd/proftpd.log
 maxretry = 6
 [pure-ftpd]
 enabled  = false
 port     = ftp,ftp-data,ftps,ftps-data
 filter   = pure-ftpd
 logpath  = /var/log/syslog
 maxretry = 6
 [wuftpd]
 enabled  = false
 port     = ftp,ftp-data,ftps,ftps-data
 filter   = wuftpd
 logpath  = /var/log/syslog
 maxretry = 6
 #
 # Mail servers
 #
 [postfix]
 enabled  = true
 port     = smtp,ssmtp,submission
 filter   = postfix
 logpath  = /var/log/mail.log
 [couriersmtp]
 enabled  = false
 port     = smtp,ssmtp,submission
 filter   = couriersmtp
 logpath  = /var/log/mail.log
 #
 # Mail servers authenticators: might be used for smtp,ftp,imap servers, so
 # all relevant ports get banned
 #
 [courierauth]
 enabled  = false
 port     = smtp,ssmtp,submission,imap2,imap3,imaps,pop3,pop3s
 filter   = courierlogin
 logpath  = /var/log/mail.log
 [sasl]
 enabled  = true
 port     = smtp,ssmtp,submission,imap2,imap3,imaps,pop3,pop3s
 filter   = postfix-sasl
 # You might consider monitoring /var/log/mail.warn instead if you are
 # running postfix since it would provide the same log lines at the
 # "warn" level but overall at the smaller filesize.
 logpath  = /var/log/mail.log
 [dovecot]
 enabled = true
 port    = smtp,ssmtp,submission,imap2,imap3,imaps,pop3,pop3s
 filter  = dovecot
 logpath = /var/log/mail.log
 # To log wrong MySQL access attempts add to /etc/my.cnf:
 # log-error=/var/log/mysqld.log
 # log-warning = 2
 [mysqld-auth]
 enabled  = false
 filter   = mysqld-auth
 port     = 3306
 logpath  = /var/log/mysqld.log
 # DNS Servers
 # These jails block attacks against named (bind9). By default, logging is off
 # with bind9 installation. You will need something like this:
 #
 # logging {
 #     channel security_file {
 #         file "/var/log/named/security.log" versions 3 size 30m;
 #         severity dynamic;
 #         print-time yes;
 #     };
 #     category security {
 #         security_file;
 #     };
 # };
 #
 # in your named.conf to provide proper logging
 # !!! WARNING !!!
 #   Since UDP is connection-less protocol, spoofing of IP and imitation
 #   of illegal actions is way too simple.  Thus enabling of this filter
 #   might provide an easy way for implementing a DoS against a chosen
 #   victim. See
 #    http://nion.modprobe.de/blog/archives/690-fail2ban-+-dns-fail.html
 #   Please DO NOT USE this jail unless you know what you are doing.
 #[named-refused-udp]
 #
 #enabled  = false
 #port     = domain,953
 #protocol = udp
 #filter   = named-refused
 #logpath  = /var/log/named/security.log
 [named-refused-tcp]
 enabled  = false
 port     = domain,953
 protocol = tcp
 filter   = named-refused
 logpath  = /var/log/named/security.log
 [freeswitch]
 enabled  = false
 filter   = freeswitch
 logpath  = /var/log/freeswitch.log
 maxretry = 10
 action   = iptables-multiport[name=freeswitch-tcp, port="5060,5061,5080,5081", protocol=tcp]
           iptables-multiport[name=freeswitch-udp, port="5060,5061,5080,5081", protocol=udp]
 [ejabberd-auth]
 enabled  = false
 filter   = ejabberd-auth
 port     = xmpp-client
 protocol = tcp
 logpath  = /var/log/ejabberd/ejabberd.log
 # Multiple jails, 1 per protocol, are necessary ATM:
 # see https://github.com/fail2ban/fail2ban/issues/37
 [asterisk-tcp]
 enabled  = false
 filter   = asterisk
 port     = 5060,5061
 protocol = tcp
 logpath  = /var/log/asterisk/messages
 [asterisk-udp]
 enabled  = false
 filter	 = asterisk
 port     = 5060,5061
 protocol = udp
 logpath  = /var/log/asterisk/messages
 # Jail for more extended banning of persistent abusers
 # !!! WARNING !!!
 #   Make sure that your loglevel specified in fail2ban.conf/.local
 #   is not at DEBUG level -- which might then cause fail2ban to fall into
 #   an infinite loop constantly feeding itself with non-informative lines
 [recidive]
 enabled  = false
 filter   = recidive
 logpath  = /var/log/fail2ban.log
 action   = iptables-allports[name=recidive]
           sendmail-whois-lines[name=recidive, logpath=/var/log/fail2ban.log]
 bantime  = 604800  ; 1 week
 findtime = 86400   ; 1 day
 maxretry = 5
 # See the IMPORTANT note in action.d/blocklist_de.conf for when to
 # use this action
 #
 # Report block via blocklist.de fail2ban reporting service API
 # See action.d/blocklist_de.conf for more information
 [ssh-blocklist]
 enabled  = false
 filter   = sshd
 action   = iptables[name=SSH, port=ssh, protocol=tcp]
           sendmail-whois[name=SSH, dest="%(destemail)s", sender="%(sender)s", sendername="%(sendername)s"]
           blocklist_de[email="%(sender)s", apikey="xxxxxx", service="%(filter)s"]
 logpath  = /var/log/sshd.log
 maxretry = 20
 # consider low maxretry and a long bantime
 # nobody except your own Nagios server should ever probe nrpe
 [nagios]
 enabled  = false
 filter   = nagios
 action   = iptables[name=Nagios, port=5666, protocol=tcp]
           sendmail-whois[name=Nagios, dest="%(destemail)s", sender="%(sender)s", sendername="%(sendername)s"]
 logpath  = /var/log/messages     ; nrpe.cfg may define a different log_facility
 maxretry = 1
 [nginx]
 enabled = true
 port    = http,https
 filter  = apache-auth
 logpath = /var/log/nginx*/*error.log
 maxretry = 6
 [nginx-noscript]
 enabled = false
 port    = http,https
 filter  = apache-noscript
 logpath = /var/log/nginx*/*error.log
 maxretry = 6
 [nginx-overflows]
 enabled = false
 port    = http,https
 filter  = apache-overflows
 logpath = /var/log/nginx*/*error.log
 maxretry = 4
 [yunohost]
 enabled  = true
 port     = http,https
 protocol = tcp
 filter   = yunohost
 logpath  = /var/log/nginx/*.log
--- a/data/templates/fail2ban/yunohost.conf
+++ b/data/templates/fail2ban/yunohost.conf
@ -0,0 +1,24 @@
 # Fail2Ban configuration file
 #
 # Author: Adrien Beudin
 #
 # $Revision: 2 $
 #
 [Definition]
 # Option:  failregex
 # Notes.:  regex to match the password failure messages in the logfile. The
 #          host must be matched by a group named "host". The tag "<HOST>" can
 #          be used for standard IP/hostname matching and is only an alias for
 #          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
 # Values:  TEXT
 #
 failregex = access.lua:[1-9]+: authenticate\(\): Connection failed for: .*, client: <HOST>
            ^<HOST> -.*\"POST /yunohost/api/login HTTP/1.1\" 401 22
 # Option:  ignoreregex
 # Notes.:  regex to ignore. If this regex matches, the line is ignored.
 # Values:  TEXT
 #
 ignoreregex =
--- a/data/templates/glances/glances.default
+++ b/data/templates/glances/glances.default
@ -0,0 +1,5 @@
 # Default is to launch glances with '-s' option.
 DAEMON_ARGS="-s -B 127.0.0.1"
 # Change to 'true' to have glances running at startup
 RUN="true"
--- a/data/templates/metronome/domain.tpl.cfg.lua
+++ b/data/templates/metronome/domain.tpl.cfg.lua
@ -0,0 +1,15 @@
 VirtualHost "{{ domain }}"
  ssl = {
        key = "/etc/yunohost/certs/{{ domain }}/key.pem";
        certificate = "/etc/yunohost/certs/{{ domain }}/crt.pem";
  }
  authentication = "ldap2"
  ldap = {
     hostname      = "localhost",
     user = {
       basedn        = "ou=users,dc=yunohost,dc=org",
       filter        = "(&(objectClass=posixAccount)(mail=*@{{ domain }}))",
       usernamefield = "mail",
       namefield     = "cn",
       },
  }
--- a/data/templates/metronome/metronome.cfg.lua
+++ b/data/templates/metronome/metronome.cfg.lua
@ -0,0 +1,193 @@
 -- ** Metronome's config file example **
 -- 
 -- The format is exactly equal to Prosody's:
 --
 -- Lists are written { "like", "this", "one" } 
 -- Lists can also be of { 1, 2, 3 } numbers, etc. 
 -- Either commas, or semi-colons; may be used as seperators.
 --
 -- A table is a list of values, except each value has a name. An 
 -- example would be:
 --
 -- ssl = { key = "keyfile.key", certificate = "certificate.crt" }
 --
 -- Tip: You can check that the syntax of this file is correct when you have finished
 -- by running: luac -p metronome.cfg.lua
 -- If there are any errors, it will let you know what and where they are, otherwise it 
 -- will keep quiet.
 ---------- Server-wide settings ----------
 -- Settings in this section apply to the whole server and are the default settings
 -- for any virtual hosts
 -- Server PID
 pidfile = "/var/run/metronome/metronome.pid"
 -- HTTP server
 http_ports = { 5290 }
 http_interfaces = { "127.0.0.1", "::1" }
 --https_ports = { 5291 }
 --https_interfaces = { "127.0.0.1", "::1" }
 -- Enable IPv6
 use_ipv6 = true
 -- This is the list of modules Metronome will load on startup.
 -- It looks for mod_modulename.lua in the plugins folder, so make sure that exists too.
 modules_enabled = {
    -- Generally required
        "roster"; -- Allow users to have a roster. Recommended ;)
        "saslauth"; -- Authentication for clients and servers. Recommended if you want to log in.
        "tls"; -- Add support for secure TLS on c2s/s2s connections
        "dialback"; -- s2s dialback support
        "disco"; -- Service discovery
        --"discoitems"; -- Service discovery items
        --"extdisco"; -- External Service Discovery
    -- Not essential, but recommended
        "private"; -- Private XML storage (for room bookmarks, etc.)
        "vcard"; -- Allow users to set vCards
        "privacy"; -- Support privacy lists
    -- These are commented by default as they have a performance impact
        --"compression"; -- Stream compression (Debian: requires lua-zlib module to work)
    -- Nice to have
        "version"; -- Replies to server version requests
        "uptime"; -- Report how long server has been running
        "time"; -- Let others know the time here on this server
        "ping"; -- Replies to XMPP pings with pongs
        "pep"; -- Enables users to publish their mood, activity, playing music and more
        "message_carbons"; -- Allow clients to keep in sync with messages send on other resources
        "register"; -- Allow users to register on this server using a client and change passwords
        "adhoc"; -- Support for "ad-hoc commands" that can be executed with an XMPP client
    -- Admin interfaces
        "admin_adhoc"; -- Allows administration via an XMPP client that supports ad-hoc commands
        "admin_telnet"; -- Opens telnet console interface on localhost port 5582
    -- HTTP modules
        "bosh"; -- Enable BOSH clients, aka "Jabber over HTTP"
        --"websockets"; -- Enable WebSocket clients
        --"http_files"; -- Serve static files from a directory over HTTP
    -- Other specific functionality
 --        "bidi"; -- Bidirectional Streams for S2S connections
 --        "stream_management"; -- Stream Management support
        --"groups"; -- Shared roster support
        --"announce"; -- Send announcement to all online users
        --"welcome"; -- Welcome users who register accounts
        --"watchregistrations"; -- Alert admins of registrations
        --"motd"; -- Send a message to users when they log in
        "mam"; -- Nice archive management
        --"legacyauth"; -- Legacy authentication. Only used by some old clients and bots.
        "offline"; -- Store offline messages
        "c2s"; -- Handle client connections
        "s2s"; -- Handle server-to-server connections
    -- Debian: do not remove this module, or you lose syslog
    -- support
        "posix"; -- POSIX functionality, sends server to background, enables syslog, etc.
 };
 -- Discovery items
 disco_items = {
    { "muc.{{ main_domain }}" },
    { "pubsub.{{ main_domain }}" },
    { "vjud.{{ main_domain }}" }
 };
 -- BOSH configuration (mod_bosh)
 bosh_max_inactivity = 30
 consider_bosh_secure = true
 cross_domain_bosh = true
 -- Disable account creation by default, for security
 allow_registration = false
 -- SSL/TLS configuration
 ssl = {
    options = {
        "no_sslv2",
        "no_sslv3",
        "no_ticket",
        "no_compression",
        "cipher_server_preference"
    };
 }
 -- Force clients to use encrypted connections? This option will
 -- prevent clients from authenticating unless they are using encryption.
 c2s_require_encryption = true
 -- Force servers to use encrypted connections? This option will
 -- prevent servers from connecting unless they are using encryption.
 s2s_require_encryption = true
 -- Allow servers to use an unauthenticated encryption channel
 s2s_allow_encryption = true
 allow_unencrypted_plain_auth = false;
 s2s_secure = true
 s2s_secure_auth = false
 --anonymous_login = false
 -- Use LDAP storage backend for all stores
 storage = "ldap"
 -- Logging configuration
 log = {
    info = "/var/log/metronome/metronome.log"; -- Change 'info' to 'debug' for verbose logging
    error = "/var/log/metronome/metronome.err";
    -- "*syslog"; -- Uncomment this for logging to syslog
    -- "*console"; -- Log to the console, useful for debugging with daemonize=false
 }
 ------ Components ------
 -- You can specify components to add hosts that provide special services,
 -- like multi-user conferences, and transports.
 ---Set up a local BOSH service
 Component "localhost" "http"
    modules_enabled = { "bosh" }
 ---Set up a MUC (multi-user chat) room server
 Component "muc.{{ main_domain }}" "muc"
    name = "{{ main_domain }} Chatrooms"
    modules_enabled = {
        "muc_limits";
        "muc_log";
        "muc_log_http";
    }
    muc_event_rate = 0.5
    muc_burst_factor = 10
    muc_log_http_config = {
        url_base = "logs";
        theme = "metronome";
    }
 ---Set up a PubSub server
 Component "pubsub.{{ main_domain }}" "pubsub"
    name = "{{ main_domain }} Publish/Subscribe"
    unrestricted_node_creation = true -- Anyone can create a PubSub node (from any server)
 ---Set up a VJUD service
 Component "vjud.{{ main_domain }}" "vjud"
    ud_disco_name = "{{ main_domain }} User Directory"
 ----------- Virtual hosts -----------
 -- You need to add a VirtualHost entry for each domain you wish Metronome to serve.
 -- Settings under each VirtualHost entry apply *only* to that host.
 Include "conf.d/*.cfg.lua"
--- a/data/templates/mysql/my.cnf
+++ b/data/templates/mysql/my.cnf
@ -0,0 +1,92 @@
 # Example MySQL config file for small systems.
 #
 # This is for a system with little memory (<= 64M) where MySQL is only used
 # from time to time and it's important that the mysqld daemon
 # doesn't use much resources.
 #
 # MySQL programs look for option files in a set of
 # locations which depend on the deployment platform.
 # You can copy this option file to one of those
 # locations. For information about these locations, see:
 # http://dev.mysql.com/doc/mysql/en/option-files.html
 #
 # In this file, you can use all long options that a program supports.
 # If you want to know which options a program supports, run the program
 # with the "--help" option.
 # The following options will be passed to all MySQL clients
 [client]
 #password       = your_password
 port            = 3306
 socket          = /var/run/mysqld/mysqld.sock
 # Here follows entries for some specific programs
 # The MySQL server
 [mysqld]
 port            = 3306
 socket          = /var/run/mysqld/mysqld.sock
 skip-external-locking
 key_buffer_size = 16K
 max_allowed_packet = 1M
 table_open_cache = 4
 sort_buffer_size = 64K
 read_buffer_size = 256K
 read_rnd_buffer_size = 256K
 net_buffer_length = 2K
 thread_stack = 128K
 # to avoid corruption on powerfailure
 default-storage-engine=innodb
 # Don't listen on a TCP/IP port at all. This can be a security enhancement,
 # if all processes that need to connect to mysqld run on the same host.
 # All interaction with mysqld must be made via Unix sockets or named pipes.
 # Note that using this option without enabling named pipes on Windows
 # (using the "enable-named-pipe" option) will render mysqld useless!
 # 
 #skip-networking
 server-id       = 1
 # Uncomment the following if you want to log updates
 #log-bin=mysql-bin
 # binary logging format - mixed recommended
 #binlog_format=mixed
 # Causes updates to non-transactional engines using statement format to be
 # written directly to binary log. Before using this option make sure that
 # there are no dependencies between transactional and non-transactional
 # tables such as in the statement INSERT INTO t_myisam SELECT * FROM
 # t_innodb; otherwise, slaves may diverge from the master.
 #binlog_direct_non_transactional_updates=TRUE
 # Uncomment the following if you are using InnoDB tables
 #innodb_data_home_dir = /var/lib/mysql
 #innodb_data_file_path = ibdata1:10M:autoextend
 #innodb_log_group_home_dir = /var/lib/mysql
 # You can set .._buffer_pool_size up to 50 - 80 %
 # of RAM but beware of setting memory usage too high
 #innodb_buffer_pool_size = 16M
 #innodb_additional_mem_pool_size = 2M
 # Set .._log_file_size to 25 % of buffer pool size
 #innodb_log_file_size = 5M
 #innodb_log_buffer_size = 8M
 #innodb_flush_log_at_trx_commit = 1
 #innodb_lock_wait_timeout = 50
 [mysqldump]
 quick
 max_allowed_packet = 16M
 [mysql]
 no-auto-rehash
 # Remove the next comment character if you are not familiar with SQL
 #safe-updates
 [myisamchk]
 key_buffer_size = 8M
 sort_buffer_size = 8M
 [mysqlhotcopy]
 interactive-timeout
--- a/data/templates/nginx/plain/global.conf
+++ b/data/templates/nginx/plain/global.conf
@ -0,0 +1 @@
 server_tokens off;
--- a/data/templates/nginx/plain/ssowat.conf
+++ b/data/templates/nginx/plain/ssowat.conf
@ -0,0 +1,3 @@
 lua_shared_dict cache 10m;
 init_by_lua_file   /usr/share/ssowat/init.lua;
 server_names_hash_bucket_size 64;
--- a/data/templates/nginx/plain/yunohost_admin.conf
+++ b/data/templates/nginx/plain/yunohost_admin.conf
@ -0,0 +1,44 @@
 server {
    listen 80 default_server;
    listen [::]:80 default_server;
    location / {
        return 302 https://$http_host/yunohost/admin;
    }
    location /yunohost/admin {
        return 301 https://$http_host$request_uri;
    }
 }
 server {
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;
    ssl_certificate /etc/yunohost/certs/yunohost.org/crt.pem;
    ssl_certificate_key /etc/yunohost/certs/yunohost.org/key.pem;
    ssl_session_timeout 5m;
    ssl_session_cache shared:SSL:50m;
    ssl_prefer_server_ciphers on;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ALL:!aNULL:!eNULL:!LOW:!EXP:!RC4:!3DES:+HIGH:+MEDIUM;
    add_header Strict-Transport-Security "max-age=31536000;";
    location / {
        return 302 https://$http_host/yunohost/admin;
    }
    location /yunohost {
        # Block crawlers bot
        if ($http_user_agent ~ (crawl|Googlebot|Slurp|spider|bingbot|tracker|click|parser|spider|facebookexternalhit) ) {
            return 403;
        }
        # Redirect most of 404 to maindomain.tld/yunohost/sso
        access_by_lua_file /usr/share/ssowat/access.lua;
    }
    include conf.d/yunohost_admin.conf.inc;
    include conf.d/yunohost_api.conf.inc;
 }
--- a/data/templates/nginx/plain/yunohost_admin.conf.inc
+++ b/data/templates/nginx/plain/yunohost_admin.conf.inc
@ -0,0 +1,11 @@
 location /yunohost/admin {
    alias /usr/share/yunohost/admin/;
    default_type text/html;
    index index.html;
    # Short cache on handlebars templates
    location ~* \.(?:ms)$ {
      expires 5m;
      add_header Cache-Control "public";
    }
 }
--- a/data/templates/nginx/plain/yunohost_api.conf.inc
+++ b/data/templates/nginx/plain/yunohost_api.conf.inc
@ -0,0 +1,17 @@
 location /yunohost/api/ {
    proxy_read_timeout 3600s;
    proxy_pass http://127.0.0.1:6787/;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    # Custom 502 error page
    error_page 502 /yunohost/api/error/502;
 }
 # Yunohost admin output complete 502 error page, so use only plain text.
 location = /yunohost/api/error/502 {
    return 502 '502 - Bad Gateway';
    add_header Content-Type text/plain;
    internal;
 }
--- a/data/templates/nginx/plain/yunohost_panel.conf.inc
+++ b/data/templates/nginx/plain/yunohost_panel.conf.inc
@ -0,0 +1,2 @@
 sub_filter </head> '<script type="text/javascript" src="/ynhpanel.js"></script></head>';
 sub_filter_once on;
--- a/data/templates/nginx/server.tpl.conf
+++ b/data/templates/nginx/server.tpl.conf
@ -0,0 +1,46 @@
 server {
    listen 80;
    listen [::]:80;
    server_name {{ domain }};
    access_by_lua_file /usr/share/ssowat/access.lua;
    include conf.d/{{ domain }}.d/*.conf;
    location /yunohost/admin {
        return 301 https://$http_host$request_uri;
    }
    access_log /var/log/nginx/{{ domain }}-access.log;
    error_log /var/log/nginx/{{ domain }}-error.log;
 }
 server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name {{ domain }};
    ssl_certificate /etc/yunohost/certs/{{ domain }}/crt.pem;
    ssl_certificate_key /etc/yunohost/certs/{{ domain }}/key.pem;
    ssl_session_timeout 5m;
    ssl_session_cache shared:SSL:50m;
    ssl_prefer_server_ciphers on;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ALL:!aNULL:!eNULL:!LOW:!EXP:!RC4:!3DES:+HIGH:+MEDIUM;
    add_header Strict-Transport-Security "max-age=31536000;";
    # Uncomment the following directive after DH generation
    # > openssl dhparam -out /etc/ssl/private/dh2048.pem -outform PEM -2 2048
    #ssl_dhparam /etc/ssl/private/dh2048.pem;
    access_by_lua_file /usr/share/ssowat/access.lua;
    include conf.d/{{ domain }}.d/*.conf;
    include conf.d/yunohost_admin.conf.inc;
    include conf.d/yunohost_api.conf.inc;
    access_log /var/log/nginx/{{ domain }}-access.log;
    error_log /var/log/nginx/{{ domain }}-error.log;
 }
--- a/data/templates/nginx/yunohost_local.conf
+++ b/data/templates/nginx/yunohost_local.conf
@ -0,0 +1 @@
 server_name $server_name yunohost.local;
--- a/data/templates/nslcd/nslcd.conf
+++ b/data/templates/nslcd/nslcd.conf
@ -0,0 +1,25 @@
 # /etc/nslcd.conf
 # nslcd configuration file. See nslcd.conf(5)
 # for details.
 # The user and group nslcd should run as.
 uid nslcd
 gid nslcd
 # The location at which the LDAP server(s) should be reachable.
 uri ldap://localhost/
 # The search base that will be used for all queries.
 base dc=yunohost,dc=org
 # The LDAP protocol version to use.
 #ldap_version 3
 # The search scope.
 #scope sub
 # Build a full list of non-LDAP users on startup.
 nss_initgroups_ignoreusers ALLLOCAL
 # The minimum numeric user id to lookup.
 nss_min_uid 1000
--- a/data/templates/nsswitch/nsswitch.conf
+++ b/data/templates/nsswitch/nsswitch.conf
@ -0,0 +1,21 @@
 # /etc/nsswitch.conf
 #
 # Example configuration of GNU Name Service Switch functionality.
 # If you have the `glibc-doc-reference' and `info' packages installed, try:
 # `info libc "Name Service Switch"' for information about this file.
 passwd:         compat ldap
 group:          compat ldap
 shadow:         compat ldap
 gshadow:        files
 hosts:          files mdns4_minimal [NOTFOUND=return] dns
 networks:       files
 protocols:      db files
 services:       db files
 ethers:         db files
 rpc:            db files
 netgroup:       nis
 sudoers:	files ldap
--- a/data/templates/postfix/main.cf
+++ b/data/templates/postfix/main.cf
@ -0,0 +1,148 @@
 # See /usr/share/postfix/main.cf.dist for a commented, more complete version
 # Debian specific:  Specifying a file name will cause the first
 # line of that file to be used as the name.  The Debian default
 # is /etc/mailname.
 #myorigin = /etc/mailname
 smtpd_banner = $myhostname Service ready
 biff = no
 # appending .domain is the MUA's job.
 append_dot_mydomain = no
 # Uncomment the next line to generate "delayed mail" warnings
 #delay_warning_time = 4h
 readme_directory = no
 # -- TLS for incoming connections
 # By default, TLS is disabled in the Postfix SMTP server, so no difference to
 # plain Postfix is visible. Explicitly switch it on with "smtpd_tls_security_level = may".
 smtpd_tls_security_level=may
 # Sending AUTH data over an unencrypted channel poses a security risk.
 # When TLS layer encryption is optional ("smtpd_tls_security_level = may"), it
 # may however still be useful to only offer AUTH when TLS is active. To maintain
 # compatibility with non-TLS clients, the default is to accept AUTH without
 # encryption. In order to change this behavior, we set "smtpd_tls_auth_only = yes".
 smtpd_tls_auth_only=yes
 smtpd_tls_cert_file = /etc/yunohost/certs/{{ main_domain }}/crt.pem
 smtpd_tls_key_file = /etc/yunohost/certs/{{ main_domain }}/key.pem
 smtpd_tls_CAfile = /etc/yunohost/certs/{{ main_domain }}/ca.pem
 smtpd_tls_exclude_ciphers = aNULL, MD5, DES, ADH, RC4, 3DES
 smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
 smtpd_tls_loglevel=1
 smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3
 smtpd_tls_mandatory_ciphers=high
 smtpd_tls_eecdh_grade = ultra
 # -- TLS for outgoing connections
 # Use TLS if this is supported by the remote SMTP server, otherwise use plaintext.
 smtp_tls_security_level=may
 smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
 smtp_tls_exclude_ciphers = $smtpd_tls_exclude_ciphers
 smtp_tls_mandatory_ciphers= $smtpd_tls_mandatory_ciphers
 smtp_tls_loglevel=1
 # See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
 # information on enabling SSL in the smtp client.
 myhostname = {{ main_domain }}
 alias_maps = hash:/etc/aliases
 alias_database = hash:/etc/aliases
 mydomain = {{ main_domain }}
 mydestination = localhost
 relayhost = 
 mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
 mailbox_command = procmail -a "$EXTENSION"
 mailbox_size_limit = 0
 recipient_delimiter = +
 inet_interfaces = all
 #### Fit to the maximum message size allowed by GMail or Yahoo ####
 message_size_limit = 26214400
 # Virtual Domains Control 
 virtual_mailbox_domains = ldap:/etc/postfix/ldap-domains.cf 
 virtual_mailbox_maps = ldap:/etc/postfix/ldap-accounts.cf 
 virtual_mailbox_base = 
 virtual_alias_maps = ldap:/etc/postfix/ldap-aliases.cf 
 virtual_alias_domains = 
 virtual_minimum_uid = 100 
 virtual_uid_maps = static:vmail 
 virtual_gid_maps = static:mail
 # Dovecot LDA 
 virtual_transport = dovecot 
 dovecot_destination_recipient_limit = 1
 # Enable SASL authentication for the smtpd daemon 
 smtpd_sasl_auth_enable = yes 
 smtpd_sasl_type = dovecot 
 smtpd_sasl_path = private/auth 
 # Fix some outlook's bugs 
 broken_sasl_auth_clients = yes 
 # Reject anonymous connections 
 smtpd_sasl_security_options = noanonymous 
 smtpd_sasl_local_domain =
 # Wait until the RCPT TO command before evaluating restrictions 
 smtpd_delay_reject = yes 
 # Basics Restrictions 
 smtpd_helo_required = yes 
 strict_rfc821_envelopes = yes 
 # Requirements for the connecting server 
 smtpd_client_restrictions = 
    permit_mynetworks, 
    permit_sasl_authenticated, 
    reject_rbl_client bl.spamcop.net, 
    reject_rbl_client cbl.abuseat.org, 
    reject_rbl_client zen.spamhaus.org, 
    permit 
 # Requirements for the HELO statement 
 smtpd_helo_restrictions = 
    permit_mynetworks, 
    permit_sasl_authenticated, 
    reject_non_fqdn_hostname, 
    reject_invalid_hostname, 
    permit 
 # Requirements for the sender address 
 smtpd_sender_restrictions = 
    permit_mynetworks, 
    permit_sasl_authenticated, 
    reject_non_fqdn_sender, 
    reject_unknown_sender_domain,
    permit 
 # Requirement for the recipient address 
 smtpd_recipient_restrictions = 
    permit_mynetworks, 
    permit_sasl_authenticated, 
    reject_non_fqdn_recipient, 
    reject_unknown_recipient_domain, 
    reject_unauth_destination,
    permit
 # SRS
 sender_canonical_maps = regexp:/etc/postfix/sender_canonical
 sender_canonical_classes = envelope_sender
 # Ignore some headers
 smtp_header_checks = regexp:/etc/postfix/header_checks
 smtp_reply_filter = pcre:/etc/postfix/smtp_reply_filter
 # Rmilter
 milter_mail_macros =  i {mail_addr} {client_addr} {client_name} {auth_authen}
 milter_protocol = 6
 smtpd_milters = inet:localhost:11000
 # Skip email without checking if milter has died
 milter_default_action = accept
--- a/data/templates/postfix/plain/header_checks
+++ b/data/templates/postfix/plain/header_checks
@ -0,0 +1,4 @@
 /^X-Originating-IP:/ IGNORE
 /^Received:/ IGNORE
 /^User-Agent:/ IGNORE
 /^X-Mailer:/ IGNORE
--- a/data/templates/postfix/plain/ldap-accounts.cf
+++ b/data/templates/postfix/plain/ldap-accounts.cf
@ -0,0 +1,5 @@
 server_host = localhost
 server_port = 389
 search_base = dc=yunohost,dc=org
 query_filter = (&(objectClass=mailAccount)(mail=%s))
 result_attribute = uid
--- a/data/templates/postfix/plain/ldap-aliases.cf
+++ b/data/templates/postfix/plain/ldap-aliases.cf
@ -0,0 +1,5 @@
 server_host = localhost
 server_port = 389
 search_base = dc=yunohost,dc=org
 query_filter = (&(objectClass=mailAccount)(mail=%s))
 result_attribute = maildrop
--- a/data/templates/postfix/plain/ldap-domains.cf
+++ b/data/templates/postfix/plain/ldap-domains.cf
@ -0,0 +1,5 @@
 server_host = localhost
 server_port = 389
 search_base = ou=domains,dc=yunohost,dc=org
 query_filter = (&(objectClass=mailDomain)(virtualdomain=%s))
 result_attribute = virtualdomain
--- a/data/templates/postfix/plain/master.cf
+++ b/data/templates/postfix/plain/master.cf
@ -0,0 +1,118 @@
 #
 # Postfix master process configuration file.  For details on the format
 # of the file, see the master(5) manual page (command: "man 5 master").
 #
 # Do not forget to execute "postfix reload" after editing this file.
 #
 # ==========================================================================
 # service type  private unpriv  chroot  wakeup  maxproc command + args
 #               (yes)   (yes)   (yes)   (never) (100)
 # ==========================================================================
 smtp      inet  n       -       -       -       -       smtpd
 submission inet n       -       -       -       -       smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
 #  -o milter_macro_daemon_name=ORIGINATING
 smtps     inet  n       -       -       -       -       smtpd
  -o header_checks=pcre:/etc/postfix/header_checks
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
 #  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
 #  -o milter_macro_daemon_name=ORIGINATING
 #628       inet  n       -       -       -       -       qmqpd
 pickup    fifo  n       -       -       60      1       pickup
 cleanup   unix  n       -       -       -       0       cleanup
 qmgr      fifo  n       -       n       300     1       qmgr
 #qmgr     fifo  n       -       -       300     1       oqmgr
 tlsmgr    unix  -       -       -       1000?   1       tlsmgr
 rewrite   unix  -       -       -       -       -       trivial-rewrite
 bounce    unix  -       -       -       -       0       bounce
 defer     unix  -       -       -       -       0       bounce
 trace     unix  -       -       -       -       0       bounce
 verify    unix  -       -       -       -       1       verify
 flush     unix  n       -       -       1000?   0       flush
 proxymap  unix  -       -       n       -       -       proxymap
 proxywrite unix -       -       n       -       1       proxymap
 smtp      unix  -       -       -       -       -       smtp
 # When relaying mail as backup MX, disable fallback_relay to avoid MX loops
 relay     unix  -       -       -       -       -       smtp
 	-o smtp_fallback_relay=
 #       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
 showq     unix  n       -       -       -       -       showq
 error     unix  -       -       -       -       -       error
 retry     unix  -       -       -       -       -       error
 discard   unix  -       -       -       -       -       discard
 local     unix  -       n       n       -       -       local
 virtual   unix  -       n       n       -       -       virtual
 lmtp      unix  -       -       -       -       -       lmtp
 anvil     unix  -       -       -       -       1       anvil
 scache    unix  -       -       -       -       1       scache
 #
 # ====================================================================
 # Interfaces to non-Postfix software. Be sure to examine the manual
 # pages of the non-Postfix software to find out what options it wants.
 #
 # Many of the following services use the Postfix pipe(8) delivery
 # agent.  See the pipe(8) man page for information about ${recipient}
 # and other message envelope options.
 # ====================================================================
 #
 # maildrop. See the Postfix MAILDROP_README file for details.
 # Also specify in main.cf: maildrop_destination_recipient_limit=1
 #
 maildrop  unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
 #
 # ====================================================================
 #
 # Recent Cyrus versions can use the existing "lmtp" master.cf entry.
 #
 # Specify in cyrus.conf:
 #   lmtp    cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4
 #
 # Specify in main.cf one or more of the following:
 #  mailbox_transport = lmtp:inet:localhost
 #  virtual_transport = lmtp:inet:localhost
 #
 # ====================================================================
 #
 # Cyrus 2.1.5 (Amos Gouaux)
 # Also specify in main.cf: cyrus_destination_recipient_limit=1
 #
 #cyrus     unix  -       n       n       -       -       pipe
 #  user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
 #
 # ====================================================================
 # Old example of delivery via Cyrus.
 #
 #old-cyrus unix  -       n       n       -       -       pipe
 #  flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
 #
 # ====================================================================
 #
 # See the Postfix UUCP_README file for configuration details.
 #
 uucp      unix  -       n       n       -       -       pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
 #
 # Other external delivery methods.
 #
 ifmail    unix  -       n       n       -       -       pipe
  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
 bsmtp     unix  -       n       n       -       -       pipe
  flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
 scalemail-backend unix	-	n	n	-	2	pipe
  flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
 mailman   unix  -       n       n       -       -       pipe
  flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
  ${nexthop} ${user}
 # Dovecot LDA 
 dovecot    unix  -       n       n       -       -       pipe 
    flags=DRhu user=vmail:mail argv=/usr/lib/dovecot/deliver -f ${sender} -d ${user}@${nexthop} -m ${extension}
 # ==========================================================================
 # service type  private unpriv  chroot  wakeup  maxproc command + args
 #               (yes)   (yes)   (yes)   (never) (100)
 # ==========================================================================
 # Added using postfix-add-filter script:
--- a/data/templates/postfix/plain/sender_canonical
+++ b/data/templates/postfix/plain/sender_canonical
@ -0,0 +1 @@
 /^(.*)@(.*)$/     ${1}
--- a/data/templates/postfix/plain/smtp_reply_filter
+++ b/data/templates/postfix/plain/smtp_reply_filter
@ -0,0 +1,8 @@
 # Google Mail bounces email sent via IPv6, while this works ok with IPv4.
 #
 # Convert Google Mail IPv6 complaint permanent error into a temporary error.
 # Turn 550 error containing gsmtp in the message into 450 error.
 # This way Postfix will attempt to deliver this e-mail using another MX
 # (via IPv4).
 #
 /^5(\d\d )5(.*information. \S+ - gsmtp.*)/ 4${1}4$2
--- a/data/templates/rmilter/rmilter.conf
+++ b/data/templates/rmilter/rmilter.conf
@ -0,0 +1,18 @@
 # systemd-specific settings for rmilter
 .include /etc/rmilter.conf.common
 # pidfile - path to pid file
 pidfile = /run/rmilter/rmilter.pid;
 # rmilter is socket-activated under systemd
 bind_socket = fd:3;
 # DKIM signing
 dkim {
    domain {
        key = /etc/dkim;
        domain = "*";
        selector = "mail";
    };
 };
--- a/data/templates/rmilter/rmilter.socket
+++ b/data/templates/rmilter/rmilter.socket
@ -0,0 +1,5 @@
 .include /lib/systemd/system/rmilter.socket
 [Socket]
 ListenStream=
 ListenStream=127.0.0.1:11000
--- a/data/templates/rspamd/metrics.local.conf
+++ b/data/templates/rspamd/metrics.local.conf
@ -0,0 +1,8 @@
 # Metrics settings
 # This define overridden options.
 actions {
  reject = 21;
  add_header = 8;
  greylist = 4;
 }
--- a/data/templates/rspamd/rspamd.sieve
+++ b/data/templates/rspamd/rspamd.sieve
@ -0,0 +1,4 @@
 require ["fileinto"];
 if header :is "X-Spam" "yes" {
    fileinto "Junk";
 }
--- a/data/templates/slapd/ldap.conf
+++ b/data/templates/slapd/ldap.conf
@ -0,0 +1,18 @@
 #
 # LDAP Defaults
 #
 # See ldap.conf(5) for details
 # This file should be world readable but not world writable.
 #BASE	dc=example,dc=com
 #URI	ldap://ldap.example.com ldap://ldap-master.example.com:666
 #SIZELIMIT	12
 #TIMELIMIT	15
 #DEREF		never
 # TLS certificates (needed for GnuTLS)
 TLS_CACERT	/etc/ssl/certs/ca-certificates.crt
 sudoers_base ou=sudo,dc=yunohost,dc=org
--- a/data/templates/slapd/mailserver.schema
+++ b/data/templates/slapd/mailserver.schema
@ -0,0 +1,88 @@
 ## LDAP Schema Yunohost EMAIL
 ## Version 0.1
 ## Adrien Beudin
 # Attributes
 attributetype ( 1.3.6.1.4.1.40328.1.20.2.1
        NAME 'maildrop'
        DESC 'Mail addresses where mails are forwarded -- ie forwards'
        EQUALITY caseIgnoreMatch
        SUBSTR caseIgnoreSubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{512})
 attributetype ( 1.3.6.1.4.1.40328.1.20.2.2
        NAME 'mailalias'
        DESC 'Mail addresses accepted by this account -- ie aliases'
        EQUALITY caseIgnoreMatch
        SUBSTR caseIgnoreSubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{512})
 attributetype ( 1.3.6.1.4.1.40328.1.20.2.3
        NAME 'mailenable'
        DESC 'Mail Account validity'
        EQUALITY caseIgnoreMatch
        SUBSTR caseIgnoreSubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{8})
 attributetype ( 1.3.6.1.4.1.40328.1.20.2.4
        NAME 'mailbox'
        DESC 'Mailbox path where mails are delivered'
        EQUALITY caseIgnoreMatch
        SUBSTR caseIgnoreSubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{512})
 attributetype ( 1.3.6.1.4.1.40328.1.20.2.5
        NAME 'virtualdomain'
        DESC 'A mail domain name'
        EQUALITY caseIgnoreMatch
        SUBSTR caseIgnoreSubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{512})
 attributetype ( 1.3.6.1.4.1.40328.1.20.2.6
        NAME 'virtualdomaindescription'
        DESC 'Virtual domain description'
        EQUALITY caseIgnoreMatch
        SUBSTR caseIgnoreSubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{512})
 attributetype ( 1.3.6.1.4.1.40328.1.20.2.7
        NAME 'mailuserquota'
        DESC 'Mailbox quota for a user'
        EQUALITY caseIgnoreMatch
        SUBSTR caseIgnoreSubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{16} SINGLE-VALUE )
 # Mail Account Objectclass
 objectclass ( 1.3.6.1.4.1.40328.1.1.2.1
        NAME 'mailAccount'
        DESC 'Mail Account'
        SUP top
        AUXILIARY
        MUST (
            mail
            )
        MAY (
            mailalias $ maildrop $ mailenable $ mailbox $ mailuserquota 
            )
        )
 # Mail Domain Objectclass
 objectclass ( 1.3.6.1.4.1.40328.1.1.2.2
        NAME 'mailDomain'
        DESC 'Domain mail entry'
        SUP top
        STRUCTURAL
        MUST (
            virtualdomain
            )
        MAY (
            virtualdomaindescription $ mailuserquota
            )
        )
 # Mail Group Objectclass
 objectclass ( 1.3.6.1.4.1.40328.1.1.2.3
        NAME 'mailGroup' SUP top AUXILIARY
        DESC 'Mail Group'
        MUST ( mail )
        )
--- a/data/templates/slapd/slapd.conf
+++ b/data/templates/slapd/slapd.conf
@ -0,0 +1,112 @@
 # This is the main slapd configuration file. See slapd.conf(5) for more
 # info on the configuration options.
 #######################################################################
 # Global Directives:
 # Features to permit
 #allow bind_v2
 # Schema and objectClass definitions
 include         /etc/ldap/schema/core.schema
 include         /etc/ldap/schema/cosine.schema
 include         /etc/ldap/schema/nis.schema
 include         /etc/ldap/schema/inetorgperson.schema
 include         /etc/ldap/schema/mailserver.schema
 include         /etc/ldap/schema/sudo.schema
 # Where the pid file is put. The init.d script
 # will not stop the server if you change this.
 pidfile         /var/run/slapd/slapd.pid
 # List of arguments that were passed to the server
 argsfile        /var/run/slapd/slapd.args
 # Read slapd.conf(5) for possible values
 loglevel        none
 # Hashes to be used in generation of user passwords
 password-hash   {SSHA}
 # Where the dynamically loaded modules are stored
 modulepath	/usr/lib/ldap
 moduleload	back_mdb
 moduleload      memberof
 # The maximum number of entries that is returned for a search operation
 sizelimit 500
 # The tool-threads parameter sets the actual amount of cpu's that is used
 # for indexing.
 tool-threads 1
 #######################################################################
 # Specific Backend Directives for mdb:
 # Backend specific directives apply to this backend until another
 # 'backend' directive occurs
 backend		mdb
 #######################################################################
 # Specific Directives for database #1, of type mdb:
 # Database specific directives apply to this databasse until another
 # 'database' directive occurs
 database        mdb
 # The base of your directory in database #1
 suffix          "dc=yunohost,dc=org"
 # rootdn directive for specifying a superuser on the database. This is needed
 # for syncrepl.
 # rootdn          "cn=admin,dc=yunohost,dc=org"
 # Where the database file are physically stored for database #1
 directory       "/var/lib/ldap"
 # Indexing options for database #1
 index  objectClass         eq
 index  uid                 eq,sub
 index  entryCSN,entryUUID  eq
 # Save the time that the entry gets modified, for database #1
 lastmod         on
 # Checkpoint the BerkeleyDB database periodically in case of system
 # failure and to speed slapd shutdown.
 checkpoint      512 30
 # The userPassword by default can be changed
 # by the entry owning it if they are authenticated.
 # Others should not be able to see it, except the
 # admin entry below
 # These access lines apply to database #1 only
 access to attrs=userPassword,shadowLastChange
        by dn="cn=admin,dc=yunohost,dc=org" write
        by anonymous auth
        by self write
        by * none
 # Personnal information can be changed by the entry
 # owning it if they are authenticated.
 # Others should be able to see it.
 access to attrs=cn,gecos,givenName,mail,maildrop,displayName,sn
        by dn="cn=admin,dc=yunohost,dc=org" write
        by self write
        by * read
 # Ensure read access to the base for things like
 # supportedSASLMechanisms.  Without this you may
 # have problems with SASL not knowing what
 # mechanisms are available and the like.
 # Note that this is covered by the 'access to *'
 # ACL below too but if you change that as people
 # are wont to do you'll still need this if you
 # want SASL (and possible other things) to work 
 # happily.
 access to dn.base="" by * read
 # The admin dn has full write access, everyone else
 # can read everything.
 access to *
        by dn="cn=admin,dc=yunohost,dc=org" write
        by group/groupOfNames/Member="cn=admin,ou=groups,dc=yunohost,dc=org" write
        by * read
--- a/Show more
+++ b/Show more
		`@ -0,0 +1,3 @@`
							`backup_dir="$1/conf/ssowat"`

							`sudo cp -a $backup_dir/. /etc/ssowat`
		`@ -0,0 +1,3 @@`
							`backup_dir="$1/data/home"`

							`sudo cp -a $backup_dir/. /home`
		`@ -0,0 +1,3 @@`
							`backup_dir="$1/conf/ynh"`

							`sudo cp -a "${backup_dir}/current_host" /etc/yunohost/current_host`
		`@ -0,0 +1,2 @@`
							`sub_filter </head> '<script type="text/javascript" src="/ynhpanel.js"></script></head>';`
							`sub_filter_once on;`