.github/PULL_REQUEST_TEMPLATE.md

@@ -0,0 +1,22 @@
+## The problem
+
+...
+
+## Solution
+
+...
+
+## PR Status
+
+...
+
+## How to test
+
+...
+
+## Validation
+
+- [ ] Principle agreement 0/2 : 
+- [ ] Quick review 0/1 : 
+- [ ] Simple test 0/1 : 
+- [ ] Deep review 0/1 : 

.github/workflows/autoblack.yml

@@ -1,35 +0,0 @@
-name: Check / auto apply Black
-on:
-  push:
-      branches:
-          - dev
-jobs:
-  black:
-    name: Check / auto apply black
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v4
-      - name: Check files using the black formatter
-        uses: psf/black@stable
-        id: black
-        with:
-          options: "."
-        continue-on-error: true
-      - shell: pwsh
-        id: check_files_changed
-        run: |
-          # Diff HEAD with the previous commit
-          $diff = git diff
-          $HasDiff = $diff.Length -gt 0
-          Write-Host "::set-output name=files_changed::$HasDiff"
-      - name: Create Pull Request
-        if: steps.check_files_changed.outputs.files_changed == 'true'
-        uses: peter-evans/create-pull-request@v6
-        with:
-          token: ${{ secrets.GITHUB_TOKEN }}
-          title: "Format Python code with Black"
-          commit-message: ":art: Format Python code with Black"
-          body: |
-            This pull request uses the [psf/black](https://github.com/psf/black) formatter.
-          base: ${{ github.head_ref }} # Creates pull request onto pull request or commit branch
-          branch: actions/black

.github/workflows/i18n.yml

@@ -1,29 +0,0 @@
-name: Autoreformat locale files
-on:
-  push:
-      branches:
-          - dev
-jobs:
-  i18n:
-    name: Autoreformat locale files
-    runs-on: ubuntu-latest
-    steps:
-        - uses: actions/checkout@v4
-        - name: Apply reformating scripts
-          id: action_reformat
-          run: |
-              python3 test/remove_stale_i18n_strings.py
-              python3 test/autofix_locale_format.py
-              python3 test/reformat_locales.py
-              git diff -w --exit-code
-        - name: Create Pull Request
-          if: ${{ failure() }}
-          uses: peter-evans/create-pull-request@v6
-          with:
-            token: ${{ secrets.GITHUB_TOKEN }}
-            title: "Reformat locale files"
-            commit-message: ":robot: Reformat locale files"
-            body: |
-              Automatic pull request using the scripts in `test/`
-            base: ${{ github.head_ref }}
-            branch: actions/i18nreformat

.github/workflows/tox.yml

@@ -1,49 +0,0 @@
-name: Tests
-
-on:
-  push:
-      branches:
-          - dev
-          - bullseye
-  pull_request:
-
-jobs:
-  test:
-    runs-on: ubuntu-latest
-    strategy:
-      matrix:
-        python-version: [3.9]
-    steps:
-    - uses: actions/checkout@v4
-    - name: Set up Python ${{ matrix.python-version }}
-      uses: actions/setup-python@v5
-      with:
-        python-version: ${{ matrix.python-version }}
-    - name: Install apt dependencies
-      run: sudo apt install ldap-utils slapd libsasl2-dev libldap2-dev libssl-dev
-    - name: Install tox
-      run: |
-        python -m pip install --upgrade pip
-        pip install tox tox-gh-actions
-    - name: Test with tox
-      run: tox -e py39-pytest
-
-  invalidcode:
-    runs-on: ubuntu-latest
-    strategy:
-      matrix:
-        python-version: [3.9]
-    steps:
-    - uses: actions/checkout@v4
-    - name: Set up Python ${{ matrix.python-version }}
-      uses: actions/setup-python@v5
-      with:
-        python-version: ${{ matrix.python-version }}
-    - name: Install tox
-      run: |
-        python -m pip install --upgrade pip
-        pip install tox tox-gh-actions
-    - name: Linter
-      run: tox -e py39-invalidcode
-    - name: Mypy
-      run: tox -e py39-mypy

.gitignore

@@ -1,8 +1,5 @@
 *.py[co]
 
-# Documentation
-doc/_build/
-
 # Packages
 *.egg
 *.egg-info
@@ -13,7 +10,6 @@ dist
 build
 eggs
 parts
-bin
 cache
 var
 sdist
@@ -34,11 +30,5 @@ pip-log.txt
 # Mr Developer
 .mr.developer.cfg
 
-# Moulinette
-doc/*.json
-moulinette/package.py
-# track only test namespace
-lib/**
-!lib/test
-data/actionsmap/**
-!data/actionsmap/test.yml
+# moulinette lib
+src/yunohost/locales

.travis.yml

@@ -0,0 +1,5 @@
+language: python
+install: "pip install pytest pyyaml"
+python:
+    - "2.7"
+script: "py.test tests"

CONTRIBUTORS.md

@@ -1,70 +1,101 @@
-Moulinette contributors
-=======================
+YunoHost core contributors
+==========================
 
 YunoHost is built and maintained by the YunoHost project community.
 Everyone is encouraged to submit issues and changes, and to contribute in other ways -- see https://yunohost.org/contribute to find out how.
 
 --
 
-Initial Moulinette was built by Kload & jerome, for YunoHost v2.
+Initial YunoHost core was built by Kload & beudbeud, for YunoHost v2.
 
-Most of actual Moulinette code was written by jerome, with help of numerous contributors.
+Most of code was written by Kload and jerome, with help of numerous contributors.
 
 Translation is made by a bunch of lovely people all over the world.
 
 We would like to thank anyone who ever helped the YunoHost project <3
 
 
-Moulinette Contributors
------------------------
+YunoHost core Contributors
+--------------------------
 
-- Kload
 - Jérôme Lebleu
-- Adrien 'beudbeud' Beudin
-- titoko
+- Kload
 - Laurent 'Bram' Peuch
 - Julien 'ju' Malik
-- npze
-- lmangani
+- opi
+- Aleks
+- Adrien 'beudbeud' Beudin
+- M5oul
 - Valentin 'zamentur' / 'ljf' Grimaud
-- dblugeon
+- Jocelyn Delalande
+- infertux
+- Taziden
+- ZeHiro
+- Josue-T
+- nahoj
+- a1ex
+- JimboJoe
+- vetetix
+- jellium
+- Sebastien 'sebian' Badia
+- lmangani
+- Julien Vaubourg
+- thardev
+- zimo2001
 
 
-Moulinette Translators
-----------------------
+YunoHost core Translators
+-------------------------
 
 If you want to help translation, please visit https://translate.yunohost.org/projects/yunohost/yunohost/
 
 
 ### Dutch
 
+- DUBWiSE
+- Jeroen Keerl
 - marut
 
 ### English
 
-- Anmol
+- Bugsbane
+- rokaz
 
 ### French
 
-- Bobo
-- Laurent Peuch
+- aoz roon
+- Genma
 - Jean-Baptiste Holcroft
+- Jean P.
 - Jérôme Lebleu
+- Lapineige
+- paddy
+
 
 ### German
 
-- David Bartke
+- david.bartke
+- Fabian Gruber
 - Felix Bartels
-- Marvin Gärtner
+- Jeroen Keerl
+- martin kistner
+- Philip Gatzka
 
 ### Hindi
 
 - Anmol
 
+### Italian
+
+- bricabrac
+- Thomas Bille
+
 ### Portuguese
 
-- frju
+- Deleted User
+- Trollken
 
 ### Spanish
 
 - Juanu
+

LICENSE

@@ -7,15 +7,15 @@
 
                             Preamble
 
-  The GNU Affero General Public License is a free, copyleft license
-for software and other kinds of works, specifically designed to ensure
+  The GNU Affero General Public License is a free, copyleft license for
+software and other kinds of works, specifically designed to ensure
 cooperation with the community in the case of network server software.
 
-  The licenses for most software and other practical works are
-designed to take away your freedom to share and change the works.  By
-contrast, our General Public Licenses are intended to guarantee your
-freedom to share and change all versions of a program--to make sure it
-remains free software for all its users.
+  The licenses for most software and other practical works are designed
+to take away your freedom to share and change the works.  By contrast,
+our General Public Licenses are intended to guarantee your freedom to
+share and change all versions of a program--to make sure it remains free
+software for all its users.
 
   When we speak of free software, we are referring to freedom, not
 price.  Our General Public Licenses are designed to make sure that you
@@ -60,12 +60,11 @@ modification follow.
 
   0. Definitions.
 
-  "This License" refers to version 3 of the GNU Affero General Public
-License.
+  "This License" refers to version 3 of the GNU Affero General Public License.
+
+  "Copyright" also means copyright-like laws that apply to other kinds of
+works, such as semiconductor masks.
 
-  "Copyright" also means copyright-like laws that apply to other kinds
-of works, such as semiconductor masks.
- 
   "The Program" refers to any copyrightable work licensed under this
 License.  Each licensee is addressed as "you".  "Licensees" and
 "recipients" may be individuals or organizations.
@@ -377,12 +376,12 @@ that material) supplement the terms of this License with terms:
   All other non-permissive additional terms are considered "further
 restrictions" within the meaning of section 10.  If the Program as you
 received it, or any part of it, contains a notice stating that it is
-governed by this License along with a term that is a further restriction,
-you may remove that term.  If a license document contains a further
-restriction but permits relicensing or conveying under this License, you
-may add to a covered work material governed by the terms of that license
-document, provided that the further restriction does not survive such
-relicensing or conveying.
+governed by this License along with a term that is a further
+restriction, you may remove that term.  If a license document contains
+a further restriction but permits relicensing or conveying under this
+License, you may add to a covered work material governed by the terms
+of that license document, provided that the further restriction does
+not survive such relicensing or conveying.
 
   If you add terms to a covered work in accord with this section, you
 must place, in the relevant source files, a statement of the
@@ -551,34 +550,34 @@ shall include the Corresponding Source for any work covered by version 3
 of the GNU General Public License that is incorporated pursuant to the
 following paragraph.
 
-  Notwithstanding any other provision of this License, you have permission
-to link or combine any covered work with a work licensed under version 3
-of the GNU General Public License into a single combined work, and to
-convey the resulting work.  The terms of this License will continue to
-apply to the part which is the covered work, but the work with which it is
-combined will remain governed by version 3 of the GNU General Public
-License.
+  Notwithstanding any other provision of this License, you have
+permission to link or combine any covered work with a work licensed
+under version 3 of the GNU General Public License into a single
+combined work, and to convey the resulting work.  The terms of this
+License will continue to apply to the part which is the covered work,
+but the work with which it is combined will remain governed by version
+3 of the GNU General Public License.
 
   14. Revised Versions of this License.
 
   The Free Software Foundation may publish revised and/or new versions of
-the GNU Affero General Public License from time to time.  Such new
-versions will be similar in spirit to the present version, but may differ
-in detail to address new problems or concerns.
+the GNU Affero General Public License from time to time.  Such new versions
+will be similar in spirit to the present version, but may differ in detail to
+address new problems or concerns.
 
   Each version is given a distinguishing version number.  If the
-Program specifies that a certain numbered version of the GNU Affero
-General Public License "or any later version" applies to it, you have
-the option of following the terms and conditions either of that
-numbered version or of any later version published by the Free
-Software Foundation.  If the Program does not specify a version number
-of the GNU Affero General Public License, you may choose any version
-ever published by the Free Software Foundation.
+Program specifies that a certain numbered version of the GNU Affero General
+Public License "or any later version" applies to it, you have the
+option of following the terms and conditions either of that numbered
+version or of any later version published by the Free Software
+Foundation.  If the Program does not specify a version number of the
+GNU Affero General Public License, you may choose any version ever published
+by the Free Software Foundation.
 
   If the Program specifies that a proxy can decide which future
-versions of the GNU Affero General Public License can be used, that
-proxy's public statement of acceptance of a version permanently
-authorizes you to choose that version for the Program.
+versions of the GNU Affero General Public License can be used, that proxy's
+public statement of acceptance of a version permanently authorizes you
+to choose that version for the Program.
 
   Later license versions may give you additional or different
 permissions.  However, no additional obligations are imposed on any
@@ -617,9 +616,9 @@ an absolute waiver of all civil liability in connection with the
 Program, unless a warranty or assumption of liability accompanies a
 copy of the Program in return for a fee.
 
-                       END OF TERMS AND CONDITIONS
+                     END OF TERMS AND CONDITIONS
 
-              How to Apply These Terms to Your New Programs
+            How to Apply These Terms to Your New Programs
 
   If you develop a new program, and you want it to be of the greatest
 possible use to the public, the best way to achieve this is to make it
@@ -634,9 +633,9 @@ the "copyright" line and a pointer to where the full notice is found.
     Copyright (C) <year>  <name of author>
 
     This program is free software: you can redistribute it and/or modify
-    it under the terms of the GNU Affero General Public License as
-    published by the Free Software Foundation, either version 3 of the
-    License, or (at your option) any later version.
+    it under the terms of the GNU Affero General Public License as published
+    by the Free Software Foundation, either version 3 of the License, or
+    (at your option) any later version.
 
     This program is distributed in the hope that it will be useful,
     but WITHOUT ANY WARRANTY; without even the implied warranty of

README.md

@@ -1,46 +1,42 @@
-<h1 align="center">Moulinette</h1>
+# YunoHost core
 
-<div align="center">
- 
-![Version](https://img.shields.io/github/v/tag/yunohost/moulinette?label=version&sort=semver)
-[![Tests status](https://github.com/YunoHost/moulinette/actions/workflows/tox.yml/badge.svg)](https://github.com/YunoHost/moulinette/actions/workflows/tox.yml)
-[![Language grade: Python](https://img.shields.io/lgtm/grade/python/g/YunoHost/moulinette.svg?logo=lgtm&logoWidth=18)](https://lgtm.com/projects/g/YunoHost/moulinette/context:python)
-[![GitHub license](https://img.shields.io/github/license/YunoHost/moulinette)](https://github.com/YunoHost/moulinette/blob/dev/LICENSE)
+- [YunoHost project website](https://yunohost.org)
 
- 
-Moulinette is a small Python framework meant to easily create programs with unified CLI and API.
+This repository is the core of YunoHost code.
 
-In particular, it is used as a base framework for the YunoHost project.
- 
-</div>
-
-Issues
-------
+<a href="https://translate.yunohost.org/engage/yunohost/?utm_source=widget">
+<img src="https://translate.yunohost.org/widgets/yunohost/-/287x66-white.png" alt="Translation status" />
+</a>
 
+## Issues
 - [Please report issues on YunoHost bugtracker](https://github.com/YunoHost/issues).
 
-Overview
---------
+## Contribute
+- You can develop on this repository using [ynh-dev tool](https://github.com/YunoHost/ynh-dev) with `use-git`  sub-command.
+- On this repository we are [following this workflow](https://yunohost.org/#/build_system_en): `stable <— testing <— branch`.
+- Note: if you modify python scripts, you will have to modifiy the actions map.
 
-Moulinette allows to create a YAML "actionmaps" that describes what commands are available. Moulinette will automatically make these commands available through the CLI and Web API, and will be mapped to a python function. Moulinette also provide some general helpers, for example for logging, i18n, authentication, or common file system operations.
+## Repository content
+- [YunoHost core Python 2.7 scripts](https://github.com/YunoHost/yunohost/tree/stable/src/yunohost).
+- [An actionsmap](https://github.com/YunoHost/yunohost/blob/stable/data/actionsmap/yunohost.yml) used by moulinette.
+- [Services configuration templates](https://github.com/YunoHost/yunohost/tree/stable/data/templates).
+- [Hooks](https://github.com/YunoHost/yunohost/tree/stable/data/hooks).
+- [Locales](https://github.com/YunoHost/yunohost/tree/stable/locales) for translations of `yunohost` command.
+- [Shell helpers](https://github.com/YunoHost/yunohost/tree/stable/data/helpers.d) for [application packaging](https://yunohost.org/#/packaging_apps_helpers_en).
+- [Modules for the XMPP server Metronome](https://github.com/YunoHost/yunohost/tree/stable/lib/metronome/modules).
+- [Debian files](https://github.com/YunoHost/yunohost/tree/stable/debian) for package creation.
 
-<div align="center"><img src="doc/actionsmap.png" width="700" /></div>
+## How does it works?
+- Python core scripts are accessible through two interfaces thanks to the [moulinette framework](https://github.com/YunoHost/moulinette):
+ - [CLI](https://en.wikipedia.org/wiki/Command-line_interface) for `yunohost` command.
+ - [API](https://en.wikipedia.org/wiki/Application_programming_interface) for [web administration module](https://github.com/YunoHost/yunohost-admin) (other modules could be implemented).
+- You can find more details about how YunoHost works on this [documentation (in french)](https://yunohost.org/#/package_list_fr).
 
-Translation
------------
+## Dependencies
+- [Python 2.7](https://www.python.org/download/releases/2.7)
+- [Moulinette](https://github.com/YunoHost/moulinette)
+- [Bash](https://www.gnu.org/software/bash/bash.html)
+- [Debian Jessie](https://www.debian.org/releases/jessie)
 
-You can help translate Moulinette on our [translation platform](https://translate.yunohost.org/engage/yunohost/?utm_source=widget)
-
-<div align="center"><img src="https://translate.yunohost.org/widgets/yunohost/-/moulinette/horizontal-auto.svg" alt="Translation status" /></div>
-
-Developpers
------------
-
-- You can learn how to get started with developing on YunoHost by reading [this piece of documentation](https://yunohost.org/dev).
-- Specific doc for moulinette: https://moulinette.readthedocs.org
-- Run tests with:
-
-```
-$ pip install tox
-$ tox
-```
+## License
+As [other components of YunoHost core code](https://yunohost.org/#/faq_en), this repository is under GNU AGPL v.3 license.

bin/yunohost

@@ -0,0 +1,215 @@
+#! /usr/bin/python
+# -*- coding: utf-8 -*-
+
+import os
+import sys
+import argparse
+
+# Either we are in a development environment or not
+IN_DEVEL = False
+
+# Level for which loggers will log
+LOGGERS_LEVEL = 'DEBUG'
+TTY_LOG_LEVEL = 'INFO'
+
+# Handlers that will be used by loggers
+#  - file: log to the file LOG_DIR/LOG_FILE
+#  - tty: log to current tty
+LOGGERS_HANDLERS = ['file', 'tty']
+
+# Directory and file to be used by logging
+LOG_DIR = '/var/log/yunohost'
+LOG_FILE = 'yunohost-cli.log'
+
+# Check and load - as needed - development environment
+if not __file__.startswith('/usr/'):
+    IN_DEVEL = True
+if IN_DEVEL:
+    basedir = os.path.abspath('%s/../' % os.path.dirname(__file__))
+    if os.path.isdir(os.path.join(basedir, 'moulinette')):
+        sys.path.insert(0, basedir)
+    LOG_DIR = os.path.join(basedir, 'log')
+
+
+import moulinette
+from moulinette.actionsmap import ActionsMap
+from moulinette.interfaces.cli import colorize, get_locale
+
+
+# Initialization & helpers functions -----------------------------------
+
+def _die(message, title='Error:'):
+    """Print error message and exit"""
+    print('%s %s' % (colorize(title, 'red'), message))
+    sys.exit(1)
+
+def _parse_cli_args():
+    """Parse additional arguments for the cli"""
+    parser = argparse.ArgumentParser(add_help=False)
+    parser.add_argument('--no-cache',
+        action='store_false', default=True, dest='use_cache',
+        help="Don't use actions map cache",
+    )
+    parser.add_argument('--output-as',
+        choices=['json', 'plain', 'none'], default=None,
+        help="Output result in another format",
+    )
+    parser.add_argument('--debug',
+        action='store_true', default=False,
+        help="Log and print debug messages",
+    )
+    parser.add_argument('--quiet',
+        action='store_true', default=False,
+        help="Don't produce any output",
+    )
+    parser.add_argument('--timeout',
+        type=int, default=None,
+        help="Number of seconds before this command will timeout because it can't acquire the lock (meaning that another command is currently running), by default there is no timeout and the command will wait until it can get the lock",
+    )
+    parser.add_argument('--admin-password',
+        default=None, dest='password', metavar='PASSWORD',
+        help="The admin password to use to authenticate",
+    )
+    # deprecated arguments
+    parser.add_argument('--plain',
+        action='store_true', default=False, help=argparse.SUPPRESS
+    )
+    parser.add_argument('--json',
+        action='store_true', default=False, help=argparse.SUPPRESS
+    )
+
+    opts, args = parser.parse_known_args()
+
+    # output compatibility
+    if opts.plain:
+        opts.output_as = 'plain'
+    elif opts.json:
+        opts.output_as = 'json'
+
+    return (parser, opts, args)
+
+def _init_moulinette(debug=False, quiet=False):
+    """Configure logging and initialize the moulinette"""
+    # Define loggers handlers
+    handlers = set(LOGGERS_HANDLERS)
+    if quiet and 'tty' in handlers:
+        handlers.remove('tty')
+    elif 'tty' not in handlers:
+        handlers.append('tty')
+
+    root_handlers = set(handlers)
+    if not debug and 'tty' in root_handlers:
+        root_handlers.remove('tty')
+
+    # Define loggers level
+    level = LOGGERS_LEVEL
+    tty_level = TTY_LOG_LEVEL
+    if debug:
+        tty_level = 'DEBUG'
+
+    # Custom logging configuration
+    logging = {
+        'version': 1,
+        'disable_existing_loggers': True,
+        'formatters': {
+            'tty-debug': {
+                'format': '%(relativeCreated)-4d %(fmessage)s'
+            },
+            'precise': {
+                'format': '%(asctime)-15s %(levelname)-8s %(name)s %(funcName)s - %(fmessage)s'
+            },
+        },
+        'filters': {
+            'action': {
+                '()': 'moulinette.utils.log.ActionFilter',
+            },
+        },
+        'handlers': {
+            'tty': {
+                'level': tty_level,
+                'class': 'moulinette.interfaces.cli.TTYHandler',
+                'formatter': 'tty-debug' if debug else '',
+            },
+            'file': {
+                'class': 'logging.FileHandler',
+                'formatter': 'precise',
+                'filename': '%s/%s' % (LOG_DIR, LOG_FILE),
+                'filters': ['action'],
+            },
+        },
+        'loggers': {
+            'yunohost': {
+                'level': level,
+                'handlers': handlers,
+                'propagate': False,
+            },
+            'moulinette': {
+                'level': level,
+                'handlers': [],
+                'propagate': True,
+            },
+            'moulinette.interface': {
+                'level': level,
+                'handlers': handlers,
+                'propagate': False,
+            },
+        },
+        'root': {
+            'level': level,
+            'handlers': root_handlers,
+        },
+    }
+
+    # Create log directory
+    if not os.path.isdir(LOG_DIR):
+        try:
+            os.makedirs(LOG_DIR, 0750)
+        except os.error as e:
+            _die(str(e))
+
+    # Initialize moulinette
+    moulinette.init(logging_config=logging, _from_source=IN_DEVEL)
+
+def _retrieve_namespaces():
+    """Return the list of namespaces to load"""
+    ret = ['yunohost']
+    for n in ActionsMap.get_namespaces():
+        # Append YunoHost modules
+        if n.startswith('ynh_'):
+            ret.append(n)
+    return ret
+
+
+# Main action ----------------------------------------------------------
+
+if __name__ == '__main__':
+    if os.geteuid() != 0:
+        # since moulinette isn't initialized, we can't use m18n here
+        sys.stderr.write("\033[1;31mError:\033[0m yunohost command must be " \
+                         "run as root or with sudo.\n")
+        sys.exit(1)
+
+    parser, opts, args = _parse_cli_args()
+    _init_moulinette(opts.debug, opts.quiet)
+
+    # Check that YunoHost is installed
+    if not os.path.isfile('/etc/yunohost/installed') and \
+       (len(args) < 2 or (args[0] +' '+ args[1] != 'tools postinstall' and \
+                          args[0] +' '+ args[1] != 'backup restore')):
+
+        from moulinette import m18n
+        # Init i18n
+        m18n.load_namespace('yunohost')
+        m18n.set_locale(get_locale())
+
+        # Print error and exit
+        _die(m18n.n('yunohost_not_installed'), m18n.g('error'))
+
+    # Execute the action
+    ret = moulinette.cli(
+        _retrieve_namespaces(), args,
+        use_cache=opts.use_cache, output_as=opts.output_as,
+        password=opts.password, parser_kwargs={'top_parser': parser},
+        timeout=opts.timeout,
+    )
+    sys.exit(ret)

bin/yunohost-api

@@ -0,0 +1,203 @@
+#! /usr/bin/python
+# -*- coding: utf-8 -*-
+
+import os
+import sys
+import argparse
+
+# Either we are in a development environment or not
+IN_DEVEL = False
+
+# Default server configuration
+DEFAULT_HOST = 'localhost'
+DEFAULT_PORT = 6787
+
+# Level for which loggers will log
+LOGGERS_LEVEL = 'INFO'
+
+# Handlers that will be used by loggers
+#  - file: log to the file LOG_DIR/LOG_FILE
+#  - api: serve logs through the api
+#  - console: log to stderr
+LOGGERS_HANDLERS = ['file', 'api']
+
+# Directory and file to be used by logging
+LOG_DIR = '/var/log/yunohost'
+LOG_FILE = 'yunohost-api.log'
+
+# Check and load - as needed - development environment
+if not __file__.startswith('/usr/'):
+    IN_DEVEL = True
+if IN_DEVEL:
+    basedir = os.path.abspath('%s/../' % os.path.dirname(__file__))
+    if os.path.isdir(os.path.join(basedir, 'moulinette')):
+        sys.path.insert(0, basedir)
+    LOG_DIR = os.path.join(basedir, 'log')
+
+
+import moulinette
+from moulinette.actionsmap import ActionsMap
+from moulinette.interfaces.cli import colorize
+
+
+# Initialization & helpers functions -----------------------------------
+
+def _die(message, title='Error:'):
+    """Print error message and exit"""
+    print('%s %s' % (colorize(title, 'red'), message))
+    sys.exit(1)
+
+def _parse_api_args():
+    """Parse main arguments for the api"""
+    parser = argparse.ArgumentParser(add_help=False,
+        description="Run the YunoHost API to manage your server.",
+    )
+    srv_group = parser.add_argument_group('server configuration')
+    srv_group.add_argument('-h', '--host',
+        action='store', default=DEFAULT_HOST,
+        help="Host to listen on (default: %s)" % DEFAULT_HOST,
+    )
+    srv_group.add_argument('-p', '--port',
+        action='store', default=DEFAULT_PORT, type=int,
+        help="Port to listen on (default: %d)" % DEFAULT_PORT,
+    )
+    srv_group.add_argument('--no-websocket',
+        action='store_true', default=True, dest='use_websocket',
+        help="Serve without WebSocket support, used to handle "
+        "asynchronous responses such as the messages",
+    )
+    glob_group = parser.add_argument_group('global arguments')
+    glob_group.add_argument('--no-cache',
+        action='store_false', default=True, dest='use_cache',
+        help="Don't use actions map cache",
+    )
+    glob_group.add_argument('--debug',
+        action='store_true', default=False,
+        help="Set log level to DEBUG",
+    )
+    glob_group.add_argument('--verbose',
+        action='store_true', default=False,
+        help="Be verbose in the output",
+    )
+    glob_group.add_argument('--help',
+        action='help', help="Show this help message and exit",
+    )
+
+    return parser.parse_args()
+
+def _init_moulinette(use_websocket=True, debug=False, verbose=False):
+    """Configure logging and initialize the moulinette"""
+    # Define loggers handlers
+    handlers = set(LOGGERS_HANDLERS)
+    if not use_websocket and 'api' in handlers:
+        handlers.remove('api')
+    if verbose and 'console' not in handlers:
+        handlers.add('console')
+    root_handlers = handlers - set(['api'])
+
+    # Define loggers level
+    level = LOGGERS_LEVEL
+    if debug:
+        level = 'DEBUG'
+
+    # Custom logging configuration
+    logging = {
+        'version': 1,
+        'disable_existing_loggers': True,
+        'formatters': {
+            'console': {
+                'format': '%(relativeCreated)-5d %(levelname)-8s %(name)s %(funcName)s - %(fmessage)s'
+            },
+            'precise': {
+                'format': '%(asctime)-15s %(levelname)-8s %(name)s %(funcName)s - %(fmessage)s'
+            },
+        },
+        'filters': {
+            'action': {
+                '()': 'moulinette.utils.log.ActionFilter',
+            },
+        },
+        'handlers': {
+            'api': {
+                'class': 'moulinette.interfaces.api.APIQueueHandler',
+            },
+            'file': {
+                'class': 'logging.handlers.WatchedFileHandler',
+                'formatter': 'precise',
+                'filename': '%s/%s' % (LOG_DIR, LOG_FILE),
+                'filters': ['action'],
+            },
+            'console': {
+                'class': 'logging.StreamHandler',
+                'formatter': 'console',
+                'stream': 'ext://sys.stdout',
+                'filters': ['action'],
+            },
+        },
+        'loggers': {
+            'yunohost': {
+                'level': level,
+                'handlers': handlers,
+                'propagate': False,
+            },
+            'moulinette': {
+                'level': level,
+                'handlers': [],
+                'propagate': True,
+            },
+        },
+        'root': {
+            'level': level,
+            'handlers': root_handlers,
+        },
+    }
+
+    # Create log directory
+    if not os.path.isdir(LOG_DIR):
+        try:
+            os.makedirs(LOG_DIR, 0750)
+        except os.error as e:
+            _die(str(e))
+
+    # Initialize moulinette
+    moulinette.init(logging_config=logging, _from_source=IN_DEVEL)
+
+def _retrieve_namespaces():
+    """Return the list of namespaces to load"""
+    ret = ['yunohost']
+    for n in ActionsMap.get_namespaces():
+        # Append YunoHost modules
+        if n.startswith('ynh_'):
+            ret.append(n)
+    return ret
+
+
+# Callbacks for additional routes --------------------------------------
+
+def is_installed():
+    """
+    Check whether YunoHost is installed or not
+
+    """
+    installed = False
+    if os.path.isfile('/etc/yunohost/installed'):
+        installed = True
+    return { 'installed': installed }
+
+
+# Main action ----------------------------------------------------------
+
+if __name__ == '__main__':
+    opts = _parse_api_args()
+    _init_moulinette(opts.use_websocket, opts.debug, opts.verbose)
+
+    # Run the server
+    from yunohost.utils.packages import ynh_packages_version
+    ret = moulinette.api(
+        _retrieve_namespaces(),
+        host=opts.host, port=opts.port, routes={
+            ('GET', '/installed'): is_installed,
+            ('GET', '/version'): ynh_packages_version,
+        }, use_cache=opts.use_cache, use_websocket=opts.use_websocket
+    )
+    sys.exit(ret)

bin/yunopaste

@@ -0,0 +1,77 @@
+#!/bin/bash
+
+set -e
+set -u
+
+PASTE_URL="https://paste.yunohost.org"
+
+_die() {
+  printf "Error: %s\n" "$*"
+  exit 1
+}
+
+check_dependencies() {
+  curl -V > /dev/null 2>&1 || _die "This script requires curl."
+}
+
+paste_data() {
+  json=$(curl -X POST -s -d "$1" "${PASTE_URL}/documents")
+  [[ -z "$json" ]] && _die "Unable to post the data to the server."
+
+  key=$(echo "$json" \
+    | python -c 'import json,sys;o=json.load(sys.stdin);print o["key"]' \
+        2>/dev/null)
+  [[ -z "$key" ]] && _die "Unable to parse the server response."
+
+  echo "${PASTE_URL}/${key}"
+}
+
+usage() {
+  printf "Usage: ${0} [OPTION]...
+
+Read from input stream and paste the data to the YunoHost
+Haste server.
+
+For example, to paste the output of the YunoHost diagnosis, you
+can simply execute the following:
+  yunohost tools diagnosis | ${0}
+
+It will return the URL where you can access the pasted data.
+
+Options:
+  -h, --help   show this help message and exit
+"
+}
+
+main() {
+  # parse options
+  while (( ${#} )); do
+    case "${1}" in
+      --help|-h)
+        usage
+        exit 0
+        ;;
+      *)
+        echo "Unknown parameter detected: ${1}" >&2
+        echo >&2
+        usage >&2
+        exit 1
+        ;;
+    esac
+
+    shift 1
+  done
+
+  # check input stream
+  read -t 0 || {
+    echo -e "Invalid usage: No input is provided.\n" >&2
+    usage
+    exit 1
+  }
+
+  paste_data "$(cat)"
+}
+
+check_dependencies
+
+main "${@}"

bin/yunoprompt

@@ -0,0 +1,74 @@
+#!/bin/bash
+
+# Fetch ips
+ip=$(hostname --all-ip-address)
+
+# Fetch SSH fingerprints
+i=0
+for key in /etc/ssh/ssh_host_*_key.pub ; do 
+    output=$(ssh-keygen -l -f $key)
+    fingerprint[$i]=" - $(echo $output | cut -d' ' -f2) $(echo $output| cut -d' ' -f4)"
+    i=$(($i + 1))
+done
+
+#
+# Build the logo
+#
+
+LOGO=$(cat << 'EOF'
+  __   __  __   __  __    _  _______  __   __  _______  _______  _______
+ |  | |  ||  | |  ||  |  | ||       ||  | |  ||       ||       ||       |
+ |  |_|  ||  | |  ||   |_| ||   _   ||  |_|  ||   _   ||  _____||_     _|
+ |       ||  |_|  ||       ||  | |  ||       ||  | |  || |_____   |   |
+ |_     _||       ||  _    ||  |_|  ||   _   ||  |_|  ||_____  |  |   |
+   |   |  |       || | |   ||       ||  | |  ||       | _____| |  |   |
+   |___|  |_______||_|  |__||_______||__| |__||_______||_______|  |___|
+EOF
+)
+
+# ' Put a quote in comment to make vim happy about syntax highlighting :s
+
+#
+# Build the actual message
+#
+
+LOGO_AND_FINGERPRINTS=$(cat << EOF
+
+$LOGO
+
+ IP: ${ip}
+ SSH fingerprints:
+ ${fingerprint[0]}
+ ${fingerprint[1]}
+ ${fingerprint[2]}
+ ${fingerprint[3]}
+ ${fingerprint[4]}
+
+EOF
+)
+
+if [[ -f /etc/yunohost/installed ]]
+then
+    echo "$LOGO_AND_FINGERPRINTS" > /etc/issue
+else
+    sleep 5
+    chvt 2
+    echo "$LOGO_AND_FINGERPRINTS"
+    echo -e "\e[m Post-installation \e[0m"
+    echo "Congratulations! YunoHost has been successfully installed.\nTwo more steps are required to activate the services of your server."
+    read -p "Proceed to post-installation? (y/n) " -n 1
+    RESULT=1
+    while [ $RESULT -gt 0 ]; do
+        if [[ $REPLY =~ ^[Nn]$ ]]; then
+            chvt 1
+            exit 0
+        fi
+        echo -e "\n"
+        /usr/bin/yunohost tools postinstall
+        let RESULT=$?
+        if [ $RESULT -gt 0 ]; then
+            echo -e "\n"
+            read -p "Retry? (y/n) " -n 1
+        fi
+    done
+fi

data/bash-completion.d/yunohost

@@ -0,0 +1,12 @@
+#
+# Bash completion for yunohost
+#
+
+_python_argcomplete() {
+    local IFS=''
+    COMPREPLY=( $(IFS="$IFS"                   COMP_LINE="$COMP_LINE"                   COMP_POINT="$COMP_POINT"                   _ARGCOMPLETE_COMP_WORDBREAKS="$COMP_WORDBREAKS"                   _ARGCOMPLETE=1                   "$1" 8>&1 9>&2 1>/dev/null 2>/dev/null) )
+    if [[ $? != 0 ]]; then
+        unset COMPREPLY
+    fi
+}
+complete -o nospace -o default -F _python_argcomplete "yunohost"

data/helpers

@@ -0,0 +1,7 @@
+# -*- shell-script -*-
+
+# TODO : use --regex to validate against a namespace
+for helper in $(run-parts --list /usr/share/yunohost/helpers.d 2>/dev/null) ; do
+    [ -r $helper ] && . $helper || true
+done
+

data/helpers.d/backend

@@ -0,0 +1,239 @@
+# Use logrotate to manage the logfile
+#
+# usage: ynh_use_logrotate [logfile] [--non-append]
+# | arg: logfile - absolute path of logfile
+# | arg: --non-append - (Option) Replace the config file instead of appending this new config.
+#
+# If no argument provided, a standard directory will be use. /var/log/${app}
+# You can provide a path with the directory only or with the logfile.
+# /parentdir/logdir
+# /parentdir/logdir/logfile.log
+#
+# It's possible to use this helper several times, each config will be added to the same logrotate config file.
+# Unless you use the option --non-append
+ynh_use_logrotate () {
+	local customtee="tee -a"
+	if [ $# -gt 0 ] && [ "$1" == "--non-append" ]; then
+		customtee="tee"
+		# Destroy this argument for the next command.
+		shift
+	elif [ $# -gt 1 ] && [ "$2" == "--non-append" ]; then
+		customtee="tee"
+	fi
+	if [ $# -gt 0 ]; then
+		if [ "$(echo ${1##*.})" == "log" ]; then	# Keep only the extension to check if it's a logfile
+			local logfile=$1	# In this case, focus logrotate on the logfile
+		else
+			local logfile=$1/*.log	# Else, uses the directory and all logfile into it.
+		fi
+	else
+		local logfile="/var/log/${app}/*.log" # Without argument, use a defaut directory in /var/log
+	fi
+	cat > ./${app}-logrotate << EOF	# Build a config file for logrotate
+$logfile {
+		# Rotate if the logfile exceeds 100Mo
+	size 100M
+		# Keep 12 old log maximum
+	rotate 12
+		# Compress the logs with gzip
+	compress
+		# Compress the log at the next cycle. So keep always 2 non compressed logs
+	delaycompress
+		# Copy and truncate the log to allow to continue write on it. Instead of move the log.
+	copytruncate
+		# Do not do an error if the log is missing
+	missingok
+		# Not rotate if the log is empty
+	notifempty
+		# Keep old logs in the same dir
+	noolddir
+}
+EOF
+	sudo mkdir -p $(dirname "$logfile")	# Create the log directory, if not exist
+	cat ${app}-logrotate | sudo $customtee /etc/logrotate.d/$app > /dev/null	# Append this config to the existing config file, or replace the whole config file (depending on $customtee)
+}
+
+# Remove the app's logrotate config.
+#
+# usage: ynh_remove_logrotate
+ynh_remove_logrotate () {
+	if [ -e "/etc/logrotate.d/$app" ]; then
+		sudo rm "/etc/logrotate.d/$app"
+	fi
+}
+
+# Create a dedicated systemd config
+#
+# usage: ynh_add_systemd_config [service] [template]
+# | arg: service - Service name (optionnal, $app by default)
+# | arg: template - Name of template file (optionnal, this is 'systemd' by default, meaning ./conf/systemd.service will be used as template)
+#
+# This will use the template ../conf/<templatename>.service
+# to generate a systemd config, by replacing the following keywords
+# with global variables that should be defined before calling
+# this helper :
+#
+#   __APP__       by  $app
+#   __FINALPATH__ by  $final_path
+#
+ynh_add_systemd_config () {
+	local service_name="${1:-$app}"
+
+	finalsystemdconf="/etc/systemd/system/$service_name.service"
+	ynh_backup_if_checksum_is_different "$finalsystemdconf"
+	sudo cp ../conf/${2:-systemd.service} "$finalsystemdconf"
+
+	# To avoid a break by set -u, use a void substitution ${var:-}. If the variable is not set, it's simply set with an empty variable.
+	# Substitute in a nginx config file only if the variable is not empty
+	if test -n "${final_path:-}"; then
+		ynh_replace_string "__FINALPATH__" "$final_path" "$finalsystemdconf"
+	fi
+	if test -n "${app:-}"; then
+		ynh_replace_string "__APP__" "$app" "$finalsystemdconf"
+	fi
+	ynh_store_file_checksum "$finalsystemdconf"
+
+	sudo chown root: "$finalsystemdconf"
+	sudo systemctl enable $service_name
+	sudo systemctl daemon-reload
+}
+
+# Remove the dedicated systemd config
+#
+# usage: ynh_remove_systemd_config [service]
+# | arg: service - Service name (optionnal, $app by default)
+#
+ynh_remove_systemd_config () {
+	local service_name="${1:-$app}"
+
+	local finalsystemdconf="/etc/systemd/system/$service_name.service"
+	if [ -e "$finalsystemdconf" ]; then
+		sudo systemctl stop $service_name
+		sudo systemctl disable $service_name
+		ynh_secure_remove "$finalsystemdconf"
+		sudo systemctl daemon-reload
+	fi
+}
+
+# Create a dedicated nginx config
+#
+# usage: ynh_add_nginx_config "list of others variables to replace"
+#
+# | arg: list of others variables to replace separeted by a space
+# |      for example : 'path_2 port_2 ...'
+#
+# This will use a template in ../conf/nginx.conf
+#   __PATH__      by  $path_url
+#   __DOMAIN__    by  $domain
+#   __PORT__      by  $port
+#   __NAME__      by  $app
+#   __FINALPATH__ by  $final_path
+#
+#  And dynamic variables (from the last example) :
+#   __PATH_2__    by $path_2
+#   __PORT_2__    by $port_2
+#
+ynh_add_nginx_config () {
+	finalnginxconf="/etc/nginx/conf.d/$domain.d/$app.conf"
+	local others_var=${1:-}
+	ynh_backup_if_checksum_is_different "$finalnginxconf"
+	sudo cp ../conf/nginx.conf "$finalnginxconf"
+
+	# To avoid a break by set -u, use a void substitution ${var:-}. If the variable is not set, it's simply set with an empty variable.
+	# Substitute in a nginx config file only if the variable is not empty
+	if test -n "${path_url:-}"; then
+		# path_url_slash_less is path_url, or a blank value if path_url is only '/'
+		local path_url_slash_less=${path_url%/}
+		ynh_replace_string "__PATH__/" "$path_url_slash_less/" "$finalnginxconf"
+		ynh_replace_string "__PATH__" "$path_url" "$finalnginxconf"
+	fi
+	if test -n "${domain:-}"; then
+		ynh_replace_string "__DOMAIN__" "$domain" "$finalnginxconf"
+	fi
+	if test -n "${port:-}"; then
+		ynh_replace_string "__PORT__" "$port" "$finalnginxconf"
+	fi
+	if test -n "${app:-}"; then
+		ynh_replace_string "__NAME__" "$app" "$finalnginxconf"
+	fi
+	if test -n "${final_path:-}"; then
+		ynh_replace_string "__FINALPATH__" "$final_path" "$finalnginxconf"
+	fi
+
+	# Replace all other variable given as arguments
+	for var_to_replace in $others_var
+	do
+		# ${var_to_replace^^} make the content of the variable on upper-cases
+		# ${!var_to_replace} get the content of the variable named $var_to_replace 
+		ynh_replace_string "__${var_to_replace^^}__" "${!var_to_replace}" "$finalnginxconf"
+	done
+	
+	if [ "${path_url:-}" != "/" ]
+	then
+		ynh_replace_string "^#sub_path_only" "" "$finalnginxconf"
+	else
+		ynh_replace_string "^#root_path_only" "" "$finalnginxconf"
+	fi
+
+	ynh_store_file_checksum "$finalnginxconf"
+
+	sudo systemctl reload nginx
+}
+
+# Remove the dedicated nginx config
+#
+# usage: ynh_remove_nginx_config
+ynh_remove_nginx_config () {
+	ynh_secure_remove "/etc/nginx/conf.d/$domain.d/$app.conf"
+	sudo systemctl reload nginx
+}
+
+# Create a dedicated php-fpm config
+#
+# usage: ynh_add_fpm_config
+ynh_add_fpm_config () {
+	# Configure PHP-FPM 7.0 by default
+	local fpm_config_dir="/etc/php/7.0/fpm"
+	local fpm_service="php7.0-fpm"
+	# Configure PHP-FPM 5 on Debian Jessie
+	if [ "$(ynh_get_debian_release)" == "jessie" ]; then
+		fpm_config_dir="/etc/php5/fpm"
+		fpm_service="php5-fpm"
+	fi
+	ynh_app_setting_set $app fpm_config_dir "$fpm_config_dir"
+	ynh_app_setting_set $app fpm_service "$fpm_service"
+	finalphpconf="$fpm_config_dir/pool.d/$app.conf"
+	ynh_backup_if_checksum_is_different "$finalphpconf"
+	sudo cp ../conf/php-fpm.conf "$finalphpconf"
+	ynh_replace_string "__NAMETOCHANGE__" "$app" "$finalphpconf"
+	ynh_replace_string "__FINALPATH__" "$final_path" "$finalphpconf"
+	ynh_replace_string "__USER__" "$app" "$finalphpconf"
+	sudo chown root: "$finalphpconf"
+	ynh_store_file_checksum "$finalphpconf"
+
+	if [ -e "../conf/php-fpm.ini" ]
+	then
+		finalphpini="$fpm_config_dir/conf.d/20-$app.ini"
+		ynh_backup_if_checksum_is_different "$finalphpini"
+		sudo cp ../conf/php-fpm.ini "$finalphpini"
+		sudo chown root: "$finalphpini"
+		ynh_store_file_checksum "$finalphpini"
+	fi
+	sudo systemctl reload $fpm_service
+}
+
+# Remove the dedicated php-fpm config
+#
+# usage: ynh_remove_fpm_config
+ynh_remove_fpm_config () {
+	local fpm_config_dir=$(ynh_app_setting_get $app fpm_config_dir)
+	local fpm_service=$(ynh_app_setting_get $app fpm_service)
+	# Assume php version 5 if not set
+	if [ -z "$fpm_config_dir" ]; then
+		fpm_config_dir="/etc/php5/fpm"
+		fpm_service="php5-fpm"
+	fi
+	ynh_secure_remove "$fpm_config_dir/pool.d/$app.conf"
+	ynh_secure_remove "$fpm_config_dir/conf.d/20-$app.ini" 2>&1
+	sudo systemctl reload $fpm_service
+}

data/helpers.d/filesystem

@@ -0,0 +1,328 @@
+CAN_BIND=${CAN_BIND:-1}
+
+# Add a file or a directory to the list of paths to backup
+# 
+# Note: this helper could be used in backup hook or in backup script inside an
+# app package
+#
+# Details: ynh_backup writes SRC and the relative DEST into a CSV file. And it
+# creates the parent destination directory 
+# 
+# If DEST is ended by a slash it complete this path with the basename of SRC.
+#
+# usage: ynh_backup src [dest [is_big [arg]]]
+# | arg: src - file or directory to bind or symlink or copy. it shouldn't be in
+# the backup dir. 
+# | arg: dest - destination file or directory inside the
+# backup dir
+# | arg: is_big - 1 to indicate data are big (mail, video, image ...)
+# | arg: arg - Deprecated arg
+#
+# example:
+# # Wordpress app context
+#
+# ynh_backup "/etc/nginx/conf.d/$domain.d/$app.conf"
+# # => This line will be added into CSV file
+# # "/etc/nginx/conf.d/$domain.d/$app.conf","apps/wordpress/etc/nginx/conf.d/$domain.d/$app.conf"
+#
+# ynh_backup "/etc/nginx/conf.d/$domain.d/$app.conf" "conf/nginx.conf"
+# # => "/etc/nginx/conf.d/$domain.d/$app.conf","apps/wordpress/conf/nginx.conf"
+#
+# ynh_backup "/etc/nginx/conf.d/$domain.d/$app.conf" "conf/"
+# # => "/etc/nginx/conf.d/$domain.d/$app.conf","apps/wordpress/conf/$app.conf"
+# 
+# ynh_backup "/etc/nginx/conf.d/$domain.d/$app.conf" "conf"
+# # => "/etc/nginx/conf.d/$domain.d/$app.conf","apps/wordpress/conf"
+#
+# #Deprecated usages (maintained for retro-compatibility)
+# ynh_backup "/etc/nginx/conf.d/$domain.d/$app.conf" "${backup_dir}/conf/nginx.conf"
+# # => "/etc/nginx/conf.d/$domain.d/$app.conf","apps/wordpress/conf/nginx.conf"
+#
+# ynh_backup "/etc/nginx/conf.d/$domain.d/$app.conf" "/conf/"
+# # => "/etc/nginx/conf.d/$domain.d/$app.conf","apps/wordpress/conf/$app.conf"
+#
+ynh_backup() {
+    # TODO find a way to avoid injection by file strange naming !
+    local SRC_PATH="$1"
+    local DEST_PATH="${2:-}"
+    local IS_BIG="${3:-0}"
+    BACKUP_CORE_ONLY=${BACKUP_CORE_ONLY:-0}
+
+    # If backing up core only (used by ynh_backup_before_upgrade),
+    # don't backup big data items
+    if [ "$IS_BIG" == "1" ] && [ "$BACKUP_CORE_ONLY" == "1" ] ; then
+      echo "$SRC_PATH will not be saved, because backup_core_only is set." >&2
+      return 0
+    fi
+    
+    # ==============================================================================
+    # Format correctly source and destination paths
+    # ==============================================================================
+    # Be sure the source path is not empty
+    [[ -e "${SRC_PATH}" ]] || {
+        echo "Source path '${SRC_PATH}' does not exist" >&2
+        return 1
+    }
+
+    # Transform the source path as an absolute path
+    # If it's a dir remove the ending /
+    SRC_PATH=$(realpath "$SRC_PATH")
+
+    # If there is no destination path, initialize it with the source path
+    # relative to "/".
+    # eg: SRC_PATH=/etc/yunohost -> DEST_PATH=etc/yunohost
+    if [[ -z "$DEST_PATH" ]]; then
+
+        DEST_PATH="${SRC_PATH#/}"
+
+    else
+        if [[ "${DEST_PATH:0:1}" == "/" ]]; then
+
+            # If the destination path is an absolute path, transform it as a path
+            # relative to the current working directory ($YNH_CWD)
+            #
+            # If it's an app backup script that run this helper, YNH_CWD is equal to
+            # $YNH_BACKUP_DIR/apps/APP_INSTANCE_NAME/backup/
+            #
+            # If it's a system part backup script, YNH_CWD is equal to $YNH_BACKUP_DIR
+            DEST_PATH="${DEST_PATH#$YNH_CWD/}"
+
+            # Case where $2 is an absolute dir but doesn't begin with $YNH_CWD
+            [[ "${DEST_PATH:0:1}" == "/" ]] \
+                && DEST_PATH="${DEST_PATH#/}"
+        fi
+
+        # Complete DEST_PATH if ended by a /
+        [[ "${DEST_PATH: -1}" == "/" ]] \
+            &&  DEST_PATH="${DEST_PATH}/$(basename $SRC_PATH)"
+    fi
+
+    # Check if DEST_PATH already exists in tmp archive
+    [[ ! -e "${DEST_PATH}" ]] || {
+        echo "Destination path '${DEST_PATH}' already exist" >&2
+        return 1
+    }
+
+    # Add the relative current working directory to the destination path
+    local REL_DIR="${YNH_CWD#$YNH_BACKUP_DIR}"
+    REL_DIR="${REL_DIR%/}/"
+    DEST_PATH="${REL_DIR}${DEST_PATH}"
+    DEST_PATH="${DEST_PATH#/}"
+    # ==============================================================================
+
+    # ==============================================================================
+    # Write file to backup into backup_list
+    # ==============================================================================
+    local SRC=$(echo "${SRC_PATH}" | sed -r 's/"/\"\"/g')
+    local DEST=$(echo "${DEST_PATH}" | sed -r 's/"/\"\"/g')
+    echo "\"${SRC}\",\"${DEST}\"" >> "${YNH_BACKUP_CSV}"
+
+    # ==============================================================================
+
+    # Create the parent dir of the destination path
+    # It's for retro compatibility, some script consider ynh_backup creates this dir
+    mkdir -p $(dirname "$YNH_BACKUP_DIR/${DEST_PATH}")
+}
+
+# Restore all files linked to the restore hook or to the restore app script
+#
+# usage: ynh_restore
+#
+ynh_restore () {
+    # Deduce the relative path of $YNH_CWD
+    local REL_DIR="${YNH_CWD#$YNH_BACKUP_DIR/}"
+    REL_DIR="${REL_DIR%/}/"
+
+    # For each destination path begining by $REL_DIR
+    cat ${YNH_BACKUP_CSV} | tr -d $'\r' | grep -ohP "^\".*\",\"$REL_DIR.*\"$" | \
+    while read line; do
+        local ORIGIN_PATH=$(echo "$line" | grep -ohP "^\"\K.*(?=\",\".*\"$)")
+        local ARCHIVE_PATH=$(echo "$line" | grep -ohP "^\".*\",\"$REL_DIR\K.*(?=\"$)")
+        ynh_restore_file "$ARCHIVE_PATH" "$ORIGIN_PATH"
+    done
+}
+
+# Return the path in the archive where has been stocked the origin path
+#
+# [internal]
+#
+# usage: _get_archive_path ORIGIN_PATH
+_get_archive_path () {
+    # For security reasons we use csv python library to read the CSV
+    sudo python -c "
+import sys
+import csv
+with open(sys.argv[1], 'r') as backup_file:
+    backup_csv = csv.DictReader(backup_file, fieldnames=['source', 'dest'])
+    for row in backup_csv:
+        if row['source']==sys.argv[2].strip('\"'):
+            print row['dest']
+            sys.exit(0)
+    raise Exception('Original path for %s not found' % sys.argv[2])
+    "  "${YNH_BACKUP_CSV}" "$1"
+    return $?
+}
+
+# Restore a file or a directory 
+#
+# Use the registered path in backup_list by ynh_backup to restore the file at
+# the good place.
+#
+# usage: ynh_restore_file ORIGIN_PATH [ DEST_PATH ]
+# | arg: ORIGIN_PATH - Path where was located the file or the directory before
+# to be backuped or relative path to $YNH_CWD where it is located in the backup archive
+# | arg: DEST_PATH   - Path where restore the file or the dir, if unspecified,
+# the destination will be ORIGIN_PATH or if the ORIGIN_PATH doesn't exist in
+# the archive, the destination will be searched into backup.csv
+#
+# If DEST_PATH already exists and is lighter than 500 Mo, a backup will be made in 
+# /home/yunohost.conf/backup/. Otherwise, the existing file is removed.
+#
+# examples:
+# ynh_restore_file "/etc/nginx/conf.d/$domain.d/$app.conf"
+# # if apps/wordpress/etc/nginx/conf.d/$domain.d/$app.conf exists, restore it into
+# # /etc/nginx/conf.d/$domain.d/$app.conf
+# # if no, search a correspondance in the csv (eg: conf/nginx.conf) and restore it into
+# # /etc/nginx/conf.d/$domain.d/$app.conf
+#
+# # DON'T GIVE THE ARCHIVE PATH:
+# ynh_restore_file "conf/nginx.conf"
+#
+ynh_restore_file () {
+    local ORIGIN_PATH="/${1#/}"
+    local ARCHIVE_PATH="$YNH_CWD${ORIGIN_PATH}"
+    # Default value for DEST_PATH = /$ORIGIN_PATH
+    local DEST_PATH="${2:-$ORIGIN_PATH}"
+
+    # If ARCHIVE_PATH doesn't exist, search for a corresponding path in CSV
+    if [ ! -d "$ARCHIVE_PATH" ] && [ ! -f "$ARCHIVE_PATH" ] && [ ! -L "$ARCHIVE_PATH" ]; then
+        ARCHIVE_PATH="$YNH_BACKUP_DIR/$(_get_archive_path \"$ORIGIN_PATH\")"
+    fi
+
+    # Move the old directory if it already exists
+    if [[ -e "${DEST_PATH}" ]]
+    then
+        # Check if the file/dir size is less than 500 Mo
+        if [[ $(du -sb ${DEST_PATH} | cut -d"/" -f1) -le "500000000" ]]
+        then
+            local backup_file="/home/yunohost.conf/backup/${DEST_PATH}.backup.$(date '+%Y%m%d.%H%M%S')"
+            mkdir -p "$(dirname "$backup_file")"
+            mv "${DEST_PATH}" "$backup_file"	# Move the current file or directory
+        else
+            ynh_secure_remove ${DEST_PATH}
+        fi
+    fi
+
+    # Restore ORIGIN_PATH into DEST_PATH
+    mkdir -p $(dirname "$DEST_PATH")
+
+    # Do a copy if it's just a mounting point
+    if mountpoint -q $YNH_BACKUP_DIR; then
+        if [[ -d "${ARCHIVE_PATH}" ]]; then
+            ARCHIVE_PATH="${ARCHIVE_PATH}/."
+            mkdir -p "$DEST_PATH"
+        fi
+        cp -a "$ARCHIVE_PATH" "${DEST_PATH}"
+    # Do a move if YNH_BACKUP_DIR is already a copy
+    else
+        mv "$ARCHIVE_PATH" "${DEST_PATH}"
+    fi
+}
+
+# Deprecated helper since it's a dangerous one!
+#
+# [internal]
+#
+ynh_bind_or_cp() {
+    local AS_ROOT=${3:-0}
+    local NO_ROOT=0
+    [[ "${AS_ROOT}" = "1" ]] || NO_ROOT=1
+    echo "This helper is deprecated, you should use ynh_backup instead" >&2
+    ynh_backup "$1" "$2" 1
+}
+
+# Create a directory under /tmp
+#
+# [internal]
+#
+# Deprecated helper
+#
+# usage: ynh_mkdir_tmp
+# | ret: the created directory path
+ynh_mkdir_tmp() {
+    echo "The helper ynh_mkdir_tmp is deprecated." >&2
+    echo "You should use 'mktemp -d' instead and manage permissions \
+properly with chmod/chown." >&2
+    local TMP_DIR=$(mktemp -d)
+
+    # Give rights to other users could be a security risk.
+    # But for retrocompatibility we need it. (This helpers is deprecated)
+    chmod 755 $TMP_DIR
+    echo $TMP_DIR
+}
+
+# Calculate and store a file checksum into the app settings
+#
+# $app should be defined when calling this helper
+#
+# usage: ynh_store_file_checksum file
+# | arg: file - The file on which the checksum will performed, then stored.
+ynh_store_file_checksum () {
+	local checksum_setting_name=checksum_${1//[\/ ]/_}	# Replace all '/' and ' ' by '_'
+	ynh_app_setting_set $app $checksum_setting_name $(sudo md5sum "$1" | cut -d' ' -f1)
+}
+
+# Verify the checksum and backup the file if it's different
+# This helper is primarily meant to allow to easily backup personalised/manually 
+# modified config files.
+#
+# $app should be defined when calling this helper
+#
+# usage: ynh_backup_if_checksum_is_different file
+# | arg: file - The file on which the checksum test will be perfomed.
+#
+# | ret: Return the name a the backup file, or nothing
+ynh_backup_if_checksum_is_different () {
+	local file=$1
+	local checksum_setting_name=checksum_${file//[\/ ]/_}	# Replace all '/' and ' ' by '_'
+	local checksum_value=$(ynh_app_setting_get $app $checksum_setting_name)
+	if [ -n "$checksum_value" ]
+	then	# Proceed only if a value was stored into the app settings
+		if ! echo "$checksum_value $file" | sudo md5sum -c --status
+		then	# If the checksum is now different
+			local backup_file="/home/yunohost.conf/backup/$file.backup.$(date '+%Y%m%d.%H%M%S')"
+			sudo mkdir -p "$(dirname "$backup_file")"
+			sudo cp -a "$file" "$backup_file"	# Backup the current file
+			echo "File $file has been manually modified since the installation or last upgrade. So it has been duplicated in $backup_file" >&2
+			echo "$backup_file"	# Return the name of the backup file
+		fi
+	fi
+}
+
+# Remove a file or a directory securely
+#
+# usage: ynh_secure_remove path_to_remove
+# | arg: path_to_remove - File or directory to remove
+ynh_secure_remove () {
+	local path_to_remove=$1
+	local forbidden_path=" \
+	/var/www \
+	/home/yunohost.app"
+
+	if [[ "$forbidden_path" =~ "$path_to_remove" \
+		# Match all paths or subpaths in $forbidden_path
+		|| "$path_to_remove" =~ ^/[[:alnum:]]+$ \
+		# Match all first level paths from / (Like /var, /root, etc...)
+		|| "${path_to_remove:${#path_to_remove}-1}" = "/" ]]
+		# Match if the path finishes by /. Because it seems there is an empty variable
+	then
+		echo "Avoid deleting $path_to_remove." >&2
+	else
+		if [ -e "$path_to_remove" ]
+		then
+			sudo rm -R "$path_to_remove"
+		else
+			echo "$path_to_remove wasn't deleted because it doesn't exist." >&2
+		fi
+	fi
+}

data/helpers.d/ip

@@ -0,0 +1,52 @@
+# Validate an IP address
+#
+# usage: ynh_validate_ip [family] [ip_address]
+# | ret: 0 for valid ip addresses, 1 otherwise
+#
+# example: ynh_validate_ip 4 111.222.333.444
+#
+ynh_validate_ip()
+{
+  # http://stackoverflow.com/questions/319279/how-to-validate-ip-address-in-python#319298
+
+  local IP_ADDRESS_FAMILY=$1
+  local IP_ADDRESS=$2
+
+  [ "$IP_ADDRESS_FAMILY" == "4" ] || [ "$IP_ADDRESS_FAMILY" == "6" ] || return 1
+
+  python /dev/stdin << EOF
+import socket
+import sys
+family = { "4" : socket.AF_INET, "6" : socket.AF_INET6 }
+try:
+    socket.inet_pton(family["$IP_ADDRESS_FAMILY"], "$IP_ADDRESS")
+except socket.error:
+    sys.exit(1)
+sys.exit(0)
+EOF
+}
+
+# Validate an IPv4 address
+#
+# example: ynh_validate_ip4 111.222.333.444
+#
+# usage: ynh_validate_ip4 <ip_address>
+# | ret: 0 for valid ipv4 addresses, 1 otherwise
+#
+ynh_validate_ip4()
+{
+  ynh_validate_ip 4 $1
+}
+
+
+# Validate an IPv6 address
+#
+# example: ynh_validate_ip6 2000:dead:beef::1
+#
+# usage: ynh_validate_ip6 <ip_address>
+# | ret: 0 for valid ipv6 addresses, 1 otherwise
+#
+ynh_validate_ip6()
+{
+  ynh_validate_ip 6 $1
+}

data/helpers.d/mysql

@@ -0,0 +1,172 @@
+MYSQL_ROOT_PWD_FILE=/etc/yunohost/mysql
+
+# Open a connection as a user
+#
+# example: ynh_mysql_connect_as 'user' 'pass' <<< "UPDATE ...;"
+# example: ynh_mysql_connect_as 'user' 'pass' < /path/to/file.sql
+#
+# usage: ynh_mysql_connect_as user pwd [db]
+# | arg: user - the user name to connect as
+# | arg: pwd - the user password
+# | arg: db - the database to connect to
+ynh_mysql_connect_as() {
+    mysql -u "$1" --password="$2" -B "${3:-}"
+}
+
+# Execute a command as root user
+#
+# usage: ynh_mysql_execute_as_root sql [db]
+# | arg: sql - the SQL command to execute
+# | arg: db - the database to connect to
+ynh_mysql_execute_as_root() {
+    ynh_mysql_connect_as "root" "$(sudo cat $MYSQL_ROOT_PWD_FILE)" \
+        "${2:-}" <<< "$1"
+}
+
+# Execute a command from a file as root user
+#
+# usage: ynh_mysql_execute_file_as_root file [db]
+# | arg: file - the file containing SQL commands
+# | arg: db - the database to connect to
+ynh_mysql_execute_file_as_root() {
+    ynh_mysql_connect_as "root" "$(sudo cat $MYSQL_ROOT_PWD_FILE)" \
+        "${2:-}" < "$1"
+}
+
+# Create a database and grant optionnaly privilegies to a user
+#
+# [internal]
+#
+# usage: ynh_mysql_create_db db [user [pwd]]
+# | arg: db - the database name to create
+# | arg: user - the user to grant privilegies
+# | arg: pwd - the password to identify user by
+ynh_mysql_create_db() {
+    local db=$1
+
+    local sql="CREATE DATABASE ${db};"
+
+    # grant all privilegies to user
+    if [[ $# -gt 1 ]]; then
+        sql+=" GRANT ALL PRIVILEGES ON ${db}.* TO '${2}'@'localhost'"
+        [[ -n ${3:-} ]] && sql+=" IDENTIFIED BY '${3}'"
+        sql+=" WITH GRANT OPTION;"
+    fi
+
+    ynh_mysql_execute_as_root "$sql"
+}
+
+# Drop a database
+#
+# [internal]
+#
+# If you intend to drop the database *and* the associated user,
+# consider using ynh_mysql_remove_db instead.
+#
+# usage: ynh_mysql_drop_db db
+# | arg: db - the database name to drop
+ynh_mysql_drop_db() {
+    ynh_mysql_execute_as_root "DROP DATABASE ${1};"
+}
+
+# Dump a database
+#
+# example: ynh_mysql_dump_db 'roundcube' > ./dump.sql
+#
+# usage: ynh_mysql_dump_db db
+# | arg: db - the database name to dump
+# | ret: the mysqldump output
+ynh_mysql_dump_db() {
+    mysqldump -u "root" -p"$(sudo cat $MYSQL_ROOT_PWD_FILE)" --single-transaction --skip-dump-date "$1"
+}
+
+# Create a user
+#
+# [internal]
+#
+# usage: ynh_mysql_create_user user pwd [host]
+# | arg: user - the user name to create
+# | arg: pwd - the password to identify user by
+ynh_mysql_create_user() {
+    ynh_mysql_execute_as_root \
+        "CREATE USER '${1}'@'localhost' IDENTIFIED BY '${2}';"
+}
+
+# Check if a mysql user exists
+#
+# usage: ynh_mysql_user_exists user
+# | arg: user - the user for which to check existence
+ynh_mysql_user_exists()
+{
+   local user=$1
+   if [[ -z $(ynh_mysql_execute_as_root "SELECT User from mysql.user WHERE User = '$user';") ]]
+   then
+      return 1
+   else
+      return 0
+   fi
+}
+
+# Drop a user
+#
+# [internal]
+#
+# usage: ynh_mysql_drop_user user
+# | arg: user - the user name to drop
+ynh_mysql_drop_user() {
+    ynh_mysql_execute_as_root "DROP USER '${1}'@'localhost';"
+}
+
+# Create a database, an user and its password. Then store the password in the app's config
+#
+# After executing this helper, the password of the created database will be available in $db_pwd
+# It will also be stored as "mysqlpwd" into the app settings.
+#
+# usage: ynh_mysql_setup_db user name [pwd]
+# | arg: user - Owner of the database
+# | arg: name - Name of the database
+# | arg: pwd - Password of the database. If not given, a password will be generated
+ynh_mysql_setup_db () {
+	local db_user="$1"
+	local db_name="$2"
+	local new_db_pwd=$(ynh_string_random)	# Generate a random password
+	# If $3 is not given, use new_db_pwd instead for db_pwd.
+	db_pwd="${3:-$new_db_pwd}"
+	ynh_mysql_create_db "$db_name" "$db_user" "$db_pwd"	# Create the database
+	ynh_app_setting_set $app mysqlpwd $db_pwd	# Store the password in the app's config
+}
+
+# Remove a database if it exists, and the associated user
+#
+# usage: ynh_mysql_remove_db user name
+# | arg: user - Owner of the database
+# | arg: name - Name of the database
+ynh_mysql_remove_db () {
+	local db_user="$1"
+	local db_name="$2"
+	local mysql_root_password=$(sudo cat $MYSQL_ROOT_PWD_FILE)
+	if mysqlshow -u root -p$mysql_root_password | grep -q "^| $db_name"; then	# Check if the database exists
+		echo "Removing database $db_name" >&2
+		ynh_mysql_drop_db $db_name	# Remove the database	
+	else
+		echo "Database $db_name not found" >&2
+	fi
+
+	# Remove mysql user if it exists
+        if $(ynh_mysql_user_exists $db_user); then
+		ynh_mysql_drop_user $db_user
+	fi
+}
+
+# Sanitize a string intended to be the name of a database
+# (More specifically : replace - and . by _)
+#
+# example: dbname=$(ynh_sanitize_dbid $app)
+#
+# usage: ynh_sanitize_dbid name
+# | arg: name - name to correct/sanitize
+# | ret: the corrected name
+ynh_sanitize_dbid () {
+	local dbid=${1//[-.]/_}	# We should avoid having - and . in the name of databases. They are replaced by _
+	echo $dbid
+}

data/helpers.d/network

@@ -0,0 +1,67 @@
+# Normalize the url path syntax
+# Handle the slash at the beginning of path and its absence at ending
+# Return a normalized url path
+#
+# example: url_path=$(ynh_normalize_url_path $url_path)
+#          ynh_normalize_url_path example -> /example
+#          ynh_normalize_url_path /example -> /example
+#          ynh_normalize_url_path /example/ -> /example
+#          ynh_normalize_url_path / -> /
+#
+# usage: ynh_normalize_url_path path_to_normalize
+# | arg: url_path_to_normalize - URL path to normalize before using it
+ynh_normalize_url_path () {
+	local path_url=$1
+	test -n "$path_url" || ynh_die "ynh_normalize_url_path expect a URL path as first argument and received nothing."
+	if [ "${path_url:0:1}" != "/" ]; then    # If the first character is not a /
+		path_url="/$path_url"    # Add / at begin of path variable
+	fi
+	if [ "${path_url:${#path_url}-1}" == "/" ] && [ ${#path_url} -gt 1 ]; then    # If the last character is a / and that not the only character.
+		path_url="${path_url:0:${#path_url}-1}"	# Delete the last character
+	fi
+	echo $path_url
+}
+
+# Find a free port and return it
+#
+# example: port=$(ynh_find_port 8080)
+#
+# usage: ynh_find_port begin_port
+# | arg: begin_port - port to start to search
+ynh_find_port () {
+	local port=$1
+	test -n "$port" || ynh_die "The argument of ynh_find_port must be a valid port."
+	while netcat -z 127.0.0.1 $port       # Check if the port is free
+	do
+		port=$((port+1))	# Else, pass to next port
+	done
+	echo $port
+}
+
+# Check availability of a web path
+#
+# example: ynh_webpath_available some.domain.tld /coffee
+#
+# usage: ynh_webpath_available domain path
+# | arg: domain - the domain/host of the url
+# | arg: path - the web path to check the availability of
+ynh_webpath_available () {
+	local domain=$1
+	local path=$2
+	sudo yunohost domain url-available $domain $path
+}
+
+# Register/book a web path for an app
+#
+# example: ynh_webpath_register wordpress some.domain.tld /coffee
+#
+# usage: ynh_webpath_register app domain path
+# | arg: app - the app for which the domain should be registered
+# | arg: domain - the domain/host of the web path
+# | arg: path - the web path to be registered
+ynh_webpath_register () {
+	local app=$1
+	local domain=$2
+	local path=$3
+	sudo yunohost app register-url $app $domain $path
+}

data/helpers.d/nodejs

@@ -0,0 +1,196 @@
+n_install_dir="/opt/node_n"
+node_version_path="$n_install_dir/n/versions/node"
+# N_PREFIX is the directory of n, it needs to be loaded as a environment variable.
+export N_PREFIX="$n_install_dir"
+
+# Install Node version management
+#
+# [internal]
+#
+# usage: ynh_install_n
+ynh_install_n () {
+	echo "Installation of N - Node.js version management" >&2
+	# Build an app.src for n
+	mkdir -p "../conf"
+	echo "SOURCE_URL=https://github.com/tj/n/archive/v2.1.7.tar.gz
+SOURCE_SUM=2ba3c9d4dd3c7e38885b37e02337906a1ee91febe6d5c9159d89a9050f2eea8f" > "../conf/n.src"
+	# Download and extract n
+	ynh_setup_source "$n_install_dir/git" n
+	# Install n
+	(cd "$n_install_dir/git"
+	PREFIX=$N_PREFIX make install 2>&1)
+}
+
+# Load the version of node for an app, and set variables.
+#
+# ynh_use_nodejs has to be used in any app scripts before using node for the first time.
+#
+# 2 variables are available:
+#   - $nodejs_path: The absolute path of node for the chosen version.
+#   - $nodejs_version: Just the version number of node for this app. Stored as 'nodejs_version' in settings.yml.
+# And 2 alias stored in variables:
+#   - $nodejs_use_version: An old variable, not used anymore. Keep here to not break old apps
+#     NB: $PATH will contain the path to node, it has to be propagated to any other shell which needs to use it.
+#     That's means it has to be added to any systemd script.
+#
+# usage: ynh_use_nodejs
+ynh_use_nodejs () {
+	nodejs_version=$(ynh_app_setting_get $app nodejs_version)
+
+	nodejs_use_version="echo \"Deprecated command, should be removed\""
+
+	# Get the absolute path of this version of node
+	nodejs_path="$node_version_path/$nodejs_version/bin"
+
+	# Load the path of this version of node in $PATH
+	[[ :$PATH: == *":$nodejs_path"* ]] || PATH="$nodejs_path:$PATH"
+}
+
+# Install a specific version of nodejs
+#
+# n (Node version management) uses the PATH variable to store the path of the version of node it is going to use.
+# That's how it changes the version
+#
+# ynh_install_nodejs will install the version of node provided as argument by using n.
+#
+# usage: ynh_install_nodejs [nodejs_version]
+# | arg: nodejs_version - Version of node to install.
+#        If possible, prefer to use major version number (e.g. 8 instead of 8.10.0).
+#        The crontab will handle the update of minor versions when needed.
+ynh_install_nodejs () {
+	# Use n, https://github.com/tj/n to manage the nodejs versions
+	nodejs_version="$1"
+
+	# Create $n_install_dir
+	mkdir -p "$n_install_dir"
+
+	# Load n path in PATH
+	CLEAR_PATH="$n_install_dir/bin:$PATH"
+	# Remove /usr/local/bin in PATH in case of node prior installation
+	PATH=$(echo $CLEAR_PATH | sed 's@/usr/local/bin:@@')
+
+	# Move an existing node binary, to avoid to block n.
+	test -x /usr/bin/node && mv /usr/bin/node /usr/bin/node_n
+	test -x /usr/bin/npm && mv /usr/bin/npm /usr/bin/npm_n
+
+	# If n is not previously setup, install it
+	if ! test $(n --version > /dev/null 2>&1)
+	then
+		ynh_install_n
+	fi
+
+	# Modify the default N_PREFIX in n script
+	ynh_replace_string "^N_PREFIX=\${N_PREFIX-.*}$" "N_PREFIX=\${N_PREFIX-$N_PREFIX}" "$n_install_dir/bin/n"
+
+	# Restore /usr/local/bin in PATH
+	PATH=$CLEAR_PATH
+
+	# And replace the old node binary.
+	test -x /usr/bin/node_n && mv /usr/bin/node_n /usr/bin/node
+	test -x /usr/bin/npm_n && mv /usr/bin/npm_n /usr/bin/npm
+
+	# Install the requested version of nodejs
+	n $nodejs_version
+
+	# Find the last "real" version for this major version of node.
+	real_nodejs_version=$(find $node_version_path/$nodejs_version* -maxdepth 0 | sort --version-sort | tail --lines=1)
+	real_nodejs_version=$(basename $real_nodejs_version)
+
+	# Create a symbolic link for this major version if the file doesn't already exist
+	if [ ! -e "$node_version_path/$nodejs_version" ]
+	then
+		ln --symbolic --force --no-target-directory $node_version_path/$real_nodejs_version $node_version_path/$nodejs_version
+	fi
+
+	# Store the ID of this app and the version of node requested for it
+	echo "$YNH_APP_ID:$nodejs_version" | tee --append "$n_install_dir/ynh_app_version"
+
+	# Store nodejs_version into the config of this app
+	ynh_app_setting_set $app nodejs_version $nodejs_version
+
+	# Build the update script and set the cronjob
+	ynh_cron_upgrade_node
+
+	ynh_use_nodejs
+}
+
+# Remove the version of node used by the app.
+#
+# This helper will check if another app uses the same version of node,
+# if not, this version of node will be removed.
+# If no other app uses node, n will be also removed.
+#
+# usage: ynh_remove_nodejs
+ynh_remove_nodejs () {
+	nodejs_version=$(ynh_app_setting_get $app nodejs_version)
+
+	# Remove the line for this app
+	sed --in-place "/$YNH_APP_ID:$nodejs_version/d" "$n_install_dir/ynh_app_version"
+
+	# If no other app uses this version of nodejs, remove it.
+	if ! grep --quiet "$nodejs_version" "$n_install_dir/ynh_app_version"
+	then
+		$n_install_dir/bin/n rm $nodejs_version
+	fi
+
+	# If no other app uses n, remove n
+	if [ ! -s "$n_install_dir/ynh_app_version" ]
+	then
+		ynh_secure_remove "$n_install_dir"
+		ynh_secure_remove "/usr/local/n"
+	fi
+}
+
+# Set a cron design to update your node versions
+#
+# [internal]
+#
+# This cron will check and update all minor node versions used by your apps.
+#
+# usage: ynh_cron_upgrade_node
+ynh_cron_upgrade_node () {
+	# Build the update script
+	cat > "$n_install_dir/node_update.sh" << EOF
+#!/bin/bash
+
+version_path="$node_version_path"
+n_install_dir="$n_install_dir"
+
+# Log the date
+date
+
+# List all real installed version of node
+all_real_version="\$(find \$version_path/* -maxdepth 0 -type d | sed "s@\$version_path/@@g")"
+
+# Keep only the major version number of each line
+all_real_version=\$(echo "\$all_real_version" | sed 's/\..*\$//')
+
+# Remove double entries
+all_real_version=\$(echo "\$all_real_version" | sort --unique)
+
+# Read each major version
+while read version
+do
+	echo "Update of the version \$version"
+	sudo \$n_install_dir/bin/n \$version
+
+	# Find the last "real" version for this major version of node.
+	real_nodejs_version=\$(find \$version_path/\$version* -maxdepth 0 | sort --version-sort | tail --lines=1)
+	real_nodejs_version=\$(basename \$real_nodejs_version)
+
+	# Update the symbolic link for this version
+	sudo ln --symbolic --force --no-target-directory \$version_path/\$real_nodejs_version \$version_path/\$version
+done <<< "\$(echo "\$all_real_version")"
+EOF
+
+	chmod +x "$n_install_dir/node_update.sh"
+
+	# Build the cronjob
+	cat > "/etc/cron.daily/node_update" << EOF
+#!/bin/bash
+
+$n_install_dir/node_update.sh >> $n_install_dir/node_update.log
+EOF
+
+	chmod +x "/etc/cron.daily/node_update"
+}

data/helpers.d/package

@@ -0,0 +1,170 @@
+# Check either a package is installed or not
+#
+# example: ynh_package_is_installed 'yunohost' && echo "ok"
+#
+# usage: ynh_package_is_installed name
+# | arg: name - the package name to check
+ynh_package_is_installed() {
+    dpkg-query -W -f '${Status}' "$1" 2>/dev/null \
+        | grep -c "ok installed" &>/dev/null
+}
+
+# Get the version of an installed package
+#
+# example: version=$(ynh_package_version 'yunohost')
+#
+# usage: ynh_package_version name
+# | arg: name - the package name to get version
+# | ret: the version or an empty string
+ynh_package_version() {
+    if ynh_package_is_installed "$1"; then
+        dpkg-query -W -f '${Version}' "$1" 2>/dev/null
+    else
+        echo ''
+    fi
+}
+
+# APT wrapper for non-interactive operation
+#
+# [internal]
+#
+# usage: ynh_apt update
+ynh_apt() {
+    DEBIAN_FRONTEND=noninteractive sudo apt-get -y $@
+}
+
+# Update package index files
+#
+# usage: ynh_package_update
+ynh_package_update() {
+    ynh_apt update
+}
+
+# Install package(s)
+#
+# usage: ynh_package_install name [name [...]]
+# | arg: name - the package name to install
+ynh_package_install() {
+    ynh_apt --no-remove -o Dpkg::Options::=--force-confdef \
+            -o Dpkg::Options::=--force-confold install $@
+}
+
+# Remove package(s)
+#
+# usage: ynh_package_remove name [name [...]]
+# | arg: name - the package name to remove
+ynh_package_remove() {
+    ynh_apt remove $@
+}
+
+# Remove package(s) and their uneeded dependencies
+#
+# usage: ynh_package_autoremove name [name [...]]
+# | arg: name - the package name to remove
+ynh_package_autoremove() {
+    ynh_apt autoremove $@
+}
+
+# Purge package(s) and their uneeded dependencies
+#
+# usage: ynh_package_autopurge name [name [...]]
+# | arg: name - the package name to autoremove and purge
+ynh_package_autopurge() {
+    ynh_apt autoremove --purge $@
+}
+
+# Build and install a package from an equivs control file
+#
+# [internal]
+#
+# example: generate an empty control file with `equivs-control`, adjust its
+#          content and use helper to build and install the package:
+#              ynh_package_install_from_equivs /path/to/controlfile
+#
+# usage: ynh_package_install_from_equivs controlfile
+# | arg: controlfile - path of the equivs control file
+ynh_package_install_from_equivs () {
+    local controlfile=$1
+
+    # Check if the equivs package is installed. Or install it.
+    ynh_package_is_installed 'equivs' \
+        || ynh_package_install equivs
+
+    # retrieve package information
+    local pkgname=$(grep '^Package: ' $controlfile | cut -d' ' -f 2)	# Retrieve the name of the debian package
+    local pkgversion=$(grep '^Version: ' $controlfile | cut -d' ' -f 2)	# And its version number
+    [[ -z "$pkgname" || -z "$pkgversion" ]] \
+        && echo "Invalid control file" && exit 1	# Check if this 2 variables aren't empty.
+
+    # Update packages cache
+    ynh_package_update
+
+    # Build and install the package
+    local TMPDIR=$(mktemp -d)
+
+    # Force the compatibility level at 10, levels below are deprecated 
+    echo 10 > /usr/share/equivs/template/debian/compat
+
+    # Note that the cd executes into a sub shell
+    # Create a fake deb package with equivs-build and the given control file
+    # Install the fake package without its dependencies with dpkg
+    # Install missing dependencies with ynh_package_install
+    (cp "$controlfile" "${TMPDIR}/control" && cd "$TMPDIR" \
+     && equivs-build ./control 1>/dev/null \
+     && sudo dpkg --force-depends \
+          -i "./${pkgname}_${pkgversion}_all.deb" 2>&1 \
+     && ynh_package_install -f) || ynh_die "Unable to install dependencies"
+    [[ -n "$TMPDIR" ]] && rm -rf $TMPDIR	# Remove the temp dir.
+
+    # check if the package is actually installed
+    ynh_package_is_installed "$pkgname"
+}
+
+# Define and install dependencies with a equivs control file
+# This helper can/should only be called once per app
+#
+# usage: ynh_install_app_dependencies dep [dep [...]]
+# | arg: dep - the package name to install in dependence
+#   You can give a choice between some package with this syntax : "dep1|dep2"
+#   Example : ynh_install_app_dependencies dep1 dep2 "dep3|dep4|dep5"
+#   This mean in the dependence tree : dep1 & dep2 & (dep3 | dep4 | dep5)
+ynh_install_app_dependencies () {
+    local dependencies=$@
+    local dependencies=${dependencies// /, }
+    local dependencies=${dependencies//|/ | }
+    local manifest_path="../manifest.json"
+    if [ ! -e "$manifest_path" ]; then
+    	manifest_path="../settings/manifest.json"	# Into the restore script, the manifest is not at the same place
+    fi
+
+    local version=$(grep '\"version\": ' "$manifest_path" | cut -d '"' -f 4)	# Retrieve the version number in the manifest file.
+    if [ ${#version} -eq 0 ]; then
+        version="1.0"
+    fi
+    local dep_app=${app//_/-}	# Replace all '_' by '-'
+
+    cat > /tmp/${dep_app}-ynh-deps.control << EOF	# Make a control file for equivs-build
+Section: misc
+Priority: optional
+Package: ${dep_app}-ynh-deps
+Version: ${version}
+Depends: ${dependencies}
+Architecture: all
+Description: Fake package for ${app} (YunoHost app) dependencies
+ This meta-package is only responsible of installing its dependencies.
+EOF
+    ynh_package_install_from_equivs /tmp/${dep_app}-ynh-deps.control \
+        || ynh_die "Unable to install dependencies"	# Install the fake package and its dependencies
+    rm /tmp/${dep_app}-ynh-deps.control
+    ynh_app_setting_set $app apt_dependencies $dependencies
+}
+
+# Remove fake package and its dependencies
+#
+# Dependencies will removed only if no other package need them.
+#
+# usage: ynh_remove_app_dependencies
+ynh_remove_app_dependencies () {
+    local dep_app=${app//_/-}	# Replace all '_' by '-'
+    ynh_package_autopurge ${dep_app}-ynh-deps	# Remove the fake package and its dependencies if they not still used.
+}

data/helpers.d/print

@@ -0,0 +1,23 @@
+# Print a message to stderr and exit
+# usage: ynh_die MSG [RETCODE]
+ynh_die() {
+  echo "$1" 1>&2
+  exit "${2:-1}"
+}
+
+# Ignore the yunohost-cli log to prevent errors with conditionals commands
+#
+# [internal]
+#
+# usage: ynh_no_log COMMAND
+#
+# Simply duplicate the log, execute the yunohost command and replace the log without the result of this command
+# It's a very badly hack...
+ynh_no_log() {
+  local ynh_cli_log=/var/log/yunohost/yunohost-cli.log
+  sudo cp -a ${ynh_cli_log} ${ynh_cli_log}-move
+  eval $@
+  local exit_code=$?
+  sudo mv ${ynh_cli_log}-move ${ynh_cli_log}
+  return $?
+}

data/helpers.d/psql

@@ -0,0 +1,148 @@
+# Create a master password and set up global settings
+# Please always call this script in install and restore scripts
+#
+# usage: ynh_psql_test_if_first_run
+ynh_psql_test_if_first_run() {
+	if [ -f /etc/yunohost/psql ];
+	then
+		echo "PostgreSQL is already installed, no need to create master password"
+	else
+		local pgsql="$(ynh_string_random)"
+		echo "$pgsql" > /etc/yunohost/psql
+
+		if [ -e /etc/postgresql/9.4/ ]
+		then
+			local pg_hba=/etc/postgresql/9.4/main/pg_hba.conf
+		elif [ -e /etc/postgresql/9.6/ ]
+		then
+			local pg_hba=/etc/postgresql/9.6/main/pg_hba.conf
+		else
+			ynh_die "postgresql shoud be 9.4 or 9.6"
+		fi
+
+		systemctl start postgresql
+		sudo --login --user=postgres psql -c"ALTER user postgres WITH PASSWORD '$pgsql'" postgres
+
+		# force all user to connect to local database using passwords
+		# https://www.postgresql.org/docs/current/static/auth-pg-hba-conf.html#EXAMPLE-PG-HBA.CONF
+		# Note: we can't use peer since YunoHost create users with nologin
+		#  See: https://github.com/YunoHost/yunohost/blob/unstable/data/helpers.d/user
+		sed -i '/local\s*all\s*all\s*peer/i \
+			local all all password' "$pg_hba"
+		systemctl enable postgresql
+		systemctl reload postgresql
+	fi
+}
+
+# Open a connection as a user
+#
+# example: ynh_psql_connect_as 'user' 'pass' <<< "UPDATE ...;"
+# example: ynh_psql_connect_as 'user' 'pass' < /path/to/file.sql
+#
+# usage: ynh_psql_connect_as user pwd [db]
+# | arg: user - the user name to connect as
+# | arg: pwd - the user password
+# | arg: db - the database to connect to
+ynh_psql_connect_as() {
+	local user="$1"
+	local pwd="$2"
+	local db="$3"
+	sudo --login --user=postgres PGUSER="$user" PGPASSWORD="$pwd" psql "$db"
+}
+
+# # Execute a command as root user
+#
+# usage: ynh_psql_execute_as_root sql [db]
+# | arg: sql - the SQL command to execute
+ynh_psql_execute_as_root () {
+	local sql="$1"
+	sudo --login --user=postgres psql <<< "$sql"
+}
+
+# Execute a command from a file as root user
+#
+# usage: ynh_psql_execute_file_as_root file [db]
+# | arg: file - the file containing SQL commands
+# | arg: db - the database to connect to
+ynh_psql_execute_file_as_root() {
+	local file="$1"
+	local db="$2"
+	sudo --login --user=postgres psql "$db" < "$file"
+}
+
+# Create a database, an user and its password. Then store the password in the app's config
+#
+# After executing this helper, the password of the created database will be available in $db_pwd
+# It will also be stored as "psqlpwd" into the app settings.
+#
+# usage: ynh_psql_setup_db user name [pwd]
+# | arg: user - Owner of the database
+# | arg: name - Name of the database
+# | arg: pwd - Password of the database. If not given, a password will be generated
+ynh_psql_setup_db () {
+	local db_user="$1"
+	local db_name="$2"
+	local new_db_pwd=$(ynh_string_random)	# Generate a random password
+	# If $3 is not given, use new_db_pwd instead for db_pwd.
+	local db_pwd="${3:-$new_db_pwd}"
+	ynh_psql_create_db "$db_name" "$db_user" "$db_pwd"	# Create the database
+	ynh_app_setting_set "$app" psqlpwd "$db_pwd"	# Store the password in the app's config
+}
+
+# Create a database and grant privilegies to a user
+#
+# usage: ynh_psql_create_db db [user [pwd]]
+# | arg: db - the database name to create
+# | arg: user - the user to grant privilegies
+# | arg: pwd  - the user password
+ynh_psql_create_db() {
+	local db="$1"
+	local user="$2"
+	local pwd="$3"
+	ynh_psql_create_user "$user" "$pwd"
+	sudo --login --user=postgres createdb --owner="$user" "$db"
+}
+
+# Drop a database
+#
+# usage: ynh_psql_drop_db db
+# | arg: db - the database name to drop
+# | arg: user - the user to drop
+ynh_psql_remove_db() {
+	local db="$1"
+	local user="$2"
+	sudo --login --user=postgres dropdb "$db"
+	ynh_psql_drop_user "$user"
+}
+
+# Dump a database
+#
+# example: ynh_psql_dump_db 'roundcube' > ./dump.sql
+#
+# usage: ynh_psql_dump_db db
+# | arg: db - the database name to dump
+# | ret: the psqldump output
+ynh_psql_dump_db() {
+	local db="$1"
+	sudo --login --user=postgres pg_dump "$db"
+}
+
+
+# Create a user
+#
+# usage: ynh_psql_create_user user pwd [host]
+# | arg: user - the user name to create
+ynh_psql_create_user() {
+	local user="$1"
+	local pwd="$2"
+	sudo --login --user=postgres psql -c"CREATE USER $user WITH PASSWORD '$pwd'" postgres
+}
+
+# Drop a user
+#
+# usage: ynh_psql_drop_user user
+# | arg: user - the user name to drop
+ynh_psql_drop_user() {
+	local user="$1"
+	sudo --login --user=postgres dropuser "$user"
+}

data/helpers.d/setting

@@ -0,0 +1,27 @@
+# Get an application setting
+#
+# usage: ynh_app_setting_get app key
+# | arg: app - the application id
+# | arg: key - the setting to get
+ynh_app_setting_get() {
+    sudo yunohost app setting "$1" "$2" --output-as plain --quiet
+}
+
+# Set an application setting
+#
+# usage: ynh_app_setting_set app key value
+# | arg: app - the application id
+# | arg: key - the setting name to set
+# | arg: value - the setting value to set
+ynh_app_setting_set() {
+    sudo yunohost app setting "$1" "$2" --value="$3" --quiet
+}
+
+# Delete an application setting
+#
+# usage: ynh_app_setting_delete app key
+# | arg: app - the application id
+# | arg: key - the setting to delete
+ynh_app_setting_delete() {
+    sudo yunohost app setting -d "$1" "$2" --quiet
+}

data/helpers.d/string

@@ -0,0 +1,59 @@
+# Generate a random string
+#
+# example: pwd=$(ynh_string_random 8)
+#
+# usage: ynh_string_random [length]
+# | arg: length - the string length to generate (default: 24)
+ynh_string_random() {
+    dd if=/dev/urandom bs=1 count=200 2> /dev/null \
+      | tr -c -d 'A-Za-z0-9' \
+      | sed -n 's/\(.\{'"${1:-24}"'\}\).*/\1/p'
+}
+
+# Substitute/replace a string (or expression) by another in a file
+#
+# usage: ynh_replace_string match_string replace_string target_file
+# | arg: match_string - String to be searched and replaced in the file
+# | arg: replace_string - String that will replace matches
+# | arg: target_file - File in which the string will be replaced.
+#
+# As this helper is based on sed command, regular expressions and
+# references to sub-expressions can be used
+# (see sed manual page for more information)
+ynh_replace_string () {
+	local delimit=@
+	local match_string=$1
+	local replace_string=$2
+	local workfile=$3
+  
+	# Escape the delimiter if it's in the string.
+	match_string=${match_string//${delimit}/"\\${delimit}"}
+	replace_string=${replace_string//${delimit}/"\\${delimit}"}
+
+	sudo sed --in-place "s${delimit}${match_string}${delimit}${replace_string}${delimit}g" "$workfile"
+}
+
+# Substitute/replace a special string by another in a file
+#
+# usage: ynh_replace_special_string match_string replace_string target_file
+# | arg: match_string - String to be searched and replaced in the file
+# | arg: replace_string - String that will replace matches
+# | arg: target_file - File in which the string will be replaced.
+#
+# This helper will use ynh_replace_string, but as you can use special
+# characters, you can't use some regular expressions and sub-expressions.
+ynh_replace_special_string () {
+	local match_string=$1
+	local replace_string=$2
+	local workfile=$3
+
+  # Escape any backslash to preserve them as simple backslash.
+  match_string=${match_string//\\/"\\\\"}
+  replace_string=${replace_string//\\/"\\\\"}
+
+	# Escape the & character, who has a special function in sed.
+	match_string=${match_string//&/"\&"}
+	replace_string=${replace_string//&/"\&"}
+
+	ynh_replace_string "$match_string" "$replace_string" "$workfile"
+}

data/helpers.d/system

@@ -0,0 +1,55 @@
+# Manage a fail of the script
+#
+# [internal]
+#
+# usage: 
+# ynh_exit_properly is used only by the helper ynh_abort_if_errors.
+# You should not use it directly.
+# Instead, add to your script:
+# ynh_clean_setup () {
+#        instructions...
+# }
+#
+# This function provide a way to clean some residual of installation that not managed by remove script.
+#
+# It prints a warning to inform that the script was failed, and execute the ynh_clean_setup function if used in the app script
+#
+ynh_exit_properly () {
+	local exit_code=$?
+	if [ "$exit_code" -eq 0 ]; then
+			exit 0	# Exit without error if the script ended correctly
+	fi
+
+	trap '' EXIT	# Ignore new exit signals
+	set +eu	# Do not exit anymore if a command fail or if a variable is empty
+
+	echo -e "!!\n  $app's script has encountered an error. Its execution was cancelled.\n!!" >&2
+
+	if type -t ynh_clean_setup > /dev/null; then	# Check if the function exist in the app script.
+		ynh_clean_setup	# Call the function to do specific cleaning for the app.
+	fi
+
+	ynh_die	# Exit with error status
+}
+
+# Exits if an error occurs during the execution of the script.
+#
+# usage: ynh_abort_if_errors
+#
+# This configure the rest of the script execution such that, if an error occurs
+# or if an empty variable is used, the execution of the script stops
+# immediately and a call to `ynh_clean_setup` is triggered if it has been
+# defined by your script.
+#
+ynh_abort_if_errors () {
+	set -eu	# Exit if a command fail, and if a variable is used unset.
+	trap ynh_exit_properly EXIT	# Capturing exit signals on shell script
+}
+
+# Fetch the Debian release codename
+#
+# usage: ynh_get_debian_release
+# | ret: The Debian release codename (i.e. jessie, stretch, ...)
+ynh_get_debian_release () {
+	echo $(lsb_release --codename --short)
+}

data/helpers.d/user

@@ -0,0 +1,71 @@
+# Check if a YunoHost user exists
+#
+# example: ynh_user_exists 'toto' || exit 1
+#
+# usage: ynh_user_exists username
+# | arg: username - the username to check
+ynh_user_exists() {
+    sudo yunohost user list --output-as json | grep -q "\"username\": \"${1}\""
+}
+
+# Retrieve a YunoHost user information
+#
+# example: mail=$(ynh_user_get_info 'toto' 'mail')
+#
+# usage: ynh_user_get_info username key
+# | arg: username - the username to retrieve info from
+# | arg: key - the key to retrieve
+# | ret: string - the key's value
+ynh_user_get_info() {
+    sudo yunohost user info "$1" --output-as plain | ynh_get_plain_key "$2"
+}
+
+# Get the list of YunoHost users
+#
+# example: for u in $(ynh_user_list); do ...
+#
+# usage: ynh_user_list
+# | ret: string - one username per line
+ynh_user_list() {
+    sudo yunohost user list --output-as plain --quiet \
+      | awk '/^##username$/{getline; print}'
+}
+
+# Check if a user exists on the system
+#
+# usage: ynh_system_user_exists username
+# | arg: username - the username to check
+ynh_system_user_exists() {
+    getent passwd "$1" &>/dev/null
+}
+
+# Create a system user
+#
+# usage: ynh_system_user_create user_name [home_dir]
+# | arg: user_name - Name of the system user that will be create
+# | arg: home_dir - Path of the home dir for the user. Usually the final path of the app. If this argument is omitted, the user will be created without home
+ynh_system_user_create () {
+	if ! ynh_system_user_exists "$1"	# Check if the user exists on the system
+	then	# If the user doesn't exist
+		if [ $# -ge 2 ]; then	# If a home dir is mentioned
+			local user_home_dir="-d $2"
+		else
+			local user_home_dir="--no-create-home"
+		fi
+		sudo useradd $user_home_dir --system --user-group $1 --shell /usr/sbin/nologin || ynh_die "Unable to create $1 system account"
+	fi
+}
+
+# Delete a system user
+#
+# usage: ynh_system_user_delete user_name
+# | arg: user_name - Name of the system user that will be create
+ynh_system_user_delete () {
+    if ynh_system_user_exists "$1"	# Check if the user exists on the system
+    then
+		echo "Remove the user $1" >&2
+		sudo userdel $1
+	else
+		echo "The user $1 was not found" >&2
+    fi
+}

data/helpers.d/utils

@@ -0,0 +1,259 @@
+# Extract a key from a plain command output
+#
+# example: yunohost user info tata --output-as plain | ynh_get_plain_key mail
+#
+# usage: ynh_get_plain_key key [subkey [subsubkey ...]]
+# | ret: string - the key's value
+ynh_get_plain_key() {
+    local prefix="#"
+    local founded=0
+    local key=$1
+    shift
+    while read line; do
+        if [[ "$founded" == "1" ]] ; then
+            [[ "$line" =~ ^${prefix}[^#] ]] && return
+            echo $line
+        elif [[ "$line" =~ ^${prefix}${key}$ ]]; then
+            if [[ -n "${1:-}" ]]; then
+                prefix+="#"
+                key=$1
+                shift
+            else
+                founded=1
+            fi
+        fi
+    done
+}
+
+# Restore a previous backup if the upgrade process failed
+#
+# usage:
+# ynh_backup_before_upgrade
+# ynh_clean_setup () {
+# 	ynh_restore_upgradebackup
+# }
+# ynh_abort_if_errors
+#
+ynh_restore_upgradebackup () {
+	echo "Upgrade failed." >&2
+	local app_bck=${app//_/-}	# Replace all '_' by '-'
+
+  	NO_BACKUP_UPGRADE=${NO_BACKUP_UPGRADE:-0}
+
+	if [ "$NO_BACKUP_UPGRADE" -eq 0 ]
+	then	
+		# Check if an existing backup can be found before removing and restoring the application.
+		if sudo yunohost backup list | grep -q $app_bck-pre-upgrade$backup_number
+		then
+			# Remove the application then restore it
+			sudo yunohost app remove $app
+			# Restore the backup
+			sudo yunohost backup restore $app_bck-pre-upgrade$backup_number --apps $app --force
+			ynh_die "The app was restored to the way it was before the failed upgrade."
+		fi
+	else
+      		echo "\$NO_BACKUP_UPGRADE is set, that means there's no backup to restore. You have to fix this upgrade by yourself !" >&2
+  	fi
+}
+
+# Make a backup in case of failed upgrade
+#
+# usage:
+# ynh_backup_before_upgrade
+# ynh_clean_setup () {
+# 	ynh_restore_upgradebackup
+# }
+# ynh_abort_if_errors
+#
+ynh_backup_before_upgrade () {
+	if [ ! -e "/etc/yunohost/apps/$app/scripts/backup" ]
+	then
+		echo "This app doesn't have any backup script." >&2
+		return
+	fi
+	backup_number=1
+	local old_backup_number=2
+	local app_bck=${app//_/-}	# Replace all '_' by '-'
+	NO_BACKUP_UPGRADE=${NO_BACKUP_UPGRADE:-0}
+
+        if [ "$NO_BACKUP_UPGRADE" -eq 0 ]
+        then
+		# Check if a backup already exists with the prefix 1
+		if sudo yunohost backup list | grep -q $app_bck-pre-upgrade1
+		then
+			# Prefix becomes 2 to preserve the previous backup
+			backup_number=2
+			old_backup_number=1
+		fi
+
+		# Create backup
+		sudo BACKUP_CORE_ONLY=1 yunohost backup create --apps $app --name $app_bck-pre-upgrade$backup_number
+		if [ "$?" -eq 0 ]
+		then
+			# If the backup succeeded, remove the previous backup
+			if sudo yunohost backup list | grep -q $app_bck-pre-upgrade$old_backup_number
+			then
+				# Remove the previous backup only if it exists
+				sudo yunohost backup delete $app_bck-pre-upgrade$old_backup_number > /dev/null
+			fi
+		else
+			ynh_die "Backup failed, the upgrade process was aborted."
+		fi
+        else
+                echo "\$NO_BACKUP_UPGRADE is set, backup will be avoided. Be careful, this upgrade is going to be operated without a security backup"
+        fi
+}
+
+# Download, check integrity, uncompress and patch the source from app.src
+#
+# The file conf/app.src need to contains:
+#
+# SOURCE_URL=Address to download the app archive
+# SOURCE_SUM=Control sum
+# # (Optional) Program to check the integrity (sha256sum, md5sum...)
+# # default: sha256
+# SOURCE_SUM_PRG=sha256
+# # (Optional) Archive format
+# # default: tar.gz
+# SOURCE_FORMAT=tar.gz
+# # (Optional) Put false if sources are directly in the archive root
+# # default: true
+# SOURCE_IN_SUBDIR=false
+# # (Optionnal) Name of the local archive (offline setup support)
+# # default: ${src_id}.${src_format}
+# SOURCE_FILENAME=example.tar.gz 
+# # (Optional) If it set as false don't extract the source.
+# # (Useful to get a debian package or a python wheel.)
+# # default: true
+# SOURCE_EXTRACT=(true|false)
+#
+# Details:
+# This helper downloads sources from SOURCE_URL if there is no local source
+# archive in /opt/yunohost-apps-src/APP_ID/SOURCE_FILENAME
+#
+# Next, it checks the integrity with "SOURCE_SUM_PRG -c --status" command.
+#
+# If it's ok, the source archive will be uncompressed in $dest_dir. If the
+# SOURCE_IN_SUBDIR is true, the first level directory of the archive will be
+# removed.
+#
+# Finally, patches named sources/patches/${src_id}-*.patch and extra files in
+# sources/extra_files/$src_id will be applied to dest_dir
+#
+#
+# usage: ynh_setup_source dest_dir [source_id]
+# | arg: dest_dir  - Directory where to setup sources
+# | arg: source_id - Name of the app, if the package contains more than one app
+ynh_setup_source () {
+    local dest_dir=$1
+    local src_id=${2:-app} # If the argument is not given, source_id equals "app"
+
+    # Load value from configuration file (see above for a small doc about this file
+    # format)
+    local src_url=$(grep 'SOURCE_URL=' "$YNH_CWD/../conf/${src_id}.src" | cut -d= -f2-)
+    local src_sum=$(grep 'SOURCE_SUM=' "$YNH_CWD/../conf/${src_id}.src" | cut -d= -f2-)
+    local src_sumprg=$(grep 'SOURCE_SUM_PRG=' "$YNH_CWD/../conf/${src_id}.src" | cut -d= -f2-)
+    local src_format=$(grep 'SOURCE_FORMAT=' "$YNH_CWD/../conf/${src_id}.src" | cut -d= -f2-)
+    local src_extract=$(grep 'SOURCE_EXTRACT=' "$YNH_CWD/../conf/${src_id}.src" | cut -d= -f2-)
+    local src_in_subdir=$(grep 'SOURCE_IN_SUBDIR=' "$YNH_CWD/../conf/${src_id}.src" | cut -d= -f2-)
+    local src_filename=$(grep 'SOURCE_FILENAME=' "$YNH_CWD/../conf/${src_id}.src" | cut -d= -f2-)
+
+    # Default value
+    src_sumprg=${src_sumprg:-sha256sum}
+    src_in_subdir=${src_in_subdir:-true}
+    src_format=${src_format:-tar.gz}
+    src_format=$(echo "$src_format" | tr '[:upper:]' '[:lower:]')
+    src_extract=${src_extract:-true}
+    if [ "$src_filename" = "" ] ; then
+        src_filename="${src_id}.${src_format}"
+    fi
+    local local_src="/opt/yunohost-apps-src/${YNH_APP_ID}/${src_filename}"
+
+    if test -e "$local_src"
+    then    # Use the local source file if it is present
+        cp $local_src $src_filename
+    else    # If not, download the source
+        wget -nv -O $src_filename $src_url
+    fi
+
+    # Check the control sum
+    echo "${src_sum} ${src_filename}" | ${src_sumprg} -c --status \
+        || ynh_die "Corrupt source"
+
+    # Extract source into the app dir
+    mkdir -p "$dest_dir"
+    
+    if ! "$src_extract"
+    then
+        mv $src_filename $dest_dir
+    elif [ "$src_format" = "zip" ]
+    then 
+        # Zip format
+        # Using of a temp directory, because unzip doesn't manage --strip-components
+        if $src_in_subdir ; then
+            local tmp_dir=$(mktemp -d)
+            unzip -quo $src_filename -d "$tmp_dir"
+            cp -a $tmp_dir/*/. "$dest_dir"
+            ynh_secure_remove "$tmp_dir"
+        else
+            unzip -quo $src_filename -d "$dest_dir"
+        fi
+    else
+        local strip=""
+        if $src_in_subdir ; then
+            strip="--strip-components 1"
+        fi
+        if [[ "$src_format" =~ ^tar.gz|tar.bz2|tar.xz$ ]] ; then
+            tar -xf $src_filename -C "$dest_dir" $strip
+        else
+            ynh_die "Archive format unrecognized."
+        fi
+    fi
+
+    # Apply patches
+    if (( $(find $YNH_CWD/../sources/patches/ -type f -name "${src_id}-*.patch" 2> /dev/null | wc -l) > "0" )); then
+        local old_dir=$(pwd)
+        (cd "$dest_dir" \
+            && for p in $YNH_CWD/../sources/patches/${src_id}-*.patch; do \
+                patch -p1 < $p; done) \
+            || ynh_die "Unable to apply patches"
+        cd $old_dir
+    fi
+
+    # Add supplementary files
+    if test -e "$YNH_CWD/../sources/extra_files/${src_id}"; then
+        cp -a $YNH_CWD/../sources/extra_files/$src_id/. "$dest_dir"
+    fi
+}
+
+# Curl abstraction to help with POST requests to local pages (such as installation forms)
+#
+# $domain and $path_url should be defined externally (and correspond to the domain.tld and the /path (of the app?))
+#
+# example: ynh_local_curl "/install.php?installButton" "foo=$var1" "bar=$var2"
+# 
+# usage: ynh_local_curl "page_uri" "key1=value1" "key2=value2" ...
+# | arg: page_uri    - Path (relative to $path_url) of the page where POST data will be sent
+# | arg: key1=value1 - (Optionnal) POST key and corresponding value
+# | arg: key2=value2 - (Optionnal) Another POST key and corresponding value
+# | arg: ...         - (Optionnal) More POST keys and values
+ynh_local_curl () {
+	# Define url of page to curl
+	local full_page_url=https://localhost$path_url$1
+
+	# Concatenate all other arguments with '&' to prepare POST data
+	local POST_data=""
+	local arg=""
+	for arg in "${@:2}"
+	do
+		POST_data="${POST_data}${arg}&"
+	done
+	if [ -n "$POST_data" ]
+	then
+		# Add --data arg and remove the last character, which is an unecessary '&'
+		POST_data="--data ${POST_data::-1}"
+	fi
+
+	# Curl the URL
+	curl --silent --show-error -kL -H "Host: $domain" --resolve $domain:443:127.0.0.1 $POST_data "$full_page_url"
+}

data/hooks/backup/05-conf_ldap

@@ -0,0 +1,17 @@
+#!/bin/bash
+
+# Exit hook on subcommand error or unset variable
+set -eu
+
+# Source YNH helpers
+source /usr/share/yunohost/helpers.d/filesystem
+
+# Backup destination
+backup_dir="${1}/conf/ldap"
+
+# Backup the configuration
+ynh_backup "/etc/ldap/slapd.conf" "${backup_dir}/slapd.conf"
+sudo slapcat -b cn=config -l "${backup_dir}/cn=config.master.ldif"
+
+# Backup the database
+sudo slapcat -b dc=yunohost,dc=org -l "${backup_dir}/dc=yunohost-dc=org.ldif"

data/hooks/backup/08-conf_ssh

@@ -0,0 +1,17 @@
+#!/bin/bash
+
+# Exit hook on subcommand error or unset variable
+set -eu
+
+# Source YNH helpers
+source /usr/share/yunohost/helpers.d/filesystem
+
+# Backup destination
+backup_dir="${1}/conf/ssh"
+
+# Backup the configuration
+if [ -d /etc/ssh/ ]; then
+    ynh_backup "/etc/ssh" "$backup_dir"
+else
+    echo "SSH is not installed"
+fi

data/hooks/backup/11-conf_ynh_mysql

@@ -0,0 +1,13 @@
+#!/bin/bash
+
+# Exit hook on subcommand error or unset variable
+set -eu
+
+# Source YNH helpers
+source /usr/share/yunohost/helpers.d/filesystem
+
+# Backup destination
+backup_dir="${1}/conf/ynh/mysql"
+
+# Save MySQL root password
+ynh_backup "/etc/yunohost/mysql" "${backup_dir}/root_pwd"

data/hooks/backup/14-conf_ssowat

@@ -0,0 +1,13 @@
+#!/bin/bash
+
+# Exit hook on subcommand error or unset variable
+set -eu
+
+# Source YNH helpers
+source /usr/share/yunohost/helpers.d/filesystem
+
+# Backup destination
+backup_dir="${1}/conf/ssowat"
+
+# Backup the configuration
+ynh_backup "/etc/ssowat" "$backup_dir"

data/hooks/backup/17-data_home

@@ -0,0 +1,17 @@
+#!/bin/bash
+
+# Exit hook on subcommand error or unset variable
+set -eu
+
+# Source YNH helpers
+source /usr/share/yunohost/helpers.d/filesystem
+
+# Backup destination
+backup_dir="${1}/data/home"
+
+# Backup user home
+for f in $(find /home/* -type d -prune | awk -F/ '{print $NF}'); do
+    if [[ ! "$f" =~ ^yunohost|lost\+found ]]; then
+        ynh_backup "/home/$f" "${backup_dir}/$f" 1
+    fi
+done

data/hooks/backup/20-conf_ynh_firewall

@@ -0,0 +1,13 @@
+#!/bin/bash
+
+# Exit hook on subcommand error or unset variable
+set -eu
+
+# Source YNH helpers
+source /usr/share/yunohost/helpers.d/filesystem
+
+# Backup destination
+backup_dir="${1}/conf/ynh/firewall"
+
+# Backup the configuration
+ynh_backup "/etc/yunohost/firewall.yml" "${backup_dir}/firewall.yml"

data/hooks/backup/21-conf_ynh_certs

@@ -0,0 +1,13 @@
+#!/bin/bash
+
+# Exit hook on subcommand error or unset variable
+set -eu
+
+# Source YNH helpers
+source /usr/share/yunohost/helpers.d/filesystem
+
+# Backup destination
+backup_dir="${1}/conf/ynh/certs"
+
+# Backup certificates
+ynh_backup "/etc/yunohost/certs" "$backup_dir"

data/hooks/backup/23-data_mail

@@ -0,0 +1,13 @@
+#!/bin/bash
+
+# Exit hook on subcommand error or unset variable
+set -eu
+
+# Source YNH helpers
+source /usr/share/yunohost/helpers.d/filesystem
+
+# Backup destination
+backup_dir="${1}/data/mail"
+
+# Backup mails
+ynh_backup /var/mail "$backup_dir" 1

data/hooks/backup/26-conf_xmpp

@@ -0,0 +1,14 @@
+#!/bin/bash
+
+# Exit hook on subcommand error or unset variable
+set -eu
+
+# Source YNH helpers
+source /usr/share/yunohost/helpers.d/filesystem
+
+# Backup destination
+backup_dir="${1}/conf/xmpp"
+
+# Backup the configuration
+ynh_backup /etc/metronome "${backup_dir}/etc"
+ynh_backup /var/lib/metronome "${backup_dir}/var"

data/hooks/backup/29-conf_nginx

@@ -0,0 +1,13 @@
+#!/bin/bash
+
+# Exit hook on subcommand error or unset variable
+set -eu
+
+# Source YNH helpers
+source /usr/share/yunohost/helpers.d/filesystem
+
+# Backup destination
+backup_dir="${1}/conf/nginx"
+
+# Backup the configuration
+ynh_backup "/etc/nginx/conf.d" "$backup_dir"

data/hooks/backup/32-conf_cron

@@ -0,0 +1,15 @@
+#!/bin/bash
+
+# Exit hook on subcommand error or unset variable
+set -eu
+
+# Source YNH helpers
+source /usr/share/yunohost/helpers.d/filesystem
+
+# Backup destination
+backup_dir="${1}/conf/cron"
+
+# Backup the configuration
+for f in $(ls -1B /etc/cron.d/yunohost*); do
+  ynh_backup "$f" "${backup_dir}/${f##*/}"
+done

data/hooks/backup/40-conf_ynh_currenthost

@@ -0,0 +1,13 @@
+#!/bin/bash
+
+# Exit hook on subcommand error or unset variable
+set -eu
+
+# Source YNH helpers
+source /usr/share/yunohost/helpers.d/filesystem
+
+# Backup destination
+backup_dir="${1}/conf/ynh"
+
+# Backup the configuration
+ynh_backup "/etc/yunohost/current_host" "${backup_dir}/current_host"

data/hooks/conf_regen/01-yunohost

@@ -0,0 +1,132 @@
+#!/bin/bash
+
+set -e
+
+services_path="/etc/yunohost/services.yml"
+
+do_init_regen() {
+  if [[ $EUID -ne 0 ]]; then
+    echo "You must be root to run this script" 1>&2
+    exit 1
+  fi
+
+  cd /usr/share/yunohost/templates/yunohost
+
+  [[ -d /etc/yunohost ]] || mkdir -p /etc/yunohost
+
+  # set default current_host
+  [[ -f /etc/yunohost/current_host ]] \
+    || echo "yunohost.org" > /etc/yunohost/current_host
+
+  # copy default services and firewall
+  [[ -f $services_path ]] \
+    || cp services.yml "$services_path"
+  [[ -f /etc/yunohost/firewall.yml ]] \
+    || cp firewall.yml /etc/yunohost/firewall.yml
+
+  # allow users to access /media directory
+  [[ -d /etc/skel/media ]] \
+    || (mkdir -p /media && ln -s /media /etc/skel/media)
+}
+
+do_pre_regen() {
+  pending_dir=$1
+
+  cd /usr/share/yunohost/templates/yunohost
+
+  # update services.yml
+  if [[ -f $services_path ]]; then
+      tmp_services_path="${services_path}-tmp"
+      new_services_path="${services_path}-new"
+      sudo cp "$services_path" "$tmp_services_path"
+      _update_services "$new_services_path" || {
+        sudo mv "$tmp_services_path" "$services_path"
+        exit 1
+      }
+      if [[ -f $new_services_path ]]; then
+          # replace services.yml with new one
+          sudo mv "$new_services_path" "$services_path"
+          sudo mv "$tmp_services_path" "${services_path}-old"
+      else
+          sudo rm -f "$tmp_services_path"
+      fi
+  else
+      sudo cp services.yml /etc/yunohost/services.yml
+  fi
+
+  mkdir -p "$pending_dir"/etc/etckeeper/
+  cp etckeeper.conf "$pending_dir"/etc/etckeeper/
+}
+
+_update_services() {
+  sudo python2 - << EOF
+import yaml
+
+
+with open('services.yml') as f:
+    new_services = yaml.load(f)
+
+with open('/etc/yunohost/services.yml') as f:
+    services = yaml.load(f)
+
+updated = False
+
+
+for service, conf in new_services.items():
+    # remove service with empty conf
+    if conf is None:
+        if service in services:
+            print("removing '{0}' from services".format(service))
+            del services[service]
+            updated = True
+
+    # add new service
+    elif not services.get(service, None):
+        print("adding '{0}' to services".format(service))
+        services[service] = conf
+        updated = True
+
+    # update service conf
+    else:
+        conffiles = services[service].pop('conffiles', {})
+
+        # status need to be removed
+        if "status" not in conf and "status" in services[service]:
+            print("update '{0}' service status access".format(service))
+            del services[service]["status"]
+            updated = True
+
+        if services[service] != conf:
+            print("update '{0}' service".format(service))
+            services[service].update(conf)
+            updated = True
+
+        if conffiles:
+            services[service]['conffiles'] = conffiles
+
+
+if updated:
+    with open('/etc/yunohost/services.yml-new', 'w') as f:
+        yaml.safe_dump(services, f, default_flow_style=False)
+EOF
+}
+
+FORCE=${2:-0}
+DRY_RUN=${3:-0}
+
+case "$1" in
+  pre)
+    do_pre_regen $4
+    ;;
+  post)
+    ;;
+  init)
+    do_init_regen
+    ;;
+  *)
+    echo "hook called with unknown argument \`$1'" >&2
+    exit 1
+    ;;
+esac
+
+exit 0

data/hooks/conf_regen/02-ssl

@@ -0,0 +1,118 @@
+#!/bin/bash
+
+set -e
+
+ssl_dir="/usr/share/yunohost/yunohost-config/ssl/yunoCA"
+
+do_init_regen() {
+  if [[ $EUID -ne 0 ]]; then
+    echo "You must be root to run this script" 1>&2
+    exit 1
+  fi
+
+  LOGFILE="/tmp/yunohost-ssl-init"
+
+  echo "Initializing a local SSL certification authority ..."
+  echo "(logs available in $LOGFILE)"
+
+  rm -f $LOGFILE
+  touch $LOGFILE
+
+  # create certs and SSL directories
+  mkdir -p "/etc/yunohost/certs/yunohost.org"
+  mkdir -p "${ssl_dir}/"{ca,certs,crl,newcerts}
+
+  # initialize some files
+  [[ -f "${ssl_dir}/serial" ]] \
+    || echo "00" > "${ssl_dir}/serial"
+  [[ -f "${ssl_dir}/index.txt" ]] \
+    || touch "${ssl_dir}/index.txt"
+
+  openssl_conf="/usr/share/yunohost/templates/ssl/openssl.cnf"
+
+  # create default certificates
+  if [[ ! -f /etc/yunohost/certs/yunohost.org/ca.pem ]]; then
+      echo -e "\n# Creating the CA key (?)\n" >>$LOGFILE
+      openssl req -x509 -new -config "$openssl_conf" \
+        -days 3650 -out "${ssl_dir}/ca/cacert.pem" \
+        -keyout "${ssl_dir}/ca/cakey.pem" -nodes -batch >>$LOGFILE 2>&1
+      cp "${ssl_dir}/ca/cacert.pem" \
+        /etc/yunohost/certs/yunohost.org/ca.pem
+      ln -sf /etc/yunohost/certs/yunohost.org/ca.pem \
+        /etc/ssl/certs/ca-yunohost_crt.pem
+      update-ca-certificates
+  fi
+
+  if [[ ! -f /etc/yunohost/certs/yunohost.org/crt.pem ]]; then
+      echo -e "\n# Creating initial key and certificate (?)\n" >>$LOGFILE
+      openssl req -new -config "$openssl_conf" \
+        -days 730 -out "${ssl_dir}/certs/yunohost_csr.pem" \
+        -keyout "${ssl_dir}/certs/yunohost_key.pem" -nodes -batch >>$LOGFILE 2>&1
+      openssl ca -config "$openssl_conf" \
+        -days 730 -in "${ssl_dir}/certs/yunohost_csr.pem" \
+        -out "${ssl_dir}/certs/yunohost_crt.pem" -batch >>$LOGFILE 2>&1
+
+      last_cert=$(ls $ssl_dir/newcerts/*.pem | sort -V | tail -n 1)
+      chmod 640 "${ssl_dir}/certs/yunohost_key.pem"
+      chmod 640 "$last_cert"
+
+      cp "${ssl_dir}/certs/yunohost_key.pem" \
+        /etc/yunohost/certs/yunohost.org/key.pem
+      cp "$last_cert" \
+        /etc/yunohost/certs/yunohost.org/crt.pem
+      ln -sf /etc/yunohost/certs/yunohost.org/crt.pem \
+        /etc/ssl/certs/yunohost_crt.pem
+      ln -sf /etc/yunohost/certs/yunohost.org/key.pem \
+        /etc/ssl/private/yunohost_key.pem
+  fi
+}
+
+do_pre_regen() {
+  pending_dir=$1
+
+  cd /usr/share/yunohost/templates/ssl
+
+  install -D -m 644 openssl.cnf "${pending_dir}/${ssl_dir}/openssl.cnf"
+}
+
+do_post_regen() {
+  regen_conf_files=$1
+
+  # Ensure that index.txt exists
+  index_txt=/usr/share/yunohost/yunohost-config/ssl/yunoCA/index.txt
+  [[ -f "${index_txt}" ]] || {
+    if [[ -f "${index_txt}.saved" ]]; then
+      # use saved database from 2.2
+      sudo cp "${index_txt}.saved" "${index_txt}"
+    elif [[ -f "${index_txt}.old" ]]; then
+      # ... or use the state-1 database
+      sudo cp "${index_txt}.old" "${index_txt}"
+    else
+      # ... or create an empty one
+      sudo touch "${index_txt}"
+    fi
+  }
+
+  # TODO: regenerate certificates if conf changed?
+}
+
+FORCE=${2:-0}
+DRY_RUN=${3:-0}
+
+case "$1" in
+  pre)
+    do_pre_regen $4
+    ;;
+  post)
+    do_post_regen $4
+    ;;
+  init)
+    do_init_regen
+    ;;
+  *)
+    echo "hook called with unknown argument \`$1'" >&2
+    exit 1
+    ;;
+esac
+
+exit 0

data/hooks/conf_regen/03-ssh

@@ -0,0 +1,45 @@
+#!/bin/bash
+
+set -e
+
+do_pre_regen() {
+  pending_dir=$1
+
+  cd /usr/share/yunohost/templates/ssh
+
+  # only overwrite SSH configuration on an ISO installation
+  if [[ ! -f /etc/yunohost/from_script ]]; then
+      # do not listen to IPv6 if unavailable
+      [[ -f /proc/net/if_inet6 ]] \
+        || sed -i "s/ListenAddress ::/#ListenAddress ::/g" sshd_config
+
+      install -D -m 644 sshd_config "${pending_dir}/etc/ssh/sshd_config"
+  fi
+}
+
+do_post_regen() {
+  regen_conf_files=$1
+
+  if [[ ! -f /etc/yunohost/from_script ]]; then
+    [[ -z "$regen_conf_files" ]] \
+      || sudo service ssh restart
+  fi
+}
+
+FORCE=${2:-0}
+DRY_RUN=${3:-0}
+
+case "$1" in
+  pre)
+    do_pre_regen $4
+    ;;
+  post)
+    do_post_regen $4
+    ;;
+  *)
+    echo "hook called with unknown argument \`$1'" >&2
+    exit 1
+    ;;
+esac
+
+exit 0

data/hooks/conf_regen/06-slapd

@@ -0,0 +1,143 @@
+#!/bin/bash
+
+set -e
+
+tmp_backup_dir_file="/tmp/slapd-backup-dir.txt"
+
+do_init_regen() {
+  if [[ $EUID -ne 0 ]]; then
+      echo "You must be root to run this script" 1>&2
+      exit 1
+  fi
+
+  do_pre_regen ""
+
+  # fix some permissions
+  chown root:openldap /etc/ldap/slapd.conf
+  chown -R openldap:openldap /etc/ldap/schema/
+
+  # check the slapd config file at first
+  slaptest -Q -u -f /etc/ldap/slapd.conf
+
+  # regenerate LDAP config directory from slapd.conf
+  rm -Rf /etc/ldap/slapd.d
+  mkdir /etc/ldap/slapd.d
+  slaptest -f /etc/ldap/slapd.conf -F /etc/ldap/slapd.d/ 2>&1
+  chown -R openldap:openldap /etc/ldap/slapd.d/
+
+  service slapd restart
+}
+
+do_pre_regen() {
+  pending_dir=$1
+
+  cd /usr/share/yunohost/templates/slapd
+
+  # create needed directories
+  ldap_dir="${pending_dir}/etc/ldap"
+  schema_dir="${ldap_dir}/schema"
+  mkdir -p "$ldap_dir" "$schema_dir"
+
+  # remove legacy configuration file
+  [ ! -f /etc/ldap/slapd-yuno.conf ] \
+    || touch "${pending_dir}/etc/ldap/slapd-yuno.conf"
+
+  # remove temporary backup file
+  sudo rm -f "$tmp_backup_dir_file"
+
+  # retrieve current and new backends
+  curr_backend=$(grep '^database' /etc/ldap/slapd.conf 2>/dev/null | awk '{print $2}')
+  new_backend=$(grep '^database' slapd.conf | awk '{print $2}')
+
+  # save current database before any conf changes
+  if [[ -n "$curr_backend" && "$curr_backend" != "$new_backend" ]]; then
+    backup_dir="/var/backups/dc=yunohost,dc=org-${curr_backend}-$(date +%s)"
+    sudo mkdir -p "$backup_dir"
+    sudo slapcat -b dc=yunohost,dc=org \
+      -l "${backup_dir}/dc=yunohost-dc=org.ldif"
+    echo "$backup_dir" > "$tmp_backup_dir_file"
+  fi
+
+  # copy configuration files
+  cp -a ldap.conf slapd.conf "$ldap_dir"
+  cp -a sudo.schema mailserver.schema "$schema_dir"
+
+  install -D -m 644 slapd.default "${pending_dir}/etc/default/slapd"
+}
+
+do_post_regen() {
+  regen_conf_files=$1
+
+  # ensure that slapd.d exists
+  sudo mkdir -p /etc/ldap/slapd.d
+
+  # fix some permissions
+  sudo chown root:openldap /etc/ldap/slapd.conf
+  sudo chown -R openldap:openldap /etc/ldap/schema/
+  sudo chown -R openldap:openldap /etc/ldap/slapd.d/
+
+  [ -z "$regen_conf_files" ] && exit 0
+
+  # check the slapd config file at first
+  sudo slaptest -Q -u -f /etc/ldap/slapd.conf
+
+  # check if a backup should be restored
+  backup_dir=$(cat "$tmp_backup_dir_file" 2>/dev/null || true)
+  if [[ -n "$backup_dir" && -f "${backup_dir}/dc=yunohost-dc=org.ldif" ]]; then
+      # regenerate LDAP config directory and import database as root
+      # since the admin user may be unavailable
+      sudo sh -c "rm -Rf /etc/ldap/slapd.d;
+  mkdir /etc/ldap/slapd.d;
+  slaptest -f /etc/ldap/slapd.conf -F /etc/ldap/slapd.d;
+  chown -R openldap:openldap /etc/ldap/slapd.d;
+  slapadd -F /etc/ldap/slapd.d -b dc=yunohost,dc=org \
+    -l '${backup_dir}/dc=yunohost-dc=org.ldif';
+  chown -R openldap:openldap /var/lib/ldap" 2>&1
+  else
+      # regenerate LDAP config directory from slapd.conf
+      sudo rm -Rf /etc/ldap/slapd.d
+      sudo mkdir /etc/ldap/slapd.d
+      sudo slaptest -f /etc/ldap/slapd.conf -F /etc/ldap/slapd.d/ 2>&1
+      sudo chown -R openldap:openldap /etc/ldap/slapd.d/
+  fi
+
+  sudo service slapd force-reload
+
+  # on slow hardware/vm this regen conf would exit before the admin user that
+  # is stored in ldap is available because ldap seems to slow to restart
+  # so we'll wait either until we are able to log as admin or until a timeout
+  # is reached
+  # we need to do this because the next hooks executed after this one during
+  # postinstall requires to run as admin thus breaking postinstall on slow
+  # hardware which mean yunohost can't be correctly installed on those hardware
+  # and this sucks
+  # wait a maximum time of 5 minutes
+  # yes, force-reload behave like a restart
+  number_of_wait=0
+  while ! sudo su admin -c '' && ((number_of_wait < 60))
+  do
+      sleep 5
+      ((number_of_wait += 1))
+  done
+}
+
+FORCE=${2:-0}
+DRY_RUN=${3:-0}
+
+case "$1" in
+  pre)
+    do_pre_regen $4
+    ;;
+  post)
+    do_post_regen $4
+    ;;
+  init)
+    do_init_regen
+    ;;
+  *)
+    echo "hook called with unknown argument \`$1'" >&2
+    exit 1
+    ;;
+esac
+
+exit 0

data/hooks/conf_regen/09-nslcd

@@ -0,0 +1,36 @@
+#!/bin/bash
+
+set -e
+
+do_pre_regen() {
+  pending_dir=$1
+
+  cd /usr/share/yunohost/templates/nslcd
+
+  install -D -m 644 nslcd.conf "${pending_dir}/etc/nslcd.conf"
+}
+
+do_post_regen() {
+  regen_conf_files=$1
+
+  [[ -z "$regen_conf_files" ]] \
+    || sudo service nslcd restart
+}
+
+FORCE=${2:-0}
+DRY_RUN=${3:-0}
+
+case "$1" in
+  pre)
+    do_pre_regen $4
+    ;;
+  post)
+    do_post_regen $4
+    ;;
+  *)
+    echo "hook called with unknown argument \`$1'" >&2
+    exit 1
+    ;;
+esac
+
+exit 0

data/hooks/conf_regen/12-metronome

@@ -0,0 +1,76 @@
+#!/bin/bash
+
+set -e
+
+do_pre_regen() {
+  pending_dir=$1
+
+  cd /usr/share/yunohost/templates/metronome
+
+  # create directories for pending conf
+  metronome_dir="${pending_dir}/etc/metronome"
+  metronome_conf_dir="${metronome_dir}/conf.d"
+  mkdir -p "$metronome_conf_dir"
+
+  # retrieve variables
+  main_domain=$(cat /etc/yunohost/current_host)
+  domain_list=$(sudo yunohost domain list --output-as plain --quiet)
+
+  # install main conf file
+  cat metronome.cfg.lua \
+    | sed "s/{{ main_domain }}/${main_domain}/g" \
+    > "${metronome_dir}/metronome.cfg.lua"
+
+  # add domain conf files
+  for domain in $domain_list; do
+    cat domain.tpl.cfg.lua \
+      | sed "s/{{ domain }}/${domain}/g" \
+      > "${metronome_conf_dir}/${domain}.cfg.lua"
+  done
+
+  # remove old domain conf files
+  conf_files=$(ls -1 /etc/metronome/conf.d \
+                 | awk '/^[^\.]+\.[^\.]+.*\.cfg\.lua$/ { print $1 }')
+  for file in $conf_files; do
+    domain=${file%.cfg.lua}
+    [[ $domain_list =~ $domain ]] \
+      || touch "${metronome_conf_dir}/${file}"
+  done
+}
+
+do_post_regen() {
+  regen_conf_files=$1
+
+  # fix some permissions
+  sudo chown -R metronome: /var/lib/metronome/
+  sudo chown -R metronome: /etc/metronome/conf.d/
+
+  # retrieve variables
+  domain_list=$(sudo yunohost domain list --output-as plain --quiet)
+
+  # create metronome directories for domains
+  for domain in $domain_list; do
+    sudo mkdir -p "/var/lib/metronome/${domain//./%2e}/pep"
+  done
+
+  [[ -z "$regen_conf_files" ]] \
+    || sudo service metronome restart
+}
+
+FORCE=${2:-0}
+DRY_RUN=${3:-0}
+
+case "$1" in
+  pre)
+    do_pre_regen $4
+    ;;
+  post)
+    do_post_regen $4
+    ;;
+  *)
+    echo "hook called with unknown argument \`$1'" >&2
+    exit 1
+    ;;
+esac
+
+exit 0

data/hooks/conf_regen/15-nginx

@@ -0,0 +1,102 @@
+#!/bin/bash
+
+set -e
+
+do_init_regen() {
+  if [[ $EUID -ne 0 ]]; then
+    echo "You must be root to run this script" 1>&2
+    exit 1
+  fi
+
+  do_pre_regen ""
+}
+
+do_pre_regen() {
+  pending_dir=$1
+
+  cd /usr/share/yunohost/templates/nginx
+
+  nginx_dir="${pending_dir}/etc/nginx"
+  nginx_conf_dir="${nginx_dir}/conf.d"
+  mkdir -p "$nginx_conf_dir"
+
+  # install plain conf files
+  cp plain/* "$nginx_conf_dir"
+
+  # probably run with init: just disable default site, restart NGINX and exit
+  if [[ -z "$pending_dir" ]]; then
+    rm -f "${nginx_dir}/sites-enabled/default"
+    service nginx restart
+    exit 0
+  fi
+
+  # retrieve variables
+  main_domain=$(cat /etc/yunohost/current_host)
+  domain_list=$(sudo yunohost domain list --output-as plain --quiet)
+
+  # add domain conf files
+  for domain in $domain_list; do
+    domain_conf_dir="${nginx_conf_dir}/${domain}.d"
+    mkdir -p "$domain_conf_dir"
+
+    # NGINX server configuration
+    cat server.tpl.conf \
+      | sed "s/{{ domain }}/${domain}/g" \
+      > "${nginx_conf_dir}/${domain}.conf"
+
+    [[ $main_domain != $domain ]] \
+      && touch "${domain_conf_dir}/yunohost_local.conf" \
+      || cp yunohost_local.conf "${domain_conf_dir}/yunohost_local.conf"
+  done
+
+  # remove old domain conf files
+  conf_files=$(ls -1 /etc/nginx/conf.d \
+                 | awk '/^[^\.]+\.[^\.]+.*\.conf$/ { print $1 }')
+  for file in $conf_files; do
+    domain=${file%.conf}
+    [[ $domain_list =~ $domain ]] \
+      || touch "${nginx_conf_dir}/${file}"
+  done
+
+  # disable default site
+  mkdir -p "${nginx_dir}/sites-enabled"
+  touch "${nginx_dir}/sites-enabled/default"
+}
+
+do_post_regen() {
+  regen_conf_files=$1
+
+  [ -z "$regen_conf_files" ] && exit 0
+
+  # retrieve variables
+  domain_list=$(sudo yunohost domain list --output-as plain --quiet)
+
+  # create NGINX conf directories for domains
+  for domain in $domain_list; do
+    sudo mkdir -p "/etc/nginx/conf.d/${domain}.d"
+  done
+
+  # Reload nginx configuration
+  sudo service nginx reload
+}
+
+FORCE=${2:-0}
+DRY_RUN=${3:-0}
+
+case "$1" in
+  pre)
+    do_pre_regen $4
+    ;;
+  post)
+    do_post_regen $4
+    ;;
+  init)
+    do_init_regen
+    ;;
+  *)
+    echo "hook called with unknown argument \`$1'" >&2
+    exit 1
+    ;;
+esac
+
+exit 0

data/hooks/conf_regen/19-postfix

@@ -0,0 +1,56 @@
+#!/bin/bash
+
+set -e
+
+do_pre_regen() {
+  pending_dir=$1
+
+  cd /usr/share/yunohost/templates/postfix
+
+  postfix_dir="${pending_dir}/etc/postfix"
+  mkdir -p "$postfix_dir"
+
+  # install plain conf files
+  cp plain/* "$postfix_dir"
+
+  # prepare main.cf conf file
+  main_domain=$(cat /etc/yunohost/current_host)
+  cat main.cf \
+    | sed "s/{{ main_domain }}/${main_domain}/g" \
+    > "${postfix_dir}/main.cf"
+
+  # adapt it for IPv4-only hosts
+  if [ ! -f /proc/net/if_inet6 ]; then
+    sed -i \
+      's/ \[::ffff:127.0.0.0\]\/104 \[::1\]\/128//g' \
+      "${postfix_dir}/main.cf"
+    sed -i \
+      's/inet_interfaces = all/&\ninet_protocols = ipv4/' \
+      "${postfix_dir}/main.cf"
+  fi
+}
+
+do_post_regen() {
+  regen_conf_files=$1
+
+  [[ -z "$regen_conf_files" ]] \
+    || sudo service postfix restart
+}
+
+FORCE=${2:-0}
+DRY_RUN=${3:-0}
+
+case "$1" in
+  pre)
+    do_pre_regen $4
+    ;;
+  post)
+    do_post_regen $4
+    ;;
+  *)
+    echo "hook called with unknown argument \`$1'" >&2
+    exit 1
+    ;;
+esac
+
+exit 0

data/hooks/conf_regen/25-dovecot

@@ -0,0 +1,78 @@
+#!/bin/bash
+
+set -e
+
+do_pre_regen() {
+  pending_dir=$1
+
+  cd /usr/share/yunohost/templates/dovecot
+
+  dovecot_dir="${pending_dir}/etc/dovecot"
+  mkdir -p "${dovecot_dir}/global_script"
+
+  # copy simple conf files
+  cp dovecot-ldap.conf "${dovecot_dir}/dovecot-ldap.conf"
+  cp dovecot.sieve "${dovecot_dir}/global_script/dovecot.sieve"
+
+  # prepare dovecot.conf conf file
+  main_domain=$(cat /etc/yunohost/current_host)
+  cat dovecot.conf \
+    | sed "s/{{ main_domain }}/${main_domain}/g" \
+    > "${dovecot_dir}/dovecot.conf"
+
+  # adapt it for IPv4-only hosts
+  if [ ! -f /proc/net/if_inet6 ]; then
+    sed -i \
+      's/^\(listen =\).*/\1 */' \
+      "${dovecot_dir}/dovecot.conf"
+  fi
+
+  mkdir -p "${dovecot_dir}/yunohost.d"
+  cp pre-ext.conf "${dovecot_dir}/yunohost.d"
+  cp post-ext.conf "${dovecot_dir}/yunohost.d"
+}
+
+do_post_regen() {
+  regen_conf_files=$1
+
+  sudo mkdir -p "/etc/dovecot/yunohost.d/pre-ext.d"
+  sudo mkdir -p "/etc/dovecot/yunohost.d/post-ext.d"
+
+  # create vmail user
+  id vmail > /dev/null 2>&1 \
+    || sudo adduser --system --ingroup mail --uid 500 vmail
+
+  # fix permissions
+  sudo chown -R vmail:mail /etc/dovecot/global_script
+  sudo chmod 770 /etc/dovecot/global_script
+  sudo chown root:mail /var/mail
+  sudo chmod 1775 /var/mail
+
+  [ -z "$regen_conf_files" ] && exit 0
+
+  # compile sieve script
+  [[ "$regen_conf_files" =~ dovecot\.sieve ]] && {
+    sudo sievec /etc/dovecot/global_script/dovecot.sieve
+    sudo chown -R vmail:mail /etc/dovecot/global_script
+  }
+
+  sudo service dovecot restart
+}
+
+FORCE=${2:-0}
+DRY_RUN=${3:-0}
+
+case "$1" in
+  pre)
+    do_pre_regen $4
+    ;;
+  post)
+    do_post_regen $4
+    ;;
+  *)
+    echo "hook called with unknown argument \`$1'" >&2
+    exit 1
+    ;;
+esac
+
+exit 0

data/hooks/conf_regen/31-rspamd

@@ -0,0 +1,79 @@
+#!/bin/bash
+
+set -e
+
+do_pre_regen() {
+  pending_dir=$1
+
+  cd /usr/share/yunohost/templates/rspamd
+
+  install -D -m 644 metrics.local.conf \
+      "${pending_dir}/etc/rspamd/local.d/metrics.conf"
+  install -D -m 644 dkim_signing.conf \
+      "${pending_dir}/etc/rspamd/local.d/dkim_signing.conf"
+  install -D -m 644 rspamd.sieve \
+      "${pending_dir}/etc/dovecot/global_script/rspamd.sieve"
+}
+
+do_post_regen() {
+
+  ##
+  ## DKIM key generation
+  ##
+
+  # create DKIM directory with proper permission
+  sudo mkdir -p /etc/dkim
+  sudo chown _rspamd /etc/dkim
+
+  # retrieve domain list
+  domain_list=$(sudo yunohost domain list --output-as plain --quiet)
+
+  # create DKIM key for domains
+  for domain in $domain_list; do
+    domain_key="/etc/dkim/${domain}.mail.key"
+    [ ! -f "$domain_key" ] && {
+      # We use a 1024 bit size because nsupdate doesn't seem to be able to
+      # handle 2048...
+      sudo opendkim-genkey --domain="$domain" \
+          --selector=mail --directory=/etc/dkim -b 1024
+      sudo mv /etc/dkim/mail.private "$domain_key"
+      sudo mv /etc/dkim/mail.txt "/etc/dkim/${domain}.mail.txt"
+    }
+  done
+
+  # fix DKIM keys permissions
+  sudo chown _rspamd /etc/dkim/*.mail.key
+  sudo chmod 400 /etc/dkim/*.mail.key
+
+  regen_conf_files=$1
+  [ -z "$regen_conf_files" ] && exit 0
+
+  # compile sieve script
+  [[ "$regen_conf_files" =~ rspamd\.sieve ]] && {
+    sudo sievec /etc/dovecot/global_script/rspamd.sieve
+    sudo chown -R vmail:mail /etc/dovecot/global_script
+    sudo systemctl restart dovecot
+  }
+
+  # Restart rspamd due to the upgrade
+  # https://rspamd.com/announce/2016/08/01/rspamd-1.3.1.html 
+  sudo systemctl -q restart rspamd.service 
+}
+
+FORCE=${2:-0}
+DRY_RUN=${3:-0}
+
+case "$1" in
+  pre)
+    do_pre_regen $4
+    ;;
+  post)
+    do_post_regen $4
+    ;;
+  *)
+    echo "hook called with unknown argument \`$1'" >&2
+    exit 1
+    ;;
+esac
+
+exit 0

data/hooks/conf_regen/34-mysql

@@ -0,0 +1,78 @@
+#!/bin/bash
+
+set -e
+MYSQL_PKG="mariadb-server-10.1"
+
+do_pre_regen() {
+  pending_dir=$1
+
+  cd /usr/share/yunohost/templates/mysql
+
+  install -D -m 644 my.cnf "${pending_dir}/etc/mysql/my.cnf"
+}
+
+do_post_regen() {
+  regen_conf_files=$1
+
+  if [ ! -f /etc/yunohost/mysql ]; then
+      . /usr/share/yunohost/helpers.d/string
+
+      # ensure that mysql is running
+      sudo systemctl -q is-active mysql.service \
+        || sudo service mysql start
+
+      # generate and set new root password
+      mysql_password=$(ynh_string_random 10)
+      sudo mysqladmin -s -u root -pyunohost password "$mysql_password" || {
+        if [ $FORCE -eq 1 ]; then
+            . /usr/share/yunohost/helpers.d/package
+
+            echo "It seems that you have already configured MySQL." \
+              "YunoHost needs to have a root access to MySQL to runs its" \
+              "applications, and is going to reset the MySQL root password." \
+              "You can find this new password in /etc/yunohost/mysql." >&2
+
+            # set new password with debconf
+            sudo debconf-set-selections << EOF
+$MYSQL_PKG mysql-server/root_password password $mysql_password
+$MYSQL_PKG mysql-server/root_password_again password $mysql_password
+EOF
+
+            # reconfigure Debian package
+            sudo dpkg-reconfigure -freadline -u "$MYSQL_PKG" 2>&1
+        else
+            echo "It seems that you have already configured MySQL." \
+              "YunoHost needs to have a root access to MySQL to runs its" \
+              "applications, but the MySQL root password is unknown." \
+              "You must either pass --force to reset the password or" \
+              "put the current one into the file /etc/yunohost/mysql." >&2
+            exit 1
+        fi
+      }
+
+      # store new root password
+      echo "$mysql_password" | sudo tee /etc/yunohost/mysql
+      sudo chmod 400 /etc/yunohost/mysql
+  fi
+
+  [[ -z "$regen_conf_files" ]] \
+    || sudo service mysql restart
+}
+
+FORCE=${2:-0}
+DRY_RUN=${3:-0}
+
+case "$1" in
+  pre)
+    do_pre_regen $4
+    ;;
+  post)
+    do_post_regen $4
+    ;;
+  *)
+    echo "hook called with unknown argument \`$1'" >&2
+    exit 1
+    ;;
+esac
+
+exit 0

data/hooks/conf_regen/37-avahi-daemon

@@ -0,0 +1,37 @@
+#!/bin/bash
+
+set -e
+
+do_pre_regen() {
+  pending_dir=$1
+
+  cd /usr/share/yunohost/templates/avahi-daemon
+
+  install -D -m 644 avahi-daemon.conf \
+    "${pending_dir}/etc/avahi/avahi-daemon.conf"
+}
+
+do_post_regen() {
+  regen_conf_files=$1
+
+  [[ -z "$regen_conf_files" ]] \
+    || sudo service avahi-daemon restart
+}
+
+FORCE=${2:-0}
+DRY_RUN=${3:-0}
+
+case "$1" in
+  pre)
+    do_pre_regen $4
+    ;;
+  post)
+    do_post_regen $4
+    ;;
+  *)
+    echo "hook called with unknown argument \`$1'" >&2
+    exit 1
+    ;;
+esac
+
+exit 0

data/hooks/conf_regen/40-glances

@@ -0,0 +1,36 @@
+#!/bin/bash
+
+set -e
+
+do_pre_regen() {
+  pending_dir=$1
+
+  cd /usr/share/yunohost/templates/glances
+
+  install -D -m 644 glances.default "${pending_dir}/etc/default/glances"
+}
+
+do_post_regen() {
+  regen_conf_files=$1
+
+  [[ -z "$regen_conf_files" ]] \
+    || sudo service glances restart
+}
+
+FORCE=${2:-0}
+DRY_RUN=${3:-0}
+
+case "$1" in
+  pre)
+    do_pre_regen $4
+    ;;
+  post)
+    do_post_regen $4
+    ;;
+  *)
+    echo "hook called with unknown argument \`$1'" >&2
+    exit 1
+    ;;
+esac
+
+exit 0

data/hooks/conf_regen/43-dnsmasq

@@ -0,0 +1,75 @@
+#!/bin/bash
+
+set -e
+
+do_pre_regen() {
+  pending_dir=$1
+
+  # source ip helpers
+  . /usr/share/yunohost/helpers.d/ip
+
+  cd /usr/share/yunohost/templates/dnsmasq
+
+  # create directory for pending conf
+  dnsmasq_dir="${pending_dir}/etc/dnsmasq.d"
+  mkdir -p "$dnsmasq_dir"
+  etcdefault_dir="${pending_dir}/etc/default"
+  mkdir -p "$etcdefault_dir"
+
+  # add general conf files
+  cp plain/etcdefault ${pending_dir}/etc/default/dnsmasq
+  cp plain/dnsmasq.conf ${pending_dir}/etc/dnsmasq.conf
+
+  # add resolver file
+  cat plain/resolv.dnsmasq.conf | grep "^nameserver" | shuf > ${pending_dir}/etc/resolv.dnsmasq.conf
+
+  # retrieve variables
+  ipv4=$(curl -s -4 https://ip.yunohost.org 2>/dev/null || true)
+  ynh_validate_ip4 "$ipv4" || ipv4='127.0.0.1'
+  ipv6=$(curl -s -6 https://ip6.yunohost.org 2>/dev/null || true)
+  ynh_validate_ip6 "$ipv6" || ipv6=''
+  domain_list=$(sudo yunohost domain list --output-as plain --quiet)
+
+  # add domain conf files
+  for domain in $domain_list; do
+    cat domain.tpl \
+      | sed "s/{{ domain }}/${domain}/g" \
+      | sed "s/{{ ip }}/${ipv4}/g" \
+      > "${dnsmasq_dir}/${domain}"
+    [[ -n $ipv6 ]] \
+      && echo "address=/${domain}/${ipv6}" >> "${dnsmasq_dir}/${domain}"
+  done
+
+  # remove old domain conf files
+  conf_files=$(ls -1 /etc/dnsmasq.d \
+                 | awk '/^[^\.]+\.[^\.]+.*$/ { print $1 }')
+  for domain in $conf_files; do
+    [[ $domain_list =~ $domain ]] \
+      || touch "${dnsmasq_dir}/${domain}"
+  done
+}
+
+do_post_regen() {
+  regen_conf_files=$1
+
+  [[ -z "$regen_conf_files" ]] \
+    || sudo service dnsmasq restart
+}
+
+FORCE=${2:-0}
+DRY_RUN=${3:-0}
+
+case "$1" in
+  pre)
+    do_pre_regen $4
+    ;;
+  post)
+    do_post_regen $4
+    ;;
+  *)
+    echo "hook called with unknown argument \`$1'" >&2
+    exit 1
+    ;;
+esac
+
+exit 0

data/hooks/conf_regen/46-nsswitch

@@ -0,0 +1,36 @@
+#!/bin/bash
+
+set -e
+
+do_pre_regen() {
+  pending_dir=$1
+
+  cd /usr/share/yunohost/templates/nsswitch
+
+  install -D -m 644 nsswitch.conf "${pending_dir}/etc/nsswitch.conf"
+}
+
+do_post_regen() {
+  regen_conf_files=$1
+
+  [[ -z "$regen_conf_files" ]] \
+    || sudo service unscd restart
+}
+
+FORCE=${2:-0}
+DRY_RUN=${3:-0}
+
+case "$1" in
+  pre)
+    do_pre_regen $4
+    ;;
+  post)
+    do_post_regen $4
+    ;;
+  *)
+    echo "hook called with unknown argument \`$1'" >&2
+    exit 1
+    ;;
+esac
+
+exit 0

data/hooks/conf_regen/52-fail2ban

@@ -0,0 +1,42 @@
+#!/bin/bash
+
+set -e
+
+do_pre_regen() {
+  pending_dir=$1
+
+  cd /usr/share/yunohost/templates/fail2ban
+
+  fail2ban_dir="${pending_dir}/etc/fail2ban"
+  mkdir -p "${fail2ban_dir}/filter.d"
+  mkdir -p "${fail2ban_dir}/jail.d"
+
+  cp yunohost.conf "${fail2ban_dir}/filter.d/yunohost.conf"
+  cp jail.conf "${fail2ban_dir}/jail.conf"
+  cp yunohost-jails.conf "${fail2ban_dir}/jail.d/"
+}
+
+do_post_regen() {
+  regen_conf_files=$1
+
+  [[ -z "$regen_conf_files" ]] \
+    || sudo service fail2ban restart
+}
+
+FORCE=${2:-0}
+DRY_RUN=${3:-0}
+
+case "$1" in
+  pre)
+    do_pre_regen $4
+    ;;
+  post)
+    do_post_regen $4
+    ;;
+  *)
+    echo "hook called with unknown argument \`$1'" >&2
+    exit 1
+    ;;
+esac
+
+exit 0

data/hooks/restore/05-conf_ldap

@@ -0,0 +1,58 @@
+backup_dir="${1}/conf/ldap"
+
+if [[ $EUID -ne 0 ]]; then
+
+    # We need to execute this script as root, since the ldap
+    # service will be shut down during the operation (and sudo
+    # won't be available)
+    sudo /bin/bash $(readlink -f $0) $1
+
+else
+
+    service slapd stop || true
+
+    # Create a directory for backup
+    TMPDIR="/tmp/$(date +%s)"
+    mkdir -p "$TMPDIR"
+
+    die() {
+        state=$1
+        error=$2
+
+        # Restore saved configuration and database
+        [[ $state -ge 1 ]] \
+          && (rm -rf /etc/ldap/slapd.d &&
+              mv "${TMPDIR}/slapd.d" /etc/ldap/slapd.d)
+        [[ $state -ge 2 ]] \
+          && (rm -rf /var/lib/ldap &&
+              mv "${TMPDIR}/ldap" /var/lib/ldap)
+        chown -R openldap: /etc/ldap/slapd.d /var/lib/ldap
+
+        service slapd start
+        rm -rf "$TMPDIR"
+
+        # Print an error message and exit
+        printf "%s" "$error" 1>&2
+        exit 1
+    }
+
+    # Restore the configuration
+    mv /etc/ldap/slapd.d "$TMPDIR"
+    mkdir -p /etc/ldap/slapd.d
+    cp -a "${backup_dir}/slapd.conf" /etc/ldap/slapd.conf
+    slapadd -F /etc/ldap/slapd.d -b cn=config \
+        -l "${backup_dir}/cn=config.master.ldif" \
+      || die 1 "Unable to restore LDAP configuration"
+    chown -R openldap: /etc/ldap/slapd.d
+
+    # Restore the database
+    mv /var/lib/ldap "$TMPDIR"
+    mkdir -p /var/lib/ldap
+    slapadd -F /etc/ldap/slapd.d -b dc=yunohost,dc=org \
+        -l "${backup_dir}/dc=yunohost-dc=org.ldif" \
+      || die 2 "Unable to restore LDAP database"
+    chown -R openldap: /var/lib/ldap
+
+    service slapd start
+    rm -rf "$TMPDIR"
+fi

data/hooks/restore/08-conf_ssh

@@ -0,0 +1,9 @@
+backup_dir="$1/conf/ssh"
+
+if [ -d /etc/ssh/ ]; then
+    sudo cp -a $backup_dir/. /etc/ssh
+    sudo service ssh restart
+else
+    echo "SSH is not installed"
+fi
+

data/hooks/restore/11-conf_ynh_mysql

@@ -0,0 +1,42 @@
+backup_dir="$1/conf/ynh/mysql"
+MYSQL_PKG="mariadb-server-10.1"
+
+# ensure that mysql is running
+service mysql status >/dev/null 2>&1 \
+  || service mysql start
+
+# retrieve current and new password
+[ -f /etc/yunohost/mysql ] \
+  && curr_pwd=$(sudo cat /etc/yunohost/mysql)
+new_pwd=$(sudo cat "${backup_dir}/root_pwd" || sudo cat "${backup_dir}/mysql")
+[ -z "$curr_pwd" ] && curr_pwd="yunohost"
+[ -z "$new_pwd" ] && {
+    . /usr/share/yunohost/helpers.d/string
+    new_pwd=$(ynh_string_random 10)
+}
+
+# attempt to change it
+sudo mysqladmin -s -u root -p"$curr_pwd" password "$new_pwd" || {
+  . /usr/share/yunohost/helpers.d/package
+
+  echo "It seems that you have already configured MySQL." \
+    "YunoHost needs to have a root access to MySQL to runs its" \
+    "applications, and is going to reset the MySQL root password." \
+    "You can find this new password in /etc/yunohost/mysql." >&2
+
+  # set new password with debconf
+  sudo debconf-set-selections << EOF
+$MYSQL_PKG mysql-server/root_password password $new_pwd
+$MYSQL_PKG mysql-server/root_password_again password $new_pwd
+EOF
+
+  # reconfigure Debian package
+  sudo dpkg-reconfigure -freadline -u "$MYSQL_PKG" 2>&1
+}
+
+# store new root password
+echo "$new_pwd" | sudo tee /etc/yunohost/mysql
+sudo chmod 400 /etc/yunohost/mysql
+
+# reload the grant tables
+sudo mysqladmin -s -u root -p"$new_pwd" reload

data/hooks/restore/14-conf_ssowat

@@ -0,0 +1,3 @@
+backup_dir="$1/conf/ssowat"
+
+sudo cp -a $backup_dir/. /etc/ssowat

data/hooks/restore/17-data_home

@@ -0,0 +1,3 @@
+backup_dir="$1/data/home"
+
+sudo cp -a $backup_dir/. /home

data/hooks/restore/20-conf_ynh_firewall

@@ -0,0 +1,4 @@
+backup_dir="$1/conf/ynh/firewall"
+
+sudo cp -a $backup_dir/. /etc/yunohost
+sudo yunohost firewall reload

data/hooks/restore/21-conf_ynh_certs

@@ -0,0 +1,8 @@
+backup_dir="$1/conf/ynh/certs"
+
+sudo mkdir -p /etc/yunohost/certs/
+
+sudo cp -a $backup_dir/. /etc/yunohost/certs/
+sudo yunohost app ssowatconf
+sudo service nginx reload
+sudo service metronome reload

data/hooks/restore/23-data_mail

@@ -0,0 +1,7 @@
+backup_dir="$1/data/mail"
+
+sudo cp -a $backup_dir/. /var/mail/ || echo 'No mail found'
+
+# Restart services to use migrated certs
+sudo service postfix restart
+sudo service dovecot restart

data/hooks/restore/26-conf_xmpp

@@ -0,0 +1,7 @@
+backup_dir="$1/conf/xmpp"
+
+sudo cp -a $backup_dir/etc/. /etc/metronome
+sudo cp -a $backup_dir/var/. /var/lib/metronome
+
+# Restart to apply new conf and certs
+sudo service metronome restart

data/hooks/restore/29-conf_nginx

@@ -0,0 +1,7 @@
+backup_dir="$1/conf/nginx"
+
+# Copy all conf except apps specific conf located in DOMAIN.d
+sudo find $backup_dir/ -mindepth 1 -maxdepth 1 -name '*.d' -or -exec sudo cp -a {} /etc/nginx/conf.d/ \;
+
+# Restart to use new conf and certs
+sudo service nginx restart

data/hooks/restore/32-conf_cron

@@ -0,0 +1,6 @@
+backup_dir="$1/conf/cron"
+
+sudo cp -a $backup_dir/. /etc/cron.d
+
+# Restart just in case
+sudo service cron restart

data/hooks/restore/40-conf_ynh_currenthost

@@ -0,0 +1,3 @@
+backup_dir="$1/conf/ynh"
+
+sudo cp -a "${backup_dir}/current_host" /etc/yunohost/current_host

data/other/ldap_scheme.yml

@@ -0,0 +1,56 @@
+parents:
+    ou=users:
+        ou: users
+        objectClass:
+            - organizationalUnit
+            - top
+
+    ou=domains:
+        ou: domains
+        objectClass:
+            - organizationalUnit
+            - top
+
+    ou=apps:
+        ou: apps
+        objectClass:
+            - organizationalUnit
+            - top
+
+    ou=groups:
+        ou: groups
+        objectClass:
+            - organizationalUnit
+            - top
+    ou=sudo:
+        ou: sudo
+        objectClass:
+            - organizationalUnit
+            - top
+
+children:
+    cn=admins,ou=groups:
+        cn: admins
+        gidNumber: "4001"
+        memberUid: admin
+        objectClass:
+            - posixGroup
+            - top
+
+    cn=sftpusers,ou=groups:
+        cn: sftpusers
+        gidNumber: "4002"
+        memberUid: admin
+        objectClass:
+            - posixGroup
+            - top
+
+    cn=admin,ou=sudo:
+        cn: admin
+        sudoUser: admin
+        sudoHost: ALL
+        sudoCommand: ALL
+        sudoOption: "!authenticate"
+        objectClass:
+            - sudoRole
+            - top

data/other/yunoprompt.service

@@ -0,0 +1,14 @@
+[Unit]
+Description=YunoHost boot prompt
+After=getty@tty2.service
+
+[Service]
+Type=simple
+ExecStart=/usr/bin/yunoprompt
+StandardInput=tty
+TTYPath=/dev/tty2
+TTYReset=yes
+TTYVHangup=yes
+
+[Install]
+WantedBy=default.target

data/templates/avahi-daemon/avahi-daemon.conf

@@ -0,0 +1,68 @@
+# This file is part of avahi.
+#
+# avahi is free software; you can redistribute it and/or modify it
+# under the terms of the GNU Lesser General Public License as
+# published by the Free Software Foundation; either version 2 of the
+# License, or (at your option) any later version.
+#
+# avahi is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public
+# License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public
+# License along with avahi; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307
+# USA.
+
+# See avahi-daemon.conf(5) for more information on this configuration
+# file!
+
+[server]
+host-name=yunohost
+domain-name=local
+#browse-domains=0pointer.de, zeroconf.org
+use-ipv4=yes
+use-ipv6=yes
+#allow-interfaces=eth0
+#deny-interfaces=eth1
+#check-response-ttl=no
+#use-iff-running=no
+#enable-dbus=yes
+#disallow-other-stacks=no
+#allow-point-to-point=no
+#cache-entries-max=4096
+#clients-max=4096
+#objects-per-client-max=1024
+#entries-per-entry-group-max=32
+ratelimit-interval-usec=1000000
+ratelimit-burst=1000
+
+[wide-area]
+enable-wide-area=yes
+
+[publish]
+#disable-publishing=no
+#disable-user-service-publishing=no
+#add-service-cookie=no
+#publish-addresses=yes
+#publish-hinfo=yes
+#publish-workstation=yes
+#publish-domain=yes
+#publish-dns-servers=192.168.50.1, 192.168.50.2
+#publish-resolv-conf-dns-servers=yes
+#publish-aaaa-on-ipv4=yes
+#publish-a-on-ipv6=no
+
+[reflector]
+#enable-reflector=no
+#reflect-ipv=no
+
+[rlimits]
+#rlimit-as=
+rlimit-core=0
+rlimit-data=4194304
+rlimit-fsize=0
+rlimit-nofile=768
+rlimit-stack=4194304
+rlimit-nproc=3

data/templates/dnsmasq/domain.tpl

@@ -0,0 +1,5 @@
+address=/{{ domain }}/{{ ip }}
+txt-record={{ domain }},"v=spf1 mx a -all"
+mx-host={{ domain }},{{ domain }},5
+srv-host=_xmpp-client._tcp.{{ domain }},{{ domain }},5222,0,5
+srv-host=_xmpp-server._tcp.{{ domain }},{{ domain }},5269,0,5

data/templates/dnsmasq/plain/dnsmasq.conf

@@ -0,0 +1,6 @@
+domain-needed
+expand-hosts
+
+listen-address=127.0.0.1
+resolv-file=/etc/resolv.dnsmasq.conf
+cache-size=256

data/templates/dnsmasq/plain/etcdefault

@@ -0,0 +1,33 @@
+# This file has five functions: 
+# 1) to completely disable starting dnsmasq, 
+# 2) to set DOMAIN_SUFFIX by running `dnsdomainname` 
+# 3) to select an alternative config file
+#    by setting DNSMASQ_OPTS to --conf-file=<file>
+# 4) to tell dnsmasq to read the files in /etc/dnsmasq.d for
+#    more configuration variables.
+# 5) to stop the resolvconf package from controlling dnsmasq's
+#    idea of which upstream nameservers to use.
+# For upgraders from very old versions, all the shell variables set 
+# here in previous versions are still honored by the init script
+# so if you just keep your old version of this file nothing will break.
+
+#DOMAIN_SUFFIX=`dnsdomainname`
+#DNSMASQ_OPTS="--conf-file=/etc/dnsmasq.alt"
+
+# Whether or not to run the dnsmasq daemon; set to 0 to disable.
+ENABLED=1
+
+# By default search this drop directory for configuration options.
+# Libvirt leaves a file here to make the system dnsmasq play nice.
+# Comment out this line if you don't want this. The dpkg-* are file
+# endings which cause dnsmasq to skip that file. This avoids pulling
+# in backups made by dpkg.
+CONFIG_DIR=/etc/dnsmasq.d,.dpkg-dist,.dpkg-old,.dpkg-new
+
+# If the resolvconf package is installed, dnsmasq will use its output 
+# rather than the contents of /etc/resolv.conf to find upstream 
+# nameservers. Uncommenting this line inhibits this behaviour.
+# Note that including a "resolv-file=<filename>" line in 
+# /etc/dnsmasq.conf is not enough to override resolvconf if it is
+# installed: the line below must be uncommented.
+IGNORE_RESOLVCONF=yes

data/templates/dnsmasq/plain/resolv.dnsmasq.conf

@@ -0,0 +1,31 @@
+# This file will be used to generate /etc/resolv.dnsmasq.conf
+# To avoid that every instance rely on the first server as primary
+# server, this list is *shuffled* during every regen-conf of dnsmasq
+# In the possibility where the first nameserver is down, dnsmasq
+# will automatically switch to the next as primary server.
+
+# List taken from
+# http://diyisp.org/dokuwiki/doku.php?id=technical:dnsresolver
+
+# (FR) FDN
+nameserver 80.67.169.12
+nameserver 80.67.169.40
+# (FR) LDN
+nameserver 80.67.188.188
+# (FR) ARN
+nameserver 89.234.141.66
+# (FR) gozmail / grifon
+nameserver 89.234.186.18
+# (DE) FoeBud / Digital Courage
+nameserver 85.214.20.141
+# (FR) Aquilenet [added manually, following comments from @sachaz]
+nameserver 141.255.128.100
+nameserver 141.255.128.101
+# (DE) CCC Berlin
+nameserver 213.73.91.35
+# (DE) Ideal-Hosting
+nameserver 84.200.69.80
+nameserver 84.200.70.40
+# (DK) censurfridns
+nameserver 91.239.100.100
+nameserver 89.233.43.71

data/templates/dovecot/dovecot-ldap.conf

@@ -0,0 +1,9 @@
+hosts = 127.0.0.1
+auth_bind = yes
+ldap_version = 3
+base = ou=users,dc=yunohost,dc=org
+user_attrs = uidNumber=500,gidNumber=8,mailuserquota=quota_rule=*:bytes=%$
+user_filter = (&(objectClass=inetOrgPerson)(uid=%n))
+pass_filter = (&(objectClass=inetOrgPerson)(uid=%n))
+default_pass_scheme = SSHA
+

data/templates/dovecot/dovecot.conf

@@ -0,0 +1,96 @@
+!include yunohost.d/pre-ext.conf
+
+listen = *, ::
+auth_mechanisms = plain login
+
+mail_gid = 8
+mail_home = /var/mail/%n
+mail_location = maildir:/var/mail/%n
+mail_uid = 500
+
+protocols = imap sieve
+
+mail_plugins = $mail_plugins quota
+
+
+ssl = yes
+ssl_cert = </etc/yunohost/certs/{{ main_domain }}/crt.pem
+ssl_key = </etc/yunohost/certs/{{ main_domain }}/key.pem
+ssl_protocols = !SSLv3
+
+passdb {
+  args = /etc/dovecot/dovecot-ldap.conf
+  driver = ldap
+}
+
+userdb {
+  args = /etc/dovecot/dovecot-ldap.conf
+  driver = ldap
+}
+
+protocol imap {
+  imap_client_workarounds =
+  mail_plugins = $mail_plugins imap_quota antispam
+}
+
+
+protocol lda {
+  auth_socket_path = /var/run/dovecot/auth-master
+  mail_plugins = quota sieve
+  postmaster_address = postmaster@{{ main_domain }}
+}
+
+protocol sieve {
+}
+
+service auth {
+  unix_listener /var/spool/postfix/private/auth {
+    group = postfix
+    mode = 0660
+    user = postfix
+  }
+  unix_listener auth-master {
+    group = mail
+    mode = 0660
+    user = vmail
+  }
+}
+
+service quota-warning {
+  executable = script /usr/bin/quota-warning.sh
+  user = vmail
+  unix_listener quota-warning {
+  }
+}
+
+plugin {
+  sieve = /var/mail/sievescript/%n/.dovecot.sieve
+  sieve_dir = /var/mail/sievescript/%n/scripts/
+  sieve_before = /etc/dovecot/global_script/
+}
+
+plugin {
+  antispam_debug_target = syslog
+  antispam_verbose_debug = 0
+  antispam_backend = pipe
+  antispam_spam = Junk;SPAM
+  antispam_trash = Trash
+  antispam_pipe_program = /usr/bin/rspamc
+  antispam_pipe_program_args = -h;localhost:11334;-P;q1
+  antispam_pipe_program_spam_arg = learn_spam
+  antispam_pipe_program_notspam_arg = learn_ham
+}
+
+plugin {
+  quota = maildir:User quota
+  quota_rule2 = SPAM:ignore
+  quota_rule3 = Trash:ignore
+}
+
+plugin {
+  quota_warning = storage=95%% quota-warning 95 %u
+  quota_warning2 = storage=80%% quota-warning 80 %u
+  quota_warning3 = -storage=100%% quota-warning below %u # user is no longer over quota
+}
+
+!include yunohost.d/post-ext.conf

data/templates/dovecot/dovecot.sieve

@@ -0,0 +1,4 @@
+require "fileinto"; 
+    if header :contains "X-Spam-Flag" "YES" { 
+        fileinto "Junk"; 
+    }

data/templates/dovecot/post-ext.conf

@@ -0,0 +1 @@
+!include_try post-ext.d/*.conf

data/templates/dovecot/pre-ext.conf

@@ -0,0 +1 @@
+!include_try pre-ext.d/*.conf

data/templates/fail2ban/jail.conf

@@ -0,0 +1,855 @@
+#
+# WARNING: heavily refactored in 0.9.0 release.  Please review and
+#          customize settings for your setup.
+#
+# Changes:  in most of the cases you should not modify this
+#           file, but provide customizations in jail.local file,
+#           or separate .conf files under jail.d/ directory, e.g.:
+#
+# HOW TO ACTIVATE JAILS:
+#
+# YOU SHOULD NOT MODIFY THIS FILE.
+#
+# It will probably be overwritten or improved in a distribution update.
+#
+# Provide customizations in a jail.local file or a jail.d/customisation.local.
+# For example to change the default bantime for all jails and to enable the
+# ssh-iptables jail the following (uncommented) would appear in the .local file.
+# See man 5 jail.conf for details.
+#
+# [DEFAULT]
+# bantime = 3600
+#
+# [sshd]
+# enabled = true
+#
+# See jail.conf(5) man page for more information
+
+
+
+# Comments: use '#' for comment lines and ';' (following a space) for inline comments
+
+
+[INCLUDES]
+
+#before = paths-distro.conf
+before = paths-debian.conf
+
+# The DEFAULT allows a global definition of the options. They can be overridden
+# in each jail afterwards.
+
+[DEFAULT]
+
+#
+# MISCELLANEOUS OPTIONS
+#
+
+# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
+# ban a host which matches an address in this list. Several addresses can be
+# defined using space (and/or comma) separator.
+ignoreip = 127.0.0.1/8
+
+# External command that will take an tagged arguments to ignore, e.g. <ip>,
+# and return true if the IP is to be ignored. False otherwise.
+#
+# ignorecommand = /path/to/command <ip>
+ignorecommand =
+
+# "bantime" is the number of seconds that a host is banned.
+bantime  = 600
+
+# A host is banned if it has generated "maxretry" during the last "findtime"
+# seconds.
+findtime  = 600
+
+# "maxretry" is the number of failures before a host get banned.
+maxretry = 5
+
+# "backend" specifies the backend used to get files modification.
+# Available options are "pyinotify", "gamin", "polling", "systemd" and "auto".
+# This option can be overridden in each jail as well.
+#
+# pyinotify: requires pyinotify (a file alteration monitor) to be installed.
+#              If pyinotify is not installed, Fail2ban will use auto.
+# gamin:     requires Gamin (a file alteration monitor) to be installed.
+#              If Gamin is not installed, Fail2ban will use auto.
+# polling:   uses a polling algorithm which does not require external libraries.
+# systemd:   uses systemd python library to access the systemd journal.
+#              Specifying "logpath" is not valid for this backend.
+#              See "journalmatch" in the jails associated filter config
+# auto:      will try to use the following backends, in order:
+#              pyinotify, gamin, polling.
+#
+# Note: if systemd backend is chosen as the default but you enable a jail
+#       for which logs are present only in its own log files, specify some other
+#       backend for that jail (e.g. polling) and provide empty value for
+#       journalmatch. See https://github.com/fail2ban/fail2ban/issues/959#issuecomment-74901200
+backend = auto
+
+# "usedns" specifies if jails should trust hostnames in logs,
+#   warn when DNS lookups are performed, or ignore all hostnames in logs
+#
+# yes:   if a hostname is encountered, a DNS lookup will be performed.
+# warn:  if a hostname is encountered, a DNS lookup will be performed,
+#        but it will be logged as a warning.
+# no:    if a hostname is encountered, will not be used for banning,
+#        but it will be logged as info.
+# raw:   use raw value (no hostname), allow use it for no-host filters/actions (example user)
+usedns = warn
+
+# "logencoding" specifies the encoding of the log files handled by the jail
+#   This is used to decode the lines from the log file.
+#   Typical examples:  "ascii", "utf-8"
+#
+#   auto:   will use the system locale setting
+logencoding = auto
+
+# "enabled" enables the jails.
+#  By default all jails are disabled, and it should stay this way.
+#  Enable only relevant to your setup jails in your .local or jail.d/*.conf
+#
+# true:  jail will be enabled and log files will get monitored for changes
+# false: jail is not enabled
+enabled = false
+
+
+# "filter" defines the filter to use by the jail.
+#  By default jails have names matching their filter name
+#
+filter = %(__name__)s
+
+
+#
+# ACTIONS
+#
+
+# Some options used for actions
+
+# Destination email address used solely for the interpolations in
+# jail.{conf,local,d/*} configuration files.
+destemail = root@localhost
+
+# Sender email address used solely for some actions
+sender = root@localhost
+
+# E-mail action. Since 0.8.1 Fail2Ban uses sendmail MTA for the
+# mailing. Change mta configuration parameter to mail if you want to
+# revert to conventional 'mail'.
+mta = sendmail
+
+# Default protocol
+protocol = tcp
+
+# Specify chain where jumps would need to be added in iptables-* actions
+chain = INPUT
+
+# Ports to be banned
+# Usually should be overridden in a particular jail
+port = 0:65535
+
+# Format of user-agent https://tools.ietf.org/html/rfc7231#section-5.5.3
+fail2ban_agent = Fail2Ban/%(fail2ban_version)s
+
+#
+# Action shortcuts. To be used to define action parameter
+
+# Default banning action (e.g. iptables, iptables-new,
+# iptables-multiport, shorewall, etc) It is used to define
+# action_* variables. Can be overridden globally or per
+# section within jail.local file
+banaction = iptables-multiport
+banaction_allports = iptables-allports
+
+# The simplest action to take: ban only
+action_ = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
+
+# ban & send an e-mail with whois report to the destemail.
+action_mw = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
+            %(mta)s-whois[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s"]
+
+# ban & send an e-mail with whois report and relevant log lines
+# to the destemail.
+action_mwl = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
+             %(mta)s-whois-lines[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"]
+
+# See the IMPORTANT note in action.d/xarf-login-attack for when to use this action
+#
+# ban & send a xarf e-mail to abuse contact of IP address and include relevant log lines
+# to the destemail.
+action_xarf = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
+             xarf-login-attack[service=%(__name__)s, sender="%(sender)s", logpath=%(logpath)s, port="%(port)s"]
+
+# ban IP on CloudFlare & send an e-mail with whois report and relevant log lines
+# to the destemail.
+action_cf_mwl = cloudflare[cfuser="%(cfemail)s", cftoken="%(cfapikey)s"]
+                %(mta)s-whois-lines[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"]
+
+# Report block via blocklist.de fail2ban reporting service API
+# 
+# See the IMPORTANT note in action.d/blocklist_de.conf for when to
+# use this action. Create a file jail.d/blocklist_de.local containing
+# [Init]
+# blocklist_de_apikey = {api key from registration]
+#
+action_blocklist_de  = blocklist_de[email="%(sender)s", service=%(filter)s, apikey="%(blocklist_de_apikey)s", agent="%(fail2ban_agent)s"]
+
+# Report ban via badips.com, and use as blacklist
+#
+# See BadIPsAction docstring in config/action.d/badips.py for
+# documentation for this action.
+#
+# NOTE: This action relies on banaction being present on start and therefore
+# should be last action defined for a jail.
+#
+action_badips = badips.py[category="%(__name__)s", banaction="%(banaction)s", agent="%(fail2ban_agent)s"]
+#
+# Report ban via badips.com (uses action.d/badips.conf for reporting only)
+#
+action_badips_report = badips[category="%(__name__)s", agent="%(fail2ban_agent)s"]
+
+# Choose default action.  To change, just override value of 'action' with the
+# interpolation to the chosen action shortcut (e.g.  action_mw, action_mwl, etc) in jail.local
+# globally (section [DEFAULT]) or per specific section
+action = %(action_)s
+
+
+#
+# JAILS
+#
+
+#
+# SSH servers
+#
+
+[sshd]
+
+port    = ssh
+logpath = %(sshd_log)s
+backend = %(sshd_backend)s
+
+
+[sshd-ddos]
+# This jail corresponds to the standard configuration in Fail2ban.
+# The mail-whois action send a notification e-mail with a whois request
+# in the body.
+port    = ssh
+logpath = %(sshd_log)s
+backend = %(sshd_backend)s
+
+
+[dropbear]
+
+port     = ssh
+logpath  = %(dropbear_log)s
+backend  = %(dropbear_backend)s
+
+
+[selinux-ssh]
+
+port     = ssh
+logpath  = %(auditd_log)s
+
+
+#
+# HTTP servers
+#
+
+[apache-auth]
+
+port     = http,https
+logpath  = %(apache_error_log)s
+
+
+[apache-badbots]
+# Ban hosts which agent identifies spammer robots crawling the web
+# for email addresses. The mail outputs are buffered.
+port     = http,https
+logpath  = %(apache_access_log)s
+bantime  = 172800
+maxretry = 1
+
+
+[apache-noscript]
+
+port     = http,https
+logpath  = %(apache_error_log)s
+
+
+[apache-overflows]
+
+port     = http,https
+logpath  = %(apache_error_log)s
+maxretry = 2
+
+
+[apache-nohome]
+
+port     = http,https
+logpath  = %(apache_error_log)s
+maxretry = 2
+
+
+[apache-botsearch]
+
+port     = http,https
+logpath  = %(apache_error_log)s
+maxretry = 2
+
+
+[apache-fakegooglebot]
+
+port     = http,https
+logpath  = %(apache_access_log)s
+maxretry = 1
+ignorecommand = %(ignorecommands_dir)s/apache-fakegooglebot <ip>
+
+
+[apache-modsecurity]
+
+port     = http,https
+logpath  = %(apache_error_log)s
+maxretry = 2
+
+
+[apache-shellshock]
+
+port    = http,https
+logpath = %(apache_error_log)s
+maxretry = 1
+
+
+[openhab-auth]
+
+filter = openhab
+action = iptables-allports[name=NoAuthFailures]
+logpath = /opt/openhab/logs/request.log
+
+
+[nginx-http-auth]
+
+port    = http,https
+logpath = %(nginx_error_log)s
+
+# To use 'nginx-limit-req' jail you should have `ngx_http_limit_req_module` 
+# and define `limit_req` and `limit_req_zone` as described in nginx documentation
+# http://nginx.org/en/docs/http/ngx_http_limit_req_module.html
+# or for example see in 'config/filter.d/nginx-limit-req.conf'
+[nginx-limit-req]
+port    = http,https
+logpath = %(nginx_error_log)s
+
+[nginx-botsearch]
+
+port     = http,https
+logpath  = %(nginx_error_log)s
+maxretry = 2
+
+
+# Ban attackers that try to use PHP's URL-fopen() functionality
+# through GET/POST variables. - Experimental, with more than a year
+# of usage in production environments.
+
+[php-url-fopen]
+
+port    = http,https
+logpath = %(nginx_access_log)s
+          %(apache_access_log)s
+
+
+[suhosin]
+
+port    = http,https
+logpath = %(suhosin_log)s
+
+
+[lighttpd-auth]
+# Same as above for Apache's mod_auth
+# It catches wrong authentifications
+port    = http,https
+logpath = %(lighttpd_error_log)s
+
+
+#
+# Webmail and groupware servers
+#
+
+[roundcube-auth]
+
+port     = http,https
+logpath  = %(roundcube_errors_log)s
+
+
+[openwebmail]
+
+port     = http,https
+logpath  = /var/log/openwebmail.log
+
+
+[horde]
+
+port     = http,https
+logpath  = /var/log/horde/horde.log
+
+
+[groupoffice]
+
+port     = http,https
+logpath  = /home/groupoffice/log/info.log
+
+
+[sogo-auth]
+# Monitor SOGo groupware server
+# without proxy this would be:
+# port    = 20000
+port     = http,https
+logpath  = /var/log/sogo/sogo.log
+
+
+[tine20]
+
+logpath  = /var/log/tine20/tine20.log
+port     = http,https
+
+
+#
+# Web Applications
+#
+#
+
+[drupal-auth]
+
+port     = http,https
+logpath  = %(syslog_daemon)s
+backend  = %(syslog_backend)s
+
+[guacamole]
+
+port     = http,https
+logpath  = /var/log/tomcat*/catalina.out
+
+[monit]
+#Ban clients brute-forcing the monit gui login
+port = 2812
+logpath  = /var/log/monit
+
+
+[webmin-auth]
+
+port    = 10000
+logpath = %(syslog_authpriv)s
+backend = %(syslog_backend)s
+
+
+[froxlor-auth]
+
+port    = http,https
+logpath  = %(syslog_authpriv)s
+backend  = %(syslog_backend)s
+
+
+#
+# HTTP Proxy servers
+#
+#
+
+[squid]
+
+port     =  80,443,3128,8080
+logpath = /var/log/squid/access.log
+
+
+[3proxy]
+
+port    = 3128
+logpath = /var/log/3proxy.log
+
+
+#
+# FTP servers
+#
+
+
+[proftpd]
+
+port     = ftp,ftp-data,ftps,ftps-data
+logpath  = %(proftpd_log)s
+backend  = %(proftpd_backend)s
+
+
+[pure-ftpd]
+
+port     = ftp,ftp-data,ftps,ftps-data
+logpath  = %(pureftpd_log)s
+backend  = %(pureftpd_backend)s
+
+
+[gssftpd]
+
+port     = ftp,ftp-data,ftps,ftps-data
+logpath  = %(syslog_daemon)s
+backend  = %(syslog_backend)s
+
+
+[wuftpd]
+
+port     = ftp,ftp-data,ftps,ftps-data
+logpath  = %(wuftpd_log)s
+backend  = %(wuftpd_backend)s
+
+
+[vsftpd]
+# or overwrite it in jails.local to be
+# logpath = %(syslog_authpriv)s
+# if you want to rely on PAM failed login attempts
+# vsftpd's failregex should match both of those formats
+port     = ftp,ftp-data,ftps,ftps-data
+logpath  = %(vsftpd_log)s
+
+
+#
+# Mail servers
+#
+
+# ASSP SMTP Proxy Jail
+[assp]
+
+port     = smtp,465,submission
+logpath  = /root/path/to/assp/logs/maillog.txt
+
+
+[courier-smtp]
+
+port     = smtp,465,submission
+logpath  = %(syslog_mail)s
+backend  = %(syslog_backend)s
+
+
+[postfix]
+
+port     = smtp,465,submission
+logpath  = %(postfix_log)s
+backend  = %(postfix_backend)s
+
+
+[postfix-rbl]
+
+port     = smtp,465,submission
+logpath  = %(postfix_log)s
+backend  = %(postfix_backend)s
+maxretry = 1
+
+
+[sendmail-auth]
+
+port    = submission,465,smtp
+logpath = %(syslog_mail)s
+backend = %(syslog_backend)s
+
+
+[sendmail-reject]
+
+port     = smtp,465,submission
+logpath  = %(syslog_mail)s
+backend  = %(syslog_backend)s
+
+
+[qmail-rbl]
+
+filter  = qmail
+port    = smtp,465,submission
+logpath = /service/qmail/log/main/current
+
+
+# dovecot defaults to logging to the mail syslog facility
+# but can be set by syslog_facility in the dovecot configuration.
+[dovecot]
+
+port    = pop3,pop3s,imap,imaps,submission,465,sieve
+logpath = %(dovecot_log)s
+backend = %(dovecot_backend)s
+
+
+[sieve]
+
+port   = smtp,465,submission
+logpath = %(dovecot_log)s
+backend = %(dovecot_backend)s
+
+
+[solid-pop3d]
+
+port    = pop3,pop3s
+logpath = %(solidpop3d_log)s
+
+
+[exim]
+
+port   = smtp,465,submission
+logpath = %(exim_main_log)s
+
+
+[exim-spam]
+
+port   = smtp,465,submission
+logpath = %(exim_main_log)s
+
+
+[kerio]
+
+port    = imap,smtp,imaps,465
+logpath = /opt/kerio/mailserver/store/logs/security.log
+
+
+#
+# Mail servers authenticators: might be used for smtp,ftp,imap servers, so
+# all relevant ports get banned
+#
+
+[courier-auth]
+
+port     = smtp,465,submission,imaps,pop3,pop3s
+logpath  = %(syslog_mail)s
+backend  = %(syslog_backend)s
+
+
+[postfix-sasl]
+
+port     = smtp,465,submission,imap,imaps,pop3,pop3s
+# You might consider monitoring /var/log/mail.warn instead if you are
+# running postfix since it would provide the same log lines at the
+# "warn" level but overall at the smaller filesize.
+logpath  = %(postfix_log)s
+backend  = %(postfix_backend)s
+
+
+[perdition]
+
+port   = imap,imaps,pop3,pop3s
+logpath = %(syslog_mail)s
+backend = %(syslog_backend)s
+
+
+[squirrelmail]
+
+port = smtp,465,submission,imap,imap2,imaps,pop3,pop3s,http,https,socks
+logpath = /var/lib/squirrelmail/prefs/squirrelmail_access_log
+
+
+[cyrus-imap]
+
+port   = imap,imaps
+logpath = %(syslog_mail)s
+backend = %(syslog_backend)s
+
+
+[uwimap-auth]
+
+port   = imap,imaps
+logpath = %(syslog_mail)s
+backend = %(syslog_backend)s
+
+
+#
+#
+# DNS servers
+#
+
+
+# !!! WARNING !!!
+#   Since UDP is connection-less protocol, spoofing of IP and imitation
+#   of illegal actions is way too simple.  Thus enabling of this filter
+#   might provide an easy way for implementing a DoS against a chosen
+#   victim. See
+#    http://nion.modprobe.de/blog/archives/690-fail2ban-+-dns-fail.html
+#   Please DO NOT USE this jail unless you know what you are doing.
+#
+# IMPORTANT: see filter.d/named-refused for instructions to enable logging
+# This jail blocks UDP traffic for DNS requests.
+# [named-refused-udp]
+#
+# filter   = named-refused
+# port     = domain,953
+# protocol = udp
+# logpath  = /var/log/named/security.log
+
+# IMPORTANT: see filter.d/named-refused for instructions to enable logging
+# This jail blocks TCP traffic for DNS requests.
+
+[named-refused]
+
+port     = domain,953
+logpath  = /var/log/named/security.log
+
+
+[nsd]
+
+port     = 53
+action   = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp]
+           %(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp]
+logpath = /var/log/nsd.log
+
+
+#
+# Miscellaneous
+#
+
+[asterisk]
+
+port     = 5060,5061
+action   = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp]
+           %(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp]
+           %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s"]
+logpath  = /var/log/asterisk/messages
+maxretry = 10
+
+
+[freeswitch]
+
+port     = 5060,5061
+action   = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp]
+           %(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp]
+           %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s"]
+logpath  = /var/log/freeswitch.log
+maxretry = 10
+
+
+# To log wrong MySQL access attempts add to /etc/my.cnf in [mysqld] or
+# equivalent section:
+# log-warning = 2
+#
+# for syslog (daemon facility)
+# [mysqld_safe]
+# syslog
+#
+# for own logfile
+# [mysqld]
+# log-error=/var/log/mysqld.log
+[mysqld-auth]
+
+port     = 3306
+logpath  = %(mysql_log)s
+backend  = %(mysql_backend)s
+
+
+# Log wrong MongoDB auth (for details see filter 'filter.d/mongodb-auth.conf')
+[mongodb-auth]
+# change port when running with "--shardsvr" or "--configsvr" runtime operation
+port     = 27017
+logpath  = /var/log/mongodb/mongodb.log
+
+
+# Jail for more extended banning of persistent abusers
+# !!! WARNINGS !!!
+# 1. Make sure that your loglevel specified in fail2ban.conf/.local
+#    is not at DEBUG level -- which might then cause fail2ban to fall into
+#    an infinite loop constantly feeding itself with non-informative lines
+# 2. Increase dbpurgeage defined in fail2ban.conf to e.g. 648000 (7.5 days)
+#    to maintain entries for failed logins for sufficient amount of time
+[recidive]
+
+logpath  = /var/log/fail2ban.log
+banaction = %(banaction_allports)s
+bantime  = 604800  ; 1 week
+findtime = 86400   ; 1 day
+
+
+# Generic filter for PAM. Has to be used with action which bans all
+# ports such as iptables-allports, shorewall
+
+[pam-generic]
+# pam-generic filter can be customized to monitor specific subset of 'tty's
+banaction = %(banaction_allports)s
+logpath  = %(syslog_authpriv)s
+backend  = %(syslog_backend)s
+
+
+[xinetd-fail]
+
+banaction = iptables-multiport-log
+logpath   = %(syslog_daemon)s
+backend   = %(syslog_backend)s
+maxretry  = 2
+
+
+# stunnel - need to set port for this
+[stunnel]
+
+logpath = /var/log/stunnel4/stunnel.log
+
+
+[ejabberd-auth]
+
+port    = 5222
+logpath = /var/log/ejabberd/ejabberd.log
+
+
+[counter-strike]
+
+logpath = /opt/cstrike/logs/L[0-9]*.log
+# Firewall: http://www.cstrike-planet.com/faq/6
+tcpport = 27030,27031,27032,27033,27034,27035,27036,27037,27038,27039
+udpport = 1200,27000,27001,27002,27003,27004,27005,27006,27007,27008,27009,27010,27011,27012,27013,27014,27015
+action  = %(banaction)s[name=%(__name__)s-tcp, port="%(tcpport)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp]
+           %(banaction)s[name=%(__name__)s-udp, port="%(udpport)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp]
+
+# consider low maxretry and a long bantime
+# nobody except your own Nagios server should ever probe nrpe
+[nagios]
+
+logpath  = %(syslog_daemon)s     ; nrpe.cfg may define a different log_facility
+backend  = %(syslog_backend)s
+maxretry = 1
+
+
+[oracleims]
+# see "oracleims" filter file for configuration requirement for Oracle IMS v6 and above
+logpath = /opt/sun/comms/messaging64/log/mail.log_current
+banaction = %(banaction_allports)s
+
+[directadmin]
+logpath = /var/log/directadmin/login.log
+port = 2222
+
+[portsentry]
+logpath  = /var/lib/portsentry/portsentry.history
+maxretry = 1
+
+[pass2allow-ftp]
+# this pass2allow example allows FTP traffic after successful HTTP authentication
+port         = ftp,ftp-data,ftps,ftps-data
+# knocking_url variable must be overridden to some secret value in jail.local
+knocking_url = /knocking/
+filter       = apache-pass[knocking_url="%(knocking_url)s"]
+# access log of the website with HTTP auth
+logpath      = %(apache_access_log)s
+blocktype    = RETURN
+returntype   = DROP
+bantime      = 3600
+maxretry     = 1
+findtime     = 1
+
+
+[murmur]
+# AKA mumble-server
+port     = 64738
+action   = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol=tcp, chain="%(chain)s", actname=%(banaction)s-tcp]
+           %(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol=udp, chain="%(chain)s", actname=%(banaction)s-udp]
+logpath  = /var/log/mumble-server/mumble-server.log
+
+
+[screensharingd]
+# For Mac OS Screen Sharing Service (VNC)
+logpath  = /var/log/system.log
+logencoding = utf-8
+
+[haproxy-http-auth]
+# HAProxy by default doesn't log to file you'll need to set it up to forward
+# logs to a syslog server which would then write them to disk.
+# See "haproxy-http-auth" filter for a brief cautionary note when setting
+# maxretry and findtime.
+logpath  = /var/log/haproxy.log
+
+[slapd]
+port    = ldap,ldaps
+filter  = slapd
+logpath = /var/log/slapd.log

data/templates/fail2ban/yunohost-jails.conf

@@ -0,0 +1,32 @@
+[sshd]
+enabled = true
+
+[sshd-ddos]
+enabled = true
+
+[nginx-http-auth]
+enabled = true
+
+[postfix]
+enabled = true
+
+[dovecot]
+enabled = true
+
+[postfix-sasl]
+enabled = true
+
+[recidive]
+enabled = true
+
+[pam-generic]
+enabled = true
+
+[yunohost]
+enabled  = true
+port     = http,https
+protocol = tcp
+filter   = yunohost
+logpath  = /var/log/nginx/*error.log
+           /var/log/nginx/*access.log
+maxretry = 6

data/templates/fail2ban/yunohost.conf

@@ -0,0 +1,24 @@
+# Fail2Ban configuration file
+#
+# Author: Adrien Beudin
+#
+# $Revision: 2 $
+#
+
+[Definition]
+
+# Option:  failregex
+# Notes.:  regex to match the password failure messages in the logfile. The
+#          host must be matched by a group named "host". The tag "<HOST>" can
+#          be used for standard IP/hostname matching and is only an alias for
+#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
+# Values:  TEXT
+#
+failregex = helpers.lua:[0-9]+: authenticate\(\): Connection failed for: .*, client: <HOST>
+            ^<HOST> -.*\"POST /yunohost/api/login HTTP/1.1\" 401
+
+# Option:  ignoreregex
+# Notes.:  regex to ignore. If this regex matches, the line is ignored.
+# Values:  TEXT
+#
+ignoreregex =

data/templates/glances/glances.default

@@ -0,0 +1,5 @@
+# Default is to launch glances with '-s' option.
+DAEMON_ARGS="-s -B 127.0.0.1"
+
+# Change to 'true' to have glances running at startup
+RUN="true"

data/templates/metronome/domain.tpl.cfg.lua

@@ -0,0 +1,15 @@
+VirtualHost "{{ domain }}"
+  ssl = {
+        key = "/etc/yunohost/certs/{{ domain }}/key.pem";
+        certificate = "/etc/yunohost/certs/{{ domain }}/crt.pem";
+  }
+  authentication = "ldap2"
+  ldap = {
+     hostname      = "localhost",
+     user = {
+       basedn        = "ou=users,dc=yunohost,dc=org",
+       filter        = "(&(objectClass=posixAccount)(mail=*@{{ domain }}))",
+       usernamefield = "mail",
+       namefield     = "cn",
+       },
+  }

data/templates/metronome/metronome.cfg.lua

@@ -0,0 +1,193 @@
+-- ** Metronome's config file example **
+-- 
+-- The format is exactly equal to Prosody's:
+--
+-- Lists are written { "like", "this", "one" } 
+-- Lists can also be of { 1, 2, 3 } numbers, etc. 
+-- Either commas, or semi-colons; may be used as seperators.
+--
+-- A table is a list of values, except each value has a name. An 
+-- example would be:
+--
+-- ssl = { key = "keyfile.key", certificate = "certificate.crt" }
+--
+-- Tip: You can check that the syntax of this file is correct when you have finished
+-- by running: luac -p metronome.cfg.lua
+-- If there are any errors, it will let you know what and where they are, otherwise it 
+-- will keep quiet.
+
+---------- Server-wide settings ----------
+-- Settings in this section apply to the whole server and are the default settings
+-- for any virtual hosts
+
+-- Server PID
+pidfile = "/var/run/metronome/metronome.pid"
+
+-- HTTP server
+http_ports = { 5290 }
+http_interfaces = { "127.0.0.1", "::1" }
+
+--https_ports = { 5291 }
+--https_interfaces = { "127.0.0.1", "::1" }
+
+-- Enable IPv6
+use_ipv6 = true
+
+-- This is the list of modules Metronome will load on startup.
+-- It looks for mod_modulename.lua in the plugins folder, so make sure that exists too.
+modules_enabled = {
+
+    -- Generally required
+        "roster"; -- Allow users to have a roster. Recommended ;)
+        "saslauth"; -- Authentication for clients and servers. Recommended if you want to log in.
+        "tls"; -- Add support for secure TLS on c2s/s2s connections
+        "dialback"; -- s2s dialback support
+        "disco"; -- Service discovery
+        --"discoitems"; -- Service discovery items
+        --"extdisco"; -- External Service Discovery
+
+    -- Not essential, but recommended
+        "private"; -- Private XML storage (for room bookmarks, etc.)
+        "vcard"; -- Allow users to set vCards
+        "privacy"; -- Support privacy lists
+
+    -- These are commented by default as they have a performance impact
+        --"compression"; -- Stream compression (Debian: requires lua-zlib module to work)
+
+    -- Nice to have
+        "version"; -- Replies to server version requests
+        "uptime"; -- Report how long server has been running
+        "time"; -- Let others know the time here on this server
+        "ping"; -- Replies to XMPP pings with pongs
+        "pep"; -- Enables users to publish their mood, activity, playing music and more
+        "message_carbons"; -- Allow clients to keep in sync with messages send on other resources
+        "register"; -- Allow users to register on this server using a client and change passwords
+        "adhoc"; -- Support for "ad-hoc commands" that can be executed with an XMPP client
+
+    -- Admin interfaces
+        "admin_adhoc"; -- Allows administration via an XMPP client that supports ad-hoc commands
+        "admin_telnet"; -- Opens telnet console interface on localhost port 5582
+
+    -- HTTP modules
+        "bosh"; -- Enable BOSH clients, aka "Jabber over HTTP"
+        --"websockets"; -- Enable WebSocket clients
+        --"http_files"; -- Serve static files from a directory over HTTP
+
+    -- Other specific functionality
+--        "bidi"; -- Bidirectional Streams for S2S connections
+--        "stream_management"; -- Stream Management support
+        --"groups"; -- Shared roster support
+        --"announce"; -- Send announcement to all online users
+        --"welcome"; -- Welcome users who register accounts
+        --"watchregistrations"; -- Alert admins of registrations
+        --"motd"; -- Send a message to users when they log in
+        "mam"; -- Nice archive management
+        --"legacyauth"; -- Legacy authentication. Only used by some old clients and bots.
+        "offline"; -- Store offline messages
+        "c2s"; -- Handle client connections
+        "s2s"; -- Handle server-to-server connections
+
+    -- Debian: do not remove this module, or you lose syslog
+    -- support
+        "posix"; -- POSIX functionality, sends server to background, enables syslog, etc.
+};
+
+-- Discovery items
+disco_items = {
+    { "muc.{{ main_domain }}" },
+    { "pubsub.{{ main_domain }}" },
+    { "vjud.{{ main_domain }}" }
+};
+
+-- BOSH configuration (mod_bosh)
+bosh_max_inactivity = 30
+consider_bosh_secure = true
+cross_domain_bosh = true
+
+-- Disable account creation by default, for security
+allow_registration = false
+
+-- SSL/TLS configuration
+ssl = {
+    options = {
+        "no_sslv2",
+        "no_sslv3",
+        "no_ticket",
+        "no_compression",
+        "cipher_server_preference"
+    };
+}
+
+-- Force clients to use encrypted connections? This option will
+-- prevent clients from authenticating unless they are using encryption.
+c2s_require_encryption = true
+
+-- Force servers to use encrypted connections? This option will
+-- prevent servers from connecting unless they are using encryption.
+s2s_require_encryption = true
+
+-- Allow servers to use an unauthenticated encryption channel
+s2s_allow_encryption = true
+
+allow_unencrypted_plain_auth = false;
+
+s2s_secure = true
+s2s_secure_auth = false
+
+--anonymous_login = false
+
+-- Use LDAP storage backend for all stores
+storage = "ldap"
+
+-- Logging configuration
+log = {
+    info = "/var/log/metronome/metronome.log"; -- Change 'info' to 'debug' for verbose logging
+    error = "/var/log/metronome/metronome.err";
+    -- "*syslog"; -- Uncomment this for logging to syslog
+    -- "*console"; -- Log to the console, useful for debugging with daemonize=false
+}
+
+
+------ Components ------
+-- You can specify components to add hosts that provide special services,
+-- like multi-user conferences, and transports.
+
+---Set up a local BOSH service
+Component "localhost" "http"
+    modules_enabled = { "bosh" }
+
+---Set up a MUC (multi-user chat) room server
+Component "muc.{{ main_domain }}" "muc"
+    name = "{{ main_domain }} Chatrooms"
+
+    modules_enabled = {
+        "muc_limits";
+        "muc_log";
+        "muc_log_http";
+    }
+
+    muc_event_rate = 0.5
+    muc_burst_factor = 10
+
+    muc_log_http_config = {
+        url_base = "logs";
+        theme = "metronome";
+    }
+
+---Set up a PubSub server
+Component "pubsub.{{ main_domain }}" "pubsub"
+    name = "{{ main_domain }} Publish/Subscribe"
+
+    unrestricted_node_creation = true -- Anyone can create a PubSub node (from any server)
+
+---Set up a VJUD service
+Component "vjud.{{ main_domain }}" "vjud"
+    ud_disco_name = "{{ main_domain }} User Directory"
+
+
+----------- Virtual hosts -----------
+-- You need to add a VirtualHost entry for each domain you wish Metronome to serve.
+-- Settings under each VirtualHost entry apply *only* to that host.
+
+Include "conf.d/*.cfg.lua"
+

data/templates/mysql/my.cnf

@@ -0,0 +1,92 @@
+# Example MySQL config file for small systems.
+#
+# This is for a system with little memory (<= 64M) where MySQL is only used
+# from time to time and it's important that the mysqld daemon
+# doesn't use much resources.
+#
+# MySQL programs look for option files in a set of
+# locations which depend on the deployment platform.
+# You can copy this option file to one of those
+# locations. For information about these locations, see:
+# http://dev.mysql.com/doc/mysql/en/option-files.html
+#
+# In this file, you can use all long options that a program supports.
+# If you want to know which options a program supports, run the program
+# with the "--help" option.
+
+# The following options will be passed to all MySQL clients
+[client]
+#password       = your_password
+port            = 3306
+socket          = /var/run/mysqld/mysqld.sock
+
+# Here follows entries for some specific programs
+
+# The MySQL server
+[mysqld]
+port            = 3306
+socket          = /var/run/mysqld/mysqld.sock
+skip-external-locking
+key_buffer_size = 16K
+max_allowed_packet = 1M
+table_open_cache = 4
+sort_buffer_size = 64K
+read_buffer_size = 256K
+read_rnd_buffer_size = 256K
+net_buffer_length = 2K
+thread_stack = 128K
+
+# to avoid corruption on powerfailure
+default-storage-engine=innodb
+
+# Don't listen on a TCP/IP port at all. This can be a security enhancement,
+# if all processes that need to connect to mysqld run on the same host.
+# All interaction with mysqld must be made via Unix sockets or named pipes.
+# Note that using this option without enabling named pipes on Windows
+# (using the "enable-named-pipe" option) will render mysqld useless!
+# 
+#skip-networking
+server-id       = 1
+
+# Uncomment the following if you want to log updates
+#log-bin=mysql-bin
+
+# binary logging format - mixed recommended
+#binlog_format=mixed
+
+# Causes updates to non-transactional engines using statement format to be
+# written directly to binary log. Before using this option make sure that
+# there are no dependencies between transactional and non-transactional
+# tables such as in the statement INSERT INTO t_myisam SELECT * FROM
+# t_innodb; otherwise, slaves may diverge from the master.
+#binlog_direct_non_transactional_updates=TRUE
+
+# Uncomment the following if you are using InnoDB tables
+#innodb_data_home_dir = /var/lib/mysql
+#innodb_data_file_path = ibdata1:10M:autoextend
+#innodb_log_group_home_dir = /var/lib/mysql
+# You can set .._buffer_pool_size up to 50 - 80 %
+# of RAM but beware of setting memory usage too high
+#innodb_buffer_pool_size = 16M
+#innodb_additional_mem_pool_size = 2M
+# Set .._log_file_size to 25 % of buffer pool size
+#innodb_log_file_size = 5M
+#innodb_log_buffer_size = 8M
+#innodb_flush_log_at_trx_commit = 1
+#innodb_lock_wait_timeout = 50
+
+[mysqldump]
+quick
+max_allowed_packet = 16M
+
+[mysql]
+no-auto-rehash
+# Remove the next comment character if you are not familiar with SQL
+#safe-updates
+
+[myisamchk]
+key_buffer_size = 8M
+sort_buffer_size = 8M
+
+[mysqlhotcopy]
+interactive-timeout

data/templates/nginx/plain/global.conf

@@ -0,0 +1,2 @@
+server_tokens off;
+gzip_types text/css text/javascript application/javascript;

data/templates/nginx/plain/ssowat.conf

@@ -0,0 +1,3 @@
+lua_shared_dict cache 10m;
+init_by_lua_file   /usr/share/ssowat/init.lua;
+server_names_hash_bucket_size 64;

data/templates/nginx/plain/yunohost_admin.conf

@@ -0,0 +1,78 @@
+server {
+    listen 80 default_server;
+    listen [::]:80 default_server;
+
+    location / {
+        return 302 https://$http_host/yunohost/admin;
+    }
+
+    location /yunohost/admin {
+        return 301 https://$http_host$request_uri;
+    }
+}
+
+server {
+    # Disabling http2 for now as it's causing weird issues with curl
+    #listen 443 ssl http2 default_server;
+    #listen [::]:443 ssl http2 default_server;
+    listen 443 ssl default_server;
+    listen [::]:443 ssl default_server;
+
+    ssl_certificate /etc/yunohost/certs/yunohost.org/crt.pem;
+    ssl_certificate_key /etc/yunohost/certs/yunohost.org/key.pem;
+    ssl_session_timeout 5m;
+    ssl_session_cache shared:SSL:50m;
+
+    # As suggested by Mozilla : https://wiki.mozilla.org/Security/Server_Side_TLS and https://en.wikipedia.org/wiki/Curve25519
+    # (this doesn't work on jessie though ...?)
+    # ssl_ecdh_curve secp521r1:secp384r1:prime256v1;
+
+    # As suggested by https://cipherli.st/
+    ssl_ecdh_curve secp384r1;
+
+    ssl_prefer_server_ciphers on;
+
+    # Ciphers with intermediate compatibility
+    # https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=nginx-1.6.2&openssl=1.0.1t&hsts=yes&profile=intermediate
+    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+    ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
+
+    # Ciphers with modern compatibility
+    # https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=nginx-1.6.2&openssl=1.0.1t&hsts=yes&profile=modern
+    # Uncomment the following to use modern ciphers, but remove compatibility with some old clients (android < 5.0, Internet Explorer < 10, ...)
+    #ssl_protocols TLSv1.2;
+    #ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
+
+    # Uncomment the following directive after DH generation
+    # > openssl dhparam -out /etc/ssl/private/dh2048.pem -outform PEM -2 2048
+    #ssl_dhparam /etc/ssl/private/dh2048.pem;
+    
+    # Follows the Web Security Directives from the Mozilla Dev Lab and the Mozilla Obervatory + Partners
+    # https://wiki.mozilla.org/Security/Guidelines/Web_Security
+    # https://observatory.mozilla.org/ 
+    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"; 
+    add_header 'Referrer-Policy' 'same-origin';
+    add_header Content-Security-Policy "upgrade-insecure-requests; object-src 'none'; script-src https: 'unsafe-eval'";
+    add_header X-Content-Type-Options nosniff;
+    add_header X-XSS-Protection "1; mode=block";
+    add_header X-Download-Options noopen;
+    add_header X-Permitted-Cross-Domain-Policies none;
+    add_header X-Frame-Options "SAMEORIGIN";
+
+    location / {
+        return 302 https://$http_host/yunohost/admin;
+    }
+
+    location /yunohost {
+        # Block crawlers bot
+        if ($http_user_agent ~ (crawl|Googlebot|Slurp|spider|bingbot|tracker|click|parser|spider|facebookexternalhit) ) {
+            return 403;
+        }
+
+        # Redirect most of 404 to maindomain.tld/yunohost/sso
+        access_by_lua_file /usr/share/ssowat/access.lua;
+    }
+
+    include conf.d/yunohost_admin.conf.inc;
+    include conf.d/yunohost_api.conf.inc;
+}

data/templates/nginx/plain/yunohost_admin.conf.inc

@@ -0,0 +1,14 @@
+# Avoid the nginx path/alias traversal weakness ( #1037 )
+rewrite ^/yunohost/admin$ /yunohost/admin/ permanent;
+
+location /yunohost/admin/ {
+    alias /usr/share/yunohost/admin/;
+    default_type text/html;
+    index index.html;
+
+    # Short cache on handlebars templates
+    location ~* \.(?:ms)$ {
+      expires 5m;
+      add_header Cache-Control "public";
+    }
+}

data/templates/nginx/plain/yunohost_api.conf.inc

@@ -0,0 +1,17 @@
+location /yunohost/api/ {
+    proxy_read_timeout 3600s;
+    proxy_pass http://127.0.0.1:6787/;
+    proxy_http_version 1.1;
+    proxy_set_header Upgrade $http_upgrade;
+    proxy_set_header Connection "upgrade";
+
+    # Custom 502 error page
+    error_page 502 /yunohost/api/error/502;
+}
+
+# Yunohost admin output complete 502 error page, so use only plain text.
+location = /yunohost/api/error/502 {
+    return 502 '502 - Bad Gateway';
+    add_header Content-Type text/plain;
+    internal;
+}

data/templates/nginx/plain/yunohost_panel.conf.inc

@@ -0,0 +1,8 @@
+# Insert YunoHost panel
+sub_filter </head> '<script type="text/javascript" src="/ynhpanel.js"></script></head>';
+sub_filter_once on;
+# Apply to other mime types than text/html
+sub_filter_types application/xhtml+xml;
+# Prevent YunoHost panel files from being blocked by specific app rules
+location ~ ynhpanel\.(js|json|css) {
+}

data/templates/nginx/server.tpl.conf

@@ -0,0 +1,76 @@
+server {
+    listen 80;
+    listen [::]:80;
+    server_name {{ domain }};
+
+    access_by_lua_file /usr/share/ssowat/access.lua;
+
+    include conf.d/{{ domain }}.d/*.conf;
+
+    location /yunohost/admin {
+        return 301 https://$http_host$request_uri;
+    }
+
+    access_log /var/log/nginx/{{ domain }}-access.log;
+    error_log /var/log/nginx/{{ domain }}-error.log;
+}
+
+server {
+    # Disabling http2 for now as it's causing weird issues with curl
+    #listen 443 ssl http2;
+    #listen [::]:443 ssl http2;
+    listen 443 ssl;
+    listen [::]:443 ssl;
+    server_name {{ domain }};
+
+    ssl_certificate /etc/yunohost/certs/{{ domain }}/crt.pem;
+    ssl_certificate_key /etc/yunohost/certs/{{ domain }}/key.pem;
+    ssl_session_timeout 5m;
+    ssl_session_cache shared:SSL:50m;
+
+    # As suggested by Mozilla : https://wiki.mozilla.org/Security/Server_Side_TLS and https://en.wikipedia.org/wiki/Curve25519
+    # (this doesn't work on jessie though ...?)
+    # ssl_ecdh_curve secp521r1:secp384r1:prime256v1;
+
+    # As suggested by https://cipherli.st/
+    ssl_ecdh_curve secp384r1;
+
+    ssl_prefer_server_ciphers on;
+
+    # Ciphers with intermediate compatibility
+    # https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=nginx-1.6.2&openssl=1.0.1t&hsts=yes&profile=intermediate
+    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+    ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
+
+    # Ciphers with modern compatibility
+    # https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=nginx-1.6.2&openssl=1.0.1t&hsts=yes&profile=modern
+    # Uncomment the following to use modern ciphers, but remove compatibility with some old clients (android < 5.0, Internet Explorer < 10, ...)
+    #ssl_protocols TLSv1.2;
+    #ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
+
+    # Uncomment the following directive after DH generation
+    # > openssl dhparam -out /etc/ssl/private/dh2048.pem -outform PEM -2 2048
+    #ssl_dhparam /etc/ssl/private/dh2048.pem;
+
+    # Follows the Web Security Directives from the Mozilla Dev Lab and the Mozilla Obervatory + Partners
+    # https://wiki.mozilla.org/Security/Guidelines/Web_Security
+    # https://observatory.mozilla.org/ 
+    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"; 
+    add_header Content-Security-Policy "upgrade-insecure-requests";
+    add_header Content-Security-Policy-Report-Only "default-src https: data: 'unsafe-inline' 'unsafe-eval'";
+    add_header X-Content-Type-Options nosniff;
+    add_header X-XSS-Protection "1; mode=block";
+    add_header X-Download-Options noopen;
+    add_header X-Permitted-Cross-Domain-Policies none;
+    add_header X-Frame-Options "SAMEORIGIN";
+
+    access_by_lua_file /usr/share/ssowat/access.lua;
+
+    include conf.d/{{ domain }}.d/*.conf;
+
+    include conf.d/yunohost_admin.conf.inc;
+    include conf.d/yunohost_api.conf.inc;
+
+    access_log /var/log/nginx/{{ domain }}-access.log;
+    error_log /var/log/nginx/{{ domain }}-error.log;
+}

data/templates/nginx/yunohost_local.conf

@@ -0,0 +1 @@
+server_name $server_name yunohost.local;

data/templates/nslcd/nslcd.conf

@@ -0,0 +1,25 @@
+# /etc/nslcd.conf
+# nslcd configuration file. See nslcd.conf(5)
+# for details.
+
+# The user and group nslcd should run as.
+uid nslcd
+gid nslcd
+
+# The location at which the LDAP server(s) should be reachable.
+uri ldap://localhost/
+
+# The search base that will be used for all queries.
+base dc=yunohost,dc=org
+
+# The LDAP protocol version to use.
+#ldap_version 3
+
+# The search scope.
+#scope sub
+
+# Build a full list of non-LDAP users on startup.
+nss_initgroups_ignoreusers ALLLOCAL
+
+# The minimum numeric user id to lookup.
+nss_min_uid 1000

data/templates/nsswitch/nsswitch.conf

@@ -0,0 +1,21 @@
+# /etc/nsswitch.conf
+#
+# Example configuration of GNU Name Service Switch functionality.
+# If you have the `glibc-doc-reference' and `info' packages installed, try:
+# `info libc "Name Service Switch"' for information about this file.
+
+passwd:         compat ldap
+group:          compat ldap
+shadow:         compat ldap
+gshadow:        files
+
+hosts:          files myhostname mdns4_minimal [NOTFOUND=return] dns
+networks:       files
+
+protocols:      db files
+services:       db files
+ethers:         db files
+rpc:            db files
+
+netgroup:       nis
+sudoers:	files ldap

data/templates/postfix/main.cf

@@ -0,0 +1,154 @@
+# See /usr/share/postfix/main.cf.dist for a commented, more complete version
+
+
+# Debian specific:  Specifying a file name will cause the first
+# line of that file to be used as the name.  The Debian default
+# is /etc/mailname.
+#myorigin = /etc/mailname
+
+smtpd_banner = $myhostname Service ready
+biff = no
+
+# appending .domain is the MUA's job.
+append_dot_mydomain = no
+
+# Uncomment the next line to generate "delayed mail" warnings
+#delay_warning_time = 4h
+
+readme_directory = no
+
+# -- TLS for incoming connections
+# By default, TLS is disabled in the Postfix SMTP server, so no difference to
+# plain Postfix is visible. Explicitly switch it on with "smtpd_tls_security_level = may".
+smtpd_tls_security_level=may
+
+# Sending AUTH data over an unencrypted channel poses a security risk.
+# When TLS layer encryption is optional ("smtpd_tls_security_level = may"), it
+# may however still be useful to only offer AUTH when TLS is active. To maintain
+# compatibility with non-TLS clients, the default is to accept AUTH without
+# encryption. In order to change this behavior, we set "smtpd_tls_auth_only = yes".
+smtpd_tls_auth_only=yes
+smtpd_tls_cert_file = /etc/yunohost/certs/{{ main_domain }}/crt.pem
+smtpd_tls_key_file = /etc/yunohost/certs/{{ main_domain }}/key.pem
+smtpd_tls_exclude_ciphers = aNULL, MD5, DES, ADH, RC4, 3DES
+smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
+smtpd_tls_loglevel=1
+smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3
+smtpd_tls_mandatory_ciphers=high
+smtpd_tls_eecdh_grade = ultra
+
+# -- TLS for outgoing connections
+# Use TLS if this is supported by the remote SMTP server, otherwise use plaintext.
+smtp_tls_security_level=may
+smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
+smtp_tls_exclude_ciphers = $smtpd_tls_exclude_ciphers
+smtp_tls_mandatory_ciphers= $smtpd_tls_mandatory_ciphers
+smtp_tls_loglevel=1
+
+# Configure Root CA certificates
+# (for example, avoids getting "Untrusted TLS connection established to" messages in logs)
+smtpd_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
+smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
+
+# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
+# information on enabling SSL in the smtp client.
+
+myhostname = {{ main_domain }}
+alias_maps = hash:/etc/aliases
+alias_database = hash:/etc/aliases
+mydomain = {{ main_domain }}
+mydestination = localhost
+relayhost = 
+mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
+mailbox_command = procmail -a "$EXTENSION"
+mailbox_size_limit = 0
+recipient_delimiter = +
+inet_interfaces = all
+
+#### Fit to the maximum message size to 30mb, more than allowed by GMail or Yahoo ####
+message_size_limit = 31457280
+
+# Virtual Domains Control 
+virtual_mailbox_domains = ldap:/etc/postfix/ldap-domains.cf 
+virtual_mailbox_maps = ldap:/etc/postfix/ldap-accounts.cf 
+virtual_mailbox_base = 
+virtual_alias_maps = ldap:/etc/postfix/ldap-aliases.cf 
+virtual_alias_domains = 
+virtual_minimum_uid = 100 
+virtual_uid_maps = static:vmail 
+virtual_gid_maps = static:mail
+smtpd_sender_login_maps= ldap:/etc/postfix/ldap-accounts.cf
+
+# Dovecot LDA 
+virtual_transport = dovecot 
+dovecot_destination_recipient_limit = 1
+
+# Enable SASL authentication for the smtpd daemon 
+smtpd_sasl_auth_enable = yes 
+smtpd_sasl_type = dovecot 
+smtpd_sasl_path = private/auth 
+# Fix some outlook's bugs 
+broken_sasl_auth_clients = yes 
+# Reject anonymous connections 
+smtpd_sasl_security_options = noanonymous 
+smtpd_sasl_local_domain =
+
+
+# Wait until the RCPT TO command before evaluating restrictions 
+smtpd_delay_reject = yes 
+ 
+# Basics Restrictions 
+smtpd_helo_required = yes 
+strict_rfc821_envelopes = yes 
+ 
+# Requirements for the connecting server 
+smtpd_client_restrictions = 
+    permit_mynetworks, 
+    permit_sasl_authenticated, 
+    reject_rbl_client bl.spamcop.net, 
+    reject_rbl_client cbl.abuseat.org, 
+    reject_rbl_client zen.spamhaus.org, 
+    permit 
+ 
+# Requirements for the HELO statement 
+smtpd_helo_restrictions = 
+    permit_mynetworks, 
+    permit_sasl_authenticated, 
+    reject_non_fqdn_hostname, 
+    reject_invalid_hostname, 
+    permit 
+ 
+# Requirements for the sender address 
+smtpd_sender_restrictions =
+    reject_sender_login_mismatch, 
+    permit_mynetworks, 
+    permit_sasl_authenticated, 
+    reject_non_fqdn_sender, 
+    reject_unknown_sender_domain,
+    permit 
+ 
+# Requirement for the recipient address 
+smtpd_recipient_restrictions = 
+    permit_mynetworks, 
+    permit_sasl_authenticated, 
+    reject_non_fqdn_recipient, 
+    reject_unknown_recipient_domain, 
+    reject_unauth_destination,
+    permit
+
+# SRS
+sender_canonical_maps = regexp:/etc/postfix/sender_canonical
+sender_canonical_classes = envelope_sender
+
+# Ignore some headers
+smtp_header_checks = regexp:/etc/postfix/header_checks
+
+smtp_reply_filter = pcre:/etc/postfix/smtp_reply_filter
+
+# Rmilter
+milter_mail_macros =  i {mail_addr} {client_addr} {client_name} {auth_authen}
+milter_protocol = 6
+smtpd_milters = inet:localhost:11332
+
+# Skip email without checking if milter has died
+milter_default_action = accept