Merge branch 'dev' of https://github.com/YunoHost/yunohost into fix-1463-make-upnp-great-again

David Buscher 2022-02-06 10:46:33 +00:00
commit 457f264a53
286 changed files with 6611 additions and 6359 deletions

24
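--- a/.codeclimate.yml
+++ b/.codeclimate.yml
@@ -0,0 +1,24 @@
+---
+version: "2"
+plugins:
+duplication:
+enabled: true
+config:
+languages:
+python:
+python_version: 3
+shellcheck:
+enabled: true
+pep8:
+enabled: true
+fixme:
+enabled: true
+sonar-python:
+enabled: true
+config:
+tests_patterns:
+- bin/*
+- data/**
+- doc/*
+- src/**
+- tests/**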


@ -1,2 +1,2 @@
[report]
omit=src/yunohost/tests/*,src/yunohost/vendor/*,/usr/lib/moulinette/yunohost/*
omit=src/tests/*,src/vendor/*,/usr/lib/moulinette/yunohost/*

4
.gitignore vendored

@ -31,7 +31,7 @@ pip-log.txt
.mr.developer.cfg
# moulinette lib
src/yunohost/locales
src/locales
# Test
src/yunohost/tests/apps
src/tests/apps


@ -2,7 +2,7 @@
stages:
- build
- install
- tests
- test
- lint
- doc
- translation
@ -13,12 +13,25 @@ default:
# All jobs are interruptible by default
interruptible: true
code_quality:
tags:
- docker
code_quality_html:
extends: code_quality
variables:
REPORT_FORMAT: html
artifacts:
paths: [gl-code-quality-report.html]
# see: https://docs.gitlab.com/ee/ci/yaml/#switch-between-branch-pipelines-and-merge-request-pipelines
workflow:
rules:
- if: $CI_PIPELINE_SOURCE == "merge_request_event" # If we move to gitlab one day
- if: $CI_PIPELINE_SOURCE == "external_pull_request_event" # For github PR
- if: $CI_COMMIT_TAG # For tags
- if: $CI_COMMIT_REF_NAME == "ci-format-$CI_DEFAULT_BRANCH" # Ignore black formatting branch created by the CI
when: never
- if: $CI_COMMIT_REF_NAME != $CI_DEFAULT_BRANCH && $CI_PIPELINE_SOURCE == "push" # If it's not the default branch and if it's a push, then do not trigger a build
when: never
- when: always
@ -27,4 +40,5 @@ variables:
YNH_BUILD_DIR: "ynh-build"
include:
- template: Code-Quality.gitlab-ci.yml
- local: .gitlab/ci/*.gitlab-ci.yml


@ -5,11 +5,13 @@
YNH_SOURCE: "https://github.com/yunohost"
before_script:
- mkdir -p $YNH_BUILD_DIR
- DEBIAN_FRONTEND=noninteractive apt update
artifacts:
paths:
- $YNH_BUILD_DIR/*.deb
.build_script: &build_script
- DEBIAN_FRONTEND=noninteractive apt --assume-yes -o Dpkg::Options::="--force-confold" install devscripts --no-install-recommends
- cd $YNH_BUILD_DIR/$PACKAGE
- VERSION=$(dpkg-parsechangelog -S Version 2>/dev/null)
- VERSION_NIGHTLY="${VERSION}+$(date +%Y%m%d%H%M)"


@ -3,38 +3,29 @@
########################################
# later we must fix lint and format-check jobs and remove "allow_failure"
---
lint37:
lint39:
stage: lint
image: "before-install"
needs: []
allow_failure: true
script:
- tox -e py37-lint
- tox -e py39-lint
invalidcode37:
invalidcode39:
stage: lint
image: "before-install"
needs: []
script:
- tox -e py37-invalidcode
- tox -e py39-invalidcode
mypy:
stage: lint
image: "before-install"
needs: []
script:
- tox -e py37-mypy
- tox -e py39-mypy
format-check:
stage: lint
image: "before-install"
allow_failure: true
needs: []
script:
- tox -e py37-black-check
format-run:
black:
stage: lint
image: "before-install"
needs: []
@ -47,11 +38,11 @@ format-run:
script:
# create a local branch that will overwrite distant one
- git checkout -b "ci-format-${CI_COMMIT_REF_NAME}" --no-track
- tox -e py37-black-run
- tox -e py39-black-run
- '[ $(git diff | wc -l) != 0 ] || exit 0' # stop if there is nothing to commit
- git commit -am "[CI] Format code" || true
- git commit -am "[CI] Format code with Black" || true
- git push -f origin "ci-format-${CI_COMMIT_REF_NAME}":"ci-format-${CI_COMMIT_REF_NAME}"
- hub pull-request -m "[CI] Format code" -b Yunohost:dev -p || true # GITHUB_USER and GITHUB_TOKEN registered here https://gitlab.com/yunohost/yunohost/-/settings/ci_cd
- hub pull-request -m "[CI] Format code with Black" -b Yunohost:$CI_COMMIT_REF_NAME -p || true # GITHUB_USER and GITHUB_TOKEN registered here https://gitlab.com/yunohost/yunohost/-/settings/ci_cd
only:
refs:
- dev
variables:
- $CI_COMMIT_REF_NAME == $CI_DEFAULT_BRANCH


@ -1,9 +1,10 @@
.install_debs: &install_debs
- apt-get update -o Acquire::Retries=3
- DEBIAN_FRONTEND=noninteractive SUDO_FORCE_REMOVE=yes apt --assume-yes -o Dpkg::Options::="--force-confold" --allow-downgrades install ./$YNH_BUILD_DIR/*.deb
- pip3 install -U mock pip pytest pytest-cov pytest-mock pytest-sugar requests-mock tox ansi2html black jinja2
.test-stage:
stage: tests
stage: test
image: "after-install"
variables:
PYTEST_ADDOPTS: "--color=yes"
@ -11,7 +12,7 @@
- *install_debs
cache:
paths:
- src/yunohost/tests/apps
- src/tests/apps
key: "$CI_JOB_STAGE-$CI_COMMIT_REF_SLUG"
needs:
- job: build-yunohost
@ -22,13 +23,12 @@
artifacts: true
- job: upgrade
########################################
# TESTS
########################################
full-tests:
stage: tests
stage: test
image: "before-install"
variables:
PYTEST_ADDOPTS: "--color=yes"
@ -36,7 +36,7 @@ full-tests:
- *install_debs
- yunohost tools postinstall -d domain.tld -p the_password --ignore-dyndns --force-diskspace
script:
- python3 -m pytest --cov=yunohost tests/ src/yunohost/tests/ data/hooks/diagnosis/ --junitxml=report.xml
- python3 -m pytest --cov=yunohost tests/ src/tests/ src/diagnosers/ --junitxml=report.xml
- cd tests
- bash test_helpers.sh
needs:
@ -50,31 +50,13 @@ full-tests:
reports:
junit: report.xml
test-i18n-keys:
extends: .test-stage
script:
- python3 -m pytest tests/test_i18n_keys.py
only:
changes:
- locales/en.json
- src/yunohost/*.py
- data/hooks/diagnosis/*.py
test-translation-format-consistency:
extends: .test-stage
script:
- python3 -m pytest tests/test_translation_format_consistency.py
only:
changes:
- locales/*
test-actionmap:
extends: .test-stage
script:
- python3 -m pytest tests/test_actionmap.py
only:
changes:
- data/actionsmap/*.yml
- share/actionsmap.yml
test-helpers:
extends: .test-stage
@ -83,126 +65,126 @@ test-helpers:
- bash test_helpers.sh
only:
changes:
- data/helpers.d/*
- helpers/*
test-domains:
extends: .test-stage
script:
- python3 -m pytest src/yunohost/tests/test_domains.py
- python3 -m pytest src/tests/test_domains.py
only:
changes:
- src/yunohost/domain.py
- src/domain.py
test-dns:
extends: .test-stage
script:
- python3 -m pytest src/yunohost/tests/test_dns.py
- python3 -m pytest src/tests/test_dns.py
only:
changes:
- src/yunohost/dns.py
- src/yunohost/utils/dns.py
- src/dns.py
- src/utils/dns.py
test-apps:
extends: .test-stage
script:
- python3 -m pytest src/yunohost/tests/test_apps.py
- python3 -m pytest src/tests/test_apps.py
only:
changes:
- src/yunohost/app.py
- src/app.py
test-appscatalog:
extends: .test-stage
script:
- python3 -m pytest src/yunohost/tests/test_app_catalog.py
- python3 -m pytest src/tests/test_app_catalog.py
only:
changes:
- src/yunohost/app_calalog.py
- src/app_calalog.py
test-appurl:
extends: .test-stage
script:
- python3 -m pytest src/yunohost/tests/test_appurl.py
- python3 -m pytest src/tests/test_appurl.py
only:
changes:
- src/yunohost/app.py
- src/app.py
test-questions:
extends: .test-stage
script:
- python3 -m pytest src/yunohost/tests/test_questions.py
- python3 -m pytest src/tests/test_questions.py
only:
changes:
- src/yunohost/utils/config.py
- src/utils/config.py
test-app-config:
extends: .test-stage
script:
- python3 -m pytest src/yunohost/tests/test_app_config.py
- python3 -m pytest src/tests/test_app_config.py
only:
changes:
- src/yunohost/app.py
- src/yunohost/utils/config.py
- src/app.py
- src/utils/config.py
test-changeurl:
extends: .test-stage
script:
- python3 -m pytest src/yunohost/tests/test_changeurl.py
- python3 -m pytest src/tests/test_changeurl.py
only:
changes:
- src/yunohost/app.py
- src/app.py
test-backuprestore:
extends: .test-stage
script:
- python3 -m pytest src/yunohost/tests/test_backuprestore.py
- python3 -m pytest src/tests/test_backuprestore.py
only:
changes:
- src/yunohost/backup.py
- src/backup.py
test-permission:
extends: .test-stage
script:
- python3 -m pytest src/yunohost/tests/test_permission.py
- python3 -m pytest src/tests/test_permission.py
only:
changes:
- src/yunohost/permission.py
- src/permission.py
test-settings:
extends: .test-stage
script:
- python3 -m pytest src/yunohost/tests/test_settings.py
- python3 -m pytest src/tests/test_settings.py
only:
changes:
- src/yunohost/settings.py
- src/settings.py
test-user-group:
extends: .test-stage
script:
- python3 -m pytest src/yunohost/tests/test_user-group.py
- python3 -m pytest src/tests/test_user-group.py
only:
changes:
- src/yunohost/user.py
- src/user.py
test-regenconf:
extends: .test-stage
script:
- python3 -m pytest src/yunohost/tests/test_regenconf.py
- python3 -m pytest src/tests/test_regenconf.py
only:
changes:
- src/yunohost/regenconf.py
- src/regenconf.py
test-service:
extends: .test-stage
script:
- python3 -m pytest src/yunohost/tests/test_service.py
- python3 -m pytest src/tests/test_service.py
only:
changes:
- src/yunohost/service.py
- src/service.py
test-ldapauth:
extends: .test-stage
script:
- python3 -m pytest src/yunohost/tests/test_ldapauth.py
- python3 -m pytest src/tests/test_ldapauth.py
only:
changes:
- src/yunohost/authenticators/*.py
- src/authenticators/*.py
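Review bot: The `changes:` filter of `test-appscatalog` keeps the misspelled file name through the path rename (`src/app_calalog.py`), while the test it guards is `test_app_catalog.py`, so the pattern presumably matches no file and the job never triggers on a catalog change. If the module is named like the test, the entry should read `- src/app_catalog.py`. The file list of `src/` is not visible on this page, so this needs confirming against the tree.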


@ -1,6 +1,15 @@
########################################
# TRANSLATION
########################################
test-i18n-keys:
stage: translation
script:
- python3 maintenance/missing_i18n_keys.py --check
only:
changes:
- locales/en.json
- src/*.py
- src/diagnosers/*.py
autofix-translated-strings:
stage: translation
@ -10,18 +19,17 @@ autofix-translated-strings:
- apt-get update -y && apt-get install git hub -y
- git config --global user.email "yunohost@yunohost.org"
- git config --global user.name "$GITHUB_USER"
- git remote set-url origin https://$GITHUB_TOKEN:x-oauth-basic@github.com/YunoHost/yunohost.git
- hub clone --branch ${CI_COMMIT_REF_NAME} "https://$GITHUB_TOKEN:x-oauth-basic@github.com/YunoHost/yunohost.git" github_repo
- cd github_repo
script:
- cd tests # Maybe move this script location to another folder?
# create a local branch that will overwrite distant one
- git checkout -b "ci-autofix-translated-strings-${CI_COMMIT_REF_NAME}" --no-track
- python3 remove_stale_translated_strings.py
- python3 autofix_locale_format.py
- python3 reformat_locales.py
- '[ $(git diff -w | wc -l) != 0 ] || exit 0' # stop if there is nothing to commit
- python3 maintenance/missing_i18n_keys.py --fix
- python3 maintenance/autofix_locale_format.py
- '[ $(git diff | wc -l) != 0 ] || exit 0' # stop if there is nothing to commit
- git commit -am "[CI] Reformat / remove stale translated strings" || true
- git push -f origin "HEAD":"ci-remove-stale-translated-strings-${CI_COMMIT_REF_NAME}"
- hub pull-request -m "[CI] Reformat / remove stale translated strings" -b Yunohost:dev -p || true # GITHUB_USER and GITHUB_TOKEN registered here https://gitlab.com/yunohost/yunohost/-/settings/ci_cd
- git push -f origin "ci-autofix-translated-strings-${CI_COMMIT_REF_NAME}":"ci-remove-stale-translated-strings-${CI_COMMIT_REF_NAME}"
- hub pull-request -m "[CI] Reformat / remove stale translated strings" -b Yunohost:$CI_COMMIT_REF_NAME -p || true # GITHUB_USER and GITHUB_TOKEN registered here https://gitlab.com/yunohost/yunohost/-/settings/ci_cd
only:
variables:
- $CI_COMMIT_REF_NAME == $CI_DEFAULT_BRANCH
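Review bot: The `hub clone` line in `before_script` puts `$GITHUB_TOKEN` in the remote URL, so the token is written to `github_repo/.git/config` as the `origin` URL and can be printed by any git error or command that echoes that URL into the job log. Confirm the variable is marked as masked in the GitLab CI/CD settings the comment points to, and consider supplying it through a git credential helper rather than the URL. The same line leaves `${CI_COMMIT_REF_NAME}` unquoted while the `git checkout -b` and `git push` lines quote it; `--branch "${CI_COMMIT_REF_NAME}"` would match them.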

4
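--- a/.lgtm.yml
+++ b/.lgtm.yml
@@ -0,0 +1,4 @@
+extraction:
+python:
+python_setup:
+version: "3"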


@ -9,6 +9,7 @@
![Version](https://img.shields.io/github/v/tag/yunohost/yunohost?label=version&sort=semver)
[![Build status](https://shields.io/gitlab/pipeline/yunohost/yunohost/dev)](https://gitlab.com/yunohost/yunohost/-/pipelines)
![Test coverage](https://img.shields.io/gitlab/coverage/yunohost/yunohost/dev)
[![Language grade: Python](https://img.shields.io/lgtm/grade/python/g/YunoHost/yunohost.svg?logo=lgtm&logoWidth=18)](https://lgtm.com/projects/g/YunoHost/yunohost/context:python)
[![GitHub license](https://img.shields.io/github/license/YunoHost/yunohost)](https://github.com/YunoHost/yunohost/blob/dev/LICENSE)
[![Mastodon Follow](https://img.shields.io/mastodon/follow/28084)](https://mastodon.social/@yunohost)


@ -4,45 +4,48 @@
import os
import sys
import argparse
sys.path.insert(0, "/usr/lib/moulinette/")
import yunohost
def _parse_cli_args():
"""Parse additional arguments for the cli"""
parser = argparse.ArgumentParser(add_help=False)
parser.add_argument('--output-as',
choices=['json', 'plain', 'none'], default=None,
help="Output result in another format"
parser.add_argument(
"--output-as",
choices=["json", "plain", "none"],
default=None,
help="Output result in another format",
)
parser.add_argument('--debug',
action='store_true', default=False,
help="Log and print debug messages"
parser.add_argument(
"--debug",
action="store_true",
default=False,
help="Log and print debug messages",
)
parser.add_argument('--quiet',
action='store_true', default=False,
help="Don't produce any output"
parser.add_argument(
"--quiet", action="store_true", default=False, help="Don't produce any output"
)
parser.add_argument('--timeout',
type=int, default=None,
help="Number of seconds before this command will timeout because it can't acquire the lock (meaning that another command is currently running), by default there is no timeout and the command will wait until it can get the lock"
parser.add_argument(
"--timeout",
type=int,
default=None,
help="Number of seconds before this command will timeout because it can't acquire the lock (meaning that another command is currently running), by default there is no timeout and the command will wait until it can get the lock",
)
# deprecated arguments
parser.add_argument('--plain',
action='store_true', default=False, help=argparse.SUPPRESS
parser.add_argument(
"--plain", action="store_true", default=False, help=argparse.SUPPRESS
)
parser.add_argument('--json',
action='store_true', default=False, help=argparse.SUPPRESS
parser.add_argument(
"--json", action="store_true", default=False, help=argparse.SUPPRESS
)
opts, args = parser.parse_known_args()
# output compatibility
if opts.plain:
opts.output_as = 'plain'
opts.output_as = "plain"
elif opts.json:
opts.output_as = 'json'
opts.output_as = "json"
return (parser, opts, args)
@ -54,10 +57,12 @@ if os.environ["PATH"] != default_path:
# Main action ----------------------------------------------------------
if __name__ == '__main__':
if __name__ == "__main__":
if os.geteuid() != 0:
sys.stderr.write("\033[1;31mError:\033[0m yunohost command must be "
"run as root or with sudo.\n")
sys.stderr.write(
"\033[1;31mError:\033[0m yunohost command must be "
"run as root or with sudo.\n"
)
sys.exit(1)
parser, opts, args = _parse_cli_args()
@ -69,5 +74,5 @@ if __name__ == '__main__':
output_as=opts.output_as,
timeout=opts.timeout,
args=args,
parser=parser
parser=parser,
)


@ -1,44 +1,53 @@
#! /usr/bin/python3
# -*- coding: utf-8 -*-
import sys
import argparse
sys.path.insert(0, "/usr/lib/moulinette/")
import yunohost
# Default server configuration
DEFAULT_HOST = 'localhost'
DEFAULT_HOST = "localhost"
DEFAULT_PORT = 6787
def _parse_api_args():
"""Parse main arguments for the api"""
parser = argparse.ArgumentParser(add_help=False,
parser = argparse.ArgumentParser(
add_help=False,
description="Run the YunoHost API to manage your server.",
)
srv_group = parser.add_argument_group('server configuration')
srv_group.add_argument('-h', '--host',
action='store', default=DEFAULT_HOST,
srv_group = parser.add_argument_group("server configuration")
srv_group.add_argument(
"-h",
"--host",
action="store",
default=DEFAULT_HOST,
help="Host to listen on (default: %s)" % DEFAULT_HOST,
)
srv_group.add_argument('-p', '--port',
action='store', default=DEFAULT_PORT, type=int,
srv_group.add_argument(
"-p",
"--port",
action="store",
default=DEFAULT_PORT,
type=int,
help="Port to listen on (default: %d)" % DEFAULT_PORT,
)
glob_group = parser.add_argument_group('global arguments')
glob_group.add_argument('--debug',
action='store_true', default=False,
glob_group = parser.add_argument_group("global arguments")
glob_group.add_argument(
"--debug",
action="store_true",
default=False,
help="Set log level to DEBUG",
)
glob_group.add_argument('--help',
action='help', help="Show this help message and exit",
glob_group.add_argument(
"--help",
action="help",
help="Show this help message and exit",
)
return parser.parse_args()
if __name__ == '__main__':
if __name__ == "__main__":
opts = _parse_api_args()
# Run the server
yunohost.api(debug=opts.debug, host=opts.host, port=opts.port)


@ -21,8 +21,20 @@ def get_network_local_interfaces() -> Dict[str, Dict[str, List[str]]]:
interfaces = {
adapter.name: {
"ipv4": [ip.ip for ip in adapter.ips if ip.is_IPv4 and ip_address(ip.ip).is_private],
"ipv6": [ip.ip[0] for ip in adapter.ips if ip.is_IPv6 and ip_address(ip.ip[0]).is_private and not ip_address(ip.ip[0]).is_link_local],
"ipv4": [
ip.ip
for ip in adapter.ips
if ip.is_IPv4
and ip_address(ip.ip).is_private
and not ip_address(ip.ip).is_link_local
],
"ipv6": [
ip.ip[0]
for ip in adapter.ips
if ip.is_IPv6
and ip_address(ip.ip[0]).is_private
and not ip_address(ip.ip[0]).is_link_local
],
}
for adapter in ifaddr.get_adapters()
if adapter.name != "lo"
@ -33,7 +45,6 @@ def get_network_local_interfaces() -> Dict[str, Dict[str, List[str]]]:
# Listener class, to detect duplicates on the network
# Stores the list of servers in its list property
class Listener:
def __init__(self):
self.list = []
@ -66,14 +77,18 @@ def main() -> bool:
return False
if "interfaces" not in config:
config["interfaces"] = [interface
for interface, local_ips in interfaces.items()
if local_ips["ipv4"]]
config["interfaces"] = [
interface
for interface, local_ips in interfaces.items()
if local_ips["ipv4"]
]
if "ban_interfaces" in config:
config["interfaces"] = [interface
for interface in config["interfaces"]
if interface not in config["ban_interfaces"]]
config["interfaces"] = [
interface
for interface in config["interfaces"]
if interface not in config["ban_interfaces"]
]
# Let's discover currently published .local domains accross the network
zc = Zeroconf()
@ -103,14 +118,18 @@ def main() -> bool:
return domain_i
config['domains'] = [find_domain_not_already_published(domain) for domain in config['domains']]
config["domains"] = [
find_domain_not_already_published(domain) for domain in config["domains"]
]
zcs: Dict[Zeroconf, List[ServiceInfo]] = {}
for interface in config["interfaces"]:
if interface not in interfaces:
print(f"Interface {interface} listed in config file is not present on system.")
print(
f"Interface {interface} listed in config file is not present on system."
)
continue
# Only broadcast IPv4 because IPv6 is buggy ... because we ain't using python3-ifaddr >= 0.1.7
@ -149,7 +168,9 @@ def main() -> bool:
print("Registering...")
for zc, infos in zcs.items():
for info in infos:
zc.register_service(info, allow_name_change=True, cooperating_responders=True)
zc.register_service(
info, allow_name_change=True, cooperating_responders=True
)
try:
print("Registered. Press Ctrl+C or stop service to stop.")


@ -0,0 +1,10 @@
domain-needed
expand-hosts
localise-queries
{% set interfaces = wireless_interfaces.strip().split(' ') %}
{% for interface in interfaces %}
interface={{ interface }}
{% endfor %}
resolv-file=/etc/resolv.dnsmasq.conf
cache-size=256
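Review bot: `wireless_interfaces.strip().split(' ')` returns `['']` when the variable is empty and produces empty items when names are separated by more than one space, so the loop would then emit a bare `interface=` line. `{% set interfaces = wireless_interfaces.split() %}` drops empty items and is the form the dovecot and postfix `sni` templates on this page use for `domain_list`. The `interfaces.split(' ')` that appears to be added to the per-domain dnsmasq template in the next file section has the same issue, without the `strip()`. How dnsmasq treats an empty `interface=` value is not visible here.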


@ -1,5 +1,8 @@
host-record={{ domain }},{{ ipv4 }}
host-record=xmpp-upload.{{ domain }},{{ ipv4 }}
{% set interfaces_list = interfaces.split(' ') %}
{% for interface in interfaces_list %}
interface-name={{ domain }},{{ interface }}
interface-name=xmpp-upload.{{ domain }},{{ interface }}
{% endfor %}
{% if ipv6 %}
host-record={{ domain }},{{ ipv6 }}
host-record=xmpp-upload.{{ domain }},{{ ipv6 }}


@ -21,9 +21,14 @@ ssl = required
ssl_cert = </etc/yunohost/certs/{{ main_domain }}/crt.pem
ssl_key = </etc/yunohost/certs/{{ main_domain }}/key.pem
{% for domain in domain_list.split() %}{% if domain != main_domain %}
local_name {{ domain }} {
ssl_cert = </etc/yunohost/certs/{{ domain }}/crt.pem
ssl_key = </etc/yunohost/certs/{{ domain }}/key.pem
}{% endif %}{% endfor %}
# curl https://ssl-config.mozilla.org/ffdhe2048.txt > /path/to/dhparam
ssl_dh = </usr/share/yunohost/other/ffdhe2048.pem
ssl_dh = </usr/share/yunohost/ffdhe2048.pem
# intermediate configuration
ssl_min_protocol = TLSv1.2
@ -78,6 +83,20 @@ service quota-warning {
}
}
service stats {
unix_listener stats-reader {
user = vmail
group = mail
mode = 0660
}
unix_listener stats-writer {
user = vmail
group = mail
mode = 0660
}
}
plugin {
sieve = /var/mail/sievescript/%n/.dovecot.sieve
sieve_dir = /var/mail/sievescript/%n/scripts/


@ -1,6 +1,7 @@
[Unit]
Description=YunoHost mDNS service
After=network.target
Wants=network-online.target
After=network-online.target
[Service]
User=mdns
@ -8,7 +9,7 @@ Group=mdns
Type=simple
Environment=PYTHONUNBUFFERED=1
ExecStart=/usr/bin/yunomdns
StandardOutput=syslog
StandardOutput=journal
[Install]
WantedBy=default.target


@ -18,7 +18,7 @@ ssl_prefer_server_ciphers off;
# Pre-defined FFDHE group (RFC 7919)
# From https://ssl-config.mozilla.org/ffdhe2048.txt
# https://security.stackexchange.com/a/149818
ssl_dhparam /usr/share/yunohost/other/ffdhe2048.pem;
ssl_dhparam /usr/share/yunohost/ffdhe2048.pem;
{% endif %}
@ -26,11 +26,11 @@ ssl_dhparam /usr/share/yunohost/other/ffdhe2048.pem;
# https://wiki.mozilla.org/Security/Guidelines/Web_Security
# https://observatory.mozilla.org/
{% if experimental == "True" %}
more_set_headers "Content-Security-Policy : upgrade-insecure-requests; default-src https: data:";
more_set_headers "Content-Security-Policy : upgrade-insecure-requests; default-src https: data: blob: ; object-src https: data: 'unsafe-inline'; style-src https: data: 'unsafe-inline' ; script-src https: data: 'unsafe-inline' 'unsafe-eval'";
{% else %}
more_set_headers "Content-Security-Policy : upgrade-insecure-requests";
more_set_headers "Content-Security-Policy-Report-Only : default-src https: data: blob: ; object-src https: data: 'unsafe-inline'; style-src https: data: 'unsafe-inline' ; script-src https: data: 'unsafe-inline' 'unsafe-eval'";
{% endif %}
more_set_headers "Content-Security-Policy-Report-Only : default-src https: data: 'unsafe-inline' 'unsafe-eval' ";
more_set_headers "X-Content-Type-Options : nosniff";
more_set_headers "X-XSS-Protection : 1; mode=block";
more_set_headers "X-Download-Options : noopen";
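Review bot: The policy string on the `experimental` branch allows `'unsafe-inline'`, `'unsafe-eval'` and `data:` in `script-src`, so the enforced header does not stop injected inline script; the same string is what the `Content-Security-Policy-Report-Only` header in the `{% else %}` branch reports against. `'unsafe-inline'` has no meaning in `object-src`; unless apps are known to need plugin content, `object-src 'none'` is the tighter value, and the admin location on this page already uses it. The report-only header names no `report-uri` or `report-to`, so violations surface only in the browser console. A short comment above the two headers saying why the inline and eval allowances are needed would help whoever tightens them later.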


@ -13,6 +13,12 @@ location /yunohost/admin/ {
deny all;
{% endif %}
location = /yunohost/admin/index.html {
etag off;
expires off;
more_set_headers "Cache-Control: no-store, no-cache, must-revalidate";
}
more_set_headers "Content-Security-Policy: upgrade-insecure-requests; default-src 'self'; connect-src 'self' https://paste.yunohost.org wss://$host; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-eval'; object-src 'none'; img-src 'self' data:;";
more_set_headers "Content-Security-Policy-Report-Only:";
}


@ -23,8 +23,11 @@ smtpd_use_tls = yes
smtpd_tls_security_level = may
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/yunohost/certs/{{ main_domain }}/crt.pem
smtpd_tls_key_file = /etc/yunohost/certs/{{ main_domain }}/key.pem
smtpd_tls_chain_files =
/etc/yunohost/certs/{{ main_domain }}/key.pem,
/etc/yunohost/certs/{{ main_domain }}/crt.pem
tls_server_chain_sni_maps = hash:/etc/postfix/sni
{% if compatibility == "intermediate" %}
# generated 2020-08-18, Mozilla Guideline v5.6, Postfix 3.4.14, OpenSSL 1.1.1d, intermediate configuration
@ -36,7 +39,7 @@ smtpd_tls_mandatory_ciphers = medium
# curl https://ssl-config.mozilla.org/ffdhe2048.txt > /path/to/dhparam.pem
# not actually 1024 bits, this applies to all DHE >= 1024 bits
smtpd_tls_dh1024_param_file = /usr/share/yunohost/other/ffdhe2048.pem
smtpd_tls_dh1024_param_file = /usr/share/yunohost/ffdhe2048.pem
tls_medium_cipherlist = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
{% else %}
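Review bot: `tls_server_chain_sni_maps = hash:/etc/postfix/sni` needs the lookup table built with `postmap -F`, which stores the content of each listed key and certificate file inside the resulting `.db` rather than the file names. The map therefore has to be rebuilt after every certificate renewal, and the `.db` file holds private keys, so it needs the same restrictive ownership and mode as `key.pem`. Neither the `postmap` call nor the permissions are visible on this page; both are worth confirming in the regen-conf hook. A comment next to the setting, such as `# built with postmap -F; rebuild after cert renewal`, would record this.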

2
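--- a/conf/postfix/sni
+++ b/conf/postfix/sni
@@ -0,0 +1,2 @@
+{% for domain in domain_list.split() %}{{ domain }} /etc/yunohost/certs/{{ domain }}/key.pem /etc/yunohost/certs/{{ domain }}/crt.pem
+{% endfor %}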


@ -2,6 +2,8 @@
# by YunoHost
Protocol 2
# PLEASE: if you wish to change the ssh port properly in YunoHost, use this command:
# yunohost settings set security.ssh.port -v <port>
Port {{ port }}
{% if ipv6_enabled == "true" %}ListenAddress ::{% endif %}
@ -53,9 +55,13 @@ PermitEmptyPasswords no
ChallengeResponseAuthentication no
UsePAM yes
# Change to no to disable tunnelled clear text passwords
# (i.e. everybody will need to authenticate using ssh keys)
# PLEASE: if you wish to force everybody to authenticate using ssh keys, run this command:
# yunohost settings set security.ssh.password_authentication -v no
{% if password_authentication == "False" %}
PasswordAuthentication no
{% else %}
#PasswordAuthentication yes
{% endif %}
# Post-login stuff
Banner /etc/issue.net
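Review bot: The `{% if password_authentication == "False" %}` test matches only that exact string, so every other value, including an unset variable or `false`/`no`, falls to the `{% else %}` branch where the directive is commented out and sshd keeps its built-in default of allowing password logins. The `ipv6_enabled == "true"` test a few lines up uses lowercase, so the casing convention is not uniform across settings in this template. Consider normalising before comparing, e.g. `{% if password_authentication | lower in ["false", "no"] %}`, or document in a comment the exact values the regen-conf hook passes. The hook that sets the variable is not on this page.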


@ -5,7 +5,7 @@
# This definition stops the following lines choking if HOME isn't
# defined.
HOME = /usr/share/yunohost/yunohost-config/ssl
HOME = /usr/share/yunohost/ssl
RANDFILE = $ENV::HOME/.rnd
# Extra OBJECT IDENTIFIER info:
@ -34,7 +34,7 @@ default_ca = Yunohost # The default ca section
####################################################################
[ Yunohost ]
dir = /usr/share/yunohost/yunohost-config/ssl/yunoCA # Where everything is kept
dir = /usr/share/yunohost/ssl # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file.


@ -12,24 +12,31 @@ metronome:
log: [/var/log/metronome/metronome.log,/var/log/metronome/metronome.err]
needs_exposed_ports: [5222, 5269]
category: xmpp
ignore_if_package_is_not_installed: metronome
mysql:
log: [/var/log/mysql.log,/var/log/mysql.err,/var/log/mysql/error.log]
actual_systemd_service: mariadb
category: database
ignore_if_package_is_not_installed: mariadb-server
nginx:
log: /var/log/nginx
test_conf: nginx -t
needs_exposed_ports: [80, 443]
category: web
php7.3-fpm:
log: /var/log/php7.3-fpm.log
test_conf: php-fpm7.3 --test
category: web
# Yunohost will dynamically add installed php-fpm services (7.3, 7.4, 8.0, ...) in services.py
#php7.4-fpm:
# log: /var/log/php7.4-fpm.log
# test_conf: php-fpm7.4 --test
# category: web
postfix:
log: [/var/log/mail.log,/var/log/mail.err]
actual_systemd_service: postfix@-
needs_exposed_ports: [25, 587]
category: email
postgresql:
actual_systemd_service: 'postgresql@13-main'
category: database
ignore_if_package_is_not_installed: postgresql-13
redis-server:
log: /var/log/redis/redis-server.log
category: database
@ -68,5 +75,6 @@ spamassassin: null
rmilter: null
php5-fpm: null
php7.0-fpm: null
php7.3-fpm: null
nslcd: null
avahi-daemon: null


@ -4,9 +4,7 @@ After=network.target
[Service]
Type=simple
Environment=DAEMON_OPTS=
EnvironmentFile=-/etc/default/yunohost-api
ExecStart=/usr/bin/yunohost-api $DAEMON_OPTS
ExecStart=/usr/bin/yunohost-api
Restart=always
RestartSec=5
TimeoutStopSec=30


@ -1,240 +0,0 @@
#!/bin/bash
set -e
do_init_regen() {
if [[ $EUID -ne 0 ]]; then
echo "You must be root to run this script" 1>&2
exit 1
fi
cd /usr/share/yunohost/templates/yunohost
[[ -d /etc/yunohost ]] || mkdir -p /etc/yunohost
# set default current_host
[[ -f /etc/yunohost/current_host ]] \
|| echo "yunohost.org" > /etc/yunohost/current_host
# copy default services and firewall
[[ -f /etc/yunohost/firewall.yml ]] \
|| cp firewall.yml /etc/yunohost/firewall.yml
# allow users to access /media directory
[[ -d /etc/skel/media ]] \
|| (mkdir -p /media && ln -s /media /etc/skel/media)
# Cert folders
mkdir -p /etc/yunohost/certs
chown -R root:ssl-cert /etc/yunohost/certs
chmod 750 /etc/yunohost/certs
# App folders
mkdir -p /etc/yunohost/apps
chmod 700 /etc/yunohost/apps
mkdir -p /home/yunohost.app
chmod 755 /home/yunohost.app
# Domain settings
mkdir -p /etc/yunohost/domains
chmod 700 /etc/yunohost/domains
# Backup folders
mkdir -p /home/yunohost.backup/archives
chmod 750 /home/yunohost.backup/archives
chown root:root /home/yunohost.backup/archives # This is later changed to admin:root once admin user exists
# Empty ssowat json persistent conf
echo "{}" > '/etc/ssowat/conf.json.persistent'
chmod 644 /etc/ssowat/conf.json.persistent
chown root:root /etc/ssowat/conf.json.persistent
# Empty service conf
touch /etc/yunohost/services.yml
mkdir -p /var/cache/yunohost/repo
chown root:root /var/cache/yunohost
chmod 700 /var/cache/yunohost
cp yunoprompt.service /etc/systemd/system/yunoprompt.service
cp dpkg-origins /etc/dpkg/origins/yunohost
# Change dpkg vendor
# see https://wiki.debian.org/Derivatives/Guidelines#Vendor
readlink -f /etc/dpkg/origins/default | grep -q debian \
&& rm -f /etc/dpkg/origins/default \
&& ln -s /etc/dpkg/origins/yunohost /etc/dpkg/origins/default
}
do_pre_regen() {
pending_dir=$1
cd /usr/share/yunohost/templates/yunohost
# Legacy code that can be removed once on bullseye
touch /etc/yunohost/services.yml
yunohost tools shell -c "from yunohost.service import _get_services, _save_services; _save_services(_get_services())"
mkdir -p $pending_dir/etc/systemd/system
mkdir -p $pending_dir/etc/cron.d/
mkdir -p $pending_dir/etc/cron.daily/
# add cron job for diagnosis to be ran at 7h and 19h + a random delay between
# 0 and 20min, meant to avoid every instances running their diagnosis at
# exactly the same time, which may overload the diagnosis server.
cat > $pending_dir/etc/cron.d/yunohost-diagnosis << EOF
SHELL=/bin/bash
0 7,19 * * * root : YunoHost Automatic Diagnosis; sleep \$((RANDOM\\%1200)); yunohost diagnosis run --email > /dev/null 2>/dev/null || echo "Running the automatic diagnosis failed miserably"
EOF
# Cron job that upgrade the app list everyday
cat > $pending_dir/etc/cron.daily/yunohost-fetch-apps-catalog << EOF
#!/bin/bash
(sleep \$((RANDOM%3600)); yunohost tools update --apps > /dev/null) &
EOF
# Cron job that renew lets encrypt certificates if there's any that needs renewal
cat > $pending_dir/etc/cron.daily/yunohost-certificate-renew << EOF
#!/bin/bash
yunohost domain cert renew --email
EOF
# If we subscribed to a dyndns domain, add the corresponding cron
# - delay between 0 and 60 secs to spread the check over a 1 min window
# - do not run the command if some process already has the lock, to avoid queuing hundreds of commands...
if ls -l /etc/yunohost/dyndns/K*.private 2>/dev/null
then
cat > $pending_dir/etc/cron.d/yunohost-dyndns << EOF
SHELL=/bin/bash
*/10 * * * * root : YunoHost DynDNS update; sleep \$((RANDOM\\%60)); test -e /var/run/moulinette_yunohost.lock || yunohost dyndns update >> /dev/null
EOF
fi
# legacy stuff to avoid yunohost reporting etckeeper as manually modified
# (this make sure that the hash is null / file is flagged as to-delete)
mkdir -p $pending_dir/etc/etckeeper
touch $pending_dir/etc/etckeeper/etckeeper.conf
# Skip ntp if inside a container (inspired from the conf of systemd-timesyncd)
mkdir -p ${pending_dir}/etc/systemd/system/ntp.service.d/
echo "
[Unit]
ConditionCapability=CAP_SYS_TIME
ConditionVirtualization=!container
" > ${pending_dir}/etc/systemd/system/ntp.service.d/ynh-override.conf
# Make nftable conflict with yunohost-firewall
mkdir -p ${pending_dir}/etc/systemd/system/nftables.service.d/
cat > ${pending_dir}/etc/systemd/system/nftables.service.d/ynh-override.conf << EOF
[Unit]
# yunohost-firewall and nftables conflict with each other
Conflicts=yunohost-firewall.service
ConditionFileIsExecutable=!/etc/init.d/yunohost-firewall
ConditionPathExists=!/etc/systemd/system/multi-user.target.wants/yunohost-firewall.service
EOF
# Don't suspend computer on LidSwitch
mkdir -p ${pending_dir}/etc/systemd/logind.conf.d/
cat > ${pending_dir}/etc/systemd/logind.conf.d/ynh-override.conf << EOF
[Login]
HandleLidSwitch=ignore
HandleLidSwitchDocked=ignore
HandleLidSwitchExternalPower=ignore
EOF
cp yunoprompt.service ${pending_dir}/etc/systemd/system/yunoprompt.service
if [[ "$(yunohost settings get 'security.experimental.enabled')" == "True" ]]
then
cp proc-hidepid.service ${pending_dir}/etc/systemd/system/proc-hidepid.service
else
touch ${pending_dir}/etc/systemd/system/proc-hidepid.service
fi
mkdir -p ${pending_dir}/etc/dpkg/origins/
cp dpkg-origins ${pending_dir}/etc/dpkg/origins/yunohost
}
do_post_regen() {
regen_conf_files=$1
######################
# Enfore permissions #
######################
chmod 750 /home/admin
chmod 750 /home/yunohost.conf
chmod 750 /home/yunohost.backup
chmod 750 /home/yunohost.backup/archives
chown root:root /home/yunohost.conf
chown admin:root /home/yunohost.backup
chown admin:root /home/yunohost.backup/archives
# Certs
# We do this with find because there could be a lot of them...
chown -R root:ssl-cert /etc/yunohost/certs
chmod 750 /etc/yunohost/certs
find /etc/yunohost/certs/ -type f -exec chmod 640 {} \;
find /etc/yunohost/certs/ -type d -exec chmod 750 {} \;
find /etc/cron.*/yunohost-* -type f -exec chmod 755 {} \;
find /etc/cron.d/yunohost-* -type f -exec chmod 644 {} \;
find /etc/cron.*/yunohost-* -type f -exec chown root:root {} \;
chown root:root /var/cache/yunohost
chmod 700 /var/cache/yunohost
chown root:root /var/cache/moulinette
chmod 700 /var/cache/moulinette
setfacl -m g:all_users:--- /var/www
setfacl -m g:all_users:--- /var/log/nginx
setfacl -m g:all_users:--- /etc/yunohost
setfacl -m g:all_users:--- /etc/ssowat
for USER in $(yunohost user list --quiet --output-as json | jq -r '.users | .[] | .username')
do
[ ! -e "/home/$USER" ] || setfacl -m g:all_users:--- /home/$USER
done
# Domain settings
mkdir -p /etc/yunohost/domains
# Misc configuration / state files
chown root:root $(ls /etc/yunohost/{*.yml,*.yaml,*.json,mysql,psql} 2>/dev/null)
chmod 600 $(ls /etc/yunohost/{*.yml,*.yaml,*.json,mysql,psql} 2>/dev/null)
# Apps folder, custom hooks folder
[[ ! -e /etc/yunohost/hooks.d ]] || (chown root /etc/yunohost/hooks.d && chmod 700 /etc/yunohost/hooks.d)
[[ ! -e /etc/yunohost/apps ]] || (chown root /etc/yunohost/apps && chmod 700 /etc/yunohost/apps)
[[ ! -e /etc/yunohost/domains ]] || (chown root /etc/yunohost/domains && chmod 700 /etc/yunohost/domains)
# Create ssh.app and sftp.app groups if they don't exist yet
grep -q '^ssh.app:' /etc/group || groupadd ssh.app
grep -q '^sftp.app:' /etc/group || groupadd sftp.app
# Propagates changes in systemd service config overrides
[[ ! "$regen_conf_files" =~ "ntp.service.d/ynh-override.conf" ]] || { systemctl daemon-reload; systemctl restart ntp; }
[[ ! "$regen_conf_files" =~ "nftables.service.d/ynh-override.conf" ]] || systemctl daemon-reload
[[ ! "$regen_conf_files" =~ "login.conf.d/ynh-override.conf" ]] || systemctl daemon-reload
if [[ "$regen_conf_files" =~ "yunoprompt.service" ]]
then
systemctl daemon-reload
action=$([[ -e /etc/systemd/system/yunoprompt.service ]] && echo 'enable' || echo 'disable')
systemctl $action yunoprompt --quiet --now
fi
if [[ "$regen_conf_files" =~ "proc-hidepid.service" ]]
then
systemctl daemon-reload
action=$([[ -e /etc/systemd/system/proc-hidepid.service ]] && echo 'enable' || echo 'disable')
systemctl $action proc-hidepid --quiet --now
fi
# Change dpkg vendor
# see https://wiki.debian.org/Derivatives/Guidelines#Vendor
readlink -f /etc/dpkg/origins/default | grep -q debian \
&& rm -f /etc/dpkg/origins/default \
&& ln -s /etc/dpkg/origins/yunohost /etc/dpkg/origins/default
}
do_$1_regen ${@:2}


@ -1,122 +0,0 @@
#!/bin/bash
set -e
ssl_dir="/usr/share/yunohost/yunohost-config/ssl/yunoCA"
ynh_ca="/etc/yunohost/certs/yunohost.org/ca.pem"
ynh_crt="/etc/yunohost/certs/yunohost.org/crt.pem"
ynh_key="/etc/yunohost/certs/yunohost.org/key.pem"
openssl_conf="/usr/share/yunohost/templates/ssl/openssl.cnf"
regen_local_ca() {
domain="$1"
echo -e "\n# Creating local certification authority with domain=$domain\n"
# create certs and SSL directories
mkdir -p "/etc/yunohost/certs/yunohost.org"
mkdir -p "${ssl_dir}/"{ca,certs,crl,newcerts}
pushd ${ssl_dir}
# (Update the serial so that it's specific to this very instance)
# N.B. : the weird RANDFILE thing comes from:
# https://stackoverflow.com/questions/94445/using-openssl-what-does-unable-to-write-random-state-mean
RANDFILE=.rnd openssl rand -hex 19 > serial
rm -f index.txt
touch index.txt
cp /usr/share/yunohost/templates/ssl/openssl.cnf openssl.ca.cnf
sed -i "s/yunohost.org/${domain}/g" openssl.ca.cnf
openssl req -x509 \
-new \
-config openssl.ca.cnf \
-days 3650 \
-out ca/cacert.pem \
-keyout ca/cakey.pem \
-nodes \
-batch \
-subj /CN=${domain}/O=${domain%.*} 2>&1
chmod 640 ca/cacert.pem
chmod 640 ca/cakey.pem
cp ca/cacert.pem $ynh_ca
ln -sf "$ynh_ca" /etc/ssl/certs/ca-yunohost_crt.pem
update-ca-certificates
popd
}
do_init_regen() {
LOGFILE=/tmp/yunohost-ssl-init
echo "" > $LOGFILE
chown root:root $LOGFILE
chmod 640 $LOGFILE
# Make sure this conf exists
mkdir -p ${ssl_dir}
cp /usr/share/yunohost/templates/ssl/openssl.cnf ${ssl_dir}/openssl.ca.cnf
# create default certificates
if [[ ! -f "$ynh_ca" ]]; then
regen_local_ca yunohost.org >>$LOGFILE
fi
if [[ ! -f "$ynh_crt" ]]; then
echo -e "\n# Creating initial key and certificate \n" >>$LOGFILE
openssl req -new \
-config "$openssl_conf" \
-days 730 \
-out "${ssl_dir}/certs/yunohost_csr.pem" \
-keyout "${ssl_dir}/certs/yunohost_key.pem" \
-nodes -batch &>>$LOGFILE
openssl ca \
-config "$openssl_conf" \
-days 730 \
-in "${ssl_dir}/certs/yunohost_csr.pem" \
-out "${ssl_dir}/certs/yunohost_crt.pem" \
-batch &>>$LOGFILE
chmod 640 "${ssl_dir}/certs/yunohost_key.pem"
chmod 640 "${ssl_dir}/certs/yunohost_crt.pem"
cp "${ssl_dir}/certs/yunohost_key.pem" "$ynh_key"
cp "${ssl_dir}/certs/yunohost_crt.pem" "$ynh_crt"
ln -sf "$ynh_crt" /etc/ssl/certs/yunohost_crt.pem
ln -sf "$ynh_key" /etc/ssl/private/yunohost_key.pem
fi
chown -R root:ssl-cert /etc/yunohost/certs/yunohost.org/
chmod o-rwx /etc/yunohost/certs/yunohost.org/
install -D -m 644 $openssl_conf "${ssl_dir}/openssl.cnf"
}
do_pre_regen() {
pending_dir=$1
cd /usr/share/yunohost/templates/ssl
install -D -m 644 openssl.cnf "${pending_dir}/${ssl_dir}/openssl.cnf"
}
do_post_regen() {
regen_conf_files=$1
current_local_ca_domain=$(openssl x509 -in $ynh_ca -text | tr ',' '\n' | grep Issuer | awk '{print $4}')
main_domain=$(cat /etc/yunohost/current_host)
if [[ "$current_local_ca_domain" != "$main_domain" ]]
then
regen_local_ca $main_domain
# Idk how useful this is, but this was in the previous python code (domain.main_domain())
ln -sf /etc/yunohost/certs/$domain/crt.pem /etc/ssl/certs/yunohost_crt.pem
ln -sf /etc/yunohost/certs/$domain/key.pem /etc/ssl/private/yunohost_key.pem
fi
}
do_$1_regen ${@:2}


@ -1,202 +0,0 @@
#!/bin/bash
set -e
tmp_backup_dir_file="/root/slapd-backup-dir.txt"
config="/usr/share/yunohost/templates/slapd/config.ldif"
db_init="/usr/share/yunohost/templates/slapd/db_init.ldif"
do_init_regen() {
if [[ $EUID -ne 0 ]]; then
echo "You must be root to run this script" 1>&2
exit 1
fi
do_pre_regen ""
# Drop current existing slapd data
rm -rf /var/backups/*.ldapdb
rm -rf /var/backups/slapd-*
debconf-set-selections << EOF
slapd slapd/password1 password yunohost
slapd slapd/password2 password yunohost
slapd slapd/domain string yunohost.org
slapd shared/organization string yunohost.org
slapd slapd/allow_ldap_v2 boolean false
slapd slapd/invalid_config boolean true
slapd slapd/backend select MDB
slapd slapd/move_old_database boolean true
slapd slapd/no_configuration boolean false
slapd slapd/purge_database boolean false
EOF
DEBIAN_FRONTEND=noninteractive dpkg-reconfigure slapd -u
# Enforce permissions
chown -R openldap:openldap /etc/ldap/schema/
usermod -aG ssl-cert openldap
# (Re-)init data according to default ldap entries
echo ' Initializing LDAP with YunoHost DB structure'
rm -rf /etc/ldap/slapd.d
mkdir -p /etc/ldap/slapd.d
slapadd -F /etc/ldap/slapd.d -b cn=config -l "$config" 2>&1 \
| grep -v "none elapsed\|Closing DB" || true
chown -R openldap: /etc/ldap/slapd.d
rm -rf /var/lib/ldap
mkdir -p /var/lib/ldap
slapadd -F /etc/ldap/slapd.d -b dc=yunohost,dc=org -l "$db_init" 2>&1 \
| grep -v "none elapsed\|Closing DB" || true
chown -R openldap: /var/lib/ldap
nscd -i group || true
nscd -i passwd || true
systemctl restart slapd
# We don't use mkhomedir_helper because 'admin' may not be recognized
# when this script is ran in a chroot (e.g. ISO install)
# We also refer to admin as uid 1007 for the same reason
if [ ! -d /home/admin ]
then
cp -r /etc/skel /home/admin
chown -R 1007:1007 /home/admin
fi
}
_regenerate_slapd_conf() {
# Validate the new slapd config
# To do so, we have to use the .ldif to generate the config directory
# so we use a temporary directory slapd_new.d
rm -Rf /etc/ldap/slapd_new.d
mkdir /etc/ldap/slapd_new.d
slapadd -b cn=config -l "$config" -F /etc/ldap/slapd_new.d/ 2>&1 \
| grep -v "none elapsed\|Closing DB" || true
# Actual validation (-Q is for quiet, -u is for dry-run)
slaptest -Q -u -F /etc/ldap/slapd_new.d
# "Commit" / apply the new config (meaning we delete the old one and replace
# it with the new one)
rm -Rf /etc/ldap/slapd.d
mv /etc/ldap/slapd_new.d /etc/ldap/slapd.d
chown -R openldap:openldap /etc/ldap/slapd.d/
}
do_pre_regen() {
pending_dir=$1
# remove temporary backup file
rm -f "$tmp_backup_dir_file"
# Define if we need to migrate from hdb to mdb
curr_backend=$(grep '^database' /etc/ldap/slapd.conf 2>/dev/null | awk '{print $2}')
if [ -e /etc/ldap/slapd.conf ] && [ -n "$curr_backend" ] && \
[ $curr_backend != 'mdb' ]; then
backup_dir="/var/backups/dc=yunohost,dc=org-${curr_backend}-$(date +%s)"
mkdir -p "$backup_dir"
slapcat -b dc=yunohost,dc=org -l "${backup_dir}/dc=yunohost-dc=org.ldif"
echo "$backup_dir" > "$tmp_backup_dir_file"
fi
# create needed directories
ldap_dir="${pending_dir}/etc/ldap"
schema_dir="${ldap_dir}/schema"
mkdir -p "$ldap_dir" "$schema_dir"
# remove legacy configuration file
[ ! -f /etc/ldap/slapd-yuno.conf ] || touch "${ldap_dir}/slapd-yuno.conf"
[ ! -f /etc/ldap/slapd.conf ] || touch "${ldap_dir}/slapd.conf"
[ ! -f /etc/ldap/schema/yunohost.schema ] || touch "${schema_dir}/yunohost.schema"
cd /usr/share/yunohost/templates/slapd
# copy configuration files
cp -a ldap.conf "$ldap_dir"
cp -a sudo.ldif mailserver.ldif permission.ldif "$schema_dir"
mkdir -p ${pending_dir}/etc/systemd/system/slapd.service.d/
cp systemd-override.conf ${pending_dir}/etc/systemd/system/slapd.service.d/ynh-override.conf
install -D -m 644 slapd.default "${pending_dir}/etc/default/slapd"
}
do_post_regen() {
regen_conf_files=$1
# fix some permissions
echo "Enforce permissions on ldap/slapd directories and certs ..."
# penldap user should be in the ssl-cert group to let it access the certificate for TLS
usermod -aG ssl-cert openldap
chown -R openldap:openldap /etc/ldap/schema/
chown -R openldap:openldap /etc/ldap/slapd.d/
# If we changed the systemd ynh-override conf
if echo "$regen_conf_files" | sed 's/,/\n/g' | grep -q "^/etc/systemd/system/slapd.service.d/ynh-override.conf$"
then
systemctl daemon-reload
systemctl restart slapd
sleep 3
fi
# For some reason, old setups don't have the admins group defined...
if ! slapcat | grep -q 'cn=admins,ou=groups,dc=yunohost,dc=org'
then
slapadd -F /etc/ldap/slapd.d -b dc=yunohost,dc=org <<< \
"dn: cn=admins,ou=groups,dc=yunohost,dc=org
cn: admins
gidNumber: 4001
memberUid: admin
objectClass: posixGroup
objectClass: top"
chown -R openldap: /var/lib/ldap
systemctl restart slapd
nscd -i group
fi
[ -z "$regen_conf_files" ] && exit 0
# regenerate LDAP config directory from slapd.conf
echo "Regenerate LDAP config directory from config.ldif"
_regenerate_slapd_conf
# If there's a backup, re-import its data
backup_dir=$(cat "$tmp_backup_dir_file" 2>/dev/null || true)
if [[ -n "$backup_dir" && -f "${backup_dir}/dc=yunohost-dc=org.ldif" ]]; then
# regenerate LDAP config directory and import database as root
echo "Import the database using slapadd"
slapadd -F /etc/ldap/slapd.d -b dc=yunohost,dc=org -l "${backup_dir}/dc=yunohost-dc=org.ldif"
chown -R openldap:openldap /var/lib/ldap 2>&1
fi
echo "Running slapdindex"
su openldap -s "/bin/bash" -c "/usr/sbin/slapindex"
echo "Reloading slapd"
systemctl force-reload slapd
# on slow hardware/vm this regen conf would exit before the admin user that
# is stored in ldap is available because ldap seems to slow to restart
# so we'll wait either until we are able to log as admin or until a timeout
# is reached
# we need to do this because the next hooks executed after this one during
# postinstall requires to run as admin thus breaking postinstall on slow
# hardware which mean yunohost can't be correctly installed on those hardware
# and this sucks
# wait a maximum time of 5 minutes
# yes, force-reload behave like a restart
number_of_wait=0
while ! su admin -c '' && ((number_of_wait < 60))
do
sleep 5
((number_of_wait += 1))
done
}
do_$1_regen ${@:2}


@ -1,25 +0,0 @@
#!/bin/bash
set -e
do_init_regen() {
do_pre_regen ""
systemctl restart nslcd
}
do_pre_regen() {
pending_dir=$1
cd /usr/share/yunohost/templates/nslcd
install -D -m 644 nslcd.conf "${pending_dir}/etc/nslcd.conf"
}
do_post_regen() {
regen_conf_files=$1
[[ -z "$regen_conf_files" ]] \
|| systemctl restart nslcd
}
do_$1_regen ${@:2}


@ -1,57 +0,0 @@
#!/bin/bash
set -e
do_pre_regen() {
pending_dir=$1
mkdir --parents "${pending_dir}/etc/apt/preferences.d"
packages_to_refuse_from_sury="php php-fpm php-mysql php-xml php-zip php-mbstring php-ldap php-gd php-curl php-bz2 php-json php-sqlite3 php-intl openssl libssl1.1 libssl-dev"
for package in $packages_to_refuse_from_sury
do
echo "
Package: $package
Pin: origin \"packages.sury.org\"
Pin-Priority: -1" >> "${pending_dir}/etc/apt/preferences.d/extra_php_version"
done
echo "
# PLEASE READ THIS WARNING AND DON'T EDIT THIS FILE
# You are probably reading this file because you tried to install apache2 or
# bind9. These 2 packages conflict with YunoHost.
# Installing apache2 will break nginx and break the entire YunoHost ecosystem
# on your server, therefore don't remove those lines!
# You have been warned.
Package: apache2
Pin: release *
Pin-Priority: -1
Package: apache2-bin
Pin: release *
Pin-Priority: -1
# Also bind9 will conflict with dnsmasq.
# Same story as for apache2.
# Don't install it, don't remove those lines.
Package: bind9
Pin: release *
Pin-Priority: -1
" >> "${pending_dir}/etc/apt/preferences.d/ban_packages"
}
do_post_regen() {
regen_conf_files=$1
# Make sure php7.3 is the default version when using php in cli
update-alternatives --set php /usr/bin/php7.3
}
do_$1_regen ${@:2}


@ -1,73 +0,0 @@
#!/bin/bash
set -e
do_pre_regen() {
pending_dir=$1
cd /usr/share/yunohost/templates/metronome
# create directories for pending conf
metronome_dir="${pending_dir}/etc/metronome"
metronome_conf_dir="${metronome_dir}/conf.d"
mkdir -p "$metronome_conf_dir"
# retrieve variables
main_domain=$(cat /etc/yunohost/current_host)
# install main conf file
cat metronome.cfg.lua \
| sed "s/{{ main_domain }}/${main_domain}/g" \
> "${metronome_dir}/metronome.cfg.lua"
# add domain conf files
for domain in $YNH_DOMAINS; do
cat domain.tpl.cfg.lua \
| sed "s/{{ domain }}/${domain}/g" \
> "${metronome_conf_dir}/${domain}.cfg.lua"
done
# remove old domain conf files
conf_files=$(ls -1 /etc/metronome/conf.d \
| awk '/^[^\.]+\.[^\.]+.*\.cfg\.lua$/ { print $1 }')
for file in $conf_files; do
domain=${file%.cfg.lua}
[[ $YNH_DOMAINS =~ $domain ]] \
|| touch "${metronome_conf_dir}/${file}"
done
}
do_post_regen() {
regen_conf_files=$1
# retrieve variables
main_domain=$(cat /etc/yunohost/current_host)
# FIXME : small optimization to do to avoid calling a yunohost command ...
# maybe another env variable like YNH_MAIN_DOMAINS idk
domain_list=$(yunohost domain list --exclude-subdomains --output-as plain --quiet)
# create metronome directories for domains
for domain in $domain_list; do
mkdir -p "/var/lib/metronome/${domain//./%2e}/pep"
# http_upload directory must be writable by metronome and readable by nginx
mkdir -p "/var/xmpp-upload/${domain}/upload"
# sgid bit allows that file created in that dir will be owned by www-data
# despite the fact that metronome ain't in the www-data group
chmod g+s "/var/xmpp-upload/${domain}/upload"
done
# fix some permissions
[ ! -e '/var/xmpp-upload' ] || chown -R metronome:www-data "/var/xmpp-upload/"
[ ! -e '/var/xmpp-upload' ] || chmod 750 "/var/xmpp-upload/"
# metronome should be in ssl-cert group to let it access SSL certificates
usermod -aG ssl-cert metronome
chown -R metronome: /var/lib/metronome/
chown -R metronome: /etc/metronome/conf.d/
[[ -z "$regen_conf_files" ]] \
|| systemctl restart metronome
}
do_$1_regen ${@:2}


@ -1,152 +0,0 @@
#!/bin/bash
set -e
. /usr/share/yunohost/helpers
do_init_regen() {
if [[ $EUID -ne 0 ]]; then
echo "You must be root to run this script" 1>&2
exit 1
fi
cd /usr/share/yunohost/templates/nginx
nginx_dir="/etc/nginx"
nginx_conf_dir="${nginx_dir}/conf.d"
mkdir -p "$nginx_conf_dir"
# install plain conf files
cp plain/* "$nginx_conf_dir"
# probably run with init: just disable default site, restart NGINX and exit
rm -f "${nginx_dir}/sites-enabled/default"
export compatibility="intermediate"
ynh_render_template "security.conf.inc" "${nginx_conf_dir}/security.conf.inc"
ynh_render_template "yunohost_admin.conf" "${nginx_conf_dir}/yunohost_admin.conf"
ynh_render_template "yunohost_admin.conf.inc" "${nginx_conf_dir}/yunohost_admin.conf.inc"
ynh_render_template "yunohost_api.conf.inc" "${nginx_conf_dir}/yunohost_api.conf.inc"
mkdir -p $nginx_conf_dir/default.d/
cp "redirect_to_admin.conf" $nginx_conf_dir/default.d/
# Restart nginx if conf looks good, otherwise display error and exit unhappy
nginx -t 2>/dev/null || { nginx -t; exit 1; }
systemctl restart nginx || { journalctl --no-pager --lines=10 -u nginx >&2; exit 1; }
exit 0
}
do_pre_regen() {
pending_dir=$1
cd /usr/share/yunohost/templates/nginx
nginx_dir="${pending_dir}/etc/nginx"
nginx_conf_dir="${nginx_dir}/conf.d"
mkdir -p "$nginx_conf_dir"
# install / update plain conf files
cp plain/* "$nginx_conf_dir"
# remove the panel overlay if this is specified in settings
panel_overlay=$(yunohost settings get 'ssowat.panel_overlay.enabled')
if [ "$panel_overlay" == "false" ] || [ "$panel_overlay" == "False" ]
then
echo "#" > "${nginx_conf_dir}/yunohost_panel.conf.inc"
fi
# retrieve variables
main_domain=$(cat /etc/yunohost/current_host)
# Support different strategy for security configurations
export redirect_to_https="$(yunohost settings get 'security.nginx.redirect_to_https')"
export compatibility="$(yunohost settings get 'security.nginx.compatibility')"
export experimental="$(yunohost settings get 'security.experimental.enabled')"
ynh_render_template "security.conf.inc" "${nginx_conf_dir}/security.conf.inc"
cert_status=$(yunohost domain cert status --json)
# add domain conf files
for domain in $YNH_DOMAINS; do
domain_conf_dir="${nginx_conf_dir}/${domain}.d"
mkdir -p "$domain_conf_dir"
mail_autoconfig_dir="${pending_dir}/var/www/.well-known/${domain}/autoconfig/mail/"
mkdir -p "$mail_autoconfig_dir"
# NGINX server configuration
export domain
export domain_cert_ca=$(echo $cert_status \
| jq ".certificates.\"$domain\".CA_type" \
| tr -d '"')
ynh_render_template "server.tpl.conf" "${nginx_conf_dir}/${domain}.conf"
ynh_render_template "autoconfig.tpl.xml" "${mail_autoconfig_dir}/config-v1.1.xml"
touch "${domain_conf_dir}/yunohost_local.conf" # Clean legacy conf files
done
export webadmin_allowlist_enabled=$(yunohost settings get security.webadmin.allowlist.enabled)
if [ "$webadmin_allowlist_enabled" == "True" ]
then
export webadmin_allowlist=$(yunohost settings get security.webadmin.allowlist)
fi
ynh_render_template "yunohost_admin.conf.inc" "${nginx_conf_dir}/yunohost_admin.conf.inc"
ynh_render_template "yunohost_api.conf.inc" "${nginx_conf_dir}/yunohost_api.conf.inc"
ynh_render_template "yunohost_admin.conf" "${nginx_conf_dir}/yunohost_admin.conf"
mkdir -p $nginx_conf_dir/default.d/
cp "redirect_to_admin.conf" $nginx_conf_dir/default.d/
# remove old domain conf files
conf_files=$(ls -1 /etc/nginx/conf.d \
| awk '/^[^\.]+\.[^\.]+.*\.conf$/ { print $1 }')
for file in $conf_files; do
domain=${file%.conf}
[[ $YNH_DOMAINS =~ $domain ]] \
|| touch "${nginx_conf_dir}/${file}"
done
# remove old mail-autoconfig files
autoconfig_files=$(ls -1 /var/www/.well-known/*/autoconfig/mail/config-v1.1.xml 2>/dev/null || true)
for file in $autoconfig_files; do
domain=$(basename $(readlink -f $(dirname $file)/../..))
[[ $YNH_DOMAINS =~ $domain ]] \
|| (mkdir -p "$(dirname ${pending_dir}/${file})" && touch "${pending_dir}/${file}")
done
# disable default site
mkdir -p "${nginx_dir}/sites-enabled"
touch "${nginx_dir}/sites-enabled/default"
}
do_post_regen() {
regen_conf_files=$1
[ -z "$regen_conf_files" ] && exit 0
# create NGINX conf directories for domains
for domain in $YNH_DOMAINS; do
mkdir -p "/etc/nginx/conf.d/${domain}.d"
done
# Get rid of legacy lets encrypt snippets
for domain in $YNH_DOMAINS; do
# If the legacy letsencrypt / acme-challenge domain-specific snippet is still there
if [ -e /etc/nginx/conf.d/${domain}.d/000-acmechallenge.conf ]
then
# And if we're effectively including the new domain-independant snippet now
if grep -q "include /etc/nginx/conf.d/acme-challenge.conf.inc;" /etc/nginx/conf.d/${domain}.conf
then
# Delete the old domain-specific snippet
rm /etc/nginx/conf.d/${domain}.d/000-acmechallenge.conf
fi
fi
done
# Reload nginx if conf looks good, otherwise display error and exit unhappy
nginx -t 2>/dev/null || { nginx -t; exit 1; }
pgrep nginx && systemctl reload nginx || { journalctl --no-pager --lines=10 -u nginx >&2; exit 1; }
}
do_$1_regen ${@:2}


@ -1,83 +0,0 @@
#!/bin/bash
set -e
. /usr/share/yunohost/helpers
do_pre_regen() {
pending_dir=$1
cd /usr/share/yunohost/templates/postfix
postfix_dir="${pending_dir}/etc/postfix"
mkdir -p "$postfix_dir"
default_dir="${pending_dir}/etc/default/"
mkdir -p "$default_dir"
# install plain conf files
cp plain/* "$postfix_dir"
# prepare main.cf conf file
main_domain=$(cat /etc/yunohost/current_host)
# Support different strategy for security configurations
export compatibility="$(yunohost settings get 'security.postfix.compatibility')"
# Add possibility to specify a relay
# Could be useful with some isp with no 25 port open or more complex setup
export relay_port=""
export relay_user=""
export relay_host="$(yunohost settings get 'smtp.relay.host')"
if [ -n "${relay_host}" ]
then
relay_port="$(yunohost settings get 'smtp.relay.port')"
relay_user="$(yunohost settings get 'smtp.relay.user')"
relay_password="$(yunohost settings get 'smtp.relay.password')"
# Avoid to display "Relay account paswword" to other users
touch ${postfix_dir}/sasl_passwd
chmod 750 ${postfix_dir}/sasl_passwd
# Avoid "postmap: warning: removing zero-length database file"
chown postfix ${pending_dir}/etc/postfix
chown postfix ${pending_dir}/etc/postfix/sasl_passwd
cat <<< "[${relay_host}]:${relay_port} ${relay_user}:${relay_password}" > ${postfix_dir}/sasl_passwd
postmap ${postfix_dir}/sasl_passwd
fi
export main_domain
export domain_list="$YNH_DOMAINS"
ynh_render_template "main.cf" "${postfix_dir}/main.cf"
cat postsrsd \
| sed "s/{{ main_domain }}/${main_domain}/g" \
| sed "s/{{ domain_list }}/${YNH_DOMAINS}/g" \
> "${default_dir}/postsrsd"
# adapt it for IPv4-only hosts
ipv6="$(yunohost settings get 'smtp.allow_ipv6')"
if [ "$ipv6" == "False" ] || [ ! -f /proc/net/if_inet6 ]; then
sed -i \
's/ \[::ffff:127.0.0.0\]\/104 \[::1\]\/128//g' \
"${postfix_dir}/main.cf"
sed -i \
's/inet_interfaces = all/&\ninet_protocols = ipv4/' \
"${postfix_dir}/main.cf"
fi
}
do_post_regen() {
regen_conf_files=$1
if [ -e /etc/postfix/sasl_passwd ]
then
chmod 750 /etc/postfix/sasl_passwd*
chown postfix:root /etc/postfix/sasl_passwd*
fi
[[ -z "$regen_conf_files" ]] \
|| { systemctl restart postfix && systemctl restart postsrsd; }
}
do_$1_regen ${@:2}


@ -1,66 +0,0 @@
#!/bin/bash
set -e
. /usr/share/yunohost/helpers
do_pre_regen() {
pending_dir=$1
cd /usr/share/yunohost/templates/dovecot
dovecot_dir="${pending_dir}/etc/dovecot"
mkdir -p "${dovecot_dir}/global_script"
# copy simple conf files
cp dovecot-ldap.conf "${dovecot_dir}/dovecot-ldap.conf"
cp dovecot.sieve "${dovecot_dir}/global_script/dovecot.sieve"
export pop3_enabled="$(yunohost settings get 'pop3.enabled')"
export main_domain=$(cat /etc/yunohost/current_host)
ynh_render_template "dovecot.conf" "${dovecot_dir}/dovecot.conf"
# adapt it for IPv4-only hosts
if [ ! -f /proc/net/if_inet6 ]; then
sed -i \
's/^\(listen =\).*/\1 */' \
"${dovecot_dir}/dovecot.conf"
fi
mkdir -p "${dovecot_dir}/yunohost.d"
cp pre-ext.conf "${dovecot_dir}/yunohost.d"
cp post-ext.conf "${dovecot_dir}/yunohost.d"
}
do_post_regen() {
regen_conf_files=$1
mkdir -p "/etc/dovecot/yunohost.d/pre-ext.d"
mkdir -p "/etc/dovecot/yunohost.d/post-ext.d"
# create vmail user
id vmail > /dev/null 2>&1 \
|| adduser --system --ingroup mail --uid 500 vmail --home /var/vmail --no-create-home
# Delete legacy home for vmail that existed in the past but was empty, poluting /home/
[ ! -e /home/vmail ] || rmdir --ignore-fail-on-non-empty /home/vmail
# fix permissions
chown -R vmail:mail /etc/dovecot/global_script
chmod 770 /etc/dovecot/global_script
chown root:mail /var/mail
chmod 1775 /var/mail
[ -z "$regen_conf_files" ] && exit 0
# compile sieve script
[[ "$regen_conf_files" =~ dovecot\.sieve ]] && {
sievec /etc/dovecot/global_script/dovecot.sieve
chown -R vmail:mail /etc/dovecot/global_script
}
systemctl restart dovecot
}
do_$1_regen ${@:2}


@ -1,62 +0,0 @@
#!/bin/bash
set -e
do_pre_regen() {
pending_dir=$1
cd /usr/share/yunohost/templates/rspamd
install -D -m 644 metrics.local.conf \
"${pending_dir}/etc/rspamd/local.d/metrics.conf"
install -D -m 644 dkim_signing.conf \
"${pending_dir}/etc/rspamd/local.d/dkim_signing.conf"
install -D -m 644 rspamd.sieve \
"${pending_dir}/etc/dovecot/global_script/rspamd.sieve"
}
do_post_regen() {
##
## DKIM key generation
##
# create DKIM directory with proper permission
mkdir -p /etc/dkim
chown _rspamd /etc/dkim
# create DKIM key for domains
for domain in $YNH_DOMAINS; do
domain_key="/etc/dkim/${domain}.mail.key"
[ ! -f "$domain_key" ] && {
# We use a 1024 bit size because nsupdate doesn't seem to be able to
# handle 2048...
opendkim-genkey --domain="$domain" \
--selector=mail --directory=/etc/dkim -b 1024
mv /etc/dkim/mail.private "$domain_key"
mv /etc/dkim/mail.txt "/etc/dkim/${domain}.mail.txt"
}
done
# fix DKIM keys permissions
chown _rspamd /etc/dkim/*.mail.key
chmod 400 /etc/dkim/*.mail.key
[ ! -e /var/log/rspamd ] || chown -R _rspamd:_rspamd /var/log/rspamd
regen_conf_files=$1
[ -z "$regen_conf_files" ] && exit 0
# compile sieve script
[[ "$regen_conf_files" =~ rspamd\.sieve ]] && {
sievec /etc/dovecot/global_script/rspamd.sieve
chown -R vmail:mail /etc/dovecot/global_script
systemctl restart dovecot
}
# Restart rspamd due to the upgrade
# https://rspamd.com/announce/2016/08/01/rspamd-1.3.1.html
systemctl -q restart rspamd.service
}
do_$1_regen ${@:2}


@ -1,72 +0,0 @@
#!/bin/bash
set -e
. /usr/share/yunohost/helpers
do_pre_regen() {
pending_dir=$1
cd /usr/share/yunohost/templates/mysql
install -D -m 644 my.cnf "${pending_dir}/etc/mysql/my.cnf"
}
do_post_regen() {
regen_conf_files=$1
if [[ ! -d /var/lib/mysql/mysql ]]
then
# dpkg-reconfigure will initialize mysql (if it ain't already)
# It enabled auth_socket for root, so no need to define any root password...
# c.f. : cat /var/lib/dpkg/info/mariadb-server-10.3.postinst | grep install_db -C3
MYSQL_PKG="$(dpkg --list | sed -ne 's/^ii \(mariadb-server-[[:digit:].]\+\) .*$/\1/p')"
dpkg-reconfigure -freadline -u "$MYSQL_PKG" 2>&1
systemctl -q is-active mariadb.service \
|| systemctl start mariadb
sleep 5
echo "" | mysql && echo "Can't connect to mysql using unix_socket auth ... something went wrong during initial configuration of mysql !?" >&2
fi
# Legacy code to get rid of /etc/yunohost/mysql ...
# Nowadays, we can simply run mysql while being run as root of unix_socket/auth_socket is enabled...
if [ -f /etc/yunohost/mysql ]; then
# This is a trick to check if we're able to use mysql without password
# Expect instances installed in stretch to already have unix_socket
#configured, but not old instances from the jessie/wheezy era
if ! echo "" | mysql 2>/dev/null
then
password="$(cat /etc/yunohost/mysql)"
# Enable plugin unix_socket for root on localhost
mysql -u root -p"$password" <<< "GRANT ALL PRIVILEGES ON *.* TO 'root'@'localhost' IDENTIFIED WITH unix_socket WITH GRANT OPTION;"
fi
# If now we're able to login without password, drop the mysql password
if echo "" | mysql 2>/dev/null
then
rm /etc/yunohost/mysql
else
echo "Can't connect to mysql using unix_socket auth ... something went wrong while trying to get rid of mysql password !?" >&2
fi
fi
# mysql is supposed to be an alias to mariadb... but in some weird case is not
# c.f. https://forum.yunohost.org/t/mysql-ne-fonctionne-pas/11661
# Playing with enable/disable allows to recreate the proper symlinks.
if [ ! -e /etc/systemd/system/mysql.service ]
then
systemctl stop mysql -q
systemctl disable mysql -q
systemctl disable mariadb -q
systemctl enable mariadb -q
systemctl is-active mariadb -q || systemctl start mariadb
fi
[[ -z "$regen_conf_files" ]] \
|| systemctl restart mysql
}
do_$1_regen ${@:2}


@ -1,13 +0,0 @@
#!/bin/bash
do_pre_regen() {
:
}
do_post_regen() {
# Enforce these damn permissions because for some reason in some weird cases
# they are spontaneously replaced by root:root -_-
chown -R redis:adm /var/log/redis
}
do_$1_regen ${@:2}


@ -1,57 +0,0 @@
#!/bin/bash
set -e
_generate_config() {
echo "domains:"
echo " - yunohost.local"
for domain in $YNH_DOMAINS
do
# Only keep .local domains (don't keep
[[ "$domain" =~ [^.]+\.[^.]+\.local$ ]] && echo "Subdomain $domain cannot be handled by Bonjour/Zeroconf/mDNS" >&2
[[ "$domain" =~ ^[^.]+\.local$ ]] || continue
echo " - $domain"
done
}
do_init_regen() {
do_pre_regen
do_post_regen /etc/systemd/system/yunomdns.service
systemctl enable yunomdns
}
do_pre_regen() {
pending_dir="$1"
cd /usr/share/yunohost/templates/mdns
mkdir -p ${pending_dir}/etc/systemd/system/
cp yunomdns.service ${pending_dir}/etc/systemd/system/
getent passwd mdns &>/dev/null || useradd --no-create-home --shell /usr/sbin/nologin --system --user-group mdns
mkdir -p ${pending_dir}/etc/yunohost
_generate_config > ${pending_dir}/etc/yunohost/mdns.yml
}
do_post_regen() {
regen_conf_files="$1"
chown mdns:mdns /etc/yunohost/mdns.yml
# If we changed the systemd ynh-override conf
if echo "$regen_conf_files" | sed 's/,/\n/g' | grep -q "^/etc/systemd/system/yunomdns.service$"
then
systemctl daemon-reload
fi
# Legacy stuff to enable the new yunomdns service on legacy systems
if [[ -e /etc/avahi/avahi-daemon.conf ]] && grep -q 'yunohost' /etc/avahi/avahi-daemon.conf
then
systemctl enable yunomdns
fi
[[ -z "$regen_conf_files" ]] \
|| systemctl restart yunomdns
}
do_$1_regen ${@:2}


@ -1,86 +0,0 @@
#!/bin/bash
set -e
. /usr/share/yunohost/helpers
do_pre_regen() {
pending_dir=$1
cd /usr/share/yunohost/templates/dnsmasq
# create directory for pending conf
dnsmasq_dir="${pending_dir}/etc/dnsmasq.d"
mkdir -p "$dnsmasq_dir"
etcdefault_dir="${pending_dir}/etc/default"
mkdir -p "$etcdefault_dir"
# add general conf files
cp plain/etcdefault ${pending_dir}/etc/default/dnsmasq
cp plain/dnsmasq.conf ${pending_dir}/etc/dnsmasq.conf
# add resolver file
cat plain/resolv.dnsmasq.conf | grep "^nameserver" | shuf > ${pending_dir}/etc/resolv.dnsmasq.conf
# retrieve variables
ipv4=$(curl -s -4 https://ip.yunohost.org 2>/dev/null || true)
ynh_validate_ip4 "$ipv4" || ipv4='127.0.0.1'
ipv6=$(curl -s -6 https://ip6.yunohost.org 2>/dev/null || true)
ynh_validate_ip6 "$ipv6" || ipv6=''
export ipv4
export ipv6
# add domain conf files
for domain in $YNH_DOMAINS; do
[[ ! $domain =~ \.local$ ]] || continue
export domain
ynh_render_template "domain.tpl" "${dnsmasq_dir}/${domain}"
done
# remove old domain conf files
conf_files=$(ls -1 /etc/dnsmasq.d \
| awk '/^[^\.]+\.[^\.]+.*$/ { print $1 }')
for domain in $conf_files; do
if [[ ! $YNH_DOMAINS =~ $domain ]] && [[ ! $domain =~ \.local$ ]]
then
touch "${dnsmasq_dir}/${domain}"
fi
done
}
do_post_regen() {
regen_conf_files=$1
# Fuck it, those domain/search entries from dhclient are usually annoying
# lying shit from the ISP trying to MiTM
if grep -q -E "^ *(domain|search)" /run/resolvconf/resolv.conf
then
if grep -q -E "^ *(domain|search)" /run/resolvconf/interface/*.dhclient 2>/dev/null
then
sed -E "s/^(domain|search)/#\1/g" -i /run/resolvconf/interface/*.dhclient
fi
grep -q '^supersede domain-name "";' /etc/dhcp/dhclient.conf 2>/dev/null || echo 'supersede domain-name "";' >> /etc/dhcp/dhclient.conf
grep -q '^supersede domain-search "";' /etc/dhcp/dhclient.conf 2>/dev/null || echo 'supersede domain-search "";' >> /etc/dhcp/dhclient.conf
grep -q '^supersede name "";' /etc/dhcp/dhclient.conf 2>/dev/null || echo 'supersede name "";' >> /etc/dhcp/dhclient.conf
systemctl restart resolvconf
fi
# Some stupid things like rabbitmq-server used by onlyoffice won't work if
# the *short* hostname doesn't exists in /etc/hosts -_-
short_hostname=$(hostname -s)
grep -q "127.0.0.1.*$short_hostname" /etc/hosts || echo -e "\n127.0.0.1\t$short_hostname" >>/etc/hosts
[[ -n "$regen_conf_files" ]] || return
# Remove / disable services likely to conflict with dnsmasq
for SERVICE in systemd-resolved bind9
do
systemctl is-enabled $SERVICE &>/dev/null && systemctl disable $SERVICE 2>/dev/null
systemctl is-active $SERVICE &>/dev/null && systemctl stop $SERVICE
done
systemctl restart dnsmasq
}
do_$1_regen ${@:2}


@ -1,25 +0,0 @@
#!/bin/bash
set -e
do_init_regen() {
do_pre_regen ""
systemctl restart unscd
}
do_pre_regen() {
pending_dir=$1
cd /usr/share/yunohost/templates/nsswitch
install -D -m 644 nsswitch.conf "${pending_dir}/etc/nsswitch.conf"
}
do_post_regen() {
regen_conf_files=$1
[[ -z "$regen_conf_files" ]] \
|| systemctl restart unscd
}
do_$1_regen ${@:2}


@ -1,30 +0,0 @@
#!/bin/bash
set -e
. /usr/share/yunohost/helpers
do_pre_regen() {
pending_dir=$1
cd /usr/share/yunohost/templates/fail2ban
fail2ban_dir="${pending_dir}/etc/fail2ban"
mkdir -p "${fail2ban_dir}/filter.d"
mkdir -p "${fail2ban_dir}/jail.d"
cp yunohost.conf "${fail2ban_dir}/filter.d/yunohost.conf"
cp jail.conf "${fail2ban_dir}/jail.conf"
export ssh_port="$(yunohost settings get 'security.ssh.port')"
ynh_render_template "yunohost-jails.conf" "${fail2ban_dir}/jail.d/yunohost-jails.conf"
}
do_post_regen() {
regen_conf_files=$1
[[ -z "$regen_conf_files" ]] \
|| systemctl reload fail2ban
}
do_$1_regen ${@:2}


@ -1,9 +0,0 @@
#!/bin/bash
# Exit hook on subcommand error or unset variable
set -eu
# Source YNH helpers
source /usr/share/yunohost/helpers
ynh_restore_file --origin_path="/home/yunohost.multimedia" --not_mandatory


@ -1,6 +0,0 @@
domain-needed
expand-hosts
listen-address=127.0.0.1
resolv-file=/etc/resolv.dnsmasq.conf
cache-size=256


@ -1,92 +0,0 @@
# Example MySQL config file for small systems.
#
# This is for a system with little memory (<= 64M) where MySQL is only used
# from time to time and it's important that the mysqld daemon
# doesn't use much resources.
#
# MySQL programs look for option files in a set of
# locations which depend on the deployment platform.
# You can copy this option file to one of those
# locations. For information about these locations, see:
# http://dev.mysql.com/doc/mysql/en/option-files.html
#
# In this file, you can use all long options that a program supports.
# If you want to know which options a program supports, run the program
# with the "--help" option.
# The following options will be passed to all MySQL clients
[client]
#password = your_password
port = 3306
socket = /var/run/mysqld/mysqld.sock
# Here follows entries for some specific programs
# The MySQL server
[mysqld]
port = 3306
socket = /var/run/mysqld/mysqld.sock
skip-external-locking
key_buffer_size = 16K
max_allowed_packet = 16M
table_open_cache = 4
sort_buffer_size = 4M
read_buffer_size = 256K
read_rnd_buffer_size = 256K
net_buffer_length = 2K
thread_stack = 128K
# to avoid corruption on powerfailure
default-storage-engine=innodb
# Don't listen on a TCP/IP port at all. This can be a security enhancement,
# if all processes that need to connect to mysqld run on the same host.
# All interaction with mysqld must be made via Unix sockets or named pipes.
# Note that using this option without enabling named pipes on Windows
# (using the "enable-named-pipe" option) will render mysqld useless!
#
#skip-networking
server-id = 1
# Uncomment the following if you want to log updates
#log-bin=mysql-bin
# binary logging format - mixed recommended
#binlog_format=mixed
# Causes updates to non-transactional engines using statement format to be
# written directly to binary log. Before using this option make sure that
# there are no dependencies between transactional and non-transactional
# tables such as in the statement INSERT INTO t_myisam SELECT * FROM
# t_innodb; otherwise, slaves may diverge from the master.
#binlog_direct_non_transactional_updates=TRUE
# Uncomment the following if you are using InnoDB tables
#innodb_data_home_dir = /var/lib/mysql
#innodb_data_file_path = ibdata1:10M:autoextend
#innodb_log_group_home_dir = /var/lib/mysql
# You can set .._buffer_pool_size up to 50 - 80 %
# of RAM but beware of setting memory usage too high
#innodb_buffer_pool_size = 16M
#innodb_additional_mem_pool_size = 2M
# Set .._log_file_size to 25 % of buffer pool size
#innodb_log_file_size = 5M
#innodb_log_buffer_size = 8M
#innodb_flush_log_at_trx_commit = 1
#innodb_lock_wait_timeout = 50
[mysqldump]
quick
max_allowed_packet = 16M
[mysql]
no-auto-rehash
# Remove the next comment character if you are not familiar with SQL
#safe-updates
[myisamchk]
key_buffer_size = 8M
sort_buffer_size = 8M
[mysqlhotcopy]
interactive-timeout

239
debian/changelog vendored

@ -1,3 +1,242 @@
yunohost (11.0.4) testing; urgency=low
- [mod] certificate: drop unused 'staging' LE mode (4b78e8e3)
- [fix] cli: bash_completion was broken ([#1423](https://github.com/YunoHost/yunohost/pull/1423))
- [enh] mdns: Wait for network to be fully up to start the service ([#1425](https://github.com/YunoHost/yunohost/pull/1425))
- [fix] regenconf: make some systemctl enable/disable quiet (bccff1b4, 345e50ae)
- [fix] configpanels: Compute choices for the yunohost admin when installing an app ([#1427](https://github.com/YunoHost/yunohost/pull/1427))
- [fix] configpanels: optimize _get_toml for domains to not load the whole DNS section stuff when just getting a simple info from another section (bf6252ac)
- [fix] configpanel: oopsies, could only change the default app for domain configs :P (0a59f863)
- [fix] php73_to_php74: another search&replace for synapse (f0a01ba2)
- [fix] php73_to_php74: stopping php7.3 before starting 7.4 should be more robust in case confs are conflicting (9ae7ec59)
- [i18n] Translations updated for French, Ukrainian
Thanks to all contributors <3 ! (Éric Gaspar, Kay0u, Tagadda, tituspijean, Tymofii-Lytvynenko)
-- Alexandre Aubin <alex.aubin@mailoo.org> Sat, 29 Jan 2022 19:19:44 +0100
yunohost (11.0.3) testing; urgency=low
- [enh] mail: Add SNI support for postfix and dovecot ([#1413](https://github.com/YunoHost/yunohost/pull/1413))
- [fix] services: fix a couple edge cases (4571c5b2)
- [fix] services: Do not save php-fpm services in services.yml (5d0f8021)
- [fix] diagnosis: diagnosers were run in a funky order ([#1418](https://github.com/YunoHost/yunohost/pull/1418))
- [fix] configpanels: config_get should return possible choices for domain, user questions (and other dynamic-choices questions) ([#1420](https://github.com/YunoHost/yunohost/pull/1420))
- [enh] apps/domain: Clarify the default app mecanism, handle it fron domain config panel ([#1406](https://github.com/YunoHost/yunohost/pull/1406))
- [fix] apps: When no main app permission found, fallback to default label instead of having a 'None' label to prevent the webadmin from displaying an empty app list (07396b8b)
- [i18n] Translations updated for Galician
Thanks to all contributors <3 ! (José M, Kay0u, Tagadda, tituspijean)
-- Alexandre Aubin <alex.aubin@mailoo.org> Tue, 25 Jan 2022 13:06:10 +0100
yunohost (11.0.2) testing; urgency=low
- [mod] Various tweaks for Python 3.9, PHP 7.4, PostgreSQL 13, and other changes related to Buster->Bullseye ecosystem
- [mod] debian: Moved mysql, php, and metronome from Depends to Recommends ([#1369](https://github.com/YunoHost/yunohost/pull/1369))
- [mod] apt: **Add sury by default** ([#1369](https://github.com/YunoHost/yunohost/pull/1369))
- [enh] mysql: **Drop super old mysql config, now rely on Debian default** ([44c972f...144126f](https://github.com/YunoHost/yunohost/compare/44c972f2dd65...144126f56a3d))
- [enh] regenconf/helpers: Better integration for postgresql ([#1369](https://github.com/YunoHost/yunohost/pull/1369))
- [mod] quality: **Rework repository code architecture** ([#1377](https://github.com/YunoHost/yunohost/pull/1377))
- [mod] quality: **Rework where yunohost files are deployed** (yunohost now a much closer to a python lib with files in /usr/lib/python3/dist-packages/yunohost/, and other "common" files are in /usr/share/yunohost) ([#1377](https://github.com/YunoHost/yunohost/pull/1377))
- [enh] upgrade: Try to implement **a smarter self-upgrade mechanism to prevent/limit API downtime and related UX issues** ([#1374](https://github.com/YunoHost/yunohost/pull/1374))
- [mod] regenconf: store tmp files in /var/cache/yunohost/ instead of the misleading /home/yunohost.conf folder (00d535a6)
- [mod] dyndns: rewrite tsig keygen + nsupdate using full python, now that dnssec-keygen doesnt support hmacsha512 anymore (63a84f53)
- [mod] app: During app scripts (and all stuff run in hook_exec), do not inject the HOME variable if it exists. This aims to prevent inconsistencies between CLI (where HOME usually is defined) and API (where HOME doesnt exists) (f43e567b)
- [mod] quality: **Drop legacy commands or arguments** listed below
- Drop `--other_vars` options in ynh_add_fail2ban_config and systemd_config helpers
- Drop deprecated/superold `ynh_bind_or_cp`, `ynh_mkdir_tmp`, `ynh_get_plain_key` helpers
- Drop obsolete `yunohost-reset-ldap-password` command
- Drop obsolete `yunohost dyndns installcron` and `removecron` commands
- Drop deprecated `yunohost service regen-conf` command (see `tools regen-conf` instead)
- Drop deprecated `yunohost app fetchlist` command
- Drop obsolete `yunohost app add/remove/clearaccess` commands
- Drop deprecated `--installed` and `--filter` options in `yunohost app list`
- Drop deprecated `--apps` and `--system` options in `yunohost tools update/upgrade` (no double dashes anymore)
- Drop deprecated `--status` and `--log_type` options in `yunohost service add`
- Drop deprecated `--mail` option in `yunohost user create`
-- Alexandre Aubin <alex.aubin@mailoo.org> Wed, 19 Jan 2022 20:52:39 +0100
yunohost (4.4.0) testing; urgency=low
- [enh] Add buster->bullseye migration
-- Alexandre Aubin <alex.aubin@mailoo.org> Wed, 19 Jan 2022 20:45:22 +0100
yunohost (4.3.6.2) stable; urgency=low
- [fix] apt helpers: fix bug when var is empty... (7920cc62)
-- Alexandre Aubin <alex.aubin@mailoo.org> Wed, 19 Jan 2022 20:30:25 +0100
yunohost (4.3.6.1) stable; urgency=low
- [fix] dnsmasq: ensure interface is up ([#1410](https://github.com/YunoHost/yunohost/pull/1410))
- [fix] apt helpers: fix ynh_install_app_dependencies when an app change his default phpversion (6ea32728)
- [fix] certificates: fix edge case where None is returned, triggering 'NoneType has no attribute get' (019839db)
- [i18n] Translations updated for German
Thanks to all contributors <3 ! (Gregor, Kay0u)
-- Alexandre Aubin <alex.aubin@mailoo.org> Wed, 19 Jan 2022 20:05:13 +0100
yunohost (4.3.6) stable; urgency=low
- [enh] ssh: add a new setting to manage PasswordAuthentication in sshd_config ([#1388](https://github.com/YunoHost/yunohost/pull/1388))
- [enh] upgrades: filter more boring apt messages (3cc1a0a5)
- [fix] ynh_add_config: crons should be owned by root, otherwise they probably don't run? (0973301b)
- [fix] domains: force cert install during domain_add ([#1404](https://github.com/YunoHost/yunohost/pull/1404))
- [fix] logs: remove 'args' for metadata, may contain unredacted secrets in edge cases
- [fix] helpers, apt: upgrade apt dependencies from extra repos ([#1407](https://github.com/YunoHost/yunohost/pull/1407))
- [fix] diagnosis: incorrect dns check (relative vs absolute) for CNAME on subdomain (d81b85a4)
- [i18n] Translations updated for Dutch, French, Galician, German, Spanish, Ukrainian
Thanks to all contributors <3 ! (Boudewijn, Christian Wehrli, Éric Gaspar, Germain Edy, José M, Kay0u, Kayou, ljf, Tagada, Tymofii-Lytvynenko)
-- Alexandre Aubin <alex.aubin@mailoo.org> Fri, 14 Jan 2022 01:29:58 +0100
yunohost (4.3.5) stable; urgency=low
- [fix] backup: bug in backup_delete when compress_tar_archives is True ([#1381](https://github.com/YunoHost/yunohost/pull/1381))
- [fix] helpers logrorate: remove permission tweak .. code was not working as expected. To be re-addressed some day ... (0fc209ac)
- [fix] i18n: consistency for deprecation for --apps in 'yunohost tools update/upgrade' ([#1392](https://github.com/YunoHost/yunohost/pull/1392))
- [fix] apps: typo when deleting superfluous question keys ([#1393](https://github.com/YunoHost/yunohost/pull/1393))
- [fix] diagnosis: typo in dns record diagnoser (a615528c)
- [fix] diagnosis: tweak treshold for suspiciously high number of auth failure because too many people getting report about it idk (76abbf03)
- [enh] quality: apply pyupgrade ([#1395](https://github.com/YunoHost/yunohost/pull/1395))
- [enh] quality: add lgtm/code quality badge ([#1396](https://github.com/YunoHost/yunohost/pull/1396))
- [i18n] Translations updated for Dutch, French, Galician, German, Indonesian, Russian, Spanish, Ukrainian
Thanks to all contributors <3 ! (Boudewijn, Bram, Christian Wehrli, Colin Wawrik, Éric Gaspar, Ilya, José M, Juan Alberto González, Kay0u, liimee, Moutonjr Geoff, tituspijean, Tymofii Lytvynenko, Valentin von Guttenberg)
-- Alexandre Aubin <alex.aubin@mailoo.org> Wed, 29 Dec 2021 01:01:33 +0100
yunohost (4.3.4.2) stable; urgency=low
- [fix] yunomdns: Ignore ipv4 link-local addresses (6854f23c)
- [fix] backup: Fix path for multimedia restore ([#1386](https://github.com/YunoHost/yunohost/pull/1386))
- [fix] helpers apt/php: typo in extra php-fpm yunohost service integration (47f3c00d)
- [enh] helpers: Update n to 8.0.1 (d1ab1f67)
Thanks to all contributors <3 ! (ericgaspar, Kayou)
-- Alexandre Aubin <alex.aubin@mailoo.org> Wed, 08 Dec 2021 22:04:04 +0100
yunohost (4.3.4.1) stable; urgency=low
- [fix] regenconf: Force permission on /etc/resolv.dnsmasq.conf to fix an issue on some setup with umask=027 (5881938c)
- [fix] regenconf: Typo in custom mdns alias regen conf (b3df36dd)
- [fix] regenconf: Try to fix the return line bug in dnsmasq conf ([#1385](https://github.com/YunoHost/yunohost/pull/1385))
Thanks to all contributors <3 ! (ljf)
-- Alexandre Aubin <alex.aubin@mailoo.org> Sat, 27 Nov 2021 21:15:29 +0100
yunohost (4.3.4) stable; urgency=low
- [fix] apps: Allow tilde in username/organization for repo URLs ([#1382](https://github.com/YunoHost/yunohost/pull/1382))
- [fix] misc: /etc/yunohost permissions broken on some setups (6488b4f6)
- [fix] mdns: Don't add yunohost.local in config if it's already among the yunohost domains (c4962834)
- [enh] dnsmasq: Tweak conf for better support of some stuff like the hotspot app ([#1383](https://github.com/YunoHost/yunohost/pull/1383))
Thanks to all contributors <3 ! (ljf, tituspijean)
-- Alexandre Aubin <alex.aubin@mailoo.org> Sat, 27 Nov 2021 00:53:16 +0100
yunohost (4.3.3) stable; urgency=low
- [fix] log: fix dump_script_log_extract_for_debugging displaying wrong log snippet during failed upgrade ([#1376](https://github.com/YunoHost/yunohost/pull/1376))
- [fix] certificate: fix stupid certificate/diagnosis issue with subdomains of ynh domains (7c569d16)
- [fix] diagnosis: Read DNS Blacklist answer and compare it against list of non-BL codes ([#1375](https://github.com/YunoHost/yunohost/pull/1375))
- [enh] helpers: Update n to 8.0.0 ([#1372](https://github.com/YunoHost/yunohost/pull/1372))
- [fix] helpers: Make ynh_add_fpm_config more robust to some edge cases (51d5dca0)
- [fix] backup: conf_ynh_settings backup/restore hook, /etc/yunohost/domains may not exist (38f5352f)
- [i18n] Translations updated for Basque, Chinese (Simplified), Indonesian, Italian, Ukrainian
Thanks to all contributors <3 ! (dagangtie, ericgaspar, Félix Piédallu, Flavio Cristoforetti, liimee, punkrockgirl, Romain Thouvenin, Tommi, Tymofii-Lytvynenko)
-- Alexandre Aubin <alex.aubin@mailoo.org> Sun, 14 Nov 2021 22:55:16 +0100
yunohost (4.3.2.2) stable; urgency=low
- [fix] nginx: Try to fix again the webadmin cache hell (74e2a51e)
-- Alexandre Aubin <alex.aubin@mailoo.org> Sat, 06 Nov 2021 17:39:58 +0100
yunohost (4.3.2.1) stable; urgency=low
- [enh] mdns: Add possibility to manually add .local aliases via /etc/yunohost/mdns.aliases (meant for internetcube) (3da2df6e)
- [fix] debian: Fix conflict with redis-server (6558b23d)
- [fix] nginx: Refine experimental CSP header (in the end still gotta enable unsafe-inline and unsafe-eval for a bunch of things, but better than no policy at all...) (1cc3e440)
-- Alexandre Aubin <alex.aubin@mailoo.org> Sat, 06 Nov 2021 16:58:07 +0100
yunohost (4.3.2) stable; urgency=low
- Release as stable
- [i18n] Translations updated for Basque, Occitan
Thanks to all contributors <3 ! (punkrockgirl, Quentí)
-- Alexandre Aubin <alex.aubin@mailoo.org> Fri, 05 Nov 2021 02:32:56 +0100
yunohost (4.3.1.8) testing; urgency=low
- [enh] dyndns: Drop some YAGNI + improve IPv6-only support + resilience w.r.t. ns0 / ns1 being down (a61d0231, [#1367](https://github.com/YunoHost/yunohost/pull/1367))
- [fix] helpers: improve composer debug when it can't install dependencies (4ebcaf8d)
- [enh] helpers: allow to get/set/delete app settings without explicitly passing app id everytime... (fcd2ef9d)
- [fix] helpers: Don't say the 'app was restored' when restore failed after failed upgrade (019d207c)
- [enh] helpers: temporarily auto-add visitors during ynh_local_curl if needed ([#1370](https://github.com/YunoHost/yunohost/pull/1370))
- [enh] apps: Add YNH_ARCH to app script env for easier debugging and arch check in script (85eb43a7)
- [mod] misc fixes/enh (2687121f, 146fba7d, 86a9cb37, 4e917b5e, 974ea71f, edc5295d, ba489bfc)
- [i18n] Translations updated for Basque, French, Spanish
Thanks to all contributors <3 ! (ljf, Page Asgardius, ppr, punkrockgirl)
-- Alexandre Aubin <alex.aubin@mailoo.org> Wed, 03 Nov 2021 18:35:18 +0100
yunohost (4.3.1.7) testing; urgency=low
- [fix] configpanel: Misc technical fixes ... (341059d0, 9c22329e)
- [i18n] Translations updated for Basque, French
Thanks to all contributors <3 ! (ljf, ppr, punkrockgirl)
-- Alexandre Aubin <alex.aubin@mailoo.org> Tue, 19 Oct 2021 15:30:50 +0200
yunohost (4.3.1.6) testing; urgency=low
- [fix] configpanel: Various technical fixes (07c1ddce, eae826b2, ff69067d)
- [i18n] Translations updated for Basque, Galician, German, Russian, Ukrainian
Thanks to all contributors <3 ! (Colin Wawrik, Daniel, José M, ljf, punkrockgirl, Semen Turchikhin, Tymofii-Lytvynenko)
-- Alexandre Aubin <alex.aubin@mailoo.org> Mon, 18 Oct 2021 18:50:00 +0200
yunohost (4.3.1.5) testing; urgency=low
- [enh] configpanel: Add hook mecanism between questions (9f7fb61b)
- [fix] configpanel: Issue with visible-if context missing between section
- [mod] Force-disable old avahi-daemon (af3d6dd7, 3a07a780)
Thanks to all contributors <3 ! (ljf)
-- Alexandre Aubin <alex.aubin@mailoo.org> Sun, 17 Oct 2021 20:44:33 +0200
yunohost (4.3.1.4) testing; urgency=low
- [mod] codequality: Safer, clearer ynh_secure_remove ([#1357](https://github.com/YunoHost/yunohost/pull/1357))
- [mod] codequality: Lint/autoformat helpers, hooks and debian scripts ([#1356](https://github.com/YunoHost/yunohost/pull/1356))
- [mod] helpers: Flag ynh_print_ON/OFF as internal to not advertise them in the doc (fe959bd7)
- [fix] helpers: Eval mecanism in ynh_exec_* lead to epic bugs ([#1358](https://github.com/YunoHost/yunohost/pull/1358))
- [enh] dyndns: validate that we're connected to the internet before triggering yunohost dyndns update (55bacd74)
- [enh] regenconf/dyndns: Delete dyndns cron in regenconf if no dyndns domain found (cb835a2d)
- [fix] regenconf/dovecot: add conf snippet to get rid of stupid stats-writer errors in mail.log (dab3dc6f)
- [enh] regenconf/dnsmasq: Don't generate dnsmasq conf for .local domains (df02f898)
-- Alexandre Aubin <alex.aubin@mailoo.org> Wed, 13 Oct 2021 15:41:21 +0200
yunohost (4.3.1.3) testing; urgency=low
- [fix] app: repo url branch names may contain dots (38cff4a9)

1
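--- a/debian/compat
+++ b/debian/compat
@@ -1 +0,0 @@
-9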

35
debian/control vendored
View file

@ -2,7 +2,7 @@ Source: yunohost
Section: utils
Priority: extra
Maintainer: YunoHost Contributors <contrib@yunohost.org>
Build-Depends: debhelper (>=9), dh-systemd, dh-python, python3-all (>= 3.7), python3-yaml, python3-jinja2
Build-Depends: debhelper (>=9), debhelper-compat (= 13), dh-python, python3-all (>= 3.7), python3-yaml, python3-jinja2
Standards-Version: 3.9.6
Homepage: https://yunohost.org/
@ -10,15 +10,15 @@ Package: yunohost
Essential: yes
Architecture: all
Depends: ${python3:Depends}, ${misc:Depends}
, moulinette (>= 4.3), ssowat (>= 4.3)
, moulinette (>= 11.0), ssowat (>= 11.0)
, python3-psutil, python3-requests, python3-dnspython, python3-openssl
, python3-miniupnpc, python3-dbus, python3-jinja2
, python3-toml, python3-packaging, python3-publicsuffix,
, python3-ldap, python3-zeroconf, python3-lexicon,
, python3-toml, python3-packaging, python3-publicsuffix2
, python3-ldap, python3-zeroconf (>= 0.36), python3-lexicon,
, python-is-python3
, nginx, nginx-extras (>=1.18)
, apt, apt-transport-https, apt-utils, dirmngr
, php7.3-common, php7.3-fpm, php7.3-ldap, php7.3-intl
, mariadb-server, php7.3-mysql
, openssh-server, iptables, fail2ban, dnsutils, bind9utils
, openssh-server, iptables, fail2ban, bind9-dnsutils
, openssl, ca-certificates, netcat-openbsd, iproute2
, slapd, ldap-utils, sudo-ldap, libnss-ldapd, unscd, libpam-ldapd
, dnsmasq, resolvconf, libnss-myhostname
@ -26,28 +26,29 @@ Depends: ${python3:Depends}, ${misc:Depends}
, dovecot-core, dovecot-ldap, dovecot-lmtpd, dovecot-managesieved, dovecot-antispam
, rspamd, opendkim-tools, postsrsd, procmail, mailutils
, redis-server
, metronome (>=3.14.0)
, acl
, git, curl, wget, cron, unzip, jq, bc, at
, lsb-release, haveged, fake-hwclock, equivs, lsof, whois
Recommends: yunohost-admin
, ntp, inetutils-ping | iputils-ping
, bash-completion, rsyslog
, php7.3-gd, php7.3-curl, php-gettext
, php7.4-common, php7.4-fpm, php7.4-ldap, php7.4-intl
, mariadb-server, php7.4-mysql
, php7.4-gd, php7.4-curl, php-php-gettext
, python3-pip
, unattended-upgrades
, libdbd-ldap-perl, libnet-dns-perl
Suggests: htop, vim, rsync, acpi-support-base, udisks2
, metronome (>=3.14.0)
Conflicts: iptables-persistent
, apache2
, bind9
, nginx-extras (>= 1.16)
, openssl (>= 1.1.1g)
, slapd (>= 2.4.49)
, dovecot-core (>= 1:2.3.7)
, redis-server (>= 5:5.0.7)
, fail2ban (>= 0.11)
, iptables (>= 1.8.3)
, nginx-extras (>= 1.19)
, openssl (>= 1.1.1l-1)
, slapd (>= 2.4.58)
, dovecot-core (>= 1:2.3.14)
, redis-server (>= 5:6.1)
, fail2ban (>= 0.11.3)
, iptables (>= 1.8.8)
Description: manageable and configured self-hosting server
YunoHost aims to make self-hosting accessible to everyone. It configures
an email, Web and IM server alongside a LDAP base. It also provides
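Review bot: In the last hunk the `Conflicts:` field uses versioned entries such as `openssl (>= 1.1.1l-1)` and `slapd (>= 2.4.58)` as upper bounds on security-critical packages, presumably to block an accidental move to the next Debian release, but nothing in the file says how the bounds were chosen or when to revisit them. If a stable security upload ever carries an upstream version at or above one of these bounds, apt would have to choose between that update and this package, which is also marked `Essential: yes`, so the fix could be held back without anyone noticing. I would add a comment line above the field, e.g. `# Version bounds below are deliberate upper limits; re-check them against stable security uploads`, and keep each bound clearly above what the targeted release can receive. Separately, in the second hunk `, python3-ldap, python3-zeroconf (>= 0.36), python3-lexicon,` still ends with a comma before the next leading-comma line, leaving an empty entry; dropping it would match the `python3-publicsuffix2` line. Which of the doubled lines is the new side is inferred from the version numbers, since the page lost its +/- markers.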
