From eb89fc04b1f1cdc274a49e43bedc86b3900651eb Mon Sep 17 00:00:00 2001
From: Alexandre Aubin <alex.aubin@mailoo.org>
Date: Thu, 25 Apr 2019 20:09:57 +0200
Subject: [PATCH] Split 'backend' into fail2ban, logrotate, nginx, php, systemd

---
 data/helpers.d/backend   | 463 ---------------------------------------
 data/helpers.d/fail2ban  | 151 +++++++++++++
 data/helpers.d/logrotate | 103 +++++++++
 data/helpers.d/nginx     |  76 +++++++
 data/helpers.d/php       |  67 ++++++
 data/helpers.d/systemd   |  70 ++++++
 6 files changed, 467 insertions(+), 463 deletions(-)
 delete mode 100644 data/helpers.d/backend
 create mode 100644 data/helpers.d/fail2ban
 create mode 100644 data/helpers.d/logrotate
 create mode 100644 data/helpers.d/nginx
 create mode 100644 data/helpers.d/php
 create mode 100644 data/helpers.d/systemd

diff --git a/data/helpers.d/backend b/data/helpers.d/backend
deleted file mode 100644
index 305c016ad..000000000
--- a/data/helpers.d/backend
+++ /dev/null
@@ -1,463 +0,0 @@
-#!/bin/bash
-
-# Use logrotate to manage the logfile
-#
-# usage: ynh_use_logrotate [--logfile=/log/file] [--nonappend] [--specific_user=user/group]
-# | arg: -l, --logfile - absolute path of logfile
-# | arg: -n, --nonappend - (optional) Replace the config file instead of appending this new config.
-# | arg: -u, --specific_user : run logrotate as the specified user and group. If not specified logrotate is runned as root.
-#
-# If no --logfile is provided, /var/log/${app} will be used as default.
-# logfile can be just a directory, or a full path to a logfile :
-# /parentdir/logdir
-# /parentdir/logdir/logfile.log
-#
-# It's possible to use this helper multiple times, each config will be added to
-# the same logrotate config file.  Unless you use the option --non-append
-#
-# Requires YunoHost version 2.6.4 or higher.
-ynh_use_logrotate () {
-	# Declare an array to define the options of this helper.
-	local legacy_args=lnuya
-	declare -Ar args_array=( [l]=logfile= [n]=nonappend [u]=specific_user= [y]=non [a]=append )
-	# [y]=non [a]=append are only for legacy purpose, to not fail on the old option '--non-append'
-	local logfile
-	local nonappend
-	local specific_user
-	# Manage arguments with getopts
-	ynh_handle_getopts_args "$@"
-	local logfile="${logfile:-}"
-	local nonappend="${nonappend:-0}"
-	local specific_user="${specific_user:-}"
-
-	# LEGACY CODE - PRE GETOPTS
-	if [ $# -gt 0 ] && [ "$1" == "--non-append" ]; then
-		nonappend=1
-		# Destroy this argument for the next command.
-		shift
-	elif [ $# -gt 1 ] && [ "$2" == "--non-append" ]; then
-		nonappend=1
-	fi
-
-	if [ $# -gt 0 ] && [ "$(echo ${1:0:1})" != "-" ]; then
-		if [ "$(echo ${1##*.})" == "log" ]; then	# Keep only the extension to check if it's a logfile
-			local logfile=$1	# In this case, focus logrotate on the logfile
-		else
-			local logfile=$1/*.log	# Else, uses the directory and all logfile into it.
-		fi
-	fi
-	# LEGACY CODE
-
-	local customtee="tee -a"
-	if [ "$nonappend" -eq 1 ]; then
-		customtee="tee"
-	fi
-	if [ -n "$logfile" ]
-	then
-		if [ "$(echo ${logfile##*.})" != "log" ]; then	# Keep only the extension to check if it's a logfile
-			local logfile="$logfile/*.log"	# Else, uses the directory and all logfile into it.
-		fi
-	else
-		logfile="/var/log/${app}/*.log" # Without argument, use a defaut directory in /var/log
-	fi
-	local su_directive=""
-	if [[ -n $specific_user ]]; then
-		su_directive="	# Run logorotate as specific user - group
-	su ${specific_user%/*} ${specific_user#*/}"
-	fi
-
-	cat > ./${app}-logrotate << EOF	# Build a config file for logrotate
-$logfile {
-		# Rotate if the logfile exceeds 100Mo
-	size 100M
-		# Keep 12 old log maximum
-	rotate 12
-		# Compress the logs with gzip
-	compress
-		# Compress the log at the next cycle. So keep always 2 non compressed logs
-	delaycompress
-		# Copy and truncate the log to allow to continue write on it. Instead of move the log.
-	copytruncate
-		# Do not do an error if the log is missing
-	missingok
-		# Not rotate if the log is empty
-	notifempty
-		# Keep old logs in the same dir
-	noolddir
-	$su_directive
-}
-EOF
-	sudo mkdir -p $(dirname "$logfile")	# Create the log directory, if not exist
-	cat ${app}-logrotate | sudo $customtee /etc/logrotate.d/$app > /dev/null	# Append this config to the existing config file, or replace the whole config file (depending on $customtee)
-}
-
-# Remove the app's logrotate config.
-#
-# usage: ynh_remove_logrotate
-#
-# Requires YunoHost version 2.6.4 or higher.
-ynh_remove_logrotate () {
-	if [ -e "/etc/logrotate.d/$app" ]; then
-		sudo rm "/etc/logrotate.d/$app"
-	fi
-}
-
-# Create a dedicated systemd config
-#
-# usage: ynh_add_systemd_config [--service=service] [--template=template]
-# | arg: -s, --service - Service name (optionnal, $app by default)
-# | arg: -t, --template - Name of template file (optionnal, this is 'systemd' by default, meaning ./conf/systemd.service will be used as template)
-#
-# This will use the template ../conf/<templatename>.service
-# to generate a systemd config, by replacing the following keywords
-# with global variables that should be defined before calling
-# this helper :
-#
-#   __APP__       by  $app
-#   __FINALPATH__ by  $final_path
-#
-# Requires YunoHost version 2.7.2 or higher.
-ynh_add_systemd_config () {
-	# Declare an array to define the options of this helper.
-	local legacy_args=st
-	declare -Ar args_array=( [s]=service= [t]=template= )
-	local service
-	local template
-	# Manage arguments with getopts
-	ynh_handle_getopts_args "$@"
-	local service="${service:-$app}"
-	local template="${template:-systemd.service}"
-
-	finalsystemdconf="/etc/systemd/system/$service.service"
-	ynh_backup_if_checksum_is_different --file="$finalsystemdconf"
-	sudo cp ../conf/$template "$finalsystemdconf"
-
-	# To avoid a break by set -u, use a void substitution ${var:-}. If the variable is not set, it's simply set with an empty variable.
-	# Substitute in a nginx config file only if the variable is not empty
-	if test -n "${final_path:-}"; then
-		ynh_replace_string --match_string="__FINALPATH__" --replace_string="$final_path" --target_file="$finalsystemdconf"
-	fi
-	if test -n "${app:-}"; then
-		ynh_replace_string --match_string="__APP__" --replace_string="$app" --target_file="$finalsystemdconf"
-	fi
-	ynh_store_file_checksum --file="$finalsystemdconf"
-
-	sudo chown root: "$finalsystemdconf"
-	sudo systemctl enable $service
-	sudo systemctl daemon-reload
-}
-
-# Remove the dedicated systemd config
-#
-# usage: ynh_remove_systemd_config [--service=service]
-# | arg: -s, --service - Service name (optionnal, $app by default)
-#
-# Requires YunoHost version 2.7.2 or higher.
-ynh_remove_systemd_config () {
-	# Declare an array to define the options of this helper.
-	local legacy_args=s
-	declare -Ar args_array=( [s]=service= )
-	local service
-	# Manage arguments with getopts
-	ynh_handle_getopts_args "$@"
-	local service="${service:-$app}"
-
-	local finalsystemdconf="/etc/systemd/system/$service.service"
-	if [ -e "$finalsystemdconf" ]; then
-		ynh_systemd_action --service_name=$service --action=stop
-		systemctl disable $service
-		ynh_secure_remove --file="$finalsystemdconf"
-		systemctl daemon-reload
-	fi
-}
-
-# Create a dedicated nginx config
-#
-# usage: ynh_add_nginx_config "list of others variables to replace"
-#
-# | arg: list - (Optional) list of others variables to replace separated by spaces. For example : 'path_2 port_2 ...'
-#
-# This will use a template in ../conf/nginx.conf
-#   __PATH__      by  $path_url
-#   __DOMAIN__    by  $domain
-#   __PORT__      by  $port
-#   __NAME__      by  $app
-#   __FINALPATH__ by  $final_path
-#
-#  And dynamic variables (from the last example) :
-#   __PATH_2__    by $path_2
-#   __PORT_2__    by $port_2
-#
-# Requires YunoHost version 2.7.2 or higher.
-ynh_add_nginx_config () {
-	finalnginxconf="/etc/nginx/conf.d/$domain.d/$app.conf"
-	local others_var=${1:-}
-	ynh_backup_if_checksum_is_different --file="$finalnginxconf"
-	sudo cp ../conf/nginx.conf "$finalnginxconf"
-
-	# To avoid a break by set -u, use a void substitution ${var:-}. If the variable is not set, it's simply set with an empty variable.
-	# Substitute in a nginx config file only if the variable is not empty
-	if test -n "${path_url:-}"; then
-		# path_url_slash_less is path_url, or a blank value if path_url is only '/'
-		local path_url_slash_less=${path_url%/}
-		ynh_replace_string --match_string="__PATH__/" --replace_string="$path_url_slash_less/" --target_file="$finalnginxconf"
-		ynh_replace_string --match_string="__PATH__" --replace_string="$path_url" --target_file="$finalnginxconf"
-	fi
-	if test -n "${domain:-}"; then
-		ynh_replace_string --match_string="__DOMAIN__" --replace_string="$domain" --target_file="$finalnginxconf"
-	fi
-	if test -n "${port:-}"; then
-		ynh_replace_string --match_string="__PORT__" --replace_string="$port" --target_file="$finalnginxconf"
-	fi
-	if test -n "${app:-}"; then
-		ynh_replace_string --match_string="__NAME__" --replace_string="$app" --target_file="$finalnginxconf"
-	fi
-	if test -n "${final_path:-}"; then
-		ynh_replace_string --match_string="__FINALPATH__" --replace_string="$final_path" --target_file="$finalnginxconf"
-	fi
-
-	# Replace all other variable given as arguments
-	for var_to_replace in $others_var
-	do
-		# ${var_to_replace^^} make the content of the variable on upper-cases
-		# ${!var_to_replace} get the content of the variable named $var_to_replace 
-		ynh_replace_string --match_string="__${var_to_replace^^}__" --replace_string="${!var_to_replace}" --target_file="$finalnginxconf"
-	done
-	
-	if [ "${path_url:-}" != "/" ]
-	then
-		ynh_replace_string --match_string="^#sub_path_only" --replace_string="" --target_file="$finalnginxconf"
-	else
-		ynh_replace_string --match_string="^#root_path_only" --replace_string="" --target_file="$finalnginxconf"
-	fi
-
-	ynh_store_file_checksum --file="$finalnginxconf"
-
-	ynh_systemd_action --service_name=nginx --action=reload
-}
-
-# Remove the dedicated nginx config
-#
-# usage: ynh_remove_nginx_config
-#
-# Requires YunoHost version 2.7.2 or higher.
-ynh_remove_nginx_config () {
-	ynh_secure_remove --file="/etc/nginx/conf.d/$domain.d/$app.conf"
-	ynh_systemd_action --service_name=nginx --action=reload
-}
-
-# Create a dedicated php-fpm config
-#
-# usage: ynh_add_fpm_config [--phpversion=7.X]
-# | arg: -v, --phpversion - Version of php to use.
-#
-# Requires YunoHost version 2.7.2 or higher.
-ynh_add_fpm_config () {
-	# Declare an array to define the options of this helper.
-	local legacy_args=v
-	declare -Ar args_array=( [v]=phpversion= )
-	local phpversion
-	# Manage arguments with getopts
-	ynh_handle_getopts_args "$@"
-
-	# Configure PHP-FPM 7.0 by default
-	phpversion="${phpversion:-7.0}"
-
-	local fpm_config_dir="/etc/php/$phpversion/fpm"
-	local fpm_service="php${phpversion}-fpm"
-	# Configure PHP-FPM 5 on Debian Jessie
-	if [ "$(ynh_get_debian_release)" == "jessie" ]; then
-		fpm_config_dir="/etc/php5/fpm"
-		fpm_service="php5-fpm"
-	fi
-	ynh_app_setting_set --app=$app --key=fpm_config_dir --value="$fpm_config_dir"
-	ynh_app_setting_set --app=$app --key=fpm_service --value="$fpm_service"
-	finalphpconf="$fpm_config_dir/pool.d/$app.conf"
-	ynh_backup_if_checksum_is_different --file="$finalphpconf"
-	sudo cp ../conf/php-fpm.conf "$finalphpconf"
-	ynh_replace_string --match_string="__NAMETOCHANGE__" --replace_string="$app" --target_file="$finalphpconf"
-	ynh_replace_string --match_string="__FINALPATH__" --replace_string="$final_path" --target_file="$finalphpconf"
-	ynh_replace_string --match_string="__USER__" --replace_string="$app" --target_file="$finalphpconf"
-	ynh_replace_string --match_string="__PHPVERSION__" --replace_string="$phpversion" --target_file="$finalphpconf"
-	sudo chown root: "$finalphpconf"
-	ynh_store_file_checksum --file="$finalphpconf"
-
-	if [ -e "../conf/php-fpm.ini" ]
-	then
-		echo "Packagers ! Please do not use a separate php ini file, merge your directives in the pool file instead." >&2
-		finalphpini="$fpm_config_dir/conf.d/20-$app.ini"
-		ynh_backup_if_checksum_is_different "$finalphpini"
-		sudo cp ../conf/php-fpm.ini "$finalphpini"
-		sudo chown root: "$finalphpini"
-		ynh_store_file_checksum "$finalphpini"
-	fi
-	ynh_systemd_action --service_name=$fpm_service --action=reload
-}
-
-# Remove the dedicated php-fpm config
-#
-# usage: ynh_remove_fpm_config
-#
-# Requires YunoHost version 2.7.2 or higher.
-ynh_remove_fpm_config () {
-	local fpm_config_dir=$(ynh_app_setting_get --app=$app --key=fpm_config_dir)
-	local fpm_service=$(ynh_app_setting_get --app=$app --key=fpm_service)
-	# Assume php version 7 if not set
-	if [ -z "$fpm_config_dir" ]; then
-		fpm_config_dir="/etc/php/7.0/fpm"
-		fpm_service="php7.0-fpm"
-	fi
-	ynh_secure_remove --file="$fpm_config_dir/pool.d/$app.conf"
-	ynh_secure_remove --file="$fpm_config_dir/conf.d/20-$app.ini" 2>&1
-	ynh_systemd_action --service_name=$fpm_service --action=reload
-}
-
-# Create a dedicated fail2ban config (jail and filter conf files)
-#
-# usage 1: ynh_add_fail2ban_config --logpath=log_file --failregex=filter [--max_retry=max_retry] [--ports=ports]
-# | arg: -l, --logpath=   - Log file to be checked by fail2ban
-# | arg: -r, --failregex= - Failregex to be looked for by fail2ban
-# | arg: -m, --max_retry= - Maximum number of retries allowed before banning IP address - default: 3
-# | arg: -p, --ports=     - Ports blocked for a banned IP address - default: http,https
-#
-# -----------------------------------------------------------------------------
-#
-# usage 2: ynh_add_fail2ban_config --use_template [--others_var="list of others variables to replace"]
-# | arg: -t, --use_template - Use this helper in template mode
-# | arg: -v, --others_var=  - List of others variables to replace separeted by a space
-# |                           for example : 'var_1 var_2 ...'
-#
-# This will use a template in ../conf/f2b_jail.conf and ../conf/f2b_filter.conf
-#   __APP__      by  $app
-#
-#  You can dynamically replace others variables by example :
-#   __VAR_1__    by $var_1
-#   __VAR_2__    by $var_2
-#
-# Generally your template will look like that by example (for synapse):
-#
-# f2b_jail.conf:
-#     [__APP__]
-#     enabled = true
-#     port = http,https
-#     filter = __APP__
-#     logpath = /var/log/__APP__/logfile.log
-#     maxretry = 3
-#
-# f2b_filter.conf:
-#     [INCLUDES]
-#     before = common.conf
-#     [Definition]
-#
-#     # Part of regex definition (just used to make more easy to make the global regex)
-#     __synapse_start_line = .? \- synapse\..+ \-
-#
-#    # Regex definition.
-#    failregex = ^%(__synapse_start_line)s INFO \- POST\-(\d+)\- <HOST> \- \d+ \- Received request\: POST /_matrix/client/r0/login\??<SKIPLINES>%(__synapse_start_line)s INFO \- POST\-\1\- Got login request with identifier: \{u'type': u'm.id.user', u'user'\: u'(.+?)'\}, medium\: None, address: None, user\: u'\5'<SKIPLINES>%(__synapse_start_line)s WARNING \- \- (Attempted to login as @\5\:.+ but they do not exist|Failed password login for user @\5\:.+)$
-#
-#     ignoreregex =
-#
-# -----------------------------------------------------------------------------
-#
-# Note about the "failregex" option:
-#          regex to match the password failure messages in the logfile. The
-#          host must be matched by a group named "host". The tag "<HOST>" can
-#          be used for standard IP/hostname matching and is only an alias for
-#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
-#
-#          You can find some more explainations about how to make a regex here :
-#          https://www.fail2ban.org/wiki/index.php/MANUAL_0_8#Filters
-#
-# Note that the logfile need to exist before to call this helper !!
-#
-# To validate your regex you can test with this command:
-# fail2ban-regex /var/log/YOUR_LOG_FILE_PATH /etc/fail2ban/filter.d/YOUR_APP.conf
-#
-# Requires YunoHost version 3.?.? or higher.
-ynh_add_fail2ban_config () {
-  # Declare an array to define the options of this helper.
-  local legacy_args=lrmptv
-  declare -Ar args_array=( [l]=logpath= [r]=failregex= [m]=max_retry= [p]=ports= [t]=use_template [v]=others_var=)
-  local logpath
-  local failregex
-  local max_retry
-  local ports
-  local others_var
-  local use_template
-  # Manage arguments with getopts
-  ynh_handle_getopts_args "$@"
-  use_template="${use_template:-0}"
-  max_retry=${max_retry:-3}
-  ports=${ports:-http,https}
-
-  finalfail2banjailconf="/etc/fail2ban/jail.d/$app.conf"
-  finalfail2banfilterconf="/etc/fail2ban/filter.d/$app.conf"
-  ynh_backup_if_checksum_is_different "$finalfail2banjailconf"
-  ynh_backup_if_checksum_is_different "$finalfail2banfilterconf"
-
-  if [ $use_template -eq 1 ]
-  then
-    # Usage 2, templates
-    cp ../conf/f2b_jail.conf $finalfail2banjailconf
-    cp ../conf/f2b_filter.conf $finalfail2banfilterconf
-
-    if [ -n "${app:-}" ]
-    then
-      ynh_replace_string "__APP__" "$app" "$finalfail2banjailconf"
-      ynh_replace_string "__APP__" "$app" "$finalfail2banfilterconf"
-    fi
-
-    # Replace all other variable given as arguments
-    for var_to_replace in ${others_var:-}; do
-      # ${var_to_replace^^} make the content of the variable on upper-cases
-      # ${!var_to_replace} get the content of the variable named $var_to_replace
-      ynh_replace_string --match_string="__${var_to_replace^^}__" --replace_string="${!var_to_replace}" --target_file="$finalfail2banjailconf"
-      ynh_replace_string --match_string="__${var_to_replace^^}__" --replace_string="${!var_to_replace}" --target_file="$finalfail2banfilterconf"
-    done
-
-  else
-    # Usage 1, no template. Build a config file from scratch.
-    test -n "$logpath" || ynh_die "ynh_add_fail2ban_config expects a logfile path as first argument and received nothing."
-    test -n "$failregex" || ynh_die "ynh_add_fail2ban_config expects a failure regex as second argument and received nothing."
-
-    tee $finalfail2banjailconf <<EOF
-[$app]
-enabled = true
-port = $ports
-filter = $app
-logpath = $logpath
-maxretry = $max_retry
-EOF
-
-    tee $finalfail2banfilterconf <<EOF
-[INCLUDES]
-before = common.conf
-[Definition]
-failregex = $failregex
-ignoreregex =
-EOF
-  fi
-
-  # Common to usage 1 and 2.
-  ynh_store_file_checksum "$finalfail2banjailconf"
-  ynh_store_file_checksum "$finalfail2banfilterconf"
-
-  ynh_systemd_action --service_name=fail2ban --action=reload
-
-  local fail2ban_error="$(journalctl -u fail2ban | tail -n50 | grep "WARNING.*$app.*")"
-  if [[ -n "$fail2ban_error" ]]; then
-    ynh_print_err --message="Fail2ban failed to load the jail for $app"
-    ynh_print_warn --message="${fail2ban_error#*WARNING}"
-  fi
-}
-
-# Remove the dedicated fail2ban config (jail and filter conf files)
-#
-# usage: ynh_remove_fail2ban_config
-#
-# Requires YunoHost version 3.?.? or higher.
-ynh_remove_fail2ban_config () {
-  ynh_secure_remove "/etc/fail2ban/jail.d/$app.conf"
-  ynh_secure_remove "/etc/fail2ban/filter.d/$app.conf"
-  ynh_systemd_action --service_name=fail2ban --action=reload
-}
diff --git a/data/helpers.d/fail2ban b/data/helpers.d/fail2ban
new file mode 100644
index 000000000..85f568520
--- /dev/null
+++ b/data/helpers.d/fail2ban
@@ -0,0 +1,151 @@
+#!/bin/bash
+
+# Create a dedicated fail2ban config (jail and filter conf files)
+#
+# usage 1: ynh_add_fail2ban_config --logpath=log_file --failregex=filter [--max_retry=max_retry] [--ports=ports]
+# | arg: -l, --logpath=   - Log file to be checked by fail2ban
+# | arg: -r, --failregex= - Failregex to be looked for by fail2ban
+# | arg: -m, --max_retry= - Maximum number of retries allowed before banning IP address - default: 3
+# | arg: -p, --ports=     - Ports blocked for a banned IP address - default: http,https
+#
+# -----------------------------------------------------------------------------
+#
+# usage 2: ynh_add_fail2ban_config --use_template [--others_var="list of others variables to replace"]
+# | arg: -t, --use_template - Use this helper in template mode
+# | arg: -v, --others_var=  - List of others variables to replace separeted by a space
+# |                           for example : 'var_1 var_2 ...'
+#
+# This will use a template in ../conf/f2b_jail.conf and ../conf/f2b_filter.conf
+#   __APP__      by  $app
+#
+#  You can dynamically replace others variables by example :
+#   __VAR_1__    by $var_1
+#   __VAR_2__    by $var_2
+#
+# Generally your template will look like that by example (for synapse):
+#
+# f2b_jail.conf:
+#     [__APP__]
+#     enabled = true
+#     port = http,https
+#     filter = __APP__
+#     logpath = /var/log/__APP__/logfile.log
+#     maxretry = 3
+#
+# f2b_filter.conf:
+#     [INCLUDES]
+#     before = common.conf
+#     [Definition]
+#
+#     # Part of regex definition (just used to make more easy to make the global regex)
+#     __synapse_start_line = .? \- synapse\..+ \-
+#
+#    # Regex definition.
+#    failregex = ^%(__synapse_start_line)s INFO \- POST\-(\d+)\- <HOST> \- \d+ \- Received request\: POST /_matrix/client/r0/login\??<SKIPLINES>%(__synapse_start_line)s INFO \- POST\-\1\- Got login request with identifier: \{u'type': u'm.id.user', u'user'\: u'(.+?)'\}, medium\: None, address: None, user\: u'\5'<SKIPLINES>%(__synapse_start_line)s WARNING \- \- (Attempted to login as @\5\:.+ but they do not exist|Failed password login for user @\5\:.+)$
+#
+#     ignoreregex =
+#
+# -----------------------------------------------------------------------------
+#
+# Note about the "failregex" option:
+#          regex to match the password failure messages in the logfile. The
+#          host must be matched by a group named "host". The tag "<HOST>" can
+#          be used for standard IP/hostname matching and is only an alias for
+#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
+#
+#          You can find some more explainations about how to make a regex here :
+#          https://www.fail2ban.org/wiki/index.php/MANUAL_0_8#Filters
+#
+# Note that the logfile need to exist before to call this helper !!
+#
+# To validate your regex you can test with this command:
+# fail2ban-regex /var/log/YOUR_LOG_FILE_PATH /etc/fail2ban/filter.d/YOUR_APP.conf
+#
+# Requires YunoHost version 3.?.? or higher.
+ynh_add_fail2ban_config () {
+  # Declare an array to define the options of this helper.
+  local legacy_args=lrmptv
+  declare -Ar args_array=( [l]=logpath= [r]=failregex= [m]=max_retry= [p]=ports= [t]=use_template [v]=others_var=)
+  local logpath
+  local failregex
+  local max_retry
+  local ports
+  local others_var
+  local use_template
+  # Manage arguments with getopts
+  ynh_handle_getopts_args "$@"
+  use_template="${use_template:-0}"
+  max_retry=${max_retry:-3}
+  ports=${ports:-http,https}
+
+  finalfail2banjailconf="/etc/fail2ban/jail.d/$app.conf"
+  finalfail2banfilterconf="/etc/fail2ban/filter.d/$app.conf"
+  ynh_backup_if_checksum_is_different "$finalfail2banjailconf"
+  ynh_backup_if_checksum_is_different "$finalfail2banfilterconf"
+
+  if [ $use_template -eq 1 ]
+  then
+    # Usage 2, templates
+    cp ../conf/f2b_jail.conf $finalfail2banjailconf
+    cp ../conf/f2b_filter.conf $finalfail2banfilterconf
+
+    if [ -n "${app:-}" ]
+    then
+      ynh_replace_string "__APP__" "$app" "$finalfail2banjailconf"
+      ynh_replace_string "__APP__" "$app" "$finalfail2banfilterconf"
+    fi
+
+    # Replace all other variable given as arguments
+    for var_to_replace in ${others_var:-}; do
+      # ${var_to_replace^^} make the content of the variable on upper-cases
+      # ${!var_to_replace} get the content of the variable named $var_to_replace
+      ynh_replace_string --match_string="__${var_to_replace^^}__" --replace_string="${!var_to_replace}" --target_file="$finalfail2banjailconf"
+      ynh_replace_string --match_string="__${var_to_replace^^}__" --replace_string="${!var_to_replace}" --target_file="$finalfail2banfilterconf"
+    done
+
+  else
+    # Usage 1, no template. Build a config file from scratch.
+    test -n "$logpath" || ynh_die "ynh_add_fail2ban_config expects a logfile path as first argument and received nothing."
+    test -n "$failregex" || ynh_die "ynh_add_fail2ban_config expects a failure regex as second argument and received nothing."
+
+    tee $finalfail2banjailconf <<EOF
+[$app]
+enabled = true
+port = $ports
+filter = $app
+logpath = $logpath
+maxretry = $max_retry
+EOF
+
+    tee $finalfail2banfilterconf <<EOF
+[INCLUDES]
+before = common.conf
+[Definition]
+failregex = $failregex
+ignoreregex =
+EOF
+  fi
+
+  # Common to usage 1 and 2.
+  ynh_store_file_checksum "$finalfail2banjailconf"
+  ynh_store_file_checksum "$finalfail2banfilterconf"
+
+  ynh_systemd_action --service_name=fail2ban --action=reload
+
+  local fail2ban_error="$(journalctl -u fail2ban | tail -n50 | grep "WARNING.*$app.*")"
+  if [[ -n "$fail2ban_error" ]]; then
+    ynh_print_err --message="Fail2ban failed to load the jail for $app"
+    ynh_print_warn --message="${fail2ban_error#*WARNING}"
+  fi
+}
+
+# Remove the dedicated fail2ban config (jail and filter conf files)
+#
+# usage: ynh_remove_fail2ban_config
+#
+# Requires YunoHost version 3.?.? or higher.
+ynh_remove_fail2ban_config () {
+  ynh_secure_remove "/etc/fail2ban/jail.d/$app.conf"
+  ynh_secure_remove "/etc/fail2ban/filter.d/$app.conf"
+  ynh_systemd_action --service_name=fail2ban --action=reload
+}
diff --git a/data/helpers.d/logrotate b/data/helpers.d/logrotate
new file mode 100644
index 000000000..47ce46cf6
--- /dev/null
+++ b/data/helpers.d/logrotate
@@ -0,0 +1,103 @@
+#!/bin/bash
+
+# Use logrotate to manage the logfile
+#
+# usage: ynh_use_logrotate [--logfile=/log/file] [--nonappend] [--specific_user=user/group]
+# | arg: -l, --logfile - absolute path of logfile
+# | arg: -n, --nonappend - (optional) Replace the config file instead of appending this new config.
+# | arg: -u, --specific_user : run logrotate as the specified user and group. If not specified logrotate is runned as root.
+#
+# If no --logfile is provided, /var/log/${app} will be used as default.
+# logfile can be just a directory, or a full path to a logfile :
+# /parentdir/logdir
+# /parentdir/logdir/logfile.log
+#
+# It's possible to use this helper multiple times, each config will be added to
+# the same logrotate config file.  Unless you use the option --non-append
+#
+# Requires YunoHost version 2.6.4 or higher.
+ynh_use_logrotate () {
+	# Declare an array to define the options of this helper.
+	local legacy_args=lnuya
+	declare -Ar args_array=( [l]=logfile= [n]=nonappend [u]=specific_user= [y]=non [a]=append )
+	# [y]=non [a]=append are only for legacy purpose, to not fail on the old option '--non-append'
+	local logfile
+	local nonappend
+	local specific_user
+	# Manage arguments with getopts
+	ynh_handle_getopts_args "$@"
+	local logfile="${logfile:-}"
+	local nonappend="${nonappend:-0}"
+	local specific_user="${specific_user:-}"
+
+	# LEGACY CODE - PRE GETOPTS
+	if [ $# -gt 0 ] && [ "$1" == "--non-append" ]; then
+		nonappend=1
+		# Destroy this argument for the next command.
+		shift
+	elif [ $# -gt 1 ] && [ "$2" == "--non-append" ]; then
+		nonappend=1
+	fi
+
+	if [ $# -gt 0 ] && [ "$(echo ${1:0:1})" != "-" ]; then
+		if [ "$(echo ${1##*.})" == "log" ]; then	# Keep only the extension to check if it's a logfile
+			local logfile=$1	# In this case, focus logrotate on the logfile
+		else
+			local logfile=$1/*.log	# Else, uses the directory and all logfile into it.
+		fi
+	fi
+	# LEGACY CODE
+
+	local customtee="tee -a"
+	if [ "$nonappend" -eq 1 ]; then
+		customtee="tee"
+	fi
+	if [ -n "$logfile" ]
+	then
+		if [ "$(echo ${logfile##*.})" != "log" ]; then	# Keep only the extension to check if it's a logfile
+			local logfile="$logfile/*.log"	# Else, uses the directory and all logfile into it.
+		fi
+	else
+		logfile="/var/log/${app}/*.log" # Without argument, use a defaut directory in /var/log
+	fi
+	local su_directive=""
+	if [[ -n $specific_user ]]; then
+		su_directive="	# Run logorotate as specific user - group
+	su ${specific_user%/*} ${specific_user#*/}"
+	fi
+
+	cat > ./${app}-logrotate << EOF	# Build a config file for logrotate
+$logfile {
+		# Rotate if the logfile exceeds 100Mo
+	size 100M
+		# Keep 12 old log maximum
+	rotate 12
+		# Compress the logs with gzip
+	compress
+		# Compress the log at the next cycle. So keep always 2 non compressed logs
+	delaycompress
+		# Copy and truncate the log to allow to continue write on it. Instead of move the log.
+	copytruncate
+		# Do not do an error if the log is missing
+	missingok
+		# Not rotate if the log is empty
+	notifempty
+		# Keep old logs in the same dir
+	noolddir
+	$su_directive
+}
+EOF
+	sudo mkdir -p $(dirname "$logfile")	# Create the log directory, if not exist
+	cat ${app}-logrotate | sudo $customtee /etc/logrotate.d/$app > /dev/null	# Append this config to the existing config file, or replace the whole config file (depending on $customtee)
+}
+
+# Remove the app's logrotate config.
+#
+# usage: ynh_remove_logrotate
+#
+# Requires YunoHost version 2.6.4 or higher.
+ynh_remove_logrotate () {
+	if [ -e "/etc/logrotate.d/$app" ]; then
+		sudo rm "/etc/logrotate.d/$app"
+	fi
+}
diff --git a/data/helpers.d/nginx b/data/helpers.d/nginx
new file mode 100644
index 000000000..ce6b61d3c
--- /dev/null
+++ b/data/helpers.d/nginx
@@ -0,0 +1,76 @@
+#!/bin/bash
+
+# Create a dedicated nginx config
+#
+# usage: ynh_add_nginx_config "list of others variables to replace"
+#
+# | arg: list - (Optional) list of others variables to replace separated by spaces. For example : 'path_2 port_2 ...'
+#
+# This will use a template in ../conf/nginx.conf
+#   __PATH__      by  $path_url
+#   __DOMAIN__    by  $domain
+#   __PORT__      by  $port
+#   __NAME__      by  $app
+#   __FINALPATH__ by  $final_path
+#
+#  And dynamic variables (from the last example) :
+#   __PATH_2__    by $path_2
+#   __PORT_2__    by $port_2
+#
+# Requires YunoHost version 2.7.2 or higher.
+ynh_add_nginx_config () {
+	finalnginxconf="/etc/nginx/conf.d/$domain.d/$app.conf"
+	local others_var=${1:-}
+	ynh_backup_if_checksum_is_different --file="$finalnginxconf"
+	sudo cp ../conf/nginx.conf "$finalnginxconf"
+
+	# To avoid a break by set -u, use a void substitution ${var:-}. If the variable is not set, it's simply set with an empty variable.
+	# Substitute in a nginx config file only if the variable is not empty
+	if test -n "${path_url:-}"; then
+		# path_url_slash_less is path_url, or a blank value if path_url is only '/'
+		local path_url_slash_less=${path_url%/}
+		ynh_replace_string --match_string="__PATH__/" --replace_string="$path_url_slash_less/" --target_file="$finalnginxconf"
+		ynh_replace_string --match_string="__PATH__" --replace_string="$path_url" --target_file="$finalnginxconf"
+	fi
+	if test -n "${domain:-}"; then
+		ynh_replace_string --match_string="__DOMAIN__" --replace_string="$domain" --target_file="$finalnginxconf"
+	fi
+	if test -n "${port:-}"; then
+		ynh_replace_string --match_string="__PORT__" --replace_string="$port" --target_file="$finalnginxconf"
+	fi
+	if test -n "${app:-}"; then
+		ynh_replace_string --match_string="__NAME__" --replace_string="$app" --target_file="$finalnginxconf"
+	fi
+	if test -n "${final_path:-}"; then
+		ynh_replace_string --match_string="__FINALPATH__" --replace_string="$final_path" --target_file="$finalnginxconf"
+	fi
+
+	# Replace all other variable given as arguments
+	for var_to_replace in $others_var
+	do
+		# ${var_to_replace^^} make the content of the variable on upper-cases
+		# ${!var_to_replace} get the content of the variable named $var_to_replace 
+		ynh_replace_string --match_string="__${var_to_replace^^}__" --replace_string="${!var_to_replace}" --target_file="$finalnginxconf"
+	done
+	
+	if [ "${path_url:-}" != "/" ]
+	then
+		ynh_replace_string --match_string="^#sub_path_only" --replace_string="" --target_file="$finalnginxconf"
+	else
+		ynh_replace_string --match_string="^#root_path_only" --replace_string="" --target_file="$finalnginxconf"
+	fi
+
+	ynh_store_file_checksum --file="$finalnginxconf"
+
+	ynh_systemd_action --service_name=nginx --action=reload
+}
+
+# Remove the dedicated nginx config
+#
+# usage: ynh_remove_nginx_config
+#
+# Requires YunoHost version 2.7.2 or higher.
+ynh_remove_nginx_config () {
+	ynh_secure_remove --file="/etc/nginx/conf.d/$domain.d/$app.conf"
+	ynh_systemd_action --service_name=nginx --action=reload
+}
diff --git a/data/helpers.d/php b/data/helpers.d/php
new file mode 100644
index 000000000..c9e3ba9ed
--- /dev/null
+++ b/data/helpers.d/php
@@ -0,0 +1,67 @@
+#!/bin/bash
+
+# Create a dedicated php-fpm config
+#
+# usage: ynh_add_fpm_config [--phpversion=7.X]
+# | arg: -v, --phpversion - Version of php to use.
+#
+# Requires YunoHost version 2.7.2 or higher.
+ynh_add_fpm_config () {
+	# Declare an array to define the options of this helper.
+	local legacy_args=v
+	declare -Ar args_array=( [v]=phpversion= )
+	local phpversion
+	# Manage arguments with getopts
+	ynh_handle_getopts_args "$@"
+
+	# Configure PHP-FPM 7.0 by default
+	phpversion="${phpversion:-7.0}"
+
+	local fpm_config_dir="/etc/php/$phpversion/fpm"
+	local fpm_service="php${phpversion}-fpm"
+	# Configure PHP-FPM 5 on Debian Jessie
+	if [ "$(ynh_get_debian_release)" == "jessie" ]; then
+		fpm_config_dir="/etc/php5/fpm"
+		fpm_service="php5-fpm"
+	fi
+	ynh_app_setting_set --app=$app --key=fpm_config_dir --value="$fpm_config_dir"
+	ynh_app_setting_set --app=$app --key=fpm_service --value="$fpm_service"
+	finalphpconf="$fpm_config_dir/pool.d/$app.conf"
+	ynh_backup_if_checksum_is_different --file="$finalphpconf"
+	sudo cp ../conf/php-fpm.conf "$finalphpconf"
+	ynh_replace_string --match_string="__NAMETOCHANGE__" --replace_string="$app" --target_file="$finalphpconf"
+	ynh_replace_string --match_string="__FINALPATH__" --replace_string="$final_path" --target_file="$finalphpconf"
+	ynh_replace_string --match_string="__USER__" --replace_string="$app" --target_file="$finalphpconf"
+	ynh_replace_string --match_string="__PHPVERSION__" --replace_string="$phpversion" --target_file="$finalphpconf"
+	sudo chown root: "$finalphpconf"
+	ynh_store_file_checksum --file="$finalphpconf"
+
+	if [ -e "../conf/php-fpm.ini" ]
+	then
+		echo "Packagers ! Please do not use a separate php ini file, merge your directives in the pool file instead." >&2
+		finalphpini="$fpm_config_dir/conf.d/20-$app.ini"
+		ynh_backup_if_checksum_is_different "$finalphpini"
+		sudo cp ../conf/php-fpm.ini "$finalphpini"
+		sudo chown root: "$finalphpini"
+		ynh_store_file_checksum "$finalphpini"
+	fi
+	ynh_systemd_action --service_name=$fpm_service --action=reload
+}
+
+# Remove the dedicated php-fpm config
+#
+# usage: ynh_remove_fpm_config
+#
+# Requires YunoHost version 2.7.2 or higher.
+ynh_remove_fpm_config () {
+	local fpm_config_dir=$(ynh_app_setting_get --app=$app --key=fpm_config_dir)
+	local fpm_service=$(ynh_app_setting_get --app=$app --key=fpm_service)
+	# Assume php version 7 if not set
+	if [ -z "$fpm_config_dir" ]; then
+		fpm_config_dir="/etc/php/7.0/fpm"
+		fpm_service="php7.0-fpm"
+	fi
+	ynh_secure_remove --file="$fpm_config_dir/pool.d/$app.conf"
+	ynh_secure_remove --file="$fpm_config_dir/conf.d/20-$app.ini" 2>&1
+	ynh_systemd_action --service_name=$fpm_service --action=reload
+}
diff --git a/data/helpers.d/systemd b/data/helpers.d/systemd
new file mode 100644
index 000000000..54a376cd6
--- /dev/null
+++ b/data/helpers.d/systemd
@@ -0,0 +1,70 @@
+#!/bin/bash
+
+# Create a dedicated systemd config
+#
+# usage: ynh_add_systemd_config [--service=service] [--template=template]
+# | arg: -s, --service - Service name (optionnal, $app by default)
+# | arg: -t, --template - Name of template file (optionnal, this is 'systemd' by default, meaning ./conf/systemd.service will be used as template)
+#
+# This will use the template ../conf/<templatename>.service
+# to generate a systemd config, by replacing the following keywords
+# with global variables that should be defined before calling
+# this helper :
+#
+#   __APP__       by  $app
+#   __FINALPATH__ by  $final_path
+#
+# Requires YunoHost version 2.7.2 or higher.
+ynh_add_systemd_config () {
+	# Declare an array to define the options of this helper.
+	local legacy_args=st
+	declare -Ar args_array=( [s]=service= [t]=template= )
+	local service
+	local template
+	# Manage arguments with getopts
+	ynh_handle_getopts_args "$@"
+	local service="${service:-$app}"
+	local template="${template:-systemd.service}"
+
+	finalsystemdconf="/etc/systemd/system/$service.service"
+	ynh_backup_if_checksum_is_different --file="$finalsystemdconf"
+	sudo cp ../conf/$template "$finalsystemdconf"
+
+	# To avoid a break by set -u, use a void substitution ${var:-}. If the variable is not set, it's simply set with an empty variable.
+	# Substitute in a nginx config file only if the variable is not empty
+	if test -n "${final_path:-}"; then
+		ynh_replace_string --match_string="__FINALPATH__" --replace_string="$final_path" --target_file="$finalsystemdconf"
+	fi
+	if test -n "${app:-}"; then
+		ynh_replace_string --match_string="__APP__" --replace_string="$app" --target_file="$finalsystemdconf"
+	fi
+	ynh_store_file_checksum --file="$finalsystemdconf"
+
+	sudo chown root: "$finalsystemdconf"
+	sudo systemctl enable $service
+	sudo systemctl daemon-reload
+}
+
+# Remove the dedicated systemd config
+#
+# usage: ynh_remove_systemd_config [--service=service]
+# | arg: -s, --service - Service name (optionnal, $app by default)
+#
+# Requires YunoHost version 2.7.2 or higher.
+ynh_remove_systemd_config () {
+	# Declare an array to define the options of this helper.
+	local legacy_args=s
+	declare -Ar args_array=( [s]=service= )
+	local service
+	# Manage arguments with getopts
+	ynh_handle_getopts_args "$@"
+	local service="${service:-$app}"
+
+	local finalsystemdconf="/etc/systemd/system/$service.service"
+	if [ -e "$finalsystemdconf" ]; then
+		ynh_systemd_action --service_name=$service --action=stop
+		systemctl disable $service
+		ynh_secure_remove --file="$finalsystemdconf"
+		systemctl daemon-reload
+	fi
+}