Update YunoHost template

generated_templates/yunohost_django_package/django_example_ynh/.github/workflows/package_linter.yml

@@ -1,3 +1,5 @@
+
+
 name: YunoHost apps package linter
 
 on:
@@ -21,18 +23,16 @@ jobs:
         with:
           python-version: '3.11'
 
-      - name: Install dependencies
-        run: |
-          python -m pip install --upgrade pip
-          pip install toml
-
       - name: 'Clone YunoHost apps package linter'
         run: |
           git clone --depth=1 https://github.com/YunoHost/package_linter ~/package_linter
 
       - name: 'Install requirements'
-        run: pip3 install toml
+        run: |
+          python3 -m pip install --upgrade pip
+          python3 -m pip install --upgrade toml jsonschema pyparsing six
 
       - name: 'Run linter'
         run: |
           ~/package_linter/package_linter.py .
+

generated_templates/yunohost_django_package/django_example_ynh/conf/manage.py

@@ -1,4 +1,4 @@
-#!__DATA_DIR__/venv/bin/python3
+#!__DATA_DIR__/.venv/bin/python
 
 import os
 import sys

generated_templates/yunohost_django_package/django_example_ynh/conf/setup_user.py

@@ -1,6 +1,6 @@
 def setup_project_user(user):
     """
-    Setup user for the project.
+    All users used the Django admin, so we need to set the "staff" user flag.
     Called from django_yunohost_integration.sso_auth
     """
     user.is_staff = True

generated_templates/yunohost_django_package/django_example_ynh/conf/systemd.service

@@ -1,17 +1,54 @@
 [Unit]
 Description=__APP__ server
-After=redis.service postgresql.service
+After=network.target redis.service postgresql.service
 
 [Service]
 User=__APP__
-Group=__APP__
 WorkingDirectory=__DATA_DIR__/
 
-ExecStart=__DATA_DIR__/venv/bin/gunicorn --config __DATA_DIR__/gunicorn.conf.py wsgi
+ExecStart=__DATA_DIR__/.venv/bin/gunicorn --config __DATA_DIR__/gunicorn.conf.py wsgi
 
-StandardOutput=syslog
-StandardError=syslog
-SyslogIdentifier=__APP__-server
+
+#____________________________________________________________________________________
+# Below copy&paste from:
+# https://github.com/YunoHost-Apps/homeassistant_ynh/blob/master/conf/systemd.service
+
+
+RestartForceExitStatus=100
+Restart=on-failure
+RestartSec=5s
+StandardOutput=append:__LOG_FILE__
+StandardError=inherit
+
+# Sandboxing options to harden security
+# Depending on specificities of your service/app, you may need to tweak these
+# .. but this should be a good baseline
+# Details for these options: https://www.freedesktop.org/software/systemd/man/systemd.exec.html
+NoNewPrivileges=yes
+PrivateTmp=yes
+#CANT BE ACTIVATED FOR __APP__ #PrivateDevices=yes
+#CANT BE ACTIVATED FOR __APP__ #RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+RestrictNamespaces=yes
+RestrictRealtime=yes
+#CANT BE ACTIVATED FOR __APP__ (see issue #40) #DevicePolicy=closed
+ProtectSystem=full
+ProtectControlGroups=yes
+ProtectKernelModules=yes
+# ProtectKernelTunables=yes
+LockPersonality=yes
+SystemCallFilter=~@clock @debug @module @mount @obsolete @reboot @setuid @swap
+
+# Denying access to capabilities that should not be relevant for webapps
+# Doc: https://man7.org/linux/man-pages/man7/capabilities.7.html
+CapabilityBoundingSet=~CAP_RAWIO CAP_MKNOD
+CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE
+CapabilityBoundingSet=~CAP_SYS_BOOT CAP_SYS_TIME CAP_SYS_MODULE CAP_SYS_PACCT
+CapabilityBoundingSet=~CAP_LEASE CAP_LINUX_IMMUTABLE CAP_IPC_LOCK
+CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_WAKE_ALARM
+CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG
+CapabilityBoundingSet=~CAP_MAC_ADMIN CAP_MAC_OVERRIDE
+CapabilityBoundingSet=~CAP_NET_ADMIN CAP_NET_BROADCAST CAP_NET_RAW
+CapabilityBoundingSet=~CAP_SYS_ADMIN CAP_SYS_PTRACE CAP_SYSLOG
 
 [Install]
 WantedBy=multi-user.target

generated_templates/yunohost_django_package/django_example_ynh/django_example_ynh/tests/test_django_project.py

@@ -80,7 +80,7 @@ def test_create_unknown_user(self):
         assert user.username == 'test'
         assert user.is_active is True
         assert user.is_staff is True  # Set by: conf.setup_user.setup_project_user
-        assert user.is_superuser is True
+        assert user.is_superuser is True  # Set by: conf.setup_user.setup_project_user
 
         self.assert_html_parts(
             response,
@@ -110,7 +110,7 @@ def test_wrong_auth_user(self):
         assert user.username == 'test'
         assert user.is_active is True
         assert user.is_staff is True  # Set by: conf.setup_user.setup_project_user
-        assert user.is_superuser is True
+        assert user.is_superuser is True  # Set by: conf.setup_user.setup_project_user
 
         assert AccessLog.objects.count() == 1
 
@@ -135,7 +135,7 @@ def test_wrong_cookie(self):
         assert user.username == 'test'
         assert user.is_active is True
         assert user.is_staff is True  # Set by: conf.setup_user.setup_project_user
-        assert user.is_superuser is True
+        assert user.is_superuser is True  # Set by: conf.setup_user.setup_project_user
 
         assert AccessLog.objects.count() == 1
 
@@ -162,7 +162,7 @@ def test_wrong_authorization_user(self):
         assert user.username == 'test'
         assert user.is_active is True
         assert user.is_staff is True  # Set by: conf.setup_user.setup_project_user
-        assert user.is_superuser is True
+        assert user.is_superuser is True  # Set by: conf.setup_user.setup_project_user
 
         assert AccessLog.objects.count() == 1
 

generated_templates/yunohost_django_package/django_example_ynh/manifest.toml

@@ -13,16 +13,14 @@ maintainers = ["John Doh"]
 [upstream]
 # https://yunohost.org/en/packaging_manifest#upstream-section
 license = "GPL-3.0-or-later"
-# website = "https://github.com/YunoHost-Apps/django_example_ynh" # If the app has no proper website, just remove the 'website' key entirely
-admindoc = "https://github.com/YunoHost-Apps/django_example_ynh"
-userdoc = "https://github.com/john-doh/django_example"
-code = "https://github.com/YunoHost-Apps/django_example_ynh"
+code = "https://github.com/john-doh/django_example"
 
 
 
 [integration]
 # https://yunohost.org/en/packaging_manifest#integration-section
 yunohost = ">=11.2"
+helpers_version = "2.1" # https://yunohost.org/en/packaging_apps_helpers_v2.1
 architectures = "all"
 multi_instance = true
 ldap = true
@@ -49,7 +47,6 @@ ram.runtime = "50M" # **estimate** minimum ram requirement. e.g. 50M, 400M, 1G,
     [install.admin]
     # this is a generic question - ask strings are automatically handled by Yunohost's core
     type = "user"
-    default = "admin"
 
     [install.init_main_permission]
     type = "group"
@@ -84,6 +81,7 @@ ram.runtime = "50M" # **estimate** minimum ram requirement. e.g. 50M, 400M, 1G,
     # https://yunohost.org/en/packaging_apps_resources#install-dir
     # This will create/remove the install dir as /var/www/$app/
     # and store the corresponding setting $install_dir and template variable __INSTALL_DIR__
+    group = "www-data:r-x" # static files served by nginx
 
     [resources.data_dir]
     # https://yunohost.org/en/packaging_apps_resources#data-dir

generated_templates/yunohost_django_package/django_example_ynh/requirements.dev.txt

@@ -80,9 +80,9 @@ boolean-py==4.0 \
     --hash=sha256:17b9a181630e43dde1851d42bef546d616d5d9b4480357514597e78b203d06e4 \
     --hash=sha256:2876f2051d7d6394a531d82dc6eb407faa0b01a0a0b3083817ccd7323b8d96bd
     # via license-expression
-build==1.2.1 \
-    --hash=sha256:526263f4870c26f26c433545579475377b2b7588b6f1eac76a001e873ae3e19d \
-    --hash=sha256:75e10f767a433d9a86e50d83f418e83efc18ede923ee5ff7df93b6cb0306c5d4
+build==1.2.2 \
+    --hash=sha256:119b2fb462adef986483438377a13b2f42064a2a3a4161f24a0cca698a07ac8c \
+    --hash=sha256:277ccc71619d98afdd841a0e96ac9fe1593b823af481d3b0cea748e8894e0613
     # via pip-tools
 bx-django-utils==79 \
     --hash=sha256:cb66087d4e9396281acf5a4394b749cff3062b66082d5726f6a8a342fdd35d0e \
@@ -642,9 +642,9 @@ mdurl==0.1.2 \
     --hash=sha256:84008a41e51615a49fc9966191ff91509e3c40b939176e643fd50a5c2196b8f8 \
     --hash=sha256:bb413d29f5eea38f31dd4754dd7377d4465116fb207585f97bf925588687c1ba
     # via markdown-it-py
-more-itertools==10.4.0 \
-    --hash=sha256:0f7d9f83a0a8dcfa8a2694a770590d98a67ea943e3d9f5298309a484758c4e27 \
-    --hash=sha256:fe0e63c4ab068eac62410ab05cccca2dc71ec44ba8ef29916a0090df061cf923
+more-itertools==10.5.0 \
+    --hash=sha256:037b0d3203ce90cca8ab1defbbdac29d5f993fc20131f3664dc8d6acfa872aef \
+    --hash=sha256:5482bfef7849c25dc3c6dd53a6173ae4795da2a41a80faea6700d9f5846c5da6
     # via
     #   jaraco-classes
     #   jaraco-functools
@@ -1106,9 +1106,9 @@ typeguard==4.3.0 \
     --hash=sha256:4d24c5b39a117f8a895b9da7a9b3114f04eb63bade45a4492de49b175b6f7dfa \
     --hash=sha256:92ee6a0aec9135181eae6067ebd617fd9de8d75d714fb548728a4933b1dea651
     # via django_example_ynh (pyproject.toml)
-types-python-dateutil==2.9.0.20240821 \
-    --hash=sha256:9649d1dcb6fef1046fb18bebe9ea2aa0028b160918518c34589a46045f6ebd98 \
-    --hash=sha256:f5889fcb4e63ed4aaa379b44f93c32593d50b9a94c9a60a0c854d8cc3511cd57
+types-python-dateutil==2.9.0.20240906 \
+    --hash=sha256:27c8cc2d058ccb14946eebcaaa503088f4f6dbc4fb6093d3d456a49aef2753f6 \
+    --hash=sha256:9706c3b68284c25adffc47319ecc7947e5bb86b3773f843c73906fd598bc176e
     # via arrow
 typing-extensions==4.12.2 \
     --hash=sha256:04e5ca0351e0f3f85c6853954072df659d0d13fac324d0072316b67d7794700d \

generated_templates/yunohost_django_package/django_example_ynh/scripts/_common.sh

@@ -38,31 +38,21 @@ log_file="${log_path}/${app}.log"
 # HELPERS
 #=================================================
 
-
 #==================================================================================
-# install_python.py downloads, builds and installs a Python interpreter, but:
-#
-# - only if the system Python is not the required major version
-# - only once (if the required major version is not already build and installed)
-#
-# Origin of this script is:
-#    https://github.com/jedie/manageprojects/blob/main/manageprojects/install_python.py
-# More info:
-#    https://github.com/jedie/manageprojects/blob/main/docs/install_python.md
-# See also:
-#    https://forum.yunohost.org/t/use-newer-python-than-3-9/22568
+# Until we get a newer Python in YunoHost, see:
+# https://forum.yunohost.org/t/use-newer-python-than-3-9/22568
 #==================================================================================
 PY_REQUIRED_MAJOR=3.11
 
 myynh_install_python() {
-    ynh_print_info --message="Install latest Python v${PY_REQUIRED_MAJOR}..."
+    ynh_print_info "Install latest Python v${PY_REQUIRED_MAJOR}..."
 
-    ynh_exec_warn_less python3 "$data_dir/install_python.py" -vv ${PY_REQUIRED_MAJOR}
+    ynh_hide_warnings python3 "$data_dir/install_python.py" -vv ${PY_REQUIRED_MAJOR}
 	py_app_version=$(python3 "$data_dir/install_python.py" ${PY_REQUIRED_MAJOR})
 
 	# Print some version information:
-	ynh_print_info --message="Python version: $($py_app_version -VV)"
-	ynh_print_info --message="Pip version: $($py_app_version -m pip -V)"
+	ynh_print_info "Python version: $($py_app_version -VV)"
+	ynh_print_info "Pip version: $($py_app_version -m pip -V)"
 }
 #==================================================================================
 #==================================================================================
@@ -71,47 +61,36 @@ myynh_setup_python_venv() {
     # Install Python if needed:
     myynh_install_python
 
+    ynh_print_info "Create Python virtualenv for $app..."
+
     # Create a virtualenv with python installed by myynh_install_python():
     # Skip pip because of: https://github.com/YunoHost/issues/issues/1960
-    ynh_exec_as $app $py_app_version -m venv --clear --upgrade-deps "$data_dir/venv"
+    ynh_exec_as_app $py_app_version -m venv --clear --upgrade-deps "$data_dir/.venv"
 
 	# Print some version information:
-	ynh_print_info --message="venv Python version: $($data_dir/venv/bin/python3 -VV)"
-	ynh_print_info --message="venv Pip version: $($data_dir/venv/bin/python3 -m pip -V)"
-
-    # run source in a 'sub shell'
-    (
-        set +o nounset
-        source "$data_dir/venv/bin/activate"
-        set -o nounset
-        set -x
-        ynh_exec_as $app $data_dir/venv/bin/pip3 install --upgrade pip
-        ynh_exec_as $app $data_dir/venv/bin/pip3 install --no-deps -r "$data_dir/requirements.txt"
-    )
+	ynh_print_info "venv Python version: $($data_dir/.venv/bin/python3 -VV)"
+	ynh_print_info "venv Pip version: $($data_dir/.venv/bin/python3 -m pip -V)"
+
+    ynh_print_info "Install $app dependencies in virtualenv..."
+    ynh_exec_as_app $data_dir/.venv/bin/pip3 install --upgrade pip wheel setuptools
+    ynh_exec_as_app $data_dir/.venv/bin/pip3 install --no-deps -r "$data_dir/requirements.txt"
 }
 
 myynh_setup_log_file() {
-    (
-        set -x
+    mkdir -p "$(dirname "$log_file")"
+    touch "$log_file"
 
-        mkdir -p "$(dirname "$log_file")"
-        touch "$log_file"
-
-        chown -c -R $app:$app "$log_path"
-        chmod -c o-rwx "$log_path"
-    )
+    chown -c -R $app:$app "$log_path"
+    chmod -c u+rwx,o-rwx "$log_path"
 }
 
 myynh_fix_file_permissions() {
-    (
-        set -x
-
-        # /var/www/$app/
-        chown -c -R "$app:www-data" "$install_dir"
-        chmod -c o-rwx "$install_dir"
-
-        # /home/yunohost.app/$app/
-        chown -c -R "$app:" "$data_dir"
-        chmod -c o-rwx "$data_dir"
-    )
+    # /var/www/$app/
+    # static files served by nginx, so use www-data group:
+    chown -c -R "$app:www-data" "$install_dir"
+    chmod -c u+rwx,g+rx,o-rwx "$install_dir"
+
+    # /home/yunohost.app/$app/
+    chown -c -R "$app:$app" "$data_dir"
+    chmod -c u+rwx,g+rwx,o-rwx "$data_dir"
 }