diff --git a/LICENSE b/LICENSE
index e69de29..94a9ed0 100644
--- a/LICENSE
+++ b/LICENSE
@@ -0,0 +1,674 @@
+ GNU GENERAL PUBLIC LICENSE
+ Version 3, 29 June 2007
+
+ Copyright (C) 2007 Free Software Foundation, Inc.
+ Everyone is permitted to copy and distribute verbatim copies
+ of this license document, but changing it is not allowed.
+
+ Preamble
+
+ The GNU General Public License is a free, copyleft license for
+software and other kinds of works.
+
+ The licenses for most software and other practical works are designed
+to take away your freedom to share and change the works. By contrast,
+the GNU General Public License is intended to guarantee your freedom to
+share and change all versions of a program--to make sure it remains free
+software for all its users. We, the Free Software Foundation, use the
+GNU General Public License for most of our software; it applies also to
+any other work released this way by its authors. You can apply it to
+your programs, too.
+
+ When we speak of free software, we are referring to freedom, not
+price. Our General Public Licenses are designed to make sure that you
+have the freedom to distribute copies of free software (and charge for
+them if you wish), that you receive source code or can get it if you
+want it, that you can change the software or use pieces of it in new
+free programs, and that you know you can do these things.
+
+ To protect your rights, we need to prevent others from denying you
+these rights or asking you to surrender the rights. Therefore, you have
+certain responsibilities if you distribute copies of the software, or if
+you modify it: responsibilities to respect the freedom of others.
+
+ For example, if you distribute copies of such a program, whether
+gratis or for a fee, you must pass on to the recipients the same
+freedoms that you received. You must make sure that they, too, receive
+or can get the source code. And you must show them these terms so they
+know their rights.
+
+ Developers that use the GNU GPL protect your rights with two steps:
+(1) assert copyright on the software, and (2) offer you this License
+giving you legal permission to copy, distribute and/or modify it.
+
+ For the developers' and authors' protection, the GPL clearly explains
+that there is no warranty for this free software. For both users' and
+authors' sake, the GPL requires that modified versions be marked as
+changed, so that their problems will not be attributed erroneously to
+authors of previous versions.
+
+ Some devices are designed to deny users access to install or run
+modified versions of the software inside them, although the manufacturer
+can do so. This is fundamentally incompatible with the aim of
+protecting users' freedom to change the software. The systematic
+pattern of such abuse occurs in the area of products for individuals to
+use, which is precisely where it is most unacceptable. Therefore, we
+have designed this version of the GPL to prohibit the practice for those
+products. If such problems arise substantially in other domains, we
+stand ready to extend this provision to those domains in future versions
+of the GPL, as needed to protect the freedom of users.
+
+ Finally, every program is threatened constantly by software patents.
+States should not allow patents to restrict development and use of
+software on general-purpose computers, but in those that do, we wish to
+avoid the special danger that patents applied to a free program could
+make it effectively proprietary. To prevent this, the GPL assures that
+patents cannot be used to render the program non-free.
+
+ The precise terms and conditions for copying, distribution and
+modification follow.
+
+ TERMS AND CONDITIONS
+
+ 0. Definitions.
+
+ "This License" refers to version 3 of the GNU General Public License.
+
+ "Copyright" also means copyright-like laws that apply to other kinds of
+works, such as semiconductor masks.
+
+ "The Program" refers to any copyrightable work licensed under this
+License. Each licensee is addressed as "you". "Licensees" and
+"recipients" may be individuals or organizations.
+
+ To "modify" a work means to copy from or adapt all or part of the work
+in a fashion requiring copyright permission, other than the making of an
+exact copy. The resulting work is called a "modified version" of the
+earlier work or a work "based on" the earlier work.
+
+ A "covered work" means either the unmodified Program or a work based
+on the Program.
+
+ To "propagate" a work means to do anything with it that, without
+permission, would make you directly or secondarily liable for
+infringement under applicable copyright law, except executing it on a
+computer or modifying a private copy. Propagation includes copying,
+distribution (with or without modification), making available to the
+public, and in some countries other activities as well.
+
+ To "convey" a work means any kind of propagation that enables other
+parties to make or receive copies. Mere interaction with a user through
+a computer network, with no transfer of a copy, is not conveying.
+
+ An interactive user interface displays "Appropriate Legal Notices"
+to the extent that it includes a convenient and prominently visible
+feature that (1) displays an appropriate copyright notice, and (2)
+tells the user that there is no warranty for the work (except to the
+extent that warranties are provided), that licensees may convey the
+work under this License, and how to view a copy of this License. If
+the interface presents a list of user commands or options, such as a
+menu, a prominent item in the list meets this criterion.
+
+ 1. Source Code.
+
+ The "source code" for a work means the preferred form of the work
+for making modifications to it. "Object code" means any non-source
+form of a work.
+
+ A "Standard Interface" means an interface that either is an official
+standard defined by a recognized standards body, or, in the case of
+interfaces specified for a particular programming language, one that
+is widely used among developers working in that language.
+
+ The "System Libraries" of an executable work include anything, other
+than the work as a whole, that (a) is included in the normal form of
+packaging a Major Component, but which is not part of that Major
+Component, and (b) serves only to enable use of the work with that
+Major Component, or to implement a Standard Interface for which an
+implementation is available to the public in source code form. A
+"Major Component", in this context, means a major essential component
+(kernel, window system, and so on) of the specific operating system
+(if any) on which the executable work runs, or a compiler used to
+produce the work, or an object code interpreter used to run it.
+
+ The "Corresponding Source" for a work in object code form means all
+the source code needed to generate, install, and (for an executable
+work) run the object code and to modify the work, including scripts to
+control those activities. However, it does not include the work's
+System Libraries, or general-purpose tools or generally available free
+programs which are used unmodified in performing those activities but
+which are not part of the work. For example, Corresponding Source
+includes interface definition files associated with source files for
+the work, and the source code for shared libraries and dynamically
+linked subprograms that the work is specifically designed to require,
+such as by intimate data communication or control flow between those
+subprograms and other parts of the work.
+
+ The Corresponding Source need not include anything that users
+can regenerate automatically from other parts of the Corresponding
+Source.
+
+ The Corresponding Source for a work in source code form is that
+same work.
+
+ 2. Basic Permissions.
+
+ All rights granted under this License are granted for the term of
+copyright on the Program, and are irrevocable provided the stated
+conditions are met. This License explicitly affirms your unlimited
+permission to run the unmodified Program. The output from running a
+covered work is covered by this License only if the output, given its
+content, constitutes a covered work. This License acknowledges your
+rights of fair use or other equivalent, as provided by copyright law.
+
+ You may make, run and propagate covered works that you do not
+convey, without conditions so long as your license otherwise remains
+in force. You may convey covered works to others for the sole purpose
+of having them make modifications exclusively for you, or provide you
+with facilities for running those works, provided that you comply with
+the terms of this License in conveying all material for which you do
+not control copyright. Those thus making or running the covered works
+for you must do so exclusively on your behalf, under your direction
+and control, on terms that prohibit them from making any copies of
+your copyrighted material outside their relationship with you.
+
+ Conveying under any other circumstances is permitted solely under
+the conditions stated below. Sublicensing is not allowed; section 10
+makes it unnecessary.
+
+ 3. Protecting Users' Legal Rights From Anti-Circumvention Law.
+
+ No covered work shall be deemed part of an effective technological
+measure under any applicable law fulfilling obligations under article
+11 of the WIPO copyright treaty adopted on 20 December 1996, or
+similar laws prohibiting or restricting circumvention of such
+measures.
+
+ When you convey a covered work, you waive any legal power to forbid
+circumvention of technological measures to the extent such circumvention
+is effected by exercising rights under this License with respect to
+the covered work, and you disclaim any intention to limit operation or
+modification of the work as a means of enforcing, against the work's
+users, your or third parties' legal rights to forbid circumvention of
+technological measures.
+
+ 4. Conveying Verbatim Copies.
+
+ You may convey verbatim copies of the Program's source code as you
+receive it, in any medium, provided that you conspicuously and
+appropriately publish on each copy an appropriate copyright notice;
+keep intact all notices stating that this License and any
+non-permissive terms added in accord with section 7 apply to the code;
+keep intact all notices of the absence of any warranty; and give all
+recipients a copy of this License along with the Program.
+
+ You may charge any price or no price for each copy that you convey,
+and you may offer support or warranty protection for a fee.
+
+ 5. Conveying Modified Source Versions.
+
+ You may convey a work based on the Program, or the modifications to
+produce it from the Program, in the form of source code under the
+terms of section 4, provided that you also meet all of these conditions:
+
+ a) The work must carry prominent notices stating that you modified
+ it, and giving a relevant date.
+
+ b) The work must carry prominent notices stating that it is
+ released under this License and any conditions added under section
+ 7. This requirement modifies the requirement in section 4 to
+ "keep intact all notices".
+
+ c) You must license the entire work, as a whole, under this
+ License to anyone who comes into possession of a copy. This
+ License will therefore apply, along with any applicable section 7
+ additional terms, to the whole of the work, and all its parts,
+ regardless of how they are packaged. This License gives no
+ permission to license the work in any other way, but it does not
+ invalidate such permission if you have separately received it.
+
+ d) If the work has interactive user interfaces, each must display
+ Appropriate Legal Notices; however, if the Program has interactive
+ interfaces that do not display Appropriate Legal Notices, your
+ work need not make them do so.
+
+ A compilation of a covered work with other separate and independent
+works, which are not by their nature extensions of the covered work,
+and which are not combined with it such as to form a larger program,
+in or on a volume of a storage or distribution medium, is called an
+"aggregate" if the compilation and its resulting copyright are not
+used to limit the access or legal rights of the compilation's users
+beyond what the individual works permit. Inclusion of a covered work
+in an aggregate does not cause this License to apply to the other
+parts of the aggregate.
+
+ 6. Conveying Non-Source Forms.
+
+ You may convey a covered work in object code form under the terms
+of sections 4 and 5, provided that you also convey the
+machine-readable Corresponding Source under the terms of this License,
+in one of these ways:
+
+ a) Convey the object code in, or embodied in, a physical product
+ (including a physical distribution medium), accompanied by the
+ Corresponding Source fixed on a durable physical medium
+ customarily used for software interchange.
+
+ b) Convey the object code in, or embodied in, a physical product
+ (including a physical distribution medium), accompanied by a
+ written offer, valid for at least three years and valid for as
+ long as you offer spare parts or customer support for that product
+ model, to give anyone who possesses the object code either (1) a
+ copy of the Corresponding Source for all the software in the
+ product that is covered by this License, on a durable physical
+ medium customarily used for software interchange, for a price no
+ more than your reasonable cost of physically performing this
+ conveying of source, or (2) access to copy the
+ Corresponding Source from a network server at no charge.
+
+ c) Convey individual copies of the object code with a copy of the
+ written offer to provide the Corresponding Source. This
+ alternative is allowed only occasionally and noncommercially, and
+ only if you received the object code with such an offer, in accord
+ with subsection 6b.
+
+ d) Convey the object code by offering access from a designated
+ place (gratis or for a charge), and offer equivalent access to the
+ Corresponding Source in the same way through the same place at no
+ further charge. You need not require recipients to copy the
+ Corresponding Source along with the object code. If the place to
+ copy the object code is a network server, the Corresponding Source
+ may be on a different server (operated by you or a third party)
+ that supports equivalent copying facilities, provided you maintain
+ clear directions next to the object code saying where to find the
+ Corresponding Source. Regardless of what server hosts the
+ Corresponding Source, you remain obligated to ensure that it is
+ available for as long as needed to satisfy these requirements.
+
+ e) Convey the object code using peer-to-peer transmission, provided
+ you inform other peers where the object code and Corresponding
+ Source of the work are being offered to the general public at no
+ charge under subsection 6d.
+
+ A separable portion of the object code, whose source code is excluded
+from the Corresponding Source as a System Library, need not be
+included in conveying the object code work.
+
+ A "User Product" is either (1) a "consumer product", which means any
+tangible personal property which is normally used for personal, family,
+or household purposes, or (2) anything designed or sold for incorporation
+into a dwelling. In determining whether a product is a consumer product,
+doubtful cases shall be resolved in favor of coverage. For a particular
+product received by a particular user, "normally used" refers to a
+typical or common use of that class of product, regardless of the status
+of the particular user or of the way in which the particular user
+actually uses, or expects or is expected to use, the product. A product
+is a consumer product regardless of whether the product has substantial
+commercial, industrial or non-consumer uses, unless such uses represent
+the only significant mode of use of the product.
+
+ "Installation Information" for a User Product means any methods,
+procedures, authorization keys, or other information required to install
+and execute modified versions of a covered work in that User Product from
+a modified version of its Corresponding Source. The information must
+suffice to ensure that the continued functioning of the modified object
+code is in no case prevented or interfered with solely because
+modification has been made.
+
+ If you convey an object code work under this section in, or with, or
+specifically for use in, a User Product, and the conveying occurs as
+part of a transaction in which the right of possession and use of the
+User Product is transferred to the recipient in perpetuity or for a
+fixed term (regardless of how the transaction is characterized), the
+Corresponding Source conveyed under this section must be accompanied
+by the Installation Information. But this requirement does not apply
+if neither you nor any third party retains the ability to install
+modified object code on the User Product (for example, the work has
+been installed in ROM).
+
+ The requirement to provide Installation Information does not include a
+requirement to continue to provide support service, warranty, or updates
+for a work that has been modified or installed by the recipient, or for
+the User Product in which it has been modified or installed. Access to a
+network may be denied when the modification itself materially and
+adversely affects the operation of the network or violates the rules and
+protocols for communication across the network.
+
+ Corresponding Source conveyed, and Installation Information provided,
+in accord with this section must be in a format that is publicly
+documented (and with an implementation available to the public in
+source code form), and must require no special password or key for
+unpacking, reading or copying.
+
+ 7. Additional Terms.
+
+ "Additional permissions" are terms that supplement the terms of this
+License by making exceptions from one or more of its conditions.
+Additional permissions that are applicable to the entire Program shall
+be treated as though they were included in this License, to the extent
+that they are valid under applicable law. If additional permissions
+apply only to part of the Program, that part may be used separately
+under those permissions, but the entire Program remains governed by
+this License without regard to the additional permissions.
+
+ When you convey a copy of a covered work, you may at your option
+remove any additional permissions from that copy, or from any part of
+it. (Additional permissions may be written to require their own
+removal in certain cases when you modify the work.) You may place
+additional permissions on material, added by you to a covered work,
+for which you have or can give appropriate copyright permission.
+
+ Notwithstanding any other provision of this License, for material you
+add to a covered work, you may (if authorized by the copyright holders of
+that material) supplement the terms of this License with terms:
+
+ a) Disclaiming warranty or limiting liability differently from the
+ terms of sections 15 and 16 of this License; or
+
+ b) Requiring preservation of specified reasonable legal notices or
+ author attributions in that material or in the Appropriate Legal
+ Notices displayed by works containing it; or
+
+ c) Prohibiting misrepresentation of the origin of that material, or
+ requiring that modified versions of such material be marked in
+ reasonable ways as different from the original version; or
+
+ d) Limiting the use for publicity purposes of names of licensors or
+ authors of the material; or
+
+ e) Declining to grant rights under trademark law for use of some
+ trade names, trademarks, or service marks; or
+
+ f) Requiring indemnification of licensors and authors of that
+ material by anyone who conveys the material (or modified versions of
+ it) with contractual assumptions of liability to the recipient, for
+ any liability that these contractual assumptions directly impose on
+ those licensors and authors.
+
+ All other non-permissive additional terms are considered "further
+restrictions" within the meaning of section 10. If the Program as you
+received it, or any part of it, contains a notice stating that it is
+governed by this License along with a term that is a further
+restriction, you may remove that term. If a license document contains
+a further restriction but permits relicensing or conveying under this
+License, you may add to a covered work material governed by the terms
+of that license document, provided that the further restriction does
+not survive such relicensing or conveying.
+
+ If you add terms to a covered work in accord with this section, you
+must place, in the relevant source files, a statement of the
+additional terms that apply to those files, or a notice indicating
+where to find the applicable terms.
+
+ Additional terms, permissive or non-permissive, may be stated in the
+form of a separately written license, or stated as exceptions;
+the above requirements apply either way.
+
+ 8. Termination.
+
+ You may not propagate or modify a covered work except as expressly
+provided under this License. Any attempt otherwise to propagate or
+modify it is void, and will automatically terminate your rights under
+this License (including any patent licenses granted under the third
+paragraph of section 11).
+
+ However, if you cease all violation of this License, then your
+license from a particular copyright holder is reinstated (a)
+provisionally, unless and until the copyright holder explicitly and
+finally terminates your license, and (b) permanently, if the copyright
+holder fails to notify you of the violation by some reasonable means
+prior to 60 days after the cessation.
+
+ Moreover, your license from a particular copyright holder is
+reinstated permanently if the copyright holder notifies you of the
+violation by some reasonable means, this is the first time you have
+received notice of violation of this License (for any work) from that
+copyright holder, and you cure the violation prior to 30 days after
+your receipt of the notice.
+
+ Termination of your rights under this section does not terminate the
+licenses of parties who have received copies or rights from you under
+this License. If your rights have been terminated and not permanently
+reinstated, you do not qualify to receive new licenses for the same
+material under section 10.
+
+ 9. Acceptance Not Required for Having Copies.
+
+ You are not required to accept this License in order to receive or
+run a copy of the Program. Ancillary propagation of a covered work
+occurring solely as a consequence of using peer-to-peer transmission
+to receive a copy likewise does not require acceptance. However,
+nothing other than this License grants you permission to propagate or
+modify any covered work. These actions infringe copyright if you do
+not accept this License. Therefore, by modifying or propagating a
+covered work, you indicate your acceptance of this License to do so.
+
+ 10. Automatic Licensing of Downstream Recipients.
+
+ Each time you convey a covered work, the recipient automatically
+receives a license from the original licensors, to run, modify and
+propagate that work, subject to this License. You are not responsible
+for enforcing compliance by third parties with this License.
+
+ An "entity transaction" is a transaction transferring control of an
+organization, or substantially all assets of one, or subdividing an
+organization, or merging organizations. If propagation of a covered
+work results from an entity transaction, each party to that
+transaction who receives a copy of the work also receives whatever
+licenses to the work the party's predecessor in interest had or could
+give under the previous paragraph, plus a right to possession of the
+Corresponding Source of the work from the predecessor in interest, if
+the predecessor has it or can get it with reasonable efforts.
+
+ You may not impose any further restrictions on the exercise of the
+rights granted or affirmed under this License. For example, you may
+not impose a license fee, royalty, or other charge for exercise of
+rights granted under this License, and you may not initiate litigation
+(including a cross-claim or counterclaim in a lawsuit) alleging that
+any patent claim is infringed by making, using, selling, offering for
+sale, or importing the Program or any portion of it.
+
+ 11. Patents.
+
+ A "contributor" is a copyright holder who authorizes use under this
+License of the Program or a work on which the Program is based. The
+work thus licensed is called the contributor's "contributor version".
+
+ A contributor's "essential patent claims" are all patent claims
+owned or controlled by the contributor, whether already acquired or
+hereafter acquired, that would be infringed by some manner, permitted
+by this License, of making, using, or selling its contributor version,
+but do not include claims that would be infringed only as a
+consequence of further modification of the contributor version. For
+purposes of this definition, "control" includes the right to grant
+patent sublicenses in a manner consistent with the requirements of
+this License.
+
+ Each contributor grants you a non-exclusive, worldwide, royalty-free
+patent license under the contributor's essential patent claims, to
+make, use, sell, offer for sale, import and otherwise run, modify and
+propagate the contents of its contributor version.
+
+ In the following three paragraphs, a "patent license" is any express
+agreement or commitment, however denominated, not to enforce a patent
+(such as an express permission to practice a patent or covenant not to
+sue for patent infringement). To "grant" such a patent license to a
+party means to make such an agreement or commitment not to enforce a
+patent against the party.
+
+ If you convey a covered work, knowingly relying on a patent license,
+and the Corresponding Source of the work is not available for anyone
+to copy, free of charge and under the terms of this License, through a
+publicly available network server or other readily accessible means,
+then you must either (1) cause the Corresponding Source to be so
+available, or (2) arrange to deprive yourself of the benefit of the
+patent license for this particular work, or (3) arrange, in a manner
+consistent with the requirements of this License, to extend the patent
+license to downstream recipients. "Knowingly relying" means you have
+actual knowledge that, but for the patent license, your conveying the
+covered work in a country, or your recipient's use of the covered work
+in a country, would infringe one or more identifiable patents in that
+country that you have reason to believe are valid.
+
+ If, pursuant to or in connection with a single transaction or
+arrangement, you convey, or propagate by procuring conveyance of, a
+covered work, and grant a patent license to some of the parties
+receiving the covered work authorizing them to use, propagate, modify
+or convey a specific copy of the covered work, then the patent license
+you grant is automatically extended to all recipients of the covered
+work and works based on it.
+
+ A patent license is "discriminatory" if it does not include within
+the scope of its coverage, prohibits the exercise of, or is
+conditioned on the non-exercise of one or more of the rights that are
+specifically granted under this License. You may not convey a covered
+work if you are a party to an arrangement with a third party that is
+in the business of distributing software, under which you make payment
+to the third party based on the extent of your activity of conveying
+the work, and under which the third party grants, to any of the
+parties who would receive the covered work from you, a discriminatory
+patent license (a) in connection with copies of the covered work
+conveyed by you (or copies made from those copies), or (b) primarily
+for and in connection with specific products or compilations that
+contain the covered work, unless you entered into that arrangement,
+or that patent license was granted, prior to 28 March 2007.
+
+ Nothing in this License shall be construed as excluding or limiting
+any implied license or other defenses to infringement that may
+otherwise be available to you under applicable patent law.
+
+ 12. No Surrender of Others' Freedom.
+
+ If conditions are imposed on you (whether by court order, agreement or
+otherwise) that contradict the conditions of this License, they do not
+excuse you from the conditions of this License. If you cannot convey a
+covered work so as to satisfy simultaneously your obligations under this
+License and any other pertinent obligations, then as a consequence you may
+not convey it at all. For example, if you agree to terms that obligate you
+to collect a royalty for further conveying from those to whom you convey
+the Program, the only way you could satisfy both those terms and this
+License would be to refrain entirely from conveying the Program.
+
+ 13. Use with the GNU Affero General Public License.
+
+ Notwithstanding any other provision of this License, you have
+permission to link or combine any covered work with a work licensed
+under version 3 of the GNU Affero General Public License into a single
+combined work, and to convey the resulting work. The terms of this
+License will continue to apply to the part which is the covered work,
+but the special requirements of the GNU Affero General Public License,
+section 13, concerning interaction through a network will apply to the
+combination as such.
+
+ 14. Revised Versions of this License.
+
+ The Free Software Foundation may publish revised and/or new versions of
+the GNU General Public License from time to time. Such new versions will
+be similar in spirit to the present version, but may differ in detail to
+address new problems or concerns.
+
+ Each version is given a distinguishing version number. If the
+Program specifies that a certain numbered version of the GNU General
+Public License "or any later version" applies to it, you have the
+option of following the terms and conditions either of that numbered
+version or of any later version published by the Free Software
+Foundation. If the Program does not specify a version number of the
+GNU General Public License, you may choose any version ever published
+by the Free Software Foundation.
+
+ If the Program specifies that a proxy can decide which future
+versions of the GNU General Public License can be used, that proxy's
+public statement of acceptance of a version permanently authorizes you
+to choose that version for the Program.
+
+ Later license versions may give you additional or different
+permissions. However, no additional obligations are imposed on any
+author or copyright holder as a result of your choosing to follow a
+later version.
+
+ 15. Disclaimer of Warranty.
+
+ THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY
+APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT
+HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY
+OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO,
+THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM
+IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF
+ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
+
+ 16. Limitation of Liability.
+
+ IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
+WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS
+THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY
+GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE
+USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF
+DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD
+PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS),
+EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF
+SUCH DAMAGES.
+
+ 17. Interpretation of Sections 15 and 16.
+
+ If the disclaimer of warranty and limitation of liability provided
+above cannot be given local legal effect according to their terms,
+reviewing courts shall apply local law that most closely approximates
+an absolute waiver of all civil liability in connection with the
+Program, unless a warranty or assumption of liability accompanies a
+copy of the Program in return for a fee.
+
+ END OF TERMS AND CONDITIONS
+
+ How to Apply These Terms to Your New Programs
+
+ If you develop a new program, and you want it to be of the greatest
+possible use to the public, the best way to achieve this is to make it
+free software which everyone can redistribute and change under these terms.
+
+ To do so, attach the following notices to the program. It is safest
+to attach them to the start of each source file to most effectively
+state the exclusion of warranty; and each file should have at least
+the "copyright" line and a pointer to where the full notice is found.
+
+
+ Copyright (C)
+
+ This program is free software: you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation, either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+
+Also add information on how to contact you by electronic and paper mail.
+
+ If the program does terminal interaction, make it output a short
+notice like this when it starts in an interactive mode:
+
+ Copyright (C)
+ This program comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
+ This is free software, and you are welcome to redistribute it
+ under certain conditions; type `show c' for details.
+
+The hypothetical commands `show w' and `show c' should show the appropriate
+parts of the General Public License. Of course, your program's commands
+might be different; for a GUI interface, you would use an "about box".
+
+ You should also get your employer (if you work as a programmer) or school,
+if any, to sign a "copyright disclaimer" for the program, if necessary.
+For more information on this, and how to apply and follow the GNU GPL, see
+.
+
+ The GNU General Public License does not permit incorporating your program
+into proprietary programs. If your program is a subroutine library, you
+may consider it more useful to permit linking proprietary applications with
+the library. If this is what you want to do, use the GNU Lesser General
+Public License instead of this License. But first, please read
+.
diff --git a/check_process b/check_process
index 8ccceb6..6a6bdbb 100644
--- a/check_process
+++ b/check_process
@@ -1,35 +1,22 @@
-;; Test complet sans multisite
- auto_remove=1
- ; Manifest
- domain="domain.tld" (DOMAIN)
- path="/path" (PATH)
- ip4ranges="10.0.0.8/24"
- dynamic_ip=0
- ; Checks
- pkg_linter=1
- setup_sub_dir=1
- setup_root=1
- setup_nourl=0
- setup_private=1
- setup_public=0
- upgrade=1
- backup_restore=1
- multi_instance=0
- wrong_user=0
- wrong_path=1
- incorrect_path=1
- corrupt_source=0
- fail_download_source=0
- port_already_use=0
- final_path_already_use=0
+;; Test complet
+ ; Manifest
+ domain="domain.tld" (DOMAIN)
+ path="/path" (PATH)
+ ip4ranges="10.0.0.8/24"
+ ; Checks
+ pkg_linter=1
+ setup_sub_dir=1
+ setup_root=1
+ setup_nourl=0
+ setup_private=1
+ setup_public=0
+ upgrade=1
+ backup_restore=1
+ multi_instance=0
+ wrong_user=0
+ port_already_use=0
;;; Levels
- Level 1=auto
- Level 2=auto
- Level 3=auto
- Level 4=0
- Level 5=auto
- Level 6=auto
- Level 7=auto
- Level 8=0
- Level 9=0
- Level 10=0
+ Level 5=auto
+;;; Options
+Email=
+Notification=none
diff --git a/conf/config-cli.ovpn.j2 b/conf/config-cli.ovpn
similarity index 89%
rename from conf/config-cli.ovpn.j2
rename to conf/config-cli.ovpn
index b69ef98..2402cc8 100644
--- a/conf/config-cli.ovpn.j2
+++ b/conf/config-cli.ovpn
@@ -7,7 +7,7 @@ persist-key
persist-tun
comp-lzo
verb 3
-remote {{ domain }} {{ port }}
+remote __DOMAIN__ __PORT__
route-delay
reneg-sec 0
tls-version-min 1.2
@@ -18,11 +18,11 @@ redirect-gateway
script-security 2
--auth-user-pass
-{{ ca_yunohost }}
+__CA_YUNOHOST__
#user openvpn
#group openvpn
key-direction 1
-{{ ta_key }}
+__TA_KEY__
diff --git a/conf/config.ovpn.j2 b/conf/config.ovpn
similarity index 90%
rename from conf/config.ovpn.j2
rename to conf/config.ovpn
index 94e1a17..ec5e690 100644
--- a/conf/config.ovpn.j2
+++ b/conf/config.ovpn
@@ -10,7 +10,7 @@ tls-version-min 1.2
cipher AES-256-CBC
auth SHA512
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-256-CBC-SHA:TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA:TLS-DHE-RSA-WITH-AES-128-CBC-SHA:TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA
-remote {{ domain }} {{ port }}
+remote __DOMAIN__ __PORT__
route-delay
reneg-sec 0
redirect-gateway
@@ -22,9 +22,9 @@ verb 3
#user openvpn
#group openvpn
-{{ ca_yunohost }}
+__CA_YUNOHOST__
key-direction 1
-{{ ta_key }}
+__TA_KEY__
diff --git a/conf/fail2ban-filter.conf b/conf/f2b_filter.conf
similarity index 100%
rename from conf/fail2ban-filter.conf
rename to conf/f2b_filter.conf
diff --git a/conf/f2b_jail.conf b/conf/f2b_jail.conf
new file mode 100644
index 0000000..e975754
--- /dev/null
+++ b/conf/f2b_jail.conf
@@ -0,0 +1,6 @@
+[__APP__]
+enabled = true
+protocol = udp
+port = __PORT__
+filter = __APP__
+logpath = /var/log/__APP__/server.log
diff --git a/conf/fail2ban-jail.conf.j2 b/conf/fail2ban-jail.conf.j2
deleted file mode 100644
index e57e3c3..0000000
--- a/conf/fail2ban-jail.conf.j2
+++ /dev/null
@@ -1,6 +0,0 @@
-[{{ app }}]
-enabled = true
-protocol = udp
-port = {{ port }}
-filter = {{ app }}
-logpath = /var/log/{{ app }}/server.log
diff --git a/conf/nginx.conf b/conf/nginx.conf
new file mode 100644
index 0000000..e23f49e
--- /dev/null
+++ b/conf/nginx.conf
@@ -0,0 +1,29 @@
+#sub_path_only rewrite ^__PATH__$ __PATH__/ permanent;
+location __PATH__/ {
+
+ # Path to source
+ alias __FINALPATH__/ ;
+
+ # Force usage of https
+ if ($scheme = http) {
+ rewrite ^ https://$server_name$request_uri? permanent;
+ }
+
+ index index.php;
+
+ try_files $uri $uri/ index.php;
+ location ~ [^/]\.php(/|$) {
+ fastcgi_split_path_info ^(.+?\.php)(/.*)$;
+ fastcgi_pass unix:/var/run/php/php7.0-fpm-__NAME__.sock;
+
+ fastcgi_index index.php;
+ include fastcgi_params;
+ fastcgi_param HTTPS on;
+ fastcgi_param REMOTE_USER $remote_user;
+ fastcgi_param PATH_INFO $fastcgi_path_info;
+ fastcgi_param SCRIPT_FILENAME $request_filename;
+ }
+
+ # Include SSOWAT user panel.
+ include conf.d/yunohost_panel.conf.inc;
+}
diff --git a/conf/nginx.conf.j2 b/conf/nginx.conf.j2
deleted file mode 100644
index e8beeb9..0000000
--- a/conf/nginx.conf.j2
+++ /dev/null
@@ -1,19 +0,0 @@
-location {{ path }} {
- alias {{ local_path }}/;
- if ($scheme = http) {
- rewrite ^ https://$server_name$request_uri? permanent;
- }
- index index.php;
- try_files $uri $uri/ index.php;
- location ~ [^/]\.php(/|$) {
- fastcgi_split_path_info ^(.+?\.php)(/.*)$;
- fastcgi_pass unix:/var/run/php5-fpm-{{ app }}.sock;
- fastcgi_index index.php;
- include fastcgi_params;
- fastcgi_param HTTPS on;
- fastcgi_param REMOTE_USER $remote_user;
- fastcgi_param PATH_INFO $fastcgi_path_info;
- fastcgi_param SCRIPT_FILENAME $request_filename;
- }
- include conf.d/yunohost_panel.conf.inc;
-}
diff --git a/conf/php-fpm.conf.j2 b/conf/php-fpm.conf
similarity index 86%
rename from conf/php-fpm.conf.j2
rename to conf/php-fpm.conf
index 33d5453..2b5d7b2 100644
--- a/conf/php-fpm.conf.j2
+++ b/conf/php-fpm.conf
@@ -1,10 +1,11 @@
; Start a new pool named 'www'.
-; the variable $pool can we used in any directive and will be replaced by the
+; the variable $pool can be used in any directive and will be replaced by the
; pool name ('www' here)
-[{{ app }}]
+[__NAMETOCHANGE__]
; Per pool prefix
; It only applies on the following directives:
+; - 'access.log'
; - 'slowlog'
; - 'listen' (unixsocket)
; - 'chroot'
@@ -19,33 +20,40 @@
; Unix user/group of processes
; Note: The user is mandatory. If the group is not set, the default user's group
; will be used.
-user = {{ webuser }}
-group = {{ webuser }}
+user = __USER__
+group = __USER__
; The address on which to accept FastCGI requests.
; Valid syntaxes are:
-; 'ip.add.re.ss:port' - to listen on a TCP socket to a specific address on
+; 'ip.add.re.ss:port' - to listen on a TCP socket to a specific IPv4 address on
; a specific port;
-; 'port' - to listen on a TCP socket to all addresses on a
-; specific port;
+; '[ip:6:addr:ess]:port' - to listen on a TCP socket to a specific IPv6 address on
+; a specific port;
+; 'port' - to listen on a TCP socket to all addresses
+; (IPv6 and IPv4-mapped) on a specific port;
; '/path/to/unix/socket' - to listen on a unix socket.
; Note: This value is mandatory.
-listen = /var/run/php5-fpm-{{ app }}.sock
+listen = /var/run/php/php7.0-fpm-__NAMETOCHANGE__.sock
; Set listen(2) backlog.
-; Default Value: 128 (-1 on FreeBSD and OpenBSD)
-;listen.backlog = 128
+; Default Value: 511 (-1 on FreeBSD and OpenBSD)
+;listen.backlog = 511
; Set permissions for unix socket, if one is used. In Linux, read/write
; permissions must be set in order to allow connections from a web server. Many
-; BSD-derived systems allow connections regardless of permissions.
+; BSD-derived systems allow connections regardless of permissions.
; Default Values: user and group are set as the running user
; mode is set to 0660
listen.owner = www-data
listen.group = www-data
;listen.mode = 0660
-
-; List of ipv4 addresses of FastCGI clients which are allowed to connect.
+; When POSIX Access Control Lists are supported you can set them using
+; these options, value is a comma separated list of user/group names.
+; When set, listen.owner and listen.group are ignored
+;listen.acl_users =
+;listen.acl_groups =
+
+; List of addresses (IPv4/IPv6) of FastCGI clients which are allowed to connect.
; Equivalent to the FCGI_WEB_SERVER_ADDRS environment variable in the original
; PHP FCGI (5.2.2+). Makes sense only with a tcp listening socket. Each address
; must be separated by a comma. If this value is left blank, connections will be
@@ -59,7 +67,13 @@ listen.group = www-data
; - The pool processes will inherit the master process priority
; unless it specified otherwise
; Default Value: no set
-; priority = -19
+; process.priority = -19
+
+; Set the process dumpable flag (PR_SET_DUMPABLE prctl) even if the process user
+; or group is differrent than the master process user. It allows to create process
+; core dump and ptrace the process for the pool user.
+; Default Value: no
+; process.dumpable = yes
; Choose how the process manager will control the number of child processes.
; Possible Values:
@@ -96,7 +110,7 @@ pm = dynamic
; forget to tweak pm.* to fit your needs.
; Note: Used when pm is set to 'static', 'dynamic' or 'ondemand'
; Note: This value is mandatory.
-pm.max_children = 10
+pm.max_children = 5
; The number of child processes created on startup.
; Note: Used only when pm is set to 'dynamic'
@@ -117,12 +131,12 @@ pm.max_spare_servers = 3
; Note: Used only when pm is set to 'ondemand'
; Default Value: 10s
;pm.process_idle_timeout = 10s;
-
+
; The number of requests each child process should execute before respawning.
; This can be useful to work around memory leaks in 3rd party libraries. For
; endless request processing specify '0'. Equivalent to PHP_FCGI_MAX_REQUESTS.
; Default Value: 0
-pm.max_requests = 500
+;pm.max_requests = 500
; The URI to view the FPM status page. If this value is not set, no URI will be
; recognized as a status page. It shows the following informations:
@@ -170,7 +184,7 @@ pm.max_requests = 500
;
; By default the status page only outputs short status. Passing 'full' in the
; query string will also return status for each pool process.
-; Example:
+; Example:
; http://www.foo.bar/status?full
; http://www.foo.bar/status?json&full
; http://www.foo.bar/status?html&full
@@ -215,14 +229,14 @@ pm.max_requests = 500
; last request memory: 0
;
; Note: There is a real-time FPM status monitoring sample web page available
-; It's available in: ${prefix}/share/fpm/status.html
+; It's available in: /usr/share/php/7.0/fpm/status.html
;
; Note: The value must start with a leading slash (/). The value can be
; anything, but it may not be a good idea to use the .php extension or it
; may conflict with a real PHP file.
-; Default Value: not set
+; Default Value: not set
;pm.status_path = /status
-
+
; The ping URI to call the monitoring page of FPM. If this value is not set, no
; URI will be recognized as a ping page. This could be used to test from outside
; that FPM is alive and responding, or to
@@ -275,7 +289,7 @@ pm.max_requests = 500
; - %{megabytes}M
; - %{mega}M
; %n: pool name
-; %o: ouput header
+; %o: output header
; it must be associated with embraces to specify the name of the header:
; - %{Content-Type}o
; - %{X-Powered-By}o
@@ -283,7 +297,7 @@ pm.max_requests = 500
; - ....
; %p: PID of the child that serviced the request
; %P: PID of the parent of the child that serviced the request
-; %q: the query string
+; %q: the query string
; %Q: the '?' character if query string exists
; %r: the request URI (without the query string, see %q and %Q)
; %R: remote IP address
@@ -291,72 +305,85 @@ pm.max_requests = 500
; %t: server time the request was received
; it can accept a strftime(3) format:
; %d/%b/%Y:%H:%M:%S %z (default)
+; The strftime(3) format must be encapsuled in a %{}t tag
+; e.g. for a ISO8601 formatted timestring, use: %{%Y-%m-%dT%H:%M:%S%z}t
; %T: time the log has been written (the request has finished)
; it can accept a strftime(3) format:
; %d/%b/%Y:%H:%M:%S %z (default)
+; The strftime(3) format must be encapsuled in a %{}t tag
+; e.g. for a ISO8601 formatted timestring, use: %{%Y-%m-%dT%H:%M:%S%z}t
; %u: remote user
;
; Default: "%R - %u %t \"%m %r\" %s"
;access.format = "%R - %u %t \"%m %r%Q%q\" %s %f %{mili}d %{kilo}M %C%%"
-
+
; The log file for slow requests
; Default Value: not set
; Note: slowlog is mandatory if request_slowlog_timeout is set
-slowlog = /var/log/nginx/{{ app }}.slow.log
-
+;slowlog = log/$pool.log.slow
+
; The timeout for serving a single request after which a PHP backtrace will be
; dumped to the 'slowlog' file. A value of '0s' means 'off'.
; Available units: s(econds)(default), m(inutes), h(ours), or d(ays)
; Default Value: 0
-request_slowlog_timeout = 5s
-
+;request_slowlog_timeout = 0
+
; The timeout for serving a single request after which the worker process will
; be killed. This option should be used when the 'max_execution_time' ini option
; does not stop script execution for some reason. A value of '0' means 'off'.
; Available units: s(econds)(default), m(inutes), h(ours), or d(ays)
; Default Value: 0
request_terminate_timeout = 1d
-
+
; Set open file descriptor rlimit.
; Default Value: system defined value
;rlimit_files = 1024
-
+
; Set max core size rlimit.
; Possible Values: 'unlimited' or an integer greater or equal to 0
; Default Value: system defined value
;rlimit_core = 0
-
+
; Chroot to this directory at the start. This value must be defined as an
; absolute path. When this value is not set, chroot is not used.
; Note: you can prefix with '$prefix' to chroot to the pool prefix or one
; of its subdirectories. If the pool prefix is not set, the global prefix
; will be used instead.
-; Note: chrooting is a great security feature and should be used whenever
+; Note: chrooting is a great security feature and should be used whenever
; possible. However, all PHP paths will be relative to the chroot
; (error_log, sessions.save_path, ...).
; Default Value: not set
-;chroot =
-
+;chroot =
+
; Chdir to this directory at the start.
; Note: relative path can be used.
; Default Value: current directory or / when chroot
-chdir = {{ local_path }}
-
+chdir = __FINALPATH__
+
; Redirect worker stdout and stderr into main error log. If not set, stdout and
; stderr will be redirected to /dev/null according to FastCGI specs.
; Note: on highloaded environement, this can cause some delay in the page
; process time (several ms).
; Default Value: no
-catch_workers_output = yes
+;catch_workers_output = yes
+
+; Clear environment in FPM workers
+; Prevents arbitrary environment variables from reaching FPM worker processes
+; by clearing the environment in workers before env vars specified in this
+; pool configuration are added.
+; Setting to "no" will make all environment variables available to PHP code
+; via getenv(), $_ENV and $_SERVER.
+; Default Value: yes
+;clear_env = no
; Limits the extensions of the main script FPM will allow to parse. This can
; prevent configuration mistakes on the web server side. You should only limit
; FPM to .php extensions to prevent malicious users to use other extensions to
-; exectute php code.
+; execute php code.
; Note: set an empty value to allow all extensions.
; Default Value: .php
-;security.limit_extensions = .php .php3 .php4 .php5
-
+;security.limit_extensions = .php .php3 .php4 .php5 .php7
+
; Pass environment variables like LD_LIBRARY_PATH. All $VARIABLEs are taken from
; the current environment.
; Default Value: clean env
@@ -370,7 +397,7 @@ catch_workers_output = yes
; overwrite the values previously defined in the php.ini. The directives are the
; same as the PHP SAPI:
; php_value/php_flag - you can set classic ini defines which can
-; be overwritten from PHP call 'ini_set'.
+; be overwritten from PHP call 'ini_set'.
; php_admin_value/php_admin_flag - these directives won't be overwritten by
; PHP call 'ini_set'
; For php_*flag, valid values are on, off, 1, 0, true, false, yes or no.
@@ -391,3 +418,16 @@ catch_workers_output = yes
;php_admin_flag[log_errors] = on
;php_admin_value[memory_limit] = 32M
+; Common values to change to increase file upload limit
+; php_admin_value[upload_max_filesize] = 50M
+; php_admin_value[post_max_size] = 50M
+; php_admin_flag[mail.add_x_header] = Off
+
+; Other common parameters
+; php_admin_value[max_execution_time] = 600
+; php_admin_value[max_input_time] = 300
+; php_admin_value[memory_limit] = 256M
+; php_admin_flag[short_open_tag] = On
+
+php_admin_value[upload_max_filesize] = 30M
+php_admin_value[post_max_size] = 30M
diff --git a/conf/php-fpm.ini b/conf/php-fpm.ini
deleted file mode 100644
index a4538e8..0000000
--- a/conf/php-fpm.ini
+++ /dev/null
@@ -1,3 +0,0 @@
-upload_max_filesize=30M
-post_max_size=30M
-; max_execution_time=60
diff --git a/conf/yunohost.conf.j2 b/conf/yunohost.conf
similarity index 90%
rename from conf/yunohost.conf.j2
rename to conf/yunohost.conf
index d523a90..2f2ad70 100644
--- a/conf/yunohost.conf.j2
+++ b/conf/yunohost.conf
@@ -11,8 +11,8 @@ persist-tun
# SERVER
mode server
-{% if dedicated_ip!="" %}local {{ dedicated_ip }}{% endif %}
-port {{ port }}
+# local __DEDICATED_IP__
+port __PORT__
dev tun
max-clients 30
@@ -20,10 +20,10 @@ max-clients 30
# TLS
tls-server
-ca /etc/yunohost/certs/{{ domain }}/ca.pem
-cert /etc/yunohost/certs/{{ domain }}/crt.pem
-key /etc/yunohost/certs/{{ domain }}/key.pem
-dh /etc/yunohost/certs/{{ domain }}/dh.pem
+ca /etc/yunohost/certs/__DOMAIN__/ca.pem
+cert /etc/yunohost/certs/__DOMAIN__/crt.pem
+key /etc/yunohost/certs/__DOMAIN__/key.pem
+dh /etc/yunohost/certs/__DOMAIN__/dh.pem
; When a client connects, check its certificate hasn't been revoked.
; Must be accessible without root privileges
crl-verify /etc/openvpn/crl.pem
diff --git a/manifest.json b/manifest.json
index c1f09c1..9eb93e1 100644
--- a/manifest.json
+++ b/manifest.json
@@ -1,30 +1,27 @@
{
- "name": "OpenVPN",
- "id": "openvpn",
- "packaging_format": 1,
- "version": "2.3.4-3",
- "description": {
- "en": "Your Secure and Private Tunnel to the Internet",
- "fr": "Votre tunnel privé et sécurisé vers Internet"
- },
- "requirements": {
- "yunohost": ">= 2.4"
- },
- "license": "GPL-2.0",
- "url": "http://openvpn.net",
- "maintainer": {
- "name": "sebian",
- "email": "seb@fooboozoo.fr",
- "url": "https://github.com/YunoHost-Apps/openvpn_ynh"
- },
- "multi_instance": false,
- "services": [
- "nginx",
- "php5-fpm",
- "slapd",
- "openvpn"
- ],
- "arguments": {
+ "name": "OpenVPN",
+ "id": "openvpn",
+ "packaging_format": 1,
+ "description": {
+ "en": "Your Secure and Private Tunnel to the Internet",
+ "fr": "Votre tunnel privé et sécurisé vers Internet"
+ },
+ "version": "2.3.4-3",
+ "url": "http://openvpn.net",
+ "license": "GPL-2.0",
+ "maintainer": {
+ "name": "No maintainer"
+ },
+ "requirements": {
+ "yunohost": ">= 3.5"
+ },
+ "multi_instance": false,
+ "services": [
+ "nginx",
+ "php7.0-fpm",
+ "openvpn"
+ ],
+ "arguments": {
"install" : [
{
"name": "domain",
diff --git a/scripts/_common.sh b/scripts/_common.sh
index a9f1267..131c2f2 100644
--- a/scripts/_common.sh
+++ b/scripts/_common.sh
@@ -1,642 +1,8 @@
#!/bin/bash
-# App package root directory should be the parent folder
-PKG_DIR=$(cd ../; pwd)
-
-
-
-
-#============================================================
-# Specific to openvpn
-#============================================================
-
-check_iptables () {
- # Check if iptables is working
- if ! sudo iptables -L > /dev/null 2>&1; then
- err "iptables is not available in your environment, aborting..."
- exit 1
- fi
-}
-
-check_tun_available () {
- # Ensure tun device is available
- #if [[ ! -c /dev/net/tun ]]; then
- # err "OpenVPN requires tun support, aborting..."
- # exit 1
- #fi
- return 0
-}
-
-check_ip4 () {
- _255='(25[0-5]|2[0-4][0-9]|1?[0-9][0-9]?)'
- regex=(${_255}\.){3}${_255}
- if [[ $1 =~ ^${regex}$ ]]; then
- return 0
- else
- err "Bad Ipv4 format, aborting..."
- exit 1
- fi
- exit 1
-}
-
-check_ip4ranges () {
- _255='(25[0-5]|2[0-4][0-9]|1?[0-9][0-9]?)'
- ip4regex=(${_255}\.){3}${_255}
- rangeip4regex="${ip4regex}(/(3[0-2]|[1-2][0-9]|[1-9]))?"
- regex="${rangeip4regex}([[:space:]]+${rangeip4regex})*"
- if [[ $1 =~ ^${regex}$ ]]; then
- return 0
- else
- err "Bad Ipv4 ranges format, aborting..."
- exit 1
- fi
- exit 1
-}
-
-
-configure_firewall () {
- ip4ranges=$(ynh_app_setting_get $app ip4ranges | tr " " "\n")
- iface=$(ynh_app_setting_get $app iface)
- sudo iptables -t filter -$1 FORWARD -i "${iface}" -o tun0 -m state --state ESTABLISHED,RELATED -j ACCEPT
- for ip4range in $ip4ranges
- do
- if [[ "$1" = "A" ]];then
- if ! (sudo /sbin/iptables -L -t nat | grep $ip4range | grep MASQUERADE > /dev/null 2>&1); then
- sudo iptables -t nat -$1 POSTROUTING -s $ip4range -o "${iface}" -j MASQUERADE
- sudo iptables -t filter -$1 FORWARD -s $ip4range -o "${iface}" -j ACCEPT
- fi
- elif [[ "$1" = "D" ]]; then
- if (sudo /sbin/iptables -L -t nat | grep $ip4range | grep MASQUERADE > /dev/null 2>&1); then
- sudo iptables -t nat -$1 POSTROUTING -s $ip4range -o "${iface}" -j MASQUERADE
- sudo iptables -t filter -$1 FORWARD -s $ip4range -o "${iface}" -j ACCEPT
- fi
- fi
- done
-}
-
-add_firewall_rules () {
- configure_firewall A
-}
-
-rm_firewall_rules () {
- configure_firewall D
-}
-
-deduce_gateway () {
-
- first_ip4_range=$(echo $ip4ranges | cut -f1 -d" ")
- first_ip=$(netmask -r $first_ip4_range | cut -f1 -d"-" )
- first_ip=$( netmask -x $first_ip )
- first_ip=$(( $first_ip + 1 ))
- export first_ip4=$( netmask $first_ip )
- export last_ip4=$(netmask -r $first_ip4_range | cut -f2 -d"-" )
- first_ip4_range=$(netmask -s $first_ip4_range)
- export gateway_ip4=$(echo $first_ip4_range | cut -f1 -d"/")
- export gateway_mask=$(echo $first_ip4_range | cut -f2 -d"/")
-}
-
-install_files () {
- # Make directories and set rights
- sudo mkdir -p /etc/openvpn/auth \
- /etc/openvpn/users \
- "${local_path}" \
- /var/log/openvpn
- sudo touch /var/log/openvpn/status.log
- sudo touch /var/log/openvpn/server.log
- sudo touch /etc/openvpn/users_settings.csv
-
- # Copy web files
- sudo cp -a ../sources/. $local_path
-
- # Configurations
- set +x
- export ca_yunohost=$(sudo cat /etc/ssl/certs/ca-yunohost_crt.pem)
- export ta_key=$(sudo cat /etc/openvpn/ta.key)
- set -x
- ynh_configure yunohost.conf "/etc/openvpn/yunohost.conf"
- ynh_configure config.ovpn "${local_path}/${domain}.conf"
- ynh_configure config-cli.ovpn "${local_path}/${domain}.ovpn"
- ynh_configure fail2ban-jail.conf "/etc/fail2ban/jail.d/${app}.conf"
- sudo cp ../conf/ldap.conf /etc/openvpn/auth/
- sudo ln -s /etc/ssl/certs/ca-yunohost_crt.pem "${local_path}/ca.crt"
- sudo cp ../conf/fail2ban-filter.conf /etc/fail2ban/filter.d/$app.conf
- sudo cp ../conf/logrotate.conf /etc/logrotate.d/$app.conf
- sudo cp ../conf/handler.sh /etc/openvpn/handler.sh
- sudo cp ../conf/sudoers /etc/sudoers.d/openvpn
- sudo touch /etc/openvpn/crl.pem
- echo "$ip4ranges" | sudo tee /etc/openvpn/ip4ranges
-
- # IP forwarding
- sudo cp ../conf/sysctl /etc/sysctl.d/openvpn.conf
-
-}
-
-setup_and_restart () {
- # Find gateway ip and mask and save it
- deduce_gateway
- ynh_save_args gateway_ip4 gateway_mask
-
- # Open port in firewall
- if [ -z $dedicated_ip ]; then
- sudo yunohost firewall allow Both $port > /dev/null 2>&1
- fi
-
- # Create user
- ynh_system_user_create "$user" "/etc/openvpn/"
- ynh_system_user_create "$webuser" "$local_path"
-
- # Copy files
- install_files
- sudo sysctl -p /etc/sysctl.d/openvpn.conf
-
- # Permissions
- ynh_set_default_perm "${local_path}" $webuser
- sudo chown -R $webuser:www-data "${local_path}"
- sudo chmod 640 "${local_path}/${domain}.conf"
- sudo chmod 640 "${local_path}/${domain}.ovpn"
- sudo chown -R $user: /var/log/openvpn
- sudo chown -R $user: /etc/openvpn
- sudo chmod 640 /etc/openvpn/users_settings.csv
- sudo chmod u+x /etc/openvpn/handler.sh
- # Add OpenVPN to YunoHost's monitored services
- sudo yunohost service add openvpn --log /var/log/openvpn/status.log
-
- # Ensure that tun device is still available, otherwise try to create it manually
- if [[ ! -c /dev/net/tun ]]; then
- sudo mkdir -p /dev/net
- sudo mknod /dev/net/tun c 10 200
- sudo chmod 666 /dev/net/tun
- fi
-
- # Add masquerade rules
- add_firewall_rules
-
- # Let's go !
- sudo yunohost service enable openvpn
- sudo yunohost service start openvpn
-
- ynh_configure_php_fpm
- ynh_configure_nginx
-}
-
-
-
-#============================================================
-# Common helpers
-#============================================================
-
-ynh_check_var () {
- test -n "$1" || ynh_die "$2"
-}
-
-ynh_exit_properly () {
- exit_code=$?
- if [ "$exit_code" -eq 0 ]; then
- exit 0
- fi
- trap '' EXIT
- set +eu
- echo -e "\e[91m \e[1m"
- err "$app script has encountered an error."
-
- if type -t CLEAN_SETUP > /dev/null; then
- CLEAN_SETUP
- fi
-
- ynh_die
-}
-
-# Activate signal capture
-# Exit if a command fail, and if a variable is used unset.
-# Capturing exit signals on shell script
-#
-# example: CLEAN_SETUP () {
-# # Clean residual file un remove by remove script
-# }
-# ynh_trap_on
-ynh_trap_on () {
- set -eu
- trap ynh_exit_properly EXIT # Capturing exit signals on shell script
-}
-
-ynh_export () {
- local ynh_arg=""
- for var in $@;
- do
- ynh_arg=$(echo $var | awk '{print toupper($0)}')
- ynh_arg="YNH_APP_ARG_$ynh_arg"
- export $var=${!ynh_arg}
- done
-}
-
-# Check availability of a web path
-#
-# example: ynh_path_validity $domain$path
-#
-# usage: ynh_path_validity $domain_and_path
-# | arg: domain_and_path - complete path to check
-ynh_path_validity () {
- sudo yunohost app checkurl $1 -a $app
-}
-
-# Normalize the url path syntax
-# Handle the slash at the beginning of path and its absence at ending
-# Return a normalized url path
-#
-# example: url_path=$(ynh_normalize_url_path $url_path)
-# ynh_normalize_url_path example -> /example
-# ynh_normalize_url_path /example -> /example
-# ynh_normalize_url_path /example/ -> /example
-#
-# usage: ynh_normalize_url_path path_to_normalize
-# | arg: url_path_to_normalize - URL path to normalize before using it
-ynh_normalize_url_path () {
- path=$1
- test -n "$path" || ynh_die "ynh_normalize_url_path expect a URL path as first argument and received nothing."
- if [ "${path:0:1}" != "/" ]; then # If the first character is not a /
- path="/$path" # Add / at begin of path variable
- fi
- if [ "${path:${#path}-1}" == "/" ] && [ ${#path} -gt 1 ]; then # If the last character is a / and that not the only character.
- path="${path:0:${#path}-1}" # Delete the last character
- fi
- echo $path
-}
-
-# Check the path doesn't exist
-# usage: ynh_local_path_available PATH
-ynh_local_path_available () {
- if [ -e "$1" ]
- then
- ynh_die "This path '$1' already contains a folder"
- fi
-}
-
-# Save listed var in YunoHost app settings
-# usage: ynh_save_args VARNAME1 [VARNAME2 [...]]
-ynh_save_args () {
- for var in $@;
- do
- ynh_app_setting_set $app $var "${!var}"
- done
-}
-
-# Create a database, an user and its password. Then store the password in the app's config
-#
-# User of database will be store in db_user's variable.
-# Name of database will be store in db_name's variable.
-# And password in db_pwd's variable.
-#
-# usage: ynh_mysql_generate_db user name
-# | arg: user - Proprietary of the database
-# | arg: name - Name of the database
-ynh_mysql_generate_db () {
- export db_user=${1//[-.]/_} # Mariadb doesn't support - and . in the name of databases. It will be replace by _
- export db_name=${2//[-.]/_}
-
- export db_pwd=$(ynh_string_random) # Generate a random password
- ynh_check_var "$db_pwd" "db_pwd empty"
-
- ynh_mysql_create_db "$db_name" "$db_user" "$db_pwd" # Create the database
-
- ynh_app_setting_set $app mysqlpwd $db_pwd # Store the password in the app's config
-}
-
-# Execute a command as another user
-# usage: ynh_exec_as USER COMMAND [ARG ...]
-ynh_exec_as() {
- local USER=$1
- shift 1
-
- if [[ $USER = $(whoami) ]]; then
- eval "$@"
- else
- # use sudo twice to be root and be allowed to use another user
- sudo sudo -u "$USER" "$@"
- fi
-}
-
-# Get sources, setup it into dest directory and deploy patches
-# Try to find locally the sources and download it if missing.
-# Check the integrity with an hash program (default: sha256sum)
-# Source hash and location are get from a "SOURCE_ID.src" file,
-# by default the SOURCE_ID is "app".
-# Patches should be located in a "patches" dir, they should be
-# named like "SOURCE_ID-*.patch".
-#
-# example: ynh_setup_source "/var/www/limesurvey/" "limesurvey"
-#
-# usage: ynh_setup_source DEST_DIR [USER [SOURCE_ID]]
-
-ynh_setup_source () {
- local DEST=$1
- local AS_USER=${2:-admin}
- local SOURCE_ID=${3:-app}
- local SOURCE_FILE="$YNH_APP_ID.tar.gz"
- local SUM_PRG="sha256sum"
- source ../$SOURCE_ID.src
- local LOCAL_SOURCE="/opt/yunohost-apps-src/$YNH_APP_ID/$SOURCE_FILE"
-
- if test -e $LOCAL_SOURCE; then
- cp $LOCAL_SOURCE $SOURCE_FILE
- else
- wget -nv $SOURCE_URL -O $SOURCE_FILE
- fi
- echo "$SOURCE_SUM $SOURCE_FILE" |$SUM_PRG -c --status \
- || ynh_die "Corrupt source"
-
- sudo mkdir -p "$DEST"
- sudo chown $AS_USER: "$DEST"
- if [ "$(echo ${SOURCE_FILE##*.})" == "gz" ]; then
- ynh_exec_as "$AS_USER" tar xf $SOURCE_FILE -C "$DEST" --strip-components 1
- elif [ "$(echo ${SOURCE_FILE##*.})" == "bz2" ]; then
- ynh_exec_as "$AS_USER" tar xjf $SOURCE_FILE -C "$DEST" --strip-components 1
- elif [ "$(echo ${SOURCE_FILE##*.})" == "zip" ]; then
- mkdir -p "/tmp/$SOURCE_FILE"
- ynh_exec_as "$AS_USER" unzip -q $SOURCE_FILE -d "/tmp/$SOURCE_FILE"
- ynh_exec_as "$AS_USER" mv "/tmp/$SOURCE_FILE"/./. "$DEST"
- rmdir "$/tmp/$SOURCE_FILE"
- else
- false
- fi
-
- # Apply patches
- if [ -f ${PKG_DIR}/patches/$SOURCE_ID-*.patch ]; then
- (cd "$DEST" \
- && for p in ${PKG_DIR}/patches/$SOURCE_ID-*.patch; do \
- ynh_exec_as "$AS_USER" patch -p1 < $p; done) \
- || ynh_die "Unable to apply patches"
-
- fi
-
- # Apply persistent modules (upgrade only)
- ynh_restore_persistent modules
-
- # Apply persistent data (upgrade only)
- ynh_restore_persistent data
-
-}
-
-# TODO support SOURCE_ID
-ynh_save_persistent () {
- local TYPE=$1
- local DIR=/tmp/ynh-persistent/$TYPE/$app/app
- sudo mkdir -p $DIR
- sudo touch $DIR/dir_names
- shift
- i=1
- for PERSISTENT_DIR in $@;
- do
- if [ -e $local_path/$PERSISTENT_DIR ]; then
- sudo mv $local_path/$PERSISTENT_DIR $DIR/$i
- sudo su -c "echo -n '$PERSISTENT_DIR ' >> $DIR/dir_names"
- ((i++))
- fi
- done
-}
-
-# TODO support SOURCE_ID
-ynh_restore_persistent () {
- local TYPE=$1
- local DIR=/tmp/ynh-persistent/$TYPE/$app/app
- shift
- if [ -d $DIR ]; then
- i=1
- for PERSISTENT_DIR in $(cat $DIR/dir_names);
- do
- if [ "$TYPE" = "modules" ]; then
- for updated_subdir in $(ls $local_path/$PERSISTENT_DIR);
- do
- sudo rm -Rf $DIR/$i/$updated_subdir
- done
- fi
- if [ -d $DIR/$i ]; then
- sudo mv $DIR/$i/* $local_path/$PERSISTENT_DIR/ 2> /dev/null || true
- else
- sudo mv $DIR/$i $local_path/$PERSISTENT_DIR 2> /dev/null || true
- fi
- ((i++))
- done
- sudo rm -Rf $DIR
- fi
-
-}
-ynh_mv_to_home () {
- local APP_PATH="/home/yunohost.app/$app/"
- local DATA_PATH="$1"
- sudo mkdir -p "$APP_PATH"
- sudo chown $app: "$APP_PATH"
- ynh_exec_as "$app" mv "$DATA_PATH" "$APP_PATH"
- ynh_exec_as "$app" ln -s "$APP_PATH$DATA_PATH" "$DATA_PATH"
-
-}
-
-ynh_set_default_perm () {
- local DIRECTORY=$1
- local USER=$2
- # Set permissions
- sudo chown -R $USER:$USER $DIRECTORY
- sudo chmod -R 664 $DIRECTORY
- sudo find $DIRECTORY -type d -print0 | xargs -0 sudo chmod 775 \
- || echo "No file to modify"
-
-}
-ynh_sso_access () {
- ynh_app_setting_set $app unprotected_uris "/"
-
- if [[ $is_public -eq 0 ]]; then
- ynh_app_setting_set $app protected_uris "$1"
- fi
- sudo yunohost app ssowatconf
-}
-
-ynh_exit_if_up_to_date () {
- if [ "${version}" = "${last_version}" ]; then
- info "Up-to-date, nothing to do"
- exit 0
- fi
-}
-
-log() {
- echo "${1}"
-}
-
-info() {
- log "[INFO] ${1}"
-}
-
-warn() {
- log "[WARN] ${1}"
-}
-
-err() {
- log "[ERR] ${1}"
-}
-
-to_logs() {
-
- # When yunohost --verbose or bash -x
- if $_ISVERBOSE; then
- cat
- else
- cat > /dev/null
- fi
-}
-
-ynh_read_json () {
- sudo python3 -c "import sys, json;print(json.load(open('$1'))['$2'])"
-}
-
-ynh_read_manifest () {
- if [ -f '../manifest.json' ] ; then
- ynh_read_json '../manifest.json' "$1"
- else
- ynh_read_json '../settings/manifest.json' "$1"
- fi
-}
-
-ynh_app_dependencies (){
- export dependencies=$1
- export project_url=$(ynh_read_manifest 'url')
- export version=$(ynh_read_manifest 'version')
- export dep_app=${app/__/-}
- mkdir -p ../conf
- cat > ../conf/app-ynh-deps.control.j2 << EOF
-Section: misc
-Priority: optional
-Homepage: {{ project_url }}
-Standards-Version: 3.9.2
-
-Package: {{ dep_app }}-ynh-deps
-Version: {{ version }}
-Depends: {{ dependencies }}
-Architecture: all
-Description: meta package for {{ app }} (YunoHost app) dependencies
- This meta-package is only responsible of installing its dependencies.
-EOF
-
- ynh_configure app-ynh-deps.control ./$dep_app-ynh-deps.control
- ynh_package_install_from_equivs ./$dep_app-ynh-deps.control \
- || ynh_die "Unable to install dependencies"
-}
-
-
-
-
-# Create a system user
-#
-# usage: ynh_system_user_create user_name [home_dir]
-# | arg: user_name - Name of the system user that will be create
-# | arg: home_dir - Path of the home dir for the user. Usually the final path of the app. If this argument is omitted, the user will be created without home
-ynh_system_user_create () {
- if ! ynh_system_user_exists "$1" # Check if the user exists on the system
- then # If the user doesn't exist
- if [ $# -ge 2 ]; then # If a home dir is mentioned
- user_home_dir="-d $2"
- else
- user_home_dir="--no-create-home"
- fi
- sudo useradd $user_home_dir --system --user-group $1 --shell /usr/sbin/nologin || ynh_die "Unable to create $1 system account"
- fi
-}
-
-# Delete a system user
-#
-# usage: ynh_system_user_delete user_name
-# | arg: user_name - Name of the system user that will be create
-ynh_system_user_delete () {
- if ynh_system_user_exists "$1" # Check if the user exists on the system
- then
- sudo userdel $1
- else
- echo "The user $1 was not found" >&2
- fi
-}
-
-
-ynh_configure () {
- local TEMPLATE=$1
- local DEST=$2
- type j2 2>/dev/null || sudo pip install j2cli jinja2
- j2 "${PKG_DIR}/conf/$TEMPLATE.j2" > "${PKG_DIR}/conf/$TEMPLATE"
- sudo cp "${PKG_DIR}/conf/$TEMPLATE" "$DEST"
-}
-
-ynh_configure_nginx () {
- ynh_configure nginx.conf /etc/nginx/conf.d/$domain.d/$app.conf
- sudo service nginx reload
-}
-
-ynh_configure_php_fpm () {
- finalphpconf=/etc/php5/fpm/pool.d/$app.conf
- ynh_configure php-fpm.conf /etc/php5/fpm/pool.d/$app.conf
- sudo chown root: $finalphpconf
-
- finalphpini=/etc/php5/fpm/conf.d/20-$app.ini
- sudo cp ../conf/php-fpm.ini $finalphpini
- sudo chown root: $finalphpini
-
- sudo service php5-fpm reload
-}
-
-# Find a free port and return it
-#
-# example: port=$(ynh_find_port 8080)
-#
-# usage: ynh_find_port begin_port
-# | arg: begin_port - port to start to search
-ynh_find_port () {
- port=$1
- test -n "$port" || ynh_die "The argument of ynh_find_port must be a valid port."
- while netcat -z 127.0.0.1 $port # Check if the port is free
- do
- port=$((port+1)) # Else, pass to next port
- done
- echo $port
-}
-
-
-### REMOVE SCRIPT
-
-# Remove a database if it exist and the associated user
-#
-# usage: ynh_mysql_remove_db user name
-# | arg: user - Proprietary of the database
-# | arg: name - Name of the database
-ynh_mysql_remove_db () {
- if mysqlshow -u root -p$(sudo cat $MYSQL_ROOT_PWD_FILE) | grep -q "^| $2"; then # Check if the database exist
- ynh_mysql_drop_db $2 # Remove the database
- ynh_mysql_drop_user $1 # Remove the associated user to database
- else
- echo "Database $2 not found" >&2
- fi
-}
-
-ynh_rm_nginx_conf () {
- if [ -e "/etc/nginx/conf.d/$domain.d/$app.conf" ]; then
- sudo rm "/etc/nginx/conf.d/$domain.d/$app.conf"
- sudo service nginx reload
- fi
-}
-
-ynh_rm_php_fpm_conf () {
- if [ -e "/etc/php5/fpm/pool.d/$app.conf" ]; then
- sudo rm "/etc/php5/fpm/pool.d/$app.conf"
- fi
- if [ -e "/etc/php5/fpm/conf.d/20-$app.ini" ]; then
- sudo rm "/etc/php5/fpm/conf.d/20-$app.ini"
- fi
- sudo service php5-fpm reload
-}
-
-REMOVE_LOGROTATE_CONF () {
- if [ -e "/etc/logrotate.d/$app" ]; then
- sudo rm "/etc/logrotate.d/$app"
- fi
-}
-
-ynh_secure_rm () {
- [[ "/var/www /opt /home/yunohost.app" =~ $1 ]] \
- || (test -n "$1" && sudo rm -Rf $1 )
-}
-
+#=================================================
+# COMMON VARIABLES
+#=================================================
+# dependencies used by the app
+pkg_dependencies="openvpn openvpn-auth-ldap netmask"
diff --git a/scripts/backup b/scripts/backup
index f47607a..e63d081 100644
--- a/scripts/backup
+++ b/scripts/backup
@@ -1,39 +1,83 @@
#!/bin/bash
-# causes the shell to exit if any subcommand or pipeline returns a non-zero status
-set -e
+#=================================================
+# GENERIC START
+#=================================================
+# IMPORT GENERIC HELPERS
+#=================================================
-# Source YNH helpers
-. /usr/share/yunohost/helpers
+#Keep this path for calling _common.sh inside the execution's context of backup and restore scripts
+source ../settings/scripts/_common.sh
+source /usr/share/yunohost/helpers
-backup_dir=$1
+#=================================================
+# MANAGE SCRIPT FAILURE
+#=================================================
+
+# Exit if an error occurs during the execution of the script
+ynh_abort_if_errors
+
+#=================================================
+# LOAD SETTINGS
+#=================================================
+ynh_script_progression --message="Loading installation settings..." --time --weight=1
-# Get app instance name
app=$YNH_APP_INSTANCE_NAME
-# Retrieve arguments
-domain=$(ynh_app_setting_get $app domain)
-path=$(ynh_app_setting_get $app path)
-local_path=$(ynh_app_setting_get $app local_path)
-
-my_ynh_backup () {
- ynh_backup $@
- echo $2 $1 >> $backup_dir/list
-}
-
-# Copy the app files
-my_ynh_backup "$local_path" "sources"
-my_ynh_backup "/etc/openvpn" "etc"
-my_ynh_backup "/etc/yunohost/certs/${domain}/dh.pem" "certs/dh.pem"
-
-# Copy the conf files
-my_ynh_backup "/etc/sysctl.d/openvpn.conf" "conf/sysctl"
-my_ynh_backup "/etc/nginx/conf.d/$domain.d/$app.conf" "conf/nginx.conf"
-my_ynh_backup "/etc/php5/fpm/pool.d/$app.conf" "conf/php-fpm.conf"
-my_ynh_backup "/etc/php5/fpm/conf.d/20-$app.ini" "conf/php-fpm.ini"
-my_ynh_backup "/etc/fail2ban/jail.d/${app}.conf" "conf/fail2ban-jail.conf"
-my_ynh_backup "/etc/fail2ban/filter.d/$app.conf" "conf/fail2ban-filter.conf"
-my_ynh_backup "/etc/logrotate.d/$app.conf" "conf/logrotate.conf"
-
-# Copy log
-my_ynh_backup "/var/log/openvpn" "log"
+final_path=$(ynh_app_setting_get --app=$app --key=final_path)
+domain=$(ynh_app_setting_get --app=$app --key=domain)
+
+#=================================================
+# STANDARD BACKUP STEPS
+#=================================================
+# BACKUP THE APP MAIN DIR
+#=================================================
+ynh_script_progression --message="Backing up the main app directory..." --time --weight=1
+
+ynh_backup --src_path="$final_path"
+
+#=================================================
+# BACKUP THE NGINX CONFIGURATION
+#=================================================
+ynh_script_progression --message="Backing up nginx web server configuration..." --time --weight=1
+
+ynh_backup --src_path="/etc/nginx/conf.d/$domain.d/$app.conf"
+
+#=================================================
+# BACKUP THE PHP-FPM CONFIGURATION
+#=================================================
+ynh_script_progression --message="Backing up php-fpm configuration..." --time --weight=1
+
+ynh_backup --src_path="/etc/php/7.0/fpm/pool.d/$app.conf"
+
+#=================================================
+# BACKUP FAIL2BAN CONFIGURATION
+#=================================================
+ynh_script_progression --message="Backing up fail2ban configuration..." --time --weight=1
+
+ynh_backup --src_path="/etc/fail2ban/jail.d/$app.conf"
+ynh_backup --src_path="/etc/fail2ban/filter.d/$app.conf"
+
+#=================================================
+# SPECIFIC BACKUP
+#=================================================
+# BACKUP LOGROTATE
+#=================================================
+ynh_script_progression --message="Backing up logrotate configuration..." --time --weight=1
+
+ynh_backup --src_path="/etc/logrotate.d/$app"
+
+#=================================================
+# BACKUP SPECIFIC FILES
+#=================================================
+
+ynh_backup --src_path="/etc/openvpn"
+ynh_backup --src_path="/etc/yunohost/certs/$domain/dh.pem"
+ynh_backup --src_path="/etc/sysctl.d/openvpn.conf"
+ynh_backup --src_path="/var/log/openvpn"
+
+#=================================================
+# END OF SCRIPT
+#=================================================
+
+ynh_script_progression --message="Backup script completed for $app. (YunoHost will then actually copy those files to the archive)." --time --last
diff --git a/scripts/install b/scripts/install
index 82e8801..bf75791 100644
--- a/scripts/install
+++ b/scripts/install
@@ -1,46 +1,359 @@
#!/bin/bash
-source /usr/share/yunohost/helpers
+
+#=================================================
+# GENERIC START
+#=================================================
+# IMPORT GENERIC HELPERS
+#=================================================
+
source _common.sh
+source /usr/share/yunohost/helpers
+
+#=================================================
+# MANAGE SCRIPT FAILURE
+#=================================================
+
+# Exit if an error occurs during the execution of the script
+ynh_abort_if_errors
+
+#=================================================
+# RETRIEVE ARGUMENTS FROM THE MANIFEST
+#=================================================
+
+domain=$YNH_APP_ARG_DOMAIN
+path_url=$YNH_APP_ARG_PATH
+dedicated_ip=$YNH_APP_ARG_DEDICATED_IP
+ip4ranges=$YNH_APP_ARG_IP4RANGES
+
+### If it's a multi-instance app, meaning it can be installed several times independently
+### The id of the app as stated in the manifest is available as $YNH_APP_ID
+### The instance number is available as $YNH_APP_INSTANCE_NUMBER (equals "1", "2", ...)
+### The app instance name is available as $YNH_APP_INSTANCE_NAME
+### - the first time the app is installed, YNH_APP_INSTANCE_NAME = ynhexample
+### - the second time the app is installed, YNH_APP_INSTANCE_NAME = ynhexample__2
+### - ynhexample__{N} for the subsequent installations, with N=3,4, ...
+### The app instance name is probably what interests you most, since this is
+### guaranteed to be unique. This is a good unique identifier to define installation path,
+### db names, ...
+app=$YNH_APP_INSTANCE_NAME
+
+#=================================================
+# CHECK IF THE APP CAN BE INSTALLED WITH THESE ARGS
+#=================================================
+### About --weight and --time
+### ynh_script_progression will show to your final users the progression of each scripts.
+### In order to do that, --weight will represent the relative time of execution compared to the other steps in the script.
+### --time is a packager option, it will show you the execution time since the previous call.
+### This option should be removed before releasing your app.
+### Use the execution time, given by --time, to estimate the weight of a step.
+### A common way to do it is to set a weight equal to the execution time in second +1.
+### The execution time is given for the duration since the previous call. So the weight should be applied to this previous call.
+ynh_script_progression --message="Validating installation parameters..." --time --weight=1
+
+### If the app uses nginx as web server (written in HTML/PHP in most cases), the final path should be "/var/www/$app".
+### If the app provides an internal web server (or uses another application server such as uwsgi), the final path should be "/opt/yunohost/$app"
+final_path=/var/www/$app
+test ! -e "$final_path" || ynh_die --message="This path already contains a folder"
-ynh_trap_on
+# Register (book) web path
+ynh_webpath_register --app=$app --domain=$domain --path_url=$path_url
-export app=$YNH_APP_INSTANCE_NAME
-export user=$app
-export webuser="${user}web"
-# Retrieve arguments
-ynh_export domain path ip4ranges dedicated_ip
-ynh_find_port 1194
-export port=$port
-export local_path=/var/www/$app
-export iface=$(ip r|awk '/default/ { print $5 }')
+# Check if iptables is working
+if ! iptables -L > /dev/null 2>&1
+then
+ ynh_die --message="iptables is not available in your environment, aborting..."
+fi
+
+# Check IPv4 range argument
+_255='(25[0-5]|2[0-4][0-9]|1?[0-9][0-9]?)'
+ip4regex=(${_255}\.){3}${_255}
+rangeip4regex="${ip4regex}(/(3[0-2]|[1-2][0-9]|[1-9]))?"
+regex="${rangeip4regex}([[:space:]]+${rangeip4regex})*"
+if [[ $ip4ranges =~ ^${regex}$ ]]
+then
+ echo "IPv4 ranges format ok"
+else
+ ynh_die --message="Bad Ipv4 ranges format, aborting..."
+fi
#=================================================
-# CHECK IF THE APP CAN BE INSTALLED WITH THIS ARGS
+# STORE SETTINGS FROM MANIFEST
#=================================================
-ynh_check_var "$app" "app name not set"
-#ynh_user_exists "$admin" || ynh_die "User does not exist: $admin"
-ynh_normalize_url_path "$path"
-ynh_path_validity "$domain$path"
-ynh_local_path_available "$local_path"
-check_iptables
-check_tun_available
-check_ip4ranges $ip4ranges
+ynh_script_progression --message="Storing installation settings..." --time --weight=1
+ynh_app_setting_set --app=$app --key=domain --value=$domain
+ynh_app_setting_set --app=$app --key=path --value=$path_url
+ynh_app_setting_set --app=$app --key=dedicated_ip --value=$dedicated_ip
#=================================================
-# SETUP THE APP BY MODIFYING THE SYSTEM
+# STANDARD MODIFICATIONS
+#=================================================
+# FIND AND OPEN A PORT
#=================================================
-ynh_save_args ip4ranges port local_path iface dedicated_ip
-# Install official debian package
-ynh_app_dependencies openvpn,openvpn-auth-ldap,netmask
+if [ -z "$dedicated_ip" ]
+then
+ ynh_script_progression --message="Configuring firewall..." --time --weight=1
+
+ ### Use these lines if you have to open a port for the application
+ ### `ynh_find_port` will find the first available port starting from the given port.
+ ### If you're not using these lines:
+ ### - Remove the section "CLOSE A PORT" in the remove script
+
+ # Find a free port
+ port=$(ynh_find_port --port=1194)
+ # Open this port
+ ynh_exec_warn_less yunohost firewall allow --no-upnp Both $port
+ ynh_app_setting_set --app=$app --key=port --value=$port
+fi
+
+#=================================================
+# INSTALL DEPENDENCIES
+#=================================================
+ynh_script_progression --message="Installing dependencies..." --time --weight=1
+
+### `ynh_install_app_dependencies` allows you to add any "apt" dependencies to the package.
+### Those deb packages will be installed as dependencies of this package.
+### If you're not using this helper:
+### - Remove the section "REMOVE DEPENDENCIES" in the remove script
+### - Remove the variable "pkg_dependencies" in _common.sh
+### - As well as the section "REINSTALL DEPENDENCIES" in the restore script
+### - And the section "UPGRADE DEPENDENCIES" in the upgrade script
+
+ynh_install_app_dependencies $pkg_dependencies
+
+#=================================================
+# DOWNLOAD, CHECK AND UNPACK SOURCE
+#=================================================
+ynh_script_progression --message="Setting up source files..." --time --weight=1
+
+ynh_app_setting_set --app=$app --key=final_path --value=$final_path
+
+mkdir -p "$final_path"
+# Copy extra source files
+cp -a $YNH_CWD/../sources/extra_files/app/. "$final_path"
+
+#=================================================
+# NGINX CONFIGURATION
+#=================================================
+ynh_script_progression --message="Configuring nginx web server..." --time --weight=1
+
+### `ynh_add_nginx_config` will use the file conf/nginx.conf
+
+# Create a dedicated nginx config
+ynh_add_nginx_config
+
+#=================================================
+# CREATE DEDICATED USER
+#=================================================
+ynh_script_progression --message="Configuring system user..." --time --weight=1
+
+# Create system users
+ynh_system_user_create --username=$app --home_dir="/etc/openvpn/"
+webuser=${app}web
+ynh_system_user_create --username=$webuser --home_dir="$final_path"
+
+#=================================================
+# PHP-FPM CONFIGURATION
+#=================================================
+ynh_script_progression --message="Configuring php-fpm..." --time --weight=1
+
+### `ynh_add_fpm_config` is used to set up a PHP config.
+### You can remove it if your app doesn't use PHP.
+### `ynh_add_fpm_config` will use the files conf/php-fpm.conf
+### If you're not using these lines:
+### - You can remove these files in conf/.
+### - Remove the section "BACKUP THE PHP-FPM CONFIGURATION" in the backup script
+### - Remove also the section "REMOVE PHP-FPM CONFIGURATION" in the remove script
+### - As well as the section "RESTORE THE PHP-FPM CONFIGURATION" in the restore script
+### With the reload at the end of the script.
+### - And the section "PHP-FPM CONFIGURATION" in the upgrade script
+
+# Create a dedicated php-fpm config
+ynh_add_fpm_config
+
+#=================================================
+# SPECIFIC SETUP
+#=================================================
+# STUFF NOT YET SORTED...
+#=================================================
+
+iface=$(ip r|awk '/default/ { print $5 }')
+ynh_app_setting_set --app=$app --key=iface --value=$iface
+
# Create DH for main domain
dh_size=1024
-info "Generate dhparam(${dh_size}) file, this step may be long..."
-sudo openssl dhparam -out "/etc/yunohost/certs/${domain}/dh.pem" $dh_size > /dev/null
-sudo openvpn --genkey --secret /etc/openvpn/ta.key
+ynh_print_info "Generate dhparam($dh_size) file, this step may be long..."
+openssl dhparam -out "/etc/yunohost/certs/$domain/dh.pem" $dh_size > /dev/null
+openvpn --genkey --secret /etc/openvpn/ta.key
+
+
+# Find gateway ip and mask and save it
+first_ip4_range=$(echo $ip4ranges | cut -f1 -d" ")
+first_ip=$(netmask -r $first_ip4_range | cut -f1 -d"-" )
+first_ip=$( netmask -x $first_ip )
+first_ip=$(( $first_ip + 1 ))
+first_ip4=$( netmask $first_ip )
+last_ip4=$(netmask -r $first_ip4_range | cut -f2 -d"-" )
+first_ip4_range=$(netmask -s $first_ip4_range)
+gateway_ip4=$(echo $first_ip4_range | cut -f1 -d"/")
+gateway_mask=$(echo $first_ip4_range | cut -f2 -d"/")
+
+ynh_app_setting_set --app=$app --key=gateway_ip4 --value=$gateway_ip4
+ynh_app_setting_set --app=$app --key=gateway_mask --value=$gateway_mask
+
+
+# Make directories and set rights
+mkdir -p /etc/openvpn/auth \
+ /etc/openvpn/users \
+ /var/log/openvpn
+
+touch /var/log/openvpn/status.log
+touch /var/log/openvpn/server.log
+touch /etc/openvpn/users_settings.csv
+
+# Configurations
+conf_file="/etc/openvpn/yunohost.conf"
+cp ../conf/yunohost.conf "$conf_file"
+if [ -n "$dedicated_ip" ]; then
+ ynh_replace_string --match_string="^# local __DEDICATED_IP__" --replace_string="local $dedicated_ip" --target_file="$conf_file"
+fi
+ynh_replace_string --match_string="__PORT__" --replace_string="$port" --target_file="$conf_file"
+ynh_replace_string --match_string="__DOMAIN__" --replace_string="$domain" --target_file="$conf_file"
+
+conf_file="$final_path/$domain.conf"
+cp ../conf/config.ovpn "$conf_file"
+ynh_replace_string --match_string="__DOMAIN__" --replace_string="$domain" --target_file="$conf_file"
+ynh_replace_string --match_string="__PORT__" --replace_string="$port" --target_file="$conf_file"
+# Temp fix for getopts -> https://github.com/YunoHost/yunohost/pull/752
+ca_yunohost=$(cat /etc/ssl/certs/ca-yunohost_crt.pem)
+ynh_replace_special_string --match_string="__CA_YUNOHOST__" --replace_string="${ca_yunohost//-/\\-}" --target_file="$conf_file"
+ynh_replace_string --match_string="__TA_KEY__" --replace_string="$(cat /etc/openvpn/ta.key)" --target_file="$conf_file"
+
+conf_file="$final_path/$domain.ovpn"
+cp ../conf/config-cli.ovpn "$conf_file"
+ynh_replace_string --match_string="__DOMAIN__" --replace_string="$domain" --target_file="$conf_file"
+ynh_replace_string --match_string="__PORT__" --replace_string="$port" --target_file="$conf_file"
+ynh_replace_special_string --match_string="__CA_YUNOHOST__" --replace_string="${ca_yunohost//-/\\-}" --target_file="$conf_file"
+ynh_replace_string --match_string="__TA_KEY__" --replace_string="$(cat /etc/openvpn/ta.key)" --target_file="$conf_file"
+
+cp ../conf/ldap.conf /etc/openvpn/auth/
+ln -s /etc/ssl/certs/ca-yunohost_crt.pem "$final_path/ca.crt"
+cp ../conf/handler.sh /etc/openvpn/handler.sh
+cp ../conf/sudoers /etc/sudoers.d/openvpn
+touch /etc/openvpn/crl.pem
+echo "$ip4ranges" > /etc/openvpn/ip4ranges
+
+# IP forwarding
+cp ../conf/sysctl /etc/sysctl.d/openvpn.conf
+sysctl -p /etc/sysctl.d/openvpn.conf
+
+# Ensure that tun device is still available, otherwise try to create it manually
+if [ ! -c /dev/net/tun ]
+then
+ mkdir -p /dev/net
+ mknod /dev/net/tun c 10 200
+ chmod 666 /dev/net/tun
+fi
+
+# Add masquerade rules
+ip4ranges_iptable=$(echo "$ip4ranges" | tr " " "\n")
+iptables -t filter -A FORWARD -i "$iface" -o tun0 -m state --state ESTABLISHED,RELATED -j ACCEPT
+for ip4range in $ip4ranges_iptable
+do
+ if ! (sudo /sbin/iptables -L -t nat | grep $ip4range | grep MASQUERADE > /dev/null 2>&1); then
+ sudo iptables -t nat -A POSTROUTING -s $ip4range -o "$iface" -j MASQUERADE
+ sudo iptables -t filter -A FORWARD -s $ip4range -o "$iface" -j ACCEPT
+ fi
+done
+
+#=================================================
+# GENERIC FINALIZATION
+#=================================================
+# SECURE FILES AND DIRECTORIES
+#=================================================
+
+### For security reason, any app should set the permissions to root: before anything else.
+### Then, if write authorization is needed, any access should be given only to directories
+### that really need such authorization.
+
+# Set permissions
+chown -R $webuser: "$final_path"
+chmod -R 664 "$final_path"
+find "$final_path" -type d -print0 | xargs -0 chmod 775
+
+chown -R $webuser:www-data "$final_path"
+chmod 640 "$final_path/$domain.conf"
+chmod 640 "$final_path/$domain.ovpn"
+chown -R $app: /var/log/openvpn
+chown -R $app: /etc/openvpn
+chmod 640 /etc/openvpn/users_settings.csv
+chmod u+x /etc/openvpn/handler.sh
+
+#=================================================
+# SETUP LOGROTATE
+#=================================================
+ynh_script_progression --message="Configuring log rotation..." --time --weight=1
+
+# Use logrotate to manage application logfile(s)
+cp ../conf/logrotate.conf /etc/logrotate.d/$app.conf
+
+#=================================================
+# ADVERTISE SERVICE IN ADMIN PANEL
+#=================================================
+
+### `yunohost service add` is a CLI yunohost command to add a service in the admin panel.
+### You'll find the service in the 'services' section of YunoHost admin panel.
+### This CLI command would be useless if the app does not have any services (systemd or sysvinit)
+### If you're not using these lines:
+### - You can remove these files in conf/.
+### - Remove the section "REMOVE SERVICE FROM ADMIN PANEL" in the remove script
+### - As well as the section "ADVERTISE SERVICE IN ADMIN PANEL" in the restore script
+
+yunohost service add openvpn --log "/var/log/openvpn/status.log"
+# if using yunohost version 3.2 or more in the 'manifest.json', a description can be added
+#yunohost service add $app --description "$app daemon for XXX" --log "/var/log/$app/$app.log"
+
+#=================================================
+# START SYSTEMD SERVICE
+#=================================================
+ynh_script_progression --message="Starting a systemd service..." --time --weight=1
+
+### `ynh_systemd_action` is used to start a systemd service for an app.
+### Only needed if you have configure a systemd service
+### If you're not using these lines:
+### - Remove the section "STOP SYSTEMD SERVICE" and "START SYSTEMD SERVICE" in the backup script
+### - As well as the section "START SYSTEMD SERVICE" in the restore script
+### - As well as the section"STOP SYSTEMD SERVICE" and "START SYSTEMD SERVICE" in the upgrade script
+### - And the section "STOP SYSTEMD SERVICE" and "START SYSTEMD SERVICE" in the change_url script
+
+yunohost service enable openvpn
+
+# Start a systemd service
+ynh_systemd_action --service_name=openvpn --action=start
+
+#=================================================
+# SETUP FAIL2BAN
+#=================================================
+ynh_script_progression --message="Configuring fail2ban..." --time --weight=1
+
+ynh_replace_string --match_string="__APP__" --replace_string="$app" --target_file=fail2ban-jail.conf
+ynh_replace_string --match_string="__PORT__" --replace_string="$port" --target_file=fail2ban-jail.conf
+
+# Create a dedicated fail2ban config
+ynh_add_fail2ban_config --use_template
+
+#=================================================
+# RELOAD NGINX
+#=================================================
+ynh_script_progression --message="Reloading nginx web server..." --time --weight=1
+
+ynh_systemd_action --service_name=nginx --action=reload
+
+#=================================================
+# END OF SCRIPT
+#=================================================
-# Install configured files and restart services
-setup_and_restart
+ynh_script_progression --message="Installation of $app completed" --time --last
diff --git a/scripts/remove b/scripts/remove
index 98e2f89..48167d0 100644
--- a/scripts/remove
+++ b/scripts/remove
@@ -1,50 +1,158 @@
#!/bin/bash
-source /usr/share/yunohost/helpers
+
+#=================================================
+# GENERIC START
+#=================================================
+# IMPORT GENERIC HELPERS
+#=================================================
+
source _common.sh
+source /usr/share/yunohost/helpers
+
+#=================================================
+# LOAD SETTINGS
+#=================================================
+ynh_script_progression --message="Loading installation settings..." --time --weight=1
app=$YNH_APP_INSTANCE_NAME
-user=$app
-webuser="${user}web"
-local_path=$(ynh_app_setting_get $app local_path)
-domain=$(sudo yunohost app setting $app domain)
+domain=$(ynh_app_setting_get --app=$app --key=domain)
+port=$(ynh_app_setting_get --app=$app --key=port)
+final_path=$(ynh_app_setting_get --app=$app --key=final_path)
+ip4ranges=$(ynh_app_setting_get --app=$app --key=ip4ranges)
+iface=$(ynh_app_setting_get --app=$app --key=iface)
+
+#=================================================
+# STANDARD REMOVE
+#=================================================
+# REMOVE SERVICE FROM ADMIN PANEL
+#=================================================
+
+# Remove a service from the admin panel, added by `yunohost service add`
+if ynh_exec_warn_less yunohost service status openvpn >/dev/null
+then
+ ynh_script_progression --message="Removing openvpn service..." --time --weight=1
+ yunohost service remove openvpn
+fi
+
+#=================================================
+# STOP AND REMOVE SERVICE
+#=================================================
+ynh_script_progression --message="Stopping the systemd service..." --time --weight=1
+
+ynh_systemd_action --service_name=openvpn --action=stop
+
+#=================================================
+# REMOVE DEPENDENCIES
+#=================================================
+ynh_script_progression --message="Removing dependencies..." --time --weight=1
+
+# Remove metapackage and its dependencies
+ynh_remove_app_dependencies
+
+#=================================================
+# REMOVE APP MAIN DIR
+#=================================================
+ynh_script_progression --message="Removing app main directory..." --time --weight=1
+
+# Remove the app directory securely
+ynh_secure_remove --file="$final_path"
+
+#=================================================
+# REMOVE NGINX CONFIGURATION
+#=================================================
+ynh_script_progression --message="Removing nginx web server configuration..." --time --weight=1
+
+# Remove the dedicated nginx config
+ynh_remove_nginx_config
+
+#=================================================
+# REMOVE PHP-FPM CONFIGURATION
+#=================================================
+ynh_script_progression --message="Removing php-fpm configuration..." --time --weight=1
+
+# Remove the dedicated php-fpm config
+ynh_remove_fpm_config
+
+#=================================================
+# REMOVE LOGROTATE CONFIGURATION
+#=================================================
+ynh_script_progression --message="Removing logrotate configuration..." --time --weight=1
+
+# Remove the app-specific logrotate config
+ynh_remove_logrotate
+
+#=================================================
+# CLOSE A PORT
+#=================================================
+
+if yunohost firewall list | grep -q "\- $port$"
+then
+ ynh_script_progression --message="Closing port $port..."
+ ynh_exec_warn_less yunohost firewall disallow TCP $port
+fi
+
+# Remove masquerade rules
+ip4ranges_iptable=$(echo "$ip4ranges" | tr " " "\n")
+iptables -t filter -D FORWARD -i "$iface" -o tun0 -m state --state ESTABLISHED,RELATED -j ACCEPT
+for ip4range in $ip4ranges_iptable
+do
+ if ! (sudo /sbin/iptables -L -t nat | grep $ip4range | grep MASQUERADE > /dev/null 2>&1); then
+ sudo iptables -t nat -D POSTROUTING -s $ip4range -o "$iface" -j MASQUERADE
+ sudo iptables -t filter -D FORWARD -s $ip4range -o "$iface" -j ACCEPT
+ fi
+done
+
+#=================================================
+# REMOVE FAIL2BAN CONFIGURATION
+#=================================================
+ynh_script_progression --message="Removing fail2ban configuration..." --time --weight=1
-sudo service openvpn stop
+# Remove the dedicated fail2ban config
+ynh_remove_fail2ban_config
-sudo rm -f /etc/yunohost/hooks.d/post_iptable_rules/*openvpn
-sudo yunohost firewall disallow UDP 1194 > /dev/null 2>&1
-rm_firewall_rules
+#=================================================
+# SPECIFIC REMOVE
+#=================================================
+# NOT SORTED STUFF
+#=================================================
-sudo sysctl net.ipv4.ip_forward=0
-sudo yunohost service remove openvpn
+sysctl net.ipv4.ip_forward=0
-# We don't delete all /etc/openvpn because it could be used by vpnclient_ynh
-sudo rm -rf /etc/openvpn/yunohost.conf \
- /etc/openvpn/auth \
- /etc/openvpn/ta.key \
- /etc/openvpn/users \
- /etc/openvpn/handler.sh \
- /etc/openvpn/ip4_attribution.csv \
- /etc/sysctl.d/openvpn.conf
+ynh_secure_remove --file="/etc/openvpn/yunohost.conf"
+ynh_secure_remove --file="/etc/openvpn/auth"
+ynh_secure_remove --file="/etc/openvpn/ta.key"
+ynh_secure_remove --file="/etc/openvpn/users"
+ynh_secure_remove --file="/etc/openvpn/handler.sh"
+ynh_secure_remove --file="/etc/openvpn/ip4_attribution.csv"
+ynh_secure_remove --file="/etc/sysctl.d/openvpn.conf"
# TODO: May be we shouldn't remove it
-sudo rm -rf /var/log/openvpn
+ynh_secure_remove --file="/var/log/openvpn"
+ynh_secure_remove --file="/etc/yunohost/certs/$domain/dh.pem"
+ynh_secure_remove --file="/etc/nginx/conf.d/$domain.d/openvpn.conf"
+ynh_secure_remove --file="/var/log/openvpn"
+ynh_secure_remove --file="/var/log/openvpn"
+ynh_secure_remove --file="/var/log/openvpn"
+ynh_secure_remove --file="/var/log/openvpn"
-ynh_secure_rm "$local_path"
-ynh_secure_rm "/etc/yunohost/certs/${domain}/dh.pem"
-ynh_secure_rm "/etc/nginx/conf.d/${domain}.d/openvpn.conf"
-ynh_secure_rm "/etc/logrotate.d/$app.conf"
-ynh_secure_rm "/etc/fail2ban/filter.d/$app.conf"
-ynh_secure_rm "/etc/fail2ban/jail.d/${app}.conf"
+# Remove hook files
+ynh_secure_remove --file="/etc/yunohost/hooks.d/post_iptable_rules/*openvpn"
-ynh_rm_nginx_conf
-ynh_rm_php_fpm_conf
+#=================================================
+# GENERIC FINALIZATION
+#=================================================
+# REMOVE DEDICATED USER
+#=================================================
+ynh_script_progression --message="Removing the dedicated system users..." --time --weight=1
-ynh_system_user_delete "$user"
-ynh_system_user_delete "$webuser"
+# Delete a system user
+ynh_system_user_delete --username=$app
+ynh_system_user_delete --username=${app}web
-dep_app=${app/__/-}
-ynh_package_remove $dep_app-ynh-deps
+#=================================================
+# END OF SCRIPT
+#=================================================
-sudo yunohost app ssowatconf
+ynh_script_progression --message="Removal of $app completed" --time --last
diff --git a/scripts/restore b/scripts/restore
index ffc1f28..674b4bc 100644
--- a/scripts/restore
+++ b/scripts/restore
@@ -1,36 +1,184 @@
#!/bin/bash
-source /usr/share/yunohost/helpers
+
+#=================================================
+# GENERIC START
+#=================================================
+# IMPORT GENERIC HELPERS
+#=================================================
+
+#Keep this path for calling _common.sh inside the execution's context of backup and restore scripts
source ../settings/scripts/_common.sh
+source /usr/share/yunohost/helpers
-ynh_trap_on
+#=================================================
+# MANAGE SCRIPT FAILURE
+#=================================================
-export app=$YNH_APP_INSTANCE_NAME
-export user=$app
-export webuser="${user}web"
+ynh_clean_setup () {
+ #### Remove this function if there's nothing to clean before calling the remove script.
+ true
+}
+# Exit if an error occurs during the execution of the script
+ynh_abort_if_errors
-export domain=$(ynh_app_setting_get $app domain)
-export path=$(ynh_app_setting_get $app path)
-export local_path=$(ynh_app_setting_get $app local_path)
-export iface=$(ynh_app_setting_get $app iface)
-export port=$(ynh_app_setting_get $app port)
-export ip4ranges=$(ynh_app_setting_get $app ip4ranges)
-export dynamic_ip=$(ynh_app_setting_get $app dynamic_ip)
+#=================================================
+# LOAD SETTINGS
+#=================================================
+ynh_script_progression --message="Loading settings..." --time --weight=1
+
+app=$YNH_APP_INSTANCE_NAME
+
+domain=$(ynh_app_setting_get --app=$app --key=domain)
+path_url=$(ynh_app_setting_get --app=$app --key=path)
+final_path=$(ynh_app_setting_get --app=$app --key=final_path)
+ip4ranges=$(ynh_app_setting_get --app=$app --key=$ip4ranges)
+iface=$(ynh_app_setting_get --app=$app --key=$iface)
#=================================================
# CHECK IF THE APP CAN BE RESTORED
#=================================================
-ynh_check_restore
-check_iptables
-check_tun_available
+ynh_script_progression --message="Validating restoration parameters..." --time --weight=1
+
+ynh_webpath_available --domain=$domain --path_url=$path_url \
+ || ynh_die --message="Path not available: ${domain}${path_url}"
+test ! -d $final_path \
+ || ynh_die --message="There is already a directory: $final_path "
+
+
+# Check if iptables is working
+if ! iptables -L > /dev/null 2>&1
+then
+ ynh_die --message="iptables is not available in your environment, aborting..."
+fi
+
+#=================================================
+# STANDARD RESTORATION STEPS
+#=================================================
+# RESTORE THE NGINX CONFIGURATION
+#=================================================
+
+ynh_restore_file --origin_path="/etc/nginx/conf.d/$domain.d/$app.conf"
-#=================================================
-# RESTORE THE APP BY MODIFYING THE SYSTEM
#=================================================
-# Install official debian package
-ynh_app_dependencies openvpn,openvpn-auth-ldap,netmask
+# RESTORE THE APP MAIN DIR
+#=================================================
+ynh_script_progression --message="Restoring the app main directory..." --time --weight=1
-install_files () {
- ynh_restore
-}
+ynh_restore_file --origin_path="$final_path"
+
+#=================================================
+# RECREATE THE DEDICATED USER
+#=================================================
+ynh_script_progression --message="Recreating the dedicated system user..." --time --weight=1
+
+# Create the dedicated user (if not existing)
+ynh_system_user_create --username=$app --home_dir="/etc/openvpn/"
+webuser=${app}web
+ynh_system_user_create --username=$webuser --home_dir="$final_path"
+
+#=================================================
+# RESTORE USER RIGHTS
+#=================================================
+
+# Restore permissions on app files
+chown -R $webuser: "$final_path"
+
+chown -R $webuser:www-data "$final_path"
+chown -R $app: /var/log/openvpn
+chown -R $app: /etc/openvpn
+
+#=================================================
+# RESTORE THE PHP-FPM CONFIGURATION
+#=================================================
+
+ynh_restore_file --origin_path="/etc/php/7.0/fpm/pool.d/$app.conf"
+
+#=================================================
+# RESTORE FAIL2BAN CONFIGURATION
+#=================================================
+ynh_script_progression --message="Restoring the fail2ban configuration..." --time --weight=1
+
+ynh_restore_file "/etc/fail2ban/jail.d/$app.conf"
+ynh_restore_file "/etc/fail2ban/filter.d/$app.conf"
+ynh_systemd_action --action=restart --service_name=fail2ban
+
+#=================================================
+# SPECIFIC RESTORATION
+#=================================================
+# REINSTALL DEPENDENCIES
+#=================================================
+ynh_script_progression --message="Reinstalling dependencies..." --time --weight=1
+
+# Define and install dependencies
+ynh_install_app_dependencies $pkg_dependencies
+
+#=================================================
+# ADVERTISE SERVICE IN ADMIN PANEL
+#=================================================
+
+yunohost service add $app --log "/var/log/$app/$app.log"
+
+#=================================================
+# STUFF NOT YET SORTED...
+#=================================================
+
+# Ensure that tun device is still available, otherwise try to create it manually
+if [ ! -c /dev/net/tun ]
+then
+ mkdir -p /dev/net
+ mknod /dev/net/tun c 10 200
+ chmod 666 /dev/net/tun
+fi
+
+# Add masquerade rules
+ip4ranges_iptable=$(echo "$ip4ranges" | tr " " "\n")
+iptables -t filter -A FORWARD -i "$iface" -o tun0 -m state --state ESTABLISHED,RELATED -j ACCEPT
+for ip4range in $ip4ranges_iptable
+do
+ if ! (sudo /sbin/iptables -L -t nat | grep $ip4range | grep MASQUERADE > /dev/null 2>&1); then
+ sudo iptables -t nat -A POSTROUTING -s $ip4range -o "$iface" -j MASQUERADE
+ sudo iptables -t filter -A FORWARD -s $ip4range -o "$iface" -j ACCEPT
+ fi
+done
+
+#=================================================
+# RESTORE THE LOGROTATE CONFIGURATION
+#=================================================
+
+ynh_restore_file --origin_path="/etc/logrotate.d/$app"
+
+#=================================================
+# RESTORE SPECIFIC FILES
+#=================================================
+
+ynh_restore_file --origin_path="/etc/openvpn"
+ynh_restore_file --origin_path="/etc/yunohost/certs/$domain/dh.pem"
+ynh_restore_file --origin_path="/etc/sysctl.d/openvpn.conf"
+ynh_restore_file --origin_path="/var/log/openvpn"
+sysctl -p /etc/sysctl.d/openvpn.conf
+
+#=================================================
+# START SYSTEMD SERVICE
+#=================================================
+ynh_script_progression --message="Starting a systemd service..." --time --weight=1
+
+yunohost service enable openvpn
+
+# Start a systemd service
+ynh_systemd_action --service_name=openvpn --action=start
+
+#=================================================
+# GENERIC FINALIZATION
+#=================================================
+# RELOAD NGINX AND PHP-FPM
+#=================================================
+ynh_script_progression --message="Reloading nginx web server and php-fpm..." --time --weight=1
+
+ynh_systemd_action --service_name=php7.0-fpm --action=reload
+ynh_systemd_action --service_name=nginx --action=reload
+
+#=================================================
+# END OF SCRIPT
+#=================================================
-setup_and_restart
+ynh_script_progression --message="Restoration completed for $app" --time --last
diff --git a/scripts/upgrade b/scripts/upgrade
index a13b438..edf2380 100644
--- a/scripts/upgrade
+++ b/scripts/upgrade
@@ -1,57 +1,182 @@
#!/bin/bash
-source /usr/share/yunohost/helpers
+
+#=================================================
+# GENERIC START
+#=================================================
+# IMPORT GENERIC HELPERS
+#=================================================
+
source _common.sh
+source /usr/share/yunohost/helpers
-ynh_trap_on
+#=================================================
+# LOAD SETTINGS
+#=================================================
+ynh_script_progression --message="Loading installation settings..." --time --weight=1
-export app=$YNH_APP_INSTANCE_NAME
-export user=$app
-export webuser="${user}web"
+app=$YNH_APP_INSTANCE_NAME
-export domain=$(ynh_app_setting_get $app domain)
-domain=${prefix:-$(cat /etc/yunohost/current_host)}
-export path=$(ynh_app_setting_get $app path)
-path=${path:-/openvpn/}
-export local_path=$(ynh_app_setting_get $app local_path)
-local_path=${local_path:-/var/www/$app}
-export iface=$(ynh_app_setting_get $app iface)
-iface=${iface:-$(ip r|awk '/default/ { print $5 }')}
-export port=$(ynh_app_setting_get $app port)
-port=${port:-1194}
-export ip4ranges=$(ynh_app_setting_get $app ip4ranges)
-ip4ranges=${ip4ranges:-10.0.0.8/24}
-export dynamic_ip=$(ynh_app_setting_get $app dynamic_ip)
-dynamic_ip=${dynamic_ip:-false}
+domain=$(ynh_app_setting_get --app=$app --key=domain)
+path_url=$(ynh_app_setting_get --app=$app --key=path)
+final_path=$(ynh_app_setting_get --app=$app --key=final_path)
+#=================================================
+# CHECK VERSION
+#=================================================
-version=$(ynh_read_json "/etc/yunohost/apps/$app/manifest.json" 'version' 2> /dev/null || echo '2.3.4-1')
-last_version=$(ynh_read_manifest 'version')
+### This helper will compare the version of the currently installed app and the version of the upstream package.
+### $upgrade_type can have 2 different values
+### - UPGRADE_APP if the upstream app version has changed
+### - UPGRADE_PACKAGE if only the YunoHost package has changed
+### ynh_check_app_version_changed will stop the upgrade if the app is up to date.
+### UPGRADE_APP should be used to upgrade the core app only if there's an upgrade to do.
+upgrade_type=$(ynh_check_app_version_changed)
-ynh_exit_if_up_to_date
-ynh_check_var "$app" "app name not set"
-ynh_normalize_url_path "$path"
+#=================================================
+# ENSURE DOWNWARD COMPATIBILITY
+#=================================================
+ynh_script_progression --message="Ensuring downward compatibility..." --time --weight=1
-if [ "${version}" = "2.3.4-1" ]; then
- ynh_save_args domain path ip4ranges port local_path iface dynamic_ip
+# If final_path doesn't exist, create it
+if [ -z "$final_path" ]; then
+ final_path=/var/www/$app
+ ynh_app_setting_set --app=$app --key=final_path --value=$final_path
+fi
- # Install official debian package
- ynh_app_dependencies openvpn,openvpn-auth-ldap,netmask
+#=================================================
+# BACKUP BEFORE UPGRADE THEN ACTIVE TRAP
+#=================================================
+ynh_script_progression --message="Backing up the app before upgrading (may take a while)..." --time --weight=1
- # Delete old cron (replace by a iptables hooks)
- sudo rm -f /etc/openvpn/yunohost.cron
+# Backup the current version of the app
+ynh_backup_before_upgrade
+ynh_clean_setup () {
+ # restore it if the upgrade fails
+ ynh_restore_upgradebackup
+}
+# Exit if an error occurs during the execution of the script
+ynh_abort_if_errors
- # Install configured files and restart services
- setup_and_restart
+#=================================================
+# CHECK THE PATH
+#=================================================
- sudo mv /var/log/openvpn.log /var/log/openvpn/status.log
-fi
+# Normalize the URL path syntax
+# N.B. : this is for app installations before YunoHost 2.7
+# where this value might be something like /foo/ or foo/
+# instead of /foo ....
+# If nobody installed your app before 2.7, then you may
+# safely remove this line
+path_url=$(ynh_normalize_url_path --path_url=$path_url)
+
+#=================================================
+# STANDARD UPGRADE STEPS
+#=================================================
+# STOP SYSTEMD SERVICE
+#=================================================
+ynh_script_progression --message="Stopping a systemd service..." --time --weight=1
+
+ynh_systemd_action --service_name=openvpn --action=stop
+
+#=================================================
+# DOWNLOAD, CHECK AND UNPACK SOURCE
+#=================================================
-if [ "${version}" = "2.3.4-2" ]; then
- sudo touch /etc/openvpn/crl.pem
- sudo mkdir -p /etc/openvpn/users
- sudo touch /etc/openvpn/ip4_attribution.csv
- sudo cp ../conf/handler.sh /etc/openvpn/handler.sh
- sudo chown -R $user: /etc/openvpn
- sudo chmod 640 /etc/openvpn/ip4_attribution.csv
- sudo chmod u+x /etc/openvpn/handler.sh
+if [ "$upgrade_type" == "UPGRADE_APP" ]
+then
+ ynh_script_progression --message="Upgrading source files..." --time --weight=1
+
+ # Copy extra source files
+ cp -a $YNH_CWD/../sources/extra_files/app/. "$final_path"
fi
+
+#=================================================
+# NGINX CONFIGURATION
+#=================================================
+ynh_script_progression --message="Upgrading nginx web server configuration..." --time --weight=1
+
+# Create a dedicated nginx config
+ynh_add_nginx_config
+
+#=================================================
+# UPGRADE DEPENDENCIES
+#=================================================
+ynh_script_progression --message="Upgrading dependencies..." --time --weight=1
+
+ynh_install_app_dependencies $pkg_dependencies
+
+#=================================================
+# CREATE DEDICATED USER
+#=================================================
+ynh_script_progression --message="Making sure dedicated system users exists..." --time --weight=1
+
+# Create a dedicated user (if not existing)
+ynh_system_user_create --username=$app --home_dir="/etc/openvpn/"
+webuser=${app}web
+ynh_system_user_create --username=$webuser --home_dir="$final_path"
+
+#=================================================
+# PHP-FPM CONFIGURATION
+#=================================================
+ynh_script_progression --message="Upgrading php-fpm configuration..." --time --weight=1
+
+# Create a dedicated php-fpm config
+ynh_add_fpm_config
+
+#=================================================
+# SPECIFIC UPGRADE
+#=================================================
+# ...
+#=================================================
+
+
+
+#=================================================
+# GENERIC FINALIZATION
+#=================================================
+# UPGRADE FAIL2BAN
+#=================================================
+ynh_script_progression --message="Configuring fail2ban..." --time --weight=1
+
+ynh_replace_string --match_string="__APP__" --replace_string="$app" --target_file=fail2ban-jail.conf
+ynh_replace_string --match_string="__PORT__" --replace_string="$port" --target_file=fail2ban-jail.conf
+
+# Create a dedicated fail2ban config
+ynh_add_fail2ban_config --use_template
+
+#=================================================
+# SECURE FILES AND DIRECTORIES
+#=================================================
+
+# Set permissions on app files
+chown -R $webuser: "$final_path"
+chmod -R 664 "$final_path"
+find "$final_path" -type d -print0 | xargs -0 chmod 775
+
+chown -R $webuser:www-data "$final_path"
+chmod 640 "$final_path/$domain.conf"
+chmod 640 "$final_path/$domain.ovpn"
+chown -R $app: /var/log/openvpn
+chown -R $app: /etc/openvpn
+chmod 640 /etc/openvpn/users_settings.csv
+chmod u+x /etc/openvpn/handler.sh
+
+#=================================================
+# START SYSTEMD SERVICE
+#=================================================
+ynh_script_progression --message="Starting a systemd service..." --time --weight=1
+
+ynh_systemd_action --service_name=openvpn --action=start
+
+#=================================================
+# RELOAD NGINX
+#=================================================
+ynh_script_progression --message="Reloading nginx web server..." --time --weight=1
+
+ynh_systemd_action --service_name=nginx --action=reload
+
+#=================================================
+# END OF SCRIPT
+#=================================================
+
+ynh_script_progression --message="Upgrade of $app completed" --time --last
diff --git a/sources/assets/css/main.css b/sources/extra_files/app/assets/css/main.css
similarity index 100%
rename from sources/assets/css/main.css
rename to sources/extra_files/app/assets/css/main.css
diff --git a/sources/assets/img/Ovpntech_logo-s_REVISED.png b/sources/extra_files/app/assets/img/Ovpntech_logo-s_REVISED.png
similarity index 100%
rename from sources/assets/img/Ovpntech_logo-s_REVISED.png
rename to sources/extra_files/app/assets/img/Ovpntech_logo-s_REVISED.png
diff --git a/sources/index.php b/sources/extra_files/app/index.php
similarity index 100%
rename from sources/index.php
rename to sources/extra_files/app/index.php