Pour sudo yunohost tools regen-conf --dry-run --with-diff
:
Warning: The configuration file '/etc/ldap/slapd.ldif' has been manually modified and will not be updated
Warning: The configuration file '/etc/nginx/conf.d/yunohost_admin.conf.inc' has been manually modified and will not be updated
Warning: The configuration file '/etc/nginx/conf.d/yunohost_api.conf.inc' has been manually modified and will not be updated
Warning: The configuration file '/etc/nginx/conf.d/surunairdepizza.fr.conf' has been manually modified and will not be updated
Warning: The configuration file '/etc/postfix/main.cf' has been manually modified and will not be updated
Success! The configuration would have been updated for category 'dnsmasq'
Warning: The configuration file '/etc/nsswitch.conf' has been manually modified and will not be updated
dnsmasq:
applied:
/etc/resolv.dnsmasq.conf:
diff: @@ -1,20 +1,20 @@
-nameserver 2001:67c:28a4::
-nameserver 2a00:5881:8100:1000::3
+nameserver 2001:1608:10:25::9249:d69b
+nameserver 185.233.100.101
nameserver 2a0c:e300::101
-nameserver 80.67.169.12
-nameserver 2a0c:e300::100
-nameserver 89.234.141.66
-nameserver 2001:910:800::40
-nameserver 185.233.100.101
-nameserver 84.200.70.40
nameserver 91.239.100.100
nameserver 2001:910:800::12
+nameserver 2a00:5881:8100:1000::3
+nameserver 2a01:3a0:53:53::
+nameserver 194.150.168.168
+nameserver 89.234.141.66
+nameserver 84.200.69.80
+nameserver 80.67.169.12
+nameserver 80.67.169.40
+nameserver 2001:67c:28a4::
+nameserver 2a0c:e300::100
+nameserver 2001:910:800::40
+nameserver 185.233.100.100
+nameserver 84.200.70.40
nameserver 2001:1608:10:25::1c04:b12f
-nameserver 194.150.168.168
nameserver 195.160.173.53
-nameserver 80.67.169.40
-nameserver 185.233.100.100
-nameserver 2a01:3a0:53:53::
nameserver 89.233.43.71
-nameserver 84.200.69.80
-nameserver 2001:1608:10:25::9249:d69b
status: updated
pending:
nginx:
applied:
pending:
/etc/nginx/conf.d/surunairdepizza.fr.conf:
diff: @@ -6,34 +6,41 @@
server {
listen 80;
listen [::]:80;
- server_name surunairdepizza.fr xmpp-upload.surunairdepizza.fr;
+ server_name surunairdepizza.fr;
access_by_lua_file /usr/share/ssowat/access.lua;
include /etc/nginx/conf.d/acme-challenge.conf.inc;
- include /etc/nginx/conf.d/surunairdepizza.fr.d/*.conf;
-
- location /yunohost {
- return 301 https://$http_host$request_uri;
+ location ^~ '/.well-known/ynh-diagnosis/' {
+ alias /var/www/.well-known/ynh-diagnosis/;
}
- location ^~ '/.well-known/ynh-diagnosis/' {
- alias /tmp/.well-known/ynh-diagnosis/;
- }
-
+
location ^~ '/.well-known/autoconfig/mail/' {
alias /var/www/.well-known/surunairdepizza.fr/autoconfig/mail/;
}
-
+
+
+
+
+ location / {
+ return 301 https://$host$request_uri;
+ }
+
+
+
+ include /etc/nginx/conf.d/yunohost_http_errors.conf.inc;
access_log /var/log/nginx/surunairdepizza.fr-access.log;
error_log /var/log/nginx/surunairdepizza.fr-error.log;
}
server {
+
listen 443 ssl http2;
listen [::]:443 ssl http2;
+
server_name surunairdepizza.fr;
include /etc/nginx/conf.d/security.conf.inc;
@@ -49,13 +56,15 @@
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/yunohost/certs/surunairdepizza.fr/crt.pem;
- resolver 127.0.0.1 127.0.1.1 valid=300s;
+ resolver 1.1.1.1 9.9.9.9 valid=300s;
resolver_timeout 5s;
+
location ^~ '/.well-known/autoconfig/mail/' {
alias /var/www/.well-known/surunairdepizza.fr/autoconfig/mail/;
}
+
access_by_lua_file /usr/share/ssowat/access.lua;
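Review bot: `resolver 1.1.1.1 9.9.9.9 valid=300s;` at the top of the hunk moves this vhost's OCSP-stapling lookups from the local `127.0.0.1 127.0.1.1` to two external resolvers, and nginx's `resolver` speaks plain DNS only — no DoT/DoH, no DNSSEC validation — so the lookup now leaves the host unauthenticated and additionally depends on outbound port 53 to those addresses being allowed. If the local resolver (presumably the dnsmasq whose upstream list is merely reshuffled in the first diff on this page) is healthy, I would keep `resolver 127.0.0.1 127.0.1.1 valid=300s;`, or at least record why the external ones are preferred. A failed lookup does not break TLS — with `ssl_stapling_verify on` nginx just serves without a staple and logs a warning — so confirm stapling after applying with `openssl s_client -connect surunairdepizza.fr:443 -status`. The `server { ... }` block holding these lines starts before the hunk and ends after it.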
@@ -64,50 +73,9 @@
include /etc/nginx/conf.d/yunohost_sso.conf.inc;
include /etc/nginx/conf.d/yunohost_admin.conf.inc;
include /etc/nginx/conf.d/yunohost_api.conf.inc;
+ include /etc/nginx/conf.d/yunohost_http_errors.conf.inc;
access_log /var/log/nginx/surunairdepizza.fr-access.log;
error_log /var/log/nginx/surunairdepizza.fr-error.log;
}
-# vhost dedicated to XMPP http_upload
-server {
- listen 443 ssl http2;
- listen [::]:443 ssl http2;
- server_name xmpp-upload.surunairdepizza.fr;
- root /dev/null;
-
- location /upload/ {
- alias /var/xmpp-upload/surunairdepizza.fr/upload/;
- # Pass all requests to metronome, except for GET and HEAD requests.
- limit_except GET HEAD {
- proxy_pass http://localhost:5290;
- }
-
- include proxy_params;
- add_header 'Access-Control-Allow-Origin' '*';
- add_header 'Access-Control-Allow-Methods' 'HEAD, GET, PUT, OPTIONS';
- add_header 'Access-Control-Allow-Headers' 'Authorization';
- add_header 'Access-Control-Allow-Credentials' 'true';
- client_max_body_size 105M; # Choose a value a bit higher than the max upload configured in XMPP server
- }
-
- include /etc/nginx/conf.d/security.conf.inc;
-
- ssl_certificate /etc/yunohost/certs/surunairdepizza.fr/crt.pem;
- ssl_certificate_key /etc/yunohost/certs/surunairdepizza.fr/key.pem;
-
-
- more_set_headers "Strict-Transport-Security : max-age=63072000; includeSubDomains; preload";
-
-
- # OCSP settings
- ssl_stapling on;
- ssl_stapling_verify on;
- ssl_trusted_certificate /etc/yunohost/certs/surunairdepizza.fr/crt.pem;
- resolver 127.0.0.1 127.0.1.1 valid=300s;
- resolver_timeout 5s;
-
-
- access_log /var/log/nginx/xmpp-upload.surunairdepizza.fr-access.log;
- error_log /var/log/nginx/xmpp-upload.surunairdepizza.fr-error.log;
-}
status: modified
/etc/nginx/conf.d/yunohost_admin.conf.inc:
diff: @@ -5,17 +5,19 @@
alias /usr/share/yunohost/admin/;
default_type text/html;
index index.html;
- allow all;
+
- more_set_headers "Content-Security-Policy: upgrade-insecure-requests; default-src 'self'; connect-src 'self' https://raw.githubusercontent.com https://paste.yunohost.org wss://$host; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-eval'; object-src 'none';";
+ location = /yunohost/admin/index.html {
+ etag off;
+ expires off;
+ more_set_headers "Cache-Control: no-store, no-cache, must-revalidate";
+ }
+
+ location /yunohost/admin/applogos/ {
+ alias /usr/share/yunohost/applogos/;
+ }
+
+ more_set_headers "Content-Security-Policy: upgrade-insecure-requests; default-src 'self'; connect-src 'self' https://paste.yunohost.org wss://$host; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-eval'; object-src 'none'; img-src 'self' data:;";
more_set_headers "Content-Security-Policy-Report-Only:";
-
- # Short cache on handlebars templates
- location ~* \.(?:ms)$ {
- expires 5m;
- add_header Cache-Control "public";
- }
-}
-
-
+}
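Review bot: The rewritten CSP on the `more_set_headers "Content-Security-Policy: ..."` line still grants `script-src 'self' 'unsafe-eval'` and `style-src 'self' 'unsafe-inline'` and declares neither `frame-ancestors` nor `base-uri`, so a markup injection on the admin origin keeps `eval()` available and the admin can be framed unless the `security.conf.inc` include (not visible here) sets X-Frame-Options. If the admin UI is never embedded, append `frame-ancestors 'none'; base-uri 'self';` after `object-src 'none';` on that line; whether `'unsafe-eval'` can be dropped depends on the current frontend build, which I cannot tell from the hunk. The new `no-store` handling for `index.html` and the removal of the bare `allow all;` look fine as written. The `location` block these directives belong to opens above the hunk.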
status: modified
/etc/nginx/conf.d/yunohost_api.conf.inc:
diff: @@ -4,9 +4,8 @@
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
- proxy_set_header Host $http_host;
-
- allow all;
+ proxy_set_header Host $host;
+
# Custom 502 error page
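Review bot: The new `proxy_set_header Host $host;` sits next to the unconditional `proxy_set_header Connection "upgrade";` kept as context, so every proxied API request — not only WebSocket upgrades — reaches the backend with `Connection: upgrade` and no `Upgrade` header, the pattern the nginx docs advise against. The usual fix is a `map $http_upgrade $connection_upgrade { default upgrade; '' close; }` in the `http {}` context (outside this include) and `proxy_set_header Connection $connection_upgrade;` here. Note also that `$host` strips any port from the incoming Host header; if yunohost-api ever rebuilds absolute URLs from it, that is a behaviour change from `$http_host` that I cannot assess from this hunk. The `location` block wrapping these directives starts before the hunk.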
@@ -18,5 +17,4 @@
return 502 '502 - Bad Gateway';
add_header Content-Type text/plain;
internal;
-}
-
+}
status: modified
nsswitch:
applied:
pending:
/etc/nsswitch.conf:
diff: @@ -5,7 +5,7 @@
shadow: files ldap
gshadow: files
-hosts: files myhostname dns
+hosts: files myhostname mdns4_minimal [NOTFOUND=return] dns
networks: files
protocols: db files
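Review bot: `hosts: files myhostname mdns4_minimal [NOTFOUND=return] dns` makes every `.local` lookup on this server go out as an unauthenticated multicast query on the local segment and, because of `[NOTFOUND=return]`, such names never fall through to DNS, so any host on the same broadcast domain can answer and impersonate a `.local` name (non-`.local` names still reach `dns`). On a self-hosted box in a datacenter or on a LAN you do not fully trust I would keep `hosts: files myhostname dns`; the file is flagged as manually modified above, so regen-conf will not apply this line anyway. If mDNS is wanted, the `libnss-mdns` plugin presumably needs a running avahi-daemon, and 5353/udp should be filtered from untrusted networks. The `hosts:` line is the only resolution-related change in the hunk.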
status: modified
postfix:
applied:
pending:
/etc/postfix/main.cf:
diff: @@ -82,21 +82,25 @@
inet_interfaces = all
#### Fit to the maximum message size to 25mb, more than allowed by GMail or Yahoo ####
-# /!\ This size is the size of the attachment in base64.
+# /!\ This size is the size of the attachment in base64.
# BASE64_SIZE_IN_BYTE = ORIGINAL_SIZE_IN_MEGABYTE * 1,37 *1024*1024 + 980
# See https://serverfault.com/questions/346895/postfix-mail-size-counting
message_size_limit = 35914708
# Virtual Domains Control
virtual_mailbox_domains = ldap:/etc/postfix/ldap-domains.cf
-virtual_mailbox_maps = ldap:/etc/postfix/ldap-accounts.cf
+virtual_mailbox_maps = ldap:/etc/postfix/ldap-accounts.cf,hash:/etc/postfix/app_senders_login_maps
virtual_mailbox_base =
virtual_alias_maps = ldap:/etc/postfix/ldap-aliases.cf,ldap:/etc/postfix/ldap-groups.cf
virtual_alias_domains =
virtual_minimum_uid = 100
virtual_uid_maps = static:vmail
virtual_gid_maps = static:mail
-smtpd_sender_login_maps= ldap:/etc/postfix/ldap-accounts.cf
+smtpd_sender_login_maps = unionmap:{
+ # Regular Yunohost accounts
+ ldap:/etc/postfix/ldap-accounts.cf,
+ # Extra maps for app system users who need to send emails
+ hash:/etc/postfix/app_senders_login_maps }
# Dovecot LDA
virtual_transport = dovecot
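Review bot: `hash:/etc/postfix/app_senders_login_maps` is now consulted both by `virtual_mailbox_maps` and inside the `unionmap` for `smtpd_sender_login_maps`, so whoever can write that file or its compiled `.db` can let any app system user send with arbitrary envelope senders, and a missing or un-`postmap`ped file makes both lookups fail temporarily instead of falling back to LDAP. Keep the file root-owned and not group/world-writable, rerun `postmap` whenever it changes, and check that `reject_sender_login_mismatch` (or a variant) is actually present in `smtpd_sender_restrictions`, which lies outside this hunk — without it `smtpd_sender_login_maps` enforces nothing. I cannot tell from the hunk whether the installed Postfix accepts the `#` comment lines inside the multi-line `unionmap:{ }` value; `postconf -n smtpd_sender_login_maps` shows what it actually parsed.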
@@ -124,7 +128,9 @@
smtpd_client_restrictions =
permit_mynetworks,
permit_sasl_authenticated,
- reject_rbl_client bl.spamcop.net,
+ reject_rbl_client bl.spamcop.net,
+ reject_rbl_client cbl.abuseat.org,
+ reject_rbl_client zen.spamhaus.org,
permit
# Requirements for the HELO statement
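Review bot: `reject_rbl_client zen.spamhaus.org,` is added without a return-code filter, so Postfix treats any A record as a listing — including Spamhaus's 127.255.255.x error codes returned when the query comes from a public/open resolver or exceeds the free-tier volume — which would turn a resolver or quota problem into rejection of all inbound mail. Use `reject_rbl_client zen.spamhaus.org=127.0.0.[2..11],` so only genuine listings match, and confirm that the upstreams behind dnsmasq (see the resolv.dnsmasq.conf diff above) are not shared public resolvers that Spamhaus refuses. As far as I know `cbl.abuseat.org` was folded into Spamhaus XBL, which ZEN already includes, so that line is redundant once ZEN is queried — worth confirming the zone still answers before relying on it. The `smtpd_client_restrictions` list is complete within the hunk, ending in `permit`.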
@@ -185,3 +191,6 @@
# and after to send spam
disable_vrfy_command = yes
+
+
+
status: modified
slapd:
applied:
pending:
/etc/ldap/slapd.ldif:
diff: @@ -1,235 +0,0 @@
-# OpenLDAP server configuration for Yunohost
-# ------------------------------------------
-#
-# Because of the Yunohost's regen-conf mechanism, it is NOT POSSIBLE to
-# edit the config database using an LDAP request.
-#
-# If you wish to edit the config database, you should edit THIS file
-# and update the config database based on this file.
-#
-# Config database customization:
-# 1. Edit this file as you want.
-# 2. Apply your modifications. For this just run this following command in a shell:
-# $ /usr/share/yunohost/hooks/conf_regen/06-slapd apply_config
-#
-# Note that if you customize this file, YunoHost's regen-conf will NOT
-# overwrite this file. But that also means that you should be careful about
-# upgrades, because they may ship important/necessary changes to this
-# configuration that you will have to propagate yourself.
-
-#
-# Main configuration
-#
-dn: cn=config
-objectClass: olcGlobal
-cn: config
-olcConfigFile: /etc/ldap/slapd.conf
-olcConfigDir: /etc/ldap/slapd.d/
-# List of arguments that were passed to the server
-olcArgsFile: /var/run/slapd/slapd.args
-#
-olcAttributeOptions: lang-
-olcAuthzPolicy: none
-olcConcurrency: 0
-olcConnMaxPending: 100
-olcConnMaxPendingAuth: 1000
-olcIdleTimeout: 0
-olcIndexSubstrIfMaxLen: 4
-olcIndexSubstrIfMinLen: 2
-olcIndexSubstrAnyLen: 4
-olcIndexSubstrAnyStep: 2
-olcIndexIntLen: 4
-olcListenerThreads: 1
-olcLocalSSF: 71
-# Read slapd.conf(5) for possible values
-olcLogLevel: None
-# Where the pid file is put. The init.d script
-# will not stop the server if you change this.
-olcPidFile: /var/run/slapd/slapd.pid
-olcReverseLookup: FALSE
-olcThreads: 16
-# TLS Support
-olcTLSCertificateFile: /etc/yunohost/certs/yunohost.org/crt.pem
-olcTLSCertificateKeyFile: /etc/yunohost/certs/yunohost.org/key.pem
-olcTLSVerifyClient: never
-olcTLSProtocolMin: 0.0
-# The tool-threads parameter sets the actual amount of cpu's that is used
-# for indexing.
-olcToolThreads: 1
-structuralObjectClass: olcGlobal
-
-#
-# Schema and objectClass definitions
-#
-dn: cn=schema,cn=config
-objectClass: olcSchemaConfig
-cn: schema
-
-include: file:///etc/ldap/schema/core.ldif
-include: file:///etc/ldap/schema/cosine.ldif
-include: file:///etc/ldap/schema/nis.ldif
-include: file:///etc/ldap/schema/inetorgperson.ldif
-include: file:///etc/ldap/schema/mailserver.ldif
-include: file:///etc/ldap/schema/sudo.ldif
-include: file:///etc/ldap/schema/permission.ldif
-
-#
-# Module management
-#
-dn: cn=module{0},cn=config
-objectClass: olcModuleList
-cn: module{0}
-# Where the dynamically loaded modules are stored
-olcModulePath: /usr/lib/ldap
-olcModuleLoad: {0}back_mdb
-olcModuleLoad: {1}memberof
-structuralObjectClass: olcModuleList
-
-#
-# Frontend database
-#
-dn: olcDatabase={-1}frontend,cn=config
-objectClass: olcDatabaseConfig
-objectClass: olcFrontendConfig
-olcDatabase: {-1}frontend
-olcAddContentAcl: FALSE
-olcLastMod: TRUE
-olcSchemaDN: cn=Subschema
-# Hashes to be used in generation of user passwords
-olcPasswordHash: {SSHA}
-structuralObjectClass: olcDatabaseConfig
-
-#
-# Config database Configuration (#0)
-#
-dn: olcDatabase={0}config,cn=config
-objectClass: olcDatabaseConfig
-olcDatabase: {0}config
-# Give access to root user.
-# This give the possiblity to the admin to customize the LDAP configuration
-olcAccess: {0}to * by * none
-olcAddContentAcl: TRUE
-olcLastMod: TRUE
-olcRootDN: cn=config
-structuralObjectClass: olcDatabaseConfig
-
-#
-# Main database Configuration (#1)
-#
-dn: olcDatabase={1}mdb,cn=config
-objectClass: olcDatabaseConfig
-objectClass: olcMdbConfig
-olcDatabase: {1}mdb
-# The base of your directory in database #1
-olcSuffix: dc=yunohost,dc=org
-#
-# The userPassword by default can be changed
-# by the entry owning it if they are authenticated.
-# Others should not be able to see it, except the
-# admin entry below
-# These access lines apply to database #1 only
-olcAccess: {0}to attrs=userPassword,shadowLastChange
- by dn.base="cn=admin,dc=yunohost,dc=org" write
- by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" write
- by anonymous auth
- by self write
- by * none
-#
-# Personnal information can be changed by the entry
-# owning it if they are authenticated.
-# Others should be able to see it.
-olcAccess: {1}to attrs=cn,gecos,givenName,mail,maildrop,displayName,sn
- by dn.base="cn=admin,dc=yunohost,dc=org" write
- by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" write
- by self write
- by * read
-#
-# Ensure read access to the base for things like
-# supportedSASLMechanisms. Without this you may
-# have problems with SASL not knowing what
-# mechanisms are available and the like.
-# Note that this is covered by the 'access to *'
-# ACL below too but if you change that as people
-# are wont to do you'll still need this if you
-# want SASL (and possible other things) to work
-# happily.
-olcAccess: {2}to dn.base=""
- by * read
-#
-# The admin dn has full write access, everyone else
-# can read everything.
-olcAccess: {3}to *
- by dn.base="cn=admin,dc=yunohost,dc=org" write
- by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" write
- by group/groupOfNames/member.exact="cn=admin,ou=groups,dc=yunohost,dc=org" write
- by * read
-#
-olcAddContentAcl: FALSE
-# Save the time that the entry gets modified, for database #1
-olcLastMod: TRUE
-# Where the database file are physically stored for database #1
-olcDbDirectory: /var/lib/ldap
-# Checkpoint the BerkeleyDB database periodically in case of system
-# failure and to speed slapd shutdown.
-olcDbCheckpoint: 512 30
-olcDbNoSync: FALSE
-# Indexing options for database #1
-olcDbIndex: objectClass eq
-olcDbIndex: entryUUID eq
-olcDbIndex: entryCSN eq
-olcDbIndex: cn eq
-olcDbIndex: uid eq,sub
-olcDbIndex: uidNumber eq
-olcDbIndex: gidNumber eq
-olcDbIndex: sudoUser eq,sub
-olcDbIndex: member eq
-olcDbIndex: mail eq
-olcDbIndex: memberUid eq
-olcDbIndex: uniqueMember eq
-olcDbIndex: virtualdomain eq
-olcDbIndex: permission eq
-olcDbMaxSize: 10485760
-structuralObjectClass: olcMdbConfig
-
-#
-# Configure Memberof Overlay (used for Yunohost permission)
-#
-
-# Link user <-> group
-dn: olcOverlay={0}memberof,olcDatabase={1}mdb,cn=config
-objectClass: olcOverlayConfig
-objectClass: olcMemberOf
-olcOverlay: {0}memberof
-olcMemberOfDangling: error
-olcMemberOfDanglingError: constraintViolation
-olcMemberOfRefInt: TRUE
-olcMemberOfGroupOC: groupOfNamesYnh
-olcMemberOfMemberAD: member
-olcMemberOfMemberOfAD: memberOf
-structuralObjectClass: olcMemberOf
-
-# Link permission <-> groupes
-dn: olcOverlay={1}memberof,olcDatabase={1}mdb,cn=config
-objectClass: olcOverlayConfig
-objectClass: olcMemberOf
-olcOverlay: {1}memberof
-olcMemberOfDangling: error
-olcMemberOfDanglingError: constraintViolation
-olcMemberOfRefInt: TRUE
-olcMemberOfGroupOC: permissionYnh
-olcMemberOfMemberAD: groupPermission
-olcMemberOfMemberOfAD: permission
-structuralObjectClass: olcMemberOf
-
-# Link permission <-> user
-dn: olcOverlay={2}memberof,olcDatabase={1}mdb,cn=config
-objectClass: olcOverlayConfig
-objectClass: olcMemberOf
-olcOverlay: {2}memberof
-olcMemberOfDangling: error
-olcMemberOfDanglingError: constraintViolation
-olcMemberOfRefInt: TRUE
-olcMemberOfGroupOC: permissionYnh
-olcMemberOfMemberAD: inheritPermission
-olcMemberOfMemberOfAD: permission
-structuralObjectClass: olcMemberOf
status: modified
yunohost:
applied:
pending:
/etc/systemd/system/ntp.service.d/ynh-override.conf:
diff: @@ -1,3 +0,0 @@
-[Unit]
-ConditionCapability=CAP_SYS_TIME
-ConditionVirtualization=!container
status: modified
Pour sudo yunohost app list
sudo yunohost app list
apps:
0:
description: Browsing, reading and downloading eBooks using a Calibre database
domain_path: hub.domaine.tld/calibre
id: calibreweb
name: Calibre-web
version: 0.96.24~ynh1
1:
description: Manage MySQL databases over the web
domain_path: chat.domaine.tld/phpmyadmin
id: phpmyadmin
name: phpMyAdmin
version: 5.2.1~ynh1
2:
description: Open Source Webmail software
domain_path: hub.domaine.tld/webmail
id: roundcube
name: Roundcube
version: 1.6.10~ynh1
3:
description: Instant messaging server which uses Matrix
domain_path: hub.domaine.tld/
id: synapse
name: Synapse
version: 1.105.1~ynh1
4:
description: Create a beautiful blog or website easily
domain_path: domaine.tld/
id: wordpress
name: WordPress
version: 6.7.2~ynh1
5:
description: Create a beautiful blog or website easily
domain_path: domaine.tld/
id: wordpress__2
name: WordPressPizza
version: 6.7.2~ynh1
6:
description: Create a beautiful blog or website easily
domain_path: domaine.tld/
id: wordpress__3
name: WordPressComite
version: 6.7.2~ynh1
Pour sudo ls /etc/yunohost/apps
calibreweb roundcube wordpress wordpress__3
phpmyadmin synapse wordpress__2