Fix cipher connexion pour vpn svnet

Brutal refactoring for more logging and readability of the script because debugging is hell

CHANGES.md

@@ -0,0 +1,48 @@
+# Changelog
+All notable changes to this project will be documented in this file.
+
+The format is (partially) based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/)
+and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html).
+
+## Unreleasead
+
+## 1.4.1 - 2020-04-04
+
+- [fix] ynh-vpnclient-loadcubefile.sh broken with ssowat 3.7.x (#60)
+
+## 1.4.0 - 2019-03-18
+
+- refactoring scripts
+
+
+## 1.3.1 - 2018-12-19
+
+- [mod] Bug fixes and code cleaning
+
+
+## 1.3.0 - 2018-12-02
+
+- [fix] Create a dedicated system user with proper sudo permissions. (#41)
+- [fix] CSRF vulnerability (#43)
+
+
+## 1.2.1 - 2018-09-10
+
+- [fix] user/group = www-data in php-fpm config.
+
+
+## 1.2.0 - 2018-09-06
+
+- [fix] upgrade script is now functional
+- [mod] lots of refactoring to apply app packaging best-practices
+
+
+## 1.1.1 - 2018-04-06
+
+- [fix] Sync the date with http if ntp can't (#37)
+
+
+## 0.0.0 - 2016-05-14
+
+First release
+

README.md

@@ -1,4 +1,8 @@
-# VPN Client
+# VPN Client [![Build Status](https://travis-ci.org/labriqueinternet/vpnclient_ynh.svg?branch=master)](https://travis-ci.org/labriqueinternet/vpnclient_ynh) [![Integration level](https://dash.yunohost.org/integration/vpnclient.svg)](https://dash.yunohost.org/appci/app/vpnclient)
+[![Install LaBriqueInterNet VPNclient with YunoHost](https://install-app.yunohost.org/install-with-yunohost.png)](https://install-app.yunohost.org/?app=vpnclient)
+
+This YunoHost app is a part of the "[La Brique Internet](http://labriqueinter.net)" project but can be used independently.
+
 ## Overview
 
 VPN Client app for [YunoHost](http://yunohost.org/).
@@ -9,8 +13,6 @@ VPN Client app for [YunoHost](http://yunohost.org/).
 * Useful to easily move your server anywhere.
 * With the [Hotspot app for YunoHost](https://github.com/labriqueinternet/hotspot_ynh), you can broadcast your VPN access by wifi to use a clean internet connection (depending on your VPN provider) on your laptop (or those of your friends) without having to configure it.
 
-This YunoHost app is a part of the "[La Brique Internet](http://labriqueinter.net)" project but can be used independently.
-
 ## Features
 
 * Authentication based on certificates or login (or both), with or without shared-secret (*ta.key*)
@@ -22,12 +24,9 @@ This YunoHost app is a part of the "[La Brique Internet](http://labriqueinter.ne
 * Strong firewalling (internet access and self-hosted services only available through the VPN)
 * Advanced mode for editing the default OpenVPN configuration
 * Auto-configuration mode, with [dot cube files](http://internetcu.be/dotcubefiles.html)
-* Web interface ([screenshot](https://raw.githubusercontent.com/labriqueinternet/vpnclient_ynh/master/screenshot.png))
+* Web interface
 
-## Prerequisites
+## Screenshot
 
-* Debian Jessie
-* YunoHost >= 2.2.0
-* Yunohost-Moulinette >= 2.4.0 (firewalling)
+![Screenshot of the web interface](https://raw.githubusercontent.com/labriqueinternet/vpnclient_ynh/master/screenshot.png)
 
-**[BUG REPORTS SHOULD BE OPEN HERE](https://dev.yunohost.org)**

check_process

@@ -0,0 +1,33 @@
+;; Test complet
+    ; Manifest
+        domain="domain.tld" (DOMAIN)
+        path="/vpnconfig"   (PATH)
+    ; Checks
+        pkg_linter=1
+        setup_sub_dir=1
+        setup_root=1
+        setup_nourl=0
+        setup_private=1
+        setup_public=0
+        upgrade=1
+        upgrade=1   from_commit=623d8a30453a26ee21aa2ce1142674a2ffdb85b9
+        upgrade=1   from_commit=73aa672346e40fc1857aef7441c449f0bd322082
+        backup_restore=1
+        multi_instance=0
+        incorrect_path=1
+        port_already_use=0
+        change_url=0
+;;; Levels
+    Level 1=auto
+    Level 2=auto
+    Level 3=auto
+    Level 4=na
+    Level 5=auto
+    Level 6=auto
+    Level 7=auto
+    Level 8=0
+    Level 9=0
+    Level 10=0
+;;; Options
+Email=pitchum@gramaton.org
+Notification=down

conf/nginx.conf

@@ -1,34 +1,41 @@
-# VPN Client app for YunoHost 
+# VPN Client app for YunoHost
 # Copyright (C) 2015 Julien Vaubourg <julien@vaubourg.com>
 # Contribute at https://github.com/labriqueinternet/vpnclient_ynh
-# 
+#
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU Affero General Public License as published by
 # the Free Software Foundation, either version 3 of the License, or
 # (at your option) any later version.
-# 
+#
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 # GNU Affero General Public License for more details.
-# 
+#
 # You should have received a copy of the GNU Affero General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
-location <TPL:NGINX_LOCATION> {
-  alias <TPL:NGINX_REALPATH>;
+#sub_path_only rewrite ^__PATH__$ __PATH__/ permanent;
+location __PATH__/ {
 
+  # Path to source
+  alias __FINALPATH__/ ;
+
+  # Force usage of https
   if ($scheme = http) {
     rewrite ^ https://$server_name$request_uri? permanent;
   }
 
+  # Common parameter to increase upload size limit in conjunction with dedicated php-fpm file
   client_max_body_size 10G;
+
   index index.php;
+
   try_files $uri $uri/ index.php;
 
   location ~ [^/]\.php(/|$) {
     fastcgi_split_path_info ^(.+?\.php)(/.*)$;
-    fastcgi_pass unix:/var/run/php5-fpm-<TPL:PHP_NAME>.sock;
+    fastcgi_pass unix:/var/run/php/php7.0-fpm-__NAME__.sock;
     fastcgi_index index.php;
     include fastcgi_params;
     fastcgi_read_timeout 600;
@@ -37,5 +44,6 @@ location <TPL:NGINX_LOCATION> {
     fastcgi_param SCRIPT_FILENAME $request_filename;
   }
 
+  # Include SSOWAT user panel.
   include conf.d/yunohost_panel.conf.inc;
 }

conf/openvpn_client.conf.tpl

@@ -40,3 +40,6 @@ log-append /var/log/openvpn-client.log
 # Routing
 route-ipv6 2000::/3
 redirect-gateway def1 bypass-dhcp
+
+# Cipher
+cipher AES-256-CBC

conf/php-fpm.conf

@@ -1,24 +1,24 @@
-; VPN Client app for YunoHost 
+; VPN Client app for YunoHost
 ; Copyright (C) 2015 Julien Vaubourg <julien@vaubourg.com>
 ; Contribute at https://github.com/labriqueinternet/vpnclient_ynh
-; 
+;
 ; This program is free software: you can redistribute it and/or modify
 ; it under the terms of the GNU Affero General Public License as published by
 ; the Free Software Foundation, either version 3 of the License, or
 ; (at your option) any later version.
-; 
+;
 ; This program is distributed in the hope that it will be useful,
 ; but WITHOUT ANY WARRANTY; without even the implied warranty of
 ; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 ; GNU Affero General Public License for more details.
-; 
+;
 ; You should have received a copy of the GNU Affero General Public License
 ; along with this program.  If not, see <http://www.gnu.org/licenses/>.
- 
-; Start a new pool named '<TPL:PHP_NAME>'.
+
+; Start a new pool named 'www'.
 ; the variable $pool can we used in any directive and will be replaced by the
 ; pool name ('www' here)
-[<TPL:PHP_NAME>]
+[__NAMETOCHANGE__]
 
 ; The address on which to accept FastCGI requests.
 ; Valid syntaxes are:
@@ -28,7 +28,7 @@
 ;                            specific port;
 ;   '/path/to/unix/socket' - to listen on a unix socket.
 ; Note: This value is mandatory.
-listen = /var/run/php5-fpm-<TPL:PHP_NAME>.sock
+listen = /var/run/php/php7.0-fpm-__NAMETOCHANGE__.sock
 
 ; Set permissions for unix socket, if one is used. In Linux, read/write
 ; permissions must be set in order to allow connections from a web server. Many
@@ -42,8 +42,8 @@ listen.mode = 0600
 ; Unix user/group of processes
 ; Note: The user is mandatory. If the group is not set, the default user's group
 ;       will be used.
-user = <TPL:PHP_USER>
-group = <TPL:PHP_GROUP>
+user = __USER__
+group = __USER__
 
 ; Choose how the process manager will control the number of child processes.
 ; Possible Values:
@@ -157,7 +157,7 @@ request_slowlog_timeout = 0
 ; The log file for slow requests
 ; Default Value: not set
 ; Note: slowlog is mandatory if request_slowlog_timeout is set
-slowlog = /var/log/nginx/<TPL:PHP_NAME>.slow.log
+slowlog = /var/log/nginx/[__NAMETOCHANGE__].slow.log
 
 ; Set open file descriptor rlimit.
 ; Default Value: system defined value
@@ -171,7 +171,7 @@ rlimit_core = 0
 ; Chdir to this directory at the start.
 ; Note: relative path can be used.
 ; Default Value: current directory or / when chroot
-chdir = <TPL:NGINX_REALPATH>
+chdir = __FINALPATH__
 
 ; Redirect worker stdout and stderr into main error log. If not set, stdout and
 ; stderr will be redirected to /dev/null according to FastCGI specs.

conf/sudoers.conf

@@ -0,0 +1,13 @@
+Cmnd_Alias VPNCLIENTTASKS = /bin/systemctl stop ynh-vpnclient, \
+                            /bin/systemctl start ynh-vpnclient, \
+                            /usr/local/bin/ynh-vpnclient *
+
+Cmnd_Alias YUNOHOST = /usr/bin/yunohost app setting vpnclient *,\
+                      /usr/bin/yunohost app info hotspot *
+
+Cmnd_Alias HOTSPOT = /bin/systemctl stop ynh-hotspot,\
+                     /bin/systemctl start ynh-hotspot,\
+                     /usr/bin/yunohost app setting hotspot *
+
+__VPNCLIENT_SYSUSER__ ALL = NOPASSWD: /bin/grep, VPNCLIENTTASKS, YUNOHOST, HOTSPOT
+

conf/ynh-vpnclient

@@ -17,8 +17,44 @@
 # You should have received a copy of the GNU Affero General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
-# Functions
-## State functions
+###################################################################################
+# Logging helpers                                                                 #
+###################################################################################
+
+LOGFILE="/var/log/ynh-vpnclient.log"
+touch $LOGFILE
+chown root:root $LOGFILE
+chmod 600 $LOGFILE
+
+function success()
+{
+  echo "[ OK ] $1" | tee -a $LOGFILE
+}
+
+function info()
+{
+  echo "[INFO] $1" | tee -a $LOGFILE
+}
+
+function warn()
+{
+  echo "[WARN] $1" | tee -a $LOGFILE >&2
+}
+
+function error()
+{
+  echo "[FAIL] $1" | tee -a $LOGFILE >&2
+}
+
+function critical()
+{
+  echo "[CRIT] $1" | tee -a $LOGFILE >&2
+  exit 1
+}
+
+###################################################################################
+# IPv6 and route config stuff                                                     #
+###################################################################################
 
 has_nativeip6() {
   ip -6 route | grep -q default\ via
@@ -28,27 +64,24 @@ has_ip6delegatedprefix() {
   [ "${ynh_ip6_addr}" != none ]
 }
 
-has_hotspot_app() {
-  [ -e /tmp/.ynh-hotspot-started ]
-}
-
-is_hotspot_knowme() {
-  hotspot_vpnclient=$(ynh_setting_get hotspot vpnclient)
-
-  [ "${hotspot_vpnclient}" == yes ]
-}
-
-is_firewall_set() {
-  wired_device=${1}
-
-  ip6tables -w -nvL OUTPUT | grep vpnclient_out | grep -q "${wired_device}"\
-  && iptables -w -nvL OUTPUT | grep vpnclient_out | grep -q "${wired_device}"
-}
-
 is_ip6addr_set() {
   ip address show dev tun0 2> /dev/null | grep -q "${ynh_ip6_addr}/128"
 }
 
+set_ip6addr() {
+  info "Adding IPv6 from VPN configuration"
+  ip address add "${ynh_ip6_addr}/128" dev tun0
+}
+
+unset_ip6addr() {
+  info "Removing IPv6 from VPN configuration"
+  ip address delete "${ynh_ip6_addr}/128" dev tun0
+}
+
+#
+# Server IPv6 route
+#
+
 is_serverip6route_set() {
   server_ip6=${1}
 
@@ -59,51 +92,55 @@ is_serverip6route_set() {
   fi
 }
 
-is_dns_set() {
-  [ -e /etc/dhcp/dhclient-exit-hooks.d/ynh-vpnclient ]\
-  && ( grep -q ${ynh_dns0} /etc/resolv.conf || grep -q ${ynh_dns0} /etc/resolv.dnsmasq.conf )
-}
-
-is_openvpn_running() {
-  systemctl is-active openvpn@client.service &> /dev/null
-}
-
-is_running() {
-  ((has_nativeip6 && is_serverip6route_set "${new_server_ip6}") || ! has_nativeip6)\
-  && ((! has_hotspot_app && has_ip6delegatedprefix && is_ip6addr_set) || has_hotspot_app || ! has_ip6delegatedprefix)\
-  && is_dns_set && is_firewall_set && is_openvpn_running
-}
-
-## Setters
-
-set_ip6addr() {
-  ip address add "${ynh_ip6_addr}/128" dev tun0
-}
-
-set_firewall() {
-  wired_device=${1}
-
-  cp /etc/yunohost/hooks.d/{90-vpnclient.tpl,post_iptable_rules/90-vpnclient}
-
-  sed "s|<TPL:SERVER_NAME>|${ynh_server_name}|g" -i /etc/yunohost/hooks.d/post_iptable_rules/90-vpnclient
-  sed "s|<TPL:SERVER_PORT>|${ynh_server_port}|g" -i /etc/yunohost/hooks.d/post_iptable_rules/90-vpnclient
-  sed "s|<TPL:PROTO>|${ynh_server_proto}|g" -i /etc/yunohost/hooks.d/post_iptable_rules/90-vpnclient
-  sed "s|<TPL:WIRED_DEVICE>|${wired_device}|g" -i /etc/yunohost/hooks.d/post_iptable_rules/90-vpnclient
-  sed "s|<TPL:DNS0>|${ynh_dns0}|g" -i /etc/yunohost/hooks.d/post_iptable_rules/90-vpnclient
-  sed "s|<TPL:DNS1>|${ynh_dns1}|g" -i /etc/yunohost/hooks.d/post_iptable_rules/90-vpnclient
-
-  yunohost firewall reload
-}
-
 set_serverip6route() {
   server_ip6=${1}
   ip6_gw=${2}
   wired_device=${3}
 
+  info "Adding IPv6 server route"
   ip route add "${server_ip6}/128" via "${ip6_gw}" dev "${wired_device}"
 }
 
+
+unset_serverip6route() {
+  server_ip6=${1}
+  ip6_gw=${2}
+  wired_device=${3}
+
+  info "Removing IPv6 server route"
+  ip route delete "${server_ip6}/128" via "${ip6_gw}" dev "${wired_device}"
+}
+
+
+###################################################################################
+# Hotspot app                                                                     #
+###################################################################################
+
+has_hotspot_app() {
+  [ -e /tmp/.ynh-hotspot-started ]
+}
+
+is_hotspot_knowme() {
+  hotspot_vpnclient=$(ynh_setting_get hotspot vpnclient)
+
+  [ "${hotspot_vpnclient}" == yes ]
+}
+
+###################################################################################
+# DNS rules                                                                       #
+###################################################################################
+
+is_dns_set() {
+  # FIXME : having the ynh_dns0 in the resolv.dnsmasq.conf is not necessarily good enough
+  # We want it to be the only one (with ynh_dns1) but nowadays for example ARN's resolver is
+  # in the default list from yunohost...
+  [ -e /etc/dhcp/dhclient-exit-hooks.d/ynh-vpnclient ]\
+  && ( grep -q ${ynh_dns0} /etc/resolv.conf || grep -q ${ynh_dns0} /etc/resolv.dnsmasq.conf )
+}
+
 set_dns() {
+  info "Enforcing custom DNS resolvers from vpnclient"
+
   resolvconf=/etc/resolv.conf
   [ -e /etc/resolv.dnsmasq.conf ] && resolvconf=/etc/resolv.dnsmasq.conf
 
@@ -117,7 +154,92 @@ EOF
   bash /etc/dhcp/dhclient-exit-hooks.d/ynh-vpnclient
 }
 
+unset_dns() {
+  resolvconf=/etc/resolv.conf
+  [ -e /etc/resolv.dnsmasq.conf ] && resolvconf=/etc/resolv.dnsmasq.conf
+
+  info "Removing custom DNS resolvers from vpnclient"
+  rm -f /etc/dhcp/dhclient-exit-hooks.d/ynh-vpnclient
+  mv "${resolvconf}.ynh" "${resolvconf}"
+
+  # FIXME : this situation happened to a user ...
+  # We could try to force regen the dns conf 
+  # (though for now it's tightly coupled to dnsmasq)
+  grep -q "^nameserver" "${resolvconf}" || error "${resolvconf} does not have any nameserver line !?"
+}
+
+###################################################################################
+# Firewall rules management                                                       #
+###################################################################################
+
+is_firewall_set() {
+  wired_device=${1}
+
+  ip6tables -w -nvL OUTPUT | grep vpnclient_out | grep -q "${wired_device}"\
+  && iptables -w -nvL OUTPUT | grep vpnclient_out | grep -q "${wired_device}"
+}
+
+set_firewall() {
+  info "Adding vpnclient custom rules to the firewall"
+
+  wired_device=${1}
+
+  cp /etc/yunohost/hooks.d/{90-vpnclient.tpl,post_iptable_rules/90-vpnclient}
+
+  sed "s|<TPL:SERVER_NAME>|${ynh_server_name}|g" -i /etc/yunohost/hooks.d/post_iptable_rules/90-vpnclient
+  sed "s|<TPL:SERVER_PORT>|${ynh_server_port}|g" -i /etc/yunohost/hooks.d/post_iptable_rules/90-vpnclient
+  sed "s|<TPL:PROTO>|${ynh_server_proto}|g" -i /etc/yunohost/hooks.d/post_iptable_rules/90-vpnclient
+  sed "s|<TPL:WIRED_DEVICE>|${wired_device}|g" -i /etc/yunohost/hooks.d/post_iptable_rules/90-vpnclient
+  sed "s|<TPL:DNS0>|${ynh_dns0}|g" -i /etc/yunohost/hooks.d/post_iptable_rules/90-vpnclient
+  sed "s|<TPL:DNS1>|${ynh_dns1}|g" -i /etc/yunohost/hooks.d/post_iptable_rules/90-vpnclient
+
+  info "Restarting yunohost firewall..."
+  yunohost firewall reload && success "Firewall restarted!"
+}
+
+unset_firewall() {
+  info "Cleaning vpnclient custom rules from the firewall"
+  rm -f /etc/yunohost/hooks.d/post_iptable_rules/90-vpnclient
+  info "Restarting yunohost firewall..."
+  yunohost firewall reload && success "Firewall restarted!"
+}
+
+###################################################################################
+# Time sync                                                                       #
+###################################################################################
+
+sync_time() {
+  info "Now synchronizing time using ntp..."
+  systemctl stop ntp
+  timeout 20 ntpd -qg &> /dev/null
+  
+  # Some networks drop ntp port (udp 123). 
+  # Try to get the date with an http request on the internetcube web site
+  if [ $? -ne 0 ]; then
+    info "ntp synchronization failed, falling back to curl method"
+    http_date=`curl -sD - labriqueinter.net | grep '^Date:' | cut -d' ' -f3-6`
+    http_date_seconds=`date -d "${http_date}" +%s`
+    curr_date_seconds=`date +%s`
+
+    # Set the new date if it's greater than the current date
+    # So it does if 1970 year or if old fake-hwclock date is used
+    if [ $http_date_seconds -ge $curr_date_seconds ]; then
+      date -s "${http_date}"
+    fi
+  fi 
+  systemctl start ntp
+}
+
+###################################################################################
+# OpenVPN client start/stop procedures                                            #
+###################################################################################
+
+is_openvpn_running() {
+  systemctl is-active openvpn@client.service &> /dev/null
+}
+
 start_openvpn() {
+
   ip6_gw=${1}
   server_ip6=${2}
 
@@ -129,8 +251,13 @@ start_openvpn() {
     [ "${ynh_server_proto}" == tcp ] && proto=tcp-client
   fi
 
+  # Unset firewall to let DNS and NTP resolution works
+  # Firewall is reset after vpn is mounted (more details on #1016)
+  unset_firewall
+
   sync_time
 
+  info "Preparing openvpn configuration..."
   cp /etc/openvpn/client.conf{.tpl,}
 
   sed "s|<TPL:SERVER_NAME>|${ynh_server_name}|g" -i /etc/openvpn/client.conf
@@ -161,47 +288,51 @@ start_openvpn() {
     sed 's|^<TPL:LOGIN_COMMENT>||' -i /etc/openvpn/client.conf
   fi
 
+  info "Now actually starting OpenVPN client..."
   systemctl start openvpn@client.service
-}
 
-## Unsetters
+  if [ ! $? -eq 0 ]
+  then
+    tail -n 20 /var/log/openvpn-client.log | tee -a $LOGFILE
+	critical "Failed to start OpenVPN :/"
+  else
+    info "OpenVPN client started ... waiting for tun0 interface to show up"
+  fi
 
-unset_ip6addr() {
-  ip address delete "${ynh_ip6_addr}/128" dev tun0
-}
-
-unset_firewall() {
-  rm -f /etc/yunohost/hooks.d/post_iptable_rules/90-vpnclient
-  yunohost firewall reload
-}
-
-unset_serverip6route() {
-  server_ip6=${1}
-  ip6_gw=${2}
-  wired_device=${3}
-
-  ip route delete "${server_ip6}/128" via "${ip6_gw}" dev "${wired_device}"
-}
-
-unset_dns() {
-  resolvconf=/etc/resolv.conf
-  [ -e /etc/resolv.dnsmasq.conf ] && resolvconf=/etc/resolv.dnsmasq.conf
-
-  rm -f /etc/dhcp/dhclient-exit-hooks.d/ynh-vpnclient
-  mv "${resolvconf}.ynh" "${resolvconf}"
+  for attempt in $(seq 0 20)
+  do
+    sleep 1
+    if ip link show dev tun0 &> /dev/null
+    then
+       success "tun0 interface is up!"
+       return 0
+    fi
+  done
+  
+  error "Tun0 interface did not show up ... most likely an issue happening in OpenVPN client ... below is an extract of the log that might be relevant to pinpoint the issue"
+  tail -n 20 /var/log/openvpn-client.log | tee -a $LOGFILE
+  stop_openvpn
+  critical "Failed to start OpenVPN client : tun0 interface did not show up"
 }
 
 stop_openvpn() {
+  # FIXME : isn't openvpn@client ? (idk)
+  info "Stopping OpenVPN service"
   systemctl stop openvpn.service
+
+  for attempt in $(seq 0 20)
+  do
+    if ip link show dev tun0 &> /dev/null
+    then
+       info "(Waiting for tun0 to disappear if it was up)"
+       sleep 1
+    fi
+  done
 }
 
-## Tools
-
-sync_time() {
-  systemctl stop ntp
-  ntpd -qg &> /dev/null
-  systemctl start ntp
-}
+###################################################################################
+# Yunohost settings interface                                                     #
+###################################################################################
 
 ynh_setting_get() {
   app=${1}
@@ -218,36 +349,41 @@ ynh_setting_set() {
   yunohost app setting "${app}" "${setting}" -v "${value}"
 }
 
+###################################################################################
+# The actual ynh vpnclient management thing                                       #
+###################################################################################
+
+is_running() {
+  ((has_nativeip6 && is_serverip6route_set "${new_server_ip6}") || ! has_nativeip6)\
+  && ((! has_hotspot_app && has_ip6delegatedprefix && is_ip6addr_set) || has_hotspot_app || ! has_ip6delegatedprefix)\
+  && is_dns_set && is_firewall_set && is_openvpn_running
+}
+
+
 if [ "$1" != restart ]; then
 
-  # Restart php5-fpm at the first start (it needs to be restarted after the slapd start)
+  # Restart php-fpm at the first start (it needs to be restarted after the slapd start)
   if [ ! -e /tmp/.ynh-vpnclient-boot ]; then
     touch /tmp/.ynh-vpnclient-boot
-    systemctl restart php5-fpm
+    systemctl restart php7.0-fpm
   fi
 
   # Check configuration consistency
 
   if [[ ! "${1}" =~ stop ]]; then
-    exitcode=0
-
     if [ ! -e /etc/openvpn/keys/ca-server.crt ]; then
-      echo "[WARN] You need a CA server (you can add it through the web admin)"
-      exitcode=1
+      critical "You need a CA server (you can add it through the web admin)"
     fi
 
     empty=$(find /etc/openvpn/keys/ -empty -name credentials &> /dev/null | wc -l)
     if [ "${empty}" -gt 0 -a ! -e /etc/openvpn/keys/user.key ]; then
-      echo "[WARN] You need either a client certificate, either a username, or both (you can add one through the web admin)"
-      exitcode=1
+      critical "You need either a client certificate, either a username, or both (you can add one through the web admin)"
     fi
-
-    [ "${exitcode}" -ne 0 ] && exit ${exitcode}
   fi
 
   # Variables
 
-  echo -n "Retrieving Yunohost settings... "
+  info "Retrieving Yunohost settings... "
 
   ynh_service_enabled=$(ynh_setting_get vpnclient service_enabled)
   ynh_server_name=$(ynh_setting_get vpnclient server_name)
@@ -267,201 +403,210 @@ if [ "$1" != restart ]; then
   new_server_ip6=$(host "${ynh_server_name}" 2> /dev/null | awk '/IPv6/ { print $NF; }')
 
   if [ -z "${new_server_ip6}" ]; then
+    # FIXME wtf is this hardcoded IP ...
     new_server_ip6=$(host "${ynh_server_name}" 80.67.188.188 2> /dev/null | awk '/IPv6/ { print $NF; }')
   fi
 
-  echo "OK"
+  success "Settings retrieved"
 
 fi
 
-# Script
+###################################################################################
+# Start / stop / restart / status handling                                        #
+###################################################################################
 
 case "${1}" in
+
+  # ########## #
+  #  Starting  #
+  # ########## #
+
   start)
+
     if is_running; then
-      echo "Already started"
+      info "Service is already running"
+      exit 0
     elif [ "${ynh_service_enabled}" -eq 0 ]; then
-      echo "Disabled service"
-    else
-      echo "[vpnclient] Starting..."
-      touch /tmp/.ynh-vpnclient-started
-
-      # Run openvpn
-      if ! is_openvpn_running; then
-        echo "Run openvpn"
-
-        start_openvpn "${new_ip6_gw}" "${new_server_ip6}"
-
-        if [ ! $? -eq 0 ]; then
-          exit 1
-        fi
-
-        i=0; false || while [ $? -ne 0 ]; do
-          sleep 1 && (( i++ ))
-          [ ${i} -gt 20 ] && stop_openvpn
-          [ ${i} -gt 20 ] && exit 1
-          ip link show dev tun0 &> /dev/null
-        done
-      fi
-
-      # Check old state of the server ipv6 route
-      if [ ! -z "${old_server_ip6}" -a ! -z "${old_ip6_gw}" -a ! -z "${old_wired_device}"\
-           -a \( "${new_server_ip6}" != "${old_server_ip6}" -o "${new_ip6_gw}" != "${old_ip6_gw}"\
-           -o "${new_wired_device}" != "${old_wired_device}" \) ]\
-         && is_serverip6route_set "${old_server_ip6}"; then
-
-        unset_serverip6route "${old_server_ip6}" "${old_ip6_gw}" "${old_wired_device}"
-      fi
-
-      # Set the new server ipv6 route
-      if has_nativeip6 && ! is_serverip6route_set "${new_server_ip6}"; then
-        echo "Set IPv6 server route"
-        set_serverip6route "${new_server_ip6}" "${new_ip6_gw}" "${new_wired_device}"
-      fi
-
-      # Set the ipv6 address
-      if ! has_hotspot_app && has_ip6delegatedprefix && ! is_ip6addr_set; then
-        echo "Set IPv6 address"
-        set_ip6addr
-      fi
-
-      # Set host DNS resolvers
-      if ! is_dns_set; then
-        echo "Set host DNS resolvers"
-        set_dns
-      fi
-
-      # Set ipv6/ipv4 firewall
-      if ! is_firewall_set "${new_wired_device}"; then
-        echo "Set IPv6/IPv4 firewall"
-        set_firewall "${new_wired_device}"
-      fi
-
-      # Update dynamic settings
-      ynh_setting_set vpnclient server_ip6 "${new_server_ip6}"
-      ynh_setting_set vpnclient ip6_gw "${new_ip6_gw}"
-      ynh_setting_set vpnclient wired_device "${new_wired_device}"
-
-      # Fix configuration
-      if has_hotspot_app && ! is_hotspot_knowme; then
-        ynh-hotspot start
-      fi
+      warn "Service is disabled, not starting it"
+      exit 0
     fi
+
+    info "[vpnclient] Starting..."
+    touch /tmp/.ynh-vpnclient-started
+
+    # Run openvpn
+    if is_openvpn_running;
+    then
+      info "(openvpn is already running)"
+    else
+      start_openvpn "${new_ip6_gw}" "${new_server_ip6}"
+    fi
+
+    # Check old state of the server ipv6 route
+    if [ ! -z "${old_server_ip6}" -a ! -z "${old_ip6_gw}" -a ! -z "${old_wired_device}"\
+         -a \( "${new_server_ip6}" != "${old_server_ip6}" -o "${new_ip6_gw}" != "${old_ip6_gw}"\
+         -o "${new_wired_device}" != "${old_wired_device}" \) ]\
+       && is_serverip6route_set "${old_server_ip6}"
+    then
+       unset_serverip6route "${old_server_ip6}" "${old_ip6_gw}" "${old_wired_device}"
+    fi
+
+    # Set the new server ipv6 route
+    if has_nativeip6 && ! is_serverip6route_set "${new_server_ip6}"
+    then
+      set_serverip6route "${new_server_ip6}" "${new_ip6_gw}" "${new_wired_device}"
+    fi
+
+    # Set the ipv6 address
+    if ! has_hotspot_app && has_ip6delegatedprefix && ! is_ip6addr_set
+    then
+      set_ip6addr
+    fi
+
+    # Set host DNS resolvers
+    if ! is_dns_set
+    then
+       set_dns
+    fi
+
+    # Set ipv6/ipv4 firewall
+    if ! is_firewall_set "${new_wired_device}"
+    then
+      set_firewall "${new_wired_device}"
+    fi
+
+    # Update dynamic settings
+    info "Saving settings..."
+    ynh_setting_set vpnclient server_ip6 "${new_server_ip6}"
+    ynh_setting_set vpnclient ip6_gw "${new_ip6_gw}"
+    ynh_setting_set vpnclient wired_device "${new_wired_device}"
+
+    # Fix configuration
+    if has_hotspot_app && ! is_hotspot_knowme; then
+      info "Now starting the hotspot"
+      ynh-hotspot start
+    fi
+
+    success "YunoHost VPN client started!"
   ;;
+
+  # ########## #
+  #  Stopping  #
+  # ########## #
+
   stop)
-    echo "[vpnclient] Stopping..."
+    info "[vpnclient] Stopping..."
     rm -f /tmp/.ynh-vpnclient-started
 
     if ! has_hotspot_app && has_ip6delegatedprefix && is_ip6addr_set; then
-      echo "Unset IPv6 address"
       unset_ip6addr
     fi
 
     if is_serverip6route_set "${old_server_ip6}"; then
-      echo "Unset IPv6 server route"
       unset_serverip6route "${old_server_ip6}" "${old_ip6_gw}" "${old_wired_device}"
     fi
 
-    if is_firewall_set "${old_wired_device}"; then
-      echo "Unset IPv6/IPv4 firewall"
-      unset_firewall
-    fi
+    is_firewall_set "${old_wired_device}" && unset_firewall
 
-    if is_dns_set; then
-      echo "Unset forced host DNS resolvers"
-      unset_dns
-    fi
+    is_dns_set && unset_dns
 
-    if is_openvpn_running; then
-      echo "Stop openvpn"
-      stop_openvpn
-
-      i=0; true && while [ $? -eq 0 ]; do
-        sleep 1 && (( i++ ))
-        [ ${i} -gt 20 ] && exit 1
-        ip link show dev tun0 &> /dev/null
-      done
-    fi
+    is_openvpn_running && stop_openvpn
 
     # Fix configuration
     if has_hotspot_app && is_hotspot_knowme; then
+      info "Now starting the hotspot"
       ynh-hotspot start
     fi
   ;;
+
+  # ########## #
+  #  Restart   #
+  # ########## #
+
   restart)
     $0 stop
     $0 start
   ;;
+
+  # ########## #
+  #   Status   #
+  # ########## #
+
   status)
     exitcode=0
 
     if [ "${ynh_service_enabled}" -eq 0 ]; then
-      echo "[ERR] VPN Client Service disabled"
+      error "VPN Client Service disabled"
       exitcode=1
     fi
 
-    echo "[INFO] Autodetected internet interface: ${new_wired_device} (last start: ${old_wired_device})"
-    echo "[INFO] Autodetected IPv6 address for the VPN server: ${new_server_ip6} (last start: ${old_server_ip6})"
+    info "Autodetected internet interface: ${new_wired_device} (last start: ${old_wired_device})"
+    info "Autodetected IPv6 address for the VPN server: ${new_server_ip6} (last start: ${old_server_ip6})"
 
     if has_ip6delegatedprefix; then
-      echo "[INFO] IPv6 delegated prefix found"
-      echo "[INFO] IPv6 address computed from the delegated prefix: ${ynh_ip6_addr}"
+      info "IPv6 delegated prefix found"
+      info "IPv6 address computed from the delegated prefix: ${ynh_ip6_addr}"
 
       if ! has_hotspot_app; then
-        echo "[INFO] No Hotspot app detected"
+        info "No Hotspot app detected"
 
         if is_ip6addr_set; then
-          echo "[OK] IPv6 address correctly set"
+          success "IPv6 address correctly set"
         else
-          echo "[ERR] No IPv6 address set"
+          error "No IPv6 address set"
           exitcode=1
         fi
       else
-        echo "[INFO] Hotspot app detected"
-        echo "[INFO] No IPv6 address to set"
+        info "Hotspot app detected"
+        info "No IPv6 address to set"
       fi
     else
-      echo "[INFO] No IPv6 delegated prefix found"
+      info "No IPv6 delegated prefix found"
     fi
 
     if has_nativeip6; then
-      echo "[INFO] Native IPv6 detected"
-      echo "[INFO] Autodetected native IPv6 gateway: ${new_ip6_gw} (last start: ${old_ip6_gw})"
+      info "Native IPv6 detected"
+      info "Autodetected native IPv6 gateway: ${new_ip6_gw} (last start: ${old_ip6_gw})"
 
       if is_serverip6route_set "${new_server_ip6}"; then
-        echo "[OK] IPv6 server route correctly set"
+        success "IPv6 server route correctly set"
       else
-        echo "[ERR] No IPv6 server route set"
+        error "No IPv6 server route set"
         exitcode=1
       fi
     else
-      echo "[INFO] No native IPv6 detected"
-      echo "[INFO] No IPv6 server route to set"
+      info "No native IPv6 detected"
+      info "No IPv6 server route to set"
     fi
 
     if is_firewall_set "${new_wired_device}"; then
-      echo "[OK] IPv6/IPv4 firewall set"
+      success "IPv6/IPv4 firewall set"
     else
-      echo "[ERR] No IPv6/IPv4 firewall set"
+      info "No IPv6/IPv4 firewall set"
       exitcode=1
     fi
 
     if is_dns_set; then
-      echo "[OK] Host DNS correctly set"
+      success "Host DNS correctly set"
     else
-      echo "[ERR] No host DNS set"
+      error "No host DNS set"
       exitcode=1
     fi
 
     if is_openvpn_running; then
-      echo "[OK] Openvpn is running"
+      success "Openvpn is running"
     else
-      echo "[ERR] Openvpn is not running"
+      error "Openvpn is not running"
       exitcode=1
     fi
 
     exit ${exitcode}
   ;;
+
+  # ########## #
+  #    Halp    #
+  # ########## #
+
   *)
     echo "Usage: $0 {start|stop|restart|status}"
     exit 1

conf/ynh-vpnclient-loadcubefile.sh

@@ -86,7 +86,7 @@ ynh_service_enabled=$(ynh_setting vpnclient service_enabled)
 
 # SSO login
 
-curl -kLe "https://${ynh_domain}/yunohost/sso/" --data-urlencode "user=${ynh_user}" --data-urlencode "password=${ynh_password}" "https://${ynh_domain}/yunohost/sso/" --resolve "${ynh_domain}:443:127.0.0.1" -c "${tmpdir}/cookies" 2> /dev/null | grep -q Logout
+curl -D - -skLe "https://${ynh_domain}/yunohost/sso/" --data-urlencode "user=${ynh_user}" --data-urlencode "password=${ynh_password}" "https://${ynh_domain}/yunohost/sso/" --resolve "${ynh_domain}:443:127.0.0.1" -o /dev/null -c "${tmpdir}/cookies" 2> /dev/null | grep -q "set-cookie: SSOwAuthUser=${ynh_user}"
 
 if [ $? -ne 0 ]; then
   echo "[ERROR] SSO login failed" >&2
@@ -96,7 +96,7 @@ fi
 
 # Upload cube file
 
-output=$(curl -kL -F "service_enabled=${ynh_service_enabled}" -F _method=put -F "cubefile=@${cubefile_path}" "https://${ynh_domain}/${ynh_path}/?/settings" --resolve "${ynh_domain}:443:127.0.0.1" -b "${tmpdir}/cookies" 2> /dev/null | grep RETURN_MSG | sed 's/<!-- RETURN_MSG -->//' | sed 's/<\/?[^>]\+>//g' | sed 's/^ \+//g')
+output=$(curl -kL -H "X-Requested-With: yunohost-config" -F "service_enabled=${ynh_service_enabled}" -F _method=put -F "cubefile=@${cubefile_path}" "https://${ynh_domain}/${ynh_path}/?/settings" --resolve "${ynh_domain}:443:127.0.0.1" -b "${tmpdir}/cookies" 2> /dev/null | grep RETURN_MSG | sed 's/<!-- RETURN_MSG -->//' | sed 's/<\/?[^>]\+>//g' | sed 's/^ \+//g')
 
 
 # Configure IPv6 Delegated Prefix on Hotspot

manifest.json

@@ -1,32 +1,43 @@
 {
   "name": "VPN Client",
   "id": "vpnclient",
+  "packaging_format": 1,
+  "version": "1.4.1",
   "description": {
-    "en": "VPN Client",
-    "fr": "Client VPN"
+    "en": "Tunnel the internet traffic through a VPN",
+    "fr": "Fais passer le traffic internet à travers un VPN"
   },
-  "license": "AGPL-3",
-  "developer": {
-    "name": "Julien Vaubourg",
-    "email": "julien@vaubourg.com",
-    "url": "http://julien.vaubourg.com"
+  "url": "https://labriqueinter.net",
+  "license": "AGPL-3.0",
+  "maintainer": {
+    "name": "pitchum",
+    "email": "pitchum@users.noreply.github.com"
   },
-  "multi_instance": "false",
+  "multi_instance": false,
+  "requirements": {
+    "yunohost": ">= 3.2.0"
+  },
+  "services": [
+    "nginx",
+    "php7.0-fpm"
+  ],
   "arguments": {
-    "install" : [
+    "install": [
       {
         "name": "domain",
+        "type": "domain",
         "ask": {
-            "en": "Choose a domain for the web administration",
-            "fr": "Choisissez un domaine pour l'administration web"
+          "en": "Choose a domain for the web administration",
+          "fr": "Choisissez un domaine pour l'administration web"
         },
         "example": "domain.org"
       },
       {
         "name": "path",
+        "type": "path",
         "ask": {
-            "en": "Choose a path for the web administration",
-            "fr": "Choisissez un chemin pour l'administration web"
+          "en": "Choose a path for the web administration",
+          "fr": "Choisissez un chemin pour l'administration web"
         },
         "example": "/vpnadmin",
         "default": "/vpnadmin"

scripts/_common.sh

@@ -0,0 +1,205 @@
+#!/bin/bash
+#
+# Common variables and helpers
+#
+
+pkg_dependencies="php7.0-fpm sipcalc dnsutils openvpn curl fake-hwclock"
+
+service_name="ynh-vpnclient"
+service_checker_name=$service_name"-checker"
+
+to_logs() {
+
+  # When yunohost --verbose or bash -x
+  if $_ISVERBOSE; then
+    cat
+  else
+    cat > /dev/null
+  fi
+}
+
+# Experimental helpers
+# Cf. https://github.com/YunoHost-Apps/Experimental_helpers/blob/72b0bc77c68d4a4a2bf4e95663dbc05e4a762a0a/ynh_read_manifest/ynh_read_manifest
+read_json () {
+    python3 -c "import sys, json;print(json.load(open('$1'))['$2'])"
+}
+
+# Experimental helper
+# Cf. https://github.com/YunoHost-Apps/Experimental_helpers/blob/72b0bc77c68d4a4a2bf4e95663dbc05e4a762a0a/ynh_read_manifest/ynh_read_manifest
+read_manifest () {
+    if [ -f '../manifest.json' ] ; then
+        read_json '../manifest.json' "$1"
+    else
+        read_json '../settings/manifest.json' "$1"
+    fi
+}
+
+# Experimental helper
+# cf. https://github.com/YunoHost-Apps/Experimental_helpers/blob/master/ynh_abort_if_up_to_date/ynh_abort_if_up_to_date
+ynh_abort_if_up_to_date () {
+    version=$(read_json "/etc/yunohost/apps/$YNH_APP_INSTANCE_NAME/manifest.json" 'version' 2> /dev/null || echo '20160501-7')
+    last_version=$(read_manifest 'version')
+    if [ "${version}" = "${last_version}" ]; then
+        ynh_print_info "Up-to-date, nothing to do"
+        ynh_die "" 0
+    fi
+}
+
+# Read the value of a key in a ynh manifest file
+#
+# usage: ynh_read_manifest manifest key
+# | arg: manifest - Path of the manifest to read
+# | arg: key - Name of the key to find
+ynh_read_manifest () {
+    manifest="$1"
+    key="$2"
+    python3 -c "import sys, json;print(json.load(open('$manifest', encoding='utf-8'))['$key'])"
+}
+
+# Read the upstream version from the manifest
+# The version number in the manifest is defined by <upstreamversion>~ynh<packageversion>
+# For example : 4.3-2~ynh3
+# This include the number before ~ynh
+# In the last example it return 4.3-2
+#
+# usage: ynh_app_upstream_version
+ynh_app_upstream_version () {
+    manifest_path="../manifest.json"
+    if [ ! -e "$manifest_path" ]; then
+        manifest_path="../settings/manifest.json"   # Into the restore script, the manifest is not at the same place
+    fi
+    version_key=$(ynh_read_manifest "$manifest_path" "version")
+    echo "${version_key/~ynh*/}"
+}
+
+# Read package version from the manifest
+# The version number in the manifest is defined by <upstreamversion>~ynh<packageversion>
+# For example : 4.3-2~ynh3
+# This include the number after ~ynh
+# In the last example it return 3
+#
+# usage: ynh_app_package_version
+ynh_app_package_version () {
+    manifest_path="../manifest.json"
+    if [ ! -e "$manifest_path" ]; then
+        manifest_path="../settings/manifest.json"   # Into the restore script, the manifest is not at the same place
+    fi
+    version_key=$(ynh_read_manifest "$manifest_path" "version")
+    echo "${version_key/*~ynh/}"
+}
+
+# Exit without error if the package is up to date
+#
+# This helper should be used to avoid an upgrade of a package
+# when it's not needed.
+#
+# To force an upgrade, even if the package is up to date,
+# you have to set the variable YNH_FORCE_UPGRADE before.
+# example: YNH_FORCE_UPGRADE=1 yunohost app upgrade MyApp
+#
+# usage: ynh_abort_if_up_to_date
+ynh_abort_if_up_to_date () {
+    local force_upgrade=${YNH_FORCE_UPGRADE:-0}
+    local package_check=${PACKAGE_CHECK_EXEC:-0}
+
+    local version=$(ynh_read_manifest "/etc/yunohost/apps/$YNH_APP_INSTANCE_NAME/manifest.json" "version" || echo 1.0)
+    local last_version=$(ynh_read_manifest "../manifest.json" "version" || echo 1.0)
+    if [ "$version" = "$last_version" ]
+    then
+        if [ "$force_upgrade" != "0" ]
+        then
+            echo "Upgrade forced by YNH_FORCE_UPGRADE." >&2
+            unset YNH_FORCE_UPGRADE
+        elif [ "$package_check" != "0" ]
+        then
+            echo "Upgrade forced for package check." >&2
+        else
+            ynh_die "Up-to-date, nothing to do" 0
+        fi
+    fi
+}
+
+# Operations needed by both 'install' and 'upgrade' scripts
+function vpnclient_deploy_files_and_services()
+{
+  local domain=$1
+  local app=$2
+  local service_name=$3
+  local sysuser="${app}"
+  local service_checker_name="$service_name-checker"
+
+  # Ensure vpnclient_ynh has its own system user
+  if ! ynh_system_user_exists ${sysuser}
+  then
+    ynh_system_user_create ${sysuser}
+  fi
+
+  # Ensure the system user has enough permissions
+  install -b -o root -g root -m 0440 ../conf/sudoers.conf /etc/sudoers.d/${app}_ynh
+  ynh_replace_string "__VPNCLIENT_SYSUSER__" "${sysuser}" /etc/sudoers.d/${app}_ynh
+
+  # Install IPv6 scripts
+  install -o root -g root -m 0755 ../conf/ipv6_expanded /usr/local/bin/
+  install -o root -g root -m 0755 ../conf/ipv6_compressed /usr/local/bin/
+
+  # Install command-line cube file loader
+  install -o root -g root -m 0755 ../conf/$service_name-loadcubefile.sh /usr/local/bin/
+
+  # Copy confs
+  mkdir -pm 0755 /var/log/nginx/
+  chown root:${sysuser} /etc/openvpn/
+  chmod 775 /etc/openvpn/
+  mkdir -pm 0755 /etc/yunohost/hooks.d/post_iptable_rules/
+
+  install -b -o root -g ${sysuser} -m 0664 ../conf/openvpn_client.conf.tpl /etc/openvpn/client.conf.tpl
+  install -o root -g root -m 0644 ../conf/openvpn_client.conf.tpl /etc/openvpn/client.conf.tpl.restore
+  install -b -o root -g root -m 0755 ../conf/hook_post-iptable-rules /etc/yunohost/hooks.d/90-vpnclient.tpl
+  install -b -o root -g root -m 0644 ../conf/openvpn@.service /etc/systemd/system/
+
+  # Copy web sources
+  mkdir -pm 0755 /var/www/${app}/
+  cp -a ../sources/* /var/www/${app}/
+
+  chown -R root: /var/www/${app}/
+  chmod -R 0644 /var/www/${app}/*
+  find /var/www/${app}/ -type d -exec chmod +x {} \;
+
+  # Create certificates directory
+  mkdir -pm 0770 /etc/openvpn/keys/
+  chown root:${sysuser} /etc/openvpn/keys/
+
+  #=================================================
+  # NGINX CONFIGURATION
+  #=================================================
+  ynh_print_info "Configuring nginx web server..."
+
+  ynh_add_nginx_config
+
+  #=================================================
+  # PHP-FPM CONFIGURATION
+  #=================================================
+  ynh_print_info "Configuring php-fpm..."
+
+  ynh_add_fpm_config
+
+  #=================================================
+
+  # Fix sources
+  ynh_replace_string "__PATH__" "${path_url}" "/var/www/${app}/config.php"
+
+  # Copy init script
+  install -o root -g root -m 0755 ../conf/$service_name /usr/local/bin/
+
+  # Copy checker timer
+  install -o root -g root -m 0755 ../conf/$service_checker_name.sh /usr/local/bin/
+  install -o root -g root -m 0644 ../conf/$service_checker_name.timer /etc/systemd/system/
+
+  #=================================================
+  # SETUP SYSTEMD
+  #=================================================
+  ynh_print_info "Configuring a systemd service..."
+
+  ynh_add_systemd_config $service_name "$service_name.service"
+
+  ynh_add_systemd_config $service_checker_name "$service_checker_name.service"
+}

scripts/backup

@@ -1,9 +1,83 @@
 #!/bin/bash
 
-backup_dir="${1}/apps/vpnclient"
-mkdir -p "${backup_dir}/"
+#=================================================
+# GENERIC START
+#=================================================
+# IMPORT GENERIC HELPERS
+#=================================================
 
-sudo cp -a /etc/openvpn/keys/ "${backup_dir}/"
-sudo cp -a /etc/openvpn/client.conf.tpl "${backup_dir}/"
+source ../settings/scripts/_common.sh
+source /usr/share/yunohost/helpers
 
-exit 0
+#=================================================
+# MANAGE SCRIPT FAILURE
+#=================================================
+
+# Exit if an error occurs during the execution of the script
+ynh_abort_if_errors
+
+#=================================================
+# LOAD SETTINGS
+#=================================================
+ynh_print_info "Loading installation settings..."
+
+app=$YNH_APP_INSTANCE_NAME
+
+final_path=$(ynh_app_setting_get $app final_path)
+domain=$(ynh_app_setting_get $app domain)
+
+#=================================================
+# STANDARD BACKUP STEPS
+#=================================================
+# BACKUP THE APP MAIN DIR
+#=================================================
+ynh_print_info "Backing up the main app directory..."
+
+ynh_backup "$final_path"
+
+ynh_backup "/etc/sudoers.d/${app}_ynh"
+
+ynh_backup "/usr/local/bin/ipv6_expanded"
+ynh_backup "/usr/local/bin/ipv6_compressed"
+ynh_backup "/usr/local/bin/$service_name-loadcubefile.sh"
+
+ynh_backup "/etc/yunohost/hooks.d/90-vpnclient.tpl"
+
+ynh_backup "/etc/openvpn/client.conf.tpl"
+ynh_backup "/etc/openvpn/client.conf.tpl.restore"
+ynh_backup "/etc/openvpn/keys/"
+
+ynh_backup "/usr/local/bin/$service_name"
+ynh_backup "/usr/local/bin/$service_checker_name.sh"
+
+#=================================================
+# BACKUP THE NGINX CONFIGURATION
+#=================================================
+ynh_print_info "Backing up nginx web server configuration..."
+
+ynh_backup "/etc/nginx/conf.d/$domain.d/$app.conf"
+
+#=================================================
+# BACKUP THE PHP-FPM CONFIGURATION
+#=================================================
+ynh_print_info "Backing up php-fpm configuration..."
+
+ynh_backup "/etc/php/7.0/fpm/pool.d/$app.conf"
+
+#=================================================
+# SPECIFIC BACKUP
+#=================================================
+# BACKUP SYSTEMD
+#=================================================
+ynh_print_info "Backing up systemd configuration..."
+
+ynh_backup "/etc/systemd/system/$service_name.service"
+ynh_backup "/etc/systemd/system/$service_checker_name.service"
+ynh_backup "/etc/systemd/system/$service_checker_name.timer"
+ynh_backup "/etc/systemd/system/openvpn@.service"
+
+#=================================================
+# END OF SCRIPT
+#=================================================
+
+ynh_print_info "Backup script completed for $app. (YunoHost will then actually copy those files to the archive)."

scripts/helpers

@@ -1,39 +0,0 @@
-#!/bin/bash
-
-source /usr/share/yunohost/helpers
-
-#
-# Helper to start/stop/.. a systemd service from a yunohost context,
-# *and* the systemd service itself needs to be able to run yunohost
-# commands.
-# 
-# Hence the need to release the lock during the operation
-#
-# usage : ynh_systemctl yolo restart
-#
-function ynh_systemctl()
-{
-  local ACTION="$1"
-  local SERVICE="$2"
-  local LOCKFILE="/var/run/moulinette_yunohost.lock"
-
-  # Launch the action
-  sudo systemctl "$ACTION" "$SERVICE" &
-  local SYSCTLACTION=$!
-
-  # Save and release the lock...
-  cp $LOCKFILE $LOCKFILE.bkp.$$
-  rm $LOCKFILE
-  
-  # Wait for the end of the action
-  wait $SYSCTLACTION
-
-  # Make sure the lock is released...
-  while [ -f $LOCKFILE ]
-  do
-    sleep 0.1
-  done
-
-  # Restore the old lock
-  mv $LOCKFILE.bkp.$$ $LOCKFILE
-}

scripts/install

@@ -1,153 +1,112 @@
 #!/bin/bash
 
-# VPN Client app for YunoHost 
+# VPN Client app for YunoHost
 # Copyright (C) 2015 Julien Vaubourg <julien@vaubourg.com>
 # Contribute at https://github.com/labriqueinternet/vpnclient_ynh
-# 
+#
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU Affero General Public License as published by
 # the Free Software Foundation, either version 3 of the License, or
 # (at your option) any later version.
-# 
+#
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 # GNU Affero General Public License for more details.
-# 
+#
 # You should have received a copy of the GNU Affero General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
-# This is an upgrade?
-upgrade=$([ "${VPNCLIENT_UPGRADE}" == 1 ] && echo true || echo false)
+#=================================================
+# GENERIC START
+#=================================================
+# IMPORT GENERIC HELPERS
+#=================================================
+
+source /usr/share/yunohost/helpers
+source _common.sh
+
+#=================================================
+# MANAGE SCRIPT FAILURE
+#=================================================
+
+# Exit if an error occurs during the execution of the script
+ynh_abort_if_errors
+
+#=================================================
+# RETRIEVE ARGUMENTS FROM THE MANIFEST
+#=================================================
 
 # Retrieve arguments
-domain=${1}
-url_path=${2}
+domain=$YNH_APP_ARG_DOMAIN
+path_url=$(ynh_normalize_url_path "$YNH_APP_ARG_PATH")
+app=$YNH_APP_INSTANCE_NAME
+final_path="/var/www/$app"
 
-if ! $upgrade; then
-  source ./helpers
-  source ./prerequisites
-fi
+#=================================================
+# CHECK IF THE APP CAN BE INSTALLED WITH THESE ARGS
+#=================================================
+ynh_print_info "Validating installation parameters..."
 
-# Check domain/path availability
-ynh_webpath_register vpnclient $domain $url_path || exit 1
+# Check destination directory
+test ! -e "$final_path" || ynh_die "Path is already in use: ${final_path}."
 
-# Install packages
-packages='php5-fpm sipcalc dnsutils openvpn curl'
-export DEBIAN_FRONTEND=noninteractive
+# Register (book) web path
+ynh_webpath_register "$app" "$domain" "$path_url"
 
-sudo apt-get --assume-yes --force-yes install ${packages}
+#=================================================
+# STORE SETTINGS FROM MANIFEST
+#=================================================
+ynh_print_info "Storing installation settings..."
 
-if [ $? -ne 0 ]; then
-  sudo apt-get update
-  sudo apt-get --assume-yes --force-yes install ${packages}
-fi
+ynh_app_setting_set "$app" domain "$domain"
+ynh_app_setting_set "$app" final_path "$final_path"
 
-if ! $upgrade; then
+#=================================================
+# STANDARD MODIFICATIONS
+#=================================================
+# INSTALL DEPENDENCIES
+#=================================================
+ynh_print_info "Installing dependencies..."
 
-  # Save arguments
-  sudo yunohost app setting vpnclient service_enabled -v 0
-  sudo yunohost app setting vpnclient server_name -v none
-  sudo yunohost app setting vpnclient server_port -v 1194
-  sudo yunohost app setting vpnclient server_proto -v udp
-  sudo yunohost app setting vpnclient ip6_addr -v none
-  sudo yunohost app setting vpnclient ip6_net -v none
-  sudo yunohost app setting vpnclient login_user -v "${login_user}"
-  sudo yunohost app setting vpnclient login_passphrase -v "${login_passphrase}"
-  sudo yunohost app setting vpnclient dns0 -v 89.234.141.66
-  sudo yunohost app setting vpnclient dns1 -v 2001:913::8
+ynh_install_app_dependencies "$pkg_dependencies"
 
-fi
+#=================================================
+# DEPLOY FILES FROM PACKAGE
+#=================================================
+ynh_print_info "Deploy files from package..."
 
-# Install IPv6 scripts
-sudo install -o root -g root -m 0755 ../conf/ipv6_expanded /usr/local/bin/
-sudo install -o root -g root -m 0755 ../conf/ipv6_compressed /usr/local/bin/
+vpnclient_deploy_files_and_services "${domain}" "${app}" "${service_name}"
 
-# Install command-line cube file loader
-sudo install -o root -g root -m 0755 ../conf/ynh-vpnclient-loadcubefile.sh /usr/local/bin/
-
-# Copy confs
-sudo mkdir -pm 0755 /var/log/nginx/
-sudo chown root:admins /etc/openvpn/
-sudo chmod 775 /etc/openvpn/
-sudo mkdir -pm 0755 /etc/yunohost/hooks.d/post_iptable_rules/
-
-sudo install -b -o root -g admins -m 0664 ../conf/openvpn_client.conf.tpl /etc/openvpn/client.conf.tpl
-sudo install -o root -g root -m 0644 ../conf/openvpn_client.conf.tpl /etc/openvpn/client.conf.tpl.restore
-sudo install -b -o root -g root -m 0644 ../conf/nginx_vpnadmin.conf "/etc/nginx/conf.d/${domain}.d/vpnadmin.conf"
-sudo install -b -o root -g root -m 0644 ../conf/phpfpm_vpnadmin.conf /etc/php5/fpm/pool.d/vpnadmin.conf
-sudo install -b -o root -g root -m 0755 ../conf/hook_post-iptable-rules /etc/yunohost/hooks.d/90-vpnclient.tpl
-sudo install -b -o root -g root -m 0644 ../conf/openvpn@.service /etc/systemd/system/
-
-# Copy web sources
-sudo mkdir -pm 0755 /var/www/vpnadmin/
-sudo cp -a ../sources/* /var/www/vpnadmin/
-
-sudo chown -R root: /var/www/vpnadmin/
-sudo chmod -R 0644 /var/www/vpnadmin/*
-sudo find /var/www/vpnadmin/ -type d -exec chmod +x {} \;
-
-# Create certificates directory
-sudo mkdir -pm 0770 /etc/openvpn/keys/
-sudo chown root:admins /etc/openvpn/keys/
-
-# Fix confs
-## nginx
-sudo sed "s|<TPL:NGINX_LOCATION>|${url_path}|g" -i "/etc/nginx/conf.d/${domain}.d/vpnadmin.conf"
-sudo sed 's|<TPL:NGINX_REALPATH>|/var/www/vpnadmin/|g' -i "/etc/nginx/conf.d/${domain}.d/vpnadmin.conf"
-sudo sed 's|<TPL:PHP_NAME>|vpnadmin|g' -i "/etc/nginx/conf.d/${domain}.d/vpnadmin.conf"
-
-## php-fpm
-sudo sed 's|<TPL:PHP_NAME>|vpnadmin|g' -i /etc/php5/fpm/pool.d/vpnadmin.conf
-sudo sed 's|<TPL:PHP_USER>|admin|g' -i /etc/php5/fpm/pool.d/vpnadmin.conf
-sudo sed 's|<TPL:PHP_GROUP>|admins|g' -i /etc/php5/fpm/pool.d/vpnadmin.conf
-sudo sed 's|<TPL:NGINX_REALPATH>|/var/www/vpnadmin/|g' -i /etc/php5/fpm/pool.d/vpnadmin.conf
-
-# Fix sources
-sudo sed "s|<TPL:NGINX_LOCATION>|${url_path}|g" -i /var/www/vpnadmin/config.php
-
-# Copy init script
-sudo install -o root -g root -m 0755 ../conf/ynh-vpnclient /usr/local/bin/
-sudo install -o root -g root -m 0644 ../conf/ynh-vpnclient.service /etc/systemd/system/
-
-# Copy checker timer
-sudo install -o root -g root -m 0755 ../conf/ynh-vpnclient-checker.sh /usr/local/bin/
-sudo install -o root -g root -m 0644 ../conf/ynh-vpnclient-checker.service /etc/systemd/system/
-sudo install -o root -g root -m 0644 ../conf/ynh-vpnclient-checker.timer /etc/systemd/system/
+#=================================================
+# RELOAD SERVICES
+#=================================================
+ynh_print_info "Reloading services..."
 
 # Set default inits
 # The boot order of these services are important, so they are disabled by default
-# and the ynh-vpnclient service handles them.
-sudo systemctl disable openvpn
-sudo systemctl stop openvpn
+# and the vpnclient service handles them.
+systemctl disable openvpn
+systemctl stop openvpn
 
-sudo systemctl enable php5-fpm
-sudo systemctl restart php5-fpm
+systemctl restart php7.0-fpm
+systemctl reload nginx
 
-sudo systemctl reload nginx
+# main service
 
-sudo systemctl enable ynh-vpnclient
-sudo yunohost service add ynh-vpnclient
+yunohost service add $service_name --description "Tunnels the internet traffic through a VPN" --need_lock
+yunohost service enable $service_name
 
-ynh_systemctl start ynh-vpnclient-checker.service
-sudo systemctl enable ynh-vpnclient-checker.service
-ynh_systemctl start ynh-vpnclient-checker.timer
-sudo systemctl enable ynh-vpnclient-checker.timer
+# checker service
 
-if ! $upgrade; then
-  ynh_systemctl start ynh-vpnclient
+yunohost service add $service_checker_name --description "Makes sure that the VPN service is running" --need_lock
+yunohost service start $service_checker_name
+yunohost service enable $service_checker_name
+systemctl start $service_checker_name.timer
+systemctl enable $service_checker_name.timer
 
-  # Check configuration consistency
-  
-  if [ -z "${crt_server_ca_path}" ]; then
-    echo "WARNING: VPN Client is not started because you need to define a server CA through the web admin" >&2
-  fi
-  
-  if [ -z "${crt_client_key_path}" -a -z "${login_user}" ]; then
-    echo "WARNING: VPN Client is not started because you need either a client certificate, either a username (or both)" >&2
-  fi
-fi
+#=================================================
+# END OF SCRIPT
+#=================================================
 
-sudo yunohost app ssowatconf
-
-exit 0
+ynh_print_info "Installation of $app completed"

scripts/prerequisites

@@ -1,8 +0,0 @@
-# Source me
-
-# Check YunoHost version (firewall hook in Moulinette)
-ynh_version=$(sudo dpkg -l yunohost | grep ii | awk '{ print $3 }' | sed 's/\.//g')
-
-if [ "${ynh_version}" -lt 240 ]; then
-  echo "WARN: You need a YunoHost's version equals or greater than 2.4.0 for activating the firewalling" >&2
-fi

scripts/remove

@@ -1,53 +1,124 @@
 #!/bin/bash
 
-# VPN Client app for YunoHost 
+# VPN Client app for YunoHost
 # Copyright (C) 2015 Julien Vaubourg <julien@vaubourg.com>
 # Contribute at https://github.com/labriqueinternet/vpnclient_ynh
-# 
+#
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU Affero General Public License as published by
 # the Free Software Foundation, either version 3 of the License, or
 # (at your option) any later version.
-# 
+#
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 # GNU Affero General Public License for more details.
-# 
+#
 # You should have received a copy of the GNU Affero General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
-source ./helpers
+#=================================================
+# GENERIC STARTING
+#=================================================
+# IMPORT GENERIC HELPERS
+#=================================================
 
-# Retrieve arguments
-domain=$(sudo yunohost app setting vpnclient domain)
+source _common.sh
+source /usr/share/yunohost/helpers
 
-# The End
-ynh_systemctl stop ynh-vpnclient-checker.service
-sudo systemctl disable ynh-vpnclient-checker.service
-ynh_systemctl stop ynh-vpnclient-checker.timer && sleep 1
-sudo systemctl disable ynh-vpnclient-checker.timer
-ynh_systemctl stop ynh-vpnclient
-sudo systemctl disable ynh-vpnclient
-sudo yunohost service remove ynh-vpnclient
-sudo rm -f /etc/systemd/system/ynh-vpnclient* /usr/local/bin/ynh-vpnclient*
-sudo rm -f /tmp/.ynh-vpnclient-*
+#=================================================
+# LOAD SETTINGS
+#=================================================
+ynh_print_info "Loading installation settings..."
 
-# Remove confs
-sudo rm -f /etc/openvpn/client.conf{.tpl,.tpl.restore,}
-sudo rm -f /etc/nginx/conf.d/${domain}.d/vpnadmin.conf
-sudo rm -f /etc/php5/fpm/pool.d/vpnadmin.conf
-sudo rm -f /etc/yunohost/hooks.d/90-vpnclient.tpl
-sudo rm -f /etc/systemd/system/openvpn@.service
+app=$YNH_APP_INSTANCE_NAME
+domain=$(ynh_app_setting_get $app domain)
 
-# Remove certificates
-sudo rm -rf /etc/openvpn/keys/
+#=================================================
+# STOP AND REMOVE SERVICES
+#=================================================
+ynh_print_info "Stopping and removing services"
 
-# Restart services
-sudo systemctl restart php5-fpm
-sudo systemctl reload nginx
+yunohost service stop $service_checker_name
+yunohost service disable $service_checker_name
+yunohost service remove $service_checker_name
+systemctl stop $service_checker_name.timer && sleep 1
+systemctl disable $service_checker_name.timer
+
+yunohost service stop $service_name
+yunohost service disable $service_name
+yunohost service remove $service_name
+
+for FILE in $(ls /etc/systemd/system/$service_name* /usr/local/bin/ynh-vpnclient* /tmp/.ynh-vpnclient-*)
+do
+    ynh_secure_remove "$FILE"
+done
+
+#=================================================
+# REMOVE NGINX CONFIGURATION
+#=================================================
+ynh_print_info "Removing nginx web server configuration"
+
+# Remove the dedicated nginx config
+ynh_remove_nginx_config
+
+#=================================================
+# REMOVE PHP-FPM CONFIGURATION
+#=================================================
+ynh_print_info "Removing php-fpm configuration"
+
+# Remove the dedicated php-fpm config
+ynh_remove_fpm_config
+
+#=================================================
+# SPECIFIC REMOVE
+#================================================
+ynh_print_info "Removing openvpn configuration"
+
+# Remove openvpn configurations
+ynh_secure_remove /etc/openvpn/client.conf
+ynh_secure_remove /etc/openvpn/client.conf.tpl
+ynh_secure_remove /etc/openvpn/client.conf.tpl.restore
+
+# Remove YunoHost hook
+ynh_secure_remove /etc/yunohost/hooks.d/90-vpnclient.tpl
+
+# Remove openvpn service
+ynh_secure_remove /etc/systemd/system/openvpn@.service
+
+# Remove openvpn certificates
+ynh_secure_remove /etc/openvpn/keys
+
+#=================================================
+# REMOVE DEPENDENCIES
+#=================================================
+ynh_print_info "Removing dependencies"
+ynh_remove_app_dependencies
 
 # Remove sources
-sudo rm -rf /var/www/vpnadmin/
+ynh_secure_remove "/var/www/${app}"
 
-exit 0
+# Reload systemd configuration
+systemctl daemon-reload
+
+# Restart services
+# (this must happen before deleting the user, otherwise the user is
+# being used by one of the php pool process)
+systemctl restart php7.0-fpm
+systemctl reload nginx
+
+#=================================================
+# REMOVE DEDICATED USER
+#=================================================
+
+ynh_print_info "Removing the dedicated system user"
+
+# Delete a system user
+ynh_system_user_delete ${app}
+ynh_secure_remove "/etc/sudoers.d/${app}_ynh"
+
+#=================================================
+# END OF SCRIPT
+#=================================================
+
+ynh_print_info "Removal of $app completed"

scripts/restore

@@ -1,21 +1,136 @@
 #!/bin/bash
 
-backup_dir="${1}/apps/vpnclient"
+#=================================================
+# GENERIC START
+#=================================================
+# IMPORT GENERIC HELPERS
+#=================================================
 
-sudo mkdir -p /etc/openvpn/
-sudo cp -a "${backup_dir}/keys/" /etc/openvpn/
-sudo cp -a "${backup_dir}/client.conf.tpl" /etc/openvpn/
-sudo chown -R root:admins /etc/openvpn/keys/
+source ../settings/scripts/_common.sh
+source /usr/share/yunohost/helpers
 
-gitcommit=$(sudo grep revision /etc/yunohost/apps/vpnclient/status.json | sed 's/.*"revision": "\([^"]\+\)".*/\1/')
-tmpdir=$(mktemp -dp /tmp/ vpnclient-restore-XXXXX)
+#=================================================
+# MANAGE SCRIPT FAILURE
+#=================================================
 
-git clone https://github.com/labriqueinternet/vpnclient_ynh.git "${tmpdir}/"
-git --work-tree "${tmpdir}/" --git-dir "${tmpdir}/.git/" reset --hard "${gitcommit}"
+# Exit if an error occurs during the execution of the script
+ynh_abort_if_errors
 
-cd "${tmpdir}/scripts/"
-bash ./upgrade 
+#=================================================
+# LOAD SETTINGS
+#=================================================
+ynh_print_info "Loading settings..."
 
-sudo rm -r "${tmpdir}/"
+app=$YNH_APP_INSTANCE_NAME
 
-exit 0
+domain=$(ynh_app_setting_get $app domain)
+path_url=$(ynh_app_setting_get $app path)
+final_path=$(ynh_app_setting_get $app final_path)
+
+#=================================================
+# CHECK IF THE APP CAN BE RESTORED
+#=================================================
+ynh_print_info "Validating restoration parameters..."
+
+ynh_webpath_available $domain $path_url \
+	|| ynh_die "Path not available: ${domain}${path_url}"
+test ! -d $final_path \
+	|| ynh_die "There is already a directory: $final_path "
+
+#=================================================
+# STANDARD RESTORATION STEPS
+#=================================================
+# RESTORE THE NGINX CONFIGURATION
+#=================================================
+
+ynh_restore_file "/etc/nginx/conf.d/$domain.d/$app.conf"
+
+#=================================================
+# RESTORE THE APP MAIN DIR
+#=================================================
+ynh_print_info "Restoring the app main directory..."
+
+ynh_restore_file "$final_path"
+
+ynh_restore_file "/etc/sudoers.d/${app}_ynh"
+
+ynh_restore_file "/usr/local/bin/ipv6_expanded"
+ynh_restore_file "/usr/local/bin/ipv6_compressed"
+ynh_restore_file "/usr/local/bin/$service_name-loadcubefile.sh"
+
+ynh_restore_file "/etc/yunohost/hooks.d/90-vpnclient.tpl"
+
+ynh_restore_file "/etc/openvpn/client.conf.tpl"
+ynh_restore_file "/etc/openvpn/client.conf.tpl.restore"
+ynh_restore_file "/etc/openvpn/keys/"
+
+ynh_restore_file "/usr/local/bin/$service_name"
+ynh_restore_file "/usr/local/bin/$service_checker_name.sh"
+
+#=================================================
+# RECREATE THE DEDICATED USER
+#=================================================
+ynh_print_info "Recreating the dedicated system user..."
+
+# Create the dedicated user (if not existing)
+ynh_system_user_create $app
+
+#=================================================
+# RESTORE USER RIGHTS
+#=================================================
+
+# Restore permissions on app files
+chown -R $app: $final_path
+
+#=================================================
+# RESTORE THE PHP-FPM CONFIGURATION
+#=================================================
+
+ynh_restore_file "/etc/php/7.0/fpm/pool.d/$app.conf"
+
+#=================================================
+# SPECIFIC RESTORATION
+#=================================================
+# REINSTALL DEPENDENCIES
+#=================================================
+ynh_print_info "Reinstalling dependencies..."
+
+# Define and install dependencies
+ynh_install_app_dependencies "$pkg_dependencies"
+
+#=================================================
+# RESTORE SYSTEMD
+#=================================================
+ynh_print_info "Restoring the systemd configuration..."
+
+ynh_restore_file "/etc/systemd/system/$service_name.service"
+ynh_restore_file "/etc/systemd/system/$service_checker_name.service"
+ynh_restore_file "/etc/systemd/system/$service_checker_name.timer"
+ynh_restore_file "/etc/systemd/system/openvpn@.service"
+systemctl daemon-reload
+systemctl enable "$service_name.service"
+systemctl enable "$service_checker_name.service"
+systemctl enable "openvpn@.service"
+
+#=================================================
+# ADVERTISE SERVICE IN ADMIN PANEL
+#=================================================
+
+yunohost service add $service_name --description "Tunnels the internet traffic through a VPN" --need_lock
+yunohost service add $service_checker_name --description "Makes sure that the VPN service is running" --need_lock
+
+#=================================================
+# GENERIC FINALIZATION
+#=================================================
+# RELOAD NGINX AND PHP-FPM
+#=================================================
+ynh_print_info "Reloading nginx web server and php-fpm..."
+
+systemctl restart php7.0-fpm
+systemctl reload nginx
+
+#=================================================
+# END OF SCRIPT
+#=================================================
+
+ynh_print_info "Restoration completed for $app"

scripts/upgrade

@@ -1,47 +1,134 @@
 #!/bin/bash
 
-ynh_setting() {
-  app=${1}
-  setting=${2}
+#=================================================
+# GENERIC STARTING
+#=================================================
+# IMPORT GENERIC HELPERS
+#=================================================
 
-  sudo grep "^${setting}:" "/etc/yunohost/apps/${app}/settings.yml" | sed s/^[^:]\\+:\\s*[\"\']\\?// | sed s/\\s*[\"\']\$//
-}
+source _common.sh
+source /usr/share/yunohost/helpers
 
-source ./helpers
-source ./prerequisites
+#=================================================
+# LOAD SETTINGS
+#=================================================
+ynh_print_info "Loading installation settings..."
 
-domain=$(ynh_setting vpnclient domain)
-path=$(ynh_setting vpnclient path)
-server_name=$(ynh_setting vpnclient server_name)
+app=$YNH_APP_INSTANCE_NAME
 
-sudo mkdir -m 0700 -p /var/cache/labriqueinternet/vpnclient/
-sudo tar czf "/var/cache/labriqueinternet/vpnclient/rollback_$(date +%Y-%m-%d-%H%M%S).tgz" /etc/openvpn/ /etc/yunohost/apps/vpnclient/ &> /dev/null
+domain=$(ynh_app_setting_get $app domain)
+path_url=$(ynh_app_setting_get $app path)
+is_public=$(ynh_app_setting_get $app is_public)
+final_path=$(ynh_app_setting_get $app final_path)
 
-tmpdir=$(mktemp -dp /tmp/ vpnclient-upgrade-XXXXX)
-sudo cp -a /etc/yunohost/apps/vpnclient/settings.yml "${tmpdir}/"
-sudo cp -a /etc/openvpn/keys/ "${tmpdir}/"
+#=================================================
+# SPECIAL UPGRADE FOR VERSIONS < 1.2.0
+#=================================================
 
-if [ ! -e /etc/openvpn/client.conf.tpl.restore ] || ! cmp -s /etc/openvpn/client.conf.tpl{,.restore}; then
-  sudo cp -a /etc/openvpn/client.conf.tpl "${tmpdir}/"
+# Apply renaming that occured in v1.2.0 ("vpnadmin" -> "${app}")
+if [ -f /etc/nginx/conf.d/${domain}.d/vpnadmin.conf ]; then
+  ynh_replace_string "/var/www/vpnadmin/" "/var/www/${app}/" "/etc/nginx/conf.d/${domain}.d/vpnadmin.conf"
+  ynh_replace_string "vpnadmin.sock" "${app}.sock" "/etc/nginx/conf.d/${domain}.d/vpnadmin.conf"
+  mv /etc/nginx/conf.d/${domain}.d/vpnadmin.conf /etc/nginx/conf.d/${domain}.d/${app}.conf
 fi
 
-export VPNCLIENT_UPGRADE=1
-sudo bash /etc/yunohost/apps/vpnclient/scripts/remove &> /dev/null
-bash ./install "${domain}" "${path}" "${server_name}"
-
-sudo rmdir /etc/openvpn/keys/
-sudo cp -a "${tmpdir}/keys/" /etc/openvpn/keys/
-sudo cp -a "${tmpdir}/settings.yml" /etc/yunohost/apps/vpnclient/
-sudo cp -a "${tmpdir}/client.conf.tpl" /etc/openvpn/ 2> /dev/null
-sudo rm -r "${tmpdir}/"
-
-# Changes
-
-if [ -z "$(ynh_setting vpnclient dns0)" ]; then
-  sudo yunohost app setting vpnclient dns0 -v 89.234.141.66
-  sudo yunohost app setting vpnclient dns1 -v 2001:913::8
+if [ -f /etc/php5/fpm/pool.d/vpnadmin.conf ]; then
+  ynh_replace_string "/var/www/vpnadmin/" "/var/www/${app}/" /etc/php5/fpm/pool.d/vpnadmin.conf
+  ynh_replace_string "vpnadmin.sock" "${app}.sock"  /etc/php5/fpm/pool.d/vpnadmin.conf
+  mv /etc/php5/fpm/pool.d/vpnadmin.conf /etc/php/7.0/fpm/pool.d/${app}.conf
 fi
 
-ynh_systemctl start ynh-vpnclient
+if [ -d /var/www/vpnadmin ]; then
+  mv /var/www/vpnadmin /var/www/${app}
+fi
 
-exit 0
+## Versions known to have a buggy backup script
+#buggy_versions="1.0.0 1.0.1 1.1.0"
+#curr_version=$(read_manifest version)
+#if echo $buggy_versions | grep -w $curr_version > /dev/null; then
+#  echo "Your current version of ${app} is very old: ${curr_version}. Please ignore the next warning." >&2
+#fi
+#
+##=================================================
+## BACKUP BEFORE UPGRADE THEN ACTIVE TRAP
+##=================================================
+#
+#ynh_backup_before_upgrade
+#ynh_clean_setup () {
+#    ynh_restore_upgradebackup
+#}
+## Exit if an error occurs during the execution of the script
+ynh_abort_if_errors
+
+#=================================================
+# DO UPGRADE
+#=================================================
+# INSTALL DEPENDENCIES
+#=================================================
+ynh_print_info "Installing dependencies..."
+
+ynh_install_app_dependencies "$pkg_dependencies"
+
+#=================================================
+# DEPLOY FILES FROM PACKAGE
+#=================================================
+
+# Keep a copy of existing config files before overwriting them
+tmpdir=$(mktemp -d /tmp/vpnclient-upgrade-XXX)
+cp -r /etc/openvpn/client* ${tmpdir}
+
+# Deploy files from package
+vpnclient_deploy_files_and_services "${domain}" "${app}" "${service_name}"
+
+# Restore previously existing config files
+cp -r ${tmpdir}/client* /etc/openvpn/
+ynh_secure_remove ${tmpdir}
+
+#=================================================
+# RELOAD RELEVANT SERVICES
+#=================================================
+ynh_print_info "Reload services..."
+
+systemctl reload php7.0-fpm
+systemctl reload nginx
+
+### Make sure that the yunohost services have a description and need-lock enabled
+
+# main service
+yunohost service add $service_name --description "Tunnels the internet traffic through a VPN" --need_lock
+
+# checker service
+yunohost service add $service_checker_name --description "Makes sure that the VPN service is running" --need_lock
+
+# Reload systemd configuration
+
+systemctl daemon-reload
+
+### Restart services
+
+# restart main service if needed
+
+if systemctl is-active $service_name >/dev/null;
+then
+    yunohost service restart $service_name
+fi
+
+# restart checker service if needed
+
+if systemctl is-active $service_checker_name >/dev/null;
+then
+    yunohost service restart $service_checker_name
+fi
+
+# restart checker service timer
+
+if systemctl is-active $service_name.timer >/dev/null;
+then
+    yunohost service restart $service_checker_name.timer
+fi
+
+#=================================================
+# END OF SCRIPT
+#=================================================
+
+ynh_print_info "Upgrade of $app completed"

sources/config.php

@@ -1,19 +1,19 @@
 <?php
 
-/* VPN Client app for YunoHost 
+/* VPN Client app for YunoHost
  * Copyright (C) 2015 Julien Vaubourg <julien@vaubourg.com>
  * Contribute at https://github.com/labriqueinternet/vpnclient_ynh
- * 
+ *
  * This program is free software: you can redistribute it and/or modify
  * it under the terms of the GNU Affero General Public License as published by
  * the Free Software Foundation, either version 3 of the License, or
  * (at your option) any later version.
- * 
+ *
  * This program is distributed in the hope that it will be useful,
  * but WITHOUT ANY WARRANTY; without even the implied warranty of
  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  * GNU Affero General Public License for more details.
- * 
+ *
  * You should have received a copy of the GNU Affero General Public License
  * along with this program.  If not, see <http://www.gnu.org/licenses/>.
  */
@@ -22,11 +22,11 @@
 function configure() {
   option('env', ENV_PRODUCTION);
   option('debug', false);
-  option('base_uri', '<TPL:NGINX_LOCATION>/');
+  option('base_uri', '__PATH__/');
 
   layout('layout.html.php');
 
-  define('PUBLIC_DIR', '<TPL:NGINX_LOCATION>/public');
+  define('PUBLIC_DIR', '__PATH__/public');
 }
 
 // Before routing

sources/controller.php

@@ -117,6 +117,11 @@ dispatch('/', function() {
 });
 
 dispatch_put('/settings', function() {
+
+  if(!isset($_SERVER['HTTP_X_REQUESTED_WITH'])) {
+    throw new Exception('CSRF protection');
+  }
+
   $service_enabled = isset($_POST['service_enabled']) ? 1 : 0;
 
   if($service_enabled == 1) {

sources/public/js/custom.js

@@ -28,7 +28,7 @@ function tabsClick() {
   return false;
 }
 
-$(document).ready(function() {
+function ready() {
   $('.btn-group').button();
   $('[data-toggle="tooltip"]').tooltip();
 
@@ -73,11 +73,29 @@ $(document).ready(function() {
     $(choosertxtid).val($(this).val().replace(/^.*[\/\\]/, ''));
   });
 
-  $('#save').click(function() {
-    $(this).prop('disabled', true);
+  $('#form').on("submit", function(event) {
+    event.preventDefault()
+    $('#save').prop('disabled', true);
     $('#save-loading').show();
-    $('#form').submit();
-  });
+    $.ajax({
+        url: this.action,
+        type: this.method,
+        contentType: false,
+        processData: false,
+        cache: false,
+        data: new FormData(this),
+        headers: {
+          'X-Requested-With': 'jQuery',
+        },
+        timeout: 5000,
+        dataType: "html",
+        // success: function() {}, // XXX will never happen because the VPN connection will be restarted after the form is posted.
+        complete: function() {
+          console.log("Forcing page reload after a few seconds...");
+          setTimeout(function() {document.location.reload();}, 45000)
+        },
+    });
+  })
 
   $('#status .close').click(function() {
     $(this).parent().hide();
@@ -110,4 +128,6 @@ $(document).ready(function() {
       $('.enabled').show('slow');
     }
   });
-});
+}
+
+$(document).ready(ready)

sources/views/settings.html.php

@@ -200,7 +200,7 @@
               <div class="form-group">
                 <label for="login_passphrase" class="col-sm-3 control-label"><?= _('Password') ?></label>
                 <div class="col-sm-9">
-                  <input type="text" data-toggle="tooltip" data-title="<?= _('Leave empty if not necessary') ?>" class="form-control" name="login_passphrase" id="login_passphrase" placeholder="XVCwSbDkxnqQ" value="<?= $login_passphrase ?>" />
+                  <input type="password" data-toggle="tooltip" data-title="<?= _('Leave empty if not necessary') ?>" class="form-control" name="login_passphrase" id="login_passphrase" placeholder="XVCwSbDkxnqQ" value="<?= $login_passphrase ?>" />
                 </div>
               </div>
             </div>