Merge pull request #76 from Gildas-GH/pictrs

Bugfix and reimplement Pictrs

README.md

@@ -19,7 +19,7 @@ If you don't have YunoHost, please consult [the guide](https://yunohost.org/#/in
 Lemmy is similar to sites like Reddit, Lobste.rs, or Hacker News: you subscribe to forums you're interested in, post links and discussions, then vote, and comment on them. Behind the scenes, it is very different; anyone can easily run a server, and all these servers are federated (think email), and connected to the same universe, called the Fediverse.
 
 
-**Shipped version:** 0.18.5~ynh1
+**Shipped version:** 0.18.2~ynh1
 
 **Demo:** https://lemmy.ml/
 
@@ -32,6 +32,7 @@ Lemmy is similar to sites like Reddit, Lobste.rs, or Hacker News: you subscribe
 * Official app website: <https://join-lemmy.org/>
 * Official admin documentation: <https://join-lemmy.org/docs/en/>
 * Upstream app code repository: <https://github.com/LemmyNet/lemmy>
+* YunoHost Store: <https://apps.yunohost.org/app/lemmy>
 * Report a bug: <https://github.com/YunoHost-Apps/lemmy_ynh/issues>
 
 ## Developer info

README_fr.md

@@ -18,7 +18,7 @@ Si vous n’avez pas YunoHost, regardez [ici](https://yunohost.org/#/install) po
 
 Lemmy est similaire à des sites comme Reddit, Lobste.rs ou Hacker News : vous vous abonnez aux forums qui vous intéressent, publiez des liens et des discussions, puis votez et commentez-les. Dans les coulisses, c'est très différent ; n'importe qui peut facilement exécuter un serveur, et tous ces serveurs sont fédérés (pensez au courrier électronique) et connectés au même univers, appelé Fediverse.
 
-**Version incluse :** 0.18.5~ynh1
+**Version incluse :** 0.18.2~ynh1
 
 **Démo :** https://lemmy.ml/
 
@@ -31,6 +31,7 @@ Lemmy est similaire à des sites comme Reddit, Lobste.rs ou Hacker News : vous v
 * Site officiel de l’app : <https://join-lemmy.org/>
 * Documentation officielle de l’admin : <https://join-lemmy.org/docs/en/>
 * Dépôt de code officiel de l’app : <https://github.com/LemmyNet/lemmy>
+* YunoHost Store: <https://apps.yunohost.org/app/lemmy>
 * Signaler un bug : <https://github.com/YunoHost-Apps/lemmy_ynh/issues>
 
 ## Informations pour les développeurs

conf/lemmy.hjson

@@ -66,18 +66,26 @@
     # Can be easy, medium, or hard
     difficulty: "medium"
   }
+  # Settings related to activitypub federation
+  # Pictrs image server configuration.
+  pictrs: {
+    # Address where pictrs is available (for image hosting)
+    url: "http://127.0.0.1:__PORT_PICTRS__/"
+    # Set a custom pictrs API key. ( Required for deleting images )
+    #api_key: "string"
+  }
   # Email sending configuration. All options except login/password are mandatory
   email: {
     # Hostname and port of the smtp server
-    smtp_server: "127.0.0.1:25"
+    smtp_server: "__MAIN_DOMAIN__:587"
     # Login name for smtp server
-    smtp_login: ""
+    smtp_login: "__APP__"
     # Password to login to the smtp server
-    smtp_password: ""
+    smtp_password: "__MAIL_PWD__"
     # Address to send emails from, eg [email protected]
-    smtp_from_address: "lemmy@__DOMAIN__"
+    smtp_from_address: "__APP__@__DOMAIN__"
     # Whether or not smtp connections should use tls. Can be none, tls, or starttls
-    tls_type: "none"
+    tls_type: "starttls"
   }
   # the domain name of your instance (mandatory)
   hostname: "__DOMAIN__"
@@ -87,9 +95,6 @@
   port: __PORT__
   # Whether the site is available over TLS. Needs to be true for federation to work.
   tls_enabled: true
-  # Address where pictrs is available (for image hosting)
-  ###pictrs_url: "http://127.0.0.1:"
-  slur_filter: "(\bThis\b)|(\bis\b)|(\bsample\b)"
   # Maximum length of local community and user names
   actor_name_max_length: 20
   # Maximum number of HTTP requests allowed to handle a single incoming activity (or a single object fetch through the search).

conf/pict-rs.service

@@ -0,0 +1,46 @@
+[Unit]
+Description=Pict-RS: A simple image hosting service for __APP__
+After=network.target
+
+[Service]
+Type=simple
+User=__APP__
+Group=__APP__
+WorkingDirectory=__INSTALL_DIR__/pict-rs/
+Environment=PATH=__PICTRS_PATH__
+ExecStart=__INSTALL_DIR__/pict-rs/pict-rs -c __INSTALL_DIR__/pict-rs/pict-rs.toml run
+StandardOutput=append:/var/log/__APP__/__APP__-pict-rs.log
+StandardError=inherit
+
+# Sandboxing options to harden security
+# Depending on specificities of your service/app, you may need to tweak these 
+# .. but this should be a good baseline
+# Details for these options: https://www.freedesktop.org/software/systemd/man/systemd.exec.html
+NoNewPrivileges=yes
+PrivateTmp=yes
+PrivateDevices=yes
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+RestrictNamespaces=yes
+RestrictRealtime=yes
+DevicePolicy=closed
+ProtectSystem=full
+ProtectControlGroups=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+LockPersonality=yes
+SystemCallFilter=~@clock @debug @module @mount @obsolete @reboot @setuid @swap
+
+# Denying access to capabilities that should not be relevant for webapps
+# Doc: https://man7.org/linux/man-pages/man7/capabilities.7.html
+CapabilityBoundingSet=~CAP_RAWIO CAP_MKNOD
+CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE
+CapabilityBoundingSet=~CAP_SYS_BOOT CAP_SYS_TIME CAP_SYS_MODULE CAP_SYS_PACCT
+CapabilityBoundingSet=~CAP_LEASE CAP_LINUX_IMMUTABLE CAP_IPC_LOCK
+CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_WAKE_ALARM
+CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG
+CapabilityBoundingSet=~CAP_MAC_ADMIN CAP_MAC_OVERRIDE
+CapabilityBoundingSet=~CAP_NET_ADMIN CAP_NET_BROADCAST CAP_NET_RAW
+CapabilityBoundingSet=~CAP_SYS_ADMIN CAP_SYS_PTRACE CAP_SYSLOG 
+
+[Install]
+WantedBy=multi-user.target