Sunday, March 30, 2025
apps@conference.yunohost.org

[01:05:31] <Yunohost Git/Infra notifications> [mastodon_ynh] yalh76 closed [issue #494](https://github.com/YunoHost-Apps/mastodon_ynh/issues/494): upgrade takes very long time
[05:37:28] <Yunohost Git/Infra notifications> [vaultwarden_ynh] OniriCorpe closed [issue #225](https://github.com/YunoHost-Apps/vaultwarden_ynh/issues/225): Vaultwarden fails to install
[12:39:45] <Yunohost Git/Infra notifications> [apps] yunohost-bot labeled Wishlist on [pull request #2897](https://github.com/YunoHost/apps/pull/2897): Add Reactive Resume to wishlist
[12:39:45] <Yunohost Git/Infra notifications> [apps] yunohost-bot opened [pull request #2897](https://github.com/YunoHost/apps/pull/2897): Add Reactive Resume to wishlist
[15:39:32] <m606> hello, I am confused on the following point: could there sometimes be `ynh_add_systemd_config` without `yunohost service add` ?
[15:39:44] <m606> in install script ?
[15:46:53] <m606> or does https://github.com/YunoHost/example_ynh/blob/8b0736e5c31dfc3c11fe9a0fb8d56cba7ccac939/scripts/install#L128 consider that `ynh_add_systemd_config` is actually about creating a service?
[15:56:19] <Salamandar> seems like no
[15:56:49] <Salamandar> ```
for app in */; do
    if grep -q ynh_add_systemd_config "$app/scripts/install" && ! grep -q "service add" "$app/scripts/install"; then
        echo "$app"
    fi
done
```
returns nothing
[15:58:20] <Salamandar> But there could be `yunohost service add` without `ynh_add_systemd_config`
[15:58:30] <Salamandar> for example transmission is installed via deb
[15:59:30] <Salamandar> crap that doesn't handle helpers v2.1
[16:02:35] <m606> thanks!
[16:11:26] <m606> can I have a service with such line ?
```
ExecStart=PASSED_ADDRESS=":__PORT__" PASSED_STORE_TYPE="dir" PASSED_STORE_DIR_PATH="__DATA_DIR__" __INSTALL_DIR__/passed
```
I see no example in YunoHost-Apps with variables defined before the binary. Should I instead do something like
```
ExecStart=/usr/bin/env bash -c "PATH=__FINALPATH__/venv/bin:$PATH nice -n 16 __FINALPATH__/photonix/manage.py watch_photos"
```
https://github.com/YunoHost-Apps/photonix_ynh/blob/0ae637d3f2ff9c9668f6cdd849d7fdf5a9e17f85/conf/watch_photos.service#L11
[16:12:00] <m606> ?
[16:12:23] <Aleks (he/him/il/lui)> ugh why not use systemd environment variables
[16:13:14] <Aleks (he/him/il/lui)> https://github.com/YunoHost-Apps/mastodon_ynh/blob/master/conf/mastodon-web.service#L9
[17:22:37] <m606> my install script encounters an error at `ynh_config_add_fail2ban --logpath="/var/log/nginx/${domain}-error.log" --failregex="Regex to match into the log for a failed login"`
`journalctl -xeu fail2ban.service` shows (YNH 12.1.4):
```
Mar 30 16:58:11 mydomain.tld fail2ban-client[434792]: 2025-03-30 16:58:11,126 fail2ban.configreader [434792]: WARNING 'allowipv6' not defined in 'Definition'. Using default one: 'auto'
Mar 30 16:58:47 mydomain.tld fail2ban-client[434792]: 2025-03-30 16:58:47,287 fail2ban [434792]: ERROR NOK: ("No failure-id group in 'Regex to match into the log for a failed login'",)
Mar 30 16:58:47 mydomain.tld fail2ban-client[434792]: No failure-id group in 'Regex to match into the log for a failed login'
Mar 30 16:58:47 mydomain.tld systemd[1]: fail2ban.service: Control process exited, code=exited, status=255/EXCEPTION
```
Should there be fail2ban config anytime? Or sometimes there should not ? I see `dendrite_ynh` has no F2B for instance: https://github.com/YunoHost-Apps/dendrite_ynh/blob/master/scripts/install

In my case it is a web app within a binary (written in Go)
[17:24:38] <Aleks (he/him/il/lui)> `--failregex="Regex to match into the log for a failed login"`
[17:24:40] <Aleks (he/him/il/lui)> 😭
[17:24:55] <Aleks (he/him/il/lui)> this is supposed to be ... a regex 😭
[17:26:36] <Aleks (he/him/il/lui)> theoretically speaking, i guess there should be a fail2ban conf every time the app is likely to handle authentication itself somehow, such as it displays a login form somewhere and an attacker could attempt to brute-force it
[17:27:33] <Aleks (he/him/il/lui)> for example the nextcloud login form ... though maybe nextcloud has a ratelimit of its own so one could argue fail2ban would be redundant in that case, idk
[17:30:04] <Aleks (he/him/il/lui)> but anyway the current paradigm of "packagers should craft their own regex" is madness, my guess is that most of the time we want to catch a 40x (or maybe 50x) error on some `POST /login` route and packagers should only have to specify which route is used for login
[17:30:16] <Aleks (he/him/il/lui)> otherwise it's just way too complex to craft a correct regex
[17:35:11] <m606> > <@Alekswag:matrix.org> theoretically speaking, i guess there should be a fail2ban conf everytime the app is likely to handle authentication itself somehow, such as it displays a login form somewhere and an attacker could attempt to brute-force it

ok thanks, I guess my app with no login form doesn't need it then
[17:42:57] <m606> well I should have actually read the helper doc which makes it clearer 😑... but yes without a sample log yet available (if it was meaningful for that app) I wouldn't know what exactly the regex should do, though I could have managed the regex crafting.
The approach you suggest seems simpler indeed. Maybe failregex could then be an optional parameter.
[19:32:39] <m606> hmm now my app gets built & installed correctly, but I can't access it via https://mydomain.tld/app (404 error):
`/etc/nginx/conf.d/{mydomain.tld}.d/{app}.conf`
is
```
rewrite ^/passed$ /passed/ permanent;
location /passed/ {
    proxy_pass http://127.0.0.1:49515;
}
```
`__PORT__` has been replaced with the correct port, as the app service's log shows:
```
2025/03/30 19:21:35 Listening on :49515.
```
[19:33:37] <m606> (I also tried that nginx conf with no difference)
```
rewrite ^/passed$ /passed/ permanent;
location /passed/ {
    proxy_pass http://127.0.0.1:49515;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;

    # Common parameter to increase upload size limit in conjunction with dedicated php-fpm file
    client_max_body_size 10M;

    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection $connection_upgrade;
}
```
[19:36:17] <m606> app service log shows no error, and if I run the binary on local machine with default settings (uses port 3000 as default), I can access it via https://127.0.0.1:3000
[19:44:22] <m606> here is the app service log: https://paste.yunohost.org/ipoyocites.txt
One strange thing is that it seems to route to different ports... I can't find what could cause that...
[19:44:42] <Aleks (he/him/il/lui)> can you try installing it on the root of the domain ?
[19:45:00] <m606> let me try and revert
[19:48:30] <Yunohost Git/Infra notifications> [synapse_ynh] Josue-T created new branch fix_upgrade_missing_secrets
[19:48:45] <Yunohost Git/Infra notifications> [synapse_ynh] Josue-T pushed 1 commit to fix_upgrade_missing_secrets: Fix upgrade ([be5c414d](https://github.com/YunoHost-Apps/synapse_ynh/commit/be5c414d4d5778163512a34de048cab5a797d4ca))
[19:50:03] <Yunohost Git/Infra notifications> [synapse_ynh] Josue-T [commented](https://github.com/YunoHost-Apps/synapse_ynh/issues/524#issuecomment-2764717793) on [issue #524](https://github.com/YunoHost-Apps/synapse_ynh/issues/524) homeserver.py --generate-config error: So can you try the upgrade with this command and then share me the log. Even if it works, I really would like to underst...
[19:50:28] <m606> > <@Alekswag:matrix.org> can you try installing it on the root of the domain ?

hmm it works fine on the root! Would that be a limitation from the app?
[19:50:53] <Aleks (he/him/il/lui)> could be, i think in some apps there's a setting to specify that the app is installed on a subpath
[19:54:21] <Aleks (he/him/il/lui)> it does require that the developers did implement the small tweaks to handle it
[20:22:18] <Yunohost Git/Infra notifications> [collabora_ynh] rodinux created new branch 24.04.13.2
[20:27:06] <Yunohost Git/Infra notifications> [collabora_ynh] rodinux pushed 1 commit to 24.04.13.2: upgrade to 24.04.13.2 ([ac0dcd82](https://github.com/YunoHost-Apps/collabora_ynh/commit/ac0dcd821ba35817b76463d97dfcdddff1734893))
[20:27:29] <Yunohost Git/Infra notifications> [collabora_ynh] rodinux opened [pull request #100](https://github.com/YunoHost-Apps/collabora_ynh/pull/100): 24.04.13.2
[20:53:30] <m606> yes so actually I'm setting the following env var `PASSED_ADDRESS=":__PORT__"` which defaults to `PASSED_ADDRESS=":3000"`
But I guess it should rather be something like `PASSED_ADDRESS=":__DOMAIN__:__PORT__/__PATH__"`, which does not work for now. I'll check with upstream dev
[21:01:04] <Yunohost Git/Infra notifications> [collabora_ynh] rodinux [commented](https://github.com/YunoHost-Apps/collabora_ynh/pull/100#issuecomment-2764743279) on [issue #100](https://github.com/YunoHost-Apps/collabora_ynh/pull/100) 24.04.13.2: seems ok, even if shitload of warnings with bullseye CI (was already like this).
[21:59:10] <Yunohost Git/Infra notifications> [collabora_ynh] rodinux merged [pull request #100](https://github.com/YunoHost-Apps/collabora_ynh/pull/100): 24.04.13.2
[21:59:40] <Yunohost Git/Infra notifications> [collabora_ynh] rodinux opened [pull request #101](https://github.com/YunoHost-Apps/collabora_ynh/pull/101): Testing
[22:19:27] <Yunohost Git/Infra notifications> [piped_ynh] yunohost-bot opened [pull request #196](https://github.com/YunoHost-Apps/piped_ynh/pull/196): Upgrade to v2025.03.30
[22:20:43] <Yunohost Git/Infra notifications> [searxng_ynh] yunohost-bot opened [pull request #382](https://github.com/YunoHost-Apps/searxng_ynh/pull/382): Upgrade to v2025.03.29
[22:25:34] <Yunohost Git/Infra notifications> Autoupdater just ran, here are the results:

- 11 pending update PRs
- 20 new apps PRs
- 15 failed apps updates: appflowy, autobd, jenkins, khatru-pyramid, kiwix, languagetool, lemmy, localai, misskey, ofbiz, opencloud, phpldapadmin, pixelfedglitch, snweb, stremio

See the full log here: https://paste.yunohost.org/raw/ubosusurek
[23:06:49] <Yunohost Git/Infra notifications> yalh76 created repository solidtime_ynh https://github.com/YunoHost-Apps/solidtime_ynh
[23:06:52] <Yunohost Git/Infra notifications> yalh76 edited repository solidtime_ynh https://github.com/YunoHost-Apps/solidtime_ynh