.ci/Containerfile.functional-tests-stable

@@ -16,7 +16,7 @@ RUN apt-get dist-upgrade -y
 
 # Install freedombox package so that plint:plinth user/group are created etc.
 RUN apt-get install -y freedombox/trixie-backports
-RUN systemctl disable plinth.service
+RUN systemctl mask plinth.service
 
 # Don't ask for the secret in first wizard
 RUN rm -f /var/lib/plinth/firstboot-wizard-secret

.ci/functional-tests.yml

@@ -16,7 +16,8 @@
     - apt-get update
     - apt-get -y install make
     - make provision-dev
-    - make wait-while-first-setup
+    - sudo -u plinth ./run --develop > plinth.log 2>&1 &
+    - while ! grep -q "Setup finished" plinth.log; do sleep 1; echo -n .; done
   script:
     - FREDOMBOX_URL=https://localhost FREEDOMBOX_SSH_PORT=22 FREEDOMBOX_SAMBA_PORT=445 pytest -v --durations=10 --include-functional --splinter-headless --instafail --template=html1/index.html --report=functional-tests.html
   artifacts:

.vagrant-scripts/plinth-user-permissions.py

@@ -0,0 +1,16 @@
+#!/usr/bin/python3
+# -*- mode: python -*-
+# SPDX-License-Identifier: AGPL-3.0-or-later
+"""Set required permissions for user "plinth" to run plinth in dev setup."""
+
+import pathlib
+
+content = '''
+Cmnd_Alias FREEDOMBOX_ACTION_DEV = /usr/share/plinth/actions/actions, /freedombox/actions/actions
+Defaults!FREEDOMBOX_ACTION_DEV closefrom_override
+plinth ALL=(ALL:ALL) NOPASSWD:SETENV : FREEDOMBOX_ACTION_DEV
+fbx    ALL=(ALL:ALL) NOPASSWD : ALL
+'''
+
+sudoers_file = pathlib.Path('/etc/sudoers.d/01-freedombox-development')
+sudoers_file.write_text(content)

HACKING.md

@@ -66,7 +66,7 @@ development environment inside a systemd-nspawn container.
     folder: (This step requires at least 16GB of free disk space)
 
     ```bash
-    host$ ./container start
+    host$ ./container up
     ```
 
 1. To run unit tests:
@@ -97,20 +97,20 @@ development environment inside a systemd-nspawn container.
    1. Using an environment variable.
 
    ```bash
-   host$ DISTRIBUTION=stable ./container start
+   host$ DISTRIBUTION=stable ./container up
    host$ DISTRIBUTION=stable ./container ssh
    ```
 
    ```bash
    host$ export DISTRIBUTION=stable
-   host$ ./container start
+   host$ ./container up
    host$ ./container ssh
    ```
 
    2. Using the `--distribution` option for each command.
 
    ```bash
-   host$ ./container start --distribution=stable
+   host$ ./container up --distribution=stable
    host$ ./container ssh --distribution=stable
    ```
 
@@ -131,7 +131,7 @@ used simultaneously as they all use different disk images.
     example, to bring up a virtual machine instead of a container run:
 
     ```bash
-    host$ ./container start --machine-type=vm
+    host$ ./container up --machine-type=vm
     ```
 
 #### Using after Setup
@@ -143,12 +143,12 @@ directory:
 guest$ cd /freedombox
 ```
 
-FreedomBox Service runs as plinth.service in the container. This service
-restarts when it detects a change to the source code file. This provides a quick
-feedback cycle during development. To watch service logs run:
+Run the development version of FreedomBox Service in the container using the
+following command. This command continuously deploys your code changes into the
+container providing a quick feedback cycle during development.
 
 ```bash
-guest$ sudo freedombox-logs
+guest$ freedombox-develop
 ```
 
 If you have changed any system configuration files during your development,
@@ -156,17 +156,16 @@ you will need to run the following to install those files properly on to the
 system and their changes to reflect properly.
 
 ```bash
-guest$ sudo make build install ;
-guest$ sudo systemctl restart plinth.service
+guest$ sudo make build install
 ```
 
 Note: This development container has automatic upgrades disabled by default.
 
 #### Troubleshooting
 
-* Sometimes `host$ ./container destroy && ./container start` doesn't work. In such
+* Sometimes `host$ ./container destroy && ./container up` doesn't work. In such
   cases, try to delete the hidden `.container` folder and then `host$
-  ./container start`.
+  ./container up`.
 * Not all kinds of changes are automatically updated. Try `guest$ sudo mount -o
   remount /freedombox`.
 * I am getting an error that says `lo` is not managed by Network Manager
@@ -178,7 +177,7 @@ Note: This development container has automatic upgrades disabled by default.
     ```bash
     host$ sudo touch /etc/NetworkManager/conf.d/10-globally-managed-devices.conf
     host$ sudo service network-manager restart
-    host$ ./container destroy && ./container start
+    host$ ./container destroy && ./container up
     ```
 * File/directory not found errors when running tests can be fixed by clearing `__pycache__` directories.
 
@@ -374,12 +373,13 @@ After logging into the virtual machine (VM), the source code is available in
 vm$ cd /freedombox
 ```
 
-FreedomBox Service runs as plinth.service in the virtual machine. This service
-restarts when it detects a change to the source code file. This provides a quick
-feedback cycle during development. To watch service logs run:
+Run the development version of FreedomBox Service (Plinth) from your source
+directory in the virtual machine using the following command. This command
+continuously deploys your code changes into the virtual machine providing a
+quick feedback cycle during development.
 
 ```bash
-vm$ sudo freedombox-logs
+vm$ freedombox-develop
 ```
 
 If you have changed any system configuration files during your development,
@@ -416,7 +416,7 @@ for more details.
 ### Translating literals (contributing translations)
 
 The easiest way to start translating is with your browser, by using
-[Weblate](https://hosted.weblate.org/projects/freedombox/freedombox/).
+[Weblate](https://hosted.weblate.org/projects/freedombox/plinth/).
 Your changes will automatically get pushed to the code repository.
 
 Alternatively, you can directly edit the `.po` file in your language directory

INSTALL.md

@@ -35,7 +35,7 @@ FreedomBox [Manual](https://wiki.debian.org/FreedomBox/Manual/)'s
 
 3.  Access FreedomBox UI:
 
-    UI should be accessible at http://localhost:8000/freedombox
+    UI should be accessible at http://localhost:8000/plinth
 
 If you are installing FreedomBox Service (Plinth) for development purposes, see
 HACKING.md instead.

Makefile

@@ -20,9 +20,7 @@ DISABLED_APPS_TO_REMOVE := \
     repro \
     tahoe \
     mldonkey \
-    i2p \
-    ttrss \
-    sso
+    i2p
 
 APP_FILES_TO_REMOVE := $(foreach app,$(DISABLED_APPS_TO_REMOVE),$(ENABLED_APPS_PATH)/$(app))
 
@@ -102,12 +100,11 @@ install:
         $(INSTALL) -d $(DESTDIR)$${lib_dir} && \
 	rm -rf $(DESTDIR)$${lib_dir}/plinth $(DESTDIR)$${lib_dir}/plinth*.dist-info && \
         mv $${temp}/plinth $${temp}/plinth*.dist-info $(DESTDIR)$${lib_dir} && \
-	rm -f $(DESTDIR)$${lib_dir}/plinth*.dist-info/licenses/COPYING.md && \
+	rm -f $(DESTDIR)$${lib_dir}/plinth*.dist-info/COPYING.md && \
 	rm -f $(DESTDIR)$${lib_dir}/plinth*.dist-info/direct_url.json && \
         $(INSTALL) -D -t $(BIN_DIR) bin/plinth
 	$(INSTALL) -D -t $(LIB_DIR)/freedombox bin/freedombox-privileged
 	$(INSTALL) -D -t $(BIN_DIR) bin/freedombox-cmd
-	$(INSTALL) -D -t $(BIN_DIR) bin/freedombox-change-password
 
 	# Static web server files
 	rm -rf $(STATIC_FILES_DIRECTORY)
@@ -164,16 +161,6 @@ Environment=PYTHONPATH=/freedombox/
 endef
 export DEVELOP_SERVICE_CONF
 
-define DEVELOP_LOGS_SCRIPT
-#!/usr/bin/bash
-
-set -e
-set -x
-
-journalctl --follow --unit=plinth.service --unit=freedombox-privileged.service
-endef
-export DEVELOP_LOGS_SCRIPT
-
 # Run basic setup for a developer environment (VM or container)
 provision-dev:
 	# Install newer build dependencies if any
@@ -183,15 +170,9 @@ provision-dev:
 	# Install latest code over .deb
 	$(MAKE) build install
 
-	# Configure privileged and web daemon for development setup
+	# Configure privileged daemon for development setup
 	mkdir -p /etc/systemd/system/freedombox-privileged.service.d/
 	echo "$$DEVELOP_SERVICE_CONF" > /etc/systemd/system/freedombox-privileged.service.d/develop.conf
-	mkdir -p /etc/systemd/system/plinth.service.d/
-	echo "$$DEVELOP_SERVICE_CONF" > /etc/systemd/system/plinth.service.d/develop.conf
-
-	# Create a command to easily watch service logs
-	echo "$$DEVELOP_LOGS_SCRIPT" > /usr/bin/freedombox-logs
-	chmod 755 /usr/bin/freedombox-logs
 
 	# Reload newer systemd units, ignore failure
 	-systemctl daemon-reload
@@ -202,10 +183,6 @@ provision-dev:
 	-test -d /run/systemd/system && \
 		systemctl enable --now freedombox-privileged.socket
 
-	# Enable and restart plinth service if it is running
-	-systemctl enable plinth.service
-	-systemctl restart plinth.service
-
 	# Stop any ongoing upgrade, ignore failure
 	-killall -9 unattended-upgr
 
@@ -230,12 +207,6 @@ provision-dev:
 	DEBIAN_FRONTEND=noninteractive apt-get install --yes ncurses-term \
 	    sshpass bash-completion
 
-wait-while-first-setup:
-	while [ x$$(curl -k https://localhost/freedombox/status/ 2> /dev/null | \
-	    json_pp 2> /dev/null | grep 'is_first_setup_running' | \
-            tr -d '[:space:]' | cut -d':' -f2 ) != 'xfalse' ] ; do \
-	    sleep 1; echo -n .; done
-
 .PHONY: \
     build \
     check \
@@ -248,5 +219,4 @@ wait-while-first-setup:
     configure \
     install \
     provision \
-    update-translations \
-    wait-while-first-setup
+    update-translations

README.md

@@ -62,7 +62,7 @@ See the [HACKING.md](https://salsa.debian.org/freedombox-team/freedombox/blob/ma
 
 # Localization
 
-[![Translation status](https://hosted.weblate.org/widget/freedombox/horizontal-auto.svg)](https://hosted.weblate.org/engage/freedombox/)
+[![Translation status](https://hosted.weblate.org/widgets/freedombox/-/287x66-white.png)](https://hosted.weblate.org/engage/freedombox/?utm_source=widget)
 
 # License
 

Vagrantfile

@@ -6,13 +6,13 @@ require 'etc'
 
 Vagrant.configure(2) do |config|
   config.vm.box = "freedombox/freedombox-testing-dev"
-  config.vm.network "public_network"
+  config.vm.network "forwarded_port", guest: 443, host: 4430
+  config.vm.network "forwarded_port", guest: 445, host: 4450
   config.vm.synced_folder ".", "/freedombox", owner: "plinth", group: "plinth"
   config.vm.provider "virtualbox" do |vb|
     vb.cpus = Etc.nprocessors
     vb.memory = 2048
     vb.linked_clone = true
-    vb.customize ["modifyvm", :id, "--firmware", "efi"]
   end
   config.vm.provision "shell", run: 'always', inline: <<-SHELL
     # Disable automatic upgrades
@@ -24,18 +24,24 @@ Vagrant.configure(2) do |config|
   config.vm.provision "shell", inline: <<-SHELL
     cd /freedombox/
     make provision-dev
+
+    echo 'alias freedombox-develop="cd /freedombox; sudo -u plinth /freedombox/run --develop"' >> /home/vagrant/.bashrc
   SHELL
   config.vm.provision "tests", run: "never", type: "shell", path: "plinth/tests/functional/install.sh"
   config.vm.post_up_message = "FreedomBox virtual machine is ready
-for development. To get the IP address:
+for development. You can run the development version of Plinth using
+the following command.
 $ vagrant ssh
-$ ip address show
-
-FreedomBox interface will be available at https://<ip address>/freedombox
-(with an invalid SSL certificate). To watch logs:
-$ vagrant ssh
-$ sudo freedombox-logs
+$ freedombox-develop
+Plinth will be available at https://localhost:4430/plinth (with
+an invalid SSL certificate).
 "
 
+  config.trigger.after [:up, :resume, :reload] do |trigger|
+    trigger.info = "Set plinth user permissions for development environment"
+    trigger.run_remote = {
+      path: ".vagrant-scripts/plinth-user-permissions.py"
+    }
+  end
   config.vm.boot_timeout=1200
 end

bin/freedombox-change-password

@@ -1,61 +0,0 @@
-#!/usr/bin/python3
-# SPDX-License-Identifier: AGPL-3.0-or-later
-"""
-Utility to change user password in FreedomBox's Django database.
-
-Usage:
-$ freedombox-change-password <username>
-"""
-
-import argparse
-import getpass
-import sys
-
-import plinth.web_framework
-from plinth.modules.users import privileged
-
-
-def main():
-    """Ask for new password, setup Django and update a user's password."""
-    try:
-        plinth.web_framework.init()
-    except Exception:
-        _print('Error initializing Django.')
-        return
-
-    parser = argparse.ArgumentParser()
-    parser.add_argument('username',
-                        help='Username of the account to change password for')
-    args = parser.parse_args()
-
-    username = args.username
-    password = getpass.getpass('Enter new password: ')
-
-    try:
-        _change_password(username, password)
-        privileged._set_user_password(username, password)
-        privileged._set_samba_user(username, password)
-        _print('Password updated in web interface, LDAP, and samba databases.')
-    except Exception as exception:
-        _print('Error setting password:', str(exception))
-
-
-def _print(*args, **kwargs):
-    """Write to stderr."""
-    print(*args, **kwargs, file=sys.stderr)
-
-
-def _change_password(username: str, password: str):
-    """Update the password in SQLite database file."""
-    from django.contrib.auth.models import User
-    try:
-        user = User.objects.get(username=username)
-        user.set_password(password)
-        user.save()
-    except User.DoesNotExist:
-        _print('User account does not exist:', username)
-        raise
-
-
-if __name__ == '__main__':
-    main()

container

@@ -196,6 +196,9 @@ cd /freedombox/
 sudo apt-get -y install make
 sudo make provision-dev
 
+echo 'alias freedombox-develop="cd /freedombox; sudo -u plinth /freedombox/run --develop"' \
+  >> /home/fbx/.bashrc
+
 # Make some pytest related files and directories writable to the fbx user
 sudo touch geckodriver.log
 sudo chmod a+rw geckodriver.log
@@ -227,7 +230,6 @@ fi
 
 echo "> In machine: Upgrade packages"
 apt-get update
-apt-mark hold freedombox freedombox-doc-en freedombox-doc-es
 DEBIAN_FRONTEND=noninteractive apt-get -yq --with-new-pkgs upgrade
 
 # Install requirements for tests if not already installed as root
@@ -239,7 +241,25 @@ fi
 # Run the plinth server if functional tests are requested
 if [[ "{pytest_command}" =~ "--include-functional" ]]
 then
-    make -C /freedombox wait-while-first-setup
+    is_plinth_running=0
+    ps -ax -o cmd | grep -q "^sudo -u plinth /freedombox/run" && \
+    is_plinth_running=1
+    ps -ax -o cmd | grep -q "^/usr/bin/python3 /usr/bin/plinth" && \
+    is_plinth_running=1
+
+    if [[ $is_plinth_running -eq 1 ]]
+    then
+        echo "> In machine: Plinth is already running"
+    else
+        echo -n "> In machine: Starting plinth ... "
+        sudo -u plinth /freedombox/run --develop > plinth.log 2>&1 &
+        while ! grep -q "Setup finished" plinth.log
+        do
+            sleep 1
+            echo -n .
+        done
+        echo
+    fi
 
     if [[ "{pytest_command}" != *"--splinter-headless"* ]]
     then
@@ -475,18 +495,14 @@ def parse_arguments() -> argparse.Namespace:
             help='Type of the machine, container to virtual machine, to run '
             'operation on')
 
-    # Start
-    subparser = subparsers.add_parser('start', help='Bring up the container',
-                                      formatter_class=formatter_class,
-                                      aliases=['up'])
+    # Up
+    subparser = subparsers.add_parser('up', help='Bring up the container',
+                                      formatter_class=formatter_class)
     _add_common_args(subparser)
     subparser.add_argument('--image-size', default='16G',
                            help='Disk image size to resize to after download')
     subparser.add_argument('--hkp-client', choices=('gpg', 'wget'),
                            default='gpg', help='Client for key retrieval')
-    subparser.add_argument(
-        '--skip-install', action='store_true',
-        help='Skip running make provision-dev in the container')
 
     # Print IP address
     subparser = subparsers.add_parser(
@@ -510,8 +526,7 @@ def parse_arguments() -> argparse.Namespace:
 
     # Stop
     subparser = subparsers.add_parser('stop', help='Stop the container',
-                                      formatter_class=formatter_class,
-                                      aliases=['down'])
+                                      formatter_class=formatter_class)
     _add_common_args(subparser)
 
     # Destroy
@@ -689,27 +704,10 @@ def _verify_signature(hkp_client: str, data_file: pathlib.Path,
 
 def _extract_image(compressed_file: pathlib.Path):
     """Extract the image file."""
-    # Strip the .xz extension, then replace .img with .raw
-    decompressed_file = compressed_file.with_suffix('').with_suffix('.raw')
-    older_image = compressed_file.with_suffix('')
-
+    decompressed_file = compressed_file.with_suffix('')
     if decompressed_file.exists():
         return decompressed_file
 
-    # Rename older image and its corresponding state files.
-    if older_image.exists():
-        logger.info('Renaming .img file to .raw')
-        older_image.rename(decompressed_file)
-
-        for ext in ['.setup', '.provisioned']:
-            old_state = older_image.with_suffix(older_image.suffix + ext)
-            new_state = decompressed_file.with_suffix(
-                decompressed_file.suffix + ext)
-            if old_state.exists():
-                old_state.rename(new_state)
-
-        return decompressed_file
-
     logger.info('Decompressing file %s', compressed_file)
     partial_file = compressed_file.with_suffix('.partial')
     with partial_file.open('w', encoding='utf-8') as file_handle:
@@ -732,8 +730,7 @@ def _get_compressed_image_path(distribution: str) -> pathlib.Path:
 def _get_image_file(distribution: str) -> pathlib.Path:
     """Return the path of the image file."""
     compressed_image = _get_compressed_image_path(distribution)
-    # Strip the .xz extension, then replace .img with .raw
-    return compressed_image.with_suffix('').with_suffix('.raw')
+    return compressed_image.with_suffix('')
 
 
 def _get_project_folder() -> pathlib.Path:
@@ -967,7 +964,7 @@ def _setup_ssh(image_file: pathlib.Path):
     _runc(image_file, ['chown', 'fbx:fbx', '/home/fbx/.ssh/authorized_keys'])
 
 
-def _setup_image(image_file: pathlib.Path, skip_install: bool = False):
+def _setup_image(image_file: pathlib.Path):
     """Prepare the image for execution."""
     setup_file = image_file.with_suffix(image_file.suffix + '.setup')
     if setup_file.exists():
@@ -979,10 +976,9 @@ def _setup_image(image_file: pathlib.Path, skip_install: bool = False):
     _runc(image_file, ['tee', '/etc/apt/apt.conf.d/20auto-upgrades'],
           input=contents.encode())
 
-    if not skip_install:
-        logger.info('In image: Disabling FreedomBox service')
-        _runc(image_file, ['systemctl', 'disable', 'plinth'],
-              stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
+    logger.info('In image: Disabling FreedomBox service')
+    _runc(image_file, ['systemctl', 'disable', 'plinth'],
+          stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
 
     logger.info('In image: Creating virtiofs mount at /freedombox')
     mount = '''[Unit]
@@ -1040,19 +1036,15 @@ def _is_provisioned(distribution: str) -> bool:
     return provision_file.exists()
 
 
-def _provision(image_file: pathlib.Path, machine_type: str, distribution: str,
-               skip_install: bool = False):
+def _provision(image_file: pathlib.Path, machine_type: str, distribution: str):
     """Run app setup inside the container."""
     if _is_provisioned(distribution):
         return
 
-    if skip_install:
-        logger.info('Skipping provision step (--skip-install)')
-    else:
-        machine = Machine.get_instance(machine_type, distribution)
-        ssh_command = machine.get_ssh_command()
-        subprocess.run(ssh_command + ['bash'], check=True,
-                       input=PROVISION_SCRIPT.encode())
+    machine = Machine.get_instance(machine_type, distribution)
+    ssh_command = machine.get_ssh_command()
+    subprocess.run(ssh_command + ['bash'], check=True,
+                   input=PROVISION_SCRIPT.encode())
 
     provision_file = image_file.with_suffix(image_file.suffix + '.provisioned')
     provision_file.touch()
@@ -1082,7 +1074,7 @@ Folder overlay        :    (host, read-only){project_folder}
 
 SSH easily            : {script} ssh {options}
 Run tests             : {script} run-tests {options} [ --pytest-args ... ]
-Watch FreedomBox logs : sudo freedombox-logs
+Run FreedomBox inside : freedombox-develop
 
 Web access            : https://{ip_address}/
 Ports access          : Any port on {ip_address}
@@ -1091,7 +1083,7 @@ Terminal login        : sudo machinectl login fbx-{distribution}
 Open a root shell     : sudo machinectl shell fbx-{distribution}
 Shutdown              : {script} stop {options}
 Destroy               : {script} destroy {options}
-Reset                 : {script} destroy {options}; {script} start {options}'''
+Reset                 : {script} destroy {options}; {script} up {options}'''
     logger.info(message)
 
 
@@ -1355,8 +1347,9 @@ VirtualEthernet=yes
             if result.returncode:
                 raise Exception(f'Image file {image_link} is not a symlink.')
 
-        # May be linked to wrong place (such as old .img file)
-        subprocess.run(['sudo', 'rm', '--force', str(image_link)], check=False)
+            subprocess.run(['sudo', 'rm', '--force',
+                            str(image_link)], check=False)
+
         subprocess.run([
             'sudo', 'ln', '--symbolic',
             str(image_file.resolve()),
@@ -1487,7 +1480,7 @@ class VM(Machine):
         qcow_image.unlink(missing_ok=True)
 
 
-def subcommand_start(arguments: argparse.Namespace):
+def subcommand_up(arguments: argparse.Namespace):
     """Download, setup and bring up the container."""
     machine = Machine.get_instance(arguments.machine_type,
                                    arguments.distribution)
@@ -1501,11 +1494,10 @@ def subcommand_start(arguments: argparse.Namespace):
                                       arguments.hkp_client)
     _resize_disk_image(image_file, arguments.image_size,
                        arguments.distribution)
-    _setup_image(image_file, arguments.skip_install)
+    _setup_image(image_file)
     machine.setup()
     machine.launch()
-    _provision(image_file, arguments.machine_type, arguments.distribution,
-               arguments.skip_install)
+    _provision(image_file, arguments.machine_type, arguments.distribution)
     _print_banner(arguments.machine_type, arguments.distribution)
 
 
@@ -1592,13 +1584,7 @@ def main():
     logging.basicConfig(level='INFO', format='> %(message)s')
     arguments = parse_arguments()
 
-    aliases = {
-        'up': 'start',
-        'down': 'stop',
-    }
-
-    subcommand: str = arguments.subcommand.replace('-', '_')
-    subcommand = aliases.get(subcommand, subcommand)
+    subcommand = arguments.subcommand.replace('-', '_')
     subcommand_method = globals()['subcommand_' + subcommand]
     subcommand_method(arguments)
 

data/etc/apache2/conf-available/freedombox-tls.conf

@@ -12,7 +12,6 @@
     # Don't redirect for onion sites as it is not needed and leads to
     # unnecessary warning.
     RewriteCond %{HTTP_HOST} !^.*\.onion$ [NC]
-    RewriteCond %{REQUEST_URI} !^/freedombox/apache/discover-idp/$ [NC]
     ReWriteCond %{HTTPS} !=on
     RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
 </LocationMatch>

data/etc/apache2/conf-available/freedombox.conf

@@ -39,16 +39,58 @@
 </If>
 
 ##
-## Redirect traffic on home to /freedombox as part of turning the machine
+## Redirect traffic on home to /plinth as part of turning the machine
 ## into FreedomBox server.  Plinth then acts as a portal to reach all
 ## other services.
 ##
 <IfFile !/etc/apache2/conf-enabled/freedombox-apache-homepage.conf>
-    RedirectMatch "^/$" "/freedombox"
+    RedirectMatch "^/$" "/plinth"
 </IfFile>
 
 ##
-## On all sites, provide FreedomBox on a default path: /freedombox
+## Disable sending Referer (sic) header from FreedomBox web interface to
+## external websites. This improves privacy by not disclosing FreedomBox
+## domains/URLs to external domains. Apps such as blogs which want to popularize
+## themselves with referrer header may still do so.
+##
+## A strict Content Security Policy.
+## - @fonts are allowed only from FreedomBox itself.
+## - <frame>/<iframe> sources are disabled.
+## - <img> sources are allowed only from FreedomBox itself.
+## - Manifest file is not allowed as there is none yet.
+## - <audio>, <video>, <track> tags are not allowed yet.
+## - <object>, <embed>, <applet> tags are not allowed yet.
+## - Allow JS from FreedomBox itself (no inline and attribute scripts).
+## - Allow inline CSS and CSS files from Freedombox itself.
+## - Web worker sources are allowed only from FreedomBox itself (for JSXC).
+## - All other fetch sources including Ajax are not allowed from FreedomBox
+##   itself.
+## - <base> tag is not allowed.
+## - No plugins types are alllowed since object-src is 'none'.
+## - Form action should be to FreedomBox itself.
+## - This interface may be not embedded in <frame>, <iframe>, etc. tags.
+## - When serving HTTPS, don't allow HTTP assets.
+##
+## Enable strict sandboxing enabled with some exceptions:
+## - Allow running Javascript.
+## - Allow popups as sometimes we use <a target=_blank>
+## - Allow popups to have different sandbox requirements as we launch apps' web
+##   clients.
+## - Allow forms to support configuration forms.
+## - Allow policies to treat same origin differently from other origins
+## - Allow downloads such as backup tarballs.
+##
+## Disable browser guessing of MIME types. FreedoBox already sets good content
+## types for all the common file types.
+##
+<LocationMatch "^/(plinth|freedombox)">
+    Header set Referrer-Policy 'same-origin'
+    Header set Content-Security-Policy "font-src 'self'; frame-src 'none'; img-src 'self' data:; manifest-src 'none'; media-src 'none'; object-src 'none'; script-src 'self'; style-src 'self'; worker-src 'self'; default-src 'self'; base-uri 'none'; sandbox allow-scripts allow-popups allow-popups-to-escape-sandbox allow-forms allow-same-origin allow-downloads; form-action 'self'; frame-ancestors 'none'; block-all-mixed-content;"
+    Header set X-Content-Type-Options 'nosniff'
+</LocationMatch>
+
+##
+## On all sites, provide FreedomBox on a default path: /plinth
 ##
 ## Requires the following Apache modules to be enabled:
 ##   mod_headers
@@ -56,8 +98,7 @@
 ##   mod_proxy_http
 ##
 <Location /freedombox>
-    ProxyPass        http://127.0.0.1:8000/freedombox
-    ProxyPreserveHost On
+    ProxyPass        http://127.0.0.1:8000/plinth
     ## Send the scheme from user's request to enable Plinth to redirect
     ## URLs, set cookies, set absolute URLs (if any) properly.
     RequestHeader    set X-Forwarded-Proto 'https' env=HTTPS
@@ -71,20 +112,7 @@
     RequestHeader    unset X-Forwarded-For
 </Location>
 <Location /plinth>
-    ProxyPass        http://127.0.0.1:8000/freedombox
-    ProxyPreserveHost On
-    RequestHeader    set X-Forwarded-Proto 'https' env=HTTPS
-    RequestHeader    unset X-Forwarded-For
-</Location>
-<Location /.well-known/openid-configuration>
-    ProxyPass        http://127.0.0.1:8000/freedombox/o/.well-known/openid-configuration
-    ProxyPreserveHost On
-    RequestHeader    set X-Forwarded-Proto 'https' env=HTTPS
-    RequestHeader    unset X-Forwarded-For
-</Location>
-<Location /.well-known/jwks.json>
-    ProxyPass        http://127.0.0.1:8000/freedombox/o/.well-known/jwks.json
-    ProxyPreserveHost On
+    ProxyPass        http://127.0.0.1:8000/plinth
     RequestHeader    set X-Forwarded-Proto 'https' env=HTTPS
     RequestHeader    unset X-Forwarded-For
 </Location>
@@ -96,7 +124,7 @@
 <Location ~ ^/favicon\.ico$>
     <IfModule mod_rewrite.c>
         RewriteEngine On
-        RewriteRule /favicon\.ico$ "/freedombox/static/theme/img/favicon.ico" [PT]
+        RewriteRule /favicon\.ico$ "/plinth/static/theme/img/favicon.ico" [PT]
     </IfModule>
 </Location>
 

debian/changelog

@@ -1,535 +1,3 @@
-freedombox (26.5) unstable; urgency=medium
-
-  [ OwlGale ]
-  * Translated using Weblate (Russian)
-
-  [ Frederico Gomes ]
-  * wireguard: Remove client entry for F-Droid which is not available
-  * wireguard: Update windows client link
-  * wireguard: Add button for direct APK download
-  * wireguard: Add entries for Homebrew and RPM packages
-  * clients: Fix formatting of package row in table
-  * wireguard: Fix freedombox VPN IP for services
-
-  [ Sunil Mohan Adapa ]
-  * clients: Fix show empty clients in Desktop section
-  * apache: Minor improvement to getting the request host
-  * letsencrypt: Don't perform operations on apps that are not installed
-  * tests: functional: Drop undefined 'sso' pytest mark
-  * ui: Simplify SVG app icons for using them inline in HTML
-  * ui: Use inline SVG images for app icons for dark mode adaptation
-  * html: Drop type attribute value of text/javascript
-  * html: Drop trailing slash from void elements
-  * clients: Use SVG icons when showing external links
-  * ui: Use inline SVG icons for system and help section page
-  * ui: Add rest of the icons used from fork-awesome set
-  * ui: Use inline SVG icons for breadcrumbs
-  * ui: Use inline SVG icons for app toolbar
-  * ui: Use inline SVG icons for notification dropdown
-  * ui: Use inline SVG icons for internal zone message
-  * names: Use inline SVG icons for main app page
-  * featherwiki: Use inline SVG icons for app
-  * tiddlywiki: Use inline SVG icons for app
-  * wireguard: Use inline SVG icons
-  * dynamicdns: Use inline SVG icons
-  * help: Use inline SVG icons
-  * ui: Use inline SVG icons for port forwarding info
-  * power: Use inline SVG icons
-  * pagekite: Use inline SVG icons
-  * pagekite: Fix issue with adding custom services
-  * ikiwiki: Use inline SVG icons
-  * samba: Use inline SVG icons
-  * miniflux: Use inline SVG icons
-  * users: Use inline SVG icons
-  * email: Use inline SVG icons
-  * help: Use inline SVG icons
-  * matrixsynapse: Use inline SVG icons
-  * bepasty: Use inline SVG icons
-  * calibre: Use inline SVG icons
-  * kiwix: Use inline SVG icons
-  * security: Use inline SVG icons
-  * sharing: Use inline SVG icons
-  * snapshot: Use inline SVG icons
-  * diagnostics: Use inline SVG icons
-  * storage: Use inline SVG icons
-  * gitweb: Use inline SVG icons
-  * ui: Use inline SVG icons for tag search
-  * ui: Use inline SVG icons for clients launch buttons
-  * networks: Use inline SVG icons
-  * firstboot: Use inline SVG icons
-  * ui: Use inline SVG icons for app's service-not-running message
-  * ui: Use inline SVG icons for app's log page
-  * ui: Use inline SVG icons for operation waiting notification
-  * backups: Use inline SVG icons
-  * ui: Use inline SVG icons for app install page
-  * ui: Use inline SVG icons for all collapse buttons
-  * ui: Use inline SVG icons for all spinners
-  * ui: Use inline SVG icons for all error/warn/info/success messages
-  * ui: Better placement for dropdown indicator in dropdown button
-  * ui: Use inline SVG icons for navigation bar at the top
-  * upgrades: Use inline SVG icons
-  * ui: Use inline SVG icons for theme switcher menu
-  * ui: Drop fonts-fork-awesome as dependency
-  * ui: Rename 'plinth_extras' template tags module to 'extras'
-  * janus: Drop unused reference to font-awesome
-  * doc: Reduce verbosity when building documentation
-  * app: Fix build issue with Django 5.x (Closes: #1131272)
-  * apache: Increase OpenID Connect RP session timeout activity
-  * action_utils: Stop associated service when stopping a socket unit
-  * action_utils: Don't restart web interface when installing an app
-
-  [ Daniel Wiik ]
-  * Translated using Weblate (Swedish)
-
-  [ Joseph Nuthalapati ]
-  * container: Add option to skip install
-  * container: Fix image extension to .raw for systemd v260
-
-  [ James Valleroy ]
-  * apache: Use a Uwsgi native socket systemd unit for each app
-  * locale: Update translation strings
-  * doc: Fetch latest manual
-
-  [ Ettore Atalan ]
-  * Translated using Weblate (German)
-
- -- James Valleroy <jvalleroy@mailbox.org>  Mon, 23 Mar 2026 20:25:07 -0400
-
-freedombox (26.4.2) unstable; urgency=medium
-
-  [ Jiří Podhorecký ]
-  * Translated using Weblate (Czech)
-
-  [ OwlGale ]
-  * Translated using Weblate (Russian)
-
- -- James Valleroy <jvalleroy@mailbox.org>  Sun, 08 Mar 2026 15:27:13 -0400
-
-freedombox (26.4.1) unstable; urgency=high
-
-  [ 大王叫我来巡山 ]
-  * Translated using Weblate (Chinese (Simplified Han script))
-
-  [ Besnik Bleta ]
-  * Translated using Weblate (Albanian)
-
-  [ Burak Yavuz ]
-  * Translated using Weblate (Turkish)
-
-  [ Jiří Podhorecký ]
-  * Translated using Weblate (Czech)
-
-  [ James Valleroy ]
-  * container: Hold freedombox packages during test setup
-  * Vagrantfile: Enable public network for bridged networking
-  * doc: Fetch latest manual
-
-  [ Sunil Mohan Adapa ]
-  * d/control: Trim deps for nocheck build profile (Closes: #1129521)
-  * apache2: Disable pubtkt authentication module
-
- -- James Valleroy <jvalleroy@mailbox.org>  Sun, 08 Mar 2026 15:09:38 -0400
-
-freedombox (26.4) unstable; urgency=medium
-
-  [ Joseph Nuthalapati ]
-  * ui: Dismiss notifications without page reload
-
-  [ Sunil Mohan Adapa ]
-  * ui: Refactor notification delete buttons to avoid repeating code
-  * ui: Add animation for notification dismissal
-  * actions, privileged_daemon: Drop some unused global statements
-  * backups: Avoid some repeated text in form help text
-  * backups: Fix issue with Javascript in add remote location form
-  * backups: Show/hide form elements instead of disabling for simplicity
-  * backups: Tweak appearance of add remote location form
-  * backups: tests: Simplify functional test using more classes
-  * backups: Minor refactoring
-  * backups: Simplify handling of migration to SSH keys
-  * backups: Create .ssh folder before creating SSH key
-  * backups: Fix showing proper error for incorrect passphrase
-  * backups: Create a better comment in the generated SSH key file
-  * backups: Fix type checking errors
-  * action_utils: Implement utility to change umask temporarily
-  * quassel: Explicitly set permissions on the domain configuration file
-  * letsencrypt: When copying certificate reset the umask reliably
-  * doc/dev: Set new theme for developer documentation
-  * action_utils: Fix issue with type checking a generator
-  * tests: functional: Increase systemd rate limits for starting units
-  * js: When page load fails during install, show it to user
-  * tests: functional: Fix reloading error page during install/uninstall
-  * locale/de: Fix several translations with HTML links (German)
-  * locale/bg: Fix several translations with HTML links (Bulgarian)
-  * bin: Add tool to change FreedomBox password in Django database
-  * ejabberd: Fix setting up certificates for multiple domains
-  * gitweb: Fix issue with running post init due to missing method
-  * wireguard: Fix format when showing multiple endpoints of the server
-  * wireguard: Fix showing default route setting in server edit form
-  * wireguard: Show status of default route in server information page
-  * wireguard: Accept/use netmask with IP address for server connection
-  * README/HACKING: Update weblate project path to /freedombox
-  * *: Remove some absolute file paths in SVGs
-  * matrixsynapse: Update apache config to proxy Synapse client API
-  * cfg: Drop unused config_dir option
-  * cfg: Drop unused actions_dir option
-  * Vagrantfile: Drop unnecessary sudo configuration for actions
-  * pyproject: Use new format to specify licenses
-  * action_utils: Drop support for link-local IPv6 addresses
-  * debian: Ensure that gbp creates a clean tarball prior to build
-  * syncthing: tests: Fix tests by allowing rapid restarts
-  * web_server: Log requests to WSGI app
-  * *: Update URL base from /plinth to /freedombox
-  * tests: functional: Fix expecting FreedomBox to be home page
-  * web_framework: Allow FreedomBox apps to override templates
-  * templates: Allow building pages without navigation bar and footer
-  * apache: Preserve host header when proxying to service
-  * oidc: New app to implement OpenID Connect Provider
-  * oidc: Style the page for authorizing an OIDC app
-  * apache: Implement protecting apps using OpenID Connect
-  * featherwiki: Use OpenID Connect instead of pubtkt based SSO
-  * syncthing: Use OpenID Connect instead of pubtkt based SSO
-  * searx: Use OpenID Connect instead of pubtkt based SSO
-  * rssbridge: Use OpenID Connect instead of pubtkt based SSO
-  * email: Use OpenID Connect instead of pubtkt based SSO
-  * calibre: Use OpenID Connect instead of pubtkt based SSO
-  * deluge: Use OpenID Connect instead of pubtkt based SSO
-  * gitweb: Use OpenID Connect instead of pubtkt based SSO
-  * tiddlywiki: Use OpenID Connect instead of pubtkt based SSO
-  * wordpress: Use OpenID Connect instead of pubtkt based SSO when private
-  * transmission: Use OpenID Connect instead of pubtkt based SSO
-  * doc/dev: Use OpenID Connect instead of pubtkt based SSO
-  * sharing: Use OpenID Connect instead of pubtkt based SSO
-  * sso: Merge into users module, drop pubtkt related code
-  * apache: Fix diagnosing URLs protected by OpenID Connect
-
-  [ 大王叫我来巡山 ]
-  * Translated using Weblate (Chinese (Simplified Han script))
-
-  [ Burak Yavuz ]
-  * Translated using Weblate (Turkish)
-
-  [ Coucouf ]
-  * Translated using Weblate (French)
-  * Translated using Weblate (French)
-
-  [ Besnik Bleta ]
-  * Translated using Weblate (Albanian)
-
-  [ Dietmar ]
-  * Translated using Weblate (German)
-
-  [ James Valleroy ]
-  * backups: Generate SSH client key if needed
-  * backups: Display SSH public key when adding remote
-  * backups: Copy SSH client public key to remote
-  * backups: Use SSH key instead of password
-  * backups: Use selected SSH credential for remote
-  * backups: Test adding/removing remote location
-  * backups: Arrange form for adding remote location
-  * backups: Migrate to SSH key auth when mounting
-  * Translated using Weblate (Greek)
-  * mumble: murmurd renamed to mumble-server
-  * Translated using Weblate (Tamil)
-  * locale: Update translation strings
-  * doc: Fetch latest manual
-  * apache: Fix check_url test
-
-  [ Frederico Gomes ]
-  * container: Align terminology in printed banner
-  * wireguard: filter .local addresses from showClient view
-  * wireguard: improved server section UX flow
-  * wireguard: show server vpn ip in show client page
-  * wireguard: Fix split tunneling
-  * miniflux: Revert workaround for a packaging bug with DB connection
-  * db: Create a utility to get credentials from dbconfig
-  * miniflux: Get credentials from dbconfig-common directly
-
-  [ Pierfrancesco Passerini ]
-  * Translated using Weblate (Italian)
-
-  [ Daniel Wiik ]
-  * Translated using Weblate (Swedish)
-  * Translated using Weblate (Swedish)
-
-  [ kosagi ]
-  * Translated using Weblate (Catalan)
-
-  [ Jiří Podhorecký ]
-  * Translated using Weblate (Czech)
-
-  [ Isak ]
-  * Translated using Weblate (Swedish)
-
-  [ Βασίλης Χατζηκαμάρης ]
-  * Translated using Weblate (Greek)
-
-  [ Benedek Nagy ]
-  * doc/dev: always have an up-to-date copyright year
-
-  [ தமிழ்நேரம் ]
-  * Translated using Weblate (Tamil)
-
- -- James Valleroy <jvalleroy@mailbox.org>  Mon, 02 Mar 2026 21:35:46 -0500
-
-freedombox (26.3) unstable; urgency=medium
-
-  [ Frederico Gomes ]
-  * wireguard: Add 'Start Server' button
-  * docs: Update container script usage
-  * wireguard: Show next available client IP in Add Client form
-  * wireguard: Show server endpoint on main app page
-
-  [ James Valleroy ]
-  * wireguard: Update functional tests to handle Start Server button
-  * lintian: Remove mismatched overrides
-  * Makefile: Fix removing extra license file
-  * debian: Follows policy 4.7.3
-  * debian: Remove default Rules-Requires-Root
-  * debian: Remove preinst script
-  * debian: Update copyright years
-  * locale: Update translation strings
-  * doc: Fetch latest manual
-
-  [ Ettore Atalan ]
-  * Translated using Weblate (German)
-
-  [ Sunil Mohan Adapa ]
-  * debian: Ignore lintian warning: service file missing Install section
-  * wireguard: Remove NM connections when app is uninstalled
-  * ui: Use HTMX to update notifications on partial page updates
-
-  [ Joseph Nuthalapati ]
-  * ui: Add HTMX as a dependency
-  * ui: Use HTMX to eliminate full page reloads
-
-  [ Burak Yavuz ]
-  * Translated using Weblate (Turkish)
-
-  [ Pierfrancesco Passerini ]
-  * Translated using Weblate (Italian)
-
-  [ 大王叫我来巡山 ]
-  * Translated using Weblate (Chinese (Simplified Han script))
-
- -- James Valleroy <jvalleroy@mailbox.org>  Mon, 02 Feb 2026 20:41:30 -0500
-
-freedombox (26.2) unstable; urgency=medium
-
-  [ Pierfrancesco Passerini ]
-  * Translated using Weblate (Italian)
-
-  [ Priit Jõerüüt ]
-  * Translated using Weblate (Estonian)
-
-  [ Joseph Nuthalapati ]
-  * notifications: Close dropdown when clicking outside
-  * gitweb: Fix deleting last repo disables app
-
-  [ James Valleroy ]
-  * doc: Fetch latest manual
-
- -- James Valleroy <jvalleroy@mailbox.org>  Tue, 20 Jan 2026 20:26:42 -0500
-
-freedombox (26.1) unstable; urgency=medium
-
-  [ Besnik Bleta ]
-  * Translated using Weblate (Albanian)
-
-  [ 109247019824 ]
-  * Translated using Weblate (Bulgarian)
-
-  [ Максим Горпиніч ]
-  * Translated using Weblate (Ukrainian)
-
-  [ Burak Yavuz ]
-  * Translated using Weblate (Turkish)
-
-  [ Priit Jõerüüt ]
-  * Translated using Weblate (Estonian)
-
-  [ Jiří Podhorecký ]
-  * Translated using Weblate (Czech)
-
-  [ OwlGale ]
-  * Translated using Weblate (Russian)
-
-  [ Roman Akimov ]
-  * Translated using Weblate (Russian)
-
-  [ Dietmar ]
-  * Translated using Weblate (German)
-  * Translated using Weblate (Italian)
-
-  [ Coucouf ]
-  * Translated using Weblate (French)
-
-  [ Ettore Atalan ]
-  * Translated using Weblate (German)
-
-  [ 大王叫我来巡山 ]
-  * Translated using Weblate (Chinese (Simplified Han script))
-
-  [ Pierfrancesco Passerini ]
-  * Translated using Weblate (Italian)
-
-  [ Joseph Nuthalapati ]
-  * container: Add aliases for start/stop commands
-
- -- James Valleroy <jvalleroy@mailbox.org>  Mon, 05 Jan 2026 20:09:02 -0500
-
-freedombox (25.17.1) unstable; urgency=medium
-
-  [ James Valleroy ]
-  * vagrant: Enable EFI firmware
-  * locale: Update translation strings
-  * doc: Fetch latest manual
-
-  [ Burak Yavuz ]
-  * Translated using Weblate (Turkish)
-
-  [ Besnik Bleta ]
-  * Translated using Weblate (Albanian)
-
-  [ Максим Горпиніч ]
-  * Translated using Weblate (Ukrainian)
-
-  [ 109247019824 ]
-  * Translated using Weblate (Bulgarian)
-
-  [ Jiří Podhorecký ]
-  * Translated using Weblate (Czech)
-
-  [ Benedek Nagy ]
-  * transmission: remove obsolete apache redirects
-  * minetest: Rename Minetest to Luanti
-
-  [ Priit Jõerüüt ]
-  * Translated using Weblate (Estonian)
-
-  [ OwlGale ]
-  * Translated using Weblate (Russian)
-
-  [ Diego Roversi ]
-  * Translated using Weblate (Italian)
-
-  [ Pierfrancesco Passerini ]
-  * Translated using Weblate (Italian)
-
-  [ Sunil Mohan Adapa ]
-  * minetest: Remove legacy code, use new name, conf, etc.
-  * transmission: Deal with changes in latest forky package
-  * backups: Set proper permissions for backups-data directory
-
-  [ bsurajpatra ]
-  * Translated using Weblate (Hindi)
-
- -- James Valleroy <jvalleroy@mailbox.org>  Mon, 15 Dec 2025 20:35:00 -0500
-
-freedombox (25.17) unstable; urgency=medium
-
-  [ James Valleroy ]
-  * homeassistant: Fix spelling in tests
-  * locale: Update translation strings
-  * doc: Fetch latest manual
-
-  [ OwlGale ]
-  * Translated using Weblate (Russian)
-
-  [ kosagi ]
-  * Translated using Weblate (Catalan)
-
-  [ Coucouf ]
-  * Translated using Weblate (French)
-
-  [ Sunil Mohan Adapa ]
-  * ui: Implement a toggle menu for setting dark mode
-  * upgrades: Use bootstrap spinner button instead of custom styling
-  * ui: Use default button style for tag buttons
-  * ui: Fix dark theme color for form help text
-  * ui: Fix dark theme colors for default button style
-  * ui: Fix dark theme color for disabled form elements
-  * ui: Dark theme color for tags text in an app card
-  * ui: Drop colors defined in Bootstrap 5.3
-  * ui: Fix dark theme colors for running status indicator
-  * ui: Minor CSS refactor to use variables
-  * ui: Fix dark theme color for select-all button
-  * ui: Fix dark theme colors for app enable/disable toggle button
-  * privileged: Don't log exception that are expected
-
-  [ Priit Jõerüüt ]
-  * Translated using Weblate (Estonian)
-
-  [ Joseph Nuthalapati ]
-  * l10n: Fix python-brace-format error in Estonian
-
- -- James Valleroy <jvalleroy@mailbox.org>  Mon, 08 Dec 2025 20:50:56 -0500
-
-freedombox (25.16) unstable; urgency=medium
-
-  [ Burak Yavuz ]
-  * Translated using Weblate (Turkish)
-
-  [ 大王叫我来巡山 ]
-  * Translated using Weblate (Chinese (Simplified Han script))
-
-  [ Jiří Podhorecký ]
-  * Translated using Weblate (Czech)
-
-  [ Максим Горпиніч ]
-  * Translated using Weblate (Ukrainian)
-
-  [ Besnik Bleta ]
-  * Translated using Weblate (Albanian)
-
-  [ Dietmar ]
-  * Translated using Weblate (German)
-  * Translated using Weblate (Italian)
-
-  [ Sunil Mohan Adapa ]
-  * middleware: Implement middleware for common headers such as CSP
-  * janus: Allow app to be installed from Debian unstable
-  * janus: Relax content security policy for the video room
-  * janus: Update the video room code from latest upstream
-  * package: Prevent freedombox's deps from removal during app uninstall
-  * dynamicdns: Use only IPv4 for GnuDIP protocol
-  * jsxc: Fix missing dependencies
-  * jsxc: Update content security policy to prevent style errors
-
-  [ Roman Akimov ]
-  * Translated using Weblate (Russian)
-
-  [ James Valleroy ]
-  * locale: Update translation strings
-  * doc: Fetch latest manual
-
- -- James Valleroy <jvalleroy@mailbox.org>  Mon, 24 Nov 2025 20:30:35 -0500
-
-freedombox (25.15) unstable; urgency=medium
-
-  [ Coucouf ]
-  * Translated using Weblate (French)
-
-  [ Sunil Mohan Adapa ]
-  * views: Implement an API to retrieve the readiness status in JSON
-  * main: Allow setting development mode from environment
-  * Run service using systemd even for development
-  * README: Use the Weblate's language chart widget
-  * help: Fix serving images from help pages
-  * matrixsynapse: Clarify how to change domain name in status section
-  * matrixsynapse: Explain federation and link to testing tool
-  * matrixsynapse: Explicitly set the trusted key server to matrix.org
-  * ttrss: Remove app not available in Trixie
-
-  [ Dietmar ]
-  * Translated using Weblate (German)
-  * Translated using Weblate (Italian)
-
-  [ James Valleroy ]
-  * locale: Update translation strings
-  * doc: Fetch latest manual
-
- -- James Valleroy <jvalleroy@mailbox.org>  Mon, 10 Nov 2025 20:48:49 -0500
-
 freedombox (25.14) unstable; urgency=medium
 
   [ Coucouf ]

debian/control

@@ -1,5 +1,6 @@
 Source: freedombox
 Section: web
+Priority: optional
 Maintainer: FreedomBox packaging team <freedombox-pkg-team@lists.alioth.debian.org>
 Uploaders:
  Tzafrir Cohen <tzafrir@debian.org>,
@@ -14,53 +15,52 @@ Build-Depends:
  dblatex,
  dh-python,
  docbook-xsl,
- e2fsprogs <!nocheck>,
+ e2fsprogs,
  gir1.2-nm-1.0,
- libjs-bootstrap5 <!nocheck>,
- libjs-htmx <!nocheck>,
+ libjs-bootstrap5,
 # Older libjs-bootstrap5 does not have proper dependency on popper.js >= 2.0
- node-popper2 <!nocheck>,
+ node-popper2,
  pybuild-plugin-pyproject,
  python3-all:any,
- python3-apt <!nocheck>,
+ python3-apt,
  python3-augeas,
- python3-bootstrapform <!nocheck>,
+ python3-bootstrapform,
  python3-build,
  python3-cherrypy3,
- python3-configobj <!nocheck>,
- python3-cryptography <!nocheck>,
+ python3-configobj,
+ python3-cryptography,
  python3-dbus,
- python3-django <!nocheck>,
- python3-django-axes <!nocheck>,
- python3-django-captcha <!nocheck>,
+ python3-django,
+ python3-django-axes,
+ python3-django-captcha,
 # Explictly depend on ipware as it is optional dependecy of django-axes
- python3-django-ipware <!nocheck>,
- python3-django-oauth-toolkit <!nocheck>,
- python3-django-stronghold <!nocheck>,
+ python3-django-ipware,
+ python3-django-stronghold,
  python3-gi,
  python3-markupsafe,
- python3-mypy <!nocheck>,
- python3-pampy <!nocheck>,
+ python3-mypy,
+ python3-pampy,
  python3-pexpect,
  python3-pip,
  python3-psutil,
- python3-pytest <!nocheck>,
- python3-pytest-cov <!nocheck>,
- python3-pytest-django <!nocheck>,
- python3-pytest-runner <!nocheck>,
+ python3-pytest,
+ python3-pytest-cov,
+ python3-pytest-django,
+ python3-pytest-runner,
  python3-requests,
  python3-ruamel.yaml,
  python3-setuptools,
  python3-systemd,
- python3-typeshed <!nocheck>,
+ python3-typeshed,
  python3-yaml,
- sshpass <!nocheck>,
+ sshpass,
  xmlto,
  xsltproc
-Standards-Version: 4.7.3
+Standards-Version: 4.6.2
 Homepage: https://salsa.debian.org/freedombox-team/freedombox
 Vcs-Git: https://salsa.debian.org/freedombox-team/freedombox.git
 Vcs-Browser: https://salsa.debian.org/freedombox-team/freedombox
+Rules-Requires-Root: no
 
 Package: freedombox
 Breaks:
@@ -78,6 +78,7 @@ Depends:
  bind9-dnsutils,
  curl,
  debconf,
+ fonts-fork-awesome,
 # sgdisk is used in storage app to expand GPT disks
  gdisk,
  gettext,
@@ -88,7 +89,6 @@ Depends:
 # For gdbus used to call hooks into service
  libglib2.0-bin,
  libjs-bootstrap5,
- libjs-htmx,
  lsof,
  netcat-openbsd,
  network-manager,
@@ -108,7 +108,6 @@ Depends:
  python3-django-captcha,
 # Explictly depend on ipware as it is optional dependecy of django-axes
  python3-django-ipware,
- python3-django-oauth-toolkit,
  python3-django-stronghold,
  python3-gi,
  python3-markupsafe,

debian/copyright

@@ -2,7 +2,7 @@ Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
 Source: https://salsa.debian.org/freedombox-team/freedombox
 
 Files: *
-Copyright: 2011-2026 FreedomBox Authors
+Copyright: 2011-2025 FreedomBox Authors
 License: AGPL-3+
 
 Files: plinth/modules/jsxc/static/icons/jsxc.png
@@ -38,11 +38,6 @@ Copyright: Marie Van den Broeck (https://thenounproject.com/marie49/)
 Comment: https://thenounproject.com/icon/162372/
 License: CC-BY-SA-3.0
 
-Files: static/themes/default/js/color-modes.js
-Copyright: 2011-2025 The Bootstrap Authors
-Comment: https://getbootstrap.com/docs/5.3/customize/color-modes/
-License: CC-BY-3.0
-
 Files: plinth/modules/bepasty/static/icons/bepasty.svg
 Copyright: (c) 2014 by the Bepasty Team, see the AUTHORS file.
 Comment: https://github.com/bepasty/bepasty-server/blob/master/src/bepasty/static/app/bepasty.svg
@@ -79,7 +74,6 @@ Files: plinth/modules/ejabberd/static/icons/ejabberd.png
        plinth/modules/rssbridge/static/icons/rssbridge.svg
        plinth/modules/zoph/static/icons/zoph.png
        plinth/modules/zoph/static/icons/zoph.svg
-       static/themes/default/img/application.svg
        static/themes/default/img/network-connection.svg
        static/themes/default/img/network-connection-vertical.svg
        static/themes/default/img/network-ethernet.svg
@@ -101,6 +95,14 @@ Copyright: 2020 Adwaita Icon Theme Authors, GNOME Project
 Comment: https://github.com/GNOME/adwaita-icon-theme/ http://www.gnome.org
 License: LGPL-3 or CC-BY-SA-3.0-US
 
+Files: static/themes/default/icons/f-droid.png
+       static/themes/default/icons/f-droid.svg
+Copyright: 2012 William Theaker
+           2013 Robert Martinez
+           2015 Andrew Nayenko
+Comment: https://gitlab.com/fdroid/artwork/blob/master/fdroid-logo-2015/fdroid-logo.svg
+License: CC-BY-SA-3.0 or GPL-3+
+
 Files: plinth/modules/featherwiki/static/icons/featherwiki.png
        plinth/modules/featherwiki/static/icons/featherwiki.svg
 Copyright: 2022 Robbie Antenesse <dev@alamantus.com>
@@ -113,6 +115,15 @@ Copyright: 2010 Git Authors
 Comment: https://github.com/git/git/blob/master/gitweb/static/git-logo.png
 License: GPL-2
 
+Files: static/themes/default/icons/google-play.png
+Copyright: Chameleon Design (https://thenounproject.com/Chamedesign/)
+Comment: https://thenounproject.com/icon/887917/
+License: CC-BY-3.0-US
+
+Files: static/themes/default/icons/gnu-linux.png
+Copyright: 2017 Cowemoji
+License: CC0-1.0
+
 Files: plinth/modules/homeassistant/static/icons/homeassistant.png
        plinth/modules/homeassistant/static/icons/homeassistant.svg
 Copyright: Home Assistant Core Developers
@@ -132,10 +143,7 @@ License: ISC
 
 Files: plinth/modules/janus/static/icons/janus.png
        plinth/modules/janus/static/icons/janus.svg
-       plinth/modules/janus/static/janus-video-room.css
-       plinth/modules/janus/static/janus-video-room.js
-       plinth/modules/janus/templates/janus_video_room.html
-Copyright: 2014-2025 Meetecho
+Copyright: 2014-2022 Meetecho
 License: GPL-3 with OpenSSL exception
 
 Files: plinth/modules/kiwix/static/icons/kiwix.png
@@ -144,6 +152,12 @@ Copyright: 2020 The other Kiwix guy
 Comment: https://commons.wikimedia.org/wiki/File:Kiwix_logo_v3.svg
 License: CC-BY-SA-4.0
 
+Files: static/themes/default/icons/macos.png
+       static/themes/default/icons/macos.svg
+Copyright: Vectors Market (https://thenounproject.com/vectorsmarket/)
+Comment: https://thenounproject.com/icon/1203053/
+License: CC-BY-SA-3.0
+
 Files: plinth/modules/matrixsynapse/static/icons/matrixsynapse.png
 Copyright: 2017 Kishan Raval
 Comment: https://github.com/thekishanraval/Logos
@@ -161,7 +175,7 @@ License: CC-BY-SA-3.0
 
 Files: plinth/modules/minetest/static/icons/minetest.svg
 Copyright: 2015 Calinou, Nils Dagsson Moskopp
-Comment: https://github.com/luanti-org/luanti/blob/master/misc/luanti.svg
+Comment: https://github.com/minetest/minetest/blob/master/misc/minetest.svg
 License: CC-BY-SA-3.0
 
 Files: plinth/modules/miniflux/static/icons/miniflux.png
@@ -304,6 +318,15 @@ Copyright: Transmission Authors
 Comment: https://github.com/transmission/transmission/blob/master/gtk/icons/hicolor_apps_scalable_transmission.svg
 License: GPL-3
 
+Files: plinth/modules/ttrss/static/icons/ttrss.png
+Copyright: Mark James <mjames@gmail.com>
+License: CC-BY-3.0
+
+Files: plinth/modules/ttrss/static/icons/ttrss.svg
+Copyright: 2005 Andrew Dolgov
+Comment: https://git.tt-rss.org/fox/tt-rss/src/master/images/favicon-72px.png
+License: GPL-3+
+
 Files: plinth/modules/upgrades/data/usr/share/augeas/lenses/aptsources.aug
        plinth/modules/upgrades/data/usr/share/augeas/lenses/tests/test_aptsources.aug
 Copyright: 2007-2025 David Lutterkort
@@ -317,6 +340,12 @@ Copyright: 2011-2021 WordPress Contributors
 Comment: https://github.com/WordPress/wordpress-develop/blob/master/src/wp-admin/images/wordpress-logo.svg
 License: GPL-2+
 
+Files: static/themes/default/icons/windows.png
+       static/themes/default/icons/windows.svg
+Copyright: 2007 ruli (https://thenounproject.com/2007ruli/)
+Comment: https://thenounproject.com/icon/1206946/
+License: CC-BY-SA-3.0
+
 Files: plinth/modules/wireguard/static/icons/wireguard.png
        plinth/modules/wireguard/static/icons/wireguard.svg
 Copyright: 2019 WireGuard LLC
@@ -328,88 +357,9 @@ Copyright: 2008 GNOME icon artists
 Comment: https://commons.wikimedia.org/wiki/File:Gnome-computer.svg
 License: LGPL-3+ or CC-BY-SA-3.0
 
-Files: static/themes/default/icons/adjust.svg
-       static/themes/default/icons/android.svg
-       static/themes/default/icons/arrow-right.svg
-       static/themes/default/icons/ban.svg
-       static/themes/default/icons/bar-chart.svg
-       static/themes/default/icons/bars.svg
-       static/themes/default/icons/bell-o.svg
-       static/themes/default/icons/book.svg
-       static/themes/default/icons/check-circle.svg
-       static/themes/default/icons/check.svg
-       static/themes/default/icons/chevron-right.svg
-       static/themes/default/icons/clock-o.svg
-       static/themes/default/icons/cog.svg
-       static/themes/default/icons/comments.svg
-       static/themes/default/icons/compass.svg
-       static/themes/default/icons/debian.svg
-       static/themes/default/icons/download.svg
-       static/themes/default/icons/eject.svg
-       static/themes/default/icons/exclamation-triangle.svg
-       static/themes/default/icons/external-link.svg
-       static/themes/default/icons/eye-slash.svg
-       static/themes/default/icons/eye.svg
-       static/themes/default/icons/f-droid.svg
-       static/themes/default/icons/files-o.svg
-       static/themes/default/icons/film.svg
-       static/themes/default/icons/flag.svg
-       static/themes/default/icons/freedombox.svg
-       static/themes/default/icons/frown-o.svg
-       static/themes/default/icons/globe-w.svg
-       static/themes/default/icons/gnu-linux.svg
-       static/themes/default/icons/google-play.svg
-       static/themes/default/icons/hdd-o.svg
-       static/themes/default/icons/heartbeat.svg
-       static/themes/default/icons/heart.svg
-       static/themes/default/icons/home.svg
-       static/themes/default/icons/hourglass-o.svg
-       static/themes/default/icons/info-circle.svg
-       static/themes/default/icons/key.svg
-       static/themes/default/icons/life-ring.svg
-       static/themes/default/icons/line-chart.svg
-       static/themes/default/icons/lock.svg
-       static/themes/default/icons/macos.svg
-       static/themes/default/icons/moon.svg
-       static/themes/default/icons/pencil-square-o.svg
-       static/themes/default/icons/plus.svg
-       static/themes/default/icons/poweroff.svg
-       static/themes/default/icons/question-circle.svg
-       static/themes/default/icons/refresh.svg
-       static/themes/default/icons/repeat.svg
-       static/themes/default/icons/rocket.svg
-       static/themes/default/icons/shield.svg
-       static/themes/default/icons/signal.svg
-       static/themes/default/icons/smile-o.svg
-       static/themes/default/icons/spinner.svg
-       static/themes/default/icons/star.svg
-       static/themes/default/icons/sun.svg
-       static/themes/default/icons/tags.svg
-       static/themes/default/icons/tag.svg
-       static/themes/default/icons/terminal.svg
-       static/themes/default/icons/th.svg
-       static/themes/default/icons/times.svg
-       static/themes/default/icons/trash-o.svg
-       static/themes/default/icons/trash.svg
-       static/themes/default/icons/upload.svg
-       static/themes/default/icons/user.svg
-       static/themes/default/icons/users.svg
-       static/themes/default/icons/wifi.svg
-       static/themes/default/icons/windows.svg
-       static/themes/default/icons/wrench.svg
-Copyright: 2018, Fork Awesome
-Comment: https://github.com/ForkAwesome/Fork-Awesome/tree/master/src/icons/svg/
-License: OFL-1.1
-
-Files: static/themes/default/icons/fedora.svg
-       static/themes/default/icons/homebrew.svg
-Copyright: 2026, Simple Icons
-Comment: https://github.com/simple-icons/simple-icons/
-License: CC0-1.0
-
 Files: debian/*
 Copyright: 2013 Tzafrir Cohen
-           2013-2026 FreedomBox Authors
+           2013-2024 FreedomBox Authors
 License: GPL-2+
 
 License: AGPL-3+
@@ -2898,94 +2848,3 @@ License: Zlib
  .
  3. This notice may not be removed or altered from any source
  distribution.
-
-License: OFL-1.1
- This Font Software is licensed under the SIL Open Font License,
- Version 1.1.
- .
- This license is copied below, and is also available with a FAQ at:
- http://scripts.sil.org/OFL
- .
- SIL OPEN FONT LICENSE Version 1.1 - 26 February 2007
- .
- PREAMBLE The goals of the Open Font License (OFL) are to stimulate
- worldwide development of collaborative font projects, to support the font
- creation efforts of academic and linguistic communities, and to provide
- a free and open framework in which fonts may be shared and improved in
- partnership with others.
- .
- The OFL allows the licensed fonts to be used, studied, modified and
- redistributed freely as long as they are not sold by themselves.
- The fonts, including any derivative works, can be bundled, embedded,
- redistributed and/or sold with any software provided that any reserved
- names are not used by derivative works.  The fonts and derivatives,
- however, cannot be released under any other type of license.  The
- requirement for fonts to remain under this license does not apply to
- any document created using the fonts or their derivatives.
- .
- DEFINITIONS
- "Font Software" refers to the set of files released by the Copyright
- Holder(s) under this license and clearly marked as such.
- This may include source files, build scripts and documentation.
- .
- "Reserved Font Name" refers to any names specified as such after the
- copyright statement(s).
- .
- "Original Version" refers to the collection of Font Software components
- as distributed by the Copyright Holder(s).
- .
- "Modified Version" refers to any derivative made by adding to, deleting,
- or substituting ? in part or in whole ?
- any of the components of the Original Version, by changing formats or
- by porting the Font Software to a new environment.
- .
- "Author" refers to any designer, engineer, programmer, technical writer
- or other person who contributed to the Font Software.
- .
- PERMISSION & CONDITIONS
- .
- Permission is hereby granted, free of charge, to any person obtaining a
- copy of the Font Software, to use, study, copy, merge, embed, modify,
- redistribute, and sell modified and unmodified copies of the Font
- Software, subject to the following conditions:
- .
- 1) Neither the Font Software nor any of its individual components, in
-    Original or Modified Versions, may be sold by itself.
- .
- 2) Original or Modified Versions of the Font Software may be bundled,
-    redistributed and/or sold with any software, provided that each copy
-    contains the above copyright notice and this license. These can be
-    included either as stand-alone text files, human-readable headers or
-    in the appropriate machine-readable metadata fields within text or
-    binary files as long as those fields can be easily viewed by the user.
- .
- 3) No Modified Version of the Font Software may use the Reserved Font
-    Name(s) unless explicit written permission is granted by the
-    corresponding Copyright Holder. This restriction only applies to the
-    primary font name as presented to the users.
- .
- 4) The name(s) of the Copyright Holder(s) or the Author(s) of the Font
-    Software shall not be used to promote, endorse or advertise any
-    Modified Version, except to acknowledge the contribution(s) of the
-    Copyright Holder(s) and the Author(s) or with their explicit written
-    permission.
- .
- 5) The Font Software, modified or unmodified, in part or in whole, must
-    be distributed entirely under this license, and must not be distributed
-    under any other license. The requirement for fonts to remain under
-    this license does not apply to any document created using the Font
-    Software.
- .
- TERMINATION
- This license becomes null and void if any of the above conditions are not met.
- .
- DISCLAIMER
- THE FONT SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
- EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTIES OF
- MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT
- OF COPYRIGHT, PATENT, TRADEMARK, OR OTHER RIGHT.  IN NO EVENT SHALL THE
- COPYRIGHT HOLDER BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,
- INCLUDING ANY GENERAL, SPECIAL, INDIRECT, INCIDENTAL, OR CONSEQUENTIAL
- DAMAGES, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- FROM, OUT OF THE USE OR INABILITY TO USE THE FONT SOFTWARE OR FROM OTHER
- DEALINGS IN THE FONT SOFTWARE.

debian/freedombox.lintian-overrides

@@ -24,7 +24,3 @@ freedombox: package-contains-documentation-outside-usr-share-doc [usr/lib/python
 # meant for user. However, don't install to /usr/libexec and follow systemd
 # convention instead.
 freedombox: executable-in-usr-lib [usr/lib/freedombox/freedombox-privileged]
-
-# [Install] section is missing for the privileged daemon service because it is
-# socket activated.
-freedombox: systemd-service-file-missing-install-key [usr/lib/systemd/system/freedombox-privileged.service]

debian/freedombox.preinst

@@ -0,0 +1,43 @@
+#!/bin/sh
+
+set -e
+
+case "$1" in
+    upgrade)
+        # Handle removing freedombox-setup-repositories.timer from 20.5.
+        if dpkg --compare-versions "$2" le 20.7; then
+            if [ -x "/usr/bin/deb-systemd-invoke" ]; then
+               deb-systemd-invoke stop freedombox-setup-repositories.timer >/dev/null 2>/dev/null || true
+            fi
+
+            if [ -x "/usr/bin/deb-systemd-helper" ]; then
+                deb-systemd-helper purge freedombox-setup-repositories.timer >/dev/null || true
+                deb-systemd-helper unmask freedombox-setup-repositories.timer >/dev/null || true
+            fi
+
+            if [ -d /run/systemd/system ]; then
+                systemctl daemon-reload
+            fi
+        fi
+
+        # Handle removing freedombox-udiskie.service from 20.9.
+        if dpkg --compare-versions "$2" le 20.9; then
+            if [ -x "/usr/bin/deb-systemd-invoke" ]; then
+                deb-systemd-invoke stop freedombox-udiskie.service >/dev/null 2>/dev/null || true
+            fi
+
+            if [ -x "/usr/bin/deb-systemd-helper" ]; then
+                deb-systemd-helper purge freedombox-udiskie.service >/dev/null || true
+                deb-systemd-helper unmask freedombox-udiskie.service >/dev/null || true
+            fi
+
+            if [ -d /run/systemd/system ]; then
+                systemctl daemon-reload
+            fi
+        fi
+        ;;
+esac
+
+#DEBHELPER#
+
+exit 0

debian/gbp.conf

@@ -1,9 +1,6 @@
 [DEFAULT]
 debian-branch = main
 
-[buildpackage]
-export-dir = ../build-area/
-
 [dch]
 git-log = --no-merges
 multimaint-merge = True

debian/source/lintian-overrides

@@ -5,4 +5,7 @@
 very-long-line-length-in-source-file * [doc/manual/*.raw.wiki:*]
 
 # Misc. files which can't be fixed to have short line lengths.
+very-long-line-length-in-source-file * [plinth/modules/deluge/tests/data/sample.torrent:*]
+very-long-line-length-in-source-file * [plinth/modules/transmission/tests/data/sample.torrent:*]
+very-long-line-length-in-source-file * [doc/visual_design/FreedomBox-Logo.7z:*]
 very-long-line-length-in-source-file * [COPYING.md:*]

doc/Makefile

@@ -109,25 +109,20 @@ manual-pages-xml:=$(patsubst %.raw.wiki, %.xml, $(manual-pages-raw-wiki))
 manual-pages: $(manual-pages-part-html)
 
 $(manual-pdfs): %.pdf: %.xml
-	@echo "[PDF]       $<"
-	@xmlto $(XMLTO_DEBUG_FLAGS) --with-dblatex pdf -o $(dir $@) $< 2> /dev/null
+	xmlto $(XMLTO_DEBUG_FLAGS) --with-dblatex pdf -o $(dir $@) $<
 
 $(manual-pages-part-html): %.part.html: %.xml
-	@echo "[XSLT]      $<"
-	@xsltproc /usr/share/xml/docbook/stylesheet/docbook-xsl/xhtml5/docbook.xsl $< 2> /dev/null | \
+	xsltproc /usr/share/xml/docbook/stylesheet/docbook-xsl/xhtml5/docbook.xsl $< | \
 	perl -pe 'BEGIN {undef $$/} s/.*<body[^>]*>(.*)<\/body\s*>.*/$$1/si' > $@
-	@rm -f docbook.css
+	@rm -f $(dir $@)docbook.css
 
 $(manual-xmls) $(manual-pages-xml): %.xml: %.raw.wiki $(SCRIPTS_DIR)/wikiparser.py
-	@echo "[WIKIPARSE] $<"
-	@$(SCRIPTS_DIR)/wikiparser.py $< | xmllint --format - > $@
+	$(SCRIPTS_DIR)/wikiparser.py $< | xmllint --format - > $@
 
 %.1: %.xml
-	@echo "[MAN]       $<"
-	@xmlto man $< 2> /dev/null
+	xmlto man $<
 
 .PHONY: clean
 clean:
-	@echo "[RM]        {part-htmls} {xmls} {manuals} {outputs}"
-	@rm -f $(manual-pages-part-html) $(manual-pages-xml) $(manual-xmls)
-	@rm -f $(OUTPUTS)
+	rm -f $(manual-pages-part-html) $(manual-pages-xml) $(manual-xmls)
+	rm -f $(OUTPUTS)

doc/dev/README.rst

@@ -19,7 +19,6 @@ Install the following Debian packages:
 
 * python3-sphinx
 * python3-sphinx-autobuild
-* python3-sphinx-book-theme
 * python3-django
 * python3-django-axes
 * python3-django-captcha

doc/dev/_templates/layout.html

@@ -0,0 +1,15 @@
+{%- extends "alabaster/layout.html" %}
+
+{%- block footer %}
+  <div class="footer">
+    {% if show_copyright %}&copy;{{ copyright }} | {% endif %}
+    Licensed under the <a href="https://creativecommons.org/licenses/by-sa/4.0/">
+    CC BY-SA 4.0</a> license
+    {%- if show_source and has_source and sourcename %}
+      {% if show_copyright or theme_show_powered_by %}|{% endif %}
+      <a href="{{ pathto('_sources/' + sourcename, true)|e }}"
+         rel="nofollow">{{ _('Page source') }}</a>
+    {%- endif %}
+  </div>
+
+{% endblock %}

doc/dev/conf.py

@@ -15,7 +15,6 @@ list see the documentation: http://www.sphinx-doc.org/en/master/config
 #
 import os
 import sys
-from datetime import datetime
 
 import django
 
@@ -27,7 +26,7 @@ django.setup()
 
 # pylint: disable=invalid-name
 project = 'FreedomBox'
-copyright = f'2021-{datetime.now().year}'
+copyright = '2021-2025, FreedomBox Authors'
 author = 'FreedomBox Authors'
 
 # The short X.Y version
@@ -83,23 +82,15 @@ pygments_style = None
 # The theme to use for HTML and HTML Help pages.  See the documentation for
 # a list of builtin themes.
 #
-html_theme = 'sphinx_book_theme'
+html_theme = 'alabaster'
 
 # Theme options are theme-specific and customize the look and feel of a theme
 # further.  For a list of options available for each theme, see the
 # documentation.
 #
 html_theme_options = {
-    'home_page_in_toc': True,
-    'repository_provider': 'gitlab',
-    'repository_url': 'https://salsa.debian.org/freedombox-team/freedombox/',
-    'use_edit_page_button': True,
-    'use_source_button': True,
-    'use_repository_button': True,
-    'use_issues_button': True,
-    'path_to_docs': 'doc/dev/',
-    'extra_footer': 'Licensed under the <a href="https://creativecommons.org/'
-                    'licenses/by-sa/4.0/">CC BY-SA 4.0</a> license.',
+    'fixed_sidebar': True,
+    'show_related': True,
 }
 
 # Add any paths that contain custom static files (such as style sheets) here,
@@ -230,4 +221,3 @@ autodoc_mock_imports = [
 ]
 
 html_favicon = './_static/favicon.ico'
-html_logo = './_static/logo.svg'

doc/dev/reference/components/webserver.rst

@@ -8,3 +8,6 @@ Webserver
 
 .. autoclass:: plinth.modules.apache.components.WebserverRoot
    :members:
+
+.. autoclass:: plinth.modules.apache.components.Uwsgi
+   :members:

doc/dev/tutorial/components.rst

@@ -291,8 +291,10 @@ file ``transmission-plinth.conf``, add the following.
 
   <Location /transmission>
       ...
-      Use AuthOpenIDConnect
-      Use RequireGroup bit-torrent
+      Include          includes/freedombox-single-sign-on.conf
+      <IfModule mod_auth_pubtkt.c>
+          TKTAuthToken "admin" "bit-torrent"
+      </IfModule>
   </Location>
 
 Showing a shortcut in the front page

doc/manual/en/APU.raw.wiki

@@ -2,7 +2,7 @@
 
 {{attachment:apu1d.jpg|PC Engines APU 1D|width=632,height=319}}
 
-[[https://www.pcengines.ch/apu.htm|PC Engines APU]] boards are single board computers with 3 Gigabit ethernet ports, a powerful AMD64 APU and Coreboot firmware.  !FreedomBox images built for AMD64 machines are tested to work well for [[http://www.pcengines.ch/apu1d.htm|APU1D]] and [[http://www.pcengines.ch/apu3b2.htm|APU3B ]] models and are expected to work also well on the other, very similar versions.
+[[http://www.pcengines.ch/apu1d.htm|PC Engines APU 1D]] is a single board computer with 3 Gigabit ethernet ports, a powerful AMD APU and Coreboot firmware.  !FreedomBox images built for AMD64 machines are tested to work well for it.
 
 '''Important:''' Read [[FreedomBox/Hardware|general advice]] about hardware before building a !FreedomBox with this single board computer.
 
@@ -21,26 +21,21 @@ Although untested, the following similar hardware is also likely to work well wi
   * [[http://www.pcengines.ch/apu2c4.htm|apu2c4]]
   * [[http://www.pcengines.ch/apu3a2.htm|apu3a2]]
   * [[http://www.pcengines.ch/apu3a4.htm|apu3a4]]
+  * [[http://www.pcengines.ch/apu3b2.htm|apu3b2]]
   * [[http://www.pcengines.ch/apu3b4.htm|apu3b4]]
 
-=== Installation ===
+=== Download ===
 
 !FreedomBox disk [[FreedomBox/Download|images]] for this hardware are available.  Follow the instructions on the [[FreedomBox/Download|download]] page to create a !FreedomBox SD card, USB disk, SSD or hard drive and boot into !FreedomBox.  Pick the image meant for all amd64 machines.
 
 An alternative to downloading these images is to [[InstallingDebianOn/Alix3d2|install Debian]] on the APU and then [[FreedomBox/Hardware/Debian|install FreedomBox]] on it.
 
-An [[https://github.com/huubsch/APU-Installation-HomeAssistant-Freedombox|installation manual]] tested on the APU3B is available on GitHub, including flashing with UEFI-BIOS
-
 === Networking ===
 
 The first network port, the left most one in the above picture, is configured by !FreedomBox to be an upstream Internet link and the remaining 2 ports are configured for local computers to connect to.
 
 === Availability ===
 
-PCEngines announced the [[https://www.pcengines.ch/eol.htm|phase-out]] of these boards in June 2023.
-
-In 2024 [[https://pcengines.github.io/|Dasharo announced the support of APU-boards]] : coreboot + SeaBIOS and coreboot+UEFI.
-
  * Price: 110 - 170 USD (depending on the board and supplier)
  * [[http://www.pcengines.ch/order.htm|PC Engines]]
  * [[http://www.pcengines.ch/order.htm|Full list of suppliers]]
@@ -48,17 +43,18 @@ In 2024 [[https://pcengines.github.io/|Dasharo announced the support of APU-boar
 === Hardware ===
 
  * Open Hardware: No
- * CPU: [[http://www.amd.com/en-gb/products/embedded/processors/g-series|AMD G series T40E]]; [[https://teklager.se/en/amd-gx-412tc-cpu-specification/|GX-412TC]], 1 GHz quad core (depending on model)
- * RAM: 2 GB DDR3-1066 DRAM - 4 GB (depending on model)
- * Storage: SD card, External USB, mSATA module
+ * CPU: [[http://www.amd.com/en-gb/products/embedded/processors/g-series|AMD G series T40E]]
+ * RAM: 2 GB DDR3-1066 DRAM
+ * Storage: SD card, External USB
  * Architecture: amd64
  * Ethernet: 3 Gigabit Ethernet ports
- * WiFi: wle200nx / wle600vx / wle900vx miniPCI express wireless modules
- * SATA: 1 mSATA-module and 1 SATA
+ * !WiFi: None, use a [[FreedomBox/Hardware/USBWiFi|USB WiFi device]]
+ * SATA: 1 m-SATA and 1 SATA
 
 === Non-Free Status ===
 
  * Non-free blobs required: No
+ * !WiFi: Not available
  * Boot firmware: [[http://www.pcengines.ch/apu1d.htm|Coreboot]]
 
 ## END_INCLUDE
@@ -66,4 +62,4 @@ In 2024 [[https://pcengines.github.io/|Dasharo announced the support of APU-boar
 <<Include(FreedomBox/Portal)>>
 
 ----
-CategoryFreedomBox CategoryFreedomBox
+CategoryFreedomBox

doc/manual/en/Hardware.raw.wiki

@@ -12,17 +12,7 @@ In addition to supporting various single board computers and other devices, any
 
 == Recommended Hardware ==
 
-=== Libre Crafts FreedomBox ===
-
-Libre Crafts in an endeavor from the !FreedomBox developers themselves to bring you a powerful !FreedomBox device capable of hosting even the most demanding home server needs. The device is crafted, tested, and delivered to you by !FreedomBox developers. Your purchase helps !FreedomBox development.
-
-This hardware features a powerful CPU, plenty of main memory, a fast OS disk, ability to add two high capacity hard disk drives, dual multi-gigabit Ethernet ports, all with a low power consumption. Use it to host all your photos, to backup all home devices, as a NAS, as home automation hub, as a desktop computer, and more all at once. 
-
-||<style="text-align: center;"> [[FreedomBox/Hardware/LibreCrafts|{{attachment:libre-crafts.png|Libre Crafts FreedomBox|height=300}}]]<<BR>> [[FreedomBox/Hardware/LibreCrafts|Libre Crafts FreedomBox]] ||
-
-=== Olimex's FreedomBox Pioneer Edition ===
-
-On April 22nd, 2019, the !FreedomBox Foundation announced the [[https://freedomboxfoundation.org/buy/|sales]] of the Pioneer Edition !FreedomBox Home Server Kits. This pre-installed hardware is for all users who don't wish to build their own !FreedomBox by choosing the right components, downloading the image and preparing an SD card with !FreedomBox.
+On April 22nd, 2019, the !FreedomBox Foundation announced the [[https://freedomboxfoundation.org/buy/|sales]] of the Pioneer Edition !FreedomBox Home Server Kits. This is the recommended pre-installed hardware for all users who don't wish to build their own !FreedomBox by choosing the right components, downloading the image and preparing an SD card with !FreedomBox.
 
 The kit includes all the hardware needed for launching a !FreedomBox home server on an Olimex A20-OLinuXino-LIME2 board. This product provides the perfect combination of open source hardware and free and open source software. By purchasing this product, you also support the !FreedomBox Foundation's efforts to create and promote its free and open source server software.
 

doc/manual/en/HomeAssistant.raw.wiki

@@ -21,7 +21,7 @@ Home Assistant app is considered experimental in !FreedomBox as it is fairly new
 
 === Hardware ===
 
-Home Assistant can detect, configure, and use various devices on the local network. For example, if a device is connected using Wi-Fi or LAN to the same network as !FreedomBox, Home Assistant can detect, configure, and use the device. Other home automation protocols such as Thread, !ZigBee, and Z-Wave are also supported but require additional hardware to be connected to your !FreedomBox. For example, if you have a door sensor that speaks !ZigBee, you need to attach a !ZigBee USB dongle to your !FreedomBox. Home Assistant can then detect and use the door sensor on the !ZigBee network. '''Note:''' if you attach any such hardware to FreedomBox after you install the Home Assistant app, then you need to disable and re-enable the Home Assistant app before the hardware can be discovered and used by Home Assistant.
+Home Assistant can detect, configure, and use various devices on the local network. For example, if a device is connected using Wi-Fi or LAN to the same network as !FreedomBox, Home Assistant can detect, configure, and use the device. Other home automation protocols such as Thread, !ZigBee, and Z-Wave are also supported but require additional hardware to be connected to your !FreedomBox. For example, if you have a door sensor that speaks !ZigBee, you need to attach a !ZigBee USB dongle to your !FreedomBox. Home Assistant can then detect and use the door sensor on the !ZigBee network.
 
 Home Assistant is a comprehensive solution for your home automation needs supporting thousands of devices. You can check whether a device is supported by Home Assistant by visiting the [[https://www.home-assistant.io/integrations/|integrations]] page. Other devices which are not listed may also be supported when they are similar to supported devices. It is recommended that you purchase hardware that advertises support for Home Assistant.
 

doc/manual/en/PioneerEdition.raw.wiki

@@ -25,8 +25,7 @@ The [[https://www.olimex.com/Products/OLinuXino/Home-Server/Pioneer-FreedomBox-H
  * an optional storage add-on for hard disk (HDD) or solid-state drive (SSD)
 
 === Recommended Hardware ===
-
-This is a hardware recommended for all users who just want a turn-key !FreedomBox, and '''don't''' want to '''build''' their own one.
+This is the hardware recommended for all users who just want a turn-key !FreedomBox, and '''don't''' want to '''build''' their own one.
 
 (Building your own !FreedomBox means some technical stuff like choosing and buying the right components, downloading the image and preparing the SD card).
 

doc/manual/en/ReleaseNotes.raw.wiki

@@ -8,262 +8,6 @@ For more technical details, see the [[https://salsa.debian.org/freedombox-team/f
 
 The following are the release notes for each !FreedomBox version.
 
-== FreedomBox 26.5 (2026-03-23) ==
-
-=== Highlights ===
-
- * action_utils: Don't restart web interface when installing an app
- * apache: Use a Uwsgi native socket systemd unit for each app
- * ui: Use inline SVG icons for all apps
- * wireguard: Fix freedombox VPN IP for services
-
-=== Other Changes ===
-
- * action_utils: Stop associated service when stopping a socket unit
- * apache: Increase OpenID Connect RP session timeout activity
- * apache: Minor improvement to getting the request host
- * app: Fix build issue with Django 5.x
- * clients: Fix formatting of package row in table
- * clients: Fix show empty clients in Desktop section
- * clients: Use SVG icons when showing external links
- * container: Add option to skip install
- * container: Fix image extension to .raw for systemd v260
- * doc: Reduce verbosity when building documentation
- * html: Drop trailing slash from void elements
- * html: Drop type attribute value of text/javascript
- * janus: Drop unused reference to font-awesome
- * letsencrypt: Don't perform operations on apps that are not installed
- * locale: Update translations for German, Russian, Swedish
- * pagekite: Fix issue with adding custom services
- * tests: functional: Drop undefined 'sso' pytest mark
- * ui: Add rest of the icons used from fork-awesome set
- * ui: Better placement for dropdown indicator in dropdown button
- * ui: Drop fonts-fork-awesome as dependency
- * ui: Rename 'plinth_extras' template tags module to 'extras'
- * ui: Simplify SVG app icons for using them inline in HTML
- * ui: Use inline SVG icons for buttons, messages, spinners, etc.
- * wireguard: Add button for direct APK download
- * wireguard: Add entries for Homebrew and RPM packages
- * wireguard: Remove client entry for F-Droid which is not available
- * wireguard: Update windows client link
-
-== FreedomBox 26.4.2 (2026-03-08) ==
-
-=== Highlights ===
-
- * apache2: Disable pubtkt authentication module
-
-=== Other Changes ===
-
- * container: Hold freedombox packages during test setup
- * d/control: Trim deps for nocheck build profile
- * locale: Update translations for Albanian, Chinese (Simplified Han script), Czech, Russian, Turkish
- * Vagrantfile: Enable public network for bridged networking
-
-== FreedomBox 26.4 (2026-03-02) ==
-
-=== Highlights ===
-
- * backups: Enable key-based SSH authentication for remote backups
- * oidc: New app to implement OpenID Connect Provider
- * apache: Implement protecting apps using OpenID Connect
- * wireguard: Improve server section user experience flow
-
-=== Other Changes ===
-
- * *: Remove some absolute file paths in SVGs
- * *: Update URL base from /plinth to /freedombox
- * README/HACKING: Update weblate project path to /freedombox
- * Vagrantfile: Drop unnecessary sudo configuration for actions
- * action_utils: Drop support for link-local IPv6 addresses
- * action_utils: Fix issue with type checking a generator
- * action_utils: Implement utility to change umask temporarily
- * actions, privileged_daemon: Drop some unused global statements
- * apache: Fix diagnosing URLs protected by OpenID Connect
- * apache: Preserve host header when proxying to service
- * backups: Arrange form for adding remote location
- * backups: Avoid some repeated text in form help text
- * backups: Copy SSH client public key to remote
- * backups: Create .ssh folder before creating SSH key
- * backups: Create a better comment in the generated SSH key file
- * backups: Display SSH public key when adding remote
- * backups: Fix issue with Javascript in add remote location form
- * backups: Fix showing proper error for incorrect passphrase
- * backups: Fix type checking errors
- * backups: Generate SSH client key if needed
- * backups: Migrate to SSH key auth when mounting
- * backups: Minor refactoring
- * backups: Show/hide form elements instead of disabling for simplicity
- * backups: Simplify handling of migration to SSH keys
- * backups: Test adding/removing remote location
- * backups: Tweak appearance of add remote location form
- * backups: Use SSH key instead of password
- * backups: Use selected SSH credential for remote
- * backups: tests: Simplify functional test using more classes
- * bin: Add tool to change !FreedomBox password in Django database
- * calibre: Use OpenID Connect instead of pubtkt based SSO
- * cfg: Drop unused actions_dir option
- * cfg: Drop unused config_dir option
- * container: Align terminology in printed banner
- * db: Create a utility to get credentials from dbconfig
- * debian: Ensure that gbp creates a clean tarball prior to build
- * deluge: Use OpenID Connect instead of pubtkt based SSO
- * doc/dev: Set new theme for developer documentation
- * doc/dev: Use OpenID Connect instead of pubtkt based SSO
- * doc/dev: always have an up-to-date copyright year
- * ejabberd: Fix setting up certificates for multiple domains
- * email: Use OpenID Connect instead of pubtkt based SSO
- * featherwiki: Use OpenID Connect instead of pubtkt based SSO
- * gitweb: Fix issue with running post init due to missing method
- * gitweb: Use OpenID Connect instead of pubtkt based SSO
- * js: When page load fails during install, show it to user
- * letsencrypt: When copying certificate reset the umask reliably
- * locale/bg: Fix several translations with HTML links (Bulgarian)
- * locale/de: Fix several translations with HTML links (German)
- * locale: Update translations for Albanian, Catalan, Chinese (Simplified Han script), Czech, French, German, Greek, Italian, Swedish, Tamil, Turkish
- * matrixsynapse: Update apache config to proxy Synapse client API
- * miniflux: Get credentials from dbconfig-common directly
- * miniflux: Revert workaround for a packaging bug with DB connection
- * mumble: murmurd renamed to mumble-server
- * oidc: Style the page for authorizing an OIDC app
- * pyproject: Use new format to specify licenses
- * quassel: Explicitly set permissions on the domain configuration file
- * rssbridge: Use OpenID Connect instead of pubtkt based SSO
- * searx: Use OpenID Connect instead of pubtkt based SSO
- * sharing: Use OpenID Connect instead of pubtkt based SSO
- * sso: Merge into users module, drop pubtkt related code
- * syncthing: Use OpenID Connect instead of pubtkt based SSO
- * syncthing: tests: Fix tests by allowing rapid restarts
- * templates: Allow building pages without navigation bar and footer
- * tests: functional: Fix expecting !FreedomBox to be home page
- * tests: functional: Fix reloading error page during install/uninstall
- * tests: functional: Increase systemd rate limits for starting units
- * tiddlywiki: Use OpenID Connect instead of pubtkt based SSO
- * transmission: Use OpenID Connect instead of pubtkt based SSO
- * ui: Add animation for notification dismissal
- * ui: Dismiss notifications without page reload
- * ui: Refactor notification delete buttons to avoid repeating code
- * web_framework: Allow !FreedomBox apps to override templates
- * web_server: Log requests to WSGI app
- * wireguard: Accept/use netmask with IP address for server connection
- * wireguard: Fix format when showing multiple endpoints of the server
- * wireguard: Fix showing default route setting in server edit form
- * wireguard: Fix split tunneling
- * wireguard: Show status of default route in server information page
- * wireguard: filter .local addresses from showClient view
- * wireguard: show server vpn ip in show client page
- * wordpress: Use OpenID Connect instead of pubtkt based SSO when private
-
-== FreedomBox 26.3 (2026-02-02) ==
-
-=== Highlights ===
-
- * ui: Use HTMX to eliminate full page reloads
- * wireguard: Add 'Start Server' button to help with client setup
-
-=== Other Changes ===
-
- * debian: Follows policy 4.7.3
- * debian: Ignore lintian warning: service file missing Install section
- * debian: Remove default Rules-Requires-Root
- * debian: Remove preinst script
- * debian: Update copyright years
- * docs: Update container script usage
- * lintian: Remove mismatched overrides
- * locale: Update translations for Chinese (Simplified Han script), German, Italian, Turkish
- * Makefile: Fix removing extra license file
- * ui: Add HTMX as a dependency
- * ui: Use HTMX to update notifications on partial page updates
- * wireguard: Remove NM connections when app is uninstalled
- * wireguard: Show next available client IP in Add Client form
- * wireguard: Update functional tests to handle Start Server button
- * wireguard: Show server endpoint on main app page
-
-== FreedomBox 26.2 (2026-01-20) ==
-
- * gitweb: Fix deleting last repo disables app
- * locale: Update translations for Estonian, Italian
- * notifications: Close dropdown when clicking outside
-
-== FreedomBox 26.1 (2026-01-05) ==
-
- * container: Add aliases for start/stop commands
- * locale: Update translations for Albanian, Bulgarian, Chinese (Simplified Han script), Czech, Estonian, French, German, Italian, Russian, Turkish, Ukrainian
-
-== FreedomBox 25.17.1 (2025-12-15) ==
-
-=== Highlights ===
-
- * backups: Set proper permissions for backups-data directory
- * minetest: Rename Minetest to Luanti
-
-=== Other Changes ===
-
- * locale: Update translations for Albanian, Bulgarian, Czech, Estonian, Hindi, Italian, Russian, Turkish, Ukrainian
- * minetest: Remove legacy code, use new name, conf, etc.
- * transmission: Deal with changes in latest forky package
- * transmission: Remove obsolete apache redirects
- * vagrant: Enable EFI firmware
-
-== FreedomBox 25.17 (2025-12-08) ==
-
-=== Highlights ===
-
- * ui: Implement a toggle menu for setting dark mode
-
-=== Other Changes ===
-
- * homeassistant: Fix spelling in tests
- * locale: Fix python-brace-format error in Estonian
- * locale: Update translations for Catalan, Estonian, French, Russian
- * privileged: Don't log exception that are expected
- * ui: Dark theme color for tags text in an app card
- * ui: Drop colors defined in Bootstrap 5.3
- * ui: Fix dark theme color for disabled form elements
- * ui: Fix dark theme color for form help text
- * ui: Fix dark theme color for select-all button
- * ui: Fix dark theme colors for app enable/disable toggle button
- * ui: Fix dark theme colors for default button style
- * ui: Fix dark theme colors for running status indicator
- * ui: Minor CSS refactor to use variables
- * ui: Use default button style for tag buttons
- * upgrades: Use bootstrap spinner button instead of custom styling
-
-== FreedomBox 25.16 (2025-11-24) ==
-
-=== Highlights ===
-
- * dynamicdns: Use only IPv4 for GnuDIP protocol
- * janus: Allow app to be installed from Debian unstable
- * jsxc: Fix missing dependencies
-
-=== Other Changes ===
-
- * locale: Update translations for Albanian, Chinese (Simplified Han script), Czech, German, Italian, Russian, Turkish, Ukrainian
- * janus: Relax content security policy for the video room
- * janus: Update the video room code from latest upstream
- * jsxc: Update content security policy to prevent style errors
- * middleware: Implement middleware for common headers such as CSP
- * package: Prevent freedombox's deps from removal during app uninstall
-
-== FreedomBox 25.15 (2025-11-10) ==
-
-=== Highlights ===
-
- * help: Fix serving images from help pages
- * matrixsynapse: Explain federation and link to testing tool
-
-=== Other Changes ===
-
- * locale: Update translations for French, German, Italian
- * main: Allow setting development mode from environment
- * matrixsynapse: Clarify how to change domain name in status section
- * matrixsynapse: Explicitly set the trusted key server to matrix.org
- * README: Use the Weblate's language chart widget
- * Run service using systemd even for development
- * ttrss: Remove app not available in Trixie
- * views: Implement an API to retrieve the readiness status in JSON
-
 == FreedomBox 25.14 (2025-10-27) ==
 
  * Enable private tmp and join namespaces for the two daemons

doc/manual/en/Sharing.raw.wiki

@@ -20,13 +20,15 @@ The content can be shared publicly or restricted to the users of listed allowed
 
 === Setting Up Shares ===
 
- * In !FreedomBox web interface, enable the Sharing App. Only admins can create, edit or remove shares. They'll find the Sharing app in the Apps section of the !FreedomBox web interface. Many shares can coexist in the same server.
- * Add a new share
-   * Give it a name (an thereby the URL) with which the users will ask for the content. In the example above it would be called ''content_name''.
-   * The Disk Path of the content to be served. This path is relative to ''root'' on your !FreedomBox. For instance ''/var/lib/freedombox/sharing/content_name'' might be a choice.
-   * Sharing mode. On restricted mode, it also has the list of allowed groups. Only groups recognized by !FreedomBox service can be combined in the list of allowed groups. Groups created in the CLI won't be offered by the Sharing app. 
- * Create the directory specified under ''Disk Path'' on your !FreedomBox through ''Cockpit'', ''Nautilus'' or remote login.
- * Make sure the user, who will provide the content, has write access to that directory for instance by making him the owner of that directory. 
+For the users to access the content through their browser it must exist and have a share. A share is an entry in the Sharing app relating:
+ * the Name (an thereby the URL) with which the users will ask for the content,
+ * the Disk Path of the content to be served and
+ * the sharing mode. On restricted mode, it also has the list of allowed groups.
+Many shares can coexist in the same server.
+
+Only admins can create, edit or remove shares. They'll find the Sharing app in the Apps section of !FreedomBox web interface. Sharing app is an easy to use web application with an evident interface.
+
+Each share has its own sharing mode (public or restricted) setting. Only groups recognized by !FreedomBox service can be combined in the list of allowed groups. Groups created in the CLI won't be offered by the Sharing app. 
 
 === Providing/Updating Content ===
 

doc/manual/en/TinyTinyRSS.raw.wiki

@@ -11,7 +11,7 @@
 == Tiny Tiny RSS (News Feed Reader) ==
 ||<tablestyle="float: right;"> {{attachment:TinyTinyRSS-icon_en_V01.png|Tiny Tiny RSS icon}} ||
 
-'''Available since''': This app is no longer available since Debian Trixie. Please migrate to [[FreedomBox/Manual/Miniflux|Miniflux]] or [[FreedomBox/Manual/Nextcloud|Nextcloud News]].
+'''Available since''': version 0.9
 
 Tiny Tiny RSS is a news feed (RSS/Atom) reader and aggregator, designed to allow reading news from any location, while feeling as close to a real desktop application as possible.
 

doc/manual/en/Upgrades.raw.wiki

@@ -89,7 +89,7 @@ Here are some tips before you begin manual update to next stable release:
    * Radicale
  * Some packages may not be available after upgrade to next release. Please migrate to a similar application before or after the upgrade process. For upgrade to Debian 13 "trixie", the following apps are no longer available:
    * Janus. Use audio/video calling over Matrix or XMPP or audio calling over Mumble. This app will likely become available in future again.
-   * TT-RSS. Migrate to Miniflux or Nextcloud News.
+   * TT-RSS. Migrate to Miniflux.
    * Searx.
 
 To initiate the distribution update process, go to ''Software Update'' in ''System'' section. Then ''Enable auto-update'' and ''Enable auto-update to next stable release'' option. Then click on the ''Distribution Update'' button. Then click the ''Start Distribution Update'' button. The process may take several hours if your OS is on a slow disk such as an SD card. !FreedomBox web UI may not be available during upgrade. Refresh the page if the page errors out. Finally, allow more time for post-upgrade processes and restart the machine.

doc/manual/en/VirtualBox.raw.wiki

@@ -22,11 +22,12 @@ Follow the instructions on the [[FreedomBox/Download|download]] page to download
 
  1. Decompress the downloaded VDI image (tool for [[http://www.7-zip.org/|Windows]], [[http://unarchiver.c3.cx/unarchiver|Mac]]).
 
- 1. Create a new VM in the !VirtualBox UI with OS type ''Linux'' and Version ''Debian'' (32/64-bit according to the downloaded image). {{attachment:virtualbox-create-1.png|VirtualBox Name and OS dialog}}
+ 1. Create a new VM in the !VirtualBox UI with OS type ''Linux'' and Version ''Debian'' (32/64-bit according to the downloaded image).
+{{attachment:virtualbox_os_type.png|VirtualBox Name and OS dialog}}
 
- 1. In the ''Hardware'' dialog choose ''Enable EFI (special OSes only)''. You may increase the Base Memory and Processors if desired. {{attachment:virtualbox-create-2.png|VirtualBox Hardware dialog}}
+ 1. In the ''Hard disk'' dialog choose ''Use an existing virtual hard disk file'' and select the .vdi file you extracted in step 1.
 
- 1. In the ''Hard disk'' dialog choose ''Use an existing virtual hard disk file'' and select the .vdi file you extracted in step 1. {{attachment:virtualbox-create-3.png|VirtualBox Hard disk selector}} {{attachment:virtualbox-create-4.png|VirtualBox Hard disk dialog}}
+{{attachment:virtualbox_harddisk_file.png|VirtualBox Hard disk dialog}}
 
  1. When created, go to the virtual machine's Settings -> [Network] -> [Adapter 1]->[Attached to:] and choose the network type your want the machine to use according to the explanation in Network Configuration below. The recommended type is the ''Bridged adapter'' option, but be aware that this exposes the !FreedomBox's services to your entire local network.
 

doc/manual/es/APU.raw.wiki

@@ -2,7 +2,7 @@
 
 {{attachment:apu1d.jpg|PC Engines APU 1D|width=632,height=319}}
 
-[[https://www.pcengines.ch/apu.htm|PC Engines APU]] boards are single board computers with 3 Gigabit ethernet ports, a powerful AMD64 APU and Coreboot firmware.  !FreedomBox images built for AMD64 machines are tested to work well for [[http://www.pcengines.ch/apu1d.htm|APU1D]] and [[http://www.pcengines.ch/apu3b2.htm|APU3B ]] models and are expected to work also well on the other, very similar versions.
+[[http://www.pcengines.ch/apu1d.htm|PC Engines APU 1D]] is a single board computer with 3 Gigabit ethernet ports, a powerful AMD APU and Coreboot firmware.  !FreedomBox images built for AMD64 machines are tested to work well for it.
 
 '''Important:''' Read [[FreedomBox/Hardware|general advice]] about hardware before building a !FreedomBox with this single board computer.
 
@@ -21,26 +21,21 @@ Although untested, the following similar hardware is also likely to work well wi
   * [[http://www.pcengines.ch/apu2c4.htm|apu2c4]]
   * [[http://www.pcengines.ch/apu3a2.htm|apu3a2]]
   * [[http://www.pcengines.ch/apu3a4.htm|apu3a4]]
+  * [[http://www.pcengines.ch/apu3b2.htm|apu3b2]]
   * [[http://www.pcengines.ch/apu3b4.htm|apu3b4]]
 
-=== Installation ===
+=== Download ===
 
 !FreedomBox disk [[FreedomBox/Download|images]] for this hardware are available.  Follow the instructions on the [[FreedomBox/Download|download]] page to create a !FreedomBox SD card, USB disk, SSD or hard drive and boot into !FreedomBox.  Pick the image meant for all amd64 machines.
 
 An alternative to downloading these images is to [[InstallingDebianOn/Alix3d2|install Debian]] on the APU and then [[FreedomBox/Hardware/Debian|install FreedomBox]] on it.
 
-An [[https://github.com/huubsch/APU-Installation-HomeAssistant-Freedombox|installation manual]] tested on the APU3B is available on GitHub, including flashing with UEFI-BIOS
-
 === Networking ===
 
 The first network port, the left most one in the above picture, is configured by !FreedomBox to be an upstream Internet link and the remaining 2 ports are configured for local computers to connect to.
 
 === Availability ===
 
-PCEngines announced the [[https://www.pcengines.ch/eol.htm|phase-out]] of these boards in June 2023.
-
-In 2024 [[https://pcengines.github.io/|Dasharo announced the support of APU-boards]] : coreboot + SeaBIOS and coreboot+UEFI.
-
  * Price: 110 - 170 USD (depending on the board and supplier)
  * [[http://www.pcengines.ch/order.htm|PC Engines]]
  * [[http://www.pcengines.ch/order.htm|Full list of suppliers]]
@@ -48,17 +43,18 @@ In 2024 [[https://pcengines.github.io/|Dasharo announced the support of APU-boar
 === Hardware ===
 
  * Open Hardware: No
- * CPU: [[http://www.amd.com/en-gb/products/embedded/processors/g-series|AMD G series T40E]]; [[https://teklager.se/en/amd-gx-412tc-cpu-specification/|GX-412TC]], 1 GHz quad core (depending on model)
- * RAM: 2 GB DDR3-1066 DRAM - 4 GB (depending on model)
- * Storage: SD card, External USB, mSATA module
+ * CPU: [[http://www.amd.com/en-gb/products/embedded/processors/g-series|AMD G series T40E]]
+ * RAM: 2 GB DDR3-1066 DRAM
+ * Storage: SD card, External USB
  * Architecture: amd64
  * Ethernet: 3 Gigabit Ethernet ports
- * WiFi: wle200nx / wle600vx / wle900vx miniPCI express wireless modules
- * SATA: 1 mSATA-module and 1 SATA
+ * !WiFi: None, use a [[FreedomBox/Hardware/USBWiFi|USB WiFi device]]
+ * SATA: 1 m-SATA and 1 SATA
 
 === Non-Free Status ===
 
  * Non-free blobs required: No
+ * !WiFi: Not available
  * Boot firmware: [[http://www.pcengines.ch/apu1d.htm|Coreboot]]
 
 ## END_INCLUDE
@@ -66,4 +62,4 @@ In 2024 [[https://pcengines.github.io/|Dasharo announced the support of APU-boar
 <<Include(FreedomBox/Portal)>>
 
 ----
-CategoryFreedomBox CategoryFreedomBox
+CategoryFreedomBox

doc/manual/es/Hardware.raw.wiki

@@ -11,19 +11,8 @@ Además de soportar varios SBC's (single board computers) y otros dispositivos,
 
 == Hardware Recomendado ==
 
-=== Libre Crafts FreedomBox ===
+El 22 de Abril de 2019, la ''!FreedomBox Foundation'' anunció que los kits ''Pioneer Edition !FreedomBox Home Server'' salían a la [[https://freedomboxfoundation.org/buy/|venta]]. Este es el hardware preinstalado recomendado para todos los usuarios que no quieran construirse su propia (máquina) !FreedomBox eligiendo los componentes adecuados, descargando la imagen y preparando una tarjeta SD con (el software) !FreedomBox.
 
-Libre Crafts es una iniviativa de los propios desarrolladores de !FreedomBox para proporcionar una !FreedomBox potente capaz de alojar las necesidades más exigentes de un servidor casero.
-Los propios desarrolladores de !FreedomBox la montan. prueban y entregan. Tu compra ayuda al desarrollo de !FreedomBox.
-
-Esta máquina lleva un procesador potente, mucha memoria,  CPU, un disco de sitema operativo rápido, posibilidad de añador discos duros de alta capacidad, puertos Ethernet multi-gigabit duales, todo ello con bajo consumo.
-Úsalo para alojar todas tus fotos, las copias de respaldo de tus otros dispositivos, como NAS, como centro de control de domótica, como ordenador de sobremesa, y más, todo a la vez. 
-
-||<style="text-align: center;"> [[FreedomBox/Hardware/LibreCrafts|{{attachment:FreedomBox/libre-crafts.png|FreedomBox de Libre Crafts|height=300}}]]<<BR>> [[FreedomBox/Hardware/LibreCrafts|FreedomBox de Libre Crafts]] ||
-
-=== Olimex's FreedomBox Pioneer Edition ===
-
-On April 22nd, 2019, the !FreedomBox Foundation announced the [[https://freedomboxfoundation.org/buy/|sales]] of the Pioneer Edition !FreedomBox Home Server Kits. This pre-installed hardware is for all users who don't wish to build their own !FreedomBox by choosing the right components, downloading the image and preparing an SD card with !FreedomBox.
 El kit incluye todo el hardware necesario para arrancar un servidor casero !FreedomBox sobre una placa ''Olimex A20-OLinuXino-LIME2''. Este producto proporciona la combinación perfecta de hardware de fuentes abiertas y software libre. Al comprar este producto, soportas también los esfuerzos de la ''!FreedomBox Foundation'' para crear y promover su software de servidor libre.
 
 ||<style="text-align: center;"> [[es/FreedomBox/Hardware/PioneerEdition|{{attachment:FreedomBox/Hardware/pioneer-edition_thumb.jpg|Kits de servidor doméstico FreedomBox edición Pioneer|width=320,height=257}}]]<<BR>> [[es/FreedomBox/Hardware/PioneerEdition|Kits de servidor doméstico FreedomBox edición Pioneer]] ||

doc/manual/es/HomeAssistant.raw.wiki

@@ -20,7 +20,7 @@ La app Home Assistant se considera experimental en !FreedomBox, ya que es nueva
 
 === Hardware ===
 
-Home Assistant puede detectar, configurar, y usar varios dispositivos de la red local. Por ejemplo, si un dispositivo se conecta mediante Wi-Fi o LAN a la misma red que !FreedomBox, Home Assistant puede detectarlo, configurarlo, y usarlo. También se soportan otros protocolos de automatización como Thread, !ZigBee, y Z-Wave, pero requieren hardware adicional para conectarlos a tu !FreedomBox. Por ejemplo, si tienes un sensor de puerta que habla !ZigBee, necesitas conectar un adaptador !ZigBee USB a tu !FreedomBox. Home Assistant podrá entonces detectar y usar el  sensor de puerta en la red de !ZigBee.  '''Nota:''' Si conectas hardware como este a tu FreedomBox después de instalar la aplicación Home Assistant tendrás que deshabilitarla y volverla a habilitar para que lo detecte y lo use.
+Home Assistant puede detectar, configurar, y usar varios dispositivos de la red local. Por ejemplo, si un dispositivo se conecta mediante Wi-Fi o LAN a la misma red que !FreedomBox, Home Assistant puede detectarlo, configurarlo, y usarlo. También se soportan otros protocolos de automatización como Thread, !ZigBee, y Z-Wave, pero requieren hardware adicional para conectarlos a tu !FreedomBox. Por ejemplo, si tienes un sensor de puerta que habla !ZigBee, necesitas conectar un adaptador !ZigBee USB a tu !FreedomBox. Home Assistant podrá entonces detectar y usar el  sensor de puerta en la red de !ZigBee.
 
 Home Assistant es una solución completa si tu automatización del hogar necesita soportar miles de dispositivos. Puedes consultar si Home Assistant soporta un dispositivo visitando su página de [[https://www.home-assistant.io/integrations/|integraciones]]. Otros dispositivos similares a los soportados podrían estarlo aunque no figuren en la lista. Se recomienda comprar hardware etiquetado como compatible con Home Assistant.
 

doc/manual/es/PioneerEdition.raw.wiki

@@ -16,7 +16,7 @@ Los servidores caseros !FreedomBox Pioneer Edition los fabrica y vende Olimex, u
 == Características del Producto ==
 
 === HW Recomendado ===
-Éste es un hardware recomendado para los usuarios que quieran simplemente una !FreedomBox llave en mano, y '''no''' quieran '''construirse''' una.
+Éste es el hardware recomendado para los usuarios que quieran simplemente una !FreedomBox llave en mano, y '''no''' quieran '''construirse''' una.
 
 (Construir tu propia !FreedomBox implica algunos tecnicismos como elegir y comprar los componentes adecuados, descargar la imágen y preparar una tarjeta SD).
 

doc/manual/es/QuickStart.raw.wiki

@@ -22,25 +22,8 @@ Alternativamente podrías optar por montarlo tu mismo reuniendo todas las piezas
      * '''Nota:''' En la mayoría de computadoras monoplaca no esperes un efecto de salida en un monitor si lo conectas por HDMI porque el núcleo (kernel) del sistema podría no reconocerlo. Mira más abajo para aprender cómo acceder y controlar tu !FreedomBox desde la red.
   1. En el primer arranque !FreedomBox ejecutará su configuración inicial (las versiones más antiguas de !FreedomBox se reinician tras este paso). Este proceso podría llevar varios minutos en algunas máquinas. Después de darle unos 10 minutos aproximadamente, sigue con el siguiente paso.
   1. Después de que tu !FreedomBox haya finalizado su configuración inicial puedes acceder a su interfaz web mediante tu navegador web.
-     * Si tu ordenador soporta mDNS (GNU/Linux, Mac OSX o Windows con software mDNS instalado), puedes navegar a: http://freedombox.local/ (o a http://<el-hostname-que-estableciste-durante-la-instalación>.local/)
-     * Si tu ordenador está conectado a un monitor y !FreedomBox puede escribir en él, la petición de credenciales muestra la dirección de la web:
-     {{{
-     Debian GNU/Linux 13 freedombox tty1
-
-     FreedomBox
-
-     To start using FreedomBox and to create an account, access using a web browser
-     one of the following URLs.
-
-     http://freedombox.local/
-     http://192.168.0.2/
-     http://[fe80::7207:12ff:fe34:5678]/
-
-     ...
-
-     freedombox login:
-     }}}
      * Si tu ordenador está conectado directamente a tu !FreedomBox a través de un segundo puerto ''Ethernet'' de la red local, puedes navegar a http://freedombox/ o a http://10.42.0.1/.
+     * Si tu ordenador soporta mDNS (GNU/Linux, Mac OSX o Windows con software mDNS instalado), puedes navegar a: http://freedombox.local/ (o a http://<el-hostname-que-estableciste-durante-la-instalación>.local/)
      * Si te manejas con el interfaz web de tu router, puedes buscar allí la dirección IP de tu !FreedomBox y navegar a ella.
      * Si no están disponibles ninguno de estos métodos necesitarás averiguar la dirección IP de tu !FreedomBox. Puedes usar el programa "nmap" de tu ordenador para encontrar su dirección IP:
      {{{

doc/manual/es/ReleaseNotes.raw.wiki

@@ -8,262 +8,6 @@ For more technical details, see the [[https://salsa.debian.org/freedombox-team/f
 
 The following are the release notes for each !FreedomBox version.
 
-== FreedomBox 26.5 (2026-03-23) ==
-
-=== Highlights ===
-
- * action_utils: Don't restart web interface when installing an app
- * apache: Use a Uwsgi native socket systemd unit for each app
- * ui: Use inline SVG icons for all apps
- * wireguard: Fix freedombox VPN IP for services
-
-=== Other Changes ===
-
- * action_utils: Stop associated service when stopping a socket unit
- * apache: Increase OpenID Connect RP session timeout activity
- * apache: Minor improvement to getting the request host
- * app: Fix build issue with Django 5.x
- * clients: Fix formatting of package row in table
- * clients: Fix show empty clients in Desktop section
- * clients: Use SVG icons when showing external links
- * container: Add option to skip install
- * container: Fix image extension to .raw for systemd v260
- * doc: Reduce verbosity when building documentation
- * html: Drop trailing slash from void elements
- * html: Drop type attribute value of text/javascript
- * janus: Drop unused reference to font-awesome
- * letsencrypt: Don't perform operations on apps that are not installed
- * locale: Update translations for German, Russian, Swedish
- * pagekite: Fix issue with adding custom services
- * tests: functional: Drop undefined 'sso' pytest mark
- * ui: Add rest of the icons used from fork-awesome set
- * ui: Better placement for dropdown indicator in dropdown button
- * ui: Drop fonts-fork-awesome as dependency
- * ui: Rename 'plinth_extras' template tags module to 'extras'
- * ui: Simplify SVG app icons for using them inline in HTML
- * ui: Use inline SVG icons for buttons, messages, spinners, etc.
- * wireguard: Add button for direct APK download
- * wireguard: Add entries for Homebrew and RPM packages
- * wireguard: Remove client entry for F-Droid which is not available
- * wireguard: Update windows client link
-
-== FreedomBox 26.4.2 (2026-03-08) ==
-
-=== Highlights ===
-
- * apache2: Disable pubtkt authentication module
-
-=== Other Changes ===
-
- * container: Hold freedombox packages during test setup
- * d/control: Trim deps for nocheck build profile
- * locale: Update translations for Albanian, Chinese (Simplified Han script), Czech, Russian, Turkish
- * Vagrantfile: Enable public network for bridged networking
-
-== FreedomBox 26.4 (2026-03-02) ==
-
-=== Highlights ===
-
- * backups: Enable key-based SSH authentication for remote backups
- * oidc: New app to implement OpenID Connect Provider
- * apache: Implement protecting apps using OpenID Connect
- * wireguard: Improve server section user experience flow
-
-=== Other Changes ===
-
- * *: Remove some absolute file paths in SVGs
- * *: Update URL base from /plinth to /freedombox
- * README/HACKING: Update weblate project path to /freedombox
- * Vagrantfile: Drop unnecessary sudo configuration for actions
- * action_utils: Drop support for link-local IPv6 addresses
- * action_utils: Fix issue with type checking a generator
- * action_utils: Implement utility to change umask temporarily
- * actions, privileged_daemon: Drop some unused global statements
- * apache: Fix diagnosing URLs protected by OpenID Connect
- * apache: Preserve host header when proxying to service
- * backups: Arrange form for adding remote location
- * backups: Avoid some repeated text in form help text
- * backups: Copy SSH client public key to remote
- * backups: Create .ssh folder before creating SSH key
- * backups: Create a better comment in the generated SSH key file
- * backups: Display SSH public key when adding remote
- * backups: Fix issue with Javascript in add remote location form
- * backups: Fix showing proper error for incorrect passphrase
- * backups: Fix type checking errors
- * backups: Generate SSH client key if needed
- * backups: Migrate to SSH key auth when mounting
- * backups: Minor refactoring
- * backups: Show/hide form elements instead of disabling for simplicity
- * backups: Simplify handling of migration to SSH keys
- * backups: Test adding/removing remote location
- * backups: Tweak appearance of add remote location form
- * backups: Use SSH key instead of password
- * backups: Use selected SSH credential for remote
- * backups: tests: Simplify functional test using more classes
- * bin: Add tool to change !FreedomBox password in Django database
- * calibre: Use OpenID Connect instead of pubtkt based SSO
- * cfg: Drop unused actions_dir option
- * cfg: Drop unused config_dir option
- * container: Align terminology in printed banner
- * db: Create a utility to get credentials from dbconfig
- * debian: Ensure that gbp creates a clean tarball prior to build
- * deluge: Use OpenID Connect instead of pubtkt based SSO
- * doc/dev: Set new theme for developer documentation
- * doc/dev: Use OpenID Connect instead of pubtkt based SSO
- * doc/dev: always have an up-to-date copyright year
- * ejabberd: Fix setting up certificates for multiple domains
- * email: Use OpenID Connect instead of pubtkt based SSO
- * featherwiki: Use OpenID Connect instead of pubtkt based SSO
- * gitweb: Fix issue with running post init due to missing method
- * gitweb: Use OpenID Connect instead of pubtkt based SSO
- * js: When page load fails during install, show it to user
- * letsencrypt: When copying certificate reset the umask reliably
- * locale/bg: Fix several translations with HTML links (Bulgarian)
- * locale/de: Fix several translations with HTML links (German)
- * locale: Update translations for Albanian, Catalan, Chinese (Simplified Han script), Czech, French, German, Greek, Italian, Swedish, Tamil, Turkish
- * matrixsynapse: Update apache config to proxy Synapse client API
- * miniflux: Get credentials from dbconfig-common directly
- * miniflux: Revert workaround for a packaging bug with DB connection
- * mumble: murmurd renamed to mumble-server
- * oidc: Style the page for authorizing an OIDC app
- * pyproject: Use new format to specify licenses
- * quassel: Explicitly set permissions on the domain configuration file
- * rssbridge: Use OpenID Connect instead of pubtkt based SSO
- * searx: Use OpenID Connect instead of pubtkt based SSO
- * sharing: Use OpenID Connect instead of pubtkt based SSO
- * sso: Merge into users module, drop pubtkt related code
- * syncthing: Use OpenID Connect instead of pubtkt based SSO
- * syncthing: tests: Fix tests by allowing rapid restarts
- * templates: Allow building pages without navigation bar and footer
- * tests: functional: Fix expecting !FreedomBox to be home page
- * tests: functional: Fix reloading error page during install/uninstall
- * tests: functional: Increase systemd rate limits for starting units
- * tiddlywiki: Use OpenID Connect instead of pubtkt based SSO
- * transmission: Use OpenID Connect instead of pubtkt based SSO
- * ui: Add animation for notification dismissal
- * ui: Dismiss notifications without page reload
- * ui: Refactor notification delete buttons to avoid repeating code
- * web_framework: Allow !FreedomBox apps to override templates
- * web_server: Log requests to WSGI app
- * wireguard: Accept/use netmask with IP address for server connection
- * wireguard: Fix format when showing multiple endpoints of the server
- * wireguard: Fix showing default route setting in server edit form
- * wireguard: Fix split tunneling
- * wireguard: Show status of default route in server information page
- * wireguard: filter .local addresses from showClient view
- * wireguard: show server vpn ip in show client page
- * wordpress: Use OpenID Connect instead of pubtkt based SSO when private
-
-== FreedomBox 26.3 (2026-02-02) ==
-
-=== Highlights ===
-
- * ui: Use HTMX to eliminate full page reloads
- * wireguard: Add 'Start Server' button to help with client setup
-
-=== Other Changes ===
-
- * debian: Follows policy 4.7.3
- * debian: Ignore lintian warning: service file missing Install section
- * debian: Remove default Rules-Requires-Root
- * debian: Remove preinst script
- * debian: Update copyright years
- * docs: Update container script usage
- * lintian: Remove mismatched overrides
- * locale: Update translations for Chinese (Simplified Han script), German, Italian, Turkish
- * Makefile: Fix removing extra license file
- * ui: Add HTMX as a dependency
- * ui: Use HTMX to update notifications on partial page updates
- * wireguard: Remove NM connections when app is uninstalled
- * wireguard: Show next available client IP in Add Client form
- * wireguard: Update functional tests to handle Start Server button
- * wireguard: Show server endpoint on main app page
-
-== FreedomBox 26.2 (2026-01-20) ==
-
- * gitweb: Fix deleting last repo disables app
- * locale: Update translations for Estonian, Italian
- * notifications: Close dropdown when clicking outside
-
-== FreedomBox 26.1 (2026-01-05) ==
-
- * container: Add aliases for start/stop commands
- * locale: Update translations for Albanian, Bulgarian, Chinese (Simplified Han script), Czech, Estonian, French, German, Italian, Russian, Turkish, Ukrainian
-
-== FreedomBox 25.17.1 (2025-12-15) ==
-
-=== Highlights ===
-
- * backups: Set proper permissions for backups-data directory
- * minetest: Rename Minetest to Luanti
-
-=== Other Changes ===
-
- * locale: Update translations for Albanian, Bulgarian, Czech, Estonian, Hindi, Italian, Russian, Turkish, Ukrainian
- * minetest: Remove legacy code, use new name, conf, etc.
- * transmission: Deal with changes in latest forky package
- * transmission: Remove obsolete apache redirects
- * vagrant: Enable EFI firmware
-
-== FreedomBox 25.17 (2025-12-08) ==
-
-=== Highlights ===
-
- * ui: Implement a toggle menu for setting dark mode
-
-=== Other Changes ===
-
- * homeassistant: Fix spelling in tests
- * locale: Fix python-brace-format error in Estonian
- * locale: Update translations for Catalan, Estonian, French, Russian
- * privileged: Don't log exception that are expected
- * ui: Dark theme color for tags text in an app card
- * ui: Drop colors defined in Bootstrap 5.3
- * ui: Fix dark theme color for disabled form elements
- * ui: Fix dark theme color for form help text
- * ui: Fix dark theme color for select-all button
- * ui: Fix dark theme colors for app enable/disable toggle button
- * ui: Fix dark theme colors for default button style
- * ui: Fix dark theme colors for running status indicator
- * ui: Minor CSS refactor to use variables
- * ui: Use default button style for tag buttons
- * upgrades: Use bootstrap spinner button instead of custom styling
-
-== FreedomBox 25.16 (2025-11-24) ==
-
-=== Highlights ===
-
- * dynamicdns: Use only IPv4 for GnuDIP protocol
- * janus: Allow app to be installed from Debian unstable
- * jsxc: Fix missing dependencies
-
-=== Other Changes ===
-
- * locale: Update translations for Albanian, Chinese (Simplified Han script), Czech, German, Italian, Russian, Turkish, Ukrainian
- * janus: Relax content security policy for the video room
- * janus: Update the video room code from latest upstream
- * jsxc: Update content security policy to prevent style errors
- * middleware: Implement middleware for common headers such as CSP
- * package: Prevent freedombox's deps from removal during app uninstall
-
-== FreedomBox 25.15 (2025-11-10) ==
-
-=== Highlights ===
-
- * help: Fix serving images from help pages
- * matrixsynapse: Explain federation and link to testing tool
-
-=== Other Changes ===
-
- * locale: Update translations for French, German, Italian
- * main: Allow setting development mode from environment
- * matrixsynapse: Clarify how to change domain name in status section
- * matrixsynapse: Explicitly set the trusted key server to matrix.org
- * README: Use the Weblate's language chart widget
- * Run service using systemd even for development
- * ttrss: Remove app not available in Trixie
- * views: Implement an API to retrieve the readiness status in JSON
-
 == FreedomBox 25.14 (2025-10-27) ==
 
  * Enable private tmp and join namespaces for the two daemons

doc/manual/es/Sharing.raw.wiki

@@ -19,15 +19,15 @@ El contenido se puede compartir públicamente o restringido a usuarios de una li
 
 === Editando comparticiones ===
 
-Cada compartición tiene su propio ajuste de modo de compartición (pública o restringida). Sólo los grupos que reconoce el servicio !FreedomBox se pueden combinar en la lista de grupos autorizados. La aplicación ''Sharing'' no ofrecerá los grupos creados en el interfaz de línea de órdenes. 
+Para que los usuarios accedan al contenido mediante su navegador debe existir y tener una compartición. Una compartición es una entrada en la aplicación Sharing que relaciona:
+ * El Nombre (y por tanto la URL) que usarán los usuarios para solicitar el contenido,
+ * el Ruta de acceso al contenido a servir y
+ * el modo de compartición. Si es restringido, también contendrá la lista de grupos autorizados.
+En el mismo servidor pueden coexistir múltiples comparticiones.
 
- * In el interfaz web de !FreedomBox, habilita la App ''Sharing''. Sólo los administradores pueden crear, editar o eliminar comparticiones. Encontrarán la aplicación ''Sharing'' en la sección Aplicaciones del interfaz web de !FreedomBox. En el mismo servidor pueden coexistir múltiples comparticiones.
- * Añadir una nueva compartición:
-   * Dale un nombre (y por tanto la URL) que usarán los usuarios para solicitar el contenido, En el ejemplo anterior se llamaría  ''nombre del contenido''.
-   * La Ruta completa de acceso al contenido a servir. Por ejemplo ''/var/lib/freedombox/sharing/nombre_del_contenido''.
-   * El modo de compartición. Si es restringido, también contendrá la lista de grupos autorizados. Solo los grupos reconocidos por el servicio !FreedomBox se pueden combinar en la lista de grupos autorizados. La app no ofrecerá los grupos creados sólo en la línea de órdenes. 
- * Crea el directorio especificado en ''Ruta de Disco'' en !FreedomBox mediante ''Cockpit'', ''Nautilus'' o ingreso remoto.
- * Asegúrate de que el usuario que proporcione el contenido tiene permiso para escribir en el directorio, por ejemplo, haciéndole dueño del directorio. 
+Sólo los administradores pueden crear, editar o eliminar comparticiones. Encontrarán la aplicación ''Sharing'' en la sección Aplicacions del interfaz web de !FreedomBox. La aplicación ''Sharing'' es una aplicación web fácil de usar y con un interfaz evidente.
+
+Cada compartición tiene su priopio ajuste de modo de compartición (pública o restrigida). Sólo los grupos que reconoce el servicio !FreedomBox se pueden combinar en la lista de grupos autorizados. La aplicación ''Sharing'' no ofrecerá los grupos creados en el interfaz de línea de órdenes. 
 
 === Provisionar/actualizar el contenido ===
 

doc/manual/es/TinyTinyRSS.raw.wiki

@@ -9,7 +9,7 @@
 == Tiny Tiny RSS (Lector de Feeds de Noticias) ==
 ||<tablestyle="float: right;"> {{attachment:FreedomBox/Manual/TinyTinyRSS/TinyTinyRSS-icon_en_V01.png|Tiny Tiny RSS icon}} ||
 
-'''Disponible desde''': Desde Debian Trixie esta aplicación ya no está disponible. Por favor, migra a [[es/FreedomBox/Manual/Miniflux|Miniflux]] or [[es/FreedomBox/Manual/Nextcloud|Nextcloud News]].
+'''Disponible desde''': versión 0.9
 
 ''Tiny Tiny RSS'' es un lector y agregador de ''feeds'' de noticias (RSS/Atom) diseñado para leer noticias desde cualquier lugar con una experiencia lo más parecida posible a una aplicación de escritorio.
 

doc/manual/es/Upgrades.raw.wiki

@@ -86,7 +86,7 @@ Para la mayoría de los usuarios se recomienda la autoactualización. Si no obst
 
 Algunos paquetes podrían no estar disponibles tras una actualización de publicación. Por favor, migra a una aplicación similar. Al actualizar a Debian 13 "trixie", las siguentes aplicaciones dejan de estar disponibles:
    * Janus. Usa Matrix o XMPP para llamadas de video o Mumble para audio. Esta app probáblemente vuelva a estar disponible en el futuro.
-   * TT-RSS. Migra a Miniflux o a Nextcloud News.
+   * TT-RSS. Migra a Miniflux.
    * Searx.
 
 Para iniciar el proceso de actualización de publicación, ve a ''Actualización de Software'' en la sección ''Sistema''. Luego ''Habilitar autoactualización'' y la opción ''Habilitar autoactualización a la siguiente publicación estable''. Entonces haz clic en el botón ''Actualización de Distibución''. Y luego en ''Iniciar Actualización de Distibución''. El proceso podría llegar varias horas si tu sistema operativo reside en un almacenamiento lento como una tarjeta SD. El interfaz web de !FreedomBox podría estar indisponible durante la actualización. Refresca la página si muestra errores. Finalmente, espera a los procesos de post-actualización y reinicia la máquina.

doc/manual/es/VirtualBox.raw.wiki

@@ -22,11 +22,12 @@ Follow the instructions on the [[FreedomBox/Download|download]] page to download
 
  1. Decompress the downloaded VDI image (tool for [[http://www.7-zip.org/|Windows]], [[http://unarchiver.c3.cx/unarchiver|Mac]]).
 
- 1. Create a new VM in the !VirtualBox UI with OS type ''Linux'' and Version ''Debian'' (32/64-bit according to the downloaded image). {{attachment:virtualbox-create-1.png|VirtualBox Name and OS dialog}}
+ 1. Create a new VM in the !VirtualBox UI with OS type ''Linux'' and Version ''Debian'' (32/64-bit according to the downloaded image).
+{{attachment:virtualbox_os_type.png|VirtualBox Name and OS dialog}}
 
- 1. In the ''Hardware'' dialog choose ''Enable EFI (special OSes only)''. You may increase the Base Memory and Processors if desired. {{attachment:virtualbox-create-2.png|VirtualBox Hardware dialog}}
+ 1. In the ''Hard disk'' dialog choose ''Use an existing virtual hard disk file'' and select the .vdi file you extracted in step 1.
 
- 1. In the ''Hard disk'' dialog choose ''Use an existing virtual hard disk file'' and select the .vdi file you extracted in step 1. {{attachment:virtualbox-create-3.png|VirtualBox Hard disk selector}} {{attachment:virtualbox-create-4.png|VirtualBox Hard disk dialog}}
+{{attachment:virtualbox_harddisk_file.png|VirtualBox Hard disk dialog}}
 
  1. When created, go to the virtual machine's Settings -> [Network] -> [Adapter 1]->[Attached to:] and choose the network type your want the machine to use according to the explanation in Network Configuration below. The recommended type is the ''Bridged adapter'' option, but be aware that this exposes the !FreedomBox's services to your entire local network.
 

doc/plinth.xml

@@ -73,8 +73,8 @@
           <para>
             This the URL fragment under which Plinth will provide its services.
             Plinth is shipped with a default value of
-            <filename>/freedombox</filename>. This means that Plinth will be
-            available as http://localhost:8000/freedombox by default.
+            <filename>/plinth</filename>. This means that Plinth will be
+            available as http://localhost:8000/plinth by default.
           </para>
         </listitem>
       </varlistentry>
@@ -194,7 +194,7 @@
       <synopsis>$ plinth --server_dir='/myurl'</synopsis>
       <para>
         Run Plinth with the '/myurl' prefix. Note that Apache forwards requests
-        to '/freedombox' by default, so /myurl is not accessible outside of your
+        to '/plinth' by default, so /myurl is not accessible outside of your
         FreedomBox without adapting the apache configuration.
       </para>
     </example>

doc/scripts/wikiparser.py

@@ -13,7 +13,7 @@ from pathlib import Path
 from xml.sax.saxutils import escape
 
 BASE_URL = 'https://wiki.debian.org/'
-LOCAL_BASE = '/freedombox/help/manual/{lang}/'
+LOCAL_BASE = '/plinth/help/manual/{lang}/'
 ICONS_DIR = 'icons'
 
 DEFAULT_LANGUAGE = 'en'
@@ -624,21 +624,21 @@ def resolve_url(url, context):
 
     Locally available page in default language => shortcut to local copy:
     >>> resolve_url('FreedomBox/Contribute', {'language': '', 'title': ''})
-    '/freedombox/help/manual/en/Contribute#'
+    '/plinth/help/manual/en/Contribute#'
 
     Translated available page => shortcut to local copy:
     >>> resolve_url('es/FreedomBox/Contribute', {'language': '', 'title': ''})
-    '/freedombox/help/manual/es/Contribute#'
+    '/plinth/help/manual/es/Contribute#'
 
     Available page in default language refferred as translated => shortcut to
     local copy:
     >>> resolve_url('en/FreedomBox/Contribute', {'language': '', 'title': ''})
-    '/freedombox/help/manual/en/Contribute#'
+    '/plinth/help/manual/en/Contribute#'
 
     Unrecognized language => handle considering it as default language:
     >>> resolve_url('missing/FreedomBox/Contribute', {'language': '', \
     'title': ''})
-    '/freedombox/help/manual/en/Contribute#'
+    '/plinth/help/manual/en/Contribute#'
     """
 
     # Process first all easy, straight forward cases:
@@ -1191,11 +1191,11 @@ from="## BEGIN_INCLUDE", to="## END_INCLUDE")>>')
     [Paragraph([PlainText('a')]), Paragraph([PlainText('b ')])]
     >>> parse_wiki('{{{#!wiki caution\\n\\nOnce some other app is set as the \
 home page, you can only navigate to the !FreedomBox Service (Plinth) by \
-typing https://myfreedombox.rocks/freedombox/ into the browser. <<BR>>\\n\
+typing https://myfreedombox.rocks/plinth/ into the browser. <<BR>>\\n\
 ''/freedombox'' can also be used as an alias to ''/plinth''\\n}}}')
     [Admonition('caution', [Paragraph([PlainText('Once some other app is set \
 as the home page, you can only navigate to the FreedomBox Service (Plinth) by \
-typing '), Url('https://myfreedombox.rocks/freedombox/'), PlainText(' into the \
+typing '), Url('https://myfreedombox.rocks/plinth/'), PlainText(' into the \
 browser. ')]), Paragraph([PlainText('/freedombox can also be used as an alias \
 to /plinth ')])])]
 
@@ -1761,7 +1761,7 @@ Features introduction</ulink>'
 
     >>> generate_inner_docbook([Link('../../Contribute', \
 [PlainText('Contribute')])], context={'title': 'FreedomBox/Manual/Hardware'})
-    '<ulink url="/freedombox/help/manual/en/Contribute#">\
+    '<ulink url="/plinth/help/manual/en/Contribute#">\
 Contribute</ulink>'
 
     >>> generate_inner_docbook([Link('/Code', \
@@ -1772,9 +1772,9 @@ Code</ulink>'
     >>> generate_inner_docbook([Link('DebianBug:1234', [PlainText('Bug')])])
     '<ulink url="https://bugs.debian.org/1234#">Bug</ulink>'
 
-    >>> generate_inner_docbook([Link('DebianPkg:freedombox', \
+    >>> generate_inner_docbook([Link('DebianPkg:plinth', \
 [PlainText('Plinth')])])
-    '<ulink url="https://packages.debian.org/freedombox#">Plinth</ulink>'
+    '<ulink url="https://packages.debian.org/plinth#">Plinth</ulink>'
 
     >>> generate_inner_docbook([Link('AliothList:freedombox-discuss', \
 [PlainText('Discuss')])])
@@ -1911,7 +1911,7 @@ PlainText(' on it. ')])])
     '<para>An alternative to downloading these images is to \
 <ulink url="https://wiki.debian.org/InstallingDebianOn/TI/BeagleBone#">\
  install Debian</ulink> on the BeagleBone and then \
-<ulink url="/freedombox/help/manual/en/Debian#">install \
+<ulink url="/plinth/help/manual/en/Debian#">install \
 FreedomBox</ulink> on it. </para>'
 
     >>> generate_inner_docbook([Paragraph([PlainText('After Roundcube is \

plinth/__init__.py

@@ -3,4 +3,4 @@
 Package init file.
 """
 
-__version__ = '26.5'
+__version__ = '25.14'

plinth/__main__.py

@@ -3,7 +3,6 @@
 
 import argparse
 import logging
-import os
 import sys
 import threading
 
@@ -122,8 +121,7 @@ def main():
     arguments = parse_arguments()
 
     cfg.read()
-    if arguments.develop or os.getenv('FREEDOMBOX_DEVELOP', '') == '1':
-        cfg.develop = True
+    if arguments.develop:
         # Use the config in the current working directory
         cfg.read_file(cfg.get_develop_config_path())
 

plinth/action_utils.py

@@ -10,7 +10,6 @@ import shutil
 import subprocess
 import tempfile
 from contextlib import contextmanager
-from typing import Generator
 
 import augeas
 
@@ -18,6 +17,9 @@ from . import actions
 
 logger = logging.getLogger(__name__)
 
+UWSGI_ENABLED_PATH = '/etc/uwsgi/apps-enabled/{config_name}.ini'
+UWSGI_AVAILABLE_PATH = '/etc/uwsgi/apps-available/{config_name}.ini'
+
 # Flag on disk to indicate if freedombox package was held by
 # plinth. This is a backup in case the process is interrupted and hold
 # is not released.
@@ -120,14 +122,6 @@ def service_disable(service_name: str, check: bool = False):
     except subprocess.CalledProcessError:
         pass
 
-    if service_name.endswith('.socket'):
-        # Instead, may need to query the unit for associated .service file.
-        base_name = service_name.rpartition('.')[0]
-        try:
-            service_stop(f'{base_name}.service', check=check)
-        except subprocess.CalledProcessError:
-            pass
-
 
 def service_mask(service_name: str, check: bool = False):
     """Mask a service"""
@@ -315,6 +309,43 @@ class WebserverChange:
         self.actions_required.add(action_required)
 
 
+def uwsgi_is_enabled(config_name):
+    """Return whether a uwsgi config is enabled."""
+    enabled_path = UWSGI_ENABLED_PATH.format(config_name=config_name)
+    return os.path.exists(enabled_path)
+
+
+def uwsgi_enable(config_name):
+    """Enable a uwsgi configuration that runs under uwsgi."""
+    if uwsgi_is_enabled(config_name):
+        return
+
+    # uwsgi is started/stopped using init script. We don't know if it can
+    # handle some configuration already running against newly enabled
+    # configuration. So, stop first before enabling new configuration.
+    service_stop('uwsgi')
+
+    enabled_path = UWSGI_ENABLED_PATH.format(config_name=config_name)
+    available_path = UWSGI_AVAILABLE_PATH.format(config_name=config_name)
+    os.symlink(available_path, enabled_path)
+
+    service_enable('uwsgi')
+    service_start('uwsgi')
+
+
+def uwsgi_disable(config_name):
+    """Disable a uwsgi configuration that runs under uwsgi."""
+    if not uwsgi_is_enabled(config_name):
+        return
+
+    # If uwsgi is restarted later, it won't stop the just disabled
+    # configuration due to how init scripts are written for uwsgi.
+    service_stop('uwsgi')
+    enabled_path = UWSGI_ENABLED_PATH.format(config_name=config_name)
+    os.unlink(enabled_path)
+    service_start('uwsgi')
+
+
 def get_addresses() -> list[dict[str, str | bool]]:
     """Return a list of IP addresses and hostnames."""
     addresses = get_ip_addresses()
@@ -339,13 +370,12 @@ def get_addresses() -> list[dict[str, str | bool]]:
         'url_address': hostname
     })
 
-    # When a hostname is resolved to IPv6 address, it may likely be link-local
-    # address. Link local IPv6 addresses are valid only for a given link and
-    # need to be scoped with interface name such as '%eth0' to work. Browsers
-    # refused to implement support for link-local addresses (with zone IDs) in
-    # URLs due to platform specific parsing rules and other implementation
-    # difficulties. mod_auth_openidc does not support them either.
+    # XXX: When a hostname is resolved to IPv6 address, it may likely
+    # be link-local address.  Link local IPv6 addresses are valid only
+    # for a given link and need to be scoped with interface name such
+    # as '%eth0' to work.  Tools such as curl don't seem to handle
     # this correctly.
+    # addresses.append({'kind': '6', 'address': hostname, 'numeric': False})
 
     return addresses
 
@@ -367,15 +397,13 @@ def get_ip_addresses() -> list[dict[str, str | bool]]:
         }
 
         if address['kind'] == '6' and address['numeric']:
-            address['url_address'] = '[{0}]'.format(address['address'])
+            if address['scope'] != 'link':
+                address['url_address'] = '[{0}]'.format(address['address'])
+            else:
+                address['url_address'] = '[{0}%{1}]'.format(
+                    address['url_address'], address['interface'])
 
-        if address['scope'] != 'link':
-            # Do not include link local addresses. Browsers refused to
-            # implement support for link-local addresses (with zone IDs) in
-            # URLs due to platform specific parsing rules and other
-            # implementation difficulties. mod_auth_openidc does not support
-            # them either.
-            addresses.append(address)
+        addresses.append(address)
 
     return addresses
 
@@ -437,31 +465,9 @@ def is_disk_image():
     return os.path.exists('/var/lib/freedombox/is-freedombox-disk-image')
 
 
-def run_apt_command(arguments, enable_triggers: bool = False,
-                    allow_freedombox_restart=False):
+def run_apt_command(arguments, enable_triggers: bool = False):
     """Run apt-get with provided arguments."""
-    command = []
-    if not allow_freedombox_restart:
-        # Don't restart the freedombox web service. This configuration is only
-        # used when apt command is invoked from freedombox web service itself
-        # (such as during an app's installation/uninstallation).
-        #
-        # If this is not done, a freedombox web service restart is attempted.
-        # needsrestart will wait until the restart is completed. apt command
-        # will wait until needsrestart is completed. The restart mechanism in
-        # service will wait until all currently running threads are completed.
-        # One thread that has invoked this apt command will not finish as it
-        # waits for apt command to finish. This results in a deadlock. Avoid
-        # this by not attempting to restart freedombox web service when apt
-        # command is invoked from freedombox web service.
-        mount_path = '/etc/needrestart/conf.d/freedombox-self.conf'
-        orig_path = f'/usr/share/freedombox{mount_path}'
-        command = [
-            'systemd-run', '--pipe',
-            f'--property=BindReadOnlyPaths={orig_path}:{mount_path}'
-        ]
-
-    command += ['apt-get', '--assume-yes', '--quiet=2'] + arguments
+    command = ['apt-get', '--assume-yes', '--quiet=2'] + arguments
 
     env = os.environ.copy()
     env['DEBIAN_FRONTEND'] = 'noninteractive'
@@ -832,13 +838,3 @@ def run(command, **kwargs):
         raise exception
 
     return process
-
-
-@contextmanager
-def umask(mask) -> Generator:
-    """Set the umask temporarily for a operation and then revert it."""
-    old_umask = os.umask(mask)
-    try:
-        yield
-    finally:
-        os.umask(old_umask)

plinth/actions.py

@@ -130,9 +130,6 @@ def run_privileged_method(func, module_name, action_name, args, kwargs):
     if raw_output:
         request['raw_output'] = raw_output
 
-    if not log_error:
-        request['log_error'] = False
-
     client_socket = _request_to_server(request)
 
     if raw_output:
@@ -369,6 +366,7 @@ class JSONEncoder(json.JSONEncoder):
 
 def _setup_thread_storage():
     """Setup collection of stdout/stderr from any process in this thread."""
+    global thread_storage
     thread_storage.stdout = b''
     thread_storage.stderr = b''
 
@@ -379,12 +377,14 @@ def _clear_thread_storage():
     Python documentation is silent on whether thread local storage will be
     cleaned up after a thread terminates.
     """
+    global thread_storage
     thread_storage.stdout = None
     thread_storage.stderr = None
 
 
 def get_return_value_from_exception(exception):
     """Return the value to return from server when an exception is raised."""
+    global thread_storage
     return_value = {
         'result': 'exception',
         'exception': {
@@ -424,19 +424,14 @@ def privileged_handle_json_request(
                                                       bool):
             raise TypeError('Incorrect "raw_output" parameter')
 
-        if 'log_error' in request and not isinstance(request['log_error'],
-                                                     bool):
-            raise TypeError('Incorrect "log_error" parameter')
-
         return request
 
     try:
         request = _parse_request()
-        log_error = request.get('log_error', True)
         arguments = {'args': request['args'], 'kwargs': request['kwargs']}
         _setup_thread_storage()
         return_value = _privileged_call(request['module'], request['action'],
-                                        arguments, log_error)
+                                        arguments)
 
         if isinstance(return_value, io.BufferedReader):
             raw_output = request.get('raw_output', False)
@@ -457,7 +452,7 @@ def privileged_handle_json_request(
     return json.dumps(return_value, cls=JSONEncoder)
 
 
-def _privileged_call(module_name, action_name, arguments, log_error=True):
+def _privileged_call(module_name, action_name, arguments):
     """Import the module and run action as superuser"""
     if '.' in module_name:
         raise SyntaxError('Invalid module name')
@@ -505,12 +500,11 @@ def _privileged_call(module_name, action_name, arguments, log_error=True):
         return_value = {'result': 'success', 'return': return_values}
     except Exception as exception:
         return_value = get_return_value_from_exception(exception)
-        if log_error:
-            logger.exception(
-                'Error running action: %s..%s(..): %s\nstdout:\n%s\n'
-                'stderr:\n%s\n', module_name, action_name, exception,
-                return_value['exception']['stdout'],
-                return_value['exception']['stderr'])
+        logger.exception(
+            'Error running action: %s..%s(..): %s\nstdout:\n%s\nstderr:\n%s\n',
+            module_name, action_name, exception,
+            return_value['exception']['stdout'],
+            return_value['exception']['stderr'])
 
     return return_value
 

plinth/app.py

@@ -574,19 +574,10 @@ class Info(FollowerComponent):
         except ImproperlyConfigured:
             # Hack to allow apps to be instantiated without Django
             # initialization as required by privileged process.
-            def _make_str(tag):
-                """Return the string without casting."""
-                if not isinstance(tag, Promise):
-                    return tag
-
-                # Django 4.2
-                if hasattr(tag, '_proxy____args'):
-                    return tag._proxy____args[0]
-
-                # Django 5.x
-                return tag._args[0]
-
-            return [_make_str(tag) for tag in self._tags]
+            return [
+                tag._proxy____args[0] if isinstance(tag, Promise) else tag
+                for tag in self._tags
+            ]
 
 
 class EnableState(LeaderComponent):

plinth/cfg.py

@@ -12,11 +12,13 @@ logger = logging.getLogger(__name__)
 
 # [Path] section
 file_root = '/usr/share/plinth'
+config_dir = '/etc/plinth'
 data_dir = '/var/lib/plinth'
 custom_static_dir = '/var/www/plinth/custom/static'
 store_file = data_dir + '/plinth.sqlite3'
+actions_dir = '/usr/share/plinth/actions'
 doc_dir = '/usr/share/freedombox'
-server_dir = '/freedombox'
+server_dir = '/plinth'
 
 # [Network] section
 host = '127.0.0.1'
@@ -109,9 +111,11 @@ def read_file(config_path):
 
     config_items = (
         ('Path', 'file_root', 'string'),
+        ('Path', 'config_dir', 'string'),
         ('Path', 'data_dir', 'string'),
         ('Path', 'custom_static_dir', 'string'),
         ('Path', 'store_file', 'string'),
+        ('Path', 'actions_dir', 'string'),
         ('Path', 'doc_dir', 'string'),
         ('Path', 'server_dir', 'string'),
         ('Network', 'host', 'string'),

plinth/clients.py

@@ -44,8 +44,7 @@ def _check(client, condition):
 def _client_has_desktop(client):
     """Filter to find out whether an application has desktop clients"""
     return _check(
-        client, lambda platform: platform.get('os') in enum_values(Desktop_OS)
-        and platform.get('type') != 'package')
+        client, lambda platform: platform.get('os') in enum_values(Desktop_OS))
 
 
 def _client_has_mobile(client):
@@ -117,7 +116,7 @@ def _validate_platform_package(platform):
 
 def _validate_platform_download(platform):
     """Validate a platform of type download."""
-    assert platform['os'] in enum_values(Desktop_OS) + enum_values(Mobile_OS)
+    assert platform['os'] in enum_values(Desktop_OS)
     assert isinstance(platform['url'], (str, Promise))
 
 

plinth/conftest.py

@@ -64,10 +64,10 @@ def fixture_load_cfg():
     """Load test configuration."""
     from plinth import cfg
 
-    keys = ('file_root', 'data_dir', 'custom_static_dir', 'store_file',
-            'doc_dir', 'server_dir', 'host', 'port', 'use_x_forwarded_for',
-            'use_x_forwarded_host', 'secure_proxy_ssl_header', 'box_name',
-            'develop')
+    keys = ('file_root', 'config_dir', 'data_dir', 'custom_static_dir',
+            'store_file', 'actions_dir', 'doc_dir', 'server_dir', 'host',
+            'port', 'use_x_forwarded_for', 'use_x_forwarded_host',
+            'secure_proxy_ssl_header', 'box_name', 'develop')
     saved_state = {}
     for key in keys:
         saved_state[key] = getattr(cfg, key)

plinth/db/dbconfig.py

@@ -1,40 +0,0 @@
-# SPDX-License-Identifier: AGPL-3.0-or-later
-"""Utilities for parsing dbconfig-common files with Augeas."""
-
-import pathlib
-
-import augeas
-
-
-def get_credentials(dbconfig_path: str) -> dict[str, str]:
-    """Parse dbconfig-common file with Augeas Shellvars lens."""
-    if not pathlib.Path(dbconfig_path).is_file():
-        raise FileNotFoundError(f'DB config not found: {dbconfig_path}')
-
-    aug = _load_augeas(dbconfig_path)
-
-    required = ['dbc_dbuser', 'dbc_dbpass', 'dbc_dbname']
-    credentials = {}
-    for key in required + ['dbc_dbserver']:
-        credentials[key] = aug.get(key).strip('\'"')
-
-    if not all(credentials.get(key) for key in required):
-        raise ValueError('Missing required dbconfig-common credentials')
-
-    return {
-        'user': credentials['dbc_dbuser'],
-        'password': credentials['dbc_dbpass'],
-        'database': credentials['dbc_dbname'],
-        'host': credentials['dbc_dbserver'] or 'localhost'
-    }
-
-
-def _load_augeas(config_path: str):
-    """Initialize Augeas."""
-    aug = augeas.Augeas(flags=augeas.Augeas.NO_LOAD +
-                        augeas.Augeas.NO_MODL_AUTOLOAD)
-    pathstr = str(config_path)
-    aug.transform('Shellvars', pathstr)
-    aug.set('/augeas/context', f'/files{pathstr}')
-    aug.load()
-    return aug

plinth/db/postgres.py

@@ -93,6 +93,7 @@ def dump_database(backup_file: str | pathlib.Path, database_name: str):
     file if it exists.
     """
     backup_path = pathlib.Path(backup_file)
+    backup_path.parent.mkdir(parents=True, exist_ok=True)
     with action_utils.service_ensure_running('postgresql'):
         with open(backup_path, 'w', encoding='utf-8') as file_handle:
             _run_as([

plinth/develop.config

@@ -1,3 +1,5 @@
 [Path]
 file_root = %(parent_parent_dir)s
+config_dir = %(file_root)s/data/etc/plinth
+actions_dir = %(file_root)s/actions
 doc_dir = %(file_root)s/doc

plinth/locale/README

@@ -10,7 +10,7 @@ translating the PO file from your language directory.
 Introducing yourself is important since some work may have been done
 already on Debian translators discussion lists and Weblate
 localization platform.
-https://hosted.weblate.org/projects/freedombox/freedombox/
+https://hosted.weblate.org/projects/freedombox/plinth/
 https://www.debian.org/MailingLists/subscribe
 
 ## Wiki: translators landing page