wireguard: Enable FB to connect to a server using IPv6

This MR enables FreedomBox to connect as a "client" to a WireGuard "server" using IPv6. - Validate IPv4/6 with ip_interface - Created helper functions to build NM settings for IPv4/6 - Modify get_settings to include settings for either IP version 4 or 6 - Created helper function to get NM address info - Modify get_nm_info to work with IPv4 and IPv6 - Modified tests to use validate_ip_address_with_network - Added IPv6 valid and invalid patterns to tests Tested: - IPv4 works unchanged - IPv6 parsing + NM settings generation works - IPv6 display in Show Server UI Not tested: - Needs IPv6 WireGuard server for full connectivity test Closes: #1762 Signed-off-by: Frederico Gomes <fredericojfgomes@gmail.com> Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
debian/control: Add !nocheck for python3-segno
2026-05-27 10:44:33 +00:00 · 2026-05-26 18:41:20 -04:00 · 2026-05-23 09:34:02 -04:00 · 2026-05-23 08:55:51 -04:00 · 2026-05-23 08:55:48 -04:00 · 2026-05-23 08:55:46 -04:00
562 changed files with 63702 additions and 47838 deletions
--- a/.ci/Containerfile.functional-tests-stable
+++ b/.ci/Containerfile.functional-tests-stable
@ -16,7 +16,7 @@ RUN apt-get dist-upgrade -y
 # Install freedombox package so that plint:plinth user/group are created etc.
 RUN apt-get install -y freedombox/trixie-backports
-RUN systemctl mask plinth.service
+RUN systemctl disable plinth.service
 # Don't ask for the secret in first wizard
 RUN rm -f /var/lib/plinth/firstboot-wizard-secret
--- a/.ci/functional-tests.yml
+++ b/.ci/functional-tests.yml
@ -16,8 +16,7 @@
    - apt-get update
    - apt-get -y install make
    - make provision-dev
-    - sudo -u plinth ./run --develop > plinth.log 2>&1 &
+    - make wait-while-first-setup
    - while ! grep -q "Setup finished" plinth.log; do sleep 1; echo -n .; done
  script:
    - FREDOMBOX_URL=https://localhost FREEDOMBOX_SSH_PORT=22 FREEDOMBOX_SAMBA_PORT=445 pytest -v --durations=10 --include-functional --splinter-headless --instafail --template=html1/index.html --report=functional-tests.html
  artifacts:
--- a/.vagrant-scripts/plinth-user-permissions.py
+++ b/.vagrant-scripts/plinth-user-permissions.py
@ -1,16 +0,0 @@
 #!/usr/bin/python3
 # -*- mode: python -*-
 # SPDX-License-Identifier: AGPL-3.0-or-later
 """Set required permissions for user "plinth" to run plinth in dev setup."""
 import pathlib
 content = '''
 Cmnd_Alias FREEDOMBOX_ACTION_DEV = /usr/share/plinth/actions/actions, /freedombox/actions/actions
 Defaults!FREEDOMBOX_ACTION_DEV closefrom_override
 plinth ALL=(ALL:ALL) NOPASSWD:SETENV : FREEDOMBOX_ACTION_DEV
 fbx    ALL=(ALL:ALL) NOPASSWD : ALL
 '''
 sudoers_file = pathlib.Path('/etc/sudoers.d/01-freedombox-development')
 sudoers_file.write_text(content)
--- a/HACKING.md
+++ b/HACKING.md
@ -66,7 +66,7 @@ development environment inside a systemd-nspawn container.
    folder: (This step requires at least 16GB of free disk space)
    ```bash
-    host$ ./container up
+    host$ ./container start
    ```
 1. To run unit tests:
@ -97,20 +97,20 @@ development environment inside a systemd-nspawn container.
   1. Using an environment variable.
   ```bash
-   host$ DISTRIBUTION=stable ./container up
+   host$ DISTRIBUTION=stable ./container start
   host$ DISTRIBUTION=stable ./container ssh
   ```
   ```bash
   host$ export DISTRIBUTION=stable
-   host$ ./container up
+   host$ ./container start
   host$ ./container ssh
   ```
   2. Using the `--distribution` option for each command.
   ```bash
-   host$ ./container up --distribution=stable
+   host$ ./container start --distribution=stable
   host$ ./container ssh --distribution=stable
   ```
@ -131,7 +131,7 @@ used simultaneously as they all use different disk images.
    example, to bring up a virtual machine instead of a container run:
    ```bash
-    host$ ./container up --machine-type=vm
+    host$ ./container start --machine-type=vm
    ```
 #### Using after Setup
@ -143,12 +143,12 @@ directory:
 guest$ cd /freedombox
 ```
-Run the development version of FreedomBox Service in the container using the
+FreedomBox Service runs as plinth.service in the container. This service
-following command. This command continuously deploys your code changes into the
+restarts when it detects a change to the source code file. This provides a quick
-container providing a quick feedback cycle during development.
+feedback cycle during development. To watch service logs run:
 ```bash
-guest$ freedombox-develop
+guest$ sudo freedombox-logs
 ```
 If you have changed any system configuration files during your development,
@ -156,16 +156,17 @@ you will need to run the following to install those files properly on to the
 system and their changes to reflect properly.
 ```bash
-guest$ sudo make build install
+guest$ sudo make build install ;
 guest$ sudo systemctl restart plinth.service
 ```
 Note: This development container has automatic upgrades disabled by default.
 #### Troubleshooting
-* Sometimes `host$ ./container destroy && ./container up` doesn't work. In such
+* Sometimes `host$ ./container destroy && ./container start` doesn't work. In such
  cases, try to delete the hidden `.container` folder and then `host$
-  ./container up`.
+  ./container start`.
 * Not all kinds of changes are automatically updated. Try `guest$ sudo mount -o
  remount /freedombox`.
 * I am getting an error that says `lo` is not managed by Network Manager
@ -177,7 +178,7 @@ Note: This development container has automatic upgrades disabled by default.
    ```bash
    host$ sudo touch /etc/NetworkManager/conf.d/10-globally-managed-devices.conf
    host$ sudo service network-manager restart
-    host$ ./container destroy && ./container up
+    host$ ./container destroy && ./container start
    ```
 * File/directory not found errors when running tests can be fixed by clearing `__pycache__` directories.
@ -373,13 +374,12 @@ After logging into the virtual machine (VM), the source code is available in
 vm$ cd /freedombox
 ```
-Run the development version of FreedomBox Service (Plinth) from your source
+FreedomBox Service runs as plinth.service in the virtual machine. This service
-directory in the virtual machine using the following command. This command
+restarts when it detects a change to the source code file. This provides a quick
-continuously deploys your code changes into the virtual machine providing a
+feedback cycle during development. To watch service logs run:
 quick feedback cycle during development.
 ```bash
-vm$ freedombox-develop
+vm$ sudo freedombox-logs
 ```
 If you have changed any system configuration files during your development,
@ -416,7 +416,7 @@ for more details.
 ### Translating literals (contributing translations)
 The easiest way to start translating is with your browser, by using
-[Weblate](https://hosted.weblate.org/projects/freedombox/plinth/).
+[Weblate](https://hosted.weblate.org/projects/freedombox/freedombox/).
 Your changes will automatically get pushed to the code repository.
 Alternatively, you can directly edit the `.po` file in your language directory
--- a/INSTALL.md
+++ b/INSTALL.md
@ -35,7 +35,7 @@ FreedomBox [Manual](https://wiki.debian.org/FreedomBox/Manual/)'s
 3.  Access FreedomBox UI:
-    UI should be accessible at http://localhost:8000/plinth
+    UI should be accessible at http://localhost:8000/freedombox
 If you are installing FreedomBox Service (Plinth) for development purposes, see
 HACKING.md instead.
--- a/38
+++ b/38
@ -20,7 +20,9 @@ DISABLED_APPS_TO_REMOVE := \
    repro \
    tahoe \
    mldonkey \
-    i2p
+    i2p \
    ttrss \
    sso
 APP_FILES_TO_REMOVE := $(foreach app,$(DISABLED_APPS_TO_REMOVE),$(ENABLED_APPS_PATH)/$(app))
@ -100,11 +102,12 @@ install:
        $(INSTALL) -d $(DESTDIR)$${lib_dir} && \
 	rm -rf $(DESTDIR)$${lib_dir}/plinth $(DESTDIR)$${lib_dir}/plinth*.dist-info && \
        mv $${temp}/plinth $${temp}/plinth*.dist-info $(DESTDIR)$${lib_dir} && \
-	rm -f $(DESTDIR)$${lib_dir}/plinth*.dist-info/COPYING.md && \
+	rm -f $(DESTDIR)$${lib_dir}/plinth*.dist-info/licenses/COPYING.md && \
 	rm -f $(DESTDIR)$${lib_dir}/plinth*.dist-info/direct_url.json && \
        $(INSTALL) -D -t $(BIN_DIR) bin/plinth
 	$(INSTALL) -D -t $(LIB_DIR)/freedombox bin/freedombox-privileged
 	$(INSTALL) -D -t $(BIN_DIR) bin/freedombox-cmd
 	$(INSTALL) -D -t $(BIN_DIR) bin/freedombox-change-password
 	# Static web server files
 	rm -rf $(STATIC_FILES_DIRECTORY)
@ -161,6 +164,16 @@ Environment=PYTHONPATH=/freedombox/
 endef
 export DEVELOP_SERVICE_CONF
 define DEVELOP_LOGS_SCRIPT
 #!/usr/bin/bash
 set -e
 set -x
 journalctl --follow --unit=plinth.service --unit=freedombox-privileged.service
 endef
 export DEVELOP_LOGS_SCRIPT
 # Run basic setup for a developer environment (VM or container)
 provision-dev:
 	# Install newer build dependencies if any
@ -170,9 +183,15 @@ provision-dev:
 	# Install latest code over .deb
 	$(MAKE) build install
-	# Configure privileged daemon for development setup
+	# Configure privileged and web daemon for development setup
 	mkdir -p /etc/systemd/system/freedombox-privileged.service.d/
 	echo "$$DEVELOP_SERVICE_CONF" > /etc/systemd/system/freedombox-privileged.service.d/develop.conf
 	mkdir -p /etc/systemd/system/plinth.service.d/
 	echo "$$DEVELOP_SERVICE_CONF" > /etc/systemd/system/plinth.service.d/develop.conf
 	# Create a command to easily watch service logs
 	echo "$$DEVELOP_LOGS_SCRIPT" > /usr/bin/freedombox-logs
 	chmod 755 /usr/bin/freedombox-logs
 	# Reload newer systemd units, ignore failure
 	-systemctl daemon-reload
@ -183,6 +202,10 @@ provision-dev:
 	-test -d /run/systemd/system && \
 		systemctl enable --now freedombox-privileged.socket
 	# Enable and restart plinth service if it is running
 	-systemctl enable plinth.service
 	-systemctl restart plinth.service
 	# Stop any ongoing upgrade, ignore failure
 	-killall -9 unattended-upgr
@ -207,6 +230,12 @@ provision-dev:
 	DEBIAN_FRONTEND=noninteractive apt-get install --yes ncurses-term \
 	    sshpass bash-completion
 wait-while-first-setup:
 	while [ x$$(curl -k https://localhost/freedombox/status/ 2> /dev/null | \
 	    json_pp 2> /dev/null | grep 'is_first_setup_running' | \
            tr -d '[:space:]' | cut -d':' -f2 ) != 'xfalse' ] ; do \
 	    sleep 1; echo -n .; done
 .PHONY: \
    build \
    check \
@ -219,4 +248,5 @@ provision-dev:
    configure \
    install \
    provision \
-    update-translations
+    update-translations \
    wait-while-first-setup
--- a/README.md
+++ b/README.md
@ -62,7 +62,7 @@ See the [HACKING.md](https://salsa.debian.org/freedombox-team/freedombox/blob/ma
 # Localization
-[![Translation status](https://hosted.weblate.org/widgets/freedombox/-/287x66-white.png)](https://hosted.weblate.org/engage/freedombox/?utm_source=widget)
+[![Translation status](https://hosted.weblate.org/widget/freedombox/horizontal-auto.svg)](https://hosted.weblate.org/engage/freedombox/)
 # License
--- a/24
+++ b/24
@ -6,13 +6,13 @@ require 'etc'
 Vagrant.configure(2) do |config|
  config.vm.box = "freedombox/freedombox-testing-dev"
-  config.vm.network "forwarded_port", guest: 443, host: 4430
+  config.vm.network "public_network"
  config.vm.network "forwarded_port", guest: 445, host: 4450
  config.vm.synced_folder ".", "/freedombox", owner: "plinth", group: "plinth"
  config.vm.provider "virtualbox" do |vb|
    vb.cpus = Etc.nprocessors
    vb.memory = 2048
    vb.linked_clone = true
    vb.customize ["modifyvm", :id, "--firmware", "efi"]
  end
  config.vm.provision "shell", run: 'always', inline: <<-SHELL
    # Disable automatic upgrades
@ -24,24 +24,18 @@ Vagrant.configure(2) do |config|
  config.vm.provision "shell", inline: <<-SHELL
    cd /freedombox/
    make provision-dev
    echo 'alias freedombox-develop="cd /freedombox; sudo -u plinth /freedombox/run --develop"' >> /home/vagrant/.bashrc
  SHELL
  config.vm.provision "tests", run: "never", type: "shell", path: "plinth/tests/functional/install.sh"
  config.vm.post_up_message = "FreedomBox virtual machine is ready
-for development. You can run the development version of Plinth using
+for development. To get the IP address:
 the following command.
 $ vagrant ssh
-$ freedombox-develop
+$ ip address show
-Plinth will be available at https://localhost:4430/plinth (with
+
-an invalid SSL certificate).
+FreedomBox interface will be available at https://<ip address>/freedombox
 (with an invalid SSL certificate). To watch logs:
 $ vagrant ssh
 $ sudo freedombox-logs
 "
  config.trigger.after [:up, :resume, :reload] do |trigger|
    trigger.info = "Set plinth user permissions for development environment"
    trigger.run_remote = {
      path: ".vagrant-scripts/plinth-user-permissions.py"
    }
  end
  config.vm.boot_timeout=1200
 end
--- a/bin/freedombox-change-password
+++ b/bin/freedombox-change-password
@ -0,0 +1,61 @@
 #!/usr/bin/python3
 # SPDX-License-Identifier: AGPL-3.0-or-later
 """
 Utility to change user password in FreedomBox's Django database.
 Usage:
 $ freedombox-change-password <username>
 """
 import argparse
 import getpass
 import sys
 import plinth.web_framework
 from plinth.modules.users import privileged
 def main():
    """Ask for new password, setup Django and update a user's password."""
    try:
        plinth.web_framework.init()
    except Exception:
        _print('Error initializing Django.')
        return
    parser = argparse.ArgumentParser()
    parser.add_argument('username',
                        help='Username of the account to change password for')
    args = parser.parse_args()
    username = args.username
    password = getpass.getpass('Enter new password: ')
    try:
        _change_password(username, password)
        privileged._set_user_password(username, password)
        privileged._set_samba_user(username, password)
        _print('Password updated in web interface, LDAP, and samba databases.')
    except Exception as exception:
        _print('Error setting password:', str(exception))
 def _print(*args, **kwargs):
    """Write to stderr."""
    print(*args, **kwargs, file=sys.stderr)
 def _change_password(username: str, password: str):
    """Update the password in SQLite database file."""
    from django.contrib.auth.models import User
    try:
        user = User.objects.get(username=username)
        user.set_password(password)
        user.save()
    except User.DoesNotExist:
        _print('User account does not exist:', username)
        raise
 if __name__ == '__main__':
    main()
--- a/92
+++ b/92
@ -196,9 +196,6 @@ cd /freedombox/
 sudo apt-get -y install make
 sudo make provision-dev
 echo 'alias freedombox-develop="cd /freedombox; sudo -u plinth /freedombox/run --develop"' \
  >> /home/fbx/.bashrc
 # Make some pytest related files and directories writable to the fbx user
 sudo touch geckodriver.log
 sudo chmod a+rw geckodriver.log
@ -230,6 +227,7 @@ fi
 echo "> In machine: Upgrade packages"
 apt-get update
 apt-mark hold freedombox freedombox-doc-en freedombox-doc-es
 DEBIAN_FRONTEND=noninteractive apt-get -yq --with-new-pkgs upgrade
 # Install requirements for tests if not already installed as root
@ -241,25 +239,7 @@ fi
 # Run the plinth server if functional tests are requested
 if [[ "{pytest_command}" =~ "--include-functional" ]]
 then
-    is_plinth_running=0
+    make -C /freedombox wait-while-first-setup
    ps -ax -o cmd | grep -q "^sudo -u plinth /freedombox/run" && \
    is_plinth_running=1
    ps -ax -o cmd | grep -q "^/usr/bin/python3 /usr/bin/plinth" && \
    is_plinth_running=1
    if [[ $is_plinth_running -eq 1 ]]
    then
        echo "> In machine: Plinth is already running"
    else
        echo -n "> In machine: Starting plinth ... "
        sudo -u plinth /freedombox/run --develop > plinth.log 2>&1 &
        while ! grep -q "Setup finished" plinth.log
        do
            sleep 1
            echo -n .
        done
        echo
    fi
    if [[ "{pytest_command}" != *"--splinter-headless"* ]]
    then
@ -495,14 +475,18 @@ def parse_arguments() -> argparse.Namespace:
            help='Type of the machine, container to virtual machine, to run '
            'operation on')
-    # Up
+    # Start
-    subparser = subparsers.add_parser('up', help='Bring up the container',
+    subparser = subparsers.add_parser('start', help='Bring up the container',
-                                      formatter_class=formatter_class)
+                                      formatter_class=formatter_class,
                                      aliases=['up'])
    _add_common_args(subparser)
    subparser.add_argument('--image-size', default='16G',
                           help='Disk image size to resize to after download')
    subparser.add_argument('--hkp-client', choices=('gpg', 'wget'),
                           default='gpg', help='Client for key retrieval')
    subparser.add_argument(
        '--skip-install', action='store_true',
        help='Skip running make provision-dev in the container')
    # Print IP address
    subparser = subparsers.add_parser(
@ -526,7 +510,8 @@ def parse_arguments() -> argparse.Namespace:
    # Stop
    subparser = subparsers.add_parser('stop', help='Stop the container',
-                                      formatter_class=formatter_class)
+                                      formatter_class=formatter_class,
                                      aliases=['down'])
    _add_common_args(subparser)
    # Destroy
@ -704,10 +689,27 @@ def _verify_signature(hkp_client: str, data_file: pathlib.Path,
 def _extract_image(compressed_file: pathlib.Path):
    """Extract the image file."""
-    decompressed_file = compressed_file.with_suffix('')
+    # Strip the .xz extension, then replace .img with .raw
    decompressed_file = compressed_file.with_suffix('').with_suffix('.raw')
    older_image = compressed_file.with_suffix('')
    if decompressed_file.exists():
        return decompressed_file
    # Rename older image and its corresponding state files.
    if older_image.exists():
        logger.info('Renaming .img file to .raw')
        older_image.rename(decompressed_file)
        for ext in ['.setup', '.provisioned']:
            old_state = older_image.with_suffix(older_image.suffix + ext)
            new_state = decompressed_file.with_suffix(
                decompressed_file.suffix + ext)
            if old_state.exists():
                old_state.rename(new_state)
        return decompressed_file
    logger.info('Decompressing file %s', compressed_file)
    partial_file = compressed_file.with_suffix('.partial')
    with partial_file.open('w', encoding='utf-8') as file_handle:
@ -730,7 +732,8 @@ def _get_compressed_image_path(distribution: str) -> pathlib.Path:
 def _get_image_file(distribution: str) -> pathlib.Path:
    """Return the path of the image file."""
    compressed_image = _get_compressed_image_path(distribution)
-    return compressed_image.with_suffix('')
+    # Strip the .xz extension, then replace .img with .raw
    return compressed_image.with_suffix('').with_suffix('.raw')
 def _get_project_folder() -> pathlib.Path:
@ -964,7 +967,7 @@ def _setup_ssh(image_file: pathlib.Path):
    _runc(image_file, ['chown', 'fbx:fbx', '/home/fbx/.ssh/authorized_keys'])
-def _setup_image(image_file: pathlib.Path):
+def _setup_image(image_file: pathlib.Path, skip_install: bool = False):
    """Prepare the image for execution."""
    setup_file = image_file.with_suffix(image_file.suffix + '.setup')
    if setup_file.exists():
@ -976,6 +979,7 @@ def _setup_image(image_file: pathlib.Path):
    _runc(image_file, ['tee', '/etc/apt/apt.conf.d/20auto-upgrades'],
          input=contents.encode())
    if not skip_install:
        logger.info('In image: Disabling FreedomBox service')
        _runc(image_file, ['systemctl', 'disable', 'plinth'],
              stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
@ -1036,11 +1040,15 @@ def _is_provisioned(distribution: str) -> bool:
    return provision_file.exists()
-def _provision(image_file: pathlib.Path, machine_type: str, distribution: str):
+def _provision(image_file: pathlib.Path, machine_type: str, distribution: str,
               skip_install: bool = False):
    """Run app setup inside the container."""
    if _is_provisioned(distribution):
        return
    if skip_install:
        logger.info('Skipping provision step (--skip-install)')
    else:
        machine = Machine.get_instance(machine_type, distribution)
        ssh_command = machine.get_ssh_command()
        subprocess.run(ssh_command + ['bash'], check=True,
@ -1074,7 +1082,7 @@ Folder overlay        :    (host, read-only){project_folder}
 SSH easily            : {script} ssh {options}
 Run tests             : {script} run-tests {options} [ --pytest-args ... ]
-Run FreedomBox inside : freedombox-develop
+Watch FreedomBox logs : sudo freedombox-logs
 Web access            : https://{ip_address}/
 Ports access          : Any port on {ip_address}
@ -1083,7 +1091,7 @@ Terminal login        : sudo machinectl login fbx-{distribution}
 Open a root shell     : sudo machinectl shell fbx-{distribution}
 Shutdown              : {script} stop {options}
 Destroy               : {script} destroy {options}
-Reset                 : {script} destroy {options}; {script} up {options}'''
+Reset                 : {script} destroy {options}; {script} start {options}'''
    logger.info(message)
@ -1347,9 +1355,8 @@ VirtualEthernet=yes
            if result.returncode:
                raise Exception(f'Image file {image_link} is not a symlink.')
-            subprocess.run(['sudo', 'rm', '--force',
+        # May be linked to wrong place (such as old .img file)
-                            str(image_link)], check=False)
+        subprocess.run(['sudo', 'rm', '--force', str(image_link)], check=False)
        subprocess.run([
            'sudo', 'ln', '--symbolic',
            str(image_file.resolve()),
@ -1480,7 +1487,7 @@ class VM(Machine):
        qcow_image.unlink(missing_ok=True)
-def subcommand_up(arguments: argparse.Namespace):
+def subcommand_start(arguments: argparse.Namespace):
    """Download, setup and bring up the container."""
    machine = Machine.get_instance(arguments.machine_type,
                                   arguments.distribution)
@ -1494,10 +1501,11 @@ def subcommand_up(arguments: argparse.Namespace):
                                      arguments.hkp_client)
    _resize_disk_image(image_file, arguments.image_size,
                       arguments.distribution)
-    _setup_image(image_file)
+    _setup_image(image_file, arguments.skip_install)
    machine.setup()
    machine.launch()
-    _provision(image_file, arguments.machine_type, arguments.distribution)
+    _provision(image_file, arguments.machine_type, arguments.distribution,
               arguments.skip_install)
    _print_banner(arguments.machine_type, arguments.distribution)
@ -1584,7 +1592,13 @@ def main():
    logging.basicConfig(level='INFO', format='> %(message)s')
    arguments = parse_arguments()
-    subcommand = arguments.subcommand.replace('-', '_')
+    aliases = {
        'up': 'start',
        'down': 'stop',
    }
    subcommand: str = arguments.subcommand.replace('-', '_')
    subcommand = aliases.get(subcommand, subcommand)
    subcommand_method = globals()['subcommand_' + subcommand]
    subcommand_method(arguments)
--- a/data/etc/apache2/conf-available/freedombox-tls.conf
+++ b/data/etc/apache2/conf-available/freedombox-tls.conf
@ -12,6 +12,7 @@
    # Don't redirect for onion sites as it is not needed and leads to
    # unnecessary warning.
    RewriteCond %{HTTP_HOST} !^.*\.onion$ [NC]
    RewriteCond %{REQUEST_URI} !^/freedombox/apache/discover-idp/$ [NC]
    ReWriteCond %{HTTPS} !=on
    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
 </LocationMatch>
--- a/data/etc/apache2/conf-available/freedombox.conf
+++ b/data/etc/apache2/conf-available/freedombox.conf
@ -39,58 +39,16 @@
 </If>
 ##
-## Redirect traffic on home to /plinth as part of turning the machine
+## Redirect traffic on home to /freedombox as part of turning the machine
 ## into FreedomBox server.  Plinth then acts as a portal to reach all
 ## other services.
 ##
 <IfFile !/etc/apache2/conf-enabled/freedombox-apache-homepage.conf>
-    RedirectMatch "^/$" "/plinth"
+    RedirectMatch "^/$" "/freedombox"
 </IfFile>
 ##
-## Disable sending Referer (sic) header from FreedomBox web interface to
+## On all sites, provide FreedomBox on a default path: /freedombox
 ## external websites. This improves privacy by not disclosing FreedomBox
 ## domains/URLs to external domains. Apps such as blogs which want to popularize
 ## themselves with referrer header may still do so.
 ##
 ## A strict Content Security Policy.
 ## - @fonts are allowed only from FreedomBox itself.
 ## - <frame>/<iframe> sources are disabled.
 ## - <img> sources are allowed only from FreedomBox itself.
 ## - Manifest file is not allowed as there is none yet.
 ## - <audio>, <video>, <track> tags are not allowed yet.
 ## - <object>, <embed>, <applet> tags are not allowed yet.
 ## - Allow JS from FreedomBox itself (no inline and attribute scripts).
 ## - Allow inline CSS and CSS files from Freedombox itself.
 ## - Web worker sources are allowed only from FreedomBox itself (for JSXC).
 ## - All other fetch sources including Ajax are not allowed from FreedomBox
 ##   itself.
 ## - <base> tag is not allowed.
 ## - No plugins types are alllowed since object-src is 'none'.
 ## - Form action should be to FreedomBox itself.
 ## - This interface may be not embedded in <frame>, <iframe>, etc. tags.
 ## - When serving HTTPS, don't allow HTTP assets.
 ##
 ## Enable strict sandboxing enabled with some exceptions:
 ## - Allow running Javascript.
 ## - Allow popups as sometimes we use <a target=_blank>
 ## - Allow popups to have different sandbox requirements as we launch apps' web
 ##   clients.
 ## - Allow forms to support configuration forms.
 ## - Allow policies to treat same origin differently from other origins
 ## - Allow downloads such as backup tarballs.
 ##
 ## Disable browser guessing of MIME types. FreedoBox already sets good content
 ## types for all the common file types.
 ##
 <LocationMatch "^/(plinth|freedombox)">
    Header set Referrer-Policy 'same-origin'
    Header set Content-Security-Policy "font-src 'self'; frame-src 'none'; img-src 'self' data:; manifest-src 'none'; media-src 'none'; object-src 'none'; script-src 'self'; style-src 'self'; worker-src 'self'; default-src 'self'; base-uri 'none'; sandbox allow-scripts allow-popups allow-popups-to-escape-sandbox allow-forms allow-same-origin allow-downloads; form-action 'self'; frame-ancestors 'none'; block-all-mixed-content;"
    Header set X-Content-Type-Options 'nosniff'
 </LocationMatch>
 ##
 ## On all sites, provide FreedomBox on a default path: /plinth
 ##
 ## Requires the following Apache modules to be enabled:
 ##   mod_headers
@ -98,7 +56,8 @@
 ##   mod_proxy_http
 ##
 <Location /freedombox>
-    ProxyPass        http://127.0.0.1:8000/plinth
+    ProxyPass        http://127.0.0.1:8000/freedombox
    ProxyPreserveHost On
    ## Send the scheme from user's request to enable Plinth to redirect
    ## URLs, set cookies, set absolute URLs (if any) properly.
    RequestHeader    set X-Forwarded-Proto 'https' env=HTTPS
@ -112,7 +71,20 @@
    RequestHeader    unset X-Forwarded-For
 </Location>
 <Location /plinth>
-    ProxyPass        http://127.0.0.1:8000/plinth
+    ProxyPass        http://127.0.0.1:8000/freedombox
    ProxyPreserveHost On
    RequestHeader    set X-Forwarded-Proto 'https' env=HTTPS
    RequestHeader    unset X-Forwarded-For
 </Location>
 <Location /.well-known/openid-configuration>
    ProxyPass        http://127.0.0.1:8000/freedombox/o/.well-known/openid-configuration
    ProxyPreserveHost On
    RequestHeader    set X-Forwarded-Proto 'https' env=HTTPS
    RequestHeader    unset X-Forwarded-For
 </Location>
 <Location /.well-known/jwks.json>
    ProxyPass        http://127.0.0.1:8000/freedombox/o/.well-known/jwks.json
    ProxyPreserveHost On
    RequestHeader    set X-Forwarded-Proto 'https' env=HTTPS
    RequestHeader    unset X-Forwarded-For
 </Location>
@ -124,7 +96,7 @@
 <Location ~ ^/favicon\.ico$>
    <IfModule mod_rewrite.c>
        RewriteEngine On
-        RewriteRule /favicon\.ico$ "/plinth/static/theme/img/favicon.ico" [PT]
+        RewriteRule /favicon\.ico$ "/freedombox/static/theme/img/favicon.ico" [PT]
    </IfModule>
 </Location>
--- a/data/usr/lib/systemd/system/plinth.service
+++ b/data/usr/lib/systemd/system/plinth.service
@ -17,8 +17,6 @@ RestartSec=5
 ExecReload=/bin/kill -HUP $MAINPID
 User=plinth
 Group=plinth
 StandardOutput=null
 StandardError=null
 NotifyAccess=main
 # Uploaded files in /var/tmp/ are shared with FreedomBox privileged service by
 # joining namespaces.
--- a/debian/changelog
+++ b/debian/changelog
@ -1,3 +1,644 @@
 freedombox (26.8) unstable; urgency=medium
  [ Pierfrancesco Passerini ]
  * Translated using Weblate (Italian)
  [ Dietmar ]
  * Translated using Weblate (German)
  [ Sunil Mohan Adapa ]
  * api: Drop access-info API
  [ James Valleroy ]
  * doc: Fetch latest manual
 -- James Valleroy <jvalleroy@mailbox.org>  Mon, 11 May 2026 20:32:09 -0400
 freedombox (26.7.1) unstable; urgency=medium
  [ Frederico Gomes ]
  * radicale: Enable lc_username for case-insensitive auth
  [ Sunil Mohan Adapa ]
  * radicale, bepasty: Fix issue with failed diagnostic test
  * radicale: Fix issue with parsing new configuration file
  * radicale: tests: functional: Better checking for well-known URLs
  [ James Valleroy ]
  * locale: Update translation strings
  * doc: Fetch latest manual
 -- James Valleroy <jvalleroy@mailbox.org>  Tue, 28 Apr 2026 18:26:38 -0400
 freedombox (26.7) unstable; urgency=medium
  [ Burak Yavuz ]
  * Translated using Weblate (Turkish)
  [ Besnik Bleta ]
  * Translated using Weblate (Albanian)
  [ 大王叫我来巡山 ]
  * Translated using Weblate (Chinese (Simplified Han script))
  [ Dietmar ]
  * Translated using Weblate (German)
  * Translated using Weblate (Italian)
  [ Jiří Podhorecký ]
  * Translated using Weblate (Czech)
  [ bittin1ddc447d824349b2 ]
  * Translated using Weblate (Swedish)
  [ Coucouf ]
  * Translated using Weblate (French)
  [ Pierfrancesco Passerini ]
  * Translated using Weblate (Italian)
  [ James Valleroy ]
  * debian: tests: Add test to access interface status
  * doc: Fetch latest manual
 -- James Valleroy <jvalleroy@mailbox.org>  Mon, 20 Apr 2026 20:25:51 -0400
 freedombox (26.6) unstable; urgency=medium
  [ Coucouf ]
  * Translated using Weblate (French)
  [ Dietmar ]
  * Translated using Weblate (Italian)
  * Translated using Weblate (German)
  [ Pierfrancesco Passerini ]
  * Translated using Weblate (Italian)
  [ bsurajpatra ]
  * Translated using Weblate (Hindi)
  [ Sunil Mohan Adapa ]
  * service: Capture stdout/stderr when running as systemd unit
  * views: Add a decorator to handle exceptions in JSON views
  * d/control: Add fido2 library as dependency
  * users: Add support for registering, editing, and deleting passkeys
  * users: Add support for logging in with passkeys
  * users: Add link to guide on passkeys
  [ James Valleroy ]
  * locale: Update translation strings
  * doc: Fetch latest manual
 -- James Valleroy <jvalleroy@mailbox.org>  Mon, 06 Apr 2026 20:41:35 -0400
 freedombox (26.5.1) unstable; urgency=medium
  [ Burak Yavuz ]
  * Translated using Weblate (Turkish)
  [ Besnik Bleta ]
  * Translated using Weblate (Albanian)
  [ Sunil Mohan Adapa ]
  * debian/control: Fix building with nocheck profile (Closes: #1131956)
  * debian/copyright: Drop a removed file, correct path for another
  * web_server: Fix locating SVG icons on production setup (Closes: #1131892)
 -- James Valleroy <jvalleroy@mailbox.org>  Thu, 26 Mar 2026 18:21:43 -0400
 freedombox (26.5) unstable; urgency=medium
  [ OwlGale ]
  * Translated using Weblate (Russian)
  [ Frederico Gomes ]
  * wireguard: Remove client entry for F-Droid which is not available
  * wireguard: Update windows client link
  * wireguard: Add button for direct APK download
  * wireguard: Add entries for Homebrew and RPM packages
  * clients: Fix formatting of package row in table
  * wireguard: Fix freedombox VPN IP for services
  [ Sunil Mohan Adapa ]
  * clients: Fix show empty clients in Desktop section
  * apache: Minor improvement to getting the request host
  * letsencrypt: Don't perform operations on apps that are not installed
  * tests: functional: Drop undefined 'sso' pytest mark
  * ui: Simplify SVG app icons for using them inline in HTML
  * ui: Use inline SVG images for app icons for dark mode adaptation
  * html: Drop type attribute value of text/javascript
  * html: Drop trailing slash from void elements
  * clients: Use SVG icons when showing external links
  * ui: Use inline SVG icons for system and help section page
  * ui: Add rest of the icons used from fork-awesome set
  * ui: Use inline SVG icons for breadcrumbs
  * ui: Use inline SVG icons for app toolbar
  * ui: Use inline SVG icons for notification dropdown
  * ui: Use inline SVG icons for internal zone message
  * names: Use inline SVG icons for main app page
  * featherwiki: Use inline SVG icons for app
  * tiddlywiki: Use inline SVG icons for app
  * wireguard: Use inline SVG icons
  * dynamicdns: Use inline SVG icons
  * help: Use inline SVG icons
  * ui: Use inline SVG icons for port forwarding info
  * power: Use inline SVG icons
  * pagekite: Use inline SVG icons
  * pagekite: Fix issue with adding custom services
  * ikiwiki: Use inline SVG icons
  * samba: Use inline SVG icons
  * miniflux: Use inline SVG icons
  * users: Use inline SVG icons
  * email: Use inline SVG icons
  * help: Use inline SVG icons
  * matrixsynapse: Use inline SVG icons
  * bepasty: Use inline SVG icons
  * calibre: Use inline SVG icons
  * kiwix: Use inline SVG icons
  * security: Use inline SVG icons
  * sharing: Use inline SVG icons
  * snapshot: Use inline SVG icons
  * diagnostics: Use inline SVG icons
  * storage: Use inline SVG icons
  * gitweb: Use inline SVG icons
  * ui: Use inline SVG icons for tag search
  * ui: Use inline SVG icons for clients launch buttons
  * networks: Use inline SVG icons
  * firstboot: Use inline SVG icons
  * ui: Use inline SVG icons for app's service-not-running message
  * ui: Use inline SVG icons for app's log page
  * ui: Use inline SVG icons for operation waiting notification
  * backups: Use inline SVG icons
  * ui: Use inline SVG icons for app install page
  * ui: Use inline SVG icons for all collapse buttons
  * ui: Use inline SVG icons for all spinners
  * ui: Use inline SVG icons for all error/warn/info/success messages
  * ui: Better placement for dropdown indicator in dropdown button
  * ui: Use inline SVG icons for navigation bar at the top
  * upgrades: Use inline SVG icons
  * ui: Use inline SVG icons for theme switcher menu
  * ui: Drop fonts-fork-awesome as dependency
  * ui: Rename 'plinth_extras' template tags module to 'extras'
  * janus: Drop unused reference to font-awesome
  * doc: Reduce verbosity when building documentation
  * app: Fix build issue with Django 5.x (Closes: #1131272)
  * apache: Increase OpenID Connect RP session timeout activity
  * action_utils: Stop associated service when stopping a socket unit
  * action_utils: Don't restart web interface when installing an app
  [ Daniel Wiik ]
  * Translated using Weblate (Swedish)
  [ Joseph Nuthalapati ]
  * container: Add option to skip install
  * container: Fix image extension to .raw for systemd v260
  [ James Valleroy ]
  * apache: Use a Uwsgi native socket systemd unit for each app
  * locale: Update translation strings
  * doc: Fetch latest manual
  [ Ettore Atalan ]
  * Translated using Weblate (German)
 -- James Valleroy <jvalleroy@mailbox.org>  Mon, 23 Mar 2026 20:25:07 -0400
 freedombox (26.4.2) unstable; urgency=medium
  [ Jiří Podhorecký ]
  * Translated using Weblate (Czech)
  [ OwlGale ]
  * Translated using Weblate (Russian)
 -- James Valleroy <jvalleroy@mailbox.org>  Sun, 08 Mar 2026 15:27:13 -0400
 freedombox (26.4.1) unstable; urgency=high
  [ 大王叫我来巡山 ]
  * Translated using Weblate (Chinese (Simplified Han script))
  [ Besnik Bleta ]
  * Translated using Weblate (Albanian)
  [ Burak Yavuz ]
  * Translated using Weblate (Turkish)
  [ Jiří Podhorecký ]
  * Translated using Weblate (Czech)
  [ James Valleroy ]
  * container: Hold freedombox packages during test setup
  * Vagrantfile: Enable public network for bridged networking
  * doc: Fetch latest manual
  [ Sunil Mohan Adapa ]
  * d/control: Trim deps for nocheck build profile (Closes: #1129521)
  * apache2: Disable pubtkt authentication module
 -- James Valleroy <jvalleroy@mailbox.org>  Sun, 08 Mar 2026 15:09:38 -0400
 freedombox (26.4) unstable; urgency=medium
  [ Joseph Nuthalapati ]
  * ui: Dismiss notifications without page reload
  [ Sunil Mohan Adapa ]
  * ui: Refactor notification delete buttons to avoid repeating code
  * ui: Add animation for notification dismissal
  * actions, privileged_daemon: Drop some unused global statements
  * backups: Avoid some repeated text in form help text
  * backups: Fix issue with Javascript in add remote location form
  * backups: Show/hide form elements instead of disabling for simplicity
  * backups: Tweak appearance of add remote location form
  * backups: tests: Simplify functional test using more classes
  * backups: Minor refactoring
  * backups: Simplify handling of migration to SSH keys
  * backups: Create .ssh folder before creating SSH key
  * backups: Fix showing proper error for incorrect passphrase
  * backups: Create a better comment in the generated SSH key file
  * backups: Fix type checking errors
  * action_utils: Implement utility to change umask temporarily
  * quassel: Explicitly set permissions on the domain configuration file
  * letsencrypt: When copying certificate reset the umask reliably
  * doc/dev: Set new theme for developer documentation
  * action_utils: Fix issue with type checking a generator
  * tests: functional: Increase systemd rate limits for starting units
  * js: When page load fails during install, show it to user
  * tests: functional: Fix reloading error page during install/uninstall
  * locale/de: Fix several translations with HTML links (German)
  * locale/bg: Fix several translations with HTML links (Bulgarian)
  * bin: Add tool to change FreedomBox password in Django database
  * ejabberd: Fix setting up certificates for multiple domains
  * gitweb: Fix issue with running post init due to missing method
  * wireguard: Fix format when showing multiple endpoints of the server
  * wireguard: Fix showing default route setting in server edit form
  * wireguard: Show status of default route in server information page
  * wireguard: Accept/use netmask with IP address for server connection
  * README/HACKING: Update weblate project path to /freedombox
  * *: Remove some absolute file paths in SVGs
  * matrixsynapse: Update apache config to proxy Synapse client API
  * cfg: Drop unused config_dir option
  * cfg: Drop unused actions_dir option
  * Vagrantfile: Drop unnecessary sudo configuration for actions
  * pyproject: Use new format to specify licenses
  * action_utils: Drop support for link-local IPv6 addresses
  * debian: Ensure that gbp creates a clean tarball prior to build
  * syncthing: tests: Fix tests by allowing rapid restarts
  * web_server: Log requests to WSGI app
  * *: Update URL base from /plinth to /freedombox
  * tests: functional: Fix expecting FreedomBox to be home page
  * web_framework: Allow FreedomBox apps to override templates
  * templates: Allow building pages without navigation bar and footer
  * apache: Preserve host header when proxying to service
  * oidc: New app to implement OpenID Connect Provider
  * oidc: Style the page for authorizing an OIDC app
  * apache: Implement protecting apps using OpenID Connect
  * featherwiki: Use OpenID Connect instead of pubtkt based SSO
  * syncthing: Use OpenID Connect instead of pubtkt based SSO
  * searx: Use OpenID Connect instead of pubtkt based SSO
  * rssbridge: Use OpenID Connect instead of pubtkt based SSO
  * email: Use OpenID Connect instead of pubtkt based SSO
  * calibre: Use OpenID Connect instead of pubtkt based SSO
  * deluge: Use OpenID Connect instead of pubtkt based SSO
  * gitweb: Use OpenID Connect instead of pubtkt based SSO
  * tiddlywiki: Use OpenID Connect instead of pubtkt based SSO
  * wordpress: Use OpenID Connect instead of pubtkt based SSO when private
  * transmission: Use OpenID Connect instead of pubtkt based SSO
  * doc/dev: Use OpenID Connect instead of pubtkt based SSO
  * sharing: Use OpenID Connect instead of pubtkt based SSO
  * sso: Merge into users module, drop pubtkt related code
  * apache: Fix diagnosing URLs protected by OpenID Connect
  [ 大王叫我来巡山 ]
  * Translated using Weblate (Chinese (Simplified Han script))
  [ Burak Yavuz ]
  * Translated using Weblate (Turkish)
  [ Coucouf ]
  * Translated using Weblate (French)
  * Translated using Weblate (French)
  [ Besnik Bleta ]
  * Translated using Weblate (Albanian)
  [ Dietmar ]
  * Translated using Weblate (German)
  [ James Valleroy ]
  * backups: Generate SSH client key if needed
  * backups: Display SSH public key when adding remote
  * backups: Copy SSH client public key to remote
  * backups: Use SSH key instead of password
  * backups: Use selected SSH credential for remote
  * backups: Test adding/removing remote location
  * backups: Arrange form for adding remote location
  * backups: Migrate to SSH key auth when mounting
  * Translated using Weblate (Greek)
  * mumble: murmurd renamed to mumble-server
  * Translated using Weblate (Tamil)
  * locale: Update translation strings
  * doc: Fetch latest manual
  * apache: Fix check_url test
  [ Frederico Gomes ]
  * container: Align terminology in printed banner
  * wireguard: filter .local addresses from showClient view
  * wireguard: improved server section UX flow
  * wireguard: show server vpn ip in show client page
  * wireguard: Fix split tunneling
  * miniflux: Revert workaround for a packaging bug with DB connection
  * db: Create a utility to get credentials from dbconfig
  * miniflux: Get credentials from dbconfig-common directly
  [ Pierfrancesco Passerini ]
  * Translated using Weblate (Italian)
  [ Daniel Wiik ]
  * Translated using Weblate (Swedish)
  * Translated using Weblate (Swedish)
  [ kosagi ]
  * Translated using Weblate (Catalan)
  [ Jiří Podhorecký ]
  * Translated using Weblate (Czech)
  [ Isak ]
  * Translated using Weblate (Swedish)
  [ Βασίλης Χατζηκαμάρης ]
  * Translated using Weblate (Greek)
  [ Benedek Nagy ]
  * doc/dev: always have an up-to-date copyright year
  [ தமிழ்நேரம் ]
  * Translated using Weblate (Tamil)
 -- James Valleroy <jvalleroy@mailbox.org>  Mon, 02 Mar 2026 21:35:46 -0500
 freedombox (26.3) unstable; urgency=medium
  [ Frederico Gomes ]
  * wireguard: Add 'Start Server' button
  * docs: Update container script usage
  * wireguard: Show next available client IP in Add Client form
  * wireguard: Show server endpoint on main app page
  [ James Valleroy ]
  * wireguard: Update functional tests to handle Start Server button
  * lintian: Remove mismatched overrides
  * Makefile: Fix removing extra license file
  * debian: Follows policy 4.7.3
  * debian: Remove default Rules-Requires-Root
  * debian: Remove preinst script
  * debian: Update copyright years
  * locale: Update translation strings
  * doc: Fetch latest manual
  [ Ettore Atalan ]
  * Translated using Weblate (German)
  [ Sunil Mohan Adapa ]
  * debian: Ignore lintian warning: service file missing Install section
  * wireguard: Remove NM connections when app is uninstalled
  * ui: Use HTMX to update notifications on partial page updates
  [ Joseph Nuthalapati ]
  * ui: Add HTMX as a dependency
  * ui: Use HTMX to eliminate full page reloads
  [ Burak Yavuz ]
  * Translated using Weblate (Turkish)
  [ Pierfrancesco Passerini ]
  * Translated using Weblate (Italian)
  [ 大王叫我来巡山 ]
  * Translated using Weblate (Chinese (Simplified Han script))
 -- James Valleroy <jvalleroy@mailbox.org>  Mon, 02 Feb 2026 20:41:30 -0500
 freedombox (26.2) unstable; urgency=medium
  [ Pierfrancesco Passerini ]
  * Translated using Weblate (Italian)
  [ Priit Jõerüüt ]
  * Translated using Weblate (Estonian)
  [ Joseph Nuthalapati ]
  * notifications: Close dropdown when clicking outside
  * gitweb: Fix deleting last repo disables app
  [ James Valleroy ]
  * doc: Fetch latest manual
 -- James Valleroy <jvalleroy@mailbox.org>  Tue, 20 Jan 2026 20:26:42 -0500
 freedombox (26.1) unstable; urgency=medium
  [ Besnik Bleta ]
  * Translated using Weblate (Albanian)
  [ 109247019824 ]
  * Translated using Weblate (Bulgarian)
  [ Максим Горпиніч ]
  * Translated using Weblate (Ukrainian)
  [ Burak Yavuz ]
  * Translated using Weblate (Turkish)
  [ Priit Jõerüüt ]
  * Translated using Weblate (Estonian)
  [ Jiří Podhorecký ]
  * Translated using Weblate (Czech)
  [ OwlGale ]
  * Translated using Weblate (Russian)
  [ Roman Akimov ]
  * Translated using Weblate (Russian)
  [ Dietmar ]
  * Translated using Weblate (German)
  * Translated using Weblate (Italian)
  [ Coucouf ]
  * Translated using Weblate (French)
  [ Ettore Atalan ]
  * Translated using Weblate (German)
  [ 大王叫我来巡山 ]
  * Translated using Weblate (Chinese (Simplified Han script))
  [ Pierfrancesco Passerini ]
  * Translated using Weblate (Italian)
  [ Joseph Nuthalapati ]
  * container: Add aliases for start/stop commands
 -- James Valleroy <jvalleroy@mailbox.org>  Mon, 05 Jan 2026 20:09:02 -0500
 freedombox (25.17.1) unstable; urgency=medium
  [ James Valleroy ]
  * vagrant: Enable EFI firmware
  * locale: Update translation strings
  * doc: Fetch latest manual
  [ Burak Yavuz ]
  * Translated using Weblate (Turkish)
  [ Besnik Bleta ]
  * Translated using Weblate (Albanian)
  [ Максим Горпиніч ]
  * Translated using Weblate (Ukrainian)
  [ 109247019824 ]
  * Translated using Weblate (Bulgarian)
  [ Jiří Podhorecký ]
  * Translated using Weblate (Czech)
  [ Benedek Nagy ]
  * transmission: remove obsolete apache redirects
  * minetest: Rename Minetest to Luanti
  [ Priit Jõerüüt ]
  * Translated using Weblate (Estonian)
  [ OwlGale ]
  * Translated using Weblate (Russian)
  [ Diego Roversi ]
  * Translated using Weblate (Italian)
  [ Pierfrancesco Passerini ]
  * Translated using Weblate (Italian)
  [ Sunil Mohan Adapa ]
  * minetest: Remove legacy code, use new name, conf, etc.
  * transmission: Deal with changes in latest forky package
  * backups: Set proper permissions for backups-data directory
  [ bsurajpatra ]
  * Translated using Weblate (Hindi)
 -- James Valleroy <jvalleroy@mailbox.org>  Mon, 15 Dec 2025 20:35:00 -0500
 freedombox (25.17) unstable; urgency=medium
  [ James Valleroy ]
  * homeassistant: Fix spelling in tests
  * locale: Update translation strings
  * doc: Fetch latest manual
  [ OwlGale ]
  * Translated using Weblate (Russian)
  [ kosagi ]
  * Translated using Weblate (Catalan)
  [ Coucouf ]
  * Translated using Weblate (French)
  [ Sunil Mohan Adapa ]
  * ui: Implement a toggle menu for setting dark mode
  * upgrades: Use bootstrap spinner button instead of custom styling
  * ui: Use default button style for tag buttons
  * ui: Fix dark theme color for form help text
  * ui: Fix dark theme colors for default button style
  * ui: Fix dark theme color for disabled form elements
  * ui: Dark theme color for tags text in an app card
  * ui: Drop colors defined in Bootstrap 5.3
  * ui: Fix dark theme colors for running status indicator
  * ui: Minor CSS refactor to use variables
  * ui: Fix dark theme color for select-all button
  * ui: Fix dark theme colors for app enable/disable toggle button
  * privileged: Don't log exception that are expected
  [ Priit Jõerüüt ]
  * Translated using Weblate (Estonian)
  [ Joseph Nuthalapati ]
  * l10n: Fix python-brace-format error in Estonian
 -- James Valleroy <jvalleroy@mailbox.org>  Mon, 08 Dec 2025 20:50:56 -0500
 freedombox (25.16) unstable; urgency=medium
  [ Burak Yavuz ]
  * Translated using Weblate (Turkish)
  [ 大王叫我来巡山 ]
  * Translated using Weblate (Chinese (Simplified Han script))
  [ Jiří Podhorecký ]
  * Translated using Weblate (Czech)
  [ Максим Горпиніч ]
  * Translated using Weblate (Ukrainian)
  [ Besnik Bleta ]
  * Translated using Weblate (Albanian)
  [ Dietmar ]
  * Translated using Weblate (German)
  * Translated using Weblate (Italian)
  [ Sunil Mohan Adapa ]
  * middleware: Implement middleware for common headers such as CSP
  * janus: Allow app to be installed from Debian unstable
  * janus: Relax content security policy for the video room
  * janus: Update the video room code from latest upstream
  * package: Prevent freedombox's deps from removal during app uninstall
  * dynamicdns: Use only IPv4 for GnuDIP protocol
  * jsxc: Fix missing dependencies
  * jsxc: Update content security policy to prevent style errors
  [ Roman Akimov ]
  * Translated using Weblate (Russian)
  [ James Valleroy ]
  * locale: Update translation strings
  * doc: Fetch latest manual
 -- James Valleroy <jvalleroy@mailbox.org>  Mon, 24 Nov 2025 20:30:35 -0500
 freedombox (25.15) unstable; urgency=medium
  [ Coucouf ]
  * Translated using Weblate (French)
  [ Sunil Mohan Adapa ]
  * views: Implement an API to retrieve the readiness status in JSON
  * main: Allow setting development mode from environment
  * Run service using systemd even for development
  * README: Use the Weblate's language chart widget
  * help: Fix serving images from help pages
  * matrixsynapse: Clarify how to change domain name in status section
  * matrixsynapse: Explain federation and link to testing tool
  * matrixsynapse: Explicitly set the trusted key server to matrix.org
  * ttrss: Remove app not available in Trixie
  [ Dietmar ]
  * Translated using Weblate (German)
  * Translated using Weblate (Italian)
  [ James Valleroy ]
  * locale: Update translation strings
  * doc: Fetch latest manual
 -- James Valleroy <jvalleroy@mailbox.org>  Mon, 10 Nov 2025 20:48:49 -0500
 freedombox (25.14) unstable; urgency=medium
  [ Coucouf ]
--- a/debian/control
+++ b/debian/control
@ -1,6 +1,5 @@
 Source: freedombox
 Section: web
 Priority: optional
 Maintainer: FreedomBox packaging team <freedombox-pkg-team@lists.alioth.debian.org>
 Uploaders:
 Tzafrir Cohen <tzafrir@debian.org>,
@ -12,55 +11,59 @@ Uploaders:
 James Valleroy <jvalleroy@mailbox.org>,
 Build-Depends:
 debhelper-compat (= 13),
 dh-sequence-installsysusers,
 dblatex,
 dh-python,
 docbook-xsl,
- e2fsprogs,
+ e2fsprogs <!nocheck>,
 gir1.2-nm-1.0,
- libjs-bootstrap5,
+ libjs-bootstrap5 <!nocheck>,
 libjs-htmx <!nocheck>,
 # Older libjs-bootstrap5 does not have proper dependency on popper.js >= 2.0
- node-popper2,
+ node-popper2 <!nocheck>,
 pybuild-plugin-pyproject,
 python3-all:any,
- python3-apt,
+ python3-apt <!nocheck>,
 python3-augeas,
- python3-bootstrapform,
+ python3-bootstrapform <!nocheck>,
 python3-build,
 python3-cherrypy3,
- python3-configobj,
+ python3-configobj <!nocheck>,
- python3-cryptography,
+ python3-cryptography <!nocheck>,
 python3-dbus,
 python3-django,
- python3-django-axes,
+ python3-django-axes <!nocheck>,
- python3-django-captcha,
+ python3-django-captcha <!nocheck>,
 # Explictly depend on ipware as it is optional dependecy of django-axes
- python3-django-ipware,
+ python3-django-ipware <!nocheck>,
- python3-django-stronghold,
+ python3-django-oauth-toolkit <!nocheck>,
 python3-django-stronghold <!nocheck>,
 python3-fido2 <!nocheck>,
 python3-gi,
 python3-markupsafe,
- python3-mypy,
+ python3-mypy <!nocheck>,
- python3-pampy,
+ python3-pampy <!nocheck>,
 python3-pexpect,
 python3-pip,
 python3-psutil,
- python3-pytest,
+ python3-pytest <!nocheck>,
- python3-pytest-cov,
+ python3-pytest-cov <!nocheck>,
- python3-pytest-django,
+ python3-pytest-django <!nocheck>,
- python3-pytest-runner,
+ python3-pytest-runner <!nocheck>,
 python3-requests,
 python3-ruamel.yaml,
 python3-segno <!nocheck>,
 python3-setuptools,
 python3-systemd,
- python3-typeshed,
+ python3-typeshed <!nocheck>,
 python3-yaml,
- sshpass,
+ sshpass <!nocheck>,
 xmlto,
 xsltproc
-Standards-Version: 4.6.2
+Standards-Version: 4.7.3
 Homepage: https://salsa.debian.org/freedombox-team/freedombox
 Vcs-Git: https://salsa.debian.org/freedombox-team/freedombox.git
 Vcs-Browser: https://salsa.debian.org/freedombox-team/freedombox
 Rules-Requires-Root: no
 Package: freedombox
 Breaks:
@ -73,12 +76,10 @@ Depends:
 ${python3:Depends},
 ${misc:Depends},
 ${freedombox:Depends},
 adduser,
 augeas-tools,
 bind9-dnsutils,
 curl,
 debconf,
 fonts-fork-awesome,
 # sgdisk is used in storage app to expand GPT disks
 gdisk,
 gettext,
@ -89,6 +90,7 @@ Depends:
 # For gdbus used to call hooks into service
 libglib2.0-bin,
 libjs-bootstrap5,
 libjs-htmx,
 lsof,
 netcat-openbsd,
 network-manager,
@ -108,7 +110,9 @@ Depends:
 python3-django-captcha,
 # Explictly depend on ipware as it is optional dependecy of django-axes
 python3-django-ipware,
 python3-django-oauth-toolkit,
 python3-django-stronghold,
 python3-fido2,
 python3-gi,
 python3-markupsafe,
 python3-pampy,
--- a/debian/copyright
+++ b/debian/copyright
@ -2,7 +2,7 @@ Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
 Source: https://salsa.debian.org/freedombox-team/freedombox
 Files: *
-Copyright: 2011-2025 FreedomBox Authors
+Copyright: 2011-2026 FreedomBox Authors
 License: AGPL-3+
 Files: plinth/modules/jsxc/static/icons/jsxc.png
@ -32,12 +32,16 @@ Copyright: 2012 FreedomBox Foundation
 Comment: Original Author: Robert Martinez
 License: GPL-3+
-Files: static/themes/default/icons/app-store.png
+Files: static/themes/default/icons/app-store.svg
       static/themes/default/icons/app-store.svg
 Copyright: Marie Van den Broeck (https://thenounproject.com/marie49/)
 Comment: https://thenounproject.com/icon/162372/
 License: CC-BY-SA-3.0
 Files: static/themes/default/js/color-modes.js
 Copyright: 2011-2025 The Bootstrap Authors
 Comment: https://getbootstrap.com/docs/5.3/customize/color-modes/
 License: CC-BY-3.0
 Files: plinth/modules/bepasty/static/icons/bepasty.svg
 Copyright: (c) 2014 by the Bepasty Team, see the AUTHORS file.
 Comment: https://github.com/bepasty/bepasty-server/blob/master/src/bepasty/static/app/bepasty.svg
@ -74,6 +78,7 @@ Files: plinth/modules/ejabberd/static/icons/ejabberd.png
       plinth/modules/rssbridge/static/icons/rssbridge.svg
       plinth/modules/zoph/static/icons/zoph.png
       plinth/modules/zoph/static/icons/zoph.svg
       static/themes/default/img/application.svg
       static/themes/default/img/network-connection.svg
       static/themes/default/img/network-connection-vertical.svg
       static/themes/default/img/network-ethernet.svg
@ -95,14 +100,6 @@ Copyright: 2020 Adwaita Icon Theme Authors, GNOME Project
 Comment: https://github.com/GNOME/adwaita-icon-theme/ http://www.gnome.org
 License: LGPL-3 or CC-BY-SA-3.0-US
 Files: static/themes/default/icons/f-droid.png
       static/themes/default/icons/f-droid.svg
 Copyright: 2012 William Theaker
           2013 Robert Martinez
           2015 Andrew Nayenko
 Comment: https://gitlab.com/fdroid/artwork/blob/master/fdroid-logo-2015/fdroid-logo.svg
 License: CC-BY-SA-3.0 or GPL-3+
 Files: plinth/modules/featherwiki/static/icons/featherwiki.png
       plinth/modules/featherwiki/static/icons/featherwiki.svg
 Copyright: 2022 Robbie Antenesse <dev@alamantus.com>
@ -115,15 +112,6 @@ Copyright: 2010 Git Authors
 Comment: https://github.com/git/git/blob/master/gitweb/static/git-logo.png
 License: GPL-2
 Files: static/themes/default/icons/google-play.png
 Copyright: Chameleon Design (https://thenounproject.com/Chamedesign/)
 Comment: https://thenounproject.com/icon/887917/
 License: CC-BY-3.0-US
 Files: static/themes/default/icons/gnu-linux.png
 Copyright: 2017 Cowemoji
 License: CC0-1.0
 Files: plinth/modules/homeassistant/static/icons/homeassistant.png
       plinth/modules/homeassistant/static/icons/homeassistant.svg
 Copyright: Home Assistant Core Developers
@ -143,7 +131,10 @@ License: ISC
 Files: plinth/modules/janus/static/icons/janus.png
       plinth/modules/janus/static/icons/janus.svg
-Copyright: 2014-2022 Meetecho
+       plinth/modules/janus/static/janus-video-room.css
       plinth/modules/janus/static/janus-video-room.js
       plinth/modules/janus/templates/janus_video_room.html
 Copyright: 2014-2025 Meetecho
 License: GPL-3 with OpenSSL exception
 Files: plinth/modules/kiwix/static/icons/kiwix.png
@ -152,12 +143,6 @@ Copyright: 2020 The other Kiwix guy
 Comment: https://commons.wikimedia.org/wiki/File:Kiwix_logo_v3.svg
 License: CC-BY-SA-4.0
 Files: static/themes/default/icons/macos.png
       static/themes/default/icons/macos.svg
 Copyright: Vectors Market (https://thenounproject.com/vectorsmarket/)
 Comment: https://thenounproject.com/icon/1203053/
 License: CC-BY-SA-3.0
 Files: plinth/modules/matrixsynapse/static/icons/matrixsynapse.png
 Copyright: 2017 Kishan Raval
 Comment: https://github.com/thekishanraval/Logos
@ -175,7 +160,7 @@ License: CC-BY-SA-3.0
 Files: plinth/modules/minetest/static/icons/minetest.svg
 Copyright: 2015 Calinou, Nils Dagsson Moskopp
-Comment: https://github.com/minetest/minetest/blob/master/misc/minetest.svg
+Comment: https://github.com/luanti-org/luanti/blob/master/misc/luanti.svg
 License: CC-BY-SA-3.0
 Files: plinth/modules/miniflux/static/icons/miniflux.png
@ -318,15 +303,6 @@ Copyright: Transmission Authors
 Comment: https://github.com/transmission/transmission/blob/master/gtk/icons/hicolor_apps_scalable_transmission.svg
 License: GPL-3
 Files: plinth/modules/ttrss/static/icons/ttrss.png
 Copyright: Mark James <mjames@gmail.com>
 License: CC-BY-3.0
 Files: plinth/modules/ttrss/static/icons/ttrss.svg
 Copyright: 2005 Andrew Dolgov
 Comment: https://git.tt-rss.org/fox/tt-rss/src/master/images/favicon-72px.png
 License: GPL-3+
 Files: plinth/modules/upgrades/data/usr/share/augeas/lenses/aptsources.aug
       plinth/modules/upgrades/data/usr/share/augeas/lenses/tests/test_aptsources.aug
 Copyright: 2007-2025 David Lutterkort
@ -340,12 +316,6 @@ Copyright: 2011-2021 WordPress Contributors
 Comment: https://github.com/WordPress/wordpress-develop/blob/master/src/wp-admin/images/wordpress-logo.svg
 License: GPL-2+
 Files: static/themes/default/icons/windows.png
       static/themes/default/icons/windows.svg
 Copyright: 2007 ruli (https://thenounproject.com/2007ruli/)
 Comment: https://thenounproject.com/icon/1206946/
 License: CC-BY-SA-3.0
 Files: plinth/modules/wireguard/static/icons/wireguard.png
       plinth/modules/wireguard/static/icons/wireguard.svg
 Copyright: 2019 WireGuard LLC
@ -357,9 +327,88 @@ Copyright: 2008 GNOME icon artists
 Comment: https://commons.wikimedia.org/wiki/File:Gnome-computer.svg
 License: LGPL-3+ or CC-BY-SA-3.0
 Files: static/themes/default/icons/adjust.svg
       static/themes/default/icons/android.svg
       static/themes/default/icons/arrow-right.svg
       static/themes/default/icons/ban.svg
       static/themes/default/icons/bar-chart.svg
       static/themes/default/icons/bars.svg
       static/themes/default/icons/bell-o.svg
       static/themes/default/icons/book.svg
       static/themes/default/icons/check-circle.svg
       static/themes/default/icons/check.svg
       static/themes/default/icons/chevron-right.svg
       static/themes/default/icons/clock-o.svg
       static/themes/default/icons/cog.svg
       static/themes/default/icons/comments.svg
       static/themes/default/icons/compass.svg
       static/themes/default/icons/debian.svg
       static/themes/default/icons/download.svg
       static/themes/default/icons/eject.svg
       static/themes/default/icons/exclamation-triangle.svg
       static/themes/default/icons/external-link.svg
       static/themes/default/icons/eye-slash.svg
       static/themes/default/icons/eye.svg
       static/themes/default/icons/f-droid.svg
       static/themes/default/icons/files-o.svg
       static/themes/default/icons/film.svg
       static/themes/default/icons/flag.svg
       static/themes/default/icons/freedombox.svg
       static/themes/default/icons/frown-o.svg
       static/themes/default/icons/globe-w.svg
       static/themes/default/icons/gnu-linux.svg
       static/themes/default/icons/google-play.svg
       static/themes/default/icons/hdd-o.svg
       static/themes/default/icons/heartbeat.svg
       static/themes/default/icons/heart.svg
       static/themes/default/icons/home.svg
       static/themes/default/icons/hourglass-o.svg
       static/themes/default/icons/info-circle.svg
       static/themes/default/icons/key.svg
       static/themes/default/icons/life-ring.svg
       static/themes/default/icons/line-chart.svg
       static/themes/default/icons/lock.svg
       static/themes/default/icons/macos.svg
       static/themes/default/icons/moon.svg
       static/themes/default/icons/pencil-square-o.svg
       static/themes/default/icons/plus.svg
       static/themes/default/icons/power-off.svg
       static/themes/default/icons/question-circle.svg
       static/themes/default/icons/refresh.svg
       static/themes/default/icons/repeat.svg
       static/themes/default/icons/rocket.svg
       static/themes/default/icons/shield.svg
       static/themes/default/icons/signal.svg
       static/themes/default/icons/smile-o.svg
       static/themes/default/icons/spinner.svg
       static/themes/default/icons/star.svg
       static/themes/default/icons/sun.svg
       static/themes/default/icons/tags.svg
       static/themes/default/icons/tag.svg
       static/themes/default/icons/terminal.svg
       static/themes/default/icons/th.svg
       static/themes/default/icons/times.svg
       static/themes/default/icons/trash-o.svg
       static/themes/default/icons/trash.svg
       static/themes/default/icons/upload.svg
       static/themes/default/icons/user.svg
       static/themes/default/icons/users.svg
       static/themes/default/icons/wifi.svg
       static/themes/default/icons/windows.svg
       static/themes/default/icons/wrench.svg
 Copyright: 2018, Fork Awesome
 Comment: https://github.com/ForkAwesome/Fork-Awesome/tree/master/src/icons/svg/
 License: OFL-1.1
 Files: static/themes/default/icons/fedora.svg
       static/themes/default/icons/homebrew.svg
 Copyright: 2026, Simple Icons
 Comment: https://github.com/simple-icons/simple-icons/
 License: CC0-1.0
 Files: debian/*
 Copyright: 2013 Tzafrir Cohen
-           2013-2024 FreedomBox Authors
+           2013-2026 FreedomBox Authors
 License: GPL-2+
 License: AGPL-3+
@ -2848,3 +2897,94 @@ License: Zlib
 .
 3. This notice may not be removed or altered from any source
 distribution.
 License: OFL-1.1
 This Font Software is licensed under the SIL Open Font License,
 Version 1.1.
 .
 This license is copied below, and is also available with a FAQ at:
 http://scripts.sil.org/OFL
 .
 SIL OPEN FONT LICENSE Version 1.1 - 26 February 2007
 .
 PREAMBLE The goals of the Open Font License (OFL) are to stimulate
 worldwide development of collaborative font projects, to support the font
 creation efforts of academic and linguistic communities, and to provide
 a free and open framework in which fonts may be shared and improved in
 partnership with others.
 .
 The OFL allows the licensed fonts to be used, studied, modified and
 redistributed freely as long as they are not sold by themselves.
 The fonts, including any derivative works, can be bundled, embedded,
 redistributed and/or sold with any software provided that any reserved
 names are not used by derivative works.  The fonts and derivatives,
 however, cannot be released under any other type of license.  The
 requirement for fonts to remain under this license does not apply to
 any document created using the fonts or their derivatives.
 .
 DEFINITIONS
 "Font Software" refers to the set of files released by the Copyright
 Holder(s) under this license and clearly marked as such.
 This may include source files, build scripts and documentation.
 .
 "Reserved Font Name" refers to any names specified as such after the
 copyright statement(s).
 .
 "Original Version" refers to the collection of Font Software components
 as distributed by the Copyright Holder(s).
 .
 "Modified Version" refers to any derivative made by adding to, deleting,
 or substituting ? in part or in whole ?
 any of the components of the Original Version, by changing formats or
 by porting the Font Software to a new environment.
 .
 "Author" refers to any designer, engineer, programmer, technical writer
 or other person who contributed to the Font Software.
 .
 PERMISSION & CONDITIONS
 .
 Permission is hereby granted, free of charge, to any person obtaining a
 copy of the Font Software, to use, study, copy, merge, embed, modify,
 redistribute, and sell modified and unmodified copies of the Font
 Software, subject to the following conditions:
 .
 1) Neither the Font Software nor any of its individual components, in
    Original or Modified Versions, may be sold by itself.
 .
 2) Original or Modified Versions of the Font Software may be bundled,
    redistributed and/or sold with any software, provided that each copy
    contains the above copyright notice and this license. These can be
    included either as stand-alone text files, human-readable headers or
    in the appropriate machine-readable metadata fields within text or
    binary files as long as those fields can be easily viewed by the user.
 .
 3) No Modified Version of the Font Software may use the Reserved Font
    Name(s) unless explicit written permission is granted by the
    corresponding Copyright Holder. This restriction only applies to the
    primary font name as presented to the users.
 .
 4) The name(s) of the Copyright Holder(s) or the Author(s) of the Font
    Software shall not be used to promote, endorse or advertise any
    Modified Version, except to acknowledge the contribution(s) of the
    Copyright Holder(s) and the Author(s) or with their explicit written
    permission.
 .
 5) The Font Software, modified or unmodified, in part or in whole, must
    be distributed entirely under this license, and must not be distributed
    under any other license. The requirement for fonts to remain under
    this license does not apply to any document created using the Font
    Software.
 .
 TERMINATION
 This license becomes null and void if any of the above conditions are not met.
 .
 DISCLAIMER
 THE FONT SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
 EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTIES OF
 MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT
 OF COPYRIGHT, PATENT, TRADEMARK, OR OTHER RIGHT.  IN NO EVENT SHALL THE
 COPYRIGHT HOLDER BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,
 INCLUDING ANY GENERAL, SPECIAL, INDIRECT, INCIDENTAL, OR CONSEQUENTIAL
 DAMAGES, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
 FROM, OUT OF THE USE OR INABILITY TO USE THE FONT SOFTWARE OR FROM OTHER
 DEALINGS IN THE FONT SOFTWARE.
--- a/debian/freedombox.lintian-overrides
+++ b/debian/freedombox.lintian-overrides
@ -24,3 +24,7 @@ freedombox: package-contains-documentation-outside-usr-share-doc [usr/lib/python
 # meant for user. However, don't install to /usr/libexec and follow systemd
 # convention instead.
 freedombox: executable-in-usr-lib [usr/lib/freedombox/freedombox-privileged]
 # [Install] section is missing for the privileged daemon service because it is
 # socket activated.
 freedombox: systemd-service-file-missing-install-key [usr/lib/systemd/system/freedombox-privileged.service]
--- a/debian/freedombox.postinst
+++ b/debian/freedombox.postinst
@ -13,21 +13,9 @@ sed -i 's+-:ALL EXCEPT root fbx (admin) (sudo):ALL+-:ALL EXCEPT root fbx plinth
 case "$1" in
    configure)
        if ! getent group plinth >/dev/null; then
            addgroup --system --quiet plinth
        fi
        if ! getent passwd plinth >/dev/null; then
            adduser --system --quiet --ingroup plinth --no-create-home --home /var/lib/plinth plinth
        fi
        chown plinth: /var/lib/plinth
        chown plinth: /var/lib/plinth/sessions
        if [ ! -e '/var/lib/freedombox/is-freedombox-disk-image' ]; then
            umask 377
            base64 < /dev/urandom | head -c 16 | sed -e 's+$+\n+' > /var/lib/plinth/firstboot-wizard-secret
            chown plinth:plinth /var/lib/plinth/firstboot-wizard-secret
            db_subst plinth/firstboot_wizard_secret secret $(cat /var/lib/plinth/firstboot-wizard-secret)
            db_input high plinth/firstboot_wizard_secret || true
            db_go
--- a/debian/freedombox.postrm
+++ b/debian/freedombox.postrm
@ -4,7 +4,6 @@ set -e
 case "$1" in
 purge)
    deluser --system --quiet plinth || true
    rm -rf /var/lib/plinth
    # Remove legacy directory too
--- a/debian/freedombox.preinst
+++ b/debian/freedombox.preinst
@ -1,43 +0,0 @@
 #!/bin/sh
 set -e
 case "$1" in
    upgrade)
        # Handle removing freedombox-setup-repositories.timer from 20.5.
        if dpkg --compare-versions "$2" le 20.7; then
            if [ -x "/usr/bin/deb-systemd-invoke" ]; then
               deb-systemd-invoke stop freedombox-setup-repositories.timer >/dev/null 2>/dev/null || true
            fi
            if [ -x "/usr/bin/deb-systemd-helper" ]; then
                deb-systemd-helper purge freedombox-setup-repositories.timer >/dev/null || true
                deb-systemd-helper unmask freedombox-setup-repositories.timer >/dev/null || true
            fi
            if [ -d /run/systemd/system ]; then
                systemctl daemon-reload
            fi
        fi
        # Handle removing freedombox-udiskie.service from 20.9.
        if dpkg --compare-versions "$2" le 20.9; then
            if [ -x "/usr/bin/deb-systemd-invoke" ]; then
                deb-systemd-invoke stop freedombox-udiskie.service >/dev/null 2>/dev/null || true
            fi
            if [ -x "/usr/bin/deb-systemd-helper" ]; then
                deb-systemd-helper purge freedombox-udiskie.service >/dev/null || true
                deb-systemd-helper unmask freedombox-udiskie.service >/dev/null || true
            fi
            if [ -d /run/systemd/system ]; then
                systemctl daemon-reload
            fi
        fi
        ;;
 esac
 #DEBHELPER#
 exit 0
--- a/debian/freedombox.sysusers
+++ b/debian/freedombox.sysusers
@ -0,0 +1 @@
 u! plinth - "FreedomBox service" /var/lib/plinth
--- a/debian/freedombox.tmpfiles
+++ b/debian/freedombox.tmpfiles
@ -0,0 +1,3 @@
 d /var/lib/plinth 0755 plinth plinth
 d /var/lib/plinth/sessions 0755 plinth plinth
 Z /var/lib/plinth/firstboot-wizard-secret 0400 plinth plinth
--- a/debian/gbp.conf
+++ b/debian/gbp.conf
@ -1,6 +1,9 @@
 [DEFAULT]
 debian-branch = main
 [buildpackage]
 export-dir = ../build-area/
 [dch]
 git-log = --no-merges
 multimaint-merge = True
--- a/debian/source/lintian-overrides
+++ b/debian/source/lintian-overrides
@ -5,7 +5,4 @@
 very-long-line-length-in-source-file * [doc/manual/*.raw.wiki:*]
 # Misc. files which can't be fixed to have short line lengths.
 very-long-line-length-in-source-file * [plinth/modules/deluge/tests/data/sample.torrent:*]
 very-long-line-length-in-source-file * [plinth/modules/transmission/tests/data/sample.torrent:*]
 very-long-line-length-in-source-file * [doc/visual_design/FreedomBox-Logo.7z:*]
 very-long-line-length-in-source-file * [COPYING.md:*]
--- a/debian/tests/access-web-interface
+++ b/debian/tests/access-web-interface
@ -0,0 +1,16 @@
 #!/bin/sh
 set -e
 # Wait for FreedomBox setup to complete.
 sleep 30
 journalctl --unit=plinth --unit=freedombox-privileged
 # Get FreedomBox status
 curl --location --cookie "" --fail --write-out "%{response_code}" --insecure \
     --stderr - https://localhost/freedombox/status/
 # Access FreedomBox interface
 curl --location --cookie "" --fail --write-out "%{response_code}" --insecure \
     --stderr - https://localhost/freedombox/
--- a/debian/tests/control
+++ b/debian/tests/control
@ -16,3 +16,13 @@ Restrictions: needs-root, breaks-testbed
 Test-Command: PYTHONPATH='/usr/lib/python3/dist-packages/' py.test-3 -p no:cacheprovider --cov=plinth --cov-report=html:debci/htmlcov --cov-report=term
 Depends: e2fsprogs, git, python3-pytest, python3-pytest-cov, python3-pytest-django, @
 Restrictions: breaks-testbed
 #
 # Try to access the FreedomBox web interface.
 #
 # iptables package installs alternatives files, with iptables-nft as default alternative.
 # Without it, firewalld has this error: INVALID_IPV: 'ipv4' is not a valid backend or is unavailable
 #
 Tests: access-web-interface
 Depends: iptables, @
 Restrictions: needs-root, isolation-machine, breaks-testbed
--- a/doc/Makefile
+++ b/doc/Makefile
@ -109,20 +109,25 @@ manual-pages-xml:=$(patsubst %.raw.wiki, %.xml, $(manual-pages-raw-wiki))
 manual-pages: $(manual-pages-part-html)
 $(manual-pdfs): %.pdf: %.xml
-	xmlto $(XMLTO_DEBUG_FLAGS) --with-dblatex pdf -o $(dir $@) $<
+	@echo "[PDF]       $<"
 	@xmlto $(XMLTO_DEBUG_FLAGS) --with-dblatex pdf -o $(dir $@) $< 2> /dev/null
 $(manual-pages-part-html): %.part.html: %.xml
-	xsltproc /usr/share/xml/docbook/stylesheet/docbook-xsl/xhtml5/docbook.xsl $< | \
+	@echo "[XSLT]      $<"
 	@xsltproc /usr/share/xml/docbook/stylesheet/docbook-xsl/xhtml5/docbook.xsl $< 2> /dev/null | \
 	perl -pe 'BEGIN {undef $$/} s/.*<body[^>]*>(.*)<\/body\s*>.*/$$1/si' > $@
-	@rm -f $(dir $@)docbook.css
+	@rm -f docbook.css
 $(manual-xmls) $(manual-pages-xml): %.xml: %.raw.wiki $(SCRIPTS_DIR)/wikiparser.py
-	$(SCRIPTS_DIR)/wikiparser.py $< | xmllint --format - > $@
+	@echo "[WIKIPARSE] $<"
 	@$(SCRIPTS_DIR)/wikiparser.py $< | xmllint --format - > $@
 %.1: %.xml
-	xmlto man $<
+	@echo "[MAN]       $<"
 	@xmlto man $< 2> /dev/null
 .PHONY: clean
 clean:
-	rm -f $(manual-pages-part-html) $(manual-pages-xml) $(manual-xmls)
+	@echo "[RM]        {part-htmls} {xmls} {manuals} {outputs}"
-	rm -f $(OUTPUTS)
+	@rm -f $(manual-pages-part-html) $(manual-pages-xml) $(manual-xmls)
 	@rm -f $(OUTPUTS)
--- a/doc/dev/README.rst
+++ b/doc/dev/README.rst
@ -19,6 +19,7 @@ Install the following Debian packages:
 * python3-sphinx
 * python3-sphinx-autobuild
 * python3-sphinx-book-theme
 * python3-django
 * python3-django-axes
 * python3-django-captcha
--- a/doc/dev/_static/logo.svg
+++ b/doc/dev/_static/logo.svg
--- a/doc/dev/_templates/layout.html
+++ b/doc/dev/_templates/layout.html
@ -1,15 +0,0 @@
 {%- extends "alabaster/layout.html" %}
 {%- block footer %}
  <div class="footer">
    {% if show_copyright %}&copy;{{ copyright }} | {% endif %}
    Licensed under the <a href="https://creativecommons.org/licenses/by-sa/4.0/">
    CC BY-SA 4.0</a> license
    {%- if show_source and has_source and sourcename %}
      {% if show_copyright or theme_show_powered_by %}|{% endif %}
      <a href="{{ pathto('_sources/' + sourcename, true)|e }}"
         rel="nofollow">{{ _('Page source') }}</a>
    {%- endif %}
  </div>
 {% endblock %}
--- a/doc/dev/conf.py
+++ b/doc/dev/conf.py
@ -15,6 +15,7 @@ list see the documentation: http://www.sphinx-doc.org/en/master/config
 #
 import os
 import sys
 from datetime import datetime
 import django
@ -26,7 +27,7 @@ django.setup()
 # pylint: disable=invalid-name
 project = 'FreedomBox'
-copyright = '2021-2025, FreedomBox Authors'
+copyright = f'2021-{datetime.now().year}'
 author = 'FreedomBox Authors'
 # The short X.Y version
@ -82,15 +83,23 @@ pygments_style = None
 # The theme to use for HTML and HTML Help pages.  See the documentation for
 # a list of builtin themes.
 #
-html_theme = 'alabaster'
+html_theme = 'sphinx_book_theme'
 # Theme options are theme-specific and customize the look and feel of a theme
 # further.  For a list of options available for each theme, see the
 # documentation.
 #
 html_theme_options = {
-    'fixed_sidebar': True,
+    'home_page_in_toc': True,
-    'show_related': True,
+    'repository_provider': 'gitlab',
    'repository_url': 'https://salsa.debian.org/freedombox-team/freedombox/',
    'use_edit_page_button': True,
    'use_source_button': True,
    'use_repository_button': True,
    'use_issues_button': True,
    'path_to_docs': 'doc/dev/',
    'extra_footer': 'Licensed under the <a href="https://creativecommons.org/'
                    'licenses/by-sa/4.0/">CC BY-SA 4.0</a> license.',
 }
 # Add any paths that contain custom static files (such as style sheets) here,
@ -221,3 +230,4 @@ autodoc_mock_imports = [
 ]
 html_favicon = './_static/favicon.ico'
 html_logo = './_static/logo.svg'
--- a/doc/dev/reference/components/webserver.rst
+++ b/doc/dev/reference/components/webserver.rst
@ -8,6 +8,3 @@ Webserver
 .. autoclass:: plinth.modules.apache.components.WebserverRoot
   :members:
 .. autoclass:: plinth.modules.apache.components.Uwsgi
   :members:
--- a/doc/dev/tutorial/components.rst
+++ b/doc/dev/tutorial/components.rst
@ -291,10 +291,8 @@ file ``transmission-plinth.conf``, add the following.
  <Location /transmission>
      ...
-      Include          includes/freedombox-single-sign-on.conf
+      Use AuthOpenIDConnect
-      <IfModule mod_auth_pubtkt.c>
+      Use RequireGroup bit-torrent
          TKTAuthToken "admin" "bit-torrent"
      </IfModule>
  </Location>
 Showing a shortcut in the front page
--- a/doc/manual/en/APU.raw.wiki
+++ b/doc/manual/en/APU.raw.wiki
@ -2,7 +2,7 @@
 {{attachment:apu1d.jpg|PC Engines APU 1D|width=632,height=319}}
-[[http://www.pcengines.ch/apu1d.htm|PC Engines APU 1D]] is a single board computer with 3 Gigabit ethernet ports, a powerful AMD APU and Coreboot firmware.  !FreedomBox images built for AMD64 machines are tested to work well for it.
+[[https://www.pcengines.ch/apu.htm|PC Engines APU]] boards are single board computers with 3 Gigabit ethernet ports, a powerful AMD64 APU and Coreboot firmware.  !FreedomBox images built for AMD64 machines are tested to work well for [[http://www.pcengines.ch/apu1d.htm|APU1D]] and [[http://www.pcengines.ch/apu3b2.htm|APU3B ]] models and are expected to work also well on the other, very similar versions.
 '''Important:''' Read [[FreedomBox/Hardware|general advice]] about hardware before building a !FreedomBox with this single board computer.
@ -21,21 +21,26 @@ Although untested, the following similar hardware is also likely to work well wi
  * [[http://www.pcengines.ch/apu2c4.htm|apu2c4]]
  * [[http://www.pcengines.ch/apu3a2.htm|apu3a2]]
  * [[http://www.pcengines.ch/apu3a4.htm|apu3a4]]
  * [[http://www.pcengines.ch/apu3b2.htm|apu3b2]]
  * [[http://www.pcengines.ch/apu3b4.htm|apu3b4]]
-=== Download ===
+=== Installation ===
 !FreedomBox disk [[FreedomBox/Download|images]] for this hardware are available.  Follow the instructions on the [[FreedomBox/Download|download]] page to create a !FreedomBox SD card, USB disk, SSD or hard drive and boot into !FreedomBox.  Pick the image meant for all amd64 machines.
 An alternative to downloading these images is to [[InstallingDebianOn/Alix3d2|install Debian]] on the APU and then [[FreedomBox/Hardware/Debian|install FreedomBox]] on it.
 An [[https://github.com/huubsch/APU-Installation-HomeAssistant-Freedombox|installation manual]] tested on the APU3B is available on GitHub, including flashing with UEFI-BIOS
 === Networking ===
 The first network port, the left most one in the above picture, is configured by !FreedomBox to be an upstream Internet link and the remaining 2 ports are configured for local computers to connect to.
 === Availability ===
 PCEngines announced the [[https://www.pcengines.ch/eol.htm|phase-out]] of these boards in June 2023.
 In 2024 [[https://pcengines.github.io/|Dasharo announced the support of APU-boards]] : coreboot + SeaBIOS and coreboot+UEFI.
 * Price: 110 - 170 USD (depending on the board and supplier)
 * [[http://www.pcengines.ch/order.htm|PC Engines]]
 * [[http://www.pcengines.ch/order.htm|Full list of suppliers]]
@ -43,18 +48,17 @@ The first network port, the left most one in the above picture, is configured by
 === Hardware ===
 * Open Hardware: No
- * CPU: [[http://www.amd.com/en-gb/products/embedded/processors/g-series|AMD G series T40E]]
+ * CPU: [[http://www.amd.com/en-gb/products/embedded/processors/g-series|AMD G series T40E]]; [[https://teklager.se/en/amd-gx-412tc-cpu-specification/|GX-412TC]], 1 GHz quad core (depending on model)
- * RAM: 2 GB DDR3-1066 DRAM
+ * RAM: 2 GB DDR3-1066 DRAM - 4 GB (depending on model)
- * Storage: SD card, External USB
+ * Storage: SD card, External USB, mSATA module
 * Architecture: amd64
 * Ethernet: 3 Gigabit Ethernet ports
- * !WiFi: None, use a [[FreedomBox/Hardware/USBWiFi|USB WiFi device]]
+ * WiFi: wle200nx / wle600vx / wle900vx miniPCI express wireless modules
- * SATA: 1 m-SATA and 1 SATA
+ * SATA: 1 mSATA-module and 1 SATA
 === Non-Free Status ===
 * Non-free blobs required: No
 * !WiFi: Not available
 * Boot firmware: [[http://www.pcengines.ch/apu1d.htm|Coreboot]]
 ## END_INCLUDE
@ -62,4 +66,4 @@ The first network port, the left most one in the above picture, is configured by
 <<Include(FreedomBox/Portal)>>
 ----
-CategoryFreedomBox
+CategoryFreedomBox CategoryFreedomBox
--- a/doc/manual/en/Hardware.raw.wiki
+++ b/doc/manual/en/Hardware.raw.wiki
@ -12,7 +12,17 @@ In addition to supporting various single board computers and other devices, any
 == Recommended Hardware ==
-On April 22nd, 2019, the !FreedomBox Foundation announced the [[https://freedomboxfoundation.org/buy/|sales]] of the Pioneer Edition !FreedomBox Home Server Kits. This is the recommended pre-installed hardware for all users who don't wish to build their own !FreedomBox by choosing the right components, downloading the image and preparing an SD card with !FreedomBox.
+=== Libre Crafts FreedomBox ===
 Libre Crafts in an endeavor from the !FreedomBox developers themselves to bring you a powerful !FreedomBox device capable of hosting even the most demanding home server needs. The device is crafted, tested, and delivered to you by !FreedomBox developers. Your purchase helps !FreedomBox development.
 This hardware features a powerful CPU, plenty of main memory, a fast OS disk, ability to add two high capacity hard disk drives, dual multi-gigabit Ethernet ports, all with a low power consumption. Use it to host all your photos, to backup all home devices, as a NAS, as home automation hub, as a desktop computer, and more all at once. 
 ||<style="text-align: center;"> [[FreedomBox/Hardware/LibreCrafts|{{attachment:libre-crafts.png|Libre Crafts FreedomBox|height=300}}]]<<BR>> [[FreedomBox/Hardware/LibreCrafts|Libre Crafts FreedomBox]] ||
 === Olimex's FreedomBox Pioneer Edition ===
 On April 22nd, 2019, the !FreedomBox Foundation announced the [[https://freedomboxfoundation.org/buy/|sales]] of the Pioneer Edition !FreedomBox Home Server Kits. This pre-installed hardware is for all users who don't wish to build their own !FreedomBox by choosing the right components, downloading the image and preparing an SD card with !FreedomBox.
 The kit includes all the hardware needed for launching a !FreedomBox home server on an Olimex A20-OLinuXino-LIME2 board. This product provides the perfect combination of open source hardware and free and open source software. By purchasing this product, you also support the !FreedomBox Foundation's efforts to create and promote its free and open source server software.
--- a/doc/manual/en/HomeAssistant.raw.wiki
+++ b/doc/manual/en/HomeAssistant.raw.wiki
@ -21,7 +21,7 @@ Home Assistant app is considered experimental in !FreedomBox as it is fairly new
 === Hardware ===
-Home Assistant can detect, configure, and use various devices on the local network. For example, if a device is connected using Wi-Fi or LAN to the same network as !FreedomBox, Home Assistant can detect, configure, and use the device. Other home automation protocols such as Thread, !ZigBee, and Z-Wave are also supported but require additional hardware to be connected to your !FreedomBox. For example, if you have a door sensor that speaks !ZigBee, you need to attach a !ZigBee USB dongle to your !FreedomBox. Home Assistant can then detect and use the door sensor on the !ZigBee network.
+Home Assistant can detect, configure, and use various devices on the local network. For example, if a device is connected using Wi-Fi or LAN to the same network as !FreedomBox, Home Assistant can detect, configure, and use the device. Other home automation protocols such as Thread, !ZigBee, and Z-Wave are also supported but require additional hardware to be connected to your !FreedomBox. For example, if you have a door sensor that speaks !ZigBee, you need to attach a !ZigBee USB dongle to your !FreedomBox. Home Assistant can then detect and use the door sensor on the !ZigBee network. '''Note:''' if you attach any such hardware to FreedomBox after you install the Home Assistant app, then you need to disable and re-enable the Home Assistant app before the hardware can be discovered and used by Home Assistant.
 Home Assistant is a comprehensive solution for your home automation needs supporting thousands of devices. You can check whether a device is supported by Home Assistant by visiting the [[https://www.home-assistant.io/integrations/|integrations]] page. Other devices which are not listed may also be supported when they are similar to supported devices. It is recommended that you purchase hardware that advertises support for Home Assistant.
--- a/doc/manual/en/Passkeys.raw.wiki
+++ b/doc/manual/en/Passkeys.raw.wiki
@ -0,0 +1,117 @@
 #language en
 ##TAG:TRANSLATION-HEADER-START
 ~- [[FreedomBox/Guide/Passkeys|English]] - [[es/FreedomBox/Guide/Passkeys|Español]] - [[DebianWiki/EditorGuide#translation|(+)]] -~
 ##TAG:TRANSLATION-HEADER-END
 <<TableOfContents>>
 ## BEGIN_INCLUDE
 == Use Passkeys to Improve Login Security ==
 {{{#!wiki tip
 Passkeys are strongly recommended over passwords.
 }}}
 '''Available since''': !FreedomBox 26.6
 !FreedomBox allows users to login to their account with passkeys. Passkeys are way to verify user's identity using digital signatures. They are a more secure alternative to passwords. Secret information is kept with the user on their phone, laptop, or a hardware token and unlocked using a PIN, fingerprint, or face ID. No secrets are stored on the server. The server knows only the public information that can be used to verify user's signatures.
 === How do passkeys work? ===
 After the user logs into their account, one or more passkeys can be added to the account from the 'Manage Passkeys' page. At the time of adding passkeys, the passkey hardware (or authenticator), will generate a public and private key pair that is tied to the domain and user account. The private key is kept in the hardware and public key is provided to the server. The server stores the public key along with user account. Later when a user is trying to log in to their account, the server sends a long randomly generated string to the authenticator called the challenge. The hardware digitally signs the challenge using the private key and sends it to the server. The server is able to verify that the signature is made by the holder of private key by just using the public key that it has (this is a feature of public/private key pairs). Once verified, the server logs into the user account associated with that public key.
 During this process, the browser acts as a trusted intermediary between the passkey hardware and the server. It ensures that the user is verified by providing PIN, fingerprint, face ID, etc. It also ensures that a passkey is only used with the domain it is meant for.
 === Better security ===
 Passkeys provide better security than passwords:
 * '''Multi-factor authentication''': During registration of a passkey and during login, !FreedomBox requests that the browser verify the user. This means the user will need to unlock the authenticator device by providing a PIN, fingerprint, face ID, etc. This acts as one of the authentication factors: "something you know" or "something your are". Another authentication factor is "something that you have": the hardware that stores your passkey (such as Solokey, Nitrokey, or Yubikey) or a phone. Together, this is similar to using a password along with a second factor authentication. So, passkeys can replace two-factor authentication while being much more convenient and easier to use.
 * '''No reuse''': Passkeys are never reused. For each domain a separate passkey is generated and used. Browsers ensure that passkey for a domain is never used with another domain. Unlike reused passwords, when a website or a service is compromised, adversaries can't use that to gain access to your account in different website or service. This also prevents phishing attacks were adversarial websites pretend to be legitimate ones.
 * '''No secrets on the server''': The website allowing use of passkeys for login does not store any secret information. It only stores the public key part of the passkey. If this information is obtained by an adversary, they will not be able to login to the website. Only the private key stored on the authenticator device can be used to login to the website (since only a private key can create signatures needed for login process).
 * '''No guessing''': The secret part of a passkey is much more impractical to guess compared to a password. There is no risk that someone will be able to guess your password and access your account. There is no risk that you might accidentally set a predictable password.
 * '''Convenience''': Users don't need to remember username, email, or a secret to login to a website. They don't need to receive OTP via text or email, use TOTP app, or confirm login using a mobile app. After clicking on the 'Login with passkey' button, they unlock their authenticator using a PIN, fingerprint, or face ID. Then they physically tap on the authenticator (if necessary). The user is then logged in. There are fewer things to remember. Even the PIN for a hardware authenticator is typically easier to remember than a password. This convenience encourages users to use this mechanism, ultimately leading to better security.
 === Hardware Needed for Passkeys ===
 {{{#!wiki tip
 '''[[https://solokeys.com/|Solokeys]]''' are recommend for passkey storage by the !FreedomBox project.
 * The [[https://github.com/solokeys/solo2|firmware]] (the OS for the hardware) is free software.
 * The [[https://github.com/solokeys/solo2-hw|hardware]] designs are free too.
 * The Solokeys team and the !FreedomBox team collaborate.
 }}}
 There are many ways to get started with passkeys:
 * '''Separate passkey hardware''': The recommended way to store passkeys is on a specific hardware key. In this setup, the private key part of the passkey never leaves the hardware device. They are also typically built such that it is hard for an adversary with physical access the device to extract passkey from it. Another advantage of these devices is that the hardware can be used with all your existing devices such as phones, laptops, and desktops. These devices interact with phones and desktops using USB, Bluetooth, or NFC tap. In case of NFC, the device works with proximity from the phone without additional power. When using a separate hardware, however, you must have a backup way of logging into your account in the event that you loose the hardware device. This could be an additional passkey hardware or a password. See the section on backup below.
 * '''Builtin passkey hardware''': When a separate hardware device is not available, specialized hardware, such as a TPM, built into the computer is preferable. This setup will still ensure that passkeys do not leave the hardware. One disadvantage of this approach is that the passkey only works with that device and you will need register each device you use separately.
 * '''Password managers''': As a last resort, one could use password managers that support passkeys and work with your browser or OS. Android, iOS, and Windows offer such password managers. Passkeys stored in password managers are typically synchronized to the cloud and a breach of that service/account could result in compromise of all your accounts. However, they work across multiple devices and you typically don't have to worry about loosing a single hardware device. 
 === Naming Your Passkey ===
 In !FreedomBox, when a passkey is added to your account, it by default named as 'Key 1'. The next one will be named 'Key 2' and so on. However, it is good practice to name them such that you know which device they are stored on. For example, you can name them 'Key on Primary Solokey', 'Key on Android Phone', etc. If a device is lost, you can login to your account and remove that key from the list of passkeys associated with your account.
 === Multiple Domains ===
 Each passkey is strictly tied to a domain and never used for another domain. This necessary to ensure that a malicious domain does not impersonate a legitimate domain. Hence, if your !FreedomBox is configured with multiple domains, then the browser and hardware authenticator device will treat them as separate accounts for the purpose of authentication with passkeys. This means you need to register separate passkeys for each of your domains.
 For example, assume your !FreedomBox has two domains configured mydomain1.fbx.one and mydomain2.example. Visit mydomain1.fbx.one, log in to your account, and add a passkey. This passkey will be tied to this domain. When you are trying to log in, the passkey will work if you are accessing mydomain1.fbx.one but it won't work when accessing mydomain2.example. To make the second domain work, you need to add a second passkey while accessing your !FreedomBox with the domain name mydomain2.example. Two passkeys are then stored in your hardware token. First one will be tied to mydomain1.fbx.one and will only be used when accessing that domain. Second one will be tied to mydomain2.example and will only be used when accessing that domain.
 === Multiple User Accounts ===
 When you use a passkey hardware for multiple user accounts on the same !FreedomBox, separate passkeys will be created for each of the accounts. Each passkey will be assigned the username of the account it is tied to. This information is stored in the passkey as well as the server. During login, the browser will prompt to select the user account you want to log into. If only a single passkey exists for a given domain name, then the selection dialog is not shown and user will login to the account corresponding to the passkey.
 === Backup for Passkey ===
 In case the device storing your passkey is lost, you need alternate ways to login to you account:
 1. You can register and maintain two passkeys on two separate devices. For example, your primary passkey could be on a Solokey hardware token and the second passkey could be on an Android phone or another Solokey hardware token. If one is lost, you can login with the other. This is the recommended approach.
 1. !FreedomBox continues to support passwords even after passkeys are registered.  So, if a passkey device is lost, you can login with a password.
 1. If you forget your password and if your user account is not the only administrator account on the !FreedomBox, you can ask an administrator to reset your password. After that you can register a new passkey stored on a new device.
 === Supported Platforms ===
 Passkeys are based on WebAuthn, a standard published by World Wide Web Consortium. So, !FreedomBox's implementation is expected to work wherever passkeys work. It has been tested as follows:
 || '''OS/Device''' || '''Browser''' || '''Authenticator''' || '''Result''' ||
 || GNU/Linux || Firefox || Solokeys || Pass ||
 || GNU/Linux || Firefox || Yubikey || Pass ||
 || GNU/Linux || Chromium || Solokeys || Pass ||
 || GNU/Linux || GNOME Web || - || Fail (Browser does not support Webauthn) ||
 || Windows || Firefox || Windows Hello || Pass ||
 || Windows || Firefox || Solokeys || Pass ||
 || Windows || Firefox || Android Phone || Pass ||
 || Windows || Chrome || Windows Hello || Pass ||
 || Windows || Chrome || Solokeys || Pass ||
 || Windows || Chrome || Android Phone || Pass ||
 || Windows || Edge || Windows Hello || Pass ||
 || Windows || Edge || Solokeys || Pass ||
 || Windows || Edge || Android Phone || Pass ||
 || Android || Firefox || Google Password Manager || Pass ||
 || Android || Firefox || Solokeys USB || Fail (Touch is not detected after PIN entry) ||
 || Android || Firefox || Solokeys NFC || Fail (Need to understand NFC setup) ||
 || Android || Firefox || Another device || Untested ||
 || Android || Chrome || Google Password Manager || Pass ||
 || Android || Chrome || Solokeys USB || Fail (Touch is not detected after PIN entry) ||
 || Android || Chrome || Solokeys NFC || Fail (Need to understand NFC setup) ||
 || Android || Chrome || Another device || Untested ||
 ## END_INCLUDE
 Back to [[FreedomBox/Features|Features introduction]] or [[FreedomBox/Manual|manual]] pages.
 <<Include(FreedomBox/Portal)>>
 ----
 CategoryFreedomBox
--- a/doc/manual/en/PioneerEdition.raw.wiki
+++ b/doc/manual/en/PioneerEdition.raw.wiki
@ -25,7 +25,8 @@ The [[https://www.olimex.com/Products/OLinuXino/Home-Server/Pioneer-FreedomBox-H
 * an optional storage add-on for hard disk (HDD) or solid-state drive (SSD)
 === Recommended Hardware ===
-This is the hardware recommended for all users who just want a turn-key !FreedomBox, and '''don't''' want to '''build''' their own one.
+
 This is a hardware recommended for all users who just want a turn-key !FreedomBox, and '''don't''' want to '''build''' their own one.
 (Building your own !FreedomBox means some technical stuff like choosing and buying the right components, downloading the image and preparing the SD card).
--- a/doc/manual/en/ReleaseNotes.raw.wiki
+++ b/doc/manual/en/ReleaseNotes.raw.wiki
@ -8,6 +8,301 @@ For more technical details, see the [[https://salsa.debian.org/freedombox-team/f
 The following are the release notes for each !FreedomBox version.
 == FreedomBox 26.8 (2026-05-11) ==
 * locale: Update translations for German, Italian
 * api: Drop access-info API
 == FreedomBox 26.7.1 (2026-04-28) ==
 * radicale, bepasty: Fix issue with failed diagnostic test
 * radicale: Enable lc_username for case-insensitive auth
 * radicale: Fix issue with parsing new configuration file
 * radicale: tests: functional: Better checking for well-known URLs
 == FreedomBox 26.7 (2026-04-20) ==
 * debian: tests: Add test to access interface status
 * locale: Update translations for Albanian, Chinese (Simplified Han script), Czech, French, German, Italian, Swedish, Turkish
 == FreedomBox 26.6 (2026-04-06) ==
 === Highlights ===
 * users: Add support for logging in with passkeys
 === Other Changes ===
 * d/control: Add fido2 library as dependency
 * locale: Update translations for French, German, Hindi, Italian
 * service: Capture stdout/stderr when running as systemd unit
 * users: Add link to guide on passkeys
 * users: Add support for registering, editing, and deleting passkeys
 * views: Add a decorator to handle exceptions in JSON views
 == FreedomBox 26.5.1 (2026-03-26) ==
 * debian/control: Fix building with nocheck profile
 * debian/copyright: Drop a removed file, correct path for another
 * locale: Update translations for Albanian, Turkish
 * web_server: Fix locating SVG icons on production setup
 == FreedomBox 26.5 (2026-03-23) ==
 === Highlights ===
 * action_utils: Don't restart web interface when installing an app
 * apache: Use a Uwsgi native socket systemd unit for each app
 * ui: Use inline SVG icons for all apps
 * wireguard: Fix freedombox VPN IP for services
 === Other Changes ===
 * action_utils: Stop associated service when stopping a socket unit
 * apache: Increase OpenID Connect RP session timeout activity
 * apache: Minor improvement to getting the request host
 * app: Fix build issue with Django 5.x
 * clients: Fix formatting of package row in table
 * clients: Fix show empty clients in Desktop section
 * clients: Use SVG icons when showing external links
 * container: Add option to skip install
 * container: Fix image extension to .raw for systemd v260
 * doc: Reduce verbosity when building documentation
 * html: Drop trailing slash from void elements
 * html: Drop type attribute value of text/javascript
 * janus: Drop unused reference to font-awesome
 * letsencrypt: Don't perform operations on apps that are not installed
 * locale: Update translations for German, Russian, Swedish
 * pagekite: Fix issue with adding custom services
 * tests: functional: Drop undefined 'sso' pytest mark
 * ui: Add rest of the icons used from fork-awesome set
 * ui: Better placement for dropdown indicator in dropdown button
 * ui: Drop fonts-fork-awesome as dependency
 * ui: Rename 'plinth_extras' template tags module to 'extras'
 * ui: Simplify SVG app icons for using them inline in HTML
 * ui: Use inline SVG icons for buttons, messages, spinners, etc.
 * wireguard: Add button for direct APK download
 * wireguard: Add entries for Homebrew and RPM packages
 * wireguard: Remove client entry for F-Droid which is not available
 * wireguard: Update windows client link
 == FreedomBox 26.4.2 (2026-03-08) ==
 === Highlights ===
 * apache2: Disable pubtkt authentication module
 === Other Changes ===
 * container: Hold freedombox packages during test setup
 * d/control: Trim deps for nocheck build profile
 * locale: Update translations for Albanian, Chinese (Simplified Han script), Czech, Russian, Turkish
 * Vagrantfile: Enable public network for bridged networking
 == FreedomBox 26.4 (2026-03-02) ==
 === Highlights ===
 * backups: Enable key-based SSH authentication for remote backups
 * oidc: New app to implement OpenID Connect Provider
 * apache: Implement protecting apps using OpenID Connect
 * wireguard: Improve server section user experience flow
 === Other Changes ===
 * *: Remove some absolute file paths in SVGs
 * *: Update URL base from /plinth to /freedombox
 * README/HACKING: Update weblate project path to /freedombox
 * Vagrantfile: Drop unnecessary sudo configuration for actions
 * action_utils: Drop support for link-local IPv6 addresses
 * action_utils: Fix issue with type checking a generator
 * action_utils: Implement utility to change umask temporarily
 * actions, privileged_daemon: Drop some unused global statements
 * apache: Fix diagnosing URLs protected by OpenID Connect
 * apache: Preserve host header when proxying to service
 * backups: Arrange form for adding remote location
 * backups: Avoid some repeated text in form help text
 * backups: Copy SSH client public key to remote
 * backups: Create .ssh folder before creating SSH key
 * backups: Create a better comment in the generated SSH key file
 * backups: Display SSH public key when adding remote
 * backups: Fix issue with Javascript in add remote location form
 * backups: Fix showing proper error for incorrect passphrase
 * backups: Fix type checking errors
 * backups: Generate SSH client key if needed
 * backups: Migrate to SSH key auth when mounting
 * backups: Minor refactoring
 * backups: Show/hide form elements instead of disabling for simplicity
 * backups: Simplify handling of migration to SSH keys
 * backups: Test adding/removing remote location
 * backups: Tweak appearance of add remote location form
 * backups: Use SSH key instead of password
 * backups: Use selected SSH credential for remote
 * backups: tests: Simplify functional test using more classes
 * bin: Add tool to change !FreedomBox password in Django database
 * calibre: Use OpenID Connect instead of pubtkt based SSO
 * cfg: Drop unused actions_dir option
 * cfg: Drop unused config_dir option
 * container: Align terminology in printed banner
 * db: Create a utility to get credentials from dbconfig
 * debian: Ensure that gbp creates a clean tarball prior to build
 * deluge: Use OpenID Connect instead of pubtkt based SSO
 * doc/dev: Set new theme for developer documentation
 * doc/dev: Use OpenID Connect instead of pubtkt based SSO
 * doc/dev: always have an up-to-date copyright year
 * ejabberd: Fix setting up certificates for multiple domains
 * email: Use OpenID Connect instead of pubtkt based SSO
 * featherwiki: Use OpenID Connect instead of pubtkt based SSO
 * gitweb: Fix issue with running post init due to missing method
 * gitweb: Use OpenID Connect instead of pubtkt based SSO
 * js: When page load fails during install, show it to user
 * letsencrypt: When copying certificate reset the umask reliably
 * locale/bg: Fix several translations with HTML links (Bulgarian)
 * locale/de: Fix several translations with HTML links (German)
 * locale: Update translations for Albanian, Catalan, Chinese (Simplified Han script), Czech, French, German, Greek, Italian, Swedish, Tamil, Turkish
 * matrixsynapse: Update apache config to proxy Synapse client API
 * miniflux: Get credentials from dbconfig-common directly
 * miniflux: Revert workaround for a packaging bug with DB connection
 * mumble: murmurd renamed to mumble-server
 * oidc: Style the page for authorizing an OIDC app
 * pyproject: Use new format to specify licenses
 * quassel: Explicitly set permissions on the domain configuration file
 * rssbridge: Use OpenID Connect instead of pubtkt based SSO
 * searx: Use OpenID Connect instead of pubtkt based SSO
 * sharing: Use OpenID Connect instead of pubtkt based SSO
 * sso: Merge into users module, drop pubtkt related code
 * syncthing: Use OpenID Connect instead of pubtkt based SSO
 * syncthing: tests: Fix tests by allowing rapid restarts
 * templates: Allow building pages without navigation bar and footer
 * tests: functional: Fix expecting !FreedomBox to be home page
 * tests: functional: Fix reloading error page during install/uninstall
 * tests: functional: Increase systemd rate limits for starting units
 * tiddlywiki: Use OpenID Connect instead of pubtkt based SSO
 * transmission: Use OpenID Connect instead of pubtkt based SSO
 * ui: Add animation for notification dismissal
 * ui: Dismiss notifications without page reload
 * ui: Refactor notification delete buttons to avoid repeating code
 * web_framework: Allow !FreedomBox apps to override templates
 * web_server: Log requests to WSGI app
 * wireguard: Accept/use netmask with IP address for server connection
 * wireguard: Fix format when showing multiple endpoints of the server
 * wireguard: Fix showing default route setting in server edit form
 * wireguard: Fix split tunneling
 * wireguard: Show status of default route in server information page
 * wireguard: filter .local addresses from showClient view
 * wireguard: show server vpn ip in show client page
 * wordpress: Use OpenID Connect instead of pubtkt based SSO when private
 == FreedomBox 26.3 (2026-02-02) ==
 === Highlights ===
 * ui: Use HTMX to eliminate full page reloads
 * wireguard: Add 'Start Server' button to help with client setup
 === Other Changes ===
 * debian: Follows policy 4.7.3
 * debian: Ignore lintian warning: service file missing Install section
 * debian: Remove default Rules-Requires-Root
 * debian: Remove preinst script
 * debian: Update copyright years
 * docs: Update container script usage
 * lintian: Remove mismatched overrides
 * locale: Update translations for Chinese (Simplified Han script), German, Italian, Turkish
 * Makefile: Fix removing extra license file
 * ui: Add HTMX as a dependency
 * ui: Use HTMX to update notifications on partial page updates
 * wireguard: Remove NM connections when app is uninstalled
 * wireguard: Show next available client IP in Add Client form
 * wireguard: Update functional tests to handle Start Server button
 * wireguard: Show server endpoint on main app page
 == FreedomBox 26.2 (2026-01-20) ==
 * gitweb: Fix deleting last repo disables app
 * locale: Update translations for Estonian, Italian
 * notifications: Close dropdown when clicking outside
 == FreedomBox 26.1 (2026-01-05) ==
 * container: Add aliases for start/stop commands
 * locale: Update translations for Albanian, Bulgarian, Chinese (Simplified Han script), Czech, Estonian, French, German, Italian, Russian, Turkish, Ukrainian
 == FreedomBox 25.17.1 (2025-12-15) ==
 === Highlights ===
 * backups: Set proper permissions for backups-data directory
 * minetest: Rename Minetest to Luanti
 === Other Changes ===
 * locale: Update translations for Albanian, Bulgarian, Czech, Estonian, Hindi, Italian, Russian, Turkish, Ukrainian
 * minetest: Remove legacy code, use new name, conf, etc.
 * transmission: Deal with changes in latest forky package
 * transmission: Remove obsolete apache redirects
 * vagrant: Enable EFI firmware
 == FreedomBox 25.17 (2025-12-08) ==
 === Highlights ===
 * ui: Implement a toggle menu for setting dark mode
 === Other Changes ===
 * homeassistant: Fix spelling in tests
 * locale: Fix python-brace-format error in Estonian
 * locale: Update translations for Catalan, Estonian, French, Russian
 * privileged: Don't log exception that are expected
 * ui: Dark theme color for tags text in an app card
 * ui: Drop colors defined in Bootstrap 5.3
 * ui: Fix dark theme color for disabled form elements
 * ui: Fix dark theme color for form help text
 * ui: Fix dark theme color for select-all button
 * ui: Fix dark theme colors for app enable/disable toggle button
 * ui: Fix dark theme colors for default button style
 * ui: Fix dark theme colors for running status indicator
 * ui: Minor CSS refactor to use variables
 * ui: Use default button style for tag buttons
 * upgrades: Use bootstrap spinner button instead of custom styling
 == FreedomBox 25.16 (2025-11-24) ==
 === Highlights ===
 * dynamicdns: Use only IPv4 for GnuDIP protocol
 * janus: Allow app to be installed from Debian unstable
 * jsxc: Fix missing dependencies
 === Other Changes ===
 * locale: Update translations for Albanian, Chinese (Simplified Han script), Czech, German, Italian, Russian, Turkish, Ukrainian
 * janus: Relax content security policy for the video room
 * janus: Update the video room code from latest upstream
 * jsxc: Update content security policy to prevent style errors
 * middleware: Implement middleware for common headers such as CSP
 * package: Prevent freedombox's deps from removal during app uninstall
 == FreedomBox 25.15 (2025-11-10) ==
 === Highlights ===
 * help: Fix serving images from help pages
 * matrixsynapse: Explain federation and link to testing tool
 === Other Changes ===
 * locale: Update translations for French, German, Italian
 * main: Allow setting development mode from environment
 * matrixsynapse: Clarify how to change domain name in status section
 * matrixsynapse: Explicitly set the trusted key server to matrix.org
 * README: Use the Weblate's language chart widget
 * Run service using systemd even for development
 * ttrss: Remove app not available in Trixie
 * views: Implement an API to retrieve the readiness status in JSON
 == FreedomBox 25.14 (2025-10-27) ==
 * Enable private tmp and join namespaces for the two daemons
--- a/doc/manual/en/Sharing.raw.wiki
+++ b/doc/manual/en/Sharing.raw.wiki
@ -20,15 +20,13 @@ The content can be shared publicly or restricted to the users of listed allowed
 === Setting Up Shares ===
-For the users to access the content through their browser it must exist and have a share. A share is an entry in the Sharing app relating:
+ * In !FreedomBox web interface, enable the Sharing App. Only admins can create, edit or remove shares. They'll find the Sharing app in the Apps section of the !FreedomBox web interface. Many shares can coexist in the same server.
- * the Name (an thereby the URL) with which the users will ask for the content,
+ * Add a new share
- * the Disk Path of the content to be served and
+   * Give it a name (an thereby the URL) with which the users will ask for the content. In the example above it would be called ''content_name''.
- * the sharing mode. On restricted mode, it also has the list of allowed groups.
+   * The Disk Path of the content to be served. This path is relative to ''root'' on your !FreedomBox. For instance ''/var/lib/freedombox/sharing/content_name'' might be a choice.
-Many shares can coexist in the same server.
+   * Sharing mode. On restricted mode, it also has the list of allowed groups. Only groups recognized by !FreedomBox service can be combined in the list of allowed groups. Groups created in the CLI won't be offered by the Sharing app. 
-
+ * Create the directory specified under ''Disk Path'' on your !FreedomBox through ''Cockpit'', ''Nautilus'' or remote login.
-Only admins can create, edit or remove shares. They'll find the Sharing app in the Apps section of !FreedomBox web interface. Sharing app is an easy to use web application with an evident interface.
+ * Make sure the user, who will provide the content, has write access to that directory for instance by making him the owner of that directory. 
 Each share has its own sharing mode (public or restricted) setting. Only groups recognized by !FreedomBox service can be combined in the list of allowed groups. Groups created in the CLI won't be offered by the Sharing app. 
 === Providing/Updating Content ===
--- a/doc/manual/en/TinyTinyRSS.raw.wiki
+++ b/doc/manual/en/TinyTinyRSS.raw.wiki
@ -11,7 +11,7 @@
 == Tiny Tiny RSS (News Feed Reader) ==
 ||<tablestyle="float: right;"> {{attachment:TinyTinyRSS-icon_en_V01.png|Tiny Tiny RSS icon}} ||
-'''Available since''': version 0.9
+'''Available since''': This app is no longer available since Debian Trixie. Please migrate to [[FreedomBox/Manual/Miniflux|Miniflux]] or [[FreedomBox/Manual/Nextcloud|Nextcloud News]].
 Tiny Tiny RSS is a news feed (RSS/Atom) reader and aggregator, designed to allow reading news from any location, while feeling as close to a real desktop application as possible.
--- a/doc/manual/en/Upgrades.raw.wiki
+++ b/doc/manual/en/Upgrades.raw.wiki
@ -89,7 +89,7 @@ Here are some tips before you begin manual update to next stable release:
   * Radicale
 * Some packages may not be available after upgrade to next release. Please migrate to a similar application before or after the upgrade process. For upgrade to Debian 13 "trixie", the following apps are no longer available:
   * Janus. Use audio/video calling over Matrix or XMPP or audio calling over Mumble. This app will likely become available in future again.
-   * TT-RSS. Migrate to Miniflux.
+   * TT-RSS. Migrate to Miniflux or Nextcloud News.
   * Searx.
 To initiate the distribution update process, go to ''Software Update'' in ''System'' section. Then ''Enable auto-update'' and ''Enable auto-update to next stable release'' option. Then click on the ''Distribution Update'' button. Then click the ''Start Distribution Update'' button. The process may take several hours if your OS is on a slow disk such as an SD card. !FreedomBox web UI may not be available during upgrade. Refresh the page if the page errors out. Finally, allow more time for post-upgrade processes and restart the machine.
--- a/doc/manual/en/Users.raw.wiki
+++ b/doc/manual/en/Users.raw.wiki
@ -1,6 +1,11 @@
 #language en
 ##For Translators - to have a constantly up to date translation header in you page, you can just add a line like the following (with the comment's character at the start of the line removed)
 ## <<Include(sudo, ,from="^##TAG:TRANSLATION-HEADER-START",to="^##TAG:TRANSLATION-HEADER-END")>>
 ##TAG:TRANSLATION-HEADER-START
 ~- [[DebianWiki/EditorGuide#translation|Translation(s)]]: English - [[es/FreedomBox/Manual/Users|Español]] -~
 ##TAG:TRANSLATION-HEADER-END
 ----
 <<TableOfContents()>>
@ -8,25 +13,25 @@
 == Users and Groups ==
-You can grant access to your !FreedomBox for other users. Provide the Username with a password and assign a group to it. Currently the groups
+This app can be used to create, edit, and remove user accounts on !FreedomBox. Many apps with web interface in !FreedomBox support single sign-on using OpenID Connect. This means that if you are logged into !FreedomBox web interface, there is no need to login to the app separately. Other apps support using the !FreedomBox user accounts via LDAP. Finally, there are some apps that manage their own user accounts separate from the accounts you have in !FreedomBox.
 Access to an app is allowed if the user accessing the app is part of the app's group. You can grant access to apps in !FreedomBox for specific users by adding them to the following groups:
 * admin
 * bit-torrent
 * calibre
 * ed2k
 * feed-reader
 * freedombox-share
 * freedombox-ssh
 * git-access
- * minidlna
+ * kiwix
- * syncthing
+ * syncthing-access
 * vpn
 * web-search
 * wiki
 are supported. 
-The user will be able to log in to services that support single sign-on through LDAP, if they are in the appropriate group.
+Users in the admin group will be able to log in to all services. They can also log in to the system through SSH and have administrative privileges (sudo). A user's groups can also be changed later.
-Users in the admin group will be able to log in to all services. They can also log in to the system through SSH and have administrative privileges (sudo).
+!FreedomBox supports logging in with passkeys. Passkeys are a secure alternative to passwords and are the recommended way of authenticating to !FreedomBox. Read more in the [[FreedomBox/Guide/Passkeys|FreedomBox's guide to passkeys]].
 A user's groups can also be changed later.
 It is also possible to set an SSH public key which will allow this user to securely log in to the system without using a password. You may enter multiple keys, one on each line. Blank lines and lines starting with # will be ignored.
--- a/doc/manual/en/VirtualBox.raw.wiki
+++ b/doc/manual/en/VirtualBox.raw.wiki
@ -22,12 +22,11 @@ Follow the instructions on the [[FreedomBox/Download|download]] page to download
 1. Decompress the downloaded VDI image (tool for [[http://www.7-zip.org/|Windows]], [[http://unarchiver.c3.cx/unarchiver|Mac]]).
- 1. Create a new VM in the !VirtualBox UI with OS type ''Linux'' and Version ''Debian'' (32/64-bit according to the downloaded image).
+ 1. Create a new VM in the !VirtualBox UI with OS type ''Linux'' and Version ''Debian'' (32/64-bit according to the downloaded image). {{attachment:virtualbox-create-1.png|VirtualBox Name and OS dialog}}
 {{attachment:virtualbox_os_type.png|VirtualBox Name and OS dialog}}
- 1. In the ''Hard disk'' dialog choose ''Use an existing virtual hard disk file'' and select the .vdi file you extracted in step 1.
+ 1. In the ''Hardware'' dialog choose ''Enable EFI (special OSes only)''. You may increase the Base Memory and Processors if desired. {{attachment:virtualbox-create-2.png|VirtualBox Hardware dialog}}
-{{attachment:virtualbox_harddisk_file.png|VirtualBox Hard disk dialog}}
+ 1. In the ''Hard disk'' dialog choose ''Use an existing virtual hard disk file'' and select the .vdi file you extracted in step 1. {{attachment:virtualbox-create-3.png|VirtualBox Hard disk selector}} {{attachment:virtualbox-create-4.png|VirtualBox Hard disk dialog}}
 1. When created, go to the virtual machine's Settings -> [Network] -> [Adapter 1]->[Attached to:] and choose the network type your want the machine to use according to the explanation in Network Configuration below. The recommended type is the ''Bridged adapter'' option, but be aware that this exposes the !FreedomBox's services to your entire local network.
--- a/doc/manual/en/freedombox-manual.raw.wiki
+++ b/doc/manual/en/freedombox-manual.raw.wiki
@ -83,6 +83,7 @@
 <<Include(FreedomBox/Manual/Users,            , from="## BEGIN_INCLUDE", to="## END_INCLUDE")>>
 = Guides =
 <<Include(FreedomBox/Guide/Passkeys,               , from="## BEGIN_INCLUDE", to="## END_INCLUDE")>>
 <<Include(FreedomBox/Guide/ExposeLocalService,     , from="## BEGIN_INCLUDE", to="## END_INCLUDE")>>
 = Hardware =
--- a/doc/manual/en/images/libre-crafts.png
+++ b/doc/manual/en/images/libre-crafts.png
--- a/doc/manual/en/images/virtualbox-create-1.png
+++ b/doc/manual/en/images/virtualbox-create-1.png
--- a/doc/manual/en/images/virtualbox-create-2.png
+++ b/doc/manual/en/images/virtualbox-create-2.png
--- a/doc/manual/en/images/virtualbox-create-3.png
+++ b/doc/manual/en/images/virtualbox-create-3.png
--- a/doc/manual/en/images/virtualbox-create-4.png
+++ b/doc/manual/en/images/virtualbox-create-4.png
--- a/doc/manual/en/images/virtualbox_harddisk_file.png
+++ b/doc/manual/en/images/virtualbox_harddisk_file.png
--- a/doc/manual/en/images/virtualbox_os_type.png
+++ b/doc/manual/en/images/virtualbox_os_type.png
--- a/doc/manual/es/APU.raw.wiki
+++ b/doc/manual/es/APU.raw.wiki
@ -2,7 +2,7 @@
 {{attachment:apu1d.jpg|PC Engines APU 1D|width=632,height=319}}
-[[http://www.pcengines.ch/apu1d.htm|PC Engines APU 1D]] is a single board computer with 3 Gigabit ethernet ports, a powerful AMD APU and Coreboot firmware.  !FreedomBox images built for AMD64 machines are tested to work well for it.
+[[https://www.pcengines.ch/apu.htm|PC Engines APU]] boards are single board computers with 3 Gigabit ethernet ports, a powerful AMD64 APU and Coreboot firmware.  !FreedomBox images built for AMD64 machines are tested to work well for [[http://www.pcengines.ch/apu1d.htm|APU1D]] and [[http://www.pcengines.ch/apu3b2.htm|APU3B ]] models and are expected to work also well on the other, very similar versions.
 '''Important:''' Read [[FreedomBox/Hardware|general advice]] about hardware before building a !FreedomBox with this single board computer.
@ -21,21 +21,26 @@ Although untested, the following similar hardware is also likely to work well wi
  * [[http://www.pcengines.ch/apu2c4.htm|apu2c4]]
  * [[http://www.pcengines.ch/apu3a2.htm|apu3a2]]
  * [[http://www.pcengines.ch/apu3a4.htm|apu3a4]]
  * [[http://www.pcengines.ch/apu3b2.htm|apu3b2]]
  * [[http://www.pcengines.ch/apu3b4.htm|apu3b4]]
-=== Download ===
+=== Installation ===
 !FreedomBox disk [[FreedomBox/Download|images]] for this hardware are available.  Follow the instructions on the [[FreedomBox/Download|download]] page to create a !FreedomBox SD card, USB disk, SSD or hard drive and boot into !FreedomBox.  Pick the image meant for all amd64 machines.
 An alternative to downloading these images is to [[InstallingDebianOn/Alix3d2|install Debian]] on the APU and then [[FreedomBox/Hardware/Debian|install FreedomBox]] on it.
 An [[https://github.com/huubsch/APU-Installation-HomeAssistant-Freedombox|installation manual]] tested on the APU3B is available on GitHub, including flashing with UEFI-BIOS
 === Networking ===
 The first network port, the left most one in the above picture, is configured by !FreedomBox to be an upstream Internet link and the remaining 2 ports are configured for local computers to connect to.
 === Availability ===
 PCEngines announced the [[https://www.pcengines.ch/eol.htm|phase-out]] of these boards in June 2023.
 In 2024 [[https://pcengines.github.io/|Dasharo announced the support of APU-boards]] : coreboot + SeaBIOS and coreboot+UEFI.
 * Price: 110 - 170 USD (depending on the board and supplier)
 * [[http://www.pcengines.ch/order.htm|PC Engines]]
 * [[http://www.pcengines.ch/order.htm|Full list of suppliers]]
@ -43,18 +48,17 @@ The first network port, the left most one in the above picture, is configured by
 === Hardware ===
 * Open Hardware: No
- * CPU: [[http://www.amd.com/en-gb/products/embedded/processors/g-series|AMD G series T40E]]
+ * CPU: [[http://www.amd.com/en-gb/products/embedded/processors/g-series|AMD G series T40E]]; [[https://teklager.se/en/amd-gx-412tc-cpu-specification/|GX-412TC]], 1 GHz quad core (depending on model)
- * RAM: 2 GB DDR3-1066 DRAM
+ * RAM: 2 GB DDR3-1066 DRAM - 4 GB (depending on model)
- * Storage: SD card, External USB
+ * Storage: SD card, External USB, mSATA module
 * Architecture: amd64
 * Ethernet: 3 Gigabit Ethernet ports
- * !WiFi: None, use a [[FreedomBox/Hardware/USBWiFi|USB WiFi device]]
+ * WiFi: wle200nx / wle600vx / wle900vx miniPCI express wireless modules
- * SATA: 1 m-SATA and 1 SATA
+ * SATA: 1 mSATA-module and 1 SATA
 === Non-Free Status ===
 * Non-free blobs required: No
 * !WiFi: Not available
 * Boot firmware: [[http://www.pcengines.ch/apu1d.htm|Coreboot]]
 ## END_INCLUDE
@ -62,4 +66,4 @@ The first network port, the left most one in the above picture, is configured by
 <<Include(FreedomBox/Portal)>>
 ----
-CategoryFreedomBox
+CategoryFreedomBox CategoryFreedomBox
--- a/doc/manual/es/Hardware.raw.wiki
+++ b/doc/manual/es/Hardware.raw.wiki
@ -11,8 +11,19 @@ Además de soportar varios SBC's (single board computers) y otros dispositivos,
 == Hardware Recomendado ==
-El 22 de Abril de 2019, la ''!FreedomBox Foundation'' anunció que los kits ''Pioneer Edition !FreedomBox Home Server'' salían a la [[https://freedomboxfoundation.org/buy/|venta]]. Este es el hardware preinstalado recomendado para todos los usuarios que no quieran construirse su propia (máquina) !FreedomBox eligiendo los componentes adecuados, descargando la imagen y preparando una tarjeta SD con (el software) !FreedomBox.
+=== Libre Crafts FreedomBox ===
 Libre Crafts es una iniviativa de los propios desarrolladores de !FreedomBox para proporcionar una !FreedomBox potente capaz de alojar las necesidades más exigentes de un servidor casero.
 Los propios desarrolladores de !FreedomBox la montan. prueban y entregan. Tu compra ayuda al desarrollo de !FreedomBox.
 Esta máquina lleva un procesador potente, mucha memoria,  CPU, un disco de sitema operativo rápido, posibilidad de añador discos duros de alta capacidad, puertos Ethernet multi-gigabit duales, todo ello con bajo consumo.
 Úsalo para alojar todas tus fotos, las copias de respaldo de tus otros dispositivos, como NAS, como centro de control de domótica, como ordenador de sobremesa, y más, todo a la vez. 
 ||<style="text-align: center;"> [[FreedomBox/Hardware/LibreCrafts|{{attachment:FreedomBox/libre-crafts.png|FreedomBox de Libre Crafts|height=300}}]]<<BR>> [[FreedomBox/Hardware/LibreCrafts|FreedomBox de Libre Crafts]] ||
 === Olimex's FreedomBox Pioneer Edition ===
 On April 22nd, 2019, the !FreedomBox Foundation announced the [[https://freedomboxfoundation.org/buy/|sales]] of the Pioneer Edition !FreedomBox Home Server Kits. This pre-installed hardware is for all users who don't wish to build their own !FreedomBox by choosing the right components, downloading the image and preparing an SD card with !FreedomBox.
 El kit incluye todo el hardware necesario para arrancar un servidor casero !FreedomBox sobre una placa ''Olimex A20-OLinuXino-LIME2''. Este producto proporciona la combinación perfecta de hardware de fuentes abiertas y software libre. Al comprar este producto, soportas también los esfuerzos de la ''!FreedomBox Foundation'' para crear y promover su software de servidor libre.
 ||<style="text-align: center;"> [[es/FreedomBox/Hardware/PioneerEdition|{{attachment:FreedomBox/Hardware/pioneer-edition_thumb.jpg|Kits de servidor doméstico FreedomBox edición Pioneer|width=320,height=257}}]]<<BR>> [[es/FreedomBox/Hardware/PioneerEdition|Kits de servidor doméstico FreedomBox edición Pioneer]] ||
--- a/doc/manual/es/HomeAssistant.raw.wiki
+++ b/doc/manual/es/HomeAssistant.raw.wiki
@ -20,7 +20,7 @@ La app Home Assistant se considera experimental en !FreedomBox, ya que es nueva
 === Hardware ===
-Home Assistant puede detectar, configurar, y usar varios dispositivos de la red local. Por ejemplo, si un dispositivo se conecta mediante Wi-Fi o LAN a la misma red que !FreedomBox, Home Assistant puede detectarlo, configurarlo, y usarlo. También se soportan otros protocolos de automatización como Thread, !ZigBee, y Z-Wave, pero requieren hardware adicional para conectarlos a tu !FreedomBox. Por ejemplo, si tienes un sensor de puerta que habla !ZigBee, necesitas conectar un adaptador !ZigBee USB a tu !FreedomBox. Home Assistant podrá entonces detectar y usar el  sensor de puerta en la red de !ZigBee.
+Home Assistant puede detectar, configurar, y usar varios dispositivos de la red local. Por ejemplo, si un dispositivo se conecta mediante Wi-Fi o LAN a la misma red que !FreedomBox, Home Assistant puede detectarlo, configurarlo, y usarlo. También se soportan otros protocolos de automatización como Thread, !ZigBee, y Z-Wave, pero requieren hardware adicional para conectarlos a tu !FreedomBox. Por ejemplo, si tienes un sensor de puerta que habla !ZigBee, necesitas conectar un adaptador !ZigBee USB a tu !FreedomBox. Home Assistant podrá entonces detectar y usar el  sensor de puerta en la red de !ZigBee.  '''Nota:''' Si conectas hardware como este a tu FreedomBox después de instalar la aplicación Home Assistant tendrás que deshabilitarla y volverla a habilitar para que lo detecte y lo use.
 Home Assistant es una solución completa si tu automatización del hogar necesita soportar miles de dispositivos. Puedes consultar si Home Assistant soporta un dispositivo visitando su página de [[https://www.home-assistant.io/integrations/|integraciones]]. Otros dispositivos similares a los soportados podrían estarlo aunque no figuren en la lista. Se recomienda comprar hardware etiquetado como compatible con Home Assistant.
--- a/doc/manual/es/Manual.raw.wiki
+++ b/doc/manual/es/Manual.raw.wiki
@ -83,6 +83,7 @@
 <<Include(FreedomBox/Manual/Users,            , from="## BEGIN_INCLUDE", to="## END_INCLUDE")>>
 = Guides =
 <<Include(FreedomBox/Guide/Passkeys,               , from="## BEGIN_INCLUDE", to="## END_INCLUDE")>>
 <<Include(FreedomBox/Guide/ExposeLocalService,     , from="## BEGIN_INCLUDE", to="## END_INCLUDE")>>
 = Hardware =
--- a/doc/manual/es/Passkeys.raw.wiki
+++ b/doc/manual/es/Passkeys.raw.wiki
@ -0,0 +1,174 @@
 #language es
 <<Include(FreedomBox/Guide/Passkeys, ,from="^##TAG:TRANSLATION-HEADER-START",to="^##TAG:TRANSLATION-HEADER-END")>>
 <<TableOfContents>>
 ## BEGIN_INCLUDE
 == Usa claves de acceso (passkeys) para mejorar la seguridad de inicio de sesión ==
 {{{#!wiki tip
 Se recomiendan encarecidamente las claves de acceso frente a las contraseñas.
 }}}
 '''Disponible desde''': !FreedomBox 26.6
 !FreedomBox permite a los usuarios iniciar sesión en su cuenta con claves de acceso.
 Las claves de acceso son una forma de verificar la identidad del usuario usando firmas digitales. Son una alternativa más segura que las contraseñas.
 La información secreta se conserva con el usuario en su teléfono, portátil o en un token hardware y se desbloquea mediante un PIN, huella dactilar o reconocimiento facial.
 No se almacenan secretos en el servidor. El servidor solo conoce la información pública que puede usarse para verificar las firmas del usuario.
 === ¿Cómo funcionan las claves de acceso? ===
 Después de que el usuario inicie sesión en su cuenta, se puede añadir una o más claves de acceso a la cuenta desde la página "Administrar claves de acceso".
 Al añadir una clave de acceso, el hardware de la clave de acceso (o autenticador) generará un par de claves pública/privada vinculado al dominio y a la cuenta de usuario.
 La clave privada se mantiene en el hardware y la clave pública se proporciona al servidor. El servidor almacena la clave pública junto con la cuenta de usuario.
 Más tarde, cuando un usuario intenta iniciar sesión en su cuenta, el servidor envía una larga cadena aleatoria al autenticador llamada santo (santo y seña).
 El hardware firma digitalmente el santo con la clave privada y la envía (la seña) al servidor.
 El servidor puede verificar que la firma la ha hecho el poseedor de la clave privada usando solo la clave pública que tiene (esto es una propiedad de los pares de claves pública/privada).
 Una vez verificada, el servidor inicia sesión en la cuenta de usuario asociada a esa clave pública.
 Durante este proceso, el navegador actúa como intermediario de confianza entre el hardware de la clave de acceso y el servidor.
 Garantiza que el usuario se verifique proporcionando PIN, huella, reconocimiento facial, etc.
 También garantiza que una clave de acceso solo se use con el dominio para el que está destinada.
 === Mejor seguridad ===
 Las claves de acceso ofrecen mayor seguridad que las contraseñas:
 * '''Autenticación multifactor''': Durante el registro de una clave de acceso y durante el inicio de sesión,
   !FreedomBox solicita que el navegador verifique al usuario.
   Esto significa que el usuario necesitará desbloquear el dispositivo autenticador proporcionando un PIN, huella o reconocimiento facial.
   Esto actúa como uno de los factores de autenticación: "algo que sabes" o "algo que eres".
   Otro factor de autenticación es "algo que tienes": el hardware que almacena tu clave de acceso (como Solokey, Nitrokey o Yubikey) o un teléfono.
   Juntos, esto es similar a usar una contraseña con un segundo factor de autenticación.
   Por tanto, las claves de acceso pueden reemplazar la autenticación en dos pasos siendo mucho más cómodas y fáciles de usar.
 * '''Sin reutilización''': Las claves de acceso nunca se reutilizan. Para cada dominio se genera y usa una clave de acceso separada.
   Los navegadores aseguran que la clave de acceso de un dominio nunca se use con otro dominio.
   A diferencia de las contraseñas reutilizadas, cuando un sitio web o servicio se ve comprometido, los maleantes no pueden usar eso para acceder a tu cuenta en otro sitio o servicio.
   Esto también previene ataques de phishing donde sitios impotores se hacen pasar por sitios legítimos.
 * '''No hay secretos en el servidor''': El sitio que permite el uso de claves de acceso para el inicio de sesión no almacena información secreta.
   Solo guarda la parte pública de la clave de acceso. Si esta información es obtenida por un adversario, no podrá iniciar sesión en el sitio.
   Solo la clave privada almacenada en el dispositivo autenticador puede usarse para iniciar sesión
   (ya que solo una clave privada puede crear las firmas necesarias para el proceso de inicio de sesión).
 * '''No adivinación''': La parte secreta de una clave de acceso es mucho más dificil de adivinar que una contraseña.
   No existe el riesgo de que alguien adivine tu contraseña y acceda a tu cuenta.
   No existe el riesgo de que configures accidentalmente una contraseña predecible.
 * '''Comodidad''': Los usuarios no necesitan recordar nombre de usuario, correo electrónico o un secreto para iniciar sesión en un sitio.
   No necesitan recibir OTP por SMS o correo, usar una app TOTP ni confirmar el inicio desde una app móvil.
   Tras hacer clic en el botón "Login mediante clave de acceso", desbloquean su autenticador con un PIN, huella o reconocimiento facial.
   Luego tocan físicamente el autenticador (si es necesario). El usuario queda entonces autenticado. Hay menos cosas que recordar.
   Incluso el PIN de un autenticador hardware suele ser más fácil de recordar que una contraseña.
   Esta comodidad anima a los usuarios a usar este mecanismo, lo que a la larga mejora la seguridad.
 === Hardware necesario para claves de acceso  ===
 {{{#!wiki tip
 '''El proyecto !FreedomBox recomienda [[https://solokeys.com/|Solokeys]]''' para el almacenamiento de claves de acceso:
 * El [[https://github.com/solokeys/solo2|firmware]] (el sistema operativo del hardware) es software libre.
 * Los [[https://github.com/solokeys/solo2-hw|diseños del hardware]] también son libres.
 * El equipo de Solokeys y el equipo de !FreedomBox colaboran entre sí.
 }}}
 Hay varias formas de empezar con claves de acceso:
 * '''Hardware de claves de acceso separado''': La forma recomendada de almacenar claves de acceso es en una llave hardware específica.
   En esta configuración, la clave privada de la clave de acceso nunca abandona el dispositivo hardware.
   Además, suelen estar diseñadas para que sea difícil para un atacante con acceso físico extraer la clave de acceso.
   Otra ventaja de estos dispositivos es que pueden utilizarse con todos tus dispositivos existentes, como teléfonos, portátiles y escritorios.
   Estos dispositivos interactúan con teléfonos y equipos mediante USB, Bluetooth o NFC.
   En caso de NFC, el dispositivo funciona por proximidad con el teléfono sin energía adicional.
   Al usar un hardware separado, sin embargo, debes tener un método de respaldo para iniciar sesión si pierdes el dispositivo hardware.
   Esto puede ser otra clave de acceso en otro hardware o una contraseña. Ver la sección de copia de seguridad más abajo.
 * '''Hardware empotrado para claves de acceso''': Cuando no hay un dispositivo hardware separado, es preferible el hardware especializado, como un TPM, integrado en el equipo.
   Esta configuración seguirá asegurando que las claves de acceso no abandonen el hardware.
   Una desventaja es que la clave de acceso solo funciona con ese equipo y tendrás que registrar cada dispositivo que uses por separado.
 * '''Administradores de contraseñas''': Como último recurso, se pueden usar gestores de contraseñas que soporten claves de acceso y funcionen con tu navegador o sistema operativo.
   Android, iOS y Windows ofrecen administradores así.
   Las claves de acceso guardadas en administradores suelen sincronizarse con la nube y una brecha en ese servicio/cuenta podría comprometer todas tus cuentas.
   Sin embargo, funcionan en múltiples dispositivos y normalmente no tienes que preocuparte por perder un solo dispositivo hardware.
 === Nombrar tu clave de acceso ===
 En !FreedomBox, cuando se añade una clave de acceso a tu cuenta, por defecto se nombra 'Key 1'. La siguiente se llamará 'Key 2' y así sucesivamente.
 Sin embargo, es buena práctica nombrarlas para saber en qué dispositivo están almacenadas. Por ejemplo, puedes llamarlas 'Clave del Solokey primario', 'Clave del tfn Android', etc.
 Si se pierde un dispositivo, puedes iniciar sesión y eliminar esa clave de la lista de claves de acceso asociadas a tu cuenta.
 === Múltiples dominios ===
 Cada clave de acceso está estrictamente ligada a un dominio y nunca se usa para otro dominio. Esto es necesario para evitar que un dominio impostor pueda suplantar a uno legítimo.
 Por tanto, si tu !FreedomBox está configurada con múltiples dominios, el navegador y el dispositivo autenticador tratarán cada dominio como cuentas separadas a efectos de autenticación con claves de acceso.
 Esto significa que debes registrar claves de acceso separadas para cada uno de tus dominios.
 Por ejemplo, supón que tu !FreedomBox tiene configurados los dominios midominio1.fbx.one y midominio2.ejemplo.
 Visita midominio1.fbx.one, inicia sesión en tu cuenta y añade una clave de acceso. Esta clave de acceso quedará ligada a ese dominio.
 Cuando intentes iniciar sesión, la clave de acceso funcionará si accedes a midominio1.fbx.one pero no funcionará al acceder a midominio2.ejemplo.
 Para hacer que el segundo dominio funcione, necesitas añadir una segunda clave de acceso mientras accedes a tu !FreedomBox con el nombre de dominio midominio2.ejemplo.
 Entonces se almacenarán dos claves de acceso en tu token hardware. La primera estará ligada a midominio1.fbx.one y solo se usará cuando accedas a ese dominio.
 La segunda estará ligada a midominio2.ejemplo y solo se usará cuando accedas a ese dominio.
 === Múltiples cuentas de usuario ===
 Cuando usas un hardware de claves de acceso para varias cuentas de usuario en el mismo !FreedomBox, se crearán claves de acceso separadas para cada cuenta.
 A cada clave de acceso se le asignará el nombre de usuario de la cuenta a la que esté ligada. Esta información se almacena en la clave de acceso así como en el servidor.
 Durante el inicio de sesión, el navegador te pedirá que selecciones la cuenta de usuario a la que quieres acceder.
 Si solo existe una clave de acceso para un dominio dado, no se mostrará el diálogo de selección y el usuario iniciará sesión en la cuenta correspondiente a esa clave de acceso.
 === Copia de seguridad de la clave de acceso ===
 En caso de pérdida del dispositivo que almacena tu clave de acceso, necesitas métodos alternativos para iniciar sesión en tu cuenta:
 1. Puedes registrar y mantener dos claves de acceso en dos dispositivos separados. Por ejemplo, tu clave de acceso primaria podría estar en un token Solokey y
    la segunda en un teléfono Android o en otro token Solokey. Si uno se pierde, puedes iniciar sesión con el otro. Este es el método recomendado.
 1. !FreedomBox sigue soportando contraseñas incluso después de registrar claves de acceso.
    Así que, si se pierde un dispositivo con clave de acceso, puedes iniciar sesión con una contraseña.
 1. Si olvidas tu contraseña y tu cuenta no es la única cuenta administradora en el !FreedomBox, puedes pedir a un administrador que restablezca tu contraseña.
    Después de eso podrás registrar una nueva clave de acceso almacenada en un nuevo dispositivo.
 === Plataformas compatibles ===
 Las passkeys se basan en WebAuthn, un estándar publicado por el World Wide Web Consortium.
 Por tanto, la implementación de !FreedomBox debería funcionar allí donde funcionen las clave de acceso. Se ha probado de la siguiente manera:
 || '''SO/Dispositivo''' || '''Navegador''' || '''Autenticador''' || '''Resultado''' ||
 || GNU/Linux || Firefox || Solokeys || Ok ||
 || GNU/Linux || Firefox || Yubikey || Ok ||
 || GNU/Linux || Chromium || Solokeys || Ok ||
 || GNU/Linux || GNOME Web || - || KO (El navegador no soporta WebAuthn) ||
 || Windows || Firefox || Windows Hello || Ok ||
 || Windows || Firefox || Solokeys || Ok ||
 || Windows || Firefox || Android Phone || Ok ||
 || Windows || Chrome || Windows Hello || Ok ||
 || Windows || Chrome || Solokeys || Ok ||
 || Windows || Chrome || Android Phone || Ok ||
 || Windows || Edge || Windows Hello || Ok ||
 || Windows || Edge || Solokeys || Ok ||
 || Windows || Edge || Android Phone || Ok ||
 || Android || Firefox || Google Password Manager || Ok ||
 || Android || Firefox || Solokeys USB || KO (No se detecta el toque tras introducir el PIN) ||
 || Android || Firefox || Solokeys NFC || KO (Es necesario entender la configuración NFC) ||
 || Android || Firefox || Otro dispositivo || Sin probar ||
 || Android || Chrome || Google Password Manager || Ok ||
 || Android || Chrome || Solokeys USB || KO (No se detecta el toque tras introducir el PIN) ||
 || Android || Chrome || Solokeys NFC || KO (Es necesario entender la configuración NFC) ||
 || Android || Chrome || Otro dispositivo || Sin probar ||
 ## END_INCLUDE
 Volver a la [[es/FreedomBox/Features|descripción de Funcionalidades]] o a las páginas del [[es/FreedomBox/Manual|manual]].
 <<Include(es/FreedomBox/Portal)>>
 ----
 CategoryFreedomBox
--- a/doc/manual/es/PioneerEdition.raw.wiki
+++ b/doc/manual/es/PioneerEdition.raw.wiki
@ -16,7 +16,7 @@ Los servidores caseros !FreedomBox Pioneer Edition los fabrica y vende Olimex, u
 == Características del Producto ==
 === HW Recomendado ===
-Éste es el hardware recomendado para los usuarios que quieran simplemente una !FreedomBox llave en mano, y '''no''' quieran '''construirse''' una.
+Éste es un hardware recomendado para los usuarios que quieran simplemente una !FreedomBox llave en mano, y '''no''' quieran '''construirse''' una.
 (Construir tu propia !FreedomBox implica algunos tecnicismos como elegir y comprar los componentes adecuados, descargar la imágen y preparar una tarjeta SD).
--- a/doc/manual/es/QuickStart.raw.wiki
+++ b/doc/manual/es/QuickStart.raw.wiki
@ -22,8 +22,25 @@ Alternativamente podrías optar por montarlo tu mismo reuniendo todas las piezas
     * '''Nota:''' En la mayoría de computadoras monoplaca no esperes un efecto de salida en un monitor si lo conectas por HDMI porque el núcleo (kernel) del sistema podría no reconocerlo. Mira más abajo para aprender cómo acceder y controlar tu !FreedomBox desde la red.
  1. En el primer arranque !FreedomBox ejecutará su configuración inicial (las versiones más antiguas de !FreedomBox se reinician tras este paso). Este proceso podría llevar varios minutos en algunas máquinas. Después de darle unos 10 minutos aproximadamente, sigue con el siguiente paso.
  1. Después de que tu !FreedomBox haya finalizado su configuración inicial puedes acceder a su interfaz web mediante tu navegador web.
     * Si tu ordenador está conectado directamente a tu !FreedomBox a través de un segundo puerto ''Ethernet'' de la red local, puedes navegar a http://freedombox/ o a http://10.42.0.1/.
     * Si tu ordenador soporta mDNS (GNU/Linux, Mac OSX o Windows con software mDNS instalado), puedes navegar a: http://freedombox.local/ (o a http://<el-hostname-que-estableciste-durante-la-instalación>.local/)
     * Si tu ordenador está conectado a un monitor y !FreedomBox puede escribir en él, la petición de credenciales muestra la dirección de la web:
     {{{
     Debian GNU/Linux 13 freedombox tty1
     FreedomBox
     To start using FreedomBox and to create an account, access using a web browser
     one of the following URLs.
     http://freedombox.local/
     http://192.168.0.2/
     http://[fe80::7207:12ff:fe34:5678]/
     ...
     freedombox login:
     }}}
     * Si tu ordenador está conectado directamente a tu !FreedomBox a través de un segundo puerto ''Ethernet'' de la red local, puedes navegar a http://freedombox/ o a http://10.42.0.1/.
     * Si te manejas con el interfaz web de tu router, puedes buscar allí la dirección IP de tu !FreedomBox y navegar a ella.
     * Si no están disponibles ninguno de estos métodos necesitarás averiguar la dirección IP de tu !FreedomBox. Puedes usar el programa "nmap" de tu ordenador para encontrar su dirección IP:
     {{{
--- a/doc/manual/es/ReleaseNotes.raw.wiki
+++ b/doc/manual/es/ReleaseNotes.raw.wiki
@ -8,6 +8,301 @@ For more technical details, see the [[https://salsa.debian.org/freedombox-team/f
 The following are the release notes for each !FreedomBox version.
 == FreedomBox 26.8 (2026-05-11) ==
 * locale: Update translations for German, Italian
 * api: Drop access-info API
 == FreedomBox 26.7.1 (2026-04-28) ==
 * radicale, bepasty: Fix issue with failed diagnostic test
 * radicale: Enable lc_username for case-insensitive auth
 * radicale: Fix issue with parsing new configuration file
 * radicale: tests: functional: Better checking for well-known URLs
 == FreedomBox 26.7 (2026-04-20) ==
 * debian: tests: Add test to access interface status
 * locale: Update translations for Albanian, Chinese (Simplified Han script), Czech, French, German, Italian, Swedish, Turkish
 == FreedomBox 26.6 (2026-04-06) ==
 === Highlights ===
 * users: Add support for logging in with passkeys
 === Other Changes ===
 * d/control: Add fido2 library as dependency
 * locale: Update translations for French, German, Hindi, Italian
 * service: Capture stdout/stderr when running as systemd unit
 * users: Add link to guide on passkeys
 * users: Add support for registering, editing, and deleting passkeys
 * views: Add a decorator to handle exceptions in JSON views
 == FreedomBox 26.5.1 (2026-03-26) ==
 * debian/control: Fix building with nocheck profile
 * debian/copyright: Drop a removed file, correct path for another
 * locale: Update translations for Albanian, Turkish
 * web_server: Fix locating SVG icons on production setup
 == FreedomBox 26.5 (2026-03-23) ==
 === Highlights ===
 * action_utils: Don't restart web interface when installing an app
 * apache: Use a Uwsgi native socket systemd unit for each app
 * ui: Use inline SVG icons for all apps
 * wireguard: Fix freedombox VPN IP for services
 === Other Changes ===
 * action_utils: Stop associated service when stopping a socket unit
 * apache: Increase OpenID Connect RP session timeout activity
 * apache: Minor improvement to getting the request host
 * app: Fix build issue with Django 5.x
 * clients: Fix formatting of package row in table
 * clients: Fix show empty clients in Desktop section
 * clients: Use SVG icons when showing external links
 * container: Add option to skip install
 * container: Fix image extension to .raw for systemd v260
 * doc: Reduce verbosity when building documentation
 * html: Drop trailing slash from void elements
 * html: Drop type attribute value of text/javascript
 * janus: Drop unused reference to font-awesome
 * letsencrypt: Don't perform operations on apps that are not installed
 * locale: Update translations for German, Russian, Swedish
 * pagekite: Fix issue with adding custom services
 * tests: functional: Drop undefined 'sso' pytest mark
 * ui: Add rest of the icons used from fork-awesome set
 * ui: Better placement for dropdown indicator in dropdown button
 * ui: Drop fonts-fork-awesome as dependency
 * ui: Rename 'plinth_extras' template tags module to 'extras'
 * ui: Simplify SVG app icons for using them inline in HTML
 * ui: Use inline SVG icons for buttons, messages, spinners, etc.
 * wireguard: Add button for direct APK download
 * wireguard: Add entries for Homebrew and RPM packages
 * wireguard: Remove client entry for F-Droid which is not available
 * wireguard: Update windows client link
 == FreedomBox 26.4.2 (2026-03-08) ==
 === Highlights ===
 * apache2: Disable pubtkt authentication module
 === Other Changes ===
 * container: Hold freedombox packages during test setup
 * d/control: Trim deps for nocheck build profile
 * locale: Update translations for Albanian, Chinese (Simplified Han script), Czech, Russian, Turkish
 * Vagrantfile: Enable public network for bridged networking
 == FreedomBox 26.4 (2026-03-02) ==
 === Highlights ===
 * backups: Enable key-based SSH authentication for remote backups
 * oidc: New app to implement OpenID Connect Provider
 * apache: Implement protecting apps using OpenID Connect
 * wireguard: Improve server section user experience flow
 === Other Changes ===
 * *: Remove some absolute file paths in SVGs
 * *: Update URL base from /plinth to /freedombox
 * README/HACKING: Update weblate project path to /freedombox
 * Vagrantfile: Drop unnecessary sudo configuration for actions
 * action_utils: Drop support for link-local IPv6 addresses
 * action_utils: Fix issue with type checking a generator
 * action_utils: Implement utility to change umask temporarily
 * actions, privileged_daemon: Drop some unused global statements
 * apache: Fix diagnosing URLs protected by OpenID Connect
 * apache: Preserve host header when proxying to service
 * backups: Arrange form for adding remote location
 * backups: Avoid some repeated text in form help text
 * backups: Copy SSH client public key to remote
 * backups: Create .ssh folder before creating SSH key
 * backups: Create a better comment in the generated SSH key file
 * backups: Display SSH public key when adding remote
 * backups: Fix issue with Javascript in add remote location form
 * backups: Fix showing proper error for incorrect passphrase
 * backups: Fix type checking errors
 * backups: Generate SSH client key if needed
 * backups: Migrate to SSH key auth when mounting
 * backups: Minor refactoring
 * backups: Show/hide form elements instead of disabling for simplicity
 * backups: Simplify handling of migration to SSH keys
 * backups: Test adding/removing remote location
 * backups: Tweak appearance of add remote location form
 * backups: Use SSH key instead of password
 * backups: Use selected SSH credential for remote
 * backups: tests: Simplify functional test using more classes
 * bin: Add tool to change !FreedomBox password in Django database
 * calibre: Use OpenID Connect instead of pubtkt based SSO
 * cfg: Drop unused actions_dir option
 * cfg: Drop unused config_dir option
 * container: Align terminology in printed banner
 * db: Create a utility to get credentials from dbconfig
 * debian: Ensure that gbp creates a clean tarball prior to build
 * deluge: Use OpenID Connect instead of pubtkt based SSO
 * doc/dev: Set new theme for developer documentation
 * doc/dev: Use OpenID Connect instead of pubtkt based SSO
 * doc/dev: always have an up-to-date copyright year
 * ejabberd: Fix setting up certificates for multiple domains
 * email: Use OpenID Connect instead of pubtkt based SSO
 * featherwiki: Use OpenID Connect instead of pubtkt based SSO
 * gitweb: Fix issue with running post init due to missing method
 * gitweb: Use OpenID Connect instead of pubtkt based SSO
 * js: When page load fails during install, show it to user
 * letsencrypt: When copying certificate reset the umask reliably
 * locale/bg: Fix several translations with HTML links (Bulgarian)
 * locale/de: Fix several translations with HTML links (German)
 * locale: Update translations for Albanian, Catalan, Chinese (Simplified Han script), Czech, French, German, Greek, Italian, Swedish, Tamil, Turkish
 * matrixsynapse: Update apache config to proxy Synapse client API
 * miniflux: Get credentials from dbconfig-common directly
 * miniflux: Revert workaround for a packaging bug with DB connection
 * mumble: murmurd renamed to mumble-server
 * oidc: Style the page for authorizing an OIDC app
 * pyproject: Use new format to specify licenses
 * quassel: Explicitly set permissions on the domain configuration file
 * rssbridge: Use OpenID Connect instead of pubtkt based SSO
 * searx: Use OpenID Connect instead of pubtkt based SSO
 * sharing: Use OpenID Connect instead of pubtkt based SSO
 * sso: Merge into users module, drop pubtkt related code
 * syncthing: Use OpenID Connect instead of pubtkt based SSO
 * syncthing: tests: Fix tests by allowing rapid restarts
 * templates: Allow building pages without navigation bar and footer
 * tests: functional: Fix expecting !FreedomBox to be home page
 * tests: functional: Fix reloading error page during install/uninstall
 * tests: functional: Increase systemd rate limits for starting units
 * tiddlywiki: Use OpenID Connect instead of pubtkt based SSO
 * transmission: Use OpenID Connect instead of pubtkt based SSO
 * ui: Add animation for notification dismissal
 * ui: Dismiss notifications without page reload
 * ui: Refactor notification delete buttons to avoid repeating code
 * web_framework: Allow !FreedomBox apps to override templates
 * web_server: Log requests to WSGI app
 * wireguard: Accept/use netmask with IP address for server connection
 * wireguard: Fix format when showing multiple endpoints of the server
 * wireguard: Fix showing default route setting in server edit form
 * wireguard: Fix split tunneling
 * wireguard: Show status of default route in server information page
 * wireguard: filter .local addresses from showClient view
 * wireguard: show server vpn ip in show client page
 * wordpress: Use OpenID Connect instead of pubtkt based SSO when private
 == FreedomBox 26.3 (2026-02-02) ==
 === Highlights ===
 * ui: Use HTMX to eliminate full page reloads
 * wireguard: Add 'Start Server' button to help with client setup
 === Other Changes ===
 * debian: Follows policy 4.7.3
 * debian: Ignore lintian warning: service file missing Install section
 * debian: Remove default Rules-Requires-Root
 * debian: Remove preinst script
 * debian: Update copyright years
 * docs: Update container script usage
 * lintian: Remove mismatched overrides
 * locale: Update translations for Chinese (Simplified Han script), German, Italian, Turkish
 * Makefile: Fix removing extra license file
 * ui: Add HTMX as a dependency
 * ui: Use HTMX to update notifications on partial page updates
 * wireguard: Remove NM connections when app is uninstalled
 * wireguard: Show next available client IP in Add Client form
 * wireguard: Update functional tests to handle Start Server button
 * wireguard: Show server endpoint on main app page
 == FreedomBox 26.2 (2026-01-20) ==
 * gitweb: Fix deleting last repo disables app
 * locale: Update translations for Estonian, Italian
 * notifications: Close dropdown when clicking outside
 == FreedomBox 26.1 (2026-01-05) ==
 * container: Add aliases for start/stop commands
 * locale: Update translations for Albanian, Bulgarian, Chinese (Simplified Han script), Czech, Estonian, French, German, Italian, Russian, Turkish, Ukrainian
 == FreedomBox 25.17.1 (2025-12-15) ==
 === Highlights ===
 * backups: Set proper permissions for backups-data directory
 * minetest: Rename Minetest to Luanti
 === Other Changes ===
 * locale: Update translations for Albanian, Bulgarian, Czech, Estonian, Hindi, Italian, Russian, Turkish, Ukrainian
 * minetest: Remove legacy code, use new name, conf, etc.
 * transmission: Deal with changes in latest forky package
 * transmission: Remove obsolete apache redirects
 * vagrant: Enable EFI firmware
 == FreedomBox 25.17 (2025-12-08) ==
 === Highlights ===
 * ui: Implement a toggle menu for setting dark mode
 === Other Changes ===
 * homeassistant: Fix spelling in tests
 * locale: Fix python-brace-format error in Estonian
 * locale: Update translations for Catalan, Estonian, French, Russian
 * privileged: Don't log exception that are expected
 * ui: Dark theme color for tags text in an app card
 * ui: Drop colors defined in Bootstrap 5.3
 * ui: Fix dark theme color for disabled form elements
 * ui: Fix dark theme color for form help text
 * ui: Fix dark theme color for select-all button
 * ui: Fix dark theme colors for app enable/disable toggle button
 * ui: Fix dark theme colors for default button style
 * ui: Fix dark theme colors for running status indicator
 * ui: Minor CSS refactor to use variables
 * ui: Use default button style for tag buttons
 * upgrades: Use bootstrap spinner button instead of custom styling
 == FreedomBox 25.16 (2025-11-24) ==
 === Highlights ===
 * dynamicdns: Use only IPv4 for GnuDIP protocol
 * janus: Allow app to be installed from Debian unstable
 * jsxc: Fix missing dependencies
 === Other Changes ===
 * locale: Update translations for Albanian, Chinese (Simplified Han script), Czech, German, Italian, Russian, Turkish, Ukrainian
 * janus: Relax content security policy for the video room
 * janus: Update the video room code from latest upstream
 * jsxc: Update content security policy to prevent style errors
 * middleware: Implement middleware for common headers such as CSP
 * package: Prevent freedombox's deps from removal during app uninstall
 == FreedomBox 25.15 (2025-11-10) ==
 === Highlights ===
 * help: Fix serving images from help pages
 * matrixsynapse: Explain federation and link to testing tool
 === Other Changes ===
 * locale: Update translations for French, German, Italian
 * main: Allow setting development mode from environment
 * matrixsynapse: Clarify how to change domain name in status section
 * matrixsynapse: Explicitly set the trusted key server to matrix.org
 * README: Use the Weblate's language chart widget
 * Run service using systemd even for development
 * ttrss: Remove app not available in Trixie
 * views: Implement an API to retrieve the readiness status in JSON
 == FreedomBox 25.14 (2025-10-27) ==
 * Enable private tmp and join namespaces for the two daemons
--- a/doc/manual/es/Sharing.raw.wiki
+++ b/doc/manual/es/Sharing.raw.wiki
@ -19,15 +19,15 @@ El contenido se puede compartir públicamente o restringido a usuarios de una li
 === Editando comparticiones ===
-Para que los usuarios accedan al contenido mediante su navegador debe existir y tener una compartición. Una compartición es una entrada en la aplicación Sharing que relaciona:
+Cada compartición tiene su propio ajuste de modo de compartición (pública o restringida). Sólo los grupos que reconoce el servicio !FreedomBox se pueden combinar en la lista de grupos autorizados. La aplicación ''Sharing'' no ofrecerá los grupos creados en el interfaz de línea de órdenes. 
 * El Nombre (y por tanto la URL) que usarán los usuarios para solicitar el contenido,
 * el Ruta de acceso al contenido a servir y
 * el modo de compartición. Si es restringido, también contendrá la lista de grupos autorizados.
 En el mismo servidor pueden coexistir múltiples comparticiones.
-Sólo los administradores pueden crear, editar o eliminar comparticiones. Encontrarán la aplicación ''Sharing'' en la sección Aplicacions del interfaz web de !FreedomBox. La aplicación ''Sharing'' es una aplicación web fácil de usar y con un interfaz evidente.
+ * In el interfaz web de !FreedomBox, habilita la App ''Sharing''. Sólo los administradores pueden crear, editar o eliminar comparticiones. Encontrarán la aplicación ''Sharing'' en la sección Aplicaciones del interfaz web de !FreedomBox. En el mismo servidor pueden coexistir múltiples comparticiones.
-
+ * Añadir una nueva compartición:
-Cada compartición tiene su priopio ajuste de modo de compartición (pública o restrigida). Sólo los grupos que reconoce el servicio !FreedomBox se pueden combinar en la lista de grupos autorizados. La aplicación ''Sharing'' no ofrecerá los grupos creados en el interfaz de línea de órdenes. 
+   * Dale un nombre (y por tanto la URL) que usarán los usuarios para solicitar el contenido, En el ejemplo anterior se llamaría  ''nombre del contenido''.
   * La Ruta completa de acceso al contenido a servir. Por ejemplo ''/var/lib/freedombox/sharing/nombre_del_contenido''.
   * El modo de compartición. Si es restringido, también contendrá la lista de grupos autorizados. Solo los grupos reconocidos por el servicio !FreedomBox se pueden combinar en la lista de grupos autorizados. La app no ofrecerá los grupos creados sólo en la línea de órdenes. 
 * Crea el directorio especificado en ''Ruta de Disco'' en !FreedomBox mediante ''Cockpit'', ''Nautilus'' o ingreso remoto.
 * Asegúrate de que el usuario que proporcione el contenido tiene permiso para escribir en el directorio, por ejemplo, haciéndole dueño del directorio. 
 === Provisionar/actualizar el contenido ===
--- a/doc/manual/es/TinyTinyRSS.raw.wiki
+++ b/doc/manual/es/TinyTinyRSS.raw.wiki
@ -9,7 +9,7 @@
 == Tiny Tiny RSS (Lector de Feeds de Noticias) ==
 ||<tablestyle="float: right;"> {{attachment:FreedomBox/Manual/TinyTinyRSS/TinyTinyRSS-icon_en_V01.png|Tiny Tiny RSS icon}} ||
-'''Disponible desde''': versión 0.9
+'''Disponible desde''': Desde Debian Trixie esta aplicación ya no está disponible. Por favor, migra a [[es/FreedomBox/Manual/Miniflux|Miniflux]] or [[es/FreedomBox/Manual/Nextcloud|Nextcloud News]].
 ''Tiny Tiny RSS'' es un lector y agregador de ''feeds'' de noticias (RSS/Atom) diseñado para leer noticias desde cualquier lugar con una experiencia lo más parecida posible a una aplicación de escritorio.
--- a/doc/manual/es/Upgrades.raw.wiki
+++ b/doc/manual/es/Upgrades.raw.wiki
@ -86,7 +86,7 @@ Para la mayoría de los usuarios se recomienda la autoactualización. Si no obst
 Algunos paquetes podrían no estar disponibles tras una actualización de publicación. Por favor, migra a una aplicación similar. Al actualizar a Debian 13 "trixie", las siguentes aplicaciones dejan de estar disponibles:
   * Janus. Usa Matrix o XMPP para llamadas de video o Mumble para audio. Esta app probáblemente vuelva a estar disponible en el futuro.
-   * TT-RSS. Migra a Miniflux.
+   * TT-RSS. Migra a Miniflux o a Nextcloud News.
   * Searx.
 Para iniciar el proceso de actualización de publicación, ve a ''Actualización de Software'' en la sección ''Sistema''. Luego ''Habilitar autoactualización'' y la opción ''Habilitar autoactualización a la siguiente publicación estable''. Entonces haz clic en el botón ''Actualización de Distibución''. Y luego en ''Iniciar Actualización de Distibución''. El proceso podría llegar varias horas si tu sistema operativo reside en un almacenamiento lento como una tarjeta SD. El interfaz web de !FreedomBox podría estar indisponible durante la actualización. Refresca la página si muestra errores. Finalmente, espera a los procesos de post-actualización y reinicia la máquina.
--- a/doc/manual/es/Users.raw.wiki
+++ b/doc/manual/es/Users.raw.wiki
@ -1,6 +1,6 @@
 #language es
-~- [[DebianWiki/EditorGuide#translation|Translation(s)]]: [[FreedomBox/Manual/Users|English]] - Español -~
+<<Include(FreedomBox/Manual/Users, ,from="^##TAG:TRANSLATION-HEADER-START",to="^##TAG:TRANSLATION-HEADER-END")>>
 <<TableOfContents()>>
@ -9,25 +9,36 @@
 == Usuarios y Grupos ==
 Puedes otorgar acceso a tu !FreedomBox a otros usuarios. Proporciona el nombre del usuario y su contraseña y asignale un grupo. Actualmente se soportan los grupos
 Esta app puede usarse para crear, editar y eliminar cuentas de usuario en !FreedomBox. Muchas apps con interfaz web en !FreedomBox admiten inicio de sesión único mediante OpenID Connect.
 Esto significa que si has iniciado sesión en la interfaz web de !FreedomBox, no es necesario iniciar sesión de forma separada en la app.
 Otras apps permiten usar las cuentas de !FreedomBox mediante LDAP.
 Finalmente, hay algunas apps que gestionan sus propias cuentas de usuario de forma independiente a las cuentas que tengas en !FreedomBox.
 Puedes otorgar acceso a tu FreedomBox a otros usuarios. Proporciona el nombre del usuario y su contraseña y asignale un grupo. Actualmente se soportan los grupos:
 * admin
 * bit-torrent
 * calibre
 * ed2k
 * feed-reader
 * freedombox-share
 * freedombox-ssh
 * git-access
- * minidlna
+ * kiwix
- * syncthing
+ * syncthing-access
 * vpn
 * web-search
 * wiki
-El usuario podrá ingresar a los servicios que soporten ingreso único (single-sign-on) mediante LDAP si figuran en el grupo apropriado.
+Los usuarios del grupo admin podrán ingresar en todos los servicios.
 También podrán acceder al sistema vía SSH y tendrán privilegios administrativos (sudo).
 Los grupos de un usuario pueden modificarse más adelante.
-Los usuarios del grupo `admin` podrán ingresar en todos los servicios. También pueden ingresar al sistema por SSH y escalar a privilegios administrativos (sudo).
+!FreedomBox admite el inicio de sesión con claves de acceso.
 Las claves de acceso son una alternativa más segura que las contraseñas y son la forma recomendada de autenticarse en !FreedomBox.
 Lee más en la [[FreedomBox/Guide/Passkeys|guía de claves de acceso de FreedomBox]].
-Estas características se pueden cambiar más tarde. 
+Asimismo es posible establecer una clave pública SSH que permitirá al usuario ingresar al sistema de modo seguro sin emplear su contraseña. Puedes dar de alta varias claves, una en cada línea. Las líneas en blanco o que comiencen por # se ignoran.
 Asimismo es posible establecer una clave pública SSH que permitirá al usuario ingresar al sistema de modo seguro sin emplear su contraseña. Pueder dar de alta varias claves, una en cada línea. Las líneas en blanco o que comiencen por # se ignoran.
 El idioma de la interfaz se puede establecer individualmente para cada usuario. Por omisión se emplea el del navegador.
--- a/doc/manual/es/VirtualBox.raw.wiki
+++ b/doc/manual/es/VirtualBox.raw.wiki
@ -22,12 +22,11 @@ Follow the instructions on the [[FreedomBox/Download|download]] page to download
 1. Decompress the downloaded VDI image (tool for [[http://www.7-zip.org/|Windows]], [[http://unarchiver.c3.cx/unarchiver|Mac]]).
- 1. Create a new VM in the !VirtualBox UI with OS type ''Linux'' and Version ''Debian'' (32/64-bit according to the downloaded image).
+ 1. Create a new VM in the !VirtualBox UI with OS type ''Linux'' and Version ''Debian'' (32/64-bit according to the downloaded image). {{attachment:virtualbox-create-1.png|VirtualBox Name and OS dialog}}
 {{attachment:virtualbox_os_type.png|VirtualBox Name and OS dialog}}
- 1. In the ''Hard disk'' dialog choose ''Use an existing virtual hard disk file'' and select the .vdi file you extracted in step 1.
+ 1. In the ''Hardware'' dialog choose ''Enable EFI (special OSes only)''. You may increase the Base Memory and Processors if desired. {{attachment:virtualbox-create-2.png|VirtualBox Hardware dialog}}
-{{attachment:virtualbox_harddisk_file.png|VirtualBox Hard disk dialog}}
+ 1. In the ''Hard disk'' dialog choose ''Use an existing virtual hard disk file'' and select the .vdi file you extracted in step 1. {{attachment:virtualbox-create-3.png|VirtualBox Hard disk selector}} {{attachment:virtualbox-create-4.png|VirtualBox Hard disk dialog}}
 1. When created, go to the virtual machine's Settings -> [Network] -> [Adapter 1]->[Attached to:] and choose the network type your want the machine to use according to the explanation in Network Configuration below. The recommended type is the ''Bridged adapter'' option, but be aware that this exposes the !FreedomBox's services to your entire local network.
--- a/doc/manual/es/freedombox-manual.raw.wiki
+++ b/doc/manual/es/freedombox-manual.raw.wiki
@ -80,6 +80,7 @@
 <<Include(es/FreedomBox/Manual/Users,            , from="## BEGIN_INCLUDE", to="## END_INCLUDE")>>
 = Guías =
 <<Include(es/FreedomBox/Guide/Passkeys,          , from="## BEGIN_INCLUDE", to="## END_INCLUDE")>>
 <<Include(es/FreedomBox/Guide/ExposeLocalService,, from="## BEGIN_INCLUDE", to="## END_INCLUDE")>>
 = Hardware =
--- a/doc/manual/es/images/libre-crafts.png
+++ b/doc/manual/es/images/libre-crafts.png
--- a/doc/manual/es/images/virtualbox-create-1.png
+++ b/doc/manual/es/images/virtualbox-create-1.png
--- a/doc/manual/es/images/virtualbox-create-2.png
+++ b/doc/manual/es/images/virtualbox-create-2.png
--- a/doc/manual/es/images/virtualbox-create-3.png
+++ b/doc/manual/es/images/virtualbox-create-3.png
--- a/doc/manual/es/images/virtualbox-create-4.png
+++ b/doc/manual/es/images/virtualbox-create-4.png
--- a/doc/manual/es/images/virtualbox_harddisk_file.png
+++ b/doc/manual/es/images/virtualbox_harddisk_file.png
--- a/doc/manual/es/images/virtualbox_os_type.png
+++ b/doc/manual/es/images/virtualbox_os_type.png
--- a/doc/plinth.xml
+++ b/doc/plinth.xml
@ -73,8 +73,8 @@
          <para>
            This the URL fragment under which Plinth will provide its services.
            Plinth is shipped with a default value of
-            <filename>/plinth</filename>. This means that Plinth will be
+            <filename>/freedombox</filename>. This means that Plinth will be
-            available as http://localhost:8000/plinth by default.
+            available as http://localhost:8000/freedombox by default.
          </para>
        </listitem>
      </varlistentry>
@ -194,7 +194,7 @@
      <synopsis>$ plinth --server_dir='/myurl'</synopsis>
      <para>
        Run Plinth with the '/myurl' prefix. Note that Apache forwards requests
-        to '/plinth' by default, so /myurl is not accessible outside of your
+        to '/freedombox' by default, so /myurl is not accessible outside of your
        FreedomBox without adapting the apache configuration.
      </para>
    </example>
--- a/doc/scripts/wikiparser.py
+++ b/doc/scripts/wikiparser.py
@ -13,7 +13,7 @@ from pathlib import Path
 from xml.sax.saxutils import escape
 BASE_URL = 'https://wiki.debian.org/'
-LOCAL_BASE = '/plinth/help/manual/{lang}/'
+LOCAL_BASE = '/freedombox/help/manual/{lang}/'
 ICONS_DIR = 'icons'
 DEFAULT_LANGUAGE = 'en'
@ -624,21 +624,21 @@ def resolve_url(url, context):
    Locally available page in default language => shortcut to local copy:
    >>> resolve_url('FreedomBox/Contribute', {'language': '', 'title': ''})
-    '/plinth/help/manual/en/Contribute#'
+    '/freedombox/help/manual/en/Contribute#'
    Translated available page => shortcut to local copy:
    >>> resolve_url('es/FreedomBox/Contribute', {'language': '', 'title': ''})
-    '/plinth/help/manual/es/Contribute#'
+    '/freedombox/help/manual/es/Contribute#'
    Available page in default language refferred as translated => shortcut to
    local copy:
    >>> resolve_url('en/FreedomBox/Contribute', {'language': '', 'title': ''})
-    '/plinth/help/manual/en/Contribute#'
+    '/freedombox/help/manual/en/Contribute#'
    Unrecognized language => handle considering it as default language:
    >>> resolve_url('missing/FreedomBox/Contribute', {'language': '', \
    'title': ''})
-    '/plinth/help/manual/en/Contribute#'
+    '/freedombox/help/manual/en/Contribute#'
    """
    # Process first all easy, straight forward cases:
@ -1191,11 +1191,11 @@ from="## BEGIN_INCLUDE", to="## END_INCLUDE")>>')
    [Paragraph([PlainText('a')]), Paragraph([PlainText('b ')])]
    >>> parse_wiki('{{{#!wiki caution\\n\\nOnce some other app is set as the \
 home page, you can only navigate to the !FreedomBox Service (Plinth) by \
-typing https://myfreedombox.rocks/plinth/ into the browser. <<BR>>\\n\
+typing https://myfreedombox.rocks/freedombox/ into the browser. <<BR>>\\n\
 ''/freedombox'' can also be used as an alias to ''/plinth''\\n}}}')
    [Admonition('caution', [Paragraph([PlainText('Once some other app is set \
 as the home page, you can only navigate to the FreedomBox Service (Plinth) by \
-typing '), Url('https://myfreedombox.rocks/plinth/'), PlainText(' into the \
+typing '), Url('https://myfreedombox.rocks/freedombox/'), PlainText(' into the \
 browser. ')]), Paragraph([PlainText('/freedombox can also be used as an alias \
 to /plinth ')])])]
@ -1761,7 +1761,7 @@ Features introduction</ulink>'
    >>> generate_inner_docbook([Link('../../Contribute', \
 [PlainText('Contribute')])], context={'title': 'FreedomBox/Manual/Hardware'})
-    '<ulink url="/plinth/help/manual/en/Contribute#">\
+    '<ulink url="/freedombox/help/manual/en/Contribute#">\
 Contribute</ulink>'
    >>> generate_inner_docbook([Link('/Code', \
@ -1772,9 +1772,9 @@ Code</ulink>'
    >>> generate_inner_docbook([Link('DebianBug:1234', [PlainText('Bug')])])
    '<ulink url="https://bugs.debian.org/1234#">Bug</ulink>'
-    >>> generate_inner_docbook([Link('DebianPkg:plinth', \
+    >>> generate_inner_docbook([Link('DebianPkg:freedombox', \
 [PlainText('Plinth')])])
-    '<ulink url="https://packages.debian.org/plinth#">Plinth</ulink>'
+    '<ulink url="https://packages.debian.org/freedombox#">Plinth</ulink>'
    >>> generate_inner_docbook([Link('AliothList:freedombox-discuss', \
 [PlainText('Discuss')])])
@ -1911,7 +1911,7 @@ PlainText(' on it. ')])])
    '<para>An alternative to downloading these images is to \
 <ulink url="https://wiki.debian.org/InstallingDebianOn/TI/BeagleBone#">\
 install Debian</ulink> on the BeagleBone and then \
-<ulink url="/plinth/help/manual/en/Debian#">install \
+<ulink url="/freedombox/help/manual/en/Debian#">install \
 FreedomBox</ulink> on it. </para>'
    >>> generate_inner_docbook([Paragraph([PlainText('After Roundcube is \
--- a/plinth/init.py
+++ b/plinth/init.py
@ -3,4 +3,4 @@
 Package init file.
 """
-__version__ = '25.14'
+__version__ = '26.8'
--- a/plinth/main.py
+++ b/plinth/main.py
@ -3,6 +3,7 @@
 import argparse
 import logging
 import os
 import sys
 import threading
@ -121,7 +122,8 @@ def main():
    arguments = parse_arguments()
    cfg.read()
-    if arguments.develop:
+    if arguments.develop or os.getenv('FREEDOMBOX_DEVELOP', '') == '1':
        cfg.develop = True
        # Use the config in the current working directory
        cfg.read_file(cfg.get_develop_config_path())
--- a/plinth/action_utils.py
+++ b/plinth/action_utils.py
@ -10,6 +10,7 @@ import shutil
 import subprocess
 import tempfile
 from contextlib import contextmanager
 from typing import Generator
 import augeas
@ -17,9 +18,6 @@ from . import actions
 logger = logging.getLogger(__name__)
 UWSGI_ENABLED_PATH = '/etc/uwsgi/apps-enabled/{config_name}.ini'
 UWSGI_AVAILABLE_PATH = '/etc/uwsgi/apps-available/{config_name}.ini'
 # Flag on disk to indicate if freedombox package was held by
 # plinth. This is a backup in case the process is interrupted and hold
 # is not released.
@ -137,25 +135,62 @@ def service_start(service_name: str, check: bool = False):
    """Start a service with systemd."""
    service_action(service_name, 'start', check=check)
    # When starting a .socket unit, there is not need to start the .service
    # unit as it will be automatically started when a request is received on
    # the socket.
 def _get_service_unit(socket_name: str) -> str:
    """Return the .service unit name for a .socket unit."""
    # Instead, may need to query the unit for associated .service file.
    base_name = socket_name.rpartition('.')[0]
    return f'{base_name}.service'
 def service_stop(service_name: str, check: bool = False):
    """Stop a service with systemd."""
    service_action(service_name, 'stop', check=check)
    # When stopping a .socket unit, most of the time, we must also stop
    # .service unit. This frees up resources when disabling the app. It also
    # stops using resources that are being backed up.
    if service_name.endswith('.socket'):
        service_action(_get_service_unit(service_name), 'stop', check=check)
 def service_restart(service_name: str, check: bool = False):
    """Restart a service with systemd."""
    if not service_name.endswith('.socket'):
        service_action(service_name, 'restart', check=check)
    else:
        # When restarting a .socket unit, most of the time, we actually want to
        # restart the corresponding .service unit. This reloads the
        # configuration changes as needed. To restart, all we need to do stop
        # the service. It will be automatically started again by .socket unit.
        service_action(_get_service_unit(service_name), 'stop', check=check)
 def service_try_restart(service_name: str, check: bool = False):
    """Try to restart a service with systemd."""
    if not service_name.endswith('.socket'):
        service_action(service_name, 'try-restart', check=check)
    else:
        # When try-restarting a .socket unit, most of the time, we actually
        # want to restart the corresponding .service unit. This reloads the
        # configuration changes as needed. To restart, all we need to do stop
        # the service. It will be automatically started again by .socket unit.
        service_action(_get_service_unit(service_name), 'stop', check=check)
 def service_reload(service_name: str, check: bool = False):
    """Reload a service with systemd."""
    if not service_name.endswith('.socket'):
        service_action(service_name, 'reload', check=check)
    else:
        # When reloading a .socket unit, most of the time, we actually want to
        # reload the corresponding .service unit. This reloads the
        # configuration changes as needed.
        service_action(_get_service_unit(service_name), 'reload', check=check)
 def service_try_reload_or_restart(service_name: str, check: bool = False):
@ -163,7 +198,14 @@ def service_try_reload_or_restart(service_name: str, check: bool = False):
    Do nothing if service is not running.
    """
    if not service_name.endswith('.socket'):
        service_action(service_name, 'try-reload-or-restart', check=check)
    else:
        # When reloading a .socket unit, most of the time, we actually want to
        # reload the corresponding .service unit. This reloads the
        # configuration changes as needed.
        service_action(_get_service_unit(service_name),
                       'try-reload-or-restart', check=check)
 def service_reset_failed(service_name: str, check: bool = False):
@ -309,43 +351,6 @@ class WebserverChange:
        self.actions_required.add(action_required)
 def uwsgi_is_enabled(config_name):
    """Return whether a uwsgi config is enabled."""
    enabled_path = UWSGI_ENABLED_PATH.format(config_name=config_name)
    return os.path.exists(enabled_path)
 def uwsgi_enable(config_name):
    """Enable a uwsgi configuration that runs under uwsgi."""
    if uwsgi_is_enabled(config_name):
        return
    # uwsgi is started/stopped using init script. We don't know if it can
    # handle some configuration already running against newly enabled
    # configuration. So, stop first before enabling new configuration.
    service_stop('uwsgi')
    enabled_path = UWSGI_ENABLED_PATH.format(config_name=config_name)
    available_path = UWSGI_AVAILABLE_PATH.format(config_name=config_name)
    os.symlink(available_path, enabled_path)
    service_enable('uwsgi')
    service_start('uwsgi')
 def uwsgi_disable(config_name):
    """Disable a uwsgi configuration that runs under uwsgi."""
    if not uwsgi_is_enabled(config_name):
        return
    # If uwsgi is restarted later, it won't stop the just disabled
    # configuration due to how init scripts are written for uwsgi.
    service_stop('uwsgi')
    enabled_path = UWSGI_ENABLED_PATH.format(config_name=config_name)
    os.unlink(enabled_path)
    service_start('uwsgi')
 def get_addresses() -> list[dict[str, str | bool]]:
    """Return a list of IP addresses and hostnames."""
    addresses = get_ip_addresses()
@ -370,12 +375,13 @@ def get_addresses() -> list[dict[str, str | bool]]:
        'url_address': hostname
    })
-    # XXX: When a hostname is resolved to IPv6 address, it may likely
+    # When a hostname is resolved to IPv6 address, it may likely be link-local
-    # be link-local address.  Link local IPv6 addresses are valid only
+    # address. Link local IPv6 addresses are valid only for a given link and
-    # for a given link and need to be scoped with interface name such
+    # need to be scoped with interface name such as '%eth0' to work. Browsers
-    # as '%eth0' to work.  Tools such as curl don't seem to handle
+    # refused to implement support for link-local addresses (with zone IDs) in
    # URLs due to platform specific parsing rules and other implementation
    # difficulties. mod_auth_openidc does not support them either.
    # this correctly.
    # addresses.append({'kind': '6', 'address': hostname, 'numeric': False})
    return addresses
@ -397,12 +403,14 @@ def get_ip_addresses() -> list[dict[str, str | bool]]:
        }
        if address['kind'] == '6' and address['numeric']:
            if address['scope'] != 'link':
            address['url_address'] = '[{0}]'.format(address['address'])
            else:
                address['url_address'] = '[{0}%{1}]'.format(
                    address['url_address'], address['interface'])
        if address['scope'] != 'link':
            # Do not include link local addresses. Browsers refused to
            # implement support for link-local addresses (with zone IDs) in
            # URLs due to platform specific parsing rules and other
            # implementation difficulties. mod_auth_openidc does not support
            # them either.
            addresses.append(address)
    return addresses
@ -465,9 +473,31 @@ def is_disk_image():
    return os.path.exists('/var/lib/freedombox/is-freedombox-disk-image')
-def run_apt_command(arguments, enable_triggers: bool = False):
+def run_apt_command(arguments, enable_triggers: bool = False,
                    allow_freedombox_restart=False):
    """Run apt-get with provided arguments."""
-    command = ['apt-get', '--assume-yes', '--quiet=2'] + arguments
+    command = []
    if not allow_freedombox_restart:
        # Don't restart the freedombox web service. This configuration is only
        # used when apt command is invoked from freedombox web service itself
        # (such as during an app's installation/uninstallation).
        #
        # If this is not done, a freedombox web service restart is attempted.
        # needsrestart will wait until the restart is completed. apt command
        # will wait until needsrestart is completed. The restart mechanism in
        # service will wait until all currently running threads are completed.
        # One thread that has invoked this apt command will not finish as it
        # waits for apt command to finish. This results in a deadlock. Avoid
        # this by not attempting to restart freedombox web service when apt
        # command is invoked from freedombox web service.
        mount_path = '/etc/needrestart/conf.d/freedombox-self.conf'
        orig_path = f'/usr/share/freedombox{mount_path}'
        command = [
            'systemd-run', '--pipe',
            f'--property=BindReadOnlyPaths={orig_path}:{mount_path}'
        ]
    command += ['apt-get', '--assume-yes', '--quiet=2'] + arguments
    env = os.environ.copy()
    env['DEBIAN_FRONTEND'] = 'noninteractive'
@ -838,3 +868,13 @@ def run(command, **kwargs):
        raise exception
    return process
@contextmanager
 def umask(mask) -> Generator:
    """Set the umask temporarily for a operation and then revert it."""
    old_umask = os.umask(mask)
    try:
        yield
    finally:
        os.umask(old_umask)
--- a/plinth/actions.py
+++ b/plinth/actions.py
@ -130,6 +130,9 @@ def run_privileged_method(func, module_name, action_name, args, kwargs):
    if raw_output:
        request['raw_output'] = raw_output
    if not log_error:
        request['log_error'] = False
    client_socket = _request_to_server(request)
    if raw_output:
@ -366,7 +369,6 @@ class JSONEncoder(json.JSONEncoder):
 def _setup_thread_storage():
    """Setup collection of stdout/stderr from any process in this thread."""
    global thread_storage
    thread_storage.stdout = b''
    thread_storage.stderr = b''
@ -377,14 +379,12 @@ def _clear_thread_storage():
    Python documentation is silent on whether thread local storage will be
    cleaned up after a thread terminates.
    """
    global thread_storage
    thread_storage.stdout = None
    thread_storage.stderr = None
 def get_return_value_from_exception(exception):
    """Return the value to return from server when an exception is raised."""
    global thread_storage
    return_value = {
        'result': 'exception',
        'exception': {
@ -424,14 +424,19 @@ def privileged_handle_json_request(
                                                      bool):
            raise TypeError('Incorrect "raw_output" parameter')
        if 'log_error' in request and not isinstance(request['log_error'],
                                                     bool):
            raise TypeError('Incorrect "log_error" parameter')
        return request
    try:
        request = _parse_request()
        log_error = request.get('log_error', True)
        arguments = {'args': request['args'], 'kwargs': request['kwargs']}
        _setup_thread_storage()
        return_value = _privileged_call(request['module'], request['action'],
-                                        arguments)
+                                        arguments, log_error)
        if isinstance(return_value, io.BufferedReader):
            raw_output = request.get('raw_output', False)
@ -452,7 +457,7 @@ def privileged_handle_json_request(
    return json.dumps(return_value, cls=JSONEncoder)
-def _privileged_call(module_name, action_name, arguments):
+def _privileged_call(module_name, action_name, arguments, log_error=True):
    """Import the module and run action as superuser"""
    if '.' in module_name:
        raise SyntaxError('Invalid module name')
@ -500,9 +505,10 @@ def _privileged_call(module_name, action_name, arguments):
        return_value = {'result': 'success', 'return': return_values}
    except Exception as exception:
        return_value = get_return_value_from_exception(exception)
        if log_error:
            logger.exception(
-            'Error running action: %s..%s(..): %s\nstdout:\n%s\nstderr:\n%s\n',
+                'Error running action: %s..%s(..): %s\nstdout:\n%s\n'
-            module_name, action_name, exception,
+                'stderr:\n%s\n', module_name, action_name, exception,
                return_value['exception']['stdout'],
                return_value['exception']['stderr'])
--- a/plinth/app.py
+++ b/plinth/app.py
@ -574,10 +574,19 @@ class Info(FollowerComponent):
        except ImproperlyConfigured:
            # Hack to allow apps to be instantiated without Django
            # initialization as required by privileged process.
-            return [
+            def _make_str(tag):
-                tag._proxy____args[0] if isinstance(tag, Promise) else tag
+                """Return the string without casting."""
-                for tag in self._tags
+                if not isinstance(tag, Promise):
-            ]
+                    return tag
                # Django 4.2
                if hasattr(tag, '_proxy____args'):
                    return tag._proxy____args[0]
                # Django 5.x
                return tag._args[0]
            return [_make_str(tag) for tag in self._tags]
 class EnableState(LeaderComponent):
--- a/plinth/cfg.py
+++ b/plinth/cfg.py
@ -12,13 +12,11 @@ logger = logging.getLogger(__name__)
 # [Path] section
 file_root = '/usr/share/plinth'
 config_dir = '/etc/plinth'
 data_dir = '/var/lib/plinth'
 custom_static_dir = '/var/www/plinth/custom/static'
 store_file = data_dir + '/plinth.sqlite3'
 actions_dir = '/usr/share/plinth/actions'
 doc_dir = '/usr/share/freedombox'
-server_dir = '/plinth'
+server_dir = '/freedombox'
 # [Network] section
 host = '127.0.0.1'
@ -111,11 +109,9 @@ def read_file(config_path):
    config_items = (
        ('Path', 'file_root', 'string'),
        ('Path', 'config_dir', 'string'),
        ('Path', 'data_dir', 'string'),
        ('Path', 'custom_static_dir', 'string'),
        ('Path', 'store_file', 'string'),
        ('Path', 'actions_dir', 'string'),
        ('Path', 'doc_dir', 'string'),
        ('Path', 'server_dir', 'string'),
        ('Network', 'host', 'string'),
--- a/plinth/clients.py
+++ b/plinth/clients.py
@ -44,7 +44,8 @@ def _check(client, condition):
 def _client_has_desktop(client):
    """Filter to find out whether an application has desktop clients"""
    return _check(
-        client, lambda platform: platform.get('os') in enum_values(Desktop_OS))
+        client, lambda platform: platform.get('os') in enum_values(Desktop_OS)
        and platform.get('type') != 'package')
 def _client_has_mobile(client):
@ -116,7 +117,7 @@ def _validate_platform_package(platform):
 def _validate_platform_download(platform):
    """Validate a platform of type download."""
-    assert platform['os'] in enum_values(Desktop_OS)
+    assert platform['os'] in enum_values(Desktop_OS) + enum_values(Mobile_OS)
    assert isinstance(platform['url'], (str, Promise))
--- a/plinth/conftest.py
+++ b/plinth/conftest.py
@ -64,10 +64,10 @@ def fixture_load_cfg():
    """Load test configuration."""
    from plinth import cfg
-    keys = ('file_root', 'config_dir', 'data_dir', 'custom_static_dir',
+    keys = ('file_root', 'data_dir', 'custom_static_dir', 'store_file',
-            'store_file', 'actions_dir', 'doc_dir', 'server_dir', 'host',
+            'doc_dir', 'server_dir', 'host', 'port', 'use_x_forwarded_for',
-            'port', 'use_x_forwarded_for', 'use_x_forwarded_host',
+            'use_x_forwarded_host', 'secure_proxy_ssl_header', 'box_name',
-            'secure_proxy_ssl_header', 'box_name', 'develop')
+            'develop')
    saved_state = {}
    for key in keys:
        saved_state[key] = getattr(cfg, key)
--- a/plinth/db/dbconfig.py
+++ b/plinth/db/dbconfig.py
@ -0,0 +1,40 @@
 # SPDX-License-Identifier: AGPL-3.0-or-later
 """Utilities for parsing dbconfig-common files with Augeas."""
 import pathlib
 import augeas
 def get_credentials(dbconfig_path: str) -> dict[str, str]:
    """Parse dbconfig-common file with Augeas Shellvars lens."""
    if not pathlib.Path(dbconfig_path).is_file():
        raise FileNotFoundError(f'DB config not found: {dbconfig_path}')
    aug = _load_augeas(dbconfig_path)
    required = ['dbc_dbuser', 'dbc_dbpass', 'dbc_dbname']
    credentials = {}
    for key in required + ['dbc_dbserver']:
        credentials[key] = aug.get(key).strip('\'"')
    if not all(credentials.get(key) for key in required):
        raise ValueError('Missing required dbconfig-common credentials')
    return {
        'user': credentials['dbc_dbuser'],
        'password': credentials['dbc_dbpass'],
        'database': credentials['dbc_dbname'],
        'host': credentials['dbc_dbserver'] or 'localhost'
    }
 def _load_augeas(config_path: str):
    """Initialize Augeas."""
    aug = augeas.Augeas(flags=augeas.Augeas.NO_LOAD +
                        augeas.Augeas.NO_MODL_AUTOLOAD)
    pathstr = str(config_path)
    aug.transform('Shellvars', pathstr)
    aug.set('/augeas/context', f'/files{pathstr}')
    aug.load()
    return aug
--- a/plinth/db/postgres.py
+++ b/plinth/db/postgres.py
@ -93,7 +93,6 @@ def dump_database(backup_file: str | pathlib.Path, database_name: str):
    file if it exists.
    """
    backup_path = pathlib.Path(backup_file)
    backup_path.parent.mkdir(parents=True, exist_ok=True)
    with action_utils.service_ensure_running('postgresql'):
        with open(backup_path, 'w', encoding='utf-8') as file_handle:
            _run_as([
--- a/plinth/develop.config
+++ b/plinth/develop.config
@ -1,5 +1,3 @@
 [Path]
 file_root = %(parent_parent_dir)s
 config_dir = %(file_root)s/data/etc/plinth
 actions_dir = %(file_root)s/actions
 doc_dir = %(file_root)s/doc
--- a/plinth/locale/README
+++ b/plinth/locale/README
@ -10,7 +10,7 @@ translating the PO file from your language directory.
 Introducing yourself is important since some work may have been done
 already on Debian translators discussion lists and Weblate
 localization platform.
-https://hosted.weblate.org/projects/freedombox/plinth/
+https://hosted.weblate.org/projects/freedombox/freedombox/
 https://www.debian.org/MailingLists/subscribe
 ## Wiki: translators landing page
--- a/plinth/locale/ar/LC_MESSAGES/django.po
+++ b/plinth/locale/ar/LC_MESSAGES/django.po
--- a/plinth/locale/ar_SA/LC_MESSAGES/django.po
+++ b/plinth/locale/ar_SA/LC_MESSAGES/django.po
--- a/plinth/locale/be/LC_MESSAGES/django.po
+++ b/plinth/locale/be/LC_MESSAGES/django.po
--- a/plinth/locale/bg/LC_MESSAGES/django.po
+++ b/plinth/locale/bg/LC_MESSAGES/django.po
--- a/plinth/locale/bn/LC_MESSAGES/django.po
+++ b/plinth/locale/bn/LC_MESSAGES/django.po
--- a/plinth/locale/ca/LC_MESSAGES/django.po
+++ b/plinth/locale/ca/LC_MESSAGES/django.po
--- a/plinth/locale/cs/LC_MESSAGES/django.po
+++ b/plinth/locale/cs/LC_MESSAGES/django.po
--- a/plinth/locale/da/LC_MESSAGES/django.po
+++ b/plinth/locale/da/LC_MESSAGES/django.po
--- a/plinth/locale/de/LC_MESSAGES/django.po
+++ b/plinth/locale/de/LC_MESSAGES/django.po
--- a/plinth/locale/django.pot
+++ b/plinth/locale/django.pot
--- a/plinth/locale/el/LC_MESSAGES/django.po
+++ b/plinth/locale/el/LC_MESSAGES/django.po
--- a/plinth/locale/es/LC_MESSAGES/django.po
+++ b/plinth/locale/es/LC_MESSAGES/django.po
--- a/plinth/locale/et/LC_MESSAGES/django.po
+++ b/plinth/locale/et/LC_MESSAGES/django.po
--- a/Show More
+++ b/Show More
		`@ -0,0 +1 @@`
							`u! plinth - "FreedomBox service" /var/lib/plinth`