Release v26.9.1 to unstable

Signed-off-by: James Valleroy <jvalleroy@mailbox.org>

.vagrant-scripts/plinth-user-permissions.py

@@ -1,16 +0,0 @@
-#!/usr/bin/python3
-# -*- mode: python -*-
-# SPDX-License-Identifier: AGPL-3.0-or-later
-"""Set required permissions for user "plinth" to run plinth in dev setup."""
-
-import pathlib
-
-content = '''
-Cmnd_Alias FREEDOMBOX_ACTION_DEV = /usr/share/plinth/actions/actions, /freedombox/actions/actions
-Defaults!FREEDOMBOX_ACTION_DEV closefrom_override
-plinth ALL=(ALL:ALL) NOPASSWD:SETENV : FREEDOMBOX_ACTION_DEV
-fbx    ALL=(ALL:ALL) NOPASSWD : ALL
-'''
-
-sudoers_file = pathlib.Path('/etc/sudoers.d/01-freedombox-development')
-sudoers_file.write_text(content)

HACKING.md

@@ -66,7 +66,7 @@ development environment inside a systemd-nspawn container.
     folder: (This step requires at least 16GB of free disk space)
 
     ```bash
-    host$ ./container up
+    host$ ./container start
     ```
 
 1. To run unit tests:
@@ -97,20 +97,20 @@ development environment inside a systemd-nspawn container.
    1. Using an environment variable.
 
    ```bash
-   host$ DISTRIBUTION=stable ./container up
+   host$ DISTRIBUTION=stable ./container start
    host$ DISTRIBUTION=stable ./container ssh
    ```
 
    ```bash
    host$ export DISTRIBUTION=stable
-   host$ ./container up
+   host$ ./container start
    host$ ./container ssh
    ```
 
    2. Using the `--distribution` option for each command.
 
    ```bash
-   host$ ./container up --distribution=stable
+   host$ ./container start --distribution=stable
    host$ ./container ssh --distribution=stable
    ```
 
@@ -131,7 +131,7 @@ used simultaneously as they all use different disk images.
     example, to bring up a virtual machine instead of a container run:
 
     ```bash
-    host$ ./container up --machine-type=vm
+    host$ ./container start --machine-type=vm
     ```
 
 #### Using after Setup
@@ -164,9 +164,9 @@ Note: This development container has automatic upgrades disabled by default.
 
 #### Troubleshooting
 
-* Sometimes `host$ ./container destroy && ./container up` doesn't work. In such
+* Sometimes `host$ ./container destroy && ./container start` doesn't work. In such
   cases, try to delete the hidden `.container` folder and then `host$
-  ./container up`.
+  ./container start`.
 * Not all kinds of changes are automatically updated. Try `guest$ sudo mount -o
   remount /freedombox`.
 * I am getting an error that says `lo` is not managed by Network Manager
@@ -178,7 +178,7 @@ Note: This development container has automatic upgrades disabled by default.
     ```bash
     host$ sudo touch /etc/NetworkManager/conf.d/10-globally-managed-devices.conf
     host$ sudo service network-manager restart
-    host$ ./container destroy && ./container up
+    host$ ./container destroy && ./container start
     ```
 * File/directory not found errors when running tests can be fixed by clearing `__pycache__` directories.
 
@@ -416,7 +416,7 @@ for more details.
 ### Translating literals (contributing translations)
 
 The easiest way to start translating is with your browser, by using
-[Weblate](https://hosted.weblate.org/projects/freedombox/plinth/).
+[Weblate](https://hosted.weblate.org/projects/freedombox/freedombox/).
 Your changes will automatically get pushed to the code repository.
 
 Alternatively, you can directly edit the `.po` file in your language directory

INSTALL.md

@@ -35,7 +35,7 @@ FreedomBox [Manual](https://wiki.debian.org/FreedomBox/Manual/)'s
 
 3.  Access FreedomBox UI:
 
-    UI should be accessible at http://localhost:8000/plinth
+    UI should be accessible at http://localhost:8000/freedombox
 
 If you are installing FreedomBox Service (Plinth) for development purposes, see
 HACKING.md instead.

Makefile

@@ -21,7 +21,8 @@ DISABLED_APPS_TO_REMOVE := \
     tahoe \
     mldonkey \
     i2p \
-    ttrss
+    ttrss \
+    sso
 
 APP_FILES_TO_REMOVE := $(foreach app,$(DISABLED_APPS_TO_REMOVE),$(ENABLED_APPS_PATH)/$(app))
 
@@ -101,11 +102,12 @@ install:
         $(INSTALL) -d $(DESTDIR)$${lib_dir} && \
 	rm -rf $(DESTDIR)$${lib_dir}/plinth $(DESTDIR)$${lib_dir}/plinth*.dist-info && \
         mv $${temp}/plinth $${temp}/plinth*.dist-info $(DESTDIR)$${lib_dir} && \
-	rm -f $(DESTDIR)$${lib_dir}/plinth*.dist-info/COPYING.md && \
+	rm -f $(DESTDIR)$${lib_dir}/plinth*.dist-info/licenses/COPYING.md && \
 	rm -f $(DESTDIR)$${lib_dir}/plinth*.dist-info/direct_url.json && \
         $(INSTALL) -D -t $(BIN_DIR) bin/plinth
 	$(INSTALL) -D -t $(LIB_DIR)/freedombox bin/freedombox-privileged
 	$(INSTALL) -D -t $(BIN_DIR) bin/freedombox-cmd
+	$(INSTALL) -D -t $(BIN_DIR) bin/freedombox-change-password
 
 	# Static web server files
 	rm -rf $(STATIC_FILES_DIRECTORY)
@@ -229,7 +231,7 @@ provision-dev:
 	    sshpass bash-completion
 
 wait-while-first-setup:
-	while [ x$$(curl -k https://localhost/plinth/status/ 2> /dev/null | \
+	while [ x$$(curl -k https://localhost/freedombox/status/ 2> /dev/null | \
 	    json_pp 2> /dev/null | grep 'is_first_setup_running' | \
             tr -d '[:space:]' | cut -d':' -f2 ) != 'xfalse' ] ; do \
 	    sleep 1; echo -n .; done

Vagrantfile

@@ -6,8 +6,7 @@ require 'etc'
 
 Vagrant.configure(2) do |config|
   config.vm.box = "freedombox/freedombox-testing-dev"
-  config.vm.network "forwarded_port", guest: 443, host: 4430
+  config.vm.network "public_network"
-  config.vm.network "forwarded_port", guest: 445, host: 4450
   config.vm.synced_folder ".", "/freedombox", owner: "plinth", group: "plinth"
   config.vm.provider "virtualbox" do |vb|
     vb.cpus = Etc.nprocessors
@@ -28,17 +27,15 @@ Vagrant.configure(2) do |config|
   SHELL
   config.vm.provision "tests", run: "never", type: "shell", path: "plinth/tests/functional/install.sh"
   config.vm.post_up_message = "FreedomBox virtual machine is ready
-for development. Plinth will be available at https://localhost:4430/plinth
+for development. To get the IP address:
+$ vagrant ssh
+$ ip address show
+
+FreedomBox interface will be available at https://<ip address>/freedombox
 (with an invalid SSL certificate). To watch logs:
 $ vagrant ssh
 $ sudo freedombox-logs
 "
 
-  config.trigger.after [:up, :resume, :reload] do |trigger|
-    trigger.info = "Set plinth user permissions for development environment"
-    trigger.run_remote = {
-      path: ".vagrant-scripts/plinth-user-permissions.py"
-    }
-  end
   config.vm.boot_timeout=1200
 end

bin/freedombox-change-password

@@ -0,0 +1,61 @@
+#!/usr/bin/python3
+# SPDX-License-Identifier: AGPL-3.0-or-later
+"""
+Utility to change user password in FreedomBox's Django database.
+
+Usage:
+$ freedombox-change-password <username>
+"""
+
+import argparse
+import getpass
+import sys
+
+import plinth.web_framework
+from plinth.modules.users import privileged
+
+
+def main():
+    """Ask for new password, setup Django and update a user's password."""
+    try:
+        plinth.web_framework.init()
+    except Exception:
+        _print('Error initializing Django.')
+        return
+
+    parser = argparse.ArgumentParser()
+    parser.add_argument('username',
+                        help='Username of the account to change password for')
+    args = parser.parse_args()
+
+    username = args.username
+    password = getpass.getpass('Enter new password: ')
+
+    try:
+        _change_password(username, password)
+        privileged._set_user_password(username, password)
+        privileged._set_samba_user(username, password)
+        _print('Password updated in web interface, LDAP, and samba databases.')
+    except Exception as exception:
+        _print('Error setting password:', str(exception))
+
+
+def _print(*args, **kwargs):
+    """Write to stderr."""
+    print(*args, **kwargs, file=sys.stderr)
+
+
+def _change_password(username: str, password: str):
+    """Update the password in SQLite database file."""
+    from django.contrib.auth.models import User
+    try:
+        user = User.objects.get(username=username)
+        user.set_password(password)
+        user.save()
+    except User.DoesNotExist:
+        _print('User account does not exist:', username)
+        raise
+
+
+if __name__ == '__main__':
+    main()

container

@@ -227,6 +227,7 @@ fi
 
 echo "> In machine: Upgrade packages"
 apt-get update
+apt-mark hold freedombox freedombox-doc-en freedombox-doc-es
 DEBIAN_FRONTEND=noninteractive apt-get -yq --with-new-pkgs upgrade
 
 # Install requirements for tests if not already installed as root
@@ -483,6 +484,9 @@ def parse_arguments() -> argparse.Namespace:
                            help='Disk image size to resize to after download')
     subparser.add_argument('--hkp-client', choices=('gpg', 'wget'),
                            default='gpg', help='Client for key retrieval')
+    subparser.add_argument(
+        '--skip-install', action='store_true',
+        help='Skip running make provision-dev in the container')
 
     # Print IP address
     subparser = subparsers.add_parser(
@@ -685,10 +689,27 @@ def _verify_signature(hkp_client: str, data_file: pathlib.Path,
 
 def _extract_image(compressed_file: pathlib.Path):
     """Extract the image file."""
-    decompressed_file = compressed_file.with_suffix('')
+    # Strip the .xz extension, then replace .img with .raw
+    decompressed_file = compressed_file.with_suffix('').with_suffix('.raw')
+    older_image = compressed_file.with_suffix('')
+
     if decompressed_file.exists():
         return decompressed_file
 
+    # Rename older image and its corresponding state files.
+    if older_image.exists():
+        logger.info('Renaming .img file to .raw')
+        older_image.rename(decompressed_file)
+
+        for ext in ['.setup', '.provisioned']:
+            old_state = older_image.with_suffix(older_image.suffix + ext)
+            new_state = decompressed_file.with_suffix(
+                decompressed_file.suffix + ext)
+            if old_state.exists():
+                old_state.rename(new_state)
+
+        return decompressed_file
+
     logger.info('Decompressing file %s', compressed_file)
     partial_file = compressed_file.with_suffix('.partial')
     with partial_file.open('w', encoding='utf-8') as file_handle:
@@ -711,7 +732,8 @@ def _get_compressed_image_path(distribution: str) -> pathlib.Path:
 def _get_image_file(distribution: str) -> pathlib.Path:
     """Return the path of the image file."""
     compressed_image = _get_compressed_image_path(distribution)
-    return compressed_image.with_suffix('')
+    # Strip the .xz extension, then replace .img with .raw
+    return compressed_image.with_suffix('').with_suffix('.raw')
 
 
 def _get_project_folder() -> pathlib.Path:
@@ -945,7 +967,7 @@ def _setup_ssh(image_file: pathlib.Path):
     _runc(image_file, ['chown', 'fbx:fbx', '/home/fbx/.ssh/authorized_keys'])
 
 
-def _setup_image(image_file: pathlib.Path):
+def _setup_image(image_file: pathlib.Path, skip_install: bool = False):
     """Prepare the image for execution."""
     setup_file = image_file.with_suffix(image_file.suffix + '.setup')
     if setup_file.exists():
@@ -957,6 +979,7 @@ def _setup_image(image_file: pathlib.Path):
     _runc(image_file, ['tee', '/etc/apt/apt.conf.d/20auto-upgrades'],
           input=contents.encode())
 
+    if not skip_install:
         logger.info('In image: Disabling FreedomBox service')
         _runc(image_file, ['systemctl', 'disable', 'plinth'],
               stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
@@ -1017,11 +1040,15 @@ def _is_provisioned(distribution: str) -> bool:
     return provision_file.exists()
 
 
-def _provision(image_file: pathlib.Path, machine_type: str, distribution: str):
+def _provision(image_file: pathlib.Path, machine_type: str, distribution: str,
+               skip_install: bool = False):
     """Run app setup inside the container."""
     if _is_provisioned(distribution):
         return
 
+    if skip_install:
+        logger.info('Skipping provision step (--skip-install)')
+    else:
         machine = Machine.get_instance(machine_type, distribution)
         ssh_command = machine.get_ssh_command()
         subprocess.run(ssh_command + ['bash'], check=True,
@@ -1064,7 +1091,7 @@ Terminal login        : sudo machinectl login fbx-{distribution}
 Open a root shell     : sudo machinectl shell fbx-{distribution}
 Shutdown              : {script} stop {options}
 Destroy               : {script} destroy {options}
-Reset                 : {script} destroy {options}; {script} up {options}'''
+Reset                 : {script} destroy {options}; {script} start {options}'''
     logger.info(message)
 
 
@@ -1328,9 +1355,8 @@ VirtualEthernet=yes
             if result.returncode:
                 raise Exception(f'Image file {image_link} is not a symlink.')
 
-            subprocess.run(['sudo', 'rm', '--force',
+        # May be linked to wrong place (such as old .img file)
-                            str(image_link)], check=False)
+        subprocess.run(['sudo', 'rm', '--force', str(image_link)], check=False)
-
         subprocess.run([
             'sudo', 'ln', '--symbolic',
             str(image_file.resolve()),
@@ -1475,10 +1501,11 @@ def subcommand_start(arguments: argparse.Namespace):
                                       arguments.hkp_client)
     _resize_disk_image(image_file, arguments.image_size,
                        arguments.distribution)
-    _setup_image(image_file)
+    _setup_image(image_file, arguments.skip_install)
     machine.setup()
     machine.launch()
-    _provision(image_file, arguments.machine_type, arguments.distribution)
+    _provision(image_file, arguments.machine_type, arguments.distribution,
+               arguments.skip_install)
     _print_banner(arguments.machine_type, arguments.distribution)
 
 

data/etc/apache2/conf-available/freedombox-tls.conf

@@ -12,6 +12,7 @@
     # Don't redirect for onion sites as it is not needed and leads to
     # unnecessary warning.
     RewriteCond %{HTTP_HOST} !^.*\.onion$ [NC]
+    RewriteCond %{REQUEST_URI} !^/freedombox/apache/discover-idp/$ [NC]
     ReWriteCond %{HTTPS} !=on
     RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
 </LocationMatch>

data/etc/apache2/conf-available/freedombox.conf

@@ -39,16 +39,16 @@
 </If>
 
 ##
-## Redirect traffic on home to /plinth as part of turning the machine
+## Redirect traffic on home to /freedombox as part of turning the machine
 ## into FreedomBox server.  Plinth then acts as a portal to reach all
 ## other services.
 ##
 <IfFile !/etc/apache2/conf-enabled/freedombox-apache-homepage.conf>
-    RedirectMatch "^/$" "/plinth"
+    RedirectMatch "^/$" "/freedombox"
 </IfFile>
 
 ##
-## On all sites, provide FreedomBox on a default path: /plinth
+## On all sites, provide FreedomBox on a default path: /freedombox
 ##
 ## Requires the following Apache modules to be enabled:
 ##   mod_headers
@@ -56,7 +56,8 @@
 ##   mod_proxy_http
 ##
 <Location /freedombox>
-    ProxyPass        http://127.0.0.1:8000/plinth
+    ProxyPass        http://127.0.0.1:8000/freedombox
+    ProxyPreserveHost On
     ## Send the scheme from user's request to enable Plinth to redirect
     ## URLs, set cookies, set absolute URLs (if any) properly.
     RequestHeader    set X-Forwarded-Proto 'https' env=HTTPS
@@ -70,7 +71,20 @@
     RequestHeader    unset X-Forwarded-For
 </Location>
 <Location /plinth>
-    ProxyPass        http://127.0.0.1:8000/plinth
+    ProxyPass        http://127.0.0.1:8000/freedombox
+    ProxyPreserveHost On
+    RequestHeader    set X-Forwarded-Proto 'https' env=HTTPS
+    RequestHeader    unset X-Forwarded-For
+</Location>
+<Location /.well-known/openid-configuration>
+    ProxyPass        http://127.0.0.1:8000/freedombox/o/.well-known/openid-configuration
+    ProxyPreserveHost On
+    RequestHeader    set X-Forwarded-Proto 'https' env=HTTPS
+    RequestHeader    unset X-Forwarded-For
+</Location>
+<Location /.well-known/jwks.json>
+    ProxyPass        http://127.0.0.1:8000/freedombox/o/.well-known/jwks.json
+    ProxyPreserveHost On
     RequestHeader    set X-Forwarded-Proto 'https' env=HTTPS
     RequestHeader    unset X-Forwarded-For
 </Location>
@@ -82,7 +96,7 @@
 <Location ~ ^/favicon\.ico$>
     <IfModule mod_rewrite.c>
         RewriteEngine On
-        RewriteRule /favicon\.ico$ "/plinth/static/theme/img/favicon.ico" [PT]
+        RewriteRule /favicon\.ico$ "/freedombox/static/theme/img/favicon.ico" [PT]
     </IfModule>
 </Location>
 

data/usr/lib/systemd/system/plinth.service

@@ -17,8 +17,6 @@ RestartSec=5
 ExecReload=/bin/kill -HUP $MAINPID
 User=plinth
 Group=plinth
-StandardOutput=null
-StandardError=null
 NotifyAccess=main
 # Uploaded files in /var/tmp/ are shared with FreedomBox privileged service by
 # joining namespaces.

debian/changelog

@@ -1,3 +1,486 @@
+freedombox (26.9.1) unstable; urgency=medium
+
+  [ 大王叫我来巡山 ]
+  * Translated using Weblate (Chinese (Simplified Han script))
+
+  [ Burak Yavuz ]
+  * Translated using Weblate (Turkish)
+
+  [ Besnik Bleta ]
+  * Translated using Weblate (Albanian)
+
+  [ Jiří Podhorecký ]
+  * Translated using Weblate (Czech)
+
+  [ Pierfrancesco Passerini ]
+  * Translated using Weblate (Italian)
+
+  [ Coucouf ]
+  * Translated using Weblate (French)
+
+  [ Sunil Mohan Adapa ]
+  * matrixsynapse: Allow installing new dependencies
+
+  [ James Valleroy ]
+  * wireguard: Move segno import inside method
+  * wireguard: Get config for both download and qr actions
+  * doc: Fetch latest manual
+
+ -- James Valleroy <jvalleroy@mailbox.org>  Mon, 15 Jun 2026 20:46:29 -0400
+
+freedombox (26.9) unstable; urgency=medium
+
+  [ Sunil Mohan Adapa ]
+  * syncthing: Use systemd-sysusers for creating a system user account
+  * infinoted: Use systemd-sysusers for creating a system user account
+  * bepasty: Don't remove old system user and group
+
+  [ Luca Boccassi ]
+  * Stop deleting system user on remove/purge
+  * Install and use sysusers.d/tmpfiles.d config files
+
+  [ Hosted Weblate user 151773 ]
+  * Translated using Weblate (German)
+
+  [ jay ]
+  * Translated using Weblate (Dutch)
+
+  [ Frederico Gomes ]
+  * wireguard: Auto-generate client keypairs
+  * wireguard: Provide download and QR code for client config
+  * wireguard: Enable connection to a server using IPv6
+
+  [ James Valleroy ]
+  * debian/control: Add !nocheck for python3-segno
+  * locale: Update translation strings
+  * doc: Fetch latest manual
+
+ -- James Valleroy <jvalleroy@mailbox.org>  Mon, 01 Jun 2026 21:17:46 -0400
+
+freedombox (26.8) unstable; urgency=medium
+
+  [ Pierfrancesco Passerini ]
+  * Translated using Weblate (Italian)
+
+  [ Dietmar ]
+  * Translated using Weblate (German)
+
+  [ Sunil Mohan Adapa ]
+  * api: Drop access-info API
+
+  [ James Valleroy ]
+  * doc: Fetch latest manual
+
+ -- James Valleroy <jvalleroy@mailbox.org>  Mon, 11 May 2026 20:32:09 -0400
+
+freedombox (26.7.1) unstable; urgency=medium
+
+  [ Frederico Gomes ]
+  * radicale: Enable lc_username for case-insensitive auth
+
+  [ Sunil Mohan Adapa ]
+  * radicale, bepasty: Fix issue with failed diagnostic test
+  * radicale: Fix issue with parsing new configuration file
+  * radicale: tests: functional: Better checking for well-known URLs
+
+  [ James Valleroy ]
+  * locale: Update translation strings
+  * doc: Fetch latest manual
+
+ -- James Valleroy <jvalleroy@mailbox.org>  Tue, 28 Apr 2026 18:26:38 -0400
+
+freedombox (26.7) unstable; urgency=medium
+
+  [ Burak Yavuz ]
+  * Translated using Weblate (Turkish)
+
+  [ Besnik Bleta ]
+  * Translated using Weblate (Albanian)
+
+  [ 大王叫我来巡山 ]
+  * Translated using Weblate (Chinese (Simplified Han script))
+
+  [ Dietmar ]
+  * Translated using Weblate (German)
+  * Translated using Weblate (Italian)
+
+  [ Jiří Podhorecký ]
+  * Translated using Weblate (Czech)
+
+  [ bittin1ddc447d824349b2 ]
+  * Translated using Weblate (Swedish)
+
+  [ Coucouf ]
+  * Translated using Weblate (French)
+
+  [ Pierfrancesco Passerini ]
+  * Translated using Weblate (Italian)
+
+  [ James Valleroy ]
+  * debian: tests: Add test to access interface status
+  * doc: Fetch latest manual
+
+ -- James Valleroy <jvalleroy@mailbox.org>  Mon, 20 Apr 2026 20:25:51 -0400
+
+freedombox (26.6) unstable; urgency=medium
+
+  [ Coucouf ]
+  * Translated using Weblate (French)
+
+  [ Dietmar ]
+  * Translated using Weblate (Italian)
+  * Translated using Weblate (German)
+
+  [ Pierfrancesco Passerini ]
+  * Translated using Weblate (Italian)
+
+  [ bsurajpatra ]
+  * Translated using Weblate (Hindi)
+
+  [ Sunil Mohan Adapa ]
+  * service: Capture stdout/stderr when running as systemd unit
+  * views: Add a decorator to handle exceptions in JSON views
+  * d/control: Add fido2 library as dependency
+  * users: Add support for registering, editing, and deleting passkeys
+  * users: Add support for logging in with passkeys
+  * users: Add link to guide on passkeys
+
+  [ James Valleroy ]
+  * locale: Update translation strings
+  * doc: Fetch latest manual
+
+ -- James Valleroy <jvalleroy@mailbox.org>  Mon, 06 Apr 2026 20:41:35 -0400
+
+freedombox (26.5.1) unstable; urgency=medium
+
+  [ Burak Yavuz ]
+  * Translated using Weblate (Turkish)
+
+  [ Besnik Bleta ]
+  * Translated using Weblate (Albanian)
+
+  [ Sunil Mohan Adapa ]
+  * debian/control: Fix building with nocheck profile (Closes: #1131956)
+  * debian/copyright: Drop a removed file, correct path for another
+  * web_server: Fix locating SVG icons on production setup (Closes: #1131892)
+
+ -- James Valleroy <jvalleroy@mailbox.org>  Thu, 26 Mar 2026 18:21:43 -0400
+
+freedombox (26.5) unstable; urgency=medium
+
+  [ OwlGale ]
+  * Translated using Weblate (Russian)
+
+  [ Frederico Gomes ]
+  * wireguard: Remove client entry for F-Droid which is not available
+  * wireguard: Update windows client link
+  * wireguard: Add button for direct APK download
+  * wireguard: Add entries for Homebrew and RPM packages
+  * clients: Fix formatting of package row in table
+  * wireguard: Fix freedombox VPN IP for services
+
+  [ Sunil Mohan Adapa ]
+  * clients: Fix show empty clients in Desktop section
+  * apache: Minor improvement to getting the request host
+  * letsencrypt: Don't perform operations on apps that are not installed
+  * tests: functional: Drop undefined 'sso' pytest mark
+  * ui: Simplify SVG app icons for using them inline in HTML
+  * ui: Use inline SVG images for app icons for dark mode adaptation
+  * html: Drop type attribute value of text/javascript
+  * html: Drop trailing slash from void elements
+  * clients: Use SVG icons when showing external links
+  * ui: Use inline SVG icons for system and help section page
+  * ui: Add rest of the icons used from fork-awesome set
+  * ui: Use inline SVG icons for breadcrumbs
+  * ui: Use inline SVG icons for app toolbar
+  * ui: Use inline SVG icons for notification dropdown
+  * ui: Use inline SVG icons for internal zone message
+  * names: Use inline SVG icons for main app page
+  * featherwiki: Use inline SVG icons for app
+  * tiddlywiki: Use inline SVG icons for app
+  * wireguard: Use inline SVG icons
+  * dynamicdns: Use inline SVG icons
+  * help: Use inline SVG icons
+  * ui: Use inline SVG icons for port forwarding info
+  * power: Use inline SVG icons
+  * pagekite: Use inline SVG icons
+  * pagekite: Fix issue with adding custom services
+  * ikiwiki: Use inline SVG icons
+  * samba: Use inline SVG icons
+  * miniflux: Use inline SVG icons
+  * users: Use inline SVG icons
+  * email: Use inline SVG icons
+  * help: Use inline SVG icons
+  * matrixsynapse: Use inline SVG icons
+  * bepasty: Use inline SVG icons
+  * calibre: Use inline SVG icons
+  * kiwix: Use inline SVG icons
+  * security: Use inline SVG icons
+  * sharing: Use inline SVG icons
+  * snapshot: Use inline SVG icons
+  * diagnostics: Use inline SVG icons
+  * storage: Use inline SVG icons
+  * gitweb: Use inline SVG icons
+  * ui: Use inline SVG icons for tag search
+  * ui: Use inline SVG icons for clients launch buttons
+  * networks: Use inline SVG icons
+  * firstboot: Use inline SVG icons
+  * ui: Use inline SVG icons for app's service-not-running message
+  * ui: Use inline SVG icons for app's log page
+  * ui: Use inline SVG icons for operation waiting notification
+  * backups: Use inline SVG icons
+  * ui: Use inline SVG icons for app install page
+  * ui: Use inline SVG icons for all collapse buttons
+  * ui: Use inline SVG icons for all spinners
+  * ui: Use inline SVG icons for all error/warn/info/success messages
+  * ui: Better placement for dropdown indicator in dropdown button
+  * ui: Use inline SVG icons for navigation bar at the top
+  * upgrades: Use inline SVG icons
+  * ui: Use inline SVG icons for theme switcher menu
+  * ui: Drop fonts-fork-awesome as dependency
+  * ui: Rename 'plinth_extras' template tags module to 'extras'
+  * janus: Drop unused reference to font-awesome
+  * doc: Reduce verbosity when building documentation
+  * app: Fix build issue with Django 5.x (Closes: #1131272)
+  * apache: Increase OpenID Connect RP session timeout activity
+  * action_utils: Stop associated service when stopping a socket unit
+  * action_utils: Don't restart web interface when installing an app
+
+  [ Daniel Wiik ]
+  * Translated using Weblate (Swedish)
+
+  [ Joseph Nuthalapati ]
+  * container: Add option to skip install
+  * container: Fix image extension to .raw for systemd v260
+
+  [ James Valleroy ]
+  * apache: Use a Uwsgi native socket systemd unit for each app
+  * locale: Update translation strings
+  * doc: Fetch latest manual
+
+  [ Ettore Atalan ]
+  * Translated using Weblate (German)
+
+ -- James Valleroy <jvalleroy@mailbox.org>  Mon, 23 Mar 2026 20:25:07 -0400
+
+freedombox (26.4.2) unstable; urgency=medium
+
+  [ Jiří Podhorecký ]
+  * Translated using Weblate (Czech)
+
+  [ OwlGale ]
+  * Translated using Weblate (Russian)
+
+ -- James Valleroy <jvalleroy@mailbox.org>  Sun, 08 Mar 2026 15:27:13 -0400
+
+freedombox (26.4.1) unstable; urgency=high
+
+  [ 大王叫我来巡山 ]
+  * Translated using Weblate (Chinese (Simplified Han script))
+
+  [ Besnik Bleta ]
+  * Translated using Weblate (Albanian)
+
+  [ Burak Yavuz ]
+  * Translated using Weblate (Turkish)
+
+  [ Jiří Podhorecký ]
+  * Translated using Weblate (Czech)
+
+  [ James Valleroy ]
+  * container: Hold freedombox packages during test setup
+  * Vagrantfile: Enable public network for bridged networking
+  * doc: Fetch latest manual
+
+  [ Sunil Mohan Adapa ]
+  * d/control: Trim deps for nocheck build profile (Closes: #1129521)
+  * apache2: Disable pubtkt authentication module
+
+ -- James Valleroy <jvalleroy@mailbox.org>  Sun, 08 Mar 2026 15:09:38 -0400
+
+freedombox (26.4) unstable; urgency=medium
+
+  [ Joseph Nuthalapati ]
+  * ui: Dismiss notifications without page reload
+
+  [ Sunil Mohan Adapa ]
+  * ui: Refactor notification delete buttons to avoid repeating code
+  * ui: Add animation for notification dismissal
+  * actions, privileged_daemon: Drop some unused global statements
+  * backups: Avoid some repeated text in form help text
+  * backups: Fix issue with Javascript in add remote location form
+  * backups: Show/hide form elements instead of disabling for simplicity
+  * backups: Tweak appearance of add remote location form
+  * backups: tests: Simplify functional test using more classes
+  * backups: Minor refactoring
+  * backups: Simplify handling of migration to SSH keys
+  * backups: Create .ssh folder before creating SSH key
+  * backups: Fix showing proper error for incorrect passphrase
+  * backups: Create a better comment in the generated SSH key file
+  * backups: Fix type checking errors
+  * action_utils: Implement utility to change umask temporarily
+  * quassel: Explicitly set permissions on the domain configuration file
+  * letsencrypt: When copying certificate reset the umask reliably
+  * doc/dev: Set new theme for developer documentation
+  * action_utils: Fix issue with type checking a generator
+  * tests: functional: Increase systemd rate limits for starting units
+  * js: When page load fails during install, show it to user
+  * tests: functional: Fix reloading error page during install/uninstall
+  * locale/de: Fix several translations with HTML links (German)
+  * locale/bg: Fix several translations with HTML links (Bulgarian)
+  * bin: Add tool to change FreedomBox password in Django database
+  * ejabberd: Fix setting up certificates for multiple domains
+  * gitweb: Fix issue with running post init due to missing method
+  * wireguard: Fix format when showing multiple endpoints of the server
+  * wireguard: Fix showing default route setting in server edit form
+  * wireguard: Show status of default route in server information page
+  * wireguard: Accept/use netmask with IP address for server connection
+  * README/HACKING: Update weblate project path to /freedombox
+  * *: Remove some absolute file paths in SVGs
+  * matrixsynapse: Update apache config to proxy Synapse client API
+  * cfg: Drop unused config_dir option
+  * cfg: Drop unused actions_dir option
+  * Vagrantfile: Drop unnecessary sudo configuration for actions
+  * pyproject: Use new format to specify licenses
+  * action_utils: Drop support for link-local IPv6 addresses
+  * debian: Ensure that gbp creates a clean tarball prior to build
+  * syncthing: tests: Fix tests by allowing rapid restarts
+  * web_server: Log requests to WSGI app
+  * *: Update URL base from /plinth to /freedombox
+  * tests: functional: Fix expecting FreedomBox to be home page
+  * web_framework: Allow FreedomBox apps to override templates
+  * templates: Allow building pages without navigation bar and footer
+  * apache: Preserve host header when proxying to service
+  * oidc: New app to implement OpenID Connect Provider
+  * oidc: Style the page for authorizing an OIDC app
+  * apache: Implement protecting apps using OpenID Connect
+  * featherwiki: Use OpenID Connect instead of pubtkt based SSO
+  * syncthing: Use OpenID Connect instead of pubtkt based SSO
+  * searx: Use OpenID Connect instead of pubtkt based SSO
+  * rssbridge: Use OpenID Connect instead of pubtkt based SSO
+  * email: Use OpenID Connect instead of pubtkt based SSO
+  * calibre: Use OpenID Connect instead of pubtkt based SSO
+  * deluge: Use OpenID Connect instead of pubtkt based SSO
+  * gitweb: Use OpenID Connect instead of pubtkt based SSO
+  * tiddlywiki: Use OpenID Connect instead of pubtkt based SSO
+  * wordpress: Use OpenID Connect instead of pubtkt based SSO when private
+  * transmission: Use OpenID Connect instead of pubtkt based SSO
+  * doc/dev: Use OpenID Connect instead of pubtkt based SSO
+  * sharing: Use OpenID Connect instead of pubtkt based SSO
+  * sso: Merge into users module, drop pubtkt related code
+  * apache: Fix diagnosing URLs protected by OpenID Connect
+
+  [ 大王叫我来巡山 ]
+  * Translated using Weblate (Chinese (Simplified Han script))
+
+  [ Burak Yavuz ]
+  * Translated using Weblate (Turkish)
+
+  [ Coucouf ]
+  * Translated using Weblate (French)
+  * Translated using Weblate (French)
+
+  [ Besnik Bleta ]
+  * Translated using Weblate (Albanian)
+
+  [ Dietmar ]
+  * Translated using Weblate (German)
+
+  [ James Valleroy ]
+  * backups: Generate SSH client key if needed
+  * backups: Display SSH public key when adding remote
+  * backups: Copy SSH client public key to remote
+  * backups: Use SSH key instead of password
+  * backups: Use selected SSH credential for remote
+  * backups: Test adding/removing remote location
+  * backups: Arrange form for adding remote location
+  * backups: Migrate to SSH key auth when mounting
+  * Translated using Weblate (Greek)
+  * mumble: murmurd renamed to mumble-server
+  * Translated using Weblate (Tamil)
+  * locale: Update translation strings
+  * doc: Fetch latest manual
+  * apache: Fix check_url test
+
+  [ Frederico Gomes ]
+  * container: Align terminology in printed banner
+  * wireguard: filter .local addresses from showClient view
+  * wireguard: improved server section UX flow
+  * wireguard: show server vpn ip in show client page
+  * wireguard: Fix split tunneling
+  * miniflux: Revert workaround for a packaging bug with DB connection
+  * db: Create a utility to get credentials from dbconfig
+  * miniflux: Get credentials from dbconfig-common directly
+
+  [ Pierfrancesco Passerini ]
+  * Translated using Weblate (Italian)
+
+  [ Daniel Wiik ]
+  * Translated using Weblate (Swedish)
+  * Translated using Weblate (Swedish)
+
+  [ kosagi ]
+  * Translated using Weblate (Catalan)
+
+  [ Jiří Podhorecký ]
+  * Translated using Weblate (Czech)
+
+  [ Isak ]
+  * Translated using Weblate (Swedish)
+
+  [ Βασίλης Χατζηκαμάρης ]
+  * Translated using Weblate (Greek)
+
+  [ Benedek Nagy ]
+  * doc/dev: always have an up-to-date copyright year
+
+  [ தமிழ்நேரம் ]
+  * Translated using Weblate (Tamil)
+
+ -- James Valleroy <jvalleroy@mailbox.org>  Mon, 02 Mar 2026 21:35:46 -0500
+
+freedombox (26.3) unstable; urgency=medium
+
+  [ Frederico Gomes ]
+  * wireguard: Add 'Start Server' button
+  * docs: Update container script usage
+  * wireguard: Show next available client IP in Add Client form
+  * wireguard: Show server endpoint on main app page
+
+  [ James Valleroy ]
+  * wireguard: Update functional tests to handle Start Server button
+  * lintian: Remove mismatched overrides
+  * Makefile: Fix removing extra license file
+  * debian: Follows policy 4.7.3
+  * debian: Remove default Rules-Requires-Root
+  * debian: Remove preinst script
+  * debian: Update copyright years
+  * locale: Update translation strings
+  * doc: Fetch latest manual
+
+  [ Ettore Atalan ]
+  * Translated using Weblate (German)
+
+  [ Sunil Mohan Adapa ]
+  * debian: Ignore lintian warning: service file missing Install section
+  * wireguard: Remove NM connections when app is uninstalled
+  * ui: Use HTMX to update notifications on partial page updates
+
+  [ Joseph Nuthalapati ]
+  * ui: Add HTMX as a dependency
+  * ui: Use HTMX to eliminate full page reloads
+
+  [ Burak Yavuz ]
+  * Translated using Weblate (Turkish)
+
+  [ Pierfrancesco Passerini ]
+  * Translated using Weblate (Italian)
+
+  [ 大王叫我来巡山 ]
+  * Translated using Weblate (Chinese (Simplified Han script))
+
+ -- James Valleroy <jvalleroy@mailbox.org>  Mon, 02 Feb 2026 20:41:30 -0500
+
 freedombox (26.2) unstable; urgency=medium
 
   [ Pierfrancesco Passerini ]

debian/control

@@ -1,6 +1,5 @@
 Source: freedombox
 Section: web
-Priority: optional
 Maintainer: FreedomBox packaging team <freedombox-pkg-team@lists.alioth.debian.org>
 Uploaders:
  Tzafrir Cohen <tzafrir@debian.org>,
@@ -12,55 +11,59 @@ Uploaders:
  James Valleroy <jvalleroy@mailbox.org>,
 Build-Depends:
  debhelper-compat (= 13),
+ dh-sequence-installsysusers,
  dblatex,
  dh-python,
  docbook-xsl,
- e2fsprogs,
+ e2fsprogs <!nocheck>,
  gir1.2-nm-1.0,
- libjs-bootstrap5,
+ libjs-bootstrap5 <!nocheck>,
+ libjs-htmx <!nocheck>,
 # Older libjs-bootstrap5 does not have proper dependency on popper.js >= 2.0
- node-popper2,
+ node-popper2 <!nocheck>,
  pybuild-plugin-pyproject,
  python3-all:any,
- python3-apt,
+ python3-apt <!nocheck>,
  python3-augeas,
- python3-bootstrapform,
+ python3-bootstrapform <!nocheck>,
  python3-build,
  python3-cherrypy3,
- python3-configobj,
+ python3-configobj <!nocheck>,
- python3-cryptography,
+ python3-cryptography <!nocheck>,
  python3-dbus,
  python3-django,
- python3-django-axes,
+ python3-django-axes <!nocheck>,
- python3-django-captcha,
+ python3-django-captcha <!nocheck>,
 # Explictly depend on ipware as it is optional dependecy of django-axes
- python3-django-ipware,
+ python3-django-ipware <!nocheck>,
- python3-django-stronghold,
+ python3-django-oauth-toolkit <!nocheck>,
+ python3-django-stronghold <!nocheck>,
+ python3-fido2 <!nocheck>,
  python3-gi,
  python3-markupsafe,
- python3-mypy,
+ python3-mypy <!nocheck>,
- python3-pampy,
+ python3-pampy <!nocheck>,
  python3-pexpect,
  python3-pip,
  python3-psutil,
- python3-pytest,
+ python3-pytest <!nocheck>,
- python3-pytest-cov,
+ python3-pytest-cov <!nocheck>,
- python3-pytest-django,
+ python3-pytest-django <!nocheck>,
- python3-pytest-runner,
+ python3-pytest-runner <!nocheck>,
  python3-requests,
  python3-ruamel.yaml,
+ python3-segno <!nocheck>,
  python3-setuptools,
  python3-systemd,
- python3-typeshed,
+ python3-typeshed <!nocheck>,
  python3-yaml,
- sshpass,
+ sshpass <!nocheck>,
  xmlto,
  xsltproc
-Standards-Version: 4.6.2
+Standards-Version: 4.7.3
 Homepage: https://salsa.debian.org/freedombox-team/freedombox
 Vcs-Git: https://salsa.debian.org/freedombox-team/freedombox.git
 Vcs-Browser: https://salsa.debian.org/freedombox-team/freedombox
-Rules-Requires-Root: no
 
 Package: freedombox
 Breaks:
@@ -73,12 +76,10 @@ Depends:
  ${python3:Depends},
  ${misc:Depends},
  ${freedombox:Depends},
- adduser,
  augeas-tools,
  bind9-dnsutils,
  curl,
  debconf,
- fonts-fork-awesome,
 # sgdisk is used in storage app to expand GPT disks
  gdisk,
  gettext,
@@ -89,6 +90,7 @@ Depends:
 # For gdbus used to call hooks into service
  libglib2.0-bin,
  libjs-bootstrap5,
+ libjs-htmx,
  lsof,
  netcat-openbsd,
  network-manager,
@@ -108,7 +110,9 @@ Depends:
  python3-django-captcha,
 # Explictly depend on ipware as it is optional dependecy of django-axes
  python3-django-ipware,
+ python3-django-oauth-toolkit,
  python3-django-stronghold,
+ python3-fido2,
  python3-gi,
  python3-markupsafe,
  python3-pampy,

debian/copyright

@@ -2,7 +2,7 @@ Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
 Source: https://salsa.debian.org/freedombox-team/freedombox
 
 Files: *
-Copyright: 2011-2025 FreedomBox Authors
+Copyright: 2011-2026 FreedomBox Authors
 License: AGPL-3+
 
 Files: plinth/modules/jsxc/static/icons/jsxc.png
@@ -32,8 +32,7 @@ Copyright: 2012 FreedomBox Foundation
 Comment: Original Author: Robert Martinez
 License: GPL-3+
 
-Files: static/themes/default/icons/app-store.png
+Files: static/themes/default/icons/app-store.svg
-       static/themes/default/icons/app-store.svg
 Copyright: Marie Van den Broeck (https://thenounproject.com/marie49/)
 Comment: https://thenounproject.com/icon/162372/
 License: CC-BY-SA-3.0
@@ -79,6 +78,7 @@ Files: plinth/modules/ejabberd/static/icons/ejabberd.png
        plinth/modules/rssbridge/static/icons/rssbridge.svg
        plinth/modules/zoph/static/icons/zoph.png
        plinth/modules/zoph/static/icons/zoph.svg
+       static/themes/default/img/application.svg
        static/themes/default/img/network-connection.svg
        static/themes/default/img/network-connection-vertical.svg
        static/themes/default/img/network-ethernet.svg
@@ -100,14 +100,6 @@ Copyright: 2020 Adwaita Icon Theme Authors, GNOME Project
 Comment: https://github.com/GNOME/adwaita-icon-theme/ http://www.gnome.org
 License: LGPL-3 or CC-BY-SA-3.0-US
 
-Files: static/themes/default/icons/f-droid.png
-       static/themes/default/icons/f-droid.svg
-Copyright: 2012 William Theaker
-           2013 Robert Martinez
-           2015 Andrew Nayenko
-Comment: https://gitlab.com/fdroid/artwork/blob/master/fdroid-logo-2015/fdroid-logo.svg
-License: CC-BY-SA-3.0 or GPL-3+
-
 Files: plinth/modules/featherwiki/static/icons/featherwiki.png
        plinth/modules/featherwiki/static/icons/featherwiki.svg
 Copyright: 2022 Robbie Antenesse <dev@alamantus.com>
@@ -120,15 +112,6 @@ Copyright: 2010 Git Authors
 Comment: https://github.com/git/git/blob/master/gitweb/static/git-logo.png
 License: GPL-2
 
-Files: static/themes/default/icons/google-play.png
-Copyright: Chameleon Design (https://thenounproject.com/Chamedesign/)
-Comment: https://thenounproject.com/icon/887917/
-License: CC-BY-3.0-US
-
-Files: static/themes/default/icons/gnu-linux.png
-Copyright: 2017 Cowemoji
-License: CC0-1.0
-
 Files: plinth/modules/homeassistant/static/icons/homeassistant.png
        plinth/modules/homeassistant/static/icons/homeassistant.svg
 Copyright: Home Assistant Core Developers
@@ -160,12 +143,6 @@ Copyright: 2020 The other Kiwix guy
 Comment: https://commons.wikimedia.org/wiki/File:Kiwix_logo_v3.svg
 License: CC-BY-SA-4.0
 
-Files: static/themes/default/icons/macos.png
-       static/themes/default/icons/macos.svg
-Copyright: Vectors Market (https://thenounproject.com/vectorsmarket/)
-Comment: https://thenounproject.com/icon/1203053/
-License: CC-BY-SA-3.0
-
 Files: plinth/modules/matrixsynapse/static/icons/matrixsynapse.png
 Copyright: 2017 Kishan Raval
 Comment: https://github.com/thekishanraval/Logos
@@ -339,12 +316,6 @@ Copyright: 2011-2021 WordPress Contributors
 Comment: https://github.com/WordPress/wordpress-develop/blob/master/src/wp-admin/images/wordpress-logo.svg
 License: GPL-2+
 
-Files: static/themes/default/icons/windows.png
-       static/themes/default/icons/windows.svg
-Copyright: 2007 ruli (https://thenounproject.com/2007ruli/)
-Comment: https://thenounproject.com/icon/1206946/
-License: CC-BY-SA-3.0
-
 Files: plinth/modules/wireguard/static/icons/wireguard.png
        plinth/modules/wireguard/static/icons/wireguard.svg
 Copyright: 2019 WireGuard LLC
@@ -356,9 +327,88 @@ Copyright: 2008 GNOME icon artists
 Comment: https://commons.wikimedia.org/wiki/File:Gnome-computer.svg
 License: LGPL-3+ or CC-BY-SA-3.0
 
+Files: static/themes/default/icons/adjust.svg
+       static/themes/default/icons/android.svg
+       static/themes/default/icons/arrow-right.svg
+       static/themes/default/icons/ban.svg
+       static/themes/default/icons/bar-chart.svg
+       static/themes/default/icons/bars.svg
+       static/themes/default/icons/bell-o.svg
+       static/themes/default/icons/book.svg
+       static/themes/default/icons/check-circle.svg
+       static/themes/default/icons/check.svg
+       static/themes/default/icons/chevron-right.svg
+       static/themes/default/icons/clock-o.svg
+       static/themes/default/icons/cog.svg
+       static/themes/default/icons/comments.svg
+       static/themes/default/icons/compass.svg
+       static/themes/default/icons/debian.svg
+       static/themes/default/icons/download.svg
+       static/themes/default/icons/eject.svg
+       static/themes/default/icons/exclamation-triangle.svg
+       static/themes/default/icons/external-link.svg
+       static/themes/default/icons/eye-slash.svg
+       static/themes/default/icons/eye.svg
+       static/themes/default/icons/f-droid.svg
+       static/themes/default/icons/files-o.svg
+       static/themes/default/icons/film.svg
+       static/themes/default/icons/flag.svg
+       static/themes/default/icons/freedombox.svg
+       static/themes/default/icons/frown-o.svg
+       static/themes/default/icons/globe-w.svg
+       static/themes/default/icons/gnu-linux.svg
+       static/themes/default/icons/google-play.svg
+       static/themes/default/icons/hdd-o.svg
+       static/themes/default/icons/heartbeat.svg
+       static/themes/default/icons/heart.svg
+       static/themes/default/icons/home.svg
+       static/themes/default/icons/hourglass-o.svg
+       static/themes/default/icons/info-circle.svg
+       static/themes/default/icons/key.svg
+       static/themes/default/icons/life-ring.svg
+       static/themes/default/icons/line-chart.svg
+       static/themes/default/icons/lock.svg
+       static/themes/default/icons/macos.svg
+       static/themes/default/icons/moon.svg
+       static/themes/default/icons/pencil-square-o.svg
+       static/themes/default/icons/plus.svg
+       static/themes/default/icons/power-off.svg
+       static/themes/default/icons/question-circle.svg
+       static/themes/default/icons/refresh.svg
+       static/themes/default/icons/repeat.svg
+       static/themes/default/icons/rocket.svg
+       static/themes/default/icons/shield.svg
+       static/themes/default/icons/signal.svg
+       static/themes/default/icons/smile-o.svg
+       static/themes/default/icons/spinner.svg
+       static/themes/default/icons/star.svg
+       static/themes/default/icons/sun.svg
+       static/themes/default/icons/tags.svg
+       static/themes/default/icons/tag.svg
+       static/themes/default/icons/terminal.svg
+       static/themes/default/icons/th.svg
+       static/themes/default/icons/times.svg
+       static/themes/default/icons/trash-o.svg
+       static/themes/default/icons/trash.svg
+       static/themes/default/icons/upload.svg
+       static/themes/default/icons/user.svg
+       static/themes/default/icons/users.svg
+       static/themes/default/icons/wifi.svg
+       static/themes/default/icons/windows.svg
+       static/themes/default/icons/wrench.svg
+Copyright: 2018, Fork Awesome
+Comment: https://github.com/ForkAwesome/Fork-Awesome/tree/master/src/icons/svg/
+License: OFL-1.1
+
+Files: static/themes/default/icons/fedora.svg
+       static/themes/default/icons/homebrew.svg
+Copyright: 2026, Simple Icons
+Comment: https://github.com/simple-icons/simple-icons/
+License: CC0-1.0
+
 Files: debian/*
 Copyright: 2013 Tzafrir Cohen
-           2013-2024 FreedomBox Authors
+           2013-2026 FreedomBox Authors
 License: GPL-2+
 
 License: AGPL-3+
@@ -2847,3 +2897,94 @@ License: Zlib
  .
  3. This notice may not be removed or altered from any source
  distribution.
+
+License: OFL-1.1
+ This Font Software is licensed under the SIL Open Font License,
+ Version 1.1.
+ .
+ This license is copied below, and is also available with a FAQ at:
+ http://scripts.sil.org/OFL
+ .
+ SIL OPEN FONT LICENSE Version 1.1 - 26 February 2007
+ .
+ PREAMBLE The goals of the Open Font License (OFL) are to stimulate
+ worldwide development of collaborative font projects, to support the font
+ creation efforts of academic and linguistic communities, and to provide
+ a free and open framework in which fonts may be shared and improved in
+ partnership with others.
+ .
+ The OFL allows the licensed fonts to be used, studied, modified and
+ redistributed freely as long as they are not sold by themselves.
+ The fonts, including any derivative works, can be bundled, embedded,
+ redistributed and/or sold with any software provided that any reserved
+ names are not used by derivative works.  The fonts and derivatives,
+ however, cannot be released under any other type of license.  The
+ requirement for fonts to remain under this license does not apply to
+ any document created using the fonts or their derivatives.
+ .
+ DEFINITIONS
+ "Font Software" refers to the set of files released by the Copyright
+ Holder(s) under this license and clearly marked as such.
+ This may include source files, build scripts and documentation.
+ .
+ "Reserved Font Name" refers to any names specified as such after the
+ copyright statement(s).
+ .
+ "Original Version" refers to the collection of Font Software components
+ as distributed by the Copyright Holder(s).
+ .
+ "Modified Version" refers to any derivative made by adding to, deleting,
+ or substituting ? in part or in whole ?
+ any of the components of the Original Version, by changing formats or
+ by porting the Font Software to a new environment.
+ .
+ "Author" refers to any designer, engineer, programmer, technical writer
+ or other person who contributed to the Font Software.
+ .
+ PERMISSION & CONDITIONS
+ .
+ Permission is hereby granted, free of charge, to any person obtaining a
+ copy of the Font Software, to use, study, copy, merge, embed, modify,
+ redistribute, and sell modified and unmodified copies of the Font
+ Software, subject to the following conditions:
+ .
+ 1) Neither the Font Software nor any of its individual components, in
+    Original or Modified Versions, may be sold by itself.
+ .
+ 2) Original or Modified Versions of the Font Software may be bundled,
+    redistributed and/or sold with any software, provided that each copy
+    contains the above copyright notice and this license. These can be
+    included either as stand-alone text files, human-readable headers or
+    in the appropriate machine-readable metadata fields within text or
+    binary files as long as those fields can be easily viewed by the user.
+ .
+ 3) No Modified Version of the Font Software may use the Reserved Font
+    Name(s) unless explicit written permission is granted by the
+    corresponding Copyright Holder. This restriction only applies to the
+    primary font name as presented to the users.
+ .
+ 4) The name(s) of the Copyright Holder(s) or the Author(s) of the Font
+    Software shall not be used to promote, endorse or advertise any
+    Modified Version, except to acknowledge the contribution(s) of the
+    Copyright Holder(s) and the Author(s) or with their explicit written
+    permission.
+ .
+ 5) The Font Software, modified or unmodified, in part or in whole, must
+    be distributed entirely under this license, and must not be distributed
+    under any other license. The requirement for fonts to remain under
+    this license does not apply to any document created using the Font
+    Software.
+ .
+ TERMINATION
+ This license becomes null and void if any of the above conditions are not met.
+ .
+ DISCLAIMER
+ THE FONT SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+ EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTIES OF
+ MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT
+ OF COPYRIGHT, PATENT, TRADEMARK, OR OTHER RIGHT.  IN NO EVENT SHALL THE
+ COPYRIGHT HOLDER BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,
+ INCLUDING ANY GENERAL, SPECIAL, INDIRECT, INCIDENTAL, OR CONSEQUENTIAL
+ DAMAGES, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+ FROM, OUT OF THE USE OR INABILITY TO USE THE FONT SOFTWARE OR FROM OTHER
+ DEALINGS IN THE FONT SOFTWARE.

debian/freedombox.lintian-overrides

@@ -24,3 +24,7 @@ freedombox: package-contains-documentation-outside-usr-share-doc [usr/lib/python
 # meant for user. However, don't install to /usr/libexec and follow systemd
 # convention instead.
 freedombox: executable-in-usr-lib [usr/lib/freedombox/freedombox-privileged]
+
+# [Install] section is missing for the privileged daemon service because it is
+# socket activated.
+freedombox: systemd-service-file-missing-install-key [usr/lib/systemd/system/freedombox-privileged.service]

debian/freedombox.postinst

@@ -13,21 +13,9 @@ sed -i 's+-:ALL EXCEPT root fbx (admin) (sudo):ALL+-:ALL EXCEPT root fbx plinth
 
 case "$1" in
     configure)
-        if ! getent group plinth >/dev/null; then
-            addgroup --system --quiet plinth
-        fi
-
-        if ! getent passwd plinth >/dev/null; then
-            adduser --system --quiet --ingroup plinth --no-create-home --home /var/lib/plinth plinth
-        fi
-
-        chown plinth: /var/lib/plinth
-        chown plinth: /var/lib/plinth/sessions
-
         if [ ! -e '/var/lib/freedombox/is-freedombox-disk-image' ]; then
             umask 377
             base64 < /dev/urandom | head -c 16 | sed -e 's+$+\n+' > /var/lib/plinth/firstboot-wizard-secret
-            chown plinth:plinth /var/lib/plinth/firstboot-wizard-secret
             db_subst plinth/firstboot_wizard_secret secret $(cat /var/lib/plinth/firstboot-wizard-secret)
             db_input high plinth/firstboot_wizard_secret || true
             db_go

debian/freedombox.postrm

@@ -4,7 +4,6 @@ set -e
 
 case "$1" in
 purge)
-    deluser --system --quiet plinth || true
     rm -rf /var/lib/plinth
 
     # Remove legacy directory too

debian/freedombox.preinst

@@ -1,43 +0,0 @@
-#!/bin/sh
-
-set -e
-
-case "$1" in
-    upgrade)
-        # Handle removing freedombox-setup-repositories.timer from 20.5.
-        if dpkg --compare-versions "$2" le 20.7; then
-            if [ -x "/usr/bin/deb-systemd-invoke" ]; then
-               deb-systemd-invoke stop freedombox-setup-repositories.timer >/dev/null 2>/dev/null || true
-            fi
-
-            if [ -x "/usr/bin/deb-systemd-helper" ]; then
-                deb-systemd-helper purge freedombox-setup-repositories.timer >/dev/null || true
-                deb-systemd-helper unmask freedombox-setup-repositories.timer >/dev/null || true
-            fi
-
-            if [ -d /run/systemd/system ]; then
-                systemctl daemon-reload
-            fi
-        fi
-
-        # Handle removing freedombox-udiskie.service from 20.9.
-        if dpkg --compare-versions "$2" le 20.9; then
-            if [ -x "/usr/bin/deb-systemd-invoke" ]; then
-                deb-systemd-invoke stop freedombox-udiskie.service >/dev/null 2>/dev/null || true
-            fi
-
-            if [ -x "/usr/bin/deb-systemd-helper" ]; then
-                deb-systemd-helper purge freedombox-udiskie.service >/dev/null || true
-                deb-systemd-helper unmask freedombox-udiskie.service >/dev/null || true
-            fi
-
-            if [ -d /run/systemd/system ]; then
-                systemctl daemon-reload
-            fi
-        fi
-        ;;
-esac
-
-#DEBHELPER#
-
-exit 0

debian/freedombox.sysusers

@@ -0,0 +1 @@
+u! plinth - "FreedomBox service" /var/lib/plinth

debian/freedombox.tmpfiles

@@ -0,0 +1,3 @@
+d /var/lib/plinth 0755 plinth plinth
+d /var/lib/plinth/sessions 0755 plinth plinth
+Z /var/lib/plinth/firstboot-wizard-secret 0400 plinth plinth

debian/gbp.conf

@@ -1,6 +1,9 @@
 [DEFAULT]
 debian-branch = main
 
+[buildpackage]
+export-dir = ../build-area/
+
 [dch]
 git-log = --no-merges
 multimaint-merge = True

debian/source/lintian-overrides

@@ -5,7 +5,4 @@
 very-long-line-length-in-source-file * [doc/manual/*.raw.wiki:*]
 
 # Misc. files which can't be fixed to have short line lengths.
-very-long-line-length-in-source-file * [plinth/modules/deluge/tests/data/sample.torrent:*]
-very-long-line-length-in-source-file * [plinth/modules/transmission/tests/data/sample.torrent:*]
-very-long-line-length-in-source-file * [doc/visual_design/FreedomBox-Logo.7z:*]
 very-long-line-length-in-source-file * [COPYING.md:*]

debian/tests/access-web-interface

@@ -0,0 +1,16 @@
+#!/bin/sh
+
+set -e
+
+# Wait for FreedomBox setup to complete.
+sleep 30
+
+journalctl --unit=plinth --unit=freedombox-privileged
+
+# Get FreedomBox status
+curl --location --cookie "" --fail --write-out "%{response_code}" --insecure \
+     --stderr - https://localhost/freedombox/status/
+
+# Access FreedomBox interface
+curl --location --cookie "" --fail --write-out "%{response_code}" --insecure \
+     --stderr - https://localhost/freedombox/

debian/tests/control

@@ -16,3 +16,13 @@ Restrictions: needs-root, breaks-testbed
 Test-Command: PYTHONPATH='/usr/lib/python3/dist-packages/' py.test-3 -p no:cacheprovider --cov=plinth --cov-report=html:debci/htmlcov --cov-report=term
 Depends: e2fsprogs, git, python3-pytest, python3-pytest-cov, python3-pytest-django, @
 Restrictions: breaks-testbed
+
+#
+# Try to access the FreedomBox web interface.
+#
+# iptables package installs alternatives files, with iptables-nft as default alternative.
+# Without it, firewalld has this error: INVALID_IPV: 'ipv4' is not a valid backend or is unavailable
+#
+Tests: access-web-interface
+Depends: iptables, @
+Restrictions: needs-root, isolation-machine, breaks-testbed

doc/Makefile

@@ -109,20 +109,25 @@ manual-pages-xml:=$(patsubst %.raw.wiki, %.xml, $(manual-pages-raw-wiki))
 manual-pages: $(manual-pages-part-html)
 
 $(manual-pdfs): %.pdf: %.xml
-	xmlto $(XMLTO_DEBUG_FLAGS) --with-dblatex pdf -o $(dir $@) $<
+	@echo "[PDF]       $<"
+	@xmlto $(XMLTO_DEBUG_FLAGS) --with-dblatex pdf -o $(dir $@) $< 2> /dev/null
 
 $(manual-pages-part-html): %.part.html: %.xml
-	xsltproc /usr/share/xml/docbook/stylesheet/docbook-xsl/xhtml5/docbook.xsl $< | \
+	@echo "[XSLT]      $<"
+	@xsltproc /usr/share/xml/docbook/stylesheet/docbook-xsl/xhtml5/docbook.xsl $< 2> /dev/null | \
 	perl -pe 'BEGIN {undef $$/} s/.*<body[^>]*>(.*)<\/body\s*>.*/$$1/si' > $@
-	@rm -f $(dir $@)docbook.css
+	@rm -f docbook.css
 
 $(manual-xmls) $(manual-pages-xml): %.xml: %.raw.wiki $(SCRIPTS_DIR)/wikiparser.py
-	$(SCRIPTS_DIR)/wikiparser.py $< | xmllint --format - > $@
+	@echo "[WIKIPARSE] $<"
+	@$(SCRIPTS_DIR)/wikiparser.py $< | xmllint --format - > $@
 
 %.1: %.xml
-	xmlto man $<
+	@echo "[MAN]       $<"
+	@xmlto man $< 2> /dev/null
 
 .PHONY: clean
 clean:
-	rm -f $(manual-pages-part-html) $(manual-pages-xml) $(manual-xmls)
+	@echo "[RM]        {part-htmls} {xmls} {manuals} {outputs}"
-	rm -f $(OUTPUTS)
+	@rm -f $(manual-pages-part-html) $(manual-pages-xml) $(manual-xmls)
+	@rm -f $(OUTPUTS)

doc/dev/README.rst

@@ -19,6 +19,7 @@ Install the following Debian packages:
 
 * python3-sphinx
 * python3-sphinx-autobuild
+* python3-sphinx-book-theme
 * python3-django
 * python3-django-axes
 * python3-django-captcha

doc/dev/_templates/layout.html

@@ -1,15 +0,0 @@
-{%- extends "alabaster/layout.html" %}
-
-{%- block footer %}
-  <div class="footer">
-    {% if show_copyright %}&copy;{{ copyright }} | {% endif %}
-    Licensed under the <a href="https://creativecommons.org/licenses/by-sa/4.0/">
-    CC BY-SA 4.0</a> license
-    {%- if show_source and has_source and sourcename %}
-      {% if show_copyright or theme_show_powered_by %}|{% endif %}
-      <a href="{{ pathto('_sources/' + sourcename, true)|e }}"
-         rel="nofollow">{{ _('Page source') }}</a>
-    {%- endif %}
-  </div>
-
-{% endblock %}

doc/dev/conf.py

@@ -15,6 +15,7 @@ list see the documentation: http://www.sphinx-doc.org/en/master/config
 #
 import os
 import sys
+from datetime import datetime
 
 import django
 
@@ -26,7 +27,7 @@ django.setup()
 
 # pylint: disable=invalid-name
 project = 'FreedomBox'
-copyright = '2021-2025, FreedomBox Authors'
+copyright = f'2021-{datetime.now().year}'
 author = 'FreedomBox Authors'
 
 # The short X.Y version
@@ -82,15 +83,23 @@ pygments_style = None
 # The theme to use for HTML and HTML Help pages.  See the documentation for
 # a list of builtin themes.
 #
-html_theme = 'alabaster'
+html_theme = 'sphinx_book_theme'
 
 # Theme options are theme-specific and customize the look and feel of a theme
 # further.  For a list of options available for each theme, see the
 # documentation.
 #
 html_theme_options = {
-    'fixed_sidebar': True,
+    'home_page_in_toc': True,
-    'show_related': True,
+    'repository_provider': 'gitlab',
+    'repository_url': 'https://salsa.debian.org/freedombox-team/freedombox/',
+    'use_edit_page_button': True,
+    'use_source_button': True,
+    'use_repository_button': True,
+    'use_issues_button': True,
+    'path_to_docs': 'doc/dev/',
+    'extra_footer': 'Licensed under the <a href="https://creativecommons.org/'
+                    'licenses/by-sa/4.0/">CC BY-SA 4.0</a> license.',
 }
 
 # Add any paths that contain custom static files (such as style sheets) here,
@@ -221,3 +230,4 @@ autodoc_mock_imports = [
 ]
 
 html_favicon = './_static/favicon.ico'
+html_logo = './_static/logo.svg'

doc/dev/reference/components/webserver.rst

@@ -8,6 +8,3 @@ Webserver
 
 .. autoclass:: plinth.modules.apache.components.WebserverRoot
    :members:
-
-.. autoclass:: plinth.modules.apache.components.Uwsgi
-   :members:

doc/dev/tutorial/components.rst

@@ -291,10 +291,8 @@ file ``transmission-plinth.conf``, add the following.
 
   <Location /transmission>
       ...
-      Include          includes/freedombox-single-sign-on.conf
+      Use AuthOpenIDConnect
-      <IfModule mod_auth_pubtkt.c>
+      Use RequireGroup bit-torrent
-          TKTAuthToken "admin" "bit-torrent"
-      </IfModule>
   </Location>
 
 Showing a shortcut in the front page

doc/manual/en/Hardware.raw.wiki

@@ -12,7 +12,17 @@ In addition to supporting various single board computers and other devices, any
 
 == Recommended Hardware ==
 
-On April 22nd, 2019, the !FreedomBox Foundation announced the [[https://freedomboxfoundation.org/buy/|sales]] of the Pioneer Edition !FreedomBox Home Server Kits. This is the recommended pre-installed hardware for all users who don't wish to build their own !FreedomBox by choosing the right components, downloading the image and preparing an SD card with !FreedomBox.
+=== Libre Crafts FreedomBox ===
+
+Libre Crafts in an endeavor from the !FreedomBox developers themselves to bring you a powerful !FreedomBox device capable of hosting even the most demanding home server needs. The device is crafted, tested, and delivered to you by !FreedomBox developers. Your purchase helps !FreedomBox development.
+
+This hardware features a powerful CPU, plenty of main memory, a fast OS disk, ability to add two high capacity hard disk drives, dual multi-gigabit Ethernet ports, all with a low power consumption. Use it to host all your photos, to backup all home devices, as a NAS, as home automation hub, as a desktop computer, and more all at once. 
+
+||<style="text-align: center;"> [[FreedomBox/Hardware/LibreCrafts|{{attachment:libre-crafts.png|Libre Crafts FreedomBox|height=300}}]]<<BR>> [[FreedomBox/Hardware/LibreCrafts|Libre Crafts FreedomBox]] ||
+
+=== Olimex's FreedomBox Pioneer Edition ===
+
+On April 22nd, 2019, the !FreedomBox Foundation announced the [[https://freedomboxfoundation.org/buy/|sales]] of the Pioneer Edition !FreedomBox Home Server Kits. This pre-installed hardware is for all users who don't wish to build their own !FreedomBox by choosing the right components, downloading the image and preparing an SD card with !FreedomBox.
 
 The kit includes all the hardware needed for launching a !FreedomBox home server on an Olimex A20-OLinuXino-LIME2 board. This product provides the perfect combination of open source hardware and free and open source software. By purchasing this product, you also support the !FreedomBox Foundation's efforts to create and promote its free and open source server software.
 

doc/manual/en/OrangePiZero.raw.wiki

@@ -12,7 +12,7 @@
 
 === Availability ===
 
- * [[https://www.aliexpress.com/store/group/Allwinner-H2/1553371_516093180.html|AliExpress]]
+ * [[https://www.aliexpress.com/item/3256803323773726.html|AliExpress]]
 
 === Hardware ===
 

doc/manual/en/Passkeys.raw.wiki

@@ -0,0 +1,117 @@
+#language en
+
+##TAG:TRANSLATION-HEADER-START
+~- [[FreedomBox/Guide/Passkeys|English]] - [[es/FreedomBox/Guide/Passkeys|Español]] - [[DebianWiki/EditorGuide#translation|(+)]] -~
+##TAG:TRANSLATION-HEADER-END
+
+<<TableOfContents>>
+
+## BEGIN_INCLUDE
+
+== Use Passkeys to Improve Login Security ==
+
+{{{#!wiki tip
+Passkeys are strongly recommended over passwords.
+}}}
+
+'''Available since''': !FreedomBox 26.6
+
+!FreedomBox allows users to login to their account with passkeys. Passkeys are way to verify user's identity using digital signatures. They are a more secure alternative to passwords. Secret information is kept with the user on their phone, laptop, or a hardware token and unlocked using a PIN, fingerprint, or face ID. No secrets are stored on the server. The server knows only the public information that can be used to verify user's signatures.
+
+=== How do passkeys work? ===
+
+After the user logs into their account, one or more passkeys can be added to the account from the 'Manage Passkeys' page. At the time of adding passkeys, the passkey hardware (or authenticator), will generate a public and private key pair that is tied to the domain and user account. The private key is kept in the hardware and public key is provided to the server. The server stores the public key along with user account. Later when a user is trying to log in to their account, the server sends a long randomly generated string to the authenticator called the challenge. The hardware digitally signs the challenge using the private key and sends it to the server. The server is able to verify that the signature is made by the holder of private key by just using the public key that it has (this is a feature of public/private key pairs). Once verified, the server logs into the user account associated with that public key.
+
+During this process, the browser acts as a trusted intermediary between the passkey hardware and the server. It ensures that the user is verified by providing PIN, fingerprint, face ID, etc. It also ensures that a passkey is only used with the domain it is meant for.
+
+=== Better security ===
+
+Passkeys provide better security than passwords:
+
+ * '''Multi-factor authentication''': During registration of a passkey and during login, !FreedomBox requests that the browser verify the user. This means the user will need to unlock the authenticator device by providing a PIN, fingerprint, face ID, etc. This acts as one of the authentication factors: "something you know" or "something your are". Another authentication factor is "something that you have": the hardware that stores your passkey (such as Solokey, Nitrokey, or Yubikey) or a phone. Together, this is similar to using a password along with a second factor authentication. So, passkeys can replace two-factor authentication while being much more convenient and easier to use.
+
+ * '''No reuse''': Passkeys are never reused. For each domain a separate passkey is generated and used. Browsers ensure that passkey for a domain is never used with another domain. Unlike reused passwords, when a website or a service is compromised, adversaries can't use that to gain access to your account in different website or service. This also prevents phishing attacks were adversarial websites pretend to be legitimate ones.
+
+ * '''No secrets on the server''': The website allowing use of passkeys for login does not store any secret information. It only stores the public key part of the passkey. If this information is obtained by an adversary, they will not be able to login to the website. Only the private key stored on the authenticator device can be used to login to the website (since only a private key can create signatures needed for login process).
+
+ * '''No guessing''': The secret part of a passkey is much more impractical to guess compared to a password. There is no risk that someone will be able to guess your password and access your account. There is no risk that you might accidentally set a predictable password.
+
+ * '''Convenience''': Users don't need to remember username, email, or a secret to login to a website. They don't need to receive OTP via text or email, use TOTP app, or confirm login using a mobile app. After clicking on the 'Login with passkey' button, they unlock their authenticator using a PIN, fingerprint, or face ID. Then they physically tap on the authenticator (if necessary). The user is then logged in. There are fewer things to remember. Even the PIN for a hardware authenticator is typically easier to remember than a password. This convenience encourages users to use this mechanism, ultimately leading to better security.
+
+=== Hardware Needed for Passkeys ===
+
+{{{#!wiki tip
+'''[[https://solokeys.com/|Solokeys]]''' are recommend for passkey storage by the !FreedomBox project.
+
+ * The [[https://github.com/solokeys/solo2|firmware]] (the OS for the hardware) is free software.
+ * The [[https://github.com/solokeys/solo2-hw|hardware]] designs are free too.
+ * The Solokeys team and the !FreedomBox team collaborate.
+}}}
+
+There are many ways to get started with passkeys:
+
+ * '''Separate passkey hardware''': The recommended way to store passkeys is on a specific hardware key. In this setup, the private key part of the passkey never leaves the hardware device. They are also typically built such that it is hard for an adversary with physical access the device to extract passkey from it. Another advantage of these devices is that the hardware can be used with all your existing devices such as phones, laptops, and desktops. These devices interact with phones and desktops using USB, Bluetooth, or NFC tap. In case of NFC, the device works with proximity from the phone without additional power. When using a separate hardware, however, you must have a backup way of logging into your account in the event that you loose the hardware device. This could be an additional passkey hardware or a password. See the section on backup below.
+
+ * '''Builtin passkey hardware''': When a separate hardware device is not available, specialized hardware, such as a TPM, built into the computer is preferable. This setup will still ensure that passkeys do not leave the hardware. One disadvantage of this approach is that the passkey only works with that device and you will need register each device you use separately.
+
+ * '''Password managers''': As a last resort, one could use password managers that support passkeys and work with your browser or OS. Android, iOS, and Windows offer such password managers. Passkeys stored in password managers are typically synchronized to the cloud and a breach of that service/account could result in compromise of all your accounts. However, they work across multiple devices and you typically don't have to worry about loosing a single hardware device. 
+
+=== Naming Your Passkey ===
+
+In !FreedomBox, when a passkey is added to your account, it by default named as 'Key 1'. The next one will be named 'Key 2' and so on. However, it is good practice to name them such that you know which device they are stored on. For example, you can name them 'Key on Primary Solokey', 'Key on Android Phone', etc. If a device is lost, you can login to your account and remove that key from the list of passkeys associated with your account.
+
+=== Multiple Domains ===
+
+Each passkey is strictly tied to a domain and never used for another domain. This necessary to ensure that a malicious domain does not impersonate a legitimate domain. Hence, if your !FreedomBox is configured with multiple domains, then the browser and hardware authenticator device will treat them as separate accounts for the purpose of authentication with passkeys. This means you need to register separate passkeys for each of your domains.
+
+For example, assume your !FreedomBox has two domains configured mydomain1.fbx.one and mydomain2.example. Visit mydomain1.fbx.one, log in to your account, and add a passkey. This passkey will be tied to this domain. When you are trying to log in, the passkey will work if you are accessing mydomain1.fbx.one but it won't work when accessing mydomain2.example. To make the second domain work, you need to add a second passkey while accessing your !FreedomBox with the domain name mydomain2.example. Two passkeys are then stored in your hardware token. First one will be tied to mydomain1.fbx.one and will only be used when accessing that domain. Second one will be tied to mydomain2.example and will only be used when accessing that domain.
+
+=== Multiple User Accounts ===
+
+When you use a passkey hardware for multiple user accounts on the same !FreedomBox, separate passkeys will be created for each of the accounts. Each passkey will be assigned the username of the account it is tied to. This information is stored in the passkey as well as the server. During login, the browser will prompt to select the user account you want to log into. If only a single passkey exists for a given domain name, then the selection dialog is not shown and user will login to the account corresponding to the passkey.
+
+=== Backup for Passkey ===
+
+In case the device storing your passkey is lost, you need alternate ways to login to you account:
+
+ 1. You can register and maintain two passkeys on two separate devices. For example, your primary passkey could be on a Solokey hardware token and the second passkey could be on an Android phone or another Solokey hardware token. If one is lost, you can login with the other. This is the recommended approach.
+
+ 1. !FreedomBox continues to support passwords even after passkeys are registered.  So, if a passkey device is lost, you can login with a password.
+
+ 1. If you forget your password and if your user account is not the only administrator account on the !FreedomBox, you can ask an administrator to reset your password. After that you can register a new passkey stored on a new device.
+
+=== Supported Platforms ===
+
+Passkeys are based on WebAuthn, a standard published by World Wide Web Consortium. So, !FreedomBox's implementation is expected to work wherever passkeys work. It has been tested as follows:
+
+|| '''OS/Device''' || '''Browser''' || '''Authenticator''' || '''Result''' ||
+|| GNU/Linux || Firefox || Solokeys || Pass ||
+|| GNU/Linux || Firefox || Yubikey || Pass ||
+|| GNU/Linux || Chromium || Solokeys || Pass ||
+|| GNU/Linux || GNOME Web || - || Fail (Browser does not support Webauthn) ||
+|| Windows || Firefox || Windows Hello || Pass ||
+|| Windows || Firefox || Solokeys || Pass ||
+|| Windows || Firefox || Android Phone || Pass ||
+|| Windows || Chrome || Windows Hello || Pass ||
+|| Windows || Chrome || Solokeys || Pass ||
+|| Windows || Chrome || Android Phone || Pass ||
+|| Windows || Edge || Windows Hello || Pass ||
+|| Windows || Edge || Solokeys || Pass ||
+|| Windows || Edge || Android Phone || Pass ||
+|| Android || Firefox || Google Password Manager || Pass ||
+|| Android || Firefox || Solokeys USB || Fail (Touch is not detected after PIN entry) ||
+|| Android || Firefox || Solokeys NFC || Fail (Need to understand NFC setup) ||
+|| Android || Firefox || Another device || Untested ||
+|| Android || Chrome || Google Password Manager || Pass ||
+|| Android || Chrome || Solokeys USB || Fail (Touch is not detected after PIN entry) ||
+|| Android || Chrome || Solokeys NFC || Fail (Need to understand NFC setup) ||
+|| Android || Chrome || Another device || Untested ||
+
+## END_INCLUDE
+
+Back to [[FreedomBox/Features|Features introduction]] or [[FreedomBox/Manual|manual]] pages.
+
+<<Include(FreedomBox/Portal)>>
+
+----
+CategoryFreedomBox

doc/manual/en/PioneerEdition.raw.wiki

@@ -25,7 +25,8 @@ The [[https://www.olimex.com/Products/OLinuXino/Home-Server/Pioneer-FreedomBox-H
  * an optional storage add-on for hard disk (HDD) or solid-state drive (SSD)
 
 === Recommended Hardware ===
-This is the hardware recommended for all users who just want a turn-key !FreedomBox, and '''don't''' want to '''build''' their own one.
+
+This is a hardware recommended for all users who just want a turn-key !FreedomBox, and '''don't''' want to '''build''' their own one.
 
 (Building your own !FreedomBox means some technical stuff like choosing and buying the right components, downloading the image and preparing the SD card).
 

doc/manual/en/ReleaseNotes.raw.wiki

@@ -8,6 +8,240 @@ For more technical details, see the [[https://salsa.debian.org/freedombox-team/f
 
 The following are the release notes for each !FreedomBox version.
 
+== FreedomBox 26.9.1 (2026-06-15) ==
+
+ * locale: Update translations for Albanian, Chinese (Simplified Han script), Czech, French, Italian, Turkish
+ * matrixsynapse: Allow installing new dependencies
+ * wireguard: Get config for both download and qr actions
+ * wireguard: Move segno import inside method
+
+== FreedomBox 26.9 (2026-06-01) ==
+
+=== Highlights ===
+
+ * wireguard: Auto-generate client keypairs
+ * wireguard: Provide download and QR code for client config
+
+=== Other Changes ===
+
+ * bepasty: Don't remove old system user and group
+ * debian: Install and use sysusers.d/tmpfiles.d config files
+ * debian: Stop deleting system user on remove/purge
+ * infinoted: Use systemd-sysusers for creating a system user account
+ * locale: Update translations for Dutch, German
+ * syncthing: Use systemd-sysusers for creating a system user account
+ * wireguard: Enable !FreedomBox to connect to a server using IPv6
+
+== FreedomBox 26.8 (2026-05-11) ==
+
+ * locale: Update translations for German, Italian
+ * api: Drop access-info API
+
+== FreedomBox 26.7.1 (2026-04-28) ==
+
+ * radicale, bepasty: Fix issue with failed diagnostic test
+ * radicale: Enable lc_username for case-insensitive auth
+ * radicale: Fix issue with parsing new configuration file
+ * radicale: tests: functional: Better checking for well-known URLs
+
+== FreedomBox 26.7 (2026-04-20) ==
+
+ * debian: tests: Add test to access interface status
+ * locale: Update translations for Albanian, Chinese (Simplified Han script), Czech, French, German, Italian, Swedish, Turkish
+
+== FreedomBox 26.6 (2026-04-06) ==
+
+=== Highlights ===
+
+ * users: Add support for logging in with passkeys
+
+=== Other Changes ===
+
+ * d/control: Add fido2 library as dependency
+ * locale: Update translations for French, German, Hindi, Italian
+ * service: Capture stdout/stderr when running as systemd unit
+ * users: Add link to guide on passkeys
+ * users: Add support for registering, editing, and deleting passkeys
+ * views: Add a decorator to handle exceptions in JSON views
+
+== FreedomBox 26.5.1 (2026-03-26) ==
+
+ * debian/control: Fix building with nocheck profile
+ * debian/copyright: Drop a removed file, correct path for another
+ * locale: Update translations for Albanian, Turkish
+ * web_server: Fix locating SVG icons on production setup
+
+== FreedomBox 26.5 (2026-03-23) ==
+
+=== Highlights ===
+
+ * action_utils: Don't restart web interface when installing an app
+ * apache: Use a Uwsgi native socket systemd unit for each app
+ * ui: Use inline SVG icons for all apps
+ * wireguard: Fix freedombox VPN IP for services
+
+=== Other Changes ===
+
+ * action_utils: Stop associated service when stopping a socket unit
+ * apache: Increase OpenID Connect RP session timeout activity
+ * apache: Minor improvement to getting the request host
+ * app: Fix build issue with Django 5.x
+ * clients: Fix formatting of package row in table
+ * clients: Fix show empty clients in Desktop section
+ * clients: Use SVG icons when showing external links
+ * container: Add option to skip install
+ * container: Fix image extension to .raw for systemd v260
+ * doc: Reduce verbosity when building documentation
+ * html: Drop trailing slash from void elements
+ * html: Drop type attribute value of text/javascript
+ * janus: Drop unused reference to font-awesome
+ * letsencrypt: Don't perform operations on apps that are not installed
+ * locale: Update translations for German, Russian, Swedish
+ * pagekite: Fix issue with adding custom services
+ * tests: functional: Drop undefined 'sso' pytest mark
+ * ui: Add rest of the icons used from fork-awesome set
+ * ui: Better placement for dropdown indicator in dropdown button
+ * ui: Drop fonts-fork-awesome as dependency
+ * ui: Rename 'plinth_extras' template tags module to 'extras'
+ * ui: Simplify SVG app icons for using them inline in HTML
+ * ui: Use inline SVG icons for buttons, messages, spinners, etc.
+ * wireguard: Add button for direct APK download
+ * wireguard: Add entries for Homebrew and RPM packages
+ * wireguard: Remove client entry for F-Droid which is not available
+ * wireguard: Update windows client link
+
+== FreedomBox 26.4.2 (2026-03-08) ==
+
+=== Highlights ===
+
+ * apache2: Disable pubtkt authentication module
+
+=== Other Changes ===
+
+ * container: Hold freedombox packages during test setup
+ * d/control: Trim deps for nocheck build profile
+ * locale: Update translations for Albanian, Chinese (Simplified Han script), Czech, Russian, Turkish
+ * Vagrantfile: Enable public network for bridged networking
+
+== FreedomBox 26.4 (2026-03-02) ==
+
+=== Highlights ===
+
+ * backups: Enable key-based SSH authentication for remote backups
+ * oidc: New app to implement OpenID Connect Provider
+ * apache: Implement protecting apps using OpenID Connect
+ * wireguard: Improve server section user experience flow
+
+=== Other Changes ===
+
+ * *: Remove some absolute file paths in SVGs
+ * *: Update URL base from /plinth to /freedombox
+ * README/HACKING: Update weblate project path to /freedombox
+ * Vagrantfile: Drop unnecessary sudo configuration for actions
+ * action_utils: Drop support for link-local IPv6 addresses
+ * action_utils: Fix issue with type checking a generator
+ * action_utils: Implement utility to change umask temporarily
+ * actions, privileged_daemon: Drop some unused global statements
+ * apache: Fix diagnosing URLs protected by OpenID Connect
+ * apache: Preserve host header when proxying to service
+ * backups: Arrange form for adding remote location
+ * backups: Avoid some repeated text in form help text
+ * backups: Copy SSH client public key to remote
+ * backups: Create .ssh folder before creating SSH key
+ * backups: Create a better comment in the generated SSH key file
+ * backups: Display SSH public key when adding remote
+ * backups: Fix issue with Javascript in add remote location form
+ * backups: Fix showing proper error for incorrect passphrase
+ * backups: Fix type checking errors
+ * backups: Generate SSH client key if needed
+ * backups: Migrate to SSH key auth when mounting
+ * backups: Minor refactoring
+ * backups: Show/hide form elements instead of disabling for simplicity
+ * backups: Simplify handling of migration to SSH keys
+ * backups: Test adding/removing remote location
+ * backups: Tweak appearance of add remote location form
+ * backups: Use SSH key instead of password
+ * backups: Use selected SSH credential for remote
+ * backups: tests: Simplify functional test using more classes
+ * bin: Add tool to change !FreedomBox password in Django database
+ * calibre: Use OpenID Connect instead of pubtkt based SSO
+ * cfg: Drop unused actions_dir option
+ * cfg: Drop unused config_dir option
+ * container: Align terminology in printed banner
+ * db: Create a utility to get credentials from dbconfig
+ * debian: Ensure that gbp creates a clean tarball prior to build
+ * deluge: Use OpenID Connect instead of pubtkt based SSO
+ * doc/dev: Set new theme for developer documentation
+ * doc/dev: Use OpenID Connect instead of pubtkt based SSO
+ * doc/dev: always have an up-to-date copyright year
+ * ejabberd: Fix setting up certificates for multiple domains
+ * email: Use OpenID Connect instead of pubtkt based SSO
+ * featherwiki: Use OpenID Connect instead of pubtkt based SSO
+ * gitweb: Fix issue with running post init due to missing method
+ * gitweb: Use OpenID Connect instead of pubtkt based SSO
+ * js: When page load fails during install, show it to user
+ * letsencrypt: When copying certificate reset the umask reliably
+ * locale/bg: Fix several translations with HTML links (Bulgarian)
+ * locale/de: Fix several translations with HTML links (German)
+ * locale: Update translations for Albanian, Catalan, Chinese (Simplified Han script), Czech, French, German, Greek, Italian, Swedish, Tamil, Turkish
+ * matrixsynapse: Update apache config to proxy Synapse client API
+ * miniflux: Get credentials from dbconfig-common directly
+ * miniflux: Revert workaround for a packaging bug with DB connection
+ * mumble: murmurd renamed to mumble-server
+ * oidc: Style the page for authorizing an OIDC app
+ * pyproject: Use new format to specify licenses
+ * quassel: Explicitly set permissions on the domain configuration file
+ * rssbridge: Use OpenID Connect instead of pubtkt based SSO
+ * searx: Use OpenID Connect instead of pubtkt based SSO
+ * sharing: Use OpenID Connect instead of pubtkt based SSO
+ * sso: Merge into users module, drop pubtkt related code
+ * syncthing: Use OpenID Connect instead of pubtkt based SSO
+ * syncthing: tests: Fix tests by allowing rapid restarts
+ * templates: Allow building pages without navigation bar and footer
+ * tests: functional: Fix expecting !FreedomBox to be home page
+ * tests: functional: Fix reloading error page during install/uninstall
+ * tests: functional: Increase systemd rate limits for starting units
+ * tiddlywiki: Use OpenID Connect instead of pubtkt based SSO
+ * transmission: Use OpenID Connect instead of pubtkt based SSO
+ * ui: Add animation for notification dismissal
+ * ui: Dismiss notifications without page reload
+ * ui: Refactor notification delete buttons to avoid repeating code
+ * web_framework: Allow !FreedomBox apps to override templates
+ * web_server: Log requests to WSGI app
+ * wireguard: Accept/use netmask with IP address for server connection
+ * wireguard: Fix format when showing multiple endpoints of the server
+ * wireguard: Fix showing default route setting in server edit form
+ * wireguard: Fix split tunneling
+ * wireguard: Show status of default route in server information page
+ * wireguard: filter .local addresses from showClient view
+ * wireguard: show server vpn ip in show client page
+ * wordpress: Use OpenID Connect instead of pubtkt based SSO when private
+
+== FreedomBox 26.3 (2026-02-02) ==
+
+=== Highlights ===
+
+ * ui: Use HTMX to eliminate full page reloads
+ * wireguard: Add 'Start Server' button to help with client setup
+
+=== Other Changes ===
+
+ * debian: Follows policy 4.7.3
+ * debian: Ignore lintian warning: service file missing Install section
+ * debian: Remove default Rules-Requires-Root
+ * debian: Remove preinst script
+ * debian: Update copyright years
+ * docs: Update container script usage
+ * lintian: Remove mismatched overrides
+ * locale: Update translations for Chinese (Simplified Han script), German, Italian, Turkish
+ * Makefile: Fix removing extra license file
+ * ui: Add HTMX as a dependency
+ * ui: Use HTMX to update notifications on partial page updates
+ * wireguard: Remove NM connections when app is uninstalled
+ * wireguard: Show next available client IP in Add Client form
+ * wireguard: Update functional tests to handle Start Server button
+ * wireguard: Show server endpoint on main app page
+
 == FreedomBox 26.2 (2026-01-20) ==
 
  * gitweb: Fix deleting last repo disables app

doc/manual/en/Sharing.raw.wiki

@@ -20,15 +20,13 @@ The content can be shared publicly or restricted to the users of listed allowed
 
 === Setting Up Shares ===
 
-For the users to access the content through their browser it must exist and have a share. A share is an entry in the Sharing app relating:
+ * In !FreedomBox web interface, enable the Sharing App. Only admins can create, edit or remove shares. They'll find the Sharing app in the Apps section of the !FreedomBox web interface. Many shares can coexist in the same server.
- * the Name (an thereby the URL) with which the users will ask for the content,
+ * Add a new share
- * the Disk Path of the content to be served and
+   * Give it a name (an thereby the URL) with which the users will ask for the content. In the example above it would be called ''content_name''.
- * the sharing mode. On restricted mode, it also has the list of allowed groups.
+   * The Disk Path of the content to be served. This path is relative to ''root'' on your !FreedomBox. For instance ''/var/lib/freedombox/sharing/content_name'' might be a choice.
-Many shares can coexist in the same server.
+   * Sharing mode. On restricted mode, it also has the list of allowed groups. Only groups recognized by !FreedomBox service can be combined in the list of allowed groups. Groups created in the CLI won't be offered by the Sharing app. 
-
+ * Create the directory specified under ''Disk Path'' on your !FreedomBox through ''Cockpit'', ''Nautilus'' or remote login.
-Only admins can create, edit or remove shares. They'll find the Sharing app in the Apps section of !FreedomBox web interface. Sharing app is an easy to use web application with an evident interface.
+ * Make sure the user, who will provide the content, has write access to that directory for instance by making him the owner of that directory. 
-
-Each share has its own sharing mode (public or restricted) setting. Only groups recognized by !FreedomBox service can be combined in the list of allowed groups. Groups created in the CLI won't be offered by the Sharing app. 
 
 === Providing/Updating Content ===
 

doc/manual/en/Users.raw.wiki

@@ -1,6 +1,11 @@
 #language en
 
+##For Translators - to have a constantly up to date translation header in you page, you can just add a line like the following (with the comment's character at the start of the line removed)
+## <<Include(sudo, ,from="^##TAG:TRANSLATION-HEADER-START",to="^##TAG:TRANSLATION-HEADER-END")>>
+##TAG:TRANSLATION-HEADER-START
 ~- [[DebianWiki/EditorGuide#translation|Translation(s)]]: English - [[es/FreedomBox/Manual/Users|Español]] -~
+##TAG:TRANSLATION-HEADER-END
+----
 
 <<TableOfContents()>>
 
@@ -8,25 +13,25 @@
 
 == Users and Groups ==
 
-You can grant access to your !FreedomBox for other users. Provide the Username with a password and assign a group to it. Currently the groups
+This app can be used to create, edit, and remove user accounts on !FreedomBox. Many apps with web interface in !FreedomBox support single sign-on using OpenID Connect. This means that if you are logged into !FreedomBox web interface, there is no need to login to the app separately. Other apps support using the !FreedomBox user accounts via LDAP. Finally, there are some apps that manage their own user accounts separate from the accounts you have in !FreedomBox.
+
+Access to an app is allowed if the user accessing the app is part of the app's group. You can grant access to apps in !FreedomBox for specific users by adding them to the following groups:
  * admin
  * bit-torrent
  * calibre
- * ed2k
  * feed-reader
  * freedombox-share
+ * freedombox-ssh
  * git-access
- * minidlna
+ * kiwix
- * syncthing
+ * syncthing-access
+ * vpn
  * web-search
  * wiki
-are supported. 
 
-The user will be able to log in to services that support single sign-on through LDAP, if they are in the appropriate group.
+Users in the admin group will be able to log in to all services. They can also log in to the system through SSH and have administrative privileges (sudo). A user's groups can also be changed later.
 
-Users in the admin group will be able to log in to all services. They can also log in to the system through SSH and have administrative privileges (sudo).
+!FreedomBox supports logging in with passkeys. Passkeys are a secure alternative to passwords and are the recommended way of authenticating to !FreedomBox. Read more in the [[FreedomBox/Guide/Passkeys|FreedomBox's guide to passkeys]].
-
-A user's groups can also be changed later.
 
 It is also possible to set an SSH public key which will allow this user to securely log in to the system without using a password. You may enter multiple keys, one on each line. Blank lines and lines starting with # will be ignored.
 

doc/manual/en/freedombox-manual.raw.wiki

@@ -83,6 +83,7 @@
 <<Include(FreedomBox/Manual/Users,            , from="## BEGIN_INCLUDE", to="## END_INCLUDE")>>
 
 = Guides =
+<<Include(FreedomBox/Guide/Passkeys,               , from="## BEGIN_INCLUDE", to="## END_INCLUDE")>>
 <<Include(FreedomBox/Guide/ExposeLocalService,     , from="## BEGIN_INCLUDE", to="## END_INCLUDE")>>
 
 = Hardware =

doc/manual/es/Hardware.raw.wiki

@@ -11,8 +11,19 @@ Además de soportar varios SBC's (single board computers) y otros dispositivos,
 
 == Hardware Recomendado ==
 
-El 22 de Abril de 2019, la ''!FreedomBox Foundation'' anunció que los kits ''Pioneer Edition !FreedomBox Home Server'' salían a la [[https://freedomboxfoundation.org/buy/|venta]]. Este es el hardware preinstalado recomendado para todos los usuarios que no quieran construirse su propia (máquina) !FreedomBox eligiendo los componentes adecuados, descargando la imagen y preparando una tarjeta SD con (el software) !FreedomBox.
+=== Libre Crafts FreedomBox ===
 
+Libre Crafts es una iniviativa de los propios desarrolladores de !FreedomBox para proporcionar una !FreedomBox potente capaz de alojar las necesidades más exigentes de un servidor casero.
+Los propios desarrolladores de !FreedomBox la montan. prueban y entregan. Tu compra ayuda al desarrollo de !FreedomBox.
+
+Esta máquina lleva un procesador potente, mucha memoria,  CPU, un disco de sitema operativo rápido, posibilidad de añador discos duros de alta capacidad, puertos Ethernet multi-gigabit duales, todo ello con bajo consumo.
+Úsalo para alojar todas tus fotos, las copias de respaldo de tus otros dispositivos, como NAS, como centro de control de domótica, como ordenador de sobremesa, y más, todo a la vez. 
+
+||<style="text-align: center;"> [[FreedomBox/Hardware/LibreCrafts|{{attachment:FreedomBox/libre-crafts.png|FreedomBox de Libre Crafts|height=300}}]]<<BR>> [[FreedomBox/Hardware/LibreCrafts|FreedomBox de Libre Crafts]] ||
+
+=== Olimex's FreedomBox Pioneer Edition ===
+
+On April 22nd, 2019, the !FreedomBox Foundation announced the [[https://freedomboxfoundation.org/buy/|sales]] of the Pioneer Edition !FreedomBox Home Server Kits. This pre-installed hardware is for all users who don't wish to build their own !FreedomBox by choosing the right components, downloading the image and preparing an SD card with !FreedomBox.
 El kit incluye todo el hardware necesario para arrancar un servidor casero !FreedomBox sobre una placa ''Olimex A20-OLinuXino-LIME2''. Este producto proporciona la combinación perfecta de hardware de fuentes abiertas y software libre. Al comprar este producto, soportas también los esfuerzos de la ''!FreedomBox Foundation'' para crear y promover su software de servidor libre.
 
 ||<style="text-align: center;"> [[es/FreedomBox/Hardware/PioneerEdition|{{attachment:FreedomBox/Hardware/pioneer-edition_thumb.jpg|Kits de servidor doméstico FreedomBox edición Pioneer|width=320,height=257}}]]<<BR>> [[es/FreedomBox/Hardware/PioneerEdition|Kits de servidor doméstico FreedomBox edición Pioneer]] ||

doc/manual/es/Manual.raw.wiki

@@ -83,6 +83,7 @@
 <<Include(FreedomBox/Manual/Users,            , from="## BEGIN_INCLUDE", to="## END_INCLUDE")>>
 
 = Guides =
+<<Include(FreedomBox/Guide/Passkeys,               , from="## BEGIN_INCLUDE", to="## END_INCLUDE")>>
 <<Include(FreedomBox/Guide/ExposeLocalService,     , from="## BEGIN_INCLUDE", to="## END_INCLUDE")>>
 
 = Hardware =

doc/manual/es/OrangePiZero.raw.wiki

@@ -12,7 +12,7 @@
 
 === Availability ===
 
- * [[https://www.aliexpress.com/store/group/Allwinner-H2/1553371_516093180.html|AliExpress]]
+ * [[https://www.aliexpress.com/item/3256803323773726.html|AliExpress]]
 
 === Hardware ===
 

doc/manual/es/Passkeys.raw.wiki

@@ -0,0 +1,174 @@
+#language es
+
+<<Include(FreedomBox/Guide/Passkeys, ,from="^##TAG:TRANSLATION-HEADER-START",to="^##TAG:TRANSLATION-HEADER-END")>>
+
+<<TableOfContents>>
+
+## BEGIN_INCLUDE
+
+== Usa claves de acceso (passkeys) para mejorar la seguridad de inicio de sesión ==
+
+{{{#!wiki tip
+Se recomiendan encarecidamente las claves de acceso frente a las contraseñas.
+}}}
+
+'''Disponible desde''': !FreedomBox 26.6
+
+!FreedomBox permite a los usuarios iniciar sesión en su cuenta con claves de acceso.
+Las claves de acceso son una forma de verificar la identidad del usuario usando firmas digitales. Son una alternativa más segura que las contraseñas.
+La información secreta se conserva con el usuario en su teléfono, portátil o en un token hardware y se desbloquea mediante un PIN, huella dactilar o reconocimiento facial.
+No se almacenan secretos en el servidor. El servidor solo conoce la información pública que puede usarse para verificar las firmas del usuario.
+
+=== ¿Cómo funcionan las claves de acceso? ===
+
+Después de que el usuario inicie sesión en su cuenta, se puede añadir una o más claves de acceso a la cuenta desde la página "Administrar claves de acceso".
+Al añadir una clave de acceso, el hardware de la clave de acceso (o autenticador) generará un par de claves pública/privada vinculado al dominio y a la cuenta de usuario.
+La clave privada se mantiene en el hardware y la clave pública se proporciona al servidor. El servidor almacena la clave pública junto con la cuenta de usuario.
+Más tarde, cuando un usuario intenta iniciar sesión en su cuenta, el servidor envía una larga cadena aleatoria al autenticador llamada santo (santo y seña).
+El hardware firma digitalmente el santo con la clave privada y la envía (la seña) al servidor.
+El servidor puede verificar que la firma la ha hecho el poseedor de la clave privada usando solo la clave pública que tiene (esto es una propiedad de los pares de claves pública/privada).
+Una vez verificada, el servidor inicia sesión en la cuenta de usuario asociada a esa clave pública.
+
+Durante este proceso, el navegador actúa como intermediario de confianza entre el hardware de la clave de acceso y el servidor.
+Garantiza que el usuario se verifique proporcionando PIN, huella, reconocimiento facial, etc.
+También garantiza que una clave de acceso solo se use con el dominio para el que está destinada.
+
+=== Mejor seguridad ===
+
+Las claves de acceso ofrecen mayor seguridad que las contraseñas:
+
+ * '''Autenticación multifactor''': Durante el registro de una clave de acceso y durante el inicio de sesión,
+   !FreedomBox solicita que el navegador verifique al usuario.
+   Esto significa que el usuario necesitará desbloquear el dispositivo autenticador proporcionando un PIN, huella o reconocimiento facial.
+   Esto actúa como uno de los factores de autenticación: "algo que sabes" o "algo que eres".
+   Otro factor de autenticación es "algo que tienes": el hardware que almacena tu clave de acceso (como Solokey, Nitrokey o Yubikey) o un teléfono.
+   Juntos, esto es similar a usar una contraseña con un segundo factor de autenticación.
+   Por tanto, las claves de acceso pueden reemplazar la autenticación en dos pasos siendo mucho más cómodas y fáciles de usar.
+
+ * '''Sin reutilización''': Las claves de acceso nunca se reutilizan. Para cada dominio se genera y usa una clave de acceso separada.
+   Los navegadores aseguran que la clave de acceso de un dominio nunca se use con otro dominio.
+   A diferencia de las contraseñas reutilizadas, cuando un sitio web o servicio se ve comprometido, los maleantes no pueden usar eso para acceder a tu cuenta en otro sitio o servicio.
+   Esto también previene ataques de phishing donde sitios impotores se hacen pasar por sitios legítimos.
+
+ * '''No hay secretos en el servidor''': El sitio que permite el uso de claves de acceso para el inicio de sesión no almacena información secreta.
+   Solo guarda la parte pública de la clave de acceso. Si esta información es obtenida por un adversario, no podrá iniciar sesión en el sitio.
+   Solo la clave privada almacenada en el dispositivo autenticador puede usarse para iniciar sesión
+   (ya que solo una clave privada puede crear las firmas necesarias para el proceso de inicio de sesión).
+
+ * '''No adivinación''': La parte secreta de una clave de acceso es mucho más dificil de adivinar que una contraseña.
+   No existe el riesgo de que alguien adivine tu contraseña y acceda a tu cuenta.
+   No existe el riesgo de que configures accidentalmente una contraseña predecible.
+
+ * '''Comodidad''': Los usuarios no necesitan recordar nombre de usuario, correo electrónico o un secreto para iniciar sesión en un sitio.
+   No necesitan recibir OTP por SMS o correo, usar una app TOTP ni confirmar el inicio desde una app móvil.
+   Tras hacer clic en el botón "Login mediante clave de acceso", desbloquean su autenticador con un PIN, huella o reconocimiento facial.
+   Luego tocan físicamente el autenticador (si es necesario). El usuario queda entonces autenticado. Hay menos cosas que recordar.
+   Incluso el PIN de un autenticador hardware suele ser más fácil de recordar que una contraseña.
+   Esta comodidad anima a los usuarios a usar este mecanismo, lo que a la larga mejora la seguridad.
+
+=== Hardware necesario para claves de acceso  ===
+
+{{{#!wiki tip
+'''El proyecto !FreedomBox recomienda [[https://solokeys.com/|Solokeys]]''' para el almacenamiento de claves de acceso:
+
+ * El [[https://github.com/solokeys/solo2|firmware]] (el sistema operativo del hardware) es software libre.
+ * Los [[https://github.com/solokeys/solo2-hw|diseños del hardware]] también son libres.
+ * El equipo de Solokeys y el equipo de !FreedomBox colaboran entre sí.
+}}}
+
+Hay varias formas de empezar con claves de acceso:
+
+ * '''Hardware de claves de acceso separado''': La forma recomendada de almacenar claves de acceso es en una llave hardware específica.
+   En esta configuración, la clave privada de la clave de acceso nunca abandona el dispositivo hardware.
+   Además, suelen estar diseñadas para que sea difícil para un atacante con acceso físico extraer la clave de acceso.
+   Otra ventaja de estos dispositivos es que pueden utilizarse con todos tus dispositivos existentes, como teléfonos, portátiles y escritorios.
+   Estos dispositivos interactúan con teléfonos y equipos mediante USB, Bluetooth o NFC.
+   En caso de NFC, el dispositivo funciona por proximidad con el teléfono sin energía adicional.
+   Al usar un hardware separado, sin embargo, debes tener un método de respaldo para iniciar sesión si pierdes el dispositivo hardware.
+   Esto puede ser otra clave de acceso en otro hardware o una contraseña. Ver la sección de copia de seguridad más abajo.
+
+ * '''Hardware empotrado para claves de acceso''': Cuando no hay un dispositivo hardware separado, es preferible el hardware especializado, como un TPM, integrado en el equipo.
+   Esta configuración seguirá asegurando que las claves de acceso no abandonen el hardware.
+   Una desventaja es que la clave de acceso solo funciona con ese equipo y tendrás que registrar cada dispositivo que uses por separado.
+
+ * '''Administradores de contraseñas''': Como último recurso, se pueden usar gestores de contraseñas que soporten claves de acceso y funcionen con tu navegador o sistema operativo.
+   Android, iOS y Windows ofrecen administradores así.
+   Las claves de acceso guardadas en administradores suelen sincronizarse con la nube y una brecha en ese servicio/cuenta podría comprometer todas tus cuentas.
+   Sin embargo, funcionan en múltiples dispositivos y normalmente no tienes que preocuparte por perder un solo dispositivo hardware.
+
+=== Nombrar tu clave de acceso ===
+
+En !FreedomBox, cuando se añade una clave de acceso a tu cuenta, por defecto se nombra 'Key 1'. La siguiente se llamará 'Key 2' y así sucesivamente.
+Sin embargo, es buena práctica nombrarlas para saber en qué dispositivo están almacenadas. Por ejemplo, puedes llamarlas 'Clave del Solokey primario', 'Clave del tfn Android', etc.
+Si se pierde un dispositivo, puedes iniciar sesión y eliminar esa clave de la lista de claves de acceso asociadas a tu cuenta.
+
+=== Múltiples dominios ===
+
+Cada clave de acceso está estrictamente ligada a un dominio y nunca se usa para otro dominio. Esto es necesario para evitar que un dominio impostor pueda suplantar a uno legítimo.
+Por tanto, si tu !FreedomBox está configurada con múltiples dominios, el navegador y el dispositivo autenticador tratarán cada dominio como cuentas separadas a efectos de autenticación con claves de acceso.
+Esto significa que debes registrar claves de acceso separadas para cada uno de tus dominios.
+
+Por ejemplo, supón que tu !FreedomBox tiene configurados los dominios midominio1.fbx.one y midominio2.ejemplo.
+Visita midominio1.fbx.one, inicia sesión en tu cuenta y añade una clave de acceso. Esta clave de acceso quedará ligada a ese dominio.
+Cuando intentes iniciar sesión, la clave de acceso funcionará si accedes a midominio1.fbx.one pero no funcionará al acceder a midominio2.ejemplo.
+Para hacer que el segundo dominio funcione, necesitas añadir una segunda clave de acceso mientras accedes a tu !FreedomBox con el nombre de dominio midominio2.ejemplo.
+Entonces se almacenarán dos claves de acceso en tu token hardware. La primera estará ligada a midominio1.fbx.one y solo se usará cuando accedas a ese dominio.
+La segunda estará ligada a midominio2.ejemplo y solo se usará cuando accedas a ese dominio.
+
+=== Múltiples cuentas de usuario ===
+
+Cuando usas un hardware de claves de acceso para varias cuentas de usuario en el mismo !FreedomBox, se crearán claves de acceso separadas para cada cuenta.
+A cada clave de acceso se le asignará el nombre de usuario de la cuenta a la que esté ligada. Esta información se almacena en la clave de acceso así como en el servidor.
+Durante el inicio de sesión, el navegador te pedirá que selecciones la cuenta de usuario a la que quieres acceder.
+Si solo existe una clave de acceso para un dominio dado, no se mostrará el diálogo de selección y el usuario iniciará sesión en la cuenta correspondiente a esa clave de acceso.
+
+=== Copia de seguridad de la clave de acceso ===
+
+En caso de pérdida del dispositivo que almacena tu clave de acceso, necesitas métodos alternativos para iniciar sesión en tu cuenta:
+
+ 1. Puedes registrar y mantener dos claves de acceso en dos dispositivos separados. Por ejemplo, tu clave de acceso primaria podría estar en un token Solokey y
+    la segunda en un teléfono Android o en otro token Solokey. Si uno se pierde, puedes iniciar sesión con el otro. Este es el método recomendado.
+
+ 1. !FreedomBox sigue soportando contraseñas incluso después de registrar claves de acceso.
+    Así que, si se pierde un dispositivo con clave de acceso, puedes iniciar sesión con una contraseña.
+
+ 1. Si olvidas tu contraseña y tu cuenta no es la única cuenta administradora en el !FreedomBox, puedes pedir a un administrador que restablezca tu contraseña.
+    Después de eso podrás registrar una nueva clave de acceso almacenada en un nuevo dispositivo.
+
+=== Plataformas compatibles ===
+
+Las passkeys se basan en WebAuthn, un estándar publicado por el World Wide Web Consortium.
+Por tanto, la implementación de !FreedomBox debería funcionar allí donde funcionen las clave de acceso. Se ha probado de la siguiente manera:
+
+|| '''SO/Dispositivo''' || '''Navegador''' || '''Autenticador''' || '''Resultado''' ||
+|| GNU/Linux || Firefox || Solokeys || Ok ||
+|| GNU/Linux || Firefox || Yubikey || Ok ||
+|| GNU/Linux || Chromium || Solokeys || Ok ||
+|| GNU/Linux || GNOME Web || - || KO (El navegador no soporta WebAuthn) ||
+|| Windows || Firefox || Windows Hello || Ok ||
+|| Windows || Firefox || Solokeys || Ok ||
+|| Windows || Firefox || Android Phone || Ok ||
+|| Windows || Chrome || Windows Hello || Ok ||
+|| Windows || Chrome || Solokeys || Ok ||
+|| Windows || Chrome || Android Phone || Ok ||
+|| Windows || Edge || Windows Hello || Ok ||
+|| Windows || Edge || Solokeys || Ok ||
+|| Windows || Edge || Android Phone || Ok ||
+|| Android || Firefox || Google Password Manager || Ok ||
+|| Android || Firefox || Solokeys USB || KO (No se detecta el toque tras introducir el PIN) ||
+|| Android || Firefox || Solokeys NFC || KO (Es necesario entender la configuración NFC) ||
+|| Android || Firefox || Otro dispositivo || Sin probar ||
+|| Android || Chrome || Google Password Manager || Ok ||
+|| Android || Chrome || Solokeys USB || KO (No se detecta el toque tras introducir el PIN) ||
+|| Android || Chrome || Solokeys NFC || KO (Es necesario entender la configuración NFC) ||
+|| Android || Chrome || Otro dispositivo || Sin probar ||
+
+## END_INCLUDE
+
+Volver a la [[es/FreedomBox/Features|descripción de Funcionalidades]] o a las páginas del [[es/FreedomBox/Manual|manual]].
+
+
+<<Include(es/FreedomBox/Portal)>>
+
+----
+CategoryFreedomBox

doc/manual/es/PioneerEdition.raw.wiki

@@ -16,7 +16,7 @@ Los servidores caseros !FreedomBox Pioneer Edition los fabrica y vende Olimex, u
 == Características del Producto ==
 
 === HW Recomendado ===
-Éste es el hardware recomendado para los usuarios que quieran simplemente una !FreedomBox llave en mano, y '''no''' quieran '''construirse''' una.
+Éste es un hardware recomendado para los usuarios que quieran simplemente una !FreedomBox llave en mano, y '''no''' quieran '''construirse''' una.
 
 (Construir tu propia !FreedomBox implica algunos tecnicismos como elegir y comprar los componentes adecuados, descargar la imágen y preparar una tarjeta SD).
 

doc/manual/es/ReleaseNotes.raw.wiki

@@ -8,6 +8,240 @@ For more technical details, see the [[https://salsa.debian.org/freedombox-team/f
 
 The following are the release notes for each !FreedomBox version.
 
+== FreedomBox 26.9.1 (2026-06-15) ==
+
+ * locale: Update translations for Albanian, Chinese (Simplified Han script), Czech, French, Italian, Turkish
+ * matrixsynapse: Allow installing new dependencies
+ * wireguard: Get config for both download and qr actions
+ * wireguard: Move segno import inside method
+
+== FreedomBox 26.9 (2026-06-01) ==
+
+=== Highlights ===
+
+ * wireguard: Auto-generate client keypairs
+ * wireguard: Provide download and QR code for client config
+
+=== Other Changes ===
+
+ * bepasty: Don't remove old system user and group
+ * debian: Install and use sysusers.d/tmpfiles.d config files
+ * debian: Stop deleting system user on remove/purge
+ * infinoted: Use systemd-sysusers for creating a system user account
+ * locale: Update translations for Dutch, German
+ * syncthing: Use systemd-sysusers for creating a system user account
+ * wireguard: Enable !FreedomBox to connect to a server using IPv6
+
+== FreedomBox 26.8 (2026-05-11) ==
+
+ * locale: Update translations for German, Italian
+ * api: Drop access-info API
+
+== FreedomBox 26.7.1 (2026-04-28) ==
+
+ * radicale, bepasty: Fix issue with failed diagnostic test
+ * radicale: Enable lc_username for case-insensitive auth
+ * radicale: Fix issue with parsing new configuration file
+ * radicale: tests: functional: Better checking for well-known URLs
+
+== FreedomBox 26.7 (2026-04-20) ==
+
+ * debian: tests: Add test to access interface status
+ * locale: Update translations for Albanian, Chinese (Simplified Han script), Czech, French, German, Italian, Swedish, Turkish
+
+== FreedomBox 26.6 (2026-04-06) ==
+
+=== Highlights ===
+
+ * users: Add support for logging in with passkeys
+
+=== Other Changes ===
+
+ * d/control: Add fido2 library as dependency
+ * locale: Update translations for French, German, Hindi, Italian
+ * service: Capture stdout/stderr when running as systemd unit
+ * users: Add link to guide on passkeys
+ * users: Add support for registering, editing, and deleting passkeys
+ * views: Add a decorator to handle exceptions in JSON views
+
+== FreedomBox 26.5.1 (2026-03-26) ==
+
+ * debian/control: Fix building with nocheck profile
+ * debian/copyright: Drop a removed file, correct path for another
+ * locale: Update translations for Albanian, Turkish
+ * web_server: Fix locating SVG icons on production setup
+
+== FreedomBox 26.5 (2026-03-23) ==
+
+=== Highlights ===
+
+ * action_utils: Don't restart web interface when installing an app
+ * apache: Use a Uwsgi native socket systemd unit for each app
+ * ui: Use inline SVG icons for all apps
+ * wireguard: Fix freedombox VPN IP for services
+
+=== Other Changes ===
+
+ * action_utils: Stop associated service when stopping a socket unit
+ * apache: Increase OpenID Connect RP session timeout activity
+ * apache: Minor improvement to getting the request host
+ * app: Fix build issue with Django 5.x
+ * clients: Fix formatting of package row in table
+ * clients: Fix show empty clients in Desktop section
+ * clients: Use SVG icons when showing external links
+ * container: Add option to skip install
+ * container: Fix image extension to .raw for systemd v260
+ * doc: Reduce verbosity when building documentation
+ * html: Drop trailing slash from void elements
+ * html: Drop type attribute value of text/javascript
+ * janus: Drop unused reference to font-awesome
+ * letsencrypt: Don't perform operations on apps that are not installed
+ * locale: Update translations for German, Russian, Swedish
+ * pagekite: Fix issue with adding custom services
+ * tests: functional: Drop undefined 'sso' pytest mark
+ * ui: Add rest of the icons used from fork-awesome set
+ * ui: Better placement for dropdown indicator in dropdown button
+ * ui: Drop fonts-fork-awesome as dependency
+ * ui: Rename 'plinth_extras' template tags module to 'extras'
+ * ui: Simplify SVG app icons for using them inline in HTML
+ * ui: Use inline SVG icons for buttons, messages, spinners, etc.
+ * wireguard: Add button for direct APK download
+ * wireguard: Add entries for Homebrew and RPM packages
+ * wireguard: Remove client entry for F-Droid which is not available
+ * wireguard: Update windows client link
+
+== FreedomBox 26.4.2 (2026-03-08) ==
+
+=== Highlights ===
+
+ * apache2: Disable pubtkt authentication module
+
+=== Other Changes ===
+
+ * container: Hold freedombox packages during test setup
+ * d/control: Trim deps for nocheck build profile
+ * locale: Update translations for Albanian, Chinese (Simplified Han script), Czech, Russian, Turkish
+ * Vagrantfile: Enable public network for bridged networking
+
+== FreedomBox 26.4 (2026-03-02) ==
+
+=== Highlights ===
+
+ * backups: Enable key-based SSH authentication for remote backups
+ * oidc: New app to implement OpenID Connect Provider
+ * apache: Implement protecting apps using OpenID Connect
+ * wireguard: Improve server section user experience flow
+
+=== Other Changes ===
+
+ * *: Remove some absolute file paths in SVGs
+ * *: Update URL base from /plinth to /freedombox
+ * README/HACKING: Update weblate project path to /freedombox
+ * Vagrantfile: Drop unnecessary sudo configuration for actions
+ * action_utils: Drop support for link-local IPv6 addresses
+ * action_utils: Fix issue with type checking a generator
+ * action_utils: Implement utility to change umask temporarily
+ * actions, privileged_daemon: Drop some unused global statements
+ * apache: Fix diagnosing URLs protected by OpenID Connect
+ * apache: Preserve host header when proxying to service
+ * backups: Arrange form for adding remote location
+ * backups: Avoid some repeated text in form help text
+ * backups: Copy SSH client public key to remote
+ * backups: Create .ssh folder before creating SSH key
+ * backups: Create a better comment in the generated SSH key file
+ * backups: Display SSH public key when adding remote
+ * backups: Fix issue with Javascript in add remote location form
+ * backups: Fix showing proper error for incorrect passphrase
+ * backups: Fix type checking errors
+ * backups: Generate SSH client key if needed
+ * backups: Migrate to SSH key auth when mounting
+ * backups: Minor refactoring
+ * backups: Show/hide form elements instead of disabling for simplicity
+ * backups: Simplify handling of migration to SSH keys
+ * backups: Test adding/removing remote location
+ * backups: Tweak appearance of add remote location form
+ * backups: Use SSH key instead of password
+ * backups: Use selected SSH credential for remote
+ * backups: tests: Simplify functional test using more classes
+ * bin: Add tool to change !FreedomBox password in Django database
+ * calibre: Use OpenID Connect instead of pubtkt based SSO
+ * cfg: Drop unused actions_dir option
+ * cfg: Drop unused config_dir option
+ * container: Align terminology in printed banner
+ * db: Create a utility to get credentials from dbconfig
+ * debian: Ensure that gbp creates a clean tarball prior to build
+ * deluge: Use OpenID Connect instead of pubtkt based SSO
+ * doc/dev: Set new theme for developer documentation
+ * doc/dev: Use OpenID Connect instead of pubtkt based SSO
+ * doc/dev: always have an up-to-date copyright year
+ * ejabberd: Fix setting up certificates for multiple domains
+ * email: Use OpenID Connect instead of pubtkt based SSO
+ * featherwiki: Use OpenID Connect instead of pubtkt based SSO
+ * gitweb: Fix issue with running post init due to missing method
+ * gitweb: Use OpenID Connect instead of pubtkt based SSO
+ * js: When page load fails during install, show it to user
+ * letsencrypt: When copying certificate reset the umask reliably
+ * locale/bg: Fix several translations with HTML links (Bulgarian)
+ * locale/de: Fix several translations with HTML links (German)
+ * locale: Update translations for Albanian, Catalan, Chinese (Simplified Han script), Czech, French, German, Greek, Italian, Swedish, Tamil, Turkish
+ * matrixsynapse: Update apache config to proxy Synapse client API
+ * miniflux: Get credentials from dbconfig-common directly
+ * miniflux: Revert workaround for a packaging bug with DB connection
+ * mumble: murmurd renamed to mumble-server
+ * oidc: Style the page for authorizing an OIDC app
+ * pyproject: Use new format to specify licenses
+ * quassel: Explicitly set permissions on the domain configuration file
+ * rssbridge: Use OpenID Connect instead of pubtkt based SSO
+ * searx: Use OpenID Connect instead of pubtkt based SSO
+ * sharing: Use OpenID Connect instead of pubtkt based SSO
+ * sso: Merge into users module, drop pubtkt related code
+ * syncthing: Use OpenID Connect instead of pubtkt based SSO
+ * syncthing: tests: Fix tests by allowing rapid restarts
+ * templates: Allow building pages without navigation bar and footer
+ * tests: functional: Fix expecting !FreedomBox to be home page
+ * tests: functional: Fix reloading error page during install/uninstall
+ * tests: functional: Increase systemd rate limits for starting units
+ * tiddlywiki: Use OpenID Connect instead of pubtkt based SSO
+ * transmission: Use OpenID Connect instead of pubtkt based SSO
+ * ui: Add animation for notification dismissal
+ * ui: Dismiss notifications without page reload
+ * ui: Refactor notification delete buttons to avoid repeating code
+ * web_framework: Allow !FreedomBox apps to override templates
+ * web_server: Log requests to WSGI app
+ * wireguard: Accept/use netmask with IP address for server connection
+ * wireguard: Fix format when showing multiple endpoints of the server
+ * wireguard: Fix showing default route setting in server edit form
+ * wireguard: Fix split tunneling
+ * wireguard: Show status of default route in server information page
+ * wireguard: filter .local addresses from showClient view
+ * wireguard: show server vpn ip in show client page
+ * wordpress: Use OpenID Connect instead of pubtkt based SSO when private
+
+== FreedomBox 26.3 (2026-02-02) ==
+
+=== Highlights ===
+
+ * ui: Use HTMX to eliminate full page reloads
+ * wireguard: Add 'Start Server' button to help with client setup
+
+=== Other Changes ===
+
+ * debian: Follows policy 4.7.3
+ * debian: Ignore lintian warning: service file missing Install section
+ * debian: Remove default Rules-Requires-Root
+ * debian: Remove preinst script
+ * debian: Update copyright years
+ * docs: Update container script usage
+ * lintian: Remove mismatched overrides
+ * locale: Update translations for Chinese (Simplified Han script), German, Italian, Turkish
+ * Makefile: Fix removing extra license file
+ * ui: Add HTMX as a dependency
+ * ui: Use HTMX to update notifications on partial page updates
+ * wireguard: Remove NM connections when app is uninstalled
+ * wireguard: Show next available client IP in Add Client form
+ * wireguard: Update functional tests to handle Start Server button
+ * wireguard: Show server endpoint on main app page
+
 == FreedomBox 26.2 (2026-01-20) ==
 
  * gitweb: Fix deleting last repo disables app

doc/manual/es/Sharing.raw.wiki

@@ -19,15 +19,15 @@ El contenido se puede compartir públicamente o restringido a usuarios de una li
 
 === Editando comparticiones ===
 
-Para que los usuarios accedan al contenido mediante su navegador debe existir y tener una compartición. Una compartición es una entrada en la aplicación Sharing que relaciona:
+Cada compartición tiene su propio ajuste de modo de compartición (pública o restringida). Sólo los grupos que reconoce el servicio !FreedomBox se pueden combinar en la lista de grupos autorizados. La aplicación ''Sharing'' no ofrecerá los grupos creados en el interfaz de línea de órdenes. 
- * El Nombre (y por tanto la URL) que usarán los usuarios para solicitar el contenido,
- * el Ruta de acceso al contenido a servir y
- * el modo de compartición. Si es restringido, también contendrá la lista de grupos autorizados.
-En el mismo servidor pueden coexistir múltiples comparticiones.
 
-Sólo los administradores pueden crear, editar o eliminar comparticiones. Encontrarán la aplicación ''Sharing'' en la sección Aplicacions del interfaz web de !FreedomBox. La aplicación ''Sharing'' es una aplicación web fácil de usar y con un interfaz evidente.
+ * In el interfaz web de !FreedomBox, habilita la App ''Sharing''. Sólo los administradores pueden crear, editar o eliminar comparticiones. Encontrarán la aplicación ''Sharing'' en la sección Aplicaciones del interfaz web de !FreedomBox. En el mismo servidor pueden coexistir múltiples comparticiones.
-
+ * Añadir una nueva compartición:
-Cada compartición tiene su priopio ajuste de modo de compartición (pública o restrigida). Sólo los grupos que reconoce el servicio !FreedomBox se pueden combinar en la lista de grupos autorizados. La aplicación ''Sharing'' no ofrecerá los grupos creados en el interfaz de línea de órdenes. 
+   * Dale un nombre (y por tanto la URL) que usarán los usuarios para solicitar el contenido, En el ejemplo anterior se llamaría  ''nombre del contenido''.
+   * La Ruta completa de acceso al contenido a servir. Por ejemplo ''/var/lib/freedombox/sharing/nombre_del_contenido''.
+   * El modo de compartición. Si es restringido, también contendrá la lista de grupos autorizados. Solo los grupos reconocidos por el servicio !FreedomBox se pueden combinar en la lista de grupos autorizados. La app no ofrecerá los grupos creados sólo en la línea de órdenes. 
+ * Crea el directorio especificado en ''Ruta de Disco'' en !FreedomBox mediante ''Cockpit'', ''Nautilus'' o ingreso remoto.
+ * Asegúrate de que el usuario que proporcione el contenido tiene permiso para escribir en el directorio, por ejemplo, haciéndole dueño del directorio. 
 
 === Provisionar/actualizar el contenido ===
 

doc/manual/es/Users.raw.wiki

@@ -1,6 +1,6 @@
 #language es
 
-~- [[DebianWiki/EditorGuide#translation|Translation(s)]]: [[FreedomBox/Manual/Users|English]] - Español -~
+<<Include(FreedomBox/Manual/Users, ,from="^##TAG:TRANSLATION-HEADER-START",to="^##TAG:TRANSLATION-HEADER-END")>>
 
 <<TableOfContents()>>
 
@@ -9,25 +9,36 @@
 == Usuarios y Grupos ==
 
 Puedes otorgar acceso a tu !FreedomBox a otros usuarios. Proporciona el nombre del usuario y su contraseña y asignale un grupo. Actualmente se soportan los grupos
+Esta app puede usarse para crear, editar y eliminar cuentas de usuario en !FreedomBox. Muchas apps con interfaz web en !FreedomBox admiten inicio de sesión único mediante OpenID Connect.
+Esto significa que si has iniciado sesión en la interfaz web de !FreedomBox, no es necesario iniciar sesión de forma separada en la app.
+Otras apps permiten usar las cuentas de !FreedomBox mediante LDAP.
+Finalmente, hay algunas apps que gestionan sus propias cuentas de usuario de forma independiente a las cuentas que tengas en !FreedomBox.
+
+
+
+Puedes otorgar acceso a tu FreedomBox a otros usuarios. Proporciona el nombre del usuario y su contraseña y asignale un grupo. Actualmente se soportan los grupos:
  * admin
  * bit-torrent
  * calibre
- * ed2k
  * feed-reader
  * freedombox-share
+ * freedombox-ssh
  * git-access
- * minidlna
+ * kiwix
- * syncthing
+ * syncthing-access
+ * vpn
  * web-search
  * wiki
 
-El usuario podrá ingresar a los servicios que soporten ingreso único (single-sign-on) mediante LDAP si figuran en el grupo apropriado.
+Los usuarios del grupo admin podrán ingresar en todos los servicios.
+También podrán acceder al sistema vía SSH y tendrán privilegios administrativos (sudo).
+Los grupos de un usuario pueden modificarse más adelante.
 
-Los usuarios del grupo `admin` podrán ingresar en todos los servicios. También pueden ingresar al sistema por SSH y escalar a privilegios administrativos (sudo).
+!FreedomBox admite el inicio de sesión con claves de acceso.
+Las claves de acceso son una alternativa más segura que las contraseñas y son la forma recomendada de autenticarse en !FreedomBox.
+Lee más en la [[FreedomBox/Guide/Passkeys|guía de claves de acceso de FreedomBox]].
 
-Estas características se pueden cambiar más tarde. 
+Asimismo es posible establecer una clave pública SSH que permitirá al usuario ingresar al sistema de modo seguro sin emplear su contraseña. Puedes dar de alta varias claves, una en cada línea. Las líneas en blanco o que comiencen por # se ignoran.
-
-Asimismo es posible establecer una clave pública SSH que permitirá al usuario ingresar al sistema de modo seguro sin emplear su contraseña. Pueder dar de alta varias claves, una en cada línea. Las líneas en blanco o que comiencen por # se ignoran.
 
 El idioma de la interfaz se puede establecer individualmente para cada usuario. Por omisión se emplea el del navegador.
 

doc/manual/es/freedombox-manual.raw.wiki

@@ -80,6 +80,7 @@
 <<Include(es/FreedomBox/Manual/Users,            , from="## BEGIN_INCLUDE", to="## END_INCLUDE")>>
 
 = Guías =
+<<Include(es/FreedomBox/Guide/Passkeys,          , from="## BEGIN_INCLUDE", to="## END_INCLUDE")>>
 <<Include(es/FreedomBox/Guide/ExposeLocalService,, from="## BEGIN_INCLUDE", to="## END_INCLUDE")>>
 
 = Hardware =

doc/plinth.xml

@@ -73,8 +73,8 @@
           <para>
             This the URL fragment under which Plinth will provide its services.
             Plinth is shipped with a default value of
-            <filename>/plinth</filename>. This means that Plinth will be
+            <filename>/freedombox</filename>. This means that Plinth will be
-            available as http://localhost:8000/plinth by default.
+            available as http://localhost:8000/freedombox by default.
           </para>
         </listitem>
       </varlistentry>
@@ -194,7 +194,7 @@
       <synopsis>$ plinth --server_dir='/myurl'</synopsis>
       <para>
         Run Plinth with the '/myurl' prefix. Note that Apache forwards requests
-        to '/plinth' by default, so /myurl is not accessible outside of your
+        to '/freedombox' by default, so /myurl is not accessible outside of your
         FreedomBox without adapting the apache configuration.
       </para>
     </example>

doc/scripts/wikiparser.py

@@ -13,7 +13,7 @@ from pathlib import Path
 from xml.sax.saxutils import escape
 
 BASE_URL = 'https://wiki.debian.org/'
-LOCAL_BASE = '/plinth/help/manual/{lang}/'
+LOCAL_BASE = '/freedombox/help/manual/{lang}/'
 ICONS_DIR = 'icons'
 
 DEFAULT_LANGUAGE = 'en'
@@ -624,21 +624,21 @@ def resolve_url(url, context):
 
     Locally available page in default language => shortcut to local copy:
     >>> resolve_url('FreedomBox/Contribute', {'language': '', 'title': ''})
-    '/plinth/help/manual/en/Contribute#'
+    '/freedombox/help/manual/en/Contribute#'
 
     Translated available page => shortcut to local copy:
     >>> resolve_url('es/FreedomBox/Contribute', {'language': '', 'title': ''})
-    '/plinth/help/manual/es/Contribute#'
+    '/freedombox/help/manual/es/Contribute#'
 
     Available page in default language refferred as translated => shortcut to
     local copy:
     >>> resolve_url('en/FreedomBox/Contribute', {'language': '', 'title': ''})
-    '/plinth/help/manual/en/Contribute#'
+    '/freedombox/help/manual/en/Contribute#'
 
     Unrecognized language => handle considering it as default language:
     >>> resolve_url('missing/FreedomBox/Contribute', {'language': '', \
     'title': ''})
-    '/plinth/help/manual/en/Contribute#'
+    '/freedombox/help/manual/en/Contribute#'
     """
 
     # Process first all easy, straight forward cases:
@@ -1191,11 +1191,11 @@ from="## BEGIN_INCLUDE", to="## END_INCLUDE")>>')
     [Paragraph([PlainText('a')]), Paragraph([PlainText('b ')])]
     >>> parse_wiki('{{{#!wiki caution\\n\\nOnce some other app is set as the \
 home page, you can only navigate to the !FreedomBox Service (Plinth) by \
-typing https://myfreedombox.rocks/plinth/ into the browser. <<BR>>\\n\
+typing https://myfreedombox.rocks/freedombox/ into the browser. <<BR>>\\n\
 ''/freedombox'' can also be used as an alias to ''/plinth''\\n}}}')
     [Admonition('caution', [Paragraph([PlainText('Once some other app is set \
 as the home page, you can only navigate to the FreedomBox Service (Plinth) by \
-typing '), Url('https://myfreedombox.rocks/plinth/'), PlainText(' into the \
+typing '), Url('https://myfreedombox.rocks/freedombox/'), PlainText(' into the \
 browser. ')]), Paragraph([PlainText('/freedombox can also be used as an alias \
 to /plinth ')])])]
 
@@ -1761,7 +1761,7 @@ Features introduction</ulink>'
 
     >>> generate_inner_docbook([Link('../../Contribute', \
 [PlainText('Contribute')])], context={'title': 'FreedomBox/Manual/Hardware'})
-    '<ulink url="/plinth/help/manual/en/Contribute#">\
+    '<ulink url="/freedombox/help/manual/en/Contribute#">\
 Contribute</ulink>'
 
     >>> generate_inner_docbook([Link('/Code', \
@@ -1772,9 +1772,9 @@ Code</ulink>'
     >>> generate_inner_docbook([Link('DebianBug:1234', [PlainText('Bug')])])
     '<ulink url="https://bugs.debian.org/1234#">Bug</ulink>'
 
-    >>> generate_inner_docbook([Link('DebianPkg:plinth', \
+    >>> generate_inner_docbook([Link('DebianPkg:freedombox', \
 [PlainText('Plinth')])])
-    '<ulink url="https://packages.debian.org/plinth#">Plinth</ulink>'
+    '<ulink url="https://packages.debian.org/freedombox#">Plinth</ulink>'
 
     >>> generate_inner_docbook([Link('AliothList:freedombox-discuss', \
 [PlainText('Discuss')])])
@@ -1911,7 +1911,7 @@ PlainText(' on it. ')])])
     '<para>An alternative to downloading these images is to \
 <ulink url="https://wiki.debian.org/InstallingDebianOn/TI/BeagleBone#">\
  install Debian</ulink> on the BeagleBone and then \
-<ulink url="/plinth/help/manual/en/Debian#">install \
+<ulink url="/freedombox/help/manual/en/Debian#">install \
 FreedomBox</ulink> on it. </para>'
 
     >>> generate_inner_docbook([Paragraph([PlainText('After Roundcube is \

plinth/__init__.py

@@ -3,4 +3,4 @@
 Package init file.
 """
 
-__version__ = '26.2'
+__version__ = '26.9.1'

plinth/action_utils.py

@@ -10,6 +10,7 @@ import shutil
 import subprocess
 import tempfile
 from contextlib import contextmanager
+from typing import Generator
 
 import augeas
 
@@ -17,9 +18,6 @@ from . import actions
 
 logger = logging.getLogger(__name__)
 
-UWSGI_ENABLED_PATH = '/etc/uwsgi/apps-enabled/{config_name}.ini'
-UWSGI_AVAILABLE_PATH = '/etc/uwsgi/apps-available/{config_name}.ini'
-
 # Flag on disk to indicate if freedombox package was held by
 # plinth. This is a backup in case the process is interrupted and hold
 # is not released.
@@ -137,25 +135,62 @@ def service_start(service_name: str, check: bool = False):
     """Start a service with systemd."""
     service_action(service_name, 'start', check=check)
 
+    # When starting a .socket unit, there is not need to start the .service
+    # unit as it will be automatically started when a request is received on
+    # the socket.
+
+
+def _get_service_unit(socket_name: str) -> str:
+    """Return the .service unit name for a .socket unit."""
+    # Instead, may need to query the unit for associated .service file.
+    base_name = socket_name.rpartition('.')[0]
+    return f'{base_name}.service'
+
 
 def service_stop(service_name: str, check: bool = False):
     """Stop a service with systemd."""
     service_action(service_name, 'stop', check=check)
 
+    # When stopping a .socket unit, most of the time, we must also stop
+    # .service unit. This frees up resources when disabling the app. It also
+    # stops using resources that are being backed up.
+    if service_name.endswith('.socket'):
+        service_action(_get_service_unit(service_name), 'stop', check=check)
+
 
 def service_restart(service_name: str, check: bool = False):
     """Restart a service with systemd."""
+    if not service_name.endswith('.socket'):
         service_action(service_name, 'restart', check=check)
+    else:
+        # When restarting a .socket unit, most of the time, we actually want to
+        # restart the corresponding .service unit. This reloads the
+        # configuration changes as needed. To restart, all we need to do stop
+        # the service. It will be automatically started again by .socket unit.
+        service_action(_get_service_unit(service_name), 'stop', check=check)
 
 
 def service_try_restart(service_name: str, check: bool = False):
     """Try to restart a service with systemd."""
+    if not service_name.endswith('.socket'):
         service_action(service_name, 'try-restart', check=check)
+    else:
+        # When try-restarting a .socket unit, most of the time, we actually
+        # want to restart the corresponding .service unit. This reloads the
+        # configuration changes as needed. To restart, all we need to do stop
+        # the service. It will be automatically started again by .socket unit.
+        service_action(_get_service_unit(service_name), 'stop', check=check)
 
 
 def service_reload(service_name: str, check: bool = False):
     """Reload a service with systemd."""
+    if not service_name.endswith('.socket'):
         service_action(service_name, 'reload', check=check)
+    else:
+        # When reloading a .socket unit, most of the time, we actually want to
+        # reload the corresponding .service unit. This reloads the
+        # configuration changes as needed.
+        service_action(_get_service_unit(service_name), 'reload', check=check)
 
 
 def service_try_reload_or_restart(service_name: str, check: bool = False):
@@ -163,7 +198,14 @@ def service_try_reload_or_restart(service_name: str, check: bool = False):
 
     Do nothing if service is not running.
     """
+    if not service_name.endswith('.socket'):
         service_action(service_name, 'try-reload-or-restart', check=check)
+    else:
+        # When reloading a .socket unit, most of the time, we actually want to
+        # reload the corresponding .service unit. This reloads the
+        # configuration changes as needed.
+        service_action(_get_service_unit(service_name),
+                       'try-reload-or-restart', check=check)
 
 
 def service_reset_failed(service_name: str, check: bool = False):
@@ -309,43 +351,6 @@ class WebserverChange:
         self.actions_required.add(action_required)
 
 
-def uwsgi_is_enabled(config_name):
-    """Return whether a uwsgi config is enabled."""
-    enabled_path = UWSGI_ENABLED_PATH.format(config_name=config_name)
-    return os.path.exists(enabled_path)
-
-
-def uwsgi_enable(config_name):
-    """Enable a uwsgi configuration that runs under uwsgi."""
-    if uwsgi_is_enabled(config_name):
-        return
-
-    # uwsgi is started/stopped using init script. We don't know if it can
-    # handle some configuration already running against newly enabled
-    # configuration. So, stop first before enabling new configuration.
-    service_stop('uwsgi')
-
-    enabled_path = UWSGI_ENABLED_PATH.format(config_name=config_name)
-    available_path = UWSGI_AVAILABLE_PATH.format(config_name=config_name)
-    os.symlink(available_path, enabled_path)
-
-    service_enable('uwsgi')
-    service_start('uwsgi')
-
-
-def uwsgi_disable(config_name):
-    """Disable a uwsgi configuration that runs under uwsgi."""
-    if not uwsgi_is_enabled(config_name):
-        return
-
-    # If uwsgi is restarted later, it won't stop the just disabled
-    # configuration due to how init scripts are written for uwsgi.
-    service_stop('uwsgi')
-    enabled_path = UWSGI_ENABLED_PATH.format(config_name=config_name)
-    os.unlink(enabled_path)
-    service_start('uwsgi')
-
-
 def get_addresses() -> list[dict[str, str | bool]]:
     """Return a list of IP addresses and hostnames."""
     addresses = get_ip_addresses()
@@ -370,12 +375,13 @@ def get_addresses() -> list[dict[str, str | bool]]:
         'url_address': hostname
     })
 
-    # XXX: When a hostname is resolved to IPv6 address, it may likely
+    # When a hostname is resolved to IPv6 address, it may likely be link-local
-    # be link-local address.  Link local IPv6 addresses are valid only
+    # address. Link local IPv6 addresses are valid only for a given link and
-    # for a given link and need to be scoped with interface name such
+    # need to be scoped with interface name such as '%eth0' to work. Browsers
-    # as '%eth0' to work.  Tools such as curl don't seem to handle
+    # refused to implement support for link-local addresses (with zone IDs) in
+    # URLs due to platform specific parsing rules and other implementation
+    # difficulties. mod_auth_openidc does not support them either.
     # this correctly.
-    # addresses.append({'kind': '6', 'address': hostname, 'numeric': False})
 
     return addresses
 
@@ -397,12 +403,14 @@ def get_ip_addresses() -> list[dict[str, str | bool]]:
         }
 
         if address['kind'] == '6' and address['numeric']:
-            if address['scope'] != 'link':
             address['url_address'] = '[{0}]'.format(address['address'])
-            else:
-                address['url_address'] = '[{0}%{1}]'.format(
-                    address['url_address'], address['interface'])
 
+        if address['scope'] != 'link':
+            # Do not include link local addresses. Browsers refused to
+            # implement support for link-local addresses (with zone IDs) in
+            # URLs due to platform specific parsing rules and other
+            # implementation difficulties. mod_auth_openidc does not support
+            # them either.
             addresses.append(address)
 
     return addresses
@@ -465,9 +473,31 @@ def is_disk_image():
     return os.path.exists('/var/lib/freedombox/is-freedombox-disk-image')
 
 
-def run_apt_command(arguments, enable_triggers: bool = False):
+def run_apt_command(arguments, enable_triggers: bool = False,
+                    allow_freedombox_restart=False):
     """Run apt-get with provided arguments."""
-    command = ['apt-get', '--assume-yes', '--quiet=2'] + arguments
+    command = []
+    if not allow_freedombox_restart:
+        # Don't restart the freedombox web service. This configuration is only
+        # used when apt command is invoked from freedombox web service itself
+        # (such as during an app's installation/uninstallation).
+        #
+        # If this is not done, a freedombox web service restart is attempted.
+        # needsrestart will wait until the restart is completed. apt command
+        # will wait until needsrestart is completed. The restart mechanism in
+        # service will wait until all currently running threads are completed.
+        # One thread that has invoked this apt command will not finish as it
+        # waits for apt command to finish. This results in a deadlock. Avoid
+        # this by not attempting to restart freedombox web service when apt
+        # command is invoked from freedombox web service.
+        mount_path = '/etc/needrestart/conf.d/freedombox-self.conf'
+        orig_path = f'/usr/share/freedombox{mount_path}'
+        command = [
+            'systemd-run', '--pipe',
+            f'--property=BindReadOnlyPaths={orig_path}:{mount_path}'
+        ]
+
+    command += ['apt-get', '--assume-yes', '--quiet=2'] + arguments
 
     env = os.environ.copy()
     env['DEBIAN_FRONTEND'] = 'noninteractive'
@@ -838,3 +868,13 @@ def run(command, **kwargs):
         raise exception
 
     return process
+
+
+@contextmanager
+def umask(mask) -> Generator:
+    """Set the umask temporarily for a operation and then revert it."""
+    old_umask = os.umask(mask)
+    try:
+        yield
+    finally:
+        os.umask(old_umask)

plinth/actions.py

@@ -369,7 +369,6 @@ class JSONEncoder(json.JSONEncoder):
 
 def _setup_thread_storage():
     """Setup collection of stdout/stderr from any process in this thread."""
-    global thread_storage
     thread_storage.stdout = b''
     thread_storage.stderr = b''
 
@@ -380,14 +379,12 @@ def _clear_thread_storage():
     Python documentation is silent on whether thread local storage will be
     cleaned up after a thread terminates.
     """
-    global thread_storage
     thread_storage.stdout = None
     thread_storage.stderr = None
 
 
 def get_return_value_from_exception(exception):
     """Return the value to return from server when an exception is raised."""
-    global thread_storage
     return_value = {
         'result': 'exception',
         'exception': {

plinth/app.py

@@ -574,10 +574,19 @@ class Info(FollowerComponent):
         except ImproperlyConfigured:
             # Hack to allow apps to be instantiated without Django
             # initialization as required by privileged process.
-            return [
+            def _make_str(tag):
-                tag._proxy____args[0] if isinstance(tag, Promise) else tag
+                """Return the string without casting."""
-                for tag in self._tags
+                if not isinstance(tag, Promise):
-            ]
+                    return tag
+
+                # Django 4.2
+                if hasattr(tag, '_proxy____args'):
+                    return tag._proxy____args[0]
+
+                # Django 5.x
+                return tag._args[0]
+
+            return [_make_str(tag) for tag in self._tags]
 
 
 class EnableState(LeaderComponent):

plinth/cfg.py

@@ -12,13 +12,11 @@ logger = logging.getLogger(__name__)
 
 # [Path] section
 file_root = '/usr/share/plinth'
-config_dir = '/etc/plinth'
 data_dir = '/var/lib/plinth'
 custom_static_dir = '/var/www/plinth/custom/static'
 store_file = data_dir + '/plinth.sqlite3'
-actions_dir = '/usr/share/plinth/actions'
 doc_dir = '/usr/share/freedombox'
-server_dir = '/plinth'
+server_dir = '/freedombox'
 
 # [Network] section
 host = '127.0.0.1'
@@ -111,11 +109,9 @@ def read_file(config_path):
 
     config_items = (
         ('Path', 'file_root', 'string'),
-        ('Path', 'config_dir', 'string'),
         ('Path', 'data_dir', 'string'),
         ('Path', 'custom_static_dir', 'string'),
         ('Path', 'store_file', 'string'),
-        ('Path', 'actions_dir', 'string'),
         ('Path', 'doc_dir', 'string'),
         ('Path', 'server_dir', 'string'),
         ('Network', 'host', 'string'),

plinth/clients.py

@@ -44,7 +44,8 @@ def _check(client, condition):
 def _client_has_desktop(client):
     """Filter to find out whether an application has desktop clients"""
     return _check(
-        client, lambda platform: platform.get('os') in enum_values(Desktop_OS))
+        client, lambda platform: platform.get('os') in enum_values(Desktop_OS)
+        and platform.get('type') != 'package')
 
 
 def _client_has_mobile(client):
@@ -116,7 +117,7 @@ def _validate_platform_package(platform):
 
 def _validate_platform_download(platform):
     """Validate a platform of type download."""
-    assert platform['os'] in enum_values(Desktop_OS)
+    assert platform['os'] in enum_values(Desktop_OS) + enum_values(Mobile_OS)
     assert isinstance(platform['url'], (str, Promise))
 
 

plinth/conftest.py

@@ -64,10 +64,10 @@ def fixture_load_cfg():
     """Load test configuration."""
     from plinth import cfg
 
-    keys = ('file_root', 'config_dir', 'data_dir', 'custom_static_dir',
+    keys = ('file_root', 'data_dir', 'custom_static_dir', 'store_file',
-            'store_file', 'actions_dir', 'doc_dir', 'server_dir', 'host',
+            'doc_dir', 'server_dir', 'host', 'port', 'use_x_forwarded_for',
-            'port', 'use_x_forwarded_for', 'use_x_forwarded_host',
+            'use_x_forwarded_host', 'secure_proxy_ssl_header', 'box_name',
-            'secure_proxy_ssl_header', 'box_name', 'develop')
+            'develop')
     saved_state = {}
     for key in keys:
         saved_state[key] = getattr(cfg, key)

plinth/db/dbconfig.py

@@ -0,0 +1,40 @@
+# SPDX-License-Identifier: AGPL-3.0-or-later
+"""Utilities for parsing dbconfig-common files with Augeas."""
+
+import pathlib
+
+import augeas
+
+
+def get_credentials(dbconfig_path: str) -> dict[str, str]:
+    """Parse dbconfig-common file with Augeas Shellvars lens."""
+    if not pathlib.Path(dbconfig_path).is_file():
+        raise FileNotFoundError(f'DB config not found: {dbconfig_path}')
+
+    aug = _load_augeas(dbconfig_path)
+
+    required = ['dbc_dbuser', 'dbc_dbpass', 'dbc_dbname']
+    credentials = {}
+    for key in required + ['dbc_dbserver']:
+        credentials[key] = aug.get(key).strip('\'"')
+
+    if not all(credentials.get(key) for key in required):
+        raise ValueError('Missing required dbconfig-common credentials')
+
+    return {
+        'user': credentials['dbc_dbuser'],
+        'password': credentials['dbc_dbpass'],
+        'database': credentials['dbc_dbname'],
+        'host': credentials['dbc_dbserver'] or 'localhost'
+    }
+
+
+def _load_augeas(config_path: str):
+    """Initialize Augeas."""
+    aug = augeas.Augeas(flags=augeas.Augeas.NO_LOAD +
+                        augeas.Augeas.NO_MODL_AUTOLOAD)
+    pathstr = str(config_path)
+    aug.transform('Shellvars', pathstr)
+    aug.set('/augeas/context', f'/files{pathstr}')
+    aug.load()
+    return aug

plinth/develop.config

@@ -1,5 +1,3 @@
 [Path]
 file_root = %(parent_parent_dir)s
-config_dir = %(file_root)s/data/etc/plinth
-actions_dir = %(file_root)s/actions
 doc_dir = %(file_root)s/doc

plinth/locale/README

@@ -10,7 +10,7 @@ translating the PO file from your language directory.
 Introducing yourself is important since some work may have been done
 already on Debian translators discussion lists and Weblate
 localization platform.
-https://hosted.weblate.org/projects/freedombox/plinth/
+https://hosted.weblate.org/projects/freedombox/freedombox/
 https://www.debian.org/MailingLists/subscribe
 
 ## Wiki: translators landing page