ConfigLMM 0.1.0 → 0.3.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 8e1dcd8d8d61d199700f39e2298c45ffaedfcb12822a833ebd16423120c4526c
-  data.tar.gz: ea7e2be4c9ea59a2babe325a8d63c1440aae67f147106d4b30e17839c0d6abda
+  metadata.gz: '0078988f4f9bf52b61e5de21839b6ab1da6c56e24e4999987b9818cab6b5c7ca'
+  data.tar.gz: 429aed3d4f1a83271175022c479408db601b85c0f991163d0f87527a6fe55135
 SHA512:
-  metadata.gz: 32fcd1db26c56ce7787a4515ce1d653cf96cf9a812f56ac7bcaa94465bcad4fa0a3082f2420cf6bdea7ae7b8e6229c8d416b3be7e4157eb37d3ea11cd4c7a42c
-  data.tar.gz: fcd652884fe0f191739e830315da87f066507fd719e38b60bdfeb35030116de97ac9eaabf913b9e75f2e33c95a85dafc77539eba985be6968a80f136d545c186
+  metadata.gz: afc93dc18858dd5102963d65c27adf37891a69e3cd80a768d2fc8c08c64ccb8cc50478a594a18c3769de7efc6c921d75fc92357fa948ace10091b010a932e6f6
+  data.tar.gz: 615fdfbd8cb389fefa0aacd51e6b2cf3739e7e7305d0ed389dec481d79a12cb1289e12a4b3224faf092c8c858cfd357c95e803d584024feb0225409b0d8cca69

data/CHANGELOG.md

@@ -1,5 +1,67 @@
-## [Unreleased]
+
+## [0.3.0] - 2024-08-13
+
+Implement:
+- systemd UserCgroups
+- Authentik - https://goauthentik.io/
+- WireGuard - https://www.wireguard.com/
+- Dovecot - https://www.dovecot.org/
+- Nextcloud - https://nextcloud.com/
+- Vaultwarden - https://github.com/dani-garcia/vaultwarden
+- Linux: fstab tmpfs
+- Linux: Network config
+- Linux: deployLocal() and Execute commands
+- SSH settings
+- Odoo - https://www.odoo.com/
+- GitLab - https://about.gitlab.com/
+- Partial UVdesk - https://www.uvdesk.com/en/ticket-management-system/
+- Peppermint - https://peppermint.sh/
+- Cassandra - https://cassandra.apache.org/_/index.html
+
+Other improvements:
+- Add bootstrap.sh script
+- PowerDNS
+- GoDaddy
+- Nginx
+- PostgreSQL: Support Logical Replication
+- Postfix
+- gollum
+- Linux: Users SSHKey
+- PostgreSQL
+- Valkey
+
+## [0.2.0] - 2024-07-19
+
+- openSUSE - https://www.opensuse.org/
+- libvirt - https://libvirt.org/
+- More Linux configs (including SSH)
+- postfix - https://www.postfix.org/
+- PostgreSQL - https://www.postgresql.org/
 
 ## [0.1.0] - 2024-06-06
 
 - Initial release
+- PorkbunDNS - https://porkbun.com/
+- TonicDNS - https://www.tonic.to/
+- PowerDNS - https://www.powerdns.com/
+- GoDaddy - https://www.godaddy.com/
+- Linux
+- ArubaInstant - https://www.arubanetworks.com/
+- ArchiSteamFarm - https://github.com/JustArchiNET/ArchiSteamFarm
+- Bitmagnet - https://bitmagnet.io/
+- Gollum - https://github.com/gollum/gollum
+- Grafana - https://grafana.com/
+- IPFS - https://ipfs.tech/
+- InfluxDB - https://www.influxdata.com/
+- Jackett - https://github.com/Jackett/Jackett/
+- Jellyfin - https://jellyfin.org/
+- Mastodon - https://github.com/mastodon/mastodon
+- Matrix - https://matrix.org/
+- Netdata - https://www.netdata.cloud/
+- Nextcloud - https://nextcloud.com/
+- Odoo - https://www.odoo.com/
+- Pterodactyl - https://pterodactyl.io/
+- qBittorrent - https://www.qbittorrent.org/
+- Scrutiny - https://github.com/AnalogJ/scrutiny
+- Sunshine - https://app.lizardbyte.dev/Sunshine/
+- Vaultwarden - https://github.com/dani-garcia/vaultwarden

data/Examples/Implemented.mm.yaml

@@ -43,9 +43,53 @@ GoDaddy:
 
 Linux:
     Type: Linux
+    Location: qemu:///session
+    AlternativeLocation: ssh://example.org/
+    Distro: openSUSE Leap
+    CPU: 2
+    RAM: 4 GiB
+    Storage: 30 GiB
+    Tmpfs: 1G
+    Domain: example.org
     Hosts:
         127.0.0.1:
             - example.org
+    Apps:
+        - sshd
+        - fish
+        - vim
+    Users:
+        root:
+            Shell: fish
+            SSHKey: yes
+            AuthorizedKeys:
+                - ~/.ssh/id_ed25519.pub
+    SSH:
+        Config:
+            Example:
+                User: root
+                HostName: example.org
+    Sysctl:
+        vm.overcommit_memory: 1 # Need for ValKey
+        net.ipv4.ip_forward: 1 # Need for Wanguard
+    Network:
+        IP: 192.168.1.2/24
+        Gateway: 192.168.1.1
+        DNS: 192.168.1.1
+    Execute:
+        sh: echo Hello World from ConfigLMM > /tmp/hello
+
+SSH:
+    Type: SSH
+    Location: ssh://example.org/
+    Port: 1234
+    Settings:
+        PasswordAuthentication: no
+
+Systemd:
+    Type: systemd
+    Location: ssh://example.org/
+    UserCgroups: yes # Need for Podman
 
 # https://www.arubanetworks.com/
 ArubaInstant:
@@ -58,11 +102,39 @@ ArchiSteamFarm:
     Type: ArchiSteamFarm
     Domain: ASF.example.org
 
+# https://goauthentik.io/
+Authentik:
+    Type: Authentik
+    Location: ssh://example.org/
+    Domain: auth.example.org
+
 # https://bitmagnet.io/
 Bitmagnet:
     Type: Bitmagnet
     Domain: bitmagnet.example.org
 
+# https://cassandra.apache.org/_/index.html
+Cassandra:
+    Type: Cassandra
+    Location: ssh://example.org/
+    ClusterName: Cluster
+
+# https://www.dovecot.org/
+Dovecot:
+    Type: Dovecot
+    Location: ssh://example.org/
+
+# https://about.gitlab.com/
+GitLab:
+    Type: GitLab
+    Location: ssh://example.org/
+    Domain: git.example.org
+    SMTP:
+        HostName: email.example.org
+        Port: 465
+        User: git@example.org
+        TLS: yes
+
 # https://github.com/gollum/gollum
 Gollum:
     Type: Gollum
@@ -114,11 +186,45 @@ Netdata:
 Nextcloud:
     Type: Nextcloud
     Domain: nextcloud.example.org
+    Database:
+        Type: pgsql
+        HostName: localhost
 
 # https://www.odoo.com/
 Odoo:
     Type: Odoo
     Domain: odoo.example.org
+    Database:
+        HostName: db.example.org
+
+# https://peppermint.sh/
+Peppermint:
+    Type: Peppermint
+    Location: ssh://example.org/
+    Domain: Peppermint.example.org
+
+# https://www.postfix.org/
+Postfix:
+    Type: Postfix
+    Location: ssh://example.org/
+    AlternativePort: 2525
+    SMTP: unix
+    ForwardAll: example.com
+    ForwardDovecot: yes
+    Settings:
+        inet_interfaces: $myhostname, localhost
+
+PostgreSQL:
+    Type: PostgreSQL
+    Location: ssh://example.org/
+    ListenAll: yes
+    Users:
+        replication:
+            Replication: yes
+            Password: ${ENV:POSTGRES_REPLICATION_PASSWORD}
+    Subscriptions:
+        db:
+            Connection: user=replication dbname=db password=${ENV:POSTGRES_REPLICATION_PASSWORD}
 
 # https://pterodactyl.io/
 Pterodactyl:
@@ -149,7 +255,21 @@ Sunshine:
     Type: Sunshine
     Domain: sunshine.example.org
 
+# https://valkey.io/ (Redis fork)
+Valkey:
+    Type: Valkey
+    Location: ssh://example.org/
+
 # https://github.com/dani-garcia/vaultwarden
 Vaultwarden:
     Type: Vaultwarden
     Domain: vaultwarden.example.org
+
+# https://www.wireguard.com/
+WireGuard:
+    Type: WireGuard
+    Location: ssh://example.org/
+    Address: 172.20.0.1/20
+    Peers:
+        example:
+            Endpoint: example.example.org

data/Examples/Keys.ini

@@ -1,6 +1,8 @@
 ARUBA_INSTANT_PASSWORD=
 GITHUB_TOKEN=
 GODADDY_SECRET=
+LINUX_ROOT_PASSWORD=
+LINUX_ROOT_PASSWORD_HASH=
 PORKBUN_API_KEY=
 PORKBUN_SECRET_API_KEY=
 POWERDNS_API_KEY=

data/Examples/Linux.mm.yaml

@@ -1,16 +1,27 @@
 Linux:
-    Type: ArchLinux
+    Type: Linux
+    Distro: ArchLinux
     Apps:
         - fish
         - vim
     Users:
-        - user1:
+        user1:
             Admin: Yes
             Shell: fish
-        - user2:
+            AuthorizedKeys:
+                - ~/.ssh/id_ed25519.pub
+        user2:
             Admin: Yes
             Shell: fish
             Comment: Other user
+    Domain: example.org
     Hosts:
         127.0.0.1:
             - example.org
+    SSH:
+        Config:
+            Example:
+                User: root
+                HostName: example.org
+    Sysctl:
+        vm.overcommit_memory: 1

data/Plugins/Apps/Authentik/Authentik-Server.container

@@ -0,0 +1,18 @@
+
+[Unit]
+Description=Authentik Server container
+After=local-fs.target
+
+[Container]
+Image=ghcr.io/goauthentik/server:latest
+Exec=server
+EnvironmentFile=/var/lib/authentik/.config/containers/systemd/Authentik.env
+Network=slirp4netns:allow_host_loopback=true
+PublishPort=127.0.0.1:19000:9000
+PublishPort=127.0.0.1:19300:9300
+UserNS=keep-id:uid=1000,gid=1000
+Volume=/var/lib/authentik/media:/media
+Volume=/var/lib/authentik/templates:/templates
+
+[Install]
+WantedBy=multi-user.target default.target

data/Plugins/Apps/Authentik/Authentik-Worker.container

@@ -0,0 +1,17 @@
+
+[Unit]
+Description=Authentik Worker container
+After=local-fs.target
+
+[Container]
+Image=ghcr.io/goauthentik/server:latest
+Exec=worker
+EnvironmentFile=/var/lib/authentik/.config/containers/systemd/Authentik.env
+Network=slirp4netns:allow_host_loopback=true
+UserNS=keep-id:uid=1000,gid=1000
+Volume=/var/lib/authentik/media:/media
+Volume=/var/lib/authentik/templates:/templates
+Volume=/var/lib/authentik/certs:/certs
+
+[Install]
+WantedBy=multi-user.target default.target

data/Plugins/Apps/Authentik/Authentik.conf.erb

@@ -0,0 +1,35 @@
+
+# Upstream where your authentik server is hosted.
+upstream authentik {
+    server localhost:19000;
+
+    # Improve performance by keeping some connections alive.
+    keepalive 10;
+}
+
+server {
+    <% if config['NginxVersion'] >= 1.25 %>
+        listen 443 ssl;
+        listen [::]:443 ssl;
+        http2 on;
+        http3 on;
+        quic_retry on;
+        add_header Alt-Svc 'h3=":443"; ma=86400';
+    <% else %>
+        listen 443 ssl http2;
+        listen [::]:443 ssl http2;
+    <% end %>
+
+    include config-lmm/ssl.conf;
+
+    server_name <%= config['Domain'] %>;
+
+    access_log  /var/log/nginx/authentik.access.log;
+    error_log   /var/log/nginx/authentik.error.log;
+
+    # Proxy site
+    location / {
+        proxy_pass http://authentik;
+        include config-lmm/proxy.conf;
+    }
+}

data/Plugins/Apps/Authentik/Authentik.lmm.rb

@@ -0,0 +1,73 @@
+
+module ConfigLMM
+    module LMM
+        class Authentik < Framework::NginxApp
+
+            USER = 'authentik'
+            HOME_DIR = '/var/lib/authentik'
+            HOST_IP = '10.0.2.2'
+
+            def actionAuthentikBuild(id, target, state, context, options)
+                self.writeNginxConfig(__dir__, 'Authentik', id, target, state, context, options)
+            end
+
+            def actionAuthentikDeploy(id, target, activeState, context, options)
+                if target['Location'] && target['Location'] != '@me'
+                    uri = Addressable::URI.parse(target['Location'])
+                    case uri.scheme
+                    when 'ssh'
+                        self.class.sshStart(uri) do |ssh|
+                            self.prepareConfig(target, ssh)
+
+                            dbPassword = self.configurePostgreSQL(target['Database'], ssh)
+                            distroInfo = Framework::LinuxApp.currentDistroInfo(ssh)
+                            Framework::LinuxApp.configurePodmanServiceOverSSH(USER, HOME_DIR, 'Authentik IdP and SSO', distroInfo, ssh)
+                            self.class.sshExec!(ssh, "su --login #{USER} --shell /bin/sh --command 'mkdir -p ~/media'")
+                            self.class.sshExec!(ssh, "su --login #{USER} --shell /bin/sh --command 'mkdir -p ~/templates'")
+                            self.class.sshExec!(ssh, "su --login #{USER} --shell /bin/sh --command 'mkdir -p ~/certs'")
+
+                            path = Framework::LinuxApp::SYSTEMD_CONTAINERS_PATH.gsub('~', HOME_DIR)
+                            self.class.sshExec!(ssh, " echo 'AUTHENTIK_SECRET_KEY=#{SecureRandom.urlsafe_base64(60)}' > #{path}/Authentik.env")
+                            self.class.sshExec!(ssh, " echo 'AUTHENTIK_REDIS__HOST=#{HOST_IP}' >> #{path}/Authentik.env")
+                            self.class.sshExec!(ssh, " echo 'AUTHENTIK_POSTGRESQL__HOST=#{HOST_IP}' >> #{path}/Authentik.env")
+                            self.class.sshExec!(ssh, " echo 'AUTHENTIK_POSTGRESQL__PASSWORD=#{dbPassword}' >> #{path}/Authentik.env")
+                            self.class.sshExec!(ssh, "chown #{USER}:#{USER} #{path}/Authentik.env")
+                            self.class.sshExec!(ssh, "chmod 600 #{path}/Authentik.env")
+
+                            ssh.scp.upload!(__dir__ + '/Authentik-Server.container', path)
+                            ssh.scp.upload!(__dir__ + '/Authentik-Worker.container', path)
+                            self.class.sshExec!(ssh, "systemctl --user --machine=#{USER}@ daemon-reload")
+                            self.class.sshExec!(ssh, "systemctl --user --machine=#{USER}@ start Authentik-Server")
+                            self.class.sshExec!(ssh, "systemctl --user --machine=#{USER}@ start Authentik-Worker")
+
+                            Framework::LinuxApp.ensureServiceAutoStartOverSSH(NGINX_PACKAGE, ssh)
+                            self.writeNginxConfig(__dir__, 'Authentik', id, target, state, context, options)
+                            self.deployNginxConfig(id, target, activeState, context, options)
+                            Framework::LinuxApp.startServiceOverSSH(NGINX_PACKAGE, ssh)
+                        end
+                    else
+                        raise Framework::PluginProcessError.new("#{id}: Unknown protocol: #{uri.scheme}!")
+                    end
+                else
+                    # TODO
+                end
+            end
+
+            def prepareConfig(target, ssh)
+              target['Database'] ||= {}
+
+              raise Framework::PluginProcessError.new('Domain field must be set!') unless target['Domain']
+
+              Framework::LinuxApp.ensurePackages([NGINX_PACKAGE], ssh)
+              self.class.prepareNginxConfig(target, ssh)
+            end
+
+            def configurePostgreSQL(settings, ssh)
+                password = SecureRandom.alphanumeric(20)
+                PostgreSQL.createRemoteUserAndDBOverSSH(settings, USER, password, ssh)
+                password
+            end
+
+        end
+    end
+end

data/Plugins/Apps/Cassandra/Cassandra.lmm.rb

@@ -0,0 +1,41 @@
+
+module ConfigLMM
+    module LMM
+        class Cassandra < Framework::Plugin
+            PACKAGE_NAME = 'Cassandra'
+            SERVICE_NAME = 'cassandra'
+
+            def actionCassandraDeploy(id, target, activeState, context, options)
+                plugins[:Linux].ensurePackage(PACKAGE_NAME, target['Location'])
+                plugins[:Linux].ensureServiceAutoStart(SERVICE_NAME, target['Location'])
+
+                if target['Location'] && target['Location'] != '@me'
+                    uri = Addressable::URI.parse(target['Location'])
+                    raise Framework::PluginProcessError.new("#{id}: Unknown Protocol: #{uri.scheme}!") if uri.scheme != 'ssh'
+
+                    self.class.sshStart(uri) do |ssh|
+                        distroInfo = Framework::LinuxApp.currentDistroInfo(ssh)
+                        configFile = '/etc/cassandra/cassandra.yaml'
+                        if distroInfo['Name'] == 'openSUSE Leap'
+                            configFile = '/etc/cassandra/conf/cassandra.yaml'
+                        end
+
+                        cmd = "sed -i 's|^uuid_sstable_identifiers_enabled:.*|uuid_sstable_identifiers_enabled: true|' #{configFile}"
+                        self.class.sshExec!(ssh, cmd)
+                        if target['ClusterName']
+                            cmd = "sed -i 's|^cluster_name:.*|cluster_name: #{target['ClusterName']}|' #{configFile}"
+                            self.class.sshExec!(ssh, cmd)
+                        end
+                    end
+                else
+                    # TODO
+                end
+
+                plugins[:Linux].startService(SERVICE_NAME, target['Location'])
+            end
+
+        end
+
+    end
+end
+

data/Plugins/Apps/Dovecot/Dovecot.lmm.rb

@@ -0,0 +1,165 @@
+
+module ConfigLMM
+    module LMM
+        class Dovecot < Framework::Plugin
+            PACKAGE_NAME = 'Dovecot'
+            SERVICE_NAME = 'dovecot'
+            DOVECOT_DIR = '/etc/dovecot/'
+            EMAIL_HOME = '/var/lib/email'
+            EMAIL_USER = 'email'
+
+            def actionDovecotDeploy(id, target, activeState, context, options)
+                plugins[:Linux].ensurePackage(PACKAGE_NAME, target['Location'])
+                plugins[:Linux].ensureServiceAutoStart(SERVICE_NAME, target['Location'])
+
+                if target['Location'] && target['Location'] != '@me'
+                    uri = Addressable::URI.parse(target['Location'])
+                    raise Framework::PluginProcessError.new("#{id}: Unknown Protocol: #{uri.scheme}!") if uri.scheme != 'ssh'
+
+                    self.class.sshStart(uri) do |ssh|
+                        distroInfo = Framework::LinuxApp.currentDistroInfo(ssh)
+                        addUserCmd = "#{distroInfo['CreateServiceUser']} --home-dir '#{EMAIL_HOME}' --create-home --comment 'Dovecot EMail' #{EMAIL_USER}"
+                        self.class.sshExec!(ssh, addUserCmd, true)
+                        uid = self.class.sshExec!(ssh, "id -u #{EMAIL_USER}").strip
+
+                        cmd = "sed -i 's|^#mail_uid =.*|mail_uid = #{uid}|' #{DOVECOT_DIR}conf.d/10-mail.conf"
+                        self.class.sshExec!(ssh, cmd)
+                        cmd = "sed -i 's|^#mail_gid =.*|mail_gid = #{uid}|' #{DOVECOT_DIR}conf.d/10-mail.conf"
+                        self.class.sshExec!(ssh, cmd)
+                        cmd = "sed -i 's|^#mail_location =.*|mail_location = maildir:~/Mail|' #{DOVECOT_DIR}conf.d/10-mail.conf"
+                        self.class.sshExec!(ssh, cmd)
+
+                        updateRemoteFile(ssh, DOVECOT_DIR + 'conf.d/10-mail.conf', options) do |configLines|
+                            configLines << "mail_home = #{EMAIL_HOME}/emails/%u\n"
+                            configLines << "first_valid_uid = #{uid}\n"
+                            configLines << "last_valid_uid = #{uid}\n"
+                        end
+
+                        self.class.cutConfigSection(DOVECOT_DIR + 'conf.d/10-master.conf', 'service lmtp', options, ssh)
+                        updateRemoteFile(ssh, DOVECOT_DIR + 'conf.d/10-master.conf', options) do |configLines|
+                            configLines << "service lmtp {\n"
+                            configLines << "    unix_listener lmtp {\n"
+                            configLines << "        user = postfix\n"
+                            configLines << "        group = postfix\n"
+                            configLines << "        mode = 0600\n"
+                            configLines << "    }\n"
+                            configLines << "}\n"
+                        end
+
+                        self.class.cutConfigSection(DOVECOT_DIR + 'conf.d/15-mailboxes.conf', 'namespace inbox', options, ssh)
+                        updateRemoteFile(ssh, DOVECOT_DIR + 'conf.d/15-mailboxes.conf', options) do |configLines|
+                            configLines << "namespace inbox {\n"
+                            configLines << "    mailbox Drafts {\n"
+                            configLines << "        special_use = \\Drafts\n"
+                            configLines << "        auto = subscribe\n"
+                            configLines << "    }\n"
+                            #configLines << "    mailbox Junk {\n"
+                            #configLines << "        special_use = \\Junk\n"
+                            #configLines << "        auto = subscribe\n"
+                            #configLines << "    }\n"
+                            configLines << "    mailbox Trash {\n"
+                            configLines << "        special_use = \\Trash\n"
+                            configLines << "        auto = subscribe\n"
+                            configLines << "    }\n"
+                            configLines << "    mailbox Sent {\n"
+                            configLines << "        special_use = \\Sent\n"
+                            configLines << "        auto = subscribe\n"
+                            configLines << "    }\n"
+                            configLines << "}\n"
+                        end
+
+                        self.class.sshExec!(ssh, "firewall-cmd -q --add-service='imaps'")
+                        self.class.sshExec!(ssh, "firewall-cmd -q --permanent --add-service='imaps'")
+
+                        cmd = "sed -i 's|^!include auth-system.conf.ext|#!include auth-system.conf.ext|' #{DOVECOT_DIR}conf.d/10-auth.conf"
+                        self.class.sshExec!(ssh, cmd)
+
+                        if target['OAuth2']
+                            cmd = "sed -i 's|auth_mechanisms =.*|auth_mechanisms = xoauth2 oauthbearer|' #{DOVECOT_DIR}conf.d/10-auth.conf"
+                            self.class.sshExec!(ssh, cmd)
+
+                            updateRemoteFile(ssh, DOVECOT_DIR + 'conf.d/10-auth.conf', options) do |configLines|
+                                configLines << "userdb {\n"
+                                configLines << "    driver = static\n"
+                                configLines << "    args = allow_all_users=yes\n"
+                                configLines << "}\n"
+                                configLines << "passdb {\n"
+                                configLines << "    driver = oauth2\n"
+                                configLines << "    mechanisms = xoauth2 oauthbearer\n"
+                                configLines << "    args = #{DOVECOT_DIR}dovecot-oauth2.conf.ext\n"
+                                configLines << "}\n"
+                            end
+
+                            updateRemoteFile(ssh, DOVECOT_DIR + 'dovecot-oauth2.conf.ext', options) do |configLines|
+                                # Need v2.3.16+
+                                #configLines << "openid_configuration_url = #{target['OAuth2']['OIDC']}\n"
+                                if target['OAuth2']['TokenInfo']
+                                    configLines << "tokeninfo_url = #{target['OAuth2']['TokenInfo']}\n"
+                                end
+                                if target['OAuth2']['Introspection']
+                                    configLines << "introspection_url = #{target['OAuth2']['Introspection']}\n"
+                                end
+                                if target['OAuth2']['ClientID']
+                                    configLines << "client_id = #{target['OAuth2']['ClientID']}\n"
+                                end
+                                if ENV['DOVECOT_OAUTH2_SECRET']
+                                    configLines << "client_secret = #{ENV['DOVECOT_OAUTH2_SECRET']}\n"
+                                end
+                            end
+                        else
+                            cmd = "sed -i 's|auth_mechanisms =.*|auth_mechanisms = plain|' #{DOVECOT_DIR}conf.d/10-auth.conf"
+                            self.class.sshExec!(ssh, cmd)
+
+                            updateRemoteFile(ssh, DOVECOT_DIR + 'conf.d/10-auth.conf', options) do |configLines|
+                                configLines << "auth_username_format = %u\n"
+                                configLines << "userdb {\n"
+                                configLines << "    driver = static\n"
+                                configLines << "    args = allow_all_users=yes\n"
+                                configLines << "}\n"
+                                configLines << "passdb {\n"
+                                configLines << "    driver = passwd-file\n"
+                                configLines << "    args = #{DOVECOT_DIR}passwords\n"
+                                configLines << "}\n"
+                            end
+                            self.class.sshExec!(ssh, "touch #{DOVECOT_DIR}passwords")
+                            self.class.sshExec!(ssh, "chown dovecot:dovecot #{DOVECOT_DIR}passwords")
+                            self.class.sshExec!(ssh, "chmod 600 #{DOVECOT_DIR}passwords")
+                        end
+
+                        certDir = Framework::LinuxApp.createCertificateOverSSH(ssh)
+                        updateRemoteFile(ssh, DOVECOT_DIR + 'conf.d/10-ssl.conf', options) do |configLines|
+                            configLines << "ssl_cert = <#{certDir}fullchain.pem\n"
+                            configLines << "ssl_key = <#{certDir}privkey.pem\n"
+                        end
+                    end
+                else
+                    # TODO
+                end
+
+                plugins[:Linux].startService(SERVICE_NAME, target['Location'])
+            end
+
+            def self.cutConfigSection(file, sectionStart, options, ssh)
+                localFile = options['output'] + '/' + SecureRandom.alphanumeric(10)
+                File.write(localFile, '')
+                self.sshExec!(ssh, "touch #{file}")
+                ssh.scp.download!(file, localFile)
+                fileData = File.read(localFile)
+                position = fileData.index(sectionStart)
+                if position
+                    # Find the index of the closing brace of the section
+                    # We use a regular expression to find the next non-nested closing brace
+                    match = fileData[position..-1].match(/(?<=\{)(.*?)(^\})/m)
+                    if match
+                        fileData = fileData[0...position] + fileData[(position + match.end(0))..-1]
+                    else
+                        fileData = fileData[0...position]
+                    end
+                    File.write(localFile, fileData)
+                    ssh.scp.upload!(localFile, file)
+                end
+            end
+        end
+
+    end
+end

data/Plugins/Apps/GitLab/GitLab.conf.erb

@@ -0,0 +1,26 @@
+
+server {
+    <% if config['NginxVersion'] >= 1.25 %>
+        listen 443 ssl;
+        listen [::]:443 ssl;
+        http2 on;
+        http3 on;
+        quic_retry on;
+        add_header Alt-Svc 'h3=":443"; ma=86400';
+    <% else %>
+        listen 443 ssl http2;
+        listen [::]:443 ssl http2;
+    <% end %>
+
+    include config-lmm/ssl.conf;
+
+    server_name <%= config['Domain'] %>;
+
+    access_log  /var/log/nginx/gitlab.access.log;
+    error_log   /var/log/nginx/gitlab.error.log;
+
+    location / {
+        proxy_pass http://127.0.0.1:18100;
+        include config-lmm/proxy.conf;
+    }
+}