ConfigLMM 0.1.0

data/Plugins/Apps/Mastodon/Mastodon.lmm.rb

@@ -0,0 +1,23 @@
+
+module ConfigLMM
+    module LMM
+        class Mastodon < Framework::NginxApp
+
+            def actionMastodonBuild(id, target, state, context, options)
+                writeNginxConfig(__dir__, 'Mastodon', id, target, state, context, options)
+            end
+
+            def actionMastodonDiff(id, target, activeState, context, options)
+                # TODO
+            end
+
+            def actionMastodonDeploy(id, target, activeState, context, options)
+                if !target['Location'] || target['Location'] == '@me'
+                    deployNginxConfig(id, target, activeState, context, options)
+                    activeState['Location'] = '@me'
+                end
+            end
+
+        end
+    end
+end

data/Plugins/Apps/Matrix/Matrix.conf.erb

@@ -0,0 +1,36 @@
+
+server {
+    <% if !config['TLS'] %>
+        listen       <%= config['Port'] %>;
+        listen  [::]:<%= config['Port'] %>;
+    <% else %>
+        listen       <%= config['Port'] %> ssl;
+        listen  [::]:<%= config['Port'] %> ssl;
+        http2 on;
+        include config-lmm/ssl.conf;
+    <% end %>
+
+    # For the federation port
+    #listen 8448 ssl http2 default_server;
+    #listen [::]:8448 ssl http2 default_server;
+
+    server_name <%= config['Domain'] %>;
+
+    access_log  /var/log/nginx/matrix.access.log;
+    error_log   /var/log/nginx/matrix.error.log;
+
+    include config-lmm/private.conf;
+    include config-lmm/errors.conf;
+
+    location ~ ^(/_matrix|/_synapse/client) {
+        # note: do not add a path (even a single /) after the port in `proxy_pass`,
+        # otherwise nginx will canonicalise the URI and cause signature verification
+        # errors.
+        proxy_pass http://localhost:8008;
+        include config-lmm/proxy.conf;
+
+        # Nginx by default only allows file uploads up to 1M in size
+        # Increase client_max_body_size to match max_upload_size defined in homeserver.yaml
+        client_max_body_size 50M;
+    }
+}

data/Plugins/Apps/Matrix/Matrix.lmm.rb

@@ -0,0 +1,23 @@
+
+module ConfigLMM
+    module LMM
+        class Matrix < Framework::NginxApp
+
+            def actionMatrixBuild(id, target, state, context, options)
+                writeNginxConfig(__dir__, 'Matrix', id, target, state, context, options)
+            end
+
+            def actionMatrixDiff(id, target, activeState, context, options)
+                # TODO
+            end
+
+            def actionMatrixDeploy(id, target, activeState, context, options)
+                if !target['Location'] || target['Location'] == '@me'
+                    deployNginxConfig(id, target, activeState, context, options)
+                    activeState['Location'] = '@me'
+                end
+            end
+
+        end
+    end
+end

data/Plugins/Apps/Netdata/Netdata.conf.erb

@@ -0,0 +1,37 @@
+
+upstream netdata {
+    server 127.0.0.1:19999;
+}
+
+server {
+    <% if !config['TLS'] %>
+        listen       <%= config['Port'] %>;
+        listen  [::]:<%= config['Port'] %>;
+    <% else %>
+        listen       <%= config['Port'] %> ssl;
+        listen  [::]:<%= config['Port'] %> ssl;
+        http2 on;
+        include config-lmm/ssl.conf;
+    <% end %>
+
+    server_name <%= config['Domain'] %>;
+
+    access_log  /var/log/nginx/netdata.access.log;
+    error_log   /var/log/nginx/netdata.error.log;
+
+    include config-lmm/private.conf;
+    include config-lmm/errors.conf;
+
+    location /stub_status {
+        stub_status;
+        allow 127.0.0.0/8;
+        allow ::1/128;
+        include config-lmm/private.conf;
+    }
+
+    location / {
+        root /usr/share/nginx/html;
+        include config-lmm/proxy.conf;
+        proxy_pass http://netdata;
+    }
+}

data/Plugins/Apps/Netdata/Netdata.lmm.rb

@@ -0,0 +1,23 @@
+
+module ConfigLMM
+    module LMM
+        class Netdata < Framework::NginxApp
+
+            def actionNetdataBuild(id, target, state, context, options)
+                writeNginxConfig(__dir__, 'Netdata', id, target, state, context, options)
+            end
+
+            def actionNetdataDiff(id, target, activeState, context, options)
+                # TODO
+            end
+
+            def actionNetdataDeploy(id, target, activeState, context, options)
+                if !target['Location'] || target['Location'] == '@me'
+                    deployNginxConfig(id, target, activeState, context, options)
+                    activeState['Location'] = '@me'
+                end
+            end
+
+        end
+    end
+end

data/Plugins/Apps/Nextcloud/Nextcloud.conf.erb

@@ -0,0 +1,165 @@
+
+
+
+upstream nextcloud
+{
+    server unix:/run/php-fpm/nextcloud.sock;
+}
+
+server
+{
+    <% if !config['TLS'] %>
+        listen       <%= config['Port'] %>;
+        listen  [::]:<%= config['Port'] %>;
+    <% else %>
+        listen       <%= config['Port'] %> ssl;
+        listen  [::]:<%= config['Port'] %> ssl;
+        http2 on;
+        include config-lmm/ssl.conf;
+    <% end %>
+
+    <%= config['Domain'] %>;
+
+    access_log  /var/log/nginx/nextcloud.access.log;
+    error_log   /var/log/nginx/nextcloud.error.log;
+
+    root /usr/share/webapps/nextcloud;
+
+    include config-lmm/private.conf;
+    include config-lmm/errors.conf;
+
+    # set max upload size and increase upload timeout:
+    client_max_body_size 512M;
+    client_body_timeout 300s;
+    fastcgi_buffers 64 4K;
+
+
+    # The settings allows you to optimize the HTTP2 bandwidth.
+    # See https://blog.cloudflare.com/delivering-http-2-upload-speed-improvements/
+    # for tuning hints
+    client_body_buffer_size 512k;
+
+
+    # HTTP response headers borrowed from Nextcloud `.htaccess`
+    add_header Referrer-Policy                   "no-referrer"       always;
+    add_header X-Content-Type-Options            "nosniff"           always;
+    add_header X-Frame-Options                   "SAMEORIGIN"        always;
+    add_header X-Permitted-Cross-Domain-Policies "none"              always;
+    add_header X-Robots-Tag                      "noindex, nofollow" always;
+    add_header X-XSS-Protection                  "1; mode=block"     always;
+
+    # Specify how to handle directories -- specifying `/index.php$request_uri`
+    # here as the fallback means that Nginx always exhibits the desired behaviour
+    # when a client requests a path that corresponds to a directory that exists
+    # on the server. In particular, if that directory contains an index.php file,
+    # that file is correctly served; if it doesn't, then the request is passed to
+    # the front-end controller. This consistent behaviour means that we don't need
+    # to specify custom rules for certain paths (e.g. images and other assets,
+    # `/updater`, `/ocs-provider`), and thus
+    # `try_files $uri $uri/ /index.php$request_uri`
+    # always provides the desired behaviour.
+    index index.php index.html /index.php$request_uri;
+
+    # Rule borrowed from `.htaccess` to handle Microsoft DAV clients
+    location = / {
+        if ( $http_user_agent ~ ^DavClnt ) {
+            return 302 /remote.php/webdav/$is_args$args;
+        }
+    }
+
+    location = /robots.txt {
+        allow all;
+        log_not_found off;
+        access_log off;
+    }
+
+    # Make a regex exception for `/.well-known` so that clients can still
+    # access it despite the existence of the regex rule
+    # `location ~ /(\.|autotest|...)` which would otherwise handle requests
+    # for `/.well-known`.
+    location ^~ /.well-known {
+        # The rules in this block are an adaptation of the rules
+        # in `.htaccess` that concern `/.well-known`.
+
+        location = /.well-known/carddav { return 301 /remote.php/dav/; }
+        location = /.well-known/caldav  { return 301 /remote.php/dav/; }
+
+        location /.well-known/acme-challenge    { try_files $uri $uri/ =404; }
+        location /.well-known/pki-validation    { try_files $uri $uri/ =404; }
+
+        # Let Nextcloud's API for `/.well-known` URIs handle all other
+        # requests by passing them to the front-end controller.
+        return 301 /index.php$request_uri;
+    }
+
+    # Rules borrowed from `.htaccess` to hide certain paths from clients
+    location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)(?:$|/)  { return 404; }
+    location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console)                { return 404; }
+
+    # Ensure this block, which passes PHP files to the PHP process, is above the blocks
+    # which handle static assets (as seen below). If this block is not declared first,
+    # then Nginx will encounter an infinite rewriting loop when it prepends `/index.php`
+    # to the URI, resulting in a HTTP 500 error response.
+    location ~ \.php(?:$|/)
+    {
+        fastcgi_param modHeadersAvailable true;         # Avoid sending the security headers twice
+        fastcgi_param front_controller_active true;     # Enable pretty urls
+
+        fastcgi_pass nextcloud;
+        include fastcgi.conf;
+
+        # Required for legacy support
+        rewrite ^/(?!index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|ocs-provider\/.+|.+\/richdocumentscode(_arm64)?\/proxy) /index.php$request_uri;
+
+        fastcgi_split_path_info ^(.+?\.php)(/.*)$;
+        set $path_info $fastcgi_path_info;
+
+        try_files $fastcgi_script_name =404;
+
+        include fastcgi_params;
+        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+        fastcgi_param PATH_INFO $path_info;
+        fastcgi_param HTTPS on;
+        fastcgi_param HTTP_PROXY "";
+        fastcgi_buffer_size 16k;
+        fastcgi_buffers 4 16k;
+        #fastcgi_connect_timeout 300;
+        fastcgi_send_timeout 300;
+        fastcgi_read_timeout 300;
+
+        fastcgi_intercept_errors off;
+        fastcgi_request_buffering off;
+
+        fastcgi_max_temp_file_size 0;
+    }
+
+    # Serve static files
+    location ~ \.(?:css|js|mjs|svg|gif|png|jpg|ico|wasm|tflite|map|ogg|flac)$ {
+        try_files $uri /index.php$request_uri;
+        # HTTP response headers borrowed from Nextcloud `.htaccess`
+        add_header Cache-Control                     "public, max-age=15778463$assetImmutable";
+        add_header Referrer-Policy                   "no-referrer"       always;
+        add_header X-Content-Type-Options            "nosniff"           always;
+        add_header X-Frame-Options                   "SAMEORIGIN"        always;
+        add_header X-Permitted-Cross-Domain-Policies "none"              always;
+        add_header X-Robots-Tag                      "noindex, nofollow" always;
+        add_header X-XSS-Protection                  "1; mode=block"     always;
+        access_log off;     # Optional: Don't log access to assets
+    }
+
+    location ~ \.woff2?$ {
+        try_files $uri /index.php$request_uri;
+        expires 7d;         # Cache-Control policy borrowed from `.htaccess`
+        access_log off;     # Optional: Don't log access to assets
+    }
+
+    # Rule borrowed from `.htaccess`
+    location /remote {
+        return 301 /remote.php$request_uri;
+    }
+
+    location / {
+        try_files $uri $uri/ /index.php$request_uri;
+    }
+
+}

data/Plugins/Apps/Nextcloud/Nextcloud.lmm.rb

@@ -0,0 +1,23 @@
+
+module ConfigLMM
+    module LMM
+        class Nextcloud < Framework::NginxApp
+
+            def actionNextcloudBuild(id, target, state, context, options)
+                writeNginxConfig(__dir__, 'Nextcloud', id, target, state, context, options)
+            end
+
+            def actionNextcloudDiff(id, target, activeState, context, options)
+                # TODO
+            end
+
+            def actionNextcloudDeploy(id, target, activeState, context, options)
+                if !target['Location'] || target['Location'] == '@me'
+                    deployNginxConfig(id, target, activeState, context, options)
+                    activeState['Location'] = '@me'
+                end
+            end
+
+        end
+    end
+end

data/Plugins/Apps/Nginx/config-lmm/errors.conf

@@ -0,0 +1,31 @@
+
+# add one directive for each http status code
+error_page 301 /_errors_/HTTP301.$errorExtension;
+error_page 302 /_errors_/HTTP302.$errorExtension;
+error_page 303 /_errors_/HTTP303.$errorExtension;
+error_page 307 /_errors_/HTTP307.$errorExtension;
+error_page 308 /_errors_/HTTP308.$errorExtension;
+error_page 400 /_errors_/HTTP400.$errorExtension;
+error_page 401 /_errors_/HTTP401.$errorExtension;
+# error_page 402 /_errors_/HTTP402.$errorExtension;
+error_page 403 /_errors_/HTTP403.$errorExtension;
+error_page 404 /_errors_/HTTP404.$errorExtension;
+error_page 405 /_errors_/HTTP405.$errorExtension;
+error_page 500 /_errors_/HTTP500.$errorExtension;
+error_page 501 /_errors_/HTTP501.$errorExtension;
+error_page 502 /_errors_/HTTP502.$errorExtension;
+error_page 503 /_errors_/HTTP503.$errorExtension;
+error_page 504 /_errors_/HTTP504.$errorExtension;
+error_page 520 /_errors_/HTTP520.$errorExtension;
+error_page 521 /_errors_/HTTP521.$errorExtension;
+error_page 533 /_errors_/HTTP533.$errorExtension;
+
+location /_errors_/ {
+    include config/public.conf;
+
+    alias /srv/http/errors/;
+    internal;
+}
+
+add_header Location $upstream_http_location;
+add_header Set-Cookie $upstream_http_set_cookie;

data/Plugins/Apps/Nginx/config-lmm/private.conf

@@ -0,0 +1,6 @@
+
+allow 127.0.0.0/8;
+allow 192.168.0.0/24;
+allow 10.0.0.0/8;
+allow ::1/128;
+deny all;

data/Plugins/Apps/Nginx/config-lmm/proxy.conf

@@ -0,0 +1,15 @@
+
+proxy_http_version 1.1;
+
+proxy_set_header Host $host;
+proxy_set_header X-Real-IP $remote_addr;
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+proxy_set_header X-Forwarded-Proto $scheme;
+proxy_set_header X-Forwarded-Protocol $scheme;
+proxy_set_header X-Forwarded-Host $http_host;
+
+proxy_set_header Upgrade $http_upgrade;
+proxy_set_header Connection $connectionUpgrade;
+
+# proxy_set_header Proxy "";
+proxy_pass_header Server;

data/Plugins/Apps/Nginx/config-lmm/public.conf

@@ -0,0 +1,3 @@
+
+allow all;
+auth_basic off;

data/Plugins/Apps/Nginx/config-lmm/ssl.conf

@@ -0,0 +1,18 @@
+
+ssl_session_timeout 1d;
+ssl_session_cache shared:SSL:10m;  # about 40000 sessions
+ssl_session_tickets off;
+
+
+# modern configuration
+ssl_protocols TLSv1.3;
+ssl_prefer_server_ciphers off;
+
+
+# HSTS (ngx_http_headers_module is required) (63072000 seconds)
+add_header Strict-Transport-Security "max-age=63072000" always;
+
+
+# OCSP stapling
+ssl_stapling on;
+ssl_stapling_verify on;

data/Plugins/Apps/Nginx/main.conf

@@ -0,0 +1,30 @@
+
+server {
+    listen       80;
+    listen  [::]:80;
+    server_name _;
+
+    include config-lmm/errors.conf;
+
+    deny all;
+}
+
+server {
+    listen 443 ssl reuseport;
+    listen [::]:443 ssl reuseport;
+    http2 on;
+
+    server_name _;
+
+    deny all;
+
+    ssl_early_data on;
+
+    ssl_certificate "/etc/letsencrypt/live/<%= certName %>/fullchain.pem";
+    ssl_certificate_key "/etc/letsencrypt/live/<%= certName %>/privkey.pem";
+    ssl_trusted_certificate "/etc/letsencrypt/live/<%= certName %>/chain.pem";
+
+    include config-lmm/errors.conf;
+    include config-lmm/security.conf;
+    include config-lmm/ssl.conf;
+}

data/Plugins/Apps/Nginx/nginx.conf

@@ -0,0 +1,90 @@
+
+load_module "/usr/lib/nginx/modules/ngx_http_passenger_module.so";
+#load_module "/usr/lib/nginx/modules/ngx_http_stub_status_module.so";
+
+#user http;
+worker_processes  4;
+
+#error_log  logs/error.log;
+#error_log  logs/error.log  notice;
+#error_log  logs/error.log  info;
+error_log    /var/log/nginx/error.log info;
+
+#pid        logs/nginx.pid;
+
+
+events {
+    worker_connections  1024;
+}
+
+
+http {
+    include       mime.types;
+    default_type  application/octet-stream;
+    server_tokens off;
+
+    types_hash_max_size 4096;
+    types_hash_bucket_size 64;
+    proxy_headers_hash_max_size 512;
+    proxy_headers_hash_bucket_size 128;
+
+    #log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
+    #                  '$status $body_bytes_sent "$http_referer" '
+    #                  '"$http_user_agent" "$http_x_forwarded_for"';
+
+    #access_log  logs/access.log  main;
+
+    sendfile       on;
+    tcp_nopush     on;
+    resolver 127.0.0.53;
+
+    gzip  on;
+    gzip_vary on;
+    gzip_proxied any;
+    gzip_comp_level 6;
+    gzip_min_length 256;
+
+    # do not remove ETag headers
+    gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
+
+    gzip_types application/atom+xml text/javascript text/xml application/xml+rss application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/wasm application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
+
+
+    charset utf-8;
+    charset_types text/css text/plain text/xml text/javascript text/vnd.wap.wml application/json application/javascript application/xml application/xml+rss application/rss+xm image/svg+xml;
+    proxy_intercept_errors on;
+    fastcgi_intercept_errors on;
+
+    map $http_accept $errorExtension
+    {
+        default                    html;
+        ~application/json          json;
+        ~application/activity+json json;
+    }
+
+    map $http_upgrade $connectionUpgrade
+    {
+        default upgrade;
+        ''      '';
+    }
+
+    # Set the `immutable` cache control options only for assets with a cache busting `v` argument
+    map $arg_v $assetImmutable
+    {
+        "" "";
+        default ", immutable";
+    }
+
+    passenger_ruby /usr/bin/ruby;
+    passenger_root /usr/lib/passenger;
+
+    root /srv/http/root;
+
+    include /etc/nginx/main.conf;
+
+    # Load modular configuration files from the /etc/nginx/servers directory.
+    # See http://nginx.org/en/docs/ngx_core_module.html#include
+    # for more information.
+    include /etc/nginx/servers/*.conf;
+    include /etc/nginx/servers-lmm/*.conf;
+}

data/Plugins/Apps/Nginx/nginx.lmm.rb

@@ -0,0 +1,62 @@
+
+module ConfigLMM
+    module LMM
+        class Nginx < Framework::NginxApp
+
+            CONFIG_DIR = '/etc/nginx/'
+            HTTP_DIR = '/srv/http/'
+
+            def actionNginxBuild(id, target, activeState, context, options)
+                dir = options['output'] + '/nginx/'
+                mkdir(dir, options[:dry])
+                copy(__dir__ + '/config-lmm', dir, options[:dry])
+                # TODO, maybe evaluate them as template?
+                copy(__dir__ + '/nginx.conf', dir, options[:dry])
+                copy(__dir__ + '/main.conf', dir, options[:dry])
+                mkdir(options['output'] + HTTP_DIR + 'root', options[:dry])
+                mkdir(options['output'] + HTTP_DIR + 'errors', options[:dry])
+            end
+
+            # TODO
+            # def actionNginxDiff(id, target, activeState, context, options)
+            #     I think we need nginx config parser to implement this
+            # end
+
+            def actionNginxDeploy(id, target, activeState, context, options)
+                dir = options['output'] + '/nginx/'
+
+                if !target['Location'] || target['Location'] == '@me'
+                    copy(dir + '/config-lmm', CONFIG_DIR, options[:dry])
+                    copyNotPresent(dir + '/nginx.conf', CONFIG_DIR, options[:dry])
+                    copyNotPresent(dir + '/main.conf', CONFIG_DIR, options[:dry])
+                    copyNotPresent(dir + '/servers-lmm', CONFIG_DIR, options['dry'])
+                    mkdir(HTTP_DIR + 'root', options[:dry])
+                    mkdir(HTTP_DIR + 'errors', options[:dry])
+                end
+                # Consider:
+                # * Deploy on current host
+                # * Deploy on remote host thru SSH (eg. VPS)
+                # * Using already existing solution like Chef/Puppet/Ansible/etc
+                # * Provision from some Cloud provider
+                # We implement this as we go - what people actually use
+            end
+
+            def actionNginxProxyBuild(id, target, activeState, context, options)
+                updateTargetConfig(target)
+
+                template = ERB.new(File.read(__dir__ + '/proxy.conf.erb'))
+                renderTemplate(template, target, options['output'] + '/nginx/servers-lmm/' + target['Name'] + '.conf', options)
+
+                actionNginxBuild(id, target, activeState, context, options)
+            end
+
+            def actionNginxProxyDeploy(id, target, activeState, context, options)
+                if !target['Location'] || target['Location'] == '@me'
+                    deployNginxConfig(id, target, activeState, context, options)
+                    activeState['Location'] = '@me'
+                end
+            end
+
+        end
+    end
+end

data/Plugins/Apps/Nginx/proxy.conf.erb

@@ -0,0 +1,31 @@
+# DON'T EDIT THIS FILE DIRECTLY
+# IT WAS GENERATED BY CONFIGLMM
+
+server {
+    <% if !config['TLS'] %>
+        listen       <%= config['Port'] %>;
+        listen  [::]:<%= config['Port'] %>;
+    <% else %>
+        listen       <%= config['Port'] %> ssl;
+        listen  [::]:<%= config['Port'] %> ssl;
+        http2 on;
+        include config-lmm/ssl.conf;
+    <% end %>
+
+    server_name <%= config['Domain'] %>;
+
+    access_log  /var/log/nginx/<%= config['Name'].downcase %>.access.log;
+    error_log   /var/log/nginx/<%= config['Name'].downcase %>.error.log;
+
+    include config-lmm/errors.conf;
+
+    <% if config['Private'] %>
+        include config-lmm/private.conf;
+    <% end %>
+
+    location / {
+        proxy_pass <%= config['Proxy'] %>;
+
+        include config-lmm/proxy.conf;
+    }
+}

data/Plugins/Apps/Odoo/Odoo.conf.erb

@@ -0,0 +1,44 @@
+
+upstream odoo {
+    server 127.0.0.1:8069;
+}
+
+server {
+
+    <% if !config['TLS'] %>
+        listen       <%= config['Port'] %>;
+        listen  [::]:<%= config['Port'] %>;
+    <% else %>
+        listen       <%= config['Port'] %> ssl;
+        listen  [::]:<%= config['Port'] %> ssl;
+        http2 on;
+        include config/ssl.conf;
+    <% end %>
+
+    server_name <%= config['Domain'] %>;
+
+    root        /usr/share/nginx/html;
+    index       index.html index.htm;
+    access_log  /var/log/nginx/odoo.access.log;
+    error_log   /var/log/nginx/odoo.error.log;
+
+    include config/private.conf;
+    include config/errors.conf;
+
+    location / {
+        proxy_pass  http://odoo;
+        # force timeouts if the backend dies
+        proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
+        proxy_redirect off;
+
+        include config/proxy.conf;
+    }
+
+    # cache some static data in memory for 60mins
+    location ~* /web/static/ {
+        proxy_cache_valid 200 60m;
+        proxy_buffering on;
+        expires 864000;
+        proxy_pass http://odoo;
+    }
+}