ConfigLMM 0.2.0 → 0.3.0

data/Plugins/Apps/Nextcloud/Nextcloud.conf.erb

@@ -1,9 +1,11 @@
 
-
-
 upstream nextcloud
 {
+<% if config['Server'] %>
+    server <%= config['Server'] %>;
+<% else %>
     server unix:/run/php-fpm/nextcloud.sock;
+<% end %>
 }
 
 server
@@ -12,13 +14,22 @@ server
         listen       <%= config['Port'] %>;
         listen  [::]:<%= config['Port'] %>;
     <% else %>
-        listen       <%= config['Port'] %> ssl;
-        listen  [::]:<%= config['Port'] %> ssl;
-        http2 on;
+        <% if config['NginxVersion'] >= 1.25 %>
+            listen <%= config['Port'] %> ssl;
+            listen [::]:<%= config['Port'] %> ssl;
+            http2 on;
+            http3 on;
+            quic_retry on;
+            add_header Alt-Svc 'h3=":<%= config['Port'] %>"; ma=86400';
+        <% else %>
+            listen <%= config['Port'] %> ssl http2;
+            listen [::]:<%= config['Port'] %> ssl http2;
+        <% end %>
+
         include config-lmm/ssl.conf;
     <% end %>
 
-    <%= config['Domain'] %>;
+    server_name <%= config['Domain'] %>;
 
     access_log  /var/log/nginx/nextcloud.access.log;
     error_log   /var/log/nginx/nextcloud.error.log;
@@ -133,17 +144,23 @@ server
         fastcgi_max_temp_file_size 0;
     }
 
+    # Rule borrowed from `.htaccess`
+    location /remote {
+        return 301 /remote.php$request_uri;
+    }
+
     # Serve static files
     location ~ \.(?:css|js|mjs|svg|gif|png|jpg|ico|wasm|tflite|map|ogg|flac)$ {
         try_files $uri /index.php$request_uri;
         # HTTP response headers borrowed from Nextcloud `.htaccess`
-        add_header Cache-Control                     "public, max-age=15778463$assetImmutable";
         add_header Referrer-Policy                   "no-referrer"       always;
         add_header X-Content-Type-Options            "nosniff"           always;
         add_header X-Frame-Options                   "SAMEORIGIN"        always;
         add_header X-Permitted-Cross-Domain-Policies "none"              always;
         add_header X-Robots-Tag                      "noindex, nofollow" always;
         add_header X-XSS-Protection                  "1; mode=block"     always;
+        add_header Cache-Control                     "public, max-age=15778463$assetImmutable";
+        add_header X-XSS-Protection                  "1; mode=block"     always;
         access_log off;     # Optional: Don't log access to assets
     }
 
@@ -153,9 +170,30 @@ server
         access_log off;     # Optional: Don't log access to assets
     }
 
-    # Rule borrowed from `.htaccess`
-    location /remote {
-        return 301 /remote.php$request_uri;
+    location /wapps/ {
+        alias /var/lib/nextcloud/apps/;
+
+        # Serve static files
+        location ~ \.(?:css|js|mjs|svg|gif|png|jpg|ico|wasm|tflite|map|ogg|flac)$ {
+            try_files $uri /index.php$request_uri;
+            # HTTP response headers borrowed from Nextcloud `.htaccess`
+            add_header Referrer-Policy                   "no-referrer"       always;
+            add_header X-Content-Type-Options            "nosniff"           always;
+            add_header X-Frame-Options                   "SAMEORIGIN"        always;
+            add_header X-Permitted-Cross-Domain-Policies "none"              always;
+            add_header X-Robots-Tag                      "noindex, nofollow" always;
+            add_header X-XSS-Protection                  "1; mode=block"     always;
+            add_header Cache-Control                     "public, max-age=15778463$assetImmutable";
+            add_header X-XSS-Protection                  "1; mode=block"     always;
+            access_log off;     # Optional: Don't log access to assets
+        }
+
+        location ~ \.woff2?$ {
+            try_files $uri /index.php$request_uri;
+            expires 7d;         # Cache-Control policy borrowed from `.htaccess`
+            access_log off;     # Optional: Don't log access to assets
+        }
+
     }
 
     location / {

data/Plugins/Apps/Nextcloud/Nextcloud.lmm.rb

@@ -3,6 +3,10 @@ module ConfigLMM
     module LMM
         class Nextcloud < Framework::NginxApp
 
+            USER = 'nextcloud'
+            HOME_DIR = '/var/lib/nextcloud'
+            PACKAGE_NAME = 'Nextcloud'
+
             def actionNextcloudBuild(id, target, state, context, options)
                 writeNginxConfig(__dir__, 'Nextcloud', id, target, state, context, options)
             end
@@ -12,8 +16,61 @@ module ConfigLMM
             end
 
             def actionNextcloudDeploy(id, target, activeState, context, options)
-                if !target['Location'] || target['Location'] == '@me'
-                    deployNginxConfig(id, target, activeState, context, options)
+                if target['Location'] && target['Location'] != '@me'
+                    uri = Addressable::URI.parse(target['Location'])
+                    raise Framework::PluginProcessError.new("#{id}: Unknown Protocol: #{uri.scheme}!") if uri.scheme != 'ssh'
+                    self.class.sshStart(uri) do |ssh|
+                        if !target.key?('Proxy') || target['Proxy'] != 'only'
+                            Framework::LinuxApp.ensurePackages([PHP_FPM::PHPFPM_PACKAGE], ssh)
+                            Framework::LinuxApp.ensureServiceAutoStartOverSSH(PHP_FPM::PHPFPM_SERVICE, ssh)
+                            distroInfo = Framework::LinuxApp.ensurePackages([PACKAGE_NAME], ssh)
+                            addUserCmd = "#{distroInfo['CreateServiceUser']} --home-dir '#{HOME_DIR}' --create-home --comment 'Nextcloud' #{USER}"
+                            self.class.sshExec!(ssh, addUserCmd, true)
+                            self.class.sshExec!(ssh, "mkdir -p /var/log/php/ /var/lib/nextcloud/apps/ /var/lib/nextcloud/data/")
+                            self.class.sshExec!(ssh, "touch /var/log/php/nextcloud.errors.log")
+                            self.class.sshExec!(ssh, "touch /var/log/php/nextcloud.mail.log")
+                            self.class.sshExec!(ssh, "chown #{USER}:#{USER} /var/log/php/nextcloud.errors.log")
+                            self.class.sshExec!(ssh, "chown #{USER}:#{USER} /var/log/php/nextcloud.mail.log")
+                            PHP_FPM::fixConfigFileOverSSH(distroInfo, ssh)
+
+                            webappsDir = PHP_FPM::webappsDir(distroInfo)
+                            configDir = webappsDir + 'nextcloud/config/'
+                            if !self.class.remoteFilePresent?(configDir + 'config.php', ssh)
+                                self.class.uploadNotPresent(__dir__ + '/config.php', configDir, ssh)
+                                self.class.sshExec!(ssh, "sed -i \"s|'instanceid' .*|'instanceid' => '#{SecureRandom.alphanumeric(10)}',|\" #{configDir}config.php")
+                                self.class.sshExec!(ssh, "touch #{configDir}CAN_INSTALL")
+                                self.class.sshExec!(ssh, "sed -i 's|/usr/share/webapps/|#{webappsDir}|' #{configDir}config.php")
+                            end
+                            self.class.sshExec!(ssh, "chown -R nextcloud:nextcloud #{configDir}")
+                            self.class.sshExec!(ssh, "chown -R nextcloud:nextcloud /var/lib/nextcloud/")
+
+                            target['Database'] ||= {}
+                            if !target['Database']['Type'] || target['Database']['Type'] == 'pgsql'
+                                PostgreSQL.createRemoteUserAndDBOverSSH(target['Database'], USER, nil, ssh)
+                            end
+
+                            target['User'] = USER unless target['User']
+                            name = 'nextcloud'
+                            self.updateRemoteFile(ssh, PHP_FPM.configDir(distroInfo) + name + '.conf', options, false, ';') do |configLines|
+                                PHP_FPM.writeConfig(name, target, distroInfo, configLines)
+                            end
+
+                            Framework::LinuxApp.startServiceOverSSH(PHP_FPM::PHPFPM_SERVICE, ssh)
+                        end
+                        if !target.key?('Proxy') || target['Proxy']
+                            self.class.prepareNginxConfig(target, ssh)
+                            self.writeNginxConfig(__dir__, 'Nextcloud', id, target, state, context, options)
+                            distroInfo = Framework::LinuxApp.ensurePackages([PACKAGE_NAME], ssh)
+                            webappsDir = PHP_FPM::webappsDir(distroInfo)
+                            nginxFile = options['output'] + '/nginx/servers-lmm/Nextcloud.conf'
+                            `sed -i 's|root .*|root #{webappsDir}nextcloud;|' #{nginxFile}`
+                            deployNginxConfig(id, target, activeState, context, options)
+                        end
+                    end
+                else
+                    if !target.key?('Proxy') || target['Proxy']
+                        deployNginxConfig(id, target, activeState, context, options)
+                    end
                     activeState['Location'] = '@me'
                 end
             end

data/Plugins/Apps/Nextcloud/config.php

@@ -0,0 +1,18 @@
+<?php
+
+$CONFIG = [
+    'instanceid' => '',
+    'datadirectory' => '/var/lib/nextcloud/data/',
+    'apps_paths' => [
+        [
+            'path'=> '/usr/share/webapps/nextcloud/apps',
+            'url' => '/apps',
+            'writable' => false,
+        ],
+        [
+            'path'=> '/var/lib/nextcloud/apps',
+            'url' => '/wapps',
+            'writable' => true,
+        ],
+    ]
+];

data/Plugins/Apps/Nginx/conf.d/configlmm.conf

@@ -0,0 +1,62 @@
+
+server_tokens off;
+
+tcp_nopush     on;
+
+# Needed for OCSP stapling
+resolver 127.0.0.53;
+
+
+# types_hash_max_size 4096;
+# types_hash_bucket_size 64;
+# proxy_headers_hash_max_size 512;
+# proxy_headers_hash_bucket_size 128;
+
+
+gzip  on;
+gzip_vary on;
+gzip_proxied any;
+gzip_comp_level 6;
+gzip_min_length 256;
+
+# do not remove ETag headers
+gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
+
+gzip_types application/atom+xml text/javascript text/xml application/xml+rss application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/wasm application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
+
+
+charset utf-8;
+charset_types text/css text/plain text/xml text/javascript text/vnd.wap.wml application/json application/javascript application/xml application/xml+rss application/rss+xm image/svg+xml;
+proxy_intercept_errors on;
+fastcgi_intercept_errors on;
+
+map $http_accept $errorExtension
+{
+    default                    html;
+    ~application/json          json;
+    ~application/activity+json json;
+}
+
+map $http_upgrade $connectionUpgrade
+{
+    default upgrade;
+    ''      '';
+}
+
+# Set the `immutable` cache control options only for assets with a cache busting `v` argument
+map $arg_v $assetImmutable
+{
+    "" "";
+    default ", immutable";
+}
+
+root /srv/www/root;
+
+ssl_certificate "/etc/letsencrypt/live/Wildcard/fullchain.pem";
+ssl_certificate_key "/etc/letsencrypt/live/Wildcard/privkey.pem";
+ssl_trusted_certificate "/etc/letsencrypt/live/Wildcard/chain.pem";
+
+# Load modular configuration files from the /etc/nginx/servers directory.
+# See http://nginx.org/en/docs/ngx_core_module.html#include
+# for more information.
+include servers-lmm/*.conf;

data/Plugins/Apps/Nginx/config-lmm/errors.conf

@@ -23,7 +23,7 @@ error_page 533 /_errors_/HTTP533.$errorExtension;
 location /_errors_/ {
     include config-lmm/public.conf;
 
-    alias /srv/http/errors/;
+    alias /srv/www/errors/;
     internal;
 }
 

data/Plugins/Apps/Nginx/main.conf.erb

@@ -0,0 +1,31 @@
+
+server {
+    listen       80 default_server;
+    listen  [::]:80 default_server;
+    server_name _;
+
+    include config-lmm/errors.conf;
+
+    deny all;
+}
+
+server {
+    <% if config['NginxVersion'] >= 1.25 %>
+        listen 443 default_server ssl reuseport;
+        listen [::]:443 default_server ssl reuseport;
+        http2 on;
+    <% else %>
+        listen 443 default_server ssl reuseport http2;
+        listen [::]:443 default_server ssl reuseport http2;
+    <% end %>
+
+    server_name _;
+
+    deny all;
+
+    ssl_early_data on;
+
+    include config-lmm/errors.conf;
+    include config-lmm/security.conf;
+    include config-lmm/ssl.conf;
+}

data/Plugins/Apps/Nginx/nginx.conf

@@ -1,90 +1,25 @@
 
-load_module "/usr/lib/nginx/modules/ngx_http_passenger_module.so";
-#load_module "/usr/lib/nginx/modules/ngx_http_stub_status_module.so";
-
-#user http;
 worker_processes  4;
 
-#error_log  logs/error.log;
-#error_log  logs/error.log  notice;
-#error_log  logs/error.log  info;
 error_log    /var/log/nginx/error.log info;
 
-#pid        logs/nginx.pid;
-
-
 events {
     worker_connections  1024;
+    use epoll;
 }
 
-
 http {
     include       mime.types;
     default_type  application/octet-stream;
-    server_tokens off;
-
-    types_hash_max_size 4096;
-    types_hash_bucket_size 64;
-    proxy_headers_hash_max_size 512;
-    proxy_headers_hash_bucket_size 128;
-
-    #log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
-    #                  '$status $body_bytes_sent "$http_referer" '
-    #                  '"$http_user_agent" "$http_x_forwarded_for"';
-
-    #access_log  logs/access.log  main;
 
     sendfile       on;
-    tcp_nopush     on;
-    resolver 127.0.0.53;
-
-    gzip  on;
-    gzip_vary on;
-    gzip_proxied any;
-    gzip_comp_level 6;
-    gzip_min_length 256;
-
-    # do not remove ETag headers
-    gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
-
-    gzip_types application/atom+xml text/javascript text/xml application/xml+rss application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/wasm application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
-
-
-    charset utf-8;
-    charset_types text/css text/plain text/xml text/javascript text/vnd.wap.wml application/json application/javascript application/xml application/xml+rss application/rss+xm image/svg+xml;
-    proxy_intercept_errors on;
-    fastcgi_intercept_errors on;
-
-    map $http_accept $errorExtension
-    {
-        default                    html;
-        ~application/json          json;
-        ~application/activity+json json;
-    }
-
-    map $http_upgrade $connectionUpgrade
-    {
-        default upgrade;
-        ''      '';
-    }
-
-    # Set the `immutable` cache control options only for assets with a cache busting `v` argument
-    map $arg_v $assetImmutable
-    {
-        "" "";
-        default ", immutable";
-    }
-
-    passenger_ruby /usr/bin/ruby;
-    passenger_root /usr/lib/passenger;
 
-    root /srv/http/root;
+    include conf.d/*.conf;
 
     include /etc/nginx/main.conf;
 
     # Load modular configuration files from the /etc/nginx/servers directory.
     # See http://nginx.org/en/docs/ngx_core_module.html#include
     # for more information.
-    include /etc/nginx/servers/*.conf;
-    include /etc/nginx/servers-lmm/*.conf;
+    include vhosts.d/*.conf;
 }

data/Plugins/Apps/Nginx/nginx.lmm.rb

@@ -2,19 +2,21 @@
 module ConfigLMM
     module LMM
         class Nginx < Framework::NginxApp
-
-            CONFIG_DIR = '/etc/nginx/'
-            HTTP_DIR = '/srv/http/'
+            CERTBOT_PACKAGE = 'CertBotNginx'
+            REPOS_CACHE = '~/.cache/configlmm/repos'
+            ERROR_PAGES_REPO = 'https://github.com/HttpErrorPages/HttpErrorPages.git'
 
             def actionNginxBuild(id, target, activeState, context, options)
+
                 dir = options['output'] + '/nginx/'
-                mkdir(dir, options[:dry])
+                mkdir(dir + 'conf.d', options[:dry])
+                mkdir(dir + 'servers-lmm', options[:dry])
                 copy(__dir__ + '/config-lmm', dir, options[:dry])
-                # TODO, maybe evaluate them as template?
                 copy(__dir__ + '/nginx.conf', dir, options[:dry])
-                copy(__dir__ + '/main.conf', dir, options[:dry])
-                mkdir(options['output'] + HTTP_DIR + 'root', options[:dry])
-                mkdir(options['output'] + HTTP_DIR + 'errors', options[:dry])
+                copy(__dir__ + '/conf.d/configlmm.conf', dir + 'conf.d/', options[:dry])
+
+                mkdir(options['output'] + WWW_DIR + 'root', options[:dry])
+                mkdir(options['output'] + WWW_DIR + 'errors', options[:dry])
             end
 
             # TODO
@@ -25,13 +27,68 @@ module ConfigLMM
             def actionNginxDeploy(id, target, activeState, context, options)
                 dir = options['output'] + '/nginx/'
 
-                if !target['Location'] || target['Location'] == '@me'
+                if target['Location'] && target['Location'] != '@me'
+                    uri = Addressable::URI.parse(target['Location'])
+                    raise Framework::PluginProcessError.new("Unknown Protocol: #{uri.scheme}!") if uri.scheme != 'ssh'
+                    self.class.sshStart(uri) do |ssh|
+                        Framework::LinuxApp.ensurePackages([CERTBOT_PACKAGE], ssh)
+                        self.class.prepareNginxConfig(target, ssh)
+
+                        self.class.sshExec!(ssh, "mkdir -p #{CONFIG_DIR}conf.d")
+                        self.class.sshExec!(ssh, "mkdir -p #{WWW_DIR}root")
+                        self.class.sshExec!(ssh, "mkdir -p #{WWW_DIR}errors")
+                        ssh.scp.upload!(dir + 'nginx.conf', CONFIG_DIR + 'nginx.conf')
+                        ssh.scp.upload!(dir + 'conf.d/configlmm.conf', CONFIG_DIR + 'conf.d/configlmm.conf')
+                        resolverIP = self.class.sshExec!(ssh, "cat /etc/resolv.conf | grep 'nameserver' | grep -v ':' | cut -d ' ' -f 2").strip
+                        self.class.sshExec!(ssh, "sed -i 's|^resolver .*|resolver #{resolverIP};|' /etc/nginx/conf.d/configlmm.conf")
+
+                        self.class.uploadFolder(dir + 'config-lmm', CONFIG_DIR, ssh)
+                        self.class.uploadFolder(dir + 'servers-lmm', CONFIG_DIR, ssh)
+
+                        template = ERB.new(File.read(__dir__ + '/main.conf.erb'))
+                        renderTemplate(template, target, dir + 'main.conf', options)
+                        ssh.scp.upload!(dir + 'main.conf', CONFIG_DIR + 'main.conf')
+
+                        if !self.class.remoteFilePresent?(WWW_DIR + 'errors/HTTP500.html', ssh)
+                            errorPages = File.expand_path(REPOS_CACHE + '/HttpErrorPages')
+                            if !File.exist?(errorPages)
+                                mkdir(File.expand_path(REPOS_CACHE), false)
+                                begin
+                                    Framework::LinuxApp.ensurePackages(['git', 'Yarn'], '@me')
+                                rescue error
+                                    prompt.say(error, :color => :red)
+                                end
+                                `cd #{REPOS_CACHE} && git clone --quiet #{ERROR_PAGES_REPO} > /dev/null`
+                            end
+                            `cd #{errorPages} && yarn install --silent`
+                            `cd #{errorPages} && yarn run static config-dist.json > /dev/null`
+                            `cd #{errorPages} && cp -R dist errors`
+                            self.class.uploadFolder(errorPages + '/errors', WWW_DIR, ssh)
+                        end
+
+                        Framework::LinuxApp.createCertificateOverSSH(ssh)
+                    end
+                else
+                    self.class.prepareNginxConfig(target, nil)
+
                     copy(dir + '/config-lmm', CONFIG_DIR, options[:dry])
-                    copyNotPresent(dir + '/nginx.conf', CONFIG_DIR, options[:dry])
-                    copyNotPresent(dir + '/main.conf', CONFIG_DIR, options[:dry])
-                    copyNotPresent(dir + '/servers-lmm', CONFIG_DIR, options['dry'])
-                    mkdir(HTTP_DIR + 'root', options[:dry])
-                    mkdir(HTTP_DIR + 'errors', options[:dry])
+                    copy(dir + '/nginx.conf', CONFIG_DIR, options[:dry])
+
+                    copy(dir + '/servers-lmm', CONFIG_DIR, options['dry'])
+                    mkdir(WWW_DIR + 'root', options[:dry])
+                    mkdir(WWW_DIR + 'errors', options[:dry])
+
+                    template = ERB.new(File.read(__dir__ + '/main.conf.erb'))
+                    renderTemplate(template, target, dir + 'main.conf', options)
+                    copy(dir + '/main.conf', CONFIG_DIR, options[:dry])
+
+                    dir = "/etc/letsencrypt/live/Wildcard/"
+                    `mkdir -p #{dir}`
+                    if !File.exist?(dir + 'fullchain.pem')
+                        `openssl req -x509 -noenc -days 90 -newkey rsa:2048 -keyout #{dir}privkey.pem -out #{dir}fullchain.pem -subj "/C=US/O=ConfigLMM/CN=Wildcard"`
+                         `cp #{dir}fullchain.pem #{dir}chain.pem`
+                    end
+
                 end
                 # Consider:
                 # * Deploy on current host

data/Plugins/Apps/Odoo/Odoo.conf.erb

@@ -1,29 +1,46 @@
 
 upstream odoo {
-    server 127.0.0.1:8069;
+    <% if config['Server'] %>
+        server <%= config['Server'] %>;
+    <% else %>
+        server 127.0.0.1:8069;
+    <% end %>
 }
 
 server {
 
-    <% if !config['TLS'] %>
-        listen       <%= config['Port'] %>;
-        listen  [::]:<%= config['Port'] %>;
-    <% else %>
-        listen       <%= config['Port'] %> ssl;
-        listen  [::]:<%= config['Port'] %> ssl;
+    <% if config['NginxVersion'] >= 1.25 %>
+        <% if !config['TLS'] %>
+            listen       <%= config['Port'] %>;
+            listen  [::]:<%= config['Port'] %>;
+        <% else %>
+            listen       <%= config['Port'] %> ssl;
+            listen  [::]:<%= config['Port'] %> ssl;
+
+            include config-lmm/ssl.conf;
+        <% end %>
         http2 on;
-        include config/ssl.conf;
+        http3 on;
+        quic_retry on;
+        add_header Alt-Svc 'h3=":443"; ma=86400';
+    <% else %>
+        <% if !config['TLS'] %>
+            listen       <%= config['Port'] %>;
+            listen  [::]:<%= config['Port'] %>;
+        <% else %>
+            listen       <%= config['Port'] %> ssl http2;
+            listen  [::]:<%= config['Port'] %> ssl http2;
+
+            include config-lmm/ssl.conf;
+        <% end %>
     <% end %>
 
     server_name <%= config['Domain'] %>;
 
-    root        /usr/share/nginx/html;
-    index       index.html index.htm;
     access_log  /var/log/nginx/odoo.access.log;
     error_log   /var/log/nginx/odoo.error.log;
 
-    include config/private.conf;
-    include config/errors.conf;
+    include config-lmm/errors.conf;
 
     location / {
         proxy_pass  http://odoo;
@@ -31,7 +48,7 @@ server {
         proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
         proxy_redirect off;
 
-        include config/proxy.conf;
+        include config-lmm/proxy.conf;
     }
 
     # cache some static data in memory for 60mins

data/Plugins/Apps/Odoo/Odoo.container

@@ -0,0 +1,17 @@
+
+[Unit]
+Description=Odoo container
+After=local-fs.target
+
+[Container]
+Image=odoo:latest
+EnvironmentFile=/var/lib/odoo/.config/containers/systemd/Odoo.env
+Network=slirp4netns:allow_host_loopback=true
+PublishPort=0.0.0.0:8069:8069
+UserNS=keep-id:uid=101,gid=101
+Volume=/var/lib/odoo/config:/etc/odoo
+Volume=/var/lib/odoo/data:/var/lib/odoo
+Volume=/var/lib/odoo/addons:/mnt/extra-addons
+
+[Install]
+WantedBy=multi-user.target default.target