ConfigLMM 0.2.0 → 0.3.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/CHANGELOG.md +31 -0
- data/Examples/Implemented.mm.yaml +75 -1
- data/Plugins/Apps/Authentik/Authentik-Server.container +18 -0
- data/Plugins/Apps/Authentik/Authentik-Worker.container +17 -0
- data/Plugins/Apps/Authentik/Authentik.conf.erb +35 -0
- data/Plugins/Apps/Authentik/Authentik.lmm.rb +73 -0
- data/Plugins/Apps/Cassandra/Cassandra.lmm.rb +41 -0
- data/Plugins/Apps/Dovecot/Dovecot.lmm.rb +148 -0
- data/Plugins/Apps/GitLab/GitLab.conf.erb +26 -0
- data/Plugins/Apps/GitLab/GitLab.container +17 -0
- data/Plugins/Apps/GitLab/GitLab.lmm.rb +75 -0
- data/Plugins/Apps/Nextcloud/Nextcloud.conf.erb +48 -10
- data/Plugins/Apps/Nextcloud/Nextcloud.lmm.rb +59 -2
- data/Plugins/Apps/Nextcloud/config.php +18 -0
- data/Plugins/Apps/Nginx/conf.d/configlmm.conf +62 -0
- data/Plugins/Apps/Nginx/config-lmm/errors.conf +1 -1
- data/Plugins/Apps/Nginx/main.conf.erb +31 -0
- data/Plugins/Apps/Nginx/nginx.conf +3 -68
- data/Plugins/Apps/Nginx/nginx.lmm.rb +71 -14
- data/Plugins/Apps/Odoo/Odoo.conf.erb +30 -13
- data/Plugins/Apps/Odoo/Odoo.container +17 -0
- data/Plugins/Apps/Odoo/Odoo.lmm.rb +62 -2
- data/Plugins/Apps/Odoo/odoo.conf +37 -0
- data/Plugins/Apps/PHP-FPM/PHP-FPM.lmm.rb +95 -0
- data/Plugins/Apps/Peppermint/Peppermint.conf.erb +64 -0
- data/Plugins/Apps/Peppermint/Peppermint.container +14 -0
- data/Plugins/Apps/Peppermint/Peppermint.lmm.rb +58 -0
- data/Plugins/Apps/Postfix/Postfix.lmm.rb +139 -31
- data/Plugins/Apps/Postfix/smtpd.conf +3 -0
- data/Plugins/Apps/PostgreSQL/PostgreSQL.lmm.rb +172 -23
- data/Plugins/Apps/SSH/SSH.lmm.rb +51 -0
- data/Plugins/Apps/UVdesk/UVdesk.conf.erb +52 -0
- data/Plugins/Apps/UVdesk/UVdesk.lmm.rb +85 -0
- data/Plugins/Apps/Valkey/Valkey.lmm.rb +2 -1
- data/Plugins/Apps/Vaultwarden/Vaultwarden.conf.erb +35 -18
- data/Plugins/Apps/Vaultwarden/Vaultwarden.container +16 -0
- data/Plugins/Apps/Vaultwarden/Vaultwarden.lmm.rb +42 -3
- data/Plugins/Apps/gollum/gollum.conf.erb +45 -18
- data/Plugins/Apps/gollum/gollum.container +12 -0
- data/Plugins/Apps/gollum/gollum.lmm.rb +39 -10
- data/Plugins/OS/Linux/Distributions.yaml +10 -0
- data/Plugins/OS/Linux/Linux.lmm.rb +145 -12
- data/Plugins/OS/Linux/Packages.yaml +42 -4
- data/Plugins/OS/Linux/WireGuard/WireGuard.lmm.rb +108 -0
- data/Plugins/OS/Linux/WireGuard/wg0.conf.erb +15 -0
- data/Plugins/OS/Linux/systemd/systemd.lmm.rb +28 -0
- data/Plugins/OS/Linux/systemd/user-0.slice +9 -0
- data/Plugins/OS/Linux/systemd/user@.service.d/delegate.conf +3 -0
- data/Plugins/Platforms/GoDaddy/GoDaddy.lmm.rb +6 -2
- data/Plugins/Services/DNS/PowerDNS.lmm.rb +69 -6
- data/README.md +6 -0
- data/bootstrap.sh +54 -0
- data/lib/ConfigLMM/Framework/plugins/dns.rb +1 -2
- data/lib/ConfigLMM/Framework/plugins/linuxApp.rb +157 -35
- data/lib/ConfigLMM/Framework/plugins/nginxApp.rb +24 -6
- data/lib/ConfigLMM/Framework/plugins/plugin.rb +52 -12
- data/lib/ConfigLMM/version.rb +1 -1
- metadata +31 -3
- data/Plugins/Apps/Nginx/main.conf +0 -30
@@ -1,9 +1,11 @@
|
|
1
1
|
|
2
|
-
|
3
|
-
|
4
2
|
upstream nextcloud
|
5
3
|
{
|
4
|
+
<% if config['Server'] %>
|
5
|
+
server <%= config['Server'] %>;
|
6
|
+
<% else %>
|
6
7
|
server unix:/run/php-fpm/nextcloud.sock;
|
8
|
+
<% end %>
|
7
9
|
}
|
8
10
|
|
9
11
|
server
|
@@ -12,13 +14,22 @@ server
|
|
12
14
|
listen <%= config['Port'] %>;
|
13
15
|
listen [::]:<%= config['Port'] %>;
|
14
16
|
<% else %>
|
15
|
-
|
16
|
-
|
17
|
-
|
17
|
+
<% if config['NginxVersion'] >= 1.25 %>
|
18
|
+
listen <%= config['Port'] %> ssl;
|
19
|
+
listen [::]:<%= config['Port'] %> ssl;
|
20
|
+
http2 on;
|
21
|
+
http3 on;
|
22
|
+
quic_retry on;
|
23
|
+
add_header Alt-Svc 'h3=":<%= config['Port'] %>"; ma=86400';
|
24
|
+
<% else %>
|
25
|
+
listen <%= config['Port'] %> ssl http2;
|
26
|
+
listen [::]:<%= config['Port'] %> ssl http2;
|
27
|
+
<% end %>
|
28
|
+
|
18
29
|
include config-lmm/ssl.conf;
|
19
30
|
<% end %>
|
20
31
|
|
21
|
-
<%= config['Domain'] %>;
|
32
|
+
server_name <%= config['Domain'] %>;
|
22
33
|
|
23
34
|
access_log /var/log/nginx/nextcloud.access.log;
|
24
35
|
error_log /var/log/nginx/nextcloud.error.log;
|
@@ -133,17 +144,23 @@ server
|
|
133
144
|
fastcgi_max_temp_file_size 0;
|
134
145
|
}
|
135
146
|
|
147
|
+
# Rule borrowed from `.htaccess`
|
148
|
+
location /remote {
|
149
|
+
return 301 /remote.php$request_uri;
|
150
|
+
}
|
151
|
+
|
136
152
|
# Serve static files
|
137
153
|
location ~ \.(?:css|js|mjs|svg|gif|png|jpg|ico|wasm|tflite|map|ogg|flac)$ {
|
138
154
|
try_files $uri /index.php$request_uri;
|
139
155
|
# HTTP response headers borrowed from Nextcloud `.htaccess`
|
140
|
-
add_header Cache-Control "public, max-age=15778463$assetImmutable";
|
141
156
|
add_header Referrer-Policy "no-referrer" always;
|
142
157
|
add_header X-Content-Type-Options "nosniff" always;
|
143
158
|
add_header X-Frame-Options "SAMEORIGIN" always;
|
144
159
|
add_header X-Permitted-Cross-Domain-Policies "none" always;
|
145
160
|
add_header X-Robots-Tag "noindex, nofollow" always;
|
146
161
|
add_header X-XSS-Protection "1; mode=block" always;
|
162
|
+
add_header Cache-Control "public, max-age=15778463$assetImmutable";
|
163
|
+
add_header X-XSS-Protection "1; mode=block" always;
|
147
164
|
access_log off; # Optional: Don't log access to assets
|
148
165
|
}
|
149
166
|
|
@@ -153,9 +170,30 @@ server
|
|
153
170
|
access_log off; # Optional: Don't log access to assets
|
154
171
|
}
|
155
172
|
|
156
|
-
|
157
|
-
|
158
|
-
|
173
|
+
location /wapps/ {
|
174
|
+
alias /var/lib/nextcloud/apps/;
|
175
|
+
|
176
|
+
# Serve static files
|
177
|
+
location ~ \.(?:css|js|mjs|svg|gif|png|jpg|ico|wasm|tflite|map|ogg|flac)$ {
|
178
|
+
try_files $uri /index.php$request_uri;
|
179
|
+
# HTTP response headers borrowed from Nextcloud `.htaccess`
|
180
|
+
add_header Referrer-Policy "no-referrer" always;
|
181
|
+
add_header X-Content-Type-Options "nosniff" always;
|
182
|
+
add_header X-Frame-Options "SAMEORIGIN" always;
|
183
|
+
add_header X-Permitted-Cross-Domain-Policies "none" always;
|
184
|
+
add_header X-Robots-Tag "noindex, nofollow" always;
|
185
|
+
add_header X-XSS-Protection "1; mode=block" always;
|
186
|
+
add_header Cache-Control "public, max-age=15778463$assetImmutable";
|
187
|
+
add_header X-XSS-Protection "1; mode=block" always;
|
188
|
+
access_log off; # Optional: Don't log access to assets
|
189
|
+
}
|
190
|
+
|
191
|
+
location ~ \.woff2?$ {
|
192
|
+
try_files $uri /index.php$request_uri;
|
193
|
+
expires 7d; # Cache-Control policy borrowed from `.htaccess`
|
194
|
+
access_log off; # Optional: Don't log access to assets
|
195
|
+
}
|
196
|
+
|
159
197
|
}
|
160
198
|
|
161
199
|
location / {
|
@@ -3,6 +3,10 @@ module ConfigLMM
|
|
3
3
|
module LMM
|
4
4
|
class Nextcloud < Framework::NginxApp
|
5
5
|
|
6
|
+
USER = 'nextcloud'
|
7
|
+
HOME_DIR = '/var/lib/nextcloud'
|
8
|
+
PACKAGE_NAME = 'Nextcloud'
|
9
|
+
|
6
10
|
def actionNextcloudBuild(id, target, state, context, options)
|
7
11
|
writeNginxConfig(__dir__, 'Nextcloud', id, target, state, context, options)
|
8
12
|
end
|
@@ -12,8 +16,61 @@ module ConfigLMM
|
|
12
16
|
end
|
13
17
|
|
14
18
|
def actionNextcloudDeploy(id, target, activeState, context, options)
|
15
|
-
if
|
16
|
-
|
19
|
+
if target['Location'] && target['Location'] != '@me'
|
20
|
+
uri = Addressable::URI.parse(target['Location'])
|
21
|
+
raise Framework::PluginProcessError.new("#{id}: Unknown Protocol: #{uri.scheme}!") if uri.scheme != 'ssh'
|
22
|
+
self.class.sshStart(uri) do |ssh|
|
23
|
+
if !target.key?('Proxy') || target['Proxy'] != 'only'
|
24
|
+
Framework::LinuxApp.ensurePackages([PHP_FPM::PHPFPM_PACKAGE], ssh)
|
25
|
+
Framework::LinuxApp.ensureServiceAutoStartOverSSH(PHP_FPM::PHPFPM_SERVICE, ssh)
|
26
|
+
distroInfo = Framework::LinuxApp.ensurePackages([PACKAGE_NAME], ssh)
|
27
|
+
addUserCmd = "#{distroInfo['CreateServiceUser']} --home-dir '#{HOME_DIR}' --create-home --comment 'Nextcloud' #{USER}"
|
28
|
+
self.class.sshExec!(ssh, addUserCmd, true)
|
29
|
+
self.class.sshExec!(ssh, "mkdir -p /var/log/php/ /var/lib/nextcloud/apps/ /var/lib/nextcloud/data/")
|
30
|
+
self.class.sshExec!(ssh, "touch /var/log/php/nextcloud.errors.log")
|
31
|
+
self.class.sshExec!(ssh, "touch /var/log/php/nextcloud.mail.log")
|
32
|
+
self.class.sshExec!(ssh, "chown #{USER}:#{USER} /var/log/php/nextcloud.errors.log")
|
33
|
+
self.class.sshExec!(ssh, "chown #{USER}:#{USER} /var/log/php/nextcloud.mail.log")
|
34
|
+
PHP_FPM::fixConfigFileOverSSH(distroInfo, ssh)
|
35
|
+
|
36
|
+
webappsDir = PHP_FPM::webappsDir(distroInfo)
|
37
|
+
configDir = webappsDir + 'nextcloud/config/'
|
38
|
+
if !self.class.remoteFilePresent?(configDir + 'config.php', ssh)
|
39
|
+
self.class.uploadNotPresent(__dir__ + '/config.php', configDir, ssh)
|
40
|
+
self.class.sshExec!(ssh, "sed -i \"s|'instanceid' .*|'instanceid' => '#{SecureRandom.alphanumeric(10)}',|\" #{configDir}config.php")
|
41
|
+
self.class.sshExec!(ssh, "touch #{configDir}CAN_INSTALL")
|
42
|
+
self.class.sshExec!(ssh, "sed -i 's|/usr/share/webapps/|#{webappsDir}|' #{configDir}config.php")
|
43
|
+
end
|
44
|
+
self.class.sshExec!(ssh, "chown -R nextcloud:nextcloud #{configDir}")
|
45
|
+
self.class.sshExec!(ssh, "chown -R nextcloud:nextcloud /var/lib/nextcloud/")
|
46
|
+
|
47
|
+
target['Database'] ||= {}
|
48
|
+
if !target['Database']['Type'] || target['Database']['Type'] == 'pgsql'
|
49
|
+
PostgreSQL.createRemoteUserAndDBOverSSH(target['Database'], USER, nil, ssh)
|
50
|
+
end
|
51
|
+
|
52
|
+
target['User'] = USER unless target['User']
|
53
|
+
name = 'nextcloud'
|
54
|
+
self.updateRemoteFile(ssh, PHP_FPM.configDir(distroInfo) + name + '.conf', options, false, ';') do |configLines|
|
55
|
+
PHP_FPM.writeConfig(name, target, distroInfo, configLines)
|
56
|
+
end
|
57
|
+
|
58
|
+
Framework::LinuxApp.startServiceOverSSH(PHP_FPM::PHPFPM_SERVICE, ssh)
|
59
|
+
end
|
60
|
+
if !target.key?('Proxy') || target['Proxy']
|
61
|
+
self.class.prepareNginxConfig(target, ssh)
|
62
|
+
self.writeNginxConfig(__dir__, 'Nextcloud', id, target, state, context, options)
|
63
|
+
distroInfo = Framework::LinuxApp.ensurePackages([PACKAGE_NAME], ssh)
|
64
|
+
webappsDir = PHP_FPM::webappsDir(distroInfo)
|
65
|
+
nginxFile = options['output'] + '/nginx/servers-lmm/Nextcloud.conf'
|
66
|
+
`sed -i 's|root .*|root #{webappsDir}nextcloud;|' #{nginxFile}`
|
67
|
+
deployNginxConfig(id, target, activeState, context, options)
|
68
|
+
end
|
69
|
+
end
|
70
|
+
else
|
71
|
+
if !target.key?('Proxy') || target['Proxy']
|
72
|
+
deployNginxConfig(id, target, activeState, context, options)
|
73
|
+
end
|
17
74
|
activeState['Location'] = '@me'
|
18
75
|
end
|
19
76
|
end
|
@@ -0,0 +1,18 @@
|
|
1
|
+
<?php
|
2
|
+
|
3
|
+
$CONFIG = [
|
4
|
+
'instanceid' => '',
|
5
|
+
'datadirectory' => '/var/lib/nextcloud/data/',
|
6
|
+
'apps_paths' => [
|
7
|
+
[
|
8
|
+
'path'=> '/usr/share/webapps/nextcloud/apps',
|
9
|
+
'url' => '/apps',
|
10
|
+
'writable' => false,
|
11
|
+
],
|
12
|
+
[
|
13
|
+
'path'=> '/var/lib/nextcloud/apps',
|
14
|
+
'url' => '/wapps',
|
15
|
+
'writable' => true,
|
16
|
+
],
|
17
|
+
]
|
18
|
+
];
|
@@ -0,0 +1,62 @@
|
|
1
|
+
|
2
|
+
server_tokens off;
|
3
|
+
|
4
|
+
tcp_nopush on;
|
5
|
+
|
6
|
+
# Needed for OCSP stapling
|
7
|
+
resolver 127.0.0.53;
|
8
|
+
|
9
|
+
|
10
|
+
# types_hash_max_size 4096;
|
11
|
+
# types_hash_bucket_size 64;
|
12
|
+
# proxy_headers_hash_max_size 512;
|
13
|
+
# proxy_headers_hash_bucket_size 128;
|
14
|
+
|
15
|
+
|
16
|
+
gzip on;
|
17
|
+
gzip_vary on;
|
18
|
+
gzip_proxied any;
|
19
|
+
gzip_comp_level 6;
|
20
|
+
gzip_min_length 256;
|
21
|
+
|
22
|
+
# do not remove ETag headers
|
23
|
+
gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
|
24
|
+
|
25
|
+
gzip_types application/atom+xml text/javascript text/xml application/xml+rss application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/wasm application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
|
26
|
+
|
27
|
+
|
28
|
+
charset utf-8;
|
29
|
+
charset_types text/css text/plain text/xml text/javascript text/vnd.wap.wml application/json application/javascript application/xml application/xml+rss application/rss+xm image/svg+xml;
|
30
|
+
proxy_intercept_errors on;
|
31
|
+
fastcgi_intercept_errors on;
|
32
|
+
|
33
|
+
map $http_accept $errorExtension
|
34
|
+
{
|
35
|
+
default html;
|
36
|
+
~application/json json;
|
37
|
+
~application/activity+json json;
|
38
|
+
}
|
39
|
+
|
40
|
+
map $http_upgrade $connectionUpgrade
|
41
|
+
{
|
42
|
+
default upgrade;
|
43
|
+
'' '';
|
44
|
+
}
|
45
|
+
|
46
|
+
# Set the `immutable` cache control options only for assets with a cache busting `v` argument
|
47
|
+
map $arg_v $assetImmutable
|
48
|
+
{
|
49
|
+
"" "";
|
50
|
+
default ", immutable";
|
51
|
+
}
|
52
|
+
|
53
|
+
root /srv/www/root;
|
54
|
+
|
55
|
+
ssl_certificate "/etc/letsencrypt/live/Wildcard/fullchain.pem";
|
56
|
+
ssl_certificate_key "/etc/letsencrypt/live/Wildcard/privkey.pem";
|
57
|
+
ssl_trusted_certificate "/etc/letsencrypt/live/Wildcard/chain.pem";
|
58
|
+
|
59
|
+
# Load modular configuration files from the /etc/nginx/servers directory.
|
60
|
+
# See http://nginx.org/en/docs/ngx_core_module.html#include
|
61
|
+
# for more information.
|
62
|
+
include servers-lmm/*.conf;
|
@@ -0,0 +1,31 @@
|
|
1
|
+
|
2
|
+
server {
|
3
|
+
listen 80 default_server;
|
4
|
+
listen [::]:80 default_server;
|
5
|
+
server_name _;
|
6
|
+
|
7
|
+
include config-lmm/errors.conf;
|
8
|
+
|
9
|
+
deny all;
|
10
|
+
}
|
11
|
+
|
12
|
+
server {
|
13
|
+
<% if config['NginxVersion'] >= 1.25 %>
|
14
|
+
listen 443 default_server ssl reuseport;
|
15
|
+
listen [::]:443 default_server ssl reuseport;
|
16
|
+
http2 on;
|
17
|
+
<% else %>
|
18
|
+
listen 443 default_server ssl reuseport http2;
|
19
|
+
listen [::]:443 default_server ssl reuseport http2;
|
20
|
+
<% end %>
|
21
|
+
|
22
|
+
server_name _;
|
23
|
+
|
24
|
+
deny all;
|
25
|
+
|
26
|
+
ssl_early_data on;
|
27
|
+
|
28
|
+
include config-lmm/errors.conf;
|
29
|
+
include config-lmm/security.conf;
|
30
|
+
include config-lmm/ssl.conf;
|
31
|
+
}
|
@@ -1,90 +1,25 @@
|
|
1
1
|
|
2
|
-
load_module "/usr/lib/nginx/modules/ngx_http_passenger_module.so";
|
3
|
-
#load_module "/usr/lib/nginx/modules/ngx_http_stub_status_module.so";
|
4
|
-
|
5
|
-
#user http;
|
6
2
|
worker_processes 4;
|
7
3
|
|
8
|
-
#error_log logs/error.log;
|
9
|
-
#error_log logs/error.log notice;
|
10
|
-
#error_log logs/error.log info;
|
11
4
|
error_log /var/log/nginx/error.log info;
|
12
5
|
|
13
|
-
#pid logs/nginx.pid;
|
14
|
-
|
15
|
-
|
16
6
|
events {
|
17
7
|
worker_connections 1024;
|
8
|
+
use epoll;
|
18
9
|
}
|
19
10
|
|
20
|
-
|
21
11
|
http {
|
22
12
|
include mime.types;
|
23
13
|
default_type application/octet-stream;
|
24
|
-
server_tokens off;
|
25
|
-
|
26
|
-
types_hash_max_size 4096;
|
27
|
-
types_hash_bucket_size 64;
|
28
|
-
proxy_headers_hash_max_size 512;
|
29
|
-
proxy_headers_hash_bucket_size 128;
|
30
|
-
|
31
|
-
#log_format main '$remote_addr - $remote_user [$time_local] "$request" '
|
32
|
-
# '$status $body_bytes_sent "$http_referer" '
|
33
|
-
# '"$http_user_agent" "$http_x_forwarded_for"';
|
34
|
-
|
35
|
-
#access_log logs/access.log main;
|
36
14
|
|
37
15
|
sendfile on;
|
38
|
-
tcp_nopush on;
|
39
|
-
resolver 127.0.0.53;
|
40
|
-
|
41
|
-
gzip on;
|
42
|
-
gzip_vary on;
|
43
|
-
gzip_proxied any;
|
44
|
-
gzip_comp_level 6;
|
45
|
-
gzip_min_length 256;
|
46
|
-
|
47
|
-
# do not remove ETag headers
|
48
|
-
gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
|
49
|
-
|
50
|
-
gzip_types application/atom+xml text/javascript text/xml application/xml+rss application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/wasm application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
|
51
|
-
|
52
|
-
|
53
|
-
charset utf-8;
|
54
|
-
charset_types text/css text/plain text/xml text/javascript text/vnd.wap.wml application/json application/javascript application/xml application/xml+rss application/rss+xm image/svg+xml;
|
55
|
-
proxy_intercept_errors on;
|
56
|
-
fastcgi_intercept_errors on;
|
57
|
-
|
58
|
-
map $http_accept $errorExtension
|
59
|
-
{
|
60
|
-
default html;
|
61
|
-
~application/json json;
|
62
|
-
~application/activity+json json;
|
63
|
-
}
|
64
|
-
|
65
|
-
map $http_upgrade $connectionUpgrade
|
66
|
-
{
|
67
|
-
default upgrade;
|
68
|
-
'' '';
|
69
|
-
}
|
70
|
-
|
71
|
-
# Set the `immutable` cache control options only for assets with a cache busting `v` argument
|
72
|
-
map $arg_v $assetImmutable
|
73
|
-
{
|
74
|
-
"" "";
|
75
|
-
default ", immutable";
|
76
|
-
}
|
77
|
-
|
78
|
-
passenger_ruby /usr/bin/ruby;
|
79
|
-
passenger_root /usr/lib/passenger;
|
80
16
|
|
81
|
-
|
17
|
+
include conf.d/*.conf;
|
82
18
|
|
83
19
|
include /etc/nginx/main.conf;
|
84
20
|
|
85
21
|
# Load modular configuration files from the /etc/nginx/servers directory.
|
86
22
|
# See http://nginx.org/en/docs/ngx_core_module.html#include
|
87
23
|
# for more information.
|
88
|
-
include
|
89
|
-
include /etc/nginx/servers-lmm/*.conf;
|
24
|
+
include vhosts.d/*.conf;
|
90
25
|
}
|
@@ -2,19 +2,21 @@
|
|
2
2
|
module ConfigLMM
|
3
3
|
module LMM
|
4
4
|
class Nginx < Framework::NginxApp
|
5
|
-
|
6
|
-
|
7
|
-
|
5
|
+
CERTBOT_PACKAGE = 'CertBotNginx'
|
6
|
+
REPOS_CACHE = '~/.cache/configlmm/repos'
|
7
|
+
ERROR_PAGES_REPO = 'https://github.com/HttpErrorPages/HttpErrorPages.git'
|
8
8
|
|
9
9
|
def actionNginxBuild(id, target, activeState, context, options)
|
10
|
+
|
10
11
|
dir = options['output'] + '/nginx/'
|
11
|
-
mkdir(dir, options[:dry])
|
12
|
+
mkdir(dir + 'conf.d', options[:dry])
|
13
|
+
mkdir(dir + 'servers-lmm', options[:dry])
|
12
14
|
copy(__dir__ + '/config-lmm', dir, options[:dry])
|
13
|
-
# TODO, maybe evaluate them as template?
|
14
15
|
copy(__dir__ + '/nginx.conf', dir, options[:dry])
|
15
|
-
copy(__dir__ + '/
|
16
|
-
|
17
|
-
mkdir(options['output'] +
|
16
|
+
copy(__dir__ + '/conf.d/configlmm.conf', dir + 'conf.d/', options[:dry])
|
17
|
+
|
18
|
+
mkdir(options['output'] + WWW_DIR + 'root', options[:dry])
|
19
|
+
mkdir(options['output'] + WWW_DIR + 'errors', options[:dry])
|
18
20
|
end
|
19
21
|
|
20
22
|
# TODO
|
@@ -25,13 +27,68 @@ module ConfigLMM
|
|
25
27
|
def actionNginxDeploy(id, target, activeState, context, options)
|
26
28
|
dir = options['output'] + '/nginx/'
|
27
29
|
|
28
|
-
if
|
30
|
+
if target['Location'] && target['Location'] != '@me'
|
31
|
+
uri = Addressable::URI.parse(target['Location'])
|
32
|
+
raise Framework::PluginProcessError.new("Unknown Protocol: #{uri.scheme}!") if uri.scheme != 'ssh'
|
33
|
+
self.class.sshStart(uri) do |ssh|
|
34
|
+
Framework::LinuxApp.ensurePackages([CERTBOT_PACKAGE], ssh)
|
35
|
+
self.class.prepareNginxConfig(target, ssh)
|
36
|
+
|
37
|
+
self.class.sshExec!(ssh, "mkdir -p #{CONFIG_DIR}conf.d")
|
38
|
+
self.class.sshExec!(ssh, "mkdir -p #{WWW_DIR}root")
|
39
|
+
self.class.sshExec!(ssh, "mkdir -p #{WWW_DIR}errors")
|
40
|
+
ssh.scp.upload!(dir + 'nginx.conf', CONFIG_DIR + 'nginx.conf')
|
41
|
+
ssh.scp.upload!(dir + 'conf.d/configlmm.conf', CONFIG_DIR + 'conf.d/configlmm.conf')
|
42
|
+
resolverIP = self.class.sshExec!(ssh, "cat /etc/resolv.conf | grep 'nameserver' | grep -v ':' | cut -d ' ' -f 2").strip
|
43
|
+
self.class.sshExec!(ssh, "sed -i 's|^resolver .*|resolver #{resolverIP};|' /etc/nginx/conf.d/configlmm.conf")
|
44
|
+
|
45
|
+
self.class.uploadFolder(dir + 'config-lmm', CONFIG_DIR, ssh)
|
46
|
+
self.class.uploadFolder(dir + 'servers-lmm', CONFIG_DIR, ssh)
|
47
|
+
|
48
|
+
template = ERB.new(File.read(__dir__ + '/main.conf.erb'))
|
49
|
+
renderTemplate(template, target, dir + 'main.conf', options)
|
50
|
+
ssh.scp.upload!(dir + 'main.conf', CONFIG_DIR + 'main.conf')
|
51
|
+
|
52
|
+
if !self.class.remoteFilePresent?(WWW_DIR + 'errors/HTTP500.html', ssh)
|
53
|
+
errorPages = File.expand_path(REPOS_CACHE + '/HttpErrorPages')
|
54
|
+
if !File.exist?(errorPages)
|
55
|
+
mkdir(File.expand_path(REPOS_CACHE), false)
|
56
|
+
begin
|
57
|
+
Framework::LinuxApp.ensurePackages(['git', 'Yarn'], '@me')
|
58
|
+
rescue error
|
59
|
+
prompt.say(error, :color => :red)
|
60
|
+
end
|
61
|
+
`cd #{REPOS_CACHE} && git clone --quiet #{ERROR_PAGES_REPO} > /dev/null`
|
62
|
+
end
|
63
|
+
`cd #{errorPages} && yarn install --silent`
|
64
|
+
`cd #{errorPages} && yarn run static config-dist.json > /dev/null`
|
65
|
+
`cd #{errorPages} && cp -R dist errors`
|
66
|
+
self.class.uploadFolder(errorPages + '/errors', WWW_DIR, ssh)
|
67
|
+
end
|
68
|
+
|
69
|
+
Framework::LinuxApp.createCertificateOverSSH(ssh)
|
70
|
+
end
|
71
|
+
else
|
72
|
+
self.class.prepareNginxConfig(target, nil)
|
73
|
+
|
29
74
|
copy(dir + '/config-lmm', CONFIG_DIR, options[:dry])
|
30
|
-
|
31
|
-
|
32
|
-
|
33
|
-
mkdir(
|
34
|
-
mkdir(
|
75
|
+
copy(dir + '/nginx.conf', CONFIG_DIR, options[:dry])
|
76
|
+
|
77
|
+
copy(dir + '/servers-lmm', CONFIG_DIR, options['dry'])
|
78
|
+
mkdir(WWW_DIR + 'root', options[:dry])
|
79
|
+
mkdir(WWW_DIR + 'errors', options[:dry])
|
80
|
+
|
81
|
+
template = ERB.new(File.read(__dir__ + '/main.conf.erb'))
|
82
|
+
renderTemplate(template, target, dir + 'main.conf', options)
|
83
|
+
copy(dir + '/main.conf', CONFIG_DIR, options[:dry])
|
84
|
+
|
85
|
+
dir = "/etc/letsencrypt/live/Wildcard/"
|
86
|
+
`mkdir -p #{dir}`
|
87
|
+
if !File.exist?(dir + 'fullchain.pem')
|
88
|
+
`openssl req -x509 -noenc -days 90 -newkey rsa:2048 -keyout #{dir}privkey.pem -out #{dir}fullchain.pem -subj "/C=US/O=ConfigLMM/CN=Wildcard"`
|
89
|
+
`cp #{dir}fullchain.pem #{dir}chain.pem`
|
90
|
+
end
|
91
|
+
|
35
92
|
end
|
36
93
|
# Consider:
|
37
94
|
# * Deploy on current host
|
@@ -1,29 +1,46 @@
|
|
1
1
|
|
2
2
|
upstream odoo {
|
3
|
-
|
3
|
+
<% if config['Server'] %>
|
4
|
+
server <%= config['Server'] %>;
|
5
|
+
<% else %>
|
6
|
+
server 127.0.0.1:8069;
|
7
|
+
<% end %>
|
4
8
|
}
|
5
9
|
|
6
10
|
server {
|
7
11
|
|
8
|
-
<% if
|
9
|
-
|
10
|
-
|
11
|
-
|
12
|
-
|
13
|
-
|
12
|
+
<% if config['NginxVersion'] >= 1.25 %>
|
13
|
+
<% if !config['TLS'] %>
|
14
|
+
listen <%= config['Port'] %>;
|
15
|
+
listen [::]:<%= config['Port'] %>;
|
16
|
+
<% else %>
|
17
|
+
listen <%= config['Port'] %> ssl;
|
18
|
+
listen [::]:<%= config['Port'] %> ssl;
|
19
|
+
|
20
|
+
include config-lmm/ssl.conf;
|
21
|
+
<% end %>
|
14
22
|
http2 on;
|
15
|
-
|
23
|
+
http3 on;
|
24
|
+
quic_retry on;
|
25
|
+
add_header Alt-Svc 'h3=":443"; ma=86400';
|
26
|
+
<% else %>
|
27
|
+
<% if !config['TLS'] %>
|
28
|
+
listen <%= config['Port'] %>;
|
29
|
+
listen [::]:<%= config['Port'] %>;
|
30
|
+
<% else %>
|
31
|
+
listen <%= config['Port'] %> ssl http2;
|
32
|
+
listen [::]:<%= config['Port'] %> ssl http2;
|
33
|
+
|
34
|
+
include config-lmm/ssl.conf;
|
35
|
+
<% end %>
|
16
36
|
<% end %>
|
17
37
|
|
18
38
|
server_name <%= config['Domain'] %>;
|
19
39
|
|
20
|
-
root /usr/share/nginx/html;
|
21
|
-
index index.html index.htm;
|
22
40
|
access_log /var/log/nginx/odoo.access.log;
|
23
41
|
error_log /var/log/nginx/odoo.error.log;
|
24
42
|
|
25
|
-
include config/
|
26
|
-
include config/errors.conf;
|
43
|
+
include config-lmm/errors.conf;
|
27
44
|
|
28
45
|
location / {
|
29
46
|
proxy_pass http://odoo;
|
@@ -31,7 +48,7 @@ server {
|
|
31
48
|
proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
|
32
49
|
proxy_redirect off;
|
33
50
|
|
34
|
-
include config/proxy.conf;
|
51
|
+
include config-lmm/proxy.conf;
|
35
52
|
}
|
36
53
|
|
37
54
|
# cache some static data in memory for 60mins
|
@@ -0,0 +1,17 @@
|
|
1
|
+
|
2
|
+
[Unit]
|
3
|
+
Description=Odoo container
|
4
|
+
After=local-fs.target
|
5
|
+
|
6
|
+
[Container]
|
7
|
+
Image=odoo:latest
|
8
|
+
EnvironmentFile=/var/lib/odoo/.config/containers/systemd/Odoo.env
|
9
|
+
Network=slirp4netns:allow_host_loopback=true
|
10
|
+
PublishPort=0.0.0.0:8069:8069
|
11
|
+
UserNS=keep-id:uid=101,gid=101
|
12
|
+
Volume=/var/lib/odoo/config:/etc/odoo
|
13
|
+
Volume=/var/lib/odoo/data:/var/lib/odoo
|
14
|
+
Volume=/var/lib/odoo/addons:/mnt/extra-addons
|
15
|
+
|
16
|
+
[Install]
|
17
|
+
WantedBy=multi-user.target default.target
|