ConfigLMM 0.2.0 → 0.4.0

data/Plugins/Apps/GitLab/GitLab.lmm.rb

@@ -0,0 +1,100 @@
+
+module ConfigLMM
+    module LMM
+        class GitLab < Framework::NginxApp
+
+            HOME_DIR = '/var/lib/gitlab'
+            IMAGE_ID = 'docker.io/gitlab/gitlab-ce:latest'
+
+            def actionGitLabDeploy(id, target, activeState, context, options)
+
+                if target['Location'] && target['Location'] != '@me'
+                    uri = Addressable::URI.parse(target['Location'])
+                    raise Framework::PluginProcessError.new("#{id}: Unknown Protocol: #{uri.scheme}!") if uri.scheme != 'ssh'
+
+                    self.class.sshStart(uri) do |ssh|
+                        self.prepareConfig(target, ssh)
+
+                        distroInfo = Framework::LinuxApp.currentDistroInfo(ssh)
+                        self.class.exec("mkdir -p #{HOME_DIR}/config", ssh)
+                        self.class.exec("mkdir -p #{HOME_DIR}/logs", ssh)
+                        self.class.exec("mkdir -p #{HOME_DIR}/data", ssh)
+                        self.class.exec("mkdir -p #{HOME_DIR}/backups", ssh)
+
+                        path = '/etc/containers/systemd'
+                        ssh.scp.upload!(__dir__ + '/GitLab.container', path)
+
+                        if !target.key?('Proxy') || target['Proxy']
+                            deployNginxProxyConfig('http://127.0.0.1:18100', 'GitLab', id, target, activeState, state, context, options, ssh)
+                        elsif target.key?('Proxy') && target['Proxy'] == false
+                            self.class.exec("sed -i 's|PublishPort=127.0.0.1:18100:|PublishPort=0.0.0.0:18100:|' #{path}/GitLab.container", ssh)
+                            Framework::LinuxApp.firewallAddPort('18100/tcp', ssh)
+                        end
+
+                        Framework::LinuxApp.reloadServiceManager(ssh)
+                        Framework::LinuxApp.restartService('GitLab', ssh)
+
+                        configFile = HOME_DIR + '/config/gitlab.rb'
+                        while !self.class.remoteFilePresent?(configFile, ssh)
+                            sleep(2)
+                        end
+                        updateRemoteFile(ssh, configFile, options, true) do |fileLines|
+                            fileLines << "external_url 'https://#{target['Domain']}'\n"
+                            fileLines << "letsencrypt['enable'] = false\n"
+                            fileLines << "nginx['listen_port'] = 80\n"
+                            fileLines << "nginx['listen_https'] = false\n"
+                            fileLines << "registry_nginx['listen_port'] = 80\n"
+                            fileLines << "registry_nginx['listen_https'] = false\n"
+                            fileLines << "mattermost_nginx['listen_port'] = 80\n"
+                            fileLines << "mattermost_nginx['listen_https'] = false\n"
+                            if target['SMTP']
+                                fileLines << "gitlab_rails['smtp_address'] = '#{target['SMTP']['HostName']}'\n"
+                                fileLines << "gitlab_rails['smtp_port'] = '#{target['SMTP']['Port']}'\n"
+                                fileLines << "gitlab_rails['smtp_user_name'] = '#{target['SMTP']['User']}'\n"
+                                if target['SMTP']['TLS']
+                                    fileLines << "gitlab_rails['smtp_tls'] = true\n"
+                                    fileLines << "gitlab_rails['smtp_openssl_verify_mode'] = 'peer'\n"
+                                end
+                            end
+                        end
+
+                        Framework::LinuxApp.restartService('GitLab', ssh)
+                    end
+                else
+                    # TODO
+                end
+                activeState['Status'] = State::STATUS_DEPLOYED
+            end
+
+            def prepareConfig(target, ssh)
+              raise Framework::PluginProcessError.new('Domain field must be set!') unless target['Domain']
+
+              Framework::LinuxApp.ensurePackages([NGINX_PACKAGE], ssh)
+              self.class.prepareNginxConfig(target, ssh)
+            end
+
+            def cleanup(configs, state, context, options)
+                cleanupType(:GitLab, configs, state, context, options) do |item, id, state, context, options, ssh|
+                    if item['Proxy'].nil? || item['Proxy']
+                        self.cleanupNginxConfig('GitLab', id, state, context, options, ssh)
+                        self.class.reload(ssh, options[:dry])
+                    end
+                    Framework::LinuxApp.firewallRemovePort('18100/tcp', ssh, options[:dry])
+                    Framework::LinuxApp.stopService('GitLab', ssh, options[:dry])
+                    rm('/etc/containers/systemd/GitLab.container', options[:dry], ssh)
+                    self.class.exec("podman rmi #{IMAGE_ID}", ssh, true, options[:dry])
+                    state.item(id)['Status'] = State::STATUS_DELETED unless options[:dry]
+                    if options[:destroy]
+                        rm('/var/lib/gitlab', options[:dry], ssh)
+                        rm('/var/log/nginx/gitlab.access.log', options[:dry], ssh)
+                        rm('/var/log/nginx/gitlab.error.log', options[:dry], ssh)
+                        state.item(id)['Status'] = State::STATUS_DESTROYED unless options[:dry]
+                    end
+                end
+            end
+
+        end
+
+    end
+end
+

data/Plugins/Apps/LetsEncrypt/LetsEncrypt.lmm.rb

@@ -0,0 +1,57 @@
+
+module ConfigLMM
+    module LMM
+        class LetsEncrypt < Framework::LinuxApp
+
+            PACKAGE_NAME = 'CertBotNginx'
+            CONFIG_DIR = '/etc/letsencrypt/'
+
+            def actionLetsEncryptDeploy(id, target, activeState, context, options)
+                self.ensurePackage(PACKAGE_NAME, target['Location'])
+
+                if target['Location'] && target['Location'] != '@me'
+                    uri = Addressable::URI.parse(target['Location'])
+                    raise Framework::PluginProcessError.new("#{id}: Unknown Protocol: #{uri.scheme}!") if uri.scheme != 'ssh'
+
+                    self.class.sshStart(uri) do |ssh|
+                        ssh.scp.upload!(__dir__ + '/rfc2136.ini', CONFIG_DIR)
+                        ssh.scp.upload!(__dir__ + '/renew-certificates.service', '/etc/systemd/system/')
+                        ssh.scp.upload!(__dir__ + '/renew-certificates.timer', '/etc/systemd/system/')
+                        self.class.exec("mkdir -p #{CONFIG_DIR}renewal-hooks/deploy", ssh)
+                        target['Hooks'].to_a.each do |hook|
+                            ssh.scp.upload!(__dir__ + '/hooks/' + hook + '.sh', "#{CONFIG_DIR}renewal-hooks/deploy/")
+                        end
+                        self.class.exec("chmod +x #{CONFIG_DIR}renewal-hooks/deploy/*.sh", ssh)
+                        self.class.exec("sed -i 's|$IP|#{target['DNS']['IP']}|' #{CONFIG_DIR}/rfc2136.ini", ssh)
+                        self.class.exec("sed -i 's|$SECRET|#{ENV['LETSENCRYPT_DNS_SECRET']}|' #{CONFIG_DIR}/rfc2136.ini", ssh)
+                        self.class.exec("chmod 600 #{CONFIG_DIR}/rfc2136.ini", ssh)
+                        if target['Domain']
+                            createCertificate('Wildcard', target['Domain'], target, ssh)
+                        end
+                        target['Certificates'].to_h.each do |name, domain|
+                            createCertificate(name, domain, target, ssh)
+                        end
+
+                        self.class.exec("systemctl daemon-reload", ssh)
+                        self.class.exec("systemctl enable renew-certificates.timer", ssh)
+                        self.class.exec("systemctl start renew-certificates.timer", ssh)
+                    end
+                else
+                    # TODO
+                end
+            end
+
+            def createCertificate(name, domain, target, ssh)
+                domains = ['--domains "' + Addressable::IDNA.to_ascii(domain) + '"']
+                if domain.start_with?('*.')
+                    domains << '--domains "' + Addressable::IDNA.to_ascii(domain[2..-1]) + '"'
+                end
+                extra = ''
+                extra = '--dns-rfc2136-propagation-seconds ' + target['DNS']['Propagation'].to_s if target['DNS']['Propagation']
+                self.class.exec("certbot certonly --dns-rfc2136 --dns-rfc2136-credentials=/etc/letsencrypt/rfc2136.ini #{extra} --non-interactive --agree-tos --email #{target['EMail']} --cert-name '#{name}' #{domains.join(' ')}", ssh)
+            end
+
+        end
+
+    end
+end

data/Plugins/Apps/LetsEncrypt/hooks/dovecot.sh

@@ -0,0 +1,2 @@
+#!/usr/bin/sh
+systemctl reload dovecot

data/Plugins/Apps/LetsEncrypt/hooks/nginx.sh

@@ -0,0 +1,2 @@
+#!/usr/bin/sh
+systemctl reload nginx

data/Plugins/Apps/LetsEncrypt/hooks/postfix.sh

@@ -0,0 +1,2 @@
+#!/usr/bin/sh
+systemctl reload postfix

data/Plugins/Apps/LetsEncrypt/renew-certificates.service

@@ -0,0 +1,7 @@
+
+[Unit]
+Description=Renew certificates
+
+[Service]
+Type=oneshot
+ExecStart=/usr/bin/certbot renew

data/Plugins/Apps/LetsEncrypt/renew-certificates.timer

@@ -0,0 +1,12 @@
+
+[Unit]
+Description=Renew certificates
+
+[Timer]
+OnCalendar=*-*-1/2 04:20
+AccuracySec=12h
+RandomizedDelaySec=24h
+Persistent=true
+
+[Install]
+WantedBy=timers.target

data/Plugins/Apps/LetsEncrypt/rfc2136.ini

@@ -0,0 +1,11 @@
+
+# Target DNS server
+dns_rfc2136_server = $IP
+# Target DNS port
+dns_rfc2136_port = 53
+# TSIG key name
+dns_rfc2136_name = configlmm.
+# TSIG key secret
+dns_rfc2136_secret = $SECRET
+# TSIG key algorithm
+dns_rfc2136_algorithm = HMAC-SHA512

data/Plugins/Apps/MariaDB/MariaDB.lmm.rb

@@ -0,0 +1,115 @@
+require_relative '../../OS/Linux/Linux.lmm.rb'
+
+module ConfigLMM
+    module LMM
+        class MariaDB < Framework::LinuxApp
+            PACKAGE_NAME = 'MariaDB'
+            SERVICE_NAME = 'mariadb'
+            USER_NAME = 'mariadb'
+
+            def actionMariaDBDeploy(id, target, activeState, context, options)
+                self.ensurePackage(PACKAGE_NAME, target['Location'])
+                self.ensureServiceAutoStart(SERVICE_NAME, target['Location'])
+                self.startService(SERVICE_NAME, target['Location'])
+
+                if target['Location'] && target['Location'] != '@me'
+                    uri = Addressable::URI.parse(target['Location'])
+                    raise Framework::PluginProcessError.new("#{id}: Unknown Protocol: #{uri.scheme}!") if uri.scheme != 'ssh'
+
+                    self.class.sshStart(uri) do |ssh|
+                        self.class.secureInstallation(ssh)
+                        if target['Listen']
+                            self.class.exec("sed -i 's|bind-address .*|bind-address = #{target['Listen']}|' /etc/my.cnf", ssh)
+                            self.class.restartService(SERVICE_NAME, ssh)
+                        end
+                    end
+                else
+                    # TODO
+                end
+
+                activeState['Status'] = State::STATUS_DEPLOYED
+            end
+
+            def cleanup(configs, state, context, options)
+                cleanupType(:MariaDB, configs, state, context, options) do |item, id, state, context, options, ssh|
+                    Framework::LinuxApp.stopService(SERVICE_NAME, ssh, options[:dry])
+                    Framework::LinuxApp.disableService(SERVICE_NAME, ssh, options[:dry])
+                    Framework::LinuxApp.removePackage(PACKAGE_NAME, ssh, options[:dry])
+
+                    state.item(id)['Status'] = State::STATUS_DELETED unless options[:dry]
+                end
+            end
+
+            def self.secureInstallation(ssh)
+                status = {}
+                output = ''
+                channel = ssh.exec("mariadb-secure-installation", status: status) do |channel, stream, data|
+                    output += data
+                    channel.send_data("\n")  # Empty root password
+                    channel.send_data("Y\n") # unix_socket authentication
+                    channel.send_data("N\n") # change the root password
+                    channel.send_data("Y\n") # remove anonymous users
+                    channel.send_data("Y\n") # disallow root login remotely
+                    channel.send_data("Y\n") # remove test database
+                    channel.send_data("Y\n") # reload privileges
+                end
+                channel.wait
+                if !status[:exit_code].zero?
+                    $stderr.puts(output)
+                    raise Framework::PluginProcessError.new("mariadb-secure-installation failed!")
+                end
+            end
+
+            def self.createRemoteUserAndDB(settings, user, password, ssh = nil)
+                self.executeRemotely(settings, ssh) do |ssh|
+                    host = 'localhost'
+                    host = '%' if settings['HostName'] != 'localhost'
+                    self.createUserAndDB(user, password, host, ssh)
+                end
+            end
+
+            def self.executeRemotely(settings, ssh = nil)
+                settings['HostName'] = 'localhost' unless settings['HostName']
+                if settings['HostName'] == 'localhost'
+                    yield(ssh)
+                else
+                    self.sshStart("ssh://#{settings['HostName']}/") do |ssh|
+                        yield(ssh)
+                    end
+                end
+            end
+
+            def self.createUserAndDB(user, password, host, ssh = nil)
+                self.executeSQL("CREATE USER '#{user}'@'#{host}'", nil, ssh, true)
+                self.executeSQL("ALTER USER '#{user}'@'#{host}' IDENTIFIED BY '#{password}'", nil, ssh)
+                self.executeSQL("CREATE DATABASE #{user}", nil, ssh, true)
+                self.executeSQL("GRANT ALL PRIVILEGES ON #{user}.* TO '#{user}'@'#{host}'", nil, ssh)
+            end
+
+            def self.createAdmin(ssh)
+                self.executeSQL("CREATE USER 'admin'@'%'", nil, ssh, true)
+                password = SecureRandom.alphanumeric(20)
+                self.executeSQL("ALTER USER 'admin'@'%' IDENTIFIED BY '#{password}'", nil, ssh)
+                self.executeSQL("GRANT ALL PRIVILEGES ON *.* TO 'admin'@'%' WITH GRANT OPTION", nil, ssh)
+                password
+            end
+
+            def self.dropAdmin(ssh)
+                self.executeSQL("DROP USER 'admin'@'%'", nil, ssh, true)
+            end
+
+            def self.tableExist?(db, table, ssh)
+                table = self.executeSQL("SHOW TABLES LIKE '#{table}'", db, ssh).strip
+                !table.empty?
+            end
+
+            def self.executeSQL(sql, db = nil, ssh = nil, allowFailure = false, dry = false)
+                db = '' unless db
+                cmd = " mariadb #{db} --execute=\"#{sql.gsub('"', '\\"')};\""
+                self.exec(cmd, ssh, allowFailure, dry)
+            end
+
+        end
+
+    end
+end

data/Plugins/Apps/Matrix/Element.container

@@ -0,0 +1,14 @@
+
+[Unit]
+Description=Matrix (Element) container
+After=local-fs.target
+
+[Container]
+Image=docker.io/vectorim/element-web:latest
+EnvironmentFile=/var/lib/matrix/.config/containers/systemd/Matrix.env
+PublishPort=127.0.0.1:18300:80
+Volume=/var/lib/matrix/config.json:/app/config.json
+AutoUpdate=registry
+
+[Install]
+WantedBy=multi-user.target default.target

data/Plugins/Apps/Matrix/Matrix.conf.erb

@@ -1,12 +1,56 @@
 
 server {
+
+    <% if !config['TLS'] %>
+        listen       <%= config['Port'] %>;
+        listen  [::]:<%= config['Port'] %>;
+    <% else %>
+        <% if config['NginxVersion'] >= 1.25 %>
+            listen <%= config['Port'] %> ssl;
+            listen [::]:<%= config['Port'] %> ssl;
+            http2 on;
+            http3 on;
+            quic_retry on;
+            add_header Alt-Svc 'h3=":<%= config['Port'] %>"; ma=86400';
+        <% else %>
+            listen <%= config['Port'] %> ssl http2;
+            listen [::]:<%= config['Port'] %> ssl http2;
+        <% end %>
+
+        include config-lmm/ssl.conf;
+    <% end %>
+
+    server_name <%= config['Domain'] %>;
+
+    access_log  /var/log/nginx/matrix.access.log;
+    error_log   /var/log/nginx/matrix.error.log;
+
+    include config-lmm/errors.conf;
+
+    location / {
+        proxy_pass http://localhost:18300;
+        include config-lmm/proxy.conf;
+    }
+}
+
+server {
+
     <% if !config['TLS'] %>
         listen       <%= config['Port'] %>;
         listen  [::]:<%= config['Port'] %>;
     <% else %>
-        listen       <%= config['Port'] %> ssl;
-        listen  [::]:<%= config['Port'] %> ssl;
-        http2 on;
+        <% if config['NginxVersion'] >= 1.25 %>
+            listen <%= config['Port'] %> ssl;
+            listen [::]:<%= config['Port'] %> ssl;
+            http2 on;
+            http3 on;
+            quic_retry on;
+            add_header Alt-Svc 'h3=":<%= config['Port'] %>"; ma=86400';
+        <% else %>
+            listen <%= config['Port'] %> ssl http2;
+            listen [::]:<%= config['Port'] %> ssl http2;
+        <% end %>
+
         include config-lmm/ssl.conf;
     <% end %>
 
@@ -14,12 +58,11 @@ server {
     #listen 8448 ssl http2 default_server;
     #listen [::]:8448 ssl http2 default_server;
 
-    server_name <%= config['Domain'] %>;
+    server_name <%= config['SynapseDomain'] %>;
 
     access_log  /var/log/nginx/matrix.access.log;
     error_log   /var/log/nginx/matrix.error.log;
 
-    include config-lmm/private.conf;
     include config-lmm/errors.conf;
 
     location ~ ^(/_matrix|/_synapse/client) {
@@ -28,6 +71,7 @@ server {
         # errors.
         proxy_pass http://localhost:8008;
         include config-lmm/proxy.conf;
+        proxy_intercept_errors off;
 
         # Nginx by default only allows file uploads up to 1M in size
         # Increase client_max_body_size to match max_upload_size defined in homeserver.yaml

data/Plugins/Apps/Matrix/Matrix.lmm.rb

@@ -3,6 +3,9 @@ module ConfigLMM
     module LMM
         class Matrix < Framework::NginxApp
 
+            USER = 'matrix'
+            HOME_DIR = '/var/lib/matrix'
+
             def actionMatrixBuild(id, target, state, context, options)
                 writeNginxConfig(__dir__, 'Matrix', id, target, state, context, options)
             end
@@ -12,12 +15,94 @@ module ConfigLMM
             end
 
             def actionMatrixDeploy(id, target, activeState, context, options)
-                if !target['Location'] || target['Location'] == '@me'
+                raise Framework::PluginProcessError.new('Domain field must be set!') unless target['Domain']
+                raise Framework::PluginProcessError.new('ServerName field must be set!') unless target['ServerName']
+
+                target['Database'] ||= {}
+                if target['Location'] && target['Location'] != '@me'
+                    uri = Addressable::URI.parse(target['Location'])
+                    raise Framework::PluginProcessError.new("#{id}: Unknown Protocol: #{uri.scheme}!") if uri.scheme != 'ssh'
+
+                    self.class.sshStart(uri) do |ssh|
+
+                        dbPassword = self.configurePostgreSQL(target['Database'], ssh)
+                        distroInfo = Framework::LinuxApp.currentDistroInfo(ssh)
+
+                        Framework::LinuxApp.configurePodmanServiceOverSSH(USER, HOME_DIR, 'Matrix', distroInfo, ssh)
+                        self.class.sshExec!(ssh, "su --login #{USER} --shell /bin/sh --command 'mkdir -p ~/data'")
+
+                        path = Framework::LinuxApp::SYSTEMD_CONTAINERS_PATH.gsub('~', HOME_DIR)
+                        self.class.exec("touch #{path}/Matrix.env", ssh)
+
+                        self.class.exec("chown #{USER}:#{USER} #{path}/Matrix.env", ssh)
+                        self.class.exec("chmod 600 #{path}/Matrix.env", ssh)
+
+                        ssh.scp.upload!(__dir__ + '/homeserver.yaml', HOME_DIR + '/data/')
+                        ssh.scp.upload!(__dir__ + '/log.config', HOME_DIR + '/data/')
+                        ssh.scp.upload!(__dir__ + '/config.json', HOME_DIR + '/')
+                        self.class.exec("chown -R #{USER}:#{USER} #{HOME_DIR}/data", ssh)
+
+                        self.class.exec("sed -i 's|$SERVER_NAME|#{target['ServerName']}|' #{HOME_DIR}/data/homeserver.yaml", ssh)
+                        self.class.exec("sed -i 's|$SYNAPSE_DOMAIN|#{target['SynapseDomain'].downcase}|' #{HOME_DIR}/data/homeserver.yaml", ssh)
+                        self.class.exec("sed -i 's|$DB_PASSWORD|#{dbPassword}|' #{HOME_DIR}/data/homeserver.yaml", ssh)
+                        self.class.exec("sed -i 's|$SECRET1|#{SecureRandom.urlsafe_base64(45)}|' #{HOME_DIR}/data/homeserver.yaml", ssh)
+                        self.class.exec("sed -i 's|$SECRET2|#{SecureRandom.urlsafe_base64(45)}|' #{HOME_DIR}/data/homeserver.yaml", ssh)
+                        self.class.exec("sed -i 's|$SECRET3|#{SecureRandom.urlsafe_base64(45)}|' #{HOME_DIR}/data/homeserver.yaml", ssh)
+
+                        self.class.exec("sed -i 's|$SYNAPSE_DOMAIN|#{target['SynapseDomain']}|' #{HOME_DIR}/config.json", ssh)
+                        self.class.exec("sed -i 's|$SERVER_NAME|#{target['ServerName']}|' #{HOME_DIR}/config.json", ssh)
+
+                        if target['SMTP']
+                            host = target['SMTP']['Host']
+                            host = HOST_IP if ['localhost', '127.0.0.1'].include?(host)
+                            self.class.exec("sed -i 's|smtp_host:.*|smtp_host: #{host}|' #{HOME_DIR}/data/homeserver.yaml", ssh)
+                            self.class.exec("sed -i 's|smtp_port:.*|smtp_port: #{target['SMTP']['Port']}|' #{HOME_DIR}/data/homeserver.yaml", ssh)
+                            self.class.exec("sed -i 's|smtp_user:.*|smtp_user: #{target['SMTP']['Username']}|' #{HOME_DIR}/data/homeserver.yaml", ssh)
+                            self.class.exec("sed -i 's|smtp_pass:.*|smtp_pass: #{ENV['MATRIX_SMTP_PASSWORD']}|' #{HOME_DIR}/data/homeserver.yaml", ssh)
+                            self.class.exec("sed -i 's|notif_from:.*|notif_from: #{target['SMTP']['From']}|' #{HOME_DIR}/data/homeserver.yaml", ssh)
+
+                            if target['SMTP']['Port'] == 465
+                                self.class.exec("sed -i 's|force_tls:.*|force_tls: true|' #{HOME_DIR}/data/homeserver.yaml", ssh)
+                            end
+                        else
+                            self.class.exec("sed -i 's|email:|ignore_email:|' #{HOME_DIR}/data/homeserver.yaml", ssh)
+                        end
+
+                        if target['OIDC']
+                            self.class.exec("sed -i 's|$OIDC_ISSUER|#{target['OIDC']['Issuer']}|' #{HOME_DIR}/data/homeserver.yaml", ssh)
+                            self.class.exec("sed -i 's|$CLIENT_ID|#{ENV['MATRIX_OIDC_CLIENT_ID']}|' #{HOME_DIR}/data/homeserver.yaml", ssh)
+                            self.class.exec("sed -i 's|$CLIENT_SECRET|#{ENV['MATRIX_OIDC_CLIENT_SECRET']}|' #{HOME_DIR}/data/homeserver.yaml", ssh)
+                            self.class.exec("sed -i 's|enabled: true|enabled: false|' #{HOME_DIR}/data/homeserver.yaml", ssh)
+                        else
+                            self.class.exec("sed -i 's|oidc_providers:|ignore_oidc_providers:|' #{HOME_DIR}/data/homeserver.yaml", ssh)
+                        end
+
+                        ssh.scp.upload!(__dir__ + '/Synapse.container', path)
+                        ssh.scp.upload!(__dir__ + '/Element.container', path)
+                        self.class.exec("systemctl --user --machine=#{USER}@ daemon-reload", ssh)
+                        self.class.exec("systemctl --user --machine=#{USER}@ restart Synapse", ssh)
+                        self.class.exec("systemctl --user --machine=#{USER}@ restart Element", ssh)
+
+                        Framework::LinuxApp.ensurePackages([NGINX_PACKAGE], ssh)
+                        Framework::LinuxApp.ensureServiceAutoStartOverSSH(NGINX_PACKAGE, ssh)
+                        self.class.prepareNginxConfig(target, ssh)
+                        self.writeNginxConfig(__dir__, 'Matrix', id, target, state, context, options)
+                        self.deployNginxConfig(id, target, activeState, context, options)
+                        Framework::LinuxApp.startServiceOverSSH(NGINX_PACKAGE, ssh)
+
+                    end
+                else
                     deployNginxConfig(id, target, activeState, context, options)
                     activeState['Location'] = '@me'
                 end
             end
 
+            def configurePostgreSQL(settings, ssh)
+                password = SecureRandom.alphanumeric(20)
+                PostgreSQL.createRemoteUserAndDBOverSSH(settings, USER, password, ssh)
+                password
+            end
+
         end
     end
 end

data/Plugins/Apps/Matrix/Synapse.container

@@ -0,0 +1,17 @@
+
+
+[Unit]
+Description=Matrix (Synapse) container
+After=local-fs.target
+
+[Container]
+Image=docker.io/matrixdotorg/synapse:latest
+EnvironmentFile=/var/lib/matrix/.config/containers/systemd/Matrix.env
+Network=slirp4netns:allow_host_loopback=true
+PublishPort=127.0.0.1:8008:8008
+UserNS=keep-id:uid=991,gid=991
+Volume=/var/lib/matrix/data:/data
+AutoUpdate=registry
+
+[Install]
+WantedBy=multi-user.target default.target

data/Plugins/Apps/Matrix/config.json

@@ -0,0 +1,50 @@
+{
+    "default_server_config": {
+        "m.homeserver": {
+            "base_url": "https://$SYNAPSE_DOMAIN",
+            "server_name": "$SERVER_NAME"
+        },
+        "m.identity_server": {
+            "base_url": "https://matrix.org"
+        }
+    },
+    "disable_custom_urls": false,
+    "disable_guests": false,
+    "disable_login_language_selector": false,
+    "disable_3pid_login": false,
+    "brand": "Element",
+    "integrations_ui_url": "https://scalar.vector.im/",
+    "integrations_rest_url": "https://scalar.vector.im/api",
+    "integrations_widgets_urls": [
+        "https://scalar.vector.im/_matrix/integrations/v1",
+        "https://scalar.vector.im/api",
+        "https://scalar-staging.vector.im/_matrix/integrations/v1",
+        "https://scalar-staging.vector.im/api",
+        "https://scalar-staging.riot.im/scalar/api"
+    ],
+    "default_widget_height": 280,
+    "default_country_code": "GB",
+    "show_labs_settings": false,
+    "features": {},
+    "default_federate": true,
+    "default_theme": "light",
+    "room_directory": {
+        "servers": ["matrix.org"]
+    },
+    "enable_presence_by_hs_url": {
+        "https://matrix.org": false,
+        "https://matrix-client.matrix.org": false
+    },
+    "setting_defaults": {
+        "breadcrumbs": true
+    },
+    "jitsi": {
+        "preferred_domain": "meet.element.io"
+    },
+    "element_call": {
+        "url": "https://call.element.io",
+        "participant_limit": 8,
+        "brand": "Element Call"
+    },
+    "map_style_url": "https://api.maptiler.com/maps/streets/style.json?key=fU3vlMsMn4Jb6dnEIFsx"
+}

data/Plugins/Apps/Matrix/homeserver.yaml

@@ -0,0 +1,70 @@
+# Configuration file for Synapse.
+#
+# This is a YAML file: see [1] for a quick introduction. Note in particular
+# that *indentation is important*: all the elements of a list or dictionary
+# should have the same indentation.
+#
+# [1] https://docs.ansible.com/ansible/latest/reference_appendices/YAMLSyntax.html
+#
+# For more information on how to configure Synapse, including a complete accounting of
+# each option, go to docs/usage/configuration/config_documentation.md or
+# https://element-hq.github.io/synapse/latest/usage/configuration/config_documentation.html
+server_name: $SERVER_NAME
+public_baseurl: https://$SYNAPSE_DOMAIN/
+pid_file: /data/homeserver.pid
+listeners:
+  - port: 8008
+    tls: false
+    type: http
+    x_forwarded: true
+    resources:
+      - names: [client, federation]
+        compress: false
+
+database:
+  name: psycopg2
+  allow_unsafe_locale: true
+  args:
+    user: matrix
+    password: $DB_PASSWORD
+    dbname: matrix
+    host: 10.0.2.2
+
+email:
+    smtp_host: 10.0.2.2
+    smtp_port: 25
+    smtp_user:
+    smtp_pass:
+    force_tls: false
+    notif_from:
+
+password_config:
+   enabled: true
+
+oidc_providers:
+  - idp_id: OIDC
+    idp_name: OIDC
+    discover: true
+    issuer: $OIDC_ISSUER
+    client_id: $CLIENT_ID
+    client_secret: $CLIENT_SECRET
+    scopes:
+      - "openid"
+      - "profile"
+      - "email"
+    user_mapping_provider:
+      config:
+        localpart_template: "{{ user.preferred_username }}"
+        display_name_template: "{{ user.name|capitalize }}"
+
+log_config: "/data/log.config"
+media_store_path: /data/media_store
+registration_shared_secret: $SECRET1
+report_stats: false
+macaroon_secret_key: $SECRET2
+form_secret: $SECRET3
+report_stats: false
+signing_key_path: "/data/signing.key"
+trusted_key_servers:
+  - server_name: "matrix.org"
+suppress_key_server_warning: true