ConfigLMM 0.2.0 → 0.4.0

data/Plugins/Apps/Roundcube/Roundcube.conf.erb

@@ -0,0 +1,75 @@
+
+upstream roundcube
+{
+<% if config['Server'] %>
+    server <%= config['Server'] %>;
+<% else %>
+    server unix:/run/php-fpm/roundcube.sock;
+<% end %>
+}
+
+server
+{
+    <% if !config['TLS'] %>
+        listen       <%= config['Port'] %>;
+        listen  [::]:<%= config['Port'] %>;
+    <% else %>
+        <% if config['NginxVersion'] >= 1.25 %>
+            listen <%= config['Port'] %> ssl;
+            listen [::]:<%= config['Port'] %> ssl;
+            http2 on;
+            http3 on;
+            quic_retry on;
+            add_header Alt-Svc 'h3=":<%= config['Port'] %>"; ma=86400';
+        <% else %>
+            listen <%= config['Port'] %> ssl http2;
+            listen [::]:<%= config['Port'] %> ssl http2;
+        <% end %>
+
+        include config-lmm/ssl.conf;
+    <% end %>
+
+    server_name <%= config['Domain'] %>;
+
+    access_log  /var/log/nginx/roundcube.access.log;
+    error_log   /var/log/nginx/roundcube.error.log;
+
+    index index.php;
+    root /usr/share/webapps/roundcubemail;
+
+    include config-lmm/private.conf;
+    include config-lmm/errors.conf;
+
+    location / {
+        try_files $uri $uri/ $uri/index.php;
+    }
+
+    location ~ \.php$
+    {
+        fastcgi_pass roundcube;
+        include fastcgi.conf;
+
+        try_files $uri =404;
+        fastcgi_index index.php;
+        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+        include fastcgi_params;
+
+        fastcgi_intercept_errors off;
+    }
+
+    location ~ ^/(README|INSTALL|LICENSE|CHANGELOG|UPGRADING)$
+    {
+        deny all;
+    }
+
+    location ~ ^/(bin|SQL)/
+    {
+        deny all;
+    }
+
+    location ~* \.(jpg|jpeg|gif|png|webp|svg|woff|woff2|ttf|css|js|ico|xml)$
+    {
+        access_log        off;
+        expires           360d;
+    }
+}

data/Plugins/Apps/Roundcube/Roundcube.lmm.rb

@@ -0,0 +1,145 @@
+
+module ConfigLMM
+    module LMM
+        class Roundcube < Framework::NginxApp
+
+            USER = 'roundcube'
+            HOME_DIR = '/var/lib/roundcube'
+            PACKAGE_NAME = 'Roundcube'
+
+            def actionRoundcubeDeploy(id, target, activeState, context, options)
+                raise Framework::PluginProcessError.new('Domain field must be set!') unless target['Domain']
+
+                target['Database'] ||= {}
+                if target['Location'] && target['Location'] != '@me'
+                    uri = Addressable::URI.parse(target['Location'])
+                    raise Framework::PluginProcessError.new("#{id}: Unknown Protocol: #{uri.scheme}!") if uri.scheme != 'ssh'
+
+                    self.class.sshStart(uri) do |ssh|
+
+                        Framework::LinuxApp.ensurePackages([PHP_FPM::PHPFPM_PACKAGE], ssh)
+                        Framework::LinuxApp.ensureServiceAutoStartOverSSH(PHP_FPM::PHPFPM_SERVICE, ssh)
+                        distroInfo = Framework::LinuxApp.ensurePackages([PACKAGE_NAME], ssh)
+                        addUserCmd = "#{distroInfo['CreateServiceUser']} --home-dir '#{HOME_DIR}' --create-home --comment 'Roundcube' #{USER}"
+                        self.class.exec(addUserCmd, ssh, true)
+                        self.class.exec("chmod o-rwx #{HOME_DIR}", ssh)
+
+                        self.class.exec("touch /var/log/php/roundcube.errors.log", ssh)
+                        self.class.exec("touch /var/log/php/roundcube.mail.log", ssh)
+                        self.class.exec("chown #{USER}:#{USER} /var/log/php/roundcube.errors.log", ssh)
+                        self.class.exec("chown #{USER}:#{USER} /var/log/php/roundcube.mail.log", ssh)
+                        self.class.exec("chown -R #{USER}:#{USER} /var/log/roundcubemail /var/lib/roundcubemail", ssh)
+                        PHP_FPM::fixConfigFileOverSSH(distroInfo, ssh)
+
+                        roundcubeBaseDir = '/usr/share/webapps/roundcubemail'
+                        if distroInfo['Name'] == 'openSUSE Leap'
+                            roundcubeBaseDir = '/srv/www/roundcubemail'
+                        end
+
+                        self.class.exec("sed -i 's|$config\\[\\'des_key\\'\\].*|$config\\[\\'des_key\\'\\] = \\'#{SecureRandom.alphanumeric(24)}\\';|' #{roundcubeBaseDir}/config/config.inc.php", ssh)
+                        self.class.exec("sed -i 's|$config\\[\\'product_name\\'\\].*|$config\\[\\'product_name\\'\\] = \\'Webmail\\';|' #{roundcubeBaseDir}/config/config.inc.php", ssh)
+
+                        if target['IMAP']['Host']
+                            protocol = ''
+                            if target['IMAP']['Port'] == 993
+                                protocol = 'ssl://'
+                            end
+                            self.class.exec("sed -i 's|$config\\[\\'imap_host\\'\\].*|$config\\[\\'imap_host\\'\\] = \\'#{protocol}#{target['IMAP']['Host']}:#{target['IMAP']['Port']}\\';|' #{roundcubeBaseDir}/config/config.inc.php", ssh)
+                        end
+
+                        if target['SMTP']['Host']
+                            protocol = ''
+                            if target['SMTP']['Port'] == 465
+                                protocol = 'ssl://'
+                            end
+                            self.class.exec("sed -i 's|$config\\[\\'smtp_host\\'\\].*|$config\\[\\'smtp_host\\'\\] = \\'#{protocol}#{target['SMTP']['Host']}:#{target['SMTP']['Port']}\\';|' #{roundcubeBaseDir}/config/config.inc.php", ssh)
+                        end
+
+                        target['Database'] ||= {}
+                        activeState['Database'] = target['Database']
+                        if !target['Database']['Type'] || target['Database']['Type'] == 'pgsql'
+                            password = SecureRandom.alphanumeric(20)
+                            PostgreSQL.createRemoteUserAndDBOverSSH(target['Database'], USER, password, ssh)
+                            self.class.exec("sed -i 's|$config\\[\\'db_dsnw\\'\\].*|$config\\[\\'db_dsnw\\'\\] = \\'pgsql://#{USER}:#{password}@#{target['Database']['HostName']}/#{USER}\\';|' #{roundcubeBaseDir}/config/config.inc.php", ssh)
+                        end
+
+                        self.updateRemoteFile(ssh, roundcubeBaseDir + '/config/config.inc.php', options, false, '//') do |configLines|
+                            if target['Settings']
+                                target['Settings'].each do |name, value|
+                                    configLines << "$config['#{name}'] = '#{value}';\n"
+                                end
+                            end
+                            configLines << "$config['login_lc'] = 0;\n"
+                            configLines << "$config['enable_installer'] = true;\n"
+                        end
+
+                        target['User'] = USER unless target['User']
+                        name = 'roundcube'
+                        target['PHP-FPM'] ||= {}
+                        if distroInfo['Name'] == 'openSUSE Leap'
+                            target['PHP-FPM']['chdir'] = roundcubeBaseDir
+                        end
+                        self.updateRemoteFile(ssh, PHP_FPM.configDir(distroInfo) + name + '.conf', options, false, ';') do |configLines|
+                            PHP_FPM.writeConfig(name, target, distroInfo, configLines)
+                        end
+
+                        Framework::LinuxApp.startServiceOverSSH(PHP_FPM::PHPFPM_SERVICE, ssh)
+
+                        if !target.key?('Proxy') || target['Proxy']
+                            self.class.ensurePackage(ssh)
+                            self.class.prepareNginxConfig(target, ssh)
+                            self.writeNginxConfig(__dir__, 'Roundcube', id, target, state, context, options)
+                            if distroInfo['Name'] == 'openSUSE Leap'
+                                nginxFile = options['output'] + '/nginx/servers-lmm/Roundcube.conf'
+                                `sed -i 's|root .*|root #{roundcubeBaseDir}/public_html;|' #{nginxFile}`
+                            end
+                            self.deployNginxConfig(id, target, activeState, context, options)
+                            Framework::LinuxApp.startServiceOverSSH(NGINX_PACKAGE, ssh)
+                            self.class.reload(ssh)
+                        end
+
+                        self.class.exec("curl 'https://#{target['Domain']}/installer/index.php?_step=3' -X POST --data-raw 'initdb=Initialize+database'", ssh)
+                        self.class.exec("rm -f #{roundcubeBaseDir}/public_html/installer", ssh)
+                        self.class.exec("sed -i 's|$config\\[\\'enable_installer\\'\\].*|$config\\[\\'enable_installer\\'\\] = false;|' #{roundcubeBaseDir}/config/config.inc.php", ssh)
+                    end
+                else
+                    # TODO
+                end
+                activeState['Status'] = State::STATUS_DEPLOYED
+            end
+
+            def cleanup(configs, state, context, options)
+                cleanupType(:Roundcube, configs, state, context, options) do |item, id, state, context, options, ssh|
+                    cleanupConfig(item, id, state, context, options, ssh)
+                end
+            end
+
+            def cleanupConfig(item, id, state, context, options, ssh = nil)
+                if item['Proxy'].nil? || item['Proxy']
+                    self.cleanupNginxConfig('Roundcube', id, state, context, options, ssh)
+                    self.class.reload(ssh, options[:dry])
+                end
+                distroInfo = Framework::LinuxApp.currentDistroInfo(ssh)
+                rm(PHP_FPM.configDir(distroInfo) + 'roundcube.conf', options[:dry], ssh)
+                Framework::LinuxApp.reloadService(PHP_FPM::PHPFPM_SERVICE, ssh, options[:dry])
+                Framework::LinuxApp.removePackage(PACKAGE_NAME, ssh, options[:dry])
+                state.item(id)['Status'] = State::STATUS_DELETED unless options[:dry]
+                if options[:destroy]
+                    item['Database'] ||= {}
+                    if !item['Database']['Type'] || item['Database']['Type'] == 'pgsql'
+                        PostgreSQL.dropUserAndDB(item['Database'], USER, ssh, options[:dry])
+                    end
+                    Framework::LinuxApp.deleteUserAndGroup(USER, ssh, options[:dry])
+                    rm('/var/log/roundcubemail', options[:dry], ssh)
+                    rm('/var/log/php/roundcube.access.log', options[:dry], ssh)
+                    rm('/var/log/php/roundcube.errors.log', options[:dry], ssh)
+                    rm('/var/log/php/roundcube.mail.log', options[:dry], ssh)
+                    rm('/var/log/nginx/roundcube.access.log', options[:dry], ssh)
+                    rm('/var/log/nginx/roundcube.error.log', options[:dry], ssh)
+                    state.item(id)['Status'] = State::STATUS_DESTROYED unless options[:dry]
+                end
+            end
+
+        end
+    end
+end

data/Plugins/Apps/SSH/SSH.lmm.rb

@@ -0,0 +1,51 @@
+
+module ConfigLMM
+    module LMM
+        class SSH < Framework::LinuxApp
+
+            CONFIG_FILE = '/etc/ssh/sshd_config'
+
+            def actionSSHDeploy(id, target, activeState, context, options)
+
+                if target['Location'] && target['Location'] != '@me'
+                    uri = Addressable::URI.parse(target['Location'])
+                    raise Framework::PluginProcessError.new("#{id}: Unknown Protocol: #{uri.scheme}!") if uri.scheme != 'ssh'
+
+                    self.class.sshStart(uri) do |ssh|
+                        if target['Port']
+                            self.class.sshExec!(ssh, "sed -i 's|^Port |#Port |' #{CONFIG_FILE}")
+                        end
+                        if target['ListenAddress']
+                            self.class.sshExec!(ssh, "sed -i 's|^ListenAddress |#ListenAddress |' #{CONFIG_FILE}")
+                        end
+                        target['Settings'].to_h.each do |name, value|
+                            self.class.sshExec!(ssh, "sed -i 's|^#{name} |##{name} |' #{CONFIG_FILE}")
+                        end
+                        updateRemoteFile(ssh, CONFIG_FILE, options) do |configLines|
+                            if target['Port']
+                                configLines << "Port #{target['Port']}\n"
+                            end
+                            if target['ListenAddress']
+                                configLines << "ListenAddress #{target['ListenAddress']}\n"
+                            end
+                            target['Settings'].to_h.each do |name, value|
+                                value = 'yes' if value.is_a?(TrueClass)
+                                value = 'no' if value.is_a?(FalseClass)
+                                configLines << "#{name} #{value}\n"
+                            end
+                            configLines
+                        end
+                        if target['Port']
+                          Framework::LinuxApp.firewallAddPortOverSSH(target['Port'].to_s + '/tcp', uri)
+                        end
+                    end
+                else
+                    # TODO
+                end
+
+            end
+
+        end
+
+    end
+end

data/Plugins/Apps/Tunnel/tunnel.lmm.rb

@@ -0,0 +1,63 @@
+
+module ConfigLMM
+    module LMM
+        class Tunnel < Framework::NginxApp
+
+            def actionTunnelDeploy(id, target, activeState, context, options)
+
+                if target['Location'] && target['Location'] != '@me'
+                    uri = Addressable::URI.parse(target['Location'])
+                    raise Framework::PluginProcessError.new("#{id}: Unknown Protocol: #{uri.scheme}!") if uri.scheme != 'ssh'
+
+                    self.class.sshStart(uri) do |ssh|
+
+                        Framework::LinuxApp.ensurePackage('socat', ssh)
+
+                        port = target['Port']
+                        activeState['Port'] = port
+                        activeState['UDP'] = target['UDP']
+                        if target['UDP']
+                            name = "tunnelUDP-#{port}"
+                            ssh.scp.upload!(__dir__ + '/tunnelUDP.service', "/etc/systemd/system/#{name}.service")
+                            ssh.scp.upload!(__dir__ + '/tunnelUDP.socket', "/etc/systemd/system/#{name}.socket")
+                            self.class.exec("sed -i 's|$PORT|#{port}|' /etc/systemd/system/#{name}.service", ssh)
+                            self.class.exec("sed -i 's|$PORT|#{port}|' /etc/systemd/system/#{name}.socket", ssh)
+                            self.class.exec("sed -i 's|$REMOTE|#{target['Remote']}|' /etc/systemd/system/#{name}.service", ssh)
+                        else
+                            name = "tunnelTCP-#{port}"
+                            ssh.scp.upload!(__dir__ + '/tunnelTCP.service', "/etc/systemd/system/#{name}.service")
+                            ssh.scp.upload!(__dir__ + '/tunnelTCP.socket', "/etc/systemd/system/#{name}.socket")
+                            self.class.exec("sed -i 's|$PORT|#{port}|' /etc/systemd/system/#{name}.service", ssh)
+                            self.class.exec("sed -i 's|$PORT|#{port}|' /etc/systemd/system/#{name}.socket", ssh)
+                            self.class.exec("sed -i 's|$REMOTE|#{target['Remote']}|' /etc/systemd/system/#{name}.service", ssh)
+                        end
+
+                        Framework::LinuxApp.reloadServiceManager(ssh)
+                        Framework::LinuxApp.ensureServiceAutoStart(name + '.socket', ssh)
+                        Framework::LinuxApp.stopService(name + '.service', ssh)
+                        Framework::LinuxApp.startService(name + '.socket', ssh)
+                    end
+                else
+                    # TODO
+                end
+                activeState['Status'] = State::STATUS_DEPLOYED
+            end
+
+            def cleanup(configs, state, context, options)
+                cleanupType(:Tunnel, configs, state, context, options) do |item, id, state, context, options, ssh|
+                    if item['UDP']
+                        name = "tunnelUDP-#{item['Port']}"
+                    else
+                        name = "tunnelTCP-#{item['Port']}"
+                    end
+                    Framework::LinuxApp.stopService(name + '.socket', ssh)
+                    Framework::LinuxApp.disableService(name + '.socket', ssh)
+                    rm("/etc/systemd/system/#{name}.service", options[:dry], ssh)
+                    rm("/etc/systemd/system/#{name}.socket", options[:dry], ssh)
+                    state.item(id)['Status'] = State::STATUS_DESTROYED
+                end
+            end
+
+        end
+    end
+end

data/Plugins/Apps/Tunnel/tunnelTCP.service

@@ -0,0 +1,9 @@
+
+[Unit]
+Description=Forward TCP $PORT to remote
+
+[Service]
+ExecStart=/usr/lib/systemd/systemd-socket-proxyd $REMOTE
+
+[Install]
+WantedBy=multi-user.target

data/Plugins/Apps/Tunnel/tunnelTCP.socket

@@ -0,0 +1,9 @@
+
+[Unit]
+Description=TCP tunnel listening on local port $PORT
+
+[Socket]
+ListenStream=$PORT
+
+[Install]
+WantedBy=sockets.target

data/Plugins/Apps/Tunnel/tunnelUDP.service

@@ -0,0 +1,9 @@
+
+[Unit]
+Description=Forward UDP $PORT to remote
+
+[Service]
+ExecStart=/usr/bin/socat UDP-RECVFROM:$PORT,reuseaddr,fork UDP-SENDTO:$REMOTE
+
+[Install]
+WantedBy=multi-user.target

data/Plugins/Apps/Tunnel/tunnelUDP.socket

@@ -0,0 +1,9 @@
+
+[Unit]
+Description=UDP tunnel listening on local port $PORT
+
+[Socket]
+ListenDatagram=$PORT
+
+[Install]
+WantedBy=sockets.target

data/Plugins/Apps/UVdesk/UVdesk.conf.erb

@@ -0,0 +1,52 @@
+
+upstream uvdesk
+{
+<% if config['Server'] %>
+    server <%= config['Server'] %>;
+<% else %>
+    server unix:/run/php-fpm/uvdesk.sock;
+<% end %>
+}
+
+server
+{
+    <% if !config['TLS'] %>
+        listen       <%= config['Port'] %>;
+        listen  [::]:<%= config['Port'] %>;
+    <% else %>
+        <% if config['NginxVersion'] >= 1.25 %>
+            listen <%= config['Port'] %> ssl;
+            listen [::]:<%= config['Port'] %> ssl;
+            http2 on;
+            http3 on;
+            quic_retry on;
+            add_header Alt-Svc 'h3=":<%= config['Port'] %>"; ma=86400';
+        <% else %>
+            listen <%= config['Port'] %> ssl http2;
+            listen [::]:<%= config['Port'] %> ssl http2;
+        <% end %>
+
+        include config-lmm/ssl.conf;
+    <% end %>
+
+    server_name <%= config['Domain'] %>;
+
+    access_log  /var/log/nginx/uvdesk.access.log;
+    error_log   /var/log/nginx/uvdesk.error.log;
+
+    root /srv/uvdesk/public;
+    index index.php;
+
+    include config-lmm/errors.conf;
+
+    location ~ \.php(?:$|/)
+    {
+        fastcgi_pass uvdesk;
+        include fastcgi.conf;
+    }
+
+    location / {
+        try_files $uri $uri/ /index.php$request_uri;
+    }
+
+}

data/Plugins/Apps/UVdesk/UVdesk.lmm.rb

@@ -0,0 +1,85 @@
+
+module ConfigLMM
+    module LMM
+        class UVdesk < Framework::NginxApp
+
+            USER = 'uvdesk'
+            HOME_DIR = '/srv/uvdesk'
+            DOWNLOAD_URL = 'https://cdn.uvdesk.com/uvdesk/downloads/opensource/uvdesk-community-current-stable.zip'
+
+            def actionUVdeskDeploy(id, target, activeState, context, options)
+                raise Framework::PluginProcessError.new('Domain field must be set!') unless target['Domain']
+
+                target['Database'] ||= {}
+                if target['Location'] && target['Location'] != '@me'
+                    uri = Addressable::URI.parse(target['Location'])
+                    raise Framework::PluginProcessError.new("#{id}: Unknown Protocol: #{uri.scheme}!") if uri.scheme != 'ssh'
+
+                    self.class.sshStart(uri) do |ssh|
+                        dbPassword = self.configureMariaDB(target['Database'], ssh)
+
+                        Framework::LinuxApp.ensurePackages([PHP_FPM::PHPFPM_PACKAGE, 'php-pecl', 'make'], ssh)
+                        Framework::LinuxApp.ensureServiceAutoStartOverSSH(PHP_FPM::PHPFPM_SERVICE, ssh)
+                        distroInfo = Framework::LinuxApp.currentDistroInfo(ssh)
+                        addUserCmd = "#{distroInfo['CreateServiceUser']} --home-dir '#{HOME_DIR}' --create-home --comment 'UVdesk' #{USER}"
+                        self.class.sshExec!(ssh, addUserCmd, true)
+                        if !self.class.remoteFilePresent?(HOME_DIR + '/public/index.php', ssh)
+                            self.class.sshExec!(ssh, "curl #{DOWNLOAD_URL} > /tmp/uvdesk.zip")
+                            self.class.sshExec!(ssh, "su --login #{USER} --shell /bin/sh --command 'cd ~ && unzip /tmp/uvdesk.zip'")
+                            self.class.sshExec!(ssh, "su --login #{USER} --shell /bin/sh --command 'mv ~/uvdesk-*/* ~/'")
+                            self.class.sshExec!(ssh, "su --login #{USER} --shell /bin/sh --command 'mv ~/uvdesk-*/.[!.]* ~/'")
+                            self.class.sshExec!(ssh, "su --login #{USER} --shell /bin/sh --command 'rm -r ~/uvdesk-*'")
+                            self.class.sshExec!(ssh, 'rm -f /tmp/uvdesk.zip')
+                        end
+
+                        self.class.sshExec!(ssh, "mkdir -p /var/log/php/")
+                        self.class.sshExec!(ssh, "touch /var/log/php/uvdesk.errors.log")
+                        self.class.sshExec!(ssh, "touch /var/log/php/uvdesk.mail.log")
+                        self.class.sshExec!(ssh, "chown #{USER}:#{USER} /var/log/php/uvdesk.errors.log")
+                        self.class.sshExec!(ssh, "chown #{USER}:#{USER} /var/log/php/uvdesk.mail.log")
+                        PHP_FPM::fixConfigFileOverSSH(distroInfo, ssh)
+
+                        target['User'] = USER unless target['User']
+                        target['PHP-FPM'] ||= {}
+                        target['PHP-FPM']['chdir'] = HOME_DIR unless target['PHP-FPM']['chdir']
+                        name = 'uvdesk'
+                        self.updateRemoteFile(ssh, PHP_FPM.configDir(distroInfo) + name + '.conf', options, false, ';') do |configLines|
+                            PHP_FPM.writeConfig(name, target, distroInfo, configLines)
+                        end
+
+
+                        PHP_FPM.enableExtensionOverSSH('mysqli', distroInfo, ssh)
+                        PHP_FPM.enableExtensionOverSSH('mbstring', distroInfo, ssh) # Needed by mailparse
+
+                        imapPackage = 'imap'
+                        imapPackage = 'imap-1.0.0' if distroInfo['Name'] == 'openSUSE Leap'
+                        PHP_FPM.peclInstallOverSSH(imapPackage, ssh)
+                        PHP_FPM.enableExtensionOverSSH('imap', distroInfo, ssh)
+
+                        PHP_FPM.peclInstallOverSSH('mailparse', ssh)
+                        PHP_FPM.enableExtensionOverSSH('mailparse', distroInfo, ssh)
+
+                        Framework::LinuxApp.startServiceOverSSH(PHP_FPM::PHPFPM_SERVICE, ssh)
+
+                        Framework::LinuxApp.ensurePackages([NGINX_PACKAGE], ssh)
+                        Framework::LinuxApp.ensureServiceAutoStartOverSSH(NGINX_PACKAGE, ssh)
+                        self.class.prepareNginxConfig(target, ssh)
+                        self.writeNginxConfig(__dir__, 'UVdesk', id, target, state, context, options)
+                        self.deployNginxConfig(id, target, activeState, context, options)
+                        Framework::LinuxApp.startServiceOverSSH(NGINX_PACKAGE, ssh)
+                    end
+                else
+                    # TODO
+                end
+            end
+
+            def configureMariaDB(settings, ssh)
+                password = SecureRandom.alphanumeric(20)
+                # TODO
+                password
+            end
+
+        end
+    end
+end
+

data/Plugins/Apps/Valkey/Valkey.lmm.rb

@@ -13,7 +13,7 @@ module ConfigLMM
 
                 if target['Location'] && target['Location'] != '@me'
                     self.class.sshStart(target['Location']) do |ssh|
-                        distroId = self.class.distroIDfromSSH(ssh)
+                        distroId = self.class.distroID(ssh)
                         if distroId == SUSE_ID
                             serviceName = 'redis@redis'
                             self.class.sshExec!(ssh, "touch #{CONFIG_FILE}")
@@ -24,7 +24,14 @@ module ConfigLMM
                             target['Settings']['dir'] = '/var/lib/redis/default/'
                         end
 
+                        if ENV[id + '-VALKEY_PASSWORD']
+                            target['Settings']['requirepass'] = ENV[id + '-VALKEY_PASSWORD']
+                        elsif ENV['VALKEY_PASSWORD']
+                            target['Settings']['requirepass'] = ENV['VALKEY_PASSWORD']
+                        end
+
                         if target['Settings']
+                            target['Settings']['bind'] = '127.0.0.1' unless target['Settings']['bind']
                             updateRemoteFile(ssh, CONFIG_FILE, options, false) do |configLines|
                                 target['Settings'].each do |name, value|
                                     configLines << "#{name} #{value}\n"
@@ -32,6 +39,9 @@ module ConfigLMM
                                 configLines
                             end
                         end
+
+                        self.class.exec("chgrp redis #{CONFIG_FILE}", ssh)
+                        self.class.exec("chmod 640 #{CONFIG_FILE}", ssh)
                     end
                 else
                     if target['Settings']
@@ -43,10 +53,33 @@ module ConfigLMM
                             configLines
                         end
                     end
+                    self.class.exec("chgrp redis #{CONFIG_FILE}", ssh)
+                    self.class.exec("chmod 640 #{CONFIG_FILE}", nil)
                 end
 
                 self.ensureServiceAutoStart(serviceName, target['Location'])
                 self.startService(serviceName, target['Location'])
+
+                activeState['Status'] = State::STATUS_DEPLOYED
+            end
+
+            def cleanup(configs, state, context, options)
+                cleanupType(:Valkey, configs, state, context, options) do |item, id, state, context, options, ssh|
+                    serviceName = 'redis'
+                    distroId = self.class.distroID(ssh)
+                    serviceName = 'redis@redis' if distroId == SUSE_ID
+
+                    Framework::LinuxApp.stopService(serviceName, ssh, options[:dry])
+                    Framework::LinuxApp.removePackage(PACKAGE_NAME, ssh, options[:dry])
+
+                    state.item(id)['Status'] = State::STATUS_DELETED unless options[:dry]
+
+                    if options[:destroy]
+                        rm('/etc/redis', options[:dry], ssh)
+
+                        state.item(id)['Status'] = State::STATUS_DESTROYED unless options[:dry]
+                    end
+                end
             end
 
         end

data/Plugins/Apps/Vaultwarden/Vaultwarden.conf.erb

@@ -1,22 +1,39 @@
 
 upstream vaultwarden {
-    server 127.0.0.1:8000;
-}
-
-upstream vaultwarden-websocket {
-    server 127.0.0.1:3012;
+    <% if config['Server'] %>
+        server <%= config['Server'] %>;
+    <% else %>
+        server 127.0.0.1:18000;
+    <% end %>
+    keepalive 2;
 }
 
 server {
 
-    <% if !config['TLS'] %>
-        listen       <%= config['Port'] %>;
-        listen  [::]:<%= config['Port'] %>;
-    <% else %>
-        listen       <%= config['Port'] %> ssl;
-        listen  [::]:<%= config['Port'] %> ssl;
+    <% if config['NginxVersion'] >= 1.25 %>
+        <% if !config['TLS'] %>
+            listen       <%= config['Port'] %>;
+            listen  [::]:<%= config['Port'] %>;
+        <% else %>
+            listen       <%= config['Port'] %> ssl;
+            listen  [::]:<%= config['Port'] %> ssl;
+
+            include config-lmm/ssl.conf;
+        <% end %>
         http2 on;
-        include config-lmm/ssl.conf;
+        http3 on;
+        quic_retry on;
+        add_header Alt-Svc 'h3=":443"; ma=86400';
+    <% else %>
+        <% if !config['TLS'] %>
+            listen       <%= config['Port'] %>;
+            listen  [::]:<%= config['Port'] %>;
+        <% else %>
+            listen       <%= config['Port'] %> ssl http2;
+            listen  [::]:<%= config['Port'] %> ssl http2;
+
+            include config-lmm/ssl.conf;
+        <% end %>
     <% end %>
 
     server_name <%= config['Domain'] %>;
@@ -37,12 +54,12 @@ server {
         include config-lmm/proxy.conf;
     }
 
-    location /notifications/ {
-        proxy_pass http://vaultwarden-websocket/;
+    #location /notifications/ {
+    #    proxy_pass http://127.0.0.1:3012/;
 
-        proxy_set_header Upgrade $http_upgrade;
-        proxy_set_header Connection "upgrade";
-        include config-lmm/proxy.conf;
-    }
+    #    proxy_set_header Upgrade $http_upgrade;
+    #    proxy_set_header Connection "upgrade";
+    #    include config-lmm/proxy.conf;
+    #}
 
 }