ConfigLMM 0.3.0 → 0.4.0

data/Plugins/Apps/ERPNext/ERPNext.lmm.rb

@@ -0,0 +1,193 @@
+
+module ConfigLMM
+    module LMM
+        class ERPNext < Framework::NginxApp
+
+            USER = 'erpnext'
+            HOME_DIR = '/var/lib/erpnext'
+            VERSION = '15'
+            FRAPPE_REPO = 'https://github.com/frappe/frappe_docker.git'
+            IMAGE_ID = 'ConfigLM.moe/erpnext:v' + VERSION
+
+            def actionERPNextBuild(id, target, activeState, context, options)
+                buildContainer(id, target, options)
+            end
+
+            def buildContainer(id, target, options)
+                begin
+                    Framework::LinuxApp.ensurePackage('git', '@me', 'git')
+                    Framework::LinuxApp.ensurePackage('Podman', '@me', 'podman')
+                rescue RuntimeError => error
+                    prompt.say(error, :color => :red)
+                end
+                frappe = File.expand_path(REPOS_CACHE + '/frappe_docker')
+                if !File.exist?(frappe)
+                    mkdir(File.expand_path(REPOS_CACHE), false)
+                    self.class.exec('cd #{REPOS_CACHE} && git clone --quiet #{FRAPPE_REPO}')
+                else
+                    self.class.exec('cd #{REPOS_CACHE}/frappe_docker && git pull --quiet')
+                end
+                self.class.exec('cd #{REPOS_CACHE}/frappe_docker && git checkout . --quiet')
+
+                if !self.class.cmdSuccess?("podman image exists #{IMAGE_ID}")
+                    appsJSON = Base64.urlsafe_encode64(File.read(__dir__ + '/sites/apps.json').gsub('$VERSION', VERSION))
+                    self.class.exec("cd #{REPOS_CACHE}/frappe_docker && podman build --tag=#{IMAGE_ID} --build-arg APPS_JSON_BASE64=#{appsJSON} --build-arg FRAPPE_BRANCH=version-#{VERSION}  --file images/custom/Containerfile .")
+                end
+            end
+
+            def actionERPNextDeploy(id, target, activeState, context, options)
+                raise Framework::PluginProcessError.new('Domain field must be set!') if (!target.key?('Proxy') || target['Proxy']) && !target['Domain']
+
+                target['Database'] ||= {}
+                if target['Location'] && target['Location'] != '@me'
+                    uri = Addressable::URI.parse(target['Location'])
+                    raise Framework::PluginProcessError.new("#{id}: Unknown Protocol: #{uri.scheme}!") if uri.scheme != 'ssh'
+
+                    self.class.sshStart(uri) do |ssh|
+
+                        activeState['Database'] = target['Database']
+                        dbPassword = self.configureMariaDB(target['Database'], activeState, ssh)
+                        distroInfo = Framework::LinuxApp.currentDistroInfo(ssh)
+                        Framework::LinuxApp.configurePodmanServiceOverSSH(USER, HOME_DIR, 'ERPNext', distroInfo, ssh)
+                        self.class.exec("su --login #{USER} --shell /bin/sh --command 'mkdir -p ~/sites ~/logs'", ssh)
+
+                        cmd = self.class.cmdSSH(uri)
+                        self.class.exec("podman image save ConfigLM.moe/erpnext:v#{VERSION} | #{cmd} 'cat > #{HOME_DIR}/erpnext.tar'")
+                        self.class.exec("su --login #{USER} --shell /usr/bin/sh --command 'podman image load --input erpnext.tar'", ssh)
+                        self.class.exec("rm -f #{HOME_DIR}/erpnext.tar", ssh)
+
+                        path = Framework::LinuxApp::SYSTEMD_CONTAINERS_PATH.gsub('~', HOME_DIR)
+                        self.class.exec(" echo 'FRAPPE_DB_PASSWORD=#{dbPassword}' > #{path}/ERPNext.env", ssh)
+                        self.class.exec("echo 'FRAPPE_SITE_NAME_HEADER=erpnext' >> #{path}/ERPNext.env", ssh)
+                        #self.class.exec("echo 'UPSTREAM_REAL_IP_ADDRESS=127.0.0.1' >> #{path}/ERPNext.env", ssh)
+                        #self.class.exec("echo 'UPSTREAM_REAL_IP_RECURSIVE=on' >> #{path}/ERPNext.env", ssh)
+                        self.class.exec("echo 'BACKEND=10.90.50.10:8000' >> #{path}/ERPNext.env", ssh)
+                        self.class.exec("echo 'SOCKETIO=10.90.50.11:9000' >> #{path}/ERPNext.env", ssh)
+
+                        self.class.exec("chown #{USER}:#{USER} #{path}/ERPNext.env", ssh)
+                        self.class.exec("chmod 600 #{path}/ERPNext.env", ssh)
+
+                        ssh.scp.upload!(__dir__ + '/sites/apps.txt', HOME_DIR + '/sites/')
+                        ssh.scp.upload!(__dir__ + '/sites/common_site_config.json', HOME_DIR + '/sites/')
+
+                        if target['Database'] && target['Database']['HostName']
+                            self.class.exec("sed -i 's|\"10.0.2.2\"|\"#{target['Database']['HostName']}\"|' #{HOME_DIR}/sites/common_site_config.json", ssh)
+                        end
+
+                        if target['Valkey']
+                            self.class.exec("sed -i 's|10.0.2.2:6379|#{target['Valkey']}|' #{HOME_DIR}/sites/common_site_config.json", ssh)
+                        end
+
+                        valkeyPassword = ENV[id + '-VALKEY_PASSWORD'] || ENV['VALKEY_PASSWORD']
+                        if valkeyPassword
+                            self.class.exec("sed -i 's|\"use_rq_auth\": false|\"use_rq_auth\": true|' #{HOME_DIR}/sites/common_site_config.json", ssh)
+                            self.class.exec("sed -i 's|$VALKEY_PASSWORD|#{valkeyPassword}|' #{HOME_DIR}/sites/common_site_config.json", ssh)
+                        end
+
+                        self.class.exec("chown -R #{USER}:#{USER} " + HOME_DIR + '/sites', ssh)
+
+                        ssh.scp.upload!(__dir__ + '/ERPNext.network', path)
+                        ssh.scp.upload!(__dir__ + '/ERPNext.container', path)
+                        ssh.scp.upload!(__dir__ + '/ERPNext-Queue.container', path)
+                        ssh.scp.upload!(__dir__ + '/ERPNext-Scheduler.container', path)
+                        ssh.scp.upload!(__dir__ + '/ERPNext-Websocket.container', path)
+                        ssh.scp.upload!(__dir__ + '/ERPNext-Frontend.container', path)
+                        self.class.exec("sed -i 's|$VERSION|#{VERSION}|' #{path}/ERPNext.container", ssh)
+                        self.class.exec("sed -i 's|$VERSION|#{VERSION}|' #{path}/ERPNext-Queue.container", ssh)
+                        self.class.exec("sed -i 's|$VERSION|#{VERSION}|' #{path}/ERPNext-Scheduler.container", ssh)
+                        self.class.exec("sed -i 's|$VERSION|#{VERSION}|' #{path}/ERPNext-Websocket.container", ssh)
+                        self.class.exec("sed -i 's|$VERSION|#{VERSION}|' #{path}/ERPNext-Frontend.container", ssh)
+
+                        if !target.key?('Proxy') || target['Proxy']
+                            deployNginxProxyConfig('http://127.0.0.1:18400', 'ERPNext', id, target, activeState, state, context, options, ssh)
+                        elsif target.key?('Proxy') && target['Proxy'] == false
+                            self.class.exec("sed -i 's|PublishPort=127.0.0.1:18400:|PublishPort=0.0.0.0:18400:|' #{path}ERPNext-Frontend.container", ssh)
+                            Framework::LinuxApp.firewallAddPort('18400/tcp', ssh)
+                        end
+
+                        self.class.exec("systemctl --user --machine=#{USER}@ daemon-reload", ssh)
+                        self.class.exec("systemctl --user --machine=#{USER}@ restart ERPNext-network", ssh)
+                        self.class.exec("systemctl --user --machine=#{USER}@ restart ERPNext", ssh)
+
+                        containers = JSON.parse(self.class.exec("su --login #{USER} --shell /usr/bin/sh --command 'podman ps --format json --filter name=^ERPNext$'", ssh).strip)
+                        raise 'Failed to find container!' if containers.empty?
+
+                        MariaDB.executeRemotely(target['Database'], ssh) do |sshDB|
+                            if !MariaDB.tableExist?(USER, 'tabUser', sshDB)
+                                adminPassword = SecureRandom.alphanumeric(20)
+                                self.class.exec("rm -rf " + HOME_DIR + '/sites/erpnext', ssh)
+                                #self.class.exec(" su --login #{USER} --shell /usr/bin/sh --command \"podman exec #{containers.first['Id']} sh -c 'bench new-site --no-setup-db --db-name erpnext --db-user erpnext --admin-password #{adminPassword} --install-app erpnext --set-default erpnext'\"", ssh)
+                                dbAdminPassword = MariaDB.createAdmin(sshDB)
+                                MariaDB.executeSQL("DROP DATABASE #{USER}", nil, sshDB)
+                                self.class.exec(" su --login #{USER} --shell /usr/bin/sh --command \" podman exec #{containers.first['Id']} sh -c ' bench new-site --db-root-username admin --db-root-password #{dbAdminPassword} --db-name erpnext --admin-password #{adminPassword} --install-app erpnext --set-default erpnext'\"", ssh)
+                                MariaDB.dropAdmin(sshDB)
+                                self.class.exec("su --login #{USER} --shell /usr/bin/sh --command \"podman exec #{containers.first['Id']} sh -c 'bench --site erpnext install-app hrms'\"", ssh)
+                                prompt.say("Administrator password: #{adminPassword}", :color => :magenta)
+                            end
+                        end
+
+                        self.class.exec("systemctl --user --machine=#{USER}@ restart ERPNext-Queue", ssh)
+                        self.class.exec("systemctl --user --machine=#{USER}@ restart ERPNext-Scheduler", ssh)
+                        self.class.exec("systemctl --user --machine=#{USER}@ restart ERPNext-Websocket", ssh)
+                        self.class.exec("systemctl --user --machine=#{USER}@ restart ERPNext-Frontend", ssh)
+
+
+                    end
+                else
+                    # TODO
+                end
+            end
+
+            def configureMariaDB(settings, activeState, ssh)
+                password = SecureRandom.alphanumeric(20)
+                MariaDB.createRemoteUserAndDB(settings, USER, password, ssh)
+                password
+            end
+
+            def cleanup(configs, state, context, options)
+                cleanupType(:ERPNext, configs, state, context, options) do |item, id, state, context, options, ssh|
+                    if item['Proxy'].nil? || item['Proxy']
+                        self.cleanupNginxConfig('ERPNext', id, state, context, options, ssh)
+                        self.class.reload(ssh, options[:dry])
+                    end
+                    Framework::LinuxApp.firewallRemovePort('18400/tcp', ssh, options[:dry])
+
+                    self.class.exec("systemctl --user --machine=#{USER}@ stop ERPNext", ssh, true, options[:dry])
+                    self.class.exec("systemctl --user --machine=#{USER}@ stop ERPNext-Frontend", ssh, true, options[:dry])
+                    self.class.exec("systemctl --user --machine=#{USER}@ stop ERPNext-Websocket", ssh, true, options[:dry])
+                    self.class.exec("systemctl --user --machine=#{USER}@ stop ERPNext-Scheduler", ssh, true, options[:dry])
+                    self.class.exec("systemctl --user --machine=#{USER}@ stop ERPNext-Queue", ssh, true, options[:dry])
+                    self.class.exec("systemctl --user --machine=#{USER}@ stop ERPNext-network", ssh, true, options[:dry])
+
+                    path = Framework::LinuxApp::SYSTEMD_CONTAINERS_PATH.gsub('~', HOME_DIR)
+                    rm(path + 'ERPNext.network', options[:dry], ssh)
+                    rm(path + 'ERPNext.container', options[:dry], ssh)
+                    rm(path + 'ERPNext-Queue.container', options[:dry], ssh)
+                    rm(path + 'ERPNext-Scheduler.container', options[:dry], ssh)
+                    rm(path + 'ERPNext-Websocket.container', options[:dry], ssh)
+                    rm(path + 'ERPNext-Frontend.container', options[:dry], ssh)
+
+                    self.class.exec("podman rmi #{IMAGE_ID}", ssh, true, options[:dry])
+
+                    state.item(id)['Status'] = State::STATUS_DELETED unless options[:dry]
+
+                    if options[:destroy]
+                        item['Database'] ||= {}
+                        MariaDB.executeRemotely(item['Database'], ssh) do |sshDB|
+                            MariaDB.executeSQL("DROP DATABASE #{USER}", nil, sshDB, true, options[:dry])
+                        end
+                        Framework::LinuxApp.deleteUserAndGroup(USER, ssh, options[:dry])
+                        rm(HOME_DIR, options[:dry], ssh)
+                        rm('/var/log/nginx/erpnext.access.log', options[:dry], ssh)
+                        rm('/var/log/nginx/erpnext.error.log', options[:dry], ssh)
+
+                        state.item(id)['Status'] = State::STATUS_DESTROYED unless options[:dry]
+                    end
+                end
+            end
+
+        end
+    end
+end
+
+

data/Plugins/Apps/ERPNext/ERPNext.network

@@ -0,0 +1,12 @@
+
+[Unit]
+Description=ERPNext network
+After=network-online.target
+
+[Network]
+NetworkName=ERPNext
+Subnet=10.90.50.0/28
+Gateway=10.90.50.1
+
+[Install]
+WantedBy=default.target

data/Plugins/Apps/ERPNext/sites/apps.json

@@ -0,0 +1,10 @@
+[
+  {
+    "url": "https://github.com/frappe/erpnext",
+    "branch": "version-$VERSION"
+  },
+  {
+    "url": "https://github.com/frappe/hrms",
+    "branch": "version-$VERSION"
+  }
+]

data/Plugins/Apps/ERPNext/sites/apps.txt

@@ -0,0 +1,3 @@
+erpnext
+frappe
+hrms

data/Plugins/Apps/ERPNext/sites/common_site_config.json

@@ -0,0 +1,11 @@
+{
+    "db_host": "10.0.2.2",
+    "db_port": 3306,
+    "redis_cache": "redis://default:$VALKEY_PASSWORD@10.0.2.2:6379",
+    "redis_queue": "redis://default:$VALKEY_PASSWORD@10.0.2.2:6379",
+    "redis_socketio": "redis://default:$VALKEY_PASSWORD@10.0.2.2:6379",
+    "use_rq_auth": false,
+    "rq_password": "$VALKEY_PASSWORD",
+    "rq_username": "default",
+    "socketio_port": 9000
+}

data/Plugins/Apps/GitLab/GitLab.container

@@ -1,10 +1,10 @@
 
 [Unit]
 Description=GitLab container
-After=local-fs.target
+After=local-fs.target firewalld.service
 
 [Container]
-Image=gitlab/gitlab-ce:nightly
+Image=docker.io/gitlab/gitlab-ce:latest
 PublishPort=127.0.0.1:18100:80
 PublishPort=0.0.0.0:22:22
 Volume=/var/lib/gitlab/config:/etc/gitlab
@@ -12,6 +12,7 @@ Volume=/var/lib/gitlab/logs:/var/log/gitlab
 Volume=/var/lib/gitlab/data:/var/opt/gitlab
 Volume=/var/lib/gitlab/backups:/var/opt/gitlab/backups
 ShmSize=256M
+AutoUpdate=registry
 
 [Install]
 WantedBy=multi-user.target default.target

data/Plugins/Apps/GitLab/GitLab.lmm.rb

@@ -4,6 +4,7 @@ module ConfigLMM
         class GitLab < Framework::NginxApp
 
             HOME_DIR = '/var/lib/gitlab'
+            IMAGE_ID = 'docker.io/gitlab/gitlab-ce:latest'
 
             def actionGitLabDeploy(id, target, activeState, context, options)
 
@@ -15,22 +16,25 @@ module ConfigLMM
                         self.prepareConfig(target, ssh)
 
                         distroInfo = Framework::LinuxApp.currentDistroInfo(ssh)
-                        self.class.sshExec!(ssh, "mkdir -p #{HOME_DIR}/config")
-                        self.class.sshExec!(ssh, "mkdir -p #{HOME_DIR}/logs")
-                        self.class.sshExec!(ssh, "mkdir -p #{HOME_DIR}/data")
-                        self.class.sshExec!(ssh, "mkdir -p #{HOME_DIR}/backups")
+                        self.class.exec("mkdir -p #{HOME_DIR}/config", ssh)
+                        self.class.exec("mkdir -p #{HOME_DIR}/logs", ssh)
+                        self.class.exec("mkdir -p #{HOME_DIR}/data", ssh)
+                        self.class.exec("mkdir -p #{HOME_DIR}/backups", ssh)
 
                         path = '/etc/containers/systemd'
                         ssh.scp.upload!(__dir__ + '/GitLab.container', path)
-                        self.class.sshExec!(ssh, "systemctl daemon-reload")
-                        self.class.sshExec!(ssh, "systemctl start GitLab")
 
-                        Framework::LinuxApp.ensureServiceAutoStartOverSSH(NGINX_PACKAGE, ssh)
-                        self.writeNginxConfig(__dir__, 'GitLab', id, target, state, context, options)
-                        self.deployNginxConfig(id, target, activeState, context, options)
-                        Framework::LinuxApp.startServiceOverSSH(NGINX_PACKAGE, ssh)
+                        if !target.key?('Proxy') || target['Proxy']
+                            deployNginxProxyConfig('http://127.0.0.1:18100', 'GitLab', id, target, activeState, state, context, options, ssh)
+                        elsif target.key?('Proxy') && target['Proxy'] == false
+                            self.class.exec("sed -i 's|PublishPort=127.0.0.1:18100:|PublishPort=0.0.0.0:18100:|' #{path}/GitLab.container", ssh)
+                            Framework::LinuxApp.firewallAddPort('18100/tcp', ssh)
+                        end
+
+                        Framework::LinuxApp.reloadServiceManager(ssh)
+                        Framework::LinuxApp.restartService('GitLab', ssh)
 
-                        configFile = '/var/lib/gitlab/config/gitlab.rb'
+                        configFile = HOME_DIR + '/config/gitlab.rb'
                         while !self.class.remoteFilePresent?(configFile, ssh)
                             sleep(2)
                         end
@@ -54,11 +58,12 @@ module ConfigLMM
                             end
                         end
 
-                        self.class.sshExec!(ssh, "systemctl restart GitLab")
+                        Framework::LinuxApp.restartService('GitLab', ssh)
                     end
                 else
                     # TODO
                 end
+                activeState['Status'] = State::STATUS_DEPLOYED
             end
 
             def prepareConfig(target, ssh)
@@ -68,6 +73,26 @@ module ConfigLMM
               self.class.prepareNginxConfig(target, ssh)
             end
 
+            def cleanup(configs, state, context, options)
+                cleanupType(:GitLab, configs, state, context, options) do |item, id, state, context, options, ssh|
+                    if item['Proxy'].nil? || item['Proxy']
+                        self.cleanupNginxConfig('GitLab', id, state, context, options, ssh)
+                        self.class.reload(ssh, options[:dry])
+                    end
+                    Framework::LinuxApp.firewallRemovePort('18100/tcp', ssh, options[:dry])
+                    Framework::LinuxApp.stopService('GitLab', ssh, options[:dry])
+                    rm('/etc/containers/systemd/GitLab.container', options[:dry], ssh)
+                    self.class.exec("podman rmi #{IMAGE_ID}", ssh, true, options[:dry])
+                    state.item(id)['Status'] = State::STATUS_DELETED unless options[:dry]
+                    if options[:destroy]
+                        rm('/var/lib/gitlab', options[:dry], ssh)
+                        rm('/var/log/nginx/gitlab.access.log', options[:dry], ssh)
+                        rm('/var/log/nginx/gitlab.error.log', options[:dry], ssh)
+                        state.item(id)['Status'] = State::STATUS_DESTROYED unless options[:dry]
+                    end
+                end
+            end
+
         end
 
     end

data/Plugins/Apps/LetsEncrypt/LetsEncrypt.lmm.rb

@@ -0,0 +1,57 @@
+
+module ConfigLMM
+    module LMM
+        class LetsEncrypt < Framework::LinuxApp
+
+            PACKAGE_NAME = 'CertBotNginx'
+            CONFIG_DIR = '/etc/letsencrypt/'
+
+            def actionLetsEncryptDeploy(id, target, activeState, context, options)
+                self.ensurePackage(PACKAGE_NAME, target['Location'])
+
+                if target['Location'] && target['Location'] != '@me'
+                    uri = Addressable::URI.parse(target['Location'])
+                    raise Framework::PluginProcessError.new("#{id}: Unknown Protocol: #{uri.scheme}!") if uri.scheme != 'ssh'
+
+                    self.class.sshStart(uri) do |ssh|
+                        ssh.scp.upload!(__dir__ + '/rfc2136.ini', CONFIG_DIR)
+                        ssh.scp.upload!(__dir__ + '/renew-certificates.service', '/etc/systemd/system/')
+                        ssh.scp.upload!(__dir__ + '/renew-certificates.timer', '/etc/systemd/system/')
+                        self.class.exec("mkdir -p #{CONFIG_DIR}renewal-hooks/deploy", ssh)
+                        target['Hooks'].to_a.each do |hook|
+                            ssh.scp.upload!(__dir__ + '/hooks/' + hook + '.sh', "#{CONFIG_DIR}renewal-hooks/deploy/")
+                        end
+                        self.class.exec("chmod +x #{CONFIG_DIR}renewal-hooks/deploy/*.sh", ssh)
+                        self.class.exec("sed -i 's|$IP|#{target['DNS']['IP']}|' #{CONFIG_DIR}/rfc2136.ini", ssh)
+                        self.class.exec("sed -i 's|$SECRET|#{ENV['LETSENCRYPT_DNS_SECRET']}|' #{CONFIG_DIR}/rfc2136.ini", ssh)
+                        self.class.exec("chmod 600 #{CONFIG_DIR}/rfc2136.ini", ssh)
+                        if target['Domain']
+                            createCertificate('Wildcard', target['Domain'], target, ssh)
+                        end
+                        target['Certificates'].to_h.each do |name, domain|
+                            createCertificate(name, domain, target, ssh)
+                        end
+
+                        self.class.exec("systemctl daemon-reload", ssh)
+                        self.class.exec("systemctl enable renew-certificates.timer", ssh)
+                        self.class.exec("systemctl start renew-certificates.timer", ssh)
+                    end
+                else
+                    # TODO
+                end
+            end
+
+            def createCertificate(name, domain, target, ssh)
+                domains = ['--domains "' + Addressable::IDNA.to_ascii(domain) + '"']
+                if domain.start_with?('*.')
+                    domains << '--domains "' + Addressable::IDNA.to_ascii(domain[2..-1]) + '"'
+                end
+                extra = ''
+                extra = '--dns-rfc2136-propagation-seconds ' + target['DNS']['Propagation'].to_s if target['DNS']['Propagation']
+                self.class.exec("certbot certonly --dns-rfc2136 --dns-rfc2136-credentials=/etc/letsencrypt/rfc2136.ini #{extra} --non-interactive --agree-tos --email #{target['EMail']} --cert-name '#{name}' #{domains.join(' ')}", ssh)
+            end
+
+        end
+
+    end
+end

data/Plugins/Apps/LetsEncrypt/hooks/dovecot.sh

@@ -0,0 +1,2 @@
+#!/usr/bin/sh
+systemctl reload dovecot

data/Plugins/Apps/LetsEncrypt/hooks/nginx.sh

@@ -0,0 +1,2 @@
+#!/usr/bin/sh
+systemctl reload nginx

data/Plugins/Apps/LetsEncrypt/hooks/postfix.sh

@@ -0,0 +1,2 @@
+#!/usr/bin/sh
+systemctl reload postfix

data/Plugins/Apps/LetsEncrypt/renew-certificates.service

@@ -0,0 +1,7 @@
+
+[Unit]
+Description=Renew certificates
+
+[Service]
+Type=oneshot
+ExecStart=/usr/bin/certbot renew

data/Plugins/Apps/LetsEncrypt/renew-certificates.timer

@@ -0,0 +1,12 @@
+
+[Unit]
+Description=Renew certificates
+
+[Timer]
+OnCalendar=*-*-1/2 04:20
+AccuracySec=12h
+RandomizedDelaySec=24h
+Persistent=true
+
+[Install]
+WantedBy=timers.target

data/Plugins/Apps/LetsEncrypt/rfc2136.ini

@@ -0,0 +1,11 @@
+
+# Target DNS server
+dns_rfc2136_server = $IP
+# Target DNS port
+dns_rfc2136_port = 53
+# TSIG key name
+dns_rfc2136_name = configlmm.
+# TSIG key secret
+dns_rfc2136_secret = $SECRET
+# TSIG key algorithm
+dns_rfc2136_algorithm = HMAC-SHA512

data/Plugins/Apps/MariaDB/MariaDB.lmm.rb

@@ -0,0 +1,115 @@
+require_relative '../../OS/Linux/Linux.lmm.rb'
+
+module ConfigLMM
+    module LMM
+        class MariaDB < Framework::LinuxApp
+            PACKAGE_NAME = 'MariaDB'
+            SERVICE_NAME = 'mariadb'
+            USER_NAME = 'mariadb'
+
+            def actionMariaDBDeploy(id, target, activeState, context, options)
+                self.ensurePackage(PACKAGE_NAME, target['Location'])
+                self.ensureServiceAutoStart(SERVICE_NAME, target['Location'])
+                self.startService(SERVICE_NAME, target['Location'])
+
+                if target['Location'] && target['Location'] != '@me'
+                    uri = Addressable::URI.parse(target['Location'])
+                    raise Framework::PluginProcessError.new("#{id}: Unknown Protocol: #{uri.scheme}!") if uri.scheme != 'ssh'
+
+                    self.class.sshStart(uri) do |ssh|
+                        self.class.secureInstallation(ssh)
+                        if target['Listen']
+                            self.class.exec("sed -i 's|bind-address .*|bind-address = #{target['Listen']}|' /etc/my.cnf", ssh)
+                            self.class.restartService(SERVICE_NAME, ssh)
+                        end
+                    end
+                else
+                    # TODO
+                end
+
+                activeState['Status'] = State::STATUS_DEPLOYED
+            end
+
+            def cleanup(configs, state, context, options)
+                cleanupType(:MariaDB, configs, state, context, options) do |item, id, state, context, options, ssh|
+                    Framework::LinuxApp.stopService(SERVICE_NAME, ssh, options[:dry])
+                    Framework::LinuxApp.disableService(SERVICE_NAME, ssh, options[:dry])
+                    Framework::LinuxApp.removePackage(PACKAGE_NAME, ssh, options[:dry])
+
+                    state.item(id)['Status'] = State::STATUS_DELETED unless options[:dry]
+                end
+            end
+
+            def self.secureInstallation(ssh)
+                status = {}
+                output = ''
+                channel = ssh.exec("mariadb-secure-installation", status: status) do |channel, stream, data|
+                    output += data
+                    channel.send_data("\n")  # Empty root password
+                    channel.send_data("Y\n") # unix_socket authentication
+                    channel.send_data("N\n") # change the root password
+                    channel.send_data("Y\n") # remove anonymous users
+                    channel.send_data("Y\n") # disallow root login remotely
+                    channel.send_data("Y\n") # remove test database
+                    channel.send_data("Y\n") # reload privileges
+                end
+                channel.wait
+                if !status[:exit_code].zero?
+                    $stderr.puts(output)
+                    raise Framework::PluginProcessError.new("mariadb-secure-installation failed!")
+                end
+            end
+
+            def self.createRemoteUserAndDB(settings, user, password, ssh = nil)
+                self.executeRemotely(settings, ssh) do |ssh|
+                    host = 'localhost'
+                    host = '%' if settings['HostName'] != 'localhost'
+                    self.createUserAndDB(user, password, host, ssh)
+                end
+            end
+
+            def self.executeRemotely(settings, ssh = nil)
+                settings['HostName'] = 'localhost' unless settings['HostName']
+                if settings['HostName'] == 'localhost'
+                    yield(ssh)
+                else
+                    self.sshStart("ssh://#{settings['HostName']}/") do |ssh|
+                        yield(ssh)
+                    end
+                end
+            end
+
+            def self.createUserAndDB(user, password, host, ssh = nil)
+                self.executeSQL("CREATE USER '#{user}'@'#{host}'", nil, ssh, true)
+                self.executeSQL("ALTER USER '#{user}'@'#{host}' IDENTIFIED BY '#{password}'", nil, ssh)
+                self.executeSQL("CREATE DATABASE #{user}", nil, ssh, true)
+                self.executeSQL("GRANT ALL PRIVILEGES ON #{user}.* TO '#{user}'@'#{host}'", nil, ssh)
+            end
+
+            def self.createAdmin(ssh)
+                self.executeSQL("CREATE USER 'admin'@'%'", nil, ssh, true)
+                password = SecureRandom.alphanumeric(20)
+                self.executeSQL("ALTER USER 'admin'@'%' IDENTIFIED BY '#{password}'", nil, ssh)
+                self.executeSQL("GRANT ALL PRIVILEGES ON *.* TO 'admin'@'%' WITH GRANT OPTION", nil, ssh)
+                password
+            end
+
+            def self.dropAdmin(ssh)
+                self.executeSQL("DROP USER 'admin'@'%'", nil, ssh, true)
+            end
+
+            def self.tableExist?(db, table, ssh)
+                table = self.executeSQL("SHOW TABLES LIKE '#{table}'", db, ssh).strip
+                !table.empty?
+            end
+
+            def self.executeSQL(sql, db = nil, ssh = nil, allowFailure = false, dry = false)
+                db = '' unless db
+                cmd = " mariadb #{db} --execute=\"#{sql.gsub('"', '\\"')};\""
+                self.exec(cmd, ssh, allowFailure, dry)
+            end
+
+        end
+
+    end
+end

data/Plugins/Apps/Matrix/Element.container

@@ -0,0 +1,14 @@
+
+[Unit]
+Description=Matrix (Element) container
+After=local-fs.target
+
+[Container]
+Image=docker.io/vectorim/element-web:latest
+EnvironmentFile=/var/lib/matrix/.config/containers/systemd/Matrix.env
+PublishPort=127.0.0.1:18300:80
+Volume=/var/lib/matrix/config.json:/app/config.json
+AutoUpdate=registry
+
+[Install]
+WantedBy=multi-user.target default.target