ConfigLMM 0.3.0 → 0.4.0

data/Plugins/Apps/Odoo/Odoo.container

@@ -4,7 +4,7 @@ Description=Odoo container
 After=local-fs.target
 
 [Container]
-Image=odoo:latest
+Image=docker.io/odoo:latest
 EnvironmentFile=/var/lib/odoo/.config/containers/systemd/Odoo.env
 Network=slirp4netns:allow_host_loopback=true
 PublishPort=0.0.0.0:8069:8069
@@ -12,6 +12,7 @@ UserNS=keep-id:uid=101,gid=101
 Volume=/var/lib/odoo/config:/etc/odoo
 Volume=/var/lib/odoo/data:/var/lib/odoo
 Volume=/var/lib/odoo/addons:/mnt/extra-addons
+AutoUpdate=registry
 
 [Install]
 WantedBy=multi-user.target default.target

data/Plugins/Apps/Odoo/Odoo.lmm.rb

@@ -71,7 +71,7 @@ module ConfigLMM
             def configurePostgreSQL(settings, ssh)
                 user = USER
                 password = SecureRandom.alphanumeric(20)
-                PostgreSQL.executeRemotelyOverSSH(settings, ssh) do |ssh|
+                PostgreSQL.executeRemotely(settings, ssh) do |ssh|
                     self.class.sshExec!(ssh, "su --login #{PostgreSQL::USER_NAME} --command 'createuser --createdb #{user}'", true)
                     PostgreSQL.executeSQL("ALTER USER #{user} WITH PASSWORD '#{password}'", nil, ssh)
                 end

data/Plugins/Apps/OpenVidu/Ingress.container

@@ -0,0 +1,18 @@
+
+[Unit]
+Description=LiveKit Ingress container
+After=local-fs.target
+
+[Container]
+Image=docker.io/livekit/ingress:latest
+EnvironmentFile=/var/lib/openvidu/.config/containers/systemd/OpenVidu.env
+Network=slirp4netns:allow_host_loopback=true
+PublishPort=127.0.0.1:1935:1935
+PublishPort=127.0.0.1:8085:8085
+PublishPort=127.0.0.1:7895:7895/udp
+UserNS=keep-id:uid=1000,gid=1000
+Volume=/var/lib/openvidu/ingress.yaml:/etc/ingress.yaml
+AutoUpdate=registry
+
+[Install]
+WantedBy=multi-user.target default.target

data/Plugins/Apps/OpenVidu/OpenVidu.conf.erb

@@ -0,0 +1,34 @@
+
+server {
+    <% if config['NginxVersion'] >= 1.25 %>
+        listen 443 ssl;
+        listen [::]:443 ssl;
+        http2 on;
+        http3 on;
+        quic_retry on;
+        add_header Alt-Svc 'h3=":443"; ma=86400';
+    <% else %>
+        listen 443 ssl http2;
+        listen [::]:443 ssl http2;
+    <% end %>
+
+    include config-lmm/ssl.conf;
+
+    server_name <%= config['Domain'] %>;
+
+    <% if config['CertName'] %>
+        ssl_certificate "/etc/letsencrypt/live/<%= config['CertName'] %>/fullchain.pem";
+        ssl_certificate_key "/etc/letsencrypt/live/<%= config['CertName'] %>/privkey.pem";
+        ssl_trusted_certificate "/etc/letsencrypt/live/<%= config['CertName'] %>/chain.pem";
+    <% end %>
+
+    access_log  /var/log/nginx/openvidu.access.log;
+    error_log   /var/log/nginx/openvidu.error.log;
+
+    # Proxy site
+    location / {
+        proxy_pass http://127.0.0.1:7880;
+        include config-lmm/proxy.conf;
+    }
+
+}

data/Plugins/Apps/OpenVidu/OpenVidu.container

@@ -0,0 +1,16 @@
+
+[Unit]
+Description=OpenVidu container
+After=local-fs.target
+
+[Container]
+Image=docker.io/openvidu/openvidu-server:main
+Exec=--config /etc/livekit.yaml --bind=$BindIP
+EnvironmentFile=/var/lib/openvidu/.config/containers/systemd/OpenVidu.env
+Network=host
+UserNS=keep-id:uid=1000,gid=1000
+Volume=/var/lib/openvidu/livekit.yaml:/etc/livekit.yaml
+AutoUpdate=registry
+
+[Install]
+WantedBy=multi-user.target default.target

data/Plugins/Apps/OpenVidu/OpenVidu.lmm.rb

@@ -0,0 +1,90 @@
+
+module ConfigLMM
+    module LMM
+        class OpenVidu < Framework::NginxApp
+
+            USER = 'openvidu'
+            HOME_DIR = '/var/lib/openvidu'
+            HOST_IP = '10.0.2.2'
+
+            def actionOpenViduDeploy(id, target, activeState, context, options)
+                raise Framework::PluginProcessError.new('Domain field must be set!') unless target['Domain']
+                raise Framework::PluginProcessError.new('CallDomain field must be set!') unless target['CallDomain']
+
+                if target['Location'] && target['Location'] != '@me'
+                    uri = Addressable::URI.parse(target['Location'])
+                    raise Framework::PluginProcessError.new("#{id}: Unknown Protocol: #{uri.scheme}!") if uri.scheme != 'ssh'
+
+                    self.class.sshStart(uri) do |ssh|
+
+                        distroInfo = Framework::LinuxApp.currentDistroInfo(ssh)
+                        Framework::LinuxApp.configurePodmanServiceOverSSH(USER, HOME_DIR, 'OpenVidu', distroInfo, ssh)
+
+                        secretKey = SecureRandom.alphanumeric(40)
+                        bindIp = target['BindIP']
+                        bindIp = '127.0.0.1' unless bindIp
+
+                        path = Framework::LinuxApp::SYSTEMD_CONTAINERS_PATH.gsub('~', HOME_DIR)
+                        self.class.exec("echo 'INGRESS_CONFIG_FILE=/etc/ingress.yaml' > #{path}/OpenVidu.env", ssh)
+                        self.class.exec("echo 'LIVEKIT_URL=wss://#{target['Domain']}' >> #{path}/OpenVidu.env", ssh)
+                        self.class.exec("echo 'LIVEKIT_API_KEY=Main' >> #{path}/OpenVidu.env", ssh)
+                        self.class.exec("echo 'LIVEKIT_API_SECRET=#{secretKey}' >> #{path}/OpenVidu.env", ssh)
+                        self.class.exec("echo 'CALL_PRIVATE_ACCESS=true' >> #{path}/OpenVidu.env", ssh)
+                        self.class.exec("echo 'CALL_USER=guest' >> #{path}/OpenVidu.env", ssh)
+                        callSecret = SecureRandom.alphanumeric(20)
+                        prompt.say("OpenVidu Call guest password: #{callSecret}", :color => :magenta)
+                        self.class.exec("echo 'CALL_SECRET=#{callSecret}' >> #{path}/OpenVidu.env", ssh)
+                        self.class.exec("echo 'CALL_ADMIN_USER=admin' >> #{path}/OpenVidu.env", ssh)
+                        callAdminSecret = SecureRandom.alphanumeric(20)
+                        prompt.say("OpenVidu Call admin password: #{callAdminSecret}", :color => :magenta)
+                        self.class.exec("echo 'CALL_ADMIN_SECRET=#{callAdminSecret}' >> #{path}/OpenVidu.env", ssh)
+
+                        ssh.scp.upload!(__dir__ + '/livekit.yaml', HOME_DIR)
+                        ssh.scp.upload!(__dir__ + '/ingress.yaml', HOME_DIR)
+
+                        self.class.exec("sed -i 's|$SECRET|#{secretKey}|'  #{HOME_DIR}/livekit.yaml", ssh)
+
+                        if target['Valkey']
+                            self.class.exec("sed -i 's|10.0.2.2|#{target['Valkey']['Host']}|'  #{HOME_DIR}/ingress.yaml", ssh) if target['Valkey']['Host']
+                        end
+                        if ENV['VALKEY_PASSWORD']
+                            self.class.exec("sed -i 's|password:|password: #{ENV['VALKEY_PASSWORD']}|'  #{HOME_DIR}/ingress.yaml", ssh)
+                        end
+
+                        self.class.exec("chown #{USER}:#{USER} #{path}/OpenVidu.env #{HOME_DIR}/livekit.yaml #{HOME_DIR}/ingress.yaml", ssh)
+                        self.class.exec("chmod 600 #{path}/OpenVidu.env #{HOME_DIR}/livekit.yaml #{HOME_DIR}/ingress.yaml", ssh)
+
+                        ssh.scp.upload!(__dir__ + '/OpenVidu.container', path)
+                        ssh.scp.upload!(__dir__ + '/OpenViduCall.container', path)
+                        ssh.scp.upload!(__dir__ + '/Ingress.container', path)
+
+                        self.class.exec("sed -i 's|$BindIP|#{bindIp}|'  #{path}/OpenVidu.container", ssh)
+
+                        Framework::LinuxApp.firewallAddPortOverSSH('7881/tcp', ssh)
+                        Framework::LinuxApp.firewallAddPortOverSSH('7900-7999/udp', ssh)
+                        Framework::LinuxApp.firewallAddPortOverSSH('45000-55000/udp', ssh)
+
+                        self.class.exec("systemctl --user --machine=#{USER}@ daemon-reload", ssh)
+                        self.class.exec("systemctl --user --machine=#{USER}@ restart OpenVidu", ssh)
+                        self.class.exec("systemctl --user --machine=#{USER}@ restart OpenViduCall", ssh)
+                        self.class.exec("systemctl --user --machine=#{USER}@ restart Ingress", ssh)
+
+                        Framework::LinuxApp.ensurePackages([NGINX_PACKAGE], ssh)
+                        Framework::LinuxApp.ensureServiceAutoStartOverSSH(NGINX_PACKAGE, ssh)
+                        self.class.prepareNginxConfig(target, ssh)
+                        target['CallDomain'] = Addressable::IDNA.to_ascii(target['CallDomain'])
+                        self.writeNginxConfig(__dir__, 'OpenVidu', id, target, state, context, options)
+                        self.writeNginxConfig(__dir__, 'OpenViduCall', id, target, state, context, options)
+                        self.deployNginxConfig(id, target, activeState, context, options)
+                        Framework::LinuxApp.startServiceOverSSH(NGINX_PACKAGE, ssh)
+
+                    end
+                else
+                    # TODO
+                end
+            end
+
+        end
+    end
+end
+

data/Plugins/Apps/OpenVidu/OpenViduCall.conf.erb

@@ -0,0 +1,35 @@
+
+server {
+    <% if config['NginxVersion'] >= 1.25 %>
+        listen 443 ssl;
+        listen [::]:443 ssl;
+        http2 on;
+        http3 on;
+        quic_retry on;
+        add_header Alt-Svc 'h3=":443"; ma=86400';
+    <% else %>
+        listen 443 ssl http2;
+        listen [::]:443 ssl http2;
+    <% end %>
+
+    include config-lmm/ssl.conf;
+
+    server_name <%= config['CallDomain'] %>;
+
+    <% if config['CallCertName'] %>
+        ssl_certificate "/etc/letsencrypt/live/<%= config['CallCertName'] %>/fullchain.pem";
+        ssl_certificate_key "/etc/letsencrypt/live/<%= config['CallCertName'] %>/privkey.pem";
+        ssl_trusted_certificate "/etc/letsencrypt/live/<%= config['CallCertName'] %>/chain.pem";
+    <% end %>
+
+    access_log  /var/log/nginx/openvidu-call.access.log;
+    error_log   /var/log/nginx/openvidu-call.error.log;
+
+    # Proxy site
+    location / {
+        proxy_pass http://127.0.0.1:6080;
+        include config-lmm/proxy.conf;
+    }
+
+}
+

data/Plugins/Apps/OpenVidu/OpenViduCall.container

@@ -0,0 +1,15 @@
+
+
+[Unit]
+Description=OpenVidu Call container
+After=local-fs.target
+
+[Container]
+Image=docker.io/openvidu/openvidu-call:main
+EnvironmentFile=/var/lib/openvidu/.config/containers/systemd/OpenVidu.env
+PublishPort=127.0.0.1:6080:6080
+UserNS=keep-id:uid=1000,gid=1000
+AutoUpdate=registry
+
+[Install]
+WantedBy=multi-user.target default.target

data/Plugins/Apps/OpenVidu/ingress.yaml

@@ -0,0 +1,10 @@
+redis:
+    address: 10.0.2.2:6379
+    username: ""
+    password:
+
+cpu_cost:
+    rtmp_cpu_cost: 2
+    whip_cpu_cost: 2
+    whip_bypass_transcoding_cpu_cost: 0.1
+    url_cpu_cost: 2

data/Plugins/Apps/OpenVidu/livekit.yaml

@@ -0,0 +1,13 @@
+keys:
+    Main: $SECRET
+
+rtc:
+    tcp_port: 7881
+    port_range_start: 7900
+    port_range_end: 7999
+
+turn:
+    enabled: true
+    udp_port: 3478
+    relay_range_start: 45000
+    relay_range_end: 55000

data/Plugins/Apps/Peppermint/Peppermint.conf.erb

@@ -1,9 +1,5 @@
 
 server {
-    listen 80;
-    listen [::]:80;
-    server_name peppermint.example.com;
-    add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;
 
     <% if !config['TLS'] %>
         listen       <%= config['Port'] %>;

data/Plugins/Apps/Peppermint/Peppermint.container

@@ -4,11 +4,12 @@ Description=Peppermint Ticket Management container
 After=local-fs.target
 
 [Container]
-Image=pepperlabs/peppermint:latest
+Image=docker.io/pepperlabs/peppermint:latest
 EnvironmentFile=/var/lib/peppermint/.config/containers/systemd/Peppermint.env
 Network=slirp4netns:allow_host_loopback=true
 PublishPort=127.0.0.1:13000:3000
 PublishPort=127.0.0.1:15003:5003
+AutoUpdate=registry
 
 [Install]
 WantedBy=multi-user.target default.target

data/Plugins/Apps/Postfix/Postfix.lmm.rb

@@ -12,9 +12,13 @@ module ConfigLMM
                 plugins[:Linux].ensurePackages([PACKAGE_NAME, 'CyrusSASL'], target['Location'])
                 plugins[:Linux].ensureServiceAutoStart(SERVICE_NAME, target['Location'])
 
+                activeState['Instance'] = target['Instance']
+                activeState['AlternativePort'] = target['AlternativePort']
                 deploySettings(target, target['Location'], options)
 
                 plugins[:Linux].startService(SERVICE_NAME, target['Location'])
+
+                activeState['Status'] = State::STATUS_DEPLOYED
             end
 
             def deploySettings(target, location, options)
@@ -91,14 +95,11 @@ module ConfigLMM
 
 
                         if target['AlternativePort']
-                            self.class.sshExec!(ssh, "firewall-cmd -q --add-port='#{target['AlternativePort']}/tcp'")
-                            self.class.sshExec!(ssh, "firewall-cmd -q --permanent --add-port='#{target['AlternativePort']}/tcp'")
+                            Framework::LinuxApp.firewallAddPort("#{target['AlternativePort']}/tcp", ssh)
                         else
-                            self.class.sshExec!(ssh, "firewall-cmd -q --add-service='smtp'")
-                            self.class.sshExec!(ssh, "firewall-cmd -q --permanent --add-service='smtp'")
+                            Framework::LinuxApp.firewallAddService('smtp', ssh)
                         end
-                        self.class.sshExec!(ssh, "firewall-cmd -q --add-service='smtps'")
-                        self.class.sshExec!(ssh, "firewall-cmd -q --permanent --add-service='smtps'")
+                        Framework::LinuxApp.firewallAddService('smtps', ssh)
 
                         ssh.scp.upload!(__dir__ + '/smtpd.conf', '/etc/sasl2/smtpd.conf')
                         self.class.sshExec!(ssh, "touch /etc/sasldb2")
@@ -178,6 +179,31 @@ module ConfigLMM
                 end
             end
 
+            def cleanup(configs, state, context, options)
+                cleanupType(:Postfix, configs, state, context, options) do |item, id, state, context, options, ssh|
+                    instances = self.class.exec('postmulti -l | wc -l', ssh, true).strip.to_i
+                    if instances <= 1
+                        Framework::LinuxApp.stopService(SERVICE_NAME, ssh, options[:dry])
+                        Framework::LinuxApp.firewallRemoveService('smtps', ssh, options[:dry])
+                        if item['AlternativePort']
+                            Framework::LinuxApp.firewallRemovePort("#{item['AlternativePort']}/tcp", ssh, options[:dry])
+                        else
+                            Framework::LinuxApp.firewallRemoveService('smtp', ssh, options[:dry])
+                        end
+                        Framework::LinuxApp.removePackage(PACKAGE_NAME, ssh, options[:dry])
+
+                        state.item(id)['Status'] = State::STATUS_DELETED unless options[:dry]
+
+                        if options[:destroy]
+                            rm('/etc/postfix', options[:dry], ssh)
+
+                            state.item(id)['Status'] = State::STATUS_DESTROYED unless options[:dry]
+                        end
+                    else
+                        prompt.say('Postfix multiple instance cleanup not implemented!', :color => :red)
+                    end
+                end
+            end
         end
 
     end

data/Plugins/Apps/PostgreSQL/PostgreSQL.lmm.rb

@@ -12,26 +12,60 @@ module ConfigLMM
             CONFIG_FILE = 'data/postgresql.conf'
 
             def actionPostgreSQLDeploy(id, target, activeState, context, options)
-                self.ensurePackage(PACKAGE_NAME, target['Location'])
-                self.ensureServiceAutoStart(SERVICE_NAME, target['Location'])
-                self.startService(SERVICE_NAME, target['Location'])
+                target['Deploy'] = !!(target['ListenAll'] || target['Listen'] || target['Settings']) unless target.key?('Deploy')
+                activeState['Deploy'] = target['Deploy']
+                activeState['Users'] = target['Users']
+                activeState['Databases'] = target['Databases']
+                activeState['Publications'] = target['Publications']
+                activeState['Subscriptions'] = target['Subscriptions']
+
+                if target['Deploy']
+                    self.ensurePackage(PACKAGE_NAME, target['Location'])
+                    self.ensureServiceAutoStart(SERVICE_NAME, target['Location'])
+                    self.startService(SERVICE_NAME, target['Location'])
+                end
 
                 if target['Location'] && target['Location'] != '@me'
                     uri = Addressable::URI.parse(target['Location'])
                     raise Framework::PluginProcessError.new("#{id}: Unknown Protocol: #{uri.scheme}!") if uri.scheme != 'ssh'
 
                     self.class.sshStart(uri) do |ssh|
-                        self.updateSettingsOverSSH(target, ssh, options)
-                        self.class.sshExec!(ssh, "su --login #{USER_NAME} --command 'pg_ctl reload'")
+                        if target['Deploy']
+                            self.updateSettingsOverSSH(target, ssh, options)
+                            self.class.sshExec!(ssh, "su --login #{USER_NAME} --command 'pg_ctl reload'")
+                        end
                         self.class.createUsersOverSSH(target, ssh)
                         self.class.createDatabasesOverSSH(target, ssh)
                         self.class.createPublicationsOverSSH(target, ssh)
                         self.class.createSubscriptionsOverSSH(target, ssh)
                     end
                 else
-                    `pg_ctl reload`
+                    if target['Deploy']
+                        `pg_ctl reload`
+                    end
                 end
 
+                activeState['Status'] = State::STATUS_DEPLOYED
+            end
+
+            def cleanup(configs, state, context, options)
+                cleanupType(:PostgreSQL, configs, state, context, options) do |item, id, state, context, options, ssh|
+                    if item['Deploy']
+                        Framework::LinuxApp.stopService(SERVICE_NAME, ssh, options[:dry])
+                        Framework::LinuxApp.disableService(SERVICE_NAME, ssh, options[:dry])
+                        Framework::LinuxApp.removePackage(PACKAGE_NAME, ssh, options[:dry])
+
+                        state.item(id)['Status'] = State::STATUS_DELETED unless options[:dry]
+
+                        if options[:destroy]
+                            Framework::LinuxApp.deleteUserAndGroup(USER_NAME, ssh, options[:dry])
+
+                            state.item(id)['Status'] = State::STATUS_DESTROYED unless options[:dry]
+                        end
+                    else
+                        # TODO
+                    end
+                end
             end
 
             def updateListenLocal(target)
@@ -154,6 +188,26 @@ module ConfigLMM
                 self.sshExec!(ssh, cmd)
             end
 
+            def self.updateOwner(db, owner, ssh)
+                sql = "SELECT tablename FROM pg_tables WHERE NOT schemaname IN ('pg_catalog', 'information_schema')"
+                tables = self.executeSQL(sql, db, ssh, false, ['--csv', '--tuples-only']).strip.lines
+                tables.each do |table|
+                    self.executeSQL("ALTER TABLE public.#{table} OWNER TO #{owner};", db, ssh)
+                end
+
+                sql = "SELECT sequence_name FROM information_schema.sequences WHERE NOT sequence_schema IN ('pg_catalog', 'information_schema')"
+                sequences = self.executeSQL(sql, db, ssh, false, ['--csv', '--tuples-only']).strip.lines
+                sequences.each do |sequence|
+                    self.executeSQL("ALTER SEQUENCE public.#{sequence} OWNER TO #{owner};", db, ssh)
+                end
+
+                sql = "SELECT table_name FROM information_schema.views WHERE NOT table_schema IN ('pg_catalog', 'information_schema')"
+                views = self.executeSQL(sql, db, ssh, false, ['--csv', '--tuples-only']).strip.lines
+                views.each do |view|
+                    self.executeSQL("ALTER VIEW public.#{view} OWNER TO #{owner};", db, ssh)
+                end
+            end
+
             def updateConfigOverSSH(ssh, cmd)
                 dir = ''
                 distroID = self.class.distroID(ssh)
@@ -163,12 +217,27 @@ module ConfigLMM
             end
 
             def self.createRemoteUserAndDBOverSSH(settings, user, password, ssh)
-                    self.executeRemotelyOverSSH(settings, ssh) do |ssh|
-                        self.createUserAndDBOverSSH(user, password, ssh)
+                self.executeRemotely(settings, ssh) do |ssh|
+                    self.createUserAndDBOverSSH(user, password, ssh)
+                end
+            end
+
+            def self.dropUserAndDB(settings, user, ssh, dry)
+                self.executeRemotely(settings, ssh) do |ssh|
+                    self.exec("su --login #{USER_NAME} --command 'dropdb #{user}'", ssh, true, dry)
+                    self.exec("su --login #{USER_NAME} --command 'dropuser #{user}'", ssh, true, dry)
+                end
+            end
+
+            def self.createExtensions(settings, db, extensions, ssh)
+                self.executeRemotely(settings, ssh) do |ssh|
+                    extensions.each do |extension|
+                        self.executeSQL("CREATE EXTENSION #{extension}", db, ssh, true)
                     end
+                end
             end
 
-            def self.executeRemotelyOverSSH(settings, ssh)
+            def self.executeRemotely(settings, ssh = nil)
                 settings['HostName'] = 'localhost' unless settings['HostName']
                 if settings['HostName'] == 'localhost'
                     yield(ssh)
@@ -199,10 +268,10 @@ module ConfigLMM
                 end
             end
 
-            def self.executeSQL(sql, db, ssh = nil, allowFailure = false)
+            def self.executeSQL(sql, db, ssh = nil, allowFailure = false, options = [])
                 if ssh
                     db = 'postgres' unless db
-                    cmd = " su --login #{USER_NAME} --command ' psql --dbname=#{db} --command=\"#{sql.gsub("'", "\\\\'")};\"'"
+                    cmd = " su --login #{USER_NAME} --command ' psql #{options.join(' ')} --dbname=#{db} --command=\"#{sql.gsub("'", "'\"'\"'")};\"'"
                     self.sshExec!(ssh, cmd, allowFailure)
                 else
                     # TODO

data/Plugins/Apps/Roundcube/Roundcube.conf.erb

@@ -0,0 +1,75 @@
+
+upstream roundcube
+{
+<% if config['Server'] %>
+    server <%= config['Server'] %>;
+<% else %>
+    server unix:/run/php-fpm/roundcube.sock;
+<% end %>
+}
+
+server
+{
+    <% if !config['TLS'] %>
+        listen       <%= config['Port'] %>;
+        listen  [::]:<%= config['Port'] %>;
+    <% else %>
+        <% if config['NginxVersion'] >= 1.25 %>
+            listen <%= config['Port'] %> ssl;
+            listen [::]:<%= config['Port'] %> ssl;
+            http2 on;
+            http3 on;
+            quic_retry on;
+            add_header Alt-Svc 'h3=":<%= config['Port'] %>"; ma=86400';
+        <% else %>
+            listen <%= config['Port'] %> ssl http2;
+            listen [::]:<%= config['Port'] %> ssl http2;
+        <% end %>
+
+        include config-lmm/ssl.conf;
+    <% end %>
+
+    server_name <%= config['Domain'] %>;
+
+    access_log  /var/log/nginx/roundcube.access.log;
+    error_log   /var/log/nginx/roundcube.error.log;
+
+    index index.php;
+    root /usr/share/webapps/roundcubemail;
+
+    include config-lmm/private.conf;
+    include config-lmm/errors.conf;
+
+    location / {
+        try_files $uri $uri/ $uri/index.php;
+    }
+
+    location ~ \.php$
+    {
+        fastcgi_pass roundcube;
+        include fastcgi.conf;
+
+        try_files $uri =404;
+        fastcgi_index index.php;
+        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+        include fastcgi_params;
+
+        fastcgi_intercept_errors off;
+    }
+
+    location ~ ^/(README|INSTALL|LICENSE|CHANGELOG|UPGRADING)$
+    {
+        deny all;
+    }
+
+    location ~ ^/(bin|SQL)/
+    {
+        deny all;
+    }
+
+    location ~* \.(jpg|jpeg|gif|png|webp|svg|woff|woff2|ttf|css|js|ico|xml)$
+    {
+        access_log        off;
+        expires           360d;
+    }
+}