ConfigLMM 0.3.0 → 0.4.0

data/Plugins/Apps/Roundcube/Roundcube.lmm.rb

@@ -0,0 +1,145 @@
+
+module ConfigLMM
+    module LMM
+        class Roundcube < Framework::NginxApp
+
+            USER = 'roundcube'
+            HOME_DIR = '/var/lib/roundcube'
+            PACKAGE_NAME = 'Roundcube'
+
+            def actionRoundcubeDeploy(id, target, activeState, context, options)
+                raise Framework::PluginProcessError.new('Domain field must be set!') unless target['Domain']
+
+                target['Database'] ||= {}
+                if target['Location'] && target['Location'] != '@me'
+                    uri = Addressable::URI.parse(target['Location'])
+                    raise Framework::PluginProcessError.new("#{id}: Unknown Protocol: #{uri.scheme}!") if uri.scheme != 'ssh'
+
+                    self.class.sshStart(uri) do |ssh|
+
+                        Framework::LinuxApp.ensurePackages([PHP_FPM::PHPFPM_PACKAGE], ssh)
+                        Framework::LinuxApp.ensureServiceAutoStartOverSSH(PHP_FPM::PHPFPM_SERVICE, ssh)
+                        distroInfo = Framework::LinuxApp.ensurePackages([PACKAGE_NAME], ssh)
+                        addUserCmd = "#{distroInfo['CreateServiceUser']} --home-dir '#{HOME_DIR}' --create-home --comment 'Roundcube' #{USER}"
+                        self.class.exec(addUserCmd, ssh, true)
+                        self.class.exec("chmod o-rwx #{HOME_DIR}", ssh)
+
+                        self.class.exec("touch /var/log/php/roundcube.errors.log", ssh)
+                        self.class.exec("touch /var/log/php/roundcube.mail.log", ssh)
+                        self.class.exec("chown #{USER}:#{USER} /var/log/php/roundcube.errors.log", ssh)
+                        self.class.exec("chown #{USER}:#{USER} /var/log/php/roundcube.mail.log", ssh)
+                        self.class.exec("chown -R #{USER}:#{USER} /var/log/roundcubemail /var/lib/roundcubemail", ssh)
+                        PHP_FPM::fixConfigFileOverSSH(distroInfo, ssh)
+
+                        roundcubeBaseDir = '/usr/share/webapps/roundcubemail'
+                        if distroInfo['Name'] == 'openSUSE Leap'
+                            roundcubeBaseDir = '/srv/www/roundcubemail'
+                        end
+
+                        self.class.exec("sed -i 's|$config\\[\\'des_key\\'\\].*|$config\\[\\'des_key\\'\\] = \\'#{SecureRandom.alphanumeric(24)}\\';|' #{roundcubeBaseDir}/config/config.inc.php", ssh)
+                        self.class.exec("sed -i 's|$config\\[\\'product_name\\'\\].*|$config\\[\\'product_name\\'\\] = \\'Webmail\\';|' #{roundcubeBaseDir}/config/config.inc.php", ssh)
+
+                        if target['IMAP']['Host']
+                            protocol = ''
+                            if target['IMAP']['Port'] == 993
+                                protocol = 'ssl://'
+                            end
+                            self.class.exec("sed -i 's|$config\\[\\'imap_host\\'\\].*|$config\\[\\'imap_host\\'\\] = \\'#{protocol}#{target['IMAP']['Host']}:#{target['IMAP']['Port']}\\';|' #{roundcubeBaseDir}/config/config.inc.php", ssh)
+                        end
+
+                        if target['SMTP']['Host']
+                            protocol = ''
+                            if target['SMTP']['Port'] == 465
+                                protocol = 'ssl://'
+                            end
+                            self.class.exec("sed -i 's|$config\\[\\'smtp_host\\'\\].*|$config\\[\\'smtp_host\\'\\] = \\'#{protocol}#{target['SMTP']['Host']}:#{target['SMTP']['Port']}\\';|' #{roundcubeBaseDir}/config/config.inc.php", ssh)
+                        end
+
+                        target['Database'] ||= {}
+                        activeState['Database'] = target['Database']
+                        if !target['Database']['Type'] || target['Database']['Type'] == 'pgsql'
+                            password = SecureRandom.alphanumeric(20)
+                            PostgreSQL.createRemoteUserAndDBOverSSH(target['Database'], USER, password, ssh)
+                            self.class.exec("sed -i 's|$config\\[\\'db_dsnw\\'\\].*|$config\\[\\'db_dsnw\\'\\] = \\'pgsql://#{USER}:#{password}@#{target['Database']['HostName']}/#{USER}\\';|' #{roundcubeBaseDir}/config/config.inc.php", ssh)
+                        end
+
+                        self.updateRemoteFile(ssh, roundcubeBaseDir + '/config/config.inc.php', options, false, '//') do |configLines|
+                            if target['Settings']
+                                target['Settings'].each do |name, value|
+                                    configLines << "$config['#{name}'] = '#{value}';\n"
+                                end
+                            end
+                            configLines << "$config['login_lc'] = 0;\n"
+                            configLines << "$config['enable_installer'] = true;\n"
+                        end
+
+                        target['User'] = USER unless target['User']
+                        name = 'roundcube'
+                        target['PHP-FPM'] ||= {}
+                        if distroInfo['Name'] == 'openSUSE Leap'
+                            target['PHP-FPM']['chdir'] = roundcubeBaseDir
+                        end
+                        self.updateRemoteFile(ssh, PHP_FPM.configDir(distroInfo) + name + '.conf', options, false, ';') do |configLines|
+                            PHP_FPM.writeConfig(name, target, distroInfo, configLines)
+                        end
+
+                        Framework::LinuxApp.startServiceOverSSH(PHP_FPM::PHPFPM_SERVICE, ssh)
+
+                        if !target.key?('Proxy') || target['Proxy']
+                            self.class.ensurePackage(ssh)
+                            self.class.prepareNginxConfig(target, ssh)
+                            self.writeNginxConfig(__dir__, 'Roundcube', id, target, state, context, options)
+                            if distroInfo['Name'] == 'openSUSE Leap'
+                                nginxFile = options['output'] + '/nginx/servers-lmm/Roundcube.conf'
+                                `sed -i 's|root .*|root #{roundcubeBaseDir}/public_html;|' #{nginxFile}`
+                            end
+                            self.deployNginxConfig(id, target, activeState, context, options)
+                            Framework::LinuxApp.startServiceOverSSH(NGINX_PACKAGE, ssh)
+                            self.class.reload(ssh)
+                        end
+
+                        self.class.exec("curl 'https://#{target['Domain']}/installer/index.php?_step=3' -X POST --data-raw 'initdb=Initialize+database'", ssh)
+                        self.class.exec("rm -f #{roundcubeBaseDir}/public_html/installer", ssh)
+                        self.class.exec("sed -i 's|$config\\[\\'enable_installer\\'\\].*|$config\\[\\'enable_installer\\'\\] = false;|' #{roundcubeBaseDir}/config/config.inc.php", ssh)
+                    end
+                else
+                    # TODO
+                end
+                activeState['Status'] = State::STATUS_DEPLOYED
+            end
+
+            def cleanup(configs, state, context, options)
+                cleanupType(:Roundcube, configs, state, context, options) do |item, id, state, context, options, ssh|
+                    cleanupConfig(item, id, state, context, options, ssh)
+                end
+            end
+
+            def cleanupConfig(item, id, state, context, options, ssh = nil)
+                if item['Proxy'].nil? || item['Proxy']
+                    self.cleanupNginxConfig('Roundcube', id, state, context, options, ssh)
+                    self.class.reload(ssh, options[:dry])
+                end
+                distroInfo = Framework::LinuxApp.currentDistroInfo(ssh)
+                rm(PHP_FPM.configDir(distroInfo) + 'roundcube.conf', options[:dry], ssh)
+                Framework::LinuxApp.reloadService(PHP_FPM::PHPFPM_SERVICE, ssh, options[:dry])
+                Framework::LinuxApp.removePackage(PACKAGE_NAME, ssh, options[:dry])
+                state.item(id)['Status'] = State::STATUS_DELETED unless options[:dry]
+                if options[:destroy]
+                    item['Database'] ||= {}
+                    if !item['Database']['Type'] || item['Database']['Type'] == 'pgsql'
+                        PostgreSQL.dropUserAndDB(item['Database'], USER, ssh, options[:dry])
+                    end
+                    Framework::LinuxApp.deleteUserAndGroup(USER, ssh, options[:dry])
+                    rm('/var/log/roundcubemail', options[:dry], ssh)
+                    rm('/var/log/php/roundcube.access.log', options[:dry], ssh)
+                    rm('/var/log/php/roundcube.errors.log', options[:dry], ssh)
+                    rm('/var/log/php/roundcube.mail.log', options[:dry], ssh)
+                    rm('/var/log/nginx/roundcube.access.log', options[:dry], ssh)
+                    rm('/var/log/nginx/roundcube.error.log', options[:dry], ssh)
+                    state.item(id)['Status'] = State::STATUS_DESTROYED unless options[:dry]
+                end
+            end
+
+        end
+    end
+end

data/Plugins/Apps/Tunnel/tunnel.lmm.rb

@@ -0,0 +1,63 @@
+
+module ConfigLMM
+    module LMM
+        class Tunnel < Framework::NginxApp
+
+            def actionTunnelDeploy(id, target, activeState, context, options)
+
+                if target['Location'] && target['Location'] != '@me'
+                    uri = Addressable::URI.parse(target['Location'])
+                    raise Framework::PluginProcessError.new("#{id}: Unknown Protocol: #{uri.scheme}!") if uri.scheme != 'ssh'
+
+                    self.class.sshStart(uri) do |ssh|
+
+                        Framework::LinuxApp.ensurePackage('socat', ssh)
+
+                        port = target['Port']
+                        activeState['Port'] = port
+                        activeState['UDP'] = target['UDP']
+                        if target['UDP']
+                            name = "tunnelUDP-#{port}"
+                            ssh.scp.upload!(__dir__ + '/tunnelUDP.service', "/etc/systemd/system/#{name}.service")
+                            ssh.scp.upload!(__dir__ + '/tunnelUDP.socket', "/etc/systemd/system/#{name}.socket")
+                            self.class.exec("sed -i 's|$PORT|#{port}|' /etc/systemd/system/#{name}.service", ssh)
+                            self.class.exec("sed -i 's|$PORT|#{port}|' /etc/systemd/system/#{name}.socket", ssh)
+                            self.class.exec("sed -i 's|$REMOTE|#{target['Remote']}|' /etc/systemd/system/#{name}.service", ssh)
+                        else
+                            name = "tunnelTCP-#{port}"
+                            ssh.scp.upload!(__dir__ + '/tunnelTCP.service', "/etc/systemd/system/#{name}.service")
+                            ssh.scp.upload!(__dir__ + '/tunnelTCP.socket', "/etc/systemd/system/#{name}.socket")
+                            self.class.exec("sed -i 's|$PORT|#{port}|' /etc/systemd/system/#{name}.service", ssh)
+                            self.class.exec("sed -i 's|$PORT|#{port}|' /etc/systemd/system/#{name}.socket", ssh)
+                            self.class.exec("sed -i 's|$REMOTE|#{target['Remote']}|' /etc/systemd/system/#{name}.service", ssh)
+                        end
+
+                        Framework::LinuxApp.reloadServiceManager(ssh)
+                        Framework::LinuxApp.ensureServiceAutoStart(name + '.socket', ssh)
+                        Framework::LinuxApp.stopService(name + '.service', ssh)
+                        Framework::LinuxApp.startService(name + '.socket', ssh)
+                    end
+                else
+                    # TODO
+                end
+                activeState['Status'] = State::STATUS_DEPLOYED
+            end
+
+            def cleanup(configs, state, context, options)
+                cleanupType(:Tunnel, configs, state, context, options) do |item, id, state, context, options, ssh|
+                    if item['UDP']
+                        name = "tunnelUDP-#{item['Port']}"
+                    else
+                        name = "tunnelTCP-#{item['Port']}"
+                    end
+                    Framework::LinuxApp.stopService(name + '.socket', ssh)
+                    Framework::LinuxApp.disableService(name + '.socket', ssh)
+                    rm("/etc/systemd/system/#{name}.service", options[:dry], ssh)
+                    rm("/etc/systemd/system/#{name}.socket", options[:dry], ssh)
+                    state.item(id)['Status'] = State::STATUS_DESTROYED
+                end
+            end
+
+        end
+    end
+end

data/Plugins/Apps/Tunnel/tunnelTCP.service

@@ -0,0 +1,9 @@
+
+[Unit]
+Description=Forward TCP $PORT to remote
+
+[Service]
+ExecStart=/usr/lib/systemd/systemd-socket-proxyd $REMOTE
+
+[Install]
+WantedBy=multi-user.target

data/Plugins/Apps/Tunnel/tunnelTCP.socket

@@ -0,0 +1,9 @@
+
+[Unit]
+Description=TCP tunnel listening on local port $PORT
+
+[Socket]
+ListenStream=$PORT
+
+[Install]
+WantedBy=sockets.target

data/Plugins/Apps/Tunnel/tunnelUDP.service

@@ -0,0 +1,9 @@
+
+[Unit]
+Description=Forward UDP $PORT to remote
+
+[Service]
+ExecStart=/usr/bin/socat UDP-RECVFROM:$PORT,reuseaddr,fork UDP-SENDTO:$REMOTE
+
+[Install]
+WantedBy=multi-user.target

data/Plugins/Apps/Tunnel/tunnelUDP.socket

@@ -0,0 +1,9 @@
+
+[Unit]
+Description=UDP tunnel listening on local port $PORT
+
+[Socket]
+ListenDatagram=$PORT
+
+[Install]
+WantedBy=sockets.target

data/Plugins/Apps/Valkey/Valkey.lmm.rb

@@ -24,6 +24,12 @@ module ConfigLMM
                             target['Settings']['dir'] = '/var/lib/redis/default/'
                         end
 
+                        if ENV[id + '-VALKEY_PASSWORD']
+                            target['Settings']['requirepass'] = ENV[id + '-VALKEY_PASSWORD']
+                        elsif ENV['VALKEY_PASSWORD']
+                            target['Settings']['requirepass'] = ENV['VALKEY_PASSWORD']
+                        end
+
                         if target['Settings']
                             target['Settings']['bind'] = '127.0.0.1' unless target['Settings']['bind']
                             updateRemoteFile(ssh, CONFIG_FILE, options, false) do |configLines|
@@ -33,6 +39,9 @@ module ConfigLMM
                                 configLines
                             end
                         end
+
+                        self.class.exec("chgrp redis #{CONFIG_FILE}", ssh)
+                        self.class.exec("chmod 640 #{CONFIG_FILE}", ssh)
                     end
                 else
                     if target['Settings']
@@ -44,10 +53,33 @@ module ConfigLMM
                             configLines
                         end
                     end
+                    self.class.exec("chgrp redis #{CONFIG_FILE}", ssh)
+                    self.class.exec("chmod 640 #{CONFIG_FILE}", nil)
                 end
 
                 self.ensureServiceAutoStart(serviceName, target['Location'])
                 self.startService(serviceName, target['Location'])
+
+                activeState['Status'] = State::STATUS_DEPLOYED
+            end
+
+            def cleanup(configs, state, context, options)
+                cleanupType(:Valkey, configs, state, context, options) do |item, id, state, context, options, ssh|
+                    serviceName = 'redis'
+                    distroId = self.class.distroID(ssh)
+                    serviceName = 'redis@redis' if distroId == SUSE_ID
+
+                    Framework::LinuxApp.stopService(serviceName, ssh, options[:dry])
+                    Framework::LinuxApp.removePackage(PACKAGE_NAME, ssh, options[:dry])
+
+                    state.item(id)['Status'] = State::STATUS_DELETED unless options[:dry]
+
+                    if options[:destroy]
+                        rm('/etc/redis', options[:dry], ssh)
+
+                        state.item(id)['Status'] = State::STATUS_DESTROYED unless options[:dry]
+                    end
+                end
             end
 
         end

data/Plugins/Apps/Vaultwarden/Vaultwarden.lmm.rb

@@ -8,6 +8,7 @@ module ConfigLMM
             NAME = 'Vaultwarden'
             USER = 'vaultwarden'
             HOME_DIR = '/var/lib/vaultwarden'
+            SERVICE_PORT = '18000'
 
             def actionVaultwardenBuild(id, target, state, context, options)
                 writeNginxConfig(__dir__, NAME, id, target, state, context, options)
@@ -46,6 +47,9 @@ module ConfigLMM
                             ssh.scp.upload!(__dir__ + '/Vaultwarden.container', path)
                             self.class.sshExec!(ssh, "systemctl --user --machine=#{USER}@ daemon-reload")
                             self.class.sshExec!(ssh, "systemctl --user --machine=#{USER}@ start Vaultwarden")
+                            if target['Proxy'] != 'only'
+                                Framework::LinuxApp.firewallAddPortOverSSH(SERVICE_PORT + '/tcp', ssh)
+                            end
                         end
                         if !target.key?('Proxy') || !!target['Proxy']
                             self.class.prepareNginxConfig(target, ssh)

data/Plugins/Apps/Wiki.js/Wiki.js.conf.erb

@@ -0,0 +1,42 @@
+
+server {
+
+    <% if !config['TLS'] %>
+        listen       <%= config['Port'] %>;
+        listen  [::]:<%= config['Port'] %>;
+    <% else %>
+        <% if config['NginxVersion'] >= 1.25 %>
+            listen <%= config['Port'] %> ssl;
+            listen [::]:<%= config['Port'] %> ssl;
+            http2 on;
+            http3 on;
+            quic_retry on;
+            add_header Alt-Svc 'h3=":<%= config['Port'] %>"; ma=86400';
+        <% else %>
+            listen <%= config['Port'] %> ssl http2;
+            listen [::]:<%= config['Port'] %> ssl http2;
+        <% end %>
+
+        include config-lmm/ssl.conf;
+    <% end %>
+
+    server_name <%= config['Domain'] %>;
+
+    access_log  /var/log/nginx/wikijs.access.log;
+    error_log   /var/log/nginx/wikijs.error.log;
+
+    include config-lmm/errors.conf;
+    include config-lmm/security.conf;
+
+    location / {
+        <% if config['Server'] %>
+            proxy_pass <%= config['Server'] %>;
+        <% else %>
+            proxy_pass http://127.0.0.1:13200;
+        <% end %>
+
+        include config-lmm/proxy.conf;
+    }
+
+}
+

data/Plugins/Apps/Wiki.js/Wiki.js.container

@@ -0,0 +1,15 @@
+
+[Unit]
+Description=Wiki.js container
+After=local-fs.target
+
+[Container]
+Image=docker.io/requarks/wiki:latest
+EnvironmentFile=/var/lib/wikijs/.config/containers/systemd/Wiki.js.env
+Network=slirp4netns:allow_host_loopback=true
+PublishPort=127.0.0.1:13200:3000
+UserNS=keep-id:uid=1000,gid=1000
+AutoUpdate=registry
+
+[Install]
+WantedBy=multi-user.target default.target

data/Plugins/Apps/Wiki.js/Wiki.js.lmm.rb

@@ -0,0 +1,61 @@
+
+module ConfigLMM
+    module LMM
+        class WikiJS < Framework::NginxApp
+
+            USER = 'wikijs'
+            HOME_DIR = '/var/lib/wikijs'
+            HOST_IP = '10.0.2.2'
+
+            def actionWikiJSDeploy(id, target, activeState, context, options)
+                raise Framework::PluginProcessError.new('Domain field must be set!') unless target['Domain']
+
+                target['Database'] ||= {}
+                if target['Location'] && target['Location'] != '@me'
+                    uri = Addressable::URI.parse(target['Location'])
+                    raise Framework::PluginProcessError.new("#{id}: Unknown Protocol: #{uri.scheme}!") if uri.scheme != 'ssh'
+
+                    self.class.sshStart(uri) do |ssh|
+
+                        dbPassword = self.configurePostgreSQL(target['Database'], ssh)
+                        distroInfo = Framework::LinuxApp.currentDistroInfo(ssh)
+                        Framework::LinuxApp.configurePodmanServiceOverSSH(USER, HOME_DIR, 'Wiki.js', distroInfo, ssh)
+
+                        path = Framework::LinuxApp::SYSTEMD_CONTAINERS_PATH.gsub('~', HOME_DIR)
+                        self.class.exec("echo 'DB_TYPE=postgres' > #{path}/Wiki.js.env", ssh)
+                        self.class.exec("echo 'DB_HOST=#{HOST_IP}' >> #{path}/Wiki.js.env", ssh)
+                        self.class.exec("echo 'DB_PORT=5432' >> #{path}/Wiki.js.env", ssh)
+                        self.class.exec("echo 'DB_USER=#{USER}' >> #{path}/Wiki.js.env", ssh)
+                        self.class.exec("echo 'DB_NAME=#{USER}' >> #{path}/Wiki.js.env", ssh)
+                        self.class.exec(" echo 'DB_PASS=#{dbPassword}' >> #{path}/Wiki.js.env", ssh)
+
+                        self.class.exec("chown #{USER}:#{USER} #{path}/Wiki.js.env", ssh)
+                        self.class.exec("chmod 600 #{path}/Wiki.js.env", ssh)
+
+                        ssh.scp.upload!(__dir__ + '/Wiki.js.container', path)
+                        self.class.exec("systemctl --user --machine=#{USER}@ daemon-reload", ssh)
+                        self.class.exec("systemctl --user --machine=#{USER}@ restart Wiki.js", ssh)
+
+                        Framework::LinuxApp.ensurePackages([NGINX_PACKAGE], ssh)
+                        Framework::LinuxApp.ensureServiceAutoStartOverSSH(NGINX_PACKAGE, ssh)
+                        self.class.prepareNginxConfig(target, ssh)
+                        self.writeNginxConfig(__dir__, 'Wiki.js', id, target, state, context, options)
+                        self.deployNginxConfig(id, target, activeState, context, options)
+                        Framework::LinuxApp.startServiceOverSSH(NGINX_PACKAGE, ssh)
+
+                    end
+                else
+                    # TODO
+                end
+            end
+
+            def configurePostgreSQL(settings, ssh)
+                password = SecureRandom.alphanumeric(20)
+                PostgreSQL.createRemoteUserAndDBOverSSH(settings, USER, password, ssh)
+                password
+            end
+
+        end
+    end
+end
+

data/Plugins/Apps/gollum/gollum.conf.erb

@@ -36,7 +36,10 @@ server {
     access_log  /var/log/nginx/gollum.access.log;
     error_log   /var/log/nginx/gollum.error.log;
 
-    include config-lmm/private.conf;
+    <% if config['AuthentikDomain'].nil? %>
+        include config-lmm/private.conf;
+    <% end %>
+
     include config-lmm/errors.conf;
 
     <% if config['CertName'] %>
@@ -62,7 +65,42 @@ server {
         location / {
             proxy_pass <%= config['Server'] %>;
 
+            <% if config['AuthentikDomain'] %>
+                error_page       401 = @authenticate;
+                include config-lmm/errors.conf;
+
+                auth_request     /outpost.goauthentik.io/auth/nginx;
+
+                # translate headers from the outposts back to the actual upstream
+                auth_request_set $authentik_username $upstream_http_x_authentik_username;
+                auth_request_set $authentik_groups $upstream_http_x_authentik_groups;
+                auth_request_set $authentik_email $upstream_http_x_authentik_email;
+                auth_request_set $authentik_name $upstream_http_x_authentik_name;
+                auth_request_set $authentik_uid $upstream_http_x_authentik_uid;
+
+                proxy_set_header REMOTE_USER $authentik_username;
+                proxy_set_header REMOTE_GROUPS $authentik_groups;
+                proxy_set_header REMOTE_EMAIL $authentik_email;
+                proxy_set_header REMOTE_NAME $authentik_name;
+                proxy_set_header REMOTE_UID $authentik_uid;
+            <% end %>
+
             include config-lmm/proxy.conf;
         }
     <% end %>
+
+    <% if config['AuthentikDomain'] %>
+        location /outpost.goauthentik.io {
+            proxy_pass              https://<%= config['AuthentikDomain'] %>/outpost.goauthentik.io;
+            proxy_ssl_protocols     TLSv1.2 TLSv1.3;
+            proxy_set_header        X-Original-URL $scheme://$http_host$request_uri;
+            proxy_pass_request_body off;
+            proxy_set_header        Content-Length "";
+        }
+
+        location @authenticate {
+            internal;
+            return 302 /outpost.goauthentik.io/start?rd=$request_uri;
+        }
+    <% end %>
 }

data/Plugins/Apps/gollum/gollum.container

@@ -3,10 +3,13 @@ Description=gollum container
 After=local-fs.target
 
 [Container]
-Image=gollumwiki/gollum:master
+Image=docker.io/gollumwiki/gollum:master
+Exec=--config=/config/config.rb
 PublishPort=0.0.0.0:14567:4567
 UserNS=keep-id:uid=1000,gid=1000
 Volume=/srv/gollum/repo:/wiki
+Volume=/srv/gollum/config:/config
+AutoUpdate=registry
 
 [Install]
 WantedBy=multi-user.target default.target

data/Plugins/Apps/gollum/gollum.lmm.rb

@@ -6,12 +6,12 @@ module ConfigLMM
             NAME = 'gollum'
             USER = 'gollum'
             GOLLUM_PATH = '/srv/gollum'
-            HOME_DIR = '/var/lib/authentik'
+            GOLLUM_PORT = '14567'
 
             def actionGollumBuild(id, target, activeState, context, options)
                 writeNginxConfig(__dir__, NAME, id, target, activeState, context, options)
                 targetDir = options['output'] + GOLLUM_PATH
-                mkdir(targetDir, options['dry'])
+                mkdir(targetDir + '/config', options['dry'])
                 copy(__dir__ + '/config.ru', targetDir, options['dry'])
                 `git init #{targetDir}/repo`
             end
@@ -36,12 +36,20 @@ module ConfigLMM
                         if !target.key?('Proxy') || target['Proxy'] != 'only'
                             distroInfo = Framework::LinuxApp.currentDistroInfo(ssh)
                             Framework::LinuxApp.configurePodmanServiceOverSSH(USER, GOLLUM_PATH, 'gollum', distroInfo, ssh)
+                            if target['Config']
+                                `cp #{target['Config']} #{options['output'] + GOLLUM_PATH}/config/config.rb`
+                            else
+                                `touch #{options['output'] + GOLLUM_PATH}/config/config.rb`
+                            end
                             self.class.uploadFolder(options['output'] + GOLLUM_PATH, '/srv', ssh)
                             path = Framework::LinuxApp::SYSTEMD_CONTAINERS_PATH.gsub('~', GOLLUM_PATH)
                             ssh.scp.upload!(__dir__ + '/gollum.container', path)
                             self.class.sshExec!(ssh, "chown -R #{USER}:#{USER} #{GOLLUM_PATH}")
                             self.class.sshExec!(ssh, "systemctl --user --machine=#{USER}@ daemon-reload")
-                            self.class.sshExec!(ssh, "systemctl --user --machine=#{USER}@ start gollum")
+                            self.class.sshExec!(ssh, "systemctl --user --machine=#{USER}@ restart gollum")
+                            if target['Proxy'] != 'only'
+                                Framework::LinuxApp.firewallAddPortOverSSH(GOLLUM_PORT + '/tcp', ssh)
+                            end
                         end
                     end
                 else

data/Plugins/OS/Linux/Debian/preseed.cfg.erb

@@ -0,0 +1,62 @@
+#_preseed_V1
+
+d-i debian-installer/locale string en_US
+d-i keyboard-configuration/xkb-keymap select us
+
+<% if config['Network'].is_a?(Hash) %>
+d-i netcfg/disable_autoconfig boolean true
+d-i netcfg/dhcp_failed note
+d-i netcfg/dhcp_options select Configure network manually
+
+d-i netcfg/get_ipaddress string <%= config['Network']['IP'].split('/').first %>
+d-i netcfg/get_netmask string <%= [((1 << 32) - 1) << (32 - config['Network']['IP'].split('/').last.to_i)].pack('N').bytes.join('.') %>
+d-i netcfg/get_gateway string <%= config['Network']['Gateway'] %>
+d-i netcfg/get_nameservers string <%= config['Network']['DNS'] %>
+d-i netcfg/confirm_static boolean true
+<% end %>
+
+d-i netcfg/get_hostname string <%= Addressable::IDNA.to_ascii(config['Domain']) %>
+
+d-i passwd/make-user boolean false
+
+<% if config['Users'].to_h['root'].to_h['PasswordHash'] %>
+d-i passwd/root-password-crypted password <%= config['Users']['root']['PasswordHash'] %>
+<% elsif config['Users'].to_h['root'].to_h['Password'] %>
+d-i passwd/root-password password <%= config['Users']['root']['Password'] %>
+<% end %>
+
+d-i time/zone string UTC
+
+d-i partman-auto/method string regular
+d-i partman-auto/choose_recipe select atomic
+d-i partman/choose_partition select finish
+d-i partman/confirm_nooverwrite boolean true
+
+d-i base-installer/install-recommends boolean false
+d-i apt-setup/cdrom/set-first boolean false
+d-i apt-setup/non-free-firmware boolean true
+d-i apt-setup/non-free boolean true
+d-i apt-setup/contrib boolean true
+d-i apt-setup/use_mirror boolean true
+d-i mirror/country string US
+d-i mirror/http/mirror select deb.debian.org
+d-i mirror/http/proxy string
+
+d-i pkgsel/run_tasksel boolean false
+
+<% if !config['Apps'].to_a.empty? %>
+d-i pkgsel/include string <%= config['Apps'].map(&:downcase).join(' ') %>
+<% end %>
+
+d-i pkgsel/upgrade select full-upgrade
+
+popularity-contest popularity-contest/participate boolean false
+
+d-i grub-installer/only_debian boolean true
+d-i grub-installer/bootdev  string default
+
+d-i finish-install/reboot_in_progress note
+
+<% if !config['Users'].to_h['root'].to_h['AuthorizedKeys'].empty? %>
+d-i preseed/late_command string in-target sh -c "echo '<%= config['Users']['root']['AuthorizedKeys'].first %>' > /root/.ssh/authorized_keys"
+<% end %>