ConfigLMM 0.3.0 → 0.5.0

data/Plugins/OS/Linux/Packages.yaml

@@ -6,21 +6,31 @@ Arch Linux:
     CyrusSASL: cyrus-sasl
     Dovecot: dovecot
     firewalld: firewalld
+    go: go
+    MariaDB: mariadb
     Nextcloud: nextcloud
     nginx: nginx
+    nodejs: nodejs
+    otelcol-contrib: AUR|otelcol-contrib
     PHP-FPM: php-fpm
     php-pecl: php-pecl
-    Podman: podman
+    pnpm: pnpm
+    Podman:
+        - podman
+        - fuse-overlayfs
     PostgreSQL: postgresql
     Postfix: postfix
     PowerDNS: powerdns
+    Roundcube: roundcubemail
+    socat: socat
     sshd: openssh
     Valkey: redis
     WireGuard: wireguard-tools
+    xorriso: libisoburn
     Yarn: yarn
 
 openSUSE Leap:
-    Cassandra: home:davispuh:branches:server:database|cassandra
+    Cassandra: server:database|cassandra
     CertBotNginx:
         - python3-certbot-nginx
         - certbot-systemd-timer
@@ -28,24 +38,78 @@ openSUSE Leap:
     CyrusSASL: cyrus-sasl-plain
     Dovecot: dovecot
     firewalld: firewalld
+    go: go
+    MariaDB: mariadb
     Nextcloud: server:php:applications|nextcloud
     nginx: nginx
+    nodejs: nodejs-default
+    otelcol-contrib: GitHub|open-telemetry/opentelemetry-collector-releases:otelcol-contrib_*_linux_amd64.rpm
     PHP-FPM:
         - php8-devel
         - php8-mbstring
         - php8-fpm
+        - php8-imagick
         - php8-redis
         - php8-pgsql
         - php8-mysql
     php-pecl: php8-pecl
+    pnpm: GitHub|pnpm/pnpm:pnpm-linux-x64
     Podman: podman
-    PostgreSQL: postgresql-server
+    PostgreSQL:
+        - postgresql-server
+        - postgresql-contrib
     Postfix: postfix
     PowerDNS:
+        - pdns
         - pdns-backend-geoip
         - pdns-backend-sqlite3
         - pdns-backend-postgresql
+    Roundcube: roundcubemail
+    socat: socat
     sshd: openssh
     Valkey: redis
     WireGuard: wireguard-tools
+    xorriso: xorriso
     Yarn: yarn
+
+Debian:
+    Cassandra: https://debian.cassandra.apache.org 41x main|cassandra
+    CertBotNginx:
+        - certbot
+        - python3-certbot-dns-rfc2136
+    CyrusSASL: libsasl2-modules
+    Dovecot:
+        - dovecot-imapd
+        - dovecot-lmtpd
+        - dovecot-submissiond
+    firewalld: firewalld
+    go: golang
+    MariaDB: mariadb-server
+    Nextcloud:
+    nginx: nginx
+    nodejs: nodejs
+    otelcol-contrib: GitHub|open-telemetry/opentelemetry-collector-releases:otelcol-contrib_*_linux_amd64.deb
+    PHP-FPM:
+        - php-mbstring
+        - php-fpm
+        - php-imagick
+        - php-redis
+        - php-pgsql
+        - php-mysql
+    php-pecl:
+    pnpm: GitHub|pnpm/pnpm:pnpm-linux-x64
+    Podman: podman
+    PostgreSQL: postgresql
+    Postfix: postfix-lmdb
+    PowerDNS:
+        - pdns-server
+        - pdns-backend-geoip
+        - pdns-backend-sqlite3
+        - pdns-backend-pgsql
+    Roundcube: roundcube-pgsql
+    socat: socat
+    sshd: openssh-server
+    Valkey: redis
+    WireGuard: wireguard
+    xorriso: xorriso
+    Yarn: yarnpkg

data/Plugins/OS/Linux/Proxmox/answer.toml.erb

@@ -0,0 +1,30 @@
+[global]
+keyboard = "en-us"
+country = "us"
+fqdn = "<%= Addressable::IDNA.to_ascii(config['Domain']) %>"
+mailto = "<%= config['EMail'] %>"
+timezone = "UTC"
+root_password = "<%= config['Users'].to_h['root'].to_h['Password'] %>"
+<% if !config['Users'].to_h['root'].to_h['AuthorizedKeys'].to_a.empty? %>
+root_ssh_keys = [
+  <% config['Users']['root']['AuthorizedKeys'].each do |entry| %>
+    "<%= entry %>"
+  <% end %>
+]
+<% end %>
+
+[network]
+<% if config['Network'].is_a?(Hash) %>
+source = "from-answer"
+cidr = "<%= config['Network']['IP'] %>"
+dns = "<%= config['Network']['DNS'] %>"
+gateway = "<%= config['Network']['Gateway'] %>"
+filter.IFINDEX = "2"
+<% else %>
+source = "from-dhcp"
+<% end %>
+
+[disk-setup]
+filesystem = "btrfs"
+btrfs.raid = "raid1"
+disk_list = ["vda"]

data/Plugins/OS/Linux/Services.yaml

@@ -0,0 +1,8 @@
+Arch Linux:
+    sshd: sshd
+
+openSUSE Leap:
+    sshd: sshd
+
+Debian:
+    sshd: ssh

data/Plugins/OS/Linux/Shell.rb

@@ -0,0 +1,70 @@
+# frozen_string_literal: true
+
+require 'fileutils'
+require 'open3'
+
+module ConfigLMM
+    module LMM
+        class LinuxShell
+
+            attr_reader :connection
+            attr_reader :user
+
+            def initialize(connection, user)
+                @connection = connection
+                @user = user
+            end
+
+            def distroID
+                @connection.distroID
+            end
+
+            def updateFile(*args, &block)
+                @connection.updateFile(*args, &block)
+            end
+
+            def exec(command, allowFailure = false, options = {})
+                cmd = "su --login #{@user.shellescape} --shell /usr/bin/sh --command #{command.shellescape}"
+                if options[:hide]
+                    cmd = ' ' + cmd
+                end
+                @connection.exec(cmd, allowFailure, options)
+            end
+
+            def rm(*args)
+                @connection.rm(*args)
+            end
+
+            def fileWrite(target, data, options = {})
+                hide = ''
+                hide = ' ' if options[:hide]
+                self.exec("#{hide}echo #{data.shellescape} > #{target}", false, options)
+            end
+
+            def fileAppend(target, data, options = {})
+                hide = ''
+                hide = ' ' if options[:hide]
+                self.exec("#{hide}echo #{data.shellescape} >> #{target}", false, options)
+            end
+
+            def fileMerge(target, file, options = {})
+                self.exec("cat #{file.shellescape} >> #{target}", false, options)
+            end
+
+            def fileReplace(target, placeholder, result, options = {})
+                hide = ''
+                hide = ' ' if options[:hide]
+                pattern = "s|#{placeholder}|#{result.gsub('\\', '\\\\\\').gsub('&', '\\\\&').gsub('|', '\\\\|')}|"
+                self.exec("#{hide}sed -i #{pattern.shellescape} #{target}", false, options)
+            end
+
+            def createDirs(options, *paths)
+                exec("mkdir -p #{paths.join(' ')}", false, options)
+            end
+
+            def self.escapeSingleQuotes(command)
+                command.gsub("'", "'\"'\"'")
+            end
+        end
+    end
+end

data/Plugins/OS/Linux/Syslinux/default

@@ -0,0 +1,8 @@
+
+default auto
+prompt   0
+timeout  1
+
+label auto
+  kernel linux
+  append initrd=initrd splash=silent $OPTIONS

data/Plugins/OS/Linux/WireGuard/WireGuard.lmm.rb

@@ -13,42 +13,64 @@ module ConfigLMM
 
             def actionWireGuardDeploy(id, target, activeState, context, options)
                 self.prepareConfig(target)
-                if target['Location'] && target['Location'] != '@me'
-                    uri = Addressable::URI.parse(target['Location'])
-                    raise Framework::PluginProcessError.new("#{id}: Unknown Protocol: #{uri.scheme}!") if uri.scheme != 'ssh'
-                    self.class.sshStart(uri) do |ssh|
-                        sharedKey = self.class.sshExec!(ssh, "firewall-cmd -q --permanent --add-port='#{PORT}'/udp")
-                        sharedKey = self.class.sshExec!(ssh, "firewall-cmd -q --permanent --zone=trusted --add-source=#{SUBNET}")
-                        sharedKey = self.class.sshExec!(ssh, "firewall-cmd -q --permanent --direct --add-rule ipv4 nat POSTROUTING 0 -s #{SUBNET} ! -d #{SUBNET} -j MASQUERADE")
+                self.withConnection(target['Location'], target) do |connection|
+                    Linux.withConnection(connection) do |linuxConnection|
+                        linuxConnection.firewallAddPort("#{PORT}/udp", options)
+                        linuxConnection.exec("firewall-cmd -q --permanent --zone=trusted --add-source=#{SUBNET}", options)
+                        linuxConnection.exec("firewall-cmd -q --zone=trusted --add-source=#{SUBNET}", options)
+                        linuxConnection.exec("firewall-cmd -q --permanent --direct --add-rule ipv4 nat POSTROUTING 0 -s #{SUBNET} ! -d #{SUBNET} -j MASQUERADE", options)
+                        linuxConnection.exec("firewall-cmd -q --direct --add-rule ipv4 nat POSTROUTING 0 -s #{SUBNET} ! -d #{SUBNET} -j MASQUERADE", options)
 
-                        self.class.ensurePackages([WIREGUARD_PACKAGE], ssh)
-                        self.class.ensureServiceAutoStartOverSSH(SERVICE_NAME, ssh)
+                        linuxConnection.ensurePackage(WIREGUARD_PACKAGE, options)
+                        linuxConnection.ensureServiceAutoStart(SERVICE_NAME, options)
 
                         dir = options['output'] + '/' + id + '/etc/wireguard/'
                         mkdir(dir, false)
                         template = ERB.new(File.read(__dir__ + '/wg0.conf.erb'))
 
-                        if self.class.remoteFilePresent?(CONFIG_FILE, ssh)
+                        target = target.dup
+                        target['PrivateKey'] = context.secrets.load(target['SecretId'], 'PRIVATEKEY')
+                        if target['PrivateKey'].nil?
+                            target['PrivateKey'] = genkey(connection, options)
+                            if !options['dry']
+                                context.secrets.store(target['SecretId'], 'PRIVATEKEY', target['PrivateKey'])
+                                context.secrets.print("Private Key", target['PrivateKey'])
+                            end
+                        end
+
+                        if connection.filePresent?(CONFIG_FILE, { **options, 'dry' => false })
                             # TODO Implement adding and removing peers
                         else
-                            if !target['PrivateKey']
-                                target['PrivateKey'] = ENV['WIREGUARD_PRIVATEKEY_' + id]
-                                if !target['PrivateKey']
-                                    target['PrivateKey'] = genkeyOverSSH(ssh)
-                                end
-                            end
-                            publicKey = pubkeyOverSSH(target['PrivateKey'], ssh)
-                            self.class.sshExec!(ssh, "echo '#{publicKey}' > /etc/wireguard/pubkey")
+                            publicKey = pubkey(target['PrivateKey'], connection, options)
+                            context.secrets.store(target['SecretId'], 'PUBLICKEY', publicKey) unless options['dry']
+                            connection.exec("echo '#{publicKey}' > /etc/wireguard/pubkey", false, options)
+
                             target['Peers'].each do |name, data|
-                                if !data['PublicKey']
-                                    data['PrivateKey'] = genkeyOverSSH(ssh)
-                                    data['PublicKey'] = pubkeyOverSSH(data['PrivateKey'], ssh)
-                                end
-                                if !data['PresharedKey']
-                                    data['PresharedKey'] = ENV['WIREGUARD_PRESHAREDKEY_' + id + '_' + name]
-                                    if !data['PresharedKey']
-                                        data['PresharedKey'] = genpskOverSSH(ssh)
+                                if data['SecretId']
+                                    data['PublicKey'] = context.secrets.load(data['SecretId'], 'PUBLICKEY')
+                                    data['PrivateKey'] = context.secrets.load(data['SecretId'], 'PRIVATEKEY')
+                                    if data['PublicKey'].nil?
+                                        data['PrivateKey'] = genkey(connection, options)
+                                        data['PublicKey'] = pubkey(data['PrivateKey'], connection, options)
+                                        if !options['dry']
+                                            context.secrets.store(data['SecretId'], 'PRIVATEKEY', data['PrivateKey'])
+                                            context.secrets.store(data['SecretId'], 'PUBLICKEY', data['PublicKey'])
+                                        end
+                                    end
+                                    sharedSecretId = "#{target['SecretId'].upcase}_#{data['SecretId'].upcase}"
+                                    data['PresharedKey'] = context.secrets.load(sharedSecretId, 'PRESHAREDKEY')
+                                    if data['PresharedKey'].nil?
+                                        sharedSecretId2 = "#{data['SecretId'].upcase}_#{target['SecretId'].upcase}"
+                                        data['PresharedKey'] = context.secrets.load(sharedSecretId2, 'PRESHAREDKEY')
+                                        if data['PresharedKey'].nil?
+                                            data['PresharedKey'] = genpsk(connection, options)
+                                            context.secrets.store(sharedSecretId, 'PRESHAREDKEY', data['PresharedKey']) unless options['dry']
+                                        end
                                     end
+                                else
+                                    data['PrivateKey'] = genkey(connection, options)
+                                    data['PublicKey'] = pubkey(data['PrivateKey'], connection, options)
+                                    data['PresharedKey'] = genpsk(connection, options)
                                 end
                             end
 
@@ -65,7 +87,7 @@ module ConfigLMM
                                         psk = otherData[pskIdB]
                                     else
                                         pskIdA = 'PresharedKey_' + name + '_' + otherName
-                                        data[pskIdA] = genpskOverSSH(ssh)
+                                        data[pskIdA] = genpsk(connection, options)
                                         psk = data[pskIdA]
                                     end
                                     templateData['Peers'][otherName] = { 'PublicKey' => otherData['PublicKey'], 'PresharedKey' => psk }
@@ -75,33 +97,64 @@ module ConfigLMM
                             end
 
                             renderTemplate(template, target, dir + 'wg0.conf', options)
-                            ssh.scp.upload!(dir + 'wg0.conf', CONFIG_FILE)
+                            connection.upload(dir + 'wg0.conf', CONFIG_FILE, options)
                         end
 
+                        linuxConnection.restartService(SERVICE_NAME, options)
                     end
-                else
-                    # TODO
                 end
-                self.startService(SERVICE_NAME, target['Location'])
             end
 
-            def genkeyOverSSH(ssh)
-              self.class.sshExec!(ssh, 'wg genkey')
+            def cleanup(configs, state, context, options)
+                cleanupType(:WireGuard, configs, state, context, options) do |item, id, state, context, options, connection|
+                    Linux.withConnection(connection) do |linuxConnection|
+                        linuxConnection.stopService(SERVICE_NAME, options[:dry])
+                        linuxConnection.disableService(SERVICE_NAME, options[:dry])
+                        linuxConnection.removePackage(WIREGUARD_PACKAGE, options[:dry])
+
+                        linuxConnection.firewallRemovePort("#{PORT}/udp", options)
+                        linuxConnection.exec("firewall-cmd -q --permanent --zone=trusted --remove-source=#{SUBNET}", false, options[:dry])
+                        linuxConnection.exec("firewall-cmd -q --zone=trusted --remove-source=#{SUBNET}", false, options[:dry])
+                        linuxConnection.exec("firewall-cmd -q --permanent --direct --remove-rule ipv4 nat POSTROUTING 0 -s #{SUBNET} ! -d #{SUBNET} -j MASQUERADE", false, options[:dry])
+                        linuxConnection.exec("firewall-cmd -q --direct --remove-rule ipv4 nat POSTROUTING 0 -s #{SUBNET} ! -d #{SUBNET} -j MASQUERADE", false, options[:dry])
+                    end
+
+                    state.item(id)['Status'] = State::STATUS_DELETED unless options[:dry]
+
+                    if options[:destroy]
+                        connection.rm('/etc/wireguard', options[:dry])
+
+                        state.item(id)['Status'] = State::STATUS_DESTROYED unless options[:dry]
+                    end
+                end
+            end
+
+            def genkey(connection, options)
+                key = connection.exec('wg genkey', false, options).strip
+                if options['dry']
+                    key = connection.exec('wg genkey', false, { **options, 'dry' => false }).strip
+                end
+                key
             end
 
-            def genpskOverSSH(ssh)
-              self.class.sshExec!(ssh, 'wg genpsk')
+            def genpsk(connection, options)
+                key = connection.exec('wg genpsk', false, options).strip
+                if options['dry']
+                    key = connection.exec('wg genpsk', false, { **options, 'dry' => false }).strip
+                end
+                key
             end
 
-            def pubkeyOverSSH(privateKey, ssh)
-              self.class.sshExec!(ssh, " echo '#{privateKey}' | wg pubkey")
+            def pubkey(privateKey, connection, options)
+                key = connection.exec(" echo '#{privateKey}' | wg pubkey", false, { **options, hide: true }).strip
+                if options['dry']
+                    key = connection.exec(" echo '#{privateKey}' | wg pubkey", false, { **options, 'dry' => false, hide: true }).strip
+                end
+                key
             end
 
             def prepareConfig(target)
                 target['Address'] = '172.20.0.1' unless target['Address']
-                target['Peers'].each do |name, data|
-                    data['AllowedIPs'] = SUBNET unless data['AllowedIPs']
-                end
             end
         end
     end

data/Plugins/OS/Linux/WireGuard/wg0.conf.erb

@@ -12,4 +12,7 @@ AllowedIPs = <%= peer['AllowedIPs'] %>
 <% if peer['Endpoint'] %>
 Endpoint = <%= peer['Endpoint'] %>:51820
 <% end %>
+<% if peer['PersistentKeepalive'] %>
+PersistentKeepalive = <%= peer['PersistentKeepalive'] %>
+<% end %>
 <% end %>

data/Plugins/OS/Linux/openSUSE/autoinst.xml.erb

@@ -31,9 +31,35 @@
     <dns t="map">
       <hostname><%= config['HostName'] %></hostname>
       <% if config['Domain'] %>
-        <domain><%= config['Domain'] %></domain>
+        <domain><%= Addressable::IDNA.to_ascii(config['Domain']) %></domain>
+      <% end %>
+      <% if config['DefaultNetwork']['DNS'] %>
+        <nameservers config:type="list">
+          <nameserver><%= config['DefaultNetwork']['DNS'] %></nameserver>
+        </nameservers>
       <% end %>
     </dns>
+    <% if config['DefaultNetwork']['IP'] %>
+      <interfaces config:type="list">
+        <interface>
+          <bootproto><%= config['DefaultNetwork']['IP'] == 'dhcp' ? 'dhcp' : 'static' %></bootproto>
+          <name>eth0</name>
+          <% if config['DefaultNetwork']['IP'] != 'dhcp' %><ipaddr><%= config['DefaultNetwork']['IP'] %></ipaddr><% end %>
+          <startmode>auto</startmode>
+        </interface>
+      </interfaces>
+    <% end %>
+    <% if config['DefaultNetwork']['Gateway'] %>
+      <routing>
+        <routes config:type="list">
+          <route>
+            <destination>default</destination>
+            <device>eth0</device>
+            <gateway><%= config['DefaultNetwork']['Gateway'] %></gateway>
+          </route>
+        </routes>
+      </routing>
+    <% end %>
   </networking>
   <software t="map">
     <% if !config['Apps'].to_a.empty? %>
@@ -49,7 +75,7 @@
       <% if !config['Services'].to_a.empty? %>
         <enable t="list">
           <% config['Services'].each do |service| %>
-            <service><%= service %></service>
+            <service><%= service.to_s %></service>
           <% end %>
         </enable>
       <% end %>
@@ -62,7 +88,7 @@
     <users config:type="list">
       <% config['Users'].each do |user, info| %>
         <user>
-          <username>root</username>
+          <username><%= user %></username>
           <% if info['PasswordHash'] %>
             <encrypted config:type="boolean">true</encrypted>
             <user_password><%= info['PasswordHash'] %></user_password>

data/Plugins/OS/Linux/systemd/systemd.lmm.rb

@@ -7,20 +7,22 @@ module ConfigLMM
             USER_SERVICE_DIR = '/etc/systemd/system/user@.service.d/'
 
             def actionSystemdDeploy(id, target, activeState, context, options)
-                if target['Location'] && target['Location'] != '@me'
-                    if target['UserCgroups']
-                        uri = Addressable::URI.parse(target['Location'])
-                        raise Framework::PluginProcessError.new("#{id}: Unknown Protocol: #{uri.scheme}!") if uri.scheme != 'ssh'
-                        self.class.sshStart(uri) do |ssh|
-                            self.class.sshExec!(ssh, "mkdir -p #{USER_SERVICE_DIR}")
-                            ssh.scp.upload!(__dir__ + '/user-0.slice', SYSTEMD_CONFIG_PATH)
-                            ssh.scp.upload!(__dir__ + '/user@.service.d/delegate.conf', USER_SERVICE_DIR)
+                self.withConnection(target['Location'], target) do |connection|
+                    Linux.withConnection(connection) do |linuxConnection|
+                        if target['UserCgroups']
+                            linuxConnection.createDirs(options, USER_SERVICE_DIR)
+                            linuxConnection.upload(__dir__ + '/user-0.slice', SYSTEMD_CONFIG_PATH, options)
+                            linuxConnection.upload(__dir__ + '/user@.service.d/delegate.conf', USER_SERVICE_DIR, options)
+                        end
+                        if target['InstallServices']
+                            target['InstallServices'].each do |file, data|
+                                linuxConnection.upload(file, SYSTEMD_CONFIG_PATH, options)
+                                linuxConnection.reloadServiceManager(options)
+                                linuxConnection.ensureServiceAutoStart(File.basename(file), options)
+                            end
                         end
                     end
-                else
-                    # TODO
                 end
-
             end
 
         end

data/Plugins/OS/Routers/Aruba/ArubaInstant.lmm.rb

@@ -46,7 +46,7 @@ module ConfigLMM
                     end
 
                     creds = parseLocation(target['Location'])
-                    password = ENV['ARUBA_INSTANT_PASSWORD']
+                    password = context.secrets.load(target['SecretId'], 'PASSWORD')
 
                     # Couldn't get it working with net-ssh gem so using `ssh` as workaround
                     # Net::SSH.start(creds[:hostname], creds[:user], password: password, port: creds[:port]) do |ssh|
@@ -128,14 +128,15 @@ module ConfigLMM
             end
 
             def authenticate(actionMethod, target, activeState, context, options)
-                if ENV['ARUBA_INSTANT_PASSWORD'].to_s.empty? || ENV['ARUBA_INSTANT_PASSWORD'].to_s.empty?
-                    prompt.error('Set your Aruba Instant SSH password to ARUBA_INSTANT_PASSWORD as Environment Variable')
-                    raise Framework::PluginPrerequisite.new('Need ARUBA_INSTANT_PASSWORD')
+                authSecret = context.secrets.load(target['SecretId'], 'PASSWORD')
+                if authSecret.to_s.empty?
+                    prompt.error("Set your Aruba Instant SSH password in #{target['SecretId']}_PASSWORD")
+                    raise Framework::PluginPrerequisite.new('Need Aruba Instant password!')
                 else
                     if !target['Location']
                         raise Framework::PluginProcessError.new('Location must be provided!')
                     end
-                    checkSSHAuth!(target['Location'], ENV['ARUBA_INSTANT_PASSWORD'])
+                    checkSSHAuth!(target['Location'], authSecret)
                 end
                 true
             end