ConfigLMM 0.3.0 → 0.5.0

data/Plugins/Apps/MariaDB/MariaDB.lmm.rb

@@ -0,0 +1,122 @@
+require_relative '../../OS/Linux/Linux.lmm.rb'
+require_relative 'Connection'
+
+module ConfigLMM
+    module LMM
+        class MariaDB < Framework::LinuxApp
+            PACKAGE_NAME = 'MariaDB'
+            SERVICE_NAME = :mariadb
+            USER_NAME = 'mariadb'
+
+            def actionMariaDBDeploy(id, target, activeState, context, options)
+                self.withConnection(target['Location'], target) do |connection|
+                    Linux.withConnection(connection) do |linuxConnection|
+                        linuxConnection.ensurePackage(PACKAGE_NAME, options)
+                        linuxConnection.ensureServiceAutoStart(SERVICE_NAME, options)
+                        linuxConnection.startService(SERVICE_NAME, options)
+
+                        self.class.secureInstallation(connection)
+                        linuxConnection.exec("sed -i 's|^log-error |#log-error |' /etc/my.cnf", false, options)
+                        if target['Listen']
+                            linuxConnection.exec("sed -i 's|bind-address .*|bind-address = #{target['Listen']}|' /etc/my.cnf", false, options)
+                            linuxConnection.restartService(SERVICE_NAME, options)
+                        end
+                    end
+                end
+            end
+
+            def cleanup(configs, state, context, options)
+                cleanupType(:MariaDB, configs, state, context, options) do |item, id, state, context, options, connection|
+                    Linux.withConnection(connection) do |linuxConnection|
+                        linuxConnection.stopService(SERVICE_NAME, options)
+                        linuxConnection.disableService(SERVICE_NAME, options)
+                        linuxConnection.removePackage(PACKAGE_NAME, options)
+                    end
+                    state.item(id)['Status'] = State::STATUS_DELETED unless options[:dry]
+                end
+            end
+
+            def self.secureInstallation(connection)
+                status = {}
+                output = ''
+                # TODO: FIXME to work with non-ssh connection aswell
+                channel = connection.tunnel.ssh.exec("mariadb-secure-installation", status: status) do |channel, stream, data|
+                    output += data
+                    channel.send_data("\n")  # Empty root password
+                    channel.send_data("Y\n") # unix_socket authentication
+                    channel.send_data("N\n") # change the root password
+                    channel.send_data("Y\n") # remove anonymous users
+                    channel.send_data("Y\n") # disallow root login remotely
+                    channel.send_data("Y\n") # remove test database
+                    channel.send_data("Y\n") # reload privileges
+                end
+                channel.wait
+                if !status[:exit_code].zero?
+                    $stderr.puts(output)
+                    raise Framework::PluginProcessError.new("mariadb-secure-installation failed!")
+                end
+            end
+
+            # DEPRECATED
+            def self.createRemoteUserAndDB(settings, user, password, ssh = nil)
+                self.executeRemotely(settings, ssh) do |connection|
+                    host = 'localhost'
+                    host = '%' if settings['HostName'] != 'localhost'
+                    self.createUserAndDB(user, password, host, connection)
+                end
+            end
+
+            def self.withConnection(settings, linuxConnection)
+                if settings['HostName'].nil? || settings['HostName'] == 'localhost'
+                    settings['HostName'] = 'localhost'
+                    yield(MariaDBConnection.new(linuxConnection, settings))
+                else
+                    IO::Connection.tunnel("ssh://#{settings['HostName']}/", {}, {}, linuxConnection.prompt, linuxConnection.logger) do |connection|
+                        yield(MariaDBConnection.new(connection, settings))
+                    end
+                end
+            end
+
+            # DEPRECATED
+            def self.executeRemotely(settings, connectionOrSSH = nil)
+                prompt = TTY::Prompt.new
+                logger = TTY::Logger.new
+                settings['HostName'] = 'localhost' unless settings['HostName']
+                if settings['HostName'] == 'localhost'
+                    connection = connectionOrSSH
+                    if connectionOrSSH.nil?
+                        connection = IO::Connection.new(:Local, IO::Local.new(prompt, logger), prompt, logger)
+                    elsif !connectionOrSSH.is_a?(IO::Connection)
+                        connection = IO::Connection.new(:SSH, SSH.new(prompt, logger, connectionOrSSH), prompt, logger)
+                    end
+                    yield(connection)
+                else
+                    self.sshStart("ssh://#{settings['HostName']}/") do |ssh|
+                        yield(IO::Connection.new(:SSH, SSH.new(prompt, logger, ssh), prompt, logger))
+                    end
+                end
+            end
+
+            # DEPRECATED
+            def self.createUserAndDB(user, password, host, connectionOrSSH = nil)
+                self.executeSQL("CREATE USER '#{user}'@'#{host}'", nil, connectionOrSSH, true)
+                self.executeSQL("ALTER USER '#{user}'@'#{host}' IDENTIFIED BY '#{password}'", nil, connectionOrSSH)
+                self.executeSQL("CREATE DATABASE #{user}", nil, connectionOrSSH, true)
+                self.executeSQL("GRANT ALL PRIVILEGES ON #{user}.* TO '#{user}'@'#{host}'", nil, connectionOrSSH)
+            end
+
+            # DEPRECATED
+            def self.executeSQL(sql, db = nil, connectionOrSSH = nil, allowFailure = false, dry = false)
+                db = '' unless db
+                cmd = " mariadb #{db} --execute=\"#{sql.gsub('"', '\\"')};\""
+                if connectionOrSSH.is_a?(IO::Connection)
+                    connectionOrSSH.exec(cmd, allowFailure, dry)
+                else
+                    self.exec(cmd, connectionOrSSH, allowFailure, dry)
+                end
+            end
+
+        end
+
+    end
+end

data/Plugins/Apps/Mastodon/Mastodon-Sidekiq.container

@@ -0,0 +1,22 @@
+
+[Unit]
+Description=Mastodon Sidekiq container
+After=local-fs.target
+
+[Container]
+ContainerName=Mastodon-Sidekiq
+Image=ghcr.io/mastodon/mastodon:latest
+Exec=bundle exec sidekiq
+EnvironmentFile=/var/lib/mastodon/.config/containers/systemd/Mastodon.env
+Network=slirp4netns:allow_host_loopback=true
+UserNS=keep-id:uid=991,gid=991
+Volume=/var/lib/mastodon/system:/mastodon/public/system
+LogDriver=journald
+AutoUpdate=registry
+
+[Service]
+TimeoutStartSec=6min
+Restart=on-failure
+
+[Install]
+WantedBy=multi-user.target default.target

data/Plugins/Apps/Mastodon/Mastodon-Streaming.container

@@ -0,0 +1,20 @@
+
+[Unit]
+Description=Mastodon Streaming container
+After=local-fs.target
+
+[Container]
+ContainerName=Mastodon-Streaming
+Image=ghcr.io/mastodon/mastodon-streaming:latest
+EnvironmentFile=/var/lib/mastodon/.config/containers/systemd/Mastodon.env
+Network=slirp4netns:allow_host_loopback=true
+PublishPort=127.0.0.1:14000:4000
+LogDriver=journald
+AutoUpdate=registry
+
+[Service]
+TimeoutStartSec=6min
+Restart=on-failure
+
+[Install]
+WantedBy=multi-user.target default.target

data/Plugins/Apps/Mastodon/Mastodon.conf.erb

@@ -1,6 +1,6 @@
 
 upstream mastodon {
-    server unix:///run/mastodon.sock fail_timeout=0;
+    server <%= config['Server'] %>:13600 fail_timeout=0;
 }
 
 upstream mastodon-streaming {
@@ -8,70 +8,59 @@ upstream mastodon-streaming {
     # to ensure load is distributed evenly.
     least_conn;
 
-    server 127.0.0.1:4000 fail_timeout=0;
+    server <%= config['Server'] %>:14000 fail_timeout=0;
     # Uncomment these lines for load-balancing multiple instances of streaming for scaling,
-    # this assumes your running the streaming server on ports 4000, 4001, and 4002:
-    # server 127.0.0.1:4001 fail_timeout=0;
-    # server 127.0.0.1:4002 fail_timeout=0;
+    # this assumes your running the streaming server on ports 14000, 14001, and 14002:
+    # server <%= config['Server'] %>:14001 fail_timeout=0;
+    # server <%= config['Server'] %>:14002 fail_timeout=0;
 }
 
-# proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=CACHE:10m inactive=7d max_size=1g;
-
 server {
-    <% if !config['TLS'] %>
-        listen       <%= config['Port'] %>;
-        listen  [::]:<%= config['Port'] %>;
-    <% else %>
-        listen       <%= config['Port'] %> ssl;
-        listen  [::]:<%= config['Port'] %> ssl;
+
+    <% if config['NginxVersion'] >= 1.25 %>
+        <% if !config['TLS'] %>
+            listen       <%= config['Port'] %>;
+            listen  [::]:<%= config['Port'] %>;
+        <% else %>
+            listen       <%= config['Port'] %> ssl;
+            listen  [::]:<%= config['Port'] %> ssl;
+
+            include config-lmm/ssl.conf;
+        <% end %>
         http2 on;
-        include config-lmm/ssl.conf;
+        http3 on;
+        quic_retry on;
+        add_header Alt-Svc 'h3=":443"; ma=86400';
+    <% else %>
+        <% if !config['TLS'] %>
+            listen       <%= config['Port'] %>;
+            listen  [::]:<%= config['Port'] %>;
+        <% else %>
+            listen       <%= config['Port'] %> ssl http2;
+            listen  [::]:<%= config['Port'] %> ssl http2;
+
+            include config-lmm/ssl.conf;
+        <% end %>
     <% end %>
 
     server_name <%= config['Domain'] %>;
 
-    access_log  /var/log/nginx/mastodon.access.log;
-    error_log   /var/log/nginx/mastodon.error.log;
+    <% if config['CertName'] %>
+        ssl_certificate "/etc/letsencrypt/live/<%= config['CertName'] %>/fullchain.pem";
+        ssl_certificate_key "/etc/letsencrypt/live/<%= config['CertName'] %>/privkey.pem";
+        ssl_trusted_certificate "/etc/letsencrypt/live/<%= config['CertName'] %>/chain.pem";
+    <% end %>
 
     client_max_body_size 99M;
 
     include config-lmm/errors.conf;
 
-    # proxy_redirect off;
-    # proxy_cache CACHE;
-    # proxy_cache_valid 200 7d;
-    # proxy_cache_valid 410 24h;
-    # proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
-    # add_header X-Cached $upstream_cache_status;
-
-    root /var/lib/mastodon/public;
-
     location / {
-        try_files $uri @mastodon;
-    }
-
-    location @mastodon {
         proxy_pass http://mastodon;
         include config-lmm/proxy.conf;
     }
 
-    location ~ ^/assets|avatars|emoji|headers|packs|shortcuts|sounds/ {
-
-        add_header Cache-Control "public, max-age=2419200, must-revalidate";
-        add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
-        try_files $uri =404;
-    }
-
-    location ~ ^/system/ {
-        add_header Cache-Control "public, max-age=2419200, immutable";
-        add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
-        #add_header X-Content-Type-Options nosniff;
-        add_header Content-Security-Policy "default-src 'none'; form-action 'none'";
-        try_files $uri =404;
-    }
-
     location ^~ /api/v1/streaming {
-
         proxy_buffering off;
         proxy_cache off;
         proxy_pass http://mastodon-streaming;

data/Plugins/Apps/Mastodon/Mastodon.container

@@ -0,0 +1,28 @@
+
+[Unit]
+Description=Mastodon container
+After=local-fs.target
+
+[Container]
+ContainerName=Mastodon
+Image=ghcr.io/mastodon/mastodon:latest
+# Need newer Podman
+# Entrypoint=/entrypoint.sh
+PodmanArgs=--entrypoint /entrypoint.sh
+Exec=server
+EnvironmentFile=/var/lib/mastodon/.config/containers/systemd/Mastodon.env
+Network=slirp4netns:allow_host_loopback=true
+PublishPort=127.0.0.1:13600:3000
+UserNS=keep-id:uid=991,gid=991
+Volume=/var/lib/mastodon/system:/mastodon/public/system
+Volume=/var/lib/mastodon/.configlmm/entrypoint.sh:/entrypoint.sh
+Volume=/var/lib/mastodon/.configlmm/configlmm.rake:/mastodon/lib/tasks/configlmm.rake
+LogDriver=journald
+AutoUpdate=registry
+
+[Service]
+TimeoutStartSec=6min
+Restart=on-failure
+
+[Install]
+WantedBy=multi-user.target default.target

data/Plugins/Apps/Mastodon/Mastodon.lmm.rb

@@ -1,10 +1,22 @@
 
+require 'base64'
+require 'openssl'
+require 'public_suffix'
+
 module ConfigLMM
     module LMM
-        class Mastodon < Framework::NginxApp
+        class Mastodon < Framework::Plugin
+
+            NAME = 'Mastodon'
+            USER = 'mastodon'
+            HOME_DIR = '/var/lib/mastodon'
+            PORT = '13600'
+            STREAMING_PORT = '14000'
 
             def actionMastodonBuild(id, target, state, context, options)
-                writeNginxConfig(__dir__, 'Mastodon', id, target, state, context, options)
+                Nginx.withConnection(local) do |nginxConnection|
+                    nginxConnection.writeConfig(__dir__, NAME, target, state, context, options)
+                end
             end
 
             def actionMastodonDiff(id, target, activeState, context, options)
@@ -12,9 +24,232 @@ module ConfigLMM
             end
 
             def actionMastodonDeploy(id, target, activeState, context, options)
-                if !target['Location'] || target['Location'] == '@me'
-                    deployNginxConfig(id, target, activeState, context, options)
-                    activeState['Location'] = '@me'
+                raise Framework::PluginProcessError.new('Domain field must be set!') unless target['Domain']
+
+                self.withConnection(target['Location'], target) do |connection|
+                    Linux.withConnection(connection) do |linuxConnection|
+                        if !target.key?('Proxy') || target['Proxy'] == false
+                            deployService(linuxConnection, target, activeState, context, options)
+                        end
+
+                        deployNginxConfig(linuxConnection, target, activeState, context, options)
+                    end
+                end
+            end
+
+            def deployService(linuxConnection, target, activeState, context, options)
+                target['Database'] ||= {}
+                dbPassword = self.configurePostgreSQL(target['Database'], linuxConnection, options)
+
+                Podman.ensurePresent(linuxConnection, options)
+                Podman.createUser(USER, HOME_DIR, 'Mastodon', linuxConnection, options)
+                linuxConnection.withUserShell(USER) do |shell|
+                    shell.createDirs(options, '~/system', '~/.configlmm')
+                end
+
+                path = Podman.containersPath(HOME_DIR)
+
+                localDomain = PublicSuffix.domain(target['Domain'])
+                raise Framework::PluginProcessError.new('Invalid Domain!') unless localDomain
+
+                localDomain = target['LocalDomain'] if target['LocalDomain']
+                linuxConnection.fileWrite("#{path}/Mastodon.env", "LOCAL_DOMAIN=#{Addressable::IDNA.to_ascii(localDomain)}", options)
+
+                webDomain = nil
+                if localDomain != target['Domain']
+                    webDomain = target['Domain']
+                end
+                linuxConnection.fileAppend("#{path}/Mastodon.env", "WEB_DOMAIN=#{Addressable::IDNA.to_ascii(webDomain)}", options) if webDomain
+
+                secretKeyBase = context.secrets.load(target['SecretId'], 'SECRET_KEY_BASE')
+                if !secretKeyBase
+                    secretKeyBase = SecureRandom.hex(64)
+                    context.secrets.store(target['SecretId'], 'SECRET_KEY_BASE', secretKeyBase) unless options['dry']
+                end
+                linuxConnection.fileAppend("#{path}/Mastodon.env", "SECRET_KEY_BASE=#{secretKeyBase}", { **options, hide: true })
+
+                otpSecret = context.secrets.load(target['SecretId'], 'OTP_SECRET')
+                if !otpSecret
+                    otpSecret = SecureRandom.hex(64)
+                    context.secrets.store(target['SecretId'], 'OTP_SECRET', otpSecret) unless options['dry']
+                end
+                linuxConnection.fileAppend("#{path}/Mastodon.env", "OTP_SECRET=#{otpSecret}", { **options, hide: true })
+
+                deterministicKey = context.secrets.load(target['SecretId'], 'ENCRYPTION_DETERMINISTIC_KEY')
+                if !deterministicKey
+                    deterministicKey = SecureRandom.alphanumeric(32)
+                    context.secrets.store(target['SecretId'], 'ENCRYPTION_DETERMINISTIC_KEY', deterministicKey) unless options['dry']
+                end
+
+                keySalt = context.secrets.load(target['SecretId'], 'KEY_DERIVATION_SALT')
+                if !keySalt
+                    keySalt = SecureRandom.alphanumeric(32)
+                    context.secrets.store(target['SecretId'], 'KEY_DERIVATION_SALT', keySalt) unless options['dry']
+                end
+
+                primaryKey = context.secrets.load(target['SecretId'], 'ENCRYPTION_PRIMARY_KEY')
+                if !primaryKey
+                    primaryKey = SecureRandom.alphanumeric(32)
+                    context.secrets.store(target['SecretId'], 'ENCRYPTION_PRIMARY_KEY', primaryKey) unless options['dry']
+                end
+
+                linuxConnection.fileAppend("#{path}/Mastodon.env", "ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY=#{deterministicKey}", { **options, hide: true })
+                linuxConnection.fileAppend("#{path}/Mastodon.env", "ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT=#{keySalt}", { **options, hide: true })
+                linuxConnection.fileAppend("#{path}/Mastodon.env", "ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY=#{primaryKey}", { **options, hide: true })
+
+                vapidPrivateKey = context.secrets.load(target['SecretId'], 'VAPID_PRIVATE_KEY')
+                vapidPublicKey = context.secrets.load(target['SecretId'], 'VAPID_PUBLIC_KEY')
+                if !vapidPrivateKey || !vapidPublicKey
+                    curve = OpenSSL::PKey::EC.generate('prime256v1')
+                    vapidPrivateKey = Base64.urlsafe_encode64(curve.public_key.to_bn.to_s(2))
+                    vapidPublicKey = Base64.urlsafe_encode64(curve.private_key.to_s(2))
+                    context.secrets.store(target['SecretId'], 'VAPID_PRIVATE_KEY', vapidPrivateKey) unless options['dry']
+                    context.secrets.store(target['SecretId'], 'VAPID_PUBLIC_KEY', vapidPublicKey) unless options['dry']
+                end
+
+                linuxConnection.fileAppend("#{path}/Mastodon.env", "VAPID_PRIVATE_KEY=#{vapidPrivateKey}", { **options, hide: true })
+                linuxConnection.fileAppend("#{path}/Mastodon.env", "VAPID_PUBLIC_KEY=#{vapidPublicKey}", { **options, hide: true })
+
+                databaseHost = Podman.updateHost(target['Database'].to_h['HostName'])
+                linuxConnection.fileAppend("#{path}/Mastodon.env", "DB_HOST=#{databaseHost}", options)
+                linuxConnection.fileAppend("#{path}/Mastodon.env", "DB_PORT=#{target['Database']['Port']}", options) if target['Database'].to_h['Port']
+                linuxConnection.fileAppend("#{path}/Mastodon.env", "DB_USER=#{USER}", options)
+                linuxConnection.fileAppend("#{path}/Mastodon.env", "DB_NAME=#{USER}", options)
+                linuxConnection.fileAppend("#{path}/Mastodon.env", "DB_PASS=#{dbPassword}", { **options, hide: true })
+
+                valkeyHost = Podman.updateHost(target['Valkey'].to_h['Host'])
+                linuxConnection.fileAppend("#{path}/Mastodon.env", "REDIS_HOST=#{valkeyHost}", options)
+                if target['Valkey'].to_h['SecretId']
+                    valkeyPassword = context.secrets.load(target['Valkey']['SecretId'], 'VALKEY_PASSWORD')
+                    if !valkeyPassword.nil?
+                        linuxConnection.fileAppend("#{path}/Mastodon.env", "REDIS_PASSWORD=#{valkeyPassword}", { **options, hide: true })
+                    end
+                end
+
+                if target['Admin'].to_h['Username']
+                    linuxConnection.fileAppend("#{path}/Mastodon.env", "ADMIN_USERNAME=#{target['Admin']['Username']}", options)
+                end
+
+                if target['Admin'].to_h['EMail']
+                    adminPassword = context.secrets.load(target['SecretId'], 'ADMIN_PASSWORD')
+                    if adminPassword.nil?
+                        adminPassword = SecureRandom.alphanumeric(20)
+                        context.secrets.store(target['SecretId'], 'ADMIN_PASSWORD', adminPassword)
+                        context.secrets.print("Mastodon Admin '#{target['Admin']['EMail']}' password", adminPassword)
+                    end
+                    linuxConnection.fileAppend("#{path}/Mastodon.env", "ADMIN_EMAIL=#{target['Admin']['EMail']}", options)
+                    linuxConnection.fileAppend("#{path}/Mastodon.env", "ADMIN_PASSWORD=#{adminPassword}", options)
+                end
+
+                if !target['SMTP'].to_h.empty?
+                    emailHost = Podman.updateHost(target['SMTP']['Host'])
+
+                    linuxConnection.fileAppend("#{path}/Mastodon.env", "SMTP_SERVER=#{emailHost}", options)
+
+                    if target['SMTP']['Port']
+                        linuxConnection.fileAppend("#{path}/Mastodon.env", "SMTP_PORT=#{target['SMTP']['Port']}", options)
+                    end
+
+                    if target['SMTP']['Username']
+                        linuxConnection.fileAppend("#{path}/Mastodon.env", "SMTP_LOGIN=#{target['SMTP']['Username']}", options)
+                    end
+
+                    if target['SMTP']['SecretId']
+                        smtpPassword = context.secrets.load(target['SMTP']['SecretId'], target['SMTP']['Username'].upcase + '_PASSWORD')
+                        linuxConnection.fileAppend("#{path}/Mastodon.env", "SMTP_PASSWORD=#{smtpPassword}", { **options, hide: true })
+                    end
+
+                    if target['SMTP']['Port'] == 465
+                        linuxConnection.fileAppend("#{path}/Mastodon.env", "SMTP_TLS=true", options)
+                    end
+
+                    if target['SMTP']['From']
+                        linuxConnection.fileAppend("#{path}/Mastodon.env", "SMTP_FROM_ADDRESS=#{target['SMTP']['From']}", options)
+                    end
+                end
+
+                if !target['Settings'].to_h.empty?
+                    target['Settings'].each do |name, value|
+                        linuxConnection.fileAppend("#{path}/Mastodon.env", "#{name}=#{value}", options)
+                    end
+                end
+
+                linuxConnection.setUserGroup("#{path}/Mastodon.env", USER, USER, options)
+                linuxConnection.setPrivate("#{path}/Mastodon.env", options)
+
+                linuxConnection.upload(__dir__ + '/configlmm.rake', HOME_DIR + '/.configlmm/', options)
+                linuxConnection.upload(__dir__ + '/entrypoint.sh', HOME_DIR + '/.configlmm/', options)
+                linuxConnection.makeExecutable(HOME_DIR + '/.configlmm/entrypoint.sh', options)
+
+                linuxConnection.upload(__dir__ + '/Mastodon.container', path, options)
+                linuxConnection.upload(__dir__ + '/Mastodon-Sidekiq.container', path, options)
+                linuxConnection.upload(__dir__ + '/Mastodon-Streaming.container', path, options)
+
+                if target['Proxy'] == false
+                    linuxConnection.fileReplace("#{path}/Mastodon.container", 'PublishPort=127.0.0.1:', 'PublishPort=0.0.0.0:', options)
+                    linuxConnection.fileReplace("#{path}/Mastodon-Streaming.container", 'PublishPort=127.0.0.1:', 'PublishPort=0.0.0.0:', options)
+                    linuxConnection.firewallAddPort("#{PORT}/tcp", options)
+                    linuxConnection.firewallAddPort("#{STREAMING_PORT}/tcp", options)
+                end
+
+                linuxConnection.reloadUserServices(USER, options)
+                linuxConnection.restartUserService(USER, 'Mastodon', options)
+                linuxConnection.restartUserService(USER, 'Mastodon-Sidekiq', options)
+                linuxConnection.restartUserService(USER, 'Mastodon-Streaming', options)
+            end
+
+            def deployNginxConfig(linuxConnection, target, activeState, context, options)
+                if !target.key?('Proxy') || target['Proxy']
+                    Nginx.withConnection(linuxConnection) do |nginxConnection|
+                        target['Server'] = '127.0.0.1' unless target['Server']
+                        nginxConnection.provision(__dir__, 'Mastodon', target, activeState, context, options)
+                    end
+                end
+            end
+
+            def configurePostgreSQL(dbSettings, linuxConnection, options)
+                password = SecureRandom.alphanumeric(20)
+                PostgreSQL.withConnection(dbSettings, linuxConnection) do |postgresConnection|
+                    postgresConnection.createUserAndDB(USER, password, options)
+                end
+                password
+            end
+
+            def cleanup(configs, state, context, options)
+                cleanupType(:Mastodon, configs, state, context, options) do |item, id, state, context, options, connection|
+                    Linux.withConnection(connection) do |linuxConnection|
+
+                        if !item['Config'].key?('Proxy') || item['Config']['Proxy']
+                            Nginx.withConnection(linuxConnection) do |nginxConnection|
+                                nginxConnection.cleanupConfig('Mastodon', context, options)
+                                nginxConnection.reload(options)
+                            end
+                        elsif item['Config'].key?('Proxy') && item['Config']['Proxy'] == false
+                            linuxConnection.firewallRemovePort("#{PORT}/tcp", options)
+                            linuxConnection.firewallRemovePort("#{STREAMING_PORT}/tcp", options)
+                        end
+
+                        if !item['Config'].key?('Proxy') || item['Config']['Proxy'] == false
+                            linuxConnection.stopUserService(USER, 'Mastodon-Sidekiq', options)
+                            linuxConnection.stopUserService(USER, 'Mastodon-Streaming', options)
+                            linuxConnection.stopUserService(USER, 'Mastodon', options)
+
+                            path = Podman.containersPath(HOME_DIR)
+                            linuxConnection.rm(path + '/Mastodon.container', options[:dry])
+                            linuxConnection.rm(path + '/Mastodon-Streaming.container', options[:dry])
+                            linuxConnection.rm(path + '/Mastodon-Sidekiq.container', options[:dry])
+
+                            state.item(id)['Status'] = State::STATUS_DELETED unless options[:dry]
+
+                            if options[:destroy]
+                                linuxConnection.deleteUserAndGroup(USER, options)
+                                linuxConnection.rm(HOME_DIR, options[:dry])
+                                state.item(id)['Status'] = State::STATUS_DESTROYED unless options[:dry]
+                            end
+                        else
+                            state.item(id)['Status'] = options[:destroy] ? State::STATUS_DESTROYED : State::STATUS_DELETED unless options[:dry]
+                        end
+                    end
                 end
             end
 

data/Plugins/Apps/Mastodon/configlmm.rake

@@ -0,0 +1,30 @@
+# frozen_string_literal: true
+
+# Based on https://github.com/mastodon/mastodon/blob/main/lib/tasks/mastodon.rake#L7
+
+namespace :configlmm do
+    desc 'Configure the instance for production use'
+    task :setup do
+        username = 'admin'
+        username = ENV['ADMIN_USERNAME'] if ENV['ADMIN_USERNAME']
+        emailLocal, emailDomain = ENV['ADMIN_EMAIL'].to_s.split('@')
+        password = ENV['ADMIN_PASSWORD']
+
+        if !emailLocal.to_s.empty? && !emailDomain.to_s.empty? && !password.to_s.empty?
+            require_relative '../../config/environment'
+            require 'addressable/idna'
+
+            email = emailLocal + '@' + Addressable::IDNA.to_ascii(emailDomain)
+            user = User.where('LOWER(email) = ?', email.downcase).first
+            account = Account.where('LOWER(username) = ?', username.downcase).first
+            if !user && !account
+                owner_role = UserRole.find_by(name: 'Owner')
+                user = User.new(email: email, password: password, confirmed_at: Time.now.utc, account_attributes: { username: username }, bypass_invite_request_check: true, role: owner_role)
+                user.save(validate: false)
+                user.approve!
+
+                Setting.site_contact_username = username
+            end
+        end
+    end
+end

data/Plugins/Apps/Mastodon/entrypoint.sh

@@ -0,0 +1,16 @@
+#!/usr/bin/sh
+
+set -o errexit
+set -o nounset
+
+cmd="/usr/bin/tini"
+
+if [ $# -gt 0 ] && [ "$1" = "server" ]; then
+    bin/rails db:prepare
+    bin/rails configlmm:setup
+    unset ADMIN_PASSWORD
+
+    exec $cmd -- bundle exec puma -C config/puma.rb
+else
+    exec $cmd -- "$@"
+fi

data/Plugins/Apps/Matrix/Element.container

@@ -0,0 +1,19 @@
+
+[Unit]
+Description=Matrix (Element) container
+After=local-fs.target
+
+[Container]
+ContainerName=Element
+Image=docker.io/vectorim/element-web:latest
+EnvironmentFile=/var/lib/matrix/.config/containers/systemd/Matrix.env
+PublishPort=127.0.0.1:18300:80
+Volume=/var/lib/matrix/config.json:/app/config.json
+LogDriver=journald
+AutoUpdate=registry
+
+[Service]
+Restart=on-failure
+
+[Install]
+WantedBy=multi-user.target default.target