ConfigLMM 0.4.0 → 0.5.0

data/Plugins/Apps/Nginx/Connection.rb

@@ -0,0 +1,93 @@
+
+module ConfigLMM
+    module LMM
+        class NginxConnection
+
+            NGINX_PACKAGE = 'nginx'
+            CONFIG_DIR = '/etc/nginx/'
+            WWW_DIR = '/srv/www/'
+
+            attr_reader :connection
+            attr_reader :nginxVersion
+
+            def initialize(connection)
+                @connection = connection
+            end
+
+            def nginxVersion
+                # Allow to fail when nginx is not installed
+                @nginxVersion ||= connection.exec('nginx -v', true).strip.split('/')[1].to_f
+            end
+
+            def reload(options)
+                connection.reloadService(:nginx, options)
+            end
+
+            def writeConfig(dir, name, target, activeState, context, options)
+                outputFolder = options['output']
+
+                config = prepareConfig(target)
+
+                config['NginxVersion'] = nginxVersion
+                template = ERB.new(File.read(dir + '/' + name + '.conf.erb'))
+                name = config['ConfigName'] if config['ConfigName']
+                connection.local.renderTemplate(template, config, outputFolder + '/nginx/servers-lmm/' + name.to_s + '.conf', options)
+            end
+
+            def deployAllConfigs(target, activeState, context, options)
+                outputFolder = options['output'] + '/nginx/servers-lmm'
+
+                connection.createDirs(options, CONFIG_DIR)
+                connection.uploadFolder(outputFolder, CONFIG_DIR, options)
+                if target['TLS']
+                    connection.firewallAddService('https', options)
+                else
+                    connection.firewallAddService('http', options)
+                end
+                reload(options)
+            end
+
+            def cleanupConfig(name, context, options)
+                connection.rm('/etc/nginx/servers-lmm/' + name + '.conf', options['dry'])
+            end
+
+            def provision(dir, configName, target, activeState, context, options)
+                connection.ensurePackage(NGINX_PACKAGE, options)
+                connection.ensureServiceAutoStart(:nginx, options)
+                writeConfig(dir, configName, target, activeState, context, options)
+                connection.startService(:nginx, options)
+                deployAllConfigs(target, activeState, context, options)
+                reload(options)
+            end
+
+            def provisionProxy(server, name, target, activeState, context, options)
+                target = target.dup
+                target['Proxy'] = server
+                target['Name'] = name if name
+                target['ConfigName'] = target['Name']
+                provision(__dir__, 'proxy', target, activeState, context, options)
+            end
+
+            private
+
+            def prepareConfig(target)
+                config = target.dup
+                config['TLS'] = true if config['TLS'].nil?
+
+                if !config['Port']
+                    config['Port'] = config['TLS'] ? 443 : 80
+                end
+                if config['Domain']
+                    config['Domain'] = Addressable::IDNA.to_ascii(config['Domain'])
+                end
+                if config['Server'] && !config['Server'].start_with?('/') && !config['Server'].include?(':/')
+                    config['Server'] = Addressable::IDNA.to_ascii(config['Server'])
+                end
+                if config['AuthentikDomain']
+                    config['AuthentikDomain'] = Addressable::IDNA.to_ascii(config['AuthentikDomain'])
+                end
+                config
+            end
+        end
+    end
+end

data/Plugins/Apps/Nginx/conf.d/configlmm.conf

@@ -12,31 +12,72 @@ resolver 127.0.0.53;
 # proxy_headers_hash_max_size 512;
 # proxy_headers_hash_bucket_size 128;
 
+log_format json escape=json '{'
+    '"time":$msec,'
+    '"time_iso8601":"$time_iso8601",'
+    '"remote_addr":"$remote_addr",'
+    '"remote_port":$remote_port,'
+    '"remote_user":"$remote_user",'
+    '"request":"$request",'
+    '"status":$status,'
+    '"method":"$request_method",'
+    '"scheme":"$scheme",'
+    '"host":"$http_host",'
+    '"uri":"$uri",'
+    '"request_uri":"$request_uri",'
+    '"query_string":"$query_string",'
+    '"request_filename":"$request_filename",'
+    '"request_length":$request_length,'
+    '"content_length":"$content_length",'
+    '"content_type":"$content_type",'
+    '"bytes_sent":$bytes_sent,'
+    '"body_bytes_sent":$body_bytes_sent,'
+    '"server_name":"$server_name",'
+    '"server_port":$server_port,'
+    '"server_protocol":"$server_protocol",'
+    '"http_referer":"$http_referer",'
+    '"http_user_agent":"$http_user_agent",'
+    '"http_accept_language":"$http_accept_language",'
+    '"http_x_forwarded_for":"$http_x_forwarded_for",'
+    '"http_x_real_ip":"$http_x_real_ip",'
+    '"request_time":$request_time,'
+    '"upstream_addr":"$upstream_addr",'
+    '"upstream_status":"$upstream_status",'
+    '"upstream_http_etag":"$upstream_http_etag",'
+    '"upstream_http_last_modified":"$upstream_http_last_modified",'
+    '"upstream_connect_time":"$upstream_connect_time",'
+    '"upstream_header_time":"$upstream_header_time",'
+    '"upstream_response_time":"$upstream_response_time",'
+    '"proxy_protocol_addr":"$proxy_protocol_addr",'
+    '"proxy_protocol_port":"$proxy_protocol_port",'
+    '"connection_time":$connection_time,'
+    '"connection_requests":$connection_requests'
+'}';
+
+access_log /var/log/nginx/access.json json;
 
 gzip  on;
+gzip_static  on;
 gzip_vary on;
 gzip_proxied any;
 gzip_comp_level 6;
 gzip_min_length 256;
 
-# do not remove ETag headers
-gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
-
 gzip_types application/atom+xml text/javascript text/xml application/xml+rss application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/wasm application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
 
-
 charset utf-8;
 charset_types text/css text/plain text/xml text/javascript text/vnd.wap.wml application/json application/javascript application/xml application/xml+rss application/rss+xm image/svg+xml;
 proxy_intercept_errors on;
 fastcgi_intercept_errors on;
 
-map '' $WithHost {
-    default '';
+map '' $ProxyHost {
+    default $host;
+    ~. '';
 }
 
-map "$WithHost" $ProxyHost {
-    default $host;
-    ~. $WithHost;
+map '' $ProxyForwardedHost {
+    default $http_host;
+    ~. '';
 }
 
 map $http_accept $errorExtension

data/Plugins/Apps/Nginx/conf.d/languages.conf

@@ -0,0 +1,21 @@
+
+# Here we include only those languages that are supported
+# by https://github.com/ConfigLMM/HttpErrorPages/tree/configlmm/i18n
+
+map $http_accept_language $userLanguage
+{
+    default      en_US;
+    ~*^es-VE     es_VE;
+    ~*^es        es_VE; # Fallback
+    ~*^fr-FR     fr_FR;
+    ~*^fr        fr_FR;
+    ~*^it-IT     it_IT;
+    ~*^it        it_IT;
+    ~*^lv-LV     lv_LV;
+    ~*^lv        lv_LV;
+    ~*^pl        pl_PL;
+    ~*^pt-BR     pt_BR;
+    ~*^pt        pt_BR;
+    ~*^zh-CN     zh_CN;
+    ~*^zh        zh_CN;
+}

data/Plugins/Apps/Nginx/config-lmm/errors.conf

@@ -1,30 +1,35 @@
 
 # add one directive for each http status code
-error_page 301 /_errors_/HTTP301.$errorExtension;
+error_page 301 /_errors_/HTTP301.$userLanguage.$errorExtension;
 
 # Looks like enabling custom 302 can be problematic
 # due to apps using multiple Set-Cookie headers
 # for example this breaks BookStack
 # so lets not use it by default
-#error_page 302 /_errors_/HTTP302.$errorExtension;
-
-error_page 303 /_errors_/HTTP303.$errorExtension;
-error_page 307 /_errors_/HTTP307.$errorExtension;
-error_page 308 /_errors_/HTTP308.$errorExtension;
-error_page 400 /_errors_/HTTP400.$errorExtension;
-error_page 401 /_errors_/HTTP401.$errorExtension;
-# error_page 402 /_errors_/HTTP402.$errorExtension;
-error_page 403 /_errors_/HTTP403.$errorExtension;
-error_page 404 /_errors_/HTTP404.$errorExtension;
-error_page 405 /_errors_/HTTP405.$errorExtension;
-error_page 500 /_errors_/HTTP500.$errorExtension;
-error_page 501 /_errors_/HTTP501.$errorExtension;
-error_page 502 /_errors_/HTTP502.$errorExtension;
-error_page 503 /_errors_/HTTP503.$errorExtension;
-error_page 504 /_errors_/HTTP504.$errorExtension;
-error_page 520 /_errors_/HTTP520.$errorExtension;
-error_page 521 /_errors_/HTTP521.$errorExtension;
-error_page 533 /_errors_/HTTP533.$errorExtension;
+#error_page 302 /_errors_/HTTP302.$userLanguage.$errorExtension;
+
+error_page 303 /_errors_/HTTP303.$userLanguage.$errorExtension;
+
+# Some applications (eg. Umami) misuse this status
+# code and don't actually expect redirect...
+#error_page 307 /_errors_/HTTP307.$userLanguage.$errorExtension;
+
+error_page 308 /_errors_/HTTP308.$userLanguage.$errorExtension;
+error_page 400 /_errors_/HTTP400.$userLanguage.$errorExtension;
+error_page 401 /_errors_/HTTP401.$userLanguage.$errorExtension;
+# error_page 402 /_errors_/HTTP402.$userLanguage.$errorExtension;
+error_page 403 /_errors_/HTTP403.$userLanguage.$errorExtension;
+error_page 404 /_errors_/HTTP404.$userLanguage.$errorExtension;
+error_page 405 /_errors_/HTTP405.$userLanguage.$errorExtension;
+error_page 497 /_errors_/HTTP497.$userLanguage.$errorExtension;
+error_page 500 /_errors_/HTTP500.$userLanguage.$errorExtension;
+error_page 501 /_errors_/HTTP501.$userLanguage.$errorExtension;
+error_page 502 /_errors_/HTTP502.$userLanguage.$errorExtension;
+error_page 503 /_errors_/HTTP503.$userLanguage.$errorExtension;
+error_page 504 /_errors_/HTTP504.$userLanguage.$errorExtension;
+error_page 520 /_errors_/HTTP520.$userLanguage.$errorExtension;
+error_page 521 /_errors_/HTTP521.$userLanguage.$errorExtension;
+error_page 533 /_errors_/HTTP533.$userLanguage.$errorExtension;
 
 location /_errors_/ {
     include config-lmm/public.conf;

data/Plugins/Apps/Nginx/config-lmm/gateway-errors.conf

@@ -0,0 +1,20 @@
+
+error_page 497 /_errors_/HTTP497.$userLanguage.$errorExtension;
+
+error_page 502 /_errors_/HTTP502.$userLanguage.$errorExtension;
+error_page 503 /_errors_/HTTP503.$userLanguage.$errorExtension;
+error_page 504 /_errors_/HTTP504.$userLanguage.$errorExtension;
+
+error_page 520 /_errors_/HTTP520.$userLanguage.$errorExtension;
+error_page 521 /_errors_/HTTP521.$userLanguage.$errorExtension;
+error_page 533 /_errors_/HTTP533.$userLanguage.$errorExtension;
+
+location /_errors_/ {
+    include config-lmm/public.conf;
+
+    add_header Location $upstream_http_location;
+    add_header Set-Cookie $upstream_http_set_cookie;
+
+    alias /srv/www/errors/;
+    internal;
+}

data/Plugins/Apps/Nginx/config-lmm/proxy.conf

@@ -6,7 +6,7 @@ proxy_set_header X-Real-IP $remote_addr;
 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 proxy_set_header X-Forwarded-Proto $scheme;
 proxy_set_header X-Forwarded-Protocol $scheme;
-proxy_set_header X-Forwarded-Host $http_host;
+proxy_set_header X-Forwarded-Host $ProxyForwardedHost;
 
 proxy_set_header Upgrade $http_upgrade;
 proxy_set_header Connection $connectionUpgrade;

data/Plugins/Apps/Nginx/main.conf.erb

@@ -6,7 +6,9 @@ server {
 
     include config-lmm/errors.conf;
 
-    deny all;
+    location / {
+        return 308 https://$host$request_uri;
+    }
 }
 
 server {
@@ -21,11 +23,13 @@ server {
 
     server_name _;
 
-    deny all;
-
     ssl_early_data on;
 
     include config-lmm/errors.conf;
     include config-lmm/security.conf;
     include config-lmm/ssl.conf;
+
+    location / {
+        return 403;
+    }
 }

data/Plugins/Apps/Nginx/nginx.conf

@@ -1,7 +1,7 @@
 
 worker_processes  4;
 
-error_log    /var/log/nginx/error.log info;
+error_log stderr info;
 
 events {
     worker_connections  1024;
@@ -18,7 +18,7 @@ http {
 
     include /etc/nginx/main.conf;
 
-    # Load modular configuration files from the /etc/nginx/servers directory.
+    # Load modular configuration files from the /etc/nginx/vhosts.d directory.
     # See http://nginx.org/en/docs/ngx_core_module.html#include
     # for more information.
     include vhosts.d/*.conf;

data/Plugins/Apps/Nginx/nginx.lmm.rb

@@ -1,21 +1,24 @@
 
+require_relative 'Connection'
+
 module ConfigLMM
     module LMM
         class Nginx < Framework::NginxApp
-            CERTBOT_PACKAGE = 'CertBotNginx'
-            ERROR_PAGES_REPO = 'https://github.com/HttpErrorPages/HttpErrorPages.git'
+            PACKAGE_NAME = 'Nginx'
+            SERVICE_NAME = :nginx
+            ERROR_PAGES_REPO = 'https://github.com/ConfigLMM/HttpErrorPages.git'
 
             def actionNginxBuild(id, target, activeState, context, options)
-
                 dir = options['output'] + '/nginx/'
-                mkdir(dir + 'conf.d', options[:dry])
-                mkdir(dir + 'servers-lmm', options[:dry])
-                copy(__dir__ + '/config-lmm', dir, options[:dry])
-                copy(__dir__ + '/nginx.conf', dir, options[:dry])
-                copy(__dir__ + '/conf.d/configlmm.conf', dir + 'conf.d/', options[:dry])
-
-                mkdir(options['output'] + WWW_DIR + 'root', options[:dry])
-                mkdir(options['output'] + WWW_DIR + 'errors', options[:dry])
+                local.mkdir(dir + 'conf.d', options[:dry])
+                local.mkdir(dir + 'servers-lmm', options[:dry])
+                local.copy(__dir__ + '/config-lmm', dir, options[:dry])
+                local.copy(__dir__ + '/nginx.conf', dir, options[:dry])
+                local.copy(__dir__ + '/conf.d/configlmm.conf', dir + 'conf.d/', options[:dry])
+                local.copy(__dir__ + '/conf.d/languages.conf', dir + 'conf.d/', options[:dry])
+
+                local.mkdir(options['output'] + NginxConnection::WWW_DIR + 'root', options[:dry])
+                local.mkdir(options['output'] + NginxConnection::WWW_DIR + 'errors', options[:dry])
             end
 
             # TODO
@@ -26,80 +29,93 @@ module ConfigLMM
             def actionNginxDeploy(id, target, activeState, context, options)
                 dir = options['output'] + '/nginx/'
 
-                if target['Location'] && target['Location'] != '@me'
-                    uri = Addressable::URI.parse(target['Location'])
-                    raise Framework::PluginProcessError.new("Unknown Protocol: #{uri.scheme}!") if uri.scheme != 'ssh'
-                    self.class.sshStart(uri) do |ssh|
-                        Framework::LinuxApp.ensurePackages([CERTBOT_PACKAGE], ssh)
-                        self.class.prepareNginxConfig(target, ssh)
-
-                        self.class.sshExec!(ssh, "mkdir -p #{CONFIG_DIR}conf.d")
-                        self.class.sshExec!(ssh, "mkdir -p #{WWW_DIR}root")
-                        self.class.sshExec!(ssh, "mkdir -p #{WWW_DIR}errors")
-                        ssh.scp.upload!(dir + 'nginx.conf', CONFIG_DIR + 'nginx.conf')
-                        ssh.scp.upload!(dir + 'conf.d/configlmm.conf', CONFIG_DIR + 'conf.d/configlmm.conf')
-                        resolverIP = self.class.sshExec!(ssh, "cat /etc/resolv.conf | grep 'nameserver' | grep -v ':' | head -n 1 | cut -d ' ' -f 2").strip
-                        self.class.sshExec!(ssh, "sed -i 's|^resolver .*|resolver #{resolverIP};|' /etc/nginx/conf.d/configlmm.conf")
-
-                        self.class.uploadFolder(dir + 'config-lmm', CONFIG_DIR, ssh)
-                        self.class.uploadFolder(dir + 'servers-lmm', CONFIG_DIR, ssh)
-
-                        template = ERB.new(File.read(__dir__ + '/main.conf.erb'))
-                        renderTemplate(template, target, dir + 'main.conf', options)
-                        ssh.scp.upload!(dir + 'main.conf', CONFIG_DIR + 'main.conf')
-
-                        if !self.class.remoteFilePresent?(WWW_DIR + 'errors/HTTP500.html', ssh)
-                            errorPages = File.expand_path(REPOS_CACHE + '/HttpErrorPages')
-                            if !File.exist?(errorPages)
-                                mkdir(File.expand_path(REPOS_CACHE), false)
-                                begin
-                                    Framework::LinuxApp.ensurePackages(['git', 'Yarn'], '@me')
-                                rescue RuntimeError => error
-                                    prompt.say(error, :color => :red)
-                                end
-                                `cd #{REPOS_CACHE} && git clone --quiet #{ERROR_PAGES_REPO} > /dev/null`
-                            end
-                            `cd #{errorPages} && yarn install --silent`
-                            `cd #{errorPages} && yarn run static config-dist.json > /dev/null`
-                            `cd #{errorPages} && cp -R dist errors`
-                            self.class.uploadFolder(errorPages + '/errors', WWW_DIR, ssh)
-                        end
+                # Consider:
+                # * Deploy on current host
+                # * Deploy on remote host thru SSH (eg. VPS)
+                # * Using already existing solution like Chef/Puppet/Ansible/etc
+                # * Provision from some Cloud provider
+                # We implement this as we go - what people actually use
 
-                        Framework::LinuxApp.createCertificateOverSSH(ssh)
-                    end
-                else
-                    self.class.prepareNginxConfig(target, nil)
+                self.withConnection(target['Location'], target) do |connection|
+                    Linux.withConnection(connection) do |linuxConnection|
+                        self.class.withConnection(linuxConnection) do |nginxConnection|
+                            target['Deploy'] = true unless target.key?('Deploy')
 
-                    copy(dir + '/config-lmm', CONFIG_DIR, options[:dry])
-                    copy(dir + '/nginx.conf', CONFIG_DIR, options[:dry])
+                            if target['Deploy']
+                                linuxConnection.ensurePackage(PACKAGE_NAME, options)
 
-                    copy(dir + '/servers-lmm', CONFIG_DIR, options['dry'])
-                    mkdir(WWW_DIR + 'root', options[:dry])
-                    mkdir(WWW_DIR + 'errors', options[:dry])
+                                linuxConnection.createDirs(options, "#{NginxConnection::CONFIG_DIR}conf.d", "#{NginxConnection::WWW_DIR}root", "#{NginxConnection::WWW_DIR}errors")
 
-                    template = ERB.new(File.read(__dir__ + '/main.conf.erb'))
-                    renderTemplate(template, target, dir + 'main.conf', options)
-                    copy(dir + '/main.conf', CONFIG_DIR, options[:dry])
+                                linuxConnection.upload(dir + 'nginx.conf', NginxConnection::CONFIG_DIR + 'nginx.conf', options)
+                                linuxConnection.upload(dir + 'conf.d/configlmm.conf', NginxConnection::CONFIG_DIR + 'conf.d/configlmm.conf', options)
+                                linuxConnection.upload(dir + 'conf.d/languages.conf', NginxConnection::CONFIG_DIR + 'conf.d/languages.conf', options)
 
-                    dir = "/etc/letsencrypt/live/Wildcard/"
-                    `mkdir -p #{dir}`
-                    if !File.exist?(dir + 'fullchain.pem')
-                        `openssl req -x509 -noenc -days 90 -newkey rsa:2048 -keyout #{dir}privkey.pem -out #{dir}fullchain.pem -subj "/C=US/O=ConfigLMM/CN=Wildcard"`
-                         `cp #{dir}fullchain.pem #{dir}chain.pem`
-                    end
+                                if options['dry']
+                                    linuxConnection.exec("cat /etc/resolv.conf | grep 'nameserver' | grep -v ':' | head -n 1 | cut -d ' ' -f 2", { **options, 'dry': true })
+                                end
+                                resolverIP = linuxConnection.exec("cat /etc/resolv.conf | grep 'nameserver' | grep -v ':' | head -n 1 | cut -d ' ' -f 2", { **options, 'dry': false }).strip
+
+                                linuxConnection.fileReplace('/etc/nginx/conf.d/configlmm.conf', '^resolver .*', "resolver #{resolverIP};", options)
+
+                                linuxConnection.uploadFolder(dir + 'config-lmm', NginxConnection::CONFIG_DIR, options)
+                                linuxConnection.uploadFolder(dir + 'servers-lmm', NginxConnection::CONFIG_DIR, options)
+
+                                target = target.dup
+                                target['NginxVersion'] = nginxConnection.nginxVersion
+                                template = ERB.new(File.read(__dir__ + '/main.conf.erb'))
+                                local.renderTemplate(template, target, dir + 'main.conf', options)
+                                linuxConnection.upload(dir + 'main.conf', NginxConnection::CONFIG_DIR + 'main.conf', options)
+
+                                if !linuxConnection.filePresent?(NginxConnection::WWW_DIR + 'errors/HTTP500.en_US.html', { **options, 'dry' => false })
+                                    errorPages = File.expand_path(REPOS_CACHE + '/HttpErrorPages')
+                                    if !File.exist?(errorPages)
+                                        local.mkdir(File.expand_path(REPOS_CACHE), options['dry'])
+                                        begin
+                                            Linux.withConnection(local) do |localLinux|
+                                                localLinux.ensurePackages(['git'], options) unless localLinux.hasBinaries?(['git'], options)
+                                            end
+                                        rescue RuntimeError => error
+                                            prompt.say(error, :color => :red)
+                                        end
+                                        local.exec("cd #{REPOS_CACHE} && git clone --quiet #{ERROR_PAGES_REPO}", false, options)
+                                        local.exec("cd #{errorPages} && cp -R dist errors", false, options)
+                                    else
+                                        local.exec("cd #{REPOS_CACHE}/HttpErrorPages && git pull", false, options)
+                                        local.exec("cd #{errorPages} && cp -R dist errors", false, options)
+                                    end
+                                    linuxConnection.uploadFolder(errorPages + '/errors', NginxConnection::WWW_DIR, options)
+                                end
+
+                                linuxConnection.createWildecardCertificate(options)
+                            end
 
+                            if target['Servers']
+                                target['Servers'].each do |source|
+                                    name = File.basename(source)
+                                    linuxConnection.upload(source, NginxConnection::CONFIG_DIR + 'servers-lmm/' + name, options)
+                                end
+                            end
+
+                            if target['Deploy']
+                                linuxConnection.ensureServiceAutoStart(SERVICE_NAME, options)
+                                linuxConnection.startService(SERVICE_NAME, options)
+
+                                linuxConnection.firewallAddService('http', options)
+                                linuxConnection.firewallAddService('https', options)
+                            else
+                                linuxConnection.reloadService(SERVICE_NAME, options)
+                            end
+                        end
+                    end
                 end
-                # Consider:
-                # * Deploy on current host
-                # * Deploy on remote host thru SSH (eg. VPS)
-                # * Using already existing solution like Chef/Puppet/Ansible/etc
-                # * Provision from some Cloud provider
-                # We implement this as we go - what people actually use
             end
 
             def actionNginxProxyBuild(id, target, activeState, context, options)
                 target['ConfigName'] = target['Name']
-                writeNginxConfig(__dir__, 'proxy', id, target, activeState, context, options)
+
+                self.class.withConnection(local) do |nginxConnection|
+                    nginxConnection.writeConfig(__dir__, 'proxy', target, activeState, context, options)
+                end
                 actionNginxBuild(id, target, activeState, context, options)
             end
 
@@ -107,17 +123,19 @@ module ConfigLMM
                 raise Framework::PluginProcessError.new('Proxy field must be set!') unless target['Proxy']
 
                 target['ConfigName'] = target['Name']
-                if target['Location'] && target['Location'] != '@me'
-                    uri = Addressable::URI.parse(target['Location'])
-                    raise Framework::PluginProcessError.new("#{id}: Unknown Protocol: #{uri.scheme}!") if uri.scheme != 'ssh'
-                    self.class.sshStart(uri) do |ssh|
-                        useNginxProxy(__dir__, 'proxy', id, target, activeState, state, context, options, ssh)
+                self.withConnection(target['Location'], target) do |connection|
+                    Linux.withConnection(connection) do |linuxConnection|
+                        self.class.withConnection(linuxConnection) do |nginxConnection|
+                            nginxConnection.provision(__dir__, 'proxy', target, activeState, context, options)
+                        end
                     end
-                else
-                    useNginxProxy(__dir__, 'proxy', id, target, activeState, state, context, options, ssh)
                 end
             end
 
+            def self.withConnection(linuxConnection)
+                yield(NginxConnection.new(linuxConnection))
+            end
+
         end
     end
 end

data/Plugins/Apps/Nginx/proxy.conf.erb

@@ -23,10 +23,18 @@ server {
 
     server_name <%= config['Domain'] %>;
 
-    access_log  /var/log/nginx/<%= config['Name'].downcase %>.access.log;
-    error_log   /var/log/nginx/<%= config['Name'].downcase %>.error.log;
+    <% if config['CertName'] %>
+        ssl_certificate "/etc/letsencrypt/live/<%= config['CertName'] %>/fullchain.pem";
+        ssl_certificate_key "/etc/letsencrypt/live/<%= config['CertName'] %>/privkey.pem";
+        ssl_trusted_certificate "/etc/letsencrypt/live/<%= config['CertName'] %>/chain.pem";
+    <% end %>
+
+    <% if !config.key?('HandleErrors') || config['HandleErrors'] %>
+        include config-lmm/errors.conf;
+    <% else %>
+       include config-lmm/gateway-errors.conf;
+    <% end %>
 
-    include config-lmm/errors.conf;
     include config-lmm/security.conf;
 
     <% if config['Private'] %>

data/Plugins/Apps/Odoo/Odoo.conf.erb

@@ -37,9 +37,6 @@ server {
 
     server_name <%= config['Domain'] %>;
 
-    access_log  /var/log/nginx/odoo.access.log;
-    error_log   /var/log/nginx/odoo.error.log;
-
     include config-lmm/errors.conf;
 
     location / {

data/Plugins/Apps/Odoo/Odoo.container

@@ -4,6 +4,7 @@ Description=Odoo container
 After=local-fs.target
 
 [Container]
+ContainerName=Odoo
 Image=docker.io/odoo:latest
 EnvironmentFile=/var/lib/odoo/.config/containers/systemd/Odoo.env
 Network=slirp4netns:allow_host_loopback=true
@@ -12,7 +13,11 @@ UserNS=keep-id:uid=101,gid=101
 Volume=/var/lib/odoo/config:/etc/odoo
 Volume=/var/lib/odoo/data:/var/lib/odoo
 Volume=/var/lib/odoo/addons:/mnt/extra-addons
+LogDriver=journald
 AutoUpdate=registry
 
+[Service]
+Restart=on-failure
+
 [Install]
 WantedBy=multi-user.target default.target

data/Plugins/Apps/Odoo/Odoo.lmm.rb

@@ -64,16 +64,15 @@ module ConfigLMM
                     if !target.key?('Proxy') || target['Proxy'] == true || target['Proxy'] == 'only'
                         deployNginxConfig(id, target, activeState, context, options)
                     end
-                    activeState['Location'] = '@me'
                 end
             end
 
-            def configurePostgreSQL(settings, ssh)
+            def configurePostgreSQL(settings, connection)
                 user = USER
                 password = SecureRandom.alphanumeric(20)
-                PostgreSQL.executeRemotely(settings, ssh) do |ssh|
-                    self.class.sshExec!(ssh, "su --login #{PostgreSQL::USER_NAME} --command 'createuser --createdb #{user}'", true)
-                    PostgreSQL.executeSQL("ALTER USER #{user} WITH PASSWORD '#{password}'", nil, ssh)
+                PostgreSQL.executeRemotely(settings, connection) do |connection|
+                    connection.exec("su --login #{PostgreSQL::USER_NAME} --command 'createuser --createdb #{user}'", true)
+                    PostgreSQL.executeSQL("ALTER USER #{user} WITH PASSWORD '#{password}'", nil, connection)
                 end
                 password
             end