ConfigLMM 0.4.0 → 0.5.0

data/Plugins/Apps/ArchiSteamFarm/ArchiSteamFarm.lmm.rb

@@ -10,7 +10,6 @@ module ConfigLMM
             def actionArchiSteamFarmDeploy(id, target, activeState, context, options)
                 if !target['Location'] || target['Location'] == '@me'
                     deployNginxConfig(id, target, activeState, context, options)
-                    activeState['Location'] = '@me'
                 end
             end
 

data/Plugins/Apps/Authentik/Authentik-ProxyOutpost.container

@@ -4,11 +4,17 @@ Description=Authentik Proxy Outpost container
 After=local-fs.target
 
 [Container]
-Image=ghcr.io/goauthentik/proxy:latest
+ContainerName=Authentik-ProxyOutpost
+Image=ghcr.io/goauthentik/proxy:2025.2
 EnvironmentFile=/var/lib/authentik/.config/containers/systemd/ProxyOutpost.env
+Network=slirp4netns:allow_host_loopback=true
 PublishPort=127.0.0.1:19010:9000
 UserNS=keep-id:uid=1000,gid=1000
+LogDriver=journald
 AutoUpdate=registry
 
+[Service]
+Restart=on-failure
+
 [Install]
 WantedBy=multi-user.target default.target

data/Plugins/Apps/Authentik/Authentik-Server.container

@@ -4,7 +4,8 @@ Description=Authentik Server container
 After=local-fs.target
 
 [Container]
-Image=ghcr.io/goauthentik/server:latest
+ContainerName=Authentik-Server
+Image=ghcr.io/goauthentik/server:2025.2
 Exec=server
 EnvironmentFile=/var/lib/authentik/.config/containers/systemd/Authentik.env
 Network=slirp4netns:allow_host_loopback=true
@@ -13,7 +14,11 @@ PublishPort=127.0.0.1:19300:9300
 UserNS=keep-id:uid=1000,gid=1000
 Volume=/var/lib/authentik/media:/media
 Volume=/var/lib/authentik/templates:/templates
+LogDriver=journald
 AutoUpdate=registry
 
+[Service]
+Restart=on-failure
+
 [Install]
 WantedBy=multi-user.target default.target

data/Plugins/Apps/Authentik/Authentik-Worker.container

@@ -4,7 +4,8 @@ Description=Authentik Worker container
 After=local-fs.target
 
 [Container]
-Image=ghcr.io/goauthentik/server:latest
+ContainerName=Authentik-Worker
+Image=ghcr.io/goauthentik/server:2025.2
 Exec=worker
 EnvironmentFile=/var/lib/authentik/.config/containers/systemd/Authentik.env
 Network=slirp4netns:allow_host_loopback=true
@@ -12,7 +13,11 @@ UserNS=keep-id:uid=1000,gid=1000
 Volume=/var/lib/authentik/media:/media
 Volume=/var/lib/authentik/templates:/templates
 Volume=/var/lib/authentik/certs:/certs
+LogDriver=journald
 AutoUpdate=registry
 
+[Service]
+Restart=on-failure
+
 [Install]
 WantedBy=multi-user.target default.target

data/Plugins/Apps/Authentik/Authentik.conf.erb

@@ -1,7 +1,7 @@
 
 # Upstream where your authentik server is hosted.
-upstream authentik {
-    server localhost:19000;
+upstream <%= config['Name'] %> {
+    server <%= config['Server'] %>:19000;
 
     # Improve performance by keeping some connections alive.
     keepalive 10;
@@ -20,22 +20,27 @@ server {
         listen [::]:443 ssl http2;
     <% end %>
 
+    include config-lmm/gateway-errors.conf;
+    include config-lmm/security.conf;
     include config-lmm/ssl.conf;
 
     server_name <%= config['Domain'] %>;
 
-    access_log  /var/log/nginx/authentik.access.log;
-    error_log   /var/log/nginx/authentik.error.log;
+    <% if config['CertName'] %>
+        ssl_certificate "/etc/letsencrypt/live/<%= config['CertName'] %>/fullchain.pem";
+        ssl_certificate_key "/etc/letsencrypt/live/<%= config['CertName'] %>/privkey.pem";
+        ssl_trusted_certificate "/etc/letsencrypt/live/<%= config['CertName'] %>/chain.pem";
+    <% end %>
 
-    # Proxy site
     location / {
-        proxy_pass http://authentik;
+        proxy_pass http://<%= config['Name'] %>;
         include config-lmm/proxy.conf;
     }
 
     <% if config['Outposts'].to_a.include?('Proxy') %>
         location /outpost.goauthentik.io {
-            proxy_pass http://localhost:19010/outpost.goauthentik.io;
+            proxy_pass http://<%= config['Server'] %>:19010/outpost.goauthentik.io;
+            set $ProxyForwardedHost $http_x_authentik_host;
             include config-lmm/proxy.conf;
         }
     <% end %>

data/Plugins/Apps/Authentik/Authentik.lmm.rb

@@ -1,92 +1,257 @@
 
+require 'json'
+
 module ConfigLMM
     module LMM
-        class Authentik < Framework::NginxApp
+        class Authentik < Framework::Plugin
 
             USER = 'authentik'
             HOME_DIR = '/var/lib/authentik'
-            HOST_IP = '10.0.2.2'
 
             def actionAuthentikBuild(id, target, state, context, options)
-                self.writeNginxConfig(__dir__, 'Authentik', id, target, state, context, options)
+                Nginx.withConnection(local) do |nginxConnection|
+                    nginxConnection.writeConfig(__dir__, 'Authentik', target, state, context, options)
+                end
             end
 
             def actionAuthentikDeploy(id, target, activeState, context, options)
-                if target['Location'] && target['Location'] != '@me'
-                    uri = Addressable::URI.parse(target['Location'])
-                    case uri.scheme
-                    when 'ssh'
-                        self.class.sshStart(uri) do |ssh|
-                            self.prepareConfig(target, ssh)
-
-                            dbPassword = self.configurePostgreSQL(target['Database'], ssh)
-                            distroInfo = Framework::LinuxApp.currentDistroInfo(ssh)
-                            Framework::LinuxApp.configurePodmanServiceOverSSH(USER, HOME_DIR, 'Authentik IdP and SSO', distroInfo, ssh)
-                            self.class.sshExec!(ssh, "su --login #{USER} --shell /bin/sh --command 'mkdir -p ~/media'")
-                            self.class.sshExec!(ssh, "su --login #{USER} --shell /bin/sh --command 'mkdir -p ~/templates'")
-                            self.class.sshExec!(ssh, "su --login #{USER} --shell /bin/sh --command 'mkdir -p ~/certs'")
-
-                            path = Framework::LinuxApp::SYSTEMD_CONTAINERS_PATH.gsub('~', HOME_DIR)
-                            self.class.sshExec!(ssh, " echo 'AUTHENTIK_SECRET_KEY=#{SecureRandom.urlsafe_base64(60)}' > #{path}/Authentik.env")
-                            self.class.sshExec!(ssh, " echo 'AUTHENTIK_REDIS__HOST=#{HOST_IP}' >> #{path}/Authentik.env")
-                            self.class.sshExec!(ssh, " echo 'AUTHENTIK_POSTGRESQL__HOST=#{HOST_IP}' >> #{path}/Authentik.env")
-                            self.class.sshExec!(ssh, " echo 'AUTHENTIK_POSTGRESQL__PASSWORD=#{dbPassword}' >> #{path}/Authentik.env")
-                            self.class.sshExec!(ssh, "chown #{USER}:#{USER} #{path}/Authentik.env")
-                            self.class.sshExec!(ssh, "chmod 600 #{path}/Authentik.env")
-
-                            ssh.scp.upload!(__dir__ + '/Authentik-Server.container', path)
-                            ssh.scp.upload!(__dir__ + '/Authentik-Worker.container', path)
-                            self.class.sshExec!(ssh, "systemctl --user --machine=#{USER}@ daemon-reload")
-                            self.class.sshExec!(ssh, "systemctl --user --machine=#{USER}@ restart Authentik-Server")
-                            self.class.sshExec!(ssh, "systemctl --user --machine=#{USER}@ restart Authentik-Worker")
-
-                            Framework::LinuxApp.ensureServiceAutoStartOverSSH(NGINX_PACKAGE, ssh)
-                            self.writeNginxConfig(__dir__, 'Authentik', id, target, state, context, options)
-                            self.deployNginxConfig(id, target, activeState, context, options)
-                            Framework::LinuxApp.startServiceOverSSH(NGINX_PACKAGE, ssh)
-
-                            self.deployProxyOutpost(target, ssh)
+
+                if target['Location'].start_with?('http')
+                    apiURL = target['Location']
+                    configureAuthentik(apiURL, id, target, activeState, context, options)
+                else
+                    deployServerAndReverseProxy(id, target, activeState, context, options)
+                end
+            end
+
+            def deployServerAndReverseProxy(id, target, activeState, context, options)
+
+                self.withConnection(target['Location'], target) do |connection|
+                    Linux.withConnection(connection) do |linuxConnection|
+                        target['Database'] ||= {}
+                        target['Deploy'] = true unless target.key?('Deploy')
+
+                        if target['Deploy']
+                            if !target.key?('Proxy') || target['Proxy'] == false
+                                self.deployServer(linuxConnection, target, activeState, context, options)
+                                self.deployProxyOutpost(target, linuxConnection, options)
+                            end
+
+                            self.deployReverseProxy(id, linuxConnection, target, activeState, context, options)
                         end
-                    else
-                        raise Framework::PluginProcessError.new("#{id}: Unknown protocol: #{uri.scheme}!")
                     end
-                else
-                    # TODO
                 end
+
+                apiURL = "https://#{target['Domain']}/"
+                configureAuthentik(apiURL, id, target, activeState, context, options)
             end
 
-            def deployProxyOutpost(target, ssh = nil)
-                return unless target['Outposts'].to_a.include?('Proxy')
+            def deployServer(linuxConnection, target, activeState, context, options)
+                dbPassword = self.configurePostgreSQL(target['Database'], linuxConnection, options)
+
+                Podman.ensurePresent(linuxConnection, options)
+                Podman.createUser(USER, HOME_DIR, 'Authentik IdP and SSO', linuxConnection, options)
+                linuxConnection.withUserShell(USER) do |shell|
+                    shell.createDirs(options, '~/media', '~/templates', '~/certs')
+                end
+
+                path = Podman.containersPath(HOME_DIR)
+                secretKey = context.secrets.load(target['SecretId'], 'SECRET_KEY')
+                if secretKey.nil?
+                    secretKey = SecureRandom.urlsafe_base64(60)
+                    context.secrets.store(target['SecretId'], 'SECRET_KEY', secretKey) unless options['dry']
+                end
+                linuxConnection.fileWrite("#{path}/Authentik.env", "AUTHENTIK_SECRET_KEY=#{secretKey}", { **options, hide: true })
+
+                valkeyHost = Podman.updateHost(target['Valkey'].to_h['Host'])
+                linuxConnection.fileAppend("#{path}/Authentik.env", "AUTHENTIK_REDIS__HOST=#{valkeyHost}", options)
+                if target['Valkey'].to_h['SecretId']
+                    valkeyPassword = context.secrets.load(target['Valkey']['SecretId'], 'VALKEY_PASSWORD')
+                    if !valkeyPassword.nil?
+                        linuxConnection.fileAppend("#{path}/Authentik.env", "AUTHENTIK_REDIS__PASSWORD=#{valkeyPassword}", { **options, hide: true })
+                    end
+                end
+
+                postgresHost = Podman.updateHost(target['Database'].to_h['HostName'])
+                linuxConnection.fileAppend("#{path}/Authentik.env", "AUTHENTIK_POSTGRESQL__HOST=#{postgresHost}", options)
+                linuxConnection.fileAppend("#{path}/Authentik.env", "AUTHENTIK_POSTGRESQL__PASSWORD=#{dbPassword}", { **options, hide: true })
+
+                if !target['SMTP'].to_h.empty?
+                    host = target['SMTP']['Host']
+                    host = Podman::HOST_IP if host.to_s.empty? || ['localhost', '127.0.0.1'].include?(host)
+
+                    linuxConnection.fileAppend("#{path}/Authentik.env", "AUTHENTIK_EMAIL__HOST=#{host}", options)
+
+                    if target['SMTP']['Port']
+                        linuxConnection.fileAppend("#{path}/Authentik.env", "AUTHENTIK_EMAIL__PORT=#{target['SMTP']['Port']}", options)
+                    end
+
+                    if target['SMTP']['Username']
+                        linuxConnection.fileAppend("#{path}/Authentik.env", "AUTHENTIK_EMAIL__USERNAME=#{target['SMTP']['Username']}", options)
+                    end
 
-                path = Framework::LinuxApp::SYSTEMD_CONTAINERS_PATH.gsub('~', HOME_DIR)
-                self.class.exec("echo 'AUTHENTIK_HOST=https://#{target['Domain'].downcase}' > #{path}/ProxyOutpost.env", ssh)
-                self.class.exec("echo 'AUTHENTIK_INSECURE=false' >> #{path}/ProxyOutpost.env", ssh)
-                self.class.exec(" echo 'AUTHENTIK_TOKEN=#{ENV['AUTHENTIK_TOKEN']}' >> #{path}/ProxyOutpost.env", ssh)
-                self.class.exec("chown #{USER}:#{USER} #{path}/ProxyOutpost.env", ssh)
-                self.class.exec("chmod 600 #{path}/ProxyOutpost.env", ssh)
+                    if target['SMTP']['SecretId']
+                        smtpPassword = context.secrets.load(target['SMTP']['SecretId'], target['SMTP']['Username'].upcase + '_PASSWORD')
+                        linuxConnection.fileAppend("#{path}/Authentik.env", "AUTHENTIK_EMAIL__PASSWORD=#{smtpPassword}", { **options, hide: true })
+                    end
+
+                    if target['SMTP']['Port'] == 465
+                        linuxConnection.fileAppend("#{path}/Authentik.env", "AUTHENTIK_EMAIL__USE_TLS=true", options)
+                    end
 
-                if ssh.nil?
-                    self.class.exec("cp #{__dir__ + '/Authentik-ProxyOutpost.container'} #{path}/")
+                    if target['SMTP']['From']
+                        linuxConnection.fileAppend("#{path}/Authentik.env", "AUTHENTIK_EMAIL__FROM=#{target['SMTP']['From']}", options)
+                    end
                 else
-                    ssh.scp.upload!(__dir__ + '/Authentik-ProxyOutpost.container', path)
+                    linuxConnection.fileAppend("#{path}/Authentik.env", "AUTHENTIK_EMAIL__HOST=#{Podman::HOST_IP}", options)
                 end
 
-                self.class.exec("systemctl --user --machine=#{USER}@ daemon-reload", ssh)
-                self.class.exec("systemctl --user --machine=#{USER}@ restart Authentik-ProxyOutpost", ssh)
+                adminPassword = context.secrets.load(target['SecretId'], 'ADMIN_PASSWORD')
+                if adminPassword.nil?
+                    raise 'Missing Authentik Admin.EMail' unless target['Admin'].to_h.key?('EMail')
+                    adminPassword = SecureRandom.urlsafe_base64(30)
+                    if !options['dry']
+                        context.secrets.store(target['SecretId'], 'ADMIN_PASSWORD', adminPassword)
+                        context.secrets.print("Authentik Admin password", adminPassword)
+                    end
+                end
+                if target['Admin'].to_h.key?('EMail')
+                    email = target['Admin']['EMail']
+                    linuxConnection.fileAppend("#{path}/Authentik.env", "AUTHENTIK_BOOTSTRAP_EMAIL=#{email}", options)
+                    linuxConnection.fileAppend("#{path}/Authentik.env", "AUTHENTIK_BOOTSTRAP_PASSWORD=#{adminPassword}", { **options, hide: true })
+                end
+
+                adminToken = context.secrets.load(target['SecretId'], 'ADMIN_TOKEN')
+                if adminToken.nil?
+                    adminToken = SecureRandom.urlsafe_base64(60)
+                    if !options['dry']
+                        context.secrets.store(target['SecretId'], 'ADMIN_TOKEN', adminToken) unless options['dry']
+                        context.secrets.print("Authentik Admin token", adminToken)
+                    end
+                end
+                linuxConnection.fileAppend("#{path}/Authentik.env", "AUTHENTIK_BOOTSTRAP_TOKEN=#{adminToken}", { **options, hide: true })
+
+                linuxConnection.setUserGroup("#{path}/Authentik.env", USER, USER, options)
+                linuxConnection.setPrivate("#{path}/Authentik.env", options)
+
+                linuxConnection.upload(__dir__ + '/Authentik-Server.container', path, options)
+                linuxConnection.upload(__dir__ + '/Authentik-Worker.container', path, options)
+
+                if target['Proxy'] == false
+                    linuxConnection.fileReplace("#{path}/Authentik-Server.container", 'PublishPort=127.0.0.1:19000:', 'PublishPort=0.0.0.0:19000:', options)
+                    linuxConnection.firewallAddPort('19000/tcp', options)
+                end
+
+                linuxConnection.reloadUserServices(USER, options)
+                linuxConnection.restartUserService(USER, 'Authentik-Server', options)
+                linuxConnection.restartUserService(USER, 'Authentik-Worker', options)
+            end
+
+            def deployReverseProxy(id, linuxConnection, target, activeState, context, options)
+                if !target.key?('Proxy') || target['Proxy']
+                    raise Framework::PluginProcessError.new('Domain field must be set!') unless target['Domain']
+                    Nginx.withConnection(linuxConnection) do |nginxConnection|
+                        target['Server'] = '127.0.0.1' unless target['Server']
+                        target['ConfigName'] = target['Name']
+                        nginxConnection.provision(__dir__, 'Authentik', target, activeState, context, options)
+                    end
+                end
             end
 
-            def prepareConfig(target, ssh)
-              target['Database'] ||= {}
+            def configureAuthentik(apiURL, id, target, activeState, context, options)
+                if target['Groups'] || target['Providers'] || target['Applications']
+                    prompt.say('Configuring specified settings for Authentik is not implemented! You\'ll have to configure those manually.', :color => :magenta)
+                end
+            end
 
-              raise Framework::PluginProcessError.new('Domain field must be set!') unless target['Domain']
+            def waitTilReady(baseURL, target, linuxConnection, options)
+                if !options['dry']
+                    timeout = 3600 # 1h
+                    loop do
+                        begin
+                            linuxConnection.exec("curl --no-progress-meter --show-error --fail #{baseURL}/", false, options)
+                            break
+                        rescue
+                            timeout -= 30
+                        end
+                        raise "Timeout while waiting #{baseURL}/ to be ready!" if timeout <= 0
+                        sleep(30)
+                    end
+                end
+            end
 
-              Framework::LinuxApp.ensurePackages([NGINX_PACKAGE], ssh)
-              self.class.prepareNginxConfig(target, ssh)
+            def viewToken(baseURL, target, tokenIdentifier, adminToken, linuxConnection, options)
+                url = "#{baseURL}/api/v3/core/tokens/#{tokenIdentifier}/view_key/"
+                result = linuxConnection.http(url, options, { 'Authorization' => 'Bearer ' + adminToken })
+                data = JSON.parse(result)
+                return nil unless data['key']
+                data['key']
             end
 
-            def configurePostgreSQL(settings, ssh)
+            def loadProxyOutpostToken(baseURL, target, linuxConnection, options)
+                return '' if options['dry']
+                adminToken = context.secrets.load(target['SecretId'], 'ADMIN_TOKEN')
+                if adminToken.nil?
+                    prompt.say("Authentik Admin token missing! You need to set secret: #{context.secrets.getID(target['SecretId'], 'ADMIN_TOKEN')}", :color => :magenta)
+                    raise 'Authentik Admin token missing!'
+                end
+                url = "#{baseURL}/api/v3/outposts/instances/?name__iexact=authentik+Embedded+Outpost"
+                result = JSON.parse(linuxConnection.http(url, options, { 'Authorization' => 'Bearer ' + adminToken }))
+                if result['results'].to_a.empty?
+                    prompt.say(result, :color => :red)
+                    raise 'Failed to get Embedded Proxy Outpost info!'
+                end
+
+                tokenIdentifier = result['results'][0]['token_identifier']
+                tokenValue = viewToken(baseURL, target, tokenIdentifier, adminToken, linuxConnection, options)
+                raise 'Failed to get Embedded Proxy Outpost token!' if tokenValue.nil?
+                context.secrets.store(target['SecretId'], 'PROXYOUTPOST_TOKEN', tokenValue)
+                tokenValue
+            end
+
+            def deployProxyOutpost(target, linuxConnection, options)
+                return unless target['Outposts'].to_a.include?('Proxy')
+
+                proxyOutpostToken = context.secrets.load(target['SecretId'], 'PROXYOUTPOST_TOKEN')
+                if proxyOutpostToken.nil?
+                    baseURL = "http://127.0.0.1:19000"
+                    waitTilReady(baseURL, target, linuxConnection, options)
+                    proxyOutpostToken = loadProxyOutpostToken(baseURL, target, linuxConnection, options)
+                end
+
+                Podman.ensurePresent(linuxConnection, options)
+                path = Podman.containersPath(HOME_DIR)
+                linuxConnection.fileWrite("#{path}/ProxyOutpost.env", "AUTHENTIK_HOST=https://#{target['Domain'].downcase}", options)
+                linuxConnection.fileAppend("#{path}/ProxyOutpost.env", 'AUTHENTIK_INSECURE=false', options)
+                linuxConnection.fileAppend("#{path}/ProxyOutpost.env", "AUTHENTIK_TOKEN=#{proxyOutpostToken}", { **options, hide: true })
+                valkeyHost = Podman.updateHost(target['Valkey'].to_h['Host'])
+                linuxConnection.fileAppend("#{path}/ProxyOutpost.env", "AUTHENTIK_REDIS__HOST=#{valkeyHost}", options)
+                if target['Valkey'].to_h['SecretId']
+                    valkeyPassword = context.secrets.load(target['Valkey']['SecretId'], 'VALKEY_PASSWORD')
+                    if !valkeyPassword.nil?
+                        linuxConnection.fileAppend("#{path}/ProxyOutpost.env", "AUTHENTIK_REDIS__PASSWORD=#{valkeyPassword}", { **options, hide: true })
+                    end
+                end
+
+                linuxConnection.setUserGroup("#{path}/ProxyOutpost.env", USER, USER, options)
+                linuxConnection.setPrivate("#{path}/ProxyOutpost.env", options)
+
+                linuxConnection.upload(__dir__ + '/Authentik-ProxyOutpost.container', path)
+
+                if target['Proxy'] == false
+                    linuxConnection.fileReplace("#{path}/Authentik-ProxyOutpost.container", 'PublishPort=127.0.0.1:19010:', 'PublishPort=0.0.0.0:19010:', options)
+                    linuxConnection.firewallAddPort('19010/tcp', options)
+                end
+
+                linuxConnection.reloadUserServices(USER, options)
+                linuxConnection.restartUserService(USER, 'Authentik-ProxyOutpost', options)
+            end
+
+            def configurePostgreSQL(dbSettings, linuxConnection, options)
                 password = SecureRandom.alphanumeric(20)
-                PostgreSQL.createRemoteUserAndDBOverSSH(settings, USER, password, ssh)
+                PostgreSQL.withConnection(dbSettings, linuxConnection) do |postgresConnection|
+                    postgresConnection.createUserAndDB(USER, password, options)
+                end
                 password
             end
 

data/Plugins/Apps/BookStack/BookStack.conf.erb

@@ -22,9 +22,6 @@ server {
 
     server_name <%= config['Domain'] %>;
 
-    access_log  /var/log/nginx/bookstack.access.log;
-    error_log   /var/log/nginx/bookstack.error.log;
-
     include config-lmm/errors.conf;
     include config-lmm/security.conf;
 

data/Plugins/Apps/BookStack/BookStack.container

@@ -4,12 +4,17 @@ Description=BookStack container
 After=local-fs.target
 
 [Container]
+ContainerName=BookStack
 Image=ghcr.io/linuxserver/bookstack:latest
 EnvironmentFile=/var/lib/bookstack/.config/containers/systemd/BookStack.env
 Network=slirp4netns:allow_host_loopback=true
 PublishPort=127.0.0.1:18200:80
 Volume=/var/lib/bookstack/config:/config
+LogDriver=journald
 AutoUpdate=registry
 
+[Service]
+Restart=on-failure
+
 [Install]
 WantedBy=multi-user.target default.target

data/Plugins/Apps/BookStack/BookStack.lmm.rb

@@ -30,10 +30,16 @@ module ConfigLMM
                         self.class.exec(" echo 'APP_URL=https://#{target['Domain']}' >> #{path}/BookStack.env", ssh)
 
                         if target['OIDC'] && target['OIDC']['Issuer']
+
+                            secretId = target['OIDC']['SecretId']
+                            secretId = target['SecretId'] unless secretId
+                            clientId = context.secrets.load(secretId, 'OIDC_CLIENT_ID')
+                            clientSecret = context.secrets.load(secretId, 'OIDC_CLIENT_SECRET')
+
                             self.class.exec(" echo 'AUTH_METHOD=oidc' >> #{path}/BookStack.env", ssh)
                             self.class.exec(" echo 'AUTH_AUTO_INITIATE=true' >> #{path}/BookStack.env", ssh)
-                            self.class.exec(" echo 'OIDC_CLIENT_ID=#{ENV['BOOKSTACK_OIDC_CLIENT_ID']}' >> #{path}/BookStack.env", ssh)
-                            self.class.exec(" echo 'OIDC_CLIENT_SECRET=#{ENV['BOOKSTACK_OIDC_CLIENT_SECRET']}' >> #{path}/BookStack.env", ssh)
+                            self.class.exec(" echo 'OIDC_CLIENT_ID=#{clientId}' >> #{path}/BookStack.env", ssh)
+                            self.class.exec(" echo 'OIDC_CLIENT_SECRET=#{clientSecret}' >> #{path}/BookStack.env", ssh)
                             self.class.exec(" echo 'OIDC_ISSUER=#{target['OIDC']['Issuer']}' >> #{path}/BookStack.env", ssh)
                             self.class.exec(" echo 'OIDC_ISSUER_DISCOVER=true' >> #{path}/BookStack.env", ssh)
                             self.class.exec(" echo 'OIDC_USER_TO_GROUPS=true' >> #{path}/BookStack.env", ssh)
@@ -45,7 +51,12 @@ module ConfigLMM
                             self.class.exec(" echo 'MAIL_HOST=#{host}' >> #{path}/BookStack.env", ssh)
                             self.class.exec(" echo 'MAIL_PORT=#{target['SMTP']['Port']}' >> #{path}/BookStack.env", ssh)
                             self.class.exec(" echo 'MAIL_USERNAME=#{target['SMTP']['Username']}' >> #{path}/BookStack.env", ssh)
-                            self.class.exec(" echo 'MAIL_PASSWORD=#{ENV['BOOKSTACK_SMTP_PASSWORD']}' >> #{path}/BookStack.env", ssh)
+
+                            if target['SMTP']['SecretId'] && target['SMTP']['Username']
+                                smtpPassword = context.secrets.load(target['SMTP']['SecretId'], target['SMTP']['Username'].upcase + '_PASSWORD')
+                                self.class.exec(" echo 'MAIL_PASSWORD=#{smtpPassword}' >> #{path}/BookStack.env", ssh)
+                            end
+
                             self.class.exec(" echo 'MAIL_FROM=#{target['SMTP']['From']}' >> #{path}/BookStack.env", ssh)
                         end
 

data/Plugins/Apps/Cassandra/Cassandra.lmm.rb

@@ -6,36 +6,26 @@ module ConfigLMM
             SERVICE_NAME = 'cassandra'
 
             def actionCassandraDeploy(id, target, activeState, context, options)
-                plugins[:Linux].ensurePackage(PACKAGE_NAME, target['Location'])
-                plugins[:Linux].ensureServiceAutoStart(SERVICE_NAME, target['Location'])
+                self.withConnection(target['Location'], target) do |connection|
+                    Linux.withConnection(connection) do |linuxConnection|
+                        linuxConnection.ensurePackage(PACKAGE_NAME, options)
+                        linuxConnection.ensureServiceAutoStart(SERVICE_NAME, options)
 
-                if target['Location'] && target['Location'] != '@me'
-                    uri = Addressable::URI.parse(target['Location'])
-                    raise Framework::PluginProcessError.new("#{id}: Unknown Protocol: #{uri.scheme}!") if uri.scheme != 'ssh'
-
-                    self.class.sshStart(uri) do |ssh|
-                        distroInfo = Framework::LinuxApp.currentDistroInfo(ssh)
-                        configFile = '/etc/cassandra/cassandra.yaml'
-                        if distroInfo['Name'] == 'openSUSE Leap'
+                        if linuxConnection.distroInfo['Name'] == 'openSUSE Leap'
                             configFile = '/etc/cassandra/conf/cassandra.yaml'
                         end
 
-                        cmd = "sed -i 's|^uuid_sstable_identifiers_enabled:.*|uuid_sstable_identifiers_enabled: true|' #{configFile}"
-                        self.class.sshExec!(ssh, cmd)
+                        linuxConnection.fileReplace(configFile, '^uuid_sstable_identifiers_enabled:.*', 'uuid_sstable_identifiers_enabled: true', options)
                         if target['ClusterName']
-                            cmd = "sed -i 's|^cluster_name:.*|cluster_name: #{target['ClusterName']}|' #{configFile}"
-                            self.class.sshExec!(ssh, cmd)
+                            linuxConnection.fileReplace(configFile, '^cluster_name:.*', "cluster_name: #{target['ClusterName']}", options)
                         end
+
+                        linuxConnection.restartService(SERVICE_NAME, options)
                     end
-                else
-                    # TODO
                 end
-
-                plugins[:Linux].startService(SERVICE_NAME, target['Location'])
             end
 
         end
 
     end
 end
-

data/Plugins/Apps/ClickHouse/ClickHouse.container

@@ -0,0 +1,28 @@
+
+[Unit]
+Description=ClickHouse container
+After=local-fs.target
+
+[Container]
+ContainerName=ClickHouse
+Image=docker.io/clickhouse/clickhouse-server:latest
+EnvironmentFile=/var/lib/clickhouse/.config/containers/systemd/ClickHouse.env
+Network=slirp4netns:allow_host_loopback=true
+PublishPort=0.0.0.0:8123:8123
+PublishPort=0.0.0.0:19100:9000
+UserNS=keep-id:uid=1000,gid=1000
+Volume=/var/lib/clickhouse/server/config.d:/etc/clickhouse-server/config.d
+Volume=/var/lib/clickhouse/server/users.d:/etc/clickhouse-server/users.d
+Volume=/var/lib/clickhouse/data:/var/lib/clickhouse
+Volume=/var/lib/clickhouse/logs:/var/log/clickhouse-server
+LogDriver=journald
+AddCapability=IPC_LOCK
+AddCapability=SYS_NICE
+AutoUpdate=registry
+
+[Service]
+TimeoutStartSec=6min
+Restart=on-failure
+
+[Install]
+WantedBy=multi-user.target default.target