orchestration 0.3.8 → 0.3.9

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 8569b93a7b22313b5633bb0d396a31c8a718f24eaa09f7968a8facd20a749934
-  data.tar.gz: 14c9f928ebb9e19d4d5d437aa6e72c65d7c1cc3bfa56ff69ab42a81e23ce71c4
+  metadata.gz: 48a584dcfdfa1f9ef091d686a4ac83dac0fa56beea18a57fcd932e0e0afa4bab
+  data.tar.gz: 0fbb58d5067366eb986978285abc1f910c898f33eba18a7647a08455a583d226
 SHA512:
-  metadata.gz: 9297540aa796b86d44bb62f4e34c94a44bc24463f66dd01d2f744e016eb0598085a80cf5393c7c4932293918db9e3f6110cfa6150eb989432c01d5cf907df72a
-  data.tar.gz: affd54e64411b8f4f3be7096fc0525f25c50a1b46b4b3f01ae1588032cfe4c7e640fdc2c49890b1b63979da4fd3a8be5ed832af37760dbb5b774e0c28a994460
+  metadata.gz: 58e95bf102d2895a83eab7d14850a119492e17b427e81e05d373eeeda4459cabd1ed09038ba796140886399a750da2ef6bc7f2bf684ece9cca18a2e7f0a63219
+  data.tar.gz: 27d28ed0408efe5e88c323793b3feda57a5c29d9076aa6b28f78ee6da84e9fa609609e7e9cebee0e97ad309037b011434805b1b5670954eacda1031fb97bbeea

data/.gitignore

@@ -25,3 +25,5 @@ spec/dummy/config/unicorn.rb
 orchestration-*.gem
 
 .byebug_history
+
+TODO

data/README.md

@@ -11,7 +11,7 @@ _Orchestration_ is a toolkit for testing, building, and deploying _Ruby_ (includ
 Add _Orchestration_ to your Gemfile:
 
 ```ruby
-gem 'orchestration', '~> 0.3.8'
+gem 'orchestration', '~> 0.3.9'
 ```
 
 Install:

data/config/locales/en.yml

@@ -18,9 +18,9 @@ en:
       ready: "Mongo is ready."
       bad_config: "Unable to parse Mongo config: %{path}. Expected section for one of: %{expected}"
 
-    nginx_proxy:
-      waiting: "Waiting for Nginx proxy: %{config}"
-      ready: "Nginx proxy is ready."
+    haproxy:
+      waiting: "Waiting for HAProxy: %{config}"
+      ready: "HAProxy is ready."
 
     rabbitmq:
       waiting: "Waiting for RabbitMQ: %{config}"
@@ -53,8 +53,8 @@ en:
       mongo:
         wait: "Wait for Mongo to become available"
 
-      nginx_proxy:
-        wait: "Wait for Nginx proxy to become available"
+      haproxy:
+        wait: "Wait for HAProxy to become available"
 
       rabbitmq:
         wait: "Wait for RabbitMQ to become available"

data/lib/orchestration/docker_compose/app_service.rb

@@ -11,11 +11,7 @@ module Orchestration
       def definition
         {
           'image' => '${DOCKER_ORGANIZATION}/${DOCKER_REPOSITORY}',
-          'environment' => environment,
-          'expose' => [8080],
-          'volumes' => [
-            "#{@config.env.public_volume}:/app/public/:ro"
-          ]
+          'environment' => environment
         }
       end
 
@@ -23,17 +19,18 @@ module Orchestration
 
       def environment
         {
-          'DATABASE_URL' => @config.database_url,
           'RAILS_LOG_TO_STDOUT' => '1',
+          'RAILS_SERVE_STATIC_FILES' => '1',
           'UNICORN_PRELOAD_APP' => '1',
           'UNICORN_TIMEOUT' => '60',
           'UNICORN_WORKER_PROCESSES' => '8',
-          'VIRTUAL_PORT' => '8080'
+          'SERVICE_PORTS' => '8080'
         }.merge(inherited_environment)
       end
 
       def inherited_environment
         {
+          'DATABASE_URL' => nil,
           'HOST_UID' => nil,
           'RAILS_ENV' => nil,
           'SECRET_KEY_BASE' => nil,

data/lib/orchestration/docker_compose/configuration.rb

@@ -18,7 +18,7 @@ module Orchestration
       end
 
       def volumes
-        public_volume.merge(database_volume).merge(mongo_volume)
+        {}.merge(database_volume).merge(mongo_volume)
       end
 
       private
@@ -29,7 +29,7 @@ module Orchestration
           database: DatabaseService,
           mongo: MongoService,
           rabbitmq: RabbitMQService,
-          nginx_proxy: NginxProxyService
+          haproxy: HAProxyService
         }
       end
 
@@ -42,10 +42,6 @@ module Orchestration
         end.compact
       end
 
-      def public_volume
-        { @env.public_volume => {} }
-      end
-
       def database_volume
         return {} unless services.key?('database')
 

data/lib/orchestration/docker_compose/database_service.rb

@@ -35,7 +35,7 @@ module Orchestration
       end
 
       def volumes
-        return {} if @environment == :test
+        return {} unless @environment == :development
 
         { 'volumes' => ["#{volume}:#{@config.adapter.data_dir}"] }
       end

data/lib/orchestration/docker_compose/{nginx_proxy_service.rb → haproxy_service.rb}

@@ -2,7 +2,7 @@
 
 module Orchestration
   module DockerCompose
-    class NginxProxyService
+    class HAProxyService
       def initialize(config, environment)
         @environment = environment
         @config = config
@@ -10,11 +10,13 @@ module Orchestration
 
       def definition
         {
-          'image' => 'rubyorchestration/nginx-proxy',
+          'deploy' => {
+            'placement' => { 'constraints' => ['node.role == manager'] }
+          },
+          'image' => 'dockercloud/haproxy',
           'ports' => %w[${LISTEN_PORT}:80],
           'volumes' => [
-            '/var/run/docker.sock:/tmp/docker.sock:ro',
-            "#{@config.env.public_volume}:/var/www/public/:ro"
+            '/var/run/docker.sock:/var/run/docker.sock:ro'
           ]
         }
       end

data/lib/orchestration/docker_compose/install_generator.rb

@@ -53,7 +53,7 @@ module Orchestration
         {
           'version' => compose_config(environment).version,
           'services' => services(environment)
-        }.merge('volumes' => volumes(environment))
+        }
       end
 
       def services(environment)
@@ -79,7 +79,7 @@ module Orchestration
         when :test, :development
           %i[database mongo rabbitmq]
         when :production
-          %i[nginx_proxy app database mongo rabbitmq]
+          %i[haproxy app database mongo rabbitmq]
         when nil
           []
         else
@@ -99,7 +99,7 @@ module Orchestration
           database: Orchestration::Services::Database::Configuration,
           mongo: Orchestration::Services::Mongo::Configuration,
           rabbitmq: Orchestration::Services::RabbitMQ::Configuration,
-          nginx_proxy: Orchestration::Services::NginxProxy::Configuration
+          haproxy: Orchestration::Services::HAProxy::Configuration
         }.fetch(service).new(@env)
       end
 

data/lib/orchestration/docker_compose.rb

@@ -11,5 +11,5 @@ require 'orchestration/docker_compose/configuration'
 require 'orchestration/docker_compose/app_service'
 require 'orchestration/docker_compose/database_service'
 require 'orchestration/docker_compose/mongo_service'
-require 'orchestration/docker_compose/nginx_proxy_service'
+require 'orchestration/docker_compose/haproxy_service'
 require 'orchestration/docker_compose/rabbitmq_service'

data/lib/orchestration/services/configuration_base.rb

@@ -32,9 +32,9 @@ module Orchestration
       end
 
       def local_port
-        key = @service_name == 'app' ? 'nginx_proxy' : @service_name
+        key = @service_name == 'app' ? 'haproxy' : @service_name
 
-        return ENV.fetch('LISTEN_PORT', '3000').to_i if key == 'nginx_proxy'
+        return ENV.fetch('LISTEN_PORT', '3000').to_i if key == 'haproxy'
 
         @env.docker_compose_config
             .fetch('services')

data/lib/orchestration/services/{nginx_proxy → haproxy}/configuration.rb

@@ -2,11 +2,11 @@
 
 module Orchestration
   module Services
-    module NginxProxy
+    module HAProxy
       class Configuration
         include ConfigurationBase
 
-        self.service_name = 'nginx_proxy'
+        self.service_name = 'haproxy'
 
         def initialize(env, service_name = nil)
           super
@@ -14,7 +14,7 @@ module Orchestration
         end
 
         def friendly_config
-          "[nginx_proxy] #{host}:#{local_port}"
+          "[haproxy] #{host}:#{local_port}"
         end
       end
     end

data/lib/orchestration/services/{nginx_proxy → haproxy}/healthcheck.rb

@@ -2,7 +2,7 @@
 
 module Orchestration
   module Services
-    module NginxProxy
+    module HAProxy
       class Healthcheck
         include HealthcheckBase
 

data/lib/orchestration/services/haproxy.rb

@@ -0,0 +1,11 @@
+# frozen_string_literal: true
+
+module Orchestration
+  module Services
+    module HAProxy
+    end
+  end
+end
+
+require 'orchestration/services/haproxy/configuration'
+require 'orchestration/services/haproxy/healthcheck'

data/lib/orchestration/services.rb

@@ -12,5 +12,5 @@ require 'orchestration/services/app'
 require 'orchestration/services/database'
 require 'orchestration/services/listener'
 require 'orchestration/services/mongo'
-require 'orchestration/services/nginx_proxy'
+require 'orchestration/services/haproxy'
 require 'orchestration/services/rabbitmq'

data/lib/orchestration/templates/deploy.mk.erb

@@ -9,40 +9,45 @@ endif
 
 verify-environment:
 ifndef VIRTUAL_HOST
-        @$(error `VIRTUAL_HOST` must be defined in environment)
+  @$(error `VIRTUAL_HOST` must be defined in environment)
 endif
 
 ifndef LISTEN_PORT
-        @$(error `LISTEN_PORT` must be defined in environment)
+  @$(error `LISTEN_PORT` must be defined in environment)
 endif
 
 ifndef env
-        @$(error Either `env`, `RACK_ENV` or `RAILS_ENV` must be defined in environment)
+  @$(error Either `env`, `RACK_ENV` or `RAILS_ENV` must be defined in environment)
 endif
 
+project_name:=%%REPOSITORY%%_${env}
 compose_base:=env HOST_UID=$(shell id -u) \
               DOCKER_ORGANIZATION=%%ORGANIZATION%% \
               DOCKER_REPOSITORY=%%REPOSITORY%%:%%VERSION%% \
               docker-compose \
-              -p %%REPOSITORY%%_${env} \
+              -p ${project_name} \
               -f docker-compose.yml
 
 compose:=${compose_base} -f docker-compose.production.yml -f docker-compose.override.yml
 
 .PHONY: deploy
 deploy:
-	@echo "Deploying application to Docker swarm..."
-	@${compose} config | docker stack deploy -c - %%REPOSITORY%%_${env}
+ifndef manager
+	@$(error Missing `manager` parameter: `make deploy manager=swarm-manager.example.com`)
+else
+	@tar -cf - . | ssh ${manager} 'cd $$(mktemp -d) ; chmod 0700 . ; cat - | tar -x ; make deploy-stack ; rm -r $$(pwd)'
+endif
 
-.PHONY: stop
-stop:
-	@echo "Stopping containers..."
-	@${compose} down
+.PHONY: deploy-stack
+deploy-stack:
+	@${compose} config | docker stack deploy --prune --with-registry-auth -c - ${project_name}
 
-.PHONY: start
-start:
-	@echo "Launching application..."
-	@${compose} up -d --scale app=$${instances:-1}
+.PHONY: console
+service := app
+command := /bin/bash
+console:
+	@echo "Creating temporary container..."
+	@${compose} run --rm ${service} ${command}
 
 .PHONY: config
 config:
@@ -53,8 +58,13 @@ pull:
 	@${compose} pull
 
 .PHONY: logs
+service := app
 logs:
-	@${compose} logs -f
+ifndef manager
+        @$(error Missing `manager` parameter: `make logs manager=swarm-manager.example.com`)
+else
+	ssh ${manager} "docker service logs -f ${project_name}_${service}"
+endif
 
 .PHONY: migrate
 migrate:

data/lib/orchestration/templates/env.erb

@@ -1,6 +1,5 @@
-# Set VIRTUAL_HOST to whatever host(s) your application will be available on.
-# See https://github.com/jwilder/nginx-proxy for more details on this variable.
-VIRTUAL_HOST=localhost
-
-# Set the port your application will be available on (via Nginx proxy)
+# Your application will be available on this port when deployed to the Swarm:
 LISTEN_PORT=3000
+
+# Comma-separated list of hostnames your application will be available on:
+VIRTUAL_HOST=localhost

data/lib/orchestration/templates/orchestration.mk.erb

@@ -5,11 +5,13 @@ SHELL:=/bin/bash
 -include .env
 export
 
-ifneq (,$(RAILS_ENV))
+ifneq (,$(env))
+  env:=$(env)
+else ifneq (,$(RAILS_ENV))
   env:=$(RAILS_ENV)
 else ifneq (,$(RACK_ENV))
   env:=$(RACK_ENV)
-else ifeq (,$(env))
+else
   env:=development
 endif
 
@@ -92,13 +94,15 @@ bundle:
 .PHONY: migrate
 migrate:
 	@echo "Running migrations..."
-ifeq (${env},$(filter ${env},test development))
 	@(${rake} db:create && ${rake} db:migrate) || ${rake} db:migrate
-else
-	@${compose} run --rm app bin/rake db:migrate RAILS_ENV=${env}
-endif
 	@echo "Migrations complete."
 
+.PHONY: migrate-container
+migrate-container:
+	@echo "[app] Running migrations..."
+	@${compose} run --rm app make migrate env=${env}
+	@echo "[app] Migrations complete."
+
 ### Service healthcheck commands ###
 
 .PHONY: wait
@@ -132,10 +136,10 @@ endif
 
 ## Production wait commands
 
-.PHONY: wait-nginx_proxy
-wait-nginx_proxy:
+.PHONY: wait-haproxy
+wait-haproxy:
 ifneq (${env},$(filter ${env},test development))
-	@${rake} orchestration:nginx_proxy:wait LISTEN_PORT=${LISTEN_PORT}
+	@${rake} orchestration:haproxy:wait LISTEN_PORT=${LISTEN_PORT}
 endif
 
 .PHONY: wait-app

data/lib/orchestration/terminal.rb

@@ -22,6 +22,7 @@ module Orchestration
     def write(desc, message, color_name = nil, newline = true)
       output = newline ? "#{message}\n" : message.to_s
       STDOUT.print colorize(desc, output, color_name)
+      STDOUT.flush
     end
 
     def read(message, default = nil)

data/lib/orchestration/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Orchestration
-  VERSION = '0.3.8'
+  VERSION = '0.3.9'
 end

data/lib/tasks/orchestration.rake

@@ -29,10 +29,10 @@ namespace :orchestration do
     end
   end
 
-  namespace :nginx_proxy do
-    desc I18n.t('orchestration.rake.nginx_proxy.wait')
+  namespace :haproxy do
+    desc I18n.t('orchestration.rake.haproxy.wait')
     task :wait do
-      Orchestration::Services::NginxProxy::Healthcheck.start
+      Orchestration::Services::HAProxy::Healthcheck.start
     end
   end
 

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: orchestration
 version: !ruby/object:Gem::Version
-  version: 0.3.8
+  version: 0.3.9
 platform: ruby
 authors:
 - Bob Farrell
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2019-01-17 00:00:00.000000000 Z
+date: 2019-01-29 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: colorize
@@ -325,7 +325,6 @@ files:
 - Makefile
 - README.md
 - Rakefile
-- TODO
 - bin/console
 - bin/rspec
 - bin/rubocop
@@ -338,9 +337,9 @@ files:
 - lib/orchestration/docker_compose/app_service.rb
 - lib/orchestration/docker_compose/configuration.rb
 - lib/orchestration/docker_compose/database_service.rb
+- lib/orchestration/docker_compose/haproxy_service.rb
 - lib/orchestration/docker_compose/install_generator.rb
 - lib/orchestration/docker_compose/mongo_service.rb
-- lib/orchestration/docker_compose/nginx_proxy_service.rb
 - lib/orchestration/docker_compose/rabbitmq_service.rb
 - lib/orchestration/environment.rb
 - lib/orchestration/errors.rb
@@ -360,6 +359,9 @@ files:
 - lib/orchestration/services/database/adapters/sqlite3.rb
 - lib/orchestration/services/database/configuration.rb
 - lib/orchestration/services/database/healthcheck.rb
+- lib/orchestration/services/haproxy.rb
+- lib/orchestration/services/haproxy/configuration.rb
+- lib/orchestration/services/haproxy/healthcheck.rb
 - lib/orchestration/services/healthcheck_base.rb
 - lib/orchestration/services/listener.rb
 - lib/orchestration/services/listener/configuration.rb
@@ -367,9 +369,6 @@ files:
 - lib/orchestration/services/mongo.rb
 - lib/orchestration/services/mongo/configuration.rb
 - lib/orchestration/services/mongo/healthcheck.rb
-- lib/orchestration/services/nginx_proxy.rb
-- lib/orchestration/services/nginx_proxy/configuration.rb
-- lib/orchestration/services/nginx_proxy/healthcheck.rb
 - lib/orchestration/services/rabbitmq.rb
 - lib/orchestration/services/rabbitmq/configuration.rb
 - lib/orchestration/services/rabbitmq/healthcheck.rb
@@ -380,7 +379,6 @@ files:
 - lib/orchestration/templates/docker-compose.override.yml.erb
 - lib/orchestration/templates/entrypoint.sh.erb
 - lib/orchestration/templates/env.erb
-- lib/orchestration/templates/nginx.tmpl.erb
 - lib/orchestration/templates/orchestration.mk.erb
 - lib/orchestration/templates/unicorn.rb.erb
 - lib/orchestration/templates/yaml.bash.erb

data/TODO

@@ -1,24 +0,0 @@
-Refactor docker-compose services - these really belong in
-lib/orchestration/services/<service-name>/docker_compose.rb
-
-Add default logging section to each service ?
-
-Redis support
-
-Use `Paint` instead of `Colorize` for colouring output - better licensing and no
-monkeypatching `String` etc.
-
-Make unicorn `config.rb` resilient to database connectivity failures
-
-Group healthcheck rake tasks - run all at once in the same process. Create a
-master process that generates config files and calls each healthcheck in batch.
-
-Provide a way of declaratively configuring bespoke healthchecks.
-
-Auto-healthcheck any services with a local port bind using the Listener
-healthcheck.
-
-Add remote Docker swarm management.
-https://github.com/mikejmoore/docker-swarm-sdk
-
-Add scp and ssh execution of docker-compose bundle to servers.

data/lib/orchestration/services/nginx_proxy.rb

@@ -1,11 +0,0 @@
-# frozen_string_literal: true
-
-module Orchestration
-  module Services
-    module NginxProxy
-    end
-  end
-end
-
-require 'orchestration/services/nginx_proxy/configuration'
-require 'orchestration/services/nginx_proxy/healthcheck'

data/lib/orchestration/templates/nginx.tmpl.erb

@@ -1,364 +0,0 @@
-{{ $CurrentContainer := where $ "ID" .Docker.CurrentContainerID | first }}
-
-{{ define "upstream" }}
-	{{ if .Address }}
-		{{/* If we got the containers from swarm and this container's port is published to host, use host IP:PORT */}}
-		{{ if and .Container.Node.ID .Address.HostPort }}
-			# {{ .Container.Node.Name }}/{{ .Container.Name }}
-			server {{ .Container.Node.Address.IP }}:{{ .Address.HostPort }};
-		{{/* If there is no swarm node or the port is not published on host, use container's IP:PORT */}}
-		{{ else if .Network }}
-			# {{ .Container.Name }}
-			server {{ .Network.IP }}:{{ .Address.Port }};
-		{{ end }}
-	{{ else if .Network }}
-		# {{ .Container.Name }}
-		{{ if .Network.IP }}
-			server {{ .Network.IP }} down;
-		{{ else }}
-			server 127.0.0.1 down;
-		{{ end }}
-	{{ end }}
-	
-{{ end }}
-
-# If we receive X-Forwarded-Proto, pass it through; otherwise, pass along the
-# scheme used to connect to this server
-map $http_x_forwarded_proto $proxy_x_forwarded_proto {
-  default $http_x_forwarded_proto;
-  ''      $scheme;
-}
-
-# If we receive X-Forwarded-Port, pass it through; otherwise, pass along the
-# server port the client connected to
-map $http_x_forwarded_port $proxy_x_forwarded_port {
-  default $http_x_forwarded_port;
-  ''      $server_port;
-}
-
-# If we receive Upgrade, set Connection to "upgrade"; otherwise, delete any
-# Connection header that may have been passed to this server
-map $http_upgrade $proxy_connection {
-  default upgrade;
-  '' close;
-}
-
-# Apply fix for very long server names
-server_names_hash_bucket_size 128;
-
-# Default dhparam
-{{ if (exists "/etc/nginx/dhparam/dhparam.pem") }}
-ssl_dhparam /etc/nginx/dhparam/dhparam.pem;
-{{ end }}
-
-# Set appropriate X-Forwarded-Ssl header
-map $scheme $proxy_x_forwarded_ssl {
-  default off;
-  https on;
-}
-
-gzip_types text/plain text/css application/javascript application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
-
-log_format vhost '$host $remote_addr - $remote_user [$time_local] '
-                 '"$request" $status $body_bytes_sent '
-                 '"$http_referer" "$http_user_agent"';
-
-access_log off;
-
-{{ if $.Env.RESOLVERS }}
-resolver {{ $.Env.RESOLVERS }};
-{{ end }}
-
-{{ if (exists "/etc/nginx/proxy.conf") }}
-include /etc/nginx/proxy.conf;
-{{ else }}
-# HTTP 1.1 support
-proxy_http_version 1.1;
-proxy_buffering off;
-proxy_set_header Host $http_host;
-proxy_set_header Upgrade $http_upgrade;
-proxy_set_header Connection $proxy_connection;
-proxy_set_header X-Real-IP $remote_addr;
-proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-proxy_set_header X-Forwarded-Proto $proxy_x_forwarded_proto;
-proxy_set_header X-Forwarded-Ssl $proxy_x_forwarded_ssl;
-proxy_set_header X-Forwarded-Port $proxy_x_forwarded_port;
-
-# Mitigate httpoxy attack (see README for details)
-proxy_set_header Proxy "";
-{{ end }}
-
-{{ $enable_ipv6 := eq (or ($.Env.ENABLE_IPV6) "") "true" }}
-server {
-	server_name _; # This is just an invalid value which will never trigger on a real hostname.
-	listen 80;
-	{{ if $enable_ipv6 }}
-	listen [::]:80;
-	{{ end }}
-	access_log /var/log/nginx/access.log vhost;
-	return 503;
-}
-
-{{ if (and (exists "/etc/nginx/certs/default.crt") (exists "/etc/nginx/certs/default.key")) }}
-server {
-	server_name _; # This is just an invalid value which will never trigger on a real hostname.
-	listen 443 ssl http2;
-	{{ if $enable_ipv6 }}
-	listen [::]:443 ssl http2;
-	{{ end }}
-	access_log /var/log/nginx/access.log vhost;
-	return 503;
-
-	ssl_session_tickets off;
-	ssl_certificate /etc/nginx/certs/default.crt;
-	ssl_certificate_key /etc/nginx/certs/default.key;
-}
-{{ end }}
-
-{{ range $host, $containers := groupByMulti $ "Env.VIRTUAL_HOST" "," }}
-
-{{ $host := trim $host }}
-{{ $is_regexp := hasPrefix "~" $host }}
-{{ $upstream_name := when $is_regexp (sha1 $host) $host }}
-
-# {{ $host }}
-upstream {{ $upstream_name }} {
-
-{{ range $container := $containers }}
-	{{ $addrLen := len $container.Addresses }}
-
-	{{ range $knownNetwork := $CurrentContainer.Networks }}
-		{{ range $containerNetwork := $container.Networks }}
-			{{ if (and (ne $containerNetwork.Name "ingress") (or (eq $knownNetwork.Name $containerNetwork.Name) (eq $knownNetwork.Name "host"))) }}
-				## Can be connected with "{{ $containerNetwork.Name }}" network
-
-				{{/* If only 1 port exposed, use that */}}
-				{{ if eq $addrLen 1 }}
-					{{ $address := index $container.Addresses 0 }}
-					{{ template "upstream" (dict "Container" $container "Address" $address "Network" $containerNetwork) }}
-				{{/* If more than one port exposed, use the one matching VIRTUAL_PORT env var, falling back to standard web port 80 */}}
-				{{ else }}
-					{{ $port := coalesce $container.Env.VIRTUAL_PORT "80" }}
-					{{ $address := where $container.Addresses "Port" $port | first }}
-					{{ template "upstream" (dict "Container" $container "Address" $address "Network" $containerNetwork) }}
-				{{ end }}
-			{{ else }}
-				# Cannot connect to network of this container
-				server 127.0.0.1 down;
-			{{ end }}
-		{{ end }}
-	{{ end }}
-{{ end }}
-}
-
-{{ $default_host := or ($.Env.DEFAULT_HOST) "" }}
-{{ $default_server := index (dict $host "" $default_host "default_server") $host }}
-
-{{/* Get the VIRTUAL_PROTO defined by containers w/ the same vhost, falling back to "http" */}}
-{{ $proto := trim (or (first (groupByKeys $containers "Env.VIRTUAL_PROTO")) "http") }}
-
-{{/* Get the NETWORK_ACCESS defined by containers w/ the same vhost, falling back to "external" */}}
-{{ $network_tag := or (first (groupByKeys $containers "Env.NETWORK_ACCESS")) "external" }}
-
-{{/* Get the HTTPS_METHOD defined by containers w/ the same vhost, falling back to "redirect" */}}
-{{ $https_method := or (first (groupByKeys $containers "Env.HTTPS_METHOD")) "redirect" }}
-
-{{/* Get the SSL_POLICY defined by containers w/ the same vhost, falling back to "Mozilla-Intermediate" */}}
-{{ $ssl_policy := or (first (groupByKeys $containers "Env.SSL_POLICY")) "Mozilla-Intermediate" }}
-
-{{/* Get the HSTS defined by containers w/ the same vhost, falling back to "max-age=31536000" */}}
-{{ $hsts := or (first (groupByKeys $containers "Env.HSTS")) "max-age=31536000" }}
-
-{{/* Get the VIRTUAL_ROOT By containers w/ use fastcgi root */}}
-{{ $vhost_root := or (first (groupByKeys $containers "Env.VIRTUAL_ROOT")) "/var/www/public" }}
-
-
-{{/* Get the first cert name defined by containers w/ the same vhost */}}
-{{ $certName := (first (groupByKeys $containers "Env.CERT_NAME")) }}
-
-{{/* Get the best matching cert  by name for the vhost. */}}
-{{ $vhostCert := (closest (dir "/etc/nginx/certs") (printf "%s.crt" $host))}}
-
-{{/* vhostCert is actually a filename so remove any suffixes since they are added later */}}
-{{ $vhostCert := trimSuffix ".crt" $vhostCert }}
-{{ $vhostCert := trimSuffix ".key" $vhostCert }}
-
-{{/* Use the cert specified on the container or fallback to the best vhost match */}}
-{{ $cert := (coalesce $certName $vhostCert) }}
-
-{{ $is_https := (and (ne $https_method "nohttps") (ne $cert "") (exists (printf "/etc/nginx/certs/%s.crt" $cert)) (exists (printf "/etc/nginx/certs/%s.key" $cert))) }}
-
-{{ if $is_https }}
-
-{{ if eq $https_method "redirect" }}
-server {
-	server_name {{ $host }};
-	listen 80 {{ $default_server }};
-	{{ if $enable_ipv6 }}
-	listen [::]:80 {{ $default_server }};
-	{{ end }}
-	access_log /var/log/nginx/access.log vhost;
-	return 301 https://$host$request_uri;
-}
-{{ end }}
-
-server {
-	server_name {{ $host }};
-	listen 443 ssl http2 {{ $default_server }};
-	{{ if $enable_ipv6 }}
-	listen [::]:443 ssl http2 {{ $default_server }};
-	{{ end }}
-	access_log /var/log/nginx/access.log vhost;
-
-	{{ if eq $network_tag "internal" }}
-	# Only allow traffic from internal clients
-	include /etc/nginx/network_internal.conf;
-	{{ end }}
-
-	{{ if eq $ssl_policy "Mozilla-Modern" }}
-	ssl_protocols TLSv1.2 TLSv1.3;
-	ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
-	{{ else if eq $ssl_policy "Mozilla-Intermediate" }}
-	ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
-	ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:!DSS';
-	{{ else if eq $ssl_policy "Mozilla-Old" }}
-	ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
-	ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:DES-CBC3-SHA:HIGH:SEED:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!RSAPSK:!aDH:!aECDH:!EDH-DSS-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!SRP';
-	{{ else if eq $ssl_policy "AWS-TLS-1-2-2017-01" }}
-	ssl_protocols TLSv1.2 TLSv1.3;
-	ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:AES128-GCM-SHA256:AES128-SHA256:AES256-GCM-SHA384:AES256-SHA256';
-	{{ else if eq $ssl_policy "AWS-TLS-1-1-2017-01" }}
-	ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;
-	ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA';
-	{{ else if eq $ssl_policy "AWS-2016-08" }}
-	ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
-	ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA';
-	{{ else if eq $ssl_policy "AWS-2015-05" }}
-	ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
-	ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:DES-CBC3-SHA';
-	{{ else if eq $ssl_policy "AWS-2015-03" }}
-	ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
-	ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:DHE-DSS-AES128-SHA:DES-CBC3-SHA';
-	{{ else if eq $ssl_policy "AWS-2015-02" }}
-	ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
-	ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:DHE-DSS-AES128-SHA';
-	{{ end }}
-
-	ssl_prefer_server_ciphers on;
-	ssl_session_timeout 5m;
-	ssl_session_cache shared:SSL:50m;
-	ssl_session_tickets off;
-
-	ssl_certificate /etc/nginx/certs/{{ (printf "%s.crt" $cert) }};
-	ssl_certificate_key /etc/nginx/certs/{{ (printf "%s.key" $cert) }};
-
-	{{ if (exists (printf "/etc/nginx/certs/%s.dhparam.pem" $cert)) }}
-	ssl_dhparam {{ printf "/etc/nginx/certs/%s.dhparam.pem" $cert }};
-	{{ end }}
-
-	{{ if (exists (printf "/etc/nginx/certs/%s.chain.pem" $cert)) }}
-	ssl_stapling on;
-	ssl_stapling_verify on;
-	ssl_trusted_certificate {{ printf "/etc/nginx/certs/%s.chain.pem" $cert }};
-	{{ end }}
-
-	{{ if (and (ne $https_method "noredirect") (ne $hsts "off")) }}
-	add_header Strict-Transport-Security "{{ trim $hsts }}" always;
-	{{ end }}
-
-	{{ if (exists (printf "/etc/nginx/vhost.d/%s" $host)) }}
-	include {{ printf "/etc/nginx/vhost.d/%s" $host }};
-	{{ else if (exists "/etc/nginx/vhost.d/default") }}
-	include /etc/nginx/vhost.d/default;
-	{{ end }}
-
-        root /var/www/public;
-        try_files $uri @application;
-
-	location @application {
-		{{ if eq $proto "uwsgi" }}
-		include uwsgi_params;
-		uwsgi_pass {{ trim $proto }}://{{ trim $upstream_name }};
-		{{ else if eq $proto "fastcgi" }}
-		root   {{ trim $vhost_root }};
-		include fastcgi.conf;
-		fastcgi_pass {{ trim $upstream_name }};
-		{{ else }}
-		proxy_pass {{ trim $proto }}://{{ trim $upstream_name }};
-		{{ end }}
-
-		{{ if (exists (printf "/etc/nginx/htpasswd/%s" $host)) }}
-		auth_basic	"Restricted {{ $host }}";
-		auth_basic_user_file	{{ (printf "/etc/nginx/htpasswd/%s" $host) }};
-		{{ end }}
-		{{ if (exists (printf "/etc/nginx/vhost.d/%s_location" $host)) }}
-		include {{ printf "/etc/nginx/vhost.d/%s_location" $host}};
-		{{ else if (exists "/etc/nginx/vhost.d/default_location") }}
-		include /etc/nginx/vhost.d/default_location;
-		{{ end }}
-	}
-}
-
-{{ end }}
-
-{{ if or (not $is_https) (eq $https_method "noredirect") }}
-
-server {
-	server_name {{ $host }};
-	listen 80 {{ $default_server }};
-	{{ if $enable_ipv6 }}
-	listen [::]:80 {{ $default_server }};
-	{{ end }}
-	access_log /var/log/nginx/access.log vhost;
-
-	{{ if eq $network_tag "internal" }}
-	# Only allow traffic from internal clients
-	include /etc/nginx/network_internal.conf;
-	{{ end }}
-
-	{{ if (exists (printf "/etc/nginx/vhost.d/%s" $host)) }}
-	include {{ printf "/etc/nginx/vhost.d/%s" $host }};
-	{{ else if (exists "/etc/nginx/vhost.d/default") }}
-	include /etc/nginx/vhost.d/default;
-	{{ end }}
-
-        root /var/www/public;
-        try_files $uri @application;
-
-	location @application {
-		{{ if eq $proto "uwsgi" }}
-		include uwsgi_params;
-		uwsgi_pass {{ trim $proto }}://{{ trim $upstream_name }};
-		{{ else if eq $proto "fastcgi" }}
-		root   {{ trim $vhost_root }};
-		include fastcgi.conf;
-		fastcgi_pass {{ trim $upstream_name }};
-		{{ else }}
-		proxy_pass {{ trim $proto }}://{{ trim $upstream_name }};
-		{{ end }}
-
-		{{ if (exists (printf "/etc/nginx/vhost.d/%s_location" $host)) }}
-		include {{ printf "/etc/nginx/vhost.d/%s_location" $host}};
-		{{ else if (exists "/etc/nginx/vhost.d/default_location") }}
-		include /etc/nginx/vhost.d/default_location;
-		{{ end }}
-	}
-}
-
-{{ if (and (not $is_https) (exists "/etc/nginx/certs/default.crt") (exists "/etc/nginx/certs/default.key")) }}
-server {
-	server_name {{ $host }};
-	listen 443 ssl http2 {{ $default_server }};
-	{{ if $enable_ipv6 }}
-	listen [::]:443 ssl http2 {{ $default_server }};
-	{{ end }}
-	access_log /var/log/nginx/access.log vhost;
-	return 500;
-
-	ssl_certificate /etc/nginx/certs/default.crt;
-	ssl_certificate_key /etc/nginx/certs/default.key;
-}
-{{ end }}
-
-{{ end }}
-{{ end }}