smartcloud 0.0.31

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: 982fbbbb8176cc3e83d15e4000cf69ca284802aff03fffa2fc2c62c95d22a6c4
+  data.tar.gz: fd1a7457d386875d511ea14230c2ddf3b478c6e83525a4195f546559f3468963
+SHA512:
+  metadata.gz: 159495e559ed7b9df8ac7da9223a376f1d4d6dffc2ce139277218130c34602cbf593c93dd0c13065f6e1df3e29efa37b52e42fff76dd71d8e4c54de4c5e45ef3
+  data.tar.gz: 77cc97f167f992fd2c9d346744925665bc4c96671c3caefcb694bcb1a5b1eff9819554b544983e7a67e97cadc4b4293a3cc38c618fd1b94da06150dc9ea29157

data/MIT-LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2019 Timeboard
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

data/README.md

@@ -0,0 +1,79 @@
+# SmartCloud
+Smartcloud is a full-stack deployment framework for Rails optimized for programmer happiness and peaceful administration. It encourages natural simplicity by favoring convention over configuration.
+
+Deploy your Rails apps to your own server with - git push production master
+
+## How it Works
+
+After you run the below commands, you get.
+1. Setup of basic best practices of setting up and securing a VPS server.
+2. Setup and installation of Docker.
+3. Setup and installation of docker based Mysql, Solr, Nginx, App Runner.
+4. Deployment of your Rails apps to your own server with - git push production master
+
+## Setup a New Machine - Ubuntu 18.04 LTS
+1. Getting Started with Linode:
+```
+https://www.linode.com/docs/getting-started/
+```
+2. How to Secure Your Server:
+```
+https://www.linode.com/docs/security/securing-your-server/
+```
+
+## Install SmartCloud
+1. Install Ruby:
+```
+$ sudo apt-get install ruby-full
+```
+2. Add gem executables to PATH (remember to check ruby version in the path):
+```
+$ echo 'export PATH="$PATH:$HOME/.gem/ruby/2.5.0/bin"' >> ~/.bashrc && source ~/.bashrc
+```
+3. Install smartcloud for current user:
+```
+$ gem install smartcloud --user-install
+```
+4. Initialize smartcloud:
+```
+$ smartcloud init
+```
+
+<!--
+## TODO - Setup Machine
+1. Getting Started and Securing your Server:
+```
+$ smartcloud machine install
+```
+-->
+
+## Install Docker
+1. Run docker install command:
+```
+$ smartcloud docker install
+```
+2. Add UFW rules for Docker as specified at the end of installation.
+
+## Starting Grids as per Choice
+1. Start mysql grid:
+```
+$ smartcloud grids mysql up
+```
+2. Start solr grid:
+```
+$ smartcloud grids solr up
+```
+3. Start nginx grid:
+```
+$ smartcloud grids nginx up
+```
+4. Start runner grid:
+```
+$ smartcloud grids runner up
+```
+
+## TODO - Creating New App
+1. Creating a new bare app on the server:
+```
+$ smartcloud apps create <USERNAME> <APPNAME>
+```

data/bin/runner

@@ -0,0 +1,20 @@
+#!/usr/bin/env ruby
+
+require 'smartcloud'
+
+if ARGV[0] == 'prereceive'
+	raise "Please provide appname, username, oldrev, newrev and refname" unless ARGV[1] && ARGV[2] && ARGV[3] && ARGV[4] && ARGV[5]
+	Smartcloud::Grids::Runner.prereceive_app(ARGV[1], ARGV[2], ARGV[3], ARGV[4], ARGV[5])
+elsif ARGV[0] == 'apps'
+	raise "Please provide appname" unless ARGV[2]
+	if ARGV[1] == 'create'
+		raise "Please provide username" unless ARGV[3]
+		Smartcloud::Grids::Runner.create_app(ARGV[2], ARGV[3])
+	elsif ARGV[1] == 'start'
+		Smartcloud::Grids::Runner.start_app(ARGV[2])
+	elsif ARGV[1] == 'stop'
+		Smartcloud::Grids::Runner.stop_app(ARGV[2])
+	elsif ARGV[1] == 'destroy'
+		Smartcloud::Grids::Runner.destroy_app(ARGV[2])
+	end
+end

data/bin/smartcloud

@@ -0,0 +1,54 @@
+#!/usr/bin/env ruby
+
+require 'smartcloud'
+
+if ARGV[0] == 'init'
+	Smartcloud::Boot.init
+elsif !Smartcloud::Boot.initialized?
+	puts "Smartcloud has not been initialized. Please run command 'smartcloud init'."
+	exit
+end
+
+if ARGV[0] == 'docker'
+	if ARGV[1] == 'install'
+		Smartcloud::Docker.install
+	elsif ARGV[1] == 'uninstall'
+		Smartcloud::Docker.uninstall
+	end
+elsif ARGV[0] == 'grids'
+	if ARGV[1] == 'runner'
+		if ARGV[2] == 'up'
+			Smartcloud::Grids::Runner.up
+		elsif ARGV[2] == 'down'
+			Smartcloud::Grids::Runner.down
+		end
+	elsif ARGV[1] == 'mysql'
+		if ARGV[2] == 'up'
+			Smartcloud::Grids::Mysql.up(ARGV[3])
+		elsif ARGV[2] == 'down'
+			Smartcloud::Grids::Mysql.down
+		end
+	elsif ARGV[1] == 'nginx'
+		if ARGV[2] == 'up'
+			Smartcloud::Grids::Nginx.up(ARGV[3])
+		elsif ARGV[2] == 'down'
+			Smartcloud::Grids::Nginx.down
+		end
+	elsif ARGV[1] == 'solr'
+		if ARGV[2] == 'up'
+			Smartcloud::Grids::Solr.up(ARGV[3])
+		elsif ARGV[2] == 'down'
+			Smartcloud::Grids::Solr.down
+		elsif ARGV[2] == 'create_core'
+			Smartcloud::Grids::Solr.create_core(ARGV[3])
+		elsif ARGV[2] == 'destroy_core'
+			Smartcloud::Grids::Solr.destroy_core(ARGV[3])
+		end
+	end
+# elsif ARGV[0] == 'user'
+# 	if ARGV[1] == 'create'
+# 		Smartcloud::User.create(ARGV[2], ARGV[3], ARGV[4])
+# 	elsif ARGV[1] == 'destroy'
+# 		Smartcloud::User.destroy(ARGV[2], ARGV[3])
+# 	end
+end

data/lib/smartcloud.rb

@@ -0,0 +1,16 @@
+require "ostruct"
+
+# The main Smartcloud driver
+module Smartcloud
+	def self.config
+		@@config ||= OpenStruct.new
+	end
+end
+
+Smartcloud.config.root_path = File.expand_path('../..', __FILE__)
+Smartcloud.config.user_home_path = File.expand_path('~')
+if File.exist?("#{Smartcloud.config.user_home_path}/.smartcloud/config/environment.rb")
+	require "#{Smartcloud.config.user_home_path}/.smartcloud/config/environment"
+end
+
+require 'smartcloud/boot'

data/lib/smartcloud/boot.rb

@@ -0,0 +1,93 @@
+require 'securerandom'
+require "tempfile"
+
+# The main Smartcloud Boot driver
+module Smartcloud
+	class Boot
+		def initialize
+		end
+
+		def self.init
+			# Copy Template for dotsmartcloud
+			unless self.initialized?
+				puts "Initializing Smartcloud ...\n\n"
+
+				begin
+					print "Enter top-level apps domain to be used for subdomains of your apps. [Recommended: yourdomain.com]: "
+					config_apps_domain = STDIN.gets.chomp
+					raise if config_apps_domain.empty?
+				rescue
+					retry
+				end
+
+				begin
+					print "Enter sysadmin email id. [Recommended: admin@#{config_apps_domain}]: "
+					config_sysadmin_email = STDIN.gets.chomp
+					raise if config_sysadmin_email.empty?
+				rescue
+					retry
+				end
+
+				begin
+					print "Enter username for your git grid user. [Recommended: git@#{config_apps_domain}]: "
+					username = STDIN.gets.chomp
+					raise if username.empty?
+				rescue
+					retry
+				end
+
+				print "Enter password for your git grid user. (leave blank to generate automatically) [Recommended: Minimum 8 characters with numbers and symbols]: "
+				password = STDIN.gets.chomp
+				if password.empty?
+					password = SecureRandom.base64(8)
+				end
+
+				# Copy dotsmartcloud template to user home directory
+				FileUtils.cp_r("#{Smartcloud.config.root_path}/lib/smartcloud/templates/dotsmartcloud", "#{Smartcloud.config.user_home_path}/.smartcloud")
+
+				# modifying environment.rb file
+				tempFile = Tempfile.new("#{Smartcloud.config.user_home_path}/.smartcloud/config/environmentTemp.rb")
+				File.open("#{Smartcloud.config.user_home_path}/.smartcloud/config/environment.rb", "r").each_line do |line|
+					if line =~ /Smartcloud.config.apps_domain/
+						tempFile.puts "Smartcloud.config.apps_domain = \"#{config_apps_domain}\""
+					elsif line =~ /Smartcloud.config.git_domain/
+						tempFile.puts "Smartcloud.config.git_domain = \"git.#{config_apps_domain}\""
+					elsif line =~ /Smartcloud.config.sysadmin_email/
+						tempFile.puts "Smartcloud.config.sysadmin_email = \"#{config_sysadmin_email}\""
+					else
+						tempFile.puts line
+					end
+				end
+				tempFile.close
+				FileUtils.mv(tempFile.path, "#{Smartcloud.config.user_home_path}/.smartcloud/config/environment.rb")			
+
+				# Reload the updated environment.rb file as it is required by methods below
+				require "#{Smartcloud.config.user_home_path}/.smartcloud/config/environment.rb"
+				
+				# creating user for git grid at config.git_domain
+				Smartcloud::User.create(Smartcloud.config.git_domain, username, password)
+
+				puts "\nIMPORTANT NOTE: Please ensure that the required top-level apps domain '#{Smartcloud.config.apps_domain}' and git domain '#{Smartcloud.config.git_domain}' is pointing to this server using DNS Records before proceeding."
+				puts "IMPORTANT NOTE: Your git grid password is #{password} for username #{username}"
+
+				puts "\nInitializing Smartcloud ... done"
+			else
+				puts "Already Initialized. Please go to #{Smartcloud.config.user_home_path}/.smartcloud/config to make configuration changes."
+			end
+		end
+
+		def self.initialized?
+			Dir.exist? "#{Smartcloud.config.user_home_path}/.smartcloud"
+		end
+	end
+end
+
+require 'smartcloud/machine'
+require 'smartcloud/docker'
+
+require 'smartcloud/grids/nginx'
+require 'smartcloud/grids/runner'
+require 'smartcloud/grids/solr'
+require 'smartcloud/grids/mysql'
+
+require 'smartcloud/user'

data/lib/smartcloud/docker.rb

@@ -0,0 +1,120 @@
+# The main Smartcloud Docker driver
+module Smartcloud
+	class Docker
+		def initialize
+		end
+
+		# Installing Docker!
+		#
+		# Example:
+		#   >> Docker.install
+		#   => Installation Complete
+		#
+		# Arguments:
+		#   none
+		def self.install
+			puts "-----> Installing Docker"
+			system("sudo apt-get update")
+			system("sudo apt-get install apt-transport-https ca-certificates curl software-properties-common")
+			system("curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add -")
+			system("sudo apt-key fingerprint 0EBFCD88")
+			system("sudo add-apt-repository \"deb [arch=amd64] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable\"")
+			system("sudo apt-get update")
+			system("sudo apt-get install docker-ce")
+			system("sudo usermod -aG docker $USER")
+			system("docker run --rm hello-world")
+
+			puts "-----> Installing Docker Compose"
+			system("sudo curl -L --fail https://github.com/docker/compose/releases/download/1.24.0/run.sh -o /usr/local/bin/docker-compose")
+			system("sudo chmod +x /usr/local/bin/docker-compose")
+			system("docker-compose --version")
+			system("sudo curl -L https://raw.githubusercontent.com/docker/compose/1.24.0/contrib/completion/bash/docker-compose -o /etc/bash_completion.d/docker-compose")
+
+			self.add_ufw_rules
+
+			puts "-----> Installation Complete"
+		end
+
+		# Uninstalling Docker!
+		#
+		# Example:
+		#   >> Docker.uninstall
+		#   => Uninstallation Complete
+		#
+		# Arguments:
+		#   none
+		def self.uninstall
+			puts "-----> Uninstalling Docker Compose"
+			system("sudo rm /usr/local/bin/docker-compose")
+
+			puts "-----> Uninstalling Docker"
+			system("sudo apt-get purge docker-ce")
+			system("sudo rm -rf /var/lib/docker")
+
+			self.remove_ufw_rules
+
+			puts "-----> Uninstallation Complete"
+			puts "-----> You must delete any edited configuration files manually."
+		end
+
+		def self.running?
+			if system("docker info", [:out, :err] => File::NULL)
+				true
+			else
+				puts "Error: Docker daemon is not running. Have you installed docker? Please ensure docker daemon is running and try again."
+				false
+			end
+		end
+
+		def self.add_ufw_rules
+			puts '-----> Add the following rules to the end of the file /etc/ufw/after.rules and reload ufw using - sudo ufw reload'
+			puts '# BEGIN UFW AND DOCKER
+			*filter
+			:ufw-user-forward - [0:0]
+			:DOCKER-USER - [0:0]
+			-A DOCKER-USER -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+			-A DOCKER-USER -m conntrack --ctstate INVALID -j DROP
+			-A DOCKER-USER -i eth0 -j ufw-user-forward
+			-A DOCKER-USER -i eth0 -j DROP
+			COMMIT
+			# END UFW AND DOCKER'
+
+			# puts "-----> Adding UFW rules for Docker"
+			# interface_name = system("ip route show | sed -e 's/^default via [0-9.]* dev \(\w\+\).*/\1/'")
+			# puts interface_name
+
+			# system("sed '/^# BEGIN UFW AND DOCKER/,/^# END UFW AND DOCKER/d' '/etc/ufw/after.rules'")
+			# system("sudo tee -a '/etc/ufw/after.rules' > /dev/null <<EOT
+			# # BEGIN UFW AND DOCKER
+			# *filter
+			# :ufw-user-forward - [0:0]
+			# :DOCKER-USER - [0:0]
+			# -A DOCKER-USER -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+			# -A DOCKER-USER -m conntrack --ctstate INVALID -j DROP
+			# -A DOCKER-USER -i eth0 -j ufw-user-forward
+			# -A DOCKER-USER -i eth0 -j DROP
+			# COMMIT
+			# # END UFW AND DOCKER
+			# EOT")
+			# system("sudo ufw reload")
+		end
+
+		def self.remove_ufw_rules
+			puts '-----> Remove the following rules at the end of the file /etc/ufw/after.rules and reload ufw using - sudo ufw reload'
+			puts '# BEGIN UFW AND DOCKER
+			*filter
+			:ufw-user-forward - [0:0]
+			:DOCKER-USER - [0:0]
+			-A DOCKER-USER -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+			-A DOCKER-USER -m conntrack --ctstate INVALID -j DROP
+			-A DOCKER-USER -i eth0 -j ufw-user-forward
+			-A DOCKER-USER -i eth0 -j DROP
+			COMMIT
+			# END UFW AND DOCKER'
+
+			# puts "-----> Removing UFW rules for Docker"
+			# system("sed '/^# BEGIN UFW AND DOCKER/,/^# END UFW AND DOCKER/d' '/etc/ufw/after.rules'")
+			# system("sudo ufw reload")
+		end
+	end
+end

data/lib/smartcloud/grids/grid-nginx/fastcgi.conf

@@ -0,0 +1,9 @@
+client_max_body_size 0; # Git pushes can be massive, just to make sure nginx doesn't suddenly cut the connection add this.
+
+include fastcgi_params; # Include the default fastcgi configs
+
+fastcgi_param SCRIPT_FILENAME /usr/libexec/git-core/git-http-backend; # Tells fastcgi to pass the request to the git http backend executable.
+fastcgi_param GIT_HTTP_EXPORT_ALL "";
+fastcgi_param GIT_PROJECT_ROOT /.smartcloud/grids/grid-runner/apps/repositories; # is the location of all of your git repositories.
+fastcgi_param PATH_INFO $uri; # Takes the capture group from our location directive and gives git that.
+fastcgi_param REMOTE_USER $remote_user; # Forward REMOTE_USER as we want to know when we are authenticated

data/lib/smartcloud/grids/grid-nginx/nginx.tmpl

@@ -0,0 +1,373 @@
+{{ $CurrentContainer := where $ "ID" .Docker.CurrentContainerID | first }}
+
+{{ define "upstream" }}
+	{{ if .Address }}
+		{{/* If we got the containers from swarm and this container's port is published to host, use host IP:PORT */}}
+		{{ if and .Container.Node.ID .Address.HostPort }}
+			# {{ .Container.Node.Name }}/{{ .Container.Name }}
+			server {{ .Container.Node.Address.IP }}:{{ .Address.HostPort }};
+		{{/* If there is no swarm node or the port is not published on host, use container's IP:PORT */}}
+		{{ else if .Network }}
+			# {{ .Container.Name }}
+			server {{ .Network.IP }}:{{ .Address.Port }};
+		{{ end }}
+	{{ else if .Network }}
+		# {{ .Container.Name }}
+		{{ if .Network.IP }}
+			server {{ .Network.IP }} down;
+		{{ else }}
+			server 127.0.0.1 down;
+		{{ end }}
+	{{ end }}
+	
+{{ end }}
+
+# If we receive X-Forwarded-Proto, pass it through; otherwise, pass along the
+# scheme used to connect to this server
+map $http_x_forwarded_proto $proxy_x_forwarded_proto {
+  default $http_x_forwarded_proto;
+  ''      $scheme;
+}
+
+# If we receive X-Forwarded-Port, pass it through; otherwise, pass along the
+# server port the client connected to
+map $http_x_forwarded_port $proxy_x_forwarded_port {
+  default $http_x_forwarded_port;
+  ''      $server_port;
+}
+
+# If we receive Upgrade, set Connection to "upgrade"; otherwise, delete any
+# Connection header that may have been passed to this server
+map $http_upgrade $proxy_connection {
+  default upgrade;
+  '' close;
+}
+
+# Apply fix for very long server names
+server_names_hash_bucket_size 128;
+
+# Default dhparam
+{{ if (exists "/etc/nginx/dhparam/dhparam.pem") }}
+ssl_dhparam /etc/nginx/dhparam/dhparam.pem;
+{{ end }}
+
+# Set appropriate X-Forwarded-Ssl header
+map $scheme $proxy_x_forwarded_ssl {
+  default off;
+  https on;
+}
+
+gzip_types text/plain text/css application/javascript application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
+
+log_format vhost '$host $remote_addr - $remote_user [$time_local] '
+                 '"$request" $status $body_bytes_sent '
+                 '"$http_referer" "$http_user_agent"';
+
+access_log off;
+server_tokens off;
+
+# Default is client_max_body_size 1M
+client_max_body_size 5M;
+
+{{ if $.Env.RESOLVERS }}
+resolver {{ $.Env.RESOLVERS }};
+{{ end }}
+
+{{ if (exists "/etc/nginx/proxy.conf") }}
+include /etc/nginx/proxy.conf;
+{{ else }}
+# HTTP 1.1 support
+proxy_http_version 1.1;
+proxy_buffering off;
+proxy_set_header Host $http_host;
+proxy_set_header Upgrade $http_upgrade;
+proxy_set_header Connection $proxy_connection;
+proxy_set_header X-Real-IP $remote_addr;
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+proxy_set_header X-Forwarded-Proto $proxy_x_forwarded_proto;
+proxy_set_header X-Forwarded-Ssl $proxy_x_forwarded_ssl;
+proxy_set_header X-Forwarded-Port $proxy_x_forwarded_port;
+
+# Mitigate httpoxy attack (see README for details)
+proxy_set_header Proxy "";
+{{ end }}
+
+{{ $enable_ipv6 := eq (or ($.Env.ENABLE_IPV6) "") "true" }}
+server {
+	server_name _; # This is just an invalid value which will never trigger on a real hostname.
+	listen 80;
+	{{ if $enable_ipv6 }}
+	listen [::]:80;
+	{{ end }}
+	access_log /var/log/nginx/access.log vhost;
+	return 503;
+}
+
+{{ if (and (exists "/etc/nginx/certs/default.crt") (exists "/etc/nginx/certs/default.key")) }}
+server {
+	server_name _; # This is just an invalid value which will never trigger on a real hostname.
+	listen 443 ssl http2;
+	{{ if $enable_ipv6 }}
+	listen [::]:443 ssl http2;
+	{{ end }}
+	access_log /var/log/nginx/access.log vhost;
+	return 503;
+
+	ssl_session_tickets off;
+	ssl_certificate /etc/nginx/certs/default.crt;
+	ssl_certificate_key /etc/nginx/certs/default.key;
+}
+{{ end }}
+
+{{ range $host, $containers := groupByMulti $ "Env.VIRTUAL_HOST" "," }}
+
+{{ $host := trim $host }}
+{{ $is_regexp := hasPrefix "~" $host }}
+{{ $upstream_name := when $is_regexp (sha1 $host) $host }}
+
+# {{ $host }}
+upstream {{ $upstream_name }} {
+
+{{ range $container := $containers }}
+	{{ $addrLen := len $container.Addresses }}
+
+	{{ range $knownNetwork := $CurrentContainer.Networks }}
+		{{ range $containerNetwork := $container.Networks }}
+			{{ if (and (ne $containerNetwork.Name "ingress") (or (eq $knownNetwork.Name $containerNetwork.Name) (eq $knownNetwork.Name "host"))) }}
+				## Can be connected with "{{ $containerNetwork.Name }}" network
+
+				{{/* If only 1 port exposed, use that */}}
+				{{ if eq $addrLen 1 }}
+					{{ $address := index $container.Addresses 0 }}
+					{{ template "upstream" (dict "Container" $container "Address" $address "Network" $containerNetwork) }}
+				{{/* If more than one port exposed, use the one matching VIRTUAL_PORT env var, falling back to standard web port 80 */}}
+				{{ else }}
+					{{ $port := coalesce $container.Env.VIRTUAL_PORT "80" }}
+					{{ $address := where $container.Addresses "Port" $port | first }}
+					{{ template "upstream" (dict "Container" $container "Address" $address "Network" $containerNetwork) }}
+				{{ end }}
+			{{ else }}
+				# Cannot connect to network of this container
+				server 127.0.0.1 down;
+			{{ end }}
+		{{ end }}
+	{{ end }}
+{{ end }}
+}
+
+{{ $default_host := or ($.Env.DEFAULT_HOST) "" }}
+{{ $default_server := index (dict $host "" $default_host "default_server") $host }}
+
+{{/* Get the VIRTUAL_PROTO defined by containers w/ the same vhost, falling back to "http" */}}
+{{ $proto := trim (or (first (groupByKeys $containers "Env.VIRTUAL_PROTO")) "http") }}
+
+{{/* Get the NETWORK_ACCESS defined by containers w/ the same vhost, falling back to "external" */}}
+{{ $network_tag := or (first (groupByKeys $containers "Env.NETWORK_ACCESS")) "external" }}
+
+{{/* Get the HTTPS_METHOD defined by containers w/ the same vhost, falling back to "redirect" */}}
+{{ $https_method := or (first (groupByKeys $containers "Env.HTTPS_METHOD")) "redirect" }}
+
+{{/* Get the SSL_POLICY defined by containers w/ the same vhost, falling back to "Mozilla-Intermediate" */}}
+{{ $ssl_policy := or (first (groupByKeys $containers "Env.SSL_POLICY")) "Mozilla-Intermediate" }}
+
+{{/* Get the HSTS defined by containers w/ the same vhost, falling back to "max-age=31536000" */}}
+{{ $hsts := or (first (groupByKeys $containers "Env.HSTS")) "max-age=31536000" }}
+
+{{/* Get the VIRTUAL_ROOT By containers w/ use fastcgi root */}}
+{{ $vhost_root := or (first (groupByKeys $containers "Env.VIRTUAL_ROOT")) "/var/www/public" }}
+
+
+{{/* Get the first cert name defined by containers w/ the same vhost */}}
+{{ $certName := (first (groupByKeys $containers "Env.CERT_NAME")) }}
+
+{{/* Get the best matching cert  by name for the vhost. */}}
+{{ $vhostCert := (closest (dir "/etc/nginx/certs") (printf "%s.crt" $host))}}
+
+{{/* vhostCert is actually a filename so remove any suffixes since they are added later */}}
+{{ $vhostCert := trimSuffix ".crt" $vhostCert }}
+{{ $vhostCert := trimSuffix ".key" $vhostCert }}
+
+{{/* Use the cert specified on the container or fallback to the best vhost match */}}
+{{ $cert := (coalesce $certName $vhostCert) }}
+
+{{ $is_https := (and (ne $https_method "nohttps") (ne $cert "") (exists (printf "/etc/nginx/certs/%s.crt" $cert)) (exists (printf "/etc/nginx/certs/%s.key" $cert))) }}
+
+{{ if $is_https }}
+
+{{ if eq $https_method "redirect" }}
+server {
+	server_name {{ $host }};
+	listen 80 {{ $default_server }};
+	{{ if $enable_ipv6 }}
+	listen [::]:80 {{ $default_server }};
+	{{ end }}
+	access_log /var/log/nginx/access.log vhost;
+	return 301 https://$host$request_uri;
+}
+{{ end }}
+
+server {
+	server_name {{ $host }};
+	listen 443 ssl http2 {{ $default_server }};
+	{{ if $enable_ipv6 }}
+	listen [::]:443 ssl http2 {{ $default_server }};
+	{{ end }}
+	access_log /var/log/nginx/access.log vhost;
+
+	{{ if eq $network_tag "internal" }}
+	# Only allow traffic from internal clients
+	include /etc/nginx/network_internal.conf;
+	{{ end }}
+
+	{{ if eq $ssl_policy "Mozilla-Modern" }}
+	ssl_protocols TLSv1.2 TLSv1.3;
+	ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
+	{{ else if eq $ssl_policy "Mozilla-Intermediate" }}
+	ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
+	ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:!DSS';
+	{{ else if eq $ssl_policy "Mozilla-Old" }}
+	ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
+	ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:DES-CBC3-SHA:HIGH:SEED:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!RSAPSK:!aDH:!aECDH:!EDH-DSS-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!SRP';
+	{{ else if eq $ssl_policy "AWS-TLS-1-2-2017-01" }}
+	ssl_protocols TLSv1.2 TLSv1.3;
+	ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:AES128-GCM-SHA256:AES128-SHA256:AES256-GCM-SHA384:AES256-SHA256';
+	{{ else if eq $ssl_policy "AWS-TLS-1-1-2017-01" }}
+	ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;
+	ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA';
+	{{ else if eq $ssl_policy "AWS-2016-08" }}
+	ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
+	ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA';
+	{{ else if eq $ssl_policy "AWS-2015-05" }}
+	ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
+	ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:DES-CBC3-SHA';
+	{{ else if eq $ssl_policy "AWS-2015-03" }}
+	ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
+	ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:DHE-DSS-AES128-SHA:DES-CBC3-SHA';
+	{{ else if eq $ssl_policy "AWS-2015-02" }}
+	ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
+	ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:DHE-DSS-AES128-SHA';
+	{{ end }}
+
+	ssl_prefer_server_ciphers on;
+	ssl_session_timeout 5m;
+	ssl_session_cache shared:SSL:50m;
+	ssl_session_tickets off;
+
+	ssl_certificate /etc/nginx/certs/{{ (printf "%s.crt" $cert) }};
+	ssl_certificate_key /etc/nginx/certs/{{ (printf "%s.key" $cert) }};
+
+	{{ if (exists (printf "/etc/nginx/certs/%s.dhparam.pem" $cert)) }}
+	ssl_dhparam {{ printf "/etc/nginx/certs/%s.dhparam.pem" $cert }};
+	{{ end }}
+
+	{{ if (exists (printf "/etc/nginx/certs/%s.chain.pem" $cert)) }}
+	ssl_stapling on;
+	ssl_stapling_verify on;
+	ssl_trusted_certificate {{ printf "/etc/nginx/certs/%s.chain.pem" $cert }};
+	{{ end }}
+
+	{{ if (and (ne $https_method "noredirect") (ne $hsts "off")) }}
+	add_header Strict-Transport-Security "{{ trim $hsts }}" always;
+	{{ end }}
+
+	{{ if (exists (printf "/etc/nginx/vhost.d/%s" $host)) }}
+	include {{ printf "/etc/nginx/vhost.d/%s" $host }};
+	{{ else if (exists "/etc/nginx/vhost.d/default") }}
+	include /etc/nginx/vhost.d/default;
+	{{ end }}
+
+	location / {
+		{{ if eq $proto "uwsgi" }}
+		include uwsgi_params;
+		uwsgi_pass {{ trim $proto }}://{{ trim $upstream_name }};
+		{{ else if eq $proto "fastcgi" }}
+		root   {{ trim $vhost_root }};
+		include fastcgi.conf;
+		fastcgi_pass {{ trim $upstream_name }};
+		{{ else }}
+		set {{`$proxy_pass_url`}} {{ trim $proto }}://{{ trim $upstream_name }};
+		if ({{`$cookie_appenv`}}) {
+			set {{`$proxy_pass_url`}} {{ trim $proto }}://{{`$cookie_appenv`}}.{{ trim $upstream_name }};
+		}
+		proxy_pass {{`$proxy_pass_url`}};
+		{{ end }}
+
+		{{ if (exists (printf "/etc/nginx/htpasswd/%s" $host)) }}
+		auth_basic	"Restricted {{ $host }}";
+		auth_basic_user_file	{{ (printf "/etc/nginx/htpasswd/%s" $host) }};
+		{{ end }}
+		{{ if (exists (printf "/etc/nginx/vhost.d/%s_location" $host)) }}
+		include {{ printf "/etc/nginx/vhost.d/%s_location" $host}};
+		{{ else if (exists "/etc/nginx/vhost.d/default_location") }}
+		include /etc/nginx/vhost.d/default_location;
+		{{ end }}
+	}
+}
+
+{{ end }}
+
+{{ if or (not $is_https) (eq $https_method "noredirect") }}
+
+server {
+	server_name {{ $host }};
+	listen 80 {{ $default_server }};
+	{{ if $enable_ipv6 }}
+	listen [::]:80 {{ $default_server }};
+	{{ end }}
+	access_log /var/log/nginx/access.log vhost;
+
+	{{ if eq $network_tag "internal" }}
+	# Only allow traffic from internal clients
+	include /etc/nginx/network_internal.conf;
+	{{ end }}
+
+	{{ if (exists (printf "/etc/nginx/vhost.d/%s" $host)) }}
+	include {{ printf "/etc/nginx/vhost.d/%s" $host }};
+	{{ else if (exists "/etc/nginx/vhost.d/default") }}
+	include /etc/nginx/vhost.d/default;
+	{{ end }}
+
+	location / {
+		{{ if eq $proto "uwsgi" }}
+		include uwsgi_params;
+		uwsgi_pass {{ trim $proto }}://{{ trim $upstream_name }};
+		{{ else if eq $proto "fastcgi" }}
+		root   {{ trim $vhost_root }};
+		include fastcgi.conf;
+		fastcgi_pass {{ trim $upstream_name }};
+		{{ else }}
+		set {{`$proxy_pass_url`}} {{ trim $proto }}://{{ trim $upstream_name }};
+		if ({{`$cookie_appenv`}}) {
+			set {{`$proxy_pass_url`}} {{ trim $proto }}://{{`$cookie_appenv`}}.{{ trim $upstream_name }};
+		}
+		proxy_pass {{`$proxy_pass_url`}};
+		{{ end }}
+		{{ if (exists (printf "/etc/nginx/htpasswd/%s" $host)) }}
+		auth_basic	"Restricted {{ $host }}";
+		auth_basic_user_file	{{ (printf "/etc/nginx/htpasswd/%s" $host) }};
+		{{ end }}
+		{{ if (exists (printf "/etc/nginx/vhost.d/%s_location" $host)) }}
+		include {{ printf "/etc/nginx/vhost.d/%s_location" $host}};
+		{{ else if (exists "/etc/nginx/vhost.d/default_location") }}
+		include /etc/nginx/vhost.d/default_location;
+		{{ end }}
+	}
+}
+
+{{ if (and (not $is_https) (exists "/etc/nginx/certs/default.crt") (exists "/etc/nginx/certs/default.key")) }}
+server {
+	server_name {{ $host }};
+	listen 443 ssl http2 {{ $default_server }};
+	{{ if $enable_ipv6 }}
+	listen [::]:443 ssl http2 {{ $default_server }};
+	{{ end }}
+	access_log /var/log/nginx/access.log vhost;
+	return 500;
+
+	ssl_certificate /etc/nginx/certs/default.crt;
+	ssl_certificate_key /etc/nginx/certs/default.key;
+}
+{{ end }}
+
+{{ end }}
+{{ end }}