smartmachine 0.6.0 → 0.7.0

data/lib/smart_machine/logger.rb

@@ -0,0 +1,35 @@
+require "logger"
+
+$stdout.sync = true
+
+module SmartMachine
+	module Logger
+	  def logger
+	    @logger ||= SmartMachine::Logger.logger_for(self.class.name)
+	  end
+
+	  # Use a hash class-ivar to cache a unique Logger per class:
+	  @loggers = {}
+
+	  def self.included(base)
+		class << base
+			def logger
+			  @logger ||= SmartMachine::Logger.logger_for(self.name)
+			end
+		end
+	  end
+
+	  class << self
+	    def logger_for(classname)
+	      @loggers[classname] ||= configure_logger_for(classname)
+	    end
+
+	    def configure_logger_for(classname)
+	      logger = ::Logger.new($stdout)
+		  logger.level = ::Logger.const_get("#{SmartMachine.config.logger_level}".upcase)
+	      logger.progname = classname
+	      logger
+	    end
+	  end
+	end
+end

data/lib/smart_machine/machine.rb

@@ -0,0 +1,192 @@
+require "net/ssh"
+
+# The main SmartMachine Machine driver
+module SmartMachine
+	class Machine < SmartMachine::Base
+		def initialize
+		end
+
+		def create(*args)
+			args.flatten!
+
+			raise "Please specify a machine name" if args.empty?
+
+			name = args.shift
+			pathname = File.expand_path "./#{name}"
+
+			self.setup_dotsmartmachine(pathname)
+
+			puts "New machine #{name} has been created."
+		end
+
+		def init_local(*args)
+			args.flatten!
+
+			pathname = File.expand_path "~/.smartmachine"
+
+			if args.delete("--force")
+				puts "Removing all the data to reinitialize."
+				FileUtils.rmtree(pathname)
+			end
+
+			if Dir.exist?(pathname)
+				puts "SmartMachine Local already initialized. If you want to delete all the data and reinitialize, please use the --force option."
+				return
+			end
+
+			self.setup_dotsmartmachine(pathname)
+
+			puts "SmartMachine Local Initialised."
+		end
+
+		def installer(*args)
+			args.flatten!
+
+			action = args.shift
+
+			if args.empty? || args.include?("docker")
+				docker = SmartMachine::Docker.new
+				docker.public_send(action)
+			end
+
+			if args.empty? || args.include?("engine")
+				engine = SmartMachine::Engine.new
+				engine.public_send(action)
+			end
+
+			if args.empty? || args.include?("buildpacker")
+				buildpacker = SmartMachine::Buildpacker.new
+				buildpacker.public_send(action)
+			end
+
+			if args.empty? || args.include?("prereceiver")
+				prereceiver = SmartMachine::Grids::Prereceiver.new
+				prereceiver.public_send(action)
+			end
+
+			if args.empty? || args.include?("elasticsearch")
+				elasticsearch = SmartMachine::Grids::Elasticsearch.new
+				elasticsearch.public_send(action)
+			end
+		end
+
+		def grids(*args)
+			args.flatten!
+
+			if args.delete("--local")
+				exec "smartmachine runner grids #{args.join(" ")}"
+			else
+				ssh = SmartMachine::SSH.new
+				ssh.run "smartmachine runner grids #{args.join(" ")}"
+			end
+		end
+
+		def apps(*args)
+			args.flatten!
+
+			if args.delete("--local")
+				exec "smartmachine runner apps #{args.join(" ")}"
+			else
+				ssh = SmartMachine::SSH.new
+				ssh.run "smartmachine runner apps #{args.join(" ")}"
+			end
+		end
+
+		def ps(*args)
+			args.flatten!
+
+			if args.delete("--local")
+				exec "docker ps #{args.join(' ')}"
+			else
+				ssh = SmartMachine::SSH.new
+				ssh.run "docker ps #{args.join(' ')}"
+			end
+		end
+
+		def logs(*args)
+			args.flatten!
+
+			if args.delete("--local")
+				exec "docker logs #{args.join(' ')}"
+			else
+				ssh = SmartMachine::SSH.new
+				ssh.run "docker logs #{args.join(' ')}"
+			end
+		end
+
+		def ssh
+			ssh = SmartMachine::SSH.new
+			ssh.login
+		end
+
+		def getting_started
+			# puts 'You may be prompted to make a menu selection when the Grub package is updated on Ubuntu. If prompted, select keep the local version currently installed.'
+
+			# apt-get update && apt-get upgrade
+
+			# hostnamectl set-hostname example_hostname
+
+			# /etc/hosts
+			# 127.0.0.1 localhost.localdomain localhost
+			# 203.0.113.10 hostname.example.com hostname
+			# 2600:3c01::a123:b456:c789:d012 hostname.example.com hostname
+			# Add DNS records for IPv4 and IPv6 for ip addresses and their fully qualified domain names FQDN
+
+			# dpkg-reconfigure tzdata
+			# date
+		end
+
+		def securing_your_server
+			# sudo apt install unattended-upgrades
+
+			# sudo nano /etc/apt/apt.conf.d/20auto-upgrades
+			# APT::Periodic::Update-Package-Lists "1";
+			# APT::Periodic::Download-Upgradeable-Packages "1";
+			# APT::Periodic::AutocleanInterval "7";
+			# APT::Periodic::Unattended-Upgrade "1";
+
+			# sudo apt install apticron
+			# /etc/apticron/apticron.conf
+			# EMAIL="root@example.com"
+
+			# adduser example_user
+			# adduser example_user sudo
+
+			# mkdir -p ~/.ssh && sudo chmod -R 700 ~/.ssh/
+			# scp ~/.ssh/id_rsa.pub example_user@203.0.113.10:~/.ssh/authorized_keys
+			# sudo chmod -R 700 ~/.ssh && chmod 600 ~/.ssh/authorized_keys
+
+			# sudo nano /etc/ssh/sshd_config
+			# PermitRootLogin no
+			# PasswordAuthentication no
+			# echo 'AddressFamily inet' | sudo tee -a /etc/ssh/sshd_config
+			# sudo systemctl restart sshd
+
+			# sudo apt-get update && sudo apt-get upgrade -y
+			# sudo apt-get install fail2ban
+			# sudo apt-get install sendmail
+			# sudo ufw allow ssh
+			# sudo ufw enable
+			# sudo cp /etc/fail2ban/fail2ban.conf /etc/fail2ban/fail2ban.local
+			# sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
+			# Change destmail, sendername, sender
+			# Change action = %(action_mwl)s
+			# sudo fail2ban-client reload
+			# sudo fail2ban-client status
+		end
+
+		def in_local_machine_dir?
+			File.file?("./config/master.key")
+		end
+
+		def setup_dotsmartmachine(pathname)
+			FileUtils.mkdir pathname
+			FileUtils.cp_r "#{SmartMachine.config.root_path}/lib/smart_machine/templates/dotsmartmachine/.", pathname
+			FileUtils.chdir pathname do
+				credentials = SmartMachine::Credentials.new
+				credentials.create
+				system("git init && git add . && git commit -m 'initial commit'")
+			end	
+		end
+	end
+end

data/lib/smart_machine/ssh.rb

@@ -0,0 +1,43 @@
+require "net/ssh"
+
+# The main SmartMachine SSH driver
+module SmartMachine
+	class SSH < SmartMachine::Base
+		def initialize
+		end
+
+		def run(*commands)
+			commands.flatten!
+			Net::SSH.start(SmartMachine.credentials.machine[:address], SmartMachine.credentials.machine[:username], { port: SmartMachine.credentials.machine[:port], password: SmartMachine.credentials.machine[:password] }) do |ssh|
+				channel = ssh.open_channel do |channel, success|
+					channel.request_pty do |channel, success|
+						channel.exec commands.join(';') do |channel, success|
+							raise "Could not execute command" unless success
+
+							channel.on_data do |channel, data|
+								$stdout.print data
+
+								if data =~ /^\[sudo\] password for /
+									channel.send_data "#{SmartMachine.credentials.machine[:password]}\n"
+								end
+							end
+
+							channel.on_extended_data do |channel, type, data|
+								$stderr.print data
+							end
+
+							channel.on_close do |channel|
+								# puts "done!"
+							end
+						end
+					end
+				end
+				channel.wait
+			end
+		end
+
+		def login
+			exec "ssh #{SmartMachine.credentials.machine[:username]}@#{SmartMachine.credentials.machine[:address]}"
+		end
+	end
+end

data/lib/smart_machine/sync.rb

@@ -0,0 +1,108 @@
+module SmartMachine
+	class Sync < SmartMachine::Base
+
+		def run(**params)
+			puts "-----> Syncing SmartMachine"
+
+			only = params[:only] ? Array(params[:only]).flatten : [:push, :pull]
+
+			pull if only.include? :pull
+			yield if block_given?
+			push if only.include? :push
+
+			puts "-----> Syncing SmartMachine Complete"
+		end
+
+		private
+
+		def pull
+			print "-----> Sync pulling ... "
+			system("rsync -azumv --delete --include={#{pull_files_list}} --exclude=* -e ssh #{SmartMachine.credentials.machine[:username]}@#{SmartMachine.credentials.machine[:address]}:~/.smartmachine/ .")
+			puts "done"
+		end
+
+		def push
+			print "-----> Sync pushing ... "
+			system("rsync -azumv --delete --include={#{push_files_list}} --exclude=* -e ssh ./ #{SmartMachine.credentials.machine[:username]}@#{SmartMachine.credentials.machine[:address]}:~/.smartmachine")
+			puts "done"
+		end
+
+		def pull_files_list
+			files = [
+				'apps/***',
+
+				'bin/***',
+
+				'grids',
+
+				'grids/elasticsearch',
+				'grids/elasticsearch/data/***',
+				'grids/elasticsearch/logs/***',
+
+				'grids/minio',
+				'grids/minio/data/***',
+
+				'grids/mysql',
+				'grids/mysql/data/***',
+
+				'grids/nginx',
+				'grids/nginx/certificates/***',
+
+				'grids/solr',
+				'grids/solr/solr/***',
+			]
+			files.join(',')
+		end
+
+		def push_files_list
+			files = [
+				'apps',
+				'apps/containers',
+				'apps/containers/.keep',
+				'apps/repositories',
+				'apps/repositories/.keep',
+
+				'config',
+				'config/credentials.yml.enc',
+				'config/environment.rb',
+
+				'grids',
+
+				'grids/elasticsearch',
+				'grids/elasticsearch/data',
+				'grids/elasticsearch/data/.keep',
+				'grids/elasticsearch/logs',
+				'grids/elasticsearch/logs/.keep',
+
+				'grids/minio',
+				'grids/minio/data',
+				'grids/minio/data/.keep',
+
+				'grids/mysql',
+				'grids/mysql/data',
+				'grids/mysql/data/.keep',
+
+				'grids/nginx',
+				'grids/nginx/certificates',
+				'grids/nginx/certificates/.keep',
+				'grids/nginx/htpasswd/***',
+				'grids/nginx/fastcgi.conf',
+				'grids/nginx/nginx.tmpl',
+
+				'grids/prereceiver',
+				'grids/prereceiver/pre-receive',
+
+				'grids/redis',
+				'grids/redis/data',
+				'grids/redis/data/.keep',
+
+				'grids/solr',
+				'grids/solr/solr',
+				'grids/solr/solr/.keep',
+
+				'tmp/***',
+			]
+			files.join(',')
+		end
+	end
+end

data/lib/smart_machine/templates/dotsmartmachine/config/environment.rb

@@ -0,0 +1,18 @@
+# => NOTE: Ensure that the specified top-level domains are pointing to this server ip address using DNS records.
+# => Be sure to restart your server when you modify this file.
+
+# Top-level naked domain to be used for subdomains of apps.
+SmartMachine.config.apps_domain = "yourdomain.com"
+
+# domain to be used for git prereceiver
+SmartMachine.config.git_domain = "git.yourdomain.com"
+
+# Sysadmin email id.
+SmartMachine.config.sysadmin_email = "admin@yourdomain.com"
+
+# letsencrypt test boolean to be used
+SmartMachine.config.letsencrypt_test = false
+
+# logger level
+# DEBUG, INFO, WARN, ERROR, FATAL, UNKNOWN
+SmartMachine.config.logger_level = "INFO"

data/lib/smart_machine/templates/dotsmartmachine/config/users.yml

@@ -0,0 +1,4 @@
+# The username and password will be used by nginx to provide htpasswd based authentication for each of the domains specified.
+
+git.yourdomain.com:
+  yourname@yourdomain.com: yourpassword

data/lib/smart_machine/templates/dotsmartmachine/grids/nginx/fastcgi.conf

@@ -0,0 +1,11 @@
+client_max_body_size 0; # Git pushes can be massive, just to make sure nginx doesn't suddenly cut the connection add this. Setting to 0 disables checking of client_max_body_size
+fastcgi_buffering off; # disables buffering of responses from the FastCGI server on nginx
+
+include fastcgi_params; # Include the default fastcgi configs
+
+fastcgi_param NO_BUFFERING 1; # disables buffering on fcgiwrap
+fastcgi_param SCRIPT_FILENAME /usr/libexec/git-core/git-http-backend; # Tells fastcgi to pass the request to the git http backend executable.
+fastcgi_param PATH_INFO $uri; # Takes the capture group from our location directive and gives git that.
+fastcgi_param REMOTE_USER $remote_user; # Forward REMOTE_USER as we want to know when we are authenticated
+
+# IMPORTANT NOTE: Other required fastcgi_params have been defined as environment variables in the prereceiver container and hence need not be passed here.

data/lib/smart_machine/templates/dotsmartmachine/grids/nginx/nginx.tmpl

@@ -0,0 +1,373 @@
+{{ $CurrentContainer := where $ "ID" .Docker.CurrentContainerID | first }}
+
+{{ define "upstream" }}
+	{{ if .Address }}
+		{{/* If we got the containers from swarm and this container's port is published to host, use host IP:PORT */}}
+		{{ if and .Container.Node.ID .Address.HostPort }}
+			# {{ .Container.Node.Name }}/{{ .Container.Name }}
+			server {{ .Container.Node.Address.IP }}:{{ .Address.HostPort }};
+		{{/* If there is no swarm node or the port is not published on host, use container's IP:PORT */}}
+		{{ else if .Network }}
+			# {{ .Container.Name }}
+			server {{ .Network.IP }}:{{ .Address.Port }};
+		{{ end }}
+	{{ else if .Network }}
+		# {{ .Container.Name }}
+		{{ if .Network.IP }}
+			server {{ .Network.IP }} down;
+		{{ else }}
+			server 127.0.0.1 down;
+		{{ end }}
+	{{ end }}
+	
+{{ end }}
+
+# If we receive X-Forwarded-Proto, pass it through; otherwise, pass along the
+# scheme used to connect to this server
+map $http_x_forwarded_proto $proxy_x_forwarded_proto {
+  default $http_x_forwarded_proto;
+  ''      $scheme;
+}
+
+# If we receive X-Forwarded-Port, pass it through; otherwise, pass along the
+# server port the client connected to
+map $http_x_forwarded_port $proxy_x_forwarded_port {
+  default $http_x_forwarded_port;
+  ''      $server_port;
+}
+
+# If we receive Upgrade, set Connection to "upgrade"; otherwise, delete any
+# Connection header that may have been passed to this server
+map $http_upgrade $proxy_connection {
+  default upgrade;
+  '' close;
+}
+
+# Apply fix for very long server names
+server_names_hash_bucket_size 128;
+
+# Default dhparam
+{{ if (exists "/etc/nginx/dhparam/dhparam.pem") }}
+ssl_dhparam /etc/nginx/dhparam/dhparam.pem;
+{{ end }}
+
+# Set appropriate X-Forwarded-Ssl header
+map $scheme $proxy_x_forwarded_ssl {
+  default off;
+  https on;
+}
+
+gzip_types text/plain text/css application/javascript application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
+
+log_format vhost '$host $remote_addr - $remote_user [$time_local] '
+                 '"$request" $status $body_bytes_sent '
+                 '"$http_referer" "$http_user_agent"';
+
+access_log off;
+server_tokens off;
+
+# Default is client_max_body_size 1M
+client_max_body_size 5M;
+
+{{ if $.Env.RESOLVERS }}
+resolver {{ $.Env.RESOLVERS }};
+{{ end }}
+
+{{ if (exists "/etc/nginx/proxy.conf") }}
+include /etc/nginx/proxy.conf;
+{{ else }}
+# HTTP 1.1 support
+proxy_http_version 1.1;
+proxy_buffering off;
+proxy_set_header Host $http_host;
+proxy_set_header Upgrade $http_upgrade;
+proxy_set_header Connection $proxy_connection;
+proxy_set_header X-Real-IP $remote_addr;
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+proxy_set_header X-Forwarded-Proto $proxy_x_forwarded_proto;
+proxy_set_header X-Forwarded-Ssl $proxy_x_forwarded_ssl;
+proxy_set_header X-Forwarded-Port $proxy_x_forwarded_port;
+
+# Mitigate httpoxy attack (see README for details)
+proxy_set_header Proxy "";
+{{ end }}
+
+{{ $enable_ipv6 := eq (or ($.Env.ENABLE_IPV6) "") "true" }}
+server {
+	server_name _; # This is just an invalid value which will never trigger on a real hostname.
+	listen 80;
+	{{ if $enable_ipv6 }}
+	listen [::]:80;
+	{{ end }}
+	access_log /var/log/nginx/access.log vhost;
+	return 503;
+}
+
+{{ if (and (exists "/etc/nginx/certs/default.crt") (exists "/etc/nginx/certs/default.key")) }}
+server {
+	server_name _; # This is just an invalid value which will never trigger on a real hostname.
+	listen 443 ssl http2;
+	{{ if $enable_ipv6 }}
+	listen [::]:443 ssl http2;
+	{{ end }}
+	access_log /var/log/nginx/access.log vhost;
+	return 503;
+
+	ssl_session_tickets off;
+	ssl_certificate /etc/nginx/certs/default.crt;
+	ssl_certificate_key /etc/nginx/certs/default.key;
+}
+{{ end }}
+
+{{ range $host, $containers := groupByMulti $ "Env.VIRTUAL_HOST" "," }}
+
+{{ $host := trim $host }}
+{{ $is_regexp := hasPrefix "~" $host }}
+{{ $upstream_name := when $is_regexp (sha1 $host) $host }}
+
+# {{ $host }}
+upstream {{ $upstream_name }} {
+
+{{ range $container := $containers }}
+	{{ $addrLen := len $container.Addresses }}
+
+	{{ range $knownNetwork := $CurrentContainer.Networks }}
+		{{ range $containerNetwork := $container.Networks }}
+			{{ if (and (ne $containerNetwork.Name "ingress") (or (eq $knownNetwork.Name $containerNetwork.Name) (eq $knownNetwork.Name "host"))) }}
+				## Can be connected with "{{ $containerNetwork.Name }}" network
+
+				{{/* If only 1 port exposed, use that */}}
+				{{ if eq $addrLen 1 }}
+					{{ $address := index $container.Addresses 0 }}
+					{{ template "upstream" (dict "Container" $container "Address" $address "Network" $containerNetwork) }}
+				{{/* If more than one port exposed, use the one matching VIRTUAL_PORT env var, falling back to standard web port 80 */}}
+				{{ else }}
+					{{ $port := coalesce $container.Env.VIRTUAL_PORT "80" }}
+					{{ $address := where $container.Addresses "Port" $port | first }}
+					{{ template "upstream" (dict "Container" $container "Address" $address "Network" $containerNetwork) }}
+				{{ end }}
+			{{ else }}
+				# Cannot connect to network of this container
+				server 127.0.0.1 down;
+			{{ end }}
+		{{ end }}
+	{{ end }}
+{{ end }}
+}
+
+{{ $default_host := or ($.Env.DEFAULT_HOST) "" }}
+{{ $default_server := index (dict $host "" $default_host "default_server") $host }}
+
+{{/* Get the VIRTUAL_PROTO defined by containers w/ the same vhost, falling back to "http" */}}
+{{ $proto := trim (or (first (groupByKeys $containers "Env.VIRTUAL_PROTO")) "http") }}
+
+{{/* Get the NETWORK_ACCESS defined by containers w/ the same vhost, falling back to "external" */}}
+{{ $network_tag := or (first (groupByKeys $containers "Env.NETWORK_ACCESS")) "external" }}
+
+{{/* Get the HTTPS_METHOD defined by containers w/ the same vhost, falling back to "redirect" */}}
+{{ $https_method := or (first (groupByKeys $containers "Env.HTTPS_METHOD")) "redirect" }}
+
+{{/* Get the SSL_POLICY defined by containers w/ the same vhost, falling back to "Mozilla-Intermediate" */}}
+{{ $ssl_policy := or (first (groupByKeys $containers "Env.SSL_POLICY")) "Mozilla-Intermediate" }}
+
+{{/* Get the HSTS defined by containers w/ the same vhost, falling back to "max-age=31536000" */}}
+{{ $hsts := or (first (groupByKeys $containers "Env.HSTS")) "max-age=31536000" }}
+
+{{/* Get the VIRTUAL_ROOT By containers w/ use fastcgi root */}}
+{{ $vhost_root := or (first (groupByKeys $containers "Env.VIRTUAL_ROOT")) "/var/www/public" }}
+
+
+{{/* Get the first cert name defined by containers w/ the same vhost */}}
+{{ $certName := (first (groupByKeys $containers "Env.CERT_NAME")) }}
+
+{{/* Get the best matching cert  by name for the vhost. */}}
+{{ $vhostCert := (closest (dir "/etc/nginx/certs") (printf "%s.crt" $host))}}
+
+{{/* vhostCert is actually a filename so remove any suffixes since they are added later */}}
+{{ $vhostCert := trimSuffix ".crt" $vhostCert }}
+{{ $vhostCert := trimSuffix ".key" $vhostCert }}
+
+{{/* Use the cert specified on the container or fallback to the best vhost match */}}
+{{ $cert := (coalesce $certName $vhostCert) }}
+
+{{ $is_https := (and (ne $https_method "nohttps") (ne $cert "") (exists (printf "/etc/nginx/certs/%s.crt" $cert)) (exists (printf "/etc/nginx/certs/%s.key" $cert))) }}
+
+{{ if $is_https }}
+
+{{ if eq $https_method "redirect" }}
+server {
+	server_name {{ $host }};
+	listen 80 {{ $default_server }};
+	{{ if $enable_ipv6 }}
+	listen [::]:80 {{ $default_server }};
+	{{ end }}
+	access_log /var/log/nginx/access.log vhost;
+	return 301 https://$host$request_uri;
+}
+{{ end }}
+
+server {
+	server_name {{ $host }};
+	listen 443 ssl http2 {{ $default_server }};
+	{{ if $enable_ipv6 }}
+	listen [::]:443 ssl http2 {{ $default_server }};
+	{{ end }}
+	access_log /var/log/nginx/access.log vhost;
+
+	{{ if eq $network_tag "internal" }}
+	# Only allow traffic from internal clients
+	include /etc/nginx/network_internal.conf;
+	{{ end }}
+
+	{{ if eq $ssl_policy "Mozilla-Modern" }}
+	ssl_protocols TLSv1.2 TLSv1.3;
+	ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
+	{{ else if eq $ssl_policy "Mozilla-Intermediate" }}
+	ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
+	ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:!DSS';
+	{{ else if eq $ssl_policy "Mozilla-Old" }}
+	ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
+	ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:DES-CBC3-SHA:HIGH:SEED:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!RSAPSK:!aDH:!aECDH:!EDH-DSS-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!SRP';
+	{{ else if eq $ssl_policy "AWS-TLS-1-2-2017-01" }}
+	ssl_protocols TLSv1.2 TLSv1.3;
+	ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:AES128-GCM-SHA256:AES128-SHA256:AES256-GCM-SHA384:AES256-SHA256';
+	{{ else if eq $ssl_policy "AWS-TLS-1-1-2017-01" }}
+	ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;
+	ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA';
+	{{ else if eq $ssl_policy "AWS-2016-08" }}
+	ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
+	ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA';
+	{{ else if eq $ssl_policy "AWS-2015-05" }}
+	ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
+	ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:DES-CBC3-SHA';
+	{{ else if eq $ssl_policy "AWS-2015-03" }}
+	ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
+	ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:DHE-DSS-AES128-SHA:DES-CBC3-SHA';
+	{{ else if eq $ssl_policy "AWS-2015-02" }}
+	ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
+	ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:DHE-DSS-AES128-SHA';
+	{{ end }}
+
+	ssl_prefer_server_ciphers on;
+	ssl_session_timeout 5m;
+	ssl_session_cache shared:SSL:50m;
+	ssl_session_tickets off;
+
+	ssl_certificate /etc/nginx/certs/{{ (printf "%s.crt" $cert) }};
+	ssl_certificate_key /etc/nginx/certs/{{ (printf "%s.key" $cert) }};
+
+	{{ if (exists (printf "/etc/nginx/certs/%s.dhparam.pem" $cert)) }}
+	ssl_dhparam {{ printf "/etc/nginx/certs/%s.dhparam.pem" $cert }};
+	{{ end }}
+
+	{{ if (exists (printf "/etc/nginx/certs/%s.chain.pem" $cert)) }}
+	ssl_stapling on;
+	ssl_stapling_verify on;
+	ssl_trusted_certificate {{ printf "/etc/nginx/certs/%s.chain.pem" $cert }};
+	{{ end }}
+
+	{{ if (and (ne $https_method "noredirect") (ne $hsts "off")) }}
+	add_header Strict-Transport-Security "{{ trim $hsts }}" always;
+	{{ end }}
+
+	{{ if (exists (printf "/etc/nginx/vhost.d/%s" $host)) }}
+	include {{ printf "/etc/nginx/vhost.d/%s" $host }};
+	{{ else if (exists "/etc/nginx/vhost.d/default") }}
+	include /etc/nginx/vhost.d/default;
+	{{ end }}
+
+	location / {
+		{{ if eq $proto "uwsgi" }}
+		include uwsgi_params;
+		uwsgi_pass {{ trim $proto }}://{{ trim $upstream_name }};
+		{{ else if eq $proto "fastcgi" }}
+		root   {{ trim $vhost_root }};
+		include fastcgi.conf;
+		fastcgi_pass {{ trim $upstream_name }};
+		{{ else }}
+		set {{`$proxy_pass_url`}} {{ trim $proto }}://{{ trim $upstream_name }};
+		if ({{`$cookie_appenv`}}) {
+			set {{`$proxy_pass_url`}} {{ trim $proto }}://{{`$cookie_appenv`}}.{{ trim $upstream_name }};
+		}
+		proxy_pass {{`$proxy_pass_url`}};
+		{{ end }}
+
+		{{ if (exists (printf "/etc/nginx/htpasswd/%s" $host)) }}
+		auth_basic	"Restricted {{ $host }}";
+		auth_basic_user_file	{{ (printf "/etc/nginx/htpasswd/%s" $host) }};
+		{{ end }}
+		{{ if (exists (printf "/etc/nginx/vhost.d/%s_location" $host)) }}
+		include {{ printf "/etc/nginx/vhost.d/%s_location" $host}};
+		{{ else if (exists "/etc/nginx/vhost.d/default_location") }}
+		include /etc/nginx/vhost.d/default_location;
+		{{ end }}
+	}
+}
+
+{{ end }}
+
+{{ if or (not $is_https) (eq $https_method "noredirect") }}
+
+server {
+	server_name {{ $host }};
+	listen 80 {{ $default_server }};
+	{{ if $enable_ipv6 }}
+	listen [::]:80 {{ $default_server }};
+	{{ end }}
+	access_log /var/log/nginx/access.log vhost;
+
+	{{ if eq $network_tag "internal" }}
+	# Only allow traffic from internal clients
+	include /etc/nginx/network_internal.conf;
+	{{ end }}
+
+	{{ if (exists (printf "/etc/nginx/vhost.d/%s" $host)) }}
+	include {{ printf "/etc/nginx/vhost.d/%s" $host }};
+	{{ else if (exists "/etc/nginx/vhost.d/default") }}
+	include /etc/nginx/vhost.d/default;
+	{{ end }}
+
+	location / {
+		{{ if eq $proto "uwsgi" }}
+		include uwsgi_params;
+		uwsgi_pass {{ trim $proto }}://{{ trim $upstream_name }};
+		{{ else if eq $proto "fastcgi" }}
+		root   {{ trim $vhost_root }};
+		include fastcgi.conf;
+		fastcgi_pass {{ trim $upstream_name }};
+		{{ else }}
+		set {{`$proxy_pass_url`}} {{ trim $proto }}://{{ trim $upstream_name }};
+		if ({{`$cookie_appenv`}}) {
+			set {{`$proxy_pass_url`}} {{ trim $proto }}://{{`$cookie_appenv`}}.{{ trim $upstream_name }};
+		}
+		proxy_pass {{`$proxy_pass_url`}};
+		{{ end }}
+		{{ if (exists (printf "/etc/nginx/htpasswd/%s" $host)) }}
+		auth_basic	"Restricted {{ $host }}";
+		auth_basic_user_file	{{ (printf "/etc/nginx/htpasswd/%s" $host) }};
+		{{ end }}
+		{{ if (exists (printf "/etc/nginx/vhost.d/%s_location" $host)) }}
+		include {{ printf "/etc/nginx/vhost.d/%s_location" $host}};
+		{{ else if (exists "/etc/nginx/vhost.d/default_location") }}
+		include /etc/nginx/vhost.d/default_location;
+		{{ end }}
+	}
+}
+
+{{ if (and (not $is_https) (exists "/etc/nginx/certs/default.crt") (exists "/etc/nginx/certs/default.key")) }}
+server {
+	server_name {{ $host }};
+	listen 443 ssl http2 {{ $default_server }};
+	{{ if $enable_ipv6 }}
+	listen [::]:443 ssl http2 {{ $default_server }};
+	{{ end }}
+	access_log /var/log/nginx/access.log vhost;
+	return 500;
+
+	ssl_certificate /etc/nginx/certs/default.crt;
+	ssl_certificate_key /etc/nginx/certs/default.key;
+}
+{{ end }}
+
+{{ end }}
+{{ end }}