@drumee/setup-infra 1.0.0

package/templates/etc/prosody/defaults/prosody.cfg.lua

@@ -0,0 +1,225 @@
+{{ $LOG_LEVEL := .Env.LOG_LEVEL | default "info" }}
+{{ $XMPP_PORT := .Env.XMPP_PORT | default "5222" -}}
+{{ $ENABLE_IPV6 := .Env.ENABLE_IPV6 | default "true" | toBool -}}
+{{ $GC_TYPE := .Env.GC_TYPE | default "incremental" -}}
+{{ $GC_INC_TH := .Env.GC_INC_TH | default 150 -}}
+{{ $GC_INC_SPEED := .Env.GC_INC_SPEED | default 250 -}}
+{{ $GC_INC_STEP_SIZE := .Env.GC_INC_STEP_SIZE | default 13 -}}
+{{ $GC_GEN_MIN_TH := .Env.GC_GEN_MIN_TH | default 20 -}}
+{{ $GC_GEN_MAX_TH := .Env.GC_GEN_MAX_TH | default 100 -}}
+
+-- Prosody Example Configuration File
+--
+-- Information on configuring Prosody can be found on our
+-- website at http://prosody.im/doc/configure
+--
+-- Tip: You can check that the syntax of this file is correct
+-- when you have finished by running: luac -p prosody.cfg.lua
+-- If there are any errors, it will let you know what and where
+-- they are, otherwise it will keep quiet.
+--
+-- The only thing left to do is rename this file to remove the .dist ending, and fill in the
+-- blanks. Good luck, and happy Jabbering!
+
+
+---------- Server-wide settings ----------
+-- Settings in this section apply to the whole server and are the default settings
+-- for any virtual hosts
+
+-- This is a (by default, empty) list of accounts that are admins
+-- for the server. Note that you must create the accounts separately
+-- (see http://prosody.im/doc/creating_accounts for info)
+-- Example: admins = { "user1@example.com", "user2@example.net" }
+admins = { }
+
+-- Enable use of libevent for better performance under high load
+-- For more information see: http://prosody.im/doc/libevent
+--use_libevent = true;
+
+-- This is the list of modules Prosody will load on startup.
+-- It looks for mod_modulename.lua in the plugins folder, so make sure that exists too.
+-- Documentation on modules can be found at: http://prosody.im/doc/modules
+modules_enabled = {
+
+	-- Generally required
+		"roster"; -- Allow users to have a roster. Recommended ;)
+		"saslauth"; -- Authentication for clients and servers. Recommended if you want to log in.
+		"tls"; -- Add support for secure TLS on c2s/s2s connections
+		"dialback"; -- s2s dialback support
+		"disco"; -- Service discovery
+
+	-- Not essential, but recommended
+		"private"; -- Private XML storage (for room bookmarks, etc.)
+		"vcard"; -- Allow users to set vCards
+		"limits"; -- Enable bandwidth limiting for XMPP connections
+
+	-- These are commented by default as they have a performance impact
+		--"privacy"; -- Support privacy lists
+		--"compression"; -- Stream compression (Debian: requires lua-zlib module to work)
+
+	-- Nice to have
+		"version"; -- Replies to server version requests
+		"uptime"; -- Report how long server has been running
+		"time"; -- Let others know the time here on this server
+		"ping"; -- Replies to XMPP pings with pongs
+		"pep"; -- Enables users to publish their mood, activity, playing music and more
+		"register"; -- Allow users to register on this server using a client and change passwords
+
+	-- Admin interfaces
+		"admin_adhoc"; -- Allows administration via an XMPP client that supports ad-hoc commands
+		--"admin_telnet"; -- Opens telnet console interface on localhost port 5582
+
+	-- HTTP modules
+		--"bosh"; -- Enable BOSH clients, aka "Jabber over HTTP"
+		--"http_files"; -- Serve static files from a directory over HTTP
+
+	-- Other specific functionality
+		"posix"; -- POSIX functionality, sends server to background, enables syslog, etc.
+		--"groups"; -- Shared roster support
+		--"announce"; -- Send announcement to all online users
+		--"welcome"; -- Welcome users who register accounts
+		--"watchregistrations"; -- Alert admins of registrations
+		--"motd"; -- Send a message to users when they log in
+		--"legacyauth"; -- Legacy authentication. Only used by some old clients and bots.
+        {{ if .Env.GLOBAL_MODULES }}
+        "{{ join "\";\n\"" (splitList "," .Env.GLOBAL_MODULES) }}";
+        {{ end }}
+};
+
+component_ports = { }
+https_ports = { }
+
+-- These modules are auto-loaded, but should you want
+-- to disable them then uncomment them here:
+modules_disabled = {
+	-- "offline"; -- Store offline messages
+	-- "c2s"; -- Handle client connections
+	"s2s"; -- Handle server-to-server connections
+};
+
+-- Disable account creation by default, for security
+-- For more information see http://prosody.im/doc/creating_accounts
+allow_registration = false;
+
+-- Enable rate limits for incoming client and server connections
+limits = {
+  c2s = {
+    rate = "10kb/s";
+  };
+  s2sin = {
+    rate = "30kb/s";
+  };
+}
+
+--Prosody garbage collector settings
+--For more information see https://prosody.im/doc/advanced_gc
+{{ if eq $GC_TYPE "generational" }}
+gc = {
+    mode = "generational";
+    minor_threshold = {{ $GC_GEN_MIN_TH }};
+    major_threshold = {{ $GC_GEN_MAX_TH }};
+}
+{{ else }}
+gc = {
+	mode = "incremental";
+	threshold = {{ $GC_INC_TH }};
+	speed = {{ $GC_INC_SPEED }};
+	step_size = {{ $GC_INC_STEP_SIZE }};
+}
+{{ end }}
+
+pidfile = "/config/data/prosody.pid";
+
+-- Force clients to use encrypted connections? This option will
+-- prevent clients from authenticating unless they are using encryption.
+
+c2s_require_encryption = false
+
+-- set c2s port
+c2s_ports = { {{ $XMPP_PORT }} } -- Listen on specific c2s port
+{{ if $ENABLE_IPV6 }}
+c2s_interfaces = { "*", "::" }
+{{ else }}
+c2s_interfaces = { "*" }
+{{ end }}
+
+-- Force certificate authentication for server-to-server connections?
+-- This provides ideal security, but requires servers you communicate
+-- with to support encryption AND present valid, trusted certificates.
+-- NOTE: Your version of LuaSec must support certificate verification!
+-- For more information see http://prosody.im/doc/s2s#security
+
+s2s_secure_auth = false
+
+-- Many servers don't support encryption or have invalid or self-signed
+-- certificates. You can list domains here that will not be required to
+-- authenticate using certificates. They will be authenticated using DNS.
+
+--s2s_insecure_domains = { "gmail.com" }
+
+-- Even if you leave s2s_secure_auth disabled, you can still require valid
+-- certificates for some domains by specifying a list here.
+
+--s2s_secure_domains = { "jabber.org" }
+
+-- Select the authentication backend to use. The 'internal' providers
+-- use Prosody's configured data storage to store the authentication data.
+-- To allow Prosody to offer secure authentication mechanisms to clients, the
+-- default provider stores passwords in plaintext. If you do not trust your
+-- server please see http://prosody.im/doc/modules/mod_auth_internal_hashed
+-- for information about using the hashed backend.
+
+authentication = "internal_hashed"
+
+-- Select the storage backend to use. By default Prosody uses flat files
+-- in its configured data directory, but it also supports more backends
+-- through modules. An "sql" backend is included by default, but requires
+-- additional dependencies. See http://prosody.im/doc/storage for more info.
+
+--storage = "sql" -- Default is "internal" (Debian: "sql" requires one of the
+-- lua-dbi-sqlite3, lua-dbi-mysql or lua-dbi-postgresql packages to work)
+
+-- For the "sql" backend, you can uncomment *one* of the below to configure:
+--sql = { driver = "SQLite3", database = "prosody.sqlite" } -- Default. 'database' is the filename.
+--sql = { driver = "MySQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
+--sql = { driver = "PostgreSQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
+
+-- Logging configuration
+-- For advanced logging see http://prosody.im/doc/logging
+--
+-- Debian:
+--  Logs info and higher to /var/log
+--  Logs errors to syslog also
+log = {
+	{ levels = {min = "{{ $LOG_LEVEL }}"}, timestamps = "%Y-%m-%d %X", to = "console"};
+}
+
+{{ if .Env.GLOBAL_CONFIG }}
+{{ join "\n" (splitList "\\n" .Env.GLOBAL_CONFIG) }}
+{{ end }}
+
+-- Enable use of native prosody 0.11 support for epoll over select
+network_backend = "epoll";
+-- Set the TCP backlog to 511 since the kernel rounds it up to the next power of 2: 512.
+network_settings = {
+  tcp_backlog = 511;
+}
+unbound = {
+    resolvconf = true
+}
+
+http_ports = { 5280 }
+{{ if $ENABLE_IPV6 }}
+http_interfaces = { "*", "::" }
+{{ else }}
+http_interfaces = { "*" }
+{{ end }}
+
+data_path = "/config/data"
+
+smacks_max_unacked_stanzas = 5;
+smacks_hibernation_time = 60;
+smacks_max_hibernated_sessions = 1;
+smacks_max_old_sessions = 1;
+
+Include "conf.d/*.cfg.lua"

package/templates/etc/prosody/defaults/saslauthd.conf

@@ -0,0 +1,30 @@
+{{ $AUTH_TYPE := .Env.AUTH_TYPE | default "internal" -}}
+{{ $PROSODY_AUTH_TYPE := .Env.PROSODY_AUTH_TYPE | default $AUTH_TYPE }}
+{{ $XMPP_DOMAIN := .Env.XMPP_DOMAIN | default "meet.jitsi" -}}
+
+{{ if eq $PROSODY_AUTH_TYPE "ldap" }}
+ldap_servers: {{ .Env.LDAP_URL }}
+ldap_search_base: {{ .Env.LDAP_BASE }}
+{{ if .Env.LDAP_BINDDN | default "" }}
+ldap_bind_dn: {{ .Env.LDAP_BINDDN }}
+ldap_bind_pw: {{ .Env.LDAP_BINDPW }}
+{{ end }}
+ldap_filter: {{ .Env.LDAP_FILTER | default "uid=%u" }}
+ldap_version: {{ .Env.LDAP_VERSION | default "3" }}
+ldap_auth_method: {{ .Env.LDAP_AUTH_METHOD | default "bind" }}
+  {{ if .Env.LDAP_USE_TLS | default "0" | toBool }}
+ldap_tls_key: /config/certs/{{ $XMPP_DOMAIN }}.key
+ldap_tls_cert: /config/certs/{{ $XMPP_DOMAIN }}.crt
+    {{ if .Env.LDAP_TLS_CHECK_PEER | default "0" | toBool }}
+ldap_tls_check_peer: yes
+ldap_tls_cacert_file: {{ .Env.LDAP_TLS_CACERT_FILE | default "/etc/ssl/certs/ca-certificates.crt" }}
+ldap_tls_cacert_dir: {{ .Env.LDAP_TLS_CACERT_DIR | default "/etc/ssl/certs" }}
+    {{ end }}
+    {{ if .Env.LDAP_TLS_CIPHERS }}
+ldap_tls_ciphers: {{ .Env.LDAP_TLS_CIPHERS }}
+    {{ end }}
+  {{ end }}
+{{ end }}
+{{ if .Env.LDAP_START_TLS | default "0" | toBool }}
+ldap_start_tls: yes
+{{ end }}

package/templates/etc/prosody/prosody.cfg.lua.tpl

@@ -0,0 +1,203 @@
+-- Prosody Example Configuration File
+--
+-- Information on configuring Prosody can be found on our
+-- website at http://prosody.im/doc/configure
+--
+-- Tip: You can check that the syntax of this file is correct
+-- when you have finished by running: luac -p prosody.cfg.lua
+-- If there are any errors, it will let you know what and where
+-- they are, otherwise it will keep quiet.
+--
+-- The only thing left to do is rename this file to remove the .dist ending, and fill in the
+-- blanks. Good luck, and happy Jabbering!
+
+
+---------- Server-wide settings ----------
+-- Settings in this section apply to the whole server and are the default settings
+-- for any virtual hosts
+
+-- This is a (by default, empty) list of accounts that are admins
+-- for the server. Note that you must create the accounts separately
+-- (see http://prosody.im/doc/creating_accounts for info)
+-- Example: admins = { "user1@example.com", "user2@example.net" }
+admins = { }
+
+-- Enable use of libevent for better performance under high load
+-- For more information see: http://prosody.im/doc/libevent
+--use_libevent = true;
+
+-- This is the list of modules Prosody will load on startup.
+-- It looks for mod_modulename.lua in the plugins folder, so make sure that exists too.
+-- Documentation on modules can be found at: http://prosody.im/doc/modules
+modules_enabled = {
+
+	-- Generally required
+		"roster"; -- Allow users to have a roster. Recommended ;)
+		"saslauth"; -- Authentication for clients and servers. Recommended if you want to log in.
+		"tls"; -- Add support for secure TLS on c2s/s2s connections
+		"dialback"; -- s2s dialback support
+		"disco"; -- Service discovery
+
+	-- Not essential, but recommended
+		"private"; -- Private XML storage (for room bookmarks, etc.)
+		"vcard"; -- Allow users to set vCards
+		"limits"; -- Enable bandwidth limiting for XMPP connections
+
+	-- These are commented by default as they have a performance impact
+		--"privacy"; -- Support privacy lists
+		--"compression"; -- Stream compression (Debian: requires lua-zlib module to work)
+
+	-- Nice to have
+		"version"; -- Replies to server version requests
+		"uptime"; -- Report how long server has been running
+		"time"; -- Let others know the time here on this server
+		"ping"; -- Replies to XMPP pings with pongs
+		"pep"; -- Enables users to publish their mood, activity, playing music and more
+		"register"; -- Allow users to register on this server using a client and change passwords
+
+	-- Admin interfaces
+		"admin_adhoc"; -- Allows administration via an XMPP client that supports ad-hoc commands
+		--"admin_telnet"; -- Opens telnet console interface on localhost port 5582
+
+	-- HTTP modules
+		--"bosh"; -- Enable BOSH clients, aka "Jabber over HTTP"
+		--"http_files"; -- Serve static files from a directory over HTTP
+
+	-- Other specific functionality
+		"posix"; -- POSIX functionality, sends server to background, enables syslog, etc.
+		--"groups"; -- Shared roster support
+		--"announce"; -- Send announcement to all online users
+		--"welcome"; -- Welcome users who register accounts
+		--"watchregistrations"; -- Alert admins of registrations
+		--"motd"; -- Send a message to users when they log in
+		--"legacyauth"; -- Legacy authentication. Only used by some old clients and bots.
+        
+};
+
+component_ports = { }
+
+-- These modules are auto-loaded, but should you want
+-- to disable them then uncomment them here:
+modules_disabled = {
+	-- "offline"; -- Store offline messages
+	-- "c2s"; -- Handle client connections
+	"s2s"; -- Handle server-to-server connections
+};
+
+-- Disable account creation by default, for security
+-- For more information see http://prosody.im/doc/creating_accounts
+allow_registration = false;
+
+-- Enable rate limits for incoming client and server connections
+limits = {
+  c2s = {
+    rate = "10kb/s";
+  };
+  s2sin = {
+    rate = "30kb/s";
+  };
+}
+
+--Prosody garbage collector settings
+--For more information see https://prosody.im/doc/advanced_gc
+
+gc = {
+	mode = "incremental";
+	threshold = 150;
+	speed = 250;
+	step_size = 13;
+}
+
+
+pidfile = "/var/run/prosody/prosody.pid";
+
+-- Force clients to use encrypted connections? This option will
+-- prevent clients from authenticating unless they are using encryption.
+
+c2s_require_encryption = false
+
+-- set c2s port
+c2s_ports = { 5222 } -- Listen on specific c2s port
+
+c2s_interfaces = { "*", "::" }
+
+
+-- Force certificate authentication for server-to-server connections?
+-- This provides ideal security, but requires servers you communicate
+-- with to support encryption AND present valid, trusted certificates.
+-- NOTE: Your version of LuaSec must support certificate verification!
+-- For more information see http://prosody.im/doc/s2s#security
+
+s2s_secure_auth = false
+
+-- Many servers don't support encryption or have invalid or self-signed
+-- certificates. You can list domains here that will not be required to
+-- authenticate using certificates. They will be authenticated using DNS.
+
+--s2s_insecure_domains = { "gmail.com" }
+
+-- Even if you leave s2s_secure_auth disabled, you can still require valid
+-- certificates for some domains by specifying a list here.
+
+--s2s_secure_domains = { "jabber.org" }
+
+-- Select the authentication backend to use. The 'internal' providers
+-- use Prosody's configured data storage to store the authentication data.
+-- To allow Prosody to offer secure authentication mechanisms to clients, the
+-- default provider stores passwords in plaintext. If you do not trust your
+-- server please see http://prosody.im/doc/modules/mod_auth_internal_hashed
+-- for information about using the hashed backend.
+
+authentication = "internal_hashed"
+
+-- Select the storage backend to use. By default Prosody uses flat files
+-- in its configured data directory, but it also supports more backends
+-- through modules. An "sql" backend is included by default, but requires
+-- additional dependencies. See http://prosody.im/doc/storage for more info.
+
+--storage = "sql" -- Default is "internal" (Debian: "sql" requires one of the
+-- lua-dbi-sqlite3, lua-dbi-mysql or lua-dbi-postgresql packages to work)
+
+-- For the "sql" backend, you can uncomment *one* of the below to configure:
+sql = { driver = "SQLite3", database = "prosody.sqlite" } -- Default. 'database' is the filename.
+--sql = { driver = "MySQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
+--sql = { driver = "PostgreSQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
+
+-- Logging configuration
+-- For advanced logging see http://prosody.im/doc/logging
+--
+-- Debian:
+--  Logs info and higher to /var/log
+--  Logs errors to syslog also
+log = {
+    debug = "/var/log/prosody/prosody.log";
+    error = "/var/log/prosody/prosody.err";
+--	{ levels = {min = "info"}, timestamps = "%Y-%m-%d %X", to = "console"};
+}
+
+trusted_proxies = { "127.0.0.1", "::1", "172.17.0.2"}
+
+-- Enable use of native prosody 0.11 support for epoll over select
+network_backend = "epoll";
+-- Set the TCP backlog to 511 since the kernel rounds it up to the next power of 2: 512.
+network_settings = {
+  tcp_backlog = 511;
+}
+unbound = {
+    resolvconf = true
+}
+
+http_ports = { 5280 }
+http_interfaces = { "127.0.0.1" }
+https_ports = { 5281 }
+https_interfaces = { "*", "::" }
+
+
+data_path = "/etc/drumee/credential/prosody/data"
+
+smacks_max_unacked_stanzas = 5;
+smacks_hibernation_time = 60;
+smacks_max_hibernated_sessions = 1;
+smacks_max_old_sessions = 1;
+
+Include "conf.d/*.cfg.lua"

package/templates/etc/turnserver.conf.tpl

@@ -0,0 +1,46 @@
+# jitsi-meet coturn config. Do not modify this line
+use-auth-secret
+keep-address-family
+static-auth-secret=<%= turn_sercret %>
+realm=<%= jitsi_domain %>
+cert=<%= acme_dir %>/certs/<%= jitsi_domain %>_ecc/<%= jitsi_domain %>.cer
+pkey=<%= acme_dir %>/certs/<%= jitsi_domain %>_ecc/<%= jitsi_domain %>.key
+external-ip=<%= public_ip4 %> / <%= public_ip6 %>
+no-multicast-peers
+no-cli
+#no-loopback-peers
+#no-tcp-relay
+no-tcp
+listening-port=3478
+tls-listening-port=5349
+no-tlsv1
+no-tlsv1_1
+# https://ssl-config.mozilla.org/#server=haproxy&version=2.1&config=intermediate&openssl=1.1.0g&guideline=5.4
+cipher-list=ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
+# without it there are errors when running on Ubuntu 20.04
+dh2066
+# jitsi-meet coturn relay disable config. Do not modify this line
+denied-peer-ip=0.0.0.0-0.255.255.255
+denied-peer-ip=10.0.0.0-10.255.255.255
+denied-peer-ip=100.64.0.0-100.127.255.255
+denied-peer-ip=127.0.0.0-127.255.255.255
+denied-peer-ip=169.254.0.0-169.254.255.255
+denied-peer-ip=127.0.0.0-127.255.255.255
+denied-peer-ip=172.16.0.0-172.31.255.255
+denied-peer-ip=192.0.0.0-192.0.0.255
+denied-peer-ip=192.0.2.0-192.0.2.255
+denied-peer-ip=192.88.99.0-192.88.99.255
+denied-peer-ip=192.168.0.0-192.168.255.255
+denied-peer-ip=198.18.0.0-198.19.255.255
+denied-peer-ip=198.51.100.0-198.51.100.255
+denied-peer-ip=203.0.113.0-203.0.113.255
+denied-peer-ip=240.0.0.0-255.255.255.255
+denied-peer-ip=::1
+denied-peer-ip=64:ff9b::-64:ff9b::ffff:ffff
+denied-peer-ip=::ffff:0.0.0.0-::ffff:255.255.255.255
+denied-peer-ip=100::-100::ffff:ffff:ffff:ffff
+denied-peer-ip=2001::-2001:1ff:ffff:ffff:ffff:ffff:ffff:ffff
+denied-peer-ip=2002::-2002:ffff:ffff:ffff:ffff:ffff:ffff:ffff
+denied-peer-ip=fc00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
+denied-peer-ip=fe80::-febf:ffff:ffff:ffff:ffff:ffff:ffff:ffff
+syslog

package/templates/index.js

@@ -0,0 +1,102 @@
+_ = require("lodash");
+Shell = require("shelljs");
+const { mkdirSync, existsSync, writeSync, openSync, close, readFileSync } = require("fs");
+const { env } = process;
+const { resolve, join, dirname } = require("path");
+const ARGV = require('minimist')(process.argv.slice(2));
+
+/**
+ * 
+ * @param {*} p 
+ * @returns 
+ */
+function chroot(p) {
+  let root = ARGV.chroot || env.dev_root;
+  if (root) {
+    if (p) return join(root, p);
+    return join(root);
+  }
+  if (p) return join("/", p);
+  return ('/');
+}
+
+/**
+ * 
+ */
+function makedir(dname) {
+  if (!existsSync(dname)) {
+    //console.log(`Should make dir ${dname}`);
+    mkdirSync(dname, { recursive: true });
+  }
+};
+
+
+
+/**
+ * 
+ * @param {*} err 
+ */
+function __error(err) {
+  if (err) throw err;
+};
+
+
+/**
+ * 
+ */
+function render(data, name, parse) {
+  let tpl = resolve(__dirname, "templates", name + ".tpl");
+  if (/\/templates$/.test(__dirname))
+    tpl = resolve(__dirname, name + ".tpl");
+  if (!existsSync(tpl)) {
+    tpl = resolve(__dirname, name);
+  }
+  //console.log("RENDERING", __dirname, name, tpl);
+  let str = readFileSync(tpl);
+  try {
+    let res = _.template(String(str).toString())(data);
+    if (parse && typeof res === "string") {
+      return JSON.parse(res);
+    }
+    return res;
+  } catch (e) {
+    console.error(`Failed to render from template ${tpl}`);
+    console.error("------------\n", e);
+  }
+};
+
+/**
+ *
+ * @param {*} data
+ * @param {*} fn
+ * @param {*} tpl_name
+ * @param {*} chr
+ * @returns
+ */
+function write(data, fn, tpl_name, chr) {
+  let filename = chroot(fn);
+  makedir(dirname(filename));
+  let d = new Date();
+  data.date = d.toISOString().split('T')[0];
+
+  console.log("Writing config into " + filename);
+  let fd = openSync(filename, "w+");
+  if (ARGV.readonly) {
+    console.log("Readonly", fn, tpl_name);
+    return
+  }
+
+  if (_.isEmpty(tpl_name)) {
+    writeSync(fd, data);
+  } else {
+    writeSync(fd, render(data, tpl_name));
+  }
+  close(fd, __error);
+}
+
+
+module.exports = {
+  write,
+  chroot,
+  render
+};

package/templates/schema/utils/configs.init.sql.tpl

@@ -0,0 +1,20 @@
+-- -------------------------------------------------------------
+-- ! DO NOT EDIT !
+-- Config file automatically generated by <infra-setup>
+-- Date : <%= date %>
+-- -------------------------------------------------------------
+
+DROP TABLE IF EXISTS `configs`;
+CREATE TABLE `configs` (
+  `name` varchar(64) NOT NULL DEFAULT '',
+  `value` varchar(2048) DEFAULT NULL,
+  `type` varchar(64) NOT NULL DEFAULT '',
+  PRIMARY KEY (`name`)
+) ENGINE=MEMORY DEFAULT CHARSET=utf8;
+
+insert into configs values('db_host', "localhost", 'varchar');
+insert into configs values('fs_host', "localhost", 'varchar');
+insert into configs values('icon', "<%= default_ico %>/", 'varchar');
+insert into configs values('page_length', "20", 'integer');
+insert into configs values('mfs_root', "<%= data_dir %>/mfs/", 'varchar');
+

package/templates/schema/utils/configs.update.sql.tpl

@@ -0,0 +1,19 @@
+-- -------------------------------------------------------------
+-- ! DO NOT EDIT !
+-- Config file automatically generated by <infra-setup>
+-- Date : <%= date %>
+-- -------------------------------------------------------------
+
+CREATE TABLE IF NOT EXISTS `configs` (
+  `name` varchar(64) NOT NULL DEFAULT '',
+  `value` varchar(2048) DEFAULT NULL,
+  `type` varchar(64) NOT NULL DEFAULT '',
+  PRIMARY KEY (`name`)
+) ENGINE=MEMORY DEFAULT CHARSET=utf8;
+
+replace into configs values('db_host', "localhost", 'varchar');
+replace into configs values('fs_host', "localhost", 'varchar');
+replace into configs values('icon', "<%= default_ico %>/", 'varchar');
+replace into configs values('page_length', '15', 'integer');
+replace into configs values('mfs_root', "<%= data_dir %>/mfs/", 'varchar');
+

package/templates/server/ecosystem.config.js.tpl

@@ -0,0 +1,8 @@
+/* -------------------------------------------------------------
+# !!!!!!! DO NOT EDIT !!!!!!!!
+# Config file automatically generated by <infra-setup>
+# Purpose  : Provide route (instance) to Nginx
+# Date     : <%= date %>
+# ------------------------------------------------------------- */
+
+module.exports = require("<%= ecosystem %>");