.gitignore

-.vagrant
-docker-haproxy-confd
+*.swp

CHANGELOG.md

+# 1.2.0
+
+* Add app admin email as argument in provision #189 
+* Handle git branches when provisioning #174 
+* REPO mode to retrieve application recipe #187 
+
+
+# 0.3.0
+
+* adds automation script for user provisionning
+* moves backup to duplicity
+* big simplification
+* some fixes
+
+# 0.2.4
+
+* improve tests
+* wordpess version 4.1
+* Internal modifications
+  * rename project
+  * rename images
+  * integrate dockerfiles to the project
+  * add hotfixes
+
+# 0.2.3
+
+* fixes backup
+* better tests
+* import dump.sql when relevant
+
+# 0.2.2
+
+* add Known as an application
+
+# 0.2.1
+
+* draft instructions for how to add an application (whether server-wide or per-user)
+* several bugfixes
+
+# 0.2.0
+
+* a separation between /data/domains and /data/runtime, making site immigration much easier
+* the wordpress image and the mysql image it depends on
+* the backup service which commits all user content, including a mysql dump, to a private git repo, and pushes that out to a remote destination every hour
+* the nginx image from 0.1.0 split into static and static-git
+
+
+# 0.1.0
+
+* Static webhosting
+  * based on haproxy with nginx backends
+  * all running as Docker containers
+  * SNI-capable (multiple https domains on one single IPv4 address)
+  * pulls in content from any git repo, then updates every 10 minutes
+  * can be run redundantly in round-robin DNS setup
+
+* email forwarder
+  * based on postfix
+  * stateless apart from simple configuration files
+  * can be run redundantly on multiple MX handlers
+
+* automated administration
+  * Docker containers are orchestrated with etcd and systemd
+  * script to deploy it on a remote coreos server
+  * script for adding a site from a git repo
+  * script for adding an empty placeholder site
+  * docs describing how to use these scripts
+  * Vagrantfile for using it inside vagrant

INSTALL.cloud.md

+# Instructions to install libre.sh
+
+## Recommendation
+- you'd need API key on Namecheap (if you want to automatically buy and configure domain name)
+
+## Installation
+
+These instructions depend a bit on your cloud provider.
+
+### [Digital Ocean](https://m.do.co/c/1b468ce0671f)
+
+ 1. Install [doctl](https://github.com/digitalocean/doctl/)
+ 2. Issue the following command:
+
+```
+doctl compute droplet create libre.sh --user-data-file ./user_data --wait --ssh-keys $KEY_ID --size 1gb --region lon1 --image coreos-stable
+```
+
+### Provider with user_data support
+
+If you use a cloud provider that support `user_data`, like [Scaleway](http://scaleway.com/), just use [this user_data](https://raw.githubusercontent.com/indiehosters/libre.sh/master/user_data).
+
+### Hetzner
+
+You can also buy a baremetal at [Hetzner](https://serverboerse.de/index.php?country=EN) as they are the cheapest options around. Follow these [instructions](INSTALL_HETZNER.md) in this case.
+
+### Provider without user_data support
+
+Use boot a live cd, and issue that command:
+
+```
+wget https://raw.github.com/coreos/init/master/bin/coreos-install
+bash coreos-install -d /dev/sda -c user_data
+```
+
+And voila, your first libre.sh node is ready!

INSTALL_HETZNER.md

+# Instructions to install libre.sh
+
+## Recommendation
+- ssd on /dev/sda
+- hdd on /dev/sdb
+- hdd on /dev/sdc
+- API key on Namecheap (if you want to automatically buy domain name)
+
+# Installation
+
+First, you need a server.
+We recommend [Hetzner](https://serverboerse.de/index.php?country=EN) as they are the cheapest options around.
+You can filter servers with ssd.
+
+These instructions can also work on any VM/VPS/Hardware.
+
+## Install the system
+
+```
+IP=
+
+ssh -o "StrictHostKeyChecking no" root@$IP
+
+hostname=
+ssh_public_key=""
+
+fdisk -l #find your ssd
+
+# Setup raid
+cat > /etc/mdadm.conf << EOF
+MAILADDR dev@null.org
+EOF
+mdadm --create --verbose /dev/md0 --level=mirror --raid-devices=2 /dev/sdb /dev/sdc
+mkfs.ext4 /dev/md0
+
+cat > cloud-config.tmp << EOF
+#cloud-config
+
+hostname: "$hostname"
+ssh_authorized_keys:
+  - $ssh_public_key
+EOF
+
+apt-get install gawk
+wget https://raw.github.com/coreos/init/master/bin/coreos-install
+bash coreos-install -d /dev/sda -c cloud-config.tmp
+
+reboot
+```
+
+```
+ssh core@$IP
+
+#configure mdmonitor.
+
+sudo su -
+
+mdadm --examine --scan > /etc/mdadm.conf
+vim /etc/mdadm.conf
+#ADD your mail
+MAILADDR xxx@xxx.org
+
+# Start service
+systemctl start  mdmonitor.service
+
+cat > /etc/systemd/system/data.mount << EOF
+[Mount]
+What=/dev/md0
+Where=/data
+Type=ext4
+EOF
+
+wget https://raw.githubusercontent.com/indiehosters/libre.sh/master/user_data -O /var/lib/coreos-install/user_data
+
+coreos-cloudinit /var/lib/coreos-install/user_data

INSTALL_LINUX.md

+# Instructions to install libre.sh on linux with Systemd
+
+## Recommendation
+- Systemd distro (ubuntu server 18.04.3 or debian 9 )
+
+# Installation
+Where basicly reproduce what the user_data do for us.
+
+as root
+
+# configure sshd (Optional)
+Don't forget to create the user core and adding your ssh key before
+You could also remove AllowUsers core or/and change the username.
+
+```
+cat > /etc/ssh/sshd_config <<EOF
+UsePrivilegeSeparation sandbox
+Subsystem sftp internal-sftp
+PermitRootLogin no
+AllowUsers core
+PasswordAuthentication no
+ChallengeResponseAuthentication no
+EOF
+chmod 600 /etc/ssh/sshd_config
+systemctl restart sshd
+```
+
+# add kernel parameter (optional but recommended )
+
+```
+cat > /etc/sysctl.d/libresh.conf <<EOF
+fs.aio-max-nr=1048576
+vm.max_map_count=262144
+vm.overcommit_memory=1
+EOF
+chmod 644 /etc/sysctl.d/libresh.conf
+sysctl -p /etc/sysctl.d/libresh.conf
+
+echo never > /sys/kernel/mm/transparent_hugepage/enabled
+```
+
+# define Localhost (should not be needed but... )
+
+```
+cat > /etc/hosts <<EOF
+127.0.0.1 localhost
+255.255.255.255 broadcasthost
+::1 localhost
+EOF
+```
+
+# define envrionment
+
+```
+cat > /etc/environment <<EOF
+NAMECHEAP_URL="namecheap.com"
+NAMECHEAP_API_USER="pierreo"
+NAMECHEAP_API_KEY=
+IP="curl -s http://icanhazip.com/"
+FirstName="Pierre"
+LastName="Ozoux"
+Address=""
+PostalCode=""
+Country="Portugal"
+Phone="+351.967184553"
+EmailAddress="pierre@ozoux.net"
+City="Lisbon"
+CountryCode="PT"
+BACKUP_DESTINATION=root@xxxxx:port
+MAIL_USER=
+MAIL_PASS=
+MAIL_HOST=mail.indie.host
+MAIL_PORT=587
+EOF
+```
+
+# install docker
+
+*Current tested version : 19.03.5 see https://docs.docker.com/install/linux/docker-ce/ubuntu/ .*  
+
+# install docker-compose
+
+*Remark I did a variante to find the last version of DockerCompose and download it*
+
+```
+mkdir -p /opt/bin &&\
+dockerComposeVersion=$(curl -s https://api.github.com/repos/docker/compose/releases/latest|grep tag_name|cut -d'"' -f4) &&\
+curl -L https://github.com/docker/compose/releases/download/$dockerComposeVersion/docker-compose-`uname -s`-`uname -m` > /opt/bin/docker-compose &&\
+chmod +x /opt/bin/docker-compose
+```
+# install Libre.sh
+
+```
+git clone https://lab.libreho.st/libre.sh/compose.libre.sh /libre.sh &&\
+mkdir -p /{data,system} &&\
+mkdir -p /data/trash &&\
+cp /libre.sh/unit-files/* /etc/systemd/system && systemctl daemon-reload &&\
+systemctl enable web-net.service &&\
+systemctl start web-net.service &&\
+mkdir -p /opt/bin &&\
+cp /libre.sh/utils/* /opt/bin/
+```
+
+# add /opt/bin path
+
+```
+cat > /etc/profile.d/libre.sh <<EOF
+export PATH=$PATH:/opt/bin
+EOF
+chmod 644 /etc/profile.d/libre.sh
+```

README.md

-## IndieHosters
-
-This repository contains the confd and bash scripts we use to control our servers.
-It can run inside Vagrant (see below; FIXME: check whether these instruction currently work) or
-[deploy to a server](doc/getting-started-as-a-hoster.md) (FIXME: update those instructions to
-prescribe less folder structure, explain static https+smtp hosting, and check if they currently
-work).
-
-## Prerequisites to running this code with Vagrant:
-- [vagrant](http://www.vagrantup.com/)
-- [virtualbox](https://www.virtualbox.org/)
-- nfs
-  - run `apt-get install nfs-kernel-server`, or your OS equivalent
-- optional: [vagrant-hostsupdater](https://github.com/cogitatio/vagrant-hostsupdater)
-  - run `vagrant plugin install vagrant-hostsupdater` to install
-
-## Get started:
-
-```bash
-vagrant up
+# libre.sh Version 1.2
+[![Backers on Open Collective](https://opencollective.com/libresh/backers/badge.svg)](#backers)
+ [![Sponsors on Open Collective](https://opencollective.com/libresh/sponsors/badge.svg)](#sponsors) 
+
+## Introduction
+
+An ecosystem to ease  free software hosting \o/
+
+We are working on bootstrapping an ecosystem of tools to facilitate the hosting of free software.
+Think of it as
+ - [ISPconfig](https://www.ispconfig.org/)
+ - FLOSS [cpanel](https://www.cpanel.net/products/)
+ - [cloudron](https://cloudron.io/) with email
+
+
+  * Libre.sh V1 (Stable) is using docker-compose 
+  * Libre.sh V2 (Alpha) is using [kubernetes](https://kubernetes.io/).
+
+
+This ecosystem can be deployed on [Raspberries](https://kubecloud.io/setting-up-a-kubernetes-1-11-raspberry-pi-cluster-using-kubeadm-952bbda329c8) or on popular cloud providers and scale globally or anything in between. 
+We can affirm that V2 scales globally because it is based on kubernetes, a tool developped from the experience of Google hosting containers at scale.
+
+## Installation
+
+
+
+To install it, follow the instructions in `INSTALL_LINUX.md` : https://lab.libreho.st/libre.sh/compose.libre.sh/blob/master/INSTALL_LINUX.md
+
+Or run our installer script 
+
+https://lab.libreho.st/libre.sh/compose.libre.sh/raw/master/install.linux.sh
+
+### What is libre.sh
+
+libre.sh is a little framework to host Docker. It is simple and modular and respect the convention over configuration paradigm.
+
+This is aimed at Hosters to manage a huge amount of different web application, and a quantity of domain names related with emails and so on.
+
+It is currently installed at 3 different hosters in production and hosting ~20 different web applications, with ~500 containers.
+
+Once well installed, in one bash command, you'll be able to:
+ - buy a domain name
+ - configure DNS for it
+ - configure email for it
+ - configure dkim for that domain
+ - configure dmarc for that domain
+ - configure autoconfig for that domain
+ - install and start a web application on that domain (WordPress, Nextcloud, piwik...)
+ - provision a TLS cert on that domain
+
+Amazing, right?
+
+### Modular
+
+The PaaS is really modular, that's why it contains the strict necessary, then you'll probably want to add `system` modules or `applications`.
+
+It contains 2 [unit-files](https://lab.libreho.st/libre.sh/compose.libre.sh/tree/master/unit-files) to manage system modules and applications, start them at boot, and load the appropriate environment.
+
+### Support
+
+You can use the following channels to request community support:
+ - [mailinglist/forum](https://forum.indie.host/t/about-the-libre-sh-category/71)
+ - [chat](https://chat.indie.host/channel/libre.sh)
+
+For paid support, just send an inquiry to support@libre.sh.
+
+You can also watch the Fosdem Video : [Video Fosdem](https://fosdem.org/2017/schedule/event/libre_sh/)
+
+All of this is hosted by libre.sh :)
+
+## System modules
+
+Here is a list of modules supported:
+ - https proxy:
+ - [HAProxy](https://lab.libreho.st/libre.sh/compose/haproxy)
+ - [Nginx](https://lab.libreho.st/libre.sh/compose/nginx)
+ - [monitoring](https://lab.libreho.st/libre.sh/compose/monitoring)
+ - [git-puller](https://lab.libreho.st/libre.sh/compose/git-puller)
+
+Go to their respective page for more details.
+
+### To install and start a module:
+
+```
+cd /system/
+git clone https://lab.libreho.st/libre.sh/compose/[module]
+cd module
+libre enable
+libre start
 ```
 
-Wait for the provisioning to finish (~5mins), and go to your browser: https://indiehosters.dev
-If the process fails, for instance due to network problems, you can retry by running `vagrant provision`.
+## Applications
+
+### List of supported applications
+
+| Application  | Latest Version             | Comments   |
+|--------------|---------------------------|------------|
+| wordpress    | 5.9   |  Includes the support of SMTP email though libresh variables       |
+| dolibarr     | 15.0.3   | need manual deletion of the install.lock to upgrade        |
 
-### If you want to add another nginx instance apart from indiehosters.dev:
 
-```bash
-vagrant ssh
-sudo sh /data/indiehosters/scripts/activate-user.sh example.dev nginx https://github.com/indiehosters/website-static.git
+### Installation
+
+To install application `wordpress` on `example.org`, first make point example.org to your server IP, and then, just run:
+
+```
+libre provision -a wordpress -u example.org -s
 ```
-Check https://example.dev in your bowser!
 
-### Cleaning up
+- -u   [arg] URL to process. Required.
+- -a   [arg] Application to install. (wordpress in REPO_MODE)
+- -t   [arg] Checkout a specific tag or branch from the application repo. default to master
+- -e   [arg] Specify the email of the application admin 
+- -s         Start the application right away.
+- -b         Buys the associated domain name.
+- -i         Configure OpenDKIM.
+- -c         Configures DNS if possible.
 
-To clean up stuff from previous runs of your VM, you can do:
+## To debug a module or an application:
 
-```bash
-vagrant destroy
-vagrant up
 ```
+libre ps
+libre logs -f --tail=100
+libre stop
+libre restart
+```
+
+## Contributing
+
+If you have any issue (something not working, missing doc), please do report an issue here! Thanks
+
+This system is used in production at [IndieHosters](https://indiehosters.net/) so it is maintained. If you use it, please tell us, and we'll be really happy to update this README!
+
+You can help us by:
+ - starring this project
+ - sending us a thanks email
+ - reporting bugs
+ - writing documentation/blog on how you got up and running in 5mins
+ - writing more documentation
+ - sending us cake :) We loove cake!
+
+## Contributors
+
+This project exists thanks to all the people who contribute. [[Contribute](CONTRIBUTING.md)].
+<a href="https://github.com/indiehosters/libre.sh/graphs/contributors"><img src="https://opencollective.com/libresh/contributors.svg?width=890&button=false" /></a>
+
+
+## Backers
+
+Thank you to all our backers! 🙏 [[Become a backer](https://opencollective.com/libresh#backer)]
+
+<a href="https://opencollective.com/libresh#backers" target="_blank"><img src="https://opencollective.com/libresh/backers.svg?width=890"></a>
+
+
+## Sponsors
+
+Support this project by becoming a sponsor. Your logo will show up here with a link to your website. [[Become a sponsor](https://opencollective.com/libresh#sponsor)]
+
+<a href="https://opencollective.com/libresh/sponsor/0/website" target="_blank"><img src="https://opencollective.com/libresh/sponsor/0/avatar.svg"></a>
+<a href="https://opencollective.com/libresh/sponsor/1/website" target="_blank"><img src="https://opencollective.com/libresh/sponsor/1/avatar.svg"></a>
+<a href="https://opencollective.com/libresh/sponsor/2/website" target="_blank"><img src="https://opencollective.com/libresh/sponsor/2/avatar.svg"></a>
+<a href="https://opencollective.com/libresh/sponsor/3/website" target="_blank"><img src="https://opencollective.com/libresh/sponsor/3/avatar.svg"></a>
+<a href="https://opencollective.com/libresh/sponsor/4/website" target="_blank"><img src="https://opencollective.com/libresh/sponsor/4/avatar.svg"></a>
+<a href="https://opencollective.com/libresh/sponsor/5/website" target="_blank"><img src="https://opencollective.com/libresh/sponsor/5/avatar.svg"></a>
+<a href="https://opencollective.com/libresh/sponsor/6/website" target="_blank"><img src="https://opencollective.com/libresh/sponsor/6/avatar.svg"></a>
+<a href="https://opencollective.com/libresh/sponsor/7/website" target="_blank"><img src="https://opencollective.com/libresh/sponsor/7/avatar.svg"></a>
+<a href="https://opencollective.com/libresh/sponsor/8/website" target="_blank"><img src="https://opencollective.com/libresh/sponsor/8/avatar.svg"></a>
+<a href="https://opencollective.com/libresh/sponsor/9/website" target="_blank"><img src="https://opencollective.com/libresh/sponsor/9/avatar.svg"></a>
+
+
+## Other projects
+
+
+Simplifying web application hosting has always been a goal for a lot of other projects, here is some project that share goals with libre.sh
+
+
+
+ - Yunohost https://yunohost.org
+ - Sandstorm https://sandstorm.io/
+ - Cloudron https://git.cloudron.io/cloudron/box
+
+

ROADMAP.md

+# TL;DR
+
+ - k8s
+  - [ ] ceph
+  - [ ] flannel
+  - [ ] baremetal install
+
+# Object
+
+The aim of this document is to write the big lines of the future of libre.sh.
+
+# Version 1
+
+The current version, let's call it 1, is a nice opiniated framework on how to run a single host with docker-compose.
+It provides a list of packages and module compatible with this framework.
+The best features of this framework are:
+ - https only
+ - some integration between the tools (auto provisioning of emails for new applications)
+ - domain name buying (Namecheap api)
+ - dns configuration (Namecheap api)
+
+# Version 2 - k8s
+
+This roadmap will discuss about the migration to kubernetes (k8s).
+
+## Distributions
+
+There are various k8s distributions (Tectonic, deis, openshift..) and the aim of libre.sh is not to become yet another distribution.
+
+It would be nice if we could list them, evaluate them, and decide to use one of them or not.
+
+## Installation/Operation
+
+libre.sh should be opiniated on the way to install and operate the cluster.
+
+It should provide easy steps to install on baremetal first. We aim for libre software, and as such, we can't rely
+on cloud providers like gcloud, aws, or digital ocean.
+As a second priority, we should give easy instructions to deploy on any cloud providers, as people are free to choose their chains :)
+
+## Storage
+
+One big challenge in k8s cluster context is to provide an implementation of major cloud providers about [PersistantVolume](https://kubernetes.io/docs/user-guide/persistent-volumes/).
+In a libre cluster, this function would be achieved by a distributed file system technology.
+After some investigation, the choice would be to use ceph.
+There are already some work done on it like the [ceph-docker](https://github.com/ceph/ceph-docker/tree/master/examples) repo.
+
+## Network
+
+Another big challenge is network. k8s is strongly opiniated on what should be the network configuration.
+Ideally, we would use some IPsec to secure the links between machine in a context we can't trust the network (like at hetzner).
+There are 3 options:
+ - zerotier  
+ - tinc vpn
+ - flannel that might implement IPsec in a near future
+
+The cheapest in term of work would be to bet on flannel.
+
+## Packages
+
+There is now a way to create and distribute packages in a standard way.
+We can then remove the idea of modules and applications.
+They will all be packages.
+
+The k8s standard for that is [helm](http://helm.sh/). There is already a big list of packages.
+As for libre.sh, the idea would be to contribute the missing packages there.
+
+### opportunistic packages
+
+libre.sh would then be, just a repo of documentation on how to install, operate and manage a k8s cluster on baremetal.
+There is still a place where we can have a difference.
+
+This idea is called opportunistic package.
+This would be a package based on an official one.
+
+Let's take the example of WordPress.
+The libre.sh version of WordPress would be based on the official one.
+But it will have some mechanisms to discovers services available inside the cluster it is running on.
+
+These services could be:
+ - ldap
+ - piwik
+ - email
+
+So, when you install a new WordPress, it will try to discover opportunistically if there is a ldap service in the cluster,
+and if yes, configure WordPress to use this ldap service.
+
+This pattern will help make it happen:
+https://github.com/kubernetes-incubator/service-catalog

Vagrantfile

-# -*- mode: ruby -*-
-# vi: set ft=ruby :
-
-# Vagrantfile API/syntax version. Don't touch unless you know what you're doing!
-VAGRANTFILE_API_VERSION = "2"
-
-Vagrant.require_version ">= 1.5.0"
-
-# Size of the CoreOS cluster created by Vagrant
-$num_instances=1
-
-# Official CoreOS channel from which updates should be downloaded
-$update_channel='stable'
-
-# Setting for VirtualBox VMs
-$vb_memory = 1024
-$vb_cpus = 1
-
-BASE_IP_ADDR  = ENV['BASE_IP_ADDR'] || "192.168.65"
-HOSTNAME = ENV['HOSTNAME'] || "indiehosters.dev"
-
-Vagrant.configure(VAGRANTFILE_API_VERSION) do |config|
-  config.vm.box = "coreos-%s" % $update_channel
-  config.vm.box_version = ">= 308.0.1"
-  config.vm.box_url = "http://%s.release.core-os.net/amd64-usr/current/coreos_production_vagrant.json" % $update_channel
-
-  (1..$num_instances).each do |i|
-    config.vm.define "core-#{i}" do |core|
-      core.vm.provider :virtualbox do |vb|
-        vb.memory = $vb_memory
-        vb.cpus = $vb_cpus
-        # On VirtualBox, we don't have guest additions or a functional vboxsf
-        # in CoreOS, so tell Vagrant that so it can be smarter.
-        vb.check_guest_additions = false
-        vb.functional_vboxsf = false
-      end
-       # plugin conflict
-      if Vagrant.has_plugin?("vagrant-vbguest") then
-        core.vbguest.auto_update = false
-      end
-
-      core.vm.hostname = HOSTNAME
-      core.hostsupdater.aliases = ["example.dev"]
-      core.vm.network :private_network, ip: "#{BASE_IP_ADDR}.#{i+1}"
-      core.vm.synced_folder ".", "/data/indiehosters", id: "coreos-indiehosters", :nfs => true, :mount_options => ['nolock,vers=3,udp']
-      core.vm.provision :file, source: "./cloud-config", destination: "/tmp/vagrantfile-user-data"
-      core.vm.provision :shell, inline: "mkdir -p /data/server-wide/haproxy/approved-certs; cp /data/indiehosters/scripts/unsecure-certs/*.pem /data/server-wide/haproxy/approved-certs"
-      core.vm.provision :shell, path: "./scripts/setup.sh", args: [HOSTNAME]
-    end
-  end
-end

cloud-config

-#cloud-config
-
-coreos:
-  update:
-    reboot-strategy: best-effort
-  etcd:
-    addr: 172.17.42.1:4001
-    peer-addr: 172.17.42.1:7001
-  units:
-    - name: etcd.service
-      command: start

confd/conf.d/crt-list.toml

-[template]
-src  = "crt-list.tmpl"
-dest = "/etc/haproxy/crt-list"
-keys = [
-  "/services"
-]
-reload_cmd = "/docker kill --signal=\"SIGUSR1\" haproxy"

confd/conf.d/haproxy.toml

-[template]
-src  = "haproxy.cfg.tmpl"
-dest = "/etc/haproxy/haproxy.cfg"
-keys = [
-  "/services"
-]
-reload_cmd = "/docker kill --signal=\"SIGUSR1\" haproxy"

confd/templates/crt-list.tmpl

-{{range $app := lsdir "/services"}}
-{{$hostnames := printf "/services/%s/*" $app}}
-  {{range gets $hostnames}}
-    {{$hostname := .Key}}
-/etc/haproxy/approved-certs/{{base $hostname}}.pem {{base $hostname}}
-  {{end}}
-{{end}}

confd/templates/haproxy.cfg.tmpl

-{{$default_service_value := getv "/services/default"}}
-{{$default_service := json $default_service_value}}
-{{$default_url := printf "/services/%s/%s" $default_service.app $default_service.hostname}}
-{{$default_value := getv $default_url}}
-{{$default := json $default_value}}
-{{$default := json $default_value}}
-global
-  maxconn 4096
-  user haproxy
-  group haproxy
-
-defaults
-  mode http
-  option httplog
-  option dontlognull
-  retries 3
-  timeout connect 5000
-  timeout client 50000
-  timeout server 50000
-
-frontend https-in
-mode http
-  bind *:443 ssl crt-list /etc/haproxy/crt-list crt /etc/haproxy/approved-certs/{{$default_service.hostname}}.pem
-  reqadd X-Forwarded-Proto:\ https
-{{range $app := lsdir "/services"}}
-{{$hostnames := printf "/services/%s/*" $app}}
-  {{range gets $hostnames}}
-    {{$hostname := .Key}}
-    {{$data := json .Value}}
-# {{base $hostname}}:
-  acl https_{{base $hostname}} hdr(host) -i {{base $hostname}}
-  acl https_{{base $hostname}} hdr(host) -i www.{{base $hostname}}
-  use_backend {{base $hostname}} if https_{{base $hostname}}
-  {{end}}
-{{end}}
-
-default_backend {{$default_service.hostname}}
-
-frontend http-in
-  bind *:80
-{{range $app := lsdir "/services"}}
-{{$hostnames := printf "/services/%s/*" $app}}
-  {{range gets $hostnames}}
-    {{$hostname := .Key}}
-    {{$data := json .Value}}
-# {{base $hostname}}:
-  acl is_{{base $hostname}} hdr(host) -i {{base $hostname}}
-  acl is_{{base $hostname}} hdr(host) -i www.{{base $hostname}}
-  use_backend {{base $hostname}} if is_{{base $hostname}}
-  {{end}}
-{{end}}
-
-{{range $app := lsdir "/services"}}
-{{$hostnames := printf "/services/%s/*" $app}}
-  {{range gets $hostnames}}
-    {{$hostname := .Key}}
-    {{$data := json .Value}}
-# {{base $hostname}}:
-backend {{base $hostname}}
-  cookie SERVERID insert nocache indirect
-  option httpclose
-  option forwardfor
-  server Server {{$data.ip}}:{{$data.port}} cookie Server
-  {{end}}
-{{end}}

data/server-wide/haproxy/approved-certs/indiehosters.dev.pem

------BEGIN CERTIFICATE-----
-MIIFljCCA34CCQDXgLjASWHpmDANBgkqhkiG9w0BAQUFADCBjDELMAkGA1UEBhMC
-UFQxETAPBgNVBAgTCFBvcnR1Z2FsMQ8wDQYDVQQHEwZMaXNib24xFTATBgNVBAoT
-DEluZGllSG9zdGVyczEZMBcGA1UEAxMQaW5kaWVob3N0ZXJzLmRldjEnMCUGCSqG
-SIb3DQEJARYYY29udGFjdEBpbmRpZWhvc3RlcnMubmV0MB4XDTE0MTAxMDE0MzY1
-NVoXDTE1MTAxMDE0MzY1NVowgYwxCzAJBgNVBAYTAlBUMREwDwYDVQQIEwhQb3J0
-dWdhbDEPMA0GA1UEBxMGTGlzYm9uMRUwEwYDVQQKEwxJbmRpZUhvc3RlcnMxGTAX
-BgNVBAMTEGluZGllaG9zdGVycy5kZXYxJzAlBgkqhkiG9w0BCQEWGGNvbnRhY3RA
-aW5kaWVob3N0ZXJzLm5ldDCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIB
-AKBOylYEoL1P3q7skTJsRA8yQj6fVHWHS3kPg6tcVavZawc6tRxIiDc41/EWjL7i
-Owb6io2UbKaD/g8695CFER9FvcW1iukrC/tUV5/AVd0SDcvS3RnGUndKh82HCNrM
-rUDU/XH8smEpfjuXrq0YPuiGbY1zSLQKirjYTiasJODfGkxSbobNfjdL7aEo+3HX
-BQq5mGIj9A4PYmeyFGkHCN8tRvf4lY1KfPJoWtDL4kmO4SFNZ4FAehH9AJ6vTN8y
-MFcHtFzpp2636TYTBQsLu48nrKs6MqOOyU0R/Ufw9QjiWDLo3Co6pcCTmVf16skO
-odg9BNdEhMXefpiEE1NOL6ZOkSUG5WSY0Q5Il649QcJOYzw2A0Nk3IOxoIexXat4
-siCgSlNfgyRmBn5HNcZo5aEDf9+3gEqFzEFSyH3ClIApC7RePbpPvsCAgpagBOXC
-PgO2w2VW9HfNHkwpF3Yqn7cqw0FQKwKREufVdnSvs9fgFlMZnqA3sMym8o99Fcvq
-WBaTuh54ePfNGmawPt1N8vUZUYXXOasWKmnjfan3S1rsNAf5M2ntLqEJRDwihdSm
-ZSO+B51hDO5jzHoqxHwA71CwUAp4hRO83xR6ziB1KR2834I/7LBzbpZ0EWm9adez
-8V+dwgBhTt0LYEUGLJN22XRi9d4RPhnRJpSLPV/h0Fa/AgMBAAEwDQYJKoZIhvcN
-AQEFBQADggIBAFzYeGiomhKZW//aUM4V4RLMVIf0B4uixSMxZGQIUWVtYckmyG2N
-t8qNBHAQ3gl811NqnqestIQ4DpGkNQRCv/iDa5OwdLJHTOQUxajUE/1xmidHtpzR
-ReBZvW48k0dLEM2gmIrt7qQwqqecjlWjvSQlvJxYWrn6TBAkFL6Quu8gfoPK9/cE
-HG/aRQ0PCywGV20LSZ+J03LN7MlACClgVTB7dJuWIN0dNi7TsqpIupk11ZQ3ybBY
-WPQmLnIiCAijL69kBmBynLvJT5XDy2C4ChyzZ5Y73CXhgJwCqOZJwbO7Doig9PZQ
-yVLtui18W3uVQ7ZlIxCAQUeFzSkZf3/XNlr2FkP+efw4LLGH8kiKMsyKuoLuthO1
-1YrXvI0sjuDOxQwrlNQ2CLVANLBpUMH2U1aiYbA6iICSHr8ORAc84StgG9mFLeyN
-w32/04MGPvZfset8gRCOuvA2sLTjylqh0IpaPWlnT77neqOFtETtzJ+3UuOcdfnN
-t2bxqimHT8WhBB823WajWlLdXcc902e9LLhe9M1/bwOqFIIlKDqtCndjyXpe/qhA
-s0YB8TqJLxJQqvdnmYiBFfGrDTgNBpjt6AKJHRGd4xgsYsmQ3zLJ0Z8mNNQhlLf/
-osGXa2s/ZX7ernfvSDQIOB70gohCLFtBok0unyBJhtHxXmZ7UmpuIanx
------END CERTIFICATE-----
------BEGIN RSA PRIVATE KEY-----
-MIIJKAIBAAKCAgEAoE7KVgSgvU/eruyRMmxEDzJCPp9UdYdLeQ+Dq1xVq9lrBzq1
-HEiINzjX8RaMvuI7BvqKjZRspoP+Dzr3kIURH0W9xbWK6SsL+1RXn8BV3RINy9Ld
-GcZSd0qHzYcI2sytQNT9cfyyYSl+O5eurRg+6IZtjXNItAqKuNhOJqwk4N8aTFJu
-hs1+N0vtoSj7cdcFCrmYYiP0Dg9iZ7IUaQcI3y1G9/iVjUp88mha0MviSY7hIU1n
-gUB6Ef0Anq9M3zIwVwe0XOmnbrfpNhMFCwu7jyesqzoyo47JTRH9R/D1COJYMujc
-KjqlwJOZV/XqyQ6h2D0E10SExd5+mIQTU04vpk6RJQblZJjRDkiXrj1Bwk5jPDYD
-Q2Tcg7Ggh7Fdq3iyIKBKU1+DJGYGfkc1xmjloQN/37eASoXMQVLIfcKUgCkLtF49
-uk++wICClqAE5cI+A7bDZVb0d80eTCkXdiqftyrDQVArApES59V2dK+z1+AWUxme
-oDewzKbyj30Vy+pYFpO6Hnh4980aZrA+3U3y9RlRhdc5qxYqaeN9qfdLWuw0B/kz
-ae0uoQlEPCKF1KZlI74HnWEM7mPMeirEfADvULBQCniFE7zfFHrOIHUpHbzfgj/s
-sHNulnQRab1p17PxX53CAGFO3QtgRQYsk3bZdGL13hE+GdEmlIs9X+HQVr8CAwEA
-AQKCAgEAgDpF8sRE5ukqUHV+Nv0O+7DR+FFuN4x/PFjCk6GKDaodyGyXTgZenv1j
-Db9h2ZYQbSafCVy+A/v0jq42NG2cIo2gnLL4aEY8kU8HwAsTI4A7dNw4a1ONx0ng
-ku/+jzXFJ+S2ziS5cqrEBFryKBcKyugsXUbn0svT5sNuz9RGs3ECEialrkJVQVoE
-vDKR3p+Fsux+DZKAt3Zq2lNBrDkqSYpoCBXZWmlIxIXgjr9nRDt7rS3DK0ot2pGr
-m0LRlH8K17Kb/O4RNaj6bHyOPiWmY33yygwFUXr3XiSTmqYM+oxCzIYjBcxfpUjr
-EcbthOGlZ9h3NNHj+npcfRa4dpxF09c8gW2AVG+nXVhciZpcnLDZ5z/Nd/510axU
-0m0PlCPfh+3L5tiia9k7zlRxjyzER/GofNiJ6v8oo8YZFvhVdbBBQoGs8aadSLH9
-5Kf3fPwm8ZhmmOTVWbFJZul/3o0Ho3yFxMVMq86Qu8Pm+h6Q1Pn7yZsXMg/ECXP/
-/ErBaWA+zuBZkgCSbdZk58cxkN45PGWGkoHHACVUvCbG8IuYQ989JeCy5w01FgFV
-IXm4squNtWgyhLZgvkhl2Hnc4pR+iYJRgh+ouyv7nELQde7hpM6YJLLUpMfjo7r5
-lJyWasZtb9E4iEl4/JrdQYMJCDEyBfDN6sTKr1Ai2txjzQA4uOECggEBAM9LDpJ+
-RR+b1rdYgtS6VL5OR1bWUHSi1W9L8Xz20wSQGbRxfEJfWmSslOU0COXvA01eOxQ9
-OvHcWxISiHdiM3QxpYNtbsgATCQbsSgegMHpbaEgJPadEkUWxdWejbtpA1ypKmGg
-iFB5H5IIcz65wWNFC3g29wrXyBsRevi+K/PTbwOzOlad7AAcbuuHiv73wxi5xo1P
-i6IZfjgQMKzD9AJbACAAqyvg70XT+3vlIo5ABKOw1kLuejbNBaXd1af7OfVXReL7
-BGGJmG6IzI0qP9q7fX3Iq4Gx34Sf0TSomSyW4kxtsDMPXVURMU4ssxeshh0zYFsZ
-GQgsr36mOW5cvbkCggEBAMX5gJTrAW47GgObnQWtYIHRvYO0g7Ge1fN12VzHLiap
-3a3RfhEDTVKkiugO1GxRC1NY0tcDUwrUzS/00ovDZ/8dVqMHITFj6zfA8aX6vnzA
-TnoUWINawPxFBB6FrEuXyGIVbykinuvFyk+z/DzgKzL8X5MaLymYSV+eT+9jjLHO
-pJ37S86evkljq24Ow6KB1rKb8mMsk8GDZB4JalDdGWzlG1qJkHMg7ULkEHx2lDTW
-mcuHwRtMimFPCBGqH0i+p3O1IUkodJPNYbldrEfAkzRdD4lH9B+DNYBgxP4FWhY2
-d9DTHAGCa9ZV0HjnGgPOILRmV69+9yQhNhu5010qNDcCggEABq1VP9S/Z0A+z1MT
-i8SgvCyLUbm/h7JDC723fp34uBnoKg7JwN2PbNS+Sw+9BaMISTKy1nkOcAH4EQH1
-0Vqha6m5uh0JR3ny+erGbxNkdFqPhHQjnKn8j6snHjVoPVQpno94ZQKlwWnVYX/S
-LoAPQaJUtz+V/4xpzq1md6Kwib8SwVzBkU6u7mX8EKwiBwp2B1LcmWqphcQqc6XZ
-24bIUlcaDu3Wlag+LNKiNCByV4CqZZdpn2hNGXzLJMebfTizajqwbppFTtr+xPi1
-Fgr5WZNWfHm9RIU1PPFk7LxNisklau7RkSN6jyXpn6oC7s1I2KHyBZ0uWDwQPxUd
-nndwSQKCAQA/gmrdWwZ6djtCLQmSaKws+TvypFYbBPldwNCaEsubW6Lhv/LRQl3r
-xR1KlHdQyC757eS1VTuundW1LLTeYTFbhe3lHsRnM8ahfCQJOwcgvhBu2VgLy3Fd
-fEZ2BCvhlC+UR4wBhjm1KR5dsz+Xx9IT6SI/7oZysYfYRNEf2q+n2sK0a4lGH2ar
-5G16QQJBf6WAZsa7SfGcgqn7eMnCZytg456CzN6qEEYMz1z6kI+6450yzboFJ+i8
-jr3n7Mtcas0NMW4cKf477AcNkB9UZVLT2YbCY3LNKSpgpKqNUuozdgW51/+D/HLb
-r2vRXVHbJqUXOj2m7vQZgw34lwRXPtLBAoIBAChJgVltpcWKUWqltYXCQsdPPbb4
-DQMb4bb2vV2iON2kl+UlcCdhr0f5yWoAyKjs49lcHBN2Ny4zVR0vIu/IDeX47Fx7
-n0OfcFgcnqiqiFhXkWGcfU2JHq/q5tmk5M04aCgkFM8IyEsG6ZLoi849Km9r8quu
-VfclpJ6SsMGnWo/A2eIVP9GsfqRys9ZWKJ9inZRP5Lmx6pCZa12Mn6ey0h/kxOqh
-ruJQDdV0O4PsvZhTQFhahSVyNmSKnLguq3zsyBwKRsNI9TVXMv/hs0nnwfFgtBK1
-K61c7AL4+9dtAWEnuwqy/1srZEeBr/jgTqyFyr+GQFYUMuE/uXNKCDWlIRI=
------END RSA PRIVATE KEY-----

data/server-wide/postfix/destinations

-k2.michiel.indiehosters.net, indiehosters.net, 3pp.io

data/server-wide/postfix/forwards

-/.*@somedomain.com/ person1@gmail.com, person2@hotmail.com
-/michiel@somewhere-else.net/ me@forward.net

data/server-wide/postfix/hostname

-k2.michiel.indiehosters.net

deploy/add-site.sh

-#!/bin/sh
-if [ $# -ge 4 ]; then
-  SERVER=$1
-  DOMAIN=$2
-  PEMFILE=$3
-  GITREPO=$4
-else
-  echo "Usage: sh ./deploy/add-site.sh server domain pemfile gitrepo [user]"
-  exit 1
-fi
-if [ $# -ge 5 ]; then
-  USER=$5
-else
-  USER="core"
-fi
-echo "Adding $DOMAIN to $SERVER with cert from $PEMFILE"
-echo "Remote user is $USER"
-
-ssh $USER@$SERVER sudo mkdir -p /data/per-user/$DOMAIN/nginx/data
-scp $PEMFILE $USER@$SERVER:/data/server-wide/haproxy/approved-certs/$DOMAIN.pem
-ssh $USER@$SERVER sudo sh /data/indiehosters/scripts/activate-user.sh $DOMAIN nginx $GITREPO

deploy/approve-certs.sh

-#!/bin/sh
-for i in `deploy/list-sites.sh $1`; do
-  echo "Approving combined cert for $i";
-  cp ../orchestration/TLS/combined/$i.pem ../orchestration/TLS/approved-certs/$i.pem;
-  scp ../orchestration/TLS/approved-certs/$i.pem root@$1:/data/server-wide/haproxy/approved-certs/
-done

deploy/check-cert.sh

-#!/bin/sh
-if [ $# -eq 2 ]; then
-  CA=$2
-else
-  CA="startssl"
-fi
-echo "CA is $CA"
-
-echo Some information about cert ../orchestration/TLS/cert/$1.cert:
-openssl x509 -text -in ../orchestration/TLS/cert/$1.cert | head -50 | grep -v ^\ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ 
-
-#echo Some information about chain cert ../orchestration/TLS/chain/$2.pem:
-#openssl x509 -text -in ../orchestration/TLS/chain/$2.pem
-
-#echo Some information about key ../orchestration/TLS/key/$1.key:
-#openssl rsa -text -in ../orchestration/TLS/key/$1.key
-
-cat ../orchestration/TLS/cert/$1.cert ../orchestration/TLS/chain/$CA.pem ../orchestration/TLS/key/$1.key > ../orchestration/TLS/combined/$1.pem
-
-echo Running a test server on port 4433 on this server now \(please use your browser to check\):
-openssl s_server -cert ../orchestration/TLS/combined/$1.pem -www