relay check is always performed

When ensureCertificate renews the cert, the filename will match the
nginx config cert file. The current code detects that this implies
that the cert has not changed and thus does not update mail container.

Move the notification into ensureCertificate() itself. If we have a wildcard
cert and it gets renewed when installing a new app, then mail container will
still get it.

.eslintrc.json

@@ -0,0 +1,29 @@
+{
+    "env": {
+        "es6": true,
+        "node": true
+    },
+    "extends": "eslint:recommended",
+    "parserOptions": {
+        "ecmaVersion": 2017
+    },
+    "rules": {
+        "indent": [
+            "error",
+            4
+        ],
+        "linebreak-style": [
+            "error",
+            "unix"
+        ],
+        "quotes": [
+            "error",
+            "single"
+        ],
+        "semi": [
+            "error",
+            "always"
+        ],
+        "no-console": "off"
+    }
+}

.gitattributes

@@ -1,6 +1,7 @@
 # following files are skipped when exporting using git archive
 test export-ignore
-docs export-ignore
+.jshintrc export-ignore
+.gitlab export-ignore
 .gitattributes export-ignore
 .gitignore export-ignore
 

.gitignore

@@ -1,10 +1,8 @@
 node_modules/
 coverage/
 webadmin/dist/
-setup/splash/website/
 installer/src/certs/server.key
 
 # vim swap files
 *.swp
 
-

.gitlab/issue_templates/Bug.md

@@ -0,0 +1,6 @@
+Please do not use this issue tracker for support requests and bug reports.
+This issue tracker is used by the Cloudron development team to track actual
+bugs in the code.
+
+Please use the forum at https://forum.cloudron.io to report bugs. For
+confidential issues, please email us at support@cloudron.io.

.gitlab/issue_templates/Feature.md

@@ -0,0 +1,7 @@
+Please do not use this issue tracker for support requests and feature reports.
+This issue tracker is used by the Cloudron development team to track issues in
+the code.
+
+Please use the forum at https://forum.cloudron.io to report bugs. For
+confidential issues, please email us at support@cloudron.io.
+

.jshintrc

@@ -1,8 +0,0 @@
-{
-    "node": true,
-    "browser": true,
-    "unused": true,
-    "globalstrict": true,
-    "predef": [ "angular", "$" ],
-    "esnext": true
-}

CHANGES

@@ -1161,3 +1161,392 @@
 * Set max email recepient limit (in outgoing emails) to 500
 * Put terminal and app logs viewer to separate window
 
+[1.9.2]
+* Prepare Cloudron for supporting multiple domains
+* Add Cloudron restore UI
+* Do not put app in errored state if backup fails
+* Display backup progress in CaaS
+* Add Google Cloud Storage backend for backups
+* Update node to 8.9.3 LTS
+* Set max email recepient limit (in outgoing emails) to 500
+* Put terminal and app logs viewer to separate window
+
+[1.9.3]
+* Prepare Cloudron for supporting multiple domains
+* Add Cloudron restore UI
+* Do not put app in errored state if backup fails
+* Display backup progress in CaaS
+* Add Google Cloud Storage backend for backups
+* Update node to 8.9.3 LTS
+* Set max email recepient limit (in outgoing emails) to 500
+* Put terminal and app logs viewer to separate window
+
+[1.9.4]
+* Fix typo causing LE cert renewals to fail
+
+[1.10.0]
+* Migrate mailboxes to support multiple domains
+* Update addon containers to latest versions
+* Add DigitalOcean Spaces region Singapore 1 (SGP1)
+* Configure Exoscale SOS to use new SOS NG endpoint
+* Fix S3 storage backend CopySource encoding rules
+
+[1.10.1]
+* Migrate mailboxes to support multiple domains
+* Update addon containers to latest versions
+* Add DigitalOcean Spaces region Singapore 1 (SGP1)
+* Configure Exoscale SOS to use new SOS NG endpoint
+* Fix S3 storage backend CopySource encoding rules
+
+[1.10.2]
+* Migrate mailboxes to support multiple domains
+* Update addon containers to latest versions
+* Add DigitalOcean Spaces region Singapore 1 (SGP1)
+* Configure Exoscale SOS to use new SOS NG endpoint
+* Fix S3 storage backend CopySource encoding rules
+
+[1.11.0]
+* Update Haraka to 2.8.17 to fix various crashes
+* Report dependency error for clone if backup or domain was not found
+* Enable auto-updates for major versions
+
+[2.0.0]
+* Multi-domain support
+* Update Haraka to 2.8.18
+* Split box and app autoupdate pattern settings
+* Stop and disable any pre-installed postfix server
+* Migrate altDomain as a manual DNS provider
+* Use node's native dns resolve instead of dig
+* DNS records can now be a A record or a CNAME record
+* Fix generation of fallback certificates to include naked domain
+* Merge multi-string DKIM records
+* scheduler: do not start cron jobs all at once
+* scheduler: give cron jobs a grace period of 30 minutes to complete
+
+[2.0.1]
+* Multi-domain support
+* Update Haraka to 2.8.18
+* Split box and app autoupdate pattern settings
+* Stop and disable any pre-installed postfix server
+* Migrate altDomain as a manual DNS provider
+* Use node's native dns resolve instead of dig
+* DNS records can now be a A record or a CNAME record
+* Fix generation of fallback certificates to include naked domain
+* Merge multi-string DKIM records
+* scheduler: do not start cron jobs all at once
+* scheduler: give cron jobs a grace period of 30 minutes to complete
+* Rework the eventlog view
+* App clone now clones the robotsTxt and backup settings
+
+[2.1.0]
+* Make S3 backend work reliably with slow internet connections
+* Update docker to 18.03.0-ce
+* Finalize the Email and Mailbox API
+* Move mailbox settings from users to email view
+* mail: fix issue where hosts with valid SPF for a Cloudron domain are unable to send mail to Cloudron
+* mail: fix crash when bounce emails have a null sender
+* Add CSP header for dashboard
+* Add support for installing private docker images
+
+[2.1.1]
+* Make S3 backend work reliably with slow internet connections
+* Update docker to 18.03.0-ce
+* Finalize the Email and Mailbox API
+* Move mailbox settings from users to email view
+* mail: fix issue where hosts with valid SPF for a Cloudron domain are unable to send mail to Cloudron
+* mail: fix crash when bounce emails have a null sender
+* Add CSP header for dashboard
+* Add support for installing private docker images
+
+[2.2.0]
+* Add 2FA support for the admin dashboard
+* Cleanup scope management in REST API
+* Enhance user creation API to take a password
+* Relax restriction on mailbox names now that it is decoupled from user management
+
+[2.2.1]
+* Add 2FA support for the admin dashboard
+* Add Gandi & GoDaddy DNS providers
+* Fix zone detection logic on Route53 accounts with more than 100 zones
+* Warn using when disabling email
+* Cleanup scope management in REST API
+* Enhance user creation API to take a password
+* Relax restriction on mailbox names now that it is decoupled from user management
+* Fix issue where mail container incorrectly advertised CRAM-MD5 support
+
+[2.3.0]
+* Add Name.com DNS provider
+* Fix issue where account setup page was crashing
+* Add advanced DNS configuration UI
+* Preserve addon/database configuration across app updates and restores
+* ManageSieve port now offers STARTTLS
+
+[2.3.1]
+* Add Name.com DNS provider
+* Fix issue where account setup page was crashing
+* Add advanced DNS configuration UI
+* Preserve addon/database configuration across app updates and restores
+* ManageSieve port now offers STARTTLS
+* Allow mailbox name to be set for apps
+* Rework the Email server UI
+* Add the ability to manually trigger a backup of an application
+* Enable/disable mail from validation within UI
+* Allow setting app visibility for non-SSO apps
+* Add Clone UI
+
+[2.3.2]
+* Fix issue where multi-db apps were not provisioned correctly
+* Improve setup, restore views to have field labels
+
+[2.4.0]
+* Use custom logging backend to have more control over log rotation
+* Make user explicitly confirm that fs backup dir is on external storage
+* Update node to 8.11.2
+* Update docker to 18.03.1
+* Fix docker exec terminal resize issue
+* Make the mailbox name follow the apps new location, if the user did not set it explicitly
+* Add backups view
+
+[2.4.1]
+* Use custom logging backend to have more control over log rotation
+* Mail logs and box logs UI
+* Make user explicitly confirm that fs backup dir is on external storage
+* Update node to 8.11.2
+* Update docker to 18.03.1
+* Fix docker exec terminal resize issue
+* Make the mailbox name follow the apps new location, if the user did not set it explicitly
+* Add backups view
+
+[3.0.0]
+* Support alternate app domains with redirects
+* Allow hyphen in mailbox names
+* Fix issue where the UI timesout when relay server is not reachable
+* Add support for personal spaces
+* Add UI to edit users in the groups dialog
+* Add UI to set groups when creating a user
+* Open logs and terminal in a new tab instead of a window
+* Add button to view backup logs
+* Add Mailjet mail relay support
+* Encryption support for incremental backups
+* Display restore errors in the UI
+* Update Haraka to 2.8.19
+* GPG verify releases
+* Allow subdomains in location field
+
+[3.0.1]
+* Support alternate app domains with redirects
+* Allow hyphen in mailbox names
+* Fix issue where the UI timesout when relay server is not reachable
+* Add support for personal spaces
+* Add UI to edit users in the groups dialog
+* Add UI to set groups when creating a user
+* Open logs and terminal in a new tab instead of a window
+* Add button to view backup logs
+* Add Mailjet mail relay support
+* Encryption support for incremental backups
+* Display restore errors in the UI
+* Update Haraka to 2.8.19
+* GPG verify releases
+* Allow subdomains in location field
+
+[3.0.2]
+* Fix issue where normal users are shown apps they don't have access to
+* Re-configure email apps when email is enabled/disabled
+
+[3.1.0]
+* Add UDP support
+* Clicking invite button does not send an invite immediately
+* Implement docker addon
+* Automatically login after password reset and account setup
+* Make backup interval configurable
+* Fix alternate domain certificate renewal
+
+[3.1.1]
+* Fix caas domain migration
+
+[3.1.2]
+* Add UDP support
+* Clicking invite button does not send an invite immediately
+* Implement docker addon
+* Automatically login after password reset and account setup
+* Make backup interval configurable
+* Fix alternate domain certificate renewal
+* API token can now have a name
+
+[3.1.3]
+* Prevent dashboard domain from being deleted
+* Add alternateDomains to app install route
+* cloudflare: Fix crash when access denied
+
+[3.1.4]
+* Fix issue where support tab was redirecting
+
+[3.2.0]
+* Add DO Spaces SFO2 region
+* Wildcard DNS now validates the config
+* Add ACMEv2 support
+* Add Wildcard Let's Encrypt provider
+
+[3.2.1]
+* Add acme2 support. This provides DNS based validation removing inbound port 80 requirement
+* Add support for wildcard certificates
+* Allow mailbox name to be reset to the buit-in '.app' name
+* Fix permission issue when restoring a Cloudron
+* Fix a crash when restoring Cloudron
+* Allow alternate domains to be set in app installation REST API
+* Add SFO2 region for DigitalOcean Spaces
+* Show the title in port bindings instead of the long description
+
+[3.2.2]
+* Update Haraka to 2.8.20
+* (mail) Fix issue where LDAP connections where not cleaned up
+
+[3.3.0]
+* Use new addons with REST APIs
+* Ubuntu 18.04 LTS support
+* Custom env vars can be set per application
+* Add a button to renew certs
+* Add better support for private builds
+* cloudflare: Fix crash when using bad email
+* cloudflare: HTTP proxying works now
+* add new exoscale-sos regions
+* Add UI to toggle dynamic DNS
+* Add support for hyphenated subdomains
+
+[3.3.1]
+* Use new addons with REST APIs
+* Ubuntu 18.04 LTS support
+* Custom env vars can be set per application
+* Add a button to renew certs
+* Add better support for private builds
+* cloudflare: Fix crash when using bad email
+* cloudflare: HTTP proxying works now
+* add new exoscale-sos regions
+* Add UI to toggle dynamic DNS
+* Add support for hyphenated subdomains
+
+[3.3.2]
+* Use new addons with REST APIs
+* Ubuntu 18.04 LTS support
+* Custom env vars can be set per application
+* Add a button to renew certs
+* Add better support for private builds
+* cloudflare: Fix crash when using bad email
+* cloudflare: HTTP proxying works now
+* add new exoscale-sos regions
+* Add UI to toggle dynamic DNS
+* Add support for hyphenated subdomains
+* Add domain, mail events to eventlog
+
+[3.3.3]
+* Use new addons with REST APIs
+* Ubuntu 18.04 LTS support
+* Custom env vars can be set per application
+* Add a button to renew certs
+* Add better support for private builds
+* cloudflare: Fix crash when using bad email
+* cloudflare: HTTP proxying works now
+* add new exoscale-sos regions
+* Add UI to toggle dynamic DNS
+* Add support for hyphenated subdomains
+* Add domain, mail events to eventlog
+
+[3.3.4]
+* Use new addons with REST APIs
+* Ubuntu 18.04 LTS support
+* Custom env vars can be set per application
+* Add a button to renew certs
+* Add better support for private builds
+* cloudflare: Fix crash when using bad email
+* cloudflare: HTTP proxying works now
+* add new exoscale-sos regions
+* Add UI to toggle dynamic DNS
+* Add support for hyphenated subdomains
+* Add domain, mail events to eventlog
+
+[3.4.0]
+* Improve error page
+* Add system view to manage addons and view their status
+* Fix iconset regression for account and Cloudron name edits
+* Add server reboot button and warn if reboot is required for security updates
+* Backup and update tasks are now cancelable
+* Move graphite away from port 3000 (reserved by ESXi)
+* Flexible mailbox management
+* Automatic updates can be toggled per app
+
+[3.4.1]
+* Improve error page
+* Add system view to manage addons and view their status
+* Fix iconset regression for account and Cloudron name edits
+* Add server reboot button and warn if reboot is required for security updates
+* Backup and update tasks are now cancelable
+* Move graphite away from port 3000 (reserved by ESXi)
+* Flexible mailbox management
+* Automatic updates can be toggled per app
+
+[3.4.2]
+* Improve error page
+* Add system view to manage addons and view their status
+* Fix iconset regression for account and Cloudron name edits
+* Add server reboot button and warn if reboot is required for security updates
+* Backup and update tasks are now cancelable
+* Move graphite away from port 3000 (reserved by ESXi)
+* Flexible mailbox management
+* Automatic updates can be toggled per app
+
+[3.4.3]
+* Improve error page
+* Add system view to manage addons and view their status
+* Fix iconset regression for account and Cloudron name edits
+* Add server reboot button and warn if reboot is required for security updates
+* Backup and update tasks are now cancelable
+* Move graphite away from port 3000 (reserved by ESXi)
+* Flexible mailbox management
+* Automatic updates can be toggled per app
+* Fix issue where OOM mails are sent out without a rate limit
+
+[3.5.0]
+* Add UI to switch dashboard domain
+* Fix remote support button to not remove misparsed ssh keys
+* cloudflare: preseve domain proxying status
+* Fix issue where oom killer might kill the box code or the updater
+* Add contabo and netcup as supported providers
+* Allow full logs to be downloaded
+* Update Haraka to 2.8.22
+* Log events in the mail container
+* Fix issue where SpamAssassin and SPF checks were run for outbound email
+* Improve various eventlog messages
+* Track dyndns change events
+* Add new S3 regions - Paris/Stockholm/Osaka
+* Retry errored downloads during restore
+* Add user pagination UI
+* Add namecheap as supported DNS provider
+
+[3.5.1]
+* Add dashboard domain change event
+* Fix issue where notification email were sent from incorrect domain
+* Alert about configuration issues in the notification UI
+* Switching dashboard domain now updates MX, SPF records
+* Mailbox and lists UI is now always visible (but disabled) when incoming email is disabled
+* Fix issue where long passwords were not accepted
+* DNS and backup credential secrets are not returned in API calls anymore
+* Send notification when an app that went down, came back up
+
+[3.5.2]
+* Fix encoding of links in plain text email
+* Hide mail relay password
+* Do not return API tokens in REST API
+
+[3.5.3]
+* Make reboot required check server side
+* Update node to 10.15.1
+* Enable gzip compression for large objects
+* Update docker to 18.09
+* Add a way to lock specific settings
+* Add UI to copy app's backup id
+* Block platform updates based on app manifest constraints
+* Make crash logs viewable via the dashboard
+* Fix issue where uploading of filenames with brackets and plus was not working
+* Add notification for cert renewal and backup failures
+* Fix issue where mail container was not updated with the latest certificate
+

LICENSE

@@ -1,661 +1,35 @@
-                    GNU AFFERO GENERAL PUBLIC LICENSE
-                       Version 3, 19 November 2007
+The Cloudron Subscription license
+Copyright (c) 2019 Cloudron UG
+
+With regard to the Cloudron Software:
+
+This software and associated documentation files (the "Software") may only be
+used in production, if you (and any entity that you represent) have agreed to,
+and are in compliance with, the Cloudron Subscription Terms of Service, available
+at https://cloudron.io/legal/terms.html (the “Subscription Terms”), or other
+agreement governing the use of the Software, as agreed by you and Cloudron,
+and otherwise have a valid Cloudron Subscription. Subject to the foregoing sentence,
+you are free to modify this Software and publish patches to the Software. You agree
+that Subscription and/or its licensors (as applicable) retain all right, title and
+interest in and to all such modifications and/or patches, and all such modifications
+and/or patches may only be used, copied, modified, displayed, distributed, or otherwise
+exploited with a valid Cloudron subscription. Notwithstanding the foregoing, you may copy
+and modify the Software for development and testing purposes, without requiring a
+subscription.  You agree that Cloudron and/or its licensors (as applicable) retain
+all right, title and interest in and to all such modifications.  You are not
+granted any other rights beyond what is expressly stated herein.  Subject to the
+foregoing, it is forbidden to copy, merge, publish, distribute, sublicense,
+and/or sell the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.
+
+For all third party components incorporated into the Cloudron Software, those
+components are licensed under the original license provided by the owner of the
+applicable component.
 
- Copyright (C) 2007 Free Software Foundation, Inc. <http://fsf.org/>
- Everyone is permitted to copy and distribute verbatim copies
- of this license document, but changing it is not allowed.
-
-                            Preamble
-
-  The GNU Affero General Public License is a free, copyleft license for
-software and other kinds of works, specifically designed to ensure
-cooperation with the community in the case of network server software.
-
-  The licenses for most software and other practical works are designed
-to take away your freedom to share and change the works.  By contrast,
-our General Public Licenses are intended to guarantee your freedom to
-share and change all versions of a program--to make sure it remains free
-software for all its users.
-
-  When we speak of free software, we are referring to freedom, not
-price.  Our General Public Licenses are designed to make sure that you
-have the freedom to distribute copies of free software (and charge for
-them if you wish), that you receive source code or can get it if you
-want it, that you can change the software or use pieces of it in new
-free programs, and that you know you can do these things.
-
-  Developers that use our General Public Licenses protect your rights
-with two steps: (1) assert copyright on the software, and (2) offer
-you this License which gives you legal permission to copy, distribute
-and/or modify the software.
-
-  A secondary benefit of defending all users' freedom is that
-improvements made in alternate versions of the program, if they
-receive widespread use, become available for other developers to
-incorporate.  Many developers of free software are heartened and
-encouraged by the resulting cooperation.  However, in the case of
-software used on network servers, this result may fail to come about.
-The GNU General Public License permits making a modified version and
-letting the public access it on a server without ever releasing its
-source code to the public.
-
-  The GNU Affero General Public License is designed specifically to
-ensure that, in such cases, the modified source code becomes available
-to the community.  It requires the operator of a network server to
-provide the source code of the modified version running there to the
-users of that server.  Therefore, public use of a modified version, on
-a publicly accessible server, gives the public access to the source
-code of the modified version.
-
-  An older license, called the Affero General Public License and
-published by Affero, was designed to accomplish similar goals.  This is
-a different license, not a version of the Affero GPL, but Affero has
-released a new version of the Affero GPL which permits relicensing under
-this license.
-
-  The precise terms and conditions for copying, distribution and
-modification follow.
-
-                       TERMS AND CONDITIONS
-
-  0. Definitions.
-
-  "This License" refers to version 3 of the GNU Affero General Public License.
-
-  "Copyright" also means copyright-like laws that apply to other kinds of
-works, such as semiconductor masks.
-
-  "The Program" refers to any copyrightable work licensed under this
-License.  Each licensee is addressed as "you".  "Licensees" and
-"recipients" may be individuals or organizations.
-
-  To "modify" a work means to copy from or adapt all or part of the work
-in a fashion requiring copyright permission, other than the making of an
-exact copy.  The resulting work is called a "modified version" of the
-earlier work or a work "based on" the earlier work.
-
-  A "covered work" means either the unmodified Program or a work based
-on the Program.
-
-  To "propagate" a work means to do anything with it that, without
-permission, would make you directly or secondarily liable for
-infringement under applicable copyright law, except executing it on a
-computer or modifying a private copy.  Propagation includes copying,
-distribution (with or without modification), making available to the
-public, and in some countries other activities as well.
-
-  To "convey" a work means any kind of propagation that enables other
-parties to make or receive copies.  Mere interaction with a user through
-a computer network, with no transfer of a copy, is not conveying.
-
-  An interactive user interface displays "Appropriate Legal Notices"
-to the extent that it includes a convenient and prominently visible
-feature that (1) displays an appropriate copyright notice, and (2)
-tells the user that there is no warranty for the work (except to the
-extent that warranties are provided), that licensees may convey the
-work under this License, and how to view a copy of this License.  If
-the interface presents a list of user commands or options, such as a
-menu, a prominent item in the list meets this criterion.
-
-  1. Source Code.
-
-  The "source code" for a work means the preferred form of the work
-for making modifications to it.  "Object code" means any non-source
-form of a work.
-
-  A "Standard Interface" means an interface that either is an official
-standard defined by a recognized standards body, or, in the case of
-interfaces specified for a particular programming language, one that
-is widely used among developers working in that language.
-
-  The "System Libraries" of an executable work include anything, other
-than the work as a whole, that (a) is included in the normal form of
-packaging a Major Component, but which is not part of that Major
-Component, and (b) serves only to enable use of the work with that
-Major Component, or to implement a Standard Interface for which an
-implementation is available to the public in source code form.  A
-"Major Component", in this context, means a major essential component
-(kernel, window system, and so on) of the specific operating system
-(if any) on which the executable work runs, or a compiler used to
-produce the work, or an object code interpreter used to run it.
-
-  The "Corresponding Source" for a work in object code form means all
-the source code needed to generate, install, and (for an executable
-work) run the object code and to modify the work, including scripts to
-control those activities.  However, it does not include the work's
-System Libraries, or general-purpose tools or generally available free
-programs which are used unmodified in performing those activities but
-which are not part of the work.  For example, Corresponding Source
-includes interface definition files associated with source files for
-the work, and the source code for shared libraries and dynamically
-linked subprograms that the work is specifically designed to require,
-such as by intimate data communication or control flow between those
-subprograms and other parts of the work.
-
-  The Corresponding Source need not include anything that users
-can regenerate automatically from other parts of the Corresponding
-Source.
-
-  The Corresponding Source for a work in source code form is that
-same work.
-
-  2. Basic Permissions.
-
-  All rights granted under this License are granted for the term of
-copyright on the Program, and are irrevocable provided the stated
-conditions are met.  This License explicitly affirms your unlimited
-permission to run the unmodified Program.  The output from running a
-covered work is covered by this License only if the output, given its
-content, constitutes a covered work.  This License acknowledges your
-rights of fair use or other equivalent, as provided by copyright law.
-
-  You may make, run and propagate covered works that you do not
-convey, without conditions so long as your license otherwise remains
-in force.  You may convey covered works to others for the sole purpose
-of having them make modifications exclusively for you, or provide you
-with facilities for running those works, provided that you comply with
-the terms of this License in conveying all material for which you do
-not control copyright.  Those thus making or running the covered works
-for you must do so exclusively on your behalf, under your direction
-and control, on terms that prohibit them from making any copies of
-your copyrighted material outside their relationship with you.
-
-  Conveying under any other circumstances is permitted solely under
-the conditions stated below.  Sublicensing is not allowed; section 10
-makes it unnecessary.
-
-  3. Protecting Users' Legal Rights From Anti-Circumvention Law.
-
-  No covered work shall be deemed part of an effective technological
-measure under any applicable law fulfilling obligations under article
-11 of the WIPO copyright treaty adopted on 20 December 1996, or
-similar laws prohibiting or restricting circumvention of such
-measures.
-
-  When you convey a covered work, you waive any legal power to forbid
-circumvention of technological measures to the extent such circumvention
-is effected by exercising rights under this License with respect to
-the covered work, and you disclaim any intention to limit operation or
-modification of the work as a means of enforcing, against the work's
-users, your or third parties' legal rights to forbid circumvention of
-technological measures.
-
-  4. Conveying Verbatim Copies.
-
-  You may convey verbatim copies of the Program's source code as you
-receive it, in any medium, provided that you conspicuously and
-appropriately publish on each copy an appropriate copyright notice;
-keep intact all notices stating that this License and any
-non-permissive terms added in accord with section 7 apply to the code;
-keep intact all notices of the absence of any warranty; and give all
-recipients a copy of this License along with the Program.
-
-  You may charge any price or no price for each copy that you convey,
-and you may offer support or warranty protection for a fee.
-
-  5. Conveying Modified Source Versions.
-
-  You may convey a work based on the Program, or the modifications to
-produce it from the Program, in the form of source code under the
-terms of section 4, provided that you also meet all of these conditions:
-
-    a) The work must carry prominent notices stating that you modified
-    it, and giving a relevant date.
-
-    b) The work must carry prominent notices stating that it is
-    released under this License and any conditions added under section
-    7.  This requirement modifies the requirement in section 4 to
-    "keep intact all notices".
-
-    c) You must license the entire work, as a whole, under this
-    License to anyone who comes into possession of a copy.  This
-    License will therefore apply, along with any applicable section 7
-    additional terms, to the whole of the work, and all its parts,
-    regardless of how they are packaged.  This License gives no
-    permission to license the work in any other way, but it does not
-    invalidate such permission if you have separately received it.
-
-    d) If the work has interactive user interfaces, each must display
-    Appropriate Legal Notices; however, if the Program has interactive
-    interfaces that do not display Appropriate Legal Notices, your
-    work need not make them do so.
-
-  A compilation of a covered work with other separate and independent
-works, which are not by their nature extensions of the covered work,
-and which are not combined with it such as to form a larger program,
-in or on a volume of a storage or distribution medium, is called an
-"aggregate" if the compilation and its resulting copyright are not
-used to limit the access or legal rights of the compilation's users
-beyond what the individual works permit.  Inclusion of a covered work
-in an aggregate does not cause this License to apply to the other
-parts of the aggregate.
-
-  6. Conveying Non-Source Forms.
-
-  You may convey a covered work in object code form under the terms
-of sections 4 and 5, provided that you also convey the
-machine-readable Corresponding Source under the terms of this License,
-in one of these ways:
-
-    a) Convey the object code in, or embodied in, a physical product
-    (including a physical distribution medium), accompanied by the
-    Corresponding Source fixed on a durable physical medium
-    customarily used for software interchange.
-
-    b) Convey the object code in, or embodied in, a physical product
-    (including a physical distribution medium), accompanied by a
-    written offer, valid for at least three years and valid for as
-    long as you offer spare parts or customer support for that product
-    model, to give anyone who possesses the object code either (1) a
-    copy of the Corresponding Source for all the software in the
-    product that is covered by this License, on a durable physical
-    medium customarily used for software interchange, for a price no
-    more than your reasonable cost of physically performing this
-    conveying of source, or (2) access to copy the
-    Corresponding Source from a network server at no charge.
-
-    c) Convey individual copies of the object code with a copy of the
-    written offer to provide the Corresponding Source.  This
-    alternative is allowed only occasionally and noncommercially, and
-    only if you received the object code with such an offer, in accord
-    with subsection 6b.
-
-    d) Convey the object code by offering access from a designated
-    place (gratis or for a charge), and offer equivalent access to the
-    Corresponding Source in the same way through the same place at no
-    further charge.  You need not require recipients to copy the
-    Corresponding Source along with the object code.  If the place to
-    copy the object code is a network server, the Corresponding Source
-    may be on a different server (operated by you or a third party)
-    that supports equivalent copying facilities, provided you maintain
-    clear directions next to the object code saying where to find the
-    Corresponding Source.  Regardless of what server hosts the
-    Corresponding Source, you remain obligated to ensure that it is
-    available for as long as needed to satisfy these requirements.
-
-    e) Convey the object code using peer-to-peer transmission, provided
-    you inform other peers where the object code and Corresponding
-    Source of the work are being offered to the general public at no
-    charge under subsection 6d.
-
-  A separable portion of the object code, whose source code is excluded
-from the Corresponding Source as a System Library, need not be
-included in conveying the object code work.
-
-  A "User Product" is either (1) a "consumer product", which means any
-tangible personal property which is normally used for personal, family,
-or household purposes, or (2) anything designed or sold for incorporation
-into a dwelling.  In determining whether a product is a consumer product,
-doubtful cases shall be resolved in favor of coverage.  For a particular
-product received by a particular user, "normally used" refers to a
-typical or common use of that class of product, regardless of the status
-of the particular user or of the way in which the particular user
-actually uses, or expects or is expected to use, the product.  A product
-is a consumer product regardless of whether the product has substantial
-commercial, industrial or non-consumer uses, unless such uses represent
-the only significant mode of use of the product.
-
-  "Installation Information" for a User Product means any methods,
-procedures, authorization keys, or other information required to install
-and execute modified versions of a covered work in that User Product from
-a modified version of its Corresponding Source.  The information must
-suffice to ensure that the continued functioning of the modified object
-code is in no case prevented or interfered with solely because
-modification has been made.
-
-  If you convey an object code work under this section in, or with, or
-specifically for use in, a User Product, and the conveying occurs as
-part of a transaction in which the right of possession and use of the
-User Product is transferred to the recipient in perpetuity or for a
-fixed term (regardless of how the transaction is characterized), the
-Corresponding Source conveyed under this section must be accompanied
-by the Installation Information.  But this requirement does not apply
-if neither you nor any third party retains the ability to install
-modified object code on the User Product (for example, the work has
-been installed in ROM).
-
-  The requirement to provide Installation Information does not include a
-requirement to continue to provide support service, warranty, or updates
-for a work that has been modified or installed by the recipient, or for
-the User Product in which it has been modified or installed.  Access to a
-network may be denied when the modification itself materially and
-adversely affects the operation of the network or violates the rules and
-protocols for communication across the network.
-
-  Corresponding Source conveyed, and Installation Information provided,
-in accord with this section must be in a format that is publicly
-documented (and with an implementation available to the public in
-source code form), and must require no special password or key for
-unpacking, reading or copying.
-
-  7. Additional Terms.
-
-  "Additional permissions" are terms that supplement the terms of this
-License by making exceptions from one or more of its conditions.
-Additional permissions that are applicable to the entire Program shall
-be treated as though they were included in this License, to the extent
-that they are valid under applicable law.  If additional permissions
-apply only to part of the Program, that part may be used separately
-under those permissions, but the entire Program remains governed by
-this License without regard to the additional permissions.
-
-  When you convey a copy of a covered work, you may at your option
-remove any additional permissions from that copy, or from any part of
-it.  (Additional permissions may be written to require their own
-removal in certain cases when you modify the work.)  You may place
-additional permissions on material, added by you to a covered work,
-for which you have or can give appropriate copyright permission.
-
-  Notwithstanding any other provision of this License, for material you
-add to a covered work, you may (if authorized by the copyright holders of
-that material) supplement the terms of this License with terms:
-
-    a) Disclaiming warranty or limiting liability differently from the
-    terms of sections 15 and 16 of this License; or
-
-    b) Requiring preservation of specified reasonable legal notices or
-    author attributions in that material or in the Appropriate Legal
-    Notices displayed by works containing it; or
-
-    c) Prohibiting misrepresentation of the origin of that material, or
-    requiring that modified versions of such material be marked in
-    reasonable ways as different from the original version; or
-
-    d) Limiting the use for publicity purposes of names of licensors or
-    authors of the material; or
-
-    e) Declining to grant rights under trademark law for use of some
-    trade names, trademarks, or service marks; or
-
-    f) Requiring indemnification of licensors and authors of that
-    material by anyone who conveys the material (or modified versions of
-    it) with contractual assumptions of liability to the recipient, for
-    any liability that these contractual assumptions directly impose on
-    those licensors and authors.
-
-  All other non-permissive additional terms are considered "further
-restrictions" within the meaning of section 10.  If the Program as you
-received it, or any part of it, contains a notice stating that it is
-governed by this License along with a term that is a further
-restriction, you may remove that term.  If a license document contains
-a further restriction but permits relicensing or conveying under this
-License, you may add to a covered work material governed by the terms
-of that license document, provided that the further restriction does
-not survive such relicensing or conveying.
-
-  If you add terms to a covered work in accord with this section, you
-must place, in the relevant source files, a statement of the
-additional terms that apply to those files, or a notice indicating
-where to find the applicable terms.
-
-  Additional terms, permissive or non-permissive, may be stated in the
-form of a separately written license, or stated as exceptions;
-the above requirements apply either way.
-
-  8. Termination.
-
-  You may not propagate or modify a covered work except as expressly
-provided under this License.  Any attempt otherwise to propagate or
-modify it is void, and will automatically terminate your rights under
-this License (including any patent licenses granted under the third
-paragraph of section 11).
-
-  However, if you cease all violation of this License, then your
-license from a particular copyright holder is reinstated (a)
-provisionally, unless and until the copyright holder explicitly and
-finally terminates your license, and (b) permanently, if the copyright
-holder fails to notify you of the violation by some reasonable means
-prior to 60 days after the cessation.
-
-  Moreover, your license from a particular copyright holder is
-reinstated permanently if the copyright holder notifies you of the
-violation by some reasonable means, this is the first time you have
-received notice of violation of this License (for any work) from that
-copyright holder, and you cure the violation prior to 30 days after
-your receipt of the notice.
-
-  Termination of your rights under this section does not terminate the
-licenses of parties who have received copies or rights from you under
-this License.  If your rights have been terminated and not permanently
-reinstated, you do not qualify to receive new licenses for the same
-material under section 10.
-
-  9. Acceptance Not Required for Having Copies.
-
-  You are not required to accept this License in order to receive or
-run a copy of the Program.  Ancillary propagation of a covered work
-occurring solely as a consequence of using peer-to-peer transmission
-to receive a copy likewise does not require acceptance.  However,
-nothing other than this License grants you permission to propagate or
-modify any covered work.  These actions infringe copyright if you do
-not accept this License.  Therefore, by modifying or propagating a
-covered work, you indicate your acceptance of this License to do so.
-
-  10. Automatic Licensing of Downstream Recipients.
-
-  Each time you convey a covered work, the recipient automatically
-receives a license from the original licensors, to run, modify and
-propagate that work, subject to this License.  You are not responsible
-for enforcing compliance by third parties with this License.
-
-  An "entity transaction" is a transaction transferring control of an
-organization, or substantially all assets of one, or subdividing an
-organization, or merging organizations.  If propagation of a covered
-work results from an entity transaction, each party to that
-transaction who receives a copy of the work also receives whatever
-licenses to the work the party's predecessor in interest had or could
-give under the previous paragraph, plus a right to possession of the
-Corresponding Source of the work from the predecessor in interest, if
-the predecessor has it or can get it with reasonable efforts.
-
-  You may not impose any further restrictions on the exercise of the
-rights granted or affirmed under this License.  For example, you may
-not impose a license fee, royalty, or other charge for exercise of
-rights granted under this License, and you may not initiate litigation
-(including a cross-claim or counterclaim in a lawsuit) alleging that
-any patent claim is infringed by making, using, selling, offering for
-sale, or importing the Program or any portion of it.
-
-  11. Patents.
-
-  A "contributor" is a copyright holder who authorizes use under this
-License of the Program or a work on which the Program is based.  The
-work thus licensed is called the contributor's "contributor version".
-
-  A contributor's "essential patent claims" are all patent claims
-owned or controlled by the contributor, whether already acquired or
-hereafter acquired, that would be infringed by some manner, permitted
-by this License, of making, using, or selling its contributor version,
-but do not include claims that would be infringed only as a
-consequence of further modification of the contributor version.  For
-purposes of this definition, "control" includes the right to grant
-patent sublicenses in a manner consistent with the requirements of
-this License.
-
-  Each contributor grants you a non-exclusive, worldwide, royalty-free
-patent license under the contributor's essential patent claims, to
-make, use, sell, offer for sale, import and otherwise run, modify and
-propagate the contents of its contributor version.
-
-  In the following three paragraphs, a "patent license" is any express
-agreement or commitment, however denominated, not to enforce a patent
-(such as an express permission to practice a patent or covenant not to
-sue for patent infringement).  To "grant" such a patent license to a
-party means to make such an agreement or commitment not to enforce a
-patent against the party.
-
-  If you convey a covered work, knowingly relying on a patent license,
-and the Corresponding Source of the work is not available for anyone
-to copy, free of charge and under the terms of this License, through a
-publicly available network server or other readily accessible means,
-then you must either (1) cause the Corresponding Source to be so
-available, or (2) arrange to deprive yourself of the benefit of the
-patent license for this particular work, or (3) arrange, in a manner
-consistent with the requirements of this License, to extend the patent
-license to downstream recipients.  "Knowingly relying" means you have
-actual knowledge that, but for the patent license, your conveying the
-covered work in a country, or your recipient's use of the covered work
-in a country, would infringe one or more identifiable patents in that
-country that you have reason to believe are valid.
-
-  If, pursuant to or in connection with a single transaction or
-arrangement, you convey, or propagate by procuring conveyance of, a
-covered work, and grant a patent license to some of the parties
-receiving the covered work authorizing them to use, propagate, modify
-or convey a specific copy of the covered work, then the patent license
-you grant is automatically extended to all recipients of the covered
-work and works based on it.
-
-  A patent license is "discriminatory" if it does not include within
-the scope of its coverage, prohibits the exercise of, or is
-conditioned on the non-exercise of one or more of the rights that are
-specifically granted under this License.  You may not convey a covered
-work if you are a party to an arrangement with a third party that is
-in the business of distributing software, under which you make payment
-to the third party based on the extent of your activity of conveying
-the work, and under which the third party grants, to any of the
-parties who would receive the covered work from you, a discriminatory
-patent license (a) in connection with copies of the covered work
-conveyed by you (or copies made from those copies), or (b) primarily
-for and in connection with specific products or compilations that
-contain the covered work, unless you entered into that arrangement,
-or that patent license was granted, prior to 28 March 2007.
-
-  Nothing in this License shall be construed as excluding or limiting
-any implied license or other defenses to infringement that may
-otherwise be available to you under applicable patent law.
-
-  12. No Surrender of Others' Freedom.
-
-  If conditions are imposed on you (whether by court order, agreement or
-otherwise) that contradict the conditions of this License, they do not
-excuse you from the conditions of this License.  If you cannot convey a
-covered work so as to satisfy simultaneously your obligations under this
-License and any other pertinent obligations, then as a consequence you may
-not convey it at all.  For example, if you agree to terms that obligate you
-to collect a royalty for further conveying from those to whom you convey
-the Program, the only way you could satisfy both those terms and this
-License would be to refrain entirely from conveying the Program.
-
-  13. Remote Network Interaction; Use with the GNU General Public License.
-
-  Notwithstanding any other provision of this License, if you modify the
-Program, your modified version must prominently offer all users
-interacting with it remotely through a computer network (if your version
-supports such interaction) an opportunity to receive the Corresponding
-Source of your version by providing access to the Corresponding Source
-from a network server at no charge, through some standard or customary
-means of facilitating copying of software.  This Corresponding Source
-shall include the Corresponding Source for any work covered by version 3
-of the GNU General Public License that is incorporated pursuant to the
-following paragraph.
-
-  Notwithstanding any other provision of this License, you have
-permission to link or combine any covered work with a work licensed
-under version 3 of the GNU General Public License into a single
-combined work, and to convey the resulting work.  The terms of this
-License will continue to apply to the part which is the covered work,
-but the work with which it is combined will remain governed by version
-3 of the GNU General Public License.
-
-  14. Revised Versions of this License.
-
-  The Free Software Foundation may publish revised and/or new versions of
-the GNU Affero General Public License from time to time.  Such new versions
-will be similar in spirit to the present version, but may differ in detail to
-address new problems or concerns.
-
-  Each version is given a distinguishing version number.  If the
-Program specifies that a certain numbered version of the GNU Affero General
-Public License "or any later version" applies to it, you have the
-option of following the terms and conditions either of that numbered
-version or of any later version published by the Free Software
-Foundation.  If the Program does not specify a version number of the
-GNU Affero General Public License, you may choose any version ever published
-by the Free Software Foundation.
-
-  If the Program specifies that a proxy can decide which future
-versions of the GNU Affero General Public License can be used, that proxy's
-public statement of acceptance of a version permanently authorizes you
-to choose that version for the Program.
-
-  Later license versions may give you additional or different
-permissions.  However, no additional obligations are imposed on any
-author or copyright holder as a result of your choosing to follow a
-later version.
-
-  15. Disclaimer of Warranty.
-
-  THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY
-APPLICABLE LAW.  EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT
-HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY
-OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO,
-THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-PURPOSE.  THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM
-IS WITH YOU.  SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF
-ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
-
-  16. Limitation of Liability.
-
-  IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
-WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS
-THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY
-GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE
-USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF
-DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD
-PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS),
-EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF
-SUCH DAMAGES.
-
-  17. Interpretation of Sections 15 and 16.
-
-  If the disclaimer of warranty and limitation of liability provided
-above cannot be given local legal effect according to their terms,
-reviewing courts shall apply local law that most closely approximates
-an absolute waiver of all civil liability in connection with the
-Program, unless a warranty or assumption of liability accompanies a
-copy of the Program in return for a fee.
-
-                     END OF TERMS AND CONDITIONS
-
-            How to Apply These Terms to Your New Programs
-
-  If you develop a new program, and you want it to be of the greatest
-possible use to the public, the best way to achieve this is to make it
-free software which everyone can redistribute and change under these terms.
-
-  To do so, attach the following notices to the program.  It is safest
-to attach them to the start of each source file to most effectively
-state the exclusion of warranty; and each file should have at least
-the "copyright" line and a pointer to where the full notice is found.
-
-    box
-    Copyright (C) 2016,2017 Cloudron UG
-
-    This program is free software: you can redistribute it and/or modify
-    it under the terms of the GNU Affero General Public License as published
-    by the Free Software Foundation, either version 3 of the License, or
-    (at your option) any later version.
-
-    This program is distributed in the hope that it will be useful,
-    but WITHOUT ANY WARRANTY; without even the implied warranty of
-    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-    GNU Affero General Public License for more details.
-
-    You should have received a copy of the GNU Affero General Public License
-    along with this program.  If not, see <http://www.gnu.org/licenses/>.
-
-Also add information on how to contact you by electronic and paper mail.
-
-  If your software can interact with users remotely through a computer
-network, you should also make sure that it provides a way for users to
-get its source.  For example, if your program is a web application, its
-interface could display a "Source" link that leads users to an archive
-of the code.  There are many ways you could offer source, and different
-solutions will be better for different programs; see section 13 for the
-specific requirements.
-
-  You should also get your employer (if you work as a programmer) or school,
-if any, to sign a "copyright disclaimer" for the program, if necessary.
-For more information on this, and how to apply and follow the GNU AGPL, see
-<http://www.gnu.org/licenses/>.

README.md

@@ -48,6 +48,11 @@ apps up-to-date and secure.
 * [Selfhosting](https://cloudron.io/documentation/installation/) - [Pricing](https://cloudron.io/pricing.html)
 * [Managed Hosting](https://cloudron.io/managed.html)
 
+**Note:** This repo is a small part of what gets installed on your server - there is
+the dashboard, database addons, graph container, base image etc. Cloudron also relies
+on external services such as the App Store for apps to be installed. As such, don't
+clone this repo and npm install and expect something to work.
+
 ## Documentation
 
 * [Documentation](https://cloudron.io/documentation/)
@@ -59,6 +64,6 @@ the containers in the Cloudron.
 
 ## Community
 
-* [Chat](https://chat.cloudron.io/)
+* [Forum](https://forum.cloudron.io/)
 * [Support](mailto:support@cloudron.io)
 

VERSION

@@ -0,0 +1 @@
+# release version. do not edit manually

baseimage/digitalocean.sh

@@ -29,7 +29,7 @@ function create_droplet() {
     local ssh_key_id="$1"
     local box_name="$2"
 
-    local image_region="sfo1"
+    local image_region="sfo2"
     local ubuntu_image_slug="ubuntu-16-04-x64"
     local box_size="1gb"
 

baseimage/initializeBaseUbuntuImage.sh

@@ -14,8 +14,11 @@ function die {
 
 export DEBIAN_FRONTEND=noninteractive
 
+# hold grub since updating it breaks on some VPS providers. also, dist-upgrade will trigger it
+apt-mark hold grub* >/dev/null
 apt-get -o Dpkg::Options::="--force-confdef" update -y
-apt-get -o Dpkg::Options::="--force-confdef" dist-upgrade -y
+apt-get -o Dpkg::Options::="--force-confdef" upgrade -y
+apt-mark unhold grub* >/dev/null
 
 echo "==> Installing required packages"
 
@@ -23,20 +26,26 @@ debconf-set-selections <<< 'mysql-server mysql-server/root_password password pas
 debconf-set-selections <<< 'mysql-server mysql-server/root_password_again password password'
 
 # this enables automatic security upgrades (https://help.ubuntu.com/community/AutomaticSecurityUpdates)
+# resolvconf is needed for unbound to work property after disabling systemd-resolved in 18.04
+ubuntu_version=$(lsb_release -rs)
+ubuntu_codename=$(lsb_release -cs)
+gpg_package=$([[ "${ubuntu_version}" == "16.04" ]] && echo "gnupg" || echo "gpg")
 apt-get -y install \
     acl \
-    awscli \
     build-essential \
     cron \
     curl \
     dmsetup \
+    $gpg_package \
     iptables \
+    libpython2.7 \
     logrotate \
     mysql-server-5.7 \
     nginx-full \
     openssh-server \
     pwgen \
-    rcconf \
+    resolvconf \
+    sudo \
     swaks \
     unattended-upgrades \
     unbound \
@@ -47,10 +56,10 @@ apt-get -y install \
 cp /usr/share/unattended-upgrades/20auto-upgrades /etc/apt/apt.conf.d/20auto-upgrades
 
 echo "==> Installing node.js"
-mkdir -p /usr/local/node-8.9.3
-curl -sL https://nodejs.org/dist/v8.9.3/node-v8.9.3-linux-x64.tar.gz | tar zxvf - --strip-components=1 -C /usr/local/node-8.9.3
-ln -sf /usr/local/node-8.9.3/bin/node /usr/bin/node
-ln -sf /usr/local/node-8.9.3/bin/npm /usr/bin/npm
+mkdir -p /usr/local/node-10.15.1
+curl -sL https://nodejs.org/dist/v10.15.1/node-v10.15.1-linux-x64.tar.gz | tar zxvf - --strip-components=1 -C /usr/local/node-10.15.1
+ln -sf /usr/local/node-10.15.1/bin/node /usr/bin/node
+ln -sf /usr/local/node-10.15.1/bin/npm /usr/bin/npm
 apt-get install -y python   # Install python which is required for npm rebuild
 [[ "$(python --version 2>&1)" == "Python 2.7."* ]] || die "Expecting python version to be 2.7.x"
 
@@ -61,10 +70,13 @@ echo "==> Installing Docker"
 mkdir -p /etc/systemd/system/docker.service.d
 echo -e "[Service]\nExecStart=\nExecStart=/usr/bin/dockerd -H fd:// --log-driver=journald --exec-opt native.cgroupdriver=cgroupfs --storage-driver=overlay2" > /etc/systemd/system/docker.service.d/cloudron.conf
 
-curl -sL https://download.docker.com/linux/ubuntu/dists/xenial/pool/stable/amd64/docker-ce_17.09.0~ce-0~ubuntu_amd64.deb -o /tmp/docker.deb
+# there are 3 packages for docker - containerd, CLI and the daemon
+curl -sL "https://download.docker.com/linux/ubuntu/dists/${ubuntu_codename}/pool/stable/amd64/containerd.io_1.2.2-3_amd64.deb" -o /tmp/containerd.deb
+curl -sL "https://download.docker.com/linux/ubuntu/dists/${ubuntu_codename}/pool/stable/amd64/docker-ce-cli_18.09.2~3-0~ubuntu-${ubuntu_codename}_amd64.deb" -o /tmp/docker-ce-cli.deb
+curl -sL "https://download.docker.com/linux/ubuntu/dists/${ubuntu_codename}/pool/stable/amd64/docker-ce_18.09.2~3-0~ubuntu-${ubuntu_codename}_amd64.deb" -o /tmp/docker.deb
 # apt install with install deps (as opposed to dpkg -i)
-apt install -y /tmp/docker.deb
-rm /tmp/docker.deb
+apt install -y /tmp/containerd.deb  /tmp/docker-ce-cli.deb /tmp/docker.deb
+rm /tmp/containerd.deb /tmp/docker-ce-cli.deb /tmp/docker.deb
 
 storage_driver=$(docker info | grep "Storage Driver" | sed 's/.*: //')
 if [[ "${storage_driver}" != "overlay2" ]]; then
@@ -72,8 +84,9 @@ if [[ "${storage_driver}" != "overlay2" ]]; then
     exit 1
 fi
 
+# do not upgrade grub because it might prompt user and break this script
 echo "==> Enable memory accounting"
-apt-get -y install grub2
+apt-get -y --no-upgrade install grub2-common
 sed -e 's/^GRUB_CMDLINE_LINUX="\(.*\)"$/GRUB_CMDLINE_LINUX="\1 cgroup_enable=memory swapaccount=1 panic_on_oops=1 panic=5"/' -i /etc/default/grub
 update-grub
 
@@ -83,11 +96,12 @@ if [ ! -f "${arg_infraversionpath}/infra_version.js" ]; then
     exit 1
 fi
 
-images=$(node -e "var i = require('${arg_infraversionpath}/infra_version.js'); console.log(i.baseImages.join(' '), Object.keys(i.images).map(function (x) { return i.images[x].tag; }).join(' '));")
+images=$(node -e "var i = require('${arg_infraversionpath}/infra_version.js'); console.log(i.baseImages.map(function (x) { return x.tag; }).join(' '), Object.keys(i.images).map(function (x) { return i.images[x].tag; }).join(' '));")
 
 echo -e "\tPulling docker images: ${images}"
 for image in ${images}; do
     docker pull "${image}"
+    docker pull "${image%@sha256:*}" # this will tag the image for readability
 done
 
 echo "==> Install collectd"
@@ -97,6 +111,11 @@ if ! apt-get install -y collectd collectd-utils; then
     sed -e 's/^FQDNLookup true/FQDNLookup false/' -i /etc/collectd/collectd.conf
 fi
 
+echo "==> Configuring host"
+sed -e 's/^#NTP=/NTP=0.ubuntu.pool.ntp.org 1.ubuntu.pool.ntp.org 2.ubuntu.pool.ntp.org 3.ubuntu.pool.ntp.org/' -i /etc/systemd/timesyncd.conf
+timedatectl set-ntp 1
+timedatectl set-timezone UTC
+
 # Disable bind for good measure (on online.net, kimsufi servers these are pre-installed and conflicts with unbound)
 systemctl stop bind9 || true
 systemctl disable bind9 || true
@@ -105,3 +124,17 @@ systemctl disable bind9 || true
 systemctl stop dnsmasq || true
 systemctl disable dnsmasq || true
 
+# on ssdnodes postfix seems to run by default
+systemctl stop postfix || true
+systemctl disable postfix || true
+
+# on ubuntu 18.04, this is the default. this requires resolvconf for DNS to work further after the disable
+systemctl stop systemd-resolved || true
+systemctl disable systemd-resolved || true
+
+# ubuntu's default config for unbound does not work if ipv6 is disabled. this config is overwritten in start.sh
+# we need unbound to work as this is required for installer.sh to do any DNS requests
+ip6=$([[ -s /proc/net/if_inet6 ]] && echo "yes" || echo "no")
+echo -e "server:\n\tinterface: 127.0.0.1\n\tdo-ip6: ${ip6}" > /etc/unbound/unbound.conf.d/cloudron-network.conf
+systemctl restart unbound
+

box.js

@@ -2,17 +2,21 @@
 
 'use strict';
 
+// prefix all output with a timestamp
+// debug() already prefixes and uses process.stderr NOT console.*
+['log', 'info', 'warn', 'debug', 'error'].forEach(function (log) {
+    var orig = console[log];
+    console[log] = function () {
+        orig.apply(console, [new Date().toISOString()].concat(Array.prototype.slice.call(arguments)));
+    };
+});
+
 require('supererror')({ splatchError: true });
 
-// remove timestamp from debug() based output
-require('debug').formatArgs = function formatArgs(args) {
-    args[0] = this.namespace + ' ' + args[0];
-};
-
-var appHealthMonitor = require('./src/apphealthmonitor.js'),
-    async = require('async'),
+let async = require('async'),
     config = require('./src/config.js'),
     ldap = require('./src/ldap.js'),
+    dockerProxy = require('./src/dockerproxy.js'),
     server = require('./src/server.js');
 
 console.log();
@@ -25,6 +29,9 @@ console.log(' Version:                        ', config.version());
 console.log(' Admin Origin:                   ', config.adminOrigin());
 console.log(' Appstore API server origin:     ', config.apiServerOrigin());
 console.log(' Appstore Web server origin:     ', config.webServerOrigin());
+console.log(' SysAdmin Port:                  ', config.get('sysadminPort'));
+console.log(' LDAP Server Port:               ', config.get('ldapPort'));
+console.log(' Docker Proxy Port:              ', config.get('dockerProxyPort'));
 console.log();
 console.log('==========================================');
 console.log();
@@ -32,7 +39,7 @@ console.log();
 async.series([
     server.start,
     ldap.start,
-    appHealthMonitor.start,
+    dockerProxy.start
 ], function (error) {
     if (error) {
         console.error('Error starting server', error);
@@ -44,13 +51,19 @@ async.series([
 var NOOP_CALLBACK = function () { };
 
 process.on('SIGINT', function () {
+    console.log('Received SIGINT. Shutting down.');
+
     server.stop(NOOP_CALLBACK);
     ldap.stop(NOOP_CALLBACK);
+    dockerProxy.stop(NOOP_CALLBACK);
     setTimeout(process.exit.bind(process), 3000);
 });
 
 process.on('SIGTERM', function () {
+    console.log('Received SIGTERM. Shutting down.');
+
     server.stop(NOOP_CALLBACK);
     ldap.stop(NOOP_CALLBACK);
+    dockerProxy.stop(NOOP_CALLBACK);
     setTimeout(process.exit.bind(process), 3000);
 });

crashnotifierservice.js

@@ -2,15 +2,27 @@
 
 'use strict';
 
-var sendFailureLogs = require('./src/logcollector').sendFailureLogs;
+var database = require('./src/database.js');
 
+var crashNotifier = require('./src/crashnotifier.js');
+
+// This is triggered by systemd with the crashed unit name as argument
 function main() {
-    if (process.argv.length !== 3) return console.error('Usage: crashnotifier.js <processName>');
+    if (process.argv.length !== 3) return console.error('Usage: crashnotifier.js <unitName>');
 
-    var processName = process.argv[2];
-    console.log('Started crash notifier for', processName);
+    var unitName = process.argv[2];
+    console.log('Started crash notifier for', unitName);
 
-    sendFailureLogs(processName, { unit: processName });
+    // eventlog api needs the db
+    database.initialize(function (error) {
+        if (error) return console.error('Cannot connect to database. Unable to send crash log.', error);
+
+        crashNotifier.sendFailureLogs(unitName, function (error) {
+            if (error) console.error(error);
+
+            process.exit();
+        });
+    });
 }
 
 main();

gulpfile.js

@@ -1,257 +0,0 @@
-/* jslint node:true */
-
-'use strict';
-
-var argv = require('yargs').argv,
-    autoprefixer = require('gulp-autoprefixer'),
-    concat = require('gulp-concat'),
-    cssnano = require('gulp-cssnano'),
-    ejs = require('gulp-ejs'),
-    gulp = require('gulp'),
-    rimraf = require('rimraf'),
-    sass = require('gulp-sass'),
-    serve = require('gulp-serve'),
-    sourcemaps = require('gulp-sourcemaps'),
-    uglify = require('gulp-uglify'),
-    url = require('url');
-
-gulp.task('3rdparty', function () {
-    gulp.src([
-        'webadmin/src/3rdparty/**/*.js',
-        'webadmin/src/3rdparty/**/*.map',
-        'webadmin/src/3rdparty/**/*.css',
-        'webadmin/src/3rdparty/**/*.otf',
-        'webadmin/src/3rdparty/**/*.eot',
-        'webadmin/src/3rdparty/**/*.svg',
-        'webadmin/src/3rdparty/**/*.gif',
-        'webadmin/src/3rdparty/**/*.ttf',
-        'webadmin/src/3rdparty/**/*.woff',
-        'webadmin/src/3rdparty/**/*.woff2'
-        ])
-        .pipe(gulp.dest('webadmin/dist/3rdparty/'))
-        .pipe(gulp.dest('setup/splash/website/3rdparty'));
-
-    gulp.src('node_modules/bootstrap-sass/assets/javascripts/bootstrap.min.js')
-        .pipe(gulp.dest('webadmin/dist/3rdparty/js'))
-        .pipe(gulp.dest('setup/splash/website/3rdparty/js'));
-});
-
-
-// --------------
-// JavaScript
-// --------------
-
-if (argv.help || argv.h) {
-    console.log('Supported arguments for "gulp develop":');
-    console.log(' --client-id <clientId>');
-    console.log(' --client-secret <clientSecret>');
-    console.log(' --api-origin <cloudron api uri>');
-
-    process.exit(1);
-}
-
-gulp.task('js', ['js-index', 'js-logs', 'js-terminal', 'js-setup', 'js-setupdns', 'js-restore', 'js-update'], function () {});
-
-var oauth = {
-    clientId: argv.clientId || 'cid-webadmin',
-    clientSecret: argv.clientSecret || 'unused',
-    apiOrigin: argv.apiOrigin || '',
-    apiOriginHostname: argv.apiOrigin ? url.parse(argv.apiOrigin).hostname : ''
-};
-
-console.log();
-console.log('Using OAuth credentials:');
-console.log(' ClientId:      %s', oauth.clientId);
-console.log(' ClientSecret:  %s', oauth.clientSecret);
-console.log(' Cloudron API:  %s', oauth.apiOrigin || 'default');
-console.log(' Cloudron Host: %s', oauth.apiOriginHostname);
-console.log();
-
-
-gulp.task('js-index', function () {
-    // needs special treatment for error handling
-    var uglifyer = uglify();
-    uglifyer.on('error', function (error) {
-        console.error(error);
-    });
-
-    gulp.src([
-        'webadmin/src/js/index.js',
-        'webadmin/src/js/client.js',
-        'webadmin/src/js/appstore.js',
-        'webadmin/src/js/main.js',
-        'webadmin/src/views/*.js'
-        ])
-        .pipe(ejs({ oauth: oauth }, {}, { ext: '.js' }))
-        .pipe(sourcemaps.init())
-        .pipe(concat('index.js', { newLine: ';' }))
-        .pipe(uglifyer)
-        .pipe(sourcemaps.write())
-        .pipe(gulp.dest('webadmin/dist/js'));
-});
-
-gulp.task('js-logs', function () {
-    // needs special treatment for error handling
-    var uglifyer = uglify();
-    uglifyer.on('error', function (error) {
-        console.error(error);
-    });
-
-    gulp.src(['webadmin/src/js/logs.js', 'webadmin/src/js/client.js'])
-        .pipe(ejs({ oauth: oauth }, {}, { ext: '.js' }))
-        .pipe(sourcemaps.init())
-        .pipe(concat('logs.js', { newLine: ';' }))
-        .pipe(uglifyer)
-        .pipe(sourcemaps.write())
-        .pipe(gulp.dest('webadmin/dist/js'));
-});
-
-gulp.task('js-terminal', function () {
-    // needs special treatment for error handling
-    var uglifyer = uglify();
-    uglifyer.on('error', function (error) {
-        console.error(error);
-    });
-
-    gulp.src(['webadmin/src/js/terminal.js', 'webadmin/src/js/client.js'])
-        .pipe(ejs({ oauth: oauth }, {}, { ext: '.js' }))
-        .pipe(sourcemaps.init())
-        .pipe(concat('terminal.js', { newLine: ';' }))
-        .pipe(uglifyer)
-        .pipe(sourcemaps.write())
-        .pipe(gulp.dest('webadmin/dist/js'));
-});
-
-gulp.task('js-setup', function () {
-    // needs special treatment for error handling
-    var uglifyer = uglify();
-    uglifyer.on('error', function (error) {
-        console.error(error);
-    });
-
-    gulp.src(['webadmin/src/js/setup.js', 'webadmin/src/js/client.js'])
-        .pipe(ejs({ oauth: oauth }, {}, { ext: '.js' }))
-        .pipe(sourcemaps.init())
-        .pipe(concat('setup.js', { newLine: ';' }))
-        .pipe(uglifyer)
-        .pipe(sourcemaps.write())
-        .pipe(gulp.dest('webadmin/dist/js'));
-});
-
-gulp.task('js-setupdns', function () {
-    // needs special treatment for error handling
-    var uglifyer = uglify();
-    uglifyer.on('error', function (error) {
-        console.error(error);
-    });
-
-    gulp.src(['webadmin/src/js/setupdns.js', 'webadmin/src/js/client.js'])
-        .pipe(ejs({ oauth: oauth }, {}, { ext: '.js' }))
-        .pipe(sourcemaps.init())
-        .pipe(concat('setupdns.js', { newLine: ';' }))
-        .pipe(uglifyer)
-        .pipe(sourcemaps.write())
-        .pipe(gulp.dest('webadmin/dist/js'));
-});
-
-gulp.task('js-restore', function () {
-    // needs special treatment for error handling
-    var uglifyer = uglify();
-    uglifyer.on('error', function (error) {
-        console.error(error);
-    });
-
-    gulp.src(['webadmin/src/js/restore.js', 'webadmin/src/js/client.js'])
-        .pipe(ejs({ oauth: oauth }, {}, { ext: '.js' }))
-        .pipe(sourcemaps.init())
-        .pipe(concat('restore.js', { newLine: ';' }))
-        .pipe(uglifyer)
-        .pipe(sourcemaps.write())
-        .pipe(gulp.dest('webadmin/dist/js'));
-});
-
-
-gulp.task('js-update', function () {
-    // needs special treatment for error handling
-    var uglifyer = uglify();
-    uglifyer.on('error', function (error) {
-        console.error(error);
-    });
-
-    gulp.src(['webadmin/src/js/update.js'])
-        .pipe(sourcemaps.init())
-        .pipe(uglifyer)
-        .pipe(sourcemaps.write())
-        .pipe(gulp.dest('webadmin/dist/js'))
-        .pipe(gulp.dest('setup/splash/website/js'));
-});
-
-
-// --------------
-// HTML
-// --------------
-
-gulp.task('html', ['html-views', 'html-update', 'html-templates'], function () {
-    return gulp.src('webadmin/src/*.html').pipe(ejs({ apiOriginHostname: oauth.apiOriginHostname }, {}, { ext: '.html' })).pipe(gulp.dest('webadmin/dist'));
-});
-
-gulp.task('html-update', function () {
-    return gulp.src(['webadmin/src/update.html']).pipe(gulp.dest('setup/splash/website'));
-});
-
-gulp.task('html-views', function () {
-    return gulp.src('webadmin/src/views/**/*.html').pipe(gulp.dest('webadmin/dist/views'));
-});
-
-gulp.task('html-templates', function () {
-    return gulp.src('webadmin/src/templates/**/*.html').pipe(gulp.dest('webadmin/dist/templates'));
-});
-
-// --------------
-// CSS
-// --------------
-
-gulp.task('css', function () {
-    return gulp.src('webadmin/src/*.scss')
-        .pipe(sourcemaps.init())
-        .pipe(sass({ includePaths: ['node_modules/bootstrap-sass/assets/stylesheets/'] }).on('error', sass.logError))
-        .pipe(autoprefixer())
-        .pipe(cssnano())
-        .pipe(sourcemaps.write())
-        .pipe(gulp.dest('webadmin/dist'))
-        .pipe(gulp.dest('setup/splash/website'));
-});
-
-gulp.task('images', function () {
-    return gulp.src('webadmin/src/img/**')
-        .pipe(gulp.dest('webadmin/dist/img'));
-});
-
-// --------------
-// Utilities
-// --------------
-
-gulp.task('watch', ['default'], function () {
-    gulp.watch(['webadmin/src/*.scss'], ['css']);
-    gulp.watch(['webadmin/src/img/*'], ['images']);
-    gulp.watch(['webadmin/src/**/*.html'], ['html']);
-    gulp.watch(['webadmin/src/views/*.html'], ['html-views']);
-    gulp.watch(['webadmin/src/templates/*.html'], ['html-templates']);
-    gulp.watch(['webadmin/src/js/update.js'], ['js-update']);
-    gulp.watch(['webadmin/src/js/setup.js', 'webadmin/src/js/client.js'], ['js-setup']);
-    gulp.watch(['webadmin/src/js/setupdns.js', 'webadmin/src/js/client.js'], ['js-setupdns']);
-    gulp.watch(['webadmin/src/js/restore.js', 'webadmin/src/js/client.js'], ['js-restore']);
-    gulp.watch(['webadmin/src/js/logs.js', 'webadmin/src/js/client.js'], ['js-logs']);
-    gulp.watch(['webadmin/src/js/terminal.js', 'webadmin/src/js/client.js'], ['js-terminal']);
-    gulp.watch(['webadmin/src/js/index.js', 'webadmin/src/js/client.js', 'webadmin/src/js/appstore.js', 'webadmin/src/js/main.js', 'webadmin/src/views/*.js'], ['js-index']);
-    gulp.watch(['webadmin/src/3rdparty/**/*'], ['3rdparty']);
-});
-
-gulp.task('clean', function () {
-    rimraf.sync('webadmin/dist');
-    rimraf.sync('setup/splash/website');
-});
-
-gulp.task('default', ['clean', 'html', 'js', '3rdparty', 'images', 'css'], function () {});
-
-gulp.task('develop', ['watch'], serve({ root: 'webadmin/dist', port: 4000 }));

migrations/20160208031241-groups-add-table.js

@@ -1,7 +1,7 @@
 'use strict';
 
 exports.up = function(db, callback) {
-    var cmd = "CREATE TABLE groups(" +
+    var cmd = "CREATE TABLE userGroups(" +
                 "id VARCHAR(128) NOT NULL UNIQUE," +
                 "name VARCHAR(128) NOT NULL UNIQUE," +
                 "PRIMARY KEY(id))";
@@ -13,7 +13,7 @@ exports.up = function(db, callback) {
 };
 
 exports.down = function(db, callback) {
-    db.runSql('DROP TABLE groups', function (error) {
+    db.runSql('DROP TABLE userGroups', function (error) {
         if (error) console.error(error);
         callback(error);
     });

migrations/20160208100000-groupMembers-add-table.js

@@ -4,7 +4,7 @@ exports.up = function(db, callback) {
 	var cmd = "CREATE TABLE IF NOT EXISTS groupMembers(" +
     			"groupId VARCHAR(128) NOT NULL," +
     			"userId VARCHAR(128) NOT NULL," +
-    			"FOREIGN KEY(groupId) REFERENCES groups(id)," +
+    			"FOREIGN KEY(groupId) REFERENCES userGroups(id)," +
     			"FOREIGN KEY(userId) REFERENCES users(id));";
 
     db.runSql(cmd, function (error) {

migrations/20160208164735-groups-add-admin.js

@@ -7,7 +7,7 @@ var ADMIN_GROUP_ID = 'admin'; // see constants.js
 exports.up = function(db, callback) {
 	async.series([
 		db.runSql.bind(db, 'START TRANSACTION;'),
-		db.runSql.bind(db, 'INSERT INTO groups (id, name) VALUES (?, ?)', [ ADMIN_GROUP_ID, 'admin' ]),
+		db.runSql.bind(db, 'INSERT INTO userGroups (id, name) VALUES (?, ?)', [ ADMIN_GROUP_ID, 'admin' ]),
 		function migrateAdminFlag(done) {
 			db.all('SELECT * FROM users WHERE admin=1', function (error, results) {
 				if (error) return done(error);

migrations/20160921205726-mailboxes-add-ownerId.js

@@ -10,7 +10,7 @@ exports.up = function(db, callback) {
         function addGroupMailboxes(done) {
             console.log('Importing group mailboxes');
 
-            db.all('SELECT id, name FROM groups', function (error, results) {
+            db.all('SELECT id, name FROM userGroups', function (error, results) {
                 if (error) return done(error);
 
                 async.eachSeries(results, function (g, next) {

migrations/20171118000000-ensure-collation-utf8_bin.js

@@ -16,7 +16,7 @@ exports.up = function(db, callback) {
         db.runSql.bind(db, 'ALTER TABLE clients CONVERT TO CHARACTER SET utf8 COLLATE utf8_bin'),
         db.runSql.bind(db, 'ALTER TABLE eventlog CONVERT TO CHARACTER SET utf8 COLLATE utf8_bin'),
         db.runSql.bind(db, 'ALTER TABLE groupMembers CONVERT TO CHARACTER SET utf8 COLLATE utf8_bin'),
-        db.runSql.bind(db, 'ALTER TABLE groups CONVERT TO CHARACTER SET utf8 COLLATE utf8_bin'),
+        db.runSql.bind(db, 'ALTER TABLE userGroups CONVERT TO CHARACTER SET utf8 COLLATE utf8_bin'),
         db.runSql.bind(db, 'ALTER TABLE mailboxes CONVERT TO CHARACTER SET utf8 COLLATE utf8_bin'),
         db.runSql.bind(db, 'ALTER TABLE migrations CONVERT TO CHARACTER SET utf8 COLLATE utf8_bin'),
         db.runSql.bind(db, 'ALTER TABLE settings CONVERT TO CHARACTER SET utf8 COLLATE utf8_bin'),

migrations/20171118000001-apps-add-domain.js

@@ -29,7 +29,7 @@ exports.up = function(db, callback) {
 
                 // this will be finally created once we have a domain when we create the owner in user.js
                 const ADMIN_GROUP_ID = 'admin'; // see constants.js
-                db.runSql('DELETE FROM groups WHERE id = ?', [ ADMIN_GROUP_ID ], function (error) {
+                db.runSql('DELETE FROM userGroups WHERE id = ?', [ ADMIN_GROUP_ID ], function (error) {
                     if (error) return done(error);
 
                     db.runSql('DELETE FROM mailboxes WHERE ownerId = ?', [ ADMIN_GROUP_ID ], done);

migrations/20180121061357-mail-create-table.js

@@ -0,0 +1,24 @@
+'use strict';
+
+exports.up = function(db, callback) {
+    var cmd = 'CREATE TABLE IF NOT EXISTS mail(' +
+                'domain VARCHAR(128) NOT NULL UNIQUE,' +
+                'enabled BOOLEAN DEFAULT 0,' +
+                'mailFromValidation BOOLEAN DEFAULT 1,' +
+                'catchAllJson TEXT,' +
+                'relayJson TEXT,' +
+                'FOREIGN KEY(domain) REFERENCES domains(domain),' +
+                'PRIMARY KEY(domain)) CHARACTER SET utf8 COLLATE utf8_bin';
+
+    db.runSql(cmd, function (error) {
+        if (error) console.error(error);
+        callback(error);
+    });
+};
+
+exports.down = function(db, callback) {
+    db.runSql('DROP TABLE mail', function (error) {
+        if (error) console.error(error);
+        callback(error);
+    });
+};

migrations/20180121062945-mail-migrate-settings.js

@@ -0,0 +1,34 @@
+'use strict';
+
+exports.up = function(db, callback) {
+    db.all('SELECT * FROM domains', function (error, domains) {
+        if (error) return callback(error);
+        if (domains.length === 0) return callback();
+
+        db.all('SELECT * FROM settings', function (error, allSettings) {
+            if (error) return callback(error);
+
+            // defaults
+            var mailFromValidation = true;
+            var catchAll = [ ];
+            var relay = { provider: 'cloudron-smtp' };
+            var mailEnabled = false;
+
+            allSettings.forEach(function (setting) {
+                switch (setting.name) {
+                case 'mail_from_validation': mailFromValidation = !!setting.value; break;
+                case 'catch_all_address': catchAll = JSON.parse(setting.value); break;
+                case 'mail_relay': relay = JSON.parse(setting.value); break;
+                case 'mail_config': mailEnabled = JSON.parse(setting.value).enabled; break;
+                }
+            });
+
+            db.runSql('INSERT INTO mail (domain, enabled, mailFromValidation, catchAllJson, relayJson) VALUES (?, ?, ?, ?, ?)',
+                [ domains[0].domain, mailEnabled, mailFromValidation, JSON.stringify(catchAll), JSON.stringify(relay) ], callback);
+        });
+    });
+};
+
+exports.down = function(db, callback) {
+    callback();
+};

migrations/20180121124206-users-add-fallbackEmail.js

@@ -0,0 +1,44 @@
+'use strict';
+
+var async = require('async');
+
+exports.up = function(db, callback) {
+    db.all('SELECT * FROM users', [ ], function (error, users) {
+        if (error) return callback(error);
+
+        db.all('SELECT * FROM mail WHERE enabled=1', [ ], function (error, mailDomains) {
+            if (error) return callback(error);
+
+            async.series([
+                db.runSql.bind(db, 'START TRANSACTION;'),
+                db.runSql.bind(db, 'ALTER TABLE users DROP INDEX users_email'),
+                db.runSql.bind(db, 'ALTER TABLE users ADD COLUMN fallbackEmail VARCHAR(512) DEFAULT ""'),
+                function setDefaults(done) {
+                    async.eachSeries(users, function (user, iteratorCallback) {
+                        var defaultEmail = '';
+                        var fallbackEmail = '';
+
+                        if (mailDomains.length === 0) {
+                            defaultEmail = user.email;
+                            fallbackEmail = user.email;
+                        } else {
+                            defaultEmail = user.username ? (user.username + '@' + mailDomains[0].domain) : user.email;
+                            fallbackEmail = user.email;
+                        }
+
+                        db.runSql('UPDATE users SET email = ?, fallbackEmail = ? WHERE id = ?', [ defaultEmail, fallbackEmail, user.id ], iteratorCallback);
+                    }, done);
+                },
+                db.runSql.bind(db, 'ALTER TABLE users ADD UNIQUE users_email (email)'),
+                db.runSql.bind(db, 'COMMIT')
+            ], callback);
+        });
+    });
+};
+
+exports.down = function(db, callback) {
+    db.runSql('ALTER TABLE users DROP COLUMN fallbackEmail', function (error) {
+        if (error) console.error(error);
+        callback(error);
+    });
+};

migrations/20180131152200-domains-add-tlsConfigJson.js

@@ -0,0 +1,26 @@
+'use strict';
+
+var async = require('async');
+
+exports.up = function(db, callback) {
+    db.all('SELECT * FROM settings WHERE name = ?', [ 'tls_config' ], function (error, result) {
+        if (error) return callback(error);
+
+        var tlsConfig = (result[0] && result[0].value) ? JSON.parse(result[0].value) : { provider: 'letsencrypt-prod'};
+        tlsConfig.provider = tlsConfig.provider.replace(/$le\-/, 'letsencrypt-'); // old cloudrons had le-prod/le-staging
+
+        async.series([
+            db.runSql.bind(db, 'START TRANSACTION;'),
+            db.runSql.bind(db, 'ALTER TABLE domains ADD COLUMN tlsConfigJson TEXT'),
+            db.runSql.bind(db, 'UPDATE domains SET tlsConfigJson = ?', [ JSON.stringify(tlsConfig) ]),
+            db.runSql.bind(db, 'COMMIT')
+        ], callback);
+    });
+};
+
+exports.down = function(db, callback) {
+    db.runSql('ALTER TABLE domains DROP COLUMN tlsConfigJson', function (error) {
+        if (error) console.error(error);
+        callback(error);
+    });
+};

migrations/20180202184625-download-caas-appstore-configs.js

@@ -0,0 +1,47 @@
+'use strict';
+
+var async = require('async'),
+    fs = require('fs'),
+    superagent = require('superagent');
+
+exports.up = function(db, callback) {
+    if (!fs.existsSync('/home/yellowtent/configs/cloudron.conf')) {
+        console.log('Unable to locate cloudron.conf');
+        return callback();
+    }
+
+    var config = JSON.parse(fs.readFileSync('/home/yellowtent/configs/cloudron.conf', 'utf8'));
+
+    if (config.provider !== 'caas' || !config.fqdn) {
+        console.log('Not caas (%s) or no fqdn', config.provider, config.fqdn);
+        return callback();
+    }
+
+    db.runSql('SELECT COUNT(*) AS total FROM users', function (error, result) {
+        if (error) return callback(error);
+
+        if (result[0].total === 0) {
+            console.log('This cloudron is not activated. It will automatically get appstore and caas configs from autoprovision logic');
+            return callback();
+        }
+
+        console.log('Downloading appstore and caas config');
+
+        superagent.get(config.apiServerOrigin + `/api/v1/boxes/${config.fqdn}/config`)
+            .query({ token: config.token })
+            .timeout(30 * 1000).end(function (error, result) {
+                if (error) return callback(error);
+
+                console.log('Adding %j config', result.body);
+
+                async.series([
+                    db.runSql.bind(db, 'INSERT settings (name, value) VALUES(?, ?)', [ 'appstore_config', JSON.stringify(result.body.appstoreConfig) ]),
+                    db.runSql.bind(db, 'INSERT settings (name, value) VALUES(?, ?)', [ 'caas_config', JSON.stringify(result.body.caasConfig) ])
+                ], callback);
+            });
+    });
+};
+
+exports.down = function(db, callback) {
+    callback();
+};

migrations/20180207000000-split-autoupdate-pattern-setting.js

@@ -0,0 +1,24 @@
+'use strict';
+
+var async = require('async');
+
+exports.up = function(db, callback) {
+    db.runSql('SELECT * FROM settings WHERE name=?', ['autoupdate_pattern'], function (error, results) {
+        if (error || results.length === 0) return callback(error); // will use defaults from box code
+
+        // migrate the 'daily' update pattern
+        var appUpdatePattern = results[0].value;
+        if (appUpdatePattern === '00 00 1,3,5,23 * * *') appUpdatePattern = '00 30 1,3,5,23 * * *';
+
+        async.series([
+            db.runSql.bind(db, 'START TRANSACTION;'),
+            db.runSql.bind(db, 'DELETE FROM settings WHERE name=?', ['autoupdate_pattern']),
+            db.runSql.bind(db, 'INSERT settings (name, value) VALUES(?, ?)', ['app_autoupdate_pattern', appUpdatePattern]),
+            db.runSql.bind(db, 'COMMIT')
+        ], callback);
+    });
+};
+
+exports.down = function(db, callback) {
+    callback();
+};

migrations/20180207000001-migrate-altDomain-to-manual-domain.js

@@ -0,0 +1,121 @@
+'use strict';
+
+var async = require('async'),
+    crypto = require('crypto'),
+    fs = require('fs'),
+    os = require('os'),
+    path = require('path'),
+    safe = require('safetydance'),
+    tldjs = require('tldjs');
+
+exports.up = function(db, callback) {
+    db.all('SELECT * FROM apps', function (error, apps) {
+        if (error) return callback(error);
+
+        async.eachSeries(apps, function (app, callback) {
+            if (!app.altDomain) {
+                console.log('App %s does not use altDomain, skip', app.id);
+                return callback();
+            }
+
+            const domain = tldjs.getDomain(app.altDomain);
+            const subdomain = tldjs.getSubdomain(app.altDomain);
+            const mailboxName = (subdomain ? subdomain : JSON.parse(app.manifestJson).title.toLowerCase().replace(/[^a-zA-Z0-9]/g, '')) + '.app';
+
+            console.log('App %s is on domain %s and subdomain %s with mailbox', app.id, domain, subdomain, mailboxName);
+
+            async.series([
+                // Add domain if not exists
+                function (callback) {
+                    const query = 'INSERT INTO domains (domain, zoneName, provider, configJson, tlsConfigJson) VALUES (?, ?, ?, ?, ?)';
+                    const args = [ domain, domain, 'manual', JSON.stringify({}), JSON.stringify({ provider: 'letsencrypt-prod' }) ];
+
+                    db.runSql(query, args, function (error) {
+                        if (error && error.code !== 'ER_DUP_ENTRY') return callback(error);
+
+                        console.log('Added domain %s', domain);
+
+                        // ensure we have a fallback cert for the newly added domain. This is the same as in reverseproxy.js
+                        // WARNING this will only work on the cloudron itself not during local testing!
+                        const certFilePath = `/home/yellowtent/boxdata/certs/${domain}.host.cert`;
+                        const keyFilePath = `/home/yellowtent/boxdata/certs/${domain}.host.key`;
+
+                        if (!fs.existsSync(certFilePath) || !fs.existsSync(keyFilePath)) { // generate it
+                            let opensslConf = safe.fs.readFileSync('/etc/ssl/openssl.cnf', 'utf8');
+                            let opensslConfWithSan = `${opensslConf}\n[SAN]\nsubjectAltName=DNS:${domain}\n`;
+                            let configFile = path.join(os.tmpdir(), 'openssl-' + crypto.randomBytes(4).readUInt32LE(0) + '.conf');
+                            let certCommand = `openssl req -x509 -newkey rsa:2048 -keyout ${keyFilePath} -out ${certFilePath} -days 3650 -subj /CN=*.${domain} -extensions SAN -config ${configFile} -nodes`;
+
+                            safe.fs.writeFileSync(configFile, opensslConfWithSan, 'utf8');
+                            if (!safe.child_process.execSync(certCommand)) return callback(safe.error.message);
+                            safe.fs.unlinkSync(configFile);
+                        }
+
+                        callback();
+                    });
+                },
+                // Add domain to mail table if not exists
+                function (callback) {
+                    const query = 'INSERT INTO mail (domain, enabled, mailFromValidation, catchAllJson, relayJson) VALUES (?, ?, ?, ?, ?)';
+                    const args = [ domain, 0, 1, '[]', JSON.stringify({ provider: 'cloudron-smtp' }) ];
+
+                    db.runSql(query, args, function (error) {
+                        if (error && error.code !== 'ER_DUP_ENTRY') return callback(error);
+
+                        console.log('Added domain %s to mail table', domain);
+
+                        callback();
+                    });
+                },
+                // Remove old mailbox record if any
+                function (callback) {
+                    const query = 'DELETE FROM mailboxes WHERE ownerId=?';
+                    const args = [ app.id ];
+
+                    db.runSql(query, args, function (error) {
+                        if (error) return callback(error);
+
+                        console.log('Cleaned up mailbox record for app %s', app.id);
+
+                        callback();
+                    });
+                },
+                // Add new mailbox record
+                function (callback) {
+                    const query = 'INSERT INTO mailboxes (name, domain, ownerId, ownerType) VALUES (?, ?, ?, ?)';
+                    const args = [ mailboxName, domain, app.id, 'app' /* mailboxdb.TYPE_APP */ ];
+
+                    db.runSql(query, args, function (error) {
+                        if (error) return callback(error);
+
+                        console.log('Added mailbox record for app %s', app.id);
+
+                        callback();
+                    });
+                },
+                // Update app record
+                function (callback) {
+                    const query = 'UPDATE apps SET location=?, domain=?, altDomain=? WHERE id=?';
+                    const args = [ subdomain, domain, '', app.id ];
+
+                    db.runSql(query, args, function (error) {
+                        if (error) return error;
+
+                        console.log('Updated app %s with new domain', app.id);
+
+                        callback();
+                    });
+                }
+            ], callback);
+        }, function (error) {
+            if (error) return callback(error);
+
+            // finally drop the altDomain db field
+            db.runSql('ALTER TABLE apps DROP COLUMN altDomain', [], callback);
+        });
+    });
+};
+
+exports.down = function(db, callback) {
+    db.runSql('ALTER TABLE apps ADD COLUMN altDomain VARCHAR(256)', [], callback);
+};

migrations/20180211052642-mailboxes-alter-domains-constraint.js

@@ -0,0 +1,19 @@
+'use strict';
+
+var async = require('async');
+
+exports.up = function(db, callback) {
+    async.series([
+        db.runSql.bind(db, 'START TRANSACTION;'),
+        db.runSql.bind(db, 'ALTER TABLE mailboxes DROP FOREIGN KEY mailboxes_domain_constraint'),
+        db.runSql.bind(db, 'ALTER TABLE mailboxes ADD CONSTRAINT mailboxes_domain_constraint FOREIGN KEY(domain) REFERENCES mail(domain)'),
+        db.runSql.bind(db, 'COMMIT')
+    ], callback);
+};
+
+exports.down = function(db, callback) {
+    db.runSql('ALTER TABLE mailboxes DROP FOREIGN KEY mailboxes_domain_constraint', function (error) {
+        if (error) console.error(error);
+        callback(error);
+    });
+};

migrations/20180405222626-mailboxes-add-members.js

@@ -0,0 +1,51 @@
+'use strict';
+
+var async = require('async');
+
+exports.up = function(db, callback) {
+    var users = { }, groupMembers = { };
+
+    async.series([
+        db.runSql.bind(db, 'START TRANSACTION;'),
+        db.runSql.bind(db, 'ALTER TABLE mailboxes ADD COLUMN membersJson TEXT'),
+        function getUsers(done) {
+            db.all('SELECT * from users', [ ], function (error, results) {
+                if (error) return done(error);
+
+                results.forEach(function (result) { users[result.id] = result; });
+
+                done();
+            });
+        },
+        function getGroups(done) {
+            db.all('SELECT id, name, GROUP_CONCAT(groupMembers.userId) AS userIds ' +
+                ' FROM userGroups LEFT OUTER JOIN groupMembers ON userGroups.id = groupMembers.groupId ' +
+                ' GROUP BY userGroups.id', [ ], function (error, results) {
+                if (error) return done(error);
+
+                results.forEach(function (result) {
+                    var userIds = result.userIds ? result.userIds.split(',') : [];
+                    var members = userIds.map(function (id) { return users[id].username; });
+                    groupMembers[result.id] = members;
+                });
+
+                done();
+            });
+        },
+        function removeGroupIdAndSetMembers(done) {
+            async.eachSeries(Object.keys(groupMembers), function (gid, iteratorDone) {
+                console.log(`Migrating group id ${gid} to ${JSON.stringify(groupMembers[gid])}`);
+
+                db.runSql('UPDATE mailboxes SET membersJson = ?, ownerId = ? WHERE ownerId = ?', [ JSON.stringify(groupMembers[gid]), 'admin', gid ], iteratorDone);
+            }, done);
+        },
+        db.runSql.bind(db, 'COMMIT')
+    ], callback);
+};
+
+exports.down = function(db, callback) {
+    db.runSql('ALTER TABLE mailboxes DROP COLUMN membersJson', function (error) {
+        if (error) console.error(error);
+        callback(error);
+    });
+};

migrations/20180408014539-mailboxes-add-type.js

@@ -0,0 +1,34 @@
+'use strict';
+
+var async = require('async');
+
+exports.up = function(db, callback) {
+    async.series([
+        db.runSql.bind(db, 'START TRANSACTION;'),
+        db.runSql.bind(db, 'ALTER TABLE mailboxes ADD COLUMN type VARCHAR(16)'),
+        function addMailboxType(done) {
+            db.all('SELECT * from mailboxes', [ ], function (error, results) {
+                if (error) return done(error);
+
+                async.eachSeries(results, function (mailbox, iteratorCallback) {
+                    let type = 'mailbox';
+                    if (mailbox.aliasTarget) {
+                        type = 'alias';
+                    } else if (mailbox.membersJson) {
+                        type = 'list';
+                    }
+                    db.runSql('UPDATE mailboxes SET type = ? WHERE name = ? AND domain = ?', [ type, mailbox.name, mailbox.domain ], iteratorCallback);
+                }, done);
+            });
+        },
+        db.runSql.bind(db, 'ALTER TABLE mailboxes MODIFY type VARCHAR(16) NOT NULL'),
+        db.runSql.bind(db, 'COMMIT')
+    ], callback);
+};
+
+exports.down = function(db, callback) {
+    db.runSql('ALTER TABLE mailboxes DROP COLUMN membersJson', function (error) {
+        if (error) console.error(error);
+        callback(error);
+    });
+};

migrations/20180425142932-user-add-twoFactorAuthenticationSecret.js

@@ -0,0 +1,15 @@
+'use strict';
+
+exports.up = function(db, callback) {
+    db.runSql('ALTER TABLE users ADD COLUMN twoFactorAuthenticationSecret VARCHAR(128) DEFAULT "", ADD COLUMN twoFactorAuthenticationEnabled BOOLEAN DEFAULT false', function (error) {
+        if (error) console.error(error);
+        callback(error);
+    });
+};
+
+exports.down = function(db, callback) {
+    db.runSql('ALTER TABLE users DROP twoFactorAuthenticationSecret, DROP twoFactorAuthenticationEnabled', function (error) {
+        if (error) console.error(error);
+        callback(error);
+    });
+};

migrations/20180429235008-fixes-scopes.js

@@ -0,0 +1,21 @@
+'use strict';
+
+exports.up = function(db, callback) {
+    db.runSql('UPDATE clients SET scope=? WHERE id=? OR id=? OR id=?', ['*', 'cid-webadmin', 'cid-sdk', 'cid-cli'], function (error) {
+        if (error) console.error(error);
+
+        db.runSql('UPDATE tokens SET scope=? WHERE scope LIKE ?', ['*', '%*%'], function (error) { // remove the roleSdk
+            if (error) console.error(error);
+
+            db.runSql('UPDATE tokens SET expires=? WHERE clientId=?', [ 1525636734905, 'cid-webadmin' ], function (error) { // force webadmin to get a new token
+                if (error) console.error(error);
+
+                callback(error);
+            });
+        });
+    });
+};
+
+exports.down = function(db, callback) {
+    callback();
+};

migrations/20180511222705-apps-add-owner-id.js

@@ -0,0 +1,28 @@
+'use strict';
+
+var async = require('async');
+
+exports.up = function(db, callback) {
+    async.series([
+        db.runSql.bind(db, 'START TRANSACTION;'),
+        db.runSql.bind(db, 'ALTER TABLE apps ADD COLUMN ownerId VARCHAR(128)'),
+        function (next) {
+            db.all('SELECT id FROM users ORDER BY createdAt LIMIT 1', [ ], function (error, results) {
+                if (error || results.length === 0) return next(error);
+
+                var ownerId = results[0].id;
+                db.runSql('UPDATE apps SET ownerId=?', [ ownerId ], next);
+            });
+        },
+        db.runSql.bind(db, 'ALTER TABLE apps MODIFY ownerId VARCHAR(128) NOT NULL'),
+        db.runSql.bind(db, 'ALTER TABLE apps ADD CONSTRAINT apps_owner_constraint FOREIGN KEY(ownerId) REFERENCES users(id)'),
+        db.runSql.bind(db, 'COMMIT'),
+    ], callback);
+};
+
+exports.down = function(db, callback) {
+    db.runSql('ALTER TABLE apps DROP COLUMN ownerId', function (error) {
+        if (error) console.error(error);
+        callback(error);
+    });
+};

migrations/20180627010633-apps-add-ts.js

@@ -0,0 +1,15 @@
+'use strict';
+
+exports.up = function(db, callback) {
+    db.runSql('ALTER TABLE apps ADD COLUMN ts TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP ON UPDATE CURRENT_TIMESTAMP', function (error) {
+        if (error) console.error(error);
+        callback(error);
+    });
+};
+
+exports.down = function(db, callback) {
+    db.runSql('ALTER TABLE apps DROP COLUMN ts ', function (error) {
+        if (error) console.error(error);
+        callback(error);
+    });
+};

migrations/20180628162142-subdomains-create-table.js

@@ -0,0 +1,25 @@
+'use strict';
+
+exports.up = function(db, callback) {
+    var cmd = 'CREATE TABLE IF NOT EXISTS subdomains(' +
+                'appId VARCHAR(128) NOT NULL,' +
+                'domain VARCHAR(128) NOT NULL,' +
+                'subdomain VARCHAR(128) NOT NULL,' +
+                'type VARCHAR(128) NOT NULL,' +
+                'dnsRecordId VARCHAR(512),' +
+                'FOREIGN KEY(domain) REFERENCES domains(domain),' +
+                'FOREIGN KEY(appId) REFERENCES apps(id),' +
+                'UNIQUE (subdomain, domain)) CHARACTER SET utf8 COLLATE utf8_bin';
+
+    db.runSql(cmd, function (error) {
+        if (error) console.error(error);
+        callback(error);
+    });
+};
+
+exports.down = function(db, callback) {
+    db.runSql('DROP TABLE subdomains', function (error) {
+        if (error) console.error(error);
+        callback(error);
+    });
+};

migrations/20180628163616-migrate-app-subdomains.js

@@ -0,0 +1,28 @@
+'use strict';
+
+var async = require('async');
+
+exports.up = function(db, callback) {
+    db.all('SELECT * from apps', [ ], function (error, results) {
+        if (error) return callback(error);
+
+        var queries = [
+            db.runSql.bind(db, 'START TRANSACTION;')
+        ];
+
+        results.forEach(function (app) {
+            queries.push(db.runSql.bind(db, 'INSERT INTO subdomains (appId, domain, subdomain, type, dnsRecordId) VALUES (?, ?, ?, ?, ?)', [ app.id, app.domain, app.location, 'primary', app.dnsRecordId ]));
+        });
+
+        queries.push(db.runSql.bind(db, 'COMMIT'));
+
+        async.series(queries, callback);
+    });
+};
+
+exports.down = function(db, callback) {
+    db.runSql('DELETE FROM subdomains', function (error) {
+        if (error) console.error(error);
+        callback(error);
+    });
+};

migrations/20180629090543-remove-app-location-and-domain.js

@@ -0,0 +1,41 @@
+'use strict';
+
+var async = require('async');
+
+exports.up = function(db, callback) {
+    db.runSql('ALTER TABLE apps DROP INDEX location_domain_unique_index, DROP FOREIGN KEY apps_domain_constraint, DROP COLUMN domain, DROP COLUMN location, DROP COLUMN dnsRecordId', function (error) {
+        if (error) console.error(error);
+        callback(error);
+    });
+};
+
+exports.down = function(db, callback) {
+    db.all('SELECT * from subdomains WHERE type = ?', [ 'primary' ], function (error, results) {
+        if (error) return callback(error);
+
+        var cmd = 'ALTER TABLE apps'
+        + ' ADD COLUMN location VARCHAR(128),'
+        + ' ADD COLUMN domain VARCHAR(128),'
+        + ' ADD COLUMN dnsRecordId VARCHAR(512)';
+
+        db.runSql(cmd, function (error) {
+            if (error) return callback(error);
+
+            var queries = [ db.runSql.bind(db, 'START TRANSACTION;') ];
+            results.forEach(function (d) {
+                queries.push(db.runSql.bind(db, 'UPDATE apps SET domain = ?, location = ?, dnsRecordId = ? WHERE id = ?', [ d.domain, d.subdomain, d.appId, d.dnsRecordId ]));
+            });
+            queries.push(db.runSql.bind(db, 'COMMIT'));
+
+            async.series(queries, function (error) {
+                if (error) return callback(error);
+
+                var cmd = 'ALTER TABLE apps'
+                + ' ADD CONSTRAINT apps_domain_constraint FOREIGN KEY(domain) REFERENCES domains(domain),'
+                + ' ADD UNIQUE location_domain_unique_index (location, domain)';
+
+                db.runSql(cmd, callback);
+            });
+        });
+    });
+};

migrations/20180629201251-remove-subdomains-dnsRecordId.js

@@ -0,0 +1,15 @@
+'use strict';
+
+exports.up = function(db, callback) {
+    db.runSql('ALTER TABLE subdomains DROP COLUMN dnsRecordId', function (error) {
+        if (error) console.error(error);
+        callback(error);
+    });
+};
+
+exports.down = function(db, callback) {
+    db.runSql('ALTER TABLE subdomains ADD COLUMN dnsRecordId VARCHAR(512)', function (error) {
+        if (error) return callback(error);
+        callback();
+    });
+};

migrations/20180726213634-users-add-admin.js

@@ -0,0 +1,34 @@
+'use strict';
+
+var async = require('async');
+
+exports.up = function(db, callback) {
+    db.runSql('ALTER TABLE users ADD COLUMN admin BOOLEAN DEFAULT 0', function (error) {
+        if (error) return callback(error);
+
+        db.all('SELECT userId FROM groupMembers WHERE groupId=?', [ 'admin' ], function (error, results) {
+            if (error) return callback(error);
+
+            if (results.length === 0) return callback();
+
+            async.eachSeries(results, function (result, iteratorDone) {
+                db.runSql('UPDATE users SET admin=1 WHERE id=?', [ result.userId ], iteratorDone);
+            }, function (error) {
+                if (error) return callback(error);
+
+                async.series([
+                    db.runSql.bind(db, 'DELETE FROM groupMembers WHERE groupId=?', [ 'admin' ]),
+                    db.runSql.bind(db, 'DELETE FROM userGroups WHERE id=?', [ 'admin' ])
+                ], callback);
+            });
+        });
+    });
+};
+
+exports.down = function(db, callback) {
+    db.runSql('ALTER TABLE users DROP COLUMN admin', function (error) {
+        if (error) console.error(error);
+        callback(error);
+    });
+};
+

migrations/20180807023917-expire-existing-tokens.js

@@ -0,0 +1,13 @@
+'use strict';
+
+exports.up = function(db, callback) {
+    db.runSql('UPDATE tokens SET expires=? WHERE clientId=?', [ 1525636734905, 'cid-webadmin' ], function (error) { // force webadmin to get a new token
+        if (error) console.error(error);
+
+        callback(error);
+    });
+};
+
+exports.down = function(db, callback) {
+    callback();
+};

migrations/20180813045042-appportbindings-add-type.js

@@ -0,0 +1,18 @@
+'use strict';
+
+var async = require('async');
+
+exports.up = function(db, callback) {
+    async.series([
+        db.runSql.bind(db, 'ALTER TABLE appPortBindings ADD COLUMN type VARCHAR(8) NOT NULL DEFAULT "tcp"'),
+        db.runSql.bind(db, 'ALTER TABLE appPortBindings DROP INDEX hostPort'), // this drops the unique constraint
+        db.runSql.bind(db, 'ALTER TABLE appPortBindings DROP PRIMARY KEY, ADD PRIMARY KEY(hostPort, type)')
+    ], callback);
+};
+
+exports.down = function(db, callback) {
+    async.series([
+        db.runSql.bind(db, 'ALTER TABLE appPortBindings DROP PRIMARY KEY, ADD PRIMARY KEY(hostPort)'),
+        db.runSql.bind(db, 'ALTER TABLE appPortBindings DROP COLUMN type')
+    ], callback);
+};

migrations/20180813045043-settings-set-default-intervalSecs.js

@@ -0,0 +1,16 @@
+'use strict';
+
+exports.up = function(db, callback) {
+    db.all('SELECT value FROM settings WHERE name="backup_config"', function (error, results) {
+        if (error || results.length === 0) return callback(error);
+
+        var backupConfig = JSON.parse(results[0].value);
+        backupConfig.intervalSecs = 24 * 60 * 60;
+        db.runSql('UPDATE settings SET value=? WHERE name="backup_config"', [ JSON.stringify(backupConfig) ], callback);
+
+    });
+};
+
+exports.down = function(db, callback) {
+  callback();
+};

migrations/20180826004425-domains-hyphenate-caas.js

@@ -0,0 +1,23 @@
+'use strict';
+
+var async = require('async');
+
+exports.up = function(db, callback) {
+    // first check precondtion of domain entry in settings
+    db.all('SELECT * FROM domains', [ ], function (error, domains) {
+        if (error) return callback(error);
+
+        let caasDomains = domains.filter(function (d) { return d.provider === 'caas'; });
+
+        async.eachSeries(caasDomains, function (domain, iteratorCallback) {
+            let config = JSON.parse(domain.configJson);
+            config.hyphenatedSubdomains = true;
+
+            db.runSql('UPDATE domains SET configJson = ? WHERE domain = ?', [ JSON.stringify(config), domain.domain ], iteratorCallback);
+        }, callback);
+    });
+};
+
+exports.down = function(db, callback) {
+    callback();
+};

migrations/20180827211107-tokens-add-name.js

@@ -0,0 +1,12 @@
+'use strict';
+
+exports.up = function(db, callback) {
+    db.runSql('ALTER TABLE tokens ADD COLUMN name VARCHAR(64) DEFAULT ""', [], callback);
+};
+
+exports.down = function(db, callback) {
+    db.runSql('ALTER TABLE tokens DROP COLUMN name', function (error) {
+        if (error) console.error(error);
+        callback(error);
+    });
+};

migrations/20180907025934-domains-migrate-wildcard.js

@@ -0,0 +1,21 @@
+'use strict';
+
+var async = require('async');
+
+exports.up = function(db, callback) {
+    db.all('SELECT * from domains WHERE provider=?', [ 'manual' ], function (error, results) {
+        if (error) return callback(error);
+
+        async.eachSeries(results, function (result, iteratorDone) {
+            var config = JSON.parse(result.configJson || '{}');
+            if (!config.wildcard) return iteratorDone();
+            delete config.wildcard;
+
+            db.runSql('UPDATE domains SET provider=?, configJson=? WHERE domain=?', [ 'wildcard', JSON.stringify(config), result.domain ], iteratorDone);
+        }, callback);
+    });
+};
+
+exports.down = function(db, callback) {
+    callback();
+};

migrations/20181011202336-appEnvVars-table.js

@@ -0,0 +1,21 @@
+'use strict';
+
+exports.up = function(db, callback) {
+    var cmd = 'CREATE TABLE IF NOT EXISTS appEnvVars(' +
+                'appId VARCHAR(128) NOT NULL,' +
+                'name TEXT NOT NULL,' +
+                'value TEXT NOT NULL,' +
+                'FOREIGN KEY(appId) REFERENCES apps(id)) CHARACTER SET utf8 COLLATE utf8_bin';
+
+    db.runSql(cmd, function (error) {
+        if (error) console.error(error);
+        callback(error);
+    });
+};
+
+exports.down = function(db, callback) {
+    db.runSql('DROP TABLE appEnvVars', function (error) {
+        if (error) console.error(error);
+        callback(error);
+    });
+};

migrations/20181116191032-tasks-add-table.js

@@ -0,0 +1,27 @@
+'use strict';
+
+exports.up = function(db, callback) {
+    var cmd = 'CREATE TABLE tasks(' +
+            'id int NOT NULL AUTO_INCREMENT,' +
+            'type VARCHAR(32) NOT NULL,' +
+            'argsJson TEXT,' +
+            'percent INTEGER DEFAULT 0,' +
+            'message TEXT,' +
+            'errorMessage TEXT,' +
+            'result TEXT,' +
+            'creationTime TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP,' +
+            'ts TIMESTAMP DEFAULT CURRENT_TIMESTAMP ON UPDATE CURRENT_TIMESTAMP,' +
+            'PRIMARY KEY (id))';
+
+    db.runSql(cmd, function (error) {
+        if (error) console.error(error);
+        callback(error);
+    });
+};
+
+exports.down = function(db, callback) {
+    db.runSql('DROP TABLE tasks', function (error) {
+        if (error) console.error(error);
+        callback(error);
+    });
+};

migrations/20181203111504-rename-groups-to-userGroups.js

@@ -0,0 +1,17 @@
+'use strict';
+
+exports.up = function(db, callback) {
+    db.runSql('SELECT 1 FROM groups LIMIT 1', function (error) {
+        if (error) return callback(); // groups table does not exist
+
+        db.runSql('RENAME TABLE groups TO userGroups', function (error) {
+            if (error) console.error(error);
+            callback(error);
+        });
+    });
+};
+
+exports.down = function(db, callback) {
+    // this is a one way renaming since the previous migration steps have been already updated to match the new name
+    callback();
+};

migrations/20181203122115-ensure-default-timestamps.js

@@ -0,0 +1,17 @@
+'use strict';
+
+var async = require('async');
+
+exports.up = function(db, callback) {
+    async.series([
+        db.runSql.bind(db, 'ALTER TABLE apps MODIFY creationTime TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP'),
+        db.runSql.bind(db, 'ALTER TABLE apps MODIFY updateTime TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP'),
+        db.runSql.bind(db, 'ALTER TABLE eventlog MODIFY creationTime TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP'),
+        db.runSql.bind(db, 'ALTER TABLE backups MODIFY creationTime TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP'),
+        db.runSql.bind(db, 'ALTER TABLE mailboxes MODIFY creationTime TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP'),
+    ], callback);
+};
+
+exports.down = function(db, callback) {
+    callback();
+};

migrations/20181207042802-apps-add-mailboxName.js

@@ -0,0 +1,28 @@
+'use strict';
+
+var async = require('async');
+
+exports.up = function(db, callback) {
+    async.series([
+        db.runSql.bind(db, 'ALTER TABLE apps ADD COLUMN mailboxName VARCHAR(128)'),
+        db.runSql.bind(db, 'START TRANSACTION;'),
+
+        function migrateMailboxNames(done) {
+            db.all('SELECT * FROM mailboxes', function (error, mailboxes) {
+                if (error) return done(error);
+
+                async.eachSeries(mailboxes, function (mailbox, iteratorDone) {
+                    if (mailbox.ownerType !== 'app') return iteratorDone();
+
+                    db.runSql('UPDATE apps SET mailboxName = ? WHERE id = ?', [ mailbox.name, mailbox.ownerId ], iteratorDone);
+                }, done);
+            });
+        },
+
+        db.runSql.bind(db, 'COMMIT')
+    ], callback);
+};
+
+exports.down = function(db, callback) {
+    callback();
+};

migrations/20181207042803-mailboxes-remove-ownerType.js

@@ -0,0 +1,28 @@
+'use strict';
+
+var async = require('async');
+
+exports.up = function(db, callback) {
+    async.series([
+        db.runSql.bind(db, 'START TRANSACTION;'),
+
+        function migrateMailboxNames(done) {
+            db.all('SELECT * FROM mailboxes', function (error, mailboxes) {
+                if (error) return done(error);
+
+                async.eachSeries(mailboxes, function (mailbox, iteratorDone) {
+                    if (mailbox.ownerType !== 'app') return iteratorDone();
+
+                    db.runSql('DELETE FROM mailboxes WHERE name = ?', [ mailbox.name ], iteratorDone);
+                }, done);
+            });
+        },
+
+        db.runSql.bind(db, 'COMMIT'),
+        db.runSql.bind(db, 'ALTER TABLE mailboxes DROP COLUMN ownerType')
+    ], callback);
+};
+
+exports.down = function(db, callback) {
+    callback();
+};

migrations/20181207165827-apps-add-enableAutomaticUpdate.js

@@ -0,0 +1,16 @@
+'use strict';
+
+exports.up = function(db, callback) {
+    db.runSql('ALTER TABLE apps ADD COLUMN enableAutomaticUpdate BOOLEAN DEFAULT 1', function (error) {
+        if (error) console.error(error);
+        callback(error);
+    });
+};
+
+exports.down = function(db, callback) {
+    db.runSql('ALTER TABLE apps DROP COLUMN enableAutomaticUpdate', function (error) {
+        if (error) console.error(error);
+        callback(error);
+    });
+};
+

migrations/20181217140321-notifications-add-table.js

@@ -0,0 +1,27 @@
+'use strict';
+
+exports.up = function(db, callback) {
+    var cmd = 'CREATE TABLE notifications(' +
+        'id int NOT NULL AUTO_INCREMENT,' +
+        'userId VARCHAR(128) NOT NULL,' +
+        'eventId VARCHAR(128) NOT NULL,' +
+        'title VARCHAR(512) NOT NULL,' +
+        'message TEXT,' +
+        'action VARCHAR(512) NOT NULL,' +
+        'acknowledged BOOLEAN DEFAULT false,' +
+        'creationTime TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP,' +
+        'FOREIGN KEY(eventId) REFERENCES eventlog(id),' +
+        'PRIMARY KEY (id)) CHARACTER SET utf8 COLLATE utf8_bin';
+
+    db.runSql(cmd, function (error) {
+        if (error) console.error(error);
+        callback(error);
+    });
+};
+
+exports.down = function(db, callback) {
+    db.runSql('DROP TABLE notifications', function (error) {
+        if (error) console.error(error);
+        callback(error);
+    });
+};

migrations/20190111214233-tasks-rename-result-to-resultJson.js

@@ -0,0 +1,16 @@
+'use strict';
+
+exports.up = function(db, callback) {
+    db.runSql('ALTER TABLE tasks CHANGE result resultJson TEXT', [], function (error) {
+        if (error) console.error(error);
+
+        db.runSql('DELETE FROM tasks', callback); // empty tasks table since we have bad results format
+    });
+};
+
+exports.down = function(db, callback) {
+    db.runSql('ALTER TABLE tasks CHANGE resultJson result TEXT', [], function (error) {
+        if (error) console.error(error);
+        callback(error);
+    });
+};

migrations/20190114230513-apps-add-dataDir.js

@@ -0,0 +1,15 @@
+'use strict';
+
+exports.up = function(db, callback) {
+    db.runSql('ALTER TABLE apps ADD COLUMN dataDir VARCHAR(256) UNIQUE', function (error) {
+        if (error) console.error(error);
+        callback(error);
+    });
+};
+
+exports.down = function(db, callback) {
+    db.runSql('ALTER TABLE apps DROP COLUMN dataDir', function (error) {
+        if (error) console.error(error);
+        callback(error);
+    });
+};

migrations/20190125221223-domains-add-locked.js

@@ -0,0 +1,17 @@
+'use strict';
+
+exports.up = function(db, callback) {
+    db.runSql('ALTER TABLE domains ADD COLUMN locked BOOLEAN DEFAULT 0', function (error) {
+        if (error) return callback(error);
+
+        callback();
+    });
+};
+
+exports.down = function(db, callback) {
+    db.runSql('ALTER TABLE domains DROP COLUMN locked', function (error) {
+        if (error) console.error(error);
+        callback(error);
+    });
+};
+

migrations/20190206000000-notifications-drop-eventid-constraint.js

@@ -0,0 +1,22 @@
+'use strict';
+
+var async = require('async');
+
+exports.up = function(db, callback) {
+    async.series([
+        db.runSql.bind(db, 'START TRANSACTION;'),
+        // WARNING in the future always give constraints proper names to not rely on automatic ones
+        db.runSql.bind(db, 'ALTER TABLE notifications DROP FOREIGN KEY notifications_ibfk_1'),
+        db.runSql.bind(db, 'ALTER TABLE notifications MODIFY eventId VARCHAR(128)'),
+        db.runSql.bind(db, 'COMMIT')
+    ], callback);
+};
+
+exports.down = function(db, callback) {
+    async.series([
+        db.runSql.bind(db, 'START TRANSACTION;'),
+        db.runSql.bind(db, 'ALTER TABLE notifications MODIFY eventId VARCHAR(128) NOT NULL'),
+        db.runSql.bind(db, 'ALTER TABLE notifications ADD FOREIGN KEY(eventId) REFERENCES eventlog(id)'),
+        db.runSql.bind(db, 'COMMIT')
+    ], callback);
+};

migrations/20190209042322-namecheap-rename-apiKey-to-token.js

@@ -0,0 +1,23 @@
+'use strict';
+
+let async = require('async');
+
+exports.up = function(db, callback) {
+    db.runSql('SELECT * FROM domains', function (error, domains) {
+        if (error) return callback(error);
+
+        async.eachSeries(domains, function (domain, iteratorCallback) {
+            if (domain.provider !== 'namecheap') return iteratorCallback();
+
+            let config = JSON.parse(domain.configJson);
+            config.token = config.apiKey;
+            delete config.apiKey;
+
+            db.runSql('UPDATE domains SET configJson = ? WHERE domain = ?', [ JSON.stringify(config), domain.domain ], iteratorCallback);
+        }, callback);
+    });
+};
+
+exports.down = function(db, callback) {
+    callback();
+};

migrations/20190213000125-apps-add-healthTime.js

@@ -0,0 +1,17 @@
+'use strict';
+
+exports.up = function(db, callback) {
+    var cmd = 'ALTER TABLE apps ADD COLUMN healthTime TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP';
+
+    db.runSql(cmd, function (error) {
+        if (error) console.error(error);
+        callback(error);
+    });
+};
+
+exports.down = function(db, callback) {
+    db.runSql('ALTER TABLE apps DROP COLUMN healthTime', function (error) {
+        if (error) console.error(error);
+        callback(error);
+    });
+};

migrations/20190214222607-tokens-ensure-name.js

@@ -0,0 +1,18 @@
+'use strict';
+
+let async = require('async');
+
+exports.up = function(db, callback) {
+    db.runSql('SELECT * FROM tokens WHERE clientId=?', ['cid-sdk'], function (error, tokens) {
+        if (error) console.error(error);
+
+        async.eachSeries(tokens, function (token, iteratorDone) {
+            if (token.name) return iteratorDone();
+            db.runSql('UPDATE tokens SET name=? WHERE accessToken=?', [ 'Unnamed-' + token.accessToken.slice(0,8), token.accessToken ], iteratorDone);
+        }, callback);
+    });
+};
+
+exports.down = function(db, callback) {
+    callback();
+};

migrations/20190215215805-tokens-add-id.js

@@ -0,0 +1,29 @@
+'use strict';
+
+var async = require('async');
+var uuid = require('uuid');
+
+exports.up = function(db, callback) {
+    async.series([
+        db.runSql.bind(db, 'START TRANSACTION;'),
+
+        db.runSql.bind(db, 'ALTER TABLE tokens ADD COLUMN id VARCHAR(128)'),
+
+        function (done) {
+            db.runSql('SELECT * FROM tokens', function (error, tokens) {
+                async.eachSeries(tokens, function (token, iteratorDone) {
+                    db.runSql('UPDATE tokens SET id=? WHERE accessToken=?', [ 'tid-'+uuid.v4(), token.accessToken ], iteratorDone);
+                }, done);
+            });
+        },
+
+        db.runSql.bind(db, 'ALTER TABLE tokens MODIFY id VARCHAR(128) NOT NULL UNIQUE'),
+        db.runSql.bind(db, 'COMMIT'),
+    ], callback);
+};
+
+exports.down = function(db, callback) {
+    async.series([
+        db.runSql.bind(db, 'ALTER TABLE tokens DROP COLUMN id'),
+    ], callback);
+};

migrations/20190221215805-settings-add-locked.js

@@ -0,0 +1,17 @@
+'use strict';
+
+exports.up = function(db, callback) {
+    db.runSql('ALTER TABLE settings ADD COLUMN locked BOOLEAN DEFAULT 0', function (error) {
+        if (error) return callback(error);
+
+        callback();
+    });
+};
+
+exports.down = function(db, callback) {
+    db.runSql('ALTER TABLE settings DROP COLUMN locked', function (error) {
+        if (error) console.error(error);
+        callback(error);
+    });
+};
+

migrations/20190228225735-notifications-drop-action.js

@@ -0,0 +1,14 @@
+'use strict';
+
+var async = require('async');
+
+exports.up = function(db, callback) {
+    db.runSql('ALTER TABLE notifications DROP COLUMN action', function (error) {
+        if (error) console.error(error);
+        callback(error);
+    });
+};
+
+exports.down = function(db, callback) {
+    db.runSql('ALTER TABLE notifications ADD COLUMN action VARCHAR(512) NOT NULL', callback);
+};

migrations/20190303024631-apps-default-mailboxName.js

@@ -0,0 +1,27 @@
+'use strict';
+
+var async = require('async'),
+    crypto = require('crypto'),
+    fs = require('fs'),
+    os = require('os'),
+    path = require('path'),
+    safe = require('safetydance'),
+    tldjs = require('tldjs');
+
+exports.up = function(db, callback) {
+    db.all('SELECT * FROM apps, subdomains WHERE apps.id=subdomains.appId AND type="primary"', function (error, apps) {
+        if (error) return callback(error);
+
+        async.eachSeries(apps, function (app, iteratorDone) {
+            if (app.mailboxName) return iteratorDone();
+
+            const mailboxName = (app.subdomain ? app.subdomain : JSON.parse(app.manifestJson).title.toLowerCase().replace(/[^a-zA-Z0-9]/g, '')) + '.app';
+
+            db.runSql('UPDATE apps SET mailboxName=? WHERE id=?', [ mailboxName, app.id ], iteratorDone);
+        }, callback);
+    });
+};
+
+exports.down = function(db, callback) {
+    callback();
+};

migrations/schema.sql

@@ -21,11 +21,15 @@ CREATE TABLE IF NOT EXISTS users(
     salt VARCHAR(512) NOT NULL,
     createdAt VARCHAR(512) NOT NULL,
     modifiedAt VARCHAR(512) NOT NULL,
-    admin INTEGER NOT NULL,
-    displayName VARCHAR(512) DEFAULT '',
+    displayName VARCHAR(512) DEFAULT "",
+    fallbackEmail VARCHAR(512) DEFAULT "",
+    twoFactorAuthenticationSecret VARCHAR(128) DEFAULT "",
+    twoFactorAuthenticationEnabled BOOLEAN DEFAULT false,
+    admin BOOLEAN DEFAULT false,
+
     PRIMARY KEY(id));
 
-CREATE TABLE IF NOT EXISTS groups(
+CREATE TABLE IF NOT EXISTS userGroups(
     id VARCHAR(128) NOT NULL UNIQUE,
     name VARCHAR(254) NOT NULL UNIQUE,
     PRIMARY KEY(id));
@@ -33,12 +37,14 @@ CREATE TABLE IF NOT EXISTS groups(
 CREATE TABLE IF NOT EXISTS groupMembers(
     groupId VARCHAR(128) NOT NULL,
     userId VARCHAR(128) NOT NULL,
-    FOREIGN KEY(groupId) REFERENCES groups(id),
+    FOREIGN KEY(groupId) REFERENCES userGroups(id),
     FOREIGN KEY(userId) REFERENCES users(id));
 
 CREATE TABLE IF NOT EXISTS tokens(
+    id VARCHAR(128) NOT NULL UNIQUE,
+    name VARCHAR(64) DEFAULT "", // description
     accessToken VARCHAR(128) NOT NULL UNIQUE,
-    identifier VARCHAR(128) NOT NULL,
+    identifier VARCHAR(128) NOT NULL, // resourceId: app id or user id
     clientId VARCHAR(128),
     scope VARCHAR(512) NOT NULL,
     expires BIGINT NOT NULL, // FIXME: make this a timestamp
@@ -46,7 +52,7 @@ CREATE TABLE IF NOT EXISTS tokens(
 
 CREATE TABLE IF NOT EXISTS clients(
     id VARCHAR(128) NOT NULL UNIQUE, // prefixed with cid- to identify token easily in auth routes
-    appId VARCHAR(128) NOT NULL,
+    appId VARCHAR(128) NOT NULL,     // name of the client (for external apps) or id of app (for built-in apps)
     type VARCHAR(16) NOT NULL,
     clientSecret VARCHAR(512) NOT NULL,
     redirectURI VARCHAR(512) NOT NULL,
@@ -60,33 +66,38 @@ CREATE TABLE IF NOT EXISTS apps(
     installationProgress TEXT,
     runState VARCHAR(512),
     health VARCHAR(128),
+    healthTime TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP, // when the app last responded
     containerId VARCHAR(128),
     manifestJson TEXT,
     httpPort INTEGER,                        // this is the nginx proxy port and not manifest.httpPort
     location VARCHAR(128) NOT NULL,
     domain VARCHAR(128) NOT NULL,
-    dnsRecordId VARCHAR(512), // tracks any id that we got back to track dns updates
     accessRestrictionJson TEXT, // { users: [ ], groups: [ ] }
-    createdAt TIMESTAMP(2) NOT NULL DEFAULT CURRENT_TIMESTAMP,
-    updatedAt TIMESTAMP(2) NOT NULL DEFAULT CURRENT_TIMESTAMP,
+    creationTime TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP, // when the app was installed
+    updateTime TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP,   // when the last app update was done
+    ts TIMESTAMP DEFAULT CURRENT_TIMESTAMP ON UPDATE CURRENT_TIMESTAMP, // when this db record was updated (useful for UI caching)
     memoryLimit BIGINT DEFAULT 0,
-    altDomain VARCHAR(256),
     xFrameOptions VARCHAR(512),
     sso BOOLEAN DEFAULT 1, // whether user chose to enable SSO
     debugModeJson TEXT, // options for development mode
     robotsTxt TEXT,
     enableBackup BOOLEAN DEFAULT 1, // misnomer: controls automatic daily backups
+    enableAutomaticUpdate BOOLEAN DEFAULT 1,
+    mailboxName VARCHAR(128), // mailbox of this app. default allocated as '.app'
 
     // the following fields do not belong here, they can be removed when we use a queue for apptask
     restoreConfigJson VARCHAR(256), // used to pass backupId to restore from to apptask
-    oldConfigJson TEXT, // used to pass old config for apptask (configure, restore)
-    updateConfigJson TEXT, // used to pass new config for apptask (update)
+    oldConfigJson TEXT, // used to pass old config to apptask (configure, restore)
+    updateConfigJson TEXT, // used to pass new config to apptask (update)
 
-    FOREIGN KEY(domain) REFERENCES domains(domain),
+    ownerId VARCHAR(128),
+
+    FOREIGN KEY(ownerId) REFERENCES users(id),
     PRIMARY KEY(id));
 
 CREATE TABLE IF NOT EXISTS appPortBindings(
     hostPort INTEGER NOT NULL UNIQUE,
+    type VARCHAR(8) NOT NULL DEFAULT "tcp",
     environmentVariable VARCHAR(128) NOT NULL,
     appId VARCHAR(128) NOT NULL,
     FOREIGN KEY(appId) REFERENCES apps(id),
@@ -102,6 +113,7 @@ CREATE TABLE IF NOT EXISTS authcodes(
 CREATE TABLE IF NOT EXISTS settings(
     name VARCHAR(128) NOT NULL UNIQUE,
     value TEXT,
+    locked BOOLEAN,
     PRIMARY KEY(name));
 
 CREATE TABLE IF NOT EXISTS appAddonConfigs(
@@ -111,9 +123,15 @@ CREATE TABLE IF NOT EXISTS appAddonConfigs(
     value VARCHAR(512) NOT NULL,
     FOREIGN KEY(appId) REFERENCES apps(id));
 
+CREATE TABLE IF NOT EXISTS appEnvVars(
+    appId VARCHAR(128) NOT NULL,
+    name TEXT NOT NULL,
+    value TEXT NOT NULL,
+    FOREIGN KEY(appId) REFERENCES apps(id));
+
 CREATE TABLE IF NOT EXISTS backups(
     id VARCHAR(128) NOT NULL,
-    creationTime TIMESTAMP,
+    creationTime TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP,
     version VARCHAR(128) NOT NULL, /* app version or box version */
     type VARCHAR(16) NOT NULL, /* 'box' or 'app' */
     dependsOn TEXT, /* comma separate list of objects this backup depends on */
@@ -128,32 +146,86 @@ CREATE TABLE IF NOT EXISTS eventlog(
     action VARCHAR(128) NOT NULL,
     source TEXT, /* { userId, username, ip }. userId can be null for cron,sysadmin */
     data TEXT, /* free flowing json based on action */
-    creationTime TIMESTAMP, /* FIXME: precision must be TIMESTAMP(2) */
+    creationTime TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP,
 
     PRIMARY KEY (id));
 
-/* Future fields:
-   * accessRestriction - to determine who can access it. So this has foreign keys
-   * quota - per mailbox quota
-*/
-CREATE TABLE IF NOT EXISTS mailboxes(
-    name VARCHAR(128) NOT NULL,
-    ownerId VARCHAR(128) NOT NULL, /* app id or user id or group id */
-    ownerType VARCHAR(16) NOT NULL, /* 'app' or 'user' or 'group' */
-    aliasTarget VARCHAR(128), /* the target name type is an alias */
-    creationTime TIMESTAMP,
-    domain VARCHAR(128),
-
-    FOREIGN KEY(domain) REFERENCES domains(domain),
-    PRIMARY KEY (name));
-
 CREATE TABLE IF NOT EXISTS domains(
     domain VARCHAR(128) NOT NULL UNIQUE, /* if this needs to be larger, InnoDB has a limit of 767 bytes for PRIMARY KEY values! */
     zoneName VARCHAR(128) NOT NULL, /* this mostly contains the domain itself again */
     provider VARCHAR(16) NOT NULL,
     configJson TEXT, /* JSON containing the dns backend provider config */
+    tlsConfigJson TEXT, /* JSON containing the tls provider config */
+    locked BOOLEAN,
 
     PRIMARY KEY (domain))
 
     /* the default db collation is utf8mb4_unicode_ci but for the app table domain constraint we have to use the old one */
     CHARACTER SET utf8 COLLATE utf8_bin;
+
+CREATE TABLE IF NOT EXISTS mail(
+    domain VARCHAR(128) NOT NULL UNIQUE,
+
+    enabled BOOLEAN DEFAULT 0, /* MDA enabled */
+    mailFromValidation BOOLEAN DEFAULT 1,
+    catchAllJson TEXT,
+    relayJson TEXT,
+
+    FOREIGN KEY(domain) REFERENCES domains(domain),
+    PRIMARY KEY(domain))
+
+    CHARACTER SET utf8 COLLATE utf8_bin;
+
+/* Future fields:
+   * accessRestriction - to determine who can access it. So this has foreign keys
+   * quota - per mailbox quota
+
+   NOTE: this table exists only real mailboxes. And has unique constraint to handle
+   conflict with aliases and mailbox names
+*/
+CREATE TABLE IF NOT EXISTS mailboxes(
+    name VARCHAR(128) NOT NULL,
+    type VARCHAR(16) NOT NULL, /* 'mailbox', 'alias', 'list' */
+    ownerId VARCHAR(128) NOT NULL, /* user id */
+    aliasTarget VARCHAR(128), /* the target name type is an alias */
+    membersJson TEXT, /* members of a group */
+    creationTime TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP,
+    domain VARCHAR(128),
+
+    FOREIGN KEY(domain) REFERENCES mail(domain),
+    UNIQUE (name, domain));
+
+CREATE TABLE IF NOT EXISTS subdomains(
+    appId VARCHAR(128) NOT NULL,
+    domain VARCHAR(128) NOT NULL,
+    subdomain VARCHAR(128) NOT NULL,
+    type VARCHAR(128) NOT NULL,
+
+    FOREIGN KEY(domain) REFERENCES domains(domain),
+    FOREIGN KEY(appId) REFERENCES apps(id),
+    UNIQUE (subdomain, domain));
+
+CREATE TABLE IF NOT EXISTS tasks(
+    id int NOT NULL AUTO_INCREMENT,
+    type VARCHAR(32) NOT NULL,
+    percent INTEGER DEFAULT 0,
+    message TEXT,
+    errorMessage TEXT,
+    result TEXT,
+    creationTime TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP,
+    ts TIMESTAMP DEFAULT CURRENT_TIMESTAMP ON UPDATE CURRENT_TIMESTAMP,
+    PRIMARY KEY (id));
+
+CREATE TABLE IF NOT EXISTS notifications(
+    id int NOT NULL AUTO_INCREMENT,
+    userId VARCHAR(128) NOT NULL,
+    eventId VARCHAR(128), // reference to eventlog. can be null
+    title VARCHAR(512) NOT NULL,
+    message TEXT,
+    acknowledged BOOLEAN DEFAULT false,
+    creationTime TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP,
+
+    PRIMARY KEY (id)
+);
+
+CHARACTER SET utf8 COLLATE utf8_bin;

package.json

@@ -14,38 +14,39 @@
     "node": ">=4.0.0 <=4.1.1"
   },
   "dependencies": {
-    "@google-cloud/dns": "^0.7.0",
-    "@google-cloud/storage": "^1.2.1",
+    "@google-cloud/dns": "^0.7.2",
+    "@google-cloud/storage": "^1.7.0",
     "@sindresorhus/df": "^2.1.0",
-    "async": "^2.6.0",
-    "aws-sdk": "^2.151.0",
-    "body-parser": "^1.18.2",
-    "cloudron-manifestformat": "^2.10.0",
+    "async": "^2.6.2",
+    "aws-sdk": "^2.408.0",
+    "body-parser": "^1.18.3",
+    "cloudron-manifestformat": "^2.14.2",
+    "connect": "^3.6.6",
     "connect-ensure-login": "^0.1.1",
     "connect-lastmile": "^1.0.2",
     "connect-timeout": "^1.9.0",
-    "cookie-parser": "^1.3.5",
+    "cookie-parser": "^1.4.4",
     "cookie-session": "^1.3.2",
-    "cron": "^1.3.0",
+    "cron": "^1.6.0",
     "csurf": "^1.6.6",
-    "db-migrate": "^0.10.0-beta.24",
+    "db-migrate": "^0.11.5",
     "db-migrate-mysql": "^1.1.10",
     "debug": "^3.1.0",
-    "dockerode": "^2.5.3",
-    "ejs": "^2.5.7",
-    "ejs-cli": "^2.0.0",
-    "express": "^4.16.2",
+    "dockerode": "^2.5.8",
+    "ejs": "^2.6.1",
+    "ejs-cli": "^2.0.1",
+    "express": "^4.16.4",
     "express-session": "^1.15.6",
-    "hat": "0.0.3",
     "json": "^9.0.3",
-    "ldapjs": "^1.0.0",
+    "ldapjs": "^1.0.2",
     "lodash.chunk": "^4.2.0",
-    "mime": "^2.0.3",
-    "moment-timezone": "^0.5.14",
-    "morgan": "^1.9.0",
-    "multiparty": "^4.1.2",
+    "mime": "^2.3.1",
+    "moment-timezone": "^0.5.17",
+    "morgan": "^1.9.1",
+    "multiparty": "^4.1.4",
     "mysql": "^2.15.0",
-    "nodemailer": "^4.4.0",
+    "namecheap": "github:joshuakarjala/node-namecheap#464a952",
+    "nodemailer": "^4.6.5",
     "nodemailer-smtp-transport": "^2.7.4",
     "oauth2orize": "^1.11.0",
     "once": "^1.3.2",
@@ -55,57 +56,46 @@
     "passport-http-bearer": "^1.0.1",
     "passport-local": "^1.0.0",
     "passport-oauth2-client-password": "^0.1.2",
-    "password-generator": "^2.2.0",
     "progress-stream": "^2.0.0",
     "proxy-middleware": "^0.15.0",
-    "recursive-readdir": "^2.2.1",
-    "request": "^2.83.0",
-    "s3-block-read-stream": "^0.2.0",
+    "qrcode": "^1.2.0",
+    "readdirp": "^2.1.0",
+    "request": "^2.87.0",
+    "rimraf": "^2.6.2",
+    "s3-block-read-stream": "^0.5.0",
     "safetydance": "^0.7.1",
-    "semver": "^5.4.1",
-    "showdown": "^1.8.2",
+    "semver": "^5.5.0",
+    "showdown": "^1.8.6",
+    "speakeasy": "^2.0.0",
     "split": "^1.0.0",
-    "superagent": "^3.8.1",
-    "supererror": "^0.7.1",
-    "tar-fs": "^1.16.0",
-    "tar-stream": "^1.5.5",
-    "tldjs": "^2.2.0",
-    "underscore": "^1.7.0",
-    "uuid": "^3.1.0",
+    "superagent": "^3.8.3",
+    "supererror": "^0.7.2",
+    "tar-fs": "^1.16.2",
+    "tar-stream": "^1.6.1",
+    "tldjs": "^2.3.1",
+    "underscore": "^1.9.1",
+    "uuid": "^3.2.1",
     "valid-url": "^1.0.9",
-    "validator": "^9.1.1",
-    "ws": "^3.3.1"
+    "validator": "^10.3.0",
+    "ws": "^5.2.0"
   },
   "devDependencies": {
-    "bootstrap-sass": "^3.3.3",
     "expect.js": "*",
-    "gulp": "^3.9.1",
-    "gulp-autoprefixer": "^4.0.0",
-    "gulp-concat": "^2.4.3",
-    "gulp-cssnano": "^2.1.0",
-    "gulp-ejs": "^3.1.0",
-    "gulp-sass": "^3.1.0",
-    "gulp-serve": "^1.0.0",
-    "gulp-sourcemaps": "^2.6.1",
-    "gulp-uglify": "^3.0.0",
     "hock": "^1.3.2",
     "istanbul": "*",
     "js2xmlparser": "^3.0.0",
-    "mocha": "*",
+    "mocha": "^5.2.0",
     "mock-aws-s3": "git+https://github.com/cloudron-io/mock-aws-s3.git",
     "nock": "^9.0.14",
-    "node-sass": "^4.6.1",
-    "readdirp": "https://registry.npmjs.org/readdirp/-/readdirp-2.1.0.tgz",
-    "yargs": "^10.0.3"
+    "node-sass": "^4.11.0",
+    "recursive-readdir": "^2.2.2",
+    "sinon": "^7.2.2"
   },
   "scripts": {
-    "migrate_local": "DATABASE_URL=mysql://root:@localhost/box node_modules/.bin/db-migrate up",
-    "migrate_test": "BOX_ENV=test DATABASE_URL=mysql://root:@localhost/boxtest node_modules/.bin/db-migrate up",
-    "test": "npm run migrate_test && src/test/setupTest && BOX_ENV=test ./node_modules/istanbul/lib/cli.js test $1 ./node_modules/mocha/bin/_mocha -- --exit -R spec ./src/test ./src/routes/test/[^a]*",
-    "test_all": "npm run migrate_test && src/test/setupTest && BOX_ENV=test ./node_modules/istanbul/lib/cli.js test $1 ./node_modules/mocha/bin/_mocha -- --exit -R spec ./src/test ./src/routes/test",
+    "test": "src/test/setupTest && BOX_ENV=test ./node_modules/istanbul/lib/cli.js test $1 ./node_modules/mocha/bin/_mocha -- --no-timeouts --exit -R spec ./src/test ./src/routes/test/[^a]*js",
     "postmerge": "/bin/true",
     "precommit": "/bin/true",
     "prepush": "npm test",
-    "webadmin": "node_modules/.bin/gulp"
+    "dashboard": "node_modules/.bin/gulp"
   }
 }

scripts/cloudron-provision

@@ -0,0 +1,106 @@
+#!/bin/bash
+
+set -eu -o pipefail
+
+readonly curl="curl --fail --connect-timeout 20 --retry 10 --retry-delay 2 --max-time 2400 --http1.1"
+
+ip=""
+dns_config=""
+tls_cert_file=""
+tls_key_file=""
+license_file=""
+backup_config=""
+
+args=$(getopt -o "" -l "ip:,backup-config:,license:,dns-config:,tls-cert:,tls-key:" -n "$0" -- "$@")
+eval set -- "${args}"
+
+while true; do
+    case "$1" in
+    --ip) ip="$2"; shift 2;;
+    --dns-config) dns_config="$2"; shift 2;;
+    --tls-cert) tls_cert_file="$2"; shift 2;;
+    --tls-key) tls_key_file="$2"; shift 2;;
+    --license) license_file="$2"; shift 2;;
+    --backup-config) backup_config="$2"; shift 2;;
+    --) break;;
+    *) echo "Unknown option $1"; exit 1;;
+    esac
+done
+
+# validate arguments in the absence of data
+if [[ -z "${ip}" ]]; then
+    echo "--ip is required"
+    exit 1
+fi
+
+if [[ -z "${dns_config}" ]]; then
+    echo "--dns-config is required"
+    exit 1
+fi
+
+if [[ ! -f "${license_file}" ]]; then
+    echo "--license must be a valid license file"
+    exit 1
+fi
+
+function get_status() {
+    key="$1"
+    if status=$($curl -q -f -k "https://${ip}/api/v1/cloudron/status" 2>/dev/null); then
+        currentValue=$(echo "${status}" | python3 -c 'import sys, json; print(json.dumps(json.load(sys.stdin)[sys.argv[1]]))' "${key}")
+        echo "${currentValue}"
+        return 0
+    fi
+
+    return 1
+}
+
+function wait_for_status() {
+    key="$1"
+    expectedValue="$2"
+
+    echo "wait_for_status: $key to be $expectedValue"
+    while true; do
+        if currentValue=$(get_status "${key}"); then
+            echo "wait_for_status: $key is current: $currentValue expecting: $expectedValue"
+            if [[ "${currentValue}" == $expectedValue ]]; then
+                break
+            fi
+        fi
+        sleep 3
+    done
+}
+
+echo "=> Waiting for cloudron to be ready"
+wait_for_status "version" '*'
+
+domain=$(echo "${dns_config}" | python3 -c 'import json,sys;obj=json.load(sys.stdin);print(obj["domain"])')
+
+echo "Provisioning Cloudron ${domain}"
+if [[ -n "${tls_cert_file}" && -n "${tls_key_file}" ]]; then
+    tls_cert=$(cat "${tls_cert_file}" | awk '{printf "%s\\n", $0}')
+    tls_key=$(cat "${tls_key_file}" | awk '{printf "%s\\n", $0}')
+    fallback_cert=$(printf '{ "cert": "%s", "key": "%s", "provider": "fallback", "restricted": true }' "${tls_cert}" "${tls_key}")
+else
+    fallback_cert=None
+fi
+
+tls_config='{ "provider": "fallback" }'
+dns_config=$(echo "${dns_config}" | python3 -c "import json,sys;obj=json.load(sys.stdin);obj.update(tlsConfig=${tls_config});obj.update(fallbackCertficate=${fallback_cert});print(json.dumps(obj))")
+
+license=$(cat "${license_file}")
+
+if [[ -z "${backup_config:-}" ]]; then
+    backup_config='{ "provider": "filesystem", "backupFolder": "/var/backups", "format": "tgz" }'
+fi
+
+setupData=$(printf '{ "dnsConfig": %s, "autoconf": { "appstoreConfig": %s, "backupConfig": %s } }' "${dns_config}" "${license}" "${backup_config}")
+
+if ! setupResult=$($curl -kq -X POST -H "Content-Type: application/json" -d "${setupData}" https://${ip}/api/v1/cloudron/setup); then
+    echo "Failed to setup with ${setupData} ${setupResult}"
+    exit 1
+fi
+
+wait_for_status "webadminStatus" '*"tls": true*'
+
+echo "Cloudron is ready at https://my-${domain}"
+

scripts/cloudron-setup

@@ -2,19 +2,8 @@
 
 set -eu -o pipefail
 
-if [[ ${EUID} -ne 0 ]]; then
-    echo "This script should be run as root." > /dev/stderr
-    exit 1
-fi
-
-if [[ $(lsb_release -rs) != "16.04" ]]; then
-    echo "Cloudron requires Ubuntu 16.04" > /dev/stderr
-    exit 1
-fi
-
 # change this to a hash when we make a upgrade release
 readonly LOG_FILE="/var/log/cloudron-setup.log"
-readonly DATA_FILE="/root/cloudron-install-data.json"
 readonly MINIMUM_DISK_SIZE_GB="18" # this is the size of "/" and required to fit in docker images 18 is a safe bet for different reporting on 20GB min
 readonly MINIMUM_MEMORY="974"      # this is mostly reported for 1GB main memory (DO 992, EC2 990, Linode 989, Serverdiscounter.com 974)
 
@@ -26,6 +15,10 @@ readonly physical_memory=$(LC_ALL=C free -m | awk '/Mem:/ { print $2 }')
 readonly disk_size_bytes=$(LC_ALL=C df --output=size / | tail -n1)
 readonly disk_size_gb=$((${disk_size_bytes}/1024/1024))
 
+readonly RED='\033[31m'
+readonly GREEN='\033[32m'
+readonly DONE='\033[m'
+
 # verify the system has minimum requirements met
 if [[ "${rootfs_type}" != "ext4" ]]; then
     echo "Error: Cloudron requires '/' to be ext4" # see #364
@@ -42,97 +35,98 @@ if [[ "${disk_size_gb}" -lt "${MINIMUM_DISK_SIZE_GB}" ]]; then
     exit 1
 fi
 
+if systemctl -q is-active box; then
+    echo "Error: Cloudron is already installed. To reinstall, start afresh"
+    exit 1
+fi
+
 initBaseImage="true"
 # provisioning data
-domain=""
-adminLocation="my"
-zoneName=""
 provider=""
-tlsProvider="le-prod"
+edition=""
 requestedVersion=""
 apiServerOrigin="https://api.cloudron.io"
 webServerOrigin="https://cloudron.io"
-dataJson=""
-prerelease="false"
 sourceTarballUrl=""
 rebootServer="true"
-baseDataDir=""
 
-# these are here for pre-1.9 compat
-encryptionKey=""
-restoreUrl=""
-
-args=$(getopt -o "" -l "domain:,help,skip-baseimage-init,data:,data-dir:,provider:,encryption-key:,restore-url:,tls-provider:,version:,dns-provider:,env:,admin-location:,prerelease,skip-reboot,source-url:" -n "$0" -- "$@")
+args=$(getopt -o "" -l "help,skip-baseimage-init,provider:,version:,env:,edition:,skip-reboot" -n "$0" -- "$@")
 eval set -- "${args}"
 
 while true; do
     case "$1" in
-    --domain) domain="$2"; shift 2;;
-    --admin-location) adminLocation="$2"; shift 2;;
     --help) echo "See https://cloudron.io/documentation/installation/ on how to install Cloudron"; exit 0;;
     --provider) provider="$2"; shift 2;;
-    --encryption-key) encryptionKey="$2"; shift 2;;
-    --restore-url) restoreUrl="$2"; shift 2;;
-    --tls-provider) tlsProvider="$2"; shift 2;;
+    --edition) edition="$2"; shift 2;;
     --version) requestedVersion="$2"; shift 2;;
     --env)
         if [[ "$2" == "dev" ]]; then
             apiServerOrigin="https://api.dev.cloudron.io"
             webServerOrigin="https://dev.cloudron.io"
-            tlsProvider="le-staging"
-            prerelease="true"
         elif [[ "$2" == "staging" ]]; then
             apiServerOrigin="https://api.staging.cloudron.io"
             webServerOrigin="https://staging.cloudron.io"
-            tlsProvider="le-staging"
-            prerelease="true"
         fi
         shift 2;;
     --skip-baseimage-init) initBaseImage="false"; shift;;
     --skip-reboot) rebootServer="false"; shift;;
-    --data) dataJson="$2"; shift 2;;
-    --prerelease) prerelease="true"; shift;;
-    --source-url) sourceTarballUrl="$2"; version="0.0.1+custom"; shift 2;;
-    --data-dir) baseDataDir=$(realpath "$2"); shift 2;;
     --) break;;
     *) echo "Unknown option $1"; exit 1;;
     esac
 done
 
+# Only --help works as non-root
+if [[ ${EUID} -ne 0 ]]; then
+    echo "This script should be run as root." > /dev/stderr
+    exit 1
+fi
+
+# Only --help works with mismatched ubuntu
+ubuntu_version=$(lsb_release -rs)
+if [[ "${ubuntu_version}" != "16.04" && "${ubuntu_version}" != "18.04" ]]; then
+    echo "Cloudron requires Ubuntu 16.04 or 18.04" > /dev/stderr
+    exit 1
+fi
+
+# Can only write after we have confirmed script has root access
+echo "Running cloudron-setup with args : $@" > "${LOG_FILE}"
+
 # validate arguments in the absence of data
-if [[ -z "${dataJson}" ]]; then
-    if [[ -z "${provider}" ]]; then
-        echo "--provider is required (azure, cloudscale.ch, digitalocean, ec2, exoscale, lightsail, linode, ovh, rosehosting, scaleway, vultr or generic)"
-        exit 1
-    elif [[  \
-                "${provider}" != "ami" && \
-                "${provider}" != "azure" && \
-                "${provider}" != "cloudscale.ch" && \
-                "${provider}" != "digitalocean" && \
-                "${provider}" != "ec2" && \
-                "${provider}" != "exoscale" && \
-                "${provider}" != "gce" && \
-                "${provider}" != "lightsail" && \
-                "${provider}" != "linode" && \
-                "${provider}" != "ovh" && \
-                "${provider}" != "rosehosting" && \
-                "${provider}" != "scaleway" && \
-                "${provider}" != "vultr" && \
-                "${provider}" != "generic" \
-            ]]; then
-        echo "--provider must be one of: azure, cloudscale.ch, digitalocean, ec2, exoscale, gce, lightsail, linode, ovh, rosehosting, scaleway, vultr or generic"
-        exit 1
-    fi
+if [[ -z "${provider}" ]]; then
+    echo "--provider is required (azure, digitalocean, ec2, exoscale, gce, hetzner, lightsail, linode, netcup, ovh, rosehosting, scaleway, vultr or generic)"
+    exit 1
+elif [[  \
+            "${provider}" != "ami" && \
+            "${provider}" != "azure" && \
+            "${provider}" != "caas" && \
+            "${provider}" != "cloudscale" && \
+            "${provider}" != "contabo" && \
+            "${provider}" != "digitalocean" && \
+            "${provider}" != "digitalocean-mp" && \
+            "${provider}" != "ec2" && \
+            "${provider}" != "exoscale" && \
+            "${provider}" != "galaxygate" && \
+            "${provider}" != "digitalocean" && \
+            "${provider}" != "gce" && \
+            "${provider}" != "hetzner" && \
+            "${provider}" != "lightsail" && \
+            "${provider}" != "linode" && \
+            "${provider}" != "linode-stackscript" && \
+            "${provider}" != "netcup" && \
+            "${provider}" != "netcup-image" && \
+            "${provider}" != "ovh" && \
+            "${provider}" != "rosehosting" && \
+            "${provider}" != "scaleway" && \
+            "${provider}" != "vultr" && \
+            "${provider}" != "generic" \
+        ]]; then
+    echo "--provider must be one of: azure, cloudscale.ch, contabo, digitalocean, ec2, exoscale, galaxygate, gce, hetzner, lightsail, linode, netcup, ovh, rosehosting, scaleway, vultr or generic"
+    exit 1
+fi
 
-    if [[ "${tlsProvider}" != "fallback" && "${tlsProvider}" != "le-prod" && "${tlsProvider}" != "le-staging" ]]; then
-        echo "--tls-provider must be one of: le-prod, le-staging, fallback"
-        exit 1
-    fi
-
-    if [[ -n "${baseDataDir}" && ! -d "${baseDataDir}" ]]; then
-        echo "${baseDataDir} does not exist"
-        exit 1
-    fi
+if [[ -n "${edition}" && ! -f "LICENSE" ]]; then
+    echo "A LICENSE is required to use this edition. Please contact support@cloudron.io"
+    exit 1
 fi
 
 echo ""
@@ -143,90 +137,49 @@ echo ""
 echo " Follow setup logs in a second terminal with:"
 echo " $ tail -f ${LOG_FILE}"
 echo ""
-echo " Join us at https://chat.cloudron.io for any questions."
+echo " Join us at https://forum.cloudron.io for any questions."
 echo ""
 
 if [[ "${initBaseImage}" == "true" ]]; then
+    echo "=> Installing software-properties-common"
+    if ! apt-get install -y software-properties-common &>> "${LOG_FILE}"; then
+        echo "Could not install software-properties-common (for add-apt-repository below). See ${LOG_FILE}"
+        exit 1
+    fi
+
+    echo "=> Ensure required apt sources"
+    if ! add-apt-repository universe &>> "${LOG_FILE}"; then
+        echo "Could not add required apt sources (for nginx-full). See ${LOG_FILE}"
+        exit 1
+    fi
+
     echo "=> Updating apt and installing script dependencies"
     if ! apt-get update &>> "${LOG_FILE}"; then
-        echo "Could not update package repositories"
+        echo "Could not update package repositories. See ${LOG_FILE}"
         exit 1
     fi
 
     if ! apt-get install curl python3 ubuntu-standard -y &>> "${LOG_FILE}"; then
-        echo "Could not install setup dependencies (curl)"
+        echo "Could not install setup dependencies (curl). See ${LOG_FILE}"
         exit 1
     fi
 fi
 
 echo "=> Checking version"
-if [[ "${sourceTarballUrl}" == "" ]]; then
-    if ! releaseJson=$($curl -s "${apiServerOrigin}/api/v1/releases?prerelease=${prerelease}&boxVersion=${requestedVersion}"); then
-        echo "Failed to get release information"
-        exit 1
-    fi
-
-    if [[ "$requestedVersion" == "" ]]; then
-        version=$(echo "${releaseJson}" | python3 -c 'import json,sys;obj=json.load(sys.stdin);print(obj["version"])')
-    else
-        version="${requestedVersion}"
-    fi
-
-    if ! sourceTarballUrl=$(echo "${releaseJson}" | python3 -c 'import json,sys;obj=json.load(sys.stdin);print(obj["info"]["sourceTarballUrl"])'); then
-        echo "No source code for version '${requestedVersion:-latest}'"
-        exit 1
-    fi
+if ! releaseJson=$($curl -s "${apiServerOrigin}/api/v1/releases?boxVersion=${requestedVersion}"); then
+    echo "Failed to get release information"
+    exit 1
 fi
 
-# Build data
-# tlsConfig, dnsConfig, backupConfig are here for backward compat with < 1.9
-# from 1.9, we use autoprovision.json
-if [[ -z "${dataJson}" ]]; then
-    if [[ -z "${restoreUrl}" ]]; then
-        data=$(cat <<EOF
-    {
-        "fqdn": "${domain}",
-        "adminLocation": "${adminLocation}",
-        "adminFqdn": "${adminLocation}.${domain}",
-        "zoneName": "${zoneName}",
-        "provider": "${provider}",
-        "apiServerOrigin": "${apiServerOrigin}",
-        "webServerOrigin": "${webServerOrigin}",
-        "version": "${version}",
-        "tlsConfig": {
-            "provider": "${tlsProvider}"
-        },
-        "backupConfig" : {
-            "provider": "filesystem",
-            "backupFolder": "/var/backups",
-            "key": "${encryptionKey}",
-            "format": "tgz",
-            "retentionSecs": 172800
-        }
-    }
-EOF
-    )
-    else
-        data=$(cat <<EOF
-    {
-        "fqdn": "${domain}",
-        "adminLocation": "${adminLocation}",
-        "adminFqdn": "${adminLocation}.${domain}",
-        "zoneName": "${zoneName}",
-        "provider": "${provider}",
-        "apiServerOrigin": "${apiServerOrigin}",
-        "webServerOrigin": "${webServerOrigin}",
-        "restore": {
-            "url": "${restoreUrl}",
-            "key": "${encryptionKey}"
-        },
-        "version": "${version}"
-    }
-EOF
-    )
-    fi
+if [[ "$requestedVersion" == "" ]]; then
+    version=$(echo "${releaseJson}" | python3 -c 'import json,sys;obj=json.load(sys.stdin);print(obj["version"])')
 else
-    data="${dataJson}"
+    version="${requestedVersion}"
+fi
+
+if ! sourceTarballUrl=$(echo "${releaseJson}" | python3 -c 'import json,sys;obj=json.load(sys.stdin);print(obj["info"]["sourceTarballUrl"])'); then
+    echo "No source code for version '${requestedVersion:-latest}'"
+    exit 1
 fi
 
 echo "=> Downloading version ${version} ..."
@@ -246,43 +199,65 @@ if [[ "${initBaseImage}" == "true" ]]; then
     echo ""
 fi
 
+# NOTE: this install script only supports 3.x and above
 echo "=> Installing version ${version} (this takes some time) ..."
-echo "${data}" > "${DATA_FILE}"
-if ! /bin/bash "${box_src_tmp_dir}/scripts/installer.sh" --data-file "${DATA_FILE}" --data-dir "${baseDataDir}" &>> "${LOG_FILE}"; then
-    echo "Failed to install cloudron. See ${LOG_FILE} for details"
-    exit 1
+if [[ "${version}" =~ 3\.[0-2]+\.[0-9]+ ]]; then
+    readonly DATA_FILE="/root/cloudron-install-data.json"
+    data=$(cat <<EOF
+{
+    "provider": "${provider}",
+    "edition": "${edition}",
+    "apiServerOrigin": "${apiServerOrigin}",
+    "webServerOrigin": "${webServerOrigin}",
+    "version": "${version}"
+}
+EOF
+)
+    echo "${data}" > "${DATA_FILE}"
+
+    if ! /bin/bash "${box_src_tmp_dir}/scripts/installer.sh" --data-file "${DATA_FILE}" &>> "${LOG_FILE}"; then
+        echo "Failed to install cloudron. See ${LOG_FILE} for details"
+        exit 1
+    fi
+
+    rm "${DATA_FILE}"
+else
+    mkdir -p /etc/cloudron
+    cat > "/etc/cloudron/cloudron.conf" <<CONF_END
+{
+    "apiServerOrigin": "${apiServerOrigin}",
+    "webServerOrigin": "${webServerOrigin}",
+    "provider": "${provider}",
+    "edition": "${edition}"
+}
+CONF_END
+
+    if ! /bin/bash "${box_src_tmp_dir}/scripts/installer.sh" &>> "${LOG_FILE}"; then
+        echo "Failed to install cloudron. See ${LOG_FILE} for details"
+        exit 1
+    fi
 fi
-rm "${DATA_FILE}"
+
+[[ -f LICENSE ]] && cp LICENSE /etc/cloudron/LICENSE
 
 echo -n "=> Waiting for cloudron to be ready (this takes some time) ..."
 while true; do
     echo -n "."
     if status=$($curl -q -f "http://localhost:3000/api/v1/cloudron/status" 2>/dev/null); then
-        [[ -z "$domain" ]] && break # with no domain, we are up and running
-        [[ "$status" == *"\"tls\": true"* ]] && break # with a domain, wait for the cert
+        break # we are up and running
     fi
     sleep 10
 done
 
-autoprovision_data=$(cat <<EOF
-{
-    "tlsConfig": {
-        "provider": "${tlsProvider}"
-    }
-}
-EOF
-)
-
-echo "${autoprovision_data}" > /home/yellowtent/configs/autoprovision.json
-
-if [[ -n "${domain}" ]]; then
-    echo -e "\n\nVisit https://my.${domain} to finish setup once the server has rebooted.\n"
-else
-    echo -e "\n\nVisit https://<IP> to finish setup once the server has rebooted.\n"
-fi
+echo -e "\n\n${GREEN}Visit https://<IP> and accept the self-signed certificate to finish setup.${DONE}\n"
 
 if [[ "${rebootServer}" == "true" ]]; then
-    echo -e "\n\nRebooting this server now to let bootloader changes take effect.\n"
-    systemctl stop mysql # sometimes mysql ends up having corrupt privilege tables
-    systemctl reboot
+    systemctl stop box mysql # sometimes mysql ends up having corrupt privilege tables
+
+    read -p "The server has to be rebooted to apply all the settings. Reboot now ? [Y/n] " yn
+    yn=${yn:-y}
+    case $yn in
+        [Yy]* ) systemctl reboot;;
+        * ) exit;;
+    esac
 fi

scripts/cloudron-support

@@ -0,0 +1,115 @@
+#!/bin/bash
+
+# This script collects diagnostic information to help debug server related issues
+# It also enables SSH access for the cloudron support team
+
+PASTEBIN="https://paste.cloudron.io"
+OUT="/tmp/cloudron-support.log"
+LINE="\n========================================================\n"
+CLOUDRON_SUPPORT_PUBLIC_KEY="ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDQVilclYAIu+ioDp/sgzzFz6YU0hPcRYY7ze/LiF/lC7uQqK062O54BFXTvQ3ehtFZCx3bNckjlT2e6gB8Qq07OM66De4/S/g+HJW4TReY2ppSPMVNag0TNGxDzVH8pPHOysAm33LqT2b6L/wEXwC6zWFXhOhHjcMqXvi8Ejaj20H1HVVcf/j8qs5Thkp9nAaFTgQTPu8pgwD8wDeYX1hc9d0PYGesTADvo6HF4hLEoEnefLw7PaStEbzk2fD3j7/g5r5HcgQQXBe74xYZ/1gWOX2pFNuRYOBSEIrNfJEjFJsqk3NR1+ZoMGK7j+AZBR4k0xbrmncQLcQzl6MMDzkp support@cloudron.io"
+HELP_MESSAGE="
+This script collects diagnostic information to help debug server related issues
+
+ Options:
+   --enable-ssh    Enable SSH access for the Cloudron support team
+   --help          Show this message
+"
+
+# We require root
+if [[ ${EUID} -ne 0 ]]; then
+    echo "This script should be run as root." > /dev/stderr
+    exit 1
+fi
+
+enableSSH="false"
+
+args=$(getopt -o "" -l "help,enable-ssh" -n "$0" -- "$@")
+eval set -- "${args}"
+
+while true; do
+    case "$1" in
+    --help) echo -e "${HELP_MESSAGE}"; exit 0;;
+    --enable-ssh) enableSSH="true"; shift;;
+    --) break;;
+    *) echo "Unknown option $1"; exit 1;;
+    esac
+done
+
+# check if at least 10mb root partition space is available
+if [[ "`df --output="avail" / | sed -n 2p`" -lt "10240" ]]; then
+    echo "No more space left on /"
+    echo "This is likely the root case of the issue. Free up some space and also check other partitions below:"
+    echo ""
+    df -h
+    echo ""
+    echo "To recover from a full disk, follow the guide at https://cloudron.io/documentation/server/#recovery-after-disk-full"
+    exit 1
+fi
+
+# check for at least 5mb free /tmp space for the log file
+if [[ "`df --output="avail" /tmp | sed -n 2p`" -lt "5120" ]]; then
+    echo "Not enough space left on /tmp"
+    echo "Free up some space first by deleting files from /tmp"
+    exit 1
+fi
+
+echo -n "Generating Cloudron Support stats..."
+
+# clear file
+rm -rf $OUT
+
+ssh_port=$(cat /etc/ssh/sshd_config | grep "Port " | sed -e "s/.*Port //")
+if [[ $SUDO_USER == "" ]]; then
+    ssh_user="root"
+    ssh_folder="/root/.ssh/"
+    authorized_key_file="${ssh_folder}/authorized_keys"
+else
+    ssh_user="$SUDO_USER"
+    ssh_folder="/home/$SUDO_USER/.ssh/"
+    authorized_key_file="${ssh_folder}/authorized_keys"
+fi
+
+echo -e $LINE"SSH"$LINE >> $OUT
+echo "Username: ${ssh_user}" >> $OUT
+echo "Port:     ${ssh_port}" >> $OUT
+
+echo -e $LINE"cloudron.conf"$LINE >> $OUT
+cat /etc/cloudron/cloudron.conf &>> $OUT
+
+echo -e $LINE"Docker container"$LINE >> $OUT
+if ! timeout --kill-after 10s 15s docker ps -a &>> $OUT 2>&1; then
+    echo -e "Docker is not responding" >> $OUT
+fi
+
+echo -e $LINE"Filesystem stats"$LINE >> $OUT
+df -h &>> $OUT
+
+echo -e $LINE"System daemon status"$LINE >> $OUT
+systemctl status --lines=100 cloudron.target box mysql unbound cloudron-syslog nginx collectd docker &>> $OUT
+
+echo -e $LINE"Box logs"$LINE >> $OUT
+tail -n 100 /home/yellowtent/platformdata/logs/box.log &>> $OUT
+
+echo -e $LINE"Firewall chains"$LINE >> $OUT
+iptables -L &>> $OUT
+
+echo "Done"
+
+echo -n "Uploading information..."
+# for some reason not using $(cat $OUT) will not contain newlines!?
+paste_key=$(curl -X POST ${PASTEBIN}/documents --silent -d "$(cat $OUT)" | python3 -c "import sys, json; print(json.load(sys.stdin)['key'])")
+echo "Done"
+
+if [[ "${enableSSH}" == "true" ]]; then
+    echo -n "Enabling ssh access for the Cloudron support team..."
+    mkdir -p "${ssh_folder}"
+    echo "${CLOUDRON_SUPPORT_PUBLIC_KEY}" >> ${authorized_key_file}
+    chown -R ${ssh_user} "${ssh_folder}"
+    chmod 600 "${authorized_key_file}"
+    echo "Done"
+fi
+
+echo ""
+echo "Please email the following link to support@cloudron.io"
+echo ""
+echo "${PASTEBIN}/${paste_key}"

scripts/createReleaseTarball

@@ -7,80 +7,78 @@ set -eu
 [[ $(uname -s) == "Darwin" ]] && GNU_GETOPT="/usr/local/opt/gnu-getopt/bin/getopt" || GNU_GETOPT="getopt"
 readonly GNU_GETOPT
 
-args=$(${GNU_GETOPT} -o "" -l "revision:,output:" -n "$0" -- "$@")
+args=$(${GNU_GETOPT} -o "" -l "output:,version:" -n "$0" -- "$@")
 eval set -- "${args}"
 
 readonly SOURCE_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
 
-commitish="HEAD"
 bundle_file=""
+version=""
 
 while true; do
     case "$1" in
-    --revision) commitish="$2"; shift 2;;
     --output) bundle_file="$2"; shift 2;;
+    --version) version="$2"; shift 2;;
     --) break;;
     *) echo "Unknown option $1"; exit 1;;
     esac
 done
 
+if [[ -z "${version}" ]]; then
+    echo "--version is required"
+    exit 1
+fi
+
 readonly TMPDIR=${TMPDIR:-/tmp} # why is this not set on mint?
 
 if ! $(cd "${SOURCE_DIR}" && git diff --exit-code >/dev/null); then
-    echo "You have local changes, stash or commit them to proceed"
+    echo "You have local changes in box, stash or commit them to proceed"
     exit 1
 fi
 
-if [[ "$(node --version)" != "v8.9.3" ]]; then
-    echo "This script requires node 8.9.3"
+if ! $(cd "${SOURCE_DIR}/../dashboard" && git diff --exit-code >/dev/null); then
+    echo "You have local changes in dashboard, stash or commit them to proceed"
     exit 1
 fi
 
-version=$(cd "${SOURCE_DIR}" && git rev-parse "${commitish}")
+if [[ "$(node --version)" != "v10.15.1" ]]; then
+    echo "This script requires node 10.15.1"
+    exit 1
+fi
+
+box_version=$(cd "${SOURCE_DIR}" && git rev-parse "HEAD")
+branch=$(git rev-parse --abbrev-ref HEAD)
+dashboard_version=$(cd "${SOURCE_DIR}/../dashboard" && git fetch && git rev-parse "${branch}")
 bundle_dir=$(mktemp -d -t box 2>/dev/null || mktemp -d box-XXXXXXXXXX --tmpdir=$TMPDIR)
-[[ -z "$bundle_file" ]] && bundle_file="${TMPDIR}/box-${version}.tar.gz"
+[[ -z "$bundle_file" ]] && bundle_file="${TMPDIR}/box-${box_version:0:10}-${dashboard_version:0:10}-${version}.tar.gz"
 
 chmod "o+rx,g+rx" "${bundle_dir}" # otherwise extracted tarball director won't be readable by others/group
-echo "Checking out code [${version}] into ${bundle_dir}"
-(cd "${SOURCE_DIR}" && git archive --format=tar ${version} | (cd "${bundle_dir}" && tar xf -))
+echo "==> Checking out code box version [${box_version}] and dashboard version [${dashboard_version}] into ${bundle_dir}"
+(cd "${SOURCE_DIR}" && git archive --format=tar ${box_version} | (cd "${bundle_dir}" && tar xf -))
+(cd "${SOURCE_DIR}/../dashboard" && git archive --format=tar ${dashboard_version} | (mkdir -p "${bundle_dir}/dashboard.build" && cd "${bundle_dir}/dashboard.build" && tar xf -))
+(cp "${SOURCE_DIR}/../dashboard/LICENSE" "${bundle_dir}")
+echo "${version}" > "${bundle_dir}/VERSION"
 
-if diff "${TMPDIR}/boxtarball.cache/package-lock.json.all" "${bundle_dir}/package-lock.json" >/dev/null 2>&1; then
-    echo "Reusing dev modules from cache"
-    cp -r "${TMPDIR}/boxtarball.cache/node_modules-all/." "${bundle_dir}/node_modules"
-else
-    echo "Installing modules with dev dependencies"
-    (cd "${bundle_dir}" && npm install)
+echo "==> Installing modules for dashboard asset generation"
+(cd "${bundle_dir}/dashboard.build" && npm install --production)
 
-    echo "Caching dev dependencies"
-    mkdir -p "${TMPDIR}/boxtarball.cache/node_modules-all"
-    rsync -a --delete "${bundle_dir}/node_modules/" "${TMPDIR}/boxtarball.cache/node_modules-all/"
-    cp "${bundle_dir}/package-lock.json" "${TMPDIR}/boxtarball.cache/package-lock.json.all"
-fi
+echo "==> Building dashboard assets"
+(cd "${bundle_dir}/dashboard.build" && ./node_modules/.bin/gulp --revision ${dashboard_version})
 
-echo "Building webadmin assets"
-(cd "${bundle_dir}" && ./node_modules/.bin/gulp)
+echo "==> Move built dashboard assets into destination"
+mkdir -p "${bundle_dir}/dashboard"
+mv "${bundle_dir}/dashboard.build/dist" "${bundle_dir}/dashboard/"
 
-echo "Remove intermediate files required at build-time only"
-rm -rf "${bundle_dir}/node_modules/"
-rm -rf "${bundle_dir}/webadmin/src"
-rm -rf "${bundle_dir}/gulpfile.js"
+echo "==> Cleanup dashboard build artifacts"
+rm -rf "${bundle_dir}/dashboard.build"
 
-if diff "${TMPDIR}/boxtarball.cache/package-lock.json.prod" "${bundle_dir}/package-lock.json" >/dev/null 2>&1; then
-    echo "Reusing prod modules from cache"
-    cp -r "${TMPDIR}/boxtarball.cache/node_modules-prod/." "${bundle_dir}/node_modules"
-else
-    echo "Installing modules for production"
-    (cd "${bundle_dir}" && npm install --production --no-optional)
+echo "==> Installing toplevel node modules"
+(cd "${bundle_dir}" && npm install --production --no-optional)
 
-    echo "Caching prod dependencies"
-    mkdir -p "${TMPDIR}/boxtarball.cache/node_modules-prod"
-    rsync -a --delete "${bundle_dir}/node_modules/" "${TMPDIR}/boxtarball.cache/node_modules-prod/"
-    cp "${bundle_dir}/package-lock.json" "${TMPDIR}/boxtarball.cache/package-lock.json.prod"
-fi
-
-echo "Create final tarball"
+echo "==> Create final tarball"
 (cd "${bundle_dir}" && tar czf "${bundle_file}" .)
-echo "Cleaning up ${bundle_dir}"
+
+echo "==> Cleaning up ${bundle_dir}"
 rm -rf "${bundle_dir}"
 
-echo "Tarball saved at ${bundle_file}"
+echo "==> Tarball saved at ${bundle_file}"

scripts/installer.sh

@@ -1,5 +1,9 @@
 #!/bin/bash
 
+# This script is run before the box code is switched. This means that we can
+# put network related/curl downloads here. If the script fails, the old code
+# will continue to run
+
 set -eu -o pipefail
 
 if [[ ${EUID} -ne 0 ]]; then
@@ -10,67 +14,57 @@ fi
 readonly USER=yellowtent
 readonly BOX_SRC_DIR=/home/${USER}/box
 readonly BASE_DATA_DIR=/home/${USER}
-readonly CLOUDRON_CONF=/home/yellowtent/configs/cloudron.conf
 
 readonly curl="curl --fail --connect-timeout 20 --retry 10 --retry-delay 2 --max-time 2400"
 readonly script_dir="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
 readonly box_src_tmp_dir="$(realpath ${script_dir}/..)"
 
-readonly is_update=$([[ -f "${CLOUDRON_CONF}" ]] && echo "yes" || echo "no")
+readonly ubuntu_version=$(lsb_release -rs)
+readonly ubuntu_codename=$(lsb_release -cs)
 
-arg_data=""
-arg_data_dir=""
-
-args=$(getopt -o "" -l "data:,data-file:,data-dir:" -n "$0" -- "$@")
-eval set -- "${args}"
-
-while true; do
-    case "$1" in
-    --data) arg_data="$2"; shift 2;;
-    --data-file) arg_data=$(cat $2); shift 2;;
-    --data-dir) arg_data_dir="$2"; shift 2;;
-    --) break;;
-    *) echo "Unknown option $1"; exit 1;;
-    esac
-done
+readonly is_update=$(systemctl is-active box && echo "yes" || echo "no")
 
 echo "==> installer: updating docker"
-if [[ $(docker version --format {{.Client.Version}}) != "17.09.0-ce" ]]; then
-    $curl -sL https://download.docker.com/linux/ubuntu/dists/xenial/pool/stable/amd64/docker-ce_17.09.0~ce-0~ubuntu_amd64.deb -o /tmp/docker.deb
+if [[ $(docker version --format {{.Client.Version}}) != "18.09.2" ]]; then
+    # there are 3 packages for docker - containerd, CLI and the daemon
+    $curl -sL "https://download.docker.com/linux/ubuntu/dists/${ubuntu_codename}/pool/stable/amd64/containerd.io_1.2.2-3_amd64.deb" -o /tmp/containerd.deb
+    $curl -sL "https://download.docker.com/linux/ubuntu/dists/${ubuntu_codename}/pool/stable/amd64/docker-ce-cli_18.09.2~3-0~ubuntu-${ubuntu_codename}_amd64.deb" -o /tmp/docker-ce-cli.deb
+    $curl -sL "https://download.docker.com/linux/ubuntu/dists/${ubuntu_codename}/pool/stable/amd64/docker-ce_18.09.2~3-0~ubuntu-${ubuntu_codename}_amd64.deb" -o /tmp/docker.deb
 
-    # https://download.docker.com/linux/ubuntu/dists/xenial/stable/binary-amd64/Packages
-    if [[ $(sha256sum /tmp/docker.deb | cut -d' ' -f1) != "d33f6eb134f0ab0876148bd96de95ea47d583d7f2cddfdc6757979453f9bd9bf" ]]; then
-        echo "docker binary download is corrupt"
-        exit 5
-    fi
-
-    echo "Waiting for all dpkg tasks to finish..."
+    echo "==> installer: Waiting for all dpkg tasks to finish..."
     while fuser /var/lib/dpkg/lock; do
         sleep 1
     done
 
     while ! dpkg --force-confold --configure -a; do
-        echo "Failed to fix packages. Retry"
+        echo "==> installer: Failed to fix packages. Retry"
         sleep 1
     done
 
-    while ! apt install -y /tmp/docker.deb; do
-        echo "Failed to install docker. Retry"
+    # the latest docker might need newer packages
+    while ! apt update -y; do
+        echo "==> installer: Failed to update packages. Retry"
         sleep 1
     done
 
-    rm /tmp/docker.deb
+    while ! apt install -y /tmp/containerd.deb  /tmp/docker-ce-cli.deb /tmp/docker.deb; do
+        echo "==> installer: Failed to install docker. Retry"
+        sleep 1
+    done
+
+    rm /tmp/containerd.deb /tmp/docker-ce-cli.deb /tmp/docker.deb
 fi
 
 echo "==> installer: updating node"
-if [[ "$(node --version)" != "v8.9.3" ]]; then
-    mkdir -p /usr/local/node-8.9.3
-    $curl -sL https://nodejs.org/dist/v8.9.3/node-v8.9.3-linux-x64.tar.gz | tar zxvf - --strip-components=1 -C /usr/local/node-8.9.3
-    ln -sf /usr/local/node-8.9.3/bin/node /usr/bin/node
-    ln -sf /usr/local/node-8.9.3/bin/npm /usr/bin/npm
-    rm -rf /usr/local/node-6.11.5
+if [[ "$(node --version)" != "v10.15.1" ]]; then
+    mkdir -p /usr/local/node-10.15.1
+    $curl -sL https://nodejs.org/dist/v10.15.1/node-v10.15.1-linux-x64.tar.gz | tar zxvf - --strip-components=1 -C /usr/local/node-10.15.1
+    ln -sf /usr/local/node-10.15.1/bin/node /usr/bin/node
+    ln -sf /usr/local/node-10.15.1/bin/npm /usr/bin/npm
+    rm -rf /usr/local/node-8.11.2 /usr/local/node-8.9.3
 fi
 
+# this is here (and not in updater.js) because rebuild requires the above node
 for try in `seq 1 10`; do
     # for reasons unknown, the dtrace package will fail. but rebuilding second time will work
 
@@ -78,32 +72,49 @@ for try in `seq 1 10`; do
     # however by default npm drops privileges for npm rebuild
     # https://docs.npmjs.com/misc/config#unsafe-perm
     if cd "${box_src_tmp_dir}" && npm rebuild --unsafe-perm; then break; fi
-    echo "Failed to rebuild, trying again"
+    echo "==> installer: Failed to rebuild, trying again"
     sleep 5
 done
 
 if [[ ${try} -eq 10 ]]; then
-    echo "npm rebuild failed"
+    echo "==> installer: npm rebuild failed, giving up"
     exit 4
 fi
 
+echo "==> installer: downloading new addon images"
+images=$(node -e "var i = require('${box_src_tmp_dir}/src/infra_version.js'); console.log(i.baseImages.map(function (x) { return x.tag; }).join(' '), Object.keys(i.images).map(function (x) { return i.images[x].tag; }).join(' '));")
+
+echo -e "\tPulling docker images: ${images}"
+for image in ${images}; do
+    if ! docker pull "${image}"; then           # this pulls the image using the sha256
+        echo "==> installer: Could not pull ${image}"
+        exit 5
+    fi
+    if ! docker pull "${image%@sha256:*}"; then  # this will tag the image for readability
+        echo "==> installer: Could not pull ${image%@sha256:*}"
+        exit 6
+   fi
+done
+
+echo "==> installer: update cloudron-syslog"
+CLOUDRON_SYSLOG_DIR=/usr/local/cloudron-syslog
+CLOUDRON_SYSLOG="${CLOUDRON_SYSLOG_DIR}/bin/cloudron-syslog"
+CLOUDRON_SYSLOG_VERSION="1.0.3"
+while [[ ! -f "${CLOUDRON_SYSLOG}" || "$(${CLOUDRON_SYSLOG} --version)" != ${CLOUDRON_SYSLOG_VERSION} ]]; do
+    rm -rf "${CLOUDRON_SYSLOG_DIR}"
+    mkdir -p "${CLOUDRON_SYSLOG_DIR}"
+    if npm install --unsafe-perm -g --prefix "${CLOUDRON_SYSLOG_DIR}" cloudron-syslog@${CLOUDRON_SYSLOG_VERSION}; then break; fi
+    echo "===> installer: Failed to install cloudron-syslog, trying again"
+    sleep 5
+done
+
 if ! id "${USER}" 2>/dev/null; then
     useradd "${USER}" -m
 fi
 
 if [[ "${is_update}" == "yes" ]]; then
-    echo "Setting up update splash screen"
-    "${box_src_tmp_dir}/setup/splashpage.sh" --data "${arg_data}" || true # show splash from new code
-    ${BOX_SRC_DIR}/setup/stop.sh # stop the old code
-fi
-
-# setup links to data directory
-if [[ -n "${arg_data_dir}" ]]; then
-    echo "==> installer: setting up links to data directory"
-    mkdir "${arg_data_dir}/appsdata"
-    ln -s "${arg_data_dir}/appsdata" "${BASE_DATA_DIR}/appsdata"
-    mkdir "${arg_data_dir}/platformdata"
-    ln -s "${arg_data_dir}/platformdata" "${BASE_DATA_DIR}/platformdata"
+    echo "==> installer: stop cloudron.target service for update"
+    ${BOX_SRC_DIR}/setup/stop.sh
 fi
 
 # ensure we are not inside the source directory, which we will remove now
@@ -115,4 +126,4 @@ mv "${box_src_tmp_dir}" "${BOX_SRC_DIR}"
 chown -R "${USER}:${USER}" "${BOX_SRC_DIR}"
 
 echo "==> installer: calling box setup script"
-"${BOX_SRC_DIR}/setup/start.sh" --data "${arg_data}"
+"${BOX_SRC_DIR}/setup/start.sh"

setup/argparser.sh

@@ -1,81 +0,0 @@
-#!/bin/bash
-
-source_dir="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
-json="${source_dir}/../node_modules/.bin/json"
-
-# IMPORTANT: Fix cloudron.js:doUpdate if you add/remove any arg. keep these sorted for readability
-arg_api_server_origin=""
-arg_fqdn=""
-arg_admin_location=""
-arg_admin_fqdn=""
-arg_zone_name=""
-arg_is_custom_domain="false" # can be removed after 1.9
-arg_retire_reason=""
-arg_retire_info=""
-arg_token=""
-arg_version=""
-arg_web_server_origin=""
-arg_provider=""
-arg_is_demo="false"
-
-args=$(getopt -o "" -l "data:,retire-reason:,retire-info:" -n "$0" -- "$@")
-eval set -- "${args}"
-
-while true; do
-    case "$1" in
-    --retire-reason)
-        arg_retire_reason="$2"
-        shift 2
-        ;;
-    --retire-info)
-        arg_retire_info="$2"
-        shift 2
-        ;;
-    --data)
-        # these params must be valid in all cases
-        arg_fqdn=$(echo "$2" | $json fqdn)
-        arg_admin_fqdn=$(echo "$2" | $json adminFqdn)
-        arg_zone_name=$(echo "$2" | $json zoneName)
-        [[ "${arg_zone_name}" == "" ]] && arg_zone_name="${arg_fqdn}"
-
-        # can be removed after 1.9
-        arg_is_custom_domain=$(echo "$2" | $json isCustomDomain)
-        [[ "${arg_is_custom_domain}" == "" ]] && arg_is_custom_domain="true"
-
-        arg_admin_location=$(echo "$2" | $json adminLocation)
-        [[ "${arg_admin_location}" == "" ]] && arg_admin_location="my"
-
-        # only update/restore have this valid (but not migrate)
-        arg_api_server_origin=$(echo "$2" | $json apiServerOrigin)
-        [[ "${arg_api_server_origin}" == "" ]] && arg_api_server_origin="https://api.cloudron.io"
-        arg_web_server_origin=$(echo "$2" | $json webServerOrigin)
-        [[ "${arg_web_server_origin}" == "" ]] && arg_web_server_origin="https://cloudron.io"
-
-        # TODO check if and where this is used
-        arg_version=$(echo "$2" | $json version)
-
-        # read possibly empty parameters here
-        arg_is_demo=$(echo "$2" | $json isDemo)
-        [[ "${arg_is_demo}" == "" ]] && arg_is_demo="false"
-
-        arg_token=$(echo "$2" | $json token)
-
-        arg_provider=$(echo "$2" | $json provider)
-        [[ "${arg_provider}" == "" ]] && arg_provider="generic"
-
-        shift 2
-        ;;
-    --) break;;
-    *) echo "Unknown option $1"; exit 1;;
-    esac
-done
-
-echo "Parsed arguments:"
-echo "api server: ${arg_api_server_origin}"
-echo "fqdn: ${arg_fqdn}"
-echo "custom domain: ${arg_is_custom_domain}"
-# do not dump these as they might become available via logs API
-#echo "token: ${arg_token}"
-echo "version: ${arg_version}"
-echo "web server: ${arg_web_server_origin}"
-echo "provider: ${arg_provider}"

setup/splashpage.sh

@@ -1,48 +0,0 @@
-#!/bin/bash
-
-set -eu -o pipefail
-
-readonly SETUP_WEBSITE_DIR="/home/yellowtent/setup/website"
-
-script_dir="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
-readonly box_src_dir="$(realpath ${script_dir}/..)"
-readonly PLATFORM_DATA_DIR="/home/yellowtent/platformdata"
-
-echo "Setting up nginx update page"
-
-if [[ ! -f "${PLATFORM_DATA_DIR}/nginx/applications/admin.conf" ]]; then
-    echo "No admin.conf found. This Cloudron has no domain yet. Skip splash setup"
-    exit
-fi
-
-source "${script_dir}/argparser.sh" "$@" # this injects the arg_* variables used below
-
-# keep this is sync with config.js appFqdn()
-admin_origin="https://${arg_admin_fqdn}"
-
-# copy the website
-rm -rf "${SETUP_WEBSITE_DIR}" && mkdir -p "${SETUP_WEBSITE_DIR}"
-cp -r "${script_dir}/splash/website/"* "${SETUP_WEBSITE_DIR}"
-
-# create nginx config
-readonly current_infra=$(node -e "console.log(require('${script_dir}/../src/infra_version.js').version);")
-existing_infra="none"
-[[ -f "${PLATFORM_DATA_DIR}/INFRA_VERSION" ]] && existing_infra=$(node -e "console.log(JSON.parse(require('fs').readFileSync('${PLATFORM_DATA_DIR}/INFRA_VERSION', 'utf8')).version);")
-if [[ "${arg_retire_reason}" != "" || "${existing_infra}" != "${current_infra}" ]]; then
-    echo "Showing progress bar on all subdomains in retired mode or infra update. retire: ${arg_retire_reason} existing: ${existing_infra} current: ${current_infra}"
-    rm -f ${PLATFORM_DATA_DIR}/nginx/applications/*
-    ${box_src_dir}/node_modules/.bin/ejs-cli -f "${script_dir}/start/nginx/appconfig.ejs" \
-        -O "{ \"vhost\": \"~^(.+)\$\", \"adminOrigin\": \"${admin_origin}\", \"endpoint\": \"splash\", \"sourceDir\": \"${SETUP_WEBSITE_DIR}\", \"certFilePath\": \"cert/host.cert\", \"keyFilePath\": \"cert/host.key\", \"xFrameOptions\": \"SAMEORIGIN\", \"robotsTxtQuoted\": null, \"hasIPv6\": false }" > "${PLATFORM_DATA_DIR}/nginx/applications/admin.conf"
-else
-    echo "Show progress bar only on admin domain for normal update"
-    ${box_src_dir}/node_modules/.bin/ejs-cli -f "${script_dir}/start/nginx/appconfig.ejs" \
-        -O "{ \"vhost\": \"${arg_admin_fqdn}\", \"adminOrigin\": \"${admin_origin}\", \"endpoint\": \"splash\", \"sourceDir\": \"${SETUP_WEBSITE_DIR}\", \"certFilePath\": \"cert/host.cert\", \"keyFilePath\": \"cert/host.key\", \"xFrameOptions\": \"SAMEORIGIN\", \"robotsTxtQuoted\": null, \"hasIPv6\": false }" > "${PLATFORM_DATA_DIR}/nginx/applications/admin.conf"
-fi
-
-if [[ "${arg_retire_reason}" == "migrate" ]]; then
-    echo "{ \"migrate\": { \"percent\": \"10\", \"message\": \"Migrating cloudron. This could take up to 15 minutes.\", \"info\": ${arg_retire_info} }, \"backup\": null, \"apiServerOrigin\": \"${arg_api_server_origin}\" }" > "${SETUP_WEBSITE_DIR}/progress.json"
-else
-    echo '{ "update": { "percent": "10", "message": "Updating cloudron software" }, "backup": null }' > "${SETUP_WEBSITE_DIR}/progress.json"
-fi
-
-nginx -s reload

setup/start.sh

@@ -2,6 +2,9 @@
 
 set -eu -o pipefail
 
+# This script is run after the box code is switched. This means that this script
+# should pretty much always succeed. No network logic/download code here.
+
 echo "==> Cloudron Start"
 
 readonly USER="yellowtent"
@@ -10,28 +13,12 @@ readonly BOX_SRC_DIR="${HOME_DIR}/box"
 readonly PLATFORM_DATA_DIR="${HOME_DIR}/platformdata" # platform data
 readonly APPS_DATA_DIR="${HOME_DIR}/appsdata" # app data
 readonly BOX_DATA_DIR="${HOME_DIR}/boxdata" # box data
-readonly CONFIG_DIR="${HOME_DIR}/configs"
-readonly SETUP_PROGRESS_JSON="${HOME_DIR}/setup/website/progress.json"
-
-readonly curl="curl --fail --connect-timeout 20 --retry 10 --retry-delay 2 --max-time 2400"
 
 readonly script_dir="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+readonly json="$(realpath ${script_dir}/../node_modules/.bin/json)"
+readonly ubuntu_version=$(lsb_release -rs)
 
-source "${script_dir}/argparser.sh" "$@" # this injects the arg_* variables used below
-
-set_progress() {
-    local percent="$1"
-    local message="$2"
-
-    echo "==> ${percent} - ${message}"
-    (echo "{ \"update\": { \"percent\": \"${percent}\", \"message\": \"${message}\" }, \"backup\": {} }" > "${SETUP_PROGRESS_JSON}") 2> /dev/null || true # as this will fail in non-update mode
-}
-
-set_progress "20" "Configuring host"
-sed -e 's/^#NTP=/NTP=0.ubuntu.pool.ntp.org 1.ubuntu.pool.ntp.org 2.ubuntu.pool.ntp.org 3.ubuntu.pool.ntp.org/' -i /etc/systemd/timesyncd.conf
-timedatectl set-ntp 1
-timedatectl set-timezone UTC
-hostnamectl set-hostname "${arg_fqdn}"
+cp -f "${script_dir}/../scripts/cloudron-support" /usr/bin/cloudron-support
 
 echo "==> Configuring docker"
 cp "${script_dir}/start/docker-cloudron-app.apparmor" /etc/apparmor.d/docker-cloudron-app
@@ -57,19 +44,6 @@ if [[ ! -f /etc/systemd/system/docker.service.d/cloudron.conf ]] || ! diff -q /e
 fi
 docker network create --subnet=172.18.0.0/16 cloudron || true
 
-# caas has ssh on port 202 and we disable password login
-if [[ "${arg_provider}" == "caas" ]]; then
-    # https://stackoverflow.com/questions/4348166/using-with-sed on why ? must be escaped
-    sed -e 's/^#\?PermitRootLogin .*/PermitRootLogin without-password/g' \
-        -e 's/^#\?PermitEmptyPasswords .*/PermitEmptyPasswords no/g' \
-        -e 's/^#\?PasswordAuthentication .*/PasswordAuthentication no/g' \
-        -e 's/^#\?Port .*/Port 202/g' \
-        -i /etc/ssh/sshd_config
-
-    # required so we can connect to this machine since port 22 is blocked by iptables by now
-    systemctl reload sshd
-fi
-
 mkdir -p "${BOX_DATA_DIR}"
 mkdir -p "${APPS_DATA_DIR}"
 
@@ -80,11 +54,17 @@ mkdir -p "${PLATFORM_DATA_DIR}/graphite"
 mkdir -p "${PLATFORM_DATA_DIR}/mysql"
 mkdir -p "${PLATFORM_DATA_DIR}/postgresql"
 mkdir -p "${PLATFORM_DATA_DIR}/mongodb"
+mkdir -p "${PLATFORM_DATA_DIR}/redis"
 mkdir -p "${PLATFORM_DATA_DIR}/addons/mail"
 mkdir -p "${PLATFORM_DATA_DIR}/collectd/collectd.conf.d"
 mkdir -p "${PLATFORM_DATA_DIR}/logrotate.d"
 mkdir -p "${PLATFORM_DATA_DIR}/acme"
 mkdir -p "${PLATFORM_DATA_DIR}/backup"
+mkdir -p "${PLATFORM_DATA_DIR}/logs/backup" \
+         "${PLATFORM_DATA_DIR}/logs/updater" \
+         "${PLATFORM_DATA_DIR}/logs/tasks" \
+         "${PLATFORM_DATA_DIR}/logs/crash"
+mkdir -p "${PLATFORM_DATA_DIR}/update"
 
 mkdir -p "${BOX_DATA_DIR}/appicons"
 mkdir -p "${BOX_DATA_DIR}/certs"
@@ -113,22 +93,22 @@ systemctl daemon-reload
 systemctl restart systemd-journald
 setfacl -n -m u:${USER}:r /var/log/journal/*/system.journal
 
-echo "==> Creating config directory"
-rm -rf "${CONFIG_DIR}" && mkdir "${CONFIG_DIR}"
-
 echo "==> Setting up unbound"
 # DO uses Google nameservers by default. This causes RBL queries to fail (host 2.0.0.127.zen.spamhaus.org)
 # We do not use dnsmasq because it is not a recursive resolver and defaults to the value in the interfaces file (which is Google DNS!)
 # We listen on 0.0.0.0 because there is no way control ordering of docker (which creates the 172.18.0.0/16) and unbound
-# If IP6 is not enabled, dns queries seem to fail on some hosts
-echo -e "server:\n\tinterface: 0.0.0.0\n\tdo-ip6: yes\n\taccess-control: 127.0.0.1 allow\n\taccess-control: 172.18.0.1/16 allow\n\tcache-max-negative-ttl: 30\n\tcache-max-ttl: 300\n\t#logfile: /var/log/unbound.log\n\t#verbosity: 10" > /etc/unbound/unbound.conf.d/cloudron-network.conf
+# If IP6 is not enabled, dns queries seem to fail on some hosts. -s returns false if file missing or 0 size
+ip6=$([[ -s /proc/net/if_inet6 ]] && echo "yes" || echo "no")
+echo -e "server:\n\tinterface: 0.0.0.0\n\tdo-ip6: ${ip6}\n\taccess-control: 127.0.0.1 allow\n\taccess-control: 172.18.0.1/16 allow\n\tcache-max-negative-ttl: 30\n\tcache-max-ttl: 300\n\t#logfile: /var/log/unbound.log\n\t#verbosity: 10" > /etc/unbound/unbound.conf.d/cloudron-network.conf
 # update the root anchor after a out-of-disk-space situation (see #269)
 unbound-anchor -a /var/lib/unbound/root.key
 
 echo "==> Adding systemd services"
 cp -r "${script_dir}/start/systemd/." /etc/systemd/system/
+[[ "${ubuntu_version}" == "16.04" ]] && sed -e 's/MemoryMax/MemoryLimit/g' -i /etc/systemd/system/box.service
 systemctl daemon-reload
 systemctl enable unbound
+systemctl enable cloudron-syslog
 systemctl enable cloudron.target
 systemctl enable cloudron-firewall
 
@@ -141,6 +121,9 @@ systemctl enable --now cron
 # ensure unbound runs
 systemctl restart unbound
 
+# ensure cloudron-syslog runs
+systemctl restart cloudron-syslog
+
 echo "==> Configuring sudoers"
 rm -f /etc/sudoers.d/${USER}
 cp "${script_dir}/start/sudoers" /etc/sudoers.d/${USER}
@@ -155,6 +138,9 @@ echo "==> Configuring logrotate"
 if ! grep -q "^include ${PLATFORM_DATA_DIR}/logrotate.d" /etc/logrotate.conf; then
     echo -e "\ninclude ${PLATFORM_DATA_DIR}/logrotate.d\n" >> /etc/logrotate.conf
 fi
+cp "${script_dir}/start/logrotate/"* "${PLATFORM_DATA_DIR}/logrotate.d/"
+rm -f "${PLATFORM_DATA_DIR}/logrotate.d/box-logrotate" "${PLATFORM_DATA_DIR}/logrotate.d/app-logrotate" # remove pre 3.6 config files
+chown root:root "${PLATFORM_DATA_DIR}/logrotate.d/"
 
 echo "==> Adding motd message for admins"
 cp "${script_dir}/start/cloudron-motd" /etc/update-motd.d/92-cloudron
@@ -174,9 +160,6 @@ if ! grep -q "^Restart=" /etc/systemd/system/multi-user.target.wants/nginx.servi
 fi
 systemctl start nginx
 
-# bookkeep the version as part of data
-echo "{ \"version\": \"${arg_version}\", \"apiServerOrigin\": \"${arg_api_server_origin}\" }" > "${BOX_DATA_DIR}/version"
-
 # restart mysql to make sure it has latest config
 if [[ ! -f /etc/mysql/mysql.cnf ]] || ! diff -q "${script_dir}/start/mysql.cnf" /etc/mysql/mysql.cnf >/dev/null; then
     # wait for all running mysql jobs
@@ -199,42 +182,8 @@ readonly mysql_root_password="password"
 mysqladmin -u root -ppassword password password # reset default root password
 mysql -u root -p${mysql_root_password} -e 'CREATE DATABASE IF NOT EXISTS box'
 
-set_progress "40" "Migrating data"
-sudo -u "${USER}" -H bash <<EOF
-set -eu
-cd "${BOX_SRC_DIR}"
-BOX_ENV=cloudron DATABASE_URL=mysql://root:${mysql_root_password}@127.0.0.1/box "${BOX_SRC_DIR}/node_modules/.bin/db-migrate" up
-EOF
-
-if [[ -z "${arg_admin_fqdn:-}" ]]; then
-    # can be removed after 1.9
-    admin_fqdn=$([[ "${arg_is_custom_domain}" == "true" ]] && echo "${arg_admin_location}.${arg_fqdn}" ||  echo "${arg_admin_location}-${arg_fqdn}")
-else
-    admin_fqdn="${arg_admin_fqdn}"
-fi
-
-echo "==> Creating cloudron.conf"
-cat > "${CONFIG_DIR}/cloudron.conf" <<CONF_END
-{
-    "version": "${arg_version}",
-    "token": "${arg_token}",
-    "apiServerOrigin": "${arg_api_server_origin}",
-    "webServerOrigin": "${arg_web_server_origin}",
-    "fqdn": "${arg_fqdn}",
-    "adminFqdn": "${admin_fqdn}",
-    "adminLocation": "${arg_admin_location}",
-    "zoneName": "${arg_zone_name}",
-    "provider": "${arg_provider}",
-    "isDemo": ${arg_is_demo}
-}
-CONF_END
-
-echo "==> Creating config.json for webadmin"
-cat > "${BOX_SRC_DIR}/webadmin/dist/config.json" <<CONF_END
-{
-    "webServerOrigin": "${arg_web_server_origin}"
-}
-CONF_END
+echo "==> Migrating data"
+(cd "${BOX_SRC_DIR}" && BOX_ENV=cloudron DATABASE_URL=mysql://root:${mysql_root_password}@127.0.0.1/box "${BOX_SRC_DIR}/node_modules/.bin/db-migrate" up)
 
 if [[ ! -f "${BOX_DATA_DIR}/dhparams.pem" ]]; then
     echo "==> Generating dhparams (takes forever)"
@@ -245,10 +194,15 @@ else
 fi
 
 echo "==> Changing ownership"
-chown "${USER}:${USER}" -R "${CONFIG_DIR}"
-chown "${USER}:${USER}" -R "${PLATFORM_DATA_DIR}/nginx" "${PLATFORM_DATA_DIR}/collectd" "${PLATFORM_DATA_DIR}/logrotate.d" "${PLATFORM_DATA_DIR}/addons" "${PLATFORM_DATA_DIR}/acme" "${PLATFORM_DATA_DIR}/backup"
+# be careful of what is chown'ed here. subdirs like mysql,redis etc are owned by the containers and will stop working if perms change
+chown -R "${USER}" /etc/cloudron
+chown "${USER}:${USER}" -R "${PLATFORM_DATA_DIR}/nginx" "${PLATFORM_DATA_DIR}/collectd" "${PLATFORM_DATA_DIR}/addons" "${PLATFORM_DATA_DIR}/acme" "${PLATFORM_DATA_DIR}/backup" "${PLATFORM_DATA_DIR}/logs" "${PLATFORM_DATA_DIR}/update"
 chown "${USER}:${USER}" "${PLATFORM_DATA_DIR}/INFRA_VERSION" 2>/dev/null || true
 chown "${USER}:${USER}" "${PLATFORM_DATA_DIR}"
+chown "${USER}:${USER}" "${APPS_DATA_DIR}"
+
+# logrotate files have to be owned by root, this is here to fixup existing installations where we were resetting the owner to yellowtent
+chown root:root -R "${PLATFORM_DATA_DIR}/logrotate.d"
 
 # do not chown the boxdata/mail directory; dovecot gets upset
 chown "${USER}:${USER}" "${BOX_DATA_DIR}"
@@ -256,9 +210,9 @@ find "${BOX_DATA_DIR}" -mindepth 1 -maxdepth 1 -not -path "${BOX_DATA_DIR}/mail"
 chown "${USER}:${USER}" "${BOX_DATA_DIR}/mail"
 chown "${USER}:${USER}" -R "${BOX_DATA_DIR}/mail/dkim" # this is owned by box currently since it generates the keys
 
-set_progress "60" "Starting Cloudron"
+echo "==> Starting Cloudron"
 systemctl start cloudron.target
 
 sleep 2 # give systemd sometime to start the processes
 
-set_progress "90" "Almost done"
+echo "==> Almost done"

setup/start/cloudron-motd

@@ -1,15 +1,29 @@
-#!/bin/sh
-# motd hook to remind admins about updates
-printf "\t\t\tNOTE TO CLOUDRON ADMINS\n"
-printf "\t\t\t-----------------------\n"
-printf "Please do not run apt upgrade manually as it will update packages that\n"
-printf "Cloudron relies on and may break your installation. Ubuntu security updates\n"
-printf "are automatically installed on this server every night.\n"
-printf "\n"
-printf "Read more at https://cloudron.io/documentation/security/#os-updates\n"
+#!/bin/bash
 
-if grep -q "^PasswordAuthentication yes" /etc/ssh/sshd_config; then
-    printf "\nPlease disable password based SSH access to secure your server. Read more at\n"
-    printf "https://cloudron.io/documentation/security/#securing-ssh-access\n"
+printf "**********************************************************************\n\n"
+
+if [[ -z "$(ls -A /home/yellowtent/boxdata/mail/dkim)" ]]; then
+    printf "\t\t\tWELCOME TO CLOUDRON\n"
+    printf "\t\t\t-------------------\n"
+
+    printf '\n\e[1;32m%-6s\e[m\n\n' "Visit https://<IP> on your browser and accept the self-signed certificate to finish setup."
+    printf "Cloudron overview - https://cloudron.io/documentation/ \n"
+    printf "Cloudron setup - https://cloudron.io/documentation/installation/#setup \n"
+else
+    printf "\t\t\tNOTE TO CLOUDRON ADMINS\n"
+    printf "\t\t\t-----------------------\n"
+    printf "Please do not run apt upgrade manually as it will update packages that\n"
+    printf "Cloudron relies on and may break your installation. Ubuntu security updates\n"
+    printf "are automatically installed on this server every night.\n"
+    printf "\n"
+    printf "Read more at https://cloudron.io/documentation/security/#os-updates\n"
+
+    if grep -q "^PasswordAuthentication yes" /etc/ssh/sshd_config; then
+        printf "\nPlease disable password based SSH access to secure your server. Read more at\n"
+        printf "https://cloudron.io/documentation/security/#securing-ssh-access\n"
+    fi
 fi
 
+printf "\nFor help and more information, visit https://forum.cloudron.io\n\n"
+
+printf "**********************************************************************\n"

setup/start/logrotate/app

@@ -0,0 +1,10 @@
+# logrotate config for app and crash logs
+
+/home/yellowtent/platformdata/logs/*/*.log {
+    # only keep one rotated file, we currently do not send that over the api
+    rotate 1
+    size 10M
+    # we never compress so we can simply tail the files
+    nocompress
+    copytruncate
+}

setup/start/logrotate/box

@@ -0,0 +1,9 @@
+# logrotate config for box logs
+
+/home/yellowtent/platformdata/logs/box.log {
+    rotate 10
+    size 10M
+    # we never compress so we can simply tail the files
+    nocompress
+    copytruncate
+}

setup/start/sudoers

@@ -1,11 +1,17 @@
 # sudo logging breaks journalctl output with very long urls (systemd bug)
 Defaults !syslog
 
-Defaults!/home/yellowtent/box/src/scripts/createappdir.sh env_keep="HOME BOX_ENV"
-yellowtent ALL=(root) NOPASSWD: /home/yellowtent/box/src/scripts/createappdir.sh
+Defaults!/home/yellowtent/box/src/scripts/clearvolume.sh env_keep="HOME BOX_ENV"
+yellowtent ALL=(root) NOPASSWD: /home/yellowtent/box/src/scripts/clearvolume.sh
 
-Defaults!/home/yellowtent/box/src/scripts/rmappdir.sh env_keep="HOME BOX_ENV"
-yellowtent ALL=(root) NOPASSWD: /home/yellowtent/box/src/scripts/rmappdir.sh
+Defaults!/home/yellowtent/box/src/scripts/mvvolume.sh env_keep="HOME BOX_ENV"
+yellowtent ALL=(root) NOPASSWD: /home/yellowtent/box/src/scripts/mvvolume.sh
+
+Defaults!/home/yellowtent/box/src/scripts/mkdirvolume.sh env_keep="HOME BOX_ENV"
+yellowtent ALL=(root) NOPASSWD: /home/yellowtent/box/src/scripts/mkdirvolume.sh
+
+Defaults!/home/yellowtent/box/src/scripts/rmaddondir.sh env_keep="HOME BOX_ENV"
+yellowtent ALL=(root) NOPASSWD: /home/yellowtent/box/src/scripts/rmaddondir.sh
 
 Defaults!/home/yellowtent/box/src/scripts/reloadnginx.sh env_keep="HOME BOX_ENV"
 yellowtent ALL=(root) NOPASSWD: /home/yellowtent/box/src/scripts/reloadnginx.sh
@@ -25,15 +31,21 @@ yellowtent ALL=(root) NOPASSWD: /home/yellowtent/box/src/scripts/retire.sh
 Defaults!/home/yellowtent/box/src/scripts/update.sh env_keep="HOME BOX_ENV"
 yellowtent ALL=(root) NOPASSWD: /home/yellowtent/box/src/scripts/update.sh
 
-Defaults!/home/yellowtent/box/src/scripts/authorized_keys.sh env_keep="HOME BOX_ENV"
-yellowtent ALL=(root) NOPASSWD: /home/yellowtent/box/src/scripts/authorized_keys.sh
+Defaults!/home/yellowtent/box/src/scripts/remotesupport.sh env_keep="HOME BOX_ENV"
+yellowtent ALL=(root) NOPASSWD: /home/yellowtent/box/src/scripts/remotesupport.sh
 
 Defaults!/home/yellowtent/box/src/scripts/configurelogrotate.sh env_keep="HOME BOX_ENV"
 yellowtent ALL=(root) NOPASSWD: /home/yellowtent/box/src/scripts/configurelogrotate.sh
 
-Defaults!/home/yellowtent/box/src/backuptask.js env_keep="HOME BOX_ENV"
-yellowtent ALL=(root) NOPASSWD:SETENV: /home/yellowtent/box/src/backuptask.js
+Defaults!/home/yellowtent/box/src/scripts/backupupload.js env_keep="HOME BOX_ENV"
+Defaults!/home/yellowtent/box/src/scripts/backupupload.js closefrom_override
+yellowtent ALL=(root) NOPASSWD:SETENV: /home/yellowtent/box/src/scripts/backupupload.js
 
 Defaults!/home/yellowtent/box/src/scripts/restart.sh env_keep="HOME BOX_ENV"
 yellowtent ALL=(root) NOPASSWD: /home/yellowtent/box/src/scripts/restart.sh
 
+Defaults!/home/yellowtent/box/src/scripts/restartdocker.sh env_keep="HOME BOX_ENV"
+yellowtent ALL=(root) NOPASSWD: /home/yellowtent/box/src/scripts/restartdocker.sh
+
+Defaults!/home/yellowtent/box/src/scripts/restartunbound.sh env_keep="HOME BOX_ENV"
+yellowtent ALL=(root) NOPASSWD: /home/yellowtent/box/src/scripts/restartunbound.sh

setup/start/systemd/box.service

@@ -12,13 +12,17 @@ Wants=cloudron-resize-fs.service
 Type=idle
 WorkingDirectory=/home/yellowtent/box
 Restart=always
-ExecStart=/usr/bin/node --max_old_space_size=150 /home/yellowtent/box/box.js
+; Systemd does not append logs when logging to files, we spawn a shell first and exec to replace it after setting up the pipes
+ExecStart=/bin/sh -c 'echo "Logging to /home/yellowtent/platformdata/logs/box.log"; exec /usr/bin/node --max_old_space_size=150 /home/yellowtent/box/box.js >> /home/yellowtent/platformdata/logs/box.log 2>&1'
 Environment="HOME=/home/yellowtent" "USER=yellowtent" "DEBUG=box*,connect-lastmile" "BOX_ENV=cloudron" "NODE_ENV=production"
 ; kill apptask processes as well
 KillMode=control-group
+; Do not kill this process on OOM. Children inherit this score. Do not set it to -1000 so that MemoryMax can keep working
+OOMScoreAdjust=-999
 User=yellowtent
 Group=yellowtent
-MemoryLimit=200M
+; OOM killer is invoked in this unit beyond this. The start script replaces this with MemoryLimit for Ubuntu 16
+MemoryMax=400M
 TimeoutStopSec=5s
 StartLimitInterval=1
 StartLimitBurst=60

setup/start/systemd/cloudron-syslog.service

@@ -0,0 +1,14 @@
+[Unit]
+Description=Cloudron Syslog
+After=network.target
+
+[Service]
+ExecStart=/usr/local/cloudron-syslog/bin/cloudron-syslog --port 2514 --logdir /home/yellowtent/platformdata/logs
+WorkingDirectory=/usr/local/cloudron-syslog
+Environment="NODE_ENV=production"
+Restart=always
+User=yellowtent
+Group=yellowtent
+
+[Install]
+WantedBy=multi-user.target

src/accesscontrol.js

@@ -0,0 +1,142 @@
+'use strict';
+
+exports = module.exports = {
+    SCOPE_APPS_READ: 'apps:read',
+    SCOPE_APPS_MANAGE: 'apps:manage',
+    SCOPE_CLIENTS: 'clients',
+    SCOPE_CLOUDRON: 'cloudron',
+    SCOPE_DOMAINS_READ: 'domains:read',
+    SCOPE_DOMAINS_MANAGE: 'domains:manage',
+    SCOPE_MAIL: 'mail',
+    SCOPE_PROFILE: 'profile',
+    SCOPE_SETTINGS: 'settings',
+    SCOPE_USERS_READ: 'users:read',
+    SCOPE_USERS_MANAGE: 'users:manage',
+    VALID_SCOPES: [ 'apps', 'clients', 'cloudron', 'domains', 'mail', 'profile', 'settings', 'users' ], // keep this sorted
+
+    SCOPE_ANY: '*',
+
+    validateScopeString: validateScopeString,
+    hasScopes: hasScopes,
+    canonicalScopeString: canonicalScopeString,
+    intersectScopes: intersectScopes,
+    validateToken: validateToken,
+    scopesForUser: scopesForUser
+};
+
+var assert = require('assert'),
+    config = require('./config.js'),
+    DatabaseError = require('./databaseerror.js'),
+    debug = require('debug')('box:accesscontrol'),
+    tokendb = require('./tokendb.js'),
+    users = require('./users.js'),
+    UsersError = users.UsersError,
+    _ = require('underscore');
+
+// returns scopes that does not have wildcards and is sorted
+function canonicalScopeString(scope) {
+    if (scope === exports.SCOPE_ANY) return exports.VALID_SCOPES.join(',');
+
+    return scope.split(',').sort().join(',');
+}
+
+function intersectScopes(allowedScopes, wantedScopes) {
+    assert(Array.isArray(allowedScopes), 'Expecting sorted array');
+    assert(Array.isArray(wantedScopes), 'Expecting sorted array');
+
+    if (_.isEqual(allowedScopes, wantedScopes)) return allowedScopes; // quick path
+
+    let wantedScopesMap = new Map();
+    let results = [];
+
+    // make a map of scope -> [ subscopes ]
+    for (let w of wantedScopes) {
+        let parts = w.split(':');
+        let subscopes = wantedScopesMap.get(parts[0]) || new Set();
+        subscopes.add(parts[1] || '*');
+        wantedScopesMap.set(parts[0], subscopes);
+    }
+
+    for (let a of allowedScopes) {
+        let parts = a.split(':');
+        let as = parts[1] || '*';
+
+        let subscopes = wantedScopesMap.get(parts[0]);
+        if (!subscopes) continue;
+
+        if (subscopes.has('*') || subscopes.has(as)) {
+            results.push(a);
+        } else if (as === '*') {
+            results = results.concat(Array.from(subscopes).map(function (ss) { return `${a}:${ss}`; }));
+        }
+    }
+
+    return results;
+}
+
+function validateScopeString(scope) {
+    assert.strictEqual(typeof scope, 'string');
+
+    if (scope === '') return new Error('Empty scope not allowed');
+
+    // NOTE: this function intentionally does not allow '*'. This is only allowed in the db to allow
+    // us not write a migration script every time we add a new scope
+    var allValid = scope.split(',').every(function (s) { return exports.VALID_SCOPES.indexOf(s.split(':')[0]) !== -1; });
+    if (!allValid) return new Error('Invalid scope. Available scopes are ' + exports.VALID_SCOPES.join(', '));
+
+    return null;
+}
+
+// tests if all requiredScopes are attached to the request
+function hasScopes(authorizedScopes, requiredScopes) {
+    assert(Array.isArray(authorizedScopes), 'Expecting array');
+    assert(Array.isArray(requiredScopes), 'Expecting array');
+
+    if (authorizedScopes.indexOf(exports.SCOPE_ANY) !== -1) return null;
+
+    for (var i = 0; i < requiredScopes.length; ++i) {
+        const scopeParts = requiredScopes[i].split(':');
+
+        // this allows apps:write if the token has a higher apps scope
+        if (authorizedScopes.indexOf(requiredScopes[i]) === -1 && authorizedScopes.indexOf(scopeParts[0]) === -1) {
+            debug('scope: missing scope "%s".', requiredScopes[i]);
+            return new Error('Missing required scope "' + requiredScopes[i] + '"');
+        }
+    }
+
+    return null;
+}
+
+function scopesForUser(user, callback) {
+    assert.strictEqual(typeof user, 'object');
+    assert.strictEqual(typeof callback, 'function');
+
+    if (user.admin) return callback(null, exports.VALID_SCOPES);
+
+    callback(null, config.isSpacesEnabled() ? [ 'profile', 'apps', 'domains:read', 'users:read' ] : [ 'profile', 'apps:read' ]);
+}
+
+function validateToken(accessToken, callback) {
+    assert.strictEqual(typeof accessToken, 'string');
+    assert.strictEqual(typeof callback, 'function');
+
+    tokendb.getByAccessToken(accessToken, function (error, token) {
+        if (error && error.reason === DatabaseError.NOT_FOUND) return callback(null, null /* user */, 'Invalid Token'); // will end up as a 401
+        if (error) return callback(error); // this triggers 'internal error' in passport
+
+        users.get(token.identifier, function (error, user) {
+            if (error && error.reason === UsersError.NOT_FOUND) return callback(null, null /* user */, 'Invalid Token'); // will end up as a 401
+            if (error) return callback(error);
+
+            scopesForUser(user, function (error, userScopes) {
+                if (error) return callback(error);
+
+                var authorizedScopes = intersectScopes(userScopes, token.scope.split(','));
+                const skipPasswordVerification = token.clientId === 'cid-sdk' || token.clientId === 'cid-cli'; // these clients do not require password checks unlike UI
+                var info = { authorizedScopes: authorizedScopes, skipPasswordVerification: skipPasswordVerification }; // ends up in req.authInfo
+
+                callback(null, user, info);
+            });
+        });
+    });
+}

src/appconfig.ejs

@@ -66,8 +66,9 @@ server {
     # https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
     ssl_prefer_server_ciphers on;
     ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # don't use SSLv3 ref: POODLE
-    # ciphers according to https://weakdh.org/sysadmin.html
-    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
+
+    # ciphers according to https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=nginx-1.10.3&openssl=1.0.2g&hsts=yes&profile=modern
+    ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
     ssl_dhparam /home/yellowtent/boxdata/dhparams.pem;
     add_header Strict-Transport-Security "max-age=15768000";
 
@@ -89,6 +90,19 @@ server {
     add_header Referrer-Policy "no-referrer-when-downgrade";
     proxy_hide_header Referrer-Policy;
 
+    # gzip responses that are > 50k and not images
+    gzip on;
+    gzip_min_length 50k;
+    gzip_types text/css text/javascript text/xml text/plain application/javascript application/x-javascript application/json;
+
+    # enable for proxied requests as well
+    gzip_proxied any;
+
+<% if ( endpoint === 'admin' ) { -%>
+    # CSP headers for the admin/dashboard resources
+    add_header Content-Security-Policy "default-src 'none'; connect-src wss: https: 'self' *.cloudron.io; script-src https: 'self' 'unsafe-inline' 'unsafe-eval'; img-src * data:; style-src https: 'unsafe-inline'; object-src 'none'; font-src https: 'self'; frame-ancestors 'none'; base-uri 'none'; form-action 'self';";
+<% } -%>
+
     proxy_http_version 1.1;
     proxy_intercept_errors on;
     proxy_read_timeout       3500;
@@ -106,7 +120,7 @@ server {
     proxy_set_header Connection $connection_upgrade;
 
     # only serve up the status page if we get proxy gateway errors
-    root <%= sourceDir %>/webadmin/dist;
+    root <%= sourceDir %>/dashboard/dist;
     error_page 502 503 504 /appstatus.html;
     location /appstatus.html {
         internal;
@@ -154,51 +168,22 @@ server {
         }
 
         # graphite paths (uncomment block below and visit /graphite/index.html)
+        # remember to comment out the CSP policy as well to access the graphite dashboard
         # location ~ ^/(graphite|content|metrics|dashboard|render|browser|composer)/ {
-        #     proxy_pass   http://127.0.0.1:8000;
+        #     proxy_pass   http://127.0.0.1:8417;
         #     client_max_body_size 1m;
         # }
 
         location / {
-            root   <%= sourceDir %>/webadmin/dist;
+            root   <%= sourceDir %>/dashboard/dist;
             index  index.html index.htm;
         }
 <% } else if ( endpoint === 'app' ) { %>
         proxy_pass http://127.0.0.1:<%= port %>;
-<% } else if ( endpoint === 'splash' ) { %>
-        root   <%= sourceDir %>;
-
-        error_page 503 /update.html;
-
-        location /update.html {
-            add_header Cache-Control no-cache;
-        }
-
-        location /theme.css {
-            add_header Cache-Control no-cache;
-        }
-
-        location /3rdparty/ {
-            add_header Cache-Control no-cache;
-        }
-
-        location /js/ {
-            add_header Cache-Control no-cache;
-        }
-
-        location /progress.json {
-            add_header Cache-Control no-cache;
-        }
-
-        location /api/v1/cloudron/progress {
-            add_header Cache-Control no-cache;
-            default_type application/json;
-            alias <%= sourceDir %>/progress.json;
-        }
-
-        location / {
-            return 503;
-        }
+<% } else if ( endpoint === 'redirect' ) { %>
+        # redirect everything to the app. this is temporary because there is no way
+        # to clear a permanent redirect on the browser
+        return 302 https://<%= redirectTo %>$request_uri;
 <% } %>
     }
 }

src/appdb.js

@@ -18,12 +18,16 @@ exports = module.exports = {
     getAddonConfigByName: getAddonConfigByName,
     unsetAddonConfig: unsetAddonConfig,
     unsetAddonConfigByAppId: unsetAddonConfigByAppId,
+    getAppIdByAddonConfigValue: getAppIdByAddonConfigValue,
 
     setHealth: setHealth,
     setInstallationCommand: setInstallationCommand,
     setRunCommand: setRunCommand,
     getAppStoreIds: getAppStoreIds,
 
+    setOwner: setOwner,
+    transferOwnership: transferOwnership,
+
     // installation codes (keep in sync in UI)
     ISTATE_PENDING_INSTALL: 'pending_install', // installs and fresh reinstalls
     ISTATE_PENDING_CLONE: 'pending_clone', // clone
@@ -39,7 +43,7 @@ exports = module.exports = {
     RSTATE_RUNNING: 'running',
     RSTATE_PENDING_START: 'pending_start',
     RSTATE_PENDING_STOP: 'pending_stop',
-    RSTATE_STOPPED: 'stopped', // app stopped by use
+    RSTATE_STOPPED: 'stopped', // app stopped by us
 
     // run codes (keep in sync in UI)
     HEALTH_HEALTHY: 'healthy',
@@ -47,6 +51,10 @@ exports = module.exports = {
     HEALTH_ERROR: 'error',
     HEALTH_DEAD: 'dead',
 
+    // subdomain table types
+    SUBDOMAIN_TYPE_PRIMARY: 'primary',
+    SUBDOMAIN_TYPE_REDIRECT: 'redirect',
+
     _clear: clear
 };
 
@@ -54,17 +62,19 @@ var assert = require('assert'),
     async = require('async'),
     database = require('./database.js'),
     DatabaseError = require('./databaseerror'),
-    mailboxdb = require('./mailboxdb.js'),
     safe = require('safetydance'),
     util = require('util');
 
 var APPS_FIELDS_PREFIXED = [ 'apps.id', 'apps.appStoreId', 'apps.installationState', 'apps.installationProgress', 'apps.runState',
-    'apps.health', 'apps.containerId', 'apps.manifestJson', 'apps.httpPort', 'apps.location', 'apps.domain', 'apps.dnsRecordId',
-    'apps.accessRestrictionJson', 'apps.restoreConfigJson', 'apps.oldConfigJson', 'apps.updateConfigJson', 'apps.memoryLimit', 
-    'apps.altDomain', 'apps.xFrameOptions', 'apps.sso', 'apps.debugModeJson', 'apps.robotsTxt', 'apps.enableBackup',
-    'apps.creationTime', 'apps.updateTime' ].join(',');
+    'apps.health', 'apps.containerId', 'apps.manifestJson', 'apps.httpPort', 'subdomains.subdomain AS location', 'subdomains.domain',
+    'apps.accessRestrictionJson', 'apps.restoreConfigJson', 'apps.oldConfigJson', 'apps.updateConfigJson', 'apps.memoryLimit',
+    'apps.xFrameOptions', 'apps.sso', 'apps.debugModeJson', 'apps.robotsTxt', 'apps.enableBackup',
+    'apps.creationTime', 'apps.updateTime', 'apps.ownerId', 'apps.mailboxName', 'apps.enableAutomaticUpdate',
+    'apps.dataDir', 'apps.ts', 'apps.healthTime' ].join(',');
 
-var PORT_BINDINGS_FIELDS = [ 'hostPort', 'environmentVariable', 'appId' ].join(',');
+var PORT_BINDINGS_FIELDS = [ 'hostPort', 'type', 'environmentVariable', 'appId' ].join(',');
+
+const SUBDOMAIN_FIELDS = [ 'appId', 'domain', 'subdomain', 'type' ].join(',');
 
 function postProcess(result) {
     assert.strictEqual(typeof result, 'object');
@@ -89,14 +99,16 @@ function postProcess(result) {
     assert(result.environmentVariables === null || typeof result.environmentVariables === 'string');
 
     result.portBindings = { };
-    var hostPorts = result.hostPorts === null ? [ ] : result.hostPorts.split(',');
-    var environmentVariables = result.environmentVariables === null ? [ ] : result.environmentVariables.split(',');
+    let hostPorts = result.hostPorts === null ? [ ] : result.hostPorts.split(',');
+    let environmentVariables = result.environmentVariables === null ? [ ] : result.environmentVariables.split(',');
+    let portTypes = result.portTypes === null ? [ ] : result.portTypes.split(',');
 
     delete result.hostPorts;
     delete result.environmentVariables;
+    delete result.portTypes;
 
-    for (var i = 0; i < environmentVariables.length; i++) {
-        result.portBindings[environmentVariables[i]] = parseInt(hostPorts[i], 10);
+    for (let i = 0; i < environmentVariables.length; i++) {
+        result.portBindings[environmentVariables[i]] = { hostPort: parseInt(hostPorts[i], 10), type: portTypes[i] };
     }
 
     assert(result.accessRestrictionJson === null || typeof result.accessRestrictionJson === 'string');
@@ -109,10 +121,28 @@ function postProcess(result) {
 
     result.sso = !!result.sso; // make it bool
     result.enableBackup = !!result.enableBackup; // make it bool
+    result.enableAutomaticUpdate = !!result.enableAutomaticUpdate; // make it bool
 
     assert(result.debugModeJson === null || typeof result.debugModeJson === 'string');
     result.debugMode = safe.JSON.parse(result.debugModeJson);
     delete result.debugModeJson;
+
+    result.alternateDomains = result.alternateDomains || [];
+    result.alternateDomains.forEach(function (d) {
+        delete d.appId;
+        delete d.type;
+    });
+
+    let envNames = JSON.parse(result.envNames), envValues = JSON.parse(result.envValues);
+    delete result.envNames;
+    delete result.envValues;
+    result.env = {};
+    for (let i = 0; i < envNames.length; i++) { // NOTE: envNames is [ null ] when env of an app is empty
+        if (envNames[i]) result.env[envNames[i]] = envValues[i];
+    }
+
+    // in the db, we store dataDir as unique/nullable
+    result.dataDir = result.dataDir || '';
 }
 
 function get(id, callback) {
@@ -120,14 +150,25 @@ function get(id, callback) {
     assert.strictEqual(typeof callback, 'function');
 
     database.query('SELECT ' + APPS_FIELDS_PREFIXED + ','
-        + 'GROUP_CONCAT(CAST(appPortBindings.hostPort AS CHAR(6))) AS hostPorts, GROUP_CONCAT(appPortBindings.environmentVariable) AS environmentVariables'
-        + ' FROM apps LEFT OUTER JOIN appPortBindings ON apps.id = appPortBindings.appId WHERE apps.id = ? GROUP BY apps.id', [ id ], function (error, result) {
+        + 'GROUP_CONCAT(CAST(appPortBindings.hostPort AS CHAR(6))) AS hostPorts, GROUP_CONCAT(appPortBindings.environmentVariable) AS environmentVariables, GROUP_CONCAT(appPortBindings.type) AS portTypes, '
+        + 'JSON_ARRAYAGG(appEnvVars.name) AS envNames, JSON_ARRAYAGG(appEnvVars.value) AS envValues'
+        + ' FROM apps'
+        + '  LEFT OUTER JOIN appPortBindings ON apps.id = appPortBindings.appId'
+        + '  LEFT OUTER JOIN appEnvVars ON apps.id = appEnvVars.appId'
+        + '  LEFT OUTER JOIN subdomains ON apps.id = subdomains.appId AND subdomains.type = ?'
+        + ' WHERE apps.id = ? GROUP BY apps.id', [ exports.SUBDOMAIN_TYPE_PRIMARY, id ], function (error, result) {
         if (error) return callback(new DatabaseError(DatabaseError.INTERNAL_ERROR, error));
         if (result.length === 0) return callback(new DatabaseError(DatabaseError.NOT_FOUND));
 
-        postProcess(result[0]);
+        database.query('SELECT ' + SUBDOMAIN_FIELDS + ' FROM subdomains WHERE appId = ? AND type = ?', [ id, exports.SUBDOMAIN_TYPE_REDIRECT ], function (error, alternateDomains) {
+            if (error) return callback(new DatabaseError(DatabaseError.INTERNAL_ERROR, error));
 
-        callback(null, result[0]);
+            result[0].alternateDomains = alternateDomains;
+
+            postProcess(result[0]);
+
+            callback(null, result[0]);
+        });
     });
 }
 
@@ -136,14 +177,24 @@ function getByHttpPort(httpPort, callback) {
     assert.strictEqual(typeof callback, 'function');
 
     database.query('SELECT ' + APPS_FIELDS_PREFIXED + ','
-        + 'GROUP_CONCAT(CAST(appPortBindings.hostPort AS CHAR(6))) AS hostPorts, GROUP_CONCAT(appPortBindings.environmentVariable) AS environmentVariables'
-        + '  FROM apps LEFT OUTER JOIN appPortBindings ON apps.id = appPortBindings.appId WHERE httpPort = ? GROUP BY apps.id', [ httpPort ], function (error, result) {
+    + 'GROUP_CONCAT(CAST(appPortBindings.hostPort AS CHAR(6))) AS hostPorts, GROUP_CONCAT(appPortBindings.environmentVariable) AS environmentVariables, GROUP_CONCAT(appPortBindings.type) AS portTypes,'
+    + 'JSON_ARRAYAGG(appEnvVars.name) AS envNames, JSON_ARRAYAGG(appEnvVars.value) AS envValues'
+        + ' FROM apps'
+        + '  LEFT OUTER JOIN appPortBindings ON apps.id = appPortBindings.appId'
+        + '  LEFT OUTER JOIN appEnvVars ON apps.id = appEnvVars.appId'
+        + '  LEFT OUTER JOIN subdomains ON apps.id = subdomains.appId AND subdomains.type = ?'
+        + ' WHERE httpPort = ? GROUP BY apps.id', [ exports.SUBDOMAIN_TYPE_PRIMARY, httpPort ], function (error, result) {
         if (error) return callback(new DatabaseError(DatabaseError.INTERNAL_ERROR, error));
         if (result.length === 0) return callback(new DatabaseError(DatabaseError.NOT_FOUND));
 
-        postProcess(result[0]);
+        database.query('SELECT ' + SUBDOMAIN_FIELDS + ' FROM subdomains WHERE appId = ? AND type = ?', [ result[0].id, exports.SUBDOMAIN_TYPE_REDIRECT ], function (error, alternateDomains) {
+            if (error) return callback(new DatabaseError(DatabaseError.INTERNAL_ERROR, error));
 
-        callback(null, result[0]);
+            result[0].alternateDomains = alternateDomains;
+            postProcess(result[0]);
+
+            callback(null, result[0]);
+        });
     });
 }
 
@@ -152,14 +203,24 @@ function getByContainerId(containerId, callback) {
     assert.strictEqual(typeof callback, 'function');
 
     database.query('SELECT ' + APPS_FIELDS_PREFIXED + ','
-        + 'GROUP_CONCAT(CAST(appPortBindings.hostPort AS CHAR(6))) AS hostPorts, GROUP_CONCAT(appPortBindings.environmentVariable) AS environmentVariables'
-        + '  FROM apps LEFT OUTER JOIN appPortBindings ON apps.id = appPortBindings.appId WHERE containerId = ? GROUP BY apps.id', [ containerId ], function (error, result) {
+        + 'GROUP_CONCAT(CAST(appPortBindings.hostPort AS CHAR(6))) AS hostPorts, GROUP_CONCAT(appPortBindings.environmentVariable) AS environmentVariables, GROUP_CONCAT(appPortBindings.type) AS portTypes,'
+        + 'JSON_ARRAYAGG(appEnvVars.name) AS envNames, JSON_ARRAYAGG(appEnvVars.value) AS envValues'
+        + ' FROM apps'
+        + '  LEFT OUTER JOIN appPortBindings ON apps.id = appPortBindings.appId'
+        + '  LEFT OUTER JOIN appEnvVars ON apps.id = appEnvVars.appId'
+        + '  LEFT OUTER JOIN subdomains ON apps.id = subdomains.appId AND subdomains.type = ?'
+        + ' WHERE containerId = ? GROUP BY apps.id', [ exports.SUBDOMAIN_TYPE_PRIMARY, containerId ], function (error, result) {
         if (error) return callback(new DatabaseError(DatabaseError.INTERNAL_ERROR, error));
         if (result.length === 0) return callback(new DatabaseError(DatabaseError.NOT_FOUND));
 
-        postProcess(result[0]);
+        database.query('SELECT ' + SUBDOMAIN_FIELDS + ' FROM subdomains WHERE appId = ? AND type = ?', [ result[0].id, exports.SUBDOMAIN_TYPE_REDIRECT ], function (error, alternateDomains) {
+            if (error) return callback(new DatabaseError(DatabaseError.INTERNAL_ERROR, error));
 
-        callback(null, result[0]);
+            result[0].alternateDomains = alternateDomains;
+            postProcess(result[0]);
+
+            callback(null, result[0]);
+        });
     });
 }
 
@@ -167,26 +228,44 @@ function getAll(callback) {
     assert.strictEqual(typeof callback, 'function');
 
     database.query('SELECT ' + APPS_FIELDS_PREFIXED + ','
-        + 'GROUP_CONCAT(CAST(appPortBindings.hostPort AS CHAR(6))) AS hostPorts, GROUP_CONCAT(appPortBindings.environmentVariable) AS environmentVariables'
-        + ' FROM apps LEFT OUTER JOIN appPortBindings ON apps.id = appPortBindings.appId'
-        + ' GROUP BY apps.id ORDER BY apps.id', function (error, results) {
+        + 'GROUP_CONCAT(CAST(appPortBindings.hostPort AS CHAR(6))) AS hostPorts, GROUP_CONCAT(appPortBindings.environmentVariable) AS environmentVariables, GROUP_CONCAT(appPortBindings.type) AS portTypes,'
+        + 'JSON_ARRAYAGG(appEnvVars.name) AS envNames, JSON_ARRAYAGG(appEnvVars.value) AS envValues'
+        + ' FROM apps'
+        + '  LEFT OUTER JOIN appPortBindings ON apps.id = appPortBindings.appId'
+        + '  LEFT OUTER JOIN appEnvVars ON apps.id = appEnvVars.appId'
+        + '  LEFT OUTER JOIN subdomains ON apps.id = subdomains.appId AND subdomains.type = ?'
+        + ' GROUP BY apps.id ORDER BY apps.id', [ exports.SUBDOMAIN_TYPE_PRIMARY ], function (error, results) {
         if (error) return callback(new DatabaseError(DatabaseError.INTERNAL_ERROR, error));
 
-        results.forEach(postProcess);
+        database.query('SELECT ' + SUBDOMAIN_FIELDS + ' FROM subdomains WHERE type = ?', [ exports.SUBDOMAIN_TYPE_REDIRECT ], function (error, alternateDomains) {
+            if (error) return callback(new DatabaseError(DatabaseError.INTERNAL_ERROR, error));
 
-        callback(null, results);
+            alternateDomains.forEach(function (d) {
+                var domain = results.find(function (a) { return d.appId === a.id; });
+                if (!domain) return;
+
+                domain.alternateDomains = domain.alternateDomains || [];
+                domain.alternateDomains.push(d);
+            });
+
+            results.forEach(postProcess);
+
+            callback(null, results);
+        });
     });
 }
 
-function add(id, appStoreId, manifest, location, domain, portBindings, data, callback) {
+function add(id, appStoreId, manifest, location, domain, ownerId, portBindings, data, callback) {
     assert.strictEqual(typeof id, 'string');
     assert.strictEqual(typeof appStoreId, 'string');
     assert(manifest && typeof manifest === 'object');
     assert.strictEqual(typeof manifest.version, 'string');
     assert.strictEqual(typeof location, 'string');
     assert.strictEqual(typeof domain, 'string');
+    assert.strictEqual(typeof ownerId, 'string');
     assert.strictEqual(typeof portBindings, 'object');
     assert(data && typeof data === 'object');
+    assert(typeof data.mailboxName === 'string' && data.mailboxName); // non-empty string
     assert.strictEqual(typeof callback, 'function');
 
     portBindings = portBindings || { };
@@ -196,36 +275,54 @@ function add(id, appStoreId, manifest, location, domain, portBindings, data, cal
     var accessRestriction = data.accessRestriction || null;
     var accessRestrictionJson = JSON.stringify(accessRestriction);
     var memoryLimit = data.memoryLimit || 0;
-    var altDomain = data.altDomain || null;
     var xFrameOptions = data.xFrameOptions || '';
     var installationState = data.installationState || exports.ISTATE_PENDING_INSTALL;
     var restoreConfigJson = data.restoreConfig ? JSON.stringify(data.restoreConfig) : null; // used when cloning
     var sso = 'sso' in data ? data.sso : null;
+    var robotsTxt = 'robotsTxt' in data ? data.robotsTxt : null;
     var debugModeJson = data.debugMode ? JSON.stringify(data.debugMode) : null;
+    var env = data.env || {};
+    const mailboxName = data.mailboxName;
 
     var queries = [];
+
     queries.push({
-        query: 'INSERT INTO apps (id, appStoreId, manifestJson, installationState, location, domain, accessRestrictionJson, memoryLimit, altDomain, xFrameOptions, restoreConfigJson, sso, debugModeJson) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)',
-        args: [ id, appStoreId, manifestJson, installationState, location, domain, accessRestrictionJson, memoryLimit, altDomain, xFrameOptions, restoreConfigJson, sso, debugModeJson ]
+        query: 'INSERT INTO apps (id, appStoreId, manifestJson, installationState, accessRestrictionJson, memoryLimit, xFrameOptions, restoreConfigJson, sso, debugModeJson, robotsTxt, ownerId, mailboxName) ' +
+            ' VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)',
+        args: [ id, appStoreId, manifestJson, installationState, accessRestrictionJson, memoryLimit, xFrameOptions, restoreConfigJson, sso, debugModeJson, robotsTxt, ownerId, mailboxName ]
+    });
+
+    queries.push({
+        query: 'INSERT INTO subdomains (appId, domain, subdomain, type) VALUES (?, ?, ?, ?)',
+        args: [ id, domain, location, exports.SUBDOMAIN_TYPE_PRIMARY ]
     });
 
     Object.keys(portBindings).forEach(function (env) {
         queries.push({
-            query: 'INSERT INTO appPortBindings (environmentVariable, hostPort, appId) VALUES (?, ?, ?)',
-            args: [ env, portBindings[env], id ]
+            query: 'INSERT INTO appPortBindings (environmentVariable, hostPort, type, appId) VALUES (?, ?, ?, ?)',
+            args: [ env, portBindings[env].hostPort, portBindings[env].type, id ]
         });
     });
 
-    // only allocate a mailbox if mailboxName is set
-    if (data.mailboxName) {
+    Object.keys(env).forEach(function (name) {
         queries.push({
-            query: 'INSERT INTO mailboxes (name, domain, ownerId, ownerType) VALUES (?, ?, ?, ?)',
-            args: [ data.mailboxName, domain, id, mailboxdb.TYPE_APP ]
+            query: 'INSERT INTO appEnvVars (appId, name, value) VALUES (?, ?, ?)',
+            args: [ id, name, env[name] ]
+        });
+    });
+
+    if (data.alternateDomains) {
+        data.alternateDomains.forEach(function (d) {
+            queries.push({
+                query: 'INSERT INTO subdomains (appId, domain, subdomain, type) VALUES (?, ?, ?, ?)',
+                args: [ id, d.domain, d.subdomain, exports.SUBDOMAIN_TYPE_REDIRECT ]
+            });
         });
     }
 
     database.transaction(queries, function (error) {
         if (error && error.code === 'ER_DUP_ENTRY') return callback(new DatabaseError(DatabaseError.ALREADY_EXISTS, error.message));
+        if (error && error.code === 'ER_NO_REFERENCED_ROW_2') return callback(new DatabaseError(DatabaseError.NOT_FOUND, 'no such domain'));
         if (error) return callback(new DatabaseError(DatabaseError.INTERNAL_ERROR, error));
 
         callback(null);
@@ -252,18 +349,19 @@ function getPortBindings(id, callback) {
 
         var portBindings = { };
         for (var i = 0; i < results.length; i++) {
-            portBindings[results[i].environmentVariable] = results[i].hostPort;
+            portBindings[results[i].environmentVariable] = { hostPort: results[i].hostPort, type: results[i].type };
         }
 
         callback(null, portBindings);
     });
 }
 
-function delPortBinding(hostPort, callback) {
+function delPortBinding(hostPort, type, callback) {
     assert.strictEqual(typeof hostPort, 'number');
+    assert.strictEqual(typeof type, 'string');
     assert.strictEqual(typeof callback, 'function');
 
-    database.query('DELETE FROM appPortBindings WHERE hostPort=?', [ hostPort ], function (error, result) {
+    database.query('DELETE FROM appPortBindings WHERE hostPort=? AND type=?', [ hostPort, type ], function (error, result) {
         if (error) return callback(new DatabaseError(DatabaseError.INTERNAL_ERROR, error));
         if (result.affectedRows !== 1) return callback(new DatabaseError(DatabaseError.NOT_FOUND));
 
@@ -276,14 +374,15 @@ function del(id, callback) {
     assert.strictEqual(typeof callback, 'function');
 
     var queries = [
-        { query: 'DELETE FROM mailboxes WHERE ownerId=?', args: [ id ] },
+        { query: 'DELETE FROM subdomains WHERE appId = ?', args: [ id ] },
         { query: 'DELETE FROM appPortBindings WHERE appId = ?', args: [ id ] },
+        { query: 'DELETE FROM appEnvVars WHERE appId = ?', args: [ id ] },
         { query: 'DELETE FROM apps WHERE id = ?', args: [ id ] }
     ];
 
     database.transaction(queries, function (error, results) {
         if (error) return callback(new DatabaseError(DatabaseError.INTERNAL_ERROR, error));
-        if (results[2].affectedRows !== 1) return callback(new DatabaseError(DatabaseError.NOT_FOUND));
+        if (results[3].affectedRows !== 1) return callback(new DatabaseError(DatabaseError.NOT_FOUND));
 
         callback(null);
     });
@@ -293,8 +392,10 @@ function clear(callback) {
     assert.strictEqual(typeof callback, 'function');
 
     async.series([
+        database.query.bind(null, 'DELETE FROM subdomains'),
         database.query.bind(null, 'DELETE FROM appPortBindings'),
         database.query.bind(null, 'DELETE FROM appAddonConfigs'),
+        database.query.bind(null, 'DELETE FROM appEnvVars'),
         database.query.bind(null, 'DELETE FROM apps')
     ], function (error) {
         if (error) return callback(new DatabaseError(DatabaseError.INTERNAL_ERROR, error));
@@ -313,6 +414,8 @@ function updateWithConstraints(id, app, constraints, callback) {
     assert.strictEqual(typeof callback, 'function');
     assert(!('portBindings' in app) || typeof app.portBindings === 'object');
     assert(!('accessRestriction' in app) || typeof app.accessRestriction === 'object' || app.accessRestriction === '');
+    assert(!('alternateDomains' in app) || Array.isArray(app.alternateDomains));
+    assert(!('env' in app) || typeof app.env === 'object');
 
     var queries = [ ];
 
@@ -321,8 +424,30 @@ function updateWithConstraints(id, app, constraints, callback) {
         // replace entries by app id
         queries.push({ query: 'DELETE FROM appPortBindings WHERE appId = ?', args: [ id ] });
         Object.keys(portBindings).forEach(function (env) {
-            var values = [ portBindings[env], env, id ];
-            queries.push({ query: 'INSERT INTO appPortBindings (hostPort, environmentVariable, appId) VALUES(?, ?, ?)', args: values });
+            var values = [ portBindings[env].hostPort, portBindings[env].type, env, id ];
+            queries.push({ query: 'INSERT INTO appPortBindings (hostPort, type, environmentVariable, appId) VALUES(?, ?, ?, ?)', args: values });
+        });
+    }
+
+    if ('env' in app) {
+        queries.push({ query: 'DELETE FROM appEnvVars WHERE appId = ?', args: [ id ] });
+
+        Object.keys(app.env).forEach(function (name) {
+            queries.push({
+                query: 'INSERT INTO appEnvVars (appId, name, value) VALUES (?, ?, ?)',
+                args: [ id, name, app.env[name] ]
+            });
+        });
+    }
+
+    if ('location' in app && 'domain' in app) { // must be updated together as they are unique together
+        queries.push({ query: 'UPDATE subdomains SET subdomain = ?, domain = ? WHERE appId = ? AND type = ?', args: [ app.location, app.domain, id, exports.SUBDOMAIN_TYPE_PRIMARY ]});
+    }
+
+    if ('alternateDomains' in app) {
+        queries.push({ query: 'DELETE FROM subdomains WHERE appId = ? AND type = ?', args: [ id, exports.SUBDOMAIN_TYPE_REDIRECT ]});
+        app.alternateDomains.forEach(function (d) {
+            queries.push({ query: 'INSERT INTO subdomains (appId, domain, subdomain, type) VALUES (?, ?, ?, ?)', args: [ id, d.domain, d.subdomain, exports.SUBDOMAIN_TYPE_REDIRECT ]});
         });
     }
 
@@ -331,7 +456,7 @@ function updateWithConstraints(id, app, constraints, callback) {
         if (p === 'manifest' || p === 'oldConfig' || p === 'updateConfig' || p === 'restoreConfig' || p === 'accessRestriction' || p === 'debugMode') {
             fields.push(`${p}Json = ?`);
             values.push(JSON.stringify(app[p]));
-        } else if (p !== 'portBindings') {
+        } else if (p !== 'portBindings' && p !== 'location' && p !== 'domain' && p !== 'alternateDomains' && p !== 'env') {
             fields.push(p + ' = ?');
             values.push(app[p]);
         }
@@ -352,12 +477,13 @@ function updateWithConstraints(id, app, constraints, callback) {
 }
 
 // not sure if health should influence runState
-function setHealth(appId, health, callback) {
+function setHealth(appId, health, healthTime, callback) {
     assert.strictEqual(typeof appId, 'string');
     assert.strictEqual(typeof health, 'string');
+    assert(util.isDate(healthTime));
     assert.strictEqual(typeof callback, 'function');
 
-    var values = { health: health };
+    var values = { health, healthTime };
 
     var constraints = 'AND runState NOT LIKE "pending_%" AND installationState = "installed"';
 
@@ -490,6 +616,20 @@ function getAddonConfigByAppId(appId, callback) {
     });
 }
 
+function getAppIdByAddonConfigValue(addonId, name, value, callback) {
+    assert.strictEqual(typeof addonId, 'string');
+    assert.strictEqual(typeof name, 'string');
+    assert.strictEqual(typeof value, 'string');
+    assert.strictEqual(typeof callback, 'function');
+
+    database.query('SELECT appId FROM appAddonConfigs WHERE addonId = ? AND name = ? AND value = ?', [ addonId, name, value ], function (error, results) {
+        if (error) return callback(new DatabaseError(DatabaseError.INTERNAL_ERROR, error));
+        if (results.length === 0) return callback(new DatabaseError(DatabaseError.NOT_FOUND));
+
+        callback(null, results[0].appId);
+    });
+}
+
 function getAddonConfigByName(appId, addonId, name, callback) {
     assert.strictEqual(typeof appId, 'string');
     assert.strictEqual(typeof addonId, 'string');
@@ -503,3 +643,31 @@ function getAddonConfigByName(appId, addonId, name, callback) {
         callback(null, results[0].value);
     });
 }
+
+function setOwner(appId, ownerId, callback) {
+    assert.strictEqual(typeof appId, 'string');
+    assert.strictEqual(typeof ownerId, 'string');
+    assert.strictEqual(typeof callback, 'function');
+
+    database.query('UPDATE apps SET ownerId=? WHERE appId=?', [ ownerId, appId ], function (error, results) {
+        if (error && error.code === 'ER_NO_REFERENCED_ROW_2') return callback(new DatabaseError(DatabaseError.NOT_FOUND, 'No such user'));
+        if (error) return callback(new DatabaseError(DatabaseError.INTERNAL_ERROR, error));
+
+        if (results.length === 0) return callback(new DatabaseError(DatabaseError.NOT_FOUND, 'No such app'));
+
+        callback(null);
+    });
+}
+
+function transferOwnership(oldOwnerId, newOwnerId, callback) {
+    assert.strictEqual(typeof oldOwnerId, 'string');
+    assert.strictEqual(typeof newOwnerId, 'string');
+    assert.strictEqual(typeof callback, 'function');
+
+    database.query('UPDATE apps SET ownerId=? WHERE ownerId=?', [ newOwnerId, oldOwnerId ], function (error) {
+        if (error && error.code === 'ER_NO_REFERENCED_ROW_2') return callback(new DatabaseError(DatabaseError.NOT_FOUND, 'No such user'));
+        if (error) return callback(new DatabaseError(DatabaseError.INTERNAL_ERROR, error));
+
+        callback(null);
+    });
+}

src/apphealthmonitor.js

@@ -5,32 +5,29 @@ var appdb = require('./appdb.js'),
     assert = require('assert'),
     async = require('async'),
     DatabaseError = require('./databaseerror.js'),
-    config = require('./config.js'),
     debug = require('debug')('box:apphealthmonitor'),
-    docker = require('./docker.js').connection,
-    mailer = require('./mailer.js'),
+    docker = require('./docker.js'),
+    eventlog = require('./eventlog.js'),
+    safe = require('safetydance'),
     superagent = require('superagent'),
     util = require('util');
 
 exports = module.exports = {
-    start: start,
-    stop: stop
+    run: run
 };
 
-var HEALTHCHECK_INTERVAL = 10 * 1000; // every 10 seconds. this needs to be small since the UI makes only healthy apps clickable
-var UNHEALTHY_THRESHOLD = 10 * 60 * 1000; // 10 minutes
-var gHealthInfo = { }; // { time, emailSent }
-var gRunTimeout = null;
-var gDockerEventStream = null;
+const HEALTHCHECK_INTERVAL = 10 * 1000; // every 10 seconds. this needs to be small since the UI makes only healthy apps clickable
+const UNHEALTHY_THRESHOLD = 10 * 60 * 1000; // 10 minutes
+
+const OOM_EVENT_LIMIT = 60 * 60 * 1000; // 60 minutes
+let gLastOomMailTime = Date.now() - (5 * 60 * 1000); // pretend we sent email 5 minutes ago
+
+const AUDIT_SOURCE = { userId: null, username: 'healthmonitor' };
 
 function debugApp(app) {
-    assert(!app || typeof app === 'object');
+    assert(typeof app === 'object');
 
-    var prefix = app ? app.intrinsicFqdn : '(no app)';
-    var manifestAppId = app ? app.manifest.id : '';
-    var id = app ? app.id : '';
-
-    debug(prefix + ' ' + manifestAppId + ' ' + util.format.apply(util, Array.prototype.slice.call(arguments, 1)) + ' - ' + id);
+    debug(app.fqdn + ' ' + app.manifest.id + ' ' + util.format.apply(util, Array.prototype.slice.call(arguments, 1)) + ' - ' + app.id);
 }
 
 function setHealth(app, health, callback) {
@@ -38,27 +35,29 @@ function setHealth(app, health, callback) {
     assert.strictEqual(typeof health, 'string');
     assert.strictEqual(typeof callback, 'function');
 
-    var now = new Date();
-
-    if (!(app.id in gHealthInfo)) { // add new apps to list
-        gHealthInfo[app.id] = { time: now, emailSent: false };
-    }
+    let now = new Date(), healthTime = app.healthTime, curHealth = app.health;
 
     if (health === appdb.HEALTH_HEALTHY) {
-        gHealthInfo[app.id].time = now;
-    } else if (Math.abs(now - gHealthInfo[app.id].time) > UNHEALTHY_THRESHOLD) {
-        if (gHealthInfo[app.id].emailSent) return callback(null);
+        healthTime = now;
+        if (curHealth && curHealth !== appdb.HEALTH_HEALTHY) { // app starts out with null health
+            debugApp(app, 'app switched from %s to healthy', curHealth);
 
-        debugApp(app, 'marking as unhealthy since not seen for more than %s minutes', UNHEALTHY_THRESHOLD/(60 * 1000));
+            // do not send mails for dev apps
+            if (!app.debugMode) eventlog.add(eventlog.ACTION_APP_UP, AUDIT_SOURCE, { app: app });
+        }
+    } else if (Math.abs(now - healthTime) > UNHEALTHY_THRESHOLD) {
+        if (curHealth === appdb.HEALTH_HEALTHY) {
+            debugApp(app, 'marking as unhealthy since not seen for more than %s minutes', UNHEALTHY_THRESHOLD/(60 * 1000));
 
-        if (!app.debugMode) mailer.appDied(app); // do not send mails for dev apps
-        gHealthInfo[app.id].emailSent = true;
+            // do not send mails for dev apps
+            if (!app.debugMode) eventlog.add(eventlog.ACTION_APP_DOWN, AUDIT_SOURCE, { app: app });
+        }
     } else {
-        debugApp(app, 'waiting for sometime to update the app health');
+        debugApp(app, 'waiting for %s seconds to update the app health', (UNHEALTHY_THRESHOLD - Math.abs(now - healthTime))/1000);
         return callback(null);
     }
 
-    appdb.setHealth(app.id, health, function (error) {
+    appdb.setHealth(app.id, health, healthTime, function (error) {
         if (error && error.reason === DatabaseError.NOT_FOUND) return callback(null); // app uninstalled?
         if (error) return callback(error);
 
@@ -71,16 +70,18 @@ function setHealth(app, health, callback) {
 
 // callback is called with error for fatal errors and not if health check failed
 function checkAppHealth(app, callback) {
+    assert.strictEqual(typeof app, 'object');
+    assert.strictEqual(typeof callback, 'function');
+
     if (app.installationState !== appdb.ISTATE_INSTALLED || app.runState !== appdb.RSTATE_RUNNING) {
         debugApp(app, 'skipped. istate:%s rstate:%s', app.installationState, app.runState);
         return callback(null);
     }
 
-    var container = docker.getContainer(app.containerId),
-        manifest = app.manifest;
+    const manifest = app.manifest;
 
-    container.inspect(function (err, data) {
-        if (err || !data || !data.State) {
+    docker.inspect(app.containerId, function (error, data) {
+        if (error || !data || !data.State) {
             debugApp(app, 'Error inspecting container');
             return setHealth(app, appdb.HEALTH_ERROR, callback);
         }
@@ -90,6 +91,9 @@ function checkAppHealth(app, callback) {
             return setHealth(app, appdb.HEALTH_DEAD, callback);
         }
 
+        // non-appstore apps may not have healthCheckPath
+        if (!manifest.healthCheckPath) return setHealth(app, appdb.HEALTH_HEALTHY, callback);
+
         // poll through docker network instead of nginx to bypass any potential oauth proxy
         var healthCheckUrl = 'http://127.0.0.1:' + app.httpPort + manifest.healthCheckPath;
         superagent
@@ -112,7 +116,71 @@ function checkAppHealth(app, callback) {
     });
 }
 
-function processApps(callback) {
+function getContainerInfo(containerId, callback) {
+    docker.inspect(containerId, function (error, result) {
+        if (error) return callback(error);
+
+        const appId = safe.query(result, 'Config.Labels.appId', null);
+
+        if (!appId) return callback(null, null /* app */, { name: result.Name }); // addon
+
+        apps.get(appId, callback); // don't get by container id as this can be an exec container
+    });
+}
+
+/*
+    OOM can be tested using stress tool like so:
+        docker run -ti -m 100M cloudron/base:0.10.0 /bin/bash
+        apt-get update && apt-get install stress
+        stress --vm 1 --vm-bytes 200M --vm-hang 0
+*/
+function processDockerEvents(intervalSecs, callback) {
+    assert.strictEqual(typeof intervalSecs, 'number');
+    assert.strictEqual(typeof callback, 'function');
+
+    const since = ((new Date().getTime() / 1000) - intervalSecs).toFixed(0);
+    const until = ((new Date().getTime() / 1000) - 1).toFixed(0);
+
+    docker.getEvents({ since: since, until: until, filters: JSON.stringify({ event: [ 'oom' ] }) }, function (error, stream) {
+        if (error) return callback(error);
+
+        stream.setEncoding('utf8');
+        stream.on('data', function (data) {
+            const event = JSON.parse(data);
+            const containerId = String(event.id);
+
+            getContainerInfo(containerId, function (error, app, addon) {
+                const program = error ? containerId : (app ? app.fqdn : addon.name);
+                const now = Date.now();
+                const notifyUser = !(app && app.debugMode) && ((now - gLastOomMailTime) > OOM_EVENT_LIMIT);
+
+                debug('OOM %s notifyUser: %s. lastOomTime: %s (now: %s)', program, notifyUser, gLastOomMailTime, now);
+
+                // do not send mails for dev apps
+                if (notifyUser) {
+                    // app can be null for addon containers
+                    eventlog.add(eventlog.ACTION_APP_OOM, AUDIT_SOURCE, { event: event, containerId: containerId, addon: addon || null, app: app || null });
+
+                    gLastOomMailTime = now;
+                }
+            });
+        });
+
+        stream.on('error', function (error) {
+            debug('Error reading docker events', error);
+            callback();
+        });
+
+        stream.on('end', callback);
+
+        // safety hatch if 'until' doesn't work (there are cases where docker is working with a different time)
+        setTimeout(stream.destroy.bind(stream), 3000); // https://github.com/apocas/dockerode/issues/179
+    });
+}
+
+function processApp(callback) {
+    assert.strictEqual(typeof callback, 'function');
+
     apps.getAll(function (error, result) {
         if (error) return callback(error);
 
@@ -130,79 +198,16 @@ function processApps(callback) {
     });
 }
 
-function run() {
-    processApps(function (error) {
-        if (error) console.error(error);
-
-        gRunTimeout = setTimeout(run, HEALTHCHECK_INTERVAL);
-    });
-}
-
-/*
-    OOM can be tested using stress tool like so:
-        docker run -ti -m 100M cloudron/base:0.10.0 /bin/bash
-        apt-get update && apt-get install stress
-        stress --vm 1 --vm-bytes 200M --vm-hang 0
-*/
-function processDockerEvents() {
-    // note that for some reason, the callback is called only on the first event
-    debug('Listening for docker events');
-    const OOM_MAIL_LIMIT = 60 * 60 * 1000; // 60 minutes
-    var lastOomMailTime = new Date(new Date() - OOM_MAIL_LIMIT);
-
-    docker.getEvents({ filters: JSON.stringify({ event: [ 'oom' ] }) }, function (error, stream) {
-        if (error) return console.error(error);
-
-        gDockerEventStream = stream;
-
-        stream.setEncoding('utf8');
-        stream.on('data', function (data) {
-            var ev = JSON.parse(data);
-            appdb.getByContainerId(ev.id, function (error, app) { // this can error for addons
-                var program = error || !app.appStoreId ? ev.id : app.appStoreId;
-                var context = JSON.stringify(ev);
-                var now = new Date();
-                if (app) context = context + '\n\n' + JSON.stringify(app, null, 4) + '\n';
-
-                debug('OOM Context: %s', context);
-
-                // do not send mails for dev apps
-                if ((!app || !app.debugMode) && (now - lastOomMailTime > OOM_MAIL_LIMIT)) {
-                    mailer.oomEvent(program, context); // app can be null if it's an addon crash
-                    lastOomMailTime = now;
-                }
-            });
-        });
-
-        stream.on('error', function (error) {
-            console.error('Error reading docker events', error);
-            gDockerEventStream = null; // TODO: reconnect?
-        });
-
-        stream.on('end', function () {
-            console.error('Docker event stream ended');
-            gDockerEventStream = null; // TODO: reconnect?
-        });
-    });
-}
-
-function start(callback) {
+function run(intervalSecs, callback) {
+    assert.strictEqual(typeof intervalSecs, 'number');
     assert.strictEqual(typeof callback, 'function');
 
-    debug('Starting apphealthmonitor');
+    async.series([
+        processApp, // this is first because docker.getEvents seems to get 'stuck' sometimes
+        processDockerEvents.bind(null, intervalSecs)
+    ], function (error) {
+        if (error) debug(error);
 
-    processDockerEvents();
-
-    run();
-
-    callback();
-}
-
-function stop(callback) {
-    assert.strictEqual(typeof callback, 'function');
-
-    clearTimeout(gRunTimeout);
-    if (gDockerEventStream) gDockerEventStream.end();
-
-    callback();
+        callback();
+    });
 }

src/appstore.js

@@ -5,6 +5,7 @@ exports = module.exports = {
     unpurchase: unpurchase,
 
     getSubscription: getSubscription,
+    isFreePlan: isFreePlan,
 
     sendAliveStatus: sendAliveStatus,
 
@@ -13,16 +14,25 @@ exports = module.exports = {
 
     getAccount: getAccount,
 
+    registerCloudron: registerCloudron,
+    getCloudron: getCloudron,
+
     sendFeedback: sendFeedback,
 
     AppstoreError: AppstoreError
 };
 
-var assert = require('assert'),
+var apps = require('./apps.js'),
+    assert = require('assert'),
+    async = require('async'),
     config = require('./config.js'),
     debug = require('debug')('box:appstore'),
+    domains = require('./domains.js'),
     eventlog = require('./eventlog.js'),
+    mail = require('./mail.js'),
     os = require('os'),
+    safe = require('safetydance'),
+    semver = require('semver'),
     settings = require('./settings.js'),
     superagent = require('superagent'),
     util = require('util');
@@ -56,23 +66,12 @@ var NOOP_CALLBACK = function (error) { if (error) debug(error); };
 function getAppstoreConfig(callback) {
     assert.strictEqual(typeof callback, 'function');
 
-    // Caas Cloudrons do not store appstore credentials in their local database
-    if (config.provider() === 'caas') {
-        var url = config.apiServerOrigin() + '/api/v1/exchangeBoxTokenWithUserToken';
-        superagent.post(url).query({ token: config.token() }).timeout(30 * 1000).end(function (error, result) {
-            if (error && !error.response) return callback(new AppstoreError(AppstoreError.EXTERNAL_ERROR, error));
-            if (result.statusCode !== 201) return callback(new AppstoreError(AppstoreError.EXTERNAL_ERROR, util.format('App unpurchase failed. %s %j', result.status, result.body)));
+    settings.getAppstoreConfig(function (error, result) {
+        if (error) return callback(new AppstoreError(AppstoreError.INTERNAL_ERROR, error));
+        if (!result.token) return callback(new AppstoreError(AppstoreError.BILLING_REQUIRED));
 
-            callback(null, result.body);
-        });
-    } else {
-        settings.getAppstoreConfig(function (error, result) {
-            if (error) return callback(new AppstoreError(AppstoreError.INTERNAL_ERROR, error));
-            if (!result.token) return callback(new AppstoreError(AppstoreError.BILLING_REQUIRED));
-
-            callback(null, result);
-        });
-    }
+        callback(null, result);
+    });
 }
 
 function getSubscription(callback) {
@@ -94,18 +93,21 @@ function getSubscription(callback) {
     });
 }
 
-function purchase(appId, appstoreId, callback) {
-    assert.strictEqual(typeof appId, 'string');
-    assert.strictEqual(typeof appstoreId, 'string');
-    assert.strictEqual(typeof callback, 'function');
+function isFreePlan(subscription) {
+    return !subscription || subscription.plan.id === 'free';
+}
 
-    if (appstoreId === '') return callback(null);
+// See app.js install it will create a db record first but remove it again if appstore purchase fails
+function purchase(appId, data, callback) {
+    assert.strictEqual(typeof appId, 'string');
+    assert.strictEqual(typeof data, 'object');
+    assert(data.appstoreId || data.manifestId);
+    assert.strictEqual(typeof callback, 'function');
 
     getAppstoreConfig(function (error, appstoreConfig) {
         if (error) return callback(error);
 
         var url = config.apiServerOrigin() + '/api/v1/users/' + appstoreConfig.userId + '/cloudrons/' + appstoreConfig.cloudronId + '/apps/' + appId;
-        var data = { appstoreId: appstoreId };
 
         superagent.post(url).send(data).query({ accessToken: appstoreConfig.token }).timeout(30 * 1000).end(function (error, result) {
             if (error && !error.response) return callback(new AppstoreError(AppstoreError.EXTERNAL_ERROR, error.message));
@@ -119,13 +121,12 @@ function purchase(appId, appstoreId, callback) {
     });
 }
 
-function unpurchase(appId, appstoreId, callback) {
+function unpurchase(appId, data, callback) {
     assert.strictEqual(typeof appId, 'string');
-    assert.strictEqual(typeof appstoreId, 'string');
+    assert.strictEqual(typeof data, 'object');
+    assert(data.appstoreId || data.manifestId);
     assert.strictEqual(typeof callback, 'function');
 
-    if (appstoreId === '') return callback(null);
-
     getAppstoreConfig(function (error, appstoreConfig) {
         if (error) return callback(error);
 
@@ -135,9 +136,9 @@ function unpurchase(appId, appstoreId, callback) {
             if (error && !error.response) return callback(new AppstoreError(AppstoreError.EXTERNAL_ERROR, error));
             if (result.statusCode === 403 || result.statusCode === 401) return callback(new AppstoreError(AppstoreError.BILLING_REQUIRED));
             if (result.statusCode === 404) return callback(null);   // was never purchased
-            if (result.statusCode !== 201 && result.statusCode !== 200) return callback(new AppstoreError(AppstoreError.EXTERNAL_ERROR, util.format('App purchase failed. %s %j', result.status, result.body)));
+            if (result.statusCode !== 201 && result.statusCode !== 200) return callback(new AppstoreError(AppstoreError.EXTERNAL_ERROR, util.format('App unpurchase failed. %s %j', result.status, result.body)));
 
-            superagent.del(url).query({ accessToken: appstoreConfig.token }).timeout(30 * 1000).end(function (error, result) {
+            superagent.del(url).send(data).query({ accessToken: appstoreConfig.token }).timeout(30 * 1000).end(function (error, result) {
                 if (error && !error.response) return callback(new AppstoreError(AppstoreError.EXTERNAL_ERROR, error));
                 if (result.statusCode === 403 || result.statusCode === 401) return callback(new AppstoreError(AppstoreError.BILLING_REQUIRED));
                 if (result.statusCode !== 204) return callback(new AppstoreError(AppstoreError.EXTERNAL_ERROR, util.format('App unpurchase failed. %s %j', result.status, result.body)));
@@ -148,62 +149,87 @@ function unpurchase(appId, appstoreId, callback) {
     });
 }
 
-function sendAliveStatus(data, callback) {
+function sendAliveStatus(callback) {
     callback = callback || NOOP_CALLBACK;
 
-    settings.getAll(function (error, result) {
-        if (error) return callback(new AppstoreError(AppstoreError.INTERNAL_ERROR, error));
+    var allSettings, allDomains, mailDomains, loginEvents;
 
-        eventlog.getAllPaged(eventlog.ACTION_USER_LOGIN, null, 1, 1, function (error, loginEvents) {
-            if (error) return callback(new AppstoreError(AppstoreError.INTERNAL_ERROR, error));
+    async.series([
+        function (callback) {
+            settings.getAll(function (error, result) {
+                if (error) return callback(new AppstoreError(AppstoreError.INTERNAL_ERROR, error));
+                allSettings = result;
+                callback();
+            });
+        },
+        function (callback) {
+            domains.getAll(function (error, result) {
+                if (error) return callback(new AppstoreError(AppstoreError.INTERNAL_ERROR, error));
+                allDomains = result;
+                callback();
+            });
+        },
+        function (callback) {
+            mail.getDomains(function (error, result) {
+                if (error) return callback(new AppstoreError(AppstoreError.INTERNAL_ERROR, error));
+                mailDomains = result;
+                callback();
+            });
+        },
+        function (callback) {
+            eventlog.getAllPaged([ eventlog.ACTION_USER_LOGIN ], null, 1, 1, function (error, result) {
+                if (error) return callback(new AppstoreError(AppstoreError.INTERNAL_ERROR, error));
+                loginEvents = result;
+                callback();
+            });
+        }
+    ], function (error) {
+        if (error) return callback(error);
 
-            var backendSettings = {
-                tlsConfig: {
-                    provider: result[settings.TLS_CONFIG_KEY].provider
-                },
-                backupConfig: {
-                    provider: result[settings.BACKUP_CONFIG_KEY].provider,
-                    hardlinks: !result[settings.BACKUP_CONFIG_KEY].noHardlinks
-                },
-                mailConfig: {
-                    enabled: result[settings.MAIL_CONFIG_KEY].enabled
-                },
-                mailRelay: {
-                    provider: result[settings.MAIL_RELAY_KEY].provider
-                },
-                mailCatchAll: {
-                    count: result[settings.CATCH_ALL_ADDRESS_KEY].length
-                },
-                autoupdatePattern: result[settings.AUTOUPDATE_PATTERN_KEY],
-                timeZone: result[settings.TIME_ZONE_KEY],
-            };
+        var backendSettings = {
+            backupConfig: {
+                provider: allSettings[settings.BACKUP_CONFIG_KEY].provider,
+                hardlinks: !allSettings[settings.BACKUP_CONFIG_KEY].noHardlinks
+            },
+            domainConfig: {
+                count: allDomains.length,
+                domains: Array.from(new Set(allDomains.map(function (d) { return { domain: d.domain, provider: d.provider }; })))
+            },
+            mailConfig: {
+                outboundCount: mailDomains.length,
+                inboundCount: mailDomains.filter(function (d) { return d.enabled; }).length,
+                catchAllCount: mailDomains.filter(function (d) { return d.catchAll.length !== 0; }).length,
+                relayProviders: Array.from(new Set(mailDomains.map(function (d) { return d.relay.provider; })))
+            },
+            appAutoupdatePattern: allSettings[settings.APP_AUTOUPDATE_PATTERN_KEY],
+            boxAutoupdatePattern: allSettings[settings.BOX_AUTOUPDATE_PATTERN_KEY],
+            timeZone: allSettings[settings.TIME_ZONE_KEY],
+        };
 
-            var data = {
-                domain: config.fqdn(),
-                version: config.version(),
-                adminFqdn: config.adminFqdn(),
-                provider: config.provider(),
-                backendSettings: backendSettings,
-                machine: {
-                    cpus: os.cpus(),
-                    totalmem: os.totalmem()
-                },
-                events: {
-                    lastLogin: loginEvents[0] ? (new Date(loginEvents[0].creationTime).getTime()) : 0
-                }
-            };
+        var data = {
+            version: config.version(),
+            adminFqdn: config.adminFqdn(),
+            provider: config.provider(),
+            backendSettings: backendSettings,
+            machine: {
+                cpus: os.cpus(),
+                totalmem: os.totalmem()
+            },
+            events: {
+                lastLogin: loginEvents[0] ? (new Date(loginEvents[0].creationTime).getTime()) : 0
+            }
+        };
 
-            getAppstoreConfig(function (error, appstoreConfig) {
-                if (error) return callback(error);
+        getAppstoreConfig(function (error, appstoreConfig) {
+            if (error) return callback(error);
 
-                var url = config.apiServerOrigin() + '/api/v1/users/' + appstoreConfig.userId + '/cloudrons/' + appstoreConfig.cloudronId + '/alive';
-                superagent.post(url).send(data).query({ accessToken: appstoreConfig.token }).timeout(30 * 1000).end(function (error, result) {
-                    if (error && !error.response) return callback(new AppstoreError(AppstoreError.EXTERNAL_ERROR, error));
-                    if (result.statusCode === 404) return callback(new AppstoreError(AppstoreError.NOT_FOUND));
-                    if (result.statusCode !== 201) return callback(new AppstoreError(AppstoreError.EXTERNAL_ERROR, util.format('Sending alive status failed. %s %j', result.status, result.body)));
+            var url = config.apiServerOrigin() + '/api/v1/users/' + appstoreConfig.userId + '/cloudrons/' + appstoreConfig.cloudronId + '/alive';
+            superagent.post(url).send(data).query({ accessToken: appstoreConfig.token }).timeout(30 * 1000).end(function (error, result) {
+                if (error && !error.response) return callback(new AppstoreError(AppstoreError.EXTERNAL_ERROR, error));
+                if (result.statusCode === 404) return callback(new AppstoreError(AppstoreError.NOT_FOUND));
+                if (result.statusCode !== 201) return callback(new AppstoreError(AppstoreError.EXTERNAL_ERROR, util.format('Sending alive status failed. %s %j', result.status, result.body)));
 
-                    callback(null);
-                });
+                callback(null);
             });
         });
     });
@@ -218,12 +244,25 @@ function getBoxUpdate(callback) {
         var url = config.apiServerOrigin() + '/api/v1/users/' + appstoreConfig.userId + '/cloudrons/' + appstoreConfig.cloudronId + '/boxupdate';
 
         superagent.get(url).query({ accessToken: appstoreConfig.token, boxVersion: config.version() }).timeout(10 * 1000).end(function (error, result) {
-            if (error && !error.response) return callback(new AppstoreError(AppstoreError.EXTERNAL_ERROR, error));
+            if (error && !error.response) return callback(new AppstoreError(AppstoreError.EXTERNAL_ERROR, error.message));
             if (result.statusCode === 204) return callback(null); // no update
-            if (result.statusCode !== 200) return callback(new AppstoreError(AppstoreError.EXTERNAL_ERROR, util.format('Bad response: %s %s', result.statusCode, result.text)));
+            if (result.statusCode !== 200 || !result.body) return callback(new AppstoreError(AppstoreError.EXTERNAL_ERROR, util.format('Bad response: %s %s', result.statusCode, result.text)));
 
-            // { version, changelog, upgrade, sourceTarballUrl}
-            callback(null, result.body);
+            var updateInfo = result.body;
+
+            if (!semver.valid(updateInfo.version) || semver.gt(config.version(), updateInfo.version)) {
+                return callback(new AppstoreError(AppstoreError.EXTERNAL_ERROR, util.format('Invalid update version: %s %s', result.statusCode, result.text)));
+            }
+
+            // updateInfo: { version, changelog, sourceTarballUrl, sourceTarballSigUrl, boxVersionsUrl, boxVersionsSigUrl }
+            if (!updateInfo.version || typeof updateInfo.version !== 'string') return callback(new AppstoreError(AppstoreError.EXTERNAL_ERROR, util.format('Bad response (bad version): %s %s', result.statusCode, result.text)));
+            if (!updateInfo.changelog || !Array.isArray(updateInfo.changelog)) return callback(new AppstoreError(AppstoreError.EXTERNAL_ERROR, util.format('Bad response (bad version): %s %s', result.statusCode, result.text)));
+            if (!updateInfo.sourceTarballUrl || typeof updateInfo.sourceTarballUrl !== 'string') return callback(new AppstoreError(AppstoreError.EXTERNAL_ERROR, util.format('Bad response (bad sourceTarballUrl): %s %s', result.statusCode, result.text)));
+            if (!updateInfo.sourceTarballSigUrl || typeof updateInfo.sourceTarballSigUrl !== 'string') return callback(new AppstoreError(AppstoreError.EXTERNAL_ERROR, util.format('Bad response (bad sourceTarballSigUrl): %s %s', result.statusCode, result.text)));
+            if (!updateInfo.boxVersionsUrl || typeof updateInfo.boxVersionsUrl !== 'string') return callback(new AppstoreError(AppstoreError.EXTERNAL_ERROR, util.format('Bad response (bad boxVersionsUrl): %s %s', result.statusCode, result.text)));
+            if (!updateInfo.boxVersionsSigUrl || typeof updateInfo.boxVersionsSigUrl !== 'string') return callback(new AppstoreError(AppstoreError.EXTERNAL_ERROR, util.format('Bad response (bad boxVersionsSigUrl): %s %s', result.statusCode, result.text)));
+
+            callback(null, updateInfo);
         });
     });
 }
@@ -240,10 +279,21 @@ function getAppUpdate(app, callback) {
         superagent.get(url).query({ accessToken: appstoreConfig.token, boxVersion: config.version(), appId: app.appStoreId, appVersion: app.manifest.version }).timeout(10 * 1000).end(function (error, result) {
             if (error && !error.response) return callback(new AppstoreError(AppstoreError.EXTERNAL_ERROR, error));
             if (result.statusCode === 204) return callback(null); // no update
-            if (result.statusCode !== 200) return callback(new AppstoreError(AppstoreError.EXTERNAL_ERROR, util.format('Bad response: %s %s', result.statusCode, result.text)));
+            if (result.statusCode !== 200 || !result.body) return callback(new AppstoreError(AppstoreError.EXTERNAL_ERROR, util.format('Bad response: %s %s', result.statusCode, result.text)));
+
+            const updateInfo = result.body;
+
+            // for the appstore, x.y.z is the same as x.y.z-0 but in semver, x.y.z > x.y.z-0
+            const curAppVersion = semver.prerelease(app.manifest.version) ? app.manifest.version : `${app.manifest.version}-0`;
+
+            // do some sanity checks
+            if (!safe.query(updateInfo, 'manifest.version') || semver.gt(curAppVersion, safe.query(updateInfo, 'manifest.version'))) {
+                debug('Skipping malformed update of app %s version: %s. got %j', app.id, curAppVersion, updateInfo);
+                return callback(new AppstoreError(AppstoreError.EXTERNAL_ERROR, util.format('Malformed update: %s %s', result.statusCode, result.text)));
+            }
 
             // { id, creationDate, manifest }
-            callback(null, result.body);
+            callback(null, updateInfo);
         });
     });
 }
@@ -266,6 +316,47 @@ function getAccount(callback) {
     });
 }
 
+function registerCloudron(adminDomain, userId, token, callback) {
+    assert.strictEqual(typeof adminDomain, 'string');
+    assert.strictEqual(typeof userId, 'string');
+    assert.strictEqual(typeof token, 'string');
+    assert.strictEqual(typeof callback, 'function');
+
+    const url = `${config.apiServerOrigin()}/api/v1/users/${userId}/cloudrons`;
+
+    superagent.post(url).send({ domain: adminDomain }).query({ accessToken: token }).timeout(30 * 1000).end(function (error, result) {
+        if (error && !error.response) return callback(new AppstoreError(AppstoreError.EXTERNAL_ERROR, error.message));
+        if (result.statusCode === 401) return callback(new AppstoreError(AppstoreError.EXTERNAL_ERROR, 'invalid appstore token'));
+        if (result.statusCode !== 201) return callback(new AppstoreError(AppstoreError.EXTERNAL_ERROR, 'unable to register cloudron'));
+
+        const cloudronId = safe.query(result.body, 'cloudron.id');
+        if (!cloudronId) return callback(new AppstoreError(AppstoreError.EXTERNAL_ERROR, 'Invalid response - no cloudron id'));
+
+        debug(`setAppstoreConfig: Cloudron registered with id ${cloudronId}`);
+
+        callback(null, cloudronId);
+    });
+}
+
+function getCloudron(appstoreConfig, callback) {
+    assert.strictEqual(typeof appstoreConfig, 'object');
+    assert.strictEqual(typeof callback, 'function');
+
+    const { userId, cloudronId, token } = appstoreConfig;
+
+    const url = config.apiServerOrigin() + '/api/v1/users/' + userId + '/cloudrons/' + cloudronId;
+
+    superagent.get(url).query({ accessToken: token }).timeout(30 * 1000).end(function (error, result) {
+        if (error && !error.response) return callback(new AppstoreError(AppstoreError.EXTERNAL_ERROR, error.message));
+        if (result.statusCode === 401) return callback(new AppstoreError(AppstoreError.EXTERNAL_ERROR, 'invalid appstore token'));
+        if (result.statusCode === 403) return callback(new AppstoreError(AppstoreError.EXTERNAL_ERROR, 'wrong user'));
+        if (result.statusCode === 404) return callback(new AppstoreError(AppstoreError.NOT_FOUND, error.message));
+        if (result.statusCode !== 200) return callback(new AppstoreError(AppstoreError.EXTERNAL_ERROR, 'unknown error'));
+
+        callback();
+    });
+}
+
 function sendFeedback(info, callback) {
     assert.strictEqual(typeof info, 'object');
     assert.strictEqual(typeof info.email, 'string');
@@ -275,16 +366,26 @@ function sendFeedback(info, callback) {
     assert.strictEqual(typeof info.description, 'string');
     assert.strictEqual(typeof callback, 'function');
 
+    function collectAppInfoIfNeeded(callback) {
+        if (!info.appId) return callback();
+        apps.get(info.appId, callback);
+    }
+
     getAppstoreConfig(function (error, appstoreConfig) {
         if (error) return callback(error);
 
-        var url = config.apiServerOrigin() + '/api/v1/users/' + appstoreConfig.userId + '/cloudrons/' + appstoreConfig.cloudronId + '/feedback';
+        collectAppInfoIfNeeded(function (error, result) {
+            if (error) console.error('Unable to get app info', error);
+            if (result) info.app = result;
 
-        superagent.post(url).query({ accessToken: appstoreConfig.token }).send(info).timeout(10 * 1000).end(function (error, result) {
-            if (error && !error.response) return callback(new AppstoreError(AppstoreError.EXTERNAL_ERROR, error));
-            if (result.statusCode !== 201) return callback(new AppstoreError(AppstoreError.EXTERNAL_ERROR, util.format('Bad response: %s %s', result.statusCode, result.text)));
+            var url = config.apiServerOrigin() + '/api/v1/users/' + appstoreConfig.userId + '/cloudrons/' + appstoreConfig.cloudronId + '/feedback';
 
-            callback(null);
+            superagent.post(url).query({ accessToken: appstoreConfig.token }).send(info).timeout(10 * 1000).end(function (error, result) {
+                if (error && !error.response) return callback(new AppstoreError(AppstoreError.EXTERNAL_ERROR, error));
+                if (result.statusCode !== 201) return callback(new AppstoreError(AppstoreError.EXTERNAL_ERROR, util.format('Bad response: %s %s', result.statusCode, result.text)));
+
+                callback(null);
+            });
         });
     });
 }

src/apptask.js

@@ -8,60 +8,55 @@ exports = module.exports = {
 
     // exported for testing
     _reserveHttpPort: reserveHttpPort,
-    _configureNginx: configureNginx,
-    _unconfigureNginx: unconfigureNginx,
-    _createVolume: createVolume,
-    _deleteVolume: deleteVolume,
+    _configureReverseProxy: configureReverseProxy,
+    _unconfigureReverseProxy: unconfigureReverseProxy,
+    _createAppDir: createAppDir,
+    _deleteAppDir: deleteAppDir,
     _verifyManifest: verifyManifest,
     _registerSubdomain: registerSubdomain,
     _unregisterSubdomain: unregisterSubdomain,
-    _waitForDnsPropagation: waitForDnsPropagation,
-    _waitForAltDomainDnsPropagation: waitForAltDomainDnsPropagation
+    _waitForDnsPropagation: waitForDnsPropagation
 };
 
 require('supererror')({ splatchError: true });
 
-// remove timestamp from debug() based output
-require('debug').formatArgs = function formatArgs(args) {
-    args[0] = this.namespace + ' ' + args[0];
-};
-
 var addons = require('./addons.js'),
     appdb = require('./appdb.js'),
     apps = require('./apps.js'),
     assert = require('assert'),
     async = require('async'),
     backups = require('./backups.js'),
-    certificates = require('./certificates.js'),
     config = require('./config.js'),
     database = require('./database.js'),
     DatabaseError = require('./databaseerror.js'),
     debug = require('debug')('box:apptask'),
     docker = require('./docker.js'),
     domains = require('./domains.js'),
-    DomainError = domains.DomainError,
+    DomainsError = domains.DomainsError,
     ejs = require('ejs'),
     fs = require('fs'),
     manifestFormat = require('cloudron-manifestformat'),
+    mkdirp = require('mkdirp'),
     net = require('net'),
-    nginx = require('./nginx.js'),
     os = require('os'),
     path = require('path'),
     paths = require('./paths.js'),
+    reverseProxy = require('./reverseproxy.js'),
+    rimraf = require('rimraf'),
     safe = require('safetydance'),
     shell = require('./shell.js'),
     superagent = require('superagent'),
     sysinfo = require('./sysinfo.js'),
-    tld = require('tldjs'),
     util = require('util'),
     _ = require('underscore');
 
 var COLLECTD_CONFIG_EJS = fs.readFileSync(__dirname + '/collectd.config.ejs', { encoding: 'utf8' }),
     CONFIGURE_COLLECTD_CMD = path.join(__dirname, 'scripts/configurecollectd.sh'),
+    MV_VOLUME_CMD = path.join(__dirname, 'scripts/mvvolume.sh'),
     LOGROTATE_CONFIG_EJS = fs.readFileSync(__dirname + '/logrotate.ejs', { encoding: 'utf8' }),
-    CONFIGURE_LOGROTATE_CMD = path.join(__dirname, 'scripts/configurelogrotate.sh'),
-    RMAPPDIR_CMD = path.join(__dirname, 'scripts/rmappdir.sh'),
-    CREATEAPPDIR_CMD = path.join(__dirname, 'scripts/createappdir.sh');
+    CONFIGURE_LOGROTATE_CMD = path.join(__dirname, 'scripts/configurelogrotate.sh');
+
+var NOOP_CALLBACK = function (error) { if (error) debug(error); };
 
 function initialize(callback) {
     assert.strictEqual(typeof callback, 'function');
@@ -72,8 +67,7 @@ function initialize(callback) {
 function debugApp(app) {
     assert.strictEqual(typeof app, 'object');
 
-    var prefix = app ? (app.intrinsicFqdn || '(bare)') : '(no app)';
-    debug(prefix + ' ' + util.format.apply(util, Array.prototype.slice.call(arguments, 1)));
+    debug(app.fqdn + ' ' + util.format.apply(util, Array.prototype.slice.call(arguments, 1)));
 }
 
 // updates the app object and the database
@@ -113,23 +107,19 @@ function reserveHttpPort(app, callback) {
     });
 }
 
-function configureNginx(app, callback) {
+function configureReverseProxy(app, callback) {
     assert.strictEqual(typeof app, 'object');
     assert.strictEqual(typeof callback, 'function');
 
-    certificates.ensureCertificate(app, function (error, certFilePath, keyFilePath) {
-        if (error) return callback(error);
-
-        nginx.configureApp(app, certFilePath, keyFilePath, callback);
-    });
+    reverseProxy.configureApp(app, { userId: null, username: 'apptask' }, callback);
 }
 
-function unconfigureNginx(app, callback) {
+function unconfigureReverseProxy(app, callback) {
     assert.strictEqual(typeof app, 'object');
     assert.strictEqual(typeof callback, 'function');
 
     // TODO: maybe revoke the cert
-    nginx.unconfigureApp(app, callback);
+    reverseProxy.unconfigureApp(app, callback);
 }
 
 function createContainer(app, callback) {
@@ -146,32 +136,62 @@ function createContainer(app, callback) {
     });
 }
 
-function deleteContainers(app, callback) {
+function deleteContainers(app, options, callback) {
     assert.strictEqual(typeof app, 'object');
+    assert.strictEqual(typeof options, 'object');
     assert.strictEqual(typeof callback, 'function');
 
     debugApp(app, 'deleting app containers (app, scheduler)');
 
-    docker.deleteContainers(app.id, function (error) {
+    docker.deleteContainers(app.id, options, function (error) {
         if (error) return callback(new Error('Error deleting container: ' + error));
 
         updateApp(app, { containerId: null }, callback);
     });
 }
 
-function createVolume(app, callback) {
+function createAppDir(app, callback) {
     assert.strictEqual(typeof app, 'object');
     assert.strictEqual(typeof callback, 'function');
 
-    shell.sudo('createVolume', [ CREATEAPPDIR_CMD, app.id ], callback);
+    mkdirp(path.join(paths.APPS_DATA_DIR, app.id), callback);
 }
 
-function deleteVolume(app, options, callback) {
+function deleteAppDir(app, options, callback) {
     assert.strictEqual(typeof app, 'object');
     assert.strictEqual(typeof options, 'object');
     assert.strictEqual(typeof callback, 'function');
 
-    shell.sudo('deleteVolume', [ RMAPPDIR_CMD, app.id, !!options.removeDirectory ], callback);
+    const appDataDir = path.join(paths.APPS_DATA_DIR, app.id);
+
+    // resolve any symlinked data dir
+    const stat = safe.fs.lstatSync(appDataDir);
+    if (!stat) return callback(null);
+
+    const resolvedAppDataDir = stat.isSymbolicLink() ? safe.fs.readlinkSync(appDataDir) : appDataDir;
+
+    if (safe.fs.existsSync(resolvedAppDataDir)) {
+        const entries = safe.fs.readdirSync(resolvedAppDataDir);
+        if (!entries) return callback(`Error listing ${resolvedAppDataDir}: ${safe.error.message}`);
+
+        // remove only files. directories inside app dir are currently volumes managed by the addons
+        // we cannot delete those dirs anyway because of perms
+        entries.forEach(function (entry) {
+            let stat = safe.fs.statSync(path.join(resolvedAppDataDir, entry));
+            if (stat && !stat.isDirectory()) safe.fs.unlinkSync(path.join(resolvedAppDataDir, entry));
+        });
+    }
+
+    // if this fails, it's probably because the localstorage/redis addons have not cleaned up properly
+    if (options.removeDirectory) {
+        if (stat.isSymbolicLink()) {
+            if (!safe.fs.unlinkSync(appDataDir)) return callback(safe.error.code === 'ENOENT' ? null : safe.error);
+        } else {
+            if (!safe.fs.rmdirSync(appDataDir)) return callback(safe.error.code === 'ENOENT' ? null : safe.error);
+        }
+    }
+
+    callback(null);
 }
 
 function addCollectdProfile(app, callback) {
@@ -181,7 +201,7 @@ function addCollectdProfile(app, callback) {
     var collectdConf = ejs.render(COLLECTD_CONFIG_EJS, { appId: app.id, containerId: app.containerId });
     fs.writeFile(path.join(paths.COLLECTD_APPCONFIG_DIR, app.id + '.conf'), collectdConf, function (error) {
         if (error) return callback(error);
-        shell.sudo('addCollectdProfile', [ CONFIGURE_COLLECTD_CMD, 'add', app.id ], callback);
+        shell.sudo('addCollectdProfile', [ CONFIGURE_COLLECTD_CMD, 'add', app.id ], {}, callback);
     });
 }
 
@@ -191,7 +211,7 @@ function removeCollectdProfile(app, callback) {
 
     fs.unlink(path.join(paths.COLLECTD_APPCONFIG_DIR, app.id + '.conf'), function (error) {
         if (error && error.code !== 'ENOENT') debugApp(app, 'Error removing collectd profile', error);
-        shell.sudo('removeCollectdProfile', [ CONFIGURE_COLLECTD_CMD, 'remove', app.id ], callback);
+        shell.sudo('removeCollectdProfile', [ CONFIGURE_COLLECTD_CMD, 'remove', app.id ], {}, callback);
     });
 }
 
@@ -210,7 +230,7 @@ function addLogrotateConfig(app, callback) {
         var tmpFilePath = path.join(os.tmpdir(), app.id + '.logrotate');
         fs.writeFile(tmpFilePath, logrotateConf, function (error) {
             if (error) return callback(error);
-            shell.sudo('addLogrotateConfig', [ CONFIGURE_LOGROTATE_CMD, 'add', app.id, tmpFilePath ], callback);
+            shell.sudo('addLogrotateConfig', [ CONFIGURE_LOGROTATE_CMD, 'add', app.id, tmpFilePath ], {}, callback);
         });
     });
 }
@@ -219,7 +239,7 @@ function removeLogrotateConfig(app, callback) {
     assert.strictEqual(typeof app, 'object');
     assert.strictEqual(typeof callback, 'function');
 
-    shell.sudo('removeLogrotateConfig', [ CONFIGURE_LOGROTATE_CMD, 'remove', app.id ], callback);
+    shell.sudo('removeLogrotateConfig', [ CONFIGURE_LOGROTATE_CMD, 'remove', app.id ], {}, callback);
 }
 
 function verifyManifest(manifest, callback) {
@@ -271,26 +291,27 @@ function registerSubdomain(app, overwrite, callback) {
         if (error) return callback(error);
 
         async.retry({ times: 200, interval: 5000 }, function (retryCallback) {
-            debugApp(app, 'Registering subdomain location [%s] overwrite: %s', app.intrinsicFqdn, overwrite);
+            debugApp(app, 'Registering subdomain location [%s] overwrite: %s', app.fqdn, overwrite);
 
             // get the current record before updating it
-            domains.getDNSRecords(app.location, app.domain, 'A', function (error, values) {
+            domains.getDnsRecords(app.location, app.domain, 'A', function (error, values) {
                 if (error) return retryCallback(error);
 
                 // refuse to update any existing DNS record for custom domains that we did not create
                 if (values.length !== 0 && !overwrite) return retryCallback(null, new Error('DNS Record already exists'));
 
-                domains.upsertDNSRecords(app.location, app.domain, 'A', [ ip ], function (error, changeId) {
-                    if (error && (error.reason === DomainError.STILL_BUSY || error.reason === DomainError.EXTERNAL_ERROR)) return retryCallback(error); // try again
+                domains.upsertDnsRecords(app.location, app.domain, 'A', [ ip ], function (error) {
+                    if (error && (error.reason === DomainsError.STILL_BUSY || error.reason === DomainsError.EXTERNAL_ERROR)) {
+                        debug('Upsert error. Will retry.', error.message);
+                        return retryCallback(error); // try again
+                    }
 
-                    retryCallback(null, error || changeId);
+                    retryCallback(null, error);
                 });
             });
         }, function (error, result) {
             if (error || result instanceof Error) return callback(error || result);
-
-            // dnsRecordId tracks whether we created this DNS record so that we can unregister later
-            updateApp(app, { dnsRecordId: result }, callback);
+            callback(null);
         });
     });
 }
@@ -301,31 +322,97 @@ function unregisterSubdomain(app, location, domain, callback) {
     assert.strictEqual(typeof domain, 'string');
     assert.strictEqual(typeof callback, 'function');
 
-    if (!app.dnsRecordId) {
-        debugApp(app, 'Skip unregister of record not created by cloudron');
-        return callback(null);
-    }
-
     sysinfo.getPublicIp(function (error, ip) {
         if (error) return callback(error);
 
         async.retry({ times: 30, interval: 5000 }, function (retryCallback) {
-            debugApp(app, 'Unregistering subdomain: %s', app.intrinsicFqdn);
+            debugApp(app, 'Unregistering subdomain: %s', app.fqdn);
 
-            domains.removeDNSRecords(location, domain, 'A', [ ip ], function (error) {
-                if (error && error.reason === DomainError.NOT_FOUND) return retryCallback(null, null); // domain can be not found if oldConfig.domain or restoreConfig.domain was removed
-                if (error && (error.reason === DomainError.STILL_BUSY || error.reason === DomainError.EXTERNAL_ERROR)) return retryCallback(error); // try again
+            domains.removeDnsRecords(location, domain, 'A', [ ip ], function (error) {
+                if (error && error.reason === DomainsError.NOT_FOUND) return retryCallback(null, null); // domain can be not found if oldConfig.domain or restoreConfig.domain was removed
+                if (error && (error.reason === DomainsError.STILL_BUSY || error.reason === DomainsError.EXTERNAL_ERROR)) return retryCallback(error); // try again
 
                 retryCallback(null, error);
             });
         }, function (error, result) {
             if (error || result instanceof Error) return callback(error || result);
-
-            updateApp(app, { dnsRecordId: null }, callback);
+            callback(null);
         });
     });
 }
 
+function registerAlternateDomains(app, overwrite, callback) {
+    assert.strictEqual(typeof app, 'object');
+    assert.strictEqual(typeof overwrite, 'boolean');
+    assert.strictEqual(typeof callback, 'function');
+
+    sysinfo.getPublicIp(function (error, ip) {
+        if (error) return callback(error);
+
+        async.eachSeries(app.alternateDomains, function (domain, callback) {
+            async.retry({ times: 200, interval: 5000 }, function (retryCallback) {
+                debugApp(app, 'Registering alternate subdomain [%s] overwrite: %s', (domain.subdomain ? (domain.subdomain + '.') : '') + domain.domain, overwrite);
+
+                // get the current record before updating it
+                domains.getDnsRecords(domain.subdomain, domain.domain, 'A', function (error, values) {
+                    if (error) return retryCallback(error);
+
+                    // refuse to update any existing DNS record for custom domains that we did not create
+                    if (values.length !== 0 && !overwrite) return retryCallback(null, new Error('DNS Record already exists'));
+
+                    domains.upsertDnsRecords(domain.subdomain, domain.domain, 'A', [ ip ], function (error) {
+                        if (error && (error.reason === DomainsError.STILL_BUSY || error.reason === DomainsError.EXTERNAL_ERROR)) {
+                            debug('Upsert error. Will retry.', error.message);
+                            return retryCallback(error); // try again
+                        }
+                        retryCallback(null, error);
+                    });
+                });
+            }, function (error, result) {
+                if (error || result instanceof Error) return callback(error || result);
+                callback();
+            });
+        }, callback);
+    });
+}
+
+function unregisterAlternateDomains(app, all, callback) {
+    assert.strictEqual(typeof app, 'object');
+    assert.strictEqual(typeof all, 'boolean');
+    assert.strictEqual(typeof callback, 'function');
+
+    let obsoleteDomains = [];
+    if (all) {
+        obsoleteDomains = app.alternateDomains;
+    } else if (app.oldConfig) { // oldConfig can be null during an infra update
+        obsoleteDomains = app.oldConfig.alternateDomains.filter(function (o) {
+            return !app.alternateDomains.some(function (n) { return n.subdomain === o.subdomain && n.domain === o.domain; });
+        });
+    }
+
+    if (obsoleteDomains.length === 0) return callback();
+
+    sysinfo.getPublicIp(function (error, ip) {
+        if (error) return callback(error);
+
+        async.eachSeries(obsoleteDomains, function (domain, callback) {
+            async.retry({ times: 30, interval: 5000 }, function (retryCallback) {
+                debugApp(app, 'Unregistering subdomain: %s%s', domain.subdomain ? (domain.subdomain + '.') : '', domain.domain);
+
+                domains.removeDnsRecords(domain.subdomain, domain.domain, 'A', [ ip ], function (error) {
+                    if (error && error.reason === DomainsError.NOT_FOUND) return retryCallback(null, null);
+                    if (error && (error.reason === DomainsError.STILL_BUSY || error.reason === DomainsError.EXTERNAL_ERROR)) return retryCallback(error); // try again
+
+                    retryCallback(null, error);
+                });
+            }, function (error, result) {
+                if (error || result instanceof Error) return callback(error || result);
+                callback();
+            });
+        }, callback);
+    });
+}
+
 function removeIcon(app, callback) {
     assert.strictEqual(typeof app, 'object');
     assert.strictEqual(typeof callback, 'function');
@@ -336,6 +423,18 @@ function removeIcon(app, callback) {
     });
 }
 
+function cleanupLogs(app, callback) {
+    assert.strictEqual(typeof app, 'object');
+    assert.strictEqual(typeof callback, 'function');
+
+    // note that redis container logs are cleaned up by the addon
+    rimraf(path.join(paths.LOG_DIR, app.id), function (error) {
+        if (error) debugApp(app, 'cannot cleanup logs: %s', error);
+
+        callback(null);
+    });
+}
+
 function waitForDnsPropagation(app, callback) {
     assert.strictEqual(typeof app, 'object');
     assert.strictEqual(typeof callback, 'function');
@@ -348,25 +447,28 @@ function waitForDnsPropagation(app, callback) {
     sysinfo.getPublicIp(function (error, ip) {
         if (error) return callback(error);
 
-        domains.waitForDNSRecord(app.intrinsicFqdn, app.domain, ip, 'A', { interval: 5000, times: 120 }, callback);
+        domains.waitForDnsRecord(app.location, app.domain, 'A', ip, { interval: 5000, times: 240 }, function (error) {
+            if (error) return callback(error);
+
+            // now wait for alternateDomains, if any
+            async.eachSeries(app.alternateDomains, function (domain, iteratorCallback) {
+                domains.waitForDnsRecord(domain.subdomain, domain.domain, 'A', ip, { interval: 5000, times: 240 }, iteratorCallback);
+            }, callback);
+        });
     });
 }
 
-function waitForAltDomainDnsPropagation(app, callback) {
-    if (!app.altDomain) return callback(null);
+function migrateDataDir(app, sourceDir, callback) {
+    assert.strictEqual(typeof app, 'object');
+    assert.strictEqual(typeof sourceDir, 'string');
+    assert.strictEqual(typeof callback, 'function');
 
-    // try for 10 minutes before giving up. this allows the user to "reconfigure" the app in the case where
-    // an app has an external domain and cloudron is migrated to custom domain.
-    var isNakedDomain = tld.getDomain(app.altDomain) === app.altDomain;
-    if (isNakedDomain) { // check naked domains with A record since CNAME records don't work there
-        sysinfo.getPublicIp(function (error, ip) {
-            if (error) return callback(error);
+    let resolvedSourceDir = apps.getDataDir(app, sourceDir);
+    let resolvedTargetDir = apps.getDataDir(app, app.dataDir);
 
-            domains.waitForDNSRecord(app.altDomain, tld.getDomain(app.altDomain), ip, 'A', { interval: 10000, times: 60 }, callback);
-        });
-    } else {
-        domains.waitForDNSRecord(app.altDomain, tld.getDomain(app.altDomain), app.intrinsicFqdn + '.', 'CNAME', { interval: 10000, times: 60 }, callback);
-    }
+    debug(`migrateDataDir: migrating data from ${resolvedSourceDir} to ${resolvedTargetDir}`);
+
+    shell.sudo('migrateDataDir', [ MV_VOLUME_CMD, resolvedSourceDir, resolvedTargetDir ], {}, callback);
 }
 
 // Ordering is based on the following rationale:
@@ -393,14 +495,18 @@ function install(app, callback) {
 
         // teardown for re-installs
         updateApp.bind(null, app, { installationProgress: '10, Cleaning up old install' }),
-        unconfigureNginx.bind(null, app),
+        unconfigureReverseProxy.bind(null, app),
         removeCollectdProfile.bind(null, app),
         removeLogrotateConfig.bind(null, app),
         stopApp.bind(null, app),
-        deleteContainers.bind(null, app),
-        // oldConfig can be null during upgrades
-        addons.teardownAddons.bind(null, app, app.oldConfig ? app.oldConfig.manifest.addons : app.manifest.addons),
-        deleteVolume.bind(null, app, { removeDirectory: false }), // do not remove any symlinked volume
+        deleteContainers.bind(null, app, { managedOnly: true }),
+        function teardownAddons(next) {
+            // when restoring, app does not require these addons anymore. remove carefully to preserve the db passwords
+            var addonsToRemove = !isRestoring ? app.manifest.addons : _.omit(app.oldConfig.manifest.addons, Object.keys(app.manifest.addons));
+
+            addons.teardownAddons(app, addonsToRemove, next);
+        },
+        deleteAppDir.bind(null, app, { removeDirectory: false }), // do not remove any symlinked appdata dir
 
         // for restore case
         function deleteImageIfChanged(done) {
@@ -417,11 +523,14 @@ function install(app, callback) {
         updateApp.bind(null, app, { installationProgress: '30, Registering subdomain' }),
         registerSubdomain.bind(null, app, isRestoring /* overwrite */),
 
+        updateApp.bind(null, app, { installationProgress: '35, Registering alternate domains'}),
+        registerAlternateDomains.bind(null, app, isRestoring /* overwrite */),
+
         updateApp.bind(null, app, { installationProgress: '40, Downloading image' }),
         docker.downloadImage.bind(null, app.manifest),
 
-        updateApp.bind(null, app, { installationProgress: '50, Creating volume' }),
-        createVolume.bind(null, app),
+        updateApp.bind(null, app, { installationProgress: '50, Creating app data directory' }),
+        createAppDir.bind(null, app),
 
         function restoreFromBackup(next) {
             if (!restoreConfig) {
@@ -431,8 +540,10 @@ function install(app, callback) {
                 ], next);
             } else {
                 async.series([
-                    updateApp.bind(null, app, { installationProgress: '60, Download backup and restoring addons' }),
-                    backups.restoreApp.bind(null, app, app.manifest.addons, restoreConfig),
+                    updateApp.bind(null, app, { installationProgress: '65, Download backup and restoring addons' }),
+                    addons.setupAddons.bind(null, app, app.manifest.addons),
+                    addons.clearAddons.bind(null, app, app.manifest.addons),
+                    backups.restoreApp.bind(null, app, app.manifest.addons, restoreConfig, (progress) => updateApp(app, { installationProgress: `65, Restore - ${progress.message}` }, NOOP_CALLBACK))
                 ], next);
             }
         },
@@ -451,11 +562,8 @@ function install(app, callback) {
         updateApp.bind(null, app, { installationProgress: '85, Waiting for DNS propagation' }),
         exports._waitForDnsPropagation.bind(null, app),
 
-        updateApp.bind(null, app, { installationProgress: '90, Waiting for External Domain setup' }),
-        exports._waitForAltDomainDnsPropagation.bind(null, app), // required when restoring and !restoreConfig
-
-        updateApp.bind(null, app, { installationProgress: '95, Configure nginx' }),
-        configureNginx.bind(null, app),
+        updateApp.bind(null, app, { installationProgress: '95, Configuring reverse proxy' }),
+        configureReverseProxy.bind(null, app),
 
         // done!
         function (callback) {
@@ -477,7 +585,7 @@ function backup(app, callback) {
 
     async.series([
         updateApp.bind(null, app, { installationProgress: '10, Backing up' }),
-        backups.backupApp.bind(null, app),
+        backups.backupApp.bind(null, app, (progress) => updateApp(app, { installationProgress: `30, ${progress.message}` }, NOOP_CALLBACK)),
 
         // done!
         function (callback) {
@@ -499,20 +607,21 @@ function configure(app, callback) {
     assert.strictEqual(typeof callback, 'function');
 
     // oldConfig can be null during an infra update
-    var locationChanged = app.oldConfig && (app.oldConfig.intrinsicFqdn !== app.intrinsicFqdn);
+    const locationChanged = app.oldConfig && (app.oldConfig.fqdn !== app.fqdn);
+    const dataDirChanged = app.oldConfig && (app.oldConfig.dataDir !== app.dataDir);
 
     async.series([
         updateApp.bind(null, app, { installationProgress: '10, Cleaning up old install' }),
-        unconfigureNginx.bind(null, app),
+        unconfigureReverseProxy.bind(null, app),
         removeCollectdProfile.bind(null, app),
         removeLogrotateConfig.bind(null, app),
         stopApp.bind(null, app),
-        deleteContainers.bind(null, app),
+        deleteContainers.bind(null, app, { managedOnly: true }),
+        unregisterAlternateDomains.bind(null, app, false /* all */),
         function (next) {
             if (!locationChanged) return next();
 
-            // the config.fqdn() fallback can be removed after 1.9
-            unregisterSubdomain(app, app.oldConfig.location, app.oldConfig.domain || config.fqdn(), next);
+            unregisterSubdomain(app, app.oldConfig.location, app.oldConfig.domain, next);
         },
 
         reserveHttpPort.bind(null, app),
@@ -520,19 +629,29 @@ function configure(app, callback) {
         updateApp.bind(null, app, { installationProgress: '20, Downloading icon' }),
         downloadIcon.bind(null, app),
 
-        updateApp.bind(null, app, { installationProgress: '35, Registering subdomain' }),
+        updateApp.bind(null, app, { installationProgress: '30, Registering subdomain' }),
         registerSubdomain.bind(null, app, !locationChanged /* overwrite */), // if location changed, do not overwrite to detect conflicts
 
+        updateApp.bind(null, app, { installationProgress: '35, Registering alternate domains'}),
+        registerAlternateDomains.bind(null, app, true /* overwrite */), // figure out when to overwrite
+
         updateApp.bind(null, app, { installationProgress: '40, Downloading image' }),
         docker.downloadImage.bind(null, app.manifest),
 
-        updateApp.bind(null, app, { installationProgress: '45, Ensuring volume' }),
-        createVolume.bind(null, app),
+        updateApp.bind(null, app, { installationProgress: '45, Ensuring app data directory' }),
+        createAppDir.bind(null, app),
 
         // re-setup addons since they rely on the app's fqdn (e.g oauth)
         updateApp.bind(null, app, { installationProgress: '50, Setting up addons' }),
         addons.setupAddons.bind(null, app, app.manifest.addons),
 
+        // migrate dataDir
+        function (next) {
+            if (!dataDirChanged) return next();
+
+            migrateDataDir(app, app.oldConfig.dataDir, next);
+        },
+
         updateApp.bind(null, app, { installationProgress: '60, Creating container' }),
         createContainer.bind(null, app),
 
@@ -547,11 +666,8 @@ function configure(app, callback) {
         updateApp.bind(null, app, { installationProgress: '80, Waiting for DNS propagation' }),
         exports._waitForDnsPropagation.bind(null, app),
 
-        updateApp.bind(null, app, { installationProgress: '85, Waiting for External Domain setup' }),
-        exports._waitForAltDomainDnsPropagation.bind(null, app),
-
-        updateApp.bind(null, app, { installationProgress: '90, Configuring Nginx' }),
-        configureNginx.bind(null, app),
+        updateApp.bind(null, app, { installationProgress: '90, Configuring reverse proxy' }),
+        configureReverseProxy.bind(null, app),
 
         // done!
         function (callback) {
@@ -589,7 +705,7 @@ function update(app, callback) {
 
             async.series([
                 updateApp.bind(null, app, { installationProgress: '15, Backing up app' }),
-                backups.backupApp.bind(null, app)
+                backups.backupApp.bind(null, app, (progress) => updateApp(app, { installationProgress: `15, Backup - ${progress.message}` }, NOOP_CALLBACK))
             ], function (error) {
                 if (error) error.backupError = true;
                 next(error);
@@ -607,7 +723,7 @@ function update(app, callback) {
         removeCollectdProfile.bind(null, app),
         removeLogrotateConfig.bind(null, app),
         stopApp.bind(null, app),
-        deleteContainers.bind(null, app),
+        deleteContainers.bind(null, app, { managedOnly: true }),
         function deleteImageIfChanged(done) {
             if (app.manifest.dockerImage === app.updateConfig.manifest.dockerImage) return done();
 
@@ -619,14 +735,14 @@ function update(app, callback) {
 
         // free unused ports
         function (next) {
-            // make sure we always have objects
-            var currentPorts = app.portBindings || {};
-            var newPorts = app.updateConfig.manifest.tcpPorts || {};
+            const currentPorts = app.portBindings || {};
+            const newTcpPorts = app.updateConfig.manifest.tcpPorts || {};
+            const newUdpPorts = app.updateConfig.manifest.udpPorts || {};
 
             async.each(Object.keys(currentPorts), function (portName, callback) {
-                if (newPorts[portName]) return callback(); // port still in use
+                if (newTcpPorts[portName] || newUdpPorts[portName]) return callback(); // port still in use
 
-                appdb.delPortBinding(currentPorts[portName], function (error) {
+                appdb.delPortBinding(currentPorts[portName], apps.PORT_TYPE_TCP, function (error) {
                     if (error && error.reason === DatabaseError.NOT_FOUND) console.error('Portbinding does not exist in database.');
                     else if (error) return next(error);
 
@@ -693,25 +809,29 @@ function uninstall(app, callback) {
         stopApp.bind(null, app),
 
         updateApp.bind(null, app, { installationProgress: '20, Deleting container' }),
-        deleteContainers.bind(null, app),
+        deleteContainers.bind(null, app, {}),
 
         updateApp.bind(null, app, { installationProgress: '30, Teardown addons' }),
         addons.teardownAddons.bind(null, app, app.manifest.addons),
 
-        updateApp.bind(null, app, { installationProgress: '40, Deleting volume' }),
-        deleteVolume.bind(null, app, { removeDirectory: true }),
+        updateApp.bind(null, app, { installationProgress: '40, Deleting app data directory' }),
+        deleteAppDir.bind(null, app, { removeDirectory: true }),
 
         updateApp.bind(null, app, { installationProgress: '50, Deleting image' }),
         docker.deleteImage.bind(null, app.manifest),
 
-        updateApp.bind(null, app, { installationProgress: '60, Unregistering subdomain' }),
+        updateApp.bind(null, app, { installationProgress: '60, Unregistering domains' }),
+        unregisterAlternateDomains.bind(null, app, true /* all */),
         unregisterSubdomain.bind(null, app, app.location, app.domain),
 
-        updateApp.bind(null, app, { installationProgress: '80, Cleanup icon' }),
+        updateApp.bind(null, app, { installationProgress: '70, Cleanup icon' }),
         removeIcon.bind(null, app),
 
-        updateApp.bind(null, app, { installationProgress: '90, Unconfiguring Nginx' }),
-        unconfigureNginx.bind(null, app),
+        updateApp.bind(null, app, { installationProgress: '80, Unconfiguring reverse proxy' }),
+        unconfigureReverseProxy.bind(null, app),
+
+        updateApp.bind(null, app, { installationProgress: '90, Cleanup logs' }),
+        cleanupLogs.bind(null, app),
 
         updateApp.bind(null, app, { installationProgress: '95, Remove app from database' }),
         appdb.del.bind(null, app.id)
@@ -801,6 +921,8 @@ function startTask(appId, callback) {
 if (require.main === module) {
     assert.strictEqual(process.argv.length, 3, 'Pass the appid as argument');
 
+    // add a separator for the log file
+    debug('------------------------------------------------------------');
     debug('Apptask for %s', process.argv[2]);
 
     process.on('SIGTERM', function () {

src/auth.js

@@ -1,125 +0,0 @@
-'use strict';
-
-exports = module.exports = {
-    initialize: initialize,
-    uninitialize: uninitialize,
-
-    accessTokenAuth: accessTokenAuth
-};
-
-var assert = require('assert'),
-    BasicStrategy = require('passport-http').BasicStrategy,
-    BearerStrategy = require('passport-http-bearer').Strategy,
-    clients = require('./clients'),
-    ClientPasswordStrategy = require('passport-oauth2-client-password').Strategy,
-    ClientsError = clients.ClientsError,
-    DatabaseError = require('./databaseerror'),
-    debug = require('debug')('box:auth'),
-    LocalStrategy = require('passport-local').Strategy,
-    crypto = require('crypto'),
-    passport = require('passport'),
-    tokendb = require('./tokendb'),
-    user = require('./user'),
-    UserError = user.UserError,
-    _ = require('underscore');
-
-function initialize(callback) {
-    assert.strictEqual(typeof callback, 'function');
-    
-    passport.serializeUser(function (user, callback) {
-        callback(null, user.id);
-    });
-    
-    passport.deserializeUser(function(userId, callback) {
-        user.get(userId, function (error, result) {
-            if (error) return callback(error);
-            
-            var md5 = crypto.createHash('md5').update(result.alternateEmail || result.email).digest('hex');
-            result.gravatar = 'https://www.gravatar.com/avatar/' + md5 + '.jpg?s=24&d=mm';
-            
-            callback(null, result);
-        });
-    });
-    
-    passport.use(new LocalStrategy(function (username, password, callback) {
-        if (username.indexOf('@') === -1) {
-            user.verifyWithUsername(username, password, function (error, result) {
-                if (error && error.reason === UserError.NOT_FOUND) return callback(null, false);
-                if (error && error.reason === UserError.WRONG_PASSWORD) return callback(null, false);
-                if (error) return callback(error);
-                if (!result) return callback(null, false);
-                callback(null, _.pick(result, 'id', 'username', 'email', 'admin'));
-            });
-        } else {
-            user.verifyWithEmail(username, password, function (error, result) {
-                if (error && error.reason === UserError.NOT_FOUND) return callback(null, false);
-                if (error && error.reason === UserError.WRONG_PASSWORD) return callback(null, false);
-                if (error) return callback(error);
-                if (!result) return callback(null, false);
-                callback(null, _.pick(result, 'id', 'username', 'email', 'admin'));
-            });
-        }
-    }));
-    
-    passport.use(new BasicStrategy(function (username, password, callback) {
-        if (username.indexOf('cid-') === 0) {
-            debug('BasicStrategy: detected client id %s instead of username:password', username);
-            // username is actually client id here
-            // password is client secret
-            clients.get(username, function (error, client) {
-                if (error && error.reason === ClientsError.NOT_FOUND) return callback(null, false);
-                if (error) return callback(error);
-                if (client.clientSecret != password) return callback(null, false);
-                return callback(null, client);
-            });
-        } else {
-            user.verifyWithUsername(username, password, function (error, result) {
-                if (error && error.reason === UserError.NOT_FOUND) return callback(null, false);
-                if (error && error.reason === UserError.WRONG_PASSWORD) return callback(null, false);
-                if (error) return callback(error);
-                if (!result) return callback(null, false);
-                callback(null, result);
-            });
-        }
-    }));
-    
-    passport.use(new ClientPasswordStrategy(function (clientId, clientSecret, callback) {
-        clients.get(clientId, function(error, client) {
-            if (error && error.reason === ClientsError.NOT_FOUND) return callback(null, false);
-            if (error) { return callback(error); }
-            if (client.clientSecret != clientSecret) { return callback(null, false); }
-            return callback(null, client);
-        });
-    }));
-    
-    passport.use(new BearerStrategy(accessTokenAuth));
-    
-    callback(null);
-}
-
-function uninitialize(callback) {
-    assert.strictEqual(typeof callback, 'function');
-    
-    callback(null);
-}
-
-function accessTokenAuth(accessToken, callback) {
-    assert.strictEqual(typeof accessToken, 'string');
-    assert.strictEqual(typeof callback, 'function');
-
-    tokendb.get(accessToken, function (error, token) {
-        if (error && error.reason === DatabaseError.NOT_FOUND) return callback(null, false);
-        if (error) return callback(error);
-        
-        // scopes here can define what capabilities that token carries
-        // passport put the 'info' object into req.authInfo, where we can further validate the scopes
-        var info = { scope: token.scope };
-        
-        user.get(token.identifier, function (error, user) {
-            if (error && error.reason === UserError.NOT_FOUND) return callback(null, false);
-            if (error) return callback(error);
-            
-            callback(null, user, info);
-        });
-    });
-}

src/caas.js

@@ -1,27 +1,21 @@
 'use strict';
 
 exports = module.exports = {
-    changePlan: changePlan,
-    upgrade: upgrade,
+    verifySetupToken: verifySetupToken,
+    setupDone: setupDone,
+
     sendHeartbeat: sendHeartbeat,
-    getBoxAndUserDetails: getBoxAndUserDetails,
-    setPtrRecord: setPtrRecord
+    setPtrRecord: setPtrRecord,
+
+    CaasError: CaasError
 };
 
 var assert = require('assert'),
-    backups = require('./backups.js'),
     config = require('./config.js'),
     debug = require('debug')('box:caas'),
-    locker = require('./locker.js'),
-    path = require('path'),
-    progress = require('./progress.js'),
-    shell = require('./shell.js'),
+    settings = require('./settings.js'),
     superagent = require('superagent'),
-    util = require('util'),
-    _ = require('underscore');
-
-const RETIRE_CMD = path.join(__dirname, 'scripts/retire.sh');
-var gBoxAndUserDetails = null;         // cached cloudron details like region,size...
+    util = require('util');
 
 function CaasError(reason, errorOrMessage) {
     assert.strictEqual(typeof reason, 'string');
@@ -43,103 +37,58 @@ function CaasError(reason, errorOrMessage) {
 }
 util.inherits(CaasError, Error);
 CaasError.BAD_FIELD = 'Field error';
+CaasError.BAD_STATE = 'Bad state';
+CaasError.INVALID_TOKEN = 'Invalid Token';
 CaasError.INTERNAL_ERROR = 'Internal Error';
 CaasError.EXTERNAL_ERROR = 'External Error';
-CaasError.BAD_STATE = 'Bad state';
 
-var NOOP_CALLBACK = function (error) { if (error) debug(error); };
-
-function retire(reason, info, callback) {
-    assert(reason === 'migrate' || reason === 'upgrade');
-    info = info || { };
-    callback = callback || NOOP_CALLBACK;
-
-    var data = {
-        apiServerOrigin: config.apiServerOrigin(),
-        adminFqdn: config.adminFqdn(),
-        fqdn: config.fqdn()
-    };
-    shell.sudo('retire', [ RETIRE_CMD, reason, JSON.stringify(info), JSON.stringify(data) ], callback);
-}
-
-function doMigrate(options, callback) {
-    assert.strictEqual(typeof options, 'object');
+function getCaasConfig(callback) {
     assert.strictEqual(typeof callback, 'function');
 
-    var error = locker.lock(locker.OP_MIGRATE);
-    if (error) return callback(new CaasError(CaasError.BAD_STATE, error.message));
+    settings.getCaasConfig(function (error, result) {
+        if (error) return callback(new CaasError(CaasError.INTERNAL_ERROR, error));
 
-    function unlock(error) {
-        debug('Failed to migrate', error);
-        locker.unlock(locker.OP_MIGRATE);
-        progress.set(progress.MIGRATE, -1, 'Backup failed: ' + error.message);
-    }
+        callback(null, result);
+    });
+}
 
-    progress.set(progress.MIGRATE, 10, 'Backing up for migration');
+function verifySetupToken(setupToken, callback) {
+    assert.strictEqual(typeof setupToken, 'string');
+    assert.strictEqual(typeof callback, 'function');
 
-    // initiate the migration in the background
-    backups.backupBoxAndApps({ userId: null, username: 'migrator' }, function (error) {
-        if (error) return unlock(error);
+    settings.getCaasConfig(function (error, caasConfig) {
+        if (error) return callback(new CaasError(CaasError.INTERNAL_ERROR, error));
 
-        debug('migrate: domain: %s size %s region %s', options.domain, options.size, options.region);
-
-        superagent
-            .post(config.apiServerOrigin() + '/api/v1/boxes/' + config.fqdn() + '/migrate')
-            .query({ token: config.token() })
-            .send(options)
+        superagent.get(config.apiServerOrigin() + '/api/v1/boxes/' + caasConfig.boxId + '/setup/verify').query({ setupToken: setupToken })
             .timeout(30 * 1000)
             .end(function (error, result) {
-                if (error && !error.response) return unlock(error); // network error
-                if (result.statusCode === 409) return unlock(new CaasError(CaasError.BAD_STATE));
-                if (result.statusCode === 404) return unlock(new CaasError(CaasError.NOT_FOUND));
-                if (result.statusCode !== 202) return unlock(new CaasError(CaasError.EXTERNAL_ERROR, util.format('%s %j', result.status, result.body)));
+                if (error && !error.response) return callback(new CaasError(CaasError.EXTERNAL_ERROR, error));
+                if (result.statusCode === 403) return callback(new CaasError(CaasError.INVALID_TOKEN));
+                if (result.statusCode === 409) return callback(new CaasError(CaasError.BAD_STATE, 'Already setup'));
+                if (result.statusCode !== 200) return callback(new CaasError(CaasError.EXTERNAL_ERROR, error));
 
-                progress.set(progress.MIGRATE, 10, 'Migrating');
-
-                retire('migrate', _.pick(options, 'domain', 'size', 'region'));
+                callback(null);
             });
     });
-
-    callback(null);
 }
 
-function changePlan(options, callback) {
-    assert.strictEqual(typeof options, 'object');
+function setupDone(setupToken, callback) {
+    assert.strictEqual(typeof setupToken, 'string');
     assert.strictEqual(typeof callback, 'function');
 
-    if (config.isDemo()) return callback(new CaasError(CaasError.BAD_FIELD, 'Not allowed in demo mode'));
+    settings.getCaasConfig(function (error, caasConfig) {
+        if (error) return callback(new CaasError(CaasError.INTERNAL_ERROR, error));
 
-    doMigrate(options, callback);
-}
-
-// this function expects a lock
-function upgrade(boxUpdateInfo, callback) {
-    assert(boxUpdateInfo !== null && typeof boxUpdateInfo === 'object');
-
-    function upgradeError(e) {
-        progress.set(progress.UPDATE, -1, e.message);
-        callback(e);
-    }
-
-    progress.set(progress.UPDATE, 5, 'Backing up for upgrade');
-
-    backups.backupBoxAndApps({ userId: null, username: 'upgrader' }, function (error) {
-        if (error) return upgradeError(error);
-
-        superagent.post(config.apiServerOrigin() + '/api/v1/boxes/' + config.fqdn() + '/upgrade')
-            .query({ token: config.token() })
-            .send({ version: boxUpdateInfo.version })
+        // Now let the api server know we got activated
+        superagent.post(config.apiServerOrigin() + '/api/v1/boxes/' + caasConfig.boxId + '/setup/done').query({ setupToken: setupToken })
             .timeout(30 * 1000)
             .end(function (error, result) {
-                if (error && !error.response) return upgradeError(new Error('Network error making upgrade request: ' + error));
-                if (result.statusCode !== 202) return upgradeError(new Error(util.format('Server not ready to upgrade. statusCode: %s body: %j', result.status, result.body)));
+                if (error && !error.response) return callback(new CaasError(CaasError.EXTERNAL_ERROR, error));
+                if (result.statusCode === 403) return callback(new CaasError(CaasError.INVALID_TOKEN));
+                if (result.statusCode === 409) return callback(new CaasError(CaasError.BAD_STATE, 'Already setup'));
+                if (result.statusCode !== 201) return callback(new CaasError(CaasError.EXTERNAL_ERROR, error));
 
-                progress.set(progress.UPDATE, 10, 'Updating base system');
-
-                // no need to unlock since this is the last thing we ever do on this box
-                callback();
-
-                retire('upgrade');
+                callback(null);
             });
     });
 }
@@ -147,48 +96,35 @@ function upgrade(boxUpdateInfo, callback) {
 function sendHeartbeat() {
     assert(config.provider() === 'caas', 'Heartbeat is only sent for managed cloudrons');
 
-    var url = config.apiServerOrigin() + '/api/v1/boxes/' + config.fqdn() + '/heartbeat';
-    superagent.post(url).query({ token: config.token(), version: config.version() }).timeout(30 * 1000).end(function (error, result) {
-        if (error && !error.response) debug('Network error sending heartbeat.', error);
-        else if (result.statusCode !== 200) debug('Server responded to heartbeat with %s %s', result.statusCode, result.text);
-        else debug('Heartbeat sent to %s', url);
-    });
-}
+    getCaasConfig(function (error, result) {
+        if (error) return debug('Caas config missing', error);
 
-function getBoxAndUserDetails(callback) {
-    assert.strictEqual(typeof callback, 'function');
-
-    if (gBoxAndUserDetails) return callback(null, gBoxAndUserDetails);
-
-    if (config.provider() !== 'caas') return callback(null, {});
-
-    superagent
-        .get(config.apiServerOrigin() + '/api/v1/boxes/' + config.fqdn())
-        .query({ token: config.token() })
-        .timeout(30 * 1000)
-        .end(function (error, result) {
-            if (error && !error.response) return callback(new CaasError(CaasError.EXTERNAL_ERROR, 'Cannot reach appstore'));
-            if (result.statusCode !== 200) return callback(new CaasError(CaasError.EXTERNAL_ERROR, util.format('%s %j', result.statusCode, result.body)));
-
-            gBoxAndUserDetails = result.body;
-
-            return callback(null, gBoxAndUserDetails);
+        var url = config.apiServerOrigin() + '/api/v1/boxes/' + result.boxId + '/heartbeat';
+        superagent.post(url).query({ token: result.token, version: config.version() }).timeout(30 * 1000).end(function (error, result) {
+            if (error && !error.response) debug('Network error sending heartbeat.', error);
+            else if (result.statusCode !== 200) debug('Server responded to heartbeat with %s %s', result.statusCode, result.text);
+            else debug('Heartbeat sent to %s', url);
         });
+    });
 }
 
 function setPtrRecord(domain, callback) {
     assert.strictEqual(typeof domain, 'string');
     assert.strictEqual(typeof callback, 'function');
 
-    superagent
-        .post(config.apiServerOrigin() + '/api/v1/boxes/' + config.fqdn() + '/ptr')
-        .query({ token: config.token() })
-        .send({ domain: domain })
-        .timeout(5 * 1000)
-        .end(function (error, result) {
-            if (error && !error.response) return callback(new CaasError(CaasError.EXTERNAL_ERROR, 'Cannot reach appstore'));
-            if (result.statusCode !== 202) return callback(new CaasError(CaasError.EXTERNAL_ERROR, util.format('%s %j', result.statusCode, result.body)));
+    getCaasConfig(function (error, result) {
+        if (error) return callback(error);
 
-            return callback(null);
-        });
+        superagent
+            .post(config.apiServerOrigin() + '/api/v1/boxes/' + result.boxId + '/ptr')
+            .query({ token: result.token })
+            .send({ domain: domain })
+            .timeout(5 * 1000)
+            .end(function (error, result) {
+                if (error && !error.response) return callback(new CaasError(CaasError.EXTERNAL_ERROR, 'Cannot reach appstore'));
+                if (result.statusCode !== 202) return callback(new CaasError(CaasError.EXTERNAL_ERROR, util.format('%s %j', result.statusCode, result.body)));
+
+                return callback(null);
+            });
+    });
 }

src/cert/acme.js

@@ -1,479 +0,0 @@
-'use strict';
-
-var assert = require('assert'),
-    async = require('async'),
-    crypto = require('crypto'),
-    debug = require('debug')('box:cert/acme'),
-    execSync = require('safetydance').child_process.execSync,
-    fs = require('fs'),
-    parseLinks = require('parse-links'),
-    path = require('path'),
-    paths = require('../paths.js'),
-    safe = require('safetydance'),
-    superagent = require('superagent'),
-    util = require('util'),
-    _ = require('underscore');
-
-var CA_PROD = 'https://acme-v01.api.letsencrypt.org',
-    CA_STAGING = 'https://acme-staging.api.letsencrypt.org',
-    LE_AGREEMENT = 'https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf';
-
-exports = module.exports = {
-    getCertificate: getCertificate,
-
-    // testing
-    _name: 'acme'
-};
-
-function AcmeError(reason, errorOrMessage) {
-    assert.strictEqual(typeof reason, 'string');
-    assert(errorOrMessage instanceof Error || typeof errorOrMessage === 'string' || typeof errorOrMessage === 'undefined');
-
-    Error.call(this);
-    Error.captureStackTrace(this, this.constructor);
-
-    this.name = this.constructor.name;
-    this.reason = reason;
-    if (typeof errorOrMessage === 'undefined') {
-        this.message = reason;
-    } else if (typeof errorOrMessage === 'string') {
-        this.message = errorOrMessage;
-    } else {
-        this.message = 'Internal error';
-        this.nestedError = errorOrMessage;
-    }
-}
-util.inherits(AcmeError, Error);
-AcmeError.INTERNAL_ERROR = 'Internal Error';
-AcmeError.EXTERNAL_ERROR = 'External Error';
-AcmeError.ALREADY_EXISTS = 'Already Exists';
-AcmeError.NOT_COMPLETED = 'Not Completed';
-AcmeError.FORBIDDEN = 'Forbidden';
-
-// http://jose.readthedocs.org/en/latest/
-// https://www.ietf.org/proceedings/92/slides/slides-92-acme-1.pdf
-// https://community.letsencrypt.org/t/list-of-client-implementations/2103
-
-function Acme(options) {
-    assert.strictEqual(typeof options, 'object');
-
-    this.caOrigin = options.prod ? CA_PROD : CA_STAGING;
-    this.accountKeyPem = null; // Buffer
-    this.email = options.email;
-}
-
-Acme.prototype.getNonce = function (callback) {
-    superagent.get(this.caOrigin + '/directory').timeout(30 * 1000).end(function (error, response) {
-        if (error && !error.response) return callback(error);
-        if (response.statusCode !== 200) return callback(new Error('Invalid response code when fetching nonce : ' + response.statusCode));
-
-        return callback(null, response.headers['Replay-Nonce'.toLowerCase()]);
-    });
-};
-
-// urlsafe base64 encoding (jose)
-function urlBase64Encode(string) {
-    return string.replace(/\+/g, '-').replace(/\//g, '_').replace(/=/g, '');
-}
-
-function b64(str) {
-    var buf = util.isBuffer(str) ? str : new Buffer(str);
-   return urlBase64Encode(buf.toString('base64'));
-}
-
-function getModulus(pem) {
-    assert(util.isBuffer(pem));
-
-    var stdout = execSync('openssl rsa -modulus -noout', { input: pem, encoding: 'utf8' });
-    if (!stdout) return null;
-    var match = stdout.match(/Modulus=([0-9a-fA-F]+)$/m);
-    if (!match) return null;
-    return Buffer.from(match[1], 'hex');
-}
-
-Acme.prototype.sendSignedRequest = function (url, payload, callback) {
-    assert.strictEqual(typeof url, 'string');
-    assert.strictEqual(typeof payload, 'string');
-    assert.strictEqual(typeof callback, 'function');
-
-    assert(util.isBuffer(this.accountKeyPem));
-
-    var that = this;
-    var header = {
-        alg: 'RS256',
-        jwk: {
-            e: b64(Buffer.from([0x01, 0x00, 0x01])), // exponent - 65537
-            kty: 'RSA',
-            n: b64(getModulus(this.accountKeyPem))
-        }
-    };
-
-    var payload64 = b64(payload);
-
-    this.getNonce(function (error, nonce) {
-        if (error) return callback(error);
-
-        debug('sendSignedRequest: using nonce %s for url %s', nonce, url);
-
-        var protected64 = b64(JSON.stringify(_.extend({ }, header, { nonce: nonce })));
-
-        var signer = crypto.createSign('RSA-SHA256');
-        signer.update(protected64 + '.' + payload64, 'utf8');
-        var signature64 = urlBase64Encode(signer.sign(that.accountKeyPem, 'base64'));
-
-        var data = {
-            header: header,
-            protected: protected64,
-            payload: payload64,
-            signature: signature64
-        };
-
-        superagent.post(url).set('Content-Type', 'application/x-www-form-urlencoded').send(JSON.stringify(data)).timeout(30 * 1000).end(function (error, res) {
-            if (error && !error.response) return callback(error); // network errors
-
-            callback(null, res);
-        });
-    });
-};
-
-Acme.prototype.updateContact = function (registrationUri, callback) {
-    assert.strictEqual(typeof registrationUri, 'string');
-    assert.strictEqual(typeof callback, 'function');
-
-    debug('updateContact: %s %s', registrationUri, this.email);
-
-    // https://github.com/ietf-wg-acme/acme/issues/30
-    var payload = {
-        resource: 'reg',
-        contact: [ 'mailto:' + this.email ],
-        agreement: LE_AGREEMENT
-    };
-
-    var that = this;
-    this.sendSignedRequest(registrationUri, JSON.stringify(payload), function (error, result) {
-        if (error) return callback(new AcmeError(AcmeError.EXTERNAL_ERROR, 'Network error when registering user: ' + error.message));
-        if (result.statusCode !== 202) return callback(new AcmeError(AcmeError.EXTERNAL_ERROR, util.format('Failed to update contact. Expecting 202, got %s %s', result.statusCode, result.text)));
-
-        debug('updateContact: contact of user updated to %s', that.email);
-
-        callback();
-    });
-};
-
-Acme.prototype.registerUser = function (callback) {
-    assert.strictEqual(typeof callback, 'function');
-
-    var payload = {
-        resource: 'new-reg',
-        contact: [ 'mailto:' + this.email ],
-        agreement: LE_AGREEMENT
-    };
-
-    debug('registerUser: %s', this.email);
-
-    var that = this;
-    this.sendSignedRequest(this.caOrigin + '/acme/new-reg', JSON.stringify(payload), function (error, result) {
-        if (error) return callback(new AcmeError(AcmeError.EXTERNAL_ERROR, 'Network error when registering user: ' + error.message));
-        if (result.statusCode === 409) return that.updateContact(result.headers.location, callback); // already exists
-        if (result.statusCode !== 201) return callback(new AcmeError(AcmeError.EXTERNAL_ERROR, util.format('Failed to register user. Expecting 201, got %s %s', result.statusCode, result.text)));
-
-        debug('registerUser: registered user %s', that.email);
-
-        callback(null);
-    });
-};
-
-Acme.prototype.registerDomain = function (domain, callback) {
-    assert.strictEqual(typeof domain, 'string');
-    assert.strictEqual(typeof callback, 'function');
-
-    var payload = {
-        resource: 'new-authz',
-        identifier: {
-            type: 'dns',
-            value: domain
-        }
-    };
-
-    debug('registerDomain: %s', domain);
-
-    this.sendSignedRequest(this.caOrigin + '/acme/new-authz', JSON.stringify(payload), function (error, result) {
-        if (error) return callback(new AcmeError(AcmeError.EXTERNAL_ERROR, 'Network error when registering domain: ' + error.message));
-        if (result.statusCode === 403) return callback(new AcmeError(AcmeError.FORBIDDEN, result.body.detail));
-        if (result.statusCode !== 201) return callback(new AcmeError(AcmeError.EXTERNAL_ERROR, util.format('Failed to register user. Expecting 201, got %s %s', result.statusCode, result.text)));
-
-        debug('registerDomain: registered %s', domain);
-
-        callback(null, result.body);
-    });
-};
-
-Acme.prototype.prepareHttpChallenge = function (challenge, callback) {
-    assert.strictEqual(typeof challenge, 'object');
-    assert.strictEqual(typeof callback, 'function');
-
-    debug('prepareHttpChallenge: preparing for challenge %j', challenge);
-
-    var token = challenge.token;
-
-    assert(util.isBuffer(this.accountKeyPem));
-
-    var jwk = {
-        e: b64(Buffer.from([0x01, 0x00, 0x01])), // Exponent - 65537
-        kty: 'RSA',
-        n: b64(getModulus(this.accountKeyPem))
-    };
-
-    var shasum = crypto.createHash('sha256');
-    shasum.update(JSON.stringify(jwk));
-    var thumbprint = urlBase64Encode(shasum.digest('base64'));
-    var keyAuthorization = token + '.' + thumbprint;
-
-    debug('prepareHttpChallenge: writing %s to %s', keyAuthorization, path.join(paths.ACME_CHALLENGES_DIR, token));
-
-    fs.writeFile(path.join(paths.ACME_CHALLENGES_DIR, token), token + '.' + thumbprint, function (error) {
-        if (error) return callback(new AcmeError(AcmeError.INTERNAL_ERROR, error));
-
-        callback();
-    });
-};
-
-Acme.prototype.notifyChallengeReady = function (challenge, callback) {
-    assert.strictEqual(typeof challenge, 'object');
-    assert.strictEqual(typeof callback, 'function');
-
-    debug('notifyChallengeReady: %s was met', challenge.uri);
-
-    var keyAuthorization = fs.readFileSync(path.join(paths.ACME_CHALLENGES_DIR, challenge.token), 'utf8');
-
-    var payload = {
-        resource: 'challenge',
-        keyAuthorization: keyAuthorization
-    };
-
-    this.sendSignedRequest(challenge.uri, JSON.stringify(payload), function (error, result) {
-        if (error) return callback(new AcmeError(AcmeError.EXTERNAL_ERROR, 'Network error when notifying challenge: ' + error.message));
-        if (result.statusCode !== 202) return callback(new AcmeError(AcmeError.EXTERNAL_ERROR, util.format('Failed to notify challenge. Expecting 202, got %s %s', result.statusCode, result.text)));
-
-        callback();
-    });
-};
-
-Acme.prototype.waitForChallenge = function (challenge, callback) {
-    assert.strictEqual(typeof challenge, 'object');
-    assert.strictEqual(typeof callback, 'function');
-
-    debug('waitingForChallenge: %j', challenge);
-
-    async.retry({ times: 10, interval: 5000 }, function (retryCallback) {
-        debug('waitingForChallenge: getting status');
-
-        superagent.get(challenge.uri).timeout(30 * 1000).end(function (error, result) {
-            if (error && !error.response) {
-                debug('waitForChallenge: network error getting uri %s', challenge.uri);
-                return retryCallback(new AcmeError(AcmeError.EXTERNAL_ERROR, error.message)); // network error
-            }
-            if (result.statusCode !== 202) {
-                debug('waitForChallenge: invalid response code getting uri %s', result.statusCode);
-                return retryCallback(new AcmeError(AcmeError.EXTERNAL_ERROR, 'Bad response code:' + result.statusCode));
-            }
-
-            debug('waitForChallenge: status is "%s %j', result.body.status, result.body);
-
-            if (result.body.status === 'pending') return retryCallback(new AcmeError(AcmeError.NOT_COMPLETED));
-            else if (result.body.status === 'valid') return retryCallback();
-            else return retryCallback(new AcmeError(AcmeError.EXTERNAL_ERROR, 'Unexpected status: ' + result.body.status));
-        });
-    }, function retryFinished(error) {
-        // async.retry will pass 'undefined' as second arg making it unusable with async.waterfall()
-        callback(error);
-    });
-};
-
-// https://community.letsencrypt.org/t/public-beta-rate-limits/4772 for rate limits
-Acme.prototype.signCertificate = function (domain, csrDer, callback) {
-    assert.strictEqual(typeof domain, 'string');
-    assert(util.isBuffer(csrDer));
-    assert.strictEqual(typeof callback, 'function');
-
-    var outdir = paths.APP_CERTS_DIR;
-
-    var payload = {
-        resource: 'new-cert',
-        csr: b64(csrDer)
-    };
-
-    debug('signCertificate: sending new-cert request');
-
-    this.sendSignedRequest(this.caOrigin + '/acme/new-cert', JSON.stringify(payload), function (error, result) {
-        if (error) return callback(new AcmeError(AcmeError.EXTERNAL_ERROR, 'Network error when signing certificate: ' + error.message));
-        // 429 means we reached the cert limit for this domain
-        if (result.statusCode !== 201) return callback(new AcmeError(AcmeError.EXTERNAL_ERROR, util.format('Failed to sign certificate. Expecting 201, got %s %s', result.statusCode, result.text)));
-
-        var certUrl = result.headers.location;
-
-        if (!certUrl) return callback(new AcmeError(AcmeError.EXTERNAL_ERROR, 'Missing location in downloadCertificate'));
-
-        safe.fs.writeFileSync(path.join(outdir, domain + '.url'), certUrl, 'utf8'); // maybe use for renewal
-
-        return callback(null, result.headers.location);
-    });
-};
-
-Acme.prototype.createKeyAndCsr = function (domain, callback) {
-    assert.strictEqual(typeof domain, 'string');
-    assert.strictEqual(typeof callback, 'function');
-
-    var outdir = paths.APP_CERTS_DIR;
-    var csrFile = path.join(outdir, domain + '.csr');
-    var privateKeyFile = path.join(outdir, domain + '.key');
-
-    if (safe.fs.existsSync(privateKeyFile)) {
-        // in some old releases, csr file was corrupt. so always regenerate it
-        debug('createKeyAndCsr: reuse the key for renewal at %s', privateKeyFile);
-    } else {
-        var key = execSync('openssl genrsa 4096');
-        if (!key) return callback(new AcmeError(AcmeError.INTERNAL_ERROR, safe.error));
-        if (!safe.fs.writeFileSync(privateKeyFile, key)) return callback(new AcmeError(AcmeError.INTERNAL_ERROR, safe.error));
-
-        debug('createKeyAndCsr: key file saved at %s', privateKeyFile);
-    }
-
-    var csrDer = execSync(util.format('openssl req -new -key %s -outform DER -subj /CN=%s', privateKeyFile, domain));
-    if (!csrDer) return callback(new AcmeError(AcmeError.INTERNAL_ERROR, safe.error));
-    if (!safe.fs.writeFileSync(csrFile, csrDer)) return callback(new AcmeError(AcmeError.INTERNAL_ERROR, safe.error)); // bookkeeping
-
-    debug('createKeyAndCsr: csr file (DER) saved at %s', csrFile);
-
-    callback(null, csrDer);
-};
-
-// TODO: download the chain in a loop following 'up' header
-Acme.prototype.downloadChain = function (linkHeader, callback) {
-    if (!linkHeader) return new AcmeError(AcmeError.EXTERNAL_ERROR, 'Empty link header when downloading certificate chain');
-
-    debug('downloadChain: linkHeader %s', linkHeader);
-
-    var linkInfo = parseLinks(linkHeader);
-    if (!linkInfo || !linkInfo.up) return new AcmeError(AcmeError.EXTERNAL_ERROR, 'Failed to parse link header when downloading certificate chain');
-
-    var intermediateCertUrl = linkInfo.up.startsWith('https://') ? linkInfo.up : (this.caOrigin + linkInfo.up);
-
-    debug('downloadChain: downloading from %s', intermediateCertUrl);
-
-    superagent.get(intermediateCertUrl).buffer().parse(function (res, done) {
-        var data = [ ];
-        res.on('data', function(chunk) { data.push(chunk); });
-        res.on('end', function () { res.text = Buffer.concat(data); done(); });
-    }).timeout(30 * 1000).end(function (error, result) {
-        if (error && !error.response) return callback(new AcmeError(AcmeError.EXTERNAL_ERROR, 'Network error when downloading certificate'));
-        if (result.statusCode !== 200) return callback(new AcmeError(AcmeError.EXTERNAL_ERROR, util.format('Failed to get cert. Expecting 200, got %s %s', result.statusCode, result.text)));
-
-        var chainDer = result.text;
-        var chainPem = execSync('openssl x509 -inform DER -outform PEM', { input: chainDer }); // this is really just base64 encoding with header
-        if (!chainPem) return callback(new AcmeError(AcmeError.INTERNAL_ERROR, safe.error));
-
-        callback(null, chainPem);
-    });
-};
-
-Acme.prototype.downloadCertificate = function (domain, certUrl, callback) {
-    assert.strictEqual(typeof domain, 'string');
-    assert.strictEqual(typeof certUrl, 'string');
-    assert.strictEqual(typeof callback, 'function');
-
-    var outdir = paths.APP_CERTS_DIR;
-    var that = this;
-
-    superagent.get(certUrl).buffer().parse(function (res, done) {
-        var data = [ ];
-        res.on('data', function(chunk) { data.push(chunk); });
-        res.on('end', function () { res.text = Buffer.concat(data); done(); });
-    }).timeout(30 * 1000).end(function (error, result) {
-        if (error && !error.response) return callback(new AcmeError(AcmeError.EXTERNAL_ERROR, 'Network error when downloading certificate'));
-        if (result.statusCode === 202) return callback(new AcmeError(AcmeError.INTERNAL_ERROR, 'Retry not implemented yet'));
-        if (result.statusCode !== 200) return callback(new AcmeError(AcmeError.EXTERNAL_ERROR, util.format('Failed to get cert. Expecting 200, got %s %s', result.statusCode, result.text)));
-
-        var certificateDer = result.text;
-
-        safe.fs.writeFileSync(path.join(outdir, domain + '.der'), certificateDer);
-        debug('downloadCertificate: cert der file for %s saved', domain);
-
-        var certificatePem = execSync('openssl x509 -inform DER -outform PEM', { input: certificateDer }); // this is really just base64 encoding with header
-        if (!certificatePem) return callback(new AcmeError(AcmeError.INTERNAL_ERROR, safe.error));
-
-        that.downloadChain(result.header['link'], function (error, chainPem) {
-            if (error) return callback(error);
-
-            var certificateFile = path.join(outdir, domain + '.cert');
-            var fullChainPem = Buffer.concat([certificatePem, chainPem]);
-            if (!safe.fs.writeFileSync(certificateFile, fullChainPem)) return callback(new AcmeError(AcmeError.INTERNAL_ERROR, safe.error));
-
-            debug('downloadCertificate: cert file for %s saved at %s', domain, certificateFile);
-
-            callback();
-        });
-    });
-};
-
-Acme.prototype.acmeFlow = function (domain, callback) {
-    assert.strictEqual(typeof domain, 'string');
-    assert.strictEqual(typeof callback, 'function');
-
-    if (!fs.existsSync(paths.ACME_ACCOUNT_KEY_FILE)) {
-        debug('getCertificate: generating acme account key on first run');
-        this.accountKeyPem = safe.child_process.execSync('openssl genrsa 4096');
-        if (!this.accountKeyPem) return callback(new AcmeError(AcmeError.INTERNAL_ERROR, safe.error));
-
-        safe.fs.writeFileSync(paths.ACME_ACCOUNT_KEY_FILE, this.accountKeyPem);
-    } else {
-        debug('getCertificate: using existing acme account key');
-        this.accountKeyPem = fs.readFileSync(paths.ACME_ACCOUNT_KEY_FILE);
-    }
-
-    var that = this;
-    this.registerUser(function (error) {
-        if (error) return callback(error);
-
-        that.registerDomain(domain, function (error, result) {
-            if (error) return callback(error);
-
-            debug('acmeFlow: challenges: %j', result);
-
-            var httpChallenges = result.challenges.filter(function(x) { return x.type === 'http-01'; });
-            if (httpChallenges.length === 0) return callback(new AcmeError(AcmeError.EXTERNAL_ERROR, 'no http challenges'));
-            var challenge = httpChallenges[0];
-
-            async.waterfall([
-                that.prepareHttpChallenge.bind(that, challenge),
-                that.notifyChallengeReady.bind(that, challenge),
-                that.waitForChallenge.bind(that, challenge),
-                that.createKeyAndCsr.bind(that, domain),
-                that.signCertificate.bind(that, domain),
-                that.downloadCertificate.bind(that, domain)
-            ], callback);
-        });
-    });
-};
-
-Acme.prototype.getCertificate = function (domain, callback) {
-    assert.strictEqual(typeof domain, 'string');
-    assert.strictEqual(typeof callback, 'function');
-
-    debug('getCertificate: start acme flow for %s from %s', domain, this.caOrigin);
-    this.acmeFlow(domain, function (error) {
-        if (error) return callback(error);
-
-        var outdir = paths.APP_CERTS_DIR;
-        callback(null, path.join(outdir, domain + '.cert'), path.join(outdir, domain + '.key'));
-    });
-};
-
-function getCertificate(domain, options, callback) {
-    assert.strictEqual(typeof domain, 'string');
-    assert.strictEqual(typeof options, 'object');
-    assert.strictEqual(typeof callback, 'function');
-
-    var acme = new Acme(options || { });
-    acme.getCertificate(domain, callback);
-}

src/cert/acme2.js

@@ -0,0 +1,636 @@
+'use strict';
+
+var assert = require('assert'),
+    async = require('async'),
+    crypto = require('crypto'),
+    debug = require('debug')('box:cert/acme2'),
+    domains = require('../domains.js'),
+    fs = require('fs'),
+    path = require('path'),
+    paths = require('../paths.js'),
+    safe = require('safetydance'),
+    superagent = require('superagent'),
+    util = require('util'),
+    _ = require('underscore');
+
+const CA_PROD_DIRECTORY_URL = 'https://acme-v02.api.letsencrypt.org/directory',
+    CA_STAGING_DIRECTORY_URL = 'https://acme-staging-v02.api.letsencrypt.org/directory';
+
+exports = module.exports = {
+    getCertificate: getCertificate,
+
+    // testing
+    _name: 'acme',
+    _getChallengeSubdomain: getChallengeSubdomain
+};
+
+function Acme2Error(reason, errorOrMessage) {
+    assert.strictEqual(typeof reason, 'string');
+    assert(errorOrMessage instanceof Error || typeof errorOrMessage === 'string' || typeof errorOrMessage === 'undefined');
+
+    Error.call(this);
+    Error.captureStackTrace(this, this.constructor);
+
+    this.name = this.constructor.name;
+    this.reason = reason;
+    if (typeof errorOrMessage === 'undefined') {
+        this.message = reason;
+    } else if (typeof errorOrMessage === 'string') {
+        this.message = errorOrMessage;
+    } else {
+        this.message = 'Internal error';
+        this.nestedError = errorOrMessage;
+    }
+}
+util.inherits(Acme2Error, Error);
+Acme2Error.INTERNAL_ERROR = 'Internal Error';
+Acme2Error.EXTERNAL_ERROR = 'External Error';
+Acme2Error.ALREADY_EXISTS = 'Already Exists';
+Acme2Error.NOT_COMPLETED = 'Not Completed';
+Acme2Error.FORBIDDEN = 'Forbidden';
+
+// http://jose.readthedocs.org/en/latest/
+// https://www.ietf.org/proceedings/92/slides/slides-92-acme-1.pdf
+// https://community.letsencrypt.org/t/list-of-client-implementations/2103
+
+function Acme2(options) {
+    assert.strictEqual(typeof options, 'object');
+
+    this.accountKeyPem = null; // Buffer
+    this.email = options.email;
+    this.keyId = null;
+    this.caDirectory = options.prod ? CA_PROD_DIRECTORY_URL : CA_STAGING_DIRECTORY_URL;
+    this.directory = {};
+    this.performHttpAuthorization = !!options.performHttpAuthorization;
+    this.wildcard = !!options.wildcard;
+}
+
+Acme2.prototype.getNonce = function (callback) {
+    superagent.get(this.directory.newNonce).timeout(30 * 1000).end(function (error, response) {
+        if (error && !error.response) return callback(error);
+        if (response.statusCode !== 204) return callback(new Error('Invalid response code when fetching nonce : ' + response.statusCode));
+
+        return callback(null, response.headers['Replay-Nonce'.toLowerCase()]);
+    });
+};
+
+// urlsafe base64 encoding (jose)
+function urlBase64Encode(string) {
+    return string.replace(/\+/g, '-').replace(/\//g, '_').replace(/=/g, '');
+}
+
+function b64(str) {
+    var buf = util.isBuffer(str) ? str : new Buffer(str);
+    return urlBase64Encode(buf.toString('base64'));
+}
+
+function getModulus(pem) {
+    assert(util.isBuffer(pem));
+
+    var stdout = safe.child_process.execSync('openssl rsa -modulus -noout', { input: pem, encoding: 'utf8' });
+    if (!stdout) return null;
+    var match = stdout.match(/Modulus=([0-9a-fA-F]+)$/m);
+    if (!match) return null;
+    return Buffer.from(match[1], 'hex');
+}
+
+Acme2.prototype.sendSignedRequest = function (url, payload, callback) {
+    assert.strictEqual(typeof url, 'string');
+    assert.strictEqual(typeof payload, 'string');
+    assert.strictEqual(typeof callback, 'function');
+
+    assert(util.isBuffer(this.accountKeyPem));
+
+    const that = this;
+    let header = {
+        url: url,
+        alg: 'RS256'
+    };
+
+    // keyId is null when registering account
+    if (this.keyId) {
+        header.kid = this.keyId;
+    } else {
+        header.jwk = {
+            e: b64(Buffer.from([0x01, 0x00, 0x01])), // exponent - 65537
+            kty: 'RSA',
+            n: b64(getModulus(this.accountKeyPem))
+        };
+    }
+
+    var payload64 = b64(payload);
+
+    this.getNonce(function (error, nonce) {
+        if (error) return callback(error);
+
+        debug('sendSignedRequest: using nonce %s for url %s', nonce, url);
+
+        var protected64 = b64(JSON.stringify(_.extend({ }, header, { nonce: nonce })));
+
+        var signer = crypto.createSign('RSA-SHA256');
+        signer.update(protected64 + '.' + payload64, 'utf8');
+        var signature64 = urlBase64Encode(signer.sign(that.accountKeyPem, 'base64'));
+
+        var data = {
+            protected: protected64,
+            payload: payload64,
+            signature: signature64
+        };
+
+        superagent.post(url).set('Content-Type', 'application/jose+json').set('User-Agent', 'acme-cloudron').send(JSON.stringify(data)).timeout(30 * 1000).end(function (error, res) {
+            if (error && !error.response) return callback(error); // network errors
+
+            callback(null, res);
+        });
+    });
+};
+
+Acme2.prototype.updateContact = function (registrationUri, callback) {
+    assert.strictEqual(typeof registrationUri, 'string');
+    assert.strictEqual(typeof callback, 'function');
+
+    debug(`updateContact: registrationUri: ${registrationUri} email: ${this.email}`);
+
+    // https://github.com/ietf-wg-acme/acme/issues/30
+    const payload = {
+        contact: [ 'mailto:' + this.email ]
+    };
+
+    const that = this;
+    this.sendSignedRequest(registrationUri, JSON.stringify(payload), function (error, result) {
+        if (error) return callback(new Acme2Error(Acme2Error.EXTERNAL_ERROR, 'Network error when registering user: ' + error.message));
+        if (result.statusCode !== 200) return callback(new Acme2Error(Acme2Error.EXTERNAL_ERROR, util.format('Failed to update contact. Expecting 200, got %s %s', result.statusCode, result.text)));
+
+        debug(`updateContact: contact of user updated to ${that.email}`);
+
+        callback();
+    });
+};
+
+Acme2.prototype.registerUser = function (callback) {
+    assert.strictEqual(typeof callback, 'function');
+
+    var payload = {
+        termsOfServiceAgreed: true
+    };
+
+    debug('registerUser: registering user');
+
+    var that = this;
+    this.sendSignedRequest(this.directory.newAccount, JSON.stringify(payload), function (error, result) {
+        if (error) return callback(new Acme2Error(Acme2Error.EXTERNAL_ERROR, 'Network error when registering new account: ' + error.message));
+        // 200 if already exists. 201 for new accounts
+        if (result.statusCode !== 200 && result.statusCode !== 201) return callback(new Acme2Error(Acme2Error.EXTERNAL_ERROR, util.format('Failed to register new account. Expecting 200 or 201, got %s %s', result.statusCode, result.text)));
+
+        debug(`registerUser: user registered keyid: ${result.headers.location}`);
+
+        that.keyId = result.headers.location;
+
+        that.updateContact(result.headers.location, callback);
+    });
+};
+
+Acme2.prototype.newOrder = function (domain, callback) {
+    assert.strictEqual(typeof domain, 'string');
+    assert.strictEqual(typeof callback, 'function');
+
+    var payload = {
+        identifiers: [{
+            type: 'dns',
+            value: domain
+        }]
+    };
+
+    debug('newOrder: %s', domain);
+
+    this.sendSignedRequest(this.directory.newOrder, JSON.stringify(payload), function (error, result) {
+        if (error) return callback(new Acme2Error(Acme2Error.EXTERNAL_ERROR, 'Network error when registering domain: ' + error.message));
+        if (result.statusCode === 403) return callback(new Acme2Error(Acme2Error.FORBIDDEN, result.body.detail));
+        if (result.statusCode !== 201) return callback(new Acme2Error(Acme2Error.EXTERNAL_ERROR, util.format('Failed to register user. Expecting 201, got %s %s', result.statusCode, result.text)));
+
+        debug('newOrder: created order %s %j', domain, result.body);
+
+        const order = result.body, orderUrl = result.headers.location;
+
+        if (!Array.isArray(order.authorizations)) return callback(new Acme2Error(Acme2Error.EXTERNAL_ERROR, 'invalid authorizations in order'));
+        if (typeof order.finalize !== 'string') return callback(new Acme2Error(Acme2Error.EXTERNAL_ERROR, 'invalid finalize in order'));
+        if (typeof orderUrl !== 'string') return callback(new Acme2Error(Acme2Error.EXTERNAL_ERROR, 'invalid order location in order header'));
+
+        callback(null, order, orderUrl);
+    });
+};
+
+Acme2.prototype.waitForOrder = function (orderUrl, callback) {
+    assert.strictEqual(typeof orderUrl, 'string');
+    assert.strictEqual(typeof callback, 'function');
+
+    debug(`waitForOrder: ${orderUrl}`);
+
+    async.retry({ times: 15, interval: 20000 }, function (retryCallback) {
+        debug('waitForOrder: getting status');
+
+        superagent.get(orderUrl).timeout(30 * 1000).end(function (error, result) {
+            if (error && !error.response) {
+                debug('waitForOrder: network error getting uri %s', orderUrl);
+                return retryCallback(new Acme2Error(Acme2Error.EXTERNAL_ERROR, error.message)); // network error
+            }
+            if (result.statusCode !== 200) {
+                debug('waitForOrder: invalid response code getting uri %s', result.statusCode);
+                return retryCallback(new Acme2Error(Acme2Error.EXTERNAL_ERROR, 'Bad response code:' + result.statusCode));
+            }
+
+            debug('waitForOrder: status is "%s %j', result.body.status, result.body);
+
+            if (result.body.status === 'pending' || result.body.status === 'processing') return retryCallback(new Acme2Error(Acme2Error.NOT_COMPLETED));
+            else if (result.body.status === 'valid' && result.body.certificate) return retryCallback(null, result.body.certificate);
+            else return retryCallback(new Acme2Error(Acme2Error.EXTERNAL_ERROR, 'Unexpected status or invalid response: ' + result.body));
+        });
+    }, callback);
+};
+
+Acme2.prototype.getKeyAuthorization = function (token) {
+    assert(util.isBuffer(this.accountKeyPem));
+
+    let jwk = {
+        e: b64(Buffer.from([0x01, 0x00, 0x01])), // Exponent - 65537
+        kty: 'RSA',
+        n: b64(getModulus(this.accountKeyPem))
+    };
+
+    let shasum = crypto.createHash('sha256');
+    shasum.update(JSON.stringify(jwk));
+    let thumbprint = urlBase64Encode(shasum.digest('base64'));
+    return token + '.' + thumbprint;
+};
+
+Acme2.prototype.notifyChallengeReady = function (challenge, callback) {
+    assert.strictEqual(typeof challenge, 'object'); // { type, status, url, token }
+    assert.strictEqual(typeof callback, 'function');
+
+    debug('notifyChallengeReady: %s was met', challenge.url);
+
+    const keyAuthorization = this.getKeyAuthorization(challenge.token);
+
+    var payload = {
+        resource: 'challenge',
+        keyAuthorization: keyAuthorization
+    };
+
+    this.sendSignedRequest(challenge.url, JSON.stringify(payload), function (error, result) {
+        if (error) return callback(new Acme2Error(Acme2Error.EXTERNAL_ERROR, 'Network error when notifying challenge: ' + error.message));
+        if (result.statusCode !== 200) return callback(new Acme2Error(Acme2Error.EXTERNAL_ERROR, util.format('Failed to notify challenge. Expecting 200, got %s %s', result.statusCode, result.text)));
+
+        callback();
+    });
+};
+
+Acme2.prototype.waitForChallenge = function (challenge, callback) {
+    assert.strictEqual(typeof challenge, 'object');
+    assert.strictEqual(typeof callback, 'function');
+
+    debug('waitingForChallenge: %j', challenge);
+
+    async.retry({ times: 15, interval: 20000 }, function (retryCallback) {
+        debug('waitingForChallenge: getting status');
+
+        superagent.get(challenge.url).timeout(30 * 1000).end(function (error, result) {
+            if (error && !error.response) {
+                debug('waitForChallenge: network error getting uri %s', challenge.url);
+                return retryCallback(new Acme2Error(Acme2Error.EXTERNAL_ERROR, error.message)); // network error
+            }
+            if (result.statusCode !== 200) {
+                debug('waitForChallenge: invalid response code getting uri %s', result.statusCode);
+                return retryCallback(new Acme2Error(Acme2Error.EXTERNAL_ERROR, 'Bad response code:' + result.statusCode));
+            }
+
+            debug('waitForChallenge: status is "%s %j', result.body.status, result.body);
+
+            if (result.body.status === 'pending') return retryCallback(new Acme2Error(Acme2Error.NOT_COMPLETED));
+            else if (result.body.status === 'valid') return retryCallback();
+            else return retryCallback(new Acme2Error(Acme2Error.EXTERNAL_ERROR, 'Unexpected status: ' + result.body.status));
+        });
+    }, function retryFinished(error) {
+        // async.retry will pass 'undefined' as second arg making it unusable with async.waterfall()
+        callback(error);
+    });
+};
+
+// https://community.letsencrypt.org/t/public-beta-rate-limits/4772 for rate limits
+Acme2.prototype.signCertificate = function (domain, finalizationUrl, csrDer, callback) {
+    assert.strictEqual(typeof domain, 'string');
+    assert.strictEqual(typeof finalizationUrl, 'string');
+    assert(util.isBuffer(csrDer));
+    assert.strictEqual(typeof callback, 'function');
+
+    const payload = {
+        csr: b64(csrDer)
+    };
+
+    debug('signCertificate: sending sign request');
+
+    this.sendSignedRequest(finalizationUrl, JSON.stringify(payload), function (error, result) {
+        if (error) return callback(new Acme2Error(Acme2Error.EXTERNAL_ERROR, 'Network error when signing certificate: ' + error.message));
+        // 429 means we reached the cert limit for this domain
+        if (result.statusCode !== 200) return callback(new Acme2Error(Acme2Error.EXTERNAL_ERROR, util.format('Failed to sign certificate. Expecting 200, got %s %s', result.statusCode, result.text)));
+
+        return callback(null);
+    });
+};
+
+Acme2.prototype.createKeyAndCsr = function (hostname, callback) {
+    assert.strictEqual(typeof hostname, 'string');
+    assert.strictEqual(typeof callback, 'function');
+
+    var outdir = paths.APP_CERTS_DIR;
+    const certName = hostname.replace('*.', '_.');
+    var csrFile = path.join(outdir, `${certName}.csr`);
+    var privateKeyFile = path.join(outdir, `${certName}.key`);
+
+    if (safe.fs.existsSync(privateKeyFile)) {
+        // in some old releases, csr file was corrupt. so always regenerate it
+        debug('createKeyAndCsr: reuse the key for renewal at %s', privateKeyFile);
+    } else {
+        var key = safe.child_process.execSync('openssl genrsa 4096');
+        if (!key) return callback(new Acme2Error(Acme2Error.INTERNAL_ERROR, safe.error));
+        if (!safe.fs.writeFileSync(privateKeyFile, key)) return callback(new Acme2Error(Acme2Error.INTERNAL_ERROR, safe.error));
+
+        debug('createKeyAndCsr: key file saved at %s', privateKeyFile);
+    }
+
+    var csrDer = safe.child_process.execSync(`openssl req -new -key ${privateKeyFile} -outform DER -subj /CN=${hostname}`);
+    if (!csrDer) return callback(new Acme2Error(Acme2Error.INTERNAL_ERROR, safe.error));
+    if (!safe.fs.writeFileSync(csrFile, csrDer)) return callback(new Acme2Error(Acme2Error.INTERNAL_ERROR, safe.error)); // bookkeeping
+
+    debug('createKeyAndCsr: csr file (DER) saved at %s', csrFile);
+
+    callback(null, csrDer);
+};
+
+Acme2.prototype.downloadCertificate = function (hostname, certUrl, callback) {
+    assert.strictEqual(typeof hostname, 'string');
+    assert.strictEqual(typeof certUrl, 'string');
+    assert.strictEqual(typeof callback, 'function');
+
+    var outdir = paths.APP_CERTS_DIR;
+
+    superagent.get(certUrl).buffer().parse(function (res, done) {
+        var data = [ ];
+        res.on('data', function(chunk) { data.push(chunk); });
+        res.on('end', function () { res.text = Buffer.concat(data); done(); });
+    }).timeout(30 * 1000).end(function (error, result) {
+        if (error && !error.response) return callback(new Acme2Error(Acme2Error.EXTERNAL_ERROR, 'Network error when downloading certificate'));
+        if (result.statusCode === 202) return callback(new Acme2Error(Acme2Error.INTERNAL_ERROR, 'Retry not implemented yet'));
+        if (result.statusCode !== 200) return callback(new Acme2Error(Acme2Error.EXTERNAL_ERROR, util.format('Failed to get cert. Expecting 200, got %s %s', result.statusCode, result.text)));
+
+        const fullChainPem = result.text;
+
+        const certName = hostname.replace('*.', '_.');
+        var certificateFile = path.join(outdir, `${certName}.cert`);
+        if (!safe.fs.writeFileSync(certificateFile, fullChainPem)) return callback(new Acme2Error(Acme2Error.INTERNAL_ERROR, safe.error));
+
+        debug('downloadCertificate: cert file for %s saved at %s', hostname, certificateFile);
+
+        callback();
+    });
+};
+
+Acme2.prototype.prepareHttpChallenge = function (hostname, domain, authorization, callback) {
+    assert.strictEqual(typeof hostname, 'string');
+    assert.strictEqual(typeof domain, 'string');
+    assert.strictEqual(typeof authorization, 'object');
+    assert.strictEqual(typeof callback, 'function');
+
+    debug('acmeFlow: challenges: %j', authorization);
+    let httpChallenges = authorization.challenges.filter(function(x) { return x.type === 'http-01'; });
+    if (httpChallenges.length === 0) return callback(new Acme2Error(Acme2Error.EXTERNAL_ERROR, 'no http challenges'));
+    let challenge = httpChallenges[0];
+
+    debug('prepareHttpChallenge: preparing for challenge %j', challenge);
+
+    let keyAuthorization = this.getKeyAuthorization(challenge.token);
+
+    debug('prepareHttpChallenge: writing %s to %s', keyAuthorization, path.join(paths.ACME_CHALLENGES_DIR, challenge.token));
+
+    fs.writeFile(path.join(paths.ACME_CHALLENGES_DIR, challenge.token), keyAuthorization, function (error) {
+        if (error) return callback(new Acme2Error(Acme2Error.INTERNAL_ERROR, error));
+
+        callback(null, challenge);
+    });
+};
+
+Acme2.prototype.cleanupHttpChallenge = function (hostname, domain, challenge, callback) {
+    assert.strictEqual(typeof hostname, 'string');
+    assert.strictEqual(typeof domain, 'string');
+    assert.strictEqual(typeof challenge, 'object');
+    assert.strictEqual(typeof callback, 'function');
+
+    debug('cleanupHttpChallenge: unlinking %s', path.join(paths.ACME_CHALLENGES_DIR, challenge.token));
+
+    fs.unlink(path.join(paths.ACME_CHALLENGES_DIR, challenge.token), callback);
+};
+
+function getChallengeSubdomain(hostname, domain) {
+    let challengeSubdomain;
+
+    if (hostname === domain) {
+        challengeSubdomain = '_acme-challenge';
+    } else if (hostname.includes('*')) { // wildcard
+        let subdomain = hostname.slice(0, -domain.length - 1);
+        challengeSubdomain = subdomain ? subdomain.replace('*', '_acme-challenge') : '_acme-challenge';
+    } else {
+        challengeSubdomain = '_acme-challenge.' + hostname.slice(0, -domain.length - 1);
+    }
+
+    debug(`getChallengeSubdomain: challenge subdomain for hostname ${hostname} at domain ${domain} is ${challengeSubdomain}`);
+
+    return challengeSubdomain;
+}
+
+Acme2.prototype.prepareDnsChallenge = function (hostname, domain, authorization, callback) {
+    assert.strictEqual(typeof hostname, 'string');
+    assert.strictEqual(typeof domain, 'string');
+    assert.strictEqual(typeof authorization, 'object');
+    assert.strictEqual(typeof callback, 'function');
+
+    debug('acmeFlow: challenges: %j', authorization);
+    let dnsChallenges = authorization.challenges.filter(function(x) { return x.type === 'dns-01'; });
+    if (dnsChallenges.length === 0) return callback(new Acme2Error(Acme2Error.EXTERNAL_ERROR, 'no dns challenges'));
+    let challenge = dnsChallenges[0];
+
+    const keyAuthorization = this.getKeyAuthorization(challenge.token);
+    let shasum = crypto.createHash('sha256');
+    shasum.update(keyAuthorization);
+
+    const txtValue = urlBase64Encode(shasum.digest('base64'));
+    let challengeSubdomain = getChallengeSubdomain(hostname, domain);
+
+    debug(`prepareDnsChallenge: update ${challengeSubdomain} with ${txtValue}`);
+
+    domains.upsertDnsRecords(challengeSubdomain, domain, 'TXT', [ `"${txtValue}"` ], function (error) {
+        if (error) return callback(new Acme2Error(Acme2Error.EXTERNAL_ERROR, error.message));
+
+        domains.waitForDnsRecord(challengeSubdomain, domain, 'TXT', txtValue, { interval: 5000, times: 200 }, function (error) {
+            if (error) return callback(new Acme2Error(Acme2Error.EXTERNAL_ERROR, error.message));
+
+            callback(null, challenge);
+        });
+    });
+};
+
+Acme2.prototype.cleanupDnsChallenge = function (hostname, domain, challenge, callback) {
+    assert.strictEqual(typeof hostname, 'string');
+    assert.strictEqual(typeof domain, 'string');
+    assert.strictEqual(typeof challenge, 'object');
+    assert.strictEqual(typeof callback, 'function');
+
+    const keyAuthorization = this.getKeyAuthorization(challenge.token);
+    let shasum = crypto.createHash('sha256');
+    shasum.update(keyAuthorization);
+
+    const txtValue = urlBase64Encode(shasum.digest('base64'));
+    let challengeSubdomain = getChallengeSubdomain(hostname, domain);
+
+    debug(`cleanupDnsChallenge: remove ${challengeSubdomain} with ${txtValue}`);
+
+    domains.removeDnsRecords(challengeSubdomain, domain, 'TXT', [ `"${txtValue}"` ], function (error) {
+        if (error) return callback(new Acme2Error(Acme2Error.EXTERNAL_ERROR, error));
+
+        callback(null);
+    });
+};
+
+Acme2.prototype.prepareChallenge = function (hostname, domain, authorizationUrl, callback) {
+    assert.strictEqual(typeof hostname, 'string');
+    assert.strictEqual(typeof domain, 'string');
+    assert.strictEqual(typeof authorizationUrl, 'string');
+    assert.strictEqual(typeof callback, 'function');
+
+    const that = this;
+    superagent.get(authorizationUrl).timeout(30 * 1000).end(function (error, response) {
+        if (error && !error.response) return callback(error);
+        if (response.statusCode !== 200) return callback(new Error('Invalid response code getting authorization : ' + response.statusCode));
+
+        const authorization = response.body;
+
+        if (that.performHttpAuthorization) {
+            that.prepareHttpChallenge(hostname, domain, authorization, callback);
+        } else {
+            that.prepareDnsChallenge(hostname, domain, authorization, callback);
+        }
+    });
+};
+
+Acme2.prototype.cleanupChallenge = function (hostname, domain, challenge, callback) {
+    assert.strictEqual(typeof hostname, 'string');
+    assert.strictEqual(typeof domain, 'string');
+    assert.strictEqual(typeof challenge, 'object');
+    assert.strictEqual(typeof callback, 'function');
+
+    if (this.performHttpAuthorization) {
+        this.cleanupHttpChallenge(hostname, domain, challenge, callback);
+    } else {
+        this.cleanupDnsChallenge(hostname, domain, challenge, callback);
+    }
+};
+
+Acme2.prototype.acmeFlow = function (hostname, domain, callback) {
+    assert.strictEqual(typeof hostname, 'string');
+    assert.strictEqual(typeof domain, 'string');
+    assert.strictEqual(typeof callback, 'function');
+
+    if (!fs.existsSync(paths.ACME_ACCOUNT_KEY_FILE)) {
+        debug('getCertificate: generating acme account key on first run');
+        this.accountKeyPem = safe.child_process.execSync('openssl genrsa 4096');
+        if (!this.accountKeyPem) return callback(new Acme2Error(Acme2Error.INTERNAL_ERROR, safe.error));
+
+        safe.fs.writeFileSync(paths.ACME_ACCOUNT_KEY_FILE, this.accountKeyPem);
+    } else {
+        debug('getCertificate: using existing acme account key');
+        this.accountKeyPem = fs.readFileSync(paths.ACME_ACCOUNT_KEY_FILE);
+    }
+
+    var that = this;
+    this.registerUser(function (error) {
+        if (error) return callback(error);
+
+        that.newOrder(hostname, function (error, order, orderUrl) {
+            if (error) return callback(error);
+
+            async.eachSeries(order.authorizations, function (authorizationUrl, iteratorCallback) {
+                debug(`acmeFlow: authorizing ${authorizationUrl}`);
+
+                that.prepareChallenge(hostname, domain, authorizationUrl, function (error, challenge) {
+                    if (error) return iteratorCallback(error);
+
+                    async.waterfall([
+                        that.notifyChallengeReady.bind(that, challenge),
+                        that.waitForChallenge.bind(that, challenge),
+                        that.createKeyAndCsr.bind(that, hostname),
+                        that.signCertificate.bind(that, hostname, order.finalize),
+                        that.waitForOrder.bind(that, orderUrl),
+                        that.downloadCertificate.bind(that, hostname)
+                    ], function (error) {
+                        that.cleanupChallenge(hostname, domain, challenge, function (cleanupError) {
+                            if (cleanupError) debug('acmeFlow: ignoring error when cleaning up challenge:', cleanupError);
+
+                            iteratorCallback(error);
+                        });
+                    });
+                });
+            }, callback);
+        });
+    });
+};
+
+Acme2.prototype.getDirectory = function (callback) {
+    const that = this;
+
+    superagent.get(this.caDirectory).timeout(30 * 1000).end(function (error, response) {
+        if (error && !error.response) return callback(error);
+        if (response.statusCode !== 200) return callback(new Error('Invalid response code when fetching directory : ' + response.statusCode));
+
+        if (typeof response.body.newNonce !== 'string' ||
+            typeof response.body.newOrder !== 'string' ||
+            typeof response.body.newAccount !== 'string') return callback(new Error(`Invalid response body : ${response.body}`));
+
+        that.directory = response.body;
+
+        callback(null);
+    });
+};
+
+Acme2.prototype.getCertificate = function (hostname, domain, callback) {
+    assert.strictEqual(typeof hostname, 'string');
+    assert.strictEqual(typeof domain, 'string');
+    assert.strictEqual(typeof callback, 'function');
+
+    debug(`getCertificate: start acme flow for ${hostname} from ${this.caDirectory}`);
+
+    if (hostname !== domain && this.wildcard) { // bare domain is not part of wildcard SAN
+        hostname = domains.makeWildcard(hostname);
+        debug(`getCertificate: will get wildcard cert for ${hostname}`);
+    }
+
+    const that = this;
+    this.getDirectory(function (error) {
+        if (error) return callback(error);
+
+        that.acmeFlow(hostname, domain, function (error) {
+            if (error) return callback(error);
+
+            var outdir = paths.APP_CERTS_DIR;
+            const certName = hostname.replace('*.', '_.');
+            callback(null, path.join(outdir, `${certName}.cert`), path.join(outdir, `${certName}.key`));
+        });
+    });
+};
+
+function getCertificate(hostname, domain, options, callback) {
+    assert.strictEqual(typeof hostname, 'string');
+    assert.strictEqual(typeof domain, 'string');
+    assert.strictEqual(typeof options, 'object');
+    assert.strictEqual(typeof callback, 'function');
+
+    var acme = new Acme2(options || { });
+    acme.getCertificate(hostname, domain, callback);
+}

src/cert/caas.js

@@ -10,12 +10,13 @@ exports = module.exports = {
 var assert = require('assert'),
     debug = require('debug')('box:cert/caas.js');
 
-function getCertificate(domain, options, callback) {
+function getCertificate(hostname, domain, options, callback) {
+    assert.strictEqual(typeof hostname, 'string');
     assert.strictEqual(typeof domain, 'string');
     assert.strictEqual(typeof options, 'object');
     assert.strictEqual(typeof callback, 'function');
 
-    debug('getCertificate: using fallback certificate', domain);
+    debug('getCertificate: using fallback certificate', hostname);
 
-    return callback(null, 'cert/host.cert', 'cert/host.key');
+    return callback(null, '', '');
 }

src/cert/fallback.js

@@ -10,12 +10,13 @@ exports = module.exports = {
 var assert = require('assert'),
     debug = require('debug')('box:cert/fallback.js');
 
-function getCertificate(domain, options, callback) {
+function getCertificate(hostname, domain, options, callback) {
+    assert.strictEqual(typeof hostname, 'string');
     assert.strictEqual(typeof domain, 'string');
     assert.strictEqual(typeof options, 'object');
     assert.strictEqual(typeof callback, 'function');
 
-    debug('getCertificate: using fallback certificate', domain);
+    debug('getCertificate: using fallback certificate', hostname);
 
     return callback(null, '', '');
 }

src/cert/interface.js

@@ -12,7 +12,8 @@ exports = module.exports = {
 
 var assert = require('assert');
 
-function getCertificate(domain, options, callback) {
+function getCertificate(hostname, domain, options, callback) {
+    assert.strictEqual(typeof hostname, 'string');
     assert.strictEqual(typeof domain, 'string');
     assert.strictEqual(typeof options, 'object');
     assert.strictEqual(typeof callback, 'function');

src/certificates.js

@@ -1,447 +0,0 @@
-'use strict';
-
-exports = module.exports = {
-    CertificatesError: CertificatesError,
-
-    ensureFallbackCertificate: ensureFallbackCertificate,
-    setFallbackCertificate: setFallbackCertificate,
-    getFallbackCertificate: getFallbackCertificate,
-
-    validateCertificate: validateCertificate,
-    ensureCertificate: ensureCertificate,
-
-    setAdminCertificate: setAdminCertificate,
-    getAdminCertificate: getAdminCertificate,
-
-    renewAll: renewAll,
-
-    initialize: initialize,
-    uninitialize: uninitialize,
-
-    events: null,
-
-    EVENT_CERT_CHANGED: 'cert_changed',
-
-    // exported for testing
-    _getApi: getApi
-};
-
-var acme = require('./cert/acme.js'),
-    apps = require('./apps.js'),
-    assert = require('assert'),
-    async = require('async'),
-    caas = require('./cert/caas.js'),
-    config = require('./config.js'),
-    constants = require('./constants.js'),
-    debug = require('debug')('box:certificates'),
-    eventlog = require('./eventlog.js'),
-    fallback = require('./cert/fallback.js'),
-    fs = require('fs'),
-    mailer = require('./mailer.js'),
-    nginx = require('./nginx.js'),
-    path = require('path'),
-    paths = require('./paths.js'),
-    safe = require('safetydance'),
-    settings = require('./settings.js'),
-    user = require('./user.js'),
-    util = require('util');
-
-function CertificatesError(reason, errorOrMessage) {
-    assert.strictEqual(typeof reason, 'string');
-    assert(errorOrMessage instanceof Error || typeof errorOrMessage === 'string' || typeof errorOrMessage === 'undefined');
-
-    Error.call(this);
-    Error.captureStackTrace(this, this.constructor);
-
-    this.name = this.constructor.name;
-    this.reason = reason;
-    if (typeof errorOrMessage === 'undefined') {
-        this.message = reason;
-    } else if (typeof errorOrMessage === 'string') {
-        this.message = errorOrMessage;
-    } else {
-        this.message = 'Internal error';
-        this.nestedError = errorOrMessage;
-    }
-}
-util.inherits(CertificatesError, Error);
-CertificatesError.INTERNAL_ERROR = 'Internal Error';
-CertificatesError.INVALID_CERT = 'Invalid certificate';
-CertificatesError.NOT_FOUND = 'Not Found';
-
-function initialize(callback) {
-    assert.strictEqual(typeof callback, 'function');
-
-    exports.events = new (require('events').EventEmitter)();
-    callback();
-}
-
-function uninitialize(callback) {
-    assert.strictEqual(typeof callback, 'function');
-
-    exports.events = null;
-    callback();
-}
-
-function getApi(app, callback) {
-    assert.strictEqual(typeof app, 'object');
-    assert.strictEqual(typeof callback, 'function');
-
-    settings.getTlsConfig(function (error, tlsConfig) {
-        if (error) return callback(error);
-
-        if (tlsConfig.provider === 'fallback') return callback(null, fallback, {});
-
-        // use acme if we have altDomain or the tlsConfig is not caas
-        var api = (app.altDomain || tlsConfig.provider !== 'caas') ? acme : caas;
-
-        var options = { };
-        if (tlsConfig.provider === 'caas') {
-            options.prod = true; // with altDomain, we will choose acme setting based on this
-        } else { // acme
-            options.prod = tlsConfig.provider.match(/.*-prod/) !== null;
-        }
-
-        // registering user with an email requires A or MX record (https://github.com/letsencrypt/boulder/issues/1197)
-        // we cannot use admin@fqdn because the user might not have set it up.
-        // we simply update the account with the latest email we have each time when getting letsencrypt certs
-        // https://github.com/ietf-wg-acme/acme/issues/30
-        user.getOwner(function (error, owner) {
-            options.email = error ? 'support@cloudron.io' : (owner.alternateEmail || owner.email); // can error if not activated yet
-
-            callback(null, api, options);
-        });
-    });
-}
-
-function ensureFallbackCertificate(callback) {
-    // ensure a fallback certificate that much of our code requires
-    var certFilePath = path.join(paths.APP_CERTS_DIR, 'host.cert');
-    var keyFilePath = path.join(paths.APP_CERTS_DIR, 'host.key');
-
-    var fallbackCertPath = path.join(paths.NGINX_CERT_DIR, 'host.cert');
-    var fallbackKeyPath = path.join(paths.NGINX_CERT_DIR, 'host.key');
-
-    if (fs.existsSync(fallbackCertPath) && fs.existsSync(fallbackKeyPath)) {
-        debug('ensureFallbackCertificate: pre-existing fallback certs');
-        return callback();
-    }
-
-    if (fs.existsSync(certFilePath) && fs.existsSync(keyFilePath)) { // existing custom fallback certs (when restarting, restoring, updating)
-        debug('ensureFallbackCertificate: using fallback certs provided by user');
-        if (!safe.child_process.execSync('cp ' + certFilePath + ' ' + fallbackCertPath)) return callback(new CertificatesError(CertificatesError.INTERNAL_ERROR, safe.error.message));
-        if (!safe.child_process.execSync('cp ' + keyFilePath + ' ' + fallbackKeyPath)) return callback(new CertificatesError(CertificatesError.INTERNAL_ERROR, safe.error.message));
-
-        return callback();
-    }
-
-    // generate a self-signed cert. it's in backup dir so that we don't create a new cert across restarts
-    // FIXME: this cert does not cover the naked domain. needs SAN
-    if (config.fqdn()) {
-        debug('ensureFallbackCertificate: generating self-signed certificate');
-        var certCommand = util.format('openssl req -x509 -newkey rsa:2048 -keyout %s -out %s -days 3650 -subj /CN=*.%s -nodes', keyFilePath, certFilePath, config.fqdn());
-        safe.child_process.execSync(certCommand);
-
-        if (!safe.child_process.execSync('cp ' + certFilePath + ' ' + fallbackCertPath)) return callback(new CertificatesError(CertificatesError.INTERNAL_ERROR, safe.error.message));
-        if (!safe.child_process.execSync('cp ' + keyFilePath + ' ' + fallbackKeyPath)) return callback(new CertificatesError(CertificatesError.INTERNAL_ERROR, safe.error.message));
-
-        return callback();
-    } else {
-        debug('ensureFallbackCertificate: cannot generate fallback certificate without domain');
-        return callback(new CertificatesError(CertificatesError.INTERNAL_ERROR, 'No domain set'));
-    }
-}
-
-function isExpiringSync(certFilePath, hours) {
-    assert.strictEqual(typeof certFilePath, 'string');
-    assert.strictEqual(typeof hours, 'number');
-
-    if (!fs.existsSync(certFilePath)) return 2; // not found
-
-    var result = safe.child_process.spawnSync('/usr/bin/openssl', [ 'x509', '-checkend', String(60 * 60 * hours), '-in', certFilePath ]);
-
-    debug('isExpiringSync: %s %s %s', certFilePath, result.stdout.toString('utf8').trim(), result.status);
-
-    return result.status === 1; // 1 - expired 0 - not expired
-}
-
-function renewAll(auditSource, callback) {
-    assert.strictEqual(typeof auditSource, 'object');
-    assert.strictEqual(typeof callback, 'function');
-
-    debug('renewAll: Checking certificates for renewal');
-
-    apps.getAll(function (error, allApps) {
-        if (error) return callback(error);
-
-        allApps.push({ intrinsicFqdn: config.adminFqdn() }); // inject fake webadmin app
-
-        var expiringApps = [ ];
-        for (var i = 0; i < allApps.length; i++) {
-            var appDomain = allApps[i].altDomain || allApps[i].instrincFqdn;
-
-            var certFilePath = path.join(paths.APP_CERTS_DIR, appDomain + '.user.cert');
-            var keyFilePath = path.join(paths.APP_CERTS_DIR, appDomain + '.user.key');
-
-            if (safe.fs.existsSync(certFilePath) && safe.fs.existsSync(keyFilePath)) {
-                debug('renewAll: existing user key file for %s. skipping', appDomain);
-                continue;
-            }
-
-            // check if we have an auto cert to be renewed
-            certFilePath = path.join(paths.APP_CERTS_DIR, appDomain + '.cert');
-            keyFilePath = path.join(paths.APP_CERTS_DIR, appDomain + '.key');
-
-            if (!safe.fs.existsSync(keyFilePath)) {
-                debug('renewAll: no existing key file for %s. skipping', appDomain);
-                continue;
-            }
-
-            if (isExpiringSync(certFilePath, 24 * 30)) { // expired or not found
-                expiringApps.push(allApps[i]);
-            }
-        }
-
-        debug('renewAll: %j needs to be renewed', expiringApps.map(function (app) { return app.altDomain || app.intrinsicFqdn; }));
-
-        async.eachSeries(expiringApps, function iterator(app, iteratorCallback) {
-            var domain = app.altDomain || app.intrinsicFqdn;
-
-            getApi(app, function (error, api, apiOptions) {
-                if (error) return callback(error);
-
-                debug('renewAll: renewing cert for %s with options %j', domain, apiOptions);
-
-                api.getCertificate(domain, apiOptions, function (error) {
-                    var certFilePath = path.join(paths.APP_CERTS_DIR, domain + '.cert');
-                    var keyFilePath = path.join(paths.APP_CERTS_DIR, domain + '.key');
-
-                    var errorMessage = error ? error.message : '';
-                    eventlog.add(eventlog.ACTION_CERTIFICATE_RENEWAL, auditSource, { domain: domain, errorMessage: errorMessage });
-
-                    if (error) {
-                        debug('renewAll: could not renew cert for %s because %s', domain, error);
-
-                        mailer.certificateRenewalError(domain, errorMessage);
-
-                        // check if we should fallback if we expire in the coming day
-                        if (!isExpiringSync(certFilePath, 24 * 1)) return iteratorCallback();
-
-                        debug('renewAll: using fallback certs for %s since it expires soon', domain, error);
-
-                        // if no cert was returned use fallback, the fallback provider will not provide any for example
-                        var fallbackCertFilePath = path.join(paths.NGINX_CERT_DIR, domain + '.cert');
-                        var fallbackKeyFilePath = path.join(paths.NGINX_CERT_DIR, domain + '.key');
-
-                        certFilePath = fs.existsSync(fallbackCertFilePath) ? fallbackCertFilePath : 'cert/host.cert';
-                        keyFilePath = fs.existsSync(fallbackKeyFilePath) ? fallbackKeyFilePath : 'cert/host.key';
-                    } else {
-                        debug('renewAll: certificate for %s renewed', domain);
-                    }
-
-                    // reconfigure and reload nginx. this is required for the case where we got a renewed cert after fallback
-                    var configureFunc = app.intrinsicFqdn === config.adminFqdn() ?
-                        nginx.configureAdmin.bind(null, certFilePath, keyFilePath, constants.NGINX_ADMIN_CONFIG_FILE_NAME, config.adminFqdn())
-                        : nginx.configureApp.bind(null, app, certFilePath, keyFilePath);
-
-                    configureFunc(function (ignoredError) {
-                        if (ignoredError) debug('fallbackExpiredCertificates: error reconfiguring app', ignoredError);
-
-                        exports.events.emit(exports.EVENT_CERT_CHANGED, domain);
-
-                        iteratorCallback(); // move to next app
-                    });
-                });
-            });
-        });
-    });
-}
-
-// note: https://tools.ietf.org/html/rfc4346#section-7.4.2 (certificate_list) requires that the
-// servers certificate appears first (and not the intermediate cert)
-function validateCertificate(cert, key, fqdn) {
-    assert(cert === null || typeof cert === 'string');
-    assert(key === null || typeof key === 'string');
-    assert.strictEqual(typeof fqdn, 'string');
-
-    function matchesDomain(domain) {
-        if (typeof domain !== 'string') return false;
-        if (domain === fqdn) return true;
-        if (domain.indexOf('*') === 0 && domain.slice(2) === fqdn.slice(fqdn.indexOf('.') + 1)) return true;
-
-        return false;
-    }
-
-    if (cert === null && key === null) return null;
-    if (!cert && key) return new Error('missing cert');
-    if (cert && !key) return new Error('missing key');
-
-    var result = safe.child_process.execSync('openssl x509 -noout -checkhost "' + fqdn + '"', { encoding: 'utf8', input: cert });
-    if (!result) return new Error('Invalid certificate. Unable to get certificate subject.');
-
-    // if no match, check alt names
-    if (result.indexOf('does match certificate') === -1) {
-        // https://github.com/drwetter/testssl.sh/pull/383
-        var cmd = 'openssl x509 -noout -text | grep -A3 "Subject Alternative Name" | \
-                   grep "DNS:" | \
-                   sed -e "s/DNS://g" -e "s/ //g" -e "s/,/ /g" -e "s/othername:<unsupported>//g"';
-        result = safe.child_process.execSync(cmd, { encoding: 'utf8', input: cert });
-        var altNames = result ? [ ] : result.trim().split(' '); // might fail if cert has no SAN
-        debug('validateCertificate: detected altNames as %j', altNames);
-
-        // check altNames
-        if (!altNames.some(matchesDomain)) return new Error(util.format('Certificate is not valid for this domain. Expecting %s in %j', fqdn, altNames));
-    }
-
-    // http://httpd.apache.org/docs/2.0/ssl/ssl_faq.html#verify
-    var certModulus = safe.child_process.execSync('openssl x509 -noout -modulus', { encoding: 'utf8', input: cert });
-    var keyModulus = safe.child_process.execSync('openssl rsa -noout -modulus', { encoding: 'utf8', input: key });
-    if (certModulus !== keyModulus) return new Error('Key does not match the certificate.');
-
-    // check expiration
-    result = safe.child_process.execSync('openssl x509 -checkend 0', { encoding: 'utf8', input: cert });
-    if (!result) return new Error('Certificate is expired.');
-
-    return null;
-}
-
-function setFallbackCertificate(cert, key, fqdn, callback) {
-    assert.strictEqual(typeof cert, 'string');
-    assert.strictEqual(typeof key, 'string');
-    assert.strictEqual(typeof fqdn, 'string');
-    assert.strictEqual(typeof callback, 'function');
-
-    var error = validateCertificate(cert, key, '*.' + fqdn);
-    if (error) return callback(new CertificatesError(CertificatesError.INVALID_CERT, error.message));
-
-    // backup the cert
-    if (!safe.fs.writeFileSync(path.join(paths.APP_CERTS_DIR, fqdn + '.cert'), cert)) return callback(new CertificatesError(CertificatesError.INTERNAL_ERROR, safe.error.message));
-    if (!safe.fs.writeFileSync(path.join(paths.APP_CERTS_DIR, fqdn + '.key'), key)) return callback(new CertificatesError(CertificatesError.INTERNAL_ERROR, safe.error.message));
-
-    // copy over fallback cert
-    if (!safe.fs.writeFileSync(path.join(paths.NGINX_CERT_DIR, fqdn + '.cert'), cert)) return callback(new CertificatesError(CertificatesError.INTERNAL_ERROR, safe.error.message));
-    if (!safe.fs.writeFileSync(path.join(paths.NGINX_CERT_DIR, fqdn + '.key'), key)) return callback(new CertificatesError(CertificatesError.INTERNAL_ERROR, safe.error.message));
-
-    exports.events.emit(exports.EVENT_CERT_CHANGED, '*.' + fqdn);
-
-    nginx.reload(function (error) {
-        if (error) return callback(new CertificatesError(CertificatesError.INTERNAL_ERROR, error));
-
-        return callback(null);
-    });
-}
-
-function getFallbackCertificate(fqdn, callback) {
-    assert.strictEqual(typeof fqdn, 'string');
-    assert.strictEqual(typeof callback, 'function');
-
-    var cert = safe.fs.readFileSync(path.join(paths.NGINX_CERT_DIR, fqdn + '.cert'), 'utf-8');
-    var key = safe.fs.readFileSync(path.join(paths.NGINX_CERT_DIR, fqdn + '.key'), 'utf-8');
-
-    if (!cert || !key) return callback(new CertificatesError(CertificatesError.NOT_FOUND));
-
-    callback(null, { cert: cert, key: key });
-}
-
-function setAdminCertificate(cert, key, callback) {
-    assert.strictEqual(typeof cert, 'string');
-    assert.strictEqual(typeof key, 'string');
-    assert.strictEqual(typeof callback, 'function');
-
-    var vhost = config.adminFqdn();
-    var certFilePath = path.join(paths.APP_CERTS_DIR, vhost + '.user.cert');
-    var keyFilePath = path.join(paths.APP_CERTS_DIR, vhost + '.user.key');
-
-    var error = validateCertificate(cert, key, vhost);
-    if (error) return callback(new CertificatesError(CertificatesError.INVALID_CERT, error.message));
-
-    // backup the cert
-    if (!safe.fs.writeFileSync(certFilePath, cert)) return callback(new CertificatesError(CertificatesError.INTERNAL_ERROR, safe.error.message));
-    if (!safe.fs.writeFileSync(keyFilePath, key)) return callback(new CertificatesError(CertificatesError.INTERNAL_ERROR, safe.error.message));
-
-    exports.events.emit(exports.EVENT_CERT_CHANGED, vhost);
-
-    nginx.configureAdmin(certFilePath, keyFilePath, constants.NGINX_ADMIN_CONFIG_FILE_NAME, config.adminFqdn(), callback);
-}
-
-function getAdminCertificatePath(callback) {
-    assert.strictEqual(typeof callback, 'function');
-
-    var vhost = config.adminFqdn();
-    var certFilePath = path.join(paths.APP_CERTS_DIR, vhost + '.user.cert');
-    var keyFilePath = path.join(paths.APP_CERTS_DIR, vhost + '.user.key');
-
-    if (fs.existsSync(certFilePath) && fs.existsSync(keyFilePath)) return callback(null, certFilePath, keyFilePath);
-
-    certFilePath = path.join(paths.APP_CERTS_DIR, vhost + '.cert');
-    keyFilePath = path.join(paths.APP_CERTS_DIR, vhost + '.key');
-
-    if (fs.existsSync(certFilePath) && fs.existsSync(keyFilePath)) return callback(null, certFilePath, keyFilePath);
-
-    // any user fallback cert is always copied over to nginx cert dir
-    callback(null, path.join(paths.NGINX_CERT_DIR, 'host.cert'), path.join(paths.NGINX_CERT_DIR, 'host.key'));
-}
-
-function getAdminCertificate(callback) {
-    assert.strictEqual(typeof callback, 'function');
-
-    getAdminCertificatePath(function (error, certFilePath, keyFilePath) {
-        if (error) return callback(error);
-
-        var cert = safe.fs.readFileSync(certFilePath);
-        if (!cert) return callback(new CertificatesError(CertificatesError.INTERNAL_ERROR, safe.error));
-
-        var key = safe.fs.readFileSync(keyFilePath);
-        if (!cert) return callback(new CertificatesError(CertificatesError.INTERNAL_ERROR, safe.error));
-
-        return callback(null, cert, key);
-    });
-}
-
-function ensureCertificate(app, callback) {
-    assert.strictEqual(typeof app, 'object');
-    assert.strictEqual(typeof callback, 'function');
-
-    var domain = app.altDomain || app.intrinsicFqdn;
-
-    var certFilePath = path.join(paths.APP_CERTS_DIR, domain + '.user.cert');
-    var keyFilePath = path.join(paths.APP_CERTS_DIR, domain + '.user.key');
-
-    if (fs.existsSync(certFilePath) && fs.existsSync(keyFilePath)) {
-        debug('ensureCertificate: %s. user certificate already exists at %s', domain, keyFilePath);
-        return callback(null, certFilePath, keyFilePath);
-    }
-
-    certFilePath = path.join(paths.APP_CERTS_DIR, domain + '.cert');
-    keyFilePath = path.join(paths.APP_CERTS_DIR, domain + '.key');
-
-    if (fs.existsSync(certFilePath) && fs.existsSync(keyFilePath)) {
-        debug('ensureCertificate: %s. certificate already exists at %s', domain, keyFilePath);
-
-        if (!isExpiringSync(certFilePath, 24 * 1)) return callback(null, certFilePath, keyFilePath);
-        debug('ensureCertificate: %s cert require renewal', domain);
-    } else {
-        debug('ensureCertificate: %s cert does not exist', domain);
-    }
-
-    getApi(app, function (error, api, apiOptions) {
-        if (error) return callback(error);
-
-        debug('ensureCertificate: getting certificate for %s with options %j', domain, apiOptions);
-
-        api.getCertificate(domain, apiOptions, function (error, certFilePath, keyFilePath) {
-            if (error) debug('ensureCertificate: could not get certificate. using fallback certs', error);
-
-            // if no cert was returned use fallback, the fallback provider will not provide any for example
-            if (!certFilePath || !keyFilePath) {
-                var fallbackCertFilePath = path.join(paths.NGINX_CERT_DIR, app.domain + '.cert');
-                var fallbackKeyFilePath = path.join(paths.NGINX_CERT_DIR, app.domain + '.key');
-
-                certFilePath = fs.existsSync(fallbackCertFilePath) ? fallbackCertFilePath : 'cert/host.cert';
-                keyFilePath = fs.existsSync(fallbackKeyFilePath) ? fallbackKeyFilePath : 'cert/host.key';
-            }
-
-            callback(null, certFilePath, keyFilePath);
-        });
-    });
-}