3.4.3 changes

track last oom time using a global variable
because it was a local variable, we were just sending out oom mails like crazy also, fixes an issue that if docker.getEvents gets stuck because docker does not respond then we do not do any health monitoring. i guess this can happen if the docker API gets stuck. (cherry picked from commit a536e9fc4b)
2018-12-16 21:07:53 -08:00 · 2018-12-16 21:07:14 -08:00 · 2018-12-16 18:44:46 -08:00 · 2018-12-15 09:28:18 -08:00 · 2018-12-14 17:35:54 -08:00 · 2018-12-13 09:41:52 -08:00
230 changed files with 20936 additions and 14128 deletions
@@ -0,0 +1,29 @@
+{
+    "env": {
+        "es6": true,
+        "node": true
+    },
+    "extends": "eslint:recommended",
+    "parserOptions": {
+        "ecmaVersion": 2017
+    },
+    "rules": {
+        "indent": [
+            "error",
+            4
+        ],
+        "linebreak-style": [
+            "error",
+            "unix"
+        ],
+        "quotes": [
+            "error",
+            "single"
+        ],
+        "semi": [
+            "error",
+            "always"
+        ],
+        "no-console": "off"
+    }
+}
@@ -1,6 +1,7 @@
 # following files are skipped when exporting using git archive
 test export-ignore
-docs export-ignore
+.jshintrc export-ignore
+.gitlab export-ignore
 .gitattributes export-ignore
 .gitignore export-ignore

@@ -6,4 +6,3 @@ installer/src/certs/server.key
 # vim swap files
 *.swp

-
@@ -0,0 +1,6 @@
+Please do not use this issue tracker for support requests and bug reports.
+This issue tracker is used by the Cloudron development team to track actual
+bugs in the code.
+
+Please use the forum at https://forum.cloudron.io to report bugs. For
+confidential issues, please email us at support@cloudron.io.
@@ -0,0 +1,7 @@
+Please do not use this issue tracker for support requests and feature reports.
+This issue tracker is used by the Cloudron development team to track issues in
+the code.
+
+Please use the forum at https://forum.cloudron.io to report bugs. For
+confidential issues, please email us at support@cloudron.io.
+
@@ -1,9 +0,0 @@
-{
-    "node": true,
-    "browser": true,
-    "unused": true,
-    "multistr": true,
-    "globalstrict": true,
-    "predef": [ "angular", "$" ],
-    "esnext": true
-}
@@ -1223,3 +1223,285 @@
 * scheduler: do not start cron jobs all at once
 * scheduler: give cron jobs a grace period of 30 minutes to complete

+[2.0.1]
+* Multi-domain support
+* Update Haraka to 2.8.18
+* Split box and app autoupdate pattern settings
+* Stop and disable any pre-installed postfix server
+* Migrate altDomain as a manual DNS provider
+* Use node's native dns resolve instead of dig
+* DNS records can now be a A record or a CNAME record
+* Fix generation of fallback certificates to include naked domain
+* Merge multi-string DKIM records
+* scheduler: do not start cron jobs all at once
+* scheduler: give cron jobs a grace period of 30 minutes to complete
+* Rework the eventlog view
+* App clone now clones the robotsTxt and backup settings
+
+[2.1.0]
+* Make S3 backend work reliably with slow internet connections
+* Update docker to 18.03.0-ce
+* Finalize the Email and Mailbox API
+* Move mailbox settings from users to email view
+* mail: fix issue where hosts with valid SPF for a Cloudron domain are unable to send mail to Cloudron
+* mail: fix crash when bounce emails have a null sender
+* Add CSP header for dashboard
+* Add support for installing private docker images
+
+[2.1.1]
+* Make S3 backend work reliably with slow internet connections
+* Update docker to 18.03.0-ce
+* Finalize the Email and Mailbox API
+* Move mailbox settings from users to email view
+* mail: fix issue where hosts with valid SPF for a Cloudron domain are unable to send mail to Cloudron
+* mail: fix crash when bounce emails have a null sender
+* Add CSP header for dashboard
+* Add support for installing private docker images
+
+[2.2.0]
+* Add 2FA support for the admin dashboard
+* Cleanup scope management in REST API
+* Enhance user creation API to take a password
+* Relax restriction on mailbox names now that it is decoupled from user management
+
+[2.2.1]
+* Add 2FA support for the admin dashboard
+* Add Gandi & GoDaddy DNS providers
+* Fix zone detection logic on Route53 accounts with more than 100 zones
+* Warn using when disabling email
+* Cleanup scope management in REST API
+* Enhance user creation API to take a password
+* Relax restriction on mailbox names now that it is decoupled from user management
+* Fix issue where mail container incorrectly advertised CRAM-MD5 support
+
+[2.3.0]
+* Add Name.com DNS provider
+* Fix issue where account setup page was crashing
+* Add advanced DNS configuration UI
+* Preserve addon/database configuration across app updates and restores
+* ManageSieve port now offers STARTTLS
+
+[2.3.1]
+* Add Name.com DNS provider
+* Fix issue where account setup page was crashing
+* Add advanced DNS configuration UI
+* Preserve addon/database configuration across app updates and restores
+* ManageSieve port now offers STARTTLS
+* Allow mailbox name to be set for apps
+* Rework the Email server UI
+* Add the ability to manually trigger a backup of an application
+* Enable/disable mail from validation within UI
+* Allow setting app visibility for non-SSO apps
+* Add Clone UI
+
+[2.3.2]
+* Fix issue where multi-db apps were not provisioned correctly
+* Improve setup, restore views to have field labels
+
+[2.4.0]
+* Use custom logging backend to have more control over log rotation
+* Make user explicitly confirm that fs backup dir is on external storage
+* Update node to 8.11.2
+* Update docker to 18.03.1
+* Fix docker exec terminal resize issue
+* Make the mailbox name follow the apps new location, if the user did not set it explicitly
+* Add backups view
+
+[2.4.1]
+* Use custom logging backend to have more control over log rotation
+* Mail logs and box logs UI
+* Make user explicitly confirm that fs backup dir is on external storage
+* Update node to 8.11.2
+* Update docker to 18.03.1
+* Fix docker exec terminal resize issue
+* Make the mailbox name follow the apps new location, if the user did not set it explicitly
+* Add backups view
+
+[3.0.0]
+* Support alternate app domains with redirects
+* Allow hyphen in mailbox names
+* Fix issue where the UI timesout when relay server is not reachable
+* Add support for personal spaces
+* Add UI to edit users in the groups dialog
+* Add UI to set groups when creating a user
+* Open logs and terminal in a new tab instead of a window
+* Add button to view backup logs
+* Add Mailjet mail relay support
+* Encryption support for incremental backups
+* Display restore errors in the UI
+* Update Haraka to 2.8.19
+* GPG verify releases
+* Allow subdomains in location field
+
+[3.0.1]
+* Support alternate app domains with redirects
+* Allow hyphen in mailbox names
+* Fix issue where the UI timesout when relay server is not reachable
+* Add support for personal spaces
+* Add UI to edit users in the groups dialog
+* Add UI to set groups when creating a user
+* Open logs and terminal in a new tab instead of a window
+* Add button to view backup logs
+* Add Mailjet mail relay support
+* Encryption support for incremental backups
+* Display restore errors in the UI
+* Update Haraka to 2.8.19
+* GPG verify releases
+* Allow subdomains in location field
+
+[3.0.2]
+* Fix issue where normal users are shown apps they don't have access to
+* Re-configure email apps when email is enabled/disabled
+
+[3.1.0]
+* Add UDP support
+* Clicking invite button does not send an invite immediately
+* Implement docker addon
+* Automatically login after password reset and account setup
+* Make backup interval configurable
+* Fix alternate domain certificate renewal
+
+[3.1.1]
+* Fix caas domain migration
+
+[3.1.2]
+* Add UDP support
+* Clicking invite button does not send an invite immediately
+* Implement docker addon
+* Automatically login after password reset and account setup
+* Make backup interval configurable
+* Fix alternate domain certificate renewal
+* API token can now have a name
+
+[3.1.3]
+* Prevent dashboard domain from being deleted
+* Add alternateDomains to app install route
+* cloudflare: Fix crash when access denied
+
+[3.1.4]
+* Fix issue where support tab was redirecting
+
+[3.2.0]
+* Add DO Spaces SFO2 region
+* Wildcard DNS now validates the config
+* Add ACMEv2 support
+* Add Wildcard Let's Encrypt provider
+
+[3.2.1]
+* Add acme2 support. This provides DNS based validation removing inbound port 80 requirement
+* Add support for wildcard certificates
+* Allow mailbox name to be reset to the buit-in '.app' name
+* Fix permission issue when restoring a Cloudron
+* Fix a crash when restoring Cloudron
+* Allow alternate domains to be set in app installation REST API
+* Add SFO2 region for DigitalOcean Spaces
+* Show the title in port bindings instead of the long description
+
+[3.2.2]
+* Update Haraka to 2.8.20
+* (mail) Fix issue where LDAP connections where not cleaned up
+
+[3.3.0]
+* Use new addons with REST APIs
+* Ubuntu 18.04 LTS support
+* Custom env vars can be set per application
+* Add a button to renew certs
+* Add better support for private builds
+* cloudflare: Fix crash when using bad email
+* cloudflare: HTTP proxying works now
+* add new exoscale-sos regions
+* Add UI to toggle dynamic DNS
+* Add support for hyphenated subdomains
+
+[3.3.1]
+* Use new addons with REST APIs
+* Ubuntu 18.04 LTS support
+* Custom env vars can be set per application
+* Add a button to renew certs
+* Add better support for private builds
+* cloudflare: Fix crash when using bad email
+* cloudflare: HTTP proxying works now
+* add new exoscale-sos regions
+* Add UI to toggle dynamic DNS
+* Add support for hyphenated subdomains
+
+[3.3.2]
+* Use new addons with REST APIs
+* Ubuntu 18.04 LTS support
+* Custom env vars can be set per application
+* Add a button to renew certs
+* Add better support for private builds
+* cloudflare: Fix crash when using bad email
+* cloudflare: HTTP proxying works now
+* add new exoscale-sos regions
+* Add UI to toggle dynamic DNS
+* Add support for hyphenated subdomains
+* Add domain, mail events to eventlog
+
+[3.3.3]
+* Use new addons with REST APIs
+* Ubuntu 18.04 LTS support
+* Custom env vars can be set per application
+* Add a button to renew certs
+* Add better support for private builds
+* cloudflare: Fix crash when using bad email
+* cloudflare: HTTP proxying works now
+* add new exoscale-sos regions
+* Add UI to toggle dynamic DNS
+* Add support for hyphenated subdomains
+* Add domain, mail events to eventlog
+
+[3.3.4]
+* Use new addons with REST APIs
+* Ubuntu 18.04 LTS support
+* Custom env vars can be set per application
+* Add a button to renew certs
+* Add better support for private builds
+* cloudflare: Fix crash when using bad email
+* cloudflare: HTTP proxying works now
+* add new exoscale-sos regions
+* Add UI to toggle dynamic DNS
+* Add support for hyphenated subdomains
+* Add domain, mail events to eventlog
+
+[3.4.0]
+* Improve error page
+* Add system view to manage addons and view their status
+* Fix iconset regression for account and Cloudron name edits
+* Add server reboot button and warn if reboot is required for security updates
+* Backup and update tasks are now cancelable
+* Move graphite away from port 3000 (reserved by ESXi)
+* Flexible mailbox management
+* Automatic updates can be toggled per app
+
+[3.4.1]
+* Improve error page
+* Add system view to manage addons and view their status
+* Fix iconset regression for account and Cloudron name edits
+* Add server reboot button and warn if reboot is required for security updates
+* Backup and update tasks are now cancelable
+* Move graphite away from port 3000 (reserved by ESXi)
+* Flexible mailbox management
+* Automatic updates can be toggled per app
+
+[3.4.2]
+* Improve error page
+* Add system view to manage addons and view their status
+* Fix iconset regression for account and Cloudron name edits
+* Add server reboot button and warn if reboot is required for security updates
+* Backup and update tasks are now cancelable
+* Move graphite away from port 3000 (reserved by ESXi)
+* Flexible mailbox management
+* Automatic updates can be toggled per app
+
+[3.4.3]
+* Improve error page
+* Add system view to manage addons and view their status
+* Fix iconset regression for account and Cloudron name edits
+* Add server reboot button and warn if reboot is required for security updates
+* Backup and update tasks are now cancelable
+* Move graphite away from port 3000 (reserved by ESXi)
+* Flexible mailbox management
+* Automatic updates can be toggled per app
+* Fix issue where OOM mails are sent out without a rate limit
+
@@ -630,7 +630,7 @@ state the exclusion of warranty; and each file should have at least
 the "copyright" line and a pointer to where the full notice is found.

    box
-    Copyright (C) 2016,2017 Cloudron UG
+    Copyright (C) 2016,2017,2018 Cloudron UG

    This program is free software: you can redistribute it and/or modify
    it under the terms of the GNU Affero General Public License as published
@@ -48,6 +48,11 @@ apps up-to-date and secure.
 * [Selfhosting](https://cloudron.io/documentation/installation/) - [Pricing](https://cloudron.io/pricing.html)
 * [Managed Hosting](https://cloudron.io/managed.html)

+**Note:** This repo is a small part of what gets installed on your server - there is
+the dashboard, database addons, graph container, base image etc. Cloudron also relies
+on external services such as the App Store for apps to be installed. As such, don't
+clone this repo and npm install and expect something to work.
+
 ## Documentation

 * [Documentation](https://cloudron.io/documentation/)
@@ -0,0 +1 @@
+# release version. do not edit manually
@@ -14,8 +14,11 @@ function die {

 export DEBIAN_FRONTEND=noninteractive

+# hold grub since updating it breaks on some VPS providers. also, dist-upgrade will trigger it
+apt-mark hold grub* >/dev/null
 apt-get -o Dpkg::Options::="--force-confdef" update -y
-apt-get -o Dpkg::Options::="--force-confdef" dist-upgrade -y
+apt-get -o Dpkg::Options::="--force-confdef" upgrade -y
+apt-mark unhold grub* >/dev/null

 echo "==> Installing required packages"

@@ -23,6 +26,7 @@ debconf-set-selections <<< 'mysql-server mysql-server/root_password password pas
 debconf-set-selections <<< 'mysql-server mysql-server/root_password_again password password'

 # this enables automatic security upgrades (https://help.ubuntu.com/community/AutomaticSecurityUpdates)
+# resolvconf is needed for unbound to work property after disabling systemd-resolved in 18.04
 apt-get -y install \
    acl \
    awscli \
@@ -31,12 +35,14 @@ apt-get -y install \
    curl \
    dmsetup \
    iptables \
+    libpython2.7 \
    logrotate \
    mysql-server-5.7 \
    nginx-full \
    openssh-server \
    pwgen \
-    rcconf \
+    resolvconf \
+    sudo \
    swaks \
    unattended-upgrades \
    unbound \
@@ -61,7 +67,7 @@ echo "==> Installing Docker"
 mkdir -p /etc/systemd/system/docker.service.d
 echo -e "[Service]\nExecStart=\nExecStart=/usr/bin/dockerd -H fd:// --log-driver=journald --exec-opt native.cgroupdriver=cgroupfs --storage-driver=overlay2" > /etc/systemd/system/docker.service.d/cloudron.conf

-curl -sL https://download.docker.com/linux/ubuntu/dists/xenial/pool/stable/amd64/docker-ce_17.09.0~ce-0~ubuntu_amd64.deb -o /tmp/docker.deb
+curl -sL https://download.docker.com/linux/ubuntu/dists/xenial/pool/stable/amd64/docker-ce_18.03.1~ce-0~ubuntu_amd64.deb -o /tmp/docker.deb
 # apt install with install deps (as opposed to dpkg -i)
 apt install -y /tmp/docker.deb
 rm /tmp/docker.deb
@@ -72,8 +78,9 @@ if [[ "${storage_driver}" != "overlay2" ]]; then
    exit 1
 fi

+# do not upgrade grub because it might prompt user and break this script
 echo "==> Enable memory accounting"
-apt-get -y install grub2
+apt-get -y --no-upgrade install grub2-common
 sed -e 's/^GRUB_CMDLINE_LINUX="\(.*\)"$/GRUB_CMDLINE_LINUX="\1 cgroup_enable=memory swapaccount=1 panic_on_oops=1 panic=5"/' -i /etc/default/grub
 update-grub

@@ -83,11 +90,12 @@ if [ ! -f "${arg_infraversionpath}/infra_version.js" ]; then
    exit 1
 fi

-images=$(node -e "var i = require('${arg_infraversionpath}/infra_version.js'); console.log(i.baseImages.join(' '), Object.keys(i.images).map(function (x) { return i.images[x].tag; }).join(' '));")
+images=$(node -e "var i = require('${arg_infraversionpath}/infra_version.js'); console.log(i.baseImages.map(function (x) { return x.tag; }).join(' '), Object.keys(i.images).map(function (x) { return i.images[x].tag; }).join(' '));")

 echo -e "\tPulling docker images: ${images}"
 for image in ${images}; do
    docker pull "${image}"
+    docker pull "${image%@sha256:*}" # this will tag the image for readability
 done

 echo "==> Install collectd"
@@ -97,6 +105,11 @@ if ! apt-get install -y collectd collectd-utils; then
    sed -e 's/^FQDNLookup true/FQDNLookup false/' -i /etc/collectd/collectd.conf
 fi

+echo "==> Configuring host"
+sed -e 's/^#NTP=/NTP=0.ubuntu.pool.ntp.org 1.ubuntu.pool.ntp.org 2.ubuntu.pool.ntp.org 3.ubuntu.pool.ntp.org/' -i /etc/systemd/timesyncd.conf
+timedatectl set-ntp 1
+timedatectl set-timezone UTC
+
 # Disable bind for good measure (on online.net, kimsufi servers these are pre-installed and conflicts with unbound)
 systemctl stop bind9 || true
 systemctl disable bind9 || true
@@ -109,3 +122,7 @@ systemctl disable dnsmasq || true
 systemctl stop postfix || true
 systemctl disable postfix || true

+# on ubuntu 18.04, this is the default. this requires resolvconf for DNS to work further after the disable
+systemctl stop systemd-resolved || true
+systemctl disable systemd-resolved || true
+
@@ -2,17 +2,21 @@

 'use strict';

+// prefix all output with a timestamp
+// debug() already prefixes and uses process.stderr NOT console.*
+['log', 'info', 'warn', 'debug', 'error'].forEach(function (log) {
+    var orig = console[log];
+    console[log] = function () {
+        orig.apply(console, [new Date().toISOString()].concat(Array.prototype.slice.call(arguments)));
+    };
+});
+
 require('supererror')({ splatchError: true });

-// remove timestamp from debug() based output
-require('debug').formatArgs = function formatArgs(args) {
-    args[0] = this.namespace + ' ' + args[0];
-};
-
-var appHealthMonitor = require('./src/apphealthmonitor.js'),
-    async = require('async'),
+let async = require('async'),
    config = require('./src/config.js'),
    ldap = require('./src/ldap.js'),
+    dockerProxy = require('./src/dockerproxy.js'),
    server = require('./src/server.js');

 console.log();
@@ -25,6 +29,9 @@ console.log(' Version:                        ', config.version());
 console.log(' Admin Origin:                   ', config.adminOrigin());
 console.log(' Appstore API server origin:     ', config.apiServerOrigin());
 console.log(' Appstore Web server origin:     ', config.webServerOrigin());
+console.log(' SysAdmin Port:                  ', config.get('sysadminPort'));
+console.log(' LDAP Server Port:               ', config.get('ldapPort'));
+console.log(' Docker Proxy Port:              ', config.get('dockerProxyPort'));
 console.log();
 console.log('==========================================');
 console.log();
@@ -32,7 +39,7 @@ console.log();
 async.series([
    server.start,
    ldap.start,
-    appHealthMonitor.start,
+    dockerProxy.start
 ], function (error) {
    if (error) {
        console.error('Error starting server', error);
@@ -44,13 +51,19 @@ async.series([
 var NOOP_CALLBACK = function () { };

 process.on('SIGINT', function () {
+    console.log('Received SIGINT. Shutting down.');
+
    server.stop(NOOP_CALLBACK);
    ldap.stop(NOOP_CALLBACK);
+    dockerProxy.stop(NOOP_CALLBACK);
    setTimeout(process.exit.bind(process), 3000);
 });

 process.on('SIGTERM', function () {
+    console.log('Received SIGTERM. Shutting down.');
+
    server.stop(NOOP_CALLBACK);
    ldap.stop(NOOP_CALLBACK);
+    dockerProxy.stop(NOOP_CALLBACK);
    setTimeout(process.exit.bind(process), 3000);
 });
@@ -1,7 +1,7 @@
 'use strict';

 exports.up = function(db, callback) {
-    var cmd = "CREATE TABLE groups(" +
+    var cmd = "CREATE TABLE userGroups(" +
                "id VARCHAR(128) NOT NULL UNIQUE," +
                "name VARCHAR(128) NOT NULL UNIQUE," +
                "PRIMARY KEY(id))";
@@ -13,7 +13,7 @@ exports.up = function(db, callback) {
 };

 exports.down = function(db, callback) {
-    db.runSql('DROP TABLE groups', function (error) {
+    db.runSql('DROP TABLE userGroups', function (error) {
        if (error) console.error(error);
        callback(error);
    });
@@ -4,7 +4,7 @@ exports.up = function(db, callback) {
 	var cmd = "CREATE TABLE IF NOT EXISTS groupMembers(" +
    			"groupId VARCHAR(128) NOT NULL," +
    			"userId VARCHAR(128) NOT NULL," +
-    			"FOREIGN KEY(groupId) REFERENCES groups(id)," +
+    			"FOREIGN KEY(groupId) REFERENCES userGroups(id)," +
    			"FOREIGN KEY(userId) REFERENCES users(id));";

    db.runSql(cmd, function (error) {
@@ -7,7 +7,7 @@ var ADMIN_GROUP_ID = 'admin'; // see constants.js
 exports.up = function(db, callback) {
 	async.series([
 		db.runSql.bind(db, 'START TRANSACTION;'),
-		db.runSql.bind(db, 'INSERT INTO groups (id, name) VALUES (?, ?)', [ ADMIN_GROUP_ID, 'admin' ]),
+		db.runSql.bind(db, 'INSERT INTO userGroups (id, name) VALUES (?, ?)', [ ADMIN_GROUP_ID, 'admin' ]),
 		function migrateAdminFlag(done) {
 			db.all('SELECT * FROM users WHERE admin=1', function (error, results) {
 				if (error) return done(error);
@@ -10,7 +10,7 @@ exports.up = function(db, callback) {
        function addGroupMailboxes(done) {
            console.log('Importing group mailboxes');

-            db.all('SELECT id, name FROM groups', function (error, results) {
+            db.all('SELECT id, name FROM userGroups', function (error, results) {
                if (error) return done(error);

                async.eachSeries(results, function (g, next) {
@@ -16,7 +16,7 @@ exports.up = function(db, callback) {
        db.runSql.bind(db, 'ALTER TABLE clients CONVERT TO CHARACTER SET utf8 COLLATE utf8_bin'),
        db.runSql.bind(db, 'ALTER TABLE eventlog CONVERT TO CHARACTER SET utf8 COLLATE utf8_bin'),
        db.runSql.bind(db, 'ALTER TABLE groupMembers CONVERT TO CHARACTER SET utf8 COLLATE utf8_bin'),
-        db.runSql.bind(db, 'ALTER TABLE groups CONVERT TO CHARACTER SET utf8 COLLATE utf8_bin'),
+        db.runSql.bind(db, 'ALTER TABLE userGroups CONVERT TO CHARACTER SET utf8 COLLATE utf8_bin'),
        db.runSql.bind(db, 'ALTER TABLE mailboxes CONVERT TO CHARACTER SET utf8 COLLATE utf8_bin'),
        db.runSql.bind(db, 'ALTER TABLE migrations CONVERT TO CHARACTER SET utf8 COLLATE utf8_bin'),
        db.runSql.bind(db, 'ALTER TABLE settings CONVERT TO CHARACTER SET utf8 COLLATE utf8_bin'),
@@ -29,7 +29,7 @@ exports.up = function(db, callback) {

                // this will be finally created once we have a domain when we create the owner in user.js
                const ADMIN_GROUP_ID = 'admin'; // see constants.js
-                db.runSql('DELETE FROM groups WHERE id = ?', [ ADMIN_GROUP_ID ], function (error) {
+                db.runSql('DELETE FROM userGroups WHERE id = ?', [ ADMIN_GROUP_ID ], function (error) {
                    if (error) return done(error);

                    db.runSql('DELETE FROM mailboxes WHERE ownerId = ?', [ ADMIN_GROUP_ID ], done);
@@ -0,0 +1,51 @@
+'use strict';
+
+var async = require('async');
+
+exports.up = function(db, callback) {
+    var users = { }, groupMembers = { };
+
+    async.series([
+        db.runSql.bind(db, 'START TRANSACTION;'),
+        db.runSql.bind(db, 'ALTER TABLE mailboxes ADD COLUMN membersJson TEXT'),
+        function getUsers(done) {
+            db.all('SELECT * from users', [ ], function (error, results) {
+                if (error) return done(error);
+
+                results.forEach(function (result) { users[result.id] = result; });
+
+                done();
+            });
+        },
+        function getGroups(done) {
+            db.all('SELECT id, name, GROUP_CONCAT(groupMembers.userId) AS userIds ' +
+                ' FROM userGroups LEFT OUTER JOIN groupMembers ON userGroups.id = groupMembers.groupId ' +
+                ' GROUP BY userGroups.id', [ ], function (error, results) {
+                if (error) return done(error);
+
+                results.forEach(function (result) {
+                    var userIds = result.userIds ? result.userIds.split(',') : [];
+                    var members = userIds.map(function (id) { return users[id].username; });
+                    groupMembers[result.id] = members;
+                });
+
+                done();
+            });
+        },
+        function removeGroupIdAndSetMembers(done) {
+            async.eachSeries(Object.keys(groupMembers), function (gid, iteratorDone) {
+                console.log(`Migrating group id ${gid} to ${JSON.stringify(groupMembers[gid])}`);
+
+                db.runSql('UPDATE mailboxes SET membersJson = ?, ownerId = ? WHERE ownerId = ?', [ JSON.stringify(groupMembers[gid]), 'admin', gid ], iteratorDone);
+            }, done);
+        },
+        db.runSql.bind(db, 'COMMIT')
+    ], callback);
+};
+
+exports.down = function(db, callback) {
+    db.runSql('ALTER TABLE mailboxes DROP COLUMN membersJson', function (error) {
+        if (error) console.error(error);
+        callback(error);
+    });
+};
@@ -0,0 +1,34 @@
+'use strict';
+
+var async = require('async');
+
+exports.up = function(db, callback) {
+    async.series([
+        db.runSql.bind(db, 'START TRANSACTION;'),
+        db.runSql.bind(db, 'ALTER TABLE mailboxes ADD COLUMN type VARCHAR(16)'),
+        function addMailboxType(done) {
+            db.all('SELECT * from mailboxes', [ ], function (error, results) {
+                if (error) return done(error);
+
+                async.eachSeries(results, function (mailbox, iteratorCallback) {
+                    let type = 'mailbox';
+                    if (mailbox.aliasTarget) {
+                        type = 'alias';
+                    } else if (mailbox.membersJson) {
+                        type = 'list';
+                    }
+                    db.runSql('UPDATE mailboxes SET type = ? WHERE name = ? AND domain = ?', [ type, mailbox.name, mailbox.domain ], iteratorCallback);
+                }, done);
+            });
+        },
+        db.runSql.bind(db, 'ALTER TABLE mailboxes MODIFY type VARCHAR(16) NOT NULL'),
+        db.runSql.bind(db, 'COMMIT')
+    ], callback);
+};
+
+exports.down = function(db, callback) {
+    db.runSql('ALTER TABLE mailboxes DROP COLUMN membersJson', function (error) {
+        if (error) console.error(error);
+        callback(error);
+    });
+};
@@ -0,0 +1,15 @@
+'use strict';
+
+exports.up = function(db, callback) {
+    db.runSql('ALTER TABLE users ADD COLUMN twoFactorAuthenticationSecret VARCHAR(128) DEFAULT "", ADD COLUMN twoFactorAuthenticationEnabled BOOLEAN DEFAULT false', function (error) {
+        if (error) console.error(error);
+        callback(error);
+    });
+};
+
+exports.down = function(db, callback) {
+    db.runSql('ALTER TABLE users DROP twoFactorAuthenticationSecret, DROP twoFactorAuthenticationEnabled', function (error) {
+        if (error) console.error(error);
+        callback(error);
+    });
+};
@@ -0,0 +1,21 @@
+'use strict';
+
+exports.up = function(db, callback) {
+    db.runSql('UPDATE clients SET scope=? WHERE id=? OR id=? OR id=?', ['*', 'cid-webadmin', 'cid-sdk', 'cid-cli'], function (error) {
+        if (error) console.error(error);
+
+        db.runSql('UPDATE tokens SET scope=? WHERE scope LIKE ?', ['*', '%*%'], function (error) { // remove the roleSdk
+            if (error) console.error(error);
+
+            db.runSql('UPDATE tokens SET expires=? WHERE clientId=?', [ 1525636734905, 'cid-webadmin' ], function (error) { // force webadmin to get a new token
+                if (error) console.error(error);
+
+                callback(error);
+            });
+        });
+    });
+};
+
+exports.down = function(db, callback) {
+    callback();
+};
@@ -0,0 +1,28 @@
+'use strict';
+
+var async = require('async');
+
+exports.up = function(db, callback) {
+    async.series([
+        db.runSql.bind(db, 'START TRANSACTION;'),
+        db.runSql.bind(db, 'ALTER TABLE apps ADD COLUMN ownerId VARCHAR(128)'),
+        function (next) {
+            db.all('SELECT id FROM users ORDER BY createdAt LIMIT 1', [ ], function (error, results) {
+                if (error || results.length === 0) return next(error);
+
+                var ownerId = results[0].id;
+                db.runSql('UPDATE apps SET ownerId=?', [ ownerId ], next);
+            });
+        },
+        db.runSql.bind(db, 'ALTER TABLE apps MODIFY ownerId VARCHAR(128) NOT NULL'),
+        db.runSql.bind(db, 'ALTER TABLE apps ADD CONSTRAINT apps_owner_constraint FOREIGN KEY(ownerId) REFERENCES users(id)'),
+        db.runSql.bind(db, 'COMMIT'),
+    ], callback);
+};
+
+exports.down = function(db, callback) {
+    db.runSql('ALTER TABLE apps DROP COLUMN ownerId', function (error) {
+        if (error) console.error(error);
+        callback(error);
+    });
+};
@@ -0,0 +1,15 @@
+'use strict';
+
+exports.up = function(db, callback) {
+    db.runSql('ALTER TABLE apps ADD COLUMN ts TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP ON UPDATE CURRENT_TIMESTAMP', function (error) {
+        if (error) console.error(error);
+        callback(error);
+    });
+};
+
+exports.down = function(db, callback) {
+    db.runSql('ALTER TABLE apps DROP COLUMN ts ', function (error) {
+        if (error) console.error(error);
+        callback(error);
+    });
+};
@@ -0,0 +1,25 @@
+'use strict';
+
+exports.up = function(db, callback) {
+    var cmd = 'CREATE TABLE IF NOT EXISTS subdomains(' +
+                'appId VARCHAR(128) NOT NULL,' +
+                'domain VARCHAR(128) NOT NULL,' +
+                'subdomain VARCHAR(128) NOT NULL,' +
+                'type VARCHAR(128) NOT NULL,' +
+                'dnsRecordId VARCHAR(512),' +
+                'FOREIGN KEY(domain) REFERENCES domains(domain),' +
+                'FOREIGN KEY(appId) REFERENCES apps(id),' +
+                'UNIQUE (subdomain, domain)) CHARACTER SET utf8 COLLATE utf8_bin';
+
+    db.runSql(cmd, function (error) {
+        if (error) console.error(error);
+        callback(error);
+    });
+};
+
+exports.down = function(db, callback) {
+    db.runSql('DROP TABLE subdomains', function (error) {
+        if (error) console.error(error);
+        callback(error);
+    });
+};
@@ -0,0 +1,28 @@
+'use strict';
+
+var async = require('async');
+
+exports.up = function(db, callback) {
+    db.all('SELECT * from apps', [ ], function (error, results) {
+        if (error) return callback(error);
+
+        var queries = [
+            db.runSql.bind(db, 'START TRANSACTION;')
+        ];
+
+        results.forEach(function (app) {
+            queries.push(db.runSql.bind(db, 'INSERT INTO subdomains (appId, domain, subdomain, type, dnsRecordId) VALUES (?, ?, ?, ?, ?)', [ app.id, app.domain, app.location, 'primary', app.dnsRecordId ]));
+        });
+
+        queries.push(db.runSql.bind(db, 'COMMIT'));
+
+        async.series(queries, callback);
+    });
+};
+
+exports.down = function(db, callback) {
+    db.runSql('DELETE FROM subdomains', function (error) {
+        if (error) console.error(error);
+        callback(error);
+    });
+};
@@ -0,0 +1,41 @@
+'use strict';
+
+var async = require('async');
+
+exports.up = function(db, callback) {
+    db.runSql('ALTER TABLE apps DROP INDEX location_domain_unique_index, DROP FOREIGN KEY apps_domain_constraint, DROP COLUMN domain, DROP COLUMN location, DROP COLUMN dnsRecordId', function (error) {
+        if (error) console.error(error);
+        callback(error);
+    });
+};
+
+exports.down = function(db, callback) {
+    db.all('SELECT * from subdomains WHERE type = ?', [ 'primary' ], function (error, results) {
+        if (error) return callback(error);
+
+        var cmd = 'ALTER TABLE apps'
+        + ' ADD COLUMN location VARCHAR(128),'
+        + ' ADD COLUMN domain VARCHAR(128),'
+        + ' ADD COLUMN dnsRecordId VARCHAR(512)';
+
+        db.runSql(cmd, function (error) {
+            if (error) return callback(error);
+
+            var queries = [ db.runSql.bind(db, 'START TRANSACTION;') ];
+            results.forEach(function (d) {
+                queries.push(db.runSql.bind(db, 'UPDATE apps SET domain = ?, location = ?, dnsRecordId = ? WHERE id = ?', [ d.domain, d.subdomain, d.appId, d.dnsRecordId ]));
+            });
+            queries.push(db.runSql.bind(db, 'COMMIT'));
+
+            async.series(queries, function (error) {
+                if (error) return callback(error);
+
+                var cmd = 'ALTER TABLE apps'
+                + ' ADD CONSTRAINT apps_domain_constraint FOREIGN KEY(domain) REFERENCES domains(domain),'
+                + ' ADD UNIQUE location_domain_unique_index (location, domain)';
+
+                db.runSql(cmd, callback);
+            });
+        });
+    });
+};
@@ -0,0 +1,15 @@
+'use strict';
+
+exports.up = function(db, callback) {
+    db.runSql('ALTER TABLE subdomains DROP COLUMN dnsRecordId', function (error) {
+        if (error) console.error(error);
+        callback(error);
+    });
+};
+
+exports.down = function(db, callback) {
+    db.runSql('ALTER TABLE subdomains ADD COLUMN dnsRecordId VARCHAR(512)', function (error) {
+        if (error) return callback(error);
+        callback();
+    });
+};
@@ -0,0 +1,34 @@
+'use strict';
+
+var async = require('async');
+
+exports.up = function(db, callback) {
+    db.runSql('ALTER TABLE users ADD COLUMN admin BOOLEAN DEFAULT 0', function (error) {
+        if (error) return callback(error);
+
+        db.all('SELECT userId FROM groupMembers WHERE groupId=?', [ 'admin' ], function (error, results) {
+            if (error) return callback(error);
+
+            if (results.length === 0) return callback();
+
+            async.eachSeries(results, function (result, iteratorDone) {
+                db.runSql('UPDATE users SET admin=1 WHERE id=?', [ result.userId ], iteratorDone);
+            }, function (error) {
+                if (error) return callback(error);
+
+                async.series([
+                    db.runSql.bind(db, 'DELETE FROM groupMembers WHERE groupId=?', [ 'admin' ]),
+                    db.runSql.bind(db, 'DELETE FROM userGroups WHERE id=?', [ 'admin' ])
+                ], callback);
+            });
+        });
+    });
+};
+
+exports.down = function(db, callback) {
+    db.runSql('ALTER TABLE users DROP COLUMN admin', function (error) {
+        if (error) console.error(error);
+        callback(error);
+    });
+};
+
@@ -0,0 +1,13 @@
+'use strict';
+
+exports.up = function(db, callback) {
+    db.runSql('UPDATE tokens SET expires=? WHERE clientId=?', [ 1525636734905, 'cid-webadmin' ], function (error) { // force webadmin to get a new token
+        if (error) console.error(error);
+
+        callback(error);
+    });
+};
+
+exports.down = function(db, callback) {
+    callback();
+};
@@ -0,0 +1,18 @@
+'use strict';
+
+var async = require('async');
+
+exports.up = function(db, callback) {
+    async.series([
+        db.runSql.bind(db, 'ALTER TABLE appPortBindings ADD COLUMN type VARCHAR(8) NOT NULL DEFAULT "tcp"'),
+        db.runSql.bind(db, 'ALTER TABLE appPortBindings DROP INDEX hostPort'), // this drops the unique constraint
+        db.runSql.bind(db, 'ALTER TABLE appPortBindings DROP PRIMARY KEY, ADD PRIMARY KEY(hostPort, type)')
+    ], callback);
+};
+
+exports.down = function(db, callback) {
+    async.series([
+        db.runSql.bind(db, 'ALTER TABLE appPortBindings DROP PRIMARY KEY, ADD PRIMARY KEY(hostPort)'),
+        db.runSql.bind(db, 'ALTER TABLE appPortBindings DROP COLUMN type')
+    ], callback);
+};
@@ -0,0 +1,16 @@
+'use strict';
+
+exports.up = function(db, callback) {
+    db.all('SELECT value FROM settings WHERE name="backup_config"', function (error, results) {
+        if (error || results.length === 0) return callback(error);
+
+        var backupConfig = JSON.parse(results[0].value);
+        backupConfig.intervalSecs = 24 * 60 * 60;
+        db.runSql('UPDATE settings SET value=? WHERE name="backup_config"', [ JSON.stringify(backupConfig) ], callback);
+
+    });
+};
+
+exports.down = function(db, callback) {
+  callback();
+};
@@ -0,0 +1,23 @@
+'use strict';
+
+var async = require('async');
+
+exports.up = function(db, callback) {
+    // first check precondtion of domain entry in settings
+    db.all('SELECT * FROM domains', [ ], function (error, domains) {
+        if (error) return callback(error);
+
+        let caasDomains = domains.filter(function (d) { return d.provider === 'caas'; });
+
+        async.eachSeries(caasDomains, function (domain, iteratorCallback) {
+            let config = JSON.parse(domain.configJson);
+            config.hyphenatedSubdomains = true;
+
+            db.runSql('UPDATE domains SET configJson = ? WHERE domain = ?', [ JSON.stringify(config), domain.domain ], iteratorCallback);
+        }, callback);
+    });
+};
+
+exports.down = function(db, callback) {
+    callback();
+};
@@ -0,0 +1,12 @@
+'use strict';
+
+exports.up = function(db, callback) {
+    db.runSql('ALTER TABLE tokens ADD COLUMN name VARCHAR(64) DEFAULT ""', [], callback);
+};
+
+exports.down = function(db, callback) {
+    db.runSql('ALTER TABLE tokens DROP COLUMN name', function (error) {
+        if (error) console.error(error);
+        callback(error);
+    });
+};
@@ -0,0 +1,21 @@
+'use strict';
+
+var async = require('async');
+
+exports.up = function(db, callback) {
+    db.all('SELECT * from domains WHERE provider=?', [ 'manual' ], function (error, results) {
+        if (error) return callback(error);
+
+        async.eachSeries(results, function (result, iteratorDone) {
+            var config = JSON.parse(result.configJson || '{}');
+            if (!config.wildcard) return iteratorDone();
+            delete config.wildcard;
+
+            db.runSql('UPDATE domains SET provider=?, configJson=? WHERE domain=?', [ 'wildcard', JSON.stringify(config), result.domain ], iteratorDone);
+        }, callback);
+    });
+};
+
+exports.down = function(db, callback) {
+    callback();
+};
@@ -0,0 +1,21 @@
+'use strict';
+
+exports.up = function(db, callback) {
+    var cmd = 'CREATE TABLE IF NOT EXISTS appEnvVars(' +
+                'appId VARCHAR(128) NOT NULL,' +
+                'name TEXT NOT NULL,' +
+                'value TEXT NOT NULL,' +
+                'FOREIGN KEY(appId) REFERENCES apps(id)) CHARACTER SET utf8 COLLATE utf8_bin';
+
+    db.runSql(cmd, function (error) {
+        if (error) console.error(error);
+        callback(error);
+    });
+};
+
+exports.down = function(db, callback) {
+    db.runSql('DROP TABLE appEnvVars', function (error) {
+        if (error) console.error(error);
+        callback(error);
+    });
+};
@@ -0,0 +1,27 @@
+'use strict';
+
+exports.up = function(db, callback) {
+    var cmd = 'CREATE TABLE tasks(' +
+            'id int NOT NULL AUTO_INCREMENT,' +
+            'type VARCHAR(32) NOT NULL,' +
+            'argsJson TEXT,' +
+            'percent INTEGER DEFAULT 0,' +
+            'message TEXT,' +
+            'errorMessage TEXT,' +
+            'result TEXT,' +
+            'creationTime TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP,' +
+            'ts TIMESTAMP DEFAULT CURRENT_TIMESTAMP ON UPDATE CURRENT_TIMESTAMP,' +
+            'PRIMARY KEY (id))';
+
+    db.runSql(cmd, function (error) {
+        if (error) console.error(error);
+        callback(error);
+    });
+};
+
+exports.down = function(db, callback) {
+    db.runSql('DROP TABLE tasks', function (error) {
+        if (error) console.error(error);
+        callback(error);
+    });
+};
@@ -0,0 +1,17 @@
+'use strict';
+
+exports.up = function(db, callback) {
+    db.runSql('SELECT 1 FROM groups LIMIT 1', function (error) {
+        if (error) return callback(); // groups table does not exist
+
+        db.runSql('RENAME TABLE groups TO userGroups', function (error) {
+            if (error) console.error(error);
+            callback(error);
+        });
+    });
+};
+
+exports.down = function(db, callback) {
+    // this is a one way renaming since the previous migration steps have been already updated to match the new name
+    callback();
+};
@@ -0,0 +1,17 @@
+'use strict';
+
+var async = require('async');
+
+exports.up = function(db, callback) {
+    async.series([
+        db.runSql.bind(db, 'ALTER TABLE apps MODIFY creationTime TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP'),
+        db.runSql.bind(db, 'ALTER TABLE apps MODIFY updateTime TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP'),
+        db.runSql.bind(db, 'ALTER TABLE eventlog MODIFY creationTime TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP'),
+        db.runSql.bind(db, 'ALTER TABLE backups MODIFY creationTime TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP'),
+        db.runSql.bind(db, 'ALTER TABLE mailboxes MODIFY creationTime TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP'),
+    ], callback);
+};
+
+exports.down = function(db, callback) {
+    callback();
+};
@@ -0,0 +1,28 @@
+'use strict';
+
+var async = require('async');
+
+exports.up = function(db, callback) {
+    async.series([
+        db.runSql.bind(db, 'ALTER TABLE apps ADD COLUMN mailboxName VARCHAR(128)'),
+        db.runSql.bind(db, 'START TRANSACTION;'),
+
+        function migrateMailboxNames(done) {
+            db.all('SELECT * FROM mailboxes', function (error, mailboxes) {
+                if (error) return done(error);
+
+                async.eachSeries(mailboxes, function (mailbox, iteratorDone) {
+                    if (mailbox.ownerType !== 'app') return iteratorDone();
+
+                    db.runSql('UPDATE apps SET mailboxName = ? WHERE id = ?', [ mailbox.name, mailbox.ownerId ], iteratorDone);
+                }, done);
+            });
+        },
+
+        db.runSql.bind(db, 'COMMIT')
+    ], callback);
+};
+
+exports.down = function(db, callback) {
+    callback();
+};
@@ -0,0 +1,28 @@
+'use strict';
+
+var async = require('async');
+
+exports.up = function(db, callback) {
+    async.series([
+        db.runSql.bind(db, 'START TRANSACTION;'),
+
+        function migrateMailboxNames(done) {
+            db.all('SELECT * FROM mailboxes', function (error, mailboxes) {
+                if (error) return done(error);
+
+                async.eachSeries(mailboxes, function (mailbox, iteratorDone) {
+                    if (mailbox.ownerType !== 'app') return iteratorDone();
+
+                    db.runSql('DELETE FROM mailboxes WHERE name = ?', [ mailbox.name ], iteratorDone);
+                }, done);
+            });
+        },
+
+        db.runSql.bind(db, 'COMMIT'),
+        db.runSql.bind(db, 'ALTER TABLE mailboxes DROP COLUMN ownerType')
+    ], callback);
+};
+
+exports.down = function(db, callback) {
+    callback();
+};
@@ -0,0 +1,16 @@
+'use strict';
+
+exports.up = function(db, callback) {
+    db.runSql('ALTER TABLE apps ADD COLUMN enableAutomaticUpdate BOOLEAN DEFAULT 1', function (error) {
+        if (error) console.error(error);
+        callback(error);
+    });
+};
+
+exports.down = function(db, callback) {
+    db.runSql('ALTER TABLE apps DROP COLUMN enableAutomaticUpdate', function (error) {
+        if (error) console.error(error);
+        callback(error);
+    });
+};
+
@@ -21,13 +21,15 @@ CREATE TABLE IF NOT EXISTS users(
    salt VARCHAR(512) NOT NULL,
    createdAt VARCHAR(512) NOT NULL,
    modifiedAt VARCHAR(512) NOT NULL,
-    admin INTEGER NOT NULL,
-    displayName VARCHAR(512) DEFAULT '',
-    fallbackEmail VARCHAR(512) DEFAULT ""
+    displayName VARCHAR(512) DEFAULT "",
+    fallbackEmail VARCHAR(512) DEFAULT "",
+    twoFactorAuthenticationSecret VARCHAR(128) DEFAULT "",
+    twoFactorAuthenticationEnabled BOOLEAN DEFAULT false,
+    admin BOOLEAN DEFAULT false,

    PRIMARY KEY(id));

-CREATE TABLE IF NOT EXISTS groups(
+CREATE TABLE IF NOT EXISTS userGroups(
    id VARCHAR(128) NOT NULL UNIQUE,
    name VARCHAR(254) NOT NULL UNIQUE,
    PRIMARY KEY(id));
@@ -35,10 +37,11 @@ CREATE TABLE IF NOT EXISTS groups(
 CREATE TABLE IF NOT EXISTS groupMembers(
    groupId VARCHAR(128) NOT NULL,
    userId VARCHAR(128) NOT NULL,
-    FOREIGN KEY(groupId) REFERENCES groups(id),
+    FOREIGN KEY(groupId) REFERENCES userGroups(id),
    FOREIGN KEY(userId) REFERENCES users(id));

 CREATE TABLE IF NOT EXISTS tokens(
+    name VARCHAR(64) DEFAULT "", // description
    accessToken VARCHAR(128) NOT NULL UNIQUE,
    identifier VARCHAR(128) NOT NULL,
    clientId VARCHAR(128),
@@ -48,7 +51,7 @@ CREATE TABLE IF NOT EXISTS tokens(

 CREATE TABLE IF NOT EXISTS clients(
    id VARCHAR(128) NOT NULL UNIQUE, // prefixed with cid- to identify token easily in auth routes
-    appId VARCHAR(128) NOT NULL,
+    appId VARCHAR(128) NOT NULL,     // name of the client (for external apps) or id of app (for built-in apps)
    type VARCHAR(16) NOT NULL,
    clientSecret VARCHAR(512) NOT NULL,
    redirectURI VARCHAR(512) NOT NULL,
@@ -67,27 +70,32 @@ CREATE TABLE IF NOT EXISTS apps(
    httpPort INTEGER,                        // this is the nginx proxy port and not manifest.httpPort
    location VARCHAR(128) NOT NULL,
    domain VARCHAR(128) NOT NULL,
-    dnsRecordId VARCHAR(512), // tracks any id that we got back to track dns updates
    accessRestrictionJson TEXT, // { users: [ ], groups: [ ] }
-    createdAt TIMESTAMP(2) NOT NULL DEFAULT CURRENT_TIMESTAMP,
-    updatedAt TIMESTAMP(2) NOT NULL DEFAULT CURRENT_TIMESTAMP,
+    creationTime TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP, // when the app was installed
+    updateTime TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP,   // when the last app update was done
+    ts TIMESTAMP DEFAULT CURRENT_TIMESTAMP ON UPDATE CURRENT_TIMESTAMP, // when this db record was updated (useful for UI caching)
    memoryLimit BIGINT DEFAULT 0,
    xFrameOptions VARCHAR(512),
    sso BOOLEAN DEFAULT 1, // whether user chose to enable SSO
    debugModeJson TEXT, // options for development mode
    robotsTxt TEXT,
    enableBackup BOOLEAN DEFAULT 1, // misnomer: controls automatic daily backups
+    enableAutomaticUpdate BOOLEAN DEFAULT 1,
+    mailboxName VARCHAR(128), // mailbox of this app

    // the following fields do not belong here, they can be removed when we use a queue for apptask
    restoreConfigJson VARCHAR(256), // used to pass backupId to restore from to apptask
    oldConfigJson TEXT, // used to pass old config to apptask (configure, restore)
    updateConfigJson TEXT, // used to pass new config to apptask (update)

-    FOREIGN KEY(domain) REFERENCES domains(domain),
+    ownerId VARCHAR(128),
+
+    FOREIGN KEY(ownerId) REFERENCES users(id),
    PRIMARY KEY(id));

 CREATE TABLE IF NOT EXISTS appPortBindings(
    hostPort INTEGER NOT NULL UNIQUE,
+    type VARCHAR(8) NOT NULL DEFAULT "tcp",
    environmentVariable VARCHAR(128) NOT NULL,
    appId VARCHAR(128) NOT NULL,
    FOREIGN KEY(appId) REFERENCES apps(id),
@@ -112,9 +120,15 @@ CREATE TABLE IF NOT EXISTS appAddonConfigs(
    value VARCHAR(512) NOT NULL,
    FOREIGN KEY(appId) REFERENCES apps(id));

+CREATE TABLE IF NOT EXISTS appEnvVars(
+    appId VARCHAR(128) NOT NULL,
+    name TEXT NOT NULL,
+    value TEXT NOT NULL,
+    FOREIGN KEY(appId) REFERENCES apps(id));
+
 CREATE TABLE IF NOT EXISTS backups(
    id VARCHAR(128) NOT NULL,
-    creationTime TIMESTAMP,
+    creationTime TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP,
    version VARCHAR(128) NOT NULL, /* app version or box version */
    type VARCHAR(16) NOT NULL, /* 'box' or 'app' */
    dependsOn TEXT, /* comma separate list of objects this backup depends on */
@@ -129,7 +143,7 @@ CREATE TABLE IF NOT EXISTS eventlog(
    action VARCHAR(128) NOT NULL,
    source TEXT, /* { userId, username, ip }. userId can be null for cron,sysadmin */
    data TEXT, /* free flowing json based on action */
-    creationTime TIMESTAMP, /* FIXME: precision must be TIMESTAMP(2) */
+    creationTime TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP,

    PRIMARY KEY (id));

@@ -161,15 +175,42 @@ CREATE TABLE IF NOT EXISTS mail(
 /* Future fields:
   * accessRestriction - to determine who can access it. So this has foreign keys
   * quota - per mailbox quota
+
+   NOTE: this table exists only real mailboxes. And has unique constraint to handle
+   conflict with aliases and mailbox names
 */
 CREATE TABLE IF NOT EXISTS mailboxes(
    name VARCHAR(128) NOT NULL,
-    ownerId VARCHAR(128) NOT NULL, /* app id or user id or group id */
-    ownerType VARCHAR(16) NOT NULL, /* 'app' or 'user' or 'group' */
+    type VARCHAR(16) NOT NULL, /* 'mailbox', 'alias', 'list' */
+    ownerId VARCHAR(128) NOT NULL, /* user id */
    aliasTarget VARCHAR(128), /* the target name type is an alias */
-    creationTime TIMESTAMP,
+    membersJson TEXT, /* members of a group */
+    creationTime TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP,
    domain VARCHAR(128),

    FOREIGN KEY(domain) REFERENCES mail(domain),
    UNIQUE (name, domain));

+CREATE TABLE IF NOT EXISTS subdomains(
+    appId VARCHAR(128) NOT NULL,
+    domain VARCHAR(128) NOT NULL,
+    subdomain VARCHAR(128) NOT NULL,
+    type VARCHAR(128) NOT NULL,
+
+    FOREIGN KEY(domain) REFERENCES domains(domain),
+    FOREIGN KEY(appId) REFERENCES apps(id),
+    UNIQUE (subdomain, domain));
+
+CREATE TABLE IF NOT EXISTS tasks(
+    id int NOT NULL AUTO_INCREMENT,
+    type VARCHAR(32) NOT NULL,
+    percent INTEGER DEFAULT 0,
+    message TEXT,
+    errorMessage TEXT,
+    result TEXT,
+    creationTime TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP,
+    ts TIMESTAMP DEFAULT CURRENT_TIMESTAMP ON UPDATE CURRENT_TIMESTAMP,
+    PRIMARY KEY (id));
+
+    CHARACTER SET utf8 COLLATE utf8_bin;
+
@@ -14,38 +14,38 @@
    "node": ">=4.0.0 <=4.1.1"
  },
  "dependencies": {
-    "@google-cloud/dns": "^0.7.1",
-    "@google-cloud/storage": "^1.6.0",
+    "@google-cloud/dns": "^0.7.2",
+    "@google-cloud/storage": "^1.7.0",
    "@sindresorhus/df": "^2.1.0",
-    "async": "^2.6.0",
-    "aws-sdk": "^2.201.0",
-    "body-parser": "^1.18.2",
-    "cloudron-manifestformat": "^2.11.0",
+    "async": "^2.6.1",
+    "aws-sdk": "^2.253.1",
+    "body-parser": "^1.18.3",
+    "cloudron-manifestformat": "^2.14.2",
+    "connect": "^3.6.6",
    "connect-ensure-login": "^0.1.1",
    "connect-lastmile": "^1.0.2",
    "connect-timeout": "^1.9.0",
    "cookie-parser": "^1.3.5",
    "cookie-session": "^1.3.2",
-    "cron": "^1.3.0",
+    "cron": "^1.5.1",
    "csurf": "^1.6.6",
-    "db-migrate": "^0.10.5",
+    "db-migrate": "^0.11.1",
    "db-migrate-mysql": "^1.1.10",
    "debug": "^3.1.0",
-    "dockerode": "^2.5.4",
-    "ejs": "^2.5.7",
-    "ejs-cli": "^2.0.0",
-    "express": "^4.16.2",
+    "dockerode": "^2.5.5",
+    "ejs": "^2.6.1",
+    "ejs-cli": "^2.0.1",
+    "express": "^4.16.3",
    "express-session": "^1.15.6",
-    "hat": "0.0.3",
    "json": "^9.0.3",
    "ldapjs": "^1.0.2",
    "lodash.chunk": "^4.2.0",
-    "mime": "^2.2.0",
-    "moment-timezone": "^0.5.14",
+    "mime": "^2.3.1",
+    "moment-timezone": "^0.5.17",
    "morgan": "^1.9.0",
-    "multiparty": "^4.1.2",
+    "multiparty": "^4.1.4",
    "mysql": "^2.15.0",
-    "nodemailer": "^4.6.0",
+    "nodemailer": "^4.6.5",
    "nodemailer-smtp-transport": "^2.7.4",
    "oauth2orize": "^1.11.0",
    "once": "^1.3.2",
@@ -55,57 +55,47 @@
    "passport-http-bearer": "^1.0.1",
    "passport-local": "^1.0.0",
    "passport-oauth2-client-password": "^0.1.2",
-    "password-generator": "^2.2.0",
    "progress-stream": "^2.0.0",
    "proxy-middleware": "^0.15.0",
-    "recursive-readdir": "^2.2.1",
-    "request": "^2.83.0",
-    "s3-block-read-stream": "^0.2.0",
+    "qrcode": "^1.2.0",
+    "readdirp": "^2.1.0",
+    "request": "^2.87.0",
+    "rimraf": "^2.6.2",
+    "s3-block-read-stream": "^0.5.0",
    "safetydance": "^0.7.1",
    "semver": "^5.5.0",
-    "showdown": "^1.8.2",
+    "showdown": "^1.8.6",
+    "speakeasy": "^2.0.0",
    "split": "^1.0.0",
-    "superagent": "^3.8.1",
-    "supererror": "^0.7.1",
-    "tar-fs": "^1.16.0",
-    "tar-stream": "^1.5.5",
+    "superagent": "^3.8.3",
+    "supererror": "^0.7.2",
+    "tar-fs": "^1.16.2",
+    "tar-stream": "^1.6.1",
    "tldjs": "^2.3.1",
-    "underscore": "^1.7.0",
+    "underscore": "^1.9.1",
    "uuid": "^3.2.1",
    "valid-url": "^1.0.9",
-    "validator": "^9.4.1",
-    "ws": "^3.3.3"
+    "validator": "^10.3.0",
+    "ws": "^5.2.0"
  },
  "devDependencies": {
-    "bootstrap-sass": "^3.3.3",
    "expect.js": "*",
-    "gulp": "^3.9.1",
-    "gulp-autoprefixer": "^4.0.0",
-    "gulp-concat": "^2.4.3",
-    "gulp-cssnano": "^2.1.0",
-    "gulp-ejs": "^3.1.0",
-    "gulp-sass": "^3.1.0",
-    "gulp-serve": "^1.0.0",
-    "gulp-sourcemaps": "^2.6.1",
-    "gulp-uglify": "^3.0.0",
    "hock": "^1.3.2",
    "istanbul": "*",
    "js2xmlparser": "^3.0.0",
-    "mocha": "^5.0.1",
+    "mocha": "^5.2.0",
    "mock-aws-s3": "git+https://github.com/cloudron-io/mock-aws-s3.git",
    "nock": "^9.0.14",
    "node-sass": "^4.6.1",
-    "readdirp": "https://registry.npmjs.org/readdirp/-/readdirp-2.1.0.tgz",
-    "yargs": "^10.1.2"
+    "recursive-readdir": "^2.2.2"
  },
  "scripts": {
    "migrate_local": "DATABASE_URL=mysql://root:@localhost/box node_modules/.bin/db-migrate up",
    "migrate_test": "BOX_ENV=test DATABASE_URL=mysql://root:@localhost/boxtest node_modules/.bin/db-migrate up",
-    "test": "npm run migrate_test && src/test/setupTest && BOX_ENV=test ./node_modules/istanbul/lib/cli.js test $1 ./node_modules/mocha/bin/_mocha -- --exit -R spec ./src/test ./src/routes/test/[^a]*",
-    "test_all": "npm run migrate_test && src/test/setupTest && BOX_ENV=test ./node_modules/istanbul/lib/cli.js test $1 ./node_modules/mocha/bin/_mocha -- --exit -R spec ./src/test ./src/routes/test",
+    "test": "npm run migrate_test && src/test/setupTest && BOX_ENV=test ./node_modules/istanbul/lib/cli.js test $1 ./node_modules/mocha/bin/_mocha -- --no-timeouts --exit -R spec ./src/test ./src/routes/test",
    "postmerge": "/bin/true",
    "precommit": "/bin/true",
    "prepush": "npm test",
-    "webadmin": "node_modules/.bin/gulp"
+    "dashboard": "node_modules/.bin/gulp"
  }
 }
@@ -0,0 +1,106 @@
+#!/bin/bash
+
+set -eu -o pipefail
+
+readonly curl="curl --fail --connect-timeout 20 --retry 10 --retry-delay 2 --max-time 2400 --http1.1"
+
+ip=""
+dns_config=""
+tls_cert_file=""
+tls_key_file=""
+license_file=""
+backup_config=""
+
+args=$(getopt -o "" -l "ip:,backup-config:,license:,dns-config:,tls-cert:,tls-key:" -n "$0" -- "$@")
+eval set -- "${args}"
+
+while true; do
+    case "$1" in
+    --ip) ip="$2"; shift 2;;
+    --dns-config) dns_config="$2"; shift 2;;
+    --tls-cert) tls_cert_file="$2"; shift 2;;
+    --tls-key) tls_key_file="$2"; shift 2;;
+    --license) license_file="$2"; shift 2;;
+    --backup-config) backup_config="$2"; shift 2;;
+    --) break;;
+    *) echo "Unknown option $1"; exit 1;;
+    esac
+done
+
+# validate arguments in the absence of data
+if [[ -z "${ip}" ]]; then
+    echo "--ip is required"
+    exit 1
+fi
+
+if [[ -z "${dns_config}" ]]; then
+    echo "--dns-config is required"
+    exit 1
+fi
+
+if [[ ! -f "${license_file}" ]]; then
+    echo "--license must be a valid license file"
+    exit 1
+fi
+
+function get_status() {
+    key="$1"
+    if status=$($curl -q -f -k "https://${ip}/api/v1/cloudron/status" 2>/dev/null); then
+        currentValue=$(echo "${status}" | python3 -c 'import sys, json; print(json.dumps(json.load(sys.stdin)[sys.argv[1]]))' "${key}")
+        echo "${currentValue}"
+        return 0
+    fi
+
+    return 1
+}
+
+function wait_for_status() {
+    key="$1"
+    expectedValue="$2"
+
+    echo "wait_for_status: $key to be $expectedValue"
+    while true; do
+        if currentValue=$(get_status "${key}"); then
+            echo "wait_for_status: $key is current: $currentValue expecting: $expectedValue"
+            if [[ "${currentValue}" == $expectedValue ]]; then
+                break
+            fi
+        fi
+        sleep 3
+    done
+}
+
+echo "=> Waiting for cloudron to be ready"
+wait_for_status "version" '*'
+
+domain=$(echo "${dns_config}" | python3 -c 'import json,sys;obj=json.load(sys.stdin);print(obj["domain"])')
+
+echo "Provisioning Cloudron ${domain}"
+if [[ -n "${tls_cert_file}" && -n "${tls_key_file}" ]]; then
+    tls_cert=$(cat "${tls_cert_file}" | awk '{printf "%s\\n", $0}')
+    tls_key=$(cat "${tls_key_file}" | awk '{printf "%s\\n", $0}')
+    fallback_cert=$(printf '{ "cert": "%s", "key": "%s", "provider": "fallback", "restricted": true }' "${tls_cert}" "${tls_key}")
+else
+    fallback_cert=None
+fi
+
+tls_config='{ "provider": "fallback" }'
+dns_config=$(echo "${dns_config}" | python3 -c "import json,sys;obj=json.load(sys.stdin);obj.update(tlsConfig=${tls_config});obj.update(fallbackCertficate=${fallback_cert});print(json.dumps(obj))")
+
+license=$(cat "${license_file}")
+
+if [[ -z "${backup_config:-}" ]]; then
+    backup_config='{ "provider": "filesystem", "backupFolder": "/var/backups", "format": "tgz" }'
+fi
+
+setupData=$(printf '{ "dnsConfig": %s, "autoconf": { "appstoreConfig": %s, "backupConfig": %s } }' "${dns_config}" "${license}" "${backup_config}")
+
+if ! setupResult=$($curl -kq -X POST -H "Content-Type: application/json" -d "${setupData}" https://${ip}/api/v1/cloudron/setup); then
+    echo "Failed to setup with ${setupData} ${setupResult}"
+    exit 1
+fi
+
+wait_for_status "webadminStatus" '*"tls": true*'
+
+echo "Cloudron is ready at https://my-${domain}"
+
@@ -2,19 +2,8 @@

 set -eu -o pipefail

-if [[ ${EUID} -ne 0 ]]; then
-    echo "This script should be run as root." > /dev/stderr
-    exit 1
-fi
-
-if [[ $(lsb_release -rs) != "16.04" ]]; then
-    echo "Cloudron requires Ubuntu 16.04" > /dev/stderr
-    exit 1
-fi
-
 # change this to a hash when we make a upgrade release
 readonly LOG_FILE="/var/log/cloudron-setup.log"
-readonly DATA_FILE="/root/cloudron-install-data.json"
 readonly MINIMUM_DISK_SIZE_GB="18" # this is the size of "/" and required to fit in docker images 18 is a safe bet for different reporting on 20GB min
 readonly MINIMUM_MEMORY="974"      # this is mostly reported for 1GB main memory (DO 992, EC2 990, Linode 989, Serverdiscounter.com 974)

@@ -46,48 +35,66 @@ if [[ "${disk_size_gb}" -lt "${MINIMUM_DISK_SIZE_GB}" ]]; then
    exit 1
 fi

+if systemctl -q is-active box; then
+    echo "Error: Cloudron is already installed. To reinstall, start afresh"
+    exit 1
+fi
+
 initBaseImage="true"
 # provisioning data
 provider=""
+edition=""
 requestedVersion=""
 apiServerOrigin="https://api.cloudron.io"
 webServerOrigin="https://cloudron.io"
-prerelease="false"
 sourceTarballUrl=""
 rebootServer="true"
 baseDataDir=""

-args=$(getopt -o "" -l "help,skip-baseimage-init,data-dir:,provider:,version:,env:,prerelease,skip-reboot" -n "$0" -- "$@")
+args=$(getopt -o "" -l "help,skip-baseimage-init,provider:,version:,env:,edition:,skip-reboot" -n "$0" -- "$@")
 eval set -- "${args}"

 while true; do
    case "$1" in
    --help) echo "See https://cloudron.io/documentation/installation/ on how to install Cloudron"; exit 0;;
    --provider) provider="$2"; shift 2;;
+    --edition) edition="$2"; shift 2;;
    --version) requestedVersion="$2"; shift 2;;
    --env)
        if [[ "$2" == "dev" ]]; then
            apiServerOrigin="https://api.dev.cloudron.io"
            webServerOrigin="https://dev.cloudron.io"
-            prerelease="true"
        elif [[ "$2" == "staging" ]]; then
            apiServerOrigin="https://api.staging.cloudron.io"
            webServerOrigin="https://staging.cloudron.io"
-            prerelease="true"
        fi
        shift 2;;
    --skip-baseimage-init) initBaseImage="false"; shift;;
    --skip-reboot) rebootServer="false"; shift;;
-    --prerelease) prerelease="true"; shift;;
-    --data-dir) baseDataDir=$(realpath "$2"); shift 2;;
    --) break;;
    *) echo "Unknown option $1"; exit 1;;
    esac
 done

+# Only --help works as non-root
+if [[ ${EUID} -ne 0 ]]; then
+    echo "This script should be run as root." > /dev/stderr
+    exit 1
+fi
+
+# Only --help works with mismatched ubuntu
+ubuntu_version=$(lsb_release -rs)
+if [[ "${ubuntu_version}" != "16.04" && "${ubuntu_version}" != "18.04" ]]; then
+    echo "Cloudron requires Ubuntu 16.04 or 18.04" > /dev/stderr
+    exit 1
+fi
+
+# Can only write after we have confirmed script has root access
+echo "Running cloudron-setup with args : $@" > "${LOG_FILE}"
+
 # validate arguments in the absence of data
 if [[ -z "${provider}" ]]; then
-    echo "--provider is required (azure, cloudscale, digitalocean, ec2, exoscale, hetzner, lightsail, linode, ovh, rosehosting, scaleway, vultr or generic)"
+    echo "--provider is required (azure, digitalocean, ec2, exoscale, gce, hetzner, lightsail, linode, netcup, ovh, rosehosting, scaleway, vultr or generic)"
    exit 1
 elif [[  \
            "${provider}" != "ami" && \
@@ -97,17 +104,20 @@ elif [[  \
            "${provider}" != "digitalocean" && \
            "${provider}" != "ec2" && \
            "${provider}" != "exoscale" && \
+            "${provider}" != "galaxygate" && \
+            "${provider}" != "digitalocean" && \
            "${provider}" != "gce" && \
            "${provider}" != "hetzner" && \
            "${provider}" != "lightsail" && \
            "${provider}" != "linode" && \
+            "${provider}" != "netcup" && \
            "${provider}" != "ovh" && \
            "${provider}" != "rosehosting" && \
            "${provider}" != "scaleway" && \
            "${provider}" != "vultr" && \
            "${provider}" != "generic" \
        ]]; then
-    echo "--provider must be one of: azure, cloudscale.ch, digitalocean, ec2, exoscale, gce, hetzner, lightsail, linode, ovh, rosehosting, scaleway, vultr or generic"
+    echo "--provider must be one of: azure, cloudscale.ch, digitalocean, ec2, exoscale, galaxygate, gce, hetzner, lightsail, linode, netcup, ovh, rosehosting, scaleway, vultr or generic"
    exit 1
 fi

@@ -128,20 +138,26 @@ echo " Join us at https://forum.cloudron.io for any questions."
 echo ""

 if [[ "${initBaseImage}" == "true" ]]; then
+    echo "=> Ensure required apt sources"
+    if ! add-apt-repository universe &>> "${LOG_FILE}"; then
+        echo "Could not add required apt sources (for nginx-full). See ${LOG_FILE}"
+        exit 1
+    fi
+
    echo "=> Updating apt and installing script dependencies"
    if ! apt-get update &>> "${LOG_FILE}"; then
-        echo "Could not update package repositories"
+        echo "Could not update package repositories. See ${LOG_FILE}"
        exit 1
    fi

    if ! apt-get install curl python3 ubuntu-standard -y &>> "${LOG_FILE}"; then
-        echo "Could not install setup dependencies (curl)"
+        echo "Could not install setup dependencies (curl). See ${LOG_FILE}"
        exit 1
    fi
 fi

 echo "=> Checking version"
-if ! releaseJson=$($curl -s "${apiServerOrigin}/api/v1/releases?prerelease=${prerelease}&boxVersion=${requestedVersion}"); then
+if ! releaseJson=$($curl -s "${apiServerOrigin}/api/v1/releases?boxVersion=${requestedVersion}"); then
    echo "Failed to get release information"
    exit 1
 fi
@@ -157,18 +173,6 @@ if ! sourceTarballUrl=$(echo "${releaseJson}" | python3 -c 'import json,sys;obj=
    exit 1
 fi

-# Build data
-# from 1.9, we use autoprovision.json
-data=$(cat <<EOF
-{
-    "provider": "${provider}",
-    "apiServerOrigin": "${apiServerOrigin}",
-    "webServerOrigin": "${webServerOrigin}",
-    "version": "${version}"
-}
-EOF
-)
-
 echo "=> Downloading version ${version} ..."
 box_src_tmp_dir=$(mktemp -dt box-src-XXXXXX)

@@ -186,13 +190,44 @@ if [[ "${initBaseImage}" == "true" ]]; then
    echo ""
 fi

+# NOTE: this install script only supports 3.x and above
 echo "=> Installing version ${version} (this takes some time) ..."
-echo "${data}" > "${DATA_FILE}"
-if ! /bin/bash "${box_src_tmp_dir}/scripts/installer.sh" --data-file "${DATA_FILE}" --data-dir "${baseDataDir}" &>> "${LOG_FILE}"; then
-    echo "Failed to install cloudron. See ${LOG_FILE} for details"
-    exit 1
+if [[ "${version}" =~ 3\.[0-2]+\.[0-9]+ ]]; then
+    readonly DATA_FILE="/root/cloudron-install-data.json"
+    data=$(cat <<EOF
+{
+    "provider": "${provider}",
+    "edition": "${edition}",
+    "apiServerOrigin": "${apiServerOrigin}",
+    "webServerOrigin": "${webServerOrigin}",
+    "version": "${version}"
+}
+EOF
+)
+    echo "${data}" > "${DATA_FILE}"
+
+    if ! /bin/bash "${box_src_tmp_dir}/scripts/installer.sh" --data-file "${DATA_FILE}" &>> "${LOG_FILE}"; then
+        echo "Failed to install cloudron. See ${LOG_FILE} for details"
+        exit 1
+    fi
+
+    rm "${DATA_FILE}"
+else
+    mkdir -p /etc/cloudron
+    cat > "/etc/cloudron/cloudron.conf" <<CONF_END
+{
+    "apiServerOrigin": "${apiServerOrigin}",
+    "webServerOrigin": "${webServerOrigin}",
+    "provider": "${provider}",
+    "edition": "${edition}"
+}
+CONF_END
+
+    if ! /bin/bash "${box_src_tmp_dir}/scripts/installer.sh" &>> "${LOG_FILE}"; then
+        echo "Failed to install cloudron. See ${LOG_FILE} for details"
+        exit 1
+    fi
 fi
-rm "${DATA_FILE}"

 echo -n "=> Waiting for cloudron to be ready (this takes some time) ..."
 while true; do
@@ -203,10 +238,15 @@ while true; do
    sleep 10
 done

-echo -e "\n\n${GREEN}Visit https://<IP> to finish setup once the server has rebooted.${DONE}"
+echo -e "\n\n${GREEN}Visit https://<IP> and accept the self-signed certificate to finish setup.${DONE}\n"

 if [[ "${rebootServer}" == "true" ]]; then
-    echo -e "\nRebooting this server now to let changes take effect.\n"
-    systemctl stop mysql # sometimes mysql ends up having corrupt privilege tables
-    systemctl reboot
+    systemctl stop box mysql # sometimes mysql ends up having corrupt privilege tables
+
+    read -p "This server has to rebooted to apply all the settings. Reboot now ? [Y/n] " yn
+    yn=${yn:-y}
+    case $yn in
+        [Yy]* ) systemctl reboot;;
+        * ) exit;;
+    esac
 fi
@@ -0,0 +1,115 @@
+#!/bin/bash
+
+# This script collects diagnostic information to help debug server related issues
+# It also enables SSH access for the cloudron support team
+
+PASTEBIN="https://paste.cloudron.io"
+OUT="/tmp/cloudron-support.log"
+LINE="\n========================================================\n"
+CLOUDRON_SUPPORT_PUBLIC_KEY="ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDQVilclYAIu+ioDp/sgzzFz6YU0hPcRYY7ze/LiF/lC7uQqK062O54BFXTvQ3ehtFZCx3bNckjlT2e6gB8Qq07OM66De4/S/g+HJW4TReY2ppSPMVNag0TNGxDzVH8pPHOysAm33LqT2b6L/wEXwC6zWFXhOhHjcMqXvi8Ejaj20H1HVVcf/j8qs5Thkp9nAaFTgQTPu8pgwD8wDeYX1hc9d0PYGesTADvo6HF4hLEoEnefLw7PaStEbzk2fD3j7/g5r5HcgQQXBe74xYZ/1gWOX2pFNuRYOBSEIrNfJEjFJsqk3NR1+ZoMGK7j+AZBR4k0xbrmncQLcQzl6MMDzkp support@cloudron.io"
+HELP_MESSAGE="
+This script collects diagnostic information to help debug server related issues
+
+ Options:
+   --enable-ssh    Enable SSH access for the Cloudron support team
+   --help          Show this message
+"
+
+# We require root
+if [[ ${EUID} -ne 0 ]]; then
+    echo "This script should be run as root." > /dev/stderr
+    exit 1
+fi
+
+enableSSH="false"
+
+args=$(getopt -o "" -l "help,enable-ssh" -n "$0" -- "$@")
+eval set -- "${args}"
+
+while true; do
+    case "$1" in
+    --help) echo -e "${HELP_MESSAGE}"; exit 0;;
+    --enable-ssh) enableSSH="true"; shift;;
+    --) break;;
+    *) echo "Unknown option $1"; exit 1;;
+    esac
+done
+
+# check if at least 10mb root partition space is available
+if [[ "`df --output="avail" / | sed -n 2p`" -lt "10240" ]]; then
+    echo "No more space left on /"
+    echo "This is likely the root case of the issue. Free up some space and also check other partitions below:"
+    echo ""
+    df -h
+    echo ""
+    echo "To recover from a full disk, follow the guide at https://cloudron.io/documentation/server/#recovery-after-disk-full"
+    exit 1
+fi
+
+# check for at least 5mb free /tmp space for the log file
+if [[ "`df --output="avail" /tmp | sed -n 2p`" -lt "5120" ]]; then
+    echo "Not enough space left on /tmp"
+    echo "Free up some space first by deleting files from /tmp"
+    exit 1
+fi
+
+echo -n "Generating Cloudron Support stats..."
+
+# clear file
+rm -rf $OUT
+
+ssh_port=$(cat /etc/ssh/sshd_config | grep "Port " | sed -e "s/.*Port //")
+if [[ $SUDO_USER == "" ]]; then
+    ssh_user="root"
+    ssh_folder="/root/.ssh/"
+    authorized_key_file="${ssh_folder}/authorized_keys"
+else
+    ssh_user="$SUDO_USER"
+    ssh_folder="/home/$SUDO_USER/.ssh/"
+    authorized_key_file="${ssh_folder}/authorized_keys"
+fi
+
+echo -e $LINE"SSH"$LINE >> $OUT
+echo "Username: ${ssh_user}" >> $OUT
+echo "Port:     ${ssh_port}" >> $OUT
+
+echo -e $LINE"cloudron.conf"$LINE >> $OUT
+cat /etc/cloudron/cloudron.conf &>> $OUT
+
+echo -e $LINE"Docker container"$LINE >> $OUT
+if ! timeout --kill-after 10s 15s docker ps -a &>> $OUT 2>&1; then
+    echo -e "Docker is not responding" >> $OUT
+fi
+
+echo -e $LINE"Filesystem stats"$LINE >> $OUT
+df -h &>> $OUT
+
+echo -e $LINE"System daemon status"$LINE >> $OUT
+systemctl status --lines=100 cloudron.target box mysql unbound cloudron-syslog nginx collectd docker &>> $OUT
+
+echo -e $LINE"Box logs"$LINE >> $OUT
+tail -n 100 /home/yellowtent/platformdata/logs/box.log &>> $OUT
+
+echo -e $LINE"Firewall chains"$LINE >> $OUT
+iptables -L &>> $OUT
+
+echo "Done"
+
+echo -n "Uploading information..."
+# for some reason not using $(cat $OUT) will not contain newlines!?
+paste_key=$(curl -X POST ${PASTEBIN}/documents --silent -d "$(cat $OUT)" | python3 -c "import sys, json; print(json.load(sys.stdin)['key'])")
+echo "Done"
+
+if [[ "${enableSSH}" == "true" ]]; then
+    echo -n "Enabling ssh access for the Cloudron support team..."
+    mkdir -p "${ssh_folder}"
+    echo "${CLOUDRON_SUPPORT_PUBLIC_KEY}" >> ${authorized_key_file}
+    chown -R ${ssh_user} "${ssh_folder}"
+    chmod 600 "${authorized_key_file}"
+    echo "Done"
+fi
+
+echo ""
+echo "Please email the following link to support@cloudron.io"
+echo ""
+echo "${PASTEBIN}/${paste_key}"
@@ -7,21 +7,28 @@ set -eu
 [[ $(uname -s) == "Darwin" ]] && GNU_GETOPT="/usr/local/opt/gnu-getopt/bin/getopt" || GNU_GETOPT="getopt"
 readonly GNU_GETOPT

-args=$(${GNU_GETOPT} -o "" -l "output:" -n "$0" -- "$@")
+args=$(${GNU_GETOPT} -o "" -l "output:,version:" -n "$0" -- "$@")
 eval set -- "${args}"

 readonly SOURCE_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"

 bundle_file=""
+version=""

 while true; do
    case "$1" in
    --output) bundle_file="$2"; shift 2;;
+    --version) version="$2"; shift 2;;
    --) break;;
    *) echo "Unknown option $1"; exit 1;;
    esac
 done

+if [[ -z "${version}" ]]; then
+    echo "--version is required"
+    exit 1
+fi
+
 readonly TMPDIR=${TMPDIR:-/tmp} # why is this not set on mint?

 if ! $(cd "${SOURCE_DIR}" && git diff --exit-code >/dev/null); then
@@ -29,69 +36,49 @@ if ! $(cd "${SOURCE_DIR}" && git diff --exit-code >/dev/null); then
    exit 1
 fi

-if ! $(cd "${SOURCE_DIR}/../webadmin" && git diff --exit-code >/dev/null); then
-    echo "You have local changes in webadmin, stash or commit them to proceed"
+if ! $(cd "${SOURCE_DIR}/../dashboard" && git diff --exit-code >/dev/null); then
+    echo "You have local changes in dashboard, stash or commit them to proceed"
    exit 1
 fi

-if [[ "$(node --version)" != "v8.9.3" ]]; then
-    echo "This script requires node 8.9.3"
+if [[ "$(node --version)" != "v8.11.2" ]]; then
+    echo "This script requires node 8.11.2"
    exit 1
 fi

 box_version=$(cd "${SOURCE_DIR}" && git rev-parse "HEAD")
 branch=$(git rev-parse --abbrev-ref HEAD)
-if [[ "${branch}" == "master" ]]; then
-    webadmin_version=$(cd "${SOURCE_DIR}/../webadmin" && git rev-parse "${branch}")
-else
-    webadmin_version=$(cd "${SOURCE_DIR}/../webadmin" && git fetch && git rev-parse "origin/${branch}")
-fi
+dashboard_version=$(cd "${SOURCE_DIR}/../dashboard" && git fetch && git rev-parse "${branch}")
 bundle_dir=$(mktemp -d -t box 2>/dev/null || mktemp -d box-XXXXXXXXXX --tmpdir=$TMPDIR)
-[[ -z "$bundle_file" ]] && bundle_file="${TMPDIR}/box-${box_version:0:10}-${webadmin_version:0:10}.tar.gz"
+[[ -z "$bundle_file" ]] && bundle_file="${TMPDIR}/box-${box_version:0:10}-${dashboard_version:0:10}-${version}.tar.gz"

 chmod "o+rx,g+rx" "${bundle_dir}" # otherwise extracted tarball director won't be readable by others/group
-echo "Checking out code box version [${box_version}] and webadmin version [${webadmin_version}] into ${bundle_dir}"
+echo "==> Checking out code box version [${box_version}] and dashboard version [${dashboard_version}] into ${bundle_dir}"
 (cd "${SOURCE_DIR}" && git archive --format=tar ${box_version} | (cd "${bundle_dir}" && tar xf -))
-(cd "${SOURCE_DIR}/../webadmin" && git archive --format=tar ${webadmin_version} | (cd "${bundle_dir}" && tar xf -))
-(cp "${SOURCE_DIR}/../webadmin/LICENSE" "${bundle_dir}")
+(cd "${SOURCE_DIR}/../dashboard" && git archive --format=tar ${dashboard_version} | (mkdir -p "${bundle_dir}/dashboard.build" && cd "${bundle_dir}/dashboard.build" && tar xf -))
+(cp "${SOURCE_DIR}/../dashboard/LICENSE" "${bundle_dir}")
+echo "${version}" > "${bundle_dir}/VERSION"

-if diff "${TMPDIR}/boxtarball.cache/package-lock.json.all" "${bundle_dir}/package-lock.json" >/dev/null 2>&1; then
-    echo "Reusing dev modules from cache"
-    cp -r "${TMPDIR}/boxtarball.cache/node_modules-all/." "${bundle_dir}/node_modules"
-else
-    echo "Installing modules with dev dependencies"
-    (cd "${bundle_dir}" && npm install)
+echo "==> Installing modules for dashboard asset generation"
+(cd "${bundle_dir}/dashboard.build" && npm install --production)

-    echo "Caching dev dependencies"
-    mkdir -p "${TMPDIR}/boxtarball.cache/node_modules-all"
-    rsync -a --delete "${bundle_dir}/node_modules/" "${TMPDIR}/boxtarball.cache/node_modules-all/"
-    cp "${bundle_dir}/package-lock.json" "${TMPDIR}/boxtarball.cache/package-lock.json.all"
-fi
+echo "==> Building dashboard assets"
+(cd "${bundle_dir}/dashboard.build" && ./node_modules/.bin/gulp --revision ${dashboard_version})

-echo "Building webadmin assets"
-(cd "${bundle_dir}" && ./node_modules/.bin/gulp)
+echo "==> Move built dashboard assets into destination"
+mkdir -p "${bundle_dir}/dashboard"
+mv "${bundle_dir}/dashboard.build/dist" "${bundle_dir}/dashboard/"

-echo "Remove intermediate files required at build-time only"
-rm -rf "${bundle_dir}/node_modules/"
-rm -rf "${bundle_dir}/webadmin/src"
-rm -rf "${bundle_dir}/gulpfile.js"
+echo "==> Cleanup dashboard build artifacts"
+rm -rf "${bundle_dir}/dashboard.build"

-if diff "${TMPDIR}/boxtarball.cache/package-lock.json.prod" "${bundle_dir}/package-lock.json" >/dev/null 2>&1; then
-    echo "Reusing prod modules from cache"
-    cp -r "${TMPDIR}/boxtarball.cache/node_modules-prod/." "${bundle_dir}/node_modules"
-else
-    echo "Installing modules for production"
-    (cd "${bundle_dir}" && npm install --production --no-optional)
+echo "==> Installing toplevel node modules"
+(cd "${bundle_dir}" && npm install --production --no-optional)

-    echo "Caching prod dependencies"
-    mkdir -p "${TMPDIR}/boxtarball.cache/node_modules-prod"
-    rsync -a --delete "${bundle_dir}/node_modules/" "${TMPDIR}/boxtarball.cache/node_modules-prod/"
-    cp "${bundle_dir}/package-lock.json" "${TMPDIR}/boxtarball.cache/package-lock.json.prod"
-fi
-
-echo "Create final tarball"
+echo "==> Create final tarball"
 (cd "${bundle_dir}" && tar czf "${bundle_file}" .)
-echo "Cleaning up ${bundle_dir}"
+
+echo "==> Cleaning up ${bundle_dir}"
 rm -rf "${bundle_dir}"

-echo "Tarball saved at ${bundle_file}"
+echo "==> Tarball saved at ${bundle_file}"
@@ -1,5 +1,9 @@
 #!/bin/bash

+# This script is run before the box code is switched. This means that we can
+# put network related/curl downloads here. If the script fails, the old code
+# will continue to run
+
 set -eu -o pipefail

 if [[ ${EUID} -ne 0 ]]; then
@@ -10,36 +14,19 @@ fi
 readonly USER=yellowtent
 readonly BOX_SRC_DIR=/home/${USER}/box
 readonly BASE_DATA_DIR=/home/${USER}
-readonly CLOUDRON_CONF=/home/yellowtent/configs/cloudron.conf

 readonly curl="curl --fail --connect-timeout 20 --retry 10 --retry-delay 2 --max-time 2400"
 readonly script_dir="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
 readonly box_src_tmp_dir="$(realpath ${script_dir}/..)"

-readonly is_update=$([[ -f "${CLOUDRON_CONF}" ]] && echo "yes" || echo "no")
-
-arg_data=""
-arg_data_dir=""
-
-args=$(getopt -o "" -l "data:,data-file:,data-dir:" -n "$0" -- "$@")
-eval set -- "${args}"
-
-while true; do
-    case "$1" in
-    --data) arg_data="$2"; shift 2;;
-    --data-file) arg_data=$(cat $2); shift 2;;
-    --data-dir) arg_data_dir="$2"; shift 2;;
-    --) break;;
-    *) echo "Unknown option $1"; exit 1;;
-    esac
-done
+readonly is_update=$(systemctl is-active box && echo "yes" || echo "no")

 echo "==> installer: updating docker"
-if [[ $(docker version --format {{.Client.Version}}) != "17.09.0-ce" ]]; then
-    $curl -sL https://download.docker.com/linux/ubuntu/dists/xenial/pool/stable/amd64/docker-ce_17.09.0~ce-0~ubuntu_amd64.deb -o /tmp/docker.deb
+if [[ $(docker version --format {{.Client.Version}}) != "18.03.1-ce" ]]; then
+    $curl -sL https://download.docker.com/linux/ubuntu/dists/xenial/pool/stable/amd64/docker-ce_18.03.1~ce-0~ubuntu_amd64.deb -o /tmp/docker.deb

    # https://download.docker.com/linux/ubuntu/dists/xenial/stable/binary-amd64/Packages
-    if [[ $(sha256sum /tmp/docker.deb | cut -d' ' -f1) != "d33f6eb134f0ab0876148bd96de95ea47d583d7f2cddfdc6757979453f9bd9bf" ]]; then
+    if [[ $(sha256sum /tmp/docker.deb | cut -d' ' -f1) != "54f4c9268492a4fd2ec2e6bcc95553855b025f35dcc8b9f60ac34e0aa307279b" ]]; then
        echo "==> installer: docker binary download is corrupt"
        exit 5
    fi
@@ -54,6 +41,12 @@ if [[ $(docker version --format {{.Client.Version}}) != "17.09.0-ce" ]]; then
        sleep 1
    done

+    # the latest docker might need newer packages
+    while ! apt update -y; do
+        echo "==> installer: Failed to update packages. Retry"
+        sleep 1
+    done
+
    while ! apt install -y /tmp/docker.deb; do
        echo "==> installer: Failed to install docker. Retry"
        sleep 1
@@ -63,14 +56,15 @@ if [[ $(docker version --format {{.Client.Version}}) != "17.09.0-ce" ]]; then
 fi

 echo "==> installer: updating node"
-if [[ "$(node --version)" != "v8.9.3" ]]; then
-    mkdir -p /usr/local/node-8.9.3
-    $curl -sL https://nodejs.org/dist/v8.9.3/node-v8.9.3-linux-x64.tar.gz | tar zxvf - --strip-components=1 -C /usr/local/node-8.9.3
-    ln -sf /usr/local/node-8.9.3/bin/node /usr/bin/node
-    ln -sf /usr/local/node-8.9.3/bin/npm /usr/bin/npm
+if [[ "$(node --version)" != "v8.11.2" ]]; then
+    mkdir -p /usr/local/node-8.11.2
+    $curl -sL https://nodejs.org/dist/v8.11.2/node-v8.11.2-linux-x64.tar.gz | tar zxvf - --strip-components=1 -C /usr/local/node-8.11.2
+    ln -sf /usr/local/node-8.11.2/bin/node /usr/bin/node
+    ln -sf /usr/local/node-8.11.2/bin/npm /usr/bin/npm
    rm -rf /usr/local/node-6.11.5
 fi

+# this is here (and not in updater.js) because rebuild requires the above node
 for try in `seq 1 10`; do
    # for reasons unknown, the dtrace package will fail. but rebuilding second time will work

@@ -87,6 +81,33 @@ if [[ ${try} -eq 10 ]]; then
    exit 4
 fi

+echo "==> installer: downloading new addon images"
+images=$(node -e "var i = require('${box_src_tmp_dir}/src/infra_version.js'); console.log(i.baseImages.map(function (x) { return x.tag; }).join(' '), Object.keys(i.images).map(function (x) { return i.images[x].tag; }).join(' '));")
+
+echo -e "\tPulling docker images: ${images}"
+for image in ${images}; do
+    if ! docker pull "${image}"; then           # this pulls the image using the sha256
+        echo "==> installer: Could not pull ${image}"
+        exit 5
+    fi
+    if ! docker pull "${image%@sha256:*}"; then  # this will tag the image for readability
+        echo "==> installer: Could not pull ${image%@sha256:*}"
+        exit 6
+   fi
+done
+
+echo "==> installer: update cloudron-syslog"
+CLOUDRON_SYSLOG_DIR=/usr/local/cloudron-syslog
+CLOUDRON_SYSLOG="${CLOUDRON_SYSLOG_DIR}/bin/cloudron-syslog"
+CLOUDRON_SYSLOG_VERSION="1.0.3"
+while [[ ! -f "${CLOUDRON_SYSLOG}" || "$(${CLOUDRON_SYSLOG} --version)" != ${CLOUDRON_SYSLOG_VERSION} ]]; do
+    rm -rf "${CLOUDRON_SYSLOG_DIR}"
+    mkdir -p "${CLOUDRON_SYSLOG_DIR}"
+    if npm install --unsafe-perm -g --prefix "${CLOUDRON_SYSLOG_DIR}" cloudron-syslog@${CLOUDRON_SYSLOG_VERSION}; then break; fi
+    echo "===> installer: Failed to install cloudron-syslog, trying again"
+    sleep 5
+done
+
 if ! id "${USER}" 2>/dev/null; then
    useradd "${USER}" -m
 fi
@@ -96,15 +117,6 @@ if [[ "${is_update}" == "yes" ]]; then
    ${BOX_SRC_DIR}/setup/stop.sh
 fi

-# setup links to data directory
-if [[ -n "${arg_data_dir}" ]]; then
-    echo "==> installer: setting up links to data directory"
-    mkdir "${arg_data_dir}/appsdata"
-    ln -s "${arg_data_dir}/appsdata" "${BASE_DATA_DIR}/appsdata"
-    mkdir "${arg_data_dir}/platformdata"
-    ln -s "${arg_data_dir}/platformdata" "${BASE_DATA_DIR}/platformdata"
-fi
-
 # ensure we are not inside the source directory, which we will remove now
 cd /root

@@ -114,4 +126,4 @@ mv "${box_src_tmp_dir}" "${BOX_SRC_DIR}"
 chown -R "${USER}:${USER}" "${BOX_SRC_DIR}"

 echo "==> installer: calling box setup script"
-"${BOX_SRC_DIR}/setup/start.sh" --data "${arg_data}"
+"${BOX_SRC_DIR}/setup/start.sh"
@@ -1,71 +0,0 @@
-#!/bin/bash
-
-source_dir="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
-json="${source_dir}/../node_modules/.bin/json"
-
-arg_api_server_origin=""
-arg_fqdn=""         # remove after 1.10
-arg_admin_domain=""
-arg_admin_location=""
-arg_admin_fqdn=""
-arg_retire_reason=""
-arg_retire_info=""
-arg_version=""
-arg_web_server_origin=""
-arg_provider=""
-arg_is_demo="false"
-
-args=$(getopt -o "" -l "data:,retire-reason:,retire-info:" -n "$0" -- "$@")
-eval set -- "${args}"
-
-while true; do
-    case "$1" in
-    --retire-reason)
-        arg_retire_reason="$2"
-        shift 2
-        ;;
-    --retire-info)
-        arg_retire_info="$2"
-        shift 2
-        ;;
-    --data)
-        # these params must be valid in all cases
-        arg_fqdn=$(echo "$2" | $json fqdn)
-        arg_admin_fqdn=$(echo "$2" | $json adminFqdn)
-
-        arg_admin_location=$(echo "$2" | $json adminLocation)
-        [[ "${arg_admin_location}" == "" ]] && arg_admin_location="my"
-
-        arg_admin_domain=$(echo "$2" | $json adminDomain)
-        [[ "${arg_admin_domain}" == "" ]] && arg_admin_domain="${arg_fqdn}"
-
-        # only update/restore have this valid (but not migrate)
-        arg_api_server_origin=$(echo "$2" | $json apiServerOrigin)
-        [[ "${arg_api_server_origin}" == "" ]] && arg_api_server_origin="https://api.cloudron.io"
-        arg_web_server_origin=$(echo "$2" | $json webServerOrigin)
-        [[ "${arg_web_server_origin}" == "" ]] && arg_web_server_origin="https://cloudron.io"
-
-        # TODO check if and where this is used
-        arg_version=$(echo "$2" | $json version)
-
-        # read possibly empty parameters here
-        arg_is_demo=$(echo "$2" | $json isDemo)
-        [[ "${arg_is_demo}" == "" ]] && arg_is_demo="false"
-
-        arg_provider=$(echo "$2" | $json provider)
-        [[ "${arg_provider}" == "" ]] && arg_provider="generic"
-
-        shift 2
-        ;;
-    --) break;;
-    *) echo "Unknown option $1"; exit 1;;
-    esac
-done
-
-echo "Parsed arguments:"
-echo "api server: ${arg_api_server_origin}"
-echo "admin fqdn: ${arg_admin_fqdn}"
-echo "fqdn: ${arg_fqdn}"
-echo "version: ${arg_version}"
-echo "web server: ${arg_web_server_origin}"
-echo "provider: ${arg_provider}"
@@ -2,6 +2,9 @@

 set -eu -o pipefail

+# This script is run after the box code is switched. This means that this script
+# should pretty much always succeed. No network logic/download code here.
+
 echo "==> Cloudron Start"

 readonly USER="yellowtent"
@@ -12,17 +15,8 @@ readonly APPS_DATA_DIR="${HOME_DIR}/appsdata" # app data
 readonly BOX_DATA_DIR="${HOME_DIR}/boxdata" # box data
 readonly CONFIG_DIR="${HOME_DIR}/configs"

-readonly curl="curl --fail --connect-timeout 20 --retry 10 --retry-delay 2 --max-time 2400"
-
 readonly script_dir="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
-
-source "${script_dir}/argparser.sh" "$@" # this injects the arg_* variables used below
-
-echo "==> Configuring host"
-sed -e 's/^#NTP=/NTP=0.ubuntu.pool.ntp.org 1.ubuntu.pool.ntp.org 2.ubuntu.pool.ntp.org 3.ubuntu.pool.ntp.org/' -i /etc/systemd/timesyncd.conf
-timedatectl set-ntp 1
-timedatectl set-timezone UTC
-hostnamectl set-hostname "${arg_admin_fqdn}"
+readonly json="$(realpath ${script_dir}/../node_modules/.bin/json)"

 echo "==> Configuring docker"
 cp "${script_dir}/start/docker-cloudron-app.apparmor" /etc/apparmor.d/docker-cloudron-app
@@ -48,19 +42,6 @@ if [[ ! -f /etc/systemd/system/docker.service.d/cloudron.conf ]] || ! diff -q /e
 fi
 docker network create --subnet=172.18.0.0/16 cloudron || true

-# caas has ssh on port 202 and we disable password login
-if [[ "${arg_provider}" == "caas" ]]; then
-    # https://stackoverflow.com/questions/4348166/using-with-sed on why ? must be escaped
-    sed -e 's/^#\?PermitRootLogin .*/PermitRootLogin without-password/g' \
-        -e 's/^#\?PermitEmptyPasswords .*/PermitEmptyPasswords no/g' \
-        -e 's/^#\?PasswordAuthentication .*/PasswordAuthentication no/g' \
-        -e 's/^#\?Port .*/Port 202/g' \
-        -i /etc/ssh/sshd_config
-
-    # required so we can connect to this machine since port 22 is blocked by iptables by now
-    systemctl reload sshd
-fi
-
 mkdir -p "${BOX_DATA_DIR}"
 mkdir -p "${APPS_DATA_DIR}"

@@ -71,11 +52,14 @@ mkdir -p "${PLATFORM_DATA_DIR}/graphite"
 mkdir -p "${PLATFORM_DATA_DIR}/mysql"
 mkdir -p "${PLATFORM_DATA_DIR}/postgresql"
 mkdir -p "${PLATFORM_DATA_DIR}/mongodb"
+mkdir -p "${PLATFORM_DATA_DIR}/redis"
 mkdir -p "${PLATFORM_DATA_DIR}/addons/mail"
 mkdir -p "${PLATFORM_DATA_DIR}/collectd/collectd.conf.d"
 mkdir -p "${PLATFORM_DATA_DIR}/logrotate.d"
 mkdir -p "${PLATFORM_DATA_DIR}/acme"
 mkdir -p "${PLATFORM_DATA_DIR}/backup"
+mkdir -p "${PLATFORM_DATA_DIR}/logs/backup" "${PLATFORM_DATA_DIR}/logs/updater" "${PLATFORM_DATA_DIR}/logs/tasks"
+mkdir -p "${PLATFORM_DATA_DIR}/update"

 mkdir -p "${BOX_DATA_DIR}/appicons"
 mkdir -p "${BOX_DATA_DIR}/certs"
@@ -107,6 +91,11 @@ setfacl -n -m u:${USER}:r /var/log/journal/*/system.journal
 echo "==> Creating config directory"
 mkdir -p "${CONFIG_DIR}"

+# remove old cloudron.conf. Can be removed after 3.4
+rm -f "${CONFIG_DIR}/cloudron.conf"
+$json -f /etc/cloudron/cloudron.conf -I -e "delete this.version" # remove the version field
+chown -R "${USER}" /etc/cloudron
+
 echo "==> Setting up unbound"
 # DO uses Google nameservers by default. This causes RBL queries to fail (host 2.0.0.127.zen.spamhaus.org)
 # We do not use dnsmasq because it is not a recursive resolver and defaults to the value in the interfaces file (which is Google DNS!)
@@ -120,6 +109,7 @@ echo "==> Adding systemd services"
 cp -r "${script_dir}/start/systemd/." /etc/systemd/system/
 systemctl daemon-reload
 systemctl enable unbound
+systemctl enable cloudron-syslog
 systemctl enable cloudron.target
 systemctl enable cloudron-firewall

@@ -132,6 +122,9 @@ systemctl enable --now cron
 # ensure unbound runs
 systemctl restart unbound

+# ensure cloudron-syslog runs
+systemctl restart cloudron-syslog
+
 echo "==> Configuring sudoers"
 rm -f /etc/sudoers.d/${USER}
 cp "${script_dir}/start/sudoers" /etc/sudoers.d/${USER}
@@ -146,6 +139,8 @@ echo "==> Configuring logrotate"
 if ! grep -q "^include ${PLATFORM_DATA_DIR}/logrotate.d" /etc/logrotate.conf; then
    echo -e "\ninclude ${PLATFORM_DATA_DIR}/logrotate.d\n" >> /etc/logrotate.conf
 fi
+cp "${script_dir}/start/box-logrotate" "${script_dir}/start/app-logrotate" "${PLATFORM_DATA_DIR}/logrotate.d/"
+chown root:root "${PLATFORM_DATA_DIR}/logrotate.d/box-logrotate" "${PLATFORM_DATA_DIR}/logrotate.d/app-logrotate"

 echo "==> Adding motd message for admins"
 cp "${script_dir}/start/cloudron-motd" /etc/update-motd.d/92-cloudron
@@ -163,14 +158,8 @@ if ! grep -q "^Restart=" /etc/systemd/system/multi-user.target.wants/nginx.servi
    echo -e "\n[Service]\nRestart=always\n" >> /etc/systemd/system/multi-user.target.wants/nginx.service
    systemctl daemon-reload
 fi
-# remove this migration after 1.10
-[[ -f /etc/nginx/cert/host.cert ]] && cp /etc/nginx/cert/host.cert "/etc/nginx/cert/${arg_admin_domain}.host.cert"
-[[ -f /etc/nginx/cert/host.key ]] && cp /etc/nginx/cert/host.key "/etc/nginx/cert/${arg_admin_domain}.host.key"
 systemctl start nginx

-# bookkeep the version as part of data
-echo "{ \"version\": \"${arg_version}\", \"apiServerOrigin\": \"${arg_api_server_origin}\" }" > "${BOX_DATA_DIR}/version"
-
 # restart mysql to make sure it has latest config
 if [[ ! -f /etc/mysql/mysql.cnf ]] || ! diff -q "${script_dir}/start/mysql.cnf" /etc/mysql/mysql.cnf >/dev/null; then
    # wait for all running mysql jobs
@@ -200,27 +189,6 @@ cd "${BOX_SRC_DIR}"
 BOX_ENV=cloudron DATABASE_URL=mysql://root:${mysql_root_password}@127.0.0.1/box "${BOX_SRC_DIR}/node_modules/.bin/db-migrate" up
 EOF

-echo "==> Creating cloudron.conf"
-cat > "${CONFIG_DIR}/cloudron.conf" <<CONF_END
-{
-    "version": "${arg_version}",
-    "apiServerOrigin": "${arg_api_server_origin}",
-    "webServerOrigin": "${arg_web_server_origin}",
-    "adminDomain": "${arg_admin_domain}",
-    "adminFqdn": "${arg_admin_fqdn}",
-    "adminLocation": "${arg_admin_location}",
-    "provider": "${arg_provider}",
-    "isDemo": ${arg_is_demo}
-}
-CONF_END
-
-echo "==> Creating config.json for webadmin"
-cat > "${BOX_SRC_DIR}/webadmin/dist/config.json" <<CONF_END
-{
-    "webServerOrigin": "${arg_web_server_origin}"
-}
-CONF_END
-
 if [[ ! -f "${BOX_DATA_DIR}/dhparams.pem" ]]; then
    echo "==> Generating dhparams (takes forever)"
    openssl dhparam -out "${BOX_DATA_DIR}/dhparams.pem" 2048
@@ -231,9 +199,14 @@ fi

 echo "==> Changing ownership"
 chown "${USER}:${USER}" -R "${CONFIG_DIR}"
-chown "${USER}:${USER}" -R "${PLATFORM_DATA_DIR}/nginx" "${PLATFORM_DATA_DIR}/collectd" "${PLATFORM_DATA_DIR}/logrotate.d" "${PLATFORM_DATA_DIR}/addons" "${PLATFORM_DATA_DIR}/acme" "${PLATFORM_DATA_DIR}/backup"
+# be careful of what is chown'ed here. subdirs like mysql,redis etc are owned by the containers and will stop working if perms change
+chown "${USER}:${USER}" -R "${PLATFORM_DATA_DIR}/nginx" "${PLATFORM_DATA_DIR}/collectd" "${PLATFORM_DATA_DIR}/addons" "${PLATFORM_DATA_DIR}/acme" "${PLATFORM_DATA_DIR}/backup" "${PLATFORM_DATA_DIR}/logs" "${PLATFORM_DATA_DIR}/update"
 chown "${USER}:${USER}" "${PLATFORM_DATA_DIR}/INFRA_VERSION" 2>/dev/null || true
 chown "${USER}:${USER}" "${PLATFORM_DATA_DIR}"
+chown "${USER}:${USER}" "${APPS_DATA_DIR}"
+
+# logrotate files have to be owned by root, this is here to fixup existing installations where we were resetting the owner to yellowtent
+chown root:root -R "${PLATFORM_DATA_DIR}/logrotate.d"

 # do not chown the boxdata/mail directory; dovecot gets upset
 chown "${USER}:${USER}" "${BOX_DATA_DIR}"
@@ -0,0 +1,10 @@
+# logrotate config for app logs
+
+/home/yellowtent/platformdata/logs/*/*.log {
+    # only keep one rotated file, we currently do not send that over the api
+    rotate 1
+    size 10M
+    # we never compress so we can simply tail the files
+    nocompress
+    copytruncate
+}
@@ -0,0 +1,9 @@
+# logrotate config for box logs
+
+/home/yellowtent/platformdata/logs/box.log {
+    rotate 10
+    size 10M
+    # we never compress so we can simply tail the files
+    nocompress
+    copytruncate
+}
@@ -66,8 +66,9 @@ server {
    # https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
    ssl_prefer_server_ciphers on;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # don't use SSLv3 ref: POODLE
-    # ciphers according to https://weakdh.org/sysadmin.html
-    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
+
+    # ciphers according to https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=nginx-1.10.3&openssl=1.0.2g&hsts=yes&profile=modern
+    ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
    ssl_dhparam /home/yellowtent/boxdata/dhparams.pem;
    add_header Strict-Transport-Security "max-age=15768000";

@@ -89,6 +90,11 @@ server {
    add_header Referrer-Policy "no-referrer-when-downgrade";
    proxy_hide_header Referrer-Policy;

+<% if ( endpoint === 'admin' ) { -%>
+    # CSP headers for the admin/dashboard resources
+    add_header Content-Security-Policy "default-src 'none'; connect-src wss: https: 'self' *.cloudron.io; script-src https: 'self' 'unsafe-inline' 'unsafe-eval'; img-src * data:; style-src https: 'unsafe-inline'; object-src 'none'; font-src https: 'self'; frame-ancestors 'none'; base-uri 'none'; form-action 'self';";
+<% } -%>
+
    proxy_http_version 1.1;
    proxy_intercept_errors on;
    proxy_read_timeout       3500;
@@ -106,7 +112,7 @@ server {
    proxy_set_header Connection $connection_upgrade;

    # only serve up the status page if we get proxy gateway errors
-    root <%= sourceDir %>/webadmin/dist;
+    root <%= sourceDir %>/dashboard/dist;
    error_page 502 503 504 /appstatus.html;
    location /appstatus.html {
        internal;
@@ -154,17 +160,22 @@ server {
        }

        # graphite paths (uncomment block below and visit /graphite/index.html)
+        # remember to comment out the CSP policy as well to access the graphite dashboard
        # location ~ ^/(graphite|content|metrics|dashboard|render|browser|composer)/ {
-        #     proxy_pass   http://127.0.0.1:8000;
+        #     proxy_pass   http://127.0.0.1:8417;
        #     client_max_body_size 1m;
        # }

        location / {
-            root   <%= sourceDir %>/webadmin/dist;
+            root   <%= sourceDir %>/dashboard/dist;
            index  index.html index.htm;
        }
 <% } else if ( endpoint === 'app' ) { %>
        proxy_pass http://127.0.0.1:<%= port %>;
+<% } else if ( endpoint === 'redirect' ) { %>
+        # redirect everything to the app. this is temporary because there is no way
+        # to clear a permanent redirect on the browser
+        return 302 https://<%= redirectTo %>$request_uri;
 <% } %>
    }
 }
@@ -1,11 +1,11 @@
 # sudo logging breaks journalctl output with very long urls (systemd bug)
 Defaults !syslog

-Defaults!/home/yellowtent/box/src/scripts/createappdir.sh env_keep="HOME BOX_ENV"
-yellowtent ALL=(root) NOPASSWD: /home/yellowtent/box/src/scripts/createappdir.sh
+Defaults!/home/yellowtent/box/src/scripts/rmvolume.sh env_keep="HOME BOX_ENV"
+yellowtent ALL=(root) NOPASSWD: /home/yellowtent/box/src/scripts/rmvolume.sh

-Defaults!/home/yellowtent/box/src/scripts/rmappdir.sh env_keep="HOME BOX_ENV"
-yellowtent ALL=(root) NOPASSWD: /home/yellowtent/box/src/scripts/rmappdir.sh
+Defaults!/home/yellowtent/box/src/scripts/rmaddondir.sh env_keep="HOME BOX_ENV"
+yellowtent ALL=(root) NOPASSWD: /home/yellowtent/box/src/scripts/rmaddondir.sh

 Defaults!/home/yellowtent/box/src/scripts/reloadnginx.sh env_keep="HOME BOX_ENV"
 yellowtent ALL=(root) NOPASSWD: /home/yellowtent/box/src/scripts/reloadnginx.sh
@@ -31,9 +31,15 @@ yellowtent ALL=(root) NOPASSWD: /home/yellowtent/box/src/scripts/authorized_keys
 Defaults!/home/yellowtent/box/src/scripts/configurelogrotate.sh env_keep="HOME BOX_ENV"
 yellowtent ALL=(root) NOPASSWD: /home/yellowtent/box/src/scripts/configurelogrotate.sh

-Defaults!/home/yellowtent/box/src/backuptask.js env_keep="HOME BOX_ENV"
-yellowtent ALL=(root) NOPASSWD:SETENV: /home/yellowtent/box/src/backuptask.js
+Defaults!/home/yellowtent/box/src/scripts/backupupload.js env_keep="HOME BOX_ENV"
+Defaults!/home/yellowtent/box/src/scripts/backupupload.js closefrom_override
+yellowtent ALL=(root) NOPASSWD:SETENV: /home/yellowtent/box/src/scripts/backupupload.js

 Defaults!/home/yellowtent/box/src/scripts/restart.sh env_keep="HOME BOX_ENV"
 yellowtent ALL=(root) NOPASSWD: /home/yellowtent/box/src/scripts/restart.sh

+Defaults!/home/yellowtent/box/src/scripts/restartdocker.sh env_keep="HOME BOX_ENV"
+yellowtent ALL=(root) NOPASSWD: /home/yellowtent/box/src/scripts/restartdocker.sh
+
+Defaults!/home/yellowtent/box/src/scripts/restartunbound.sh env_keep="HOME BOX_ENV"
+yellowtent ALL=(root) NOPASSWD: /home/yellowtent/box/src/scripts/restartunbound.sh
@@ -12,7 +12,8 @@ Wants=cloudron-resize-fs.service
 Type=idle
 WorkingDirectory=/home/yellowtent/box
 Restart=always
-ExecStart=/usr/bin/node --max_old_space_size=150 /home/yellowtent/box/box.js
+; Systemd does not append logs when logging to files, we spawn a shell first and exec to replace it after setting up the pipes
+ExecStart=/bin/sh -c 'echo "Logging to /home/yellowtent/platformdata/logs/box.log"; exec /usr/bin/node --max_old_space_size=150 /home/yellowtent/box/box.js >> /home/yellowtent/platformdata/logs/box.log 2>&1'
 Environment="HOME=/home/yellowtent" "USER=yellowtent" "DEBUG=box*,connect-lastmile" "BOX_ENV=cloudron" "NODE_ENV=production"
 ; kill apptask processes as well
 KillMode=control-group
@@ -0,0 +1,14 @@
+[Unit]
+Description=Cloudron Syslog
+After=network.target
+
+[Service]
+ExecStart=/usr/local/cloudron-syslog/bin/cloudron-syslog --port 2514 --logdir /home/yellowtent/platformdata/logs
+WorkingDirectory=/usr/local/cloudron-syslog
+Environment="NODE_ENV=production"
+Restart=always
+User=yellowtent
+Group=yellowtent
+
+[Install]
+WantedBy=multi-user.target
@@ -0,0 +1,143 @@
+'use strict';
+
+exports = module.exports = {
+    SCOPE_APPS_READ: 'apps:read',
+    SCOPE_APPS_MANAGE: 'apps:manage',
+    SCOPE_CLIENTS: 'clients',
+    SCOPE_CLOUDRON: 'cloudron',
+    SCOPE_DOMAINS_READ: 'domains:read',
+    SCOPE_DOMAINS_MANAGE: 'domains:manage',
+    SCOPE_MAIL: 'mail',
+    SCOPE_PROFILE: 'profile',
+    SCOPE_SETTINGS: 'settings',
+    SCOPE_USERS_READ: 'users:read',
+    SCOPE_USERS_MANAGE: 'users:manage',
+    SCOPE_APPSTORE: 'appstore',
+    VALID_SCOPES: [ 'apps', 'appstore', 'clients', 'cloudron', 'domains', 'mail', 'profile', 'settings', 'users' ], // keep this sorted
+
+    SCOPE_ANY: '*',
+
+    validateScopeString: validateScopeString,
+    hasScopes: hasScopes,
+    canonicalScopeString: canonicalScopeString,
+    intersectScopes: intersectScopes,
+    validateToken: validateToken,
+    scopesForUser: scopesForUser
+};
+
+var assert = require('assert'),
+    config = require('./config.js'),
+    DatabaseError = require('./databaseerror.js'),
+    debug = require('debug')('box:accesscontrol'),
+    tokendb = require('./tokendb.js'),
+    users = require('./users.js'),
+    UsersError = users.UsersError,
+    _ = require('underscore');
+
+// returns scopes that does not have wildcards and is sorted
+function canonicalScopeString(scope) {
+    if (scope === exports.SCOPE_ANY) return exports.VALID_SCOPES.join(',');
+
+    return scope.split(',').sort().join(',');
+}
+
+function intersectScopes(allowedScopes, wantedScopes) {
+    assert(Array.isArray(allowedScopes), 'Expecting sorted array');
+    assert(Array.isArray(wantedScopes), 'Expecting sorted array');
+
+    if (_.isEqual(allowedScopes, wantedScopes)) return allowedScopes; // quick path
+
+    let wantedScopesMap = new Map();
+    let results = [];
+
+    // make a map of scope -> [ subscopes ]
+    for (let w of wantedScopes) {
+        let parts = w.split(':');
+        let subscopes = wantedScopesMap.get(parts[0]) || new Set();
+        subscopes.add(parts[1] || '*');
+        wantedScopesMap.set(parts[0], subscopes);
+    }
+
+    for (let a of allowedScopes) {
+        let parts = a.split(':');
+        let as = parts[1] || '*';
+
+        let subscopes = wantedScopesMap.get(parts[0]);
+        if (!subscopes) continue;
+
+        if (subscopes.has('*') || subscopes.has(as)) {
+            results.push(a);
+        } else if (as === '*') {
+            results = results.concat(Array.from(subscopes).map(function (ss) { return `${a}:${ss}`; }));
+        }
+    }
+
+    return results;
+}
+
+function validateScopeString(scope) {
+    assert.strictEqual(typeof scope, 'string');
+
+    if (scope === '') return new Error('Empty scope not allowed');
+
+    // NOTE: this function intentionally does not allow '*'. This is only allowed in the db to allow
+    // us not write a migration script every time we add a new scope
+    var allValid = scope.split(',').every(function (s) { return exports.VALID_SCOPES.indexOf(s.split(':')[0]) !== -1; });
+    if (!allValid) return new Error('Invalid scope. Available scopes are ' + exports.VALID_SCOPES.join(', '));
+
+    return null;
+}
+
+// tests if all requiredScopes are attached to the request
+function hasScopes(authorizedScopes, requiredScopes) {
+    assert(Array.isArray(authorizedScopes), 'Expecting array');
+    assert(Array.isArray(requiredScopes), 'Expecting array');
+
+    if (authorizedScopes.indexOf(exports.SCOPE_ANY) !== -1) return null;
+
+    for (var i = 0; i < requiredScopes.length; ++i) {
+        const scopeParts = requiredScopes[i].split(':');
+
+        // this allows apps:write if the token has a higher apps scope
+        if (authorizedScopes.indexOf(requiredScopes[i]) === -1 && authorizedScopes.indexOf(scopeParts[0]) === -1) {
+            debug('scope: missing scope "%s".', requiredScopes[i]);
+            return new Error('Missing required scope "' + requiredScopes[i] + '"');
+        }
+    }
+
+    return null;
+}
+
+function scopesForUser(user, callback) {
+    assert.strictEqual(typeof user, 'object');
+    assert.strictEqual(typeof callback, 'function');
+
+    if (user.admin) return callback(null, exports.VALID_SCOPES);
+
+    callback(null, config.isSpacesEnabled() ? [ 'profile', 'apps', 'domains:read', 'users:read' ] : [ 'profile', 'apps:read' ]);
+}
+
+function validateToken(accessToken, callback) {
+    assert.strictEqual(typeof accessToken, 'string');
+    assert.strictEqual(typeof callback, 'function');
+
+    tokendb.get(accessToken, function (error, token) {
+        if (error && error.reason === DatabaseError.NOT_FOUND) return callback(null, null /* user */, 'Invalid Token'); // will end up as a 401
+        if (error) return callback(error); // this triggers 'internal error' in passport
+
+        users.get(token.identifier, function (error, user) {
+            if (error && error.reason === UsersError.NOT_FOUND) return callback(null, null /* user */, 'Invalid Token'); // will end up as a 401
+            if (error) return callback(error);
+
+            scopesForUser(user, function (error, userScopes) {
+                if (error) return callback(error);
+
+                var authorizedScopes = intersectScopes(userScopes, token.scope.split(','));
+                const skipPasswordVerification = token.clientId === 'cid-sdk' || token.clientId === 'cid-cli'; // these clients do not require password checks unlike UI
+                var info = { authorizedScopes: authorizedScopes, skipPasswordVerification: skipPasswordVerification }; // ends up in req.authInfo
+
+                callback(null, user, info);
+            });
+        });
+    });
+}
@@ -18,12 +18,16 @@ exports = module.exports = {
    getAddonConfigByName: getAddonConfigByName,
    unsetAddonConfig: unsetAddonConfig,
    unsetAddonConfigByAppId: unsetAddonConfigByAppId,
+    getAppIdByAddonConfigValue: getAppIdByAddonConfigValue,

    setHealth: setHealth,
    setInstallationCommand: setInstallationCommand,
    setRunCommand: setRunCommand,
    getAppStoreIds: getAppStoreIds,

+    setOwner: setOwner,
+    transferOwnership: transferOwnership,
+
    // installation codes (keep in sync in UI)
    ISTATE_PENDING_INSTALL: 'pending_install', // installs and fresh reinstalls
    ISTATE_PENDING_CLONE: 'pending_clone', // clone
@@ -47,6 +51,10 @@ exports = module.exports = {
    HEALTH_ERROR: 'error',
    HEALTH_DEAD: 'dead',

+    // subdomain table types
+    SUBDOMAIN_TYPE_PRIMARY: 'primary',
+    SUBDOMAIN_TYPE_REDIRECT: 'redirect',
+
    _clear: clear
 };

@@ -54,17 +62,18 @@ var assert = require('assert'),
    async = require('async'),
    database = require('./database.js'),
    DatabaseError = require('./databaseerror'),
-    mailboxdb = require('./mailboxdb.js'),
    safe = require('safetydance'),
    util = require('util');

 var APPS_FIELDS_PREFIXED = [ 'apps.id', 'apps.appStoreId', 'apps.installationState', 'apps.installationProgress', 'apps.runState',
-    'apps.health', 'apps.containerId', 'apps.manifestJson', 'apps.httpPort', 'apps.location', 'apps.domain', 'apps.dnsRecordId',
+    'apps.health', 'apps.containerId', 'apps.manifestJson', 'apps.httpPort', 'subdomains.subdomain AS location', 'subdomains.domain',
    'apps.accessRestrictionJson', 'apps.restoreConfigJson', 'apps.oldConfigJson', 'apps.updateConfigJson', 'apps.memoryLimit',
    'apps.xFrameOptions', 'apps.sso', 'apps.debugModeJson', 'apps.robotsTxt', 'apps.enableBackup',
-    'apps.creationTime', 'apps.updateTime' ].join(',');
+    'apps.creationTime', 'apps.updateTime', 'apps.ownerId', 'apps.mailboxName', 'apps.enableAutomaticUpdate', 'apps.ts' ].join(',');

-var PORT_BINDINGS_FIELDS = [ 'hostPort', 'environmentVariable', 'appId' ].join(',');
+var PORT_BINDINGS_FIELDS = [ 'hostPort', 'type', 'environmentVariable', 'appId' ].join(',');
+
+const SUBDOMAIN_FIELDS = [ 'appId', 'domain', 'subdomain', 'type' ].join(',');

 function postProcess(result) {
    assert.strictEqual(typeof result, 'object');
@@ -89,14 +98,16 @@ function postProcess(result) {
    assert(result.environmentVariables === null || typeof result.environmentVariables === 'string');

    result.portBindings = { };
-    var hostPorts = result.hostPorts === null ? [ ] : result.hostPorts.split(',');
-    var environmentVariables = result.environmentVariables === null ? [ ] : result.environmentVariables.split(',');
+    let hostPorts = result.hostPorts === null ? [ ] : result.hostPorts.split(',');
+    let environmentVariables = result.environmentVariables === null ? [ ] : result.environmentVariables.split(',');
+    let portTypes = result.portTypes === null ? [ ] : result.portTypes.split(',');

    delete result.hostPorts;
    delete result.environmentVariables;
+    delete result.portTypes;

-    for (var i = 0; i < environmentVariables.length; i++) {
-        result.portBindings[environmentVariables[i]] = parseInt(hostPorts[i], 10);
+    for (let i = 0; i < environmentVariables.length; i++) {
+        result.portBindings[environmentVariables[i]] = { hostPort: parseInt(hostPorts[i], 10), type: portTypes[i] };
    }

    assert(result.accessRestrictionJson === null || typeof result.accessRestrictionJson === 'string');
@@ -109,10 +120,25 @@ function postProcess(result) {

    result.sso = !!result.sso; // make it bool
    result.enableBackup = !!result.enableBackup; // make it bool
+    result.enableAutomaticUpdate = !!result.enableAutomaticUpdate; // make it bool

    assert(result.debugModeJson === null || typeof result.debugModeJson === 'string');
    result.debugMode = safe.JSON.parse(result.debugModeJson);
    delete result.debugModeJson;
+
+    result.alternateDomains = result.alternateDomains || [];
+    result.alternateDomains.forEach(function (d) {
+        delete d.appId;
+        delete d.type;
+    });
+
+    let envNames = JSON.parse(result.envNames), envValues = JSON.parse(result.envValues);
+    delete result.envNames;
+    delete result.envValues;
+    result.env = {};
+    for (let i = 0; i < envNames.length; i++) { // NOTE: envNames is [ null ] when env of an app is empty
+        if (envNames[i]) result.env[envNames[i]] = envValues[i];
+    }
 }

 function get(id, callback) {
@@ -120,14 +146,25 @@ function get(id, callback) {
    assert.strictEqual(typeof callback, 'function');

    database.query('SELECT ' + APPS_FIELDS_PREFIXED + ','
-        + 'GROUP_CONCAT(CAST(appPortBindings.hostPort AS CHAR(6))) AS hostPorts, GROUP_CONCAT(appPortBindings.environmentVariable) AS environmentVariables'
-        + ' FROM apps LEFT OUTER JOIN appPortBindings ON apps.id = appPortBindings.appId WHERE apps.id = ? GROUP BY apps.id', [ id ], function (error, result) {
+        + 'GROUP_CONCAT(CAST(appPortBindings.hostPort AS CHAR(6))) AS hostPorts, GROUP_CONCAT(appPortBindings.environmentVariable) AS environmentVariables, GROUP_CONCAT(appPortBindings.type) AS portTypes, '
+        + 'JSON_ARRAYAGG(appEnvVars.name) AS envNames, JSON_ARRAYAGG(appEnvVars.value) AS envValues'
+        + ' FROM apps'
+        + '  LEFT OUTER JOIN appPortBindings ON apps.id = appPortBindings.appId'
+        + '  LEFT OUTER JOIN appEnvVars ON apps.id = appEnvVars.appId'
+        + '  LEFT OUTER JOIN subdomains ON apps.id = subdomains.appId AND subdomains.type = ?'
+        + ' WHERE apps.id = ? GROUP BY apps.id', [ exports.SUBDOMAIN_TYPE_PRIMARY, id ], function (error, result) {
        if (error) return callback(new DatabaseError(DatabaseError.INTERNAL_ERROR, error));
        if (result.length === 0) return callback(new DatabaseError(DatabaseError.NOT_FOUND));

-        postProcess(result[0]);
+        database.query('SELECT ' + SUBDOMAIN_FIELDS + ' FROM subdomains WHERE appId = ? AND type = ?', [ id, exports.SUBDOMAIN_TYPE_REDIRECT ], function (error, alternateDomains) {
+            if (error) return callback(new DatabaseError(DatabaseError.INTERNAL_ERROR, error));

-        callback(null, result[0]);
+            result[0].alternateDomains = alternateDomains;
+
+            postProcess(result[0]);
+
+            callback(null, result[0]);
+        });
    });
 }

@@ -136,14 +173,24 @@ function getByHttpPort(httpPort, callback) {
    assert.strictEqual(typeof callback, 'function');

    database.query('SELECT ' + APPS_FIELDS_PREFIXED + ','
-        + 'GROUP_CONCAT(CAST(appPortBindings.hostPort AS CHAR(6))) AS hostPorts, GROUP_CONCAT(appPortBindings.environmentVariable) AS environmentVariables'
-        + '  FROM apps LEFT OUTER JOIN appPortBindings ON apps.id = appPortBindings.appId WHERE httpPort = ? GROUP BY apps.id', [ httpPort ], function (error, result) {
+    + 'GROUP_CONCAT(CAST(appPortBindings.hostPort AS CHAR(6))) AS hostPorts, GROUP_CONCAT(appPortBindings.environmentVariable) AS environmentVariables, GROUP_CONCAT(appPortBindings.type) AS portTypes,'
+    + 'JSON_ARRAYAGG(appEnvVars.name) AS envNames, JSON_ARRAYAGG(appEnvVars.value) AS envValues'
+        + ' FROM apps'
+        + '  LEFT OUTER JOIN appPortBindings ON apps.id = appPortBindings.appId'
+        + '  LEFT OUTER JOIN appEnvVars ON apps.id = appEnvVars.appId'
+        + '  LEFT OUTER JOIN subdomains ON apps.id = subdomains.appId AND subdomains.type = ?'
+        + ' WHERE httpPort = ? GROUP BY apps.id', [ exports.SUBDOMAIN_TYPE_PRIMARY, httpPort ], function (error, result) {
        if (error) return callback(new DatabaseError(DatabaseError.INTERNAL_ERROR, error));
        if (result.length === 0) return callback(new DatabaseError(DatabaseError.NOT_FOUND));

-        postProcess(result[0]);
+        database.query('SELECT ' + SUBDOMAIN_FIELDS + ' FROM subdomains WHERE appId = ? AND type = ?', [ result[0].id, exports.SUBDOMAIN_TYPE_REDIRECT ], function (error, alternateDomains) {
+            if (error) return callback(new DatabaseError(DatabaseError.INTERNAL_ERROR, error));

-        callback(null, result[0]);
+            result[0].alternateDomains = alternateDomains;
+            postProcess(result[0]);
+
+            callback(null, result[0]);
+        });
    });
 }

@@ -152,14 +199,24 @@ function getByContainerId(containerId, callback) {
    assert.strictEqual(typeof callback, 'function');

    database.query('SELECT ' + APPS_FIELDS_PREFIXED + ','
-        + 'GROUP_CONCAT(CAST(appPortBindings.hostPort AS CHAR(6))) AS hostPorts, GROUP_CONCAT(appPortBindings.environmentVariable) AS environmentVariables'
-        + '  FROM apps LEFT OUTER JOIN appPortBindings ON apps.id = appPortBindings.appId WHERE containerId = ? GROUP BY apps.id', [ containerId ], function (error, result) {
+        + 'GROUP_CONCAT(CAST(appPortBindings.hostPort AS CHAR(6))) AS hostPorts, GROUP_CONCAT(appPortBindings.environmentVariable) AS environmentVariables, GROUP_CONCAT(appPortBindings.type) AS portTypes,'
+        + 'JSON_ARRAYAGG(appEnvVars.name) AS envNames, JSON_ARRAYAGG(appEnvVars.value) AS envValues'
+        + ' FROM apps'
+        + '  LEFT OUTER JOIN appPortBindings ON apps.id = appPortBindings.appId'
+        + '  LEFT OUTER JOIN appEnvVars ON apps.id = appEnvVars.appId'
+        + '  LEFT OUTER JOIN subdomains ON apps.id = subdomains.appId AND subdomains.type = ?'
+        + ' WHERE containerId = ? GROUP BY apps.id', [ exports.SUBDOMAIN_TYPE_PRIMARY, containerId ], function (error, result) {
        if (error) return callback(new DatabaseError(DatabaseError.INTERNAL_ERROR, error));
        if (result.length === 0) return callback(new DatabaseError(DatabaseError.NOT_FOUND));

-        postProcess(result[0]);
+        database.query('SELECT ' + SUBDOMAIN_FIELDS + ' FROM subdomains WHERE appId = ? AND type = ?', [ result[0].id, exports.SUBDOMAIN_TYPE_REDIRECT ], function (error, alternateDomains) {
+            if (error) return callback(new DatabaseError(DatabaseError.INTERNAL_ERROR, error));

-        callback(null, result[0]);
+            result[0].alternateDomains = alternateDomains;
+            postProcess(result[0]);
+
+            callback(null, result[0]);
+        });
    });
 }

@@ -167,24 +224,41 @@ function getAll(callback) {
    assert.strictEqual(typeof callback, 'function');

    database.query('SELECT ' + APPS_FIELDS_PREFIXED + ','
-        + 'GROUP_CONCAT(CAST(appPortBindings.hostPort AS CHAR(6))) AS hostPorts, GROUP_CONCAT(appPortBindings.environmentVariable) AS environmentVariables'
-        + ' FROM apps LEFT OUTER JOIN appPortBindings ON apps.id = appPortBindings.appId'
-        + ' GROUP BY apps.id ORDER BY apps.id', function (error, results) {
+        + 'GROUP_CONCAT(CAST(appPortBindings.hostPort AS CHAR(6))) AS hostPorts, GROUP_CONCAT(appPortBindings.environmentVariable) AS environmentVariables, GROUP_CONCAT(appPortBindings.type) AS portTypes,'
+        + 'JSON_ARRAYAGG(appEnvVars.name) AS envNames, JSON_ARRAYAGG(appEnvVars.value) AS envValues'
+        + ' FROM apps'
+        + '  LEFT OUTER JOIN appPortBindings ON apps.id = appPortBindings.appId'
+        + '  LEFT OUTER JOIN appEnvVars ON apps.id = appEnvVars.appId'
+        + '  LEFT OUTER JOIN subdomains ON apps.id = subdomains.appId AND subdomains.type = ?'
+        + ' GROUP BY apps.id ORDER BY apps.id', [ exports.SUBDOMAIN_TYPE_PRIMARY ], function (error, results) {
        if (error) return callback(new DatabaseError(DatabaseError.INTERNAL_ERROR, error));

-        results.forEach(postProcess);
+        database.query('SELECT ' + SUBDOMAIN_FIELDS + ' FROM subdomains WHERE type = ?', [ exports.SUBDOMAIN_TYPE_REDIRECT ], function (error, alternateDomains) {
+            if (error) return callback(new DatabaseError(DatabaseError.INTERNAL_ERROR, error));

-        callback(null, results);
+            alternateDomains.forEach(function (d) {
+                var domain = results.find(function (a) { return d.appId === a.id; });
+                if (!domain) return;
+
+                domain.alternateDomains = domain.alternateDomains || [];
+                domain.alternateDomains.push(d);
+            });
+
+            results.forEach(postProcess);
+
+            callback(null, results);
+        });
    });
 }

-function add(id, appStoreId, manifest, location, domain, portBindings, data, callback) {
+function add(id, appStoreId, manifest, location, domain, ownerId, portBindings, data, callback) {
    assert.strictEqual(typeof id, 'string');
    assert.strictEqual(typeof appStoreId, 'string');
    assert(manifest && typeof manifest === 'object');
    assert.strictEqual(typeof manifest.version, 'string');
    assert.strictEqual(typeof location, 'string');
    assert.strictEqual(typeof domain, 'string');
+    assert.strictEqual(typeof ownerId, 'string');
    assert.strictEqual(typeof portBindings, 'object');
    assert(data && typeof data === 'object');
    assert.strictEqual(typeof callback, 'function');
@@ -202,26 +276,42 @@ function add(id, appStoreId, manifest, location, domain, portBindings, data, cal
    var sso = 'sso' in data ? data.sso : null;
    var robotsTxt = 'robotsTxt' in data ? data.robotsTxt : null;
    var debugModeJson = data.debugMode ? JSON.stringify(data.debugMode) : null;
+    var env = data.env || {};
+    const mailboxName = data.mailboxName || null;

    var queries = [];
+
    queries.push({
-        query: 'INSERT INTO apps (id, appStoreId, manifestJson, installationState, location, domain, accessRestrictionJson, memoryLimit, xFrameOptions, restoreConfigJson, sso, debugModeJson, robotsTxt) ' +
+        query: 'INSERT INTO apps (id, appStoreId, manifestJson, installationState, accessRestrictionJson, memoryLimit, xFrameOptions, restoreConfigJson, sso, debugModeJson, robotsTxt, ownerId, mailboxName) ' +
            ' VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)',
-        args: [ id, appStoreId, manifestJson, installationState, location, domain, accessRestrictionJson, memoryLimit, xFrameOptions, restoreConfigJson, sso, debugModeJson, robotsTxt ]
+        args: [ id, appStoreId, manifestJson, installationState, accessRestrictionJson, memoryLimit, xFrameOptions, restoreConfigJson, sso, debugModeJson, robotsTxt, ownerId, mailboxName ]
+    });
+
+    queries.push({
+        query: 'INSERT INTO subdomains (appId, domain, subdomain, type) VALUES (?, ?, ?, ?)',
+        args: [ id, domain, location, exports.SUBDOMAIN_TYPE_PRIMARY ]
    });

    Object.keys(portBindings).forEach(function (env) {
        queries.push({
-            query: 'INSERT INTO appPortBindings (environmentVariable, hostPort, appId) VALUES (?, ?, ?)',
-            args: [ env, portBindings[env], id ]
+            query: 'INSERT INTO appPortBindings (environmentVariable, hostPort, type, appId) VALUES (?, ?, ?, ?)',
+            args: [ env, portBindings[env].hostPort, portBindings[env].type, id ]
        });
    });

-    // only allocate a mailbox if mailboxName is set
-    if (data.mailboxName) {
+    Object.keys(env).forEach(function (name) {
        queries.push({
-            query: 'INSERT INTO mailboxes (name, domain, ownerId, ownerType) VALUES (?, ?, ?, ?)',
-            args: [ data.mailboxName, domain, id, mailboxdb.TYPE_APP ]
+            query: 'INSERT INTO appEnvVars (appId, name, value) VALUES (?, ?, ?)',
+            args: [ id, name, env[name] ]
+        });
+    });
+
+    if (data.alternateDomains) {
+        data.alternateDomains.forEach(function (d) {
+            queries.push({
+                query: 'INSERT INTO subdomains (appId, domain, subdomain, type) VALUES (?, ?, ?, ?)',
+                args: [ id, d.domain, d.subdomain, exports.SUBDOMAIN_TYPE_REDIRECT ]
+            });
        });
    }

@@ -254,18 +344,19 @@ function getPortBindings(id, callback) {

        var portBindings = { };
        for (var i = 0; i < results.length; i++) {
-            portBindings[results[i].environmentVariable] = results[i].hostPort;
+            portBindings[results[i].environmentVariable] = { hostPort: results[i].hostPort, type: results[i].type };
        }

        callback(null, portBindings);
    });
 }

-function delPortBinding(hostPort, callback) {
+function delPortBinding(hostPort, type, callback) {
    assert.strictEqual(typeof hostPort, 'number');
+    assert.strictEqual(typeof type, 'string');
    assert.strictEqual(typeof callback, 'function');

-    database.query('DELETE FROM appPortBindings WHERE hostPort=?', [ hostPort ], function (error, result) {
+    database.query('DELETE FROM appPortBindings WHERE hostPort=? AND type=?', [ hostPort, type ], function (error, result) {
        if (error) return callback(new DatabaseError(DatabaseError.INTERNAL_ERROR, error));
        if (result.affectedRows !== 1) return callback(new DatabaseError(DatabaseError.NOT_FOUND));

@@ -278,14 +369,15 @@ function del(id, callback) {
    assert.strictEqual(typeof callback, 'function');

    var queries = [
-        { query: 'DELETE FROM mailboxes WHERE ownerId=?', args: [ id ] },
+        { query: 'DELETE FROM subdomains WHERE appId = ?', args: [ id ] },
        { query: 'DELETE FROM appPortBindings WHERE appId = ?', args: [ id ] },
+        { query: 'DELETE FROM appEnvVars WHERE appId = ?', args: [ id ] },
        { query: 'DELETE FROM apps WHERE id = ?', args: [ id ] }
    ];

    database.transaction(queries, function (error, results) {
        if (error) return callback(new DatabaseError(DatabaseError.INTERNAL_ERROR, error));
-        if (results[2].affectedRows !== 1) return callback(new DatabaseError(DatabaseError.NOT_FOUND));
+        if (results[3].affectedRows !== 1) return callback(new DatabaseError(DatabaseError.NOT_FOUND));

        callback(null);
    });
@@ -295,8 +387,10 @@ function clear(callback) {
    assert.strictEqual(typeof callback, 'function');

    async.series([
+        database.query.bind(null, 'DELETE FROM subdomains'),
        database.query.bind(null, 'DELETE FROM appPortBindings'),
        database.query.bind(null, 'DELETE FROM appAddonConfigs'),
+        database.query.bind(null, 'DELETE FROM appEnvVars'),
        database.query.bind(null, 'DELETE FROM apps')
    ], function (error) {
        if (error) return callback(new DatabaseError(DatabaseError.INTERNAL_ERROR, error));
@@ -315,6 +409,8 @@ function updateWithConstraints(id, app, constraints, callback) {
    assert.strictEqual(typeof callback, 'function');
    assert(!('portBindings' in app) || typeof app.portBindings === 'object');
    assert(!('accessRestriction' in app) || typeof app.accessRestriction === 'object' || app.accessRestriction === '');
+    assert(!('alternateDomains' in app) || Array.isArray(app.alternateDomains));
+    assert(!('env' in app) || typeof app.env === 'object');

    var queries = [ ];

@@ -323,8 +419,30 @@ function updateWithConstraints(id, app, constraints, callback) {
        // replace entries by app id
        queries.push({ query: 'DELETE FROM appPortBindings WHERE appId = ?', args: [ id ] });
        Object.keys(portBindings).forEach(function (env) {
-            var values = [ portBindings[env], env, id ];
-            queries.push({ query: 'INSERT INTO appPortBindings (hostPort, environmentVariable, appId) VALUES(?, ?, ?)', args: values });
+            var values = [ portBindings[env].hostPort, portBindings[env].type, env, id ];
+            queries.push({ query: 'INSERT INTO appPortBindings (hostPort, type, environmentVariable, appId) VALUES(?, ?, ?, ?)', args: values });
+        });
+    }
+
+    if ('env' in app) {
+        queries.push({ query: 'DELETE FROM appEnvVars WHERE appId = ?', args: [ id ] });
+
+        Object.keys(app.env).forEach(function (name) {
+            queries.push({
+                query: 'INSERT INTO appEnvVars (appId, name, value) VALUES (?, ?, ?)',
+                args: [ id, name, app.env[name] ]
+            });
+        });
+    }
+
+    if ('location' in app && 'domain' in app) { // must be updated together as they are unique together
+        queries.push({ query: 'UPDATE subdomains SET subdomain = ?, domain = ? WHERE appId = ? AND type = ?', args: [ app.location, app.domain, id, exports.SUBDOMAIN_TYPE_PRIMARY ]});
+    }
+
+    if ('alternateDomains' in app) {
+        queries.push({ query: 'DELETE FROM subdomains WHERE appId = ? AND type = ?', args: [ id, exports.SUBDOMAIN_TYPE_REDIRECT ]});
+        app.alternateDomains.forEach(function (d) {
+            queries.push({ query: 'INSERT INTO subdomains (appId, domain, subdomain, type) VALUES (?, ?, ?, ?)', args: [ id, d.domain, d.subdomain, exports.SUBDOMAIN_TYPE_REDIRECT ]});
        });
    }

@@ -333,7 +451,7 @@ function updateWithConstraints(id, app, constraints, callback) {
        if (p === 'manifest' || p === 'oldConfig' || p === 'updateConfig' || p === 'restoreConfig' || p === 'accessRestriction' || p === 'debugMode') {
            fields.push(`${p}Json = ?`);
            values.push(JSON.stringify(app[p]));
-        } else if (p !== 'portBindings') {
+        } else if (p !== 'portBindings' && p !== 'location' && p !== 'domain' && p !== 'alternateDomains' && p !== 'env') {
            fields.push(p + ' = ?');
            values.push(app[p]);
        }
@@ -492,6 +610,20 @@ function getAddonConfigByAppId(appId, callback) {
    });
 }

+function getAppIdByAddonConfigValue(addonId, name, value, callback) {
+    assert.strictEqual(typeof addonId, 'string');
+    assert.strictEqual(typeof name, 'string');
+    assert.strictEqual(typeof value, 'string');
+    assert.strictEqual(typeof callback, 'function');
+
+    database.query('SELECT appId FROM appAddonConfigs WHERE addonId = ? AND name = ? AND value = ?', [ addonId, name, value ], function (error, results) {
+        if (error) return callback(new DatabaseError(DatabaseError.INTERNAL_ERROR, error));
+        if (results.length === 0) return callback(new DatabaseError(DatabaseError.NOT_FOUND));
+
+        callback(null, results[0].appId);
+    });
+}
+
 function getAddonConfigByName(appId, addonId, name, callback) {
    assert.strictEqual(typeof appId, 'string');
    assert.strictEqual(typeof addonId, 'string');
@@ -505,3 +637,31 @@ function getAddonConfigByName(appId, addonId, name, callback) {
        callback(null, results[0].value);
    });
 }
+
+function setOwner(appId, ownerId, callback) {
+    assert.strictEqual(typeof appId, 'string');
+    assert.strictEqual(typeof ownerId, 'string');
+    assert.strictEqual(typeof callback, 'function');
+
+    database.query('UPDATE apps SET ownerId=? WHERE appId=?', [ ownerId, appId ], function (error, results) {
+        if (error && error.code === 'ER_NO_REFERENCED_ROW_2') return callback(new DatabaseError(DatabaseError.NOT_FOUND, 'No such user'));
+        if (error) return callback(new DatabaseError(DatabaseError.INTERNAL_ERROR, error));
+
+        if (results.length === 0) return callback(new DatabaseError(DatabaseError.NOT_FOUND, 'No such app'));
+
+        callback(null);
+    });
+}
+
+function transferOwnership(oldOwnerId, newOwnerId, callback) {
+    assert.strictEqual(typeof oldOwnerId, 'string');
+    assert.strictEqual(typeof newOwnerId, 'string');
+    assert.strictEqual(typeof callback, 'function');
+
+    database.query('UPDATE apps SET ownerId=? WHERE ownerId=?', [ newOwnerId, oldOwnerId ], function (error) {
+        if (error && error.code === 'ER_NO_REFERENCED_ROW_2') return callback(new DatabaseError(DatabaseError.NOT_FOUND, 'No such user'));
+        if (error) return callback(new DatabaseError(DatabaseError.INTERNAL_ERROR, error));
+
+        callback(null);
+    });
+}
@@ -12,15 +12,15 @@ var appdb = require('./appdb.js'),
    util = require('util');

 exports = module.exports = {
-    start: start,
-    stop: stop
+    run: run
 };

-var HEALTHCHECK_INTERVAL = 10 * 1000; // every 10 seconds. this needs to be small since the UI makes only healthy apps clickable
-var UNHEALTHY_THRESHOLD = 10 * 60 * 1000; // 10 minutes
-var gHealthInfo = { }; // { time, emailSent }
-var gRunTimeout = null;
-var gDockerEventStream = null;
+const HEALTHCHECK_INTERVAL = 10 * 1000; // every 10 seconds. this needs to be small since the UI makes only healthy apps clickable
+const UNHEALTHY_THRESHOLD = 10 * 60 * 1000; // 10 minutes
+let gHealthInfo = { }; // { time, emailSent }
+
+const OOM_MAIL_LIMIT = 60 * 60 * 1000; // 60 minutes
+let gLastOomMailTime = Date.now() - (5 * 60 * 1000); // pretend we sent email 5 minutes ago

 function debugApp(app) {
    assert(typeof app === 'object');
@@ -88,6 +88,9 @@ function checkAppHealth(app, callback) {
            return setHealth(app, appdb.HEALTH_DEAD, callback);
        }

+        // non-appstore apps may not have healthCheckPath
+        if (!manifest.healthCheckPath) return setHealth(app, appdb.HEALTH_HEALTHY, callback);
+
        // poll through docker network instead of nginx to bypass any potential oauth proxy
        var healthCheckUrl = 'http://127.0.0.1:' + app.httpPort + manifest.healthCheckPath;
        superagent
@@ -110,7 +113,58 @@ function checkAppHealth(app, callback) {
    });
 }

-function processApps(callback) {
+/*
+    OOM can be tested using stress tool like so:
+        docker run -ti -m 100M cloudron/base:0.10.0 /bin/bash
+        apt-get update && apt-get install stress
+        stress --vm 1 --vm-bytes 200M --vm-hang 0
+*/
+function processDockerEvents(intervalSecs, callback) {
+    assert.strictEqual(typeof intervalSecs, 'number');
+    assert.strictEqual(typeof callback, 'function');
+
+    const since = ((new Date().getTime() / 1000) - intervalSecs).toFixed(0);
+    const until = ((new Date().getTime() / 1000) - 1).toFixed(0);
+
+    docker.getEvents({ since: since, until: until, filters: JSON.stringify({ event: [ 'oom' ] }) }, function (error, stream) {
+        if (error) return callback(error);
+
+        stream.setEncoding('utf8');
+        stream.on('data', function (data) {
+            var ev = JSON.parse(data);
+            appdb.getByContainerId(ev.id, function (error, app) { // this can error for addons
+                var program = error || !app.appStoreId ? ev.id : app.appStoreId;
+                var context = JSON.stringify(ev);
+                var now = Date.now();
+                if (app) context = context + '\n\n' + JSON.stringify(app, null, 4) + '\n';
+
+                const notifyUser = (!app || !app.debugMode) && (now - gLastOomMailTime > OOM_MAIL_LIMIT);
+
+                debug('OOM Context: %s. notifyUser: %s. lastOomTime: %s (now: %s)', context, notifyUser, gLastOomMailTime, now);
+
+                // do not send mails for dev apps
+                if (notifyUser) {
+                    mailer.oomEvent(program, context); // app can be null if it's an addon crash
+                    gLastOomMailTime = now;
+                }
+            });
+        });
+
+        stream.on('error', function (error) {
+            debug('Error reading docker events', error);
+            callback();
+        });
+
+        stream.on('end', callback);
+
+        // safety hatch if 'until' doesn't work (there are cases where docker is working with a different time)
+        setTimeout(stream.destroy.bind(stream), 3000); // https://github.com/apocas/dockerode/issues/179
+    });
+}
+
+function processApp(callback) {
+    assert.strictEqual(typeof callback, 'function');
+
    apps.getAll(function (error, result) {
        if (error) return callback(error);

@@ -128,79 +182,16 @@ function processApps(callback) {
    });
 }

-function run() {
-    processApps(function (error) {
-        if (error) console.error(error);
-
-        gRunTimeout = setTimeout(run, HEALTHCHECK_INTERVAL);
-    });
-}
-
-/*
-    OOM can be tested using stress tool like so:
-        docker run -ti -m 100M cloudron/base:0.10.0 /bin/bash
-        apt-get update && apt-get install stress
-        stress --vm 1 --vm-bytes 200M --vm-hang 0
-*/
-function processDockerEvents() {
-    // note that for some reason, the callback is called only on the first event
-    debug('Listening for docker events');
-    const OOM_MAIL_LIMIT = 60 * 60 * 1000; // 60 minutes
-    var lastOomMailTime = new Date(new Date() - OOM_MAIL_LIMIT);
-
-    docker.getEvents({ filters: JSON.stringify({ event: [ 'oom' ] }) }, function (error, stream) {
-        if (error) return console.error(error);
-
-        gDockerEventStream = stream;
-
-        stream.setEncoding('utf8');
-        stream.on('data', function (data) {
-            var ev = JSON.parse(data);
-            appdb.getByContainerId(ev.id, function (error, app) { // this can error for addons
-                var program = error || !app.appStoreId ? ev.id : app.appStoreId;
-                var context = JSON.stringify(ev);
-                var now = new Date();
-                if (app) context = context + '\n\n' + JSON.stringify(app, null, 4) + '\n';
-
-                debug('OOM Context: %s', context);
-
-                // do not send mails for dev apps
-                if ((!app || !app.debugMode) && (now - lastOomMailTime > OOM_MAIL_LIMIT)) {
-                    mailer.oomEvent(program, context); // app can be null if it's an addon crash
-                    lastOomMailTime = now;
-                }
-            });
-        });
-
-        stream.on('error', function (error) {
-            console.error('Error reading docker events', error);
-            gDockerEventStream = null; // TODO: reconnect?
-        });
-
-        stream.on('end', function () {
-            console.error('Docker event stream ended');
-            gDockerEventStream = null; // TODO: reconnect?
-        });
-    });
-}
-
-function start(callback) {
+function run(intervalSecs, callback) {
+    assert.strictEqual(typeof intervalSecs, 'number');
    assert.strictEqual(typeof callback, 'function');

-    debug('Starting apphealthmonitor');
+    async.series([
+        processApp, // this is first because docker.getEvents seems to get 'stuck' sometimes
+        processDockerEvents.bind(null, intervalSecs)
+    ], function (error) {
+        if (error) debug(error);

-    processDockerEvents();
-
-    run();
-
-    callback();
-}
-
-function stop(callback) {
-    assert.strictEqual(typeof callback, 'function');
-
-    clearTimeout(gRunTimeout);
-    if (gDockerEventStream) gDockerEventStream.end();
-
-    callback();
+        callback();
+    });
 }
@@ -4,6 +4,8 @@ exports = module.exports = {
    AppsError: AppsError,

    hasAccessTo: hasAccessTo,
+    removeInternalFields: removeInternalFields,
+    removeRestrictedFields: removeRestrictedFields,

    get: get,
    getByIpAddress: getByIpAddress,
@@ -40,14 +42,19 @@ exports = module.exports = {
    downloadFile: downloadFile,
    uploadFile: uploadFile,

+    setOwner: setOwner,
+    transferOwnership: transferOwnership,
+
+    PORT_TYPE_TCP: 'tcp',
+    PORT_TYPE_UDP: 'udp',
+
    // exported for testing
-    _validateHostname: validateHostname,
    _validatePortBindings: validatePortBindings,
-    _validateAccessRestriction: validateAccessRestriction
+    _validateAccessRestriction: validateAccessRestriction,
+    _translatePortBindings: translatePortBindings
 };

-var addons = require('./addons.js'),
-    appdb = require('./appdb.js'),
+var appdb = require('./appdb.js'),
    appstore = require('./appstore.js'),
    AppstoreError = require('./appstore.js').AppstoreError,
    assert = require('assert'),
@@ -61,11 +68,10 @@ var addons = require('./addons.js'),
    docker = require('./docker.js'),
    domaindb = require('./domaindb.js'),
    domains = require('./domains.js'),
-    DomainError = require('./domains.js').DomainError,
+    DomainsError = require('./domains.js').DomainsError,
    eventlog = require('./eventlog.js'),
    fs = require('fs'),
-    groups = require('./groups.js'),
-    mailboxdb = require('./mailboxdb.js'),
+    mail = require('./mail.js'),
    manifestFormat = require('cloudron-manifestformat'),
    os = require('os'),
    path = require('path'),
@@ -77,13 +83,13 @@ var addons = require('./addons.js'),
    split = require('split'),
    superagent = require('superagent'),
    taskmanager = require('./taskmanager.js'),
-    tld = require('tldjs'),
    TransformStream = require('stream').Transform,
    updateChecker = require('./updatechecker.js'),
    url = require('url'),
    util = require('util'),
    uuid = require('uuid'),
-    validator = require('validator');
+    validator = require('validator'),
+    _ = require('underscore');

 // http://dustinsenos.com/articles/customErrorsInNode
 // http://code.google.com/p/v8/wiki/JavaScriptStackTraceApi
@@ -118,45 +124,12 @@ AppsError.BILLING_REQUIRED = 'Billing Required';
 AppsError.ACCESS_DENIED = 'Access denied';
 AppsError.BAD_CERTIFICATE = 'Invalid certificate';

-// Hostname validation comes from RFC 1123 (section 2.1)
-// Domain name validation comes from RFC 2181 (Name syntax)
-// https://en.wikipedia.org/wiki/Hostname#Restrictions_on_valid_host_names
-// We are validating the validity of the location-fqdn as host name (and not dns name)
-function validateHostname(location, domain, hostname) {
-    assert.strictEqual(typeof location, 'string');
-    assert.strictEqual(typeof domain, 'string');
-    assert.strictEqual(typeof hostname, 'string');
-
-    const RESERVED_LOCATIONS = [
-        constants.API_LOCATION,
-        constants.SMTP_LOCATION,
-        constants.IMAP_LOCATION
-    ];
-    if (RESERVED_LOCATIONS.indexOf(location) !== -1) return new AppsError(AppsError.BAD_FIELD, location + ' is reserved');
-
-    if (hostname === config.adminFqdn()) return new AppsError(AppsError.BAD_FIELD, location + ' is reserved');
-
-    // workaround https://github.com/oncletom/tld.js/issues/73
-    var tmp = hostname.replace('_', '-');
-    if (!tld.isValid(tmp)) return new AppsError(AppsError.BAD_FIELD, 'Hostname is not a valid domain name');
-
-    if (hostname.length > 253) return new AppsError(AppsError.BAD_FIELD, 'Hostname length exceeds 253 characters');
-
-    if (location) {
-        // label validation
-        if (location.length > 63) return new AppsError(AppsError.BAD_FIELD, 'Subdomain exceeds 63 characters');
-        if (location.match(/^[A-Za-z0-9-]+$/) === null) return new AppsError(AppsError.BAD_FIELD, 'Subdomain can only contain alphanumerics and hyphen');
-        if (location.startsWith('-') || location.endsWith('-')) return new AppsError(AppsError.BAD_FIELD, 'Subdomain cannot start or end with hyphen');
-    }
-
-    return null;
-}
-
 // validate the port bindings
-function validatePortBindings(portBindings, tcpPorts) {
+function validatePortBindings(portBindings, manifest) {
    assert.strictEqual(typeof portBindings, 'object');
+    assert.strictEqual(typeof manifest, 'object');

-    // keep the public ports in sync with firewall rules in scripts/initializeBaseUbuntuImage.sh
+    // keep the public ports in sync with firewall rules in setup/start/cloudron-firewall.sh
    // these ports are reserved even if we listen only on 127.0.0.1 because we setup HostIp to be 127.0.0.1
    // for custom tcp ports
    var RESERVED_PORTS = [
@@ -172,38 +145,72 @@ function validatePortBindings(portBindings, tcpPorts) {
        993, /* imaps */
        2003, /* graphite (lo) */
        2004, /* graphite (lo) */
-        2020, /* install server */
+        2020, /* mail server */
+        2514, /* cloudron-syslog (lo) */
        config.get('port'), /* app server (lo) */
        config.get('sysadminPort'), /* sysadmin app server (lo) */
        config.get('smtpPort'), /* internal smtp port (lo) */
        config.get('ldapPort'), /* ldap server (lo) */
        3306, /* mysql (lo) */
        4190, /* managesieve */
-        8000 /* graphite (lo) */
+        8000, /* ESXi monitoring */
+        8417, /* graphite (lo) */
    ];

    if (!portBindings) return null;

-    var env;
-    for (env in portBindings) {
-        if (!/^[a-zA-Z0-9_]+$/.test(env)) return new AppsError(AppsError.BAD_FIELD, env + ' is not valid environment variable');
+    for (let portName in portBindings) {
+        if (!/^[a-zA-Z0-9_]+$/.test(portName)) return new AppsError(AppsError.BAD_FIELD, `${portName} is not a valid environment variable`);

-        if (!Number.isInteger(portBindings[env])) return new AppsError(AppsError.BAD_FIELD, portBindings[env] + ' is not an integer');
-        if (RESERVED_PORTS.indexOf(portBindings[env]) !== -1) return new AppsError(AppsError.PORT_RESERVED, String(portBindings[env]));
-        if (portBindings[env] <= 1023 || portBindings[env] > 65535) return new AppsError(AppsError.BAD_FIELD, portBindings[env] + ' is not in permitted range');
+        const hostPort = portBindings[portName];
+        if (!Number.isInteger(hostPort)) return new AppsError(AppsError.BAD_FIELD, `${hostPort} is not an integer`);
+        if (RESERVED_PORTS.indexOf(hostPort) !== -1) return new AppsError(AppsError.PORT_RESERVED, String(hostPort));
+        if (hostPort <= 1023 || hostPort > 65535) return new AppsError(AppsError.BAD_FIELD, `${hostPort} is not in permitted range`);

    }

    // it is OK if there is no 1-1 mapping between values in manifest.tcpPorts and portBindings. missing values implies
    // that the user wants the service disabled
-    tcpPorts = tcpPorts || { };
-    for (env in portBindings) {
-        if (!(env in tcpPorts)) return new AppsError(AppsError.BAD_FIELD, 'Invalid portBindings ' + env);
+    const tcpPorts = manifest.tcpPorts || { };
+    const udpPorts = manifest.udpPorts || { };
+    for (let portName in portBindings) {
+        if (!(portName in tcpPorts) && !(portName in udpPorts)) return new AppsError(AppsError.BAD_FIELD, `Invalid portBindings ${portName}`);
    }

    return null;
 }

+function translatePortBindings(portBindings, manifest) {
+    assert.strictEqual(typeof portBindings, 'object');
+    assert.strictEqual(typeof manifest, 'object');
+
+    if (!portBindings) return null;
+
+    let result = {};
+    const tcpPorts = manifest.tcpPorts || { };
+
+    for (let portName in portBindings) {
+        const portType = portName in tcpPorts ? exports.PORT_TYPE_TCP : exports.PORT_TYPE_UDP;
+        result[portName] = { hostPort: portBindings[portName], type: portType };
+    }
+    return result;
+}
+
+function postProcess(app) {
+    let result = {};
+    for (let portName in app.portBindings) {
+        result[portName] = app.portBindings[portName].hostPort;
+    }
+    app.portBindings = result;
+}
+
+function addSpacesSuffix(location, user) {
+    if (user.admin || !config.isSpacesEnabled()) return location;
+
+    const spacesSuffix = user.username.replace(/\./g, '-');
+    return location === '' ? spacesSuffix : `${location}-${spacesSuffix}`;
+}
+
 function validateAccessRestriction(accessRestriction) {
    assert.strictEqual(typeof accessRestriction, 'object');

@@ -284,6 +291,16 @@ function validateBackupFormat(format) {
    return new AppsError(AppsError.BAD_FIELD, 'Invalid backup format');
 }

+function validateEnv(env) {
+    for (let key in env) {
+        if (key.length > 512) return new AppsError(AppsError.BAD_FIELD, 'Max env var key length is 512');
+        // http://pubs.opengroup.org/onlinepubs/000095399/basedefs/xbd_chap08.html
+        if (!/^[a-zA-Z_][a-zA-Z0-9_]*$/.test(key)) return new AppsError(AppsError.BAD_FIELD, `"${key}" is not a valid environment variable`);
+    }
+
+    return null;
+}
+
 function getDuplicateErrorDetails(location, portBindings, error) {
    assert.strictEqual(typeof location, 'string');
    assert.strictEqual(typeof portBindings, 'object');
@@ -299,8 +316,8 @@ function getDuplicateErrorDetails(location, portBindings, error) {
    if (match[1] === location) return new AppsError(AppsError.ALREADY_EXISTS);

    // check if any of the port bindings conflict
-    for (var env in portBindings) {
-        if (portBindings[env] === parseInt(match[1])) return new AppsError(AppsError.PORT_CONFLICT, match[1]);
+    for (let portName in portBindings) {
+        if (portBindings[portName] === parseInt(match[1])) return new AppsError(AppsError.PORT_CONFLICT, match[1]);
    }

    return new AppsError(AppsError.ALREADY_EXISTS);
@@ -312,16 +329,32 @@ function getAppConfig(app) {
        manifest: app.manifest,
        location: app.location,
        domain: app.domain,
-        fqdn: app.fqdn,
        accessRestriction: app.accessRestriction,
        portBindings: app.portBindings,
        memoryLimit: app.memoryLimit,
        xFrameOptions: app.xFrameOptions || 'SAMEORIGIN',
        robotsTxt: app.robotsTxt,
-        sso: app.sso
+        sso: app.sso,
+        alternateDomains: app.alternateDomains || [],
+        env: app.env
    };
 }

+function removeInternalFields(app) {
+    return _.pick(app,
+        'id', 'appStoreId', 'installationState', 'installationProgress', 'runState', 'health',
+        'location', 'domain', 'fqdn', 'mailboxName',
+        'accessRestriction', 'manifest', 'portBindings', 'iconUrl', 'memoryLimit', 'xFrameOptions',
+        'sso', 'debugMode', 'robotsTxt', 'enableBackup', 'creationTime', 'updateTime', 'ts',
+        'alternateDomains', 'ownerId', 'env', 'enableAutomaticUpdate');
+}
+
+function removeRestrictedFields(app) {
+    return _.pick(app,
+        'id', 'appStoreId', 'installationState', 'installationProgress', 'runState', 'health', 'ownerId',
+        'location', 'domain', 'fqdn', 'manifest', 'portBindings', 'iconUrl', 'creationTime', 'ts');
+}
+
 function getIconUrlSync(app) {
    var iconPath = paths.APP_ICONS_DIR + '/' + app.id + '.png';
    return fs.existsSync(iconPath) ? '/api/v1/apps/' + app.id + '/icon' : null;
@@ -337,35 +370,34 @@ function hasAccessTo(app, user, callback) {
    // check user access
    if (app.accessRestriction.users.some(function (e) { return e === user.id; })) return callback(null, true);

-    // check group access
-    groups.getGroups(user.id, function (error, groupIds) {
-        if (error) return callback(null, false);
+    if (user.admin) return callback(null, true); // admins can always access any app

-        const isAdmin = groupIds.indexOf(constants.ADMIN_GROUP_ID) !== -1;
+    if (!app.accessRestriction.groups) return callback(null, false);

-        if (isAdmin) return callback(null, true); // admins can always access any app
+    if (app.accessRestriction.groups.some(function (gid) { return user.groupIds.indexOf(gid) !== -1; })) return callback(null, true);

-        if (!app.accessRestriction.groups) return callback(null, false);
-
-        if (app.accessRestriction.groups.some(function (gid) { return groupIds.indexOf(gid) !== -1; })) return callback(null, true);
-
-        callback(null, false);
-    });
+    callback(null, false);
 }

 function get(appId, callback) {
    assert.strictEqual(typeof appId, 'string');
    assert.strictEqual(typeof callback, 'function');

-    appdb.get(appId, function (error, app) {
-        if (error && error.reason === DatabaseError.NOT_FOUND) return callback(new AppsError(AppsError.NOT_FOUND, 'No such app'));
+    domaindb.getAll(function (error, domainObjects) {
        if (error) return callback(new AppsError(AppsError.INTERNAL_ERROR, error));

-        domaindb.get(app.domain, function (error, result) {
+        appdb.get(appId, function (error, app) {
+            if (error && error.reason === DatabaseError.NOT_FOUND) return callback(new AppsError(AppsError.NOT_FOUND, 'No such app'));
            if (error) return callback(new AppsError(AppsError.INTERNAL_ERROR, error));

+            postProcess(app);
+
+            let domainObjectMap = {};
+            for (let d of domainObjects) { domainObjectMap[d.domain] = d; }
+
            app.iconUrl = getIconUrlSync(app);
-            app.fqdn = domains.fqdn(app.location, app.domain, result.provider);
+            app.fqdn = domains.fqdn(app.location, domainObjectMap[app.domain]);
+            app.alternateDomains.forEach(function (ad) { ad.fqdn = domains.fqdn(ad.subdomain, domainObjectMap[ad.domain]); });

            callback(null, app);
        });
@@ -376,20 +408,33 @@ function getByIpAddress(ip, callback) {
    assert.strictEqual(typeof ip, 'string');
    assert.strictEqual(typeof callback, 'function');

-    docker.getContainerIdByIp(ip, function (error, containerId) {
+    domaindb.getAll(function (error, domainObjects) {
        if (error) return callback(new AppsError(AppsError.INTERNAL_ERROR, error));

-        appdb.getByContainerId(containerId, function (error, app) {
-            if (error && error.reason === DatabaseError.NOT_FOUND) return callback(new AppsError(AppsError.NOT_FOUND, 'No such app'));
+        let domainObjectMap = {};
+        for (let d of domainObjects) { domainObjectMap[d.domain] = d; }
+
+        docker.getContainerIdByIp(ip, function (error, containerId) {
            if (error) return callback(new AppsError(AppsError.INTERNAL_ERROR, error));

-            domaindb.get(app.domain, function (error, result) {
+            appdb.getByContainerId(containerId, function (error, app) {
+                if (error && error.reason === DatabaseError.NOT_FOUND) return callback(new AppsError(AppsError.NOT_FOUND, 'No such app'));
                if (error) return callback(new AppsError(AppsError.INTERNAL_ERROR, error));

-                app.iconUrl = getIconUrlSync(app);
-                app.fqdn = domains.fqdn(app.location, app.domain, result.provider);
+                postProcess(app);

-                callback(null, app);
+                domaindb.getAll(function (error, domainObjects) {
+                    if (error) return callback(new AppsError(AppsError.INTERNAL_ERROR, error));
+
+                    let domainObjectMap = {};
+                    for (let d of domainObjects) { domainObjectMap[d.domain] = d; }
+
+                    app.iconUrl = getIconUrlSync(app);
+                    app.fqdn = domains.fqdn(app.location, domainObjectMap[app.domain]);
+                    app.alternateDomains.forEach(function (ad) { ad.fqdn = domains.fqdn(ad.subdomain, domainObjectMap[ad.domain]); });
+
+                    callback(null, app);
+                });
            });
        });
    });
@@ -398,22 +443,28 @@ function getByIpAddress(ip, callback) {
 function getAll(callback) {
    assert.strictEqual(typeof callback, 'function');

-    appdb.getAll(function (error, apps) {
+    domaindb.getAll(function (error, domainObjects) {
        if (error) return callback(new AppsError(AppsError.INTERNAL_ERROR, error));

-        async.eachSeries(apps, function (app, iteratorDone) {
-            domaindb.get(app.domain, function (error, result) {
-                if (error) return iteratorDone(new AppsError(AppsError.INTERNAL_ERROR, error));
+        let domainObjectMap = {};
+        for (let d of domainObjects) { domainObjectMap[d.domain] = d; }

+        appdb.getAll(function (error, apps) {
+            if (error) return callback(new AppsError(AppsError.INTERNAL_ERROR, error));
+
+            apps.forEach(postProcess);
+
+            async.eachSeries(apps, function (app, iteratorDone) {
                app.iconUrl = getIconUrlSync(app);
-                app.fqdn = domains.fqdn(app.location, app.domain, result.provider);
+                app.fqdn = domains.fqdn(app.location, domainObjectMap[app.domain]);
+                app.alternateDomains.forEach(function (ad) { ad.fqdn = domains.fqdn(ad.subdomain, domainObjectMap[ad.domain]); });

-                iteratorDone();
+                iteratorDone(null, app);
+            }, function (error) {
+                if (error) return callback(error);
+
+                callback(null, apps);
            });
-        }, function (error) {
-            if (error) return callback(error);
-
-            callback(null, apps);
        });
    });
 }
@@ -451,8 +502,13 @@ function downloadManifest(appStoreId, manifest, callback) {
    });
 }

-function install(data, auditSource, callback) {
+function mailboxNameForLocation(location, manifest) {
+    return (location ? location : manifest.title.toLowerCase().replace(/[^a-zA-Z0-9]/g, '')) + '.app';
+}
+
+function install(data, user, auditSource, callback) {
    assert(data && typeof data === 'object');
+    assert(user && typeof user === 'object');
    assert.strictEqual(typeof auditSource, 'object');
    assert.strictEqual(typeof callback, 'function');

@@ -469,8 +525,13 @@ function install(data, auditSource, callback) {
        debugMode = data.debugMode || null,
        robotsTxt = data.robotsTxt || null,
        enableBackup = 'enableBackup' in data ? data.enableBackup : true,
+        enableAutomaticUpdate = 'enableAutomaticUpdate' in data ? data.enableAutomaticUpdate : true,
        backupId = data.backupId || null,
-        backupFormat = data.backupFormat || 'tgz';
+        backupFormat = data.backupFormat || 'tgz',
+        ownerId = data.ownerId,
+        alternateDomains = data.alternateDomains || [],
+        env = data.env || {},
+        mailboxName = data.mailboxName || '';

    assert(data.appStoreId || data.manifest); // atleast one of them is required

@@ -483,7 +544,7 @@ function install(data, auditSource, callback) {
        error = checkManifestConstraints(manifest);
        if (error) return callback(error);

-        error = validatePortBindings(portBindings, manifest.tcpPorts);
+        error = validatePortBindings(portBindings, manifest);
        if (error) return callback(error);

        error = validateAccessRestriction(accessRestriction);
@@ -508,6 +569,16 @@ function install(data, auditSource, callback) {
        // if sso was unspecified, enable it by default if possible
        if (sso === null) sso = !!manifest.addons['ldap'] || !!manifest.addons['oauth'];

+        error = validateEnv(env);
+        if (error) return callback(error);
+
+        if (mailboxName) {
+            error = mail.validateName(mailboxName);
+            if (error) return callback(error);
+        } else {
+            mailboxName = mailboxNameForLocation(location, manifest);
+        }
+
        var appId = uuid.v4();

        if (icon) {
@@ -519,48 +590,62 @@ function install(data, auditSource, callback) {
        }

        domains.get(domain, function (error, domainObject) {
-            if (error && error.reason === DomainError.NOT_FOUND) return callback(new AppsError(AppsError.NOT_FOUND, 'No such domain'));
+            if (error && error.reason === DomainsError.NOT_FOUND) return callback(new AppsError(AppsError.NOT_FOUND, 'No such domain'));
            if (error) return callback(new AppsError(AppsError.INTERNAL_ERROR, 'Could not get domain info:' + error.message));

-            var fqdn = domains.fqdn(location, domain, domainObject.provider);
+            location = addSpacesSuffix(location, user);
+            alternateDomains.forEach(function (ad) { ad.subdomain = addSpacesSuffix(ad.subdomain, user); }); // TODO: validate these

-            error = validateHostname(location, domain, fqdn);
-            if (error) return callback(error);
+            error = domains.validateHostname(location, domainObject);
+            if (error) return callback(new AppsError(AppsError.BAD_FIELD, 'Bad location: ' + error.message));

            if (cert && key) {
-                error = reverseProxy.validateCertificate(fqdn, cert, key);
+                error = reverseProxy.validateCertificate(location, domainObject, { cert, key });
                if (error) return callback(new AppsError(AppsError.BAD_CERTIFICATE, error.message));
            }

            debug('Will install app with id : ' + appId);

-            appstore.purchase(appId, appStoreId, function (error) {
-                if (error && error.reason === AppstoreError.NOT_FOUND) return callback(new AppsError(AppsError.NOT_FOUND));
-                if (error && error.reason === AppstoreError.BILLING_REQUIRED) return callback(new AppsError(AppsError.BILLING_REQUIRED, error.message));
-                if (error && error.reason === AppstoreError.EXTERNAL_ERROR) return callback(new AppsError(AppsError.EXTERNAL_ERROR, error.message));
+            var data = {
+                accessRestriction: accessRestriction,
+                memoryLimit: memoryLimit,
+                xFrameOptions: xFrameOptions,
+                sso: sso,
+                debugMode: debugMode,
+                mailboxName: mailboxName,
+                restoreConfig: backupId ? { backupId: backupId, backupFormat: backupFormat } : null,
+                enableBackup: enableBackup,
+                enableAutomaticUpdate: enableAutomaticUpdate,
+                robotsTxt: robotsTxt,
+                alternateDomains: alternateDomains,
+                env: env
+            };
+
+            appdb.add(appId, appStoreId, manifest, location, domain, ownerId, translatePortBindings(portBindings, manifest), data, function (error) {
+                if (error && error.reason === DatabaseError.ALREADY_EXISTS) return callback(getDuplicateErrorDetails(location, portBindings, error));
+                if (error && error.reason === DatabaseError.NOT_FOUND) return callback(new AppsError(AppsError.NOT_FOUND, error.message));
                if (error) return callback(new AppsError(AppsError.INTERNAL_ERROR, error));

-                var data = {
-                    accessRestriction: accessRestriction,
-                    memoryLimit: memoryLimit,
-                    xFrameOptions: xFrameOptions,
-                    sso: sso,
-                    debugMode: debugMode,
-                    mailboxName: (location ? location : manifest.title.toLowerCase().replace(/[^a-zA-Z0-9]/g, '')) + '.app',
-                    restoreConfig: backupId ? { backupId: backupId, backupFormat: backupFormat } : null,
-                    enableBackup: enableBackup,
-                    robotsTxt: robotsTxt
-                };
+                appstore.purchase(appId, { appstoreId: appStoreId, manifestId: manifest.id }, function (appstoreError) {
+                    // if purchase failed, rollback the appdb record
+                    if (appstoreError) {
+                        appdb.del(appId, function (error) {
+                            if (error) debug('install: Failed to rollback app installation.', error);

-                appdb.add(appId, appStoreId, manifest, location, domain, portBindings, data, function (error) {
-                    if (error && error.reason === DatabaseError.ALREADY_EXISTS) return callback(getDuplicateErrorDetails(location, portBindings, error));
-                    if (error && error.reason === DatabaseError.NOT_FOUND) return callback(new AppsError(AppsError.NOT_FOUND, error.message));
-                    if (error) return callback(new AppsError(AppsError.INTERNAL_ERROR, error));
+                            if (appstoreError.reason === AppstoreError.NOT_FOUND) return callback(new AppsError(AppsError.NOT_FOUND, appstoreError.message));
+                            if (appstoreError && appstoreError.reason === AppstoreError.BILLING_REQUIRED) return callback(new AppsError(AppsError.BILLING_REQUIRED, appstoreError.message));
+                            if (appstoreError && appstoreError.reason === AppstoreError.EXTERNAL_ERROR) return callback(new AppsError(AppsError.EXTERNAL_ERROR, appstoreError.message));
+
+                            callback(new AppsError(AppsError.INTERNAL_ERROR, appstoreError));
+                        });
+
+                        return;
+                    }

                    // save cert to boxdata/certs
                    if (cert && key) {
-                        if (!safe.fs.writeFileSync(path.join(paths.APP_CERTS_DIR, fqdn + '.user.cert'), cert)) return callback(new AppsError(AppsError.INTERNAL_ERROR, 'Error saving cert: ' + safe.error.message));
-                        if (!safe.fs.writeFileSync(path.join(paths.APP_CERTS_DIR, fqdn + '.user.key'), key)) return callback(new AppsError(AppsError.INTERNAL_ERROR, 'Error saving key: ' + safe.error.message));
+                        let error = reverseProxy.setAppCertificateSync(location, domainObject, { cert, key });
+                        if (error) return callback(new AppsError(AppsError.INTERNAL_ERROR, 'Error setting cert: ' + error.message));
                    }

                    taskmanager.restartAppTask(appId);
@@ -579,21 +664,24 @@ function install(data, auditSource, callback) {
    });
 }

-function configure(appId, data, auditSource, callback) {
+function configure(appId, data, user, auditSource, callback) {
    assert.strictEqual(typeof appId, 'string');
    assert(data && typeof data === 'object');
+    assert(user && typeof user === 'object');
    assert.strictEqual(typeof auditSource, 'object');
    assert.strictEqual(typeof callback, 'function');

    get(appId, function (error, app) {
        if (error) return callback(error);

-        var domain, location, portBindings, values = { };
-        if ('location' in data) location = values.location = data.location.toLowerCase();
-        else location = app.location;
-
-        if ('domain' in data) domain = values.domain = data.domain.toLowerCase();
-        else domain = app.domain;
+        let domain, location, portBindings, values = { };
+        if ('location' in data && 'domain' in data) {
+            location = values.location = data.location.toLowerCase();
+            domain = values.domain = data.domain.toLowerCase();
+        } else {
+            location = app.location;
+            domain = app.domain;
+        }

        if ('accessRestriction' in data) {
            values.accessRestriction = data.accessRestriction;
@@ -602,9 +690,10 @@ function configure(appId, data, auditSource, callback) {
        }

        if ('portBindings' in data) {
-            portBindings = values.portBindings = data.portBindings;
-            error = validatePortBindings(values.portBindings, app.manifest.tcpPorts);
+            error = validatePortBindings(data.portBindings, app.manifest);
            if (error) return callback(error);
+            values.portBindings = translatePortBindings(data.portBindings, app.manifest);
+            portBindings = data.portBindings;
        } else {
            portBindings = app.portBindings;
        }
@@ -633,57 +722,71 @@ function configure(appId, data, auditSource, callback) {
            if (error) return callback(error);
        }

+        if ('mailboxName' in data) {
+            if (data.mailboxName) {
+                error = mail.validateName(data.mailboxName);
+                if (error) return callback(error);
+                values.mailboxName = data.mailboxName;
+            } else {
+                values.mailboxName = mailboxNameForLocation(location, app.manifest);
+            }
+        } else { // keep existing name or follow the new location
+            values.mailboxName = app.mailboxName.endsWith('.app') ? mailboxNameForLocation(location, app.manifest) : app.mailboxName;
+        }
+
+        if ('alternateDomains' in data) {
+            // TODO validate all subdomains [{ domain: '', subdomain: ''}]
+            values.alternateDomains = data.alternateDomains;
+            values.alternateDomains.forEach(function (ad) { ad.subdomain = addSpacesSuffix(ad.subdomain, user); }); // TODO: validate these
+        }
+
+        if ('env' in data) {
+            values.env = data.env;
+            error = validateEnv(data.env);
+            if (error) return callback(error);
+        }
+
        domains.get(domain, function (error, domainObject) {
-            if (error && error.reason === DomainError.NOT_FOUND) return callback(new AppsError(AppsError.NOT_FOUND, 'No such domain'));
+            if (error && error.reason === DomainsError.NOT_FOUND) return callback(new AppsError(AppsError.NOT_FOUND, 'No such domain'));
            if (error) return callback(new AppsError(AppsError.INTERNAL_ERROR, 'Could not get domain info:' + error.message));

-            var fqdn = domains.fqdn(location, domain, domainObject.provider);
+            location = addSpacesSuffix(location, user);

-            error = validateHostname(location, domain, fqdn);
-            if (error) return callback(error);
+            error = domains.validateHostname(location, domainObject);
+            if (error) return callback(new AppsError(AppsError.BAD_FIELD, 'Bad location: ' + error.message));

            // save cert to boxdata/certs. TODO: move this to apptask when we have a real task queue
            if ('cert' in data && 'key' in data) {
                if (data.cert && data.key) {
-                    error = reverseProxy.validateCertificate(fqdn, data.cert, data.key);
+                    error = reverseProxy.validateCertificate(location, domainObject, { cert: data.cert, key: data.key });
                    if (error) return callback(new AppsError(AppsError.BAD_CERTIFICATE, error.message));
-
-                    if (!safe.fs.writeFileSync(path.join(paths.APP_CERTS_DIR, `${fqdn}.user.cert`), data.cert)) return callback(new AppsError(AppsError.INTERNAL_ERROR, 'Error saving cert: ' + safe.error.message));
-                    if (!safe.fs.writeFileSync(path.join(paths.APP_CERTS_DIR, `${fqdn}.user.key`), data.key)) return callback(new AppsError(AppsError.INTERNAL_ERROR, 'Error saving key: ' + safe.error.message));
-                } else { // remove existing cert/key
-                    if (!safe.fs.unlinkSync(path.join(paths.APP_CERTS_DIR, `${fqdn}.user.cert`))) debug('Error removing cert: ' + safe.error.message);
-                    if (!safe.fs.unlinkSync(path.join(paths.APP_CERTS_DIR, `${fqdn}..user.key`))) debug('Error removing key: ' + safe.error.message);
                }
+
+                error = reverseProxy.setAppCertificateSync(location, domainObject, { cert: data.cert, key: data.key });
+                if (error) return callback(new AppsError(AppsError.INTERNAL_ERROR, 'Error setting cert: ' + error.message));
            }

            if ('enableBackup' in data) values.enableBackup = data.enableBackup;
+            if ('enableAutomaticUpdate' in data) values.enableAutomaticUpdate = data.enableAutomaticUpdate;

            values.oldConfig = getAppConfig(app);

            debug('Will configure app with id:%s values:%j', appId, values);

-            var oldName = (app.location ? app.location : app.manifest.title.toLowerCase().replace(/[^a-zA-Z0-9]/g, '')) + '.app';
-            var newName = (location ? location : app.manifest.title.toLowerCase().replace(/[^a-zA-Z0-9]/g, '')) + '.app';
-            mailboxdb.updateName(oldName, values.oldConfig.domain, newName, domain, function (error) {
-                if (error && error.reason === DatabaseError.ALREADY_EXISTS) return callback(new AppsError(AppsError.ALREADY_EXISTS, 'This mailbox is already taken'));
+            appdb.setInstallationCommand(appId, appdb.ISTATE_PENDING_CONFIGURE, values, function (error) {
+                if (error && error.reason === DatabaseError.ALREADY_EXISTS) return callback(getDuplicateErrorDetails(location, portBindings, error));
                if (error && error.reason === DatabaseError.NOT_FOUND) return callback(new AppsError(AppsError.BAD_STATE));
                if (error) return callback(new AppsError(AppsError.INTERNAL_ERROR, error));

-                appdb.setInstallationCommand(appId, appdb.ISTATE_PENDING_CONFIGURE, values, function (error) {
-                    if (error && error.reason === DatabaseError.ALREADY_EXISTS) return callback(getDuplicateErrorDetails(location, portBindings, error));
-                    if (error && error.reason === DatabaseError.NOT_FOUND) return callback(new AppsError(AppsError.BAD_STATE));
+                taskmanager.restartAppTask(appId);
+
+                // fetch fresh app object for eventlog
+                get(appId, function (error, result) {
                    if (error) return callback(new AppsError(AppsError.INTERNAL_ERROR, error));

-                    taskmanager.restartAppTask(appId);
+                    eventlog.add(eventlog.ACTION_APP_CONFIGURE, auditSource, { appId: appId, app: result });

-                    // fetch fresh app object for eventlog
-                    get(appId, function (error, result) {
-                        if (error) return callback(new AppsError(AppsError.INTERNAL_ERROR, error));
-
-                        eventlog.add(eventlog.ACTION_APP_CONFIGURE, auditSource, { appId: appId, app: result });
-
-                        callback(null);
-                    });
+                    callback(null);
                });
            });
        });
@@ -760,12 +863,6 @@ function update(appId, data, auditSource, callback) {
    });
 }

-function appLogFilter(app) {
-    var names = [ app.id ].concat(addons.getContainerNamesSync(app, app.manifest.addons));
-
-    return names.map(function (name) { return 'CONTAINER_NAME=' + name; });
-}
-
 function getLogs(appId, options, callback) {
    assert.strictEqual(typeof appId, 'string');
    assert(options && typeof options === 'object');
@@ -777,28 +874,35 @@ function getLogs(appId, options, callback) {
        if (error) return callback(error);

        var lines = options.lines || 100,
-            follow = !!options.follow,
-            format = options.format || 'json';
+            format = options.format || 'json',
+            follow = !!options.follow;

-        var args = [ '--no-pager', '--lines=' + lines ];
-        if (follow) args.push('--follow');
-        if (format == 'short') args.push('--output=short', '-a'); else args.push('--output=json');
-        args = args.concat(appLogFilter(app));
+        assert.strictEqual(typeof lines, 'number');
+        assert.strictEqual(typeof format, 'string');

-        var cp = spawn('/bin/journalctl', args);
+        var args = [ '--lines=' + lines ];
+        if (follow) args.push('--follow', '--retry', '--quiet'); // same as -F. to make it work if file doesn't exist, --quiet to not output file headers, which are no logs
+        args.push(path.join(paths.LOG_DIR, appId, 'apptask.log'));
+        args.push(path.join(paths.LOG_DIR, appId, 'app.log'));
+        if (app.manifest.addons && app.manifest.addons.redis) args.push(path.join(paths.LOG_DIR, `redis-${appId}/app.log`));
+
+        var cp = spawn('/usr/bin/tail', args);

        var transformStream = split(function mapper(line) {
            if (format !== 'json') return line + '\n';

-            var obj = safe.JSON.parse(line);
-            if (!obj) return undefined;
+            var data = line.split(' '); // logs are <ISOtimestamp> <msg>
+            var timestamp = (new Date(data[0])).getTime();
+            if (isNaN(timestamp)) timestamp = 0;
+            var message = line.slice(data[0].length+1);
+
+            // ignore faulty empty logs
+            if (!timestamp && !message) return;

-            var source = obj.CONTAINER_NAME.slice(app.id.length + 1);
            return JSON.stringify({
-                realtimeTimestamp: obj.__REALTIME_TIMESTAMP,
-                monotonicTimestamp: obj.__MONOTONIC_TIMESTAMP,
-                message: obj.MESSAGE,
-                source: source || 'main'
+                realtimeTimestamp: timestamp * 1000,
+                message: message,
+                source: appId
            }) + '\n';
        });

@@ -856,9 +960,10 @@ function restore(appId, data, auditSource, callback) {
    });
 }

-function clone(appId, data, auditSource, callback) {
+function clone(appId, data, user, auditSource, callback) {
    assert.strictEqual(typeof appId, 'string');
    assert.strictEqual(typeof data, 'object');
+    assert(user && typeof user === 'object');
    assert.strictEqual(typeof auditSource, 'object');
    assert.strictEqual(typeof callback, 'function');

@@ -867,12 +972,15 @@ function clone(appId, data, auditSource, callback) {
    var location = data.location.toLowerCase(),
        domain = data.domain.toLowerCase(),
        portBindings = data.portBindings || null,
-        backupId = data.backupId;
+        backupId = data.backupId,
+        ownerId = data.ownerId,
+        mailboxName = data.mailboxName || '';

    assert.strictEqual(typeof backupId, 'string');
    assert.strictEqual(typeof location, 'string');
    assert.strictEqual(typeof domain, 'string');
    assert.strictEqual(typeof portBindings, 'object');
+    assert(ownerId === null || typeof ownerId === 'string');

    get(appId, function (error, app) {
        if (error) return callback(error);
@@ -884,43 +992,64 @@ function clone(appId, data, auditSource, callback) {

            if (!backupInfo.manifest) callback(new AppsError(AppsError.EXTERNAL_ERROR, 'Could not get restore config'));

+            const manifest = backupInfo.manifest;
+
            // re-validate because this new box version may not accept old configs
-            error = checkManifestConstraints(backupInfo.manifest);
+            error = checkManifestConstraints(manifest);
            if (error) return callback(error);

-            error = validatePortBindings(portBindings, backupInfo.manifest.tcpPorts);
+            error = validatePortBindings(portBindings, manifest);
            if (error) return callback(error);

+            if (mailboxName) {
+                error = mail.validateName(mailboxName);
+                if (error) return callback(error);
+            } else {
+                mailboxName = mailboxNameForLocation(location, manifest);
+            }
+
            domains.get(domain, function (error, domainObject) {
-                if (error && error.reason === DomainError.NOT_FOUND) return callback(new AppsError(AppsError.EXTERNAL_ERROR, 'No such domain'));
+                if (error && error.reason === DomainsError.NOT_FOUND) return callback(new AppsError(AppsError.EXTERNAL_ERROR, 'No such domain'));
                if (error) return callback(new AppsError(AppsError.INTERNAL_ERROR, 'Could not get domain info:' + error.message));

-                error = validateHostname(location, domain, domains.fqdn(location, domain, domainObject.provider));
-                if (error) return callback(error);
+                location = addSpacesSuffix(location, user);
+                error = domains.validateHostname(location, domainObject);
+                if (error) return callback(new AppsError(AppsError.BAD_FIELD, 'Bad location: ' + error.message));

-                var newAppId = uuid.v4(), manifest = backupInfo.manifest;
+                var newAppId = uuid.v4();

-                appstore.purchase(newAppId, app.appStoreId, function (error) {
-                    if (error && error.reason === AppstoreError.NOT_FOUND) return callback(new AppsError(AppsError.NOT_FOUND));
-                    if (error && error.reason === AppstoreError.BILLING_REQUIRED) return callback(new AppsError(AppsError.BILLING_REQUIRED, error.message));
-                    if (error && error.reason === AppstoreError.EXTERNAL_ERROR) return callback(new AppsError(AppsError.EXTERNAL_ERROR, error.message));
+                var data = {
+                    installationState: appdb.ISTATE_PENDING_CLONE,
+                    memoryLimit: app.memoryLimit,
+                    accessRestriction: app.accessRestriction,
+                    xFrameOptions: app.xFrameOptions,
+                    restoreConfig: { backupId: backupId, backupFormat: backupInfo.format },
+                    sso: !!app.sso,
+                    mailboxName: mailboxName,
+                    enableBackup: app.enableBackup,
+                    robotsTxt: app.robotsTxt,
+                    env: app.env
+                };
+
+                appdb.add(newAppId, app.appStoreId, manifest, location, domain, ownerId, translatePortBindings(portBindings, manifest), data, function (error) {
+                    if (error && error.reason === DatabaseError.ALREADY_EXISTS) return callback(getDuplicateErrorDetails(location, portBindings, error));
                    if (error) return callback(new AppsError(AppsError.INTERNAL_ERROR, error));

-                    var data = {
-                        installationState: appdb.ISTATE_PENDING_CLONE,
-                        memoryLimit: app.memoryLimit,
-                        accessRestriction: app.accessRestriction,
-                        xFrameOptions: app.xFrameOptions,
-                        restoreConfig: { backupId: backupId, backupFormat: backupInfo.format },
-                        sso: !!app.sso,
-                        mailboxName: (location ? location : manifest.title.toLowerCase().replace(/[^a-zA-Z0-9]/g, '')) + '.app',
-                        enableBackup: app.enableBackup,
-                        robotsTxt: app.robotsTxt
-                    };
+                    appstore.purchase(newAppId, { appstoreId: app.appStoreId, manifestId: manifest.id }, function (appstoreError) {
+                        // if purchase failed, rollback the appdb record
+                        if (appstoreError) {
+                            appdb.del(newAppId, function (error) {
+                                if (error) debug('install: Failed to rollback app installation.', error);

-                    appdb.add(newAppId, app.appStoreId, manifest, location, domain, portBindings, data, function (error) {
-                        if (error && error.reason === DatabaseError.ALREADY_EXISTS) return callback(getDuplicateErrorDetails(location, portBindings, error));
-                        if (error) return callback(new AppsError(AppsError.INTERNAL_ERROR, error));
+                                if (appstoreError.reason === AppstoreError.NOT_FOUND) return callback(new AppsError(AppsError.NOT_FOUND, appstoreError.message));
+                                if (appstoreError && appstoreError.reason === AppstoreError.BILLING_REQUIRED) return callback(new AppsError(AppsError.BILLING_REQUIRED, appstoreError.message));
+                                if (appstoreError && appstoreError.reason === AppstoreError.EXTERNAL_ERROR) return callback(new AppsError(AppsError.EXTERNAL_ERROR, appstoreError.message));
+
+                                callback(new AppsError(AppsError.INTERNAL_ERROR, appstoreError));
+                            });
+
+                            return;
+                        }

                        taskmanager.restartAppTask(newAppId);

@@ -949,7 +1078,7 @@ function uninstall(appId, auditSource, callback) {
    get(appId, function (error, app) {
        if (error) return callback(error);

-        appstore.unpurchase(appId, app.appStoreId, function (error) {
+        appstore.unpurchase(appId, { appstoreId: app.appStoreId, manifestId: app.manifest.id }, function (error) {
            if (error && error.reason === AppstoreError.NOT_FOUND) return callback(new AppsError(AppsError.NOT_FOUND));
            if (error && error.reason === AppstoreError.BILLING_REQUIRED) return callback(new AppsError(AppsError.BILLING_REQUIRED, error.message));
            if (error && error.reason === AppstoreError.EXTERNAL_ERROR) return callback(new AppsError(AppsError.EXTERNAL_ERROR, error.message));
@@ -1047,6 +1176,8 @@ function exec(appId, options, callback) {
        };

        container.exec(execOptions, function (error, exec) {
+            if (error && error.statusCode === 409) return callback(new AppsError(AppsError.BAD_STATE, error.message)); // container restarting/not running
+
            if (error) return callback(new AppsError(AppsError.INTERNAL_ERROR, error));
            var startOptions = {
                Detach: false,
@@ -1066,7 +1197,11 @@ function exec(appId, options, callback) {
                if (error) return callback(new AppsError(AppsError.INTERNAL_ERROR, error));

                if (options.rows && options.columns) {
-                    exec.resize({ h: options.rows, w: options.columns }, function (error) { if (error) debug('Error resizing console', error); });
+                    // there is a race where resizing too early results in a 404 "no such exec"
+                    // https://git.cloudron.io/cloudron/box/issues/549
+                    setTimeout(function () {
+                        exec.resize({ h: options.rows, w: options.columns }, function (error) { if (error) debug('Error resizing console', error); });
+                    }, 2000);
                }

                return callback(null, stream);
@@ -1081,13 +1216,15 @@ function autoupdateApps(updateInfo, auditSource, callback) { // updateInfo is {
    assert.strictEqual(typeof callback, 'function');

    function canAutoupdateApp(app, newManifest) {
+        if (!app.enableAutomaticUpdate) return new Error('Automatic update disabled');
        if ((semver.major(app.manifest.version) !== 0) && (semver.major(app.manifest.version) !== semver.major(newManifest.version))) return new Error('Major version change'); // major changes are blocking

-        var newTcpPorts = newManifest.tcpPorts || { };
-        var portBindings = app.portBindings; // this is never null
+        const newTcpPorts = newManifest.tcpPorts || { };
+        const newUdpPorts = newManifest.udpPorts || { };
+        const portBindings = app.portBindings; // this is never null

-        for (var env in portBindings) {
-            if (!(env in newTcpPorts)) return new Error(env + ' was in use but new update removes it');
+        for (let portName in portBindings) {
+            if (!(portName in newTcpPorts) && !(portName in newUdpPorts)) return new Error(`${portName} was in use but new update removes it`);
        }

        // it's fine if one or more (unused) keys got removed
@@ -1174,7 +1311,7 @@ function restoreInstalledApps(callback) {

                debug(`marking ${app.fqdn} for restore using restore config ${JSON.stringify(restoreConfig)}`);

-                appdb.setInstallationCommand(app.id, appdb.ISTATE_PENDING_RESTORE, { restoreConfig: restoreConfig, oldConfig: null }, function (error) {
+                appdb.setInstallationCommand(app.id, appdb.ISTATE_PENDING_RESTORE, { restoreConfig: restoreConfig, oldConfig: getAppConfig(app) }, function (error) {
                    if (error) debug(`Error marking ${app.fqdn} for restore: ${JSON.stringify(error)}`);

                    iteratorDone(); // always succeed
@@ -1283,3 +1420,28 @@ function uploadFile(appId, sourceFilePath, destFilePath, callback) {
        callback(null);
    });
 }
+
+function setOwner(appId, ownerId, callback) {
+    assert.strictEqual(typeof appId, 'string');
+    assert.strictEqual(typeof callback, 'function');
+
+    appdb.setOwner(appId, ownerId, function (error) {
+        if (error && error.reason === DatabaseError.NOT_FOUND) return callback(new AppsError(AppsError.NOT_FOUND, error.message));
+        if (error) return callback(new AppsError(AppsError.INTERNAL_ERROR, error));
+
+        callback();
+    });
+}
+
+function transferOwnership(oldOwnerId, newOwnerId, callback) {
+    assert.strictEqual(typeof oldOwnerId, 'string');
+    assert.strictEqual(typeof newOwnerId, 'string');
+    assert.strictEqual(typeof callback, 'function');
+
+    appdb.transferOwnership(oldOwnerId, newOwnerId, function (error) {
+        if (error && error.reason === DatabaseError.NOT_FOUND) return callback(new AppsError(AppsError.NOT_FOUND, error.message));
+        if (error) return callback(new AppsError(AppsError.INTERNAL_ERROR, error));
+
+        callback();
+    });
+}
@@ -5,6 +5,7 @@ exports = module.exports = {
    unpurchase: unpurchase,

    getSubscription: getSubscription,
+    isFreePlan: isFreePlan,

    sendAliveStatus: sendAliveStatus,

@@ -89,18 +90,21 @@ function getSubscription(callback) {
    });
 }

-function purchase(appId, appstoreId, callback) {
-    assert.strictEqual(typeof appId, 'string');
-    assert.strictEqual(typeof appstoreId, 'string');
-    assert.strictEqual(typeof callback, 'function');
+function isFreePlan(subscription) {
+    return !subscription || subscription.plan.id === 'free';
+}

-    if (appstoreId === '') return callback(null);
+// See app.js install it will create a db record first but remove it again if appstore purchase fails
+function purchase(appId, data, callback) {
+    assert.strictEqual(typeof appId, 'string');
+    assert.strictEqual(typeof data, 'object');
+    assert(data.appstoreId || data.manifestId);
+    assert.strictEqual(typeof callback, 'function');

    getAppstoreConfig(function (error, appstoreConfig) {
        if (error) return callback(error);

        var url = config.apiServerOrigin() + '/api/v1/users/' + appstoreConfig.userId + '/cloudrons/' + appstoreConfig.cloudronId + '/apps/' + appId;
-        var data = { appstoreId: appstoreId };

        superagent.post(url).send(data).query({ accessToken: appstoreConfig.token }).timeout(30 * 1000).end(function (error, result) {
            if (error && !error.response) return callback(new AppstoreError(AppstoreError.EXTERNAL_ERROR, error.message));
@@ -114,13 +118,12 @@ function purchase(appId, appstoreId, callback) {
    });
 }

-function unpurchase(appId, appstoreId, callback) {
+function unpurchase(appId, data, callback) {
    assert.strictEqual(typeof appId, 'string');
-    assert.strictEqual(typeof appstoreId, 'string');
+    assert.strictEqual(typeof data, 'object');
+    assert(data.appstoreId || data.manifestId);
    assert.strictEqual(typeof callback, 'function');

-    if (appstoreId === '') return callback(null);
-
    getAppstoreConfig(function (error, appstoreConfig) {
        if (error) return callback(error);

@@ -132,7 +135,7 @@ function unpurchase(appId, appstoreId, callback) {
            if (result.statusCode === 404) return callback(null);   // was never purchased
            if (result.statusCode !== 201 && result.statusCode !== 200) return callback(new AppstoreError(AppstoreError.EXTERNAL_ERROR, util.format('App unpurchase failed. %s %j', result.status, result.body)));

-            superagent.del(url).query({ accessToken: appstoreConfig.token }).timeout(30 * 1000).end(function (error, result) {
+            superagent.del(url).send(data).query({ accessToken: appstoreConfig.token }).timeout(30 * 1000).end(function (error, result) {
                if (error && !error.response) return callback(new AppstoreError(AppstoreError.EXTERNAL_ERROR, error));
                if (result.statusCode === 403 || result.statusCode === 401) return callback(new AppstoreError(AppstoreError.BILLING_REQUIRED));
                if (result.statusCode !== 204) return callback(new AppstoreError(AppstoreError.EXTERNAL_ERROR, util.format('App unpurchase failed. %s %j', result.status, result.body)));
@@ -164,7 +167,7 @@ function sendAliveStatus(callback) {
            });
        },
        function (callback) {
-            mail.getAll(function (error, result) {
+            mail.getDomains(function (error, result) {
                if (error) return callback(new AppstoreError(AppstoreError.INTERNAL_ERROR, error));
                mailDomains = result;
                callback();
@@ -238,17 +241,17 @@ function getBoxUpdate(callback) {
        var url = config.apiServerOrigin() + '/api/v1/users/' + appstoreConfig.userId + '/cloudrons/' + appstoreConfig.cloudronId + '/boxupdate';

        superagent.get(url).query({ accessToken: appstoreConfig.token, boxVersion: config.version() }).timeout(10 * 1000).end(function (error, result) {
-            if (error && !error.response) return callback(new AppstoreError(AppstoreError.EXTERNAL_ERROR, error));
+            if (error && !error.response) return callback(new AppstoreError(AppstoreError.EXTERNAL_ERROR, error.message));
            if (result.statusCode === 204) return callback(null); // no update
            if (result.statusCode !== 200 || !result.body) return callback(new AppstoreError(AppstoreError.EXTERNAL_ERROR, util.format('Bad response: %s %s', result.statusCode, result.text)));

            var updateInfo = result.body;

            if (!semver.valid(updateInfo.version) || semver.gt(config.version(), updateInfo.version)) {
-                return callback(new AppstoreError(AppstoreError.EXTERNAL_ERROR, util.format('Bad response: %s %s', result.statusCode, result.text)));
+                return callback(new AppstoreError(AppstoreError.EXTERNAL_ERROR, util.format('Invalid update version: %s %s', result.statusCode, result.text)));
            }

-            // { version, changelog, upgrade, sourceTarballUrl}
+            // updateInfo: { version, changelog, upgrade, sourceTarballUrl, sourceTarballSigUrl, boxVersionsUrl, boxVersionsSigUrl }
            callback(null, updateInfo);
        });
    });
@@ -10,8 +10,8 @@ exports = module.exports = {
    _reserveHttpPort: reserveHttpPort,
    _configureReverseProxy: configureReverseProxy,
    _unconfigureReverseProxy: unconfigureReverseProxy,
-    _createVolume: createVolume,
-    _deleteVolume: deleteVolume,
+    _createAppDir: createAppDir,
+    _deleteAppDir: deleteAppDir,
    _verifyManifest: verifyManifest,
    _registerSubdomain: registerSubdomain,
    _unregisterSubdomain: unregisterSubdomain,
@@ -20,11 +20,6 @@ exports = module.exports = {

 require('supererror')({ splatchError: true });

-// remove timestamp from debug() based output
-require('debug').formatArgs = function formatArgs(args) {
-    args[0] = this.namespace + ' ' + args[0];
-};
-
 var addons = require('./addons.js'),
    appdb = require('./appdb.js'),
    apps = require('./apps.js'),
@@ -37,29 +32,30 @@ var addons = require('./addons.js'),
    debug = require('debug')('box:apptask'),
    docker = require('./docker.js'),
    domains = require('./domains.js'),
-    DomainError = domains.DomainError,
+    DomainsError = domains.DomainsError,
    ejs = require('ejs'),
    fs = require('fs'),
    manifestFormat = require('cloudron-manifestformat'),
+    mkdirp = require('mkdirp'),
    net = require('net'),
    os = require('os'),
    path = require('path'),
    paths = require('./paths.js'),
    reverseProxy = require('./reverseproxy.js'),
+    rimraf = require('rimraf'),
    safe = require('safetydance'),
    shell = require('./shell.js'),
    superagent = require('superagent'),
    sysinfo = require('./sysinfo.js'),
-    tld = require('tldjs'),
    util = require('util'),
    _ = require('underscore');

 var COLLECTD_CONFIG_EJS = fs.readFileSync(__dirname + '/collectd.config.ejs', { encoding: 'utf8' }),
    CONFIGURE_COLLECTD_CMD = path.join(__dirname, 'scripts/configurecollectd.sh'),
    LOGROTATE_CONFIG_EJS = fs.readFileSync(__dirname + '/logrotate.ejs', { encoding: 'utf8' }),
-    CONFIGURE_LOGROTATE_CMD = path.join(__dirname, 'scripts/configurelogrotate.sh'),
-    RMAPPDIR_CMD = path.join(__dirname, 'scripts/rmappdir.sh'),
-    CREATEAPPDIR_CMD = path.join(__dirname, 'scripts/createappdir.sh');
+    CONFIGURE_LOGROTATE_CMD = path.join(__dirname, 'scripts/configurelogrotate.sh');
+
+var NOOP_CALLBACK = function (error) { if (error) debug(error); };

 function initialize(callback) {
    assert.strictEqual(typeof callback, 'function');
@@ -139,6 +135,20 @@ function createContainer(app, callback) {
    });
 }

+// Only delete the main container of the app, not destroy any docker addon created ones
+function deleteMainContainer(app, callback) {
+    assert.strictEqual(typeof app, 'object');
+    assert.strictEqual(typeof callback, 'function');
+
+    debugApp(app, 'deleting main app container');
+
+    docker.deleteContainer(app.containerId, function (error) {
+        if (error) return callback(new Error('Error deleting container: ' + error));
+
+        updateApp(app, { containerId: null }, callback);
+    });
+}
+
 function deleteContainers(app, callback) {
    assert.strictEqual(typeof app, 'object');
    assert.strictEqual(typeof callback, 'function');
@@ -152,19 +162,47 @@ function deleteContainers(app, callback) {
    });
 }

-function createVolume(app, callback) {
+function createAppDir(app, callback) {
    assert.strictEqual(typeof app, 'object');
    assert.strictEqual(typeof callback, 'function');

-    shell.sudo('createVolume', [ CREATEAPPDIR_CMD, app.id ], callback);
+    mkdirp(path.join(paths.APPS_DATA_DIR, app.id), callback);
 }

-function deleteVolume(app, options, callback) {
+function deleteAppDir(app, options, callback) {
    assert.strictEqual(typeof app, 'object');
    assert.strictEqual(typeof options, 'object');
    assert.strictEqual(typeof callback, 'function');

-    shell.sudo('deleteVolume', [ RMAPPDIR_CMD, app.id, !!options.removeDirectory ], callback);
+    const appDataDir = path.join(paths.APPS_DATA_DIR, app.id);
+
+    // resolve any symlinked data dir
+    const stat = safe.fs.lstatSync(appDataDir);
+    if (!stat) return callback(null);
+
+    const resolvedAppDataDir = stat.isSymbolicLink() ? safe.fs.readlinkSync(appDataDir) : appDataDir;
+
+    if (safe.fs.existsSync(resolvedAppDataDir)) {
+        const entries = safe.fs.readdirSync(resolvedAppDataDir);
+        if (!entries) return callback(`Error listing ${resolvedAppDataDir}: ${safe.error.message}`);
+
+        // remove only files. directories inside app dir are currently volumes managed by the addons
+        entries.forEach(function (entry) {
+            let stat = safe.fs.statSync(path.join(resolvedAppDataDir, entry));
+            if (stat && !stat.isDirectory()) safe.fs.unlinkSync(path.join(resolvedAppDataDir, entry));
+        });
+    }
+
+    // if this fails, it's probably because the localstorage/redis addons have not cleaned up properly
+    if (options.removeDirectory) {
+        if (stat.isSymbolicLink()) {
+            if (!safe.fs.unlinkSync(appDataDir)) return callback(safe.error.code === 'ENOENT' ? null : safe.error);
+        } else {
+            if (!safe.fs.rmdirSync(appDataDir)) return callback(safe.error.code === 'ENOENT' ? null : safe.error);
+        }
+    }
+
+    callback(null);
 }

 function addCollectdProfile(app, callback) {
@@ -174,7 +212,7 @@ function addCollectdProfile(app, callback) {
    var collectdConf = ejs.render(COLLECTD_CONFIG_EJS, { appId: app.id, containerId: app.containerId });
    fs.writeFile(path.join(paths.COLLECTD_APPCONFIG_DIR, app.id + '.conf'), collectdConf, function (error) {
        if (error) return callback(error);
-        shell.sudo('addCollectdProfile', [ CONFIGURE_COLLECTD_CMD, 'add', app.id ], callback);
+        shell.sudo('addCollectdProfile', [ CONFIGURE_COLLECTD_CMD, 'add', app.id ], {}, callback);
    });
 }

@@ -184,7 +222,7 @@ function removeCollectdProfile(app, callback) {

    fs.unlink(path.join(paths.COLLECTD_APPCONFIG_DIR, app.id + '.conf'), function (error) {
        if (error && error.code !== 'ENOENT') debugApp(app, 'Error removing collectd profile', error);
-        shell.sudo('removeCollectdProfile', [ CONFIGURE_COLLECTD_CMD, 'remove', app.id ], callback);
+        shell.sudo('removeCollectdProfile', [ CONFIGURE_COLLECTD_CMD, 'remove', app.id ], {}, callback);
    });
 }

@@ -203,7 +241,7 @@ function addLogrotateConfig(app, callback) {
        var tmpFilePath = path.join(os.tmpdir(), app.id + '.logrotate');
        fs.writeFile(tmpFilePath, logrotateConf, function (error) {
            if (error) return callback(error);
-            shell.sudo('addLogrotateConfig', [ CONFIGURE_LOGROTATE_CMD, 'add', app.id, tmpFilePath ], callback);
+            shell.sudo('addLogrotateConfig', [ CONFIGURE_LOGROTATE_CMD, 'add', app.id, tmpFilePath ], {}, callback);
        });
    });
 }
@@ -212,7 +250,7 @@ function removeLogrotateConfig(app, callback) {
    assert.strictEqual(typeof app, 'object');
    assert.strictEqual(typeof callback, 'function');

-    shell.sudo('removeLogrotateConfig', [ CONFIGURE_LOGROTATE_CMD, 'remove', app.id ], callback);
+    shell.sudo('removeLogrotateConfig', [ CONFIGURE_LOGROTATE_CMD, 'remove', app.id ], {}, callback);
 }

 function verifyManifest(manifest, callback) {
@@ -273,17 +311,18 @@ function registerSubdomain(app, overwrite, callback) {
                // refuse to update any existing DNS record for custom domains that we did not create
                if (values.length !== 0 && !overwrite) return retryCallback(null, new Error('DNS Record already exists'));

-                domains.upsertDnsRecords(app.location, app.domain, 'A', [ ip ], function (error, changeId) {
-                    if (error && (error.reason === DomainError.STILL_BUSY || error.reason === DomainError.EXTERNAL_ERROR)) return retryCallback(error); // try again
+                domains.upsertDnsRecords(app.location, app.domain, 'A', [ ip ], function (error) {
+                    if (error && (error.reason === DomainsError.STILL_BUSY || error.reason === DomainsError.EXTERNAL_ERROR)) {
+                        debug('Upsert error. Will retry.', error.message);
+                        return retryCallback(error); // try again
+                    }

-                    retryCallback(null, error || changeId);
+                    retryCallback(null, error);
                });
            });
        }, function (error, result) {
            if (error || result instanceof Error) return callback(error || result);
-
-            // dnsRecordId tracks whether we created this DNS record so that we can unregister later
-            updateApp(app, { dnsRecordId: result }, callback);
+            callback(null);
        });
    });
 }
@@ -294,11 +333,6 @@ function unregisterSubdomain(app, location, domain, callback) {
    assert.strictEqual(typeof domain, 'string');
    assert.strictEqual(typeof callback, 'function');

-    if (!app.dnsRecordId) {
-        debugApp(app, 'Skip unregister of record not created by cloudron');
-        return callback(null);
-    }
-
    sysinfo.getPublicIp(function (error, ip) {
        if (error) return callback(error);

@@ -306,19 +340,90 @@ function unregisterSubdomain(app, location, domain, callback) {
            debugApp(app, 'Unregistering subdomain: %s', app.fqdn);

            domains.removeDnsRecords(location, domain, 'A', [ ip ], function (error) {
-                if (error && error.reason === DomainError.NOT_FOUND) return retryCallback(null, null); // domain can be not found if oldConfig.domain or restoreConfig.domain was removed
-                if (error && (error.reason === DomainError.STILL_BUSY || error.reason === DomainError.EXTERNAL_ERROR)) return retryCallback(error); // try again
+                if (error && error.reason === DomainsError.NOT_FOUND) return retryCallback(null, null); // domain can be not found if oldConfig.domain or restoreConfig.domain was removed
+                if (error && (error.reason === DomainsError.STILL_BUSY || error.reason === DomainsError.EXTERNAL_ERROR)) return retryCallback(error); // try again

                retryCallback(null, error);
            });
        }, function (error, result) {
            if (error || result instanceof Error) return callback(error || result);
-
-            updateApp(app, { dnsRecordId: null }, callback);
+            callback(null);
        });
    });
 }

+function registerAlternateDomains(app, overwrite, callback) {
+    assert.strictEqual(typeof app, 'object');
+    assert.strictEqual(typeof overwrite, 'boolean');
+    assert.strictEqual(typeof callback, 'function');
+
+    sysinfo.getPublicIp(function (error, ip) {
+        if (error) return callback(error);
+
+        async.eachSeries(app.alternateDomains, function (domain, callback) {
+            async.retry({ times: 200, interval: 5000 }, function (retryCallback) {
+                debugApp(app, 'Registering alternate subdomain [%s] overwrite: %s', (domain.subdomain ? (domain.subdomain + '.') : '') + domain.domain, overwrite);
+
+                // get the current record before updating it
+                domains.getDnsRecords(domain.subdomain, domain.domain, 'A', function (error, values) {
+                    if (error) return retryCallback(error);
+
+                    // refuse to update any existing DNS record for custom domains that we did not create
+                    if (values.length !== 0 && !overwrite) return retryCallback(null, new Error('DNS Record already exists'));
+
+                    domains.upsertDnsRecords(domain.subdomain, domain.domain, 'A', [ ip ], function (error) {
+                        if (error && (error.reason === DomainsError.STILL_BUSY || error.reason === DomainsError.EXTERNAL_ERROR)) {
+                            debug('Upsert error. Will retry.', error.message);
+                            return retryCallback(error); // try again
+                        }
+                        retryCallback(null, error);
+                    });
+                });
+            }, function (error, result) {
+                if (error || result instanceof Error) return callback(error || result);
+                callback();
+            });
+        }, callback);
+    });
+}
+
+function unregisterAlternateDomains(app, all, callback) {
+    assert.strictEqual(typeof app, 'object');
+    assert.strictEqual(typeof all, 'boolean');
+    assert.strictEqual(typeof callback, 'function');
+
+    let obsoleteDomains = [];
+    if (all) {
+        obsoleteDomains = app.alternateDomains;
+    } else if (app.oldConfig) { // oldConfig can be null during an infra update
+        obsoleteDomains = app.oldConfig.alternateDomains.filter(function (o) {
+            return !app.alternateDomains.some(function (n) { return n.subdomain === o.subdomain && n.domain === o.domain; });
+        });
+    }
+
+    if (obsoleteDomains.length === 0) return callback();
+
+    sysinfo.getPublicIp(function (error, ip) {
+        if (error) return callback(error);
+
+        async.eachSeries(obsoleteDomains, function (domain, callback) {
+            async.retry({ times: 30, interval: 5000 }, function (retryCallback) {
+                debugApp(app, 'Unregistering subdomain: %s%s', domain.subdomain ? (domain.subdomain + '.') : '', domain.domain);
+
+                domains.removeDnsRecords(domain.subdomain, domain.domain, 'A', [ ip ], function (error) {
+                    if (error && error.reason === DomainsError.NOT_FOUND) return retryCallback(null, null);
+                    if (error && (error.reason === DomainsError.STILL_BUSY || error.reason === DomainsError.EXTERNAL_ERROR)) return retryCallback(error); // try again
+
+                    retryCallback(null, error);
+                });
+            }, function (error, result) {
+                if (error || result instanceof Error) return callback(error || result);
+                callback();
+            });
+        }, callback);
+    });
+}
+
 function removeIcon(app, callback) {
    assert.strictEqual(typeof app, 'object');
    assert.strictEqual(typeof callback, 'function');
@@ -329,6 +434,18 @@ function removeIcon(app, callback) {
    });
 }

+function cleanupLogs(app, callback) {
+    assert.strictEqual(typeof app, 'object');
+    assert.strictEqual(typeof callback, 'function');
+
+    // note that redis container logs are cleaned up by the addon
+    rimraf(path.join(paths.LOG_DIR, app.id), function (error) {
+        if (error) debugApp(app, 'cannot cleanup logs: %s', error);
+
+        callback(null);
+    });
+}
+
 function waitForDnsPropagation(app, callback) {
    assert.strictEqual(typeof app, 'object');
    assert.strictEqual(typeof callback, 'function');
@@ -341,7 +458,14 @@ function waitForDnsPropagation(app, callback) {
    sysinfo.getPublicIp(function (error, ip) {
        if (error) return callback(error);

-        domains.waitForDnsRecord(app.fqdn, app.domain, ip, { interval: 5000, times: 120 }, callback);
+        domains.waitForDnsRecord(app.location, app.domain, 'A', ip, { interval: 5000, times: 240 }, function (error) {
+            if (error) return callback(error);
+
+            // now wait for alternateDomains, if any
+            async.eachSeries(app.alternateDomains, function (domain, iteratorCallback) {
+                domains.waitForDnsRecord(domain.subdomain, domain.domain, 'A', ip, { interval: 5000, times: 240 }, iteratorCallback);
+            }, callback);
+        });
    });
 }

@@ -373,10 +497,14 @@ function install(app, callback) {
        removeCollectdProfile.bind(null, app),
        removeLogrotateConfig.bind(null, app),
        stopApp.bind(null, app),
-        deleteContainers.bind(null, app),
-        // oldConfig can be null during upgrades
-        addons.teardownAddons.bind(null, app, app.oldConfig ? app.oldConfig.manifest.addons : app.manifest.addons),
-        deleteVolume.bind(null, app, { removeDirectory: false }), // do not remove any symlinked volume
+        deleteMainContainer.bind(null, app),
+        function teardownAddons(next) {
+            // when restoring, app does not require these addons anymore. remove carefully to preserve the db passwords
+            var addonsToRemove = !isRestoring ? app.manifest.addons : _.omit(app.oldConfig.manifest.addons, Object.keys(app.manifest.addons));
+
+            addons.teardownAddons(app, addonsToRemove, next);
+        },
+        deleteAppDir.bind(null, app, { removeDirectory: false }), // do not remove any symlinked volume

        // for restore case
        function deleteImageIfChanged(done) {
@@ -393,11 +521,14 @@ function install(app, callback) {
        updateApp.bind(null, app, { installationProgress: '30, Registering subdomain' }),
        registerSubdomain.bind(null, app, isRestoring /* overwrite */),

+        updateApp.bind(null, app, { installationProgress: '35, Registering alternate domains'}),
+        registerAlternateDomains.bind(null, app, isRestoring /* overwrite */),
+
        updateApp.bind(null, app, { installationProgress: '40, Downloading image' }),
        docker.downloadImage.bind(null, app.manifest),

        updateApp.bind(null, app, { installationProgress: '50, Creating volume' }),
-        createVolume.bind(null, app),
+        createAppDir.bind(null, app),

        function restoreFromBackup(next) {
            if (!restoreConfig) {
@@ -408,7 +539,9 @@ function install(app, callback) {
            } else {
                async.series([
                    updateApp.bind(null, app, { installationProgress: '60, Download backup and restoring addons' }),
-                    backups.restoreApp.bind(null, app, app.manifest.addons, restoreConfig),
+                    addons.setupAddons.bind(null, app, app.manifest.addons),
+                    addons.clearAddons.bind(null, app, app.manifest.addons),
+                    backups.restoreApp.bind(null, app, app.manifest.addons, restoreConfig, (progress) => updateApp(app, { installationProgress: progress.message }, NOOP_CALLBACK))
                ], next);
            }
        },
@@ -450,7 +583,7 @@ function backup(app, callback) {

    async.series([
        updateApp.bind(null, app, { installationProgress: '10, Backing up' }),
-        backups.backupApp.bind(null, app),
+        backups.backupApp.bind(null, app, (progress) => updateApp(app, { installationProgress: progress.message }, NOOP_CALLBACK)),

        // done!
        function (callback) {
@@ -480,26 +613,31 @@ function configure(app, callback) {
        removeCollectdProfile.bind(null, app),
        removeLogrotateConfig.bind(null, app),
        stopApp.bind(null, app),
-        deleteContainers.bind(null, app),
+        deleteMainContainer.bind(null, app),
+        unregisterAlternateDomains.bind(null, app, false /* all */),
        function (next) {
            if (!locationChanged) return next();

            unregisterSubdomain(app, app.oldConfig.location, app.oldConfig.domain, next);
        },

+
        reserveHttpPort.bind(null, app),

        updateApp.bind(null, app, { installationProgress: '20, Downloading icon' }),
        downloadIcon.bind(null, app),

-        updateApp.bind(null, app, { installationProgress: '35, Registering subdomain' }),
+        updateApp.bind(null, app, { installationProgress: '30, Registering subdomain' }),
        registerSubdomain.bind(null, app, !locationChanged /* overwrite */), // if location changed, do not overwrite to detect conflicts

+        updateApp.bind(null, app, { installationProgress: '35, Registering alternate domains'}),
+        registerAlternateDomains.bind(null, app, true /* overwrite */), // figure out when to overwrite
+
        updateApp.bind(null, app, { installationProgress: '40, Downloading image' }),
        docker.downloadImage.bind(null, app.manifest),

        updateApp.bind(null, app, { installationProgress: '45, Ensuring volume' }),
-        createVolume.bind(null, app),
+        createAppDir.bind(null, app),

        // re-setup addons since they rely on the app's fqdn (e.g oauth)
        updateApp.bind(null, app, { installationProgress: '50, Setting up addons' }),
@@ -558,7 +696,7 @@ function update(app, callback) {

            async.series([
                updateApp.bind(null, app, { installationProgress: '15, Backing up app' }),
-                backups.backupApp.bind(null, app)
+                backups.backupApp.bind(null, app, (progress) => updateApp(app, { installationProgress: progress.message }, NOOP_CALLBACK))
            ], function (error) {
                if (error) error.backupError = true;
                next(error);
@@ -576,7 +714,7 @@ function update(app, callback) {
        removeCollectdProfile.bind(null, app),
        removeLogrotateConfig.bind(null, app),
        stopApp.bind(null, app),
-        deleteContainers.bind(null, app),
+        deleteMainContainer.bind(null, app),
        function deleteImageIfChanged(done) {
            if (app.manifest.dockerImage === app.updateConfig.manifest.dockerImage) return done();

@@ -588,14 +726,14 @@ function update(app, callback) {

        // free unused ports
        function (next) {
-            // make sure we always have objects
-            var currentPorts = app.portBindings || {};
-            var newPorts = app.updateConfig.manifest.tcpPorts || {};
+            const currentPorts = app.portBindings || {};
+            const newTcpPorts = app.updateConfig.manifest.tcpPorts || {};
+            const newUdpPorts = app.updateConfig.manifest.udpPorts || {};

            async.each(Object.keys(currentPorts), function (portName, callback) {
-                if (newPorts[portName]) return callback(); // port still in use
+                if (newTcpPorts[portName] || newUdpPorts[portName]) return callback(); // port still in use

-                appdb.delPortBinding(currentPorts[portName], function (error) {
+                appdb.delPortBinding(currentPorts[portName], apps.PORT_TYPE_TCP, function (error) {
                    if (error && error.reason === DatabaseError.NOT_FOUND) console.error('Portbinding does not exist in database.');
                    else if (error) return next(error);

@@ -668,20 +806,24 @@ function uninstall(app, callback) {
        addons.teardownAddons.bind(null, app, app.manifest.addons),

        updateApp.bind(null, app, { installationProgress: '40, Deleting volume' }),
-        deleteVolume.bind(null, app, { removeDirectory: true }),
+        deleteAppDir.bind(null, app, { removeDirectory: true }),

        updateApp.bind(null, app, { installationProgress: '50, Deleting image' }),
        docker.deleteImage.bind(null, app.manifest),

-        updateApp.bind(null, app, { installationProgress: '60, Unregistering subdomain' }),
+        updateApp.bind(null, app, { installationProgress: '60, Unregistering domains' }),
+        unregisterAlternateDomains.bind(null, app, true /* all */),
        unregisterSubdomain.bind(null, app, app.location, app.domain),

-        updateApp.bind(null, app, { installationProgress: '80, Cleanup icon' }),
+        updateApp.bind(null, app, { installationProgress: '70, Cleanup icon' }),
        removeIcon.bind(null, app),

-        updateApp.bind(null, app, { installationProgress: '90, Unconfiguring reverse proxy' }),
+        updateApp.bind(null, app, { installationProgress: '80, Unconfiguring reverse proxy' }),
        unconfigureReverseProxy.bind(null, app),

+        updateApp.bind(null, app, { installationProgress: '90, Cleanup logs' }),
+        cleanupLogs.bind(null, app),
+
        updateApp.bind(null, app, { installationProgress: '95, Remove app from database' }),
        appdb.del.bind(null, app.id)
    ], function seriesDone(error) {
@@ -770,6 +912,8 @@ function startTask(appId, callback) {
 if (require.main === module) {
    assert.strictEqual(process.argv.length, 3, 'Pass the appid as argument');

+    // add a separator for the log file
+    debug('------------------------------------------------------------');
    debug('Apptask for %s', process.argv[2]);

    process.on('SIGTERM', function () {
@@ -1,125 +0,0 @@
-'use strict';
-
-exports = module.exports = {
-    initialize: initialize,
-    uninitialize: uninitialize,
-
-    accessTokenAuth: accessTokenAuth
-};
-
-var assert = require('assert'),
-    BasicStrategy = require('passport-http').BasicStrategy,
-    BearerStrategy = require('passport-http-bearer').Strategy,
-    clients = require('./clients'),
-    ClientPasswordStrategy = require('passport-oauth2-client-password').Strategy,
-    ClientsError = clients.ClientsError,
-    DatabaseError = require('./databaseerror'),
-    debug = require('debug')('box:auth'),
-    LocalStrategy = require('passport-local').Strategy,
-    crypto = require('crypto'),
-    passport = require('passport'),
-    tokendb = require('./tokendb'),
-    user = require('./user'),
-    UserError = user.UserError,
-    _ = require('underscore');
-
-function initialize(callback) {
-    assert.strictEqual(typeof callback, 'function');
-
-    passport.serializeUser(function (user, callback) {
-        callback(null, user.id);
-    });
-
-    passport.deserializeUser(function(userId, callback) {
-        user.get(userId, function (error, result) {
-            if (error) return callback(error);
-
-            var md5 = crypto.createHash('md5').update(result.email).digest('hex');
-            result.gravatar = 'https://www.gravatar.com/avatar/' + md5 + '.jpg?s=24&d=mm';
-
-            callback(null, result);
-        });
-    });
-
-    passport.use(new LocalStrategy(function (username, password, callback) {
-        if (username.indexOf('@') === -1) {
-            user.verifyWithUsername(username, password, function (error, result) {
-                if (error && error.reason === UserError.NOT_FOUND) return callback(null, false);
-                if (error && error.reason === UserError.WRONG_PASSWORD) return callback(null, false);
-                if (error) return callback(error);
-                if (!result) return callback(null, false);
-                callback(null, _.pick(result, 'id', 'username', 'email', 'admin'));
-            });
-        } else {
-            user.verifyWithEmail(username, password, function (error, result) {
-                if (error && error.reason === UserError.NOT_FOUND) return callback(null, false);
-                if (error && error.reason === UserError.WRONG_PASSWORD) return callback(null, false);
-                if (error) return callback(error);
-                if (!result) return callback(null, false);
-                callback(null, _.pick(result, 'id', 'username', 'email', 'admin'));
-            });
-        }
-    }));
-
-    passport.use(new BasicStrategy(function (username, password, callback) {
-        if (username.indexOf('cid-') === 0) {
-            debug('BasicStrategy: detected client id %s instead of username:password', username);
-            // username is actually client id here
-            // password is client secret
-            clients.get(username, function (error, client) {
-                if (error && error.reason === ClientsError.NOT_FOUND) return callback(null, false);
-                if (error) return callback(error);
-                if (client.clientSecret != password) return callback(null, false);
-                return callback(null, client);
-            });
-        } else {
-            user.verifyWithUsername(username, password, function (error, result) {
-                if (error && error.reason === UserError.NOT_FOUND) return callback(null, false);
-                if (error && error.reason === UserError.WRONG_PASSWORD) return callback(null, false);
-                if (error) return callback(error);
-                if (!result) return callback(null, false);
-                callback(null, result);
-            });
-        }
-    }));
-
-    passport.use(new ClientPasswordStrategy(function (clientId, clientSecret, callback) {
-        clients.get(clientId, function(error, client) {
-            if (error && error.reason === ClientsError.NOT_FOUND) return callback(null, false);
-            if (error) { return callback(error); }
-            if (client.clientSecret != clientSecret) { return callback(null, false); }
-            return callback(null, client);
-        });
-    }));
-
-    passport.use(new BearerStrategy(accessTokenAuth));
-
-    callback(null);
-}
-
-function uninitialize(callback) {
-    assert.strictEqual(typeof callback, 'function');
-
-    callback(null);
-}
-
-function accessTokenAuth(accessToken, callback) {
-    assert.strictEqual(typeof accessToken, 'string');
-    assert.strictEqual(typeof callback, 'function');
-
-    tokendb.get(accessToken, function (error, token) {
-        if (error && error.reason === DatabaseError.NOT_FOUND) return callback(null, false);
-        if (error) return callback(error);
-
-        // scopes here can define what capabilities that token carries
-        // passport put the 'info' object into req.authInfo, where we can further validate the scopes
-        var info = { scope: token.scope };
-
-        user.get(token.identifier, function (error, user) {
-            if (error && error.reason === UserError.NOT_FOUND) return callback(null, false);
-            if (error) return callback(error);
-
-            callback(null, user, info);
-        });
-    });
-}
@@ -10,9 +10,9 @@ exports = module.exports = {

    get: get,

+    startBackupTask: startBackupTask,
    ensureBackup: ensureBackup,

-    backup: backup,
    restore: restore,

    backupApp: backupApp,
@@ -53,19 +53,19 @@ var addons = require('./addons.js'),
    once = require('once'),
    path = require('path'),
    paths = require('./paths.js'),
-    progress = require('./progress.js'),
    progressStream = require('progress-stream'),
    safe = require('safetydance'),
    shell = require('./shell.js'),
    settings = require('./settings.js'),
+    superagent = require('superagent'),
    syncer = require('./syncer.js'),
    tar = require('tar-fs'),
+    tasks = require('./tasks.js'),
    util = require('util'),
    zlib = require('zlib');

-var NOOP_CALLBACK = function (error) { if (error) debug(error); };
-
-var BACKUPTASK_CMD = path.join(__dirname, 'backuptask.js');
+const NOOP_CALLBACK = function (error) { if (error) debug(error); };
+const BACKUP_UPLOAD_CMD = path.join(__dirname, 'scripts/backupupload.js');

 function debugApp(app) {
    assert(typeof app === 'object');
@@ -123,6 +123,9 @@ function testConfig(backupConfig, callback) {

    if (backupConfig.format !== 'tgz' && backupConfig.format !== 'rsync') return callback(new BackupsError(BackupsError.BAD_FIELD, 'unknown format'));

+    // remember to adjust the cron ensureBackup task interval accordingly
+    if (backupConfig.intervalSecs < 6 * 60 * 60) return callback(new BackupsError(BackupsError.BAD_FIELD, 'Interval must be atleast 6 hours'));
+
    api(backupConfig.provider).testConfig(backupConfig, callback);
 }

@@ -157,7 +160,7 @@ function get(backupId, callback) {
    assert.strictEqual(typeof callback, 'function');

    backupdb.get(backupId, function (error, result) {
-        if (error && error.reason === DatabaseError.NOT_FOUND) return callback(new BackupsError(BackupsError.NOT_FOUND, error));
+        if (error && error.reason === DatabaseError.NOT_FOUND) return callback(new BackupsError(BackupsError.NOT_FOUND));
        if (error) return callback(new BackupsError(BackupsError.INTERNAL_ERROR, error));

        callback(null, result);
@@ -177,9 +180,86 @@ function getBackupFilePath(backupConfig, backupId, format) {
    }
 }

-function log(detail) {
-    safe.fs.appendFileSync(paths.BACKUP_LOG_FILE, detail + '\n', 'utf8');
-    progress.setDetail(progress.BACKUP, detail);
+function encryptFilePath(filePath, key) {
+    assert.strictEqual(typeof filePath, 'string');
+    assert.strictEqual(typeof key, 'string');
+
+    var encryptedParts = filePath.split('/').map(function (part) {
+        const cipher = crypto.createCipher('aes-256-cbc', key);
+        let crypt = cipher.update(part);
+        crypt = Buffer.concat([ crypt, cipher.final() ]);
+
+        return crypt.toString('base64')     // ensures path is valid
+            .replace(/\//g, '-')            // replace '/' of base64 since it conflicts with path separator
+            .replace(/=/g,'');              // strip trailing = padding. this is only needed if we concat base64 strings, which we don't
+    });
+
+    return encryptedParts.join('/');
+}
+
+function decryptFilePath(filePath, key) {
+    assert.strictEqual(typeof filePath, 'string');
+    assert.strictEqual(typeof key, 'string');
+
+    let decryptedParts = [];
+    for (let part of filePath.split('/')) {
+        part = part + Array(part.length % 4).join('='); // add back = padding
+        part = part.replace(/-/g, '/');                 // replace with '/'
+
+        try {
+            let decrypt = crypto.createDecipher('aes-256-cbc', key);
+            let text = decrypt.update(Buffer.from(part, 'base64'));
+            text = Buffer.concat([ text, decrypt.final() ]);
+            decryptedParts.push(text.toString('utf8'));
+        } catch (error) {
+            debug(`Error decrypting file ${filePath} part ${part}:`, error);
+            return null;
+        }
+    }
+
+    return decryptedParts.join('/');
+}
+
+function createReadStream(sourceFile, key) {
+    assert.strictEqual(typeof sourceFile, 'string');
+    assert(key === null || typeof key === 'string');
+
+    var stream = fs.createReadStream(sourceFile);
+    var ps = progressStream({ time: 10000 }); // display a progress every 10 seconds
+
+    stream.on('error', function (error) {
+        debug('createReadStream: tar stream error.', error);
+        ps.emit('error', new BackupsError(BackupsError.EXTERNAL_ERROR, error.message));
+    });
+
+    if (key !== null) {
+        var encrypt = crypto.createCipher('aes-256-cbc', key);
+        encrypt.on('error', function (error) {
+            debug('createReadStream: encrypt stream error.', error);
+            ps.emit('error', new BackupsError(BackupsError.EXTERNAL_ERROR, error.message));
+        });
+        return stream.pipe(encrypt).pipe(ps);
+    } else {
+        return stream.pipe(ps);
+    }
+}
+
+function createWriteStream(destFile, key) {
+    assert.strictEqual(typeof destFile, 'string');
+    assert(key === null || typeof key === 'string');
+
+    var stream = fs.createWriteStream(destFile);
+
+    if (key !== null) {
+        var decrypt = crypto.createDecipher('aes-256-cbc', key);
+        decrypt.on('error', function (error) {
+            debug('createWriteStream: decrypt stream error.', error);
+        });
+        decrypt.pipe(stream);
+        return decrypt;
+    } else {
+        return stream;
+    }
 }

 function createTarPackStream(sourceDir, key) {
@@ -197,7 +277,7 @@ function createTarPackStream(sourceDir, key) {
    });

    var gzip = zlib.createGzip({});
-    var ps = progressStream({ time: 10000 }); // display a progress every 10 seconds
+    var ps = progressStream({ time: 10000 }); // emit 'pgoress' every 10 seconds

    pack.on('error', function (error) {
        debug('createTarPackStream: tar stream error.', error);
@@ -209,10 +289,6 @@ function createTarPackStream(sourceDir, key) {
        ps.emit('error', new BackupsError(BackupsError.EXTERNAL_ERROR, error.message));
    });

-    ps.on('progress', function(progress) {
-        debug('createTarPackStream: %s@%s', Math.round(progress.transferred/1024/1024) + 'M', Math.round(progress.speed/1024/1024) + 'Mbps');
-    });
-
    if (key !== null) {
        var encrypt = crypto.createCipher('aes-256-cbc', key);
        encrypt.on('error', function (error) {
@@ -225,28 +301,26 @@ function createTarPackStream(sourceDir, key) {
    }
 }

-function sync(backupConfig, backupId, dataDir, callback) {
+function sync(backupConfig, backupId, dataDir, progressCallback, callback) {
    assert.strictEqual(typeof backupConfig, 'object');
    assert.strictEqual(typeof backupId, 'string');
    assert.strictEqual(typeof dataDir, 'string');
+    assert.strictEqual(typeof progressCallback, 'function');
    assert.strictEqual(typeof callback, 'function');

-    function setBackupProgress(message) {
-        debug(message);
-        safe.fs.writeFileSync(paths.BACKUP_RESULT_FILE, message);
-    }
-
    syncer.sync(dataDir, function processTask(task, iteratorCallback) {
        debug('sync: processing task: %j', task);
-        var backupFilePath = path.join(getBackupFilePath(backupConfig, backupId, backupConfig.format), task.path);
+        // the empty task.path is special to signify the directory
+        const destPath = task.path && backupConfig.key ? encryptFilePath(task.path, backupConfig.key) : task.path;
+        const backupFilePath = path.join(getBackupFilePath(backupConfig, backupId, backupConfig.format), destPath);

        if (task.operation === 'removedir') {
-            safe.fs.writeFileSync(paths.BACKUP_RESULT_FILE, `Removing directory ${task.path}`);
+            debug(`Removing directory ${backupFilePath}`);
            return api(backupConfig.provider).removeDir(backupConfig, backupFilePath)
-                .on('progress', setBackupProgress)
+                .on('progress', (message) => progressCallback({ message }))
                .on('done', iteratorCallback);
        } else if (task.operation === 'remove') {
-            setBackupProgress(`Removing ${task.path}`);
+            debug(`Removing ${backupFilePath}`);
            return api(backupConfig.provider).remove(backupConfig, backupFilePath, iteratorCallback);
        }

@@ -255,15 +329,24 @@ function sync(backupConfig, backupId, dataDir, callback) {
            retryCallback = once(retryCallback); // protect again upload() erroring much later after read stream error

            ++retryCount;
-            debug(`${task.operation} ${task.path} try ${retryCount}`);
+            progressCallback({ message: `${task.operation} ${task.path} try ${retryCount}` });
            if (task.operation === 'add') {
-                setBackupProgress(`Adding ${task.path}`);
-                var stream = fs.createReadStream(path.join(dataDir, task.path));
-                stream.on('error', function (error) { setBackupProgress(`read stream error for ${task.path}: ${error.message}`); retryCallback(); }); // ignore error if file disappears
-                api(backupConfig.provider).upload(backupConfig, backupFilePath, stream, retryCallback);
+                debug(`Adding ${task.path} position ${task.position} try ${retryCount}`);
+                var stream = createReadStream(path.join(dataDir, task.path), backupConfig.key || null);
+                stream.on('error', function (error) {
+                    debug(`read stream error for ${task.path}: ${error.message}`);
+                    retryCallback();
+                }); // ignore error if file disappears
+                stream.on('progress', function(progress) {
+                    progressCallback({ message: `Uploading ${task.path}: ${Math.round(progress.transferred/1024/1024)}M@${Math.round(progress.speed/1024/1024)}` });
+                });
+                api(backupConfig.provider).upload(backupConfig, backupFilePath, stream, function (error) {
+                    debug(error ? `Error uploading ${task.path} try ${retryCount}: ${error.message}` : `Uploaded ${task.path}`);
+                    retryCallback(error);
+                });
            }
        }, iteratorCallback);
-    }, 10 /* concurrency */, function (error) {
+    }, backupConfig.syncConcurrency || 10 /* concurrency */, function (error) {
        if (error) return callback(new BackupsError(BackupsError.EXTERNAL_ERROR, error.message));

        callback();
@@ -290,14 +373,15 @@ function saveFsMetadata(appDataDir, callback) {
    callback();
 }

-// this function is called via backuptask (since it needs root to traverse app's directory)
-function upload(backupId, format, dataDir, callback) {
+// this function is called via backupupload (since it needs root to traverse app's directory)
+function upload(backupId, format, dataDir, progressCallback, callback) {
    assert.strictEqual(typeof backupId, 'string');
    assert.strictEqual(typeof format, 'string');
    assert.strictEqual(typeof dataDir, 'string');
+    assert.strictEqual(typeof progressCallback, 'function');
    assert.strictEqual(typeof callback, 'function');

-    debug('upload: id %s format %s dataDir %s', backupId, format, dataDir);
+    debug(`upload: id ${backupId} format ${format} dataDir ${dataDir}`);

    settings.getBackupConfig(function (error, backupConfig) {
        if (error) return callback(new BackupsError(BackupsError.INTERNAL_ERROR, error));
@@ -307,6 +391,9 @@ function upload(backupId, format, dataDir, callback) {
                retryCallback = once(retryCallback); // protect again upload() erroring much later after tar stream error

                var tarStream = createTarPackStream(dataDir, backupConfig.key || null);
+                tarStream.on('progress', function(progress) {
+                    progressCallback({ message: `Uploading ${Math.round(progress.transferred/1024/1024)}M@${Math.round(progress.speed/1024/1024)}Mbps` });
+                });
                tarStream.on('error', retryCallback); // already returns BackupsError

                api(backupConfig.provider).upload(backupConfig, getBackupFilePath(backupConfig, backupId, format), tarStream, retryCallback);
@@ -314,7 +401,7 @@ function upload(backupId, format, dataDir, callback) {
        } else {
            async.series([
                saveFsMetadata.bind(null, dataDir),
-                sync.bind(null, backupConfig, backupId, dataDir)
+                sync.bind(null, backupConfig, backupId, dataDir, progressCallback)
            ], callback);
        }
    });
@@ -337,10 +424,6 @@ function tarExtract(inStream, destination, key, callback) {
        callback(new BackupsError(BackupsError.EXTERNAL_ERROR, error.message));
    });

-    ps.on('progress', function(progress) {
-        debug('tarExtract: %s@%s', Math.round(progress.transferred/1024/1024) + 'M', Math.round(progress.speed/1024/1024) + 'Mbps');
-    });
-
    gunzip.on('error', function (error) {
        debug('tarExtract: gunzip stream error.', error);
        callback(new BackupsError(BackupsError.EXTERNAL_ERROR, error.message));
@@ -360,19 +443,21 @@ function tarExtract(inStream, destination, key, callback) {
        var decrypt = crypto.createDecipher('aes-256-cbc', key);
        decrypt.on('error', function (error) {
            debug('tarExtract: decrypt stream error.', error);
-            callback(new BackupsError(BackupsError.EXTERNAL_ERROR, error.message));
+            callback(new BackupsError(BackupsError.EXTERNAL_ERROR, `Failed to decrypt: ${error.message}`));
        });
        inStream.pipe(ps).pipe(decrypt).pipe(gunzip).pipe(extract);
    } else {
        inStream.pipe(ps).pipe(gunzip).pipe(extract);
    }
+
+    return ps;
 }

 function restoreFsMetadata(appDataDir, callback) {
    assert.strictEqual(typeof appDataDir, 'string');
    assert.strictEqual(typeof callback, 'function');

-    log('Recreating empty directories');
+    debug(`Recreating empty directories in ${appDataDir}`);

    var metadataJson = safe.fs.readFileSync(path.join(appDataDir, 'fsmetadata.json'), 'utf8');
    if (metadataJson === null) return callback(new BackupsError(BackupsError.EXTERNAL_ERROR, 'Error loading fsmetadata.txt:' + safe.error.message));
@@ -394,27 +479,67 @@ function restoreFsMetadata(appDataDir, callback) {
    });
 }

-function download(backupConfig, backupId, format, dataDir, callback) {
+function downloadDir(backupConfig, backupFilePath, destDir, progressCallback, callback) {
+    assert.strictEqual(typeof backupConfig, 'object');
+    assert.strictEqual(typeof backupFilePath, 'string');
+    assert.strictEqual(typeof destDir, 'string');
+    assert.strictEqual(typeof progressCallback, 'function');
+    assert.strictEqual(typeof callback, 'function');
+
+    debug(`downloadDir: ${backupFilePath} to ${destDir}`);
+
+    function downloadFile(entry, callback) {
+        let relativePath = path.relative(backupFilePath, entry.fullPath);
+        if (backupConfig.key) {
+            relativePath = decryptFilePath(relativePath, backupConfig.key);
+            if (!relativePath) return callback(new BackupsError(BackupsError.BAD_STATE, 'Unable to decrypt file'));
+        }
+        const destFilePath = path.join(destDir, relativePath);
+
+        mkdirp(path.dirname(destFilePath), function (error) {
+            if (error) return callback(new BackupsError(BackupsError.EXTERNAL_ERROR, error.message));
+
+            api(backupConfig.provider).download(backupConfig, entry.fullPath, function (error, sourceStream) {
+                if (error) return callback(error);
+
+                sourceStream.on('error', callback);
+
+                let destStream = createWriteStream(destFilePath, backupConfig.key || null);
+                destStream.on('error', callback);
+
+                progressCallback({ message: `Downloading ${entry.fullPath} to ${destFilePath}` });
+
+                sourceStream.pipe(destStream, { end: true }).on('finish', callback);
+            });
+        });
+    }
+
+    api(backupConfig.provider).listDir(backupConfig, backupFilePath, 1000, function (entries, done) {
+        async.each(entries, downloadFile, done);
+    }, callback);
+}
+
+function download(backupConfig, backupId, format, dataDir, progressCallback, callback) {
    assert.strictEqual(typeof backupConfig, 'object');
    assert.strictEqual(typeof backupId, 'string');
    assert.strictEqual(typeof format, 'string');
    assert.strictEqual(typeof dataDir, 'string');
+    assert.strictEqual(typeof progressCallback, 'function');
    assert.strictEqual(typeof callback, 'function');

-    safe.fs.unlinkSync(paths.BACKUP_LOG_FILE); // start fresh log file
-
-    log(`Downloading ${backupId} of format ${format} to ${dataDir}`);
+    debug(`download - Downloading ${backupId} of format ${format} to ${dataDir}`);

    if (format === 'tgz') {
        api(backupConfig.provider).download(backupConfig, getBackupFilePath(backupConfig, backupId, format), function (error, sourceStream) {
            if (error) return callback(error);

-            tarExtract(sourceStream, dataDir, backupConfig.key || null, callback);
+            let ps = tarExtract(sourceStream, dataDir, backupConfig.key || null, callback);
+            ps.on('progress', function (progress) {
+                progressCallback({ message: `Downloading ${Math.round(progress.transferred/1024/1024)}M@${Math.round(progress.speed/1024/1024)}Mbps` });
+            });
        });
    } else {
-        var events = api(backupConfig.provider).downloadDir(backupConfig, getBackupFilePath(backupConfig, backupId, format), dataDir);
-        events.on('progress', log);
-        events.on('done', function (error) {
+        downloadDir(backupConfig, getBackupFilePath(backupConfig, backupId, format), dataDir, progressCallback, function (error) {
            if (error) return callback(error);

            restoreFsMetadata(dataDir, callback);
@@ -422,26 +547,32 @@ function download(backupConfig, backupId, format, dataDir, callback) {
    }
 }

-function restore(backupConfig, backupId, callback) {
+function restore(backupConfig, backupId, progressCallback, callback) {
    assert.strictEqual(typeof backupConfig, 'object');
    assert.strictEqual(typeof backupId, 'string');
+    assert.strictEqual(typeof progressCallback, 'function');
    assert.strictEqual(typeof callback, 'function');

-    download(backupConfig, backupId, backupConfig.format, paths.BOX_DATA_DIR, function (error) {
+    download(backupConfig, backupId, backupConfig.format, paths.BOX_DATA_DIR, progressCallback, function (error) {
        if (error) return callback(error);

+        debug('restore: download completed, importing database');
+
        database.importFromFile(`${paths.BOX_DATA_DIR}/box.mysqldump`, function (error) {
            if (error) return callback(new BackupsError(BackupsError.INTERNAL_ERROR, error));

+            debug('restore: database imported');
+
            callback();
        });
    });
 }

-function restoreApp(app, addonsToRestore, restoreConfig, callback) {
+function restoreApp(app, addonsToRestore, restoreConfig, progressCallback, callback) {
    assert.strictEqual(typeof app, 'object');
    assert.strictEqual(typeof addonsToRestore, 'object');
    assert.strictEqual(typeof restoreConfig, 'object');
+    assert.strictEqual(typeof progressCallback, 'function');
    assert.strictEqual(typeof callback, 'function');

    var appDataDir = safe.fs.realpathSync(path.join(paths.APPS_DATA_DIR, app.id));
@@ -452,7 +583,7 @@ function restoreApp(app, addonsToRestore, restoreConfig, callback) {
        if (error) return callback(new BackupsError(BackupsError.INTERNAL_ERROR, error));

        async.series([
-            download.bind(null, backupConfig, restoreConfig.backupId, restoreConfig.backupFormat, appDataDir),
+            download.bind(null, backupConfig, restoreConfig.backupId, restoreConfig.backupFormat, appDataDir, progressCallback),
            addons.restoreAddons.bind(null, app, addonsToRestore)
        ], function (error) {
            debug('restoreApp: time: %s', (new Date() - startTime)/1000);
@@ -462,44 +593,27 @@ function restoreApp(app, addonsToRestore, restoreConfig, callback) {
    });
 }

-function runBackupTask(backupId, format, dataDir, callback) {
+function runBackupUpload(backupId, format, dataDir, progressCallback, callback) {
    assert.strictEqual(typeof backupId, 'string');
    assert.strictEqual(typeof format, 'string');
    assert.strictEqual(typeof dataDir, 'string');
+    assert.strictEqual(typeof progressCallback, 'function');
    assert.strictEqual(typeof callback, 'function');

-    var killTimerId = null, progressTimerId = null;
-
-    var logStream = fs.createWriteStream(paths.BACKUP_LOG_FILE, { flags: 'a' });
-    var cp = shell.sudo(`backup-${backupId}`, [ BACKUPTASK_CMD, backupId, format, dataDir ], { env: process.env, logStream: logStream }, function (error) {
-        clearTimeout(killTimerId);
-        clearInterval(progressTimerId);
-
-        cp = null;
+    let result = '';

+    shell.sudo(`backup-${backupId}`, [ BACKUP_UPLOAD_CMD, backupId, format, dataDir ], { preserveEnv: true, ipc: true }, function (error) {
        if (error && (error.code === null /* signal */ || (error.code !== 0 && error.code !== 50))) { // backuptask crashed
            return callback(new BackupsError(BackupsError.INTERNAL_ERROR, 'Backuptask crashed'));
        } else if (error && error.code === 50) { // exited with error
-            var result = safe.fs.readFileSync(paths.BACKUP_RESULT_FILE, 'utf8') || safe.error.message;
            return callback(new BackupsError(BackupsError.EXTERNAL_ERROR, result));
        }

        callback();
-    });
-
-    progressTimerId = setInterval(function () {
-        var result = safe.fs.readFileSync(paths.BACKUP_RESULT_FILE, 'utf8');
-        if (result) progress.setDetail(progress.BACKUP, result);
-    }, 1000); // every second
-
-    killTimerId = setTimeout(function () {
-        debug('runBackupTask: backup task taking too long. killing');
-        cp.kill();
-    }, 4 * 60 * 60 * 1000); // 4 hours
-
-    logStream.on('error', function (error) {
-        debug('runBackupTask: error in logging stream', error);
-        cp.kill();
+    }).on('message', function (message) {
+        if (!message.result) return progressCallback(message);
+        debug(`runBackupUpload: result - ${message}`);
+        result = message.result;
    });
 }

@@ -525,10 +639,11 @@ function setSnapshotInfo(id, info, callback) {
    callback();
 }

-function snapshotBox(callback) {
+function snapshotBox(progressCallback, callback) {
+    assert.strictEqual(typeof progressCallback, 'function');
    assert.strictEqual(typeof callback, 'function');

-    log('Snapshotting box');
+    progressCallback({ message: 'Snapshotting box' });

    database.exportToFile(`${paths.BOX_DATA_DIR}/box.mysqldump`, function (error) {
        if (error) return callback(new BackupsError(BackupsError.INTERNAL_ERROR, error));
@@ -537,16 +652,17 @@ function snapshotBox(callback) {
    });
 }

-function uploadBoxSnapshot(backupConfig, callback) {
+function uploadBoxSnapshot(backupConfig, progressCallback, callback) {
    assert.strictEqual(typeof backupConfig, 'object');
+    assert.strictEqual(typeof progressCallback, 'function');
    assert.strictEqual(typeof callback, 'function');

    var startTime = new Date();

-    snapshotBox(function (error) {
+    snapshotBox(progressCallback, function (error) {
        if (error) return callback(error);

-        runBackupTask('snapshot/box', backupConfig.format, paths.BOX_DATA_DIR, function (error) {
+        runBackupUpload('snapshot/box', backupConfig.format, paths.BOX_DATA_DIR, progressCallback, function (error) {
            if (error) return callback(error);

            debug('uploadBoxSnapshot: time: %s secs', (new Date() - startTime)/1000);
@@ -556,10 +672,39 @@ function uploadBoxSnapshot(backupConfig, callback) {
    });
 }

-function rotateBoxBackup(backupConfig, timestamp, appBackupIds, callback) {
+
+function backupDone(apiConfig, backupId, appBackupIds, callback) {
+    assert.strictEqual(typeof apiConfig, 'object');
+    assert.strictEqual(typeof backupId, 'string');
+    assert(Array.isArray(appBackupIds));
+    assert.strictEqual(typeof callback, 'function');
+
+    if (apiConfig.provider !== 'caas') return callback();
+
+    debug('[%s] backupDone: %s apps %j', backupId, backupId, appBackupIds);
+
+    var url = config.apiServerOrigin() + '/api/v1/boxes/' + apiConfig.fqdn + '/backupDone';
+    var data = {
+        boxVersion: config.version(),
+        backupId: backupId,
+        appId: null,        // now unused
+        appVersion: null,   // now unused
+        appBackupIds: appBackupIds
+    };
+
+    superagent.post(url).send(data).query({ token: apiConfig.token }).timeout(30 * 1000).end(function (error, result) {
+        if (error && !error.response) return callback(new BackupsError(BackupsError.EXTERNAL_ERROR, error));
+        if (result.statusCode !== 200) return callback(new BackupsError(BackupsError.EXTERNAL_ERROR, result.text));
+
+        return callback(null);
+    });
+}
+
+function rotateBoxBackup(backupConfig, timestamp, appBackupIds, progressCallback, callback) {
    assert.strictEqual(typeof backupConfig, 'object');
    assert.strictEqual(typeof timestamp, 'string');
    assert(Array.isArray(appBackupIds));
+    assert.strictEqual(typeof progressCallback, 'function');
    assert.strictEqual(typeof callback, 'function');

    var snapshotInfo = getSnapshotInfo('box');
@@ -569,13 +714,13 @@ function rotateBoxBackup(backupConfig, timestamp, appBackupIds, callback) {
    var backupId = util.format('%s/box_%s_v%s', timestamp, snapshotTime, config.version());
    const format = backupConfig.format;

-    log(`Rotating box backup to id ${backupId}`);
+    debug(`Rotating box backup to id ${backupId}`);

    backupdb.add({ id: backupId, version: config.version(), type: backupdb.BACKUP_TYPE_BOX, dependsOn: appBackupIds, manifest: null, format: format }, function (error) {
        if (error) return callback(new BackupsError(BackupsError.INTERNAL_ERROR, error));

        var copy = api(backupConfig.provider).copy(backupConfig, getBackupFilePath(backupConfig, 'snapshot/box', format), getBackupFilePath(backupConfig, backupId, format));
-        copy.on('progress', log);
+        copy.on('progress', (message) => progressCallback({ message }));
        copy.on('done', function (copyBackupError) {
            const state = copyBackupError ? backupdb.BACKUP_STATE_ERROR : backupdb.BACKUP_STATE_NORMAL;

@@ -583,10 +728,9 @@ function rotateBoxBackup(backupConfig, timestamp, appBackupIds, callback) {
                if (copyBackupError) return callback(copyBackupError);
                if (error) return callback(new BackupsError(BackupsError.INTERNAL_ERROR, error));

-                log(`Rotated box backup successfully as id ${backupId}`);
+                debug(`Rotated box backup successfully as id ${backupId}`);

-                // FIXME this is only needed for caas, hopefully we can remove that in the future
-                api(backupConfig.provider).backupDone(backupConfig, backupId, appBackupIds, function (error) {
+                backupDone(backupConfig, backupId, appBackupIds, function (error) {
                    if (error) return callback(error);

                    callback(null, backupId);
@@ -596,18 +740,19 @@ function rotateBoxBackup(backupConfig, timestamp, appBackupIds, callback) {
    });
 }

-function backupBoxWithAppBackupIds(appBackupIds, timestamp, callback) {
+function backupBoxWithAppBackupIds(appBackupIds, timestamp, progressCallback, callback) {
    assert(Array.isArray(appBackupIds));
    assert.strictEqual(typeof timestamp, 'string');
+    assert.strictEqual(typeof progressCallback, 'function');
    assert.strictEqual(typeof callback, 'function');

    settings.getBackupConfig(function (error, backupConfig) {
        if (error) return callback(new BackupsError(BackupsError.INTERNAL_ERROR, error));

-        uploadBoxSnapshot(backupConfig, function (error) {
+        uploadBoxSnapshot(backupConfig, progressCallback, function (error) {
            if (error) return callback(error);

-            rotateBoxBackup(backupConfig, timestamp, appBackupIds, callback);
+            rotateBoxBackup(backupConfig, timestamp, appBackupIds, progressCallback, callback);
        });
    });
 }
@@ -621,11 +766,12 @@ function canBackupApp(app) {
            app.installationState === appdb.ISTATE_PENDING_UPDATE; // called from apptask
 }

-function snapshotApp(app, callback) {
+function snapshotApp(app, progressCallback, callback) {
    assert.strictEqual(typeof app, 'object');
+    assert.strictEqual(typeof progressCallback, 'function');
    assert.strictEqual(typeof callback, 'function');

-    log(`Snapshotting app ${app.id}`);
+    progressCallback({ message: `Snapshotting app ${app.id}` });

    if (!safe.fs.writeFileSync(path.join(paths.APPS_DATA_DIR, app.id + '/config.json'), JSON.stringify(apps.getAppConfig(app)))) {
        return callback(new BackupsError(BackupsError.EXTERNAL_ERROR, 'Error creating config.json: ' + safe.error.message));
@@ -638,10 +784,11 @@ function snapshotApp(app, callback) {
    });
 }

-function rotateAppBackup(backupConfig, app, timestamp, callback) {
+function rotateAppBackup(backupConfig, app, timestamp, progressCallback, callback) {
    assert.strictEqual(typeof backupConfig, 'object');
    assert.strictEqual(typeof app, 'object');
    assert.strictEqual(typeof timestamp, 'string');
+    assert.strictEqual(typeof progressCallback, 'function');
    assert.strictEqual(typeof callback, 'function');

    var snapshotInfo = getSnapshotInfo(app.id);
@@ -652,13 +799,13 @@ function rotateAppBackup(backupConfig, app, timestamp, callback) {
    var backupId = util.format('%s/app_%s_%s_v%s', timestamp, app.id, snapshotTime, manifest.version);
    const format = backupConfig.format;

-    log(`Rotating app backup of ${app.id} to id ${backupId}`);
+    debug(`Rotating app backup of ${app.id} to id ${backupId}`);

    backupdb.add({ id: backupId, version: manifest.version, type: backupdb.BACKUP_TYPE_APP, dependsOn: [ ], manifest: manifest, format: format }, function (error) {
        if (error) return callback(new BackupsError(BackupsError.INTERNAL_ERROR, error));

        var copy = api(backupConfig.provider).copy(backupConfig, getBackupFilePath(backupConfig, `snapshot/app_${app.id}`, format), getBackupFilePath(backupConfig, backupId, format));
-        copy.on('progress', log);
+        copy.on('progress', (message) => progressCallback({ message }));
        copy.on('done', function (copyBackupError) {
            const state = copyBackupError ? backupdb.BACKUP_STATE_ERROR : backupdb.BACKUP_STATE_NORMAL;

@@ -666,7 +813,7 @@ function rotateAppBackup(backupConfig, app, timestamp, callback) {
                if (copyBackupError) return callback(copyBackupError);
                if (error) return callback(new BackupsError(BackupsError.INTERNAL_ERROR, error));

-                log(`Rotated app backup of ${app.id} successfully to id ${backupId}`);
+                debug(`Rotated app backup of ${app.id} successfully to id ${backupId}`);

                callback(null, backupId);
            });
@@ -674,21 +821,22 @@ function rotateAppBackup(backupConfig, app, timestamp, callback) {
    });
 }

-function uploadAppSnapshot(backupConfig, app, callback) {
+function uploadAppSnapshot(backupConfig, app, progressCallback, callback) {
    assert.strictEqual(typeof backupConfig, 'object');
    assert.strictEqual(typeof app, 'object');
+    assert.strictEqual(typeof progressCallback, 'function');
    assert.strictEqual(typeof callback, 'function');

    if (!canBackupApp(app)) return callback(); // nothing to do

    var startTime = new Date();

-    snapshotApp(app, function (error) {
+    snapshotApp(app, progressCallback, function (error) {
        if (error) return callback(error);

        var backupId = util.format('snapshot/app_%s', app.id);
        var appDataDir = safe.fs.realpathSync(path.join(paths.APPS_DATA_DIR, app.id));
-        runBackupTask(backupId, backupConfig.format, appDataDir, function (error) {
+        runBackupUpload(backupId, backupConfig.format, appDataDir, progressCallback, function (error) {
            if (error) return callback(error);

            debugApp(app, 'uploadAppSnapshot: %s done time: %s secs', backupId, (new Date() - startTime)/1000);
@@ -698,9 +846,10 @@ function uploadAppSnapshot(backupConfig, app, callback) {
    });
 }

-function backupAppWithTimestamp(app, timestamp, callback) {
+function backupAppWithTimestamp(app, timestamp, progressCallback, callback) {
    assert.strictEqual(typeof app, 'object');
    assert.strictEqual(typeof timestamp, 'string');
+    assert.strictEqual(typeof progressCallback, 'function');
    assert.strictEqual(typeof callback, 'function');

    if (!canBackupApp(app)) return callback(); // nothing to do
@@ -708,110 +857,88 @@ function backupAppWithTimestamp(app, timestamp, callback) {
    settings.getBackupConfig(function (error, backupConfig) {
        if (error) return callback(new BackupsError(BackupsError.INTERNAL_ERROR, error));

-        uploadAppSnapshot(backupConfig, app, function (error) {
+        uploadAppSnapshot(backupConfig, app, progressCallback, function (error) {
            if (error) return callback(error);

-            rotateAppBackup(backupConfig, app, timestamp, callback);
+            rotateAppBackup(backupConfig, app, timestamp, progressCallback, callback);
        });
    });
 }

-function backupApp(app, callback) {
+function backupApp(app, progressCallback, callback) {
    assert.strictEqual(typeof app, 'object');
+    assert.strictEqual(typeof progressCallback, 'function');
    assert.strictEqual(typeof callback, 'function');

    const timestamp = (new Date()).toISOString().replace(/[T.]/g, '-').replace(/[:Z]/g,'');
-    safe.fs.unlinkSync(paths.BACKUP_LOG_FILE); // start fresh log file

-    progress.set(progress.BACKUP, 10,  'Backing up ' + app.fqdn);
+    debug(`backupApp - Backing up ${app.fqdn} with timestamp ${timestamp}`);

-    backupAppWithTimestamp(app, timestamp, function (error) {
-        progress.set(progress.BACKUP, 100, error ? error.message : '');
-
-        callback(error);
-    });
+    backupAppWithTimestamp(app, timestamp, progressCallback, callback);
 }

-// this function expects you to have a lock
-function backupBoxAndApps(auditSource, callback) {
-    assert.strictEqual(typeof auditSource, 'object');
-
-    callback = callback || NOOP_CALLBACK;
+// this function expects you to have a lock. Unlike other progressCallback this also has a progress field
+function backupBoxAndApps(progressCallback, callback) {
+    assert.strictEqual(typeof progressCallback, 'function');
+    assert.strictEqual(typeof callback, 'function');

    var timestamp = (new Date()).toISOString().replace(/[T.]/g, '-').replace(/[:Z]/g,'');
-    safe.fs.unlinkSync(paths.BACKUP_LOG_FILE); // start fresh log file
-
-    eventlog.add(eventlog.ACTION_BACKUP_START, auditSource, { });

    apps.getAll(function (error, allApps) {
        if (error) return callback(new BackupsError(BackupsError.INTERNAL_ERROR, error));

-        var processed = 1;
-        var step = 100/(allApps.length+2);
+        let percent = 1;
+        let step = 100/(allApps.length+2);

        async.mapSeries(allApps, function iterator(app, iteratorCallback) {
-            progress.set(progress.BACKUP, step * processed,  'Backing up ' + app.fqdn);
-
-            ++processed;
+            progressCallback({ percent: percent, message: `Backing up ${app.fqdn}` });
+            percent += step;

            if (!app.enableBackup) {
-                progress.set(progress.BACKUP, step * processed, 'Skipped backup ' + app.fqdn);
+                debug(`Skipped backup ${app.fqdn}`);
                return iteratorCallback(null, null); // nothing to backup
            }

-            backupAppWithTimestamp(app, timestamp, function (error, backupId) {
+            backupAppWithTimestamp(app, timestamp, (progress) => progressCallback({ percent: percent, message: progress.message }), function (error, backupId) {
                if (error && error.reason !== BackupsError.BAD_STATE) {
                    debugApp(app, 'Unable to backup', error);
                    return iteratorCallback(error);
                }

-                progress.set(progress.BACKUP, step * processed, 'Backed up ' + app.fqdn);
+                debugApp(app, 'Backed up');

                iteratorCallback(null, backupId || null); // clear backupId if is in BAD_STATE and never backed up
            });
        }, function appsBackedUp(error, backupIds) {
-            if (error) {
-                progress.set(progress.BACKUP, 100, error.message);
-                return callback(error);
-            }
+            if (error) return callback(error);

            backupIds = backupIds.filter(function (id) { return id !== null; }); // remove apps in bad state that were never backed up

-            progress.set(progress.BACKUP, step * processed, 'Backing up system data');
+            progressCallback({ percent: percent, message: 'Backing up system data' });
+            percent += step;

-            backupBoxWithAppBackupIds(backupIds, timestamp, function (error, backupId) {
-                progress.set(progress.BACKUP, 100, error ? error.message : '');
-
-                eventlog.add(eventlog.ACTION_BACKUP_FINISH, auditSource, { errorMessage: error ? error.message : null, backupId: backupId, timestamp: timestamp });
-
-                callback(error, backupId);
-            });
+            backupBoxWithAppBackupIds(backupIds, timestamp, (progress) => progressCallback({ percent: percent, message: progress.message }), callback);
        });
    });
 }

-function backup(auditSource, callback) {
-    assert.strictEqual(typeof auditSource, 'object');
-    assert.strictEqual(typeof callback, 'function');
-
-    var error = locker.lock(locker.OP_FULL_BACKUP);
-    if (error) return callback(new BackupsError(BackupsError.BAD_STATE, error.message));
-
-    var startTime = new Date();
-    progress.set(progress.BACKUP, 0, 'Starting'); // ensure tools can 'wait' on progress
-
-    backupBoxAndApps(auditSource, function (error) { // start the backup operation in the background
-        if (error) {
-            debug('backup failed.', error);
-            mailer.backupFailed(error);
-        }
+function startBackupTask(auditSource, callback) {
+    let error = locker.lock(locker.OP_FULL_BACKUP);
+    if (error) return callback(error);

+    let task = tasks.startTask(tasks.TASK_BACKUP, [], auditSource);
+    task.on('error', (error) => callback(new BackupsError(BackupsError.INTERNAL_ERROR, error)));
+    task.on('start', (taskId) => {
+        eventlog.add(eventlog.ACTION_BACKUP_START, auditSource, { taskId });
+        callback(null, taskId);
+    });
+    task.on('finish', (error, result) => {
        locker.unlock(locker.OP_FULL_BACKUP);

-        debug('backup took %s seconds', (new Date() - startTime)/1000);
-    });
+        if (error) mailer.backupFailed(error);

-    callback(null);
+        eventlog.add(eventlog.ACTION_BACKUP_FINISH, auditSource, { errorMessage: error ? error.message : null, backupId: result });
+    });
 }

 function ensureBackup(auditSource, callback) {
@@ -822,15 +949,19 @@ function ensureBackup(auditSource, callback) {
    getByStatePaged(backupdb.BACKUP_STATE_NORMAL, 1, 1, function (error, backups) {
        if (error) {
            debug('Unable to list backups', error);
-            return callback(error); // no point trying to backup if appstore is down
+            return callback(error);
        }

-        if (backups.length !== 0 && (new Date() - new Date(backups[0].creationTime) < 23 * 60 * 60 * 1000)) { // ~1 day ago
-            debug('Previous backup was %j, no need to backup now', backups[0]);
-            return callback(null);
-        }
+        settings.getBackupConfig(function (error, backupConfig) {
+            if (error) return callback(error);

-        backup(auditSource, callback);
+            if (backups.length !== 0 && (new Date() - new Date(backups[0].creationTime) < (backupConfig.intervalSecs - 3600) * 1000)) { // adjust 1 hour
+                debug('Previous backup was %j, no need to backup now', backups[0]);
+                return callback(null);
+            }
+
+            startBackupTask(auditSource, callback);
+        });
    });
 }

@@ -4,29 +4,18 @@ exports = module.exports = {
    verifySetupToken: verifySetupToken,
    setupDone: setupDone,

-    changePlan: changePlan,
-    upgrade: upgrade,
    sendHeartbeat: sendHeartbeat,
-    getBoxAndUserDetails: getBoxAndUserDetails,
    setPtrRecord: setPtrRecord,

    CaasError: CaasError
 };

 var assert = require('assert'),
-    backups = require('./backups.js'),
    config = require('./config.js'),
    debug = require('debug')('box:caas'),
-    locker = require('./locker.js'),
-    path = require('path'),
-    progress = require('./progress.js'),
    settings = require('./settings.js'),
-    shell = require('./shell.js'),
    superagent = require('superagent'),
-    util = require('util'),
-    _ = require('underscore');
-
-const RETIRE_CMD = path.join(__dirname, 'scripts/retire.sh');
+    util = require('util');

 function CaasError(reason, errorOrMessage) {
    assert.strictEqual(typeof reason, 'string');
@@ -53,20 +42,6 @@ CaasError.INVALID_TOKEN = 'Invalid Token';
 CaasError.INTERNAL_ERROR = 'Internal Error';
 CaasError.EXTERNAL_ERROR = 'External Error';

-var NOOP_CALLBACK = function (error) { if (error) debug(error); };
-
-function retire(reason, info, callback) {
-    assert(reason === 'migrate' || reason === 'upgrade');
-    info = info || { };
-    callback = callback || NOOP_CALLBACK;
-
-    var data = {
-        apiServerOrigin: config.apiServerOrigin(),
-        adminFqdn: config.adminFqdn()
-    };
-    shell.sudo('retire', [ RETIRE_CMD, reason, JSON.stringify(info), JSON.stringify(data) ], callback);
-}
-
 function getCaasConfig(callback) {
    assert.strictEqual(typeof callback, 'function');

@@ -117,96 +92,6 @@ function setupDone(setupToken, callback) {
            });
    });
 }
-function doMigrate(options, caasConfig, callback) {
-    assert.strictEqual(typeof options, 'object');
-    assert.strictEqual(typeof caasConfig, 'object');
-    assert.strictEqual(typeof callback, 'function');
-
-    var error = locker.lock(locker.OP_MIGRATE);
-    if (error) return callback(new CaasError(CaasError.BAD_STATE, error.message));
-
-    function unlock(error) {
-        debug('Failed to migrate', error);
-        locker.unlock(locker.OP_MIGRATE);
-        progress.set(progress.MIGRATE, -1, 'Backup failed: ' + error.message);
-    }
-
-    progress.set(progress.MIGRATE, 10, 'Backing up for migration');
-
-    // initiate the migration in the background
-    backups.backupBoxAndApps({ userId: null, username: 'migrator' }, function (error) {
-        if (error) return unlock(error);
-
-        debug('migrate: domain: %s size %s region %s', options.domain, options.size, options.region);
-
-        superagent
-            .post(config.apiServerOrigin() + '/api/v1/boxes/' + caasConfig.boxId + '/migrate')
-            .query({ token: caasConfig.token })
-            .send(options)
-            .timeout(30 * 1000)
-            .end(function (error, result) {
-                if (error && !error.response) return unlock(error); // network error
-                if (result.statusCode === 409) return unlock(new CaasError(CaasError.BAD_STATE));
-                if (result.statusCode === 404) return unlock(new CaasError(CaasError.NOT_FOUND));
-                if (result.statusCode !== 202) return unlock(new CaasError(CaasError.EXTERNAL_ERROR, util.format('%s %j', result.status, result.body)));
-
-                progress.set(progress.MIGRATE, 10, 'Migrating');
-
-                retire('migrate', _.pick(options, 'domain', 'size', 'region'));
-            });
-    });
-
-    callback(null);
-}
-
-function changePlan(options, callback) {
-    assert.strictEqual(typeof options, 'object');
-    assert.strictEqual(typeof callback, 'function');
-
-    if (config.isDemo()) return callback(new CaasError(CaasError.BAD_FIELD, 'Not allowed in demo mode'));
-
-    getCaasConfig(function (error, result) {
-        if (error) return callback(error);
-
-        doMigrate(options, result, callback);
-    });
-}
-
-// this function expects a lock
-function upgrade(boxUpdateInfo, callback) {
-    assert(boxUpdateInfo !== null && typeof boxUpdateInfo === 'object');
-
-    function upgradeError(e) {
-        progress.set(progress.UPDATE, -1, e.message);
-        callback(e);
-    }
-
-    progress.set(progress.UPDATE, 5, 'Backing up for upgrade');
-
-    backups.backupBoxAndApps({ userId: null, username: 'upgrader' }, function (error) {
-        if (error) return upgradeError(error);
-
-        getCaasConfig(function (error, result) {
-            if (error) return upgradeError(error);
-
-            superagent.post(config.apiServerOrigin() + '/api/v1/boxes/' + result.boxId + '/upgrade')
-                .query({ token: result.token })
-                .send({ version: boxUpdateInfo.version })
-                .timeout(30 * 1000)
-                .end(function (error, result) {
-                    if (error && !error.response) return upgradeError(new Error('Network error making upgrade request: ' + error));
-                    if (result.statusCode !== 202) return upgradeError(new Error(util.format('Server not ready to upgrade. statusCode: %s body: %j', result.status, result.body)));
-
-                    progress.set(progress.UPDATE, 10, 'Updating base system');
-
-                    // no need to unlock since this is the last thing we ever do on this box
-                    callback();
-
-                    retire('upgrade');
-                });
-        });
-    });
-}

 function sendHeartbeat() {
    assert(config.provider() === 'caas', 'Heartbeat is only sent for managed cloudrons');
@@ -223,27 +108,6 @@ function sendHeartbeat() {
    });
 }

-function getBoxAndUserDetails(callback) {
-    assert.strictEqual(typeof callback, 'function');
-
-    if (config.provider() !== 'caas') return callback(null, {});
-
-    getCaasConfig(function (error, caasConfig) {
-        if (error) return callback(error);
-
-        superagent
-            .get(config.apiServerOrigin() + '/api/v1/boxes/' + caasConfig.boxId)
-            .query({ token: caasConfig.token })
-            .timeout(30 * 1000)
-            .end(function (error, result) {
-                if (error && !error.response) return callback(new CaasError(CaasError.EXTERNAL_ERROR, 'Cannot reach appstore'));
-                if (result.statusCode !== 200) return callback(new CaasError(CaasError.EXTERNAL_ERROR, util.format('%s %j', result.statusCode, result.body)));
-
-                return callback(null, result.body);
-            });
-    });
-}
-
 function setPtrRecord(domain, callback) {
    assert.strictEqual(typeof domain, 'string');
    assert.strictEqual(typeof callback, 'function');
@@ -1,479 +0,0 @@
-'use strict';
-
-var assert = require('assert'),
-    async = require('async'),
-    crypto = require('crypto'),
-    debug = require('debug')('box:cert/acme'),
-    execSync = require('safetydance').child_process.execSync,
-    fs = require('fs'),
-    parseLinks = require('parse-links'),
-    path = require('path'),
-    paths = require('../paths.js'),
-    safe = require('safetydance'),
-    superagent = require('superagent'),
-    util = require('util'),
-    _ = require('underscore');
-
-var CA_PROD = 'https://acme-v01.api.letsencrypt.org',
-    CA_STAGING = 'https://acme-staging.api.letsencrypt.org',
-    LE_AGREEMENT = 'https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf';
-
-exports = module.exports = {
-    getCertificate: getCertificate,
-
-    // testing
-    _name: 'acme'
-};
-
-function AcmeError(reason, errorOrMessage) {
-    assert.strictEqual(typeof reason, 'string');
-    assert(errorOrMessage instanceof Error || typeof errorOrMessage === 'string' || typeof errorOrMessage === 'undefined');
-
-    Error.call(this);
-    Error.captureStackTrace(this, this.constructor);
-
-    this.name = this.constructor.name;
-    this.reason = reason;
-    if (typeof errorOrMessage === 'undefined') {
-        this.message = reason;
-    } else if (typeof errorOrMessage === 'string') {
-        this.message = errorOrMessage;
-    } else {
-        this.message = 'Internal error';
-        this.nestedError = errorOrMessage;
-    }
-}
-util.inherits(AcmeError, Error);
-AcmeError.INTERNAL_ERROR = 'Internal Error';
-AcmeError.EXTERNAL_ERROR = 'External Error';
-AcmeError.ALREADY_EXISTS = 'Already Exists';
-AcmeError.NOT_COMPLETED = 'Not Completed';
-AcmeError.FORBIDDEN = 'Forbidden';
-
-// http://jose.readthedocs.org/en/latest/
-// https://www.ietf.org/proceedings/92/slides/slides-92-acme-1.pdf
-// https://community.letsencrypt.org/t/list-of-client-implementations/2103
-
-function Acme(options) {
-    assert.strictEqual(typeof options, 'object');
-
-    this.caOrigin = options.prod ? CA_PROD : CA_STAGING;
-    this.accountKeyPem = null; // Buffer
-    this.email = options.email;
-}
-
-Acme.prototype.getNonce = function (callback) {
-    superagent.get(this.caOrigin + '/directory').timeout(30 * 1000).end(function (error, response) {
-        if (error && !error.response) return callback(error);
-        if (response.statusCode !== 200) return callback(new Error('Invalid response code when fetching nonce : ' + response.statusCode));
-
-        return callback(null, response.headers['Replay-Nonce'.toLowerCase()]);
-    });
-};
-
-// urlsafe base64 encoding (jose)
-function urlBase64Encode(string) {
-    return string.replace(/\+/g, '-').replace(/\//g, '_').replace(/=/g, '');
-}
-
-function b64(str) {
-    var buf = util.isBuffer(str) ? str : new Buffer(str);
-   return urlBase64Encode(buf.toString('base64'));
-}
-
-function getModulus(pem) {
-    assert(util.isBuffer(pem));
-
-    var stdout = execSync('openssl rsa -modulus -noout', { input: pem, encoding: 'utf8' });
-    if (!stdout) return null;
-    var match = stdout.match(/Modulus=([0-9a-fA-F]+)$/m);
-    if (!match) return null;
-    return Buffer.from(match[1], 'hex');
-}
-
-Acme.prototype.sendSignedRequest = function (url, payload, callback) {
-    assert.strictEqual(typeof url, 'string');
-    assert.strictEqual(typeof payload, 'string');
-    assert.strictEqual(typeof callback, 'function');
-
-    assert(util.isBuffer(this.accountKeyPem));
-
-    var that = this;
-    var header = {
-        alg: 'RS256',
-        jwk: {
-            e: b64(Buffer.from([0x01, 0x00, 0x01])), // exponent - 65537
-            kty: 'RSA',
-            n: b64(getModulus(this.accountKeyPem))
-        }
-    };
-
-    var payload64 = b64(payload);
-
-    this.getNonce(function (error, nonce) {
-        if (error) return callback(error);
-
-        debug('sendSignedRequest: using nonce %s for url %s', nonce, url);
-
-        var protected64 = b64(JSON.stringify(_.extend({ }, header, { nonce: nonce })));
-
-        var signer = crypto.createSign('RSA-SHA256');
-        signer.update(protected64 + '.' + payload64, 'utf8');
-        var signature64 = urlBase64Encode(signer.sign(that.accountKeyPem, 'base64'));
-
-        var data = {
-            header: header,
-            protected: protected64,
-            payload: payload64,
-            signature: signature64
-        };
-
-        superagent.post(url).set('Content-Type', 'application/x-www-form-urlencoded').send(JSON.stringify(data)).timeout(30 * 1000).end(function (error, res) {
-            if (error && !error.response) return callback(error); // network errors
-
-            callback(null, res);
-        });
-    });
-};
-
-Acme.prototype.updateContact = function (registrationUri, callback) {
-    assert.strictEqual(typeof registrationUri, 'string');
-    assert.strictEqual(typeof callback, 'function');
-
-    debug('updateContact: %s %s', registrationUri, this.email);
-
-    // https://github.com/ietf-wg-acme/acme/issues/30
-    var payload = {
-        resource: 'reg',
-        contact: [ 'mailto:' + this.email ],
-        agreement: LE_AGREEMENT
-    };
-
-    var that = this;
-    this.sendSignedRequest(registrationUri, JSON.stringify(payload), function (error, result) {
-        if (error) return callback(new AcmeError(AcmeError.EXTERNAL_ERROR, 'Network error when registering user: ' + error.message));
-        if (result.statusCode !== 202) return callback(new AcmeError(AcmeError.EXTERNAL_ERROR, util.format('Failed to update contact. Expecting 202, got %s %s', result.statusCode, result.text)));
-
-        debug('updateContact: contact of user updated to %s', that.email);
-
-        callback();
-    });
-};
-
-Acme.prototype.registerUser = function (callback) {
-    assert.strictEqual(typeof callback, 'function');
-
-    var payload = {
-        resource: 'new-reg',
-        contact: [ 'mailto:' + this.email ],
-        agreement: LE_AGREEMENT
-    };
-
-    debug('registerUser: %s', this.email);
-
-    var that = this;
-    this.sendSignedRequest(this.caOrigin + '/acme/new-reg', JSON.stringify(payload), function (error, result) {
-        if (error) return callback(new AcmeError(AcmeError.EXTERNAL_ERROR, 'Network error when registering user: ' + error.message));
-        if (result.statusCode === 409) return that.updateContact(result.headers.location, callback); // already exists
-        if (result.statusCode !== 201) return callback(new AcmeError(AcmeError.EXTERNAL_ERROR, util.format('Failed to register user. Expecting 201, got %s %s', result.statusCode, result.text)));
-
-        debug('registerUser: registered user %s', that.email);
-
-        callback(null);
-    });
-};
-
-Acme.prototype.registerDomain = function (domain, callback) {
-    assert.strictEqual(typeof domain, 'string');
-    assert.strictEqual(typeof callback, 'function');
-
-    var payload = {
-        resource: 'new-authz',
-        identifier: {
-            type: 'dns',
-            value: domain
-        }
-    };
-
-    debug('registerDomain: %s', domain);
-
-    this.sendSignedRequest(this.caOrigin + '/acme/new-authz', JSON.stringify(payload), function (error, result) {
-        if (error) return callback(new AcmeError(AcmeError.EXTERNAL_ERROR, 'Network error when registering domain: ' + error.message));
-        if (result.statusCode === 403) return callback(new AcmeError(AcmeError.FORBIDDEN, result.body.detail));
-        if (result.statusCode !== 201) return callback(new AcmeError(AcmeError.EXTERNAL_ERROR, util.format('Failed to register user. Expecting 201, got %s %s', result.statusCode, result.text)));
-
-        debug('registerDomain: registered %s', domain);
-
-        callback(null, result.body);
-    });
-};
-
-Acme.prototype.prepareHttpChallenge = function (challenge, callback) {
-    assert.strictEqual(typeof challenge, 'object');
-    assert.strictEqual(typeof callback, 'function');
-
-    debug('prepareHttpChallenge: preparing for challenge %j', challenge);
-
-    var token = challenge.token;
-
-    assert(util.isBuffer(this.accountKeyPem));
-
-    var jwk = {
-        e: b64(Buffer.from([0x01, 0x00, 0x01])), // Exponent - 65537
-        kty: 'RSA',
-        n: b64(getModulus(this.accountKeyPem))
-    };
-
-    var shasum = crypto.createHash('sha256');
-    shasum.update(JSON.stringify(jwk));
-    var thumbprint = urlBase64Encode(shasum.digest('base64'));
-    var keyAuthorization = token + '.' + thumbprint;
-
-    debug('prepareHttpChallenge: writing %s to %s', keyAuthorization, path.join(paths.ACME_CHALLENGES_DIR, token));
-
-    fs.writeFile(path.join(paths.ACME_CHALLENGES_DIR, token), token + '.' + thumbprint, function (error) {
-        if (error) return callback(new AcmeError(AcmeError.INTERNAL_ERROR, error));
-
-        callback();
-    });
-};
-
-Acme.prototype.notifyChallengeReady = function (challenge, callback) {
-    assert.strictEqual(typeof challenge, 'object');
-    assert.strictEqual(typeof callback, 'function');
-
-    debug('notifyChallengeReady: %s was met', challenge.uri);
-
-    var keyAuthorization = fs.readFileSync(path.join(paths.ACME_CHALLENGES_DIR, challenge.token), 'utf8');
-
-    var payload = {
-        resource: 'challenge',
-        keyAuthorization: keyAuthorization
-    };
-
-    this.sendSignedRequest(challenge.uri, JSON.stringify(payload), function (error, result) {
-        if (error) return callback(new AcmeError(AcmeError.EXTERNAL_ERROR, 'Network error when notifying challenge: ' + error.message));
-        if (result.statusCode !== 202) return callback(new AcmeError(AcmeError.EXTERNAL_ERROR, util.format('Failed to notify challenge. Expecting 202, got %s %s', result.statusCode, result.text)));
-
-        callback();
-    });
-};
-
-Acme.prototype.waitForChallenge = function (challenge, callback) {
-    assert.strictEqual(typeof challenge, 'object');
-    assert.strictEqual(typeof callback, 'function');
-
-    debug('waitingForChallenge: %j', challenge);
-
-    async.retry({ times: 10, interval: 5000 }, function (retryCallback) {
-        debug('waitingForChallenge: getting status');
-
-        superagent.get(challenge.uri).timeout(30 * 1000).end(function (error, result) {
-            if (error && !error.response) {
-                debug('waitForChallenge: network error getting uri %s', challenge.uri);
-                return retryCallback(new AcmeError(AcmeError.EXTERNAL_ERROR, error.message)); // network error
-            }
-            if (result.statusCode !== 202) {
-                debug('waitForChallenge: invalid response code getting uri %s', result.statusCode);
-                return retryCallback(new AcmeError(AcmeError.EXTERNAL_ERROR, 'Bad response code:' + result.statusCode));
-            }
-
-            debug('waitForChallenge: status is "%s %j', result.body.status, result.body);
-
-            if (result.body.status === 'pending') return retryCallback(new AcmeError(AcmeError.NOT_COMPLETED));
-            else if (result.body.status === 'valid') return retryCallback();
-            else return retryCallback(new AcmeError(AcmeError.EXTERNAL_ERROR, 'Unexpected status: ' + result.body.status));
-        });
-    }, function retryFinished(error) {
-        // async.retry will pass 'undefined' as second arg making it unusable with async.waterfall()
-        callback(error);
-    });
-};
-
-// https://community.letsencrypt.org/t/public-beta-rate-limits/4772 for rate limits
-Acme.prototype.signCertificate = function (domain, csrDer, callback) {
-    assert.strictEqual(typeof domain, 'string');
-    assert(util.isBuffer(csrDer));
-    assert.strictEqual(typeof callback, 'function');
-
-    var outdir = paths.APP_CERTS_DIR;
-
-    var payload = {
-        resource: 'new-cert',
-        csr: b64(csrDer)
-    };
-
-    debug('signCertificate: sending new-cert request');
-
-    this.sendSignedRequest(this.caOrigin + '/acme/new-cert', JSON.stringify(payload), function (error, result) {
-        if (error) return callback(new AcmeError(AcmeError.EXTERNAL_ERROR, 'Network error when signing certificate: ' + error.message));
-        // 429 means we reached the cert limit for this domain
-        if (result.statusCode !== 201) return callback(new AcmeError(AcmeError.EXTERNAL_ERROR, util.format('Failed to sign certificate. Expecting 201, got %s %s', result.statusCode, result.text)));
-
-        var certUrl = result.headers.location;
-
-        if (!certUrl) return callback(new AcmeError(AcmeError.EXTERNAL_ERROR, 'Missing location in downloadCertificate'));
-
-        safe.fs.writeFileSync(path.join(outdir, domain + '.url'), certUrl, 'utf8'); // maybe use for renewal
-
-        return callback(null, result.headers.location);
-    });
-};
-
-Acme.prototype.createKeyAndCsr = function (domain, callback) {
-    assert.strictEqual(typeof domain, 'string');
-    assert.strictEqual(typeof callback, 'function');
-
-    var outdir = paths.APP_CERTS_DIR;
-    var csrFile = path.join(outdir, domain + '.csr');
-    var privateKeyFile = path.join(outdir, domain + '.key');
-
-    if (safe.fs.existsSync(privateKeyFile)) {
-        // in some old releases, csr file was corrupt. so always regenerate it
-        debug('createKeyAndCsr: reuse the key for renewal at %s', privateKeyFile);
-    } else {
-        var key = execSync('openssl genrsa 4096');
-        if (!key) return callback(new AcmeError(AcmeError.INTERNAL_ERROR, safe.error));
-        if (!safe.fs.writeFileSync(privateKeyFile, key)) return callback(new AcmeError(AcmeError.INTERNAL_ERROR, safe.error));
-
-        debug('createKeyAndCsr: key file saved at %s', privateKeyFile);
-    }
-
-    var csrDer = execSync(util.format('openssl req -new -key %s -outform DER -subj /CN=%s', privateKeyFile, domain));
-    if (!csrDer) return callback(new AcmeError(AcmeError.INTERNAL_ERROR, safe.error));
-    if (!safe.fs.writeFileSync(csrFile, csrDer)) return callback(new AcmeError(AcmeError.INTERNAL_ERROR, safe.error)); // bookkeeping
-
-    debug('createKeyAndCsr: csr file (DER) saved at %s', csrFile);
-
-    callback(null, csrDer);
-};
-
-// TODO: download the chain in a loop following 'up' header
-Acme.prototype.downloadChain = function (linkHeader, callback) {
-    if (!linkHeader) return new AcmeError(AcmeError.EXTERNAL_ERROR, 'Empty link header when downloading certificate chain');
-
-    debug('downloadChain: linkHeader %s', linkHeader);
-
-    var linkInfo = parseLinks(linkHeader);
-    if (!linkInfo || !linkInfo.up) return new AcmeError(AcmeError.EXTERNAL_ERROR, 'Failed to parse link header when downloading certificate chain');
-
-    var intermediateCertUrl = linkInfo.up.startsWith('https://') ? linkInfo.up : (this.caOrigin + linkInfo.up);
-
-    debug('downloadChain: downloading from %s', intermediateCertUrl);
-
-    superagent.get(intermediateCertUrl).buffer().parse(function (res, done) {
-        var data = [ ];
-        res.on('data', function(chunk) { data.push(chunk); });
-        res.on('end', function () { res.text = Buffer.concat(data); done(); });
-    }).timeout(30 * 1000).end(function (error, result) {
-        if (error && !error.response) return callback(new AcmeError(AcmeError.EXTERNAL_ERROR, 'Network error when downloading certificate'));
-        if (result.statusCode !== 200) return callback(new AcmeError(AcmeError.EXTERNAL_ERROR, util.format('Failed to get cert. Expecting 200, got %s %s', result.statusCode, result.text)));
-
-        var chainDer = result.text;
-        var chainPem = execSync('openssl x509 -inform DER -outform PEM', { input: chainDer }); // this is really just base64 encoding with header
-        if (!chainPem) return callback(new AcmeError(AcmeError.INTERNAL_ERROR, safe.error));
-
-        callback(null, chainPem);
-    });
-};
-
-Acme.prototype.downloadCertificate = function (domain, certUrl, callback) {
-    assert.strictEqual(typeof domain, 'string');
-    assert.strictEqual(typeof certUrl, 'string');
-    assert.strictEqual(typeof callback, 'function');
-
-    var outdir = paths.APP_CERTS_DIR;
-    var that = this;
-
-    superagent.get(certUrl).buffer().parse(function (res, done) {
-        var data = [ ];
-        res.on('data', function(chunk) { data.push(chunk); });
-        res.on('end', function () { res.text = Buffer.concat(data); done(); });
-    }).timeout(30 * 1000).end(function (error, result) {
-        if (error && !error.response) return callback(new AcmeError(AcmeError.EXTERNAL_ERROR, 'Network error when downloading certificate'));
-        if (result.statusCode === 202) return callback(new AcmeError(AcmeError.INTERNAL_ERROR, 'Retry not implemented yet'));
-        if (result.statusCode !== 200) return callback(new AcmeError(AcmeError.EXTERNAL_ERROR, util.format('Failed to get cert. Expecting 200, got %s %s', result.statusCode, result.text)));
-
-        var certificateDer = result.text;
-
-        safe.fs.writeFileSync(path.join(outdir, domain + '.der'), certificateDer);
-        debug('downloadCertificate: cert der file for %s saved', domain);
-
-        var certificatePem = execSync('openssl x509 -inform DER -outform PEM', { input: certificateDer }); // this is really just base64 encoding with header
-        if (!certificatePem) return callback(new AcmeError(AcmeError.INTERNAL_ERROR, safe.error));
-
-        that.downloadChain(result.header['link'], function (error, chainPem) {
-            if (error) return callback(error);
-
-            var certificateFile = path.join(outdir, domain + '.cert');
-            var fullChainPem = Buffer.concat([certificatePem, chainPem]);
-            if (!safe.fs.writeFileSync(certificateFile, fullChainPem)) return callback(new AcmeError(AcmeError.INTERNAL_ERROR, safe.error));
-
-            debug('downloadCertificate: cert file for %s saved at %s', domain, certificateFile);
-
-            callback();
-        });
-    });
-};
-
-Acme.prototype.acmeFlow = function (domain, callback) {
-    assert.strictEqual(typeof domain, 'string');
-    assert.strictEqual(typeof callback, 'function');
-
-    if (!fs.existsSync(paths.ACME_ACCOUNT_KEY_FILE)) {
-        debug('getCertificate: generating acme account key on first run');
-        this.accountKeyPem = safe.child_process.execSync('openssl genrsa 4096');
-        if (!this.accountKeyPem) return callback(new AcmeError(AcmeError.INTERNAL_ERROR, safe.error));
-
-        safe.fs.writeFileSync(paths.ACME_ACCOUNT_KEY_FILE, this.accountKeyPem);
-    } else {
-        debug('getCertificate: using existing acme account key');
-        this.accountKeyPem = fs.readFileSync(paths.ACME_ACCOUNT_KEY_FILE);
-    }
-
-    var that = this;
-    this.registerUser(function (error) {
-        if (error) return callback(error);
-
-        that.registerDomain(domain, function (error, result) {
-            if (error) return callback(error);
-
-            debug('acmeFlow: challenges: %j', result);
-
-            var httpChallenges = result.challenges.filter(function(x) { return x.type === 'http-01'; });
-            if (httpChallenges.length === 0) return callback(new AcmeError(AcmeError.EXTERNAL_ERROR, 'no http challenges'));
-            var challenge = httpChallenges[0];
-
-            async.waterfall([
-                that.prepareHttpChallenge.bind(that, challenge),
-                that.notifyChallengeReady.bind(that, challenge),
-                that.waitForChallenge.bind(that, challenge),
-                that.createKeyAndCsr.bind(that, domain),
-                that.signCertificate.bind(that, domain),
-                that.downloadCertificate.bind(that, domain)
-            ], callback);
-        });
-    });
-};
-
-Acme.prototype.getCertificate = function (domain, callback) {
-    assert.strictEqual(typeof domain, 'string');
-    assert.strictEqual(typeof callback, 'function');
-
-    debug('getCertificate: start acme flow for %s from %s', domain, this.caOrigin);
-    this.acmeFlow(domain, function (error) {
-        if (error) return callback(error);
-
-        var outdir = paths.APP_CERTS_DIR;
-        callback(null, path.join(outdir, domain + '.cert'), path.join(outdir, domain + '.key'));
-    });
-};
-
-function getCertificate(domain, options, callback) {
-    assert.strictEqual(typeof domain, 'string');
-    assert.strictEqual(typeof options, 'object');
-    assert.strictEqual(typeof callback, 'function');
-
-    var acme = new Acme(options || { });
-    acme.getCertificate(domain, callback);
-}
@@ -0,0 +1,636 @@
+'use strict';
+
+var assert = require('assert'),
+    async = require('async'),
+    crypto = require('crypto'),
+    debug = require('debug')('box:cert/acme2'),
+    domains = require('../domains.js'),
+    fs = require('fs'),
+    path = require('path'),
+    paths = require('../paths.js'),
+    safe = require('safetydance'),
+    superagent = require('superagent'),
+    util = require('util'),
+    _ = require('underscore');
+
+const CA_PROD_DIRECTORY_URL = 'https://acme-v02.api.letsencrypt.org/directory',
+    CA_STAGING_DIRECTORY_URL = 'https://acme-staging-v02.api.letsencrypt.org/directory';
+
+exports = module.exports = {
+    getCertificate: getCertificate,
+
+    // testing
+    _name: 'acme',
+    _getChallengeSubdomain: getChallengeSubdomain
+};
+
+function Acme2Error(reason, errorOrMessage) {
+    assert.strictEqual(typeof reason, 'string');
+    assert(errorOrMessage instanceof Error || typeof errorOrMessage === 'string' || typeof errorOrMessage === 'undefined');
+
+    Error.call(this);
+    Error.captureStackTrace(this, this.constructor);
+
+    this.name = this.constructor.name;
+    this.reason = reason;
+    if (typeof errorOrMessage === 'undefined') {
+        this.message = reason;
+    } else if (typeof errorOrMessage === 'string') {
+        this.message = errorOrMessage;
+    } else {
+        this.message = 'Internal error';
+        this.nestedError = errorOrMessage;
+    }
+}
+util.inherits(Acme2Error, Error);
+Acme2Error.INTERNAL_ERROR = 'Internal Error';
+Acme2Error.EXTERNAL_ERROR = 'External Error';
+Acme2Error.ALREADY_EXISTS = 'Already Exists';
+Acme2Error.NOT_COMPLETED = 'Not Completed';
+Acme2Error.FORBIDDEN = 'Forbidden';
+
+// http://jose.readthedocs.org/en/latest/
+// https://www.ietf.org/proceedings/92/slides/slides-92-acme-1.pdf
+// https://community.letsencrypt.org/t/list-of-client-implementations/2103
+
+function Acme2(options) {
+    assert.strictEqual(typeof options, 'object');
+
+    this.accountKeyPem = null; // Buffer
+    this.email = options.email;
+    this.keyId = null;
+    this.caDirectory = options.prod ? CA_PROD_DIRECTORY_URL : CA_STAGING_DIRECTORY_URL;
+    this.directory = {};
+    this.performHttpAuthorization = !!options.performHttpAuthorization;
+    this.wildcard = !!options.wildcard;
+}
+
+Acme2.prototype.getNonce = function (callback) {
+    superagent.get(this.directory.newNonce).timeout(30 * 1000).end(function (error, response) {
+        if (error && !error.response) return callback(error);
+        if (response.statusCode !== 204) return callback(new Error('Invalid response code when fetching nonce : ' + response.statusCode));
+
+        return callback(null, response.headers['Replay-Nonce'.toLowerCase()]);
+    });
+};
+
+// urlsafe base64 encoding (jose)
+function urlBase64Encode(string) {
+    return string.replace(/\+/g, '-').replace(/\//g, '_').replace(/=/g, '');
+}
+
+function b64(str) {
+    var buf = util.isBuffer(str) ? str : new Buffer(str);
+    return urlBase64Encode(buf.toString('base64'));
+}
+
+function getModulus(pem) {
+    assert(util.isBuffer(pem));
+
+    var stdout = safe.child_process.execSync('openssl rsa -modulus -noout', { input: pem, encoding: 'utf8' });
+    if (!stdout) return null;
+    var match = stdout.match(/Modulus=([0-9a-fA-F]+)$/m);
+    if (!match) return null;
+    return Buffer.from(match[1], 'hex');
+}
+
+Acme2.prototype.sendSignedRequest = function (url, payload, callback) {
+    assert.strictEqual(typeof url, 'string');
+    assert.strictEqual(typeof payload, 'string');
+    assert.strictEqual(typeof callback, 'function');
+
+    assert(util.isBuffer(this.accountKeyPem));
+
+    const that = this;
+    let header = {
+        url: url,
+        alg: 'RS256'
+    };
+
+    // keyId is null when registering account
+    if (this.keyId) {
+        header.kid = this.keyId;
+    } else {
+        header.jwk = {
+            e: b64(Buffer.from([0x01, 0x00, 0x01])), // exponent - 65537
+            kty: 'RSA',
+            n: b64(getModulus(this.accountKeyPem))
+        };
+    }
+
+    var payload64 = b64(payload);
+
+    this.getNonce(function (error, nonce) {
+        if (error) return callback(error);
+
+        debug('sendSignedRequest: using nonce %s for url %s', nonce, url);
+
+        var protected64 = b64(JSON.stringify(_.extend({ }, header, { nonce: nonce })));
+
+        var signer = crypto.createSign('RSA-SHA256');
+        signer.update(protected64 + '.' + payload64, 'utf8');
+        var signature64 = urlBase64Encode(signer.sign(that.accountKeyPem, 'base64'));
+
+        var data = {
+            protected: protected64,
+            payload: payload64,
+            signature: signature64
+        };
+
+        superagent.post(url).set('Content-Type', 'application/jose+json').set('User-Agent', 'acme-cloudron').send(JSON.stringify(data)).timeout(30 * 1000).end(function (error, res) {
+            if (error && !error.response) return callback(error); // network errors
+
+            callback(null, res);
+        });
+    });
+};
+
+Acme2.prototype.updateContact = function (registrationUri, callback) {
+    assert.strictEqual(typeof registrationUri, 'string');
+    assert.strictEqual(typeof callback, 'function');
+
+    debug(`updateContact: registrationUri: ${registrationUri} email: ${this.email}`);
+
+    // https://github.com/ietf-wg-acme/acme/issues/30
+    const payload = {
+        contact: [ 'mailto:' + this.email ]
+    };
+
+    const that = this;
+    this.sendSignedRequest(registrationUri, JSON.stringify(payload), function (error, result) {
+        if (error) return callback(new Acme2Error(Acme2Error.EXTERNAL_ERROR, 'Network error when registering user: ' + error.message));
+        if (result.statusCode !== 200) return callback(new Acme2Error(Acme2Error.EXTERNAL_ERROR, util.format('Failed to update contact. Expecting 200, got %s %s', result.statusCode, result.text)));
+
+        debug(`updateContact: contact of user updated to ${that.email}`);
+
+        callback();
+    });
+};
+
+Acme2.prototype.registerUser = function (callback) {
+    assert.strictEqual(typeof callback, 'function');
+
+    var payload = {
+        termsOfServiceAgreed: true
+    };
+
+    debug('registerUser: registering user');
+
+    var that = this;
+    this.sendSignedRequest(this.directory.newAccount, JSON.stringify(payload), function (error, result) {
+        if (error) return callback(new Acme2Error(Acme2Error.EXTERNAL_ERROR, 'Network error when registering new account: ' + error.message));
+        // 200 if already exists. 201 for new accounts
+        if (result.statusCode !== 200 && result.statusCode !== 201) return callback(new Acme2Error(Acme2Error.EXTERNAL_ERROR, util.format('Failed to register new account. Expecting 200 or 201, got %s %s', result.statusCode, result.text)));
+
+        debug(`registerUser: user registered keyid: ${result.headers.location}`);
+
+        that.keyId = result.headers.location;
+
+        that.updateContact(result.headers.location, callback);
+    });
+};
+
+Acme2.prototype.newOrder = function (domain, callback) {
+    assert.strictEqual(typeof domain, 'string');
+    assert.strictEqual(typeof callback, 'function');
+
+    var payload = {
+        identifiers: [{
+            type: 'dns',
+            value: domain
+        }]
+    };
+
+    debug('newOrder: %s', domain);
+
+    this.sendSignedRequest(this.directory.newOrder, JSON.stringify(payload), function (error, result) {
+        if (error) return callback(new Acme2Error(Acme2Error.EXTERNAL_ERROR, 'Network error when registering domain: ' + error.message));
+        if (result.statusCode === 403) return callback(new Acme2Error(Acme2Error.FORBIDDEN, result.body.detail));
+        if (result.statusCode !== 201) return callback(new Acme2Error(Acme2Error.EXTERNAL_ERROR, util.format('Failed to register user. Expecting 201, got %s %s', result.statusCode, result.text)));
+
+        debug('newOrder: created order %s %j', domain, result.body);
+
+        const order = result.body, orderUrl = result.headers.location;
+
+        if (!Array.isArray(order.authorizations)) return callback(new Acme2Error(Acme2Error.EXTERNAL_ERROR, 'invalid authorizations in order'));
+        if (typeof order.finalize !== 'string') return callback(new Acme2Error(Acme2Error.EXTERNAL_ERROR, 'invalid finalize in order'));
+        if (typeof orderUrl !== 'string') return callback(new Acme2Error(Acme2Error.EXTERNAL_ERROR, 'invalid order location in order header'));
+
+        callback(null, order, orderUrl);
+    });
+};
+
+Acme2.prototype.waitForOrder = function (orderUrl, callback) {
+    assert.strictEqual(typeof orderUrl, 'string');
+    assert.strictEqual(typeof callback, 'function');
+
+    debug(`waitForOrder: ${orderUrl}`);
+
+    async.retry({ times: 10, interval: 5000 }, function (retryCallback) {
+        debug('waitForOrder: getting status');
+
+        superagent.get(orderUrl).timeout(30 * 1000).end(function (error, result) {
+            if (error && !error.response) {
+                debug('waitForOrder: network error getting uri %s', orderUrl);
+                return retryCallback(new Acme2Error(Acme2Error.EXTERNAL_ERROR, error.message)); // network error
+            }
+            if (result.statusCode !== 200) {
+                debug('waitForOrder: invalid response code getting uri %s', result.statusCode);
+                return retryCallback(new Acme2Error(Acme2Error.EXTERNAL_ERROR, 'Bad response code:' + result.statusCode));
+            }
+
+            debug('waitForOrder: status is "%s %j', result.body.status, result.body);
+
+            if (result.body.status === 'pending' || result.body.status === 'processing') return retryCallback(new Acme2Error(Acme2Error.NOT_COMPLETED));
+            else if (result.body.status === 'valid' && result.body.certificate) return retryCallback(null, result.body.certificate);
+            else return retryCallback(new Acme2Error(Acme2Error.EXTERNAL_ERROR, 'Unexpected status or invalid response: ' + result.body));
+        });
+    }, callback);
+};
+
+Acme2.prototype.getKeyAuthorization = function (token) {
+    assert(util.isBuffer(this.accountKeyPem));
+
+    let jwk = {
+        e: b64(Buffer.from([0x01, 0x00, 0x01])), // Exponent - 65537
+        kty: 'RSA',
+        n: b64(getModulus(this.accountKeyPem))
+    };
+
+    let shasum = crypto.createHash('sha256');
+    shasum.update(JSON.stringify(jwk));
+    let thumbprint = urlBase64Encode(shasum.digest('base64'));
+    return token + '.' + thumbprint;
+};
+
+Acme2.prototype.notifyChallengeReady = function (challenge, callback) {
+    assert.strictEqual(typeof challenge, 'object'); // { type, status, url, token }
+    assert.strictEqual(typeof callback, 'function');
+
+    debug('notifyChallengeReady: %s was met', challenge.url);
+
+    const keyAuthorization = this.getKeyAuthorization(challenge.token);
+
+    var payload = {
+        resource: 'challenge',
+        keyAuthorization: keyAuthorization
+    };
+
+    this.sendSignedRequest(challenge.url, JSON.stringify(payload), function (error, result) {
+        if (error) return callback(new Acme2Error(Acme2Error.EXTERNAL_ERROR, 'Network error when notifying challenge: ' + error.message));
+        if (result.statusCode !== 200) return callback(new Acme2Error(Acme2Error.EXTERNAL_ERROR, util.format('Failed to notify challenge. Expecting 200, got %s %s', result.statusCode, result.text)));
+
+        callback();
+    });
+};
+
+Acme2.prototype.waitForChallenge = function (challenge, callback) {
+    assert.strictEqual(typeof challenge, 'object');
+    assert.strictEqual(typeof callback, 'function');
+
+    debug('waitingForChallenge: %j', challenge);
+
+    async.retry({ times: 10, interval: 5000 }, function (retryCallback) {
+        debug('waitingForChallenge: getting status');
+
+        superagent.get(challenge.url).timeout(30 * 1000).end(function (error, result) {
+            if (error && !error.response) {
+                debug('waitForChallenge: network error getting uri %s', challenge.url);
+                return retryCallback(new Acme2Error(Acme2Error.EXTERNAL_ERROR, error.message)); // network error
+            }
+            if (result.statusCode !== 200) {
+                debug('waitForChallenge: invalid response code getting uri %s', result.statusCode);
+                return retryCallback(new Acme2Error(Acme2Error.EXTERNAL_ERROR, 'Bad response code:' + result.statusCode));
+            }
+
+            debug('waitForChallenge: status is "%s %j', result.body.status, result.body);
+
+            if (result.body.status === 'pending') return retryCallback(new Acme2Error(Acme2Error.NOT_COMPLETED));
+            else if (result.body.status === 'valid') return retryCallback();
+            else return retryCallback(new Acme2Error(Acme2Error.EXTERNAL_ERROR, 'Unexpected status: ' + result.body.status));
+        });
+    }, function retryFinished(error) {
+        // async.retry will pass 'undefined' as second arg making it unusable with async.waterfall()
+        callback(error);
+    });
+};
+
+// https://community.letsencrypt.org/t/public-beta-rate-limits/4772 for rate limits
+Acme2.prototype.signCertificate = function (domain, finalizationUrl, csrDer, callback) {
+    assert.strictEqual(typeof domain, 'string');
+    assert.strictEqual(typeof finalizationUrl, 'string');
+    assert(util.isBuffer(csrDer));
+    assert.strictEqual(typeof callback, 'function');
+
+    const payload = {
+        csr: b64(csrDer)
+    };
+
+    debug('signCertificate: sending sign request');
+
+    this.sendSignedRequest(finalizationUrl, JSON.stringify(payload), function (error, result) {
+        if (error) return callback(new Acme2Error(Acme2Error.EXTERNAL_ERROR, 'Network error when signing certificate: ' + error.message));
+        // 429 means we reached the cert limit for this domain
+        if (result.statusCode !== 200) return callback(new Acme2Error(Acme2Error.EXTERNAL_ERROR, util.format('Failed to sign certificate. Expecting 200, got %s %s', result.statusCode, result.text)));
+
+        return callback(null);
+    });
+};
+
+Acme2.prototype.createKeyAndCsr = function (hostname, callback) {
+    assert.strictEqual(typeof hostname, 'string');
+    assert.strictEqual(typeof callback, 'function');
+
+    var outdir = paths.APP_CERTS_DIR;
+    const certName = hostname.replace('*.', '_.');
+    var csrFile = path.join(outdir, `${certName}.csr`);
+    var privateKeyFile = path.join(outdir, `${certName}.key`);
+
+    if (safe.fs.existsSync(privateKeyFile)) {
+        // in some old releases, csr file was corrupt. so always regenerate it
+        debug('createKeyAndCsr: reuse the key for renewal at %s', privateKeyFile);
+    } else {
+        var key = safe.child_process.execSync('openssl genrsa 4096');
+        if (!key) return callback(new Acme2Error(Acme2Error.INTERNAL_ERROR, safe.error));
+        if (!safe.fs.writeFileSync(privateKeyFile, key)) return callback(new Acme2Error(Acme2Error.INTERNAL_ERROR, safe.error));
+
+        debug('createKeyAndCsr: key file saved at %s', privateKeyFile);
+    }
+
+    var csrDer = safe.child_process.execSync(`openssl req -new -key ${privateKeyFile} -outform DER -subj /CN=${hostname}`);
+    if (!csrDer) return callback(new Acme2Error(Acme2Error.INTERNAL_ERROR, safe.error));
+    if (!safe.fs.writeFileSync(csrFile, csrDer)) return callback(new Acme2Error(Acme2Error.INTERNAL_ERROR, safe.error)); // bookkeeping
+
+    debug('createKeyAndCsr: csr file (DER) saved at %s', csrFile);
+
+    callback(null, csrDer);
+};
+
+Acme2.prototype.downloadCertificate = function (hostname, certUrl, callback) {
+    assert.strictEqual(typeof hostname, 'string');
+    assert.strictEqual(typeof certUrl, 'string');
+    assert.strictEqual(typeof callback, 'function');
+
+    var outdir = paths.APP_CERTS_DIR;
+
+    superagent.get(certUrl).buffer().parse(function (res, done) {
+        var data = [ ];
+        res.on('data', function(chunk) { data.push(chunk); });
+        res.on('end', function () { res.text = Buffer.concat(data); done(); });
+    }).timeout(30 * 1000).end(function (error, result) {
+        if (error && !error.response) return callback(new Acme2Error(Acme2Error.EXTERNAL_ERROR, 'Network error when downloading certificate'));
+        if (result.statusCode === 202) return callback(new Acme2Error(Acme2Error.INTERNAL_ERROR, 'Retry not implemented yet'));
+        if (result.statusCode !== 200) return callback(new Acme2Error(Acme2Error.EXTERNAL_ERROR, util.format('Failed to get cert. Expecting 200, got %s %s', result.statusCode, result.text)));
+
+        const fullChainPem = result.text;
+
+        const certName = hostname.replace('*.', '_.');
+        var certificateFile = path.join(outdir, `${certName}.cert`);
+        if (!safe.fs.writeFileSync(certificateFile, fullChainPem)) return callback(new Acme2Error(Acme2Error.INTERNAL_ERROR, safe.error));
+
+        debug('downloadCertificate: cert file for %s saved at %s', hostname, certificateFile);
+
+        callback();
+    });
+};
+
+Acme2.prototype.prepareHttpChallenge = function (hostname, domain, authorization, callback) {
+    assert.strictEqual(typeof hostname, 'string');
+    assert.strictEqual(typeof domain, 'string');
+    assert.strictEqual(typeof authorization, 'object');
+    assert.strictEqual(typeof callback, 'function');
+
+    debug('acmeFlow: challenges: %j', authorization);
+    let httpChallenges = authorization.challenges.filter(function(x) { return x.type === 'http-01'; });
+    if (httpChallenges.length === 0) return callback(new Acme2Error(Acme2Error.EXTERNAL_ERROR, 'no http challenges'));
+    let challenge = httpChallenges[0];
+
+    debug('prepareHttpChallenge: preparing for challenge %j', challenge);
+
+    let keyAuthorization = this.getKeyAuthorization(challenge.token);
+
+    debug('prepareHttpChallenge: writing %s to %s', keyAuthorization, path.join(paths.ACME_CHALLENGES_DIR, challenge.token));
+
+    fs.writeFile(path.join(paths.ACME_CHALLENGES_DIR, challenge.token), keyAuthorization, function (error) {
+        if (error) return callback(new Acme2Error(Acme2Error.INTERNAL_ERROR, error));
+
+        callback(null, challenge);
+    });
+};
+
+Acme2.prototype.cleanupHttpChallenge = function (hostname, domain, challenge, callback) {
+    assert.strictEqual(typeof hostname, 'string');
+    assert.strictEqual(typeof domain, 'string');
+    assert.strictEqual(typeof challenge, 'object');
+    assert.strictEqual(typeof callback, 'function');
+
+    debug('cleanupHttpChallenge: unlinking %s', path.join(paths.ACME_CHALLENGES_DIR, challenge.token));
+
+    fs.unlink(path.join(paths.ACME_CHALLENGES_DIR, challenge.token), callback);
+};
+
+function getChallengeSubdomain(hostname, domain) {
+    let challengeSubdomain;
+
+    if (hostname === domain) {
+        challengeSubdomain = '_acme-challenge';
+    } else if (hostname.includes('*')) { // wildcard
+        let subdomain = hostname.slice(0, -domain.length - 1);
+        challengeSubdomain = subdomain ? subdomain.replace('*', '_acme-challenge') : '_acme-challenge';
+    } else {
+        challengeSubdomain = '_acme-challenge.' + hostname.slice(0, -domain.length - 1);
+    }
+
+    debug(`getChallengeSubdomain: challenge subdomain for hostname ${hostname} at domain ${domain} is ${challengeSubdomain}`);
+
+    return challengeSubdomain;
+}
+
+Acme2.prototype.prepareDnsChallenge = function (hostname, domain, authorization, callback) {
+    assert.strictEqual(typeof hostname, 'string');
+    assert.strictEqual(typeof domain, 'string');
+    assert.strictEqual(typeof authorization, 'object');
+    assert.strictEqual(typeof callback, 'function');
+
+    debug('acmeFlow: challenges: %j', authorization);
+    let dnsChallenges = authorization.challenges.filter(function(x) { return x.type === 'dns-01'; });
+    if (dnsChallenges.length === 0) return callback(new Acme2Error(Acme2Error.EXTERNAL_ERROR, 'no dns challenges'));
+    let challenge = dnsChallenges[0];
+
+    const keyAuthorization = this.getKeyAuthorization(challenge.token);
+    let shasum = crypto.createHash('sha256');
+    shasum.update(keyAuthorization);
+
+    const txtValue = urlBase64Encode(shasum.digest('base64'));
+    let challengeSubdomain = getChallengeSubdomain(hostname, domain);
+
+    debug(`prepareDnsChallenge: update ${challengeSubdomain} with ${txtValue}`);
+
+    domains.upsertDnsRecords(challengeSubdomain, domain, 'TXT', [ `"${txtValue}"` ], function (error) {
+        if (error) return callback(new Acme2Error(Acme2Error.EXTERNAL_ERROR, error.message));
+
+        domains.waitForDnsRecord(challengeSubdomain, domain, 'TXT', txtValue, { interval: 5000, times: 200 }, function (error) {
+            if (error) return callback(new Acme2Error(Acme2Error.EXTERNAL_ERROR, error.message));
+
+            callback(null, challenge);
+        });
+    });
+};
+
+Acme2.prototype.cleanupDnsChallenge = function (hostname, domain, challenge, callback) {
+    assert.strictEqual(typeof hostname, 'string');
+    assert.strictEqual(typeof domain, 'string');
+    assert.strictEqual(typeof challenge, 'object');
+    assert.strictEqual(typeof callback, 'function');
+
+    const keyAuthorization = this.getKeyAuthorization(challenge.token);
+    let shasum = crypto.createHash('sha256');
+    shasum.update(keyAuthorization);
+
+    const txtValue = urlBase64Encode(shasum.digest('base64'));
+    let challengeSubdomain = getChallengeSubdomain(hostname, domain);
+
+    debug(`cleanupDnsChallenge: remove ${challengeSubdomain} with ${txtValue}`);
+
+    domains.removeDnsRecords(challengeSubdomain, domain, 'TXT', [ `"${txtValue}"` ], function (error) {
+        if (error) return callback(new Acme2Error(Acme2Error.EXTERNAL_ERROR, error));
+
+        callback(null);
+    });
+};
+
+Acme2.prototype.prepareChallenge = function (hostname, domain, authorizationUrl, callback) {
+    assert.strictEqual(typeof hostname, 'string');
+    assert.strictEqual(typeof domain, 'string');
+    assert.strictEqual(typeof authorizationUrl, 'string');
+    assert.strictEqual(typeof callback, 'function');
+
+    const that = this;
+    superagent.get(authorizationUrl).timeout(30 * 1000).end(function (error, response) {
+        if (error && !error.response) return callback(error);
+        if (response.statusCode !== 200) return callback(new Error('Invalid response code getting authorization : ' + response.statusCode));
+
+        const authorization = response.body;
+
+        if (that.performHttpAuthorization) {
+            that.prepareHttpChallenge(hostname, domain, authorization, callback);
+        } else {
+            that.prepareDnsChallenge(hostname, domain, authorization, callback);
+        }
+    });
+};
+
+Acme2.prototype.cleanupChallenge = function (hostname, domain, challenge, callback) {
+    assert.strictEqual(typeof hostname, 'string');
+    assert.strictEqual(typeof domain, 'string');
+    assert.strictEqual(typeof challenge, 'object');
+    assert.strictEqual(typeof callback, 'function');
+
+    if (this.performHttpAuthorization) {
+        this.cleanupHttpChallenge(hostname, domain, challenge, callback);
+    } else {
+        this.cleanupDnsChallenge(hostname, domain, challenge, callback);
+    }
+};
+
+Acme2.prototype.acmeFlow = function (hostname, domain, callback) {
+    assert.strictEqual(typeof hostname, 'string');
+    assert.strictEqual(typeof domain, 'string');
+    assert.strictEqual(typeof callback, 'function');
+
+    if (!fs.existsSync(paths.ACME_ACCOUNT_KEY_FILE)) {
+        debug('getCertificate: generating acme account key on first run');
+        this.accountKeyPem = safe.child_process.execSync('openssl genrsa 4096');
+        if (!this.accountKeyPem) return callback(new Acme2Error(Acme2Error.INTERNAL_ERROR, safe.error));
+
+        safe.fs.writeFileSync(paths.ACME_ACCOUNT_KEY_FILE, this.accountKeyPem);
+    } else {
+        debug('getCertificate: using existing acme account key');
+        this.accountKeyPem = fs.readFileSync(paths.ACME_ACCOUNT_KEY_FILE);
+    }
+
+    var that = this;
+    this.registerUser(function (error) {
+        if (error) return callback(error);
+
+        that.newOrder(hostname, function (error, order, orderUrl) {
+            if (error) return callback(error);
+
+            async.eachSeries(order.authorizations, function (authorizationUrl, iteratorCallback) {
+                debug(`acmeFlow: authorizing ${authorizationUrl}`);
+
+                that.prepareChallenge(hostname, domain, authorizationUrl, function (error, challenge) {
+                    if (error) return iteratorCallback(error);
+
+                    async.waterfall([
+                        that.notifyChallengeReady.bind(that, challenge),
+                        that.waitForChallenge.bind(that, challenge),
+                        that.createKeyAndCsr.bind(that, hostname),
+                        that.signCertificate.bind(that, hostname, order.finalize),
+                        that.waitForOrder.bind(that, orderUrl),
+                        that.downloadCertificate.bind(that, hostname)
+                    ], function (error) {
+                        that.cleanupChallenge(hostname, domain, challenge, function (cleanupError) {
+                            if (cleanupError) debug('acmeFlow: ignoring error when cleaning up challenge:', cleanupError);
+
+                            iteratorCallback(error);
+                        });
+                    });
+                });
+            }, callback);
+        });
+    });
+};
+
+Acme2.prototype.getDirectory = function (callback) {
+    const that = this;
+
+    superagent.get(this.caDirectory).timeout(30 * 1000).end(function (error, response) {
+        if (error && !error.response) return callback(error);
+        if (response.statusCode !== 200) return callback(new Error('Invalid response code when fetching directory : ' + response.statusCode));
+
+        if (typeof response.body.newNonce !== 'string' ||
+            typeof response.body.newOrder !== 'string' ||
+            typeof response.body.newAccount !== 'string') return callback(new Error(`Invalid response body : ${response.body}`));
+
+        that.directory = response.body;
+
+        callback(null);
+    });
+};
+
+Acme2.prototype.getCertificate = function (hostname, domain, callback) {
+    assert.strictEqual(typeof hostname, 'string');
+    assert.strictEqual(typeof domain, 'string');
+    assert.strictEqual(typeof callback, 'function');
+
+    debug(`getCertificate: start acme flow for ${hostname} from ${this.caDirectory}`);
+
+    if (hostname !== domain && this.wildcard) { // bare domain is not part of wildcard SAN
+        hostname = domains.makeWildcard(hostname);
+        debug(`getCertificate: will get wildcard cert for ${hostname}`);
+    }
+
+    const that = this;
+    this.getDirectory(function (error) {
+        if (error) return callback(error);
+
+        that.acmeFlow(hostname, domain, function (error) {
+            if (error) return callback(error);
+
+            var outdir = paths.APP_CERTS_DIR;
+            const certName = hostname.replace('*.', '_.');
+            callback(null, path.join(outdir, `${certName}.cert`), path.join(outdir, `${certName}.key`));
+        });
+    });
+};
+
+function getCertificate(hostname, domain, options, callback) {
+    assert.strictEqual(typeof hostname, 'string');
+    assert.strictEqual(typeof domain, 'string');
+    assert.strictEqual(typeof options, 'object');
+    assert.strictEqual(typeof callback, 'function');
+
+    var acme = new Acme2(options || { });
+    acme.getCertificate(hostname, domain, callback);
+}
@@ -10,12 +10,13 @@ exports = module.exports = {
 var assert = require('assert'),
    debug = require('debug')('box:cert/caas.js');

-function getCertificate(vhost, options, callback) {
-    assert.strictEqual(typeof vhost, 'string');
+function getCertificate(hostname, domain, options, callback) {
+    assert.strictEqual(typeof hostname, 'string');
+    assert.strictEqual(typeof domain, 'string');
    assert.strictEqual(typeof options, 'object');
    assert.strictEqual(typeof callback, 'function');

-    debug('getCertificate: using fallback certificate', vhost);
+    debug('getCertificate: using fallback certificate', hostname);

    return callback(null, '', '');
 }
@@ -10,12 +10,13 @@ exports = module.exports = {
 var assert = require('assert'),
    debug = require('debug')('box:cert/fallback.js');

-function getCertificate(vhost, options, callback) {
-    assert.strictEqual(typeof vhost, 'string');
+function getCertificate(hostname, domain, options, callback) {
+    assert.strictEqual(typeof hostname, 'string');
+    assert.strictEqual(typeof domain, 'string');
    assert.strictEqual(typeof options, 'object');
    assert.strictEqual(typeof callback, 'function');

-    debug('getCertificate: using fallback certificate', vhost);
+    debug('getCertificate: using fallback certificate', hostname);

    return callback(null, '', '');
 }
@@ -12,7 +12,8 @@ exports = module.exports = {

 var assert = require('assert');

-function getCertificate(domain, options, callback) {
+function getCertificate(hostname, domain, options, callback) {
+    assert.strictEqual(typeof hostname, 'string');
    assert.strictEqual(typeof domain, 'string');
    assert.strictEqual(typeof options, 'object');
    assert.strictEqual(typeof callback, 'function');
@@ -182,8 +182,8 @@ function clear(callback) {

 function addDefaultClients(callback) {
    async.series([
-        add.bind(null, 'cid-webadmin', 'Settings', 'built-in', 'secret-webadmin', 'https://admin-localhost', 'cloudron,profile,users,apps,settings'),
-        add.bind(null, 'cid-sdk', 'SDK', 'built-in', 'secret-sdk', 'https://admin-localhost', '*,roleSdk'),
-        add.bind(null, 'cid-cli', 'Cloudron Tool', 'built-in', 'secret-cli', 'https://admin-localhost', '*,roleSdk')
+        add.bind(null, 'cid-webadmin', 'Settings', 'built-in', 'secret-webadmin', 'https://admin-localhost', '*'),
+        add.bind(null, 'cid-sdk', 'SDK', 'built-in', 'secret-sdk', 'https://admin-localhost', '*'),
+        add.bind(null, 'cid-cli', 'Cloudron Tool', 'built-in', 'secret-cli', 'https://admin-localhost', '*')
    ], callback);
 }
@@ -8,26 +8,16 @@ exports = module.exports = {
    del: del,
    getAll: getAll,
    getByAppIdAndType: getByAppIdAndType,
-    getClientTokensByUserId: getClientTokensByUserId,
-    delClientTokensByUserId: delClientTokensByUserId,
+    getTokensByUserId: getTokensByUserId,
+    delTokensByUserId: delTokensByUserId,
    delByAppIdAndType: delByAppIdAndType,
-    addClientTokenByUserId: addClientTokenByUserId,
+    addTokenByUserId: addTokenByUserId,
    delToken: delToken,

+    issueDeveloperToken: issueDeveloperToken,
+
    addDefaultClients: addDefaultClients,

-    // keep this in sync with start.sh ADMIN_SCOPES that generates the cid-webadmin
-    SCOPE_APPS: 'apps',
-    SCOPE_DEVELOPER: 'developer', // obsolete
-    SCOPE_PROFILE: 'profile',
-    SCOPE_CLOUDRON: 'cloudron',
-    SCOPE_SETTINGS: 'settings',
-    SCOPE_USERS: 'users',
-
-    // roles are handled just like the above scopes, they are parallel to scopes
-    // scopes enclose API groups, roles specify the usage role
-    SCOPE_ROLE_SDK: 'roleSdk',
-
    // client type enums
    TYPE_EXTERNAL: 'external',
    TYPE_BUILT_IN: 'built-in',
@@ -39,10 +29,15 @@ var apps = require('./apps.js'),
    assert = require('assert'),
    async = require('async'),
    clientdb = require('./clientdb.js'),
+    constants = require('./constants.js'),
    DatabaseError = require('./databaseerror.js'),
    debug = require('debug')('box:clients'),
-    hat = require('hat'),
+    eventlog = require('./eventlog.js'),
+    hat = require('./hat.js'),
+    accesscontrol = require('./accesscontrol.js'),
    tokendb = require('./tokendb.js'),
+    users = require('./users.js'),
+    UsersError = users.UsersError,
    util = require('util'),
    uuid = require('uuid');

@@ -73,7 +68,7 @@ ClientsError.NOT_FOUND = 'Not found';
 ClientsError.INTERNAL_ERROR = 'Internal Error';
 ClientsError.NOT_ALLOWED = 'Not allowed to remove this client';

-function validateName(name) {
+function validateClientName(name) {
    assert.strictEqual(typeof name, 'string');

    if (name.length < 1) return new ClientsError(ClientsError.BAD_FIELD, 'Name must be atleast 1 character');
@@ -84,24 +79,10 @@ function validateName(name) {
    return null;
 }

-function validateScope(scope) {
-    assert.strictEqual(typeof scope, 'string');
+function validateTokenName(name) {
+    assert.strictEqual(typeof name, 'string');

-    var VALID_SCOPES = [
-        exports.SCOPE_APPS,
-        exports.SCOPE_DEVELOPER,
-        exports.SCOPE_PROFILE,
-        exports.SCOPE_CLOUDRON,
-        exports.SCOPE_SETTINGS,
-        exports.SCOPE_USERS,
-        '*',    // includes all scopes, but not roles
-        exports.SCOPE_ROLE_SDK
-    ];
-
-    if (scope === '') return new ClientsError(ClientsError.INVALID_SCOPE, 'Empty scope not allowed');
-
-    var allValid = scope.split(',').every(function (s) { return VALID_SCOPES.indexOf(s) !== -1; });
-    if (!allValid) return new ClientsError(ClientsError.INVALID_SCOPE, 'Invalid scope. Available scopes are ' + VALID_SCOPES.join(', '));
+    if (name.length > 64) return new ClientsError(ClientsError.BAD_FIELD, 'Name too long');

    return null;
 }
@@ -113,14 +94,10 @@ function add(appId, type, redirectURI, scope, callback) {
    assert.strictEqual(typeof scope, 'string');
    assert.strictEqual(typeof callback, 'function');

-    // allow whitespace
-    scope = scope.split(',').map(function (s) { return s.trim(); }).join(',');
+    var error = accesscontrol.validateScopeString(scope);
+    if (error) return callback(new ClientsError(ClientsError.INVALID_SCOPE, error.message));

-    var error = validateScope(scope);
-    if (error) return callback(error);
-
-    // appId is also client name
-    error = validateName(appId);
+    error = validateClientName(appId);
    if (error) return callback(error);

    var id = 'cid-' + uuid.v4();
@@ -216,7 +193,7 @@ function getByAppIdAndType(appId, type, callback) {
    });
 }

-function getClientTokensByUserId(clientId, userId, callback) {
+function getTokensByUserId(clientId, userId, callback) {
    assert.strictEqual(typeof clientId, 'string');
    assert.strictEqual(typeof userId, 'string');
    assert.strictEqual(typeof callback, 'function');
@@ -235,7 +212,7 @@ function getClientTokensByUserId(clientId, userId, callback) {
    });
 }

-function delClientTokensByUserId(clientId, userId, callback) {
+function delTokensByUserId(clientId, userId, callback) {
    assert.strictEqual(typeof clientId, 'string');
    assert.strictEqual(typeof userId, 'string');
    assert.strictEqual(typeof callback, 'function');
@@ -275,31 +252,65 @@ function delByAppIdAndType(appId, type, callback) {
    });
 }

-function addClientTokenByUserId(clientId, userId, expiresAt, callback) {
+function addTokenByUserId(clientId, userId, expiresAt, options, callback) {
    assert.strictEqual(typeof clientId, 'string');
    assert.strictEqual(typeof userId, 'string');
    assert.strictEqual(typeof expiresAt, 'number');
+    assert.strictEqual(typeof options, 'object');
    assert.strictEqual(typeof callback, 'function');

+    const name = options.name || '';
+    let error = validateTokenName(name);
+    if (error) return callback(error);
+
    get(clientId, function (error, result) {
        if (error) return callback(error);

-        var token = tokendb.generateToken();
-
-        tokendb.add(token, userId, result.id, expiresAt, result.scope, function (error) {
+        users.get(userId, function (error, user) {
+            if (error && error.reason === UsersError.NOT_FOUND) return callback(new ClientsError(ClientsError.NOT_FOUND, 'No such user'));
            if (error) return callback(new ClientsError(ClientsError.INTERNAL_ERROR, error));

-            callback(null, {
-                accessToken: token,
-                identifier: userId,
-                clientId: result.id,
-                scope: result.id,
-                expires: expiresAt
+            accesscontrol.scopesForUser(user, function (error, userScopes) {
+                if (error) return callback(new ClientsError(ClientsError.INTERNAL_ERROR, error));
+
+                var scope = accesscontrol.canonicalScopeString(result.scope);
+                var authorizedScopes = accesscontrol.intersectScopes(userScopes, scope.split(','));
+
+                var token = tokendb.generateToken();
+
+                tokendb.add(token, userId, result.id, expiresAt, authorizedScopes.join(','), name, function (error) {
+                    if (error) return callback(new ClientsError(ClientsError.INTERNAL_ERROR, error));
+
+                    callback(null, {
+                        accessToken: token,
+                        tokenScopes: authorizedScopes,
+                        identifier: userId,
+                        clientId: result.id,
+                        expires: expiresAt
+                    });
+                });
            });
        });
    });
 }

+// this issues a cid-cli token that does not require a password in various routes
+function issueDeveloperToken(userObject, auditSource, callback) {
+    assert.strictEqual(typeof userObject, 'object');
+    assert.strictEqual(typeof auditSource, 'object');
+    assert.strictEqual(typeof callback, 'function');
+
+    const expiresAt = Date.now() + constants.DEFAULT_TOKEN_EXPIRATION;
+
+    addTokenByUserId('cid-cli', userObject.id, expiresAt, {}, function (error, result) {
+        if (error) return callback(error);
+
+        eventlog.add(eventlog.ACTION_USER_LOGIN, auditSource, { userId: userObject.id, user: users.removePrivateFields(userObject) });
+
+        callback(null, result);
+    });
+}
+
 function delToken(clientId, tokenId, callback) {
    assert.strictEqual(typeof clientId, 'string');
    assert.strictEqual(typeof tokenId, 'string');
@@ -324,13 +335,10 @@ function addDefaultClients(origin, callback) {
    debug('Adding default clients');

    // The domain might have changed, therefor we have to update the record
-    // !!! This needs to be in sync with the webadmin, specifically login_callback.js
-    const ADMIN_SCOPES = 'cloudron,developer,profile,users,apps,settings';
-
    // id, appId, type, clientSecret, redirectURI, scope
    async.series([
-        clientdb.upsert.bind(null, 'cid-webadmin', 'Settings', 'built-in', 'secret-webadmin', origin, ADMIN_SCOPES),
-        clientdb.upsert.bind(null, 'cid-sdk', 'SDK', 'built-in', 'secret-sdk', origin, '*,roleSdk'),
-        clientdb.upsert.bind(null, 'cid-cli', 'Cloudron Tool', 'built-in', 'secret-cli', origin, '*, roleSdk')
+        clientdb.upsert.bind(null, 'cid-webadmin', 'Settings', 'built-in', 'secret-webadmin', origin, '*'),
+        clientdb.upsert.bind(null, 'cid-sdk', 'SDK', 'built-in', 'secret-sdk', origin, '*'),
+        clientdb.upsert.bind(null, 'cid-cli', 'Cloudron Tool', 'built-in', 'secret-cli', origin, '*')
    ], callback);
 }
@@ -8,47 +8,61 @@ exports = module.exports = {
    getConfig: getConfig,
    getDisks: getDisks,
    getLogs: getLogs,
+    getStatus: getStatus,

-    updateToLatest: updateToLatest,
    reboot: reboot,
+    isRebootRequired: isRebootRequired,

    onActivated: onActivated,

-    checkDiskSpace: checkDiskSpace
+    setDashboardDomain: setDashboardDomain,
+    renewCerts: renewCerts,
+
+    checkDiskSpace: checkDiskSpace,
+
+    configureWebadmin: configureWebadmin,
+    getWebadminStatus: getWebadminStatus
 };

 var assert = require('assert'),
    async = require('async'),
-    backups = require('./backups.js'),
-    caas = require('./caas.js'),
+    clients = require('./clients.js'),
    config = require('./config.js'),
    cron = require('./cron.js'),
    debug = require('debug')('box:cloudron'),
+    domains = require('./domains.js'),
+    DomainsError = require('./domains.js').DomainsError,
    df = require('@sindresorhus/df'),
-    eventlog = require('./eventlog.js'),
-    locker = require('./locker.js'),
+    fs = require('fs'),
    mailer = require('./mailer.js'),
    os = require('os'),
    path = require('path'),
    paths = require('./paths.js'),
    platform = require('./platform.js'),
-    progress = require('./progress.js'),
    reverseProxy = require('./reverseproxy.js'),
-    safe = require('safetydance'),
    settings = require('./settings.js'),
    shell = require('./shell.js'),
    spawn = require('child_process').spawn,
    split = require('split'),
-    updateChecker = require('./updatechecker.js'),
-    user = require('./user.js'),
-    util = require('util'),
-    _ = require('underscore');
+    sysinfo = require('./sysinfo.js'),
+    tasks = require('./tasks.js'),
+    users = require('./users.js'),
+    util = require('util');

-var REBOOT_CMD = path.join(__dirname, 'scripts/reboot.sh'),
-    UPDATE_CMD = path.join(__dirname, 'scripts/update.sh');
+var REBOOT_CMD = path.join(__dirname, 'scripts/reboot.sh');

 var NOOP_CALLBACK = function (error) { if (error) debug(error); };

+let gWebadminStatus = {
+    dns: false,
+    tls: false,
+    configuring: false,
+    restore: {
+        active: false,
+        error: null
+    }
+};
+
 function CloudronError(reason, errorOrMessage) {
    assert.strictEqual(typeof reason, 'string');
    assert(errorOrMessage instanceof Error || typeof errorOrMessage === 'string' || typeof errorOrMessage === 'undefined');
@@ -73,41 +87,50 @@ CloudronError.INTERNAL_ERROR = 'Internal Error';
 CloudronError.EXTERNAL_ERROR = 'External Error';
 CloudronError.BAD_STATE = 'Bad state';
 CloudronError.ALREADY_UPTODATE = 'No Update Available';
-CloudronError.NOT_FOUND = 'Not found';
-CloudronError.SELF_UPGRADE_NOT_SUPPORTED = 'Self upgrade not supported';

 function initialize(callback) {
    assert.strictEqual(typeof callback, 'function');

-    async.series([
-        settings.initialize,
-        reverseProxy.configureDefaultServer,
-        cron.initialize, // required for caas heartbeat before activation
-        onActivated
-    ], callback);
+    cron.startPreActivationJobs(callback);
+
+    runStartupTasks();
 }

 function uninitialize(callback) {
    assert.strictEqual(typeof callback, 'function');

    async.series([
-        cron.uninitialize,
-        platform.stop,
-        settings.uninitialize
+        cron.stopJobs,
+        platform.stop
    ], callback);
 }

 function onActivated(callback) {
-    callback = callback || NOOP_CALLBACK;
+    assert.strictEqual(typeof callback, 'function');

    // Starting the platform after a user is available means:
    // 1. mail bounces can now be sent to the cloudron owner
    // 2. the restore code path can run without sudo (since mail/ is non-root)
-    user.count(function (error, count) {
-        if (error) return callback(new CloudronError(CloudronError.INTERNAL_ERROR, error));
-        if (!count) return callback(); // not activated
+    async.series([
+        platform.start,
+        cron.startPostActivationJobs
+    ], callback);
+}

-        platform.start(callback);
+// each of these tasks can fail. we will add some routes to fix/re-run them
+function runStartupTasks() {
+    // configure nginx to be reachable by IP
+    reverseProxy.configureDefaultServer(NOOP_CALLBACK);
+
+    // always generate webadmin config since we have no versioning mechanism for the ejs
+    configureWebadmin(NOOP_CALLBACK);
+
+    // check activation state and start the platform
+    users.isActivated(function (error, activated) {
+        if (error) return debug(error);
+        if (!activated) return debug('initialize: not activated yet'); // not activated
+
+        onActivated(NOOP_CALLBACK);
    });
 }

@@ -140,168 +163,35 @@ function getDisks(callback) {
 function getConfig(callback) {
    assert.strictEqual(typeof callback, 'function');

-    // result to not depend on the appstore
-    const BOX_AND_USER_TEMPLATE = {
-        box: {
-            region: null,
-            size: null,
-            plan: 'Custom Plan'
-        },
-        user: {
-            billing: false,
-            currency: ''
-        }
-    };
+    settings.getAll(function (error, allSettings) {
+        if (error) return callback(new CloudronError(CloudronError.INTERNAL_ERROR, error));

-    caas.getBoxAndUserDetails(function (error, result) {
-        if (error) debug('Failed to fetch cloudron details.', error.reason, error.message);
-
-        result = _.extend(BOX_AND_USER_TEMPLATE, result || {});
-
-        settings.getCloudronName(function (error, cloudronName) {
-            if (error) return callback(new CloudronError(CloudronError.INTERNAL_ERROR, error));
-
-            callback(null, {
-                apiServerOrigin: config.apiServerOrigin(),
-                webServerOrigin: config.webServerOrigin(),
-                adminDomain: config.adminDomain(),
-                adminLocation: config.adminLocation(),
-                adminFqdn: config.adminFqdn(),
-                mailFqdn: config.mailFqdn(),
-                version: config.version(),
-                update: updateChecker.getUpdateInfo(),
-                progress: progress.getAll(),
-                isDemo: config.isDemo(),
-                region: result.box.region,
-                size: result.box.size,
-                billing: !!result.user.billing,
-                plan: result.box.plan,
-                currency: result.user.currency,
-                memory: os.totalmem(),
-                provider: config.provider(),
-                cloudronName: cloudronName
-            });
+        // be picky about what we send out here since this is sent for 'normal' users as well
+        callback(null, {
+            apiServerOrigin: config.apiServerOrigin(),
+            webServerOrigin: config.webServerOrigin(),
+            adminDomain: config.adminDomain(),
+            adminFqdn: config.adminFqdn(),
+            mailFqdn: config.mailFqdn(),
+            version: config.version(),
+            isDemo: config.isDemo(),
+            edition: config.edition(),
+            memory: os.totalmem(),
+            provider: config.provider(),
+            cloudronName: allSettings[settings.CLOUDRON_NAME_KEY]
        });
    });
 }

 function reboot(callback) {
-    shell.sudo('reboot', [ REBOOT_CMD ], callback);
+    shell.sudo('reboot', [ REBOOT_CMD ], {}, callback);
 }

-function update(boxUpdateInfo, auditSource, callback) {
-    assert.strictEqual(typeof boxUpdateInfo, 'object');
-    assert.strictEqual(typeof auditSource, 'object');
+function isRebootRequired(callback) {
    assert.strictEqual(typeof callback, 'function');

-    if (!boxUpdateInfo) return callback(null);
-
-    var error = locker.lock(locker.OP_BOX_UPDATE);
-    if (error) return callback(new CloudronError(CloudronError.BAD_STATE, error.message));
-
-    eventlog.add(eventlog.ACTION_UPDATE, auditSource, { boxUpdateInfo: boxUpdateInfo });
-
-    // ensure tools can 'wait' on progress
-    progress.set(progress.UPDATE, 0, 'Starting');
-
-    // initiate the update/upgrade but do not wait for it
-    if (boxUpdateInfo.upgrade) {
-        debug('Starting upgrade');
-        caas.upgrade(boxUpdateInfo, function (error) {
-            if (error) {
-                debug('Upgrade failed with error:', error);
-                locker.unlock(locker.OP_BOX_UPDATE);
-            }
-        });
-    } else {
-        debug('Starting update');
-        doUpdate(boxUpdateInfo, function (error) {
-            if (error) {
-                debug('Update failed with error:', error);
-                locker.unlock(locker.OP_BOX_UPDATE);
-            }
-        });
-    }
-
-    callback(null);
-}
-
-function updateToLatest(auditSource, callback) {
-    assert.strictEqual(typeof auditSource, 'object');
-    assert.strictEqual(typeof callback, 'function');
-
-    var boxUpdateInfo = updateChecker.getUpdateInfo().box;
-    if (!boxUpdateInfo) return callback(new CloudronError(CloudronError.ALREADY_UPTODATE, 'No update available'));
-    if (!boxUpdateInfo.sourceTarballUrl) return callback(new CloudronError(CloudronError.BAD_STATE, 'No automatic update available'));
-
-    // check if this is just a version number change
-    if (config.version().match(/[-+]/) !== null && config.version().replace(/[-+].*/, '') === boxUpdateInfo.version) {
-        doShortCircuitUpdate(boxUpdateInfo, function (error) {
-            if (error) debug('Short-circuit update failed', error);
-        });
-
-        return callback(null);
-    }
-
-    if (boxUpdateInfo.upgrade && config.provider() !== 'caas') return callback(new CloudronError(CloudronError.SELF_UPGRADE_NOT_SUPPORTED));
-
-    update(boxUpdateInfo, auditSource, callback);
-}
-
-function doShortCircuitUpdate(boxUpdateInfo, callback) {
-    assert(boxUpdateInfo !== null && typeof boxUpdateInfo === 'object');
-
-    debug('Starting short-circuit from prerelease version %s to release version %s', config.version(), boxUpdateInfo.version);
-    config.setVersion(boxUpdateInfo.version);
-    progress.clear(progress.UPDATE);
-    updateChecker.resetUpdateInfo();
-    callback();
-}
-
-function doUpdate(boxUpdateInfo, callback) {
-    assert(boxUpdateInfo && typeof boxUpdateInfo === 'object');
-
-    function updateError(e) {
-        progress.set(progress.UPDATE, -1, e.message);
-        callback(e);
-    }
-
-    progress.set(progress.UPDATE, 5, 'Backing up for update');
-
-    backups.backupBoxAndApps({ userId: null, username: 'updater' }, function (error) {
-        if (error) return updateError(error);
-
-        // NOTE: this data is opaque and will be passed through the installer.sh
-        var data= {
-            provider: config.provider(),
-            apiServerOrigin: config.apiServerOrigin(),
-            webServerOrigin: config.webServerOrigin(),
-            adminDomain: config.adminDomain(),
-            adminFqdn: config.adminFqdn(),
-            adminLocation: config.adminLocation(),
-            isDemo: config.isDemo(),
-
-            appstore: {
-                apiServerOrigin: config.apiServerOrigin()
-            },
-            caas: {
-                apiServerOrigin: config.apiServerOrigin(),
-                webServerOrigin: config.webServerOrigin()
-            },
-
-            version: boxUpdateInfo.version
-        };
-
-        debug('updating box %s %j', boxUpdateInfo.sourceTarballUrl, _.omit(data, 'tlsCert', 'tlsKey', 'token', 'appstore', 'caas'));
-
-        progress.set(progress.UPDATE, 5, 'Downloading and installing new version');
-
-        shell.sudo('update', [ UPDATE_CMD, boxUpdateInfo.sourceTarballUrl, JSON.stringify(data) ], function (error) {
-            if (error) return updateError(error);
-
-            // Do not add any code here. The installer script will stop the box code any instant
-        });
-    });
+    // https://serverfault.com/questions/92932/how-does-ubuntu-keep-track-of-the-system-restart-required-flag-in-motd
+    callback(null, fs.existsSync('/var/run/reboot-required'));
 }

 function checkDiskSpace(callback) {
@@ -346,42 +236,43 @@ function checkDiskSpace(callback) {
    });
 }

-function getLogs(options, callback) {
+function getLogs(unit, options, callback) {
+    assert.strictEqual(typeof unit, 'string');
    assert(options && typeof options === 'object');
    assert.strictEqual(typeof callback, 'function');

-    var units = options.units || [],
-        lines = options.lines || 100,
+    var lines = options.lines || 100,
        format = options.format || 'json',
        follow = !!options.follow;

-    assert(Array.isArray(units));
    assert.strictEqual(typeof lines, 'number');
    assert.strictEqual(typeof format, 'string');

-    debug('Getting logs for %j', units);
+    assert.strictEqual(typeof lines, 'number');
+    assert.strictEqual(typeof format, 'string');

-    var args = [ '--no-pager', '--lines=' + lines ];
-    units.forEach(function (u) {
-        if (u === 'box') args.push('--unit=box');
-        else if (u === 'mail') args.push('CONTAINER_NAME=mail');
-    });
-    if (format === 'short') args.push('--output=short', '-a'); else args.push('--output=json');
+    debug('Getting logs for %s as %s', unit, format);
+
+    let args = [ '--lines=' + lines ];
    if (follow) args.push('--follow');

-    var cp = spawn('/bin/journalctl', args);
+    // need to handle box.log without subdir
+    if (unit === 'box') args.push(path.join(paths.LOG_DIR, 'box.log'));
+    else args.push(path.join(paths.LOG_DIR, unit, 'app.log'));
+
+    var cp = spawn('/usr/bin/tail', args);

    var transformStream = split(function mapper(line) {
        if (format !== 'json') return line + '\n';

-        var obj = safe.JSON.parse(line);
-        if (!obj) return undefined;
+        var data = line.split(' '); // logs are <ISOtimestamp> <msg>
+        var timestamp = (new Date(data[0])).getTime();
+        if (isNaN(timestamp)) timestamp = 0;

        return JSON.stringify({
-            realtimeTimestamp: obj.__REALTIME_TIMESTAMP,
-            monotonicTimestamp: obj.__MONOTONIC_TIMESTAMP,
-            message: obj.MESSAGE,
-            source: obj.SYSLOG_IDENTIFIER || ''
+            realtimeTimestamp: timestamp * 1000,
+            message: line.slice(data[0].length+1),
+            source: unit
        }) + '\n';
    });

@@ -391,3 +282,108 @@ function getLogs(options, callback) {

    return callback(null, transformStream);
 }
+
+function configureWebadmin(callback) {
+    assert.strictEqual(typeof callback, 'function');
+
+    debug('configureWebadmin: adminDomain:%s status:%j', config.adminDomain(), gWebadminStatus);
+
+    if (process.env.BOX_ENV === 'test' || !config.adminDomain() || gWebadminStatus.configuring) return callback();
+
+    gWebadminStatus.configuring = true; // re-entracy guard
+
+    function configureReverseProxy(error) {
+        debug('configureReverseProxy: error %j', error || null);
+
+        reverseProxy.configureAdmin({ userId: null, username: 'setup' }, function (error) {
+            debug('configureWebadmin: done error: %j', error || {});
+            gWebadminStatus.configuring = false;
+
+            if (error) return callback(error);
+
+            gWebadminStatus.tls = true;
+
+            callback();
+        });
+    }
+
+    // update the DNS. configure nginx regardless of whether it succeeded so that
+    // box is accessible even if dns creds are invalid
+    sysinfo.getPublicIp(function (error, ip) {
+        if (error) return configureReverseProxy(error);
+
+        domains.upsertDnsRecords(config.adminLocation(), config.adminDomain(), 'A', [ ip ], function (error) {
+            debug('addWebadminDnsRecord: updated records with error:', error);
+            if (error) return configureReverseProxy(error);
+
+            domains.waitForDnsRecord(config.adminLocation(), config.adminDomain(), 'A', ip, { interval: 30000, times: 50000 }, function (error) {
+                if (error) return configureReverseProxy(error);
+
+                gWebadminStatus.dns = true;
+
+                configureReverseProxy();
+            });
+        });
+    });
+}
+
+function getWebadminStatus() {
+    return gWebadminStatus;
+}
+
+function getStatus(callback) {
+    assert.strictEqual(typeof callback, 'function');
+
+    users.isActivated(function (error, activated) {
+        if (error) return callback(new CloudronError(CloudronError.INTERNAL_ERROR, error));
+
+        settings.getCloudronName(function (error, cloudronName) {
+            if (error) return callback(new CloudronError(CloudronError.INTERNAL_ERROR, error));
+
+            callback(null, {
+                version: config.version(),
+                apiServerOrigin: config.apiServerOrigin(), // used by CaaS tool
+                provider: config.provider(),
+                cloudronName: cloudronName,
+                adminFqdn: config.adminDomain() ? config.adminFqdn() : null,
+                activated: activated,
+                edition: config.edition(),
+                webadminStatus: gWebadminStatus // only valid when !activated
+            });
+        });
+    });
+}
+
+function setDashboardDomain(domain, callback) {
+    assert.strictEqual(typeof domain, 'string');
+    assert.strictEqual(typeof callback, 'function');
+
+    debug(`setDashboardDomain: ${domain}`);
+
+    domains.get(domain, function (error, result) {
+        if (error && error.reason === DomainsError.NOT_FOUND) return callback(new CloudronError(CloudronError.BAD_FIELD, 'No such domain'));
+        if (error) return callback(new CloudronError(CloudronError.INTERNAL_ERROR, error));
+
+        config.setAdminDomain(result.domain);
+        config.setAdminLocation('my');
+        config.setAdminFqdn('my' + (result.config.hyphenatedSubdomains ? '-' : '.') + result.domain);
+
+        clients.addDefaultClients(config.adminOrigin(), function (error) {
+            if (error) return callback(new CloudronError(CloudronError.INTERNAL_ERROR, error));
+
+            callback(null);
+
+            configureWebadmin(NOOP_CALLBACK); // ## trigger as task
+        });
+    });
+}
+
+function renewCerts(options, auditSource, callback) {
+    assert.strictEqual(typeof options, 'object');
+    assert.strictEqual(typeof auditSource, 'object');
+    assert.strictEqual(typeof callback, 'function');
+
+    let task = tasks.startTask(tasks.TASK_RENEW_CERTS, [ options, auditSource ]);
+    task.on('error', (error) => callback(new CloudronError(CloudronError.INTERNAL_ERROR, error)));
+    task.on('start', (taskId) => callback(null, taskId));
+}
@@ -22,8 +22,8 @@ exports = module.exports = {
    setAdminFqdn: setAdminFqdn,
    setAdminLocation: setAdminLocation,
    version: version,
-    setVersion: setVersion,
    database: database,
+    edition: edition,

    // these values are derived
    adminOrigin: adminOrigin,
@@ -36,8 +36,12 @@ exports = module.exports = {
    hasIPv6: hasIPv6,
    dkimSelector: dkimSelector,

+    isManaged: isManaged,
    isDemo: isDemo,

+    // feature flags based on editions (these have a separate license from standard edition)
+    isSpacesEnabled: isSpacesEnabled,
+
    // for testing resets to defaults
    _reset: _reset
 };
@@ -52,31 +56,28 @@ var assert = require('assert'),
 // assert on unknown environment can't proceed
 assert(exports.CLOUDRON || exports.TEST, 'Unknown environment. This should not happen!');

-var homeDir = process.env.HOME || process.env.HOMEPATH || process.env.USERPROFILE;
-
 var data = { };

 function baseDir() {
+    const homeDir = process.env.HOME || process.env.HOMEPATH || process.env.USERPROFILE;
    if (exports.CLOUDRON) return homeDir;
    if (exports.TEST) return path.join(homeDir, '.cloudron_test');
+    // cannot reach
 }

-var cloudronConfigFileName = path.join(baseDir(), 'configs/cloudron.conf');
-
-// only tests can run without a config file on disk, they use the defaults with runtime overrides
-if (exports.CLOUDRON) assert(fs.existsSync(cloudronConfigFileName), 'No cloudron.conf found, cannot proceed');
+const cloudronConfigFileName = exports.CLOUDRON ? '/etc/cloudron/cloudron.conf' : path.join(baseDir(), 'cloudron.conf');

 function saveSync() {
    // only save values we want to have in the cloudron.conf, see start.sh
    var conf = {
-        version: data.version,
        apiServerOrigin: data.apiServerOrigin,
        webServerOrigin: data.webServerOrigin,
        adminDomain: data.adminDomain,
        adminFqdn: data.adminFqdn,
        adminLocation: data.adminLocation,
        provider: data.provider,
-        isDemo: data.isDemo
+        isDemo: data.isDemo,
+        edition: data.edition
    };

    fs.writeFileSync(cloudronConfigFileName, JSON.stringify(conf, null, 4)); // functions are ignored by JSON.stringify
@@ -96,13 +97,14 @@ function initConfig() {
    data.adminDomain = '';
    data.adminLocation = 'my';
    data.port = 3000;
-    data.version = null;
    data.apiServerOrigin = null;
    data.webServerOrigin = null;
    data.provider = 'generic';
    data.smtpPort = 2525; // this value comes from mail container
    data.sysadminPort = 3001;
    data.ldapPort = 3002;
+    data.dockerProxyPort = 3003;
+    data.edition = '';

    // keep in sync with start.sh
    data.database = {
@@ -115,7 +117,6 @@ function initConfig() {

    // overrides for local testings
    if (exports.TEST) {
-        data.version = '1.1.1-test';
        data.port = 5454;
        data.apiServerOrigin = 'http://localhost:6060'; // hock doesn't support https
        data.database.password = '';
@@ -204,11 +205,8 @@ function sysadminOrigin() {
 }

 function version() {
-    return get('version');
-}
-
-function setVersion(version) {
-    set('version', version);
+    if (exports.TEST) return '3.0.0-test';
+    return fs.readFileSync(path.join(__dirname, '../VERSION'), 'utf8').trim();
 }

 function database() {
@@ -219,10 +217,18 @@ function isDemo() {
    return get('isDemo') === true;
 }

+function isSpacesEnabled() {
+    return get('edition') === 'education';
+}
+
 function provider() {
    return get('provider');
 }

+function isManaged() {
+    return edition() === 'hostingprovider';
+}
+
 function hasIPv6() {
    const IPV6_PROC_FILE = '/proc/net/if_inet6';
    return fs.existsSync(IPV6_PROC_FILE);
@@ -235,3 +241,6 @@ function dkimSelector() {
    return loc === 'my' ? 'cloudron' : `cloudron-${loc.replace(/\./g, '')}`;
 }

+function edition() {
+    return get('edition');
+}
@@ -19,12 +19,8 @@ exports = module.exports = {

    ADMIN_NAME: 'Settings',

-    ADMIN_CLIENT_ID: 'webadmin', // oauth client id
-
-    ADMIN_GROUP_NAME: 'admin',
-    ADMIN_GROUP_ID: 'admin',
-
    NGINX_ADMIN_CONFIG_FILE_NAME: 'admin.conf',
+    NGINX_DEFAULT_CONFIG_FILE_NAME: 'default.conf',

    GHOST_USER_FILE: '/tmp/cloudron_ghost.json',

@@ -1,11 +1,14 @@
 'use strict';

 exports = module.exports = {
-    initialize: initialize,
-    uninitialize: uninitialize
+    startPostActivationJobs: startPostActivationJobs,
+    startPreActivationJobs: startPreActivationJobs,
+
+    stopJobs: stopJobs
 };

-var apps = require('./apps.js'),
+var appHealthMonitor = require('./apphealthmonitor.js'),
+    apps = require('./apps.js'),
    appstore = require('./appstore.js'),
    assert = require('assert'),
    backups = require('./backups.js'),
@@ -19,9 +22,9 @@ var apps = require('./apps.js'),
    dyndns = require('./dyndns.js'),
    eventlog = require('./eventlog.js'),
    janitor = require('./janitor.js'),
-    reverseProxy = require('./reverseproxy.js'),
    scheduler = require('./scheduler.js'),
    settings = require('./settings.js'),
+    updater = require('./updater.js'),
    updateChecker = require('./updatechecker.js');

 var gJobs = {
@@ -39,11 +42,12 @@ var gJobs = {
    cleanupTokens: null,
    digestEmail: null,
    dockerVolumeCleaner: null,
-    dynamicDNS: null,
-    schedulerSync: null
+    dynamicDns: null,
+    schedulerSync: null,
+    appHealthMonitor: null
 };

-var NOOP_CALLBACK = function (error) { if (error) console.error(error); };
+var NOOP_CALLBACK = function (error) { if (error) debug(error); };
 var AUDIT_SOURCE = { userId: null, username: 'cron' };

 // cron format
@@ -54,9 +58,7 @@ var AUDIT_SOURCE = { userId: null, username: 'cron' };
 // Months: 0-11
 // Day of Week: 0-6

-function initialize(callback) {
-    assert.strictEqual(typeof callback, 'function');
-
+function startPreActivationJobs(callback) {
    if (config.provider() === 'caas') {
        // hack: send the first heartbeat only after we are running for 60 seconds
        // required as we end up sending a heartbeat and then cloudron-setup reboots the server
@@ -70,6 +72,12 @@ function initialize(callback) {
        });
    }

+    callback();
+}
+
+function startPostActivationJobs(callback) {
+    assert.strictEqual(typeof callback, 'function');
+
    var randomHourMinute = Math.floor(60*Math.random());
    gJobs.alive = new CronJob({
        cronTime: '00 ' + randomHourMinute + ' * * * *', // every hour on a random minute
@@ -77,10 +85,10 @@ function initialize(callback) {
        start: true
    });

-    settings.events.on(settings.TIME_ZONE_KEY, recreateJobs);
-    settings.events.on(settings.APP_AUTOUPDATE_PATTERN_KEY, appAutoupdatePatternChanged);
-    settings.events.on(settings.BOX_AUTOUPDATE_PATTERN_KEY, boxAutoupdatePatternChanged);
-    settings.events.on(settings.DYNAMIC_DNS_KEY, dynamicDnsChanged);
+    settings.on(settings.TIME_ZONE_KEY, recreateJobs);
+    settings.on(settings.APP_AUTOUPDATE_PATTERN_KEY, appAutoupdatePatternChanged);
+    settings.on(settings.BOX_AUTOUPDATE_PATTERN_KEY, boxAutoupdatePatternChanged);
+    settings.on(settings.DYNAMIC_DNS_KEY, dynamicDnsChanged);

    settings.getAll(function (error, allSettings) {
        if (error) return callback(error);
@@ -101,7 +109,7 @@ function recreateJobs(tz) {

    if (gJobs.backup) gJobs.backup.stop();
    gJobs.backup = new CronJob({
-        cronTime: '00 00 */6 * * *', // every 6 hours. backups.ensureBackup() will only trigger a backup once per day
+        cronTime: '00 00 */6 * * *', // check every 6 hours
        onTick: backups.ensureBackup.bind(null, AUDIT_SOURCE, NOOP_CALLBACK),
        start: true,
        timeZone: tz
@@ -177,7 +185,7 @@ function recreateJobs(tz) {
    if (gJobs.certificateRenew) gJobs.certificateRenew.stop();
    gJobs.certificateRenew = new CronJob({
        cronTime: '00 00 */12 * * *', // every 12 hours
-        onTick: reverseProxy.renewAll.bind(null, AUDIT_SOURCE, NOOP_CALLBACK),
+        onTick: cloudron.renewCerts.bind(null, {}, AUDIT_SOURCE, NOOP_CALLBACK),
        start: true,
        timeZone: tz
    });
@@ -189,6 +197,14 @@ function recreateJobs(tz) {
        start: true,
        timeZone: tz
    });
+
+    if (gJobs.appHealthMonitor) gJobs.appHealthMonitor.stop();
+    gJobs.appHealthMonitor = new CronJob({
+        cronTime: '*/10 * * * * *', // every 10 seconds
+        onTick: appHealthMonitor.run.bind(null, 10, NOOP_CALLBACK),
+        start: true,
+        timeZone: tz
+    });
 }

 function boxAutoupdatePatternChanged(pattern) {
@@ -207,7 +223,7 @@ function boxAutoupdatePatternChanged(pattern) {
            var updateInfo = updateChecker.getUpdateInfo();
            if (updateInfo.box) {
                debug('Starting autoupdate to %j', updateInfo.box);
-                cloudron.updateToLatest(AUDIT_SOURCE, NOOP_CALLBACK);
+                updater.updateToLatest(AUDIT_SOURCE, NOOP_CALLBACK);
            } else {
                debug('No box auto updates available');
            }
@@ -250,25 +266,25 @@ function dynamicDnsChanged(enabled) {
    debug('Dynamic DNS setting changed to %s', enabled);

    if (enabled) {
-        gJobs.dynamicDNS = new CronJob({
+        gJobs.dynamicDns = new CronJob({
            cronTime: '00 */10 * * * *',
            onTick: dyndns.sync,
            start: true,
            timeZone: gJobs.boxUpdateCheckerJob.cronTime.zone // hack
        });
    } else {
-        if (gJobs.dynamicDNS) gJobs.dynamicDNS.stop();
-        gJobs.dynamicDNS = null;
+        if (gJobs.dynamicDns) gJobs.dynamicDns.stop();
+        gJobs.dynamicDns = null;
    }
 }

-function uninitialize(callback) {
+function stopJobs(callback) {
    assert.strictEqual(typeof callback, 'function');

-    settings.events.removeListener(settings.TIME_ZONE_KEY, recreateJobs);
-    settings.events.removeListener(settings.APP_AUTOUPDATE_PATTERN_KEY, appAutoupdatePatternChanged);
-    settings.events.removeListener(settings.BOX_AUTOUPDATE_PATTERN_KEY, boxAutoupdatePatternChanged);
-    settings.events.removeListener(settings.DYNAMIC_DNS_KEY, dynamicDnsChanged);
+    settings.removeListener(settings.TIME_ZONE_KEY, recreateJobs);
+    settings.removeListener(settings.APP_AUTOUPDATE_PATTERN_KEY, appAutoupdatePatternChanged);
+    settings.removeListener(settings.BOX_AUTOUPDATE_PATTERN_KEY, boxAutoupdatePatternChanged);
+    settings.removeListener(settings.DYNAMIC_DNS_KEY, dynamicDnsChanged);

    for (var job in gJobs) {
        if (!gJobs[job]) continue;
@@ -6,10 +6,6 @@ exports = module.exports = {
    query: query,
    transaction: transaction,

-    beginTransaction: beginTransaction,
-    rollback: rollback,
-    commit: commit,
-
    importFromFile: importFromFile,
    exportToFile: exportToFile,

@@ -27,21 +23,13 @@ var assert = require('assert'),
 var gConnectionPool = null,
    gDefaultConnection = null;

-function initialize(options, callback) {
-    if (typeof options === 'function') {
-        callback = options;
-        options = {
-            connectionLimit: 5
-        };
-    }
-
-    assert.strictEqual(typeof options.connectionLimit, 'number');
+function initialize(callback) {
    assert.strictEqual(typeof callback, 'function');

    if (gConnectionPool !== null) return callback(null);

    gConnectionPool  = mysql.createPool({
-        connectionLimit: options.connectionLimit,
+        connectionLimit: 5, // this has to be > 1 since we store one connection as 'default'. the rest for transactions
        host: config.database().hostname,
        user: config.database().username,
        password: config.database().password,
@@ -103,8 +91,7 @@ function clear(callback) {

    async.series([
        child_process.exec.bind(null, cmd),
-        require('./clientdb.js')._addDefaultClients,
-        require('./groupdb.js')._addDefaultGroups
+        require('./clientdb.js')._addDefaultClients
    ], callback);
 }

@@ -1,57 +0,0 @@
-/* jslint node: true */
-
-'use strict';
-
-exports = module.exports = {
-    DeveloperError: DeveloperError,
-
-    issueDeveloperToken: issueDeveloperToken
-};
-
-var assert = require('assert'),
-    clients = require('./clients.js'),
-    constants = require('./constants.js'),
-    eventlog = require('./eventlog.js'),
-    tokendb = require('./tokendb.js'),
-    user = require('./user.js'),
-    util = require('util');
-
-function DeveloperError(reason, errorOrMessage) {
-    assert.strictEqual(typeof reason, 'string');
-    assert(errorOrMessage instanceof Error || typeof errorOrMessage === 'string' || typeof errorOrMessage === 'undefined');
-
-    Error.call(this);
-    Error.captureStackTrace(this, this.constructor);
-
-    this.name = this.constructor.name;
-    this.reason = reason;
-    if (typeof errorOrMessage === 'undefined') {
-        this.message = reason;
-    } else if (typeof errorOrMessage === 'string') {
-        this.message = errorOrMessage;
-    } else {
-        this.message = 'Internal error';
-        this.nestedError = errorOrMessage;
-    }
-}
-util.inherits(DeveloperError, Error);
-DeveloperError.INTERNAL_ERROR = 'Internal Error';
-DeveloperError.EXTERNAL_ERROR = 'External Error';
-
-function issueDeveloperToken(userObject, ip, callback) {
-    assert.strictEqual(typeof userObject, 'object');
-    assert.strictEqual(typeof ip, 'string');
-    assert.strictEqual(typeof callback, 'function');
-
-    var token = tokendb.generateToken();
-    var expiresAt = Date.now() + constants.DEFAULT_TOKEN_EXPIRATION;
-    var scopes = '*,' + clients.SCOPE_ROLE_SDK;
-
-    tokendb.add(token, userObject.id, 'cid-cli', expiresAt, scopes, function (error) {
-        if (error) return callback(new DeveloperError(DeveloperError.INTERNAL_ERROR, error));
-
-        eventlog.add(eventlog.ACTION_USER_LOGIN, { authType: 'cli', ip: ip }, { userId: userObject.id, user: user.removePrivateFields(userObject) });
-
-        callback(null, { token: token, expiresAt: new Date(expiresAt).toISOString() });
-    });
-}
@@ -28,44 +28,36 @@ function maybeSend(callback) {
        var pendingAppUpdates = updateInfo.apps || {};
        pendingAppUpdates = Object.keys(pendingAppUpdates).map(function (key) { return pendingAppUpdates[key]; });

-        appstore.getSubscription(function (error, result) {
-            if (error) debug('Error getting subscription:', error);
+        eventlog.getByCreationTime(new Date(new Date() - 7*86400000), function (error, events) {
+            if (error) return callback(error);

-            var hasSubscription = result && result.plan.id !== 'free' && result.plan.id !== 'undecided';
+            var appUpdates = events.filter(function (e) { return e.action === eventlog.ACTION_APP_UPDATE; }).map(function (e) { return e.data; });
+            var boxUpdates = events.filter(function (e) { return e.action === eventlog.ACTION_UPDATE; }).map(function (e) { return e.data; });
+            var certRenewals = events.filter(function (e) { return e.action === eventlog.ACTION_CERTIFICATE_RENEWAL; }).map(function (e) { return e.data; });
+            var usersAdded = events.filter(function (e) { return e.action === eventlog.ACTION_USER_ADD; }).map(function (e) { return e.data; });
+            var usersRemoved = events.filter(function (e) { return e.action === eventlog.ACTION_USER_REMOVE; }).map(function (e) { return e.data; });
+            var finishedBackups = events.filter(function (e) { return e.action === eventlog.ACTION_BACKUP_FINISH && !e.errorMessage; }).map(function (e) { return e.data; });

-            eventlog.getByCreationTime(new Date(new Date() - 7*86400000), function (error, events) {
-                if (error) return callback(error);
+            if (error) return callback(error);

-                var appUpdates = events.filter(function (e) { return e.action === eventlog.ACTION_APP_UPDATE; }).map(function (e) { return e.data; });
-                var boxUpdates = events.filter(function (e) { return e.action === eventlog.ACTION_UPDATE; }).map(function (e) { return e.data; });
-                var certRenewals = events.filter(function (e) { return e.action === eventlog.ACTION_CERTIFICATE_RENEWAL; }).map(function (e) { return e.data; });
-                var usersAdded = events.filter(function (e) { return e.action === eventlog.ACTION_USER_ADD; }).map(function (e) { return e.data; });
-                var usersRemoved = events.filter(function (e) { return e.action === eventlog.ACTION_USER_REMOVE; }).map(function (e) { return e.data; });
-                var finishedBackups = events.filter(function (e) { return e.action === eventlog.ACTION_BACKUP_FINISH && !e.errorMessage; }).map(function (e) { return e.data; });
+            var info = {
+                pendingAppUpdates: pendingAppUpdates,
+                pendingBoxUpdate: updateInfo.box || null,

-                if (error) return callback(error);
+                finishedAppUpdates: appUpdates,
+                finishedBoxUpdates: boxUpdates,

-                var info = {
-                    hasSubscription: hasSubscription,
+                certRenewals: certRenewals,
+                finishedBackups: finishedBackups, // only the successful backups
+                usersAdded: usersAdded,
+                usersRemoved: usersRemoved // unused because we don't have username to work with
+            };

-                    pendingAppUpdates: pendingAppUpdates,
-                    pendingBoxUpdate: updateInfo.box || null,
+            // always send digest for backup failure notification
+            debug('maybeSend: sending digest email', info);
+            mailer.sendDigest(info);

-                    finishedAppUpdates: appUpdates,
-                    finishedBoxUpdates: boxUpdates,
-
-                    certRenewals: certRenewals,
-                    finishedBackups: finishedBackups, // only the successful backups
-                    usersAdded: usersAdded,
-                    usersRemoved: usersRemoved // unused because we don't have username to work with
-                };
-
-                // always send digest for backup failure notification
-                debug('maybeSend: sending digest email', info);
-                mailer.sendDigest(info);
-
-                callback();
-            });
+            callback();
        });
    });
 }
@@ -11,7 +11,7 @@ exports = module.exports = {
 var assert = require('assert'),
    config = require('../config.js'),
    debug = require('debug')('box:dns/caas'),
-    DomainError = require('../domains.js').DomainError,
+    DomainsError = require('../domains.js').DomainsError,
    superagent = require('superagent'),
    util = require('util');

@@ -45,12 +45,12 @@ function add(dnsConfig, zoneName, subdomain, type, values, callback) {
        .send(data)
        .timeout(30 * 1000)
        .end(function (error, result) {
-            if (error && !error.response) return callback(new DomainError(DomainError.EXTERNAL_ERROR, util.format('Network error %s', error.message)));
-            if (result.statusCode === 400) return callback(new DomainError(DomainError.BAD_FIELD, result.body.message));
-            if (result.statusCode === 420) return callback(new DomainError(DomainError.STILL_BUSY));
-            if (result.statusCode !== 201) return callback(new DomainError(DomainError.EXTERNAL_ERROR, util.format('%s %j', result.statusCode, result.body)));
+            if (error && !error.response) return callback(new DomainsError(DomainsError.EXTERNAL_ERROR, util.format('Network error %s', error.message)));
+            if (result.statusCode === 400) return callback(new DomainsError(DomainsError.BAD_FIELD, result.body.message));
+            if (result.statusCode === 420) return callback(new DomainsError(DomainsError.STILL_BUSY));
+            if (result.statusCode !== 201) return callback(new DomainsError(DomainsError.EXTERNAL_ERROR, util.format('%s %j', result.statusCode, result.body)));

-            return callback(null, result.body.changeId);
+            return callback(null);
        });
 }

@@ -70,8 +70,8 @@ function get(dnsConfig, zoneName, subdomain, type, callback) {
        .query({ token: dnsConfig.token, type: type })
        .timeout(30 * 1000)
        .end(function (error, result) {
-            if (error && !error.response) return callback(new DomainError(DomainError.EXTERNAL_ERROR, util.format('Network error %s', error.message)));
-            if (result.statusCode !== 200) return callback(new DomainError(DomainError.EXTERNAL_ERROR, util.format('%s %j', result.statusCode, result.body)));
+            if (error && !error.response) return callback(new DomainsError(DomainsError.EXTERNAL_ERROR, util.format('Network error %s', error.message)));
+            if (result.statusCode !== 200) return callback(new DomainsError(DomainsError.EXTERNAL_ERROR, util.format('%s %j', result.statusCode, result.body)));

            return callback(null, result.body.values);
        });
@@ -109,11 +109,11 @@ function del(dnsConfig, zoneName, subdomain, type, values, callback) {
        .send(data)
        .timeout(30 * 1000)
        .end(function (error, result) {
-            if (error && !error.response) return callback(new DomainError(DomainError.EXTERNAL_ERROR, util.format('Network error %s', error.message)));
-            if (result.statusCode === 400) return callback(new DomainError(DomainError.BAD_FIELD, result.body.message));
-            if (result.statusCode === 420) return callback(new DomainError(DomainError.STILL_BUSY));
-            if (result.statusCode === 404) return callback(new DomainError(DomainError.NOT_FOUND));
-            if (result.statusCode !== 204) return callback(new DomainError(DomainError.EXTERNAL_ERROR, util.format('%s %j', result.statusCode, result.body)));
+            if (error && !error.response) return callback(new DomainsError(DomainsError.EXTERNAL_ERROR, util.format('Network error %s', error.message)));
+            if (result.statusCode === 400) return callback(new DomainsError(DomainsError.BAD_FIELD, result.body.message));
+            if (result.statusCode === 420) return callback(new DomainsError(DomainsError.STILL_BUSY));
+            if (result.statusCode === 404) return callback(new DomainsError(DomainsError.NOT_FOUND));
+            if (result.statusCode !== 204) return callback(new DomainsError(DomainsError.EXTERNAL_ERROR, util.format('%s %j', result.statusCode, result.body)));

            return callback(null);
        });
@@ -126,10 +126,27 @@ function verifyDnsConfig(dnsConfig, domain, zoneName, ip, callback) {
    assert.strictEqual(typeof ip, 'string');
    assert.strictEqual(typeof callback, 'function');

+    if (!dnsConfig.token || typeof dnsConfig.token !== 'string') return callback(new DomainsError(DomainsError.BAD_FIELD, 'token must be a non-empty string'));
+
    var credentials = {
        token: dnsConfig.token,
-        fqdn: domain
+        fqdn: domain,
+        hyphenatedSubdomains: true  // this will ensure we always use them, regardless of passed-in configs
    };

-    return callback(null, credentials);
+    const testSubdomain = 'cloudrontestdns';
+
+    upsert(credentials, zoneName, testSubdomain, 'A', [ ip ], function (error, changeId) {
+        if (error) return callback(error);
+
+        debug('verifyDnsConfig: Test A record added with change id %s', changeId);
+
+        del(credentials, zoneName, testSubdomain, 'A', [ ip ], function (error) {
+            if (error) return callback(error);
+
+            debug('verifyDnsConfig: Test A record removed again');
+
+            callback(null, credentials);
+        });
+    });
 }
@@ -12,7 +12,7 @@ var assert = require('assert'),
    async = require('async'),
    debug = require('debug')('box:dns/cloudflare'),
    dns = require('../native-dns.js'),
-    DomainError = require('../domains.js').DomainError,
+    DomainsError = require('../domains.js').DomainsError,
    superagent = require('superagent'),
    util = require('util'),
    _ = require('underscore');
@@ -24,20 +24,15 @@ function translateRequestError(result, callback) {
    assert.strictEqual(typeof result, 'object');
    assert.strictEqual(typeof callback, 'function');

-    if (result.statusCode === 404) return callback(new DomainError(DomainError.NOT_FOUND, util.format('%s %j', result.statusCode, 'API does not exist')));
-    if (result.statusCode === 422) return callback(new DomainError(DomainError.BAD_FIELD, result.body.message));
+    if (result.statusCode === 404) return callback(new DomainsError(DomainsError.NOT_FOUND, util.format('%s %j', result.statusCode, 'API does not exist')));
+    if (result.statusCode === 422) return callback(new DomainsError(DomainsError.BAD_FIELD, result.body.message));
    if ((result.statusCode === 400 || result.statusCode === 401 || result.statusCode === 403) && result.body.errors.length > 0) {
        let error = result.body.errors[0];
-        let message = error.message;
-        if (error.code === 6003) {
-            if (error.error_chain[0] && error.error_chain[0].code === 6103) message = 'Invalid API Key';
-            else message = 'Invalid credentials';
-        }
-
-        return callback(new DomainError(DomainError.ACCESS_DENIED, message));
+        let message = `message: ${error.message} statusCode: ${result.statusCode} code:${error.code}`;
+        return callback(new DomainsError(DomainsError.ACCESS_DENIED, message));
    }

-    callback(new DomainError(DomainError.EXTERNAL_ERROR, util.format('%s %j', result.statusCode, result.body)));
+    callback(new DomainsError(DomainsError.EXTERNAL_ERROR, util.format('%s %j', result.statusCode, result.body)));
 }

 function getZoneByName(dnsConfig, zoneName, callback) {
@@ -52,7 +47,7 @@ function getZoneByName(dnsConfig, zoneName, callback) {
        .end(function (error, result) {
            if (error && !error.response) return callback(error);
            if (result.statusCode !== 200 || result.body.success !== true) return translateRequestError(result, callback);
-            if (!result.body.result.length) return callback(new DomainError(DomainError.NOT_FOUND, util.format('%s %j', result.statusCode, result.body)));
+            if (!result.body.result.length) return callback(new DomainsError(DomainsError.NOT_FOUND, util.format('%s %j', result.statusCode, result.body)));

            callback(null, result.body.result[0]);
        });
@@ -112,7 +107,7 @@ function upsert(dnsConfig, zoneName, subdomain, type, values, callback) {
                var priority = null;

                if (type === 'MX') {
-                    priority = value.split(' ')[0];
+                    priority = parseInt(value.split(' ')[0], 10);
                    value = value.split(' ')[1];
                }

@@ -152,11 +147,7 @@ function upsert(dnsConfig, zoneName, subdomain, type, values, callback) {
                            callback(null);
                        });
                }
-            }, function (error) {
-                if (error) return callback(error);
-
-                callback(null, 'unused');
-            });
+            }, callback);
        });
    });
 }
@@ -233,8 +224,8 @@ function verifyDnsConfig(dnsConfig, fqdn, zoneName, ip, callback) {
    assert.strictEqual(typeof ip, 'string');
    assert.strictEqual(typeof callback, 'function');

-    if (!dnsConfig.token || typeof dnsConfig.token !== 'string') return callback(new DomainError(DomainError.BAD_FIELD, 'token must be a non-empty string'));
-    if (!dnsConfig.email || typeof dnsConfig.email !== 'string') return callback(new DomainError(DomainError.BAD_FIELD, 'email must be a non-empty string'));
+    if (!dnsConfig.token || typeof dnsConfig.token !== 'string') return callback(new DomainsError(DomainsError.BAD_FIELD, 'token must be a non-empty string'));
+    if (!dnsConfig.email || typeof dnsConfig.email !== 'string') return callback(new DomainsError(DomainsError.BAD_FIELD, 'email must be a non-empty string'));

    var credentials = {
        token: dnsConfig.token,
@@ -244,15 +235,15 @@ function verifyDnsConfig(dnsConfig, fqdn, zoneName, ip, callback) {
    if (process.env.BOX_ENV === 'test') return callback(null, credentials); // this shouldn't be here

    dns.resolve(zoneName, 'NS', { timeout: 5000 }, function (error, nameservers) {
-        if (error && error.code === 'ENOTFOUND') return callback(new DomainError(DomainError.BAD_FIELD, 'Unable to resolve nameservers for this domain'));
-        if (error || !nameservers) return callback(new DomainError(DomainError.BAD_FIELD, error ? error.message : 'Unable to get nameservers'));
+        if (error && error.code === 'ENOTFOUND') return callback(new DomainsError(DomainsError.BAD_FIELD, 'Unable to resolve nameservers for this domain'));
+        if (error || !nameservers) return callback(new DomainsError(DomainsError.BAD_FIELD, error ? error.message : 'Unable to get nameservers'));

        getZoneByName(dnsConfig, zoneName, function(error, result) {
            if (error) return callback(error);

            if (!_.isEqual(result.name_servers.sort(), nameservers.sort())) {
                debug('verifyDnsConfig: %j and %j do not match', nameservers, result.name_servers);
-                return callback(new DomainError(DomainError.BAD_FIELD, 'Domain nameservers are not set to Cloudflare'));
+                return callback(new DomainsError(DomainsError.BAD_FIELD, 'Domain nameservers are not set to Cloudflare'));
            }

            const testSubdomain = 'cloudrontestdns';
@@ -12,7 +12,7 @@ var assert = require('assert'),
    async = require('async'),
    debug = require('debug')('box:dns/digitalocean'),
    dns = require('../native-dns.js'),
-    DomainError = require('../domains.js').DomainError,
+    DomainsError = require('../domains.js').DomainsError,
    safe = require('safetydance'),
    superagent = require('superagent'),
    util = require('util');
@@ -39,10 +39,10 @@ function getInternal(dnsConfig, zoneName, subdomain, type, callback) {
            .set('Authorization', 'Bearer ' + dnsConfig.token)
            .timeout(30 * 1000)
            .end(function (error, result) {
-                if (error && !error.response) return callback(new DomainError(DomainError.EXTERNAL_ERROR, util.format('Network error %s', error.message)));
-                if (result.statusCode === 404) return callback(new DomainError(DomainError.NOT_FOUND, formatError(result)));
-                if (result.statusCode === 403 || result.statusCode === 401) return callback(new DomainError(DomainError.ACCESS_DENIED, formatError(result)));
-                if (result.statusCode !== 200) return callback(new DomainError(DomainError.EXTERNAL_ERROR, formatError(result)));
+                if (error && !error.response) return callback(new DomainsError(DomainsError.EXTERNAL_ERROR, util.format('Network error %s', error.message)));
+                if (result.statusCode === 404) return callback(new DomainsError(DomainsError.NOT_FOUND, formatError(result)));
+                if (result.statusCode === 403 || result.statusCode === 401) return callback(new DomainsError(DomainsError.ACCESS_DENIED, formatError(result)));
+                if (result.statusCode !== 200) return callback(new DomainsError(DomainsError.EXTERNAL_ERROR, formatError(result)));

                matchingRecords = matchingRecords.concat(result.body.domain_records.filter(function (record) {
                    return (record.type === type && record.name === subdomain);
@@ -101,10 +101,10 @@ function upsert(dnsConfig, zoneName, subdomain, type, values, callback) {
                    .send(data)
                    .timeout(30 * 1000)
                    .end(function (error, result) {
-                        if (error && !error.response) return iteratorCallback(new DomainError(DomainError.EXTERNAL_ERROR, util.format('Network error %s', error.message)));
-                        if (result.statusCode === 403 || result.statusCode === 401) return iteratorCallback(new DomainError(DomainError.ACCESS_DENIED, formatError(result)));
-                        if (result.statusCode === 422) return iteratorCallback(new DomainError(DomainError.BAD_FIELD, result.body.message));
-                        if (result.statusCode !== 201) return iteratorCallback(new DomainError(DomainError.EXTERNAL_ERROR, formatError(result)));
+                        if (error && !error.response) return iteratorCallback(new DomainsError(DomainsError.EXTERNAL_ERROR, util.format('Network error %s', error.message)));
+                        if (result.statusCode === 403 || result.statusCode === 401) return iteratorCallback(new DomainsError(DomainsError.ACCESS_DENIED, formatError(result)));
+                        if (result.statusCode === 422) return iteratorCallback(new DomainsError(DomainsError.BAD_FIELD, result.body.message));
+                        if (result.statusCode !== 201) return iteratorCallback(new DomainsError(DomainsError.EXTERNAL_ERROR, formatError(result)));

                        recordIds.push(safe.query(result.body, 'domain_record.id'));

@@ -119,21 +119,17 @@ function upsert(dnsConfig, zoneName, subdomain, type, values, callback) {
                    // increment, as we have consumed the record
                        ++i;

-                        if (error && !error.response) return iteratorCallback(new DomainError(DomainError.EXTERNAL_ERROR, util.format('Network error %s', error.message)));
-                        if (result.statusCode === 403 || result.statusCode === 401) return iteratorCallback(new DomainError(DomainError.ACCESS_DENIED, formatError(result)));
-                        if (result.statusCode === 422) return iteratorCallback(new DomainError(DomainError.BAD_FIELD, result.body.message));
-                        if (result.statusCode !== 200) return iteratorCallback(new DomainError(DomainError.EXTERNAL_ERROR, formatError(result)));
+                        if (error && !error.response) return iteratorCallback(new DomainsError(DomainsError.EXTERNAL_ERROR, util.format('Network error %s', error.message)));
+                        if (result.statusCode === 403 || result.statusCode === 401) return iteratorCallback(new DomainsError(DomainsError.ACCESS_DENIED, formatError(result)));
+                        if (result.statusCode === 422) return iteratorCallback(new DomainsError(DomainsError.BAD_FIELD, result.body.message));
+                        if (result.statusCode !== 200) return iteratorCallback(new DomainsError(DomainsError.EXTERNAL_ERROR, formatError(result)));

                        recordIds.push(safe.query(result.body, 'domain_record.id'));

                        return iteratorCallback(null);
                    });
            }
-        }, function (error) {
-            if (error) return callback(error);
-
-            callback(null, '' + recordIds[0]); // DO ids are integers
-        });
+        }, callback);
    });
 }

@@ -185,10 +181,10 @@ function del(dnsConfig, zoneName, subdomain, type, values, callback) {
            .set('Authorization', 'Bearer ' + dnsConfig.token)
            .timeout(30 * 1000)
            .end(function (error, result) {
-                if (error && !error.response) return callback(new DomainError(DomainError.EXTERNAL_ERROR, util.format('Network error %s', error.message)));
+                if (error && !error.response) return callback(new DomainsError(DomainsError.EXTERNAL_ERROR, util.format('Network error %s', error.message)));
                if (result.statusCode === 404) return callback(null);
-                if (result.statusCode === 403 || result.statusCode === 401) return callback(new DomainError(DomainError.ACCESS_DENIED, formatError(result)));
-                if (result.statusCode !== 204) return callback(new DomainError(DomainError.EXTERNAL_ERROR, formatError(result)));
+                if (result.statusCode === 403 || result.statusCode === 401) return callback(new DomainsError(DomainsError.ACCESS_DENIED, formatError(result)));
+                if (result.statusCode !== 204) return callback(new DomainsError(DomainsError.EXTERNAL_ERROR, formatError(result)));

                debug('del: done');

@@ -204,6 +200,8 @@ function verifyDnsConfig(dnsConfig, fqdn, zoneName, ip, callback) {
    assert.strictEqual(typeof ip, 'string');
    assert.strictEqual(typeof callback, 'function');

+    if (!dnsConfig.token || typeof dnsConfig.token !== 'string') return callback(new DomainsError(DomainsError.BAD_FIELD, 'token must be a non-empty string'));
+
    var credentials = {
        token: dnsConfig.token
    };
@@ -211,12 +209,12 @@ function verifyDnsConfig(dnsConfig, fqdn, zoneName, ip, callback) {
    if (process.env.BOX_ENV === 'test') return callback(null, credentials); // this shouldn't be here

    dns.resolve(zoneName, 'NS', { timeout: 5000 }, function (error, nameservers) {
-        if (error && error.code === 'ENOTFOUND') return callback(new DomainError(DomainError.BAD_FIELD, 'Unable to resolve nameservers for this domain'));
-        if (error || !nameservers) return callback(new DomainError(DomainError.BAD_FIELD, error ? error.message : 'Unable to get nameservers'));
+        if (error && error.code === 'ENOTFOUND') return callback(new DomainsError(DomainsError.BAD_FIELD, 'Unable to resolve nameservers for this domain'));
+        if (error || !nameservers) return callback(new DomainsError(DomainsError.BAD_FIELD, error ? error.message : 'Unable to get nameservers'));

        if (nameservers.map(function (n) { return n.toLowerCase(); }).indexOf('ns1.digitalocean.com') === -1) {
            debug('verifyDnsConfig: %j does not contains DO NS', nameservers);
-            return callback(new DomainError(DomainError.BAD_FIELD, 'Domain nameservers are not set to Digital Ocean'));
+            return callback(new DomainsError(DomainsError.BAD_FIELD, 'Domain nameservers are not set to Digital Ocean'));
        }

        const testSubdomain = 'cloudrontestdns';
@@ -0,0 +1,148 @@
+'use strict';
+
+exports = module.exports = {
+    upsert: upsert,
+    get: get,
+    del: del,
+    waitForDns: require('./waitfordns.js'),
+    verifyDnsConfig: verifyDnsConfig
+};
+
+var assert = require('assert'),
+    debug = require('debug')('box:dns/gandi'),
+    dns = require('../native-dns.js'),
+    DomainsError = require('../domains.js').DomainsError,
+    superagent = require('superagent'),
+    util = require('util');
+
+var GANDI_API = 'https://dns.api.gandi.net/api/v5';
+
+function formatError(response) {
+    return util.format(`Gandi DNS error [${response.statusCode}] ${response.body.message}`);
+}
+
+function upsert(dnsConfig, zoneName, subdomain, type, values, callback) {
+    assert.strictEqual(typeof dnsConfig, 'object');
+    assert.strictEqual(typeof zoneName, 'string');
+    assert.strictEqual(typeof subdomain, 'string');
+    assert.strictEqual(typeof type, 'string');
+    assert(util.isArray(values));
+    assert.strictEqual(typeof callback, 'function');
+
+    subdomain = subdomain || '@';
+
+    debug(`upsert: ${subdomain} in zone ${zoneName} of type ${type} with values ${JSON.stringify(values)}`);
+
+    var data = {
+        'rrset_ttl': 300, // this is the minimum allowed
+        'rrset_values': values // for mx records, value is already of the '<priority> <server>' format
+    };
+
+    superagent.put(`${GANDI_API}/domains/${zoneName}/records/${subdomain}/${type}`)
+        .set('X-Api-Key', dnsConfig.token)
+        .timeout(30 * 1000)
+        .send(data)
+        .end(function (error, result) {
+            if (error && !error.response) return callback(new DomainsError(DomainsError.EXTERNAL_ERROR, util.format('Network error %s', error.message)));
+            if (result.statusCode === 403 || result.statusCode === 401) return callback(new DomainsError(DomainsError.ACCESS_DENIED, formatError(result)));
+            if (result.statusCode === 400) return callback(new DomainsError(DomainsError.BAD_FIELD, formatError(result)));
+            if (result.statusCode !== 201) return callback(new DomainsError(DomainsError.EXTERNAL_ERROR, formatError(result)));
+
+            return callback(null);
+        });
+}
+
+function get(dnsConfig, zoneName, subdomain, type, callback) {
+    assert.strictEqual(typeof dnsConfig, 'object');
+    assert.strictEqual(typeof zoneName, 'string');
+    assert.strictEqual(typeof subdomain, 'string');
+    assert.strictEqual(typeof type, 'string');
+    assert.strictEqual(typeof callback, 'function');
+
+    subdomain = subdomain || '@';
+
+    debug(`get: ${subdomain} in zone ${zoneName} of type ${type}`);
+
+    superagent.get(`${GANDI_API}/domains/${zoneName}/records/${subdomain}/${type}`)
+        .set('X-Api-Key', dnsConfig.token)
+        .timeout(30 * 1000)
+        .end(function (error, result) {
+            if (error && !error.response) return callback(new DomainsError(DomainsError.EXTERNAL_ERROR, util.format('Network error %s', error.message)));
+            if (result.statusCode === 403 || result.statusCode === 401) return callback(new DomainsError(DomainsError.ACCESS_DENIED, formatError(result)));
+            if (result.statusCode === 404) return callback(null, [ ]);
+            if (result.statusCode !== 200) return callback(new DomainsError(DomainsError.EXTERNAL_ERROR, formatError(result)));
+
+            debug('get: %j', result.body);
+
+            return callback(null, result.body.rrset_values);
+        });
+}
+
+function del(dnsConfig, zoneName, subdomain, type, values, callback) {
+    assert.strictEqual(typeof dnsConfig, 'object');
+    assert.strictEqual(typeof zoneName, 'string');
+    assert.strictEqual(typeof subdomain, 'string');
+    assert.strictEqual(typeof type, 'string');
+    assert(util.isArray(values));
+    assert.strictEqual(typeof callback, 'function');
+
+    subdomain = subdomain || '@';
+
+    debug(`del: ${subdomain} in zone ${zoneName} of type ${type} with values ${JSON.stringify(values)}`);
+
+    superagent.del(`${GANDI_API}/domains/${zoneName}/records/${subdomain}/${type}`)
+        .set('X-Api-Key', dnsConfig.token)
+        .timeout(30 * 1000)
+        .end(function (error, result) {
+            if (error && !error.response) return callback(new DomainsError(DomainsError.EXTERNAL_ERROR, util.format('Network error %s', error.message)));
+            if (result.statusCode === 404) return callback(null);
+            if (result.statusCode === 403 || result.statusCode === 401) return callback(new DomainsError(DomainsError.ACCESS_DENIED, formatError(result)));
+            if (result.statusCode !== 204) return callback(new DomainsError(DomainsError.EXTERNAL_ERROR, formatError(result)));
+
+            debug('del: done');
+
+            return callback(null);
+        });
+}
+
+function verifyDnsConfig(dnsConfig, fqdn, zoneName, ip, callback) {
+    assert.strictEqual(typeof dnsConfig, 'object');
+    assert.strictEqual(typeof fqdn, 'string');
+    assert.strictEqual(typeof zoneName, 'string');
+    assert.strictEqual(typeof ip, 'string');
+    assert.strictEqual(typeof callback, 'function');
+
+    if (!dnsConfig.token || typeof dnsConfig.token !== 'string') return callback(new DomainsError(DomainsError.BAD_FIELD, 'token must be a non-empty string'));
+
+    var credentials = {
+        token: dnsConfig.token
+    };
+
+    if (process.env.BOX_ENV === 'test') return callback(null, credentials); // this shouldn't be here
+
+    dns.resolve(zoneName, 'NS', { timeout: 5000 }, function (error, nameservers) {
+        if (error && error.code === 'ENOTFOUND') return callback(new DomainsError(DomainsError.BAD_FIELD, 'Unable to resolve nameservers for this domain'));
+        if (error || !nameservers) return callback(new DomainsError(DomainsError.BAD_FIELD, error ? error.message : 'Unable to get nameservers'));
+
+        if (!nameservers.every(function (n) { return n.toLowerCase().indexOf('.gandi.net') !== -1; })) {
+            debug('verifyDnsConfig: %j does not contain Gandi NS', nameservers);
+            return callback(new DomainsError(DomainsError.BAD_FIELD, 'Domain nameservers are not set to Gandi'));
+        }
+
+        const testSubdomain = 'cloudrontestdns';
+
+        upsert(credentials, zoneName, testSubdomain, 'A', [ ip ], function (error, changeId) {
+            if (error) return callback(error);
+
+            debug('verifyDnsConfig: Test A record added with change id %s', changeId);
+
+            del(dnsConfig, zoneName, testSubdomain, 'A', [ ip ], function (error) {
+                if (error) return callback(error);
+
+                debug('verifyDnsConfig: Test A record removed again');
+
+                callback(null, credentials);
+            });
+        });
+    });
+}
@@ -11,7 +11,7 @@ exports = module.exports = {
 var assert = require('assert'),
    debug = require('debug')('box:dns/gcdns'),
    dns = require('../native-dns.js'),
-    DomainError = require('../domains.js').DomainError,
+    DomainsError = require('../domains.js').DomainsError,
    GCDNS = require('@google-cloud/dns'),
    util = require('util'),
    _ = require('underscore');
@@ -19,19 +19,13 @@ var assert = require('assert'),
 function getDnsCredentials(dnsConfig) {
    assert.strictEqual(typeof dnsConfig, 'object');

-    var config = {
+    return {
        projectId: dnsConfig.projectId,
-        keyFilename: dnsConfig.keyFilename,
-        email: dnsConfig.email
-    };
-
-    if (dnsConfig.credentials) {
-        config.credentials = {
+        credentials: {
            client_email: dnsConfig.credentials.client_email,
            private_key: dnsConfig.credentials.private_key
-        };
-    }
-    return config;
+        }
+    };
 }

 function getZoneByName(dnsConfig, zoneName, callback) {
@@ -42,20 +36,20 @@ function getZoneByName(dnsConfig, zoneName, callback) {
    var gcdns = GCDNS(getDnsCredentials(dnsConfig));

    gcdns.getZones(function (error, zones) {
-        if (error && error.message === 'invalid_grant') return callback(new DomainError(DomainError.ACCESS_DENIED, 'The key was probably revoked'));
-        if (error && error.reason === 'No such domain') return callback(new DomainError(DomainError.NOT_FOUND, error.message));
-        if (error && error.code === 403) return callback(new DomainError(DomainError.ACCESS_DENIED, error.message));
-        if (error && error.code === 404) return callback(new DomainError(DomainError.NOT_FOUND, error.message));
+        if (error && error.message === 'invalid_grant') return callback(new DomainsError(DomainsError.ACCESS_DENIED, 'The key was probably revoked'));
+        if (error && error.reason === 'No such domain') return callback(new DomainsError(DomainsError.NOT_FOUND, error.message));
+        if (error && error.code === 403) return callback(new DomainsError(DomainsError.ACCESS_DENIED, error.message));
+        if (error && error.code === 404) return callback(new DomainsError(DomainsError.NOT_FOUND, error.message));
        if (error) {
            debug('gcdns.getZones', error);
-            return callback(new DomainError(DomainError.EXTERNAL_ERROR, error));
+            return callback(new DomainsError(DomainsError.EXTERNAL_ERROR, error));
        }

        var zone = zones.filter(function (zone) {
            return zone.metadata.dnsName.slice(0, -1) === zoneName;     // the zone name contains a '.' at the end
        })[0];

-        if (!zone) return callback(new DomainError(DomainError.NOT_FOUND, 'no such zone'));
+        if (!zone) return callback(new DomainsError(DomainsError.NOT_FOUND, 'no such zone'));

        callback(null, zone); //zone.metadata ~= {name="", dnsName="", nameServers:[]}
    });
@@ -77,10 +71,10 @@ function upsert(dnsConfig, zoneName, subdomain, type, values, callback) {
        var domain = (subdomain ? subdomain + '.' : '') + zoneName + '.';

        zone.getRecords({ type: type, name: domain }, function (error, oldRecords) {
-            if (error && error.code === 403) return callback(new DomainError(DomainError.ACCESS_DENIED, error.message));
+            if (error && error.code === 403) return callback(new DomainsError(DomainsError.ACCESS_DENIED, error.message));
            if (error) {
                debug('upsert->zone.getRecords', error);
-                return callback(new DomainError(DomainError.EXTERNAL_ERROR, error.message));
+                return callback(new DomainsError(DomainsError.EXTERNAL_ERROR, error.message));
            }

            var newRecord = zone.record(type, {
@@ -90,14 +84,14 @@ function upsert(dnsConfig, zoneName, subdomain, type, values, callback) {
            });

            zone.createChange({ delete: oldRecords, add: newRecord }, function(error, change) {
-                if (error && error.code === 403) return callback(new DomainError(DomainError.ACCESS_DENIED, error.message));
-                if (error && error.code === 412) return callback(new DomainError(DomainError.STILL_BUSY, error.message));
+                if (error && error.code === 403) return callback(new DomainsError(DomainsError.ACCESS_DENIED, error.message));
+                if (error && error.code === 412) return callback(new DomainsError(DomainsError.STILL_BUSY, error.message));
                if (error) {
                    debug('upsert->zone.createChange', error);
-                    return callback(new DomainError(DomainError.EXTERNAL_ERROR, error.message));
+                    return callback(new DomainsError(DomainsError.EXTERNAL_ERROR, error.message));
                }

-                callback(null, change.id);
+                callback(null);
            });
        });
    });
@@ -119,8 +113,8 @@ function get(dnsConfig, zoneName, subdomain, type, callback) {
        };

        zone.getRecords(params, function (error, records) {
-            if (error && error.code === 403) return callback(new DomainError(DomainError.ACCESS_DENIED, error.message));
-            if (error) return callback(new DomainError(DomainError.EXTERNAL_ERROR, error));
+            if (error && error.code === 403) return callback(new DomainsError(DomainsError.ACCESS_DENIED, error.message));
+            if (error) return callback(new DomainsError(DomainsError.EXTERNAL_ERROR, error));
            if (records.length === 0) return callback(null, [ ]);

            return callback(null, records[0].data);
@@ -142,18 +136,18 @@ function del(dnsConfig, zoneName, subdomain, type, values, callback) {
        var domain = (subdomain ? subdomain + '.' : '') + zoneName + '.';

        zone.getRecords({ type: type, name: domain }, function(error, oldRecords) {
-            if (error && error.code === 403) return callback(new DomainError(DomainError.ACCESS_DENIED, error.message));
+            if (error && error.code === 403) return callback(new DomainsError(DomainsError.ACCESS_DENIED, error.message));
            if (error) {
                debug('del->zone.getRecords', error);
-                return callback(new DomainError(DomainError.EXTERNAL_ERROR, error.message));
+                return callback(new DomainsError(DomainsError.EXTERNAL_ERROR, error.message));
            }

            zone.deleteRecords(oldRecords, function (error, change) {
-                if (error && error.code === 403) return callback(new DomainError(DomainError.ACCESS_DENIED, error.message));
-                if (error && error.code === 412) return callback(new DomainError(DomainError.STILL_BUSY, error.message));
+                if (error && error.code === 403) return callback(new DomainsError(DomainsError.ACCESS_DENIED, error.message));
+                if (error && error.code === 412) return callback(new DomainsError(DomainsError.STILL_BUSY, error.message));
                if (error) {
                    debug('del->zone.createChange', error);
-                    return callback(new DomainError(DomainError.EXTERNAL_ERROR, error.message));
+                    return callback(new DomainsError(DomainsError.EXTERNAL_ERROR, error.message));
                }

                callback(null, change.id);
@@ -169,20 +163,25 @@ function verifyDnsConfig(dnsConfig, fqdn, zoneName, ip, callback) {
    assert.strictEqual(typeof ip, 'string');
    assert.strictEqual(typeof callback, 'function');

+    if (typeof dnsConfig.projectId !== 'string') return callback(new DomainsError(DomainsError.BAD_FIELD, 'projectId must be a string'));
+    if (!dnsConfig.credentials || typeof dnsConfig.credentials !== 'object') return callback(new DomainsError(DomainsError.BAD_FIELD, 'credentials must be an object'));
+    if (typeof dnsConfig.credentials.client_email !== 'string') return callback(new DomainsError(DomainsError.BAD_FIELD, 'credentials.client_email must be a string'));
+    if (typeof dnsConfig.credentials.private_key !== 'string') return callback(new DomainsError(DomainsError.BAD_FIELD, 'credentials.private_key must be a string'));
+
    var credentials = getDnsCredentials(dnsConfig);
    if (process.env.BOX_ENV === 'test') return callback(null, credentials); // this shouldn't be here

    dns.resolve(zoneName, 'NS', { timeout: 5000 }, function (error, nameservers) {
-        if (error && error.code === 'ENOTFOUND') return callback(new DomainError(DomainError.BAD_FIELD, 'Unable to resolve nameservers for this domain'));
-        if (error || !resolvedNS) return callback(new DomainError(DomainError.BAD_FIELD, error ? error.message : 'Unable to get nameservers'));
+        if (error && error.code === 'ENOTFOUND') return callback(new DomainsError(DomainsError.BAD_FIELD, 'Unable to resolve nameservers for this domain'));
+        if (error || !nameservers) return callback(new DomainsError(DomainsError.BAD_FIELD, error ? error.message : 'Unable to get nameservers'));

        getZoneByName(credentials, zoneName, function (error, zone) {
            if (error) return callback(error);

            var definedNS = zone.metadata.nameServers.sort().map(function(r) { return r.replace(/\.$/, ''); });
-            if (!_.isEqual(definedNS, resolvedNS.sort())) {
-                debug('verifyDnsConfig: %j and %j do not match', resolvedNS, definedNS);
-                return callback(new DomainError(DomainError.BAD_FIELD, 'Domain nameservers are not set to Google Cloud DNS'));
+            if (!_.isEqual(definedNS, nameservers.sort())) {
+                debug('verifyDnsConfig: %j and %j do not match', nameservers, definedNS);
+                return callback(new DomainsError(DomainsError.BAD_FIELD, 'Domain nameservers are not set to Google Cloud DNS'));
            }

            const testSubdomain = 'cloudrontestdns';
@@ -0,0 +1,185 @@
+'use strict';
+
+exports = module.exports = {
+    upsert: upsert,
+    get: get,
+    del: del,
+    waitForDns: require('./waitfordns.js'),
+    verifyDnsConfig: verifyDnsConfig
+};
+
+var assert = require('assert'),
+    debug = require('debug')('box:dns/godaddy'),
+    dns = require('../native-dns.js'),
+    DomainsError = require('../domains.js').DomainsError,
+    superagent = require('superagent'),
+    util = require('util');
+
+// const GODADDY_API_OTE = 'https://api.ote-godaddy.com/v1/domains';
+const GODADDY_API = 'https://api.godaddy.com/v1/domains';
+
+// this is a workaround for godaddy not having a delete API
+// https://stackoverflow.com/questions/39347464/delete-record-libcloud-godaddy-api
+const GODADDY_INVALID_IP = '0.0.0.0';
+const GODADDY_INVALID_TXT = '""';
+
+function formatError(response) {
+    return util.format(`GoDaddy DNS error [${response.statusCode}] ${response.body.message}`);
+}
+
+function upsert(dnsConfig, zoneName, subdomain, type, values, callback) {
+    assert.strictEqual(typeof dnsConfig, 'object');
+    assert.strictEqual(typeof zoneName, 'string');
+    assert.strictEqual(typeof subdomain, 'string');
+    assert.strictEqual(typeof type, 'string');
+    assert(util.isArray(values));
+    assert.strictEqual(typeof callback, 'function');
+
+    subdomain = subdomain || '@';
+
+    debug(`upsert: ${subdomain} in zone ${zoneName} of type ${type} with values ${JSON.stringify(values)}`);
+
+    var records = [ ];
+    values.forEach(function (value) {
+        var record = { ttl: 600 }; // 600 is the min ttl
+
+        if (type === 'MX') {
+            record.priority = parseInt(value.split(' ')[0], 10);
+            record.data = value.split(' ')[1];
+        } else {
+            record.data = value;
+        }
+
+        records.push(record);
+    });
+
+    superagent.put(`${GODADDY_API}/${zoneName}/records/${type}/${subdomain}`)
+        .set('Authorization', `sso-key ${dnsConfig.apiKey}:${dnsConfig.apiSecret}`)
+        .timeout(30 * 1000)
+        .send(records)
+        .end(function (error, result) {
+            if (error && !error.response) return callback(new DomainsError(DomainsError.EXTERNAL_ERROR, util.format('Network error %s', error.message)));
+            if (result.statusCode === 403 || result.statusCode === 401) return callback(new DomainsError(DomainsError.ACCESS_DENIED, formatError(result)));
+            if (result.statusCode === 400) return callback(new DomainsError(DomainsError.BAD_FIELD, formatError(result))); // no such zone
+            if (result.statusCode === 422) return callback(new DomainsError(DomainsError.BAD_FIELD, formatError(result))); // conflict
+            if (result.statusCode !== 200) return callback(new DomainsError(DomainsError.EXTERNAL_ERROR, formatError(result)));
+
+            return callback(null);
+        });
+}
+
+function get(dnsConfig, zoneName, subdomain, type, callback) {
+    assert.strictEqual(typeof dnsConfig, 'object');
+    assert.strictEqual(typeof zoneName, 'string');
+    assert.strictEqual(typeof subdomain, 'string');
+    assert.strictEqual(typeof type, 'string');
+    assert.strictEqual(typeof callback, 'function');
+
+    subdomain = subdomain || '@';
+
+    debug(`get: ${subdomain} in zone ${zoneName} of type ${type}`);
+
+    superagent.get(`${GODADDY_API}/${zoneName}/records/${type}/${subdomain}`)
+        .set('Authorization', `sso-key ${dnsConfig.apiKey}:${dnsConfig.apiSecret}`)
+        .timeout(30 * 1000)
+        .end(function (error, result) {
+            if (error && !error.response) return callback(new DomainsError(DomainsError.EXTERNAL_ERROR, util.format('Network error %s', error.message)));
+            if (result.statusCode === 403 || result.statusCode === 401) return callback(new DomainsError(DomainsError.ACCESS_DENIED, formatError(result)));
+            if (result.statusCode === 404) return callback(null, [ ]);
+            if (result.statusCode !== 200) return callback(new DomainsError(DomainsError.EXTERNAL_ERROR, formatError(result)));
+
+            debug('get: %j', result.body);
+
+            var values = result.body.map(function (record) { return record.data; });
+
+            if (values.length === 1 && values[0] === GODADDY_INVALID_IP) return callback(null, [ ]); // pretend this record doesn't exist
+
+            return callback(null, values);
+        });
+}
+
+function del(dnsConfig, zoneName, subdomain, type, values, callback) {
+    assert.strictEqual(typeof dnsConfig, 'object');
+    assert.strictEqual(typeof zoneName, 'string');
+    assert.strictEqual(typeof subdomain, 'string');
+    assert.strictEqual(typeof type, 'string');
+    assert(util.isArray(values));
+    assert.strictEqual(typeof callback, 'function');
+
+    subdomain = subdomain || '@';
+
+    debug(`get: ${subdomain} in zone ${zoneName} of type ${type} with values ${JSON.stringify(values)}`);
+
+    if (type !== 'A' && type !== 'TXT') return callback(new DomainsError(DomainsError.EXTERNAL_ERROR, new Error('Record deletion is not supported by GoDaddy API')));
+
+    // check if the record exists at all so that we don't insert the "Dead" record for no reason
+    get(dnsConfig, zoneName, subdomain, type, function (error, values) {
+        if (error) return callback(error);
+        if (values.length === 0) return callback();
+
+        // godaddy does not have a delete API. so fill it up with an invalid IP that we can ignore in future get()
+        var records = [{
+            ttl: 600,
+            data: type === 'A' ? GODADDY_INVALID_IP : GODADDY_INVALID_TXT
+        }];
+
+        superagent.put(`${GODADDY_API}/${zoneName}/records/${type}/${subdomain}`)
+            .set('Authorization', `sso-key ${dnsConfig.apiKey}:${dnsConfig.apiSecret}`)
+            .send(records)
+            .timeout(30 * 1000)
+            .end(function (error, result) {
+                if (error && !error.response) return callback(new DomainsError(DomainsError.EXTERNAL_ERROR, util.format('Network error %s', error.message)));
+                if (result.statusCode === 404) return callback(null);
+                if (result.statusCode === 403 || result.statusCode === 401) return callback(new DomainsError(DomainsError.ACCESS_DENIED, formatError(result)));
+                if (result.statusCode !== 200) return callback(new DomainsError(DomainsError.EXTERNAL_ERROR, formatError(result)));
+
+                debug('del: done');
+
+                return callback(null);
+            });
+    });
+}
+
+function verifyDnsConfig(dnsConfig, fqdn, zoneName, ip, callback) {
+    assert.strictEqual(typeof dnsConfig, 'object');
+    assert.strictEqual(typeof fqdn, 'string');
+    assert.strictEqual(typeof zoneName, 'string');
+    assert.strictEqual(typeof ip, 'string');
+    assert.strictEqual(typeof callback, 'function');
+
+    if (!dnsConfig.apiKey || typeof dnsConfig.apiKey !== 'string') return callback(new DomainsError(DomainsError.BAD_FIELD, 'apiKey must be a non-empty string'));
+    if (!dnsConfig.apiSecret || typeof dnsConfig.apiSecret !== 'string') return callback(new DomainsError(DomainsError.BAD_FIELD, 'apiSecret must be a non-empty string'));
+
+    var credentials = {
+        apiKey: dnsConfig.apiKey,
+        apiSecret: dnsConfig.apiSecret
+    };
+
+    if (process.env.BOX_ENV === 'test') return callback(null, credentials); // this shouldn't be here
+
+    dns.resolve(zoneName, 'NS', { timeout: 5000 }, function (error, nameservers) {
+        if (error && error.code === 'ENOTFOUND') return callback(new DomainsError(DomainsError.BAD_FIELD, 'Unable to resolve nameservers for this domain'));
+        if (error || !nameservers) return callback(new DomainsError(DomainsError.BAD_FIELD, error ? error.message : 'Unable to get nameservers'));
+
+        if (!nameservers.every(function (n) { return n.toLowerCase().indexOf('.domaincontrol.com') !== -1; })) {
+            debug('verifyDnsConfig: %j does not contain GoDaddy NS', nameservers);
+            return callback(new DomainsError(DomainsError.BAD_FIELD, 'Domain nameservers are not set to GoDaddy'));
+        }
+
+        const testSubdomain = 'cloudrontestdns';
+
+        upsert(credentials, zoneName, testSubdomain, 'A', [ ip ], function (error, changeId) {
+            if (error) return callback(error);
+
+            debug('verifyDnsConfig: Test A record added with change id %s', changeId);
+
+            del(dnsConfig, zoneName, testSubdomain, 'A', [ ip ], function (error) {
+                if (error) return callback(error);
+
+                debug('verifyDnsConfig: Test A record removed again');
+
+                callback(null, credentials);
+            });
+        });
+    });
+}
@@ -15,7 +15,7 @@ exports = module.exports = {
 };

 var assert = require('assert'),
-    DomainError = require('../domains.js').DomainError,
+    DomainsError = require('../domains.js').DomainsError,
    util = require('util');

 function upsert(dnsConfig, zoneName, subdomain, type, values, callback) {
@@ -26,7 +26,7 @@ function upsert(dnsConfig, zoneName, subdomain, type, values, callback) {
    assert(util.isArray(values));
    assert.strictEqual(typeof callback, 'function');

-    // Result: backend specific change id, to be passed into getChangeStatus()
+    // Result: none

    callback(new Error('not implemented'));
 }
@@ -11,7 +11,7 @@ exports = module.exports = {
 var assert = require('assert'),
    debug = require('debug')('box:dns/manual'),
    dns = require('../native-dns.js'),
-    DomainError = require('../domains.js').DomainError,
+    DomainsError = require('../domains.js').DomainsError,
    util = require('util');

 function upsert(dnsConfig, zoneName, subdomain, type, values, callback) {
@@ -24,7 +24,7 @@ function upsert(dnsConfig, zoneName, subdomain, type, values, callback) {

    debug('upsert: %s for zone %s of type %s with values %j', subdomain, zoneName, type, values);

-    return callback(null, 'noop-record-id');
+    return callback(null);
 }

 function get(dnsConfig, zoneName, subdomain, type, callback) {
@@ -57,8 +57,9 @@ function verifyDnsConfig(dnsConfig, domain, zoneName, ip, callback) {

    // Very basic check if the nameservers can be fetched
    dns.resolve(zoneName, 'NS', { timeout: 5000 }, function (error, nameservers) {
-        if (error || !nameservers) return callback(new DomainError(DomainError.BAD_FIELD, 'Unable to get nameservers'));
+        if (error && error.code === 'ENOTFOUND') return callback(new DomainsError(DomainsError.BAD_FIELD, 'Unable to resolve nameservers for this domain'));
+        if (error || !nameservers) return callback(new DomainsError(DomainsError.BAD_FIELD, error ? error.message : 'Unable to get nameservers'));

-        callback(null, { wildcard: !!dnsConfig.wildcard });
+        callback(null, {});
    });
 }
@@ -0,0 +1,246 @@
+'use strict';
+
+exports = module.exports = {
+    upsert: upsert,
+    get: get,
+    del: del,
+    waitForDns: require('./waitfordns.js'),
+    verifyDnsConfig: verifyDnsConfig
+};
+
+var assert = require('assert'),
+    debug = require('debug')('box:dns/namecom'),
+    dns = require('../native-dns.js'),
+    safe = require('safetydance'),
+    DomainsError = require('../domains.js').DomainsError,
+    superagent = require('superagent');
+
+const NAMECOM_API = 'https://api.name.com/v4';
+
+function formatError(response) {
+    return `Name.com DNS error [${response.statusCode}] ${response.text}`;
+}
+
+function addRecord(dnsConfig, zoneName, subdomain, type, values, callback) {
+    assert.strictEqual(typeof dnsConfig, 'object');
+    assert.strictEqual(typeof zoneName, 'string');
+    assert.strictEqual(typeof subdomain, 'string');
+    assert.strictEqual(typeof type, 'string');
+    assert(Array.isArray(values));
+    assert.strictEqual(typeof callback, 'function');
+
+    debug(`add: ${subdomain} in zone ${zoneName} of type ${type} with values ${JSON.stringify(values)}`);
+
+    var data = {
+        host: subdomain,
+        type: type,
+        ttl: 300    // 300 is the lowest
+    };
+
+    if (type === 'MX') {
+        data.priority = parseInt(values[0].split(' ')[0], 10);
+        data.answer = values[0].split(' ')[1];
+    } else {
+        data.answer = values[0];
+    }
+
+    superagent.post(`${NAMECOM_API}/domains/${zoneName}/records`)
+        .auth(dnsConfig.username, dnsConfig.token)
+        .timeout(30 * 1000)
+        .send(data)
+        .end(function (error, result) {
+            if (error && !error.response) return callback(new DomainsError(DomainsError.EXTERNAL_ERROR, `Network error ${error.message}`));
+            if (result.statusCode === 403) return callback(new DomainsError(DomainsError.ACCESS_DENIED, formatError(result)));
+            if (result.statusCode !== 200) return callback(new DomainsError(DomainsError.EXTERNAL_ERROR, formatError(result)));
+
+            return callback(null, 'unused-id');
+        });
+}
+
+function updateRecord(dnsConfig, zoneName, recordId, subdomain, type, values, callback) {
+    assert.strictEqual(typeof dnsConfig, 'object');
+    assert.strictEqual(typeof zoneName, 'string');
+    assert.strictEqual(typeof recordId, 'number');
+    assert.strictEqual(typeof subdomain, 'string');
+    assert.strictEqual(typeof type, 'string');
+    assert(Array.isArray(values));
+    assert.strictEqual(typeof callback, 'function');
+
+    debug(`update:${recordId} on ${subdomain} in zone ${zoneName} of type ${type} with values ${JSON.stringify(values)}`);
+
+    var data = {
+        host: subdomain,
+        type: type,
+        ttl: 300    // 300 is the lowest
+    };
+
+    if (type === 'MX') {
+        data.priority = parseInt(values[0].split(' ')[0], 10);
+        data.answer = values[0].split(' ')[1];
+    } else {
+        data.answer = values[0];
+    }
+
+    superagent.put(`${NAMECOM_API}/domains/${zoneName}/records/${recordId}`)
+        .auth(dnsConfig.username, dnsConfig.token)
+        .timeout(30 * 1000)
+        .send(data)
+        .end(function (error, result) {
+            if (error && !error.response) return callback(new DomainsError(DomainsError.EXTERNAL_ERROR, `Network error ${error.message}`));
+            if (result.statusCode === 403) return callback(new DomainsError(DomainsError.ACCESS_DENIED, formatError(result)));
+            if (result.statusCode !== 200) return callback(new DomainsError(DomainsError.EXTERNAL_ERROR, formatError(result)));
+
+            return callback(null);
+        });
+}
+
+function getInternal(dnsConfig, zoneName, subdomain, type, callback) {
+    assert.strictEqual(typeof dnsConfig, 'object');
+    assert.strictEqual(typeof zoneName, 'string');
+    assert.strictEqual(typeof subdomain, 'string');
+    assert.strictEqual(typeof type, 'string');
+    assert.strictEqual(typeof callback, 'function');
+
+    subdomain = subdomain || '@';
+
+    debug(`getInternal: ${subdomain} in zone ${zoneName} of type ${type}`);
+
+    superagent.get(`${NAMECOM_API}/domains/${zoneName}/records`)
+        .auth(dnsConfig.username, dnsConfig.token)
+        .timeout(30 * 1000)
+        .end(function (error, result) {
+            if (error && !error.response) return callback(new DomainsError(DomainsError.EXTERNAL_ERROR, `Network error ${error.message}`));
+            if (result.statusCode === 403) return callback(new DomainsError(DomainsError.ACCESS_DENIED, formatError(result)));
+            if (result.statusCode !== 200) return callback(new DomainsError(DomainsError.EXTERNAL_ERROR, formatError(result)));
+
+            // name.com does not return the correct content-type
+            result.body = safe.JSON.parse(result.text);
+            if (!result.body.records) result.body.records = [];
+
+            result.body.records.forEach(function (r) {
+                // name.com api simply strips empty properties
+                r.host = r.host || '@';
+            });
+
+            var results = result.body.records.filter(function (r) {
+                return (r.host === subdomain && r.type === type);
+            });
+
+            debug('getInternal: %j', results);
+
+            return callback(null, results);
+        });
+}
+
+function upsert(dnsConfig, zoneName, subdomain, type, values, callback) {
+    assert.strictEqual(typeof dnsConfig, 'object');
+    assert.strictEqual(typeof zoneName, 'string');
+    assert.strictEqual(typeof subdomain, 'string');
+    assert.strictEqual(typeof type, 'string');
+    assert(Array.isArray(values));
+    assert.strictEqual(typeof callback, 'function');
+
+    subdomain = subdomain || '@';
+
+    debug(`upsert: ${subdomain} in zone ${zoneName} of type ${type} with values ${JSON.stringify(values)}`);
+
+    getInternal(dnsConfig, zoneName, subdomain, type, function (error, result) {
+        if (error) return callback(error);
+
+        if (result.length === 0) return addRecord(dnsConfig, zoneName, subdomain, type, values, callback);
+
+        return updateRecord(dnsConfig, zoneName, result[0].id, subdomain, type, values, callback);
+    });
+}
+
+function get(dnsConfig, zoneName, subdomain, type, callback) {
+    assert.strictEqual(typeof dnsConfig, 'object');
+    assert.strictEqual(typeof zoneName, 'string');
+    assert.strictEqual(typeof subdomain, 'string');
+    assert.strictEqual(typeof type, 'string');
+    assert.strictEqual(typeof callback, 'function');
+
+    getInternal(dnsConfig, zoneName, subdomain, type, function (error, result) {
+        if (error) return callback(error);
+
+        var tmp = result.map(function (record) { return record.answer; });
+
+        debug('get: %j', tmp);
+
+        return callback(null, tmp);
+    });
+}
+
+function del(dnsConfig, zoneName, subdomain, type, values, callback) {
+    assert.strictEqual(typeof dnsConfig, 'object');
+    assert.strictEqual(typeof zoneName, 'string');
+    assert.strictEqual(typeof subdomain, 'string');
+    assert.strictEqual(typeof type, 'string');
+    assert(Array.isArray(values));
+    assert.strictEqual(typeof callback, 'function');
+
+    subdomain = subdomain || '@';
+
+    debug(`del: ${subdomain} in zone ${zoneName} of type ${type} with values ${JSON.stringify(values)}`);
+
+    getInternal(dnsConfig, zoneName, subdomain, type, function (error, result) {
+        if (error) return callback(error);
+
+        if (result.length === 0) return callback();
+
+        superagent.del(`${NAMECOM_API}/domains/${zoneName}/records/${result[0].id}`)
+            .auth(dnsConfig.username, dnsConfig.token)
+            .timeout(30 * 1000)
+            .end(function (error, result) {
+                if (error && !error.response) return callback(new DomainsError(DomainsError.EXTERNAL_ERROR, `Network error ${error.message}`));
+                if (result.statusCode === 403) return callback(new DomainsError(DomainsError.ACCESS_DENIED, formatError(result)));
+                if (result.statusCode !== 200) return callback(new DomainsError(DomainsError.EXTERNAL_ERROR, formatError(result)));
+
+                return callback(null);
+            });
+    });
+}
+
+function verifyDnsConfig(dnsConfig, fqdn, zoneName, ip, callback) {
+    assert.strictEqual(typeof dnsConfig, 'object');
+    assert.strictEqual(typeof fqdn, 'string');
+    assert.strictEqual(typeof zoneName, 'string');
+    assert.strictEqual(typeof ip, 'string');
+    assert.strictEqual(typeof callback, 'function');
+
+    if (typeof dnsConfig.username !== 'string') return callback(new DomainsError(DomainsError.BAD_FIELD, 'username must be a string'));
+    if (typeof dnsConfig.token !== 'string') return callback(new DomainsError(DomainsError.BAD_FIELD, 'token must be a string'));
+
+    var credentials = {
+        username: dnsConfig.username,
+        token: dnsConfig.token
+    };
+
+    if (process.env.BOX_ENV === 'test') return callback(null, credentials); // this shouldn't be here
+
+    dns.resolve(zoneName, 'NS', { timeout: 5000 }, function (error, nameservers) {
+        if (error && error.code === 'ENOTFOUND') return callback(new DomainsError(DomainsError.BAD_FIELD, 'Unable to resolve nameservers for this domain'));
+        if (error || !nameservers) return callback(new DomainsError(DomainsError.BAD_FIELD, error ? error.message : 'Unable to get nameservers'));
+
+        if (!nameservers.every(function (n) { return n.toLowerCase().indexOf('.name.com') !== -1; })) {
+            debug('verifyDnsConfig: %j does not contain Name.com NS', nameservers);
+            return callback(new DomainsError(DomainsError.BAD_FIELD, 'Domain nameservers are not set to Name.com'));
+        }
+
+        const testSubdomain = 'cloudrontestdns';
+
+        upsert(credentials, zoneName, testSubdomain, 'A', [ ip ], function (error, changeId) {
+            if (error) return callback(error);
+
+            debug('verifyDnsConfig: Test A record added with change id %s', changeId);
+
+            del(dnsConfig, zoneName, testSubdomain, 'A', [ ip ], function (error) {
+                if (error) return callback(error);
+
+                debug('verifyDnsConfig: Test A record removed again');
+
+                callback(null, credentials);
+            });
+        });
+    });
+}
@@ -22,7 +22,7 @@ function upsert(dnsConfig, zoneName, subdomain, type, values, callback) {

    debug('upsert: %s for zone %s of type %s with values %j', subdomain, zoneName, type, values);

-    return callback(null, 'noop-record-id');
+    return callback(null);
 }

 function get(dnsConfig, zoneName, subdomain, type, callback) {
@@ -46,9 +46,10 @@ function del(dnsConfig, zoneName, subdomain, type, values, callback) {
    return callback();
 }

-function waitForDns(domain, zoneName, value, options, callback) {
+function waitForDns(domain, zoneName, type, value, options, callback) {
    assert.strictEqual(typeof domain, 'string');
    assert.strictEqual(typeof zoneName, 'string');
+    assert.strictEqual(typeof type, 'string');
    assert.strictEqual(typeof value, 'string');
    assert(options && typeof options === 'object'); // { interval: 5000, times: 50000 }
    assert.strictEqual(typeof callback, 'function');
@@ -15,7 +15,7 @@ var assert = require('assert'),
    AWS = require('aws-sdk'),
    debug = require('debug')('box:dns/route53'),
    dns = require('../native-dns.js'),
-    DomainError = require('../domains.js').DomainError,
+    DomainsError = require('../domains.js').DomainsError,
    util = require('util'),
    _ = require('underscore');

@@ -39,16 +39,25 @@ function getZoneByName(dnsConfig, zoneName, callback) {
    assert.strictEqual(typeof callback, 'function');

    var route53 = new AWS.Route53(getDnsCredentials(dnsConfig));
-    route53.listHostedZones({}, function (error, result) {
-        if (error && error.code === 'AccessDenied') return callback(new DomainError(DomainError.ACCESS_DENIED, error.message));
-        if (error && error.code === 'InvalidClientTokenId') return callback(new DomainError(DomainError.ACCESS_DENIED, error.message));
-        if (error) return callback(new DomainError(DomainError.EXTERNAL_ERROR, error.message));
+
+    // backward compat for 2.2, where we only required access to "listHostedZones"
+    let listHostedZones;
+    if (dnsConfig.listHostedZonesByName) {
+        listHostedZones = route53.listHostedZonesByName.bind(route53, { MaxItems: '1', DNSName: zoneName + '.' });
+    } else {
+        listHostedZones = route53.listHostedZones.bind(route53, {}); // currently, this route does not support > 100 zones
+    }
+
+    listHostedZones(function (error, result) {
+        if (error && error.code === 'AccessDenied') return callback(new DomainsError(DomainsError.ACCESS_DENIED, error.message));
+        if (error && error.code === 'InvalidClientTokenId') return callback(new DomainsError(DomainsError.ACCESS_DENIED, error.message));
+        if (error) return callback(new DomainsError(DomainsError.EXTERNAL_ERROR, error.message));

        var zone = result.HostedZones.filter(function (zone) {
            return zone.Name.slice(0, -1) === zoneName;     // aws zone name contains a '.' at the end
        })[0];

-        if (!zone) return callback(new DomainError(DomainError.NOT_FOUND, 'no such zone'));
+        if (!zone) return callback(new DomainsError(DomainsError.NOT_FOUND, 'no such zone'));

        callback(null, zone);
    });
@@ -64,9 +73,9 @@ function getHostedZone(dnsConfig, zoneName, callback) {

        var route53 = new AWS.Route53(getDnsCredentials(dnsConfig));
        route53.getHostedZone({ Id: zone.Id }, function (error, result) {
-            if (error && error.code === 'AccessDenied') return callback(new DomainError(DomainError.ACCESS_DENIED, error.message));
-            if (error && error.code === 'InvalidClientTokenId') return callback(new DomainError(DomainError.ACCESS_DENIED, error.message));
-            if (error) return callback(new DomainError(DomainError.EXTERNAL_ERROR, error.message));
+            if (error && error.code === 'AccessDenied') return callback(new DomainsError(DomainsError.ACCESS_DENIED, error.message));
+            if (error && error.code === 'InvalidClientTokenId') return callback(new DomainsError(DomainsError.ACCESS_DENIED, error.message));
+            if (error) return callback(new DomainsError(DomainsError.EXTERNAL_ERROR, error.message));

            callback(null, result);
        });
@@ -87,7 +96,7 @@ function add(dnsConfig, zoneName, subdomain, type, values, callback) {
        if (error) return callback(error);

        var fqdn = subdomain === '' ? zoneName : subdomain + '.' + zoneName;
-        var records = values.map(function (v) { return { Value: v }; });
+        var records = values.map(function (v) { return { Value: v }; });  // for mx records, value is already of the '<priority> <server>' format

        var params = {
            ChangeBatch: {
@@ -105,14 +114,14 @@ function add(dnsConfig, zoneName, subdomain, type, values, callback) {
        };

        var route53 = new AWS.Route53(getDnsCredentials(dnsConfig));
-        route53.changeResourceRecordSets(params, function(error, result) {
-            if (error && error.code === 'AccessDenied') return callback(new DomainError(DomainError.ACCESS_DENIED, error.message));
-            if (error && error.code === 'InvalidClientTokenId') return callback(new DomainError(DomainError.ACCESS_DENIED, error.message));
-            if (error && error.code === 'PriorRequestNotComplete') return callback(new DomainError(DomainError.STILL_BUSY, error.message));
-            if (error && error.code === 'InvalidChangeBatch') return callback(new DomainError(DomainError.BAD_FIELD, error.message));
-            if (error) return callback(new DomainError(DomainError.EXTERNAL_ERROR, error.message));
+        route53.changeResourceRecordSets(params, function(error) {
+            if (error && error.code === 'AccessDenied') return callback(new DomainsError(DomainsError.ACCESS_DENIED, error.message));
+            if (error && error.code === 'InvalidClientTokenId') return callback(new DomainsError(DomainsError.ACCESS_DENIED, error.message));
+            if (error && error.code === 'PriorRequestNotComplete') return callback(new DomainsError(DomainsError.STILL_BUSY, error.message));
+            if (error && error.code === 'InvalidChangeBatch') return callback(new DomainsError(DomainsError.BAD_FIELD, error.message));
+            if (error) return callback(new DomainsError(DomainsError.EXTERNAL_ERROR, error.message));

-            callback(null, result.ChangeInfo.Id);
+            callback(null);
        });
    });
 }
@@ -147,9 +156,9 @@ function get(dnsConfig, zoneName, subdomain, type, callback) {

        var route53 = new AWS.Route53(getDnsCredentials(dnsConfig));
        route53.listResourceRecordSets(params, function (error, result) {
-            if (error && error.code === 'AccessDenied') return callback(new DomainError(DomainError.ACCESS_DENIED, error.message));
-            if (error && error.code === 'InvalidClientTokenId') return callback(new DomainError(DomainError.ACCESS_DENIED, error.message));
-            if (error) return callback(new DomainError(DomainError.EXTERNAL_ERROR, error.message));
+            if (error && error.code === 'AccessDenied') return callback(new DomainsError(DomainsError.ACCESS_DENIED, error.message));
+            if (error && error.code === 'InvalidClientTokenId') return callback(new DomainsError(DomainsError.ACCESS_DENIED, error.message));
+            if (error) return callback(new DomainsError(DomainsError.EXTERNAL_ERROR, error.message));
            if (result.ResourceRecordSets.length === 0) return callback(null, [ ]);
            if (result.ResourceRecordSets[0].Name !== params.StartRecordName || result.ResourceRecordSets[0].Type !== params.StartRecordType) return callback(null, [ ]);

@@ -193,23 +202,23 @@ function del(dnsConfig, zoneName, subdomain, type, values, callback) {

        var route53 = new AWS.Route53(getDnsCredentials(dnsConfig));
        route53.changeResourceRecordSets(params, function(error) {
-            if (error && error.code === 'AccessDenied') return callback(new DomainError(DomainError.ACCESS_DENIED, error.message));
-            if (error && error.code === 'InvalidClientTokenId') return callback(new DomainError(DomainError.ACCESS_DENIED, error.message));
+            if (error && error.code === 'AccessDenied') return callback(new DomainsError(DomainsError.ACCESS_DENIED, error.message));
+            if (error && error.code === 'InvalidClientTokenId') return callback(new DomainsError(DomainsError.ACCESS_DENIED, error.message));
            if (error && error.message && error.message.indexOf('it was not found') !== -1) {
                debug('del: resource record set not found.', error);
-                return callback(new DomainError(DomainError.NOT_FOUND, error.message));
+                return callback(new DomainsError(DomainsError.NOT_FOUND, error.message));
            } else if (error && error.code === 'NoSuchHostedZone') {
                debug('del: hosted zone not found.', error);
-                return callback(new DomainError(DomainError.NOT_FOUND, error.message));
+                return callback(new DomainsError(DomainsError.NOT_FOUND, error.message));
            } else if (error && error.code === 'PriorRequestNotComplete') {
                debug('del: resource is still busy', error);
-                return callback(new DomainError(DomainError.STILL_BUSY, error.message));
+                return callback(new DomainsError(DomainsError.STILL_BUSY, error.message));
            } else if (error && error.code === 'InvalidChangeBatch') {
                debug('del: invalid change batch. No such record to be deleted.');
-                return callback(new DomainError(DomainError.NOT_FOUND, error.message));
+                return callback(new DomainsError(DomainsError.NOT_FOUND, error.message));
            } else if (error) {
                debug('del: error', error);
-                return callback(new DomainError(DomainError.EXTERNAL_ERROR, error.message));
+                return callback(new DomainsError(DomainsError.EXTERNAL_ERROR, error.message));
            }

            callback(null);
@@ -224,25 +233,29 @@ function verifyDnsConfig(dnsConfig, fqdn, zoneName, ip, callback) {
    assert.strictEqual(typeof ip, 'string');
    assert.strictEqual(typeof callback, 'function');

+    if (!dnsConfig.accessKeyId || typeof dnsConfig.accessKeyId !== 'string') return callback(new DomainsError(DomainsError.BAD_FIELD, 'accessKeyId must be a non-empty string'));
+    if (!dnsConfig.secretAccessKey || typeof dnsConfig.secretAccessKey !== 'string') return callback(new DomainsError(DomainsError.BAD_FIELD, 'secretAccessKey must be a non-empty string'));
+
    var credentials = {
        accessKeyId: dnsConfig.accessKeyId,
        secretAccessKey: dnsConfig.secretAccessKey,
        region: dnsConfig.region || 'us-east-1',
-        endpoint: dnsConfig.endpoint || null
+        endpoint: dnsConfig.endpoint || null,
+        listHostedZonesByName: true, // new/updated creds require this perm
    };

    if (process.env.BOX_ENV === 'test') return callback(null, credentials); // this shouldn't be here

    dns.resolve(zoneName, 'NS', { timeout: 5000 }, function (error, nameservers) {
-        if (error && error.code === 'ENOTFOUND') return callback(new DomainError(DomainError.BAD_FIELD, 'Unable to resolve nameservers for this domain'));
-        if (error || !nameservers) return callback(new DomainError(DomainError.BAD_FIELD, error ? error.message : 'Unable to get nameservers'));
+        if (error && error.code === 'ENOTFOUND') return callback(new DomainsError(DomainsError.BAD_FIELD, 'Unable to resolve nameservers for this domain'));
+        if (error || !nameservers) return callback(new DomainsError(DomainsError.BAD_FIELD, error ? error.message : 'Unable to get nameservers'));

        getHostedZone(credentials, zoneName, function (error, zone) {
            if (error) return callback(error);

            if (!_.isEqual(zone.DelegationSet.NameServers.sort(), nameservers.sort())) {
                debug('verifyDnsConfig: %j and %j do not match', nameservers, zone.DelegationSet.NameServers);
-                return callback(new DomainError(DomainError.BAD_FIELD, 'Domain nameservers are not set to Route53'));
+                return callback(new DomainsError(DomainsError.BAD_FIELD, 'Domain nameservers are not set to Route53'));
            }

            const testSubdomain = 'cloudrontestdns';
@@ -252,7 +265,7 @@ function verifyDnsConfig(dnsConfig, fqdn, zoneName, ip, callback) {

                debug('verifyDnsConfig: Test A record added with change id %s', changeId);

-                del(dnsConfig, zoneName, testSubdomain, 'A', [ ip ], function (error) {
+                del(credentials, zoneName, testSubdomain, 'A', [ ip ], function (error) {
                    if (error) return callback(error);

                    debug('verifyDnsConfig: Test A record removed again');
@@ -6,7 +6,7 @@ var assert = require('assert'),
    async = require('async'),
    debug = require('debug')('box:dns/waitfordns'),
    dns = require('../native-dns.js'),
-    DomainError = require('../domains.js').DomainError;
+    DomainsError = require('../domains.js').DomainsError;

 function resolveIp(hostname, options, callback) {
    assert.strictEqual(typeof hostname, 'string');
@@ -30,8 +30,9 @@ function resolveIp(hostname, options, callback) {
    });
 }

-function isChangeSynced(domain, value, nameserver, callback) {
+function isChangeSynced(domain, type, value, nameserver, callback) {
    assert.strictEqual(typeof domain, 'string');
+    assert.strictEqual(typeof type, 'string');
    assert.strictEqual(typeof value, 'string');
    assert.strictEqual(typeof nameserver, 'string');
    assert.strictEqual(typeof callback, 'function');
@@ -44,20 +45,30 @@ function isChangeSynced(domain, value, nameserver, callback) {
        }

        async.every(nsIps, function (nsIp, iteratorCallback) {
-            resolveIp(domain, { server: nsIp, timeout: 5000 }, function (error, answer) {
+            const resolveOptions = { server: nsIp, timeout: 5000 };
+            const resolver = type === 'A' ? resolveIp.bind(null, domain) : dns.resolve.bind(null, domain, 'TXT');
+
+            resolver(resolveOptions, function (error, answer) {
                if (error && error.code === 'TIMEOUT') {
-                    debug(`isChangeSynced: NS ${nameserver} (${nsIp}) timed out when resolving ${domain}`);
+                    debug(`isChangeSynced: NS ${nameserver} (${nsIp}) timed out when resolving ${domain} (${type})`);
                    return iteratorCallback(null, true); // should be ok if dns server is down
                }

                if (error) {
-                    debug(`isChangeSynced: NS ${nameserver} (${nsIp}) errored when resolve ${domain}: ${error}`);
+                    debug(`isChangeSynced: NS ${nameserver} (${nsIp}) errored when resolve ${domain} (${type}): ${error}`);
                    return iteratorCallback(null, false);
                }

-                debug(`isChangeSynced: ${domain} was resolved to ${answer} at NS ${nameserver} (${nsIp}). Expecting ${value}`);
+                let match;
+                if (type === 'A') {
+                    match = answer.length === 1 && answer[0] === value;
+                } else if (type === 'TXT') { // answer is a 2d array of strings
+                    match = answer.some(function (a) { return value === a.join(''); });
+                }

-                iteratorCallback(null, answer.length === 1 && answer[0] === value);
+                debug(`isChangeSynced: ${domain} (${type}) was resolved to ${answer} at NS ${nameserver} (${nsIp}). Expecting ${value}. Match ${match}`);
+
+                iteratorCallback(null, match);
            });
        }, callback);

@@ -65,9 +76,10 @@ function isChangeSynced(domain, value, nameserver, callback) {
 }

 // check if IP change has propagated to every nameserver
-function waitForDns(domain, zoneName, value, options, callback) {
+function waitForDns(domain, zoneName, type, value, options, callback) {
    assert.strictEqual(typeof domain, 'string');
    assert.strictEqual(typeof zoneName, 'string');
+    assert(type === 'A' || type === 'TXT');
    assert.strictEqual(typeof value, 'string');
    assert(options && typeof options === 'object'); // { interval: 5000, times: 50000 }
    assert.strictEqual(typeof callback, 'function');
@@ -80,12 +92,12 @@ function waitForDns(domain, zoneName, value, options, callback) {
        debug(`waitForDns (try ${attempt}): ${domain} to be ${value} in zone ${zoneName}`);

        dns.resolve(zoneName, 'NS', { timeout: 5000 }, function (error, nameservers) {
-            if (error || !nameservers) return retryCallback(error || new DomainError(DomainError.EXTERNAL_ERROR, 'Unable to get nameservers'));
+            if (error || !nameservers) return retryCallback(error || new DomainsError(DomainsError.EXTERNAL_ERROR, 'Unable to get nameservers'));

-            async.every(nameservers, isChangeSynced.bind(null, domain, value), function (error, synced) {
+            async.every(nameservers, isChangeSynced.bind(null, domain, type, value), function (error, synced) {
                debug('waitForDns: %s %s ns: %j', domain, synced ? 'done' : 'not done', nameservers);

-                retryCallback(synced ? null : new DomainError(DomainError.EXTERNAL_ERROR, 'ETRYAGAIN'));
+                retryCallback(synced ? null : new DomainsError(DomainsError.EXTERNAL_ERROR, 'ETRYAGAIN'));
            });
        });
    }, function retryDone(error) {
@@ -0,0 +1,79 @@
+'use strict';
+
+exports = module.exports = {
+    upsert: upsert,
+    get: get,
+    del: del,
+    waitForDns: require('./waitfordns.js'),
+    verifyDnsConfig: verifyDnsConfig
+};
+
+var assert = require('assert'),
+    debug = require('debug')('box:dns/manual'),
+    dns = require('../native-dns.js'),
+    DomainsError = require('../domains.js').DomainsError,
+    sysinfo = require('../sysinfo.js'),
+    util = require('util');
+
+function upsert(dnsConfig, zoneName, subdomain, type, values, callback) {
+    assert.strictEqual(typeof dnsConfig, 'object');
+    assert.strictEqual(typeof zoneName, 'string');
+    assert.strictEqual(typeof subdomain, 'string');
+    assert.strictEqual(typeof type, 'string');
+    assert(util.isArray(values));
+    assert.strictEqual(typeof callback, 'function');
+
+    debug('upsert: %s for zone %s of type %s with values %j', subdomain, zoneName, type, values);
+
+    return callback(null);
+}
+
+function get(dnsConfig, zoneName, subdomain, type, callback) {
+    assert.strictEqual(typeof dnsConfig, 'object');
+    assert.strictEqual(typeof zoneName, 'string');
+    assert.strictEqual(typeof subdomain, 'string');
+    assert.strictEqual(typeof type, 'string');
+    assert.strictEqual(typeof callback, 'function');
+
+    callback(null, [ ]); // returning ip confuses apptask into thinking the entry already exists
+}
+
+function del(dnsConfig, zoneName, subdomain, type, values, callback) {
+    assert.strictEqual(typeof dnsConfig, 'object');
+    assert.strictEqual(typeof zoneName, 'string');
+    assert.strictEqual(typeof subdomain, 'string');
+    assert.strictEqual(typeof type, 'string');
+    assert(util.isArray(values));
+    assert.strictEqual(typeof callback, 'function');
+
+    return callback();
+}
+
+function verifyDnsConfig(dnsConfig, domain, zoneName, ip, callback) {
+    assert.strictEqual(typeof dnsConfig, 'object');
+    assert.strictEqual(typeof domain, 'string');
+    assert.strictEqual(typeof zoneName, 'string');
+    assert.strictEqual(typeof ip, 'string');
+    assert.strictEqual(typeof callback, 'function');
+
+    // Very basic check if the nameservers can be fetched
+    dns.resolve(zoneName, 'NS', { timeout: 5000 }, function (error, nameservers) {
+        if (error && error.code === 'ENOTFOUND') return callback(new DomainsError(DomainsError.BAD_FIELD, 'Unable to resolve nameservers for this domain'));
+        if (error || !nameservers) return callback(new DomainsError(DomainsError.BAD_FIELD, error ? error.message : 'Unable to get nameservers'));
+
+        const separator = dnsConfig.hyphenatedSubdomains ? '-' : '.';
+        const fqdn = `cloudrontest${separator}${domain}`;
+        dns.resolve(fqdn, 'A', { server: '127.0.0.1', timeout: 5000 }, function (error, result) {
+            if (error && error.code === 'ENOTFOUND') return callback(new DomainsError(DomainsError.BAD_FIELD, `Unable to resolve ${fqdn}`));
+            if (error || !result) return callback(new DomainsError(DomainsError.BAD_FIELD, error ? error.message : `Unable to resolve ${fqdn}`));
+
+            sysinfo.getPublicIp(function (error, ip) {
+                if (error) return callback(new DomainsError(DomainsError.EXTERNAL_ERROR, `Failed to detect IP of this server: ${error.message}`));
+
+                if (result.length !== 1 || ip !== result[0]) return callback(new DomainsError(DomainsError.EXTERNAL_ERROR, `Domain resolves to ${JSON.stringify(result)} instead of ${ip}`));
+
+                callback(null, {});
+            });
+        });
+    });
+}
@@ -1,7 +1,13 @@
 'use strict';

 exports = module.exports = {
+    DockerError: DockerError,
+
    connection: connectionInstance(),
+    setRegistryConfig: setRegistryConfig,
+
+    ping: ping,
+
    downloadImage: downloadImage,
    createContainer: createContainer,
    startContainer: startContainer,
@@ -16,21 +22,26 @@ exports = module.exports = {
    getContainerIdByIp: getContainerIdByIp,
    inspect: inspect,
    inspectByName: inspect,
-    execContainer: execContainer
+    memoryUsage: memoryUsage,
+    execContainer: execContainer,
+    createVolume: createVolume,
+    removeVolume: removeVolume,
+    clearVolume: clearVolume
 };

-function connectionInstance() {
+// timeout is optional
+function connectionInstance(timeout) {
    var Docker = require('dockerode');
    var docker;

    if (process.env.BOX_ENV === 'test') {
        // test code runs a docker proxy on this port
-        docker = new Docker({ host: 'http://localhost', port: 5687 });
+        docker = new Docker({ host: 'http://localhost', port: 5687, timeout: timeout });

        // proxy code uses this to route to the real docker
        docker.options = { socketPath: '/var/run/docker.sock' };
    } else {
-        docker = new Docker({ socketPath: '/var/run/docker.sock' });
+        docker = new Docker({ socketPath: '/var/run/docker.sock', timeout: timeout });
    }

    return docker;
@@ -43,57 +54,98 @@ var addons = require('./addons.js'),
    config = require('./config.js'),
    constants = require('./constants.js'),
    debug = require('debug')('box:docker.js'),
+    mkdirp = require('mkdirp'),
    once = require('once'),
+    path = require('path'),
+    paths = require('./paths.js'),
    safe = require('safetydance'),
+    shell = require('./shell.js'),
    spawn = child_process.spawn,
    util = require('util'),
    _ = require('underscore');

+const RMVOLUME_CMD = path.join(__dirname, 'scripts/rmvolume.sh');
+
+function DockerError(reason, errorOrMessage) {
+    assert.strictEqual(typeof reason, 'string');
+    assert(errorOrMessage instanceof Error || typeof errorOrMessage === 'string' || typeof errorOrMessage === 'undefined');
+
+    Error.call(this);
+    Error.captureStackTrace(this, this.constructor);
+
+    this.name = this.constructor.name;
+    this.reason = reason;
+    if (typeof errorOrMessage === 'undefined') {
+        this.message = reason;
+    } else if (typeof errorOrMessage === 'string') {
+        this.message = errorOrMessage;
+    } else {
+        this.message = 'Internal error';
+        this.nestedError = errorOrMessage;
+    }
+}
+util.inherits(DockerError, Error);
+DockerError.INTERNAL_ERROR = 'Internal Error';
+DockerError.NOT_FOUND = 'Not found';
+DockerError.BAD_FIELD = 'Bad field';
+
 function debugApp(app, args) {
    assert(typeof app === 'object');

    debug(app.fqdn + ' ' + util.format.apply(util, Array.prototype.slice.call(arguments, 1)));
 }

+function setRegistryConfig(auth, callback) {
+    assert.strictEqual(typeof auth, 'object');
+    assert.strictEqual(typeof callback, 'function');
+
+    const isLogin = !!auth.password;
+
+    // currently, auth info is not stashed in the db but maybe it should for restore to work?
+    const cmd = isLogin ? `docker login ${auth.serveraddress} --username ${auth.username} --password ${auth.password}` : `docker logout ${auth.serveraddress}`;
+
+    child_process.exec(cmd, { }, function (error, stdout, stderr) {
+        if (error) return callback(new DockerError(DockerError.BAD_FIELD, stderr));
+
+        callback();
+    });
+}
+
+function ping(callback) {
+    assert.strictEqual(typeof callback, 'function');
+
+    // do not let the request linger
+    var docker = connectionInstance(1000);
+
+    docker.ping(function (error, result) {
+        if (error) return callback(new DockerError(DockerError.INTERNAL_ERROR, error));
+        if (result !== 'OK') return callback(new DockerError(DockerError.INTERNAL_ERROR, 'Unable to ping the docker daemon'));
+
+        callback(null);
+    });
+}
+
 function pullImage(manifest, callback) {
    var docker = exports.connection;

-    docker.pull(manifest.dockerImage, function (err, stream) {
-        if (err) return callback(new Error('Error connecting to docker. statusCode: ' + err.statusCode));
+    // Use docker CLI here to support downloading of private repos. for dockerode, we have to use
+    // https://github.com/apocas/dockerode#pull-from-private-repos
+    shell.spawn('pullImage', '/usr/bin/docker', [ 'pull', manifest.dockerImage ], {}, function (error) {
+        if (error) {
+            debug(`pullImage: Error pulling image ${manifest.dockerImage} of ${manifest.id}: ${error.message}`);
+            return callback(new Error('Failed to pull image'));
+        }

-        // https://github.com/dotcloud/docker/issues/1074 says each status message
-        // is emitted as a chunk
-        stream.on('data', function (chunk) {
-            var data = safe.JSON.parse(chunk) || { };
-            debug('pullImage %s: %j', manifest.id, data);
+        var image = docker.getImage(manifest.dockerImage);

-            // The information here is useless because this is per layer as opposed to per image
-            if (data.status) {
-            } else if (data.error) {
-                debug('pullImage error %s: %s', manifest.id, data.errorDetail.message);
-            }
-        });
+        image.inspect(function (err, data) {
+            if (err) return callback(new Error('Error inspecting image:' + err.message));
+            if (!data || !data.Config) return callback(new Error('Missing Config in image:' + JSON.stringify(data, null, 4)));
+            if (!data.Config.Entrypoint && !data.Config.Cmd) return callback(new Error('Only images with entry point are allowed'));

-        stream.on('end', function () {
-            debug('downloaded image %s of %s successfully', manifest.dockerImage, manifest.id);
+            if (data.Config.ExposedPorts) debug('This image of %s exposes ports: %j', manifest.id, data.Config.ExposedPorts);

-            var image = docker.getImage(manifest.dockerImage);
-
-            image.inspect(function (err, data) {
-                if (err) return callback(new Error('Error inspecting image:' + err.message));
-                if (!data || !data.Config) return callback(new Error('Missing Config in image:' + JSON.stringify(data, null, 4)));
-                if (!data.Config.Entrypoint && !data.Config.Cmd) return callback(new Error('Only images with entry point are allowed'));
-
-                if (data.Config.ExposedPorts) debug('This image of %s exposes ports: %j', manifest.id, data.Config.ExposedPorts);
-
-                callback(null);
-            });
-        });
-
-        stream.on('error', function (error) {
-            debug('error pulling image %s of %s: %j', manifest.dockerImage, manifest.id, error);
-
-            callback(error);
+            callback(null);
        });
    });
 }
@@ -130,8 +182,10 @@ function createSubcontainer(app, name, cmd, options, callback) {
    var manifest = app.manifest;
    var exposedPorts = {}, dockerPortBindings = { };
    var domain = app.fqdn;
+    // TODO: these should all have the CLOUDRON_ prefix
    var stdEnv = [
        'CLOUDRON=1',
+        'CLOUDRON_PROXY_IP=172.18.0.1',
        'WEBADMIN_ORIGIN=' + config.adminOrigin(),
        'API_ORIGIN=' + config.adminOrigin(),
        'APP_ORIGIN=https://' + domain,
@@ -144,16 +198,22 @@ function createSubcontainer(app, name, cmd, options, callback) {
    dockerPortBindings[manifest.httpPort + '/tcp'] = [ { HostIp: '127.0.0.1', HostPort: app.httpPort + '' } ];

    var portEnv = [];
-    for (var e in app.portBindings) {
-        var hostPort = app.portBindings[e];
-        var containerPort = manifest.tcpPorts[e].containerPort || hostPort;
+    for (let portName in app.portBindings) {
+        const hostPort = app.portBindings[portName];
+        const portType = portName in manifest.tcpPorts ? 'tcp' : 'udp';
+        const ports = portType == 'tcp' ? manifest.tcpPorts : manifest.udpPorts;

-        exposedPorts[containerPort + '/tcp'] = {};
-        portEnv.push(e + '=' + hostPort);
+        var containerPort = ports[portName].containerPort || hostPort;

-        dockerPortBindings[containerPort + '/tcp'] = [ { HostIp: '0.0.0.0', HostPort: hostPort + '' } ];
+        exposedPorts[`${containerPort}/${portType}`] = {};
+        portEnv.push(`${portName}=${hostPort}`);
+
+        dockerPortBindings[`${containerPort}/${portType}`] = [ { HostIp: '0.0.0.0', HostPort: hostPort + '' } ];
    }

+    let appEnv = [];
+    Object.keys(app.env).forEach(function (name) { appEnv.push(`${name}=${app.env[name]}`); });
+
    // first check db record, then manifest
    var memoryLimit = app.memoryLimit || manifest.memoryLimit || 0;

@@ -167,9 +227,6 @@ function createSubcontainer(app, name, cmd, options, callback) {
    // if required, we can make this a manifest and runtime argument later
    if (!isAppContainer) memoryLimit *= 2;

-    // apparmor is disabled on few servers
-    var enableSecurityOpt = config.CLOUDRON && safe(function () { return child_process.spawnSync('aa-enabled').status === 0; }, false);
-
    addons.getEnvironment(app, function (error, addonEnv) {
        if (error) return callback(new Error('Error getting addon environment : ' + error));

@@ -181,9 +238,10 @@ function createSubcontainer(app, name, cmd, options, callback) {
        var containerOptions = {
            name: name, // used for filtering logs
            Tty: isAppContainer,
+            Hostname: app.id, // set to something 'constant' so app containers can use this to communicate (across app updates)
            Image: app.manifest.dockerImage,
            Cmd: (isAppContainer && app.debugMode && app.debugMode.cmd) ? app.debugMode.cmd : cmd,
-            Env: stdEnv.concat(addonEnv).concat(portEnv),
+            Env: stdEnv.concat(addonEnv).concat(portEnv).concat(appEnv),
            ExposedPorts: isAppContainer ? exposedPorts : { },
            Volumes: { // see also ReadonlyRootfs
                '/tmp': {},
@@ -192,10 +250,19 @@ function createSubcontainer(app, name, cmd, options, callback) {
            Labels: {
                'fqdn': app.fqdn,
                'appId': app.id,
-                'isSubcontainer': String(!isAppContainer)
+                'isSubcontainer': String(!isAppContainer),
+                'isCloudronManaged': String(true)
            },
            HostConfig: {
-                Binds: addons.getBindsSync(app, app.manifest.addons),
+                Mounts: addons.getMountsSync(app, app.manifest.addons),
+                LogConfig: {
+                    Type: 'syslog',
+                    Config: {
+                        'tag': app.id,
+                        'syslog-address': 'udp://127.0.0.1:2514', // see apps.js:validatePortBindings()
+                        'syslog-format': 'rfc5424'
+                    }
+                },
                Memory: memoryLimit / 2,
                MemorySwap: memoryLimit, // Memory + Swap
                PortBindings: isAppContainer ? dockerPortBindings : { },
@@ -210,7 +277,7 @@ function createSubcontainer(app, name, cmd, options, callback) {
                NetworkMode: 'cloudron',
                Dns: ['172.18.0.1'], // use internal dns
                DnsSearch: ['.'], // use internal dns
-                SecurityOpt: enableSecurityOpt ? [ 'apparmor=docker-cloudron-app' ] : null // profile available only on cloudron
+                SecurityOpt: [ 'apparmor=docker-cloudron-app' ]
            }
        };

@@ -358,7 +425,8 @@ function deleteImage(manifest, callback) {
    // just removes the tag). we used to remove the image by id. this is not required anymore because aliases are
    // not created anymore after https://github.com/docker/docker/pull/10571
    docker.getImage(dockerImage).remove(removeOptions, function (error) {
-        if (error && error.statusCode === 404) return callback(null);
+        if (error && error.statusCode === 400) return callback(null); // invalid image format. this can happen if user installed with a bad --docker-image
+        if (error && error.statusCode === 404) return callback(null); // not found
        if (error && error.statusCode === 409) return callback(null); // another container using the image

        if (error) debug('Error removing image %s : %j', dockerImage, error);
@@ -397,7 +465,23 @@ function inspect(containerId, callback) {
    var container = exports.connection.getContainer(containerId);

    container.inspect(function (error, result) {
-        if (error) return callback(error);
+        if (error && error.statusCode === 404) return callback(new DockerError(DockerError.NOT_FOUND));
+        if (error) return callback(new DockerError(DockerError.INTERNAL_ERROR, error));
+
+        callback(null, result);
+    });
+}
+
+function memoryUsage(containerId, callback) {
+    assert.strictEqual(typeof containerId, 'string');
+    assert.strictEqual(typeof callback, 'function');
+
+    var container = exports.connection.getContainer(containerId);
+
+    container.stats({ stream: false }, function (error, result) {
+        if (error && error.statusCode === 404) return callback(new DockerError(DockerError.NOT_FOUND));
+        if (error) return callback(new DockerError(DockerError.INTERNAL_ERROR, error));
+
        callback(null, result);
    });
 }
@@ -432,3 +516,66 @@ function execContainer(containerId, cmd, options, callback) {

    if (options.stdin) options.stdin.pipe(cp.stdin).on('error', callback);
 }
+
+function createVolume(app, name, subdir, callback) {
+    assert.strictEqual(typeof app, 'object');
+    assert.strictEqual(typeof name, 'string');
+    assert.strictEqual(typeof subdir, 'string');
+    assert.strictEqual(typeof callback, 'function');
+
+    let docker = exports.connection;
+
+    const volumeDataDir = path.join(paths.APPS_DATA_DIR, app.id, subdir);
+
+    const volumeOptions = {
+        Name: name,
+        Driver: 'local',
+        DriverOpts: { // https://github.com/moby/moby/issues/19990#issuecomment-248955005
+            type: 'none',
+            device: volumeDataDir,
+            o: 'bind'
+        },
+        Labels: {
+            'fqdn': app.fqdn,
+            'appId': app.id
+        },
+    };
+
+    mkdirp(volumeDataDir, function (error) {
+        if (error) return callback(new Error(`Error creating app data dir: ${error.message}`));
+
+        docker.createVolume(volumeOptions, function (error) {
+            if (error) return callback(error);
+
+            callback();
+        });
+    });
+}
+
+function clearVolume(app, name, subdir, callback) {
+    assert.strictEqual(typeof app, 'object');
+    assert.strictEqual(typeof name, 'string');
+    assert.strictEqual(typeof subdir, 'string');
+    assert.strictEqual(typeof callback, 'function');
+
+    shell.sudo('removeVolume', [ RMVOLUME_CMD, app.id, subdir ], {}, callback);
+}
+
+function removeVolume(app, name, subdir, callback) {
+    assert.strictEqual(typeof app, 'object');
+    assert.strictEqual(typeof name, 'string');
+    assert.strictEqual(typeof subdir, 'string');
+    assert.strictEqual(typeof callback, 'function');
+
+    let docker = exports.connection;
+
+    let volume = docker.getVolume(name);
+    volume.remove(function (error) {
+        if (error && error.statusCode !== 404) {
+            debug(`removeVolume: Error removing volume of ${app.id} ${error}`);
+            callback(error);
+        }
+
+        shell.sudo('removeVolume', [ RMVOLUME_CMD, app.id, subdir ], {}, callback);
+    });
+}
@@ -0,0 +1,178 @@
+'use strict';
+
+exports = module.exports = {
+    start: start,
+    stop: stop
+};
+
+var apps = require('./apps.js'),
+    AppsError = apps.AppsError,
+    assert = require('assert'),
+    config = require('./config.js'),
+    express = require('express'),
+    debug = require('debug')('box:dockerproxy'),
+    http = require('http'),
+    HttpError = require('connect-lastmile').HttpError,
+    middleware = require('./middleware'),
+    net = require('net'),
+    path = require('path'),
+    paths = require('./paths.js'),
+    safe = require('safetydance'),
+    _ = require('underscore');
+
+var gHttpServer = null;
+
+function authorizeApp(req, res, next) {
+    // TODO add here some authorization
+    // - block apps not using the docker addon
+    // - block calls regarding platform containers
+    // - only allow managing and inspection of containers belonging to the app
+
+    // make the tests pass for now
+    if (config.TEST) {
+        req.app = { id: 'testappid' };
+        return next();
+    }
+
+    apps.getByIpAddress(req.connection.remoteAddress, function (error, app) {
+        if (error && error.reason === AppsError.NOT_FOUND) return next(new HttpError(401, 'Unauthorized'));
+        if (error) return next(new HttpError(500, error));
+
+        if (!('docker' in app.manifest.addons)) return next(new HttpError(401, 'Unauthorized'));
+
+        req.app = app;
+
+        next();
+    });
+}
+
+function attachDockerRequest(req, res, next) {
+    var options = {
+        socketPath: '/var/run/docker.sock',
+        method: req.method,
+        path: req.url,
+        headers: req.headers
+    };
+
+    req.dockerRequest = http.request(options, function (dockerResponse) {
+        res.writeHead(dockerResponse.statusCode, dockerResponse.headers);
+
+        // Force node to send out the headers, this is required for the /container/wait api to make the docker cli proceed
+        res.write(' ');
+
+        dockerResponse.on('error', function (error) { console.error('dockerResponse error:', error); });
+        dockerResponse.pipe(res, { end: true });
+    });
+
+    next();
+}
+
+function containersCreate(req, res, next) {
+    safe.set(req.body, 'HostConfig.NetworkMode', 'cloudron'); // overwrite the network the container lives in
+    safe.set(req.body, 'NetworkingConfig', {}); // drop any custom network configs
+    safe.set(req.body, 'Labels',  _.extend({ }, safe.query(req.body, 'Labels'), { appId: req.app.id }));    // overwrite the app id to track containers of an app
+    safe.set(req.body, 'HostConfig.LogConfig', { Type: 'syslog', Config: { 'tag': req.app.id, 'syslog-address': 'udp://127.0.0.1:2514', 'syslog-format': 'rfc5424' }});
+
+    const appDataDir = path.join(paths.APPS_DATA_DIR, req.app.id, 'data'),
+        dockerDataDir = path.join(paths.APPS_DATA_DIR, req.app.id, 'docker');
+
+    debug('Original volume binds:', req.body.HostConfig.Binds);
+
+    let binds = [];
+    for (let bind of (req.body.HostConfig.Binds || [])) {
+        if (bind.startsWith(appDataDir)) binds.push(bind); // eclipse will inspect docker to find out the host folders and pass that to child containers
+        else if (bind.startsWith('/app/data')) binds.push(bind.replace(new RegExp('^/app/data'), appDataDir));
+        else binds.push(`${dockerDataDir}/${bind}`);
+    }
+
+    // cleanup the paths from potential double slashes
+    binds = binds.map(function (bind) { return bind.replace(/\/+/g, '/'); });
+
+    debug('Rewritten volume binds:', binds);
+    safe.set(req.body, 'HostConfig.Binds', binds);
+
+    let plainBody = JSON.stringify(req.body);
+
+    req.dockerRequest.setHeader('Content-Length', Buffer.byteLength(plainBody));
+    req.dockerRequest.end(plainBody);
+}
+
+function process(req, res, next) {
+    // we have to rebuild the body since we consumed in in the parser
+    if (Object.keys(req.body).length !== 0) {
+        let plainBody = JSON.stringify(req.body);
+        req.dockerRequest.setHeader('Content-Length', Buffer.byteLength(plainBody));
+        req.dockerRequest.end(plainBody);
+    } else if (!req.readable) {
+        req.dockerRequest.end();
+    } else {
+        req.pipe(req.dockerRequest, { end: true });
+    }
+}
+
+function start(callback) {
+    assert.strictEqual(typeof callback, 'function');
+    assert(gHttpServer === null, 'Already started');
+
+    let json = middleware.json({ strict: true });
+    let router = new express.Router();
+    router.post('/:version/containers/create', containersCreate);
+
+    let proxyServer = express();
+
+    if (config.TEST) {
+        proxyServer.use(function (req, res, next) {
+            console.log('Proxying: ' + req.method, req.url);
+            next();
+        });
+    }
+
+    proxyServer.use(authorizeApp)
+        .use(attachDockerRequest)
+        .use(json)
+        .use(router)
+        .use(process)
+        .use(middleware.lastMile());
+
+    gHttpServer = http.createServer(proxyServer);
+    gHttpServer.listen(config.get('dockerProxyPort'), '0.0.0.0', callback);
+
+    debug(`startDockerProxy: started proxy on port ${config.get('dockerProxyPort')}`);
+
+    gHttpServer.on('upgrade', function (req, client, head) {
+        // Create a new tcp connection to the TCP server
+        var remote = net.connect('/var/run/docker.sock', function () {
+            var upgradeMessage = req.method + ' ' + req.url + ' HTTP/1.1\r\n' +
+                                `Host: ${req.headers.host}\r\n` +
+                                'Connection: Upgrade\r\n' +
+                                'Upgrade: tcp\r\n';
+
+            if (req.headers['content-type'] === 'application/json') {
+                // TODO we have to parse the immediate upgrade request body, but I don't know how
+                let plainBody = '{"Detach":false,"Tty":false}\r\n';
+                upgradeMessage += `Content-Type: application/json\r\n`;
+                upgradeMessage += `Content-Length: ${Buffer.byteLength(plainBody)}\r\n`;
+                upgradeMessage += '\r\n';
+                upgradeMessage += plainBody;
+            }
+
+            upgradeMessage += '\r\n';
+
+            // resend the upgrade event to the docker daemon, so it responds with the proper message through the pipes
+            remote.write(upgradeMessage);
+
+            // two-way pipes between client and docker daemon
+            client.pipe(remote).pipe(client);
+        });
+    });
+}
+
+function stop(callback) {
+    assert.strictEqual(typeof callback, 'function');
+
+    if (gHttpServer) gHttpServer.close();
+
+    gHttpServer = null;
+
+    callback();
+}
@@ -8,8 +8,7 @@ exports = module.exports = {
    getAll: getAll,
    update: update,
    del: del,
-
-    _clear: clear
+    clear: clear
 };

 var assert = require('assert'),
@@ -6,9 +6,10 @@ module.exports = exports = {
    getAll: getAll,
    update: update,
    del: del,
+    clear: clear,
+    isLocked: isLocked,

    fqdn: fqdn,
-    setAdmin: setAdmin,

    getDnsRecords: getDnsRecords,
    upsertDnsRecords: upsertDnsRecords,
@@ -16,28 +17,37 @@ module.exports = exports = {

    waitForDnsRecord: waitForDnsRecord,

-    DomainError: DomainError
+    removePrivateFields: removePrivateFields,
+    removeRestrictedFields: removeRestrictedFields,
+
+    validateHostname: validateHostname,
+
+    makeWildcard: makeWildcard,
+
+    parentDomain: parentDomain,
+
+    DomainsError: DomainsError,
+
+    // exported for testing
+    _getName: getName
 };

 var assert = require('assert'),
-    caas = require('./caas.js'),
    config = require('./config.js'),
+    constants = require('./constants.js'),
    DatabaseError = require('./databaseerror.js'),
    debug = require('debug')('box:domains'),
    domaindb = require('./domaindb.js'),
-    path = require('path'),
+    eventlog = require('./eventlog.js'),
    reverseProxy = require('./reverseproxy.js'),
    ReverseProxyError = reverseProxy.ReverseProxyError,
    safe = require('safetydance'),
-    shell = require('./shell.js'),
    sysinfo = require('./sysinfo.js'),
    tld = require('tldjs'),
-    util = require('util');
+    util = require('util'),
+    _ = require('underscore');

-var RESTART_CMD = path.join(__dirname, 'scripts/restart.sh');
-var NOOP_CALLBACK = function (error) { if (error) debug(error); };
-
-function DomainError(reason, errorOrMessage) {
+function DomainsError(reason, errorOrMessage) {
    assert.strictEqual(typeof reason, 'string');
    assert(errorOrMessage instanceof Error || typeof errorOrMessage === 'string' || typeof errorOrMessage === 'undefined');

@@ -55,17 +65,17 @@ function DomainError(reason, errorOrMessage) {
        this.nestedError = errorOrMessage;
    }
 }
-util.inherits(DomainError, Error);
+util.inherits(DomainsError, Error);

-DomainError.NOT_FOUND = 'No such domain';
-DomainError.ALREADY_EXISTS = 'Domain already exists';
-DomainError.EXTERNAL_ERROR = 'External error';
-DomainError.BAD_FIELD = 'Bad Field';
-DomainError.STILL_BUSY = 'Still busy';
-DomainError.IN_USE = 'In Use';
-DomainError.INTERNAL_ERROR = 'Internal error';
-DomainError.ACCESS_DENIED = 'Access denied';
-DomainError.INVALID_PROVIDER = 'provider must be route53, gcdns, digitalocean, cloudflare, noop, manual or caas';
+DomainsError.NOT_FOUND = 'No such domain';
+DomainsError.ALREADY_EXISTS = 'Domain already exists';
+DomainsError.EXTERNAL_ERROR = 'External error';
+DomainsError.BAD_FIELD = 'Bad Field';
+DomainsError.STILL_BUSY = 'Still busy';
+DomainsError.IN_USE = 'In Use';
+DomainsError.INTERNAL_ERROR = 'Internal error';
+DomainsError.ACCESS_DENIED = 'Access denied';
+DomainsError.INVALID_PROVIDER = 'provider must be route53, gcdns, digitalocean, gandi, cloudflare, namecom, noop, wildcard, manual or caas';

 // choose which subdomain backend we use for test purpose we use route53
 function api(provider) {
@@ -77,14 +87,23 @@ function api(provider) {
    case 'route53': return require('./dns/route53.js');
    case 'gcdns': return require('./dns/gcdns.js');
    case 'digitalocean': return require('./dns/digitalocean.js');
+    case 'gandi': return require('./dns/gandi.js');
+    case 'godaddy': return require('./dns/godaddy.js');
+    case 'namecom': return require('./dns/namecom.js');
    case 'noop': return require('./dns/noop.js');
    case 'manual': return require('./dns/manual.js');
+    case 'wildcard': return require('./dns/wildcard.js');
    default: return null;
    }
 }

-function verifyDnsConfig(config, domain, zoneName, provider, ip, callback) {
-    assert(config && typeof config === 'object'); // the dns config to test with
+function parentDomain(domain) {
+    assert.strictEqual(typeof domain, 'string');
+    return domain.replace(/^\S+?\./, ''); // +? means non-greedy
+}
+
+function verifyDnsConfig(dnsConfig, domain, zoneName, provider, ip, callback) {
+    assert(dnsConfig && typeof dnsConfig === 'object'); // the dns config to test with
    assert.strictEqual(typeof domain, 'string');
    assert.strictEqual(typeof zoneName, 'string');
    assert.strictEqual(typeof provider, 'string');
@@ -92,55 +111,133 @@ function verifyDnsConfig(config, domain, zoneName, provider, ip, callback) {
    assert.strictEqual(typeof callback, 'function');

    var backend = api(provider);
-    if (!backend) return callback(new DomainError(DomainError.INVALID_PROVIDER));
+    if (!backend) return callback(new DomainsError(DomainsError.BAD_FIELD, 'Invalid provider'));

-    api(provider).verifyDnsConfig(config, domain, zoneName, ip, callback);
+    api(provider).verifyDnsConfig(dnsConfig, domain, zoneName, ip, function (error, result) {
+        if (error && error.reason === DomainsError.ACCESS_DENIED) return callback(new DomainsError(DomainsError.BAD_FIELD, 'Incorrect configuration. Access denied'));
+        if (error && error.reason === DomainsError.NOT_FOUND) return callback(new DomainsError(DomainsError.BAD_FIELD, 'Zone not found'));
+        if (error && error.reason === DomainsError.EXTERNAL_ERROR) return callback(new DomainsError(DomainsError.BAD_FIELD, 'Configuration error: ' + error.message));
+        if (error && error.reason === DomainsError.BAD_FIELD) return callback(new DomainsError(DomainsError.BAD_FIELD, error.message));
+        if (error && error.reason === DomainsError.INVALID_PROVIDER) return callback(new DomainsError(DomainsError.BAD_FIELD, error.message));
+        if (error) return callback(new DomainsError(DomainsError.INTERNAL_ERROR, error));
+
+        result.hyphenatedSubdomains = !!dnsConfig.hyphenatedSubdomains;
+
+        callback(null, result);
+    });
 }

+function fqdn(location, domainObject) {
+    return location + (location ? (domainObject.config.hyphenatedSubdomains ? '-' : '.') : '') + domainObject.domain;
+}

-function add(domain, zoneName, provider, config, fallbackCertificate, tlsConfig, callback) {
-    assert.strictEqual(typeof domain, 'string');
-    assert.strictEqual(typeof zoneName, 'string');
-    assert.strictEqual(typeof provider, 'string');
-    assert.strictEqual(typeof config, 'object');
-    assert.strictEqual(typeof fallbackCertificate, 'object');
+// Hostname validation comes from RFC 1123 (section 2.1)
+// Domain name validation comes from RFC 2181 (Name syntax)
+// https://en.wikipedia.org/wiki/Hostname#Restrictions_on_valid_host_names
+// We are validating the validity of the location-fqdn as host name (and not dns name)
+function validateHostname(location, domainObject) {
+    assert.strictEqual(typeof location, 'string');
+    assert.strictEqual(typeof domainObject, 'object');
+
+    const hostname = fqdn(location, domainObject);
+
+    const RESERVED_LOCATIONS = [
+        constants.API_LOCATION,
+        constants.SMTP_LOCATION,
+        constants.IMAP_LOCATION
+    ];
+    if (RESERVED_LOCATIONS.indexOf(location) !== -1) return new DomainsError(DomainsError.BAD_FIELD, location + ' is reserved');
+
+    if (hostname === config.adminFqdn()) return new DomainsError(DomainsError.BAD_FIELD, location + ' is reserved');
+
+    // workaround https://github.com/oncletom/tld.js/issues/73
+    var tmp = hostname.replace('_', '-');
+    if (!tld.isValid(tmp)) return new DomainsError(DomainsError.BAD_FIELD, 'Hostname is not a valid domain name');
+
+    if (hostname.length > 253) return new DomainsError(DomainsError.BAD_FIELD, 'Hostname length exceeds 253 characters');
+
+    if (location) {
+        // label validation
+        if (location.split('.').some(function (p) { return p.length > 63 || p.length < 1; })) return new DomainsError(DomainsError.BAD_FIELD, 'Invalid subdomain length');
+        if (location.match(/^[A-Za-z0-9-.]+$/) === null) return new DomainsError(DomainsError.BAD_FIELD, 'Subdomain can only contain alphanumeric, hyphen and dot');
+        if (/^[-.]/.test(location)) return new DomainsError(DomainsError.BAD_FIELD, 'Subdomain cannot start or end with hyphen or dot');
+    }
+
+    if (domainObject.config.hyphenatedSubdomains) {
+        if (location.indexOf('.') !== -1) return new DomainsError(DomainsError.BAD_FIELD, 'Subdomain cannot contain a dot');
+    }
+
+    return null;
+}
+
+function validateTlsConfig(tlsConfig, dnsProvider) {
    assert.strictEqual(typeof tlsConfig, 'object');
+    assert.strictEqual(typeof dnsProvider, 'string');
+
+    switch (tlsConfig.provider) {
+    case 'letsencrypt-prod':
+    case 'letsencrypt-staging':
+    case 'fallback':
+    case 'caas':
+        break;
+    default:
+        return new DomainsError(DomainsError.BAD_FIELD, 'tlsConfig.provider must be caas, fallback, letsencrypt-prod/staging');
+    }
+
+    if (tlsConfig.wildcard) {
+        if (!tlsConfig.provider.startsWith('letsencrypt')) return new DomainsError(DomainsError.BAD_FIELD, 'wildcard can only be set with letsencrypt');
+        if (dnsProvider === 'manual' || dnsProvider === 'noop' || dnsProvider === 'wildcard') return new DomainsError(DomainsError.BAD_FIELD, 'wildcard cert requires a programmable DNS backend');
+    }
+
+    return null;
+}
+
+function add(domain, data, auditSource, callback) {
+    assert.strictEqual(typeof domain, 'string');
+    assert.strictEqual(typeof data.zoneName, 'string');
+    assert.strictEqual(typeof data.provider, 'string');
+    assert.strictEqual(typeof data.config, 'object');
+    assert.strictEqual(typeof data.fallbackCertificate, 'object');
+    assert.strictEqual(typeof data.tlsConfig, 'object');
    assert.strictEqual(typeof callback, 'function');

-    if (!tld.isValid(domain)) return callback(new DomainError(DomainError.BAD_FIELD, 'Invalid domain'));
+    let { zoneName, provider, config, fallbackCertificate, tlsConfig } = data;
+
+    if (!tld.isValid(domain)) return callback(new DomainsError(DomainsError.BAD_FIELD, 'Invalid domain'));
+    if (domain.endsWith('.')) return callback(new DomainsError(DomainsError.BAD_FIELD, 'Invalid domain'));

    if (zoneName) {
-        if (!tld.isValid(zoneName)) return callback(new DomainError(DomainError.BAD_FIELD, 'Invalid zoneName'));
+        if (!tld.isValid(zoneName)) return callback(new DomainsError(DomainsError.BAD_FIELD, 'Invalid zoneName'));
+        if (zoneName.endsWith('.')) return callback(new DomainsError(DomainsError.BAD_FIELD, 'Invalid zoneName'));
    } else {
        zoneName = tld.getDomain(domain) || domain;
    }

    if (fallbackCertificate) {
-        let error = reverseProxy.validateCertificate(`test.${domain}`, fallbackCertificate.cert, fallbackCertificate.key);
-        if (error) return callback(new DomainError(DomainError.BAD_FIELD, error.message));
+        let error = reverseProxy.validateCertificate('test', { domain, config }, fallbackCertificate);
+        if (error) return callback(new DomainsError(DomainsError.BAD_FIELD, error.message));
+    } else {
+        fallbackCertificate = reverseProxy.generateFallbackCertificateSync({ domain, config });
+        if (fallbackCertificate.error) return callback(new DomainsError(DomainsError.INTERNAL_ERROR, fallbackCertificate.error));
    }

-    if (tlsConfig.provider !== 'fallback' && tlsConfig.provider !== 'caas' && tlsConfig.provider.indexOf('letsencrypt-') !== 0) {
-        return callback(new DomainError(DomainError.BAD_FIELD, 'tlsConfig.provider must be caas, fallback or le-*'));
-    }
+    let error = validateTlsConfig(tlsConfig, provider);
+    if (error) return callback(error);

    sysinfo.getPublicIp(function (error, ip) {
-        if (error) return callback(new DomainError(DomainError.INTERNAL_ERROR, 'Error getting IP:' + error.message));
+        if (error) return callback(new DomainsError(DomainsError.INTERNAL_ERROR, 'Error getting IP:' + error.message));

-        verifyDnsConfig(config, domain, zoneName, provider, ip, function (error, result) {
-            if (error && error.reason === DomainError.ACCESS_DENIED) return callback(new DomainError(DomainError.BAD_FIELD, 'Error adding A record. Access denied'));
-            if (error && error.reason === DomainError.NOT_FOUND) return callback(new DomainError(DomainError.BAD_FIELD, 'Zone not found'));
-            if (error && error.reason === DomainError.EXTERNAL_ERROR) return callback(new DomainError(DomainError.BAD_FIELD, 'Error adding A record:' + error.message));
-            if (error && error.reason === DomainError.BAD_FIELD) return callback(new DomainError(DomainError.BAD_FIELD, error.message));
-            if (error && error.reason === DomainError.INVALID_PROVIDER) return callback(new DomainError(DomainError.BAD_FIELD, error.message));
-            if (error) return callback(new DomainError(DomainError.INTERNAL_ERROR, error));
+        verifyDnsConfig(config, domain, zoneName, provider, ip, function (error, sanitizedConfig) {
+            if (error) return callback(error);

-            domaindb.add(domain, { zoneName: zoneName, provider: provider, config: result, tlsConfig: tlsConfig }, function (error) {
-                if (error && error.reason === DatabaseError.ALREADY_EXISTS) return callback(new DomainError(DomainError.ALREADY_EXISTS));
-                if (error) return callback(new DomainError(DomainError.INTERNAL_ERROR, error));
+            domaindb.add(domain, { zoneName: zoneName, provider: provider, config: sanitizedConfig, tlsConfig: tlsConfig }, function (error) {
+                if (error && error.reason === DatabaseError.ALREADY_EXISTS) return callback(new DomainsError(DomainsError.ALREADY_EXISTS));
+                if (error) return callback(new DomainsError(DomainsError.INTERNAL_ERROR, error));

                reverseProxy.setFallbackCertificate(domain, fallbackCertificate, function (error) {
-                    if (error) return callback(new DomainError(DomainError.INTERNAL_ERROR, error));
+                    if (error) return callback(new DomainsError(DomainsError.INTERNAL_ERROR, error));
+
+                    eventlog.add(eventlog.ACTION_DOMAIN_ADD, auditSource, { domain, zoneName, provider });

                    callback();
                });
@@ -149,22 +246,28 @@ function add(domain, zoneName, provider, config, fallbackCertificate, tlsConfig,
    });
 }

+function isLocked(domain) {
+    return domain === config.adminDomain() && config.edition() === 'hostingprovider';
+}
+
 function get(domain, callback) {
    assert.strictEqual(typeof domain, 'string');
    assert.strictEqual(typeof callback, 'function');

    domaindb.get(domain, function (error, result) {
        // TODO try to find subdomain entries maybe based on zoneNames or so
-        if (error && error.reason === DatabaseError.NOT_FOUND) return callback(new DomainError(DomainError.NOT_FOUND));
-        if (error) return callback(new DomainError(DomainError.INTERNAL_ERROR, error));
+        if (error && error.reason === DatabaseError.NOT_FOUND) return callback(new DomainsError(DomainsError.NOT_FOUND));
+        if (error) return callback(new DomainsError(DomainsError.INTERNAL_ERROR, error));
+
+        result.locked = isLocked(domain);

        reverseProxy.getFallbackCertificate(domain, function (error, bundle) {
-            if (error && error.reason !== ReverseProxyError.NOT_FOUND) return callback(new DomainError(DomainError.INTERNAL_ERROR, error));
+            if (error && error.reason !== ReverseProxyError.NOT_FOUND) return callback(new DomainsError(DomainsError.INTERNAL_ERROR, error));

            var cert = safe.fs.readFileSync(bundle.certFilePath, 'utf-8');
            var key = safe.fs.readFileSync(bundle.keyFilePath, 'utf-8');

-            if (!cert || !key) return callback(new DomainError(DomainError.INTERNAL_ERROR, 'unable to read certificates from disk'));
+            if (!cert || !key) return callback(new DomainsError(DomainsError.INTERNAL_ERROR, 'unable to read certificates from disk'));

            result.fallbackCertificate = { cert: cert, key: key };

@@ -177,52 +280,60 @@ function getAll(callback) {
    assert.strictEqual(typeof callback, 'function');

    domaindb.getAll(function (error, result) {
-        if (error) return callback(new DomainError(DomainError.INTERNAL_ERROR, error));
+        if (error) return callback(new DomainsError(DomainsError.INTERNAL_ERROR, error));
+
+        result.forEach(function (r) { r.locked = isLocked(r.domain); });

        return callback(null, result);
    });
 }

-function update(domain, provider, config, fallbackCertificate, tlsConfig, callback) {
+function update(domain, data, auditSource, callback) {
    assert.strictEqual(typeof domain, 'string');
-    assert.strictEqual(typeof provider, 'string');
-    assert.strictEqual(typeof config, 'object');
-    assert.strictEqual(typeof fallbackCertificate, 'object');
-    assert.strictEqual(typeof tlsConfig, 'object');
+    assert.strictEqual(typeof data.zoneName, 'string');
+    assert.strictEqual(typeof data.provider, 'string');
+    assert.strictEqual(typeof data.config, 'object');
+    assert.strictEqual(typeof data.fallbackCertificate, 'object');
+    assert.strictEqual(typeof data.tlsConfig, 'object');
+    assert.strictEqual(typeof auditSource, 'object');
    assert.strictEqual(typeof callback, 'function');

-    domaindb.get(domain, function (error, result) {
-        if (error && error.reason === DatabaseError.NOT_FOUND) return callback(new DomainError(DomainError.NOT_FOUND));
-        if (error) return callback(new DomainError(DomainError.INTERNAL_ERROR, error));
+    let { zoneName, provider, config, fallbackCertificate, tlsConfig } = data;
+
+    domaindb.get(domain, function (error, domainObject) {
+        if (error && error.reason === DatabaseError.NOT_FOUND) return callback(new DomainsError(DomainsError.NOT_FOUND));
+        if (error) return callback(new DomainsError(DomainsError.INTERNAL_ERROR, error));
+
+        if (zoneName) {
+            if (!tld.isValid(zoneName)) return callback(new DomainsError(DomainsError.BAD_FIELD, 'Invalid zoneName'));
+        } else {
+            zoneName = domainObject.zoneName;
+        }

        if (fallbackCertificate) {
-            let error = reverseProxy.validateCertificate(`test.${domain}`, fallbackCertificate.cert, fallbackCertificate.key);
-            if (error) return callback(new DomainError(DomainError.BAD_FIELD, error.message));
+            let error = reverseProxy.validateCertificate('test', domainObject, fallbackCertificate);
+            if (error) return callback(new DomainsError(DomainsError.BAD_FIELD, error.message));
        }

-        if (tlsConfig.provider !== 'fallback' && tlsConfig.provider !== 'caas' && tlsConfig.provider.indexOf('letsencrypt-') !== 0) {
-            return callback(new DomainError(DomainError.BAD_FIELD, 'tlsConfig.provider must be caas, fallback or letsencrypt-*'));
-        }
+        error = validateTlsConfig(tlsConfig, provider);
+        if (error) return callback(error);

        sysinfo.getPublicIp(function (error, ip) {
-            if (error) return callback(new DomainError(DomainError.INTERNAL_ERROR, 'Error getting IP:' + error.message));
+            if (error) return callback(new DomainsError(DomainsError.INTERNAL_ERROR, 'Error getting IP:' + error.message));

-            verifyDnsConfig(config, domain, result.zoneName, provider, ip, function (error, result) {
-                if (error && error.reason === DomainError.ACCESS_DENIED) return callback(new DomainError(DomainError.BAD_FIELD, 'Error adding A record. Access denied'));
-                if (error && error.reason === DomainError.NOT_FOUND) return callback(new DomainError(DomainError.BAD_FIELD, 'Zone not found'));
-                if (error && error.reason === DomainError.EXTERNAL_ERROR) return callback(new DomainError(DomainError.BAD_FIELD, 'Error adding A record:' + error.message));
-                if (error && error.reason === DomainError.BAD_FIELD) return callback(new DomainError(DomainError.BAD_FIELD, error.message));
-                if (error && error.reason === DomainError.INVALID_PROVIDER) return callback(new DomainError(DomainError.BAD_FIELD, error.message));
-                if (error) return callback(new DomainError(DomainError.INTERNAL_ERROR, error));
+            verifyDnsConfig(config, domain, zoneName, provider, ip, function (error, sanitizedConfig) {
+                if (error) return callback(error);

-                domaindb.update(domain, { provider: provider, config: result, tlsConfig: tlsConfig }, function (error) {
-                    if (error && error.reason === DatabaseError.NOT_FOUND) return callback(new DomainError(DomainError.NOT_FOUND));
-                    if (error) return callback(new DomainError(DomainError.INTERNAL_ERROR, error));
+                domaindb.update(domain, { zoneName: zoneName, provider: provider, config: sanitizedConfig, tlsConfig: tlsConfig }, function (error) {
+                    if (error && error.reason === DatabaseError.NOT_FOUND) return callback(new DomainsError(DomainsError.NOT_FOUND));
+                    if (error) return callback(new DomainsError(DomainsError.INTERNAL_ERROR, error));

                    if (!fallbackCertificate) return callback();

                    reverseProxy.setFallbackCertificate(domain, fallbackCertificate, function (error) {
-                        if (error) return callback(new DomainError(DomainError.INTERNAL_ERROR, error));
+                        if (error) return callback(new DomainsError(DomainsError.INTERNAL_ERROR, error));
+
+                        eventlog.add(eventlog.ACTION_DOMAIN_UPDATE, auditSource, { domain, zoneName, provider });

                        callback();
                    });
@@ -232,28 +343,56 @@ function update(domain, provider, config, fallbackCertificate, tlsConfig, callba
    });
 }

-function del(domain, callback) {
+function del(domain, auditSource, callback) {
    assert.strictEqual(typeof domain, 'string');
+    assert.strictEqual(typeof auditSource, 'object');
    assert.strictEqual(typeof callback, 'function');

+    if (domain === config.adminDomain()) return callback(new DomainsError(DomainsError.IN_USE));
+
    domaindb.del(domain, function (error) {
-        if (error && error.reason === DatabaseError.NOT_FOUND) return callback(new DomainError(DomainError.NOT_FOUND));
-        if (error && error.reason === DatabaseError.IN_USE) return callback(new DomainError(DomainError.IN_USE));
-        if (error) return callback(new DomainError(DomainError.INTERNAL_ERROR, error));
+        if (error && error.reason === DatabaseError.NOT_FOUND) return callback(new DomainsError(DomainsError.NOT_FOUND));
+        if (error && error.reason === DatabaseError.IN_USE) return callback(new DomainsError(DomainsError.IN_USE));
+        if (error) return callback(new DomainsError(DomainsError.INTERNAL_ERROR, error));
+
+        eventlog.add(eventlog.ACTION_DOMAIN_REMOVE, auditSource, { domain });

        return callback(null);
    });
 }

-function getName(domain, subdomain) {
-    // support special caas domains
+function clear(callback) {
+    assert.strictEqual(typeof callback, 'function');
+
+    domaindb.clear(function (error) {
+        if (error) return callback(new DomainsError(DomainsError.INTERNAL_ERROR, error));
+
+        return callback(null);
+    });
+}
+
+// returns the 'name' that needs to be inserted into zone
+function getName(domain, subdomain, type) {
+    // hack for supporting special caas domains. if we want to remove this, we have to fix the appstore domain API first
    if (domain.provider === 'caas') return subdomain;

-    if (domain.domain === domain.zoneName) return subdomain;
+    const part = domain.domain.slice(0, -domain.zoneName.length - 1);

-    var part = domain.domain.slice(0, -domain.zoneName.length - 1);
+    if (subdomain === '') return part;

-    return subdomain === '' ? part : subdomain + '.' + part;
+    if (!domain.config.hyphenatedSubdomains) return part ? `${subdomain}.${part}` : subdomain;
+
+    // hyphenatedSubdomains
+    if (type !== 'TXT') return `${subdomain}-${part}`;
+
+    if (subdomain.startsWith('_acme-challenge.')) {
+        return `${subdomain}-${part}`;
+    } else if (subdomain === '_acme-challenge') {
+        const up = part.replace(/^[^.]*\.?/, ''); // this gets the domain one level up
+        return up ? `${subdomain}.${up}` : subdomain;
+    } else {
+        return `${subdomain}.${part}`;
+    }
 }

 function getDnsRecords(subdomain, domain, type, callback) {
@@ -263,9 +402,9 @@ function getDnsRecords(subdomain, domain, type, callback) {
    assert.strictEqual(typeof callback, 'function');

    get(domain, function (error, result) {
-        if (error) return callback(new DomainError(DomainError.INTERNAL_ERROR, error));
+        if (error) return callback(new DomainsError(DomainsError.INTERNAL_ERROR, error));

-        api(result.provider).get(result.config, result.zoneName, getName(result, subdomain), type, function (error, values) {
+        api(result.provider).get(result.config, result.zoneName, getName(result, subdomain, type), type, function (error, values) {
            if (error) return callback(error);

            callback(null, values);
@@ -273,6 +412,7 @@ function getDnsRecords(subdomain, domain, type, callback) {
    });
 }

+// note: for TXT records the values must be quoted
 function upsertDnsRecords(subdomain, domain, type, values, callback) {
    assert.strictEqual(typeof subdomain, 'string');
    assert.strictEqual(typeof domain, 'string');
@@ -283,12 +423,12 @@ function upsertDnsRecords(subdomain, domain, type, values, callback) {
    debug('upsertDNSRecord: %s on %s type %s values', subdomain, domain, type, values);

    get(domain, function (error, result) {
-        if (error) return callback(new DomainError(DomainError.INTERNAL_ERROR, error));
+        if (error) return callback(new DomainsError(DomainsError.INTERNAL_ERROR, error));

-        api(result.provider).upsert(result.config, result.zoneName, getName(result, subdomain), type, values, function (error, changeId) {
+        api(result.provider).upsert(result.config, result.zoneName, getName(result, subdomain, type), type, values, function (error) {
            if (error) return callback(error);

-            callback(null, changeId);
+            callback(null);
        });
    });
 }
@@ -305,55 +445,52 @@ function removeDnsRecords(subdomain, domain, type, values, callback) {
    get(domain, function (error, result) {
        if (error) return callback(error);

-        api(result.provider).del(result.config, result.zoneName, getName(result, subdomain), type, values, function (error) {
-            if (error && error.reason !== DomainError.NOT_FOUND) return callback(error);
+        api(result.provider).del(result.config, result.zoneName, getName(result, subdomain, type), type, values, function (error) {
+            if (error && error.reason !== DomainsError.NOT_FOUND) return callback(error);

            callback(null);
        });
    });
 }

-// only wait for A record
-function waitForDnsRecord(fqdn, domain, value, options, callback) {
-    assert.strictEqual(typeof fqdn, 'string');
+function waitForDnsRecord(subdomain, domain, type, value, options, callback) {
+    assert.strictEqual(typeof subdomain, 'string');
    assert.strictEqual(typeof domain, 'string');
+    assert(type === 'A' || type === 'TXT');
    assert.strictEqual(typeof value, 'string');
    assert(options && typeof options === 'object'); // { interval: 5000, times: 50000 }
    assert.strictEqual(typeof callback, 'function');

-    get(domain, function (error, result) {
+    get(domain, function (error, domainObject) {
        if (error) return callback(error);

-        api(result.provider).waitForDns(fqdn, result ? result.zoneName : domain, value, options, callback);
+        const hostname = fqdn(subdomain, domainObject);
+
+        api(domainObject.provider).waitForDns(hostname, domainObject.zoneName, type, value, options, callback);
    });
 }

-function setAdmin(domain, callback) {
-    assert.strictEqual(typeof domain, 'string');
-    assert.strictEqual(typeof callback, 'function');
-
-    debug('setAdmin domain:%s', domain);
-
-    get(domain, function (error, result) {
-        if (error) return callback(error);
-
-        var setPtrRecord = config.provider() === 'caas' ? caas.setPtrRecord : function (d, next) { next(); };
-
-        setPtrRecord(domain, function (error) {
-            if (error) return callback(new DomainError(DomainError.EXTERNAL_ERROR, 'Error setting PTR record:' + error.message));
-
-            config.setAdminDomain(result.domain);
-            config.setAdminLocation('my');
-            config.setAdminFqdn('my' + (result.provider === 'caas' ? '-' : '.') + result.domain);
-
-            callback();
-
-            shell.sudo('restart', [ RESTART_CMD ], NOOP_CALLBACK);
-        });
-    });
+// removes all fields that are strictly private and should never be returned by API calls
+function removePrivateFields(domain) {
+    var result = _.pick(domain, 'domain', 'zoneName', 'provider', 'config', 'tlsConfig', 'fallbackCertificate', 'locked');
+    if (result.fallbackCertificate) delete result.fallbackCertificate.key;  // do not return the 'key'. in caas, this is private
+    return result;
 }

-function fqdn(location, domain, provider) {
-    return location + (location ? (provider !== 'caas' ? '.' : '-') : '') + domain;
+// removes all fields that are not accessible by a normal user
+function removeRestrictedFields(domain) {
+    var result = _.pick(domain, 'domain', 'zoneName', 'provider', 'locked');
+
+    // always ensure config object
+    result.config = { hyphenatedSubdomains: !!domain.config.hyphenatedSubdomains };
+
+    return result;
 }

+function makeWildcard(hostname) {
+    assert.strictEqual(typeof hostname, 'string');
+
+    let parts = hostname.split('.');
+    parts[0] = '*';
+    return parts.join('.');
+}
@@ -18,16 +18,35 @@ exports = module.exports = {
    ACTION_APP_UNINSTALL: 'app.uninstall',
    ACTION_APP_UPDATE: 'app.update',
    ACTION_APP_LOGIN: 'app.login',
+
    ACTION_BACKUP_FINISH: 'backup.finish',
    ACTION_BACKUP_START: 'backup.start',
    ACTION_BACKUP_CLEANUP: 'backup.cleanup',
+
+    ACTION_CERTIFICATE_NEW: 'certificate.new',
    ACTION_CERTIFICATE_RENEWAL: 'certificate.renew',
+
+    ACTION_DOMAIN_ADD: 'domain.add',
+    ACTION_DOMAIN_UPDATE: 'domain.update',
+    ACTION_DOMAIN_REMOVE: 'domain.remove',
+
+    ACTION_MAIL_ENABLED: 'mail.enabled',
+    ACTION_MAIL_DISABLED: 'mail.disabled',
+    ACTION_MAIL_MAILBOX_ADD: 'mail.box.add',
+    ACTION_MAIL_MAILBOX_REMOVE: 'mail.box.remove',
+    ACTION_MAIL_LIST_ADD: 'mail.list.add',
+    ACTION_MAIL_LIST_REMOVE: 'mail.list.remove',
+
+    ACTION_PROVISION: 'cloudron.provision',
+    ACTION_RESTORE: 'cloudron.restore', // unused
    ACTION_START: 'cloudron.start',
    ACTION_UPDATE: 'cloudron.update',
+
    ACTION_USER_ADD: 'user.add',
    ACTION_USER_LOGIN: 'user.login',
    ACTION_USER_REMOVE: 'user.remove',
-    ACTION_USER_UPDATE: 'user.update'
+    ACTION_USER_UPDATE: 'user.update',
+    ACTION_USER_TRANSFER: 'user.transfer',
 };

 var assert = require('assert'),
@@ -121,14 +140,7 @@ function cleanup(callback) {
    var d = new Date();
    d.setDate(d.getDate() - 10); // 10 days ago

-    // only cleanup high frequency events
-    var actions = [
-        exports.ACTION_USER_LOGIN,
-        exports.ACTION_BACKUP_START,
-        exports.ACTION_BACKUP_FINISH
-    ];
-
-    eventlogdb.delByCreationTime(d, actions, function (error) {
+    eventlogdb.delByCreationTime(d, function (error) {
        if (error) return callback(new EventLogError(EventLogError.INTERNAL_ERROR, error));

        callback(null);
--- a/Show More
+++ b/Show More