[WIP] Allow multiple installations of same blueprint (#88)

* Multi-install support, Blueprints and config changes. Initial commit

* Migrating jails to blueprints, first steps.
Tested Working:
- Transmission
- Lidarr
- Sonarr
- Radarr

fix lidarr config (+10 squashed commit)

Squashed commit:

[5f14653] always link ports folders

[f18f2f0] Optional (blueprint) ports mount
Fixes #89

[96ef7e7] chmod all the things

[129e707] same mistake... again...

[e1596dc] missing reference

[6da3567] Forgot one reference

[d78b5b6] Update wiki.yml

[cecc53a] Update filecheck.yml

[5244abd] basic settings changed.
More involved blueprints still need changes, such as: Bitwarden, nextcloud, Mariadb

[6568e92] jails -> blueprints

* Added Tested Working:
- KMS
- Plex
- Tautulli
- Organizr
- InfluxDB
- MariaDB

Many squashed small fixes included:
Make *.rc executable (+13 squashed commit)

Squashed commit:

[b28aa83] use .rc for rc.d config files

[e940a48] some mariadb cleanup

[dc27aff] testing another way

[83bd91b] Mariadb root password alter instead of update, initial config for unifi

[0ca3074] some light config cleanup

[a0d4352] also remove database from influxdb example config (db should be created when required)

[2c218cc] Prepare influxdb and remove unneeded content

[1b34109] more shellcheck fixups

[c96566c] Some shellcheck cleanup

[8969ca7] bitwarden mostly done, some work on nextcloud and unifi

[7f89bfa] initial mariadb patch

[dd7e85f] missed one problem

[f814cb7] Initial pseudo-compatibility patch for unifi

* Enable Bitwarden support and some small fixes/tweaks
Fixes #95

more bugs and typo's (+3 squashed commit)

Squashed commit:

[3b5213e] Bitwarden not correctly installing db

[b7438a5] yeah thats not gonna cut it... >.<

[e7987c2] some slight bitwarden tweaks

* Enable Unifi support and some small fixes/tweaks

small unifi cleanup. Unifi is working (+3 squashed commit)

Squashed commit:

[d906d2d] chmod unifi

[545e999] Add extra sanity, remove unneeded variables from example

[b8c0b24] Some small Unifi Tweaks

* Nextcloud Cleanup, Some fixes, Initial support for blueprintsystem
Fixes #96
Fixes #97
Fixes #98

some bloat and syntax fixes (+5 squashed commit)

Squashed commit:

[78f6428] Some more nextcloud cleanup and tweaks
- combines multiple variables for cert system selection (Fixes #98 )
- Default to self signed cert
- Force manual admin password

[7cacae4] slight fixes

[3d81cda] More cleanup

[50496cc] small mariadb fix and more nextcloud cleanup

[c1b2c20] Cleaning nextcloud
- Remove external DB (Fixes #97 )
- Remove Postgresql (Fixes #96 )
- Some preparation for blueprint

* Nextcloud done

and..  another... (+5 squashed commit)

Squashed commit:

[c65751b] caddy not installed right.

[e5da66b] more fixes

[a33300e] Damnit, two typo's same scentence

[4292a7a] another typo

[1b820cf] typo and example hotfix

* Introduce version checking for config file

blueprints/bitwarden/config.yml

@@ -0,0 +1,3 @@
+blueprint:
+  bitwarden:
+    pkgs: sqlite3 nginx git sudo vim-tiny bash node npm python27-2.7.17_1 mariadb104-client

blueprints/bitwarden/includes/bitwarden.rc

@@ -0,0 +1,17 @@
+#!/bin/sh
+
+# PROVIDE: bitwarden
+# REQUIRE: LOGIN DAEMON NETWORKING FILESYSTEMS
+# KEYWORD: jail rust
+
+. /etc/rc.subr
+
+name="bitwarden"
+
+
+rcvar=${name}_enable
+pidfile="/var/run/${name}.pid"
+command="/usr/sbin/daemon"
+command_args="-u bitwarden -c -f -P ${pidfile} -r /usr/local/share/bitwarden/bin/bitwarden_rs"
+load_rc_config $name
+run_rc_command "$1"

blueprints/bitwarden/includes/bitwarden.rc.conf

@@ -0,0 +1,13 @@
+export DATA_FOLDER="/config"
+export ENABLE_DB_WAL="false"
+export ROCKET_TLS="{certs="/config/ssl/bitwarden-ssl.crt",key="/config/ssl/bitwarden-ssl.key"}"
+export LOG_FILE="/config/bitwarden.log"
+export WEB_VAULT_FOLDER="/usr/local/share/bitwarden/web-vault"
+export LOG_LEVEL="trace"
+export WEBSOCKET_ENABLED="true"
+export DISABLE_ICON_DOWNLOAD=false
+export ICON_CACHE_FOLDER="/config/icon_cache"
+export ICON_CACHE_TTL=2592000
+export ICON_CACHE_NEGTTL=259200
+export ROCKET_WORKERS=20
+export ROCKET_PORT=8000

blueprints/bitwarden/install.sh

@@ -0,0 +1,119 @@
+#!/usr/local/bin/bash
+# This file contains the install script for bitwarden
+
+# Initialise defaults
+JAIL_IP="jail_${1}_ip4_addr"
+JAIL_IP="${!JAIL_IP%/*}"
+HOST_NAME="jail_${1}_host_name"
+
+DB_DATABASE="jail_${1}_db_database"
+DB_DATABASE="${!DB_DATABASE:-$1}"
+
+DB_USER="jail_${1}_db_user"
+DB_USER="${!DB_USER:-$DB_DATABASE}"
+
+# shellcheck disable=SC2154
+INSTALL_TYPE="jail_${1}_db_type"
+INSTALL_TYPE="${!INSTALL_TYPE:-mariadb}"
+
+DB_JAIL="jail_${1}_db_jail"
+# shellcheck disable=SC2154
+DB_HOST="jail_${!DB_JAIL}_ip4_addr"
+DB_HOST="${!DB_HOST%/*}:3306"
+
+# shellcheck disable=SC2154
+DB_PASSWORD="jail_${1}_db_password"
+DB_STRING="mysql://${DB_USER}:${!DB_PASSWORD}@${DB_HOST}/${DB_DATABASE}"
+# shellcheck disable=SC2154
+ADMIN_TOKEN="jail_${1}_admin_token"
+
+if [ -z "${!DB_PASSWORD}" ]; then
+	echo "db_password can't be empty"
+	exit 1
+fi
+
+if [ -z "${!DB_JAIL}" ]; then
+	echo "db_jail can't be empty"
+	exit 1
+fi
+
+if [ -z "${!JAIL_IP}" ]; then
+	echo "ip4_addr can't be empty"
+	exit 1
+fi
+
+if [ -z "${!ADMIN_TOKEN}" ]; then
+ADMIN_TOKEN=$(openssl rand -base64 16)
+fi
+
+# install latest rust version, pkg version is outdated and can't build bitwarden_rs
+iocage exec "${1}" "curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y"
+
+# Install Bitwarden_rs
+iocage exec "${1}" mkdir -p /usr/local/share/bitwarden/src
+iocage exec "${1}" git clone https://github.com/dani-garcia/bitwarden_rs/ /usr/local/share/bitwarden/src
+TAG=$(iocage exec "${1}" "git -C /usr/local/share/bitwarden/src tag --sort=v:refname | tail -n1")
+iocage exec "${1}" "git -C /usr/local/share/bitwarden/src checkout ${TAG}"
+#TODO replace with: cargo build --features mysql --release
+if [ "${INSTALL_TYPE}" == "mariadb" ]; then
+	iocage exec "${1}" "cd /usr/local/share/bitwarden/src && $HOME/.cargo/bin/cargo build --features mysql --release"
+	iocage exec "${1}" "cd /usr/local/share/bitwarden/src && $HOME/.cargo/bin/cargo install diesel_cli --no-default-features --features mysql"
+else
+	iocage exec "${1}" "cd /usr/local/share/bitwarden/src && $HOME/.cargo/bin/cargo build --features sqlite --release"
+	iocage exec "${1}" "cd /usr/local/share/bitwarden/src && $HOME/.cargo/bin/cargo install diesel_cli --no-default-features --features sqlite-bundled"
+fi
+
+
+iocage exec "${1}" cp -r /usr/local/share/bitwarden/src/target/release /usr/local/share/bitwarden/bin
+
+# Download and install webvault
+WEB_RELEASE_URL=$(curl -Ls -o /dev/null -w "%{url_effective}" https://github.com/dani-garcia/bw_web_builds/releases/latest)
+WEB_TAG="${WEB_RELEASE_URL##*/}"
+iocage exec "${1}" "fetch http://github.com/dani-garcia/bw_web_builds/releases/download/$WEB_TAG/bw_web_$WEB_TAG.tar.gz -o /usr/local/share/bitwarden"
+iocage exec "${1}" "tar -xzvf /usr/local/share/bitwarden/bw_web_$WEB_TAG.tar.gz -C /usr/local/share/bitwarden/"
+iocage exec "${1}" rm /usr/local/share/bitwarden/bw_web_"$WEB_TAG".tar.gz
+
+# shellcheck disable=SC2154
+if [ -f "/mnt/${global_dataset_config}/${1}/ssl/bitwarden-ssl.crt" ]; then
+    echo "certificate exist... Skipping cert generation"
+else
+	"No ssl certificate present, generating self signed certificate"
+	if [ ! -d "/mnt/${global_dataset_config}/${1}/ssl" ]; then
+		echo "cert folder not existing... creating..."
+		iocage exec "${1}" mkdir /config/ssl
+	fi
+	openssl req -new -newkey rsa:2048 -days 365 -nodes -x509 -subj "/C=US/ST=Denial/L=Springfield/O=Dis/CN=localhost" -keyout /mnt/"${global_dataset_config}"/"${1}"/ssl/bitwarden-ssl.key -out /mnt/"${global_dataset_config}"/"${1}"/ssl/bitwarden-ssl.crt
+fi
+
+if [ -f "/mnt/${global_dataset_config}/${1}/bitwarden.log" ]; then
+	echo "Reinstall of Bitwarden detected... using existing config and database"
+elif [ "${INSTALL_TYPE}" == "mariadb" ]; then
+	echo "No config detected, doing clean install, utilizing the Mariadb database ${DB_HOST}"
+	iocage exec "${!DB_JAIL}" mysql -u root -e "CREATE DATABASE ${DB_DATABASE};"
+	iocage exec "${!DB_JAIL}" mysql -u root -e "GRANT ALL ON ${DB_DATABASE}.* TO ${DB_USER}@${JAIL_IP} IDENTIFIED BY '${!DB_PASSWORD}';"
+	iocage exec "${!DB_JAIL}" mysqladmin reload
+else
+	echo "No config detected, doing clean install."
+fi
+
+iocage exec "${1}" "pw user add bitwarden -c bitwarden -u 725 -d /nonexistent -s /usr/bin/nologin"
+iocage exec "${1}" chown -R bitwarden:bitwarden /usr/local/share/bitwarden /config
+iocage exec "${1}" mkdir /usr/local/etc/rc.d /usr/local/etc/rc.conf.d
+# shellcheck disable=SC2154
+cp "${SCRIPT_DIR}"/blueprints/bitwarden/includes/bitwarden.rc /mnt/"${global_dataset_iocage}"/jails/"${1}"/root/usr/local/etc/rc.d/bitwarden
+cp "${SCRIPT_DIR}"/blueprints/bitwarden/includes/bitwarden.rc.conf /mnt/"${global_dataset_iocage}"/jails/"${1}"/root/usr/local/etc/rc.conf.d/bitwarden
+echo 'export DATABASE_URL="'"${DB_STRING}"'"' >> /mnt/"${global_dataset_iocage}"/jails/"${1}"/root/usr/local/etc/rc.conf.d/bitwarden
+echo 'export ADMIN_TOKEN="'"${!ADMIN_TOKEN}"'"' >> /mnt/"${global_dataset_iocage}"/jails/"${1}"/root/usr/local/etc/rc.conf.d/bitwarden
+
+if [ "${!ADMIN_TOKEN}" == "NONE" ]; then
+	echo "Admin_token set to NONE, disabling admin portal"
+else
+	echo "Admin_token set and admin portal enabled"
+	iocage exec "${1}" echo "${DB_NAME} Admin Token is ${!ADMIN_TOKEN}" > /root/"${1}"_admin_token.txt
+fi
+
+iocage exec "${1}" chmod u+x /usr/local/etc/rc.d/bitwarden
+iocage exec "${1}" sysrc "bitwarden_enable=YES"
+iocage exec "${1}" service bitwarden restart
+echo "Jail ${1} finished Bitwarden install."
+echo "Admin Token is ${!ADMIN_TOKEN}"

blueprints/bitwarden/readme.md

@@ -0,0 +1,69 @@
+# Bitwarden_RS
+
+
+## Original README from the Bitwarden_rs github:
+
+https://github.com/dani-garcia/bitwarden_rs
+
+# Bitwarden_RS
+### This is a Bitwarden server API implementation written in Rust compatible with [upstream Bitwarden clients](https://bitwarden.com/#download)*, perfect for self-hosted deployment where running the official resource-heavy service might not be ideal.
+
+---
+
+[![Travis Build Status](https://travis-ci.org/dani-garcia/bitwarden_rs.svg?branch=master)](https://travis-ci.org/dani-garcia/bitwarden_rs)
+[![Docker Pulls](https://img.shields.io/docker/pulls/bitwardenrs/server.svg)](https://hub.docker.com/r/bitwardenrs/server)
+[![Dependency Status](https://deps.rs/repo/github/dani-garcia/bitwarden_rs/status.svg)](https://deps.rs/repo/github/dani-garcia/bitwarden_rs)
+[![GitHub Release](https://img.shields.io/github/release/dani-garcia/bitwarden_rs.svg)](https://github.com/dani-garcia/bitwarden_rs/releases/latest)
+[![GPL-3.0 Licensed](https://img.shields.io/github/license/dani-garcia/bitwarden_rs.svg)](https://github.com/dani-garcia/bitwarden_rs/blob/master/LICENSE.txt)
+[![Matrix Chat](https://img.shields.io/matrix/bitwarden_rs:matrix.org.svg?logo=matrix)](https://matrix.to/#/#bitwarden_rs:matrix.org)
+
+Image is based on [Rust implementation of Bitwarden API](https://github.com/dani-garcia/bitwarden_rs).
+
+**This project is not associated with the [Bitwarden](https://bitwarden.com/) project nor 8bit Solutions LLC.**
+
+#### ⚠️**IMPORTANT**⚠️: When using this server, please report any bugs or suggestions to us directly (look at the bottom of this page for ways to get in touch), regardless of whatever clients you are using (mobile, desktop, browser...). DO NOT use the official support channels.
+
+---
+
+## Features
+
+Basically full implementation of Bitwarden API is provided including:
+
+ * Single user functionality
+ * Organizations support
+ * Attachments
+ * Vault API support
+ * Serving the static files for Vault interface
+ * Website icons API
+ * Authenticator and U2F support
+ * YubiKey and Duo support
+
+## Installation
+Pull the docker image and mount a volume from the host for persistent storage:
+
+```sh
+docker pull bitwardenrs/server:latest
+docker run -d --name bitwarden -v /bw-data/:/data/ -p 80:80 bitwardenrs/server:latest
+```
+This will preserve any persistent data under /bw-data/, you can adapt the path to whatever suits you.
+
+**IMPORTANT**: Some web browsers, like Chrome, disallow the use of Web Crypto APIs in insecure contexts. In this case, you might get an error like `Cannot read property 'importKey'`. To solve this problem, you need to access the web vault from HTTPS. 
+
+This can be configured in [bitwarden_rs directly](https://github.com/dani-garcia/bitwarden_rs/wiki/Enabling-HTTPS) or using a third-party reverse proxy ([some examples](https://github.com/dani-garcia/bitwarden_rs/wiki/Proxy-examples)).
+
+If you have an available domain name, you can get HTTPS certificates with [Let's Encrypt](https://letsencrypt.org/), or you can generate self-signed certificates with utilities like [mkcert](https://github.com/FiloSottile/mkcert). Some proxies automatically do this step, like Caddy (see examples linked above).
+
+## Usage
+See the [bitwarden_rs wiki](https://github.com/dani-garcia/bitwarden_rs/wiki) for more information on how to configure and run the bitwarden_rs server.
+
+## Get in touch
+To ask a question, offer suggestions or new features or to get help configuring or installing the software, please [use the forum](https://bitwardenrs.discourse.group/).
+
+If you spot any bugs or crashes with bitwarden_rs itself, please [create an issue](https://github.com/dani-garcia/bitwarden_rs/issues/). Make sure there aren't any similar issues open, though!
+
+If you prefer to chat, we're usually hanging around at [#bitwarden_rs:matrix.org](https://matrix.to/#/#bitwarden_rs:matrix.org) room on Matrix. Feel free to join us!
+
+### Sponsors
+Thanks for your contribution to the project!
+
+- [@ChonoN](https://github.com/ChonoN)

blueprints/bitwarden/update.sh

@@ -0,0 +1,100 @@
+#!/usr/local/bin/bash
+# This file contains the update script for bitwarden
+# Due to it being build from scratch or downloaded directly to execution dir, 
+# Update for Bitwarden is pretty similair to installation
+
+# Initialise defaults
+JAIL_IP="jail_${1}_ip4_addr"
+JAIL_IP="${!JAIL_IP%/*}"
+HOST_NAME="jail_${1}_host_name"
+DB_DATABASE="jail_${1}_db_datavase"
+DB_USER="jail_${1}_db_user"
+# shellcheck disable=SC2154
+INSTALL_TYPE="jail_${1}_type"
+DB_JAIL="jail_${1}_db_jail"
+DB_JAIL="${!DB_JAIL}"
+# shellcheck disable=SC2154
+DB_HOST="${DB_JAIL}_ip4_addr"
+DB_HOST="${!DB_HOST%/*}:3306"
+# shellcheck disable=SC2154
+DB_PASSWORD="jail_${1}_db_password"
+DB_STRING="mysql://${!DB_USER}:${!DB_PASSWORD}@${DB_HOST}/${!DB_DATABASE}"
+# shellcheck disable=SC2154
+ADMIN_TOKEN="jail_${1}_admin_token"
+
+if [ -z "${!DB_USER}" ]; then
+	echo "db_user can't be empty"
+	exit 1
+fi
+
+if [ -z "${!DB_DATABASE}" ]; then
+	echo "db_database can't be empty"
+	exit 1
+fi
+
+if [ -z "${!DB_PASSWORD}" ]; then
+	echo "db_password can't be empty"
+	exit 1
+fi
+
+if [ -z "${!DB_JAIL}" ]; then
+	echo "db_jail can't be empty"
+	exit 1
+	fi
+
+if [ -z "${!JAIL_IP}" ]; then
+	echo "ip4_addr can't be empty"
+	exit 1
+fi
+
+if [ -z "${!ADMIN_TOKEN}" ]; then
+ADMIN_TOKEN=$(openssl rand -base64 16)
+fi
+
+iocage exec "${1}" service bitwarden stop
+
+# install latest rust version, pkg version is outdated and can't build bitwarden_rs
+iocage exec "${1}" "curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y"
+
+# Install Bitwarden_rs
+iocage exec "${1}" "git -C /usr/local/share/bitwarden/src fetch"
+TAG=$(iocage exec "${1}" "git -C /usr/local/share/bitwarden/src tag --sort=v:refname | tail -n1")
+iocage exec "${1}" "git -C /usr/local/share/bitwarden/src checkout ${TAG}"
+#TODO replace with: cargo build --features mysql --release
+if [ "${INSTALL_TYPE}" == "mariadb" ]; then
+	iocage exec "${1}" "cd /usr/local/share/bitwarden/src && $HOME/.cargo/bin/cargo build --features mysql --release"
+	iocage exec "${1}" "cd /usr/local/share/bitwarden/src && $HOME/.cargo/bin/cargo install diesel_cli --no-default-features --features mysql"
+else
+	iocage exec "${1}" "cd /usr/local/share/bitwarden/src && $HOME/.cargo/bin/cargo build --features sqlite --release"
+	iocage exec "${1}" "cd /usr/local/share/bitwarden/src && $HOME/.cargo/bin/cargo install diesel_cli --no-default-features --features sqlite-bundled"
+fi
+
+
+iocage exec "${1}" cp -r /usr/local/share/bitwarden/src/target/release /usr/local/share/bitwarden/bin
+
+# Download and install webvault
+WEB_RELEASE_URL=$(curl -Ls -o /dev/null -w "%{url_effective}" https://github.com/dani-garcia/bw_web_builds/releases/latest)
+WEB_TAG="${WEB_RELEASE_URL##*/}"
+iocage exec "${1}" "fetch http://github.com/dani-garcia/bw_web_builds/releases/download/$WEB_TAG/bw_web_$WEB_TAG.tar.gz -o /usr/local/share/bitwarden"
+iocage exec "${1}" "tar -xzvf /usr/local/share/bitwarden/bw_web_$WEB_TAG.tar.gz -C /usr/local/share/bitwarden/"
+iocage exec "${1}" rm /usr/local/share/bitwarden/bw_web_"$WEB_TAG".tar.gz
+
+iocage exec "${1}" chown -R bitwarden:bitwarden /usr/local/share/bitwarden /config
+# shellcheck disable=SC2154
+cp "${SCRIPT_DIR}"/blueprints/"${1}"/includes/bitwarden.rc /mnt/"${global_dataset_iocage}"/jails/"${1}"/root/usr/local/etc/rc.d/bitwarden
+cp "${SCRIPT_DIR}"/blueprints/"${1}"/includes/bitwarden.rc.conf /mnt/"${global_dataset_iocage}"/jails/"${1}"/root/usr/local/etc/rc.conf.d/bitwarden
+echo 'export DATABASE_URL="'"${DB_STRING}"'"' >> /mnt/"${global_dataset_iocage}"/jails/"${1}"/root/usr/local/etc/rc.conf.d/bitwarden
+echo 'export ADMIN_TOKEN="'"${!ADMIN_TOKEN}"'"' >> /mnt/"${global_dataset_iocage}"/jails/"${1}"/root/usr/local/etc/rc.conf.d/bitwarden
+
+if [ "${!ADMIN_TOKEN}" == "NONE" ]; then
+	echo "Admin_token set to NONE, disabling admin portal"
+else
+	echo "Admin_token set and admin portal enabled"
+	iocage exec "${1}" echo "${DB_NAME} Admin Token is ${!ADMIN_TOKEN}" > /root/"${1}"_admin_token.txt
+fi
+
+
+iocage exec "${1}" chmod u+x /usr/local/etc/rc.d/bitwarden
+iocage exec "${1}" service bitwarden restart
+echo "Jail ${1} finished Bitwarden update."
+echo "Admin Token is ${!ADMIN_TOKEN}"