Fix upgrade problem with otplib existing secrets

Bump @biomejs/biome from 2.3.12 to 2.3.13 in /backend in the dev-patch-updates group

.babelrc

@@ -1,12 +0,0 @@
-{
-  "presets": [
-    ["env", {
-      "targets": {
-        "browsers": ["Chrome >= 65"]
-      },
-      "debug": false,
-      "modules": false,
-      "useBuiltIns": "usage"
-    }]
-  ]
-}

.github/ISSUE_TEMPLATE/bug_report.md

@@ -0,0 +1,55 @@
+---
+name: Bug report
+about: Create a report to help us improve
+title: ''
+labels: bug
+assignees: ''
+
+---
+<!--
+ 
+Are you in the right place?
+- If you are looking for support on how to get your upstream server forwarding, please consider asking the community on Reddit.
+- If you are writing code changes to contribute and need to ask about the internals of the software, Gitter is the best place to ask.
+- If you think you found a bug with NPM (not Nginx, or your upstream server or MySql) then you are in the *right place.*
+
+-->
+
+**Checklist**
+- Have you pulled and found the error with `jc21/nginx-proxy-manager:latest` docker image?
+  - Yes / No
+- Are you sure you're not using someone else's docker image?
+  - Yes / No
+- Have you searched for similar issues (both open and closed)?
+  - Yes / No
+
+**Describe the bug**
+<!-- A clear and concise description of what the bug is. -->
+
+
+**Nginx Proxy Manager Version**
+<!-- What version of Nginx Proxy Manager is reported on the login page? -->
+
+
+**To Reproduce**
+Steps to reproduce the behavior:
+1. Go to '...'
+2. Click on '....'
+3. Scroll down to '....'
+4. See error
+
+
+**Expected behavior**
+<!-- A clear and concise description of what you expected to happen. -->
+
+
+**Screenshots**
+<!-- If applicable, add screenshots to help explain your problem. -->
+
+
+**Operating System**
+<!-- Please specify if using a Rpi, Mac, orchestration tool or any other setups that might affect the reproduction of this error. -->
+
+
+**Additional context**
+<!-- Add any other context about the problem here, docker version, browser version, logs if applicable to the problem. Too much info is better than too little. -->

.github/ISSUE_TEMPLATE/dns_challenge_request.md

@@ -0,0 +1,18 @@
+---
+name: DNS challenge provider request
+about: Suggest a new provider to be available for a certificate DNS challenge
+title: ''
+labels: dns provider request
+assignees: ''
+
+---
+
+**What provider would you like to see added to NPM?**
+<!-- What is this provider called? -->
+
+
+**Have you checked if a certbot plugin exists?**
+<!-- 
+Currently NPM only supports DNS challenge providers for which a certbot plugin exists. 
+You can visit pypi.org, and search for a package with the name `certbot-dns-<privider>`.
+-->

.github/ISSUE_TEMPLATE/feature_request.md

@@ -0,0 +1,32 @@
+---
+name: Feature request
+about: Suggest an idea for this project
+title: ''
+labels: enhancement
+assignees: ''
+
+---
+
+<!--
+
+Are you in the right place?
+- If you are looking for support on how to get your upstream server forwarding, please consider asking the community on Reddit.
+- If you are writing code changes to contribute and need to ask about the internals of the software, Gitter is the best place to ask.
+- If you think you found a bug with NPM (not Nginx, or your upstream server or MySql) then you are in the *right place.*
+
+-->
+
+**Is your feature request related to a problem? Please describe.**
+<!-- A clear and concise description of what the problem is. Ex. I'm always frustrated when [...] -->
+
+
+**Describe the solution you'd like**
+<!-- A clear and concise description of what you want to happen. -->
+
+
+**Describe alternatives you've considered**
+<!-- A clear and concise description of any alternative solutions or features you've considered. -->
+
+
+**Additional context**
+<!-- Add any other context or screenshots about the feature request here. -->

.github/dependabot.yml

@@ -0,0 +1,104 @@
+version: 2
+updates:
+  - package-ecosystem: "npm"
+    directory: "/backend"
+    schedule:
+      interval: "weekly"
+    groups:
+      dev-patch-updates:
+        dependency-type: "development"
+        update-types:
+          - "patch"
+      dev-minor-updates:
+        dependency-type: "development"
+        update-types:
+          - "minor"
+      prod-patch-updates:
+        dependency-type: "production"
+        update-types:
+          - "patch"
+      prod-minor-updates:
+        dependency-type: "production"
+        update-types:
+          - "minor"
+
+  - package-ecosystem: "npm"
+    directory: "/frontend"
+    schedule:
+      interval: "weekly"
+    groups:
+      dev-patch-updates:
+        dependency-type: "development"
+        update-types:
+          - "patch"
+      dev-minor-updates:
+        dependency-type: "development"
+        update-types:
+          - "minor"
+      prod-patch-updates:
+        dependency-type: "production"
+        update-types:
+          - "patch"
+      prod-minor-updates:
+        dependency-type: "production"
+        update-types:
+          - "minor"
+
+  - package-ecosystem: "npm"
+    directory: "/docs"
+    schedule:
+      interval: "weekly"
+    groups:
+      dev-patch-updates:
+        dependency-type: "development"
+        update-types:
+          - "patch"
+      dev-minor-updates:
+        dependency-type: "development"
+        update-types:
+          - "minor"
+      prod-patch-updates:
+        dependency-type: "production"
+        update-types:
+          - "patch"
+      prod-minor-updates:
+        dependency-type: "production"
+        update-types:
+          - "minor"
+
+  - package-ecosystem: "npm"
+    directory: "/test"
+    schedule:
+      interval: "weekly"
+    groups:
+      dev-patch-updates:
+        dependency-type: "development"
+        update-types:
+          - "patch"
+      dev-minor-updates:
+        dependency-type: "development"
+        update-types:
+          - "minor"
+      prod-patch-updates:
+        dependency-type: "production"
+        update-types:
+          - "patch"
+      prod-minor-updates:
+        dependency-type: "production"
+        update-types:
+          - "minor"
+
+  - package-ecosystem: "docker"
+    directory: "/docker"
+    schedule:
+      interval: "weekly"
+    groups:
+      updates:
+        update-types:
+          - "patch"
+          - "minor"
+
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"

.github/workflows/stale.yml

@@ -0,0 +1,21 @@
+name: 'Close stale issues and PRs'
+on:
+  schedule:
+    - cron: '30 1 * * *'
+  workflow_dispatch:
+
+jobs:
+  stale:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/stale@v10
+        with:
+          stale-issue-label: 'stale'
+          stale-pr-label: 'stale'
+          stale-issue-message: 'Issue is now considered stale. If you want to keep it open, please comment :+1:'
+          stale-pr-message: 'PR is now considered stale. If you want to keep it open, please comment :+1:'
+          close-issue-message: 'Issue was closed due to inactivity.'
+          close-pr-message: 'PR was closed due to inactivity.'
+          days-before-stale: 182
+          days-before-close: 365
+          operations-per-run: 50

.gitignore

@@ -1,14 +1,10 @@
 .DS_Store
 .idea
+.qodo
 ._*
-node_modules
-core*
-config/development.json
-dist
-webpack_stats.html
-data/*
-yarn-error.log
-yarn.lock
-tmp
-certbot.log
-
+.vscode
+certbot-help.txt
+test/node_modules
+*/node_modules
+docker/dev/dnsrouter-config.json.tmp
+docker/dev/resolv.conf

.version

@@ -0,0 +1 @@
+2.13.7

Dockerfile

@@ -1,32 +0,0 @@
-FROM jc21/nginx-proxy-manager-base:latest
-
-MAINTAINER Jamie Curnow <jc@jc21.com>
-LABEL maintainer="Jamie Curnow <jc@jc21.com>"
-
-ENV SUPPRESS_NO_CONFIG_WARNING=1
-ENV S6_FIX_ATTRS_HIDDEN=1
-RUN echo "fs.file-max = 65535" > /etc/sysctl.conf
-
-# Nginx, Node and required packages should already be installed from the base image
-
-# root filesystem
-COPY rootfs /
-
-# s6 overlay
-RUN curl -L -o /tmp/s6-overlay-amd64.tar.gz "https://github.com/just-containers/s6-overlay/releases/download/v1.21.4.0/s6-overlay-amd64.tar.gz" \
-    && tar xzf /tmp/s6-overlay-amd64.tar.gz -C /
-
-# App
-ENV NODE_ENV=production
-
-ADD dist                /app/dist
-ADD node_modules        /app/node_modules
-ADD src/backend         /app/src/backend
-ADD package.json        /app/package.json
-ADD knexfile.js         /app/knexfile.js
-
-# Volumes
-VOLUME [ "/data", "/etc/letsencrypt" ]
-CMD [ "/init" ]
-
-HEALTHCHECK --interval=15s --timeout=3s CMD curl -f http://localhost:9876/health || exit 1

Dockerfile.armhf

@@ -1,32 +0,0 @@
-FROM jc21/nginx-proxy-manager-base:armhf
-
-MAINTAINER Jamie Curnow <jc@jc21.com>
-LABEL maintainer="Jamie Curnow <jc@jc21.com>"
-
-ENV SUPPRESS_NO_CONFIG_WARNING=1
-ENV S6_FIX_ATTRS_HIDDEN=1
-RUN echo "fs.file-max = 65535" > /etc/sysctl.conf
-
-# Nginx, Node and required packages should already be installed from the base image
-
-# root filesystem
-COPY rootfs /
-
-# s6 overlay
-RUN curl -L -o /tmp/s6-overlay-armhf.tar.gz "https://github.com/just-containers/s6-overlay/releases/download/v1.21.4.0/s6-overlay-armhf.tar.gz" \
-    && tar xzf /tmp/s6-overlay-armhf.tar.gz -C /
-
-# App
-ENV NODE_ENV=production
-
-ADD dist                /app/dist
-ADD node_modules        /app/node_modules
-ADD src/backend         /app/src/backend
-ADD package.json        /app/package.json
-ADD knexfile.js         /app/knexfile.js
-
-# Volumes
-VOLUME [ "/data", "/etc/letsencrypt" ]
-CMD [ "/init" ]
-
-HEALTHCHECK --interval=15s --timeout=3s CMD curl -f http://localhost:9876/health || exit 1

Jenkinsfile

@@ -1,124 +0,0 @@
-pipeline {
-  options {
-    buildDiscarder(logRotator(numToKeepStr: '10'))
-    disableConcurrentBuilds()
-  }
-  agent any
-  environment {
-    IMAGE_NAME          = "nginx-proxy-manager"
-    BASE_IMAGE_NAME     = "jc21/nginx-proxy-manager-base:v2"
-    TEMP_IMAGE_NAME     = "nginx-proxy-manager-build_${BUILD_NUMBER}"
-    TEMP_IMAGE_NAME_ARM = "nginx-proxy-manager-arm-build_${BUILD_NUMBER}"
-    TAG_VERSION         = getPackageVersion()
-    MAJOR_VERSION       = "2"
-  }
-  stages {
-    stage('Prepare') {
-      steps {
-        sh 'docker pull $DOCKER_CI_TOOLS'
-      }
-    }
-    stage('Build') {
-      parallel {
-        stage('x86_64') {
-          when {
-            branch 'master'
-          }
-          steps {
-            ansiColor('xterm') {
-              // Codebase
-              sh 'docker run --rm -v $(pwd):/app -w /app $BASE_IMAGE_NAME yarn --registry=$NPM_REGISTRY install'
-              sh 'docker run --rm -v $(pwd):/app -w /app $BASE_IMAGE_NAME npm run-script build'
-              sh 'rm -rf node_modules'
-              sh 'docker run --rm -v $(pwd):/app -w /app $BASE_IMAGE_NAME yarn --registry=$NPM_REGISTRY install --prod'
-              sh 'docker run --rm -v $(pwd):/data $DOCKER_CI_TOOLS node-prune'
-
-              // Docker Build
-              sh 'docker build --pull --no-cache --squash --compress -t $TEMP_IMAGE_NAME .'
-
-              // Private Registry
-              sh 'docker tag $TEMP_IMAGE_NAME $DOCKER_PRIVATE_REGISTRY/$IMAGE_NAME:$TAG_VERSION'
-              sh 'docker push $DOCKER_PRIVATE_REGISTRY/$IMAGE_NAME:$TAG_VERSION'
-              sh 'docker tag $TEMP_IMAGE_NAME $DOCKER_PRIVATE_REGISTRY/$IMAGE_NAME:$MAJOR_VERSION'
-              sh 'docker push $DOCKER_PRIVATE_REGISTRY/$IMAGE_NAME:$MAJOR_VERSION'
-              sh 'docker tag $TEMP_IMAGE_NAME $DOCKER_PRIVATE_REGISTRY/$IMAGE_NAME:latest'
-              sh 'docker push $DOCKER_PRIVATE_REGISTRY/$IMAGE_NAME:latest'
-
-              // Dockerhub
-              sh 'docker tag $TEMP_IMAGE_NAME docker.io/jc21/$IMAGE_NAME:$TAG_VERSION'
-              sh 'docker tag $TEMP_IMAGE_NAME docker.io/jc21/$IMAGE_NAME:$MAJOR_VERSION'
-              sh 'docker tag $TEMP_IMAGE_NAME docker.io/jc21/$IMAGE_NAME:latest'
-
-              withCredentials([usernamePassword(credentialsId: 'jc21-dockerhub', passwordVariable: 'dpass', usernameVariable: 'duser')]) {
-                sh "docker login -u '${duser}' -p '$dpass'"
-                sh 'docker push docker.io/jc21/$IMAGE_NAME:$TAG_VERSION'
-                sh 'docker push docker.io/jc21/$IMAGE_NAME:$MAJOR_VERSION'
-                sh 'docker push docker.io/jc21/$IMAGE_NAME:latest'
-              }
-
-              sh 'docker rmi $TEMP_IMAGE_NAME'
-            }
-          }
-        }
-        stage('armhf') {
-          when {
-            branch 'master'
-          }
-          agent {
-            label 'armhf'
-          }
-          steps {
-            ansiColor('xterm') {
-              // Codebase
-              sh 'docker run --rm -v $(pwd):/app -w /app $BASE_IMAGE_NAME-armhf yarn --registry=$NPM_REGISTRY install'
-              sh 'docker run --rm -v $(pwd):/app -w /app $BASE_IMAGE_NAME-armhf npm run-script build'
-              sh 'rm -rf node_modules'
-              sh 'docker run --rm -v $(pwd):/app -w /app $BASE_IMAGE_NAME-armhf yarn --registry=$NPM_REGISTRY install --prod'
-
-              // Docker Build
-              sh 'docker build --pull --no-cache --squash --compress -t $TEMP_IMAGE_NAME_ARM -f Dockerfile.armhf .'
-
-              // Private Registry
-              sh 'docker tag $TEMP_IMAGE_NAME_ARM $DOCKER_PRIVATE_REGISTRY/$IMAGE_NAME:$TAG_VERSION-armhf'
-              sh 'docker push $DOCKER_PRIVATE_REGISTRY/$IMAGE_NAME:$TAG_VERSION-armhf'
-              sh 'docker tag $TEMP_IMAGE_NAME_ARM $DOCKER_PRIVATE_REGISTRY/$IMAGE_NAME:$MAJOR_VERSION-armhf'
-              sh 'docker push $DOCKER_PRIVATE_REGISTRY/$IMAGE_NAME:$MAJOR_VERSION-armhf'
-              sh 'docker tag $TEMP_IMAGE_NAME_ARM $DOCKER_PRIVATE_REGISTRY/$IMAGE_NAME:latest-armhf'
-              sh 'docker push $DOCKER_PRIVATE_REGISTRY/$IMAGE_NAME:latest-armhf'
-
-              // Dockerhub
-              sh 'docker tag $TEMP_IMAGE_NAME_ARM docker.io/jc21/$IMAGE_NAME:$TAG_VERSION-armhf'
-              sh 'docker tag $TEMP_IMAGE_NAME_ARM docker.io/jc21/$IMAGE_NAME:$MAJOR_VERSION-armhf'
-              sh 'docker tag $TEMP_IMAGE_NAME_ARM docker.io/jc21/$IMAGE_NAME:latest-armhf'
-
-              withCredentials([usernamePassword(credentialsId: 'jc21-dockerhub', passwordVariable: 'dpass', usernameVariable: 'duser')]) {
-                sh "docker login -u '${duser}' -p '$dpass'"
-                sh 'docker push docker.io/jc21/$IMAGE_NAME:$TAG_VERSION-armhf'
-                sh 'docker push docker.io/jc21/$IMAGE_NAME:$MAJOR_VERSION-armhf'
-                sh 'docker push docker.io/jc21/$IMAGE_NAME:latest-armhf'
-              }
-
-              sh 'docker rmi $TEMP_IMAGE_NAME_ARM'
-            }
-          }
-        }
-      }
-    }
-  }
-  post {
-    success {
-      juxtapose event: 'success'
-      sh 'figlet "SUCCESS"'
-    }
-    failure {
-      juxtapose event: 'failure'
-      sh 'figlet "FAILURE"'
-    }
-  }
-}
-
-def getPackageVersion() {
-  ver = sh(script: 'docker run --rm -v $(pwd):/data $DOCKER_CI_TOOLS bash -c "cat /data/package.json|jq -r \'.version\'"', returnStdout: true)
-  return ver.trim()
-}
-

README.md

@@ -1,103 +1,108 @@
-![Nginx Proxy Manager](https://public.jc21.com/nginx-proxy-manager/github.png "Nginx Proxy Manager")
-
-# Nginx Proxy Manager
-
-![Version](https://img.shields.io/badge/version-2.0.2-green.svg?style=for-the-badge)
-![Stars](https://img.shields.io/docker/stars/jc21/nginx-proxy-manager.svg?style=for-the-badge)
-![Pulls](https://img.shields.io/docker/pulls/jc21/nginx-proxy-manager.svg?style=for-the-badge)
+<p align="center">
+	<img src="https://nginxproxymanager.com/github.png">
+	<br><br>
+	<img src="https://img.shields.io/badge/version-2.13.7-green.svg?style=for-the-badge">
+	<a href="https://hub.docker.com/repository/docker/jc21/nginx-proxy-manager">
+		<img src="https://img.shields.io/docker/stars/jc21/nginx-proxy-manager.svg?style=for-the-badge">
+	</a>
+	<a href="https://hub.docker.com/repository/docker/jc21/nginx-proxy-manager">
+		<img src="https://img.shields.io/docker/pulls/jc21/nginx-proxy-manager.svg?style=for-the-badge">
+	</a>
+</p>
 
 This project comes as a pre-built docker image that enables you to easily forward to your websites
 running at home or otherwise, including free SSL, without having to know too much about Nginx or Letsencrypt.
 
-----------
+- [Quick Setup](#quick-setup)
+- [Full Setup](https://nginxproxymanager.com/setup/)
+- [Screenshots](https://nginxproxymanager.com/screenshots/)
+
+## Project Goal
+
+I created this project to fill a personal need to provide users with an easy way to accomplish reverse
+proxying hosts with SSL termination and it had to be so easy that a monkey could do it. This goal hasn't changed.
+While there might be advanced options they are optional and the project should be as simple as possible
+so that the barrier for entry here is low.
+
+<a href="https://www.buymeacoffee.com/jc21" target="_blank"><img src="http://public.jc21.com/github/by-me-a-coffee.png" alt="Buy Me A Coffee" style="height: 51px !important;width: 217px !important;" ></a>
 
-**WARNING: Version 2 a complete rewrite!** If you are using the `latest` docker tag and update to version 2
-without preparation, horrible things might happen. Refer to the [Importing Documentation](doc/IMPORTING.md). 
 
-----------
- 
 ## Features
 
 - Beautiful and Secure Admin Interface based on [Tabler](https://tabler.github.io/)
 - Easily create forwarding domains, redirections, streams and 404 hosts without knowing anything about Nginx
-- Free SSL using Let's Encrypt or provide your own custom SSL certificates 
+- Free SSL using Let's Encrypt or provide your own custom SSL certificates
 - Access Lists and basic HTTP Authentication for your hosts
 - Advanced Nginx configuration available for super users
 - User management, permissions and audit log
 
 
-## Screenshots
-
-[![Login](https://public.jc21.com/nginx-proxy-manager/v2/small/login.jpg "Login")](https://public.jc21.com/nginx-proxy-manager/v2/large/login.jpg)
-[![Dashboard](https://public.jc21.com/nginx-proxy-manager/v2/small/dashboard.jpg "Dashboard")](https://public.jc21.com/nginx-proxy-manager/v2/large/dashboard.jpg)
-[![Proxy Hosts](https://public.jc21.com/nginx-proxy-manager/v2/small/proxy-hosts.jpg "Proxy Hosts")](https://public.jc21.com/nginx-proxy-manager/v2/large/proxy-hosts.jpg)
-[![Proxy Host Settings](https://public.jc21.com/nginx-proxy-manager/v2/small/proxy-hosts-new1.jpg "Proxy Host Settings")](https://public.jc21.com/nginx-proxy-manager/v2/large/proxy-hosts-new1.jpg)
-[![Proxy Host SSL](https://public.jc21.com/nginx-proxy-manager/v2/small/proxy-hosts-new2.jpg "Proxy Host SSL")](https://public.jc21.com/nginx-proxy-manager/v2/large/proxy-hosts-new2.jpg)
-[![Redirection Hosts](https://public.jc21.com/nginx-proxy-manager/v2/small/redirection-hosts.jpg "Redirection Hosts")](https://public.jc21.com/nginx-proxy-manager/v2/large/redirection-hosts.jpg)
-[![Redirection Host Settings](https://public.jc21.com/nginx-proxy-manager/v2/small/redirection-hosts-new1.jpg "Redirection Host Settings")](https://public.jc21.com/nginx-proxy-manager/v2/large/redirection-hosts-new1.jpg)
-[![Streams](https://public.jc21.com/nginx-proxy-manager/v2/small/streams.jpg "Streams")](https://public.jc21.com/nginx-proxy-manager/v2/large/streams.jpg)
-[![Stream Settings](https://public.jc21.com/nginx-proxy-manager/v2/small/streams-new1.jpg "Stream Settings")](https://public.jc21.com/nginx-proxy-manager/v2/large/streams-new1.jpg)
-[![404 Hosts](https://public.jc21.com/nginx-proxy-manager/v2/small/dead-hosts.jpg "404 Hosts")](https://public.jc21.com/nginx-proxy-manager/v2/large/dead-hosts.jpg)
-[![404 Host Settings](https://public.jc21.com/nginx-proxy-manager/v2/small/dead-hosts-new1.jpg "404 Host Settings")](https://public.jc21.com/nginx-proxy-manager/v2/large/dead-hosts-new1.jpg)
-[![Certificates](https://public.jc21.com/nginx-proxy-manager/v2/small/certificates.jpg "Certificates")](https://public.jc21.com/nginx-proxy-manager/v2/large/certificates.jpg)
-[![Lets Encrypt Certificates](https://public.jc21.com/nginx-proxy-manager/v2/small/certificates-new1.jpg "Lets Encrypt Certificates")](https://public.jc21.com/nginx-proxy-manager/v2/large/certificates-new1.jpg)
-[![Custom Certificates](https://public.jc21.com/nginx-proxy-manager/v2/small/certificates-new2.jpg "Custom Certificates")](https://public.jc21.com/nginx-proxy-manager/v2/large/certificates-new2.jpg)
-[![Access Lists](https://public.jc21.com/nginx-proxy-manager/v2/small/access-lists.jpg "Access Lists")](https://public.jc21.com/nginx-proxy-manager/v2/large/access-lists.jpg)
-[![Access List Users](https://public.jc21.com/nginx-proxy-manager/v2/small/access-lists-new1.jpg "Access List Users")](https://public.jc21.com/nginx-proxy-manager/v2/large/access-lists-new1.jpg)
-[![Users](https://public.jc21.com/nginx-proxy-manager/v2/small/users.jpg "Users")](https://public.jc21.com/nginx-proxy-manager/v2/large/users.jpg)
-[![User Permissions](https://public.jc21.com/nginx-proxy-manager/v2/small/users-permissions.jpg "User Permissions")](https://public.jc21.com/nginx-proxy-manager/v2/large/users-permissions.jpg)
-[![Audit Log](https://public.jc21.com/nginx-proxy-manager/v2/small/audit-log.jpg "Audit Log")](https://public.jc21.com/nginx-proxy-manager/v2/large/audit-log.jpg)
-
-
-## Getting started
-
-Please consult the [installation instructions](doc/INSTALL.md) for a complete guide or
-if you just want to get up and running in the quickest time possible, grab all the files in the `doc/example/` folder and run `docker-compose up -d` 
-
-
-## Importing from Version 1?
-
-Here's a [guide for you to migrate your configuration](doc/IMPORTING.md). You should definitely read the [installation instructions](doc/INSTALL.md) first though.
-
-**Why should I?**
-
-Version 2 has the following improvements:
-
-- Management security and multiple user access
-- User permissions and visibility
-- Custom SSL certificate support
-- Audit log of changes
-- Broken nginx config detection
-- Multiple domains in Let's Encrypt certificates
-- Wildcard domain name support (not available with a Let's Encrypt certificate though)
-- It's super sexy
-
-
-## Administration
-
-When your docker container is running, connect to it on port `81` for the admin interface.
-
-[http://localhost:81](http://localhost:81)
-
-Note: Requesting SSL Certificates won't work until this project is accessible from the outside world, as explained below.
-
-
-### Default Administrator User
-
-```
-Email:    admin@example.com
-Password: changeme
-```
-
-Immediately after logging in with this default user you will be asked to modify your details and change your password.
-
-
 ## Hosting your home network
 
 I won't go in to too much detail here but here are the basics for someone new to this self-hosted world.
 
 1. Your home router will have a Port Forwarding section somewhere. Log in and find it
 2. Add port forwarding for port 80 and 443 to the server hosting this project
-3. Configure your domain name details to point to your home, either with a static ip or a service like DuckDNS
-4. Use the Nginx Proxy Manager here as your gateway to forward to your other web based services
+3. Configure your domain name details to point to your home, either with a static ip or a service like DuckDNS or [Amazon Route53](https://github.com/jc21/route53-ddns)
+4. Use the Nginx Proxy Manager as your gateway to forward to your other web based services
 
+## Quick Setup
+
+1. Install Docker and Docker-Compose
+
+- [Docker Install documentation](https://docs.docker.com/install/)
+- [Docker-Compose Install documentation](https://docs.docker.com/compose/install/)
+
+2. Create a docker-compose.yml file similar to this:
+
+```yml
+services:
+  app:
+    image: 'docker.io/jc21/nginx-proxy-manager:latest'
+    restart: unless-stopped
+    ports:
+      - '80:80'
+      - '81:81'
+      - '443:443'
+    volumes:
+      - ./data:/data
+      - ./letsencrypt:/etc/letsencrypt
+```
+
+This is the bare minimum configuration required. See the [documentation](https://nginxproxymanager.com/setup/) for more.
+
+3. Bring up your stack by running
+
+```bash
+docker compose up -d
+```
+
+4. Log in to the Admin UI
+
+When your docker container is running, connect to it on port `81` for the admin interface.
+Sometimes this can take a little bit because of the entropy of keys.
+
+[http://127.0.0.1:81](http://127.0.0.1:81)
+
+
+## Contributing
+
+All are welcome to create pull requests for this project, against the `develop` branch. Official releases are created from the `master` branch.
+
+CI is used in this project. All PR's must pass before being considered. After passing,
+docker builds for PR's are available on dockerhub for manual verifications.
+
+Documentation within the `develop` branch is available for preview at
+[https://develop.nginxproxymanager.com](https://develop.nginxproxymanager.com)
+
+
+### Contributors
+
+Special thanks to [all of our contributors](https://github.com/NginxProxyManager/nginx-proxy-manager/graphs/contributors).
+
+
+## Getting Support
+
+1. [Found a bug?](https://github.com/NginxProxyManager/nginx-proxy-manager/issues)
+2. [Discussions](https://github.com/NginxProxyManager/nginx-proxy-manager/discussions)
+3. [Reddit](https://reddit.com/r/nginxproxymanager)

TODO.md

@@ -1,17 +0,0 @@
-# TODO 
-
-- Dashboard stats are caching instead of querying
-
-Next version:
-
-- UI Log tail
-- Enable/Disable a config
-
-Testing:
-
-- Access Levels
-  - Adding a proxy host without access to read certs or access lists 
-- Visibility
-- Forwarding
-- Cert renewals
-- Custom certs

backend/.gitignore

@@ -0,0 +1,8 @@
+config/development.json
+data/*
+yarn-error.log
+tmp
+certbot.log
+node_modules
+core.*
+

backend/app.js

@@ -0,0 +1,92 @@
+import bodyParser from "body-parser";
+import compression from "compression";
+import express from "express";
+import fileUpload from "express-fileupload";
+import { isDebugMode } from "./lib/config.js";
+import cors from "./lib/express/cors.js";
+import jwt from "./lib/express/jwt.js";
+import { debug, express as logger } from "./logger.js";
+import mainRoutes from "./routes/main.js";
+
+/**
+ * App
+ */
+const app = express();
+app.use(fileUpload());
+app.use(bodyParser.json());
+app.use(bodyParser.urlencoded({ extended: true }));
+
+// Gzip
+app.use(compression());
+
+/**
+ * General Logging, BEFORE routes
+ */
+
+app.disable("x-powered-by");
+app.enable("trust proxy", ["loopback", "linklocal", "uniquelocal"]);
+app.enable("strict routing");
+
+// pretty print JSON when not live
+if (isDebugMode()) {
+	app.set("json spaces", 2);
+}
+
+// CORS for everything
+app.use(cors);
+
+// General security/cache related headers + server header
+app.use((_, res, next) => {
+	let x_frame_options = "DENY";
+
+	if (typeof process.env.X_FRAME_OPTIONS !== "undefined" && process.env.X_FRAME_OPTIONS) {
+		x_frame_options = process.env.X_FRAME_OPTIONS;
+	}
+
+	res.set({
+		"X-XSS-Protection": "1; mode=block",
+		"X-Content-Type-Options": "nosniff",
+		"X-Frame-Options": x_frame_options,
+		"Cache-Control": "no-cache, no-store, max-age=0, must-revalidate",
+		Pragma: "no-cache",
+		Expires: 0,
+	});
+	next();
+});
+
+app.use(jwt());
+app.use("/", mainRoutes);
+
+// production error handler
+// no stacktraces leaked to user
+app.use((err, req, res, _) => {
+	const payload = {
+		error: {
+			code: err.status,
+			message: err.public ? err.message : "Internal Error",
+		},
+	};
+
+	if (typeof err.message_i18n !== "undefined") {
+		payload.error.message_i18n = err.message_i18n;
+	}
+
+	if (isDebugMode() || (req.baseUrl + req.path).includes("nginx/certificates")) {
+		payload.debug = {
+			stack: typeof err.stack !== "undefined" && err.stack ? err.stack.split("\n") : null,
+			previous: err.previous,
+		};
+	}
+
+	// Not every error is worth logging - but this is good for now until it gets annoying.
+	if (typeof err.stack !== "undefined" && err.stack) {
+		debug(logger, err.stack);
+		if (typeof err.public === "undefined" || !err.public) {
+			logger.warn(err.message);
+		}
+	}
+
+	res.status(err.status || 500).send(payload);
+});
+
+export default app;

backend/biome.json

@@ -0,0 +1,91 @@
+{
+    "$schema": "https://biomejs.dev/schemas/2.3.14/schema.json",
+    "vcs": {
+        "enabled": true,
+        "clientKind": "git",
+        "useIgnoreFile": true
+    },
+    "files": {
+        "ignoreUnknown": false,
+        "includes": [
+            "**/*.ts",
+            "**/*.tsx",
+            "**/*.js",
+            "**/*.jsx",
+            "!**/dist/**/*"
+        ]
+    },
+    "formatter": {
+        "enabled": true,
+        "indentStyle": "tab",
+        "indentWidth": 4,
+        "lineWidth": 120,
+        "formatWithErrors": true
+    },
+    "assist": {
+        "actions": {
+            "source": {
+                "organizeImports": {
+                    "level": "on",
+                    "options": {
+                        "groups": [
+                            ":BUN:",
+                            ":NODE:",
+                            [
+                                "npm:*",
+                                "npm:*/**"
+                            ],
+                            ":PACKAGE_WITH_PROTOCOL:",
+                            ":URL:",
+                            ":PACKAGE:",
+                            [
+                                "/src/*",
+                                "/src/**"
+                            ],
+                            [
+                                "/**"
+                            ],
+                            [
+                                "#*",
+                                "#*/**"
+                            ],
+                            ":PATH:"
+                        ]
+                    }
+                }
+            }
+        }
+    },
+    "linter": {
+        "enabled": true,
+        "rules": {
+            "recommended": true,
+            "correctness": {
+                "useUniqueElementIds": "off"
+            },
+            "suspicious": {
+                "noExplicitAny": "off"
+            },
+            "performance": {
+                "noDelete": "off"
+            },
+            "nursery": "off",
+            "a11y": {
+                "useSemanticElements": "off",
+                "useValidAnchor": "off"
+            },
+            "style": {
+                "noParameterAssign": "error",
+                "useAsConstAssertion": "error",
+                "useDefaultParameterLast": "error",
+                "useEnumInitializers": "error",
+                "useSelfClosingElements": "error",
+                "useSingleVarDeclarator": "error",
+                "noUnusedTemplateLiteral": "error",
+                "useNumberNamespace": "error",
+                "noInferrableTypes": "error",
+                "noUselessElse": "error"
+            }
+        }
+    }
+}

backend/certbot/README.md

@@ -0,0 +1,21 @@
+# Certbot dns-plugins
+
+This file contains info about available Certbot DNS plugins.
+This only works for plugins which use the standard argument structure, so:
+--authenticator <plugin-name> --<plugin-name>-credentials <FILE> --<plugin-name>-propagation-seconds <number>
+
+File Structure:
+
+```json
+{
+  "cloudflare": {
+    "display_name": "Name displayed to the user",
+    "package_name": "Package name in PyPi repo",
+    "version_requirement": "Optional package version requirements (e.g. ==1.3 or >=1.2,<2.0, see https://www.python.org/dev/peps/pep-0440/#version-specifiers)",
+    "dependencies": "Additional dependencies, space separated (as you would pass it to pip install)",
+    "credentials": "Template of the credentials file",
+    "full_plugin_name": "The full plugin name as used in the commandline with certbot, e.g. 'dns-njalla'"
+  },
+  ...
+}
+```

backend/certbot/dns-plugins.json

@@ -0,0 +1,650 @@
+{
+	"acmedns": {
+		"name": "ACME-DNS",
+		"package_name": "certbot-dns-acmedns",
+		"version": "~=0.1.0",
+		"dependencies": "",
+		"credentials": "dns_acmedns_api_url = http://acmedns-server/\ndns_acmedns_registration_file = /data/acme-registration.json",
+		"full_plugin_name": "dns-acmedns"
+	},
+	"active24": {
+		"name": "Active24",
+		"package_name": "certbot-dns-active24",
+		"version": "~=2.0.0",
+		"dependencies": "",
+		"credentials": "dns_active24_api_key = <identifier>\ndns_active24_secret = <secret>",
+		"full_plugin_name": "dns-active24"
+	},
+	"aliyun": {
+		"name": "Aliyun",
+		"package_name": "certbot-dns-aliyun",
+		"version": "~=2.0.0",
+		"dependencies": "",
+		"credentials": "dns_aliyun_access_key = 12345678\ndns_aliyun_access_key_secret = 1234567890abcdef1234567890abcdef",
+		"full_plugin_name": "dns-aliyun"
+	},
+	"azure": {
+		"name": "Azure",
+		"package_name": "certbot-dns-azure",
+		"version": "~=2.6.1",
+		"dependencies": "azure-mgmt-dns==8.2.0",
+		"credentials": "# This plugin supported API authentication using either Service Principals or utilizing a Managed Identity assigned to the virtual machine.\n# Regardless which authentication method used, the identity will need the “DNS Zone Contributor” role assigned to it.\n# As multiple Azure DNS Zones in multiple resource groups can exist, the config file needs a mapping of zone to resource group ID. Multiple zones -> ID mappings can be listed by using the key dns_azure_zoneX where X is a unique number. At least 1 zone mapping is required.\n\n# Using a service principal (option 1)\ndns_azure_sp_client_id = 912ce44a-0156-4669-ae22-c16a17d34ca5\ndns_azure_sp_client_secret = E-xqXU83Y-jzTI6xe9fs2YC~mck3ZzUih9\ndns_azure_tenant_id = ed1090f3-ab18-4b12-816c-599af8a88cf7\n\n# Using used assigned MSI (option 2)\n# dns_azure_msi_client_id = 912ce44a-0156-4669-ae22-c16a17d34ca5\n\n# Using system assigned MSI (option 3)\n# dns_azure_msi_system_assigned = true\n\n# Zones (at least one always required)\ndns_azure_zone1 = example.com:/subscriptions/c135abce-d87d-48df-936c-15596c6968a5/resourceGroups/dns1\ndns_azure_zone2 = example.org:/subscriptions/99800903-fb14-4992-9aff-12eaf2744622/resourceGroups/dns2",
+		"full_plugin_name": "dns-azure"
+	},
+	"baidu": {
+		"name": "baidu",
+		"package_name": "certbot-dns-baidu",
+		"version": "~=0.1.1",
+		"dependencies": "",
+		"credentials": "dns_baidu_access_key = 12345678\ndns_baidu_secret_key = 1234567890abcdef1234567890abcdef",
+		"full_plugin_name": "dns-baidu"
+	},
+	"beget": {
+		"name":"Beget",
+		"package_name": "certbot-beget-plugin",
+		"version": "~=1.0.0.dev9",
+		"dependencies": "",
+		"credentials": "# Beget API credentials used by Certbot\nbeget_plugin_username = username\nbeget_plugin_password = password",
+		"full_plugin_name": "beget-plugin"
+	},
+	"bunny": {
+		"name": "bunny.net",
+		"package_name": "certbot-dns-bunny",
+		"version": "~=0.0.9",
+		"dependencies": "",
+		"credentials": "# Bunny API token used by Certbot (see https://dash.bunny.net/account/settings)\ndns_bunny_api_key = xxxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx",
+		"full_plugin_name": "dns-bunny"
+	},
+	"cdmon": {
+		"name": "cdmon",
+		"package_name": "certbot-dns-cdmon",
+		"version": "~=0.4.1",
+		"dependencies": "",
+		"credentials": "dns_cdmon_api_key=your-cdmon-api-token\ndns_cdmon_domain=your_domain_is_optional",
+		"full_plugin_name": "dns-cdmon"
+	},
+	"cloudflare": {
+		"name": "Cloudflare",
+		"package_name": "certbot-dns-cloudflare",
+		"version": "=={{certbot-version}}",
+		"dependencies": "acme=={{certbot-version}}",
+		"credentials": "# Cloudflare API token\ndns_cloudflare_api_token=0123456789abcdef0123456789abcdef01234567",
+		"full_plugin_name": "dns-cloudflare"
+	},
+	"cloudns": {
+		"name": "ClouDNS",
+		"package_name": "certbot-dns-cloudns",
+		"version": "~=0.7.0",
+		"dependencies": "",
+		"credentials": "# Target user ID (see https://www.cloudns.net/api-settings/)\n\tdns_cloudns_auth_id=1234\n\t# Alternatively, one of the following two options can be set:\n\t# dns_cloudns_sub_auth_id=1234\n\t# dns_cloudns_sub_auth_user=foobar\n\n\t# API password\n\tdns_cloudns_auth_password=password1",
+		"full_plugin_name": "dns-cloudns"
+	},
+	"cloudxns": {
+		"name": "CloudXNS",
+		"package_name": "certbot-dns-cloudxns",
+		"version": "~=1.32.0",
+		"dependencies": "",
+		"credentials": "dns_cloudxns_api_key = 1234567890abcdef1234567890abcdef\ndns_cloudxns_secret_key = 1122334455667788",
+		"full_plugin_name": "dns-cloudxns"
+	},
+	"constellix": {
+		"name": "Constellix",
+		"package_name": "certbot-dns-constellix",
+		"version": "~=0.2.1",
+		"dependencies": "",
+		"credentials": "dns_constellix_apikey = 5fb4e76f-ac91-43e5-f982458bc595\ndns_constellix_secretkey = 47d99fd0-32e7-4e07-85b46d08e70b\ndns_constellix_endpoint = https://api.dns.constellix.com/v1",
+		"full_plugin_name": "dns-constellix"
+	},
+	"corenetworks": {
+		"name": "Core Networks",
+		"package_name": "certbot-dns-corenetworks",
+		"version": "~=0.1.4",
+		"dependencies": "",
+		"credentials": "dns_corenetworks_username = asaHB12r\ndns_corenetworks_password = secure_password",
+		"full_plugin_name": "dns-corenetworks"
+	},
+	"cpanel": {
+		"name": "cPanel",
+		"package_name": "certbot-dns-cpanel",
+		"version": "~=0.4.0",
+		"dependencies": "",
+		"credentials": "cpanel_url = https://cpanel.example.com:2083\ncpanel_username = your_username\ncpanel_password = your_password\ncpanel_token = your_api_token",
+		"full_plugin_name": "cpanel"
+	},
+	"ddnss": {
+		"name": "DDNSS",
+		"package_name": "certbot-dns-ddnss",
+		"version": "~=1.1.0",
+		"dependencies": "",
+		"credentials": "dns_ddnss_token = YOUR_DDNSS_API_TOKEN",
+		"full_plugin_name": "dns-ddnss"
+	},
+	"desec": {
+		"name": "deSEC",
+		"package_name": "certbot-dns-desec",
+		"version": "~=1.2.1",
+		"dependencies": "",
+		"credentials": "dns_desec_token = YOUR_DESEC_API_TOKEN\ndns_desec_endpoint = https://desec.io/api/v1/",
+		"full_plugin_name": "dns-desec"
+	},
+	"duckdns": {
+		"name": "DuckDNS",
+		"package_name": "certbot-dns-duckdns",
+		"version": "~=1.0",
+		"dependencies": "",
+		"credentials": "dns_duckdns_token=your-duckdns-token",
+		"full_plugin_name": "dns-duckdns"
+	},
+	"digitalocean": {
+		"name": "DigitalOcean",
+		"package_name": "certbot-dns-digitalocean",
+		"version": "=={{certbot-version}}",
+		"dependencies": "acme=={{certbot-version}}",
+		"credentials": "dns_digitalocean_token = 0000111122223333444455556666777788889999aaaabbbbccccddddeeeeffff",
+		"full_plugin_name": "dns-digitalocean"
+	},
+	"directadmin": {
+		"name": "DirectAdmin",
+		"package_name": "certbot-dns-directadmin",
+		"version": "~=0.0.23",
+		"dependencies": "",
+		"credentials": "directadmin_url = https://my.directadminserver.com:2222\ndirectadmin_username = username\ndirectadmin_password = aSuperStrongPassword",
+		"full_plugin_name": "directadmin"
+	},
+	"dnsimple": {
+		"name": "DNSimple",
+		"package_name": "certbot-dns-dnsimple",
+		"version": "=={{certbot-version}}",
+		"dependencies": "acme=={{certbot-version}}",
+		"credentials": "dns_dnsimple_token = MDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAw",
+		"full_plugin_name": "dns-dnsimple"
+	},
+	"dnsmadeeasy": {
+		"name": "DNS Made Easy",
+		"package_name": "certbot-dns-dnsmadeeasy",
+		"version": "=={{certbot-version}}",
+		"dependencies": "acme=={{certbot-version}}",
+		"credentials": "dns_dnsmadeeasy_api_key = 1c1a3c91-4770-4ce7-96f4-54c0eb0e457a\ndns_dnsmadeeasy_secret_key = c9b5625f-9834-4ff8-baba-4ed5f32cae55",
+		"full_plugin_name": "dns-dnsmadeeasy"
+	},
+	"dnsmulti": {
+		"name": "DnsMulti",
+		"package_name": "certbot-dns-multi",
+		"version": "~=4.9",
+		"dependencies": "",
+		"credentials": "# See https://go-acme.github.io/lego/dns/#dns-providers for list of providers and their settings\n# Example provider configuration for DreamHost\n# dns_multi_provider = dreamhost\n# DREAMHOST_API_KEY = ABCDEFG1234",
+		"full_plugin_name": "dns-multi"
+	},
+	"dnspod": {
+		"name": "DNSPod",
+		"package_name": "certbot-dns-dnspod",
+		"version": "~=0.1.0",
+		"dependencies": "",
+		"credentials": "dns_dnspod_email = \"email@example.com\"\ndns_dnspod_api_token = \"id,key\"",
+		"full_plugin_name": "dns-dnspod"
+	},
+	"domainoffensive": {
+		"name": "DomainOffensive (do.de)",
+		"package_name": "certbot-dns-domainoffensive",
+		"version": "~=2.0.0",
+		"dependencies": "",
+		"credentials": "dns_domainoffensive_api_token = YOUR_DO_DE_AUTH_TOKEN",
+		"full_plugin_name": "dns-domainoffensive"
+	},
+	"domeneshop": {
+		"name": "Domeneshop",
+		"package_name": "certbot-dns-domeneshop",
+		"version": "~=0.2.8",
+		"dependencies": "",
+		"credentials": "dns_domeneshop_client_token=YOUR_DOMENESHOP_CLIENT_TOKEN\ndns_domeneshop_client_secret=YOUR_DOMENESHOP_CLIENT_SECRET",
+		"full_plugin_name": "dns-domeneshop"
+	},
+	"dynu": {
+		"name": "Dynu",
+		"package_name": "certbot-dns-dynu",
+		"version": "~=0.0.1",
+		"dependencies": "",
+		"credentials": "dns_dynu_auth_token = YOUR_DYNU_AUTH_TOKEN",
+		"full_plugin_name": "dns-dynu"
+	},
+	"easydns": {
+		"name": "easyDNS",
+		"package_name": "certbot-dns-easydns",
+		"version": "~=0.1.2",
+		"dependencies": "",
+		"credentials": "dns_easydns_usertoken = YOUR_EASYDNS_USERTOKEN\ndns_easydns_userkey = YOUR_EASYDNS_USERKEY\ndns_easydns_endpoint = https://rest.easydns.net",
+		"full_plugin_name": "dns-easydns"
+	},
+	"eurodns": {
+		"name": "EuroDNS",
+		"package_name": "certbot-dns-eurodns",
+		"version": "~=0.0.4",
+		"dependencies": "",
+		"credentials": "dns_eurodns_applicationId = myuser\ndns_eurodns_apiKey = mysecretpassword\ndns_eurodns_endpoint = https://rest-api.eurodns.com/user-api-gateway/proxy",
+		"full_plugin_name": "dns-eurodns"
+	},
+	"firstdomains": {
+                "name": "First Domains",
+                "package_name": "certbot-dns-firstdomains",
+                "version": ">=1.0",
+                "dependencies": "",
+                "credentials": "dns_firstdomains_username = myremoteuser\ndns_firstdomains_password = verysecureremoteuserpassword",
+                "full_plugin_name": "dns-firstdomains"
+        },
+	"freedns": {
+		"name": "FreeDNS",
+		"package_name": "certbot-dns-freedns",
+		"version": "~=0.1.0",
+		"dependencies": "",
+		"credentials": "dns_freedns_username = myremoteuser\ndns_freedns_password = verysecureremoteuserpassword",
+		"full_plugin_name": "dns-freedns"
+	},
+	"gandi": {
+		"name": "Gandi Live DNS",
+		"package_name": "certbot-dns-gandi",
+		"version": "~=1.6.1",
+		"dependencies": "",
+		"credentials": "# Gandi personal access token\ndns_gandi_token=PERSONAL_ACCESS_TOKEN",
+		"full_plugin_name": "dns-gandi"
+	},
+	"gcore": {
+		"name": "Gcore DNS",
+		"package_name": "certbot-dns-gcore",
+		"version": "~=0.1.8",
+		"dependencies": "",
+		"credentials": "dns_gcore_apitoken = 0123456789abcdef0123456789abcdef01234567",
+		"full_plugin_name": "dns-gcore"
+	},
+	"glesys": {
+		"name": "Glesys",
+		"package_name": "certbot-dns-glesys",
+		"version": "~=2.1.0",
+		"dependencies": "",
+		"credentials": "dns_glesys_user = CL00000\ndns_glesys_password = apikeyvalue",
+		"full_plugin_name": "dns-glesys"
+	},
+	"godaddy": {
+		"name": "GoDaddy",
+		"package_name": "certbot-dns-godaddy",
+		"version": "==2.8.0",
+		"dependencies": "",
+		"credentials": "dns_godaddy_secret = 0123456789abcdef0123456789abcdef01234567\ndns_godaddy_key = abcdef0123456789abcdef01234567abcdef0123",
+		"full_plugin_name": "dns-godaddy"
+	},
+	"google": {
+		"name": "Google",
+		"package_name": "certbot-dns-google",
+		"version": "=={{certbot-version}}",
+		"dependencies": "",
+		"credentials": "{\n\"type\": \"service_account\",\n...\n}",
+		"full_plugin_name": "dns-google"
+	},
+	"googledomains": {
+		"name": "GoogleDomainsDNS",
+		"package_name": "certbot-dns-google-domains",
+		"version": "~=0.1.5",
+		"dependencies": "",
+		"credentials": "dns_google_domains_access_token = 0123456789abcdef0123456789abcdef01234567\ndns_google_domains_zone = \"example.com\"",
+		"full_plugin_name": "dns-google-domains"
+	},
+	"he": {
+		"name": "Hurricane Electric",
+		"package_name": "certbot-dns-he",
+		"version": "~=1.0.0",
+		"dependencies": "",
+		"credentials": "dns_he_user = Me\ndns_he_pass = my HE password",
+		"full_plugin_name": "dns-he"
+	},
+	"he-ddns": {
+		"name": "Hurricane Electric - DDNS",
+		"package_name": "certbot-dns-he-ddns",
+		"version": "~=0.1.0",
+		"dependencies": "",
+		"credentials": "dns_he_ddns_password = verysecurepassword",
+		"full_plugin_name": "dns-he-ddns"
+	},
+	"hetzner": {
+		"name": "Hetzner",
+		"package_name": "certbot-dns-hetzner",
+		"version": "~=1.0.4",
+		"dependencies": "",
+		"credentials": "dns_hetzner_api_token = 0123456789abcdef0123456789abcdef",
+		"full_plugin_name": "dns-hetzner"
+	},
+	"hetzner-cloud": {
+		"name": "Hetzner Cloud",
+		"package_name": "certbot-dns-hetzner-cloud",
+		"version": "~=1.0.4",
+		"dependencies": "",
+		"credentials": "dns_hetzner_cloud_api_token = your_api_token_here",
+		"full_plugin_name": "dns-hetzner-cloud"
+    },
+	"hostingnl": {
+		"name": "Hosting.nl",
+		"package_name": "certbot-dns-hostingnl",
+		"version": "~=0.1.5",
+		"dependencies": "",
+		"credentials": "dns_hostingnl_api_key = 0123456789abcdef0123456789abcdef",
+		"full_plugin_name": "dns-hostingnl"
+	},
+	"hover": {
+		"name": "Hover",
+		"package_name": "certbot-dns-hover",
+		"version": "~=1.2.1",
+		"dependencies": "",
+		"credentials": "dns_hover_hoverurl = https://www.hover.com\ndns_hover_username = hover-admin-username\ndns_hover_password = hover-admin-password\ndns_hover_totpsecret = 2fa-totp-secret",
+		"full_plugin_name": "dns-hover"
+	},
+	"infomaniak": {
+		"name": "Infomaniak",
+		"package_name": "certbot-dns-infomaniak",
+		"version": "~=0.2.2",
+		"dependencies": "",
+		"credentials": "dns_infomaniak_token = XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX",
+		"full_plugin_name": "dns-infomaniak"
+	},
+	"inwx": {
+		"name": "INWX",
+		"package_name": "certbot-dns-inwx",
+		"version": "~=2.1.2",
+		"dependencies": "",
+		"credentials": "dns_inwx_url = https://api.domrobot.com/xmlrpc/\ndns_inwx_username = your_username\ndns_inwx_password = your_password\ndns_inwx_shared_secret = your_shared_secret optional",
+		"full_plugin_name": "dns-inwx"
+	},
+	"ionos": {
+		"name": "IONOS",
+		"package_name": "certbot-dns-ionos",
+		"version": "==2022.11.24",
+		"dependencies": "",
+		"credentials": "dns_ionos_prefix = myapikeyprefix\ndns_ionos_secret = verysecureapikeysecret\ndns_ionos_endpoint = https://api.hosting.ionos.com",
+		"full_plugin_name": "dns-ionos"
+	},
+	"ispconfig": {
+		"name": "ISPConfig",
+		"package_name": "certbot-dns-ispconfig",
+		"version": "~=0.2.0",
+		"dependencies": "",
+		"credentials": "dns_ispconfig_username = myremoteuser\ndns_ispconfig_password = verysecureremoteuserpassword\ndns_ispconfig_endpoint = https://localhost:8080",
+		"full_plugin_name": "dns-ispconfig"
+	},
+	"isset": {
+		"name": "Isset",
+		"package_name": "certbot-dns-isset",
+		"version": "~=0.0.3",
+		"dependencies": "",
+		"credentials": "dns_isset_endpoint=\"https://customer.isset.net/api\"\ndns_isset_token=\"<token>\"",
+		"full_plugin_name": "dns-isset"
+	},
+	"joker": {
+		"name": "Joker",
+		"package_name": "certbot-dns-joker",
+		"version": "~=1.1.0",
+		"dependencies": "",
+		"credentials": "dns_joker_username = <Dynamic DNS Authentication Username>\ndns_joker_password = <Dynamic DNS Authentication Password>\ndns_joker_domain = <Dynamic DNS Domain>",
+		"full_plugin_name": "dns-joker"
+	},
+	"kas": {
+        "name": "All-Inkl",
+        "package_name": "certbot-dns-kas",
+        "version": "~=0.1.1",
+        "dependencies": "kasserver",
+        "credentials": "dns_kas_user = your_kas_user\ndns_kas_password = your_kas_password",
+        "full_plugin_name": "dns-kas"
+    },
+	"leaseweb": {
+		"name": "LeaseWeb",
+		"package_name": "certbot-dns-leaseweb",
+		"version": "~=1.0.3",
+		"dependencies": "",
+		"credentials": "dns_leaseweb_api_token = 01234556789",
+		"full_plugin_name": "dns-leaseweb"
+	},
+	"linode": {
+		"name": "Linode",
+		"package_name": "certbot-dns-linode",
+		"version": "=={{certbot-version}}",
+		"dependencies": "acme=={{certbot-version}}",
+		"credentials": "dns_linode_key = 0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ64\ndns_linode_version = [<blank>|3|4]",
+		"full_plugin_name": "dns-linode"
+	},
+	"loopia": {
+		"name": "Loopia",
+		"package_name": "certbot-dns-loopia",
+		"version": "~=1.0.0",
+		"dependencies": "",
+		"credentials": "dns_loopia_user = user@loopiaapi\ndns_loopia_password = abcdef0123456789abcdef01234567abcdef0123",
+		"full_plugin_name": "dns-loopia"
+	},
+	"luadns": {
+		"name": "LuaDNS",
+		"package_name": "certbot-dns-luadns",
+		"version": "=={{certbot-version}}",
+		"dependencies": "acme=={{certbot-version}}",
+		"credentials": "dns_luadns_email = user@example.com\ndns_luadns_token = 0123456789abcdef0123456789abcdef",
+		"full_plugin_name": "dns-luadns"
+	},
+	"mchost24": {
+		"name": "MC-HOST24",
+		"package_name": "certbot-dns-mchost24",
+		"version": "",
+		"dependencies": "",
+		"credentials": "# Obtain API token using https://github.com/JoeJoeTV/mchost24-api-python\ndns_mchost24_api_token=<insert obtained API token here>",
+		"full_plugin_name": "dns-mchost24"
+	},
+	"mijnhost": {
+		"name": "mijn.host",
+		"package_name": "certbot-dns-mijn-host",
+		"version": "~=0.0.4",
+		"dependencies": "",
+		"credentials": "dns_mijn_host_api_key=0123456789abcdef0123456789abcdef",
+		"full_plugin_name": "dns-mijn-host"
+	},
+	"namecheap": {
+		"name": "Namecheap",
+		"package_name": "certbot-dns-namecheap",
+		"version": "~=1.0.0",
+		"dependencies": "",
+		"credentials": "dns_namecheap_username  = 123456\ndns_namecheap_api_key      = 0123456789abcdef0123456789abcdef01234567",
+		"full_plugin_name": "dns-namecheap"
+	},
+	"netcup": {
+		"name": "netcup",
+		"package_name": "certbot-dns-netcup",
+		"version": "~=1.0.0",
+		"dependencies": "",
+		"credentials": "dns_netcup_customer_id  = 123456\ndns_netcup_api_key      = 0123456789abcdef0123456789abcdef01234567\ndns_netcup_api_password = abcdef0123456789abcdef01234567abcdef0123",
+		"full_plugin_name": "dns-netcup"
+	},
+	"nicru": {
+		"name": "nic.ru",
+		"package_name": "certbot-dns-nicru",
+		"version": "~=1.0.3",
+		"dependencies": "",
+		"credentials": "dns_nicru_client_id = application-id\ndns_nicru_client_secret = application-token\ndns_nicru_username = 0001110/NIC-D\ndns_nicru_password = password\ndns_nicru_scope = .+:.+/zones/example.com(/.+)?\ndns_nicru_service = DNS_SERVICE_NAME\ndns_nicru_zone = example.com",
+		"full_plugin_name": "dns-nicru"
+	},
+	"njalla": {
+		"name": "Njalla",
+		"package_name": "certbot-dns-njalla",
+		"version": "~=1.0.0",
+		"dependencies": "",
+		"credentials": "dns_njalla_token = 0123456789abcdef0123456789abcdef01234567",
+		"full_plugin_name": "dns-njalla"
+	},
+	"nsone": {
+		"name": "NS1",
+		"package_name": "certbot-dns-nsone",
+		"version": "=={{certbot-version}}",
+		"dependencies": "acme=={{certbot-version}}",
+		"credentials": "dns_nsone_api_key = MDAwMDAwMDAwMDAwMDAw",
+		"full_plugin_name": "dns-nsone"
+	},
+	"oci": {
+		"name": "Oracle Cloud Infrastructure DNS",
+		"package_name": "certbot-dns-oci",
+		"version": "~=0.3.6",
+		"dependencies": "oci",
+		"credentials": "[DEFAULT]\nuser = ocid1.user.oc1...\nfingerprint = xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx\ntenancy = ocid1.tenancy.oc1...\nregion = us-ashburn-1\nkey_file = ~/.oci/oci_api_key.pem",
+		"full_plugin_name": "dns-oci"
+	},
+	"ovh": {
+		"name": "OVH",
+		"package_name": "certbot-dns-ovh",
+		"version": "=={{certbot-version}}",
+		"dependencies": "acme=={{certbot-version}}",
+		"credentials": "dns_ovh_endpoint = ovh-eu\ndns_ovh_application_key = MDAwMDAwMDAwMDAw\ndns_ovh_application_secret = MDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAw\ndns_ovh_consumer_key = MDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAw",
+		"full_plugin_name": "dns-ovh"
+	},
+	"plesk": {
+		"name": "Plesk",
+		"package_name": "certbot-dns-plesk",
+		"version": "~=0.3.0",
+		"dependencies": "",
+		"credentials": "dns_plesk_username = your-username\ndns_plesk_password = secret\ndns_plesk_api_url = https://plesk-api-host:8443",
+		"full_plugin_name": "dns-plesk"
+	},
+	"porkbun": {
+		"name": "Porkbun",
+		"package_name": "certbot-dns-porkbun",
+		"version": "~=0.11.0",
+		"dependencies": "",
+		"credentials": "dns_porkbun_key=your-porkbun-api-key\ndns_porkbun_secret=your-porkbun-api-secret",
+		"full_plugin_name": "dns-porkbun"
+	},
+	"powerdns": {
+		"name": "PowerDNS",
+		"package_name": "certbot-dns-powerdns",
+		"version": "~=0.2.1",
+		"dependencies": "PyYAML==5.3.1",
+		"credentials": "dns_powerdns_api_url = https://api.mypowerdns.example.org\ndns_powerdns_api_key = AbCbASsd!@34",
+		"full_plugin_name": "dns-powerdns"
+	},
+	"regru": {
+		"name": "reg.ru",
+		"package_name": "certbot-regru",
+		"version": "~=1.0.2",
+		"dependencies": "",
+		"credentials": "dns_username=username\ndns_password=password",
+		"full_plugin_name": "dns"
+	},
+	"rfc2136": {
+		"name": "RFC 2136",
+		"package_name": "certbot-dns-rfc2136",
+		"version": "=={{certbot-version}}",
+		"dependencies": "acme=={{certbot-version}}",
+		"credentials": "# Target DNS server\ndns_rfc2136_server = 192.0.2.1\n# Target DNS port\ndns_rfc2136_port = 53\n# TSIG key name\ndns_rfc2136_name = keyname.\n# TSIG key secret\ndns_rfc2136_secret = 4q4wM/2I180UXoMyN4INVhJNi8V9BCV+jMw2mXgZw/CSuxUT8C7NKKFs AmKd7ak51vWKgSl12ib86oQRPkpDjg==\n# TSIG key algorithm\ndns_rfc2136_algorithm = HMAC-SHA512",
+		"full_plugin_name": "dns-rfc2136"
+	},
+	"rockenstein": {
+		"name": "rockenstein AG",
+		"package_name": "certbot-dns-rockenstein",
+		"version": "~=1.0.0",
+		"dependencies": "",
+		"credentials": "dns_rockenstein_token=<token>",
+		"full_plugin_name": "dns-rockenstein"
+	},
+	"route53": {
+		"name": "Route 53 (Amazon)",
+		"package_name": "certbot-dns-route53",
+		"version": "=={{certbot-version}}",
+		"dependencies": "acme=={{certbot-version}}",
+		"credentials": "[default]\naws_access_key_id=AKIAIOSFODNN7EXAMPLE\naws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
+		"full_plugin_name": "dns-route53"
+	},
+	"simply": {
+		"name": "Simply",
+		"package_name": "certbot-dns-simply",
+		"version": "~=0.1.2",
+		"dependencies": "",
+		"credentials": "dns_simply_account_name = UExxxxxx\ndns_simply_api_key = DsHJdsjh2812872sahj",
+		"full_plugin_name": "dns-simply"
+	},
+	"spaceship": {
+		"name": "Spaceship",
+		"package_name": "certbot-dns-spaceship",
+		"version": "~=1.0.4",
+		"dependencies": "",
+		"credentials": "[spaceship]\napi_key=your_api_key\napi_secret=your_api_secret",
+		"full_plugin_name": "dns-spaceship"
+	},
+	"strato": {
+		"name": "Strato",
+		"package_name": "certbot-dns-strato",
+		"version": "~=0.2.2",
+		"dependencies": "",
+		"credentials": "dns_strato_username = user\ndns_strato_password = pass\n# uncomment if youre using two factor authentication:\n# dns_strato_totp_devicename = 2fa_device\n# dns_strato_totp_secret = 2fa_secret\n#\n# uncomment if domain name contains special characters\n# insert domain display name as seen on your account page here\n# dns_strato_domain_display_name = my-punicode-url.de\n#\n# if youre not using strato.de or another special endpoint you can customise it below\n# you will probably only need to adjust the host, but you can also change the complete endpoint url\n# dns_strato_custom_api_scheme = https\n# dns_strato_custom_api_host = www.strato.de\n# dns_strato_custom_api_port = 443\n# dns_strato_custom_api_path = \"/apps/CustomerService\"",
+		"full_plugin_name": "dns-strato"
+	},
+	        "selectelv2": {
+                "name": "Selectel api v2",
+                "package_name": "certbot-dns-selectel-api-v2",
+                "version": "~=0.3.0",
+                "dependencies": "",
+                "credentials": "dns_selectel_api_v2_account_id = your_account_id\ndns_selectel_api_v2_project_name = your_project\ndns_selectel_api_v2_username = your_username\ndns_selectel_api_v2_password = your_password",
+                "full_plugin_name": "dns-selectel-api-v2"
+        },
+	"timeweb": {
+		"name": "Timeweb Cloud",
+		"package_name": "certbot-dns-timeweb",
+		"version": "~=1.0.1",
+		"dependencies": "",
+		"credentials": "dns_timeweb_api_key = XXXXXXXXXXXXXXXXXXX",
+		"full_plugin_name": "dns-timeweb"
+	},
+	"transip": {
+		"name": "TransIP",
+		"package_name": "certbot-dns-transip",
+		"version": "~=0.5.2",
+		"dependencies": "",
+		"credentials": "dns_transip_username = my_username\ndns_transip_key_file = /etc/letsencrypt/transip-rsa.key",
+		"full_plugin_name": "dns-transip"
+	},
+	"tencentcloud": {
+		"name": "Tencent Cloud",
+		"package_name": "certbot-dns-tencentcloud",
+		"version": "~=2.0.2",
+		"dependencies": "",
+		"credentials": "dns_tencentcloud_secret_id  = TENCENT_CLOUD_SECRET_ID\ndns_tencentcloud_secret_key = TENCENT_CLOUD_SECRET_KEY",
+		"full_plugin_name": "dns-tencentcloud"
+	},
+	"vultr": {
+		"name": "Vultr",
+		"package_name": "certbot-dns-vultr",
+		"version": "~=1.1.0",
+		"dependencies": "",
+		"credentials": "dns_vultr_key = YOUR_VULTR_API_KEY",
+		"full_plugin_name": "dns-vultr"
+	},
+	"websupport": {
+		"name": "Websupport.sk",
+		"package_name": "certbot-dns-websupport",
+		"version": "~=2.0.1",
+		"dependencies": "",
+		"credentials": "dns_websupport_identifier = <api_key>\ndns_websupport_secret_key = <secret>",
+		"full_plugin_name": "dns-websupport"
+	},
+	"wedos": {
+		"name": "Wedos",
+		"package_name": "certbot-dns-wedos",
+		"version": "~=2.2",
+		"dependencies": "",
+		"credentials": "dns_wedos_user = <wedos_registration>\ndns_wedos_auth = <wapi_password>",
+		"full_plugin_name": "dns-wedos"
+	},
+	"edgedns": {
+		"name": "Akamai Edge DNS",
+		"package_name": "certbot-plugin-edgedns",
+		"version": "~=0.1.0",
+		"dependencies": "",
+		"credentials": "edgedns_client_secret = as3d1asd5d1a32sdfsdfs2d1asd5=\nedgedns_host = sdflskjdf-dfsdfsdf-sdfsdfsdf.luna.akamaiapis.net\nedgedns_access_token = kjdsi3-34rfsdfsdf-234234fsdfsdf\nedgedns_client_token = dkfjdf-342fsdfsd-23fsdfsdfsdf",
+		"full_plugin_name": "edgedns"
+	},
+	"zoneedit": {
+		"name": "ZoneEdit",
+		"package_name": "certbot-dns-zoneedit",
+		"version": "~=0.3.2",
+		"dependencies": "--no-deps dnspython",
+		"credentials": "dns_zoneedit_user = <login-user-id>\ndns_zoneedit_token = <dyn-authentication-token>",
+		"full_plugin_name": "dns-zoneedit"
+ 	}
+}

backend/config/default.json

@@ -1,6 +1,6 @@
 {
   "database": {
-    "engine": "mysql",
+    "engine": "mysql2",
     "host": "db",
     "name": "npm",
     "user": "npm",

backend/config/sqlite-test-db.json

@@ -0,0 +1,26 @@
+{
+  "database": {
+      "engine": "knex-native",
+      "knex": {
+        "client": "sqlite3",
+        "connection": {
+          "filename": "/app/config/mydb.sqlite"
+        },
+        "pool": {
+          "min": 0,
+          "max": 1,
+          "createTimeoutMillis": 3000,
+          "acquireTimeoutMillis": 30000,
+          "idleTimeoutMillis": 30000,
+          "reapIntervalMillis": 1000,
+          "createRetryIntervalMillis": 100,
+          "propagateCreateError": false
+        },
+        "migrations": {
+          "tableName": "migrations",
+          "stub": "src/backend/lib/migrate_template.js",
+          "directory": "src/backend/migrations"
+        }
+      }
+    }
+}

backend/db.js

@@ -0,0 +1,42 @@
+import knex from "knex";
+import {configGet, configHas} from "./lib/config.js";
+
+let instance = null;
+
+const generateDbConfig = () => {
+	if (!configHas("database")) {
+		throw new Error(
+			"Database config does not exist! Please read the instructions: https://nginxproxymanager.com/setup/",
+		);
+	}
+
+	const cfg = configGet("database");
+
+	if (cfg.engine === "knex-native") {
+		return cfg.knex;
+	}
+
+	return {
+		client: cfg.engine,
+		connection: {
+			host: cfg.host,
+			user: cfg.user,
+			password: cfg.password,
+			database: cfg.name,
+			port:     cfg.port,
+			...(cfg.ssl ? { ssl: cfg.ssl } : {})
+		},
+		migrations: {
+			tableName: "migrations",
+		},
+	};
+};
+
+const getInstance = () => {
+	if (!instance) {
+		instance = knex(generateDbConfig());
+	}
+	return instance;
+}
+
+export default getInstance;

backend/index.js

@@ -0,0 +1,54 @@
+#!/usr/bin/env node
+
+import app from "./app.js";
+import internalCertificate from "./internal/certificate.js";
+import internalIpRanges from "./internal/ip_ranges.js";
+import { global as logger } from "./logger.js";
+import { migrateUp } from "./migrate.js";
+import { getCompiledSchema } from "./schema/index.js";
+import setup from "./setup.js";
+
+const IP_RANGES_FETCH_ENABLED = process.env.IP_RANGES_FETCH_ENABLED !== "false";
+
+async function appStart() {
+	return migrateUp()
+		.then(setup)
+		.then(getCompiledSchema)
+		.then(() => {
+			if (!IP_RANGES_FETCH_ENABLED) {
+				logger.info("IP Ranges fetch is disabled by environment variable");
+				return;
+			}
+			logger.info("IP Ranges fetch is enabled");
+			return internalIpRanges.fetch().catch((err) => {
+				logger.error("IP Ranges fetch failed, continuing anyway:", err.message);
+			});
+		})
+		.then(() => {
+			internalCertificate.initTimer();
+			internalIpRanges.initTimer();
+
+			const server = app.listen(3000, () => {
+				logger.info(`Backend PID ${process.pid} listening on port 3000 ...`);
+
+				process.on("SIGTERM", () => {
+					logger.info(`PID ${process.pid} received SIGTERM`);
+					server.close(() => {
+						logger.info("Stopping.");
+						process.exit(0);
+					});
+				});
+			});
+		})
+		.catch((err) => {
+			logger.error(`Startup Error: ${err.message}`, err);
+			setTimeout(appStart, 1000);
+		});
+}
+
+try {
+	appStart();
+} catch (err) {
+	logger.fatal(err);
+	process.exit(1);
+}

backend/internal/2fa.js

@@ -0,0 +1,302 @@
+import crypto from "node:crypto";
+import bcrypt from "bcrypt";
+import { createGuardrails, generateSecret, generateURI, verify } from "otplib";
+import errs from "../lib/error.js";
+import authModel from "../models/auth.js";
+import internalUser from "./user.js";
+
+const APP_NAME = "Nginx Proxy Manager";
+const BACKUP_CODE_COUNT = 8;
+
+/**
+ * Generate backup codes
+ * @returns {Promise<{plain: string[], hashed: string[]}>}
+ */
+const generateBackupCodes = async () => {
+	const plain = [];
+	const hashed = [];
+
+	for (let i = 0; i < BACKUP_CODE_COUNT; i++) {
+		const code = crypto.randomBytes(4).toString("hex").toUpperCase();
+		plain.push(code);
+		const hash = await bcrypt.hash(code, 10);
+		hashed.push(hash);
+	}
+
+	return { plain, hashed };
+};
+
+const internal2fa = {
+	/**
+	 * Check if user has 2FA enabled
+	 * @param {number} userId
+	 * @returns {Promise<boolean>}
+	 */
+	isEnabled: async (userId) => {
+		const auth = await internal2fa.getUserPasswordAuth(userId);
+		return auth?.meta?.totp_enabled === true;
+	},
+
+	/**
+	 * Get 2FA status for user
+	 * @param   {Access}  access
+	 * @param   {number}  userId
+	 * @returns {Promise<{enabled: boolean, backup_codes_remaining: number}>}
+	 */
+	getStatus: async (access, userId) => {
+		await access.can("users:password", userId);
+		await internalUser.get(access, { id: userId });
+		const auth = await internal2fa.getUserPasswordAuth(userId);
+		const enabled = auth?.meta?.totp_enabled === true;
+		let backup_codes_remaining = 0;
+
+		if (enabled) {
+			const backupCodes = auth.meta.backup_codes || [];
+			backup_codes_remaining = backupCodes.length;
+		}
+
+		return {
+			enabled,
+			backup_codes_remaining,
+		};
+	},
+
+	/**
+	 * Start 2FA setup - store pending secret
+	 *
+	 * @param   {Access}  access
+	 * @param   {number} userId
+	 * @returns {Promise<{secret: string, otpauth_url: string}>}
+	 */
+	startSetup: async (access, userId) => {
+		await access.can("users:password", userId);
+		const user = await internalUser.get(access, { id: userId });
+		const secret = generateSecret();
+		const otpauth_url = generateURI({
+			issuer: APP_NAME,
+			label: user.email,
+			secret: secret,
+		});
+		const auth = await internal2fa.getUserPasswordAuth(userId);
+
+		// ensure user isn't already setup for 2fa
+		const enabled = auth?.meta?.totp_enabled === true;
+		if (enabled) {
+			throw new errs.ValidationError("2FA is already enabled");
+		}
+
+		const meta = auth.meta || {};
+		meta.totp_pending_secret = secret;
+
+		await authModel
+			.query()
+			.where("id", auth.id)
+			.andWhere("user_id", userId)
+			.andWhere("type", "password")
+			.patch({ meta });
+
+		return { secret, otpauth_url };
+	},
+
+	/**
+	 * Enable 2FA after verifying code
+	 *
+	 * @param   {Access}  access
+	 * @param   {number}  userId
+	 * @param   {string}  code
+	 * @returns {Promise<{backup_codes: string[]}>}
+	 */
+	enable: async (access, userId, code) => {
+		await access.can("users:password", userId);
+		await internalUser.get(access, { id: userId });
+		const auth = await internal2fa.getUserPasswordAuth(userId);
+		const secret = auth?.meta?.totp_pending_secret || false;
+
+		if (!secret) {
+			throw new errs.ValidationError("No pending 2FA setup found");
+		}
+
+		const result = await verify({ token: code, secret });
+		if (!result.valid) {
+			throw new errs.ValidationError("Invalid verification code");
+		}
+
+		const { plain, hashed } = await generateBackupCodes();
+
+		const meta = {
+			...auth.meta,
+			totp_secret: secret,
+			totp_enabled: true,
+			totp_enabled_at: new Date().toISOString(),
+			backup_codes: hashed,
+		};
+		delete meta.totp_pending_secret;
+
+		await authModel
+			.query()
+			.where("id", auth.id)
+			.andWhere("user_id", userId)
+			.andWhere("type", "password")
+			.patch({ meta });
+
+		return { backup_codes: plain };
+	},
+
+	/**
+	 * Disable 2FA
+	 *
+	 * @param   {Access}  access
+	 * @param   {number} userId
+	 * @param   {string} code
+	 * @returns {Promise<void>}
+	 */
+	disable: async (access, userId, code) => {
+		await access.can("users:password", userId);
+		await internalUser.get(access, { id: userId });
+		const auth = await internal2fa.getUserPasswordAuth(userId);
+
+		const enabled = auth?.meta?.totp_enabled === true;
+		if (!enabled) {
+			throw new errs.ValidationError("2FA is not enabled");
+		}
+
+		const result = await verify({
+			token: code,
+			secret: auth.meta.totp_secret,
+		});
+
+		if (!result.valid) {
+			throw new errs.AuthError("Invalid verification code");
+		}
+
+		const meta = { ...auth.meta };
+		delete meta.totp_secret;
+		delete meta.totp_enabled;
+		delete meta.totp_enabled_at;
+		delete meta.backup_codes;
+
+		await authModel
+			.query()
+			.where("id", auth.id)
+			.andWhere("user_id", userId)
+			.andWhere("type", "password")
+			.patch({ meta });
+	},
+
+	/**
+	 * Verify 2FA code for login
+	 *
+	 * @param   {number} userId
+	 * @param   {string} token
+	 * @returns {Promise<boolean>}
+	 */
+	verifyForLogin: async (userId, token) => {
+		const auth = await internal2fa.getUserPasswordAuth(userId);
+		const secret = auth?.meta?.totp_secret || false;
+
+		if (!secret) {
+			return false;
+		}
+
+		// Try TOTP code first, if it's 6 chars. it will throw errors if it's not 6 chars
+		// and the backup codes are 8 chars.
+		if (token.length === 6) {
+			const result = await verify({
+				token,
+				secret,
+				// These guardrails lower the minimum length requirement for secrets.
+				// In v12 of otplib the default minimum length is 10 and in v13 it is 16.
+				// Since there are 2fa secrets in the wild generated with v12 we need to allow shorter secrets
+				// so people won't be locked out when upgrading.
+				guardrails: createGuardrails({
+					MIN_SECRET_BYTES: 10,
+				}),
+			});
+
+			if (result.valid) {
+				return true;
+			}
+		}
+
+		// Try backup codes
+		const backupCodes = auth?.meta?.backup_codes || [];
+		for (let i = 0; i < backupCodes.length; i++) {
+			const match = await bcrypt.compare(token.toUpperCase(), backupCodes[i]);
+			if (match) {
+				// Remove used backup code
+				const updatedCodes = [...backupCodes];
+				updatedCodes.splice(i, 1);
+				const meta = { ...auth.meta, backup_codes: updatedCodes };
+				await authModel
+					.query()
+					.where("id", auth.id)
+					.andWhere("user_id", userId)
+					.andWhere("type", "password")
+					.patch({ meta });
+				return true;
+			}
+		}
+
+		return false;
+	},
+
+	/**
+	 * Regenerate backup codes
+	 *
+	 * @param   {Access}  access
+	 * @param   {number}  userId
+	 * @param   {string}  token
+	 * @returns {Promise<{backup_codes: string[]}>}
+	 */
+	regenerateBackupCodes: async (access, userId, token) => {
+		await access.can("users:password", userId);
+		await internalUser.get(access, { id: userId });
+		const auth = await internal2fa.getUserPasswordAuth(userId);
+		const enabled = auth?.meta?.totp_enabled === true;
+		const secret = auth?.meta?.totp_secret || false;
+
+		if (!enabled) {
+			throw new errs.ValidationError("2FA is not enabled");
+		}
+		if (!secret) {
+			throw new errs.ValidationError("No 2FA secret found");
+		}
+
+		const result = await verify({
+			token,
+			secret,
+		});
+
+		if (!result.valid) {
+			throw new errs.ValidationError("Invalid verification code");
+		}
+
+		const { plain, hashed } = await generateBackupCodes();
+
+		const meta = { ...auth.meta, backup_codes: hashed };
+		await authModel
+			.query()
+			.where("id", auth.id)
+			.andWhere("user_id", userId)
+			.andWhere("type", "password")
+			.patch({ meta });
+
+		return { backup_codes: plain };
+	},
+
+	getUserPasswordAuth: async (userId) => {
+		const auth = await authModel
+			.query()
+			.where("user_id", userId)
+			.andWhere("type", "password")
+			.first();
+
+		if (!auth) {
+			throw new errs.ItemNotFoundError("Auth not found");
+		}
+
+		return auth;
+	},
+};
+
+export default internal2fa;

backend/internal/access-list.js

@@ -0,0 +1,488 @@
+import fs from "node:fs";
+import batchflow from "batchflow";
+import _ from "lodash";
+import errs from "../lib/error.js";
+import utils from "../lib/utils.js";
+import { access as logger } from "../logger.js";
+import accessListModel from "../models/access_list.js";
+import accessListAuthModel from "../models/access_list_auth.js";
+import accessListClientModel from "../models/access_list_client.js";
+import proxyHostModel from "../models/proxy_host.js";
+import internalAuditLog from "./audit-log.js";
+import internalNginx from "./nginx.js";
+
+const omissions = () => {
+	return ["is_deleted"];
+};
+
+const internalAccessList = {
+	/**
+	 * @param   {Access}  access
+	 * @param   {Object}  data
+	 * @returns {Promise}
+	 */
+	create: async (access, data) => {
+		await access.can("access_lists:create", data);
+		const row = await accessListModel
+			.query()
+			.insertAndFetch({
+				name: data.name,
+				satisfy_any: data.satisfy_any,
+				pass_auth: data.pass_auth,
+				owner_user_id: access.token.getUserId(1),
+			})
+			.then(utils.omitRow(omissions()));
+
+		data.id = row.id;
+
+		const promises = [];
+		// Items
+		data.items.map((item) => {
+			promises.push(
+				accessListAuthModel.query().insert({
+					access_list_id: row.id,
+					username: item.username,
+					password: item.password,
+				}),
+			);
+			return true;
+		});
+
+		// Clients
+		data.clients?.map((client) => {
+			promises.push(
+				accessListClientModel.query().insert({
+					access_list_id: row.id,
+					address: client.address,
+					directive: client.directive,
+				}),
+			);
+			return true;
+		});
+
+		await Promise.all(promises);
+
+		// re-fetch with expansions
+		const freshRow = await internalAccessList.get(
+			access,
+			{
+				id: data.id,
+				expand: ["owner", "items", "clients", "proxy_hosts.access_list.[clients,items]"],
+			},
+			true // skip masking
+		);
+
+		// Audit log
+		data.meta = _.assign({}, data.meta || {}, freshRow.meta);
+		await internalAccessList.build(freshRow);
+
+		if (Number.parseInt(freshRow.proxy_host_count, 10)) {
+			await internalNginx.bulkGenerateConfigs("proxy_host", freshRow.proxy_hosts);
+		}
+
+		// Add to audit log
+		await internalAuditLog.add(access, {
+			action: "created",
+			object_type: "access-list",
+			object_id: freshRow.id,
+			meta: internalAccessList.maskItems(data),
+		});
+
+		return internalAccessList.maskItems(freshRow);
+	},
+
+	/**
+	 * @param  {Access}  access
+	 * @param  {Object}  data
+	 * @param  {Integer} data.id
+	 * @param  {String}  [data.name]
+	 * @param  {String}  [data.items]
+	 * @return {Promise}
+	 */
+	update: async (access, data) => {
+		await access.can("access_lists:update", data.id);
+		const row = await internalAccessList.get(access, { id: data.id });
+		if (row.id !== data.id) {
+			// Sanity check that something crazy hasn't happened
+			throw new errs.InternalValidationError(
+				`Access List could not be updated, IDs do not match: ${row.id} !== ${data.id}`,
+			);
+		}
+
+		// patch name if specified
+		if (typeof data.name !== "undefined" && data.name) {
+			await accessListModel.query().where({ id: data.id }).patch({
+				name: data.name,
+				satisfy_any: data.satisfy_any,
+				pass_auth: data.pass_auth,
+			});
+		}
+
+		// Check for items and add/update/remove them
+		if (typeof data.items !== "undefined" && data.items) {
+			const promises = [];
+			const itemsToKeep = [];
+
+			data.items.map((item) => {
+				if (item.password) {
+					promises.push(
+						accessListAuthModel.query().insert({
+							access_list_id: data.id,
+							username: item.username,
+							password: item.password,
+						}),
+					);
+				} else {
+					// This was supplied with an empty password, which means keep it but don't change the password
+					itemsToKeep.push(item.username);
+				}
+				return true;
+			});
+
+			const query = accessListAuthModel.query().delete().where("access_list_id", data.id);
+
+			if (itemsToKeep.length) {
+				query.andWhere("username", "NOT IN", itemsToKeep);
+			}
+
+			await query;
+			// Add new items
+			if (promises.length) {
+				await Promise.all(promises);
+			}
+		}
+
+		// Check for clients and add/update/remove them
+		if (typeof data.clients !== "undefined" && data.clients) {
+			const clientPromises = [];
+			data.clients.map((client) => {
+				if (client.address) {
+					clientPromises.push(
+						accessListClientModel.query().insert({
+							access_list_id: data.id,
+							address: client.address,
+							directive: client.directive,
+						}),
+					);
+				}
+				return true;
+			});
+
+			const query = accessListClientModel.query().delete().where("access_list_id", data.id);
+			await query;
+			// Add new clitens
+			if (clientPromises.length) {
+				await Promise.all(clientPromises);
+			}
+		}
+
+		// Add to audit log
+		await internalAuditLog.add(access, {
+			action: "updated",
+			object_type: "access-list",
+			object_id: data.id,
+			meta: internalAccessList.maskItems(data),
+		});
+
+		// re-fetch with expansions
+		const freshRow = await internalAccessList.get(
+			access,
+			{
+				id: data.id,
+				expand: ["owner", "items", "clients", "proxy_hosts.[certificate,access_list.[clients,items]]"],
+			},
+			true // skip masking
+		);
+
+		await internalAccessList.build(freshRow)
+		if (Number.parseInt(freshRow.proxy_host_count, 10)) {
+			await internalNginx.bulkGenerateConfigs("proxy_host", freshRow.proxy_hosts);
+		}
+		await internalNginx.reload();
+		return internalAccessList.maskItems(freshRow);
+	},
+
+	/**
+	 * @param  {Access}   access
+	 * @param  {Object}   data
+	 * @param  {Integer}  data.id
+	 * @param  {Array}    [data.expand]
+	 * @param  {Array}    [data.omit]
+	 * @param  {Boolean}  [skipMasking]
+	 * @return {Promise}
+	 */
+	get: async (access, data, skipMasking) => {
+		const thisData = data || {};
+		const accessData = await access.can("access_lists:get", thisData.id)
+
+		const query = accessListModel
+			.query()
+			.select("access_list.*", accessListModel.raw("COUNT(proxy_host.id) as proxy_host_count"))
+			.leftJoin("proxy_host", function () {
+				this.on("proxy_host.access_list_id", "=", "access_list.id").andOn(
+					"proxy_host.is_deleted",
+					"=",
+					0,
+				);
+			})
+			.where("access_list.is_deleted", 0)
+			.andWhere("access_list.id", thisData.id)
+			.groupBy("access_list.id")
+			.allowGraph("[owner,items,clients,proxy_hosts.[certificate,access_list.[clients,items]]]")
+			.first();
+
+		if (accessData.permission_visibility !== "all") {
+			query.andWhere("access_list.owner_user_id", access.token.getUserId(1));
+		}
+
+		if (typeof thisData.expand !== "undefined" && thisData.expand !== null) {
+			query.withGraphFetched(`[${thisData.expand.join(", ")}]`);
+		}
+
+		let row = await query.then(utils.omitRow(omissions()));
+
+		if (!row || !row.id) {
+			throw new errs.ItemNotFoundError(thisData.id);
+		}
+		if (!skipMasking && typeof row.items !== "undefined" && row.items) {
+			row = internalAccessList.maskItems(row);
+		}
+		// Custom omissions
+		if (typeof data.omit !== "undefined" && data.omit !== null) {
+			row = _.omit(row, data.omit);
+		}
+		return row;
+	},
+
+	/**
+	 * @param   {Access}  access
+	 * @param   {Object}  data
+	 * @param   {Integer} data.id
+	 * @param   {String}  [data.reason]
+	 * @returns {Promise}
+	 */
+	delete: async (access, data) => {
+		await access.can("access_lists:delete", data.id);
+		const row = await internalAccessList.get(access, {
+			id: data.id,
+			expand: ["proxy_hosts", "items", "clients"],
+		});
+
+		if (!row || !row.id) {
+			throw new errs.ItemNotFoundError(data.id);
+		}
+
+		// 1. update row to be deleted
+		// 2. update any proxy hosts that were using it (ignoring permissions)
+		// 3. reconfigure those hosts
+		// 4. audit log
+
+		// 1. update row to be deleted
+		await accessListModel
+			.query()
+			.where("id", row.id)
+			.patch({
+				is_deleted: 1,
+			});
+
+		// 2. update any proxy hosts that were using it (ignoring permissions)
+		if (row.proxy_hosts) {
+			await proxyHostModel
+				.query()
+				.where("access_list_id", "=", row.id)
+				.patch({ access_list_id: 0 });
+
+			// 3. reconfigure those hosts, then reload nginx
+			// set the access_list_id to zero for these items
+			row.proxy_hosts.map((_val, idx) => {
+				row.proxy_hosts[idx].access_list_id = 0;
+				return true;
+			});
+
+			await internalNginx.bulkGenerateConfigs("proxy_host", row.proxy_hosts);
+		}
+
+		await internalNginx.reload();
+
+		// delete the htpasswd file
+		try {
+			fs.unlinkSync(internalAccessList.getFilename(row));
+		} catch (_err) {
+			// do nothing
+		}
+
+		// 4. audit log
+		await internalAuditLog.add(access, {
+			action: "deleted",
+			object_type: "access-list",
+			object_id: row.id,
+			meta: _.omit(internalAccessList.maskItems(row), ["is_deleted", "proxy_hosts"]),
+		});
+		return true;
+	},
+
+	/**
+	 * All Lists
+	 *
+	 * @param   {Access}  access
+	 * @param   {Array}   [expand]
+	 * @param   {String}  [searchQuery]
+	 * @returns {Promise}
+	 */
+	getAll: async (access, expand, searchQuery) => {
+		const accessData = await access.can("access_lists:list");
+
+		const query = accessListModel
+			.query()
+			.select("access_list.*", accessListModel.raw("COUNT(proxy_host.id) as proxy_host_count"))
+			.leftJoin("proxy_host", function () {
+				this.on("proxy_host.access_list_id", "=", "access_list.id").andOn(
+					"proxy_host.is_deleted",
+					"=",
+					0,
+				);
+			})
+			.where("access_list.is_deleted", 0)
+			.groupBy("access_list.id")
+			.allowGraph("[owner,items,clients]")
+			.orderBy("access_list.name", "ASC");
+
+		if (accessData.permission_visibility !== "all") {
+			query.andWhere("access_list.owner_user_id", access.token.getUserId(1));
+		}
+
+		// Query is used for searching
+		if (typeof searchQuery === "string") {
+			query.where(function () {
+				this.where("name", "like", `%${searchQuery}%`);
+			});
+		}
+
+		if (typeof expand !== "undefined" && expand !== null) {
+			query.withGraphFetched(`[${expand.join(", ")}]`);
+		}
+
+		const rows = await query.then(utils.omitRows(omissions()));
+		if (rows) {
+			rows.map((row, idx) => {
+				if (typeof row.items !== "undefined" && row.items) {
+					rows[idx] = internalAccessList.maskItems(row);
+				}
+				return true;
+			});
+		}
+		return rows;
+	},
+
+	/**
+	 * Count is used in reports
+	 *
+	 * @param   {Integer} userId
+	 * @param   {String}  visibility
+	 * @returns {Promise}
+	 */
+	getCount: async (userId, visibility) => {
+		const query = accessListModel
+			.query()
+			.count("id as count")
+			.where("is_deleted", 0);
+
+		if (visibility !== "all") {
+			query.andWhere("owner_user_id", userId);
+		}
+
+		const row = await query.first();
+		return Number.parseInt(row.count, 10);
+	},
+
+	/**
+	 * @param   {Object}  list
+	 * @returns {Object}
+	 */
+	maskItems: (list) => {
+		if (list && typeof list.items !== "undefined") {
+			list.items.map((val, idx) => {
+				let repeatFor = 8;
+				let firstChar = "*";
+
+				if (typeof val.password !== "undefined" && val.password) {
+					repeatFor = val.password.length - 1;
+					firstChar = val.password.charAt(0);
+				}
+
+				list.items[idx].hint = firstChar + "*".repeat(repeatFor);
+				list.items[idx].password = "";
+				return true;
+			});
+		}
+		return list;
+	},
+
+	/**
+	 * @param   {Object}  list
+	 * @param   {Integer} list.id
+	 * @returns {String}
+	 */
+	getFilename: (list) => {
+		return `/data/access/${list.id}`;
+	},
+
+	/**
+	 * @param   {Object}  list
+	 * @param   {Integer} list.id
+	 * @param   {String}  list.name
+	 * @param   {Array}   list.items
+	 * @returns {Promise}
+	 */
+	build: async (list) => {
+		logger.info(`Building Access file #${list.id} for: ${list.name}`);
+
+		const htpasswdFile = internalAccessList.getFilename(list);
+
+		// 1. remove any existing access file
+		try {
+			fs.unlinkSync(htpasswdFile);
+		} catch (_err) {
+			// do nothing
+		}
+
+		// 2. create empty access file
+		fs.writeFileSync(htpasswdFile, '', {encoding: 'utf8'});
+
+		// 3. generate password for each user
+		if (list.items.length) {
+			await new Promise((resolve, reject) => {
+				batchflow(list.items).sequential()
+					.each((_i, item, next) => {
+						if (item.password?.length) {
+							logger.info(`Adding: ${item.username}`);
+
+							utils.execFile('openssl', ['passwd', '-apr1', item.password])
+								.then((res) => {
+									try {
+										fs.appendFileSync(htpasswdFile, `${item.username}:${res}\n`, {encoding: 'utf8'});
+									} catch (err) {
+										reject(err);
+									}
+									next();
+								})
+								.catch((err) => {
+									logger.error(err);
+									next(err);
+								});
+						}
+					})
+					.error((err) => {
+						logger.error(err);
+						reject(err);
+					})
+					.end((results) => {
+						logger.success(`Built Access file #${list.id} for: ${list.name}`);
+						resolve(results);
+					});
+			});
+		}
+	}
+}
+
+export default internalAccessList;

backend/internal/audit-log.js

@@ -0,0 +1,102 @@
+import errs from "../lib/error.js";
+import { castJsonIfNeed } from "../lib/helpers.js";
+import auditLogModel from "../models/audit-log.js";
+
+const internalAuditLog = {
+
+	/**
+	 * All logs
+	 *
+	 * @param   {Access}  access
+	 * @param   {Array}   [expand]
+	 * @param   {String}  [searchQuery]
+	 * @returns {Promise}
+	 */
+	getAll: async (access, expand, searchQuery) => {
+		await access.can("auditlog:list");
+
+		const query = auditLogModel
+			.query()
+			.orderBy("created_on", "DESC")
+			.orderBy("id", "DESC")
+			.limit(100)
+			.allowGraph("[user]");
+
+		// Query is used for searching
+		if (typeof searchQuery === "string" && searchQuery.length > 0) {
+			query.where(function () {
+				this.where(castJsonIfNeed("meta"), "like", `%${searchQuery}`);
+			});
+		}
+
+		if (typeof expand !== "undefined" && expand !== null) {
+			query.withGraphFetched(`[${expand.join(", ")}]`);
+		}
+
+		return await query;
+	},
+
+	/**
+	 * @param  {Access}   access
+	 * @param  {Object}   [data]
+	 * @param  {Integer}  [data.id]          Defaults to the token user
+	 * @param  {Array}    [data.expand]
+	 * @return {Promise}
+	 */
+	get: async (access, data) => {
+		await access.can("auditlog:list");
+
+		const query = auditLogModel
+			.query()
+			.andWhere("id", data.id)
+			.allowGraph("[user]")
+			.first();
+
+		if (typeof data.expand !== "undefined" && data.expand !== null) {
+			query.withGraphFetched(`[${data.expand.join(", ")}]`);
+		}
+
+		const row = await query;
+
+		if (!row?.id) {
+			throw new errs.ItemNotFoundError(data.id);
+		}
+
+		return row;
+	},
+
+	/**
+	 * This method should not be publicly used, it doesn't check certain things. It will be assumed
+	 * that permission to add to audit log is already considered, however the access token is used for
+	 * default user id determination.
+	 *
+	 * @param   {Access}   access
+	 * @param   {Object}   data
+	 * @param   {String}   data.action
+	 * @param   {Number}   [data.user_id]
+	 * @param   {Number}   [data.object_id]
+	 * @param   {Number}   [data.object_type]
+	 * @param   {Object}   [data.meta]
+	 * @returns {Promise}
+	 */
+	add: async (access, data) => {
+		if (typeof data.user_id === "undefined" || !data.user_id) {
+			data.user_id = access.token.getUserId(1);
+		}
+
+		if (typeof data.action === "undefined" || !data.action) {
+			throw new errs.InternalValidationError("Audit log entry must contain an Action");
+		}
+
+		// Make sure at least 1 of the IDs are set and action
+		return await auditLogModel.query().insert({
+			user_id: data.user_id,
+			action: data.action,
+			object_type: data.object_type || "",
+			object_id: data.object_id || 0,
+			meta: data.meta || {},
+		});
+	},
+};
+
+export default internalAuditLog;

backend/internal/dead-host.js

@@ -0,0 +1,394 @@
+import _ from "lodash";
+import errs from "../lib/error.js";
+import { castJsonIfNeed } from "../lib/helpers.js";
+import utils from "../lib/utils.js";
+import deadHostModel from "../models/dead_host.js";
+import internalAuditLog from "./audit-log.js";
+import internalCertificate from "./certificate.js";
+import internalHost from "./host.js";
+import internalNginx from "./nginx.js";
+
+const omissions = () => {
+	return ["is_deleted"];
+};
+
+const internalDeadHost = {
+	/**
+	 * @param   {Access}  access
+	 * @param   {Object}  data
+	 * @returns {Promise}
+	 */
+	create: async (access, data) => {
+		const createCertificate = data.certificate_id === "new";
+
+		if (createCertificate) {
+			delete data.certificate_id;
+		}
+
+		await access.can("dead_hosts:create", data);
+
+		// Get a list of the domain names and check each of them against existing records
+		const domainNameCheckPromises = [];
+
+		data.domain_names.map((domain_name) => {
+			domainNameCheckPromises.push(internalHost.isHostnameTaken(domain_name));
+			return true;
+		});
+
+		await Promise.all(domainNameCheckPromises).then((check_results) => {
+			check_results.map((result) => {
+				if (result.is_taken) {
+					throw new errs.ValidationError(`${result.hostname} is already in use`);
+				}
+				return true;
+			});
+		});
+
+		// At this point the domains should have been checked
+		data.owner_user_id = access.token.getUserId(1);
+		const thisData = internalHost.cleanSslHstsData(data);
+
+		// Fix for db field not having a default value
+		// for this optional field.
+		if (typeof data.advanced_config === "undefined") {
+			thisData.advanced_config = "";
+		}
+
+		const row = await deadHostModel.query()
+			.insertAndFetch(thisData)
+			.then(utils.omitRow(omissions()));
+
+		// Add to audit log
+		await internalAuditLog.add(access, {
+			action: "created",
+			object_type: "dead-host",
+			object_id: row.id,
+			meta: thisData,
+		});
+
+		if (createCertificate) {
+			const cert = await internalCertificate.createQuickCertificate(access, data);
+
+			// update host with cert id
+			await internalDeadHost.update(access, {
+				id: row.id,
+				certificate_id: cert.id,
+			});
+		}
+
+		// re-fetch with cert
+		const freshRow = await internalDeadHost.get(access, {
+			id: row.id,
+			expand: ["certificate", "owner"],
+		});
+
+		// Sanity check
+		if (createCertificate && !freshRow.certificate_id) {
+			throw new errs.InternalValidationError("The host was created but the Certificate creation failed.");
+		}
+
+		// Configure nginx
+		await internalNginx.configure(deadHostModel, "dead_host", freshRow);
+
+		return freshRow;
+	},
+
+	/**
+	 * @param  {Access}  access
+	 * @param  {Object}  data
+	 * @param  {Number}  data.id
+	 * @return {Promise}
+	 */
+	update: async (access, data) => {
+		const createCertificate = data.certificate_id === "new";
+		if (createCertificate) {
+			delete data.certificate_id;
+		}
+
+		await access.can("dead_hosts:update", data.id);
+
+		// Get a list of the domain names and check each of them against existing records
+		const domainNameCheckPromises = [];
+		if (typeof data.domain_names !== "undefined") {
+			data.domain_names.map((domainName) => {
+				domainNameCheckPromises.push(internalHost.isHostnameTaken(domainName, "dead", data.id));
+				return true;
+			});
+
+			const checkResults = await Promise.all(domainNameCheckPromises);
+			checkResults.map((result) => {
+				if (result.is_taken) {
+					throw new errs.ValidationError(`${result.hostname} is already in use`);
+				}
+				return true;
+			});
+		}
+		const row = await internalDeadHost.get(access, { id: data.id });
+
+		if (row.id !== data.id) {
+			// Sanity check that something crazy hasn't happened
+			throw new errs.InternalValidationError(
+				`404 Host could not be updated, IDs do not match: ${row.id} !== ${data.id}`,
+			);
+		}
+
+		if (createCertificate) {
+			const cert = await internalCertificate.createQuickCertificate(access, {
+				domain_names: data.domain_names || row.domain_names,
+				meta: _.assign({}, row.meta, data.meta),
+			});
+
+			// update host with cert id
+			data.certificate_id = cert.id;
+		}
+
+		// Add domain_names to the data in case it isn't there, so that the audit log renders correctly. The order is important here.
+		let thisData = _.assign(
+			{},
+			{
+				domain_names: row.domain_names,
+			},
+			data,
+		);
+
+		thisData = internalHost.cleanSslHstsData(thisData, row);
+
+
+		// do the row update
+		await deadHostModel
+			.query()
+			.where({id: data.id})
+			.patch(data);
+
+		// Add to audit log
+		await internalAuditLog.add(access, {
+			action: "updated",
+			object_type: "dead-host",
+			object_id: row.id,
+			meta: thisData,
+		});
+
+		const thisRow = await internalDeadHost
+			.get(access, {
+				id: thisData.id,
+				expand: ["owner", "certificate"],
+			});
+
+		// Configure nginx
+		const newMeta = await internalNginx.configure(deadHostModel, "dead_host", row);
+		row.meta = newMeta;
+		return _.omit(internalHost.cleanRowCertificateMeta(thisRow), omissions());
+	},
+
+	/**
+	 * @param  {Access}   access
+	 * @param  {Object}   data
+	 * @param  {Number}   data.id
+	 * @param  {Array}    [data.expand]
+	 * @param  {Array}    [data.omit]
+	 * @return {Promise}
+	 */
+	get: async (access, data) => {
+		const accessData = await access.can("dead_hosts:get", data.id);
+		const query = deadHostModel
+			.query()
+			.where("is_deleted", 0)
+			.andWhere("id", data.id)
+			.allowGraph("[owner,certificate]")
+			.first();
+
+		if (accessData.permission_visibility !== "all") {
+			query.andWhere("owner_user_id", access.token.getUserId(1));
+		}
+
+		if (typeof data.expand !== "undefined" && data.expand !== null) {
+			query.withGraphFetched(`[${data.expand.join(", ")}]`);
+		}
+
+		const row = await query.then(utils.omitRow(omissions()));
+		if (!row || !row.id) {
+			throw new errs.ItemNotFoundError(data.id);
+		}
+		// Custom omissions
+		if (typeof data.omit !== "undefined" && data.omit !== null) {
+			return _.omit(row, data.omit);
+		}
+		return row;
+	},
+
+	/**
+	 * @param {Access}  access
+	 * @param {Object}  data
+	 * @param {Number}  data.id
+	 * @param {String}  [data.reason]
+	 * @returns {Promise}
+	 */
+	delete: async (access, data) => {
+		await access.can("dead_hosts:delete", data.id)
+		const row = await internalDeadHost.get(access, { id: data.id });
+		if (!row || !row.id) {
+			throw new errs.ItemNotFoundError(data.id);
+		}
+
+		await deadHostModel
+			.query()
+			.where("id", row.id)
+			.patch({
+				is_deleted: 1,
+			});
+
+		// Delete Nginx Config
+		await internalNginx.deleteConfig("dead_host", row);
+		await internalNginx.reload();
+
+		// Add to audit log
+		await internalAuditLog.add(access, {
+			action: "deleted",
+			object_type: "dead-host",
+			object_id: row.id,
+			meta: _.omit(row, omissions()),
+		});
+		return true;
+	},
+
+	/**
+	 * @param {Access}  access
+	 * @param {Object}  data
+	 * @param {Number}  data.id
+	 * @param {String}  [data.reason]
+	 * @returns {Promise}
+	 */
+	enable: async (access, data) => {
+		await access.can("dead_hosts:update", data.id)
+		const row = await internalDeadHost.get(access, {
+			id: data.id,
+			expand: ["certificate", "owner"],
+		});
+		if (!row || !row.id) {
+			throw new errs.ItemNotFoundError(data.id);
+		}
+		if (row.enabled) {
+			throw new errs.ValidationError("Host is already enabled");
+		}
+
+		row.enabled = 1;
+
+		await deadHostModel
+			.query()
+			.where("id", row.id)
+			.patch({
+				enabled: 1,
+			});
+
+		// Configure nginx
+		await internalNginx.configure(deadHostModel, "dead_host", row);
+
+		// Add to audit log
+		await internalAuditLog.add(access, {
+			action: "enabled",
+			object_type: "dead-host",
+			object_id: row.id,
+			meta: _.omit(row, omissions()),
+		});
+		return true;
+	},
+
+	/**
+	 * @param {Access}  access
+	 * @param {Object}  data
+	 * @param {Number}  data.id
+	 * @param {String}  [data.reason]
+	 * @returns {Promise}
+	 */
+	disable: async (access, data) => {
+		await access.can("dead_hosts:update", data.id)
+		const row = await internalDeadHost.get(access, { id: data.id });
+		if (!row || !row.id) {
+			throw new errs.ItemNotFoundError(data.id);
+		}
+		if (!row.enabled) {
+			throw new errs.ValidationError("Host is already disabled");
+		}
+
+		row.enabled = 0;
+
+		await deadHostModel
+			.query()
+			.where("id", row.id)
+			.patch({
+				enabled: 0,
+			});
+
+		// Delete Nginx Config
+		await internalNginx.deleteConfig("dead_host", row);
+		await internalNginx.reload();
+
+		// Add to audit log
+		await internalAuditLog.add(access, {
+			action: "disabled",
+			object_type: "dead-host",
+			object_id: row.id,
+			meta: _.omit(row, omissions()),
+		});
+		return true;
+	},
+
+	/**
+	 * All Hosts
+	 *
+	 * @param   {Access}  access
+	 * @param   {Array}   [expand]
+	 * @param   {String}  [searchQuery]
+	 * @returns {Promise}
+	 */
+	getAll: async (access, expand, searchQuery) => {
+		const accessData = await access.can("dead_hosts:list")
+		const query = deadHostModel
+			.query()
+			.where("is_deleted", 0)
+			.groupBy("id")
+			.allowGraph("[owner,certificate]")
+			.orderBy(castJsonIfNeed("domain_names"), "ASC");
+
+		if (accessData.permission_visibility !== "all") {
+			query.andWhere("owner_user_id", access.token.getUserId(1));
+		}
+
+		// Query is used for searching
+		if (typeof searchQuery === "string" && searchQuery.length > 0) {
+			query.where(function () {
+				this.where(castJsonIfNeed("domain_names"), "like", `%${searchQuery}%`);
+			});
+		}
+
+		if (typeof expand !== "undefined" && expand !== null) {
+			query.withGraphFetched(`[${expand.join(", ")}]`);
+		}
+
+		const rows = await query.then(utils.omitRows(omissions()));
+		if (typeof expand !== "undefined" && expand !== null && expand.indexOf("certificate") !== -1) {
+			internalHost.cleanAllRowsCertificateMeta(rows);
+		}
+		return rows;
+	},
+
+	/**
+	 * Report use
+	 *
+	 * @param   {Number}  user_id
+	 * @param   {String}  visibility
+	 * @returns {Promise}
+	 */
+	getCount: async (user_id, visibility) => {
+		const query = deadHostModel.query().count("id as count").where("is_deleted", 0);
+
+		if (visibility !== "all") {
+			query.andWhere("owner_user_id", user_id);
+		}
+
+		const row = await query.first();
+		return Number.parseInt(row.count, 10);
+	},
+};
+
+export default internalDeadHost;

backend/internal/host.js

@@ -0,0 +1,234 @@
+import _ from "lodash";
+import { castJsonIfNeed } from "../lib/helpers.js";
+import deadHostModel from "../models/dead_host.js";
+import proxyHostModel from "../models/proxy_host.js";
+import redirectionHostModel from "../models/redirection_host.js";
+
+const internalHost = {
+	/**
+	 * Makes sure that the ssl_* and hsts_* fields play nicely together.
+	 * ie: if there is no cert, then force_ssl is off.
+	 *     if force_ssl is off, then hsts_enabled is definitely off.
+	 *
+	 * @param   {object} data
+	 * @param   {object} [existing_data]
+	 * @returns {object}
+	 */
+	cleanSslHstsData: (data, existingData) => {
+		const combinedData = _.assign({}, existingData || {}, data);
+
+		if (!combinedData.certificate_id) {
+			combinedData.ssl_forced = false;
+			combinedData.http2_support = false;
+		}
+
+		if (!combinedData.ssl_forced) {
+			combinedData.hsts_enabled = false;
+		}
+
+		if (!combinedData.hsts_enabled) {
+			combinedData.hsts_subdomains = false;
+		}
+
+		return combinedData;
+	},
+
+	/**
+	 * used by the getAll functions of hosts, this removes the certificate meta if present
+	 *
+	 * @param   {Array}  rows
+	 * @returns {Array}
+	 */
+	cleanAllRowsCertificateMeta: (rows) => {
+		rows.map((_, idx) => {
+			if (typeof rows[idx].certificate !== "undefined" && rows[idx].certificate) {
+				rows[idx].certificate.meta = {};
+			}
+			return true;
+		});
+
+		return rows;
+	},
+
+	/**
+	 * used by the get/update functions of hosts, this removes the certificate meta if present
+	 *
+	 * @param   {Object}  row
+	 * @returns {Object}
+	 */
+	cleanRowCertificateMeta: (row) => {
+		if (typeof row.certificate !== "undefined" && row.certificate) {
+			row.certificate.meta = {};
+		}
+
+		return row;
+	},
+
+	/**
+	 * This returns all the host types with any domain listed in the provided domainNames array.
+	 * This is used by the certificates to temporarily disable any host that is using the domain
+	 *
+	 * @param   {Array}  domainNames
+	 * @returns {Promise}
+	 */
+	getHostsWithDomains: async (domainNames) => {
+		const responseObject = {
+			total_count: 0,
+			dead_hosts: [],
+			proxy_hosts: [],
+			redirection_hosts: [],
+		};
+
+		const proxyRes = await proxyHostModel.query().where("is_deleted", 0);
+		responseObject.proxy_hosts = internalHost._getHostsWithDomains(proxyRes, domainNames);
+		responseObject.total_count += responseObject.proxy_hosts.length;
+
+		const redirRes = await redirectionHostModel.query().where("is_deleted", 0);
+		responseObject.redirection_hosts = internalHost._getHostsWithDomains(redirRes, domainNames);
+		responseObject.total_count += responseObject.redirection_hosts.length;
+
+		const deadRes = await deadHostModel.query().where("is_deleted", 0);
+		responseObject.dead_hosts = internalHost._getHostsWithDomains(deadRes, domainNames);
+		responseObject.total_count += responseObject.dead_hosts.length;
+
+		return responseObject;
+	},
+
+	/**
+	 * Internal use only, checks to see if the domain is already taken by any other record
+	 *
+	 * @param   {String}   hostname
+	 * @param   {String}   [ignore_type]   'proxy', 'redirection', 'dead'
+	 * @param   {Integer}  [ignore_id]     Must be supplied if type was also supplied
+	 * @returns {Promise}
+	 */
+	isHostnameTaken: (hostname, ignore_type, ignore_id) => {
+		const promises = [
+			proxyHostModel
+				.query()
+				.where("is_deleted", 0)
+				.andWhere(castJsonIfNeed("domain_names"), "like", `%${hostname}%`),
+			redirectionHostModel
+				.query()
+				.where("is_deleted", 0)
+				.andWhere(castJsonIfNeed("domain_names"), "like", `%${hostname}%`),
+			deadHostModel
+				.query()
+				.where("is_deleted", 0)
+				.andWhere(castJsonIfNeed("domain_names"), "like", `%${hostname}%`),
+		];
+
+		return Promise.all(promises).then((promises_results) => {
+			let is_taken = false;
+
+			if (promises_results[0]) {
+				// Proxy Hosts
+				if (
+					internalHost._checkHostnameRecordsTaken(
+						hostname,
+						promises_results[0],
+						ignore_type === "proxy" && ignore_id ? ignore_id : 0,
+					)
+				) {
+					is_taken = true;
+				}
+			}
+
+			if (promises_results[1]) {
+				// Redirection Hosts
+				if (
+					internalHost._checkHostnameRecordsTaken(
+						hostname,
+						promises_results[1],
+						ignore_type === "redirection" && ignore_id ? ignore_id : 0,
+					)
+				) {
+					is_taken = true;
+				}
+			}
+
+			if (promises_results[2]) {
+				// Dead Hosts
+				if (
+					internalHost._checkHostnameRecordsTaken(
+						hostname,
+						promises_results[2],
+						ignore_type === "dead" && ignore_id ? ignore_id : 0,
+					)
+				) {
+					is_taken = true;
+				}
+			}
+
+			return {
+				hostname: hostname,
+				is_taken: is_taken,
+			};
+		});
+	},
+
+	/**
+	 * Private call only
+	 *
+	 * @param   {String}  hostname
+	 * @param   {Array}   existingRows
+	 * @param   {Integer} [ignoreId]
+	 * @returns {Boolean}
+	 */
+	_checkHostnameRecordsTaken: (hostname, existingRows, ignoreId) => {
+		let isTaken = false;
+
+		if (existingRows?.length) {
+			existingRows.map((existingRow) => {
+				existingRow.domain_names.map((existingHostname) => {
+					// Does this domain match?
+					if (existingHostname.toLowerCase() === hostname.toLowerCase()) {
+						if (!ignoreId || ignoreId !== existingRow.id) {
+							isTaken = true;
+						}
+					}
+					return true;
+				});
+				return true;
+			});
+		}
+
+		return isTaken;
+	},
+
+	/**
+	 * Private call only
+	 *
+	 * @param   {Array}   hosts
+	 * @param   {Array}   domainNames
+	 * @returns {Array}
+	 */
+	_getHostsWithDomains: (hosts, domainNames) => {
+		const response = [];
+
+		if (hosts?.length) {
+			hosts.map((host) => {
+				let hostMatches = false;
+
+				domainNames.map((domainName) => {
+					host.domain_names.map((hostDomainName) => {
+						if (domainName.toLowerCase() === hostDomainName.toLowerCase()) {
+							hostMatches = true;
+						}
+						return true;
+					});
+					return true;
+				});
+
+				if (hostMatches) {
+					response.push(host);
+				}
+				return true;
+			});
+		}
+
+		return response;
+	},
+};
+
+export default internalHost;

backend/internal/ip_ranges.js

@@ -0,0 +1,158 @@
+import fs from "node:fs";
+import https from "node:https";
+import { dirname } from "node:path";
+import { fileURLToPath } from "node:url";
+import { ProxyAgent } from "proxy-agent";
+import errs from "../lib/error.js";
+import utils from "../lib/utils.js";
+import { ipRanges as logger } from "../logger.js";
+import internalNginx from "./nginx.js";
+
+const __filename = fileURLToPath(import.meta.url);
+const __dirname = dirname(__filename);
+
+const CLOUDFRONT_URL = "https://ip-ranges.amazonaws.com/ip-ranges.json";
+const CLOUDFARE_V4_URL = "https://www.cloudflare.com/ips-v4";
+const CLOUDFARE_V6_URL = "https://www.cloudflare.com/ips-v6";
+
+const regIpV4 = /^(\d+\.?){4}\/\d+/;
+const regIpV6 = /^(([\da-fA-F]+)?:)+\/\d+/;
+
+const internalIpRanges = {
+	interval_timeout: 1000 * 60 * 60 * 6, // 6 hours
+	interval: null,
+	interval_processing: false,
+	iteration_count: 0,
+
+	initTimer: () => {
+		logger.info("IP Ranges Renewal Timer initialized");
+		internalIpRanges.interval = setInterval(internalIpRanges.fetch, internalIpRanges.interval_timeout);
+	},
+
+	fetchUrl: (url) => {
+		const agent = new ProxyAgent();
+		return new Promise((resolve, reject) => {
+			logger.info(`Fetching ${url}`);
+			return https
+				.get(url, { agent }, (res) => {
+					res.setEncoding("utf8");
+					let raw_data = "";
+					res.on("data", (chunk) => {
+						raw_data += chunk;
+					});
+
+					res.on("end", () => {
+						resolve(raw_data);
+					});
+				})
+				.on("error", (err) => {
+					reject(err);
+				});
+		});
+	},
+
+	/**
+	 * Triggered at startup and then later by a timer, this will fetch the ip ranges from services and apply them to nginx.
+	 */
+	fetch: () => {
+		if (!internalIpRanges.interval_processing) {
+			internalIpRanges.interval_processing = true;
+			logger.info("Fetching IP Ranges from online services...");
+
+			let ip_ranges = [];
+
+			return internalIpRanges
+				.fetchUrl(CLOUDFRONT_URL)
+				.then((cloudfront_data) => {
+					const data = JSON.parse(cloudfront_data);
+
+					if (data && typeof data.prefixes !== "undefined") {
+						data.prefixes.map((item) => {
+							if (item.service === "CLOUDFRONT") {
+								ip_ranges.push(item.ip_prefix);
+							}
+							return true;
+						});
+					}
+
+					if (data && typeof data.ipv6_prefixes !== "undefined") {
+						data.ipv6_prefixes.map((item) => {
+							if (item.service === "CLOUDFRONT") {
+								ip_ranges.push(item.ipv6_prefix);
+							}
+							return true;
+						});
+					}
+				})
+				.then(() => {
+					return internalIpRanges.fetchUrl(CLOUDFARE_V4_URL);
+				})
+				.then((cloudfare_data) => {
+					const items = cloudfare_data.split("\n").filter((line) => regIpV4.test(line));
+					ip_ranges = [...ip_ranges, ...items];
+				})
+				.then(() => {
+					return internalIpRanges.fetchUrl(CLOUDFARE_V6_URL);
+				})
+				.then((cloudfare_data) => {
+					const items = cloudfare_data.split("\n").filter((line) => regIpV6.test(line));
+					ip_ranges = [...ip_ranges, ...items];
+				})
+				.then(() => {
+					const clean_ip_ranges = [];
+					ip_ranges.map((range) => {
+						if (range) {
+							clean_ip_ranges.push(range);
+						}
+						return true;
+					});
+
+					return internalIpRanges.generateConfig(clean_ip_ranges).then(() => {
+						if (internalIpRanges.iteration_count) {
+							// Reload nginx
+							return internalNginx.reload();
+						}
+					});
+				})
+				.then(() => {
+					internalIpRanges.interval_processing = false;
+					internalIpRanges.iteration_count++;
+				})
+				.catch((err) => {
+					logger.fatal(err.message);
+					internalIpRanges.interval_processing = false;
+				});
+		}
+	},
+
+	/**
+	 * @param   {Array}  ip_ranges
+	 * @returns {Promise}
+	 */
+	generateConfig: (ip_ranges) => {
+		const renderEngine = utils.getRenderEngine();
+		return new Promise((resolve, reject) => {
+			let template = null;
+			const filename = "/etc/nginx/conf.d/include/ip_ranges.conf";
+			try {
+				template = fs.readFileSync(`${__dirname}/../templates/ip_ranges.conf`, { encoding: "utf8" });
+			} catch (err) {
+				reject(new errs.ConfigurationError(err.message));
+				return;
+			}
+
+			renderEngine
+				.parseAndRender(template, { ip_ranges: ip_ranges })
+				.then((config_text) => {
+					fs.writeFileSync(filename, config_text, { encoding: "utf8" });
+					resolve(true);
+				})
+				.catch((err) => {
+					logger.warn(`Could not write ${filename}: ${err.message}`);
+					reject(new errs.ConfigurationError(err.message));
+				});
+		});
+	},
+};
+
+export default internalIpRanges;

backend/internal/nginx.js

@@ -0,0 +1,437 @@
+import fs from "node:fs";
+import { dirname } from "node:path";
+import { fileURLToPath } from "node:url";
+import _ from "lodash";
+import errs from "../lib/error.js";
+import utils from "../lib/utils.js";
+import { debug, nginx as logger } from "../logger.js";
+
+const __filename = fileURLToPath(import.meta.url);
+const __dirname = dirname(__filename);
+
+const internalNginx = {
+	/**
+	 * This will:
+	 * - test the nginx config first to make sure it's OK
+	 * - create / recreate the config for the host
+	 * - test again
+	 * - IF OK:  update the meta with online status
+	 * - IF BAD: update the meta with offline status and remove the config entirely
+	 * - then reload nginx
+	 *
+	 * @param   {Object|String}  model
+	 * @param   {String}         host_type
+	 * @param   {Object}         host
+	 * @returns {Promise}
+	 */
+	configure: (model, host_type, host) => {
+		let combined_meta = {};
+
+		return internalNginx
+			.test()
+			.then(() => {
+				// Nginx is OK
+				// We're deleting this config regardless.
+				// Don't throw errors, as the file may not exist at all
+				// Delete the .err file too
+				return internalNginx.deleteConfig(host_type, host, false, true);
+			})
+			.then(() => {
+				return internalNginx.generateConfig(host_type, host);
+			})
+			.then(() => {
+				// Test nginx again and update meta with result
+				return internalNginx
+					.test()
+					.then(() => {
+						// nginx is ok
+						combined_meta = _.assign({}, host.meta, {
+							nginx_online: true,
+							nginx_err: null,
+						});
+
+						return model.query().where("id", host.id).patch({
+							meta: combined_meta,
+						});
+					})
+					.catch((err) => {
+						// Remove the error_log line because it's a docker-ism false positive that doesn't need to be reported.
+						// It will always look like this:
+						//   nginx: [alert] could not open error log file: open() "/var/log/nginx/error.log" failed (6: No such device or address)
+
+						const valid_lines = [];
+						const err_lines = err.message.split("\n");
+						err_lines.map((line) => {
+							if (line.indexOf("/var/log/nginx/error.log") === -1) {
+								valid_lines.push(line);
+							}
+							return true;
+						});
+
+						debug(logger, "Nginx test failed:", valid_lines.join("\n"));
+
+						// config is bad, update meta and delete config
+						combined_meta = _.assign({}, host.meta, {
+							nginx_online: false,
+							nginx_err: valid_lines.join("\n"),
+						});
+
+						return model
+							.query()
+							.where("id", host.id)
+							.patch({
+								meta: combined_meta,
+							})
+							.then(() => {
+								internalNginx.renameConfigAsError(host_type, host);
+							})
+							.then(() => {
+								return internalNginx.deleteConfig(host_type, host, true);
+							});
+					});
+			})
+			.then(() => {
+				return internalNginx.reload();
+			})
+			.then(() => {
+				return combined_meta;
+			});
+	},
+
+	/**
+	 * @returns {Promise}
+	 */
+	test: () => {
+		debug(logger, "Testing Nginx configuration");
+		return utils.execFile("/usr/sbin/nginx", ["-t", "-g", "error_log off;"]);
+	},
+
+	/**
+	 * @returns {Promise}
+	 */
+	reload: () => {
+		return internalNginx.test().then(() => {
+			logger.info("Reloading Nginx");
+			return utils.execFile("/usr/sbin/nginx", ["-s", "reload"]);
+		});
+	},
+
+	/**
+	 * @param   {String}  host_type
+	 * @param   {Integer} host_id
+	 * @returns {String}
+	 */
+	getConfigName: (host_type, host_id) => {
+		if (host_type === "default") {
+			return "/data/nginx/default_host/site.conf";
+		}
+		return `/data/nginx/${internalNginx.getFileFriendlyHostType(host_type)}/${host_id}.conf`;
+	},
+
+	/**
+	 * Generates custom locations
+	 * @param   {Object}  host
+	 * @returns {Promise}
+	 */
+	renderLocations: (host) => {
+		return new Promise((resolve, reject) => {
+			let template;
+
+			try {
+				template = fs.readFileSync(`${__dirname}/../templates/_location.conf`, { encoding: "utf8" });
+			} catch (err) {
+				reject(new errs.ConfigurationError(err.message));
+				return;
+			}
+
+			const renderEngine = utils.getRenderEngine();
+			let renderedLocations = "";
+
+			const locationRendering = async () => {
+				for (let i = 0; i < host.locations.length; i++) {
+					const locationCopy = Object.assign(
+						{},
+						{ access_list_id: host.access_list_id },
+						{ certificate_id: host.certificate_id },
+						{ ssl_forced: host.ssl_forced },
+						{ caching_enabled: host.caching_enabled },
+						{ block_exploits: host.block_exploits },
+						{ allow_websocket_upgrade: host.allow_websocket_upgrade },
+						{ http2_support: host.http2_support },
+						{ hsts_enabled: host.hsts_enabled },
+						{ hsts_subdomains: host.hsts_subdomains },
+						{ access_list: host.access_list },
+						{ certificate: host.certificate },
+						host.locations[i],
+					);
+
+					if (locationCopy.forward_host.indexOf("/") > -1) {
+						const splitted = locationCopy.forward_host.split("/");
+
+						locationCopy.forward_host = splitted.shift();
+						locationCopy.forward_path = `/${splitted.join("/")}`;
+					}
+
+					renderedLocations += await renderEngine.parseAndRender(template, locationCopy);
+				}
+			};
+
+			locationRendering().then(() => resolve(renderedLocations));
+		});
+	},
+
+	/**
+	 * @param   {String}  host_type
+	 * @param   {Object}  host
+	 * @returns {Promise}
+	 */
+	generateConfig: (host_type, host_row) => {
+		// Prevent modifying the original object:
+		const host = JSON.parse(JSON.stringify(host_row));
+		const nice_host_type = internalNginx.getFileFriendlyHostType(host_type);
+
+		debug(logger, `Generating ${nice_host_type} Config:`, JSON.stringify(host, null, 2));
+
+		const renderEngine = utils.getRenderEngine();
+
+		return new Promise((resolve, reject) => {
+			let template = null;
+			const filename = internalNginx.getConfigName(nice_host_type, host.id);
+
+			try {
+				template = fs.readFileSync(`${__dirname}/../templates/${nice_host_type}.conf`, { encoding: "utf8" });
+			} catch (err) {
+				reject(new errs.ConfigurationError(err.message));
+				return;
+			}
+
+			let locationsPromise;
+			let origLocations;
+
+			// Manipulate the data a bit before sending it to the template
+			if (nice_host_type !== "default") {
+				host.use_default_location = true;
+				if (typeof host.advanced_config !== "undefined" && host.advanced_config) {
+					host.use_default_location = !internalNginx.advancedConfigHasDefaultLocation(host.advanced_config);
+				}
+			}
+
+			// For redirection hosts, if the scheme is not http or https, set it to $scheme
+			if (nice_host_type === "redirection_host" && ['http', 'https'].indexOf(host.forward_scheme.toLowerCase()) === -1) {
+				host.forward_scheme = "$scheme";
+			}
+
+			if (host.locations) {
+				//logger.info ('host.locations = ' + JSON.stringify(host.locations, null, 2));
+				origLocations = [].concat(host.locations);
+				locationsPromise = internalNginx.renderLocations(host).then((renderedLocations) => {
+					host.locations = renderedLocations;
+				});
+
+				// Allow someone who is using / custom location path to use it, and skip the default / location
+				_.map(host.locations, (location) => {
+					if (location.path === "/") {
+						host.use_default_location = false;
+					}
+				});
+			} else {
+				locationsPromise = Promise.resolve();
+			}
+
+			// Set the IPv6 setting for the host
+			host.ipv6 = internalNginx.ipv6Enabled();
+
+			locationsPromise.then(() => {
+				renderEngine
+					.parseAndRender(template, host)
+					.then((config_text) => {
+						fs.writeFileSync(filename, config_text, { encoding: "utf8" });
+						debug(logger, "Wrote config:", filename, config_text);
+
+						// Restore locations array
+						host.locations = origLocations;
+
+						resolve(true);
+					})
+					.catch((err) => {
+						debug(logger, `Could not write ${filename}:`, err.message);
+						reject(new errs.ConfigurationError(err.message));
+					});
+			});
+		});
+	},
+
+	/**
+	 * This generates a temporary nginx config listening on port 80 for the domain names listed
+	 * in the certificate setup. It allows the letsencrypt acme challenge to be requested by letsencrypt
+	 * when requesting a certificate without having a hostname set up already.
+	 *
+	 * @param   {Object}  certificate
+	 * @returns {Promise}
+	 */
+	generateLetsEncryptRequestConfig: (certificate) => {
+		debug(logger, "Generating LetsEncrypt Request Config:", certificate);
+		const renderEngine = utils.getRenderEngine();
+
+		return new Promise((resolve, reject) => {
+			let template = null;
+			const filename = `/data/nginx/temp/letsencrypt_${certificate.id}.conf`;
+
+			try {
+				template = fs.readFileSync(`${__dirname}/../templates/letsencrypt-request.conf`, { encoding: "utf8" });
+			} catch (err) {
+				reject(new errs.ConfigurationError(err.message));
+				return;
+			}
+
+			certificate.ipv6 = internalNginx.ipv6Enabled();
+
+			renderEngine
+				.parseAndRender(template, certificate)
+				.then((config_text) => {
+					fs.writeFileSync(filename, config_text, { encoding: "utf8" });
+					debug(logger, "Wrote config:", filename, config_text);
+					resolve(true);
+				})
+				.catch((err) => {
+					debug(logger, `Could not write ${filename}:`, err.message);
+					reject(new errs.ConfigurationError(err.message));
+				});
+		});
+	},
+
+	/**
+	 * A simple wrapper around unlinkSync that writes to the logger
+	 *
+	 * @param   {String}  filename
+	 */
+	deleteFile: (filename) => {
+		if (!fs.existsSync(filename)) {
+			return;
+		}
+		try {
+			debug(logger, `Deleting file: ${filename}`);
+			fs.unlinkSync(filename);
+		} catch (err) {
+			debug(logger, "Could not delete file:", JSON.stringify(err, null, 2));
+		}
+	},
+
+	/**
+	 *
+	 * @param   {String} host_type
+	 * @returns String
+	 */
+	getFileFriendlyHostType: (host_type) => {
+		return host_type.replace(/-/g, "_");
+	},
+
+	/**
+	 * This removes the temporary nginx config file generated by `generateLetsEncryptRequestConfig`
+	 *
+	 * @param   {Object}  certificate
+	 * @returns {Promise}
+	 */
+	deleteLetsEncryptRequestConfig: (certificate) => {
+		const config_file = `/data/nginx/temp/letsencrypt_${certificate.id}.conf`;
+		return new Promise((resolve /*, reject*/) => {
+			internalNginx.deleteFile(config_file);
+			resolve();
+		});
+	},
+
+	/**
+	 * @param   {String}  host_type
+	 * @param   {Object}  [host]
+	 * @param   {Boolean} [delete_err_file]
+	 * @returns {Promise}
+	 */
+	deleteConfig: (host_type, host, delete_err_file) => {
+		const config_file = internalNginx.getConfigName(
+			internalNginx.getFileFriendlyHostType(host_type),
+			typeof host === "undefined" ? 0 : host.id,
+		);
+		const config_file_err = `${config_file}.err`;
+
+		return new Promise((resolve /*, reject*/) => {
+			internalNginx.deleteFile(config_file);
+			if (delete_err_file) {
+				internalNginx.deleteFile(config_file_err);
+			}
+			resolve();
+		});
+	},
+
+	/**
+	 * @param   {String}  host_type
+	 * @param   {Object}  [host]
+	 * @returns {Promise}
+	 */
+	renameConfigAsError: (host_type, host) => {
+		const config_file = internalNginx.getConfigName(
+			internalNginx.getFileFriendlyHostType(host_type),
+			typeof host === "undefined" ? 0 : host.id,
+		);
+		const config_file_err = `${config_file}.err`;
+
+		return new Promise((resolve /*, reject*/) => {
+			fs.unlink(config_file, () => {
+				// ignore result, continue
+				fs.rename(config_file, config_file_err, () => {
+					// also ignore result, as this is a debugging informative file anyway
+					resolve();
+				});
+			});
+		});
+	},
+
+	/**
+	 * @param   {String}  hostType
+	 * @param   {Array}   hosts
+	 * @returns {Promise}
+	 */
+	bulkGenerateConfigs: (hostType, hosts) => {
+		const promises = [];
+		hosts.map((host) => {
+			promises.push(internalNginx.generateConfig(hostType, host));
+			return true;
+		});
+
+		return Promise.all(promises);
+	},
+
+	/**
+	 * @param   {String}  host_type
+	 * @param   {Array}   hosts
+	 * @returns {Promise}
+	 */
+	bulkDeleteConfigs: (host_type, hosts) => {
+		const promises = [];
+		hosts.map((host) => {
+			promises.push(internalNginx.deleteConfig(host_type, host, true));
+			return true;
+		});
+
+		return Promise.all(promises);
+	},
+
+	/**
+	 * @param   {string}  config
+	 * @returns {boolean}
+	 */
+	advancedConfigHasDefaultLocation: (cfg) => !!cfg.match(/^(?:.*;)?\s*?location\s*?\/\s*?{/im),
+
+	/**
+	 * @returns {boolean}
+	 */
+	ipv6Enabled: () => {
+		if (typeof process.env.DISABLE_IPV6 !== "undefined") {
+			const disabled = process.env.DISABLE_IPV6.toLowerCase();
+			return !(disabled === "on" || disabled === "true" || disabled === "1" || disabled === "yes");
+		}
+
+		return true;
+	},
+};
+
+export default internalNginx;

backend/internal/proxy-host.js

@@ -0,0 +1,474 @@
+import _ from "lodash";
+import errs from "../lib/error.js";
+import { castJsonIfNeed } from "../lib/helpers.js";
+import utils from "../lib/utils.js";
+import proxyHostModel from "../models/proxy_host.js";
+import internalAuditLog from "./audit-log.js";
+import internalCertificate from "./certificate.js";
+import internalHost from "./host.js";
+import internalNginx from "./nginx.js";
+
+const omissions = () => {
+	return ["is_deleted", "owner.is_deleted"];
+};
+
+const internalProxyHost = {
+	/**
+	 * @param   {Access}  access
+	 * @param   {Object}  data
+	 * @returns {Promise}
+	 */
+	create: (access, data) => {
+		let thisData = data;
+		const createCertificate = thisData.certificate_id === "new";
+
+		if (createCertificate) {
+			delete thisData.certificate_id;
+		}
+
+		return access
+			.can("proxy_hosts:create", thisData)
+			.then(() => {
+				// Get a list of the domain names and check each of them against existing records
+				const domain_name_check_promises = [];
+
+				thisData.domain_names.map((domain_name) => {
+					domain_name_check_promises.push(internalHost.isHostnameTaken(domain_name));
+					return true;
+				});
+
+				return Promise.all(domain_name_check_promises).then((check_results) => {
+					check_results.map((result) => {
+						if (result.is_taken) {
+							throw new errs.ValidationError(`${result.hostname} is already in use`);
+						}
+						return true;
+					});
+				});
+			})
+			.then(() => {
+				// At this point the domains should have been checked
+				thisData.owner_user_id = access.token.getUserId(1);
+				thisData = internalHost.cleanSslHstsData(thisData);
+
+				// Fix for db field not having a default value
+				// for this optional field.
+				if (typeof thisData.advanced_config === "undefined") {
+					thisData.advanced_config = "";
+				}
+
+				return proxyHostModel.query().insertAndFetch(thisData).then(utils.omitRow(omissions()));
+			})
+			.then((row) => {
+				if (createCertificate) {
+					return internalCertificate
+						.createQuickCertificate(access, thisData)
+						.then((cert) => {
+							// update host with cert id
+							return internalProxyHost.update(access, {
+								id: row.id,
+								certificate_id: cert.id,
+							});
+						})
+						.then(() => {
+							return row;
+						});
+				}
+				return row;
+			})
+			.then((row) => {
+				// re-fetch with cert
+				return internalProxyHost.get(access, {
+					id: row.id,
+					expand: ["certificate", "owner", "access_list.[clients,items]"],
+				});
+			})
+			.then((row) => {
+				// Configure nginx
+				return internalNginx.configure(proxyHostModel, "proxy_host", row).then(() => {
+					return row;
+				});
+			})
+			.then((row) => {
+				// Audit log
+				thisData.meta = _.assign({}, thisData.meta || {}, row.meta);
+
+				// Add to audit log
+				return internalAuditLog
+					.add(access, {
+						action: "created",
+						object_type: "proxy-host",
+						object_id: row.id,
+						meta: thisData,
+					})
+					.then(() => {
+						return row;
+					});
+			});
+	},
+
+	/**
+	 * @param  {Access}  access
+	 * @param  {Object}  data
+	 * @param  {Number}  data.id
+	 * @return {Promise}
+	 */
+	update: (access, data) => {
+		let thisData = data;
+		const create_certificate = thisData.certificate_id === "new";
+
+		if (create_certificate) {
+			delete thisData.certificate_id;
+		}
+
+		return access
+			.can("proxy_hosts:update", thisData.id)
+			.then((/*access_data*/) => {
+				// Get a list of the domain names and check each of them against existing records
+				const domain_name_check_promises = [];
+
+				if (typeof thisData.domain_names !== "undefined") {
+					thisData.domain_names.map((domain_name) => {
+						return domain_name_check_promises.push(
+							internalHost.isHostnameTaken(domain_name, "proxy", thisData.id),
+						);
+					});
+
+					return Promise.all(domain_name_check_promises).then((check_results) => {
+						check_results.map((result) => {
+							if (result.is_taken) {
+								throw new errs.ValidationError(`${result.hostname} is already in use`);
+							}
+							return true;
+						});
+					});
+				}
+			})
+			.then(() => {
+				return internalProxyHost.get(access, { id: thisData.id });
+			})
+			.then((row) => {
+				if (row.id !== thisData.id) {
+					// Sanity check that something crazy hasn't happened
+					throw new errs.InternalValidationError(
+						`Proxy Host could not be updated, IDs do not match: ${row.id} !== ${thisData.id}`,
+					);
+				}
+
+				if (create_certificate) {
+					return internalCertificate
+						.createQuickCertificate(access, {
+							domain_names: thisData.domain_names || row.domain_names,
+							meta: _.assign({}, row.meta, thisData.meta),
+						})
+						.then((cert) => {
+							// update host with cert id
+							thisData.certificate_id = cert.id;
+						})
+						.then(() => {
+							return row;
+						});
+				}
+				return row;
+			})
+			.then((row) => {
+				// Add domain_names to the data in case it isn't there, so that the audit log renders correctly. The order is important here.
+				thisData = _.assign(
+					{},
+					{
+						domain_names: row.domain_names,
+					},
+					data,
+				);
+
+				thisData = internalHost.cleanSslHstsData(thisData, row);
+
+				return proxyHostModel
+					.query()
+					.where({ id: thisData.id })
+					.patch(thisData)
+					.then(utils.omitRow(omissions()))
+					.then((saved_row) => {
+						// Add to audit log
+						return internalAuditLog
+							.add(access, {
+								action: "updated",
+								object_type: "proxy-host",
+								object_id: row.id,
+								meta: thisData,
+							})
+							.then(() => {
+								return saved_row;
+							});
+					});
+			})
+			.then(() => {
+				return internalProxyHost
+					.get(access, {
+						id: thisData.id,
+						expand: ["owner", "certificate", "access_list.[clients,items]"],
+					})
+					.then((row) => {
+						if (!row.enabled) {
+							// No need to add nginx config if host is disabled
+							return row;
+						}
+						// Configure nginx
+						return internalNginx.configure(proxyHostModel, "proxy_host", row).then((new_meta) => {
+							row.meta = new_meta;
+							return _.omit(internalHost.cleanRowCertificateMeta(row), omissions());
+						});
+					});
+			});
+	},
+
+	/**
+	 * @param  {Access}   access
+	 * @param  {Object}   data
+	 * @param  {Number}   data.id
+	 * @param  {Array}    [data.expand]
+	 * @param  {Array}    [data.omit]
+	 * @return {Promise}
+	 */
+	get: (access, data) => {
+		const thisData = data || {};
+
+		return access
+			.can("proxy_hosts:get", thisData.id)
+			.then((access_data) => {
+				const query = proxyHostModel
+					.query()
+					.where("is_deleted", 0)
+					.andWhere("id", thisData.id)
+					.allowGraph("[owner,access_list.[clients,items],certificate]")
+					.first();
+
+				if (access_data.permission_visibility !== "all") {
+					query.andWhere("owner_user_id", access.token.getUserId(1));
+				}
+
+				if (typeof thisData.expand !== "undefined" && thisData.expand !== null) {
+					query.withGraphFetched(`[${thisData.expand.join(", ")}]`);
+				}
+
+				return query.then(utils.omitRow(omissions()));
+			})
+			.then((row) => {
+				if (!row || !row.id) {
+					throw new errs.ItemNotFoundError(thisData.id);
+				}
+				const thisRow = internalHost.cleanRowCertificateMeta(row);
+				// Custom omissions
+				if (typeof thisData.omit !== "undefined" && thisData.omit !== null) {
+					return _.omit(row, thisData.omit);
+				}
+				return thisRow;
+			});
+	},
+
+	/**
+	 * @param {Access}  access
+	 * @param {Object}  data
+	 * @param {Number}  data.id
+	 * @param {String}  [data.reason]
+	 * @returns {Promise}
+	 */
+	delete: (access, data) => {
+		return access
+			.can("proxy_hosts:delete", data.id)
+			.then(() => {
+				return internalProxyHost.get(access, { id: data.id });
+			})
+			.then((row) => {
+				if (!row || !row.id) {
+					throw new errs.ItemNotFoundError(data.id);
+				}
+
+				return proxyHostModel
+					.query()
+					.where("id", row.id)
+					.patch({
+						is_deleted: 1,
+					})
+					.then(() => {
+						// Delete Nginx Config
+						return internalNginx.deleteConfig("proxy_host", row).then(() => {
+							return internalNginx.reload();
+						});
+					})
+					.then(() => {
+						// Add to audit log
+						return internalAuditLog.add(access, {
+							action: "deleted",
+							object_type: "proxy-host",
+							object_id: row.id,
+							meta: _.omit(row, omissions()),
+						});
+					});
+			})
+			.then(() => {
+				return true;
+			});
+	},
+
+	/**
+	 * @param {Access}  access
+	 * @param {Object}  data
+	 * @param {Number}  data.id
+	 * @param {String}  [data.reason]
+	 * @returns {Promise}
+	 */
+	enable: (access, data) => {
+		return access
+			.can("proxy_hosts:update", data.id)
+			.then(() => {
+				return internalProxyHost.get(access, {
+					id: data.id,
+					expand: ["certificate", "owner", "access_list"],
+				});
+			})
+			.then((row) => {
+				if (!row || !row.id) {
+					throw new errs.ItemNotFoundError(data.id);
+				}
+				if (row.enabled) {
+					throw new errs.ValidationError("Host is already enabled");
+				}
+
+				row.enabled = 1;
+
+				return proxyHostModel
+					.query()
+					.where("id", row.id)
+					.patch({
+						enabled: 1,
+					})
+					.then(() => {
+						// Configure nginx
+						return internalNginx.configure(proxyHostModel, "proxy_host", row);
+					})
+					.then(() => {
+						// Add to audit log
+						return internalAuditLog.add(access, {
+							action: "enabled",
+							object_type: "proxy-host",
+							object_id: row.id,
+							meta: _.omit(row, omissions()),
+						});
+					});
+			})
+			.then(() => {
+				return true;
+			});
+	},
+
+	/**
+	 * @param {Access}  access
+	 * @param {Object}  data
+	 * @param {Number}  data.id
+	 * @param {String}  [data.reason]
+	 * @returns {Promise}
+	 */
+	disable: (access, data) => {
+		return access
+			.can("proxy_hosts:update", data.id)
+			.then(() => {
+				return internalProxyHost.get(access, { id: data.id });
+			})
+			.then((row) => {
+				if (!row || !row.id) {
+					throw new errs.ItemNotFoundError(data.id);
+				}
+				if (!row.enabled) {
+					throw new errs.ValidationError("Host is already disabled");
+				}
+
+				row.enabled = 0;
+
+				return proxyHostModel
+					.query()
+					.where("id", row.id)
+					.patch({
+						enabled: 0,
+					})
+					.then(() => {
+						// Delete Nginx Config
+						return internalNginx.deleteConfig("proxy_host", row).then(() => {
+							return internalNginx.reload();
+						});
+					})
+					.then(() => {
+						// Add to audit log
+						return internalAuditLog.add(access, {
+							action: "disabled",
+							object_type: "proxy-host",
+							object_id: row.id,
+							meta: _.omit(row, omissions()),
+						});
+					});
+			})
+			.then(() => {
+				return true;
+			});
+	},
+
+	/**
+	 * All Hosts
+	 *
+	 * @param   {Access}  access
+	 * @param   {Array}   [expand]
+	 * @param   {String}  [search_query]
+	 * @returns {Promise}
+	 */
+	getAll: async (access, expand, searchQuery) => {
+		const accessData = await access.can("proxy_hosts:list");
+		const query = proxyHostModel
+			.query()
+			.where("is_deleted", 0)
+			.groupBy("id")
+			.allowGraph("[owner,access_list,certificate]")
+			.orderBy(castJsonIfNeed("domain_names"), "ASC");
+
+		if (accessData.permission_visibility !== "all") {
+			query.andWhere("owner_user_id", access.token.getUserId(1));
+		}
+
+		// Query is used for searching
+		if (typeof searchQuery === "string" && searchQuery.length > 0) {
+			query.where(function () {
+				this.where(castJsonIfNeed("domain_names"), "like", `%${searchQuery}%`);
+			});
+		}
+
+		if (typeof expand !== "undefined" && expand !== null) {
+			query.withGraphFetched(`[${expand.join(", ")}]`);
+		}
+
+		const rows = await query.then(utils.omitRows(omissions()));
+		if (typeof expand !== "undefined" && expand !== null && expand.indexOf("certificate") !== -1) {
+			return internalHost.cleanAllRowsCertificateMeta(rows);
+		}
+		return rows;
+	},
+
+	/**
+	 * Report use
+	 *
+	 * @param   {Number}  user_id
+	 * @param   {String}  visibility
+	 * @returns {Promise}
+	 */
+	getCount: (user_id, visibility) => {
+		const query = proxyHostModel.query().count("id as count").where("is_deleted", 0);
+
+		if (visibility !== "all") {
+			query.andWhere("owner_user_id", user_id);
+		}
+
+		return query.first().then((row) => {
+			return Number.parseInt(row.count, 10);
+		});
+	},
+};
+
+export default internalProxyHost;

backend/internal/redirection-host.js

@@ -0,0 +1,478 @@
+import _ from "lodash";
+import errs from "../lib/error.js";
+import { castJsonIfNeed } from "../lib/helpers.js";
+import utils from "../lib/utils.js";
+import redirectionHostModel from "../models/redirection_host.js";
+import internalAuditLog from "./audit-log.js";
+import internalCertificate from "./certificate.js";
+import internalHost from "./host.js";
+import internalNginx from "./nginx.js";
+
+const omissions = () => {
+	return ["is_deleted"];
+};
+
+const internalRedirectionHost = {
+	/**
+	 * @param   {Access}  access
+	 * @param   {Object}  data
+	 * @returns {Promise}
+	 */
+	create: (access, data) => {
+		let thisData = data || {};
+		const createCertificate = thisData.certificate_id === "new";
+
+		if (createCertificate) {
+			delete thisData.certificate_id;
+		}
+
+		return access
+			.can("redirection_hosts:create", thisData)
+			.then((/*access_data*/) => {
+				// Get a list of the domain names and check each of them against existing records
+				const domain_name_check_promises = [];
+
+				thisData.domain_names.map((domain_name) => {
+					domain_name_check_promises.push(internalHost.isHostnameTaken(domain_name));
+					return true;
+				});
+
+				return Promise.all(domain_name_check_promises).then((check_results) => {
+					check_results.map((result) => {
+						if (result.is_taken) {
+							throw new errs.ValidationError(`${result.hostname} is already in use`);
+						}
+						return true;
+					});
+				});
+			})
+			.then(() => {
+				// At this point the domains should have been checked
+				thisData.owner_user_id = access.token.getUserId(1);
+				thisData = internalHost.cleanSslHstsData(thisData);
+
+				// Fix for db field not having a default value
+				// for this optional field.
+				if (typeof data.advanced_config === "undefined") {
+					data.advanced_config = "";
+				}
+
+				return redirectionHostModel.query().insertAndFetch(thisData).then(utils.omitRow(omissions()));
+			})
+			.then((row) => {
+				if (createCertificate) {
+					return internalCertificate
+						.createQuickCertificate(access, thisData)
+						.then((cert) => {
+							// update host with cert id
+							return internalRedirectionHost.update(access, {
+								id: row.id,
+								certificate_id: cert.id,
+							});
+						})
+						.then(() => {
+							return row;
+						});
+				}
+				return row;
+			})
+			.then((row) => {
+				// re-fetch with cert
+				return internalRedirectionHost.get(access, {
+					id: row.id,
+					expand: ["certificate", "owner"],
+				});
+			})
+			.then((row) => {
+				// Configure nginx
+				return internalNginx.configure(redirectionHostModel, "redirection_host", row).then(() => {
+					return row;
+				});
+			})
+			.then((row) => {
+				thisData.meta = _.assign({}, thisData.meta || {}, row.meta);
+
+				// Add to audit log
+				return internalAuditLog
+					.add(access, {
+						action: "created",
+						object_type: "redirection-host",
+						object_id: row.id,
+						meta: thisData,
+					})
+					.then(() => {
+						return row;
+					});
+			});
+	},
+
+	/**
+	 * @param  {Access}  access
+	 * @param  {Object}  data
+	 * @param  {Number}  data.id
+	 * @return {Promise}
+	 */
+	update: (access, data) => {
+		let thisData = data || {};
+		const createCertificate = thisData.certificate_id === "new";
+
+		if (createCertificate) {
+			delete thisData.certificate_id;
+		}
+
+		return access
+			.can("redirection_hosts:update", thisData.id)
+			.then((/*access_data*/) => {
+				// Get a list of the domain names and check each of them against existing records
+				const domain_name_check_promises = [];
+
+				if (typeof thisData.domain_names !== "undefined") {
+					thisData.domain_names.map((domain_name) => {
+						domain_name_check_promises.push(
+							internalHost.isHostnameTaken(domain_name, "redirection", thisData.id),
+						);
+						return true;
+					});
+
+					return Promise.all(domain_name_check_promises).then((check_results) => {
+						check_results.map((result) => {
+							if (result.is_taken) {
+								throw new errs.ValidationError(`${result.hostname} is already in use`);
+							}
+							return true;
+						});
+					});
+				}
+			})
+			.then(() => {
+				return internalRedirectionHost.get(access, { id: thisData.id });
+			})
+			.then((row) => {
+				if (row.id !== thisData.id) {
+					// Sanity check that something crazy hasn't happened
+					throw new errs.InternalValidationError(
+						`Redirection Host could not be updated, IDs do not match: ${row.id} !== ${thisData.id}`,
+					);
+				}
+
+				if (createCertificate) {
+					return internalCertificate
+						.createQuickCertificate(access, {
+							domain_names: thisData.domain_names || row.domain_names,
+							meta: _.assign({}, row.meta, thisData.meta),
+						})
+						.then((cert) => {
+							// update host with cert id
+							thisData.certificate_id = cert.id;
+						})
+						.then(() => {
+							return row;
+						});
+				}
+				return row;
+			})
+			.then((row) => {
+				// Add domain_names to the data in case it isn't there, so that the audit log renders correctly. The order is important here.
+				thisData = _.assign(
+					{},
+					{
+						domain_names: row.domain_names,
+					},
+					thisData,
+				);
+
+				thisData = internalHost.cleanSslHstsData(thisData, row);
+
+				return redirectionHostModel
+					.query()
+					.where({ id: thisData.id })
+					.patch(thisData)
+					.then((saved_row) => {
+						// Add to audit log
+						return internalAuditLog
+							.add(access, {
+								action: "updated",
+								object_type: "redirection-host",
+								object_id: row.id,
+								meta: thisData,
+							})
+							.then(() => {
+								return _.omit(saved_row, omissions());
+							});
+					});
+			})
+			.then(() => {
+				return internalRedirectionHost
+					.get(access, {
+						id: thisData.id,
+						expand: ["owner", "certificate"],
+					})
+					.then((row) => {
+						// Configure nginx
+						return internalNginx
+							.configure(redirectionHostModel, "redirection_host", row)
+							.then((new_meta) => {
+								row.meta = new_meta;
+								return _.omit(internalHost.cleanRowCertificateMeta(row), omissions());
+							});
+					});
+			});
+	},
+
+	/**
+	 * @param  {Access}   access
+	 * @param  {Object}   data
+	 * @param  {Number}   data.id
+	 * @param  {Array}    [data.expand]
+	 * @param  {Array}    [data.omit]
+	 * @return {Promise}
+	 */
+	get: (access, data) => {
+		const thisData = data || {};
+
+		return access
+			.can("redirection_hosts:get", thisData.id)
+			.then((access_data) => {
+				const query = redirectionHostModel
+					.query()
+					.where("is_deleted", 0)
+					.andWhere("id", thisData.id)
+					.allowGraph("[owner,certificate]")
+					.first();
+
+				if (access_data.permission_visibility !== "all") {
+					query.andWhere("owner_user_id", access.token.getUserId(1));
+				}
+
+				if (typeof thisData.expand !== "undefined" && thisData.expand !== null) {
+					query.withGraphFetched(`[${thisData.expand.join(", ")}]`);
+				}
+
+				return query.then(utils.omitRow(omissions()));
+			})
+			.then((row) => {
+				let thisRow = row;
+				if (!thisRow || !thisRow.id) {
+					throw new errs.ItemNotFoundError(thisData.id);
+				}
+				thisRow = internalHost.cleanRowCertificateMeta(thisRow);
+				// Custom omissions
+				if (typeof thisData.omit !== "undefined" && thisData.omit !== null) {
+					return _.omit(thisRow, thisData.omit);
+				}
+				return thisRow;
+			});
+	},
+
+	/**
+	 * @param {Access}  access
+	 * @param {Object}  data
+	 * @param {Number}  data.id
+	 * @param {String}  [data.reason]
+	 * @returns {Promise}
+	 */
+	delete: (access, data) => {
+		return access
+			.can("redirection_hosts:delete", data.id)
+			.then(() => {
+				return internalRedirectionHost.get(access, { id: data.id });
+			})
+			.then((row) => {
+				if (!row || !row.id) {
+					throw new errs.ItemNotFoundError(data.id);
+				}
+
+				return redirectionHostModel
+					.query()
+					.where("id", row.id)
+					.patch({
+						is_deleted: 1,
+					})
+					.then(() => {
+						// Delete Nginx Config
+						return internalNginx.deleteConfig("redirection_host", row).then(() => {
+							return internalNginx.reload();
+						});
+					})
+					.then(() => {
+						// Add to audit log
+						return internalAuditLog.add(access, {
+							action: "deleted",
+							object_type: "redirection-host",
+							object_id: row.id,
+							meta: _.omit(row, omissions()),
+						});
+					});
+			})
+			.then(() => {
+				return true;
+			});
+	},
+
+	/**
+	 * @param {Access}  access
+	 * @param {Object}  data
+	 * @param {Number}  data.id
+	 * @param {String}  [data.reason]
+	 * @returns {Promise}
+	 */
+	enable: (access, data) => {
+		return access
+			.can("redirection_hosts:update", data.id)
+			.then(() => {
+				return internalRedirectionHost.get(access, {
+					id: data.id,
+					expand: ["certificate", "owner"],
+				});
+			})
+			.then((row) => {
+				if (!row || !row.id) {
+					throw new errs.ItemNotFoundError(data.id);
+				}
+				if (row.enabled) {
+					throw new errs.ValidationError("Host is already enabled");
+				}
+
+				row.enabled = 1;
+
+				return redirectionHostModel
+					.query()
+					.where("id", row.id)
+					.patch({
+						enabled: 1,
+					})
+					.then(() => {
+						// Configure nginx
+						return internalNginx.configure(redirectionHostModel, "redirection_host", row);
+					})
+					.then(() => {
+						// Add to audit log
+						return internalAuditLog.add(access, {
+							action: "enabled",
+							object_type: "redirection-host",
+							object_id: row.id,
+							meta: _.omit(row, omissions()),
+						});
+					});
+			})
+			.then(() => {
+				return true;
+			});
+	},
+
+	/**
+	 * @param {Access}  access
+	 * @param {Object}  data
+	 * @param {Number}  data.id
+	 * @param {String}  [data.reason]
+	 * @returns {Promise}
+	 */
+	disable: (access, data) => {
+		return access
+			.can("redirection_hosts:update", data.id)
+			.then(() => {
+				return internalRedirectionHost.get(access, { id: data.id });
+			})
+			.then((row) => {
+				if (!row || !row.id) {
+					throw new errs.ItemNotFoundError(data.id);
+				}
+				if (!row.enabled) {
+					throw new errs.ValidationError("Host is already disabled");
+				}
+
+				row.enabled = 0;
+
+				return redirectionHostModel
+					.query()
+					.where("id", row.id)
+					.patch({
+						enabled: 0,
+					})
+					.then(() => {
+						// Delete Nginx Config
+						return internalNginx.deleteConfig("redirection_host", row).then(() => {
+							return internalNginx.reload();
+						});
+					})
+					.then(() => {
+						// Add to audit log
+						return internalAuditLog.add(access, {
+							action: "disabled",
+							object_type: "redirection-host",
+							object_id: row.id,
+							meta: _.omit(row, omissions()),
+						});
+					});
+			})
+			.then(() => {
+				return true;
+			});
+	},
+
+	/**
+	 * All Hosts
+	 *
+	 * @param   {Access}  access
+	 * @param   {Array}   [expand]
+	 * @param   {String}  [search_query]
+	 * @returns {Promise}
+	 */
+	getAll: (access, expand, search_query) => {
+		return access
+			.can("redirection_hosts:list")
+			.then((access_data) => {
+				const query = redirectionHostModel
+					.query()
+					.where("is_deleted", 0)
+					.groupBy("id")
+					.allowGraph("[owner,certificate]")
+					.orderBy(castJsonIfNeed("domain_names"), "ASC");
+
+				if (access_data.permission_visibility !== "all") {
+					query.andWhere("owner_user_id", access.token.getUserId(1));
+				}
+
+				// Query is used for searching
+				if (typeof search_query === "string" && search_query.length > 0) {
+					query.where(function () {
+						this.where(castJsonIfNeed("domain_names"), "like", `%${search_query}%`);
+					});
+				}
+
+				if (typeof expand !== "undefined" && expand !== null) {
+					query.withGraphFetched(`[${expand.join(", ")}]`);
+				}
+
+				return query.then(utils.omitRows(omissions()));
+			})
+			.then((rows) => {
+				if (typeof expand !== "undefined" && expand !== null && expand.indexOf("certificate") !== -1) {
+					return internalHost.cleanAllRowsCertificateMeta(rows);
+				}
+
+				return rows;
+			});
+	},
+
+	/**
+	 * Report use
+	 *
+	 * @param   {Number}  user_id
+	 * @param   {String}  visibility
+	 * @returns {Promise}
+	 */
+	getCount: (user_id, visibility) => {
+		const query = redirectionHostModel.query().count("id as count").where("is_deleted", 0);
+
+		if (visibility !== "all") {
+			query.andWhere("owner_user_id", user_id);
+		}
+
+		return query.first().then((row) => {
+			return Number.parseInt(row.count, 10);
+		});
+	},
+};
+
+export default internalRedirectionHost;

backend/internal/remote-version.js

@@ -0,0 +1,84 @@
+import https from "node:https";
+import { ProxyAgent } from "proxy-agent";
+import { debug, remoteVersion as logger } from "../logger.js";
+import pjson from "../package.json" with { type: "json" };
+
+const VERSION_URL = "https://api.github.com/repos/NginxProxyManager/nginx-proxy-manager/releases/latest";
+
+const internalRemoteVersion = {
+	cache_timeout: 1000 * 60 * 15, // 15 minutes
+	last_result: null,
+	last_fetch_time: null,
+
+	/**
+	 * Fetch the latest version info, using a cached result if within the cache timeout period.
+	 * @return {Promise<{current: string, latest: string, update_available: boolean}>} Version info
+	 */
+	get: async () => {
+		if (
+			!internalRemoteVersion.last_result ||
+			!internalRemoteVersion.last_fetch_time ||
+			Date.now() - internalRemoteVersion.last_fetch_time > internalRemoteVersion.cache_timeout
+		) {
+			const raw = await internalRemoteVersion.fetchUrl(VERSION_URL);
+			const data = JSON.parse(raw);
+			internalRemoteVersion.last_result = data;
+			internalRemoteVersion.last_fetch_time = Date.now();
+		} else {
+			debug(logger, "Using cached remote version result");
+		}
+
+		const latestVersion = internalRemoteVersion.last_result.tag_name;
+		const version = pjson.version.split("-").shift().split(".");
+		const currentVersion = `v${version[0]}.${version[1]}.${version[2]}`;
+		return {
+			current: currentVersion,
+			latest: latestVersion,
+			update_available: internalRemoteVersion.compareVersions(currentVersion, latestVersion),
+		};
+	},
+
+	fetchUrl: (url) => {
+		const agent = new ProxyAgent();
+		const headers = {
+			"User-Agent": `NginxProxyManager v${pjson.version}`,
+		};
+
+		return new Promise((resolve, reject) => {
+			logger.info(`Fetching ${url}`);
+			return https
+				.get(url, { agent, headers }, (res) => {
+					res.setEncoding("utf8");
+					let raw_data = "";
+					res.on("data", (chunk) => {
+						raw_data += chunk;
+					});
+					res.on("end", () => {
+						resolve(raw_data);
+					});
+				})
+				.on("error", (err) => {
+					reject(err);
+				});
+		});
+	},
+
+	compareVersions: (current, latest) => {
+		const cleanCurrent = current.replace(/^v/, "");
+		const cleanLatest = latest.replace(/^v/, "");
+
+		const currentParts = cleanCurrent.split(".").map(Number);
+		const latestParts = cleanLatest.split(".").map(Number);
+
+		for (let i = 0; i < Math.max(currentParts.length, latestParts.length); i++) {
+			const curr = currentParts[i] || 0;
+			const lat = latestParts[i] || 0;
+
+			if (lat > curr) return true;
+			if (lat < curr) return false;
+		}
+		return false;
+	},
+};
+
+export default internalRemoteVersion;

backend/internal/report.js

@@ -0,0 +1,37 @@
+import internalDeadHost from "./dead-host.js";
+import internalProxyHost from "./proxy-host.js";
+import internalRedirectionHost from "./redirection-host.js";
+import internalStream from "./stream.js";
+
+const internalReport = {
+	/**
+	 * @param  {Access}   access
+	 * @return {Promise}
+	 */
+	getHostsReport: (access) => {
+		return access
+			.can("reports:hosts", 1)
+			.then((access_data) => {
+				const userId = access.token.getUserId(1);
+
+				const promises = [
+					internalProxyHost.getCount(userId, access_data.permission_visibility),
+					internalRedirectionHost.getCount(userId, access_data.permission_visibility),
+					internalStream.getCount(userId, access_data.permission_visibility),
+					internalDeadHost.getCount(userId, access_data.permission_visibility),
+				];
+
+				return Promise.all(promises);
+			})
+			.then((counts) => {
+				return {
+					proxy: counts.shift(),
+					redirection: counts.shift(),
+					stream: counts.shift(),
+					dead: counts.shift(),
+				};
+			});
+	},
+};
+
+export default internalReport;

backend/internal/setting.js

@@ -0,0 +1,125 @@
+import fs from "node:fs";
+import errs from "../lib/error.js";
+import settingModel from "../models/setting.js";
+import internalNginx from "./nginx.js";
+
+const internalSetting = {
+	/**
+	 * @param  {Access}  access
+	 * @param  {Object}  data
+	 * @param  {String}  data.id
+	 * @return {Promise}
+	 */
+	update: (access, data) => {
+		return access
+			.can("settings:update", data.id)
+			.then((/*access_data*/) => {
+				return internalSetting.get(access, { id: data.id });
+			})
+			.then((row) => {
+				if (row.id !== data.id) {
+					// Sanity check that something crazy hasn't happened
+					throw new errs.InternalValidationError(
+						`Setting could not be updated, IDs do not match: ${row.id} !== ${data.id}`,
+					);
+				}
+
+				return settingModel.query().where({ id: data.id }).patch(data);
+			})
+			.then(() => {
+				return internalSetting.get(access, {
+					id: data.id,
+				});
+			})
+			.then((row) => {
+				if (row.id === "default-site") {
+					// write the html if we need to
+					if (row.value === "html") {
+						fs.writeFileSync("/data/nginx/default_www/index.html", row.meta.html, { encoding: "utf8" });
+					}
+
+					// Configure nginx
+					return internalNginx
+						.deleteConfig("default")
+						.then(() => {
+							return internalNginx.generateConfig("default", row);
+						})
+						.then(() => {
+							return internalNginx.test();
+						})
+						.then(() => {
+							return internalNginx.reload();
+						})
+						.then(() => {
+							return row;
+						})
+						.catch((/*err*/) => {
+							internalNginx
+								.deleteConfig("default")
+								.then(() => {
+									return internalNginx.test();
+								})
+								.then(() => {
+									return internalNginx.reload();
+								})
+								.then(() => {
+									// I'm being slack here I know..
+									throw new errs.ValidationError("Could not reconfigure Nginx. Please check logs.");
+								});
+						});
+				}
+				return row;
+			});
+	},
+
+	/**
+	 * @param  {Access}   access
+	 * @param  {Object}   data
+	 * @param  {String}   data.id
+	 * @return {Promise}
+	 */
+	get: (access, data) => {
+		return access
+			.can("settings:get", data.id)
+			.then(() => {
+				return settingModel.query().where("id", data.id).first();
+			})
+			.then((row) => {
+				if (row) {
+					return row;
+				}
+				throw new errs.ItemNotFoundError(data.id);
+			});
+	},
+
+	/**
+	 * This will only count the settings
+	 *
+	 * @param   {Access}  access
+	 * @returns {*}
+	 */
+	getCount: (access) => {
+		return access
+			.can("settings:list")
+			.then(() => {
+				return settingModel.query().count("id as count").first();
+			})
+			.then((row) => {
+				return Number.parseInt(row.count, 10);
+			});
+	},
+
+	/**
+	 * All settings
+	 *
+	 * @param   {Access}  access
+	 * @returns {Promise}
+	 */
+	getAll: (access) => {
+		return access.can("settings:list").then(() => {
+			return settingModel.query().orderBy("description", "ASC");
+		});
+	},
+};
+
+export default internalSetting;

backend/internal/stream.js

@@ -0,0 +1,427 @@
+import _ from "lodash";
+import errs from "../lib/error.js";
+import { castJsonIfNeed } from "../lib/helpers.js";
+import utils from "../lib/utils.js";
+import streamModel from "../models/stream.js";
+import internalAuditLog from "./audit-log.js";
+import internalCertificate from "./certificate.js";
+import internalHost from "./host.js";
+import internalNginx from "./nginx.js";
+
+const omissions = () => {
+	return ["is_deleted", "owner.is_deleted", "certificate.is_deleted"];
+};
+
+const internalStream = {
+	/**
+	 * @param   {Access}  access
+	 * @param   {Object}  data
+	 * @returns {Promise}
+	 */
+	create: (access, data) => {
+		const create_certificate = data.certificate_id === "new";
+
+		if (create_certificate) {
+			delete data.certificate_id;
+		}
+
+		return access
+			.can("streams:create", data)
+			.then((/*access_data*/) => {
+				// TODO: At this point the existing ports should have been checked
+				data.owner_user_id = access.token.getUserId(1);
+
+				if (typeof data.meta === "undefined") {
+					data.meta = {};
+				}
+
+				// streams aren't routed by domain name so don't store domain names in the DB
+				const data_no_domains = structuredClone(data);
+				delete data_no_domains.domain_names;
+
+				return streamModel.query().insertAndFetch(data_no_domains).then(utils.omitRow(omissions()));
+			})
+			.then((row) => {
+				if (create_certificate) {
+					return internalCertificate
+						.createQuickCertificate(access, data)
+						.then((cert) => {
+							// update host with cert id
+							return internalStream.update(access, {
+								id: row.id,
+								certificate_id: cert.id,
+							});
+						})
+						.then(() => {
+							return row;
+						});
+				}
+				return row;
+			})
+			.then((row) => {
+				// re-fetch with cert
+				return internalStream.get(access, {
+					id: row.id,
+					expand: ["certificate", "owner"],
+				});
+			})
+			.then((row) => {
+				// Configure nginx
+				return internalNginx.configure(streamModel, "stream", row).then(() => {
+					return row;
+				});
+			})
+			.then((row) => {
+				// Add to audit log
+				return internalAuditLog
+					.add(access, {
+						action: "created",
+						object_type: "stream",
+						object_id: row.id,
+						meta: data,
+					})
+					.then(() => {
+						return row;
+					});
+			});
+	},
+
+	/**
+	 * @param  {Access}  access
+	 * @param  {Object}  data
+	 * @param  {Number}  data.id
+	 * @return {Promise}
+	 */
+	update: (access, data) => {
+		let thisData = data;
+		const create_certificate = thisData.certificate_id === "new";
+
+		if (create_certificate) {
+			delete thisData.certificate_id;
+		}
+
+		return access
+			.can("streams:update", thisData.id)
+			.then((/*access_data*/) => {
+				// TODO: at this point the existing streams should have been checked
+				return internalStream.get(access, { id: thisData.id });
+			})
+			.then((row) => {
+				if (row.id !== thisData.id) {
+					// Sanity check that something crazy hasn't happened
+					throw new errs.InternalValidationError(
+						`Stream could not be updated, IDs do not match: ${row.id} !== ${thisData.id}`,
+					);
+				}
+
+				if (create_certificate) {
+					return internalCertificate
+						.createQuickCertificate(access, {
+							domain_names: thisData.domain_names || row.domain_names,
+							meta: _.assign({}, row.meta, thisData.meta),
+						})
+						.then((cert) => {
+							// update host with cert id
+							thisData.certificate_id = cert.id;
+						})
+						.then(() => {
+							return row;
+						});
+				}
+				return row;
+			})
+			.then((row) => {
+				// Add domain_names to the data in case it isn't there, so that the audit log renders correctly. The order is important here.
+				thisData = _.assign(
+					{},
+					{
+						domain_names: row.domain_names,
+					},
+					thisData,
+				);
+
+				return streamModel
+					.query()
+					.patchAndFetchById(row.id, thisData)
+					.then(utils.omitRow(omissions()))
+					.then((saved_row) => {
+						// Add to audit log
+						return internalAuditLog
+							.add(access, {
+								action: "updated",
+								object_type: "stream",
+								object_id: row.id,
+								meta: thisData,
+							})
+							.then(() => {
+								return saved_row;
+							});
+					});
+			})
+			.then(() => {
+				return internalStream.get(access, { id: thisData.id, expand: ["owner", "certificate"] }).then((row) => {
+					return internalNginx.configure(streamModel, "stream", row).then((new_meta) => {
+						row.meta = new_meta;
+						return _.omit(internalHost.cleanRowCertificateMeta(row), omissions());
+					});
+				});
+			});
+	},
+
+	/**
+	 * @param  {Access}   access
+	 * @param  {Object}   data
+	 * @param  {Number}   data.id
+	 * @param  {Array}    [data.expand]
+	 * @param  {Array}    [data.omit]
+	 * @return {Promise}
+	 */
+	get: (access, data) => {
+		const thisData = data || {};
+
+		return access
+			.can("streams:get", thisData.id)
+			.then((access_data) => {
+				const query = streamModel
+					.query()
+					.where("is_deleted", 0)
+					.andWhere("id", thisData.id)
+					.allowGraph("[owner,certificate]")
+					.first();
+
+				if (access_data.permission_visibility !== "all") {
+					query.andWhere("owner_user_id", access.token.getUserId(1));
+				}
+
+				if (typeof thisData.expand !== "undefined" && thisData.expand !== null) {
+					query.withGraphFetched(`[${thisData.expand.join(", ")}]`);
+				}
+
+				return query.then(utils.omitRow(omissions()));
+			})
+			.then((row) => {
+				let thisRow = row;
+				if (!thisRow || !thisRow.id) {
+					throw new errs.ItemNotFoundError(thisData.id);
+				}
+				thisRow = internalHost.cleanRowCertificateMeta(thisRow);
+				// Custom omissions
+				if (typeof thisData.omit !== "undefined" && thisData.omit !== null) {
+					return _.omit(thisRow, thisData.omit);
+				}
+				return thisRow;
+			});
+	},
+
+	/**
+	 * @param {Access}  access
+	 * @param {Object}  data
+	 * @param {Number}  data.id
+	 * @param {String}  [data.reason]
+	 * @returns {Promise}
+	 */
+	delete: (access, data) => {
+		return access
+			.can("streams:delete", data.id)
+			.then(() => {
+				return internalStream.get(access, { id: data.id });
+			})
+			.then((row) => {
+				if (!row || !row.id) {
+					throw new errs.ItemNotFoundError(data.id);
+				}
+
+				return streamModel
+					.query()
+					.where("id", row.id)
+					.patch({
+						is_deleted: 1,
+					})
+					.then(() => {
+						// Delete Nginx Config
+						return internalNginx.deleteConfig("stream", row).then(() => {
+							return internalNginx.reload();
+						});
+					})
+					.then(() => {
+						// Add to audit log
+						return internalAuditLog.add(access, {
+							action: "deleted",
+							object_type: "stream",
+							object_id: row.id,
+							meta: _.omit(row, omissions()),
+						});
+					});
+			})
+			.then(() => {
+				return true;
+			});
+	},
+
+	/**
+	 * @param {Access}  access
+	 * @param {Object}  data
+	 * @param {Number}  data.id
+	 * @param {String}  [data.reason]
+	 * @returns {Promise}
+	 */
+	enable: (access, data) => {
+		return access
+			.can("streams:update", data.id)
+			.then(() => {
+				return internalStream.get(access, {
+					id: data.id,
+					expand: ["certificate", "owner"],
+				});
+			})
+			.then((row) => {
+				if (!row || !row.id) {
+					throw new errs.ItemNotFoundError(data.id);
+				}
+				if (row.enabled) {
+					throw new errs.ValidationError("Stream is already enabled");
+				}
+
+				row.enabled = 1;
+
+				return streamModel
+					.query()
+					.where("id", row.id)
+					.patch({
+						enabled: 1,
+					})
+					.then(() => {
+						// Configure nginx
+						return internalNginx.configure(streamModel, "stream", row);
+					})
+					.then(() => {
+						// Add to audit log
+						return internalAuditLog.add(access, {
+							action: "enabled",
+							object_type: "stream",
+							object_id: row.id,
+							meta: _.omit(row, omissions()),
+						});
+					});
+			})
+			.then(() => {
+				return true;
+			});
+	},
+
+	/**
+	 * @param {Access}  access
+	 * @param {Object}  data
+	 * @param {Number}  data.id
+	 * @param {String}  [data.reason]
+	 * @returns {Promise}
+	 */
+	disable: (access, data) => {
+		return access
+			.can("streams:update", data.id)
+			.then(() => {
+				return internalStream.get(access, { id: data.id });
+			})
+			.then((row) => {
+				if (!row || !row.id) {
+					throw new errs.ItemNotFoundError(data.id);
+				}
+				if (!row.enabled) {
+					throw new errs.ValidationError("Stream is already disabled");
+				}
+
+				row.enabled = 0;
+
+				return streamModel
+					.query()
+					.where("id", row.id)
+					.patch({
+						enabled: 0,
+					})
+					.then(() => {
+						// Delete Nginx Config
+						return internalNginx.deleteConfig("stream", row).then(() => {
+							return internalNginx.reload();
+						});
+					})
+					.then(() => {
+						// Add to audit log
+						return internalAuditLog.add(access, {
+							action: "disabled",
+							object_type: "stream",
+							object_id: row.id,
+							meta: _.omit(row, omissions()),
+						});
+					});
+			})
+			.then(() => {
+				return true;
+			});
+	},
+
+	/**
+	 * All Streams
+	 *
+	 * @param   {Access}  access
+	 * @param   {Array}   [expand]
+	 * @param   {String}  [search_query]
+	 * @returns {Promise}
+	 */
+	getAll: (access, expand, search_query) => {
+		return access
+			.can("streams:list")
+			.then((access_data) => {
+				const query = streamModel
+					.query()
+					.where("is_deleted", 0)
+					.groupBy("id")
+					.allowGraph("[owner,certificate]")
+					.orderBy("incoming_port", "ASC");
+
+				if (access_data.permission_visibility !== "all") {
+					query.andWhere("owner_user_id", access.token.getUserId(1));
+				}
+
+				// Query is used for searching
+				if (typeof search_query === "string" && search_query.length > 0) {
+					query.where(function () {
+						this.where(castJsonIfNeed("incoming_port"), "like", `%${search_query}%`);
+					});
+				}
+
+				if (typeof expand !== "undefined" && expand !== null) {
+					query.withGraphFetched(`[${expand.join(", ")}]`);
+				}
+
+				return query.then(utils.omitRows(omissions()));
+			})
+			.then((rows) => {
+				if (typeof expand !== "undefined" && expand !== null && expand.indexOf("certificate") !== -1) {
+					return internalHost.cleanAllRowsCertificateMeta(rows);
+				}
+
+				return rows;
+			});
+	},
+
+	/**
+	 * Report use
+	 *
+	 * @param   {Number}  user_id
+	 * @param   {String}  visibility
+	 * @returns {Promise}
+	 */
+	getCount: (user_id, visibility) => {
+		const query = streamModel.query().count("id AS count").where("is_deleted", 0);
+
+		if (visibility !== "all") {
+			query.andWhere("owner_user_id", user_id);
+		}
+
+		return query.first().then((row) => {
+			return Number.parseInt(row.count, 10);
+		});
+	},
+};
+
+export default internalStream;

backend/internal/token.js

@@ -0,0 +1,237 @@
+import _ from "lodash";
+import errs from "../lib/error.js";
+import { parseDatePeriod } from "../lib/helpers.js";
+import authModel from "../models/auth.js";
+import TokenModel from "../models/token.js";
+import userModel from "../models/user.js";
+import twoFactor from "./2fa.js";
+
+const ERROR_MESSAGE_INVALID_AUTH = "Invalid email or password";
+const ERROR_MESSAGE_INVALID_AUTH_I18N = "error.invalid-auth";
+const ERROR_MESSAGE_INVALID_2FA = "Invalid verification code";
+const ERROR_MESSAGE_INVALID_2FA_I18N = "error.invalid-2fa";
+
+export default {
+	/**
+	 * @param   {Object} data
+	 * @param   {String} data.identity
+	 * @param   {String} data.secret
+	 * @param   {String} [data.scope]
+	 * @param   {String} [data.expiry]
+	 * @param   {String} [issuer]
+	 * @returns {Promise}
+	 */
+	getTokenFromEmail: async (data, issuer) => {
+		const Token = TokenModel();
+
+		data.scope = data.scope || "user";
+		data.expiry = data.expiry || "1d";
+
+		const user = await userModel
+			.query()
+			.where("email", data.identity.toLowerCase().trim())
+			.andWhere("is_deleted", 0)
+			.andWhere("is_disabled", 0)
+			.first();
+
+		if (!user) {
+			throw new errs.AuthError(ERROR_MESSAGE_INVALID_AUTH);
+		}
+
+		const auth = await authModel
+			.query()
+			.where("user_id", "=", user.id)
+			.where("type", "=", "password")
+			.first();
+
+		if (!auth) {
+			throw new errs.AuthError(ERROR_MESSAGE_INVALID_AUTH);
+		}
+
+		const valid = await auth.verifyPassword(data.secret);
+		if (!valid) {
+			throw new errs.AuthError(
+				ERROR_MESSAGE_INVALID_AUTH,
+				ERROR_MESSAGE_INVALID_AUTH_I18N,
+			);
+		}
+
+		if (data.scope !== "user" && _.indexOf(user.roles, data.scope) === -1) {
+			// The scope requested doesn't exist as a role against the user,
+			// you shall not pass.
+			throw new errs.AuthError(`Invalid scope: ${data.scope}`);
+		}
+
+		// Check if 2FA is enabled
+		const has2FA = await twoFactor.isEnabled(user.id);
+		if (has2FA) {
+			// Return challenge token instead of full token
+			const challengeToken = await Token.create({
+				iss: issuer || "api",
+				attrs: {
+					id: user.id,
+				},
+				scope: ["2fa-challenge"],
+				expiresIn: "5m",
+			});
+
+			return {
+				requires_2fa: true,
+				challenge_token: challengeToken.token,
+			};
+		}
+
+		// Create a moment of the expiry expression
+		const expiry = parseDatePeriod(data.expiry);
+		if (expiry === null) {
+			throw new errs.AuthError(`Invalid expiry time: ${data.expiry}`);
+		}
+
+		const signed = await Token.create({
+			iss: issuer || "api",
+			attrs: {
+				id: user.id,
+			},
+			scope: [data.scope],
+			expiresIn: data.expiry,
+		});
+
+		return {
+			token: signed.token,
+			expires: expiry.toISOString(),
+		};
+	},
+
+	/**
+	 * @param {Access} access
+	 * @param {Object} [data]
+	 * @param {String} [data.expiry]
+	 * @param {String} [data.scope]   Only considered if existing token scope is admin
+	 * @returns {Promise}
+	 */
+	getFreshToken: async (access, data) => {
+		const Token = TokenModel();
+		const thisData = data || {};
+
+		thisData.expiry = thisData.expiry || "1d";
+
+		if (access?.token.getUserId(0)) {
+			// Create a moment of the expiry expression
+			const expiry = parseDatePeriod(thisData.expiry);
+			if (expiry === null) {
+				throw new errs.AuthError(`Invalid expiry time: ${thisData.expiry}`);
+			}
+
+			const token_attrs = {
+				id: access.token.getUserId(0),
+			};
+
+			// Only admins can request otherwise scoped tokens
+			let scope = access.token.get("scope");
+			if (thisData.scope && access.token.hasScope("admin")) {
+				scope = [thisData.scope];
+
+				if (thisData.scope === "job-board" || thisData.scope === "worker") {
+					token_attrs.id = 0;
+				}
+			}
+
+			const signed = await Token.create({
+				iss: "api",
+				scope: scope,
+				attrs: token_attrs,
+				expiresIn: thisData.expiry,
+			});
+
+			return {
+				token: signed.token,
+				expires: expiry.toISOString(),
+			};
+		}
+		throw new error.AssertionFailedError("Existing token contained invalid user data");
+	},
+
+	/**
+	 * Verify 2FA code and return full token
+	 * @param {string} challengeToken
+	 * @param {string} code
+	 * @param {string} [expiry]
+	 * @returns {Promise}
+	 */
+	verify2FA: async (challengeToken, code, expiry) => {
+		const Token = TokenModel();
+		const tokenExpiry = expiry || "1d";
+
+		// Verify challenge token
+		let tokenData;
+		try {
+			tokenData = await Token.load(challengeToken);
+		} catch {
+			throw new errs.AuthError("Invalid or expired challenge token");
+		}
+
+		// Check scope
+		if (!tokenData.scope || tokenData.scope[0] !== "2fa-challenge") {
+			throw new errs.AuthError("Invalid challenge token");
+		}
+
+		const userId = tokenData.attrs?.id;
+		if (!userId) {
+			throw new errs.AuthError("Invalid challenge token");
+		}
+
+		// Verify 2FA code
+		const valid = await twoFactor.verifyForLogin(userId, code);
+		if (!valid) {
+			throw new errs.AuthError(
+				ERROR_MESSAGE_INVALID_2FA,
+				ERROR_MESSAGE_INVALID_2FA_I18N,
+			);
+		}
+
+		// Create full token
+		const expiryDate = parseDatePeriod(tokenExpiry);
+		if (expiryDate === null) {
+			throw new errs.AuthError(`Invalid expiry time: ${tokenExpiry}`);
+		}
+
+		const signed = await Token.create({
+			iss: "api",
+			attrs: {
+				id: userId,
+			},
+			scope: ["user"],
+			expiresIn: tokenExpiry,
+		});
+
+		return {
+			token: signed.token,
+			expires: expiryDate.toISOString(),
+		};
+	},
+
+	/**
+	 * @param   {Object} user
+	 * @returns {Promise}
+	 */
+	getTokenFromUser: async (user) => {
+		const expire = "1d";
+		const Token = TokenModel();
+		const expiry = parseDatePeriod(expire);
+
+		const signed = await Token.create({
+			iss: "api",
+			attrs: {
+				id: user.id,
+			},
+			scope: ["user"],
+			expiresIn: expire,
+		});
+
+		return {
+			token: signed.token,
+			expires: expiry.toISOString(),
+			user: user,
+		};
+	},
+};

backend/internal/user.js

@@ -0,0 +1,494 @@
+import gravatar from "gravatar";
+import _ from "lodash";
+import errs from "../lib/error.js";
+import utils from "../lib/utils.js";
+import authModel from "../models/auth.js";
+import userModel from "../models/user.js";
+import userPermissionModel from "../models/user_permission.js";
+import internalAuditLog from "./audit-log.js";
+import internalToken from "./token.js";
+
+const omissions = () => {
+	return ["is_deleted", "permissions.id", "permissions.user_id", "permissions.created_on", "permissions.modified_on"];
+};
+
+const DEFAULT_AVATAR = gravatar.url("admin@example.com", { default: "mm" });
+
+const internalUser = {
+	/**
+	 * Create a user can happen unauthenticated only once and only when no active users exist.
+	 * Otherwise, a valid auth method is required.
+	 *
+	 * @param   {Access}  access
+	 * @param   {Object}  data
+	 * @returns {Promise}
+	 */
+	create: async (access, data) => {
+		const auth = data.auth || null;
+		delete data.auth;
+
+		data.avatar = data.avatar || "";
+		data.roles = data.roles || [];
+
+		if (typeof data.is_disabled !== "undefined") {
+			data.is_disabled = data.is_disabled ? 1 : 0;
+		}
+
+		await access.can("users:create", data);
+		data.avatar = gravatar.url(data.email, { default: "mm" });
+
+		let user = await userModel.query().insertAndFetch(data).then(utils.omitRow(omissions()));
+		if (auth) {
+			user = await authModel.query().insert({
+				user_id: user.id,
+				type: auth.type,
+				secret: auth.secret,
+				meta: {},
+			});
+		}
+
+		// Create permissions row as well
+		const isAdmin = data.roles.indexOf("admin") !== -1;
+
+		await userPermissionModel.query().insert({
+			user_id: user.id,
+			visibility: isAdmin ? "all" : "user",
+			proxy_hosts: "manage",
+			redirection_hosts: "manage",
+			dead_hosts: "manage",
+			streams: "manage",
+			access_lists: "manage",
+			certificates: "manage",
+		});
+
+		user = await internalUser.get(access, { id: user.id, expand: ["permissions"] });
+
+		await internalAuditLog.add(access, {
+			action: "created",
+			object_type: "user",
+			object_id: user.id,
+			meta: user,
+		});
+
+		return user;
+	},
+
+	/**
+	 * @param  {Access}  access
+	 * @param  {Object}  data
+	 * @param  {Integer} data.id
+	 * @param  {String}  [data.email]
+	 * @param  {String}  [data.name]
+	 * @return {Promise}
+	 */
+	update: (access, data) => {
+		if (typeof data.is_disabled !== "undefined") {
+			data.is_disabled = data.is_disabled ? 1 : 0;
+		}
+
+		return access
+			.can("users:update", data.id)
+			.then(() => {
+				// Make sure that the user being updated doesn't change their email to another user that is already using it
+				// 1. get user we want to update
+				return internalUser.get(access, { id: data.id }).then((user) => {
+					// 2. if email is to be changed, find other users with that email
+					if (typeof data.email !== "undefined") {
+						data.email = data.email.toLowerCase().trim();
+
+						if (user.email !== data.email) {
+							return internalUser.isEmailAvailable(data.email, data.id).then((available) => {
+								if (!available) {
+									throw new errs.ValidationError(`Email address already in use - ${data.email}`);
+								}
+								return user;
+							});
+						}
+					}
+
+					// No change to email:
+					return user;
+				});
+			})
+			.then((user) => {
+				if (user.id !== data.id) {
+					// Sanity check that something crazy hasn't happened
+					throw new errs.InternalValidationError(
+						`User could not be updated, IDs do not match: ${user.id} !== ${data.id}`,
+					);
+				}
+
+				data.avatar = gravatar.url(data.email || user.email, { default: "mm" });
+				return userModel.query().patchAndFetchById(user.id, data).then(utils.omitRow(omissions()));
+			})
+			.then(() => {
+				return internalUser.get(access, { id: data.id });
+			})
+			.then((user) => {
+				// Add to audit log
+				return internalAuditLog
+					.add(access, {
+						action: "updated",
+						object_type: "user",
+						object_id: user.id,
+						meta: { ...data, id: user.id, name: user.name },
+					})
+					.then(() => {
+						return user;
+					});
+			});
+	},
+
+	/**
+	 * @param  {Access}   access
+	 * @param  {Object}   [data]
+	 * @param  {Integer}  [data.id]          Defaults to the token user
+	 * @param  {Array}    [data.expand]
+	 * @param  {Array}    [data.omit]
+	 * @return {Promise}
+	 */
+	get: (access, data) => {
+		const thisData = data || {};
+
+		if (typeof thisData.id === "undefined" || !thisData.id) {
+			thisData.id = access.token.getUserId(0);
+		}
+
+		return access
+			.can("users:get", thisData.id)
+			.then(() => {
+				const query = userModel
+					.query()
+					.where("is_deleted", 0)
+					.andWhere("id", thisData.id)
+					.allowGraph("[permissions]")
+					.first();
+
+				if (typeof thisData.expand !== "undefined" && thisData.expand !== null) {
+					query.withGraphFetched(`[${thisData.expand.join(", ")}]`);
+				}
+
+				return query.then(utils.omitRow(omissions()));
+			})
+			.then((row) => {
+				if (!row || !row.id) {
+					throw new errs.ItemNotFoundError(thisData.id);
+				}
+				// Custom omissions
+				if (typeof thisData.omit !== "undefined" && thisData.omit !== null) {
+					return _.omit(row, thisData.omit);
+				}
+
+				if (row.avatar === "") {
+					row.avatar = DEFAULT_AVATAR;
+				}
+
+				return row;
+			});
+	},
+
+	/**
+	 * Checks if an email address is available, but if a user_id is supplied, it will ignore checking
+	 * against that user.
+	 *
+	 * @param email
+	 * @param user_id
+	 */
+	isEmailAvailable: (email, user_id) => {
+		const query = userModel.query().where("email", "=", email.toLowerCase().trim()).where("is_deleted", 0).first();
+
+		if (typeof user_id !== "undefined") {
+			query.where("id", "!=", user_id);
+		}
+
+		return query.then((user) => {
+			return !user;
+		});
+	},
+
+	/**
+	 * @param {Access}  access
+	 * @param {Object}  data
+	 * @param {Integer} data.id
+	 * @param {String}  [data.reason]
+	 * @returns {Promise}
+	 */
+	delete: (access, data) => {
+		return access
+			.can("users:delete", data.id)
+			.then(() => {
+				return internalUser.get(access, { id: data.id });
+			})
+			.then((user) => {
+				if (!user) {
+					throw new errs.ItemNotFoundError(data.id);
+				}
+
+				// Make sure user can't delete themselves
+				if (user.id === access.token.getUserId(0)) {
+					throw new errs.PermissionError("You cannot delete yourself.");
+				}
+
+				return userModel
+					.query()
+					.where("id", user.id)
+					.patch({
+						is_deleted: 1,
+					})
+					.then(() => {
+						// Add to audit log
+						return internalAuditLog.add(access, {
+							action: "deleted",
+							object_type: "user",
+							object_id: user.id,
+							meta: _.omit(user, omissions()),
+						});
+					});
+			})
+			.then(() => {
+				return true;
+			});
+	},
+
+	deleteAll: async () => {
+		await userModel
+			.query()
+			.patch({
+				is_deleted: 1,
+			});
+	},
+
+	/**
+	 * This will only count the users
+	 *
+	 * @param   {Access}  access
+	 * @param   {String}  [search_query]
+	 * @returns {*}
+	 */
+	getCount: (access, search_query) => {
+		return access
+			.can("users:list")
+			.then(() => {
+				const query = userModel.query().count("id as count").where("is_deleted", 0).first();
+
+				// Query is used for searching
+				if (typeof search_query === "string") {
+					query.where(function () {
+						this.where("user.name", "like", `%${search_query}%`).orWhere(
+							"user.email",
+							"like",
+							`%${search_query}%`,
+						);
+					});
+				}
+
+				return query;
+			})
+			.then((row) => {
+				return Number.parseInt(row.count, 10);
+			});
+	},
+
+	/**
+	 * All users
+	 *
+	 * @param   {Access}  access
+	 * @param   {Array}   [expand]
+	 * @param   {String}  [search_query]
+	 * @returns {Promise}
+	 */
+	getAll: async (access, expand, search_query) => {
+		await access.can("users:list");
+		const query = userModel
+			.query()
+			.where("is_deleted", 0)
+			.groupBy("id")
+			.allowGraph("[permissions]")
+			.orderBy("name", "ASC");
+
+		// Query is used for searching
+		if (typeof search_query === "string") {
+			query.where(function () {
+				this.where("name", "like", `%${search_query}%`).orWhere("email", "like", `%${search_query}%`);
+			});
+		}
+
+		if (typeof expand !== "undefined" && expand !== null) {
+			query.withGraphFetched(`[${expand.join(", ")}]`);
+		}
+
+		const res = await query;
+		return utils.omitRows(omissions())(res);
+	},
+
+	/**
+	 * @param   {Access} access
+	 * @param   {Integer} [id_requested]
+	 * @returns {[String]}
+	 */
+	getUserOmisionsByAccess: (access, idRequested) => {
+		let response = []; // Admin response
+
+		if (!access.token.hasScope("admin") && access.token.getUserId(0) !== idRequested) {
+			response = ["is_deleted"]; // Restricted response
+		}
+
+		return response;
+	},
+
+	/**
+	 * @param  {Access}  access
+	 * @param  {Object}  data
+	 * @param  {Integer} data.id
+	 * @param  {String}  data.type
+	 * @param  {String}  data.secret
+	 * @return {Promise}
+	 */
+	setPassword: (access, data) => {
+		return access
+			.can("users:password", data.id)
+			.then(() => {
+				return internalUser.get(access, { id: data.id });
+			})
+			.then((user) => {
+				if (user.id !== data.id) {
+					// Sanity check that something crazy hasn't happened
+					throw new errs.InternalValidationError(
+						`User could not be updated, IDs do not match: ${user.id} !== ${data.id}`,
+					);
+				}
+
+				if (user.id === access.token.getUserId(0)) {
+					// they're setting their own password. Make sure their current password is correct
+					if (typeof data.current === "undefined" || !data.current) {
+						throw new errs.ValidationError("Current password was not supplied");
+					}
+
+					return internalToken
+						.getTokenFromEmail({
+							identity: user.email,
+							secret: data.current,
+						})
+						.then(() => {
+							return user;
+						});
+				}
+
+				return user;
+			})
+			.then((user) => {
+				// Get auth, patch if it exists
+				return authModel
+					.query()
+					.where("user_id", user.id)
+					.andWhere("type", data.type)
+					.first()
+					.then((existing_auth) => {
+						if (existing_auth) {
+							// patch
+							return authModel.query().where("user_id", user.id).andWhere("type", data.type).patch({
+								type: data.type, // This is required for the model to encrypt on save
+								secret: data.secret,
+							});
+						}
+						// insert
+						return authModel.query().insert({
+							user_id: user.id,
+							type: data.type,
+							secret: data.secret,
+							meta: {},
+						});
+					})
+					.then(() => {
+						// Add to Audit Log
+						return internalAuditLog.add(access, {
+							action: "updated",
+							object_type: "user",
+							object_id: user.id,
+							meta: {
+								name: user.name,
+								password_changed: true,
+								auth_type: data.type,
+							},
+						});
+					});
+			})
+			.then(() => {
+				return true;
+			});
+	},
+
+	/**
+	 * @param  {Access}  access
+	 * @param  {Object}  data
+	 * @return {Promise}
+	 */
+	setPermissions: (access, data) => {
+		return access
+			.can("users:permissions", data.id)
+			.then(() => {
+				return internalUser.get(access, { id: data.id });
+			})
+			.then((user) => {
+				if (user.id !== data.id) {
+					// Sanity check that something crazy hasn't happened
+					throw new errs.InternalValidationError(
+						`User could not be updated, IDs do not match: ${user.id} !== ${data.id}`,
+					);
+				}
+
+				return user;
+			})
+			.then((user) => {
+				// Get perms row, patch if it exists
+				return userPermissionModel
+					.query()
+					.where("user_id", user.id)
+					.first()
+					.then((existing_auth) => {
+						if (existing_auth) {
+							// patch
+							return userPermissionModel
+								.query()
+								.where("user_id", user.id)
+								.patchAndFetchById(existing_auth.id, _.assign({ user_id: user.id }, data));
+						}
+						// insert
+						return userPermissionModel.query().insertAndFetch(_.assign({ user_id: user.id }, data));
+					})
+					.then((permissions) => {
+						// Add to Audit Log
+						return internalAuditLog.add(access, {
+							action: "updated",
+							object_type: "user",
+							object_id: user.id,
+							meta: {
+								name: user.name,
+								permissions: permissions,
+							},
+						});
+					});
+			})
+			.then(() => {
+				return true;
+			});
+	},
+
+	/**
+	 * @param {Access}   access
+	 * @param {Object}   data
+	 * @param {Integer}  data.id
+	 */
+	loginAs: (access, data) => {
+		return access
+			.can("users:loginas", data.id)
+			.then(() => {
+				return internalUser.get(access, data);
+			})
+			.then((user) => {
+				return internalToken.getTokenFromUser(user);
+			});
+	},
+};
+
+export default internalUser;

backend/knexfile.js

@@ -0,0 +1,19 @@
+module.exports = {
+	development: {
+		client:     'mysql2',
+		migrations: {
+			tableName: 'migrations',
+			stub:      'lib/migrate_template.js',
+			directory: 'migrations'
+		}
+	},
+
+	production: {
+		client:     'mysql2',
+		migrations: {
+			tableName: 'migrations',
+			stub:      'lib/migrate_template.js',
+			directory: 'migrations'
+		}
+	}
+};

backend/lib/access.js

@@ -0,0 +1,278 @@
+/**
+ * Some Notes: This is a friggin complicated piece of code.
+ *
+ * "scope" in this file means "where did this token come from and what is using it", so 99% of the time
+ * the "scope" is going to be "user" because it would be a user token. This is not to be confused with
+ * the "role" which could be "user" or "admin". The scope in fact, could be "worker" or anything else.
+ */
+
+import fs from "node:fs";
+import { dirname } from "node:path";
+import { fileURLToPath } from "node:url";
+import Ajv from "ajv/dist/2020.js";
+import _ from "lodash";
+import { access as logger } from "../logger.js";
+import proxyHostModel from "../models/proxy_host.js";
+import TokenModel from "../models/token.js";
+import userModel from "../models/user.js";
+import permsSchema from "./access/permissions.json" with { type: "json" };
+import roleSchema from "./access/roles.json" with { type: "json" };
+import errs from "./error.js";
+
+const __filename = fileURLToPath(import.meta.url);
+const __dirname = dirname(__filename);
+
+export default function (tokenString) {
+	const Token = TokenModel();
+	let tokenData = null;
+	let initialised = false;
+	const objectCache = {};
+	let allowInternalAccess = false;
+	let userRoles = [];
+	let permissions = {};
+
+	/**
+	 * Loads the Token object from the token string
+	 *
+	 * @returns {Promise}
+	 */
+	this.init = async () => {
+		if (initialised) {
+			return;
+		}
+
+		if (!tokenString) {
+			throw new errs.PermissionError("Permission Denied");
+		}
+
+		tokenData = await Token.load(tokenString);
+
+		// At this point we need to load the user from the DB and make sure they:
+		// - exist (and not soft deleted)
+		// - still have the appropriate scopes for this token
+		// This is only required when the User ID is supplied or if the token scope has `user`
+		if (
+			tokenData.attrs.id ||
+			(typeof tokenData.scope !== "undefined" && _.indexOf(tokenData.scope, "user") !== -1)
+		) {
+			// Has token user id or token user scope
+			const user = await userModel
+				.query()
+				.where("id", tokenData.attrs.id)
+				.andWhere("is_deleted", 0)
+				.andWhere("is_disabled", 0)
+				.allowGraph("[permissions]")
+				.withGraphFetched("[permissions]")
+				.first();
+
+			if (user) {
+				// make sure user has all scopes of the token
+				// The `user` role is not added against the user row, so we have to just add it here to get past this check.
+				user.roles.push("user");
+
+				let ok = true;
+				_.forEach(tokenData.scope, (scope_item) => {
+					if (_.indexOf(user.roles, scope_item) === -1) {
+						ok = false;
+					}
+				});
+
+				if (!ok) {
+					throw new errs.AuthError("Invalid token scope for User");
+				}
+				initialised = true;
+				userRoles = user.roles;
+				permissions = user.permissions;
+			} else {
+				throw new errs.AuthError("User cannot be loaded for Token");
+			}
+		}
+		initialised = true;
+	};
+
+	/**
+	 * Fetches the object ids from the database, only once per object type, for this token.
+	 * This only applies to USER token scopes, as all other tokens are not really bound
+	 * by object scopes
+	 *
+	 * @param   {String} objectType
+	 * @returns {Promise}
+	 */
+	this.loadObjects = async (objectType) => {
+		let objects = null;
+
+		if (Token.hasScope("user")) {
+			if (typeof tokenData.attrs.id === "undefined" || !tokenData.attrs.id) {
+				throw new errs.AuthError("User Token supplied without a User ID");
+			}
+
+			const tokenUserId = tokenData.attrs.id ? tokenData.attrs.id : 0;
+
+			if (typeof objectCache[objectType] !== "undefined") {
+				objects = objectCache[objectType];
+			} else {
+				switch (objectType) {
+					// USERS - should only return yourself
+					case "users":
+						objects = tokenUserId ? [tokenUserId] : [];
+						break;
+
+					// Proxy Hosts
+					case "proxy_hosts": {
+						const query = proxyHostModel
+							.query()
+							.select("id")
+							.andWhere("is_deleted", 0);
+
+						if (permissions.visibility === "user") {
+							query.andWhere("owner_user_id", tokenUserId);
+						}
+
+						const rows = await query;
+						objects = [];
+						_.forEach(rows, (ruleRow) => {
+							objects.push(ruleRow.id);
+						});
+
+						// enum should not have less than 1 item
+						if (!objects.length) {
+							objects.push(0);
+						}
+						break;
+					}
+				}
+				objectCache[objectType] = objects;
+			}
+		}
+		return objects;
+	};
+
+	/**
+	 * Creates a schema object on the fly with the IDs and other values required to be checked against the permissionSchema
+	 *
+	 * @param   {String} permissionLabel
+	 * @returns {Object}
+	 */
+	this.getObjectSchema = async (permissionLabel) => {
+		const baseObjectType = permissionLabel.split(":").shift();
+
+		const schema = {
+			$id: "objects",
+			description: "Actor Properties",
+			type: "object",
+			additionalProperties: false,
+			properties: {
+				user_id: {
+					anyOf: [
+						{
+							type: "number",
+							enum: [Token.get("attrs").id],
+						},
+					],
+				},
+				scope: {
+					type: "string",
+					pattern: `^${Token.get("scope")}$`,
+				},
+			},
+		};
+
+		const result = await this.loadObjects(baseObjectType);
+		if (typeof result === "object" && result !== null) {
+			schema.properties[baseObjectType] = {
+				type: "number",
+				enum: result,
+				minimum: 1,
+			};
+		} else {
+			schema.properties[baseObjectType] = {
+				type: "number",
+				minimum: 1,
+			};
+		}
+
+		return schema;
+	};
+
+	// here:
+
+	return {
+		token: Token,
+
+		/**
+		 *
+		 * @param   {Boolean}  [allowInternal]
+		 * @returns {Promise}
+		 */
+		load: async (allowInternal) => {
+			if (tokenString) {
+				return await Token.load(tokenString);
+			}
+			allowInternalAccess = allowInternal;
+			return allowInternal || null;
+		},
+
+		reloadObjects: this.loadObjects,
+
+		/**
+		 *
+		 * @param {String}  permission
+		 * @param {*}       [data]
+		 * @returns {Promise}
+		 */
+		can: async (permission, data) => {
+			if (allowInternalAccess === true) {
+				return true;
+			}
+
+			try {
+				await this.init();
+				const objectSchema = await this.getObjectSchema(permission);
+
+				const dataSchema = {
+					[permission]: {
+						data: data,
+						scope: Token.get("scope"),
+						roles: userRoles,
+						permission_visibility: permissions.visibility,
+						permission_proxy_hosts: permissions.proxy_hosts,
+						permission_redirection_hosts: permissions.redirection_hosts,
+						permission_dead_hosts: permissions.dead_hosts,
+						permission_streams: permissions.streams,
+						permission_access_lists: permissions.access_lists,
+						permission_certificates: permissions.certificates,
+					},
+				};
+
+				const permissionSchema = {
+					$async: true,
+					$id: "permissions",
+					type: "object",
+					additionalProperties: false,
+					properties: {},
+				};
+
+				const rawData = fs.readFileSync(`${__dirname}/access/${permission.replace(/:/gim, "-")}.json`, {
+					encoding: "utf8",
+				});
+				permissionSchema.properties[permission] = JSON.parse(rawData);
+
+				const ajv = new Ajv({
+					verbose: true,
+					allErrors: true,
+					breakOnError: true,
+					coerceTypes: true,
+					schemas: [roleSchema, permsSchema, objectSchema, permissionSchema],
+				});
+
+				const valid = await ajv.validate("permissions", dataSchema);
+				return valid && dataSchema[permission];
+			} catch (err) {
+				err.permission = permission;
+				err.permission_data = data;
+				logger.error(permission, data, err.message);
+				throw errs.PermissionError("Permission Denied", err);
+			}
+		},
+	};
+}

backend/lib/access/access_lists-create.json

@@ -0,0 +1,23 @@
+{
+	"anyOf": [
+		{
+			"$ref": "roles#/definitions/admin"
+		},
+		{
+			"type": "object",
+			"required": ["permission_access_lists", "roles"],
+			"properties": {
+				"permission_access_lists": {
+					"$ref": "perms#/definitions/manage"
+				},
+				"roles": {
+					"type": "array",
+					"items": {
+						"type": "string",
+						"enum": ["user"]
+					}
+				}
+			}
+		}
+	]
+}

backend/lib/access/access_lists-delete.json

@@ -0,0 +1,23 @@
+{
+	"anyOf": [
+		{
+			"$ref": "roles#/definitions/admin"
+		},
+		{
+			"type": "object",
+			"required": ["permission_access_lists", "roles"],
+			"properties": {
+				"permission_access_lists": {
+					"$ref": "perms#/definitions/manage"
+				},
+				"roles": {
+					"type": "array",
+					"items": {
+						"type": "string",
+						"enum": ["user"]
+					}
+				}
+			}
+		}
+	]
+}

backend/lib/access/access_lists-get.json

@@ -0,0 +1,23 @@
+{
+	"anyOf": [
+		{
+			"$ref": "roles#/definitions/admin"
+		},
+		{
+			"type": "object",
+			"required": ["permission_access_lists", "roles"],
+			"properties": {
+				"permission_access_lists": {
+					"$ref": "perms#/definitions/view"
+				},
+				"roles": {
+					"type": "array",
+					"items": {
+						"type": "string",
+						"enum": ["user"]
+					}
+				}
+			}
+		}
+	]
+}

backend/lib/access/access_lists-list.json

@@ -0,0 +1,23 @@
+{
+	"anyOf": [
+		{
+			"$ref": "roles#/definitions/admin"
+		},
+		{
+			"type": "object",
+			"required": ["permission_access_lists", "roles"],
+			"properties": {
+				"permission_access_lists": {
+					"$ref": "perms#/definitions/view"
+				},
+				"roles": {
+					"type": "array",
+					"items": {
+						"type": "string",
+						"enum": ["user"]
+					}
+				}
+			}
+		}
+	]
+}

backend/lib/access/access_lists-update.json

@@ -0,0 +1,23 @@
+{
+	"anyOf": [
+		{
+			"$ref": "roles#/definitions/admin"
+		},
+		{
+			"type": "object",
+			"required": ["permission_access_lists", "roles"],
+			"properties": {
+				"permission_access_lists": {
+					"$ref": "perms#/definitions/manage"
+				},
+				"roles": {
+					"type": "array",
+					"items": {
+						"type": "string",
+						"enum": ["user"]
+					}
+				}
+			}
+		}
+	]
+}

backend/lib/access/auditlog-list.json

@@ -0,0 +1,7 @@
+{
+	"anyOf": [
+		{
+			"$ref": "roles#/definitions/admin"
+		}
+	]
+}

backend/lib/access/certificates-create.json

@@ -0,0 +1,23 @@
+{
+	"anyOf": [
+		{
+			"$ref": "roles#/definitions/admin"
+		},
+		{
+			"type": "object",
+			"required": ["permission_certificates", "roles"],
+			"properties": {
+				"permission_certificates": {
+					"$ref": "perms#/definitions/manage"
+				},
+				"roles": {
+					"type": "array",
+					"items": {
+						"type": "string",
+						"enum": ["user"]
+					}
+				}
+			}
+		}
+	]
+}

backend/lib/access/certificates-delete.json

@@ -0,0 +1,23 @@
+{
+	"anyOf": [
+		{
+			"$ref": "roles#/definitions/admin"
+		},
+		{
+			"type": "object",
+			"required": ["permission_certificates", "roles"],
+			"properties": {
+				"permission_certificates": {
+					"$ref": "perms#/definitions/manage"
+				},
+				"roles": {
+					"type": "array",
+					"items": {
+						"type": "string",
+						"enum": ["user"]
+					}
+				}
+			}
+		}
+	]
+}

backend/lib/access/certificates-get.json

@@ -0,0 +1,23 @@
+{
+	"anyOf": [
+		{
+			"$ref": "roles#/definitions/admin"
+		},
+		{
+			"type": "object",
+			"required": ["permission_certificates", "roles"],
+			"properties": {
+				"permission_certificates": {
+					"$ref": "perms#/definitions/view"
+				},
+				"roles": {
+					"type": "array",
+					"items": {
+						"type": "string",
+						"enum": ["user"]
+					}
+				}
+			}
+		}
+	]
+}

backend/lib/access/certificates-list.json

@@ -0,0 +1,23 @@
+{
+	"anyOf": [
+		{
+			"$ref": "roles#/definitions/admin"
+		},
+		{
+			"type": "object",
+			"required": ["permission_certificates", "roles"],
+			"properties": {
+				"permission_certificates": {
+					"$ref": "perms#/definitions/view"
+				},
+				"roles": {
+					"type": "array",
+					"items": {
+						"type": "string",
+						"enum": ["user"]
+					}
+				}
+			}
+		}
+	]
+}

backend/lib/access/certificates-update.json

@@ -0,0 +1,23 @@
+{
+	"anyOf": [
+		{
+			"$ref": "roles#/definitions/admin"
+		},
+		{
+			"type": "object",
+			"required": ["permission_certificates", "roles"],
+			"properties": {
+				"permission_certificates": {
+					"$ref": "perms#/definitions/manage"
+				},
+				"roles": {
+					"type": "array",
+					"items": {
+						"type": "string",
+						"enum": ["user"]
+					}
+				}
+			}
+		}
+	]
+}

backend/lib/access/dead_hosts-create.json

@@ -0,0 +1,23 @@
+{
+	"anyOf": [
+		{
+			"$ref": "roles#/definitions/admin"
+		},
+		{
+			"type": "object",
+			"required": ["permission_dead_hosts", "roles"],
+			"properties": {
+				"permission_dead_hosts": {
+					"$ref": "perms#/definitions/manage"
+				},
+				"roles": {
+					"type": "array",
+					"items": {
+						"type": "string",
+						"enum": ["user"]
+					}
+				}
+			}
+		}
+	]
+}

backend/lib/access/dead_hosts-delete.json

@@ -0,0 +1,23 @@
+{
+	"anyOf": [
+		{
+			"$ref": "roles#/definitions/admin"
+		},
+		{
+			"type": "object",
+			"required": ["permission_dead_hosts", "roles"],
+			"properties": {
+				"permission_dead_hosts": {
+					"$ref": "perms#/definitions/manage"
+				},
+				"roles": {
+					"type": "array",
+					"items": {
+						"type": "string",
+						"enum": ["user"]
+					}
+				}
+			}
+		}
+	]
+}

backend/lib/access/dead_hosts-get.json

@@ -0,0 +1,23 @@
+{
+	"anyOf": [
+		{
+			"$ref": "roles#/definitions/admin"
+		},
+		{
+			"type": "object",
+			"required": ["permission_dead_hosts", "roles"],
+			"properties": {
+				"permission_dead_hosts": {
+					"$ref": "perms#/definitions/view"
+				},
+				"roles": {
+					"type": "array",
+					"items": {
+						"type": "string",
+						"enum": ["user"]
+					}
+				}
+			}
+		}
+	]
+}

backend/lib/access/dead_hosts-list.json

@@ -0,0 +1,23 @@
+{
+	"anyOf": [
+		{
+			"$ref": "roles#/definitions/admin"
+		},
+		{
+			"type": "object",
+			"required": ["permission_dead_hosts", "roles"],
+			"properties": {
+				"permission_dead_hosts": {
+					"$ref": "perms#/definitions/view"
+				},
+				"roles": {
+					"type": "array",
+					"items": {
+						"type": "string",
+						"enum": ["user"]
+					}
+				}
+			}
+		}
+	]
+}

backend/lib/access/dead_hosts-update.json

@@ -0,0 +1,23 @@
+{
+	"anyOf": [
+		{
+			"$ref": "roles#/definitions/admin"
+		},
+		{
+			"type": "object",
+			"required": ["permission_dead_hosts", "roles"],
+			"properties": {
+				"permission_dead_hosts": {
+					"$ref": "perms#/definitions/manage"
+				},
+				"roles": {
+					"type": "array",
+					"items": {
+						"type": "string",
+						"enum": ["user"]
+					}
+				}
+			}
+		}
+	]
+}

backend/lib/access/permissions.json

@@ -0,0 +1,13 @@
+{
+	"$id": "perms",
+	"definitions": {
+		"view": {
+			"type": "string",
+			"pattern": "^(view|manage)$"
+		},
+		"manage": {
+			"type": "string",
+			"pattern": "^(manage)$"
+		}
+	}
+}

backend/lib/access/proxy_hosts-create.json

@@ -0,0 +1,23 @@
+{
+	"anyOf": [
+		{
+			"$ref": "roles#/definitions/admin"
+		},
+		{
+			"type": "object",
+			"required": ["permission_proxy_hosts", "roles"],
+			"properties": {
+				"permission_proxy_hosts": {
+					"$ref": "perms#/definitions/manage"
+				},
+				"roles": {
+					"type": "array",
+					"items": {
+						"type": "string",
+						"enum": ["user"]
+					}
+				}
+			}
+		}
+	]
+}

backend/lib/access/proxy_hosts-delete.json

@@ -0,0 +1,23 @@
+{
+	"anyOf": [
+		{
+			"$ref": "roles#/definitions/admin"
+		},
+		{
+			"type": "object",
+			"required": ["permission_proxy_hosts", "roles"],
+			"properties": {
+				"permission_proxy_hosts": {
+					"$ref": "perms#/definitions/manage"
+				},
+				"roles": {
+					"type": "array",
+					"items": {
+						"type": "string",
+						"enum": ["user"]
+					}
+				}
+			}
+		}
+	]
+}

backend/lib/access/proxy_hosts-get.json

@@ -0,0 +1,23 @@
+{
+	"anyOf": [
+		{
+			"$ref": "roles#/definitions/admin"
+		},
+		{
+			"type": "object",
+			"required": ["permission_proxy_hosts", "roles"],
+			"properties": {
+				"permission_proxy_hosts": {
+					"$ref": "perms#/definitions/view"
+				},
+				"roles": {
+					"type": "array",
+					"items": {
+						"type": "string",
+						"enum": ["user"]
+					}
+				}
+			}
+		}
+	]
+}

backend/lib/access/proxy_hosts-list.json

@@ -0,0 +1,23 @@
+{
+	"anyOf": [
+		{
+			"$ref": "roles#/definitions/admin"
+		},
+		{
+			"type": "object",
+			"required": ["permission_proxy_hosts", "roles"],
+			"properties": {
+				"permission_proxy_hosts": {
+					"$ref": "perms#/definitions/view"
+				},
+				"roles": {
+					"type": "array",
+					"items": {
+						"type": "string",
+						"enum": ["user"]
+					}
+				}
+			}
+		}
+	]
+}

backend/lib/access/proxy_hosts-update.json

@@ -0,0 +1,23 @@
+{
+	"anyOf": [
+		{
+			"$ref": "roles#/definitions/admin"
+		},
+		{
+			"type": "object",
+			"required": ["permission_proxy_hosts", "roles"],
+			"properties": {
+				"permission_proxy_hosts": {
+					"$ref": "perms#/definitions/manage"
+				},
+				"roles": {
+					"type": "array",
+					"items": {
+						"type": "string",
+						"enum": ["user"]
+					}
+				}
+			}
+		}
+	]
+}

backend/lib/access/redirection_hosts-create.json

@@ -0,0 +1,23 @@
+{
+	"anyOf": [
+		{
+			"$ref": "roles#/definitions/admin"
+		},
+		{
+			"type": "object",
+			"required": ["permission_redirection_hosts", "roles"],
+			"properties": {
+				"permission_redirection_hosts": {
+					"$ref": "perms#/definitions/manage"
+				},
+				"roles": {
+					"type": "array",
+					"items": {
+						"type": "string",
+						"enum": ["user"]
+					}
+				}
+			}
+		}
+	]
+}

backend/lib/access/redirection_hosts-delete.json

@@ -0,0 +1,23 @@
+{
+	"anyOf": [
+		{
+			"$ref": "roles#/definitions/admin"
+		},
+		{
+			"type": "object",
+			"required": ["permission_redirection_hosts", "roles"],
+			"properties": {
+				"permission_redirection_hosts": {
+					"$ref": "perms#/definitions/manage"
+				},
+				"roles": {
+					"type": "array",
+					"items": {
+						"type": "string",
+						"enum": ["user"]
+					}
+				}
+			}
+		}
+	]
+}

backend/lib/access/redirection_hosts-get.json

@@ -0,0 +1,23 @@
+{
+	"anyOf": [
+		{
+			"$ref": "roles#/definitions/admin"
+		},
+		{
+			"type": "object",
+			"required": ["permission_redirection_hosts", "roles"],
+			"properties": {
+				"permission_redirection_hosts": {
+					"$ref": "perms#/definitions/view"
+				},
+				"roles": {
+					"type": "array",
+					"items": {
+						"type": "string",
+						"enum": ["user"]
+					}
+				}
+			}
+		}
+	]
+}

backend/lib/access/redirection_hosts-list.json

@@ -0,0 +1,23 @@
+{
+	"anyOf": [
+		{
+			"$ref": "roles#/definitions/admin"
+		},
+		{
+			"type": "object",
+			"required": ["permission_redirection_hosts", "roles"],
+			"properties": {
+				"permission_redirection_hosts": {
+					"$ref": "perms#/definitions/view"
+				},
+				"roles": {
+					"type": "array",
+					"items": {
+						"type": "string",
+						"enum": ["user"]
+					}
+				}
+			}
+		}
+	]
+}

backend/lib/access/redirection_hosts-update.json

@@ -0,0 +1,23 @@
+{
+	"anyOf": [
+		{
+			"$ref": "roles#/definitions/admin"
+		},
+		{
+			"type": "object",
+			"required": ["permission_redirection_hosts", "roles"],
+			"properties": {
+				"permission_redirection_hosts": {
+					"$ref": "perms#/definitions/manage"
+				},
+				"roles": {
+					"type": "array",
+					"items": {
+						"type": "string",
+						"enum": ["user"]
+					}
+				}
+			}
+		}
+	]
+}

backend/lib/access/reports-hosts.json

@@ -0,0 +1,7 @@
+{
+	"anyOf": [
+		{
+			"$ref": "roles#/definitions/user"
+		}
+	]
+}

backend/lib/access/roles.json

@@ -0,0 +1,38 @@
+{
+	"$id": "roles",
+	"definitions": {
+		"admin": {
+			"type": "object",
+			"required": ["scope", "roles"],
+			"properties": {
+				"scope": {
+					"type": "array",
+					"contains": {
+						"type": "string",
+						"pattern": "^user$"
+					}
+				},
+				"roles": {
+					"type": "array",
+					"contains": {
+						"type": "string",
+						"pattern": "^admin$"
+					}
+				}
+			}
+		},
+		"user": {
+			"type": "object",
+			"required": ["scope"],
+			"properties": {
+				"scope": {
+					"type": "array",
+					"contains": {
+						"type": "string",
+						"pattern": "^user$"
+					}
+				}
+			}
+		}
+	}
+}

backend/lib/access/settings-get.json

@@ -0,0 +1,7 @@
+{
+	"anyOf": [
+		{
+			"$ref": "roles#/definitions/admin"
+		}
+	]
+}

backend/lib/access/settings-list.json

@@ -0,0 +1,7 @@
+{
+	"anyOf": [
+		{
+			"$ref": "roles#/definitions/admin"
+		}
+	]
+}

backend/lib/access/settings-update.json

@@ -0,0 +1,7 @@
+{
+	"anyOf": [
+		{
+			"$ref": "roles#/definitions/admin"
+		}
+	]
+}

backend/lib/access/streams-create.json

@@ -0,0 +1,23 @@
+{
+	"anyOf": [
+		{
+			"$ref": "roles#/definitions/admin"
+		},
+		{
+			"type": "object",
+			"required": ["permission_streams", "roles"],
+			"properties": {
+				"permission_streams": {
+					"$ref": "perms#/definitions/manage"
+				},
+				"roles": {
+					"type": "array",
+					"items": {
+						"type": "string",
+						"enum": ["user"]
+					}
+				}
+			}
+		}
+	]
+}

backend/lib/access/streams-delete.json

@@ -0,0 +1,23 @@
+{
+	"anyOf": [
+		{
+			"$ref": "roles#/definitions/admin"
+		},
+		{
+			"type": "object",
+			"required": ["permission_streams", "roles"],
+			"properties": {
+				"permission_streams": {
+					"$ref": "perms#/definitions/manage"
+				},
+				"roles": {
+					"type": "array",
+					"items": {
+						"type": "string",
+						"enum": ["user"]
+					}
+				}
+			}
+		}
+	]
+}

backend/lib/access/streams-get.json

@@ -0,0 +1,23 @@
+{
+	"anyOf": [
+		{
+			"$ref": "roles#/definitions/admin"
+		},
+		{
+			"type": "object",
+			"required": ["permission_streams", "roles"],
+			"properties": {
+				"permission_streams": {
+					"$ref": "perms#/definitions/view"
+				},
+				"roles": {
+					"type": "array",
+					"items": {
+						"type": "string",
+						"enum": ["user"]
+					}
+				}
+			}
+		}
+	]
+}

backend/lib/access/streams-list.json

@@ -0,0 +1,23 @@
+{
+	"anyOf": [
+		{
+			"$ref": "roles#/definitions/admin"
+		},
+		{
+			"type": "object",
+			"required": ["permission_streams", "roles"],
+			"properties": {
+				"permission_streams": {
+					"$ref": "perms#/definitions/view"
+				},
+				"roles": {
+					"type": "array",
+					"items": {
+						"type": "string",
+						"enum": ["user"]
+					}
+				}
+			}
+		}
+	]
+}

backend/lib/access/streams-update.json

@@ -0,0 +1,23 @@
+{
+	"anyOf": [
+		{
+			"$ref": "roles#/definitions/admin"
+		},
+		{
+			"type": "object",
+			"required": ["permission_streams", "roles"],
+			"properties": {
+				"permission_streams": {
+					"$ref": "perms#/definitions/manage"
+				},
+				"roles": {
+					"type": "array",
+					"items": {
+						"type": "string",
+						"enum": ["user"]
+					}
+				}
+			}
+		}
+	]
+}

backend/lib/access/users-create.json

@@ -0,0 +1,7 @@
+{
+	"anyOf": [
+		{
+			"$ref": "roles#/definitions/admin"
+		}
+	]
+}

backend/lib/access/users-delete.json

@@ -0,0 +1,7 @@
+{
+	"anyOf": [
+		{
+			"$ref": "roles#/definitions/admin"
+		}
+	]
+}

backend/lib/access/users-get.json

@@ -0,0 +1,23 @@
+{
+	"anyOf": [
+		{
+			"$ref": "roles#/definitions/admin"
+		},
+		{
+			"type": "object",
+			"required": ["data", "scope"],
+			"properties": {
+				"data": {
+					"$ref": "objects#/properties/users"
+				},
+				"scope": {
+					"type": "array",
+					"contains": {
+						"type": "string",
+						"pattern": "^user$"
+					}
+				}
+			}
+		}
+	]
+}

backend/lib/access/users-list.json

@@ -0,0 +1,7 @@
+{
+	"anyOf": [
+		{
+			"$ref": "roles#/definitions/admin"
+		}
+	]
+}

backend/lib/access/users-loginas.json

@@ -0,0 +1,7 @@
+{
+	"anyOf": [
+		{
+			"$ref": "roles#/definitions/admin"
+		}
+	]
+}

backend/lib/access/users-password.json

@@ -0,0 +1,23 @@
+{
+	"anyOf": [
+		{
+			"$ref": "roles#/definitions/admin"
+		},
+		{
+			"type": "object",
+			"required": ["data", "scope"],
+			"properties": {
+				"data": {
+					"$ref": "objects#/properties/users"
+				},
+				"scope": {
+					"type": "array",
+					"contains": {
+						"type": "string",
+						"pattern": "^user$"
+					}
+				}
+			}
+		}
+	]
+}

backend/lib/access/users-permissions.json

@@ -0,0 +1,7 @@
+{
+	"anyOf": [
+		{
+			"$ref": "roles#/definitions/admin"
+		}
+	]
+}

backend/lib/access/users-update.json

@@ -0,0 +1,23 @@
+{
+	"anyOf": [
+		{
+			"$ref": "roles#/definitions/admin"
+		},
+		{
+			"type": "object",
+			"required": ["data", "scope"],
+			"properties": {
+				"data": {
+					"$ref": "objects#/properties/users"
+				},
+				"scope": {
+					"type": "array",
+					"contains": {
+						"type": "string",
+						"pattern": "^user$"
+					}
+				}
+			}
+		}
+	]
+}

backend/lib/certbot.js

@@ -0,0 +1,86 @@
+import batchflow from "batchflow";
+import dnsPlugins from "../certbot/dns-plugins.json" with { type: "json" };
+import { certbot as logger } from "../logger.js";
+import errs from "./error.js";
+import utils from "./utils.js";
+
+const CERTBOT_VERSION_REPLACEMENT = "$(certbot --version | grep -Eo '[0-9](\\.[0-9]+)+')";
+
+/**
+ * Installs a cerbot plugin given the key for the object from
+ * ../certbot/dns-plugins.json
+ *
+ * @param   {string}  pluginKey
+ * @returns {Object}
+ */
+const installPlugin = async (pluginKey) => {
+	if (typeof dnsPlugins[pluginKey] === "undefined") {
+		// throw Error(`Certbot plugin ${pluginKey} not found`);
+		throw new errs.ItemNotFoundError(pluginKey);
+	}
+
+	const plugin = dnsPlugins[pluginKey];
+	logger.start(`Installing ${pluginKey}...`);
+
+	plugin.version = plugin.version.replace(/{{certbot-version}}/g, CERTBOT_VERSION_REPLACEMENT);
+	plugin.dependencies = plugin.dependencies.replace(/{{certbot-version}}/g, CERTBOT_VERSION_REPLACEMENT);
+
+	// SETUPTOOLS_USE_DISTUTILS is required for certbot plugins to install correctly
+	// in new versions of Python
+	let env = Object.assign({}, process.env, { SETUPTOOLS_USE_DISTUTILS: "stdlib" });
+	if (typeof plugin.env === "object") {
+		env = Object.assign(env, plugin.env);
+	}
+
+	const cmd = `. /opt/certbot/bin/activate && pip install --no-cache-dir ${plugin.dependencies} ${plugin.package_name}${plugin.version}  && deactivate`;
+	return utils
+		.exec(cmd, { env })
+		.then((result) => {
+			logger.complete(`Installed ${pluginKey}`);
+			return result;
+		})
+		.catch((err) => {
+			throw err;
+		});
+};
+
+/**
+ * @param {array} pluginKeys
+ */
+const installPlugins = async (pluginKeys) => {
+	let hasErrors = false;
+
+	return new Promise((resolve, reject) => {
+		if (pluginKeys.length === 0) {
+			resolve();
+			return;
+		}
+
+		batchflow(pluginKeys)
+			.sequential()
+			.each((_i, pluginKey, next) => {
+				installPlugin(pluginKey)
+					.then(() => {
+						next();
+					})
+					.catch((err) => {
+						hasErrors = true;
+						next(err);
+					});
+			})
+			.error((err) => {
+				logger.error(err.message);
+			})
+			.end(() => {
+				if (hasErrors) {
+					reject(
+						new errs.CommandError("Some plugins failed to install. Please check the logs above", 1),
+					);
+				} else {
+					resolve();
+				}
+			});
+	});
+};
+
+export { installPlugins, installPlugin };

backend/lib/config.js

@@ -0,0 +1,259 @@
+import fs from "node:fs";
+import NodeRSA from "node-rsa";
+import { global as logger } from "../logger.js";
+
+const keysFile         = '/data/keys.json';
+const mysqlEngine      = 'mysql2';
+const postgresEngine   = 'pg';
+const sqliteClientName = 'better-sqlite3';
+
+let instance = null;
+
+// 1. Load from config file first (not recommended anymore)
+// 2. Use config env variables next
+const configure = () => {
+	const filename = `${process.env.NODE_CONFIG_DIR || "./config"}/${process.env.NODE_ENV || "default"}.json`;
+	if (fs.existsSync(filename)) {
+		let configData;
+		try {
+			// Load this json  synchronously
+			const rawData = fs.readFileSync(filename);
+			configData = JSON.parse(rawData);
+		} catch (_) {
+			// do nothing
+		}
+
+		if (configData?.database) {
+			logger.info(`Using configuration from file: ${filename}`);
+
+			// Migrate those who have "mysql" engine to "mysql2"
+			if (configData.database.engine === "mysql") {
+				configData.database.engine = mysqlEngine;
+			}
+
+			instance = configData;
+			instance.keys = getKeys();
+			return;
+		}
+	}
+
+	const toBool = (v) => /^(1|true|yes|on)$/i.test((v || '').trim());
+
+	const envMysqlHost                  = process.env.DB_MYSQL_HOST || null;
+	const envMysqlUser                  = process.env.DB_MYSQL_USER || null;
+	const envMysqlName                  = process.env.DB_MYSQL_NAME || null;
+	const envMysqlSSL                   = toBool(process.env.DB_MYSQL_SSL);
+	const envMysqlSSLRejectUnauthorized	= process.env.DB_MYSQL_SSL_REJECT_UNAUTHORIZED === undefined ? true : toBool(process.env.DB_MYSQL_SSL_REJECT_UNAUTHORIZED);
+	const envMysqlSSLVerifyIdentity		= process.env.DB_MYSQL_SSL_VERIFY_IDENTITY === undefined ? true : toBool(process.env.DB_MYSQL_SSL_VERIFY_IDENTITY);
+	if (envMysqlHost && envMysqlUser && envMysqlName) {
+		// we have enough mysql creds to go with mysql
+		logger.info("Using MySQL configuration");
+		instance = {
+			database: {
+				engine: mysqlEngine,
+				host: envMysqlHost,
+				port: process.env.DB_MYSQL_PORT || 3306,
+				user: envMysqlUser,
+				password: process.env.DB_MYSQL_PASSWORD,
+				name:     envMysqlName,
+				ssl:      envMysqlSSL ? { rejectUnauthorized: envMysqlSSLRejectUnauthorized, verifyIdentity: envMysqlSSLVerifyIdentity } : false,
+			},
+			keys: getKeys(),
+		};
+		return;
+	}
+
+	const envPostgresHost = process.env.DB_POSTGRES_HOST || null;
+	const envPostgresUser = process.env.DB_POSTGRES_USER || null;
+	const envPostgresName = process.env.DB_POSTGRES_NAME || null;
+	if (envPostgresHost && envPostgresUser && envPostgresName) {
+		// we have enough postgres creds to go with postgres
+		logger.info("Using Postgres configuration");
+		instance = {
+			database: {
+				engine: postgresEngine,
+				host: envPostgresHost,
+				port: process.env.DB_POSTGRES_PORT || 5432,
+				user: envPostgresUser,
+				password: process.env.DB_POSTGRES_PASSWORD,
+				name: envPostgresName,
+			},
+			keys: getKeys(),
+		};
+		return;
+	}
+
+	const envSqliteFile = process.env.DB_SQLITE_FILE || "/data/database.sqlite";
+
+	logger.info(`Using Sqlite: ${envSqliteFile}`);
+	instance = {
+		database: {
+			engine: "knex-native",
+			knex: {
+				client: sqliteClientName,
+				connection: {
+					filename: envSqliteFile,
+				},
+				useNullAsDefault: true,
+			},
+		},
+		keys: getKeys(),
+	};
+};
+
+const getKeys = () => {
+	// Get keys from file
+	if (isDebugMode()) {
+		logger.debug("Checking for keys file:", keysFile);
+	}
+	if (!fs.existsSync(keysFile)) {
+		generateKeys();
+	} else if (process.env.DEBUG) {
+		logger.info("Keys file exists OK");
+	}
+	try {
+		// Load this json keysFile synchronously and return the json object
+		const rawData = fs.readFileSync(keysFile);
+		return JSON.parse(rawData);
+	} catch (err) {
+		logger.error(`Could not read JWT key pair from config file: ${keysFile}`, err);
+		process.exit(1);
+	}
+};
+
+const generateKeys = () => {
+	logger.info("Creating a new JWT key pair...");
+	// Now create the keys and save them in the config.
+	const key = new NodeRSA({ b: 2048 });
+	key.generateKeyPair();
+
+	const keys = {
+		key: key.exportKey("private").toString(),
+		pub: key.exportKey("public").toString(),
+	};
+
+	// Write keys config
+	try {
+		fs.writeFileSync(keysFile, JSON.stringify(keys, null, 2));
+	} catch (err) {
+		logger.error(`Could not write JWT key pair to config file: ${keysFile}: ${err.message}`);
+		process.exit(1);
+	}
+	logger.info(`Wrote JWT key pair to config file: ${keysFile}`);
+};
+
+/**
+ *
+ * @param   {string}  key   ie: 'database' or 'database.engine'
+ * @returns {boolean}
+ */
+const configHas = (key) => {
+	instance === null && configure();
+	const keys = key.split(".");
+	let level = instance;
+	let has = true;
+	keys.forEach((keyItem) => {
+		if (typeof level[keyItem] === "undefined") {
+			has = false;
+		} else {
+			level = level[keyItem];
+		}
+	});
+
+	return has;
+};
+
+/**
+ * Gets a specific key from the top level
+ *
+ * @param {string} key
+ * @returns {*}
+ */
+const configGet = (key) => {
+	instance === null && configure();
+	if (key && typeof instance[key] !== "undefined") {
+		return instance[key];
+	}
+	return instance;
+};
+
+/**
+ * Is this a sqlite configuration?
+ *
+ * @returns {boolean}
+ */
+const isSqlite = () => {
+	instance === null && configure();
+	return instance.database.knex && instance.database.knex.client === sqliteClientName;
+};
+
+/**
+ * Is this a mysql configuration?
+ *
+ * @returns {boolean}
+ */
+const isMysql = () => {
+	instance === null && configure();
+	return instance.database.engine === mysqlEngine;
+};
+
+/**
+ * Is this a postgres configuration?
+ *
+ * @returns {boolean}
+ */
+const isPostgres = () => {
+	instance === null && configure();
+	return instance.database.engine === postgresEngine;
+};
+
+/**
+ * Are we running in debug mdoe?
+ *
+ * @returns {boolean}
+ */
+const isDebugMode = () => !!process.env.DEBUG;
+
+/**
+ * Are we running in CI?
+ *
+ * @returns {boolean}
+ */
+const isCI = () => process.env.CI === 'true' && process.env.DEBUG === 'true';
+
+/**
+ * Returns a public key
+ *
+ * @returns {string}
+ */
+const getPublicKey = () => {
+	instance === null && configure();
+	return instance.keys.pub;
+};
+
+/**
+ * Returns a private key
+ *
+ * @returns {string}
+ */
+const getPrivateKey = () => {
+	instance === null && configure();
+	return instance.keys.key;
+};
+
+/**
+ * @returns {boolean}
+ */
+const useLetsencryptStaging = () => !!process.env.LE_STAGING;
+
+/**
+ * @returns {string|null}
+ */
+const useLetsencryptServer = () => {
+	if (process.env.LE_SERVER) {
+		return process.env.LE_SERVER;
+	}
+	return null;
+};
+
+export { isCI, configHas, configGet, isSqlite, isMysql, isPostgres, isDebugMode, getPrivateKey, getPublicKey, useLetsencryptStaging, useLetsencryptServer };

backend/lib/error.js

@@ -0,0 +1,103 @@
+import _ from "lodash";
+
+const errs = {
+	PermissionError: function (_, previous) {
+		Error.captureStackTrace(this, this.constructor);
+		this.name = this.constructor.name;
+		this.previous = previous;
+		this.message = "Permission Denied";
+		this.public = true;
+		this.status = 403;
+	},
+
+	ItemNotFoundError: function (id, previous) {
+		Error.captureStackTrace(this, this.constructor);
+		this.name = this.constructor.name;
+		this.previous = previous;
+		this.message = "Not Found";
+		if (id) {
+			this.message = `Not Found - ${id}`;
+		}
+		this.public = true;
+		this.status = 404;
+	},
+
+	AuthError: function (message, messageI18n, previous) {
+		Error.captureStackTrace(this, this.constructor);
+		this.name = this.constructor.name;
+		this.previous = previous;
+		this.message = message;
+		this.message_i18n = messageI18n;
+		this.public = true;
+		this.status = 400;
+	},
+
+	InternalError: function (message, previous) {
+		Error.captureStackTrace(this, this.constructor);
+		this.name = this.constructor.name;
+		this.previous = previous;
+		this.message = message;
+		this.status = 500;
+		this.public = false;
+	},
+
+	InternalValidationError: function (message, previous) {
+		Error.captureStackTrace(this, this.constructor);
+		this.name = this.constructor.name;
+		this.previous = previous;
+		this.message = message;
+		this.status = 400;
+		this.public = false;
+	},
+
+	ConfigurationError: function (message, previous) {
+		Error.captureStackTrace(this, this.constructor);
+		this.name = this.constructor.name;
+		this.previous = previous;
+		this.message = message;
+		this.status = 400;
+		this.public = true;
+	},
+
+	CacheError: function (message, previous) {
+		Error.captureStackTrace(this, this.constructor);
+		this.name = this.constructor.name;
+		this.message = message;
+		this.previous = previous;
+		this.status = 500;
+		this.public = false;
+	},
+
+	ValidationError: function (message, previous) {
+		Error.captureStackTrace(this, this.constructor);
+		this.name = this.constructor.name;
+		this.previous = previous;
+		this.message = message;
+		this.public = true;
+		this.status = 400;
+	},
+
+	AssertionFailedError: function (message, previous) {
+		Error.captureStackTrace(this, this.constructor);
+		this.name = this.constructor.name;
+		this.previous = previous;
+		this.message = message;
+		this.public = false;
+		this.status = 400;
+	},
+
+	CommandError: function (stdErr, code, previous) {
+		Error.captureStackTrace(this, this.constructor);
+		this.name = this.constructor.name;
+		this.previous = previous;
+		this.message = stdErr;
+		this.code = code;
+		this.public = false;
+	},
+};
+
+_.forEach(errs, (err) => {
+	err.prototype = Object.create(Error.prototype);
+});
+
+export default errs;

backend/lib/express/cors.js

@@ -0,0 +1,17 @@
+export default (req, res, next) => {
+	if (req.headers.origin) {
+		res.set({
+			"Access-Control-Allow-Origin": req.headers.origin,
+			"Access-Control-Allow-Credentials": true,
+			"Access-Control-Allow-Methods": "OPTIONS, GET, POST",
+			"Access-Control-Allow-Headers":
+				"Content-Type, Cache-Control, Pragma, Expires, Authorization, X-Dataset-Total, X-Dataset-Offset, X-Dataset-Limit",
+			"Access-Control-Max-Age": 5 * 60,
+			"Access-Control-Expose-Headers": "X-Dataset-Total, X-Dataset-Offset, X-Dataset-Limit",
+		});
+		next();
+	} else {
+		// No origin
+		next();
+	}
+};

backend/lib/express/jwt-decode.js

@@ -0,0 +1,15 @@
+import Access from "../access.js";
+
+export default () => {
+	return async (_, res, next) => {
+		try {
+			res.locals.access = null;
+			const access = new Access(res.locals.token || null);
+			await access.load();
+			res.locals.access = access;
+			next();
+		} catch (err) {
+			next(err);
+		}
+	};
+};

backend/lib/express/jwt.js

@@ -0,0 +1,13 @@
+export default function () {
+	return (req, res, next) => {
+		if (req.headers.authorization) {
+			const parts = req.headers.authorization.split(" ");
+
+			if (parts && parts[0] === "Bearer" && parts[1]) {
+				res.locals.token = parts[1];
+			}
+		}
+
+		next();
+	};
+}

backend/lib/express/pagination.js

@@ -0,0 +1,55 @@
+import _  from "lodash";
+
+export default (default_sort, default_offset, default_limit, max_limit) => {
+	/**
+	 * This will setup the req query params with filtered data and defaults
+	 *
+	 * sort    will be an array of fields and their direction
+	 * offset  will be an int, defaulting to zero if no other default supplied
+	 * limit   will be an int, defaulting to 50 if no other default supplied, and limited to the max if that was supplied
+	 *
+	 */
+
+	return (req, _res, next) => {
+		req.query.offset =
+			typeof req.query.limit === "undefined" ? default_offset || 0 : Number.parseInt(req.query.offset, 10);
+		req.query.limit =
+			typeof req.query.limit === "undefined" ? default_limit || 50 : Number.parseInt(req.query.limit, 10);
+
+		if (max_limit && req.query.limit > max_limit) {
+			req.query.limit = max_limit;
+		}
+
+		// Sorting
+		let sort = typeof req.query.sort === "undefined" ? default_sort : req.query.sort;
+		const myRegexp = /.*\.(asc|desc)$/gi;
+		const sort_array = [];
+
+		sort = sort.split(",");
+		_.map(sort, (val) => {
+			const matches = myRegexp.exec(val);
+
+			if (matches !== null) {
+				const dir = matches[1];
+				sort_array.push({
+					field: val.substr(0, val.length - (dir.length + 1)),
+					dir: dir.toLowerCase(),
+				});
+			} else {
+				sort_array.push({
+					field: val,
+					dir: "asc",
+				});
+			}
+		});
+
+		// Sort will now be in this format:
+		// [
+		//    { field: 'field1', dir: 'asc' },
+		//    { field: 'field2', dir: 'desc' }
+		// ]
+
+		req.query.sort = sort_array;
+		next();
+	};
+};

backend/lib/express/user-id-from-me.js

@@ -0,0 +1,8 @@
+export default (req, res, next) => {
+	if (req.params.user_id === 'me' && res.locals.access) {
+		req.params.user_id = res.locals.access.token.get('attrs').id;
+	} else {
+		req.params.user_id = Number.parseInt(req.params.user_id, 10);
+	}
+	next();
+};

backend/lib/helpers.js

@@ -0,0 +1,58 @@
+import moment from "moment";
+import { ref } from "objection";
+import { isPostgres } from "./config.js";
+
+/**
+ * Takes an expression such as 30d and returns a moment object of that date in future
+ *
+ * Key      Shorthand
+ * ==================
+ * years         y
+ * quarters      Q
+ * months        M
+ * weeks         w
+ * days          d
+ * hours         h
+ * minutes       m
+ * seconds       s
+ * milliseconds  ms
+ *
+ * @param {String}  expression
+ * @returns {Object}
+ */
+const parseDatePeriod = (expression) => {
+	const matches = expression.match(/^([0-9]+)(y|Q|M|w|d|h|m|s|ms)$/m);
+	if (matches) {
+		return moment().add(matches[1], matches[2]);
+	}
+
+	return null;
+};
+
+const convertIntFieldsToBool = (obj, fields) => {
+	fields.forEach((field) => {
+		if (typeof obj[field] !== "undefined") {
+			obj[field] = obj[field] === 1;
+		}
+	});
+	return obj;
+};
+
+const convertBoolFieldsToInt = (obj, fields) => {
+	fields.forEach((field) => {
+		if (typeof obj[field] !== "undefined") {
+			obj[field] = obj[field] ? 1 : 0;
+		}
+	});
+	return obj;
+};
+
+/**
+ * Casts a column to json if using postgres
+ *
+ * @param {string} colName
+ * @returns {string|Objection.ReferenceBuilder}
+ */
+const castJsonIfNeed = (colName) => (isPostgres() ? ref(colName).castText() : colName);
+
+export { parseDatePeriod, convertIntFieldsToBool, convertBoolFieldsToInt, castJsonIfNeed };

backend/lib/migrate_template.js

@@ -0,0 +1,59 @@
+import { migrate as logger } from "../logger.js";
+
+const migrateName = "identifier_for_migrate";
+
+/**
+ * Migrate
+ *
+ * @see http://knexjs.org/#Schema
+ *
+ * @param   {Object} knex
+ * @returns {Promise}
+ */
+const up = (_knex) => {
+	logger.info(`[${migrateName}] Migrating Up...`);
+
+	// Create Table example:
+
+	/*
+	return knex.schema.createTable('notification', (table) => {
+		 table.increments().primary();
+		 table.string('name').notNull();
+		 table.string('type').notNull();
+		 table.integer('created_on').notNull();
+		 table.integer('modified_on').notNull();
+	 })
+		.then(function () {
+			logger.info('[' + migrateName + '] Notification Table created');
+		});
+	 */
+
+	logger.info(`[${migrateName}] Migrating Up Complete`);
+
+	return Promise.resolve(true);
+};
+
+/**
+ * Undo Migrate
+ *
+ * @param   {Object} knex
+ * @returns {Promise}
+ */
+const down = (_knex) => {
+	logger.info(`[${migrateName}] Migrating Down...`);
+
+	// Drop table example:
+
+	/*
+	return knex.schema.dropTable('notification')
+		.then(() => {
+			logger.info(`[${migrateName}] Notification Table dropped`);
+		});
+	*/
+
+	logger.info(`[${migrateName}] Migrating Down Complete`);
+
+	return Promise.resolve(true);
+};
+
+export { up, down };

backend/lib/utils.js

@@ -0,0 +1,110 @@
+import { exec as nodeExec, execFile as nodeExecFile } from "node:child_process";
+import { dirname } from "node:path";
+import { fileURLToPath } from "node:url";
+import { Liquid } from "liquidjs";
+import _ from "lodash";
+import { debug, global as logger } from "../logger.js";
+import errs from "./error.js";
+
+const __filename = fileURLToPath(import.meta.url);
+const __dirname = dirname(__filename);
+
+const exec = async (cmd, options = {}) => {
+	debug(logger, "CMD:", cmd);
+	const { stdout, stderr } = await new Promise((resolve, reject) => {
+		const child = nodeExec(cmd, options, (isError, stdout, stderr) => {
+			if (isError) {
+				reject(new errs.CommandError(stderr, isError));
+			} else {
+				resolve({ stdout, stderr });
+			}
+		});
+
+		child.on("error", (e) => {
+			reject(new errs.CommandError(stderr, 1, e));
+		});
+	});
+	return stdout;
+};
+
+/**
+ * @param   {String} cmd
+ * @param   {Array}  args
+ * @param   {Object|undefined}  options
+ * @returns {Promise}
+ */
+const execFile = (cmd, args, options) => {
+	debug(logger, `CMD: ${cmd} ${args ? args.join(" ") : ""}`);
+	const opts = options || {};
+
+	return new Promise((resolve, reject) => {
+		nodeExecFile(cmd, args, opts, (err, stdout, stderr) => {
+			if (err && typeof err === "object") {
+				reject(new errs.CommandError(stderr, 1, err));
+			} else {
+				resolve(stdout.trim());
+			}
+		});
+	});
+};
+
+/**
+ * Used in objection query builder
+ *
+ * @param   {Array}  omissions
+ * @returns {Function}
+ */
+const omitRow = (omissions) => {
+	/**
+	 * @param   {Object} row
+	 * @returns {Object}
+	 */
+	return (row) => {
+		return _.omit(row, omissions);
+	};
+};
+
+/**
+ * Used in objection query builder
+ *
+ * @param   {Array}  omissions
+ * @returns {Function}
+ */
+const omitRows = (omissions) => {
+	/**
+	 * @param   {Array} rows
+	 * @returns {Object}
+	 */
+	return (rows) => {
+		rows.forEach((row, idx) => {
+			rows[idx] = _.omit(row, omissions);
+		});
+		return rows;
+	};
+};
+
+/**
+ * @returns {Object} Liquid render engine
+ */
+const getRenderEngine = () => {
+	const renderEngine = new Liquid({
+		root: `${__dirname}/../templates/`,
+	});
+
+	/**
+	 * nginxAccessRule expects the object given to have 2 properties:
+	 *
+	 * directive  string
+	 * address    string
+	 */
+	renderEngine.registerFilter("nginxAccessRule", (v) => {
+		if (typeof v.directive !== "undefined" && typeof v.address !== "undefined" && v.directive && v.address) {
+			return `${v.directive} ${v.address};`;
+		}
+		return "";
+	});
+
+	return renderEngine;
+};
+
+export default { exec, execFile, omitRow, omitRows, getRenderEngine };

backend/lib/validator/api.js

@@ -0,0 +1,45 @@
+import Ajv from "ajv/dist/2020.js";
+import errs from "../error.js";
+
+const ajv = new Ajv({
+	verbose: true,
+	allErrors: true,
+	allowUnionTypes: true,
+	strict: false,
+	coerceTypes: true,
+});
+
+/**
+ * @param {Object} schema
+ * @param {Object} payload
+ * @returns {Promise}
+ */
+const apiValidator = async (schema, payload /*, description*/) => {
+	if (!schema) {
+		throw new errs.ValidationError("Schema is undefined");
+	}
+
+	// Can't use falsy check here as valid payload could be `0` or `false`
+	if (typeof payload === "undefined") {
+		throw new errs.ValidationError("Payload is undefined");
+	}
+
+
+	const validate = ajv.compile(schema);
+
+	const valid = validate(payload);
+
+
+	if (valid && !validate.errors) {
+		return payload;
+	}
+
+
+
+	const message = ajv.errorsText(validate.errors);
+	const err = new errs.ValidationError(message);
+	err.debug = {validationErrors: validate.errors, payload};
+	throw err;
+};
+
+export default apiValidator;

backend/lib/validator/index.js

@@ -0,0 +1,45 @@
+import Ajv from 'ajv/dist/2020.js';
+import _ from "lodash";
+import commonDefinitions from "../../schema/common.json" with { type: "json" };
+import errs from "../error.js";
+
+RegExp.prototype.toJSON = RegExp.prototype.toString;
+
+const ajv = new Ajv({
+	verbose: true,
+	allErrors: true,
+	allowUnionTypes: true,
+	coerceTypes: true,
+	strict: false,
+	schemas: [commonDefinitions],
+});
+
+/**
+ *
+ * @param   {Object} schema
+ * @param   {Object} payload
+ * @returns {Promise}
+ */
+const validator = (schema, payload) => {
+	return new Promise((resolve, reject) => {
+		if (!payload) {
+			reject(new errs.InternalValidationError("Payload is falsy"));
+		} else {
+			try {
+				const validate = ajv.compile(schema);
+				const valid = validate(payload);
+
+				if (valid && !validate.errors) {
+					resolve(_.cloneDeep(payload));
+				} else {
+					const message = ajv.errorsText(validate.errors);
+					reject(new errs.InternalValidationError(message));
+				}
+			} catch (err) {
+				reject(err);
+			}
+		}
+	});
+};
+
+export default validator;

backend/logger.js

@@ -0,0 +1,26 @@
+import signale from "signale";
+import { isDebugMode } from "./lib/config.js";
+
+const opts = {
+	logLevel: "info",
+};
+
+const global = new signale.Signale({ scope: "Global   ", ...opts });
+const migrate = new signale.Signale({ scope: "Migrate  ", ...opts });
+const express = new signale.Signale({ scope: "Express  ", ...opts });
+const access = new signale.Signale({ scope: "Access   ", ...opts });
+const nginx = new signale.Signale({ scope: "Nginx    ", ...opts });
+const ssl = new signale.Signale({ scope: "SSL      ", ...opts });
+const certbot = new signale.Signale({ scope: "Certbot  ", ...opts });
+const importer = new signale.Signale({ scope: "Importer ", ...opts });
+const setup = new signale.Signale({ scope: "Setup    ", ...opts });
+const ipRanges = new signale.Signale({ scope: "IP Ranges", ...opts });
+const remoteVersion = new signale.Signale({ scope: "Remote Version", ...opts });
+
+const debug = (logger, ...args) => {
+	if (isDebugMode()) {
+		logger.debug(...args);
+	}
+};
+
+export { debug, global, migrate, express, access, nginx, ssl, certbot, importer, setup, ipRanges, remoteVersion };