Persian Locale

Merge pull request #4785 from NginxProxyManager/react
v2.13.0 React UI
2025-11-02 16:53:34 +00:00 · 2025-11-02 22:52:43 +10:00 · 2025-11-02 22:48:16 +10:00 · 2025-11-02 21:28:25 +10:00 · 2025-10-31 12:50:54 +10:00 · 2025-10-30 15:03:01 +10:00
787 changed files with 39126 additions and 43343 deletions
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@@ -0,0 +1,21 @@
+name: 'Close stale issues and PRs'
+on:
+  schedule:
+    - cron: '30 1 * * *'
+  workflow_dispatch:
+
+jobs:
+  stale:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/stale@v9
+        with:
+          stale-issue-label: 'stale'
+          stale-pr-label: 'stale'
+          stale-issue-message: 'Issue is now considered stale. If you want to keep it open, please comment :+1:'
+          stale-pr-message: 'PR is now considered stale. If you want to keep it open, please comment :+1:'
+          close-issue-message: 'Issue was closed due to inactivity.'
+          close-pr-message: 'PR was closed due to inactivity.'
+          days-before-stale: 182
+          days-before-close: 365
+          operations-per-run: 50
--- a/.gitignore
+++ b/.gitignore
@@ -1,5 +1,10 @@
 .DS_Store
 .idea
+.qodo
 ._*
 .vscode
 certbot-help.txt
+test/node_modules
+*/node_modules
+docker/dev/dnsrouter-config.json.tmp
+docker/dev/resolv.conf
--- a/.version
+++ b/.version
@@ -1 +1 @@
-2.9.12
+2.13.0
--- a/333
+++ b/333
@@ -1,3 +1,9 @@
+import groovy.transform.Field
+
+@Field
+def shOutput = ""
+def buildxPushTags = ""
+
 pipeline {
 	agent {
 		label 'docker-multiarch'
@@ -8,14 +14,12 @@ pipeline {
 		ansiColor('xterm')
 	}
 	environment {
-		IMAGE                      = "nginx-proxy-manager"
+		IMAGE                      = 'nginx-proxy-manager'
 		BUILD_VERSION              = getVersion()
-		MAJOR_VERSION              = "2"
-		BRANCH_LOWER               = "${BRANCH_NAME.toLowerCase().replaceAll('/', '-')}"
-		COMPOSE_PROJECT_NAME       = "npm_${BRANCH_LOWER}_${BUILD_NUMBER}"
-		COMPOSE_FILE               = 'docker/docker-compose.ci.yml'
+		MAJOR_VERSION              = '2'
+		BRANCH_LOWER               = "${BRANCH_NAME.toLowerCase().replaceAll('\\\\', '-').replaceAll('/', '-').replaceAll('\\.', '-')}"
+		BUILDX_NAME                = "npm_${BRANCH_LOWER}_${BUILD_NUMBER}"
 		COMPOSE_INTERACTIVE_NO_CLI = 1
-		BUILDX_NAME                = "${COMPOSE_PROJECT_NAME}"
 	}
 	stages {
 		stage('Environment') {
@@ -26,7 +30,7 @@ pipeline {
 					}
 					steps {
 						script {
-							env.BUILDX_PUSH_TAGS = "-t docker.io/jc21/${IMAGE}:${BUILD_VERSION} -t docker.io/jc21/${IMAGE}:${MAJOR_VERSION} -t docker.io/jc21/${IMAGE}:latest"
+							buildxPushTags = "-t docker.io/jc21/${IMAGE}:${BUILD_VERSION} -t docker.io/jc21/${IMAGE}:${MAJOR_VERSION} -t docker.io/jc21/${IMAGE}:latest"
 						}
 					}
 				}
@@ -39,7 +43,7 @@ pipeline {
 					steps {
 						script {
 							// Defaults to the Branch name, which is applies to all branches AND pr's
-							env.BUILDX_PUSH_TAGS = "-t docker.io/jc21/${IMAGE}:github-${BRANCH_LOWER}"
+							buildxPushTags = "-t docker.io/nginxproxymanager/${IMAGE}-dev:${BRANCH_LOWER}"
 						}
 					}
 				}
@@ -52,107 +56,153 @@ pipeline {
 						sh 'sed -i -E "s/(version-)[0-9]+\\.[0-9]+\\.[0-9]+(-green)/\\1${BUILD_VERSION}\\2/" README.md'
 					}
 				}
-			}
-		}
-		stage('Frontend') {
-			steps {
-				sh './scripts/frontend-build'
-			}
-		}
-		stage('Backend') {
-			steps {
-				echo 'Checking Syntax ...'
-				// See: https://github.com/yarnpkg/yarn/issues/3254
-				sh '''docker run --rm \\
-					-v "$(pwd)/backend:/app" \\
-					-v "$(pwd)/global:/app/global" \\
-					-w /app \\
-					node:latest \\
-					sh -c "yarn install && yarn eslint . && rm -rf node_modules"
-				'''
-
-				echo 'Docker Build ...'
-				sh '''docker build --pull --no-cache --squash --compress \\
-					-t "${IMAGE}:ci-${BUILD_NUMBER}" \\
-					-f docker/Dockerfile \\
-					--build-arg TARGETPLATFORM=linux/amd64 \\
-					--build-arg BUILDPLATFORM=linux/amd64 \\
-					--build-arg BUILD_VERSION="${BUILD_VERSION}" \\
-					--build-arg BUILD_COMMIT="${BUILD_COMMIT}" \\
-					--build-arg BUILD_DATE="$(date '+%Y-%m-%d %T %Z')" \\
-					.
-				'''
-			}
-		}
-		stage('Integration Tests Sqlite') {
-			steps {
-				// Bring up a stack
-				sh 'docker-compose up -d fullstack-sqlite'
-				sh './scripts/wait-healthy $(docker-compose ps -q fullstack-sqlite) 120'
-
-				// Run tests
-				sh 'rm -rf test/results'
-				sh 'docker-compose up cypress-sqlite'
-				// Get results
-				sh 'docker cp -L "$(docker-compose ps -q cypress-sqlite):/test/results" test/'
-			}
-			post {
-				always {
-					// Dumps to analyze later
-					sh 'mkdir -p debug'
-					sh 'docker-compose logs fullstack-sqlite | gzip > debug/docker_fullstack_sqlite.log.gz'
-					sh 'docker-compose logs db | gzip > debug/docker_db.log.gz'
-					// Cypress videos and screenshot artifacts
-					dir(path: 'test/results') {
-						archiveArtifacts allowEmptyArchive: true, artifacts: '**/*', excludes: '**/*.xml'
+				stage('Docker Login') {
+					steps {
+						withCredentials([usernamePassword(credentialsId: 'jc21-dockerhub', passwordVariable: 'dpass', usernameVariable: 'duser')]) {
+							sh 'docker login -u "${duser}" -p "${dpass}"'
+						}
 					}
-					junit 'test/results/junit/*'
 				}
 			}
 		}
-		stage('Integration Tests Mysql') {
-			steps {
-				// Bring up a stack
-				sh 'docker-compose up -d fullstack-mysql'
-				sh './scripts/wait-healthy $(docker-compose ps -q fullstack-mysql) 120'
-
-				// Run tests
-				sh 'rm -rf test/results'
-				sh 'docker-compose up cypress-mysql'
-				// Get results
-				sh 'docker cp -L "$(docker-compose ps -q cypress-mysql):/test/results" test/'
-			}
-			post {
-				always {
-					// Dumps to analyze later
-					sh 'mkdir -p debug'
-					sh 'docker-compose logs fullstack-mysql | gzip > debug/docker_fullstack_mysql.log.gz'
-					sh 'docker-compose logs db | gzip > debug/docker_db.log.gz'
-					// Cypress videos and screenshot artifacts
-					dir(path: 'test/results') {
-						archiveArtifacts allowEmptyArchive: true, artifacts: '**/*', excludes: '**/*.xml'
+		stage('Builds') {
+			parallel {
+				stage('Project') {
+					steps {
+						script {
+							// Frontend and Backend
+							def shStatusCode = sh(label: 'Checking and Building', returnStatus: true, script: '''
+								set -e
+								./scripts/ci/frontend-build > ${WORKSPACE}/tmp-sh-build 2>&1
+								./scripts/ci/test-and-build > ${WORKSPACE}/tmp-sh-build 2>&1
+							''')
+							shOutput = readFile "${env.WORKSPACE}/tmp-sh-build"
+							if (shStatusCode != 0) {
+								error "${shOutput}"
+							}
+						}
+					}
+					post {
+						always {
+							sh 'rm -f ${WORKSPACE}/tmp-sh-build'
+						}
+						failure {
+							npmGithubPrComment("CI Error:\n\n```\n${shOutput}\n```", true)
+						}
+					}
+				}
+				stage('Docs') {
+					steps {
+						dir(path: 'docs') {
+							sh 'yarn install'
+							sh 'yarn build'
+						}
 					}
-					junit 'test/results/junit/*'
 				}
 			}
 		}
-		stage('Docs') {
+		stage('Test Sqlite') {
+			environment {
+				COMPOSE_PROJECT_NAME = "npm_${BRANCH_LOWER}_${BUILD_NUMBER}_sqlite"
+				COMPOSE_FILE         = 'docker/docker-compose.ci.yml:docker/docker-compose.ci.sqlite.yml'
+			}
 			when {
 				not {
 					equals expected: 'UNSTABLE', actual: currentBuild.result
 				}
 			}
 			steps {
-				dir(path: 'docs') {
-					sh 'yarn install'
-					sh 'yarn build'
+				sh 'rm -rf ./test/results/junit/*'
+				sh './scripts/ci/fulltest-cypress'
+			}
+			post {
+				always {
+					// Dumps to analyze later
+					sh 'mkdir -p debug/sqlite'
+					sh 'docker logs $(docker compose ps --all -q fullstack) > debug/sqlite/docker_fullstack.log 2>&1'
+					sh 'docker logs $(docker compose ps --all -q stepca) > debug/sqlite/docker_stepca.log 2>&1'
+					sh 'docker logs $(docker compose ps --all -q pdns) > debug/sqlite/docker_pdns.log 2>&1'
+					sh 'docker logs $(docker compose ps --all -q pdns-db) > debug/sqlite/docker_pdns-db.log 2>&1'
+					sh 'docker logs $(docker compose ps --all -q dnsrouter) > debug/sqlite/docker_dnsrouter.log 2>&1'
+					junit 'test/results/junit/*'
+					sh 'docker compose down --remove-orphans --volumes -t 30 || true'
 				}
-
-				dir(path: 'docs/.vuepress/dist') {
-					sh 'tar -czf ../../docs.tgz *'
+				unstable {
+					dir(path: 'test/results') {
+						archiveArtifacts(allowEmptyArchive: true, artifacts: '**/*', excludes: '**/*.xml')
+					}
 				}
+			}
+		}
+		stage('Test Mysql') {
+			environment {
+				COMPOSE_PROJECT_NAME = "npm_${BRANCH_LOWER}_${BUILD_NUMBER}_mysql"
+				COMPOSE_FILE         = 'docker/docker-compose.ci.yml:docker/docker-compose.ci.mysql.yml'
+			}
+			when {
+				not {
+					equals expected: 'UNSTABLE', actual: currentBuild.result
+				}
+			}
+			steps {
+				sh 'rm -rf ./test/results/junit/*'
+				sh './scripts/ci/fulltest-cypress'
+			}
+			post {
+				always {
+					// Dumps to analyze later
+					sh 'mkdir -p debug/mysql'
+					sh 'docker logs $(docker compose ps --all -q fullstack) > debug/mysql/docker_fullstack.log 2>&1'
+					sh 'docker logs $(docker compose ps --all -q stepca) > debug/mysql/docker_stepca.log 2>&1'
+					sh 'docker logs $(docker compose ps --all -q pdns) > debug/mysql/docker_pdns.log 2>&1'
+					sh 'docker logs $(docker compose ps --all -q pdns-db) > debug/mysql/docker_pdns-db.log 2>&1'
+					sh 'docker logs $(docker compose ps --all -q dnsrouter) > debug/mysql/docker_dnsrouter.log 2>&1'
+					junit 'test/results/junit/*'
+					sh 'docker compose down --remove-orphans --volumes -t 30 || true'
+				}
+				unstable {
+					dir(path: 'test/results') {
+						archiveArtifacts(allowEmptyArchive: true, artifacts: '**/*', excludes: '**/*.xml')
+					}
+				}
+			}
+		}
+		stage('Test Postgres') {
+			environment {
+				COMPOSE_PROJECT_NAME = "npm_${BRANCH_LOWER}_${BUILD_NUMBER}_postgres"
+				COMPOSE_FILE         = 'docker/docker-compose.ci.yml:docker/docker-compose.ci.postgres.yml'
+			}
+			when {
+				not {
+					equals expected: 'UNSTABLE', actual: currentBuild.result
+				}
+			}
+			steps {
+				sh 'rm -rf ./test/results/junit/*'
+				sh './scripts/ci/fulltest-cypress'
+			}
+			post {
+				always {
+					// Dumps to analyze later
+					sh 'mkdir -p debug/postgres'
+					sh 'docker logs $(docker compose ps --all -q fullstack) > debug/postgres/docker_fullstack.log 2>&1'
+					sh 'docker logs $(docker compose ps --all -q stepca) > debug/postgres/docker_stepca.log 2>&1'
+					sh 'docker logs $(docker compose ps --all -q pdns) > debug/postgres/docker_pdns.log 2>&1'
+					sh 'docker logs $(docker compose ps --all -q pdns-db) > debug/postgres/docker_pdns-db.log 2>&1'
+					sh 'docker logs $(docker compose ps --all -q dnsrouter) > debug/postgres/docker_dnsrouter.log 2>&1'
+					sh 'docker logs $(docker compose ps --all -q db-postgres) > debug/postgres/docker_db-postgres.log 2>&1'
+					sh 'docker logs $(docker compose ps --all -q authentik) > debug/postgres/docker_authentik.log 2>&1'
+					sh 'docker logs $(docker compose ps --all -q authentik-redis) > debug/postgres/docker_authentik-redis.log 2>&1'
+					sh 'docker logs $(docke rcompose ps --all -q authentik-ldap) > debug/postgres/docker_authentik-ldap.log 2>&1'

-				archiveArtifacts(artifacts: 'docs/docs.tgz', allowEmptyArchive: false)
+					junit 'test/results/junit/*'
+					sh 'docker compose down --remove-orphans --volumes -t 30 || true'
+				}
+				unstable {
+					dir(path: 'test/results') {
+						archiveArtifacts(allowEmptyArchive: true, artifacts: '**/*', excludes: '**/*.xml')
+					}
+				}
 			}
 		}
 		stage('MultiArch Build') {
@@ -162,81 +212,64 @@ pipeline {
 				}
 			}
 			steps {
-				withCredentials([usernamePassword(credentialsId: 'jc21-dockerhub', passwordVariable: 'dpass', usernameVariable: 'duser')]) {
-					// Docker Login
-					sh "docker login -u '${duser}' -p '${dpass}'"
-					// Buildx with push from cache
-					sh "./scripts/buildx --push ${BUILDX_PUSH_TAGS}"
-				}
+				sh "./scripts/buildx --push ${buildxPushTags}"
 			}
 		}
-		stage('Docs Deploy') {
-			when {
-				allOf {
-					branch 'master'
-					not {
-						equals expected: 'UNSTABLE', actual: currentBuild.result
+		stage('Docs / Comment') {
+			parallel {
+				stage('Docs Job') {
+					when {
+						allOf {
+							branch pattern: "^(develop|master)\$", comparator: "REGEXP"
+							not {
+								equals expected: 'UNSTABLE', actual: currentBuild.result
+							}
+						}
+					}
+					steps {
+						build wait: false, job: 'nginx-proxy-manager-docs', parameters: [string(name: 'docs_branch', value: "$BRANCH_NAME")]
 					}
 				}
-			}
-			steps {
-				withCredentials([[$class: 'AmazonWebServicesCredentialsBinding', accessKeyVariable: 'AWS_ACCESS_KEY_ID', credentialsId: 'npm-s3-docs', secretKeyVariable: 'AWS_SECRET_ACCESS_KEY']]) {
-					sh """docker run --rm \\
-						--name \${COMPOSE_PROJECT_NAME}-docs-upload \\
-						-e S3_BUCKET=jc21-npm-site \\
-						-e AWS_ACCESS_KEY_ID=$AWS_ACCESS_KEY_ID \\
-						-e AWS_SECRET_ACCESS_KEY=$AWS_SECRET_ACCESS_KEY \\
-						-v \$(pwd):/app \\
-						-w /app \\
-						jc21/ci-tools \\
-						scripts/docs-upload /app/docs/.vuepress/dist/
-					"""
+				stage('PR Comment') {
+					when {
+						allOf {
+							changeRequest()
+							not {
+								equals expected: 'UNSTABLE', actual: currentBuild.result
+							}
+						}
+					}
+					steps {
+						script {
+							npmGithubPrComment("""Docker Image for build ${BUILD_NUMBER} is available on [DockerHub](https://cloud.docker.com/repository/docker/nginxproxymanager/${IMAGE}-dev):
+```
+nginxproxymanager/${IMAGE}-dev:${BRANCH_LOWER}
+```

-					sh """docker run --rm \\
-						--name \${COMPOSE_PROJECT_NAME}-docs-invalidate \\
-						-e AWS_ACCESS_KEY_ID=$AWS_ACCESS_KEY_ID \\
-						-e AWS_SECRET_ACCESS_KEY=$AWS_SECRET_ACCESS_KEY \\
-						jc21/ci-tools \\
-						aws cloudfront create-invalidation --distribution-id EN1G6DEWZUTDT --paths '/*'
-					"""
-				}
-			}
-		}
-		stage('PR Comment') {
-			when {
-				allOf {
-					changeRequest()
-					not {
-						equals expected: 'UNSTABLE', actual: currentBuild.result
+> [!NOTE]
+> Ensure you backup your NPM instance before testing this image! Especially if there are database changes.
+> This is a different docker image namespace than the official image.
+
+> [!WARNING]
+> Changes and additions to DNS Providers require verification by at least 2 members of the community!
+""", true)
+						}
 					}
 				}
 			}
-			steps {
-				script {
-					def comment = pullRequest.comment("This is an automated message from CI:\n\nDocker Image for build ${BUILD_NUMBER} is available on [DockerHub](https://cloud.docker.com/repository/docker/jc21/${IMAGE}) as `jc21/${IMAGE}:github-${BRANCH_LOWER}`\n\n**Note:** ensure you backup your NPM instance before testing this PR image! Especially if this PR contains database changes.")
-				}
-			}
 		}
 	}
 	post {
 		always {
-			sh 'docker-compose down --rmi all --remove-orphans --volumes -t 30'
 			sh 'echo Reverting ownership'
-			sh 'docker run --rm -v $(pwd):/data jc21/ci-tools chown -R $(id -u):$(id -g) /data'
-		}
-		success {
-			juxtapose event: 'success'
-			sh 'figlet "SUCCESS"'
+			sh 'docker run --rm -v "$(pwd):/data" jc21/ci-tools chown -R "$(id -u):$(id -g)" /data'
+			printResult(true)
 		}
 		failure {
-			archiveArtifacts(artifacts: 'debug/**.*', allowEmptyArchive: true)
-			juxtapose event: 'failure'
-			sh 'figlet "FAILURE"'
+			archiveArtifacts(artifacts: 'debug/**/*.*', allowEmptyArchive: true)
 		}
 		unstable {
-			archiveArtifacts(artifacts: 'debug/**.*', allowEmptyArchive: true)
-			juxtapose event: 'unstable'
-			sh 'figlet "UNSTABLE"'
+			archiveArtifacts(artifacts: 'debug/**/*.*', allowEmptyArchive: true)
 		}
 	}
 }
--- a/README.md
+++ b/README.md
@@ -1,22 +1,13 @@
 <p align="center">
 	<img src="https://nginxproxymanager.com/github.png">
 	<br><br>
-	<img src="https://img.shields.io/badge/version-2.9.12-green.svg?style=for-the-badge">
+	<img src="https://img.shields.io/badge/version-2.13.0-green.svg?style=for-the-badge">
 	<a href="https://hub.docker.com/repository/docker/jc21/nginx-proxy-manager">
 		<img src="https://img.shields.io/docker/stars/jc21/nginx-proxy-manager.svg?style=for-the-badge">
 	</a>
 	<a href="https://hub.docker.com/repository/docker/jc21/nginx-proxy-manager">
 		<img src="https://img.shields.io/docker/pulls/jc21/nginx-proxy-manager.svg?style=for-the-badge">
 	</a>
-	<a href="https://ci.nginxproxymanager.com/blue/organizations/jenkins/nginx-proxy-manager/branches/">
-		<img src="https://img.shields.io/jenkins/build?jobUrl=https%3A%2F%2Fci.nginxproxymanager.com%2Fjob%2Fnginx-proxy-manager%2Fjob%2Fmaster&style=for-the-badge">
-	</a>
-	<a href="https://gitter.im/nginx-proxy-manager/community">
-		<img alt="Gitter" src="https://img.shields.io/gitter/room/nginx-proxy-manager/community?style=for-the-badge">
-	</a>
-	<a href="https://reddit.com/r/nginxproxymanager">
-		<img alt="Reddit" src="https://img.shields.io/reddit/subreddit-subscribers/nginxproxymanager?label=Reddit%20Community&style=for-the-badge">
-	</a>
 </p>

 This project comes as a pre-built docker image that enables you to easily forward to your websites
@@ -28,7 +19,7 @@ running at home or otherwise, including free SSL, without having to know too muc

 ## Project Goal

-I created this project to fill a personal need to provide users with a easy way to accomplish reverse
+I created this project to fill a personal need to provide users with an easy way to accomplish reverse
 proxying hosts with SSL termination and it had to be so easy that a monkey could do it. This goal hasn't changed.
 While there might be advanced options they are optional and the project should be as simple as possible
 so that the barrier for entry here is low.
@@ -65,10 +56,9 @@ I won't go in to too much detail here but here are the basics for someone new to
 2. Create a docker-compose.yml file similar to this:

 ```yml
-version: '3'
 services:
  app:
-    image: 'jc21/nginx-proxy-manager:latest'
+    image: 'docker.io/jc21/nginx-proxy-manager:latest'
    restart: unless-stopped
    ports:
      - '80:80'
@@ -79,10 +69,12 @@ services:
      - ./letsencrypt:/etc/letsencrypt
 ```

+This is the bare minimum configuration required. See the [documentation](https://nginxproxymanager.com/setup/) for more.
+
 3. Bring up your stack by running

 ```bash
-docker-compose up -d
+docker compose up -d
 ```

 4. Log in to the Admin UI
@@ -92,406 +84,25 @@ Sometimes this can take a little bit because of the entropy of keys.

 [http://127.0.0.1:81](http://127.0.0.1:81)

-Default Admin User:
-```
-Email:    admin@example.com
-Password: changeme
-```

-Immediately after logging in with this default user you will be asked to modify your details and change your password.
+## Contributing
+
+All are welcome to create pull requests for this project, against the `develop` branch. Official releases are created from the `master` branch.
+
+CI is used in this project. All PR's must pass before being considered. After passing,
+docker builds for PR's are available on dockerhub for manual verifications.
+
+Documentation within the `develop` branch is available for preview at
+[https://develop.nginxproxymanager.com](https://develop.nginxproxymanager.com)


-## Contributors
+### Contributors

-Special thanks to the following contributors:
+Special thanks to [all of our contributors](https://github.com/NginxProxyManager/nginx-proxy-manager/graphs/contributors).

-<!-- prettier-ignore-start -->
-<!-- markdownlint-disable -->
-<table>
-	<tr>
-		<td align="center">
-			<a href="https://github.com/Subv">
-				<img src="https://avatars1.githubusercontent.com/u/357072?s=460&u=d8adcdc91d749ae53e177973ed9b6bb6c4c894a3&v=4" width="80" alt=""/>
-				<br /><sub><b>Sebastian Valle</b></sub>
-			</a>
-		</td>
-		<td align="center">
-			<a href="https://github.com/Indemnity83">
-				<img src="https://avatars3.githubusercontent.com/u/35218?s=460&u=7082004ff35138157c868d7d9c683ccebfce5968&v=4" width="80" alt=""/>
-				<br /><sub><b>Kyle Klaus</b></sub>
-			</a>
-		</td>
-		<td align="center">
-			<a href="https://github.com/theraw">
-				<img src="https://avatars1.githubusercontent.com/u/32969774?s=460&u=6b359971e15685fb0359e6a8c065a399b40dc228&v=4" width="80" alt=""/>
-				<br /><sub><b>ƬHE ЯAW</b></sub>
-			</a>
-		</td>
-		<td align="center">
-			<a href="https://github.com/spalger">
-				<img src="https://avatars2.githubusercontent.com/u/1329312?s=400&u=565223e38f1c052afb4c5dcca3fcf1c63ba17ae7&v=4" width="80" alt=""/>
-				<br /><sub><b>Spencer</b></sub>
-			</a>
-		</td>
-		<td align="center">
-			<a href="https://github.com/Xantios">
-				<img src="https://avatars3.githubusercontent.com/u/1507836?s=460&v=4" width="80" alt=""/>
-				<br /><sub><b>Xantios Krugor</b></sub>
-			</a>
-		</td>
-		<td align="center">
-			<a href="https://github.com/dpanesso">
-				<img src="https://avatars2.githubusercontent.com/u/2687121?s=460&v=4" width="80" alt=""/>
-				<br /><sub><b>David Panesso</b></sub>
-			</a>
-		</td>
-		<td align="center">
-			<a href="https://github.com/IronTooch">
-				<img src="https://avatars3.githubusercontent.com/u/27360514?s=460&u=69bf854a6647c55725f62ecb8d39249c6c0b2602&v=4" width="80" alt=""/>
-				<br /><sub><b>IronTooch</b></sub>
-			</a>
-		</td>
-	</tr>
-	<tr>
-		<td align="center">
-			<a href="https://github.com/damianog">
-				<img src="https://avatars1.githubusercontent.com/u/2786682?s=460&u=76c6136fae797abb76b951cd8a246dcaecaf21af&v=4" width="80" alt=""/>
-				<br /><sub><b>Damiano</b></sub>
-			</a>
-		</td>
-		<td align="center">
-			<a href="https://github.com/tfmm">
-				<img src="https://avatars3.githubusercontent.com/u/6880538?s=460&u=ce0160821cc4aa802df8395200f2d4956a5bc541&v=4" width="80" alt=""/>
-				<br /><sub><b>Russ</b></sub>
-			</a>
-		</td>
-		<td align="center">
-			<a href="https://github.com/margaale">
-				<img src="https://avatars3.githubusercontent.com/u/20794934?s=460&v=4" width="80" alt=""/>
-				<br /><sub><b>Marcelo Castagna</b></sub>
-			</a>
-		</td>
-		<td align="center">
-			<a href="https://github.com/Steven-Harris">
-				<img src="https://avatars2.githubusercontent.com/u/7720242?s=460&v=4" width="80" alt=""/>
-				<br /><sub><b>Steven Harris</b></sub>
-			</a>
-		</td>
-		<td align="center">
-			<a href="https://github.com/jlesage">
-				<img src="https://avatars0.githubusercontent.com/u/1791123?s=460&v=4" width="80" alt=""/>
-				<br /><sub><b>Jocelyn Le Sage</b></sub>
-			</a>
-		</td>
-		<td align="center">
-			<a href="https://github.com/cmer">
-				<img src="https://avatars0.githubusercontent.com/u/412?s=460&u=67dd8b2e3661bfd6f68ec1eaa5b9821bd8a321cd&v=4" width="80" alt=""/>
-				<br /><sub><b>Carl Mercier</b></sub>
-			</a>
-		</td>
-		<td align="center">
-			<a href="https://github.com/the1ts">
-				<img src="https://avatars1.githubusercontent.com/u/84956?s=460&v=4" width="80" alt=""/>
-				<br /><sub><b>Paul Mansfield</b></sub>
-			</a>
-		</td>
-	</tr>
-	<tr>
-		<td align="center">
-			<a href="https://github.com/OhHeyAlan">
-				<img src="https://avatars0.githubusercontent.com/u/11955126?s=460&u=fbaa5a1a4f73ef8960132c703349bfd037fe2630&v=4" width="80" alt=""/>
-				<br /><sub><b>OhHeyAlan</b></sub>
-			</a>
-		</td>
-		<td align="center">
-			<a href="https://github.com/dogmatic69">
-				<img src="https://avatars2.githubusercontent.com/u/94674?s=460&u=ca7647de53145c6283b6373ade5dc94ba99347db&v=4" width="80" alt=""/>
-				<br /><sub><b>Carl Sutton</b></sub>
-			</a>
-		</td>
-		<td align="center">
-			<a href="https://github.com/tg44">
-				<img src="https://avatars0.githubusercontent.com/u/31839?s=460&u=ad32f4cadfef5e5fb09cdfa4b7b7b36a99ba6811&v=4" width="80" alt=""/>
-				<br /><sub><b>Gergő Törcsvári</b></sub>
-			</a>
-		</td>
-		<td align="center">
-			<a href="https://github.com/vrenjith">
-				<img src="https://avatars3.githubusercontent.com/u/2093241?s=460&u=96ce93a9bebabdd0a60a2dc96cd093a41d5edaba&v=4" width="80" alt=""/>
-				<br /><sub><b>vrenjith</b></sub>
-			</a>
-		</td>
-		<td align="center">
-			<a href="https://github.com/duhruh">
-				<img src="https://avatars2.githubusercontent.com/u/1133969?s=460&u=c0691e6131ec6d516416c1c6fcedb5034f877bbe&v=4" width="80" alt=""/>
-				<br /><sub><b>David Rivera</b></sub>
-			</a>
-		</td>
-		<td align="center">
-			<a href="https://github.com/jipjan">
-				<img src="https://avatars2.githubusercontent.com/u/1384618?s=460&v=4" width="80" alt=""/>
-				<br /><sub><b>Jaap-Jan de Wit</b></sub>
-			</a>
-		</td>
-		<td align="center">
-			<a href="https://github.com/jmwebslave">
-				<img src="https://avatars2.githubusercontent.com/u/6118262?s=460&u=7db409c47135b1e141c366bbb03ed9fae6ac2638&v=4" width="80" alt=""/>
-				<br /><sub><b>James Morgan</b></sub>
-			</a>
-		</td>
-	</tr>
-	<tr>
-		<td align="center">
-			<a href="https://github.com/chaptergy">
-				<img src="https://avatars2.githubusercontent.com/u/26956711?s=460&u=7d9adebabb6b4e7af7cb05d98d751087a372304b&v=4" width="80" alt=""/>
-				<br /><sub><b>chaptergy</b></sub>
-			</a>
-		</td>
-		<td align="center">
-			<a href="https://github.com/Philip-Mooney">
-				<img src="https://avatars0.githubusercontent.com/u/48624631?s=460&v=4" width="80" alt=""/>
-				<br /><sub><b>Philip Mooney</b></sub>
-			</a>
-		</td>
-		<td align="center">
-			<a href="https://github.com/WaterCalm">
-				<img src="https://avatars1.githubusercontent.com/u/23502129?s=400&v=4" width="80" alt=""/>
-				<br /><sub><b>WaterCalm</b></sub>
-			</a>
-		</td>
-		<td align="center">
-			<a href="https://github.com/lebrou34">
-				<img src="https://avatars1.githubusercontent.com/u/16373103?s=460&v=4" width="80" alt=""/>
-				<br /><sub><b>lebrou34</b></sub>
-			</a>
-		</td>
-		<td align="center">
-			<a href="https://github.com/lightglitch">
-				<img src="https://avatars0.githubusercontent.com/u/196953?s=460&v=4" width="80" alt=""/>
-				<br /><sub><b>Mário Franco</b></sub>
-			</a>
-		</td>
-		<td align="center">
-			<a href="https://github.com/klutchell">
-				<img src="https://avatars3.githubusercontent.com/u/20458272?s=460&v=4" width="80" alt=""/>
-				<br /><sub><b>Kyle Harding</b></sub>
-			</a>
-		</td>
-		<td align="center">
-			<a href="https://github.com/ahgraber">
-				<img src="https://avatars.githubusercontent.com/u/24922003?s=460&u=8376c9f00af9b6057ba4d2fb03b4f1b20a75277f&v=4" width="80" alt=""/>
-				<br /><sub><b>Alex Graber</b></sub>
-			</a>
-		</td>
-	</tr>
-	<tr>
-		<td align="center">
-			<a href="https://github.com/MooBaloo">
-				<img src="https://avatars.githubusercontent.com/u/9493496?s=460&v=4" width="80" alt=""/>
-				<br /><sub><b>MooBaloo</b></sub>
-			</a>
-		</td>
-		<td align="center">
-			<a href="https://github.com/Shuro">
-				<img src="https://avatars.githubusercontent.com/u/944030?s=460&v=4" width="80" alt=""/>
-				<br /><sub><b>Shuro</b></sub>
-			</a>
-		</td>
-		<td align="center">
-			<a href="https://github.com/lorisbergeron">
-				<img src="https://avatars.githubusercontent.com/u/51918567?s=460&u=778e4ff284b7d7304450f98421c99f79298371fb&v=4" width="80" alt=""/>
-				<br /><sub><b>Loris Bergeron</b></sub>
-			</a>
-		</td>
-		<td align="center">
-			<a href="https://github.com/hepelayo">
-				<img src="https://avatars.githubusercontent.com/u/8243119?v=4" width="80" alt=""/>
-				<br /><sub><b>hepelayo</b></sub>
-			</a>
-		</td>
-		<td align="center">
-			<a href="https://github.com/jonasled">
-				<img src="https://avatars.githubusercontent.com/u/46790650?v=4" width="80" alt=""/>
-				<br /><sub><b>Jonas Leder</b></sub>
-			</a>
-		</td>
-		<td align="center">
-			<a href="https://github.com/stegmannb">
-				<img src="https://avatars.githubusercontent.com/u/12850482?v=4" width="80" alt=""/>
-				<br /><sub><b>Bastian Stegmann</b></sub>
-			</a>
-		</td>
-		<td align="center">
-			<a href="https://github.com/Stealthii">
-				<img src="https://avatars.githubusercontent.com/u/998920?v=4" width="80" alt=""/>
-				<br /><sub><b>Stealthii</b></sub>
-			</a>
-		</td>
-	</tr>
-	<tr>
-		<td align="center">
-			<a href="https://github.com/thegamingninja">
-				<img src="https://avatars.githubusercontent.com/u/8020534?v=4" width="80" alt=""/>
-				<br /><sub><b>THEGamingninja</b></sub>
-			</a>
-		</td>
-		<td align="center">
-			<a href="https://github.com/italobb">
-				<img src="https://avatars.githubusercontent.com/u/1801687?v=4" width="80" alt=""/>
-				<br /><sub><b>Italo Borssatto</b></sub>
-			</a>
-		</td>
-		<td align="center">
-			<a href="https://github.com/GurjinderSingh">
-				<img src="https://avatars.githubusercontent.com/u/3470709?v=4" width="80" alt=""/>
-				<br /><sub><b>Gurjinder Singh</b></sub>
-			</a>
-		</td>
-		<td align="center">
-			<a href="https://github.com/phantomski77">
-				<img src="https://avatars.githubusercontent.com/u/69464125?v=4" width="80" alt=""/>
-				<br /><sub><b>David Dosoudil</b></sub>
-			</a>
-		</td>
-		<td align="center">
-			<a href="https://github.com/ijaron">
-				<img src="https://avatars.githubusercontent.com/u/5156472?v=4" width="80" alt=""/>
-				<br /><sub><b>ijaron</b></sub>
-			</a>
-		</td>
-		<td align="center">
-			<a href="https://github.com/nielscil">
-				<img src="https://avatars.githubusercontent.com/u/9073152?v=4" width="80" alt=""/>
-				<br /><sub><b>Niels Bouma</b></sub>
-			</a>
-		</td>
-		<td align="center">
-			<a href="https://github.com/ogarai">
-				<img src="https://avatars.githubusercontent.com/u/2949572?v=4" width="80" alt=""/>
-				<br /><sub><b>Orko Garai</b></sub>
-			</a>
-		</td>
-	</tr>
-	<tr>
-		<td align="center">
-			<a href="https://github.com/baruffaldi">
-				<img src="https://avatars.githubusercontent.com/u/36949?v=4" width="80" alt=""/>
-				<br /><sub><b>Filippo Baruffaldi</b></sub>
-			</a>
-		</td>
-		<td align="center">
-			<a href="https://github.com/bikram990">
-				<img src="https://avatars.githubusercontent.com/u/6782131?v=4" width="80" alt=""/>
-				<br /><sub><b>Bikramjeet Singh</b></sub>
-			</a>
-		</td>
-		<td align="center">
-			<a href="https://github.com/razvanstoica89">
-				<img src="https://avatars.githubusercontent.com/u/28236583?v=4" width="80" alt=""/>
-				<br /><sub><b>Razvan Stoica</b></sub>
-			</a>
-		</td>
-		<td align="center">
-			<a href="https://github.com/psharma04">
-				<img src="https://avatars.githubusercontent.com/u/22587474?v=4" width="80" alt=""/>
-				<br /><sub><b>RBXII3</b></sub>
-			</a>
-		</td>
-		<td align="center">
-			<a href="https://github.com/demize">
-				<img src="https://avatars.githubusercontent.com/u/264914?v=4" width="80" alt=""/>
-				<br /><sub><b>demize</b></sub>
-			</a>
-		</td>
-		<td align="center">
-			<a href="https://github.com/PUP-Loki">
-				<img src="https://avatars.githubusercontent.com/u/75944209?v=4" width="80" alt=""/>
-				<br /><sub><b>PUP-Loki</b></sub>
-			</a>
-		</td>
-		<td align="center">
-			<a href="https://github.com/DSorlov">
-				<img src="https://avatars.githubusercontent.com/u/8133650?v=4" width="80" alt=""/>
-				<br /><sub><b>Daniel Sörlöv</b></sub>
-			</a>
-		</td>
-	</tr>
-	<tr>
-		<td align="center">
-			<a href="https://github.com/Theyooo">
-				<img src="https://avatars.githubusercontent.com/u/58510131?v=4" width="80" alt=""/>
-				<br /><sub><b>Theyooo</b></sub>
-			</a>
-		</td>
-		<td align="center">
-			<a href="https://github.com/mrdink">
-				<img src="https://avatars.githubusercontent.com/u/514751?v=4" width="80" alt=""/>
-				<br /><sub><b>Justin Peacock</b></sub>
-			</a>
-		</td>
-		<td align="center">
-			<a href="https://github.com/ChrisTracy">
-				<img src="https://avatars.githubusercontent.com/u/58871574?v=4" width="80" alt=""/>
-				<br /><sub><b>Chris Tracy</b></sub>
-			</a>
-		</td>
-		<td align="center">
-			<a href="https://github.com/Fuechslein">
-				<img src="https://avatars.githubusercontent.com/u/15112818?v=4" width="80" alt=""/>
-				<br /><sub><b>Fuechslein</b></sub>
-			</a>
-		</td>
-		<td align="center">
-			<a href="https://github.com/nightah">
-				<img src="https://avatars.githubusercontent.com/u/3339418?v=4" width="80" alt=""/>
-				<br /><sub><b>Amir Zarrinkafsh</b></sub>
-			</a>
-		</td>
-		<td align="center">
-			<a href="https://github.com/gabbe">
-				<img src="https://avatars.githubusercontent.com/u/156397?v=4" width="80" alt=""/>
-				<br /><sub><b>gabbe</b></sub>
-			</a>
-		</td>
-		<td align="center">
-			<a href="https://github.com/bmbvenom">
-				<img src="https://avatars.githubusercontent.com/u/20530371?v=4" width="80" alt=""/>
-				<br /><sub><b>bmbvenom</b></sub>
-			</a>
-		</td>
-	</tr>
-	<tr>
-		<td align="center">
-			<a href="https://github.com/FMeinicke">
-				<img src="https://avatars.githubusercontent.com/u/42121639?v=4" width="80" alt=""/>
-				<br /><sub><b>Florian Meinicke</b></sub>
-			</a>
-		</td>
-		<td align="center">
-			<a href="https://github.com/ssrahul96">
-				<img src="https://avatars.githubusercontent.com/u/15570570?v=4" width="80" alt=""/>
-				<br /><sub><b>Rahul Somasundaram</b></sub>
-			</a>
-		</td>
-		<td align="center">
-			<a href="https://github.com/BjoernAkAManf">
-				<img src="https://avatars.githubusercontent.com/u/833043?v=4" width="80" alt=""/>
-				<br /><sub><b>Björn Heinrichs</b></sub>
-			</a>
-		</td>
-		<td align="center">
-			<a href="https://github.com/realJoshByrnes">
-				<img src="https://avatars.githubusercontent.com/u/204185?v=4" width="80" alt=""/>
-				<br /><sub><b>Josh Byrnes</b></sub>
-			</a>
-		</td>
-		<td align="center">
-			<a href="https://github.com/bergi9">
-				<img src="https://avatars.githubusercontent.com/u/5556750?v=4" width="80" alt=""/>
-				<br /><sub><b>bergi9</b></sub>
-			</a>
-		</td>
-	</tr>
-</table>
-<!-- markdownlint-enable -->
-<!-- prettier-ignore-end -->
+
+## Getting Support
+
+1. [Found a bug?](https://github.com/NginxProxyManager/nginx-proxy-manager/issues)
+2. [Discussions](https://github.com/NginxProxyManager/nginx-proxy-manager/discussions)
+3. [Reddit](https://reddit.com/r/nginxproxymanager)
--- a/backend/.eslintrc.json
+++ b/backend/.eslintrc.json
@@ -1,73 +0,0 @@
-{
-	"env": {
-		"node": true,
-		"es6": true
-	},
-	"extends": [
-		"eslint:recommended"
-	],
-	"globals": {
-		"Atomics": "readonly",
-		"SharedArrayBuffer": "readonly"
-	},
-	"parserOptions": {
-		"ecmaVersion": 2018,
-		"sourceType": "module"
-	},
-	"plugins": [
-		"align-assignments"
-	],
-	"rules": {
-		"arrow-parens": [
-			"error",
-			"always"
-		],
-		"indent": [
-			"error",
-			"tab"
-		],
-		"linebreak-style": [
-			"error",
-			"unix"
-		],
-		"quotes": [
-			"error",
-			"single"
-		],
-		"semi": [
-			"error",
-			"always"
-		],
-		"key-spacing": [
-			"error",
-			{
-				"align": "value"
-			}
-		],
-		"comma-spacing": [
-			"error",
-			{
-				"before": false,
-				"after": true
-			}
-		],
-		"func-call-spacing": [
-			"error",
-			"never"
-		],
-		"keyword-spacing": [
-			"error",
-			{
-				"before": true
-			}
-		],
-		"no-irregular-whitespace": "error",
-		"no-unused-expressions": 0,
-		"align-assignments/align-assignments": [
-			2,
-			{
-				"requiresOnly": false
-			}
-		]
-	}
-}
--- a/backend/.prettierrc
+++ b/backend/.prettierrc
@@ -1,11 +0,0 @@
-{
-	"printWidth": 320,
-	"tabWidth": 4,
-	"useTabs": true,
-	"semi": true,
-	"singleQuote": true,
-	"bracketSpacing": true,
-	"jsxBracketSameLine": true,
-	"trailingComma": "all",
-	"proseWrap": "always"
-}
--- a/backend/.vscode/settings.json
+++ b/backend/.vscode/settings.json
@@ -1,8 +0,0 @@
-{
-	"editor.insertSpaces": false,
-	"editor.formatOnSave": true,
-	"files.trimTrailingWhitespace": true,
-	"editor.codeActionsOnSave": {
-		"source.fixAll.eslint": true
-	}
-}
--- a/backend/app.js
+++ b/backend/app.js
@@ -1,8 +1,12 @@
-const express     = require('express');
-const bodyParser  = require('body-parser');
-const fileUpload  = require('express-fileupload');
-const compression = require('compression');
-const log         = require('./logger').express;
+import bodyParser from "body-parser";
+import compression from "compression";
+import express from "express";
+import fileUpload from "express-fileupload";
+import { isDebugMode } from "./lib/config.js";
+import cors from "./lib/express/cors.js";
+import jwt from "./lib/express/jwt.js";
+import { express as logger } from "./logger.js";
+import mainRoutes from "./routes/main.js";

 /**
 * App
@@ -10,7 +14,7 @@ const log         = require('./logger').express;
 const app = express();
 app.use(fileUpload());
 app.use(bodyParser.json());
-app.use(bodyParser.urlencoded({extended: true}));
+app.use(bodyParser.urlencoded({ extended: true }));

 // Gzip
 app.use(compression());
@@ -19,71 +23,70 @@ app.use(compression());
 * General Logging, BEFORE routes
 */

-app.disable('x-powered-by');
-app.enable('trust proxy', ['loopback', 'linklocal', 'uniquelocal']);
-app.enable('strict routing');
+app.disable("x-powered-by");
+app.enable("trust proxy", ["loopback", "linklocal", "uniquelocal"]);
+app.enable("strict routing");

 // pretty print JSON when not live
-if (process.env.NODE_ENV !== 'production') {
-	app.set('json spaces', 2);
+if (isDebugMode()) {
+	app.set("json spaces", 2);
 }

 // CORS for everything
-app.use(require('./lib/express/cors'));
+app.use(cors);

 // General security/cache related headers + server header
-app.use(function (req, res, next) {
-	let x_frame_options = 'DENY';
+app.use((_, res, next) => {
+	let x_frame_options = "DENY";

-	if (typeof process.env.X_FRAME_OPTIONS !== 'undefined' && process.env.X_FRAME_OPTIONS) {
+	if (typeof process.env.X_FRAME_OPTIONS !== "undefined" && process.env.X_FRAME_OPTIONS) {
 		x_frame_options = process.env.X_FRAME_OPTIONS;
 	}

 	res.set({
-		'X-XSS-Protection':       '1; mode=block',
-		'X-Content-Type-Options': 'nosniff',
-		'X-Frame-Options':        x_frame_options,
-		'Cache-Control':          'no-cache, no-store, max-age=0, must-revalidate',
-		Pragma:                   'no-cache',
-		Expires:                  0
+		"X-XSS-Protection": "1; mode=block",
+		"X-Content-Type-Options": "nosniff",
+		"X-Frame-Options": x_frame_options,
+		"Cache-Control": "no-cache, no-store, max-age=0, must-revalidate",
+		Pragma: "no-cache",
+		Expires: 0,
 	});
 	next();
 });

-app.use(require('./lib/express/jwt')());
-app.use('/', require('./routes/api/main'));
+app.use(jwt());
+app.use("/", mainRoutes);

 // production error handler
 // no stacktraces leaked to user
-// eslint-disable-next-line
-app.use(function (err, req, res, next) {
-
-	let payload = {
+app.use((err, req, res, _) => {
+	const payload = {
 		error: {
-			code:    err.status,
-			message: err.public ? err.message : 'Internal Error'
-		}
+			code: err.status,
+			message: err.public ? err.message : "Internal Error",
+		},
 	};

-	if (process.env.NODE_ENV === 'development' || (req.baseUrl + req.path).includes('nginx/certificates')) {
+	if (typeof err.message_i18n !== "undefined") {
+		payload.error.message_i18n = err.message_i18n;
+	}
+
+	if (isDebugMode() || (req.baseUrl + req.path).includes("nginx/certificates")) {
 		payload.debug = {
-			stack:    typeof err.stack !== 'undefined' && err.stack ? err.stack.split('\n') : null,
-			previous: err.previous
+			stack: typeof err.stack !== "undefined" && err.stack ? err.stack.split("\n") : null,
+			previous: err.previous,
 		};
 	}

 	// Not every error is worth logging - but this is good for now until it gets annoying.
-	if (typeof err.stack !== 'undefined' && err.stack) {
-		if (process.env.NODE_ENV === 'development' || process.env.DEBUG) {
-			log.debug(err.stack);
-		} else if (typeof err.public == 'undefined' || !err.public) {
-			log.warn(err.message);
+	if (typeof err.stack !== "undefined" && err.stack) {
+		logger.debug(err.stack);
+		if (typeof err.public === "undefined" || !err.public) {
+			logger.warn(err.message);
 		}
 	}

-	res
-		.status(err.status || 500)
-		.send(payload);
+	res.status(err.status || 500).send(payload);
 });

-module.exports = app;
+export default app;
--- a/backend/biome.json
+++ b/backend/biome.json
@@ -0,0 +1,91 @@
+{
+    "$schema": "https://biomejs.dev/schemas/2.3.1/schema.json",
+    "vcs": {
+        "enabled": true,
+        "clientKind": "git",
+        "useIgnoreFile": true
+    },
+    "files": {
+        "ignoreUnknown": false,
+        "includes": [
+            "**/*.ts",
+            "**/*.tsx",
+            "**/*.js",
+            "**/*.jsx",
+            "!**/dist/**/*"
+        ]
+    },
+    "formatter": {
+        "enabled": true,
+        "indentStyle": "tab",
+        "indentWidth": 4,
+        "lineWidth": 120,
+        "formatWithErrors": true
+    },
+    "assist": {
+        "actions": {
+            "source": {
+                "organizeImports": {
+                    "level": "on",
+                    "options": {
+                        "groups": [
+                            ":BUN:",
+                            ":NODE:",
+                            [
+                                "npm:*",
+                                "npm:*/**"
+                            ],
+                            ":PACKAGE_WITH_PROTOCOL:",
+                            ":URL:",
+                            ":PACKAGE:",
+                            [
+                                "/src/*",
+                                "/src/**"
+                            ],
+                            [
+                                "/**"
+                            ],
+                            [
+                                "#*",
+                                "#*/**"
+                            ],
+                            ":PATH:"
+                        ]
+                    }
+                }
+            }
+        }
+    },
+    "linter": {
+        "enabled": true,
+        "rules": {
+            "recommended": true,
+            "correctness": {
+                "useUniqueElementIds": "off"
+            },
+            "suspicious": {
+                "noExplicitAny": "off"
+            },
+            "performance": {
+                "noDelete": "off"
+            },
+            "nursery": "off",
+            "a11y": {
+                "useSemanticElements": "off",
+                "useValidAnchor": "off"
+            },
+            "style": {
+                "noParameterAssign": "error",
+                "useAsConstAssertion": "error",
+                "useDefaultParameterLast": "error",
+                "useEnumInitializers": "error",
+                "useSelfClosingElements": "error",
+                "useSingleVarDeclarator": "error",
+                "noUnusedTemplateLiteral": "error",
+                "useNumberNamespace": "error",
+                "noInferrableTypes": "error",
+                "noUselessElse": "error"
+            }
+        }
+    }
+}
--- a/backend/certbot/README.md
+++ b/backend/certbot/README.md
@@ -0,0 +1,21 @@
+# Certbot dns-plugins
+
+This file contains info about available Certbot DNS plugins.
+This only works for plugins which use the standard argument structure, so:
+--authenticator <plugin-name> --<plugin-name>-credentials <FILE> --<plugin-name>-propagation-seconds <number>
+
+File Structure:
+
+```json
+{
+  "cloudflare": {
+    "display_name": "Name displayed to the user",
+    "package_name": "Package name in PyPi repo",
+    "version_requirement": "Optional package version requirements (e.g. ==1.3 or >=1.2,<2.0, see https://www.python.org/dev/peps/pep-0440/#version-specifiers)",
+    "dependencies": "Additional dependencies, space separated (as you would pass it to pip install)",
+    "credentials": "Template of the credentials file",
+    "full_plugin_name": "The full plugin name as used in the commandline with certbot, e.g. 'dns-njalla'"
+  },
+  ...
+}
+```
--- a/backend/certbot/dns-plugins.json
+++ b/backend/certbot/dns-plugins.json
@@ -0,0 +1,602 @@
+{
+	"acmedns": {
+		"name": "ACME-DNS",
+		"package_name": "certbot-dns-acmedns",
+		"version": "~=0.1.0",
+		"dependencies": "",
+		"credentials": "dns_acmedns_api_url = http://acmedns-server/\ndns_acmedns_registration_file = /data/acme-registration.json",
+		"full_plugin_name": "dns-acmedns"
+	},
+	"active24": {
+		"name": "Active24",
+		"package_name": "certbot-dns-active24",
+		"version": "~=2.0.0",
+		"dependencies": "",
+		"credentials": "dns_active24_api_key = <identifier>\ndns_active24_secret = <secret>",
+		"full_plugin_name": "dns-active24"
+	},
+	"aliyun": {
+		"name": "Aliyun",
+		"package_name": "certbot-dns-aliyun",
+		"version": "~=2.0.0",
+		"dependencies": "",
+		"credentials": "dns_aliyun_access_key = 12345678\ndns_aliyun_access_key_secret = 1234567890abcdef1234567890abcdef",
+		"full_plugin_name": "dns-aliyun"
+	},
+	"azure": {
+		"name": "Azure",
+		"package_name": "certbot-dns-azure",
+		"version": "~=1.2.0",
+		"dependencies": "",
+		"credentials": "# This plugin supported API authentication using either Service Principals or utilizing a Managed Identity assigned to the virtual machine.\n# Regardless which authentication method used, the identity will need the “DNS Zone Contributor” role assigned to it.\n# As multiple Azure DNS Zones in multiple resource groups can exist, the config file needs a mapping of zone to resource group ID. Multiple zones -> ID mappings can be listed by using the key dns_azure_zoneX where X is a unique number. At least 1 zone mapping is required.\n\n# Using a service principal (option 1)\ndns_azure_sp_client_id = 912ce44a-0156-4669-ae22-c16a17d34ca5\ndns_azure_sp_client_secret = E-xqXU83Y-jzTI6xe9fs2YC~mck3ZzUih9\ndns_azure_tenant_id = ed1090f3-ab18-4b12-816c-599af8a88cf7\n\n# Using used assigned MSI (option 2)\n# dns_azure_msi_client_id = 912ce44a-0156-4669-ae22-c16a17d34ca5\n\n# Using system assigned MSI (option 3)\n# dns_azure_msi_system_assigned = true\n\n# Zones (at least one always required)\ndns_azure_zone1 = example.com:/subscriptions/c135abce-d87d-48df-936c-15596c6968a5/resourceGroups/dns1\ndns_azure_zone2 = example.org:/subscriptions/99800903-fb14-4992-9aff-12eaf2744622/resourceGroups/dns2",
+		"full_plugin_name": "dns-azure"
+	},
+	"baidu": {
+		"name": "baidu",
+		"package_name": "certbot-dns-baidu",
+		"version": "~=0.1.1",
+		"dependencies": "",
+		"credentials": "dns_baidu_access_key = 12345678\ndns_baidu_secret_key = 1234567890abcdef1234567890abcdef",
+		"full_plugin_name": "dns-baidu"
+	},
+	"beget": {
+		"name":"Beget",
+		"package_name": "certbot-beget-plugin",
+		"version": "~=1.0.0.dev9",
+		"dependencies": "",
+		"credentials": "# Beget API credentials used by Certbot\nbeget_plugin_username = username\nbeget_plugin_password = password",
+		"full_plugin_name": "beget-plugin"
+	},
+	"bunny": {
+		"name": "bunny.net",
+		"package_name": "certbot-dns-bunny",
+		"version": "~=0.0.9",
+		"dependencies": "",
+		"credentials": "# Bunny API token used by Certbot (see https://dash.bunny.net/account/settings)\ndns_bunny_api_key = xxxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx",
+		"full_plugin_name": "dns-bunny"
+	},
+	"cdmon": {
+		"name": "cdmon",
+		"package_name": "certbot-dns-cdmon",
+		"version": "~=0.4.1",
+		"dependencies": "",
+		"credentials": "dns_cdmon_api_key=your-cdmon-api-token\ndns_cdmon_domain=your_domain_is_optional",
+		"full_plugin_name": "dns-cdmon"
+	},
+	"cloudflare": {
+		"name": "Cloudflare",
+		"package_name": "certbot-dns-cloudflare",
+		"version": "=={{certbot-version}}",
+		"dependencies": "acme=={{certbot-version}}",
+		"credentials": "# Cloudflare API token\ndns_cloudflare_api_token=0123456789abcdef0123456789abcdef01234567",
+		"full_plugin_name": "dns-cloudflare"
+	},
+	"cloudns": {
+		"name": "ClouDNS",
+		"package_name": "certbot-dns-cloudns",
+		"version": "~=0.6.0",
+		"dependencies": "",
+		"credentials": "# Target user ID (see https://www.cloudns.net/api-settings/)\n\tdns_cloudns_auth_id=1234\n\t# Alternatively, one of the following two options can be set:\n\t# dns_cloudns_sub_auth_id=1234\n\t# dns_cloudns_sub_auth_user=foobar\n\n\t# API password\n\tdns_cloudns_auth_password=password1",
+		"full_plugin_name": "dns-cloudns"
+	},
+	"cloudxns": {
+		"name": "CloudXNS",
+		"package_name": "certbot-dns-cloudxns",
+		"version": "~=1.32.0",
+		"dependencies": "",
+		"credentials": "dns_cloudxns_api_key = 1234567890abcdef1234567890abcdef\ndns_cloudxns_secret_key = 1122334455667788",
+		"full_plugin_name": "dns-cloudxns"
+	},
+	"constellix": {
+		"name": "Constellix",
+		"package_name": "certbot-dns-constellix",
+		"version": "~=0.2.1",
+		"dependencies": "",
+		"credentials": "dns_constellix_apikey = 5fb4e76f-ac91-43e5-f982458bc595\ndns_constellix_secretkey = 47d99fd0-32e7-4e07-85b46d08e70b\ndns_constellix_endpoint = https://api.dns.constellix.com/v1",
+		"full_plugin_name": "dns-constellix"
+	},
+	"corenetworks": {
+		"name": "Core Networks",
+		"package_name": "certbot-dns-corenetworks",
+		"version": "~=0.1.4",
+		"dependencies": "",
+		"credentials": "dns_corenetworks_username = asaHB12r\ndns_corenetworks_password = secure_password",
+		"full_plugin_name": "dns-corenetworks"
+	},
+	"cpanel": {
+		"name": "cPanel",
+		"package_name": "certbot-dns-cpanel",
+		"version": "~=0.4.0",
+		"dependencies": "",
+		"credentials": "cpanel_url = https://cpanel.example.com:2083\ncpanel_username = your_username\ncpanel_password = your_password\ncpanel_token = your_api_token",
+		"full_plugin_name": "cpanel"
+	},
+	"ddnss": {
+		"name": "DDNSS",
+		"package_name": "certbot-dns-ddnss",
+		"version": "~=1.1.0",
+		"dependencies": "",
+		"credentials": "dns_ddnss_token = YOUR_DDNSS_API_TOKEN",
+		"full_plugin_name": "dns-ddnss"
+	},
+	"desec": {
+		"name": "deSEC",
+		"package_name": "certbot-dns-desec",
+		"version": "~=1.2.1",
+		"dependencies": "",
+		"credentials": "dns_desec_token = YOUR_DESEC_API_TOKEN\ndns_desec_endpoint = https://desec.io/api/v1/",
+		"full_plugin_name": "dns-desec"
+	},
+	"duckdns": {
+		"name": "DuckDNS",
+		"package_name": "certbot-dns-duckdns",
+		"version": "~=1.0",
+		"dependencies": "",
+		"credentials": "dns_duckdns_token=your-duckdns-token",
+		"full_plugin_name": "dns-duckdns"
+	},
+	"digitalocean": {
+		"name": "DigitalOcean",
+		"package_name": "certbot-dns-digitalocean",
+		"version": "=={{certbot-version}}",
+		"dependencies": "acme=={{certbot-version}}",
+		"credentials": "dns_digitalocean_token = 0000111122223333444455556666777788889999aaaabbbbccccddddeeeeffff",
+		"full_plugin_name": "dns-digitalocean"
+	},
+	"directadmin": {
+		"name": "DirectAdmin",
+		"package_name": "certbot-dns-directadmin",
+		"version": "~=0.0.23",
+		"dependencies": "",
+		"credentials": "directadmin_url = https://my.directadminserver.com:2222\ndirectadmin_username = username\ndirectadmin_password = aSuperStrongPassword",
+		"full_plugin_name": "directadmin"
+	},
+	"dnsimple": {
+		"name": "DNSimple",
+		"package_name": "certbot-dns-dnsimple",
+		"version": "=={{certbot-version}}",
+		"dependencies": "acme=={{certbot-version}}",
+		"credentials": "dns_dnsimple_token = MDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAw",
+		"full_plugin_name": "dns-dnsimple"
+	},
+	"dnsmadeeasy": {
+		"name": "DNS Made Easy",
+		"package_name": "certbot-dns-dnsmadeeasy",
+		"version": "=={{certbot-version}}",
+		"dependencies": "acme=={{certbot-version}}",
+		"credentials": "dns_dnsmadeeasy_api_key = 1c1a3c91-4770-4ce7-96f4-54c0eb0e457a\ndns_dnsmadeeasy_secret_key = c9b5625f-9834-4ff8-baba-4ed5f32cae55",
+		"full_plugin_name": "dns-dnsmadeeasy"
+	},
+	"dnsmulti": {
+		"name": "DnsMulti",
+		"package_name": "certbot-dns-multi",
+		"version": "~=4.9",
+		"dependencies": "",
+		"credentials": "# See https://go-acme.github.io/lego/dns/#dns-providers for list of providers and their settings\n# Example provider configuration for DreamHost\n# dns_multi_provider = dreamhost\n# DREAMHOST_API_KEY = ABCDEFG1234",
+		"full_plugin_name": "dns-multi"
+	},
+	"dnspod": {
+		"name": "DNSPod",
+		"package_name": "certbot-dns-dnspod",
+		"version": "~=0.1.0",
+		"dependencies": "",
+		"credentials": "dns_dnspod_email = \"email@example.com\"\ndns_dnspod_api_token = \"id,key\"",
+		"full_plugin_name": "dns-dnspod"
+	},
+	"domainoffensive": {
+		"name": "DomainOffensive (do.de)",
+		"package_name": "certbot-dns-domainoffensive",
+		"version": "~=2.0.0",
+		"dependencies": "",
+		"credentials": "dns_domainoffensive_api_token = YOUR_DO_DE_AUTH_TOKEN",
+		"full_plugin_name": "dns-domainoffensive"
+	},
+	"domeneshop": {
+		"name": "Domeneshop",
+		"package_name": "certbot-dns-domeneshop",
+		"version": "~=0.2.8",
+		"dependencies": "",
+		"credentials": "dns_domeneshop_client_token=YOUR_DOMENESHOP_CLIENT_TOKEN\ndns_domeneshop_client_secret=YOUR_DOMENESHOP_CLIENT_SECRET",
+		"full_plugin_name": "dns-domeneshop"
+	},
+	"dynu": {
+		"name": "Dynu",
+		"package_name": "certbot-dns-dynu",
+		"version": "~=0.0.1",
+		"dependencies": "",
+		"credentials": "dns_dynu_auth_token = YOUR_DYNU_AUTH_TOKEN",
+		"full_plugin_name": "dns-dynu"
+	},
+	"easydns": {
+		"name": "easyDNS",
+		"package_name": "certbot-dns-easydns",
+		"version": "~=0.1.2",
+		"dependencies": "",
+		"credentials": "dns_easydns_usertoken = YOUR_EASYDNS_USERTOKEN\ndns_easydns_userkey = YOUR_EASYDNS_USERKEY\ndns_easydns_endpoint = https://rest.easydns.net",
+		"full_plugin_name": "dns-easydns"
+	},
+	"eurodns": {
+		"name": "EuroDNS",
+		"package_name": "certbot-dns-eurodns",
+		"version": "~=0.0.4",
+		"dependencies": "",
+		"credentials": "dns_eurodns_applicationId = myuser\ndns_eurodns_apiKey = mysecretpassword\ndns_eurodns_endpoint = https://rest-api.eurodns.com/user-api-gateway/proxy",
+		"full_plugin_name": "dns-eurodns"
+	},
+	"firstdomains": {
+                "name": "First Domains",
+                "package_name": "certbot-dns-firstdomains",
+                "version": ">=1.0",
+                "dependencies": "",
+                "credentials": "dns_firstdomains_username = myremoteuser\ndns_firstdomains_password = verysecureremoteuserpassword",
+                "full_plugin_name": "dns-firstdomains"
+        },
+	"freedns": {
+		"name": "FreeDNS",
+		"package_name": "certbot-dns-freedns",
+		"version": "~=0.1.0",
+		"dependencies": "",
+		"credentials": "dns_freedns_username = myremoteuser\ndns_freedns_password = verysecureremoteuserpassword",
+		"full_plugin_name": "dns-freedns"
+	},
+	"gandi": {
+		"name": "Gandi Live DNS",
+		"package_name": "certbot-dns-gandi",
+		"version": "~=1.6.1",
+		"dependencies": "",
+		"credentials": "# Gandi personal access token\ndns_gandi_token=PERSONAL_ACCESS_TOKEN",
+		"full_plugin_name": "dns-gandi"
+	},
+	"gcore": {
+		"name": "Gcore DNS",
+		"package_name": "certbot-dns-gcore",
+		"version": "~=0.1.8",
+		"dependencies": "",
+		"credentials": "dns_gcore_apitoken = 0123456789abcdef0123456789abcdef01234567",
+		"full_plugin_name": "dns-gcore"
+	},
+	"godaddy": {
+		"name": "GoDaddy",
+		"package_name": "certbot-dns-godaddy",
+		"version": "==2.8.0",
+		"dependencies": "",
+		"credentials": "dns_godaddy_secret = 0123456789abcdef0123456789abcdef01234567\ndns_godaddy_key = abcdef0123456789abcdef01234567abcdef0123",
+		"full_plugin_name": "dns-godaddy"
+	},
+	"google": {
+		"name": "Google",
+		"package_name": "certbot-dns-google",
+		"version": "=={{certbot-version}}",
+		"dependencies": "",
+		"credentials": "{\n\"type\": \"service_account\",\n...\n}",
+		"full_plugin_name": "dns-google"
+	},
+	"googledomains": {
+		"name": "GoogleDomainsDNS",
+		"package_name": "certbot-dns-google-domains",
+		"version": "~=0.1.5",
+		"dependencies": "",
+		"credentials": "dns_google_domains_access_token = 0123456789abcdef0123456789abcdef01234567\ndns_google_domains_zone = \"example.com\"",
+		"full_plugin_name": "dns-google-domains"
+	},
+	"he": {
+		"name": "Hurricane Electric",
+		"package_name": "certbot-dns-he",
+		"version": "~=1.0.0",
+		"dependencies": "",
+		"credentials": "dns_he_user = Me\ndns_he_pass = my HE password",
+		"full_plugin_name": "dns-he"
+	},
+	"hetzner": {
+		"name": "Hetzner",
+		"package_name": "certbot-dns-hetzner",
+		"version": "~=1.0.4",
+		"dependencies": "",
+		"credentials": "dns_hetzner_api_token = 0123456789abcdef0123456789abcdef",
+		"full_plugin_name": "dns-hetzner"
+	},
+	"hostingnl": {
+		"name": "Hosting.nl",
+		"package_name": "certbot-dns-hostingnl",
+		"version": "~=0.1.5",
+		"dependencies": "",
+		"credentials": "dns_hostingnl_api_key = 0123456789abcdef0123456789abcdef",
+		"full_plugin_name": "dns-hostingnl"
+	},
+	"hover": {
+		"name": "Hover",
+		"package_name": "certbot-dns-hover",
+		"version": "~=1.2.1",
+		"dependencies": "",
+		"credentials": "dns_hover_hoverurl = https://www.hover.com\ndns_hover_username = hover-admin-username\ndns_hover_password = hover-admin-password\ndns_hover_totpsecret = 2fa-totp-secret",
+		"full_plugin_name": "dns-hover"
+	},
+	"infomaniak": {
+		"name": "Infomaniak",
+		"package_name": "certbot-dns-infomaniak",
+		"version": "~=0.2.2",
+		"dependencies": "",
+		"credentials": "dns_infomaniak_token = XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX",
+		"full_plugin_name": "dns-infomaniak"
+	},
+	"inwx": {
+		"name": "INWX",
+		"package_name": "certbot-dns-inwx",
+		"version": "~=2.1.2",
+		"dependencies": "",
+		"credentials": "dns_inwx_url = https://api.domrobot.com/xmlrpc/\ndns_inwx_username = your_username\ndns_inwx_password = your_password\ndns_inwx_shared_secret = your_shared_secret optional",
+		"full_plugin_name": "dns-inwx"
+	},
+	"ionos": {
+		"name": "IONOS",
+		"package_name": "certbot-dns-ionos",
+		"version": "==2022.11.24",
+		"dependencies": "",
+		"credentials": "dns_ionos_prefix = myapikeyprefix\ndns_ionos_secret = verysecureapikeysecret\ndns_ionos_endpoint = https://api.hosting.ionos.com",
+		"full_plugin_name": "dns-ionos"
+	},
+	"ispconfig": {
+		"name": "ISPConfig",
+		"package_name": "certbot-dns-ispconfig",
+		"version": "~=0.2.0",
+		"dependencies": "",
+		"credentials": "dns_ispconfig_username = myremoteuser\ndns_ispconfig_password = verysecureremoteuserpassword\ndns_ispconfig_endpoint = https://localhost:8080",
+		"full_plugin_name": "dns-ispconfig"
+	},
+	"isset": {
+		"name": "Isset",
+		"package_name": "certbot-dns-isset",
+		"version": "~=0.0.3",
+		"dependencies": "",
+		"credentials": "dns_isset_endpoint=\"https://customer.isset.net/api\"\ndns_isset_token=\"<token>\"",
+		"full_plugin_name": "dns-isset"
+	},
+	"joker": {
+		"name": "Joker",
+		"package_name": "certbot-dns-joker",
+		"version": "~=1.1.0",
+		"dependencies": "",
+		"credentials": "dns_joker_username = <Dynamic DNS Authentication Username>\ndns_joker_password = <Dynamic DNS Authentication Password>\ndns_joker_domain = <Dynamic DNS Domain>",
+		"full_plugin_name": "dns-joker"
+	},
+	"leaseweb": {
+		"name": "LeaseWeb",
+		"package_name": "certbot-dns-leaseweb",
+		"version": "~=1.0.1",
+		"dependencies": "",
+		"credentials": "dns_leaseweb_api_token = 01234556789",
+		"full_plugin_name": "dns-leaseweb"
+	},
+	"linode": {
+		"name": "Linode",
+		"package_name": "certbot-dns-linode",
+		"version": "=={{certbot-version}}",
+		"dependencies": "acme=={{certbot-version}}",
+		"credentials": "dns_linode_key = 0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ64\ndns_linode_version = [<blank>|3|4]",
+		"full_plugin_name": "dns-linode"
+	},
+	"loopia": {
+		"name": "Loopia",
+		"package_name": "certbot-dns-loopia",
+		"version": "~=1.0.0",
+		"dependencies": "",
+		"credentials": "dns_loopia_user = user@loopiaapi\ndns_loopia_password = abcdef0123456789abcdef01234567abcdef0123",
+		"full_plugin_name": "dns-loopia"
+	},
+	"luadns": {
+		"name": "LuaDNS",
+		"package_name": "certbot-dns-luadns",
+		"version": "=={{certbot-version}}",
+		"dependencies": "acme=={{certbot-version}}",
+		"credentials": "dns_luadns_email = user@example.com\ndns_luadns_token = 0123456789abcdef0123456789abcdef",
+		"full_plugin_name": "dns-luadns"
+	},
+	"mijnhost": {
+		"name": "mijn.host",
+		"package_name": "certbot-dns-mijn-host",
+		"version": "~=0.0.4",
+		"dependencies": "",
+		"credentials": "dns_mijn_host_api_key=0123456789abcdef0123456789abcdef",
+		"full_plugin_name": "dns-mijn-host"
+	},
+	"namecheap": {
+		"name": "Namecheap",
+		"package_name": "certbot-dns-namecheap",
+		"version": "~=1.0.0",
+		"dependencies": "",
+		"credentials": "dns_namecheap_username  = 123456\ndns_namecheap_api_key      = 0123456789abcdef0123456789abcdef01234567",
+		"full_plugin_name": "dns-namecheap"
+	},
+	"netcup": {
+		"name": "netcup",
+		"package_name": "certbot-dns-netcup",
+		"version": "~=1.0.0",
+		"dependencies": "",
+		"credentials": "dns_netcup_customer_id  = 123456\ndns_netcup_api_key      = 0123456789abcdef0123456789abcdef01234567\ndns_netcup_api_password = abcdef0123456789abcdef01234567abcdef0123",
+		"full_plugin_name": "dns-netcup"
+	},
+	"nicru": {
+		"name": "nic.ru",
+		"package_name": "certbot-dns-nicru",
+		"version": "~=1.0.3",
+		"dependencies": "",
+		"credentials": "dns_nicru_client_id = application-id\ndns_nicru_client_secret = application-token\ndns_nicru_username = 0001110/NIC-D\ndns_nicru_password = password\ndns_nicru_scope = .+:.+/zones/example.com(/.+)?\ndns_nicru_service = DNS_SERVICE_NAME\ndns_nicru_zone = example.com",
+		"full_plugin_name": "dns-nicru"
+	},
+	"njalla": {
+		"name": "Njalla",
+		"package_name": "certbot-dns-njalla",
+		"version": "~=1.0.0",
+		"dependencies": "",
+		"credentials": "dns_njalla_token = 0123456789abcdef0123456789abcdef01234567",
+		"full_plugin_name": "dns-njalla"
+	},
+	"nsone": {
+		"name": "NS1",
+		"package_name": "certbot-dns-nsone",
+		"version": "=={{certbot-version}}",
+		"dependencies": "acme=={{certbot-version}}",
+		"credentials": "dns_nsone_api_key = MDAwMDAwMDAwMDAwMDAw",
+		"full_plugin_name": "dns-nsone"
+	},
+	"oci": {
+		"name": "Oracle Cloud Infrastructure DNS",
+		"package_name": "certbot-dns-oci",
+		"version": "~=0.3.6",
+		"dependencies": "oci",
+		"credentials": "[DEFAULT]\nuser = ocid1.user.oc1...\nfingerprint = xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx\ntenancy = ocid1.tenancy.oc1...\nregion = us-ashburn-1\nkey_file = ~/.oci/oci_api_key.pem",
+		"full_plugin_name": "dns-oci"
+	},
+	"ovh": {
+		"name": "OVH",
+		"package_name": "certbot-dns-ovh",
+		"version": "=={{certbot-version}}",
+		"dependencies": "acme=={{certbot-version}}",
+		"credentials": "dns_ovh_endpoint = ovh-eu\ndns_ovh_application_key = MDAwMDAwMDAwMDAw\ndns_ovh_application_secret = MDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAw\ndns_ovh_consumer_key = MDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAw",
+		"full_plugin_name": "dns-ovh"
+	},
+	"plesk": {
+		"name": "Plesk",
+		"package_name": "certbot-dns-plesk",
+		"version": "~=0.3.0",
+		"dependencies": "",
+		"credentials": "dns_plesk_username = your-username\ndns_plesk_password = secret\ndns_plesk_api_url = https://plesk-api-host:8443",
+		"full_plugin_name": "dns-plesk"
+	},
+	"porkbun": {
+		"name": "Porkbun",
+		"package_name": "certbot-dns-porkbun",
+		"version": "~=0.9",
+		"dependencies": "",
+		"credentials": "dns_porkbun_key=your-porkbun-api-key\ndns_porkbun_secret=your-porkbun-api-secret",
+		"full_plugin_name": "dns-porkbun"
+	},
+	"powerdns": {
+		"name": "PowerDNS",
+		"package_name": "certbot-dns-powerdns",
+		"version": "~=0.2.1",
+		"dependencies": "PyYAML==5.3.1",
+		"credentials": "dns_powerdns_api_url = https://api.mypowerdns.example.org\ndns_powerdns_api_key = AbCbASsd!@34",
+		"full_plugin_name": "dns-powerdns"
+	},
+	"regru": {
+		"name": "reg.ru",
+		"package_name": "certbot-regru",
+		"version": "~=1.0.2",
+		"dependencies": "",
+		"credentials": "dns_username=username\ndns_password=password",
+		"full_plugin_name": "dns"
+	},
+	"rfc2136": {
+		"name": "RFC 2136",
+		"package_name": "certbot-dns-rfc2136",
+		"version": "=={{certbot-version}}",
+		"dependencies": "acme=={{certbot-version}}",
+		"credentials": "# Target DNS server\ndns_rfc2136_server = 192.0.2.1\n# Target DNS port\ndns_rfc2136_port = 53\n# TSIG key name\ndns_rfc2136_name = keyname.\n# TSIG key secret\ndns_rfc2136_secret = 4q4wM/2I180UXoMyN4INVhJNi8V9BCV+jMw2mXgZw/CSuxUT8C7NKKFs AmKd7ak51vWKgSl12ib86oQRPkpDjg==\n# TSIG key algorithm\ndns_rfc2136_algorithm = HMAC-SHA512",
+		"full_plugin_name": "dns-rfc2136"
+	},
+	"rockenstein": {
+		"name": "rockenstein AG",
+		"package_name": "certbot-dns-rockenstein",
+		"version": "~=1.0.0",
+		"dependencies": "",
+		"credentials": "dns_rockenstein_token=<token>",
+		"full_plugin_name": "dns-rockenstein"
+	},
+	"route53": {
+		"name": "Route 53 (Amazon)",
+		"package_name": "certbot-dns-route53",
+		"version": "=={{certbot-version}}",
+		"dependencies": "acme=={{certbot-version}}",
+		"credentials": "[default]\naws_access_key_id=AKIAIOSFODNN7EXAMPLE\naws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
+		"full_plugin_name": "dns-route53"
+	},
+	"spaceship": {
+		"name": "Spaceship",
+		"package_name": "certbot-dns-spaceship",
+		"version": "~=1.0.4",
+		"dependencies": "",
+		"credentials": "[spaceship]\napi_key=your_api_key\napi_secret=your_api_secret",
+		"full_plugin_name": "dns-spaceship"
+	},
+	"strato": {
+		"name": "Strato",
+		"package_name": "certbot-dns-strato",
+		"version": "~=0.2.2",
+		"dependencies": "",
+		"credentials": "dns_strato_username = user\ndns_strato_password = pass\n# uncomment if youre using two factor authentication:\n# dns_strato_totp_devicename = 2fa_device\n# dns_strato_totp_secret = 2fa_secret\n#\n# uncomment if domain name contains special characters\n# insert domain display name as seen on your account page here\n# dns_strato_domain_display_name = my-punicode-url.de\n#\n# if youre not using strato.de or another special endpoint you can customise it below\n# you will probably only need to adjust the host, but you can also change the complete endpoint url\n# dns_strato_custom_api_scheme = https\n# dns_strato_custom_api_host = www.strato.de\n# dns_strato_custom_api_port = 443\n# dns_strato_custom_api_path = \"/apps/CustomerService\"",
+		"full_plugin_name": "dns-strato"
+	},
+	        "selectelv2": {
+                "name": "Selectel api v2",
+                "package_name": "certbot-dns-selectel-api-v2",
+                "version": "~=0.3.0",
+                "dependencies": "",
+                "credentials": "dns_selectel_api_v2_account_id = your_account_id\ndns_selectel_api_v2_project_name = your_project\ndns_selectel_api_v2_username = your_username\ndns_selectel_api_v2_password = your_password",
+                "full_plugin_name": "dns-selectel-api-v2"
+        },
+	"timeweb": {
+		"name": "Timeweb Cloud",
+		"package_name": "certbot-dns-timeweb",
+		"version": "~=1.0.1",
+		"dependencies": "",
+		"credentials": "dns_timeweb_api_key = XXXXXXXXXXXXXXXXXXX",
+		"full_plugin_name": "dns-timeweb"
+	},
+	"transip": {
+		"name": "TransIP",
+		"package_name": "certbot-dns-transip",
+		"version": "~=0.5.2",
+		"dependencies": "",
+		"credentials": "dns_transip_username = my_username\ndns_transip_key_file = /etc/letsencrypt/transip-rsa.key",
+		"full_plugin_name": "dns-transip"
+	},
+	"tencentcloud": {
+		"name": "Tencent Cloud",
+		"package_name": "certbot-dns-tencentcloud",
+		"version": "~=2.0.2",
+		"dependencies": "",
+		"credentials": "dns_tencentcloud_secret_id  = TENCENT_CLOUD_SECRET_ID\ndns_tencentcloud_secret_key = TENCENT_CLOUD_SECRET_KEY",
+		"full_plugin_name": "dns-tencentcloud"
+	},
+	"vultr": {
+		"name": "Vultr",
+		"package_name": "certbot-dns-vultr",
+		"version": "~=1.1.0",
+		"dependencies": "",
+		"credentials": "dns_vultr_key = YOUR_VULTR_API_KEY",
+		"full_plugin_name": "dns-vultr"
+	},
+	"websupport": {
+		"name": "Websupport.sk",
+		"package_name": "certbot-dns-websupport",
+		"version": "~=2.0.1",
+		"dependencies": "",
+		"credentials": "dns_websupport_identifier = <api_key>\ndns_websupport_secret_key = <secret>",
+		"full_plugin_name": "dns-websupport"
+	},
+	"wedos": {
+		"name": "Wedos",
+		"package_name": "certbot-dns-wedos",
+		"version": "~=2.2",
+		"dependencies": "",
+		"credentials": "dns_wedos_user = <wedos_registration>\ndns_wedos_auth = <wapi_password>",
+		"full_plugin_name": "dns-wedos"
+	},
+	"edgedns": {
+		"name": "Akamai Edge DNS",
+		"package_name": "certbot-plugin-edgedns",
+		"version": "~=0.1.0",
+		"dependencies": "",
+		"credentials": "edgedns_client_secret = as3d1asd5d1a32sdfsdfs2d1asd5=\nedgedns_host = sdflskjdf-dfsdfsdf-sdfsdfsdf.luna.akamaiapis.net\nedgedns_access_token = kjdsi3-34rfsdfsdf-234234fsdfsdf\nedgedns_client_token = dkfjdf-342fsdfsd-23fsdfsdfsdf",
+		"full_plugin_name": "edgedns"
+	},
+	"zoneedit": {
+		"name": "ZoneEdit",
+		"package_name": "certbot-dns-zoneedit",
+		"version": "~=0.3.2",
+		"dependencies": "--no-deps dnspython",
+		"credentials": "dns_zoneedit_user = <login-user-id>\ndns_zoneedit_token = <dyn-authentication-token>",
+		"full_plugin_name": "dns-zoneedit"
+ 	}
+}
--- a/backend/config/default.json
+++ b/backend/config/default.json
@@ -1,6 +1,6 @@
 {
  "database": {
-    "engine": "mysql",
+    "engine": "mysql2",
    "host": "db",
    "name": "npm",
    "user": "npm",
--- a/backend/db.js
+++ b/backend/db.js
@@ -1,33 +1,32 @@
-const config = require('config');
+import knex from "knex";
+import {configGet, configHas} from "./lib/config.js";

-if (!config.has('database')) {
-	throw new Error('Database config does not exist! Please read the instructions: https://github.com/jc21/nginx-proxy-manager/blob/master/doc/INSTALL.md');
-}
+const generateDbConfig = () => {
+	if (!configHas("database")) {
+		throw new Error(
+			"Database config does not exist! Please read the instructions: https://nginxproxymanager.com/setup/",
+		);
+	}

-function generateDbConfig() {
-	if (config.database.engine === 'knex-native') {
-		return config.database.knex;
-	} else
-		return {
-			client:     config.database.engine,
-			connection: {
-				host:     config.database.host,
-				user:     config.database.user,
-				password: config.database.password,
-				database: config.database.name,
-				port:     config.database.port
-			},
-			migrations: {
-				tableName: 'migrations'
-			}
-		};
-}
+	const cfg = configGet("database");

+	if (cfg.engine === "knex-native") {
+		return cfg.knex;
+	}

-let data = generateDbConfig();
+	return {
+		client: cfg.engine,
+		connection: {
+			host: cfg.host,
+			user: cfg.user,
+			password: cfg.password,
+			database: cfg.name,
+			port: cfg.port,
+		},
+		migrations: {
+			tableName: "migrations",
+		},
+	};
+};

-if (typeof config.database.version !== 'undefined') {
-	data.version = config.database.version;
-}
-
-module.exports = require('knex')(data);
+export default knex(generateDbConfig());
--- a/backend/doc/api.swagger.json
+++ b/backend/doc/api.swagger.json
--- a/backend/index.js
+++ b/backend/index.js
@@ -1,135 +1,54 @@
 #!/usr/bin/env node

-const logger = require('./logger').global;
+import app from "./app.js";
+import internalCertificate from "./internal/certificate.js";
+import internalIpRanges from "./internal/ip_ranges.js";
+import { global as logger } from "./logger.js";
+import { migrateUp } from "./migrate.js";
+import { getCompiledSchema } from "./schema/index.js";
+import setup from "./setup.js";

-async function appStart () {
-	// Create config file db settings if environment variables have been set
-	await createDbConfigFromEnvironment();
+const IP_RANGES_FETCH_ENABLED = process.env.IP_RANGES_FETCH_ENABLED !== "false";

-	const migrate             = require('./migrate');
-	const setup               = require('./setup');
-	const app                 = require('./app');
-	const apiValidator        = require('./lib/validator/api');
-	const internalCertificate = require('./internal/certificate');
-	const internalIpRanges    = require('./internal/ip_ranges');
-
-	return migrate.latest()
+async function appStart() {
+	return migrateUp()
 		.then(setup)
+		.then(getCompiledSchema)
 		.then(() => {
-			return apiValidator.loadSchemas;
+			if (!IP_RANGES_FETCH_ENABLED) {
+				logger.info("IP Ranges fetch is disabled by environment variable");
+				return;
+			}
+			logger.info("IP Ranges fetch is enabled");
+			return internalIpRanges.fetch().catch((err) => {
+				logger.error("IP Ranges fetch failed, continuing anyway:", err.message);
+			});
 		})
-		.then(internalIpRanges.fetch)
 		.then(() => {
-
 			internalCertificate.initTimer();
 			internalIpRanges.initTimer();

 			const server = app.listen(3000, () => {
-				logger.info('Backend PID ' + process.pid + ' listening on port 3000 ...');
+				logger.info(`Backend PID ${process.pid} listening on port 3000 ...`);

-				process.on('SIGTERM', () => {
-					logger.info('PID ' + process.pid + ' received SIGTERM');
+				process.on("SIGTERM", () => {
+					logger.info(`PID ${process.pid} received SIGTERM`);
 					server.close(() => {
-						logger.info('Stopping.');
+						logger.info("Stopping.");
 						process.exit(0);
 					});
 				});
 			});
 		})
 		.catch((err) => {
-			logger.error(err.message);
+			logger.error(`Startup Error: ${err.message}`, err);
 			setTimeout(appStart, 1000);
 		});
 }

-async function createDbConfigFromEnvironment() {
-	return new Promise((resolve, reject) => {
-		const envMysqlHost = process.env.DB_MYSQL_HOST || null;
-		const envMysqlPort = process.env.DB_MYSQL_PORT || null;
-		const envMysqlUser = process.env.DB_MYSQL_USER || null;
-		const envMysqlName = process.env.DB_MYSQL_NAME || null;
-		let envSqliteFile  = process.env.DB_SQLITE_FILE || null;
-
-		const fs       = require('fs');
-		const filename = (process.env.NODE_CONFIG_DIR || './config') + '/' + (process.env.NODE_ENV || 'default') + '.json';
-		let configData = {};
-
-		try {
-			configData = require(filename);
-		} catch (err) {
-			// do nothing
-		}
-
-		if (configData.database && configData.database.engine && !configData.database.fromEnv) {
-			logger.info('Manual db configuration already exists, skipping config creation from environment variables');
-			resolve();
-			return;
-		}
-
-		if ((!envMysqlHost || !envMysqlPort || !envMysqlUser || !envMysqlName) && !envSqliteFile){
-			envSqliteFile = '/data/database.sqlite';
-			logger.info(`No valid environment variables for database provided, using default SQLite file '${envSqliteFile}'`);
-		}
-
-		if (envMysqlHost && envMysqlPort && envMysqlUser && envMysqlName) {
-			const newConfig = {
-				fromEnv:  true,
-				engine:   'mysql',
-				host:     envMysqlHost,
-				port:     envMysqlPort,
-				user:     envMysqlUser,
-				password: process.env.DB_MYSQL_PASSWORD,
-				name:     envMysqlName,
-			};
-
-			if (JSON.stringify(configData.database) === JSON.stringify(newConfig)) {
-				// Config is unchanged, skip overwrite
-				resolve();
-				return;
-			}
-
-			logger.info('Generating MySQL knex configuration from environment variables');
-			configData.database = newConfig;
-
-		} else {
-			const newConfig = {
-				fromEnv: true,
-				engine:  'knex-native',
-				knex:    {
-					client:     'sqlite3',
-					connection: {
-						filename: envSqliteFile
-					},
-					useNullAsDefault: true
-				}
-			};
-			if (JSON.stringify(configData.database) === JSON.stringify(newConfig)) {
-				// Config is unchanged, skip overwrite
-				resolve();
-				return;
-			}
-
-			logger.info('Generating SQLite knex configuration');
-			configData.database = newConfig;
-		}
-
-		// Write config
-		fs.writeFile(filename, JSON.stringify(configData, null, 2), (err) => {
-			if (err) {
-				logger.error('Could not write db config to config file: ' + filename);
-				reject(err);
-			} else {
-				logger.debug('Wrote db configuration to config file: ' + filename);
-				resolve();
-			}
-		});
-	});
-}
-
 try {
 	appStart();
 } catch (err) {
-	logger.error(err.message, err);
+	logger.fatal(err);
 	process.exit(1);
 }
-
--- a/backend/internal/access-list.js
+++ b/backend/internal/access-list.js
@@ -1,103 +1,94 @@
-const _                     = require('lodash');
-const fs                    = require('fs');
-const batchflow             = require('batchflow');
-const logger                = require('../logger').access;
-const error                 = require('../lib/error');
-const accessListModel       = require('../models/access_list');
-const accessListAuthModel   = require('../models/access_list_auth');
-const accessListClientModel = require('../models/access_list_client');
-const proxyHostModel        = require('../models/proxy_host');
-const internalAuditLog      = require('./audit-log');
-const internalNginx         = require('./nginx');
-const utils                 = require('../lib/utils');
+import fs from "node:fs";
+import batchflow from "batchflow";
+import _ from "lodash";
+import errs from "../lib/error.js";
+import utils from "../lib/utils.js";
+import { access as logger } from "../logger.js";
+import accessListModel from "../models/access_list.js";
+import accessListAuthModel from "../models/access_list_auth.js";
+import accessListClientModel from "../models/access_list_client.js";
+import proxyHostModel from "../models/proxy_host.js";
+import internalAuditLog from "./audit-log.js";
+import internalNginx from "./nginx.js";

-function omissions () {
-	return ['is_deleted'];
-}
+const omissions = () => {
+	return ["is_deleted"];
+};

 const internalAccessList = {
-
 	/**
 	 * @param   {Access}  access
 	 * @param   {Object}  data
 	 * @returns {Promise}
 	 */
-	create: (access, data) => {
-		return access.can('access_lists:create', data)
-			.then((/*access_data*/) => {
-				return accessListModel
-					.query()
-					.omit(omissions())
-					.insertAndFetch({
-						name:          data.name,
-						satisfy_any:   data.satisfy_any,
-						pass_auth:     data.pass_auth,
-						owner_user_id: access.token.getUserId(1)
-					});
+	create: async (access, data) => {
+		await access.can("access_lists:create", data);
+		const row = await accessListModel
+			.query()
+			.insertAndFetch({
+				name: data.name,
+				satisfy_any: data.satisfy_any,
+				pass_auth: data.pass_auth,
+				owner_user_id: access.token.getUserId(1),
 			})
-			.then((row) => {
-				data.id = row.id;
+			.then(utils.omitRow(omissions()));

-				let promises = [];
+		data.id = row.id;

-				// Now add the items
-				data.items.map((item) => {
-					promises.push(accessListAuthModel
-						.query()
-						.insert({
-							access_list_id: row.id,
-							username:       item.username,
-							password:       item.password
-						})
-					);
-				});
+		const promises = [];
+		// Items
+		data.items.map((item) => {
+			promises.push(
+				accessListAuthModel.query().insert({
+					access_list_id: row.id,
+					username: item.username,
+					password: item.password,
+				}),
+			);
+			return true;
+		});

-				// Now add the clients
-				if (typeof data.clients !== 'undefined' && data.clients) {
-					data.clients.map((client) => {
-						promises.push(accessListClientModel
-							.query()
-							.insert({
-								access_list_id: row.id,
-								address:        client.address,
-								directive:      client.directive
-							})
-						);
-					});
-				}
+		// Clients
+		data.clients?.map((client) => {
+			promises.push(
+				accessListClientModel.query().insert({
+					access_list_id: row.id,
+					address: client.address,
+					directive: client.directive,
+				}),
+			);
+			return true;
+		});

-				return Promise.all(promises);
-			})
-			.then(() => {
-				// re-fetch with expansions
-				return internalAccessList.get(access, {
-					id:     data.id,
-					expand: ['owner', 'items', 'clients', 'proxy_hosts.access_list.[clients,items]']
-				}, true /* <- skip masking */);
-			})
-			.then((row) => {
-				// Audit log
-				data.meta = _.assign({}, data.meta || {}, row.meta);
+		await Promise.all(promises);

-				return internalAccessList.build(row)
-					.then(() => {
-						if (row.proxy_host_count) {
-							return internalNginx.bulkGenerateConfigs('proxy_host', row.proxy_hosts);
-						}
-					})
-					.then(() => {
-						// Add to audit log
-						return internalAuditLog.add(access, {
-							action:      'created',
-							object_type: 'access-list',
-							object_id:   row.id,
-							meta:        internalAccessList.maskItems(data)
-						});
-					})
-					.then(() => {
-						return internalAccessList.maskItems(row);
-					});
-			});
+		// re-fetch with expansions
+		const freshRow = await internalAccessList.get(
+			access,
+			{
+				id: data.id,
+				expand: ["owner", "items", "clients", "proxy_hosts.access_list.[clients,items]"],
+			},
+			true // skip masking
+		);
+
+		// Audit log
+		data.meta = _.assign({}, data.meta || {}, freshRow.meta);
+		await internalAccessList.build(freshRow);
+
+		if (Number.parseInt(freshRow.proxy_host_count, 10)) {
+			await internalNginx.bulkGenerateConfigs("proxy_host", freshRow.proxy_hosts);
+		}
+
+		// Add to audit log
+		await internalAuditLog.add(access, {
+			action: "created",
+			object_type: "access-list",
+			object_id: freshRow.id,
+			meta: internalAccessList.maskItems(data),
+		});
+
+		return internalAccessList.maskItems(freshRow);
 	},

 	/**
@@ -108,130 +99,107 @@ const internalAccessList = {
 	 * @param  {String}  [data.items]
 	 * @return {Promise}
 	 */
-	update: (access, data) => {
-		return access.can('access_lists:update', data.id)
-			.then((/*access_data*/) => {
-				return internalAccessList.get(access, {id: data.id});
-			})
-			.then((row) => {
-				if (row.id !== data.id) {
-					// Sanity check that something crazy hasn't happened
-					throw new error.InternalValidationError('Access List could not be updated, IDs do not match: ' + row.id + ' !== ' + data.id);
-				}
-			})
-			.then(() => {
-				// patch name if specified
-				if (typeof data.name !== 'undefined' && data.name) {
-					return accessListModel
-						.query()
-						.where({id: data.id})
-						.patch({
-							name:        data.name,
-							satisfy_any: data.satisfy_any,
-							pass_auth:   data.pass_auth,
-						});
-				}
-			})
-			.then(() => {
-				// Check for items and add/update/remove them
-				if (typeof data.items !== 'undefined' && data.items) {
-					let promises      = [];
-					let items_to_keep = [];
+	update: async (access, data) => {
+		await access.can("access_lists:update", data.id);
+		const row = await internalAccessList.get(access, { id: data.id });
+		if (row.id !== data.id) {
+			// Sanity check that something crazy hasn't happened
+			throw new errs.InternalValidationError(
+				`Access List could not be updated, IDs do not match: ${row.id} !== ${data.id}`,
+			);
+		}

-					data.items.map(function (item) {
-						if (item.password) {
-							promises.push(accessListAuthModel
-								.query()
-								.insert({
-									access_list_id: data.id,
-									username:       item.username,
-									password:       item.password
-								})
-							);
-						} else {
-							// This was supplied with an empty password, which means keep it but don't change the password
-							items_to_keep.push(item.username);
-						}
-					});
-
-					let query = accessListAuthModel
-						.query()
-						.delete()
-						.where('access_list_id', data.id);
-
-					if (items_to_keep.length) {
-						query.andWhere('username', 'NOT IN', items_to_keep);
-					}
-
-					return query
-						.then(() => {
-							// Add new items
-							if (promises.length) {
-								return Promise.all(promises);
-							}
-						});
-				}
-			})
-			.then(() => {
-				// Check for clients and add/update/remove them
-				if (typeof data.clients !== 'undefined' && data.clients) {
-					let promises = [];
-
-					data.clients.map(function (client) {
-						if (client.address) {
-							promises.push(accessListClientModel
-								.query()
-								.insert({
-									access_list_id: data.id,
-									address:        client.address,
-									directive:      client.directive
-								})
-							);
-						}
-					});
-
-					let query = accessListClientModel
-						.query()
-						.delete()
-						.where('access_list_id', data.id);
-
-					return query
-						.then(() => {
-							// Add new items
-							if (promises.length) {
-								return Promise.all(promises);
-							}
-						});
-				}
-			})
-			.then(internalNginx.reload)
-			.then(() => {
-				// Add to audit log
-				return internalAuditLog.add(access, {
-					action:      'updated',
-					object_type: 'access-list',
-					object_id:   data.id,
-					meta:        internalAccessList.maskItems(data)
-				});
-			})
-			.then(() => {
-				// re-fetch with expansions
-				return internalAccessList.get(access, {
-					id:     data.id,
-					expand: ['owner', 'items', 'clients', 'proxy_hosts.access_list.[clients,items]']
-				}, true /* <- skip masking */);
-			})
-			.then((row) => {
-				return internalAccessList.build(row)
-					.then(() => {
-						if (row.proxy_host_count) {
-							return internalNginx.bulkGenerateConfigs('proxy_host', row.proxy_hosts);
-						}
-					})
-					.then(() => {
-						return internalAccessList.maskItems(row);
-					});
+		// patch name if specified
+		if (typeof data.name !== "undefined" && data.name) {
+			await accessListModel.query().where({ id: data.id }).patch({
+				name: data.name,
+				satisfy_any: data.satisfy_any,
+				pass_auth: data.pass_auth,
 			});
+		}
+
+		// Check for items and add/update/remove them
+		if (typeof data.items !== "undefined" && data.items) {
+			const promises = [];
+			const itemsToKeep = [];
+
+			data.items.map((item) => {
+				if (item.password) {
+					promises.push(
+						accessListAuthModel.query().insert({
+							access_list_id: data.id,
+							username: item.username,
+							password: item.password,
+						}),
+					);
+				} else {
+					// This was supplied with an empty password, which means keep it but don't change the password
+					itemsToKeep.push(item.username);
+				}
+				return true;
+			});
+
+			const query = accessListAuthModel.query().delete().where("access_list_id", data.id);
+
+			if (itemsToKeep.length) {
+				query.andWhere("username", "NOT IN", itemsToKeep);
+			}
+
+			await query;
+			// Add new items
+			if (promises.length) {
+				await Promise.all(promises);
+			}
+		}
+
+		// Check for clients and add/update/remove them
+		if (typeof data.clients !== "undefined" && data.clients) {
+			const clientPromises = [];
+			data.clients.map((client) => {
+				if (client.address) {
+					clientPromises.push(
+						accessListClientModel.query().insert({
+							access_list_id: data.id,
+							address: client.address,
+							directive: client.directive,
+						}),
+					);
+				}
+				return true;
+			});
+
+			const query = accessListClientModel.query().delete().where("access_list_id", data.id);
+			await query;
+			// Add new clitens
+			if (clientPromises.length) {
+				await Promise.all(clientPromises);
+			}
+		}
+
+		// Add to audit log
+		await internalAuditLog.add(access, {
+			action: "updated",
+			object_type: "access-list",
+			object_id: data.id,
+			meta: internalAccessList.maskItems(data),
+		});
+
+		// re-fetch with expansions
+		const freshRow = await internalAccessList.get(
+			access,
+			{
+				id: data.id,
+				expand: ["owner", "items", "clients", "proxy_hosts.[certificate,access_list.[clients,items]]"],
+			},
+			true // skip masking
+		);
+
+		await internalAccessList.build(freshRow)
+		if (Number.parseInt(freshRow.proxy_host_count, 10)) {
+			await internalNginx.bulkGenerateConfigs("proxy_host", freshRow.proxy_hosts);
+		}
+		await internalNginx.reload();
+		return internalAccessList.maskItems(freshRow);
 	},

 	/**
@@ -240,52 +208,50 @@ const internalAccessList = {
 	 * @param  {Integer}  data.id
 	 * @param  {Array}    [data.expand]
 	 * @param  {Array}    [data.omit]
-	 * @param  {Boolean}  [skip_masking]
+	 * @param  {Boolean}  [skipMasking]
 	 * @return {Promise}
 	 */
-	get: (access, data, skip_masking) => {
-		if (typeof data === 'undefined') {
-			data = {};
+	get: async (access, data, skipMasking) => {
+		const thisData = data || {};
+		const accessData = await access.can("access_lists:get", thisData.id)
+
+		const query = accessListModel
+			.query()
+			.select("access_list.*", accessListModel.raw("COUNT(proxy_host.id) as proxy_host_count"))
+			.leftJoin("proxy_host", function () {
+				this.on("proxy_host.access_list_id", "=", "access_list.id").andOn(
+					"proxy_host.is_deleted",
+					"=",
+					0,
+				);
+			})
+			.where("access_list.is_deleted", 0)
+			.andWhere("access_list.id", thisData.id)
+			.groupBy("access_list.id")
+			.allowGraph("[owner,items,clients,proxy_hosts.[certificate,access_list.[clients,items]]]")
+			.first();
+
+		if (accessData.permission_visibility !== "all") {
+			query.andWhere("access_list.owner_user_id", access.token.getUserId(1));
 		}

-		return access.can('access_lists:get', data.id)
-			.then((access_data) => {
-				let query = accessListModel
-					.query()
-					.select('access_list.*', accessListModel.raw('COUNT(proxy_host.id) as proxy_host_count'))
-					.joinRaw('LEFT JOIN `proxy_host` ON `proxy_host`.`access_list_id` = `access_list`.`id` AND `proxy_host`.`is_deleted` = 0')
-					.where('access_list.is_deleted', 0)
-					.andWhere('access_list.id', data.id)
-					.allowEager('[owner,items,clients,proxy_hosts.[*, access_list.[clients,items]]]')
-					.omit(['access_list.is_deleted'])
-					.first();
+		if (typeof thisData.expand !== "undefined" && thisData.expand !== null) {
+			query.withGraphFetched(`[${thisData.expand.join(", ")}]`);
+		}

-				if (access_data.permission_visibility !== 'all') {
-					query.andWhere('access_list.owner_user_id', access.token.getUserId(1));
-				}
+		let row = await query.then(utils.omitRow(omissions()));

-				// Custom omissions
-				if (typeof data.omit !== 'undefined' && data.omit !== null) {
-					query.omit(data.omit);
-				}
-
-				if (typeof data.expand !== 'undefined' && data.expand !== null) {
-					query.eager('[' + data.expand.join(', ') + ']');
-				}
-
-				return query;
-			})
-			.then((row) => {
-				if (row) {
-					if (!skip_masking && typeof row.items !== 'undefined' && row.items) {
-						row = internalAccessList.maskItems(row);
-					}
-
-					return _.omit(row, omissions());
-				} else {
-					throw new error.ItemNotFoundError(data.id);
-				}
-			});
+		if (!row || !row.id) {
+			throw new errs.ItemNotFoundError(thisData.id);
+		}
+		if (!skipMasking && typeof row.items !== "undefined" && row.items) {
+			row = internalAccessList.maskItems(row);
+		}
+		// Custom omissions
+		if (typeof data.omit !== "undefined" && data.omit !== null) {
+			row = _.omit(row, data.omit);
+		}
+		return row;
 	},

 	/**
@@ -295,73 +261,64 @@ const internalAccessList = {
 	 * @param   {String}  [data.reason]
 	 * @returns {Promise}
 	 */
-	delete: (access, data) => {
-		return access.can('access_lists:delete', data.id)
-			.then(() => {
-				return internalAccessList.get(access, {id: data.id, expand: ['proxy_hosts', 'items', 'clients']});
-			})
-			.then((row) => {
-				if (!row) {
-					throw new error.ItemNotFoundError(data.id);
-				}
+	delete: async (access, data) => {
+		await access.can("access_lists:delete", data.id);
+		const row = await internalAccessList.get(access, {
+			id: data.id,
+			expand: ["proxy_hosts", "items", "clients"],
+		});

-				// 1. update row to be deleted
-				// 2. update any proxy hosts that were using it (ignoring permissions)
-				// 3. reconfigure those hosts
-				// 4. audit log
+		if (!row || !row.id) {
+			throw new errs.ItemNotFoundError(data.id);
+		}

-				// 1. update row to be deleted
-				return accessListModel
-					.query()
-					.where('id', row.id)
-					.patch({
-						is_deleted: 1
-					})
-					.then(() => {
-						// 2. update any proxy hosts that were using it (ignoring permissions)
-						if (row.proxy_hosts) {
-							return proxyHostModel
-								.query()
-								.where('access_list_id', '=', row.id)
-								.patch({access_list_id: 0})
-								.then(() => {
-									// 3. reconfigure those hosts, then reload nginx
+		// 1. update row to be deleted
+		// 2. update any proxy hosts that were using it (ignoring permissions)
+		// 3. reconfigure those hosts
+		// 4. audit log

-									// set the access_list_id to zero for these items
-									row.proxy_hosts.map(function (val, idx) {
-										row.proxy_hosts[idx].access_list_id = 0;
-									});
+		// 1. update row to be deleted
+		await accessListModel
+			.query()
+			.where("id", row.id)
+			.patch({
+				is_deleted: 1,
+			});

-									return internalNginx.bulkGenerateConfigs('proxy_host', row.proxy_hosts);
-								})
-								.then(() => {
-									return internalNginx.reload();
-								});
-						}
-					})
-					.then(() => {
-						// delete the htpasswd file
-						let htpasswd_file = internalAccessList.getFilename(row);
+		// 2. update any proxy hosts that were using it (ignoring permissions)
+		if (row.proxy_hosts) {
+			await proxyHostModel
+				.query()
+				.where("access_list_id", "=", row.id)
+				.patch({ access_list_id: 0 });

-						try {
-							fs.unlinkSync(htpasswd_file);
-						} catch (err) {
-							// do nothing
-						}
-					})
-					.then(() => {
-						// 4. audit log
-						return internalAuditLog.add(access, {
-							action:      'deleted',
-							object_type: 'access-list',
-							object_id:   row.id,
-							meta:        _.omit(internalAccessList.maskItems(row), ['is_deleted', 'proxy_hosts'])
-						});
-					});
-			})
-			.then(() => {
+			// 3. reconfigure those hosts, then reload nginx
+			// set the access_list_id to zero for these items
+			row.proxy_hosts.map((_val, idx) => {
+				row.proxy_hosts[idx].access_list_id = 0;
 				return true;
 			});
+
+			await internalNginx.bulkGenerateConfigs("proxy_host", row.proxy_hosts);
+		}
+
+		await internalNginx.reload();
+
+		// delete the htpasswd file
+		try {
+			fs.unlinkSync(internalAccessList.getFilename(row));
+		} catch (_err) {
+			// do nothing
+		}
+
+		// 4. audit log
+		await internalAuditLog.add(access, {
+			action: "deleted",
+			object_type: "access-list",
+			object_id: row.id,
+			meta: _.omit(internalAccessList.maskItems(row), ["is_deleted", "proxy_hosts"]),
+		});
+		return true;
 	},

 	/**
@@ -369,73 +326,73 @@ const internalAccessList = {
 	 *
 	 * @param   {Access}  access
 	 * @param   {Array}   [expand]
-	 * @param   {String}  [search_query]
+	 * @param   {String}  [searchQuery]
 	 * @returns {Promise}
 	 */
-	getAll: (access, expand, search_query) => {
-		return access.can('access_lists:list')
-			.then((access_data) => {
-				let query = accessListModel
-					.query()
-					.select('access_list.*', accessListModel.raw('COUNT(proxy_host.id) as proxy_host_count'))
-					.joinRaw('LEFT JOIN `proxy_host` ON `proxy_host`.`access_list_id` = `access_list`.`id` AND `proxy_host`.`is_deleted` = 0')
-					.where('access_list.is_deleted', 0)
-					.groupBy('access_list.id')
-					.omit(['access_list.is_deleted'])
-					.allowEager('[owner,items,clients]')
-					.orderBy('access_list.name', 'ASC');
+	getAll: async (access, expand, searchQuery) => {
+		const accessData = await access.can("access_lists:list");

-				if (access_data.permission_visibility !== 'all') {
-					query.andWhere('access_list.owner_user_id', access.token.getUserId(1));
-				}
-
-				// Query is used for searching
-				if (typeof search_query === 'string') {
-					query.where(function () {
-						this.where('name', 'like', '%' + search_query + '%');
-					});
-				}
-
-				if (typeof expand !== 'undefined' && expand !== null) {
-					query.eager('[' + expand.join(', ') + ']');
-				}
-
-				return query;
+		const query = accessListModel
+			.query()
+			.select("access_list.*", accessListModel.raw("COUNT(proxy_host.id) as proxy_host_count"))
+			.leftJoin("proxy_host", function () {
+				this.on("proxy_host.access_list_id", "=", "access_list.id").andOn(
+					"proxy_host.is_deleted",
+					"=",
+					0,
+				);
 			})
-			.then((rows) => {
-				if (rows) {
-					rows.map(function (row, idx) {
-						if (typeof row.items !== 'undefined' && row.items) {
-							rows[idx] = internalAccessList.maskItems(row);
-						}
-					});
-				}
+			.where("access_list.is_deleted", 0)
+			.groupBy("access_list.id")
+			.allowGraph("[owner,items,clients]")
+			.orderBy("access_list.name", "ASC");

-				return rows;
+		if (accessData.permission_visibility !== "all") {
+			query.andWhere("access_list.owner_user_id", access.token.getUserId(1));
+		}
+
+		// Query is used for searching
+		if (typeof searchQuery === "string") {
+			query.where(function () {
+				this.where("name", "like", `%${searchQuery}%`);
 			});
+		}
+
+		if (typeof expand !== "undefined" && expand !== null) {
+			query.withGraphFetched(`[${expand.join(", ")}]`);
+		}
+
+		const rows = await query.then(utils.omitRows(omissions()));
+		if (rows) {
+			rows.map((row, idx) => {
+				if (typeof row.items !== "undefined" && row.items) {
+					rows[idx] = internalAccessList.maskItems(row);
+				}
+				return true;
+			});
+		}
+		return rows;
 	},

 	/**
-	 * Report use
+	 * Count is used in reports
 	 *
-	 * @param   {Integer} user_id
+	 * @param   {Integer} userId
 	 * @param   {String}  visibility
 	 * @returns {Promise}
 	 */
-	getCount: (user_id, visibility) => {
-		let query = accessListModel
+	getCount: async (userId, visibility) => {
+		const query = accessListModel
 			.query()
-			.count('id as count')
-			.where('is_deleted', 0);
+			.count("id as count")
+			.where("is_deleted", 0);

-		if (visibility !== 'all') {
-			query.andWhere('owner_user_id', user_id);
+		if (visibility !== "all") {
+			query.andWhere("owner_user_id", userId);
 		}

-		return query.first()
-			.then((row) => {
-				return parseInt(row.count, 10);
-			});
+		const row = await query.first();
+		return Number.parseInt(row.count, 10);
 	},

 	/**
@@ -443,21 +400,21 @@ const internalAccessList = {
 	 * @returns {Object}
 	 */
 	maskItems: (list) => {
-		if (list && typeof list.items !== 'undefined') {
-			list.items.map(function (val, idx) {
-				let repeat_for = 8;
-				let first_char = '*';
+		if (list && typeof list.items !== "undefined") {
+			list.items.map((val, idx) => {
+				let repeatFor = 8;
+				let firstChar = "*";

-				if (typeof val.password !== 'undefined' && val.password) {
-					repeat_for = val.password.length - 1;
-					first_char = val.password.charAt(0);
+				if (typeof val.password !== "undefined" && val.password) {
+					repeatFor = val.password.length - 1;
+					firstChar = val.password.charAt(0);
 				}

-				list.items[idx].hint     = first_char + ('*').repeat(repeat_for);
-				list.items[idx].password = '';
+				list.items[idx].hint = firstChar + "*".repeat(repeatFor);
+				list.items[idx].password = "";
+				return true;
 			});
 		}
-
 		return list;
 	},

@@ -467,7 +424,7 @@ const internalAccessList = {
 	 * @returns {String}
 	 */
 	getFilename: (list) => {
-		return '/data/access/' + list.id;
+		return `/data/access/${list.id}`;
 	},

 	/**
@@ -477,58 +434,55 @@ const internalAccessList = {
 	 * @param   {Array}   list.items
 	 * @returns {Promise}
 	 */
-	build: (list) => {
-		logger.info('Building Access file #' + list.id + ' for: ' + list.name);
+	build: async (list) => {
+		logger.info(`Building Access file #${list.id} for: ${list.name}`);

-		return new Promise((resolve, reject) => {
-			let htpasswd_file = internalAccessList.getFilename(list);
+		const htpasswdFile = internalAccessList.getFilename(list);

-			// 1. remove any existing access file
-			try {
-				fs.unlinkSync(htpasswd_file);
-			} catch (err) {
-				// do nothing
-			}
+		// 1. remove any existing access file
+		try {
+			fs.unlinkSync(htpasswdFile);
+		} catch (_err) {
+			// do nothing
+		}

-			// 2. create empty access file
-			try {
-				fs.writeFileSync(htpasswd_file, '', {encoding: 'utf8'});
-				resolve(htpasswd_file);
-			} catch (err) {
-				reject(err);
-			}
-		})
-			.then((htpasswd_file) => {
-				// 3. generate password for each user
-				if (list.items.length) {
-					return new Promise((resolve, reject) => {
-						batchflow(list.items).sequential()
-							.each((i, item, next) => {
-								if (typeof item.password !== 'undefined' && item.password.length) {
-									logger.info('Adding: ' + item.username);
+		// 2. create empty access file
+		fs.writeFileSync(htpasswdFile, '', {encoding: 'utf8'});

-									utils.exec('/usr/bin/htpasswd -b "' + htpasswd_file + '" "' + item.username + '" "' + item.password + '"')
-										.then((/*result*/) => {
-											next();
-										})
-										.catch((err) => {
-											logger.error(err);
-											next(err);
-										});
-								}
-							})
-							.error((err) => {
-								logger.error(err);
-								reject(err);
-							})
-							.end((results) => {
-								logger.success('Built Access file #' + list.id + ' for: ' + list.name);
-								resolve(results);
-							});
+		// 3. generate password for each user
+		if (list.items.length) {
+			await new Promise((resolve, reject) => {
+				batchflow(list.items).sequential()
+					.each((_i, item, next) => {
+						if (item.password?.length) {
+							logger.info(`Adding: ${item.username}`);
+
+							utils.execFile('openssl', ['passwd', '-apr1', item.password])
+								.then((res) => {
+									try {
+										fs.appendFileSync(htpasswdFile, `${item.username}:${res}\n`, {encoding: 'utf8'});
+									} catch (err) {
+										reject(err);
+									}
+									next();
+								})
+								.catch((err) => {
+									logger.error(err);
+									next(err);
+								});
+						}
+					})
+					.error((err) => {
+						logger.error(err);
+						reject(err);
+					})
+					.end((results) => {
+						logger.success(`Built Access file #${list.id} for: ${list.name}`);
+						resolve(results);
 					});
-				}
 			});
+		}
 	}
-};
+}

-module.exports = internalAccessList;
+export default internalAccessList;
--- a/backend/internal/audit-log.js
+++ b/backend/internal/audit-log.js
@@ -1,5 +1,6 @@
-const error         = require('../lib/error');
-const auditLogModel = require('../models/audit-log');
+import errs from "../lib/error.js";
+import { castJsonIfNeed } from "../lib/helpers.js";
+import auditLogModel from "../models/audit-log.js";

 const internalAuditLog = {

@@ -8,32 +9,60 @@ const internalAuditLog = {
 	 *
 	 * @param   {Access}  access
 	 * @param   {Array}   [expand]
-	 * @param   {String}  [search_query]
+	 * @param   {String}  [searchQuery]
 	 * @returns {Promise}
 	 */
-	getAll: (access, expand, search_query) => {
-		return access.can('auditlog:list')
-			.then(() => {
-				let query = auditLogModel
-					.query()
-					.orderBy('created_on', 'DESC')
-					.orderBy('id', 'DESC')
-					.limit(100)
-					.allowEager('[user]');
+	getAll: async (access, expand, searchQuery) => {
+		await access.can("auditlog:list");

-				// Query is used for searching
-				if (typeof search_query === 'string') {
-					query.where(function () {
-						this.where('meta', 'like', '%' + search_query + '%');
-					});
-				}
+		const query = auditLogModel
+			.query()
+			.orderBy("created_on", "DESC")
+			.orderBy("id", "DESC")
+			.limit(100)
+			.allowGraph("[user]");

-				if (typeof expand !== 'undefined' && expand !== null) {
-					query.eager('[' + expand.join(', ') + ']');
-				}
-
-				return query;
+		// Query is used for searching
+		if (typeof searchQuery === "string" && searchQuery.length > 0) {
+			query.where(function () {
+				this.where(castJsonIfNeed("meta"), "like", `%${searchQuery}`);
 			});
+		}
+
+		if (typeof expand !== "undefined" && expand !== null) {
+			query.withGraphFetched(`[${expand.join(", ")}]`);
+		}
+
+		return await query;
+	},
+
+	/**
+	 * @param  {Access}   access
+	 * @param  {Object}   [data]
+	 * @param  {Integer}  [data.id]          Defaults to the token user
+	 * @param  {Array}    [data.expand]
+	 * @return {Promise}
+	 */
+	get: async (access, data) => {
+		await access.can("auditlog:list");
+
+		const query = auditLogModel
+			.query()
+			.andWhere("id", data.id)
+			.allowGraph("[user]")
+			.first();
+
+		if (typeof data.expand !== "undefined" && data.expand !== null) {
+			query.withGraphFetched(`[${data.expand.join(", ")}]`);
+		}
+
+		const row = await query;
+
+		if (!row?.id) {
+			throw new errs.ItemNotFoundError(data.id);
+		}
+
+		return row;
 	},

 	/**
@@ -50,29 +79,24 @@ const internalAuditLog = {
 	 * @param   {Object}   [data.meta]
 	 * @returns {Promise}
 	 */
-	add: (access, data) => {
-		return new Promise((resolve, reject) => {
-			// Default the user id
-			if (typeof data.user_id === 'undefined' || !data.user_id) {
-				data.user_id = access.token.getUserId(1);
-			}
+	add: async (access, data) => {
+		if (typeof data.user_id === "undefined" || !data.user_id) {
+			data.user_id = access.token.getUserId(1);
+		}

-			if (typeof data.action === 'undefined' || !data.action) {
-				reject(new error.InternalValidationError('Audit log entry must contain an Action'));
-			} else {
-				// Make sure at least 1 of the IDs are set and action
-				resolve(auditLogModel
-					.query()
-					.insert({
-						user_id:     data.user_id,
-						action:      data.action,
-						object_type: data.object_type || '',
-						object_id:   data.object_id || 0,
-						meta:        data.meta || {}
-					}));
-			}
+		if (typeof data.action === "undefined" || !data.action) {
+			throw new errs.InternalValidationError("Audit log entry must contain an Action");
+		}
+
+		// Make sure at least 1 of the IDs are set and action
+		return await auditLogModel.query().insert({
+			user_id: data.user_id,
+			action: data.action,
+			object_type: data.object_type || "",
+			object_id: data.object_id || 0,
+			meta: data.meta || {},
 		});
-	}
+	},
 };

-module.exports = internalAuditLog;
+export default internalAuditLog;
--- a/backend/internal/certificate.js
+++ b/backend/internal/certificate.js
--- a/backend/internal/dead-host.js
+++ b/backend/internal/dead-host.js
@@ -1,102 +1,96 @@
-const _                   = require('lodash');
-const error               = require('../lib/error');
-const deadHostModel       = require('../models/dead_host');
-const internalHost        = require('./host');
-const internalNginx       = require('./nginx');
-const internalAuditLog    = require('./audit-log');
-const internalCertificate = require('./certificate');
+import _ from "lodash";
+import errs from "../lib/error.js";
+import { castJsonIfNeed } from "../lib/helpers.js";
+import utils from "../lib/utils.js";
+import deadHostModel from "../models/dead_host.js";
+import internalAuditLog from "./audit-log.js";
+import internalCertificate from "./certificate.js";
+import internalHost from "./host.js";
+import internalNginx from "./nginx.js";

-function omissions () {
-	return ['is_deleted'];
-}
+const omissions = () => {
+	return ["is_deleted"];
+};

 const internalDeadHost = {
-
 	/**
 	 * @param   {Access}  access
 	 * @param   {Object}  data
 	 * @returns {Promise}
 	 */
-	create: (access, data) => {
-		let create_certificate = data.certificate_id === 'new';
+	create: async (access, data) => {
+		const createCertificate = data.certificate_id === "new";

-		if (create_certificate) {
+		if (createCertificate) {
 			delete data.certificate_id;
 		}

-		return access.can('dead_hosts:create', data)
-			.then((/*access_data*/) => {
-				// Get a list of the domain names and check each of them against existing records
-				let domain_name_check_promises = [];
+		await access.can("dead_hosts:create", data);

-				data.domain_names.map(function (domain_name) {
-					domain_name_check_promises.push(internalHost.isHostnameTaken(domain_name));
-				});
+		// Get a list of the domain names and check each of them against existing records
+		const domainNameCheckPromises = [];

-				return Promise.all(domain_name_check_promises)
-					.then((check_results) => {
-						check_results.map(function (result) {
-							if (result.is_taken) {
-								throw new error.ValidationError(result.hostname + ' is already in use');
-							}
-						});
-					});
-			})
-			.then(() => {
-				// At this point the domains should have been checked
-				data.owner_user_id = access.token.getUserId(1);
-				data               = internalHost.cleanSslHstsData(data);
+		data.domain_names.map((domain_name) => {
+			domainNameCheckPromises.push(internalHost.isHostnameTaken(domain_name));
+			return true;
+		});

-				return deadHostModel
-					.query()
-					.omit(omissions())
-					.insertAndFetch(data);
-			})
-			.then((row) => {
-				if (create_certificate) {
-					return internalCertificate.createQuickCertificate(access, data)
-						.then((cert) => {
-							// update host with cert id
-							return internalDeadHost.update(access, {
-								id:             row.id,
-								certificate_id: cert.id
-							});
-						})
-						.then(() => {
-							return row;
-						});
-				} else {
-					return row;
+		await Promise.all(domainNameCheckPromises).then((check_results) => {
+			check_results.map((result) => {
+				if (result.is_taken) {
+					throw new errs.ValidationError(`${result.hostname} is already in use`);
 				}
-			})
-			.then((row) => {
-				// re-fetch with cert
-				return internalDeadHost.get(access, {
-					id:     row.id,
-					expand: ['certificate', 'owner']
-				});
-			})
-			.then((row) => {
-				// Configure nginx
-				return internalNginx.configure(deadHostModel, 'dead_host', row)
-					.then(() => {
-						return row;
-					});
-			})
-			.then((row) => {
-				data.meta = _.assign({}, data.meta || {}, row.meta);
-
-				// Add to audit log
-				return internalAuditLog.add(access, {
-					action:      'created',
-					object_type: 'dead-host',
-					object_id:   row.id,
-					meta:        data
-				})
-					.then(() => {
-						return row;
-					});
+				return true;
 			});
+		});
+
+		// At this point the domains should have been checked
+		data.owner_user_id = access.token.getUserId(1);
+		const thisData = internalHost.cleanSslHstsData(data);
+
+		// Fix for db field not having a default value
+		// for this optional field.
+		if (typeof data.advanced_config === "undefined") {
+			thisData.advanced_config = "";
+		}
+
+		const row = await deadHostModel.query()
+			.insertAndFetch(thisData)
+			.then(utils.omitRow(omissions()));
+
+		// Add to audit log
+		await internalAuditLog.add(access, {
+			action: "created",
+			object_type: "dead-host",
+			object_id: row.id,
+			meta: thisData,
+		});
+
+		if (createCertificate) {
+			const cert = await internalCertificate.createQuickCertificate(access, data);
+
+			// update host with cert id
+			await internalDeadHost.update(access, {
+				id: row.id,
+				certificate_id: cert.id,
+			});
+		}
+
+		// re-fetch with cert
+		const freshRow = await internalDeadHost.get(access, {
+			id: row.id,
+			expand: ["certificate", "owner"],
+		});
+
+		// Sanity check
+		if (createCertificate && !freshRow.certificate_id) {
+			throw new errs.InternalValidationError("The host was created but the Certificate creation failed.");
+		}
+
+		// Configure nginx
+		await internalNginx.configure(deadHostModel, "dead_host", freshRow);
+
+		return freshRow;
 	},

 	/**
@@ -105,98 +99,85 @@ const internalDeadHost = {
 	 * @param  {Number}  data.id
 	 * @return {Promise}
 	 */
-	update: (access, data) => {
-		let create_certificate = data.certificate_id === 'new';
-
-		if (create_certificate) {
+	update: async (access, data) => {
+		const createCertificate = data.certificate_id === "new";
+		if (createCertificate) {
 			delete data.certificate_id;
 		}

-		return access.can('dead_hosts:update', data.id)
-			.then((/*access_data*/) => {
-				// Get a list of the domain names and check each of them against existing records
-				let domain_name_check_promises = [];
+		await access.can("dead_hosts:update", data.id);

-				if (typeof data.domain_names !== 'undefined') {
-					data.domain_names.map(function (domain_name) {
-						domain_name_check_promises.push(internalHost.isHostnameTaken(domain_name, 'dead', data.id));
-					});
-
-					return Promise.all(domain_name_check_promises)
-						.then((check_results) => {
-							check_results.map(function (result) {
-								if (result.is_taken) {
-									throw new error.ValidationError(result.hostname + ' is already in use');
-								}
-							});
-						});
-				}
-			})
-			.then(() => {
-				return internalDeadHost.get(access, {id: data.id});
-			})
-			.then((row) => {
-				if (row.id !== data.id) {
-					// Sanity check that something crazy hasn't happened
-					throw new error.InternalValidationError('404 Host could not be updated, IDs do not match: ' + row.id + ' !== ' + data.id);
-				}
-
-				if (create_certificate) {
-					return internalCertificate.createQuickCertificate(access, {
-						domain_names: data.domain_names || row.domain_names,
-						meta:         _.assign({}, row.meta, data.meta)
-					})
-						.then((cert) => {
-							// update host with cert id
-							data.certificate_id = cert.id;
-						})
-						.then(() => {
-							return row;
-						});
-				} else {
-					return row;
-				}
-			})
-			.then((row) => {
-				// Add domain_names to the data in case it isn't there, so that the audit log renders correctly. The order is important here.
-				data = _.assign({}, {
-					domain_names: row.domain_names
-				}, data);
-
-				data = internalHost.cleanSslHstsData(data, row);
-
-				return deadHostModel
-					.query()
-					.where({id: data.id})
-					.patch(data)
-					.then((saved_row) => {
-						// Add to audit log
-						return internalAuditLog.add(access, {
-							action:      'updated',
-							object_type: 'dead-host',
-							object_id:   row.id,
-							meta:        data
-						})
-							.then(() => {
-								return _.omit(saved_row, omissions());
-							});
-					});
-			})
-			.then(() => {
-				return internalDeadHost.get(access, {
-					id:     data.id,
-					expand: ['owner', 'certificate']
-				})
-					.then((row) => {
-						// Configure nginx
-						return internalNginx.configure(deadHostModel, 'dead_host', row)
-							.then((new_meta) => {
-								row.meta = new_meta;
-								row      = internalHost.cleanRowCertificateMeta(row);
-								return _.omit(row, omissions());
-							});
-					});
+		// Get a list of the domain names and check each of them against existing records
+		const domainNameCheckPromises = [];
+		if (typeof data.domain_names !== "undefined") {
+			data.domain_names.map((domainName) => {
+				domainNameCheckPromises.push(internalHost.isHostnameTaken(domainName, "dead", data.id));
+				return true;
 			});
+
+			const checkResults = await Promise.all(domainNameCheckPromises);
+			checkResults.map((result) => {
+				if (result.is_taken) {
+					throw new errs.ValidationError(`${result.hostname} is already in use`);
+				}
+				return true;
+			});
+		}
+		const row = await internalDeadHost.get(access, { id: data.id });
+
+		if (row.id !== data.id) {
+			// Sanity check that something crazy hasn't happened
+			throw new errs.InternalValidationError(
+				`404 Host could not be updated, IDs do not match: ${row.id} !== ${data.id}`,
+			);
+		}
+
+		if (createCertificate) {
+			const cert = await internalCertificate.createQuickCertificate(access, {
+				domain_names: data.domain_names || row.domain_names,
+				meta: _.assign({}, row.meta, data.meta),
+			});
+
+			// update host with cert id
+			data.certificate_id = cert.id;
+		}
+
+		// Add domain_names to the data in case it isn't there, so that the audit log renders correctly. The order is important here.
+		let thisData = _.assign(
+			{},
+			{
+				domain_names: row.domain_names,
+			},
+			data,
+		);
+
+		thisData = internalHost.cleanSslHstsData(thisData, row);
+
+
+		// do the row update
+		await deadHostModel
+			.query()
+			.where({id: data.id})
+			.patch(data);
+
+		// Add to audit log
+		await internalAuditLog.add(access, {
+			action: "updated",
+			object_type: "dead-host",
+			object_id: row.id,
+			meta: thisData,
+		});
+
+		const thisRow = await internalDeadHost
+			.get(access, {
+				id: thisData.id,
+				expand: ["owner", "certificate"],
+			});
+
+		// Configure nginx
+		const newMeta = await internalNginx.configure(deadHostModel, "dead_host", row);
+		row.meta = newMeta;
+		return _.omit(internalHost.cleanRowCertificateMeta(thisRow), omissions());
 	},

 	/**
@@ -207,43 +188,32 @@ const internalDeadHost = {
 	 * @param  {Array}    [data.omit]
 	 * @return {Promise}
 	 */
-	get: (access, data) => {
-		if (typeof data === 'undefined') {
-			data = {};
+	get: async (access, data) => {
+		const accessData = await access.can("dead_hosts:get", data.id);
+		const query = deadHostModel
+			.query()
+			.where("is_deleted", 0)
+			.andWhere("id", data.id)
+			.allowGraph("[owner,certificate]")
+			.first();
+
+		if (accessData.permission_visibility !== "all") {
+			query.andWhere("owner_user_id", access.token.getUserId(1));
 		}

-		return access.can('dead_hosts:get', data.id)
-			.then((access_data) => {
-				let query = deadHostModel
-					.query()
-					.where('is_deleted', 0)
-					.andWhere('id', data.id)
-					.allowEager('[owner,certificate]')
-					.first();
+		if (typeof data.expand !== "undefined" && data.expand !== null) {
+			query.withGraphFetched(`[${data.expand.join(", ")}]`);
+		}

-				if (access_data.permission_visibility !== 'all') {
-					query.andWhere('owner_user_id', access.token.getUserId(1));
-				}
-
-				// Custom omissions
-				if (typeof data.omit !== 'undefined' && data.omit !== null) {
-					query.omit(data.omit);
-				}
-
-				if (typeof data.expand !== 'undefined' && data.expand !== null) {
-					query.eager('[' + data.expand.join(', ') + ']');
-				}
-
-				return query;
-			})
-			.then((row) => {
-				if (row) {
-					row = internalHost.cleanRowCertificateMeta(row);
-					return _.omit(row, omissions());
-				} else {
-					throw new error.ItemNotFoundError(data.id);
-				}
-			});
+		const row = await query.then(utils.omitRow(omissions()));
+		if (!row || !row.id) {
+			throw new errs.ItemNotFoundError(data.id);
+		}
+		// Custom omissions
+		if (typeof data.omit !== "undefined" && data.omit !== null) {
+			return _.omit(row, data.omit);
+		}
+		return row;
 	},

 	/**
@@ -253,42 +223,32 @@ const internalDeadHost = {
 	 * @param {String}  [data.reason]
 	 * @returns {Promise}
 	 */
-	delete: (access, data) => {
-		return access.can('dead_hosts:delete', data.id)
-			.then(() => {
-				return internalDeadHost.get(access, {id: data.id});
-			})
-			.then((row) => {
-				if (!row) {
-					throw new error.ItemNotFoundError(data.id);
-				}
+	delete: async (access, data) => {
+		await access.can("dead_hosts:delete", data.id)
+		const row = await internalDeadHost.get(access, { id: data.id });
+		if (!row || !row.id) {
+			throw new errs.ItemNotFoundError(data.id);
+		}

-				return deadHostModel
-					.query()
-					.where('id', row.id)
-					.patch({
-						is_deleted: 1
-					})
-					.then(() => {
-						// Delete Nginx Config
-						return internalNginx.deleteConfig('dead_host', row)
-							.then(() => {
-								return internalNginx.reload();
-							});
-					})
-					.then(() => {
-						// Add to audit log
-						return internalAuditLog.add(access, {
-							action:      'deleted',
-							object_type: 'dead-host',
-							object_id:   row.id,
-							meta:        _.omit(row, omissions())
-						});
-					});
-			})
-			.then(() => {
-				return true;
+		await deadHostModel
+			.query()
+			.where("id", row.id)
+			.patch({
+				is_deleted: 1,
 			});
+
+		// Delete Nginx Config
+		await internalNginx.deleteConfig("dead_host", row);
+		await internalNginx.reload();
+
+		// Add to audit log
+		await internalAuditLog.add(access, {
+			action: "deleted",
+			object_type: "dead-host",
+			object_id: row.id,
+			meta: _.omit(row, omissions()),
+		});
+		return true;
 	},

 	/**
@@ -298,46 +258,39 @@ const internalDeadHost = {
 	 * @param {String}  [data.reason]
 	 * @returns {Promise}
 	 */
-	enable: (access, data) => {
-		return access.can('dead_hosts:update', data.id)
-			.then(() => {
-				return internalDeadHost.get(access, {
-					id:     data.id,
-					expand: ['certificate', 'owner']
-				});
-			})
-			.then((row) => {
-				if (!row) {
-					throw new error.ItemNotFoundError(data.id);
-				} else if (row.enabled) {
-					throw new error.ValidationError('Host is already enabled');
-				}
+	enable: async (access, data) => {
+		await access.can("dead_hosts:update", data.id)
+		const row = await internalDeadHost.get(access, {
+			id: data.id,
+			expand: ["certificate", "owner"],
+		});
+		if (!row || !row.id) {
+			throw new errs.ItemNotFoundError(data.id);
+		}
+		if (row.enabled) {
+			throw new errs.ValidationError("Host is already enabled");
+		}

-				row.enabled = 1;
+		row.enabled = 1;

-				return deadHostModel
-					.query()
-					.where('id', row.id)
-					.patch({
-						enabled: 1
-					})
-					.then(() => {
-						// Configure nginx
-						return internalNginx.configure(deadHostModel, 'dead_host', row);
-					})
-					.then(() => {
-						// Add to audit log
-						return internalAuditLog.add(access, {
-							action:      'enabled',
-							object_type: 'dead-host',
-							object_id:   row.id,
-							meta:        _.omit(row, omissions())
-						});
-					});
-			})
-			.then(() => {
-				return true;
+		await deadHostModel
+			.query()
+			.where("id", row.id)
+			.patch({
+				enabled: 1,
 			});
+
+		// Configure nginx
+		await internalNginx.configure(deadHostModel, "dead_host", row);
+
+		// Add to audit log
+		await internalAuditLog.add(access, {
+			action: "enabled",
+			object_type: "dead-host",
+			object_id: row.id,
+			meta: _.omit(row, omissions()),
+		});
+		return true;
 	},

 	/**
@@ -347,46 +300,37 @@ const internalDeadHost = {
 	 * @param {String}  [data.reason]
 	 * @returns {Promise}
 	 */
-	disable: (access, data) => {
-		return access.can('dead_hosts:update', data.id)
-			.then(() => {
-				return internalDeadHost.get(access, {id: data.id});
-			})
-			.then((row) => {
-				if (!row) {
-					throw new error.ItemNotFoundError(data.id);
-				} else if (!row.enabled) {
-					throw new error.ValidationError('Host is already disabled');
-				}
+	disable: async (access, data) => {
+		await access.can("dead_hosts:update", data.id)
+		const row = await internalDeadHost.get(access, { id: data.id });
+		if (!row || !row.id) {
+			throw new errs.ItemNotFoundError(data.id);
+		}
+		if (!row.enabled) {
+			throw new errs.ValidationError("Host is already disabled");
+		}

-				row.enabled = 0;
+		row.enabled = 0;

-				return deadHostModel
-					.query()
-					.where('id', row.id)
-					.patch({
-						enabled: 0
-					})
-					.then(() => {
-						// Delete Nginx Config
-						return internalNginx.deleteConfig('dead_host', row)
-							.then(() => {
-								return internalNginx.reload();
-							});
-					})
-					.then(() => {
-						// Add to audit log
-						return internalAuditLog.add(access, {
-							action:      'disabled',
-							object_type: 'dead-host',
-							object_id:   row.id,
-							meta:        _.omit(row, omissions())
-						});
-					});
-			})
-			.then(() => {
-				return true;
+		await deadHostModel
+			.query()
+			.where("id", row.id)
+			.patch({
+				enabled: 0,
 			});
+
+		// Delete Nginx Config
+		await internalNginx.deleteConfig("dead_host", row);
+		await internalNginx.reload();
+
+		// Add to audit log
+		await internalAuditLog.add(access, {
+			action: "disabled",
+			object_type: "dead-host",
+			object_id: row.id,
+			meta: _.omit(row, omissions()),
+		});
+		return true;
 	},

 	/**
@@ -394,44 +338,38 @@ const internalDeadHost = {
 	 *
 	 * @param   {Access}  access
 	 * @param   {Array}   [expand]
-	 * @param   {String}  [search_query]
+	 * @param   {String}  [searchQuery]
 	 * @returns {Promise}
 	 */
-	getAll: (access, expand, search_query) => {
-		return access.can('dead_hosts:list')
-			.then((access_data) => {
-				let query = deadHostModel
-					.query()
-					.where('is_deleted', 0)
-					.groupBy('id')
-					.omit(['is_deleted'])
-					.allowEager('[owner,certificate]')
-					.orderBy('domain_names', 'ASC');
+	getAll: async (access, expand, searchQuery) => {
+		const accessData = await access.can("dead_hosts:list")
+		const query = deadHostModel
+			.query()
+			.where("is_deleted", 0)
+			.groupBy("id")
+			.allowGraph("[owner,certificate]")
+			.orderBy(castJsonIfNeed("domain_names"), "ASC");

-				if (access_data.permission_visibility !== 'all') {
-					query.andWhere('owner_user_id', access.token.getUserId(1));
-				}
+		if (accessData.permission_visibility !== "all") {
+			query.andWhere("owner_user_id", access.token.getUserId(1));
+		}

-				// Query is used for searching
-				if (typeof search_query === 'string') {
-					query.where(function () {
-						this.where('domain_names', 'like', '%' + search_query + '%');
-					});
-				}
-
-				if (typeof expand !== 'undefined' && expand !== null) {
-					query.eager('[' + expand.join(', ') + ']');
-				}
-
-				return query;
-			})
-			.then((rows) => {
-				if (typeof expand !== 'undefined' && expand !== null && expand.indexOf('certificate') !== -1) {
-					return internalHost.cleanAllRowsCertificateMeta(rows);
-				}
-
-				return rows;
+		// Query is used for searching
+		if (typeof searchQuery === "string" && searchQuery.length > 0) {
+			query.where(function () {
+				this.where(castJsonIfNeed("domain_names"), "like", `%${searchQuery}%`);
 			});
+		}
+
+		if (typeof expand !== "undefined" && expand !== null) {
+			query.withGraphFetched(`[${expand.join(", ")}]`);
+		}
+
+		const rows = await query.then(utils.omitRows(omissions()));
+		if (typeof expand !== "undefined" && expand !== null && expand.indexOf("certificate") !== -1) {
+			internalHost.cleanAllRowsCertificateMeta(rows);
+		}
+		return rows;
 	},

 	/**
@@ -441,21 +379,16 @@ const internalDeadHost = {
 	 * @param   {String}  visibility
 	 * @returns {Promise}
 	 */
-	getCount: (user_id, visibility) => {
-		let query = deadHostModel
-			.query()
-			.count('id as count')
-			.where('is_deleted', 0);
+	getCount: async (user_id, visibility) => {
+		const query = deadHostModel.query().count("id as count").where("is_deleted", 0);

-		if (visibility !== 'all') {
-			query.andWhere('owner_user_id', user_id);
+		if (visibility !== "all") {
+			query.andWhere("owner_user_id", user_id);
 		}

-		return query.first()
-			.then((row) => {
-				return parseInt(row.count, 10);
-			});
-	}
+		const row = await query.first();
+		return Number.parseInt(row.count, 10);
+	},
 };

-module.exports = internalDeadHost;
+export default internalDeadHost;
--- a/backend/internal/host.js
+++ b/backend/internal/host.js
@@ -1,10 +1,10 @@
-const _                    = require('lodash');
-const proxyHostModel       = require('../models/proxy_host');
-const redirectionHostModel = require('../models/redirection_host');
-const deadHostModel        = require('../models/dead_host');
+import _ from "lodash";
+import { castJsonIfNeed } from "../lib/helpers.js";
+import deadHostModel from "../models/dead_host.js";
+import proxyHostModel from "../models/proxy_host.js";
+import redirectionHostModel from "../models/redirection_host.js";

 const internalHost = {
-
 	/**
 	 * Makes sure that the ssl_* and hsts_* fields play nicely together.
 	 * ie: if there is no cert, then force_ssl is off.
@@ -14,25 +14,23 @@ const internalHost = {
 	 * @param   {object} [existing_data]
 	 * @returns {object}
 	 */
-	cleanSslHstsData: function (data, existing_data) {
-		existing_data = existing_data === undefined ? {} : existing_data;
+	cleanSslHstsData: (data, existingData) => {
+		const combinedData = _.assign({}, existingData || {}, data);

-		let combined_data = _.assign({}, existing_data, data);
-
-		if (!combined_data.certificate_id) {
-			combined_data.ssl_forced    = false;
-			combined_data.http2_support = false;
+		if (!combinedData.certificate_id) {
+			combinedData.ssl_forced = false;
+			combinedData.http2_support = false;
 		}

-		if (!combined_data.ssl_forced) {
-			combined_data.hsts_enabled = false;
+		if (!combinedData.ssl_forced) {
+			combinedData.hsts_enabled = false;
 		}

-		if (!combined_data.hsts_enabled) {
-			combined_data.hsts_subdomains = false;
+		if (!combinedData.hsts_enabled) {
+			combinedData.hsts_subdomains = false;
 		}

-		return combined_data;
+		return combinedData;
 	},

 	/**
@@ -41,11 +39,12 @@ const internalHost = {
 	 * @param   {Array}  rows
 	 * @returns {Array}
 	 */
-	cleanAllRowsCertificateMeta: function (rows) {
-		rows.map(function (row, idx) {
-			if (typeof rows[idx].certificate !== 'undefined' && rows[idx].certificate) {
+	cleanAllRowsCertificateMeta: (rows) => {
+		rows.map((_, idx) => {
+			if (typeof rows[idx].certificate !== "undefined" && rows[idx].certificate) {
 				rows[idx].certificate.meta = {};
 			}
+			return true;
 		});

 		return rows;
@@ -57,8 +56,8 @@ const internalHost = {
 	 * @param   {Object}  row
 	 * @returns {Object}
 	 */
-	cleanRowCertificateMeta: function (row) {
-		if (typeof row.certificate !== 'undefined' && row.certificate) {
+	cleanRowCertificateMeta: (row) => {
+		if (typeof row.certificate !== "undefined" && row.certificate) {
 			row.certificate.meta = {};
 		}

@@ -66,54 +65,33 @@ const internalHost = {
 	},

 	/**
-	 * This returns all the host types with any domain listed in the provided domain_names array.
+	 * This returns all the host types with any domain listed in the provided domainNames array.
 	 * This is used by the certificates to temporarily disable any host that is using the domain
 	 *
-	 * @param   {Array}  domain_names
+	 * @param   {Array}  domainNames
 	 * @returns {Promise}
 	 */
-	getHostsWithDomains: function (domain_names) {
-		let promises = [
-			proxyHostModel
-				.query()
-				.where('is_deleted', 0),
-			redirectionHostModel
-				.query()
-				.where('is_deleted', 0),
-			deadHostModel
-				.query()
-				.where('is_deleted', 0)
-		];
+	getHostsWithDomains: async (domainNames) => {
+		const responseObject = {
+			total_count: 0,
+			dead_hosts: [],
+			proxy_hosts: [],
+			redirection_hosts: [],
+		};

-		return Promise.all(promises)
-			.then((promises_results) => {
-				let response_object = {
-					total_count:       0,
-					dead_hosts:        [],
-					proxy_hosts:       [],
-					redirection_hosts: []
-				};
+		const proxyRes = await proxyHostModel.query().where("is_deleted", 0);
+		responseObject.proxy_hosts = internalHost._getHostsWithDomains(proxyRes, domainNames);
+		responseObject.total_count += responseObject.proxy_hosts.length;

-				if (promises_results[0]) {
-					// Proxy Hosts
-					response_object.proxy_hosts  = internalHost._getHostsWithDomains(promises_results[0], domain_names);
-					response_object.total_count += response_object.proxy_hosts.length;
-				}
+		const redirRes = await redirectionHostModel.query().where("is_deleted", 0);
+		responseObject.redirection_hosts = internalHost._getHostsWithDomains(redirRes, domainNames);
+		responseObject.total_count += responseObject.redirection_hosts.length;

-				if (promises_results[1]) {
-					// Redirection Hosts
-					response_object.redirection_hosts = internalHost._getHostsWithDomains(promises_results[1], domain_names);
-					response_object.total_count      += response_object.redirection_hosts.length;
-				}
+		const deadRes = await deadHostModel.query().where("is_deleted", 0);
+		responseObject.dead_hosts = internalHost._getHostsWithDomains(deadRes, domainNames);
+		responseObject.total_count += responseObject.dead_hosts.length;

-				if (promises_results[2]) {
-					// Dead Hosts
-					response_object.dead_hosts   = internalHost._getHostsWithDomains(promises_results[2], domain_names);
-					response_object.total_count += response_object.dead_hosts.length;
-				}
-
-				return response_object;
-			});
+		return responseObject;
 	},

 	/**
@@ -124,112 +102,133 @@ const internalHost = {
 	 * @param   {Integer}  [ignore_id]     Must be supplied if type was also supplied
 	 * @returns {Promise}
 	 */
-	isHostnameTaken: function (hostname, ignore_type, ignore_id) {
-		let promises = [
+	isHostnameTaken: (hostname, ignore_type, ignore_id) => {
+		const promises = [
 			proxyHostModel
 				.query()
-				.where('is_deleted', 0)
-				.andWhere('domain_names', 'like', '%' + hostname + '%'),
+				.where("is_deleted", 0)
+				.andWhere(castJsonIfNeed("domain_names"), "like", `%${hostname}%`),
 			redirectionHostModel
 				.query()
-				.where('is_deleted', 0)
-				.andWhere('domain_names', 'like', '%' + hostname + '%'),
+				.where("is_deleted", 0)
+				.andWhere(castJsonIfNeed("domain_names"), "like", `%${hostname}%`),
 			deadHostModel
 				.query()
-				.where('is_deleted', 0)
-				.andWhere('domain_names', 'like', '%' + hostname + '%')
+				.where("is_deleted", 0)
+				.andWhere(castJsonIfNeed("domain_names"), "like", `%${hostname}%`),
 		];

-		return Promise.all(promises)
-			.then((promises_results) => {
-				let is_taken = false;
+		return Promise.all(promises).then((promises_results) => {
+			let is_taken = false;

-				if (promises_results[0]) {
-					// Proxy Hosts
-					if (internalHost._checkHostnameRecordsTaken(hostname, promises_results[0], ignore_type === 'proxy' && ignore_id ? ignore_id : 0)) {
-						is_taken = true;
-					}
+			if (promises_results[0]) {
+				// Proxy Hosts
+				if (
+					internalHost._checkHostnameRecordsTaken(
+						hostname,
+						promises_results[0],
+						ignore_type === "proxy" && ignore_id ? ignore_id : 0,
+					)
+				) {
+					is_taken = true;
 				}
+			}

-				if (promises_results[1]) {
-					// Redirection Hosts
-					if (internalHost._checkHostnameRecordsTaken(hostname, promises_results[1], ignore_type === 'redirection' && ignore_id ? ignore_id : 0)) {
-						is_taken = true;
-					}
+			if (promises_results[1]) {
+				// Redirection Hosts
+				if (
+					internalHost._checkHostnameRecordsTaken(
+						hostname,
+						promises_results[1],
+						ignore_type === "redirection" && ignore_id ? ignore_id : 0,
+					)
+				) {
+					is_taken = true;
 				}
+			}

-				if (promises_results[2]) {
-					// Dead Hosts
-					if (internalHost._checkHostnameRecordsTaken(hostname, promises_results[2], ignore_type === 'dead' && ignore_id ? ignore_id : 0)) {
-						is_taken = true;
-					}
+			if (promises_results[2]) {
+				// Dead Hosts
+				if (
+					internalHost._checkHostnameRecordsTaken(
+						hostname,
+						promises_results[2],
+						ignore_type === "dead" && ignore_id ? ignore_id : 0,
+					)
+				) {
+					is_taken = true;
 				}
+			}

-				return {
-					hostname: hostname,
-					is_taken: is_taken
-				};
-			});
+			return {
+				hostname: hostname,
+				is_taken: is_taken,
+			};
+		});
 	},

 	/**
 	 * Private call only
 	 *
 	 * @param   {String}  hostname
-	 * @param   {Array}   existing_rows
-	 * @param   {Integer} [ignore_id]
+	 * @param   {Array}   existingRows
+	 * @param   {Integer} [ignoreId]
 	 * @returns {Boolean}
 	 */
-	_checkHostnameRecordsTaken: function (hostname, existing_rows, ignore_id) {
-		let is_taken = false;
+	_checkHostnameRecordsTaken: (hostname, existingRows, ignoreId) => {
+		let isTaken = false;

-		if (existing_rows && existing_rows.length) {
-			existing_rows.map(function (existing_row) {
-				existing_row.domain_names.map(function (existing_hostname) {
+		if (existingRows?.length) {
+			existingRows.map((existingRow) => {
+				existingRow.domain_names.map((existingHostname) => {
 					// Does this domain match?
-					if (existing_hostname.toLowerCase() === hostname.toLowerCase()) {
-						if (!ignore_id || ignore_id !== existing_row.id) {
-							is_taken = true;
+					if (existingHostname.toLowerCase() === hostname.toLowerCase()) {
+						if (!ignoreId || ignoreId !== existingRow.id) {
+							isTaken = true;
 						}
 					}
+					return true;
 				});
+				return true;
 			});
 		}

-		return is_taken;
+		return isTaken;
 	},

 	/**
 	 * Private call only
 	 *
 	 * @param   {Array}   hosts
-	 * @param   {Array}   domain_names
+	 * @param   {Array}   domainNames
 	 * @returns {Array}
 	 */
-	_getHostsWithDomains: function (hosts, domain_names) {
-		let response = [];
+	_getHostsWithDomains: (hosts, domainNames) => {
+		const response = [];

-		if (hosts && hosts.length) {
-			hosts.map(function (host) {
-				let host_matches = false;
+		if (hosts?.length) {
+			hosts.map((host) => {
+				let hostMatches = false;

-				domain_names.map(function (domain_name) {
-					host.domain_names.map(function (host_domain_name) {
-						if (domain_name.toLowerCase() === host_domain_name.toLowerCase()) {
-							host_matches = true;
+				domainNames.map((domainName) => {
+					host.domain_names.map((hostDomainName) => {
+						if (domainName.toLowerCase() === hostDomainName.toLowerCase()) {
+							hostMatches = true;
 						}
+						return true;
 					});
+					return true;
 				});

-				if (host_matches) {
+				if (hostMatches) {
 					response.push(host);
 				}
+				return true;
 			});
 		}

 		return response;
-	}
-
+	},
 };

-module.exports = internalHost;
+export default internalHost;
--- a/backend/internal/ip_ranges.js
+++ b/backend/internal/ip_ranges.js
@@ -1,42 +1,51 @@
-const https         = require('https');
-const fs            = require('fs');
-const logger        = require('../logger').ip_ranges;
-const error         = require('../lib/error');
-const internalNginx = require('./nginx');
-const { Liquid }    = require('liquidjs');
+import fs from "node:fs";
+import https from "node:https";
+import { dirname } from "node:path";
+import { fileURLToPath } from "node:url";
+import errs from "../lib/error.js";
+import utils from "../lib/utils.js";
+import { ipRanges as logger } from "../logger.js";
+import internalNginx from "./nginx.js";

-const CLOUDFRONT_URL   = 'https://ip-ranges.amazonaws.com/ip-ranges.json';
-const CLOUDFARE_V4_URL = 'https://www.cloudflare.com/ips-v4';
-const CLOUDFARE_V6_URL = 'https://www.cloudflare.com/ips-v6';
+const __filename = fileURLToPath(import.meta.url);
+const __dirname = dirname(__filename);
+
+const CLOUDFRONT_URL = "https://ip-ranges.amazonaws.com/ip-ranges.json";
+const CLOUDFARE_V4_URL = "https://www.cloudflare.com/ips-v4";
+const CLOUDFARE_V6_URL = "https://www.cloudflare.com/ips-v6";
+
+const regIpV4 = /^(\d+\.?){4}\/\d+/;
+const regIpV6 = /^(([\da-fA-F]+)?:)+\/\d+/;

 const internalIpRanges = {
-
-	interval_timeout:    1000 * 60 * 60 * 6, // 6 hours
-	interval:            null,
+	interval_timeout: 1000 * 60 * 60 * 6, // 6 hours
+	interval: null,
 	interval_processing: false,
-	iteration_count:     0,
+	iteration_count: 0,

 	initTimer: () => {
-		logger.info('IP Ranges Renewal Timer initialized');
+		logger.info("IP Ranges Renewal Timer initialized");
 		internalIpRanges.interval = setInterval(internalIpRanges.fetch, internalIpRanges.interval_timeout);
 	},

 	fetchUrl: (url) => {
 		return new Promise((resolve, reject) => {
-			logger.info('Fetching ' + url);
-			return https.get(url, (res) => {
-				res.setEncoding('utf8');
-				let raw_data = '';
-				res.on('data', (chunk) => {
-					raw_data += chunk;
-				});
+			logger.info(`Fetching ${url}`);
+			return https
+				.get(url, (res) => {
+					res.setEncoding("utf8");
+					let raw_data = "";
+					res.on("data", (chunk) => {
+						raw_data += chunk;
+					});

-				res.on('end', () => {
-					resolve(raw_data);
+					res.on("end", () => {
+						resolve(raw_data);
+					});
+				})
+				.on("error", (err) => {
+					reject(err);
 				});
-			}).on('error', (err) => {
-				reject(err);
-			});
 		});
 	},

@@ -46,27 +55,30 @@ const internalIpRanges = {
 	fetch: () => {
 		if (!internalIpRanges.interval_processing) {
 			internalIpRanges.interval_processing = true;
-			logger.info('Fetching IP Ranges from online services...');
+			logger.info("Fetching IP Ranges from online services...");

 			let ip_ranges = [];

-			return internalIpRanges.fetchUrl(CLOUDFRONT_URL)
+			return internalIpRanges
+				.fetchUrl(CLOUDFRONT_URL)
 				.then((cloudfront_data) => {
-					let data = JSON.parse(cloudfront_data);
+					const data = JSON.parse(cloudfront_data);

-					if (data && typeof data.prefixes !== 'undefined') {
+					if (data && typeof data.prefixes !== "undefined") {
 						data.prefixes.map((item) => {
-							if (item.service === 'CLOUDFRONT') {
+							if (item.service === "CLOUDFRONT") {
 								ip_ranges.push(item.ip_prefix);
 							}
+							return true;
 						});
 					}

-					if (data && typeof data.ipv6_prefixes !== 'undefined') {
+					if (data && typeof data.ipv6_prefixes !== "undefined") {
 						data.ipv6_prefixes.map((item) => {
-							if (item.service === 'CLOUDFRONT') {
+							if (item.service === "CLOUDFRONT") {
 								ip_ranges.push(item.ipv6_prefix);
 							}
+							return true;
 						});
 					}
 				})
@@ -74,38 +86,38 @@ const internalIpRanges = {
 					return internalIpRanges.fetchUrl(CLOUDFARE_V4_URL);
 				})
 				.then((cloudfare_data) => {
-					let items = cloudfare_data.split('\n');
-					ip_ranges = [... ip_ranges, ... items];
+					const items = cloudfare_data.split("\n").filter((line) => regIpV4.test(line));
+					ip_ranges = [...ip_ranges, ...items];
 				})
 				.then(() => {
 					return internalIpRanges.fetchUrl(CLOUDFARE_V6_URL);
 				})
 				.then((cloudfare_data) => {
-					let items = cloudfare_data.split('\n');
-					ip_ranges = [... ip_ranges, ... items];
+					const items = cloudfare_data.split("\n").filter((line) => regIpV6.test(line));
+					ip_ranges = [...ip_ranges, ...items];
 				})
 				.then(() => {
-					let clean_ip_ranges = [];
+					const clean_ip_ranges = [];
 					ip_ranges.map((range) => {
 						if (range) {
 							clean_ip_ranges.push(range);
 						}
+						return true;
 					});

-					return internalIpRanges.generateConfig(clean_ip_ranges)
-						.then(() => {
-							if (internalIpRanges.iteration_count) {
-								// Reload nginx
-								return internalNginx.reload();
-							}
-						});
+					return internalIpRanges.generateConfig(clean_ip_ranges).then(() => {
+						if (internalIpRanges.iteration_count) {
+							// Reload nginx
+							return internalNginx.reload();
+						}
+					});
 				})
 				.then(() => {
 					internalIpRanges.interval_processing = false;
 					internalIpRanges.iteration_count++;
 				})
 				.catch((err) => {
-					logger.error(err.message);
+					logger.fatal(err.message);
 					internalIpRanges.interval_processing = false;
 				});
 		}
@@ -116,32 +128,29 @@ const internalIpRanges = {
 	 * @returns {Promise}
 	 */
 	generateConfig: (ip_ranges) => {
-		let renderEngine = new Liquid({
-			root: __dirname + '/../templates/'
-		});
-
+		const renderEngine = utils.getRenderEngine();
 		return new Promise((resolve, reject) => {
 			let template = null;
-			let filename = '/etc/nginx/conf.d/include/ip_ranges.conf';
+			const filename = "/etc/nginx/conf.d/include/ip_ranges.conf";
 			try {
-				template = fs.readFileSync(__dirname + '/../templates/ip_ranges.conf', {encoding: 'utf8'});
+				template = fs.readFileSync(`${__dirname}/../templates/ip_ranges.conf`, { encoding: "utf8" });
 			} catch (err) {
-				reject(new error.ConfigurationError(err.message));
+				reject(new errs.ConfigurationError(err.message));
 				return;
 			}

 			renderEngine
-				.parseAndRender(template, {ip_ranges: ip_ranges})
+				.parseAndRender(template, { ip_ranges: ip_ranges })
 				.then((config_text) => {
-					fs.writeFileSync(filename, config_text, {encoding: 'utf8'});
+					fs.writeFileSync(filename, config_text, { encoding: "utf8" });
 					resolve(true);
 				})
 				.catch((err) => {
-					logger.warn('Could not write ' + filename + ':', err.message);
-					reject(new error.ConfigurationError(err.message));
+					logger.warn(`Could not write ${filename}: ${err.message}`);
+					reject(new errs.ConfigurationError(err.message));
 				});
 		});
-	}
+	},
 };

-module.exports = internalIpRanges;
+export default internalIpRanges;
--- a/backend/internal/nginx.js
+++ b/backend/internal/nginx.js
@@ -1,13 +1,15 @@
-const _          = require('lodash');
-const fs         = require('fs');
-const logger     = require('../logger').nginx;
-const utils      = require('../lib/utils');
-const error      = require('../lib/error');
-const { Liquid } = require('liquidjs');
-const debug_mode = process.env.NODE_ENV !== 'production' || !!process.env.DEBUG;
+import fs from "node:fs";
+import { dirname } from "node:path";
+import { fileURLToPath } from "node:url";
+import _ from "lodash";
+import errs from "../lib/error.js";
+import utils from "../lib/utils.js";
+import { nginx as logger } from "../logger.js";
+
+const __filename = fileURLToPath(import.meta.url);
+const __dirname = dirname(__filename);

 const internalNginx = {
-
 	/**
 	 * This will:
 	 * - test the nginx config first to make sure it's OK
@@ -25,60 +27,63 @@ const internalNginx = {
 	configure: (model, host_type, host) => {
 		let combined_meta = {};

-		return internalNginx.test()
+		return internalNginx
+			.test()
 			.then(() => {
 				// Nginx is OK
 				// We're deleting this config regardless.
-				return internalNginx.deleteConfig(host_type, host); // Don't throw errors, as the file may not exist at all
+				// Don't throw errors, as the file may not exist at all
+				// Delete the .err file too
+				return internalNginx.deleteConfig(host_type, host, false, true);
 			})
 			.then(() => {
 				return internalNginx.generateConfig(host_type, host);
 			})
 			.then(() => {
 				// Test nginx again and update meta with result
-				return internalNginx.test()
+				return internalNginx
+					.test()
 					.then(() => {
 						// nginx is ok
 						combined_meta = _.assign({}, host.meta, {
 							nginx_online: true,
-							nginx_err:    null
+							nginx_err: null,
 						});

-						return model
-							.query()
-							.where('id', host.id)
-							.patch({
-								meta: combined_meta
-							});
+						return model.query().where("id", host.id).patch({
+							meta: combined_meta,
+						});
 					})
 					.catch((err) => {
 						// Remove the error_log line because it's a docker-ism false positive that doesn't need to be reported.
 						// It will always look like this:
 						//   nginx: [alert] could not open error log file: open() "/var/log/nginx/error.log" failed (6: No such device or address)

-						let valid_lines = [];
-						let err_lines   = err.message.split('\n');
-						err_lines.map(function (line) {
-							if (line.indexOf('/var/log/nginx/error.log') === -1) {
+						const valid_lines = [];
+						const err_lines = err.message.split("\n");
+						err_lines.map((line) => {
+							if (line.indexOf("/var/log/nginx/error.log") === -1) {
 								valid_lines.push(line);
 							}
+							return true;
 						});

-						if (debug_mode) {
-							logger.error('Nginx test failed:', valid_lines.join('\n'));
-						}
+						logger.debug("Nginx test failed:", valid_lines.join("\n"));

 						// config is bad, update meta and delete config
 						combined_meta = _.assign({}, host.meta, {
 							nginx_online: false,
-							nginx_err:    valid_lines.join('\n')
+							nginx_err: valid_lines.join("\n"),
 						});

 						return model
 							.query()
-							.where('id', host.id)
+							.where("id", host.id)
 							.patch({
-								meta: combined_meta
+								meta: combined_meta,
+							})
+							.then(() => {
+								internalNginx.renameConfigAsError(host_type, host);
 							})
 							.then(() => {
 								return internalNginx.deleteConfig(host_type, host, true);
@@ -97,22 +102,18 @@ const internalNginx = {
 	 * @returns {Promise}
 	 */
 	test: () => {
-		if (debug_mode) {
-			logger.info('Testing Nginx configuration');
-		}
-
-		return utils.exec('/usr/sbin/nginx -t -g "error_log off;"');
+		logger.debug("Testing Nginx configuration");
+		return utils.execFile("/usr/sbin/nginx", ["-t", "-g", "error_log off;"]);
 	},

 	/**
 	 * @returns {Promise}
 	 */
 	reload: () => {
-		return internalNginx.test()
-			.then(() => {
-				logger.info('Reloading Nginx');
-				return utils.exec('/usr/sbin/nginx -s reload');
-			});
+		return internalNginx.test().then(() => {
+			logger.info("Reloading Nginx");
+			return utils.execFile("/usr/sbin/nginx", ["-s", "reload"]);
+		});
 	},

 	/**
@@ -121,13 +122,10 @@ const internalNginx = {
 	 * @returns {String}
 	 */
 	getConfigName: (host_type, host_id) => {
-		host_type = host_type.replace(new RegExp('-', 'g'), '_');
-
-		if (host_type === 'default') {
-			return '/data/nginx/default_host/site.conf';
+		if (host_type === "default") {
+			return "/data/nginx/default_host/site.conf";
 		}
-
-		return '/data/nginx/' + host_type + '/' + host_id + '.conf';
+		return `/data/nginx/${internalNginx.getFileFriendlyHostType(host_type)}/${host_id}.conf`;
 	},

 	/**
@@ -136,48 +134,49 @@ const internalNginx = {
 	 * @returns {Promise}
 	 */
 	renderLocations: (host) => {
-
-		//logger.info('host = ' + JSON.stringify(host, null, 2));
 		return new Promise((resolve, reject) => {
 			let template;

 			try {
-				template = fs.readFileSync(__dirname + '/../templates/_location.conf', {encoding: 'utf8'});
+				template = fs.readFileSync(`${__dirname}/../templates/_location.conf`, { encoding: "utf8" });
 			} catch (err) {
-				reject(new error.ConfigurationError(err.message));
+				reject(new errs.ConfigurationError(err.message));
 				return;
 			}

-			let renderer          = new Liquid({
-				root: __dirname + '/../templates/'
-			});
-			let renderedLocations = '';
+			const renderEngine = utils.getRenderEngine();
+			let renderedLocations = "";

 			const locationRendering = async () => {
 				for (let i = 0; i < host.locations.length; i++) {
-					let locationCopy = Object.assign({}, {access_list_id: host.access_list_id}, {certificate_id: host.certificate_id}, 
-						{ssl_forced: host.ssl_forced}, {caching_enabled: host.caching_enabled}, {block_exploits: host.block_exploits},
-						{allow_websocket_upgrade: host.allow_websocket_upgrade}, {http2_support: host.http2_support},
-						{hsts_enabled: host.hsts_enabled}, {hsts_subdomains: host.hsts_subdomains}, {access_list: host.access_list},
-						{certificate: host.certificate}, host.locations[i]);
-			
-					if (locationCopy.forward_host.indexOf('/') > -1) {
-						const splitted = locationCopy.forward_host.split('/');
+					const locationCopy = Object.assign(
+						{},
+						{ access_list_id: host.access_list_id },
+						{ certificate_id: host.certificate_id },
+						{ ssl_forced: host.ssl_forced },
+						{ caching_enabled: host.caching_enabled },
+						{ block_exploits: host.block_exploits },
+						{ allow_websocket_upgrade: host.allow_websocket_upgrade },
+						{ http2_support: host.http2_support },
+						{ hsts_enabled: host.hsts_enabled },
+						{ hsts_subdomains: host.hsts_subdomains },
+						{ access_list: host.access_list },
+						{ certificate: host.certificate },
+						host.locations[i],
+					);
+
+					if (locationCopy.forward_host.indexOf("/") > -1) {
+						const splitted = locationCopy.forward_host.split("/");

 						locationCopy.forward_host = splitted.shift();
-						locationCopy.forward_path = `/${splitted.join('/')}`;
+						locationCopy.forward_path = `/${splitted.join("/")}`;
 					}

-					//logger.info('locationCopy = ' + JSON.stringify(locationCopy, null, 2));
-
-					// eslint-disable-next-line
-					renderedLocations += await renderer.parseAndRender(template, locationCopy);
+					renderedLocations += await renderEngine.parseAndRender(template, locationCopy);
 				}
-
 			};

 			locationRendering().then(() => resolve(renderedLocations));
-			
 		});
 	},

@@ -186,27 +185,23 @@ const internalNginx = {
 	 * @param   {Object}  host
 	 * @returns {Promise}
 	 */
-	generateConfig: (host_type, host) => {
-		host_type = host_type.replace(new RegExp('-', 'g'), '_');
+	generateConfig: (host_type, host_row) => {
+		// Prevent modifying the original object:
+		const host = JSON.parse(JSON.stringify(host_row));
+		const nice_host_type = internalNginx.getFileFriendlyHostType(host_type);

-		if (debug_mode) {
-			logger.info('Generating ' + host_type + ' Config:', host);
-		}
+		logger.debug(`Generating ${nice_host_type} Config:`, JSON.stringify(host, null, 2));

-		// logger.info('host = ' + JSON.stringify(host, null, 2));
-
-		let renderEngine = new Liquid({
-			root: __dirname + '/../templates/'
-		});
+		const renderEngine = utils.getRenderEngine();

 		return new Promise((resolve, reject) => {
 			let template = null;
-			let filename = internalNginx.getConfigName(host_type, host.id);
+			const filename = internalNginx.getConfigName(nice_host_type, host.id);

 			try {
-				template = fs.readFileSync(__dirname + '/../templates/' + host_type + '.conf', {encoding: 'utf8'});
+				template = fs.readFileSync(`${__dirname}/../templates/${nice_host_type}.conf`, { encoding: "utf8" });
 			} catch (err) {
-				reject(new error.ConfigurationError(err.message));
+				reject(new errs.ConfigurationError(err.message));
 				return;
 			}

@@ -214,27 +209,26 @@ const internalNginx = {
 			let origLocations;

 			// Manipulate the data a bit before sending it to the template
-			if (host_type !== 'default') {
+			if (nice_host_type !== "default") {
 				host.use_default_location = true;
-				if (typeof host.advanced_config !== 'undefined' && host.advanced_config) {
+				if (typeof host.advanced_config !== "undefined" && host.advanced_config) {
 					host.use_default_location = !internalNginx.advancedConfigHasDefaultLocation(host.advanced_config);
 				}
 			}

 			if (host.locations) {
 				//logger.info ('host.locations = ' + JSON.stringify(host.locations, null, 2));
-				origLocations    = [].concat(host.locations);
+				origLocations = [].concat(host.locations);
 				locationsPromise = internalNginx.renderLocations(host).then((renderedLocations) => {
 					host.locations = renderedLocations;
 				});

 				// Allow someone who is using / custom location path to use it, and skip the default / location
 				_.map(host.locations, (location) => {
-					if (location.path === '/') {
+					if (location.path === "/") {
 						host.use_default_location = false;
 					}
 				});
-
 			} else {
 				locationsPromise = Promise.resolve();
 			}
@@ -246,11 +240,8 @@ const internalNginx = {
 				renderEngine
 					.parseAndRender(template, host)
 					.then((config_text) => {
-						fs.writeFileSync(filename, config_text, {encoding: 'utf8'});
-
-						if (debug_mode) {
-							logger.success('Wrote config:', filename, config_text);
-						}
+						fs.writeFileSync(filename, config_text, { encoding: "utf8" });
+						logger.debug("Wrote config:", filename, config_text);

 						// Restore locations array
 						host.locations = origLocations;
@@ -258,11 +249,8 @@ const internalNginx = {
 						resolve(true);
 					})
 					.catch((err) => {
-						if (debug_mode) {
-							logger.warn('Could not write ' + filename + ':', err.message);
-						}
-
-						reject(new error.ConfigurationError(err.message));
+						logger.debug(`Could not write ${filename}:`, err.message);
+						reject(new errs.ConfigurationError(err.message));
 					});
 			});
 		});
@@ -277,22 +265,17 @@ const internalNginx = {
 	 * @returns {Promise}
 	 */
 	generateLetsEncryptRequestConfig: (certificate) => {
-		if (debug_mode) {
-			logger.info('Generating LetsEncrypt Request Config:', certificate);
-		}
-
-		let renderEngine = new Liquid({
-			root: __dirname + '/../templates/'
-		});
+		logger.debug("Generating LetsEncrypt Request Config:", certificate);
+		const renderEngine = utils.getRenderEngine();

 		return new Promise((resolve, reject) => {
 			let template = null;
-			let filename = '/data/nginx/temp/letsencrypt_' + certificate.id + '.conf';
+			const filename = `/data/nginx/temp/letsencrypt_${certificate.id}.conf`;

 			try {
-				template = fs.readFileSync(__dirname + '/../templates/letsencrypt-request.conf', {encoding: 'utf8'});
+				template = fs.readFileSync(`${__dirname}/../templates/letsencrypt-request.conf`, { encoding: "utf8" });
 			} catch (err) {
-				reject(new error.ConfigurationError(err.message));
+				reject(new errs.ConfigurationError(err.message));
 				return;
 			}

@@ -301,51 +284,53 @@ const internalNginx = {
 			renderEngine
 				.parseAndRender(template, certificate)
 				.then((config_text) => {
-					fs.writeFileSync(filename, config_text, {encoding: 'utf8'});
-
-					if (debug_mode) {
-						logger.success('Wrote config:', filename, config_text);
-					}
-
+					fs.writeFileSync(filename, config_text, { encoding: "utf8" });
+					logger.debug("Wrote config:", filename, config_text);
 					resolve(true);
 				})
 				.catch((err) => {
-					if (debug_mode) {
-						logger.warn('Could not write ' + filename + ':', err.message);
-					}
-
-					reject(new error.ConfigurationError(err.message));
+					logger.debug(`Could not write ${filename}:`, err.message);
+					reject(new errs.ConfigurationError(err.message));
 				});
 		});
 	},

+	/**
+	 * A simple wrapper around unlinkSync that writes to the logger
+	 *
+	 * @param   {String}  filename
+	 */
+	deleteFile: (filename) => {
+		if (!fs.existsSync(filename)) {
+			return;
+		}
+		try {
+			logger.debug(`Deleting file: ${filename}`);
+			fs.unlinkSync(filename);
+		} catch (err) {
+			logger.debug("Could not delete file:", JSON.stringify(err, null, 2));
+		}
+	},
+
+	/**
+	 *
+	 * @param   {String} host_type
+	 * @returns String
+	 */
+	getFileFriendlyHostType: (host_type) => {
+		return host_type.replace(/-/g, "_");
+	},
+
 	/**
 	 * This removes the temporary nginx config file generated by `generateLetsEncryptRequestConfig`
 	 *
 	 * @param   {Object}  certificate
-	 * @param   {Boolean} [throw_errors]
 	 * @returns {Promise}
 	 */
-	deleteLetsEncryptRequestConfig: (certificate, throw_errors) => {
-		return new Promise((resolve, reject) => {
-			try {
-				let config_file = '/data/nginx/temp/letsencrypt_' + certificate.id + '.conf';
-
-				if (debug_mode) {
-					logger.warn('Deleting nginx config: ' + config_file);
-				}
-
-				fs.unlinkSync(config_file);
-			} catch (err) {
-				if (debug_mode) {
-					logger.warn('Could not delete config:', err.message);
-				}
-
-				if (throw_errors) {
-					reject(err);
-				}
-			}
-
+	deleteLetsEncryptRequestConfig: (certificate) => {
+		const config_file = `/data/nginx/temp/letsencrypt_${certificate.id}.conf`;
+		return new Promise((resolve /*, reject*/) => {
+			internalNginx.deleteFile(config_file);
 			resolve();
 		});
 	},
@@ -353,44 +338,58 @@ const internalNginx = {
 	/**
 	 * @param   {String}  host_type
 	 * @param   {Object}  [host]
-	 * @param   {Boolean} [throw_errors]
+	 * @param   {Boolean} [delete_err_file]
 	 * @returns {Promise}
 	 */
-	deleteConfig: (host_type, host, throw_errors) => {
-		host_type = host_type.replace(new RegExp('-', 'g'), '_');
+	deleteConfig: (host_type, host, delete_err_file) => {
+		const config_file = internalNginx.getConfigName(
+			internalNginx.getFileFriendlyHostType(host_type),
+			typeof host === "undefined" ? 0 : host.id,
+		);
+		const config_file_err = `${config_file}.err`;

-		return new Promise((resolve, reject) => {
-			try {
-				let config_file = internalNginx.getConfigName(host_type, typeof host === 'undefined' ? 0 : host.id);
-
-				if (debug_mode) {
-					logger.warn('Deleting nginx config: ' + config_file);
-				}
-
-				fs.unlinkSync(config_file);
-			} catch (err) {
-				if (debug_mode) {
-					logger.warn('Could not delete config:', err.message);
-				}
-
-				if (throw_errors) {
-					reject(err);
-				}
+		return new Promise((resolve /*, reject*/) => {
+			internalNginx.deleteFile(config_file);
+			if (delete_err_file) {
+				internalNginx.deleteFile(config_file_err);
 			}
-
 			resolve();
 		});
 	},

 	/**
 	 * @param   {String}  host_type
+	 * @param   {Object}  [host]
+	 * @returns {Promise}
+	 */
+	renameConfigAsError: (host_type, host) => {
+		const config_file = internalNginx.getConfigName(
+			internalNginx.getFileFriendlyHostType(host_type),
+			typeof host === "undefined" ? 0 : host.id,
+		);
+		const config_file_err = `${config_file}.err`;
+
+		return new Promise((resolve /*, reject*/) => {
+			fs.unlink(config_file, () => {
+				// ignore result, continue
+				fs.rename(config_file, config_file_err, () => {
+					// also ignore result, as this is a debugging informative file anyway
+					resolve();
+				});
+			});
+		});
+	},
+
+	/**
+	 * @param   {String}  hostType
 	 * @param   {Array}   hosts
 	 * @returns {Promise}
 	 */
-	bulkGenerateConfigs: (host_type, hosts) => {
-		let promises = [];
-		hosts.map(function (host) {
-			promises.push(internalNginx.generateConfig(host_type, host));
+	bulkGenerateConfigs: (hostType, hosts) => {
+		const promises = [];
+		hosts.map((host) => {
+			promises.push(internalNginx.generateConfig(hostType, host));
+			return true;
 		});

 		return Promise.all(promises);
@@ -399,13 +398,13 @@ const internalNginx = {
 	/**
 	 * @param   {String}  host_type
 	 * @param   {Array}   hosts
-	 * @param   {Boolean} [throw_errors]
 	 * @returns {Promise}
 	 */
-	bulkDeleteConfigs: (host_type, hosts, throw_errors) => {
-		let promises = [];
-		hosts.map(function (host) {
-			promises.push(internalNginx.deleteConfig(host_type, host, throw_errors));
+	bulkDeleteConfigs: (host_type, hosts) => {
+		const promises = [];
+		hosts.map((host) => {
+			promises.push(internalNginx.deleteConfig(host_type, host, true));
+			return true;
 		});

 		return Promise.all(promises);
@@ -415,21 +414,19 @@ const internalNginx = {
 	 * @param   {string}  config
 	 * @returns {boolean}
 	 */
-	advancedConfigHasDefaultLocation: function (config) {
-		return !!config.match(/^(?:.*;)?\s*?location\s*?\/\s*?{/im);
-	},
+	advancedConfigHasDefaultLocation: (cfg) => !!cfg.match(/^(?:.*;)?\s*?location\s*?\/\s*?{/im),

 	/**
 	 * @returns {boolean}
 	 */
-	ipv6Enabled: function () {
-		if (typeof process.env.DISABLE_IPV6 !== 'undefined') {
+	ipv6Enabled: () => {
+		if (typeof process.env.DISABLE_IPV6 !== "undefined") {
 			const disabled = process.env.DISABLE_IPV6.toLowerCase();
-			return !(disabled === 'on' || disabled === 'true' || disabled === '1' || disabled === 'yes');
+			return !(disabled === "on" || disabled === "true" || disabled === "1" || disabled === "yes");
 		}

 		return true;
-	}
+	},
 };

-module.exports = internalNginx;
+export default internalNginx;
--- a/backend/internal/proxy-host.js
+++ b/backend/internal/proxy-host.js
@@ -1,99 +1,106 @@
-const _                   = require('lodash');
-const error               = require('../lib/error');
-const proxyHostModel      = require('../models/proxy_host');
-const internalHost        = require('./host');
-const internalNginx       = require('./nginx');
-const internalAuditLog    = require('./audit-log');
-const internalCertificate = require('./certificate');
+import _ from "lodash";
+import errs from "../lib/error.js";
+import { castJsonIfNeed } from "../lib/helpers.js";
+import utils from "../lib/utils.js";
+import proxyHostModel from "../models/proxy_host.js";
+import internalAuditLog from "./audit-log.js";
+import internalCertificate from "./certificate.js";
+import internalHost from "./host.js";
+import internalNginx from "./nginx.js";

-function omissions () {
-	return ['is_deleted'];
-}
+const omissions = () => {
+	return ["is_deleted", "owner.is_deleted"];
+};

 const internalProxyHost = {
-
 	/**
 	 * @param   {Access}  access
 	 * @param   {Object}  data
 	 * @returns {Promise}
 	 */
 	create: (access, data) => {
-		let create_certificate = data.certificate_id === 'new';
+		let thisData = data;
+		const createCertificate = thisData.certificate_id === "new";

-		if (create_certificate) {
-			delete data.certificate_id;
+		if (createCertificate) {
+			delete thisData.certificate_id;
 		}

-		return access.can('proxy_hosts:create', data)
+		return access
+			.can("proxy_hosts:create", thisData)
 			.then(() => {
 				// Get a list of the domain names and check each of them against existing records
-				let domain_name_check_promises = [];
+				const domain_name_check_promises = [];

-				data.domain_names.map(function (domain_name) {
+				thisData.domain_names.map((domain_name) => {
 					domain_name_check_promises.push(internalHost.isHostnameTaken(domain_name));
+					return true;
 				});

-				return Promise.all(domain_name_check_promises)
-					.then((check_results) => {
-						check_results.map(function (result) {
-							if (result.is_taken) {
-								throw new error.ValidationError(result.hostname + ' is already in use');
-							}
-						});
+				return Promise.all(domain_name_check_promises).then((check_results) => {
+					check_results.map((result) => {
+						if (result.is_taken) {
+							throw new errs.ValidationError(`${result.hostname} is already in use`);
+						}
+						return true;
 					});
+				});
 			})
 			.then(() => {
 				// At this point the domains should have been checked
-				data.owner_user_id = access.token.getUserId(1);
-				data               = internalHost.cleanSslHstsData(data);
+				thisData.owner_user_id = access.token.getUserId(1);
+				thisData = internalHost.cleanSslHstsData(thisData);

-				return proxyHostModel
-					.query()
-					.omit(omissions())
-					.insertAndFetch(data);
+				// Fix for db field not having a default value
+				// for this optional field.
+				if (typeof thisData.advanced_config === "undefined") {
+					thisData.advanced_config = "";
+				}
+
+				return proxyHostModel.query().insertAndFetch(thisData).then(utils.omitRow(omissions()));
 			})
 			.then((row) => {
-				if (create_certificate) {
-					return internalCertificate.createQuickCertificate(access, data)
+				if (createCertificate) {
+					return internalCertificate
+						.createQuickCertificate(access, thisData)
 						.then((cert) => {
 							// update host with cert id
 							return internalProxyHost.update(access, {
-								id:             row.id,
-								certificate_id: cert.id
+								id: row.id,
+								certificate_id: cert.id,
 							});
 						})
 						.then(() => {
 							return row;
 						});
-				} else {
-					return row;
 				}
+				return row;
 			})
 			.then((row) => {
 				// re-fetch with cert
 				return internalProxyHost.get(access, {
-					id:     row.id,
-					expand: ['certificate', 'owner', 'access_list.[clients,items]']
+					id: row.id,
+					expand: ["certificate", "owner", "access_list.[clients,items]"],
 				});
 			})
 			.then((row) => {
 				// Configure nginx
-				return internalNginx.configure(proxyHostModel, 'proxy_host', row)
-					.then(() => {
-						return row;
-					});
+				return internalNginx.configure(proxyHostModel, "proxy_host", row).then(() => {
+					return row;
+				});
 			})
 			.then((row) => {
 				// Audit log
-				data.meta = _.assign({}, data.meta || {}, row.meta);
+				thisData.meta = _.assign({}, thisData.meta || {}, row.meta);

 				// Add to audit log
-				return internalAuditLog.add(access, {
-					action:      'created',
-					object_type: 'proxy-host',
-					object_id:   row.id,
-					meta:        data
-				})
+				return internalAuditLog
+					.add(access, {
+						action: "created",
+						object_type: "proxy-host",
+						object_id: row.id,
+						meta: thisData,
+					})
 					.then(() => {
 						return row;
 					});
@@ -107,99 +114,110 @@ const internalProxyHost = {
 	 * @return {Promise}
 	 */
 	update: (access, data) => {
-		let create_certificate = data.certificate_id === 'new';
+		let thisData = data;
+		const create_certificate = thisData.certificate_id === "new";

 		if (create_certificate) {
-			delete data.certificate_id;
+			delete thisData.certificate_id;
 		}

-		return access.can('proxy_hosts:update', data.id)
+		return access
+			.can("proxy_hosts:update", thisData.id)
 			.then((/*access_data*/) => {
 				// Get a list of the domain names and check each of them against existing records
-				let domain_name_check_promises = [];
+				const domain_name_check_promises = [];

-				if (typeof data.domain_names !== 'undefined') {
-					data.domain_names.map(function (domain_name) {
-						domain_name_check_promises.push(internalHost.isHostnameTaken(domain_name, 'proxy', data.id));
+				if (typeof thisData.domain_names !== "undefined") {
+					thisData.domain_names.map((domain_name) => {
+						return domain_name_check_promises.push(
+							internalHost.isHostnameTaken(domain_name, "proxy", thisData.id),
+						);
 					});

-					return Promise.all(domain_name_check_promises)
-						.then((check_results) => {
-							check_results.map(function (result) {
-								if (result.is_taken) {
-									throw new error.ValidationError(result.hostname + ' is already in use');
-								}
-							});
+					return Promise.all(domain_name_check_promises).then((check_results) => {
+						check_results.map((result) => {
+							if (result.is_taken) {
+								throw new errs.ValidationError(`${result.hostname} is already in use`);
+							}
+							return true;
 						});
+					});
 				}
 			})
 			.then(() => {
-				return internalProxyHost.get(access, {id: data.id});
+				return internalProxyHost.get(access, { id: thisData.id });
 			})
 			.then((row) => {
-				if (row.id !== data.id) {
+				if (row.id !== thisData.id) {
 					// Sanity check that something crazy hasn't happened
-					throw new error.InternalValidationError('Proxy Host could not be updated, IDs do not match: ' + row.id + ' !== ' + data.id);
+					throw new errs.InternalValidationError(
+						`Proxy Host could not be updated, IDs do not match: ${row.id} !== ${thisData.id}`,
+					);
 				}

 				if (create_certificate) {
-					return internalCertificate.createQuickCertificate(access, {
-						domain_names: data.domain_names || row.domain_names,
-						meta:         _.assign({}, row.meta, data.meta)
-					})
+					return internalCertificate
+						.createQuickCertificate(access, {
+							domain_names: thisData.domain_names || row.domain_names,
+							meta: _.assign({}, row.meta, thisData.meta),
+						})
 						.then((cert) => {
 							// update host with cert id
-							data.certificate_id = cert.id;
+							thisData.certificate_id = cert.id;
 						})
 						.then(() => {
 							return row;
 						});
-				} else {
-					return row;
 				}
+				return row;
 			})
 			.then((row) => {
 				// Add domain_names to the data in case it isn't there, so that the audit log renders correctly. The order is important here.
-				data = _.assign({}, {
-					domain_names: row.domain_names
-				}, data);
+				thisData = _.assign(
+					{},
+					{
+						domain_names: row.domain_names,
+					},
+					data,
+				);

-				data = internalHost.cleanSslHstsData(data, row);
+				thisData = internalHost.cleanSslHstsData(thisData, row);

 				return proxyHostModel
 					.query()
-					.where({id: data.id})
-					.patch(data)
+					.where({ id: thisData.id })
+					.patch(thisData)
+					.then(utils.omitRow(omissions()))
 					.then((saved_row) => {
 						// Add to audit log
-						return internalAuditLog.add(access, {
-							action:      'updated',
-							object_type: 'proxy-host',
-							object_id:   row.id,
-							meta:        data
-						})
+						return internalAuditLog
+							.add(access, {
+								action: "updated",
+								object_type: "proxy-host",
+								object_id: row.id,
+								meta: thisData,
+							})
 							.then(() => {
-								return _.omit(saved_row, omissions());
+								return saved_row;
 							});
 					});
 			})
 			.then(() => {
-				return internalProxyHost.get(access, {
-					id:     data.id,
-					expand: ['owner', 'certificate', 'access_list.[clients,items]']
-				})
+				return internalProxyHost
+					.get(access, {
+						id: thisData.id,
+						expand: ["owner", "certificate", "access_list.[clients,items]"],
+					})
 					.then((row) => {
 						if (!row.enabled) {
 							// No need to add nginx config if host is disabled
 							return row;
 						}
 						// Configure nginx
-						return internalNginx.configure(proxyHostModel, 'proxy_host', row)
-							.then((new_meta) => {
-								row.meta = new_meta;
-								row      = internalHost.cleanRowCertificateMeta(row);
-								return _.omit(row, omissions());
-							});
+						return internalNginx.configure(proxyHostModel, "proxy_host", row).then((new_meta) => {
+							row.meta = new_meta;
+							return _.omit(internalHost.cleanRowCertificateMeta(row), omissions());
+						});
 					});
 			});
 	},
@@ -213,41 +231,38 @@ const internalProxyHost = {
 	 * @return {Promise}
 	 */
 	get: (access, data) => {
-		if (typeof data === 'undefined') {
-			data = {};
-		}
+		const thisData = data || {};

-		return access.can('proxy_hosts:get', data.id)
+		return access
+			.can("proxy_hosts:get", thisData.id)
 			.then((access_data) => {
-				let query = proxyHostModel
+				const query = proxyHostModel
 					.query()
-					.where('is_deleted', 0)
-					.andWhere('id', data.id)
-					.allowEager('[owner,access_list,access_list.[clients,items],certificate]')
+					.where("is_deleted", 0)
+					.andWhere("id", thisData.id)
+					.allowGraph("[owner,access_list.[clients,items],certificate]")
 					.first();

-				if (access_data.permission_visibility !== 'all') {
-					query.andWhere('owner_user_id', access.token.getUserId(1));
+				if (access_data.permission_visibility !== "all") {
+					query.andWhere("owner_user_id", access.token.getUserId(1));
 				}

-				// Custom omissions
-				if (typeof data.omit !== 'undefined' && data.omit !== null) {
-					query.omit(data.omit);
+				if (typeof thisData.expand !== "undefined" && thisData.expand !== null) {
+					query.withGraphFetched(`[${thisData.expand.join(", ")}]`);
 				}

-				if (typeof data.expand !== 'undefined' && data.expand !== null) {
-					query.eager('[' + data.expand.join(', ') + ']');
-				}
-
-				return query;
+				return query.then(utils.omitRow(omissions()));
 			})
 			.then((row) => {
-				if (row) {
-					row = internalHost.cleanRowCertificateMeta(row);
-					return _.omit(row, omissions());
-				} else {
-					throw new error.ItemNotFoundError(data.id);
+				if (!row || !row.id) {
+					throw new errs.ItemNotFoundError(thisData.id);
 				}
+				const thisRow = internalHost.cleanRowCertificateMeta(row);
+				// Custom omissions
+				if (typeof thisData.omit !== "undefined" && thisData.omit !== null) {
+					return _.omit(row, thisData.omit);
+				}
+				return thisRow;
 			});
 	},

@@ -259,35 +274,35 @@ const internalProxyHost = {
 	 * @returns {Promise}
 	 */
 	delete: (access, data) => {
-		return access.can('proxy_hosts:delete', data.id)
+		return access
+			.can("proxy_hosts:delete", data.id)
 			.then(() => {
-				return internalProxyHost.get(access, {id: data.id});
+				return internalProxyHost.get(access, { id: data.id });
 			})
 			.then((row) => {
-				if (!row) {
-					throw new error.ItemNotFoundError(data.id);
+				if (!row || !row.id) {
+					throw new errs.ItemNotFoundError(data.id);
 				}

 				return proxyHostModel
 					.query()
-					.where('id', row.id)
+					.where("id", row.id)
 					.patch({
-						is_deleted: 1
+						is_deleted: 1,
 					})
 					.then(() => {
 						// Delete Nginx Config
-						return internalNginx.deleteConfig('proxy_host', row)
-							.then(() => {
-								return internalNginx.reload();
-							});
+						return internalNginx.deleteConfig("proxy_host", row).then(() => {
+							return internalNginx.reload();
+						});
 					})
 					.then(() => {
 						// Add to audit log
 						return internalAuditLog.add(access, {
-							action:      'deleted',
-							object_type: 'proxy-host',
-							object_id:   row.id,
-							meta:        _.omit(row, omissions())
+							action: "deleted",
+							object_type: "proxy-host",
+							object_id: row.id,
+							meta: _.omit(row, omissions()),
 						});
 					});
 			})
@@ -304,39 +319,41 @@ const internalProxyHost = {
 	 * @returns {Promise}
 	 */
 	enable: (access, data) => {
-		return access.can('proxy_hosts:update', data.id)
+		return access
+			.can("proxy_hosts:update", data.id)
 			.then(() => {
 				return internalProxyHost.get(access, {
-					id:     data.id,
-					expand: ['certificate', 'owner', 'access_list']
+					id: data.id,
+					expand: ["certificate", "owner", "access_list"],
 				});
 			})
 			.then((row) => {
-				if (!row) {
-					throw new error.ItemNotFoundError(data.id);
-				} else if (row.enabled) {
-					throw new error.ValidationError('Host is already enabled');
+				if (!row || !row.id) {
+					throw new errs.ItemNotFoundError(data.id);
+				}
+				if (row.enabled) {
+					throw new errs.ValidationError("Host is already enabled");
 				}

 				row.enabled = 1;

 				return proxyHostModel
 					.query()
-					.where('id', row.id)
+					.where("id", row.id)
 					.patch({
-						enabled: 1
+						enabled: 1,
 					})
 					.then(() => {
 						// Configure nginx
-						return internalNginx.configure(proxyHostModel, 'proxy_host', row);
+						return internalNginx.configure(proxyHostModel, "proxy_host", row);
 					})
 					.then(() => {
 						// Add to audit log
 						return internalAuditLog.add(access, {
-							action:      'enabled',
-							object_type: 'proxy-host',
-							object_id:   row.id,
-							meta:        _.omit(row, omissions())
+							action: "enabled",
+							object_type: "proxy-host",
+							object_id: row.id,
+							meta: _.omit(row, omissions()),
 						});
 					});
 			})
@@ -353,39 +370,40 @@ const internalProxyHost = {
 	 * @returns {Promise}
 	 */
 	disable: (access, data) => {
-		return access.can('proxy_hosts:update', data.id)
+		return access
+			.can("proxy_hosts:update", data.id)
 			.then(() => {
-				return internalProxyHost.get(access, {id: data.id});
+				return internalProxyHost.get(access, { id: data.id });
 			})
 			.then((row) => {
-				if (!row) {
-					throw new error.ItemNotFoundError(data.id);
-				} else if (!row.enabled) {
-					throw new error.ValidationError('Host is already disabled');
+				if (!row || !row.id) {
+					throw new errs.ItemNotFoundError(data.id);
+				}
+				if (!row.enabled) {
+					throw new errs.ValidationError("Host is already disabled");
 				}

 				row.enabled = 0;

 				return proxyHostModel
 					.query()
-					.where('id', row.id)
+					.where("id", row.id)
 					.patch({
-						enabled: 0
+						enabled: 0,
 					})
 					.then(() => {
 						// Delete Nginx Config
-						return internalNginx.deleteConfig('proxy_host', row)
-							.then(() => {
-								return internalNginx.reload();
-							});
+						return internalNginx.deleteConfig("proxy_host", row).then(() => {
+							return internalNginx.reload();
+						});
 					})
 					.then(() => {
 						// Add to audit log
 						return internalAuditLog.add(access, {
-							action:      'disabled',
-							object_type: 'proxy-host',
-							object_id:   row.id,
-							meta:        _.omit(row, omissions())
+							action: "disabled",
+							object_type: "proxy-host",
+							object_id: row.id,
+							meta: _.omit(row, omissions()),
 						});
 					});
 			})
@@ -402,41 +420,35 @@ const internalProxyHost = {
 	 * @param   {String}  [search_query]
 	 * @returns {Promise}
 	 */
-	getAll: (access, expand, search_query) => {
-		return access.can('proxy_hosts:list')
-			.then((access_data) => {
-				let query = proxyHostModel
-					.query()
-					.where('is_deleted', 0)
-					.groupBy('id')
-					.omit(['is_deleted'])
-					.allowEager('[owner,access_list,certificate]')
-					.orderBy('domain_names', 'ASC');
+	getAll: async (access, expand, searchQuery) => {
+		const accessData = await access.can("proxy_hosts:list");
+		const query = proxyHostModel
+			.query()
+			.where("is_deleted", 0)
+			.groupBy("id")
+			.allowGraph("[owner,access_list,certificate]")
+			.orderBy(castJsonIfNeed("domain_names"), "ASC");

-				if (access_data.permission_visibility !== 'all') {
-					query.andWhere('owner_user_id', access.token.getUserId(1));
-				}
+		if (accessData.permission_visibility !== "all") {
+			query.andWhere("owner_user_id", access.token.getUserId(1));
+		}

-				// Query is used for searching
-				if (typeof search_query === 'string') {
-					query.where(function () {
-						this.where('domain_names', 'like', '%' + search_query + '%');
-					});
-				}
-
-				if (typeof expand !== 'undefined' && expand !== null) {
-					query.eager('[' + expand.join(', ') + ']');
-				}
-
-				return query;
-			})
-			.then((rows) => {
-				if (typeof expand !== 'undefined' && expand !== null && expand.indexOf('certificate') !== -1) {
-					return internalHost.cleanAllRowsCertificateMeta(rows);
-				}
-
-				return rows;
+		// Query is used for searching
+		if (typeof searchQuery === "string" && searchQuery.length > 0) {
+			query.where(function () {
+				this.where(castJsonIfNeed("domain_names"), "like", `%${searchQuery}%`);
 			});
+		}
+
+		if (typeof expand !== "undefined" && expand !== null) {
+			query.withGraphFetched(`[${expand.join(", ")}]`);
+		}
+
+		const rows = await query.then(utils.omitRows(omissions()));
+		if (typeof expand !== "undefined" && expand !== null && expand.indexOf("certificate") !== -1) {
+			return internalHost.cleanAllRowsCertificateMeta(rows);
+		}
+		return rows;
 	},

 	/**
@@ -447,20 +459,16 @@ const internalProxyHost = {
 	 * @returns {Promise}
 	 */
 	getCount: (user_id, visibility) => {
-		let query = proxyHostModel
-			.query()
-			.count('id as count')
-			.where('is_deleted', 0);
+		const query = proxyHostModel.query().count("id as count").where("is_deleted", 0);

-		if (visibility !== 'all') {
-			query.andWhere('owner_user_id', user_id);
+		if (visibility !== "all") {
+			query.andWhere("owner_user_id", user_id);
 		}

-		return query.first()
-			.then((row) => {
-				return parseInt(row.count, 10);
-			});
-	}
+		return query.first().then((row) => {
+			return Number.parseInt(row.count, 10);
+		});
+	},
 };

-module.exports = internalProxyHost;
+export default internalProxyHost;
--- a/backend/internal/redirection-host.js
+++ b/backend/internal/redirection-host.js
@@ -1,98 +1,105 @@
-const _                    = require('lodash');
-const error                = require('../lib/error');
-const redirectionHostModel = require('../models/redirection_host');
-const internalHost         = require('./host');
-const internalNginx        = require('./nginx');
-const internalAuditLog     = require('./audit-log');
-const internalCertificate  = require('./certificate');
+import _ from "lodash";
+import errs from "../lib/error.js";
+import { castJsonIfNeed } from "../lib/helpers.js";
+import utils from "../lib/utils.js";
+import redirectionHostModel from "../models/redirection_host.js";
+import internalAuditLog from "./audit-log.js";
+import internalCertificate from "./certificate.js";
+import internalHost from "./host.js";
+import internalNginx from "./nginx.js";

-function omissions () {
-	return ['is_deleted'];
-}
+const omissions = () => {
+	return ["is_deleted"];
+};

 const internalRedirectionHost = {
-
 	/**
 	 * @param   {Access}  access
 	 * @param   {Object}  data
 	 * @returns {Promise}
 	 */
 	create: (access, data) => {
-		let create_certificate = data.certificate_id === 'new';
+		let thisData = data || {};
+		const createCertificate = thisData.certificate_id === "new";

-		if (create_certificate) {
-			delete data.certificate_id;
+		if (createCertificate) {
+			delete thisData.certificate_id;
 		}

-		return access.can('redirection_hosts:create', data)
+		return access
+			.can("redirection_hosts:create", thisData)
 			.then((/*access_data*/) => {
 				// Get a list of the domain names and check each of them against existing records
-				let domain_name_check_promises = [];
+				const domain_name_check_promises = [];

-				data.domain_names.map(function (domain_name) {
+				thisData.domain_names.map((domain_name) => {
 					domain_name_check_promises.push(internalHost.isHostnameTaken(domain_name));
+					return true;
 				});

-				return Promise.all(domain_name_check_promises)
-					.then((check_results) => {
-						check_results.map(function (result) {
-							if (result.is_taken) {
-								throw new error.ValidationError(result.hostname + ' is already in use');
-							}
-						});
+				return Promise.all(domain_name_check_promises).then((check_results) => {
+					check_results.map((result) => {
+						if (result.is_taken) {
+							throw new errs.ValidationError(`${result.hostname} is already in use`);
+						}
+						return true;
 					});
+				});
 			})
 			.then(() => {
 				// At this point the domains should have been checked
-				data.owner_user_id = access.token.getUserId(1);
-				data               = internalHost.cleanSslHstsData(data);
+				thisData.owner_user_id = access.token.getUserId(1);
+				thisData = internalHost.cleanSslHstsData(thisData);

-				return redirectionHostModel
-					.query()
-					.omit(omissions())
-					.insertAndFetch(data);
+				// Fix for db field not having a default value
+				// for this optional field.
+				if (typeof data.advanced_config === "undefined") {
+					data.advanced_config = "";
+				}
+
+				return redirectionHostModel.query().insertAndFetch(thisData).then(utils.omitRow(omissions()));
 			})
 			.then((row) => {
-				if (create_certificate) {
-					return internalCertificate.createQuickCertificate(access, data)
+				if (createCertificate) {
+					return internalCertificate
+						.createQuickCertificate(access, thisData)
 						.then((cert) => {
 							// update host with cert id
 							return internalRedirectionHost.update(access, {
-								id:             row.id,
-								certificate_id: cert.id
+								id: row.id,
+								certificate_id: cert.id,
 							});
 						})
 						.then(() => {
 							return row;
 						});
-				} else {
-					return row;
 				}
+				return row;
 			})
 			.then((row) => {
 				// re-fetch with cert
 				return internalRedirectionHost.get(access, {
-					id:     row.id,
-					expand: ['certificate', 'owner']
+					id: row.id,
+					expand: ["certificate", "owner"],
 				});
 			})
 			.then((row) => {
 				// Configure nginx
-				return internalNginx.configure(redirectionHostModel, 'redirection_host', row)
-					.then(() => {
-						return row;
-					});
+				return internalNginx.configure(redirectionHostModel, "redirection_host", row).then(() => {
+					return row;
+				});
 			})
 			.then((row) => {
-				data.meta = _.assign({}, data.meta || {}, row.meta);
+				thisData.meta = _.assign({}, thisData.meta || {}, row.meta);

 				// Add to audit log
-				return internalAuditLog.add(access, {
-					action:      'created',
-					object_type: 'redirection-host',
-					object_id:   row.id,
-					meta:        data
-				})
+				return internalAuditLog
+					.add(access, {
+						action: "created",
+						object_type: "redirection-host",
+						object_id: row.id,
+						meta: thisData,
+					})
 					.then(() => {
 						return row;
 					});
@@ -106,94 +113,107 @@ const internalRedirectionHost = {
 	 * @return {Promise}
 	 */
 	update: (access, data) => {
-		let create_certificate = data.certificate_id === 'new';
+		let thisData = data || {};
+		const createCertificate = thisData.certificate_id === "new";

-		if (create_certificate) {
-			delete data.certificate_id;
+		if (createCertificate) {
+			delete thisData.certificate_id;
 		}

-		return access.can('redirection_hosts:update', data.id)
+		return access
+			.can("redirection_hosts:update", thisData.id)
 			.then((/*access_data*/) => {
 				// Get a list of the domain names and check each of them against existing records
-				let domain_name_check_promises = [];
+				const domain_name_check_promises = [];

-				if (typeof data.domain_names !== 'undefined') {
-					data.domain_names.map(function (domain_name) {
-						domain_name_check_promises.push(internalHost.isHostnameTaken(domain_name, 'redirection', data.id));
+				if (typeof thisData.domain_names !== "undefined") {
+					thisData.domain_names.map((domain_name) => {
+						domain_name_check_promises.push(
+							internalHost.isHostnameTaken(domain_name, "redirection", thisData.id),
+						);
+						return true;
 					});

-					return Promise.all(domain_name_check_promises)
-						.then((check_results) => {
-							check_results.map(function (result) {
-								if (result.is_taken) {
-									throw new error.ValidationError(result.hostname + ' is already in use');
-								}
-							});
+					return Promise.all(domain_name_check_promises).then((check_results) => {
+						check_results.map((result) => {
+							if (result.is_taken) {
+								throw new errs.ValidationError(`${result.hostname} is already in use`);
+							}
+							return true;
 						});
+					});
 				}
 			})
 			.then(() => {
-				return internalRedirectionHost.get(access, {id: data.id});
+				return internalRedirectionHost.get(access, { id: thisData.id });
 			})
 			.then((row) => {
-				if (row.id !== data.id) {
+				if (row.id !== thisData.id) {
 					// Sanity check that something crazy hasn't happened
-					throw new error.InternalValidationError('Redirection Host could not be updated, IDs do not match: ' + row.id + ' !== ' + data.id);
+					throw new errs.InternalValidationError(
+						`Redirection Host could not be updated, IDs do not match: ${row.id} !== ${thisData.id}`,
+					);
 				}

-				if (create_certificate) {
-					return internalCertificate.createQuickCertificate(access, {
-						domain_names: data.domain_names || row.domain_names,
-						meta:         _.assign({}, row.meta, data.meta)
-					})
+				if (createCertificate) {
+					return internalCertificate
+						.createQuickCertificate(access, {
+							domain_names: thisData.domain_names || row.domain_names,
+							meta: _.assign({}, row.meta, thisData.meta),
+						})
 						.then((cert) => {
 							// update host with cert id
-							data.certificate_id = cert.id;
+							thisData.certificate_id = cert.id;
 						})
 						.then(() => {
 							return row;
 						});
-				} else {
-					return row;
 				}
+				return row;
 			})
 			.then((row) => {
 				// Add domain_names to the data in case it isn't there, so that the audit log renders correctly. The order is important here.
-				data = _.assign({}, {
-					domain_names: row.domain_names
-				}, data);
+				thisData = _.assign(
+					{},
+					{
+						domain_names: row.domain_names,
+					},
+					thisData,
+				);

-				data = internalHost.cleanSslHstsData(data, row);
+				thisData = internalHost.cleanSslHstsData(thisData, row);

 				return redirectionHostModel
 					.query()
-					.where({id: data.id})
-					.patch(data)
+					.where({ id: thisData.id })
+					.patch(thisData)
 					.then((saved_row) => {
 						// Add to audit log
-						return internalAuditLog.add(access, {
-							action:      'updated',
-							object_type: 'redirection-host',
-							object_id:   row.id,
-							meta:        data
-						})
+						return internalAuditLog
+							.add(access, {
+								action: "updated",
+								object_type: "redirection-host",
+								object_id: row.id,
+								meta: thisData,
+							})
 							.then(() => {
 								return _.omit(saved_row, omissions());
 							});
 					});
 			})
 			.then(() => {
-				return internalRedirectionHost.get(access, {
-					id:     data.id,
-					expand: ['owner', 'certificate']
-				})
+				return internalRedirectionHost
+					.get(access, {
+						id: thisData.id,
+						expand: ["owner", "certificate"],
+					})
 					.then((row) => {
 						// Configure nginx
-						return internalNginx.configure(redirectionHostModel, 'redirection_host', row)
+						return internalNginx
+							.configure(redirectionHostModel, "redirection_host", row)
 							.then((new_meta) => {
 								row.meta = new_meta;
-								row      = internalHost.cleanRowCertificateMeta(row);
-								return _.omit(row, omissions());
+								return _.omit(internalHost.cleanRowCertificateMeta(row), omissions());
 							});
 					});
 			});
@@ -208,41 +228,39 @@ const internalRedirectionHost = {
 	 * @return {Promise}
 	 */
 	get: (access, data) => {
-		if (typeof data === 'undefined') {
-			data = {};
-		}
+		const thisData = data || {};

-		return access.can('redirection_hosts:get', data.id)
+		return access
+			.can("redirection_hosts:get", thisData.id)
 			.then((access_data) => {
-				let query = redirectionHostModel
+				const query = redirectionHostModel
 					.query()
-					.where('is_deleted', 0)
-					.andWhere('id', data.id)
-					.allowEager('[owner,certificate]')
+					.where("is_deleted", 0)
+					.andWhere("id", thisData.id)
+					.allowGraph("[owner,certificate]")
 					.first();

-				if (access_data.permission_visibility !== 'all') {
-					query.andWhere('owner_user_id', access.token.getUserId(1));
+				if (access_data.permission_visibility !== "all") {
+					query.andWhere("owner_user_id", access.token.getUserId(1));
 				}

-				// Custom omissions
-				if (typeof data.omit !== 'undefined' && data.omit !== null) {
-					query.omit(data.omit);
+				if (typeof thisData.expand !== "undefined" && thisData.expand !== null) {
+					query.withGraphFetched(`[${thisData.expand.join(", ")}]`);
 				}

-				if (typeof data.expand !== 'undefined' && data.expand !== null) {
-					query.eager('[' + data.expand.join(', ') + ']');
-				}
-
-				return query;
+				return query.then(utils.omitRow(omissions()));
 			})
 			.then((row) => {
-				if (row) {
-					row = internalHost.cleanRowCertificateMeta(row);
-					return _.omit(row, omissions());
-				} else {
-					throw new error.ItemNotFoundError(data.id);
+				let thisRow = row;
+				if (!thisRow || !thisRow.id) {
+					throw new errs.ItemNotFoundError(thisData.id);
 				}
+				thisRow = internalHost.cleanRowCertificateMeta(thisRow);
+				// Custom omissions
+				if (typeof thisData.omit !== "undefined" && thisData.omit !== null) {
+					return _.omit(thisRow, thisData.omit);
+				}
+				return thisRow;
 			});
 	},

@@ -254,35 +272,35 @@ const internalRedirectionHost = {
 	 * @returns {Promise}
 	 */
 	delete: (access, data) => {
-		return access.can('redirection_hosts:delete', data.id)
+		return access
+			.can("redirection_hosts:delete", data.id)
 			.then(() => {
-				return internalRedirectionHost.get(access, {id: data.id});
+				return internalRedirectionHost.get(access, { id: data.id });
 			})
 			.then((row) => {
-				if (!row) {
-					throw new error.ItemNotFoundError(data.id);
+				if (!row || !row.id) {
+					throw new errs.ItemNotFoundError(data.id);
 				}

 				return redirectionHostModel
 					.query()
-					.where('id', row.id)
+					.where("id", row.id)
 					.patch({
-						is_deleted: 1
+						is_deleted: 1,
 					})
 					.then(() => {
 						// Delete Nginx Config
-						return internalNginx.deleteConfig('redirection_host', row)
-							.then(() => {
-								return internalNginx.reload();
-							});
+						return internalNginx.deleteConfig("redirection_host", row).then(() => {
+							return internalNginx.reload();
+						});
 					})
 					.then(() => {
 						// Add to audit log
 						return internalAuditLog.add(access, {
-							action:      'deleted',
-							object_type: 'redirection-host',
-							object_id:   row.id,
-							meta:        _.omit(row, omissions())
+							action: "deleted",
+							object_type: "redirection-host",
+							object_id: row.id,
+							meta: _.omit(row, omissions()),
 						});
 					});
 			})
@@ -299,39 +317,41 @@ const internalRedirectionHost = {
 	 * @returns {Promise}
 	 */
 	enable: (access, data) => {
-		return access.can('redirection_hosts:update', data.id)
+		return access
+			.can("redirection_hosts:update", data.id)
 			.then(() => {
 				return internalRedirectionHost.get(access, {
-					id:     data.id,
-					expand: ['certificate', 'owner']
+					id: data.id,
+					expand: ["certificate", "owner"],
 				});
 			})
 			.then((row) => {
-				if (!row) {
-					throw new error.ItemNotFoundError(data.id);
-				} else if (row.enabled) {
-					throw new error.ValidationError('Host is already enabled');
+				if (!row || !row.id) {
+					throw new errs.ItemNotFoundError(data.id);
+				}
+				if (row.enabled) {
+					throw new errs.ValidationError("Host is already enabled");
 				}

 				row.enabled = 1;

 				return redirectionHostModel
 					.query()
-					.where('id', row.id)
+					.where("id", row.id)
 					.patch({
-						enabled: 1
+						enabled: 1,
 					})
 					.then(() => {
 						// Configure nginx
-						return internalNginx.configure(redirectionHostModel, 'redirection_host', row);
+						return internalNginx.configure(redirectionHostModel, "redirection_host", row);
 					})
 					.then(() => {
 						// Add to audit log
 						return internalAuditLog.add(access, {
-							action:      'enabled',
-							object_type: 'redirection-host',
-							object_id:   row.id,
-							meta:        _.omit(row, omissions())
+							action: "enabled",
+							object_type: "redirection-host",
+							object_id: row.id,
+							meta: _.omit(row, omissions()),
 						});
 					});
 			})
@@ -348,39 +368,40 @@ const internalRedirectionHost = {
 	 * @returns {Promise}
 	 */
 	disable: (access, data) => {
-		return access.can('redirection_hosts:update', data.id)
+		return access
+			.can("redirection_hosts:update", data.id)
 			.then(() => {
-				return internalRedirectionHost.get(access, {id: data.id});
+				return internalRedirectionHost.get(access, { id: data.id });
 			})
 			.then((row) => {
-				if (!row) {
-					throw new error.ItemNotFoundError(data.id);
-				} else if (!row.enabled) {
-					throw new error.ValidationError('Host is already disabled');
+				if (!row || !row.id) {
+					throw new errs.ItemNotFoundError(data.id);
+				}
+				if (!row.enabled) {
+					throw new errs.ValidationError("Host is already disabled");
 				}

 				row.enabled = 0;

 				return redirectionHostModel
 					.query()
-					.where('id', row.id)
+					.where("id", row.id)
 					.patch({
-						enabled: 0
+						enabled: 0,
 					})
 					.then(() => {
 						// Delete Nginx Config
-						return internalNginx.deleteConfig('redirection_host', row)
-							.then(() => {
-								return internalNginx.reload();
-							});
+						return internalNginx.deleteConfig("redirection_host", row).then(() => {
+							return internalNginx.reload();
+						});
 					})
 					.then(() => {
 						// Add to audit log
 						return internalAuditLog.add(access, {
-							action:      'disabled',
-							object_type: 'redirection-host',
-							object_id:   row.id,
-							meta:        _.omit(row, omissions())
+							action: "disabled",
+							object_type: "redirection-host",
+							object_id: row.id,
+							meta: _.omit(row, omissions()),
 						});
 					});
 			})
@@ -398,35 +419,35 @@ const internalRedirectionHost = {
 	 * @returns {Promise}
 	 */
 	getAll: (access, expand, search_query) => {
-		return access.can('redirection_hosts:list')
+		return access
+			.can("redirection_hosts:list")
 			.then((access_data) => {
-				let query = redirectionHostModel
+				const query = redirectionHostModel
 					.query()
-					.where('is_deleted', 0)
-					.groupBy('id')
-					.omit(['is_deleted'])
-					.allowEager('[owner,certificate]')
-					.orderBy('domain_names', 'ASC');
+					.where("is_deleted", 0)
+					.groupBy("id")
+					.allowGraph("[owner,certificate]")
+					.orderBy(castJsonIfNeed("domain_names"), "ASC");

-				if (access_data.permission_visibility !== 'all') {
-					query.andWhere('owner_user_id', access.token.getUserId(1));
+				if (access_data.permission_visibility !== "all") {
+					query.andWhere("owner_user_id", access.token.getUserId(1));
 				}

 				// Query is used for searching
-				if (typeof search_query === 'string') {
+				if (typeof search_query === "string" && search_query.length > 0) {
 					query.where(function () {
-						this.where('domain_names', 'like', '%' + search_query + '%');
+						this.where(castJsonIfNeed("domain_names"), "like", `%${search_query}%`);
 					});
 				}

-				if (typeof expand !== 'undefined' && expand !== null) {
-					query.eager('[' + expand.join(', ') + ']');
+				if (typeof expand !== "undefined" && expand !== null) {
+					query.withGraphFetched(`[${expand.join(", ")}]`);
 				}

-				return query;
+				return query.then(utils.omitRows(omissions()));
 			})
 			.then((rows) => {
-				if (typeof expand !== 'undefined' && expand !== null && expand.indexOf('certificate') !== -1) {
+				if (typeof expand !== "undefined" && expand !== null && expand.indexOf("certificate") !== -1) {
 					return internalHost.cleanAllRowsCertificateMeta(rows);
 				}

@@ -442,20 +463,16 @@ const internalRedirectionHost = {
 	 * @returns {Promise}
 	 */
 	getCount: (user_id, visibility) => {
-		let query = redirectionHostModel
-			.query()
-			.count('id as count')
-			.where('is_deleted', 0);
+		const query = redirectionHostModel.query().count("id as count").where("is_deleted", 0);

-		if (visibility !== 'all') {
-			query.andWhere('owner_user_id', user_id);
+		if (visibility !== "all") {
+			query.andWhere("owner_user_id", user_id);
 		}

-		return query.first()
-			.then((row) => {
-				return parseInt(row.count, 10);
-			});
-	}
+		return query.first().then((row) => {
+			return Number.parseInt(row.count, 10);
+		});
+	},
 };

-module.exports = internalRedirectionHost;
+export default internalRedirectionHost;
--- a/backend/internal/report.js
+++ b/backend/internal/report.js
@@ -1,38 +1,37 @@
-const internalProxyHost       = require('./proxy-host');
-const internalRedirectionHost = require('./redirection-host');
-const internalDeadHost        = require('./dead-host');
-const internalStream          = require('./stream');
+import internalDeadHost from "./dead-host.js";
+import internalProxyHost from "./proxy-host.js";
+import internalRedirectionHost from "./redirection-host.js";
+import internalStream from "./stream.js";

 const internalReport = {
-
 	/**
 	 * @param  {Access}   access
 	 * @return {Promise}
 	 */
 	getHostsReport: (access) => {
-		return access.can('reports:hosts', 1)
+		return access
+			.can("reports:hosts", 1)
 			.then((access_data) => {
-				let user_id = access.token.getUserId(1);
+				const userId = access.token.getUserId(1);

-				let promises = [
-					internalProxyHost.getCount(user_id, access_data.visibility),
-					internalRedirectionHost.getCount(user_id, access_data.visibility),
-					internalStream.getCount(user_id, access_data.visibility),
-					internalDeadHost.getCount(user_id, access_data.visibility)
+				const promises = [
+					internalProxyHost.getCount(userId, access_data.visibility),
+					internalRedirectionHost.getCount(userId, access_data.visibility),
+					internalStream.getCount(userId, access_data.visibility),
+					internalDeadHost.getCount(userId, access_data.visibility),
 				];

 				return Promise.all(promises);
 			})
 			.then((counts) => {
 				return {
-					proxy:       counts.shift(),
+					proxy: counts.shift(),
 					redirection: counts.shift(),
-					stream:      counts.shift(),
-					dead:        counts.shift()
+					stream: counts.shift(),
+					dead: counts.shift(),
 				};
 			});
-
-	}
+	},
 };

-module.exports = internalReport;
+export default internalReport;
--- a/backend/internal/setting.js
+++ b/backend/internal/setting.js
@@ -1,10 +1,9 @@
-const fs            = require('fs');
-const error         = require('../lib/error');
-const settingModel  = require('../models/setting');
-const internalNginx = require('./nginx');
+import fs from "node:fs";
+import errs from "../lib/error.js";
+import settingModel from "../models/setting.js";
+import internalNginx from "./nginx.js";

 const internalSetting = {
-
 	/**
 	 * @param  {Access}  access
 	 * @param  {Object}  data
@@ -12,37 +11,38 @@ const internalSetting = {
 	 * @return {Promise}
 	 */
 	update: (access, data) => {
-		return access.can('settings:update', data.id)
+		return access
+			.can("settings:update", data.id)
 			.then((/*access_data*/) => {
-				return internalSetting.get(access, {id: data.id});
+				return internalSetting.get(access, { id: data.id });
 			})
 			.then((row) => {
 				if (row.id !== data.id) {
 					// Sanity check that something crazy hasn't happened
-					throw new error.InternalValidationError('Setting could not be updated, IDs do not match: ' + row.id + ' !== ' + data.id);
+					throw new errs.InternalValidationError(
+						`Setting could not be updated, IDs do not match: ${row.id} !== ${data.id}`,
+					);
 				}

-				return settingModel
-					.query()
-					.where({id: data.id})
-					.patch(data);
+				return settingModel.query().where({ id: data.id }).patch(data);
 			})
 			.then(() => {
 				return internalSetting.get(access, {
-					id: data.id
+					id: data.id,
 				});
 			})
 			.then((row) => {
-				if (row.id === 'default-site') {
+				if (row.id === "default-site") {
 					// write the html if we need to
-					if (row.value === 'html') {
-						fs.writeFileSync('/data/nginx/default_www/index.html', row.meta.html, {encoding: 'utf8'});
+					if (row.value === "html") {
+						fs.writeFileSync("/data/nginx/default_www/index.html", row.meta.html, { encoding: "utf8" });
 					}

 					// Configure nginx
-					return internalNginx.deleteConfig('default')
+					return internalNginx
+						.deleteConfig("default")
 						.then(() => {
-							return internalNginx.generateConfig('default', row);
+							return internalNginx.generateConfig("default", row);
 						})
 						.then(() => {
 							return internalNginx.test();
@@ -54,7 +54,8 @@ const internalSetting = {
 							return row;
 						})
 						.catch((/*err*/) => {
-							internalNginx.deleteConfig('default')
+							internalNginx
+								.deleteConfig("default")
 								.then(() => {
 									return internalNginx.test();
 								})
@@ -63,12 +64,11 @@ const internalSetting = {
 								})
 								.then(() => {
 									// I'm being slack here I know..
-									throw new error.ValidationError('Could not reconfigure Nginx. Please check logs.');
+									throw new errs.ValidationError("Could not reconfigure Nginx. Please check logs.");
 								});
 						});
-				} else {
-					return row;
 				}
+				return row;
 			});
 	},

@@ -79,19 +79,16 @@ const internalSetting = {
 	 * @return {Promise}
 	 */
 	get: (access, data) => {
-		return access.can('settings:get', data.id)
+		return access
+			.can("settings:get", data.id)
 			.then(() => {
-				return settingModel
-					.query()
-					.where('id', data.id)
-					.first();
+				return settingModel.query().where("id", data.id).first();
 			})
 			.then((row) => {
 				if (row) {
 					return row;
-				} else {
-					throw new error.ItemNotFoundError(data.id);
 				}
+				throw new errs.ItemNotFoundError(data.id);
 			});
 	},

@@ -102,15 +99,13 @@ const internalSetting = {
 	 * @returns {*}
 	 */
 	getCount: (access) => {
-		return access.can('settings:list')
+		return access
+			.can("settings:list")
 			.then(() => {
-				return settingModel
-					.query()
-					.count('id as count')
-					.first();
+				return settingModel.query().count("id as count").first();
 			})
 			.then((row) => {
-				return parseInt(row.count, 10);
+				return Number.parseInt(row.count, 10);
 			});
 	},

@@ -121,13 +116,10 @@ const internalSetting = {
 	 * @returns {Promise}
 	 */
 	getAll: (access) => {
-		return access.can('settings:list')
-			.then(() => {
-				return settingModel
-					.query()
-					.orderBy('description', 'ASC');
-			});
-	}
+		return access.can("settings:list").then(() => {
+			return settingModel.query().orderBy("description", "ASC");
+		});
+	},
 };

-module.exports = internalSetting;
+export default internalSetting;
--- a/backend/internal/stream.js
+++ b/backend/internal/stream.js
@@ -1,50 +1,85 @@
-const _                = require('lodash');
-const error            = require('../lib/error');
-const streamModel      = require('../models/stream');
-const internalNginx    = require('./nginx');
-const internalAuditLog = require('./audit-log');
+import _ from "lodash";
+import errs from "../lib/error.js";
+import { castJsonIfNeed } from "../lib/helpers.js";
+import utils from "../lib/utils.js";
+import streamModel from "../models/stream.js";
+import internalAuditLog from "./audit-log.js";
+import internalCertificate from "./certificate.js";
+import internalHost from "./host.js";
+import internalNginx from "./nginx.js";

-function omissions () {
-	return ['is_deleted'];
-}
+const omissions = () => {
+	return ["is_deleted", "owner.is_deleted", "certificate.is_deleted"];
+};

 const internalStream = {
-
 	/**
 	 * @param   {Access}  access
 	 * @param   {Object}  data
 	 * @returns {Promise}
 	 */
 	create: (access, data) => {
-		return access.can('streams:create', data)
+		const create_certificate = data.certificate_id === "new";
+
+		if (create_certificate) {
+			delete data.certificate_id;
+		}
+
+		return access
+			.can("streams:create", data)
 			.then((/*access_data*/) => {
 				// TODO: At this point the existing ports should have been checked
 				data.owner_user_id = access.token.getUserId(1);

-				if (typeof data.meta === 'undefined') {
+				if (typeof data.meta === "undefined") {
 					data.meta = {};
 				}

-				return streamModel
-					.query()
-					.omit(omissions())
-					.insertAndFetch(data);
+				// streams aren't routed by domain name so don't store domain names in the DB
+				const data_no_domains = structuredClone(data);
+				delete data_no_domains.domain_names;
+
+				return streamModel.query().insertAndFetch(data_no_domains).then(utils.omitRow(omissions()));
+			})
+			.then((row) => {
+				if (create_certificate) {
+					return internalCertificate
+						.createQuickCertificate(access, data)
+						.then((cert) => {
+							// update host with cert id
+							return internalStream.update(access, {
+								id: row.id,
+								certificate_id: cert.id,
+							});
+						})
+						.then(() => {
+							return row;
+						});
+				}
+				return row;
+			})
+			.then((row) => {
+				// re-fetch with cert
+				return internalStream.get(access, {
+					id: row.id,
+					expand: ["certificate", "owner"],
+				});
 			})
 			.then((row) => {
 				// Configure nginx
-				return internalNginx.configure(streamModel, 'stream', row)
-					.then(() => {
-						return internalStream.get(access, {id: row.id, expand: ['owner']});
-					});
+				return internalNginx.configure(streamModel, "stream", row).then(() => {
+					return row;
+				});
 			})
 			.then((row) => {
 				// Add to audit log
-				return internalAuditLog.add(access, {
-					action:      'created',
-					object_type: 'stream',
-					object_id:   row.id,
-					meta:        data
-				})
+				return internalAuditLog
+					.add(access, {
+						action: "created",
+						object_type: "stream",
+						object_id: row.id,
+						meta: data,
+					})
 					.then(() => {
 						return row;
 					});
@@ -58,39 +93,78 @@ const internalStream = {
 	 * @return {Promise}
 	 */
 	update: (access, data) => {
-		return access.can('streams:update', data.id)
+		let thisData = data;
+		const create_certificate = thisData.certificate_id === "new";
+
+		if (create_certificate) {
+			delete thisData.certificate_id;
+		}
+
+		return access
+			.can("streams:update", thisData.id)
 			.then((/*access_data*/) => {
 				// TODO: at this point the existing streams should have been checked
-				return internalStream.get(access, {id: data.id});
+				return internalStream.get(access, { id: thisData.id });
 			})
 			.then((row) => {
-				if (row.id !== data.id) {
+				if (row.id !== thisData.id) {
 					// Sanity check that something crazy hasn't happened
-					throw new error.InternalValidationError('Stream could not be updated, IDs do not match: ' + row.id + ' !== ' + data.id);
+					throw new errs.InternalValidationError(
+						`Stream could not be updated, IDs do not match: ${row.id} !== ${thisData.id}`,
+					);
 				}

+				if (create_certificate) {
+					return internalCertificate
+						.createQuickCertificate(access, {
+							domain_names: thisData.domain_names || row.domain_names,
+							meta: _.assign({}, row.meta, thisData.meta),
+						})
+						.then((cert) => {
+							// update host with cert id
+							thisData.certificate_id = cert.id;
+						})
+						.then(() => {
+							return row;
+						});
+				}
+				return row;
+			})
+			.then((row) => {
+				// Add domain_names to the data in case it isn't there, so that the audit log renders correctly. The order is important here.
+				thisData = _.assign(
+					{},
+					{
+						domain_names: row.domain_names,
+					},
+					thisData,
+				);
+
 				return streamModel
 					.query()
-					.omit(omissions())
-					.patchAndFetchById(row.id, data)
-					.then((saved_row) => {
-						return internalNginx.configure(streamModel, 'stream', saved_row)
-							.then(() => {
-								return internalStream.get(access, {id: row.id, expand: ['owner']});
-							});
-					})
+					.patchAndFetchById(row.id, thisData)
+					.then(utils.omitRow(omissions()))
 					.then((saved_row) => {
 						// Add to audit log
-						return internalAuditLog.add(access, {
-							action:      'updated',
-							object_type: 'stream',
-							object_id:   row.id,
-							meta:        data
-						})
+						return internalAuditLog
+							.add(access, {
+								action: "updated",
+								object_type: "stream",
+								object_id: row.id,
+								meta: thisData,
+							})
 							.then(() => {
-								return _.omit(saved_row, omissions());
+								return saved_row;
 							});
 					});
+			})
+			.then(() => {
+				return internalStream.get(access, { id: thisData.id, expand: ["owner", "certificate"] }).then((row) => {
+					return internalNginx.configure(streamModel, "stream", row).then((new_meta) => {
+						row.meta = new_meta;
+						return _.omit(internalHost.cleanRowCertificateMeta(row), omissions());
+					});
+				});
 			});
 	},

@@ -103,40 +177,39 @@ const internalStream = {
 	 * @return {Promise}
 	 */
 	get: (access, data) => {
-		if (typeof data === 'undefined') {
-			data = {};
-		}
+		const thisData = data || {};

-		return access.can('streams:get', data.id)
+		return access
+			.can("streams:get", thisData.id)
 			.then((access_data) => {
-				let query = streamModel
+				const query = streamModel
 					.query()
-					.where('is_deleted', 0)
-					.andWhere('id', data.id)
-					.allowEager('[owner]')
+					.where("is_deleted", 0)
+					.andWhere("id", thisData.id)
+					.allowGraph("[owner,certificate]")
 					.first();

-				if (access_data.permission_visibility !== 'all') {
-					query.andWhere('owner_user_id', access.token.getUserId(1));
+				if (access_data.permission_visibility !== "all") {
+					query.andWhere("owner_user_id", access.token.getUserId(1));
 				}

-				// Custom omissions
-				if (typeof data.omit !== 'undefined' && data.omit !== null) {
-					query.omit(data.omit);
+				if (typeof thisData.expand !== "undefined" && thisData.expand !== null) {
+					query.withGraphFetched(`[${thisData.expand.join(", ")}]`);
 				}

-				if (typeof data.expand !== 'undefined' && data.expand !== null) {
-					query.eager('[' + data.expand.join(', ') + ']');
-				}
-
-				return query;
+				return query.then(utils.omitRow(omissions()));
 			})
 			.then((row) => {
-				if (row) {
-					return _.omit(row, omissions());
-				} else {
-					throw new error.ItemNotFoundError(data.id);
+				let thisRow = row;
+				if (!thisRow || !thisRow.id) {
+					throw new errs.ItemNotFoundError(thisData.id);
 				}
+				thisRow = internalHost.cleanRowCertificateMeta(thisRow);
+				// Custom omissions
+				if (typeof thisData.omit !== "undefined" && thisData.omit !== null) {
+					return _.omit(thisRow, thisData.omit);
+				}
+				return thisRow;
 			});
 	},

@@ -148,35 +221,35 @@ const internalStream = {
 	 * @returns {Promise}
 	 */
 	delete: (access, data) => {
-		return access.can('streams:delete', data.id)
+		return access
+			.can("streams:delete", data.id)
 			.then(() => {
-				return internalStream.get(access, {id: data.id});
+				return internalStream.get(access, { id: data.id });
 			})
 			.then((row) => {
-				if (!row) {
-					throw new error.ItemNotFoundError(data.id);
+				if (!row || !row.id) {
+					throw new errs.ItemNotFoundError(data.id);
 				}

 				return streamModel
 					.query()
-					.where('id', row.id)
+					.where("id", row.id)
 					.patch({
-						is_deleted: 1
+						is_deleted: 1,
 					})
 					.then(() => {
 						// Delete Nginx Config
-						return internalNginx.deleteConfig('stream', row)
-							.then(() => {
-								return internalNginx.reload();
-							});
+						return internalNginx.deleteConfig("stream", row).then(() => {
+							return internalNginx.reload();
+						});
 					})
 					.then(() => {
 						// Add to audit log
 						return internalAuditLog.add(access, {
-							action:      'deleted',
-							object_type: 'stream',
-							object_id:   row.id,
-							meta:        _.omit(row, omissions())
+							action: "deleted",
+							object_type: "stream",
+							object_id: row.id,
+							meta: _.omit(row, omissions()),
 						});
 					});
 			})
@@ -193,39 +266,41 @@ const internalStream = {
 	 * @returns {Promise}
 	 */
 	enable: (access, data) => {
-		return access.can('streams:update', data.id)
+		return access
+			.can("streams:update", data.id)
 			.then(() => {
 				return internalStream.get(access, {
-					id:     data.id,
-					expand: ['owner']
+					id: data.id,
+					expand: ["certificate", "owner"],
 				});
 			})
 			.then((row) => {
-				if (!row) {
-					throw new error.ItemNotFoundError(data.id);
-				} else if (row.enabled) {
-					throw new error.ValidationError('Host is already enabled');
+				if (!row || !row.id) {
+					throw new errs.ItemNotFoundError(data.id);
+				}
+				if (row.enabled) {
+					throw new errs.ValidationError("Stream is already enabled");
 				}

 				row.enabled = 1;

 				return streamModel
 					.query()
-					.where('id', row.id)
+					.where("id", row.id)
 					.patch({
-						enabled: 1
+						enabled: 1,
 					})
 					.then(() => {
 						// Configure nginx
-						return internalNginx.configure(streamModel, 'stream', row);
+						return internalNginx.configure(streamModel, "stream", row);
 					})
 					.then(() => {
 						// Add to audit log
 						return internalAuditLog.add(access, {
-							action:      'enabled',
-							object_type: 'stream',
-							object_id:   row.id,
-							meta:        _.omit(row, omissions())
+							action: "enabled",
+							object_type: "stream",
+							object_id: row.id,
+							meta: _.omit(row, omissions()),
 						});
 					});
 			})
@@ -242,39 +317,40 @@ const internalStream = {
 	 * @returns {Promise}
 	 */
 	disable: (access, data) => {
-		return access.can('streams:update', data.id)
+		return access
+			.can("streams:update", data.id)
 			.then(() => {
-				return internalStream.get(access, {id: data.id});
+				return internalStream.get(access, { id: data.id });
 			})
 			.then((row) => {
-				if (!row) {
-					throw new error.ItemNotFoundError(data.id);
-				} else if (!row.enabled) {
-					throw new error.ValidationError('Host is already disabled');
+				if (!row || !row.id) {
+					throw new errs.ItemNotFoundError(data.id);
+				}
+				if (!row.enabled) {
+					throw new errs.ValidationError("Stream is already disabled");
 				}

 				row.enabled = 0;

 				return streamModel
 					.query()
-					.where('id', row.id)
+					.where("id", row.id)
 					.patch({
-						enabled: 0
+						enabled: 0,
 					})
 					.then(() => {
 						// Delete Nginx Config
-						return internalNginx.deleteConfig('stream', row)
-							.then(() => {
-								return internalNginx.reload();
-							});
+						return internalNginx.deleteConfig("stream", row).then(() => {
+							return internalNginx.reload();
+						});
 					})
 					.then(() => {
 						// Add to audit log
 						return internalAuditLog.add(access, {
-							action:      'disabled',
-							object_type: 'stream-host',
-							object_id:   row.id,
-							meta:        _.omit(row, omissions())
+							action: "disabled",
+							object_type: "stream",
+							object_id: row.id,
+							meta: _.omit(row, omissions()),
 						});
 					});
 			})
@@ -292,32 +368,39 @@ const internalStream = {
 	 * @returns {Promise}
 	 */
 	getAll: (access, expand, search_query) => {
-		return access.can('streams:list')
+		return access
+			.can("streams:list")
 			.then((access_data) => {
-				let query = streamModel
+				const query = streamModel
 					.query()
-					.where('is_deleted', 0)
-					.groupBy('id')
-					.omit(['is_deleted'])
-					.allowEager('[owner]')
-					.orderBy('incoming_port', 'ASC');
+					.where("is_deleted", 0)
+					.groupBy("id")
+					.allowGraph("[owner,certificate]")
+					.orderBy("incoming_port", "ASC");

-				if (access_data.permission_visibility !== 'all') {
-					query.andWhere('owner_user_id', access.token.getUserId(1));
+				if (access_data.permission_visibility !== "all") {
+					query.andWhere("owner_user_id", access.token.getUserId(1));
 				}

 				// Query is used for searching
-				if (typeof search_query === 'string') {
+				if (typeof search_query === "string" && search_query.length > 0) {
 					query.where(function () {
-						this.where('incoming_port', 'like', '%' + search_query + '%');
+						this.where(castJsonIfNeed("incoming_port"), "like", `%${search_query}%`);
 					});
 				}

-				if (typeof expand !== 'undefined' && expand !== null) {
-					query.eager('[' + expand.join(', ') + ']');
+				if (typeof expand !== "undefined" && expand !== null) {
+					query.withGraphFetched(`[${expand.join(", ")}]`);
 				}

-				return query;
+				return query.then(utils.omitRows(omissions()));
+			})
+			.then((rows) => {
+				if (typeof expand !== "undefined" && expand !== null && expand.indexOf("certificate") !== -1) {
+					return internalHost.cleanAllRowsCertificateMeta(rows);
+				}
+
+				return rows;
 			});
 	},

@@ -329,20 +412,16 @@ const internalStream = {
 	 * @returns {Promise}
 	 */
 	getCount: (user_id, visibility) => {
-		let query = streamModel
-			.query()
-			.count('id as count')
-			.where('is_deleted', 0);
+		const query = streamModel.query().count("id AS count").where("is_deleted", 0);

-		if (visibility !== 'all') {
-			query.andWhere('owner_user_id', user_id);
+		if (visibility !== "all") {
+			query.andWhere("owner_user_id", user_id);
 		}

-		return query.first()
-			.then((row) => {
-				return parseInt(row.count, 10);
-			});
-	}
+		return query.first().then((row) => {
+			return Number.parseInt(row.count, 10);
+		});
+	},
 };

-module.exports = internalStream;
+export default internalStream;
--- a/backend/internal/token.js
+++ b/backend/internal/token.js
@@ -1,12 +1,14 @@
-const _          = require('lodash');
-const error      = require('../lib/error');
-const userModel  = require('../models/user');
-const authModel  = require('../models/auth');
-const helpers    = require('../lib/helpers');
-const TokenModel = require('../models/token');
+import _ from "lodash";
+import errs from "../lib/error.js";
+import { parseDatePeriod } from "../lib/helpers.js";
+import authModel from "../models/auth.js";
+import TokenModel from "../models/token.js";
+import userModel from "../models/user.js";

-module.exports = {
+const ERROR_MESSAGE_INVALID_AUTH = "Invalid email or password";
+const ERROR_MESSAGE_INVALID_AUTH_I18N = "error.invalid-auth";

+export default {
 	/**
 	 * @param   {Object} data
 	 * @param   {String} data.identity
@@ -16,70 +18,66 @@ module.exports = {
 	 * @param   {String} [issuer]
 	 * @returns {Promise}
 	 */
-	getTokenFromEmail: (data, issuer) => {
-		let Token = new TokenModel();
+	getTokenFromEmail: async (data, issuer) => {
+		const Token = TokenModel();

-		data.scope  = data.scope || 'user';
-		data.expiry = data.expiry || '1d';
+		data.scope = data.scope || "user";
+		data.expiry = data.expiry || "1d";

-		return userModel
+		const user = await userModel
 			.query()
-			.where('email', data.identity)
-			.andWhere('is_deleted', 0)
-			.andWhere('is_disabled', 0)
-			.first()
-			.then((user) => {
-				if (user) {
-					// Get auth
-					return authModel
-						.query()
-						.where('user_id', '=', user.id)
-						.where('type', '=', 'password')
-						.first()
-						.then((auth) => {
-							if (auth) {
-								return auth.verifyPassword(data.secret)
-									.then((valid) => {
-										if (valid) {
+			.where("email", data.identity.toLowerCase().trim())
+			.andWhere("is_deleted", 0)
+			.andWhere("is_disabled", 0)
+			.first();

-											if (data.scope !== 'user' && _.indexOf(user.roles, data.scope) === -1) {
-												// The scope requested doesn't exist as a role against the user,
-												// you shall not pass.
-												throw new error.AuthError('Invalid scope: ' + data.scope);
-											}
+		if (!user) {
+			throw new errs.AuthError(ERROR_MESSAGE_INVALID_AUTH);
+		}

-											// Create a moment of the expiry expression
-											let expiry = helpers.parseDatePeriod(data.expiry);
-											if (expiry === null) {
-												throw new error.AuthError('Invalid expiry time: ' + data.expiry);
-											}
+		const auth = await authModel
+			.query()
+			.where("user_id", "=", user.id)
+			.where("type", "=", "password")
+			.first();

-											return Token.create({
-												iss:   issuer || 'api',
-												attrs: {
-													id: user.id
-												},
-												scope:     [data.scope],
-												expiresIn: data.expiry
-											})
-												.then((signed) => {
-													return {
-														token:   signed.token,
-														expires: expiry.toISOString()
-													};
-												});
-										} else {
-											throw new error.AuthError('Invalid password');
-										}
-									});
-							} else {
-								throw new error.AuthError('No password auth for user');
-							}
-						});
-				} else {
-					throw new error.AuthError('No relevant user found');
-				}
-			});
+		if (!auth) {
+			throw new errs.AuthError(ERROR_MESSAGE_INVALID_AUTH);
+		}
+
+		const valid = await auth.verifyPassword(data.secret);
+		if (!valid) {
+			throw new errs.AuthError(
+				ERROR_MESSAGE_INVALID_AUTH,
+				ERROR_MESSAGE_INVALID_AUTH_I18N,
+			);
+		}
+
+		if (data.scope !== "user" && _.indexOf(user.roles, data.scope) === -1) {
+			// The scope requested doesn't exist as a role against the user,
+			// you shall not pass.
+			throw new errs.AuthError(`Invalid scope: ${data.scope}`);
+		}
+
+		// Create a moment of the expiry expression
+		const expiry = parseDatePeriod(data.expiry);
+		if (expiry === null) {
+			throw new errs.AuthError(`Invalid expiry time: ${data.expiry}`);
+		}
+
+		const signed = await Token.create({
+			iss: issuer || "api",
+			attrs: {
+				id: user.id,
+			},
+			scope: [data.scope],
+			expiresIn: data.expiry,
+		});
+
+		return {
+			token: signed.token,
+			expires: expiry.toISOString(),
+		};
 	},

 	/**
@@ -89,74 +87,70 @@ module.exports = {
 	 * @param {String} [data.scope]   Only considered if existing token scope is admin
 	 * @returns {Promise}
 	 */
-	getFreshToken: (access, data) => {
-		let Token = new TokenModel();
+	getFreshToken: async (access, data) => {
+		const Token = TokenModel();
+		const thisData = data || {};

-		data        = data || {};
-		data.expiry = data.expiry || '1d';
-
-		if (access && access.token.getUserId(0)) {
+		thisData.expiry = thisData.expiry || "1d";

+		if (access?.token.getUserId(0)) {
 			// Create a moment of the expiry expression
-			let expiry = helpers.parseDatePeriod(data.expiry);
+			const expiry = parseDatePeriod(thisData.expiry);
 			if (expiry === null) {
-				throw new error.AuthError('Invalid expiry time: ' + data.expiry);
+				throw new errs.AuthError(`Invalid expiry time: ${thisData.expiry}`);
 			}

-			let token_attrs = {
-				id: access.token.getUserId(0)
+			const token_attrs = {
+				id: access.token.getUserId(0),
 			};

 			// Only admins can request otherwise scoped tokens
-			let scope = access.token.get('scope');
-			if (data.scope && access.token.hasScope('admin')) {
-				scope = [data.scope];
+			let scope = access.token.get("scope");
+			if (thisData.scope && access.token.hasScope("admin")) {
+				scope = [thisData.scope];

-				if (data.scope === 'job-board' || data.scope === 'worker') {
+				if (thisData.scope === "job-board" || thisData.scope === "worker") {
 					token_attrs.id = 0;
 				}
 			}

-			return Token.create({
-				iss:       'api',
-				scope:     scope,
-				attrs:     token_attrs,
-				expiresIn: data.expiry
-			})
-				.then((signed) => {
-					return {
-						token:   signed.token,
-						expires: expiry.toISOString()
-					};
-				});
-		} else {
-			throw new error.AssertionFailedError('Existing token contained invalid user data');
+			const signed = await Token.create({
+				iss: "api",
+				scope: scope,
+				attrs: token_attrs,
+				expiresIn: thisData.expiry,
+			});
+
+			return {
+				token: signed.token,
+				expires: expiry.toISOString(),
+			};
 		}
+		throw new error.AssertionFailedError("Existing token contained invalid user data");
 	},

 	/**
 	 * @param   {Object} user
 	 * @returns {Promise}
 	 */
-	getTokenFromUser: (user) => {
-		const expire = '1d';
-		const Token  = new TokenModel();
-		const expiry = helpers.parseDatePeriod(expire);
+	getTokenFromUser: async (user) => {
+		const expire = "1d";
+		const Token = TokenModel();
+		const expiry = parseDatePeriod(expire);

-		return Token.create({
-			iss:   'api',
+		const signed = await Token.create({
+			iss: "api",
 			attrs: {
-				id: user.id
+				id: user.id,
 			},
-			scope:     ['user'],
-			expiresIn: expire
-		})
-			.then((signed) => {
-				return {
-					token:   signed.token,
-					expires: expiry.toISOString(),
-					user:    user
-				};
-			});
-	}
+			scope: ["user"],
+			expiresIn: expire,
+		});
+
+		return {
+			token: signed.token,
+			expires: expiry.toISOString(),
+			user: user,
+		};
+	},
 };
--- a/backend/internal/user.js
+++ b/backend/internal/user.js
@@ -1,92 +1,76 @@
-const _                   = require('lodash');
-const error               = require('../lib/error');
-const userModel           = require('../models/user');
-const userPermissionModel = require('../models/user_permission');
-const authModel           = require('../models/auth');
-const gravatar            = require('gravatar');
-const internalToken       = require('./token');
-const internalAuditLog    = require('./audit-log');
+import gravatar from "gravatar";
+import _ from "lodash";
+import errs from "../lib/error.js";
+import utils from "../lib/utils.js";
+import authModel from "../models/auth.js";
+import userModel from "../models/user.js";
+import userPermissionModel from "../models/user_permission.js";
+import internalAuditLog from "./audit-log.js";
+import internalToken from "./token.js";

-function omissions () {
-	return ['is_deleted'];
-}
+const omissions = () => {
+	return ["is_deleted", "permissions.id", "permissions.user_id", "permissions.created_on", "permissions.modified_on"];
+};
+
+const DEFAULT_AVATAR = gravatar.url("admin@example.com", { default: "mm" });

 const internalUser = {
-
 	/**
+	 * Create a user can happen unauthenticated only once and only when no active users exist.
+	 * Otherwise, a valid auth method is required.
+	 *
 	 * @param   {Access}  access
 	 * @param   {Object}  data
 	 * @returns {Promise}
 	 */
-	create: (access, data) => {
-		let auth = data.auth || null;
+	create: async (access, data) => {
+		const auth = data.auth || null;
 		delete data.auth;

-		data.avatar = data.avatar || '';
-		data.roles  = data.roles || [];
+		data.avatar = data.avatar || "";
+		data.roles = data.roles || [];

-		if (typeof data.is_disabled !== 'undefined') {
+		if (typeof data.is_disabled !== "undefined") {
 			data.is_disabled = data.is_disabled ? 1 : 0;
 		}

-		return access.can('users:create', data)
-			.then(() => {
-				data.avatar = gravatar.url(data.email, {default: 'mm'});
+		await access.can("users:create", data);
+		data.avatar = gravatar.url(data.email, { default: "mm" });

-				return userModel
-					.query()
-					.omit(omissions())
-					.insertAndFetch(data);
-			})
-			.then((user) => {
-				if (auth) {
-					return authModel
-						.query()
-						.insert({
-							user_id: user.id,
-							type:    auth.type,
-							secret:  auth.secret,
-							meta:    {}
-						})
-						.then(() => {
-							return user;
-						});
-				} else {
-					return user;
-				}
-			})
-			.then((user) => {
-				// Create permissions row as well
-				let is_admin = data.roles.indexOf('admin') !== -1;
-
-				return userPermissionModel
-					.query()
-					.insert({
-						user_id:           user.id,
-						visibility:        is_admin ? 'all' : 'user',
-						proxy_hosts:       'manage',
-						redirection_hosts: 'manage',
-						dead_hosts:        'manage',
-						streams:           'manage',
-						access_lists:      'manage',
-						certificates:      'manage'
-					})
-					.then(() => {
-						return internalUser.get(access, {id: user.id, expand: ['permissions']});
-					});
-			})
-			.then((user) => {
-				// Add to audit log
-				return internalAuditLog.add(access, {
-					action:      'created',
-					object_type: 'user',
-					object_id:   user.id,
-					meta:        user
-				})
-					.then(() => {
-						return user;
-					});
+		let user = await userModel.query().insertAndFetch(data).then(utils.omitRow(omissions()));
+		if (auth) {
+			user = await authModel.query().insert({
+				user_id: user.id,
+				type: auth.type,
+				secret: auth.secret,
+				meta: {},
 			});
+		}
+
+		// Create permissions row as well
+		const isAdmin = data.roles.indexOf("admin") !== -1;
+
+		await userPermissionModel.query().insert({
+			user_id: user.id,
+			visibility: isAdmin ? "all" : "user",
+			proxy_hosts: "manage",
+			redirection_hosts: "manage",
+			dead_hosts: "manage",
+			streams: "manage",
+			access_lists: "manage",
+			certificates: "manage",
+		});
+
+		user = await internalUser.get(access, { id: user.id, expand: ["permissions"] });
+
+		await internalAuditLog.add(access, {
+			action: "created",
+			object_type: "user",
+			object_id: user.id,
+			meta: user,
+		});
+
+		return user;
 	},

 	/**
@@ -98,65 +82,57 @@ const internalUser = {
 	 * @return {Promise}
 	 */
 	update: (access, data) => {
-		if (typeof data.is_disabled !== 'undefined') {
+		if (typeof data.is_disabled !== "undefined") {
 			data.is_disabled = data.is_disabled ? 1 : 0;
 		}

-		return access.can('users:update', data.id)
+		return access
+			.can("users:update", data.id)
 			.then(() => {
-
 				// Make sure that the user being updated doesn't change their email to another user that is already using it
 				// 1. get user we want to update
-				return internalUser.get(access, {id: data.id})
-					.then((user) => {
+				return internalUser.get(access, { id: data.id }).then((user) => {
+					// 2. if email is to be changed, find other users with that email
+					if (typeof data.email !== "undefined") {
+						data.email = data.email.toLowerCase().trim();

-						// 2. if email is to be changed, find other users with that email
-						if (typeof data.email !== 'undefined') {
-							data.email = data.email.toLowerCase().trim();
-
-							if (user.email !== data.email) {
-								return internalUser.isEmailAvailable(data.email, data.id)
-									.then((available) => {
-										if (!available) {
-											throw new error.ValidationError('Email address already in use - ' + data.email);
-										}
-
-										return user;
-									});
-							}
+						if (user.email !== data.email) {
+							return internalUser.isEmailAvailable(data.email, data.id).then((available) => {
+								if (!available) {
+									throw new errs.ValidationError(`Email address already in use - ${data.email}`);
+								}
+								return user;
+							});
 						}
+					}

-						// No change to email:
-						return user;
-					});
+					// No change to email:
+					return user;
+				});
 			})
 			.then((user) => {
 				if (user.id !== data.id) {
 					// Sanity check that something crazy hasn't happened
-					throw new error.InternalValidationError('User could not be updated, IDs do not match: ' + user.id + ' !== ' + data.id);
+					throw new errs.InternalValidationError(
+						`User could not be updated, IDs do not match: ${user.id} !== ${data.id}`,
+					);
 				}

-				data.avatar = gravatar.url(data.email || user.email, {default: 'mm'});
-
-				return userModel
-					.query()
-					.omit(omissions())
-					.patchAndFetchById(user.id, data)
-					.then((saved_user) => {
-						return _.omit(saved_user, omissions());
-					});
+				data.avatar = gravatar.url(data.email || user.email, { default: "mm" });
+				return userModel.query().patchAndFetchById(user.id, data).then(utils.omitRow(omissions()));
 			})
 			.then(() => {
-				return internalUser.get(access, {id: data.id});
+				return internalUser.get(access, { id: data.id });
 			})
 			.then((user) => {
 				// Add to audit log
-				return internalAuditLog.add(access, {
-					action:      'updated',
-					object_type: 'user',
-					object_id:   user.id,
-					meta:        data
-				})
+				return internalAuditLog
+					.add(access, {
+						action: "updated",
+						object_type: "user",
+						object_id: user.id,
+						meta: { ...data, id: user.id, name: user.name },
+					})
 					.then(() => {
 						return user;
 					});
@@ -172,40 +148,42 @@ const internalUser = {
 	 * @return {Promise}
 	 */
 	get: (access, data) => {
-		if (typeof data === 'undefined') {
-			data = {};
+		const thisData = data || {};
+
+		if (typeof thisData.id === "undefined" || !thisData.id) {
+			thisData.id = access.token.getUserId(0);
 		}

-		if (typeof data.id === 'undefined' || !data.id) {
-			data.id = access.token.getUserId(0);
-		}
-
-		return access.can('users:get', data.id)
+		return access
+			.can("users:get", thisData.id)
 			.then(() => {
-				let query = userModel
+				const query = userModel
 					.query()
-					.where('is_deleted', 0)
-					.andWhere('id', data.id)
-					.allowEager('[permissions]')
+					.where("is_deleted", 0)
+					.andWhere("id", thisData.id)
+					.allowGraph("[permissions]")
 					.first();

-				// Custom omissions
-				if (typeof data.omit !== 'undefined' && data.omit !== null) {
-					query.omit(data.omit);
+				if (typeof thisData.expand !== "undefined" && thisData.expand !== null) {
+					query.withGraphFetched(`[${thisData.expand.join(", ")}]`);
 				}

-				if (typeof data.expand !== 'undefined' && data.expand !== null) {
-					query.eager('[' + data.expand.join(', ') + ']');
-				}
-
-				return query;
+				return query.then(utils.omitRow(omissions()));
 			})
 			.then((row) => {
-				if (row) {
-					return _.omit(row, omissions());
-				} else {
-					throw new error.ItemNotFoundError(data.id);
+				if (!row || !row.id) {
+					throw new errs.ItemNotFoundError(thisData.id);
 				}
+				// Custom omissions
+				if (typeof thisData.omit !== "undefined" && thisData.omit !== null) {
+					return _.omit(row, thisData.omit);
+				}
+
+				if (row.avatar === "") {
+					row.avatar = DEFAULT_AVATAR;
+				}
+
+				return row;
 			});
 	},

@@ -217,20 +195,15 @@ const internalUser = {
 	 * @param user_id
 	 */
 	isEmailAvailable: (email, user_id) => {
-		let query = userModel
-			.query()
-			.where('email', '=', email.toLowerCase().trim())
-			.where('is_deleted', 0)
-			.first();
+		const query = userModel.query().where("email", "=", email.toLowerCase().trim()).where("is_deleted", 0).first();

-		if (typeof user_id !== 'undefined') {
-			query.where('id', '!=', user_id);
+		if (typeof user_id !== "undefined") {
+			query.where("id", "!=", user_id);
 		}

-		return query
-			.then((user) => {
-				return !user;
-			});
+		return query.then((user) => {
+			return !user;
+		});
 	},

 	/**
@@ -241,33 +214,34 @@ const internalUser = {
 	 * @returns {Promise}
 	 */
 	delete: (access, data) => {
-		return access.can('users:delete', data.id)
+		return access
+			.can("users:delete", data.id)
 			.then(() => {
-				return internalUser.get(access, {id: data.id});
+				return internalUser.get(access, { id: data.id });
 			})
 			.then((user) => {
 				if (!user) {
-					throw new error.ItemNotFoundError(data.id);
+					throw new errs.ItemNotFoundError(data.id);
 				}

 				// Make sure user can't delete themselves
 				if (user.id === access.token.getUserId(0)) {
-					throw new error.PermissionError('You cannot delete yourself.');
+					throw new errs.PermissionError("You cannot delete yourself.");
 				}

 				return userModel
 					.query()
-					.where('id', user.id)
+					.where("id", user.id)
 					.patch({
-						is_deleted: 1
+						is_deleted: 1,
 					})
 					.then(() => {
 						// Add to audit log
 						return internalAuditLog.add(access, {
-							action:      'deleted',
-							object_type: 'user',
-							object_id:   user.id,
-							meta:        _.omit(user, omissions())
+							action: "deleted",
+							object_type: "user",
+							object_id: user.id,
+							meta: _.omit(user, omissions()),
 						});
 					});
 			})
@@ -276,6 +250,14 @@ const internalUser = {
 			});
 	},

+	deleteAll: async () => {
+		await userModel
+			.query()
+			.patch({
+				is_deleted: 1,
+			});
+	},
+
 	/**
 	 * This will only count the users
 	 *
@@ -284,26 +266,26 @@ const internalUser = {
 	 * @returns {*}
 	 */
 	getCount: (access, search_query) => {
-		return access.can('users:list')
+		return access
+			.can("users:list")
 			.then(() => {
-				let query = userModel
-					.query()
-					.count('id as count')
-					.where('is_deleted', 0)
-					.first();
+				const query = userModel.query().count("id as count").where("is_deleted", 0).first();

 				// Query is used for searching
-				if (typeof search_query === 'string') {
+				if (typeof search_query === "string") {
 					query.where(function () {
-						this.where('user.name', 'like', '%' + search_query + '%')
-							.orWhere('user.email', 'like', '%' + search_query + '%');
+						this.where("user.name", "like", `%${search_query}%`).orWhere(
+							"user.email",
+							"like",
+							`%${search_query}%`,
+						);
 					});
 				}

 				return query;
 			})
 			.then((row) => {
-				return parseInt(row.count, 10);
+				return Number.parseInt(row.count, 10);
 			});
 	},

@@ -315,31 +297,28 @@ const internalUser = {
 	 * @param   {String}  [search_query]
 	 * @returns {Promise}
 	 */
-	getAll: (access, expand, search_query) => {
-		return access.can('users:list')
-			.then(() => {
-				let query = userModel
-					.query()
-					.where('is_deleted', 0)
-					.groupBy('id')
-					.omit(['is_deleted'])
-					.allowEager('[permissions]')
-					.orderBy('name', 'ASC');
+	getAll: async (access, expand, search_query) => {
+		await access.can("users:list");
+		const query = userModel
+			.query()
+			.where("is_deleted", 0)
+			.groupBy("id")
+			.allowGraph("[permissions]")
+			.orderBy("name", "ASC");

-				// Query is used for searching
-				if (typeof search_query === 'string') {
-					query.where(function () {
-						this.where('name', 'like', '%' + search_query + '%')
-							.orWhere('email', 'like', '%' + search_query + '%');
-					});
-				}
-
-				if (typeof expand !== 'undefined' && expand !== null) {
-					query.eager('[' + expand.join(', ') + ']');
-				}
-
-				return query;
+		// Query is used for searching
+		if (typeof search_query === "string") {
+			query.where(function () {
+				this.where("name", "like", `%${search_query}%`).orWhere("email", "like", `%${search_query}%`);
 			});
+		}
+
+		if (typeof expand !== "undefined" && expand !== null) {
+			query.withGraphFetched(`[${expand.join(", ")}]`);
+		}
+
+		const res = await query;
+		return utils.omitRows(omissions())(res);
 	},

 	/**
@@ -347,11 +326,11 @@ const internalUser = {
 	 * @param   {Integer} [id_requested]
 	 * @returns {[String]}
 	 */
-	getUserOmisionsByAccess: (access, id_requested) => {
+	getUserOmisionsByAccess: (access, idRequested) => {
 		let response = []; // Admin response

-		if (!access.token.hasScope('admin') && access.token.getUserId(0) !== id_requested) {
-			response = ['roles', 'is_deleted']; // Restricted response
+		if (!access.token.hasScope("admin") && access.token.getUserId(0) !== idRequested) {
+			response = ["is_deleted"]; // Restricted response
 		}

 		return response;
@@ -366,26 +345,30 @@ const internalUser = {
 	 * @return {Promise}
 	 */
 	setPassword: (access, data) => {
-		return access.can('users:password', data.id)
+		return access
+			.can("users:password", data.id)
 			.then(() => {
-				return internalUser.get(access, {id: data.id});
+				return internalUser.get(access, { id: data.id });
 			})
 			.then((user) => {
 				if (user.id !== data.id) {
 					// Sanity check that something crazy hasn't happened
-					throw new error.InternalValidationError('User could not be updated, IDs do not match: ' + user.id + ' !== ' + data.id);
+					throw new errs.InternalValidationError(
+						`User could not be updated, IDs do not match: ${user.id} !== ${data.id}`,
+					);
 				}

 				if (user.id === access.token.getUserId(0)) {
 					// they're setting their own password. Make sure their current password is correct
-					if (typeof data.current === 'undefined' || !data.current) {
-						throw new error.ValidationError('Current password was not supplied');
+					if (typeof data.current === "undefined" || !data.current) {
+						throw new errs.ValidationError("Current password was not supplied");
 					}

-					return internalToken.getTokenFromEmail({
-						identity: user.email,
-						secret:   data.current
-					})
+					return internalToken
+						.getTokenFromEmail({
+							identity: user.email,
+							secret: data.current,
+						})
 						.then(() => {
 							return user;
 						});
@@ -397,43 +380,36 @@ const internalUser = {
 				// Get auth, patch if it exists
 				return authModel
 					.query()
-					.where('user_id', user.id)
-					.andWhere('type', data.type)
+					.where("user_id", user.id)
+					.andWhere("type", data.type)
 					.first()
 					.then((existing_auth) => {
 						if (existing_auth) {
 							// patch
-							return authModel
-								.query()
-								.where('user_id', user.id)
-								.andWhere('type', data.type)
-								.patch({
-									type:   data.type, // This is required for the model to encrypt on save
-									secret: data.secret
-								});
-						} else {
-							// insert
-							return authModel
-								.query()
-								.insert({
-									user_id: user.id,
-									type:    data.type,
-									secret:  data.secret,
-									meta:    {}
-								});
+							return authModel.query().where("user_id", user.id).andWhere("type", data.type).patch({
+								type: data.type, // This is required for the model to encrypt on save
+								secret: data.secret,
+							});
 						}
+						// insert
+						return authModel.query().insert({
+							user_id: user.id,
+							type: data.type,
+							secret: data.secret,
+							meta: {},
+						});
 					})
 					.then(() => {
 						// Add to Audit Log
 						return internalAuditLog.add(access, {
-							action:      'updated',
-							object_type: 'user',
-							object_id:   user.id,
-							meta:        {
-								name:             user.name,
+							action: "updated",
+							object_type: "user",
+							object_id: user.id,
+							meta: {
+								name: user.name,
 								password_changed: true,
-								auth_type:        data.type
-							}
+								auth_type: data.type,
+							},
 						});
 					});
 			})
@@ -448,14 +424,17 @@ const internalUser = {
 	 * @return {Promise}
 	 */
 	setPermissions: (access, data) => {
-		return access.can('users:permissions', data.id)
+		return access
+			.can("users:permissions", data.id)
 			.then(() => {
-				return internalUser.get(access, {id: data.id});
+				return internalUser.get(access, { id: data.id });
 			})
 			.then((user) => {
 				if (user.id !== data.id) {
 					// Sanity check that something crazy hasn't happened
-					throw new error.InternalValidationError('User could not be updated, IDs do not match: ' + user.id + ' !== ' + data.id);
+					throw new errs.InternalValidationError(
+						`User could not be updated, IDs do not match: ${user.id} !== ${data.id}`,
+					);
 				}

 				return user;
@@ -464,34 +443,30 @@ const internalUser = {
 				// Get perms row, patch if it exists
 				return userPermissionModel
 					.query()
-					.where('user_id', user.id)
+					.where("user_id", user.id)
 					.first()
 					.then((existing_auth) => {
 						if (existing_auth) {
 							// patch
 							return userPermissionModel
 								.query()
-								.where('user_id', user.id)
-								.patchAndFetchById(existing_auth.id, _.assign({user_id: user.id}, data));
-						} else {
-							// insert
-							return userPermissionModel
-								.query()
-								.insertAndFetch(_.assign({user_id: user.id}, data));
+								.where("user_id", user.id)
+								.patchAndFetchById(existing_auth.id, _.assign({ user_id: user.id }, data));
 						}
+						// insert
+						return userPermissionModel.query().insertAndFetch(_.assign({ user_id: user.id }, data));
 					})
 					.then((permissions) => {
 						// Add to Audit Log
 						return internalAuditLog.add(access, {
-							action:      'updated',
-							object_type: 'user',
-							object_id:   user.id,
-							meta:        {
-								name:        user.name,
-								permissions: permissions
-							}
+							action: "updated",
+							object_type: "user",
+							object_id: user.id,
+							meta: {
+								name: user.name,
+								permissions: permissions,
+							},
 						});
-
 					});
 			})
 			.then(() => {
@@ -505,14 +480,15 @@ const internalUser = {
 	 * @param {Integer}  data.id
 	 */
 	loginAs: (access, data) => {
-		return access.can('users:loginas', data.id)
+		return access
+			.can("users:loginas", data.id)
 			.then(() => {
 				return internalUser.get(access, data);
 			})
 			.then((user) => {
 				return internalToken.getTokenFromUser(user);
 			});
-	}
+	},
 };

-module.exports = internalUser;
+export default internalUser;
--- a/backend/knexfile.js
+++ b/backend/knexfile.js
@@ -1,6 +1,6 @@
 module.exports = {
 	development: {
-		client:     'mysql',
+		client:     'mysql2',
 		migrations: {
 			tableName: 'migrations',
 			stub:      'lib/migrate_template.js',
@@ -9,7 +9,7 @@ module.exports = {
 	},

 	production: {
-		client:     'mysql',
+		client:     'mysql2',
 		migrations: {
 			tableName: 'migrations',
 			stub:      'lib/migrate_template.js',
--- a/backend/lib/access.js
+++ b/backend/lib/access.js
@@ -4,91 +4,90 @@
 * "scope" in this file means "where did this token come from and what is using it", so 99% of the time
 * the "scope" is going to be "user" because it would be a user token. This is not to be confused with
 * the "role" which could be "user" or "admin". The scope in fact, could be "worker" or anything else.
- *
- *
 */

-const _              = require('lodash');
-const logger         = require('../logger').access;
-const validator      = require('ajv');
-const error          = require('./error');
-const userModel      = require('../models/user');
-const proxyHostModel = require('../models/proxy_host');
-const TokenModel     = require('../models/token');
-const roleSchema     = require('./access/roles.json');
-const permsSchema    = require('./access/permissions.json');
+import fs from "node:fs";
+import { dirname } from "node:path";
+import { fileURLToPath } from "node:url";
+import Ajv from "ajv/dist/2020.js";
+import _ from "lodash";
+import { access as logger } from "../logger.js";
+import proxyHostModel from "../models/proxy_host.js";
+import TokenModel from "../models/token.js";
+import userModel from "../models/user.js";
+import permsSchema from "./access/permissions.json" with { type: "json" };
+import roleSchema from "./access/roles.json" with { type: "json" };
+import errs from "./error.js";

-module.exports = function (token_string) {
-	let Token                 = new TokenModel();
-	let token_data            = null;
-	let initialised           = false;
-	let object_cache          = {};
-	let allow_internal_access = false;
-	let user_roles            = [];
-	let permissions           = {};
+const __filename = fileURLToPath(import.meta.url);
+const __dirname = dirname(__filename);
+
+export default function (tokenString) {
+	const Token = TokenModel();
+	let tokenData = null;
+	let initialised = false;
+	const objectCache = {};
+	let allowInternalAccess = false;
+	let userRoles = [];
+	let permissions = {};

 	/**
 	 * Loads the Token object from the token string
 	 *
 	 * @returns {Promise}
 	 */
-	this.init = () => {
-		return new Promise((resolve, reject) => {
-			if (initialised) {
-				resolve();
-			} else if (!token_string) {
-				reject(new error.PermissionError('Permission Denied'));
+	this.init = async () => {
+		if (initialised) {
+			return;
+		}
+
+		if (!tokenString) {
+			throw new errs.PermissionError("Permission Denied");
+		}
+
+		tokenData = await Token.load(tokenString);
+
+		// At this point we need to load the user from the DB and make sure they:
+		// - exist (and not soft deleted)
+		// - still have the appropriate scopes for this token
+		// This is only required when the User ID is supplied or if the token scope has `user`
+		if (
+			tokenData.attrs.id ||
+			(typeof tokenData.scope !== "undefined" && _.indexOf(tokenData.scope, "user") !== -1)
+		) {
+			// Has token user id or token user scope
+			const user = await userModel
+				.query()
+				.where("id", tokenData.attrs.id)
+				.andWhere("is_deleted", 0)
+				.andWhere("is_disabled", 0)
+				.allowGraph("[permissions]")
+				.withGraphFetched("[permissions]")
+				.first();
+
+			if (user) {
+				// make sure user has all scopes of the token
+				// The `user` role is not added against the user row, so we have to just add it here to get past this check.
+				user.roles.push("user");
+
+				let ok = true;
+				_.forEach(tokenData.scope, (scope_item) => {
+					if (_.indexOf(user.roles, scope_item) === -1) {
+						ok = false;
+					}
+				});
+
+				if (!ok) {
+					throw new errs.AuthError("Invalid token scope for User");
+				}
+				initialised = true;
+				userRoles = user.roles;
+				permissions = user.permissions;
 			} else {
-				resolve(Token.load(token_string)
-					.then((data) => {
-						token_data = data;
-
-						// At this point we need to load the user from the DB and make sure they:
-						// - exist (and not soft deleted)
-						// - still have the appropriate scopes for this token
-						// This is only required when the User ID is supplied or if the token scope has `user`
-
-						if (token_data.attrs.id || (typeof token_data.scope !== 'undefined' && _.indexOf(token_data.scope, 'user') !== -1)) {
-							// Has token user id or token user scope
-							return userModel
-								.query()
-								.where('id', token_data.attrs.id)
-								.andWhere('is_deleted', 0)
-								.andWhere('is_disabled', 0)
-								.allowEager('[permissions]')
-								.eager('[permissions]')
-								.first()
-								.then((user) => {
-									if (user) {
-										// make sure user has all scopes of the token
-										// The `user` role is not added against the user row, so we have to just add it here to get past this check.
-										user.roles.push('user');
-
-										let is_ok = true;
-										_.forEach(token_data.scope, (scope_item) => {
-											if (_.indexOf(user.roles, scope_item) === -1) {
-												is_ok = false;
-											}
-										});
-
-										if (!is_ok) {
-											throw new error.AuthError('Invalid token scope for User');
-										} else {
-											initialised = true;
-											user_roles  = user.roles;
-											permissions = user.permissions;
-										}
-
-									} else {
-										throw new error.AuthError('User cannot be loaded for Token');
-									}
-								});
-						} else {
-							initialised = true;
-						}
-					}));
+				throw new errs.AuthError("User cannot be loaded for Token");
 			}
-		});
+		}
+		initialised = true;
 	};

 	/**
@@ -96,141 +95,121 @@ module.exports = function (token_string) {
 	 * This only applies to USER token scopes, as all other tokens are not really bound
 	 * by object scopes
 	 *
-	 * @param   {String} object_type
+	 * @param   {String} objectType
 	 * @returns {Promise}
 	 */
-	this.loadObjects = (object_type) => {
-		return new Promise((resolve, reject) => {
-			if (Token.hasScope('user')) {
-				if (typeof token_data.attrs.id === 'undefined' || !token_data.attrs.id) {
-					reject(new error.AuthError('User Token supplied without a User ID'));
-				} else {
-					let token_user_id = token_data.attrs.id ? token_data.attrs.id : 0;
-					let query;
+	this.loadObjects = async (objectType) => {
+		let objects = null;

-					if (typeof object_cache[object_type] === 'undefined') {
-						switch (object_type) {
+		if (Token.hasScope("user")) {
+			if (typeof tokenData.attrs.id === "undefined" || !tokenData.attrs.id) {
+				throw new errs.AuthError("User Token supplied without a User ID");
+			}

-						// USERS - should only return yourself
-						case 'users':
-							resolve(token_user_id ? [token_user_id] : []);
-							break;
+			const tokenUserId = tokenData.attrs.id ? tokenData.attrs.id : 0;

-							// Proxy Hosts
-						case 'proxy_hosts':
-							query = proxyHostModel
-								.query()
-								.select('id')
-								.andWhere('is_deleted', 0);
+			if (typeof objectCache[objectType] !== "undefined") {
+				objects = objectCache[objectType];
+			} else {
+				switch (objectType) {
+					// USERS - should only return yourself
+					case "users":
+						objects = tokenUserId ? [tokenUserId] : [];
+						break;

-							if (permissions.visibility === 'user') {
-								query.andWhere('owner_user_id', token_user_id);
-							}
+					// Proxy Hosts
+					case "proxy_hosts": {
+						const query = proxyHostModel
+							.query()
+							.select("id")
+							.andWhere("is_deleted", 0);

-							resolve(query
-								.then((rows) => {
-									let result = [];
-									_.forEach(rows, (rule_row) => {
-										result.push(rule_row.id);
-									});
-
-									// enum should not have less than 1 item
-									if (!result.length) {
-										result.push(0);
-									}
-
-									return result;
-								})
-							);
-							break;
-
-							// DEFAULT: null
-						default:
-							resolve(null);
-							break;
+						if (permissions.visibility === "user") {
+							query.andWhere("owner_user_id", tokenUserId);
 						}
-					} else {
-						resolve(object_cache[object_type]);
+
+						const rows = await query;
+						objects = [];
+						_.forEach(rows, (ruleRow) => {
+							objects.push(ruleRow.id);
+						});
+
+						// enum should not have less than 1 item
+						if (!objects.length) {
+							objects.push(0);
+						}
+						break;
 					}
 				}
-			} else {
-				resolve(null);
+				objectCache[objectType] = objects;
 			}
-		})
-			.then((objects) => {
-				object_cache[object_type] = objects;
-				return objects;
-			});
+		}
+		return objects;
 	};

 	/**
 	 * Creates a schema object on the fly with the IDs and other values required to be checked against the permissionSchema
 	 *
-	 * @param   {String} permission_label
+	 * @param   {String} permissionLabel
 	 * @returns {Object}
 	 */
-	this.getObjectSchema = (permission_label) => {
-		let base_object_type = permission_label.split(':').shift();
+	this.getObjectSchema = async (permissionLabel) => {
+		const baseObjectType = permissionLabel.split(":").shift();

-		let schema = {
-			$id:                  'objects',
-			$schema:              'http://json-schema.org/draft-07/schema#',
-			description:          'Actor Properties',
-			type:                 'object',
+		const schema = {
+			$id: "objects",
+			description: "Actor Properties",
+			type: "object",
 			additionalProperties: false,
-			properties:           {
+			properties: {
 				user_id: {
 					anyOf: [
 						{
-							type: 'number',
-							enum: [Token.get('attrs').id]
-						}
-					]
+							type: "number",
+							enum: [Token.get("attrs").id],
+						},
+					],
 				},
 				scope: {
-					type:    'string',
-					pattern: '^' + Token.get('scope') + '$'
-				}
-			}
+					type: "string",
+					pattern: `^${Token.get("scope")}$`,
+				},
+			},
 		};

-		return this.loadObjects(base_object_type)
-			.then((object_result) => {
-				if (typeof object_result === 'object' && object_result !== null) {
-					schema.properties[base_object_type] = {
-						type:    'number',
-						enum:    object_result,
-						minimum: 1
-					};
-				} else {
-					schema.properties[base_object_type] = {
-						type:    'number',
-						minimum: 1
-					};
-				}
+		const result = await this.loadObjects(baseObjectType);
+		if (typeof result === "object" && result !== null) {
+			schema.properties[baseObjectType] = {
+				type: "number",
+				enum: result,
+				minimum: 1,
+			};
+		} else {
+			schema.properties[baseObjectType] = {
+				type: "number",
+				minimum: 1,
+			};
+		}

-				return schema;
-			});
+		return schema;
 	};

-	return {
+	// here:

+	return {
 		token: Token,

 		/**
 		 *
-		 * @param   {Boolean}  [allow_internal]
+		 * @param   {Boolean}  [allowInternal]
 		 * @returns {Promise}
 		 */
-		load: (allow_internal) => {
-			return new Promise(function (resolve/*, reject*/) {
-				if (token_string) {
-					resolve(Token.load(token_string));
-				} else {
-					allow_internal_access = allow_internal;
-					resolve(allow_internal_access || null);
-				}
-			});
+		load: async (allowInternal) => {
+			if (tokenString) {
+				return await Token.load(tokenString);
+			}
+			allowInternalAccess = allowInternal;
+			return allowInternal || null;
 		},

 		reloadObjects: this.loadObjects,
@@ -241,74 +220,59 @@ module.exports = function (token_string) {
 		 * @param {*}       [data]
 		 * @returns {Promise}
 		 */
-		can: (permission, data) => {
-			if (allow_internal_access === true) {
-				return Promise.resolve(true);
-				//return true;
-			} else {
-				return this.init()
-					.then(() => {
-						// Initialised, token decoded ok
-						return this.getObjectSchema(permission)
-							.then((objectSchema) => {
-								let data_schema = {
-									[permission]: {
-										data:                         data,
-										scope:                        Token.get('scope'),
-										roles:                        user_roles,
-										permission_visibility:        permissions.visibility,
-										permission_proxy_hosts:       permissions.proxy_hosts,
-										permission_redirection_hosts: permissions.redirection_hosts,
-										permission_dead_hosts:        permissions.dead_hosts,
-										permission_streams:           permissions.streams,
-										permission_access_lists:      permissions.access_lists,
-										permission_certificates:      permissions.certificates
-									}
-								};
-
-								let permissionSchema = {
-									$schema:              'http://json-schema.org/draft-07/schema#',
-									$async:               true,
-									$id:                  'permissions',
-									additionalProperties: false,
-									properties:           {}
-								};
-
-								permissionSchema.properties[permission] = require('./access/' + permission.replace(/:/gim, '-') + '.json');
-
-								// logger.info('objectSchema', JSON.stringify(objectSchema, null, 2));
-								// logger.info('permissionSchema', JSON.stringify(permissionSchema, null, 2));
-								// logger.info('data_schema', JSON.stringify(data_schema, null, 2));
-
-								let ajv = validator({
-									verbose:      true,
-									allErrors:    true,
-									format:       'full',
-									missingRefs:  'fail',
-									breakOnError: true,
-									coerceTypes:  true,
-									schemas:      [
-										roleSchema,
-										permsSchema,
-										objectSchema,
-										permissionSchema
-									]
-								});
-
-								return ajv.validate('permissions', data_schema)
-									.then(() => {
-										return data_schema[permission];
-									});
-							});
-					})
-					.catch((err) => {
-						err.permission      = permission;
-						err.permission_data = data;
-						logger.error(permission, data, err.message);
-
-						throw new error.PermissionError('Permission Denied', err);
-					});
+		can: async (permission, data) => {
+			if (allowInternalAccess === true) {
+				return true;
 			}
-		}
+
+			try {
+				await this.init();
+				const objectSchema = await this.getObjectSchema(permission);
+
+				const dataSchema = {
+					[permission]: {
+						data: data,
+						scope: Token.get("scope"),
+						roles: userRoles,
+						permission_visibility: permissions.visibility,
+						permission_proxy_hosts: permissions.proxy_hosts,
+						permission_redirection_hosts: permissions.redirection_hosts,
+						permission_dead_hosts: permissions.dead_hosts,
+						permission_streams: permissions.streams,
+						permission_access_lists: permissions.access_lists,
+						permission_certificates: permissions.certificates,
+					},
+				};
+
+				const permissionSchema = {
+					$async: true,
+					$id: "permissions",
+					type: "object",
+					additionalProperties: false,
+					properties: {},
+				};
+
+				const rawData = fs.readFileSync(`${__dirname}/access/${permission.replace(/:/gim, "-")}.json`, {
+					encoding: "utf8",
+				});
+				permissionSchema.properties[permission] = JSON.parse(rawData);
+
+				const ajv = new Ajv({
+					verbose: true,
+					allErrors: true,
+					breakOnError: true,
+					coerceTypes: true,
+					schemas: [roleSchema, permsSchema, objectSchema, permissionSchema],
+				});
+
+				const valid = await ajv.validate("permissions", dataSchema);
+				return valid && dataSchema[permission];
+			} catch (err) {
+				err.permission = permission;
+				err.permission_data = data;
+				logger.error(permission, data, err.message);
+				throw errs.PermissionError("Permission Denied", err);
+			}
+		},
 	};
-};
+}
--- a/backend/lib/access/permissions.json
+++ b/backend/lib/access/permissions.json
@@ -1,5 +1,4 @@
 {
-	"$schema": "http://json-schema.org/draft-07/schema#",
 	"$id": "perms",
 	"definitions": {
 		"view": {
--- a/backend/lib/access/roles.json
+++ b/backend/lib/access/roles.json
@@ -1,5 +1,4 @@
 {
-	"$schema": "http://json-schema.org/draft-07/schema#",
 	"$id": "roles",
 	"definitions": {
 		"admin": {
--- a/backend/lib/certbot.js
+++ b/backend/lib/certbot.js
@@ -0,0 +1,86 @@
+import batchflow from "batchflow";
+import dnsPlugins from "../certbot/dns-plugins.json" with { type: "json" };
+import { certbot as logger } from "../logger.js";
+import errs from "./error.js";
+import utils from "./utils.js";
+
+const CERTBOT_VERSION_REPLACEMENT = "$(certbot --version | grep -Eo '[0-9](\\.[0-9]+)+')";
+
+/**
+ * Installs a cerbot plugin given the key for the object from
+ * ../certbot/dns-plugins.json
+ *
+ * @param   {string}  pluginKey
+ * @returns {Object}
+ */
+const installPlugin = async (pluginKey) => {
+	if (typeof dnsPlugins[pluginKey] === "undefined") {
+		// throw Error(`Certbot plugin ${pluginKey} not found`);
+		throw new errs.ItemNotFoundError(pluginKey);
+	}
+
+	const plugin = dnsPlugins[pluginKey];
+	logger.start(`Installing ${pluginKey}...`);
+
+	plugin.version = plugin.version.replace(/{{certbot-version}}/g, CERTBOT_VERSION_REPLACEMENT);
+	plugin.dependencies = plugin.dependencies.replace(/{{certbot-version}}/g, CERTBOT_VERSION_REPLACEMENT);
+
+	// SETUPTOOLS_USE_DISTUTILS is required for certbot plugins to install correctly
+	// in new versions of Python
+	let env = Object.assign({}, process.env, { SETUPTOOLS_USE_DISTUTILS: "stdlib" });
+	if (typeof plugin.env === "object") {
+		env = Object.assign(env, plugin.env);
+	}
+
+	const cmd = `. /opt/certbot/bin/activate && pip install --no-cache-dir ${plugin.dependencies} ${plugin.package_name}${plugin.version}  && deactivate`;
+	return utils
+		.exec(cmd, { env })
+		.then((result) => {
+			logger.complete(`Installed ${pluginKey}`);
+			return result;
+		})
+		.catch((err) => {
+			throw err;
+		});
+};
+
+/**
+ * @param {array} pluginKeys
+ */
+const installPlugins = async (pluginKeys) => {
+	let hasErrors = false;
+
+	return new Promise((resolve, reject) => {
+		if (pluginKeys.length === 0) {
+			resolve();
+			return;
+		}
+
+		batchflow(pluginKeys)
+			.sequential()
+			.each((_i, pluginKey, next) => {
+				installPlugin(pluginKey)
+					.then(() => {
+						next();
+					})
+					.catch((err) => {
+						hasErrors = true;
+						next(err);
+					});
+			})
+			.error((err) => {
+				logger.error(err.message);
+			})
+			.end(() => {
+				if (hasErrors) {
+					reject(
+						new errs.CommandError("Some plugins failed to install. Please check the logs above", 1),
+					);
+				} else {
+					resolve();
+				}
+			});
+	});
+};
+
+export { installPlugins, installPlugin };
--- a/backend/lib/config.js
+++ b/backend/lib/config.js
@@ -0,0 +1,244 @@
+import fs from "node:fs";
+import NodeRSA from "node-rsa";
+import { global as logger } from "../logger.js";
+
+const keysFile         = '/data/keys.json';
+const mysqlEngine      = 'mysql2';
+const postgresEngine   = 'pg';
+const sqliteClientName = 'sqlite3';
+
+let instance = null;
+
+// 1. Load from config file first (not recommended anymore)
+// 2. Use config env variables next
+const configure = () => {
+	const filename = `${process.env.NODE_CONFIG_DIR || "./config"}/${process.env.NODE_ENV || "default"}.json`;
+	if (fs.existsSync(filename)) {
+		let configData;
+		try {
+			// Load this json  synchronously
+			const rawData = fs.readFileSync(filename);
+			configData = JSON.parse(rawData);
+		} catch (_) {
+			// do nothing
+		}
+
+		if (configData?.database) {
+			logger.info(`Using configuration from file: ${filename}`);
+			instance = configData;
+			instance.keys = getKeys();
+			return;
+		}
+	}
+
+	const envMysqlHost = process.env.DB_MYSQL_HOST || null;
+	const envMysqlUser = process.env.DB_MYSQL_USER || null;
+	const envMysqlName = process.env.DB_MYSQL_NAME || null;
+	if (envMysqlHost && envMysqlUser && envMysqlName) {
+		// we have enough mysql creds to go with mysql
+		logger.info("Using MySQL configuration");
+		instance = {
+			database: {
+				engine: mysqlEngine,
+				host: envMysqlHost,
+				port: process.env.DB_MYSQL_PORT || 3306,
+				user: envMysqlUser,
+				password: process.env.DB_MYSQL_PASSWORD,
+				name: envMysqlName,
+			},
+			keys: getKeys(),
+		};
+		return;
+	}
+
+	const envPostgresHost = process.env.DB_POSTGRES_HOST || null;
+	const envPostgresUser = process.env.DB_POSTGRES_USER || null;
+	const envPostgresName = process.env.DB_POSTGRES_NAME || null;
+	if (envPostgresHost && envPostgresUser && envPostgresName) {
+		// we have enough postgres creds to go with postgres
+		logger.info("Using Postgres configuration");
+		instance = {
+			database: {
+				engine: postgresEngine,
+				host: envPostgresHost,
+				port: process.env.DB_POSTGRES_PORT || 5432,
+				user: envPostgresUser,
+				password: process.env.DB_POSTGRES_PASSWORD,
+				name: envPostgresName,
+			},
+			keys: getKeys(),
+		};
+		return;
+	}
+
+	const envSqliteFile = process.env.DB_SQLITE_FILE || "/data/database.sqlite";
+	logger.info(`Using Sqlite: ${envSqliteFile}`);
+	instance = {
+		database: {
+			engine: "knex-native",
+			knex: {
+				client: sqliteClientName,
+				connection: {
+					filename: envSqliteFile,
+				},
+				useNullAsDefault: true,
+			},
+		},
+		keys: getKeys(),
+	};
+};
+
+const getKeys = () => {
+	// Get keys from file
+	logger.debug("Cheecking for keys file:", keysFile);
+	if (!fs.existsSync(keysFile)) {
+		generateKeys();
+	} else if (process.env.DEBUG) {
+		logger.info("Keys file exists OK");
+	}
+	try {
+		// Load this json keysFile synchronously and return the json object
+		const rawData = fs.readFileSync(keysFile);
+		return JSON.parse(rawData);
+	} catch (err) {
+		logger.error(`Could not read JWT key pair from config file: ${keysFile}`, err);
+		process.exit(1);
+	}
+};
+
+const generateKeys = () => {
+	logger.info("Creating a new JWT key pair...");
+	// Now create the keys and save them in the config.
+	const key = new NodeRSA({ b: 2048 });
+	key.generateKeyPair();
+
+	const keys = {
+		key: key.exportKey("private").toString(),
+		pub: key.exportKey("public").toString(),
+	};
+
+	// Write keys config
+	try {
+		fs.writeFileSync(keysFile, JSON.stringify(keys, null, 2));
+	} catch (err) {
+		logger.error(`Could not write JWT key pair to config file: ${keysFile}: ${err.message}`);
+		process.exit(1);
+	}
+	logger.info(`Wrote JWT key pair to config file: ${keysFile}`);
+};
+
+/**
+ *
+ * @param   {string}  key   ie: 'database' or 'database.engine'
+ * @returns {boolean}
+ */
+const configHas = (key) => {
+	instance === null && configure();
+	const keys = key.split(".");
+	let level = instance;
+	let has = true;
+	keys.forEach((keyItem) => {
+		if (typeof level[keyItem] === "undefined") {
+			has = false;
+		} else {
+			level = level[keyItem];
+		}
+	});
+
+	return has;
+};
+
+/**
+ * Gets a specific key from the top level
+ *
+ * @param {string} key
+ * @returns {*}
+ */
+const configGet = (key) => {
+	instance === null && configure();
+	if (key && typeof instance[key] !== "undefined") {
+		return instance[key];
+	}
+	return instance;
+};
+
+/**
+ * Is this a sqlite configuration?
+ *
+ * @returns {boolean}
+ */
+const isSqlite = () => {
+	instance === null && configure();
+	return instance.database.knex && instance.database.knex.client === sqliteClientName;
+};
+
+/**
+ * Is this a mysql configuration?
+ *
+ * @returns {boolean}
+ */
+const isMysql = () => {
+	instance === null && configure();
+	return instance.database.engine === mysqlEngine;
+};
+
+/**
+ * Is this a postgres configuration?
+ *
+ * @returns {boolean}
+ */
+const isPostgres = () => {
+	instance === null && configure();
+	return instance.database.engine === postgresEngine;
+};
+
+/**
+ * Are we running in debug mdoe?
+ *
+ * @returns {boolean}
+ */
+const isDebugMode = () => !!process.env.DEBUG;
+
+/**
+ * Are we running in CI?
+ *
+ * @returns {boolean}
+ */
+const isCI = () => process.env.CI === 'true' && process.env.DEBUG === 'true';
+
+/**
+ * Returns a public key
+ *
+ * @returns {string}
+ */
+const getPublicKey = () => {
+	instance === null && configure();
+	return instance.keys.pub;
+};
+
+/**
+ * Returns a private key
+ *
+ * @returns {string}
+ */
+const getPrivateKey = () => {
+	instance === null && configure();
+	return instance.keys.key;
+};
+
+/**
+ * @returns {boolean}
+ */
+const useLetsencryptStaging = () => !!process.env.LE_STAGING;
+
+/**
+ * @returns {string|null}
+ */
+const useLetsencryptServer = () => {
+	if (process.env.LE_SERVER) {
+		return process.env.LE_SERVER;
+	}
+	return null;
+};
+
+export { isCI, configHas, configGet, isSqlite, isMysql, isPostgres, isDebugMode, getPrivateKey, getPublicKey, useLetsencryptStaging, useLetsencryptServer };
--- a/backend/lib/error.js
+++ b/backend/lib/error.js
@@ -1,90 +1,103 @@
-const _    = require('lodash');
-const util = require('util');
+import _ from "lodash";

-module.exports = {
-
-	PermissionError: function (message, previous) {
+const errs = {
+	PermissionError: function (_, previous) {
 		Error.captureStackTrace(this, this.constructor);
-		this.name     = this.constructor.name;
+		this.name = this.constructor.name;
 		this.previous = previous;
-		this.message  = 'Permission Denied';
-		this.public   = true;
-		this.status   = 403;
+		this.message = "Permission Denied";
+		this.public = true;
+		this.status = 403;
 	},

 	ItemNotFoundError: function (id, previous) {
 		Error.captureStackTrace(this, this.constructor);
-		this.name     = this.constructor.name;
+		this.name = this.constructor.name;
 		this.previous = previous;
-		this.message  = 'Item Not Found - ' + id;
-		this.public   = true;
-		this.status   = 404;
+		this.message = "Not Found";
+		if (id) {
+			this.message = `Not Found - ${id}`;
+		}
+		this.public = true;
+		this.status = 404;
 	},

-	AuthError: function (message, previous) {
+	AuthError: function (message, messageI18n, previous) {
 		Error.captureStackTrace(this, this.constructor);
-		this.name     = this.constructor.name;
+		this.name = this.constructor.name;
 		this.previous = previous;
-		this.message  = message;
-		this.public   = true;
-		this.status   = 401;
+		this.message = message;
+		this.message_i18n = messageI18n;
+		this.public = true;
+		this.status = 400;
 	},

 	InternalError: function (message, previous) {
 		Error.captureStackTrace(this, this.constructor);
-		this.name     = this.constructor.name;
+		this.name = this.constructor.name;
 		this.previous = previous;
-		this.message  = message;
-		this.status   = 500;
-		this.public   = false;
+		this.message = message;
+		this.status = 500;
+		this.public = false;
 	},

 	InternalValidationError: function (message, previous) {
 		Error.captureStackTrace(this, this.constructor);
-		this.name     = this.constructor.name;
+		this.name = this.constructor.name;
 		this.previous = previous;
-		this.message  = message;
-		this.status   = 400;
-		this.public   = false;
+		this.message = message;
+		this.status = 400;
+		this.public = false;
 	},

 	ConfigurationError: function (message, previous) {
 		Error.captureStackTrace(this, this.constructor);
-		this.name     = this.constructor.name;
+		this.name = this.constructor.name;
 		this.previous = previous;
-		this.message  = message;
-		this.status   = 400;
-		this.public   = true;
+		this.message = message;
+		this.status = 400;
+		this.public = true;
 	},

 	CacheError: function (message, previous) {
 		Error.captureStackTrace(this, this.constructor);
-		this.name     = this.constructor.name;
-		this.message  = message;
+		this.name = this.constructor.name;
+		this.message = message;
 		this.previous = previous;
-		this.status   = 500;
-		this.public   = false;
+		this.status = 500;
+		this.public = false;
 	},

 	ValidationError: function (message, previous) {
 		Error.captureStackTrace(this, this.constructor);
-		this.name     = this.constructor.name;
+		this.name = this.constructor.name;
 		this.previous = previous;
-		this.message  = message;
-		this.public   = true;
-		this.status   = 400;
+		this.message = message;
+		this.public = true;
+		this.status = 400;
 	},

 	AssertionFailedError: function (message, previous) {
 		Error.captureStackTrace(this, this.constructor);
-		this.name     = this.constructor.name;
+		this.name = this.constructor.name;
 		this.previous = previous;
-		this.message  = message;
-		this.public   = false;
-		this.status   = 400;
-	}
+		this.message = message;
+		this.public = false;
+		this.status = 400;
+	},
+
+	CommandError: function (stdErr, code, previous) {
+		Error.captureStackTrace(this, this.constructor);
+		this.name = this.constructor.name;
+		this.previous = previous;
+		this.message = stdErr;
+		this.code = code;
+		this.public = false;
+	},
 };

-_.forEach(module.exports, function (error) {
-	util.inherits(error, Error);
+_.forEach(errs, (err) => {
+	err.prototype = Object.create(Error.prototype);
 });
+
+export default errs;
--- a/backend/lib/express/cors.js
+++ b/backend/lib/express/cors.js
@@ -1,40 +1,17 @@
-const validator = require('../validator');
-
-module.exports = function (req, res, next) {
-
+export default (req, res, next) => {
 	if (req.headers.origin) {
-
-		const originSchema = {
-			oneOf: [
-				{
-					type:    'string',
-					pattern: '^[a-z\\-]+:\\/\\/(?:[\\w\\-\\.]+(:[0-9]+)?/?)?$'
-				},
-				{
-					type:    'string',
-					pattern: '^[a-z\\-]+:\\/\\/(?:\\[([a-z0-9]{0,4}\\:?)+\\])?/?(:[0-9]+)?$'
-				}
-			]
-		};
-
-		// very relaxed validation....
-		validator(originSchema, req.headers.origin)
-			.then(function () {
-				res.set({
-					'Access-Control-Allow-Origin':      req.headers.origin,
-					'Access-Control-Allow-Credentials': true,
-					'Access-Control-Allow-Methods':     'OPTIONS, GET, POST',
-					'Access-Control-Allow-Headers':     'Content-Type, Cache-Control, Pragma, Expires, Authorization, X-Dataset-Total, X-Dataset-Offset, X-Dataset-Limit',
-					'Access-Control-Max-Age':           5 * 60,
-					'Access-Control-Expose-Headers':    'X-Dataset-Total, X-Dataset-Offset, X-Dataset-Limit'
-				});
-				next();
-			})
-			.catch(next);
-
+		res.set({
+			"Access-Control-Allow-Origin": req.headers.origin,
+			"Access-Control-Allow-Credentials": true,
+			"Access-Control-Allow-Methods": "OPTIONS, GET, POST",
+			"Access-Control-Allow-Headers":
+				"Content-Type, Cache-Control, Pragma, Expires, Authorization, X-Dataset-Total, X-Dataset-Offset, X-Dataset-Limit",
+			"Access-Control-Max-Age": 5 * 60,
+			"Access-Control-Expose-Headers": "X-Dataset-Total, X-Dataset-Offset, X-Dataset-Limit",
+		});
+		next();
 	} else {
 		// No origin
 		next();
 	}
-
 };
--- a/backend/lib/express/jwt-decode.js
+++ b/backend/lib/express/jwt-decode.js
@@ -1,15 +1,15 @@
-const Access = require('../access');
+import Access from "../access.js";

-module.exports = () => {
-	return function (req, res, next) {
-		res.locals.access = null;
-		let access        = new Access(res.locals.token || null);
-		access.load()
-			.then(() => {
-				res.locals.access = access;
-				next();
-			})
-			.catch(next);
+export default () => {
+	return async (_, res, next) => {
+		try {
+			res.locals.access = null;
+			const access = new Access(res.locals.token || null);
+			await access.load();
+			res.locals.access = access;
+			next();
+		} catch (err) {
+			next(err);
+		}
 	};
 };
-
--- a/backend/lib/express/jwt.js
+++ b/backend/lib/express/jwt.js
@@ -1,13 +1,13 @@
-module.exports = function () {
-	return function (req, res, next) {
+export default function () {
+	return (req, res, next) => {
 		if (req.headers.authorization) {
-			let parts = req.headers.authorization.split(' ');
+			const parts = req.headers.authorization.split(" ");

-			if (parts && parts[0] === 'Bearer' && parts[1]) {
+			if (parts && parts[0] === "Bearer" && parts[1]) {
 				res.locals.token = parts[1];
 			}
 		}

 		next();
 	};
-};
+}
--- a/backend/lib/express/pagination.js
+++ b/backend/lib/express/pagination.js
@@ -1,7 +1,6 @@
-let _ = require('lodash');
-
-module.exports = function (default_sort, default_offset, default_limit, max_limit) {
+import _  from "lodash";

+export default (default_sort, default_offset, default_limit, max_limit) => {
 	/**
 	 * This will setup the req query params with filtered data and defaults
 	 *
@@ -11,34 +10,35 @@ module.exports = function (default_sort, default_offset, default_limit, max_limi
 	 *
 	 */

-	return function (req, res, next) {
-
-		req.query.offset = typeof req.query.limit === 'undefined' ? default_offset || 0 : parseInt(req.query.offset, 10);
-		req.query.limit  = typeof req.query.limit === 'undefined' ? default_limit || 50 : parseInt(req.query.limit, 10);
+	return (req, _res, next) => {
+		req.query.offset =
+			typeof req.query.limit === "undefined" ? default_offset || 0 : Number.parseInt(req.query.offset, 10);
+		req.query.limit =
+			typeof req.query.limit === "undefined" ? default_limit || 50 : Number.parseInt(req.query.limit, 10);

 		if (max_limit && req.query.limit > max_limit) {
 			req.query.limit = max_limit;
 		}

 		// Sorting
-		let sort       = typeof req.query.sort === 'undefined' ? default_sort : req.query.sort;
-		let myRegexp   = /.*\.(asc|desc)$/ig;
-		let sort_array = [];
+		let sort = typeof req.query.sort === "undefined" ? default_sort : req.query.sort;
+		const myRegexp = /.*\.(asc|desc)$/gi;
+		const sort_array = [];

-		sort = sort.split(',');
-		_.map(sort, function (val) {
-			let matches = myRegexp.exec(val);
+		sort = sort.split(",");
+		_.map(sort, (val) => {
+			const matches = myRegexp.exec(val);

 			if (matches !== null) {
-				let dir = matches[1];
+				const dir = matches[1];
 				sort_array.push({
 					field: val.substr(0, val.length - (dir.length + 1)),
-					dir:   dir.toLowerCase()
+					dir: dir.toLowerCase(),
 				});
 			} else {
 				sort_array.push({
 					field: val,
-					dir:   'asc'
+					dir: "asc",
 				});
 			}
 		});
--- a/backend/lib/express/user-id-from-me.js
+++ b/backend/lib/express/user-id-from-me.js
@@ -1,9 +1,8 @@
-module.exports = (req, res, next) => {
+export default (req, res, next) => {
 	if (req.params.user_id === 'me' && res.locals.access) {
 		req.params.user_id = res.locals.access.token.get('attrs').id;
 	} else {
-		req.params.user_id = parseInt(req.params.user_id, 10);
+		req.params.user_id = Number.parseInt(req.params.user_id, 10);
 	}
-
 	next();
 };
--- a/backend/lib/helpers.js
+++ b/backend/lib/helpers.js
@@ -1,32 +1,58 @@
-const moment = require('moment');
+import moment from "moment";
+import { ref } from "objection";
+import { isPostgres } from "./config.js";

-module.exports = {
-
-	/**
-	 * Takes an expression such as 30d and returns a moment object of that date in future
-	 *
-	 * Key      Shorthand
-	 * ==================
-	 * years         y
-	 * quarters      Q
-	 * months        M
-	 * weeks         w
-	 * days          d
-	 * hours         h
-	 * minutes       m
-	 * seconds       s
-	 * milliseconds  ms
-	 *
-	 * @param {String}  expression
-	 * @returns {Object}
-	 */
-	parseDatePeriod: function (expression) {
-		let matches = expression.match(/^([0-9]+)(y|Q|M|w|d|h|m|s|ms)$/m);
-		if (matches) {
-			return moment().add(matches[1], matches[2]);
-		}
-
-		return null;
+/**
+ * Takes an expression such as 30d and returns a moment object of that date in future
+ *
+ * Key      Shorthand
+ * ==================
+ * years         y
+ * quarters      Q
+ * months        M
+ * weeks         w
+ * days          d
+ * hours         h
+ * minutes       m
+ * seconds       s
+ * milliseconds  ms
+ *
+ * @param {String}  expression
+ * @returns {Object}
+ */
+const parseDatePeriod = (expression) => {
+	const matches = expression.match(/^([0-9]+)(y|Q|M|w|d|h|m|s|ms)$/m);
+	if (matches) {
+		return moment().add(matches[1], matches[2]);
 	}

+	return null;
 };
+
+const convertIntFieldsToBool = (obj, fields) => {
+	fields.forEach((field) => {
+		if (typeof obj[field] !== "undefined") {
+			obj[field] = obj[field] === 1;
+		}
+	});
+	return obj;
+};
+
+const convertBoolFieldsToInt = (obj, fields) => {
+	fields.forEach((field) => {
+		if (typeof obj[field] !== "undefined") {
+			obj[field] = obj[field] ? 1 : 0;
+		}
+	});
+	return obj;
+};
+
+/**
+ * Casts a column to json if using postgres
+ *
+ * @param {string} colName
+ * @returns {string|Objection.ReferenceBuilder}
+ */
+const castJsonIfNeed = (colName) => (isPostgres() ? ref(colName).castText() : colName);
+
+export { parseDatePeriod, convertIntFieldsToBool, convertBoolFieldsToInt, castJsonIfNeed };
--- a/backend/lib/migrate_template.js
+++ b/backend/lib/migrate_template.js
@@ -1,33 +1,34 @@
-const migrate_name = 'identifier_for_migrate';
-const logger       = require('../logger').migrate;
+import { migrate as logger } from "../logger.js";
+
+const migrateName = "identifier_for_migrate";

 /**
 * Migrate
 *
 * @see http://knexjs.org/#Schema
 *
- * @param {Object} knex
- * @param {Promise} Promise
+ * @param   {Object} knex
 * @returns {Promise}
 */
-exports.up = function (knex, Promise) {
-
-	logger.info('[' + migrate_name + '] Migrating Up...');
+const up = (_knex) => {
+	logger.info(`[${migrateName}] Migrating Up...`);

 	// Create Table example:

-	/*return knex.schema.createTable('notification', (table) => {
+	/*
+	return knex.schema.createTable('notification', (table) => {
 		 table.increments().primary();
 		 table.string('name').notNull();
 		 table.string('type').notNull();
 		 table.integer('created_on').notNull();
 		 table.integer('modified_on').notNull();
 	 })
-	 .then(function () {
-		logger.info('[' + migrate_name + '] Notification Table created');
-	 });*/
+		.then(function () {
+			logger.info('[' + migrateName + '] Notification Table created');
+		});
+	 */

-	logger.info('[' + migrate_name + '] Migrating Up Complete');
+	logger.info(`[${migrateName}] Migrating Up Complete`);

 	return Promise.resolve(true);
 };
@@ -35,21 +36,24 @@ exports.up = function (knex, Promise) {
 /**
 * Undo Migrate
 *
- * @param {Object} knex
- * @param {Promise} Promise
+ * @param   {Object} knex
 * @returns {Promise}
 */
-exports.down = function (knex, Promise) {
-	logger.info('[' + migrate_name + '] Migrating Down...');
+const down = (_knex) => {
+	logger.info(`[${migrateName}] Migrating Down...`);

 	// Drop table example:

-	/*return knex.schema.dropTable('notification')
-	 .then(() => {
-		logger.info('[' + migrate_name + '] Notification Table dropped');
-	 });*/
+	/*
+	return knex.schema.dropTable('notification')
+		.then(() => {
+			logger.info(`[${migrateName}] Notification Table dropped`);
+		});
+	*/

-	logger.info('[' + migrate_name + '] Migrating Down Complete');
+	logger.info(`[${migrateName}] Migrating Down Complete`);

 	return Promise.resolve(true);
 };
+
+export { up, down };
--- a/backend/lib/utils.js
+++ b/backend/lib/utils.js
@@ -1,20 +1,110 @@
-const exec = require('child_process').exec;
+import { exec as nodeExec, execFile as nodeExecFile } from "node:child_process";
+import { dirname } from "node:path";
+import { fileURLToPath } from "node:url";
+import { Liquid } from "liquidjs";
+import _ from "lodash";
+import { global as logger } from "../logger.js";
+import errs from "./error.js";

-module.exports = {
+const __filename = fileURLToPath(import.meta.url);
+const __dirname = dirname(__filename);
+
+const exec = async (cmd, options = {}) => {
+	logger.debug("CMD:", cmd);
+	const { stdout, stderr } = await new Promise((resolve, reject) => {
+		const child = nodeExec(cmd, options, (isError, stdout, stderr) => {
+			if (isError) {
+				reject(new errs.CommandError(stderr, isError));
+			} else {
+				resolve({ stdout, stderr });
+			}
+		});
+
+		child.on("error", (e) => {
+			reject(new errs.CommandError(stderr, 1, e));
+		});
+	});
+	return stdout;
+};
+
+/**
+ * @param   {String} cmd
+ * @param   {Array}  args
+ * @param   {Object|undefined}  options
+ * @returns {Promise}
+ */
+const execFile = (cmd, args, options) => {
+	logger.debug(`CMD: ${cmd} ${args ? args.join(" ") : ""}`);
+	const opts = options || {};
+
+	return new Promise((resolve, reject) => {
+		nodeExecFile(cmd, args, opts, (err, stdout, stderr) => {
+			if (err && typeof err === "object") {
+				reject(new errs.CommandError(stderr, 1, err));
+			} else {
+				resolve(stdout.trim());
+			}
+		});
+	});
+};
+
+/**
+ * Used in objection query builder
+ *
+ * @param   {Array}  omissions
+ * @returns {Function}
+ */
+const omitRow = (omissions) => {
+	/**
+	 * @param   {Object} row
+	 * @returns {Object}
+	 */
+	return (row) => {
+		return _.omit(row, omissions);
+	};
+};
+
+/**
+ * Used in objection query builder
+ *
+ * @param   {Array}  omissions
+ * @returns {Function}
+ */
+const omitRows = (omissions) => {
+	/**
+	 * @param   {Array} rows
+	 * @returns {Object}
+	 */
+	return (rows) => {
+		rows.forEach((row, idx) => {
+			rows[idx] = _.omit(row, omissions);
+		});
+		return rows;
+	};
+};
+
+/**
+ * @returns {Object} Liquid render engine
+ */
+const getRenderEngine = () => {
+	const renderEngine = new Liquid({
+		root: `${__dirname}/../templates/`,
+	});

 	/**
-	 * @param   {String} cmd
-	 * @returns {Promise}
+	 * nginxAccessRule expects the object given to have 2 properties:
+	 *
+	 * directive  string
+	 * address    string
 	 */
-	exec: function (cmd) {
-		return new Promise((resolve, reject) => {
-			exec(cmd, function (err, stdout, /*stderr*/) {
-				if (err && typeof err === 'object') {
-					reject(err);
-				} else {
-					resolve(stdout.trim());
-				}
-			});
-		});
-	}
+	renderEngine.registerFilter("nginxAccessRule", (v) => {
+		if (typeof v.directive !== "undefined" && typeof v.address !== "undefined" && v.directive && v.address) {
+			return `${v.directive} ${v.address};`;
+		}
+		return "";
+	});
+
+	return renderEngine;
 };
+
+export default { exec, execFile, omitRow, omitRows, getRenderEngine };
--- a/backend/lib/validator/api.js
+++ b/backend/lib/validator/api.js
@@ -1,13 +1,12 @@
-const error  = require('../error');
-const path   = require('path');
-const parser = require('json-schema-ref-parser');
+import Ajv from "ajv/dist/2020.js";
+import errs from "../error.js";

-const ajv = require('ajv')({
-	verbose:        true,
-	validateSchema: true,
-	allErrors:      false,
-	format:         'full',
-	coerceTypes:    true
+const ajv = new Ajv({
+	verbose: true,
+	allErrors: true,
+	allowUnionTypes: true,
+	strict: false,
+	coerceTypes: true,
 });

 /**
@@ -15,31 +14,32 @@ const ajv = require('ajv')({
 * @param {Object} payload
 * @returns {Promise}
 */
-function apiValidator (schema, payload/*, description*/) {
-	return new Promise(function Promise_apiValidator (resolve, reject) {
-		if (typeof payload === 'undefined') {
-			reject(new error.ValidationError('Payload is undefined'));
-		}
+const apiValidator = async (schema, payload /*, description*/) => {
+	if (!schema) {
+		throw new errs.ValidationError("Schema is undefined");
+	}

-		let validate = ajv.compile(schema);
-		let valid    = validate(payload);
+	// Can't use falsy check here as valid payload could be `0` or `false`
+	if (typeof payload === "undefined") {
+		throw new errs.ValidationError("Payload is undefined");
+	}

-		if (valid && !validate.errors) {
-			resolve(payload);
-		} else {
-			let message = ajv.errorsText(validate.errors);
-			let err     = new error.ValidationError(message);
-			err.debug   = [validate.errors, payload];
-			reject(err);
-		}
-	});
-}

-apiValidator.loadSchemas = parser
-	.dereference(path.resolve('schema/index.json'))
-	.then((schema) => {
-		ajv.addSchema(schema);
-		return schema;
-	});
+	const validate = ajv.compile(schema);

-module.exports = apiValidator;
+	const valid = validate(payload);
+
+
+	if (valid && !validate.errors) {
+		return payload;
+	}
+
+
+
+	const message = ajv.errorsText(validate.errors);
+	const err = new errs.ValidationError(message);
+	err.debug = {validationErrors: validate.errors, payload};
+	throw err;
+};
+
+export default apiValidator;
--- a/backend/lib/validator/index.js
+++ b/backend/lib/validator/index.js
@@ -1,17 +1,17 @@
-const _           = require('lodash');
-const error       = require('../error');
-const definitions = require('../../schema/definitions.json');
+import Ajv from 'ajv/dist/2020.js';
+import _ from "lodash";
+import commonDefinitions from "../../schema/common.json" with { type: "json" };
+import errs from "../error.js";

 RegExp.prototype.toJSON = RegExp.prototype.toString;

-const ajv = require('ajv')({
-	verbose:     true, //process.env.NODE_ENV === 'development',
-	allErrors:   true,
-	format:      'full',  // strict regexes for format checks
+const ajv = new Ajv({
+	verbose: true,
+	allErrors: true,
+	allowUnionTypes: true,
 	coerceTypes: true,
-	schemas:     [
-		definitions
-	]
+	strict: false,
+	schemas: [commonDefinitions],
 });

 /**
@@ -20,30 +20,26 @@ const ajv = require('ajv')({
 * @param   {Object} payload
 * @returns {Promise}
 */
-function validator (schema, payload) {
-	return new Promise(function (resolve, reject) {
+const validator = (schema, payload) => {
+	return new Promise((resolve, reject) => {
 		if (!payload) {
-			reject(new error.InternalValidationError('Payload is falsy'));
+			reject(new errs.InternalValidationError("Payload is falsy"));
 		} else {
 			try {
-				let validate = ajv.compile(schema);
+				const validate = ajv.compile(schema);
+				const valid = validate(payload);

-				let valid = validate(payload);
 				if (valid && !validate.errors) {
 					resolve(_.cloneDeep(payload));
 				} else {
-					let message = ajv.errorsText(validate.errors);
-					reject(new error.InternalValidationError(message));
+					const message = ajv.errorsText(validate.errors);
+					reject(new errs.InternalValidationError(message));
 				}
-
 			} catch (err) {
 				reject(err);
 			}
-
 		}
-
 	});
+};

-}
-
-module.exports = validator;
+export default validator;
--- a/backend/logger.js
+++ b/backend/logger.js
@@ -1,13 +1,18 @@
-const {Signale} = require('signale');
+import signale from "signale";

-module.exports = {
-	global:    new Signale({scope: 'Global   '}),
-	migrate:   new Signale({scope: 'Migrate  '}),
-	express:   new Signale({scope: 'Express  '}),
-	access:    new Signale({scope: 'Access   '}),
-	nginx:     new Signale({scope: 'Nginx    '}),
-	ssl:       new Signale({scope: 'SSL      '}),
-	import:    new Signale({scope: 'Importer '}),
-	setup:     new Signale({scope: 'Setup    '}),
-	ip_ranges: new Signale({scope: 'IP Ranges'})
+const opts = {
+	logLevel: "info",
 };
+
+const global = new signale.Signale({ scope: "Global   ", ...opts });
+const migrate = new signale.Signale({ scope: "Migrate  ", ...opts });
+const express = new signale.Signale({ scope: "Express  ", ...opts });
+const access = new signale.Signale({ scope: "Access   ", ...opts });
+const nginx = new signale.Signale({ scope: "Nginx    ", ...opts });
+const ssl = new signale.Signale({ scope: "SSL      ", ...opts });
+const certbot = new signale.Signale({ scope: "Certbot  ", ...opts });
+const importer = new signale.Signale({ scope: "Importer ", ...opts });
+const setup = new signale.Signale({ scope: "Setup    ", ...opts });
+const ipRanges = new signale.Signale({ scope: "IP Ranges", ...opts });
+
+export { global, migrate, express, access, nginx, ssl, certbot, importer, setup, ipRanges };
--- a/backend/migrate.js
+++ b/backend/migrate.js
@@ -1,15 +1,13 @@
-const db     = require('./db');
-const logger = require('./logger').migrate;
+import db from "./db.js";
+import { migrate as logger } from "./logger.js";

-module.exports = {
-	latest: function () {
-		return db.migrate.currentVersion()
-			.then((version) => {
-				logger.info('Current database version:', version);
-				return db.migrate.latest({
-					tableName: 'migrations',
-					directory: 'migrations'
-				});
-			});
-	}
+const migrateUp = async () => {
+	const version = await db.migrate.currentVersion();
+	logger.info("Current database version:", version);
+	return await db.migrate.latest({
+		tableName: "migrations",
+		directory: "migrations",
+	});
 };
+
+export { migrateUp };
--- a/backend/migrations/20180618015850_initial.js
+++ b/backend/migrations/20180618015850_initial.js
@@ -1,5 +1,6 @@
-const migrate_name = 'initial-schema';
-const logger       = require('../logger').migrate;
+import { migrate as logger } from "../logger.js";
+
+const migrateName = "initial-schema";

 /**
 * Migrate
@@ -7,199 +8,199 @@ const logger       = require('../logger').migrate;
 * @see http://knexjs.org/#Schema
 *
 * @param   {Object}  knex
- * @param   {Promise} Promise
 * @returns {Promise}
 */
-exports.up = function (knex/*, Promise*/) {
-	logger.info('[' + migrate_name + '] Migrating Up...');
+const up = (knex) => {
+	logger.info(`[${migrateName}] Migrating Up...`);

-	return knex.schema.createTable('auth', (table) => {
-		table.increments().primary();
-		table.dateTime('created_on').notNull();
-		table.dateTime('modified_on').notNull();
-		table.integer('user_id').notNull().unsigned();
-		table.string('type', 30).notNull();
-		table.string('secret').notNull();
-		table.json('meta').notNull();
-		table.integer('is_deleted').notNull().unsigned().defaultTo(0);
-	})
+	return knex.schema
+		.createTable("auth", (table) => {
+			table.increments().primary();
+			table.dateTime("created_on").notNull();
+			table.dateTime("modified_on").notNull();
+			table.integer("user_id").notNull().unsigned();
+			table.string("type", 30).notNull();
+			table.string("secret").notNull();
+			table.json("meta").notNull();
+			table.integer("is_deleted").notNull().unsigned().defaultTo(0);
+		})
 		.then(() => {
-			logger.info('[' + migrate_name + '] auth Table created');
+			logger.info(`[${migrateName}] auth Table created`);

-			return knex.schema.createTable('user', (table) => {
+			return knex.schema.createTable("user", (table) => {
 				table.increments().primary();
-				table.dateTime('created_on').notNull();
-				table.dateTime('modified_on').notNull();
-				table.integer('is_deleted').notNull().unsigned().defaultTo(0);
-				table.integer('is_disabled').notNull().unsigned().defaultTo(0);
-				table.string('email').notNull();
-				table.string('name').notNull();
-				table.string('nickname').notNull();
-				table.string('avatar').notNull();
-				table.json('roles').notNull();
+				table.dateTime("created_on").notNull();
+				table.dateTime("modified_on").notNull();
+				table.integer("is_deleted").notNull().unsigned().defaultTo(0);
+				table.integer("is_disabled").notNull().unsigned().defaultTo(0);
+				table.string("email").notNull();
+				table.string("name").notNull();
+				table.string("nickname").notNull();
+				table.string("avatar").notNull();
+				table.json("roles").notNull();
 			});
 		})
 		.then(() => {
-			logger.info('[' + migrate_name + '] user Table created');
+			logger.info(`[${migrateName}] user Table created`);

-			return knex.schema.createTable('user_permission', (table) => {
+			return knex.schema.createTable("user_permission", (table) => {
 				table.increments().primary();
-				table.dateTime('created_on').notNull();
-				table.dateTime('modified_on').notNull();
-				table.integer('user_id').notNull().unsigned();
-				table.string('visibility').notNull();
-				table.string('proxy_hosts').notNull();
-				table.string('redirection_hosts').notNull();
-				table.string('dead_hosts').notNull();
-				table.string('streams').notNull();
-				table.string('access_lists').notNull();
-				table.string('certificates').notNull();
-				table.unique('user_id');
+				table.dateTime("created_on").notNull();
+				table.dateTime("modified_on").notNull();
+				table.integer("user_id").notNull().unsigned();
+				table.string("visibility").notNull();
+				table.string("proxy_hosts").notNull();
+				table.string("redirection_hosts").notNull();
+				table.string("dead_hosts").notNull();
+				table.string("streams").notNull();
+				table.string("access_lists").notNull();
+				table.string("certificates").notNull();
+				table.unique("user_id");
 			});
 		})
 		.then(() => {
-			logger.info('[' + migrate_name + '] user_permission Table created');
+			logger.info(`[${migrateName}] user_permission Table created`);

-			return knex.schema.createTable('proxy_host', (table) => {
+			return knex.schema.createTable("proxy_host", (table) => {
 				table.increments().primary();
-				table.dateTime('created_on').notNull();
-				table.dateTime('modified_on').notNull();
-				table.integer('owner_user_id').notNull().unsigned();
-				table.integer('is_deleted').notNull().unsigned().defaultTo(0);
-				table.json('domain_names').notNull();
-				table.string('forward_ip').notNull();
-				table.integer('forward_port').notNull().unsigned();
-				table.integer('access_list_id').notNull().unsigned().defaultTo(0);
-				table.integer('certificate_id').notNull().unsigned().defaultTo(0);
-				table.integer('ssl_forced').notNull().unsigned().defaultTo(0);
-				table.integer('caching_enabled').notNull().unsigned().defaultTo(0);
-				table.integer('block_exploits').notNull().unsigned().defaultTo(0);
-				table.text('advanced_config').notNull().defaultTo('');
-				table.json('meta').notNull();
+				table.dateTime("created_on").notNull();
+				table.dateTime("modified_on").notNull();
+				table.integer("owner_user_id").notNull().unsigned();
+				table.integer("is_deleted").notNull().unsigned().defaultTo(0);
+				table.json("domain_names").notNull();
+				table.string("forward_ip").notNull();
+				table.integer("forward_port").notNull().unsigned();
+				table.integer("access_list_id").notNull().unsigned().defaultTo(0);
+				table.integer("certificate_id").notNull().unsigned().defaultTo(0);
+				table.integer("ssl_forced").notNull().unsigned().defaultTo(0);
+				table.integer("caching_enabled").notNull().unsigned().defaultTo(0);
+				table.integer("block_exploits").notNull().unsigned().defaultTo(0);
+				table.text("advanced_config").notNull().defaultTo("");
+				table.json("meta").notNull();
 			});
 		})
 		.then(() => {
-			logger.info('[' + migrate_name + '] proxy_host Table created');
+			logger.info(`[${migrateName}] proxy_host Table created`);

-			return knex.schema.createTable('redirection_host', (table) => {
+			return knex.schema.createTable("redirection_host", (table) => {
 				table.increments().primary();
-				table.dateTime('created_on').notNull();
-				table.dateTime('modified_on').notNull();
-				table.integer('owner_user_id').notNull().unsigned();
-				table.integer('is_deleted').notNull().unsigned().defaultTo(0);
-				table.json('domain_names').notNull();
-				table.string('forward_domain_name').notNull();
-				table.integer('preserve_path').notNull().unsigned().defaultTo(0);
-				table.integer('certificate_id').notNull().unsigned().defaultTo(0);
-				table.integer('ssl_forced').notNull().unsigned().defaultTo(0);
-				table.integer('block_exploits').notNull().unsigned().defaultTo(0);
-				table.text('advanced_config').notNull().defaultTo('');
-				table.json('meta').notNull();
+				table.dateTime("created_on").notNull();
+				table.dateTime("modified_on").notNull();
+				table.integer("owner_user_id").notNull().unsigned();
+				table.integer("is_deleted").notNull().unsigned().defaultTo(0);
+				table.json("domain_names").notNull();
+				table.string("forward_domain_name").notNull();
+				table.integer("preserve_path").notNull().unsigned().defaultTo(0);
+				table.integer("certificate_id").notNull().unsigned().defaultTo(0);
+				table.integer("ssl_forced").notNull().unsigned().defaultTo(0);
+				table.integer("block_exploits").notNull().unsigned().defaultTo(0);
+				table.text("advanced_config").notNull().defaultTo("");
+				table.json("meta").notNull();
 			});
 		})
 		.then(() => {
-			logger.info('[' + migrate_name + '] redirection_host Table created');
+			logger.info(`[${migrateName}] redirection_host Table created`);

-			return knex.schema.createTable('dead_host', (table) => {
+			return knex.schema.createTable("dead_host", (table) => {
 				table.increments().primary();
-				table.dateTime('created_on').notNull();
-				table.dateTime('modified_on').notNull();
-				table.integer('owner_user_id').notNull().unsigned();
-				table.integer('is_deleted').notNull().unsigned().defaultTo(0);
-				table.json('domain_names').notNull();
-				table.integer('certificate_id').notNull().unsigned().defaultTo(0);
-				table.integer('ssl_forced').notNull().unsigned().defaultTo(0);
-				table.text('advanced_config').notNull().defaultTo('');
-				table.json('meta').notNull();
+				table.dateTime("created_on").notNull();
+				table.dateTime("modified_on").notNull();
+				table.integer("owner_user_id").notNull().unsigned();
+				table.integer("is_deleted").notNull().unsigned().defaultTo(0);
+				table.json("domain_names").notNull();
+				table.integer("certificate_id").notNull().unsigned().defaultTo(0);
+				table.integer("ssl_forced").notNull().unsigned().defaultTo(0);
+				table.text("advanced_config").notNull().defaultTo("");
+				table.json("meta").notNull();
 			});
 		})
 		.then(() => {
-			logger.info('[' + migrate_name + '] dead_host Table created');
+			logger.info(`[${migrateName}] dead_host Table created`);

-			return knex.schema.createTable('stream', (table) => {
+			return knex.schema.createTable("stream", (table) => {
 				table.increments().primary();
-				table.dateTime('created_on').notNull();
-				table.dateTime('modified_on').notNull();
-				table.integer('owner_user_id').notNull().unsigned();
-				table.integer('is_deleted').notNull().unsigned().defaultTo(0);
-				table.integer('incoming_port').notNull().unsigned();
-				table.string('forward_ip').notNull();
-				table.integer('forwarding_port').notNull().unsigned();
-				table.integer('tcp_forwarding').notNull().unsigned().defaultTo(0);
-				table.integer('udp_forwarding').notNull().unsigned().defaultTo(0);
-				table.json('meta').notNull();
+				table.dateTime("created_on").notNull();
+				table.dateTime("modified_on").notNull();
+				table.integer("owner_user_id").notNull().unsigned();
+				table.integer("is_deleted").notNull().unsigned().defaultTo(0);
+				table.integer("incoming_port").notNull().unsigned();
+				table.string("forward_ip").notNull();
+				table.integer("forwarding_port").notNull().unsigned();
+				table.integer("tcp_forwarding").notNull().unsigned().defaultTo(0);
+				table.integer("udp_forwarding").notNull().unsigned().defaultTo(0);
+				table.json("meta").notNull();
 			});
 		})
 		.then(() => {
-			logger.info('[' + migrate_name + '] stream Table created');
+			logger.info(`[${migrateName}] stream Table created`);

-			return knex.schema.createTable('access_list', (table) => {
+			return knex.schema.createTable("access_list", (table) => {
 				table.increments().primary();
-				table.dateTime('created_on').notNull();
-				table.dateTime('modified_on').notNull();
-				table.integer('owner_user_id').notNull().unsigned();
-				table.integer('is_deleted').notNull().unsigned().defaultTo(0);
-				table.string('name').notNull();
-				table.json('meta').notNull();
+				table.dateTime("created_on").notNull();
+				table.dateTime("modified_on").notNull();
+				table.integer("owner_user_id").notNull().unsigned();
+				table.integer("is_deleted").notNull().unsigned().defaultTo(0);
+				table.string("name").notNull();
+				table.json("meta").notNull();
 			});
 		})
 		.then(() => {
-			logger.info('[' + migrate_name + '] access_list Table created');
+			logger.info(`[${migrateName}] access_list Table created`);

-			return knex.schema.createTable('certificate', (table) => {
+			return knex.schema.createTable("certificate", (table) => {
 				table.increments().primary();
-				table.dateTime('created_on').notNull();
-				table.dateTime('modified_on').notNull();
-				table.integer('owner_user_id').notNull().unsigned();
-				table.integer('is_deleted').notNull().unsigned().defaultTo(0);
-				table.string('provider').notNull();
-				table.string('nice_name').notNull().defaultTo('');
-				table.json('domain_names').notNull();
-				table.dateTime('expires_on').notNull();
-				table.json('meta').notNull();
+				table.dateTime("created_on").notNull();
+				table.dateTime("modified_on").notNull();
+				table.integer("owner_user_id").notNull().unsigned();
+				table.integer("is_deleted").notNull().unsigned().defaultTo(0);
+				table.string("provider").notNull();
+				table.string("nice_name").notNull().defaultTo("");
+				table.json("domain_names").notNull();
+				table.dateTime("expires_on").notNull();
+				table.json("meta").notNull();
 			});
 		})
 		.then(() => {
-			logger.info('[' + migrate_name + '] certificate Table created');
+			logger.info(`[${migrateName}] certificate Table created`);

-			return knex.schema.createTable('access_list_auth', (table) => {
+			return knex.schema.createTable("access_list_auth", (table) => {
 				table.increments().primary();
-				table.dateTime('created_on').notNull();
-				table.dateTime('modified_on').notNull();
-				table.integer('access_list_id').notNull().unsigned();
-				table.string('username').notNull();
-				table.string('password').notNull();
-				table.json('meta').notNull();
+				table.dateTime("created_on").notNull();
+				table.dateTime("modified_on").notNull();
+				table.integer("access_list_id").notNull().unsigned();
+				table.string("username").notNull();
+				table.string("password").notNull();
+				table.json("meta").notNull();
 			});
 		})
 		.then(() => {
-			logger.info('[' + migrate_name + '] access_list_auth Table created');
+			logger.info(`[${migrateName}] access_list_auth Table created`);

-			return knex.schema.createTable('audit_log', (table) => {
+			return knex.schema.createTable("audit_log", (table) => {
 				table.increments().primary();
-				table.dateTime('created_on').notNull();
-				table.dateTime('modified_on').notNull();
-				table.integer('user_id').notNull().unsigned();
-				table.string('object_type').notNull().defaultTo('');
-				table.integer('object_id').notNull().unsigned().defaultTo(0);
-				table.string('action').notNull();
-				table.json('meta').notNull();
+				table.dateTime("created_on").notNull();
+				table.dateTime("modified_on").notNull();
+				table.integer("user_id").notNull().unsigned();
+				table.string("object_type").notNull().defaultTo("");
+				table.integer("object_id").notNull().unsigned().defaultTo(0);
+				table.string("action").notNull();
+				table.json("meta").notNull();
 			});
 		})
 		.then(() => {
-			logger.info('[' + migrate_name + '] audit_log Table created');
+			logger.info(`[${migrateName}] audit_log Table created`);
 		});
-
 };

 /**
 * Undo Migrate
 *
 * @param   {Object}  knex
- * @param   {Promise} Promise
 * @returns {Promise}
 */
-exports.down = function (knex, Promise) {
-	logger.warn('[' + migrate_name + '] You can\'t migrate down the initial data.');
+const down = (_knex) => {
+	logger.warn(`[${migrateName}] You can't migrate down the initial data.`);
 	return Promise.resolve(true);
 };
+
+export { up, down };
--- a/backend/migrations/20180929054513_websockets.js
+++ b/backend/migrations/20180929054513_websockets.js
@@ -1,5 +1,6 @@
-const migrate_name = 'websockets';
-const logger       = require('../logger').migrate;
+import { migrate as logger } from "../logger.js";
+
+const migrateName = "websockets";

 /**
 * Migrate
@@ -7,29 +8,29 @@ const logger       = require('../logger').migrate;
 * @see http://knexjs.org/#Schema
 *
 * @param   {Object}  knex
- * @param   {Promise} Promise
 * @returns {Promise}
 */
-exports.up = function (knex/*, Promise*/) {
-	logger.info('[' + migrate_name + '] Migrating Up...');
+const up = (knex) => {
+	logger.info(`[${migrateName}] Migrating Up...`);

-	return knex.schema.table('proxy_host', function (proxy_host) {
-		proxy_host.integer('allow_websocket_upgrade').notNull().unsigned().defaultTo(0);
-	})
+	return knex.schema
+		.table("proxy_host", (proxy_host) => {
+			proxy_host.integer("allow_websocket_upgrade").notNull().unsigned().defaultTo(0);
+		})
 		.then(() => {
-			logger.info('[' + migrate_name + '] proxy_host Table altered');
+			logger.info(`[${migrateName}] proxy_host Table altered`);
 		});
-
 };

 /**
 * Undo Migrate
 *
 * @param   {Object}  knex
- * @param   {Promise} Promise
 * @returns {Promise}
 */
-exports.down = function (knex, Promise) {
-	logger.warn('[' + migrate_name + '] You can\'t migrate down this one.');
+const down = (_knex) => {
+	logger.warn(`[${migrateName}] You can't migrate down this one.`);
 	return Promise.resolve(true);
-};
+};
+
+export { up, down };
--- a/backend/migrations/20181019052346_forward_host.js
+++ b/backend/migrations/20181019052346_forward_host.js
@@ -1,5 +1,6 @@
-const migrate_name = 'forward_host';
-const logger       = require('../logger').migrate;
+import { migrate as logger } from "../logger.js";
+
+const migrateName = "forward_host";

 /**
 * Migrate
@@ -7,17 +8,17 @@ const logger       = require('../logger').migrate;
 * @see http://knexjs.org/#Schema
 *
 * @param   {Object}  knex
- * @param   {Promise} Promise
 * @returns {Promise}
 */
-exports.up = function (knex/*, Promise*/) {
-	logger.info('[' + migrate_name + '] Migrating Up...');
+const up = (knex) => {
+	logger.info(`[${migrateName}] Migrating Up...`);

-	return knex.schema.table('proxy_host', function (proxy_host) {
-		proxy_host.renameColumn('forward_ip', 'forward_host');
-	})
+	return knex.schema
+		.table("proxy_host", (proxy_host) => {
+			proxy_host.renameColumn("forward_ip", "forward_host");
+		})
 		.then(() => {
-			logger.info('[' + migrate_name + '] proxy_host Table altered');
+			logger.info(`[${migrateName}] proxy_host Table altered`);
 		});
 };

@@ -25,10 +26,11 @@ exports.up = function (knex/*, Promise*/) {
 * Undo Migrate
 *
 * @param   {Object}  knex
- * @param   {Promise} Promise
 * @returns {Promise}
 */
-exports.down = function (knex, Promise) {
-	logger.warn('[' + migrate_name + '] You can\'t migrate down this one.');
+const down = (_knex) => {
+	logger.warn(`[${migrateName}] You can't migrate down this one.`);
 	return Promise.resolve(true);
-};
+};
+
+export { up, down };
--- a/backend/migrations/20181113041458_http2_support.js
+++ b/backend/migrations/20181113041458_http2_support.js
@@ -1,5 +1,6 @@
-const migrate_name = 'http2_support';
-const logger       = require('../logger').migrate;
+import { migrate as logger } from "../logger.js";
+
+const migrateName = "http2_support";

 /**
 * Migrate
@@ -7,31 +8,31 @@ const logger       = require('../logger').migrate;
 * @see http://knexjs.org/#Schema
 *
 * @param   {Object}  knex
- * @param   {Promise} Promise
 * @returns {Promise}
 */
-exports.up = function (knex/*, Promise*/) {
-	logger.info('[' + migrate_name + '] Migrating Up...');
+const up = (knex) => {
+	logger.info(`[${migrateName}] Migrating Up...`);

-	return knex.schema.table('proxy_host', function (proxy_host) {
-		proxy_host.integer('http2_support').notNull().unsigned().defaultTo(0);
-	})
+	return knex.schema
+		.table("proxy_host", (proxy_host) => {
+			proxy_host.integer("http2_support").notNull().unsigned().defaultTo(0);
+		})
 		.then(() => {
-			logger.info('[' + migrate_name + '] proxy_host Table altered');
+			logger.info(`[${migrateName}] proxy_host Table altered`);

-			return knex.schema.table('redirection_host', function (redirection_host) {
-				redirection_host.integer('http2_support').notNull().unsigned().defaultTo(0);
+			return knex.schema.table("redirection_host", (redirection_host) => {
+				redirection_host.integer("http2_support").notNull().unsigned().defaultTo(0);
 			});
 		})
 		.then(() => {
-			logger.info('[' + migrate_name + '] redirection_host Table altered');
+			logger.info(`[${migrateName}] redirection_host Table altered`);

-			return knex.schema.table('dead_host', function (dead_host) {
-				dead_host.integer('http2_support').notNull().unsigned().defaultTo(0);
+			return knex.schema.table("dead_host", (dead_host) => {
+				dead_host.integer("http2_support").notNull().unsigned().defaultTo(0);
 			});
 		})
 		.then(() => {
-			logger.info('[' + migrate_name + '] dead_host Table altered');
+			logger.info(`[${migrateName}] dead_host Table altered`);
 		});
 };

@@ -39,11 +40,11 @@ exports.up = function (knex/*, Promise*/) {
 * Undo Migrate
 *
 * @param   {Object}  knex
- * @param   {Promise} Promise
 * @returns {Promise}
 */
-exports.down = function (knex, Promise) {
-	logger.warn('[' + migrate_name + '] You can\'t migrate down this one.');
+const down = (_knex) => {
+	logger.warn(`[${migrateName}] You can't migrate down this one.`);
 	return Promise.resolve(true);
 };

+export { up, down };
--- a/backend/migrations/20181213013211_forward_scheme.js
+++ b/backend/migrations/20181213013211_forward_scheme.js
@@ -1,5 +1,6 @@
-const migrate_name = 'forward_scheme';
-const logger       = require('../logger').migrate;
+import { migrate as logger } from "../logger.js";
+
+const migrateName = "forward_scheme";

 /**
 * Migrate
@@ -7,17 +8,17 @@ const logger       = require('../logger').migrate;
 * @see http://knexjs.org/#Schema
 *
 * @param   {Object}  knex
- * @param   {Promise} Promise
 * @returns {Promise}
 */
-exports.up = function (knex/*, Promise*/) {
-	logger.info('[' + migrate_name + '] Migrating Up...');
+const up = (knex) => {
+	logger.info(`[${migrateName}] Migrating Up...`);

-	return knex.schema.table('proxy_host', function (proxy_host) {
-		proxy_host.string('forward_scheme').notNull().defaultTo('http');
-	})
+	return knex.schema
+		.table("proxy_host", (proxy_host) => {
+			proxy_host.string("forward_scheme").notNull().defaultTo("http");
+		})
 		.then(() => {
-			logger.info('[' + migrate_name + '] proxy_host Table altered');
+			logger.info(`[${migrateName}] proxy_host Table altered`);
 		});
 };

@@ -25,10 +26,11 @@ exports.up = function (knex/*, Promise*/) {
 * Undo Migrate
 *
 * @param   {Object}  knex
- * @param   {Promise} Promise
 * @returns {Promise}
 */
-exports.down = function (knex, Promise) {
-	logger.warn('[' + migrate_name + '] You can\'t migrate down this one.');
+const down = (_knex) => {
+	logger.warn(`[${migrateName}] You can't migrate down this one.`);
 	return Promise.resolve(true);
 };
+
+export { up, down };
--- a/backend/migrations/20190104035154_disabled.js
+++ b/backend/migrations/20190104035154_disabled.js
@@ -1,5 +1,6 @@
-const migrate_name = 'disabled';
-const logger       = require('../logger').migrate;
+import { migrate as logger } from "../logger.js";
+
+const migrateName = "disabled";

 /**
 * Migrate
@@ -7,38 +8,38 @@ const logger       = require('../logger').migrate;
 * @see http://knexjs.org/#Schema
 *
 * @param   {Object}  knex
- * @param   {Promise} Promise
 * @returns {Promise}
 */
-exports.up = function (knex/*, Promise*/) {
-	logger.info('[' + migrate_name + '] Migrating Up...');
+const up = (knex) => {
+	logger.info(`[${migrateName}] Migrating Up...`);

-	return knex.schema.table('proxy_host', function (proxy_host) {
-		proxy_host.integer('enabled').notNull().unsigned().defaultTo(1);
-	})
+	return knex.schema
+		.table("proxy_host", (proxy_host) => {
+			proxy_host.integer("enabled").notNull().unsigned().defaultTo(1);
+		})
 		.then(() => {
-			logger.info('[' + migrate_name + '] proxy_host Table altered');
+			logger.info(`[${migrateName}] proxy_host Table altered`);

-			return knex.schema.table('redirection_host', function (redirection_host) {
-				redirection_host.integer('enabled').notNull().unsigned().defaultTo(1);
+			return knex.schema.table("redirection_host", (redirection_host) => {
+				redirection_host.integer("enabled").notNull().unsigned().defaultTo(1);
 			});
 		})
 		.then(() => {
-			logger.info('[' + migrate_name + '] redirection_host Table altered');
+			logger.info(`[${migrateName}] redirection_host Table altered`);

-			return knex.schema.table('dead_host', function (dead_host) {
-				dead_host.integer('enabled').notNull().unsigned().defaultTo(1);
+			return knex.schema.table("dead_host", (dead_host) => {
+				dead_host.integer("enabled").notNull().unsigned().defaultTo(1);
 			});
 		})
 		.then(() => {
-			logger.info('[' + migrate_name + '] dead_host Table altered');
+			logger.info(`[${migrateName}] dead_host Table altered`);

-			return knex.schema.table('stream', function (stream) {
-				stream.integer('enabled').notNull().unsigned().defaultTo(1);
+			return knex.schema.table("stream", (stream) => {
+				stream.integer("enabled").notNull().unsigned().defaultTo(1);
 			});
 		})
 		.then(() => {
-			logger.info('[' + migrate_name + '] stream Table altered');
+			logger.info(`[${migrateName}] stream Table altered`);
 		});
 };

@@ -46,10 +47,11 @@ exports.up = function (knex/*, Promise*/) {
 * Undo Migrate
 *
 * @param   {Object}  knex
- * @param   {Promise} Promise
 * @returns {Promise}
 */
-exports.down = function (knex, Promise) {
-	logger.warn('[' + migrate_name + '] You can\'t migrate down this one.');
+const down = (_knex) => {
+	logger.warn(`[${migrateName}] You can't migrate down this one.`);
 	return Promise.resolve(true);
 };
+
+export { up, down };
--- a/backend/migrations/20190215115310_customlocations.js
+++ b/backend/migrations/20190215115310_customlocations.js
@@ -1,5 +1,6 @@
-const migrate_name = 'custom_locations';
-const logger       = require('../logger').migrate;
+import { migrate as logger } from "../logger.js";
+
+const migrateName = "custom_locations";

 /**
 * Migrate
@@ -8,17 +9,17 @@ const logger       = require('../logger').migrate;
 * @see http://knexjs.org/#Schema
 *
 * @param   {Object}  knex
- * @param   {Promise} Promise
 * @returns {Promise}
 */
-exports.up = function (knex/*, Promise*/) {
-	logger.info('[' + migrate_name + '] Migrating Up...');
+const up = (knex) => {
+	logger.info(`[${migrateName}] Migrating Up...`);

-	return knex.schema.table('proxy_host', function (proxy_host) {
-		proxy_host.json('locations');
-	})
+	return knex.schema
+		.table("proxy_host", (proxy_host) => {
+			proxy_host.json("locations");
+		})
 		.then(() => {
-			logger.info('[' + migrate_name + '] proxy_host Table altered');
+			logger.info(`[${migrateName}] proxy_host Table altered`);
 		});
 };

@@ -26,10 +27,11 @@ exports.up = function (knex/*, Promise*/) {
 * Undo Migrate
 *
 * @param   {Object}  knex
- * @param   {Promise} Promise
 * @returns {Promise}
 */
-exports.down = function (knex, Promise) {
-	logger.warn('[' + migrate_name + '] You can\'t migrate down this one.');
+const down = (_knex) => {
+	logger.warn(`[${migrateName}] You can't migrate down this one.`);
 	return Promise.resolve(true);
 };
+
+export { up, down };
--- a/backend/migrations/20190218060101_hsts.js
+++ b/backend/migrations/20190218060101_hsts.js
@@ -1,5 +1,6 @@
-const migrate_name = 'hsts';
-const logger       = require('../logger').migrate;
+import { migrate as logger } from "../logger.js";
+
+const migrateName = "hsts";

 /**
 * Migrate
@@ -7,34 +8,34 @@ const logger       = require('../logger').migrate;
 * @see http://knexjs.org/#Schema
 *
 * @param   {Object}  knex
- * @param   {Promise} Promise
 * @returns {Promise}
 */
-exports.up = function (knex/*, Promise*/) {
-	logger.info('[' + migrate_name + '] Migrating Up...');
+const up = (knex) => {
+	logger.info(`[${migrateName}] Migrating Up...`);

-	return knex.schema.table('proxy_host', function (proxy_host) {
-		proxy_host.integer('hsts_enabled').notNull().unsigned().defaultTo(0);
-		proxy_host.integer('hsts_subdomains').notNull().unsigned().defaultTo(0);
-	})
+	return knex.schema
+		.table("proxy_host", (proxy_host) => {
+			proxy_host.integer("hsts_enabled").notNull().unsigned().defaultTo(0);
+			proxy_host.integer("hsts_subdomains").notNull().unsigned().defaultTo(0);
+		})
 		.then(() => {
-			logger.info('[' + migrate_name + '] proxy_host Table altered');
+			logger.info(`[${migrateName}] proxy_host Table altered`);

-			return knex.schema.table('redirection_host', function (redirection_host) {
-				redirection_host.integer('hsts_enabled').notNull().unsigned().defaultTo(0);
-				redirection_host.integer('hsts_subdomains').notNull().unsigned().defaultTo(0);
+			return knex.schema.table("redirection_host", (redirection_host) => {
+				redirection_host.integer("hsts_enabled").notNull().unsigned().defaultTo(0);
+				redirection_host.integer("hsts_subdomains").notNull().unsigned().defaultTo(0);
 			});
 		})
 		.then(() => {
-			logger.info('[' + migrate_name + '] redirection_host Table altered');
+			logger.info(`[${migrateName}] redirection_host Table altered`);

-			return knex.schema.table('dead_host', function (dead_host) {
-				dead_host.integer('hsts_enabled').notNull().unsigned().defaultTo(0);
-				dead_host.integer('hsts_subdomains').notNull().unsigned().defaultTo(0);
+			return knex.schema.table("dead_host", (dead_host) => {
+				dead_host.integer("hsts_enabled").notNull().unsigned().defaultTo(0);
+				dead_host.integer("hsts_subdomains").notNull().unsigned().defaultTo(0);
 			});
 		})
 		.then(() => {
-			logger.info('[' + migrate_name + '] dead_host Table altered');
+			logger.info(`[${migrateName}] dead_host Table altered`);
 		});
 };

@@ -42,10 +43,11 @@ exports.up = function (knex/*, Promise*/) {
 * Undo Migrate
 *
 * @param   {Object}  knex
- * @param   {Promise} Promise
 * @returns {Promise}
 */
-exports.down = function (knex, Promise) {
-	logger.warn('[' + migrate_name + '] You can\'t migrate down this one.');
+const down = (_knex) => {
+	logger.warn(`[${migrateName}] You can't migrate down this one.`);
 	return Promise.resolve(true);
 };
+
+export { up, down };
--- a/backend/migrations/20190227065017_settings.js
+++ b/backend/migrations/20190227065017_settings.js
@@ -1,5 +1,6 @@
-const migrate_name = 'settings';
-const logger       = require('../logger').migrate;
+import { migrate as logger } from "../logger.js";
+
+const migrateName = "settings";

 /**
 * Migrate
@@ -7,11 +8,10 @@ const logger       = require('../logger').migrate;
 * @see http://knexjs.org/#Schema
 *
 * @param   {Object}  knex
- * @param   {Promise} Promise
 * @returns {Promise}
 */
-exports.up = function (knex/*, Promise*/) {
-	logger.info('[' + migrate_name + '] Migrating Up...');
+const up = (knex) => {
+	logger.info(`[${migrateName}] Migrating Up...`);

 	return knex.schema.createTable('setting', (table) => {
 		table.string('id').notNull().primary();
@@ -21,7 +21,7 @@ exports.up = function (knex/*, Promise*/) {
 		table.json('meta').notNull();
 	})
 		.then(() => {
-			logger.info('[' + migrate_name + '] setting Table created');
+			logger.info(`[${migrateName}] setting Table created`);
 		});
 };

@@ -29,10 +29,11 @@ exports.up = function (knex/*, Promise*/) {
 * Undo Migrate
 *
 * @param   {Object}  knex
- * @param   {Promise} Promise
 * @returns {Promise}
 */
-exports.down = function (knex, Promise) {
-	logger.warn('[' + migrate_name + '] You can\'t migrate down the initial data.');
+const down = (_knex) => {
+	logger.warn(`[${migrateName}] You can't migrate down the initial data.`);
 	return Promise.resolve(true);
 };
+
+export { up, down };
--- a/backend/migrations/20200410143839_access_list_client.js
+++ b/backend/migrations/20200410143839_access_list_client.js
@@ -1,5 +1,6 @@
-const migrate_name = 'access_list_client';
-const logger       = require('../logger').migrate;
+import { migrate as logger } from "../logger.js";
+
+const migrateName = "access_list_client";

 /**
 * Migrate
@@ -7,32 +8,30 @@ const logger       = require('../logger').migrate;
 * @see http://knexjs.org/#Schema
 *
 * @param   {Object}  knex
- * @param   {Promise} Promise
 * @returns {Promise}
 */
-exports.up = function (knex/*, Promise*/) {
+const up = (knex) => {
+	logger.info(`[${migrateName}] Migrating Up...`);

-	logger.info('[' + migrate_name + '] Migrating Up...');
+	return knex.schema
+		.createTable("access_list_client", (table) => {
+			table.increments().primary();
+			table.dateTime("created_on").notNull();
+			table.dateTime("modified_on").notNull();
+			table.integer("access_list_id").notNull().unsigned();
+			table.string("address").notNull();
+			table.string("directive").notNull();
+			table.json("meta").notNull();
+		})
+		.then(() => {
+			logger.info(`[${migrateName}] access_list_client Table created`);

-	return knex.schema.createTable('access_list_client', (table) => {
-		table.increments().primary();
-		table.dateTime('created_on').notNull();
-		table.dateTime('modified_on').notNull();
-		table.integer('access_list_id').notNull().unsigned();
-		table.string('address').notNull();
-		table.string('directive').notNull();
-		table.json('meta').notNull();
-
-	})
-		.then(function () {
-			logger.info('[' + migrate_name + '] access_list_client Table created');
-
-			return knex.schema.table('access_list', function (access_list) {
-				access_list.integer('satify_any').notNull().defaultTo(0);
+			return knex.schema.table("access_list", (access_list) => {
+				access_list.integer("satify_any").notNull().defaultTo(0);
 			});
 		})
 		.then(() => {
-			logger.info('[' + migrate_name + '] access_list Table altered');
+			logger.info(`[${migrateName}] access_list Table altered`);
 		});
 };

@@ -40,14 +39,14 @@ exports.up = function (knex/*, Promise*/) {
 * Undo Migrate
 *
 * @param {Object} knex
- * @param {Promise} Promise
 * @returns {Promise}
 */
-exports.down = function (knex/*, Promise*/) {
-	logger.info('[' + migrate_name + '] Migrating Down...');
+const down = (knex) => {
+	logger.info(`[${migrateName}] Migrating Down...`);

-	return knex.schema.dropTable('access_list_client')
-		.then(() => {
-			logger.info('[' + migrate_name + '] access_list_client Table dropped');
-		});
+	return knex.schema.dropTable("access_list_client").then(() => {
+		logger.info(`[${migrateName}] access_list_client Table dropped`);
+	});
 };
+
+export { up, down };
--- a/backend/migrations/20200410143840_access_list_client_fix.js
+++ b/backend/migrations/20200410143840_access_list_client_fix.js
@@ -1,5 +1,6 @@
-const migrate_name = 'access_list_client_fix';
-const logger       = require('../logger').migrate;
+import { migrate as logger } from "../logger.js";
+
+const migrateName = "access_list_client_fix";

 /**
 * Migrate
@@ -7,17 +8,17 @@ const logger       = require('../logger').migrate;
 * @see http://knexjs.org/#Schema
 *
 * @param   {Object}  knex
- * @param   {Promise} Promise
 * @returns {Promise}
 */
-exports.up = function (knex/*, Promise*/) {
-	logger.info('[' + migrate_name + '] Migrating Up...');
+const up = (knex) => {
+	logger.info(`[${migrateName}] Migrating Up...`);

-	return knex.schema.table('access_list', function (access_list) {
-		access_list.renameColumn('satify_any', 'satisfy_any');
-	})
+	return knex.schema
+		.table("access_list", (access_list) => {
+			access_list.renameColumn("satify_any", "satisfy_any");
+		})
 		.then(() => {
-			logger.info('[' + migrate_name + '] access_list Table altered');
+			logger.info(`[${migrateName}] access_list Table altered`);
 		});
 };

@@ -25,10 +26,11 @@ exports.up = function (knex/*, Promise*/) {
 * Undo Migrate
 *
 * @param   {Object}  knex
- * @param   {Promise} Promise
 * @returns {Promise}
 */
-exports.down = function (knex, Promise) {
-	logger.warn('[' + migrate_name + '] You can\'t migrate down this one.');
+const down = (_knex) => {
+	logger.warn(`[${migrateName}] You can't migrate down this one.`);
 	return Promise.resolve(true);
 };
+
+export { up, down };
--- a/backend/migrations/20201014143841_pass_auth.js
+++ b/backend/migrations/20201014143841_pass_auth.js
@@ -1,5 +1,6 @@
-const migrate_name = 'pass_auth';
-const logger       = require('../logger').migrate;
+import { migrate as logger } from "../logger.js";
+
+const migrateName = "pass_auth";

 /**
 * Migrate
@@ -7,18 +8,17 @@ const logger       = require('../logger').migrate;
 * @see http://knexjs.org/#Schema
 *
 * @param   {Object}  knex
- * @param   {Promise} Promise
 * @returns {Promise}
 */
-exports.up = function (knex/*, Promise*/) {
+const up = (knex) => {
+	logger.info(`[${migrateName}] Migrating Up...`);

-	logger.info('[' + migrate_name + '] Migrating Up...');
-
-	return knex.schema.table('access_list', function (access_list) {
-		access_list.integer('pass_auth').notNull().defaultTo(1);
-	})
+	return knex.schema
+		.table("access_list", (access_list) => {
+			access_list.integer("pass_auth").notNull().defaultTo(1);
+		})
 		.then(() => {
-			logger.info('[' + migrate_name + '] access_list Table altered');
+			logger.info(`[${migrateName}] access_list Table altered`);
 		});
 };

@@ -26,16 +26,18 @@ exports.up = function (knex/*, Promise*/) {
 * Undo Migrate
 *
 * @param {Object} knex
- * @param {Promise} Promise
 * @returns {Promise}
 */
-exports.down = function (knex/*, Promise*/) {
-	logger.info('[' + migrate_name + '] Migrating Down...');
+const down = (knex) => {
+	logger.info(`[${migrateName}] Migrating Down...`);

-	return knex.schema.table('access_list', function (access_list) {
-		access_list.dropColumn('pass_auth');
-	})
+	return knex.schema
+		.table("access_list", (access_list) => {
+			access_list.dropColumn("pass_auth");
+		})
 		.then(() => {
-			logger.info('[' + migrate_name + '] access_list pass_auth Column dropped');
+			logger.info(`[${migrateName}] access_list pass_auth Column dropped`);
 		});
 };
+
+export { up, down };
--- a/backend/migrations/20210210154702_redirection_scheme.js
+++ b/backend/migrations/20210210154702_redirection_scheme.js
@@ -1,5 +1,6 @@
-const migrate_name = 'redirection_scheme';
-const logger       = require('../logger').migrate;
+import { migrate as logger } from "../logger.js";
+
+const migrateName = "redirection_scheme";

 /**
 * Migrate
@@ -7,18 +8,17 @@ const logger       = require('../logger').migrate;
 * @see http://knexjs.org/#Schema
 *
 * @param   {Object} knex
- * @param   {Promise} Promise
 * @returns {Promise}
 */
-exports.up = function (knex/*, Promise*/) {
+const up = (knex) => {
+	logger.info(`[${migrateName}] Migrating Up...`);

-	logger.info('[' + migrate_name + '] Migrating Up...');
-
-	return knex.schema.table('redirection_host', (table) => {
-		table.string('forward_scheme').notNull().defaultTo('$scheme');
-	})
-		.then(function () {
-			logger.info('[' + migrate_name + '] redirection_host Table altered');
+	return knex.schema
+		.table("redirection_host", (table) => {
+			table.string("forward_scheme").notNull().defaultTo("$scheme");
+		})
+		.then(() => {
+			logger.info(`[${migrateName}] redirection_host Table altered`);
 		});
 };

@@ -26,16 +26,18 @@ exports.up = function (knex/*, Promise*/) {
 * Undo Migrate
 *
 * @param   {Object} knex
- * @param   {Promise} Promise
 * @returns {Promise}
 */
-exports.down = function (knex/*, Promise*/) {
-	logger.info('[' + migrate_name + '] Migrating Down...');
+const down = (knex) => {
+	logger.info(`[${migrateName}] Migrating Down...`);

-	return knex.schema.table('redirection_host', (table) => {
-		table.dropColumn('forward_scheme');
-	})
-		.then(function () {
-			logger.info('[' + migrate_name + '] redirection_host Table altered');
+	return knex.schema
+		.table("redirection_host", (table) => {
+			table.dropColumn("forward_scheme");
+		})
+		.then(() => {
+			logger.info(`[${migrateName}] redirection_host Table altered`);
 		});
 };
+
+export { up, down };
--- a/backend/migrations/20210210154703_redirection_status_code.js
+++ b/backend/migrations/20210210154703_redirection_status_code.js
@@ -1,5 +1,6 @@
-const migrate_name = 'redirection_status_code';
-const logger       = require('../logger').migrate;
+import { migrate as logger } from "../logger.js";
+
+const migrateName = "redirection_status_code";

 /**
 * Migrate
@@ -7,18 +8,17 @@ const logger       = require('../logger').migrate;
 * @see http://knexjs.org/#Schema
 *
 * @param   {Object} knex
- * @param   {Promise} Promise
 * @returns {Promise}
 */
-exports.up = function (knex/*, Promise*/) {
+const up = (knex) => {
+	logger.info(`[${migrateName}] Migrating Up...`);

-	logger.info('[' + migrate_name + '] Migrating Up...');
-
-	return knex.schema.table('redirection_host', (table) => {
-		table.integer('forward_http_code').notNull().unsigned().defaultTo(302);
-	})
-		.then(function () {
-			logger.info('[' + migrate_name + '] redirection_host Table altered');
+	return knex.schema
+		.table("redirection_host", (table) => {
+			table.integer("forward_http_code").notNull().unsigned().defaultTo(302);
+		})
+		.then(() => {
+			logger.info(`[${migrateName}] redirection_host Table altered`);
 		});
 };

@@ -26,16 +26,18 @@ exports.up = function (knex/*, Promise*/) {
 * Undo Migrate
 *
 * @param   {Object} knex
- * @param   {Promise} Promise
 * @returns {Promise}
 */
-exports.down = function (knex/*, Promise*/) {
-	logger.info('[' + migrate_name + '] Migrating Down...');
+const down = (knex) => {
+	logger.info(`[${migrateName}] Migrating Down...`);

-	return knex.schema.table('redirection_host', (table) => {
-		table.dropColumn('forward_http_code');
-	})
-		.then(function () {
-			logger.info('[' + migrate_name + '] redirection_host Table altered');
+	return knex.schema
+		.table("redirection_host", (table) => {
+			table.dropColumn("forward_http_code");
+		})
+		.then(() => {
+			logger.info(`[${migrateName}] redirection_host Table altered`);
 		});
 };
+
+export { up, down };
--- a/backend/migrations/20210423103500_stream_domain.js
+++ b/backend/migrations/20210423103500_stream_domain.js
@@ -1,40 +1,43 @@
-const migrate_name = 'stream_domain';
-const logger       = require('../logger').migrate;
+import { migrate as logger } from "../logger.js";
+
+const migrateName = "stream_domain";

 /**
-	* Migrate
-	*
-	* @see http://knexjs.org/#Schema
-	*
-	* @param   {Object} knex
-	* @param   {Promise} Promise
-	* @returns {Promise}
-	*/
-exports.up = function (knex/*, Promise*/) {
-	logger.info('[' + migrate_name + '] Migrating Up...');
+ * Migrate
+ *
+ * @see http://knexjs.org/#Schema
+ *
+ * @param   {Object} knex
+ * @returns {Promise}
+ */
+const up = (knex) => {
+	logger.info(`[${migrateName}] Migrating Up...`);

-	return knex.schema.table('stream', (table) => {
-		table.renameColumn('forward_ip', 'forwarding_host');
-	})
-		.then(function () {
-			logger.info('[' + migrate_name + '] stream Table altered');
+	return knex.schema
+		.table("stream", (table) => {
+			table.renameColumn("forward_ip", "forwarding_host");
+		})
+		.then(() => {
+			logger.info(`[${migrateName}] stream Table altered`);
 		});
 };

 /**
-	* Undo Migrate
-	*
-	* @param   {Object} knex
-	* @param   {Promise} Promise
-	* @returns {Promise}
-	*/
-exports.down = function (knex/*, Promise*/) {
-	logger.info('[' + migrate_name + '] Migrating Down...');
+ * Undo Migrate
+ *
+ * @param   {Object} knex
+ * @returns {Promise}
+ */
+const down = (knex) => {
+	logger.info(`[${migrateName}] Migrating Down...`);

-	return knex.schema.table('stream', (table) => {
-		table.renameColumn('forwarding_host', 'forward_ip');
-	})
-		.then(function () {
-			logger.info('[' + migrate_name + '] stream Table altered');
+	return knex.schema
+		.table("stream", (table) => {
+			table.renameColumn("forwarding_host", "forward_ip");
+		})
+		.then(() => {
+			logger.info(`[${migrateName}] stream Table altered`);
 		});
 };
+
+export { up, down };
--- a/backend/migrations/20211108145214_regenerate_default_host.js
+++ b/backend/migrations/20211108145214_regenerate_default_host.js
@@ -0,0 +1,52 @@
+import internalNginx from "../internal/nginx.js";
+import { migrate as logger } from "../logger.js";
+
+const migrateName = "stream_domain";
+
+async function regenerateDefaultHost(knex) {
+	const row = await knex("setting").select("*").where("id", "default-site").first();
+
+	if (!row) {
+		return Promise.resolve();
+	}
+
+	return internalNginx
+		.deleteConfig("default")
+		.then(() => {
+			return internalNginx.generateConfig("default", row);
+		})
+		.then(() => {
+			return internalNginx.test();
+		})
+		.then(() => {
+			return internalNginx.reload();
+		});
+}
+
+/**
+ * Migrate
+ *
+ * @see http://knexjs.org/#Schema
+ *
+ * @param   {Object} knex
+ * @returns {Promise}
+ */
+const up = (knex) => {
+	logger.info(`[${migrateName}] Migrating Up...`);
+
+	return regenerateDefaultHost(knex);
+};
+
+/**
+ * Undo Migrate
+ *
+ * @param   {Object} knex
+ * @returns {Promise}
+ */
+const down = (knex) => {
+	logger.info(`[${migrateName}] Migrating Down...`);
+
+	return regenerateDefaultHost(knex);
+};
+
+export { up, down };
--- a/backend/migrations/20240427161436_stream_ssl.js
+++ b/backend/migrations/20240427161436_stream_ssl.js
@@ -0,0 +1,43 @@
+import { migrate as logger } from "../logger.js";
+
+const migrateName = "stream_ssl";
+
+/**
+ * Migrate
+ *
+ * @see http://knexjs.org/#Schema
+ *
+ * @param   {Object} knex
+ * @returns {Promise}
+ */
+const up = (knex) => {
+	logger.info(`[${migrateName}] Migrating Up...`);
+
+	return knex.schema
+		.table("stream", (table) => {
+			table.integer("certificate_id").notNull().unsigned().defaultTo(0);
+		})
+		.then(() => {
+			logger.info(`[${migrateName}] stream Table altered`);
+		});
+};
+
+/**
+ * Undo Migrate
+ *
+ * @param   {Object} knex
+ * @returns {Promise}
+ */
+const down = (knex) => {
+	logger.info(`[${migrateName}] Migrating Down...`);
+
+	return knex.schema
+		.table("stream", (table) => {
+			table.dropColumn("certificate_id");
+		})
+		.then(() => {
+			logger.info(`[${migrateName}] stream Table altered`);
+		});
+};
+
+export { up, down };
--- a/backend/models/access_list.js
+++ b/backend/models/access_list.js
@@ -1,102 +1,98 @@
 // Objection Docs:
 // http://vincit.github.io/objection.js/

-const db               = require('../db');
-const Model            = require('objection').Model;
-const User             = require('./user');
-const AccessListAuth   = require('./access_list_auth');
-const AccessListClient = require('./access_list_client');
-const now              = require('./now_helper');
+import { Model } from "objection";
+import db from "../db.js";
+import { convertBoolFieldsToInt, convertIntFieldsToBool } from "../lib/helpers.js";
+import AccessListAuth from "./access_list_auth.js";
+import AccessListClient from "./access_list_client.js";
+import now from "./now_helper.js";
+import ProxyHostModel from "./proxy_host.js";
+import User from "./user.js";

 Model.knex(db);

+const boolFields = ["is_deleted", "satisfy_any", "pass_auth"];
+
 class AccessList extends Model {
-	$beforeInsert () {
-		this.created_on  = now();
+	$beforeInsert() {
+		this.created_on = now();
 		this.modified_on = now();

 		// Default for meta
-		if (typeof this.meta === 'undefined') {
+		if (typeof this.meta === "undefined") {
 			this.meta = {};
 		}
 	}

-	$beforeUpdate () {
+	$beforeUpdate() {
 		this.modified_on = now();
 	}

-	static get name () {
-		return 'AccessList';
+	$parseDatabaseJson(json) {
+		const thisJson = super.$parseDatabaseJson(json);
+		return convertIntFieldsToBool(thisJson, boolFields);
 	}

-	static get tableName () {
-		return 'access_list';
+	$formatDatabaseJson(json) {
+		const thisJson = convertBoolFieldsToInt(json, boolFields);
+		return super.$formatDatabaseJson(thisJson);
 	}

-	static get jsonAttributes () {
-		return ['meta'];
+	static get name() {
+		return "AccessList";
 	}

-	static get relationMappings () {
-		const ProxyHost = require('./proxy_host');
+	static get tableName() {
+		return "access_list";
+	}

+	static get jsonAttributes() {
+		return ["meta"];
+	}
+
+	static get relationMappings() {
 		return {
 			owner: {
-				relation:   Model.HasOneRelation,
+				relation: Model.HasOneRelation,
 				modelClass: User,
-				join:       {
-					from: 'access_list.owner_user_id',
-					to:   'user.id'
+				join: {
+					from: "access_list.owner_user_id",
+					to: "user.id",
+				},
+				modify: (qb) => {
+					qb.where("user.is_deleted", 0);
 				},
-				modify: function (qb) {
-					qb.where('user.is_deleted', 0);
-					qb.omit(['id', 'created_on', 'modified_on', 'is_deleted', 'email', 'roles']);
-				}
 			},
 			items: {
-				relation:   Model.HasManyRelation,
+				relation: Model.HasManyRelation,
 				modelClass: AccessListAuth,
-				join:       {
-					from: 'access_list.id',
-					to:   'access_list_auth.access_list_id'
+				join: {
+					from: "access_list.id",
+					to: "access_list_auth.access_list_id",
 				},
-				modify: function (qb) {
-					qb.omit(['id', 'created_on', 'modified_on', 'access_list_id', 'meta']);
-				}
 			},
 			clients: {
-				relation:   Model.HasManyRelation,
+				relation: Model.HasManyRelation,
 				modelClass: AccessListClient,
-				join:       {
-					from: 'access_list.id',
-					to:   'access_list_client.access_list_id'
+				join: {
+					from: "access_list.id",
+					to: "access_list_client.access_list_id",
 				},
-				modify: function (qb) {
-					qb.omit(['id', 'created_on', 'modified_on', 'access_list_id', 'meta']);
-				}
 			},
 			proxy_hosts: {
-				relation:   Model.HasManyRelation,
-				modelClass: ProxyHost,
-				join:       {
-					from: 'access_list.id',
-					to:   'proxy_host.access_list_id'
+				relation: Model.HasManyRelation,
+				modelClass: ProxyHostModel,
+				join: {
+					from: "access_list.id",
+					to: "proxy_host.access_list_id",
 				},
-				modify: function (qb) {
-					qb.where('proxy_host.is_deleted', 0);
-					qb.omit(['is_deleted', 'meta']);
-				}
-			}
+				modify: (qb) => {
+					qb.where("proxy_host.is_deleted", 0);
+				},
+			},
 		};
 	}
-
-	get satisfy() {
-		return this.satisfy_any ? 'satisfy any' : 'satisfy all';
-	}
-
-	get passauth() {
-		return this.pass_auth ? '' : 'proxy_set_header Authorization "";';
-	}
 }

-module.exports = AccessList;
+export default AccessList;
--- a/backend/models/access_list_auth.js
+++ b/backend/models/access_list_auth.js
@@ -1,55 +1,55 @@
 // Objection Docs:
 // http://vincit.github.io/objection.js/

-const db    = require('../db');
-const Model = require('objection').Model;
-const now   = require('./now_helper');
+import { Model } from "objection";
+import db from "../db.js";
+import accessListModel from "./access_list.js";
+import now from "./now_helper.js";

 Model.knex(db);

 class AccessListAuth extends Model {
-	$beforeInsert () {
-		this.created_on  = now();
+	$beforeInsert() {
+		this.created_on = now();
 		this.modified_on = now();

 		// Default for meta
-		if (typeof this.meta === 'undefined') {
+		if (typeof this.meta === "undefined") {
 			this.meta = {};
 		}
 	}

-	$beforeUpdate () {
+	$beforeUpdate() {
 		this.modified_on = now();
 	}

-	static get name () {
-		return 'AccessListAuth';
+	static get name() {
+		return "AccessListAuth";
 	}

-	static get tableName () {
-		return 'access_list_auth';
+	static get tableName() {
+		return "access_list_auth";
 	}

-	static get jsonAttributes () {
-		return ['meta'];
+	static get jsonAttributes() {
+		return ["meta"];
 	}

-	static get relationMappings () {
+	static get relationMappings() {
 		return {
 			access_list: {
-				relation:   Model.HasOneRelation,
-				modelClass: require('./access_list'),
-				join:       {
-					from: 'access_list_auth.access_list_id',
-					to:   'access_list.id'
+				relation: Model.HasOneRelation,
+				modelClass: accessListModel,
+				join: {
+					from: "access_list_auth.access_list_id",
+					to: "access_list.id",
 				},
-				modify: function (qb) {
-					qb.where('access_list.is_deleted', 0);
-					qb.omit(['created_on', 'modified_on', 'is_deleted', 'access_list_id']);
-				}
-			}
+				modify: (qb) => {
+					qb.where("access_list.is_deleted", 0);
+				},
+			},
 		};
 	}
 }

-module.exports = AccessListAuth;
+export default AccessListAuth;
--- a/backend/models/access_list_client.js
+++ b/backend/models/access_list_client.js
@@ -1,59 +1,55 @@
 // Objection Docs:
 // http://vincit.github.io/objection.js/

-const db    = require('../db');
-const Model = require('objection').Model;
-const now   = require('./now_helper');
+import { Model } from "objection";
+import db from "../db.js";
+import accessListModel from "./access_list.js";
+import now from "./now_helper.js";

 Model.knex(db);

 class AccessListClient extends Model {
-	$beforeInsert () {
-		this.created_on  = now();
+	$beforeInsert() {
+		this.created_on = now();
 		this.modified_on = now();

 		// Default for meta
-		if (typeof this.meta === 'undefined') {
+		if (typeof this.meta === "undefined") {
 			this.meta = {};
 		}
 	}

-	$beforeUpdate () {
+	$beforeUpdate() {
 		this.modified_on = now();
 	}

-	static get name () {
-		return 'AccessListClient';
+	static get name() {
+		return "AccessListClient";
 	}

-	static get tableName () {
-		return 'access_list_client';
+	static get tableName() {
+		return "access_list_client";
 	}

-	static get jsonAttributes () {
-		return ['meta'];
+	static get jsonAttributes() {
+		return ["meta"];
 	}

-	static get relationMappings () {
+	static get relationMappings() {
 		return {
 			access_list: {
-				relation:   Model.HasOneRelation,
-				modelClass: require('./access_list'),
-				join:       {
-					from: 'access_list_client.access_list_id',
-					to:   'access_list.id'
+				relation: Model.HasOneRelation,
+				modelClass: accessListModel,
+				join: {
+					from: "access_list_client.access_list_id",
+					to: "access_list.id",
 				},
-				modify: function (qb) {
-					qb.where('access_list.is_deleted', 0);
-					qb.omit(['created_on', 'modified_on', 'is_deleted', 'access_list_id']);
-				}
-			}
+				modify: (qb) => {
+					qb.where("access_list.is_deleted", 0);
+				},
+			},
 		};
 	}
-
-	get rule() {
-		return `${this.directive} ${this.address}`;
-	}
 }

-module.exports = AccessListClient;
+export default AccessListClient;
--- a/backend/models/audit-log.js
+++ b/backend/models/audit-log.js
@@ -1,55 +1,52 @@
 // Objection Docs:
 // http://vincit.github.io/objection.js/

-const db    = require('../db');
-const Model = require('objection').Model;
-const User  = require('./user');
-const now   = require('./now_helper');
+import { Model } from "objection";
+import db from "../db.js";
+import now from "./now_helper.js";
+import User from "./user.js";

 Model.knex(db);

 class AuditLog extends Model {
-	$beforeInsert () {
-		this.created_on  = now();
+	$beforeInsert() {
+		this.created_on = now();
 		this.modified_on = now();

 		// Default for meta
-		if (typeof this.meta === 'undefined') {
+		if (typeof this.meta === "undefined") {
 			this.meta = {};
 		}
 	}

-	$beforeUpdate () {
+	$beforeUpdate() {
 		this.modified_on = now();
 	}

-	static get name () {
-		return 'AuditLog';
+	static get name() {
+		return "AuditLog";
 	}

-	static get tableName () {
-		return 'audit_log';
+	static get tableName() {
+		return "audit_log";
 	}

-	static get jsonAttributes () {
-		return ['meta'];
+	static get jsonAttributes() {
+		return ["meta"];
 	}

-	static get relationMappings () {
+	static get relationMappings() {
 		return {
 			user: {
-				relation:   Model.HasOneRelation,
+				relation: Model.HasOneRelation,
 				modelClass: User,
-				join:       {
-					from: 'audit_log.user_id',
-					to:   'user.id'
+				join: {
+					from: "audit_log.user_id",
+					to: "user.id",
 				},
-				modify: function (qb) {
-					qb.omit(['id', 'created_on', 'modified_on', 'roles']);
-				}
-			}
+			},
 		};
 	}
 }

-module.exports = AuditLog;
+export default AuditLog;
--- a/backend/models/auth.js
+++ b/backend/models/auth.js
@@ -1,86 +1,92 @@
 // Objection Docs:
 // http://vincit.github.io/objection.js/

-const bcrypt = require('bcrypt');
-const db     = require('../db');
-const Model  = require('objection').Model;
-const User   = require('./user');
-const now    = require('./now_helper');
+import bcrypt from "bcrypt";
+import { Model } from "objection";
+import db from "../db.js";
+import { convertBoolFieldsToInt, convertIntFieldsToBool } from "../lib/helpers.js";
+import now from "./now_helper.js";
+import User from "./user.js";

 Model.knex(db);

-function encryptPassword () {
-	/* jshint -W040 */
-	let _this = this;
+const boolFields = ["is_deleted"];

-	if (_this.type === 'password' && _this.secret) {
-		return bcrypt.hash(_this.secret, 13)
-			.then(function (hash) {
-				_this.secret = hash;
-			});
+function encryptPassword() {
+	if (this.type === "password" && this.secret) {
+		return bcrypt.hash(this.secret, 13).then((hash) => {
+			this.secret = hash;
+		});
 	}

 	return null;
 }

 class Auth extends Model {
-	$beforeInsert (queryContext) {
-		this.created_on  = now();
+	$beforeInsert(queryContext) {
+		this.created_on = now();
 		this.modified_on = now();

 		// Default for meta
-		if (typeof this.meta === 'undefined') {
+		if (typeof this.meta === "undefined") {
 			this.meta = {};
 		}

 		return encryptPassword.apply(this, queryContext);
 	}

-	$beforeUpdate (queryContext) {
+	$beforeUpdate(queryContext) {
 		this.modified_on = now();
 		return encryptPassword.apply(this, queryContext);
 	}

+	$parseDatabaseJson(json) {
+		const thisJson = super.$parseDatabaseJson(json);
+		return convertIntFieldsToBool(thisJson, boolFields);
+	}
+
+	$formatDatabaseJson(json) {
+		const thisJson = convertBoolFieldsToInt(json, boolFields);
+		return super.$formatDatabaseJson(thisJson);
+	}
+
 	/**
 	 * Verify a plain password against the encrypted password
 	 *
 	 * @param {String} password
 	 * @returns {Promise}
 	 */
-	verifyPassword (password) {
+	verifyPassword(password) {
 		return bcrypt.compare(password, this.secret);
 	}

-	static get name () {
-		return 'Auth';
+	static get name() {
+		return "Auth";
 	}

-	static get tableName () {
-		return 'auth';
+	static get tableName() {
+		return "auth";
 	}

-	static get jsonAttributes () {
-		return ['meta'];
+	static get jsonAttributes() {
+		return ["meta"];
 	}

-	static get relationMappings () {
+	static get relationMappings() {
 		return {
 			user: {
-				relation:   Model.HasOneRelation,
+				relation: Model.HasOneRelation,
 				modelClass: User,
-				join:       {
-					from: 'auth.user_id',
-					to:   'user.id'
+				join: {
+					from: "auth.user_id",
+					to: "user.id",
 				},
 				filter: {
-					is_deleted: 0
+					is_deleted: 0,
 				},
-				modify: function (qb) {
-					qb.omit(['is_deleted']);
-				}
-			}
+			},
 		};
 	}
 }

-module.exports = Auth;
+export default Auth;
--- a/backend/models/certificate.js
+++ b/backend/models/certificate.js
@@ -1,73 +1,133 @@
 // Objection Docs:
 // http://vincit.github.io/objection.js/

-const db    = require('../db');
-const Model = require('objection').Model;
-const User  = require('./user');
-const now   = require('./now_helper');
+import { Model } from "objection";
+import db from "../db.js";
+import { convertBoolFieldsToInt, convertIntFieldsToBool } from "../lib/helpers.js";
+import deadHostModel from "./dead_host.js";
+import now from "./now_helper.js";
+import proxyHostModel from "./proxy_host.js";
+import redirectionHostModel from "./redirection_host.js";
+import streamModel from "./stream.js";
+import userModel from "./user.js";

 Model.knex(db);

+const boolFields = ["is_deleted"];
+
 class Certificate extends Model {
-	$beforeInsert () {
-		this.created_on  = now();
+	$beforeInsert() {
+		this.created_on = now();
 		this.modified_on = now();

 		// Default for expires_on
-		if (typeof this.expires_on === 'undefined') {
+		if (typeof this.expires_on === "undefined") {
 			this.expires_on = now();
 		}

 		// Default for domain_names
-		if (typeof this.domain_names === 'undefined') {
+		if (typeof this.domain_names === "undefined") {
 			this.domain_names = [];
 		}

 		// Default for meta
-		if (typeof this.meta === 'undefined') {
+		if (typeof this.meta === "undefined") {
 			this.meta = {};
 		}

 		this.domain_names.sort();
 	}

-	$beforeUpdate () {
+	$beforeUpdate() {
 		this.modified_on = now();

 		// Sort domain_names
-		if (typeof this.domain_names !== 'undefined') {
+		if (typeof this.domain_names !== "undefined") {
 			this.domain_names.sort();
 		}
 	}

-	static get name () {
-		return 'Certificate';
+	$parseDatabaseJson(json) {
+		const thisJson = super.$parseDatabaseJson(json);
+		return convertIntFieldsToBool(thisJson, boolFields);
 	}

-	static get tableName () {
-		return 'certificate';
+	$formatDatabaseJson(json) {
+		const thisJson = convertBoolFieldsToInt(json, boolFields);
+		return super.$formatDatabaseJson(thisJson);
 	}

-	static get jsonAttributes () {
-		return ['domain_names', 'meta'];
+	static get name() {
+		return "Certificate";
 	}

-	static get relationMappings () {
+	static get tableName() {
+		return "certificate";
+	}
+
+	static get jsonAttributes() {
+		return ["domain_names", "meta"];
+	}
+
+	static get relationMappings() {
 		return {
 			owner: {
-				relation:   Model.HasOneRelation,
-				modelClass: User,
-				join:       {
-					from: 'certificate.owner_user_id',
-					to:   'user.id'
+				relation: Model.HasOneRelation,
+				modelClass: userModel,
+				join: {
+					from: "certificate.owner_user_id",
+					to: "user.id",
 				},
-				modify: function (qb) {
-					qb.where('user.is_deleted', 0);
-					qb.omit(['id', 'created_on', 'modified_on', 'is_deleted', 'email', 'roles']);
-				}
-			}
+				modify: (qb) => {
+					qb.where("user.is_deleted", 0);
+				},
+			},
+			proxy_hosts: {
+				relation: Model.HasManyRelation,
+				modelClass: proxyHostModel,
+				join: {
+					from: "certificate.id",
+					to: "proxy_host.certificate_id",
+				},
+				modify: (qb) => {
+					qb.where("proxy_host.is_deleted", 0);
+				},
+			},
+			dead_hosts: {
+				relation: Model.HasManyRelation,
+				modelClass: deadHostModel,
+				join: {
+					from: "certificate.id",
+					to: "dead_host.certificate_id",
+				},
+				modify: (qb) => {
+					qb.where("dead_host.is_deleted", 0);
+				},
+			},
+			redirection_hosts: {
+				relation: Model.HasManyRelation,
+				modelClass: redirectionHostModel,
+				join: {
+					from: "certificate.id",
+					to: "redirection_host.certificate_id",
+				},
+				modify: (qb) => {
+					qb.where("redirection_host.is_deleted", 0);
+				},
+			},
+			streams: {
+				relation: Model.HasManyRelation,
+				modelClass: streamModel,
+				join: {
+					from: "certificate.id",
+					to: "stream.certificate_id",
+				},
+				modify: (qb) => {
+					qb.where("stream.is_deleted", 0);
+				},
+			},
 		};
 	}
 }

-module.exports = Certificate;
+export default Certificate;
--- a/backend/models/dead_host.js
+++ b/backend/models/dead_host.js
@@ -1,81 +1,92 @@
 // Objection Docs:
 // http://vincit.github.io/objection.js/

-const db          = require('../db');
-const Model       = require('objection').Model;
-const User        = require('./user');
-const Certificate = require('./certificate');
-const now         = require('./now_helper');
+import { Model } from "objection";
+import db from "../db.js";
+import { convertBoolFieldsToInt, convertIntFieldsToBool } from "../lib/helpers.js";
+import Certificate from "./certificate.js";
+import now from "./now_helper.js";
+import User from "./user.js";

 Model.knex(db);

+const boolFields = ["is_deleted", "ssl_forced", "http2_support", "enabled", "hsts_enabled", "hsts_subdomains"];
+
 class DeadHost extends Model {
-	$beforeInsert () {
-		this.created_on  = now();
+	$beforeInsert() {
+		this.created_on = now();
 		this.modified_on = now();

 		// Default for domain_names
-		if (typeof this.domain_names === 'undefined') {
+		if (typeof this.domain_names === "undefined") {
 			this.domain_names = [];
 		}

 		// Default for meta
-		if (typeof this.meta === 'undefined') {
+		if (typeof this.meta === "undefined") {
 			this.meta = {};
 		}

 		this.domain_names.sort();
 	}

-	$beforeUpdate () {
+	$beforeUpdate() {
 		this.modified_on = now();

 		// Sort domain_names
-		if (typeof this.domain_names !== 'undefined') {
+		if (typeof this.domain_names !== "undefined") {
 			this.domain_names.sort();
 		}
 	}

-	static get name () {
-		return 'DeadHost';
+	$parseDatabaseJson(json) {
+		const thisJson = super.$parseDatabaseJson(json);
+		return convertIntFieldsToBool(thisJson, boolFields);
 	}

-	static get tableName () {
-		return 'dead_host';
+	$formatDatabaseJson(json) {
+		const thisJson = convertBoolFieldsToInt(json, boolFields);
+		return super.$formatDatabaseJson(thisJson);
 	}

-	static get jsonAttributes () {
-		return ['domain_names', 'meta'];
+	static get name() {
+		return "DeadHost";
 	}

-	static get relationMappings () {
+	static get tableName() {
+		return "dead_host";
+	}
+
+	static get jsonAttributes() {
+		return ["domain_names", "meta"];
+	}
+
+	static get relationMappings() {
 		return {
 			owner: {
-				relation:   Model.HasOneRelation,
+				relation: Model.HasOneRelation,
 				modelClass: User,
-				join:       {
-					from: 'dead_host.owner_user_id',
-					to:   'user.id'
+				join: {
+					from: "dead_host.owner_user_id",
+					to: "user.id",
+				},
+				modify: (qb) => {
+					qb.where("user.is_deleted", 0);
 				},
-				modify: function (qb) {
-					qb.where('user.is_deleted', 0);
-					qb.omit(['id', 'created_on', 'modified_on', 'is_deleted', 'email', 'roles']);
-				}
 			},
 			certificate: {
-				relation:   Model.HasOneRelation,
+				relation: Model.HasOneRelation,
 				modelClass: Certificate,
-				join:       {
-					from: 'dead_host.certificate_id',
-					to:   'certificate.id'
+				join: {
+					from: "dead_host.certificate_id",
+					to: "certificate.id",
 				},
-				modify: function (qb) {
-					qb.where('certificate.is_deleted', 0);
-					qb.omit(['id', 'created_on', 'modified_on', 'is_deleted']);
-				}
-			}
+				modify: (qb) => {
+					qb.where("certificate.is_deleted", 0);
+				},
+			},
 		};
 	}
 }

-module.exports = DeadHost;
+export default DeadHost;
--- a/backend/models/now_helper.js
+++ b/backend/models/now_helper.js
@@ -1,13 +1,12 @@
-const db     = require('../db');
-const config = require('config');
-const Model  = require('objection').Model;
+import { Model } from "objection";
+import db from "../db.js";
+import { isSqlite } from "../lib/config.js";

 Model.knex(db);

-module.exports = function () {
-	if (config.database.knex && config.database.knex.client === 'sqlite3') {
-		return Model.raw('datetime(\'now\',\'localtime\')');
-	} else {
-		return Model.raw('NOW()');
+export default () => {
+	if (isSqlite()) {
+		return Model.raw("datetime('now','localtime')");
 	}
+	return Model.raw("NOW()");
 };
--- a/backend/models/proxy_host.js
+++ b/backend/models/proxy_host.js
@@ -1,94 +1,114 @@
 // Objection Docs:
 // http://vincit.github.io/objection.js/

-const db          = require('../db');
-const Model       = require('objection').Model;
-const User        = require('./user');
-const AccessList  = require('./access_list');
-const Certificate = require('./certificate');
-const now         = require('./now_helper');
+import { Model } from "objection";
+import db from "../db.js";
+import { convertBoolFieldsToInt, convertIntFieldsToBool } from "../lib/helpers.js";
+import AccessList from "./access_list.js";
+import Certificate from "./certificate.js";
+import now from "./now_helper.js";
+import User from "./user.js";

 Model.knex(db);

+const boolFields = [
+	"is_deleted",
+	"ssl_forced",
+	"caching_enabled",
+	"block_exploits",
+	"allow_websocket_upgrade",
+	"http2_support",
+	"enabled",
+	"hsts_enabled",
+	"hsts_subdomains",
+];
+
 class ProxyHost extends Model {
-	$beforeInsert () {
-		this.created_on  = now();
+	$beforeInsert() {
+		this.created_on = now();
 		this.modified_on = now();

 		// Default for domain_names
-		if (typeof this.domain_names === 'undefined') {
+		if (typeof this.domain_names === "undefined") {
 			this.domain_names = [];
 		}

 		// Default for meta
-		if (typeof this.meta === 'undefined') {
+		if (typeof this.meta === "undefined") {
 			this.meta = {};
 		}

 		this.domain_names.sort();
 	}

-	$beforeUpdate () {
+	$beforeUpdate() {
 		this.modified_on = now();

 		// Sort domain_names
-		if (typeof this.domain_names !== 'undefined') {
+		if (typeof this.domain_names !== "undefined") {
 			this.domain_names.sort();
 		}
 	}

-	static get name () {
-		return 'ProxyHost';
+	$parseDatabaseJson(json) {
+		const thisJson = super.$parseDatabaseJson(json);
+		return convertIntFieldsToBool(thisJson, boolFields);
 	}

-	static get tableName () {
-		return 'proxy_host';
+	$formatDatabaseJson(json) {
+		const thisJson = convertBoolFieldsToInt(json, boolFields);
+		return super.$formatDatabaseJson(thisJson);
 	}

-	static get jsonAttributes () {
-		return ['domain_names', 'meta', 'locations'];
+	static get name() {
+		return "ProxyHost";
 	}

-	static get relationMappings () {
+	static get tableName() {
+		return "proxy_host";
+	}
+
+	static get jsonAttributes() {
+		return ["domain_names", "meta", "locations"];
+	}
+
+	static get relationMappings() {
 		return {
 			owner: {
-				relation:   Model.HasOneRelation,
+				relation: Model.HasOneRelation,
 				modelClass: User,
-				join:       {
-					from: 'proxy_host.owner_user_id',
-					to:   'user.id'
+				join: {
+					from: "proxy_host.owner_user_id",
+					to: "user.id",
+				},
+				modify: (qb) => {
+					qb.where("user.is_deleted", 0);
 				},
-				modify: function (qb) {
-					qb.where('user.is_deleted', 0);
-					qb.omit(['id', 'created_on', 'modified_on', 'is_deleted', 'email', 'roles']);
-				}
 			},
 			access_list: {
-				relation:   Model.HasOneRelation,
+				relation: Model.HasOneRelation,
 				modelClass: AccessList,
-				join:       {
-					from: 'proxy_host.access_list_id',
-					to:   'access_list.id'
+				join: {
+					from: "proxy_host.access_list_id",
+					to: "access_list.id",
+				},
+				modify: (qb) => {
+					qb.where("access_list.is_deleted", 0);
 				},
-				modify: function (qb) {
-					qb.where('access_list.is_deleted', 0);
-					qb.omit(['id', 'created_on', 'modified_on', 'is_deleted']);
-				}
 			},
 			certificate: {
-				relation:   Model.HasOneRelation,
+				relation: Model.HasOneRelation,
 				modelClass: Certificate,
-				join:       {
-					from: 'proxy_host.certificate_id',
-					to:   'certificate.id'
+				join: {
+					from: "proxy_host.certificate_id",
+					to: "certificate.id",
 				},
-				modify: function (qb) {
-					qb.where('certificate.is_deleted', 0);
-					qb.omit(['id', 'created_on', 'modified_on', 'is_deleted']);
-				}
-			}
+				modify: (qb) => {
+					qb.where("certificate.is_deleted", 0);
+				},
+			},
 		};
 	}
 }

-module.exports = ProxyHost;
+export default ProxyHost;
--- a/backend/models/redirection_host.js
+++ b/backend/models/redirection_host.js
@@ -1,81 +1,101 @@
 // Objection Docs:
 // http://vincit.github.io/objection.js/

-const db          = require('../db');
-const Model       = require('objection').Model;
-const User        = require('./user');
-const Certificate = require('./certificate');
-const now         = require('./now_helper');
+import { Model } from "objection";
+import db from "../db.js";
+import { convertBoolFieldsToInt, convertIntFieldsToBool } from "../lib/helpers.js";
+import Certificate from "./certificate.js";
+import now from "./now_helper.js";
+import User from "./user.js";

 Model.knex(db);

+const boolFields = [
+	"is_deleted",
+	"enabled",
+	"preserve_path",
+	"ssl_forced",
+	"block_exploits",
+	"hsts_enabled",
+	"hsts_subdomains",
+	"http2_support",
+];
+
 class RedirectionHost extends Model {
-	$beforeInsert () {
-		this.created_on  = now();
+	$beforeInsert() {
+		this.created_on = now();
 		this.modified_on = now();

 		// Default for domain_names
-		if (typeof this.domain_names === 'undefined') {
+		if (typeof this.domain_names === "undefined") {
 			this.domain_names = [];
 		}

 		// Default for meta
-		if (typeof this.meta === 'undefined') {
+		if (typeof this.meta === "undefined") {
 			this.meta = {};
 		}

 		this.domain_names.sort();
 	}

-	$beforeUpdate () {
+	$beforeUpdate() {
 		this.modified_on = now();

 		// Sort domain_names
-		if (typeof this.domain_names !== 'undefined') {
+		if (typeof this.domain_names !== "undefined") {
 			this.domain_names.sort();
 		}
 	}

-	static get name () {
-		return 'RedirectionHost';
+	$parseDatabaseJson(json) {
+		const thisJson = super.$parseDatabaseJson(json);
+		return convertIntFieldsToBool(thisJson, boolFields);
 	}

-	static get tableName () {
-		return 'redirection_host';
+	$formatDatabaseJson(json) {
+		const thisJson = convertBoolFieldsToInt(json, boolFields);
+		return super.$formatDatabaseJson(thisJson);
 	}

-	static get jsonAttributes () {
-		return ['domain_names', 'meta'];
+	static get name() {
+		return "RedirectionHost";
 	}

-	static get relationMappings () {
+	static get tableName() {
+		return "redirection_host";
+	}
+
+	static get jsonAttributes() {
+		return ["domain_names", "meta"];
+	}
+
+	static get relationMappings() {
 		return {
 			owner: {
-				relation:   Model.HasOneRelation,
+				relation: Model.HasOneRelation,
 				modelClass: User,
-				join:       {
-					from: 'redirection_host.owner_user_id',
-					to:   'user.id'
+				join: {
+					from: "redirection_host.owner_user_id",
+					to: "user.id",
+				},
+				modify: (qb) => {
+					qb.where("user.is_deleted", 0);
 				},
-				modify: function (qb) {
-					qb.where('user.is_deleted', 0);
-					qb.omit(['id', 'created_on', 'modified_on', 'is_deleted', 'email', 'roles']);
-				}
 			},
 			certificate: {
-				relation:   Model.HasOneRelation,
+				relation: Model.HasOneRelation,
 				modelClass: Certificate,
-				join:       {
-					from: 'redirection_host.certificate_id',
-					to:   'certificate.id'
+				join: {
+					from: "redirection_host.certificate_id",
+					to: "certificate.id",
 				},
-				modify: function (qb) {
-					qb.where('certificate.is_deleted', 0);
-					qb.omit(['id', 'created_on', 'modified_on', 'is_deleted']);
-				}
-			}
+				modify: (qb) => {
+					qb.where("certificate.is_deleted", 0);
+				},
+			},
 		};
 	}
 }

-module.exports = RedirectionHost;
+export default RedirectionHost;
--- a/backend/models/setting.js
+++ b/backend/models/setting.js
@@ -1,8 +1,8 @@
 // Objection Docs:
 // http://vincit.github.io/objection.js/

-const db    = require('../db');
-const Model = require('objection').Model;
+import { Model } from "objection";
+import db from "../db.js";

 Model.knex(db);

@@ -27,4 +27,4 @@ class Setting extends Model {
 	}
 }

-module.exports = Setting;
+export default Setting;
--- a/backend/models/stream.js
+++ b/backend/models/stream.js
@@ -1,56 +1,77 @@
-// Objection Docs:
-// http://vincit.github.io/objection.js/
-
-const db    = require('../db');
-const Model = require('objection').Model;
-const User  = require('./user');
-const now   = require('./now_helper');
+import { Model } from "objection";
+import db from "../db.js";
+import { convertBoolFieldsToInt, convertIntFieldsToBool } from "../lib/helpers.js";
+import Certificate from "./certificate.js";
+import now from "./now_helper.js";
+import User from "./user.js";

 Model.knex(db);

+const boolFields = ["is_deleted", "enabled", "tcp_forwarding", "udp_forwarding"];
+
 class Stream extends Model {
-	$beforeInsert () {
-		this.created_on  = now();
+	$beforeInsert() {
+		this.created_on = now();
 		this.modified_on = now();

 		// Default for meta
-		if (typeof this.meta === 'undefined') {
+		if (typeof this.meta === "undefined") {
 			this.meta = {};
 		}
 	}

-	$beforeUpdate () {
+	$beforeUpdate() {
 		this.modified_on = now();
 	}

-	static get name () {
-		return 'Stream';
+	$parseDatabaseJson(json) {
+		const thisJson = super.$parseDatabaseJson(json);
+		return convertIntFieldsToBool(thisJson, boolFields);
 	}

-	static get tableName () {
-		return 'stream';
+	$formatDatabaseJson(json) {
+		const thisJson = convertBoolFieldsToInt(json, boolFields);
+		return super.$formatDatabaseJson(thisJson);
 	}

-	static get jsonAttributes () {
-		return ['meta'];
+	static get name() {
+		return "Stream";
 	}

-	static get relationMappings () {
+	static get tableName() {
+		return "stream";
+	}
+
+	static get jsonAttributes() {
+		return ["meta"];
+	}
+
+	static get relationMappings() {
 		return {
 			owner: {
-				relation:   Model.HasOneRelation,
+				relation: Model.HasOneRelation,
 				modelClass: User,
-				join:       {
-					from: 'stream.owner_user_id',
-					to:   'user.id'
+				join: {
+					from: "stream.owner_user_id",
+					to: "user.id",
 				},
-				modify: function (qb) {
-					qb.where('user.is_deleted', 0);
-					qb.omit(['id', 'created_on', 'modified_on', 'is_deleted', 'email', 'roles']);
-				}
-			}
+				modify: (qb) => {
+					qb.where("user.is_deleted", 0);
+				},
+			},
+			certificate: {
+				relation: Model.HasOneRelation,
+				modelClass: Certificate,
+				join: {
+					from: "stream.certificate_id",
+					to: "certificate.id",
+				},
+				modify: (qb) => {
+					qb.where("certificate.is_deleted", 0);
+				},
+			},
 		};
 	}
 }

-module.exports = Stream;
+export default Stream;
--- a/backend/models/token.js
+++ b/backend/models/token.js
@@ -3,54 +3,44 @@
 and then has abilities after that.
 */

-const _      = require('lodash');
-const jwt    = require('jsonwebtoken');
-const crypto = require('crypto');
-const error  = require('../lib/error');
-const ALGO   = 'RS256';
+import crypto from "node:crypto";
+import jwt from "jsonwebtoken";
+import _ from "lodash";
+import { getPrivateKey, getPublicKey } from "../lib/config.js";
+import errs from "../lib/error.js";
+import { global as logger } from "../logger.js";

-let public_key  = null;
-let private_key = null;
+const ALGO = "RS256";

-function checkJWTKeyPair() {
-	if (!public_key || !private_key) {
-		let config  = require('config');
-		public_key  = config.get('jwt.pub');
-		private_key = config.get('jwt.key');
-	}
-}
+export default () => {
+	let tokenData = {};

-module.exports = function () {
-
-	let token_data = {};
-
-	let self = {
+	const self = {
 		/**
 		 * @param {Object}  payload
 		 * @returns {Promise}
 		 */
 		create: (payload) => {
+			if (!getPrivateKey()) {
+				logger.error("Private key is empty!");
+			}
 			// sign with RSA SHA256
-			let options = {
+			const options = {
 				algorithm: ALGO,
-				expiresIn: payload.expiresIn || '1d'
+				expiresIn: payload.expiresIn || "1d",
 			};

-			payload.jti = crypto.randomBytes(12)
-				.toString('base64')
-				.substr(-8);
-
-			checkJWTKeyPair();
+			payload.jti = crypto.randomBytes(12).toString("base64").substring(-8);

 			return new Promise((resolve, reject) => {
-				jwt.sign(payload, private_key, options, (err, token) => {
+				jwt.sign(payload, getPrivateKey(), options, (err, token) => {
 					if (err) {
 						reject(err);
 					} else {
-						token_data = payload;
+						tokenData = payload;
 						resolve({
-							token:   token,
-							payload: payload
+							token: token,
+							payload: payload,
 						});
 					}
 				});
@@ -61,42 +51,47 @@ module.exports = function () {
 		 * @param {String} token
 		 * @returns {Promise}
 		 */
-		load: function (token) {
+		load: (token) => {
+			if (!getPublicKey()) {
+				logger.error("Public key is empty!");
+			}
 			return new Promise((resolve, reject) => {
-				checkJWTKeyPair();
 				try {
-					if (!token || token === null || token === 'null') {
-						reject(new error.AuthError('Empty token'));
+					if (!token || token === null || token === "null") {
+						reject(new errs.AuthError("Empty token"));
 					} else {
-						jwt.verify(token, public_key, {ignoreExpiration: false, algorithms: [ALGO]}, (err, result) => {
-							if (err) {
-
-								if (err.name === 'TokenExpiredError') {
-									reject(new error.AuthError('Token has expired', err));
+						jwt.verify(
+							token,
+							getPublicKey(),
+							{ ignoreExpiration: false, algorithms: [ALGO] },
+							(err, result) => {
+								if (err) {
+									if (err.name === "TokenExpiredError") {
+										reject(new errs.AuthError("Token has expired", err));
+									} else {
+										reject(err);
+									}
 								} else {
-									reject(err);
+									tokenData = result;
+
+									// Hack: some tokens out in the wild have a scope of 'all' instead of 'user'.
+									// For 30 days at least, we need to replace 'all' with user.
+									if (
+										typeof tokenData.scope !== "undefined" &&
+										_.indexOf(tokenData.scope, "all") !== -1
+									) {
+										tokenData.scope = ["user"];
+									}
+
+									resolve(tokenData);
 								}
-
-							} else {
-								token_data = result;
-
-								// Hack: some tokens out in the wild have a scope of 'all' instead of 'user'.
-								// For 30 days at least, we need to replace 'all' with user.
-								if ((typeof token_data.scope !== 'undefined' && _.indexOf(token_data.scope, 'all') !== -1)) {
-									//console.log('Warning! Replacing "all" scope with "user"');
-
-									token_data.scope = ['user'];
-								}
-
-								resolve(token_data);
-							}
-						});
+							},
+						);
 					}
 				} catch (err) {
 					reject(err);
 				}
 			});
-
 		},

 		/**
@@ -105,17 +100,15 @@ module.exports = function () {
 		 * @param   {String}  scope
 		 * @returns {Boolean}
 		 */
-		hasScope: function (scope) {
-			return typeof token_data.scope !== 'undefined' && _.indexOf(token_data.scope, scope) !== -1;
-		},
+		hasScope: (scope) => typeof tokenData.scope !== "undefined" && _.indexOf(tokenData.scope, scope) !== -1,

 		/**
 		 * @param  {String}  key
 		 * @return {*}
 		 */
-		get: function (key) {
-			if (typeof token_data[key] !== 'undefined') {
-				return token_data[key];
+		get: (key) => {
+			if (typeof tokenData[key] !== "undefined") {
+				return tokenData[key];
 			}

 			return null;
@@ -125,22 +118,22 @@ module.exports = function () {
 		 * @param  {String}  key
 		 * @param  {*}       value
 		 */
-		set: function (key, value) {
-			token_data[key] = value;
+		set: (key, value) => {
+			tokenData[key] = value;
 		},

 		/**
-		 * @param   [default_value]
+		 * @param   [defaultValue]
 		 * @returns {Integer}
 		 */
-		getUserId: (default_value) => {
-			let attrs = self.get('attrs');
-			if (attrs && typeof attrs.id !== 'undefined' && attrs.id) {
+		getUserId: (defaultValue) => {
+			const attrs = self.get("attrs");
+			if (attrs?.id) {
 				return attrs.id;
 			}

-			return default_value || 0;
-		}
+			return defaultValue || 0;
+		},
 	};

 	return self;
--- a/backend/models/user.js
+++ b/backend/models/user.js
@@ -1,56 +1,65 @@
 // Objection Docs:
 // http://vincit.github.io/objection.js/

-const db             = require('../db');
-const Model          = require('objection').Model;
-const UserPermission = require('./user_permission');
-const now            = require('./now_helper');
+import { Model } from "objection";
+import db from "../db.js";
+import { convertBoolFieldsToInt, convertIntFieldsToBool } from "../lib/helpers.js";
+import now from "./now_helper.js";
+import UserPermission from "./user_permission.js";

 Model.knex(db);

+const boolFields = ["is_deleted", "is_disabled"];
+
 class User extends Model {
-	$beforeInsert () {
-		this.created_on  = now();
+	$beforeInsert() {
+		this.created_on = now();
 		this.modified_on = now();

 		// Default for roles
-		if (typeof this.roles === 'undefined') {
+		if (typeof this.roles === "undefined") {
 			this.roles = [];
 		}
 	}

-	$beforeUpdate () {
+	$beforeUpdate() {
 		this.modified_on = now();
 	}

-	static get name () {
-		return 'User';
+	$parseDatabaseJson(json) {
+		const thisJson = super.$parseDatabaseJson(json);
+		return convertIntFieldsToBool(thisJson, boolFields);
 	}

-	static get tableName () {
-		return 'user';
+	$formatDatabaseJson(json) {
+		const thisJson = convertBoolFieldsToInt(json, boolFields);
+		return super.$formatDatabaseJson(thisJson);
 	}

-	static get jsonAttributes () {
-		return ['roles'];
+	static get name() {
+		return "User";
 	}

-	static get relationMappings () {
+	static get tableName() {
+		return "user";
+	}
+
+	static get jsonAttributes() {
+		return ["roles"];
+	}
+
+	static get relationMappings() {
 		return {
 			permissions: {
-				relation:   Model.HasOneRelation,
+				relation: Model.HasOneRelation,
 				modelClass: UserPermission,
-				join:       {
-					from: 'user.id',
-					to:   'user_permission.user_id'
+				join: {
+					from: "user.id",
+					to: "user_permission.user_id",
 				},
-				modify: function (qb) {
-					qb.omit(['id', 'created_on', 'modified_on', 'user_id']);
-				}
-			}
+			},
 		};
 	}
-
 }

-module.exports = User;
+export default User;
--- a/backend/models/user_permission.js
+++ b/backend/models/user_permission.js
@@ -1,9 +1,9 @@
 // Objection Docs:
 // http://vincit.github.io/objection.js/

-const db    = require('../db');
-const Model = require('objection').Model;
-const now   = require('./now_helper');
+import { Model } from "objection";
+import db from "../db.js";
+import now from "./now_helper.js";

 Model.knex(db);

@@ -26,4 +26,4 @@ class UserPermission extends Model {
 	}
 }

-module.exports = UserPermission;
+export default UserPermission;
--- a/backend/nodemon.json
+++ b/backend/nodemon.json
@@ -3,5 +3,5 @@
  "ignore": [
    "data"
  ],
-  "ext": "js json ejs"
+  "ext": "js json ejs cjs"
 }
--- a/backend/package.json
+++ b/backend/package.json
@@ -1,43 +1,49 @@
 {
 	"name": "nginx-proxy-manager",
-	"version": "0.0.0",
+	"version": "2.0.0",
 	"description": "A beautiful interface for creating Nginx endpoints",
-	"main": "js/index.js",
+	"author": "Jamie Curnow <jc@jc21.com>",
+	"license": "MIT",
+	"main": "index.js",
+	"type": "module",
+	"scripts": {
+		"lint": "biome lint",
+		"prettier": "biome format --write .",
+		"validate-schema": "node validate-schema.js"
+	},
 	"dependencies": {
-		"ajv": "^6.12.0",
+		"@apidevtools/json-schema-ref-parser": "^11.7.0",
+		"ajv": "^8.17.1",
 		"archiver": "^5.3.0",
 		"batchflow": "^0.4.0",
 		"bcrypt": "^5.0.0",
-		"body-parser": "^1.19.0",
+		"body-parser": "^1.20.3",
 		"compression": "^1.7.4",
-		"config": "^3.3.1",
-		"express": "^4.17.1",
-		"express-fileupload": "^1.1.9",
-		"gravatar": "^1.8.0",
-		"json-schema-ref-parser": "^8.0.0",
-		"jsonwebtoken": "^8.5.1",
-		"knex": "^0.20.13",
-		"liquidjs": "^9.11.10",
+		"express": "^4.20.0",
+		"express-fileupload": "^1.5.2",
+		"gravatar": "^1.8.2",
+		"jsonwebtoken": "^9.0.2",
+		"knex": "2.4.2",
+		"liquidjs": "10.6.1",
 		"lodash": "^4.17.21",
-		"moment": "^2.24.0",
-		"mysql": "^2.18.1",
-		"node-rsa": "^1.0.8",
-		"nodemon": "^2.0.2",
-		"objection": "^2.2.16",
+		"moment": "^2.30.1",
+		"mysql2": "^3.15.3",
+		"node-rsa": "^1.1.1",
+		"objection": "3.0.1",
 		"path": "^0.12.7",
-		"signale": "^1.4.0",
-		"sqlite3": "^4.1.1",
+		"pg": "^8.16.3",
+		"signale": "1.4.0",
+		"sqlite3": "^5.1.7",
 		"temp-write": "^4.0.0"
 	},
+	"devDependencies": {
+		"@apidevtools/swagger-parser": "^10.1.0",
+		"@biomejs/biome": "^2.3.2",
+		"chalk": "4.1.2",
+		"nodemon": "^2.0.2"
+	},
 	"signale": {
 		"displayDate": true,
 		"displayTimestamp": true
-	},
-	"author": "Jamie Curnow <jc@jc21.com>",
-	"license": "MIT",
-	"devDependencies": {
-		"eslint": "^6.8.0",
-		"eslint-plugin-align-assignments": "^1.1.2",
-		"prettier": "^2.0.4"
 	}
 }
--- a/backend/routes/api/audit-log.js
+++ b/backend/routes/api/audit-log.js
@@ -1,52 +0,0 @@
-const express          = require('express');
-const validator        = require('../../lib/validator');
-const jwtdecode        = require('../../lib/express/jwt-decode');
-const internalAuditLog = require('../../internal/audit-log');
-
-let router = express.Router({
-	caseSensitive: true,
-	strict:        true,
-	mergeParams:   true
-});
-
-/**
- * /api/audit-log
- */
-router
-	.route('/')
-	.options((req, res) => {
-		res.sendStatus(204);
-	})
-	.all(jwtdecode())
-
-	/**
-	 * GET /api/audit-log
-	 *
-	 * Retrieve all logs
-	 */
-	.get((req, res, next) => {
-		validator({
-			additionalProperties: false,
-			properties:           {
-				expand: {
-					$ref: 'definitions#/definitions/expand'
-				},
-				query: {
-					$ref: 'definitions#/definitions/query'
-				}
-			}
-		}, {
-			expand: (typeof req.query.expand === 'string' ? req.query.expand.split(',') : null),
-			query:  (typeof req.query.query === 'string' ? req.query.query : null)
-		})
-			.then((data) => {
-				return internalAuditLog.getAll(res.locals.access, data.expand, data.query);
-			})
-			.then((rows) => {
-				res.status(200)
-					.send(rows);
-			})
-			.catch(next);
-	});
-
-module.exports = router;
--- a/backend/routes/api/main.js
+++ b/backend/routes/api/main.js
@@ -1,51 +0,0 @@
-const express = require('express');
-const pjson   = require('../../package.json');
-const error   = require('../../lib/error');
-
-let router = express.Router({
-	caseSensitive: true,
-	strict:        true,
-	mergeParams:   true
-});
-
-/**
- * Health Check
- * GET /api
- */
-router.get('/', (req, res/*, next*/) => {
-	let version = pjson.version.split('-').shift().split('.');
-
-	res.status(200).send({
-		status:  'OK',
-		version: {
-			major:    parseInt(version.shift(), 10),
-			minor:    parseInt(version.shift(), 10),
-			revision: parseInt(version.shift(), 10)
-		}
-	});
-});
-
-router.use('/schema', require('./schema'));
-router.use('/tokens', require('./tokens'));
-router.use('/users', require('./users'));
-router.use('/audit-log', require('./audit-log'));
-router.use('/reports', require('./reports'));
-router.use('/settings', require('./settings'));
-router.use('/nginx/proxy-hosts', require('./nginx/proxy_hosts'));
-router.use('/nginx/redirection-hosts', require('./nginx/redirection_hosts'));
-router.use('/nginx/dead-hosts', require('./nginx/dead_hosts'));
-router.use('/nginx/streams', require('./nginx/streams'));
-router.use('/nginx/access-lists', require('./nginx/access_lists'));
-router.use('/nginx/certificates', require('./nginx/certificates'));
-
-/**
- * API 404 for all other routes
- *
- * ALL /api/*
- */
-router.all(/(.+)/, function (req, res, next) {
-	req.params.page = req.params['0'];
-	next(new error.ItemNotFoundError(req.params.page));
-});
-
-module.exports = router;
--- a/backend/routes/api/nginx/access_lists.js
+++ b/backend/routes/api/nginx/access_lists.js
@@ -1,148 +0,0 @@
-const express            = require('express');
-const validator          = require('../../../lib/validator');
-const jwtdecode          = require('../../../lib/express/jwt-decode');
-const internalAccessList = require('../../../internal/access-list');
-const apiValidator       = require('../../../lib/validator/api');
-
-let router = express.Router({
-	caseSensitive: true,
-	strict:        true,
-	mergeParams:   true
-});
-
-/**
- * /api/nginx/access-lists
- */
-router
-	.route('/')
-	.options((req, res) => {
-		res.sendStatus(204);
-	})
-	.all(jwtdecode())
-
-	/**
-	 * GET /api/nginx/access-lists
-	 *
-	 * Retrieve all access-lists
-	 */
-	.get((req, res, next) => {
-		validator({
-			additionalProperties: false,
-			properties:           {
-				expand: {
-					$ref: 'definitions#/definitions/expand'
-				},
-				query: {
-					$ref: 'definitions#/definitions/query'
-				}
-			}
-		}, {
-			expand: (typeof req.query.expand === 'string' ? req.query.expand.split(',') : null),
-			query:  (typeof req.query.query === 'string' ? req.query.query : null)
-		})
-			.then((data) => {
-				return internalAccessList.getAll(res.locals.access, data.expand, data.query);
-			})
-			.then((rows) => {
-				res.status(200)
-					.send(rows);
-			})
-			.catch(next);
-	})
-
-	/**
-	 * POST /api/nginx/access-lists
-	 *
-	 * Create a new access-list
-	 */
-	.post((req, res, next) => {
-		apiValidator({$ref: 'endpoints/access-lists#/links/1/schema'}, req.body)
-			.then((payload) => {
-				return internalAccessList.create(res.locals.access, payload);
-			})
-			.then((result) => {
-				res.status(201)
-					.send(result);
-			})
-			.catch(next);
-	});
-
-/**
- * Specific access-list
- *
- * /api/nginx/access-lists/123
- */
-router
-	.route('/:list_id')
-	.options((req, res) => {
-		res.sendStatus(204);
-	})
-	.all(jwtdecode())
-
-	/**
-	 * GET /api/nginx/access-lists/123
-	 *
-	 * Retrieve a specific access-list
-	 */
-	.get((req, res, next) => {
-		validator({
-			required:             ['list_id'],
-			additionalProperties: false,
-			properties:           {
-				list_id: {
-					$ref: 'definitions#/definitions/id'
-				},
-				expand: {
-					$ref: 'definitions#/definitions/expand'
-				}
-			}
-		}, {
-			list_id: req.params.list_id,
-			expand:  (typeof req.query.expand === 'string' ? req.query.expand.split(',') : null)
-		})
-			.then((data) => {
-				return internalAccessList.get(res.locals.access, {
-					id:     parseInt(data.list_id, 10),
-					expand: data.expand
-				});
-			})
-			.then((row) => {
-				res.status(200)
-					.send(row);
-			})
-			.catch(next);
-	})
-
-	/**
-	 * PUT /api/nginx/access-lists/123
-	 *
-	 * Update and existing access-list
-	 */
-	.put((req, res, next) => {
-		apiValidator({$ref: 'endpoints/access-lists#/links/2/schema'}, req.body)
-			.then((payload) => {
-				payload.id = parseInt(req.params.list_id, 10);
-				return internalAccessList.update(res.locals.access, payload);
-			})
-			.then((result) => {
-				res.status(200)
-					.send(result);
-			})
-			.catch(next);
-	})
-
-	/**
-	 * DELETE /api/nginx/access-lists/123
-	 *
-	 * Delete and existing access-list
-	 */
-	.delete((req, res, next) => {
-		internalAccessList.delete(res.locals.access, {id: parseInt(req.params.list_id, 10)})
-			.then((result) => {
-				res.status(200)
-					.send(result);
-			})
-			.catch(next);
-	});
-
-module.exports = router;
--- a/backend/routes/api/nginx/certificates.js
+++ b/backend/routes/api/nginx/certificates.js
@@ -1,274 +0,0 @@
-const express             = require('express');
-const validator           = require('../../../lib/validator');
-const jwtdecode           = require('../../../lib/express/jwt-decode');
-const internalCertificate = require('../../../internal/certificate');
-const apiValidator        = require('../../../lib/validator/api');
-
-let router = express.Router({
-	caseSensitive: true,
-	strict:        true,
-	mergeParams:   true
-});
-
-/**
- * /api/nginx/certificates
- */
-router
-	.route('/')
-	.options((req, res) => {
-		res.sendStatus(204);
-	})
-	.all(jwtdecode())
-
-	/**
-	 * GET /api/nginx/certificates
-	 *
-	 * Retrieve all certificates
-	 */
-	.get((req, res, next) => {
-		validator({
-			additionalProperties: false,
-			properties:           {
-				expand: {
-					$ref: 'definitions#/definitions/expand'
-				},
-				query: {
-					$ref: 'definitions#/definitions/query'
-				}
-			}
-		}, {
-			expand: (typeof req.query.expand === 'string' ? req.query.expand.split(',') : null),
-			query:  (typeof req.query.query === 'string' ? req.query.query : null)
-		})
-			.then((data) => {
-				return internalCertificate.getAll(res.locals.access, data.expand, data.query);
-			})
-			.then((rows) => {
-				res.status(200)
-					.send(rows);
-			})
-			.catch(next);
-	})
-
-	/**
-	 * POST /api/nginx/certificates
-	 *
-	 * Create a new certificate
-	 */
-	.post((req, res, next) => {
-		apiValidator({$ref: 'endpoints/certificates#/links/1/schema'}, req.body)
-			.then((payload) => {
-				req.setTimeout(900000); // 15 minutes timeout
-				return internalCertificate.create(res.locals.access, payload);
-			})
-			.then((result) => {
-				res.status(201)
-					.send(result);
-			})
-			.catch(next);
-	});
-
-/**
- * Specific certificate
- *
- * /api/nginx/certificates/123
- */
-router
-	.route('/:certificate_id')
-	.options((req, res) => {
-		res.sendStatus(204);
-	})
-	.all(jwtdecode())
-
-	/**
-	 * GET /api/nginx/certificates/123
-	 *
-	 * Retrieve a specific certificate
-	 */
-	.get((req, res, next) => {
-		validator({
-			required:             ['certificate_id'],
-			additionalProperties: false,
-			properties:           {
-				certificate_id: {
-					$ref: 'definitions#/definitions/id'
-				},
-				expand: {
-					$ref: 'definitions#/definitions/expand'
-				}
-			}
-		}, {
-			certificate_id: req.params.certificate_id,
-			expand:         (typeof req.query.expand === 'string' ? req.query.expand.split(',') : null)
-		})
-			.then((data) => {
-				return internalCertificate.get(res.locals.access, {
-					id:     parseInt(data.certificate_id, 10),
-					expand: data.expand
-				});
-			})
-			.then((row) => {
-				res.status(200)
-					.send(row);
-			})
-			.catch(next);
-	})
-
-	/**
-	 * PUT /api/nginx/certificates/123
-	 *
-	 * Update and existing certificate
-	 */
-	.put((req, res, next) => {
-		apiValidator({$ref: 'endpoints/certificates#/links/2/schema'}, req.body)
-			.then((payload) => {
-				payload.id = parseInt(req.params.certificate_id, 10);
-				return internalCertificate.update(res.locals.access, payload);
-			})
-			.then((result) => {
-				res.status(200)
-					.send(result);
-			})
-			.catch(next);
-	})
-
-	/**
-	 * DELETE /api/nginx/certificates/123
-	 *
-	 * Update and existing certificate
-	 */
-	.delete((req, res, next) => {
-		internalCertificate.delete(res.locals.access, {id: parseInt(req.params.certificate_id, 10)})
-			.then((result) => {
-				res.status(200)
-					.send(result);
-			})
-			.catch(next);
-	});
-
-/**
- * Upload Certs
- *
- * /api/nginx/certificates/123/upload
- */
-router
-	.route('/:certificate_id/upload')
-	.options((req, res) => {
-		res.sendStatus(204);
-	})
-	.all(jwtdecode())
-
-	/**
-	 * POST /api/nginx/certificates/123/upload
-	 *
-	 * Upload certificates
-	 */
-	.post((req, res, next) => {
-		if (!req.files) {
-			res.status(400)
-				.send({error: 'No files were uploaded'});
-		} else {
-			internalCertificate.upload(res.locals.access, {
-				id:    parseInt(req.params.certificate_id, 10),
-				files: req.files
-			})
-				.then((result) => {
-					res.status(200)
-						.send(result);
-				})
-				.catch(next);
-		}
-	});
-
-/**
- * Renew LE Certs
- *
- * /api/nginx/certificates/123/renew
- */
-router
-	.route('/:certificate_id/renew')
-	.options((req, res) => {
-		res.sendStatus(204);
-	})
-	.all(jwtdecode())
-
-	/**
-	 * POST /api/nginx/certificates/123/renew
-	 *
-	 * Renew certificate
-	 */
-	.post((req, res, next) => {
-		req.setTimeout(900000); // 15 minutes timeout
-		internalCertificate.renew(res.locals.access, {
-			id: parseInt(req.params.certificate_id, 10)
-		})
-			.then((result) => {
-				res.status(200)
-					.send(result);
-			})
-			.catch(next);
-	});
-
-
-/**
- * Download LE Certs
- *
- * /api/nginx/certificates/123/download
- */
-router
-	.route('/:certificate_id/download')
-	.options((req, res) => {
-		res.sendStatus(204);
-	})
-	.all(jwtdecode())
-
-	/**
-	 * GET /api/nginx/certificates/123/download
-	 *
-	 * Renew certificate
-	 */
-	.get((req, res, next) => {
-		internalCertificate.download(res.locals.access, {
-			id: parseInt(req.params.certificate_id, 10)
-		})
-			.then((result) => {
-				res.status(200)
-					.download(result.fileName);
-			})
-			.catch(next);
-	});
-
-/**
- * Validate Certs before saving
- *
- * /api/nginx/certificates/validate
- */
-router
-	.route('/validate')
-	.options((req, res) => {
-		res.sendStatus(204);
-	})
-	.all(jwtdecode())
-
-	/**
-	 * POST /api/nginx/certificates/validate
-	 *
-	 * Validate certificates
-	 */
-	.post((req, res, next) => {
-		if (!req.files) {
-			res.status(400)
-				.send({error: 'No files were uploaded'});
-		} else {
-			internalCertificate.validate({
-				files: req.files
-			})
-				.then((result) => {
-					res.status(200)
-						.send(result);
-				})
-				.catch(next);
-		}
-	});
-
-module.exports = router;
--- a/backend/routes/api/nginx/dead_hosts.js
+++ b/backend/routes/api/nginx/dead_hosts.js
@@ -1,196 +0,0 @@
-const express          = require('express');
-const validator        = require('../../../lib/validator');
-const jwtdecode        = require('../../../lib/express/jwt-decode');
-const internalDeadHost = require('../../../internal/dead-host');
-const apiValidator     = require('../../../lib/validator/api');
-
-let router = express.Router({
-	caseSensitive: true,
-	strict:        true,
-	mergeParams:   true
-});
-
-/**
- * /api/nginx/dead-hosts
- */
-router
-	.route('/')
-	.options((req, res) => {
-		res.sendStatus(204);
-	})
-	.all(jwtdecode())
-
-	/**
-	 * GET /api/nginx/dead-hosts
-	 *
-	 * Retrieve all dead-hosts
-	 */
-	.get((req, res, next) => {
-		validator({
-			additionalProperties: false,
-			properties:           {
-				expand: {
-					$ref: 'definitions#/definitions/expand'
-				},
-				query: {
-					$ref: 'definitions#/definitions/query'
-				}
-			}
-		}, {
-			expand: (typeof req.query.expand === 'string' ? req.query.expand.split(',') : null),
-			query:  (typeof req.query.query === 'string' ? req.query.query : null)
-		})
-			.then((data) => {
-				return internalDeadHost.getAll(res.locals.access, data.expand, data.query);
-			})
-			.then((rows) => {
-				res.status(200)
-					.send(rows);
-			})
-			.catch(next);
-	})
-
-	/**
-	 * POST /api/nginx/dead-hosts
-	 *
-	 * Create a new dead-host
-	 */
-	.post((req, res, next) => {
-		apiValidator({$ref: 'endpoints/dead-hosts#/links/1/schema'}, req.body)
-			.then((payload) => {
-				return internalDeadHost.create(res.locals.access, payload);
-			})
-			.then((result) => {
-				res.status(201)
-					.send(result);
-			})
-			.catch(next);
-	});
-
-/**
- * Specific dead-host
- *
- * /api/nginx/dead-hosts/123
- */
-router
-	.route('/:host_id')
-	.options((req, res) => {
-		res.sendStatus(204);
-	})
-	.all(jwtdecode())
-
-	/**
-	 * GET /api/nginx/dead-hosts/123
-	 *
-	 * Retrieve a specific dead-host
-	 */
-	.get((req, res, next) => {
-		validator({
-			required:             ['host_id'],
-			additionalProperties: false,
-			properties:           {
-				host_id: {
-					$ref: 'definitions#/definitions/id'
-				},
-				expand: {
-					$ref: 'definitions#/definitions/expand'
-				}
-			}
-		}, {
-			host_id: req.params.host_id,
-			expand:  (typeof req.query.expand === 'string' ? req.query.expand.split(',') : null)
-		})
-			.then((data) => {
-				return internalDeadHost.get(res.locals.access, {
-					id:     parseInt(data.host_id, 10),
-					expand: data.expand
-				});
-			})
-			.then((row) => {
-				res.status(200)
-					.send(row);
-			})
-			.catch(next);
-	})
-
-	/**
-	 * PUT /api/nginx/dead-hosts/123
-	 *
-	 * Update and existing dead-host
-	 */
-	.put((req, res, next) => {
-		apiValidator({$ref: 'endpoints/dead-hosts#/links/2/schema'}, req.body)
-			.then((payload) => {
-				payload.id = parseInt(req.params.host_id, 10);
-				return internalDeadHost.update(res.locals.access, payload);
-			})
-			.then((result) => {
-				res.status(200)
-					.send(result);
-			})
-			.catch(next);
-	})
-
-	/**
-	 * DELETE /api/nginx/dead-hosts/123
-	 *
-	 * Update and existing dead-host
-	 */
-	.delete((req, res, next) => {
-		internalDeadHost.delete(res.locals.access, {id: parseInt(req.params.host_id, 10)})
-			.then((result) => {
-				res.status(200)
-					.send(result);
-			})
-			.catch(next);
-	});
-
-/**
- * Enable dead-host
- *
- * /api/nginx/dead-hosts/123/enable
- */
-router
-	.route('/:host_id/enable')
-	.options((req, res) => {
-		res.sendStatus(204);
-	})
-	.all(jwtdecode())
-
-	/**
-	 * POST /api/nginx/dead-hosts/123/enable
-	 */
-	.post((req, res, next) => {
-		internalDeadHost.enable(res.locals.access, {id: parseInt(req.params.host_id, 10)})
-			.then((result) => {
-				res.status(200)
-					.send(result);
-			})
-			.catch(next);
-	});
-
-/**
- * Disable dead-host
- *
- * /api/nginx/dead-hosts/123/disable
- */
-router
-	.route('/:host_id/disable')
-	.options((req, res) => {
-		res.sendStatus(204);
-	})
-	.all(jwtdecode())
-
-	/**
-	 * POST /api/nginx/dead-hosts/123/disable
-	 */
-	.post((req, res, next) => {
-		internalDeadHost.disable(res.locals.access, {id: parseInt(req.params.host_id, 10)})
-			.then((result) => {
-				res.status(200)
-					.send(result);
-			})
-			.catch(next);
-	});
-
-module.exports = router;
--- a/backend/routes/api/nginx/proxy_hosts.js
+++ b/backend/routes/api/nginx/proxy_hosts.js
@@ -1,196 +0,0 @@
-const express           = require('express');
-const validator         = require('../../../lib/validator');
-const jwtdecode         = require('../../../lib/express/jwt-decode');
-const internalProxyHost = require('../../../internal/proxy-host');
-const apiValidator      = require('../../../lib/validator/api');
-
-let router = express.Router({
-	caseSensitive: true,
-	strict:        true,
-	mergeParams:   true
-});
-
-/**
- * /api/nginx/proxy-hosts
- */
-router
-	.route('/')
-	.options((req, res) => {
-		res.sendStatus(204);
-	})
-	.all(jwtdecode())
-
-	/**
-	 * GET /api/nginx/proxy-hosts
-	 *
-	 * Retrieve all proxy-hosts
-	 */
-	.get((req, res, next) => {
-		validator({
-			additionalProperties: false,
-			properties:           {
-				expand: {
-					$ref: 'definitions#/definitions/expand'
-				},
-				query: {
-					$ref: 'definitions#/definitions/query'
-				}
-			}
-		}, {
-			expand: (typeof req.query.expand === 'string' ? req.query.expand.split(',') : null),
-			query:  (typeof req.query.query === 'string' ? req.query.query : null)
-		})
-			.then((data) => {
-				return internalProxyHost.getAll(res.locals.access, data.expand, data.query);
-			})
-			.then((rows) => {
-				res.status(200)
-					.send(rows);
-			})
-			.catch(next);
-	})
-
-	/**
-	 * POST /api/nginx/proxy-hosts
-	 *
-	 * Create a new proxy-host
-	 */
-	.post((req, res, next) => {
-		apiValidator({$ref: 'endpoints/proxy-hosts#/links/1/schema'}, req.body)
-			.then((payload) => {
-				return internalProxyHost.create(res.locals.access, payload);
-			})
-			.then((result) => {
-				res.status(201)
-					.send(result);
-			})
-			.catch(next);
-	});
-
-/**
- * Specific proxy-host
- *
- * /api/nginx/proxy-hosts/123
- */
-router
-	.route('/:host_id')
-	.options((req, res) => {
-		res.sendStatus(204);
-	})
-	.all(jwtdecode())
-
-	/**
-	 * GET /api/nginx/proxy-hosts/123
-	 *
-	 * Retrieve a specific proxy-host
-	 */
-	.get((req, res, next) => {
-		validator({
-			required:             ['host_id'],
-			additionalProperties: false,
-			properties:           {
-				host_id: {
-					$ref: 'definitions#/definitions/id'
-				},
-				expand: {
-					$ref: 'definitions#/definitions/expand'
-				}
-			}
-		}, {
-			host_id: req.params.host_id,
-			expand:  (typeof req.query.expand === 'string' ? req.query.expand.split(',') : null)
-		})
-			.then((data) => {
-				return internalProxyHost.get(res.locals.access, {
-					id:     parseInt(data.host_id, 10),
-					expand: data.expand
-				});
-			})
-			.then((row) => {
-				res.status(200)
-					.send(row);
-			})
-			.catch(next);
-	})
-
-	/**
-	 * PUT /api/nginx/proxy-hosts/123
-	 *
-	 * Update and existing proxy-host
-	 */
-	.put((req, res, next) => {
-		apiValidator({$ref: 'endpoints/proxy-hosts#/links/2/schema'}, req.body)
-			.then((payload) => {
-				payload.id = parseInt(req.params.host_id, 10);
-				return internalProxyHost.update(res.locals.access, payload);
-			})
-			.then((result) => {
-				res.status(200)
-					.send(result);
-			})
-			.catch(next);
-	})
-
-	/**
-	 * DELETE /api/nginx/proxy-hosts/123
-	 *
-	 * Update and existing proxy-host
-	 */
-	.delete((req, res, next) => {
-		internalProxyHost.delete(res.locals.access, {id: parseInt(req.params.host_id, 10)})
-			.then((result) => {
-				res.status(200)
-					.send(result);
-			})
-			.catch(next);
-	});
-
-/**
- * Enable proxy-host
- *
- * /api/nginx/proxy-hosts/123/enable
- */
-router
-	.route('/:host_id/enable')
-	.options((req, res) => {
-		res.sendStatus(204);
-	})
-	.all(jwtdecode())
-
-	/**
-	 * POST /api/nginx/proxy-hosts/123/enable
-	 */
-	.post((req, res, next) => {
-		internalProxyHost.enable(res.locals.access, {id: parseInt(req.params.host_id, 10)})
-			.then((result) => {
-				res.status(200)
-					.send(result);
-			})
-			.catch(next);
-	});
-
-/**
- * Disable proxy-host
- *
- * /api/nginx/proxy-hosts/123/disable
- */
-router
-	.route('/:host_id/disable')
-	.options((req, res) => {
-		res.sendStatus(204);
-	})
-	.all(jwtdecode())
-
-	/**
-	 * POST /api/nginx/proxy-hosts/123/disable
-	 */
-	.post((req, res, next) => {
-		internalProxyHost.disable(res.locals.access, {id: parseInt(req.params.host_id, 10)})
-			.then((result) => {
-				res.status(200)
-					.send(result);
-			})
-			.catch(next);
-	});
-
-module.exports = router;
--- a/backend/routes/api/nginx/redirection_hosts.js
+++ b/backend/routes/api/nginx/redirection_hosts.js
@@ -1,196 +0,0 @@
-const express                 = require('express');
-const validator               = require('../../../lib/validator');
-const jwtdecode               = require('../../../lib/express/jwt-decode');
-const internalRedirectionHost = require('../../../internal/redirection-host');
-const apiValidator            = require('../../../lib/validator/api');
-
-let router = express.Router({
-	caseSensitive: true,
-	strict:        true,
-	mergeParams:   true
-});
-
-/**
- * /api/nginx/redirection-hosts
- */
-router
-	.route('/')
-	.options((req, res) => {
-		res.sendStatus(204);
-	})
-	.all(jwtdecode())
-
-	/**
-	 * GET /api/nginx/redirection-hosts
-	 *
-	 * Retrieve all redirection-hosts
-	 */
-	.get((req, res, next) => {
-		validator({
-			additionalProperties: false,
-			properties:           {
-				expand: {
-					$ref: 'definitions#/definitions/expand'
-				},
-				query: {
-					$ref: 'definitions#/definitions/query'
-				}
-			}
-		}, {
-			expand: (typeof req.query.expand === 'string' ? req.query.expand.split(',') : null),
-			query:  (typeof req.query.query === 'string' ? req.query.query : null)
-		})
-			.then((data) => {
-				return internalRedirectionHost.getAll(res.locals.access, data.expand, data.query);
-			})
-			.then((rows) => {
-				res.status(200)
-					.send(rows);
-			})
-			.catch(next);
-	})
-
-	/**
-	 * POST /api/nginx/redirection-hosts
-	 *
-	 * Create a new redirection-host
-	 */
-	.post((req, res, next) => {
-		apiValidator({$ref: 'endpoints/redirection-hosts#/links/1/schema'}, req.body)
-			.then((payload) => {
-				return internalRedirectionHost.create(res.locals.access, payload);
-			})
-			.then((result) => {
-				res.status(201)
-					.send(result);
-			})
-			.catch(next);
-	});
-
-/**
- * Specific redirection-host
- *
- * /api/nginx/redirection-hosts/123
- */
-router
-	.route('/:host_id')
-	.options((req, res) => {
-		res.sendStatus(204);
-	})
-	.all(jwtdecode())
-
-	/**
-	 * GET /api/nginx/redirection-hosts/123
-	 *
-	 * Retrieve a specific redirection-host
-	 */
-	.get((req, res, next) => {
-		validator({
-			required:             ['host_id'],
-			additionalProperties: false,
-			properties:           {
-				host_id: {
-					$ref: 'definitions#/definitions/id'
-				},
-				expand: {
-					$ref: 'definitions#/definitions/expand'
-				}
-			}
-		}, {
-			host_id: req.params.host_id,
-			expand:  (typeof req.query.expand === 'string' ? req.query.expand.split(',') : null)
-		})
-			.then((data) => {
-				return internalRedirectionHost.get(res.locals.access, {
-					id:     parseInt(data.host_id, 10),
-					expand: data.expand
-				});
-			})
-			.then((row) => {
-				res.status(200)
-					.send(row);
-			})
-			.catch(next);
-	})
-
-	/**
-	 * PUT /api/nginx/redirection-hosts/123
-	 *
-	 * Update and existing redirection-host
-	 */
-	.put((req, res, next) => {
-		apiValidator({$ref: 'endpoints/redirection-hosts#/links/2/schema'}, req.body)
-			.then((payload) => {
-				payload.id = parseInt(req.params.host_id, 10);
-				return internalRedirectionHost.update(res.locals.access, payload);
-			})
-			.then((result) => {
-				res.status(200)
-					.send(result);
-			})
-			.catch(next);
-	})
-
-	/**
-	 * DELETE /api/nginx/redirection-hosts/123
-	 *
-	 * Update and existing redirection-host
-	 */
-	.delete((req, res, next) => {
-		internalRedirectionHost.delete(res.locals.access, {id: parseInt(req.params.host_id, 10)})
-			.then((result) => {
-				res.status(200)
-					.send(result);
-			})
-			.catch(next);
-	});
-
-/**
- * Enable redirection-host
- *
- * /api/nginx/redirection-hosts/123/enable
- */
-router
-	.route('/:host_id/enable')
-	.options((req, res) => {
-		res.sendStatus(204);
-	})
-	.all(jwtdecode())
-
-	/**
-	 * POST /api/nginx/redirection-hosts/123/enable
-	 */
-	.post((req, res, next) => {
-		internalRedirectionHost.enable(res.locals.access, {id: parseInt(req.params.host_id, 10)})
-			.then((result) => {
-				res.status(200)
-					.send(result);
-			})
-			.catch(next);
-	});
-
-/**
- * Disable redirection-host
- *
- * /api/nginx/redirection-hosts/123/disable
- */
-router
-	.route('/:host_id/disable')
-	.options((req, res) => {
-		res.sendStatus(204);
-	})
-	.all(jwtdecode())
-
-	/**
-	 * POST /api/nginx/redirection-hosts/123/disable
-	 */
-	.post((req, res, next) => {
-		internalRedirectionHost.disable(res.locals.access, {id: parseInt(req.params.host_id, 10)})
-			.then((result) => {
-				res.status(200)
-					.send(result);
-			})
-			.catch(next);
-	});
-
-module.exports = router;
--- a/backend/routes/api/nginx/streams.js
+++ b/backend/routes/api/nginx/streams.js
@@ -1,196 +0,0 @@
-const express        = require('express');
-const validator      = require('../../../lib/validator');
-const jwtdecode      = require('../../../lib/express/jwt-decode');
-const internalStream = require('../../../internal/stream');
-const apiValidator   = require('../../../lib/validator/api');
-
-let router = express.Router({
-	caseSensitive: true,
-	strict:        true,
-	mergeParams:   true
-});
-
-/**
- * /api/nginx/streams
- */
-router
-	.route('/')
-	.options((req, res) => {
-		res.sendStatus(204);
-	})
-	.all(jwtdecode()) // preferred so it doesn't apply to nonexistent routes
-
-	/**
-	 * GET /api/nginx/streams
-	 *
-	 * Retrieve all streams
-	 */
-	.get((req, res, next) => {
-		validator({
-			additionalProperties: false,
-			properties:           {
-				expand: {
-					$ref: 'definitions#/definitions/expand'
-				},
-				query: {
-					$ref: 'definitions#/definitions/query'
-				}
-			}
-		}, {
-			expand: (typeof req.query.expand === 'string' ? req.query.expand.split(',') : null),
-			query:  (typeof req.query.query === 'string' ? req.query.query : null)
-		})
-			.then((data) => {
-				return internalStream.getAll(res.locals.access, data.expand, data.query);
-			})
-			.then((rows) => {
-				res.status(200)
-					.send(rows);
-			})
-			.catch(next);
-	})
-
-	/**
-	 * POST /api/nginx/streams
-	 *
-	 * Create a new stream
-	 */
-	.post((req, res, next) => {
-		apiValidator({$ref: 'endpoints/streams#/links/1/schema'}, req.body)
-			.then((payload) => {
-				return internalStream.create(res.locals.access, payload);
-			})
-			.then((result) => {
-				res.status(201)
-					.send(result);
-			})
-			.catch(next);
-	});
-
-/**
- * Specific stream
- *
- * /api/nginx/streams/123
- */
-router
-	.route('/:stream_id')
-	.options((req, res) => {
-		res.sendStatus(204);
-	})
-	.all(jwtdecode()) // preferred so it doesn't apply to nonexistent routes
-
-	/**
-	 * GET /api/nginx/streams/123
-	 *
-	 * Retrieve a specific stream
-	 */
-	.get((req, res, next) => {
-		validator({
-			required:             ['stream_id'],
-			additionalProperties: false,
-			properties:           {
-				stream_id: {
-					$ref: 'definitions#/definitions/id'
-				},
-				expand: {
-					$ref: 'definitions#/definitions/expand'
-				}
-			}
-		}, {
-			stream_id: req.params.stream_id,
-			expand:    (typeof req.query.expand === 'string' ? req.query.expand.split(',') : null)
-		})
-			.then((data) => {
-				return internalStream.get(res.locals.access, {
-					id:     parseInt(data.stream_id, 10),
-					expand: data.expand
-				});
-			})
-			.then((row) => {
-				res.status(200)
-					.send(row);
-			})
-			.catch(next);
-	})
-
-	/**
-	 * PUT /api/nginx/streams/123
-	 *
-	 * Update and existing stream
-	 */
-	.put((req, res, next) => {
-		apiValidator({$ref: 'endpoints/streams#/links/2/schema'}, req.body)
-			.then((payload) => {
-				payload.id = parseInt(req.params.stream_id, 10);
-				return internalStream.update(res.locals.access, payload);
-			})
-			.then((result) => {
-				res.status(200)
-					.send(result);
-			})
-			.catch(next);
-	})
-
-	/**
-	 * DELETE /api/nginx/streams/123
-	 *
-	 * Update and existing stream
-	 */
-	.delete((req, res, next) => {
-		internalStream.delete(res.locals.access, {id: parseInt(req.params.stream_id, 10)})
-			.then((result) => {
-				res.status(200)
-					.send(result);
-			})
-			.catch(next);
-	});
-
-/**
- * Enable stream
- *
- * /api/nginx/streams/123/enable
- */
-router
-	.route('/:host_id/enable')
-	.options((req, res) => {
-		res.sendStatus(204);
-	})
-	.all(jwtdecode())
-
-	/**
-	 * POST /api/nginx/streams/123/enable
-	 */
-	.post((req, res, next) => {
-		internalStream.enable(res.locals.access, {id: parseInt(req.params.host_id, 10)})
-			.then((result) => {
-				res.status(200)
-					.send(result);
-			})
-			.catch(next);
-	});
-
-/**
- * Disable stream
- *
- * /api/nginx/streams/123/disable
- */
-router
-	.route('/:host_id/disable')
-	.options((req, res) => {
-		res.sendStatus(204);
-	})
-	.all(jwtdecode())
-
-	/**
-	 * POST /api/nginx/streams/123/disable
-	 */
-	.post((req, res, next) => {
-		internalStream.disable(res.locals.access, {id: parseInt(req.params.host_id, 10)})
-			.then((result) => {
-				res.status(200)
-					.send(result);
-			})
-			.catch(next);
-	});
-
-module.exports = router;
--- a/backend/routes/api/reports.js
+++ b/backend/routes/api/reports.js
@@ -1,29 +0,0 @@
-const express        = require('express');
-const jwtdecode      = require('../../lib/express/jwt-decode');
-const internalReport = require('../../internal/report');
-
-let router = express.Router({
-	caseSensitive: true,
-	strict:        true,
-	mergeParams:   true
-});
-
-router
-	.route('/hosts')
-	.options((req, res) => {
-		res.sendStatus(204);
-	})
-
-	/**
-	 * GET /reports/hosts
-	 */
-	.get(jwtdecode(), (req, res, next) => {
-		internalReport.getHostsReport(res.locals.access)
-			.then((data) => {
-				res.status(200)
-					.send(data);
-			})
-			.catch(next);
-	});
-
-module.exports = router;
--- a/backend/routes/api/schema.js
+++ b/backend/routes/api/schema.js
@@ -1,36 +0,0 @@
-const express     = require('express');
-const swaggerJSON = require('../../doc/api.swagger.json');
-const PACKAGE     = require('../../package.json');
-
-let router = express.Router({
-	caseSensitive: true,
-	strict:        true,
-	mergeParams:   true
-});
-
-router
-	.route('/')
-	.options((req, res) => {
-		res.sendStatus(204);
-	})
-
-	/**
-	 * GET /schema
-	 */
-	.get((req, res/*, next*/) => {
-		let proto = req.protocol;
-		if (typeof req.headers['x-forwarded-proto'] !== 'undefined' && req.headers['x-forwarded-proto']) {
-			proto = req.headers['x-forwarded-proto'];
-		}
-
-		let origin = proto + '://' + req.hostname;
-		if (typeof req.headers.origin !== 'undefined' && req.headers.origin) {
-			origin = req.headers.origin;
-		}
-
-		swaggerJSON.info.version   = PACKAGE.version;
-		swaggerJSON.servers[0].url = origin + '/api';
-		res.status(200).send(swaggerJSON);
-	});
-
-module.exports = router;
--- a/backend/routes/api/settings.js
+++ b/backend/routes/api/settings.js
@@ -1,96 +0,0 @@
-const express         = require('express');
-const validator       = require('../../lib/validator');
-const jwtdecode       = require('../../lib/express/jwt-decode');
-const internalSetting = require('../../internal/setting');
-const apiValidator    = require('../../lib/validator/api');
-
-let router = express.Router({
-	caseSensitive: true,
-	strict:        true,
-	mergeParams:   true
-});
-
-/**
- * /api/settings
- */
-router
-	.route('/')
-	.options((req, res) => {
-		res.sendStatus(204);
-	})
-	.all(jwtdecode())
-
-	/**
-	 * GET /api/settings
-	 *
-	 * Retrieve all settings
-	 */
-	.get((req, res, next) => {
-		internalSetting.getAll(res.locals.access)
-			.then((rows) => {
-				res.status(200)
-					.send(rows);
-			})
-			.catch(next);
-	});
-
-/**
- * Specific setting
- *
- * /api/settings/something
- */
-router
-	.route('/:setting_id')
-	.options((req, res) => {
-		res.sendStatus(204);
-	})
-	.all(jwtdecode())
-
-	/**
-	 * GET /settings/something
-	 *
-	 * Retrieve a specific setting
-	 */
-	.get((req, res, next) => {
-		validator({
-			required:             ['setting_id'],
-			additionalProperties: false,
-			properties:           {
-				setting_id: {
-					$ref: 'definitions#/definitions/setting_id'
-				}
-			}
-		}, {
-			setting_id: req.params.setting_id
-		})
-			.then((data) => {
-				return internalSetting.get(res.locals.access, {
-					id: data.setting_id
-				});
-			})
-			.then((row) => {
-				res.status(200)
-					.send(row);
-			})
-			.catch(next);
-	})
-
-	/**
-	 * PUT /api/settings/something
-	 *
-	 * Update and existing setting
-	 */
-	.put((req, res, next) => {
-		apiValidator({$ref: 'endpoints/settings#/links/1/schema'}, req.body)
-			.then((payload) => {
-				payload.id = req.params.setting_id;
-				return internalSetting.update(res.locals.access, payload);
-			})
-			.then((result) => {
-				res.status(200)
-					.send(result);
-			})
-			.catch(next);
-	});
-
-module.exports = router;
--- a/backend/routes/api/tokens.js
+++ b/backend/routes/api/tokens.js
@@ -1,54 +0,0 @@
-const express       = require('express');
-const jwtdecode     = require('../../lib/express/jwt-decode');
-const internalToken = require('../../internal/token');
-const apiValidator  = require('../../lib/validator/api');
-
-let router = express.Router({
-	caseSensitive: true,
-	strict:        true,
-	mergeParams:   true
-});
-
-router
-	.route('/')
-	.options((req, res) => {
-		res.sendStatus(204);
-	})
-
-	/**
-	 * GET /tokens
-	 *
-	 * Get a new Token, given they already have a token they want to refresh
-	 * We also piggy back on to this method, allowing admins to get tokens
-	 * for services like Job board and Worker.
-	 */
-	.get(jwtdecode(), (req, res, next) => {
-		internalToken.getFreshToken(res.locals.access, {
-			expiry: (typeof req.query.expiry !== 'undefined' ? req.query.expiry : null),
-			scope:  (typeof req.query.scope !== 'undefined' ? req.query.scope : null)
-		})
-			.then((data) => {
-				res.status(200)
-					.send(data);
-			})
-			.catch(next);
-	})
-
-	/**
-	 * POST /tokens
-	 *
-	 * Create a new Token
-	 */
-	.post((req, res, next) => {
-		apiValidator({$ref: 'endpoints/tokens#/links/0/schema'}, req.body)
-			.then((payload) => {
-				return internalToken.getTokenFromEmail(payload);
-			})
-			.then((data) => {
-				res.status(200)
-					.send(data);
-			})
-			.catch(next);
-	});
-
-module.exports = router;
--- a/backend/routes/api/users.js
+++ b/backend/routes/api/users.js
@@ -1,239 +0,0 @@
-const express      = require('express');
-const validator    = require('../../lib/validator');
-const jwtdecode    = require('../../lib/express/jwt-decode');
-const userIdFromMe = require('../../lib/express/user-id-from-me');
-const internalUser = require('../../internal/user');
-const apiValidator = require('../../lib/validator/api');
-
-let router = express.Router({
-	caseSensitive: true,
-	strict:        true,
-	mergeParams:   true
-});
-
-/**
- * /api/users
- */
-router
-	.route('/')
-	.options((req, res) => {
-		res.sendStatus(204);
-	})
-	.all(jwtdecode())
-
-	/**
-	 * GET /api/users
-	 *
-	 * Retrieve all users
-	 */
-	.get((req, res, next) => {
-		validator({
-			additionalProperties: false,
-			properties:           {
-				expand: {
-					$ref: 'definitions#/definitions/expand'
-				},
-				query: {
-					$ref: 'definitions#/definitions/query'
-				}
-			}
-		}, {
-			expand: (typeof req.query.expand === 'string' ? req.query.expand.split(',') : null),
-			query:  (typeof req.query.query === 'string' ? req.query.query : null)
-		})
-			.then((data) => {
-				return internalUser.getAll(res.locals.access, data.expand, data.query);
-			})
-			.then((users) => {
-				res.status(200)
-					.send(users);
-			})
-			.catch(next);
-	})
-
-	/**
-	 * POST /api/users
-	 *
-	 * Create a new User
-	 */
-	.post((req, res, next) => {
-		apiValidator({$ref: 'endpoints/users#/links/1/schema'}, req.body)
-			.then((payload) => {
-				return internalUser.create(res.locals.access, payload);
-			})
-			.then((result) => {
-				res.status(201)
-					.send(result);
-			})
-			.catch(next);
-	});
-
-/**
- * Specific user
- *
- * /api/users/123
- */
-router
-	.route('/:user_id')
-	.options((req, res) => {
-		res.sendStatus(204);
-	})
-	.all(jwtdecode())
-	.all(userIdFromMe)
-
-	/**
-	 * GET /users/123 or /users/me
-	 *
-	 * Retrieve a specific user
-	 */
-	.get((req, res, next) => {
-		validator({
-			required:             ['user_id'],
-			additionalProperties: false,
-			properties:           {
-				user_id: {
-					$ref: 'definitions#/definitions/id'
-				},
-				expand: {
-					$ref: 'definitions#/definitions/expand'
-				}
-			}
-		}, {
-			user_id: req.params.user_id,
-			expand:  (typeof req.query.expand === 'string' ? req.query.expand.split(',') : null)
-		})
-			.then((data) => {
-				return internalUser.get(res.locals.access, {
-					id:     data.user_id,
-					expand: data.expand,
-					omit:   internalUser.getUserOmisionsByAccess(res.locals.access, data.user_id)
-				});
-			})
-			.then((user) => {
-				res.status(200)
-					.send(user);
-			})
-			.catch(next);
-	})
-
-	/**
-	 * PUT /api/users/123
-	 *
-	 * Update and existing user
-	 */
-	.put((req, res, next) => {
-		apiValidator({$ref: 'endpoints/users#/links/2/schema'}, req.body)
-			.then((payload) => {
-				payload.id = req.params.user_id;
-				return internalUser.update(res.locals.access, payload);
-			})
-			.then((result) => {
-				res.status(200)
-					.send(result);
-			})
-			.catch(next);
-	})
-
-	/**
-	 * DELETE /api/users/123
-	 *
-	 * Update and existing user
-	 */
-	.delete((req, res, next) => {
-		internalUser.delete(res.locals.access, {id: req.params.user_id})
-			.then((result) => {
-				res.status(200)
-					.send(result);
-			})
-			.catch(next);
-	});
-
-/**
- * Specific user auth
- *
- * /api/users/123/auth
- */
-router
-	.route('/:user_id/auth')
-	.options((req, res) => {
-		res.sendStatus(204);
-	})
-	.all(jwtdecode())
-	.all(userIdFromMe)
-
-	/**
-	 * PUT /api/users/123/auth
-	 *
-	 * Update password for a user
-	 */
-	.put((req, res, next) => {
-		apiValidator({$ref: 'endpoints/users#/links/4/schema'}, req.body)
-			.then((payload) => {
-				payload.id = req.params.user_id;
-				return internalUser.setPassword(res.locals.access, payload);
-			})
-			.then((result) => {
-				res.status(201)
-					.send(result);
-			})
-			.catch(next);
-	});
-
-/**
- * Specific user permissions
- *
- * /api/users/123/permissions
- */
-router
-	.route('/:user_id/permissions')
-	.options((req, res) => {
-		res.sendStatus(204);
-	})
-	.all(jwtdecode())
-	.all(userIdFromMe)
-
-	/**
-	 * PUT /api/users/123/permissions
-	 *
-	 * Set some or all permissions for a user
-	 */
-	.put((req, res, next) => {
-		apiValidator({$ref: 'endpoints/users#/links/5/schema'}, req.body)
-			.then((payload) => {
-				payload.id = req.params.user_id;
-				return internalUser.setPermissions(res.locals.access, payload);
-			})
-			.then((result) => {
-				res.status(201)
-					.send(result);
-			})
-			.catch(next);
-	});
-
-/**
- * Specific user login as
- *
- * /api/users/123/login
- */
-router
-	.route('/:user_id/login')
-	.options((req, res) => {
-		res.sendStatus(204);
-	})
-	.all(jwtdecode())
-
-	/**
-	 * POST /api/users/123/login
-	 *
-	 * Log in as a user
-	 */
-	.post((req, res, next) => {
-		internalUser.loginAs(res.locals.access, {id: parseInt(req.params.user_id, 10)})
-			.then((result) => {
-				res.status(201)
-					.send(result);
-			})
-			.catch(next);
-	});
-
-module.exports = router;
--- a/backend/routes/audit-log.js
+++ b/backend/routes/audit-log.js
@@ -0,0 +1,107 @@
+import express from "express";
+import internalAuditLog from "../internal/audit-log.js";
+import jwtdecode from "../lib/express/jwt-decode.js";
+import validator from "../lib/validator/index.js";
+import { express as logger } from "../logger.js";
+
+const router = express.Router({
+	caseSensitive: true,
+	strict: true,
+	mergeParams: true,
+});
+
+/**
+ * /api/audit-log
+ */
+router
+	.route("/")
+	.options((_, res) => {
+		res.sendStatus(204);
+	})
+	.all(jwtdecode())
+
+	/**
+	 * GET /api/audit-log
+	 *
+	 * Retrieve all logs
+	 */
+	.get(async (req, res, next) => {
+		try {
+			const data = await validator(
+				{
+					additionalProperties: false,
+					properties: {
+						expand: {
+							$ref: "common#/properties/expand",
+						},
+						query: {
+							$ref: "common#/properties/query",
+						},
+					},
+				},
+				{
+					expand: typeof req.query.expand === "string" ? req.query.expand.split(",") : null,
+					query: typeof req.query.query === "string" ? req.query.query : null,
+				},
+			);
+			const rows = await internalAuditLog.getAll(res.locals.access, data.expand, data.query);
+			res.status(200).send(rows);
+		} catch (err) {
+			logger.debug(`${req.method.toUpperCase()} ${req.path}: ${err}`);
+			next(err);
+		}
+	});
+
+/**
+ * Specific audit log entry
+ *
+ * /api/audit-log/123
+ */
+router
+	.route("/:event_id")
+	.options((_, res) => {
+		res.sendStatus(204);
+	})
+	.all(jwtdecode())
+
+	/**
+	 * GET /api/audit-log/123
+	 *
+	 * Retrieve a specific entry
+	 */
+	.get(async (req, res, next) => {
+		try {
+			const data = await validator(
+				{
+					required: ["event_id"],
+					additionalProperties: false,
+					properties: {
+						event_id: {
+							$ref: "common#/properties/id",
+						},
+						expand: {
+							$ref: "common#/properties/expand",
+						},
+					},
+				},
+				{
+					event_id: req.params.event_id,
+					expand:
+						typeof req.query.expand === "string"
+							? req.query.expand.split(",")
+							: null,
+				},
+			);
+
+			const item = await internalAuditLog.get(res.locals.access, {
+				id: data.event_id,
+				expand: data.expand,
+			});
+			res.status(200).send(item);
+		} catch (err) {
+			logger.debug(`${req.method.toUpperCase()} ${req.path}: ${err}`);
+			next(err);
+		}
+	});
+
+export default router;
--- a/backend/routes/main.js
+++ b/backend/routes/main.js
@@ -0,0 +1,66 @@
+import express from "express";
+import errs from "../lib/error.js";
+import pjson from "../package.json" with { type: "json" };
+import { isSetup } from "../setup.js";
+import auditLogRoutes from "./audit-log.js";
+import accessListsRoutes from "./nginx/access_lists.js";
+import certificatesHostsRoutes from "./nginx/certificates.js";
+import deadHostsRoutes from "./nginx/dead_hosts.js";
+import proxyHostsRoutes from "./nginx/proxy_hosts.js";
+import redirectionHostsRoutes from "./nginx/redirection_hosts.js";
+import streamsRoutes from "./nginx/streams.js";
+import reportsRoutes from "./reports.js";
+import schemaRoutes from "./schema.js";
+import settingsRoutes from "./settings.js";
+import tokensRoutes from "./tokens.js";
+import usersRoutes from "./users.js";
+
+const router = express.Router({
+	caseSensitive: true,
+	strict: true,
+	mergeParams: true,
+});
+
+/**
+ * Health Check
+ * GET /api
+ */
+router.get("/", async (_, res /*, next*/) => {
+	const version = pjson.version.split("-").shift().split(".");
+	const setup = await isSetup();
+
+	res.status(200).send({
+		status: "OK",
+		setup,
+		version: {
+			major: Number.parseInt(version.shift(), 10),
+			minor: Number.parseInt(version.shift(), 10),
+			revision: Number.parseInt(version.shift(), 10),
+		},
+	});
+});
+
+router.use("/schema", schemaRoutes);
+router.use("/tokens", tokensRoutes);
+router.use("/users", usersRoutes);
+router.use("/audit-log", auditLogRoutes);
+router.use("/reports", reportsRoutes);
+router.use("/settings", settingsRoutes);
+router.use("/nginx/proxy-hosts", proxyHostsRoutes);
+router.use("/nginx/redirection-hosts", redirectionHostsRoutes);
+router.use("/nginx/dead-hosts", deadHostsRoutes);
+router.use("/nginx/streams", streamsRoutes);
+router.use("/nginx/access-lists", accessListsRoutes);
+router.use("/nginx/certificates", certificatesHostsRoutes);
+
+/**
+ * API 404 for all other routes
+ *
+ * ALL /api/*
+ */
+router.all(/(.+)/, (req, _, next) => {
+	req.params.page = req.params["0"];
+	next(new errs.ItemNotFoundError(req.params.page));
+});
+
+export default router;
--- a/backend/routes/nginx/access_lists.js
+++ b/backend/routes/nginx/access_lists.js
@@ -0,0 +1,155 @@
+import express from "express";
+import internalAccessList from "../../internal/access-list.js";
+import jwtdecode from "../../lib/express/jwt-decode.js";
+import apiValidator from "../../lib/validator/api.js";
+import validator from "../../lib/validator/index.js";
+import { express as logger } from "../../logger.js";
+import { getValidationSchema } from "../../schema/index.js";
+
+const router = express.Router({
+	caseSensitive: true,
+	strict: true,
+	mergeParams: true,
+});
+
+/**
+ * /api/nginx/access-lists
+ */
+router
+	.route("/")
+	.options((_, res) => {
+		res.sendStatus(204);
+	})
+	.all(jwtdecode())
+
+	/**
+	 * GET /api/nginx/access-lists
+	 *
+	 * Retrieve all access-lists
+	 */
+	.get(async (req, res, next) => {
+		try {
+			const data = await validator(
+				{
+					additionalProperties: false,
+					properties: {
+						expand: {
+							$ref: "common#/properties/expand",
+						},
+						query: {
+							$ref: "common#/properties/query",
+						},
+					},
+				},
+				{
+					expand: typeof req.query.expand === "string" ? req.query.expand.split(",") : null,
+					query: typeof req.query.query === "string" ? req.query.query : null,
+				},
+			);
+			const rows = await internalAccessList.getAll(res.locals.access, data.expand, data.query);
+			res.status(200).send(rows);
+		} catch (err) {
+			logger.debug(`${req.method.toUpperCase()} ${req.path}: ${err}`);
+			next(err);
+		}
+	})
+
+	/**
+	 * POST /api/nginx/access-lists
+	 *
+	 * Create a new access-list
+	 */
+	.post(async (req, res, next) => {
+		try {
+			const payload = await apiValidator(getValidationSchema("/nginx/access-lists", "post"), req.body);
+			const result = await internalAccessList.create(res.locals.access, payload);
+			res.status(201).send(result);
+		} catch (err) {
+			logger.debug(`${req.method.toUpperCase()} ${req.path}: ${err}`);
+			next(err);
+		}
+	});
+
+/**
+ * Specific access-list
+ *
+ * /api/nginx/access-lists/123
+ */
+router
+	.route("/:list_id")
+	.options((_, res) => {
+		res.sendStatus(204);
+	})
+	.all(jwtdecode())
+
+	/**
+	 * GET /api/nginx/access-lists/123
+	 *
+	 * Retrieve a specific access-list
+	 */
+	.get(async (req, res, next) => {
+		try {
+			const data = await validator(
+				{
+					required: ["list_id"],
+					additionalProperties: false,
+					properties: {
+						list_id: {
+							$ref: "common#/properties/id",
+						},
+						expand: {
+							$ref: "common#/properties/expand",
+						},
+					},
+				},
+				{
+					list_id: req.params.list_id,
+					expand: typeof req.query.expand === "string" ? req.query.expand.split(",") : null,
+				},
+			);
+			const row = await internalAccessList.get(res.locals.access, {
+				id: Number.parseInt(data.list_id, 10),
+				expand: data.expand,
+			});
+			res.status(200).send(row);
+		} catch (err) {
+			logger.debug(`${req.method.toUpperCase()} ${req.path}: ${err}`);
+			next(err);
+		}
+	})
+
+	/**
+	 * PUT /api/nginx/access-lists/123
+	 *
+	 * Update and existing access-list
+	 */
+	.put(async (req, res, next) => {
+		try {
+			const payload = await apiValidator(getValidationSchema("/nginx/access-lists/{listID}", "put"), req.body);
+			payload.id = Number.parseInt(req.params.list_id, 10);
+			const result = await internalAccessList.update(res.locals.access, payload);
+			res.status(200).send(result);
+		} catch (err) {
+			logger.debug(`${req.method.toUpperCase()} ${req.path}: ${err}`);
+			next(err);
+		}
+	})
+
+	/**
+	 * DELETE /api/nginx/access-lists/123
+	 *
+	 * Delete and existing access-list
+	 */
+	.delete(async (req, res, next) => {
+		try {
+			const result = await internalAccessList.delete(res.locals.access, {
+				id: Number.parseInt(req.params.list_id, 10),
+			});
+			res.status(200).send(result);
+		} catch (err) {
+			logger.debug(`${req.method.toUpperCase()} ${req.path}: ${err}`);
+			next(err);
+		}
+	});
+
+export default router;
--- a/backend/routes/nginx/certificates.js
+++ b/backend/routes/nginx/certificates.js
@@ -0,0 +1,355 @@
+import express from "express";
+import dnsPlugins from "../../certbot/dns-plugins.json" with { type: "json" };
+import internalCertificate from "../../internal/certificate.js";
+import errs from "../../lib/error.js";
+import jwtdecode from "../../lib/express/jwt-decode.js";
+import apiValidator from "../../lib/validator/api.js";
+import validator from "../../lib/validator/index.js";
+import { express as logger } from "../../logger.js";
+import { getValidationSchema } from "../../schema/index.js";
+
+const router = express.Router({
+	caseSensitive: true,
+	strict: true,
+	mergeParams: true,
+});
+
+/**
+ * /api/nginx/certificates
+ */
+router
+	.route("/")
+	.options((_, res) => {
+		res.sendStatus(204);
+	})
+	.all(jwtdecode())
+
+	/**
+	 * GET /api/nginx/certificates
+	 *
+	 * Retrieve all certificates
+	 */
+	.get(async (req, res, next) => {
+		try {
+			const data = await validator(
+				{
+					additionalProperties: false,
+					properties: {
+						expand: {
+							$ref: "common#/properties/expand",
+						},
+						query: {
+							$ref: "common#/properties/query",
+						},
+					},
+				},
+				{
+					expand:
+						typeof req.query.expand === "string"
+							? req.query.expand.split(",")
+							: null,
+					query: typeof req.query.query === "string" ? req.query.query : null,
+				},
+			);
+			const rows = await internalCertificate.getAll(
+				res.locals.access,
+				data.expand,
+				data.query,
+			);
+			res.status(200).send(rows);
+		} catch (err) {
+			logger.debug(`${req.method.toUpperCase()} ${req.path}: ${err}`);
+			next(err);
+		}
+	})
+
+	/**
+	 * POST /api/nginx/certificates
+	 *
+	 * Create a new certificate
+	 */
+	.post(async (req, res, next) => {
+		try {
+			const payload = await apiValidator(
+				getValidationSchema("/nginx/certificates", "post"),
+				req.body,
+			);
+			req.setTimeout(900000); // 15 minutes timeout
+			const result = await internalCertificate.create(
+				res.locals.access,
+				payload,
+			);
+			res.status(201).send(result);
+		} catch (err) {
+			logger.debug(`${req.method.toUpperCase()} ${req.path}: ${err}`);
+			next(err);
+		}
+	});
+
+/**
+ * /api/nginx/certificates/dns-providers
+ */
+router
+	.route("/dns-providers")
+	.options((_, res) => {
+		res.sendStatus(204);
+	})
+	.all(jwtdecode())
+
+	/**
+	 * GET /api/nginx/certificates/dns-providers
+	 *
+	 * Get list of all supported DNS providers
+	 */
+	.get(async (req, res, next) => {
+		try {
+			if (!res.locals.access.token.getUserId()) {
+				throw new errs.PermissionError("Login required");
+			}
+			const clean = Object.keys(dnsPlugins).map((key) => ({
+				id: key,
+				name: dnsPlugins[key].name,
+				credentials: dnsPlugins[key].credentials,
+			}));
+
+			clean.sort((a, b) => a.name.localeCompare(b.name));
+			res.status(200).send(clean);
+		} catch (err) {
+			logger.debug(`${req.method.toUpperCase()} ${req.path}: ${err}`);
+			next(err);
+		}
+	});
+
+/**
+ * Test HTTP challenge for domains
+ *
+ * /api/nginx/certificates/test-http
+ */
+router
+	.route("/test-http")
+	.options((_, res) => {
+		res.sendStatus(204);
+	})
+	.all(jwtdecode())
+
+	/**
+	 * POST /api/nginx/certificates/test-http
+	 *
+	 * Test HTTP challenge for domains
+	 */
+	.post(async (req, res, next) => {
+		try {
+			const payload = await apiValidator(
+				getValidationSchema("/nginx/certificates/test-http", "post"),
+				req.body,
+			);
+			req.setTimeout(60000); // 1 minute timeout
+
+			const result = await internalCertificate.testHttpsChallenge(
+				res.locals.access,
+				payload,
+			);
+			res.status(200).send(result);
+		} catch (err) {
+			logger.debug(`${req.method.toUpperCase()} ${req.path}: ${err}`);
+			next(err);
+		}
+	});
+
+/**
+ * Validate Certs before saving
+ *
+ * /api/nginx/certificates/validate
+ */
+router
+	.route("/validate")
+	.options((_, res) => {
+		res.sendStatus(204);
+	})
+	.all(jwtdecode())
+
+	/**
+	 * POST /api/nginx/certificates/validate
+	 *
+	 * Validate certificates
+	 */
+	.post(async (req, res, next) => {
+		if (!req.files) {
+			res.status(400).send({ error: "No files were uploaded" });
+			return;
+		}
+
+		try {
+			const result = await internalCertificate.validate({
+				files: req.files,
+			});
+			res.status(200).send(result);
+		} catch (err) {
+			logger.debug(`${req.method.toUpperCase()} ${req.path}: ${err}`);
+			next(err);
+		}
+	});
+
+/**
+ * Specific certificate
+ *
+ * /api/nginx/certificates/123
+ */
+router
+	.route("/:certificate_id")
+	.options((_, res) => {
+		res.sendStatus(204);
+	})
+	.all(jwtdecode())
+
+	/**
+	 * GET /api/nginx/certificates/123
+	 *
+	 * Retrieve a specific certificate
+	 */
+	.get(async (req, res, next) => {
+		try {
+			const data = await validator(
+				{
+					required: ["certificate_id"],
+					additionalProperties: false,
+					properties: {
+						certificate_id: {
+							$ref: "common#/properties/id",
+						},
+						expand: {
+							$ref: "common#/properties/expand",
+						},
+					},
+				},
+				{
+					certificate_id: req.params.certificate_id,
+					expand:
+						typeof req.query.expand === "string"
+							? req.query.expand.split(",")
+							: null,
+				},
+			);
+			const row = await internalCertificate.get(res.locals.access, {
+				id: Number.parseInt(data.certificate_id, 10),
+				expand: data.expand,
+			});
+			res.status(200).send(row);
+		} catch (err) {
+			logger.debug(`${req.method.toUpperCase()} ${req.path}: ${err}`);
+			next(err);
+		}
+	})
+
+	/**
+	 * DELETE /api/nginx/certificates/123
+	 *
+	 * Update and existing certificate
+	 */
+	.delete(async (req, res, next) => {
+		try {
+			const result = await internalCertificate.delete(res.locals.access, {
+				id: Number.parseInt(req.params.certificate_id, 10),
+			});
+			res.status(200).send(result);
+		} catch (err) {
+			logger.debug(`${req.method.toUpperCase()} ${req.path}: ${err}`);
+			next(err);
+		}
+	});
+
+/**
+ * Upload Certs
+ *
+ * /api/nginx/certificates/123/upload
+ */
+router
+	.route("/:certificate_id/upload")
+	.options((_, res) => {
+		res.sendStatus(204);
+	})
+	.all(jwtdecode())
+
+	/**
+	 * POST /api/nginx/certificates/123/upload
+	 *
+	 * Upload certificates
+	 */
+	.post(async (req, res, next) => {
+		if (!req.files) {
+			res.status(400).send({ error: "No files were uploaded" });
+			return;
+		}
+
+		try {
+			const result = await internalCertificate.upload(res.locals.access, {
+				id: Number.parseInt(req.params.certificate_id, 10),
+				files: req.files,
+			});
+			res.status(200).send(result);
+		} catch (err) {
+			logger.debug(`${req.method.toUpperCase()} ${req.path}: ${err}`);
+			next(err);
+		}
+	});
+
+/**
+ * Renew LE Certs
+ *
+ * /api/nginx/certificates/123/renew
+ */
+router
+	.route("/:certificate_id/renew")
+	.options((_, res) => {
+		res.sendStatus(204);
+	})
+	.all(jwtdecode())
+
+	/**
+	 * POST /api/nginx/certificates/123/renew
+	 *
+	 * Renew certificate
+	 */
+	.post(async (req, res, next) => {
+		req.setTimeout(900000); // 15 minutes timeout
+		try {
+			const result = await internalCertificate.renew(res.locals.access, {
+				id: Number.parseInt(req.params.certificate_id, 10),
+			});
+			res.status(200).send(result);
+		} catch (err) {
+			logger.debug(`${req.method.toUpperCase()} ${req.path}: ${err}`);
+			next(err);
+		}
+	});
+
+/**
+ * Download LE Certs
+ *
+ * /api/nginx/certificates/123/download
+ */
+router
+	.route("/:certificate_id/download")
+	.options((_req, res) => {
+		res.sendStatus(204);
+	})
+	.all(jwtdecode())
+
+	/**
+	 * GET /api/nginx/certificates/123/download
+	 *
+	 * Renew certificate
+	 */
+	.get(async (req, res, next) => {
+		try {
+			const result = await internalCertificate.download(res.locals.access, {
+				id: Number.parseInt(req.params.certificate_id, 10),
+			});
+			res.status(200).download(result.fileName);
+		} catch (err) {
+			logger.debug(`${req.method.toUpperCase()} ${req.path}: ${err}`);
+			next(err);
+		}
+	});
+
+export default router;
--- a/Show More
+++ b/Show More
@@ -1 +1 @@
 .9.12
 .13.0