freescout

bundles/bind/items.py

@@ -19,7 +19,7 @@ directories[f'/var/lib/bind'] = {
         'svc_systemd:bind9',
     ],
     'triggers': [
-        'svc_systemd:bind9:restart',
+        'svc_systemd:bind9:reload',
     ],
 }
 
@@ -29,7 +29,7 @@ files['/etc/default/bind9'] = {
         'svc_systemd:bind9',
     ],
     'triggers': [
-        'svc_systemd:bind9:restart',
+        'svc_systemd:bind9:reload',
     ],
 }
 
@@ -43,7 +43,7 @@ files['/etc/bind/named.conf'] = {
         'svc_systemd:bind9',
     ],
     'triggers': [
-        'svc_systemd:bind9:restart',
+        'svc_systemd:bind9:reload',
     ],
 }
 
@@ -63,7 +63,7 @@ files['/etc/bind/named.conf.options'] = {
         'svc_systemd:bind9',
     ],
     'triggers': [
-        'svc_systemd:bind9:restart',
+        'svc_systemd:bind9:reload',
     ],
 }
 
@@ -93,7 +93,7 @@ files['/etc/bind/named.conf.local'] = {
         'svc_systemd:bind9',
     ],
     'triggers': [
-        'svc_systemd:bind9:restart',
+        'svc_systemd:bind9:reload',
     ],
 }
 
@@ -106,7 +106,7 @@ for view_name, view_conf in master_node.metadata.get('bind/views').items():
             'svc_systemd:bind9',
         ],
         'triggers': [
-            'svc_systemd:bind9:restart',
+            'svc_systemd:bind9:reload',
         ],
     }
 
@@ -127,7 +127,7 @@ for view_name, view_conf in master_node.metadata.get('bind/views').items():
                 'svc_systemd:bind9',
             ],
             'triggers': [
-                'svc_systemd:bind9:restart',
+                'svc_systemd:bind9:reload',
             ],
         }
 
@@ -139,6 +139,6 @@ actions['named-checkconf'] = {
     'unless': 'named-checkconf -z',
     'needs': [
         'svc_systemd:bind9',
-        'svc_systemd:bind9:restart',
+        'svc_systemd:bind9:reload',
     ]
 }

bundles/freescout/items.py

@@ -21,7 +21,7 @@ actions = {
         ],
     },
     'pull_freescout': {
-        'command': run_as('www-data', 'git -C /opt/freescout pull'),
+        'command': run_as('www-data', 'git -C /opt/freescout fetch origin dist && git -C /opt/freescout reset --hard origin/dist && git -C /opt/freescout clean -f'),
         'unless': run_as('www-data', 'git -C /opt/freescout fetch origin && git -C /opt/freescout status -uno | grep -q "Your branch is up to date"'),
         'needs': [
             'action:clone_freescout',

bundles/freescout/metadata.py

@@ -1,3 +1,6 @@
+from base64 import b64decode
+
+# hash: SCRAM-SHA-256$4096:tQNfqQi7seqNDwJdHqCHbg==$r3ibECluHJaY6VRwpvPqrtCjgrEK7lAkgtUO8/tllTU=:+eeo4M0L2SowfyHFxT2FRqGzezve4ZOEocSIo11DATA=
 database_password = repo.vault.password_for(f'{node.name} postgresql freescout').value
 
 defaults = {
@@ -38,7 +41,10 @@ defaults = {
     'postgresql': {
         'roles': {
             'freescout': {
-                'password': database_password,
+                'password_hash': repo.libs.postgres.generate_scram_sha_256(
+                    database_password,
+                    b64decode(repo.vault.random_bytes_as_base64_for(f'{node.name} postgres freescout', length=16).value.encode()),
+                ),
             },
         },
         'databases': {

bundles/zsh/items.py

@@ -3,13 +3,13 @@ from os.path import join
 directories = {
     '/etc/zsh/oh-my-zsh': {},
     '/etc/zsh/oh-my-zsh/custom/plugins': {
-        'mode': '0744',
+        'mode': '0755',
         'needs': [
             f"git_deploy:/etc/zsh/oh-my-zsh",
         ]
     },
     '/etc/zsh/oh-my-zsh/custom/plugins/zsh-autosuggestions': {
-        'mode': '0744',
+        'mode': '0755',
         'needs': [
             f"git_deploy:/etc/zsh/oh-my-zsh",
         ]
@@ -29,10 +29,10 @@ git_deploy = {
 
 files = {
     '/etc/zsh/zprofile': {
-        'mode': '0744',
+        'mode': '0755',
     },
     '/etc/zsh/oh-my-zsh/themes/bw.zsh-theme': {
-        'mode': '0744',
+        'mode': '0755',
         'needs': [
             f"git_deploy:/etc/zsh/oh-my-zsh",
         ]
@@ -41,7 +41,7 @@ files = {
 
 actions = {
     'chown_oh_my_zsh': {
-        'command': 'chmod -R 744 /etc/zsh/oh-my-zsh',
+        'command': 'chmod -R 755 /etc/zsh/oh-my-zsh',
         'triggered': True,
         'triggered_by': [
             "git_deploy:/etc/zsh/oh-my-zsh",

libs/postgres.py

@@ -0,0 +1,23 @@
+from base64 import standard_b64encode
+from hashlib import pbkdf2_hmac, sha256
+import hmac
+
+
+def b64enc(b: bytes) -> str:
+    return standard_b64encode(b).decode('utf8')
+
+def generate_scram_sha_256(password, salt):
+    if len(salt) != 16:
+        raise ValueError(f"Salt '{salt}' is not 16, but {len(salt)} characters long.")
+
+    digest_len = 32
+    iterations = 4096
+
+    digest_key = pbkdf2_hmac('sha256', password.encode('utf8'), salt, iterations, digest_len)
+    client_key = hmac.digest(digest_key, 'Client Key'.encode('utf8'), 'sha256')
+    stored_key = sha256(client_key).digest()
+    server_key = hmac.digest(digest_key, 'Server Key'.encode('utf8'), 'sha256')
+
+    return f'SCRAM-SHA-256${iterations}:{b64enc(salt)}${b64enc(stored_key)}:{b64enc(server_key)}'
+
+

nodes/mseibert.freescout.py

@@ -27,7 +27,7 @@
             },
         },
         'freescout': {
-            'domain': 'freescout.foerderkreis-oranienschule.de',
+            'domain': 'foerderkreis.oranienschule-wiesbaden-wiki.de',
         },
         'vm': {
             'cores': 1,

nodes/netcup.mails.py

@@ -16,7 +16,7 @@
         'download-server',
         'islamicstate.eu',
         'nginx-rtmps',
-        'steam',
+        #'steam',
         'wireguard',
         'zfs',
     ],
@@ -53,7 +53,7 @@
                 'left4.me',
                 'elimu-kwanza.de',
                 'cronekorkn.de',
-                'freescout.foerderkreis-oranienschule.de',
+                'foerderkreis.oranienschule-wiesbaden-wiki.de',
             },
         },
         'dns': {