diff --git a/bundles/bind/items.py b/bundles/bind/items.py
index b85c92e..6283b34 100644
--- a/bundles/bind/items.py
+++ b/bundles/bind/items.py
@@ -19,7 +19,7 @@ directories[f'/var/lib/bind'] = {
 'svc_systemd:bind9',
 ],
 'triggers': [
- 'svc_systemd:bind9:restart',
+ 'svc_systemd:bind9:reload',
 ],
 }
@@ -29,7 +29,7 @@ files['/etc/default/bind9'] = {
 'svc_systemd:bind9',
 ],
 'triggers': [
- 'svc_systemd:bind9:restart',
+ 'svc_systemd:bind9:reload',
 ],
 }
@@ -43,7 +43,7 @@ files['/etc/bind/named.conf'] = {
 'svc_systemd:bind9',
 ],
 'triggers': [
- 'svc_systemd:bind9:restart',
+ 'svc_systemd:bind9:reload',
 ],
 }
@@ -63,7 +63,7 @@ files['/etc/bind/named.conf.options'] = {
 'svc_systemd:bind9',
 ],
 'triggers': [
- 'svc_systemd:bind9:restart',
+ 'svc_systemd:bind9:reload',
 ],
 }
@@ -93,7 +93,7 @@ files['/etc/bind/named.conf.local'] = {
 'svc_systemd:bind9',
 ],
 'triggers': [
- 'svc_systemd:bind9:restart',
+ 'svc_systemd:bind9:reload',
 ],
 }
@@ -106,7 +106,7 @@ for view_name, view_conf in master_node.metadata.get('bind/views').items():
 'svc_systemd:bind9',
 ],
 'triggers': [
- 'svc_systemd:bind9:restart',
+ 'svc_systemd:bind9:reload',
 ],
 }
@@ -127,7 +127,7 @@ for view_name, view_conf in master_node.metadata.get('bind/views').items():
 'svc_systemd:bind9',
 ],
 'triggers': [
- 'svc_systemd:bind9:restart',
+ 'svc_systemd:bind9:reload',
 ],
 }
@@ -139,6 +139,6 @@ actions['named-checkconf'] = {
 'unless': 'named-checkconf -z',
 'needs': [
 'svc_systemd:bind9',
- 'svc_systemd:bind9:restart',
+ 'svc_systemd:bind9:reload',
 ]
 }
diff --git a/bundles/freescout/items.py b/bundles/freescout/items.py
index 14b947f..e409e81 100644
--- a/bundles/freescout/items.py
+++ b/bundles/freescout/items.py
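Review bot: The second hunk, `files['/etc/default/bind9']`, should keep `'svc_systemd:bind9:restart'` rather than switching to reload: that file carries the daemon's startup environment (the Debian unit reads it as an EnvironmentFile, as far as I know), and `systemctl reload bind9` only asks the running named to re-read its configuration and zones, so an edit there would be reported as applied while the old options stay in effect until the next restart. Switching the other six triggers in this file (named.conf, named.conf.options, named.conf.local, the per-view files, /var/lib/bind) to reload is sound, since those are re-read on reload. A one-line comment on the /etc/default/bind9 item, e.g. `# startup environment is only read on (re)start, not on reload`, would keep the next cleanup from unifying it again.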
@@ -21,7 +21,7 @@ actions = {
 ],
 },
 'pull_freescout': {
- 'command': run_as('www-data', 'git -C /opt/freescout pull'),
+ 'command': run_as('www-data', 'git -C /opt/freescout fetch origin dist && git -C /opt/freescout reset --hard origin/dist && git -C /opt/freescout clean -f'),
 'unless': run_as('www-data', 'git -C /opt/freescout fetch origin && git -C /opt/freescout status -uno | grep -q "Your branch is up to date"'),
 'needs': [
 'action:clone_freescout',
diff --git a/bundles/freescout/metadata.py b/bundles/freescout/metadata.py
index e07d7c9..b15530e 100644
--- a/bundles/freescout/metadata.py
+++ b/bundles/freescout/metadata.py
@@ -1,3 +1,6 @@
+from base64 import b64decode
+
+# hash: SCRAM-SHA-256$4096:tQNfqQi7seqNDwJdHqCHbg==$r3ibECluHJaY6VRwpvPqrtCjgrEK7lAkgtUO8/tllTU=:+eeo4M0L2SowfyHFxT2FRqGzezve4ZOEocSIo11DATA=
 database_password = repo.vault.password_for(f'{node.name} postgresql freescout').value
 defaults = {
@@ -38,7 +41,10 @@ defaults = {
 'postgresql': {
 'roles': {
 'freescout': {
- 'password': database_password,
+ 'password_hash': repo.libs.postgres.generate_scram_sha_256(
+ database_password,
+ b64decode(repo.vault.random_bytes_as_base64_for(f'{node.name} postgres freescout', length=16).value.encode()),
+ ),
 },
 },
 'databases': {
diff --git a/bundles/zsh/items.py b/bundles/zsh/items.py
index 60b8d86..28848c5 100644
--- a/bundles/zsh/items.py
+++ b/bundles/zsh/items.py
@@ -3,13 +3,13 @@ from os.path import join
 directories = {
 '/etc/zsh/oh-my-zsh': {},
 '/etc/zsh/oh-my-zsh/custom/plugins': {
- 'mode': '0744',
+ 'mode': '0755',
 'needs': [
 f"git_deploy:/etc/zsh/oh-my-zsh",
 ]
 },
 '/etc/zsh/oh-my-zsh/custom/plugins/zsh-autosuggestions': {
- 'mode': '0744',
+ 'mode': '0755',
 'needs': [
 f"git_deploy:/etc/zsh/oh-my-zsh",
 ]
@@ -29,10 +29,10 @@ git_deploy = {
 files = {
 '/etc/zsh/zprofile': {
- 'mode': '0744',
+ 'mode': '0755',
 },
 '/etc/zsh/oh-my-zsh/themes/bw.zsh-theme': {
- 'mode': '0744',
+ 'mode': '0755',
 'needs': [
 f"git_deploy:/etc/zsh/oh-my-zsh",
 ]
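Review bot: The trailing `git -C /opt/freescout clean -f` in the new `pull_freescout` command deletes every untracked file under /opt/freescout that the repository's .gitignore does not cover, so anything placed there outside of git (a hand-edited config, a custom module, uploaded data if it lives in a non-ignored path) disappears on the next update with no backup; whether FreeScout's ignore list protects its `.env` and storage paths should be verified before this ships, and if in doubt exclude them explicitly, e.g. `git -C /opt/freescout clean -f -e .env -e storage`. `reset --hard origin/dist` also takes whatever the remote serves with no integrity check; if upstream signs its releases, verifying the commit or tag before the reset would close that supply-chain gap. Minor: the `unless` fetches `origin` while the command fetches `origin dist` — aligning the two avoids a spurious "up to date" verdict on other branches. The `actions` dict continues outside the hunk.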
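Review bot: The `# hash: SCRAM-SHA-256$4096:...` comment added at the top of bundles/freescout/metadata.py is a complete SCRAM verifier committed to version control and should be removed; if it is the live verifier of the freescout role rather than a pasted example, treat it as a leaked credential artifact — a verifier's StoredKey/ServerKey lets its holder impersonate the server and is sufficient material for offline guessing — and rotate the vault-derived password after deleting it. In the second hunk the salt key `f'{node.name} postgres freescout'` and the password key `f'{node.name} postgresql freescout'` differ only by `postgres`/`postgresql`, which looks accidental; one shared key prefix would make the two secrets visibly paired. A short comment above `'password_hash'`, e.g. `# salt is vault-derived (presumably deterministic per node), so the verifier is stable across applies`, would explain why a random salt is not generated on each run.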
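Review bot: In the `files` hunk of bundles/zsh/items.py, `/etc/zsh/zprofile` and `bw.zsh-theme` go to `'mode': '0755'`, but both are only sourced by the shell and do not need the execute bit; `'mode': '0644'` would be the least-privilege setting. The raised 0755 on the directories in the first hunk is the right fix (0744 broke traversal), and the same pattern applies to the `chown_oh_my_zsh` action in the following hunk, whose `chmod -R 755` marks every checked-out file executable — `'command': 'chmod -R u=rwX,go=rX /etc/zsh/oh-my-zsh'` keeps directories and already-executable scripts at 755 while leaving plain files at 644, so the file items and the action no longer disagree. That action's name says chown while it runs chmod; renaming it `chmod_oh_my_zsh` would save a future reader a double take.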
@@ -41,7 +41,7 @@ files = {
 actions = {
 'chown_oh_my_zsh': {
- 'command': 'chmod -R 744 /etc/zsh/oh-my-zsh',
+ 'command': 'chmod -R 755 /etc/zsh/oh-my-zsh',
 'triggered': True,
 'triggered_by': [
 "git_deploy:/etc/zsh/oh-my-zsh",
diff --git a/libs/postgres.py b/libs/postgres.py
new file mode 100644
index 0000000..ed80036
--- /dev/null
+++ b/libs/postgres.py
@@ -0,0 +1,23 @@
+from base64 import standard_b64encode
+from hashlib import pbkdf2_hmac, sha256
+import hmac
+
+
+def b64enc(b: bytes) -> str:
+ return standard_b64encode(b).decode('utf8')
+
+def generate_scram_sha_256(password, salt):
+ if len(salt) != 16:
+ raise ValueError(f"Salt '{salt}' is not 16, but {len(salt)} characters long.")
+
+ digest_len = 32
+ iterations = 4096
+
+ digest_key = pbkdf2_hmac('sha256', password.encode('utf8'), salt, iterations, digest_len)
+ client_key = hmac.digest(digest_key, 'Client Key'.encode('utf8'), 'sha256')
+ stored_key = sha256(client_key).digest()
+ server_key = hmac.digest(digest_key, 'Server Key'.encode('utf8'), 'sha256')
+
+ return f'SCRAM-SHA-256${iterations}:{b64enc(salt)}${b64enc(stored_key)}:{b64enc(server_key)}'
+
+
diff --git a/nodes/mseibert.freescout.py b/nodes/mseibert.freescout.py
index 61bbebd..4125052 100644
--- a/nodes/mseibert.freescout.py
+++ b/nodes/mseibert.freescout.py
@@ -27,7 +27,7 @@
 },
 },
 'freescout': {
- 'domain': 'freescout.foerderkreis-oranienschule.de',
+ 'domain': 'foerderkreis.oranienschule-wiesbaden-wiki.de',
 },
 'vm': {
 'cores': 1,
diff --git a/nodes/netcup.mails.py b/nodes/netcup.mails.py
index ac64d81..181d030 100644
--- a/nodes/netcup.mails.py
+++ b/nodes/netcup.mails.py
@@ -16,7 +16,7 @@
 'download-server',
 'islamicstate.eu',
 'nginx-rtmps',
- 'steam',
+ #'steam',
 'wireguard',
 'zfs',
 ],
@@ -53,7 +53,7 @@
 'left4.me',
 'elimu-kwanza.de',
 'cronekorkn.de',
- 'freescout.foerderkreis-oranienschule.de',
+ 'foerderkreis.oranienschule-wiesbaden-wiki.de',
 },
 },
 'dns': {
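Review bot: `generate_scram_sha_256` in the new libs/postgres.py feeds `password.encode('utf8')` straight into PBKDF2, but PostgreSQL runs the password through SASLprep (RFC 7677 / RFC 4013) before deriving the keys, so a password containing non-ASCII characters produces a verifier the server will never accept; the vault-generated password is presumably ASCII, but that constraint should be stated in a docstring or enforced with an explicit check rather than left implicit. The length check's message says "characters" for a bytes salt and interpolates the salt itself; `raise ValueError(f"Salt must be 16 bytes, got {len(salt)}")` is accurate and keeps the value out of tracebacks and logs. The function has neither annotations nor a docstring: `def generate_scram_sha_256(password: str, salt: bytes) -> str:` plus a docstring saying it returns a PostgreSQL-compatible SCRAM-SHA-256 verifier string using 4096 iterations (the server default) and is deterministic for a given password and salt would make the contract clear, and `b'Client Key'` / `b'Server Key'` read better than the `.encode('utf8')` calls.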
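Review bot: Commenting out `'steam'` in nodes/netcup.mails.py (first hunk) only stops managing that bundle's items; as far as I know bundlewrap does not undo items that vanish from a node, so whatever the bundle installed keeps running on the host, now unmanaged and unpatched, unless it is removed explicitly. If the intent is to retire it, an explicit removal should accompany this; if it is parked temporarily, a note such as `#'steam',  # disabled: <reason>, leftovers on host still to be cleaned up` records why it is commented out rather than deleted. The second hunk is a plain domain rename and needs nothing.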