diff --git a/bundles/archive/README.md b/bundles/archive/README.md
new file mode 100644
index 0000000..acf574a
--- /dev/null
+++ b/bundles/archive/README.md
@@ -0,0 +1,10 @@
+```
+defaults = {
+ 'archive': {
+ 'exclude': [
+ '\.cache/',
+ '\.log$',
+ ],
+ },
+}
+```
diff --git a/bundles/archive/metadata.py b/bundles/archive/metadata.py
index dacd3b4..b0c5a0d 100644
--- a/bundles/archive/metadata.py
+++ b/bundles/archive/metadata.py
@@ -1,4 +1,20 @@
 defaults = {
- 'backup': [],
 'archive': {},
 }
+
+
+@metadata_reactor.provides(
+ 'gocryptfs',
+)
+def gocryptfs(metadata):
+ gocryptfs = {}
+
+ for path in metadata.get('archive'):
+ gocryptfs[path] = {
+ 'mountpoint': f'/mnt/gocryptfs{path}',
+ 'reverse': True,
+ }
+
+ return {
+ 'gocryptfs': gocryptfs,
+ }
diff --git a/bundles/gocryptfs/items.py b/bundles/gocryptfs/items.py
new file mode 100644
index 0000000..0acf942
--- /dev/null
+++ b/bundles/gocryptfs/items.py
@@ -0,0 +1,40 @@
+from hashlib import sha3_256
+from base64 import b64decode, b64encode
+from binascii import hexlify
+from uuid import UUID
+from json import dumps
+
+id = node.metadata.get('id')
+
+directories['/etc/gocryptfs'] = {
+ 'purge': True,
+}
+
+files['/etc/gocryptfs/masterkey'] = {
+ 'content': hexlify(b64decode(
+ str(repo.vault.random_bytes_as_base64_for(id, length=32))
+ )),
+ 'mode': '500',
+}
+
+files['/etc/gocryptfs/gocryptfs.conf'] = {
+ 'content': dumps({
+ 'Version': 2,
+ 'Creator': 'gocryptfs 1.6.1',
+ 'ScryptObject': {
+ 'Salt': b64encode(
+ sha3_256(UUID(id).bytes).digest()
+ ).decode(),
+ 'N': 65536,
+ 'R': 8,
+ 'P': 1,
+ 'KeyLen': 32,
+ },
+ 'FeatureFlags': [
+ 'GCMIV128',
+ 'HKDF',
+ 'PlaintextNames',
+ 'AESSIV',
+ ]
+ }, indent=4, sort_keys=True)
+}
diff --git a/bundles/gocryptfs/metadata.py b/bundles/gocryptfs/metadata.py
new file mode 100644
index 0000000..a987e70
--- /dev/null
+++ b/bundles/gocryptfs/metadata.py
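Review bot: The reactor in bundles/archive/metadata.py treats every key of `metadata.get('archive')` as a path to mount, but the README added in the same commit documents the key as `'archive': {'exclude': [...]}`, under which `exclude` would become a gocryptfs entry with mountpoint `/mnt/gocryptfsexclude`; if the README layout is the intended schema, the mount paths need a sub-key of their own, otherwise the README should show path keys. The f-string `f'/mnt/gocryptfs{path}'` also glues a key that lacks a leading slash straight onto `gocryptfs`, so `'mountpoint': '/mnt/gocryptfs/' + path.lstrip('/'),` keeps every mountpoint under `/mnt/gocryptfs` regardless of how the key is written. This reactor provides `gocryptfs` while the new gocryptfs bundle's reactor reads and provides the same key, so what that reactor sees is the merged result of both; a one-line comment stating that this is the intended flow would save the next reader from tracing it.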
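Review bot: The generated `gocryptfs.conf` in bundles/gocryptfs/items.py carries a `ScryptObject` but no `EncryptedKey`, so nothing in this config is password-protected and the hex key written to `/etc/gocryptfs/masterkey` is the only secret that unlocks the filesystem; whether gocryptfs accepts a config without `EncryptedKey` when driven by `-masterkey` should be confirmed, and if it does the node-id-derived salt serves no purpose and could be dropped. That key file gets `'mode': '500'`, which includes an execute bit a key file never needs; `'mode': '400',` is the tighter setting. `hexlify()` returns `bytes` while the conf's `Salt` is `.decode()`d to `str`, so the two `content` values are inconsistent — confirm bundlewrap accepts a bytes `content` here, or add `.decode()`. `id = node.metadata.get('id')` shadows the builtin; `node_id = node.metadata.get('id')` avoids that, and a node in the archive group without an `id` currently fails inside `UUID(None)` with a bare `TypeError` rather than a message naming the missing metadata.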
@@ -0,0 +1,18 @@
+defaults = {
+ 'gocryptfs': {},
+}
+
+
+@metadata_reactor.provides(
+ 'gocryptfs',
+)
+def gocryptfs(metadata):
+ gocryptfs = {}
+
+ for path, options in metadata.get('gocryptfs'):
+ gocryptfs[path] = {
+ }
+
+ return {
+ 'gocryptfs': gocryptfs,
+ }
diff --git a/groups/applications/archive.py b/groups/applications/archive.py
index 4f8d809..5ce7e4a 100644
--- a/groups/applications/archive.py
+++ b/groups/applications/archive.py
@@ -4,5 +4,6 @@
 ],
 'bundles': [
 'archive',
+ 'gocryptfs',
 ],
 }
diff --git a/nodes/home.backups.py b/nodes/home.backups.py
index 418626e..4b5444a 100644
--- a/nodes/home.backups.py
+++ b/nodes/home.backups.py
@@ -2,5 +2,7 @@
 'groups': [
 'debian-10',
 ],
- 'metadata': {},
+ 'metadata': {
+ 'id': '9cf52515-63a1-4659-a8ec-6c3c881727e5',
+ },
 }
diff --git a/nodes/home.server.py b/nodes/home.server.py
index 1e8bd69..b9a2971 100644
--- a/nodes/home.server.py
+++ b/nodes/home.server.py
@@ -11,6 +11,7 @@
 'wireguard',
 ],
 'metadata': {
+ 'id': 'af96709e-b13f-4965-a588-ef2cd476437a',
 'network': {
 'interface': 'enp1s0f0',
 'ipv4': '10.0.0.2/24',
diff --git a/nodes/htz.games.py b/nodes/htz.games.py
index 8363a2b..fb40ecf 100644
--- a/nodes/htz.games.py
+++ b/nodes/htz.games.py
@@ -6,5 +6,7 @@
 'steam',
 'l4d2',
 ],
- 'metadata': {},
+ 'metadata': {
+ 'id': '353bb086-f3ce-4f36-8533-e91786c91ed9',
+ },
 }
diff --git a/nodes/htz.mails.py b/nodes/htz.mails.py
index 8bd417f..8401262 100644
--- a/nodes/htz.mails.py
+++ b/nodes/htz.mails.py
@@ -1,6 +1,7 @@
 {
 'hostname': '162.55.188.157',
 'groups': [
+ 'archive',
 'hetzner-cloud',
 'debian-10',
 'mailserver',
@@ -27,6 +28,7 @@
 'ckn.li': [],
 },
 },
+ 'id': 'ea29bdf0-0b47-4bf4-8346-67d60c9dc4ae',
 'network': {
 'interface': 'eth0',
 'ipv4': '162.55.188.157/32',
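Review bot: `for path, options in metadata.get('gocryptfs'):` iterates the dict's keys, so each path string is unpacked into two names and raises `ValueError` for any key that is not exactly two characters long; the loop needs `.items()`: `for path, options in metadata.get('gocryptfs').items():`. The body then discards `options` and returns an empty dict per path, so the reactor currently contributes nothing; if it is a placeholder for later normalisation, a `# TODO` comment saying what it will fill in would make that explicit. The reactor also reads the same `gocryptfs` key it provides, which is presumably relying on bundlewrap's re-run-until-stable behaviour; worth confirming that this is supported for the installed version and documenting it in the function's docstring.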