cronekorkn/bundlewrap
1
0
Fork 0
Code Issues Pull requests Projects Releases Wiki Activity

Merge pull request 'mseibert_yourls and many other fixes' (#19) from mseibert_yourls into master

Browse source 
Reviewed-on: #19
This commit is contained in:
cronekorkn 2025-06-22 10:09:58 +02:00
commit 5d95a33c5a
26 changed files with 265 additions and 26 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

3
bundles/apt/README.md
View file

@ -13,6 +13,9 @@
'deb',
'deb-src',
},
'options': { # optional
'aarch': 'amd64',
},
'urls': {
'https://deb.debian.org/debian',
},

1
bundles/apt/items.py
View file

@ -62,6 +62,7 @@ files = {
'/usr/lib/nagios/plugins/check_apt_upgradable': {
'mode': '0755',
},
# /etc/kernel/postinst.d/apt-auto-removal
}
actions = {

2
bundles/gitea/files/app.ini
View file

@ -40,7 +40,7 @@ ENABLE_OPENID_SIGNUP = false
[service]
REGISTER_EMAIL_CONFIRM = true
ENABLE_NOTIFY_MAIL = true
DISABLE_REGISTRATION = false
DISABLE_REGISTRATION = true
ALLOW_ONLY_EXTERNAL_REGISTRATION = false
ENABLE_CAPTCHA = false
REQUIRE_SIGNIN_VIEW = false

4
bundles/grafana/metadata.py
View file

@ -69,6 +69,9 @@ defaults = {
},
},
},
'nginx': {
'has_websockets': True,
},
}
@ -144,6 +147,7 @@ def dns(metadata):
def nginx(metadata):
return {
'nginx': {
'has_websockets': True,
'vhosts': {
metadata.get('grafana/hostname'): {
'content': 'grafana/vhost.conf',

2
bundles/kea-dhcpd/items.py
View file

@ -15,7 +15,7 @@ svc_systemd = {
'needs': [
'pkg_apt:kea-dhcp4-server',
'file:/etc/kea/kea-dhcp4.conf',
'svc_systemd:systemd-networkd:restart',
'svc_systemd:systemd-networkd.service:restart',
],
},
}

2
bundles/mariadb/items.py
View file

@ -11,7 +11,7 @@ directories = {
'needs': [
'zfs_dataset:tank/mariadb',
],
'needed_by': [
'needs': [
'pkg_apt:mariadb-server',
'pkg_apt:mariadb-client',
],

4
bundles/mariadb/metadata.py
View file

@ -3,12 +3,12 @@ defaults = {
'packages': {
'mariadb-server': {
'needs': {
'zfs_dataset:tank/mariadb',
#'zfs_dataset:tank/mariadb',
},
},
'mariadb-client': {
'needs': {
'zfs_dataset:tank/mariadb',
#'zfs_dataset:tank/mariadb',
},
},
},

10
bundles/nginx/files/nginx.conf
View file

@ -31,5 +31,13 @@ http {
}
% endif
include /etc/nginx/sites/*;
% if has_websockets:
map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
}
% endif
include /etc/nginx/sites-enabled/*;
}

13
bundles/nginx/items.py
View file

@ -9,7 +9,7 @@ directories = {
'svc_systemd:nginx:restart',
},
},
'/etc/nginx/sites': {
'/etc/nginx/sites-available': {
'purge': True,
'triggers': {
'svc_systemd:nginx:restart',
@ -33,6 +33,7 @@ files = {
'context': {
'modules': node.metadata.get('nginx/modules'),
'worker_processes': node.metadata.get('vm/cores'),
'has_websockets': node.metadata.get('nginx/has_websockets'),
},
'triggers': {
'svc_systemd:nginx:restart',
@ -75,6 +76,12 @@ files = {
},
}
symlinks = {
'/etc/nginx/sites-enabled': {
'target': '/etc/nginx/sites-available',
},
}
actions = {
'nginx-generate-dhparam': {
'command': 'openssl dhparam -dsaparam -out /etc/ssl/certs/dhparam.pem 4096',
@ -93,7 +100,7 @@ svc_systemd = {
for name, config in node.metadata.get('nginx/vhosts').items():
files[f'/etc/nginx/sites/{name}'] = {
files[f'/etc/nginx/sites-available/{name}'] = {
'content': Template(filename=join(repo.path, 'data', config['content'])).render(
server_name=name,
**config.get('context', {}),
@ -109,6 +116,6 @@ for name, config in node.metadata.get('nginx/vhosts').items():
}
if name in node.metadata.get('letsencrypt/domains'):
files[f'/etc/nginx/sites/{name}']['needs'].append(
files[f'/etc/nginx/sites-available/{name}']['needs'].append(
f'action:letsencrypt_ensure-some-certificate_{name}',
)

1
bundles/nginx/metadata.py
View file

@ -18,6 +18,7 @@ defaults = {
'nginx': {
'vhosts': {},
'modules': set(),
'has_websockets': False,
},
'systemd': {
'units': {

2
bundles/redis/items.py
View file

@ -2,12 +2,14 @@ directories = {
'/etc/redis': {
'purge': True,
'owner': 'redis',
'mode': '2770',
'needs': [
'pkg_apt:redis-server',
],
},
'/var/lib/redis': {
'owner': 'redis',
'mode': '0750',
'needs': [
'pkg_apt:redis-server',
],

9
bundles/systemd-networkd/files/resolv.conf
View file

@ -1,3 +1,10 @@
% for nameserver in sorted(node.metadata.get('nameservers')):
<%
nameservers = (
node.metadata.get('overwrite_nameservers', []) or
node.metadata.get('nameservers', [])
)
%>\
\
% for nameserver in nameservers:
nameserver ${nameserver}
% endfor

3
bundles/systemd-networkd/items.py
View file

@ -19,5 +19,6 @@ directories = {
}
svc_systemd = {
'systemd-networkd': {},
'systemd-networkd.service': {},
}

4
bundles/systemd/items.py
View file

@ -24,10 +24,10 @@ for name, unit in node.metadata.get('systemd/units').items():
path = f'/etc/systemd/network/{name}'
dependencies = {
'needed_by': [
'svc_systemd:systemd-networkd',
'svc_systemd:systemd-networkd.service',
],
'triggers': [
'svc_systemd:systemd-networkd:restart',
'svc_systemd:systemd-networkd.service:restart',
],
}
elif extension in ['timer', 'service', 'mount', 'swap', 'target']:

2
bundles/wireguard/metadata.py
View file

@ -12,7 +12,7 @@ defaults = {
'wireguard': {
'backports': node.os_version < (11,),
'triggers': [
'svc_systemd:systemd-networkd:restart',
'svc_systemd:systemd-networkd.service:restart',
],
},
},

24
bundles/yourls/files/config.php Normal file
View file

@ -0,0 +1,24 @@
<?php
define( 'YOURLS_DB_USER', 'yourls' );
define( 'YOURLS_DB_PASS', '${db_password}' );
define( 'YOURLS_DB_NAME', 'yourls' );
define( 'YOURLS_DB_HOST', 'localhost' );
define( 'YOURLS_DB_PREFIX', 'yourls_' );
define( 'YOURLS_SITE', 'https://${hostname}' );
define( 'YOURLS_LANG', '' );
define( 'YOURLS_UNIQUE_URLS', true );
define( 'YOURLS_PRIVATE', true );
define( 'YOURLS_COOKIEKEY', '${cookiekey}' );
$yourls_user_passwords = [
% for username, password in users.items():
'${username}' => '${password}',
% endfor
];
define( 'YOURLS_URL_CONVERT', 36 );
define( 'YOURLS_DEBUG', false );
$yourls_reserved_URL = [];

48
bundles/yourls/items.py Normal file
View file

@ -0,0 +1,48 @@
directories = {
'/var/www/yourls/htdocs': {
'owner': 'www-data',
'group': 'www-data',
'mode': '0755',
},
}
git_deploy = {
'/var/www/yourls/htdocs': {
'repo': 'https://github.com/YOURLS/YOURLS.git',
'rev': node.metadata.get('yourls/version'),
'needs': [
'directory:/var/www/yourls/htdocs',
],
'triggers': [
'svc_systemd:nginx:restart',
],
},
}
files = {
f'/var/www/yourls/htdocs/user/config.php': {
'content_type': 'mako',
'mode': '0440',
'owner': 'www-data',
'group': 'www-data',
'context': {
'db_password': node.metadata.get('mariadb/databases/yourls/password'),
'hostname': node.metadata.get('yourls/hostname'),
'cookiekey': node.metadata.get('yourls/cookiekey'),
'users': node.metadata.get('yourls/users'),
},
'needs': [
'git_deploy:/var/www/yourls/htdocs',
],
'triggers': [
'svc_systemd:nginx:restart',
],
},
# FIXME:
'/var/www/certbot': {
'owner': 'www-data',
'group': 'www-data',
'mode': '0755',
}
}

42
bundles/yourls/metadata.py Normal file
View file

@ -0,0 +1,42 @@
defaults = {
'mariadb': {
'databases': {
'yourls': {
'password': repo.vault.random_bytes_as_base64_for(f'{node.name} yourls DB', length=32).value,
},
},
},
}
@metadata_reactor.provides(
'apt/packages',
)
def apt(metadata):
php_version = metadata.get('php/version')
return {
'apt':{
'packages': {
f'php{php_version}-mysql': {},
},
},
}
@metadata_reactor.provides(
'nginx/vhosts',
)
def nginx(metadata):
return {
'nginx': {
'vhosts': {
metadata.get('yourls/hostname'): {
'content': 'yourls/vhost.conf',
'context': {
'php_version': metadata.get('php/version'),
},
},
},
},
}

5
data/grafana/vhost.conf
View file

@ -1,8 +1,3 @@
map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;

4
data/nginx/proxy_pass.conf
View file

@ -8,6 +8,10 @@ server {
location / {
proxy_set_header X-Real-IP $remote_addr;
% if websockets:
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
% endif
proxy_pass ${target};
}
}

31
data/yourls/vhost.conf Normal file
View file

@ -0,0 +1,31 @@
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name ${server_name};
ssl_certificate /etc/letsencrypt/archive/${server_name}/fullchain1.pem;
ssl_certificate_key /etc/letsencrypt/archive/${server_name}/privkey1.pem;
root /var/www/yourls/htdocs;
location / {
index index.php index.html index.htm;
try_files $uri $uri/ /yourls-loader.php$is_args$args;
}
location ~ \.php$ {
include params/fastcgi;
fastcgi_index index.php;
fastcgi_pass unix:/run/php/php${php_version}-fpm.sock;
}
# temp
location ^~ /.well-known/acme-challenge/ {
alias /var/www/certbot/;
}
}
# FIXME: this is a temporary solution to allow the certbot challenge to work:
# - ssl_certificate
# - ssl_certificate_key

4
groups.py
View file

@ -6,4 +6,8 @@ for root, dirs, files in walk(join(repo_path, "groups")):
if filename.endswith(".py"):
group = join(root, filename)
with open(group, 'r', encoding='utf-8') as f:
try:
groups[splitext(basename(filename))[0]] = eval(f.read())
except:
print(f"Error parsing {group}:")
raise

3
libs/rsa.py
View file

@ -1,12 +1,10 @@
# https://stackoverflow.com/a/18266970
from Crypto.PublicKey import RSA
from Crypto.Hash import HMAC
from struct import pack
from hashlib import sha3_512
from cryptography.hazmat.primitives.serialization import load_der_private_key
from functools import cache
from cache_to_disk import cache_to_disk
class PRNG(object):
@ -22,7 +20,6 @@ class PRNG(object):
return result
@cache_to_disk(30)
def _generate_deterministic_rsa_private_key(secret_bytes):
return RSA.generate(2048, randfunc=PRNG(secret_bytes)).export_key('DER')

60
nodes/mseibert.yourls.py Normal file
View file

@ -0,0 +1,60 @@
# https://teamvault.apps.seibert-media.net/secrets/mkqMRv/
# https://console.hetzner.cloud/projects/889138/servers/46578341
{
'hostname': '168.119.250.114',
'groups': [
#'backup',
'debian-12',
#'monitored',
'webserver',
],
'bundles': [
#'wireguard',
'mariadb',
'php',
'yourls',
'zfs',
],
'metadata': {
'id': '52efcd47-edd8-426c-aead-c492553d14f9',
'network': {
'internal': {
'interface': 'ens10',
'ipv4': '10.0.227.4/24',
},
'external': {
'interface': 'eth0',
'ipv4': '168.119.250.114/32',
'gateway4': '172.31.1.1',
'ipv6': '2a01:4f8:c013:e321::2/64',
'gateway6': 'fe80::1',
},
},
'yourls': {
'hostname': "direkt.oranienschule.de",
'cookiekey': "!decrypt:encrypt$gAAAAABoRvmcUs3t7PREllyeN--jBqs0XYewMHW16GWC-ikLzsDSe02YKGycOlgXuHU4hzKbNjGMEutpFXRLk9Zji6bbpy4GdyE6vStfwd8ZT0obAyoqBPwI47LwUlDSFMS51y5j8rG5",
'version': "1.10.1",
'users': {
'mseibert': "!decrypt:encrypt$gAAAAABoRwtOcslyRY9ahkmtVI8QbXgJhyE3nuk04eakFDKl-4OZViiRvjtQW3Uwqki1aFeAS-syzr0Ug5sZM_zNelNahjZyzW1k47Xg9GltGNn_zp-uUII=",
},
},
# FIXME:
'overwrite_nameservers': [
'8.8.8.8',
],
'vm': {
'cores': 2,
'ram': 4096,
},
'zfs': {
'pools': {
'tank': {
'devices': [
'/var/lib/zfs_file',
],
},
},
},
},
}

1
nodes/wb.offsite-backups.py
View file

@ -1,4 +1,5 @@
{
'dummy': True,
'hostname': '192.168.179.20',
'groups': [
'debian-12',

1
requirements.txt
View file

@ -3,5 +3,4 @@ pycryptodome
PyNaCl
PyYAML
pyqrcode
cache_to_disk
setuptools