From a3ba06bcb092852492f5d8d957b0012b8068323f Mon Sep 17 00:00:00 2001 From: cronekorkn Date: Wed, 9 Oct 2024 12:50:18 +0200 Subject: [PATCH] pipes -> shlex --- bundles/nginx/files/nginx.conf | 4 +++- bundles/nginx/items.py | 1 + items/download.py | 8 ++++---- nodes/home.router.py | 20 ++++++++++---------- 4 files changed, 18 insertions(+), 15 deletions(-) diff --git a/bundles/nginx/files/nginx.conf b/bundles/nginx/files/nginx.conf index d3c1361..f4beed0 100644 --- a/bundles/nginx/files/nginx.conf +++ b/bundles/nginx/files/nginx.conf @@ -1,6 +1,6 @@ pid /var/run/nginx.pid; user www-data; -worker_processes 10; +worker_processes ${worker_processes}; % for module in sorted(modules): load_module modules/ngx_${module}_module.so; @@ -22,6 +22,8 @@ http { tcp_nopush on; client_max_body_size 32G; ssl_dhparam "/etc/ssl/certs/dhparam.pem"; + # dont show nginx version + server_tokens off; % if node.has_bundle('php'): upstream php-handler { diff --git a/bundles/nginx/items.py b/bundles/nginx/items.py index 0fddc0c..b8f5849 100644 --- a/bundles/nginx/items.py +++ b/bundles/nginx/items.py @@ -32,6 +32,7 @@ files = { 'content_type': 'mako', 'context': { 'modules': node.metadata.get('nginx/modules'), + 'worker_processes': node.metadata.get('vm/cores'), }, 'triggers': { 'svc_systemd:nginx:restart', diff --git a/items/download.py b/items/download.py index 799b1a1..85b836f 100644 --- a/items/download.py +++ b/items/download.py @@ -3,7 +3,7 @@ from bundlewrap.exceptions import BundleError from bundlewrap.utils.text import force_text, mark_for_translation as _ from bundlewrap.utils.remote import PathInfo import types -from pipes import quote +from shlex import quote # Downloaded from https://github.com/bundlewrap/plugins/blob/master/item_download/items/download.py # No, we can't use plugins here, because bw4 won't support them anymore. 
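Review bot: The comment on the added `server_tokens off;` line in the second nginx.conf hunk says less than the directive does. It removes the version from the `Server` response header and from nginx-generated error pages, while the header still identifies the server as nginx. I would word it `# omit the nginx version from the Server header and error pages`. The `http` block it sits in continues outside the hunk.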
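Review bot: The added context entry `'worker_processes': node.metadata.get('vm/cores')` in bundles/nginx/items.py has no fallback. The value rendered into `worker_processes ${worker_processes};` in the first nginx.conf hunk therefore depends on every node with this bundle defining `vm/cores`. Unless a default is declared elsewhere in the bundle's metadata, a node without that key will presumably either fail the lookup or render a directive nginx rejects. nginx accepts `auto` for this directive, so `'worker_processes': node.metadata.get('vm/cores', 'auto'),` would keep such nodes deployable. The `files` dict starts and ends outside the hunk.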
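Review bot: Quoting in items/download.py is uneven. `quote` now comes from `shlex`, but the two `curl` commands visible as context in the next hunk of this file (around line 104) still interpolate `gpg_pubkey_url` and `full_signature_url` into the shell string unquoted, while `signature_path` and `self.name` are quoted. A URL containing `&`, `;` or `$` would be interpreted by the shell on the node, so I would write `f"curl -sSL {quote(self.attributes['gpg_pubkey_url'])} | gpg --import -"` and `f"curl -L {quote(full_signature_url)} -o {quote(signature_path)}"`. Separately, the same block accepts `b'Good signature'` in gpg's stderr after importing the key from a URL in the same run, which shows the file matches some key in the keyring rather than a pinned one; checking the signer's fingerprint, or gpg's exit status and `--status-fd` output, would be stronger. The method these lines belong to starts outside both hunks.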
@@ -101,16 +101,16 @@ class Download(Item): elif self.attributes.get('gpg_signature_url'): full_signature_url = self.attributes['gpg_signature_url'].format(url=self.attributes['url']) signature_path = f'{self.name}.signature' - + self.node.run(f"curl -sSL {self.attributes['gpg_pubkey_url']} | gpg --import -") self.node.run(f"curl -L {full_signature_url} -o {quote(signature_path)}") gpg_output = self.node.run(f"gpg --verify {quote(signature_path)} {quote(self.name)}").stderr - + if b'Good signature' in gpg_output: sdict['verified'] = True else: sdict['verified'] = False - + return sdict @classmethod diff --git a/nodes/home.router.py b/nodes/home.router.py index 57fffba..a57efd1 100644 --- a/nodes/home.router.py +++ b/nodes/home.router.py @@ -43,17 +43,17 @@ 'dhcp_server': True, }, }, - 'nftables': { - 'forward': { - # Drop DHCP client requests (UDP port 68) - 'udp sport 68 drop', - 'udp dport 68 drop', + # 'nftables': { + # 'forward': { + # # Drop DHCP client requests (UDP port 68) + # 'udp sport 68 drop', + # 'udp dport 68 drop', - # Drop DHCP server responses (UDP port 67) - 'udp sport 67 drop', - 'udp dport 67 drop', - }, - }, + # # Drop DHCP server responses (UDP port 67) + # 'udp sport 67 drop', + # 'udp dport 67 drop', + # }, + # }, 'sysctl': { 'net': { 'ipv4': {
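Review bot: In nodes/home.router.py the `nftables` `forward` rules that drop UDP 67/68 are disabled by commenting them out, with no reason given in the file and nothing about a firewall change in the commit subject (`pipes -> shlex`). On a router node that also has `'dhcp_server': True` interfaces, this presumably widens what the forward chain passes. It deserves its own commit, or at least a line such as `# DHCP forward drops disabled: <reason>` above the block. If the rules are gone for good, delete them rather than keeping dead config. The node dict this belongs to starts and ends outside the hunk.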