From ab87fe6f969563b74f29fdbe0ed9eceedfdc2cb7 Mon Sep 17 00:00:00 2001 From: cronekorkn Date: Thu, 8 Feb 2024 13:45:35 +0100 Subject: [PATCH] freescout --- bundles/bind/items.py | 16 +++--- bundles/freescout/README.md | 13 +++++ bundles/freescout/items.py | 62 ++++++++++++++++++++ bundles/freescout/metadata.py | 98 ++++++++++++++++++++++++++++++++ bundles/gitea/metadata.py | 2 +- bundles/icinga2/items.py | 2 +- bundles/php/items.py | 12 +--- bundles/php/metadata.py | 4 +- bundles/postgresql/items.py | 15 +++-- bundles/wordpress/metadata.py | 10 +++- bundles/zsh/items.py | 10 ++-- data/freescout/vhost.conf | 53 +++++++++++++++++ groups/applications/freescout.py | 10 ++++ libs/postgres.py | 23 ++++++++ libs/tools.py | 6 ++ nodes/home.server.py | 1 + nodes/mseibert.freescout.py | 60 +++++++++++++++++++ nodes/netcup.mails.py | 8 ++- 18 files changed, 371 insertions(+), 34 deletions(-) create mode 100644 bundles/freescout/README.md create mode 100644 bundles/freescout/items.py create mode 100644 bundles/freescout/metadata.py create mode 100644 data/freescout/vhost.conf create mode 100644 groups/applications/freescout.py create mode 100644 libs/postgres.py create mode 100644 nodes/mseibert.freescout.py diff --git a/bundles/bind/items.py b/bundles/bind/items.py index b85c92e..6283b34 100644 --- a/bundles/bind/items.py +++ b/bundles/bind/items.py @@ -19,7 +19,7 @@ directories[f'/var/lib/bind'] = { 'svc_systemd:bind9', ], 'triggers': [ - 'svc_systemd:bind9:restart', + 'svc_systemd:bind9:reload', ], } @@ -29,7 +29,7 @@ files['/etc/default/bind9'] = { 'svc_systemd:bind9', ], 'triggers': [ - 'svc_systemd:bind9:restart', + 'svc_systemd:bind9:reload', ], } @@ -43,7 +43,7 @@ files['/etc/bind/named.conf'] = { 'svc_systemd:bind9', ], 'triggers': [ - 'svc_systemd:bind9:restart', + 'svc_systemd:bind9:reload', ], } @@ -63,7 +63,7 @@ files['/etc/bind/named.conf.options'] = { 'svc_systemd:bind9', ], 'triggers': [ - 'svc_systemd:bind9:restart', + 'svc_systemd:bind9:reload', ], } @@ -93,7 +93,7 @@ files['/etc/bind/named.conf.local'] = { 'svc_systemd:bind9', ], 'triggers': [ - 'svc_systemd:bind9:restart', + 'svc_systemd:bind9:reload', ], } @@ -106,7 +106,7 @@ for view_name, view_conf in master_node.metadata.get('bind/views').items(): 'svc_systemd:bind9', ], 'triggers': [ - 'svc_systemd:bind9:restart', + 'svc_systemd:bind9:reload', ], } @@ -127,7 +127,7 @@ for view_name, view_conf in master_node.metadata.get('bind/views').items(): 'svc_systemd:bind9', ], 'triggers': [ - 'svc_systemd:bind9:restart', + 'svc_systemd:bind9:reload', ], } @@ -139,6 +139,6 @@ actions['named-checkconf'] = { 'unless': 'named-checkconf -z', 'needs': [ 'svc_systemd:bind9', - 'svc_systemd:bind9:restart', + 'svc_systemd:bind9:reload', ] } diff --git a/bundles/freescout/README.md b/bundles/freescout/README.md new file mode 100644 index 0000000..c6f42e4 --- /dev/null +++ b/bundles/freescout/README.md @@ -0,0 +1,13 @@ +Pg Pass workaround: set manually: + +``` +root@freescout /ro psql freescout +psql (15.6 (Debian 15.6-0+deb12u1)) +Type "help" for help. + +freescout=# \password freescout +Enter new password for user "freescout": +Enter it again: +freescout=# +\q +``` diff --git a/bundles/freescout/items.py b/bundles/freescout/items.py new file mode 100644 index 0000000..e409e81 --- /dev/null +++ b/bundles/freescout/items.py @@ -0,0 +1,62 @@ +# https://github.com/freescout-helpdesk/freescout/wiki/Installation-Guide +run_as = repo.libs.tools.run_as +php_version = node.metadata.get('php/version') + + +directories = { + '/opt/freescout': { + 'owner': 'www-data', + 'group': 'www-data', + # chown -R www-data:www-data /opt/freescout + }, +} + +actions = { + 'clone_freescout': { + 'command': run_as('www-data', 'git clone https://github.com/freescout-helpdesk/freescout.git /opt/freescout'), + 'unless': 'test -e /opt/freescout/.git', + 'needs': [ + 'pkg_apt:git', + 'directory:/opt/freescout', + ], + }, + 'pull_freescout': { + 'command': run_as('www-data', 'git -C /opt/freescout fetch origin dist && git -C /opt/freescout reset --hard origin/dist && git -C /opt/freescout clean -f'), + 'unless': run_as('www-data', 'git -C /opt/freescout fetch origin && git -C /opt/freescout status -uno | grep -q "Your branch is up to date"'), + 'needs': [ + 'action:clone_freescout', + ], + 'triggers': [ + 'action:freescout_artisan_update', + f'svc_systemd:php{php_version}-fpm.service:restart', + ], + }, + 'freescout_artisan_update': { + 'command': run_as('www-data', 'php /opt/freescout/artisan freescout:after-app-update'), + 'triggered': True, + 'needs': [ + f'svc_systemd:php{php_version}-fpm.service:restart', + 'action:pull_freescout', + ], + }, +} + +# files = { +# '/opt/freescout/.env': { +# # https://github.com/freescout-helpdesk/freescout/blob/dist/.env.example +# # Every time you are making changes in .env file, in order changes to take an effect you need to run: +# # ´sudo su - www-data -c 'php /opt/freescout/artisan freescout:clear-cache' -s /bin/bash´ +# 'owner': 'www-data', +# 'content': '\n'.join( +# f'{k}={v}' for k, v in +# sorted(node.metadata.get('freescout/env').items()) +# ) + '\n', +# 'needs': [ +# 'directory:/opt/freescout', +# 'action:clone_freescout', +# ], +# }, +# } + +#sudo su - www-data -s /bin/bash -c 'php /opt/freescout/artisan freescout:create-user --role admin --firstName M --lastName W --email freescout@freibrief.net --password gyh.jzv2bnf6hvc.HKG --no-interaction' +#sudo su - www-data -s /bin/bash -c 'php /opt/freescout/artisan freescout:create-user --role admin --firstName M --lastName W --email freescout@freibrief.net --password gyh.jzv2bnf6hvc.HKG --no-interaction' diff --git a/bundles/freescout/metadata.py b/bundles/freescout/metadata.py new file mode 100644 index 0000000..b15530e --- /dev/null +++ b/bundles/freescout/metadata.py @@ -0,0 +1,98 @@ +from base64 import b64decode + +# hash: SCRAM-SHA-256$4096:tQNfqQi7seqNDwJdHqCHbg==$r3ibECluHJaY6VRwpvPqrtCjgrEK7lAkgtUO8/tllTU=:+eeo4M0L2SowfyHFxT2FRqGzezve4ZOEocSIo11DATA= +database_password = repo.vault.password_for(f'{node.name} postgresql freescout').value + +defaults = { + 'apt': { + 'packages': { + 'git': {}, + 'php': {}, + 'php-pgsql': {}, + 'php-fpm': {}, + 'php-mbstring': {}, + 'php-xml': {}, + 'php-imap': {}, + 'php-zip': {}, + 'php-gd': {}, + 'php-curl': {}, + 'php-intl': {}, + }, + }, + 'freescout': { + 'env': { + 'APP_TIMEZONE': 'Europe/Berlin', + 'DB_CONNECTION': 'pgsql', + 'DB_HOST': '127.0.0.1', + 'DB_PORT': '5432', + 'DB_DATABASE': 'freescout', + 'DB_USERNAME': 'freescout', + 'DB_PASSWORD': database_password, + 'APP_KEY': 'base64:' + repo.vault.random_bytes_as_base64_for(f'{node.name} freescout APP_KEY', length=32).value + }, + }, + 'php': { + 'php.ini': { + 'cgi': { + 'fix_pathinfo': '0', + }, + }, + }, + 'postgresql': { + 'roles': { + 'freescout': { + 'password_hash': repo.libs.postgres.generate_scram_sha_256( + database_password, + b64decode(repo.vault.random_bytes_as_base64_for(f'{node.name} postgres freescout', length=16).value.encode()), + ), + }, + }, + 'databases': { + 'freescout': { + 'owner': 'freescout', + }, + }, + }, + 'systemd-timers': { + 'freescout-cron': { + 'command': '/usr/bin/php /opt/freescout/artisan schedule:run', + 'when': 'Minutely', + 'user': 'www-data', + }, + }, + 'zfs': { + 'datasets': { + 'tank/freescout': { + 'mountpoint': '/opt/freescout', + }, + }, + }, +} + + +@metadata_reactor.provides( + 'freescout/env/APP_URL', +) +def freescout(metadata): + return { + 'freescout': { + 'env': { + 'APP_URL': 'https://' + metadata.get('freescout/domain') + '/', + }, + }, + } + + +@metadata_reactor.provides( + 'nginx/vhosts', +) +def nginx(metadata): + return { + 'nginx': { + 'vhosts': { + metadata.get('freescout/domain'): { + 'content': 'freescout/vhost.conf', + }, + }, + }, + } diff --git a/bundles/gitea/metadata.py b/bundles/gitea/metadata.py index 62785cb..e84697a 100644 --- a/bundles/gitea/metadata.py +++ b/bundles/gitea/metadata.py @@ -118,7 +118,7 @@ def nginx(metadata): 'content': 'nginx/proxy_pass.conf', 'context': { 'target': 'http://127.0.0.1:3500', - } + }, }, }, }, diff --git a/bundles/icinga2/items.py b/bundles/icinga2/items.py index 861dc1f..af25d58 100644 --- a/bundles/icinga2/items.py +++ b/bundles/icinga2/items.py @@ -269,7 +269,7 @@ svc_systemd = { 'icinga2.service': { 'needs': [ 'pkg_apt:icinga2-ido-pgsql', - 'svc_systemd:postgresql', + 'svc_systemd:postgresql.service', ], }, } diff --git a/bundles/php/items.py b/bundles/php/items.py index 81fe14c..222ec42 100644 --- a/bundles/php/items.py +++ b/bundles/php/items.py @@ -1,9 +1,3 @@ -from os.path import join -import json - -from bundlewrap.utils.dicts import merge_dict - - version = node.metadata.get('php/version') files = { @@ -21,7 +15,7 @@ files = { f'pkg_apt:php{version}-fpm', }, 'triggers': { - f'svc_systemd:php{version}-fpm:restart', + f'svc_systemd:php{version}-fpm.service:restart', }, }, f'/etc/php/{version}/fpm/pool.d/www.conf': { @@ -33,13 +27,13 @@ files = { f'pkg_apt:php{version}-fpm', }, 'triggers': { - f'svc_systemd:php{version}-fpm:restart', + f'svc_systemd:php{version}-fpm.service:restart', }, }, } svc_systemd = { - f'php{version}-fpm': { + f'php{version}-fpm.service': { 'needs': { 'pkg_apt:', f'file:/etc/php/{version}/fpm/php.ini', diff --git a/bundles/php/metadata.py b/bundles/php/metadata.py index 15e7f90..7ed8d22 100644 --- a/bundles/php/metadata.py +++ b/bundles/php/metadata.py @@ -113,7 +113,7 @@ def php_ini(metadata): 'opcache.revalidate_freq': '60', }, } - + return { 'php': { 'php.ini': { @@ -145,7 +145,7 @@ def www_conf(metadata): 'pm': 'dynamic', 'pm.max_children': int(threads*2), 'pm.start_servers': int(threads), - 'pm.min_spare_servers': int(threads/2), + 'pm.min_spare_servers': max([1, int(threads/2)]), 'pm.max_spare_servers': int(threads), 'pm.max_requests': int(threads*32), }, diff --git a/bundles/postgresql/items.py b/bundles/postgresql/items.py index 8a5f4c6..b7e7ba8 100644 --- a/bundles/postgresql/items.py +++ b/bundles/postgresql/items.py @@ -12,7 +12,7 @@ directories = { 'zfs_dataset:tank/postgresql', ], 'needed_by': [ - 'svc_systemd:postgresql', + 'svc_systemd:postgresql.service', ], } } @@ -25,16 +25,19 @@ files = { ) + '\n', 'owner': 'postgres', 'group': 'postgres', + 'needs': [ + 'pkg_apt:postgresql', + ], 'needed_by': [ - 'svc_systemd:postgresql', + 'svc_systemd:postgresql.service', ], 'triggers': [ - 'svc_systemd:postgresql:restart', + 'svc_systemd:postgresql.service:restart', ], }, } -svc_systemd['postgresql'] = { +svc_systemd['postgresql.service'] = { 'needs': [ 'pkg_apt:postgresql', ], @@ -43,13 +46,13 @@ svc_systemd['postgresql'] = { for user, config in node.metadata.get('postgresql/roles').items(): postgres_roles[user] = merge_dict(config, { 'needs': [ - 'svc_systemd:postgresql', + 'svc_systemd:postgresql.service', ], }) for database, config in node.metadata.get('postgresql/databases').items(): postgres_dbs[database] = merge_dict(config, { 'needs': [ - 'svc_systemd:postgresql', + 'svc_systemd:postgresql.service', ], }) diff --git a/bundles/wordpress/metadata.py b/bundles/wordpress/metadata.py index 33a4e11..7df60e4 100644 --- a/bundles/wordpress/metadata.py +++ b/bundles/wordpress/metadata.py @@ -1,4 +1,12 @@ -defaults = {} +defaults = { + 'php': { + 'php.ini': { + 'cgi': { + 'fix_pathinfo': '0', + }, + }, + }, +} @metadata_reactor.provides( diff --git a/bundles/zsh/items.py b/bundles/zsh/items.py index 60b8d86..28848c5 100644 --- a/bundles/zsh/items.py +++ b/bundles/zsh/items.py @@ -3,13 +3,13 @@ from os.path import join directories = { '/etc/zsh/oh-my-zsh': {}, '/etc/zsh/oh-my-zsh/custom/plugins': { - 'mode': '0744', + 'mode': '0755', 'needs': [ f"git_deploy:/etc/zsh/oh-my-zsh", ] }, '/etc/zsh/oh-my-zsh/custom/plugins/zsh-autosuggestions': { - 'mode': '0744', + 'mode': '0755', 'needs': [ f"git_deploy:/etc/zsh/oh-my-zsh", ] @@ -29,10 +29,10 @@ git_deploy = { files = { '/etc/zsh/zprofile': { - 'mode': '0744', + 'mode': '0755', }, '/etc/zsh/oh-my-zsh/themes/bw.zsh-theme': { - 'mode': '0744', + 'mode': '0755', 'needs': [ f"git_deploy:/etc/zsh/oh-my-zsh", ] @@ -41,7 +41,7 @@ files = { actions = { 'chown_oh_my_zsh': { - 'command': 'chmod -R 744 /etc/zsh/oh-my-zsh', + 'command': 'chmod -R 755 /etc/zsh/oh-my-zsh', 'triggered': True, 'triggered_by': [ "git_deploy:/etc/zsh/oh-my-zsh", diff --git a/data/freescout/vhost.conf b/data/freescout/vhost.conf new file mode 100644 index 0000000..628705a --- /dev/null +++ b/data/freescout/vhost.conf @@ -0,0 +1,53 @@ +server { + listen 443 ssl http2; + listen [::]:443 ssl http2; + + server_name ${server_name}; + + ssl_certificate /var/lib/dehydrated/certs/${server_name}/fullchain.pem; + ssl_certificate_key /var/lib/dehydrated/certs/${server_name}/privkey.pem; + + root /opt/freescout/public; + + index index.php index.html index.htm; + + location / { + try_files $uri $uri/ /index.php?$query_string; + } + location ~ \.php$ { + fastcgi_split_path_info ^(.+\.php)(/.+)$; + fastcgi_pass php-handler; + fastcgi_index index.php; + fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; + include params/fastcgi; + } + # Uncomment this location if you want to improve attachments downloading speed. + # Also make sure to set APP_DOWNLOAD_ATTACHMENTS_VIA=nginx in the .env file. + #location ^~ /storage/app/attachment/ { + # internal; + # alias /var/www/html/storage/app/attachment/; + #} + location ~* ^/storage/attachment/ { + expires 1M; + access_log off; + try_files $uri $uri/ /index.php?$query_string; + } + location ~* ^/(?:css|js)/.*\.(?:css|js)$ { + expires 2d; + access_log off; + add_header Cache-Control "public, must-revalidate"; + } + # The list should be in sync with /storage/app/public/uploads/.htaccess and /config/app.php + location ~* ^/storage/.*\.((?!(jpg|jpeg|jfif|pjpeg|pjp|apng|bmp|gif|ico|cur|png|tif|tiff|webp|pdf|txt|diff|patch|json|mp3|wav|ogg|wma)).)*$ { + add_header Content-disposition "attachment; filename=$2"; + default_type application/octet-stream; + } + location ~* ^/(?:css|fonts|img|installer|js|modules|[^\\\]+\..*)$ { + expires 1M; + access_log off; + add_header Cache-Control "public"; + } + location ~ /\. { + deny all; + } +} diff --git a/groups/applications/freescout.py b/groups/applications/freescout.py new file mode 100644 index 0000000..d00e431 --- /dev/null +++ b/groups/applications/freescout.py @@ -0,0 +1,10 @@ +{ + 'supergroups': [ + 'webserver', + ], + 'bundles': [ + 'freescout', + 'php', + 'postgresql', + ], +} diff --git a/libs/postgres.py b/libs/postgres.py new file mode 100644 index 0000000..ed80036 --- /dev/null +++ b/libs/postgres.py @@ -0,0 +1,23 @@ +from base64 import standard_b64encode +from hashlib import pbkdf2_hmac, sha256 +import hmac + + +def b64enc(b: bytes) -> str: + return standard_b64encode(b).decode('utf8') + +def generate_scram_sha_256(password, salt): + if len(salt) != 16: + raise ValueError(f"Salt '{salt}' is not 16, but {len(salt)} characters long.") + + digest_len = 32 + iterations = 4096 + + digest_key = pbkdf2_hmac('sha256', password.encode('utf8'), salt, iterations, digest_len) + client_key = hmac.digest(digest_key, 'Client Key'.encode('utf8'), 'sha256') + stored_key = sha256(client_key).digest() + server_key = hmac.digest(digest_key, 'Server Key'.encode('utf8'), 'sha256') + + return f'SCRAM-SHA-256${iterations}:{b64enc(salt)}${b64enc(stored_key)}:{b64enc(server_key)}' + + diff --git a/libs/tools.py b/libs/tools.py index d96feec..cbbe27c 100644 --- a/libs/tools.py +++ b/libs/tools.py @@ -86,3 +86,9 @@ def require_bundle(node, bundle, hint=''): # way of defining bundle requirements in other bundles. if not node.has_bundle(bundle): raise BundleError(f'{node.name} requires bundle {bundle}, but wasn\'t found! {hint}') + + +from shlex import quote + +def run_as(user, command): + return f'sudo su - {user} -s /bin/bash -c {quote(command)}' diff --git a/nodes/home.server.py b/nodes/home.server.py index 3d2734e..ea13ec4 100644 --- a/nodes/home.server.py +++ b/nodes/home.server.py @@ -174,6 +174,7 @@ '10.0.10.0/24', '10.0.11.0/24', '192.168.179.0/24', + '10.0.227.0/24', # mseibert.freescout ], }, }, diff --git a/nodes/mseibert.freescout.py b/nodes/mseibert.freescout.py new file mode 100644 index 0000000..4125052 --- /dev/null +++ b/nodes/mseibert.freescout.py @@ -0,0 +1,60 @@ +{ + 'hostname': '159.69.117.89', + 'groups': [ +# 'backup', + 'debian-12', +# 'monitored', + 'webserver', + 'freescout', + ], + 'bundles': [ + 'wireguard', + 'zfs', + ], + 'metadata': { + 'id': '5333e3dd-0718-493a-a93c-529612a45079', + 'network': { + 'internal': { + 'interface': 'ens10', + 'ipv4': '10.0.227.2/24', + }, + 'external': { + 'interface': 'eth0', + 'ipv4': '159.69.117.89/32', + 'gateway4': '172.31.1.1', + 'ipv6': '2a01:4f8:c013:3d0b::1/64', + 'gateway6': 'fe80::1', + }, + }, + 'freescout': { + 'domain': 'foerderkreis.oranienschule-wiesbaden-wiki.de', + }, + 'vm': { + 'cores': 1, + 'ram': 2048, + }, + 'wireguard': { + 'my_ip': '172.30.0.238/32', + 's2s': { + 'netcup.mails': { + 'allowed_ips': [ + '10.0.0.0/24', + '10.0.2.0/24', + '10.0.9.0/24', + '10.0.10.0/24', + '10.0.11.0/24', + ], + }, + }, + }, + 'zfs': { + 'pools': { + 'tank': { + 'devices': [ + '/dev/disk/by-id/scsi-0HC_Volume_100662393', + ], + }, + }, + }, + }, +} diff --git a/nodes/netcup.mails.py b/nodes/netcup.mails.py index 912c6e9..181d030 100644 --- a/nodes/netcup.mails.py +++ b/nodes/netcup.mails.py @@ -16,7 +16,7 @@ 'download-server', 'islamicstate.eu', 'nginx-rtmps', - 'steam', + #'steam', 'wireguard', 'zfs', ], @@ -53,6 +53,7 @@ 'left4.me', 'elimu-kwanza.de', 'cronekorkn.de', + 'foerderkreis.oranienschule-wiesbaden-wiki.de', }, }, 'dns': { @@ -216,6 +217,11 @@ '192.168.179.0/24', ], }, + 'mseibert.freescout': { + 'allowed_ips': [ + '10.0.227.0/24', + ], + }, }, 'clients': { 'macbook': {