cronekorkn/bundlewrap
1
0
Fork 0
Code Issues Pull requests Projects Releases Wiki Activity

freescout

Browse source
This commit is contained in:
cronekorkn 2024-02-08 13:45:35 +01:00
parent 95efe10ef6
commit ab87fe6f96
Signed by: cronekorkn
SSH key fingerprint: SHA256:v0410ZKfuO1QHdgKBsdQNF64xmTxOF8osF1LIqwTcVw
18 changed files with 371 additions and 34 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

16
bundles/bind/items.py
View file

@ -19,7 +19,7 @@ directories[f'/var/lib/bind'] = {
'svc_systemd:bind9', 'svc_systemd:bind9',
], ],
'triggers': [ 'triggers': [
'svc_systemd:bind9:restart', 'svc_systemd:bind9:reload',
], ],
} }
@ -29,7 +29,7 @@ files['/etc/default/bind9'] = {
'svc_systemd:bind9', 'svc_systemd:bind9',
], ],
'triggers': [ 'triggers': [
'svc_systemd:bind9:restart', 'svc_systemd:bind9:reload',
], ],
} }
@ -43,7 +43,7 @@ files['/etc/bind/named.conf'] = {
'svc_systemd:bind9', 'svc_systemd:bind9',
], ],
'triggers': [ 'triggers': [
'svc_systemd:bind9:restart', 'svc_systemd:bind9:reload',
], ],
} }
@ -63,7 +63,7 @@ files['/etc/bind/named.conf.options'] = {
'svc_systemd:bind9', 'svc_systemd:bind9',
], ],
'triggers': [ 'triggers': [
'svc_systemd:bind9:restart', 'svc_systemd:bind9:reload',
], ],
} }
@ -93,7 +93,7 @@ files['/etc/bind/named.conf.local'] = {
'svc_systemd:bind9', 'svc_systemd:bind9',
], ],
'triggers': [ 'triggers': [
'svc_systemd:bind9:restart', 'svc_systemd:bind9:reload',
], ],
} }
@ -106,7 +106,7 @@ for view_name, view_conf in master_node.metadata.get('bind/views').items():
'svc_systemd:bind9', 'svc_systemd:bind9',
], ],
'triggers': [ 'triggers': [
'svc_systemd:bind9:restart', 'svc_systemd:bind9:reload',
], ],
} }
@ -127,7 +127,7 @@ for view_name, view_conf in master_node.metadata.get('bind/views').items():
'svc_systemd:bind9', 'svc_systemd:bind9',
], ],
'triggers': [ 'triggers': [
'svc_systemd:bind9:restart', 'svc_systemd:bind9:reload',
], ],
} }
@ -139,6 +139,6 @@ actions['named-checkconf'] = {
'unless': 'named-checkconf -z', 'unless': 'named-checkconf -z',
'needs': [ 'needs': [
'svc_systemd:bind9', 'svc_systemd:bind9',
'svc_systemd:bind9:restart', 'svc_systemd:bind9:reload',
] ]
} }

13
bundles/freescout/README.md Normal file
View file

@ -0,0 +1,13 @@
Pg Pass workaround: set manually:
```
root@freescout /ro psql freescout
psql (15.6 (Debian 15.6-0+deb12u1))
Type "help" for help.
freescout=# \password freescout
Enter new password for user "freescout":
Enter it again:
freescout=#
\q
```

62
bundles/freescout/items.py Normal file
View file

@ -0,0 +1,62 @@
# https://github.com/freescout-helpdesk/freescout/wiki/Installation-Guide
run_as = repo.libs.tools.run_as
php_version = node.metadata.get('php/version')
directories = {
'/opt/freescout': {
'owner': 'www-data',
'group': 'www-data',
# chown -R www-data:www-data /opt/freescout
},
}
actions = {
'clone_freescout': {
'command': run_as('www-data', 'git clone https://github.com/freescout-helpdesk/freescout.git /opt/freescout'),
'unless': 'test -e /opt/freescout/.git',
'needs': [
'pkg_apt:git',
'directory:/opt/freescout',
],
},
'pull_freescout': {
'command': run_as('www-data', 'git -C /opt/freescout fetch origin dist && git -C /opt/freescout reset --hard origin/dist && git -C /opt/freescout clean -f'),
'unless': run_as('www-data', 'git -C /opt/freescout fetch origin && git -C /opt/freescout status -uno | grep -q "Your branch is up to date"'),
'needs': [
'action:clone_freescout',
],
'triggers': [
'action:freescout_artisan_update',
f'svc_systemd:php{php_version}-fpm.service:restart',
],
},
'freescout_artisan_update': {
'command': run_as('www-data', 'php /opt/freescout/artisan freescout:after-app-update'),
'triggered': True,
'needs': [
f'svc_systemd:php{php_version}-fpm.service:restart',
'action:pull_freescout',
],
},
}
# files = {
# '/opt/freescout/.env': {
# # https://github.com/freescout-helpdesk/freescout/blob/dist/.env.example
# # Every time you are making changes in .env file, in order changes to take an effect you need to run:
# # ´sudo su - www-data -c 'php /opt/freescout/artisan freescout:clear-cache' -s /bin/bash´
# 'owner': 'www-data',
# 'content': '\n'.join(
# f'{k}={v}' for k, v in
# sorted(node.metadata.get('freescout/env').items())
# ) + '\n',
# 'needs': [
# 'directory:/opt/freescout',
# 'action:clone_freescout',
# ],
# },
# }
#sudo su - www-data -s /bin/bash -c 'php /opt/freescout/artisan freescout:create-user --role admin --firstName M --lastName W --email freescout@freibrief.net --password gyh.jzv2bnf6hvc.HKG --no-interaction'
#sudo su - www-data -s /bin/bash -c 'php /opt/freescout/artisan freescout:create-user --role admin --firstName M --lastName W --email freescout@freibrief.net --password gyh.jzv2bnf6hvc.HKG --no-interaction'

98
bundles/freescout/metadata.py Normal file
View file

@ -0,0 +1,98 @@
from base64 import b64decode
# hash: SCRAM-SHA-256$4096:tQNfqQi7seqNDwJdHqCHbg==$r3ibECluHJaY6VRwpvPqrtCjgrEK7lAkgtUO8/tllTU=:+eeo4M0L2SowfyHFxT2FRqGzezve4ZOEocSIo11DATA=
database_password = repo.vault.password_for(f'{node.name} postgresql freescout').value
defaults = {
'apt': {
'packages': {
'git': {},
'php': {},
'php-pgsql': {},
'php-fpm': {},
'php-mbstring': {},
'php-xml': {},
'php-imap': {},
'php-zip': {},
'php-gd': {},
'php-curl': {},
'php-intl': {},
},
},
'freescout': {
'env': {
'APP_TIMEZONE': 'Europe/Berlin',
'DB_CONNECTION': 'pgsql',
'DB_HOST': '127.0.0.1',
'DB_PORT': '5432',
'DB_DATABASE': 'freescout',
'DB_USERNAME': 'freescout',
'DB_PASSWORD': database_password,
'APP_KEY': 'base64:' + repo.vault.random_bytes_as_base64_for(f'{node.name} freescout APP_KEY', length=32).value
},
},
'php': {
'php.ini': {
'cgi': {
'fix_pathinfo': '0',
},
},
},
'postgresql': {
'roles': {
'freescout': {
'password_hash': repo.libs.postgres.generate_scram_sha_256(
database_password,
b64decode(repo.vault.random_bytes_as_base64_for(f'{node.name} postgres freescout', length=16).value.encode()),
),
},
},
'databases': {
'freescout': {
'owner': 'freescout',
},
},
},
'systemd-timers': {
'freescout-cron': {
'command': '/usr/bin/php /opt/freescout/artisan schedule:run',
'when': 'Minutely',
'user': 'www-data',
},
},
'zfs': {
'datasets': {
'tank/freescout': {
'mountpoint': '/opt/freescout',
},
},
},
}
@metadata_reactor.provides(
'freescout/env/APP_URL',
)
def freescout(metadata):
return {
'freescout': {
'env': {
'APP_URL': 'https://' + metadata.get('freescout/domain') + '/',
},
},
}
@metadata_reactor.provides(
'nginx/vhosts',
)
def nginx(metadata):
return {
'nginx': {
'vhosts': {
metadata.get('freescout/domain'): {
'content': 'freescout/vhost.conf',
},
},
},
}

2
bundles/gitea/metadata.py
View file

@ -118,7 +118,7 @@ def nginx(metadata):
'content': 'nginx/proxy_pass.conf', 'content': 'nginx/proxy_pass.conf',
'context': { 'context': {
'target': 'http://127.0.0.1:3500', 'target': 'http://127.0.0.1:3500',
} },
}, },
}, },
}, },

2
bundles/icinga2/items.py
View file

@ -269,7 +269,7 @@ svc_systemd = {
'icinga2.service': { 'icinga2.service': {
'needs': [ 'needs': [
'pkg_apt:icinga2-ido-pgsql', 'pkg_apt:icinga2-ido-pgsql',
'svc_systemd:postgresql', 'svc_systemd:postgresql.service',
], ],
}, },
} }

12
bundles/php/items.py
View file

@ -1,9 +1,3 @@
from os.path import join
import json
from bundlewrap.utils.dicts import merge_dict
version = node.metadata.get('php/version') version = node.metadata.get('php/version')
files = { files = {
@ -21,7 +15,7 @@ files = {
f'pkg_apt:php{version}-fpm', f'pkg_apt:php{version}-fpm',
}, },
'triggers': { 'triggers': {
f'svc_systemd:php{version}-fpm:restart', f'svc_systemd:php{version}-fpm.service:restart',
}, },
}, },
f'/etc/php/{version}/fpm/pool.d/www.conf': { f'/etc/php/{version}/fpm/pool.d/www.conf': {
@ -33,13 +27,13 @@ files = {
f'pkg_apt:php{version}-fpm', f'pkg_apt:php{version}-fpm',
}, },
'triggers': { 'triggers': {
f'svc_systemd:php{version}-fpm:restart', f'svc_systemd:php{version}-fpm.service:restart',
}, },
}, },
} }
svc_systemd = { svc_systemd = {
f'php{version}-fpm': { f'php{version}-fpm.service': {
'needs': { 'needs': {
'pkg_apt:', 'pkg_apt:',
f'file:/etc/php/{version}/fpm/php.ini', f'file:/etc/php/{version}/fpm/php.ini',

2
bundles/php/metadata.py
View file

@ -145,7 +145,7 @@ def www_conf(metadata):
'pm': 'dynamic', 'pm': 'dynamic',
'pm.max_children': int(threads*2), 'pm.max_children': int(threads*2),
'pm.start_servers': int(threads), 'pm.start_servers': int(threads),
'pm.min_spare_servers': int(threads/2), 'pm.min_spare_servers': max([1, int(threads/2)]),
'pm.max_spare_servers': int(threads), 'pm.max_spare_servers': int(threads),
'pm.max_requests': int(threads*32), 'pm.max_requests': int(threads*32),
}, },

15
bundles/postgresql/items.py
View file

@ -12,7 +12,7 @@ directories = {
'zfs_dataset:tank/postgresql', 'zfs_dataset:tank/postgresql',
], ],
'needed_by': [ 'needed_by': [
'svc_systemd:postgresql', 'svc_systemd:postgresql.service',
], ],
} }
} }
@ -25,16 +25,19 @@ files = {
) + '\n', ) + '\n',
'owner': 'postgres', 'owner': 'postgres',
'group': 'postgres', 'group': 'postgres',
'needs': [
'pkg_apt:postgresql',
],
'needed_by': [ 'needed_by': [
'svc_systemd:postgresql', 'svc_systemd:postgresql.service',
], ],
'triggers': [ 'triggers': [
'svc_systemd:postgresql:restart', 'svc_systemd:postgresql.service:restart',
], ],
}, },
} }
svc_systemd['postgresql'] = { svc_systemd['postgresql.service'] = {
'needs': [ 'needs': [
'pkg_apt:postgresql', 'pkg_apt:postgresql',
], ],
@ -43,13 +46,13 @@ svc_systemd['postgresql'] = {
for user, config in node.metadata.get('postgresql/roles').items(): for user, config in node.metadata.get('postgresql/roles').items():
postgres_roles[user] = merge_dict(config, { postgres_roles[user] = merge_dict(config, {
'needs': [ 'needs': [
'svc_systemd:postgresql', 'svc_systemd:postgresql.service',
], ],
}) })
for database, config in node.metadata.get('postgresql/databases').items(): for database, config in node.metadata.get('postgresql/databases').items():
postgres_dbs[database] = merge_dict(config, { postgres_dbs[database] = merge_dict(config, {
'needs': [ 'needs': [
'svc_systemd:postgresql', 'svc_systemd:postgresql.service',
], ],
}) })

10
bundles/wordpress/metadata.py
View file

@ -1,4 +1,12 @@
defaults = {} defaults = {
'php': {
'php.ini': {
'cgi': {
'fix_pathinfo': '0',
},
},
},
}
@metadata_reactor.provides( @metadata_reactor.provides(

10
bundles/zsh/items.py
View file

@ -3,13 +3,13 @@ from os.path import join
directories = { directories = {
'/etc/zsh/oh-my-zsh': {}, '/etc/zsh/oh-my-zsh': {},
'/etc/zsh/oh-my-zsh/custom/plugins': { '/etc/zsh/oh-my-zsh/custom/plugins': {
'mode': '0744', 'mode': '0755',
'needs': [ 'needs': [
f"git_deploy:/etc/zsh/oh-my-zsh", f"git_deploy:/etc/zsh/oh-my-zsh",
] ]
}, },
'/etc/zsh/oh-my-zsh/custom/plugins/zsh-autosuggestions': { '/etc/zsh/oh-my-zsh/custom/plugins/zsh-autosuggestions': {
'mode': '0744', 'mode': '0755',
'needs': [ 'needs': [
f"git_deploy:/etc/zsh/oh-my-zsh", f"git_deploy:/etc/zsh/oh-my-zsh",
] ]
@ -29,10 +29,10 @@ git_deploy = {
files = { files = {
'/etc/zsh/zprofile': { '/etc/zsh/zprofile': {
'mode': '0744', 'mode': '0755',
}, },
'/etc/zsh/oh-my-zsh/themes/bw.zsh-theme': { '/etc/zsh/oh-my-zsh/themes/bw.zsh-theme': {
'mode': '0744', 'mode': '0755',
'needs': [ 'needs': [
f"git_deploy:/etc/zsh/oh-my-zsh", f"git_deploy:/etc/zsh/oh-my-zsh",
] ]
@ -41,7 +41,7 @@ files = {
actions = { actions = {
'chown_oh_my_zsh': { 'chown_oh_my_zsh': {
'command': 'chmod -R 744 /etc/zsh/oh-my-zsh', 'command': 'chmod -R 755 /etc/zsh/oh-my-zsh',
'triggered': True, 'triggered': True,
'triggered_by': [ 'triggered_by': [
"git_deploy:/etc/zsh/oh-my-zsh", "git_deploy:/etc/zsh/oh-my-zsh",

53
data/freescout/vhost.conf Normal file
View file

@ -0,0 +1,53 @@
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name ${server_name};
ssl_certificate /var/lib/dehydrated/certs/${server_name}/fullchain.pem;
ssl_certificate_key /var/lib/dehydrated/certs/${server_name}/privkey.pem;
root /opt/freescout/public;
index index.php index.html index.htm;
location / {
try_files $uri $uri/ /index.php?$query_string;
}
location ~ \.php$ {
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass php-handler;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include params/fastcgi;
}
# Uncomment this location if you want to improve attachments downloading speed.
# Also make sure to set APP_DOWNLOAD_ATTACHMENTS_VIA=nginx in the .env file.
#location ^~ /storage/app/attachment/ {
# internal;
# alias /var/www/html/storage/app/attachment/;
#}
location ~* ^/storage/attachment/ {
expires 1M;
access_log off;
try_files $uri $uri/ /index.php?$query_string;
}
location ~* ^/(?:css|js)/.*\.(?:css|js)$ {
expires 2d;
access_log off;
add_header Cache-Control "public, must-revalidate";
}
# The list should be in sync with /storage/app/public/uploads/.htaccess and /config/app.php
location ~* ^/storage/.*\.((?!(jpg|jpeg|jfif|pjpeg|pjp|apng|bmp|gif|ico|cur|png|tif|tiff|webp|pdf|txt|diff|patch|json|mp3|wav|ogg|wma)).)*$ {
add_header Content-disposition "attachment; filename=$2";
default_type application/octet-stream;
}
location ~* ^/(?:css|fonts|img|installer|js|modules|[^\\\]+\..*)$ {
expires 1M;
access_log off;
add_header Cache-Control "public";
}
location ~ /\. {
deny all;
}
}

10
groups/applications/freescout.py Normal file
View file

@ -0,0 +1,10 @@
{
'supergroups': [
'webserver',
],
'bundles': [
'freescout',
'php',
'postgresql',
],
}

23
libs/postgres.py Normal file
View file

@ -0,0 +1,23 @@
from base64 import standard_b64encode
from hashlib import pbkdf2_hmac, sha256
import hmac
def b64enc(b: bytes) -> str:
return standard_b64encode(b).decode('utf8')
def generate_scram_sha_256(password, salt):
if len(salt) != 16:
raise ValueError(f"Salt '{salt}' is not 16, but {len(salt)} characters long.")
digest_len = 32
iterations = 4096
digest_key = pbkdf2_hmac('sha256', password.encode('utf8'), salt, iterations, digest_len)
client_key = hmac.digest(digest_key, 'Client Key'.encode('utf8'), 'sha256')
stored_key = sha256(client_key).digest()
server_key = hmac.digest(digest_key, 'Server Key'.encode('utf8'), 'sha256')
return f'SCRAM-SHA-256${iterations}:{b64enc(salt)}${b64enc(stored_key)}:{b64enc(server_key)}'

6
libs/tools.py
View file

@ -86,3 +86,9 @@ def require_bundle(node, bundle, hint=''):
# way of defining bundle requirements in other bundles. # way of defining bundle requirements in other bundles.
if not node.has_bundle(bundle): if not node.has_bundle(bundle):
raise BundleError(f'{node.name} requires bundle {bundle}, but wasn\'t found! {hint}') raise BundleError(f'{node.name} requires bundle {bundle}, but wasn\'t found! {hint}')
from shlex import quote
def run_as(user, command):
return f'sudo su - {user} -s /bin/bash -c {quote(command)}'

1
nodes/home.server.py
View file

@ -174,6 +174,7 @@
'10.0.10.0/24', '10.0.10.0/24',
'10.0.11.0/24', '10.0.11.0/24',
'192.168.179.0/24', '192.168.179.0/24',
'10.0.227.0/24', # mseibert.freescout
], ],
}, },
}, },

60
nodes/mseibert.freescout.py Normal file
View file

@ -0,0 +1,60 @@
{
'hostname': '159.69.117.89',
'groups': [
# 'backup',
'debian-12',
# 'monitored',
'webserver',
'freescout',
],
'bundles': [
'wireguard',
'zfs',
],
'metadata': {
'id': '5333e3dd-0718-493a-a93c-529612a45079',
'network': {
'internal': {
'interface': 'ens10',
'ipv4': '10.0.227.2/24',
},
'external': {
'interface': 'eth0',
'ipv4': '159.69.117.89/32',
'gateway4': '172.31.1.1',
'ipv6': '2a01:4f8:c013:3d0b::1/64',
'gateway6': 'fe80::1',
},
},
'freescout': {
'domain': 'foerderkreis.oranienschule-wiesbaden-wiki.de',
},
'vm': {
'cores': 1,
'ram': 2048,
},
'wireguard': {
'my_ip': '172.30.0.238/32',
's2s': {
'netcup.mails': {
'allowed_ips': [
'10.0.0.0/24',
'10.0.2.0/24',
'10.0.9.0/24',
'10.0.10.0/24',
'10.0.11.0/24',
],
},
},
},
'zfs': {
'pools': {
'tank': {
'devices': [
'/dev/disk/by-id/scsi-0HC_Volume_100662393',
],
},
},
},
},
}

8
nodes/netcup.mails.py
View file

@ -16,7 +16,7 @@
'download-server', 'download-server',
'islamicstate.eu', 'islamicstate.eu',
'nginx-rtmps', 'nginx-rtmps',
'steam', #'steam',
'wireguard', 'wireguard',
'zfs', 'zfs',
], ],
@ -53,6 +53,7 @@
'left4.me', 'left4.me',
'elimu-kwanza.de', 'elimu-kwanza.de',
'cronekorkn.de', 'cronekorkn.de',
'foerderkreis.oranienschule-wiesbaden-wiki.de',
}, },
}, },
'dns': { 'dns': {
@ -216,6 +217,11 @@
'192.168.179.0/24', '192.168.179.0/24',
], ],
}, },
'mseibert.freescout': {
'allowed_ips': [
'10.0.227.0/24',
],
},
}, },
'clients': { 'clients': {
'macbook': { 'macbook': {