nodes/mseibert.yourls.py: introduce

bundles/systemd-networkd/files/resolv.conf

@@ -1,3 +1,10 @@
-% for nameserver in sorted(node.metadata.get('nameservers')):
+<%
+    nameservers = (
+        node.metadata.get('overwrite_nameservers', []) or
+        node.metadata.get('nameservers', [])
+    )
+%>\
+\
+% for nameserver in nameservers:
 nameserver ${nameserver}
-% endfor
+% endfor

bundles/yourls/files/config.php

@@ -0,0 +1,24 @@
+<?php
+define( 'YOURLS_DB_USER', 'yourls' );
+define( 'YOURLS_DB_PASS', '${db_password}' );
+define( 'YOURLS_DB_NAME', 'yourls' );
+define( 'YOURLS_DB_HOST', 'localhost' );
+define( 'YOURLS_DB_PREFIX', 'yourls_' );
+
+define( 'YOURLS_SITE', 'https://${hostname}' );
+define( 'YOURLS_LANG', '' );
+define( 'YOURLS_UNIQUE_URLS', true );
+define( 'YOURLS_PRIVATE', true );
+define( 'YOURLS_COOKIEKEY', '${cookiekey}' );
+
+$yourls_user_passwords = [
+% for username, password in users.items():
+	'${username}' => '${password}',
+% endfor
+];
+
+define( 'YOURLS_URL_CONVERT', 36 );
+
+define( 'YOURLS_DEBUG', false );
+
+$yourls_reserved_URL = [];

bundles/yourls/items.py

@@ -0,0 +1,48 @@
+directories = {
+    '/var/www/yourls/htdocs': {
+        'owner': 'www-data',
+        'group': 'www-data',
+        'mode': '0755',
+    },
+}
+
+git_deploy = {
+    '/var/www/yourls/htdocs': {
+        'repo': 'https://github.com/YOURLS/YOURLS.git',
+        'rev': node.metadata.get('yourls/version'),
+        'needs': [
+            'directory:/var/www/yourls/htdocs',
+        ],
+        'triggers': [
+            'svc_systemd:nginx:restart',
+        ],
+    },
+}
+
+files = {
+    f'/var/www/yourls/htdocs/user/config.php': {
+        'content_type': 'mako',
+        'mode': '0440',
+        'owner': 'www-data',
+        'group': 'www-data',
+        'context': {
+            'db_password': node.metadata.get('mariadb/databases/yourls/password'),
+            'hostname': node.metadata.get('yourls/hostname'),
+            'cookiekey': node.metadata.get('yourls/cookiekey'),
+            'users': node.metadata.get('yourls/users'),
+        },
+        'needs': [
+            'git_deploy:/var/www/yourls/htdocs',
+        ],
+        'triggers': [
+            'svc_systemd:nginx:restart',
+        ],
+    },
+
+    # FIXME:
+    '/var/www/certbot': {
+        'owner': 'www-data',
+        'group': 'www-data',
+        'mode': '0755',
+    }
+}

bundles/yourls/metadata.py

@@ -0,0 +1,42 @@
+defaults = {
+    'mariadb': {
+        'databases': {
+            'yourls': {
+                'password': repo.vault.random_bytes_as_base64_for(f'{node.name} yourls DB', length=32).value,
+            },
+        },
+    },
+}
+
+
+@metadata_reactor.provides(
+    'apt/packages',
+)
+def apt(metadata):
+    php_version = metadata.get('php/version')
+
+    return {
+        'apt':{
+            'packages': {
+                f'php{php_version}-mysql': {},
+            },
+        },
+    }
+
+
+@metadata_reactor.provides(
+    'nginx/vhosts',
+)
+def nginx(metadata):
+    return {
+        'nginx': {
+            'vhosts': {
+                metadata.get('yourls/hostname'): {
+                    'content': 'yourls/vhost.conf',
+                    'context': {
+                        'php_version': metadata.get('php/version'),
+                    },
+                },
+            },
+        },
+    }

data/yourls/vhost.conf

@@ -0,0 +1,31 @@
+server {
+  listen 443 ssl http2;
+  listen [::]:443 ssl http2;
+  server_name ${server_name};
+
+  ssl_certificate /etc/letsencrypt/archive/${server_name}/fullchain1.pem;
+  ssl_certificate_key /etc/letsencrypt/archive/${server_name}/privkey1.pem;
+
+  root /var/www/yourls/htdocs;
+
+  location / {
+    index index.php index.html index.htm;
+    try_files $uri $uri/ /yourls-loader.php$is_args$args;
+  }
+
+  location ~ \.php$ {
+    include params/fastcgi;
+    fastcgi_index index.php;
+    fastcgi_pass unix:/run/php/php${php_version}-fpm.sock;
+  }
+
+  # temp
+  location ^~ /.well-known/acme-challenge/ {
+      alias /var/www/certbot/;
+  }
+}
+
+
+# FIXME: this is a temporary solution to allow the certbot challenge to work:
+# - ssl_certificate
+# - ssl_certificate_key

nodes/mseibert.yourls.py

@@ -0,0 +1,60 @@
+# https://teamvault.apps.seibert-media.net/secrets/mkqMRv/
+# https://console.hetzner.cloud/projects/889138/servers/46578341
+
+{
+    'hostname': '168.119.250.114',
+    'groups': [
+        #'backup',
+        'debian-12',
+        #'monitored',
+        'webserver',
+    ],
+    'bundles': [
+        #'wireguard',
+        'mariadb',
+        'php',
+        'yourls',
+        'zfs',
+    ],
+    'metadata': {
+        'id': '52efcd47-edd8-426c-aead-c492553d14f9',
+        'network': {
+            'internal': {
+                'interface': 'ens10',
+                'ipv4': '10.0.227.4/24',
+            },
+            'external': {
+                'interface': 'eth0',
+                'ipv4': '168.119.250.114/32',
+                'gateway4': '172.31.1.1',
+                'ipv6': '2a01:4f8:c013:e321::2/64',
+                'gateway6': 'fe80::1',
+            },
+        },
+        'yourls': {
+            'hostname': "direkt.oranienschule.de",
+            'cookiekey': "!decrypt:encrypt$gAAAAABoRvmcUs3t7PREllyeN--jBqs0XYewMHW16GWC-ikLzsDSe02YKGycOlgXuHU4hzKbNjGMEutpFXRLk9Zji6bbpy4GdyE6vStfwd8ZT0obAyoqBPwI47LwUlDSFMS51y5j8rG5",
+            'version': "1.10.1",
+            'users': {
+                'mseibert': "!decrypt:encrypt$gAAAAABoRwtOcslyRY9ahkmtVI8QbXgJhyE3nuk04eakFDKl-4OZViiRvjtQW3Uwqki1aFeAS-syzr0Ug5sZM_zNelNahjZyzW1k47Xg9GltGNn_zp-uUII=",
+            },
+        },
+        # FIXME:
+        'overwrite_nameservers': [
+            '8.8.8.8',
+        ],
+        'vm': {
+            'cores': 2,
+            'ram': 4096,
+        },
+        'zfs': {
+            'pools': {
+                'tank': {
+                    'devices': [
+                        '/var/lib/zfs_file',
+                    ],
+                },
+            },
+        },
+    },
+}