diff --git a/bundles/systemd-networkd/files/resolv.conf b/bundles/systemd-networkd/files/resolv.conf
index e4f8999..36cabb2 100644
--- a/bundles/systemd-networkd/files/resolv.conf
+++ b/bundles/systemd-networkd/files/resolv.conf
@@ -1,3 +1,10 @@
-% for nameserver in sorted(node.metadata.get('nameservers')):
+<%
+ nameservers = (
+ node.metadata.get('overwrite_nameservers', []) or
+ node.metadata.get('nameservers', [])
+ )
+%>\
+\
+% for nameserver in nameservers:
 nameserver ${nameserver}
-% endfor
+% endfor
\ No newline at end of file
diff --git a/bundles/yourls/files/config.php b/bundles/yourls/files/config.php
new file mode 100644
index 0000000..9be0a49
--- /dev/null
+++ b/bundles/yourls/files/config.php
@@ -0,0 +1,24 @@
+ '${password}',
+% endfor
+];
+
+define( 'YOURLS_URL_CONVERT', 36 );
+
+define( 'YOURLS_DEBUG', false );
+
+$yourls_reserved_URL = [];
\ No newline at end of file
diff --git a/bundles/yourls/items.py b/bundles/yourls/items.py
new file mode 100644
index 0000000..d9eb886
--- /dev/null
+++ b/bundles/yourls/items.py
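Review bot: With both lookups defaulting to `[]`, a node that has neither `overwrite_nameservers` nor `nameservers` now renders an empty resolv.conf instead of failing the way the old `sorted(node.metadata.get('nameservers'))` did, and the glibc resolver then typically falls back to a nameserver on localhost without any error at deploy time. The `or` also means an explicitly empty `overwrite_nameservers` list is silently ignored rather than honored; if that is intended it deserves a comment. I would fail loudly inside the same `<% %>` block: `if not nameservers: raise ValueError('no nameservers configured for ' + node.name)`. Note too that the rendered order is now metadata order rather than sorted; keep `sorted(...)` if the old determinism was relied on.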
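Review bot: `'${password}'` interpolates the decrypted user password into a PHP single-quoted string literal with no escaping, so a password containing `'` or `\` breaks config.php or changes the value YOURLS compares against; the db password and cookie key that items.py passes into this template presumably have the same problem in the part of the hunk that did not survive extraction here (24 lines declared, only the tail visible). Escape at the template, e.g. `'${password.replace('\\', '\\\\').replace("'", "\\'")}'`, or better store pre-hashed credentials in metadata so no plaintext login password is written to disk at all, since YOURLS accepts hashed entries in its user password array. `define( 'YOURLS_DEBUG', false );` is the right default for a public host.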
@@ -0,0 +1,48 @@
+directories = {
+ '/var/www/yourls/htdocs': {
+ 'owner': 'www-data',
+ 'group': 'www-data',
+ 'mode': '0755',
+ },
+}
+
+git_deploy = {
+ '/var/www/yourls/htdocs': {
+ 'repo': 'https://github.com/YOURLS/YOURLS.git',
+ 'rev': node.metadata.get('yourls/version'),
+ 'needs': [
+ 'directory:/var/www/yourls/htdocs',
+ ],
+ 'triggers': [
+ 'svc_systemd:nginx:restart',
+ ],
+ },
+}
+
+files = {
+ f'/var/www/yourls/htdocs/user/config.php': {
+ 'content_type': 'mako',
+ 'mode': '0440',
+ 'owner': 'www-data',
+ 'group': 'www-data',
+ 'context': {
+ 'db_password': node.metadata.get('mariadb/databases/yourls/password'),
+ 'hostname': node.metadata.get('yourls/hostname'),
+ 'cookiekey': node.metadata.get('yourls/cookiekey'),
+ 'users': node.metadata.get('yourls/users'),
+ },
+ 'needs': [
+ 'git_deploy:/var/www/yourls/htdocs',
+ ],
+ 'triggers': [
+ 'svc_systemd:nginx:restart',
+ ],
+ },
+
+ # FIXME:
+ '/var/www/certbot': {
+ 'owner': 'www-data',
+ 'group': 'www-data',
+ 'mode': '0755',
+ }
+}
diff --git a/bundles/yourls/metadata.py b/bundles/yourls/metadata.py
new file mode 100644
index 0000000..ed09937
--- /dev/null
+++ b/bundles/yourls/metadata.py
@@ -0,0 +1,42 @@
+defaults = {
+ 'mariadb': {
+ 'databases': {
+ 'yourls': {
+ 'password': repo.vault.random_bytes_as_base64_for(f'{node.name} yourls DB', length=32).value,
+ },
+ },
+ },
+}
+
+
+@metadata_reactor.provides(
+ 'apt/packages',
+)
+def apt(metadata):
+ php_version = metadata.get('php/version')
+
+ return {
+ 'apt':{
+ 'packages': {
+ f'php{php_version}-mysql': {},
+ },
+ },
+ }
+
+
+@metadata_reactor.provides(
+ 'nginx/vhosts',
+)
+def nginx(metadata):
+ return {
+ 'nginx': {
+ 'vhosts': {
+ metadata.get('yourls/hostname'): {
+ 'content': 'yourls/vhost.conf',
+ 'context': {
+ 'php_version': metadata.get('php/version'),
+ },
+ },
+ },
+ },
+ }
diff --git a/data/yourls/vhost.conf b/data/yourls/vhost.conf
new file mode 100644
index 0000000..d1431df
--- /dev/null
+++ b/data/yourls/vhost.conf
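Review bot: `/var/www/certbot` is declared under `files` although it carries only owner/group/mode and `data/yourls/vhost.conf` in this same commit uses it as an `alias` directory; as a file item bundlewrap will manage a regular file (or fail looking for a source), not the directory the ACME location needs, so the entry belongs in `directories` as the `# FIXME:` hints. Separately, `git_deploy` checks out `'rev': node.metadata.get('yourls/version')`, which the node file sets to a tag name (`1.10.1`); tags are mutable upstream, so for a real supply-chain pin resolve the tag to its commit hash once and store that in metadata, or document that the tag is trusted as-is. The `0440`/www-data mode on config.php is a good choice for the secrets it holds.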
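Review bot: The DB password is generated from the vault with `repo.vault.random_bytes_as_base64_for(...)`, but `yourls/cookiekey` gets no default here and has to be hand-supplied per node as an encrypted literal; it can be derived the same way, e.g. `'yourls': {'cookiekey': repo.vault.random_bytes_as_base64_for(f'{node.name} yourls cookiekey', length=32).value}` in `defaults`, which removes one manually managed secret while still letting a node override it. The reactors read `php/version` and `yourls/hostname` without a default, so a node that omits them fails at metadata time; that is acceptable but worth a one-line module comment stating the required keys. Minor: `'apt':{` lacks the space after the colon used everywhere else in the file.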
@@ -0,0 +1,31 @@
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+ server_name ${server_name};
+
+ ssl_certificate /etc/letsencrypt/archive/${server_name}/fullchain1.pem;
+ ssl_certificate_key /etc/letsencrypt/archive/${server_name}/privkey1.pem;
+
+ root /var/www/yourls/htdocs;
+
+ location / {
+ index index.php index.html index.htm;
+ try_files $uri $uri/ /yourls-loader.php$is_args$args;
+ }
+
+ location ~ \.php$ {
+ include params/fastcgi;
+ fastcgi_index index.php;
+ fastcgi_pass unix:/run/php/php${php_version}-fpm.sock;
+ }
+
+ # temp
+ location ^~ /.well-known/acme-challenge/ {
+ alias /var/www/certbot/;
+ }
+}
+
+
+# FIXME: this is a temporary solution to allow the certbot challenge to work:
+# - ssl_certificate
+# - ssl_certificate_key
diff --git a/nodes/mseibert.yourls.py b/nodes/mseibert.yourls.py
new file mode 100644
index 0000000..d0d08c3
--- /dev/null
+++ b/nodes/mseibert.yourls.py
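Review bot: `ssl_certificate` and `ssl_certificate_key` point at `/etc/letsencrypt/archive/.../fullchain1.pem` and `privkey1.pem`, a fixed archive version; certbot writes renewals as `fullchain2.pem` and so on and only repoints the `live/` symlinks, so after the first renewal nginx keeps serving the expiring certificate. Use `/etc/letsencrypt/live/${server_name}/fullchain.pem` and `/etc/letsencrypt/live/${server_name}/privkey.pem` and drop the trailing FIXME once that is done. The `acme-challenge` location lives only inside the `listen 443` block, so unless another server block for this name handles port 80 (not visible here), HTTP-01 challenges never reach it; a small port-80 server that serves the challenge directory and redirects everything else to https fixes both renewal and the plain-http entry point. The block also sets no `ssl_protocols`/`ssl_ciphers`, which is fine only if an include elsewhere provides them — worth a comment saying so.

```nginx
server {
    listen 80;
    listen [::]:80;
    server_name ${server_name};

    location ^~ /.well-known/acme-challenge/ {
        alias /var/www/certbot/;
    }

    location / {
        return 301 https://${server_name}$request_uri;
    }
}

server {
    listen 443 ssl http2;
    # … unchanged: listen [::], server_name …
    ssl_certificate /etc/letsencrypt/live/${server_name}/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/${server_name}/privkey.pem;
    # … unchanged: root and location blocks …
}
```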
@@ -0,0 +1,60 @@
+# https://teamvault.apps.seibert-media.net/secrets/mkqMRv/
+# https://console.hetzner.cloud/projects/889138/servers/46578341
+
+{
+ 'hostname': '168.119.250.114',
+ 'groups': [
+ #'backup',
+ 'debian-12',
+ #'monitored',
+ 'webserver',
+ ],
+ 'bundles': [
+ #'wireguard',
+ 'mariadb',
+ 'php',
+ 'yourls',
+ 'zfs',
+ ],
+ 'metadata': {
+ 'id': '52efcd47-edd8-426c-aead-c492553d14f9',
+ 'network': {
+ 'internal': {
+ 'interface': 'ens10',
+ 'ipv4': '10.0.227.4/24',
+ },
+ 'external': {
+ 'interface': 'eth0',
+ 'ipv4': '168.119.250.114/32',
+ 'gateway4': '172.31.1.1',
+ 'ipv6': '2a01:4f8:c013:e321::2/64',
+ 'gateway6': 'fe80::1',
+ },
+ },
+ 'yourls': {
+ 'hostname': "direkt.oranienschule.de",
+ 'cookiekey': "!decrypt:encrypt$gAAAAABoRvmcUs3t7PREllyeN--jBqs0XYewMHW16GWC-ikLzsDSe02YKGycOlgXuHU4hzKbNjGMEutpFXRLk9Zji6bbpy4GdyE6vStfwd8ZT0obAyoqBPwI47LwUlDSFMS51y5j8rG5",
+ 'version': "1.10.1",
+ 'users': {
+ 'mseibert': "!decrypt:encrypt$gAAAAABoRwtOcslyRY9ahkmtVI8QbXgJhyE3nuk04eakFDKl-4OZViiRvjtQW3Uwqki1aFeAS-syzr0Ug5sZM_zNelNahjZyzW1k47Xg9GltGNn_zp-uUII=",
+ },
+ },
+ # FIXME:
+ 'overwrite_nameservers': [
+ '8.8.8.8',
+ ],
+ 'vm': {
+ 'cores': 2,
+ 'ram': 4096,
+ },
+ 'zfs': {
+ 'pools': {
+ 'tank': {
+ 'devices': [
+ '/var/lib/zfs_file',
+ ],
+ },
+ },
+ },
+ },
+}
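Review bot: The node joins `webserver` but has `#'backup'` and `#'monitored'` commented out and `#'wireguard'` disabled, so this is an internet-facing host (`168.119.250.114`) running a database and holding admin credentials with no monitoring, no backups and no VPN path for management; if that is deliberate for a trial, say so in a comment with an owner and date rather than leaving bare commented-out entries. `'overwrite_nameservers': ['8.8.8.8']` under a bare `# FIXME:` bypasses the group default with a single third-party resolver and no redundancy — add at least a second nameserver and state why the default is overridden. The cookie key and user password are correctly kept as `!decrypt:` vault strings rather than plaintext, and the teamvault/console links at the top are useful; keep those.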