diff --git a/bin/wireguard_client_config b/bin/wireguard_client_config
index 7a77d6b..3bc2c55 100755
--- a/bin/wireguard_client_config
+++ b/bin/wireguard_client_config
@@ -7,7 +7,7 @@ from ipaddress import ip_network, ip_interface
 repo = Repository(dirname(dirname(realpath(__file__))))
-server_node = repo.get_node('htz.mails')
+server_node = repo.get_node('netcup.mails')
 data = server_node.metadata.get(f'wireguard/clients/{argv[1]}')
 vpn_network = ip_interface(server_node.metadata.get('wireguard/my_ip')).network
diff --git a/bundles/backup-server/metadata.py b/bundles/backup-server/metadata.py
index 984d5b3..2efc24d 100644
--- a/bundles/backup-server/metadata.py
+++ b/bundles/backup-server/metadata.py
@@ -35,16 +35,18 @@ def zfs(metadata):
 datasets[base_dataset] = {
 'mountpoint': None,
 'readonly': 'on',
- 'backup': False,
+ 'compression': 'lz4',
 'com.sun:auto-snapshot': 'false',
+ 'backup': False,
 }
 # for rsync backups
 datasets[f'{base_dataset}/fs'] = {
 'mountpoint': f"/mnt/backups/{id}",
 'readonly': 'off',
- 'backup': False,
+ 'compression': 'lz4',
 'com.sun:auto-snapshot': 'true',
+ 'backup': False,
 }
 # for zfs send/recv
@@ -55,8 +57,9 @@ def zfs(metadata):
 datasets[f'{base_dataset}/{pool}'] = {
 'mountpoint': None,
 'readonly': 'on',
- 'backup': False,
+ 'compression': 'lz4',
 'com.sun:auto-snapshot': 'false',
+ 'backup': False,
 }
 # actual datasets
@@ -66,8 +69,9 @@ def zfs(metadata):
 datasets[f'{base_dataset}/{dataset}'] = {
 'mountpoint': None,
 'readonly': 'on',
- 'backup': False,
+ 'compression': 'lz4',
 'com.sun:auto-snapshot': 'false',
+ 'backup': False,
 }
 continue
diff --git a/bundles/bind/items.py b/bundles/bind/items.py
index a318bb4..616af3c 100644
--- a/bundles/bind/items.py
+++ b/bundles/bind/items.py
@@ -10,6 +10,9 @@ directories[f'/var/lib/bind'] = {
 'owner': 'bind',
 'group': 'bind',
 'purge': True,
+ 'needs': [
+ 'pkg_apt:bind9',
+ ],
 'needed_by': [
 'svc_systemd:bind9',
 ],
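Review bot: The dataset property dict is now spelled out four times in `zfs()` — here for `base_dataset` and `{base_dataset}/fs`, and again in the two following hunks for the per-pool and per-dataset entries — each repeating `'compression': 'lz4'`, `'com.sun:auto-snapshot'` and `'backup': False`. A small module-level helper returning that dict, such as `def _backup_dataset(mountpoint=None, readonly='on', snapshot='false'):`, called with the two or three values that actually differ, would keep the copies from drifting the next time a property is added. The enclosing `zfs()` function starts before and continues past these hunks.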
diff --git a/bundles/letsencrypt/files/hook.sh b/bundles/letsencrypt/files/hook.sh
index a3d853d..4275eb0 100644
--- a/bundles/letsencrypt/files/hook.sh
+++ b/bundles/letsencrypt/files/hook.sh
@@ -4,7 +4,7 @@ set -o pipefail
 deploy_challenge() {
 echo "
- server 10.0.10.2
+ server 10.0.11.3
 zone ${zone}.
 update add $1.${zone}. 60 IN TXT \"$3\"
 send
@@ -15,7 +15,7 @@ deploy_challenge() {
 clean_challenge() {
 echo "
- server 10.0.10.2
+ server 10.0.11.3
 zone ${zone}.
 update delete $1.${zone}. TXT
 send
diff --git a/bundles/postfix/items.py b/bundles/postfix/items.py
index 607e6e3..9368956 100644
--- a/bundles/postfix/items.py
+++ b/bundles/postfix/items.py
@@ -83,6 +83,7 @@ if node.has_bundle('telegraf'):
 'command': 'setfacl -Rm g:telegraf:rX /var/spool/postfix',
 'unless': 'getfacl -a /var/spool/postfix | grep -q "^group:telegraf:r-x$"',
 'needs': [
+ 'pkg_apt:acl',
 'svc_systemd:postfix',
 ],
 }
@@ -90,6 +91,7 @@ if node.has_bundle('telegraf'):
 'command': 'setfacl -dm g:telegraf:rX /var/spool/postfix',
 'unless': 'getfacl -d /var/spool/postfix | grep -q "^group:telegraf:r-x$"',
 'needs': [
+ 'pkg_apt:acl',
 'svc_systemd:postfix',
 ],
 }
diff --git a/bundles/postfix/metadata.py b/bundles/postfix/metadata.py
index f050553..1600bf0 100644
--- a/bundles/postfix/metadata.py
+++ b/bundles/postfix/metadata.py
@@ -3,6 +3,7 @@ defaults = {
 'packages': {
 'postfix': {},
 'postfix-pgsql': {},
+ 'acl': {}, #setfacl
 }
 },
 'backup': {
diff --git a/bundles/postgresql/items.py b/bundles/postgresql/items.py
index 2468320..8c21054 100644
--- a/bundles/postgresql/items.py
+++ b/bundles/postgresql/items.py
@@ -5,6 +5,7 @@ directories = {
 'owner': 'postgres',
 'group': 'postgres',
 'needs': [
+ 'pkg_apt:postgresql',
 'zfs_dataset:tank/postgresql',
 ],
 'needed_by': [
diff --git a/bundles/roundcube/items.py b/bundles/roundcube/items.py
index 5a5e6f3..bb00cc5 100644
--- a/bundles/roundcube/items.py
+++ b/bundles/roundcube/items.py
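Review bot: The nsupdate target moves to 10.0.11.3 here and in the `clean_challenge` hunk below, but neither update block carries a `key` line, so acceptance of these challenge records rests entirely on the master's `allow-update` policy; if that policy is address-based (the bind bundle is not in this diff) it must also learn the new source address, otherwise challenges silently stop being published and certificate renewals fail. Authenticating the updates with a TSIG key — a `key` line inside the block, or `nsupdate -k` on the pipe — would make the authorisation independent of the address plan. The body of `deploy_challenge` continues outside the hunk.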
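Review bot: The comment on the added package line, `'acl': {}, #setfacl`, breaks the two-spaces-before and one-space-after convention a formatter would apply to the rest of the file, and it names a command rather than a reason. `'acl': {},  # setfacl/getfacl for the telegraf spool ACL actions in items.py` says why the package belongs to this bundle.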
@@ -22,10 +22,9 @@ directories = {
 }
-downloads[f'/tmp/roundcube-{version}.tar.gz'] = {
- 'url': f'https://github.com/roundcube/roundcubemail/releases/download/{version}/roundcubemail-{version}-complete.tar.gz',
- 'gpg_signature_url': '{url}.asc',
- 'gpg_pubkey_url': 'https://roundcube.net/download/pubkey.asc',
+files[f'/tmp/roundcube-{version}.tar.gz'] = {
+ 'content_type': 'download',
+ 'source': f'https://github.com/roundcube/roundcubemail/releases/download/{version}/roundcubemail-{version}-complete.tar.gz',
 'triggered': True,
 }
 actions['delete_roundcube'] = {
@@ -37,7 +36,7 @@ actions['extract_roundcube'] = {
 'unless': f'grep -q "Version {version}" /opt/roundcube/index.php',
 'preceded_by': [
 'action:delete_roundcube',
- f'download:/tmp/roundcube-{version}.tar.gz',
+ f'file:/tmp/roundcube-{version}.tar.gz',
 ],
 'needs': [
 'directory:/opt/roundcube',
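Review bot: Switching from the `downloads` item to a `content_type: 'download'` file discards the `gpg_signature_url`/`gpg_pubkey_url` verification of the roundcube tarball, so the archive that `extract_roundcube` unpacks into /opt/roundcube is now accepted on the strength of the TLS connection to github.com alone. Bundlewrap's download file type accepts a `content_hash` attribute (a sha256 of the expected file), so pinning the release is one line: `'content_hash': node.metadata.get('roundcube/sha256'),` next to `'source'`, with the hash kept beside `version` in node metadata and updated on every bump. Without either the signature or a hash, a replaced release asset would be installed without any warning.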
@@ -53,30 +52,28 @@ actions['chown_roundcube'] = {
 }
-files = {
- '/opt/roundcube/config/config.inc.php': {
- 'content_type': 'mako',
- 'context': {
- 'installer': node.metadata.get('roundcube/installer'),
- 'product_name': node.metadata.get('roundcube/product_name'),
- 'des_key': node.metadata.get('roundcube/des_key'),
- 'database': node.metadata.get('roundcube/database'),
- 'plugins': node.metadata.get('roundcube/plugins'),
- },
- 'needs': [
- 'action:chown_roundcube',
- ],
+files['/opt/roundcube/config/config.inc.php'] = {
+ 'content_type': 'mako',
+ 'context': {
+ 'installer': node.metadata.get('roundcube/installer'),
+ 'product_name': node.metadata.get('roundcube/product_name'),
+ 'des_key': node.metadata.get('roundcube/des_key'),
+ 'database': node.metadata.get('roundcube/database'),
+ 'plugins': node.metadata.get('roundcube/plugins'),
 },
- '/opt/roundcube/plugins/password/config.inc.php': {
- 'source': 'password.config.inc.php',
- 'content_type': 'mako',
- 'context': {
- 'mailserver_db_password': node.metadata.get('mailserver/database/password'),
- },
- 'needs': [
- 'action:chown_roundcube',
- ],
+ 'needs': [
+ 'action:chown_roundcube',
+ ],
+}
+files['/opt/roundcube/plugins/password/config.inc.php'] = {
+ 'source': 'password.config.inc.php',
+ 'content_type': 'mako',
+ 'context': {
+ 'mailserver_db_password': node.metadata.get('mailserver/database/password'),
 },
+ 'needs': [
+ 'action:chown_roundcube',
+ ],
 }
 actions['composer_install'] = {
diff --git a/bundles/zfs/items.py b/bundles/zfs/items.py
index e4e5430..6ff4e86 100644
--- a/bundles/zfs/items.py
+++ b/bundles/zfs/items.py
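Review bot: Neither rewritten file item sets `owner`, `group` or `mode`, so config.inc.php (carrying `des_key`) and the password plugin config (carrying the mailserver database password) are created with bundlewrap's file defaults, which are world-readable; and because both `needs` `action:chown_roundcube`, they are written after that action has run and are not corrected by it. Adding `'mode': '0640'` plus the owner/group the PHP worker runs as — presumably the account used by `chown_roundcube`, which sits before this hunk — keeps both secrets readable only by the service. The restructuring itself is behaviour-neutral; the gap existed in the old dict too, and this rewrite is the natural moment to close it.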
@@ -2,12 +2,12 @@ from json import dumps
 from bundlewrap.metadata import MetadataJSONEncoder
 files = {
- '/etc/cron.d/zfsutils-linux': {'delete': True},
- '/etc/cron.d/zfs-auto-snapshot': {'delete': True},
- '/etc/cron.hourly/zfs-auto-snapshot': {'delete': True},
- '/etc/cron.daily/zfs-auto-snapshot': {'delete': True},
- '/etc/cron.weekly/zfs-auto-snapshot': {'delete': True},
- '/etc/cron.monthly/zfs-auto-snapshot': {'delete': True},
+ '/etc/cron.d/zfsutils-linux': {'delete': True, 'needs': {'pkg_apt:zfs-auto-snapshot'}},
+ '/etc/cron.d/zfs-auto-snapshot': {'delete': True, 'needs': {'pkg_apt:zfs-auto-snapshot'}},
+ '/etc/cron.hourly/zfs-auto-snapshot': {'delete': True, 'needs': {'pkg_apt:zfs-auto-snapshot'}},
+ '/etc/cron.daily/zfs-auto-snapshot': {'delete': True, 'needs': {'pkg_apt:zfs-auto-snapshot'}},
+ '/etc/cron.weekly/zfs-auto-snapshot': {'delete': True, 'needs': {'pkg_apt:zfs-auto-snapshot'}},
+ '/etc/cron.monthly/zfs-auto-snapshot': {'delete': True, 'needs': {'pkg_apt:zfs-auto-snapshot'}},
 '/etc/modprobe.d/zfs.conf': {
 'content': '\n'.join(
 f'option zfs {k}={v}'
diff --git a/groups/all.py b/groups/all.py
index 5169847..89a8eda 100644
--- a/groups/all.py
+++ b/groups/all.py
@@ -7,7 +7,7 @@
 'metadata': {
 'dns': {},
 'nameservers': {
- '10.0.10.2',
+ '10.0.11.3',
 },
 'users': {
 'root': {
@@ -18,7 +18,7 @@
 },
 },
 'letsencrypt': {
- 'acme_node': 'htz.mails',
+ 'acme_node': 'netcup.mails',
 },
 }
 }
diff --git a/groups/os/linux.py b/groups/os/linux.py
index c199306..db3ebd0 100644
--- a/groups/os/linux.py
+++ b/groups/os/linux.py
@@ -22,7 +22,7 @@
 },
 },
 'hosts': {
- '10.0.10.2': [
+ '10.0.11.3': [
 'resolver.name',
 'first.resolver.name',
 'second.resolver.name',
diff --git a/nodes/home.server.py b/nodes/home.server.py
index 0fb5849..2d627c3 100644
--- a/nodes/home.server.py
+++ b/nodes/home.server.py
@@ -74,7 +74,7 @@
 'wireguard': {
 'my_ip': '172.30.0.2/32',
 's2s': {
- 'htz.mails': {
+ 'netcup.mails': {
 'allowed_ips': [
 '10.0.10.0/24',
 '10.0.11.0/24',
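Review bot: `/etc/cron.d/zfsutils-linux` is installed by the zfsutils-linux package, not by zfs-auto-snapshot, so ordering its deletion after `pkg_apt:zfs-auto-snapshot` only guarantees the right order if that package happens to pull zfsutils-linux in first; if a `pkg_apt:zfsutils-linux` item exists in this bundle (the package items are outside the hunk), the first entry should read `'/etc/cron.d/zfsutils-linux': {'delete': True, 'needs': {'pkg_apt:zfsutils-linux'}},`. The five zfs-auto-snapshot paths differ only in the cron directory; a comprehension over `('d', 'hourly', 'daily', 'weekly', 'monthly')` would avoid repeating the literal dependency set six times.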
diff --git a/nodes/htz.mails.py b/nodes/netcup.mails.py
similarity index 89%
rename from nodes/htz.mails.py
rename to nodes/netcup.mails.py
index 5e0daa2..0a5429b 100644
--- a/nodes/htz.mails.py
+++ b/nodes/netcup.mails.py
@@ -1,8 +1,7 @@
 {
- 'hostname': '162.55.188.157',
+ 'hostname': '202.61.255.108',
 'groups': [
 'backup',
- 'hetzner-cloud',
 'debian-11',
 'mailserver',
 'monitored',
@@ -19,14 +18,14 @@
 'id': 'ea29bdf0-0b47-4bf4-8346-67d60c9dc4ae',
 'network': {
 'internal': {
- 'interface': 'ens10',
- 'ipv4': '10.0.10.2/32',
+ 'interface': 'eth1',
+ 'ipv4': '10.0.11.3/24',
 },
 'external': {
 'interface': 'eth0',
- 'ipv4': '162.55.188.157/32',
- 'ipv6': '2a01:4f8:1c1c:4121::2/64',
- 'gateway4': '172.31.1.1',
+ 'ipv4': '202.61.255.108/22',
+ 'gateway4': '202.61.252.1',
+ 'ipv6': '2a03:4000:55:a89::2/64',
 'gateway6': 'fe80::1',
 }
 },
@@ -49,15 +48,15 @@
 },
 'dns': {
 'ckn.li': {
- 'A': ['162.55.188.157'],
+ 'A': ['202.61.255.108'],
 'AAAA': ['2a01:4f8:1c1c:4121::2'],
 },
 'sublimity.de': {
- 'A': ['162.55.188.157'],
+ 'A': ['202.61.255.108'],
 'AAAA': ['2a01:4f8:1c1c:4121::2'],
 },
 'freibrief.net': {
- 'A': ['162.55.188.157'],
+ 'A': ['202.61.255.108'],
 'AAAA': ['2a01:4f8:1c1c:4121::2'],
 },
 },
@@ -127,12 +126,12 @@
 },
 'roundcube': {
 'product_name': 'Sublimity Mail',
- 'version': '1.5-rc',
+ 'version': '1.5.0',
 'installer': True,
 },
 'vm': {
- 'cores': 2,
- 'ram': 8096,
+ 'cores': 4,
+ 'ram': 16384,
 },
 'wireguard': {
 'my_ip': '172.30.0.1/24',
@@ -171,7 +170,7 @@
 'pools': {
 'tank': {
 'devices': [
- '/dev/disk/by-id/scsi-0QEMU_QEMU_HARDDISK_drive-scsi0-0-0-0-part2',
+ '/dev/sda4',
 ],
 },
 },
diff --git a/nodes/netcup.secondary.py b/nodes/netcup.secondary.py
index 313c6e3..5de7fda 100644
--- a/nodes/netcup.secondary.py
+++ b/nodes/netcup.secondary.py
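Review bot: The three `A` records move to 202.61.255.108, but every `AAAA` still holds 2a01:4f8:1c1c:4121::2, the address this node gives up in the `network.external` hunk above (now 2a03:4000:55:a89::2/64). Until the old provider reassigns that address this is a partial outage for IPv6-preferring clients and MX lookups on ckn.li, sublimity.de and freibrief.net; after it is reassigned, the records point at a host the operator no longer controls — a dangling-record exposure. Each of the three should read `'AAAA': ['2a03:4000:55:a89::2'],`, or better, derive both record sets from `network/external` in metadata so they cannot diverge on the next move.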
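Review bot: `/dev/sda4` is a kernel enumeration name and is not guaranteed stable across reboots or when a disk is attached, unlike the `/dev/disk/by-id/...` path it replaces; with a single-device pool a shift would leave `tank` unimportable at boot. Prefer a stable alias taken from the new host, e.g. `'/dev/disk/by-id/<DEVICE-ID>-part4'` (placeholder — read the real id from `/dev/disk/by-id` on the node) or a `/dev/disk/by-partuuid/...` path.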
@@ -24,17 +24,17 @@
 },
 },
 'bind': {
- 'master_node': 'htz.mails',
+ 'master_node': 'netcup.mails',
 'hostname': 'second.resolver.name',
 },
 # 'postfix': {
- # 'master_node': 'htz.mails',
+ # 'master_node': 'netcup.mails',
 # 'hostname': 'mail2.sublimity.de',
 # },
 'wireguard': {
 'my_ip': '172.30.0.3/32',
 's2s': {
- 'htz.mails': {
+ 'netcup.mails': {
 'allowed_ips': [
 '10.0.0.0/24',
 '10.0.2.0/24',
diff --git a/nodes/wb.offsite-backups.py b/nodes/wb.offsite-backups.py
index 7c80da8..ec77062 100644
--- a/nodes/wb.offsite-backups.py
+++ b/nodes/wb.offsite-backups.py
@@ -38,7 +38,7 @@
 'wireguard': {
 'my_ip': '172.30.0.4/32',
 's2s': {
- 'htz.mails': {
+ 'netcup.mails': {
 'allowed_ips': [
 '10.0.0.0/24',
 '10.0.2.0/24',