Commit graph

947 commits

Author SHA1 Message Date
433c403ddc
left4me: validate sudoers file with visudo before install
A malformed /etc/sudoers.d/left4me would lock sudo on the target
(blast radius: every other bundle using sudo at apply time). bw's
file: items support test_with, which runs the supplied command on the
locally-rendered file before transfer. Use it to gate the sudoers
file on visudo -cf — analogous to the visudo -cf check the original
deploy script ran inline (deploy-test-server.sh:186).
2026-05-10 17:29:01 +02:00
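The test_with gate this commit relies on, as an added Python example (not bundlewrap's own code and not this repo's items.py): the rendered content goes to a local temp file, its path is substituted for the `{}` placeholder the way bw does it, the validator runs, and a non-zero exit refuses the item before anything reaches the node. Assumptions: the sudoers rule and helper path are constructed samples; where `visudo` is not on PATH a stand-in validator that only checks paren balance is used so the mechanics can still be exercised, and that stand-in is not a sudoers check.

```python
import os
import shlex
import shutil
import subprocess
import sys
import tempfile

# Constructed samples; the real bundle's rule and helper path differ.
GOOD_SUDOERS = "left4me ALL=(root) NOPASSWD: /usr/local/sbin/left4me-helper\n"
# Deliberately malformed: the runas spec "(root" is never closed. Installed
# as-is, this would make sudo reject the whole sudoers set on the target.
BAD_SUDOERS = "left4me ALL=(root NOPASSWD: /usr/local/sbin/left4me-helper\n"

# What the commit puts on the item: visudo -cf on the locally rendered copy.
SUDOERS_TEST_WITH = "visudo -cf {}"

# Stand-in for sandboxes without visudo (assumption: sys.executable accepts -c).
# It only compares '(' and ')' counts, enough to tell the two samples apart;
# it is NOT a sudoers validator.
FALLBACK_TEST_WITH = (
    shlex.quote(sys.executable)
    + " -c \"import sys; s = open(sys.argv[1]).read(); "
    "sys.exit(0 if s.count('(') == s.count(')') else 1)\" {}"
)


def visudo_available() -> bool:
    return shutil.which("visudo") is not None


def run_test_with(content: str, test_with: str) -> tuple[bool, str]:
    """Emulate bw's file: test_with semantics.

    Writes `content` to a temp file, replaces every {} token in `test_with`
    with that path, runs the command without a shell, and reports
    (passed, output). A missing validator counts as a failure too: a gate
    that cannot run must not silently let the file through.
    """
    with tempfile.NamedTemporaryFile("w", delete=False) as fh:
        fh.write(content)
        path = fh.name
    try:
        cmd = [tok.replace("{}", path) for tok in shlex.split(test_with)]
        try:
            proc = subprocess.run(cmd, capture_output=True, text=True)
        except FileNotFoundError:
            return False, f"test_with command not found: {cmd[0]}"
        return proc.returncode == 0, proc.stdout + proc.stderr
    finally:
        os.unlink(path)


def gate_sudoers(content: str) -> bool:
    """True only if the rendered sudoers drop-in passes its validator."""
    test_with = SUDOERS_TEST_WITH if visudo_available() else FALLBACK_TEST_WITH
    ok, _output = run_test_with(content, test_with)
    return ok


if __name__ == "__main__":
    for label, body in (("good", GOOD_SUDOERS), ("bad", BAD_SUDOERS)):
        print(label, "->", "accepted" if gate_sudoers(body) else "refused")
```

Running the script prints `good -> accepted` and `bad -> refused`; with `visudo` on PATH the refusal comes from `visudo -cf` itself, otherwise from the stand-in.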
80d2a79b97
left4me: declare directories, users, files, sysctl-reload action
Modes/owners match the upstream left4me deploy script:
  helpers          0755 root:root
  sudoers.d/left4me 0440 root:root (validated with visudo -cf)
  sysctl conf      0644 root:root  (triggers sysctl --system)
  sandbox-resolv   0644 root:root
  /etc/left4me/host.env  0644 root:root  (Mako)
  /etc/left4me/web.env   0640 root:left4me (Mako, contains SECRET_KEY)
  /var/lib/left4me 0711 left4me:left4me (l4d2-sandbox traversal)
UIDs/GIDs pinned at 980/981 for deterministic ownership.
2026-05-10 17:23:03 +02:00
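The ownership table above is the kind of thing that drifts silently when an item is edited later, so here is an added Python example (not this repo's code) of a lint over declared file items: sudoers drop-ins must be exactly 0440 root:root, nothing may be world-writable, and an item flagged as secret-bearing (web.env with SECRET_KEY) must not be readable or writable by "other" nor group-writable. Assumptions: the `secret` flag is invented for this example, the real items.py has no such key; the item dicts are a constructed copy of the commit's table plus a deliberately wrong variant so the lint is seen firing.

```python
# Constructed from the commit's table; the "secret" key is an assumption.
ITEMS = {
    "/etc/sudoers.d/left4me": {"mode": "0440", "owner": "root", "group": "root"},
    "/etc/sysctl.d/left4me.conf": {"mode": "0644", "owner": "root", "group": "root"},
    "/etc/left4me/host.env": {"mode": "0644", "owner": "root", "group": "root"},
    "/etc/left4me/web.env": {
        "mode": "0640", "owner": "root", "group": "left4me", "secret": True,
    },
}

# Same set with two regressions: sudoers loosened, web.env world-readable.
ITEMS_WRONG = {
    **ITEMS,
    "/etc/sudoers.d/left4me": {"mode": "0644", "owner": "root", "group": "root"},
    "/etc/left4me/web.env": {
        "mode": "0644", "owner": "root", "group": "left4me", "secret": True,
    },
}

OTHER_ANY = 0o007      # r/w/x for "other"
OTHER_WRITE = 0o002
GROUP_WRITE = 0o020


def parse_mode(mode: str) -> int:
    """bw modes are octal strings like '0440'."""
    return int(mode, 8)


def violations_for(path: str, spec: dict) -> list[str]:
    mode = parse_mode(spec["mode"])
    owner = spec.get("owner", "root")
    group = spec.get("group", "root")
    found = []

    if mode & OTHER_WRITE:
        found.append(f"{path}: world-writable ({spec['mode']})")

    # sudo treats drop-ins with wrong mode/owner as a problem; pin them exactly.
    if path.startswith("/etc/sudoers.d/") and (mode, owner, group) != (0o440, "root", "root"):
        found.append(
            f"{path}: sudoers drop-in must be 0440 root:root, "
            f"got {spec['mode']} {owner}:{group}"
        )

    if spec.get("secret"):
        if mode & OTHER_ANY:
            found.append(f"{path}: carries a secret but is accessible to other ({spec['mode']})")
        if mode & GROUP_WRITE:
            found.append(f"{path}: carries a secret but is group-writable ({spec['mode']})")
        if owner != "root":
            found.append(f"{path}: secret-bearing file should stay root-owned, got {owner}")

    return found


def audit_modes(items: dict) -> list[str]:
    """Flat, path-sorted list of findings; empty means the table is clean."""
    return [v for path, spec in sorted(items.items()) for v in violations_for(path, spec)]


if __name__ == "__main__":
    print("declared table:", audit_modes(ITEMS) or "clean")
    for finding in audit_modes(ITEMS_WRONG):
        print("regressed table:", finding)
```

This repo already keeps checks in hooks/ (hooks/test_ptr_records.py); a lint like this would fit the same place, run over the bundle's `files` dict, so a later mode change fails `bw test` rather than shipping.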
e842e7caa6
left4me: wire LEFT4ME_PORT_RANGE_{START,END} into web.env
Bundle metadata declares port_range_start/end in defaults, but the
running app (l4d2web/config.py:34-35) reads them from
LEFT4ME_PORT_RANGE_START/END env vars. Without these in web.env, the
bundle's metadata values were dead code and the app fell back to its
own hardcoded defaults. Wiring them through closes the loop.
2026-05-10 17:19:02 +02:00
3afd4d60cc
left4me: add Mako templates for host.env and web.env
SECRET_KEY pulled from node metadata (set via !32_random_bytes_as_base64_for:
in the node file). SESSION_COOKIE_SECURE flips to true since nginx fronts
gunicorn with TLS.
2026-05-10 17:14:36 +02:00
6db792ce6a
left4me: vendor privileged helpers + sudoers/sysctl/sandbox-resolv
Copied verbatim from left4me/deploy/files/. Helpers are the trust unit
the sudoers rules grant access to; left as static files (not generated)
so the audit trail stays grep-able. Modes/owners are set via items.py
in the next commit.
2026-05-10 17:10:17 +02:00
7547d041a2
left4me: scaffold bundle (items/metadata/README stubs)
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-10 17:05:13 +02:00
cc1c6a5767
systemd: accept .slice extension in unit-file routing
Slices are a standard systemd unit type; the existing routing only
covered timer/service/mount/swap/target and raised on .slice. Same
install path (/usr/local/lib/systemd/system/<name>) and same
systemd-reload trigger as the other unit kinds.
2026-05-10 17:00:45 +02:00
9e1bb2ac45
docs: per-bundle docs are README.md, not AGENTS.md
drops the per-bundle AGENTS.md convention and the rigid template
that went with it. each bundle has (or gets) one README.md that
serves humans and agents both.

bundles/AGENTS.md now has a "Per-bundle README" section pointing
at the more substantial existing READMEs (flask, dm-crypt, apt,
nextcloud) for orientation, plus loose guidance on what to cover
and what to skip. no required structure — match the bundle's
actual surface.

removes bundles/AGENTS.template.md; the template was prescriptive
in a way that wouldn't survive contact with this repo's actual
bundles, where READMEs range from one-paragraph balanced docs to
operational scratchpads.

phase-2 seed-bundle work stays deferred and will land as plain
README updates when bundles are materially edited.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-10 16:02:24 +02:00
04558a9189
docs: scaffold agent-friendly entry points (Phase 1)
introduces a balanced set of agent + human docs:

- root AGENTS.md (with CLAUDE.md symlink) — 5-rule quickstart,
  layout map, mental model, use-case keyed example pointers.
- docs/agents/conventions.md — vault/demagify, eval-loader
  constraints, group inheritance, naming, do-not-touch list,
  suspension idioms, working-style notes.
- docs/agents/commands.md — repo-specific deltas to the fork's
  bw runbook (apt-key offline-verify, *.py_ suspended-node
  visibility, vault-echo rule).
- per-area AGENTS.md for bundles/, nodes/, groups/, libs/,
  hooks/, data/, items/, bin/ — mechanism-focused, no enumeration.
- bundles/AGENTS.template.md — per-bundle doc template with
  optional `## Writes into` section for cross-namespace reactors.

bundlewrap-language reference (item types, dep keywords, reactors,
runbook, three-tier safety envelope) is not duplicated here; we
link out to the fork's AGENTS.md instead.

bw test still green. all internal links resolve. Phase 0 invariants
preserved (libs/hooks docstrings, bin/* # purpose: headers).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-10 15:44:45 +02:00
186d5039af
migrate to bundlewrap 5
- pin bundlewrap ~=5.0
- rewrite non-reading and KeyError-driven metadata reactors per
  https://docs.bundlewrap.org/guide/migrate_45/ (defaults / metadata.get
  paths / MetadataUnavailable)
- rename custom Download item methods (cdict/sdict/get_auto_deps ->
  expected_state/actual_state/get_auto_attrs)

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-10 11:56:49 +02:00
7f20c94db8
telegraf deprecations 2026-03-09 12:29:24 +01:00
a7c7aaf330
nc preview:pre-generate --no-interaction -vvv 2026-03-09 12:02:56 +01:00
2899cd50c8
nextcloud timer and docs 2026-03-09 12:01:01 +01:00
b62649cae0
nc picsort in python 2026-03-09 11:59:47 +01:00
cb19c38376
update home.server to trixie 2026-03-07 14:41:59 +01:00
bf38520b49
comment out slow download workshop maps 2026-03-07 14:41:12 +01:00
326f2aa44d
parallel picsort 2026-03-07 11:37:49 +01:00
a397399e5f
l4d readme 2026-02-10 19:38:35 +01:00
0d35bc2e6c
linux relax icmp ratelimit 2026-02-10 19:38:14 +01:00
969f9af83f
l4d2 rename vanilla to standard 2026-02-10 19:37:49 +01:00
5fab21be13
apt install ca-certificates 2026-02-10 19:37:33 +01:00
ac8e7e2733
delete old l4d bundles 2026-02-10 19:37:27 +01:00
985a15e5c7
wol waker only allow wakeonlan command 2026-01-11 14:52:46 +01:00
59dd4c5877
bundles/telegraf/metadata.py: relax telegraf collection 2026-01-11 14:17:34 +01:00
6ac8118002
bundles/left4dead2/items.py: fix apt deps 2026-01-11 14:11:47 +01:00
a6290244e5
bundles/roundcube/files/config.inc.php: smtp use domain name from cert instead of localhost 2026-01-11 11:32:36 +01:00
7ea760d5eb
hooks/test_ptr_records.py: introduce 2026-01-11 10:18:21 +01:00
a0f5f80a16
bundles/routeros-monitoring/metadata.py: typo 2026-01-11 09:51:24 +01:00
a8b295b551
bundles/routeros-monitoring/metadata.py: use monitoring from isac 2026-01-11 09:49:51 +01:00
49594610d3
bundles/telegraf/items.py: use new bundle from isac 2026-01-11 09:44:16 +01:00
982a27739a
bundles/routeros-monitoring/items.py: don't show mib diff 2025-12-30 11:10:56 +01:00
f5580e14ae
bundles/routeros-monitoring/metadata.py: removed field in favor of table, it didn't seem to deliver anything anyway 2025-12-30 13:34:22 +01:00
e519bdd3ee
bundles/routeros-monitoring/metadata.py: one input for all switches, one agent per switch 2025-12-30 13:19:46 +01:00
9415167ba5
add interface alias to interface_errors 2025-12-30 12:25:05 +01:00
1dc6fab755
routeros better port error monitoring 2025-12-16 17:53:03 +01:00
78a8abc39a
data/routeros-monitoring/files/mikrotik.mib: move to bundle bc why not 2025-12-16 17:14:26 +01:00
53c8615f25
bundles/routeros-monitoring/metadata.py: get interface stats from mikrotik specific mib 2025-12-16 16:46:38 +01:00
bd639cd6cb
routeros_health 2025-12-13 18:47:43 +01:00
75657d2423
more routeros grafana 2025-12-13 16:29:20 +01:00
4a4167e0b6
routeros grafana discards and errors 2025-12-13 15:31:09 +01:00
8539f59302
mikrotik snmp monitoring 2025-12-13 15:02:37 +01:00
8066efb923
routeros: also add comment to interface 2025-12-03 22:34:11 +01:00
08b8f03661
bundles/routeros/items.py: actually manage ports (pvid was crucial) 2025-12-03 22:04:45 +01:00
487fdffd91
update some apt keys 2025-12-01 22:44:40 +01:00
a12edcd360
more workshop maps 2025-12-01 20:57:45 +01:00
5620c199a9
l4d refactor workshop downloads 2025-11-04 22:56:51 +01:00
08d99bf714
l4d fixes 2025-11-04 19:35:23 +01:00
ebe76358ce
l4d workshop maps overlay 2025-11-04 19:27:58 +01:00
47b69f0530
l4d items stop script 2025-11-04 19:27:42 +01:00
f46bae2372
fix path 2025-10-30 09:23:46 +01:00
bcb60def00
l4d purge directories and fix overlay path stuff 2025-10-29 16:51:01 +01:00
03654ef5af
l4d move workshop downloader to scripts 2025-10-29 16:45:50 +01:00
2d59c68004
l4d some more options here and there 2025-10-29 16:28:47 +01:00
7a51040ac0
l4d some options here and there 2025-10-29 16:26:03 +01:00
7f0aeed88a
l4d some tidyups 2025-10-29 16:00:56 +01:00
8391afdac5
l4d make all underlying server.cfg accessible 2025-10-29 15:57:36 +01:00
d91b205a89
l4d setup bring back workshop downloader installation 2025-10-29 15:40:56 +01:00
3311bfbd9f
remove unnecessary conf 2025-10-29 15:14:11 +01:00
351ce246c5
l4d admin system id got mixed up 2025-10-29 15:13:32 +01:00
9572ac822f
l4d2 dynamic overlays 2025-10-29 14:13:31 +01:00
a59d33ec03
l4d overlay split scripts 2025-10-29 13:36:33 +01:00
a9e4013d86
l4d move some config around 2025-10-29 12:57:15 +01:00
19c1945110
l4d config defaults 2025-10-29 12:39:14 +01:00
fb22a015e5
systemd fix dependency overwrite 2025-10-29 12:27:37 +01:00
e6312a2318
l4d start script refactor 2025-10-29 12:25:05 +01:00
776654970e
l4d extra config folder 2025-10-29 11:05:33 +01:00
22f730d5b5
remove artefact 2025-10-29 10:47:21 +01:00
dc614483b5
zonemod autostart 2025-10-29 10:19:53 +01:00
891e29a362
fix vars 2025-10-28 22:54:32 +01:00
2667553cf2
l4d2 COMPETITIVE REWORK 2025-10-28 22:54:05 +01:00
8467803fdd
server config settings 2025-10-28 15:55:14 +01:00
084cf958a0
l4d2: tickrate enabler 2025-10-28 15:34:19 +01:00
841f523f73
bootshorn stuff 2025-08-24 15:23:17 +02:00
504089427d
bootshorn records use temp file 2025-08-24 13:34:01 +02:00
3469d98a43
the next l4d2 server iteration, this time more simple and kinda working 2025-08-24 13:33:05 +02:00
725d5292b2
must set number to not screw bw comparison 2025-08-10 15:39:45 +02:00
9161a2501c
vmail set recordsize 2025-08-10 15:34:41 +02:00
9b3f856eb0
mailserver zfs params 2025-08-10 15:33:21 +02:00
9621184bd8
htz.mails debian 13 2025-08-10 15:10:46 +02:00
2f263476d3
fix sysctl 2025-08-09 23:31:29 +02:00
70b17657a1
update router 2025-08-09 23:08:06 +02:00
b8389352ec
don't purge sudoers 2025-08-09 22:46:01 +02:00
7586d4ff29
remove unnecessary locales 2025-08-09 22:45:19 +02:00
278f6de6f5
l4d readme updates 2025-08-09 22:26:48 +02:00
3bcd2be520
network remove netplan 2025-08-09 21:33:35 +02:00
7eac09e547
ovh.secondary cake 2025-08-09 21:33:26 +02:00
5fb1ee54b9
less annoying root passwords 2025-08-09 21:32:23 +02:00
81b17b389f
ovh.secondary l4d readme 2025-08-09 19:13:00 +02:00
57675c08eb
new ovh.secondary 2025-08-09 14:58:27 +02:00
64f869121b
zones.rfc1918 only affect recursive views 2025-08-09 12:46:05 +02:00
c41e6f8240
debian 13 2025-08-09 12:43:59 +02:00
962bd06a32
qdisc-ppp0 partof pppoe-isp 2025-08-03 22:38:12 +02:00
3d6d4d5503
IPv6AcceptRA not via dhcp option 2025-08-03 22:35:56 +02:00
4b22705ff7
pyenv install --skip-existing 2025-08-03 22:35:29 +02:00
983ad1b1ae
fix annoying icingaweb redirect to empty page 2025-07-13 14:04:50 +02:00
849c305d7d
remove obsolete homeassistant supervised 2025-07-13 14:04:31 +02:00
c98b8c6f05
homeassistant letsencrypt 2025-07-13 13:10:37 +02:00
4136f819a5
start service instead of duplicating code 2025-07-13 13:10:19 +02:00
78fe5440a8
change leaked password 2025-07-13 12:45:20 +02:00
951fa63296
bootshorn better temp logging + 2025-07-13 10:13:23 +02:00