nginx use expected dirs and allow websockets in proxy pass

bundles/apt/README.md

@@ -13,6 +13,9 @@
                     'deb',
                     'deb-src',
                 },
+                'options': { # optional
+                    'aarch': 'amd64',
+                },
                 'urls': {
                     'https://deb.debian.org/debian',
                 },

bundles/apt/items.py

@@ -62,6 +62,7 @@ files = {
     '/usr/lib/nagios/plugins/check_apt_upgradable': {
         'mode': '0755',
     },
+    # /etc/kernel/postinst.d/apt-auto-removal
 }
 
 actions = {

bundles/gitea/files/app.ini

@@ -40,7 +40,7 @@ ENABLE_OPENID_SIGNUP = false
 [service]
 REGISTER_EMAIL_CONFIRM = true
 ENABLE_NOTIFY_MAIL = true
-DISABLE_REGISTRATION = false
+DISABLE_REGISTRATION = true
 ALLOW_ONLY_EXTERNAL_REGISTRATION = false
 ENABLE_CAPTCHA = false
 REQUIRE_SIGNIN_VIEW = false

bundles/grafana/metadata.py

@@ -69,6 +69,9 @@ defaults = {
             },
         },
     },
+    'nginx': {
+        'has_websockets': True,
+    },
 }
 
 
@@ -144,6 +147,7 @@ def dns(metadata):
 def nginx(metadata):
     return {
         'nginx': {
+            'has_websockets': True,
             'vhosts': {
                 metadata.get('grafana/hostname'): {
                     'content': 'grafana/vhost.conf',

bundles/nginx/files/nginx.conf

@@ -31,5 +31,13 @@ http {
     }
 
     % endif
-    include /etc/nginx/sites/*;
+
+    % if has_websockets:
+    map $http_upgrade $connection_upgrade {
+        default upgrade;
+        '' close;
+    }
+    % endif
+
+    include /etc/nginx/sites-enabled/*;
 }

bundles/nginx/items.py

@@ -9,7 +9,7 @@ directories = {
             'svc_systemd:nginx:restart',
         },
     },
-    '/etc/nginx/sites': {
+    '/etc/nginx/sites-available': {
         'purge': True,
         'triggers': {
             'svc_systemd:nginx:restart',
@@ -25,6 +25,13 @@ directories = {
         'purge': True,
         'owner': 'www-data',
     },
+
+    # temp
+    '/var/www/certbot': {
+        'owner': 'www-data',
+        'group': 'www-data',
+        'mode': '0755',
+    }
 }
 
 files = {
@@ -33,6 +40,7 @@ files = {
         'context': {
             'modules': node.metadata.get('nginx/modules'),
             'worker_processes': node.metadata.get('vm/cores'),
+            'has_websockets': node.metadata.get('nginx/has_websockets'),
         },
         'triggers': {
             'svc_systemd:nginx:restart',
@@ -75,6 +83,12 @@ files = {
     },
 }
 
+symlinks = {
+    '/etc/nginx/sites-enabled': {
+        'target': '/etc/nginx/sites-available',
+    },
+}
+
 actions = {
     'nginx-generate-dhparam': {
         'command': 'openssl dhparam -dsaparam -out /etc/ssl/certs/dhparam.pem 4096',
@@ -93,7 +107,7 @@ svc_systemd = {
 
 
 for name, config in node.metadata.get('nginx/vhosts').items():
-    files[f'/etc/nginx/sites/{name}'] = {
+    files[f'/etc/nginx/sites-available/{name}'] = {
         'content': Template(filename=join(repo.path, 'data', config['content'])).render(
             server_name=name,
             **config.get('context', {}),
@@ -109,6 +123,6 @@ for name, config in node.metadata.get('nginx/vhosts').items():
     }
 
     if name in node.metadata.get('letsencrypt/domains'):
-        files[f'/etc/nginx/sites/{name}']['needs'].append(
+        files[f'/etc/nginx/sites-available/{name}']['needs'].append(
             f'action:letsencrypt_ensure-some-certificate_{name}',
         )

bundles/nginx/metadata.py

@@ -18,6 +18,7 @@ defaults = {
     'nginx': {
         'vhosts': {},
         'modules': set(),
+        'has_websockets': False,
     },
     'systemd': {
         'units': {

bundles/redis/items.py

@@ -2,12 +2,14 @@ directories = {
     '/etc/redis': {
         'purge': True,
         'owner': 'redis',
+        'mode': '2770',
         'needs': [
             'pkg_apt:redis-server',
         ],
     },
     '/var/lib/redis': {
         'owner': 'redis',
+        'mode': '0750',
         'needs': [
             'pkg_apt:redis-server',
         ],

data/grafana/vhost.conf

@@ -1,8 +1,3 @@
-map $http_upgrade $connection_upgrade {
-  default upgrade;
-  '' close;
-}
-
 server {
   listen 443 ssl http2;
   listen [::]:443 ssl http2;

data/nginx/proxy_pass.conf

@@ -8,6 +8,10 @@ server {
 
     location / {
         proxy_set_header   X-Real-IP          $remote_addr;
+% if websockets:
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection $connection_upgrade;
+% endif
         proxy_pass ${target};
     }
 }

groups.py

@@ -6,4 +6,8 @@ for root, dirs, files in walk(join(repo_path, "groups")):
         if filename.endswith(".py"):
             group = join(root, filename)
             with open(group, 'r', encoding='utf-8') as f:
+                try:
                     groups[splitext(basename(filename))[0]] = eval(f.read())
+                except:
+                    print(f"Error parsing {group}:")
+                    raise

libs/rsa.py

@@ -1,12 +1,10 @@
 # https://stackoverflow.com/a/18266970
 
 from Crypto.PublicKey import RSA
-from Crypto.Hash import HMAC
 from struct import pack
 from hashlib import sha3_512
 from cryptography.hazmat.primitives.serialization import load_der_private_key
 from functools import cache
-from cache_to_disk import cache_to_disk
 
 
 class PRNG(object):
@@ -22,7 +20,6 @@ class PRNG(object):
         return result
 
 
-@cache_to_disk(30)
 def _generate_deterministic_rsa_private_key(secret_bytes):
     return RSA.generate(2048, randfunc=PRNG(secret_bytes)).export_key('DER')
 

nodes/wb.offsite-backups.py

@@ -1,4 +1,5 @@
 {
+    'dummy': True,
     'hostname': '192.168.179.20',
     'groups': [
         'debian-12',

requirements.txt

@@ -3,5 +3,4 @@ pycryptodome
 PyNaCl
 PyYAML
 pyqrcode
-cache_to_disk
 setuptools