nginx use expected dirs and allow websockets in proxy pass

gitea disable registration
maybe keep etc/kernel/postinst.d/apt-auto-removal?
2025-06-22 09:49:27 +02:00 · 2025-06-22 09:40:41 +02:00 · 2025-06-22 09:40:26 +02:00 · 2025-06-22 09:40:13 +02:00 · 2025-06-22 09:37:16 +02:00 · 2025-06-22 09:36:56 +02:00
22 changed files with 15 additions and 382 deletions
--- a/bundles/kea-dhcpd/items.py
+++ b/bundles/kea-dhcpd/items.py
@ -15,7 +15,7 @@ svc_systemd = {
        'needs': [
            'pkg_apt:kea-dhcp4-server',
            'file:/etc/kea/kea-dhcp4.conf',
-            'svc_systemd:systemd-networkd.service:restart',
+            'svc_systemd:systemd-networkd:restart',
        ],
    },
 }
--- a/bundles/mariadb/items.py
+++ b/bundles/mariadb/items.py
@ -11,7 +11,7 @@ directories = {
        'needs': [
            'zfs_dataset:tank/mariadb',
        ],
-        'needs': [
+        'needed_by': [
            'pkg_apt:mariadb-server',
            'pkg_apt:mariadb-client',
        ],
--- a/bundles/mariadb/metadata.py
+++ b/bundles/mariadb/metadata.py
@ -3,12 +3,12 @@ defaults = {
        'packages': {
            'mariadb-server': {
                'needs': {
-                    #'zfs_dataset:tank/mariadb',
+                    'zfs_dataset:tank/mariadb',
                },
            },
            'mariadb-client': {
                'needs': {
-                    #'zfs_dataset:tank/mariadb',
+                    'zfs_dataset:tank/mariadb',
                },
            },
        },
--- a/bundles/proxmox-ve/items.py
+++ b/bundles/proxmox-ve/items.py
@ -1,21 +0,0 @@
 files = {
    '/etc/apt/apt.conf.d/10pveapthook': {
        'content_type': 'any',
        'mode': '0644',
    },
    '/etc/apt/apt.conf.d/76pveconf': {
        'content_type': 'any',
        'mode': '0444',
    },
    '/etc/apt/apt.conf.d/76pveproxy': {
        'content_type': 'any',
        'mode': '0444',
    },
    '/etc/network/interfaces': {
        'content_type': 'any',
    },
 }
 symlinks['/etc/ssh/ssh_host_rsa_key.pub'] = {
    'target': '/etc/ssh/ssh_host_managed_key.pub',
 }
--- a/bundles/proxmox-ve/metadata.py
+++ b/bundles/proxmox-ve/metadata.py
@ -1,98 +0,0 @@
 defaults = {
    'apt': {
        'packages': {
            'linux-image-amd64': {
                'installed': False,
            },
            'proxmox-default-kernel': {},
            # after reboot
            'proxmox-ve': {},
            'postfix': {},
            'open-iscsi': {},
            'chrony': {},
            'os-prober': {
                'installed': False,
            },
        },
        'sources': {
            'proxmox-ve': {
                'options': {
                    'aarch': 'amd64',
                },
                'urls': {
                    'http://download.proxmox.com/debian/pve',
                },
                'suites': {
                    '{codename}',
                },
                'components': {
                    'pve-no-subscription',
                },
                'key': 'proxmox-ve-{codename}',
            },
        },
    },
    # 'nftables': {
    #     'input': {
    #         'tcp dport 8006 accept',
    #     },
    # },
    'zfs': {
        'datasets': {
            'tank/proxmox-ve': {
                'mountpoint': '/var/lib/proxmox-ve',
            },
        }
    }
 }
 # @metadata_reactor.provides(
 #     'systemd',
 # )
 # def bridge(metadata):
 #     return {
 #         'systemd': {
 #             'units': {
 #                 # f'internal.network': {
 #                 #     'Network': {
 #                 #         'Bridge': 'br0',
 #                 #     },
 #                 # },
 #                 'br0.netdev': {
 #                     'NetDev': {
 #                         'Name': 'br0',
 #                         'Kind': 'bridge'
 #                     },
 #                 },
 #                 'br0.network': {
 #                     'Match': {
 #                         'Name': 'br0',
 #                     },
 #                     'Network': {
 #                         'Unmanaged': 'yes'
 #                     },
 #                 },
 #             },
 #         },
 #     }
@metadata_reactor.provides(
    'nginx/vhosts',
 )
 def nginx(metadata):
    return {
        'nginx': {
            'has_websockets': True,
            'vhosts': {
                metadata.get('proxmox-ve/domain'): {
                    'content': 'nginx/proxy_pass.conf',
                    'context': {
                        'target': 'https://localhost:8006',
                        'websockets': True,
                    }
                },
            },
        },
    }
--- a/bundles/systemd-networkd/files/resolv.conf
+++ b/bundles/systemd-networkd/files/resolv.conf
@ -1,3 +1,3 @@
 % for nameserver in sorted(node.metadata.get('nameservers')):
-nameserver 8.8.8.8
+nameserver ${nameserver}
 % endfor
--- a/bundles/systemd-networkd/items.py
+++ b/bundles/systemd-networkd/items.py
@ -1,6 +1,9 @@
 assert node.has_bundle('systemd')
 files = {
    '/etc/network/interfaces': {
        'delete': True,
    },
    '/etc/resolv.conf': {
        'content_type': 'mako',
    },
@ -16,11 +19,5 @@ directories = {
 }
 svc_systemd = {
-    'systemd-networkd.service': {},
+    'systemd-networkd': {},
 }
 if not node.has_bundle('proxmox-ve'):
    files['/etc/network/interfaces'] = {
        'delete': True,
    }
--- a/bundles/systemd/items.py
+++ b/bundles/systemd/items.py
@ -24,10 +24,10 @@ for name, unit in node.metadata.get('systemd/units').items():
        path = f'/etc/systemd/network/{name}'
        dependencies = {
            'needed_by': [
-                'svc_systemd:systemd-networkd.service',
+                'svc_systemd:systemd-networkd',
            ],
            'triggers': [
-                'svc_systemd:systemd-networkd.service:restart',
+                'svc_systemd:systemd-networkd:restart',
            ],
        }
    elif extension in ['timer', 'service', 'mount', 'swap', 'target']:
--- a/bundles/wireguard/metadata.py
+++ b/bundles/wireguard/metadata.py
@ -12,7 +12,7 @@ defaults = {
            'wireguard': {
                'backports': node.os_version < (11,),
                'triggers': [
-                    'svc_systemd:systemd-networkd.service:restart',
+                    'svc_systemd:systemd-networkd:restart',
                ],
            },
        },
--- a/bundles/yourls/files/config.php
+++ b/bundles/yourls/files/config.php
@ -1,24 +0,0 @@
 <?php
 define( 'YOURLS_DB_USER', 'yourls' );
 define( 'YOURLS_DB_PASS', '${db_password}' );
 define( 'YOURLS_DB_NAME', 'yourls' );
 define( 'YOURLS_DB_HOST', 'localhost' );
 define( 'YOURLS_DB_PREFIX', 'yourls_' );
 define( 'YOURLS_SITE', 'https://${hostname}' );
 define( 'YOURLS_LANG', '' );
 define( 'YOURLS_UNIQUE_URLS', true );
 define( 'YOURLS_PRIVATE', true );
 define( 'YOURLS_COOKIEKEY', '${cookiekey}' );
 $yourls_user_passwords = [
 % for username, password in users.items():
 	'${username}' => '${password}',
 % endfor
 ];
 define( 'YOURLS_URL_CONVERT', 36 );
 define( 'YOURLS_DEBUG', false );
 $yourls_reserved_URL = [];
--- a/bundles/yourls/items.py
+++ b/bundles/yourls/items.py
@ -1,41 +0,0 @@
 directories = {
    '/var/www/yourls/htdocs': {
        'owner': 'www-data',
        'group': 'www-data',
        'mode': '0755',
    },
 }
 git_deploy = {
    '/var/www/yourls/htdocs': {
        'repo': 'https://github.com/YOURLS/YOURLS.git',
        'rev': node.metadata.get('yourls/version'),
        'needs': [
            'directory:/var/www/yourls/htdocs',
        ],
        'triggers': [
            'svc_systemd:nginx:restart',
        ],
    },
 }
 files = {
    f'/var/www/yourls/htdocs/user/config.php': {
        'content_type': 'mako',
        'mode': '0440',
        'owner': 'www-data',
        'group': 'www-data',
        'context': {
            'db_password': node.metadata.get('mariadb/databases/yourls/password'),
            'hostname': node.metadata.get('yourls/hostname'),
            'cookiekey': node.metadata.get('yourls/cookiekey'),
            'users': node.metadata.get('yourls/users'),
        },
        'needs': [
            'git_deploy:/var/www/yourls/htdocs',
        ],
        'triggers': [
            'svc_systemd:nginx:restart',
        ],
    },
 }
--- a/bundles/yourls/metadata.py
+++ b/bundles/yourls/metadata.py
@ -1,42 +0,0 @@
 defaults = {
    'mariadb': {
        'databases': {
            'yourls': {
                'password': repo.vault.random_bytes_as_base64_for(f'{node.name} yourls DB', length=32).value,
            },
        },
    },
 }
@metadata_reactor.provides(
    'apt/packages',
 )
 def apt(metadata):
    php_version = metadata.get('php/version')
    return {
        'apt':{
            'packages': {
                f'php{php_version}-mysql': {},
            },
        },
    }
@metadata_reactor.provides(
    'nginx/vhosts',
 )
 def nginx(metadata):
    return {
        'nginx': {
            'vhosts': {
                metadata.get('yourls/hostname'): {
                    'content': 'yourls/vhost.conf',
                    'context': {
                        'php_version': metadata.get('php/version'),
                    },
                },
            },
        },
    }
--- a/data/apt/keys/proxmox-ve-bookworm.gpg
+++ b/data/apt/keys/proxmox-ve-bookworm.gpg
--- a/data/yourls/vhost.conf
+++ b/data/yourls/vhost.conf
@ -1,31 +0,0 @@
 server {
  listen 443 ssl http2;
  listen [::]:443 ssl http2;
  server_name ${server_name};
  ssl_certificate /etc/letsencrypt/archive/${server_name}/fullchain1.pem;
  ssl_certificate_key /etc/letsencrypt/archive/${server_name}/privkey1.pem;
  root /var/www/yourls/htdocs;
  location / {
    index index.php index.html index.htm;
    try_files $uri $uri/ /yourls-loader.php$is_args$args;
  }
  location ~ \.php$ {
    include params/fastcgi;
    fastcgi_index index.php;
    fastcgi_pass unix:/run/php/php${php_version}-fpm.sock;
  }
  # temp
  location ^~ /.well-known/acme-challenge/ {
      alias /var/www/certbot/;
  }
 }
 # FIXME: this is a temporary solution to allow the certbot challenge to work:
 # - ssl_certificate
 # - ssl_certificate_key
--- a/groups/os/debian-11.py
+++ b/groups/os/debian-11.py
@ -2,9 +2,6 @@
    'supergroups': [
        'debian',
    ],
    'bundles': [
        'systemd-networkd',
    ],
    'metadata': {
        'php': {
            'version': '7.4',
--- a/groups/os/debian-12-common.py
+++ b/groups/os/debian-12-common.py
@ -1,26 +0,0 @@
 {
    'metadata': {
        'apt': {
            'sources': {
                'debian': {
                    'components': {
                        'non-free-firmware',
                    },
                },
                'debian-security': {
                    'components': {
                        'non-free-firmware',
                    },
                },
            },
        },
        'php': {
            'version': '8.2',
        },
        'postgresql': {
            'version': '15',
        },
        'os_codename': 'bookworm',
    },
    'os_version': (12,),
 }
--- a/groups/os/debian-12-pve.py
+++ b/groups/os/debian-12-pve.py
@ -1,9 +0,0 @@
 {
    'supergroups': [
        'debian',
        'debian-12-common',
    ],
    'bundles': [
        'ifupdown',
    ],
 }
--- a/groups/os/debian-12.py
+++ b/groups/os/debian-12.py
@ -1,10 +1,6 @@
 {
    'supergroups': [
        'debian',
        'debian-12-common',
    ],
    'bundles': [
        'systemd-networkd',
    ],
    'metadata': {
        'apt': {
--- a/groups/os/linux.py
+++ b/groups/os/linux.py
@ -14,6 +14,7 @@
        'system',
        'systemd',
        'systemd-journald',
        'systemd-networkd',
        'systemd-mount',
        'systemd-timers',
        'users',
--- a/nodes/home.router.py
+++ b/nodes/home.router.py
@ -18,7 +18,7 @@
                'interface': 'enx00e04c220682',
                'ipv4': '10.0.99.126/24',
                'gateway4': '10.0.99.1',
-                'vlans': {'iot', 'internet', 'guest', 'rolf', 'internal', 'proxmox'},
+                'vlans': {'iot', 'internet', 'guest', 'rolf', 'internal'},
            },
            'internal': {
                'type': 'vlan',
@ -37,12 +37,6 @@
                'id': 3,
                'ipv4': '10.0.3.1/24',
            },
            'proxmox': {
                'type': 'vlan',
                'id': 4,
                'ipv4': '10.0.4.1/24',
                'dhcp_server': True,
            },
            'guest': {
                'type': 'vlan',
                'id': 9,
--- a/nodes/home.server.py
+++ b/nodes/home.server.py
@ -35,7 +35,6 @@
        #'tasmota-charge',
        'wol-waker',
        'zfs',
        'proxmox-ve',
    ],
    'metadata': {
        'id': 'af96709e-b13f-4965-a588-ef2cd476437a',
@ -48,7 +47,7 @@
        },
        'apt': {
            'packages': {
-                # 'firmware-realtek': {}, proxmox-ve incompatibility
+                'firmware-realtek': {},
            },
        },
        'build-server': {
@ -125,9 +124,6 @@
                'unsortable': 'SofortUpload/Unsortable',
            },
        },
        'proxmox-ve': {
            'domain': 'pve.ckn.li',
        },
        'raspberrymatic-cert': {
            'domain': 'homematic.ckn.li',
            'node': 'home.homematic',
--- a/nodes/mseibert.yourls.py
+++ b/nodes/mseibert.yourls.py
@ -1,56 +0,0 @@
 # https://teamvault.apps.seibert-media.net/secrets/mkqMRv/
 # https://console.hetzner.cloud/projects/889138/servers/46578341
 {
    'hostname': '168.119.250.114',
    'groups': [
        #'backup',
        'debian-12',
        #'monitored',
        'webserver',
    ],
    'bundles': [
        #'wireguard',
        'mariadb',
        'php',
        'yourls',
        'zfs',
    ],
    'metadata': {
        'id': '52efcd47-edd8-426c-aead-c492553d14f9',
        'network': {
            'internal': {
                'interface': 'ens10',
                'ipv4': '10.0.227.4/24',
            },
            'external': {
                'interface': 'eth0',
                'ipv4': '168.119.250.114/32',
                'gateway4': '172.31.1.1',
                'ipv6': '2a01:4f8:c013:e321::2/64',
                'gateway6': 'fe80::1',
            },
        },
        'vm': {
            'cores': 2,
            'ram': 4096,
        },
        'yourls': {
            'hostname': "direkt.oranienschule.de",
            'cookiekey': "!decrypt:encrypt$gAAAAABoRvmcUs3t7PREllyeN--jBqs0XYewMHW16GWC-ikLzsDSe02YKGycOlgXuHU4hzKbNjGMEutpFXRLk9Zji6bbpy4GdyE6vStfwd8ZT0obAyoqBPwI47LwUlDSFMS51y5j8rG5",
            'version': "1.10.1",
            'users': {
                'mseibert': "!decrypt:encrypt$gAAAAABoRwtOcslyRY9ahkmtVI8QbXgJhyE3nuk04eakFDKl-4OZViiRvjtQW3Uwqki1aFeAS-syzr0Ug5sZM_zNelNahjZyzW1k47Xg9GltGNn_zp-uUII=",
            },
        },
        'zfs': {
            'pools': {
                'tank': {
                    'devices': [
                        '/var/lib/zfs_file',
                    ],
                },
            },
        },
    },
 }
Author	SHA1	Message	Date
CroneKorkN	187b0440c8	nginx use expected dirs and allow websockets in proxy pass	2025-06-22 09:49:27 +02:00
CroneKorkN	bdb9fa064d	gitea disable registration	2025-06-22 09:40:41 +02:00
CroneKorkN	d3ba9db0c6	maybe keep etc/kernel/postinst.d/apt-auto-removal?	2025-06-22 09:40:26 +02:00
CroneKorkN	3dffc05c9d	apt add docs about options	2025-06-22 09:40:13 +02:00
CroneKorkN	6616ae7417	fix some redis permissions	2025-06-22 09:37:16 +02:00
CroneKorkN	dc40295dde	print message on parsing group error	2025-06-22 09:36:56 +02:00
CroneKorkN	1d8361cc5f	cache_to_disk broken	2025-06-22 09:36:21 +02:00
CroneKorkN	35243fdba6	offsitebackup offline	2025-06-22 09:35:35 +02:00