wip

2025-06-22 09:30:41 +02:00 · 2025-06-22 09:30:29 +02:00
28 changed files with 216 additions and 23 deletions
--- a/bundles/apt/README.md
+++ b/bundles/apt/README.md
@ -13,6 +13,9 @@
                    'deb',
                    'deb-src',
                },
+                'options': { # optional
+                    'aarch': 'amd64',
+                },
                'urls': {
                    'https://deb.debian.org/debian',
                },
--- a/bundles/apt/items.py
+++ b/bundles/apt/items.py
@ -62,6 +62,7 @@ files = {
    '/usr/lib/nagios/plugins/check_apt_upgradable': {
        'mode': '0755',
    },
+    # /etc/kernel/postinst.d/apt-auto-removal
 }

 actions = {
--- a/bundles/gitea/files/app.ini
+++ b/bundles/gitea/files/app.ini
@ -40,7 +40,7 @@ ENABLE_OPENID_SIGNUP = false
 [service]
 REGISTER_EMAIL_CONFIRM = true
 ENABLE_NOTIFY_MAIL = true
-DISABLE_REGISTRATION = false
+DISABLE_REGISTRATION = true
 ALLOW_ONLY_EXTERNAL_REGISTRATION = false
 ENABLE_CAPTCHA = false
 REQUIRE_SIGNIN_VIEW = false
--- a/bundles/grafana/metadata.py
+++ b/bundles/grafana/metadata.py
@ -69,6 +69,9 @@ defaults = {
            },
        },
    },
+    'nginx': {
+        'has_websockets': True,
+    },
 }


@ -144,6 +147,7 @@ def dns(metadata):
 def nginx(metadata):
    return {
        'nginx': {
+            'has_websockets': True,
            'vhosts': {
                metadata.get('grafana/hostname'): {
                    'content': 'grafana/vhost.conf',
--- a/bundles/kea-dhcpd/items.py
+++ b/bundles/kea-dhcpd/items.py
@ -15,7 +15,7 @@ svc_systemd = {
        'needs': [
            'pkg_apt:kea-dhcp4-server',
            'file:/etc/kea/kea-dhcp4.conf',
-            'svc_systemd:systemd-networkd:restart',
+            'svc_systemd:systemd-networkd.service:restart',
        ],
    },
 }
--- a/bundles/nginx/files/nginx.conf
+++ b/bundles/nginx/files/nginx.conf
@ -31,5 +31,13 @@ http {
    }

    % endif
+
+    % if has_websockets:
+    map $http_upgrade $connection_upgrade {
+        default upgrade;
+        '' close;
+    }
+    % endif
+
    include /etc/nginx/sites/*;
 }
--- a/bundles/nginx/items.py
+++ b/bundles/nginx/items.py
@ -33,6 +33,7 @@ files = {
        'context': {
            'modules': node.metadata.get('nginx/modules'),
            'worker_processes': node.metadata.get('vm/cores'),
+            'has_websockets': node.metadata.get('nginx/has_websockets'),
        },
        'triggers': {
            'svc_systemd:nginx:restart',
--- a/bundles/nginx/metadata.py
+++ b/bundles/nginx/metadata.py
@ -18,6 +18,7 @@ defaults = {
    'nginx': {
        'vhosts': {},
        'modules': set(),
+        'has_websockets': False,
    },
    'systemd': {
        'units': {
--- a/bundles/proxmox-ve/items.py
+++ b/bundles/proxmox-ve/items.py
@ -0,0 +1,21 @@
+files = {
+    '/etc/apt/apt.conf.d/10pveapthook': {
+        'content_type': 'any',
+        'mode': '0644',
+    },
+    '/etc/apt/apt.conf.d/76pveconf': {
+        'content_type': 'any',
+        'mode': '0444',
+    },
+    '/etc/apt/apt.conf.d/76pveproxy': {
+        'content_type': 'any',
+        'mode': '0444',
+    },
+    '/etc/network/interfaces': {
+        'content_type': 'any',
+    },
+}
+
+symlinks['/etc/ssh/ssh_host_rsa_key.pub'] = {
+    'target': '/etc/ssh/ssh_host_managed_key.pub',
+}
--- a/bundles/proxmox-ve/metadata.py
+++ b/bundles/proxmox-ve/metadata.py
@ -0,0 +1,98 @@
+defaults = {
+    'apt': {
+        'packages': {
+            'linux-image-amd64': {
+                'installed': False,
+            },
+            'proxmox-default-kernel': {},
+            # after reboot
+            'proxmox-ve': {},
+            'postfix': {},
+            'open-iscsi': {},
+            'chrony': {},
+            'os-prober': {
+                'installed': False,
+            },
+        },
+        'sources': {
+            'proxmox-ve': {
+                'options': {
+                    'aarch': 'amd64',
+                },
+                'urls': {
+                    'http://download.proxmox.com/debian/pve',
+                },
+                'suites': {
+                    '{codename}',
+                },
+                'components': {
+                    'pve-no-subscription',
+                },
+                'key': 'proxmox-ve-{codename}',
+            },
+        },
+    },
+    # 'nftables': {
+    #     'input': {
+    #         'tcp dport 8006 accept',
+    #     },
+    # },
+    'zfs': {
+        'datasets': {
+            'tank/proxmox-ve': {
+                'mountpoint': '/var/lib/proxmox-ve',
+            },
+        }
+    }
+}
+
+
+# @metadata_reactor.provides(
+#     'systemd',
+# )
+# def bridge(metadata):
+#     return {
+#         'systemd': {
+#             'units': {
+#                 # f'internal.network': {
+#                 #     'Network': {
+#                 #         'Bridge': 'br0',
+#                 #     },
+#                 # },
+#                 'br0.netdev': {
+#                     'NetDev': {
+#                         'Name': 'br0',
+#                         'Kind': 'bridge'
+#                     },
+#                 },
+#                 'br0.network': {
+#                     'Match': {
+#                         'Name': 'br0',
+#                     },
+#                     'Network': {
+#                         'Unmanaged': 'yes'
+#                     },
+#                 },
+#             },
+#         },
+#     }
+
+
+@metadata_reactor.provides(
+    'nginx/vhosts',
+)
+def nginx(metadata):
+    return {
+        'nginx': {
+            'has_websockets': True,
+            'vhosts': {
+                metadata.get('proxmox-ve/domain'): {
+                    'content': 'nginx/proxy_pass.conf',
+                    'context': {
+                        'target': 'https://localhost:8006',
+                        'websockets': True,
+                    }
+                },
+            },
+        },
+    }
--- a/bundles/redis/items.py
+++ b/bundles/redis/items.py
@ -2,12 +2,14 @@ directories = {
    '/etc/redis': {
        'purge': True,
        'owner': 'redis',
+        'mode': '2770',
        'needs': [
            'pkg_apt:redis-server',
        ],
    },
    '/var/lib/redis': {
        'owner': 'redis',
+        'mode': '0750',
        'needs': [
            'pkg_apt:redis-server',
        ],
--- a/bundles/systemd-networkd/items.py
+++ b/bundles/systemd-networkd/items.py
@ -1,9 +1,6 @@
 assert node.has_bundle('systemd')

 files = {
-    '/etc/network/interfaces': {
-        'delete': True,
-    },
    '/etc/resolv.conf': {
        'content_type': 'mako',
    },
@ -19,5 +16,11 @@ directories = {
 }

 svc_systemd = {
-    'systemd-networkd': {},
+    'systemd-networkd.service': {},
 }
+
+
+if not node.has_bundle('proxmox-ve'):
+    files['/etc/network/interfaces'] = {
+        'delete': True,
+    }
--- a/bundles/systemd/items.py
+++ b/bundles/systemd/items.py
@ -24,10 +24,10 @@ for name, unit in node.metadata.get('systemd/units').items():
        path = f'/etc/systemd/network/{name}'
        dependencies = {
            'needed_by': [
-                'svc_systemd:systemd-networkd',
+                'svc_systemd:systemd-networkd.service',
            ],
            'triggers': [
-                'svc_systemd:systemd-networkd:restart',
+                'svc_systemd:systemd-networkd.service:restart',
            ],
        }
    elif extension in ['timer', 'service', 'mount', 'swap', 'target']:
--- a/bundles/wireguard/metadata.py
+++ b/bundles/wireguard/metadata.py
@ -12,7 +12,7 @@ defaults = {
            'wireguard': {
                'backports': node.os_version < (11,),
                'triggers': [
-                    'svc_systemd:systemd-networkd:restart',
+                    'svc_systemd:systemd-networkd.service:restart',
                ],
            },
        },
--- a/data/apt/keys/proxmox-ve-bookworm.gpg
+++ b/data/apt/keys/proxmox-ve-bookworm.gpg
--- a/data/grafana/vhost.conf
+++ b/data/grafana/vhost.conf
@ -1,13 +1,8 @@
-map $http_upgrade $connection_upgrade {
-  default upgrade;
-  '' close;
-}
-
 server {
  listen 443 ssl http2;
  listen [::]:443 ssl http2;
  server_name ${server_name};
-  
+
  ssl_certificate /var/lib/dehydrated/certs/${server_name}/fullchain.pem;
  ssl_certificate_key /var/lib/dehydrated/certs/${server_name}/privkey.pem;

--- a/data/nginx/proxy_pass.conf
+++ b/data/nginx/proxy_pass.conf
@ -8,6 +8,10 @@ server {

    location / {
        proxy_set_header   X-Real-IP          $remote_addr;
+% if websockets:
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection $connection_upgrade;
+% endif
        proxy_pass ${target};
    }
 }
--- a/groups.py
+++ b/groups.py
@ -6,4 +6,8 @@ for root, dirs, files in walk(join(repo_path, "groups")):
        if filename.endswith(".py"):
            group = join(root, filename)
            with open(group, 'r', encoding='utf-8') as f:
-                groups[splitext(basename(filename))[0]] = eval(f.read())
+                try:
+                    groups[splitext(basename(filename))[0]] = eval(f.read())
+                except:
+                    print(f"Error parsing {group}:")
+                    raise
--- a/groups/os/debian-11.py
+++ b/groups/os/debian-11.py
@ -2,6 +2,9 @@
    'supergroups': [
        'debian',
    ],
+    'bundles': [
+        'systemd-networkd',
+    ],
    'metadata': {
        'php': {
            'version': '7.4',
--- a/groups/os/debian-12-common.py
+++ b/groups/os/debian-12-common.py
@ -0,0 +1,26 @@
+{
+    'metadata': {
+        'apt': {
+            'sources': {
+                'debian': {
+                    'components': {
+                        'non-free-firmware',
+                    },
+                },
+                'debian-security': {
+                    'components': {
+                        'non-free-firmware',
+                    },
+                },
+            },
+        },
+        'php': {
+            'version': '8.2',
+        },
+        'postgresql': {
+            'version': '15',
+        },
+        'os_codename': 'bookworm',
+    },
+    'os_version': (12,),
+}
--- a/groups/os/debian-12-pve.py
+++ b/groups/os/debian-12-pve.py
@ -0,0 +1,9 @@
+{
+    'supergroups': [
+        'debian',
+        'debian-12-common',
+    ],
+    'bundles': [
+        'ifupdown',
+    ],
+}
--- a/groups/os/debian-12.py
+++ b/groups/os/debian-12.py
@ -1,6 +1,10 @@
 {
    'supergroups': [
        'debian',
+        'debian-12-common',
+    ],
+    'bundles': [
+        'systemd-networkd',
    ],
    'metadata': {
        'apt': {
--- a/groups/os/linux.py
+++ b/groups/os/linux.py
@ -14,7 +14,6 @@
        'system',
        'systemd',
        'systemd-journald',
-        'systemd-networkd',
        'systemd-mount',
        'systemd-timers',
        'users',
--- a/libs/rsa.py
+++ b/libs/rsa.py
@ -1,12 +1,10 @@
 # https://stackoverflow.com/a/18266970

 from Crypto.PublicKey import RSA
-from Crypto.Hash import HMAC
 from struct import pack
 from hashlib import sha3_512
 from cryptography.hazmat.primitives.serialization import load_der_private_key
 from functools import cache
-from cache_to_disk import cache_to_disk


 class PRNG(object):
@ -22,7 +20,6 @@ class PRNG(object):
        return result


-@cache_to_disk(30)
 def _generate_deterministic_rsa_private_key(secret_bytes):
    return RSA.generate(2048, randfunc=PRNG(secret_bytes)).export_key('DER')

--- a/nodes/home.router.py
+++ b/nodes/home.router.py
@ -18,7 +18,7 @@
                'interface': 'enx00e04c220682',
                'ipv4': '10.0.99.126/24',
                'gateway4': '10.0.99.1',
-                'vlans': {'iot', 'internet', 'guest', 'rolf', 'internal'},
+                'vlans': {'iot', 'internet', 'guest', 'rolf', 'internal', 'proxmox'},
            },
            'internal': {
                'type': 'vlan',
@ -37,6 +37,12 @@
                'id': 3,
                'ipv4': '10.0.3.1/24',
            },
+            'proxmox': {
+                'type': 'vlan',
+                'id': 4,
+                'ipv4': '10.0.4.1/24',
+                'dhcp_server': True,
+            },
            'guest': {
                'type': 'vlan',
                'id': 9,
--- a/nodes/home.server.py
+++ b/nodes/home.server.py
@ -35,6 +35,7 @@
        #'tasmota-charge',
        'wol-waker',
        'zfs',
+        'proxmox-ve',
    ],
    'metadata': {
        'id': 'af96709e-b13f-4965-a588-ef2cd476437a',
@ -47,7 +48,7 @@
        },
        'apt': {
            'packages': {
-                'firmware-realtek': {},
+                # 'firmware-realtek': {}, proxmox-ve incompatibility
            },
        },
        'build-server': {
@ -124,6 +125,9 @@
                'unsortable': 'SofortUpload/Unsortable',
            },
        },
+        'proxmox-ve': {
+            'domain': 'pve.ckn.li',
+        },
        'raspberrymatic-cert': {
            'domain': 'homematic.ckn.li',
            'node': 'home.homematic',
--- a/nodes/wb.offsite-backups.py
+++ b/nodes/wb.offsite-backups.py
@ -1,4 +1,5 @@
 {
+    'dummy': True,
    'hostname': '192.168.179.20',
    'groups': [
        'debian-12',
--- a/requirements.txt
+++ b/requirements.txt
@ -3,5 +3,4 @@ pycryptodome
 PyNaCl
 PyYAML
 pyqrcode
-cache_to_disk
 setuptools
Author	SHA1	Message	Date
CroneKorkN	715a27edc7	wip	2025-06-22 09:30:41 +02:00
CroneKorkN	4caf0a4a19	wip	2025-06-22 09:30:29 +02:00