cronekorkn/bundlewrap
1
0
Fork 0
Code Issues Pull requests 8 Projects Releases Wiki Activity

Compare commits

base: cronekorkn:24488b16dcc017b706d2bf2151802344217f9c34
Branches Tags
cronekorkn:master
cronekorkn:n8n
cronekorkn:router
cronekorkn:freescout
cronekorkn:homeassistant-supervised
cronekorkn:conflecttest
cronekorkn:wp
cronekorkn:rufbereitschafts-alarm
cronekorkn:dnssec_2
cronekorkn:dnssec
cronekorkn:apt_sources_as_dict
cronekorkn:wordpress
cronekorkn:iperf3
cronekorkn:picsort-pythoon
cronekorkn:network_metadata_rework
cronekorkn:blog_dirty
cronekorkn:blog
cronekorkn:icinga2_notifications
cronekorkn:icinga_neumachen
cronekorkn:nextcloud_conf_in_metadata
cronekorkn:mastodon
cronekorkn:rtmp
cronekorkn:deterministic_rsa
cronekorkn:deterministic_rsa_test
cronekorkn:left4dead2
cronekorkn:temp130752653
cronekorkn:zfs_encrypt
cronekorkn:icingaweb
cronekorkn:ldap
cronekorkn:icinga2_remote_2
cronekorkn:icinga2_local
cronekorkn:icinga
cronekorkn:icinga2_remote
cronekorkn:modprobe
cronekorkn:autoconfig
cronekorkn:basic_auth
cronekorkn:crystal-buildserver
cronekorkn:build_Server
cronekorkn:cya_hetzner
cronekorkn:dns_challenge3
cronekorkn:dns_challenge2
cronekorkn:dns_challenge
cronekorkn:gpiod
cronekorkn:multi-redis
cronekorkn:l4d2
cronekorkn:wireguard_clients
cronekorkn:alles_sets
cronekorkn:hdict
cronekorkn:all_units
cronekorkn:unitbug_isolation
cronekorkn:whatsbroken
cronekorkn:minimal_mailserver
...
compare: cronekorkn:0e78afea6aa4ce4733ec7cf45729a18cc1ff529f
Branches Tags
cronekorkn:master
cronekorkn:n8n
cronekorkn:router
cronekorkn:freescout
cronekorkn:homeassistant-supervised
cronekorkn:conflecttest
cronekorkn:wp
cronekorkn:rufbereitschafts-alarm
cronekorkn:dnssec_2
cronekorkn:dnssec
cronekorkn:apt_sources_as_dict
cronekorkn:wordpress
cronekorkn:iperf3
cronekorkn:picsort-pythoon
cronekorkn:network_metadata_rework
cronekorkn:blog_dirty
cronekorkn:blog
cronekorkn:icinga2_notifications
cronekorkn:icinga_neumachen
cronekorkn:nextcloud_conf_in_metadata
cronekorkn:mastodon
cronekorkn:rtmp
cronekorkn:deterministic_rsa
cronekorkn:deterministic_rsa_test
cronekorkn:left4dead2
cronekorkn:temp130752653
cronekorkn:zfs_encrypt
cronekorkn:icingaweb
cronekorkn:ldap
cronekorkn:icinga2_remote_2
cronekorkn:icinga2_local
cronekorkn:icinga
cronekorkn:icinga2_remote
cronekorkn:modprobe
cronekorkn:autoconfig
cronekorkn:basic_auth
cronekorkn:crystal-buildserver
cronekorkn:build_Server
cronekorkn:cya_hetzner
cronekorkn:dns_challenge3
cronekorkn:dns_challenge2
cronekorkn:dns_challenge
cronekorkn:gpiod
cronekorkn:multi-redis
cronekorkn:l4d2
cronekorkn:wireguard_clients
cronekorkn:alles_sets
cronekorkn:hdict
cronekorkn:all_units
cronekorkn:unitbug_isolation
cronekorkn:whatsbroken
cronekorkn:minimal_mailserver

8 commits
24488b16dc ... 0e78afea6a

Author SHA1 Message Date
cronekorkn
0e78afea6a
fix ip 2024-11-23 09:53:05 +01:00
cronekorkn
f0d1cf9861
new icinga apt key 2024-11-23 09:53:05 +01:00
cronekorkn
e17b023503
some grafana permsission 2024-11-23 09:53:05 +01:00
cronekorkn
a3ba06bcb0
pipes -> shlex 2024-11-23 09:52:58 +01:00
cronekorkn
01bcfd8638
dhcp from interface 2024-11-23 09:52:48 +01:00
cronekorkn
c0944f9fa2
fix dhcp 2024-11-23 09:52:48 +01:00
cronekorkn
dedbffa107
vlans 2024-11-23 09:52:48 +01:00
cronekorkn
67d5a4bff8
TOTAL FACKUP 2024-11-23 09:52:22 +01:00
36 changed files with 411 additions and 178 deletions
Show stats Expand all files Collapse all files

5
bundles/grafana/items.py
View file

@ -26,7 +26,10 @@ actions['reset_grafana_admin_password'] = {
directories = { directories = {
'/etc/grafana': {}, '/etc/grafana': {},
'/etc/grafana/provisioning': {}, '/etc/grafana/provisioning': {
'owner': 'grafana',
'group': 'grafana',
},
'/etc/grafana/provisioning/datasources': { '/etc/grafana/provisioning/datasources': {
'purge': True, 'purge': True,
}, },

8
bundles/icinga2/files/conf.d/notifications.conf
View file

@ -13,9 +13,9 @@ apply Notification "mail-icingaadmin" to Host {
user_groups = host.vars.notification.mail.groups user_groups = host.vars.notification.mail.groups
users = host.vars.notification.mail.users users = host.vars.notification.mail.users
//interval = 2h
//vars.notification_logtosyslog = true
assign where host.vars.notification.mail assign where host.vars.notification.mail
} }
@ -25,9 +25,9 @@ apply Notification "mail-icingaadmin" to Service {
user_groups = host.vars.notification.mail.groups user_groups = host.vars.notification.mail.groups
users = host.vars.notification.mail.users users = host.vars.notification.mail.users
//interval = 2h
//vars.notification_logtosyslog = true
assign where host.vars.notification.mail assign where host.vars.notification.mail
} }

20
bundles/kea-dhcpd/items.py Normal file
View file

@ -0,0 +1,20 @@
from json import dumps
from bundlewrap.metadata import MetadataJSONEncoder
files = {
'/etc/kea/kea-dhcp4.conf': {
'content': dumps(node.metadata.get('kea'), indent=4, sort_keys=True, cls=MetadataJSONEncoder),
'triggers': [
'svc_systemd:kea-dhcp4-server:restart',
],
},
}
svc_systemd = {
'kea-dhcp4-server': {
'needs': [
'pkg_apt:kea-dhcp4-server',
'file:/etc/kea/kea-dhcp4.conf',
],
},
}

96
bundles/kea-dhcpd/metadata.py Normal file
View file

@ -0,0 +1,96 @@
from ipaddress import ip_interface, ip_network
hashable = repo.libs.hashable.hashable
defaults = {
'apt': {
'packages': {
'kea-dhcp4-server': {},
},
},
'kea': {
'Dhcp4': {
'interfaces-config': {
'interfaces': set(),
},
'lease-database': {
'type': 'memfile',
'lfc-interval': 3600
},
'subnet4': set(),
'loggers': set([
hashable({
'name': 'kea-dhcp4',
'output_options': [
{
'output': 'syslog',
}
],
'severity': 'INFO',
}),
]),
},
},
}
@metadata_reactor.provides(
'kea/Dhcp4/interfaces-config/interfaces',
'kea/Dhcp4/subnet4',
)
def subnets(metadata):
subnet4 = set()
interfaces = set()
reservations = set(
hashable({
'hw-address': network_conf['mac'],
'ip-address': str(ip_interface(network_conf['ipv4']).ip),
})
for other_node in repo.nodes
for network_conf in other_node.metadata.get('network', {}).values()
if 'mac' in network_conf
)
for network_name, network_conf in metadata.get('network').items():
dhcp_server_config = network_conf.get('dhcp_server_config', None)
if dhcp_server_config:
_network = ip_network(dhcp_server_config['subnet'])
subnet4.add(hashable({
'subnet': dhcp_server_config['subnet'],
'pools': [
{
'pool': f'{dhcp_server_config['pool_from']} - {dhcp_server_config['pool_to']}',
},
],
'option-data': [
{
'name': 'routers',
'data': dhcp_server_config['router'],
},
{
'name': 'domain-name-servers',
'data': '10.0.10.2',
},
],
'reservations': set(
reservation
for reservation in reservations
if ip_interface(reservation['ip-address']).ip in _network
),
}))
interfaces.add(network_conf.get('interface', network_name))
return {
'kea': {
'Dhcp4': {
'interfaces-config': {
'interfaces': interfaces,
},
'subnet4': subnet4,
},
},
}

18
bundles/left4dead2/files/server.cfg
View file

@ -1,36 +1,36 @@
hostname "CroneKorkN : ${name}" hostname "CroneKorkN : ${name}"
sv_contact "admin@sublimity.de" sv_contact "admin@sublimity.de"
// assign serevr to steam group
sv_steamgroup "${','.join(steamgroups)}" sv_steamgroup "${','.join(steamgroups)}"
rcon_password "${rcon_password}" rcon_password "${rcon_password}"
// no annoying message of the day
motd_enabled 0 motd_enabled 0
// enable cheats
sv_cheats 1 sv_cheats 1
// allow inconsistent files on clients (weapon mods for example)
sv_consistency 0 sv_consistency 0
// connect from internet
sv_lan 0 sv_lan 0
// join game at any point
sv_allow_lobby_connect_only 0 sv_allow_lobby_connect_only 0
// allowed modes
sv_gametypes "coop,realism,survival,versus,teamversus,scavenge,teamscavenge" sv_gametypes "coop,realism,survival,versus,teamversus,scavenge,teamscavenge"
// network
sv_minrate 30000 sv_minrate 30000
sv_maxrate 60000 sv_maxrate 60000
sv_mincmdrate 66 sv_mincmdrate 66
sv_maxcmdrate 101 sv_maxcmdrate 101
// logging
sv_logsdir "logs-${name}" //Folder in the game directory where server logs will be stored. sv_logsdir "logs-${name}" //Folder in the game directory where server logs will be stored.
log on //Creates a logfile (on | off) log on //Creates a logfile (on | off)
sv_logecho 0 //default 0; Echo log information to the console. sv_logecho 0 //default 0; Echo log information to the console.

1
bundles/letsencrypt/items.py
View file

@ -56,6 +56,7 @@ for domain in node.metadata.get('letsencrypt/domains').keys():
'unless': f'/etc/dehydrated/letsencrypt-ensure-some-certificate {domain} true', 'unless': f'/etc/dehydrated/letsencrypt-ensure-some-certificate {domain} true',
'needs': { 'needs': {
'file:/etc/dehydrated/letsencrypt-ensure-some-certificate', 'file:/etc/dehydrated/letsencrypt-ensure-some-certificate',
'pkg_apt:dehydrated',
}, },
'needed_by': { 'needed_by': {
'svc_systemd:nginx', 'svc_systemd:nginx',

41
bundles/linux/items.py Normal file
View file

@ -0,0 +1,41 @@
from shlex import quote
def generate_sysctl_key_value_pairs_from_json(json_data, parents=[]):
if isinstance(json_data, dict):
for key, value in json_data.items():
yield from generate_sysctl_key_value_pairs_from_json(value, [*parents, key])
elif isinstance(json_data, list):
raise ValueError(f"List not supported: '{json_data}'")
else:
# If it's a leaf node, yield the path
yield (parents, json_data)
key_value_pairs = generate_sysctl_key_value_pairs_from_json(node.metadata.get('sysctl'))
files= {
'/etc/sysctl.conf': {
'content': '\n'.join(
sorted(
f"{'.'.join(path)}={value}"
for path, value in key_value_pairs
),
),
'triggers': [
'svc_systemd:systemd-sysctl.service:restart',
],
},
}
svc_systemd = {
'systemd-sysctl.service': {},
}
for path, value in key_value_pairs:
actions[f'reload_sysctl.conf_{path}'] = {
'command': f"sysctl --values {'.'.join(path)} | grep -q {quote('^'+value+'$')}",
'needs': [
f'action:systemd-sysctl.service',
f'action:systemd-sysctl.service:restart',
],
}

3
bundles/linux/metadata.py Normal file
View file

@ -0,0 +1,3 @@
defaults = {
'sysctl': {},
}

2
bundles/macbook/files/macbook-update
View file

@ -18,7 +18,7 @@ git -C ~/.zsh/oh-my-zsh pull
brew upgrade brew upgrade
brew upgrade --cask --greedy brew upgrade --cask --greedy
pyenv install --keep-existing pyenv install --skip-existing
sudo softwareupdate -ia --verbose sudo softwareupdate -ia --verbose

22
bundles/mailserver-autoconfig/files/autodiscover.php
View file

@ -1,6 +1,6 @@
<?php <?php
// https://raw.githubusercontent.com/Radiergummi/autodiscover/master/autodiscover/autodiscover.php
/******************************** /********************************
* Autodiscover responder * Autodiscover responder
@ -8,45 +8,45 @@
* This PHP script is intended to respond to any request to http(s)://mydomain.com/autodiscover/autodiscover.xml. * This PHP script is intended to respond to any request to http(s)://mydomain.com/autodiscover/autodiscover.xml.
* If configured properly, it will send a spec-complient autodiscover XML response, pointing mail clients to the * If configured properly, it will send a spec-complient autodiscover XML response, pointing mail clients to the
* appropriate mail services. * appropriate mail services.
* If you use MAPI or ActiveSync, stick with the Autodiscover service your mail server provides for you. But if * If you use MAPI or ActiveSync, stick with the Autodiscover service your mail server provides for you. But if
* you use POP/IMAP servers, this will provide autoconfiguration to Outlook, Apple Mail and mobile devices. * you use POP/IMAP servers, this will provide autoconfiguration to Outlook, Apple Mail and mobile devices.
* *
* To work properly, you'll need to set the service (sub)domains below in the settings section to the correct * To work properly, you'll need to set the service (sub)domains below in the settings section to the correct
* domain names, adjust ports and SSL. * domain names, adjust ports and SSL.
*/ */
//get raw POST data so we can extract the email address
$request = file_get_contents("php://input"); $request = file_get_contents("php://input");
// optional debug log
# file_put_contents( 'request.log', $request, FILE_APPEND ); # file_put_contents( 'request.log', $request, FILE_APPEND );
// retrieve email address from client request
preg_match( "/\<EMailAddress\>(.*?)\<\/EMailAddress\>/", $request, $email ); preg_match( "/\<EMailAddress\>(.*?)\<\/EMailAddress\>/", $request, $email );
// check for invalid mail, to prevent XSS
if (filter_var($email[1], FILTER_VALIDATE_EMAIL) === false) { if (filter_var($email[1], FILTER_VALIDATE_EMAIL) === false) {
throw new Exception('Invalid E-Mail provided'); throw new Exception('Invalid E-Mail provided');
} }
// get domain from email address
$domain = substr( strrchr( $email[1], "@" ), 1 ); $domain = substr( strrchr( $email[1], "@" ), 1 );
/************************************** /**************************************
* Port and server settings below * * Port and server settings below *
**************************************/ **************************************/
// IMAP settings
$imapServer = 'imap.' . $domain; // imap.example.com $imapServer = 'imap.' . $domain; // imap.example.com
$imapPort = 993; $imapPort = 993;
$imapSSL = true; $imapSSL = true;
// SMTP settings
$smtpServer = 'smtp.' . $domain; // smtp.example.com $smtpServer = 'smtp.' . $domain; // smtp.example.com
$smtpPort = 587; $smtpPort = 587;
$smtpSSL = true; $smtpSSL = true;
//set Content-Type
header( 'Content-Type: application/xml' ); header( 'Content-Type: application/xml' );
?> ?>
<?php echo '<?xml version="1.0" encoding="utf-8" ?>'; ?> <?php echo '<?xml version="1.0" encoding="utf-8" ?>'; ?>

2
bundles/mariadb/items.py
View file

@ -13,6 +13,7 @@ directories = {
], ],
'needed_by': [ 'needed_by': [
'pkg_apt:mariadb-server', 'pkg_apt:mariadb-server',
'pkg_apt:mariadb-client',
], ],
}, },
} }
@ -30,6 +31,7 @@ svc_systemd = {
'mariadb.service': { 'mariadb.service': {
'needs': [ 'needs': [
'pkg_apt:mariadb-server', 'pkg_apt:mariadb-server',
'pkg_apt:mariadb-client',
], ],
}, },
} }

11
bundles/mariadb/metadata.py
View file

@ -1,7 +1,16 @@
defaults = { defaults = {
'apt': { 'apt': {
'packages': { 'packages': {
'mariadb-server': {}, 'mariadb-server': {
'needs': {
'zfs_dataset:tank/mariadb',
},
},
'mariadb-client': {
'needs': {
'zfs_dataset:tank/mariadb',
},
},
}, },
}, },
'mariadb': { 'mariadb': {

73
bundles/network/metadata.py
View file

@ -5,38 +5,89 @@ defaults = {
} }
@metadata_reactor.provides(
'network',
)
def dhcp(metadata):
networks = {}
for network_name, network_conf in metadata.get('network').items():
_interface = ip_interface(network_conf['ipv4'])
_ip = _interface.ip
_network = _interface.network
_hosts = list(_network.hosts())
if network_conf.get('dhcp_server', False):
networks[network_name] = {
'dhcp_server_config': {
'subnet': str(_network),
'pool_from': str(_hosts[len(_hosts)//2]),
'pool_to': str(_hosts[-3]),
'router': str(_ip),
'domain-name-servers': str(_ip),
}
}
return {
'network': networks,
}
@metadata_reactor.provides( @metadata_reactor.provides(
'systemd/units', 'systemd/units',
) )
def units(metadata): def units(metadata):
units = {} units = {}
for type, network in metadata.get('network').items(): for network_name, network_conf in metadata.get('network').items():
units[f'{type}.network'] = { interface_type = network_conf.get('type', None)
# network
units[f'{network_name}.network'] = {
'Match': { 'Match': {
'Name': network['interface'], 'Name': network_name if interface_type == 'vlan' else network_conf['interface'],
}, },
'Network': { 'Network': {
'DHCP': network.get('dhcp', 'no'), 'DHCP': network_conf.get('dhcp', 'no'),
'IPv6AcceptRA': network.get('dhcp', 'no'), 'IPv6AcceptRA': network_conf.get('dhcp', 'no'),
'VLAN': set(network_conf.get('vlans', set()))
} }
} }
# type
if interface_type:
units[f'{network_name}.network']['Match']['Type'] = interface_type
# ips
for i in [4, 6]: for i in [4, 6]:
if network.get(f'ipv{i}', None): if network_conf.get(f'ipv{i}', None):
units[f'{type}.network'].update({ units[f'{network_name}.network'].update({
f'Address#ipv{i}': { f'Address#ipv{i}': {
'Address': network[f'ipv{i}'], 'Address': network_conf[f'ipv{i}'],
}, },
}) })
if f'gateway{i}' in network: if f'gateway{i}' in network_conf:
units[f'{type}.network'].update({ units[f'{network_name}.network'].update({
f'Route#ipv{i}': { f'Route#ipv{i}': {
'Gateway': network[f'gateway{i}'], 'Gateway': network_conf[f'gateway{i}'],
'GatewayOnlink': 'yes', 'GatewayOnlink': 'yes',
} }
}) })
# as vlan
if interface_type == 'vlan':
units[f"{network_name}.netdev"] = {
'NetDev': {
'Name': network_name,
'Kind': 'vlan',
},
'VLAN': {
'Id': network_conf['id'],
}
}
return { return {
'systemd': { 'systemd': {

4
bundles/nginx/files/nginx.conf
View file

@ -1,6 +1,6 @@
pid /var/run/nginx.pid; pid /var/run/nginx.pid;
user www-data; user www-data;
worker_processes 10; worker_processes ${worker_processes};
% for module in sorted(modules): % for module in sorted(modules):
load_module modules/ngx_${module}_module.so; load_module modules/ngx_${module}_module.so;
@ -22,6 +22,8 @@ http {
tcp_nopush on; tcp_nopush on;
client_max_body_size 32G; client_max_body_size 32G;
ssl_dhparam "/etc/ssl/certs/dhparam.pem"; ssl_dhparam "/etc/ssl/certs/dhparam.pem";
# dont show nginx version
server_tokens off;
% if node.has_bundle('php'): % if node.has_bundle('php'):
upstream php-handler { upstream php-handler {

1
bundles/nginx/items.py
View file

@ -32,6 +32,7 @@ files = {
'content_type': 'mako', 'content_type': 'mako',
'context': { 'context': {
'modules': node.metadata.get('nginx/modules'), 'modules': node.metadata.get('nginx/modules'),
'worker_processes': node.metadata.get('vm/cores'),
}, },
'triggers': { 'triggers': {
'svc_systemd:nginx:restart', 'svc_systemd:nginx:restart',

4
bundles/postfix/items.py
View file

@ -86,6 +86,8 @@ if node.has_bundle('telegraf'):
'needs': [ 'needs': [
'pkg_apt:acl', 'pkg_apt:acl',
'svc_systemd:postfix', 'svc_systemd:postfix',
'svc_systemd:postfix:reload',
'svc_systemd:postfix:restart',
], ],
} }
actions['postfix_setfacl_default_telegraf'] = { actions['postfix_setfacl_default_telegraf'] = {
@ -94,5 +96,7 @@ if node.has_bundle('telegraf'):
'needs': [ 'needs': [
'pkg_apt:acl', 'pkg_apt:acl',
'svc_systemd:postfix', 'svc_systemd:postfix',
'svc_systemd:postfix:reload',
'svc_systemd:postfix:restart',
], ],
} }

6
bundles/postgresql/metadata.py
View file

@ -6,7 +6,11 @@ root_password = repo.vault.password_for(f'{node.name} postgresql root')
defaults = { defaults = {
'apt': { 'apt': {
'packages': { 'packages': {
'postgresql': {}, 'postgresql': {
'needs': {
'zfs_dataset:tank/postgresql',
},
},
}, },
}, },
'backup': { 'backup': {

64
bundles/roundcube/files/config.inc.php
View file

@ -6,80 +6,16 @@ $config['enable_installer'] = true;
/* Local configuration for Roundcube Webmail */ /* Local configuration for Roundcube Webmail */
// ----------------------------------
// SQL DATABASE
// ----------------------------------
// Database connection string (DSN) for read+write operations
// Format (compatible with PEAR MDB2): db_provider://user:password@host/database
// Currently supported db_providers: mysql, pgsql, sqlite, mssql or sqlsrv
// For examples see http://pear.php.net/manual/en/package.database.mdb2.intro-dsn.php
// NOTE: for SQLite use absolute path: 'sqlite:////full/path/to/sqlite.db?mode=0646'
$config['db_dsnw'] = '${database['provider']}://${database['user']}:${database['password']}@${database['host']}/${database['name']}'; $config['db_dsnw'] = '${database['provider']}://${database['user']}:${database['password']}@${database['host']}/${database['name']}';
// ----------------------------------
// IMAP
// ----------------------------------
// The mail host chosen to perform the log-in.
// Leave blank to show a textbox at login, give a list of hosts
// to display a pulldown menu or set one host as string.
// To use SSL/TLS connection, enter hostname with prefix ssl:// or tls://
// Supported replacement variables:
// %n - hostname ($_SERVER['SERVER_NAME'])
// %t - hostname without the first part
// %d - domain (http hostname $_SERVER['HTTP_HOST'] without the first part)
// %s - domain name after the '@' from e-mail address provided at login screen
// For example %n = mail.domain.tld, %t = domain.tld
// WARNING: After hostname change update of mail_host column in users table is
// required to match old user data records with the new host.
$config['imap_host'] = 'localhost'; $config['imap_host'] = 'localhost';
// ----------------------------------
// SMTP
// ----------------------------------
// SMTP server host (for sending mails).
// To use SSL/TLS connection, enter hostname with prefix ssl:// or tls://
// If left blank, the PHP mail() function is used
// Supported replacement variables:
// %h - user's IMAP hostname
// %n - hostname ($_SERVER['SERVER_NAME'])
// %t - hostname without the first part
// %d - domain (http hostname $_SERVER['HTTP_HOST'] without the first part)
// %z - IMAP domain (IMAP hostname without the first part)
// For example %n = mail.domain.tld, %t = domain.tld
$config['smtp_host'] = 'tls://localhost'; $config['smtp_host'] = 'tls://localhost';
// SMTP username (if required) if you use %u as the username Roundcube
// will use the current username for login
$config['smtp_user'] = '%u'; $config['smtp_user'] = '%u';
// SMTP password (if required) if you use %p as the password Roundcube
// will use the current user's password for login
$config['smtp_pass'] = '%p'; $config['smtp_pass'] = '%p';
// provide an URL where a user can get support for this Roundcube installation
// PLEASE DO NOT LINK TO THE ROUNDCUBE.NET WEBSITE HERE!
$config['support_url'] = ''; $config['support_url'] = '';
// this key is used to encrypt the users imap password which is stored
// in the session record (and the client cookie if remember password is enabled).
// please provide a string of exactly 24 chars.
$config['des_key'] = '${des_key}'; $config['des_key'] = '${des_key}';
// Name your service. This is displayed on the login screen and in the window title
$config['product_name'] = '${product_name}'; $config['product_name'] = '${product_name}';
// ----------------------------------
// PLUGINS
// ----------------------------------
// List of active plugins (in plugins/ directory)
$config['plugins'] = array(${', '.join(f'"{plugin}"' for plugin in plugins)}); $config['plugins'] = array(${', '.join(f'"{plugin}"' for plugin in plugins)});
// the default locale setting (leave empty for auto-detection)
// RFC1766 formatted language name like en_US, de_DE, de_CH, fr_FR, pt_BR
$config['language'] = 'de_DE'; $config['language'] = 'de_DE';
// https://serverfault.com/a/991304
$config['smtp_conn_options'] = array( $config['smtp_conn_options'] = array(
'ssl' => array( 'ssl' => array(
'verify_peer' => false, 'verify_peer' => false,

2
bundles/roundcube/files/password.config.inc.php
View file

@ -1,7 +1,5 @@
<?php <?php
// https://github.com/roundcube/roundcubemail/blob/357cc90001f997fd223fb48fcede6040f527c2f4/plugins/password/config.inc.php.dist
$config['password_driver'] = 'sql'; $config['password_driver'] = 'sql';
$config['password_strength_driver'] = null; $config['password_strength_driver'] = null;
$config['password_confirm_current'] = true; $config['password_confirm_current'] = true;

16
bundles/roundcube/items.py
View file

@ -1,7 +1,8 @@
assert node.has_bundle('php') assert node.has_bundle('php')
assert node.has_bundle('mailserver') assert node.has_bundle('mailserver')
version = node.metadata.get('roundcube/version') roundcube_version = node.metadata.get('roundcube/version')
php_version = node.metadata.get('php/version')
directories = { directories = {
'/opt/roundcube': { '/opt/roundcube': {
@ -22,9 +23,9 @@ directories = {
} }
files[f'/tmp/roundcube-{version}.tar.gz'] = { files[f'/tmp/roundcube-{roundcube_version}.tar.gz'] = {
'content_type': 'download', 'content_type': 'download',
'source': f'https://github.com/roundcube/roundcubemail/releases/download/{version}/roundcubemail-{version}-complete.tar.gz', 'source': f'https://github.com/roundcube/roundcubemail/releases/download/{roundcube_version}/roundcubemail-{roundcube_version}-complete.tar.gz',
'triggered': True, 'triggered': True,
} }
actions['delete_roundcube'] = { actions['delete_roundcube'] = {
@ -32,11 +33,11 @@ actions['delete_roundcube'] = {
'triggered': True, 'triggered': True,
} }
actions['extract_roundcube'] = { actions['extract_roundcube'] = {
'command': f'tar xfvz /tmp/roundcube-{version}.tar.gz --strip 1 -C /opt/roundcube', 'command': f'tar xfvz /tmp/roundcube-{roundcube_version}.tar.gz --strip 1 -C /opt/roundcube',
'unless': f'grep -q "Version {version}" /opt/roundcube/index.php', 'unless': f'grep -q "Version {roundcube_version}" /opt/roundcube/index.php',
'preceded_by': [ 'preceded_by': [
'action:delete_roundcube', 'action:delete_roundcube',
f'file:/tmp/roundcube-{version}.tar.gz', f'file:/tmp/roundcube-{roundcube_version}.tar.gz',
], ],
'needs': [ 'needs': [
'directory:/opt/roundcube', 'directory:/opt/roundcube',
@ -64,6 +65,9 @@ files['/opt/roundcube/config/config.inc.php'] = {
'needs': [ 'needs': [
'action:chown_roundcube', 'action:chown_roundcube',
], ],
'triggers': [
f'svc_systemd:php{php_version}-fpm.service:restart',
],
} }
files['/opt/roundcube/plugins/password/config.inc.php'] = { files['/opt/roundcube/plugins/password/config.inc.php'] = {
'source': 'password.config.inc.php', 'source': 'password.config.inc.php',

2
bundles/telegraf/items.py
View file

@ -9,7 +9,7 @@ files = {
node.metadata.get('telegraf/config'), node.metadata.get('telegraf/config'),
cls=MetadataJSONEncoder, cls=MetadataJSONEncoder,
)), )),
sort_keys=True sort_keys=True,
), ),
'triggers': [ 'triggers': [
'svc_systemd:telegraf:restart', 'svc_systemd:telegraf:restart',

BIN
data/apt/keys/icinga.gpg Normal file
View file

Binary file not shown.

0
data/apt/keys/icinga.asc → data/apt/keys/icinga_.asc
View file

7
groups/os/linux.py
View file

@ -6,6 +6,7 @@
'hostname', 'hostname',
'hosts', 'hosts',
'htop', 'htop',
'linux',
'locale', 'locale',
'network', 'network',
'ssh', 'ssh',
@ -22,16 +23,16 @@
'metadata': { 'metadata': {
'dns': {}, 'dns': {},
'hosts': { 'hosts': {
'10.0.11.3': [ '10.0.10.2': [
'resolver.name', 'resolver.name',
'secondary.resolver.name', 'secondary.resolver.name',
], ],
}, },
'letsencrypt': { 'letsencrypt': {
'acme_node': 'netcup.mails', 'acme_node': 'htz.mails',
}, },
'nameservers': { 'nameservers': {
'10.0.11.3', '10.0.10.2',
}, },
'systemd-timers': { 'systemd-timers': {
'trim': { 'trim': {

8
items/download.py
View file

@ -3,7 +3,7 @@ from bundlewrap.exceptions import BundleError
from bundlewrap.utils.text import force_text, mark_for_translation as _ from bundlewrap.utils.text import force_text, mark_for_translation as _
from bundlewrap.utils.remote import PathInfo from bundlewrap.utils.remote import PathInfo
import types import types
from pipes import quote from shlex import quote
# Downloaded from https://github.com/bundlewrap/plugins/blob/master/item_download/items/download.py # Downloaded from https://github.com/bundlewrap/plugins/blob/master/item_download/items/download.py
# No, we can't use plugins here, because bw4 won't support them anymore. # No, we can't use plugins here, because bw4 won't support them anymore.
@ -101,16 +101,16 @@ class Download(Item):
elif self.attributes.get('gpg_signature_url'): elif self.attributes.get('gpg_signature_url'):
full_signature_url = self.attributes['gpg_signature_url'].format(url=self.attributes['url']) full_signature_url = self.attributes['gpg_signature_url'].format(url=self.attributes['url'])
signature_path = f'{self.name}.signature' signature_path = f'{self.name}.signature'
self.node.run(f"curl -sSL {self.attributes['gpg_pubkey_url']} | gpg --import -") self.node.run(f"curl -sSL {self.attributes['gpg_pubkey_url']} | gpg --import -")
self.node.run(f"curl -L {full_signature_url} -o {quote(signature_path)}") self.node.run(f"curl -L {full_signature_url} -o {quote(signature_path)}")
gpg_output = self.node.run(f"gpg --verify {quote(signature_path)} {quote(self.name)}").stderr gpg_output = self.node.run(f"gpg --verify {quote(signature_path)} {quote(self.name)}").stderr
if b'Good signature' in gpg_output: if b'Good signature' in gpg_output:
sdict['verified'] = True sdict['verified'] = True
else: else:
sdict['verified'] = False sdict['verified'] = False
return sdict return sdict
@classmethod @classmethod

1
libs/tools.py
View file

@ -92,3 +92,4 @@ from shlex import quote
def run_as(user, command): def run_as(user, command):
return f'sudo su - {user} -s /bin/bash -c {quote(command)}' return f'sudo su - {user} -s /bin/bash -c {quote(command)}'

7
nodes/home.homeassistant.py
View file

@ -29,6 +29,7 @@
'internal': { 'internal': {
'interface': 'eth0', 'interface': 'eth0',
'ipv4': '10.0.0.16/24', 'ipv4': '10.0.0.16/24',
'mac': 'd8:3a:dd:16:fc:9d',
'gateway4': '10.0.0.1', 'gateway4': '10.0.0.1',
}, },
}, },
@ -68,20 +69,20 @@
}, },
}, },
'hosts': { 'hosts': {
'10.0.11.3': [ '10.0.10.2': [
'resolver.name', 'resolver.name',
'secondary.resolver.name', 'secondary.resolver.name',
], ],
}, },
'letsencrypt': { 'letsencrypt': {
'acme_node': 'netcup.mails', 'acme_node': 'htz.mails',
}, },
'homeassistant': { 'homeassistant': {
'domain': 'homeassistant.ckn.li', 'domain': 'homeassistant.ckn.li',
'os_agent_version': '1.6.0', 'os_agent_version': '1.6.0',
}, },
'nameservers': { 'nameservers': {
'10.0.11.3', '10.0.10.2',
}, },
'users': { 'users': {
'ckn': { 'ckn': {

1
nodes/home.homematic.py
View file

@ -14,6 +14,7 @@
'network': { 'network': {
'internal': { 'internal': {
'ipv4': '10.0.2.8/24', 'ipv4': '10.0.2.8/24',
'mac': 'b8:27:eb:15:30:86',
}, },
}, },
'dns': { 'dns': {

8
nodes/home.hue.py
View file

@ -5,7 +5,13 @@
'home', 'home',
], ],
'metadata': { 'metadata': {
'id': '', 'id': '87879bc1-130f-4fca-a8d2-e1d93a794df4',
'network': {
'internal': {
'ipv4': '10.0.2.100/24',
'mac': '00:17:88:67:e7:f2',
},
},
'dns': { 'dns': {
'hue.ckn.li': { 'hue.ckn.li': {
'A': {'10.0.2.100'}, 'A': {'10.0.2.100'},

70
nodes/home.router.py
View file

@ -1,25 +1,77 @@
{ {
'hostname': '10.0.0.120', 'hostname': '10.0.0.1',
'dummy': True,
'groups': [ 'groups': [
'autologin', 'autologin',
'debian-11', 'debian-12',
'hardware', 'hardware',
'home', 'home',
'monitored', 'monitored',
], ],
'bundles': [
'kea-dhcpd',
'wireguard',
],
'metadata': { 'metadata': {
'id': '1d6a43e5-858c-42f9-9c40-ab63d61c787c', 'id': '1d6a43e5-858c-42f9-9c40-ab63d61c787c',
'network': { 'network': {
'internal': { 'internal': {
'interface': 'eno1', 'interface': 'eno1',
'ipv4': '10.0.0.120/24', 'ipv4': '10.0.0.1/24',
'gateway4': '10.0.0.1', 'vlans': {'iot', 'internet', 'guest'},
'dhcp_server': True,
}, },
'external': { 'temp': {
'interface': 'enx00e04c00135b', 'interface': 'enx00e04c220682',
'mac': '00:e0:4c:00:13:5b', 'ipv4': '10.0.99.126/24',
'dhcp': 'yes', 'gateway4': '10.0.99.1',
},
'iot': {
'type': 'vlan',
'id': 2,
'ipv4': '10.0.2.1/24',
'dhcp_server': True,
},
'internet': {
'type': 'vlan',
'id': 3,
'ipv4': '10.0.3.1/24',
},
'guest': {
'type': 'vlan',
'id': 9,
'ipv4': '10.0.9.1/24',
'dhcp_server': True,
},
},
# 'nftables': {
# 'forward': {
# # Drop DHCP client requests (UDP port 68)
# 'udp sport 68 drop',
# 'udp dport 68 drop',
# # Drop DHCP server responses (UDP port 67)
# 'udp sport 67 drop',
# 'udp dport 67 drop',
# },
# },
'sysctl': {
'net': {
'ipv4': {
'ip_forward': 1,
},
},
},
'wireguard': {
'my_ip': '172.30.0.2/32',
's2s': {
'htz.mails': {
'allowed_ips': [
'10.0.10.0/24',
'10.0.10.0/24',
'192.168.179.0/24',
'10.0.227.0/24', # mseibert.freescout
],
},
}, },
}, },
}, },

27
nodes/home.server.py
View file

@ -33,7 +33,6 @@
'twitch-clip-download', 'twitch-clip-download',
'raspberrymatic-cert', 'raspberrymatic-cert',
'tasmota-charge', 'tasmota-charge',
'wireguard',
'wol-waker', 'wol-waker',
'zfs', 'zfs',
], ],
@ -63,10 +62,10 @@
'target': 'aarch64-unknown-linux-gnu', 'target': 'aarch64-unknown-linux-gnu',
}, },
}, },
'download_server': 'netcup.mails', 'download_server': 'htz.mails',
}, },
'gitea': { 'gitea': {
'version': '7.0.1', 'version': '8.0.3',
'domain': 'git.sublimity.de', 'domain': 'git.sublimity.de',
'conf': { 'conf': {
'mailer': { 'mailer': {
@ -111,7 +110,7 @@
}, },
'nextcloud': { 'nextcloud': {
'hostname': 'cloud.sublimity.de', 'hostname': 'cloud.sublimity.de',
'version': '29.0.3', 'version': '29.0.7',
'config': { 'config': {
'instanceid': 'oci6dw1woodz', 'instanceid': 'oci6dw1woodz',
'secret': '!decrypt:encrypt$gAAAAABj96CFynVtEgsje7173zjQAcY7xQG3uyf5cxE-sJAvhyPh_KUykTKdwnExc8NTDJ8RIGUmVfgC6or5crnYaggARPIEg5-Cb0xVdEPPZ3oZ01ImLmynLu3qXT9O8kVM-H21--OKeztMRn7bySsbXdWEGtETFQ==', 'secret': '!decrypt:encrypt$gAAAAABj96CFynVtEgsje7173zjQAcY7xQG3uyf5cxE-sJAvhyPh_KUykTKdwnExc8NTDJ8RIGUmVfgC6or5crnYaggARPIEg5-Cb0xVdEPPZ3oZ01ImLmynLu3qXT9O8kVM-H21--OKeztMRn7bySsbXdWEGtETFQ==',
@ -145,6 +144,13 @@
'steam-chat-viewer': { 'steam-chat-viewer': {
'hostname': 'steam-chats.ckn.li', 'hostname': 'steam-chats.ckn.li',
}, },
'sysctl': {
'net': {
'ipv4': {
'ip_forward': 1,
},
},
},
'systemd-swap': 4_000_000_000, 'systemd-swap': 4_000_000_000,
'tasmota-charge': { 'tasmota-charge': {
'phone': { 'phone': {
@ -166,19 +172,6 @@
'threads': 32, 'threads': 32,
'ram': 49152, 'ram': 49152,
}, },
'wireguard': {
'my_ip': '172.30.0.2/32',
's2s': {
'netcup.mails': {
'allowed_ips': [
'10.0.10.0/24',
'10.0.11.0/24',
'192.168.179.0/24',
'10.0.227.0/24', # mseibert.freescout
],
},
},
},
'zfs': { 'zfs': {
'zfs_arc_max_percent': 80, 'zfs_arc_max_percent': 80,
'storage_classes': { 'storage_classes': {

2
nodes/htz.games.py
View file

@ -37,7 +37,7 @@
'network': { 'network': {
'internal': { 'internal': {
'interface': 'ens10', 'interface': 'ens10',
'ipv4': '10.0.10.3/32', 'ipv4': '10.0.10.2/32',
}, },
'external': { 'external': {
'interface': 'eth0', 'interface': 'eth0',

40
nodes/netcup.mails.py → nodes/htz.mails.py
View file

@ -1,8 +1,9 @@
{ {
'hostname': '202.61.255.108', 'hostname': '49.12.184.229',
'groups': [ 'groups': [
'backup', 'backup',
'debian-12', 'debian-12',
'hetzner-cloud',
'mailserver', 'mailserver',
'monitored', 'monitored',
'webserver', 'webserver',
@ -15,7 +16,7 @@
'build-ci', 'build-ci',
'download-server', 'download-server',
'islamicstate.eu', 'islamicstate.eu',
'nginx-rtmps', #'nginx-rtmps',
#'steam', #'steam',
'wireguard', 'wireguard',
'zfs', 'zfs',
@ -24,14 +25,14 @@
'id': 'ea29bdf0-0b47-4bf4-8346-67d60c9dc4ae', 'id': 'ea29bdf0-0b47-4bf4-8346-67d60c9dc4ae',
'network': { 'network': {
'internal': { 'internal': {
'interface': 'eth1', 'interface': 'enp7s0',
'ipv4': '10.0.11.3/24', 'ipv4': '10.0.10.2/24',
}, },
'external': { 'external': {
'interface': 'eth0', 'interface': 'eth0',
'ipv4': '202.61.255.108/22', 'ipv4': '49.12.184.229/32',
'gateway4': '202.61.252.1', 'gateway4': '172.31.1.1',
'ipv6': '2a03:4000:55:a89::1/64', 'ipv6': '2a01:4f8:c013:51f2::1',
'gateway6': 'fe80::1', 'gateway6': 'fe80::1',
} }
}, },
@ -58,20 +59,20 @@
}, },
'dns': { 'dns': {
'ckn.li': { 'ckn.li': {
'A': ['202.61.255.108'], 'A': ['49.12.184.229'],
'AAAA': ['2a01:4f8:1c1c:4121::1'], 'AAAA': ['2a01:4f8:c013:51f2::1'],
}, },
'sublimity.de': { 'sublimity.de': {
'A': ['202.61.255.108'], 'A': ['49.12.184.229'],
'AAAA': ['2a01:4f8:1c1c:4121::1'], 'AAAA': ['2a01:4f8:c013:51f2::1'],
}, },
'freibrief.net': { 'freibrief.net': {
'A': ['202.61.255.108'], 'A': ['49.12.184.229'],
'AAAA': ['2a01:4f8:1c1c:4121::1'], 'AAAA': ['2a01:4f8:c013:51f2::1'],
}, },
'left4.me': { 'left4.me': {
'A': ['202.61.255.108'], 'A': ['49.12.184.229'],
'AAAA': ['2a01:4f8:1c1c:4121::1'], 'AAAA': ['2a01:4f8:c013:51f2::1'],
}, },
'elimu-kwanza.de': { 'elimu-kwanza.de': {
'TXT': ['google-site-verification=JwgcfXQ6nIXKxjMqUGHVBDISgMCQXgzMryPBsP2ZXnE'], 'TXT': ['google-site-verification=JwgcfXQ6nIXKxjMqUGHVBDISgMCQXgzMryPBsP2ZXnE'],
@ -195,21 +196,22 @@
}, },
'vm': { 'vm': {
'cores': 4, 'cores': 4,
'ram': 16384, 'ram': 8192,
}, },
'wireguard': { 'wireguard': {
'my_ip': '172.30.0.1/24', 'my_ip': '172.30.0.1/24',
's2s': { 's2s': {
'home.server': { 'home.router': {
'allowed_ips': [ 'allowed_ips': [
'10.0.0.0/24', '10.0.0.0/24',
'10.0.2.0/24', '10.0.2.0/24',
'10.0.9.0/24', '10.0.9.0/24',
'10.0.99.0/24',
], ],
}, },
'ovh.secondary': { 'ovh.secondary': {
'allowed_ips': [ 'allowed_ips': [
'10.0.11.0/24', '10.0.10.0/24',
], ],
}, },
'wb.offsite-backups': { 'wb.offsite-backups': {
@ -239,7 +241,7 @@
'pools': { 'pools': {
'tank': { 'tank': {
'devices': [ 'devices': [
'/dev/sda4', '/dev/disk/by-id/scsi-0HC_Volume_101332312',
], ],
}, },
}, },

4
nodes/mseibert.freescout.py
View file

@ -37,13 +37,13 @@
'wireguard': { 'wireguard': {
'my_ip': '172.30.0.238/32', 'my_ip': '172.30.0.238/32',
's2s': { 's2s': {
'netcup.mails': { 'htz.mails': {
'allowed_ips': [ 'allowed_ips': [
'10.0.0.0/24', '10.0.0.0/24',
'10.0.2.0/24', '10.0.2.0/24',
'10.0.9.0/24', '10.0.9.0/24',
'10.0.10.0/24', '10.0.10.0/24',
'10.0.11.0/24', '10.0.10.0/24',
], ],
}, },
}, },

8
nodes/ovh.secondary.py
View file

@ -20,22 +20,22 @@
}, },
}, },
'bind': { 'bind': {
'master_node': 'netcup.mails', 'master_node': 'htz.mails',
'hostname': 'secondary.resolver.name', 'hostname': 'secondary.resolver.name',
}, },
# 'postfix': { # 'postfix': {
# 'master_node': 'netcup.mails', # 'master_node': 'htz.mails',
# 'hostname': 'mail2.sublimity.de', # 'hostname': 'mail2.sublimity.de',
# }, # },
'wireguard': { 'wireguard': {
'my_ip': '172.30.0.3/32', 'my_ip': '172.30.0.3/32',
's2s': { 's2s': {
'netcup.mails': { 'htz.mails': {
'allowed_ips': [ 'allowed_ips': [
'10.0.0.0/24', '10.0.0.0/24',
'10.0.2.0/24', '10.0.2.0/24',
'10.0.9.0/24', '10.0.9.0/24',
'10.0.11.0/24', '10.0.10.0/24',
], ],
}, },
}, },

5
nodes/wb.offsite-backups.py
View file

@ -1,4 +1,5 @@
{ {
'dummy': True,
'hostname': '192.168.179.20', 'hostname': '192.168.179.20',
'groups': [ 'groups': [
'debian-11', 'debian-11',
@ -43,13 +44,13 @@
'wireguard': { 'wireguard': {
'my_ip': '172.30.0.4/32', 'my_ip': '172.30.0.4/32',
's2s': { 's2s': {
'netcup.mails': { 'htz.mails': {
'allowed_ips': [ 'allowed_ips': [
'10.0.0.0/24', '10.0.0.0/24',
'10.0.2.0/24', '10.0.2.0/24',
'10.0.9.0/24', '10.0.9.0/24',
'10.0.10.0/24', '10.0.10.0/24',
'10.0.11.0/24', '10.0.10.0/24',
], ],
}, },
}, },