cronekorkn/bundlewrap
1
0
Fork 0
Code Issues Pull requests 8 Projects Releases Wiki Activity

Compare commits

base: cronekorkn:9b3e66915ce7a984ae5bd6aea94b1e134e9cc64e
Branches Tags
cronekorkn:master
cronekorkn:n8n
cronekorkn:router
cronekorkn:freescout
cronekorkn:homeassistant-supervised
cronekorkn:conflecttest
cronekorkn:wp
cronekorkn:rufbereitschafts-alarm
cronekorkn:dnssec_2
cronekorkn:dnssec
cronekorkn:apt_sources_as_dict
cronekorkn:wordpress
cronekorkn:iperf3
cronekorkn:picsort-pythoon
cronekorkn:network_metadata_rework
cronekorkn:blog_dirty
cronekorkn:blog
cronekorkn:icinga2_notifications
cronekorkn:icinga_neumachen
cronekorkn:nextcloud_conf_in_metadata
cronekorkn:mastodon
cronekorkn:rtmp
cronekorkn:deterministic_rsa
cronekorkn:deterministic_rsa_test
cronekorkn:left4dead2
cronekorkn:temp130752653
cronekorkn:zfs_encrypt
cronekorkn:icingaweb
cronekorkn:ldap
cronekorkn:icinga2_remote_2
cronekorkn:icinga2_local
cronekorkn:icinga
cronekorkn:icinga2_remote
cronekorkn:modprobe
cronekorkn:autoconfig
cronekorkn:basic_auth
cronekorkn:crystal-buildserver
cronekorkn:build_Server
cronekorkn:cya_hetzner
cronekorkn:dns_challenge3
cronekorkn:dns_challenge2
cronekorkn:dns_challenge
cronekorkn:gpiod
cronekorkn:multi-redis
cronekorkn:l4d2
cronekorkn:wireguard_clients
cronekorkn:alles_sets
cronekorkn:hdict
cronekorkn:all_units
cronekorkn:unitbug_isolation
cronekorkn:whatsbroken
cronekorkn:minimal_mailserver
..
compare: cronekorkn:782b3fbe0b916e1e18b5ec2db85be7d4fbd664b9
Branches Tags
cronekorkn:master
cronekorkn:n8n
cronekorkn:router
cronekorkn:freescout
cronekorkn:homeassistant-supervised
cronekorkn:conflecttest
cronekorkn:wp
cronekorkn:rufbereitschafts-alarm
cronekorkn:dnssec_2
cronekorkn:dnssec
cronekorkn:apt_sources_as_dict
cronekorkn:wordpress
cronekorkn:iperf3
cronekorkn:picsort-pythoon
cronekorkn:network_metadata_rework
cronekorkn:blog_dirty
cronekorkn:blog
cronekorkn:icinga2_notifications
cronekorkn:icinga_neumachen
cronekorkn:nextcloud_conf_in_metadata
cronekorkn:mastodon
cronekorkn:rtmp
cronekorkn:deterministic_rsa
cronekorkn:deterministic_rsa_test
cronekorkn:left4dead2
cronekorkn:temp130752653
cronekorkn:zfs_encrypt
cronekorkn:icingaweb
cronekorkn:ldap
cronekorkn:icinga2_remote_2
cronekorkn:icinga2_local
cronekorkn:icinga
cronekorkn:icinga2_remote
cronekorkn:modprobe
cronekorkn:autoconfig
cronekorkn:basic_auth
cronekorkn:crystal-buildserver
cronekorkn:build_Server
cronekorkn:cya_hetzner
cronekorkn:dns_challenge3
cronekorkn:dns_challenge2
cronekorkn:dns_challenge
cronekorkn:gpiod
cronekorkn:multi-redis
cronekorkn:l4d2
cronekorkn:wireguard_clients
cronekorkn:alles_sets
cronekorkn:hdict
cronekorkn:all_units
cronekorkn:unitbug_isolation
cronekorkn:whatsbroken
cronekorkn:minimal_mailserver

No commits in common. "9b3e66915ce7a984ae5bd6aea94b1e134e9cc64e" and "782b3fbe0b916e1e18b5ec2db85be7d4fbd664b9" have entirely different histories.
9b3e66915c ... 782b3fbe0b

15 changed files with 13 additions and 323 deletions
Show stats Expand all files Collapse all files

1
bundles/mariadb/README.md
View file

@ -1 +0,0 @@
https://mariadb.com/kb/en/systemd/#configuring-mariadb-to-write-the-error-log-to-syslog

11
bundles/mariadb/files/override.conf
View file

@ -1,11 +0,0 @@
% for section, options in sorted(conf.items()):
[${section}]
% for key, value in sorted(options.items()):
% if value is None:
${key}
% else:
${key} = ${value}
% endif
% endfor
% endfor

89
bundles/mariadb/items.py
View file

@ -1,89 +0,0 @@
from shlex import quote
def mariadb(sql, **kwargs):
kwargs_string = ''.join(f" --{k} {v}" for k, v in kwargs.items())
return f"mariadb{kwargs_string} -Bsr --execute {quote(sql)}"
directories = {
'/var/lib/mysql': {
'owner': 'mysql',
'group': 'mysql',
'needs': [
'zfs_dataset:tank/mariadb',
],
'needed_by': [
'pkg_apt:mariadb-server',
],
},
}
files = {
'/etc/mysql/conf.d/override.conf': {
'context': {
'conf': node.metadata.get('mariadb/conf'),
},
'content_type': 'mako',
},
}
svc_systemd = {
'mariadb.service': {
'needs': [
'pkg_apt:mariadb-server',
],
},
}
actions = {
'mariadb_sec_remove_anonymous_users': {
'command': mariadb("DELETE FROM mysql.global_priv WHERE User=''"),
'unless': mariadb("SELECT count(0) FROM mysql.global_priv WHERE User = ''") + " | grep -q '^0$'",
'needs': [
'svc_systemd:mariadb.service',
],
'triggers': [
'svc_systemd:mariadb.service:restart',
],
},
'mariadb_sec_remove_remote_root': {
'command': mariadb("DELETE FROM mysql.global_priv WHERE User='root' AND Host NOT IN ('localhost', '127.0.0.1', '::1')"),
'unless': mariadb("SELECT count(0) FROM mysql.global_priv WHERE User='root' AND Host NOT IN ('localhost', '127.0.0.1', '::1')") + " | grep -q '^0$'",
'needs': [
'svc_systemd:mariadb.service',
],
'triggers': [
'svc_systemd:mariadb.service:restart',
],
},
}
for db, conf in node.metadata.get('mariadb/databases', {}).items():
actions[f'mariadb_create_database_{db}'] = {
'command': mariadb(f"CREATE DATABASE {db}"),
'unless': mariadb(f"SHOW DATABASES LIKE '{db}'") + f" | grep -q '^{db}$'",
'needs': [
'svc_systemd:mariadb.service',
],
}
actions[f'mariadb_user_{db}_create'] = {
'command': mariadb(f"CREATE USER {db}"),
'unless': mariadb(f"SELECT User FROM mysql.user WHERE User = '{db}'") + f" | grep -q '^{db}$'",
'needs': [
f'action:mariadb_create_database_{db}',
],
}
pw = conf['password']
actions[f'mariadb_user_{db}_password'] = {
'command': mariadb(f"SET PASSWORD FOR {db} = PASSWORD('{conf['password']}')"),
'unless': f'echo {quote(pw)} | mariadb -u {db} -e quit -p',
'needs': [
f'action:mariadb_user_{db}_create',
],
}
actions[f'mariadb_grant_privileges_to_{db}'] = {
'command': mariadb(f"GRANT ALL PRIVILEGES ON {db}.* TO '{db}'", database=db),
'unless': mariadb(f"SHOW GRANTS FOR {db}") + f" | grep -q '^GRANT ALL PRIVILEGES ON `{db}`.* TO `{db}`@`%`'",
'needs': [
f'action:mariadb_user_{db}_create',
],
}

36
bundles/mariadb/metadata.py
View file

@ -1,36 +0,0 @@
defaults = {
'apt': {
'packages': {
'mariadb-server': {},
},
},
'mariadb': {
'databases': {},
'conf': {
# https://www.reddit.com/r/zfs/comments/u1xklc/mariadbmysql_database_settings_for_zfs
'mysqld': {
'skip-innodb_doublewrite': None,
'innodb_flush_method': 'fsync',
'innodb_doublewrite': '0',
'innodb_use_atomic_writes': '0',
'innodb_use_native_aio': '0',
'innodb_read_io_threads': '10',
'innodb_write_io_threads': '10',
'innodb_buffer_pool_size': '26G',
'innodb_flush_log_at_trx_commit': '1',
'innodb_log_file_size': '1G',
'innodb_flush_neighbors': '0',
'innodb_fast_shutdown': '2',
},
},
},
'zfs': {
'datasets': {
'tank/mariadb': {
'mountpoint': '/var/lib/mysql',
'recordsize': '16384',
'atime': 'off',
},
},
},
}

1
bundles/wordpress/README.md
View file

@ -1 +0,0 @@
https://developer.wordpress.org/advanced-administration/upgrade/upgrading/

25
bundles/wordpress/files/check_wordpress_insecure
View file

@ -1,25 +0,0 @@
#!/bin/bash
SITE=$1
VERSION=$(php -r "require('/opt/$SITE/wp-includes/version.php'); echo \$wp_version;")
STATUS=$(curl -ssL http://api.wordpress.org/core/stable-check/1.0/ | jq -r '.["'$VERSION'"]')
echo "WordPress $VERSION is '$STATUS'"
if [[ "$STATUS" == latest ]]
then
exit 0
elif [[ "$STATUS" == outdated ]]
then
exit 1
elif [[ "$STATUS" == insecure ]]
then
if test -f /etc/nginx/sites/$SITE
then
rm /etc/nginx/sites/$SITE
systemctl restart nginx
fi
exit 2
else
exit 2
fi

5
bundles/wordpress/files/print-version.php
View file

@ -1,5 +0,0 @@
<?php
require_once '${path}/wp-includes/version.php';
echo "$wp_version";

0
bundles/wordpress/files/wp-config.php
View file

12
bundles/wordpress/items.py
View file

@ -1,12 +0,0 @@
files = {
'/usr/lib/nagios/plugins/check_wordpress_insecure': {
'mode': '0750',
},
}
for site, conf in node.metadata.get('wordpress').items():
directories[f'/opt/{site}'] = {
'owner': 'www-data',
'group': 'www-data',
'mode': '0755',
}

84
bundles/wordpress/metadata.py
View file

@ -1,84 +0,0 @@
defaults = {}
@metadata_reactor.provides(
'wordpress',
)
def wordpress(metadata):
return {
'wordpress': {
site: {
'db_password': repo.vault.password_for(f"wordpress {site} db").value,
}
for site in metadata.get('wordpress')
},
}
@metadata_reactor.provides(
'mariadb/databases',
)
def mariadb(metadata):
return {
'mariadb': {
'databases': {
site: {
'password': metadata.get(f'wordpress/{site}/db_password')
}
for site in metadata.get('wordpress')
},
},
}
@metadata_reactor.provides(
'nginx/vhosts'
)
def vhost(metadata):
return {
'nginx': {
'vhosts': {
conf['domain']: {
'content': 'wordpress/vhost.conf',
'context': {
'root': f'/opt/{site}',
},
}
for site, conf in metadata.get('wordpress').items()
},
},
}
@metadata_reactor.provides(
'zfs/datasets',
)
def zfs(metadata):
return {
'zfs': {
'datasets': {
f'tank/{site}': {
'mountpoint': f'/opt/{site}',
}
for site in metadata.get('wordpress')
},
},
}
@metadata_reactor.provides(
'monitoring/services',
)
def check_insecure(metadata):
return {
'monitoring': {
'services': {
f'wordpress {site} insecure': {
'vars.command': f'/usr/lib/nagios/plugins/check_wordpress_insecure {site}',
'check_interval': '30m',
'vars.sudo': True,
}
for site in metadata.get('wordpress')
},
},
}

43
data/wordpress/vhost.conf
View file

@ -1,43 +0,0 @@
# Upstream to abstract backend connection(s) for php
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name ${server_name};
root ${root};
index index.php;
ssl_certificate /var/lib/dehydrated/certs/${server_name}/fullchain.pem;
ssl_certificate_key /var/lib/dehydrated/certs/${server_name}/privkey.pem;
location = /favicon.ico {
log_not_found off;
access_log off;
}
location = /robots.txt {
allow all;
log_not_found off;
access_log off;
}
location / {
# This is cool because no php is touched for static content.
# include the "?$args" part so non-default permalinks doesn't break when using query string
try_files $uri $uri/ /index.php?$args;
}
location ~ \.php$ {
# NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini
include params/fastcgi;
fastcgi_intercept_errors on;
fastcgi_pass php-handler;
# The following parameter can be also included in fastcgi_params file
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
}
location ~* \.(js|css|png|jpg|jpeg|gif|ico)$ {
expires max;
log_not_found off;
}
}

8
groups/applications/wordpress.py
View file

@ -1,8 +0,0 @@
{
'bundles': [
'letsencrypt',
'mariadb',
'nginx',
'wordpress',
],
}

1
nodes/home.backups.py
View file

@ -1,5 +1,4 @@
{ {
'dummy': True,
'hostname': '10.0.0.5', 'hostname': '10.0.0.5',
'groups': [ 'groups': [
'autologin', 'autologin',

2
nodes/home.server.py
View file

@ -111,7 +111,7 @@
}, },
'nextcloud': { 'nextcloud': {
'hostname': 'cloud.sublimity.de', 'hostname': 'cloud.sublimity.de',
'version': '28.0.1', 'version': '27.1.4',
'config': { 'config': {
'instanceid': 'oci6dw1woodz', 'instanceid': 'oci6dw1woodz',
'secret': '!decrypt:encrypt$gAAAAABj96CFynVtEgsje7173zjQAcY7xQG3uyf5cxE-sJAvhyPh_KUykTKdwnExc8NTDJ8RIGUmVfgC6or5crnYaggARPIEg5-Cb0xVdEPPZ3oZ01ImLmynLu3qXT9O8kVM-H21--OKeztMRn7bySsbXdWEGtETFQ==', 'secret': '!decrypt:encrypt$gAAAAABj96CFynVtEgsje7173zjQAcY7xQG3uyf5cxE-sJAvhyPh_KUykTKdwnExc8NTDJ8RIGUmVfgC6or5crnYaggARPIEg5-Cb0xVdEPPZ3oZ01ImLmynLu3qXT9O8kVM-H21--OKeztMRn7bySsbXdWEGtETFQ==',

18
nodes/netcup.mails.py
View file

@ -7,7 +7,6 @@
'monitored', 'monitored',
'webserver', 'webserver',
'dnsserver', 'dnsserver',
'wordpress',
#'left4dead2', #'left4dead2',
], ],
'bundles': [ 'bundles': [
@ -22,11 +21,6 @@
'zfs', 'zfs',
], ],
'metadata': { 'metadata': {
'wordpress': {
'elimukwanza': {
'domain': 'elimu-kwanza.de',
},
},
'id': 'ea29bdf0-0b47-4bf4-8346-67d60c9dc4ae', 'id': 'ea29bdf0-0b47-4bf4-8346-67d60c9dc4ae',
'network': { 'network': {
'internal': { 'internal': {
@ -79,6 +73,10 @@
'A': ['202.61.255.108'], 'A': ['202.61.255.108'],
'AAAA': ['2a01:4f8:1c1c:4121::1'], 'AAAA': ['2a01:4f8:1c1c:4121::1'],
}, },
'elimu-kwanza.de': {
'A': ['202.61.255.108'],
'AAAA': ['2a01:4f8:1c1c:4121::1'],
},
}, },
'download-server': { 'download-server': {
'hostname': 'dl.sublimity.de', 'hostname': 'dl.sublimity.de',
@ -174,6 +172,14 @@
}, },
'internal_dns': False, 'internal_dns': False,
}, },
'elimu-kwanza.de': {
'content': 'nginx/message.conf',
'context': {
'title': 'Im Aufbau/under construction',
'message': '<a href=mailto:info@elimu-kwanza.de>info@elimu-kwanza.de</a>',
},
'internal_dns': False,
},
'cronekorkn.de': { 'cronekorkn.de': {
'content': 'nginx/redirect.conf', 'content': 'nginx/redirect.conf',
'context': { 'context': {