
32 commits

Author SHA1 Message Date
e39deddf7c
wip 2024-08-20 18:03:39 +02:00
12c5b86cc5
wip 2024-08-20 18:03:39 +02:00
c63e56975c
wip 2024-08-20 18:03:39 +02:00
f74dbc6539
wip 2024-08-20 18:03:39 +02:00
1221b68642
wip 2024-08-20 18:03:37 +02:00
95efe10ef6
roundcube 1.6.7 2024-08-19 12:23:35 +02:00
e47c709f39
dedup 2024-07-29 10:26:38 +02:00
24d346962a
omz permissions 2024-07-22 10:35:50 +02:00
3e2cae42e6
nextcloud update 2024-07-03 11:13:41 +02:00
6e410bfc25
nextcloud maintenance_window_start 2024-07-03 11:13:09 +02:00
8ebf4e0ec0
oh my zsh fix permissions 2024-07-03 10:12:27 +02:00
8e8f77e546
ssh host key: use custom path to not collide with auto generated keys 2024-07-03 10:05:44 +02:00
c128b8a1ca
comment 2024-06-23 13:17:44 +02:00
53d2928de2
errors and deprecatons 2024-06-22 02:59:15 +02:00
4996f98cd1 Merge pull request 'homeassistant-supervised' (#18) from homeassistant-supervised into master
Reviewed-on: #18
2024-06-11 18:41:31 +02:00
5b254b1b28
homeassistant-supervised 2024-06-11 18:40:22 +02:00
4348e6045e
zfs.headers use system/architecture 2024-06-11 18:03:32 +02:00
28e9d69571
nginx fix ssl_dhparam path 2024-06-11 18:03:08 +02:00
32011c5b1f
bundles/macbook/files/venv: install optional requirements 2024-06-11 18:02:03 +02:00
5c8e28ddb5
homeass more log 2024-06-05 21:34:47 +02:00
d62e609863
faster better dhparams that actually get used 2024-06-05 21:34:28 +02:00
ff51b41c38
hass bluez 2024-05-31 16:11:15 +02:00
76cf14a9ef
hass more timeout 2024-05-31 16:11:07 +02:00
301889ab8b
homeassistant kinda works 2024-05-31 15:14:49 +02:00
1a163ce9f0
dep order 2024-05-31 15:14:16 +02:00
15a78737cb
sort 2024-05-31 15:13:37 +02:00
d90e0a18e8
update nextcloud 2024-05-28 11:11:22 +02:00
a55ec37d21
elimu-kwanza.de google-site-verification 2024-05-14 11:18:20 +02:00
ee23f3ef6e
some default 2024-05-10 10:28:59 +02:00
de67571f5e
lobercrew killed letsencrypt 2024-05-10 10:28:52 +02:00
a04163b72f
update forgejo 2024-04-30 14:19:28 +02:00
fc7f7e2c23
update gitea 2024-04-30 14:12:51 +02:00
38 changed files with 745 additions and 88 deletions


@ -1,6 +1,10 @@
from shlex import quote
defaults = {
'build-ci': {},
}
@metadata_reactor.provides(
'users/build-ci/authorized_users',
'sudoers/build-ci',


@ -0,0 +1,13 @@
Pg Pass workaround: set manually:
```
root@freescout /ro psql freescout
psql (15.6 (Debian 15.6-0+deb12u1))
Type "help" for help.
freescout=# \password freescout
Enter new password for user "freescout":
Enter it again:
freescout=#
\q
```


@ -0,0 +1,62 @@
# https://github.com/freescout-helpdesk/freescout/wiki/Installation-Guide
run_as = repo.libs.tools.run_as
php_version = node.metadata.get('php/version')
directories = {
'/opt/freescout': {
'owner': 'www-data',
'group': 'www-data',
# chown -R www-data:www-data /opt/freescout
},
}
actions = {
'clone_freescout': {
'command': run_as('www-data', 'git clone https://github.com/freescout-helpdesk/freescout.git /opt/freescout'),
'unless': 'test -e /opt/freescout/.git',
'needs': [
'pkg_apt:git',
'directory:/opt/freescout',
],
},
'pull_freescout': {
'command': run_as('www-data', 'git -C /opt/freescout pull'),
'unless': run_as('www-data', 'git -C /opt/freescout fetch origin && git -C /opt/freescout status -uno | grep -q "Your branch is up to date"'),
'needs': [
'action:clone_freescout',
],
'triggers': [
'action:freescout_artisan_update',
f'svc_systemd:php{php_version}-fpm.service:restart',
],
},
'freescout_artisan_update': {
'command': run_as('www-data', 'php /opt/freescout/artisan freescout:after-app-update'),
'triggered': True,
'needs': [
f'svc_systemd:php{php_version}-fpm.service:restart',
'action:pull_freescout',
],
},
}
# files = {
# '/opt/freescout/.env': {
# # https://github.com/freescout-helpdesk/freescout/blob/dist/.env.example
# # Every time you are making changes in .env file, in order changes to take an effect you need to run:
# # ´sudo su - www-data -c 'php /opt/freescout/artisan freescout:clear-cache' -s /bin/bash´
# 'owner': 'www-data',
# 'content': '\n'.join(
# f'{k}={v}' for k, v in
# sorted(node.metadata.get('freescout/env').items())
# ) + '\n',
# 'needs': [
# 'directory:/opt/freescout',
# 'action:clone_freescout',
# ],
# },
# }
#sudo su - www-data -s /bin/bash -c 'php /opt/freescout/artisan freescout:create-user --role admin --firstName M --lastName W --email freescout@freibrief.net --password gyh.jzv2bnf6hvc.HKG --no-interaction'
#sudo su - www-data -s /bin/bash -c 'php /opt/freescout/artisan freescout:create-user --role admin --firstName M --lastName W --email freescout@freibrief.net --password gyh.jzv2bnf6hvc.HKG --no-interaction'
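Review bot: The two commented-out `freescout:create-user` lines at the end of this file carry the admin account's e-mail address and its `--password` value in clear text, so the credential is now part of the repository history. Drop both lines and change that password on the instance; if the bootstrap command is worth keeping as a note, leave the password out or derive it the way the metadata file derives the database password, via `repo.vault.password_for(...)`. Separately, `pull_freescout` follows whatever upstream's default branch serves on every apply and then runs `artisan freescout:after-app-update` as `www-data`; pinning the checkout to a release tag would make each update a reviewed change.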


@ -0,0 +1,92 @@
database_password = repo.vault.password_for(f'{node.name} postgresql freescout').value
defaults = {
'apt': {
'packages': {
'git': {},
'php': {},
'php-pgsql': {},
'php-fpm': {},
'php-mbstring': {},
'php-xml': {},
'php-imap': {},
'php-zip': {},
'php-gd': {},
'php-curl': {},
'php-intl': {},
},
},
'freescout': {
'env': {
'APP_TIMEZONE': 'Europe/Berlin',
'DB_CONNECTION': 'pgsql',
'DB_HOST': '127.0.0.1',
'DB_PORT': '5432',
'DB_DATABASE': 'freescout',
'DB_USERNAME': 'freescout',
'DB_PASSWORD': database_password,
'APP_KEY': 'base64:' + repo.vault.random_bytes_as_base64_for(f'{node.name} freescout APP_KEY', length=32).value
},
},
'php': {
'php.ini': {
'cgi': {
'fix_pathinfo': '0',
},
},
},
'postgresql': {
'roles': {
'freescout': {
'password': database_password,
},
},
'databases': {
'freescout': {
'owner': 'freescout',
},
},
},
'systemd-timers': {
'freescout-cron': {
'command': '/usr/bin/php /opt/freescout/artisan schedule:run',
'when': 'Minutely',
'user': 'www-data',
},
},
'zfs': {
'datasets': {
'tank/freescout': {
'mountpoint': '/opt/freescout',
},
},
},
}
@metadata_reactor.provides(
'freescout/env/APP_URL',
)
def freescout(metadata):
return {
'freescout': {
'env': {
'APP_URL': 'https://' + metadata.get('freescout/domain') + '/',
},
},
}
@metadata_reactor.provides(
'nginx/vhosts',
)
def nginx(metadata):
return {
'nginx': {
'vhosts': {
metadata.get('freescout/domain'): {
'content': 'freescout/vhost.conf',
},
},
},
}


@ -118,7 +118,7 @@ def nginx(metadata):
'content': 'nginx/proxy_pass.conf',
'context': {
'target': 'http://127.0.0.1:3500',
}
},
},
},
},


@ -0,0 +1,21 @@
https://github.com/home-assistant/supervised-installer?tab=readme-ov-file
https://github.com/home-assistant/os-agent/tree/main?tab=readme-ov-file#using-home-assistant-supervised-on-debian
https://docs.docker.com/engine/install/debian/
https://www.home-assistant.io/installation/linux#install-home-assistant-supervised
https://github.com/home-assistant/supervised-installer
https://github.com/home-assistant/architecture/blob/master/adr/0014-home-assistant-supervised.md
DATA_SHARE=/usr/share/hassio dpkg --force-confdef --force-confold -i homeassistant-supervised.deb
neu debian
ha installieren
gucken ob geht
dann bw drüberbügeln
https://www.home-assistant.io/integrations/http/#ssl_certificate


@ -0,0 +1,30 @@
from shlex import quote
version = node.metadata.get('homeassistant/os_agent_version')
directories = {
'/usr/share/hassio': {},
}
actions = {
'install_os_agent': {
'command': ' && '.join([
f'wget -O /tmp/os-agent.deb https://github.com/home-assistant/os-agent/releases/download/{quote(version)}/os-agent_{quote(version)}_linux_aarch64.deb',
'DEBIAN_FRONTEND=noninteractive dpkg -i /tmp/os-agent.deb',
]),
'unless': f'test "$(apt -qq list os-agent | cut -d" " -f2)" = "{quote(version)}"',
'needs': {
'pkg_apt:',
'zfs_dataset:tank/homeassistant',
},
},
'install_homeassistant_supervised': {
'command': 'wget -O /tmp/homeassistant-supervised.deb https://github.com/home-assistant/supervised-installer/releases/latest/download/homeassistant-supervised.deb && apt install /tmp/homeassistant-supervised.deb',
'unless': 'apt -qq list homeassistant-supervised | grep -q "installed"',
'needs': {
'action:install_os_agent',
},
},
}
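Review bot: Both actions download a `.deb` to a fixed name under `/tmp` and install it as root, with nothing checked beyond the download succeeding. `install_os_agent` at least pins the release through `os_agent_version`, but `install_homeassistant_supervised` takes `releases/latest`, so what gets installed depends on the day the action runs. I would pin the installer to a version too, keep an expected SHA-256 per artefact in metadata (for example under a new key such as `homeassistant/os_agent_sha256`), and add a step between download and install, e.g. `f'echo {quote(sha256 + "  /tmp/os-agent.deb")} | sha256sum -c -'` with `sha256` read from that key. Also, `"{quote(version)}"` in the `unless` places the `shlex.quote` output inside double quotes, where any quotes it adds would become literal; `= {quote(version)}` without the surrounding double quotes is the safe form.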


@ -0,0 +1,65 @@
defaults = {
'apt': {
'packages': {
# homeassistant-supervised
'apparmor': {},
'bluez': {},
'cifs-utils': {},
'curl': {},
'dbus': {},
'jq': {},
'libglib2.0-bin': {},
'lsb-release': {},
'network-manager': {},
'nfs-common': {},
'systemd-journal-remote': {},
'systemd-resolved': {},
'udisks2': {},
'wget': {},
# docker
'docker-ce': {},
'docker-ce-cli': {},
'containerd.io': {},
'docker-buildx-plugin': {},
'docker-compose-plugin': {},
},
'sources': {
# docker: https://docs.docker.com/engine/install/debian/#install-using-the-repository
'docker': {
'urls': {
'https://download.docker.com/linux/debian',
},
'suites': {
'{codename}',
},
'components': {
'stable',
},
},
},
},
'zfs': {
'datasets': {
'tank/homeassistant': {
'mountpoint': '/usr/share/hassio',
'needed_by': {
'directory:/usr/share/hassio',
},
},
},
},
}
@metadata_reactor.provides(
'nginx/vhosts',
)
def nginx(metadata):
return {
'nginx': {
'vhosts': {
metadata.get('homeassistant/domain'): {
'content': 'homeassistant/vhost.conf',
},
},
},
}
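Review bot: The `docker` entry under `apt/sources` names no `key`, while the Debian sources in nodes/home.homeassistant.py each set one (`'key': 'debian-{version}'`) and this change set also adds data/apt/keys/docker.asc. If the apt bundle does not fall back to the source name for the key file, add `'key': 'docker',` here so the repository is tied to that one key. If it does fall back, a short comment saying so would save the next reader the lookup.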


@ -1,20 +0,0 @@
users = {
'homeassistant': {
'home': '/var/lib/homeassistant',
},
}
directories = {
'/var/lib/homeassistant': {
'owner': 'homeassistant',
},
'/var/lib/homeassistant/config': {
'owner': 'homeassistant',
},
'/var/lib/homeassistant/venv': {
'owner': 'homeassistant',
},
}
# https://wiki.instar.com/de/Software/Linux/Home_Assistant/


@ -1,20 +0,0 @@
defaults = {
'apt': {
'packages': {
'python3': {},
'python3-dev': {},
'python3-pip': {},
'python3-venv': {},
'libffi-dev': {},
'libssl-dev': {},
'libjpeg-dev': {},
'zlib1g-dev': {},
'autoconf': {},
'build-essential': {},
'libopenjp2-7': {},
'libtiff5': {},
'libturbojpeg0-dev': {},
'tzdata': {},
},
},
}


@ -269,7 +269,7 @@ svc_systemd = {
'icinga2.service': {
'needs': [
'pkg_apt:icinga2-ido-pgsql',
'svc_systemd:postgresql',
'svc_systemd:postgresql.service',
],
},
}


@ -20,18 +20,19 @@ files = {
}
actions = {
'systemd-locale': {
'command': f'localectl set-locale LANG="{default_locale}"',
'unless': f'localectl | grep -Fi "system locale" | grep -Fi "{default_locale}"',
'triggers': {
'action:locale-gen',
},
},
'locale-gen': {
'command': 'locale-gen',
'triggered': True,
'needs': {
'pkg_apt:locales',
},
},
'systemd-locale': {
'command': f'localectl set-locale LANG="{default_locale}"',
'unless': f'localectl | grep -Fi "system locale" | grep -Fi "{default_locale}"',
'preceded_by': {
'action:locale-gen',
'action:systemd-locale',
},
},
}


@ -19,5 +19,9 @@ if test "$DELTA" -gt 86400
then
python3 -m pip --require-virtualenv install pip wheel --upgrade
python3 -m pip --require-virtualenv install -r requirements.txt --upgrade
if test -e optional-requirements.txt
then
python3 -m pip --require-virtualenv install -r optional-requirements.txt --upgrade
fi
date +%s > .pip_upgrade_timestamp
fi


@ -142,6 +142,7 @@ def config(metadata):
'versions_retention_obligation': 'auto, 90',
'simpleSignUpLink.shown': False,
'allow_local_remote_servers': True, # FIXME?
'maintenance_window_start': 1, # https://docs.nextcloud.com/server/29/admin_manual/configuration_server/background_jobs_configuration.html#maintenance-window-start
},
},
}


@ -21,6 +21,7 @@ http {
server_names_hash_bucket_size 128;
tcp_nopush on;
client_max_body_size 32G;
ssl_dhparam "/etc/ssl/certs/dhparam.pem";
% if node.has_bundle('php'):
upstream php-handler {


@ -76,7 +76,7 @@ files = {
actions = {
'nginx-generate-dhparam': {
'command': 'openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048',
'command': 'openssl dhparam -dsaparam -out /etc/ssl/certs/dhparam.pem 4096',
'unless': 'test -f /etc/ssl/certs/dhparam.pem',
},
}
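Review bot: `-dsaparam` makes generation fast because it produces DSA-style parameters instead of a safe prime, and OpenSSL's documentation for the option warns that a fresh DH key must then be used for each handshake to avoid small-subgroup attacks. That trade-off deserves a comment next to the command, something like `# -dsaparam: DSA-style group, not a safe prime; relies on per-handshake DH keys`. Also, because `unless` only tests that the file exists, hosts that already have the old 2048-bit file keep it, so the new parameters reach only fresh nodes unless the file is removed once.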


@ -1,9 +1,3 @@
from os.path import join
import json
from bundlewrap.utils.dicts import merge_dict
version = node.metadata.get('php/version')
files = {
@ -21,7 +15,7 @@ files = {
f'pkg_apt:php{version}-fpm',
},
'triggers': {
f'svc_systemd:php{version}-fpm:restart',
f'svc_systemd:php{version}-fpm.service:restart',
},
},
f'/etc/php/{version}/fpm/pool.d/www.conf': {
@ -33,13 +27,13 @@ files = {
f'pkg_apt:php{version}-fpm',
},
'triggers': {
f'svc_systemd:php{version}-fpm:restart',
f'svc_systemd:php{version}-fpm.service:restart',
},
},
}
svc_systemd = {
f'php{version}-fpm': {
f'php{version}-fpm.service': {
'needs': {
'pkg_apt:',
f'file:/etc/php/{version}/fpm/php.ini',


@ -113,7 +113,7 @@ def php_ini(metadata):
'opcache.revalidate_freq': '60',
},
}
return {
'php': {
'php.ini': {
@ -145,7 +145,7 @@ def www_conf(metadata):
'pm': 'dynamic',
'pm.max_children': int(threads*2),
'pm.start_servers': int(threads),
'pm.min_spare_servers': int(threads/2),
'pm.min_spare_servers': max([1, int(threads/2)]),
'pm.max_spare_servers': int(threads),
'pm.max_requests': int(threads*32),
},


@ -12,7 +12,7 @@ directories = {
'zfs_dataset:tank/postgresql',
],
'needed_by': [
'svc_systemd:postgresql',
'svc_systemd:postgresql.service',
],
}
}
@ -25,16 +25,19 @@ files = {
) + '\n',
'owner': 'postgres',
'group': 'postgres',
'needs': [
'pkg_apt:postgresql',
],
'needed_by': [
'svc_systemd:postgresql',
'svc_systemd:postgresql.service',
],
'triggers': [
'svc_systemd:postgresql:restart',
'svc_systemd:postgresql.service:restart',
],
},
}
svc_systemd['postgresql'] = {
svc_systemd['postgresql.service'] = {
'needs': [
'pkg_apt:postgresql',
],
@ -43,13 +46,13 @@ svc_systemd['postgresql'] = {
for user, config in node.metadata.get('postgresql/roles').items():
postgres_roles[user] = merge_dict(config, {
'needs': [
'svc_systemd:postgresql',
'svc_systemd:postgresql.service',
],
})
for database, config in node.metadata.get('postgresql/databases').items():
postgres_dbs[database] = merge_dict(config, {
'needs': [
'svc_systemd:postgresql',
'svc_systemd:postgresql.service',
],
})

25
bundles/pyenv/items.py Normal file

@ -0,0 +1,25 @@
from shlex import quote
directories = {
'/opt/pyenv': {},
'/opt/pyenv/install': {},
}
git_deploy = {
'/opt/pyenv/install': {
'repo': 'https://github.com/pyenv/pyenv.git',
'rev': 'master',
'needs': {
'directory:/opt/pyenv/install',
},
},
}
for version in node.metadata.get('pyenv/versions'):
actions[f'pyenv_install_{version}'] = {
'command': f'PYENV_ROOT=/opt/pyenv /opt/pyenv/install/bin/pyenv install {quote(version)}',
'unless': f'PYENV_ROOT=/opt/pyenv /opt/pyenv/install/bin/pyenv versions --bare | grep -Fxq {quote(version)}',
'needs': {
'git_deploy:/opt/pyenv/install',
},
}
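Review bot: `'rev': 'master'` deploys whatever pyenv's default branch contains at apply time, and the `pyenv_install_*` actions then run that checkout's `bin/pyenv` (presumably as root, as bundlewrap actions normally do) to download and build interpreters. Pinning `rev` to a release tag or commit hash, e.g. `'rev': '<PYENV_RELEASE_TAG>',`, turns a pyenv upgrade into an explicit, reviewable change in this repository.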

23
bundles/pyenv/metadata.py Normal file

@ -0,0 +1,23 @@
defaults = {
'apt': {
'packages': {
'build-essential': {},
'libssl-dev': {},
'zlib1g-dev': {},
'libbz2-dev': {},
'libreadline-dev': {},
'libsqlite3-dev': {},
'curl': {},
'libncurses-dev': {},
'xz-utils': {},
'tk-dev': {},
'libxml2-dev': {},
'libxmlsec1-dev': {},
'libffi-dev': {},
'liblzma-dev': {},
},
},
'pyenv': {
'versions': set(),
},
}


@ -21,3 +21,4 @@ ClientAliveInterval 30
ClientAliveCountMax 5
AcceptEnv LANG
Subsystem sftp /usr/lib/openssh/sftp-server
HostKey /etc/ssh/ssh_host_managed_key


@ -51,14 +51,14 @@ files = {
],
'skip': dont_touch_sshd,
},
'/etc/ssh/ssh_host_ed25519_key': {
'/etc/ssh/ssh_host_managed_key': {
'content': node.metadata.get('ssh/host_key/private') + '\n',
'mode': '0600',
'triggers': [
'svc_systemd:ssh:restart'
],
},
'/etc/ssh/ssh_host_ed25519_key.pub': {
'/etc/ssh/ssh_host_managed_key.pub': {
'content': node.metadata.get('ssh/host_key/public') + '\n',
'mode': '0644',
'triggers': [


@ -1,7 +1,7 @@
files = {
'/etc/systemd/journald.conf.d/managed.conf': {
'content': repo.libs.systemd.generate_unitfile({
'Jorunal': node.metadata.get('systemd-journald'),
'Journal': node.metadata.get('systemd-journald'),
}),
'triggers': {
'svc_systemd:systemd-journald:restart',


@ -7,6 +7,8 @@ defaults = {
# needed by crystal plugins:
'libgc-dev': {},
'libevent-dev': {},
# crystal based (procio, pressure_stall):
'libpcre3': {},
},
'sources': {
'influxdata': {
@ -56,7 +58,7 @@ defaults = {
'procstat': {h({
'interval': '60s',
'pattern': '.',
'fieldpass': [
'fieldinclude': [
'cpu_usage',
'memory_rss',
],


@ -1,4 +1,12 @@
defaults = {}
defaults = {
'php': {
'php.ini': {
'cgi': {
'fix_pathinfo': '0',
},
},
},
}
@metadata_reactor.provides(


@ -6,6 +6,7 @@ files = {
'/etc/cron.weekly/zfs-auto-snapshot': {'delete': True, 'needs': {'pkg_apt:zfs-auto-snapshot'}},
'/etc/cron.monthly/zfs-auto-snapshot': {'delete': True, 'needs': {'pkg_apt:zfs-auto-snapshot'}},
'/etc/modprobe.d/zfs.conf': {
'content_type': 'text',
'content': '\n'.join(
f'options zfs {k}={v}'
for k, v in node.metadata.get('zfs/kernel_params').items()


@ -122,10 +122,7 @@ def backup(metadata):
'apt/packages'
)
def headers(metadata):
if node.in_group('raspberry-pi'):
arch = 'arm64'
else:
arch = 'amd64'
arch = metadata.get('system/architecture')
return {
'apt': {


@ -3,12 +3,13 @@ from os.path import join
directories = {
'/etc/zsh/oh-my-zsh': {},
'/etc/zsh/oh-my-zsh/custom/plugins': {
'mode': '0755',
'mode': '0744',
'needs': [
f"git_deploy:/etc/zsh/oh-my-zsh",
]
},
'/etc/zsh/oh-my-zsh/custom/plugins/zsh-autosuggestions': {
'mode': '0744',
'needs': [
f"git_deploy:/etc/zsh/oh-my-zsh",
]
@ -27,14 +28,30 @@ git_deploy = {
}
files = {
'/etc/zsh/zprofile': {},
'/etc/zsh/zprofile': {
'mode': '0744',
},
'/etc/zsh/oh-my-zsh/themes/bw.zsh-theme': {
'mode': '0744',
'needs': [
f"git_deploy:/etc/zsh/oh-my-zsh",
]
},
}
actions = {
'chown_oh_my_zsh': {
'command': 'chmod -R 744 /etc/zsh/oh-my-zsh',
'triggered': True,
'triggered_by': [
"git_deploy:/etc/zsh/oh-my-zsh",
"git_deploy:/etc/zsh/oh-my-zsh/custom/plugins/zsh-autosuggestions",
"file:/etc/zsh/zprofile",
"file:/etc/zsh/oh-my-zsh/themes/bw.zsh-theme",
],
},
}
for name, user_config in node.metadata.get('users').items():
if user_config.get('shell', None) == '/usr/bin/zsh':
files[join(user_config['home'], '.zshrc')] = {
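Review bot: Mode `0744` on the directories (`custom/plugins`, `zsh-autosuggestions`) and `chmod -R 744` in `chown_oh_my_zsh` remove the search bit for group and others, so non-root users can list those directories but not open anything beneath them, while every regular file gains an owner execute bit. If the aim is to stop zsh's insecure-directory complaints, only group and world write access has to go: `'command': 'chmod -R u=rwX,go=rX /etc/zsh/oh-my-zsh',`, with directories kept at `0755` and files at `0644`. The action only changes modes, so `chmod_oh_my_zsh` would be the more accurate name. The `for name, user_config` loop at the end continues outside the hunk.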

62
data/apt/keys/docker.asc Normal file

@ -0,0 +1,62 @@
-----BEGIN PGP PUBLIC KEY BLOCK-----
mQINBFit2ioBEADhWpZ8/wvZ6hUTiXOwQHXMAlaFHcPH9hAtr4F1y2+OYdbtMuth
lqqwp028AqyY+PRfVMtSYMbjuQuu5byyKR01BbqYhuS3jtqQmljZ/bJvXqnmiVXh
38UuLa+z077PxyxQhu5BbqntTPQMfiyqEiU+BKbq2WmANUKQf+1AmZY/IruOXbnq
L4C1+gJ8vfmXQt99npCaxEjaNRVYfOS8QcixNzHUYnb6emjlANyEVlZzeqo7XKl7
UrwV5inawTSzWNvtjEjj4nJL8NsLwscpLPQUhTQ+7BbQXAwAmeHCUTQIvvWXqw0N
cmhh4HgeQscQHYgOJjjDVfoY5MucvglbIgCqfzAHW9jxmRL4qbMZj+b1XoePEtht
ku4bIQN1X5P07fNWzlgaRL5Z4POXDDZTlIQ/El58j9kp4bnWRCJW0lya+f8ocodo
vZZ+Doi+fy4D5ZGrL4XEcIQP/Lv5uFyf+kQtl/94VFYVJOleAv8W92KdgDkhTcTD
G7c0tIkVEKNUq48b3aQ64NOZQW7fVjfoKwEZdOqPE72Pa45jrZzvUFxSpdiNk2tZ
XYukHjlxxEgBdC/J3cMMNRE1F4NCA3ApfV1Y7/hTeOnmDuDYwr9/obA8t016Yljj
q5rdkywPf4JF8mXUW5eCN1vAFHxeg9ZWemhBtQmGxXnw9M+z6hWwc6ahmwARAQAB
tCtEb2NrZXIgUmVsZWFzZSAoQ0UgZGViKSA8ZG9ja2VyQGRvY2tlci5jb20+iQI3
BBMBCgAhBQJYrefAAhsvBQsJCAcDBRUKCQgLBRYCAwEAAh4BAheAAAoJEI2BgDwO
v82IsskP/iQZo68flDQmNvn8X5XTd6RRaUH33kXYXquT6NkHJciS7E2gTJmqvMqd
tI4mNYHCSEYxI5qrcYV5YqX9P6+Ko+vozo4nseUQLPH/ATQ4qL0Zok+1jkag3Lgk
jonyUf9bwtWxFp05HC3GMHPhhcUSexCxQLQvnFWXD2sWLKivHp2fT8QbRGeZ+d3m
6fqcd5Fu7pxsqm0EUDK5NL+nPIgYhN+auTrhgzhK1CShfGccM/wfRlei9Utz6p9P
XRKIlWnXtT4qNGZNTN0tR+NLG/6Bqd8OYBaFAUcue/w1VW6JQ2VGYZHnZu9S8LMc
FYBa5Ig9PxwGQOgq6RDKDbV+PqTQT5EFMeR1mrjckk4DQJjbxeMZbiNMG5kGECA8
g383P3elhn03WGbEEa4MNc3Z4+7c236QI3xWJfNPdUbXRaAwhy/6rTSFbzwKB0Jm
ebwzQfwjQY6f55MiI/RqDCyuPj3r3jyVRkK86pQKBAJwFHyqj9KaKXMZjfVnowLh
9svIGfNbGHpucATqREvUHuQbNnqkCx8VVhtYkhDb9fEP2xBu5VvHbR+3nfVhMut5
G34Ct5RS7Jt6LIfFdtcn8CaSas/l1HbiGeRgc70X/9aYx/V/CEJv0lIe8gP6uDoW
FPIZ7d6vH+Vro6xuWEGiuMaiznap2KhZmpkgfupyFmplh0s6knymuQINBFit2ioB
EADneL9S9m4vhU3blaRjVUUyJ7b/qTjcSylvCH5XUE6R2k+ckEZjfAMZPLpO+/tF
M2JIJMD4SifKuS3xck9KtZGCufGmcwiLQRzeHF7vJUKrLD5RTkNi23ydvWZgPjtx
Q+DTT1Zcn7BrQFY6FgnRoUVIxwtdw1bMY/89rsFgS5wwuMESd3Q2RYgb7EOFOpnu
w6da7WakWf4IhnF5nsNYGDVaIHzpiqCl+uTbf1epCjrOlIzkZ3Z3Yk5CM/TiFzPk
z2lLz89cpD8U+NtCsfagWWfjd2U3jDapgH+7nQnCEWpROtzaKHG6lA3pXdix5zG8
eRc6/0IbUSWvfjKxLLPfNeCS2pCL3IeEI5nothEEYdQH6szpLog79xB9dVnJyKJb
VfxXnseoYqVrRz2VVbUI5Blwm6B40E3eGVfUQWiux54DspyVMMk41Mx7QJ3iynIa
1N4ZAqVMAEruyXTRTxc9XW0tYhDMA/1GYvz0EmFpm8LzTHA6sFVtPm/ZlNCX6P1X
zJwrv7DSQKD6GGlBQUX+OeEJ8tTkkf8QTJSPUdh8P8YxDFS5EOGAvhhpMBYD42kQ
pqXjEC+XcycTvGI7impgv9PDY1RCC1zkBjKPa120rNhv/hkVk/YhuGoajoHyy4h7
ZQopdcMtpN2dgmhEegny9JCSwxfQmQ0zK0g7m6SHiKMwjwARAQABiQQ+BBgBCAAJ
BQJYrdoqAhsCAikJEI2BgDwOv82IwV0gBBkBCAAGBQJYrdoqAAoJEH6gqcPyc/zY
1WAP/2wJ+R0gE6qsce3rjaIz58PJmc8goKrir5hnElWhPgbq7cYIsW5qiFyLhkdp
YcMmhD9mRiPpQn6Ya2w3e3B8zfIVKipbMBnke/ytZ9M7qHmDCcjoiSmwEXN3wKYI
mD9VHONsl/CG1rU9Isw1jtB5g1YxuBA7M/m36XN6x2u+NtNMDB9P56yc4gfsZVES
KA9v+yY2/l45L8d/WUkUi0YXomn6hyBGI7JrBLq0CX37GEYP6O9rrKipfz73XfO7
JIGzOKZlljb/D9RX/g7nRbCn+3EtH7xnk+TK/50euEKw8SMUg147sJTcpQmv6UzZ
cM4JgL0HbHVCojV4C/plELwMddALOFeYQzTif6sMRPf+3DSj8frbInjChC3yOLy0
6br92KFom17EIj2CAcoeq7UPhi2oouYBwPxh5ytdehJkoo+sN7RIWua6P2WSmon5
U888cSylXC0+ADFdgLX9K2zrDVYUG1vo8CX0vzxFBaHwN6Px26fhIT1/hYUHQR1z
VfNDcyQmXqkOnZvvoMfz/Q0s9BhFJ/zU6AgQbIZE/hm1spsfgvtsD1frZfygXJ9f
irP+MSAI80xHSf91qSRZOj4Pl3ZJNbq4yYxv0b1pkMqeGdjdCYhLU+LZ4wbQmpCk
SVe2prlLureigXtmZfkqevRz7FrIZiu9ky8wnCAPwC7/zmS18rgP/17bOtL4/iIz
QhxAAoAMWVrGyJivSkjhSGx1uCojsWfsTAm11P7jsruIL61ZzMUVE2aM3Pmj5G+W
9AcZ58Em+1WsVnAXdUR//bMmhyr8wL/G1YO1V3JEJTRdxsSxdYa4deGBBY/Adpsw
24jxhOJR+lsJpqIUeb999+R8euDhRHG9eFO7DRu6weatUJ6suupoDTRWtr/4yGqe
dKxV3qQhNLSnaAzqW/1nA3iUB4k7kCaKZxhdhDbClf9P37qaRW467BLCVO/coL3y
Vm50dwdrNtKpMBh3ZpbB1uJvgi9mXtyBOMJ3v8RZeDzFiG8HdCtg9RvIt/AIFoHR
H3S+U79NT6i0KPzLImDfs8T7RlpyuMc4Ufs8ggyg9v3Ae6cN3eQyxcK3w0cbBwsh
/nQNfsA6uu+9H7NhbehBMhYnpNZyrHzCmzyXkauwRAqoCbGCNykTRwsur9gS41TQ
M8ssD1jFheOJf3hODnkKU+HKjvMROl1DK7zdmLdNzA1cvtZH/nCC9KPj1z8QC47S
xx+dTZSx4ONAhwbS/LN3PoKtn8LPjY9NP9uDWI+TWYquS2U+KHDrBDlsgozDbs/O
jCxcpDzNmXpWQHEtHU7649OXHP7UeNST1mCUCH5qdank0V1iejF6/CfTFU4MfcrG
YT90qFF93M3v01BbxP+EIY2/9tiIPbrd
=0YYh
-----END PGP PUBLIC KEY BLOCK-----

53
data/freescout/vhost.conf Normal file

@ -0,0 +1,53 @@
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name ${server_name};
ssl_certificate /var/lib/dehydrated/certs/${server_name}/fullchain.pem;
ssl_certificate_key /var/lib/dehydrated/certs/${server_name}/privkey.pem;
root /opt/freescout/public;
index index.php index.html index.htm;
location / {
try_files $uri $uri/ /index.php?$query_string;
}
location ~ \.php$ {
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass php-handler;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include params/fastcgi;
}
# Uncomment this location if you want to improve attachments downloading speed.
# Also make sure to set APP_DOWNLOAD_ATTACHMENTS_VIA=nginx in the .env file.
#location ^~ /storage/app/attachment/ {
# internal;
# alias /var/www/html/storage/app/attachment/;
#}
location ~* ^/storage/attachment/ {
expires 1M;
access_log off;
try_files $uri $uri/ /index.php?$query_string;
}
location ~* ^/(?:css|js)/.*\.(?:css|js)$ {
expires 2d;
access_log off;
add_header Cache-Control "public, must-revalidate";
}
# The list should be in sync with /storage/app/public/uploads/.htaccess and /config/app.php
location ~* ^/storage/.*\.((?!(jpg|jpeg|jfif|pjpeg|pjp|apng|bmp|gif|ico|cur|png|tif|tiff|webp|pdf|txt|diff|patch|json|mp3|wav|ogg|wma)).)*$ {
add_header Content-disposition "attachment; filename=$2";
default_type application/octet-stream;
}
location ~* ^/(?:css|fonts|img|installer|js|modules|[^\\\]+\..*)$ {
expires 1M;
access_log off;
add_header Cache-Control "public";
}
location ~ /\. {
deny all;
}
}
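Review bot: The `location ~ \.php$` block is the first regex location, so any URI ending in `.php` is handed to `php-handler`, including paths under `/storage/`, which the comment further down identifies as the upload area. The extension rule for `/storage/` and the `location ~ /\.` deny come later and never see such a request. Whether an upload can end in `.php` depends on FreeScout's own validation, which is not visible here, so I would add `location ~* ^/storage/.*\.php$ { deny all; }` above the PHP block as a second line of defence.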


@ -0,0 +1,22 @@
map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name ${server_name};
ssl_certificate /var/lib/dehydrated/certs/${server_name}/fullchain.pem;
ssl_certificate_key /var/lib/dehydrated/certs/${server_name}/privkey.pem;
location / {
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
proxy_set_header Host $http_host;
proxy_read_timeout 3600;
proxy_pass http://127.0.0.1:8123;
}
}
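Review bot: The proxy block forwards `Host` and the upgrade headers but no client address, so Home Assistant sees every request as coming from 127.0.0.1 and its login log and IP-ban logic cannot tell clients apart. Add `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;` here, and enable `use_x_forwarded_for` with `trusted_proxies: 127.0.0.1` in Home Assistant's `http:` configuration, which this change set does not manage.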


@ -0,0 +1,10 @@
{
'supergroups': [
'webserver',
],
'bundles': [
'freescout',
'php',
'postgresql',
],
}


@ -86,3 +86,9 @@ def require_bundle(node, bundle, hint=''):
# way of defining bundle requirements in other bundles.
if not node.has_bundle(bundle):
raise BundleError(f'{node.name} requires bundle {bundle}, but wasn\'t found! {hint}')
from shlex import quote
def run_as(user, command):
return f'sudo su - {user} -s /bin/bash -c {quote(command)}'
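Review bot: `run_as` quotes `command` but interpolates `user` into the shell string as-is; `return f'sudo su - {quote(user)} -s /bin/bash -c {quote(command)}'` treats both arguments the same way. The `from shlex import quote` line sits in the middle of the module, below `require_bundle`, and belongs with the imports at the top of the file. A one-line docstring stating that the result is a shell command string meant for an action's `command` or `unless` would also help callers.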

111
nodes/home.homeassistant.py Normal file

@ -0,0 +1,111 @@
{
'hostname': '10.0.0.16',
'groups': [
'webserver',
'backup',
'monitored',
'raspberry-pi',
'autologin',
],
'bundles': [
'apt',
'homeassistant-supervised',
'hostname',
'hosts',
'htop',
'users',
'ssh',
'sudo',
'locale',
'zsh',
'zfs',
'systemd',
'systemd-timers',
'systemd-journald',
],
'metadata': {
'id': '3d67964d-1270-4d3c-b93f-9c44219b3d59',
'network': {
'internal': {
'interface': 'eth0',
'ipv4': '10.0.0.16/24',
'gateway4': '10.0.0.1',
},
},
'apt': {
'sources': {
'debian': {
'urls': {
'https://deb.debian.org/debian',
},
'suites': {
'{codename}',
'{codename}-updates',
},
'components': {
'main',
'contrib',
'non-free',
'non-free-firmware',
},
'key': 'debian-{version}',
},
'debian-security': {
'urls': {
'http://security.debian.org/debian-security',
},
'suites': {
'{codename}-security',
},
'components': {
'main',
'contrib',
'non-free',
'non-free-firmware',
},
'key': 'debian-{version}-security',
},
},
},
'hosts': {
'10.0.11.3': [
'resolver.name',
'secondary.resolver.name',
],
},
'letsencrypt': {
'acme_node': 'netcup.mails',
},
'homeassistant': {
'domain': 'homeassistant.ckn.li',
'os_agent_version': '1.6.0',
},
'nameservers': {
'10.0.11.3',
},
'users': {
'ckn': {
'shell': '/usr/bin/zsh',
'authorized_keys': {
'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILMVroYmswD4tLk6iH+2tvQiyaMe42yfONDsPDIdFv6I ckn',
},
},
},
'sudoers': {
'ckn': {'ALL'},
},
'zfs': {
'pools': {
'tank': {
'devices': [
'/var/lib/zfs/tank.img',
],
},
},
},
'os_codename': 'bookworm',
},
'os': 'debian',
'os_version': (12,),
'pip_command': 'pip3',
}
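Review bot: The `debian-security` source uses `http://security.debian.org/debian-security` while the `debian` source right above it uses HTTPS. Package signatures still protect integrity, but the plain-HTTP fetch reveals which security updates the host pulls and is inconsistent with the rest of the file. `'https://security.debian.org/debian-security',` is a drop-in replacement if that mirror is reachable over HTTPS from this network.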


@ -66,7 +66,7 @@
'download_server': 'netcup.mails',
},
'gitea': {
'version': '1.20.4-1',
'version': '7.0.1',
'domain': 'git.sublimity.de',
'conf': {
'mailer': {
@ -111,7 +111,7 @@
},
'nextcloud': {
'hostname': 'cloud.sublimity.de',
'version': '28.0.1',
'version': '29.0.3',
'config': {
'instanceid': 'oci6dw1woodz',
'secret': '!decrypt:encrypt$gAAAAABj96CFynVtEgsje7173zjQAcY7xQG3uyf5cxE-sJAvhyPh_KUykTKdwnExc8NTDJ8RIGUmVfgC6or5crnYaggARPIEg5-Cb0xVdEPPZ3oZ01ImLmynLu3qXT9O8kVM-H21--OKeztMRn7bySsbXdWEGtETFQ==',
@ -174,6 +174,7 @@
'10.0.10.0/24',
'10.0.11.0/24',
'192.168.179.0/24',
'10.0.227.0/24', # mseibert.freescout
],
},
},


@ -0,0 +1,60 @@
{
'hostname': '159.69.117.89',
'groups': [
# 'backup',
'debian-12',
# 'monitored',
'webserver',
'freescout',
],
'bundles': [
'wireguard',
'zfs',
],
'metadata': {
'id': '5333e3dd-0718-493a-a93c-529612a45079',
'network': {
'internal': {
'interface': 'ens10',
'ipv4': '10.0.227.2/24',
},
'external': {
'interface': 'eth0',
'ipv4': '159.69.117.89/32',
'gateway4': '172.31.1.1',
'ipv6': '2a01:4f8:c013:3d0b::1/64',
'gateway6': 'fe80::1',
},
},
'freescout': {
'domain': 'freescout.foerderkreis-oranienschule.de',
},
'vm': {
'cores': 1,
'ram': 2048,
},
'wireguard': {
'my_ip': '172.30.0.238/32',
's2s': {
'netcup.mails': {
'allowed_ips': [
'10.0.0.0/24',
'10.0.2.0/24',
'10.0.9.0/24',
'10.0.10.0/24',
'10.0.11.0/24',
],
},
},
},
'zfs': {
'pools': {
'tank': {
'devices': [
'/dev/disk/by-id/scsi-0HC_Volume_100662393',
],
},
},
},
},
}
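Review bot: `'backup'` and `'monitored'` are commented out in `groups` with no reason given, so this node, which has a public address and will hold FreeScout's data and PostgreSQL database, comes up with neither backups nor monitoring as far as this file shows. Either enable both groups or add a comment such as `# TODO: enable once the node is provisioned` so the gap is tracked.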


@ -15,18 +15,12 @@
'build-ci',
'download-server',
'islamicstate.eu',
'lonercrew',
'nginx-rtmps',
'steam',
'wireguard',
'zfs',
],
'metadata': {
'wordpress': {
'elimukwanza': {
'domain': 'elimu-kwanza.de',
},
},
'id': 'ea29bdf0-0b47-4bf4-8346-67d60c9dc4ae',
'network': {
'internal': {
@ -56,10 +50,10 @@
'islamicstate.eu',
'hausamsilberberg.de',
'wiegand.tel',
'lonercrew.io',
'left4.me',
'elimu-kwanza.de',
'cronekorkn.de',
'freescout.foerderkreis-oranienschule.de',
},
},
'dns': {
@ -79,10 +73,18 @@
'A': ['202.61.255.108'],
'AAAA': ['2a01:4f8:1c1c:4121::1'],
},
'elimu-kwanza.de': {
'TXT': ['google-site-verification=JwgcfXQ6nIXKxjMqUGHVBDISgMCQXgzMryPBsP2ZXnE'],
},
},
'download-server': {
'hostname': 'dl.sublimity.de',
},
'wordpress': {
'elimukwanza': {
'domain': 'elimu-kwanza.de',
},
},
'left4dead2': {
'servers': {
'standard': {
@ -188,7 +190,7 @@
},
'roundcube': {
'product_name': 'Sublimity Mail',
'version': '1.6.6',
'version': '1.6.7',
'installer': False,
},
'vm': {
@ -215,6 +217,11 @@
'192.168.179.0/24',
],
},
'mseibert.freescout': {
'allowed_ips': [
'10.0.227.0/24',
],
},
},
'clients': {
'macbook': {