wip

2023-09-25 16:59:37 +02:00 · 2023-09-25 16:59:37 +02:00 · 2023-09-25 16:59:37 +02:00 · 2023-09-25 16:59:35 +02:00 · 2023-09-25 16:59:23 +02:00 · 2023-09-25 16:59:03 +02:00
10 changed files with 179 additions and 12 deletions
--- a/bin/upgrade_and_restart_all
+++ b/bin/upgrade_and_restart_all
@ -10,7 +10,6 @@ nodes = [
        for node in sorted(repo.nodes_in_group('debian'))
        if not node.dummy
 ]
-reboot_nodes = []

 print('updating nodes:', sorted(node.name for node in nodes))

@ -25,13 +24,12 @@ for node in nodes:
    print(node.run('DEBIAN_FRONTEND=noninteractive apt list --upgradable').stdout.decode())
    if int(node.run('DEBIAN_FRONTEND=noninteractive apt list --upgradable 2> /dev/null | grep upgradable | wc -l').stdout.decode()):
        print(node.run('DEBIAN_FRONTEND=noninteractive apt -y dist-upgrade').stdout.decode())
-        reboot_nodes.append(node)

 # REBOOT IN ORDER

 wireguard_servers = [
    node
-        for node in reboot_nodes
+        for node in nodes
        if node.has_bundle('wireguard')
        and (
            ip_interface(node.metadata.get('wireguard/my_ip')).network.prefixlen <
@ -41,7 +39,7 @@ wireguard_servers = [

 wireguard_s2s = [
    node
-        for node in reboot_nodes
+        for node in nodes
        if node.has_bundle('wireguard')
        and (
            ip_interface(node.metadata.get('wireguard/my_ip')).network.prefixlen ==
@ -51,7 +49,7 @@ wireguard_s2s = [

 everything_else = [
    node
-        for node in reboot_nodes
+        for node in nodes
        if not node.has_bundle('wireguard')
 ]

@ -62,8 +60,9 @@ for node in [
    *wireguard_s2s,
    *wireguard_servers,
 ]:
-    print('rebooting', node.name)
    try:
-        print(node.run('systemctl reboot').stdout.decode())
+        if node.run('test -e /var/run/reboot-required').return_code == 0:
+            print('rebooting', node.name)
+            print(node.run('systemctl reboot').stdout.decode())
    except Exception as e:
        print(e)
--- a/bundles/backup-freshness-check/metadata.py
+++ b/bundles/backup-freshness-check/metadata.py
@ -25,7 +25,8 @@ def backup_freshness_check(metadata):
            'datasets': {
                f"{other_node.metadata.get('id')}/{dataset}"
                    for other_node in repo.nodes
-                    if other_node.has_bundle('backup')
+                    if not other_node.dummy
+                    and other_node.has_bundle('backup')
                    and other_node.has_bundle('zfs')
                    and other_node.metadata.get('backup/server') == metadata.get('backup-freshness-check/server')
                    for dataset, options in other_node.metadata.get('zfs/datasets').items()
--- a/bundles/backup-server/metadata.py
+++ b/bundles/backup-server/metadata.py
@ -35,6 +35,7 @@ def zfs(metadata):

    for other_node in repo.nodes:
        if (
+            not other_node.dummy and
            other_node.has_bundle('backup') and
            other_node.metadata.get('backup/server') == node.name
        ):
--- a/bundles/macbook/files/macbook-update
+++ b/bundles/macbook/files/macbook-update
@ -10,6 +10,7 @@ password   required       pam_deny.so
 session    required       pam_permit.so
 EOT

+sudo xcodebuild -license accept
 xcode-select --install

 git -C ~/.zsh/oh-my-zsh pull
@ -41,3 +42,5 @@ fi
 sudo systemsetup -setremotelogin on # enable ssh

 pip install --upgrade pip
+
+# https://sysadmin-journal.com/apache-directory-studio-on-the-apple-m1/
--- a/bundles/nginx/files/fastcgi
+++ b/bundles/nginx/files/fastcgi
@ -1,4 +1,3 @@
-fastcgi_param  SCRIPT_FILENAME    $document_root$fastcgi_script_name;
 fastcgi_param  QUERY_STRING       $query_string;
 fastcgi_param  REQUEST_METHOD     $request_method;
 fastcgi_param  CONTENT_TYPE       $content_type;
@ -24,6 +23,3 @@ fastcgi_param  SERVER_NAME        $server_name;

 # PHP only, required if PHP was built with --enable-force-cgi-redirect
 fastcgi_param  REDIRECT_STATUS    200;
-
-# This is the only thing that's different to the debian default.
-fastcgi_param  SCRIPT_FILENAME    $document_root$fastcgi_script_name;
--- a/bundles/rufbereitschaftsalarm/files/rufbereitschaftsalarm
+++ b/bundles/rufbereitschaftsalarm/files/rufbereitschaftsalarm
@ -0,0 +1,8 @@
+#!/bin/bash
+
+gpio=$(gpiofind SCL1)
+
+while gpiomon --num-events=1 --falling-edge $gpio 2&> /dev/null
+do
+  systemctl stop rufbereitschafts-klingel
+done
--- a/bundles/rufbereitschaftsalarm/items.py
+++ b/bundles/rufbereitschaftsalarm/items.py
@ -0,0 +1,16 @@
+files = {
+    '/opt/rufbereitschaftsalarm': {
+        'mode': '550',
+    },
+}
+
+svc_systemd = {
+    'rufbereitschaftsalarm.service': {
+        'enabled': False,
+        'running': False,
+        'needs': [
+            'pkg_apt:gpiod',
+            'file:/opt/rufbereitschaftsalarm',
+        ],
+    }
+}
--- a/bundles/rufbereitschaftsalarm/metadata.py
+++ b/bundles/rufbereitschaftsalarm/metadata.py
@ -0,0 +1,42 @@
+defaults = {
+    'apt': {
+        'packages': {
+            'gpiod': {},
+        },
+    },
+    'flask': {
+
+    },
+    'systemd': {
+        'units': {
+            'rufbereitschaftsalarm-sound.service': {
+                'Unit': {
+                    'Description': 'rufbereitschaftsalarm sound effect',
+                    'After': 'network.target',
+                },
+                'Service': {
+                    'ExecStart': '/opt/rufbereitschaftsalarm-sound',
+                },
+                'Install': {
+                    'WantedBy': {
+                        'multi-user.target'
+                    },
+                },
+            },
+            'rufbereitschaftsalarm-stop.service': {
+                'Unit': {
+                    'Description': 'rufbereitschaftsalarm stop button',
+                    'After': 'network.target',
+                },
+                'Service': {
+                    'ExecStart': '/opt/rufbereitschaftsalarm-stop',
+                },
+                'Install': {
+                    'WantedBy': {
+                        'multi-user.target'
+                    },
+                },
+            },
+        },
+    },
+}
--- a/data/nginx/run_program.conf
+++ b/data/nginx/run_program.conf
@ -0,0 +1,29 @@
+# https://www.nginx.com/resources/wiki/start/topics/examples/fcgiwrap/
+
+server {
+    listen 443 ssl http2;
+    listen [::]:443 ssl http2;
+    server_name ${server_name};
+
+    ssl_certificate /var/lib/dehydrated/certs/${server_name}/fullchain.pem;
+    ssl_certificate_key /var/lib/dehydrated/certs/${server_name}/privkey.pem;
+
+    location / {
+        # Disable gzip (it makes scripts feel slower since they have to complete
+        # before getting gzipped)
+        gzip off;
+
+        # Set the root to /usr/lib (inside this location this means that we are
+        # giving access to the files under /usr/lib/cgi-bin)
+        root	/usr/lib;
+
+        # Fastcgi socket
+        fastcgi_pass  unix:/run/fcgiwrap.socket;
+
+        # Fastcgi parameters, include the standard ones
+        include /etc/nginx/params/fastcgi;
+
+        # Adjust non standard parameters (SCRIPT_FILENAME)
+        fastcgi_param SCRIPT_FILENAME /usr/lib/cgi-bin/hello.cgi;
+    }
+}
--- a/nodes/home.rufbereitschaft.py
+++ b/nodes/home.rufbereitschaft.py
@ -0,0 +1,72 @@
+{
+    'hostname': '10.0.0.190',
+    'groups': [
+        'autologin',
+        'debian-12',
+        'hardware',
+        'home',
+        'monitored',
+        'webserver',
+    ],
+    'bundles': [
+        'wireguard',
+    ],
+    'metadata': {
+        'id': '4eb7ba69-37fa-4594-8d54-3ebfc4e7e5d6',
+        'network': {
+            'internal': {
+                'interface': 'eth0',
+                'ipv4': '10.0.0.190/24',
+                'gateway4': '10.0.0.1',
+            },
+        },
+        'apt': {
+            'packages': {
+                'alsa-utils': {},
+                'espeak': {},
+                'libnginx-mod-http-lua': {},
+            },
+        },
+        'nginx': {
+            'vhosts': {
+                'rufbereitschaftsalarm.ckn.li': {
+                    'content': 'nginx/run_program.conf',
+                    'context': {
+                        'script': 'hello',
+                    },
+                },
+            },
+        },
+        'systemd': {
+            'units': {
+                "wireguard.network": {
+                    "Route#smedia": {
+                        "Destination": "10.200.128.1",
+                        "Gateway": "10.200.128.11"
+                    },
+                },
+                "wireguard.netdev": {
+                    "NetDev": {
+                        "Description": "WireGuard server",
+                        "Kind": "wireguard",
+                        "Name": "wg0"
+                    },
+                    "WireGuard": {
+                        "ListenPort": 51820,
+                        "PrivateKey": "encrypt$gAAAAABk6FEX92wQzlBIqxP6w5FQydlrDqOZeo1AZS9zaBE3QzujtBnB_cf6KlECzmoljr71dmRiFN5yvA8bzRIpcecvnufIji1XNg-i1UW1fq393XppRq0p9EtNBVzoXoyzZFEcjQRo"
+                    },
+                    "WireGuardPeer#rufbereitsschaftsalarm": {
+                        "AllowedIPs": "0.0.0.0/0",
+                        "Endpoint": "185.122.180.82:51820",
+                        "PersistentKeepalive": 30,
+                        "PresharedKey": "!decrypt:encrypt$gAAAAABk6FD0_39AzxKTTse3ukqs7VOcZ5mPsBsN09Y4FgITOEnbBVWZ-zDsaZi-woNbp4k10nrJtIrqz8a-FIFdNbQaTgulhRDKF6TFH4BhYlEB7d8NH5CU3kTTtqtjSWW9GPqAgb3z",
+                        "PublicKey": "gPKjFV8mAx5GZdfPmjThNolpSaXs285e7YznhaBlOwY="
+                    }
+                },
+            },
+        },
+        'wireguard': {
+            'my_ip': '10.200.128.11/24',
+        },
+    },
+}
Author	SHA1	Message	Date
cronekorkn	d9b84aaf7e	wip	2023-09-25 16:59:37 +02:00
cronekorkn	61da5978dc	wip	2023-09-25 16:59:37 +02:00
cronekorkn	6b21f2e8fd	wip	2023-09-25 16:59:37 +02:00
cronekorkn	314c968006	wip	2023-09-25 16:59:35 +02:00
cronekorkn	0eb37a909e	bundles/macbook/files/macbook-update: xcode acept license	2023-09-25 16:59:23 +02:00
cronekorkn	2211571689	exclude some dummies	2023-09-25 16:59:03 +02:00
cronekorkn	6cb4275e31	bin/upgrade_and_restart_all: use /var/run/reboot-required	2023-09-25 16:58:34 +02:00