13 changed files with 35 additions and 159 deletions
--- a/bundles/bind/metadata.py
+++ b/bundles/bind/metadata.py
@ -41,12 +41,6 @@ defaults = {
        },
        'zones': set(),
    },
    'nftables': {
        'input': {
            'tcp dport 53 accept',
            'udp dport 53 accept',
        },
    },
    'telegraf': {
        'config': {
            'inputs': {
@ -103,7 +97,7 @@ def dns(metadata):
 def collect_records(metadata):
    if metadata.get('bind/type') == 'slave':
        return {}
-
+    
    views = {}
    for view_name, view_conf in metadata.get('bind/views').items():
@ -123,7 +117,7 @@ def collect_records(metadata):
                name = fqdn[0:-len(zone) - 1]
-                for type, values in records.items():
+                for type, values in records.items():                    
                    for value in values:
                        if repo.libs.bind.record_matches_view(value, type, name, zone, view_name, metadata):
                            views\
@ -134,7 +128,7 @@ def collect_records(metadata):
                                .add(
                                    h({'name': name, 'type': type, 'value': value})
                                )
-
+    
    return {
        'bind': {
            'views': views,
@ -166,7 +160,7 @@ def ns_records(metadata):
                                # FIXME: bw currently cant handle lists of dicts :(
                                h({'name': '@', 'type': 'NS', 'value': f"{nameserver}."})
                                    for nameserver in nameservers
-                            }
+                            } 
                        }
                            for zone_name, zone_conf in view_conf['zones'].items()
                    }
@ -183,7 +177,7 @@ def ns_records(metadata):
 def slaves(metadata):
    if metadata.get('bind/type') == 'slave':
        return {}
-
+    
    return {
        'bind': {
            'slaves': [
--- a/bundles/dovecot/metadata.py
+++ b/bundles/dovecot/metadata.py
@ -13,20 +13,15 @@ defaults = {
            'catdoc':               {}, # catdoc, catppt, xls2csv
        },
    },
    'dovecot': {
        'database': {
            'dbname': 'mailserver',
            'dbuser': 'mailserver',
        },
    },
    'letsencrypt': {
        'reload_after': {
            'dovecot',
        },
    },
-    'nftables': {
+    'dovecot': {
-        'input': {
+        'database': {
-            'tcp dport {143, 993, 4190} accept',
+            'dbname': 'mailserver',
            'dbuser': 'mailserver',
        },
    },
 }
--- a/bundles/icinga2/metadata.py
+++ b/bundles/icinga2/metadata.py
@ -20,11 +20,6 @@ defaults = {
            }
        },
    },
    'nftables': {
        'input': {
            'tcp dport 5665 accept',
        },
    },
    'postgresql': {
        'databases': {
            'icinga2': {
--- a/bundles/influxdb2/metadata.py
+++ b/bundles/influxdb2/metadata.py
@ -10,11 +10,6 @@ defaults = {
            'deb https://repos.influxdata.com/debian {release} stable',
        },
    },
    'nftables': {
        'input': {
            'tcp dport 8200 accept',
        },
    },
    'influxdb': {
        'port': '8200',
        'username': 'admin',
--- a/bundles/nftables/files/nftables.conf
+++ b/bundles/nftables/files/nftables.conf
@ -1,65 +0,0 @@
 #!/usr/sbin/nft -f
 flush ruleset
 table inet filter {
  # INPUT
 	chain input {
 		type filter hook input priority 0;
    policy drop;
    # Allow traffic from established and related packets, drop invalid
    ct state vmap { established : accept, related : accept, invalid : drop }
    # Allow loopback traffic.
    iifname lo accept
    # accepting ping (icmp-echo-request) for diagnostic purposes.
    icmp type echo-request limit rate 5/second accept
    icmpv6 type { nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert } accept
    # Jump to chain according to layer 3 protocol using a verdict map
    meta protocol vmap { ip : jump inbound_ipv4, ip6 : jump inbound_ipv6 }
    #rules
 % for rule in sorted(input):
    ${rule}
 % endfor
 	}
  chain inbound_ipv4 {
    # accepting ping (icmp-echo-request) for diagnostic purposes.
    icmp type echo-request limit rate 5/second accept
  }
  chain inbound_ipv6 {
    # accept neighbour discovery otherwise connectivity breaks
    icmpv6 type { nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert } accept
    # accepting ping (icmpv6-echo-request) for diagnostic purposes.
    icmpv6 type echo-request limit rate 5/second accept
  }
  # FORWARD
 	chain forward {
 		type filter hook forward priority 0;
    #rules
 % for rule in sorted(forward):
    ${rule}
 % endfor
 	}
  # OUTPUT
 	chain output {
 		type filter hook output priority 0;
 % for rule in sorted(output):
    ${rule}
 % endfor
 	}
 }
--- a/bundles/nftables/items.py
+++ b/bundles/nftables/items.py
@ -1,22 +0,0 @@
 files = {
    '/etc/nftables.conf': {
        'content_type': 'mako',
        'mode': '0755',
        'context': {
            'input': node.metadata.get('nftables/input'),
            'forward': node.metadata.get('nftables/forward'),
            'output': node.metadata.get('nftables/output'),
        },
        'triggers': [
            'svc_systemd:nftables.service:reload',
        ],
    },
 }
 svc_systemd = {
    'nftables.service': {
        'needs': [
            'pkg_apt:nftables',
        ],
    },
 }
--- a/bundles/nftables/metadata.py
+++ b/bundles/nftables/metadata.py
@ -1,14 +0,0 @@
 defaults = {
    'apt': {
        'packages': {
            'nftables': {},
        },
    },
    'nftables': {
        'input': {
            'tcp dport 22 accept',
        },
        'forward': {},
        'output': {},
    },
 }
--- a/bundles/nginx/metadata.py
+++ b/bundles/nginx/metadata.py
@ -8,12 +8,26 @@ defaults = {
            'nginx': {},
        },
    },
    'nftables': {
        'input': {
            'tcp dport {80, 443} accept',
        },
    },
    'nginx': {
        'default_vhosts': {
            '80': {
                'listen': [
                    '80',
                    '[::]:80',
                ],
                'location /.well-known/acme-challenge/': {
                    'alias': '/var/lib/dehydrated/acme-challenges/',
                },
                'location /': {
                    'return': '301 https://$host$request_uri',
                },
            },
            'stub_status': {
               'listen': '127.0.0.1:22999 default_server',
               'server_name': '_',
               'stub_status': '',
            },
        },
        'vhosts': {
            # '80': {
            #     'content': 'nginx/80.conf',
--- a/bundles/postfix/metadata.py
+++ b/bundles/postfix/metadata.py
@ -11,18 +11,10 @@ defaults = {
            '/var/vmail',
        },
    },
    'grafana_rows': {
        'postfix_queue',
    },
    'letsencrypt': {
        'reload_after': {
            'postfix',
-        },
+        }, 
    },
    'nftables': {
        'input': {
            'tcp dport {25, 465, 587} accept',
        },
    },
    'telegraf': {
        'config': {
@ -31,4 +23,7 @@ defaults = {
            },
        },
    },
    'grafana_rows': {
        'postfix_queue',
    },
 }
--- a/bundles/postgresql/metadata.py
+++ b/bundles/postgresql/metadata.py
@ -14,11 +14,6 @@ defaults = {
            '/var/lib/postgresql',
        },
    },
    'nftables': {
        'input': {
            'tcp dport 5432 accept',
        },
    },
    'postgresql': {
        'conf': {},
        'roles': {
--- a/bundles/wireguard/metadata.py
+++ b/bundles/wireguard/metadata.py
@ -17,11 +17,6 @@ defaults = {
            },
        },
    },
    'nftables': {
        'input': {
            'tcp dport 51820 accept',
        },
    },
    'wireguard': {
        's2s': {},
        'clients': {},
@ -111,7 +106,7 @@ def systemd_networkd_netdevs(metadata):
            'ListenPort': 51820,
        },
    }
-
+    
    for peer, config in {
        **metadata.get('wireguard/s2s'),
        **metadata.get('wireguard/clients'),
@ -126,7 +121,7 @@ def systemd_networkd_netdevs(metadata):
        })
        if config.get('endpoint'):
            netdev[f'WireGuardPeer#{peer}']['Endpoint'] = config['endpoint']
-
+    
    return {
        'systemd': {
            'units': {
--- a/groups/os/debian.py
+++ b/groups/os/debian.py
@ -4,7 +4,6 @@
    ],
    'bundles': [
        'apt',
        'nftables',
    ],
    'metadata': {
        'apt': {
--- a/nodes/home.server.py
+++ b/nodes/home.server.py
@ -95,7 +95,7 @@
        },
        'nextcloud': {
            'hostname': 'cloud.sublimity.de',
-            'version': '24.0.5',
+            'version': '24.0.4',
        },
        'nextcloud-picsort': {
            'ckn': {