dist-upgrade -> full-upgrade

debian update
backup all doesnt stop on first error
2025-01-16 10:20:34 +01:00 · 2025-01-16 10:20:18 +01:00 · 2025-01-09 23:41:21 +01:00 · 2025-01-09 22:45:27 +01:00 · 2025-01-01 13:04:42 +01:00 · 2024-12-09 09:07:19 +01:00
293 changed files with 6949 additions and 1365 deletions
--- a/.envrc
+++ b/.envrc
@ -1,13 +1,7 @@
 #!/usr/bin/env bash

-python3 -m venv .venv
-source ./.venv/bin/activate
-PATH_add .venv/bin
 PATH_add bin
-python3 -m pip install --upgrade pip

-rm -rf .cache/bw/git_deploy
-export BW_GIT_DEPLOY_CACHE=.cache/bw/git_deploy
-export EXPERIMENTAL_UPLOAD_VIA_CAT=1
-mkdir -p "$BW_GIT_DEPLOY_CACHE"
-unset PS1
+source_env ~/.local/share/direnv/pyenv
+source_env ~/.local/share/direnv/venv
+source_env ~/.local/share/direnv/bundlewrap
--- a/README.md
+++ b/README.md
@ -15,7 +15,7 @@ Raspberry pi as soundcard

 # install bw fork

-pip3 install --editable git+file:///Users/mwiegand/Projekte/bundlewrap-fork#egg=bundlewrap
+pip3 install --editable git+file:///Users/mwiegand/Projekte/bundlewrap-fork@main#egg=bundlewrap

 # monitor timers

@ -35,3 +35,14 @@ fi
 ```

 telegraf: execd for daemons
+
+TEST
+
+# git signing
+
+git config --global gpg.format ssh
+git config --global commit.gpgsign true
+
+git config user.name CroneKorkN
+git config user.email i@ckn.li
+git config user.signingkey "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILMVroYmswD4tLk6iH+2tvQiyaMe42yfONDsPDIdFv6I"
--- a/bin/rcon
+++ b/bin/rcon
@ -0,0 +1,32 @@
+#!/usr/bin/env python3
+
+from sys import argv
+from os.path import realpath, dirname
+from shlex import quote
+from bundlewrap.repo import Repository
+
+repo = Repository(dirname(dirname(realpath(__file__))))
+
+if len(argv) == 1:
+    for node in repo.nodes:
+        for name in node.metadata.get('left4dead2/servers', {}):
+            print(name)
+    exit(0)
+
+server = argv[1]
+command = argv[2]
+
+remote_code = """
+from rcon.source import Client
+
+with Client('127.0.0.1', {port}, passwd='''{password}''') as client:
+    response = client.run('''{command}''')
+
+print(response)
+"""
+
+for node in repo.nodes:
+    for name, conf in node.metadata.get('left4dead2/servers', {}).items():
+        if name == server:
+            response = node.run('python3 -c ' + quote(remote_code.format(port=conf['port'], password=conf['rcon_password'], command=command)))
+            print(response.stdout.decode())
--- a/bin/upgrade_and_restart_all
+++ b/bin/upgrade_and_restart_all
@ -10,7 +10,6 @@ nodes = [
        for node in sorted(repo.nodes_in_group('debian'))
        if not node.dummy
 ]
-reboot_nodes = []

 print('updating nodes:', sorted(node.name for node in nodes))

@ -24,14 +23,13 @@ for node in nodes:
    print(node.run('DEBIAN_FRONTEND=noninteractive apt update').stdout.decode())
    print(node.run('DEBIAN_FRONTEND=noninteractive apt list --upgradable').stdout.decode())
    if int(node.run('DEBIAN_FRONTEND=noninteractive apt list --upgradable 2> /dev/null | grep upgradable | wc -l').stdout.decode()):
-        print(node.run('DEBIAN_FRONTEND=noninteractive apt -y dist-upgrade').stdout.decode())
-        reboot_nodes.append(node)
+        print(node.run('DEBIAN_FRONTEND=noninteractive apt -qy full-upgrade').stdout.decode())

 # REBOOT IN ORDER

 wireguard_servers = [
    node
-        for node in reboot_nodes
+        for node in nodes
        if node.has_bundle('wireguard')
        and (
            ip_interface(node.metadata.get('wireguard/my_ip')).network.prefixlen <
@ -41,7 +39,7 @@ wireguard_servers = [

 wireguard_s2s = [
    node
-        for node in reboot_nodes
+        for node in nodes
        if node.has_bundle('wireguard')
        and (
            ip_interface(node.metadata.get('wireguard/my_ip')).network.prefixlen ==
@ -51,7 +49,7 @@ wireguard_s2s = [

 everything_else = [
    node
-        for node in reboot_nodes
+        for node in nodes
        if not node.has_bundle('wireguard')
 ]

@ -62,8 +60,11 @@ for node in [
    *wireguard_s2s,
    *wireguard_servers,
 ]:
-    print('rebooting', node.name)
    try:
-        print(node.run('systemctl reboot').stdout.decode())
+        if node.run('test -e /var/run/reboot-required', may_fail=True).return_code == 0:
+            print('rebooting', node.name)
+            print(node.run('systemctl reboot').stdout.decode())
+        else:
+            print('not rebooting', node.name)
    except Exception as e:
        print(e)
--- a/bin/wireguard_client_config
+++ b/bin/wireguard_client_config
@ -5,9 +5,17 @@ from os.path import realpath, dirname
 from sys import argv
 from ipaddress import ip_network, ip_interface

-repo = Repository(dirname(dirname(realpath(__file__))))
+if len(argv) != 3:
+    print(f'usage: {argv[0]} <node> <client>')
+    exit(1)

+repo = Repository(dirname(dirname(realpath(__file__))))
 server_node = repo.get_node(argv[1])
+
+if argv[2] not in server_node.metadata.get('wireguard/clients'):
+    print(f'client {argv[2]} not found in: {server_node.metadata.get("wireguard/clients").keys()}')
+    exit(1)
+
 data = server_node.metadata.get(f'wireguard/clients/{argv[2]}')

 vpn_network = ip_interface(server_node.metadata.get('wireguard/my_ip')).network
@ -20,9 +28,7 @@ for peer in server_node.metadata.get('wireguard/s2s').values():
        if not ip_network(network).subnet_of(vpn_network):
            allowed_ips.append(ip_network(network))

-conf = \
-f'''>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
-
+conf = f'''
 [Interface]
 PrivateKey = {repo.libs.wireguard.privkey(data['peer_id'])}
 ListenPort = 51820
@ -35,11 +41,12 @@ PresharedKey = {repo.libs.wireguard.psk(data['peer_id'], server_node.metadata.ge
 AllowedIPs = {', '.join(str(client_route) for client_route in sorted(allowed_ips))}
 Endpoint = {ip_interface(server_node.metadata.get('network/external/ipv4')).ip}:51820
 PersistentKeepalive = 10
+'''

-<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<'''
-
+print('>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>')
 print(conf)
+print('<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<')

-if input("print qrcode? [yN]: ").upper() == 'Y':
+if input("print qrcode? [Yn]: ").upper() in ['', 'Y']:
    import pyqrcode
    print(pyqrcode.create(conf).terminal(quiet_zone=1))
--- a/bundles/apt/README.md
+++ b/bundles/apt/README.md
@ -1,3 +1,6 @@
+# https://manpages.debian.org/latest/apt/sources.list.5.de.html
+# https://repolib.readthedocs.io/en/latest/deb822-format.html
+
 ```python
 {
    'apt': {
@ -5,8 +8,29 @@
            'apt-transport-https': {},
        },
        'sources': {
-            # place key under data/apt/keys/packages.cloud.google.com.{asc|gpg}
-            'deb https://packages.cloud.google.com/apt cloud-sdk main',
+            'debian': {
+                'types': { # optional, defaults to `{'deb'}``
+                    'deb',
+                    'deb-src',
+                },
+                'urls': {
+                    'https://deb.debian.org/debian',
+                },
+                'suites': { # at least one
+                    '{codename}',
+                    '{codename}-updates',
+                    '{codename}-backports',
+                },
+                'components': { # optional
+                    'main',
+                    'contrib',
+                    'non-frese',
+                },
+                # key:
+                # - optional, defaults to source name (`debian` in this example)
+                # - place key under data/apt/keys/debian-12.{asc|gpg}
+                'key': 'debian-{version}',
+            },
        },
    },
 }
--- a/bundles/apt/files/check_apt_upgradable
+++ b/bundles/apt/files/check_apt_upgradable
@ -0,0 +1,15 @@
+#!/bin/bash
+
+apt update -qq --silent 2> /dev/null
+
+UPGRADABLE=$(apt list --upgradable -qq 2> /dev/null | cut -d '/' -f 1)
+
+if test "$UPGRADABLE" != ""
+then
+  echo "$(wc -l <<< $UPGRADABLE) package(s) upgradable:"
+  echo
+  echo "$UPGRADABLE"
+  exit 1
+else
+  exit 0
+fi
--- a/bundles/apt/items.py
+++ b/bundles/apt/items.py
@ -1,32 +1,66 @@
-from os.path import join
-from urllib.parse import urlparse
-from glob import glob
+# TODO pin repo: https://superuser.com/a/1595920
+
 from os.path import join, basename

 directories = {
-    '/etc/apt/sources.list.d': {
+    '/etc/apt': {
        'purge': True,
        'triggers': {
            'action:apt_update',
        },
    },
-    '/etc/apt/trusted.gpg.d': {
+    '/etc/apt/apt.conf.d': {
+        # existance is expected
        'purge': True,
        'triggers': {
            'action:apt_update',
        },
    },
+    '/etc/apt/keyrings': {
+        # https://askubuntu.com/a/1307181
+        'purge': True,
+        'triggers': {
+            'action:apt_update',
+        },
+    },
+    # '/etc/apt/listchanges.conf.d': {
+    #     'purge': True,
+    #     'triggers': {
+    #         'action:apt_update',
+    #     },
+    # },
    '/etc/apt/preferences.d': {
        'purge': True,
        'triggers': {
            'action:apt_update',
        },
    },
+    '/etc/apt/sources.list.d': {
+        'purge': True,
+        'triggers': {
+            'action:apt_update',
+        },
+    },
 }

 files = {
+    '/etc/apt/apt.conf': {
+        'content': repo.libs.apt.render_apt_conf(node.metadata.get('apt/config')),
+        'triggers': {
+            'action:apt_update',
+        },
+    },
    '/etc/apt/sources.list': {
-        'content': '# managed'
+        'content': '# managed by bundlewrap\n',
+        'triggers': {
+            'action:apt_update',
+        },
+    },
+    # '/etc/apt/listchanges.conf': {
+    #     'content': repo.libs.ini.dumps(node.metadata.get('apt/list_changes')),
+    # },
+    '/usr/lib/nagios/plugins/check_apt_upgradable': {
+        'mode': '0755',
    },
 }

@ -41,41 +75,22 @@ actions = {
    },
 }

-# group sources by apt server hostname
+# create sources.lists and respective keyfiles

-hosts = {}
-
-for source_string in node.metadata.get('apt/sources'):
-    source = repo.libs.apt.AptSource(source_string)
-    hosts\
-        .setdefault(source.url.hostname, list())\
-        .append(source)
-
-# create sources lists and keyfiles
-
-for host, sources in hosts.items():
-    keyfile = basename(glob(join(repo.path, 'data', 'apt', 'keys', f'{host}.*'))[0])
-    destination_path = f'/etc/apt/trusted.gpg.d/{keyfile}'
-
-    for source in sources:
-        source.options['signed-by'] = [destination_path]
-
-    files[f'/etc/apt/sources.list.d/{host}.list'] = {
-        'content': '\n'.join(sorted(set(
-            str(source).format(
-                release=node.metadata.get('os_release'),
-                version=node.os_version[0], # WIP crystal
-            )
-                for source in sources
-        ))),
+for name, config in node.metadata.get('apt/sources').items():
+    # place keyfile
+    keyfile_destination_path = repo.libs.apt.format_variables(node, config['options']['Signed-By'])
+    files[keyfile_destination_path] = {
+        'source': join(repo.path, 'data', 'apt', 'keys', basename(keyfile_destination_path)),
+        'content_type': 'binary',
        'triggers': {
            'action:apt_update',
        },
    }
-    
-    files[destination_path] = {
-        'source': join(repo.path, 'data', 'apt', 'keys', keyfile),
-        'content_type': 'binary',
+
+    # place sources.list
+    files[f'/etc/apt/sources.list.d/{name}.sources'] = {
+        'content': repo.libs.apt.render_source(node, name),
        'triggers': {
            'action:apt_update',
        },
@ -83,14 +98,14 @@ for host, sources in hosts.items():

 # create backport pinnings

-for package, options in node.metadata.get('apt/packages', {}).items():    
+for package, options in node.metadata.get('apt/packages', {}).items():
    pkg_apt[package] = options

    if pkg_apt[package].pop('backports', False):
        files[f'/etc/apt/preferences.d/{package}'] = {
            'content': '\n'.join([
                f"Package: {package}",
-                f"Pin: release a={node.metadata.get('os_release')}-backports",
+                f"Pin: release a={node.metadata.get('os_codename')}-backports",
                f"Pin-Priority: 900",
            ]),
            'needed_by': [
@ -100,3 +115,25 @@ for package, options in node.metadata.get('apt/packages', {}).items():
                'action:apt_update',
            },
        }
+
+# unattended upgrades
+#
+# unattended-upgrades.service: delays shutdown if necessary
+# apt-daily.timer: performs apt update
+# apt-daily-upgrade.timer: performs apt upgrade
+
+svc_systemd['unattended-upgrades.service'] = {
+    'needs': [
+        'pkg_apt:unattended-upgrades',
+    ],
+}
+svc_systemd['apt-daily.timer'] = {
+    'needs': [
+        'pkg_apt:unattended-upgrades',
+    ],
+}
+svc_systemd['apt-daily-upgrade.timer'] = {
+    'needs': [
+        'pkg_apt:unattended-upgrades',
+    ],
+}
--- a/bundles/apt/metadata.py
+++ b/bundles/apt/metadata.py
@ -1,6 +1,177 @@
 defaults = {
    'apt': {
-        'packages': {},
-        'sources': set(),
+        'packages': {
+            'apt-listchanges': {
+                'installed': False,
+            },
+        },
+        'config': {
+            'DPkg': {
+                'Pre-Install-Pkgs': {
+                    '/usr/sbin/dpkg-preconfigure --apt || true',
+                },
+                'Post-Invoke': {
+                    # keep package cache empty
+                    '/bin/rm -f /var/cache/apt/archives/*.deb || true',
+                },
+                'Options': {
+                    # https://unix.stackexchange.com/a/642541/357916
+                    '--force-confold',
+                    '--force-confdef',
+                },
+            },
+            'APT': {
+                'NeverAutoRemove': {
+                    '^firmware-linux.*',
+                    '^linux-firmware$',
+                    '^linux-image-[a-z0-9]*$',
+                    '^linux-image-[a-z0-9]*-[a-z0-9]*$',
+                },
+                'VersionedKernelPackages': {
+                    # kernels
+                    'linux-.*',
+                    'kfreebsd-.*',
+                    'gnumach-.*',
+                    # (out-of-tree) modules
+                    '.*-modules',
+                    '.*-kernel',
+                },
+                'Never-MarkAuto-Sections': {
+                    'metapackages',
+                    'tasks',
+                },
+                'Move-Autobit-Sections': {
+                    'oldlibs',
+                },
+                'Update': {
+                    # https://unix.stackexchange.com/a/653377/357916
+                    'Error-Mode': 'any',
+                },
+            },
+        },
+        'sources': {},
+    },
+    'monitoring': {
+        'services': {
+            'apt upgradable': {
+                'vars.command': '/usr/lib/nagios/plugins/check_apt_upgradable',
+                'vars.sudo': True,
+                'check_interval': '1h',
+            },
+            'current kernel': {
+                'vars.command': 'ls /boot/vmlinuz-* | sort -V | tail -n 1 | xargs -n1 basename | cut -d "-" -f 2- | grep -q "^$(uname -r)$"',
+                'check_interval': '1h',
+            },
+            'apt reboot-required': {
+                'vars.command': 'ls /var/run/reboot-required 2> /dev/null && exit 1 || exit 0',
+                'check_interval': '1h',
+            },
+        },
    },
 }
+
+
+@metadata_reactor.provides(
+    'apt/sources',
+)
+def key(metadata):
+    return {
+        'apt': {
+            'sources': {
+                source_name: {
+                    'key': source_name,
+                }
+                    for source_name, source_config in metadata.get('apt/sources').items()
+                    if 'key' not in source_config
+            },
+        },
+    }
+
+
+@metadata_reactor.provides(
+    'apt/sources',
+)
+def signed_by(metadata):
+    return {
+        'apt': {
+            'sources': {
+                source_name: {
+                    'options': {
+                        'Signed-By': '/etc/apt/keyrings/' + metadata.get(f'apt/sources/{source_name}/key') + '.' + repo.libs.apt.find_keyfile_extension(node, metadata.get(f'apt/sources/{source_name}/key')),
+                    },
+                }
+                    for source_name in metadata.get('apt/sources')
+            },
+        },
+    }
+
+
+@metadata_reactor.provides(
+    'apt/config',
+    'apt/packages',
+)
+def unattended_upgrades(metadata):
+    return {
+        'apt': {
+            'config': {
+                'APT': {
+                    'Periodic': {
+                        'Update-Package-Lists': '1',
+                        'Unattended-Upgrade': '1',
+                    },
+                },
+                'Unattended-Upgrade': {
+                    'Origins-Pattern': {
+                        "origin=*",
+                    },
+                },
+            },
+            'packages': {
+                'unattended-upgrades': {},
+            },
+        },
+    }
+
+
+# @metadata_reactor.provides(
+#     'apt/config',
+#     'apt/list_changes',
+# )
+# def listchanges(metadata):
+#     return {
+#         'apt': {
+#             'config': {
+#                 'DPkg': {
+#                     'Pre-Install-Pkgs': {
+#                         '/usr/bin/apt-listchanges --apt || test $? -lt 10',
+#                     },
+#                     'Tools': {
+#                         'Options': {
+#                             '/usr/bin/apt-listchanges': {
+#                                 'Version': '2',
+#                                 'InfoFD': '20',
+#                             },
+#                         },
+#                     },
+#                 },
+#                 'Dir': {
+#                     'Etc': {
+#                         'apt-listchanges-main': 'listchanges.conf',
+#                         'apt-listchanges-parts': 'listchanges.conf.d',
+#                     },
+#                 },
+#             },
+#             'list_changes': {
+#                 'apt': {
+#                     'frontend': 'pager',
+#                     'which': 'news',
+#                     'email_address': 'root',
+#                     'email_format': 'text',
+#                     'confirm': 'false',
+#                     'headers': 'false',
+#                     'reverse': 'false',
+#                     'save_seen': '/var/lib/apt/listchanges.db',
+#                 },
+#             },
+#         },
+#     }
--- a/bundles/backup-freshness-check/files/check_backup_freshness
+++ b/bundles/backup-freshness-check/files/check_backup_freshness
@ -0,0 +1,47 @@
+#!/usr/bin/env python3
+
+import json
+from subprocess import check_output
+from datetime import datetime, timedelta
+
+
+now = datetime.now()
+two_days_ago = now - timedelta(days=2)
+
+with open('/etc/backup-freshness-check.json', 'r') as file:
+    config = json.load(file)
+
+local_datasets = check_output(['zfs', 'list', '-H', '-o', 'name']).decode().splitlines()
+errors = set()
+
+for dataset in config['datasets']:
+    if f'tank/{dataset}' not in local_datasets:
+        errors.add(f'dataset "{dataset}" not present at all')
+        continue
+
+    snapshots = [
+        snapshot
+            for snapshot in check_output(['zfs', 'list', '-H', '-o', 'name', '-t', 'snapshot', f'tank/{dataset}', '-s', 'creation']).decode().splitlines()
+            if f"@{config['prefix']}" in snapshot
+    ]
+
+    if not snapshots:
+        errors.add(f'dataset "{dataset}" has no backup snapshots')
+        continue
+
+    newest_backup_snapshot = snapshots[-1]
+    snapshot_datetime = datetime.utcfromtimestamp(
+        int(check_output(['zfs', 'list', '-p', '-H', '-o', 'creation', '-t', 'snapshot', newest_backup_snapshot]).decode())
+    )
+
+    if snapshot_datetime < two_days_ago:
+        days_ago = (now - snapshot_datetime).days
+        errors.add(f'dataset "{dataset}" has not been backed up for {days_ago} days')
+        continue
+
+if errors:
+    for error in errors:
+        print(error)
+    exit(2)
+else:
+    print(f"all {len(config['datasets'])} datasets have fresh backups.")
--- a/bundles/backup-freshness-check/items.py
+++ b/bundles/backup-freshness-check/items.py
@ -0,0 +1,15 @@
+from json import dumps
+from bundlewrap.metadata import MetadataJSONEncoder
+
+
+files = {
+    '/etc/backup-freshness-check.json': {
+        'content': dumps({
+            'prefix': node.metadata.get('backup-freshness-check/prefix'),
+            'datasets': node.metadata.get('backup-freshness-check/datasets'),
+        }, indent=4, sort_keys=True, cls=MetadataJSONEncoder),
+    },
+    '/usr/lib/nagios/plugins/check_backup_freshness': {
+        'mode': '0755',
+    },
+}
--- a/bundles/backup-freshness-check/metadata.py
+++ b/bundles/backup-freshness-check/metadata.py
@ -0,0 +1,37 @@
+defaults = {
+    'backup-freshness-check': {
+        'server': node.name,
+        'prefix': 'auto-backup_',
+        'datasets': {},
+    },
+    'monitoring': {
+        'services': {
+            'backup freshness': {
+                'vars.command': '/usr/lib/nagios/plugins/check_backup_freshness',
+                'check_interval': '6h',
+                'vars.sudo': True,
+            },
+        },
+    },
+}
+
+
+@metadata_reactor.provides(
+    'backup-freshness-check/datasets'
+)
+def backup_freshness_check(metadata):
+    return {
+        'backup-freshness-check': {
+            'datasets': {
+                f"{other_node.metadata.get('id')}/{dataset}"
+                    for other_node in repo.nodes
+                    if not other_node.dummy
+                    and other_node.has_bundle('backup')
+                    and other_node.has_bundle('zfs')
+                    and other_node.metadata.get('backup/server') == metadata.get('backup-freshness-check/server')
+                    for dataset, options in other_node.metadata.get('zfs/datasets').items()
+                    if options.get('backup', True)
+                    and not options.get('mountpoint', None) in [None, 'none']
+            },
+        },
+    }
--- a/bundles/backup-server/metadata.py
+++ b/bundles/backup-server/metadata.py
@ -16,7 +16,14 @@ defaults = {
            '/usr/bin/rsync',
            '/sbin/zfs',
        },
-    }
+    },
+    'zfs': {
+        'datasets': {
+            'tank': {
+                'recordsize': "1048576",
+            },
+        },
+    },
 }


@ -25,9 +32,10 @@ defaults = {
 )
 def zfs(metadata):
    datasets = {}
-    
+
    for other_node in repo.nodes:
        if (
+            not other_node.dummy and
            other_node.has_bundle('backup') and
            other_node.metadata.get('backup/server') == node.name
        ):
@ -42,7 +50,7 @@ def zfs(metadata):
                'com.sun:auto-snapshot': 'false',
                'backup': False,
            }
-            
+
            # for rsync backups
            datasets[f'{base_dataset}/fs'] = {
                'mountpoint': f"/mnt/backups/{id}",
@ -51,10 +59,10 @@ def zfs(metadata):
                'com.sun:auto-snapshot': 'true',
                'backup': False,
            }
-            
+
            # for zfs send/recv
            if other_node.has_bundle('zfs'):
-                
+
                # base datasets for each tank
                for pool in other_node.metadata.get('zfs/pools'):
                    datasets[f'{base_dataset}/{pool}'] = {
@ -64,7 +72,7 @@ def zfs(metadata):
                        'com.sun:auto-snapshot': 'false',
                        'backup': False,
                    }
-                
+
                # actual datasets
                for path in other_node.metadata.get('backup/paths'):
                    for dataset, config in other_node.metadata.get('zfs/datasets').items():
@ -91,7 +99,7 @@ def zfs(metadata):
 def dns(metadata):
    return {
        'dns': {
-            metadata.get('backup-server/hostname'): repo.libs.dns.get_a_records(metadata),
+            metadata.get('backup-server/hostname'): repo.libs.ip.get_a_records(metadata),
        }
    }

--- a/bundles/backup/files/backup_all
+++ b/bundles/backup/files/backup_all
@ -1,11 +1,31 @@
 #!/bin/bash

+set -u
+
 # FIXME: inelegant
 % if wol_command:
 ${wol_command}
 % endif

+exit=0
+failed_paths=""
+
 for path in $(jq -r '.paths | .[]' < /etc/backup/config.json)
 do
+  echo backing up $path
  /opt/backup/backup_path "$path"
+  # set exit to 1 if any backup fails
+  if [ $? -ne 0 ]
+  then
+    echo ERROR: backing up $path failed >&2
+    exit=5
+    failed_paths="$failed_paths $path"
+  fi
 done
+
+if [ $exit -ne 0 ]
+then
+  echo "ERROR: failed to backup paths: $failed_paths" >&2
+fi
+
+exit $exit
--- a/bundles/backup/files/backup_path
+++ b/bundles/backup/files/backup_path
@ -1,11 +1,13 @@
 #!/bin/bash

+set -exu
+
 path=$1

-if zfs list -H -o mountpoint | grep -q "$path"
+if zfs list -H -o mountpoint | grep -q "^$path$"
 then
  /opt/backup/backup_path_via_zfs "$path"
-elif test -d "$path"
+elif test -e "$path"
 then
  /opt/backup/backup_path_via_rsync "$path"
 else
--- a/bundles/backup/files/backup_path_via_rsync
+++ b/bundles/backup/files/backup_path_via_rsync
@ -7,5 +7,14 @@ uuid=$(jq -r .client_uuid < /etc/backup/config.json)
 server=$(jq -r .server_hostname < /etc/backup/config.json)
 ssh="ssh -o ConnectTimeout=5 backup-receiver@$server"

-rsync -av --rsync-path="sudo rsync" "$path/" "backup-receiver@$server:/mnt/backups/$uuid$path/"
-$ssh sudo zfs snap "tank/$uuid/fs@auto-backup_$(date +"%Y-%m-%d_%H:%M:%S")" 
+if test -d "$path"
+then
+  postfix="/"
+elif test -f "$path"
+then
+  postfix=""
+else
+  exit 1
+fi
+
+rsync -av --rsync-path="sudo rsync" "$path$postfix" "backup-receiver@$server:/mnt/backups/$uuid$path$postfix"
--- a/bundles/backup/files/backup_path_via_zfs
+++ b/bundles/backup/files/backup_path_via_zfs
@ -1,6 +1,6 @@
 #!/bin/bash

-set -exu
+set -eu

 path=$1
 uuid=$(jq -r .client_uuid < /etc/backup/config.json)
@ -39,20 +39,20 @@ else
  echo "INCREMENTAL BACKUP"
  last_bookmark=$(zfs list -t bookmark -H -o name | grep "^$source_dataset#$bookmark_prefix" | sort | tail -1 | cut -d '#' -f 2)
  [[ -z "$last_bookmark" ]] && echo "ERROR - last_bookmark is empty" && exit 98
-  $(zfs send -v -i "#$last_bookmark" "$source_dataset@$new_bookmark" | $ssh sudo zfs recv "$target_dataset")
+  $(zfs send -v -L -i "#$last_bookmark" "$source_dataset@$new_bookmark" | $ssh sudo zfs recv "$target_dataset")
 fi

 if [[ "$?" == "0" ]]
 then

  # delete old local bookmarks
-  for destroyable_bookmark in $(zfs list -t bookmark -H -o name "$dataset" | grep "^$dataset#$bookmark_prefix")
+  for destroyable_bookmark in $(zfs list -t bookmark -H -o name "$source_dataset" | grep "^$source_dataset#$bookmark_prefix")
  do
    zfs destroy "$destroyable_bookmark"
  done

-  # delete snapshots from bookmarks (except newest, even of not necessary; maybe for resuming tho)
-  for destroyable_snapshot in $($ssh sudo zfs list -t snapshot -H -o name "$dataset" | grep "^$dataset@$bookmark_prefix" | grep -v "$new_bookmark")
+  # delete remote snapshots from bookmarks (except newest, even of not necessary; maybe for resuming tho)
+  for destroyable_snapshot in $($ssh sudo zfs list -t snapshot -H -o name "$target_dataset" | grep "^$target_dataset@$bookmark_prefix" | grep -v "$new_bookmark")
  do
    $ssh sudo zfs destroy "$destroyable_snapshot"
  done
--- a/bundles/backup/metadata.py
+++ b/bundles/backup/metadata.py
@ -20,7 +20,11 @@ defaults = {
    'systemd-timers': {
        f'backup': {
            'command': '/opt/backup/backup_all',
-            'when': 'daily',
+            'when': '1:00',
+            'persistent': True,
+            'after': {
+                'network-online.target',
+            },
        },
    },
 }
--- a/bundles/bind/items.py
+++ b/bundles/bind/items.py
@ -1,7 +1,5 @@
 from ipaddress import ip_address, ip_interface
 from datetime import datetime
-import json
-from bundlewrap.metadata import MetadataJSONEncoder
 from hashlib import sha3_512


@ -21,7 +19,7 @@ directories[f'/var/lib/bind'] = {
        'svc_systemd:bind9',
    ],
    'triggers': [
-        'svc_systemd:bind9:restart',
+        'svc_systemd:bind9:reload',
    ],
 }

@ -31,7 +29,7 @@ files['/etc/default/bind9'] = {
        'svc_systemd:bind9',
    ],
    'triggers': [
-        'svc_systemd:bind9:restart',
+        'svc_systemd:bind9:reload',
    ],
 }

@ -45,7 +43,7 @@ files['/etc/bind/named.conf'] = {
        'svc_systemd:bind9',
    ],
    'triggers': [
-        'svc_systemd:bind9:restart',
+        'svc_systemd:bind9:reload',
    ],
 }

@ -65,7 +63,7 @@ files['/etc/bind/named.conf.options'] = {
        'svc_systemd:bind9',
    ],
    'triggers': [
-        'svc_systemd:bind9:restart',
+        'svc_systemd:bind9:reload',
    ],
 }

@ -95,7 +93,7 @@ files['/etc/bind/named.conf.local'] = {
        'svc_systemd:bind9',
    ],
    'triggers': [
-        'svc_systemd:bind9:restart',
+        'svc_systemd:bind9:reload',
    ],
 }

@ -108,7 +106,7 @@ for view_name, view_conf in master_node.metadata.get('bind/views').items():
            'svc_systemd:bind9',
        ],
        'triggers': [
-            'svc_systemd:bind9:restart',
+            'svc_systemd:bind9:reload',
        ],
    }

@ -129,10 +127,10 @@ for view_name, view_conf in master_node.metadata.get('bind/views').items():
                'svc_systemd:bind9',
            ],
            'triggers': [
-                'svc_systemd:bind9:restart',
+                'svc_systemd:bind9:reload',
            ],
        }
-        
+

 svc_systemd['bind9'] = {}

@ -141,6 +139,6 @@ actions['named-checkconf'] = {
    'unless': 'named-checkconf -z',
    'needs': [
        'svc_systemd:bind9',
-        'svc_systemd:bind9:restart',
+        'svc_systemd:bind9:reload',
    ]
 }
--- a/bundles/bind/metadata.py
+++ b/bundles/bind/metadata.py
@ -41,6 +41,12 @@ defaults = {
        },
        'zones': set(),
    },
+    'nftables': {
+        'input': {
+            'tcp dport 53 accept',
+            'udp dport 53 accept',
+        },
+    },
    'telegraf': {
        'config': {
            'inputs': {
@ -86,7 +92,7 @@ def master_slave(metadata):
 def dns(metadata):
    return {
        'dns': {
-            metadata.get('bind/hostname'): repo.libs.dns.get_a_records(metadata),
+            metadata.get('bind/hostname'): repo.libs.ip.get_a_records(metadata),
        }
    }

@ -97,7 +103,7 @@ def dns(metadata):
 def collect_records(metadata):
    if metadata.get('bind/type') == 'slave':
        return {}
-    
+
    views = {}

    for view_name, view_conf in metadata.get('bind/views').items():
@ -117,7 +123,7 @@ def collect_records(metadata):

                name = fqdn[0:-len(zone) - 1]

-                for type, values in records.items():                    
+                for type, values in records.items():
                    for value in values:
                        if repo.libs.bind.record_matches_view(value, type, name, zone, view_name, metadata):
                            views\
@ -128,7 +134,7 @@ def collect_records(metadata):
                                .add(
                                    h({'name': name, 'type': type, 'value': value})
                                )
-    
+
    return {
        'bind': {
            'views': views,
@ -160,7 +166,7 @@ def ns_records(metadata):
                                # FIXME: bw currently cant handle lists of dicts :(
                                h({'name': '@', 'type': 'NS', 'value': f"{nameserver}."})
                                    for nameserver in nameservers
-                            } 
+                            }
                        }
                            for zone_name, zone_conf in view_conf['zones'].items()
                    }
@ -177,7 +183,7 @@ def ns_records(metadata):
 def slaves(metadata):
    if metadata.get('bind/type') == 'slave':
        return {}
-    
+
    return {
        'bind': {
            'slaves': [
--- a/bundles/build-ci/metadata.py
+++ b/bundles/build-ci/metadata.py
@ -1,6 +1,10 @@
 from shlex import quote


+defaults = {
+    'build-ci': {},
+}
+
@metadata_reactor.provides(
    'users/build-ci/authorized_users',
    'sudoers/build-ci',
@ -18,7 +22,7 @@ def ssh_keys(metadata):
        },
        'sudoers': {
            'build-ci': {
-                f"/usr/bin/chown -R build-ci\:{quote(ci['group'])} {quote(ci['path'])}"
+                f"/usr/bin/chown -R build-ci\\:{quote(ci['group'])} {quote(ci['path'])}"
                    for ci in metadata.get('build-ci').values()
            }
        },
--- a/bundles/build-server/metadata.py
+++ b/bundles/build-server/metadata.py
@ -71,6 +71,7 @@ def nginx(metadata):
                    'context': {
                        'target': 'http://127.0.0.1:4000',
                    },
+                    'check_path': '/status',
                },
            },
        },
--- a/bundles/crystal/metadata.py
+++ b/bundles/crystal/metadata.py
@ -1,10 +1,20 @@
+debian_version = min([node.os_version, (11,)])[0] # FIXME
+
 defaults = {
    'apt': {
        'packages': {
            'crystal': {},
        },
        'sources': {
-            'deb http://download.opensuse.org/repositories/devel:/languages:/crystal/Debian_{version}/ /',
+            'crystal': {
+                # https://software.opensuse.org/download.html?project=devel%3Alanguages%3Acrystal&package=crystal
+                'urls': {
+                    'http://download.opensuse.org/repositories/devel:/languages:/crystal/Debian_Testing/',
+                },
+                'suites': {
+                    '/',
+                },
+            },
        },
    },
 }
--- a/bundles/dovecot/README.md
+++ b/bundles/dovecot/README.md
@ -1,9 +1,12 @@
 DOVECOT
 =======

-rescan index: https://doc.dovecot.org/configuration_manual/fts/#rescan
+rescan index
+------------
+
+https://doc.dovecot.org/configuration_manual/fts/#rescan

 ```
-    sudo -u vmail doveadm fts rescan -u 'test@mail2.sublimity.de'
-    sudo -u vmail doveadm index -u 'test@mail2.sublimity.de' -q '*'
+doveadm fts rescan -u 'i@ckn.li'
+doveadm index -u 'i@ckn.li' -q '*'
 ```
--- a/bundles/dovecot/files/decode2text.sh
+++ b/bundles/dovecot/files/decode2text.sh
@ -66,8 +66,7 @@ xmlunzip() {
  trap "rm -rf $path $tempdir" 0 1 2 3 14 15
  cd $tempdir || exit 1
  unzip -q "$path" 2>/dev/null || exit 0
-  find . -name "$name" -print0 | xargs -0 cat |
-    $libexec_dir/xml2text
+  find . -name "$name" -print0 | xargs -0 cat | /usr/lib/dovecot/xml2text
 }

 wait_timeout() {
--- a/bundles/dovecot/files/dovecot-sql.conf
+++ b/bundles/dovecot/files/dovecot-sql.conf
@ -2,7 +2,14 @@ connect = host=${host} dbname=${name} user=${user} password=${password}
 driver = pgsql
 default_pass_scheme = ARGON2ID

-password_query = SELECT CONCAT(users.name, '@', domains.name) AS user, password\
+user_query = SELECT '/var/vmail/%u' AS home, 'vmail' AS uid, 'vmail' AS gid
+
+iterate_query = SELECT CONCAT(users.name, '@', domains.name) AS user \
+  FROM users \
+  LEFT JOIN domains ON users.domain_id = domains.id \
+  WHERE redirect IS NULL
+
+password_query = SELECT CONCAT(users.name, '@', domains.name) AS user, password \
  FROM users \
  LEFT JOIN domains ON users.domain_id = domains.id \
  WHERE redirect IS NULL \
--- a/bundles/dovecot/files/dovecot.conf
+++ b/bundles/dovecot/files/dovecot.conf
@ -6,26 +6,26 @@ ssl_cert = </var/lib/dehydrated/certs/${node.metadata.get('mailserver/hostname')
 ssl_key = </var/lib/dehydrated/certs/${node.metadata.get('mailserver/hostname')}/privkey.pem
 ssl_dh = </etc/dovecot/dhparam.pem
 ssl_client_ca_dir = /etc/ssl/certs
-mail_location = maildir:~
+mail_location = maildir:${node.metadata.get('mailserver/maildir')}/%u:INDEX=${node.metadata.get('mailserver/maildir')}/index/%u
 mail_plugins = fts fts_xapian

 namespace inbox {
  inbox = yes
  separator = .
  mailbox Drafts {
-    auto = subscribe 
+    auto = subscribe
    special_use = \Drafts
  }
  mailbox Junk {
-    auto = create 
+    auto = create
    special_use = \Junk
  }
  mailbox Trash {
-    auto = subscribe 
+    auto = subscribe
    special_use = \Trash
  }
  mailbox Sent {
-    auto = subscribe 
+    auto = subscribe
    special_use = \Sent
  }
 }
@ -34,9 +34,10 @@ passdb {
  driver = sql
  args = /etc/dovecot/dovecot-sql.conf
 }
+# use sql for userdb too, to enable iterate_query
 userdb {
-  driver = static
-  args = uid=vmail gid=vmail home=/var/vmail/%u
+  driver = sql
+  args = /etc/dovecot/dovecot-sql.conf
 }

 service auth {
@ -80,10 +81,10 @@ protocol imap {
   mail_plugins = $mail_plugins imap_sieve
   mail_max_userip_connections = 50
   imap_idle_notify_interval = 29 mins
-} 
+}
 protocol lmtp {
   mail_plugins = $mail_plugins sieve
-} 
+}
 protocol sieve {
  plugin {
    sieve = /var/vmail/sieve/%u.sieve
@ -117,7 +118,7 @@ plugin {
  sieve_dir = /var/vmail/sieve/%u/
  sieve = /var/vmail/sieve/%u.sieve
  sieve_pipe_bin_dir = /var/vmail/sieve/bin
-  sieve_extensions = +vnd.dovecot.pipe 
+  sieve_extensions = +vnd.dovecot.pipe

  sieve_after = /var/vmail/sieve/global/spam-to-folder.sieve

--- a/bundles/dovecot/items.py
+++ b/bundles/dovecot/items.py
@ -20,6 +20,10 @@ directories = {
        'owner': 'vmail',
        'group': 'vmail',
    },
+    '/var/vmail/index': {
+        'owner': 'vmail',
+        'group': 'vmail',
+    },
    '/var/vmail/sieve': {
        'owner': 'vmail',
        'group': 'vmail',
--- a/bundles/dovecot/metadata.py
+++ b/bundles/dovecot/metadata.py
@ -13,15 +13,26 @@ defaults = {
            'catdoc':               {}, # catdoc, catppt, xls2csv
        },
    },
+    'dovecot': {
+        'database': {
+            'dbname': 'mailserver',
+            'dbuser': 'mailserver',
+        },
+    },
    'letsencrypt': {
        'reload_after': {
            'dovecot',
        },
    },
-    'dovecot': {
-        'database': {
-            'dbname': 'mailserver',
-            'dbuser': 'mailserver',
+    'nftables': {
+        'input': {
+            'tcp dport {143, 993, 4190} accept',
+        },
+    },
+    'systemd-timers': {
+        'dovecot-optimize-index': {
+            'command': '/usr/bin/doveadm fts optimize -A',
+            'when': 'daily',
        },
    },
 }
--- a/bundles/download-server/items.py
+++ b/bundles/download-server/items.py
@ -1,6 +0,0 @@
-# directories = {
-#     '/var/lib/downloads': {
-#         'owner': 'downloads',
-#         'group': 'www-data',
-#     }
-# }
--- a/bundles/freescout/README.md
+++ b/bundles/freescout/README.md
@ -0,0 +1,23 @@
+Pg Pass workaround: set manually:
+
+```
+root@freescout /ro psql freescout
+psql (15.6 (Debian 15.6-0+deb12u1))
+Type "help" for help.
+
+freescout=# \password freescout
+Enter new password for user "freescout":
+Enter it again:
+freescout=#
+\q
+```
+
+
+# problems
+
+# check if /opt/freescout/.env is resettet
+# ckeck `psql -h localhost -d freescout -U freescout -W`with pw from .env
+# chown -R www-data:www-data /opt/freescout
+# sudo su - www-data -c 'php /opt/freescout/artisan freescout:clear-cache' -s /bin/bash
+# javascript funny? `sudo su - www-data -c 'php /opt/freescout/artisan storage:link' -s /bin/bash`
+# benutzer bilder weg? aus dem backup holen: `/opt/freescout/.zfs/snapshot/zfs-auto-snap_hourly-2024-11-22-1700/storage/app/public/users` `./customers`
--- a/bundles/freescout/items.py
+++ b/bundles/freescout/items.py
@ -0,0 +1,66 @@
+# https://github.com/freescout-helpdesk/freescout/wiki/Installation-Guide
+run_as = repo.libs.tools.run_as
+php_version = node.metadata.get('php/version')
+
+
+directories = {
+    '/opt/freescout': {
+        'owner': 'www-data',
+        'group': 'www-data',
+        # chown -R www-data:www-data /opt/freescout
+    },
+}
+
+actions = {
+    # 'clone_freescout': {
+    #     'command': run_as('www-data', 'git clone https://github.com/freescout-helpdesk/freescout.git /opt/freescout'),
+    #     'unless': 'test -e /opt/freescout/.git',
+    #     'needs': [
+    #         'pkg_apt:git',
+    #         'directory:/opt/freescout',
+    #     ],
+    # },
+    # 'pull_freescout': {
+    #     'command': run_as('www-data', 'git -C /opt/freescout fetch origin dist && git -C /opt/freescout reset --hard origin/dist && git -C /opt/freescout clean -f'),
+    #     'unless': run_as('www-data', 'git -C /opt/freescout fetch origin && git -C /opt/freescout status -uno | grep -q "Your branch is up to date"'),
+    #     'needs': [
+    #         'action:clone_freescout',
+    #     ],
+    #     'triggers': [
+    #         'action:freescout_artisan_update',
+    #         f'svc_systemd:php{php_version}-fpm.service:restart',
+    #     ],
+    # },
+    # 'freescout_artisan_update': {
+    #     'command': run_as('www-data', 'php /opt/freescout/artisan freescout:after-app-update'),
+    #     'triggered': True,
+    #     'needs': [
+    #         f'svc_systemd:php{php_version}-fpm.service:restart',
+    #         'action:pull_freescout',
+    #     ],
+    # },
+}
+
+# svc_systemd = {
+#     f'freescout-cron.service': {},
+# }
+
+# files = {
+#     '/opt/freescout/.env': {
+#         # https://github.com/freescout-helpdesk/freescout/blob/dist/.env.example
+#         # Every time you are making changes in .env file, in order changes to take an effect you need to run:
+#         # ´sudo su - www-data -c 'php /opt/freescout/artisan freescout:clear-cache' -s /bin/bash´
+#         'owner': 'www-data',
+#         'content': '\n'.join(
+#             f'{k}={v}' for k, v in
+#                 sorted(node.metadata.get('freescout/env').items())
+#         ) + '\n',
+#         'needs': [
+#             'directory:/opt/freescout',
+#             'action:clone_freescout',
+#         ],
+#     },
+# }
+
+#sudo su - www-data -s /bin/bash -c 'php /opt/freescout/artisan freescout:create-user --role admin --firstName M --lastName W --email freescout@freibrief.net --password gyh.jzv2bnf6hvc.HKG --no-interaction'
+#sudo su - www-data -s /bin/bash -c 'php /opt/freescout/artisan freescout:create-user --role admin --firstName M --lastName W --email freescout@freibrief.net --password gyh.jzv2bnf6hvc.HKG --no-interaction'
--- a/bundles/freescout/metadata.py
+++ b/bundles/freescout/metadata.py
@ -0,0 +1,121 @@
+from base64 import b64decode
+
+# hash: SCRAM-SHA-256$4096:tQNfqQi7seqNDwJdHqCHbg==$r3ibECluHJaY6VRwpvPqrtCjgrEK7lAkgtUO8/tllTU=:+eeo4M0L2SowfyHFxT2FRqGzezve4ZOEocSIo11DATA=
+database_password = repo.vault.password_for(f'{node.name} postgresql freescout').value
+
+defaults = {
+    'apt': {
+        'packages': {
+            'git': {},
+            'php': {},
+            'php-pgsql': {},
+            'php-fpm': {},
+            'php-mbstring': {},
+            'php-xml': {},
+            'php-imap': {},
+            'php-zip': {},
+            'php-gd': {},
+            'php-curl': {},
+            'php-intl': {},
+        },
+    },
+    'freescout': {
+        'env': {
+            'APP_TIMEZONE': 'Europe/Berlin',
+            'DB_CONNECTION': 'pgsql',
+            'DB_HOST': '127.0.0.1',
+            'DB_PORT': '5432',
+            'DB_DATABASE': 'freescout',
+            'DB_USERNAME': 'freescout',
+            'DB_PASSWORD': database_password,
+            'APP_KEY': 'base64:' + repo.vault.random_bytes_as_base64_for(f'{node.name} freescout APP_KEY', length=32).value
+        },
+    },
+    'php': {
+        'php.ini': {
+            'cgi': {
+                'fix_pathinfo': '0',
+            },
+        },
+    },
+    'postgresql': {
+        'roles': {
+            'freescout': {
+                'password_hash': repo.libs.postgres.generate_scram_sha_256(
+                    database_password,
+                    b64decode(repo.vault.random_bytes_as_base64_for(f'{node.name} postgres freescout', length=16).value.encode()),
+                ),
+            },
+        },
+        'databases': {
+            'freescout': {
+                'owner': 'freescout',
+            },
+        },
+    },
+    # 'systemd': {
+    #     'units': {
+    #         f'freescout-cron.service': {
+    #             'Unit': {
+    #                 'Description': 'Freescout Cron',
+    #                 'After': 'network.target',
+    #             },
+    #             'Service': {
+    #                 'User': 'www-data',
+    #                 'Nice': 10,
+    #                 'ExecStart': f"/usr/bin/php /opt/freescout/artisan schedule:run"
+    #             },
+    #             'Install': {
+    #                 'WantedBy': {
+    #                     'multi-user.target'
+    #                 }
+    #             },
+    #         }
+    #     },
+    # },
+    'systemd-timers': {
+        'freescout-cron': {
+            'command': '/usr/bin/php /opt/freescout/artisan schedule:run',
+            'when': '*-*-* *:*:00',
+            'RuntimeMaxSec': '180',
+            'user': 'www-data',
+        },
+    },
+    'zfs': {
+        'datasets': {
+            'tank/freescout': {
+                'mountpoint': '/opt/freescout',
+            },
+        },
+    },
+}
+
+
+
+
+@metadata_reactor.provides(
+    'freescout/env/APP_URL',
+)
+def freescout(metadata):
+    return {
+        'freescout': {
+            'env': {
+                'APP_URL': 'https://' + metadata.get('freescout/domain') + '/',
+            },
+        },
+    }
+
+
+@metadata_reactor.provides(
+    'nginx/vhosts',
+)
+def nginx(metadata):
+    return {
+        'nginx': {
+            'vhosts': {
+                metadata.get('freescout/domain'): {
+                    'content': 'freescout/vhost.conf',
+                },
+            },
+        },
+    }
--- a/bundles/gcloud/metadata.py
+++ b/bundles/gcloud/metadata.py
@ -8,7 +8,15 @@ defaults = {
            'python3-crcmod': {},
        },
        'sources': {
-            'deb https://packages.cloud.google.com/apt cloud-sdk main',
+            'google-cloud': {
+                'url': 'https://packages.cloud.google.com/apt/',
+                'suites': {
+                    'cloud-sdk',
+                },
+                'components': {
+                    'main',
+                },
+            },
        },
    },
 }
--- a/bundles/gitea/files/app.ini
+++ b/bundles/gitea/files/app.ini
@ -1,3 +1,4 @@
+[DEFAULT]
 APP_NAME = ckn-gitea
 RUN_USER = git
 RUN_MODE = prod
@ -13,40 +14,24 @@ MEMBERS_PAGING_NUM = 100

 [server]
 PROTOCOL = http
-SSH_DOMAIN = ${domain}
-DOMAIN = ${domain}
 HTTP_ADDR = 0.0.0.0
 HTTP_PORT = 3500
-ROOT_URL = https://${domain}/
 DISABLE_SSH = true
 SSH_PORT = 22
 LFS_START_SERVER = true
 LFS_CONTENT_PATH = /var/lib/gitea/data/lfs
-LFS_JWT_SECRET = ${lfs_secret_key}
 OFFLINE_MODE = true
 START_SSH_SERVER = false
 DISABLE_ROUTER_LOG = true
 LANDING_PAGE = explore

-[database]
-DB_TYPE = postgres
-HOST = ${database.get('host')}:${database.get('port')}
-NAME = ${database.get('database')}
-USER = ${database.get('username')}
-PASSWD = ${database.get('password')}
-SSL_MODE = disable
-LOG_SQL = false
-
 [admin]
 DEFAULT_EMAIL_NOTIFICATIONS = onmention
 DISABLE_REGULAR_ORG_CREATION = true

 [security]
-INTERNAL_TOKEN = ${internal_token}
 INSTALL_LOCK = true
-SECRET_KEY = ${security_secret_key}
 LOGIN_REMEMBER_DAYS = 30
-DISABLE_GIT_HOOKS = ${str(not enable_git_hooks).lower()}

 [openid]
 ENABLE_OPENID_SIGNIN = false
@ -62,12 +47,6 @@ REQUIRE_SIGNIN_VIEW = false
 DEFAULT_KEEP_EMAIL_PRIVATE = true
 DEFAULT_ALLOW_CREATE_ORGANIZATION = false
 DEFAULT_ENABLE_TIMETRACKING = true
-NO_REPLY_ADDRESS = noreply.${domain}
-
-[mailer]
-ENABLED = true
-MAILER_TYPE = sendmail
-FROM = "${app_name}" <noreply@${domain}>

 [session]
 PROVIDER = file
@ -80,9 +59,6 @@ ENABLE_FEDERATED_AVATAR = false
 MODE = console
 LEVEL = warn

-[oauth2]
-JWT_SECRET = ${oauth_secret_key}
-
 [other]
 SHOW_FOOTER_BRANDING = true
 SHOW_FOOTER_TEMPLATE_LOAD_TIME = false
@ -90,3 +66,10 @@ SHOW_FOOTER_TEMPLATE_LOAD_TIME = false
 [webhook]
 ALLOWED_HOST_LIST = *
 DELIVER_TIMEOUT = 600
+
+[indexer]
+REPO_INDEXER_ENABLED = true
+MAX_FILE_SIZE = 10240000
+
+[queue.issue_indexer]
+LENGTH = 20
--- a/bundles/gitea/items.py
+++ b/bundles/gitea/items.py
@ -1,8 +1,15 @@
-version = version=node.metadata.get('gitea/version')
+from os.path import join
+from bundlewrap.utils.dicts import merge_dict
+
+
+version = node.metadata.get('gitea/version')
+assert not version.startswith('v')
+arch = node.metadata.get('system/architecture')

 downloads['/usr/local/bin/gitea'] = {
-    'url': f'https://dl.gitea.io/gitea/{version}/gitea-{version}-linux-amd64',
-    'sha256': node.metadata.get('gitea/sha256'),
+    # https://forgejo.org/releases/
+    'url': f'https://codeberg.org/forgejo/forgejo/releases/download/v{version}/forgejo-{version}-linux-{arch}',
+    'sha256_url': '{url}.sha256',
    'triggers': {
        'svc_systemd:gitea:restart',
    },
@ -34,8 +41,14 @@ actions = {
 }

 files['/etc/gitea/app.ini'] = {
-    'content_type': 'mako',
+    'content': repo.libs.ini.dumps(
+        merge_dict(
+            repo.libs.ini.parse(open(join(repo.path, 'bundles', 'gitea', 'files', 'app.ini')).read()),
+            node.metadata.get('gitea/conf'),
+        ),
+    ),
    'owner': 'git',
+    'mode': '0600',
    'context': node.metadata['gitea'],
    'triggers': {
        'svc_systemd:gitea:restart',
--- a/bundles/gitea/metadata.py
+++ b/bundles/gitea/metadata.py
@ -1,4 +1,4 @@
-database_password = repo.vault.password_for(f'{node.name} postgresql gitea')
+database_password = repo.vault.password_for(f'{node.name} postgresql gitea').value

 defaults = {
    'apt': {
@ -11,18 +11,20 @@ defaults = {
        },
    },
    'gitea': {
-        'database': {
-            'host': 'localhost',
-            'port': '5432',
-            'username': 'gitea',
-            'password': database_password,
-            'database': 'gitea',
+        'conf': {
+            'DEFAULT': {
+                'WORK_PATH': '/var/lib/gitea',
+            },
+            'database': {
+                'DB_TYPE': 'postgres',
+                'HOST': 'localhost:5432',
+                'NAME': 'gitea',
+                'USER': 'gitea',
+                'PASSWD': database_password,
+                'SSL_MODE': 'disable',
+                'LOG_SQL': 'false',
+            },
        },
-        'app_name': 'Gitea',
-        'lfs_secret_key': repo.vault.password_for(f'{node.name} gitea lfs_secret_key', length=43),
-        'security_secret_key': repo.vault.password_for(f'{node.name} gitea security_secret_key'),
-        'oauth_secret_key': repo.vault.password_for(f'{node.name} gitea oauth_secret_key', length=43),
-        'internal_token': repo.vault.password_for(f'{node.name} gitea internal_token'),
    },
    'postgresql': {
        'roles': {
@ -41,8 +43,7 @@ defaults = {
            'gitea.service': {
                'Unit': {
                    'Description': 'gitea',
-                    'After': 'syslog.target',
-                    'After': 'network.target',
+                    'After': {'syslog.target', 'network.target'},
                    'Requires': 'postgresql.service',
                },
                'Service': {
@ -66,21 +67,40 @@ defaults = {
            'home': '/home/git',
        },
    },
+    'zfs': {
+        'datasets': {
+            'tank/gitea': {
+                'mountpoint': '/var/lib/gitea',
+            },
+        },
+    },
 }


@metadata_reactor.provides(
-    'zfs/datasets',
+    'gitea/conf',
 )
-def zfs(metadata):
-    if not node.has_bundle('zfs'):
-        return {}
+def conf(metadata):
+    domain = metadata.get('gitea/domain')

    return {
-        'zfs': {
-            'datasets': {
-                f"{metadata.get('zfs/storage_classes/ssd')}/gitea": {
-                    'mountpoint': '/var/lib/gitea',
+        'gitea': {
+            'conf': {
+                'server': {
+                    'SSH_DOMAIN': domain,
+                    'DOMAIN': domain,
+                    'ROOT_URL': f'https://{domain}/',
+                    'LFS_JWT_SECRET': repo.vault.password_for(f'{node.name} gitea lfs_secret_key', length=43),
+                },
+                'security': {
+                    'INTERNAL_TOKEN': repo.vault.password_for(f'{node.name} gitea internal_token'),
+                    'SECRET_KEY': repo.vault.password_for(f'{node.name} gitea security_secret_key'),
+                },
+                'service': {
+                    'NO_REPLY_ADDRESS': f'noreply.{domain}',
+                },
+                'oauth2': {
+                    'JWT_SECRET': repo.vault.password_for(f'{node.name} gitea oauth_secret_key', length=43),
                },
            },
        },
@ -98,7 +118,7 @@ def nginx(metadata):
                    'content': 'nginx/proxy_pass.conf',
                    'context': {
                        'target': 'http://127.0.0.1:3500',
-                    }
+                    },
                },
            },
        },
--- a/bundles/grafana/items.py
+++ b/bundles/grafana/items.py
@ -18,16 +18,17 @@ admin_password = node.metadata.get('grafana/config/security/admin_password')
 port = node.metadata.get('grafana/config/server/http_port')
 actions['reset_grafana_admin_password'] = {
    'command': f"grafana-cli admin reset-admin-password {quote(admin_password)}",
-    'unless': f"curl http://admin:{quote(admin_password)}@localhost:{port}/api/org",
+    'unless': f"sleep 5 && curl http://admin:{quote(admin_password)}@localhost:{port}/api/org --fail",
    'needs': [
        'svc_systemd:grafana-server',
    ],
 }

 directories = {
-    '/etc/grafana': {
-    },
+    '/etc/grafana': {},
    '/etc/grafana/provisioning': {
+        'owner': 'grafana',
+        'group': 'grafana',
    },
    '/etc/grafana/provisioning/datasources': {
        'purge': True,
@ -35,8 +36,13 @@ directories = {
    '/etc/grafana/provisioning/dashboards': {
        'purge': True,
    },
-    '/var/lib/grafana': {},
+    '/var/lib/grafana': {
+        'owner': 'grafana',
+        'group': 'grafana',
+    },
    '/var/lib/grafana/dashboards': {
+        'owner': 'grafana',
+        'group': 'grafana',
        'purge': True,
        'triggers': [
            'svc_systemd:grafana-server:restart',
@ -47,6 +53,8 @@ directories = {
 files = {
    '/etc/grafana/grafana.ini': {
        'content': repo.libs.ini.dumps(node.metadata.get('grafana/config')),
+        'owner': 'grafana',
+        'group': 'grafana',
        'triggers': [
            'svc_systemd:grafana-server:restart',
        ],
@ -56,6 +64,8 @@ files = {
            'apiVersion': 1,
            'datasources': list(node.metadata.get('grafana/datasources').values()),
        }),
+        'owner': 'grafana',
+        'group': 'grafana',
        'triggers': [
            'svc_systemd:grafana-server:restart',
        ],
@ -72,6 +82,8 @@ files = {
                },
            }],
        }),
+        'owner': 'grafana',
+        'group': 'grafana',
        'triggers': [
            'svc_systemd:grafana-server:restart',
        ],
@ -160,6 +172,8 @@ for dashboard_id, monitored_node in enumerate(monitored_nodes, start=1):

    files[f'/var/lib/grafana/dashboards/{monitored_node.name}.json'] = {
        'content': json.dumps(dashboard, indent=4),
+        'owner': 'grafana',
+        'group': 'grafana',
        'triggers': [
            'svc_systemd:grafana-server:restart',
        ]
--- a/bundles/grafana/metadata.py
+++ b/bundles/grafana/metadata.py
@ -8,8 +8,19 @@ defaults = {
            'grafana': {},
        },
        'sources': {
-            'deb https://packages.grafana.com/oss/deb stable main',
+            'grafana': {
+                'urls': {
+                    'https://packages.grafana.com/oss/deb',
+                },
+                'suites': {
+                    'stable',
+                },
+                'components': {
+                    'main',
+                },
+            },
        },
+
    },
    'grafana': {
        'config': {
@ -66,7 +77,7 @@ def domain(metadata):
                    'domain': metadata.get('grafana/hostname'),
                },
            },
-        },    
+        },
    }

@metadata_reactor.provides(
@ -74,7 +85,7 @@ def domain(metadata):
 )
 def influxdb2(metadata):
    influxdb_metadata = repo.get_node(metadata.get('grafana/influxdb_node')).metadata.get('influxdb')
-    
+
    return {
        'grafana': {
            'datasources': {
@ -93,7 +104,7 @@ def influxdb2(metadata):
                    'isDefault': True,
                },
            },
-        },    
+        },
    }


@ -106,7 +117,7 @@ def datasource_key_to_name(metadata):
            'datasources': {
                name: {'name': name} for name in metadata.get('grafana/datasources').keys()
            },
-        },    
+        },
    }


@ -116,7 +127,7 @@ def datasource_key_to_name(metadata):
 def dns(metadata):
    return {
        'dns': {
-            metadata.get('grafana/hostname'): repo.libs.dns.get_a_records(metadata),
+            metadata.get('grafana/hostname'): repo.libs.ip.get_a_records(metadata),
        }
    }

--- a/bundles/homeassistant-supervised/README.md
+++ b/bundles/homeassistant-supervised/README.md
@ -0,0 +1,23 @@
+https://github.com/home-assistant/supervised-installer?tab=readme-ov-file
+https://github.com/home-assistant/os-agent/tree/main?tab=readme-ov-file#using-home-assistant-supervised-on-debian
+https://docs.docker.com/engine/install/debian/
+
+
+
+
+
+https://www.home-assistant.io/installation/linux#install-home-assistant-supervised
+https://github.com/home-assistant/supervised-installer
+https://github.com/home-assistant/architecture/blob/master/adr/0014-home-assistant-supervised.md
+
+DATA_SHARE=/usr/share/hassio dpkg --force-confdef --force-confold -i homeassistant-supervised.deb
+
+neu debian
+ha installieren
+gucken ob geht
+dann bw drüberbügeln
+
+
+https://www.home-assistant.io/integrations/http/#ssl_certificate
+
+`wget "$(curl -L https://api.github.com/repos/home-assistant/supervised-installer/releases/latest | jq -r '.assets[0].browser_download_url')" -O homeassistant-supervised.deb && dpkg -i homeassistant-supervised.deb`
--- a/bundles/homeassistant-supervised/items.py
+++ b/bundles/homeassistant-supervised/items.py
@ -0,0 +1,30 @@
+from shlex import quote
+
+
+version = node.metadata.get('homeassistant/os_agent_version')
+
+directories = {
+    '/usr/share/hassio': {},
+}
+
+actions = {
+    'install_os_agent': {
+        'command': ' && '.join([
+            f'wget -O /tmp/os-agent.deb https://github.com/home-assistant/os-agent/releases/download/{quote(version)}/os-agent_{quote(version)}_linux_aarch64.deb',
+            'DEBIAN_FRONTEND=noninteractive dpkg -i /tmp/os-agent.deb',
+        ]),
+        'unless': f'test "$(apt -qq list os-agent | cut -d" " -f2)" = "{quote(version)}"',
+        'needs': {
+            'pkg_apt:',
+            'zfs_dataset:tank/homeassistant',
+        },
+    },
+    'install_homeassistant_supervised': {
+        'command': 'wget -O /tmp/homeassistant-supervised.deb https://github.com/home-assistant/supervised-installer/releases/latest/download/homeassistant-supervised.deb && apt install /tmp/homeassistant-supervised.deb',
+        'unless': 'apt -qq list homeassistant-supervised | grep -q "installed"',
+        'needs': {
+            'action:install_os_agent',
+        },
+    },
+}
+
--- a/bundles/homeassistant-supervised/metadata.py
+++ b/bundles/homeassistant-supervised/metadata.py
@ -0,0 +1,65 @@
+defaults = {
+    'apt': {
+        'packages': {
+            # homeassistant-supervised
+            'apparmor': {},
+            'bluez': {},
+            'cifs-utils': {},
+            'curl': {},
+            'dbus': {},
+            'jq': {},
+            'libglib2.0-bin': {},
+            'lsb-release': {},
+            'network-manager': {},
+            'nfs-common': {},
+            'systemd-journal-remote': {},
+            'systemd-resolved': {},
+            'udisks2': {},
+            'wget': {},
+            # docker
+            'docker-ce': {},
+            'docker-ce-cli': {},
+            'containerd.io': {},
+            'docker-buildx-plugin': {},
+            'docker-compose-plugin': {},
+       },
+        'sources': {
+            # docker: https://docs.docker.com/engine/install/debian/#install-using-the-repository
+            'docker': {
+                'urls': {
+                    'https://download.docker.com/linux/debian',
+                },
+                'suites': {
+                    '{codename}',
+                },
+                'components': {
+                    'stable',
+                },
+            },
+        },
+    },
+    'zfs': {
+        'datasets': {
+            'tank/homeassistant': {
+                'mountpoint': '/usr/share/hassio',
+                'needed_by': {
+                    'directory:/usr/share/hassio',
+                },
+            },
+        },
+    },
+}
+
+@metadata_reactor.provides(
+    'nginx/vhosts',
+)
+def nginx(metadata):
+    return {
+        'nginx': {
+            'vhosts': {
+                metadata.get('homeassistant/domain'): {
+                    'content': 'homeassistant/vhost.conf',
+                },
+            },
+        },
+    }
--- a/bundles/homeassistant/items.py
+++ b/bundles/homeassistant/items.py
@ -1,20 +0,0 @@
-users = {
-    'homeassistant': {
-        'home': '/var/lib/homeassistant',
-    },
-}
-
-directories = {
-    '/var/lib/homeassistant': {
-        'owner': 'homeassistant',
-    },
-    '/var/lib/homeassistant/config': {
-        'owner': 'homeassistant',
-    },
-    '/var/lib/homeassistant/venv': {
-        'owner': 'homeassistant',
-    },
-}
-
-
-# https://wiki.instar.com/de/Software/Linux/Home_Assistant/
--- a/bundles/homeassistant/metadata.py
+++ b/bundles/homeassistant/metadata.py
@ -1,9 +0,0 @@
-defaults = {
-    'apt': {
-        'packages': {
-            'python3-dev': {},
-            'python3-pip': {},
-            'python3-venv': {},
-        },
-    },
-}
--- a/bundles/hostname/metadata.py
+++ b/bundles/hostname/metadata.py
@ -23,6 +23,6 @@ def hostname_file(metadata):
 def dns(metadata):
    return {
        'dns': {
-            metadata.get('hostname'): repo.libs.dns.get_a_records(metadata, external=False),
+            metadata.get('hostname'): repo.libs.ip.get_a_records(metadata),
        },
    }
--- a/bundles/htop/files/htoprc.global
+++ b/bundles/htop/files/htoprc.global
@ -24,7 +24,7 @@ header_margin=1
 detailed_cpu_time=0
 cpu_count_from_one=1
 show_cpu_usage=0
-show_cpu_frequency=0
+show_cpu_frequency=1
 show_cpu_temperature=0
 degree_fahrenheit=0
 update_process_names=0
--- a/bundles/icinga2/files/check_by_sshmon
+++ b/bundles/icinga2/files/check_by_sshmon
@ -0,0 +1,36 @@
+#!/bin/sh
+
+UNKNOWN=3
+
+if [ -z "$SSHMON_COMMAND" ]
+then
+    echo 'check_by_sshmon: Env SSHMON_COMMAND missing' >&2
+    exit $UNKNOWN
+elif [ -z "$SSHMON_HOST" ]
+then
+    echo 'check_by_sshmon: Env SSHMON_HOST missing' >&2
+    exit $UNKNOWN
+fi
+
+if [ -z "$SSHMON_SUDO" ]
+then
+    PREFIX=""
+else
+    PREFIX="sudo "
+fi
+
+ssh sshmon@"$SSHMON_HOST" "$PREFIX$SSHMON_COMMAND"
+
+exitcode=$?
+
+if [ "$exitcode" = 124 ]
+then
+    echo 'check_by_sshmon: Timeout while running check remotely' >&2
+    exit $UNKNOWN
+elif [ "$exitcode" = 255 ]
+then
+    echo 'check_by_sshmon: SSH error' >&2
+    exit $UNKNOWN
+else
+    exit $exitcode
+fi
--- a/bundles/icinga2/files/conf.d/api-users.conf
+++ b/bundles/icinga2/files/conf.d/api-users.conf
@ -0,0 +1,10 @@
+% for name, conf in sorted(users.items()):
+object ApiUser "${name}" {
+  password = "${conf['password']}"
+  permissions = [
+% for permission in conf['permissions']:
+    "${permission}",
+% endfor
+  ]
+}
+% endfor
--- a/bundles/icinga2/files/conf.d/app.conf
+++ b/bundles/icinga2/files/conf.d/app.conf
@ -0,0 +1 @@
+object IcingaApplication "app" { }
--- a/bundles/icinga2/files/conf.d/commands.conf
+++ b/bundles/icinga2/files/conf.d/commands.conf
@ -0,0 +1,198 @@
+/* Command objects */
+
+/* Notification Commands
+ *
+ * Please check the documentation for all required and
+ * optional parameters.
+ */
+
+
+object CheckCommand "sshmon" {
+    import "ipv4-or-ipv6"
+
+    command = [ "/usr/lib/nagios/plugins/check_by_sshmon" ]
+
+    env.SSHMON_COMMAND = "$command$"
+    env.SSHMON_HOST = "$address$"
+    env.SSHMON_SUDO = "$sudo$"
+}
+
+
+object NotificationCommand "mail-host-notification" {
+  command = [ ConfigDir + "/scripts/mail-host-notification.sh" ]
+
+  arguments += {
+    "-4" = "$notification_address$"
+    "-6" = "$notification_address6$"
+    "-b" = "$notification_author$"
+    "-c" = "$notification_comment$"
+    "-d" = {
+      required = true
+      value = "$notification_date$"
+    }
+    "-f" = {
+      value = "$notification_from$"
+      description = "Set from address. Requires GNU mailutils (Debian/Ubuntu) or mailx (RHEL/SUSE)"
+    }
+    "-i" = "$notification_icingaweb2url$"
+    "-l" = {
+      required = true
+      value = "$notification_hostname$"
+    }
+    "-n" = {
+      required = true
+      value = "$notification_hostdisplayname$"
+    }
+    "-o" = {
+      required = true
+      value = "$notification_hostoutput$"
+    }
+    "-r" = {
+      required = true
+      value = "$notification_useremail$"
+    }
+    "-s" = {
+      required = true
+      value = "$notification_hoststate$"
+    }
+    "-t" = {
+      required = true
+      value = "$notification_type$"
+    }
+    "-v" = "$notification_logtosyslog$"
+  }
+
+  vars += {
+    notification_address = "$address$"
+    notification_address6 = "$address6$"
+    notification_author = "$notification.author$"
+    notification_comment = "$notification.comment$"
+    notification_type = "$notification.type$"
+    notification_date = "$icinga.long_date_time$"
+    notification_hostname = "$host.name$"
+    notification_hostdisplayname = "$host.display_name$"
+    notification_hostoutput = "$host.output$"
+    notification_hoststate = "$host.state$"
+    notification_useremail = "$user.email$"
+  }
+}
+
+object NotificationCommand "mail-service-notification" {
+  command = [ ConfigDir + "/scripts/mail-service-notification.sh" ]
+
+  arguments += {
+    "-4" = "$notification_address$"
+    "-6" = "$notification_address6$"
+    "-b" = "$notification_author$"
+    "-c" = "$notification_comment$"
+    "-d" = {
+      required = true
+      value = "$notification_date$"
+    }
+    "-e" = {
+      required = true
+      value = "$notification_servicename$"
+    }
+    "-f" = {
+      value = "$notification_from$"
+      description = "Set from address. Requires GNU mailutils (Debian/Ubuntu) or mailx (RHEL/SUSE)"
+    }
+    "-i" = "$notification_icingaweb2url$"
+    "-l" = {
+      required = true
+      value = "$notification_hostname$"
+    }
+    "-n" = {
+      required = true
+      value = "$notification_hostdisplayname$"
+    }
+    "-o" = {
+      required = true
+      value = "$notification_serviceoutput$"
+    }
+    "-r" = {
+      required = true
+      value = "$notification_useremail$"
+    }
+    "-s" = {
+      required = true
+      value = "$notification_servicestate$"
+    }
+    "-t" = {
+      required = true
+      value = "$notification_type$"
+    }
+    "-u" = {
+      required = true
+      value = "$notification_servicedisplayname$"
+    }
+    "-v" = "$notification_logtosyslog$"
+  }
+
+  vars += {
+    notification_address = "$address$"
+    notification_address6 = "$address6$"
+    notification_author = "$notification.author$"
+    notification_comment = "$notification.comment$"
+    notification_type = "$notification.type$"
+    notification_date = "$icinga.long_date_time$"
+    notification_hostname = "$host.name$"
+    notification_hostdisplayname = "$host.display_name$"
+    notification_servicename = "$service.name$"
+    notification_serviceoutput = "$service.output$"
+    notification_servicestate = "$service.state$"
+    notification_useremail = "$user.email$"
+    notification_servicedisplayname = "$service.display_name$"
+  }
+}
+
+/*
+ * If you prefer to use the notification scripts with environment
+ * variables instead of command line parameters, you can use
+ * the following commands. They have been updated from < 2.7
+ * to support the new notification scripts and should help
+ * with an upgrade.
+ * Remove the comment blocks and comment the notification commands above.
+ */
+
+/*
+
+object NotificationCommand "mail-host-notification" {
+  command = [ ConfigDir + "/scripts/mail-host-notification.sh" ]
+
+  env = {
+    NOTIFICATIONTYPE = "$notification.type$"
+    HOSTDISPLAYNAME = "$host.display_name$"
+    HOSTNAME = "$host.name$"
+    HOSTADDRESS = "$address$"
+    HOSTSTATE = "$host.state$"
+    LONGDATETIME = "$icinga.long_date_time$"
+    HOSTOUTPUT = "$host.output$"
+    NOTIFICATIONAUTHORNAME = "$notification.author$"
+    NOTIFICATIONCOMMENT = "$notification.comment$"
+    HOSTDISPLAYNAME = "$host.display_name$"
+    USEREMAIL = "$user.email$"
+  }
+}
+
+object NotificationCommand "mail-service-notification" {
+  command = [ ConfigDir + "/scripts/mail-service-notification.sh" ]
+
+  env = {
+    NOTIFICATIONTYPE = "$notification.type$"
+    SERVICENAME = "$service.name$"
+    HOSTNAME = "$host.name$"
+    HOSTDISPLAYNAME = "$host.display_name$"
+    HOSTADDRESS = "$address$"
+    SERVICESTATE = "$service.state$"
+    LONGDATETIME = "$icinga.long_date_time$"
+    SERVICEOUTPUT = "$service.output$"
+    NOTIFICATIONAUTHORNAME = "$notification.author$"
+    NOTIFICATIONCOMMENT = "$notification.comment$"
+    HOSTDISPLAYNAME = "$host.display_name$"
+    SERVICEDISPLAYNAME = "$service.display_name$"
+    USEREMAIL = "$user.email$"
+  }
+}
+
+*/
--- a/bundles/icinga2/files/conf.d/groups.conf
+++ b/bundles/icinga2/files/conf.d/groups.conf
@ -0,0 +1,37 @@
+/**
+ * Host group examples.
+ */
+
+object HostGroup "linux-servers" {
+  display_name = "Linux Servers"
+
+  assign where host.vars.os == "Linux"
+}
+
+object HostGroup "windows-servers" {
+  display_name = "Windows Servers"
+
+  assign where host.vars.os == "Windows"
+}
+
+/**
+ * Service group examples.
+ */
+
+object ServiceGroup "ping" {
+  display_name = "Ping Checks"
+
+  assign where match("ping*", service.name)
+}
+
+object ServiceGroup "http" {
+  display_name = "HTTP Checks"
+
+  assign where match("http*", service.check_command)
+}
+
+object ServiceGroup "disk" {
+  display_name = "Disk Checks"
+
+  assign where match("disk*", service.check_command)
+}
--- a/bundles/icinga2/files/conf.d/notifications.conf
+++ b/bundles/icinga2/files/conf.d/notifications.conf
@ -0,0 +1,33 @@
+/**
+ * The example notification apply rules.
+ *
+ * Only applied if host/service objects have
+ * the custom variable `notification` defined
+ * and containing `mail` as key.
+ *
+ * Check `hosts.conf` for an example.
+ */
+
+apply Notification "mail-icingaadmin" to Host {
+  import "mail-host-notification"
+  user_groups = host.vars.notification.mail.groups
+  users = host.vars.notification.mail.users
+
+
+
+
+
+  assign where host.vars.notification.mail
+}
+
+apply Notification "mail-icingaadmin" to Service {
+  import "mail-service-notification"
+  user_groups = host.vars.notification.mail.groups
+  users = host.vars.notification.mail.users
+
+
+
+
+
+  assign where host.vars.notification.mail
+}
--- a/bundles/icinga2/files/conf.d/templates.conf
+++ b/bundles/icinga2/files/conf.d/templates.conf
@ -0,0 +1,15 @@
+template Host "generic-host" {
+  max_check_attempts = 3
+  check_interval = 1m
+  retry_interval = 30s
+
+  check_command = "hostalive"
+}
+
+template Service "generic-service" {
+  max_check_attempts = 5
+  check_interval = 1m
+  retry_interval = 30s
+}
+
+template User "generic-user" {}
--- a/bundles/icinga2/files/conf.d/timeperiods.conf
+++ b/bundles/icinga2/files/conf.d/timeperiods.conf
@ -0,0 +1,34 @@
+/**
+ * Sample timeperiods for Icinga 2.
+ * Check the documentation for details.
+ */
+
+object TimePeriod "24x7" {
+  display_name = "Icinga 2 24x7 TimePeriod"
+  ranges = {
+    "monday" 	= "00:00-24:00"
+    "tuesday" 	= "00:00-24:00"
+    "wednesday" = "00:00-24:00"
+    "thursday" 	= "00:00-24:00"
+    "friday" 	= "00:00-24:00"
+    "saturday" 	= "00:00-24:00"
+    "sunday" 	= "00:00-24:00"
+  }
+}
+
+object TimePeriod "9to5" {
+  display_name = "Icinga 2 9to5 TimePeriod"
+  ranges = {
+    "monday" 	= "09:00-17:00"
+    "tuesday" 	= "09:00-17:00"
+    "wednesday" = "09:00-17:00"
+    "thursday" 	= "09:00-17:00"
+    "friday" 	= "09:00-17:00"
+  }
+}
+
+object TimePeriod "never" {
+  display_name = "Icinga 2 never TimePeriod"
+  ranges = {
+  }
+}
--- a/bundles/icinga2/files/constants.conf
+++ b/bundles/icinga2/files/constants.conf
@ -0,0 +1,6 @@
+const PluginDir = "/usr/lib/nagios/plugins"
+const ManubulonPluginDir = "/usr/lib/nagios/plugins"
+const PluginContribDir = "/usr/lib/nagios/plugins"
+const NodeName = "${hostname}"
+const ZoneName = NodeName
+const TicketSalt = ""
--- a/bundles/icinga2/files/features/api.conf
+++ b/bundles/icinga2/files/features/api.conf
@ -0,0 +1 @@
+object ApiListener "api" {}
--- a/bundles/icinga2/files/features/checker.conf
+++ b/bundles/icinga2/files/features/checker.conf
@ -0,0 +1 @@
+object CheckerComponent "checker" { }
--- a/bundles/icinga2/files/features/ido-pgsql.conf
+++ b/bundles/icinga2/files/features/ido-pgsql.conf
@ -0,0 +1,8 @@
+library "db_ido_pgsql"
+
+object IdoPgsqlConnection "ido-pgsql" {
+  user = "icinga2",
+  password = "${db_password}",
+  host = "localhost",
+  database = "icinga2"
+}
--- a/bundles/icinga2/files/features/journald.conf
+++ b/bundles/icinga2/files/features/journald.conf
@ -0,0 +1,7 @@
+/**
+ * The JournaldLogger type writes log information to the systemd journal.
+ */
+
+object JournaldLogger "journald" {
+    severity = "warning"
+}
--- a/bundles/icinga2/files/features/mainlog.conf
+++ b/bundles/icinga2/files/features/mainlog.conf
@ -0,0 +1,4 @@
+/**
+ * This file is requires for inital apt install.
+ * The JournaldLogger type writes log information to the systemd journal.
+ */
--- a/bundles/icinga2/files/features/notification.conf
+++ b/bundles/icinga2/files/features/notification.conf
@ -0,0 +1 @@
+object NotificationComponent "notification" { }
--- a/bundles/icinga2/files/hosts.d/host.conf
+++ b/bundles/icinga2/files/hosts.d/host.conf
@ -0,0 +1,39 @@
+<%!
+    from bundlewrap.utils import Fault
+
+    def render_value(key, value):
+        if isinstance(value, Fault):
+            return render_value(key, value.value)
+        elif isinstance(value, type(None)):
+            return '""'
+        elif isinstance(value, bool):
+            return 'true' if value else 'false'
+        elif isinstance(value, int):
+            return str(value)
+        elif isinstance(value, str):
+            if key.endswith('_interval'):
+                return value
+            else:
+                escaped_value = value.replace('$', '$$').replace('"', '\\"')
+                return f'"{escaped_value}"'
+        elif isinstance(value, (list, set)):
+            return '[' + ', '.join(render_value(e) for e in sorted(value)) + ']'
+        else:
+            raise Exception(f"cant process type '{type(value)}' of value '{value}'")
+%>
+
+object Host "${host_name}" {
+  import "generic-host"
+  % for key, value in sorted(host_settings.items()):
+  ${key} = ${render_value(key, value)}
+  % endfor
+}
+
+% for service_name, service_config in sorted(services.items()):
+object Service "${service_name}" {
+  import "generic-service"
+  % for key, value in sorted(service_config.items()):
+  ${key} = ${render_value(key, value)}
+  % endfor
+}
+% endfor
--- a/bundles/icinga2/files/icinga2.conf
+++ b/bundles/icinga2/files/icinga2.conf
@ -0,0 +1,10 @@
+include "constants.conf"
+include "zones.conf"
+
+include <itl>
+include <plugins>
+include <plugins-contrib>
+
+include "features-enabled/*.conf"
+include_recursive "conf.d"
+include "hosts.d/*.conf"
--- a/bundles/icinga2/files/zones.conf
+++ b/bundles/icinga2/files/zones.conf
@ -0,0 +1,7 @@
+object Endpoint NodeName {
+  host = NodeName
+}
+
+object Zone ZoneName {
+  endpoints = [ NodeName ]
+}
--- a/bundles/icinga2/items.py
+++ b/bundles/icinga2/items.py
@ -0,0 +1,275 @@
+from ipaddress import ip_interface
+
+directories = {
+    '/etc/icinga2': {
+       'purge': True,
+        'owner': 'nagios',
+        'group': 'nagios',
+        'mode': '0750',
+        'triggers': [
+            'svc_systemd:icinga2.service:restart',
+        ],
+    },
+   '/etc/icinga2/pki': { # required for apt install
+       'purge': True,
+        'owner': 'nagios',
+        'group': 'nagios',
+        'mode': '0750',
+        'triggers': [
+            'svc_systemd:icinga2.service:restart',
+        ],
+    },
+   '/etc/icinga2/zones.d': { # required for apt install
+       'purge': True,
+        'owner': 'nagios',
+        'group': 'nagios',
+        'mode': '0750',
+        'triggers': [
+            'svc_systemd:icinga2.service:restart',
+        ],
+    },
+    '/etc/icinga2/conf.d': {
+        'purge': True,
+        'owner': 'nagios',
+        'group': 'nagios',
+        'mode': '0750',
+        'triggers': [
+            'svc_systemd:icinga2.service:restart',
+        ],
+    },
+    '/etc/icinga2/hosts.d': {
+        'purge': True,
+        'owner': 'nagios',
+        'group': 'nagios',
+        'mode': '0750',
+        'triggers': [
+            'svc_systemd:icinga2.service:restart',
+        ],
+    },
+    '/etc/icinga2/features-available': {
+        'purge': True,
+        'owner': 'nagios',
+        'group': 'nagios',
+        'mode': '0750',
+        'triggers': [
+            'svc_systemd:icinga2.service:restart',
+        ],
+    },
+    '/etc/icinga2/features-enabled': {
+        'purge': True,
+        'owner': 'nagios',
+        'group': 'nagios',
+        'mode': '0750',
+        'triggers': [
+            'svc_systemd:icinga2.service:restart',
+        ],
+    },
+    '/etc/icinga2/scripts': {
+        'owner': 'nagios',
+        'group': 'nagios',
+        'mode': '0750',
+        'triggers': [
+            'svc_systemd:icinga2.service:restart',
+        ],
+    },
+    '/var/lib/icinga2': {
+        'owner': 'nagios',
+        'group': 'nagios',
+        'mode': '0750',
+        'triggers': [
+            'svc_systemd:icinga2.service:restart',
+        ],
+    },
+    '/var/lib/icinga2/certs': {
+        'owner': 'nagios',
+        'group': 'nagios',
+        'mode': '0700',
+        'triggers': [
+            'svc_systemd:icinga2.service:restart',
+        ],
+    },
+}
+
+files = {
+    '/etc/icinga2/icinga2.conf': {
+        'owner': 'nagios',
+        'group': 'nagios',
+        'mode': '0640',
+        'triggers': [
+            'svc_systemd:icinga2.service:restart',
+        ],
+    },
+    '/etc/icinga2/constants.conf': {
+        'content_type': 'mako',
+        'owner': 'nagios',
+        'group': 'nagios',
+        'mode': '0640',
+        'context': {
+            'hostname': node.metadata.get('icinga2/hostname')
+        },
+        'triggers': [
+            'svc_systemd:icinga2.service:restart',
+        ],
+    },
+    '/etc/icinga2/zones.conf': {
+        'content_type': 'mako',
+        'context': {
+            'hostname': node.metadata.get('icinga2/hostname')
+        },
+        'owner': 'nagios',
+        'group': 'nagios',
+        'mode': '0640',
+        'triggers': [
+            'svc_systemd:icinga2.service:restart',
+        ],
+    },
+    '/etc/icinga2/conf.d/api-users.conf': {
+        'source': 'conf.d/api-users.conf',
+        'content_type': 'mako',
+        'owner': 'nagios',
+        'group': 'nagios',
+        'mode': '0640',
+        'context': {
+            'users': node.metadata.get('icinga2/api_users'),
+        },
+        'triggers': [
+            'svc_systemd:icinga2.service:restart',
+        ],
+    },
+    '/etc/icinga2/conf.d/app.conf': {
+        'source': 'conf.d/app.conf',
+        'content_type': 'mako',
+        'owner': 'nagios',
+        'group': 'nagios',
+        'mode': '0640',
+        'triggers': [
+            'svc_systemd:icinga2.service:restart',
+        ],
+    },
+    '/etc/icinga2/conf.d/commands.conf': {
+        'source': 'conf.d/commands.conf',
+        'content_type': 'mako',
+        'owner': 'nagios',
+        'group': 'nagios',
+        'mode': '0640',
+        'triggers': [
+            'svc_systemd:icinga2.service:restart',
+        ],
+    },
+    '/etc/icinga2/conf.d/groups.conf': {
+        'source': 'conf.d/groups.conf',
+        'content_type': 'mako',
+        'owner': 'nagios',
+        'group': 'nagios',
+        'mode': '0640',
+        'triggers': [
+            'svc_systemd:icinga2.service:restart',
+        ],
+    },
+    '/etc/icinga2/conf.d/notifications.conf': {
+        'source': 'conf.d/notifications.conf',
+        'content_type': 'mako',
+        'owner': 'nagios',
+        'group': 'nagios',
+        'mode': '0640',
+        'triggers': [
+            'svc_systemd:icinga2.service:restart',
+        ],
+    },
+    '/etc/icinga2/conf.d/templates.conf': {
+        'source': 'conf.d/templates.conf',
+        'content_type': 'mako',
+        'owner': 'nagios',
+        'group': 'nagios',
+        'mode': '0640',
+        'triggers': [
+            'svc_systemd:icinga2.service:restart',
+        ],
+    },
+    '/etc/icinga2/conf.d/timeperiods.conf': {
+        'source': 'conf.d/timeperiods.conf',
+        'content_type': 'mako',
+        'owner': 'nagios',
+        'group': 'nagios',
+        'mode': '0640',
+        'triggers': [
+            'svc_systemd:icinga2.service:restart',
+        ],
+    },
+    '/var/lib/icinga2/certs/ca.crt': {
+        'content_type': 'download',
+        'source': f'https://letsencrypt.org/certs/isrg-root-x1-cross-signed.pem',
+        'owner': 'nagios',
+        'group': 'nagios',
+        'triggers': [
+            'svc_systemd:icinga2.service:restart',
+        ],
+    },
+    '/usr/lib/nagios/plugins/check_by_sshmon': {
+        'mode': '0755',
+    },
+}
+
+# FEATURES
+
+for feature, context in {
+    'mainlog': {},
+#    'journald': {}, FIXME
+    'notification': {},
+    'checker': {},
+    'api': {},
+    'ido-pgsql': {
+        'db_password': node.metadata.get('postgresql/roles/icinga2/password'),
+    },
+}.items():
+    files[f'/etc/icinga2/features-available/{feature}.conf'] = {
+        'content_type': 'mako' if context else 'text',
+        'context':  context,
+        'source': f'features/{feature}.conf',
+        'owner': 'nagios',
+        'group': 'nagios',
+        'triggers': [
+            'svc_systemd:icinga2.service:restart',
+        ],
+    }
+    symlinks[f'/etc/icinga2/features-enabled/{feature}.conf'] = {
+        'target': f'/etc/icinga2/features-available/{feature}.conf',
+        'owner': 'nagios',
+        'group': 'nagios',
+        'triggers': [
+            'svc_systemd:icinga2.service:restart',
+        ],
+    }
+
+# HOSTS
+
+for other_node in repo.nodes:
+    if other_node.dummy:
+        continue
+    elif not other_node.in_group('monitored'):
+        continue
+
+    files[f'/etc/icinga2/hosts.d/{other_node.name}.conf'] = {
+        'content_type': 'mako',
+        'source': 'hosts.d/host.conf',
+        'owner': 'nagios',
+        'context': {
+            'host_name': other_node.name,
+            'host_settings': {
+                'address': str(ip_interface(other_node.metadata.get('network/internal/ipv4', None) or other_node.metadata.get('wireguard/my_ip')).ip),
+            },
+            'services': other_node.metadata.get('monitoring/services'),
+        },
+        'triggers': [
+            'svc_systemd:icinga2.service:restart',
+        ],
+    }
+
+svc_systemd = {
+    'icinga2.service': {
+        'needs': [
+            'pkg_apt:icinga2-ido-pgsql',
+            'svc_systemd:postgresql.service',
+        ],
+    },
+}
--- a/bundles/icinga2/metadata.py
+++ b/bundles/icinga2/metadata.py
@ -0,0 +1,91 @@
+from hashlib import sha3_256
+
+defaults = {
+    'apt': {
+        'packages': {
+            'icinga2': {},
+            'icinga2-ido-pgsql': {},
+            'icingacli': {},
+            'monitoring-plugins': {},
+        },
+        'sources': {
+            'icinga': {
+                'types': {
+                    'deb',
+                    'deb-src',
+                },
+                'urls': {
+                    'https://packages.icinga.com/debian',
+                },
+                'suites': {
+                    'icinga-{codename}',
+                },
+                'components': {
+                    'main',
+                },
+            },
+        },
+    },
+    'icinga2': {
+        'api_users': {
+            'root': {
+                'password': repo.vault.password_for(f'icinga2 api user root on {node.name}'),
+                'permissions': {'*'},
+            }
+        },
+    },
+    'nftables': {
+        'input': {
+            'tcp dport 5665 accept',
+        },
+    },
+    'postgresql': {
+        'databases': {
+            'icinga2': {
+                'owner': 'icinga2',
+            },
+        },
+        'roles': {
+            'icinga2': {
+                'password': repo.vault.password_for(f'psql icinga2 on {node.name}'),
+            },
+        },
+    },
+    'users': {
+        'nagios': {
+            'home': '/var/lib/nagios',
+            'shell': '/usr/sbin/nologin',
+        },
+    },
+    'zfs': {
+        'datasets': {
+            'tank/icinga2': {
+                'mountpoint': '/var/lib/icinga2',
+                'needed_by': {
+                    'pkg_apt:icinga2',
+                    'pkg_apt:icinga2-ido-pgsql',
+                },
+            },
+        },
+    },
+}
+
+
+@metadata_reactor.provides(
+    'letsencrypt/domains',
+)
+def letsencrypt(metadata):
+    return {
+        'letsencrypt': {
+            'domains': {
+                metadata.get('icingaweb2/hostname'): {
+                    'reload': {'icinga2'},
+                    'owner': 'nagios',
+                    'group': 'nagios',
+                    'location': '/var/lib/icinga2/certs',
+                    'privkey_name': metadata.get('hostname') + '.key',
+                    'cert_name': metadata.get('hostname') + '.crt',
+                },
+            },
+        },
+    }
--- a/bundles/icingaweb2/README.md
+++ b/bundles/icingaweb2/README.md
@ -0,0 +1,5 @@
+- apply
+- open /icingaweb2/setup in browser
+- fill in values from metadata
+- apply
+- make sure tls cert exists and is owned by nagios
--- a/bundles/icingaweb2/items.py
+++ b/bundles/icingaweb2/items.py
@ -0,0 +1,84 @@
+directories = {
+    '/etc/icingaweb2': {
+#        'purge': True,
+        'owner': 'www-data',
+        'group': 'icingaweb2',
+        'mode': '2770',
+        'needs': [
+            'pkg_apt:icingaweb2',
+        ],
+    },
+    '/etc/icingaweb2/enabledModules': {
+#        'purge': True,
+        'owner': 'www-data',
+        'group': 'icingaweb2',
+        'mode': '2770',
+        'needs': [
+            'pkg_apt:icingaweb2',
+        ],
+    },
+    '/etc/icingaweb2/modules': {
+#        'purge': True,
+        'owner': 'www-data',
+        'group': 'icingaweb2',
+        'mode': '2770',
+        'needs': [
+            'pkg_apt:icingaweb2',
+        ],
+    },
+}
+
+files = {
+    '/etc/icingaweb2/setup.token': {
+        'content': node.metadata.get('icingaweb2/setup_token'),
+        'owner': 'www-data',
+        'group': 'icingaweb2',
+        'mode': '0660',
+        'needs': [
+            'pkg_apt:icingaweb2',
+        ],
+    },
+}
+
+symlinks = {
+    '/etc/icingaweb2/enabledModules/monitoring': {
+        'target': '/usr/share/icingaweb2/modules/monitoring',
+        'owner': 'www-data',
+        'group': 'icingaweb2',
+        'needs': [
+            'pkg_apt:icingaweb2',
+        ],
+    },
+}
+
+for name in [
+    'authentication.ini',
+    'config.ini',
+    'groups.ini',
+    'resources.ini',
+    'roles.ini',
+]:
+    files[f'/etc/icingaweb2/{name}'] = {
+        'content': repo.libs.ini.dumps(node.metadata.get(f'icingaweb2/{name}')),
+        'owner': 'www-data',
+        'group': 'icingaweb2',
+        'mode': '0660',
+        'needs': [
+            'pkg_apt:icingaweb2',
+        ],
+    }
+
+for name in [
+    'config.ini',
+    'backends.ini',
+    'commandtransports.ini',
+]:
+    files[f'/etc/icingaweb2/modules/monitoring/{name}'] = {
+        'content': repo.libs.ini.dumps(node.metadata.get(f'icingaweb2/monitoring/{name}')),
+        'owner': 'www-data',
+        'group': 'icingaweb2',
+        'mode': '0660',
+        'needs': [
+            'pkg_apt:icingaweb2',
+        ],
+    }
--- a/bundles/icingaweb2/metadata.py
+++ b/bundles/icingaweb2/metadata.py
@ -0,0 +1,185 @@
+from hashlib import sha3_256
+
+defaults = {
+    'apt': {
+        'packages': {
+            'php-ldap': {},
+            'php-json': {},
+            'php-intl': {},
+            'php-xml': {},
+            'php-gd': {},
+            'php-imagick': {},
+            'php-pgsql': {},
+            'icingaweb2': {},
+            #'icingaweb2-module-monitoring': {}, # ?
+        },
+        'sources': {
+            'icinga': {
+                'types': {
+                    'deb',
+                    'deb-src',
+                },
+                'urls': {
+                    'https://packages.icinga.com/debian',
+                },
+                'suites': {
+                    'icinga-{codename}',
+                },
+                'components': {
+                    'main',
+                },
+            },
+        },
+    },
+    'icingaweb2': {
+        'authentication.ini': {
+            'icingaweb2': {
+                'backend': 'db',
+                'resource': 'icingaweb2_db',
+            },
+        },
+        'config.ini': {
+            'global': {
+                'show_stacktraces': '1',
+                'show_application_state_messages': '1',
+                'module_path': '/usr/share/icingaweb2/modules',
+                'config_backend': 'db',
+                'config_resource': 'icingaweb2_db',
+            },
+            'logging': {
+                'log': 'syslog',
+                'level': 'INFO',
+                'application': 'icingaweb2',
+                'facility': 'user',
+            },
+        },
+        'groups.ini': {
+            'icingaweb2': {
+                'backend': 'db',
+                'resource': 'icingaweb2_db',
+            },
+        },
+        'resources.ini': {
+            'icingaweb2_db': {
+                'type': 'db',
+                'db': 'pgsql',
+                'host': 'localhost',
+                'port': '5432',
+                'dbname': 'icingaweb2',
+                'username': 'icingaweb2',
+                'password': str(repo.vault.password_for(f'psql icingaweb2 on {node.name}')),
+                'charset': '',
+                'use_ssl': '0',
+            },
+            'icinga_ido': {
+                'type': 'db',
+                'db': 'pgsql',
+                'host': 'localhost',
+                'port': '5432',
+                'dbname': 'icinga2',
+                'username': 'icinga2',
+                'charset': '',
+                'use_ssl': '0',
+            },
+        },
+        'roles.ini': {
+            'Administrators': {
+                'users': 'root',
+                'permissions': '*',
+                'groups': 'Administrators',
+            },
+        },
+        'monitoring': {
+            'config.ini': {
+                'security': {
+                    'protected_customvars': '*pw*,*pass*,community',
+                },
+            },
+            'backends.ini': {
+                'icinga2': {
+                    'type': 'ido',
+                    'resource': 'icinga_ido',
+                },
+            },
+            'commandtransports.ini': {
+                'icinga2': {
+                    'transport': 'api',
+                    'host': 'localhost',
+                    'port': '5665',
+                    'username': 'root',
+                },
+            },
+        },
+    },
+    'postgresql': {
+        'databases': {
+            'icingaweb2': {
+                'owner': 'icingaweb2',
+            },
+        },
+        'roles': {
+            'icingaweb2': {
+                'password': str(repo.vault.password_for(f'psql icingaweb2 on {node.name}')),
+            },
+        },
+    },
+    'redis': {
+        'icingaweb2': {},
+    },
+}
+
+
+@metadata_reactor.provides(
+    'icingaweb2/hostname',
+    'icingaweb2/resources.ini/icinga_ido/password',
+    'icingaweb2/monitoring/commandtransports.ini/icinga2/password',
+)
+def stuff(metadata):
+    return {
+        'icingaweb2': {
+            'hostname': metadata.get('icinga2/hostname'),
+            'resources.ini': {
+                'icinga_ido': {
+                    'password': str(metadata.get('postgresql/roles/icinga2/password')),
+                },
+            },
+            'monitoring': {
+                'commandtransports.ini': {
+                    'icinga2': {
+                        'password': str(metadata.get('icinga2/api_users/root/password')),
+                    },
+                },
+            },
+        },
+    }
+
+
+@metadata_reactor.provides(
+    'icingaweb2/setup_token',
+    'icingaweb2/root_password',
+)
+def setup_token(metadata):
+    return {
+        'icingaweb2': {
+            'setup_token': sha3_256(metadata.get('id').encode()).hexdigest()[:16],
+            'root_password': str(repo.vault.password_for(f"icingaweb2 root user on {metadata.get('id')}")),
+        },
+    }
+
+
+@metadata_reactor.provides(
+    'nginx/vhosts',
+)
+def nginx(metadata):
+    return {
+        'nginx': {
+            'vhosts': {
+                metadata.get('icingaweb2/hostname'): {
+                    'content': 'icingaweb2/vhost.conf',
+                    'context': {
+                        'php_version': metadata.get('php/version'),
+                    },
+                },
+            },
+        },
+    }
--- a/bundles/influxdb2/items.py
+++ b/bundles/influxdb2/items.py
@ -4,8 +4,9 @@ from shlex import quote
 directories['/var/lib/influxdb'] = {
    'owner': 'influxdb',
    'group': 'influxdb',
+    'mode': '0750',
    'needs': [
-        f"zfs_dataset:{node.metadata.get('zfs/storage_classes/ssd')}/influxdb",
+        'zfs_dataset:tank/influxdb',
    ],
 }

--- a/bundles/influxdb2/metadata.py
+++ b/bundles/influxdb2/metadata.py
@ -7,7 +7,22 @@ defaults = {
            'influxdb2-cli': {},
        },
        'sources': {
-            'deb https://repos.influxdata.com/debian {release} stable',
+            'influxdata': {
+                'urls': {
+                    'https://repos.influxdata.com/debian',
+                },
+                'suites': {
+                    'stable',
+                },
+                'components': {
+                    'main',
+                },
+            },
+        },
+    },
+    'nftables': {
+        'input': {
+            'tcp dport 8200 accept',
        },
    },
    'influxdb': {
@ -47,7 +62,7 @@ def zfs(metadata):
    return {
        'zfs': {
            'datasets': {
-                f"{metadata.get('zfs/storage_classes/ssd')}/influxdb": {
+                'tank/influxdb': {
                    'mountpoint': '/var/lib/influxdb',
                    'recordsize': '8192',
                    'atime': 'off',
@ -63,7 +78,7 @@ def zfs(metadata):
 def dns(metadata):
    return {
        'dns': {
-            metadata.get('influxdb/hostname'): repo.libs.dns.get_a_records(metadata),
+            metadata.get('influxdb/hostname'): repo.libs.ip.get_a_records(metadata),
        }
    }

--- a/bundles/java/metadata.py
+++ b/bundles/java/metadata.py
@ -19,7 +19,7 @@ def apt(metadata):
    return {
        'apt': {
            'packages': {
-                f'openjdk-{metadata.get("java/version")}-jre': {},
+                f'openjdk-{metadata.get("java/version")}-jre-headless': {},
            }
        }
    }
--- a/bundles/kea-dhcpd/items.py
+++ b/bundles/kea-dhcpd/items.py
@ -0,0 +1,21 @@
+from json import dumps
+from bundlewrap.metadata import MetadataJSONEncoder
+
+files = {
+    '/etc/kea/kea-dhcp4.conf': {
+        'content': dumps(node.metadata.get('kea'), indent=4, sort_keys=True, cls=MetadataJSONEncoder),
+        'triggers': [
+            'svc_systemd:kea-dhcp4-server:restart',
+        ],
+    },
+}
+
+svc_systemd = {
+    'kea-dhcp4-server': {
+        'needs': [
+            'pkg_apt:kea-dhcp4-server',
+            'file:/etc/kea/kea-dhcp4.conf',
+            'svc_systemd:systemd-networkd:restart',
+        ],
+    },
+}
--- a/bundles/kea-dhcpd/metadata.py
+++ b/bundles/kea-dhcpd/metadata.py
@ -0,0 +1,96 @@
+from ipaddress import ip_interface, ip_network
+
+hashable = repo.libs.hashable.hashable
+
+
+defaults = {
+    'apt': {
+        'packages': {
+            'kea-dhcp4-server': {},
+        },
+    },
+    'kea': {
+        'Dhcp4': {
+            'interfaces-config': {
+                'interfaces': set(),
+            },
+            'lease-database': {
+                'type': 'memfile',
+                'lfc-interval': 3600
+            },
+            'subnet4': set(),
+            'loggers': set([
+                hashable({
+                    'name': 'kea-dhcp4',
+                    'output_options': [
+                        {
+                            'output': 'syslog',
+                        }
+                    ],
+                    'severity': 'INFO',
+                }),
+            ]),
+        },
+    },
+}
+
+
+@metadata_reactor.provides(
+    'kea/Dhcp4/interfaces-config/interfaces',
+    'kea/Dhcp4/subnet4',
+)
+def subnets(metadata):
+    subnet4 = set()
+    interfaces = set()
+    reservations = set(
+        hashable({
+            'hw-address': network_conf['mac'],
+            'ip-address': str(ip_interface(network_conf['ipv4']).ip),
+        })
+            for other_node in repo.nodes
+            for network_conf in other_node.metadata.get('network', {}).values()
+            if 'mac' in network_conf
+    )
+
+    for network_name, network_conf in metadata.get('network').items():
+        dhcp_server_config = network_conf.get('dhcp_server_config', None)
+
+        if dhcp_server_config:
+            _network = ip_network(dhcp_server_config['subnet'])
+
+            subnet4.add(hashable({
+                'subnet': dhcp_server_config['subnet'],
+                'pools': [
+                    {
+                        'pool': f'{dhcp_server_config['pool_from']} - {dhcp_server_config['pool_to']}',
+                    },
+                ],
+                'option-data': [
+                    {
+                        'name': 'routers',
+                        'data': dhcp_server_config['router'],
+                    },
+                    {
+                        'name': 'domain-name-servers',
+                        'data': '10.0.10.2',
+                    },
+                ],
+                'reservations': set(
+                    reservation
+                        for reservation in reservations
+                        if ip_interface(reservation['ip-address']).ip in _network
+                ),
+            }))
+
+            interfaces.add(network_conf.get('interface', network_name))
+
+    return {
+        'kea': {
+            'Dhcp4': {
+                'interfaces-config': {
+                    'interfaces': interfaces,
+                },
+                'subnet4': subnet4,
+            },
+        },
+    }
--- a/bundles/left4dead2/files/server.cfg
+++ b/bundles/left4dead2/files/server.cfg
@ -0,0 +1,40 @@
+hostname "CroneKorkN : ${name}"
+sv_contact "admin@sublimity.de"
+
+
+sv_steamgroup "${','.join(steamgroups)}"
+
+rcon_password "${rcon_password}"
+
+
+motd_enabled 0
+
+
+sv_cheats 1
+
+
+sv_consistency 0
+
+
+sv_lan 0
+
+
+sv_allow_lobby_connect_only 0
+
+
+sv_gametypes "coop,realism,survival,versus,teamversus,scavenge,teamscavenge"
+
+
+sv_minrate 30000
+sv_maxrate 60000
+sv_mincmdrate 66
+sv_maxcmdrate 101
+
+
+sv_logsdir "logs-${name}"        //Folder in the game directory where server logs will be stored.
+log on            //Creates a logfile (on | off)
+sv_logecho 0            //default 0; Echo log information to the console.
+sv_logfile 1        //default 1; Log server information in the log file.
+sv_log_onefile 0    //default 0; Log server information to only one file.
+sv_logbans 1        //default 0;Log server bans in the server logs.
+sv_logflush 0        //default 0; Flush the log files to disk on each write (slow).
--- a/bundles/left4dead2/items.py
+++ b/bundles/left4dead2/items.py
@ -1,106 +1,122 @@
+assert node.has_bundle('steam') and node.has_bundle('steam-workshop-download')
+
 directories = {
-    '/opt/left4dead2': {
+    '/opt/steam/left4dead2-servers': {
        'owner': 'steam',
+        'group': 'steam',
+        'mode': '0755',
+        'purge': True,
    },
-    '/opt/left4dead2/ems/admin system': {
-        'owner': 'steam',
-    },
-    '/opt/left4dead2/left4dead2/cfg': {
-        'owner': 'steam',
-    },
-    '/opt/left4dead2/left4dead2/addons': {
+    # Current zfs doesnt support zfs upperdir. The support was added in October 2022. Move upperdir - unused anyway -
+    # to another dir. Also move workdir alongside it, as it has to be on same fs.
+    '/opt/steam-zfs-overlay-workarounds': {
        'owner': 'steam',
+        'group': 'steam',
+        'mode': '0755',
        'purge': True,
    },
 }

-files = {
-    '/opt/left4dead2/ems/admin system/admins.txt': {
+# /opt/steam/steam/.steam/sdk32/steamclient.so: cannot open shared object file: No such file or directory
+symlinks = {
+    '/opt/steam/steam/.steam/sdk32': {
+        'target': '/opt/steam/steam/linux32',
        'owner': 'steam',
-        'content': '\n'.join(node.metadata.get('left4dead2/admins')),
+        'group': 'steam',
    }
 }

-svc_systemd = {
-    'left4dead2-workshop': {
-        'running': False,
-        'needs': [
-            'svc_systemd:steam-update',
-        ],
-    },
-}
+#
+# SERVERS
+#

-for id in node.metadata.get('left4dead2/workshop'):
-    directories[f'/opt/left4dead2/left4dead2/addons/{id}'] = {
-        'owner': 'steam',
-        'triggers': [
-            'svc_systemd:left4dead2-workshop:restart',
-        ],
-    }
-
-server_units = set()
 for name, config in node.metadata.get('left4dead2/servers').items():
-    config.pop('port')
-    config = {
-        'hostname': name,
-        'sv_steamgroup': ','.join(
-            str(gid) for gid in  node.metadata.get('left4dead2/steamgroups')
-        ),
-        'z_difficulty': 'Impossible',
-        'sv_gametypes': 'realism',
-        'sv_region': 3, # europe
-        'log': 'on',
-        'sv_logecho': 1,
-        'sv_logfile': 1,
-        'sv_log_onefile': 0,
-        'sv_logbans': 1,
-        'sv_logflush': 0,
-        'sv_logsdir': 'logs', # /opt/left4dead2/left4dead2/logs
-        **config,
-    }
-    
-    files[f'/opt/left4dead2/left4dead2/cfg/server-{name}.cfg'] = {
-        'content': '\n'.join(
-            f'{key} "{value}"' for key, value in sorted(config.items())
-        ) + '\n',
+
+    #overlay
+    directories[f'/opt/steam/left4dead2-servers/{name}'] = {
        'owner': 'steam',
+        'group': 'steam',
+    }
+    directories[f'/opt/steam-zfs-overlay-workarounds/{name}/upper'] = {
+        'owner': 'steam',
+        'group': 'steam',
+    }
+    directories[f'/opt/steam-zfs-overlay-workarounds/{name}/workdir'] = {
+        'owner': 'steam',
+        'group': 'steam',
+    }
+
+    # conf
+    files[f'/opt/steam/left4dead2-servers/{name}/left4dead2/cfg/server.cfg'] = {
+        'content_type': 'mako',
+        'source': 'server.cfg',
+        'context': {
+            'name': name,
+            'steamgroups': node.metadata.get('left4dead2/steamgroups'),
+            'rcon_password': config['rcon_password'],
+        },
+        'owner': 'steam',
+        'group': 'steam',
        'triggers': [
-            f'svc_systemd:left4dead2-server-{name}:restart',
+            f'svc_systemd:left4dead2-{name}.service:restart',
        ],
    }
-    svc_systemd[f'left4dead2-server-{name}'] = {
+
+    # service
+    svc_systemd[f'left4dead2-{name}.service'] = {
        'needs': [
-            f'file:/usr/local/lib/systemd/system/left4dead2-server-{name}.service',
+            f'file:/opt/steam/left4dead2-servers/{name}/left4dead2/cfg/server.cfg',
+            f'file:/usr/local/lib/systemd/system/left4dead2-{name}.service',
        ],
    }
-    server_units.add(f'left4dead2-server-{name}')
-    

-for id in node.metadata.get('left4dead2/workshop'):
-    directories[f'/opt/left4dead2/addons/{id}'] = {
+    #
+    # ADDONS
+    #
+
+    # base
+    files[f'/opt/steam/left4dead2-servers/{name}/left4dead2/addons/readme.txt'] = {
+        'content_type': 'any',
        'owner': 'steam',
+        'group': 'steam',
+    }
+    directories[f'/opt/steam/left4dead2-servers/{name}/left4dead2/addons'] = {
+        'owner': 'steam',
+        'group': 'steam',
+        'purge': True,
        'triggers': [
-            'svc_systemd:left4dead2-workshop:restart',
+            f'svc_systemd:left4dead2-{name}.service:restart',
        ],
    }
+    for id in [
+        *config.get('workshop', []),
+        *node.metadata.get('left4dead2/workshop'),
+    ]:
+        files[f'/opt/steam/left4dead2-servers/{name}/left4dead2/addons/{id}.vpk'] = {
+            'content_type': 'any',
+            'owner': 'steam',
+            'group': 'steam',
+            'triggers': [
+                f'svc_systemd:left4dead2-{name}.service:restart',
+            ],
+        }

-# TIDYUP
+    # admin system

-find_obsolete_units = (
-    'find /usr/local/lib/systemd/system -type f -name "left4dead2-server-*.service" ' +
-    ' '.join(f"! -name '{name}.service'" for name in server_units)
-)
-actions['remove_obsolete_left4dead2_units'] = {
-    'command':  (
-        f'for unitfile in $({find_obsolete_units}); '
-        f'do '
-            f'systemctl stop $(basename "$unitfile"); '
-            f'systemctl disable $(basename "$unitfile"); '
-            f'rm "$unitfile"; '
-            f'systemctl daemon-reload; '
-        f'done'
-    ),
-    'unless':    (
-        find_obsolete_units + " | wc -l | grep -q '^0$'"
-    ),
-}
+    directories[f'/opt/steam/left4dead2-servers/{name}/left4dead2/ems/admin system'] = {
+        'owner': 'steam',
+        'group': 'steam',
+        'mode': '0755',
+        'triggers': [
+            f'svc_systemd:left4dead2-{name}.service:restart',
+        ],
+    }
+    files[f'/opt/steam/left4dead2-servers/{name}/left4dead2/ems/admin system/admins.txt'] = {
+        'owner': 'steam',
+        'group': 'steam',
+        'mode': '0755',
+        'content': '\n'.join(sorted(node.metadata.get('left4dead2/admins'))),
+        'triggers': [
+            f'svc_systemd:left4dead2-{name}.service:restart',
+        ],
+    }
--- a/bundles/left4dead2/metadata.py
+++ b/bundles/left4dead2/metadata.py
@ -5,7 +5,7 @@ from shlex import quote
 defaults = {
    'steam': {
        'games': {
-            'left4dead2': '222860',
+            'left4dead2': 222860,
        },
    },
    'left4dead2': {
@ -17,64 +17,85 @@ defaults = {


@metadata_reactor.provides(
-    'systemd/units',
+    'left4dead2/servers',
 )
-def workshop(metadata):
-    command = (
-        'set -x; '
-        'for ID in ' + ' '.join(metadata.get('left4dead2/workshop')) + '; '
-        'do '
-            'if ! ls /opt/left4dead2/left4dead2/addons/$ID/*.vpk; '
-            'then '
-                'cd /opt/left4dead2/left4dead2/addons/$ID; '
-                '/opt/steam-workshop-downloader https://steamcommunity.com/sharedfiles/filedetails\?id\=$ID; '
-                'unzip $ID.zip; '
-            'fi; '
-        'done'
-    )
-    
+def rconn_password(metadata):
+    # only works from localhost!
    return {
-        'systemd': {
-            'units': {
-                'left4dead2-workshop.service': {
-                    'Unit': {
-                        'Description': 'install workshop items',
-                        'After': 'network.target',
-                        'Requires': 'steam-update.service',
-                        'PartOf': 'steam-update.service'
-                    },
-                    'Service': {
-                        'Type': 'oneshot',
-                        'User': 'steam',
-                        'ExecStart': f'/bin/bash -c {quote(command)}',
-                    },
-                    'Install': {
-                        'WantedBy': {'multi-user.target'},
-                    },
+        'left4dead2': {
+            'servers': {
+                server: {
+                    'rcon_password': repo.vault.password_for(f'{node.name} left4dead2 {server} rcon', length=24),
                }
-            }
-        }
+                    for server in metadata.get('left4dead2/servers')
+            },
+        },
    }


@metadata_reactor.provides(
+    'steam-workshop-download',
    'systemd/units',
 )
 def server_units(metadata):
    units = {}
-    
+    workshop = {}
+
    for name, config in metadata.get('left4dead2/servers').items():
-        units[f'left4dead2-server-{name}.service'] = {
+        # mount overlay
+        mountpoint = f'/opt/steam/left4dead2-servers/{name}'
+        mount_unit_name = mountpoint[1:].replace('-', '\\x2d').replace('/', '-') + '.mount'
+        units[mount_unit_name] = {
+            'Unit': {
+                'Description': f"Mount left4dead2 server {name} overlay",
+                'Conflicts': {'umount.target'},
+                'Before': {'umount.target'},
+            },
+            'Mount': {
+                'What': 'overlay',
+                'Where': mountpoint,
+                'Type': 'overlay',
+                'Options': ','.join([
+                    'auto',
+                    'lowerdir=/opt/steam/left4dead2',
+                    f'upperdir=/opt/steam-zfs-overlay-workarounds/{name}/upper',
+                    f'workdir=/opt/steam-zfs-overlay-workarounds/{name}/workdir',
+                ]),
+            },
+            'Install': {
+                'RequiredBy': {
+                    f'left4dead2-{name}.service',
+                },
+            },
+        }
+
+        # individual workshop
+        workshop_ids = config.get('workshop', set()) | metadata.get('left4dead2/workshop', set())
+        if  workshop_ids:
+            workshop[f'left4dead2-{name}'] = {
+                'ids': workshop_ids,
+                'path': f'/opt/steam/left4dead2-servers/{name}/left4dead2/addons',
+                'user': 'steam',
+                'requires': {
+                    mount_unit_name,
+                },
+                'required_by': {
+                    f'left4dead2-{name}.service',
+                },
+            }
+
+        # left4dead2 server unit
+        units[f'left4dead2-{name}.service'] = {
            'Unit': {
                'Description': f'left4dead2 server {name}',
-                'After': 'network.target',
-                'Requires': 'steam-update.service',
+                'After': {'steam-update.service'},
+                'Requires': {'steam-update.service'},
            },
            'Service': {
                'User': 'steam',
                'Group': 'steam',
-                'WorkingDirectory': '/opt/left4dead2',
-                'ExecStart': f'/opt/left4dead2/srcds_run -port {config["port"]} -insecure +map {config["map"]} +exec server-{name}.cfg',
+                'WorkingDirectory': f'/opt/steam/left4dead2-servers/{name}',
+                'ExecStart': f'/opt/steam/left4dead2-servers/{name}/srcds_run -port {config["port"]} +exec server.cfg',
                'Restart': 'on-failure',
            },
            'Install': {
@ -83,7 +104,24 @@ def server_units(metadata):
        }

    return {
+        'steam-workshop-download': workshop,
        'systemd': {
            'units': units,
        },
    }
+
+
+@metadata_reactor.provides(
+    'nftables/input',
+)
+def firewall(metadata):
+    ports = set(str(server['port']) for server in metadata.get('left4dead2/servers').values())
+
+    return {
+        'nftables': {
+            'input': {
+                f"tcp dport {{ {', '.join(sorted(ports))} }} accept",
+                f"udp dport {{ {', '.join(sorted(ports))} }} accept",
+            },
+        },
+    }
--- a/bundles/letsencrypt/README.md
+++ b/bundles/letsencrypt/README.md
@ -1,6 +1,6 @@
 https://github.com/dehydrated-io/dehydrated/wiki/example-dns-01-nsupdate-script

-```
+```sh
 printf "server 127.0.0.1
 zone acme.resolver.name.
 update add _acme-challenge.ckn.li.acme.resolver.name. 600 IN TXT "hello"
--- a/bundles/letsencrypt/files/hook.sh
+++ b/bundles/letsencrypt/files/hook.sh
@ -4,7 +4,7 @@ set -o pipefail

 deploy_challenge() {
  echo "
-    server 10.0.11.3
+    server ${server}
    zone ${zone}.
    update add $1.${zone}. 60 IN TXT \"$3\"
    send
@ -13,7 +13,7 @@ deploy_challenge() {

 clean_challenge() {
  echo "
-    server 10.0.11.3
+    server ${server}
    zone ${zone}.
    update delete $1.${zone}. TXT
    send
@ -26,19 +26,23 @@ deploy_cert() {
  CERTFILE="$3"
  FULLCHAINFILE="$4"
  CHAINFILE="$5"
-  
+
  case $DOMAIN in
  % for domain, conf in sorted(domains.items()):
 <%   if not conf: continue %>\
    ${domain})
      % if conf.get('location', None):
-      cat "$KEYFILE" > "${conf['location']}/privkey.pem"
-      cat "$CERTFILE" > "${conf['location']}/cert.pem"
-      cat "$FULLCHAINFILE" > "${conf['location']}/fullchain.pem"
-      cat "$CHAINFILE" > "${conf['location']}/chain.pem"
+      cat "$KEYFILE" > "${conf['location']}/${conf.get('privkey_name', 'privkey.pem')}"
+      cat "$CERTFILE" > "${conf['location']}/${conf.get('cert_name', 'cert.pem')}"
+      cat "$FULLCHAINFILE" > "${conf['location']}/${conf.get('fullchain_name', 'fullchain.pem')}"
+      cat "$CHAINFILE" > "${conf['location']}/${conf.get('chain_name', 'chain.pem')}"
      % endif
      % if conf.get('owner', None):
-      chown ${conf['owner']} "${conf['location']}/privkey.pem" "${conf['location']}/cert.pem" "${conf['location']}/fullchain.pem" "${conf['location']}/chain.pem"
+      chown ${conf['owner']}:${conf.get('group', '')} \
+        "${conf['location']}/${conf.get('privkey_name', 'privkey.pem')}" \
+        "${conf['location']}/${conf.get('cert_name', 'cert.pem')}" \
+        "${conf['location']}/${conf.get('fullchain_name', 'fullchain.pem')}" \
+        "${conf['location']}/${conf.get('chain_name', 'chain.pem')}"
      % endif
      % for service in sorted(conf.get('reload', [])):
      systemctl reload-or-restart ${service}
--- a/bundles/letsencrypt/items.py
+++ b/bundles/letsencrypt/items.py
@ -56,6 +56,7 @@ for domain in node.metadata.get('letsencrypt/domains').keys():
        'unless': f'/etc/dehydrated/letsencrypt-ensure-some-certificate {domain} true',
        'needs': {
            'file:/etc/dehydrated/letsencrypt-ensure-some-certificate',
+            'pkg_apt:dehydrated',
        },
        'needed_by': {
            'svc_systemd:nginx',
--- a/bundles/linux/items.py
+++ b/bundles/linux/items.py
@ -0,0 +1,41 @@
+from shlex import quote
+
+def generate_sysctl_key_value_pairs_from_json(json_data, parents=[]):
+    if isinstance(json_data, dict):
+        for key, value in json_data.items():
+            yield from generate_sysctl_key_value_pairs_from_json(value, [*parents, key])
+    elif isinstance(json_data, list):
+        raise ValueError(f"List not supported: '{json_data}'")
+    else:
+        # If it's a leaf node, yield the path
+        yield (parents, json_data)
+
+key_value_pairs = generate_sysctl_key_value_pairs_from_json(node.metadata.get('sysctl'))
+
+
+files= {
+    '/etc/sysctl.conf': {
+        'content': '\n'.join(
+            sorted(
+                f"{'.'.join(path)}={value}"
+                    for path, value in key_value_pairs
+            ),
+        ),
+        'triggers': [
+            'svc_systemd:systemd-sysctl.service:restart',
+        ],
+    },
+}
+
+svc_systemd = {
+    'systemd-sysctl.service': {},
+}
+
+for path, value in key_value_pairs:
+    actions[f'reload_sysctl.conf_{path}'] = {
+        'command': f"sysctl --values {'.'.join(path)}  | grep -q {quote('^'+value+'$')}",
+        'needs': [
+            f'action:systemd-sysctl.service',
+            f'action:systemd-sysctl.service:restart',
+        ],
+    }
--- a/bundles/linux/metadata.py
+++ b/bundles/linux/metadata.py
@ -0,0 +1,3 @@
+defaults = {
+    'sysctl': {},
+}
--- a/bundles/locale/items.py
+++ b/bundles/locale/items.py
@ -20,18 +20,19 @@ files = {
 }

 actions = {
+    'systemd-locale': {
+        'command': f'localectl set-locale LANG="{default_locale}"',
+        'unless': f'localectl | grep -Fi "system locale" | grep -Fi "{default_locale}"',
+        'triggers': {
+            'action:locale-gen',
+        },
+    },
    'locale-gen': {
        'command': 'locale-gen',
        'triggered': True,
        'needs': {
            'pkg_apt:locales',
-        },
-    },
-    'systemd-locale': {
-        'command': f'localectl set-locale LANG="{default_locale}"',
-        'unless': f'localectl | grep -Fi "system locale" | grep -Fi "{default_locale}"',
-        'preceded_by': {
-            'action:locale-gen',
+            'action:systemd-locale',
        },
    },
 }
--- a/bundles/macbook/files/bundlewrap
+++ b/bundles/macbook/files/bundlewrap
@ -0,0 +1,6 @@
+#!/usr/bin/env bash
+
+cd "$OLDPWD"
+
+export BW_ITEM_WORKERS=$(expr "$(sysctl -n hw.logicalcpu)" '*' 12 '/' 10)
+export BW_NODE_WORKERS=$(expr 320 '/' "$BW_ITEM_WORKERS")
--- a/bundles/macbook/files/gnu
+++ b/bundles/macbook/files/gnu
@ -0,0 +1,6 @@
+#!/usr/bin/env bash
+
+cd "$OLDPWD"
+
+PATH_add "/opt/homebrew/opt/gnu-sed/libexec/gnubin"
+PATH_add "/opt/homebrew/opt/grep/libexec/gnubin"
--- a/bundles/macbook/files/macbook-update
+++ b/bundles/macbook/files/macbook-update
@ -0,0 +1,46 @@
+#!/bin/bash -l
+
+sudo tee /etc/pam.d/sudo << EOT
+# sudo: auth account password session
+auth       sufficient     pam_tid.so
+auth       sufficient     pam_smartcard.so
+auth       required       pam_opendirectory.so
+account    required       pam_permit.so
+password   required       pam_deny.so
+session    required       pam_permit.so
+EOT
+
+sudo xcodebuild -license accept
+xcode-select --install
+
+git -C ~/.zsh/oh-my-zsh pull
+
+brew upgrade
+brew upgrade --cask --greedy
+
+pyenv install --skip-existing
+
+sudo softwareupdate -ia --verbose
+
+if test "$(defaults read com.apple.dock autohide-time-modifier)" == 0.16
+then
+    defaults write com.apple.dock autohide-time-modifier -float 0.16
+    RESTART_DOCK=TRUE
+fi
+
+if test "$(defaults read com.apple.dock autohide-delay)" -ne 0
+then
+    defaults write com.apple.dock autohide-delay -float 0
+    RESTART_DOCK=TRUE
+fi
+
+if test "$RESTART_DOCK" = TRUE
+then
+    killall Dock
+fi
+
+sudo systemsetup -setremotelogin on # enable ssh
+
+pip install --upgrade pip
+
+# https://sysadmin-journal.com/apache-directory-studio-on-the-apple-m1/
--- a/bundles/macbook/files/pyenv
+++ b/bundles/macbook/files/pyenv
@ -0,0 +1,9 @@
+#!/usr/bin/env bash
+
+cd "$OLDPWD"
+
+if test -f .venv/bin/python && test "$(realpath .venv/bin/python)" != "$(realpath "$(pyenv which python)")"
+then
+  echo "rebuilding venv für new python version"
+  rm -rf .venv .pip_upgrade_timestamp
+fi
--- a/bundles/macbook/files/ssh
+++ b/bundles/macbook/files/ssh
@ -0,0 +1,3 @@
+#!/usr/bin/env bash
+
+cd "$OLDPWD"
--- a/bundles/macbook/files/venv
+++ b/bundles/macbook/files/venv
@ -0,0 +1,27 @@
+#!/usr/bin/env bash
+
+cd "$OLDPWD"
+
+python3 -m venv .venv
+source .venv/bin/activate
+PATH_add .venv/bin
+
+NOW=$(date +%s)
+if test -e .pip_upgrade_timestamp
+then
+  LAST=$(cat .pip_upgrade_timestamp)
+else
+  LAST=0
+fi
+DELTA=$(expr "$NOW" - "$LAST")
+echo "last pip upgrade $DELTA seconds ago"
+if test "$DELTA" -gt 86400
+then
+  python3 -m pip --require-virtualenv install pip wheel --upgrade
+  python3 -m pip --require-virtualenv install -r requirements.txt --upgrade
+  if test -e optional-requirements.txt
+  then
+    python3 -m pip --require-virtualenv install -r optional-requirements.txt --upgrade
+  fi
+  date +%s > .pip_upgrade_timestamp
+fi
--- a/bundles/macbook/files/zshrc
+++ b/bundles/macbook/files/zshrc
@ -0,0 +1,33 @@
+export PATH=~/.bin:$PATH
+export PATH=~/.cargo/bin:$PATH
+
+export ZSH=~/.zsh/oh-my-zsh
+export ZSH_HOSTNAME='sm'
+ZSH_THEME="bw"
+HIST_STAMPS="yyyy/mm/dd"
+plugins=(
+  zsh-autosuggestions
+  git
+)
+source $ZSH/oh-my-zsh.sh
+
+ulimit -S -n 24000
+
+antivir() {
+    printf 'scanning for viruses' && sleep 1 && printf '.' && sleep 1 && printf '.' && sleep 1 && printf '.' &&
+sleep 1 && echo '\nyour computer is safe!'
+}
+
+eval "$(rbenv init -)"
+eval "$(pyenv init -)"
+eval "$(direnv hook zsh)"
+eval "$(op completion zsh)"; compdef _op op
+
+# //S/M
+
+sshn() {
+    ssh "$(tr '.' ' ' <<< "$1" | tac -s ' ' | xargs | tr ' ' '.').smhss.de"
+}
+pingn() {
+    ping "$(tr '.' ' ' <<< "$1" | tac -s ' ' | xargs | tr ' ' '.').smhss.de"
+}
--- a/bundles/macbook/items.py
+++ b/bundles/macbook/items.py
@ -0,0 +1,47 @@
+# brew install
+
+actions['brew_install'] = {
+    'command': '/opt/homebrew/bin/brew install ' + ' '.join(node.metadata.get('brew')),
+    'unless': f"""PKGS=$(/opt/homebrew/bin/brew leaves); for p in {' '.join(node.metadata.get('brew'))}; do grep -q "$p" <<< $PKGS || exit 9; done"""
+}
+
+# bw init
+
+directories['/Users/mwiegand/.config/bundlewrap/lock'] = {}
+
+# home
+
+files['/Users/mwiegand/.zshrc'] = {
+    'source': 'zshrc',
+    'mode': '0644',
+}
+
+# updater
+
+files['/Users/mwiegand/.bin/macbook-update'] = {
+    'mode': '755',
+}
+
+with open(f'{repo.path}/bundles/zsh/files/bw.zsh-theme') as f:
+    files['/Users/mwiegand/.zsh/oh-my-zsh/themes/bw.zsh-theme'] = {
+        'content': f.read(),
+        'mode': '0644',
+    }
+
+# direnv
+
+directories['/Users/mwiegand/.local/share/direnv'] = {}
+files['/Users/mwiegand/.local/share/direnv/gnu'] = {}
+files['/Users/mwiegand/.local/share/direnv/pyenv'] = {}
+files['/Users/mwiegand/.local/share/direnv/venv'] = {}
+files['/Users/mwiegand/.local/share/direnv/bundlewrap'] = {}
+
+
+##################
+
+for element in [*files.values(), *directories.values()]:
+    element.update({
+        'owner': 'mwiegand',
+        'group': 'staff',
+        **element,
+    })
--- a/bundles/macbook/metadata.py
+++ b/bundles/macbook/metadata.py
@ -0,0 +1,3 @@
+defaults = {
+    'brew': {},
+}
--- a/bundles/mailserver-autoconfig/files/autodiscover.php
+++ b/bundles/mailserver-autoconfig/files/autodiscover.php
@ -1,6 +1,6 @@
 <?php

-// https://raw.githubusercontent.com/Radiergummi/autodiscover/master/autodiscover/autodiscover.php
+

 /********************************
 * Autodiscover responder
@ -8,45 +8,45 @@
 * This PHP script is intended to respond to any request to http(s)://mydomain.com/autodiscover/autodiscover.xml.
 * If configured properly, it will send a spec-complient autodiscover XML response, pointing mail clients to the
 * appropriate mail services.
- * If you use MAPI or ActiveSync, stick with the Autodiscover service your mail server provides for you. But if 
+ * If you use MAPI or ActiveSync, stick with the Autodiscover service your mail server provides for you. But if
 * you use POP/IMAP servers, this will provide autoconfiguration to Outlook, Apple Mail and mobile devices.
 *
- * To work properly, you'll need to set the service (sub)domains below in the settings section to the correct 
+ * To work properly, you'll need to set the service (sub)domains below in the settings section to the correct
 * domain names, adjust ports and SSL.
 */

-//get raw POST data so we can extract the email address
+
 $request = file_get_contents("php://input");

-// optional debug log
+
 # file_put_contents( 'request.log', $request, FILE_APPEND );

-// retrieve email address from client request
+
 preg_match( "/\<EMailAddress\>(.*?)\<\/EMailAddress\>/", $request, $email );

-// check for invalid mail, to prevent XSS
+
 if (filter_var($email[1], FILTER_VALIDATE_EMAIL) === false) {
 	throw new Exception('Invalid E-Mail provided');
 }

-// get domain from email address
+
 $domain = substr( strrchr( $email[1], "@" ), 1 );

 /**************************************
 *   Port and server settings below   *
 **************************************/

-// IMAP settings
+
 $imapServer = 'imap.' . $domain; // imap.example.com
 $imapPort   = 993;
 $imapSSL    = true;

-// SMTP settings
+
 $smtpServer = 'smtp.' . $domain; // smtp.example.com
 $smtpPort   = 587;
 $smtpSSL    = true;

-//set Content-Type
+
 header( 'Content-Type: application/xml' );
 ?>
 <?php echo '<?xml version="1.0" encoding="utf-8" ?>'; ?>
--- a/bundles/mailserver-autoconfig/metadata.py
+++ b/bundles/mailserver-autoconfig/metadata.py
@ -24,6 +24,7 @@ def nginx(metadata):
                    'context': {
                        'root': f"/var/www/{metadata.get('mailserver/autoconfig_hostname')}",
                    },
+                    'check_path': '/mail/config-v1.1.xml',
                },
            },
        },
@ -59,7 +60,7 @@ def letsencrypt(metadata):
 )
 def autoconfig(metadata):
    dns = {}
-    
+
    for domain in metadata.get('mailserver/domains'):
        dns.update({
            f'autoconfig.{domain}': {
@ -87,7 +88,7 @@ def autoconfig(metadata):
                'SRV': {f"0 1 993 {metadata.get('mailserver/hostname')}."},
            },
        })
-    
+
    return {
        'dns': dns,
    }
--- a/bundles/mailserver/README.md
+++ b/bundles/mailserver/README.md
@ -1 +1,12 @@
-echo -n 'WarumGehtDasNicht?' | argon2 FAPf+gTwqTRr+3H0cDktqw
+mailserver
+==========
+
+argin2 hashes
+-------------
+
+`echo -n 'WarumGehtDasNicht?' | argon2 FAPf+gTwqTRr+3H0cDktqw`
+
+logs
+----
+
+`journalctl -u postfix@-.service -u dovecot.service -u rspamd.service -o cat -f`
--- a/bundles/mailserver/metadata.py
+++ b/bundles/mailserver/metadata.py
@ -33,6 +33,12 @@ defaults = {
                'mountpoint': '/var/vmail',
                'compression': 'on',
            },
+            'tank/vmail/index': {
+                'mountpoint': '/var/vmail/index',
+                'compression': 'on',
+                'com.sun:auto-snapshot': 'false',
+                'backup': False,
+            },
        },
    },
 }
@ -43,12 +49,30 @@ defaults = {
 )
 def dns(metadata):
    dns = {}
-    
+
    for domain in metadata.get('mailserver/domains'):
        dns[domain] = {
            'MX': [f"5 {metadata.get('mailserver/hostname')}."],
            'TXT': ['v=spf1 a mx -all'],
        }
+        report_email = metadata.get('mailserver/dmarc_report_email')
+        dns[f'_dmarc.{domain}'] = {
+            'TXT': ['; '.join(f'{k}={v}' for k, v in {
+                # dmarc version
+                'v': 'DMARC1',
+                # reject on failure
+                'p': 'reject',
+                # standard reports
+                'rua': f'mailto:{report_email}',
+                # forensic reports
+                'fo': 1,
+                'ruf': f'mailto:{report_email}',
+                # require alignment between the DKIM domain and the parent Header From domain
+                'adkim': 's',
+                # require alignment between the SPF domain (the sender) and the Header From domain
+                'aspf': 's',
+            }.items())]
+        }

    return {
        'dns': dns,
@ -66,4 +90,4 @@ def letsencrypt(metadata):
                },
            },
        },
-    } 
+    }
--- a/bundles/mariadb/README.md
+++ b/bundles/mariadb/README.md
@ -0,0 +1 @@
+https://mariadb.com/kb/en/systemd/#configuring-mariadb-to-write-the-error-log-to-syslog
--- a/bundles/mariadb/files/override.conf
+++ b/bundles/mariadb/files/override.conf
@ -0,0 +1,11 @@
+% for section, options in sorted(conf.items()):
+[${section}]
+% for key, value in sorted(options.items()):
+% if value is None:
+${key}
+% else:
+${key} = ${value}
+% endif
+% endfor
+
+% endfor
--- a/bundles/mariadb/items.py
+++ b/bundles/mariadb/items.py
@ -0,0 +1,91 @@
+from shlex import quote
+
+def mariadb(sql, **kwargs):
+    kwargs_string = ''.join(f" --{k} {v}" for k, v in kwargs.items())
+    return f"mariadb{kwargs_string} -Bsr --execute {quote(sql)}"
+
+directories = {
+    '/var/lib/mysql': {
+        'owner': 'mysql',
+        'group': 'mysql',
+        'needs': [
+            'zfs_dataset:tank/mariadb',
+        ],
+        'needed_by': [
+            'pkg_apt:mariadb-server',
+            'pkg_apt:mariadb-client',
+        ],
+    },
+}
+
+files = {
+    '/etc/mysql/conf.d/override.conf': {
+        'context': {
+            'conf': node.metadata.get('mariadb/conf'),
+        },
+        'content_type': 'mako',
+    },
+}
+
+svc_systemd = {
+    'mariadb.service': {
+        'needs': [
+            'pkg_apt:mariadb-server',
+            'pkg_apt:mariadb-client',
+        ],
+    },
+}
+
+actions = {
+    'mariadb_sec_remove_anonymous_users': {
+        'command': mariadb("DELETE FROM mysql.global_priv WHERE User=''"),
+        'unless': mariadb("SELECT count(0) FROM mysql.global_priv WHERE User = ''") + " | grep -q '^0$'",
+        'needs': [
+            'svc_systemd:mariadb.service',
+        ],
+        'triggers': [
+            'svc_systemd:mariadb.service:restart',
+        ],
+    },
+    'mariadb_sec_remove_remote_root': {
+        'command': mariadb("DELETE FROM mysql.global_priv WHERE User='root' AND Host NOT IN ('localhost', '127.0.0.1', '::1')"),
+        'unless': mariadb("SELECT count(0) FROM mysql.global_priv WHERE User='root' AND Host NOT IN ('localhost', '127.0.0.1', '::1')") + " | grep -q '^0$'",
+        'needs': [
+            'svc_systemd:mariadb.service',
+        ],
+        'triggers': [
+            'svc_systemd:mariadb.service:restart',
+        ],
+    },
+}
+
+for db, conf in node.metadata.get('mariadb/databases', {}).items():
+    actions[f'mariadb_create_database_{db}'] = {
+        'command': mariadb(f"CREATE DATABASE {db}"),
+        'unless': mariadb(f"SHOW DATABASES LIKE '{db}'") + f" | grep -q '^{db}$'",
+        'needs': [
+            'svc_systemd:mariadb.service',
+        ],
+    }
+    actions[f'mariadb_user_{db}_create'] = {
+        'command': mariadb(f"CREATE USER {db}"),
+        'unless': mariadb(f"SELECT User FROM mysql.user WHERE User = '{db}'") + f" | grep -q '^{db}$'",
+        'needs': [
+            f'action:mariadb_create_database_{db}',
+        ],
+    }
+    pw = conf['password']
+    actions[f'mariadb_user_{db}_password'] = {
+        'command': mariadb(f"SET PASSWORD FOR {db} = PASSWORD('{conf['password']}')"),
+        'unless': f'echo {quote(pw)} | mariadb -u {db} -e quit -p',
+        'needs': [
+            f'action:mariadb_user_{db}_create',
+        ],
+    }
+    actions[f'mariadb_grant_privileges_to_{db}'] = {
+        'command': mariadb(f"GRANT ALL PRIVILEGES ON {db}.* TO '{db}'", database=db),
+        'unless': mariadb(f"SHOW GRANTS FOR {db}") + f" | grep -q '^GRANT ALL PRIVILEGES ON `{db}`.* TO `{db}`@`%`'",
+        'needs': [
+            f'action:mariadb_user_{db}_create',
+        ],
+    }
--- a/bundles/mariadb/metadata.py
+++ b/bundles/mariadb/metadata.py
@ -0,0 +1,45 @@
+defaults = {
+    'apt': {
+        'packages': {
+            'mariadb-server': {
+                'needs': {
+                    'zfs_dataset:tank/mariadb',
+                },
+            },
+            'mariadb-client': {
+                'needs': {
+                    'zfs_dataset:tank/mariadb',
+                },
+            },
+        },
+    },
+    'mariadb': {
+        'databases': {},
+        'conf': {
+            # https://www.reddit.com/r/zfs/comments/u1xklc/mariadbmysql_database_settings_for_zfs
+            'mysqld': {
+                'skip-innodb_doublewrite': None,
+                'innodb_flush_method': 'fsync',
+                'innodb_doublewrite': '0',
+                'innodb_use_atomic_writes': '0',
+                'innodb_use_native_aio': '0',
+                'innodb_read_io_threads': '10',
+                'innodb_write_io_threads': '10',
+                'innodb_buffer_pool_size': '26G',
+                'innodb_flush_log_at_trx_commit': '1',
+                'innodb_log_file_size': '1G',
+                'innodb_flush_neighbors': '0',
+                'innodb_fast_shutdown': '2',
+            },
+        },
+    },
+    'zfs': {
+        'datasets': {
+            'tank/mariadb': {
+                'mountpoint': '/var/lib/mysql',
+                'recordsize': '16384',
+                'atime': 'off',
+            },
+        },
+    },
+}
--- a/Show more
+++ b/Show more
				`@ -0,0 +1 @@`
				`object NotificationComponent "notification" { }`
				`@ -0,0 +1 @@`
				`https://mariadb.com/kb/en/systemd/#configuring-mariadb-to-write-the-error-log-to-syslog`