cronekorkn/bundlewrap
1
0
Fork 0
Code Issues Pull requests 8 Projects Releases Wiki Activity

Compare commits

base: cronekorkn:master
Branches Tags
cronekorkn:master
cronekorkn:n8n
cronekorkn:router
cronekorkn:freescout
cronekorkn:homeassistant-supervised
cronekorkn:conflecttest
cronekorkn:wp
cronekorkn:rufbereitschafts-alarm
cronekorkn:dnssec_2
cronekorkn:dnssec
cronekorkn:apt_sources_as_dict
cronekorkn:wordpress
cronekorkn:iperf3
cronekorkn:picsort-pythoon
cronekorkn:network_metadata_rework
cronekorkn:blog_dirty
cronekorkn:blog
cronekorkn:icinga2_notifications
cronekorkn:icinga_neumachen
cronekorkn:nextcloud_conf_in_metadata
cronekorkn:mastodon
cronekorkn:rtmp
cronekorkn:deterministic_rsa
cronekorkn:deterministic_rsa_test
cronekorkn:left4dead2
cronekorkn:temp130752653
cronekorkn:zfs_encrypt
cronekorkn:icingaweb
cronekorkn:ldap
cronekorkn:icinga2_remote_2
cronekorkn:icinga2_local
cronekorkn:icinga
cronekorkn:icinga2_remote
cronekorkn:modprobe
cronekorkn:autoconfig
cronekorkn:basic_auth
cronekorkn:crystal-buildserver
cronekorkn:build_Server
cronekorkn:cya_hetzner
cronekorkn:dns_challenge3
cronekorkn:dns_challenge2
cronekorkn:dns_challenge
cronekorkn:gpiod
cronekorkn:multi-redis
cronekorkn:l4d2
cronekorkn:wireguard_clients
cronekorkn:alles_sets
cronekorkn:hdict
cronekorkn:all_units
cronekorkn:unitbug_isolation
cronekorkn:whatsbroken
cronekorkn:minimal_mailserver
..
compare: cronekorkn:freescout
Branches Tags
cronekorkn:master
cronekorkn:n8n
cronekorkn:router
cronekorkn:freescout
cronekorkn:homeassistant-supervised
cronekorkn:conflecttest
cronekorkn:wp
cronekorkn:rufbereitschafts-alarm
cronekorkn:dnssec_2
cronekorkn:dnssec
cronekorkn:apt_sources_as_dict
cronekorkn:wordpress
cronekorkn:iperf3
cronekorkn:picsort-pythoon
cronekorkn:network_metadata_rework
cronekorkn:blog_dirty
cronekorkn:blog
cronekorkn:icinga2_notifications
cronekorkn:icinga_neumachen
cronekorkn:nextcloud_conf_in_metadata
cronekorkn:mastodon
cronekorkn:rtmp
cronekorkn:deterministic_rsa
cronekorkn:deterministic_rsa_test
cronekorkn:left4dead2
cronekorkn:temp130752653
cronekorkn:zfs_encrypt
cronekorkn:icingaweb
cronekorkn:ldap
cronekorkn:icinga2_remote_2
cronekorkn:icinga2_local
cronekorkn:icinga
cronekorkn:icinga2_remote
cronekorkn:modprobe
cronekorkn:autoconfig
cronekorkn:basic_auth
cronekorkn:crystal-buildserver
cronekorkn:build_Server
cronekorkn:cya_hetzner
cronekorkn:dns_challenge3
cronekorkn:dns_challenge2
cronekorkn:dns_challenge
cronekorkn:gpiod
cronekorkn:multi-redis
cronekorkn:l4d2
cronekorkn:wireguard_clients
cronekorkn:alles_sets
cronekorkn:hdict
cronekorkn:all_units
cronekorkn:unitbug_isolation
cronekorkn:whatsbroken
cronekorkn:minimal_mailserver

6 commits
master ... freescout

Author SHA1 Message Date
cronekorkn
28568320f1
freescout 2024-08-30 09:41:54 +02:00
cronekorkn
e39deddf7c
wip 2024-08-20 18:03:39 +02:00
cronekorkn
12c5b86cc5
wip 2024-08-20 18:03:39 +02:00
cronekorkn
c63e56975c
wip 2024-08-20 18:03:39 +02:00
cronekorkn
f74dbc6539
wip 2024-08-20 18:03:39 +02:00
cronekorkn
1221b68642
wip 2024-08-20 18:03:37 +02:00
47 changed files with 222 additions and 532 deletions
Show stats Expand all files Collapse all files

9
README.md
View file

@ -37,12 +37,3 @@ fi
telegraf: execd for daemons
TEST
# git signing
git config --global gpg.format ssh
git config --global commit.gpgsign true
git config user.name CroneKorkN
git config user.email i@ckn.li
git config user.signingkey "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILMVroYmswD4tLk6iH+2tvQiyaMe42yfONDsPDIdFv6I"

2
bin/upgrade_and_restart_all
View file

@ -23,7 +23,7 @@ for node in nodes:
print(node.run('DEBIAN_FRONTEND=noninteractive apt update').stdout.decode())
print(node.run('DEBIAN_FRONTEND=noninteractive apt list --upgradable').stdout.decode())
if int(node.run('DEBIAN_FRONTEND=noninteractive apt list --upgradable 2> /dev/null | grep upgradable | wc -l').stdout.decode()):
print(node.run('DEBIAN_FRONTEND=noninteractive apt -qy full-upgrade').stdout.decode())
print(node.run('DEBIAN_FRONTEND=noninteractive apt -y dist-upgrade').stdout.decode())
# REBOOT IN ORDER

20
bundles/backup/files/backup_all
View file

@ -1,31 +1,13 @@
#!/bin/bash
set -u
set -exu
# FIXME: inelegant
% if wol_command:
${wol_command}
% endif
exit=0
failed_paths=""
for path in $(jq -r '.paths | .[]' < /etc/backup/config.json)
do
echo backing up $path
/opt/backup/backup_path "$path"
# set exit to 1 if any backup fails
if [ $? -ne 0 ]
then
echo ERROR: backing up $path failed >&2
exit=5
failed_paths="$failed_paths $path"
fi
done
if [ $exit -ne 0 ]
then
echo "ERROR: failed to backup paths: $failed_paths" >&2
fi
exit $exit

2
bundles/backup/files/backup_path_via_zfs
View file

@ -1,6 +1,6 @@
#!/bin/bash
set -eu
set -exu
path=$1
uuid=$(jq -r .client_uuid < /etc/backup/config.json)

10
bundles/freescout/README.md
View file

@ -11,13 +11,3 @@ Enter it again:
freescout=#
\q
```
# problems
# check if /opt/freescout/.env is resettet
# ckeck `psql -h localhost -d freescout -U freescout -W`with pw from .env
# chown -R www-data:www-data /opt/freescout
# sudo su - www-data -c 'php /opt/freescout/artisan freescout:clear-cache' -s /bin/bash
# javascript funny? `sudo su - www-data -c 'php /opt/freescout/artisan storage:link' -s /bin/bash`
# benutzer bilder weg? aus dem backup holen: `/opt/freescout/.zfs/snapshot/zfs-auto-snap_hourly-2024-11-22-1700/storage/app/public/users` `./customers`

58
bundles/freescout/items.py
View file

@ -12,39 +12,35 @@ directories = {
}
actions = {
# 'clone_freescout': {
# 'command': run_as('www-data', 'git clone https://github.com/freescout-helpdesk/freescout.git /opt/freescout'),
# 'unless': 'test -e /opt/freescout/.git',
# 'needs': [
# 'pkg_apt:git',
# 'directory:/opt/freescout',
# ],
# },
# 'pull_freescout': {
# 'command': run_as('www-data', 'git -C /opt/freescout fetch origin dist && git -C /opt/freescout reset --hard origin/dist && git -C /opt/freescout clean -f'),
# 'unless': run_as('www-data', 'git -C /opt/freescout fetch origin && git -C /opt/freescout status -uno | grep -q "Your branch is up to date"'),
# 'needs': [
# 'action:clone_freescout',
# ],
# 'triggers': [
# 'action:freescout_artisan_update',
# f'svc_systemd:php{php_version}-fpm.service:restart',
# ],
# },
# 'freescout_artisan_update': {
# 'command': run_as('www-data', 'php /opt/freescout/artisan freescout:after-app-update'),
# 'triggered': True,
# 'needs': [
# f'svc_systemd:php{php_version}-fpm.service:restart',
# 'action:pull_freescout',
# ],
# },
'clone_freescout': {
'command': run_as('www-data', 'git clone https://github.com/freescout-helpdesk/freescout.git /opt/freescout'),
'unless': 'test -e /opt/freescout/.git',
'needs': [
'pkg_apt:git',
'directory:/opt/freescout',
],
},
'pull_freescout': {
'command': run_as('www-data', 'git -C /opt/freescout fetch origin dist && git -C /opt/freescout reset --hard origin/dist && git -C /opt/freescout clean -f'),
'unless': run_as('www-data', 'git -C /opt/freescout fetch origin && git -C /opt/freescout status -uno | grep -q "Your branch is up to date"'),
'needs': [
'action:clone_freescout',
],
'triggers': [
'action:freescout_artisan_update',
f'svc_systemd:php{php_version}-fpm.service:restart',
],
},
'freescout_artisan_update': {
'command': run_as('www-data', 'php /opt/freescout/artisan freescout:after-app-update'),
'triggered': True,
'needs': [
f'svc_systemd:php{php_version}-fpm.service:restart',
'action:pull_freescout',
],
},
}
# svc_systemd = {
# f'freescout-cron.service': {},
# }
# files = {
# '/opt/freescout/.env': {
# # https://github.com/freescout-helpdesk/freescout/blob/dist/.env.example

25
bundles/freescout/metadata.py
View file

@ -53,31 +53,10 @@ defaults = {
},
},
},
# 'systemd': {
# 'units': {
# f'freescout-cron.service': {
# 'Unit': {
# 'Description': 'Freescout Cron',
# 'After': 'network.target',
# },
# 'Service': {
# 'User': 'www-data',
# 'Nice': 10,
# 'ExecStart': f"/usr/bin/php /opt/freescout/artisan schedule:run"
# },
# 'Install': {
# 'WantedBy': {
# 'multi-user.target'
# }
# },
# }
# },
# },
'systemd-timers': {
'freescout-cron': {
'command': '/usr/bin/php /opt/freescout/artisan schedule:run',
'when': '*-*-* *:*:00',
'RuntimeMaxSec': '180',
'when': 'Minutely',
'user': 'www-data',
},
},
@ -91,8 +70,6 @@ defaults = {
}
@metadata_reactor.provides(
'freescout/env/APP_URL',
)

5
bundles/grafana/items.py
View file

@ -26,10 +26,7 @@ actions['reset_grafana_admin_password'] = {
directories = {
'/etc/grafana': {},
'/etc/grafana/provisioning': {
'owner': 'grafana',
'group': 'grafana',
},
'/etc/grafana/provisioning': {},
'/etc/grafana/provisioning/datasources': {
'purge': True,
},

2
bundles/homeassistant-supervised/README.md
View file

@ -19,5 +19,3 @@ dann bw drüberbügeln
https://www.home-assistant.io/integrations/http/#ssl_certificate
`wget "$(curl -L https://api.github.com/repos/home-assistant/supervised-installer/releases/latest | jq -r '.assets[0].browser_download_url')" -O homeassistant-supervised.deb && dpkg -i homeassistant-supervised.deb`

8
bundles/icinga2/files/conf.d/notifications.conf
View file

@ -13,9 +13,9 @@ apply Notification "mail-icingaadmin" to Host {
user_groups = host.vars.notification.mail.groups
users = host.vars.notification.mail.users
//interval = 2h
//vars.notification_logtosyslog = true
assign where host.vars.notification.mail
}
@ -25,9 +25,9 @@ apply Notification "mail-icingaadmin" to Service {
user_groups = host.vars.notification.mail.groups
users = host.vars.notification.mail.users
//interval = 2h
//vars.notification_logtosyslog = true
assign where host.vars.notification.mail
}

21
bundles/kea-dhcpd/items.py
View file

@ -1,21 +0,0 @@
from json import dumps
from bundlewrap.metadata import MetadataJSONEncoder
files = {
'/etc/kea/kea-dhcp4.conf': {
'content': dumps(node.metadata.get('kea'), indent=4, sort_keys=True, cls=MetadataJSONEncoder),
'triggers': [
'svc_systemd:kea-dhcp4-server:restart',
],
},
}
svc_systemd = {
'kea-dhcp4-server': {
'needs': [
'pkg_apt:kea-dhcp4-server',
'file:/etc/kea/kea-dhcp4.conf',
'svc_systemd:systemd-networkd:restart',
],
},
}

96
bundles/kea-dhcpd/metadata.py
View file

@ -1,96 +0,0 @@
from ipaddress import ip_interface, ip_network
hashable = repo.libs.hashable.hashable
defaults = {
'apt': {
'packages': {
'kea-dhcp4-server': {},
},
},
'kea': {
'Dhcp4': {
'interfaces-config': {
'interfaces': set(),
},
'lease-database': {
'type': 'memfile',
'lfc-interval': 3600
},
'subnet4': set(),
'loggers': set([
hashable({
'name': 'kea-dhcp4',
'output_options': [
{
'output': 'syslog',
}
],
'severity': 'INFO',
}),
]),
},
},
}
@metadata_reactor.provides(
'kea/Dhcp4/interfaces-config/interfaces',
'kea/Dhcp4/subnet4',
)
def subnets(metadata):
subnet4 = set()
interfaces = set()
reservations = set(
hashable({
'hw-address': network_conf['mac'],
'ip-address': str(ip_interface(network_conf['ipv4']).ip),
})
for other_node in repo.nodes
for network_conf in other_node.metadata.get('network', {}).values()
if 'mac' in network_conf
)
for network_name, network_conf in metadata.get('network').items():
dhcp_server_config = network_conf.get('dhcp_server_config', None)
if dhcp_server_config:
_network = ip_network(dhcp_server_config['subnet'])
subnet4.add(hashable({
'subnet': dhcp_server_config['subnet'],
'pools': [
{
'pool': f'{dhcp_server_config['pool_from']} - {dhcp_server_config['pool_to']}',
},
],
'option-data': [
{
'name': 'routers',
'data': dhcp_server_config['router'],
},
{
'name': 'domain-name-servers',
'data': '10.0.10.2',
},
],
'reservations': set(
reservation
for reservation in reservations
if ip_interface(reservation['ip-address']).ip in _network
),
}))
interfaces.add(network_conf.get('interface', network_name))
return {
'kea': {
'Dhcp4': {
'interfaces-config': {
'interfaces': interfaces,
},
'subnet4': subnet4,
},
},
}

18
bundles/left4dead2/files/server.cfg
View file

@ -1,36 +1,36 @@
hostname "CroneKorkN : ${name}"
sv_contact "admin@sublimity.de"
// assign serevr to steam group
sv_steamgroup "${','.join(steamgroups)}"
rcon_password "${rcon_password}"
// no annoying message of the day
motd_enabled 0
// enable cheats
sv_cheats 1
// allow inconsistent files on clients (weapon mods for example)
sv_consistency 0
// connect from internet
sv_lan 0
// join game at any point
sv_allow_lobby_connect_only 0
// allowed modes
sv_gametypes "coop,realism,survival,versus,teamversus,scavenge,teamscavenge"
// network
sv_minrate 30000
sv_maxrate 60000
sv_mincmdrate 66
sv_maxcmdrate 101
// logging
sv_logsdir "logs-${name}" //Folder in the game directory where server logs will be stored.
log on //Creates a logfile (on | off)
sv_logecho 0 //default 0; Echo log information to the console.

1
bundles/letsencrypt/items.py
View file

@ -56,7 +56,6 @@ for domain in node.metadata.get('letsencrypt/domains').keys():
'unless': f'/etc/dehydrated/letsencrypt-ensure-some-certificate {domain} true',
'needs': {
'file:/etc/dehydrated/letsencrypt-ensure-some-certificate',
'pkg_apt:dehydrated',
},
'needed_by': {
'svc_systemd:nginx',

41
bundles/linux/items.py
View file

@ -1,41 +0,0 @@
from shlex import quote
def generate_sysctl_key_value_pairs_from_json(json_data, parents=[]):
if isinstance(json_data, dict):
for key, value in json_data.items():
yield from generate_sysctl_key_value_pairs_from_json(value, [*parents, key])
elif isinstance(json_data, list):
raise ValueError(f"List not supported: '{json_data}'")
else:
# If it's a leaf node, yield the path
yield (parents, json_data)
key_value_pairs = generate_sysctl_key_value_pairs_from_json(node.metadata.get('sysctl'))
files= {
'/etc/sysctl.conf': {
'content': '\n'.join(
sorted(
f"{'.'.join(path)}={value}"
for path, value in key_value_pairs
),
),
'triggers': [
'svc_systemd:systemd-sysctl.service:restart',
],
},
}
svc_systemd = {
'systemd-sysctl.service': {},
}
for path, value in key_value_pairs:
actions[f'reload_sysctl.conf_{path}'] = {
'command': f"sysctl --values {'.'.join(path)} | grep -q {quote('^'+value+'$')}",
'needs': [
f'action:systemd-sysctl.service',
f'action:systemd-sysctl.service:restart',
],
}

3
bundles/linux/metadata.py
View file

@ -1,3 +0,0 @@
defaults = {
'sysctl': {},
}

2
bundles/macbook/files/bundlewrap
View file

@ -2,5 +2,5 @@
cd "$OLDPWD"
export BW_ITEM_WORKERS=$(expr "$(sysctl -n hw.logicalcpu)" '*' 12 '/' 10)
export BW_ITEM_WORKERS=$(expr "$(nproc)" '*' 12 '/' 10)
export BW_NODE_WORKERS=$(expr 320 '/' "$BW_ITEM_WORKERS")

6
bundles/macbook/files/gnu
View file

@ -2,5 +2,7 @@
cd "$OLDPWD"
PATH_add "/opt/homebrew/opt/gnu-sed/libexec/gnubin"
PATH_add "/opt/homebrew/opt/grep/libexec/gnubin"
GNU_PATH="$HOME/.local/gnu_bin"
mkdir -p "$GNU_PATH"
test -f "$GNU_PATH/sed" || ln -s "$(which gsed)" "$GNU_PATH/sed"
PATH_add "$GNU_PATH"

2
bundles/macbook/files/macbook-update
View file

@ -18,7 +18,7 @@ git -C ~/.zsh/oh-my-zsh pull
brew upgrade
brew upgrade --cask --greedy
pyenv install --skip-existing
pyenv install --keep-existing
sudo softwareupdate -ia --verbose

22
bundles/mailserver-autoconfig/files/autodiscover.php
View file

@ -1,6 +1,6 @@
<?php
// https://raw.githubusercontent.com/Radiergummi/autodiscover/master/autodiscover/autodiscover.php
/********************************
* Autodiscover responder
@ -8,45 +8,45 @@
* This PHP script is intended to respond to any request to http(s)://mydomain.com/autodiscover/autodiscover.xml.
* If configured properly, it will send a spec-complient autodiscover XML response, pointing mail clients to the
* appropriate mail services.
* If you use MAPI or ActiveSync, stick with the Autodiscover service your mail server provides for you. But if
* If you use MAPI or ActiveSync, stick with the Autodiscover service your mail server provides for you. But if
* you use POP/IMAP servers, this will provide autoconfiguration to Outlook, Apple Mail and mobile devices.
*
* To work properly, you'll need to set the service (sub)domains below in the settings section to the correct
* To work properly, you'll need to set the service (sub)domains below in the settings section to the correct
* domain names, adjust ports and SSL.
*/
//get raw POST data so we can extract the email address
$request = file_get_contents("php://input");
// optional debug log
# file_put_contents( 'request.log', $request, FILE_APPEND );
// retrieve email address from client request
preg_match( "/\<EMailAddress\>(.*?)\<\/EMailAddress\>/", $request, $email );
// check for invalid mail, to prevent XSS
if (filter_var($email[1], FILTER_VALIDATE_EMAIL) === false) {
throw new Exception('Invalid E-Mail provided');
}
// get domain from email address
$domain = substr( strrchr( $email[1], "@" ), 1 );
/**************************************
* Port and server settings below *
**************************************/
// IMAP settings
$imapServer = 'imap.' . $domain; // imap.example.com
$imapPort = 993;
$imapSSL = true;
// SMTP settings
$smtpServer = 'smtp.' . $domain; // smtp.example.com
$smtpPort = 587;
$smtpSSL = true;
//set Content-Type
header( 'Content-Type: application/xml' );
?>
<?php echo '<?xml version="1.0" encoding="utf-8" ?>'; ?>

2
bundles/mariadb/items.py
View file

@ -13,7 +13,6 @@ directories = {
],
'needed_by': [
'pkg_apt:mariadb-server',
'pkg_apt:mariadb-client',
],
},
}
@ -31,7 +30,6 @@ svc_systemd = {
'mariadb.service': {
'needs': [
'pkg_apt:mariadb-server',
'pkg_apt:mariadb-client',
],
},
}

11
bundles/mariadb/metadata.py
View file

@ -1,16 +1,7 @@
defaults = {
'apt': {
'packages': {
'mariadb-server': {
'needs': {
'zfs_dataset:tank/mariadb',
},
},
'mariadb-client': {
'needs': {
'zfs_dataset:tank/mariadb',
},
},
'mariadb-server': {},
},
},
'mariadb': {

73
bundles/network/metadata.py
View file

@ -5,89 +5,38 @@ defaults = {
}
@metadata_reactor.provides(
'network',
)
def dhcp(metadata):
networks = {}
for network_name, network_conf in metadata.get('network').items():
_interface = ip_interface(network_conf['ipv4'])
_ip = _interface.ip
_network = _interface.network
_hosts = list(_network.hosts())
if network_conf.get('dhcp_server', False):
networks[network_name] = {
'dhcp_server_config': {
'subnet': str(_network),
'pool_from': str(_hosts[len(_hosts)//2]),
'pool_to': str(_hosts[-3]),
'router': str(_ip),
'domain-name-servers': str(_ip),
}
}
return {
'network': networks,
}
@metadata_reactor.provides(
'systemd/units',
)
def units(metadata):
units = {}
for network_name, network_conf in metadata.get('network').items():
interface_type = network_conf.get('type', None)
# network
units[f'{network_name}.network'] = {
for type, network in metadata.get('network').items():
units[f'{type}.network'] = {
'Match': {
'Name': network_name if interface_type == 'vlan' else network_conf['interface'],
'Name': network['interface'],
},
'Network': {
'DHCP': network_conf.get('dhcp', 'no'),
'IPv6AcceptRA': network_conf.get('dhcp', 'no'),
'VLAN': set(network_conf.get('vlans', set()))
'DHCP': network.get('dhcp', 'no'),
'IPv6AcceptRA': network.get('dhcp', 'no'),
}
}
# type
if interface_type:
units[f'{network_name}.network']['Match']['Type'] = interface_type
# ips
for i in [4, 6]:
if network_conf.get(f'ipv{i}', None):
units[f'{network_name}.network'].update({
if network.get(f'ipv{i}', None):
units[f'{type}.network'].update({
f'Address#ipv{i}': {
'Address': network_conf[f'ipv{i}'],
'Address': network[f'ipv{i}'],
},
})
if f'gateway{i}' in network_conf:
units[f'{network_name}.network'].update({
if f'gateway{i}' in network:
units[f'{type}.network'].update({
f'Route#ipv{i}': {
'Gateway': network_conf[f'gateway{i}'],
'Gateway': network[f'gateway{i}'],
'GatewayOnlink': 'yes',
}
})
# as vlan
if interface_type == 'vlan':
units[f"{network_name}.netdev"] = {
'NetDev': {
'Name': network_name,
'Kind': 'vlan',
},
'VLAN': {
'Id': network_conf['id'],
}
}
return {
'systemd': {

4
bundles/nginx/files/nginx.conf
View file

@ -1,6 +1,6 @@
pid /var/run/nginx.pid;
user www-data;
worker_processes ${worker_processes};
worker_processes 10;
% for module in sorted(modules):
load_module modules/ngx_${module}_module.so;
@ -22,8 +22,6 @@ http {
tcp_nopush on;
client_max_body_size 32G;
ssl_dhparam "/etc/ssl/certs/dhparam.pem";
# dont show nginx version
server_tokens off;
% if node.has_bundle('php'):
upstream php-handler {

1
bundles/nginx/items.py
View file

@ -32,7 +32,6 @@ files = {
'content_type': 'mako',
'context': {
'modules': node.metadata.get('nginx/modules'),
'worker_processes': node.metadata.get('vm/cores'),
},
'triggers': {
'svc_systemd:nginx:restart',

4
bundles/postfix/items.py
View file

@ -86,8 +86,6 @@ if node.has_bundle('telegraf'):
'needs': [
'pkg_apt:acl',
'svc_systemd:postfix',
'svc_systemd:postfix:reload',
'svc_systemd:postfix:restart',
],
}
actions['postfix_setfacl_default_telegraf'] = {
@ -96,7 +94,5 @@ if node.has_bundle('telegraf'):
'needs': [
'pkg_apt:acl',
'svc_systemd:postfix',
'svc_systemd:postfix:reload',
'svc_systemd:postfix:restart',
],
}

6
bundles/postgresql/metadata.py
View file

@ -6,11 +6,7 @@ root_password = repo.vault.password_for(f'{node.name} postgresql root')
defaults = {
'apt': {
'packages': {
'postgresql': {
'needs': {
'zfs_dataset:tank/postgresql',
},
},
'postgresql': {},
},
},
'backup': {

64
bundles/roundcube/files/config.inc.php
View file

@ -6,16 +6,80 @@ $config['enable_installer'] = true;
/* Local configuration for Roundcube Webmail */
// ----------------------------------
// SQL DATABASE
// ----------------------------------
// Database connection string (DSN) for read+write operations
// Format (compatible with PEAR MDB2): db_provider://user:password@host/database
// Currently supported db_providers: mysql, pgsql, sqlite, mssql or sqlsrv
// For examples see http://pear.php.net/manual/en/package.database.mdb2.intro-dsn.php
// NOTE: for SQLite use absolute path: 'sqlite:////full/path/to/sqlite.db?mode=0646'
$config['db_dsnw'] = '${database['provider']}://${database['user']}:${database['password']}@${database['host']}/${database['name']}';
// ----------------------------------
// IMAP
// ----------------------------------
// The mail host chosen to perform the log-in.
// Leave blank to show a textbox at login, give a list of hosts
// to display a pulldown menu or set one host as string.
// To use SSL/TLS connection, enter hostname with prefix ssl:// or tls://
// Supported replacement variables:
// %n - hostname ($_SERVER['SERVER_NAME'])
// %t - hostname without the first part
// %d - domain (http hostname $_SERVER['HTTP_HOST'] without the first part)
// %s - domain name after the '@' from e-mail address provided at login screen
// For example %n = mail.domain.tld, %t = domain.tld
// WARNING: After hostname change update of mail_host column in users table is
// required to match old user data records with the new host.
$config['imap_host'] = 'localhost';
// ----------------------------------
// SMTP
// ----------------------------------
// SMTP server host (for sending mails).
// To use SSL/TLS connection, enter hostname with prefix ssl:// or tls://
// If left blank, the PHP mail() function is used
// Supported replacement variables:
// %h - user's IMAP hostname
// %n - hostname ($_SERVER['SERVER_NAME'])
// %t - hostname without the first part
// %d - domain (http hostname $_SERVER['HTTP_HOST'] without the first part)
// %z - IMAP domain (IMAP hostname without the first part)
// For example %n = mail.domain.tld, %t = domain.tld
$config['smtp_host'] = 'tls://localhost';
// SMTP username (if required) if you use %u as the username Roundcube
// will use the current username for login
$config['smtp_user'] = '%u';
// SMTP password (if required) if you use %p as the password Roundcube
// will use the current user's password for login
$config['smtp_pass'] = '%p';
// provide an URL where a user can get support for this Roundcube installation
// PLEASE DO NOT LINK TO THE ROUNDCUBE.NET WEBSITE HERE!
$config['support_url'] = '';
// this key is used to encrypt the users imap password which is stored
// in the session record (and the client cookie if remember password is enabled).
// please provide a string of exactly 24 chars.
$config['des_key'] = '${des_key}';
// Name your service. This is displayed on the login screen and in the window title
$config['product_name'] = '${product_name}';
// ----------------------------------
// PLUGINS
// ----------------------------------
// List of active plugins (in plugins/ directory)
$config['plugins'] = array(${', '.join(f'"{plugin}"' for plugin in plugins)});
// the default locale setting (leave empty for auto-detection)
// RFC1766 formatted language name like en_US, de_DE, de_CH, fr_FR, pt_BR
$config['language'] = 'de_DE';
// https://serverfault.com/a/991304
$config['smtp_conn_options'] = array(
'ssl' => array(
'verify_peer' => false,

2
bundles/roundcube/files/password.config.inc.php
View file

@ -1,5 +1,7 @@
<?php
// https://github.com/roundcube/roundcubemail/blob/357cc90001f997fd223fb48fcede6040f527c2f4/plugins/password/config.inc.php.dist
$config['password_driver'] = 'sql';
$config['password_strength_driver'] = null;
$config['password_confirm_current'] = true;

16
bundles/roundcube/items.py
View file

@ -1,8 +1,7 @@
assert node.has_bundle('php')
assert node.has_bundle('mailserver')
roundcube_version = node.metadata.get('roundcube/version')
php_version = node.metadata.get('php/version')
version = node.metadata.get('roundcube/version')
directories = {
'/opt/roundcube': {
@ -23,9 +22,9 @@ directories = {
}
files[f'/tmp/roundcube-{roundcube_version}.tar.gz'] = {
files[f'/tmp/roundcube-{version}.tar.gz'] = {
'content_type': 'download',
'source': f'https://github.com/roundcube/roundcubemail/releases/download/{roundcube_version}/roundcubemail-{roundcube_version}-complete.tar.gz',
'source': f'https://github.com/roundcube/roundcubemail/releases/download/{version}/roundcubemail-{version}-complete.tar.gz',
'triggered': True,
}
actions['delete_roundcube'] = {
@ -33,11 +32,11 @@ actions['delete_roundcube'] = {
'triggered': True,
}
actions['extract_roundcube'] = {
'command': f'tar xfvz /tmp/roundcube-{roundcube_version}.tar.gz --strip 1 -C /opt/roundcube',
'unless': f'grep -q "Version {roundcube_version}" /opt/roundcube/index.php',
'command': f'tar xfvz /tmp/roundcube-{version}.tar.gz --strip 1 -C /opt/roundcube',
'unless': f'grep -q "Version {version}" /opt/roundcube/index.php',
'preceded_by': [
'action:delete_roundcube',
f'file:/tmp/roundcube-{roundcube_version}.tar.gz',
f'file:/tmp/roundcube-{version}.tar.gz',
],
'needs': [
'directory:/opt/roundcube',
@ -65,9 +64,6 @@ files['/opt/roundcube/config/config.inc.php'] = {
'needs': [
'action:chown_roundcube',
],
'triggers': [
f'svc_systemd:php{php_version}-fpm.service:restart',
],
}
files['/opt/roundcube/plugins/password/config.inc.php'] = {
'source': 'password.config.inc.php',

2
bundles/systemd-timers/metadata.py
View file

@ -42,8 +42,6 @@ def systemd(metadata):
units[f'{name}.service']['Service']['SuccessExitStatus'] = config['success_exit_status']
if config.get('kill_mode'):
units[f'{name}.service']['Service']['KillMode'] = config['kill_mode']
if config.get('RuntimeMaxSec'):
units[f'{name}.service']['Service']['RuntimeMaxSec'] = config['RuntimeMaxSec']
services[f'{name}.timer'] = {}

2
bundles/telegraf/items.py
View file

@ -9,7 +9,7 @@ files = {
node.metadata.get('telegraf/config'),
cls=MetadataJSONEncoder,
)),
sort_keys=True,
sort_keys=True
),
'triggers': [
'svc_systemd:telegraf:restart',

0
data/apt/keys/icinga_.asc → data/apt/keys/icinga.asc
View file

BIN
data/apt/keys/icinga.gpg
View file

Binary file not shown.

7
groups/os/linux.py
View file

@ -6,7 +6,6 @@
'hostname',
'hosts',
'htop',
'linux',
'locale',
'network',
'ssh',
@ -23,16 +22,16 @@
'metadata': {
'dns': {},
'hosts': {
'10.0.10.2': [
'10.0.11.3': [
'resolver.name',
'secondary.resolver.name',
],
},
'letsencrypt': {
'acme_node': 'htz.mails',
'acme_node': 'netcup.mails',
},
'nameservers': {
'10.0.10.2',
'10.0.11.3',
},
'systemd-timers': {
'trim': {

8
items/download.py
View file

@ -3,7 +3,7 @@ from bundlewrap.exceptions import BundleError
from bundlewrap.utils.text import force_text, mark_for_translation as _
from bundlewrap.utils.remote import PathInfo
import types
from shlex import quote
from pipes import quote
# Downloaded from https://github.com/bundlewrap/plugins/blob/master/item_download/items/download.py
# No, we can't use plugins here, because bw4 won't support them anymore.
@ -101,16 +101,16 @@ class Download(Item):
elif self.attributes.get('gpg_signature_url'):
full_signature_url = self.attributes['gpg_signature_url'].format(url=self.attributes['url'])
signature_path = f'{self.name}.signature'
self.node.run(f"curl -sSL {self.attributes['gpg_pubkey_url']} | gpg --import -")
self.node.run(f"curl -L {full_signature_url} -o {quote(signature_path)}")
gpg_output = self.node.run(f"gpg --verify {quote(signature_path)} {quote(self.name)}").stderr
if b'Good signature' in gpg_output:
sdict['verified'] = True
else:
sdict['verified'] = False
return sdict
@classmethod

1
libs/tools.py
View file

@ -92,4 +92,3 @@ from shlex import quote
def run_as(user, command):
return f'sudo su - {user} -s /bin/bash -c {quote(command)}'

7
nodes/home.homeassistant.py
View file

@ -29,7 +29,6 @@
'internal': {
'interface': 'eth0',
'ipv4': '10.0.0.16/24',
'mac': 'd8:3a:dd:16:fc:9d',
'gateway4': '10.0.0.1',
},
},
@ -69,20 +68,20 @@
},
},
'hosts': {
'10.0.10.2': [
'10.0.11.3': [
'resolver.name',
'secondary.resolver.name',
],
},
'letsencrypt': {
'acme_node': 'htz.mails',
'acme_node': 'netcup.mails',
},
'homeassistant': {
'domain': 'homeassistant.ckn.li',
'os_agent_version': '1.6.0',
},
'nameservers': {
'10.0.10.2',
'10.0.11.3',
},
'users': {
'ckn': {

1
nodes/home.homematic.py
View file

@ -14,7 +14,6 @@
'network': {
'internal': {
'ipv4': '10.0.2.8/24',
'mac': 'b8:27:eb:15:30:86',
},
},
'dns': {

8
nodes/home.hue.py
View file

@ -5,13 +5,7 @@
'home',
],
'metadata': {
'id': '87879bc1-130f-4fca-a8d2-e1d93a794df4',
'network': {
'internal': {
'ipv4': '10.0.2.100/24',
'mac': '00:17:88:67:e7:f2',
},
},
'id': '',
'dns': {
'hue.ckn.li': {
'A': {'10.0.2.100'},

79
nodes/home.router.py
View file

@ -1,84 +1,25 @@
{
'hostname': '10.0.0.1',
'hostname': '10.0.0.120',
'dummy': True,
'groups': [
'autologin',
'debian-12',
'debian-11',
'hardware',
'home',
'monitored',
],
'bundles': [
'kea-dhcpd',
'wireguard',
],
'metadata': {
'id': '1d6a43e5-858c-42f9-9c40-ab63d61c787c',
'network': {
'external': {
'interface': 'enx00e04c220682',
'ipv4': '10.0.99.126/24',
'gateway4': '10.0.99.1',
'vlans': {'iot', 'internet', 'guest', 'rolf', 'internal'},
},
'internal': {
'type': 'vlan',
'id': 1,
'ipv4': '10.0.0.1/24',
'dhcp_server': True,
'interface': 'eno1',
'ipv4': '10.0.0.120/24',
'gateway4': '10.0.0.1',
},
'iot': {
'type': 'vlan',
'id': 2,
'ipv4': '10.0.2.1/24',
'dhcp_server': True,
},
'internet': {
'type': 'vlan',
'id': 3,
'ipv4': '10.0.3.1/24',
},
'guest': {
'type': 'vlan',
'id': 9,
'ipv4': '10.0.9.1/24',
'dhcp_server': True,
},
'rolf': { # rolf local test
'type': 'vlan',
'id': 51,
'ipv4': '192.168.179.1/24',
'dhcp_server': True,
},
},
# 'nftables': {
# 'forward': {
# # Drop DHCP client requests (UDP port 68)
# 'udp sport 68 drop',
# 'udp dport 68 drop',
# # Drop DHCP server responses (UDP port 67)
# 'udp sport 67 drop',
# 'udp dport 67 drop',
# },
# },
'sysctl': {
'net': {
'ipv4': {
'ip_forward': 1,
},
},
},
'wireguard': {
'my_ip': '172.30.0.2/32',
's2s': {
'htz.mails': {
'allowed_ips': [
'10.0.10.0/24',
'10.0.10.0/24',
#'192.168.179.0/24', # while raspi at home
'10.0.227.0/24', # mseibert.freescout
],
},
'external': {
'interface': 'enx00e04c00135b',
'mac': '00:e0:4c:00:13:5b',
'dhcp': 'yes',
},
},
},

29
nodes/home.server.py
View file

@ -32,7 +32,8 @@
'systemd-swap',
'twitch-clip-download',
'raspberrymatic-cert',
#'tasmota-charge',
'tasmota-charge',
'wireguard',
'wol-waker',
'zfs',
],
@ -62,10 +63,10 @@
'target': 'aarch64-unknown-linux-gnu',
},
},
'download_server': 'htz.mails',
'download_server': 'netcup.mails',
},
'gitea': {
'version': '8.0.3',
'version': '7.0.1',
'domain': 'git.sublimity.de',
'conf': {
'mailer': {
@ -110,7 +111,7 @@
},
'nextcloud': {
'hostname': 'cloud.sublimity.de',
'version': '29.0.7',
'version': '29.0.3',
'config': {
'instanceid': 'oci6dw1woodz',
'secret': '!decrypt:encrypt$gAAAAABj96CFynVtEgsje7173zjQAcY7xQG3uyf5cxE-sJAvhyPh_KUykTKdwnExc8NTDJ8RIGUmVfgC6or5crnYaggARPIEg5-Cb0xVdEPPZ3oZ01ImLmynLu3qXT9O8kVM-H21--OKeztMRn7bySsbXdWEGtETFQ==',
@ -144,13 +145,6 @@
'steam-chat-viewer': {
'hostname': 'steam-chats.ckn.li',
},
'sysctl': {
'net': {
'ipv4': {
'ip_forward': 1,
},
},
},
'systemd-swap': 4_000_000_000,
'tasmota-charge': {
'phone': {
@ -172,6 +166,19 @@
'threads': 32,
'ram': 49152,
},
'wireguard': {
'my_ip': '172.30.0.2/32',
's2s': {
'netcup.mails': {
'allowed_ips': [
'10.0.10.0/24',
'10.0.11.0/24',
'192.168.179.0/24',
'10.0.227.0/24', # mseibert.freescout
],
},
},
},
'zfs': {
'zfs_arc_max_percent': 80,
'storage_classes': {

2
nodes/htz.games.py
View file

@ -37,7 +37,7 @@
'network': {
'internal': {
'interface': 'ens10',
'ipv4': '10.0.10.2/32',
'ipv4': '10.0.10.3/32',
},
'external': {
'interface': 'eth0',

16
nodes/mseibert.freescout.py
View file

@ -1,13 +1,9 @@
# https://teamvault.apps.seibert-media.net/secrets/mkqMRv/
# https://console.hetzner.cloud/projects/889138/servers/46578341
{
#'dummy': True,
'hostname': '159.69.117.89',
'groups': [
'backup',
# 'backup',
'debian-12',
'monitored',
# 'monitored',
'webserver',
'freescout',
],
@ -34,19 +30,19 @@
'domain': 'foerderkreis.oranienschule-wiesbaden-wiki.de',
},
'vm': {
'cores': 2,
'ram': 4096,
'cores': 1,
'ram': 2048,
},
'wireguard': {
'my_ip': '172.30.0.238/32',
's2s': {
'htz.mails': {
'netcup.mails': {
'allowed_ips': [
'10.0.0.0/24',
'10.0.2.0/24',
'10.0.9.0/24',
'10.0.10.0/24',
'10.0.10.0/24',
'10.0.11.0/24',
],
},
},

40
nodes/htz.mails.py → nodes/netcup.mails.py
View file

@ -1,9 +1,8 @@
{
'hostname': '49.12.184.229',
'hostname': '202.61.255.108',
'groups': [
'backup',
'debian-12',
'hetzner-cloud',
'mailserver',
'monitored',
'webserver',
@ -16,7 +15,7 @@
'build-ci',
'download-server',
'islamicstate.eu',
#'nginx-rtmps',
'nginx-rtmps',
#'steam',
'wireguard',
'zfs',
@ -25,14 +24,14 @@
'id': 'ea29bdf0-0b47-4bf4-8346-67d60c9dc4ae',
'network': {
'internal': {
'interface': 'enp7s0',
'ipv4': '10.0.10.2/24',
'interface': 'eth1',
'ipv4': '10.0.11.3/24',
},
'external': {
'interface': 'eth0',
'ipv4': '49.12.184.229/32',
'gateway4': '172.31.1.1',
'ipv6': '2a01:4f8:c013:51f2::1',
'ipv4': '202.61.255.108/22',
'gateway4': '202.61.252.1',
'ipv6': '2a03:4000:55:a89::1/64',
'gateway6': 'fe80::1',
}
},
@ -59,20 +58,20 @@
},
'dns': {
'ckn.li': {
'A': ['49.12.184.229'],
'AAAA': ['2a01:4f8:c013:51f2::1'],
'A': ['202.61.255.108'],
'AAAA': ['2a01:4f8:1c1c:4121::1'],
},
'sublimity.de': {
'A': ['49.12.184.229'],
'AAAA': ['2a01:4f8:c013:51f2::1'],
'A': ['202.61.255.108'],
'AAAA': ['2a01:4f8:1c1c:4121::1'],
},
'freibrief.net': {
'A': ['49.12.184.229'],
'AAAA': ['2a01:4f8:c013:51f2::1'],
'A': ['202.61.255.108'],
'AAAA': ['2a01:4f8:1c1c:4121::1'],
},
'left4.me': {
'A': ['49.12.184.229'],
'AAAA': ['2a01:4f8:c013:51f2::1'],
'A': ['202.61.255.108'],
'AAAA': ['2a01:4f8:1c1c:4121::1'],
},
'elimu-kwanza.de': {
'TXT': ['google-site-verification=JwgcfXQ6nIXKxjMqUGHVBDISgMCQXgzMryPBsP2ZXnE'],
@ -196,22 +195,21 @@
},
'vm': {
'cores': 4,
'ram': 8192,
'ram': 16384,
},
'wireguard': {
'my_ip': '172.30.0.1/24',
's2s': {
'home.router': {
'home.server': {
'allowed_ips': [
'10.0.0.0/24',
'10.0.2.0/24',
'10.0.9.0/24',
'10.0.99.0/24',
],
},
'ovh.secondary': {
'allowed_ips': [
'10.0.10.0/24',
'10.0.11.0/24',
],
},
'wb.offsite-backups': {
@ -241,7 +239,7 @@
'pools': {
'tank': {
'devices': [
'/dev/disk/by-id/scsi-0HC_Volume_101332312',
'/dev/sda4',
],
},
},

8
nodes/ovh.secondary.py
View file

@ -20,22 +20,22 @@
},
},
'bind': {
'master_node': 'htz.mails',
'master_node': 'netcup.mails',
'hostname': 'secondary.resolver.name',
},
# 'postfix': {
# 'master_node': 'htz.mails',
# 'master_node': 'netcup.mails',
# 'hostname': 'mail2.sublimity.de',
# },
'wireguard': {
'my_ip': '172.30.0.3/32',
's2s': {
'htz.mails': {
'netcup.mails': {
'allowed_ips': [
'10.0.0.0/24',
'10.0.2.0/24',
'10.0.9.0/24',
'10.0.10.0/24',
'10.0.11.0/24',
],
},
},

8
nodes/wb.offsite-backups.py
View file

@ -1,7 +1,7 @@
{
'hostname': '192.168.179.20',
'groups': [
'debian-12',
'debian-11',
'monitored',
'raspberry-pi',
],
@ -9,7 +9,7 @@
'backup-freshness-check',
'dm-crypt',
'smartctl',
#'wireguard',
'wireguard',
'zfs',
],
'metadata': {
@ -43,13 +43,13 @@
'wireguard': {
'my_ip': '172.30.0.4/32',
's2s': {
'htz.mails': {
'netcup.mails': {
'allowed_ips': [
'10.0.0.0/24',
'10.0.2.0/24',
'10.0.9.0/24',
'10.0.10.0/24',
'10.0.10.0/24',
'10.0.11.0/24',
],
},
},