cronekorkn/bundlewrap
1
0
Fork 0
Code Issues Pull requests 8 Projects Releases Wiki Activity

Compare commits

base: cronekorkn:master
Branches Tags
cronekorkn:master
cronekorkn:n8n
cronekorkn:router
cronekorkn:freescout
cronekorkn:homeassistant-supervised
cronekorkn:conflecttest
cronekorkn:wp
cronekorkn:rufbereitschafts-alarm
cronekorkn:dnssec_2
cronekorkn:dnssec
cronekorkn:apt_sources_as_dict
cronekorkn:wordpress
cronekorkn:iperf3
cronekorkn:picsort-pythoon
cronekorkn:network_metadata_rework
cronekorkn:blog_dirty
cronekorkn:blog
cronekorkn:icinga2_notifications
cronekorkn:icinga_neumachen
cronekorkn:nextcloud_conf_in_metadata
cronekorkn:mastodon
cronekorkn:rtmp
cronekorkn:deterministic_rsa
cronekorkn:deterministic_rsa_test
cronekorkn:left4dead2
cronekorkn:temp130752653
cronekorkn:zfs_encrypt
cronekorkn:icingaweb
cronekorkn:ldap
cronekorkn:icinga2_remote_2
cronekorkn:icinga2_local
cronekorkn:icinga
cronekorkn:icinga2_remote
cronekorkn:modprobe
cronekorkn:autoconfig
cronekorkn:basic_auth
cronekorkn:crystal-buildserver
cronekorkn:build_Server
cronekorkn:cya_hetzner
cronekorkn:dns_challenge3
cronekorkn:dns_challenge2
cronekorkn:dns_challenge
cronekorkn:gpiod
cronekorkn:multi-redis
cronekorkn:l4d2
cronekorkn:wireguard_clients
cronekorkn:alles_sets
cronekorkn:hdict
cronekorkn:all_units
cronekorkn:unitbug_isolation
cronekorkn:whatsbroken
cronekorkn:minimal_mailserver
..
compare: cronekorkn:wp
Branches Tags
cronekorkn:master
cronekorkn:n8n
cronekorkn:router
cronekorkn:freescout
cronekorkn:homeassistant-supervised
cronekorkn:conflecttest
cronekorkn:wp
cronekorkn:rufbereitschafts-alarm
cronekorkn:dnssec_2
cronekorkn:dnssec
cronekorkn:apt_sources_as_dict
cronekorkn:wordpress
cronekorkn:iperf3
cronekorkn:picsort-pythoon
cronekorkn:network_metadata_rework
cronekorkn:blog_dirty
cronekorkn:blog
cronekorkn:icinga2_notifications
cronekorkn:icinga_neumachen
cronekorkn:nextcloud_conf_in_metadata
cronekorkn:mastodon
cronekorkn:rtmp
cronekorkn:deterministic_rsa
cronekorkn:deterministic_rsa_test
cronekorkn:left4dead2
cronekorkn:temp130752653
cronekorkn:zfs_encrypt
cronekorkn:icingaweb
cronekorkn:ldap
cronekorkn:icinga2_remote_2
cronekorkn:icinga2_local
cronekorkn:icinga
cronekorkn:icinga2_remote
cronekorkn:modprobe
cronekorkn:autoconfig
cronekorkn:basic_auth
cronekorkn:crystal-buildserver
cronekorkn:build_Server
cronekorkn:cya_hetzner
cronekorkn:dns_challenge3
cronekorkn:dns_challenge2
cronekorkn:dns_challenge
cronekorkn:gpiod
cronekorkn:multi-redis
cronekorkn:l4d2
cronekorkn:wireguard_clients
cronekorkn:alles_sets
cronekorkn:hdict
cronekorkn:all_units
cronekorkn:unitbug_isolation
cronekorkn:whatsbroken
cronekorkn:minimal_mailserver

9 commits
master ... wp

Author SHA1 Message Date
cronekorkn
9b3e66915c
wip 2024-02-04 14:33:31 +01:00
cronekorkn
6f972fddd2
wip 2024-02-04 14:31:42 +01:00
cronekorkn
88d21ca1e5
wip 2024-02-04 12:48:19 +01:00
cronekorkn
a4d3041b45
wip 2024-02-04 11:49:21 +01:00
cronekorkn
379aaa7d10
wip 2024-02-04 11:27:35 +01:00
cronekorkn
3e3355d750
wip 2024-02-04 11:12:46 +01:00
cronekorkn
695bfb5dde
wip 2024-02-04 11:06:53 +01:00
cronekorkn
d6b109da01
wip 2024-02-04 10:50:49 +01:00
cronekorkn
1bd1d4d0a6
wip 2024-02-04 10:35:05 +01:00
81 changed files with 281 additions and 1286 deletions
Show stats Expand all files Collapse all files

9
README.md
View file

@ -37,12 +37,3 @@ fi
telegraf: execd for daemons telegraf: execd for daemons
TEST TEST
# git signing
git config --global gpg.format ssh
git config --global commit.gpgsign true
git config user.name CroneKorkN
git config user.email i@ckn.li
git config user.signingkey "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILMVroYmswD4tLk6iH+2tvQiyaMe42yfONDsPDIdFv6I"

2
bin/upgrade_and_restart_all
View file

@ -23,7 +23,7 @@ for node in nodes:
print(node.run('DEBIAN_FRONTEND=noninteractive apt update').stdout.decode()) print(node.run('DEBIAN_FRONTEND=noninteractive apt update').stdout.decode())
print(node.run('DEBIAN_FRONTEND=noninteractive apt list --upgradable').stdout.decode()) print(node.run('DEBIAN_FRONTEND=noninteractive apt list --upgradable').stdout.decode())
if int(node.run('DEBIAN_FRONTEND=noninteractive apt list --upgradable 2> /dev/null | grep upgradable | wc -l').stdout.decode()): if int(node.run('DEBIAN_FRONTEND=noninteractive apt list --upgradable 2> /dev/null | grep upgradable | wc -l').stdout.decode()):
print(node.run('DEBIAN_FRONTEND=noninteractive apt -qy full-upgrade').stdout.decode()) print(node.run('DEBIAN_FRONTEND=noninteractive apt -y dist-upgrade').stdout.decode())
# REBOOT IN ORDER # REBOOT IN ORDER

20
bundles/backup/files/backup_all
View file

@ -1,31 +1,13 @@
#!/bin/bash #!/bin/bash
set -u set -exu
# FIXME: inelegant # FIXME: inelegant
% if wol_command: % if wol_command:
${wol_command} ${wol_command}
% endif % endif
exit=0
failed_paths=""
for path in $(jq -r '.paths | .[]' < /etc/backup/config.json) for path in $(jq -r '.paths | .[]' < /etc/backup/config.json)
do do
echo backing up $path
/opt/backup/backup_path "$path" /opt/backup/backup_path "$path"
# set exit to 1 if any backup fails
if [ $? -ne 0 ]
then
echo ERROR: backing up $path failed >&2
exit=5
failed_paths="$failed_paths $path"
fi
done done
if [ $exit -ne 0 ]
then
echo "ERROR: failed to backup paths: $failed_paths" >&2
fi
exit $exit

2
bundles/backup/files/backup_path_via_zfs
View file

@ -1,6 +1,6 @@
#!/bin/bash #!/bin/bash
set -eu set -exu
path=$1 path=$1
uuid=$(jq -r .client_uuid < /etc/backup/config.json) uuid=$(jq -r .client_uuid < /etc/backup/config.json)

16
bundles/bind/items.py
View file

@ -19,7 +19,7 @@ directories[f'/var/lib/bind'] = {
'svc_systemd:bind9', 'svc_systemd:bind9',
], ],
'triggers': [ 'triggers': [
'svc_systemd:bind9:reload', 'svc_systemd:bind9:restart',
], ],
} }
@ -29,7 +29,7 @@ files['/etc/default/bind9'] = {
'svc_systemd:bind9', 'svc_systemd:bind9',
], ],
'triggers': [ 'triggers': [
'svc_systemd:bind9:reload', 'svc_systemd:bind9:restart',
], ],
} }
@ -43,7 +43,7 @@ files['/etc/bind/named.conf'] = {
'svc_systemd:bind9', 'svc_systemd:bind9',
], ],
'triggers': [ 'triggers': [
'svc_systemd:bind9:reload', 'svc_systemd:bind9:restart',
], ],
} }
@ -63,7 +63,7 @@ files['/etc/bind/named.conf.options'] = {
'svc_systemd:bind9', 'svc_systemd:bind9',
], ],
'triggers': [ 'triggers': [
'svc_systemd:bind9:reload', 'svc_systemd:bind9:restart',
], ],
} }
@ -93,7 +93,7 @@ files['/etc/bind/named.conf.local'] = {
'svc_systemd:bind9', 'svc_systemd:bind9',
], ],
'triggers': [ 'triggers': [
'svc_systemd:bind9:reload', 'svc_systemd:bind9:restart',
], ],
} }
@ -106,7 +106,7 @@ for view_name, view_conf in master_node.metadata.get('bind/views').items():
'svc_systemd:bind9', 'svc_systemd:bind9',
], ],
'triggers': [ 'triggers': [
'svc_systemd:bind9:reload', 'svc_systemd:bind9:restart',
], ],
} }
@ -127,7 +127,7 @@ for view_name, view_conf in master_node.metadata.get('bind/views').items():
'svc_systemd:bind9', 'svc_systemd:bind9',
], ],
'triggers': [ 'triggers': [
'svc_systemd:bind9:reload', 'svc_systemd:bind9:restart',
], ],
} }
@ -139,6 +139,6 @@ actions['named-checkconf'] = {
'unless': 'named-checkconf -z', 'unless': 'named-checkconf -z',
'needs': [ 'needs': [
'svc_systemd:bind9', 'svc_systemd:bind9',
'svc_systemd:bind9:reload', 'svc_systemd:bind9:restart',
] ]
} }

4
bundles/build-ci/metadata.py
View file

@ -1,10 +1,6 @@
from shlex import quote from shlex import quote
defaults = {
'build-ci': {},
}
@metadata_reactor.provides( @metadata_reactor.provides(
'users/build-ci/authorized_users', 'users/build-ci/authorized_users',
'sudoers/build-ci', 'sudoers/build-ci',

2
bundles/dovecot/files/dovecot.conf
View file

@ -6,7 +6,7 @@ ssl_cert = </var/lib/dehydrated/certs/${node.metadata.get('mailserver/hostname')
ssl_key = </var/lib/dehydrated/certs/${node.metadata.get('mailserver/hostname')}/privkey.pem ssl_key = </var/lib/dehydrated/certs/${node.metadata.get('mailserver/hostname')}/privkey.pem
ssl_dh = </etc/dovecot/dhparam.pem ssl_dh = </etc/dovecot/dhparam.pem
ssl_client_ca_dir = /etc/ssl/certs ssl_client_ca_dir = /etc/ssl/certs
mail_location = maildir:${node.metadata.get('mailserver/maildir')}/%u:INDEX=${node.metadata.get('mailserver/maildir')}/index/%u mail_location = maildir:~
mail_plugins = fts fts_xapian mail_plugins = fts fts_xapian
namespace inbox { namespace inbox {

4
bundles/dovecot/items.py
View file

@ -20,10 +20,6 @@ directories = {
'owner': 'vmail', 'owner': 'vmail',
'group': 'vmail', 'group': 'vmail',
}, },
'/var/vmail/index': {
'owner': 'vmail',
'group': 'vmail',
},
'/var/vmail/sieve': { '/var/vmail/sieve': {
'owner': 'vmail', 'owner': 'vmail',
'group': 'vmail', 'group': 'vmail',

23
bundles/freescout/README.md
View file

@ -1,23 +0,0 @@
Pg Pass workaround: set manually:
```
root@freescout /ro psql freescout
psql (15.6 (Debian 15.6-0+deb12u1))
Type "help" for help.
freescout=# \password freescout
Enter new password for user "freescout":
Enter it again:
freescout=#
\q
```
# problems
# check if /opt/freescout/.env is resettet
# ckeck `psql -h localhost -d freescout -U freescout -W`with pw from .env
# chown -R www-data:www-data /opt/freescout
# sudo su - www-data -c 'php /opt/freescout/artisan freescout:clear-cache' -s /bin/bash
# javascript funny? `sudo su - www-data -c 'php /opt/freescout/artisan storage:link' -s /bin/bash`
# benutzer bilder weg? aus dem backup holen: `/opt/freescout/.zfs/snapshot/zfs-auto-snap_hourly-2024-11-22-1700/storage/app/public/users` `./customers`

66
bundles/freescout/items.py
View file

@ -1,66 +0,0 @@
# https://github.com/freescout-helpdesk/freescout/wiki/Installation-Guide
run_as = repo.libs.tools.run_as
php_version = node.metadata.get('php/version')
directories = {
'/opt/freescout': {
'owner': 'www-data',
'group': 'www-data',
# chown -R www-data:www-data /opt/freescout
},
}
actions = {
# 'clone_freescout': {
# 'command': run_as('www-data', 'git clone https://github.com/freescout-helpdesk/freescout.git /opt/freescout'),
# 'unless': 'test -e /opt/freescout/.git',
# 'needs': [
# 'pkg_apt:git',
# 'directory:/opt/freescout',
# ],
# },
# 'pull_freescout': {
# 'command': run_as('www-data', 'git -C /opt/freescout fetch origin dist && git -C /opt/freescout reset --hard origin/dist && git -C /opt/freescout clean -f'),
# 'unless': run_as('www-data', 'git -C /opt/freescout fetch origin && git -C /opt/freescout status -uno | grep -q "Your branch is up to date"'),
# 'needs': [
# 'action:clone_freescout',
# ],
# 'triggers': [
# 'action:freescout_artisan_update',
# f'svc_systemd:php{php_version}-fpm.service:restart',
# ],
# },
# 'freescout_artisan_update': {
# 'command': run_as('www-data', 'php /opt/freescout/artisan freescout:after-app-update'),
# 'triggered': True,
# 'needs': [
# f'svc_systemd:php{php_version}-fpm.service:restart',
# 'action:pull_freescout',
# ],
# },
}
# svc_systemd = {
# f'freescout-cron.service': {},
# }
# files = {
# '/opt/freescout/.env': {
# # https://github.com/freescout-helpdesk/freescout/blob/dist/.env.example
# # Every time you are making changes in .env file, in order changes to take an effect you need to run:
# # ´sudo su - www-data -c 'php /opt/freescout/artisan freescout:clear-cache' -s /bin/bash´
# 'owner': 'www-data',
# 'content': '\n'.join(
# f'{k}={v}' for k, v in
# sorted(node.metadata.get('freescout/env').items())
# ) + '\n',
# 'needs': [
# 'directory:/opt/freescout',
# 'action:clone_freescout',
# ],
# },
# }
#sudo su - www-data -s /bin/bash -c 'php /opt/freescout/artisan freescout:create-user --role admin --firstName M --lastName W --email freescout@freibrief.net --password gyh.jzv2bnf6hvc.HKG --no-interaction'
#sudo su - www-data -s /bin/bash -c 'php /opt/freescout/artisan freescout:create-user --role admin --firstName M --lastName W --email freescout@freibrief.net --password gyh.jzv2bnf6hvc.HKG --no-interaction'

121
bundles/freescout/metadata.py
View file

@ -1,121 +0,0 @@
from base64 import b64decode
# hash: SCRAM-SHA-256$4096:tQNfqQi7seqNDwJdHqCHbg==$r3ibECluHJaY6VRwpvPqrtCjgrEK7lAkgtUO8/tllTU=:+eeo4M0L2SowfyHFxT2FRqGzezve4ZOEocSIo11DATA=
database_password = repo.vault.password_for(f'{node.name} postgresql freescout').value
defaults = {
'apt': {
'packages': {
'git': {},
'php': {},
'php-pgsql': {},
'php-fpm': {},
'php-mbstring': {},
'php-xml': {},
'php-imap': {},
'php-zip': {},
'php-gd': {},
'php-curl': {},
'php-intl': {},
},
},
'freescout': {
'env': {
'APP_TIMEZONE': 'Europe/Berlin',
'DB_CONNECTION': 'pgsql',
'DB_HOST': '127.0.0.1',
'DB_PORT': '5432',
'DB_DATABASE': 'freescout',
'DB_USERNAME': 'freescout',
'DB_PASSWORD': database_password,
'APP_KEY': 'base64:' + repo.vault.random_bytes_as_base64_for(f'{node.name} freescout APP_KEY', length=32).value
},
},
'php': {
'php.ini': {
'cgi': {
'fix_pathinfo': '0',
},
},
},
'postgresql': {
'roles': {
'freescout': {
'password_hash': repo.libs.postgres.generate_scram_sha_256(
database_password,
b64decode(repo.vault.random_bytes_as_base64_for(f'{node.name} postgres freescout', length=16).value.encode()),
),
},
},
'databases': {
'freescout': {
'owner': 'freescout',
},
},
},
# 'systemd': {
# 'units': {
# f'freescout-cron.service': {
# 'Unit': {
# 'Description': 'Freescout Cron',
# 'After': 'network.target',
# },
# 'Service': {
# 'User': 'www-data',
# 'Nice': 10,
# 'ExecStart': f"/usr/bin/php /opt/freescout/artisan schedule:run"
# },
# 'Install': {
# 'WantedBy': {
# 'multi-user.target'
# }
# },
# }
# },
# },
'systemd-timers': {
'freescout-cron': {
'command': '/usr/bin/php /opt/freescout/artisan schedule:run',
'when': '*-*-* *:*:00',
'RuntimeMaxSec': '180',
'user': 'www-data',
},
},
'zfs': {
'datasets': {
'tank/freescout': {
'mountpoint': '/opt/freescout',
},
},
},
}
@metadata_reactor.provides(
'freescout/env/APP_URL',
)
def freescout(metadata):
return {
'freescout': {
'env': {
'APP_URL': 'https://' + metadata.get('freescout/domain') + '/',
},
},
}
@metadata_reactor.provides(
'nginx/vhosts',
)
def nginx(metadata):
return {
'nginx': {
'vhosts': {
metadata.get('freescout/domain'): {
'content': 'freescout/vhost.conf',
},
},
},
}

2
bundles/gitea/metadata.py
View file

@ -118,7 +118,7 @@ def nginx(metadata):
'content': 'nginx/proxy_pass.conf', 'content': 'nginx/proxy_pass.conf',
'context': { 'context': {
'target': 'http://127.0.0.1:3500', 'target': 'http://127.0.0.1:3500',
}, }
}, },
}, },
}, },

5
bundles/grafana/items.py
View file

@ -26,10 +26,7 @@ actions['reset_grafana_admin_password'] = {
directories = { directories = {
'/etc/grafana': {}, '/etc/grafana': {},
'/etc/grafana/provisioning': { '/etc/grafana/provisioning': {},
'owner': 'grafana',
'group': 'grafana',
},
'/etc/grafana/provisioning/datasources': { '/etc/grafana/provisioning/datasources': {
'purge': True, 'purge': True,
}, },

23
bundles/homeassistant-supervised/README.md
View file

@ -1,23 +0,0 @@
https://github.com/home-assistant/supervised-installer?tab=readme-ov-file
https://github.com/home-assistant/os-agent/tree/main?tab=readme-ov-file#using-home-assistant-supervised-on-debian
https://docs.docker.com/engine/install/debian/
https://www.home-assistant.io/installation/linux#install-home-assistant-supervised
https://github.com/home-assistant/supervised-installer
https://github.com/home-assistant/architecture/blob/master/adr/0014-home-assistant-supervised.md
DATA_SHARE=/usr/share/hassio dpkg --force-confdef --force-confold -i homeassistant-supervised.deb
neu debian
ha installieren
gucken ob geht
dann bw drüberbügeln
https://www.home-assistant.io/integrations/http/#ssl_certificate
`wget "$(curl -L https://api.github.com/repos/home-assistant/supervised-installer/releases/latest | jq -r '.assets[0].browser_download_url')" -O homeassistant-supervised.deb && dpkg -i homeassistant-supervised.deb`

30
bundles/homeassistant-supervised/items.py
View file

@ -1,30 +0,0 @@
from shlex import quote
version = node.metadata.get('homeassistant/os_agent_version')
directories = {
'/usr/share/hassio': {},
}
actions = {
'install_os_agent': {
'command': ' && '.join([
f'wget -O /tmp/os-agent.deb https://github.com/home-assistant/os-agent/releases/download/{quote(version)}/os-agent_{quote(version)}_linux_aarch64.deb',
'DEBIAN_FRONTEND=noninteractive dpkg -i /tmp/os-agent.deb',
]),
'unless': f'test "$(apt -qq list os-agent | cut -d" " -f2)" = "{quote(version)}"',
'needs': {
'pkg_apt:',
'zfs_dataset:tank/homeassistant',
},
},
'install_homeassistant_supervised': {
'command': 'wget -O /tmp/homeassistant-supervised.deb https://github.com/home-assistant/supervised-installer/releases/latest/download/homeassistant-supervised.deb && apt install /tmp/homeassistant-supervised.deb',
'unless': 'apt -qq list homeassistant-supervised | grep -q "installed"',
'needs': {
'action:install_os_agent',
},
},
}

65
bundles/homeassistant-supervised/metadata.py
View file

@ -1,65 +0,0 @@
defaults = {
'apt': {
'packages': {
# homeassistant-supervised
'apparmor': {},
'bluez': {},
'cifs-utils': {},
'curl': {},
'dbus': {},
'jq': {},
'libglib2.0-bin': {},
'lsb-release': {},
'network-manager': {},
'nfs-common': {},
'systemd-journal-remote': {},
'systemd-resolved': {},
'udisks2': {},
'wget': {},
# docker
'docker-ce': {},
'docker-ce-cli': {},
'containerd.io': {},
'docker-buildx-plugin': {},
'docker-compose-plugin': {},
},
'sources': {
# docker: https://docs.docker.com/engine/install/debian/#install-using-the-repository
'docker': {
'urls': {
'https://download.docker.com/linux/debian',
},
'suites': {
'{codename}',
},
'components': {
'stable',
},
},
},
},
'zfs': {
'datasets': {
'tank/homeassistant': {
'mountpoint': '/usr/share/hassio',
'needed_by': {
'directory:/usr/share/hassio',
},
},
},
},
}
@metadata_reactor.provides(
'nginx/vhosts',
)
def nginx(metadata):
return {
'nginx': {
'vhosts': {
metadata.get('homeassistant/domain'): {
'content': 'homeassistant/vhost.conf',
},
},
},
}

20
bundles/homeassistant/items.py Normal file
View file

@ -0,0 +1,20 @@
users = {
'homeassistant': {
'home': '/var/lib/homeassistant',
},
}
directories = {
'/var/lib/homeassistant': {
'owner': 'homeassistant',
},
'/var/lib/homeassistant/config': {
'owner': 'homeassistant',
},
'/var/lib/homeassistant/venv': {
'owner': 'homeassistant',
},
}
# https://wiki.instar.com/de/Software/Linux/Home_Assistant/

20
bundles/homeassistant/metadata.py Normal file
View file

@ -0,0 +1,20 @@
defaults = {
'apt': {
'packages': {
'python3': {},
'python3-dev': {},
'python3-pip': {},
'python3-venv': {},
'libffi-dev': {},
'libssl-dev': {},
'libjpeg-dev': {},
'zlib1g-dev': {},
'autoconf': {},
'build-essential': {},
'libopenjp2-7': {},
'libtiff5': {},
'libturbojpeg0-dev': {},
'tzdata': {},
},
},
}

8
bundles/icinga2/files/conf.d/notifications.conf
View file

@ -13,9 +13,9 @@ apply Notification "mail-icingaadmin" to Host {
user_groups = host.vars.notification.mail.groups user_groups = host.vars.notification.mail.groups
users = host.vars.notification.mail.users users = host.vars.notification.mail.users
//interval = 2h
//vars.notification_logtosyslog = true
assign where host.vars.notification.mail assign where host.vars.notification.mail
} }
@ -25,9 +25,9 @@ apply Notification "mail-icingaadmin" to Service {
user_groups = host.vars.notification.mail.groups user_groups = host.vars.notification.mail.groups
users = host.vars.notification.mail.users users = host.vars.notification.mail.users
//interval = 2h
//vars.notification_logtosyslog = true
assign where host.vars.notification.mail assign where host.vars.notification.mail
} }

2
bundles/icinga2/items.py
View file

@ -269,7 +269,7 @@ svc_systemd = {
'icinga2.service': { 'icinga2.service': {
'needs': [ 'needs': [
'pkg_apt:icinga2-ido-pgsql', 'pkg_apt:icinga2-ido-pgsql',
'svc_systemd:postgresql.service', 'svc_systemd:postgresql',
], ],
}, },
} }

21
bundles/kea-dhcpd/items.py
View file

@ -1,21 +0,0 @@
from json import dumps
from bundlewrap.metadata import MetadataJSONEncoder
files = {
'/etc/kea/kea-dhcp4.conf': {
'content': dumps(node.metadata.get('kea'), indent=4, sort_keys=True, cls=MetadataJSONEncoder),
'triggers': [
'svc_systemd:kea-dhcp4-server:restart',
],
},
}
svc_systemd = {
'kea-dhcp4-server': {
'needs': [
'pkg_apt:kea-dhcp4-server',
'file:/etc/kea/kea-dhcp4.conf',
'svc_systemd:systemd-networkd:restart',
],
},
}

96
bundles/kea-dhcpd/metadata.py
View file

@ -1,96 +0,0 @@
from ipaddress import ip_interface, ip_network
hashable = repo.libs.hashable.hashable
defaults = {
'apt': {
'packages': {
'kea-dhcp4-server': {},
},
},
'kea': {
'Dhcp4': {
'interfaces-config': {
'interfaces': set(),
},
'lease-database': {
'type': 'memfile',
'lfc-interval': 3600
},
'subnet4': set(),
'loggers': set([
hashable({
'name': 'kea-dhcp4',
'output_options': [
{
'output': 'syslog',
}
],
'severity': 'INFO',
}),
]),
},
},
}
@metadata_reactor.provides(
'kea/Dhcp4/interfaces-config/interfaces',
'kea/Dhcp4/subnet4',
)
def subnets(metadata):
subnet4 = set()
interfaces = set()
reservations = set(
hashable({
'hw-address': network_conf['mac'],
'ip-address': str(ip_interface(network_conf['ipv4']).ip),
})
for other_node in repo.nodes
for network_conf in other_node.metadata.get('network', {}).values()
if 'mac' in network_conf
)
for network_name, network_conf in metadata.get('network').items():
dhcp_server_config = network_conf.get('dhcp_server_config', None)
if dhcp_server_config:
_network = ip_network(dhcp_server_config['subnet'])
subnet4.add(hashable({
'subnet': dhcp_server_config['subnet'],
'pools': [
{
'pool': f'{dhcp_server_config['pool_from']} - {dhcp_server_config['pool_to']}',
},
],
'option-data': [
{
'name': 'routers',
'data': dhcp_server_config['router'],
},
{
'name': 'domain-name-servers',
'data': '10.0.10.2',
},
],
'reservations': set(
reservation
for reservation in reservations
if ip_interface(reservation['ip-address']).ip in _network
),
}))
interfaces.add(network_conf.get('interface', network_name))
return {
'kea': {
'Dhcp4': {
'interfaces-config': {
'interfaces': interfaces,
},
'subnet4': subnet4,
},
},
}

18
bundles/left4dead2/files/server.cfg
View file

@ -1,36 +1,36 @@
hostname "CroneKorkN : ${name}" hostname "CroneKorkN : ${name}"
sv_contact "admin@sublimity.de" sv_contact "admin@sublimity.de"
// assign serevr to steam group
sv_steamgroup "${','.join(steamgroups)}" sv_steamgroup "${','.join(steamgroups)}"
rcon_password "${rcon_password}" rcon_password "${rcon_password}"
// no annoying message of the day
motd_enabled 0 motd_enabled 0
// enable cheats
sv_cheats 1 sv_cheats 1
// allow inconsistent files on clients (weapon mods for example)
sv_consistency 0 sv_consistency 0
// connect from internet
sv_lan 0 sv_lan 0
// join game at any point
sv_allow_lobby_connect_only 0 sv_allow_lobby_connect_only 0
// allowed modes
sv_gametypes "coop,realism,survival,versus,teamversus,scavenge,teamscavenge" sv_gametypes "coop,realism,survival,versus,teamversus,scavenge,teamscavenge"
// network
sv_minrate 30000 sv_minrate 30000
sv_maxrate 60000 sv_maxrate 60000
sv_mincmdrate 66 sv_mincmdrate 66
sv_maxcmdrate 101 sv_maxcmdrate 101
// logging
sv_logsdir "logs-${name}" //Folder in the game directory where server logs will be stored. sv_logsdir "logs-${name}" //Folder in the game directory where server logs will be stored.
log on //Creates a logfile (on | off) log on //Creates a logfile (on | off)
sv_logecho 0 //default 0; Echo log information to the console. sv_logecho 0 //default 0; Echo log information to the console.

1
bundles/letsencrypt/items.py
View file

@ -56,7 +56,6 @@ for domain in node.metadata.get('letsencrypt/domains').keys():
'unless': f'/etc/dehydrated/letsencrypt-ensure-some-certificate {domain} true', 'unless': f'/etc/dehydrated/letsencrypt-ensure-some-certificate {domain} true',
'needs': { 'needs': {
'file:/etc/dehydrated/letsencrypt-ensure-some-certificate', 'file:/etc/dehydrated/letsencrypt-ensure-some-certificate',
'pkg_apt:dehydrated',
}, },
'needed_by': { 'needed_by': {
'svc_systemd:nginx', 'svc_systemd:nginx',

41
bundles/linux/items.py
View file

@ -1,41 +0,0 @@
from shlex import quote
def generate_sysctl_key_value_pairs_from_json(json_data, parents=[]):
if isinstance(json_data, dict):
for key, value in json_data.items():
yield from generate_sysctl_key_value_pairs_from_json(value, [*parents, key])
elif isinstance(json_data, list):
raise ValueError(f"List not supported: '{json_data}'")
else:
# If it's a leaf node, yield the path
yield (parents, json_data)
key_value_pairs = generate_sysctl_key_value_pairs_from_json(node.metadata.get('sysctl'))
files= {
'/etc/sysctl.conf': {
'content': '\n'.join(
sorted(
f"{'.'.join(path)}={value}"
for path, value in key_value_pairs
),
),
'triggers': [
'svc_systemd:systemd-sysctl.service:restart',
],
},
}
svc_systemd = {
'systemd-sysctl.service': {},
}
for path, value in key_value_pairs:
actions[f'reload_sysctl.conf_{path}'] = {
'command': f"sysctl --values {'.'.join(path)} | grep -q {quote('^'+value+'$')}",
'needs': [
f'action:systemd-sysctl.service',
f'action:systemd-sysctl.service:restart',
],
}

3
bundles/linux/metadata.py
View file

@ -1,3 +0,0 @@
defaults = {
'sysctl': {},
}

15
bundles/locale/items.py
View file

@ -20,19 +20,18 @@ files = {
} }
actions = { actions = {
'systemd-locale': {
'command': f'localectl set-locale LANG="{default_locale}"',
'unless': f'localectl | grep -Fi "system locale" | grep -Fi "{default_locale}"',
'triggers': {
'action:locale-gen',
},
},
'locale-gen': { 'locale-gen': {
'command': 'locale-gen', 'command': 'locale-gen',
'triggered': True, 'triggered': True,
'needs': { 'needs': {
'pkg_apt:locales', 'pkg_apt:locales',
'action:systemd-locale', },
},
'systemd-locale': {
'command': f'localectl set-locale LANG="{default_locale}"',
'unless': f'localectl | grep -Fi "system locale" | grep -Fi "{default_locale}"',
'preceded_by': {
'action:locale-gen',
}, },
}, },
} }

2
bundles/macbook/files/bundlewrap
View file

@ -2,5 +2,5 @@
cd "$OLDPWD" cd "$OLDPWD"
export BW_ITEM_WORKERS=$(expr "$(sysctl -n hw.logicalcpu)" '*' 12 '/' 10) export BW_ITEM_WORKERS=$(expr "$(nproc)" '*' 12 '/' 10)
export BW_NODE_WORKERS=$(expr 320 '/' "$BW_ITEM_WORKERS") export BW_NODE_WORKERS=$(expr 320 '/' "$BW_ITEM_WORKERS")

6
bundles/macbook/files/gnu
View file

@ -2,5 +2,7 @@
cd "$OLDPWD" cd "$OLDPWD"
PATH_add "/opt/homebrew/opt/gnu-sed/libexec/gnubin" GNU_PATH="$HOME/.local/gnu_bin"
PATH_add "/opt/homebrew/opt/grep/libexec/gnubin" mkdir -p "$GNU_PATH"
test -f "$GNU_PATH/sed" || ln -s "$(which gsed)" "$GNU_PATH/sed"
PATH_add "$GNU_PATH"

2
bundles/macbook/files/macbook-update
View file

@ -18,7 +18,7 @@ git -C ~/.zsh/oh-my-zsh pull
brew upgrade brew upgrade
brew upgrade --cask --greedy brew upgrade --cask --greedy
pyenv install --skip-existing pyenv install --keep-existing
sudo softwareupdate -ia --verbose sudo softwareupdate -ia --verbose

4
bundles/macbook/files/venv
View file

@ -19,9 +19,5 @@ if test "$DELTA" -gt 86400
then then
python3 -m pip --require-virtualenv install pip wheel --upgrade python3 -m pip --require-virtualenv install pip wheel --upgrade
python3 -m pip --require-virtualenv install -r requirements.txt --upgrade python3 -m pip --require-virtualenv install -r requirements.txt --upgrade
if test -e optional-requirements.txt
then
python3 -m pip --require-virtualenv install -r optional-requirements.txt --upgrade
fi
date +%s > .pip_upgrade_timestamp date +%s > .pip_upgrade_timestamp
fi fi

18
bundles/mailserver-autoconfig/files/autodiscover.php
View file

@ -1,6 +1,6 @@
<?php <?php
// https://raw.githubusercontent.com/Radiergummi/autodiscover/master/autodiscover/autodiscover.php
/******************************** /********************************
* Autodiscover responder * Autodiscover responder
@ -15,38 +15,38 @@
* domain names, adjust ports and SSL. * domain names, adjust ports and SSL.
*/ */
//get raw POST data so we can extract the email address
$request = file_get_contents("php://input"); $request = file_get_contents("php://input");
// optional debug log
# file_put_contents( 'request.log', $request, FILE_APPEND ); # file_put_contents( 'request.log', $request, FILE_APPEND );
// retrieve email address from client request
preg_match( "/\<EMailAddress\>(.*?)\<\/EMailAddress\>/", $request, $email ); preg_match( "/\<EMailAddress\>(.*?)\<\/EMailAddress\>/", $request, $email );
// check for invalid mail, to prevent XSS
if (filter_var($email[1], FILTER_VALIDATE_EMAIL) === false) { if (filter_var($email[1], FILTER_VALIDATE_EMAIL) === false) {
throw new Exception('Invalid E-Mail provided'); throw new Exception('Invalid E-Mail provided');
} }
// get domain from email address
$domain = substr( strrchr( $email[1], "@" ), 1 ); $domain = substr( strrchr( $email[1], "@" ), 1 );
/************************************** /**************************************
* Port and server settings below * * Port and server settings below *
**************************************/ **************************************/
// IMAP settings
$imapServer = 'imap.' . $domain; // imap.example.com $imapServer = 'imap.' . $domain; // imap.example.com
$imapPort = 993; $imapPort = 993;
$imapSSL = true; $imapSSL = true;
// SMTP settings
$smtpServer = 'smtp.' . $domain; // smtp.example.com $smtpServer = 'smtp.' . $domain; // smtp.example.com
$smtpPort = 587; $smtpPort = 587;
$smtpSSL = true; $smtpSSL = true;
//set Content-Type
header( 'Content-Type: application/xml' ); header( 'Content-Type: application/xml' );
?> ?>
<?php echo '<?xml version="1.0" encoding="utf-8" ?>'; ?> <?php echo '<?xml version="1.0" encoding="utf-8" ?>'; ?>

6
bundles/mailserver/metadata.py
View file

@ -33,12 +33,6 @@ defaults = {
'mountpoint': '/var/vmail', 'mountpoint': '/var/vmail',
'compression': 'on', 'compression': 'on',
}, },
'tank/vmail/index': {
'mountpoint': '/var/vmail/index',
'compression': 'on',
'com.sun:auto-snapshot': 'false',
'backup': False,
},
}, },
}, },
} }

2
bundles/mariadb/items.py
View file

@ -13,7 +13,6 @@ directories = {
], ],
'needed_by': [ 'needed_by': [
'pkg_apt:mariadb-server', 'pkg_apt:mariadb-server',
'pkg_apt:mariadb-client',
], ],
}, },
} }
@ -31,7 +30,6 @@ svc_systemd = {
'mariadb.service': { 'mariadb.service': {
'needs': [ 'needs': [
'pkg_apt:mariadb-server', 'pkg_apt:mariadb-server',
'pkg_apt:mariadb-client',
], ],
}, },
} }

11
bundles/mariadb/metadata.py
View file

@ -1,16 +1,7 @@
defaults = { defaults = {
'apt': { 'apt': {
'packages': { 'packages': {
'mariadb-server': { 'mariadb-server': {},
'needs': {
'zfs_dataset:tank/mariadb',
},
},
'mariadb-client': {
'needs': {
'zfs_dataset:tank/mariadb',
},
},
}, },
}, },
'mariadb': { 'mariadb': {

73
bundles/network/metadata.py
View file

@ -5,89 +5,38 @@ defaults = {
} }
@metadata_reactor.provides(
'network',
)
def dhcp(metadata):
networks = {}
for network_name, network_conf in metadata.get('network').items():
_interface = ip_interface(network_conf['ipv4'])
_ip = _interface.ip
_network = _interface.network
_hosts = list(_network.hosts())
if network_conf.get('dhcp_server', False):
networks[network_name] = {
'dhcp_server_config': {
'subnet': str(_network),
'pool_from': str(_hosts[len(_hosts)//2]),
'pool_to': str(_hosts[-3]),
'router': str(_ip),
'domain-name-servers': str(_ip),
}
}
return {
'network': networks,
}
@metadata_reactor.provides( @metadata_reactor.provides(
'systemd/units', 'systemd/units',
) )
def units(metadata): def units(metadata):
units = {} units = {}
for network_name, network_conf in metadata.get('network').items(): for type, network in metadata.get('network').items():
interface_type = network_conf.get('type', None) units[f'{type}.network'] = {
# network
units[f'{network_name}.network'] = {
'Match': { 'Match': {
'Name': network_name if interface_type == 'vlan' else network_conf['interface'], 'Name': network['interface'],
}, },
'Network': { 'Network': {
'DHCP': network_conf.get('dhcp', 'no'), 'DHCP': network.get('dhcp', 'no'),
'IPv6AcceptRA': network_conf.get('dhcp', 'no'), 'IPv6AcceptRA': network.get('dhcp', 'no'),
'VLAN': set(network_conf.get('vlans', set()))
} }
} }
# type
if interface_type:
units[f'{network_name}.network']['Match']['Type'] = interface_type
# ips
for i in [4, 6]: for i in [4, 6]:
if network_conf.get(f'ipv{i}', None): if network.get(f'ipv{i}', None):
units[f'{network_name}.network'].update({ units[f'{type}.network'].update({
f'Address#ipv{i}': { f'Address#ipv{i}': {
'Address': network_conf[f'ipv{i}'], 'Address': network[f'ipv{i}'],
}, },
}) })
if f'gateway{i}' in network_conf: if f'gateway{i}' in network:
units[f'{network_name}.network'].update({ units[f'{type}.network'].update({
f'Route#ipv{i}': { f'Route#ipv{i}': {
'Gateway': network_conf[f'gateway{i}'], 'Gateway': network[f'gateway{i}'],
'GatewayOnlink': 'yes', 'GatewayOnlink': 'yes',
} }
}) })
# as vlan
if interface_type == 'vlan':
units[f"{network_name}.netdev"] = {
'NetDev': {
'Name': network_name,
'Kind': 'vlan',
},
'VLAN': {
'Id': network_conf['id'],
}
}
return { return {
'systemd': { 'systemd': {

1
bundles/nextcloud/metadata.py
View file

@ -142,7 +142,6 @@ def config(metadata):
'versions_retention_obligation': 'auto, 90', 'versions_retention_obligation': 'auto, 90',
'simpleSignUpLink.shown': False, 'simpleSignUpLink.shown': False,
'allow_local_remote_servers': True, # FIXME? 'allow_local_remote_servers': True, # FIXME?
'maintenance_window_start': 1, # https://docs.nextcloud.com/server/29/admin_manual/configuration_server/background_jobs_configuration.html#maintenance-window-start
}, },
}, },
} }

5
bundles/nginx/files/nginx.conf
View file

@ -1,6 +1,6 @@
pid /var/run/nginx.pid; pid /var/run/nginx.pid;
user www-data; user www-data;
worker_processes ${worker_processes}; worker_processes 10;
% for module in sorted(modules): % for module in sorted(modules):
load_module modules/ngx_${module}_module.so; load_module modules/ngx_${module}_module.so;
@ -21,9 +21,6 @@ http {
server_names_hash_bucket_size 128; server_names_hash_bucket_size 128;
tcp_nopush on; tcp_nopush on;
client_max_body_size 32G; client_max_body_size 32G;
ssl_dhparam "/etc/ssl/certs/dhparam.pem";
# dont show nginx version
server_tokens off;
% if node.has_bundle('php'): % if node.has_bundle('php'):
upstream php-handler { upstream php-handler {

3
bundles/nginx/items.py
View file

@ -32,7 +32,6 @@ files = {
'content_type': 'mako', 'content_type': 'mako',
'context': { 'context': {
'modules': node.metadata.get('nginx/modules'), 'modules': node.metadata.get('nginx/modules'),
'worker_processes': node.metadata.get('vm/cores'),
}, },
'triggers': { 'triggers': {
'svc_systemd:nginx:restart', 'svc_systemd:nginx:restart',
@ -77,7 +76,7 @@ files = {
actions = { actions = {
'nginx-generate-dhparam': { 'nginx-generate-dhparam': {
'command': 'openssl dhparam -dsaparam -out /etc/ssl/certs/dhparam.pem 4096', 'command': 'openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048',
'unless': 'test -f /etc/ssl/certs/dhparam.pem', 'unless': 'test -f /etc/ssl/certs/dhparam.pem',
}, },
} }

12
bundles/php/items.py
View file

@ -1,3 +1,9 @@
from os.path import join
import json
from bundlewrap.utils.dicts import merge_dict
version = node.metadata.get('php/version') version = node.metadata.get('php/version')
files = { files = {
@ -15,7 +21,7 @@ files = {
f'pkg_apt:php{version}-fpm', f'pkg_apt:php{version}-fpm',
}, },
'triggers': { 'triggers': {
f'svc_systemd:php{version}-fpm.service:restart', f'svc_systemd:php{version}-fpm:restart',
}, },
}, },
f'/etc/php/{version}/fpm/pool.d/www.conf': { f'/etc/php/{version}/fpm/pool.d/www.conf': {
@ -27,13 +33,13 @@ files = {
f'pkg_apt:php{version}-fpm', f'pkg_apt:php{version}-fpm',
}, },
'triggers': { 'triggers': {
f'svc_systemd:php{version}-fpm.service:restart', f'svc_systemd:php{version}-fpm:restart',
}, },
}, },
} }
svc_systemd = { svc_systemd = {
f'php{version}-fpm.service': { f'php{version}-fpm': {
'needs': { 'needs': {
'pkg_apt:', 'pkg_apt:',
f'file:/etc/php/{version}/fpm/php.ini', f'file:/etc/php/{version}/fpm/php.ini',

2
bundles/php/metadata.py
View file

@ -145,7 +145,7 @@ def www_conf(metadata):
'pm': 'dynamic', 'pm': 'dynamic',
'pm.max_children': int(threads*2), 'pm.max_children': int(threads*2),
'pm.start_servers': int(threads), 'pm.start_servers': int(threads),
'pm.min_spare_servers': max([1, int(threads/2)]), 'pm.min_spare_servers': int(threads/2),
'pm.max_spare_servers': int(threads), 'pm.max_spare_servers': int(threads),
'pm.max_requests': int(threads*32), 'pm.max_requests': int(threads*32),
}, },

4
bundles/postfix/items.py
View file

@ -86,8 +86,6 @@ if node.has_bundle('telegraf'):
'needs': [ 'needs': [
'pkg_apt:acl', 'pkg_apt:acl',
'svc_systemd:postfix', 'svc_systemd:postfix',
'svc_systemd:postfix:reload',
'svc_systemd:postfix:restart',
], ],
} }
actions['postfix_setfacl_default_telegraf'] = { actions['postfix_setfacl_default_telegraf'] = {
@ -96,7 +94,5 @@ if node.has_bundle('telegraf'):
'needs': [ 'needs': [
'pkg_apt:acl', 'pkg_apt:acl',
'svc_systemd:postfix', 'svc_systemd:postfix',
'svc_systemd:postfix:reload',
'svc_systemd:postfix:restart',
], ],
} }

15
bundles/postgresql/items.py
View file

@ -12,7 +12,7 @@ directories = {
'zfs_dataset:tank/postgresql', 'zfs_dataset:tank/postgresql',
], ],
'needed_by': [ 'needed_by': [
'svc_systemd:postgresql.service', 'svc_systemd:postgresql',
], ],
} }
} }
@ -25,19 +25,16 @@ files = {
) + '\n', ) + '\n',
'owner': 'postgres', 'owner': 'postgres',
'group': 'postgres', 'group': 'postgres',
'needs': [
'pkg_apt:postgresql',
],
'needed_by': [ 'needed_by': [
'svc_systemd:postgresql.service', 'svc_systemd:postgresql',
], ],
'triggers': [ 'triggers': [
'svc_systemd:postgresql.service:restart', 'svc_systemd:postgresql:restart',
], ],
}, },
} }
svc_systemd['postgresql.service'] = { svc_systemd['postgresql'] = {
'needs': [ 'needs': [
'pkg_apt:postgresql', 'pkg_apt:postgresql',
], ],
@ -46,13 +43,13 @@ svc_systemd['postgresql.service'] = {
for user, config in node.metadata.get('postgresql/roles').items(): for user, config in node.metadata.get('postgresql/roles').items():
postgres_roles[user] = merge_dict(config, { postgres_roles[user] = merge_dict(config, {
'needs': [ 'needs': [
'svc_systemd:postgresql.service', 'svc_systemd:postgresql',
], ],
}) })
for database, config in node.metadata.get('postgresql/databases').items(): for database, config in node.metadata.get('postgresql/databases').items():
postgres_dbs[database] = merge_dict(config, { postgres_dbs[database] = merge_dict(config, {
'needs': [ 'needs': [
'svc_systemd:postgresql.service', 'svc_systemd:postgresql',
], ],
}) })

6
bundles/postgresql/metadata.py
View file

@ -6,11 +6,7 @@ root_password = repo.vault.password_for(f'{node.name} postgresql root')
defaults = { defaults = {
'apt': { 'apt': {
'packages': { 'packages': {
'postgresql': { 'postgresql': {},
'needs': {
'zfs_dataset:tank/postgresql',
},
},
}, },
}, },
'backup': { 'backup': {

25
bundles/pyenv/items.py
View file

@ -1,25 +0,0 @@
from shlex import quote
directories = {
'/opt/pyenv': {},
'/opt/pyenv/install': {},
}
git_deploy = {
'/opt/pyenv/install': {
'repo': 'https://github.com/pyenv/pyenv.git',
'rev': 'master',
'needs': {
'directory:/opt/pyenv/install',
},
},
}
for version in node.metadata.get('pyenv/versions'):
actions[f'pyenv_install_{version}'] = {
'command': f'PYENV_ROOT=/opt/pyenv /opt/pyenv/install/bin/pyenv install {quote(version)}',
'unless': f'PYENV_ROOT=/opt/pyenv /opt/pyenv/install/bin/pyenv versions --bare | grep -Fxq {quote(version)}',
'needs': {
'git_deploy:/opt/pyenv/install',
},
}

23
bundles/pyenv/metadata.py
View file

@ -1,23 +0,0 @@
defaults = {
'apt': {
'packages': {
'build-essential': {},
'libssl-dev': {},
'zlib1g-dev': {},
'libbz2-dev': {},
'libreadline-dev': {},
'libsqlite3-dev': {},
'curl': {},
'libncurses-dev': {},
'xz-utils': {},
'tk-dev': {},
'libxml2-dev': {},
'libxmlsec1-dev': {},
'libffi-dev': {},
'liblzma-dev': {},
},
},
'pyenv': {
'versions': set(),
},
}

64
bundles/roundcube/files/config.inc.php
View file

@ -6,16 +6,80 @@ $config['enable_installer'] = true;
/* Local configuration for Roundcube Webmail */ /* Local configuration for Roundcube Webmail */
// ----------------------------------
// SQL DATABASE
// ----------------------------------
// Database connection string (DSN) for read+write operations
// Format (compatible with PEAR MDB2): db_provider://user:password@host/database
// Currently supported db_providers: mysql, pgsql, sqlite, mssql or sqlsrv
// For examples see http://pear.php.net/manual/en/package.database.mdb2.intro-dsn.php
// NOTE: for SQLite use absolute path: 'sqlite:////full/path/to/sqlite.db?mode=0646'
$config['db_dsnw'] = '${database['provider']}://${database['user']}:${database['password']}@${database['host']}/${database['name']}'; $config['db_dsnw'] = '${database['provider']}://${database['user']}:${database['password']}@${database['host']}/${database['name']}';
// ----------------------------------
// IMAP
// ----------------------------------
// The mail host chosen to perform the log-in.
// Leave blank to show a textbox at login, give a list of hosts
// to display a pulldown menu or set one host as string.
// To use SSL/TLS connection, enter hostname with prefix ssl:// or tls://
// Supported replacement variables:
// %n - hostname ($_SERVER['SERVER_NAME'])
// %t - hostname without the first part
// %d - domain (http hostname $_SERVER['HTTP_HOST'] without the first part)
// %s - domain name after the '@' from e-mail address provided at login screen
// For example %n = mail.domain.tld, %t = domain.tld
// WARNING: After hostname change update of mail_host column in users table is
// required to match old user data records with the new host.
$config['imap_host'] = 'localhost'; $config['imap_host'] = 'localhost';
// ----------------------------------
// SMTP
// ----------------------------------
// SMTP server host (for sending mails).
// To use SSL/TLS connection, enter hostname with prefix ssl:// or tls://
// If left blank, the PHP mail() function is used
// Supported replacement variables:
// %h - user's IMAP hostname
// %n - hostname ($_SERVER['SERVER_NAME'])
// %t - hostname without the first part
// %d - domain (http hostname $_SERVER['HTTP_HOST'] without the first part)
// %z - IMAP domain (IMAP hostname without the first part)
// For example %n = mail.domain.tld, %t = domain.tld
$config['smtp_host'] = 'tls://localhost'; $config['smtp_host'] = 'tls://localhost';
// SMTP username (if required) if you use %u as the username Roundcube
// will use the current username for login
$config['smtp_user'] = '%u'; $config['smtp_user'] = '%u';
// SMTP password (if required) if you use %p as the password Roundcube
// will use the current user's password for login
$config['smtp_pass'] = '%p'; $config['smtp_pass'] = '%p';
// provide an URL where a user can get support for this Roundcube installation
// PLEASE DO NOT LINK TO THE ROUNDCUBE.NET WEBSITE HERE!
$config['support_url'] = ''; $config['support_url'] = '';
// this key is used to encrypt the users imap password which is stored
// in the session record (and the client cookie if remember password is enabled).
// please provide a string of exactly 24 chars.
$config['des_key'] = '${des_key}'; $config['des_key'] = '${des_key}';
// Name your service. This is displayed on the login screen and in the window title
$config['product_name'] = '${product_name}'; $config['product_name'] = '${product_name}';
// ----------------------------------
// PLUGINS
// ----------------------------------
// List of active plugins (in plugins/ directory)
$config['plugins'] = array(${', '.join(f'"{plugin}"' for plugin in plugins)}); $config['plugins'] = array(${', '.join(f'"{plugin}"' for plugin in plugins)});
// the default locale setting (leave empty for auto-detection)
// RFC1766 formatted language name like en_US, de_DE, de_CH, fr_FR, pt_BR
$config['language'] = 'de_DE'; $config['language'] = 'de_DE';
// https://serverfault.com/a/991304
$config['smtp_conn_options'] = array( $config['smtp_conn_options'] = array(
'ssl' => array( 'ssl' => array(
'verify_peer' => false, 'verify_peer' => false,

2
bundles/roundcube/files/password.config.inc.php
View file

@ -1,5 +1,7 @@
<?php <?php
// https://github.com/roundcube/roundcubemail/blob/357cc90001f997fd223fb48fcede6040f527c2f4/plugins/password/config.inc.php.dist
$config['password_driver'] = 'sql'; $config['password_driver'] = 'sql';
$config['password_strength_driver'] = null; $config['password_strength_driver'] = null;
$config['password_confirm_current'] = true; $config['password_confirm_current'] = true;

16
bundles/roundcube/items.py
View file

@ -1,8 +1,7 @@
assert node.has_bundle('php') assert node.has_bundle('php')
assert node.has_bundle('mailserver') assert node.has_bundle('mailserver')
roundcube_version = node.metadata.get('roundcube/version') version = node.metadata.get('roundcube/version')
php_version = node.metadata.get('php/version')
directories = { directories = {
'/opt/roundcube': { '/opt/roundcube': {
@ -23,9 +22,9 @@ directories = {
} }
files[f'/tmp/roundcube-{roundcube_version}.tar.gz'] = { files[f'/tmp/roundcube-{version}.tar.gz'] = {
'content_type': 'download', 'content_type': 'download',
'source': f'https://github.com/roundcube/roundcubemail/releases/download/{roundcube_version}/roundcubemail-{roundcube_version}-complete.tar.gz', 'source': f'https://github.com/roundcube/roundcubemail/releases/download/{version}/roundcubemail-{version}-complete.tar.gz',
'triggered': True, 'triggered': True,
} }
actions['delete_roundcube'] = { actions['delete_roundcube'] = {
@ -33,11 +32,11 @@ actions['delete_roundcube'] = {
'triggered': True, 'triggered': True,
} }
actions['extract_roundcube'] = { actions['extract_roundcube'] = {
'command': f'tar xfvz /tmp/roundcube-{roundcube_version}.tar.gz --strip 1 -C /opt/roundcube', 'command': f'tar xfvz /tmp/roundcube-{version}.tar.gz --strip 1 -C /opt/roundcube',
'unless': f'grep -q "Version {roundcube_version}" /opt/roundcube/index.php', 'unless': f'grep -q "Version {version}" /opt/roundcube/index.php',
'preceded_by': [ 'preceded_by': [
'action:delete_roundcube', 'action:delete_roundcube',
f'file:/tmp/roundcube-{roundcube_version}.tar.gz', f'file:/tmp/roundcube-{version}.tar.gz',
], ],
'needs': [ 'needs': [
'directory:/opt/roundcube', 'directory:/opt/roundcube',
@ -65,9 +64,6 @@ files['/opt/roundcube/config/config.inc.php'] = {
'needs': [ 'needs': [
'action:chown_roundcube', 'action:chown_roundcube',
], ],
'triggers': [
f'svc_systemd:php{php_version}-fpm.service:restart',
],
} }
files['/opt/roundcube/plugins/password/config.inc.php'] = { files['/opt/roundcube/plugins/password/config.inc.php'] = {
'source': 'password.config.inc.php', 'source': 'password.config.inc.php',

1
bundles/ssh/files/sshd_config
View file

@ -21,4 +21,3 @@ ClientAliveInterval 30
ClientAliveCountMax 5 ClientAliveCountMax 5
AcceptEnv LANG AcceptEnv LANG
Subsystem sftp /usr/lib/openssh/sftp-server Subsystem sftp /usr/lib/openssh/sftp-server
HostKey /etc/ssh/ssh_host_managed_key

4
bundles/ssh/items.py
View file

@ -51,14 +51,14 @@ files = {
], ],
'skip': dont_touch_sshd, 'skip': dont_touch_sshd,
}, },
'/etc/ssh/ssh_host_managed_key': { '/etc/ssh/ssh_host_ed25519_key': {
'content': node.metadata.get('ssh/host_key/private') + '\n', 'content': node.metadata.get('ssh/host_key/private') + '\n',
'mode': '0600', 'mode': '0600',
'triggers': [ 'triggers': [
'svc_systemd:ssh:restart' 'svc_systemd:ssh:restart'
], ],
}, },
'/etc/ssh/ssh_host_managed_key.pub': { '/etc/ssh/ssh_host_ed25519_key.pub': {
'content': node.metadata.get('ssh/host_key/public') + '\n', 'content': node.metadata.get('ssh/host_key/public') + '\n',
'mode': '0644', 'mode': '0644',
'triggers': [ 'triggers': [

2
bundles/systemd-journald/items.py
View file

@ -1,7 +1,7 @@
files = { files = {
'/etc/systemd/journald.conf.d/managed.conf': { '/etc/systemd/journald.conf.d/managed.conf': {
'content': repo.libs.systemd.generate_unitfile({ 'content': repo.libs.systemd.generate_unitfile({
'Journal': node.metadata.get('systemd-journald'), 'Jorunal': node.metadata.get('systemd-journald'),
}), }),
'triggers': { 'triggers': {
'svc_systemd:systemd-journald:restart', 'svc_systemd:systemd-journald:restart',

2
bundles/systemd-timers/metadata.py
View file

@ -42,8 +42,6 @@ def systemd(metadata):
units[f'{name}.service']['Service']['SuccessExitStatus'] = config['success_exit_status'] units[f'{name}.service']['Service']['SuccessExitStatus'] = config['success_exit_status']
if config.get('kill_mode'): if config.get('kill_mode'):
units[f'{name}.service']['Service']['KillMode'] = config['kill_mode'] units[f'{name}.service']['Service']['KillMode'] = config['kill_mode']
if config.get('RuntimeMaxSec'):
units[f'{name}.service']['Service']['RuntimeMaxSec'] = config['RuntimeMaxSec']
services[f'{name}.timer'] = {} services[f'{name}.timer'] = {}

2
bundles/telegraf/items.py
View file

@ -9,7 +9,7 @@ files = {
node.metadata.get('telegraf/config'), node.metadata.get('telegraf/config'),
cls=MetadataJSONEncoder, cls=MetadataJSONEncoder,
)), )),
sort_keys=True, sort_keys=True
), ),
'triggers': [ 'triggers': [
'svc_systemd:telegraf:restart', 'svc_systemd:telegraf:restart',

4
bundles/telegraf/metadata.py
View file

@ -7,8 +7,6 @@ defaults = {
# needed by crystal plugins: # needed by crystal plugins:
'libgc-dev': {}, 'libgc-dev': {},
'libevent-dev': {}, 'libevent-dev': {},
# crystal based (procio, pressure_stall):
'libpcre3': {},
}, },
'sources': { 'sources': {
'influxdata': { 'influxdata': {
@ -58,7 +56,7 @@ defaults = {
'procstat': {h({ 'procstat': {h({
'interval': '60s', 'interval': '60s',
'pattern': '.', 'pattern': '.',
'fieldinclude': [ 'fieldpass': [
'cpu_usage', 'cpu_usage',
'memory_rss', 'memory_rss',
], ],

10
bundles/wordpress/metadata.py
View file

@ -1,12 +1,4 @@
defaults = { defaults = {}
'php': {
'php.ini': {
'cgi': {
'fix_pathinfo': '0',
},
},
},
}
@metadata_reactor.provides( @metadata_reactor.provides(

1
bundles/zfs/items.py
View file

@ -6,7 +6,6 @@ files = {
'/etc/cron.weekly/zfs-auto-snapshot': {'delete': True, 'needs': {'pkg_apt:zfs-auto-snapshot'}}, '/etc/cron.weekly/zfs-auto-snapshot': {'delete': True, 'needs': {'pkg_apt:zfs-auto-snapshot'}},
'/etc/cron.monthly/zfs-auto-snapshot': {'delete': True, 'needs': {'pkg_apt:zfs-auto-snapshot'}}, '/etc/cron.monthly/zfs-auto-snapshot': {'delete': True, 'needs': {'pkg_apt:zfs-auto-snapshot'}},
'/etc/modprobe.d/zfs.conf': { '/etc/modprobe.d/zfs.conf': {
'content_type': 'text',
'content': '\n'.join( 'content': '\n'.join(
f'options zfs {k}={v}' f'options zfs {k}={v}'
for k, v in node.metadata.get('zfs/kernel_params').items() for k, v in node.metadata.get('zfs/kernel_params').items()

5
bundles/zfs/metadata.py
View file

@ -122,7 +122,10 @@ def backup(metadata):
'apt/packages' 'apt/packages'
) )
def headers(metadata): def headers(metadata):
arch = metadata.get('system/architecture') if node.in_group('raspberry-pi'):
arch = 'arm64'
else:
arch = 'amd64'
return { return {
'apt': { 'apt': {

19
bundles/zsh/items.py
View file

@ -9,7 +9,6 @@ directories = {
] ]
}, },
'/etc/zsh/oh-my-zsh/custom/plugins/zsh-autosuggestions': { '/etc/zsh/oh-my-zsh/custom/plugins/zsh-autosuggestions': {
'mode': '0755',
'needs': [ 'needs': [
f"git_deploy:/etc/zsh/oh-my-zsh", f"git_deploy:/etc/zsh/oh-my-zsh",
] ]
@ -28,30 +27,14 @@ git_deploy = {
} }
files = { files = {
'/etc/zsh/zprofile': { '/etc/zsh/zprofile': {},
'mode': '0755',
},
'/etc/zsh/oh-my-zsh/themes/bw.zsh-theme': { '/etc/zsh/oh-my-zsh/themes/bw.zsh-theme': {
'mode': '0755',
'needs': [ 'needs': [
f"git_deploy:/etc/zsh/oh-my-zsh", f"git_deploy:/etc/zsh/oh-my-zsh",
] ]
}, },
} }
actions = {
'chown_oh_my_zsh': {
'command': 'chmod -R 755 /etc/zsh/oh-my-zsh',
'triggered': True,
'triggered_by': [
"git_deploy:/etc/zsh/oh-my-zsh",
"git_deploy:/etc/zsh/oh-my-zsh/custom/plugins/zsh-autosuggestions",
"file:/etc/zsh/zprofile",
"file:/etc/zsh/oh-my-zsh/themes/bw.zsh-theme",
],
},
}
for name, user_config in node.metadata.get('users').items(): for name, user_config in node.metadata.get('users').items():
if user_config.get('shell', None) == '/usr/bin/zsh': if user_config.get('shell', None) == '/usr/bin/zsh':
files[join(user_config['home'], '.zshrc')] = { files[join(user_config['home'], '.zshrc')] = {

62
data/apt/keys/docker.asc
View file

@ -1,62 +0,0 @@
-----BEGIN PGP PUBLIC KEY BLOCK-----
mQINBFit2ioBEADhWpZ8/wvZ6hUTiXOwQHXMAlaFHcPH9hAtr4F1y2+OYdbtMuth
lqqwp028AqyY+PRfVMtSYMbjuQuu5byyKR01BbqYhuS3jtqQmljZ/bJvXqnmiVXh
38UuLa+z077PxyxQhu5BbqntTPQMfiyqEiU+BKbq2WmANUKQf+1AmZY/IruOXbnq
L4C1+gJ8vfmXQt99npCaxEjaNRVYfOS8QcixNzHUYnb6emjlANyEVlZzeqo7XKl7
UrwV5inawTSzWNvtjEjj4nJL8NsLwscpLPQUhTQ+7BbQXAwAmeHCUTQIvvWXqw0N
cmhh4HgeQscQHYgOJjjDVfoY5MucvglbIgCqfzAHW9jxmRL4qbMZj+b1XoePEtht
ku4bIQN1X5P07fNWzlgaRL5Z4POXDDZTlIQ/El58j9kp4bnWRCJW0lya+f8ocodo
vZZ+Doi+fy4D5ZGrL4XEcIQP/Lv5uFyf+kQtl/94VFYVJOleAv8W92KdgDkhTcTD
G7c0tIkVEKNUq48b3aQ64NOZQW7fVjfoKwEZdOqPE72Pa45jrZzvUFxSpdiNk2tZ
XYukHjlxxEgBdC/J3cMMNRE1F4NCA3ApfV1Y7/hTeOnmDuDYwr9/obA8t016Yljj
q5rdkywPf4JF8mXUW5eCN1vAFHxeg9ZWemhBtQmGxXnw9M+z6hWwc6ahmwARAQAB
tCtEb2NrZXIgUmVsZWFzZSAoQ0UgZGViKSA8ZG9ja2VyQGRvY2tlci5jb20+iQI3
BBMBCgAhBQJYrefAAhsvBQsJCAcDBRUKCQgLBRYCAwEAAh4BAheAAAoJEI2BgDwO
v82IsskP/iQZo68flDQmNvn8X5XTd6RRaUH33kXYXquT6NkHJciS7E2gTJmqvMqd
tI4mNYHCSEYxI5qrcYV5YqX9P6+Ko+vozo4nseUQLPH/ATQ4qL0Zok+1jkag3Lgk
jonyUf9bwtWxFp05HC3GMHPhhcUSexCxQLQvnFWXD2sWLKivHp2fT8QbRGeZ+d3m
6fqcd5Fu7pxsqm0EUDK5NL+nPIgYhN+auTrhgzhK1CShfGccM/wfRlei9Utz6p9P
XRKIlWnXtT4qNGZNTN0tR+NLG/6Bqd8OYBaFAUcue/w1VW6JQ2VGYZHnZu9S8LMc
FYBa5Ig9PxwGQOgq6RDKDbV+PqTQT5EFMeR1mrjckk4DQJjbxeMZbiNMG5kGECA8
g383P3elhn03WGbEEa4MNc3Z4+7c236QI3xWJfNPdUbXRaAwhy/6rTSFbzwKB0Jm
ebwzQfwjQY6f55MiI/RqDCyuPj3r3jyVRkK86pQKBAJwFHyqj9KaKXMZjfVnowLh
9svIGfNbGHpucATqREvUHuQbNnqkCx8VVhtYkhDb9fEP2xBu5VvHbR+3nfVhMut5
G34Ct5RS7Jt6LIfFdtcn8CaSas/l1HbiGeRgc70X/9aYx/V/CEJv0lIe8gP6uDoW
FPIZ7d6vH+Vro6xuWEGiuMaiznap2KhZmpkgfupyFmplh0s6knymuQINBFit2ioB
EADneL9S9m4vhU3blaRjVUUyJ7b/qTjcSylvCH5XUE6R2k+ckEZjfAMZPLpO+/tF
M2JIJMD4SifKuS3xck9KtZGCufGmcwiLQRzeHF7vJUKrLD5RTkNi23ydvWZgPjtx
Q+DTT1Zcn7BrQFY6FgnRoUVIxwtdw1bMY/89rsFgS5wwuMESd3Q2RYgb7EOFOpnu
w6da7WakWf4IhnF5nsNYGDVaIHzpiqCl+uTbf1epCjrOlIzkZ3Z3Yk5CM/TiFzPk
z2lLz89cpD8U+NtCsfagWWfjd2U3jDapgH+7nQnCEWpROtzaKHG6lA3pXdix5zG8
eRc6/0IbUSWvfjKxLLPfNeCS2pCL3IeEI5nothEEYdQH6szpLog79xB9dVnJyKJb
VfxXnseoYqVrRz2VVbUI5Blwm6B40E3eGVfUQWiux54DspyVMMk41Mx7QJ3iynIa
1N4ZAqVMAEruyXTRTxc9XW0tYhDMA/1GYvz0EmFpm8LzTHA6sFVtPm/ZlNCX6P1X
zJwrv7DSQKD6GGlBQUX+OeEJ8tTkkf8QTJSPUdh8P8YxDFS5EOGAvhhpMBYD42kQ
pqXjEC+XcycTvGI7impgv9PDY1RCC1zkBjKPa120rNhv/hkVk/YhuGoajoHyy4h7
ZQopdcMtpN2dgmhEegny9JCSwxfQmQ0zK0g7m6SHiKMwjwARAQABiQQ+BBgBCAAJ
BQJYrdoqAhsCAikJEI2BgDwOv82IwV0gBBkBCAAGBQJYrdoqAAoJEH6gqcPyc/zY
1WAP/2wJ+R0gE6qsce3rjaIz58PJmc8goKrir5hnElWhPgbq7cYIsW5qiFyLhkdp
YcMmhD9mRiPpQn6Ya2w3e3B8zfIVKipbMBnke/ytZ9M7qHmDCcjoiSmwEXN3wKYI
mD9VHONsl/CG1rU9Isw1jtB5g1YxuBA7M/m36XN6x2u+NtNMDB9P56yc4gfsZVES
KA9v+yY2/l45L8d/WUkUi0YXomn6hyBGI7JrBLq0CX37GEYP6O9rrKipfz73XfO7
JIGzOKZlljb/D9RX/g7nRbCn+3EtH7xnk+TK/50euEKw8SMUg147sJTcpQmv6UzZ
cM4JgL0HbHVCojV4C/plELwMddALOFeYQzTif6sMRPf+3DSj8frbInjChC3yOLy0
6br92KFom17EIj2CAcoeq7UPhi2oouYBwPxh5ytdehJkoo+sN7RIWua6P2WSmon5
U888cSylXC0+ADFdgLX9K2zrDVYUG1vo8CX0vzxFBaHwN6Px26fhIT1/hYUHQR1z
VfNDcyQmXqkOnZvvoMfz/Q0s9BhFJ/zU6AgQbIZE/hm1spsfgvtsD1frZfygXJ9f
irP+MSAI80xHSf91qSRZOj4Pl3ZJNbq4yYxv0b1pkMqeGdjdCYhLU+LZ4wbQmpCk
SVe2prlLureigXtmZfkqevRz7FrIZiu9ky8wnCAPwC7/zmS18rgP/17bOtL4/iIz
QhxAAoAMWVrGyJivSkjhSGx1uCojsWfsTAm11P7jsruIL61ZzMUVE2aM3Pmj5G+W
9AcZ58Em+1WsVnAXdUR//bMmhyr8wL/G1YO1V3JEJTRdxsSxdYa4deGBBY/Adpsw
24jxhOJR+lsJpqIUeb999+R8euDhRHG9eFO7DRu6weatUJ6suupoDTRWtr/4yGqe
dKxV3qQhNLSnaAzqW/1nA3iUB4k7kCaKZxhdhDbClf9P37qaRW467BLCVO/coL3y
Vm50dwdrNtKpMBh3ZpbB1uJvgi9mXtyBOMJ3v8RZeDzFiG8HdCtg9RvIt/AIFoHR
H3S+U79NT6i0KPzLImDfs8T7RlpyuMc4Ufs8ggyg9v3Ae6cN3eQyxcK3w0cbBwsh
/nQNfsA6uu+9H7NhbehBMhYnpNZyrHzCmzyXkauwRAqoCbGCNykTRwsur9gS41TQ
M8ssD1jFheOJf3hODnkKU+HKjvMROl1DK7zdmLdNzA1cvtZH/nCC9KPj1z8QC47S
xx+dTZSx4ONAhwbS/LN3PoKtn8LPjY9NP9uDWI+TWYquS2U+KHDrBDlsgozDbs/O
jCxcpDzNmXpWQHEtHU7649OXHP7UeNST1mCUCH5qdank0V1iejF6/CfTFU4MfcrG
YT90qFF93M3v01BbxP+EIY2/9tiIPbrd
=0YYh
-----END PGP PUBLIC KEY BLOCK-----

0
data/apt/keys/icinga_.asc → data/apt/keys/icinga.asc
View file

BIN
data/apt/keys/icinga.gpg
View file

Binary file not shown.

53
data/freescout/vhost.conf
View file

@ -1,53 +0,0 @@
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name ${server_name};
ssl_certificate /var/lib/dehydrated/certs/${server_name}/fullchain.pem;
ssl_certificate_key /var/lib/dehydrated/certs/${server_name}/privkey.pem;
root /opt/freescout/public;
index index.php index.html index.htm;
location / {
try_files $uri $uri/ /index.php?$query_string;
}
location ~ \.php$ {
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass php-handler;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include params/fastcgi;
}
# Uncomment this location if you want to improve attachments downloading speed.
# Also make sure to set APP_DOWNLOAD_ATTACHMENTS_VIA=nginx in the .env file.
#location ^~ /storage/app/attachment/ {
# internal;
# alias /var/www/html/storage/app/attachment/;
#}
location ~* ^/storage/attachment/ {
expires 1M;
access_log off;
try_files $uri $uri/ /index.php?$query_string;
}
location ~* ^/(?:css|js)/.*\.(?:css|js)$ {
expires 2d;
access_log off;
add_header Cache-Control "public, must-revalidate";
}
# The list should be in sync with /storage/app/public/uploads/.htaccess and /config/app.php
location ~* ^/storage/.*\.((?!(jpg|jpeg|jfif|pjpeg|pjp|apng|bmp|gif|ico|cur|png|tif|tiff|webp|pdf|txt|diff|patch|json|mp3|wav|ogg|wma)).)*$ {
add_header Content-disposition "attachment; filename=$2";
default_type application/octet-stream;
}
location ~* ^/(?:css|fonts|img|installer|js|modules|[^\\\]+\..*)$ {
expires 1M;
access_log off;
add_header Cache-Control "public";
}
location ~ /\. {
deny all;
}
}

22
data/homeassistant/vhost.conf
View file

@ -1,22 +0,0 @@
map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name ${server_name};
ssl_certificate /var/lib/dehydrated/certs/${server_name}/fullchain.pem;
ssl_certificate_key /var/lib/dehydrated/certs/${server_name}/privkey.pem;
location / {
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
proxy_set_header Host $http_host;
proxy_read_timeout 3600;
proxy_pass http://127.0.0.1:8123;
}
}

10
groups/applications/freescout.py
View file

@ -1,10 +0,0 @@
{
'supergroups': [
'webserver',
],
'bundles': [
'freescout',
'php',
'postgresql',
],
}

7
groups/os/linux.py
View file

@ -6,7 +6,6 @@
'hostname', 'hostname',
'hosts', 'hosts',
'htop', 'htop',
'linux',
'locale', 'locale',
'network', 'network',
'ssh', 'ssh',
@ -23,16 +22,16 @@
'metadata': { 'metadata': {
'dns': {}, 'dns': {},
'hosts': { 'hosts': {
'10.0.10.2': [ '10.0.11.3': [
'resolver.name', 'resolver.name',
'secondary.resolver.name', 'secondary.resolver.name',
], ],
}, },
'letsencrypt': { 'letsencrypt': {
'acme_node': 'htz.mails', 'acme_node': 'netcup.mails',
}, },
'nameservers': { 'nameservers': {
'10.0.10.2', '10.0.11.3',
}, },
'systemd-timers': { 'systemd-timers': {
'trim': { 'trim': {

2
items/download.py
View file

@ -3,7 +3,7 @@ from bundlewrap.exceptions import BundleError
from bundlewrap.utils.text import force_text, mark_for_translation as _ from bundlewrap.utils.text import force_text, mark_for_translation as _
from bundlewrap.utils.remote import PathInfo from bundlewrap.utils.remote import PathInfo
import types import types
from shlex import quote from pipes import quote
# Downloaded from https://github.com/bundlewrap/plugins/blob/master/item_download/items/download.py # Downloaded from https://github.com/bundlewrap/plugins/blob/master/item_download/items/download.py
# No, we can't use plugins here, because bw4 won't support them anymore. # No, we can't use plugins here, because bw4 won't support them anymore.

23
libs/postgres.py
View file

@ -1,23 +0,0 @@
from base64 import standard_b64encode
from hashlib import pbkdf2_hmac, sha256
import hmac
def b64enc(b: bytes) -> str:
return standard_b64encode(b).decode('utf8')
def generate_scram_sha_256(password, salt):
if len(salt) != 16:
raise ValueError(f"Salt '{salt}' is not 16, but {len(salt)} characters long.")
digest_len = 32
iterations = 4096
digest_key = pbkdf2_hmac('sha256', password.encode('utf8'), salt, iterations, digest_len)
client_key = hmac.digest(digest_key, 'Client Key'.encode('utf8'), 'sha256')
stored_key = sha256(client_key).digest()
server_key = hmac.digest(digest_key, 'Server Key'.encode('utf8'), 'sha256')
return f'SCRAM-SHA-256${iterations}:{b64enc(salt)}${b64enc(stored_key)}:{b64enc(server_key)}'

7
libs/tools.py
View file

@ -86,10 +86,3 @@ def require_bundle(node, bundle, hint=''):
# way of defining bundle requirements in other bundles. # way of defining bundle requirements in other bundles.
if not node.has_bundle(bundle): if not node.has_bundle(bundle):
raise BundleError(f'{node.name} requires bundle {bundle}, but wasn\'t found! {hint}') raise BundleError(f'{node.name} requires bundle {bundle}, but wasn\'t found! {hint}')
from shlex import quote
def run_as(user, command):
return f'sudo su - {user} -s /bin/bash -c {quote(command)}'

1
nodes/home.backups.py
View file

@ -1,4 +1,5 @@
{ {
'dummy': True,
'hostname': '10.0.0.5', 'hostname': '10.0.0.5',
'groups': [ 'groups': [
'autologin', 'autologin',

112
nodes/home.homeassistant.py
View file

@ -1,112 +0,0 @@
{
'hostname': '10.0.0.16',
'groups': [
'webserver',
'backup',
'monitored',
'raspberry-pi',
'autologin',
],
'bundles': [
'apt',
'homeassistant-supervised',
'hostname',
'hosts',
'htop',
'users',
'ssh',
'sudo',
'locale',
'zsh',
'zfs',
'systemd',
'systemd-timers',
'systemd-journald',
],
'metadata': {
'id': '3d67964d-1270-4d3c-b93f-9c44219b3d59',
'network': {
'internal': {
'interface': 'eth0',
'ipv4': '10.0.0.16/24',
'mac': 'd8:3a:dd:16:fc:9d',
'gateway4': '10.0.0.1',
},
},
'apt': {
'sources': {
'debian': {
'urls': {
'https://deb.debian.org/debian',
},
'suites': {
'{codename}',
'{codename}-updates',
},
'components': {
'main',
'contrib',
'non-free',
'non-free-firmware',
},
'key': 'debian-{version}',
},
'debian-security': {
'urls': {
'http://security.debian.org/debian-security',
},
'suites': {
'{codename}-security',
},
'components': {
'main',
'contrib',
'non-free',
'non-free-firmware',
},
'key': 'debian-{version}-security',
},
},
},
'hosts': {
'10.0.10.2': [
'resolver.name',
'secondary.resolver.name',
],
},
'letsencrypt': {
'acme_node': 'htz.mails',
},
'homeassistant': {
'domain': 'homeassistant.ckn.li',
'os_agent_version': '1.6.0',
},
'nameservers': {
'10.0.10.2',
},
'users': {
'ckn': {
'shell': '/usr/bin/zsh',
'authorized_keys': {
'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILMVroYmswD4tLk6iH+2tvQiyaMe42yfONDsPDIdFv6I ckn',
},
},
},
'sudoers': {
'ckn': {'ALL'},
},
'zfs': {
'pools': {
'tank': {
'devices': [
'/var/lib/zfs/tank.img',
],
},
},
},
'os_codename': 'bookworm',
},
'os': 'debian',
'os_version': (12,),
'pip_command': 'pip3',
}

1
nodes/home.homematic.py
View file

@ -14,7 +14,6 @@
'network': { 'network': {
'internal': { 'internal': {
'ipv4': '10.0.2.8/24', 'ipv4': '10.0.2.8/24',
'mac': 'b8:27:eb:15:30:86',
}, },
}, },
'dns': { 'dns': {

8
nodes/home.hue.py
View file

@ -5,13 +5,7 @@
'home', 'home',
], ],
'metadata': { 'metadata': {
'id': '87879bc1-130f-4fca-a8d2-e1d93a794df4', 'id': '',
'network': {
'internal': {
'ipv4': '10.0.2.100/24',
'mac': '00:17:88:67:e7:f2',
},
},
'dns': { 'dns': {
'hue.ckn.li': { 'hue.ckn.li': {
'A': {'10.0.2.100'}, 'A': {'10.0.2.100'},

79
nodes/home.router.py
View file

@ -1,84 +1,25 @@
{ {
'hostname': '10.0.0.1', 'hostname': '10.0.0.120',
'dummy': True,
'groups': [ 'groups': [
'autologin', 'autologin',
'debian-12', 'debian-11',
'hardware', 'hardware',
'home', 'home',
'monitored', 'monitored',
], ],
'bundles': [
'kea-dhcpd',
'wireguard',
],
'metadata': { 'metadata': {
'id': '1d6a43e5-858c-42f9-9c40-ab63d61c787c', 'id': '1d6a43e5-858c-42f9-9c40-ab63d61c787c',
'network': { 'network': {
'external': {
'interface': 'enx00e04c220682',
'ipv4': '10.0.99.126/24',
'gateway4': '10.0.99.1',
'vlans': {'iot', 'internet', 'guest', 'rolf', 'internal'},
},
'internal': { 'internal': {
'type': 'vlan', 'interface': 'eno1',
'id': 1, 'ipv4': '10.0.0.120/24',
'ipv4': '10.0.0.1/24', 'gateway4': '10.0.0.1',
'dhcp_server': True,
},
'iot': {
'type': 'vlan',
'id': 2,
'ipv4': '10.0.2.1/24',
'dhcp_server': True,
},
'internet': {
'type': 'vlan',
'id': 3,
'ipv4': '10.0.3.1/24',
},
'guest': {
'type': 'vlan',
'id': 9,
'ipv4': '10.0.9.1/24',
'dhcp_server': True,
},
'rolf': { # rolf local test
'type': 'vlan',
'id': 51,
'ipv4': '192.168.179.1/24',
'dhcp_server': True,
},
},
# 'nftables': {
# 'forward': {
# # Drop DHCP client requests (UDP port 68)
# 'udp sport 68 drop',
# 'udp dport 68 drop',
# # Drop DHCP server responses (UDP port 67)
# 'udp sport 67 drop',
# 'udp dport 67 drop',
# },
# },
'sysctl': {
'net': {
'ipv4': {
'ip_forward': 1,
},
},
},
'wireguard': {
'my_ip': '172.30.0.2/32',
's2s': {
'htz.mails': {
'allowed_ips': [
'10.0.10.0/24',
'10.0.10.0/24',
#'192.168.179.0/24', # while raspi at home
'10.0.227.0/24', # mseibert.freescout
],
}, },
'external': {
'interface': 'enx00e04c00135b',
'mac': '00:e0:4c:00:13:5b',
'dhcp': 'yes',
}, },
}, },
}, },

28
nodes/home.server.py
View file

@ -32,7 +32,8 @@
'systemd-swap', 'systemd-swap',
'twitch-clip-download', 'twitch-clip-download',
'raspberrymatic-cert', 'raspberrymatic-cert',
#'tasmota-charge', 'tasmota-charge',
'wireguard',
'wol-waker', 'wol-waker',
'zfs', 'zfs',
], ],
@ -62,10 +63,10 @@
'target': 'aarch64-unknown-linux-gnu', 'target': 'aarch64-unknown-linux-gnu',
}, },
}, },
'download_server': 'htz.mails', 'download_server': 'netcup.mails',
}, },
'gitea': { 'gitea': {
'version': '8.0.3', 'version': '1.20.4-1',
'domain': 'git.sublimity.de', 'domain': 'git.sublimity.de',
'conf': { 'conf': {
'mailer': { 'mailer': {
@ -110,7 +111,7 @@
}, },
'nextcloud': { 'nextcloud': {
'hostname': 'cloud.sublimity.de', 'hostname': 'cloud.sublimity.de',
'version': '29.0.7', 'version': '28.0.1',
'config': { 'config': {
'instanceid': 'oci6dw1woodz', 'instanceid': 'oci6dw1woodz',
'secret': '!decrypt:encrypt$gAAAAABj96CFynVtEgsje7173zjQAcY7xQG3uyf5cxE-sJAvhyPh_KUykTKdwnExc8NTDJ8RIGUmVfgC6or5crnYaggARPIEg5-Cb0xVdEPPZ3oZ01ImLmynLu3qXT9O8kVM-H21--OKeztMRn7bySsbXdWEGtETFQ==', 'secret': '!decrypt:encrypt$gAAAAABj96CFynVtEgsje7173zjQAcY7xQG3uyf5cxE-sJAvhyPh_KUykTKdwnExc8NTDJ8RIGUmVfgC6or5crnYaggARPIEg5-Cb0xVdEPPZ3oZ01ImLmynLu3qXT9O8kVM-H21--OKeztMRn7bySsbXdWEGtETFQ==',
@ -144,13 +145,6 @@
'steam-chat-viewer': { 'steam-chat-viewer': {
'hostname': 'steam-chats.ckn.li', 'hostname': 'steam-chats.ckn.li',
}, },
'sysctl': {
'net': {
'ipv4': {
'ip_forward': 1,
},
},
},
'systemd-swap': 4_000_000_000, 'systemd-swap': 4_000_000_000,
'tasmota-charge': { 'tasmota-charge': {
'phone': { 'phone': {
@ -172,6 +166,18 @@
'threads': 32, 'threads': 32,
'ram': 49152, 'ram': 49152,
}, },
'wireguard': {
'my_ip': '172.30.0.2/32',
's2s': {
'netcup.mails': {
'allowed_ips': [
'10.0.10.0/24',
'10.0.11.0/24',
'192.168.179.0/24',
],
},
},
},
'zfs': { 'zfs': {
'zfs_arc_max_percent': 80, 'zfs_arc_max_percent': 80,
'storage_classes': { 'storage_classes': {

2
nodes/htz.games.py
View file

@ -37,7 +37,7 @@
'network': { 'network': {
'internal': { 'internal': {
'interface': 'ens10', 'interface': 'ens10',
'ipv4': '10.0.10.2/32', 'ipv4': '10.0.10.3/32',
}, },
'external': { 'external': {
'interface': 'eth0', 'interface': 'eth0',

64
nodes/mseibert.freescout.py
View file

@ -1,64 +0,0 @@
# https://teamvault.apps.seibert-media.net/secrets/mkqMRv/
# https://console.hetzner.cloud/projects/889138/servers/46578341
{
#'dummy': True,
'hostname': '159.69.117.89',
'groups': [
'backup',
'debian-12',
'monitored',
'webserver',
'freescout',
],
'bundles': [
'wireguard',
'zfs',
],
'metadata': {
'id': '5333e3dd-0718-493a-a93c-529612a45079',
'network': {
'internal': {
'interface': 'ens10',
'ipv4': '10.0.227.2/24',
},
'external': {
'interface': 'eth0',
'ipv4': '159.69.117.89/32',
'gateway4': '172.31.1.1',
'ipv6': '2a01:4f8:c013:3d0b::1/64',
'gateway6': 'fe80::1',
},
},
'freescout': {
'domain': 'foerderkreis.oranienschule-wiesbaden-wiki.de',
},
'vm': {
'cores': 2,
'ram': 4096,
},
'wireguard': {
'my_ip': '172.30.0.238/32',
's2s': {
'htz.mails': {
'allowed_ips': [
'10.0.0.0/24',
'10.0.2.0/24',
'10.0.9.0/24',
'10.0.10.0/24',
'10.0.10.0/24',
],
},
},
},
'zfs': {
'pools': {
'tank': {
'devices': [
'/dev/disk/by-id/scsi-0HC_Volume_100662393',
],
},
},
},
},
}

65
nodes/htz.mails.py → nodes/netcup.mails.py
View file

@ -1,9 +1,8 @@
{ {
'hostname': '49.12.184.229', 'hostname': '202.61.255.108',
'groups': [ 'groups': [
'backup', 'backup',
'debian-12', 'debian-12',
'hetzner-cloud',
'mailserver', 'mailserver',
'monitored', 'monitored',
'webserver', 'webserver',
@ -16,23 +15,29 @@
'build-ci', 'build-ci',
'download-server', 'download-server',
'islamicstate.eu', 'islamicstate.eu',
#'nginx-rtmps', 'lonercrew',
#'steam', 'nginx-rtmps',
'steam',
'wireguard', 'wireguard',
'zfs', 'zfs',
], ],
'metadata': { 'metadata': {
'wordpress': {
'elimukwanza': {
'domain': 'elimu-kwanza.de',
},
},
'id': 'ea29bdf0-0b47-4bf4-8346-67d60c9dc4ae', 'id': 'ea29bdf0-0b47-4bf4-8346-67d60c9dc4ae',
'network': { 'network': {
'internal': { 'internal': {
'interface': 'enp7s0', 'interface': 'eth1',
'ipv4': '10.0.10.2/24', 'ipv4': '10.0.11.3/24',
}, },
'external': { 'external': {
'interface': 'eth0', 'interface': 'eth0',
'ipv4': '49.12.184.229/32', 'ipv4': '202.61.255.108/22',
'gateway4': '172.31.1.1', 'gateway4': '202.61.252.1',
'ipv6': '2a01:4f8:c013:51f2::1', 'ipv6': '2a03:4000:55:a89::1/64',
'gateway6': 'fe80::1', 'gateway6': 'fe80::1',
} }
}, },
@ -51,41 +56,33 @@
'islamicstate.eu', 'islamicstate.eu',
'hausamsilberberg.de', 'hausamsilberberg.de',
'wiegand.tel', 'wiegand.tel',
'lonercrew.io',
'left4.me', 'left4.me',
'elimu-kwanza.de', 'elimu-kwanza.de',
'cronekorkn.de', 'cronekorkn.de',
'foerderkreis.oranienschule-wiesbaden-wiki.de',
}, },
}, },
'dns': { 'dns': {
'ckn.li': { 'ckn.li': {
'A': ['49.12.184.229'], 'A': ['202.61.255.108'],
'AAAA': ['2a01:4f8:c013:51f2::1'], 'AAAA': ['2a01:4f8:1c1c:4121::1'],
}, },
'sublimity.de': { 'sublimity.de': {
'A': ['49.12.184.229'], 'A': ['202.61.255.108'],
'AAAA': ['2a01:4f8:c013:51f2::1'], 'AAAA': ['2a01:4f8:1c1c:4121::1'],
}, },
'freibrief.net': { 'freibrief.net': {
'A': ['49.12.184.229'], 'A': ['202.61.255.108'],
'AAAA': ['2a01:4f8:c013:51f2::1'], 'AAAA': ['2a01:4f8:1c1c:4121::1'],
}, },
'left4.me': { 'left4.me': {
'A': ['49.12.184.229'], 'A': ['202.61.255.108'],
'AAAA': ['2a01:4f8:c013:51f2::1'], 'AAAA': ['2a01:4f8:1c1c:4121::1'],
},
'elimu-kwanza.de': {
'TXT': ['google-site-verification=JwgcfXQ6nIXKxjMqUGHVBDISgMCQXgzMryPBsP2ZXnE'],
}, },
}, },
'download-server': { 'download-server': {
'hostname': 'dl.sublimity.de', 'hostname': 'dl.sublimity.de',
}, },
'wordpress': {
'elimukwanza': {
'domain': 'elimu-kwanza.de',
},
},
'left4dead2': { 'left4dead2': {
'servers': { 'servers': {
'standard': { 'standard': {
@ -191,27 +188,26 @@
}, },
'roundcube': { 'roundcube': {
'product_name': 'Sublimity Mail', 'product_name': 'Sublimity Mail',
'version': '1.6.7', 'version': '1.6.2',
'installer': False, 'installer': False,
}, },
'vm': { 'vm': {
'cores': 4, 'cores': 4,
'ram': 8192, 'ram': 16384,
}, },
'wireguard': { 'wireguard': {
'my_ip': '172.30.0.1/24', 'my_ip': '172.30.0.1/24',
's2s': { 's2s': {
'home.router': { 'home.server': {
'allowed_ips': [ 'allowed_ips': [
'10.0.0.0/24', '10.0.0.0/24',
'10.0.2.0/24', '10.0.2.0/24',
'10.0.9.0/24', '10.0.9.0/24',
'10.0.99.0/24',
], ],
}, },
'ovh.secondary': { 'ovh.secondary': {
'allowed_ips': [ 'allowed_ips': [
'10.0.10.0/24', '10.0.11.0/24',
], ],
}, },
'wb.offsite-backups': { 'wb.offsite-backups': {
@ -219,11 +215,6 @@
'192.168.179.0/24', '192.168.179.0/24',
], ],
}, },
'mseibert.freescout': {
'allowed_ips': [
'10.0.227.0/24',
],
},
}, },
'clients': { 'clients': {
'macbook': { 'macbook': {
@ -241,7 +232,7 @@
'pools': { 'pools': {
'tank': { 'tank': {
'devices': [ 'devices': [
'/dev/disk/by-id/scsi-0HC_Volume_101332312', '/dev/sda4',
], ],
}, },
}, },

8
nodes/ovh.secondary.py
View file

@ -20,22 +20,22 @@
}, },
}, },
'bind': { 'bind': {
'master_node': 'htz.mails', 'master_node': 'netcup.mails',
'hostname': 'secondary.resolver.name', 'hostname': 'secondary.resolver.name',
}, },
# 'postfix': { # 'postfix': {
# 'master_node': 'htz.mails', # 'master_node': 'netcup.mails',
# 'hostname': 'mail2.sublimity.de', # 'hostname': 'mail2.sublimity.de',
# }, # },
'wireguard': { 'wireguard': {
'my_ip': '172.30.0.3/32', 'my_ip': '172.30.0.3/32',
's2s': { 's2s': {
'htz.mails': { 'netcup.mails': {
'allowed_ips': [ 'allowed_ips': [
'10.0.0.0/24', '10.0.0.0/24',
'10.0.2.0/24', '10.0.2.0/24',
'10.0.9.0/24', '10.0.9.0/24',
'10.0.10.0/24', '10.0.11.0/24',
], ],
}, },
}, },

8
nodes/wb.offsite-backups.py
View file

@ -1,7 +1,7 @@
{ {
'hostname': '192.168.179.20', 'hostname': '192.168.179.20',
'groups': [ 'groups': [
'debian-12', 'debian-11',
'monitored', 'monitored',
'raspberry-pi', 'raspberry-pi',
], ],
@ -9,7 +9,7 @@
'backup-freshness-check', 'backup-freshness-check',
'dm-crypt', 'dm-crypt',
'smartctl', 'smartctl',
#'wireguard', 'wireguard',
'zfs', 'zfs',
], ],
'metadata': { 'metadata': {
@ -43,13 +43,13 @@
'wireguard': { 'wireguard': {
'my_ip': '172.30.0.4/32', 'my_ip': '172.30.0.4/32',
's2s': { 's2s': {
'htz.mails': { 'netcup.mails': {
'allowed_ips': [ 'allowed_ips': [
'10.0.0.0/24', '10.0.0.0/24',
'10.0.2.0/24', '10.0.2.0/24',
'10.0.9.0/24', '10.0.9.0/24',
'10.0.10.0/24', '10.0.10.0/24',
'10.0.10.0/24', '10.0.11.0/24',
], ],
}, },
}, },