From 1221b68642d7f045db8548e30787a3214105d514 Mon Sep 17 00:00:00 2001
From: cronekorkn <git@ckn.li>
Date: Thu, 8 Feb 2024 13:45:35 +0100
Subject: [PATCH 1/6] wip

---
 bundles/freescout/items.py       | 20 +++++++++++
 bundles/freescout/metadata.py    | 52 +++++++++++++++++++++++++++
 bundles/gitea/metadata.py        |  2 +-
 bundles/icinga2/items.py         |  2 +-
 bundles/php/metadata.py          |  4 +--
 bundles/postgresql/items.py      | 15 ++++----
 data/freescout/vhost.conf        | 53 ++++++++++++++++++++++++++++
 groups/applications/freescout.py | 10 ++++++
 nodes/home.server.py             |  1 +
 nodes/mseibert.freescout.py      | 60 ++++++++++++++++++++++++++++++++
 nodes/netcup.mails.py            |  6 ++++
 11 files changed, 215 insertions(+), 10 deletions(-)
 create mode 100644 bundles/freescout/items.py
 create mode 100644 bundles/freescout/metadata.py
 create mode 100644 data/freescout/vhost.conf
 create mode 100644 groups/applications/freescout.py
 create mode 100644 nodes/mseibert.freescout.py

diff --git a/bundles/freescout/items.py b/bundles/freescout/items.py
new file mode 100644
index 0000000..6168193
--- /dev/null
+++ b/bundles/freescout/items.py
@@ -0,0 +1,20 @@
+# https://github.com/freescout-helpdesk/freescout/wiki/Installation-Guide
+
+directories = {
+    '/opt/freescout': {
+        'owner': 'www-data',
+        'group': 'www-data',
+        # chown -R www-data:www-data /opt/freescout
+    },
+}
+
+git_deploy = {
+    '/opt/freescout': {
+        'repo': 'https://github.com/freescout-helpdesk/freescout.git',
+        'rev': 'master',
+    },
+}
+
+
+files = {
+}
diff --git a/bundles/freescout/metadata.py b/bundles/freescout/metadata.py
new file mode 100644
index 0000000..bc296d0
--- /dev/null
+++ b/bundles/freescout/metadata.py
@@ -0,0 +1,52 @@
+database_password = repo.vault.password_for(f'{node.name} postgresql freescout').value
+
+defaults = {
+    'apt': {
+        'packages': {
+            'php': {},
+            'php-mysql': {},
+            'php-fpm': {},
+            'php-mbstring': {},
+            'php-xml': {},
+            'php-imap': {},
+            'php-zip': {},
+            'php-gd': {},
+            'php-curl': {},
+            'php-intl': {},
+        },
+    },
+    'php': {
+        'php.ini': {
+            'cgi': {
+                'fix_pathinfo': '0',
+            },
+        },
+    },
+    'postgresql': {
+        'roles': {
+            'freescout': {
+                'password': database_password,
+            },
+        },
+        'databases': {
+            'freescout': {
+                'owner': 'freescout',
+            },
+        },
+    },
+}
+
+
+@metadata_reactor.provides(
+    'nginx/vhosts',
+)
+def nginx(metadata):
+    return {
+        'nginx': {
+            'vhosts': {
+                metadata.get('freescout/domain'): {
+                    'content': 'freescout/vhost.conf',
+                },
+            },
+        },
+    }
diff --git a/bundles/gitea/metadata.py b/bundles/gitea/metadata.py
index 62785cb..e84697a 100644
--- a/bundles/gitea/metadata.py
+++ b/bundles/gitea/metadata.py
@@ -118,7 +118,7 @@ def nginx(metadata):
                     'content': 'nginx/proxy_pass.conf',
                     'context': {
                         'target': 'http://127.0.0.1:3500',
-                    }
+                    },
                 },
             },
         },
diff --git a/bundles/icinga2/items.py b/bundles/icinga2/items.py
index 861dc1f..af25d58 100644
--- a/bundles/icinga2/items.py
+++ b/bundles/icinga2/items.py
@@ -269,7 +269,7 @@ svc_systemd = {
     'icinga2.service': {
         'needs': [
             'pkg_apt:icinga2-ido-pgsql',
-            'svc_systemd:postgresql',
+            'svc_systemd:postgresql.service',
         ],
     },
 }
diff --git a/bundles/php/metadata.py b/bundles/php/metadata.py
index 15e7f90..7ed8d22 100644
--- a/bundles/php/metadata.py
+++ b/bundles/php/metadata.py
@@ -113,7 +113,7 @@ def php_ini(metadata):
             'opcache.revalidate_freq': '60',
         },
     }
-    
+
     return {
         'php': {
             'php.ini': {
@@ -145,7 +145,7 @@ def www_conf(metadata):
                 'pm': 'dynamic',
                 'pm.max_children': int(threads*2),
                 'pm.start_servers': int(threads),
-                'pm.min_spare_servers': int(threads/2),
+                'pm.min_spare_servers': max([1, int(threads/2)]),
                 'pm.max_spare_servers': int(threads),
                 'pm.max_requests': int(threads*32),
             },
diff --git a/bundles/postgresql/items.py b/bundles/postgresql/items.py
index 8a5f4c6..b7e7ba8 100644
--- a/bundles/postgresql/items.py
+++ b/bundles/postgresql/items.py
@@ -12,7 +12,7 @@ directories = {
             'zfs_dataset:tank/postgresql',
         ],
         'needed_by': [
-            'svc_systemd:postgresql',
+            'svc_systemd:postgresql.service',
         ],
     }
 }
@@ -25,16 +25,19 @@ files = {
         ) + '\n',
         'owner': 'postgres',
         'group': 'postgres',
+        'needs': [
+            'pkg_apt:postgresql',
+        ],
         'needed_by': [
-            'svc_systemd:postgresql',
+            'svc_systemd:postgresql.service',
         ],
         'triggers': [
-            'svc_systemd:postgresql:restart',
+            'svc_systemd:postgresql.service:restart',
         ],
     },
 }
 
-svc_systemd['postgresql'] = {
+svc_systemd['postgresql.service'] = {
     'needs': [
         'pkg_apt:postgresql',
     ],
@@ -43,13 +46,13 @@ svc_systemd['postgresql'] = {
 for user, config in node.metadata.get('postgresql/roles').items():
     postgres_roles[user] = merge_dict(config, {
         'needs': [
-            'svc_systemd:postgresql',
+            'svc_systemd:postgresql.service',
         ],
     })
 
 for database, config in node.metadata.get('postgresql/databases').items():
     postgres_dbs[database] = merge_dict(config, {
         'needs': [
-            'svc_systemd:postgresql',
+            'svc_systemd:postgresql.service',
         ],
     })
diff --git a/data/freescout/vhost.conf b/data/freescout/vhost.conf
new file mode 100644
index 0000000..628705a
--- /dev/null
+++ b/data/freescout/vhost.conf
@@ -0,0 +1,53 @@
+server {
+    listen 443      ssl http2;
+    listen [::]:443 ssl http2;
+
+    server_name ${server_name};
+
+    ssl_certificate /var/lib/dehydrated/certs/${server_name}/fullchain.pem;
+    ssl_certificate_key /var/lib/dehydrated/certs/${server_name}/privkey.pem;
+
+    root /opt/freescout/public;
+
+    index index.php index.html index.htm;
+
+    location / {
+        try_files $uri $uri/ /index.php?$query_string;
+    }
+    location ~ \.php$ {
+        fastcgi_split_path_info ^(.+\.php)(/.+)$;
+        fastcgi_pass php-handler;
+        fastcgi_index index.php;
+        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+        include params/fastcgi;
+    }
+    # Uncomment this location if you want to improve attachments downloading speed.
+    # Also make sure to set APP_DOWNLOAD_ATTACHMENTS_VIA=nginx in the .env file.
+    #location ^~ /storage/app/attachment/ {
+    #    internal;
+    #    alias /var/www/html/storage/app/attachment/;
+    #}
+    location ~* ^/storage/attachment/ {
+        expires 1M;
+        access_log off;
+        try_files $uri $uri/ /index.php?$query_string;
+    }
+    location ~* ^/(?:css|js)/.*\.(?:css|js)$ {
+        expires 2d;
+        access_log off;
+        add_header Cache-Control "public, must-revalidate";
+    }
+    # The list should be in sync with /storage/app/public/uploads/.htaccess and /config/app.php
+    location ~* ^/storage/.*\.((?!(jpg|jpeg|jfif|pjpeg|pjp|apng|bmp|gif|ico|cur|png|tif|tiff|webp|pdf|txt|diff|patch|json|mp3|wav|ogg|wma)).)*$ {
+        add_header Content-disposition "attachment; filename=$2";
+        default_type application/octet-stream;
+    }
+    location ~* ^/(?:css|fonts|img|installer|js|modules|[^\\\]+\..*)$ {
+        expires 1M;
+        access_log off;
+        add_header Cache-Control "public";
+    }
+    location ~ /\. {
+        deny  all;
+    }
+}
diff --git a/groups/applications/freescout.py b/groups/applications/freescout.py
new file mode 100644
index 0000000..d00e431
--- /dev/null
+++ b/groups/applications/freescout.py
@@ -0,0 +1,10 @@
+{
+    'supergroups': [
+        'webserver',
+    ],
+    'bundles': [
+        'freescout',
+        'php',
+        'postgresql',
+    ],
+}
diff --git a/nodes/home.server.py b/nodes/home.server.py
index 3d2734e..dc0737f 100644
--- a/nodes/home.server.py
+++ b/nodes/home.server.py
@@ -174,6 +174,7 @@
                         '10.0.10.0/24',
                         '10.0.11.0/24',
                         '192.168.179.0/24',
+                        '10.0.238.0/24', # mseibert.freescout
                     ],
                 },
             },
diff --git a/nodes/mseibert.freescout.py b/nodes/mseibert.freescout.py
new file mode 100644
index 0000000..3c1c722
--- /dev/null
+++ b/nodes/mseibert.freescout.py
@@ -0,0 +1,60 @@
+{
+    'hostname': '88.198.202.28',
+    'groups': [
+        'backup',
+        'debian-12',
+        'monitored',
+        'webserver',
+        'freescout',
+    ],
+    'bundles': [
+        'wireguard',
+        'zfs',
+    ],
+    'metadata': {
+        'id': '5333e3dd-0718-493a-a93c-529612a45079',
+        'network': {
+            'internal': {
+                'interface': 'ens10',
+                'ipv4': '10.0.238.2/32',
+            },
+            'external': {
+                'interface': 'eth0',
+                'ipv4': '88.198.202.28/32',
+                'gateway4': '172.31.1.1',
+                'ipv6': '2a01:4f8:c012:8e8f::1/64',
+                'gateway6': 'fe80::1',
+            },
+        },
+        'freescout': {
+            'domain': 'freescout.foerderkreis-oranienschule.de',
+        },
+        'vm': {
+            'cores': 1,
+            'ram': 2048,
+        },
+        'wireguard': {
+            'my_ip': '172.30.0.238/32',
+            's2s': {
+                'netcup.mails': {
+                    'allowed_ips': [
+                        '10.0.0.0/24',
+                        '10.0.2.0/24',
+                        '10.0.9.0/24',
+                        '10.0.10.0/24',
+                        '10.0.11.0/24',
+                    ],
+                },
+            },
+        },
+        'zfs': {
+            'pools': {
+                'tank': {
+                    'devices': [
+                        '/dev/disk/by-id/scsi-0HC_Volume_100356294',
+                    ],
+                },
+            },
+        },
+    },
+}
diff --git a/nodes/netcup.mails.py b/nodes/netcup.mails.py
index 912c6e9..65b73a4 100644
--- a/nodes/netcup.mails.py
+++ b/nodes/netcup.mails.py
@@ -53,6 +53,7 @@
                 'left4.me',
                 'elimu-kwanza.de',
                 'cronekorkn.de',
+                'freescout.foerderkreis-oranienschule.de',
             },
         },
         'dns': {
@@ -216,6 +217,11 @@
                         '192.168.179.0/24',
                     ],
                 },
+                'mseibert.freescout': {
+                    'allowed_ips': [
+                        '10.0.238.0/24',
+                    ],
+                },
             },
             'clients': {
                 'macbook': {
-- 
2.39.5


From f74dbc6539767317d38389b3c565522fb34cfeed Mon Sep 17 00:00:00 2001
From: cronekorkn <git@ckn.li>
Date: Thu, 8 Feb 2024 16:15:57 +0100
Subject: [PATCH 2/6] wip

---
 bundles/freescout/items.py    | 45 +++++++++++++++++++++++++++++++----
 bundles/freescout/metadata.py | 35 ++++++++++++++++++++++++++-
 bundles/php/items.py          | 12 +++-------
 libs/tools.py                 |  6 +++++
 4 files changed, 83 insertions(+), 15 deletions(-)

diff --git a/bundles/freescout/items.py b/bundles/freescout/items.py
index 6168193..1b71f53 100644
--- a/bundles/freescout/items.py
+++ b/bundles/freescout/items.py
@@ -1,4 +1,7 @@
 # https://github.com/freescout-helpdesk/freescout/wiki/Installation-Guide
+run_as = repo.libs.tools.run_as
+php_version = node.metadata.get('php/version')
+
 
 directories = {
     '/opt/freescout': {
@@ -8,13 +11,45 @@ directories = {
     },
 }
 
-git_deploy = {
-    '/opt/freescout': {
-        'repo': 'https://github.com/freescout-helpdesk/freescout.git',
-        'rev': 'master',
+actions = {
+    'clone_freescout': {
+        'command': run_as('www-data', 'git clone https://github.com/freescout-helpdesk/freescout.git /opt/freescout'),
+        'unless': 'test -e /opt/freescout/.git',
+        'needs': [
+            'pkg_apt:git',
+            'directory:/opt/freescout',
+        ],
+    },
+    'pull_freescout': {
+        'command': run_as('www-data', 'git -C /opt/freescout pull'),
+        'unless': run_as('www-data', 'git -C /opt/freescout fetch origin && git -C /opt/freescout status -uno | grep -q "Your branch is up to date"'),
+        'needs': [
+            'action:clone_freescout',
+        ],
+        'triggers': [
+            'action:freescout_artisan_update',
+            f'svc_systemd:php{php_version}-fpm.service:restart',
+        ],
+    },
+    'freescout_artisan_update': {
+        'command': run_as('www-data', 'php /opt/freescout/artisan freescout:after-app-update'),
+        'triggered': True,
+        'needs': [
+            f'svc_systemd:php{php_version}-fpm.service:restart',
+            'action:pull_freescout',
+        ],
     },
 }
 
-
 files = {
+    '/opt/freescout/.env': {
+        'content': '\n'.join(
+            f'{k}={v}' for k, v in
+                sorted(node.metadata.get('freescout/env').items())
+        ),
+        'needs': [
+            'directory:/opt/freescout',
+            'action:clone_freescout',
+        ],
+    },
 }
diff --git a/bundles/freescout/metadata.py b/bundles/freescout/metadata.py
index bc296d0..3a803f6 100644
--- a/bundles/freescout/metadata.py
+++ b/bundles/freescout/metadata.py
@@ -3,8 +3,9 @@ database_password = repo.vault.password_for(f'{node.name} postgresql freescout')
 defaults = {
     'apt': {
         'packages': {
+            'git': {},
             'php': {},
-            'php-mysql': {},
+            'php-pgsql': {},
             'php-fpm': {},
             'php-mbstring': {},
             'php-xml': {},
@@ -15,6 +16,18 @@ defaults = {
             'php-intl': {},
         },
     },
+    'freescout': {
+        'env': {
+            'APP_TIMEZONE': 'Europe/Berlin',
+            'DB_CONNECTION': 'pgsql',
+            'DB_HOST': '127.0.0.1',
+            'DB_PORT': '5432',
+            'DB_DATABASE': 'freescout',
+            'DB_USERNAME': 'freescout',
+            'DB_PASSWORD': database_password,
+            'APP_KEY': 'base64:' + repo.vault.random_bytes_as_base64_for(f'{node.name} freescout APP_KEY', length=32).value
+        },
+    },
     'php': {
         'php.ini': {
             'cgi': {
@@ -34,9 +47,29 @@ defaults = {
             },
         },
     },
+    'zfs': {
+        'datasets': {
+            'tank/freescout': {
+                'mountpoint': '/opt/freescout',
+            },
+        },
+    },
 }
 
 
+@metadata_reactor.provides(
+    'freescout/env/APP_URL',
+)
+def freescout(metadata):
+    return {
+        'freescout': {
+            'env': {
+                'APP_URL': 'https://' + metadata.get('freescout/domain') + '/',
+            },
+        },
+    }
+
+
 @metadata_reactor.provides(
     'nginx/vhosts',
 )
diff --git a/bundles/php/items.py b/bundles/php/items.py
index 81fe14c..222ec42 100644
--- a/bundles/php/items.py
+++ b/bundles/php/items.py
@@ -1,9 +1,3 @@
-from os.path import join
-import json
-
-from bundlewrap.utils.dicts import merge_dict
-
-
 version = node.metadata.get('php/version')
 
 files = {
@@ -21,7 +15,7 @@ files = {
             f'pkg_apt:php{version}-fpm',
         },
         'triggers': {
-            f'svc_systemd:php{version}-fpm:restart',
+            f'svc_systemd:php{version}-fpm.service:restart',
         },
     },
     f'/etc/php/{version}/fpm/pool.d/www.conf': {
@@ -33,13 +27,13 @@ files = {
             f'pkg_apt:php{version}-fpm',
         },
         'triggers': {
-            f'svc_systemd:php{version}-fpm:restart',
+            f'svc_systemd:php{version}-fpm.service:restart',
         },
     },
 }
 
 svc_systemd = {
-    f'php{version}-fpm': {
+    f'php{version}-fpm.service': {
         'needs': {
             'pkg_apt:',
             f'file:/etc/php/{version}/fpm/php.ini',
diff --git a/libs/tools.py b/libs/tools.py
index d96feec..ac4856d 100644
--- a/libs/tools.py
+++ b/libs/tools.py
@@ -86,3 +86,9 @@ def require_bundle(node, bundle, hint=''):
     # way of defining bundle requirements in other bundles.
     if not node.has_bundle(bundle):
         raise BundleError(f'{node.name} requires bundle {bundle}, but wasn\'t found! {hint}')
+
+
+from shlex import quote
+
+def run_as(user, command):
+    return f'sudo su - {user} -c {quote(command)} -s /bin/bash'
-- 
2.39.5


From c63e56975c402f9940908a1547d0a946ded0a5a4 Mon Sep 17 00:00:00 2001
From: cronekorkn <git@ckn.li>
Date: Thu, 8 Feb 2024 16:22:56 +0100
Subject: [PATCH 3/6] wip

---
 bundles/freescout/items.py    | 24 +++++++++---------
 bundles/freescout/metadata.py | 46 +++++++++++++++++------------------
 bundles/wordpress/metadata.py | 10 +++++++-
 3 files changed, 44 insertions(+), 36 deletions(-)

diff --git a/bundles/freescout/items.py b/bundles/freescout/items.py
index 1b71f53..8661d8b 100644
--- a/bundles/freescout/items.py
+++ b/bundles/freescout/items.py
@@ -41,15 +41,15 @@ actions = {
     },
 }
 
-files = {
-    '/opt/freescout/.env': {
-        'content': '\n'.join(
-            f'{k}={v}' for k, v in
-                sorted(node.metadata.get('freescout/env').items())
-        ),
-        'needs': [
-            'directory:/opt/freescout',
-            'action:clone_freescout',
-        ],
-    },
-}
+# files = {
+#     '/opt/freescout/.env': {
+#         'content': '\n'.join(
+#             f'{k}={v}' for k, v in
+#                 sorted(node.metadata.get('freescout/env').items())
+#         ),
+#         'needs': [
+#             'directory:/opt/freescout',
+#             'action:clone_freescout',
+#         ],
+#     },
+# }
diff --git a/bundles/freescout/metadata.py b/bundles/freescout/metadata.py
index 3a803f6..8679a54 100644
--- a/bundles/freescout/metadata.py
+++ b/bundles/freescout/metadata.py
@@ -16,18 +16,18 @@ defaults = {
             'php-intl': {},
         },
     },
-    'freescout': {
-        'env': {
-            'APP_TIMEZONE': 'Europe/Berlin',
-            'DB_CONNECTION': 'pgsql',
-            'DB_HOST': '127.0.0.1',
-            'DB_PORT': '5432',
-            'DB_DATABASE': 'freescout',
-            'DB_USERNAME': 'freescout',
-            'DB_PASSWORD': database_password,
-            'APP_KEY': 'base64:' + repo.vault.random_bytes_as_base64_for(f'{node.name} freescout APP_KEY', length=32).value
-        },
-    },
+    # 'freescout': {
+    #     'env': {
+    #         'APP_TIMEZONE': 'Europe/Berlin',
+    #         'DB_CONNECTION': 'pgsql',
+    #         'DB_HOST': '127.0.0.1',
+    #         'DB_PORT': '5432',
+    #         'DB_DATABASE': 'freescout',
+    #         'DB_USERNAME': 'freescout',
+    #         'DB_PASSWORD': database_password,
+    #         'APP_KEY': 'base64:' + repo.vault.random_bytes_as_base64_for(f'{node.name} freescout APP_KEY', length=32).value
+    #     },
+    # },
     'php': {
         'php.ini': {
             'cgi': {
@@ -57,17 +57,17 @@ defaults = {
 }
 
 
-@metadata_reactor.provides(
-    'freescout/env/APP_URL',
-)
-def freescout(metadata):
-    return {
-        'freescout': {
-            'env': {
-                'APP_URL': 'https://' + metadata.get('freescout/domain') + '/',
-            },
-        },
-    }
+# @metadata_reactor.provides(
+#     'freescout/env/APP_URL',
+# )
+# def freescout(metadata):
+#     return {
+#         'freescout': {
+#             'env': {
+#                 'APP_URL': 'https://' + metadata.get('freescout/domain') + '/',
+#             },
+#         },
+#     }
 
 
 @metadata_reactor.provides(
diff --git a/bundles/wordpress/metadata.py b/bundles/wordpress/metadata.py
index 33a4e11..7df60e4 100644
--- a/bundles/wordpress/metadata.py
+++ b/bundles/wordpress/metadata.py
@@ -1,4 +1,12 @@
-defaults = {}
+defaults = {
+    'php': {
+        'php.ini': {
+            'cgi': {
+                'fix_pathinfo': '0',
+            },
+        },
+    },
+}
 
 
 @metadata_reactor.provides(
-- 
2.39.5


From 12c5b86cc5c1019c35b4ffccd4e095a93550ea45 Mon Sep 17 00:00:00 2001
From: cronekorkn <git@ckn.li>
Date: Fri, 15 Mar 2024 15:46:51 +0100
Subject: [PATCH 4/6] wip

---
 bundles/freescout/items.py    | 28 ++++++++++++---------
 bundles/freescout/metadata.py | 46 +++++++++++++++++------------------
 libs/tools.py                 |  2 +-
 3 files changed, 40 insertions(+), 36 deletions(-)

diff --git a/bundles/freescout/items.py b/bundles/freescout/items.py
index 8661d8b..560c60d 100644
--- a/bundles/freescout/items.py
+++ b/bundles/freescout/items.py
@@ -41,15 +41,19 @@ actions = {
     },
 }
 
-# files = {
-#     '/opt/freescout/.env': {
-#         'content': '\n'.join(
-#             f'{k}={v}' for k, v in
-#                 sorted(node.metadata.get('freescout/env').items())
-#         ),
-#         'needs': [
-#             'directory:/opt/freescout',
-#             'action:clone_freescout',
-#         ],
-#     },
-# }
+files = {
+    '/opt/freescout/.env': {
+        # https://github.com/freescout-helpdesk/freescout/blob/dist/.env.example
+        # Every time you are making changes in .env file, in order changes to take an effect you need to run:
+        # ´sudo su - www-data -c 'php /opt/freescout/artisan freescout:clear-cache' -s /bin/bash´
+        'owner': 'www-data',
+        'content': '\n'.join(
+            f'{k}={v}' for k, v in
+                sorted(node.metadata.get('freescout/env').items())
+        ) + '\n',
+        'needs': [
+            'directory:/opt/freescout',
+            'action:clone_freescout',
+        ],
+    },
+}
diff --git a/bundles/freescout/metadata.py b/bundles/freescout/metadata.py
index 8679a54..3a803f6 100644
--- a/bundles/freescout/metadata.py
+++ b/bundles/freescout/metadata.py
@@ -16,18 +16,18 @@ defaults = {
             'php-intl': {},
         },
     },
-    # 'freescout': {
-    #     'env': {
-    #         'APP_TIMEZONE': 'Europe/Berlin',
-    #         'DB_CONNECTION': 'pgsql',
-    #         'DB_HOST': '127.0.0.1',
-    #         'DB_PORT': '5432',
-    #         'DB_DATABASE': 'freescout',
-    #         'DB_USERNAME': 'freescout',
-    #         'DB_PASSWORD': database_password,
-    #         'APP_KEY': 'base64:' + repo.vault.random_bytes_as_base64_for(f'{node.name} freescout APP_KEY', length=32).value
-    #     },
-    # },
+    'freescout': {
+        'env': {
+            'APP_TIMEZONE': 'Europe/Berlin',
+            'DB_CONNECTION': 'pgsql',
+            'DB_HOST': '127.0.0.1',
+            'DB_PORT': '5432',
+            'DB_DATABASE': 'freescout',
+            'DB_USERNAME': 'freescout',
+            'DB_PASSWORD': database_password,
+            'APP_KEY': 'base64:' + repo.vault.random_bytes_as_base64_for(f'{node.name} freescout APP_KEY', length=32).value
+        },
+    },
     'php': {
         'php.ini': {
             'cgi': {
@@ -57,17 +57,17 @@ defaults = {
 }
 
 
-# @metadata_reactor.provides(
-#     'freescout/env/APP_URL',
-# )
-# def freescout(metadata):
-#     return {
-#         'freescout': {
-#             'env': {
-#                 'APP_URL': 'https://' + metadata.get('freescout/domain') + '/',
-#             },
-#         },
-#     }
+@metadata_reactor.provides(
+    'freescout/env/APP_URL',
+)
+def freescout(metadata):
+    return {
+        'freescout': {
+            'env': {
+                'APP_URL': 'https://' + metadata.get('freescout/domain') + '/',
+            },
+        },
+    }
 
 
 @metadata_reactor.provides(
diff --git a/libs/tools.py b/libs/tools.py
index ac4856d..cbbe27c 100644
--- a/libs/tools.py
+++ b/libs/tools.py
@@ -91,4 +91,4 @@ def require_bundle(node, bundle, hint=''):
 from shlex import quote
 
 def run_as(user, command):
-    return f'sudo su - {user} -c {quote(command)} -s /bin/bash'
+    return f'sudo su - {user} -s /bin/bash -c {quote(command)}'
-- 
2.39.5


From e39deddf7c7b7ca1900b72fee0064beb4402da0c Mon Sep 17 00:00:00 2001
From: cronekorkn <git@ckn.li>
Date: Tue, 30 Apr 2024 14:08:19 +0200
Subject: [PATCH 5/6] wip

---
 bundles/freescout/README.md   | 13 +++++++++++++
 bundles/freescout/items.py    | 35 +++++++++++++++++++----------------
 bundles/freescout/metadata.py |  7 +++++++
 nodes/home.server.py          |  2 +-
 nodes/mseibert.freescout.py   | 14 +++++++-------
 nodes/netcup.mails.py         |  2 +-
 6 files changed, 48 insertions(+), 25 deletions(-)
 create mode 100644 bundles/freescout/README.md

diff --git a/bundles/freescout/README.md b/bundles/freescout/README.md
new file mode 100644
index 0000000..c6f42e4
--- /dev/null
+++ b/bundles/freescout/README.md
@@ -0,0 +1,13 @@
+Pg Pass workaround: set manually:
+
+```
+root@freescout /ro psql freescout
+psql (15.6 (Debian 15.6-0+deb12u1))
+Type "help" for help.
+
+freescout=# \password freescout
+Enter new password for user "freescout":
+Enter it again:
+freescout=#
+\q
+```
diff --git a/bundles/freescout/items.py b/bundles/freescout/items.py
index 560c60d..14b947f 100644
--- a/bundles/freescout/items.py
+++ b/bundles/freescout/items.py
@@ -41,19 +41,22 @@ actions = {
     },
 }
 
-files = {
-    '/opt/freescout/.env': {
-        # https://github.com/freescout-helpdesk/freescout/blob/dist/.env.example
-        # Every time you are making changes in .env file, in order changes to take an effect you need to run:
-        # ´sudo su - www-data -c 'php /opt/freescout/artisan freescout:clear-cache' -s /bin/bash´
-        'owner': 'www-data',
-        'content': '\n'.join(
-            f'{k}={v}' for k, v in
-                sorted(node.metadata.get('freescout/env').items())
-        ) + '\n',
-        'needs': [
-            'directory:/opt/freescout',
-            'action:clone_freescout',
-        ],
-    },
-}
+# files = {
+#     '/opt/freescout/.env': {
+#         # https://github.com/freescout-helpdesk/freescout/blob/dist/.env.example
+#         # Every time you are making changes in .env file, in order changes to take an effect you need to run:
+#         # ´sudo su - www-data -c 'php /opt/freescout/artisan freescout:clear-cache' -s /bin/bash´
+#         'owner': 'www-data',
+#         'content': '\n'.join(
+#             f'{k}={v}' for k, v in
+#                 sorted(node.metadata.get('freescout/env').items())
+#         ) + '\n',
+#         'needs': [
+#             'directory:/opt/freescout',
+#             'action:clone_freescout',
+#         ],
+#     },
+# }
+
+#sudo su - www-data -s /bin/bash -c 'php /opt/freescout/artisan freescout:create-user --role admin --firstName M --lastName W --email freescout@freibrief.net --password gyh.jzv2bnf6hvc.HKG --no-interaction'
+#sudo su - www-data -s /bin/bash -c 'php /opt/freescout/artisan freescout:create-user --role admin --firstName M --lastName W --email freescout@freibrief.net --password gyh.jzv2bnf6hvc.HKG --no-interaction'
diff --git a/bundles/freescout/metadata.py b/bundles/freescout/metadata.py
index 3a803f6..e07d7c9 100644
--- a/bundles/freescout/metadata.py
+++ b/bundles/freescout/metadata.py
@@ -47,6 +47,13 @@ defaults = {
             },
         },
     },
+    'systemd-timers': {
+        'freescout-cron': {
+            'command': '/usr/bin/php /opt/freescout/artisan schedule:run',
+            'when': 'Minutely',
+            'user': 'www-data',
+        },
+    },
     'zfs': {
         'datasets': {
             'tank/freescout': {
diff --git a/nodes/home.server.py b/nodes/home.server.py
index dc0737f..ea13ec4 100644
--- a/nodes/home.server.py
+++ b/nodes/home.server.py
@@ -174,7 +174,7 @@
                         '10.0.10.0/24',
                         '10.0.11.0/24',
                         '192.168.179.0/24',
-                        '10.0.238.0/24', # mseibert.freescout
+                        '10.0.227.0/24', # mseibert.freescout
                     ],
                 },
             },
diff --git a/nodes/mseibert.freescout.py b/nodes/mseibert.freescout.py
index 3c1c722..61bbebd 100644
--- a/nodes/mseibert.freescout.py
+++ b/nodes/mseibert.freescout.py
@@ -1,9 +1,9 @@
 {
-    'hostname': '88.198.202.28',
+    'hostname': '159.69.117.89',
     'groups': [
-        'backup',
+#        'backup',
         'debian-12',
-        'monitored',
+#        'monitored',
         'webserver',
         'freescout',
     ],
@@ -16,13 +16,13 @@
         'network': {
             'internal': {
                 'interface': 'ens10',
-                'ipv4': '10.0.238.2/32',
+                'ipv4': '10.0.227.2/24',
             },
             'external': {
                 'interface': 'eth0',
-                'ipv4': '88.198.202.28/32',
+                'ipv4': '159.69.117.89/32',
                 'gateway4': '172.31.1.1',
-                'ipv6': '2a01:4f8:c012:8e8f::1/64',
+                'ipv6': '2a01:4f8:c013:3d0b::1/64',
                 'gateway6': 'fe80::1',
             },
         },
@@ -51,7 +51,7 @@
             'pools': {
                 'tank': {
                     'devices': [
-                        '/dev/disk/by-id/scsi-0HC_Volume_100356294',
+                        '/dev/disk/by-id/scsi-0HC_Volume_100662393',
                     ],
                 },
             },
diff --git a/nodes/netcup.mails.py b/nodes/netcup.mails.py
index 65b73a4..ac64d81 100644
--- a/nodes/netcup.mails.py
+++ b/nodes/netcup.mails.py
@@ -219,7 +219,7 @@
                 },
                 'mseibert.freescout': {
                     'allowed_ips': [
-                        '10.0.238.0/24',
+                        '10.0.227.0/24',
                     ],
                 },
             },
-- 
2.39.5


From 28568320f181a777c29b3d05e216ec4c1ff08651 Mon Sep 17 00:00:00 2001
From: cronekorkn <git@ckn.li>
Date: Fri, 30 Aug 2024 09:41:54 +0200
Subject: [PATCH 6/6] freescout

---
 bundles/bind/items.py         | 16 ++++++++--------
 bundles/freescout/items.py    |  2 +-
 bundles/freescout/metadata.py |  8 +++++++-
 bundles/zsh/items.py          | 10 +++++-----
 libs/postgres.py              | 23 +++++++++++++++++++++++
 nodes/mseibert.freescout.py   |  2 +-
 nodes/netcup.mails.py         |  4 ++--
 7 files changed, 47 insertions(+), 18 deletions(-)
 create mode 100644 libs/postgres.py

diff --git a/bundles/bind/items.py b/bundles/bind/items.py
index b85c92e..6283b34 100644
--- a/bundles/bind/items.py
+++ b/bundles/bind/items.py
@@ -19,7 +19,7 @@ directories[f'/var/lib/bind'] = {
         'svc_systemd:bind9',
     ],
     'triggers': [
-        'svc_systemd:bind9:restart',
+        'svc_systemd:bind9:reload',
     ],
 }
 
@@ -29,7 +29,7 @@ files['/etc/default/bind9'] = {
         'svc_systemd:bind9',
     ],
     'triggers': [
-        'svc_systemd:bind9:restart',
+        'svc_systemd:bind9:reload',
     ],
 }
 
@@ -43,7 +43,7 @@ files['/etc/bind/named.conf'] = {
         'svc_systemd:bind9',
     ],
     'triggers': [
-        'svc_systemd:bind9:restart',
+        'svc_systemd:bind9:reload',
     ],
 }
 
@@ -63,7 +63,7 @@ files['/etc/bind/named.conf.options'] = {
         'svc_systemd:bind9',
     ],
     'triggers': [
-        'svc_systemd:bind9:restart',
+        'svc_systemd:bind9:reload',
     ],
 }
 
@@ -93,7 +93,7 @@ files['/etc/bind/named.conf.local'] = {
         'svc_systemd:bind9',
     ],
     'triggers': [
-        'svc_systemd:bind9:restart',
+        'svc_systemd:bind9:reload',
     ],
 }
 
@@ -106,7 +106,7 @@ for view_name, view_conf in master_node.metadata.get('bind/views').items():
             'svc_systemd:bind9',
         ],
         'triggers': [
-            'svc_systemd:bind9:restart',
+            'svc_systemd:bind9:reload',
         ],
     }
 
@@ -127,7 +127,7 @@ for view_name, view_conf in master_node.metadata.get('bind/views').items():
                 'svc_systemd:bind9',
             ],
             'triggers': [
-                'svc_systemd:bind9:restart',
+                'svc_systemd:bind9:reload',
             ],
         }
 
@@ -139,6 +139,6 @@ actions['named-checkconf'] = {
     'unless': 'named-checkconf -z',
     'needs': [
         'svc_systemd:bind9',
-        'svc_systemd:bind9:restart',
+        'svc_systemd:bind9:reload',
     ]
 }
diff --git a/bundles/freescout/items.py b/bundles/freescout/items.py
index 14b947f..e409e81 100644
--- a/bundles/freescout/items.py
+++ b/bundles/freescout/items.py
@@ -21,7 +21,7 @@ actions = {
         ],
     },
     'pull_freescout': {
-        'command': run_as('www-data', 'git -C /opt/freescout pull'),
+        'command': run_as('www-data', 'git -C /opt/freescout fetch origin dist && git -C /opt/freescout reset --hard origin/dist && git -C /opt/freescout clean -f'),
         'unless': run_as('www-data', 'git -C /opt/freescout fetch origin && git -C /opt/freescout status -uno | grep -q "Your branch is up to date"'),
         'needs': [
             'action:clone_freescout',
diff --git a/bundles/freescout/metadata.py b/bundles/freescout/metadata.py
index e07d7c9..b15530e 100644
--- a/bundles/freescout/metadata.py
+++ b/bundles/freescout/metadata.py
@@ -1,3 +1,6 @@
+from base64 import b64decode
+
+# hash: SCRAM-SHA-256$4096:tQNfqQi7seqNDwJdHqCHbg==$r3ibECluHJaY6VRwpvPqrtCjgrEK7lAkgtUO8/tllTU=:+eeo4M0L2SowfyHFxT2FRqGzezve4ZOEocSIo11DATA=
 database_password = repo.vault.password_for(f'{node.name} postgresql freescout').value
 
 defaults = {
@@ -38,7 +41,10 @@ defaults = {
     'postgresql': {
         'roles': {
             'freescout': {
-                'password': database_password,
+                'password_hash': repo.libs.postgres.generate_scram_sha_256(
+                    database_password,
+                    b64decode(repo.vault.random_bytes_as_base64_for(f'{node.name} postgres freescout', length=16).value.encode()),
+                ),
             },
         },
         'databases': {
diff --git a/bundles/zsh/items.py b/bundles/zsh/items.py
index 60b8d86..28848c5 100644
--- a/bundles/zsh/items.py
+++ b/bundles/zsh/items.py
@@ -3,13 +3,13 @@ from os.path import join
 directories = {
     '/etc/zsh/oh-my-zsh': {},
     '/etc/zsh/oh-my-zsh/custom/plugins': {
-        'mode': '0744',
+        'mode': '0755',
         'needs': [
             f"git_deploy:/etc/zsh/oh-my-zsh",
         ]
     },
     '/etc/zsh/oh-my-zsh/custom/plugins/zsh-autosuggestions': {
-        'mode': '0744',
+        'mode': '0755',
         'needs': [
             f"git_deploy:/etc/zsh/oh-my-zsh",
         ]
@@ -29,10 +29,10 @@ git_deploy = {
 
 files = {
     '/etc/zsh/zprofile': {
-        'mode': '0744',
+        'mode': '0755',
     },
     '/etc/zsh/oh-my-zsh/themes/bw.zsh-theme': {
-        'mode': '0744',
+        'mode': '0755',
         'needs': [
             f"git_deploy:/etc/zsh/oh-my-zsh",
         ]
@@ -41,7 +41,7 @@ files = {
 
 actions = {
     'chown_oh_my_zsh': {
-        'command': 'chmod -R 744 /etc/zsh/oh-my-zsh',
+        'command': 'chmod -R 755 /etc/zsh/oh-my-zsh',
         'triggered': True,
         'triggered_by': [
             "git_deploy:/etc/zsh/oh-my-zsh",
diff --git a/libs/postgres.py b/libs/postgres.py
new file mode 100644
index 0000000..ed80036
--- /dev/null
+++ b/libs/postgres.py
@@ -0,0 +1,23 @@
+from base64 import standard_b64encode
+from hashlib import pbkdf2_hmac, sha256
+import hmac
+
+
+def b64enc(b: bytes) -> str:
+    return standard_b64encode(b).decode('utf8')
+
+def generate_scram_sha_256(password, salt):
+    if len(salt) != 16:
+        raise ValueError(f"Salt '{salt}' is not 16, but {len(salt)} characters long.")
+
+    digest_len = 32
+    iterations = 4096
+
+    digest_key = pbkdf2_hmac('sha256', password.encode('utf8'), salt, iterations, digest_len)
+    client_key = hmac.digest(digest_key, 'Client Key'.encode('utf8'), 'sha256')
+    stored_key = sha256(client_key).digest()
+    server_key = hmac.digest(digest_key, 'Server Key'.encode('utf8'), 'sha256')
+
+    return f'SCRAM-SHA-256${iterations}:{b64enc(salt)}${b64enc(stored_key)}:{b64enc(server_key)}'
+
+
diff --git a/nodes/mseibert.freescout.py b/nodes/mseibert.freescout.py
index 61bbebd..4125052 100644
--- a/nodes/mseibert.freescout.py
+++ b/nodes/mseibert.freescout.py
@@ -27,7 +27,7 @@
             },
         },
         'freescout': {
-            'domain': 'freescout.foerderkreis-oranienschule.de',
+            'domain': 'foerderkreis.oranienschule-wiesbaden-wiki.de',
         },
         'vm': {
             'cores': 1,
diff --git a/nodes/netcup.mails.py b/nodes/netcup.mails.py
index ac64d81..181d030 100644
--- a/nodes/netcup.mails.py
+++ b/nodes/netcup.mails.py
@@ -16,7 +16,7 @@
         'download-server',
         'islamicstate.eu',
         'nginx-rtmps',
-        'steam',
+        #'steam',
         'wireguard',
         'zfs',
     ],
@@ -53,7 +53,7 @@
                 'left4.me',
                 'elimu-kwanza.de',
                 'cronekorkn.de',
-                'freescout.foerderkreis-oranienschule.de',
+                'foerderkreis.oranienschule-wiesbaden-wiki.de',
             },
         },
         'dns': {
-- 
2.39.5