mailman #21

Closed
cronekorkn wants to merge 16 commits from mailman into proxmox
32 changed files with 1211 additions and 97 deletions


@ -0,0 +1,3 @@
# svc_systemd = {
# 'ifupdown.service': {},
# }


@ -0,0 +1,22 @@
# This is the mailman extension configuration file to enable HyperKitty as an
# archiver. Remember to add the following lines in the mailman.cfg file:
#
# [archiver.hyperkitty]
# class: mailman_hyperkitty.Archiver
# enable: yes
# configuration: /etc/mailman3/mailman-hyperkitty.cfg
#
[general]
# This is your HyperKitty installation, preferably on the localhost. This
# address will be used by Mailman to forward incoming emails to HyperKitty
# for archiving. It does not need to be publicly available, in fact it's
# better if it is not.
# However, if your Mailman installation is accessed via HTTPS, the URL needs
# to match your SSL certificate (e.g. https://lists.example.com/hyperkitty).
base_url: http://${hostname}/mailman3/hyperkitty/
# The shared api_key, must be identical except for quoting to the value of
# MAILMAN_ARCHIVER_KEY in HyperKitty's settings.
api_key: ${archiver_key}
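Review bot: `base_url: http://${hostname}/mailman3/hyperkitty/` makes Mailman core send the shared `api_key` and every archived message over plain HTTP to the public hostname, while the only vhost in this PR listens on 443 and the Django side accepts archiver requests only from `MAILMAN_ARCHIVER_FROM = ('127.0.0.1', '::1')`. A connection to the public hostname leaves from the host's routable address rather than loopback, so even if something answered on port 80 the request would be rejected. Either keep this on a loopback listener (as I recall the Debian default does, `base_url: http://127.0.0.1/mailman3/hyperkitty/`, which needs an HTTP server block bound to 127.0.0.1) or use `base_url: https://${hostname}/mailman3/hyperkitty/` and add the host's own address to `MAILMAN_ARCHIVER_FROM`. Worth verifying end to end by posting to a list once deployed.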


@ -0,0 +1,190 @@
ACCOUNT_EMAIL_VERIFICATION='none'
# This file is imported by the Mailman Suite. It is used to override
# the default settings from /usr/share/mailman3-web/settings.py.
# SECURITY WARNING: keep the secret key used in production secret!
SECRET_KEY = '${secret_key}'
ADMINS = (
('Mailman Suite Admin', 'root@localhost'),
)
# Hosts/domain names that are valid for this site; required if DEBUG is False
# See https://docs.djangoproject.com/en/1.8/ref/settings/#allowed-hosts
# Set to '*' per default in the Deian package to allow all hostnames. Mailman3
# is meant to run behind a webserver reverse proxy anyway.
ALLOWED_HOSTS = [
'${hostname}',
]
# Mailman API credentials
MAILMAN_REST_API_URL = 'http://localhost:8001'
MAILMAN_REST_API_USER = 'restadmin'
MAILMAN_REST_API_PASS = '${api_password}'
MAILMAN_ARCHIVER_KEY = '${archiver_key}'
MAILMAN_ARCHIVER_FROM = ('127.0.0.1', '::1')
# Application definition
INSTALLED_APPS = (
'hyperkitty',
'postorius',
'django_mailman3',
# Uncomment the next line to enable the admin:
'django.contrib.admin',
# Uncomment the next line to enable admin documentation:
# 'django.contrib.admindocs',
'django.contrib.auth',
'django.contrib.contenttypes',
'django.contrib.sessions',
'django.contrib.sites',
'django.contrib.messages',
'django.contrib.staticfiles',
'rest_framework',
'django_gravatar',
'compressor',
'haystack',
'django_extensions',
'django_q',
'allauth',
'allauth.account',
'allauth.socialaccount',
'django_mailman3.lib.auth.fedora',
#'allauth.socialaccount.providers.openid',
#'allauth.socialaccount.providers.github',
#'allauth.socialaccount.providers.gitlab',
#'allauth.socialaccount.providers.google',
#'allauth.socialaccount.providers.facebook',
#'allauth.socialaccount.providers.twitter',
#'allauth.socialaccount.providers.stackexchange',
)
# Database
# https://docs.djangoproject.com/en/1.8/ref/settings/#databases
DATABASES = {
'default': {
# Use 'sqlite3', 'postgresql_psycopg2', 'mysql', 'sqlite3' or 'oracle'.
#'ENGINE': 'django.db.backends.sqlite3',
'ENGINE': 'django.db.backends.postgresql_psycopg2',
#'ENGINE': 'django.db.backends.mysql',
# DB name or path to database file if using sqlite3.
#'NAME': '/var/lib/mailman3/web/mailman3web.db',
'NAME': 'mailman',
# The following settings are not used with sqlite3:
'USER': 'mailman',
'PASSWORD': '${db_password}',
# HOST: empty for localhost through domain sockets or '127.0.0.1' for
# localhost through TCP.
'HOST': '127.0.0.1',
# PORT: set to empty string for default.
'PORT': '5432',
# OPTIONS: Extra parameters to use when connecting to the database.
'OPTIONS': {
# Set sql_mode to 'STRICT_TRANS_TABLES' for MySQL. See
# https://docs.djangoproject.com/en/1.11/ref/
# databases/#setting-sql-mode
#'init_command': "SET sql_mode='STRICT_TRANS_TABLES'",
},
}
}
# If you're behind a proxy, use the X-Forwarded-Host header
# See https://docs.djangoproject.com/en/1.8/ref/settings/#use-x-forwarded-host
USE_X_FORWARDED_HOST = True
# And if your proxy does your SSL encoding for you, set SECURE_PROXY_SSL_HEADER
# https://docs.djangoproject.com/en/1.8/ref/settings/#secure-proxy-ssl-header
# SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')
# SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_SCHEME', 'https')
# Other security settings
# SECURE_SSL_REDIRECT = True
# If you set SECURE_SSL_REDIRECT to True, make sure the SECURE_REDIRECT_EXEMPT
# contains at least this line:
# SECURE_REDIRECT_EXEMPT = [
# "archives/api/mailman/.*", # Request from Mailman.
# ]
# SESSION_COOKIE_SECURE = True
# SECURE_CONTENT_TYPE_NOSNIFF = True
# SECURE_BROWSER_XSS_FILTER = True
# CSRF_COOKIE_SECURE = True
# CSRF_COOKIE_HTTPONLY = True
# X_FRAME_OPTIONS = 'DENY'
# Internationalization
# https://docs.djangoproject.com/en/1.8/topics/i18n/
LANGUAGE_CODE = 'en-us'
TIME_ZONE = 'UTC'
USE_I18N = True
USE_L10N = True
USE_TZ = True
# Set default domain for email addresses.
EMAILNAME = 'localhost.local'
# If you enable internal authentication, this is the address that the emails
# will appear to be coming from. Make sure you set a valid domain name,
# otherwise the emails may get rejected.
# https://docs.djangoproject.com/en/1.8/ref/settings/#default-from-email
# DEFAULT_FROM_EMAIL = "mailing-lists@you-domain.org"
DEFAULT_FROM_EMAIL = 'postorius@{}'.format(EMAILNAME)
# If you enable email reporting for error messages, this is where those emails
# will appear to be coming from. Make sure you set a valid domain name,
# otherwise the emails may get rejected.
# https://docs.djangoproject.com/en/1.8/ref/settings/#std:setting-SERVER_EMAIL
# SERVER_EMAIL = 'root@your-domain.org'
SERVER_EMAIL = 'root@{}'.format(EMAILNAME)
# Django Allauth
ACCOUNT_DEFAULT_HTTP_PROTOCOL = "https"
#
# Social auth
#
SOCIALACCOUNT_PROVIDERS = {
#'openid': {
# 'SERVERS': [
# dict(id='yahoo',
# name='Yahoo',
# openid_url='http://me.yahoo.com'),
# ],
#},
#'google': {
# 'SCOPE': ['profile', 'email'],
# 'AUTH_PARAMS': {'access_type': 'online'},
#},
#'facebook': {
# 'METHOD': 'oauth2',
# 'SCOPE': ['email'],
# 'FIELDS': [
# 'email',
# 'name',
# 'first_name',
# 'last_name',
# 'locale',
# 'timezone',
# ],
# 'VERSION': 'v2.4',
#},
}
# On a production setup, setting COMPRESS_OFFLINE to True will bring a
# significant performance improvement, as CSS files will not need to be
# recompiled on each requests. It means running an additional "compress"
# management command after each code upgrade.
# http://django-compressor.readthedocs.io/en/latest/usage/#offline-compression
COMPRESS_OFFLINE = True
POSTORIUS_TEMPLATE_BASE_URL = 'http://${hostname}/mailman3/'
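Review bot: The HTTPS hardening block near the end of the settings (`SECURE_PROXY_SSL_HEADER`, `SESSION_COOKIE_SECURE`, `CSRF_COOKIE_SECURE`, `X_FRAME_OPTIONS`) is still entirely commented out, even though the nginx vhost in this PR serves the site only over TLS and `ACCOUNT_DEFAULT_HTTP_PROTOCOL = "https"` is set. If `/etc/nginx/params/uwsgi` does not already hand nginx's scheme to the app, Django sees every request as plain HTTP, so the absolute URLs it builds come out as http:// and the session and CSRF cookies are issued without the Secure flag. I would enable `SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')`, `SESSION_COOKIE_SECURE = True` and `CSRF_COOKIE_SECURE = True`, provided the uwsgi params actually pass X-Forwarded-Proto (not visible here). Separately, `ACCOUNT_EMAIL_VERIFICATION='none'` on the first line lets anyone register an account under an address they do not control, which on a list server means subscriptions and archive access under someone else's address; `'mandatory'` is the safer default.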


@ -0,0 +1,277 @@
# Copyright (C) 2008-2017 by the Free Software Foundation, Inc.
#
# This file is part of GNU Mailman.
#
# GNU Mailman is free software: you can redistribute it and/or modify it under
# the terms of the GNU General Public License as published by the Free
# Software Foundation, either version 3 of the License, or (at your option)
# any later version.
#
# GNU Mailman is distributed in the hope that it will be useful, but WITHOUT
# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
# FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for
# more details.
#
# You should have received a copy of the GNU General Public License along with
# GNU Mailman. If not, see <http://www.gnu.org/licenses/>.
# This file contains the Debian configuration for mailman. It uses ini-style
# formats under the lazr.config regime to define all system configuration
# options. See <https://launchpad.net/lazr.config> for details.
[mailman]
# This address is the "site owner" address. Certain messages which must be
# delivered to a human, but which can't be delivered to a list owner (e.g. a
# bounce from a list owner), will be sent to this address. It should point to
# a human.
site_owner: ${site_owner_email}
# This is the local-part of an email address used in the From field whenever a
# message comes from some entity to which there is no natural reply recipient.
# Mailman will append '@' and the host name of the list involved. This
# address must not bounce and it must not point to a Mailman process.
noreply_address: noreply
# The default language for this server.
default_language: de
# Membership tests for posting purposes are usually performed by looking at a
# set of headers, passing the test if any of their values match a member of
# the list. Headers are checked in the order given in this variable. The
# value From_ means to use the envelope sender. Field names are case
# insensitive. This is a space separate list of headers.
sender_headers: from from_ reply-to sender
# Mail command processor will ignore mail command lines after designated max.
email_commands_max_lines: 10
# Default length of time a pending request is live before it is evicted from
# the pending database.
pending_request_life: 3d
# How long should files be saved before they are evicted from the cache?
cache_life: 7d
# A callable to run with no arguments early in the initialization process.
# This runs before database initialization.
pre_hook:
# A callable to run with no arguments late in the initialization process.
# This runs after adapters are initialized.
post_hook:
# Which paths.* file system layout to use.
# You should not change this variable.
layout: debian
# Can MIME filtered messages be preserved by list owners?
filtered_messages_are_preservable: no
# How should text/html parts be converted to text/plain when the mailing list
# is set to convert HTML to plaintext? This names a command to be called,
# where the substitution variable $filename is filled in by Mailman, and
# contains the path to the temporary file that the command should read from.
# The command should print the converted text to stdout.
html_to_plain_text_command: /usr/bin/lynx -dump $filename
# Specify what characters are allowed in list names. Characters outside of
# the class [-_.+=!$*{}~0-9a-z] matched case insensitively are never allowed,
# but this specifies a subset as the only allowable characters. This must be
# a valid character class regexp or the effect on list creation is
# unpredictable.
listname_chars: [-_.0-9a-z]
[shell]
# `mailman shell` (also `withlist`) gives you an interactive prompt that you
# can use to interact with an initialized and configured Mailman system. Use
# --help for more information. This section allows you to configure certain
# aspects of this interactive shell.
# Customize the interpreter prompt.
prompt: >>>
# Banner to show on startup.
banner: Welcome to the GNU Mailman shell
# Use IPython as the shell, which must be found on the system. Valid values
# are `no`, `yes`, and `debug` where the latter is equivalent to `yes` except
# that any import errors will be displayed to stderr.
use_ipython: no
# Set this to allow for command line history if readline is available. This
# can be as simple as $var_dir/history.py to put the file in the var directory.
history_file:
[paths.debian]
# Important directories for Mailman operation. These are defined here so that
# different layouts can be supported. For example, a developer layout would
# be different from a FHS layout. Most paths are based off the var_dir, and
# often just setting that will do the right thing for all the other paths.
# You might also have to set spool_dir though.
#
# Substitutions are allowed, but must be of the form $var where 'var' names a
# configuration variable in the paths.* section. Substitutions are expanded
# recursively until no more $-variables are present. Beware of infinite
# expansion loops!
#
# This is the root of the directory structure that Mailman will use to store
# its run-time data.
var_dir: /var/lib/mailman3
# This is where the Mailman queue files directories will be created.
queue_dir: $var_dir/queue
# This is the directory containing the Mailman 'runner' and 'master' commands
# if set to the string '$argv', it will be taken as the directory containing
# the 'mailman' command.
bin_dir: /usr/lib/mailman3/bin
# All list-specific data.
list_data_dir: $var_dir/lists
# Directory where log files go.
log_dir: /var/log/mailman3
# Directory for system-wide locks.
lock_dir: $var_dir/locks
# Directory for system-wide data.
data_dir: $var_dir/data
# Cache files.
cache_dir: $var_dir/cache
# Directory for configuration files and such.
etc_dir: /etc/mailman3
# Directory containing Mailman plugins.
ext_dir: $var_dir/ext
# Directory where the default IMessageStore puts its messages.
messages_dir: $var_dir/messages
# Directory for archive backends to store their messages in. Archivers should
# create a subdirectory in here to store their files.
archive_dir: $var_dir/archives
# Root directory for site-specific template override files.
template_dir: $var_dir/templates
# There are also a number of paths to specific file locations that can be
# defined. For these, the directory containing the file must already exist,
# or be one of the directories created by Mailman as per above.
#
# This is where PID file for the master runner is stored.
pid_file: /run/mailman3/master.pid
# Lock file.
lock_file: $lock_dir/master.lck
[database]
# The class implementing the IDatabase.
class: mailman.database.sqlite.SQLiteDatabase
#class: mailman.database.mysql.MySQLDatabase
#class: mailman.database.postgresql.PostgreSQLDatabase
# Use this to set the Storm database engine URL. You generally have one
# primary database connection for all of Mailman. List data and most rosters
# will store their data in this database, although external rosters may access
# other databases in their own way. This string supports standard
# 'configuration' substitutions.
url: sqlite:///$DATA_DIR/mailman.db
#url: mysql+pymysql://mailman3:mmpass@localhost/mailman3?charset=utf8&use_unicode=1
#url: postgresql://mailman3:mmpass@localhost/mailman3
debug: no
[logging.debian]
# This defines various log settings. The options available are:
#
# - level -- Overrides the default level; this may be any of the
# standard Python logging levels, case insensitive.
# - format -- Overrides the default format string
# - datefmt -- Overrides the default date format string
# - path -- Overrides the default logger path. This may be a relative
# path name, in which case it is relative to Mailman's LOG_DIR,
# or it may be an absolute path name. You cannot change the
# handler class that will be used.
# - propagate -- Boolean specifying whether to propagate log message from this
# logger to the root "mailman" logger. You cannot override
# settings for the root logger.
#
# In this section, you can define defaults for all loggers, which will be
# prefixed by 'mailman.'. Use subsections to override settings for specific
# loggers. The names of the available loggers are:
#
# - archiver -- All archiver output
# - bounce -- All bounce processing logs go here
# - config -- Configuration issues
# - database -- Database logging (SQLAlchemy and Alembic)
# - debug -- Only used for development
# - error -- All exceptions go to this log
# - fromusenet -- Information related to the Usenet to Mailman gateway
# - http -- Internal wsgi-based web interface
# - locks -- Lock state changes
# - mischief -- Various types of hostile activity
# - runner -- Runner process start/stops
# - smtp -- Successful SMTP activity
# - smtp-failure -- Unsuccessful SMTP activity
# - subscribe -- Information about leaves/joins
# - vette -- Message vetting information
format: %(asctime)s (%(process)d) %(message)s
datefmt: %b %d %H:%M:%S %Y
propagate: no
level: info
path: mailman.log
[webservice]
# The hostname at which admin web service resources are exposed.
hostname: localhost
# The port at which the admin web service resources are exposed.
port: 8001
# Whether or not requests to the web service are secured through SSL.
use_https: no
# Whether or not to show tracebacks in an HTTP response for a request that
# raised an exception.
show_tracebacks: yes
# The API version number for the current (highest) API.
api_version: 3.1
# The administrative username.
admin_user: restadmin
# The administrative password.
admin_pass: ${api_password}
[mta]
# The class defining the interface to the incoming mail transport agent.
#incoming: mailman.mta.exim4.LMTP
incoming: mailman.mta.postfix.LMTP
# The callable implementing delivery to the outgoing mail transport agent.
# This must accept three arguments, the mailing list, the message, and the
# message metadata dictionary.
outgoing: mailman.mta.deliver.deliver
# How to connect to the outgoing MTA. If smtp_user and smtp_pass is given,
# then Mailman will attempt to log into the MTA when making a new connection.
# smtp_host: smtp.ionos.de
# smtp_port: 587
# smtp_user: ${smtp_user}
# smtp_pass: ${smtp_password}
# smtp_secure_mode: starttls
smtp_host: 127.0.0.1
smtp_port: 25
smtp_user:
smtp_pass:
# Where the LMTP server listens for connections. Use 127.0.0.1 instead of
# localhost for Postfix integration, because Postfix only consults DNS
# (e.g. not /etc/hosts).
lmtp_host: 127.0.0.1
lmtp_port: 8024
# Where can we find the mail server specific configuration file? The path can
# be either a file system path or a Python import path. If the value starts
# with python: then it is a Python import path, otherwise it is a file system
# path. File system paths must be absolute since no guarantees are made about
# the current working directory. Python paths should not include the trailing
# .cfg, which the file must end with.
#configuration: python:mailman.config.exim4
configuration: python:mailman.config.postfix
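Review bot: `show_tracebacks: yes` in `[webservice]` makes the core REST API return Python tracebacks in HTTP responses, which is a debugging setting rather than a production one; set `show_tracebacks: no`. The API is bound to localhost:8001 behind basic auth, so exposure is limited to local processes, but tracebacks may still surface configuration paths and values in Postorius error pages or logs. Also note that `[database]` keeps core on `sqlite:///$DATA_DIR/mailman.db` while `metadata.py` in this PR provisions a PostgreSQL database and role for the node; if that split is intentional (core and the Django web database must be separate anyway), a one-line comment here saying so would stop the next reader from "fixing" it.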


@ -0,0 +1,52 @@
# See /usr/share/postfix/main.cf.dist for a commented, more complete version
# Debian specific: Specifying a file name will cause the first
# line of that file to be used as the name. The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no
# appending .domain is the MUA's job.
append_dot_mydomain = no
# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h
readme_directory = no
# See http://www.postfix.org/COMPATIBILITY_README.html -- default to 3.6 on
# fresh installs.
compatibility_level = 3.6
# TLS parameters
smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
smtpd_tls_security_level=may
smtp_tls_CApath=/etc/ssl/certs
smtp_tls_security_level=may
smtp_tls_session_cache_database = <%text>btree:${data_directory}/smtp_scache</%text>
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
myhostname = ${hostname}
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
mydestination = $myhostname, localhost, localhost.localdomain, ${hostname}
relayhost =
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = all
unknown_local_recipient_reject_code = 550
owner_request_special = no
transport_maps =
hash:/var/lib/mailman3/data/postfix_lmtp
local_recipient_maps =
hash:/var/lib/mailman3/data/postfix_lmtp
relay_domains =
hash:/var/lib/mailman3/data/postfix_domains
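Review bot: `smtpd_tls_cert_file`/`smtpd_tls_key_file` still point at the Debian snakeoil self-signed pair, while the nginx vhost in this PR already has a dehydrated certificate for the same hostname under `/var/lib/dehydrated/certs/`. Reusing it (`smtpd_tls_cert_file=/var/lib/dehydrated/certs/${hostname}/fullchain.pem`, `smtpd_tls_key_file=/var/lib/dehydrated/certs/${hostname}/privkey.pem`) lets remote MTAs doing opportunistic TLS see a certificate that matches `myhostname`; the key stays readable by root only, which is who loads it at startup. Minor: `mydestination` lists both `$myhostname` and `${hostname}`, which expand to the same value here. The relay side looks correct — `mynetworks` is loopback only and `relay_domains` is the Mailman-generated map, so this is not an open relay.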


@ -0,0 +1,50 @@
[uwsgi]
# Port on which uwsgi will be listening.
uwsgi-socket = /run/mailman3-web/uwsgi.sock
#Enable threading for python
enable-threads = true
# Move to the directory wher the django files are.
chdir = /usr/share/mailman3-web
# Use the wsgi file provided with the django project.
wsgi-file = wsgi.py
# Setup default number of processes and threads per process.
master = true
process = 2
threads = 2
# Drop privielges and don't run as root.
uid = www-data
gid = www-data
plugins = python3
# Setup the django_q related worker processes.
attach-daemon = python3 manage.py qcluster
# Setup hyperkitty's cron jobs.
#unique-cron = -1 -1 -1 -1 -1 ./manage.py runjobs minutely
#unique-cron = -15 -1 -1 -1 -1 ./manage.py runjobs quarter_hourly
#unique-cron = 0 -1 -1 -1 -1 ./manage.py runjobs hourly
#unique-cron = 0 0 -1 -1 -1 ./manage.py runjobs daily
#unique-cron = 0 0 1 -1 -1 ./manage.py runjobs monthly
#unique-cron = 0 0 -1 -1 0 ./manage.py runjobs weekly
#unique-cron = 0 0 1 1 -1 ./manage.py runjobs yearly
# Setup the request log.
#req-logger = file:/var/log/mailman3/web/mailman-web.log
# Log cron seperately.
#logger = cron file:/var/log/mailman3/web/mailman-web-cron.log
#log-route = cron uwsgi-cron
# Log qcluster commands seperately.
#logger = qcluster file:/var/log/mailman3/web/mailman-web-qcluster.log
#log-route = qcluster uwsgi-daemons
# Last log and it logs the rest of the stuff.
#logger = file:/var/log/mailman3/web/mailman-web-error.log
logto = /var/log/mailman3/web/mailman-web.log
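Review bot: `process = 2` does not look like a uWSGI option — the documented spelling is `processes` (alias `workers`) — and uWSGI ignores unknown ini keys unless run with `--strict`, so this would likely leave a single worker; please confirm against the uwsgi version in use and change it to `processes = 2`. The HyperKitty `runjobs` cron lines are all commented out with no replacement visible in this PR, so unless another cron entry is relied on, the periodic jobs (index updates, member sync) will never run. Finally, workers run as `www-data` but no `chmod-socket`/`chown-socket` is set, so the nginx user's access to `/run/mailman3-web/uwsgi.sock` depends on the unit's runtime-directory defaults — worth a check.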

104
bundles/mailman/items.py Normal file

@ -0,0 +1,104 @@
directories = {
'/var/lib/mailman3': {
'owner': 'list',
'group': 'list',
'needs': {
'zfs_dataset:tank/mailman',
'pkg_apt:mailman3-full',
},
'needed_by': {
'svc_systemd:mailman3.service',
'svc_systemd:mailman3-web.service',
},
},
}
files = {
'/etc/postfix/main.cf': {
'source': 'postfix.cf',
'content_type': 'mako',
'mode': '0644',
'context': {
'hostname': node.metadata.get('mailman/hostname'),
},
'needs': {
'pkg_apt:postfix',
},
'triggers': {
'svc_systemd:postfix.service:restart',
},
},
'/etc/mailman3/mailman.cfg': {
'content_type': 'mako',
'owner': 'root',
'group': 'list',
'mode': '0640',
'context': node.metadata.get('mailman'),
'needs': {
'pkg_apt:mailman3-full',
},
'triggers': {
'svc_systemd:mailman3.service:restart',
'svc_systemd:mailman3-web.service:restart',
},
},
'/etc/mailman3/mailman-web.py': {
'content_type': 'mako',
'owner': 'root',
'group': 'www-data',
'mode': '0640',
'context': node.metadata.get('mailman'),
'needs': {
'pkg_apt:mailman3-full',
},
'triggers': {
'svc_systemd:mailman3.service:restart',
'svc_systemd:mailman3-web.service:restart',
},
},
'/etc/mailman3/mailman-hyperkitty.cfg': {
'content_type': 'mako',
'owner': 'root',
'group': 'list',
'mode': '0640',
'context': node.metadata.get('mailman'),
'needs': {
'pkg_apt:mailman3-full',
},
'triggers': {
'svc_systemd:mailman3.service:restart',
'svc_systemd:mailman3-web.service:restart',
},
},
'/etc/mailman3/uwsgi.ini': {
'content_type': 'text',
'owner': 'root',
'group': 'root',
'mode': '0644',
'needs': {
'pkg_apt:mailman3-full',
},
'triggers': {
'svc_systemd:mailman3.service:restart',
'svc_systemd:mailman3-web.service:restart',
},
},
}
svc_systemd = {
'postfix.service': {
'needs': {
'pkg_apt:postfix',
},
},
'mailman3.service': {
'needs': {
'pkg_apt:mailman3-full',
},
},
'mailman3-web.service': {
'needs': {
'pkg_apt:mailman3-full',
},
},
}
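Review bot: The `/var/lib/mailman3` directory item forces `list:list`, but uwsgi runs as `www-data` (uwsgi.ini) and the vhost serves `/var/lib/mailman3/web/static` from under that tree, so the `web` subdirectory must stay `www-data`-owned; as far as I know bundlewrap directory items are not recursive, but please confirm the package's ownership of `/var/lib/mailman3/web` is intact when the ZFS dataset is mounted there before `mailman3-full` is installed. The secret-bearing configs are handled well (`0640`, root-owned, group limited to the service that reads them: `list` for core, `www-data` for the Django settings). Nit: `uwsgi.ini` and `mailman-web.py` trigger `mailman3.service:restart` although core never reads either file; dropping that trigger avoids bouncing the mail runners on a web-only change.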

116
bundles/mailman/metadata.py Normal file

@ -0,0 +1,116 @@
import base64
def derive_mailadmin_secret(metadata, salt):
node_id = metadata.get('id')
raw = base64.b64decode(
repo.vault.random_bytes_as_base64_for(f'{node_id}_{salt}', length=32).value
)
return base64.urlsafe_b64encode(raw).rstrip(b'=').decode('ascii')
defaults = {
'apt': {
'packages': {
'mailman3-full': {
'needs': {
'postgres_db:mailman',
'postgres_role:mailman',
'zfs_dataset:tank/mailman',
}
},
'postfix': {},
'python3-psycopg2': {
'needed_by': {
'pkg_apt:mailman3-full',
},
},
'apache2': {
'installed': False,
'needs': {
'pkg_apt:mailman3-full',
},
},
},
},
'zfs': {
'datasets': {
'tank/mailman': {
'mountpoint': '/var/lib/mailman3',
},
},
},
}
@metadata_reactor.provides(
'postgresql',
'mailman',
)
def postgresql(metadata):
node_id = metadata.get('id')
db_password = repo.vault.password_for(f'{node_id} database mailman')
return {
'postgresql': {
'databases': {
'mailman': {
'owner': 'mailman',
},
},
'roles': {
'mailman': {
'password': db_password,
},
},
},
'mailman': {
'db_password': db_password,
},
}
@metadata_reactor.provides(
'nginx/vhosts',
)
def nginx(metadata):
return {
'nginx': {
'vhosts': {
metadata.get('mailman/hostname'): {
'content': 'mailman/vhost.conf',
},
},
},
}
@metadata_reactor.provides(
'mailman/secret_key',
)
def secret_key(metadata):
import base64
node_id = metadata.get('id')
raw = base64.b64decode(
repo.vault.random_bytes_as_base64_for(f'{node_id}_mailman_secret_key', length=32).value
)
secret_key = base64.urlsafe_b64encode(raw).rstrip(b'=').decode('ascii')
return {
'mailman': {
'secret_key': secret_key,
},
}
@metadata_reactor.provides(
'mailman',
)
def secrets(metadata):
return {
'mailman': {
'web_secret': derive_mailadmin_secret(metadata, 'secret_key'),
'api_password': derive_mailadmin_secret(metadata, 'api_password'),
'archiver_key': derive_mailadmin_secret(metadata, 'archiver_key'),
},
}
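Review bot: The `secret_key` reactor re-implements `derive_mailadmin_secret` inline (including its own `import base64`) with salt `mailman_secret_key`, while the `secrets` reactor derives a different value, `web_secret`, from salt `secret_key` — `web_secret` is not used by any template in this PR, and the two names invite confusion about which value is Django's `SECRET_KEY`. I would fold this into the `secrets` reactor as `'secret_key': derive_mailadmin_secret(metadata, 'mailman_secret_key'),` (keeping the existing salt so the key does not rotate and invalidate sessions) and drop both the separate reactor and the unused `web_secret`. Deriving the REST password, archiver key and `SECRET_KEY` from 32 vault-random bytes each is sound; the DB role password is the only one that goes through `repo.vault.password_for` instead, which is fine but deserves a one-line comment explaining why the two mechanisms differ.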


@ -1,11 +0,0 @@
% for section, options in sorted(conf.items()):
[${section}]
% for key, value in sorted(options.items()):
% if value is None:
${key}
% else:
${key} = ${value}
% endif
% endfor
% endfor


@ -10,8 +10,6 @@ directories = {
'group': 'mysql', 'group': 'mysql',
'needs': [ 'needs': [
'zfs_dataset:tank/mariadb', 'zfs_dataset:tank/mariadb',
],
'needs': [
'pkg_apt:mariadb-server', 'pkg_apt:mariadb-server',
'pkg_apt:mariadb-client', 'pkg_apt:mariadb-client',
], ],
@ -20,10 +18,8 @@ directories = {
files = { files = {
'/etc/mysql/conf.d/override.conf': { '/etc/mysql/conf.d/override.conf': {
'context': { 'content': repo.libs.ini.dumps(node.metadata.get('mariadb/conf')),
'conf': node.metadata.get('mariadb/conf'), 'content_type': 'text',
},
'content_type': 'mako',
}, },
} }


@ -3,12 +3,12 @@ defaults = {
'packages': { 'packages': {
'mariadb-server': { 'mariadb-server': {
'needs': { 'needs': {
#'zfs_dataset:tank/mariadb', 'zfs_dataset:tank/mariadb',
}, },
}, },
'mariadb-client': { 'mariadb-client': {
'needs': { 'needs': {
#'zfs_dataset:tank/mariadb', 'zfs_dataset:tank/mariadb',
}, },
}, },
}, },


@ -36,61 +36,64 @@ def dhcp(metadata):
'systemd/units', 'systemd/units',
) )
def units(metadata): def units(metadata):
units = {} if node.has_bundle('systemd-networkd'):
units = {}
for network_name, network_conf in metadata.get('network').items(): for network_name, network_conf in metadata.get('network').items():
interface_type = network_conf.get('type', None) interface_type = network_conf.get('type', None)
# network # network
units[f'{network_name}.network'] = { units[f'{network_name}.network'] = {
'Match': { 'Match': {
'Name': network_name if interface_type == 'vlan' else network_conf['interface'], 'Name': network_name if interface_type == 'vlan' else network_conf['interface'],
},
'Network': {
'DHCP': network_conf.get('dhcp', 'no'),
'IPv6AcceptRA': network_conf.get('dhcp', 'no'),
'VLAN': set(network_conf.get('vlans', set()))
}
}
# type
if interface_type:
units[f'{network_name}.network']['Match']['Type'] = interface_type
# ips
for i in [4, 6]:
if network_conf.get(f'ipv{i}', None):
units[f'{network_name}.network'].update({
f'Address#ipv{i}': {
'Address': network_conf[f'ipv{i}'],
},
})
if f'gateway{i}' in network_conf:
units[f'{network_name}.network'].update({
f'Route#ipv{i}': {
'Gateway': network_conf[f'gateway{i}'],
'GatewayOnlink': 'yes',
}
})
# as vlan
if interface_type == 'vlan':
units[f"{network_name}.netdev"] = {
'NetDev': {
'Name': network_name,
'Kind': 'vlan',
}, },
'VLAN': { 'Network': {
'Id': network_conf['id'], 'DHCP': network_conf.get('dhcp', 'no'),
'IPv6AcceptRA': network_conf.get('dhcp', 'no'),
'VLAN': set(network_conf.get('vlans', set()))
} }
} }
return { # type
'systemd': {
'units': units, if interface_type:
units[f'{network_name}.network']['Match']['Type'] = interface_type
# ips
for i in [4, 6]:
if network_conf.get(f'ipv{i}', None):
units[f'{network_name}.network'].update({
f'Address#ipv{i}': {
'Address': network_conf[f'ipv{i}'],
},
})
if f'gateway{i}' in network_conf:
units[f'{network_name}.network'].update({
f'Route#ipv{i}': {
'Gateway': network_conf[f'gateway{i}'],
'GatewayOnlink': 'yes',
}
})
# as vlan
if interface_type == 'vlan':
units[f"{network_name}.netdev"] = {
'NetDev': {
'Name': network_name,
'Kind': 'vlan',
},
'VLAN': {
'Id': network_conf['id'],
}
}
return {
'systemd': {
'units': units,
}
} }
} else:
return {}
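Review bot: Wrapping the whole body in `if node.has_bundle('systemd-networkd'):` re-indents roughly sixty lines and pushes the `return` to the bottom; a guard clause, `if not node.has_bundle('systemd-networkd'): return {}`, placed before the existing `units = {}` keeps the diff to two lines and the body readable. The behavioural change itself — nodes without the bundle no longer receive `.network`/`.netdev` units — is what the ifupdown-based Proxmox group in this PR needs, so that part looks right. The function appears to end at the `return {}` here.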


@ -0,0 +1,22 @@
# DO NOT DISABLE!
# If you change this first entry you will need to make sure that the
# database superuser can access the database using some other method.
# Noninteractive access to all databases is required during automatic
# maintenance (custom daily cronjobs, replication, and similar tasks).
#
# Database administrative login by Unix domain socket
local all postgres peer
# TYPE DATABASE USER ADDRESS METHOD
# "local" is for Unix domain socket connections only
local all all peer
# IPv4 local connections:
host all all 127.0.0.1/32 ${node.metadata.get('postgresql/password_algorithm', 'md5')}
# IPv6 local connections:
host all all ::1/128 ${node.metadata.get('postgresql/password_algorithm', 'md5')}
# Allow replication connections from localhost, by a user with the
# replication privilege.
local replication all peer
host replication all 127.0.0.1/32 ${node.metadata.get('postgresql/password_algorithm', 'md5')}
host replication all ::1/128 ${node.metadata.get('postgresql/password_algorithm', 'md5')}
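Review bot: The four password-auth lines default `postgresql/password_algorithm` to `md5`, which PostgreSQL has deprecated; this repo's debian-12 group pins PostgreSQL 15, where `password_encryption` already defaults to `scram-sha-256`, so the safer default here is `${node.metadata.get('postgresql/password_algorithm', 'scram-sha-256')}` on each of those lines. With SCRAM-hashed roles an `md5` line still negotiates SCRAM, so this is a hardening default rather than a breakage, but it removes the MD5 challenge as a fallback and matches how the `mailman` role created in this PR will actually be stored. Keep the option overridable for nodes that still carry older roles.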


@ -18,6 +18,21 @@ directories = {
} }
files = { files = {
f"/etc/postgresql/{version}/main/pg_hba.conf": {
'content_type': 'mako',
'mode': '0640',
'owner': 'postgres',
'group': 'postgres',
'needs': [
'pkg_apt:postgresql',
],
'needed_by': [
'svc_systemd:postgresql.service',
],
'triggers': [
'svc_systemd:postgresql.service:restart',
],
},
f"/etc/postgresql/{version}/main/conf.d/managed.conf": { f"/etc/postgresql/{version}/main/conf.d/managed.conf": {
'content': '\n'.join( 'content': '\n'.join(
f'{key} = {value}' f'{key} = {value}'
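Review bot: `pg_hba.conf` changes only need a configuration reload, not a restart — PostgreSQL re-reads it on SIGHUP — so `'svc_systemd:postgresql.service:reload'` in `triggers` would avoid dropping every client connection (including Mailman's) whenever the auth rules change, assuming the service supports a reload action in this bundle. The `0640 postgres:postgres` mode is right for this file, and `needed_by: svc_systemd:postgresql.service` correctly makes the service wait for it on first deploy.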


@ -0,0 +1,21 @@
files = {
'/etc/apt/apt.conf.d/10pveapthook': {
'content_type': 'any',
'mode': '0644',
},
'/etc/apt/apt.conf.d/76pveconf': {
'content_type': 'any',
'mode': '0444',
},
'/etc/apt/apt.conf.d/76pveproxy': {
'content_type': 'any',
'mode': '0444',
},
'/etc/network/interfaces': {
'content_type': 'any',
},
}
symlinks['/etc/ssh/ssh_host_rsa_key.pub'] = {
'target': '/etc/ssh/ssh_host_managed_key.pub',
}
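Review bot: The symlink replaces only the public half, `/etc/ssh/ssh_host_rsa_key.pub` → `/etc/ssh/ssh_host_managed_key.pub`, while sshd keeps serving whatever `/etc/ssh/ssh_host_rsa_key` currently is; as far as I recall Proxmox copies the `.pub` into its cluster known_hosts, so unless the private key is managed to match, peer nodes will fail host-key verification. If the intent is a managed RSA host key, manage (or symlink) the private key too and restart sshd; if not, a comment explaining what `ssh_host_managed_key.pub` is and who produces it would help. Also, `symlinks[...] = {...}` assumes a `symlinks` dict already exists in this items.py namespace — if bundlewrap does not pre-seed it, this needs `symlinks = { ... }` instead.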


@ -0,0 +1,99 @@
defaults = {
'apt': {
'packages': {
'linux-image-amd64': {
'installed': False,
},
'proxmox-default-kernel': {},
# after reboot
'proxmox-ve': {},
'postfix': {},
'open-iscsi': {},
'chrony': {},
'os-prober': {
'installed': False,
},
'dnsmasq-base': {},
},
'sources': {
'proxmox-ve': {
'options': {
'aarch': 'amd64',
},
'urls': {
'http://download.proxmox.com/debian/pve',
},
'suites': {
'{codename}',
},
'components': {
'pve-no-subscription',
},
'key': 'proxmox-ve-{codename}',
},
},
},
# 'nftables': {
# 'input': {
# 'tcp dport 8006 accept',
# },
# },
'zfs': {
'datasets': {
'tank/proxmox-ve': {
'mountpoint': '/var/lib/proxmox-ve',
},
}
}
}
# @metadata_reactor.provides(
# 'systemd',
# )
# def bridge(metadata):
# return {
# 'systemd': {
# 'units': {
# # f'internal.network': {
# # 'Network': {
# # 'Bridge': 'br0',
# # },
# # },
# 'br0.netdev': {
# 'NetDev': {
# 'Name': 'br0',
# 'Kind': 'bridge'
# },
# },
# 'br0.network': {
# 'Match': {
# 'Name': 'br0',
# },
# 'Network': {
# 'Unmanaged': 'yes'
# },
# },
# },
# },
# }
@metadata_reactor.provides(
'nginx/vhosts',
)
def nginx(metadata):
return {
'nginx': {
'has_websockets': True,
'vhosts': {
metadata.get('proxmox-ve/domain'): {
'content': 'nginx/proxy_pass.conf',
'context': {
'target': 'https://localhost:8006',
'websockets': True,
}
},
},
},
}
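Review bot: The `proxmox-ve` apt source uses `http://download.proxmox.com/debian/pve`; apt still verifies the repository signature with the pinned `proxmox-ve-{codename}` key, so integrity holds, but switching to `https://` hides from an on-path observer which packages each host pulls — worth doing if the mirror serves TLS, which I believe it does. The option key `'aarch': 'amd64'` looks like a typo for `arch` unless the apt bundle deliberately uses that name; if it is a typo the architecture restriction is silently dropped. The commented-out `bridge` reactor is dead code and should go; leaving the nftables rule for 8006 commented out is right, since the UI is only meant to be reached through the nginx proxy.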


@ -1,9 +1,6 @@
assert node.has_bundle('systemd') assert node.has_bundle('systemd')
files = { files = {
'/etc/network/interfaces': {
'delete': True,
},
'/etc/resolv.conf': { '/etc/resolv.conf': {
'content_type': 'mako', 'content_type': 'mako',
}, },
@ -21,4 +18,3 @@ directories = {
svc_systemd = { svc_systemd = {
'systemd-networkd.service': {}, 'systemd-networkd.service': {},
} }
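Review bot: With the `/etc/network/interfaces` `delete: True` item gone, a pre-existing ifupdown config on a node that carries only the systemd-networkd bundle now survives and could configure the same interfaces twice. Since this PR turns ifupdown and systemd-networkd into separate bundles assigned per group, an explicit `assert not node.has_bundle('ifupdown')` next to the existing `assert node.has_bundle('systemd')` would make the exclusivity visible and fail early on a mis-grouped node.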

Binary file not shown.

31
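--- a/data/mailman/vhost.conf
+++ b/data/mailman/vhost.conf
@@ -0,0 +1,31 @@
+upstream mailman3 {
+    server unix:/run/mailman3-web/uwsgi.sock fail_timeout=0;
+}
+server {
+    listen 443 ssl http2;
+    listen [::]:443 ssl http2;
+    server_name ${server_name};
+    ssl_certificate /var/lib/dehydrated/certs/${server_name}/fullchain.pem;
+    ssl_certificate_key /var/lib/dehydrated/certs/${server_name}/privkey.pem;
+    server_tokens off;
+    location / {
+        uwsgi_pass mailman3;
+        include /etc/nginx/params/uwsgi;
+    }
+    location /mailman3/static {
+        alias /var/lib/mailman3/web/static;
+    }
+    location /mailman3/static/favicon.ico {
+        alias /var/lib/mailman3/web/static/postorius/img/favicon.ico;
+    }
+    # return 301 https://$server_name$request_uri;
+    access_log /var/log/nginx/mailman3/access.log combined;
+    error_log /var/log/nginx/mailman3/error.log;
+}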
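Review bot: The commented `# return 301 https://$server_name$request_uri;` is dead: there is no `listen 80` server in this file, so plain-HTTP requests for `${server_name}` fall through to whatever default vhost nginx has, and the TLS server sets no `Strict-Transport-Security` header either. Either delete the line or add the port-80 redirect server it was meant for (below) and `add_header Strict-Transport-Security "max-age=63072000" always;` inside the 443 server. Whether Django learns that the request was HTTPS depends on `/etc/nginx/params/uwsgi` forwarding the scheme (e.g. `uwsgi_param HTTPS on;`), which is not visible here — a comment on the `include` line should say so. The `location /mailman3/static` / `alias` pair has no trailing slash on either side, which is the safe pairing for `alias`; keep both sides consistent if the paths are edited.
```nginx
server {
    listen 80;
    listen [::]:80;
    server_name ${server_name};
    return 301 https://$server_name$request_uri;
}
# … unchanged: upstream and the 443 server …
```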


@ -1,5 +1,5 @@
{ {
'bundles': [ 'bundles': {
'bind', 'bind',
], },
} }
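Review bot: `'bundles'` becomes a set here while every other group and node touched in this PR keeps it a list (`'bundles': [ ... ]` in the debian-12, debian-12-pve and mseibert.mailman sections). Unless the framework treats both alike, one form should be used; if both are accepted, the list is the convention the rest of the repository follows, so `'bundles': ['bind']` would be the consistent choice.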


@ -2,6 +2,9 @@
'supergroups': [ 'supergroups': [
'debian', 'debian',
], ],
'bundles': [
'systemd-networkd',
],
'metadata': { 'metadata': {
'php': { 'php': {
'version': '7.4', 'version': '7.4',


@ -0,0 +1,26 @@
{
'metadata': {
'apt': {
'sources': {
'debian': {
'components': {
'non-free-firmware',
},
},
'debian-security': {
'components': {
'non-free-firmware',
},
},
},
},
'php': {
'version': '8.2',
},
'postgresql': {
'version': '15',
},
'os_codename': 'bookworm',
},
'os_version': (12,),
}


@ -0,0 +1,10 @@
{
'supergroups': [
'debian',
'debian-12-common',
],
'bundles': [
'ifupdown',
'proxmox-ve',
],
}


@ -1,6 +1,10 @@
{ {
'supergroups': [ 'supergroups': [
'debian', 'debian',
'debian-12-common',
],
'bundles': [
'systemd-networkd',
], ],
'metadata': { 'metadata': {
'apt': { 'apt': {
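Review bot: `systemd-networkd` moves from the shared bundle list (it is removed in a later section of this PR) into individual groups — `debian-12` here, the php-7.4 group, and `debian-12-pve` takes `ifupdown` instead. Any group that inherits from `debian` but is none of these now ends up with neither network stack, and nothing in the PR checks for that; a comment on the shared list such as `# each OS-version group must pick exactly one of systemd-networkd / ifupdown` would guard the next group added without one. The `metadata` dict continues outside the hunk.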


@ -47,6 +47,14 @@
'mtr-tiny': {}, 'mtr-tiny': {},
}, },
}, },
# iperf3
'nftables': {
'input': {
'tcp dport 5201 accept',
'udp dport 5201 accept',
},
},
}, },
'os': 'debian', 'os': 'debian',
'pip_command': 'pip3', 'pip_command': 'pip3',
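Review bot: `tcp dport 5201` / `udp dport 5201` are opened at group level, so every node in this group — including Internet-facing hosts such as the new mseibert.mailman node — accepts iperf3 traffic from any source, while no `iperf3` package appears in the visible package list. Scope the rule to the nodes that actually run iperf3, or restrict the source to the internal/wireguard networks, and replace the bare `# iperf3` with a comment saying why the port is open by default if that is intended. The enclosing dict continues outside the hunk.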


@ -14,7 +14,6 @@
'system', 'system',
'systemd', 'systemd',
'systemd-journald', 'systemd-journald',
'systemd-networkd',
'systemd-mount', 'systemd-mount',
'systemd-timers', 'systemd-timers',
'users', 'users',


@ -14,7 +14,7 @@ class CaseSensitiveConfigParser(ConfigParser):
return value return value
def parse(text): def parse(text):
config = CaseSensitiveConfigParser() config = CaseSensitiveConfigParser(allow_no_value=True)
config.read_string(text) config.read_string(text)
return { return {
@ -24,8 +24,7 @@ def parse(text):
def dumps(dict): def dumps(dict):
sorted_dict = json.loads(json.dumps(dict, sort_keys=True, cls=MetadataJSONEncoder)) sorted_dict = json.loads(json.dumps(dict, sort_keys=True, cls=MetadataJSONEncoder))
parser = CaseSensitiveConfigParser(allow_no_value=True)
parser = CaseSensitiveConfigParser()
parser.read_dict(sorted_dict) parser.read_dict(sorted_dict)
writable = Writable() writable = Writable()
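Review bot: `allow_no_value=True` changes `parse` so that a bare key now yields `None` instead of raising; callers that assume every value is a `str` should be checked, and after the JSON round-trip in `dumps` a `None` value will be written back as a bare key. A comment on the parser construction naming which config format needs bare keys (e.g. `# allow_no_value: some unit files use bare flags without '='`, adjusted to the real reason) would explain the change. Both `parse` and `dumps` continue outside the hunk.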


@ -15,10 +15,10 @@
'id': '1d6a43e5-858c-42f9-9c40-ab63d61c787c', 'id': '1d6a43e5-858c-42f9-9c40-ab63d61c787c',
'network': { 'network': {
'external': { 'external': {
'interface': 'enx00e04c220682', 'interface': 'enp2s0',
'ipv4': '10.0.99.126/24', 'ipv4': '10.0.99.126/24',
'gateway4': '10.0.99.1', 'gateway4': '10.0.99.1',
'vlans': {'iot', 'internet', 'guest', 'rolf', 'internal'}, 'vlans': {'iot', 'internet', 'guest', 'rolf', 'internal', 'proxmox'},
}, },
'internal': { 'internal': {
'type': 'vlan', 'type': 'vlan',
@ -37,6 +37,12 @@
'id': 3, 'id': 3,
'ipv4': '10.0.3.1/24', 'ipv4': '10.0.3.1/24',
}, },
'proxmox': {
'type': 'vlan',
'id': 4,
'ipv4': '10.0.4.1/24',
'dhcp_server': True,
},
'guest': { 'guest': {
'type': 'vlan', 'type': 'vlan',
'id': 9, 'id': 9,
@ -77,6 +83,8 @@
'10.0.10.0/24', '10.0.10.0/24',
#'192.168.179.0/24', # while raspi at home #'192.168.179.0/24', # while raspi at home
'10.0.227.0/24', # mseibert.freescout '10.0.227.0/24', # mseibert.freescout
'10.0.228.0/24', # mseibert.yourls
'10.0.229.0/24', # mseibert.mailsman
], ],
}, },
}, },
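Review bot: The comment on the new allowed network reads `# mseibert.mailsman` while the node added in this PR is `mseibert.mailman`; fix the spelling so the network list can be grepped against the node name. The new `proxmox` VLAN sets `'dhcp_server': True` without saying what it serves; a comment like `# VLAN 4: proxmox guests, DHCP served by this router` would help. The enclosing node dict continues outside the hunk.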


@ -3,7 +3,7 @@
'groups': [ 'groups': [
'autologin', 'autologin',
'backup', 'backup',
'debian-12', 'debian-12-pve',
'home', 'home',
'nextcloud', 'nextcloud',
'monitored', 'monitored',
@ -12,7 +12,6 @@
'build-server', 'build-server',
], ],
'bundles': [ 'bundles': [
'apcupsd',
'build-agent', 'build-agent',
'crystal', 'crystal',
'gitea', 'gitea',
@ -32,9 +31,9 @@
'systemd-swap', 'systemd-swap',
'twitch-clip-download', 'twitch-clip-download',
'raspberrymatic-cert', 'raspberrymatic-cert',
#'tasmota-charge',
'wol-waker', 'wol-waker',
'zfs', 'zfs',
'proxmox-ve',
], ],
'metadata': { 'metadata': {
'id': 'af96709e-b13f-4965-a588-ef2cd476437a', 'id': 'af96709e-b13f-4965-a588-ef2cd476437a',
@ -47,7 +46,7 @@
}, },
'apt': { 'apt': {
'packages': { 'packages': {
'firmware-realtek': {}, # 'firmware-realtek': {}, proxmox-ve incompatibility
}, },
}, },
'build-server': { 'build-server': {
@ -124,6 +123,9 @@
'unsortable': 'SofortUpload/Unsortable', 'unsortable': 'SofortUpload/Unsortable',
}, },
}, },
'proxmox-ve': {
'domain': 'pve.ckn.li',
},
'raspberrymatic-cert': { 'raspberrymatic-cert': {
'domain': 'homematic.ckn.li', 'domain': 'homematic.ckn.li',
'node': 'home.homematic', 'node': 'home.homematic',
@ -152,18 +154,6 @@
}, },
}, },
'systemd-swap': 4_000_000_000, 'systemd-swap': 4_000_000_000,
'tasmota-charge': {
'phone': {
'ip': '10.0.0.175',
'user': 'u0_a233',
'password': 'november',
},
'plug': {
'ip': '10.0.2.115',
'min': 45,
'max': 70,
},
},
'twitch-clip-download': { 'twitch-clip-download': {
'channel_name': 'cronekorkn_', 'channel_name': 'cronekorkn_',
}, },
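Review bot: The removed `tasmota-charge` block carried a plaintext password (`'november'`) that remains in the repository history; deleting the lines does not revoke it, so the credential should be rotated and, if it is needed again, stored with the `!decrypt:` mechanism the mseibert.mailman node in this PR uses. `'proxmox-ve': {'domain': 'pve.ckn.li'}` publishes the Proxmox UI on a public name through the nginx reactor; a comment stating that this is intended and what limits access (Proxmox auth only, or an allow-list in the template) belongs next to it. The node dict continues outside the hunk.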


@ -200,6 +200,11 @@
'10.0.228.0/24', '10.0.228.0/24',
], ],
}, },
'mseibert.mailman': {
'allowed_ips': [
'10.0.229.0/24',
],
},
}, },
'clients': { 'clients': {
'macbook': { 'macbook': {


@ -30,6 +30,9 @@
'gateway6': 'fe80::1', 'gateway6': 'fe80::1',
}, },
}, },
'postgresql': {
'password_algorithm': 'scram-sha-256',
},
'freescout': { 'freescout': {
'domain': 'foerderkreis.oranienschule-wiesbaden-wiki.de', 'domain': 'foerderkreis.oranienschule-wiesbaden-wiki.de',
}, },
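Review bot: `'password_algorithm': 'scram-sha-256'` is set on this node only; the new mseibert.mailman node also carries the `postgresql` bundle but does not set it, so if the bundle's default is md5 that host keeps the weaker scheme. If scram is intended everywhere, set it in the postgresql bundle defaults rather than per node; otherwise a comment here explaining why only this node needs it would avoid the question. The node dict continues outside the hunk.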

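--- a/nodes/mseibert.mailman.py
+++ b/nodes/mseibert.mailman.py
@@ -0,0 +1,73 @@
+# https://teamvault.apps.seibert-media.net/secrets/mkqMRv/
+# https://console.hetzner.cloud/projects/889138/servers/46578341
+# mailman.ckn.li
+{
+    'hostname': '91.99.123.176',
+    'groups': [
+        'backup',
+        'debian-12',
+        'monitored',
+        'webserver',
+    ],
+    'bundles': [
+        'mailman',
+        'wireguard',
+        'zfs',
+        'postgresql',
+    ],
+    'metadata': {
+        'id': '854cb39f-d964-4cc7-9051-ba6574708820',
+        'network': {
+            'internal': {
+                'interface': 'ens10',
+                'ipv4': '10.0.229.2/24',
+            },
+            'external': {
+                'interface': 'eth0',
+                'ipv4': '91.99.123.176/32',
+                'gateway4': '172.31.1.1',
+                'ipv6': '2a01:4f8:c013:2030::2/64',
+                'gateway6': 'fe80::1',
+            },
+        },
+        'mailman': {
+            'hostname': 'mailman.ckn.li',
+            'site_owner_email': '!decrypt:encrypt$gAAAAABoWEeTyypfKw9l9jnNgF4GlS0-6O2NWCB0f3Fj1XnQ_HMjHXymAL8FWTyQjRmz3r8KnGJ-sogfnhW6lub_pnuk-wqB5Zuy9tgGsfi3RvkyNaOUeTE=',
+            'smtp_host': 'smtp.ionos.de',
+            'smtp_port': 465,
+            'smtp_user': '!decrypt:encrypt$gAAAAABoWEcZlLxiTKluyg3gZ-un2fYkuviW9BD9tTW8mfKBL5d41Z1X7LtI5CDnhhLXTGFpPnY1thr17h22oW3Ybz_WPgvbJVepnVwmeQwvMpg2psATKAY=',
+            'smtp_password': '!decrypt:encrypt$gAAAAABoWDusH3XY4ONh8MnmfBbyHW477ipjSycb3TiDGXxO5eujum80zXjNrOblswCGRTHsW9UasM_dXeeGBsa7KcK4s6AK_eynXCWeLCtXfrUSE_oEd7c='
+        },
+        'overwrite_nameservers': [
+            '8.8.8.8',
+        ],
+        'vm': {
+            'cores': 2,
+            'ram': 4096,
+        },
+        'wireguard': {
+            'my_ip': '172.30.0.240/32',
+            's2s': {
+                'htz.mails': {
+                    'allowed_ips': [
+                        '10.0.0.0/24',
+                        '10.0.2.0/24',
+                        '10.0.9.0/24',
+                        '10.0.10.0/24',
+                    ],
+                },
+            },
+        },
+        'zfs': {
+            'pools': {
+                'tank': {
+                    'devices': [
+                        '/var/lib/zfs_file',
+                    ],
+                },
+            },
+        },
+    },
+}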
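Review bot: `overwrite_nameservers` lists a single external resolver (`8.8.8.8`), so the host's name resolution has no fallback and travels unencrypted across the Internet; add a second resolver or use the hosting provider's. `'smtp_port': 465` implies implicit TLS to `smtp.ionos.de`, but whether the mailman bundle verifies the server certificate is not visible here — a comment on `smtp_host` should state it. `'hostname'` is the bare IP while the service name is `'mailman.ckn.li'`; if other bundles (certificates, ALLOWED_HOSTS) derive names from the node hostname they would get the IP, which is worth confirming and noting in the header comment.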