From a29f17a9f9a1fe713690901dd424dd31d02cb231 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Thu, 22 Dec 2022 19:02:52 +0100 Subject: [PATCH 01/80] add bundle:woodpecker-server --- PORT_MAP.md | 2 + .../files/woodpecker-server.service | 19 ++++ bundles/woodpecker-server/items.py | 35 +++++++ bundles/woodpecker-server/metadata.py | 94 +++++++++++++++++++ .../powerdns/files/bind-zones/franzi.business | 2 +- nodes/rx300.py | 12 +++ 6 files changed, 163 insertions(+), 1 deletion(-) create mode 100644 bundles/woodpecker-server/files/woodpecker-server.service create mode 100644 bundles/woodpecker-server/items.py create mode 100644 bundles/woodpecker-server/metadata.py diff --git a/PORT_MAP.md b/PORT_MAP.md index c683843..1e502c3 100644 --- a/PORT_MAP.md +++ b/PORT_MAP.md @@ -46,6 +46,8 @@ Rule of thumb: keep ports below 10000 free for stuff that reserves ports. | 22070 | paperless-ng | gunicorn | | 22080 | netbox | gunicorn | | 22090 | openhab | http | +| 22100 | woodpecker-server | http | +| 22101 | woodpecker-server | gRPC | | 22999 | nginx | stub_status | | 22100 | ntfy | http | diff --git a/bundles/woodpecker-server/files/woodpecker-server.service b/bundles/woodpecker-server/files/woodpecker-server.service new file mode 100644 index 0000000..5520b49 --- /dev/null +++ b/bundles/woodpecker-server/files/woodpecker-server.service @@ -0,0 +1,19 @@ +[Unit] +Description=woodpecker ci +After=syslog.target +After=network.target +Requires=postgresql.service + +[Service] +RestartSec=2s +Type=simple +User=woodpecker +Group=woodpecker +ExecStart=/usr/local/bin/woodpecker-server +Restart=always +% for k, v in sorted(env.items()): +Environment=${k}=${v} +% endfor + +[Install] +WantedBy=multi-user.target diff --git a/bundles/woodpecker-server/items.py b/bundles/woodpecker-server/items.py new file mode 100644 index 0000000..cccbb8c --- /dev/null +++ b/bundles/woodpecker-server/items.py 
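Review bot: The unit renders every entry of `woodpecker-server/environment` as an `Environment=` line, which in this series includes the agent secret, the PostgreSQL password and (from nodes/rx300.py) the Gitea OAuth client secret, while the `files[...]` item that installs the unit in bundles/woodpecker-server/items.py sets no `mode`, so with a default 0644 the secrets are readable by every local account. Move the secret entries into a separate file installed with a restrictive mode and reference it with `EnvironmentFile=/etc/woodpecker/server.env` (path is an example), giving that file item `mode: '0640'`, `owner: 'root'`, `group: 'woodpecker'`, and keep only non-secret settings inline. The agent unit added in patch 05 carries `WOODPECKER_AGENT_SECRET` the same way and needs the same split. The 0644 default is inferred from the absent `mode` key; confirm against the repository's file-item defaults.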
@@ -0,0 +1,35 @@
+version = node.metadata.get('woodpecker-server/version')
+
+actions['install_woodpecker-server'] = {
+    'command': ' && '.join([
+        f'wget -q -O/tmp/woodpecker-server.deb https://github.com/woodpecker-ci/woodpecker/releases/download/v{version}/woodpecker-server_{version}_amd64.deb',
+        'dpkg -i /tmp/woodpecker-server.deb',
+    ]),
+    'unless': f'''bash -c "[[ \"$(woodpecker-server --version | cut -d' ' -f3)\" == "{version}" ]]"''',
+    'triggers': {
+        'svc_systemd:woodpecker-server:restart',
+    },
+}
+
+files['/usr/local/lib/systemd/system/woodpecker-server.service'] = {
+    'content_type': 'mako',
+    'context': {
+        'env': node.metadata.get('woodpecker-server/environment'),
+    },
+    'triggers': {
+        'action:systemd-reload',
+        'svc_systemd:woodpecker-server:restart',
+    },
+}
+
+svc_systemd['woodpecker-server'] = {
+    'needs': {
+        'action:install_woodpecker-server',
+        'file:/usr/local/lib/systemd/system/woodpecker-server.service',
+        'postgres_db:woodpecker',
+        'postgres_role:woodpecker',
+        'user:woodpecker',
+    },
+}
+
+users['woodpecker'] = {}
diff --git a/bundles/woodpecker-server/metadata.py b/bundles/woodpecker-server/metadata.py
new file mode 100644
index 0000000..b98c89a
--- /dev/null
+++ b/bundles/woodpecker-server/metadata.py
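Review bot: `install_woodpecker-server` fetches the .deb and hands it straight to `dpkg -i`, which runs the package's maintainer scripts as root with no integrity check beyond the TLS connection, so a swapped or tampered release asset is installed silently. Pin the expected digest next to the version in node metadata and verify it before installing, e.g. `sha256 = node.metadata.get('woodpecker-server/sha256')` and an extra join element `f'echo "{sha256}  /tmp/woodpecker-server.deb" | sha256sum -c'` (the metadata key is a suggested name). The fixed, world-readable path `/tmp/woodpecker-server.deb` would be tidier as a `mktemp -d` directory removed at the end of the command. The agent installer in patch 05 has the identical shape and should get the same treatment.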
@@ -0,0 +1,94 @@
+from bundlewrap.metadata import atomic
+
+defaults = {
+    'postgresql': {
+        'roles': {
+            'woodpecker': {
+                'password': repo.vault.password_for(f'{node.name} postgresql woodpecker'),
+            },
+        },
+        'databases': {
+            'woodpecker': {
+                'owner': 'woodpecker',
+            },
+        },
+    },
+    'woodpecker-server': {
+        'environment': {
+            'WOODPECKER_AGENT_SECRET': repo.vault.password_for(f'{node.name} WOODPECKER_AGENT_SECRET'),
+            'WOODPECKER_DATABASE_DATASOURCE': repo.vault.password_for(f'{node.name} postgresql woodpecker').format_into(
+                'postgres://woodpecker:{}@localhost/woodpecker?sslmode=disable'
+            ),
+            'WOODPECKER_DATABASE_DRIVER': 'postgres',
+            'WOODPECKER_GRPC_ADDR': ':22101',
+            'WOODPECKER_LOG_LEVEL': 'warn',
+            'WOODPECKER_OPEN': 'true',
+            'WOODPECKER_SERVER_ADDR': ':22100',
+        },
+    },
+}
+
+
+@metadata_reactor.provides(
+    'nginx/vhosts/woodpecker-server',
+    'woodpecker-server/environment/WOODPECKER_HOST',
+)
+def nginx(metadata):
+    if not node.has_bundle('nginx'):
+        raise DoNotRunAgain
+
+    ssl = metadata.get('nginx/vhosts/woodpecker-server/ssl', 'letsencrypt')
+    domain = metadata.get('woodpecker-server/domain')
+    prefix = 'https' if ssl else 'http'
+
+    return {
+        'nginx': {
+            'vhosts': {
+                'woodpecker-server': {
+                    'domain': domain,
+                    'locations': {
+                        '/': {
+                            'target': 'http://127.0.0.1:22100',
+                            'additional_config': {
+                                'proxy_redirect off',
+                                'chunked_transfer_encoding off',
+                            },
+                        },
+                        '/metrics': {
+                            'return': 403,
+                        },
+                        '/debug': {
+                            'return': 403,
+                        },
+                    },
+                    'website_check_path': '/do-login',
+                    'website_check_string': 'Woodpecker',
+                },
+            },
+        },
+        'woodpecker-server': {
+            'environment': {
+                'WOODPECKER_HOST': f'{prefix}://{domain}',
+            },
+        },
+    }
+
+
+@metadata_reactor.provides(
+    'firewall/port_rules',
+)
+def firewall(metadata):
+    port = metadata.get('woodpecker-server/environment/WOODPECKER_GRPC_ADDR')[1:]
+    agents = set()
+
+    for node in repo.nodes:
+        if node.has_bundle('woodpecker-agent'):
+            agents.add(node.name)
+
+    return {
+        'firewall': {
+
'port_rules': { + port: atomic(agents), + }, + }, + } diff --git a/data/powerdns/files/bind-zones/franzi.business b/data/powerdns/files/bind-zones/franzi.business index 2f8e3ea..0f17f37 100644 --- a/data/powerdns/files/bind-zones/franzi.business +++ b/data/powerdns/files/bind-zones/franzi.business @@ -23,8 +23,8 @@ rss IN CNAME rx300.kunbox.net. status IN CNAME icinga2.ovh.kunbox.net. tickets IN CNAME franzi-business.cname.pretix.eu. travelynx IN CNAME rx300.kunbox.net. -unicornsden IN CNAME rx300.kunbox.net. wiki IN CNAME rx300.kunbox.net. +woodpecker IN CNAME rx300.kunbox.net. _matrix._tcp IN SRV 10 10 443 matrix diff --git a/nodes/rx300.py b/nodes/rx300.py index 869efa0..3bf0a26 100644 --- a/nodes/rx300.py +++ b/nodes/rx300.py @@ -35,6 +35,7 @@ nodes['rx300'] = { 'travelynx', 'unbound', 'vmhost', + 'woodpecker-server', 'zfs', }, 'groups': { @@ -334,6 +335,7 @@ nodes['rx300'] = { 'netbox': {'ssl': '_.franzi.business'}, 'radicale': {'ssl': '_.franzi.business'}, 'travelynx': {'ssl': '_.franzi.business'}, + 'woodpecker-server': {'ssl': '_.franzi.business'}, 'daskritzelt-redirect': { 'domain': 'die-brontosaurier-waren-es.org', 'ssl': None, @@ -534,6 +536,16 @@ nodes['rx300'] = { 'enable_linger': True, }, }, + 'woodpecker-server': { + 'domain': 'woodpecker.franzi.business', + 'version': '0.15.5', + 'environment': { + 'WOODPECKER_GITEA': 'true', + 'WOODPECKER_GITEA_URL': 'https://git.franzi.business', + 'WOODPECKER_GITEA_CLIENT': vault.decrypt('encrypt$gAAAAABjpJJQkNyG2B2ThT5yrkGnrPoM33bVYNTyLcuaas4_7ewBRrDb-KO2-JIM895fdI6U6NO8wHQ3gKBxBBYUtt-xgbWW1j4iUrzyt7KhqswSNBIBFfce80UmQ5UuOHsaFPVyyd1W'), + 'WOODPECKER_GITEA_SECRET': vault.decrypt('encrypt$gAAAAABjpJJW95MaCPnK2ngkGf1DLBmV8Y_K6B0Dc8XBM4oN3sPHH54vFbKB1YLODepR-okpXUJGHxqlS7TkTlu4JylRINXiIh7OHRRDaTCkU_bfLSUDnc_VLgDmVULWH09fsveslKw5v1ssl-RBGJg16XXBz1Sq4g=='), + }, + }, 'zfs': { 'module_options': { 'zfs_arc_max_gb': 16, From b69aa322326f5dc455bb61b1b67f94ab5ee04733 Mon Sep 17 00:00:00 2001 
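Review bot: In `firewall()` the loop `for node in repo.nodes:` shadows the `node` global that bundlewrap hands to metadata.py; it only works because the function reads nothing else from `node`, so rename the loop variable, e.g. `for other in repo.nodes:` / `if other.has_bundle('woodpecker-agent'):` / `agents.add(other.name)`. Separately, `WOODPECKER_SERVER_ADDR` is `:22100`, and the PORT_MAP.md hunk of this same patch shows 22100 already assigned to ntfy, so the two services collide if they ever share a host; pick a slot the map does not list and update both places. `WOODPECKER_OPEN: 'true'` lets every account on the connected forge self-register and run pipelines on the agents, which is worth a one-line comment stating that this is intended and which forge access policy it relies on.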
From: Franziska Kunsmann
Date: Fri, 23 Dec 2022 16:54:59 +0100
Subject: [PATCH 02/80] bundles/woodpecker: try to get it working
---
 .../files/woodpecker-server.service | 24 +++++++++++++++++++
 bundles/woodpecker-server/items.py | 8 ++++++-
 2 files changed, 31 insertions(+), 1 deletion(-)
diff --git a/bundles/woodpecker-server/files/woodpecker-server.service b/bundles/woodpecker-server/files/woodpecker-server.service
index 5520b49..3bd7b82 100644
--- a/bundles/woodpecker-server/files/woodpecker-server.service
+++ b/bundles/woodpecker-server/files/woodpecker-server.service
@@ -9,8 +9,32 @@ RestartSec=2s
 Type=simple
 User=woodpecker
 Group=woodpecker
+WorkingDirectory=/var/lib/woodpecker
 ExecStart=/usr/local/bin/woodpecker-server
 Restart=always
+ReadWritePaths=/var/lib/woodpecker
+CapabilityBoundingSet=
+NoNewPrivileges=true
+ProtectSystem=strict
+ProtectHome=true
+PrivateTmp=true
+PrivateDevices=true
+PrivateUsers=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+LockPersonality=true
+MemoryDenyWriteExecute=true
+RestrictRealtime=true
+RestrictSUIDSGID=true
+PrivateMounts=true
+SystemCallArchitectures=native
+SystemCallFilter=~@clock @cpu-emulation @debug @keyring @memlock @module @mount @obsolete @raw-io @reboot @setuid @swap
+
 % for k, v in sorted(env.items()):
 Environment=${k}=${v}
 % endfor
diff --git a/bundles/woodpecker-server/items.py b/bundles/woodpecker-server/items.py
index cccbb8c..eb98fe9 100644
--- a/bundles/woodpecker-server/items.py
+++ b/bundles/woodpecker-server/items.py
@@ -1,5 +1,9 @@
 version = node.metadata.get('woodpecker-server/version')
 
+directories['/var/lib/woodpecker'] = {
+    'owner': 'woodpecker',
+}
+
 actions['install_woodpecker-server'] = {
     'command': ' && '.join([
         f'wget -q -O/tmp/woodpecker-server.deb https://github.com/woodpecker-ci/woodpecker/releases/download/v{version}/woodpecker-server_{version}_amd64.deb',
@@ -32,4 +36,6 @@ svc_systemd['woodpecker-server'] = {
     },
 }
 
-users['woodpecker'] = {}
+users['woodpecker'] = {
+    'home': '/var/lib/woodpecker',
+}
From d28cdc78d6feb9293a34b5f46bd149e978e1f765 Mon Sep 17 00:00:00 2001
From: Franziska Kunsmann
Date: Sat, 24 Dec 2022 08:44:40 +0100
Subject: [PATCH 03/80] bundles/woodpecker-server: add GODEBUG=netns=go
---
 bundles/woodpecker-server/metadata.py | 4 ++++
 nodes/rx300.py | 2 +-
 2 files changed, 5 insertions(+), 1 deletion(-)
diff --git a/bundles/woodpecker-server/metadata.py b/bundles/woodpecker-server/metadata.py
index b98c89a..257a307 100644
--- a/bundles/woodpecker-server/metadata.py
+++ b/bundles/woodpecker-server/metadata.py
@@ -24,6 +24,10 @@ defaults = {
             'WOODPECKER_LOG_LEVEL': 'warn',
             'WOODPECKER_OPEN': 'true',
             'WOODPECKER_SERVER_ADDR': ':22100',
+
+            # https://github.com/woodpecker-ci/woodpecker/issues/1497
+            # https://github.com/woodpecker-ci/woodpecker/issues/748
+            'GODEBUG': 'netdns=go'
         },
     },
 }
diff --git a/nodes/rx300.py b/nodes/rx300.py
index 3bf0a26..7900321 100644
--- a/nodes/rx300.py
+++ b/nodes/rx300.py
@@ -538,7 +538,7 @@ nodes['rx300'] = {
         },
         'woodpecker-server': {
             'domain': 'woodpecker.franzi.business',
-            'version': '0.15.5',
+            'version': '0.15.6',
             'environment': {
                 'WOODPECKER_GITEA': 'true',
                 'WOODPECKER_GITEA_URL': 'https://git.franzi.business',
From 0d56454af74ccca26bdf907b95c1e0d64723f159 Mon Sep 17 00:00:00 2001
From: Franziska Kunsmann
Date: Sat, 24 Dec 2022 17:40:13 +0100
Subject: [PATCH 04/80] add bundle:docker-ce
---
 bundles/docker-ce/items.py | 11 ++++++
 bundles/docker-ce/metadata.py | 15 ++++++++
 bundles/nftables/metadata.py | 2 +-
 data/apt/files/gpg-keys/docker.asc | 62 ++++++++++++++++++++++++++++++
 4 files changed, 89 insertions(+), 1 deletion(-)
 create mode 100644 bundles/docker-ce/items.py
 create mode 100644 bundles/docker-ce/metadata.py
 create mode 100644 data/apt/files/gpg-keys/docker.asc
diff --git a/bundles/docker-ce/items.py b/bundles/docker-ce/items.py
new file mode 100644
index 0000000..bf56b1c
--- /dev/null
+++ b/bundles/docker-ce/items.py
@@ -0,0 +1,11 @@
+from bundlewrap.metadata import metadata_to_json
+
+files['/etc/docker/daemon.json'] = {
+    'content': metadata_to_json({
+        'iptables': False,
+    }),
+    'before': {
+        'pkg_apt:docker-ce',
+        'pkg_apt:docker-ce-cli',
+    }
+}
diff --git a/bundles/docker-ce/metadata.py b/bundles/docker-ce/metadata.py
new file mode 100644
index 0000000..a7d0c98
--- /dev/null
+++ b/bundles/docker-ce/metadata.py
@@ -0,0 +1,15 @@
+defaults = {
+    'apt': {
+        'repos': {
+            'docker': {
+                'items': {
+                    'deb https://download.docker.com/linux/debian {os_release} stable',
+                },
+            },
+        },
+        'packages': {
+            'docker-ce': {},
+            'docker-ce-cli': {},
+        },
+    },
+}
diff --git a/bundles/nftables/metadata.py b/bundles/nftables/metadata.py
index 08396ce..06faaf0 100644
--- a/bundles/nftables/metadata.py
+++ b/bundles/nftables/metadata.py
@@ -25,7 +25,7 @@ defaults = {
     },
 }
 
-if not node.has_bundle('vmhost'):
+if not node.has_bundle('vmhost') and not node.has_bundle('docker-ce'):
     # see comment in bundles/vmhost/items.py
     defaults['apt']['packages']['iptables'] = {
         'installed': False,
diff --git a/data/apt/files/gpg-keys/docker.asc b/data/apt/files/gpg-keys/docker.asc
new file mode 100644
index 0000000..ee7872e
--- /dev/null
+++ b/data/apt/files/gpg-keys/docker.asc
@@ -0,0 +1,62 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- + +mQINBFit2ioBEADhWpZ8/wvZ6hUTiXOwQHXMAlaFHcPH9hAtr4F1y2+OYdbtMuth +lqqwp028AqyY+PRfVMtSYMbjuQuu5byyKR01BbqYhuS3jtqQmljZ/bJvXqnmiVXh +38UuLa+z077PxyxQhu5BbqntTPQMfiyqEiU+BKbq2WmANUKQf+1AmZY/IruOXbnq +L4C1+gJ8vfmXQt99npCaxEjaNRVYfOS8QcixNzHUYnb6emjlANyEVlZzeqo7XKl7 +UrwV5inawTSzWNvtjEjj4nJL8NsLwscpLPQUhTQ+7BbQXAwAmeHCUTQIvvWXqw0N +cmhh4HgeQscQHYgOJjjDVfoY5MucvglbIgCqfzAHW9jxmRL4qbMZj+b1XoePEtht +ku4bIQN1X5P07fNWzlgaRL5Z4POXDDZTlIQ/El58j9kp4bnWRCJW0lya+f8ocodo +vZZ+Doi+fy4D5ZGrL4XEcIQP/Lv5uFyf+kQtl/94VFYVJOleAv8W92KdgDkhTcTD +G7c0tIkVEKNUq48b3aQ64NOZQW7fVjfoKwEZdOqPE72Pa45jrZzvUFxSpdiNk2tZ +XYukHjlxxEgBdC/J3cMMNRE1F4NCA3ApfV1Y7/hTeOnmDuDYwr9/obA8t016Yljj +q5rdkywPf4JF8mXUW5eCN1vAFHxeg9ZWemhBtQmGxXnw9M+z6hWwc6ahmwARAQAB +tCtEb2NrZXIgUmVsZWFzZSAoQ0UgZGViKSA8ZG9ja2VyQGRvY2tlci5jb20+iQI3 +BBMBCgAhBQJYrefAAhsvBQsJCAcDBRUKCQgLBRYCAwEAAh4BAheAAAoJEI2BgDwO +v82IsskP/iQZo68flDQmNvn8X5XTd6RRaUH33kXYXquT6NkHJciS7E2gTJmqvMqd +tI4mNYHCSEYxI5qrcYV5YqX9P6+Ko+vozo4nseUQLPH/ATQ4qL0Zok+1jkag3Lgk +jonyUf9bwtWxFp05HC3GMHPhhcUSexCxQLQvnFWXD2sWLKivHp2fT8QbRGeZ+d3m +6fqcd5Fu7pxsqm0EUDK5NL+nPIgYhN+auTrhgzhK1CShfGccM/wfRlei9Utz6p9P +XRKIlWnXtT4qNGZNTN0tR+NLG/6Bqd8OYBaFAUcue/w1VW6JQ2VGYZHnZu9S8LMc +FYBa5Ig9PxwGQOgq6RDKDbV+PqTQT5EFMeR1mrjckk4DQJjbxeMZbiNMG5kGECA8 +g383P3elhn03WGbEEa4MNc3Z4+7c236QI3xWJfNPdUbXRaAwhy/6rTSFbzwKB0Jm +ebwzQfwjQY6f55MiI/RqDCyuPj3r3jyVRkK86pQKBAJwFHyqj9KaKXMZjfVnowLh +9svIGfNbGHpucATqREvUHuQbNnqkCx8VVhtYkhDb9fEP2xBu5VvHbR+3nfVhMut5 +G34Ct5RS7Jt6LIfFdtcn8CaSas/l1HbiGeRgc70X/9aYx/V/CEJv0lIe8gP6uDoW +FPIZ7d6vH+Vro6xuWEGiuMaiznap2KhZmpkgfupyFmplh0s6knymuQINBFit2ioB +EADneL9S9m4vhU3blaRjVUUyJ7b/qTjcSylvCH5XUE6R2k+ckEZjfAMZPLpO+/tF +M2JIJMD4SifKuS3xck9KtZGCufGmcwiLQRzeHF7vJUKrLD5RTkNi23ydvWZgPjtx +Q+DTT1Zcn7BrQFY6FgnRoUVIxwtdw1bMY/89rsFgS5wwuMESd3Q2RYgb7EOFOpnu +w6da7WakWf4IhnF5nsNYGDVaIHzpiqCl+uTbf1epCjrOlIzkZ3Z3Yk5CM/TiFzPk +z2lLz89cpD8U+NtCsfagWWfjd2U3jDapgH+7nQnCEWpROtzaKHG6lA3pXdix5zG8 
+eRc6/0IbUSWvfjKxLLPfNeCS2pCL3IeEI5nothEEYdQH6szpLog79xB9dVnJyKJb +VfxXnseoYqVrRz2VVbUI5Blwm6B40E3eGVfUQWiux54DspyVMMk41Mx7QJ3iynIa +1N4ZAqVMAEruyXTRTxc9XW0tYhDMA/1GYvz0EmFpm8LzTHA6sFVtPm/ZlNCX6P1X +zJwrv7DSQKD6GGlBQUX+OeEJ8tTkkf8QTJSPUdh8P8YxDFS5EOGAvhhpMBYD42kQ +pqXjEC+XcycTvGI7impgv9PDY1RCC1zkBjKPa120rNhv/hkVk/YhuGoajoHyy4h7 +ZQopdcMtpN2dgmhEegny9JCSwxfQmQ0zK0g7m6SHiKMwjwARAQABiQQ+BBgBCAAJ +BQJYrdoqAhsCAikJEI2BgDwOv82IwV0gBBkBCAAGBQJYrdoqAAoJEH6gqcPyc/zY +1WAP/2wJ+R0gE6qsce3rjaIz58PJmc8goKrir5hnElWhPgbq7cYIsW5qiFyLhkdp +YcMmhD9mRiPpQn6Ya2w3e3B8zfIVKipbMBnke/ytZ9M7qHmDCcjoiSmwEXN3wKYI +mD9VHONsl/CG1rU9Isw1jtB5g1YxuBA7M/m36XN6x2u+NtNMDB9P56yc4gfsZVES +KA9v+yY2/l45L8d/WUkUi0YXomn6hyBGI7JrBLq0CX37GEYP6O9rrKipfz73XfO7 +JIGzOKZlljb/D9RX/g7nRbCn+3EtH7xnk+TK/50euEKw8SMUg147sJTcpQmv6UzZ +cM4JgL0HbHVCojV4C/plELwMddALOFeYQzTif6sMRPf+3DSj8frbInjChC3yOLy0 +6br92KFom17EIj2CAcoeq7UPhi2oouYBwPxh5ytdehJkoo+sN7RIWua6P2WSmon5 +U888cSylXC0+ADFdgLX9K2zrDVYUG1vo8CX0vzxFBaHwN6Px26fhIT1/hYUHQR1z +VfNDcyQmXqkOnZvvoMfz/Q0s9BhFJ/zU6AgQbIZE/hm1spsfgvtsD1frZfygXJ9f +irP+MSAI80xHSf91qSRZOj4Pl3ZJNbq4yYxv0b1pkMqeGdjdCYhLU+LZ4wbQmpCk +SVe2prlLureigXtmZfkqevRz7FrIZiu9ky8wnCAPwC7/zmS18rgP/17bOtL4/iIz +QhxAAoAMWVrGyJivSkjhSGx1uCojsWfsTAm11P7jsruIL61ZzMUVE2aM3Pmj5G+W +9AcZ58Em+1WsVnAXdUR//bMmhyr8wL/G1YO1V3JEJTRdxsSxdYa4deGBBY/Adpsw +24jxhOJR+lsJpqIUeb999+R8euDhRHG9eFO7DRu6weatUJ6suupoDTRWtr/4yGqe +dKxV3qQhNLSnaAzqW/1nA3iUB4k7kCaKZxhdhDbClf9P37qaRW467BLCVO/coL3y +Vm50dwdrNtKpMBh3ZpbB1uJvgi9mXtyBOMJ3v8RZeDzFiG8HdCtg9RvIt/AIFoHR +H3S+U79NT6i0KPzLImDfs8T7RlpyuMc4Ufs8ggyg9v3Ae6cN3eQyxcK3w0cbBwsh +/nQNfsA6uu+9H7NhbehBMhYnpNZyrHzCmzyXkauwRAqoCbGCNykTRwsur9gS41TQ +M8ssD1jFheOJf3hODnkKU+HKjvMROl1DK7zdmLdNzA1cvtZH/nCC9KPj1z8QC47S +xx+dTZSx4ONAhwbS/LN3PoKtn8LPjY9NP9uDWI+TWYquS2U+KHDrBDlsgozDbs/O +jCxcpDzNmXpWQHEtHU7649OXHP7UeNST1mCUCH5qdank0V1iejF6/CfTFU4MfcrG +YT90qFF93M3v01BbxP+EIY2/9tiIPbrd +=0YYh +-----END PGP PUBLIC KEY BLOCK----- From e29f67a935bcb873d25f1623072dd10c89230181 Mon Sep 17 00:00:00 2001 
From: Franziska Kunsmann
Date: Sat, 24 Dec 2022 17:41:27 +0100
Subject: [PATCH 05/80] add bundle:woodpecker-agent
---
 .../files/woodpecker-agent.service | 42 ++++++++++++++++++
 bundles/woodpecker-agent/items.py | 43 +++++++++++++++++++
 bundles/woodpecker-agent/metadata.py | 28 ++++++++++++
 nodes/woodpecker-agent-1.toml | 24 +++++++++++
 4 files changed, 137 insertions(+)
 create mode 100644 bundles/woodpecker-agent/files/woodpecker-agent.service
 create mode 100644 bundles/woodpecker-agent/items.py
 create mode 100644 bundles/woodpecker-agent/metadata.py
 create mode 100644 nodes/woodpecker-agent-1.toml
diff --git a/bundles/woodpecker-agent/files/woodpecker-agent.service b/bundles/woodpecker-agent/files/woodpecker-agent.service
new file mode 100644
index 0000000..096a891
--- /dev/null
+++ b/bundles/woodpecker-agent/files/woodpecker-agent.service
@@ -0,0 +1,42 @@
+[Unit]
+Description=woodpecker ci agent
+After=syslog.target
+After=network.target
+
+[Service]
+RestartSec=2s
+Type=simple
+User=woodpecker
+Group=woodpecker
+WorkingDirectory=/var/lib/woodpecker
+ExecStart=/usr/local/bin/woodpecker-agent
+Restart=always
+ReadWritePaths=/var/lib/woodpecker
+CapabilityBoundingSet=
+NoNewPrivileges=true
+ProtectSystem=strict
+ProtectHome=true
+PrivateTmp=true
+PrivateDevices=true
+PrivateUsers=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+LockPersonality=true
+MemoryDenyWriteExecute=true
+RestrictRealtime=true
+RestrictSUIDSGID=true
+PrivateMounts=true
+SystemCallArchitectures=native
+SystemCallFilter=~@clock @cpu-emulation @debug @keyring @memlock @module @mount @obsolete @raw-io @reboot @setuid @swap
+
+% for k, v in sorted(env.items()):
+Environment=${k}=${v}
+% endfor
+
+[Install]
+WantedBy=multi-user.target
diff --git a/bundles/woodpecker-agent/items.py b/bundles/woodpecker-agent/items.py
new file mode 100644
index 0000000..d33df40
--- /dev/null
+++ b/bundles/woodpecker-agent/items.py
@@ -0,0 +1,43 @@
+version = node.metadata.get('woodpecker-agent/version')
+
+directories['/var/lib/woodpecker'] = {
+    'owner': 'woodpecker',
+}
+
+actions['install_woodpecker-agent'] = {
+    'command': ' && '.join([
+        f'wget -q -O/tmp/woodpecker-agent.deb https://github.com/woodpecker-ci/woodpecker/releases/download/v{version}/woodpecker-agent_{version}_amd64.deb',
+        'dpkg -i /tmp/woodpecker-agent.deb',
+    ]),
+    'unless': f'''bash -c "[[ \"$(woodpecker-agent --version | cut -d' ' -f3)\" == "{version}" ]]"''',
+    'triggers': {i
+        'svc_systemd:woodpecker-agent:restart',
+    },
+}
+
+files['/usr/local/lib/systemd/system/woodpecker-agent.service'] = {
+    'content_type': 'mako',
+    'context': {
+        'env': node.metadata.get('woodpecker-agent/environment'),
+    },
+    'triggers': {
+        'action:systemd-reload',
+        'svc_systemd:woodpecker-agent:restart',
+    },
+}
+
+svc_systemd['woodpecker-agent'] = {
+    'after': {
+        # to make sure we have docker and other eventual dependencies
+        'pkg_apt:',
+    },
+    'needs': {
+        'action:install_woodpecker-agent',
+        'file:/usr/local/lib/systemd/system/woodpecker-agent.service',
+        'user:woodpecker',
+    },
+}
+
+users['woodpecker'] = {
+    'home': '/var/lib/woodpecker',
+}
diff --git a/bundles/woodpecker-agent/metadata.py b/bundles/woodpecker-agent/metadata.py
new file mode 100644
index 0000000..7a78beb
--- /dev/null
+++ b/bundles/woodpecker-agent/metadata.py
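Review bot: `'triggers': {i` in `install_woodpecker-agent` is a syntax error (the stray `i` after the brace), so this items.py does not load as committed; patch 09 later in the series removes it, but it belongs in this commit. The installer also downloads the .deb and runs `dpkg -i` without any checksum, exactly like bundles/woodpecker-server/items.py, and should verify a pinned digest the same way. Nothing in this bundle grants the `woodpecker` user access to the Docker daemon that patch 04 installs on the same node; if that is done out of band (for example via the `docker` group), record in a comment that socket access is root-equivalent on the host, so the sandboxing in woodpecker-agent.service does not contain a compromised agent or pipeline.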
@@ -0,0 +1,28 @@
+@metadata_reactor.provides(
+    'woodpecker-agent/environment',
+    'woodpecker-agent/version',
+)
+def nginx(metadata):
+    env = {}
+    server = repo.get_node(metadata.get('woodpecker-agent/server'))
+
+    domain = server.metadata.get('woodpecker-server/domain')
+    port = server.metadata.get('woodpecker-server/environment/WOODPECKER_GRPC_ADDR')
+    env['WOODPECKER_SERVER'] = f'{domain}{port}'
+
+    env['WOODPECKER_AGENT_SECRET'] = server.metadata.get('woodpecker-server/environment/WOODPECKER_AGENT_SECRET')
+
+    env['WOODPECKER_MAX_PROCS'] = int(int(metadata.get('vm/cpu'))/2)
+
+    env['WOODPECKER_HOSTNAME'] = metadata.get('hostname')
+
+    debug = server.metadata.get('woodpecker-server/environment/GODEBUG', None)
+    if debug:
+        env['GODEBUG'] = debug
+
+    return {
+        'woodpecker-agent': {
+            'environment': env,
+            'version': server.metadata.get('woodpecker-server/version'),
+        },
+    }
diff --git a/nodes/woodpecker-agent-1.toml b/nodes/woodpecker-agent-1.toml
new file mode 100644
index 0000000..d2d6c60
--- /dev/null
+++ b/nodes/woodpecker-agent-1.toml
@@ -0,0 +1,24 @@
+hostname = "31.47.232.108"
+bundles = [
+    "docker-ce",
+    "woodpecker-agent",
+]
+groups = ["debian-bullseye"]
+
+[metadata.backups]
+exclude_from_backups = true
+
+[metadata.interfaces.enp1s0]
+ips = [
+    "31.47.232.108/29",
+    "2a00:f820:528::5/64",
+]
+gateway4 = "31.47.232.105"
+gateway6 = "2a00:f820:528::1"
+
+[metadata.woodpecker-agent]
+server = "rx300"
+
+[metadata.vm]
+cpu = 8
+ram = 16
From 06b21998d8de4522293074075e0ef6da8cc28fb7 Mon Sep 17 00:00:00 2001
From: Franziska Kunsmann
Date: Sat, 24 Dec 2022 17:58:06 +0100
Subject: [PATCH 06/80] try running the test pipeline in woodpecker
---
 .woodpecker/bw-test.yml | 23 +++++++++++++++++++++++
 .woodpecker/editorconfig.yml | 8 ++++++++
 2 files changed, 31 insertions(+)
 create mode 100644 .woodpecker/bw-test.yml
 create mode 100644 .woodpecker/editorconfig.yml
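Review bot: `env['WOODPECKER_SERVER'] = f'{domain}{port}'` points the agent at the server's bare gRPC listener (`WOODPECKER_GRPC_ADDR` is `:22101`, and the server bundle puts TLS only in front of the HTTP vhost), so the agent secret copied into `WOODPECKER_AGENT_SECRET` and everything the pipelines exchange cross the network in clear between the agent host (31.47.232.108 in nodes/woodpecker-agent-1.toml) and rx300. Put the gRPC port behind a TLS-terminating proxy or a tunnel and enable TLS on the agent side (`WOODPECKER_GRPC_SECURE`, if this version supports it), or at minimum add a comment recording that the link is unencrypted and which secrets traverse it. The reactor is named `nginx` although it builds the agent environment (patch 10 renames it to `environment`), and `int(int(metadata.get('vm/cpu'))/2)` reads better as `int(metadata.get('vm/cpu')) // 2`.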
diff --git a/.woodpecker/bw-test.yml b/.woodpecker/bw-test.yml
new file mode 100644
index 0000000..efa4e3d
--- /dev/null
+++ b/.woodpecker/bw-test.yml
@@ -0,0 +1,23 @@
+pipeline:
+  install-deps:
+    image: python:3.10-slim
+    commands:
+      - pip install -r requirements.txt
+
+  test-dummymode:
+    image: python:3.10-slim
+    commands:
+      - bw test
+    environment:
+      BW_VAULT_DUMMY_MODE: 1
+      BW_PASS_DUMMY_MODE: 1
+
+  test-ignore-missing-faults:
+    image: python:3.10-slim
+    commands:
+      - bw test --ignore-missing-faults
+
+  test-determinism:
+    image: python:3.10-slim
+    commands:
+      - bw test --metadata-determinism 3 --config-determinism 3
diff --git a/.woodpecker/editorconfig.yml b/.woodpecker/editorconfig.yml
new file mode 100644
index 0000000..6bac4f8
--- /dev/null
+++ b/.woodpecker/editorconfig.yml
@@ -0,0 +1,8 @@
+pipeline:
+  editorconfig:
+    image: alpine:latest
+    pipeline:
+      - wget -O ec-linux-amd64.tar.gz https://github.com/editorconfig-checker/editorconfig-checker/releases/latest/download/ec-linux-amd64.tar.gz
+      - tar -xzf ec-linux-amd64.tar.gz
+      - rm ec-linux-amd64.tar.gz
+      - bin/ec-linux-amd64 -no-color -exclude '^bin/'
From e1ac047810dcc7591533b215212e6a377ae12f46 Mon Sep 17 00:00:00 2001
From: Franziska Kunsmann
Date: Sat, 24 Dec 2022 17:59:38 +0100
Subject: [PATCH 07/80] ci: determinism tests need to run using dummy mode
---
 .woodpecker/bw-test.yml | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/.woodpecker/bw-test.yml b/.woodpecker/bw-test.yml
index efa4e3d..5990f05 100644
--- a/.woodpecker/bw-test.yml
+++ b/.woodpecker/bw-test.yml
@@ -21,3 +21,6 @@ pipeline:
     image: python:3.10-slim
     commands:
       - bw test --metadata-determinism 3 --config-determinism 3
+    environment:
+      BW_VAULT_DUMMY_MODE: 1
+      BW_PASS_DUMMY_MODE: 1
From 0fea0a1c77b43b06f7d2d8e60ee19aa862462e67 Mon Sep 17 00:00:00 2001
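Review bot: `install-deps` runs `pip install -r requirements.txt` in its own `python:3.10-slim` container, but every step starts from a fresh container and only the workspace is carried over, so `bw` is most likely not installed when `test-dummymode` and the later steps run. Either prepend `- pip install -r requirements.txt` to each step's `commands` or collapse the four steps into one. This assumes the default per-step container model; if the agent is configured to persist installed packages some other way, the note does not apply.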
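Review bot: The `editorconfig` step downloads `releases/latest/download/ec-linux-amd64.tar.gz` — an unpinned binary that is then executed on every run with no integrity check, so any change to or compromise of that release asset flows straight into CI. Pin a release tag in the URL and verify the archive before unpacking, e.g. `- echo '<sha256 placeholder>  ec-linux-amd64.tar.gz' | sha256sum -c` ahead of `tar -xzf`, or use a versioned image that already ships the checker. The key `pipeline:` under the step should be `commands:` (patch 08 fixes this), so the step does not run at all as committed.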
From: Franziska Kunsmann
Date: Sat, 24 Dec 2022 18:05:35 +0100
Subject: [PATCH 08/80] ci: fix editorconfig
---
 .woodpecker/editorconfig.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.woodpecker/editorconfig.yml b/.woodpecker/editorconfig.yml
index 6bac4f8..201004f 100644
--- a/.woodpecker/editorconfig.yml
+++ b/.woodpecker/editorconfig.yml
@@ -1,7 +1,7 @@
 pipeline:
   editorconfig:
     image: alpine:latest
-    pipeline:
+    commands:
       - wget -O ec-linux-amd64.tar.gz https://github.com/editorconfig-checker/editorconfig-checker/releases/latest/download/ec-linux-amd64.tar.gz
       - tar -xzf ec-linux-amd64.tar.gz
       - rm ec-linux-amd64.tar.gz
From cd418da02447a7b860bb9b527a64995b300acd7c Mon Sep 17 00:00:00 2001
From: Franziska Kunsmann
Date: Sat, 24 Dec 2022 18:22:29 +0100
Subject: [PATCH 09/80] bundles/docker-ce: add nftables rules
---
 bundles/docker-ce/metadata.py | 26 ++++++++++++++++++++++++++
 bundles/woodpecker-agent/items.py | 2 +-
 2 files changed, 27 insertions(+), 1 deletion(-)
diff --git a/bundles/docker-ce/metadata.py b/bundles/docker-ce/metadata.py
index a7d0c98..1315d1c 100644
--- a/bundles/docker-ce/metadata.py
+++ b/bundles/docker-ce/metadata.py
@@ -12,4 +12,30 @@ defaults = {
             'docker-ce-cli': {},
         },
     },
+    'nftables': {
+        'rules': {
+            '00-docker-ce': {
+                'inet filter forward ct state { related, established } accept',
+                'inet filter forward iifname docker0 accept',
+            },
+        },
+    },
 }
+
+
+@metadata_reactor.provides(
+    'nftables/rules/00-docker-ce',
+)
+def nftables_nat(metadata):
+    rules = set()
+
+    for iface in metadata.get('interfaces'):
+        rules.add(f'nat postrouting oifname {iface} masquerade')
+
+    return {
+        'nftables': {
+            'rules': {
+                '00-docker-ce': rules,
+            },
+        },
+    }
diff --git a/bundles/woodpecker-agent/items.py b/bundles/woodpecker-agent/items.py
index d33df40..01e30e4 100644
--- a/bundles/woodpecker-agent/items.py
+++ b/bundles/woodpecker-agent/items.py
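Review bot: `inet filter forward iifname docker0 accept`, combined with the masquerade rule `nftables_nat` emits for every entry of `interfaces`, gives each CI container unrestricted egress to anything the host can reach, and because patch 04 sets `iptables: False` in daemon.json Docker adds no isolation of its own; on the agent node that means a pipeline from any self-registered forge user (`WOODPECKER_OPEN` on the server) can reach the host's other services and any internal networks it is attached to. Narrow the accept to the uplink and new flows only, for example generating `f'inet filter forward iifname docker0 oifname {iface} ct state new accept'` in the same loop instead of the blanket rule, and add explicit drops for the host's own addresses if containers must not talk to host services. If unrestricted forwarding is intentional, a comment on `'00-docker-ce'` saying so would save the next reader the analysis. `nftables_nat` would also masquerade `docker0` onto itself if that interface is ever listed in `interfaces`; skipping it in the loop is cheap insurance.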
@@ -10,7 +10,7 @@ actions['install_woodpecker-agent'] = { 'dpkg -i /tmp/woodpecker-agent.deb', ]), 'unless': f'''bash -c "[[ \"$(woodpecker-agent --version | cut -d' ' -f3)\" == "{version}" ]]"''', - 'triggers': {i + 'triggers': { 'svc_systemd:woodpecker-agent:restart', }, } From 2914f463ff04524963b817935e76b9cc751ff51e Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 25 Dec 2022 08:25:00 +0100 Subject: [PATCH 10/80] bundles/woodpecker-agent: fix metadata reactor --- bundles/woodpecker-agent/metadata.py | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/bundles/woodpecker-agent/metadata.py b/bundles/woodpecker-agent/metadata.py index 7a78beb..5d2ff88 100644 --- a/bundles/woodpecker-agent/metadata.py +++ b/bundles/woodpecker-agent/metadata.py @@ -2,7 +2,7 @@ 'woodpecker-agent/environment', 'woodpecker-agent/version', ) -def nginx(metadata): +def environment(metadata): env = {} server = repo.get_node(metadata.get('woodpecker-agent/server')) @@ -16,6 +16,8 @@ def nginx(metadata): env['WOODPECKER_HOSTNAME'] = metadata.get('hostname') + env['WOODPECKER_LOG_LEVEL'] = server.metadata.get('woodpecker-server/environment/WOODPECKER_LOG_LEVEL') + debug = server.metadata.get('woodpecker-server/environment/GODEBUG', None) if debug: env['GODEBUG'] = debug From 82143e34ad4ffb024ea61f707771c1da1882bdfe Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Tue, 27 Dec 2022 13:38:39 +0100 Subject: [PATCH 11/80] update travelynx to 1.28.5 --- nodes/rx300.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nodes/rx300.py b/nodes/rx300.py index 869efa0..17fa30e 100644 --- a/nodes/rx300.py +++ b/nodes/rx300.py @@ -521,7 +521,7 @@ nodes['rx300'] = { }, }, 'travelynx': { - 'version': '1.23.12', + 'version': '1.28.5', 'mail_from': 'travelynx@franzi.business', 'domain': 'travelynx.franzi.business', }, From 070b466abe1baa857b76001e26ac93bacda4fc86 Mon Sep 17 00:00:00 2001 
From: Franziska Kunsmann Date: Tue, 27 Dec 2022 13:38:53 +0100 Subject: [PATCH 12/80] bundles/travelynx: update bundle for new version --- bundles/travelynx/files/travelynx.conf | 25 +++++++------------------ bundles/travelynx/items.py | 6 +++--- 2 files changed, 10 insertions(+), 21 deletions(-) diff --git a/bundles/travelynx/files/travelynx.conf b/bundles/travelynx/files/travelynx.conf index bc8e128..7787d8b 100644 --- a/bundles/travelynx/files/travelynx.conf +++ b/bundles/travelynx/files/travelynx.conf @@ -5,15 +5,13 @@ # 'localhost'. { - # Cache directories for schedule and realtime data. Mandatory. The parent - # directory ('/var/cache/travelynx' in this case) must already exist. + base_url => Mojo::URL->new('https://${domain}'), + cache => { schedule => '/var/cache/travelynx/iris', realtime => '/var/cache/travelynx/iris-rt', }, - # Database configuration. host and port are optional - # (defaulting to localhost:5432), the rest is mandatory. db => { host => '${database.get('host', 'localhost')}', port => 5432, @@ -22,8 +20,6 @@ password => '${database['password']}', }, - # See the Mojo::Server::Hypnotoad manual for details on the following - # settings. hypnotoad => { accepts => 100, clients => 10, 
@@ -34,21 +30,14 @@ }, mail => { - # If you want to disable outgoing mail for development purposes, - # uncomment the following line. Mails will instead be logged as - # Mojolicious "info" messages, causing their content to be printed on - # stdout. - ## disabled => 1, - - # Otherwise, specify the sender ("From" field) for mail sent by travelynx - # here. E.g. 'Travelynx ' from => '${mail_from}', }, - # Secrets used for cookie signing and verification. Must contain at least - # one random string. If you specify several strings, the first one will - # be used for signing new cookies, and the remaining ones will still be - # accepted for cookie validation. + ref => { + issues => 'https://github.com/derf/travelynx/issues', + source => 'https://github.com/derf/travelynx', + }, + secrets => [ '${cookie_secret}', ], diff --git a/bundles/travelynx/items.py b/bundles/travelynx/items.py index dda92cf..5463a1b 100644 --- a/bundles/travelynx/items.py +++ b/bundles/travelynx/items.py @@ -36,7 +36,7 @@ files = { }, '/opt/travelynx/travelynx.conf': { 'content_type': 'mako', - 'context': node.metadata['travelynx'], + 'context': node.metadata.get('travelynx'), 'needs': { 'git_deploy:/opt/travelynx', }, @@ -61,7 +61,7 @@ if isfile(join(repo.path, 'data', 'travelynx', 'files', 'imprint', node.name)): git_deploy = { '/opt/travelynx': { 'repo': 'https://github.com/derf/travelynx.git', - 'rev': node.metadata['travelynx']['version'], + 'rev': node.metadata.get('travelynx/version'), 'needs': { 'directory:/opt/travelynx', }, @@ -84,7 +84,7 @@ actions = { 'triggered': True, }, 'travelynx_database_migrate': { - 'command': 'cd /opt/travelynx && perl index.pl database migrate', + 'command': 'export PERL5LIB=/opt/travelynx/local/lib/perl5; cd /opt/travelynx && perl index.pl database migrate', # Because git_deploy does not put .git onto the server, the script # will complain on STDERR about not finding a git repository. # That's why we need to redirect stderr to /dev/null. 
From c04ce63c35e85ea3fff2d24f21c064f71eeda2da Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Thu, 29 Dec 2022 13:45:06 +0100 Subject: [PATCH 13/80] bundles/arch-with-gui: more packages via bundle, less via nodefile --- bundles/arch-with-gui/metadata.py | 17 +++++++++++++++-- nodes/fkusei-locutus.py | 6 ------ nodes/kunsi-p14s.py | 10 ---------- 3 files changed, 15 insertions(+), 18 deletions(-) diff --git a/bundles/arch-with-gui/metadata.py b/bundles/arch-with-gui/metadata.py index 869a7f9..4666cca 100644 --- a/bundles/arch-with-gui/metadata.py +++ b/bundles/arch-with-gui/metadata.py @@ -38,9 +38,14 @@ defaults = { 'rofi': {}, # sound + 'calf': {}, + 'easyeffects': {}, + 'lsp-plugins': {}, 'pavucontrol': {}, - 'pulseaudio': {}, - 'pulseaudio-zeroconf': {}, + 'pipewire': {}, + 'pipewire-jack': {}, + 'pipewire-pulse': {}, + 'qpwgraph': {}, # window management 'i3-wm': {}, @@ -53,6 +58,7 @@ defaults = { # Xorg 'xf86-input-libinput': {}, + 'xf86-input-wacom': {}, 'xorg-server': {}, 'xorg-setxkbmap': {}, 'xorg-xev': {}, @@ -62,20 +68,27 @@ defaults = { # all them apps 'browserpass': {}, 'browserpass-firefox': {}, + 'ffmpeg': {}, 'firefox': {}, 'gimp': {}, + 'imagemagick': {}, 'inkscape': {}, + 'kdenlive': {}, 'maim': {}, 'mosh': {}, + 'mosquitto': {}, 'mpv': {}, 'pass': {}, 'pass-otp': {}, 'pdftk': {}, 'pwgen': {}, 'qpdfview': {}, + 'samba': {}, + 'shotcut': {}, 'sipcalc': {}, 'the_silver_searcher': {}, 'tlp': {}, + 'virt-manager': {}, 'xclip': {}, 'xdotool': {}, # needed for maim window selection }, diff --git a/nodes/fkusei-locutus.py b/nodes/fkusei-locutus.py index 7340a46..397e851 100644 --- a/nodes/fkusei-locutus.py +++ b/nodes/fkusei-locutus.py 
@@ -76,18 +76,12 @@ nodes['fkusei-locutus'] = {
 # video drivers
 'xf86-video-intel': {},
- # for i3pystatus
- 'iw': {},
- 'wireless_tools': {},
-
 # all that other random stuff one needs
 'apachedirectorystudio': {},
 'direnv': {},
 'freerdp': {},
- 'mosquitto': {},
 'sdl_ttf': {}, # for compiling testcard
 'thermald': {},
- 'virt-manager': {},
 },
 },
 'systemd-boot': {
diff --git a/nodes/kunsi-p14s.py b/nodes/kunsi-p14s.py
index 8952f4d..3174722 100644
--- a/nodes/kunsi-p14s.py
+++ b/nodes/kunsi-p14s.py
@@ -96,25 +96,15 @@ nodes['kunsi-p14s'] = {
 'mesa-vdpau': {},
 'xf86-video-amdgpu': {},
- # for i3pystatus
- 'iw': {},
- 'wireless_tools': {},
-
 # all that other random stuff one needs
 'abcde': {},
 'apachedirectorystudio': {},
 'claws-mail': {},
 'claws-mail-themes': {},
 'ferdi-bin': {},
- 'ffmpeg': {},
 'gumbo-parser': {}, # for claws litehtml
- 'imagemagick': {},
- 'inkscape': {},
- 'mosquitto': {},
 'perl-musicbrainz-discid': {}, # for abcde
 'perl-webservice-musicbrainz': {}, # for abcde
- 'samba': {},
- 'xf86-input-wacom': {},
 },
 },
 'sysctl': {
From 970d97b0a2adb0ea7912aeea4e7504b585b17323 Mon Sep 17 00:00:00 2001
From: Franziska Kunsmann
Date: Fri, 30 Dec 2022 20:35:05 +0100
Subject: [PATCH 14/80] nodes/home.wled-wohnzimmer: new mac address
---
 nodes/home.wled-wohnzimmer.toml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/nodes/home.wled-wohnzimmer.toml b/nodes/home.wled-wohnzimmer.toml
index 42b7212..c032230 100644
--- a/nodes/home.wled-wohnzimmer.toml
+++ b/nodes/home.wled-wohnzimmer.toml
@@ -3,7 +3,7 @@ dummy = true
 [metadata.interfaces.default]
 ips = ["172.19.138.70"]
 dhcp = true
-mac = "3c:61:05:d0:ba:1a"
+mac = "3c:61:05:d0:f2:b9"
 [metadata.icinga_options]
 exclude_from_monitoring = true
From c94aef55a5644918c4f873a5d8b48a93ba631523 Mon Sep 17 00:00:00 2001
From: Franziska Kunsmann Date: Sat, 31 Dec 2022 16:33:10 +0100 Subject: [PATCH 15/80] bundles/dovecot: enable sieve logging --- bundles/dovecot/files/dovecot.conf | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/bundles/dovecot/files/dovecot.conf b/bundles/dovecot/files/dovecot.conf index 885b36a..9a294aa 100644 --- a/bundles/dovecot/files/dovecot.conf +++ b/bundles/dovecot/files/dovecot.conf @@ -46,11 +46,12 @@ plugin { zlib_save_level = 6 zlib_save = gz - sieve_plugins = sieve_imapsieve sieve_extprograms - sieve_dir = /var/mail/vmail/sieve/%d/%n/ sieve = /var/mail/vmail/sieve/%d/%n.sieve - sieve_pipe_bin_dir = /var/mail/vmail/sieve/bin + sieve_dir = /var/mail/vmail/sieve/%d/%n/ sieve_extensions = +vnd.dovecot.pipe + sieve_pipe_bin_dir = /var/mail/vmail/sieve/bin + sieve_plugins = sieve_imapsieve sieve_extprograms + sieve_user_log = /var/mail/vmail/sieve/%d/%n.log old_stats_refresh = 30 secs old_stats_track_cmds = yes From 7ee2d0800788b657f81f61537a46e4c0fb13081c Mon Sep 17 00:00:00 2001 From: Sophie Schiller Date: Thu, 19 Jan 2023 17:53:32 +0100 Subject: [PATCH 16/80] element-web update --- nodes/htz-cloud/miniserver.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nodes/htz-cloud/miniserver.py b/nodes/htz-cloud/miniserver.py index 633567a..28eb942 100644 --- a/nodes/htz-cloud/miniserver.py +++ b/nodes/htz-cloud/miniserver.py @@ -62,7 +62,7 @@ nodes['htz-cloud.miniserver'] = { }, 'element-web': { 'url': 'chat.sophies-kitchen.eu', - 'version': 'v1.11.17', + 'version': 'v1.11.19', 'config': { 'default_server_config': { 'm.homeserver': { From e393f3cc3c5de0b591dcf3673983c59f492289a3 Mon Sep 17 00:00:00 2001 From: Sophie Schiller Date: Fri, 27 Jan 2023 20:35:49 +0100 Subject: [PATCH 17/80] htz-cloud/miniserver element-web update --- nodes/htz-cloud/miniserver.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nodes/htz-cloud/miniserver.py b/nodes/htz-cloud/miniserver.py index 28eb942..2def17e 100644 
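Review bot: The new `sieve_user_log = /var/mail/vmail/sieve/%d/%n.log` puts a per-user log next to `%n.sieve` in the per-domain directory, and nothing in this hunk bounds or rotates it, so a user script that errors on every delivery would keep growing that file inside the mail tree. Worth confirming that either Pigeonhole's own truncation of the user log applies here or that the host's logrotate covers `/var/mail/vmail/sieve/*/*.log`, and recording whichever is the case in a comment such as `# per-user sieve error log; rotated by <MECHANISM>` (placeholder). Reordering the other `sieve_*` keys alphabetically is fine. The `plugin {` block continues outside the hunk.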
--- a/nodes/htz-cloud/miniserver.py
+++ b/nodes/htz-cloud/miniserver.py
@@ -62,7 +62,7 @@ nodes['htz-cloud.miniserver'] = {
 },
 'element-web': {
 'url': 'chat.sophies-kitchen.eu',
- 'version': 'v1.11.19',
+ 'version': 'v1.11.20',
 'config': {
 'default_server_config': {
 'm.homeserver': {
From 446e0d057e4f426f4843655017dd9d6d257961a6 Mon Sep 17 00:00:00 2001
From: Franziska Kunsmann
Date: Thu, 5 Jan 2023 07:15:20 +0100
Subject: [PATCH 18/80] update travelynx to 1.29.4
---
 nodes/rx300.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/nodes/rx300.py b/nodes/rx300.py
index 17fa30e..c2befe4 100644
--- a/nodes/rx300.py
+++ b/nodes/rx300.py
@@ -521,7 +521,7 @@ nodes['rx300'] = {
 },
 },
 'travelynx': {
- 'version': '1.28.5',
+ 'version': '1.29.4',
 'mail_from': 'travelynx@franzi.business',
 'domain': 'travelynx.franzi.business',
 },
From 5ed4c1e9bd8f978ef68c1d3f59a0bf64f0b23532 Mon Sep 17 00:00:00 2001
From: Franziska Kunsmann
Date: Thu, 5 Jan 2023 07:16:02 +0100
Subject: [PATCH 19/80] update netbox to 3.4.2
---
 nodes/rx300.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/nodes/rx300.py b/nodes/rx300.py
index c2befe4..56b8d7d 100644
--- a/nodes/rx300.py
+++ b/nodes/rx300.py
@@ -305,7 +305,7 @@ nodes['rx300'] = {
 },
 'netbox': {
 'domain': 'netbox.franzi.business',
- 'version': 'v3.4.1',
+ 'version': 'v3.4.2',
 'changelog_retention_days': 360,
 'admins': {
 'kunsi': 'hostmaster@kunbox.net',
From ba3bf20db706cd41988f2534327bbbef777f0300 Mon Sep 17 00:00:00 2001
From: Franziska Kunsmann
Date: Fri, 27 Jan 2023 19:52:13 +0100
Subject: [PATCH 20/80] new gpg key for influxdb repo
---
 data/apt/files/gpg-keys/influxdb.asc | 75 ++++++++++------------------
 1 file changed, 26 insertions(+), 49 deletions(-)
diff --git a/data/apt/files/gpg-keys/influxdb.asc b/data/apt/files/gpg-keys/influxdb.asc
index c97d593..60aeaf6 100644
--- a/data/apt/files/gpg-keys/influxdb.asc
+++ b/data/apt/files/gpg-keys/influxdb.asc
@@ -1,52 +1,29 @@ -----BEGIN PGP PUBLIC KEY BLOCK----- -Version: GnuPG v1 -mQINBFYJmwQBEADCw7mob8Vzk+DmkYyiv0dTU/xgoSlp4SQwrTzat8MB8jxmx60l -QjmhqEyuB8ho4zzZF9KV+gJWrG6Rj4t69JMTJWM7jFz+0B1PC7kJfNM+VcBmkTnj -fP+KJjqz50ETnsF0kQTG++UJeRYjG1dDK0JQNQJAM6NQpIWJI339lcDf15vzrMnb -OgIlNxV6j1ZZqkle4fvScF1NQxYScRiL+sRgVx92SI4SyD/xZnVGD/szB+4OCzah -+0Q/MnNGV6TtN0RiCDZjIUYiHoeT9iQXEONKf7T62T4zUafO734HyqGvht93MLVU -GQAeuyx0ikGsULfOsJfBmb3XJS9u+16v7oPFt5WIbeyyNuhUu0ocK/PKt5sPYR4u -ouPq6Ls3RY3BGCH9DpokcYsdalo51NMrMdnYwdkeq9MEpsEKrKIN5ke7fk4weamJ -BiLI/bTcfM7Fy5r4ghdI9Ksw/ULXLm4GNabkIOSfT7UjTzcBDOvWfKRBLX4qvsx4 -YzA5kR+nX85u6I7W10aSqBiaLqk6vCj0QmBmCjlSeYqNQqSzH/6OoL6FZ7lP6AiG -F2NyGveJKjugoXlreLEhOYp20F81PNwlRBCAlMC2Q9mpcFu0dtAriVoG4gVDdYn5 -t+BiGfD2rJlCinYLgYBDpTPcdRT3VKHWqL9fcC4HKmic0mwWg9homx550wARAQAB -tDFJbmZsdXhEQiBQYWNrYWdpbmcgU2VydmljZSA8c3VwcG9ydEBpbmZsdXhkYi5j -b20+iQI3BBMBCgAhBQJWCZsEAhsDBQsJCAcDBRUKCQgLBRYDAgEAAh4BAheAAAoJ -EGhKFM8lguDF9XEQAK9rREnZt6ujh7GXfeNki35bkn39q8GYh0mouShFbFY9o0i3 -UJVChsxokJSRPgFh9GOhOPTupl3rzfdpD+IlWI2Myt6han2HOjZKNZ4RGNrYJ5UR -uxt4dKMWlMbpkzL56bhHlx97RoXKv2d2zRQfw9nyZb6t3lw2k2kKXsMxjGa0agM+ -2SropwYOXdtkz8UWaGd3LYxwEvW3AuhI8EEEHdLetQaYe9sANDvUEofgFbdsuICH -9QLmbYavk7wyGTPBKfPBbeyTxwW2rMUnFCNccMKLm1i5NpZYineBtQbX2cfx9Xsk -1JLOzEBmNal53H2ob0kjev6ufzOD3s8hLu4KMCivbIz4YT3fZyeExn0/0lUtsQ56 -5fCxE983+ygDzKsCnfdXqm3GgjaI90OkNr1y4gWbcd5hicVDv5fD3TD9f0GbpDVw -yDz8YmvNzxMILt5Glisr6aH7gLG/u8jxy0D8YcBiyv5kfY4vMI2yXHpGg1cn/sVu -ZB01sU09VVIM2BznnimyAayI430wquxkZCyMx//BqFM1qetIgk1wDZTlFd0n6qtA -fDmXAC4s5pM5rfM5V57WmPaIqnRIaESJ35tFUFlCHfkfl/N/ribGVDg1z2KDW08r -96oEiIIiV4GfXl+NprJqpNS3Cn+aCXtd7/TsDScDEgs4sMaR29Lsf26cuWk8uQIN -BFYJmwQBEADDPi3fmwn6iwkiDcH2E2V31cHlBw9OdJfxKVUdyAQEhTtqmG9P8XFZ -ERRQF155XLQPLvRlUlq7vEYSROn5J6BAnsjdjsH9LmFMOEV8CIRCRIDePG/Mez2d -nIK5yiU6GkS3IFaQg2T9/tOBKxm0ZJPfqTXbT4jFSfvYJ3oUqc+AyYxtb8gj1GRk -X283/86/bA3C98u7re1vPtiDRyM8r0+lhEc59Yx/EAOL+X2gZyTgyUoH+LLuOWQK -s1egI8y80R8NZfM1nMiQk2ywMsTFwQjSVimScvzqv5Nt8k8CvHUQ3a6R+6doXGNX 
-5RnUqn9Qvmh0JY5sNgFsoaGbuk2PJrVaGBRnfnjaDqAlZpDhwkWhcCcguNhRbRHp -N7/a0pQr70bAG9VikzLyGC17EU0sxney/hyNHkr4Uyy2OXHpuJvRjVKy/BwZ3fxA -AYX2oZIOxQB3/OulzO/DppaCVhRtp1bt+Z5f+fpisiVb5DvZcMdeyAoQ4+oOr7v3 -EasIs2XYcQ+kOE3Y2kdlHWBeuXzxgWgJZ1OOpwGMjR3Uy6IwhuSWtreJBA4er+Df -vgSPwKBsRLNLbPe3ftjArnC5GfMiGgikVdAUdN4OkEqvUbkRoAVGKTOMLUKm+ZkG -OskJOVYS+JAina0qkYEFF7haycMjf9olhqLmTIC+6X7Ox9R2plaOhQARAQABiQIf -BBgBCgAJBQJWCZsEAhsMAAoJEGhKFM8lguDF8ZIP/1q9Sdz8oMvf9AJXZ7AYxm77 -V+kJzJqi62nZLWJnrFXDZJpU+LkYlb3fstsZ1rvBhnrEPSmFxoj72CP0RtcyX7wJ -dA7K1Fl9LpJi5H8300cC7UyG94MUYbrXijbLTbnFTfNr1tGx4a1T/7Yyxx/wZGrT -H/X8cvNybkl33SxDdlQQ9kx3lFOwC41e3TkGsUWxn3TCfvDh8VdA6Py6JeSPFGOb -MEO2/q7oUgvjfV+ivN5ayZi9bWgeqm1sgtmTHHQ4RqwwKrAb5ynXpn1b9QrkevgT -b91uzMA22Prl4DuzKiaMYDcZOQ3vtf0eFBP0GOSSgUKS4bQ3dGgi1JmQ7VuAM4uj -+Ug5TnGoLwclTwLksc7v89C5MMPgm2vVXvCUDzyzQA7bIHFeX+Rziby4nymec4Nr -eeXYNBJWrEp8XR7UNWmEgroXRoN1x9/6esh5pnoUXGAIWuKzSLQM70/wWxS67+v2 -aC1GNb+pXXAzYeIIiyLWaZwCSr8sWMvshFT9REk2+lnb6sAeJswQtfTUWI00mVqZ -dvI3Wys2h0IyIejuwetTUvGhr9VgpqiLLfGzGlt/y2sg27wdHzSJbMh0VrVAK26/ -BlvEwWDCFT0ZJUMG9Lvre25DD0ycbougLsRYjzmGb/3k3UktS3XTCxyBa/k3TPw3 -vqIHrEqk446nGPDqJPS5 -=9iF7 +mQINBGPIEycBEACpG4qSjhxA6fh4QJVJxFVBvCFt9tVx/hDbKH0Ryy9iilyMeReC +AS1/CZnSv/fhDNKmVPckf6on72z/ODwZcVfMV6DHkxmZ6x/tQrS6CWfKkupsON2H +KS3t4HUivahwHPlWtbfDqsWNwTAsZqklKpJQWY2ADPwurkbCmtYSjsgbLuWe23Pd +nJpLTHtlChM0ntW/l7Le1zYjGPUGoxMJgjg1YG8fi2l/zS0Of8bdQ26ps+WRvrSQ +RKhfAkfIgUiCXxBpDlN1spN73ZlAkaSb+myTfEKyJR55Yt9pHfkDdJh26RVgE1+N +GuLmm6oidaD9lTlNJ9P8wlLzoof3xJXYprgLLz/HmgtawnJ+DxFIXoXNNpUmhORJ +6Hb2Z5IKIyGIwXhQVe2Lw7B8awBNV99zUw517Wuax3RYx7Hwhntz9gFxS4GRxaCo +uLCFQ0AgDCkMHyEHufQo1XdjIB7fz6U551y5GMQw6/rjMnUM9ZI68SQ/FWou2cQf +533PyayvWOYQM4pP7ZmbzyCd393XlMaPWA5dyUOqv7Vcmv0IsAbncX6/KJmZAhKG +qu19xb6rv3ab2RbcU422guK3C/h/URPZJbSjf2w4jUV5UDe2veZg6BEVn7Sk5bW0 +ceX8n0GVbPNG7CvRduJPjXNzsz3FzmUS8QFFde3H5gl1T0f6GcfhmKgKEQARAQAB +tDdJbmZsdXhEYXRhIFBhY2thZ2UgU2lnbmluZyBLZXkgPHN1cHBvcnRAaW5mbHV4 
+ZGF0YS5jb20+iQJVBBMBCAA/BgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAUJBaOk +/BYhBJ1TnZDTMo3H1sjTudj/jh99+LB+BQJjyB9PAhsDAAoJENj/jh99+LB+klgQ +AKOKdwTyKOr6+mnRrACz5U3EFxfAXXFGan9Ka7Nzgz4K+FOnTtT1gWwqrPPmTKQk +epNUMcelfX1kCA08yCm0nyw2niqxES40W33ergKUj6jlDx7UQYXWsDQGD9IKksa8 +MWfZlJ3zlrsGKXA4oa+kfY+vltWDVP8WhLcQzm2LywbKvr3WgY80GZbnRjoekiBK +oMKztQVMJG5yNZBo9B4JrqB3wMpnXZxEtqZcBPsJJdXTFKHsQ7kB9TMNorbUvDNH +ohwsprgMw84vHikEk9jyCypXpYq/E/wvkM0CeIUJ36S2vGvACib7BiY6Xv0BQbM4 +rWq2Rrjag1y5vVAF9gJkeo/3rhM6lE1ahDCRq0QcBMVzbxiE+3COIzRPmz14J3Yn +0pkvzlVkNj5UZR8q91ESl+UxkFCP1wzcXgs0dpJWirQIOZ9E2eYv3LcjE68xjW1k +c5q1GOGvJI7aXADxUZ4lFbz+NUb4Ts4HXHc8gV1Gm0vvmIqv2YfAvL5DXbKLdZxh +73CxKvBMmTXIEQ+vQJ3p1ZnUnb+l6DoxEFWg/hXHmE5jY3P6HIVFdliXF5FEs1lr +9snU2Pn1BDL+TBN7SX0QbKqArWA4qyn6eGH8Z1ULoUVBPCjwC9QuInp/9fqifFYo +OM3A51MDGyc/HCVG6jNJEI5h71QGHlPfyQybpjy7rQSe +=YwXc -----END PGP PUBLIC KEY BLOCK----- From b460085bb0be6b28595e8af7c5587722fbb3dd1f Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sat, 28 Jan 2023 17:38:38 +0100 Subject: [PATCH 21/80] bundles/powerdns: enable superslave if supported --- bundles/powerdns/files/pdns.conf | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/bundles/powerdns/files/pdns.conf b/bundles/powerdns/files/pdns.conf index 1e2a5de..c88246f 100644 --- a/bundles/powerdns/files/pdns.conf +++ b/bundles/powerdns/files/pdns.conf @@ -20,8 +20,9 @@ setgid=pdns allow-notify-from=${','.join(sorted(my_primary_servers))} slave=yes -# FIXME enable once debian stable has 4.1.9 -#superslave=yes +% if node.os_version[0] > 10: +superslave=yes +% endif % else: api=yes api-key=${api_key} From ab76721ddb3a25ff67f40d23bb98deff02068f1d Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sat, 28 Jan 2023 17:39:07 +0100 Subject: [PATCH 22/80] bundles/powerdnsadmin: install psycopg2 in venv --- bundles/powerdnsadmin/items.py | 2 +- bundles/powerdnsadmin/metadata.py | 1 - 2 files changed, 1 insertion(+), 2 deletions(-) 
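Review bot: The replacement repository signing key carries no provenance: the commit subject says only "new gpg key", the armor has no `Comment:` header, and no fingerprint is stated anywhere, so a later reader cannot tell whether it was cross-checked against the fingerprint InfluxData publishes or simply fetched over HTTPS. Since this key decides which packages apt will trust, suggest recording the verified fingerprint in the commit message or as an armor header, e.g. `Comment: fingerprint <FINGERPRINT> verified against <UPSTREAM_DOCS_URL> on 2023-01-27` (placeholders), so the next rotation can be checked against an out-of-band value.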
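Review bot: The new `% if node.os_version[0] > 10:` guard replaces the FIXME that explained the requirement, so the template no longer says why Debian 10 is excluded; a mako comment line above it such as `## superslave needs pdns >= 4.1.9, which buster (10) does not ship` would keep that (I'm inferring the threshold from the removed FIXME). Because `superslave=yes` lets notifying primaries auto-provision zones on this secondary, the same comment is a good place to state that the feature only acts for hosts registered as supermasters and that `allow-notify-from` above is the only network-side restriction. The enclosing `% if`/`% else` template block starts and ends outside this hunk.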
diff --git a/bundles/powerdnsadmin/items.py b/bundles/powerdnsadmin/items.py index 7cdf08c..3ccaecc 100644 --- a/bundles/powerdnsadmin/items.py +++ b/bundles/powerdnsadmin/items.py @@ -39,7 +39,7 @@ actions = { }, 'powerdnsadmin_install_deps': { 'triggered': True, - 'command': '/opt/powerdnsadmin/venv/bin/pip install -r /opt/powerdnsadmin/src/requirements.txt', + 'command': '/opt/powerdnsadmin/venv/bin/pip install --upgrade psycopg2-binary -r /opt/powerdnsadmin/src/requirements.txt', 'needs': { 'action:powerdnsadmin_create_virtualenv', 'pkg_apt:', diff --git a/bundles/powerdnsadmin/metadata.py b/bundles/powerdnsadmin/metadata.py index 8389941..0617b03 100644 --- a/bundles/powerdnsadmin/metadata.py +++ b/bundles/powerdnsadmin/metadata.py @@ -10,7 +10,6 @@ defaults = { 'libxmlsec1-dev': {}, 'libxslt1-dev': {}, 'pkg-config': {}, - 'python3-psycopg2': {}, 'python3-wheel': {}, }, }, From c5ccc31ad9fa5700b1fd575cb42b53b22dc9764c Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sat, 28 Jan 2023 18:07:31 +0100 Subject: [PATCH 23/80] get rid of molly-guard --- bundles/apt/items.py | 3 ++ .../files/10-check-unattended-upgrades | 9 ------ bundles/molly-guard/files/30-query-hostname | 29 ------------------- bundles/molly-guard/files/rc | 1 - bundles/molly-guard/items.py | 27 ----------------- bundles/molly-guard/metadata.py | 7 ----- 6 files changed, 3 insertions(+), 73 deletions(-) delete mode 100644 bundles/molly-guard/files/10-check-unattended-upgrades delete mode 100644 bundles/molly-guard/files/30-query-hostname delete mode 100644 bundles/molly-guard/files/rc delete mode 100644 bundles/molly-guard/items.py delete mode 100644 bundles/molly-guard/metadata.py diff --git a/bundles/apt/items.py b/bundles/apt/items.py index ae0f87a..639417d 100644 --- a/bundles/apt/items.py +++ b/bundles/apt/items.py @@ -143,6 +143,9 @@ pkg_apt = { 'cloud-init': { 'installed': False, }, + 'molly-guard': { + 'installed': False, + }, 'netplan.io': { 'installed': False, }, 
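Review bot: `--upgrade` in the new `powerdnsadmin_install_deps` command applies to every requirement on the line, including all of `requirements.txt`, so each time the action is triggered any unpinned entry floats to its latest release instead of just `psycopg2-binary` being added; with `psycopg2-binary` itself unpinned, two runs can yield different venvs. If the goal is only to ensure the driver is present, `'command': '/opt/powerdnsadmin/venv/bin/pip install psycopg2-binary==<PINNED_VERSION> -r /opt/powerdnsadmin/src/requirements.txt',` (version placeholder) keeps installs reproducible, and if upstream's requirements are already pinned the `--upgrade` is a no-op for them and can go. The `actions` dict continues outside the hunk.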
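Review bot: The new `'molly-guard': {'installed': False}` entry in bundles/apt/items.py has no comment, and since the deleted `10-check-unattended-upgrades` hook further down was the guard against a manual reboot while `upgrade-and-reboot` is running, a reader will want to know whether that protection moved elsewhere or was dropped deliberately. Suggest `'molly-guard': {  # dropped 2023-01; reboot-during-upgrade guard now <handled by X / not needed because Y>` with the placeholder filled in, and the same rationale in the commit message, which currently only says "get rid of molly-guard". The `pkg_apt` dict continues outside the hunk.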
diff --git a/bundles/molly-guard/files/10-check-unattended-upgrades b/bundles/molly-guard/files/10-check-unattended-upgrades deleted file mode 100644 index 6adafdb..0000000 --- a/bundles/molly-guard/files/10-check-unattended-upgrades +++ /dev/null @@ -1,9 +0,0 @@ -#!/bin/bash - -# Checks wether upgrade-and-reboot is currently running. - -if [[ -f "/var/lib/bundlewrap/soft-${node.name}/UNATTENDED" ]] -then - echo "Sorry, can't $MOLLYGUARD_CMD now, upgrade-and-reboot is running" - exit 1 -fi diff --git a/bundles/molly-guard/files/30-query-hostname b/bundles/molly-guard/files/30-query-hostname deleted file mode 100644 index 3e4fc4c..0000000 --- a/bundles/molly-guard/files/30-query-hostname +++ /dev/null @@ -1,29 +0,0 @@ -#!/bin/sh - -# This script will ask for the bundlewrap node name. This replaces the -# original script, which will ask for the hostname, which sometimes -# is not enough to properly identify the system. - -NODE_NAME="${node.name}" - -# If this is not a terminal, do nothing -test -t 0 || exit 0 - -sigh() -{ - echo "Sorry, input does not match. Won't $MOLLYGUARD_CMD $NODE_NAME ..." >&2 - exit 1 -} - -trap 'echo;sigh' 1 2 3 9 10 12 15 - -echo -n "Please enter the bundlewrap node name of this System to $MOLLYGUARD_CMD: " -read NODE_NAME_USER || : - -NODE_NAME_USER="$(echo "$NODE_NAME_USER" | tr '[:upper:]' '[:lower:]')" - -[ "$NODE_NAME_USER" = "$NODE_NAME" ] || sigh - -trap - 1 2 3 9 10 12 15 - -exit 0 diff --git a/bundles/molly-guard/files/rc b/bundles/molly-guard/files/rc deleted file mode 100644 index 4b6f808..0000000 --- a/bundles/molly-guard/files/rc +++ /dev/null @@ -1 +0,0 @@ -# currently unused diff --git a/bundles/molly-guard/items.py b/bundles/molly-guard/items.py deleted file mode 100644 index 1d6d82f..0000000 --- a/bundles/molly-guard/items.py +++ /dev/null 
@@ -1,27 +0,0 @@
-directories = {
- '/etc/molly-guard/messages.d': {
- 'purge': True,
- 'after': {
- 'pkg_apt:molly-guard',
- },
- },
- '/etc/molly-guard/run.d': {
- 'purge': True,
- 'after': {
- 'pkg_apt:molly-guard',
- },
- },
-}
-
-files = {
- '/etc/molly-guard/rc': {},
-
- '/etc/molly-guard/run.d/10-check-unattended-upgrades': {
- 'content_type': 'mako',
- 'mode': '0755',
- },
- '/etc/molly-guard/run.d/30-query-hostname': {
- 'content_type': 'mako',
- 'mode': '0755',
- },
-}
diff --git a/bundles/molly-guard/metadata.py b/bundles/molly-guard/metadata.py
deleted file mode 100644
index d8571e2..0000000
--- a/bundles/molly-guard/metadata.py
+++ /dev/null
@@ -1,7 +0,0 @@
-defaults = {
- 'apt': {
- 'packages': {
- 'molly-guard': {},
- },
- },
-}
From 07dce73bcafcd06443612afedeac13c2b542af91 Mon Sep 17 00:00:00 2001
From: Franziska Kunsmann
Date: Sat, 28 Jan 2023 18:07:51 +0100
Subject: [PATCH 24/80] bundles/sshmon: get rid of sysstat
---
 bundles/sshmon/metadata.py | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/bundles/sshmon/metadata.py b/bundles/sshmon/metadata.py
index 4fc3df2..8d5bb6b 100644
--- a/bundles/sshmon/metadata.py
+++ b/bundles/sshmon/metadata.py
@@ -8,7 +8,10 @@ defaults = {
 'monitoring-plugins': {},
 'python3-requests': {},
 'python3-setuptools': {}, # needed by check_github_for_new_release
- 'sysstat': {}, # needed by check_cpu_stats
+ 'sysstat': {
+ # legacy
+ 'installed': False,
+ },
 },
 },
 'icinga2_api': {
@@ -37,7 +40,6 @@ defaults = {
 'perl-libwww': {},
 'monitoring-plugins': {},
 'python-requests': {},
- 'sysstat': {},
 },
 },
 }
From e634c184c00c87cc3cc2276c9e78b8f2cdf4cea0 Mon Sep 17 00:00:00 2001
From: Franziska Kunsmann
Date: Sat, 28 Jan 2023 18:08:31 +0100
Subject: [PATCH 25/80] data/powerdns: convert some zones to psql
---
 data/powerdns/files/bind-zones/emails.sexy | 3 ---
 data/powerdns/files/bind-zones/felix-kunsmann.de | 5 -----
 data/powerdns/files/bind-zones/warnochwas.de | 3 ---
 3 files changed, 11 deletions(-)
 delete mode 100644 data/powerdns/files/bind-zones/emails.sexy
 delete mode 100644 data/powerdns/files/bind-zones/felix-kunsmann.de
 delete mode 100644 data/powerdns/files/bind-zones/warnochwas.de
diff --git a/data/powerdns/files/bind-zones/emails.sexy b/data/powerdns/files/bind-zones/emails.sexy
deleted file mode 100644
index c430731..0000000
--- a/data/powerdns/files/bind-zones/emails.sexy
+++ /dev/null
@@ -1,3 +0,0 @@
-${header}
-
-$ORIGIN emails.sexy.
diff --git a/data/powerdns/files/bind-zones/felix-kunsmann.de b/data/powerdns/files/bind-zones/felix-kunsmann.de
deleted file mode 100644
index ea21366..0000000
--- a/data/powerdns/files/bind-zones/felix-kunsmann.de
+++ /dev/null
@@ -1,5 +0,0 @@
-${header}
-
-$ORIGIN felix-kunsmann.de.
-
-@ IN MX 10 rx300.kunbox.net.
diff --git a/data/powerdns/files/bind-zones/warnochwas.de b/data/powerdns/files/bind-zones/warnochwas.de
deleted file mode 100644
index 2ff9e1f..0000000
--- a/data/powerdns/files/bind-zones/warnochwas.de
+++ /dev/null
@@ -1,3 +0,0 @@
-${header}
-
-$ORIGIN warnochwas.de.
From d8aa1e80d085a3d3adf7ce897ed10911225f9954 Mon Sep 17 00:00:00 2001
From: Franziska Kunsmann
Date: Sat, 28 Jan 2023 18:08:59 +0100
Subject: [PATCH 26/80] get rid of molly-guard
---
 groups/os.py | 1 -
 1 file changed, 1 deletion(-)
diff --git a/groups/os.py b/groups/os.py
index 4fa97f7..a1f3b72 100644
--- a/groups/os.py
+++ b/groups/os.py
@@ -71,7 +71,6 @@ groups['debian'] = {
 'bundles': {
 'apt',
 'backup-client',
- 'molly-guard',
 },
 'os': 'debian',
 'pip_command': 'pip3',
From 1899dfc27807cbf3ead9e634f326e7cb1da7094f Mon Sep 17 00:00:00 2001
From: Franziska Kunsmann
Date: Sat, 28 Jan 2023 18:09:31 +0100
Subject: [PATCH 27/80] dns: update to debian bullseye and postgresql 15
---
 nodes/gce/bind01.py | 4 ++--
 nodes/gce/dns02.py | 4 ++--
 nodes/gce/dns03.py | 4 ++--
 3 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/nodes/gce/bind01.py b/nodes/gce/bind01.py
index 3dce25c..a18d923 100644
--- a/nodes/gce/bind01.py
+++ b/nodes/gce/bind01.py
@@ -8,7 +8,7 @@ nodes['gce.bind01'] = {
 'powerdnsadmin',
 },
 'groups': {
- 'debian-buster',
+ 'debian-bullseye',
 'dns',
 'webserver',
 },
@@ -44,7 +44,7 @@ nodes['gce.bind01'] = {
 },
 },
 'postgresql': {
- 'version': '11',
+ 'version': '15',
 },
 'powerdns': {
 'is_secondary': False,
diff --git a/nodes/gce/dns02.py b/nodes/gce/dns02.py
index def2765..7eb1253 100644
--- a/nodes/gce/dns02.py
+++ b/nodes/gce/dns02.py
@@ -5,7 +5,7 @@ nodes['gce.dns02'] = {
 'hostname': '35.187.109.249',
 'bundles': set(),
 'groups': {
- 'debian-buster',
+ 'debian-bullseye',
 'dns',
 },
 'metadata': {
@@ -25,7 +25,7 @@ nodes['gce.dns02'] = {
 'exclude_from_backups': True,
 },
 'postgresql': {
- 'version': '11',
+ 'version': '15',
 },
 'powerdns': {
 'my_hostname': 'ns-2.kunbox.net',
diff --git a/nodes/gce/dns03.py b/nodes/gce/dns03.py
index fb23f27..14a87d7 100644
--- a/nodes/gce/dns03.py
+++ b/nodes/gce/dns03.py
@@ -5,7 +5,7 @@ nodes['gce.dns03'] = {
 'hostname': '35.228.143.71',
 'bundles': set(),
 'groups': {
- 'debian-buster',
+ 'debian-bullseye',
 'dns',
 },
 'metadata': {
@@ -25,7 +25,7 @@ nodes['gce.dns03'] = {
 'exclude_from_backups': True,
 },
 'postgresql': {
- 'version': '11',
+ 'version': '15',
 },
 'powerdns': {
 'my_hostname': 'ns-3.kunbox.net',
From b4b3fec8a7a5cbc1c26c1458c246e9b276a580b7 Mon Sep 17 00:00:00 2001
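Review bot: Changing `'version': '11'` to `'15'` in the postgresql metadata of bind01.py (and the identical hunks in dns02.py and dns03.py) only tells the bundle which cluster to manage; a PostgreSQL major upgrade still needs a `pg_upgrade` or dump/restore of the existing data, and neither this commit nor the buster→bullseye group switch shows where that happens. A comment next to the version, e.g. `'version': '15',  # upgraded from 11 on 2023-01-28 via <pg_upgrade / re-provisioned from primary>`, would record how the powerdns data crossed over and that the old cluster was removed. I can't see the postgresql bundle from here, so this is a request for the rationale rather than a claim the migration is missing.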
From: Franziska Kunsmann
Date: Sun, 29 Jan 2023 06:41:47 +0100
Subject: [PATCH 28/80] move franzi.business to psql-managed zone
---
 .../powerdns/files/bind-zones/franzi.business | 43 -------------------
 1 file changed, 43 deletions(-)
 delete mode 100644 data/powerdns/files/bind-zones/franzi.business
diff --git a/data/powerdns/files/bind-zones/franzi.business b/data/powerdns/files/bind-zones/franzi.business
deleted file mode 100644
index 2f8e3ea..0000000
--- a/data/powerdns/files/bind-zones/franzi.business
+++ /dev/null
@@ -1,43 +0,0 @@ -${header} - -$ORIGIN franzi.business. - -; ends up on rx300.kunbox.net -@ IN A 31.47.232.106 - IN AAAA 2a00:f820:528::2 - IN MX 10 rx300.kunbox.net. - IN TXT "v=spf1 mx a:sewfile.htz-cloud.kunbox.net ~all" - -chat IN CNAME rx300.kunbox.net. -dimension IN CNAME rx300.kunbox.net. -git IN CNAME rx300.kunbox.net. -jenkins IN CNAME rx300.kunbox.net. -matrix IN CNAME rx300.kunbox.net. -mta-sts IN CNAME rx300.kunbox.net. -netbox IN CNAME rx300.kunbox.net. -sewfile IN CNAME sewfile.htz-cloud.kunbox.net. -paste IN CNAME rx300.kunbox.net. -postfixadmin IN CNAME rx300.kunbox.net. -radicale IN CNAME rx300.kunbox.net. -rss IN CNAME rx300.kunbox.net. -status IN CNAME icinga2.ovh.kunbox.net. -tickets IN CNAME franzi-business.cname.pretix.eu. -travelynx IN CNAME rx300.kunbox.net. -unicornsden IN CNAME rx300.kunbox.net. -wiki IN CNAME rx300.kunbox.net. - -_matrix._tcp IN SRV 10 10 443 matrix - -_dmarc IN TXT "v=DMARC1; p=quarantine; rua=mailto:hostmaster@kunbox.net; ruf=mailto:postmaster@kunsmann.eu; fo=0:d:s; adkim=r; aspf=r" -_mta-sts IN TXT "v=STSv1;id=20201111;" -_smtp._tls IN TXT "v=TLSRPTv1;rua=mailto:hostmaster@kunbox.net" -_token._dnswl IN TXT "gg3mbwjx9bbuo5osvh7oz6bc881wcmc" - -2019._domainkey IN TXT ( "v=DKIM1; k=rsa; " - "p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwkg6UAcu3V98hal1UVf6yB0WT1CKDS0AK83CUlSP8bUwraPxkxK1nkQOUsmjbQs6a3FhdsKprMi32GeUaTVvZg81JIybPk3jNugfNWfSjs2TXPomYu+XD2pmmbR3cZlzC5NGR2nmBFt/P/S2ihPHj35KziiBIwK1TdvOi1M2+upCjK33Icco0ByCm0gJpD2O0cbqcBcUKqd6X440" - "vYhNXH1ygp0e91P0iRnvS9sg6yD0xjD8kD6j/8GfxBY+9bpU3EvDoBgyJSbjw5b6PUVJbKMXzw1NIRNj0SXKs5BakjS8+7u62vR11IPCYRwy+yr0rDT0tNegM7gStIIgoTpOoQIDAQAB" -) ; -uO4aNejDvVdw8BKne3KJIqAvCQMJ0416._domainkey IN TXT ( "v=DKIM1; k=rsa; " - "p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnh5Ym9PO7r+wdOIKfopvHzn3KU3qT6IlCG/gvvbmIqoeFQfRbAe3gQmcG6RcLue55cJQGhI6y2r0lm59ZeoHR40aM+VabAOlplekM7xWmoXb/9vG2OZLIqAyF4I+7GQmTN6B9keBHp9SWtDUkI0B0G9neZ5MkXJP705M0duxritqQlb4YvCZwteHiyckKcg9aE9j+GF2EEawBoVDp" - 
"oveoB3+wgde3lWEUjjwKFtXNXxuN354o6jgXgPNWtIEdPMLfK/o0CaCjZNlzaLTsTegY/+67hdHFqDmm8zXO9s+Xiyfq7CVq21t7wDhQ2W1agj+up6lH82FMh5rZNxJ6XB0yQIDAQAB" -) ; From f45a759a43ac0ac8c1e76948e3363ca44b687641 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 29 Jan 2023 06:42:07 +0100 Subject: [PATCH 29/80] ssl: bump _.franzi.business --- data/ssl/_.franzi.business.crt.pem | 36 ++++++++++++------------ data/ssl/_.franzi.business.key.pem.vault | 2 +- 2 files changed, 19 insertions(+), 19 deletions(-) diff --git a/data/ssl/_.franzi.business.crt.pem b/data/ssl/_.franzi.business.crt.pem index 50d05c7..b55b2de 100644 --- a/data/ssl/_.franzi.business.crt.pem +++ b/data/ssl/_.franzi.business.crt.pem 
@@ -1,27 +1,27 @@ -----BEGIN CERTIFICATE----- -MIIEiTCCA3GgAwIBAgISBEiaFE6qZ3+AhUkmqKta5OSuMA0GCSqGSIb3DQEBCwUA +MIIEijCCA3KgAwIBAgISA8l+oC4pMh1Q/UNiEPuiw39OMA0GCSqGSIb3DQEBCwUA MDIxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQD -EwJSMzAeFw0yMjExMDYwNjA3MTZaFw0yMzAyMDQwNjA3MTVaMBoxGDAWBgNVBAMT -D2ZyYW56aS5idXNpbmVzczB2MBAGByqGSM49AgEGBSuBBAAiA2IABFdgHf2P15+0 -as3iN/M7itWsdWCtH35cGIf871AeU5OhB4JDNbb5aDsho9ga/vIsjpB1Xh3EhNvP -I3b8KT9JUUE/dIRaWvNp8OSKihiU72mXIIlmslVW2AeqwBGMU0L+46OCAl0wggJZ +EwJSMzAeFw0yMzAxMjkwNDM5NTFaFw0yMzA0MjkwNDM5NTBaMBoxGDAWBgNVBAMT +D2ZyYW56aS5idXNpbmVzczB2MBAGByqGSM49AgEGBSuBBAAiA2IABMlQ1P5Y0aZ5 +vUzB4TAP8iIuiO3GJnYhnKrbe/Lz3gf6Ct9bGM4JLY3RI9xcSmol3sNKdVmbHMRe +z63GW4twSnS517axo6jcT0YQkFVyhWHvLnpBW42M1FpjzaDCbs74zKOCAl4wggJa MA4GA1UdDwEB/wQEAwIHgDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIw -DAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQUsY9YAWIXWlFiQi/JImI6LFxrc6gwHwYD +DAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQURw5+tfBU0aOBqfN40kz43fUcjx4wHwYD VR0jBBgwFoAUFC6zF7dYVsuuUAlA5h+vnYsUwsYwVQYIKwYBBQUHAQEESTBHMCEG CCsGAQUFBzABhhVodHRwOi8vcjMuby5sZW5jci5vcmcwIgYIKwYBBQUHMAKGFmh0 dHA6Ly9yMy5pLmxlbmNyLm9yZy8wLQYDVR0RBCYwJIIRKi5mcmFuemkuYnVzaW5l c3OCD2ZyYW56aS5idXNpbmVzczBMBgNVHSAERTBDMAgGBmeBDAECATA3BgsrBgEE AYLfEwEBATAoMCYGCCsGAQUFBwIBFhpodHRwOi8vY3BzLmxldHNlbmNyeXB0Lm9y -ZzCCAQQGCisGAQQB1nkCBAIEgfUEgfIA8AB2ALc++yTfnE26dfI5xbpY9Gxd/ELP -ep81xJ4dCYEl7bSZAAABhEvD10MAAAQDAEcwRQIhAM2BBzR9UWZNuK3+nk6AdaJL -1j8OvFPZnb+CJqdYtBe8AiAJM4kwOyZLzK/ZGXzwBJLjRTXs2hJZ4qXUzszhv/hs -+QB2AHoyjFTYty22IOo44FIe6YQWcDIThU070ivBOlejUutSAAABhEvD2UYAAAQD -AEcwRQIgfMXcWDFe5IKe6n4D9t3zpecF7wCIje8pBd4WQ3OfxM4CIQDpGTCU2pUI -Hfwkq+6a2j6Lh3baERBbrfnGDF2AOjjelzANBgkqhkiG9w0BAQsFAAOCAQEAMGiD -9uo+WVO+p/HFA+bHM/1ZaTDBONP72YHPx0tdFvQAPQ59n8n6KsE2w9cioNHiRYVv -WhoHjWXtzsCiJzNvc4wuTCxJkBtfSAvsOGqGMQJ+cQym+aSBKqSKvKsIQQjOmz/p -sere5gqTkhuCfnbF8AL7JqDFld4knlbzzsdhj0SjcAO4OUA8SdHdGq192hVRB+nL -IFb6Ax4jD/fQ19j+uL+F1MgMmwUkVF77X279FGlax9PGpmQ47aLj5w7qDpZxfHf9 
-Z2nq14Bk6USZcz9hR+gq38lvo6aU/0MvPey9QiIzLg78K0gEQ1o3qoUIl+9erSLR -ssU+fmyZoeNBV6q8xw== +ZzCCAQUGCisGAQQB1nkCBAIEgfYEgfMA8QB3AHoyjFTYty22IOo44FIe6YQWcDIT +hU070ivBOlejUutSAAABhfwJ/TEAAAQDAEgwRgIhAINjOWzyMeYZYFNk5cdghSwA +JDuxKo8/ubIlsAV9ymJWAiEAuVZjp2GQ0RmFyGVDiF865uC4lTtzMIwmpgwYiBqg +DQsAdgCt9776fP8QyIudPZwePhhqtGcpXc+xDCTKhYY069yCigAAAYX8Cf1OAAAE +AwBHMEUCIGoeOIHC8O+zj/3E89BHv+9siaKSOy/2I6i53V5faX3EAiEAsk/Lhr/0 +NpogdjroYqt1sKvTzmO0BrxWJ5a41JQdtX0wDQYJKoZIhvcNAQELBQADggEBAIM4 +moszjbZGKjaoCtsj5t7Dtxu/JmE9gOnwfxnUrDKn0T00dKQi8Mk6a4C5vdGnxorO +lj8VutznRvp1RKxb6WWyk0iW22rLm+kTudf/vf9lY0X7DmD/u3MO2tGumwjMdLRT +QgxP+yu8R03ZppnuzYZhERAbY6AuC/U+owiYjNfF4v1Eyn4zxe6L2v0UWGnBWObb +xv5RbhHFezr676GaLIrcVh0rN6YNK2J1Cei2pNtAVSLiSJvuuO5Qq1KE7wQqbGd+ +lqK2tcEZRtzaFrpW7C0ZW7LpgO8zdeN4BtD25ozhGJO/0H5hhKpQ/wtWqXYKkhC/ +G47QSheqKqJnHOCL0hA= -----END CERTIFICATE----- diff --git a/data/ssl/_.franzi.business.key.pem.vault b/data/ssl/_.franzi.business.key.pem.vault index 60ada7b..9a5202f 100644 --- a/data/ssl/_.franzi.business.key.pem.vault +++ b/data/ssl/_.franzi.business.key.pem.vault 
@@ -1 +1 @@ -encrypt$gAAAAABjZ10m0BnUbl5777KN6VHf6uAdtcs15-osbqRoQq6epRuWllD-ziy_2N7BrOkRcmfSJaB8zZ1l1bLD6ws3SlI7jvbkahvWnuKinkGiE30SGGjqr6MY_NJGawdox8OJWrsWLFYJJjrePl_mmVtx9G41oBreKizj1YPswzbzsFociJ0zF0xlx99sjjLxRB5PEaI3fwK1eXDmODGZ__dwKxINGSB2zxPb10Vwtnsp3cmaUiKh1TfIghQAm523cAuHPys1-tNXuJpvhPY3tIxB5gHZYiBXMzcS64mD1KqEubsnplxQlK-N_mJ7Q6n0xReG00pqvm5twRI5g7PoHYLH7nZI7KYOSI2XMAS7gP6Uy-H60BQKAHXuX4yutznVRJspv0wa4kfW9vcBfFECBhFeC8tAAkgAc-NvAsDYk6tYSi2k3N2zXsiyHy0NL-JMnUEicQT3YZNnfkoYqjuxwFbQvgtZZun38w== \ No newline at end of file +encrypt$gAAAAABj1gankGocRRCdH6WqCUFJ6UtA1f07KpXYh4KcelenJv0ZbQ98f2nwIk29iXWEIsS9FTiRyEG95u_Lmm_p7GbKCMDSIZfZgAC2I3tp_BxZPerhEkwxTT_BjEYHRjMDFrzwoAypTO1Mj_XiT_CYvAZptHI3MZcI9QwPVw-CMJ4KqzG-IztkW8KVnuM7agiBdUt4IYkLyeZ0IoL4nOIWANtdM-y4rILv6N7WIMw6dgsSvLPEQR-PYdNLq866IR0-yFGOfYcQKOvpBqAt6A69E6JxSm3AakaJaS75QYF2lzGVjTfrFoGz60LUjC60KuTsu3dUckGUm7JEq1BSMxvc5b_a6pCazvoAnM0gbtbM_DjL0phLj7VWZEg-_1CHfc2S0-UxbxBjLKJ3NPPs93_En5RWxqxkhvvZgxzWJqQWP2eBprge8Q_EEXkMbxumVVx9Ymdynlw2AgkQhVVJIu_vnsZ4Uc8vIA== \ No newline at end of file From ba97cd432fc36704ea1a96c8aecddaf130698b48 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 29 Jan 2023 06:45:34 +0100 Subject: [PATCH 30/80] bundles/icinga2: icingaweb2 apparently ships monitoring module by itself --- bundles/icinga2/metadata.py | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/bundles/icinga2/metadata.py b/bundles/icinga2/metadata.py index 9bf7d26..fcbfd13 100644 --- a/bundles/icinga2/metadata.py +++ b/bundles/icinga2/metadata.py @@ -17,7 +17,9 @@ defaults = { 'icinga2': {}, 'icinga2-ido-pgsql': {}, 'icingaweb2': {}, - 'icingaweb2-module-monitoring': {}, + + # apparently no longer needed + #'icingaweb2-module-monitoring': {}, # neeeded for statusmonitor 'python3-flask': {}, From ff8928dd0bb1490e8c607420287452ddf563c18b Mon Sep 17 00:00:00 2001 
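Review bot: In the icinga2 metadata.py hunk the package is commented out rather than removed or marked `'installed': False`, which leaves `icingaweb2-module-monitoring` in place on existing nodes and leaves dead code in the defaults. If `icingaweb2` really ships the module now, `'icingaweb2-module-monitoring': {'installed': False},  # bundled with icingaweb2 since <VERSION>` (placeholder) states the intent and also cleans up nodes; if that still needs confirming, say so in the comment instead of `# apparently no longer needed` so the follow-up is obvious. The `defaults` dict continues outside the hunk.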
From: Franziska Kunsmann Date: Sun, 29 Jan 2023 06:54:48 +0100 Subject: [PATCH 31/80] remove openhab, move backups to hass --- PORT_MAP.md | 1 - bundles/openhab/files/backup-pre-hook | 5 -- bundles/openhab/files/openhab | 62 ------------------- bundles/openhab/items.py | 32 ---------- bundles/openhab/metadata.py | 55 ---------------- data/apt/files/gpg-keys/openhab.asc | 52 ---------------- ....openhab.key.vault => home.hass.key.vault} | 0 .../keys/{home.openhab.pub => home.hass.pub} | 0 nodes/home.hass.toml | 3 - nodes/home.openhab.toml | 21 ------- 10 files changed, 231 deletions(-) delete mode 100644 bundles/openhab/files/backup-pre-hook delete mode 100644 bundles/openhab/files/openhab delete mode 100644 bundles/openhab/items.py delete mode 100644 bundles/openhab/metadata.py delete mode 100644 data/apt/files/gpg-keys/openhab.asc rename data/backup/keys/{home.openhab.key.vault => home.hass.key.vault} (100%) rename data/backup/keys/{home.openhab.pub => home.hass.pub} (100%) delete mode 100644 nodes/home.openhab.toml diff --git a/PORT_MAP.md b/PORT_MAP.md index c683843..7d9d4dc 100644 --- a/PORT_MAP.md +++ b/PORT_MAP.md @@ -45,7 +45,6 @@ Rule of thumb: keep ports below 10000 free for stuff that reserves ports. | 22060 | pretalx | gunicorn | | 22070 | paperless-ng | gunicorn | | 22080 | netbox | gunicorn | -| 22090 | openhab | http | | 22999 | nginx | stub_status | | 22100 | ntfy | http | diff --git a/bundles/openhab/files/backup-pre-hook b/bundles/openhab/files/backup-pre-hook deleted file mode 100644 index fbf0eda..0000000 --- a/bundles/openhab/files/backup-pre-hook +++ /dev/null @@ -1,5 +0,0 @@ -#!/bin/bash - -find /var/lib/openhab/backups -type f -mtime +3 -delete - -/usr/share/openhab/runtime/bin/backup --full diff --git a/bundles/openhab/files/openhab b/bundles/openhab/files/openhab deleted file mode 100644 index 9893987..0000000 --- a/bundles/openhab/files/openhab +++ /dev/null 
@@ -1,62 +0,0 @@ -# openHAB service options - -######################### -## PORTS -## The ports openHAB will bind its HTTP/HTTPS web server to. - -OPENHAB_HTTP_PORT=22090 -#OPENHAB_HTTPS_PORT=8443 - -######################### -## HTTP(S) LISTEN ADDRESS -## The listen address used by the HTTP(S) server. -## 0.0.0.0 (default) allows a connection from any location -## 127.0.0.1 only allows the local machine to connect - -OPENHAB_HTTP_ADDRESS=127.0.0.1 - -######################### -## BACKUP DIRECTORY -## Set the following variable to specify the backup location. -## runtime/bin/backup and runtime/bin/restore will use this path for the zip files. - -#OPENHAB_BACKUPS=/var/lib/openhab/backups - -######################### -## JAVA OPTIONS -## Additional options for the JAVA_OPTS environment variable. -## These will be appended to the execution of the openHAB Java runtime in front of all other options. -## -## A couple of independent examples: -## EXTRA_JAVA_OPTS="-Dgnu.io.rxtx.SerialPorts=/dev/ttyZWAVE:/dev/ttyUSB0:/dev/ttyS0:/dev/ttyS2:/dev/ttyACM0:/dev/ttyAMA0" -## EXTRA_JAVA_OPTS="-Djna.library.path=/lib/arm-linux-gnueabihf/ -Duser.timezone=Europe/Berlin -Dgnu.io.rxtx.SerialPorts=/dev/ttyZWave" - -EXTRA_JAVA_OPTS="${extra_java_opts}" - -######################### -## OPENHAB DEFAULTS PATHS -## The following settings override the default apt/rpm locations and should be used with caution. -## openHAB will fail to update itself if you're using different paths. -## Only set these if you are testing and are confident in debugging. - -#OPENHAB_HOME=/usr/share/openhab -#OPENHAB_CONF=/etc/openhab -#OPENHAB_RUNTIME=/usr/share/openhab/runtime -#OPENHAB_USERDATA=/var/lib/openhab -#OPENHAB_LOGDIR=/var/log/openhab - -######################### -## OPENHAB USER AND GROUP -## The user and group that takes ownership of openHAB. Only available for init.d systems. -## To edit user and group for systemd, see the service file at /usr/lib/systemd/system/openhab.service. 
- -#OPENHAB_USER=openhab -#OPENHAB_GROUP=openhab - -######################### -## SYSTEMD START MODE -## The Karaf startmode for the openHAB runtime. Only available for systemctl/systemd systems. -## Defaults to daemon when unset here. Multiple options can be used without quotes. -## debug increases log output. daemon launches the Karaf/openHAB processes. - -#OPENHAB_STARTMODE=debug diff --git a/bundles/openhab/items.py b/bundles/openhab/items.py deleted file mode 100644 index eabe1d0..0000000 --- a/bundles/openhab/items.py +++ /dev/null @@ -1,32 +0,0 @@ -extra_java_opts = [] - -for opt, value in sorted(node.metadata.get('openhab/java_opts', {}).items()): - if value is None: - extra_java_opts.append(f'-D{opt}') - else: - extra_java_opts.append(f'-D{opt}={value}') - -files = { - '/etc/default/openhab': { - 'content_type': 'mako', - 'context': { - 'extra_java_opts': ' '.join(extra_java_opts), - }, - 'triggers': { - 'svc_systemd:openhab:restart', - }, - }, - '/etc/backup-pre-hooks.d/40-openhab': { - 'source': 'backup-pre-hook', - 'mode': '0755', - } -} - -svc_systemd = { - 'openhab': { - 'needs': { - 'pkg_apt:openhab', - 'pkg_apt:openhab-addons', - }, - }, -} diff --git a/bundles/openhab/metadata.py b/bundles/openhab/metadata.py deleted file mode 100644 index e6a87cc..0000000 --- a/bundles/openhab/metadata.py +++ /dev/null 
@@ -1,55 +0,0 @@ -defaults = { - 'apt': { - 'packages': { - 'openjdk-17-jre': {}, - 'openhab': { - 'needs': { - 'pkg_apt:openjdk-17-jre', - }, - }, - 'openhab-addons': { - 'needs': { - 'pkg_apt:openhab', - }, - }, - }, - 'repos': { - 'openhab': { - 'items': { - 'deb https://openhab.jfrog.io/artifactory/openhab-linuxpkg stable main', - }, - }, - }, - }, - 'backups': { - 'paths': { - '/usr/share/openhab/addons', # not included in openhab backup - '/var/lib/openhab', - }, - }, -} - - -@metadata_reactor.provides( - 'nginx/vhosts/openhab', -) -def nginx(metadata): - if not node.has_bundle('nginx'): - raise DoNotRunAgain - - return { - 'nginx': { - 'vhosts': { - 'openhab': { - 'domain': metadata.get('openhab/domain'), - 'locations': { - '/': { - 'target': 'http://localhost:22090/', - }, - }, - 'website_check_path': '/', - 'website_check_string': 'openHAB', - }, - }, - }, - } diff --git a/data/apt/files/gpg-keys/openhab.asc b/data/apt/files/gpg-keys/openhab.asc deleted file mode 100644 index 196e60e..0000000 --- a/data/apt/files/gpg-keys/openhab.asc +++ /dev/null 
@@ -1,52 +0,0 @@ ------BEGIN PGP PUBLIC KEY BLOCK----- - -mQINBFWz+OYBEACXcmKiL6ix1e4gJIWVoGMF7Hv0VOVKJgIUF/zJYBqk3sXQp/pi -JbIoODhrrIbEK33mqgy1EfzEmDhEurule59hq9HAQpOEz9hVbghhnsB8eXEQ9yJO -Wf8D8UGi2MKmqkvf7//jvdywNaQG/xhLu2xld7MxjuhswfiUWqoRFRpQoKY2QCe9 -n92qS0MGGK0B6WgapZZPT6AGyqKYtkCA5qUn7bcoEM2236nXhOAYHJh0o4qJ+cBk -BbSx8KEdrZxKQH50gB//gk/K2s+6CbYYOcJX6z3SLa3fxzlbyH9xQhpumAv/++2v -IIJbJHJicsmCKe/SQ7x5xVh90j6xA3oiYZIG78xWL0xnGCPhFws861dR2iON6CSp -+UKDciEQJH+Ew40la+DcHH7tzHlpZpCC1Jv7VBDkhziPrsscgOtYEwfhsq0Pyfpo -0IsyVDBUyj3Nne1NcKShd6+SYFz+gtXkttELi+DZmyA6onatw7LPGFHs8gOVKYBM -PzmERQ1DjlFW+Dc8FEQquYiquzmkyhJUXHVD1G8Mkic8jhccWbv3S7ePanvpgyZ3 -/KBAWk48/sym+zJTLWuJsCCNLI3K6gngexz1MMaRaPkbVK+4aboNLm6YhVlF5RCK -rTzIUAeB4dmu1k8Quqy/nYhYMokB9w5hiPwmGutjbpOntnrfqxvYy1EL1wARAQAB -tDBvcGVuSEFCIEJpbnRyYXkgUmVwb3NpdG9yaWVzIDxvd25lckBvcGVuaGFiLm9y -Zz6JAlQEEwEKAD4CGwMFCwkIBwMFFQoJCAsFFgIDAQACHgECF4AWIQTtt9AwTi/K -9infEWMHVyH2oiQGCgUCXTjCTAUJDwsFBgAKCRAHVyH2oiQGCmfMD/sGZickeBlA -+x8XxfzvwxTnW/8MCvFBa4l/GoK9bALylvekP4adk/aaySMk/zjk231mwmMuttnP -VDg6TwhxhthveAFdbJEkTNhWUqH0FzyN9QwEGfIodjkQSYWwosY+55V0uYp2zfo9 -iHOtxzXjuLnkpZZPyY33qqGruqhnbyo2J09oLNw4MIwOepNMihP5u0nudTXiDivg -eg8lx/4WIIfwDwCe1gSBnU/731B0TIruxz3cQabLgeTuKB13+ajtJGuH1qrHxMVx -CFhD8wCugNj0qcI6NS06SXwLSAFr+xIeFXWVum2okWt2nzPpn7ll/FUG+qRECipt -m1IaEbelUrcuk7dUY75Fz5Fx8S0HtYAcCYYBDnhcaSSq7sK0NklrVz+bQZsJx4hY -ebkiNI/xFM3slOYoRzGWawuVpG/y1/VM/QRPS4uUS5rnvbGLVpn3bR+03FQwZWeb -yfMNke74TlM9+aEJZb1uxYQGLDFNDVNyALtGhDDp0R/FuDR0my3va3GJnZrtUGVg -M5Xfs/ebsKZ+CuLKqlbdZ0zjLUCJoT+tGGT1VPpi83jc+4wZXynj9b9/CWHoDfaN -VKTj95R7c7IOMRH5srpHX3qSzIF2Yav395SxJNuTTxcPCZ+n2M8jhvVnn4x8sWn5 -Ms0cN2tKVmfIbLF/1JempVsifJmRkbqN+rkCDQRVs/jmARAAxrYK7y1WW/szELpQ -guGSJGIjLt3tNGHGLP3lX4G1DlbziysTx3fY+c+hzGAM8WInsABq5fOWqkiLfx3f -wlHdo7bxv3U+xWq+xV9OOx+tjJn2xI3EtZ632pOQtxj/+6Tdcf3tIwOSMKK5kpGw -DU1VoLkWMfJeq0md6TDRB49p82Q1UGTaVCCfHYpvwCyuv1FWhSQuPJJLdP0YRX2i -1L7zyJLUzjmlAmlNoSMSaoozNJoz/XKFOPoJ66Tu8j8j8W+yqcAKeRTPiZXCEjbh 
-3wgxrx3PWV77kOmtfb0sHyxRujdJvEUfixrSoi4qLrE8kCo2OR8d1C5DsMlbZzvF -kHWaNSkOtpWqEGD/+BLs6lejHvbBEvYSsQMF53yH8q1U+9+7CP9wwKKAtN7LQJcw -xUADv/UhSLA/ZZTisaeUVem9vZlnVfANSieYQvy6zWqvKF4FhBpQbVzSINWv/nzu -NR4gg3uJRMHUb4cyfy3mmJ7FwwF8oHQXU+mkILWmiwrMDbq0Mjc8FRL5Bg4iTwS5 -jDGLZ0g4xU0GYi22eAWPL0dpQpA8t5Ja7W+x+VASOtbpnMAJO94YZ4yXlDcDeNJD -uo2y0z+xjuloPrGK+AssCpOBxpBlcrAFRMx5+rpkHSlLtkQNPeBPwXlryafDZ2PA -QsLBxUmFphyBraakmdGP3mR9ThUAEQEAAYkCPAQYAQoAJgIbDBYhBO230DBOL8r2 -Kd8RYwdXIfaiJAYKBQJdOMOgBQkPDFfaAAoJEAdXIfaiJAYKDLgP/iuh/Kppaem/ -wsRs6ehuCyEVz7ZJsKeq9ZL3d0jQy0CaFQRSICucptBeb14rTvf/i5+eEQI7E/bJ -9dLm1mepVS8M3wyn9+pP+Loa7bajEAD5ap08F88q56s+U70HO30qRHxp2yD9ZU0A -joX8pAIS/YaMicm1EFYajpyls/Jcyp2JG2AavRsrQ3iHvGv5Fc2/09E76lwje/Yh -royPhCrVm0adk6sxLfmKNiXBpLb5gzHR81oo20zk0+qYg2pRcVvfd6PvOcsrO4tl -K8kUMyfYixVKJu59xtMdg5ff6qlBrmTXkxyGb0t7VlhnX4UKcVU//+6b0TnBmUaG -61CZ4CGD2VvUMXcM0ihYl85g7+O9u/P2u3mhLX3xEa+rM4XpzqajL+jpt3CGQLkp -TnKZ8g1k9l7UkrHvVs/tBTCPvOEstzMwq2tWNuCbJ7Y9oB6FDPZGM3oFe2ubu2OH -MFT3KmOhD2jhWCXyB1hK/LOmINGfdfulBsK2KLKtKoJMWu2QLyMLa91l3AhzbH+s -7gQY6iC9rTy9qfHGOLTPjrHfkmrBky+KiDx1KVOnQvPqloLbKhkq1KHv8TAonqGK -THbU4Eod0DmWw80Z2zX7jV3BJs9VmDhr5NzpaZCVlrKrL+vIXzFClCYWQQMwfHpO -Yyq3xLVDG/Zs7LmgSAiEITxRFTR4qg7k -=r37a ------END PGP PUBLIC KEY BLOCK----- diff --git a/data/backup/keys/home.openhab.key.vault b/data/backup/keys/home.hass.key.vault similarity index 100% rename from data/backup/keys/home.openhab.key.vault rename to data/backup/keys/home.hass.key.vault diff --git a/data/backup/keys/home.openhab.pub b/data/backup/keys/home.hass.pub similarity index 100% rename from data/backup/keys/home.openhab.pub rename to data/backup/keys/home.hass.pub diff --git a/nodes/home.hass.toml b/nodes/home.hass.toml index b451d32..643a7a5 100644 --- a/nodes/home.hass.toml +++ b/nodes/home.hass.toml @@ -5,9 +5,6 @@ bundles = [ ] groups = ["debian-bullseye"] -[metadata.backups] -exclude_from_backups = true - [metadata.interfaces.enp1s0] ips = ["172.19.138.25/24"] gateway4 = "172.19.138.1" 
diff --git a/nodes/home.openhab.toml b/nodes/home.openhab.toml
deleted file mode 100644
index a2c0656..0000000
--- a/nodes/home.openhab.toml
+++ /dev/null
@@ -1,21 +0,0 @@
-hostname = "172.19.138.21"
-bundles = ["nginx", "openhab"]
-groups = ["debian-bullseye"]
-
-[metadata.interfaces.enp1s0]
-ips = ["172.19.138.21/24"]
-gateway4 = "172.19.138.1"
-ipv6_accept_ra = true
-
-[metadata.nginx.vhosts.openhab]
-ssl = "_.home.kunbox.net"
-
-[metadata.openhab]
-domain = "openhab.home.kunbox.net"
-
-[metadata.openhab.java_opts]
-"user.timezone" = "Europe/Berlin"
-
-[metadata.vm]
-cpu = 2
-ram = 2

From c717e86f70457ceb5c13705236c3391216539c12 Mon Sep 17 00:00:00 2001
From: Franziska Kunsmann
Date: Sun, 29 Jan 2023 07:03:28 +0100
Subject: [PATCH 32/80] bundles/homeassistant: fix website_check

---
 bundles/homeassistant/metadata.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/bundles/homeassistant/metadata.py b/bundles/homeassistant/metadata.py
index 87855f8..feb1cd1 100644
--- a/bundles/homeassistant/metadata.py
+++ b/bundles/homeassistant/metadata.py
@@ -54,8 +54,8 @@ def nginx(metadata):
 'vhosts': {
 'homeassistant': {
 'domain': metadata.get('homeassistant/domain'),
- 'website_check_path': '/',
- 'website_check_string': 'Homeassistant',
+ 'website_check_path': '/auth/authorize',
+ 'website_check_string': 'Home Assistant',
 'locations': {
 '/': {
 'target': 'http://127.0.0.1:8123',

From 60585a3716805f448642073d701751c51b0bf9fc Mon Sep 17 00:00:00 2001
From: Franziska Kunsmann
Date: Sun, 29 Jan 2023 07:04:38 +0100
Subject: [PATCH 33/80] bundles/homeassistant: fix typo

---
 bundles/homeassistant/files/check_homeassistant_update | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/bundles/homeassistant/files/check_homeassistant_update b/bundles/homeassistant/files/check_homeassistant_update
index d01d830..ff2b0d7 100644
--- a/bundles/homeassistant/files/check_homeassistant_update
+++ b/bundles/homeassistant/files/check_homeassistant_update
@@ -41,7 +41,7 @@ try:
 message = f"WARNING - stable version {stable_version} is lower than running version {running_version}, check if downgrade is necessary."
 else:
 status = 2
- message = f"CRITICAL - update necessary, running verison {running_version} is lower than stable version {stable_version}"
+ message = f"CRITICAL - update necessary, running version {running_version} is lower than stable version {stable_version}"
 except Exception as e:
 message = f"{message}: {repr(e)}"

From 31e614ab3ba6c652ed0644a9d5ed12c28175e74d Mon Sep 17 00:00:00 2001
From: Franziska Kunsmann
Date: Sun, 29 Jan 2023 08:06:27 +0100
Subject: [PATCH 34/80] bundles/powerdns: allow exposing API to the world

---
 bundles/powerdns/metadata.py | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/bundles/powerdns/metadata.py b/bundles/powerdns/metadata.py
index 57f46f5..3cf5d4e 100644
--- a/bundles/powerdns/metadata.py
+++ b/bundles/powerdns/metadata.py
@@ -211,8 +211,9 @@ def firewall(metadata):
 return {
 'firewall': {
 'port_rules': {
- '53': atomic(metadata.get('powerdns/restrict-to', {'*'})),
- '53/udp': atomic(metadata.get('powerdns/restrict-to', {'*'})),
+ '53': atomic(metadata.get('powerdns/restrict-to/dns', {'*'})),
+ '53/udp': atomic(metadata.get('powerdns/restrict-to/dns', {'*'})),
+ '8081': atomic(metadata.get('powerdns/restrict-to/api', set())),
 },
 },
 }

From c93a4d0a99332310fed7532c8b2e098b5a70ee5e Mon Sep 17 00:00:00 2001
From: Franziska Kunsmann
Date: Sun, 29 Jan 2023 08:35:08 +0100
Subject: [PATCH 35/80] powerdns: switch to AXFR for secondarie

---
 bundles/powerdns/files/named.conf | 2 +-
 bundles/powerdns/files/pdns.conf | 2 ++
 bundles/powerdns/items.py | 26 ++++++++++++++++++--------
 groups/features.py | 4 ----
 nodes/gce/bind01.py | 3 +++
 5 files changed, 24 insertions(+), 13 deletions(-)

diff --git a/bundles/powerdns/files/named.conf b/bundles/powerdns/files/named.conf
index 196e3f5..4154935 100644
--- a/bundles/powerdns/files/named.conf
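Review bot: The DNS rules now read `powerdns/restrict-to/dns` while keeping the `{'*'}` fallback, so any node or group metadata that still sets the old flat `powerdns/restrict-to` key (I cannot see the node files from here) would silently open port 53 to the world instead of failing loudly. A one-off guard at the top of this reactor would catch that during the transition, e.g. `if isinstance(metadata.get('powerdns/restrict-to', {}), set): raise ValueError('powerdns/restrict-to moved to powerdns/restrict-to/dns')`. The empty-set default for `8081` is the right call, since the API stays unreachable unless a node opts in. The `firewall` reactor's definition starts above this hunk.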
+++ b/bundles/powerdns/files/named.conf
@@ -1,6 +1,6 @@
 % for zone in sorted(zones):
 zone "${zone}" {
 file "/var/lib/powerdns/zones/${zone}";
- type native;
+ type master;
 };
 % endfor

diff --git a/bundles/powerdns/files/pdns.conf b/bundles/powerdns/files/pdns.conf
index c88246f..7fcb1ca 100644
--- a/bundles/powerdns/files/pdns.conf
+++ b/bundles/powerdns/files/pdns.conf
@@ -27,6 +27,8 @@ superslave=yes
 api=yes
 api-key=${api_key}
 webserver=yes
+webserver-address=0.0.0.0
+webserver-allow-from=0.0.0.0/0
 allow-notify-from=

diff --git a/bundles/powerdns/items.py b/bundles/powerdns/items.py
index a6db93a..9444c2f 100644
--- a/bundles/powerdns/items.py
+++ b/bundles/powerdns/items.py
@@ -50,11 +50,11 @@ files = {
 '/etc/powerdns/pdns.conf': {
 'content_type': 'mako',
 'context': {
- 'api_key': node.metadata['powerdns']['api_key'],
- 'my_hostname': node.metadata['powerdns'].get('my_hostname', node.metadata.get('hostname')),
- 'is_secondary': node.metadata['powerdns'].get('is_secondary', False),
- 'my_primary_servers': node.metadata['powerdns'].get('my_primary_servers', set()),
- 'my_secondary_servers': node.metadata['powerdns'].get('my_secondary_servers', set()),
+ 'api_key': node.metadata.get('powerdns/api_key'),
+ 'my_hostname': node.metadata.get('powerdns/my_hostname', node.metadata.get('hostname')),
+ 'is_secondary': node.metadata.get('powerdns/is_secondary', False),
+ 'my_primary_servers': node.metadata.get('powerdns/my_primary_servers', set()),
+ 'my_secondary_servers': node.metadata.get('powerdns/my_secondary_servers', set()),
 },
 'needs': {
 'pkg_apt:pdns-server',
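Review bot: `webserver-address=0.0.0.0` together with `webserver-allow-from=0.0.0.0/0` switches off PowerDNS's own source ACL, so reachability of the API on 8081 now rests solely on the host firewall rule and the static `api-key`; a missing firewall rule exposes the full zone-editing API. The `pdns.conf` item is already a mako template, and the items.py hunk on this same line shows its `context` carries only `api_key`, `my_hostname`, `is_secondary`, `my_primary_servers` and `my_secondary_servers`, so the allow-list could be driven from metadata rather than hard-coded: pass a set of permitted CIDRs (a new key such as `powerdns/api_allow_from`) into the context and render `webserver-allow-from=${','.join(sorted(api_allow_from))}` instead of the literal `0.0.0.0/0`. As far as I know the built-in webserver speaks plain HTTP only, so the api-key crosses the network in cleartext to every client that is let through; if remote access is really needed, a TLS-terminating proxy in front of it is worth considering.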
@@ -142,12 +142,22 @@ if node.metadata.get('powerdns/features/bind', False):
 'action:powerdns_reload_zones',
 },
 }
+else:
+ files['/etc/powerdns/named.conf'] = {
+ 'delete': True,
+ 'needed_by': {
+ 'svc_systemd:pdns',
+ },
+ 'triggers': {
+ 'action:powerdns_reload_zones',
+ },
+ }

-if node.metadata.get('powerdns/features/pgsql', False):
+if node.metadata.get('powerdns/features/pgsql', node.has_bundle('postgresql')):
 files['/etc/powerdns/pdns.d/pgsql.conf'] = {
 'content_type': 'mako',
 'context': {
- 'password': node.metadata['postgresql']['roles']['powerdns']['password'],
+ 'password': node.metadata.get('postgresql/roles/powerdns/password'),
 },
 'needs': {
 'pkg_apt:pdns-backend-pgsql',
@@ -163,7 +173,7 @@ if node.metadata.get('powerdns/features/pgsql', False):
 files['/etc/powerdns/schema.pgsql.sql'] = {}
 actions['powerdns_load_pgsql_schema'] = {
- 'command': node.metadata['postgresql']['roles']['powerdns']['password'].format_into('PGPASSWORD={} psql -h 127.0.0.1 -d powerdns -U powerdns -w < /etc/powerdns/schema.pgsql.sql'),
+ 'command': node.metadata.get('postgresql/roles/powerdns/password').format_into('PGPASSWORD={} psql -h 127.0.0.1 -d powerdns -U powerdns -w < /etc/powerdns/schema.pgsql.sql'),
 'unless': 'sudo -u postgres psql -d powerdns -c "\dt" | grep domains 2>&1 >/dev/null',
 'needs': {
 'bundle:postgresql',

diff --git a/groups/features.py b/groups/features.py
index 4605270..54a58a7 100644
--- a/groups/features.py
+++ b/groups/features.py
@@ -12,10 +12,6 @@ groups['dns'] = {
 },
 'metadata': {
 'powerdns': {
- 'features': {
- 'bind': True,
- 'pgsql': True,
- },
 # Overridden in node metadata for primary server
 'is_secondary': True,
 },

diff --git a/nodes/gce/bind01.py b/nodes/gce/bind01.py
index a18d923..1575237 100644
--- a/nodes/gce/bind01.py
+++ b/nodes/gce/bind01.py
@@ -47,6 +47,9 @@ nodes['gce.bind01'] = {
 'version': '15',
 },
 'powerdns': {
+ 'features': {
+ 'bind': True,
+ },
 'is_secondary': False,
 'secondary_nameservers': 'dns',
 'my_hostname': 'ns-1.kunbox.net',

From 9684e94e4d4a018a9b2f3819db16622a40f02b36 Mon Sep 17 00:00:00 2001
From: Franziska Kunsmann
Date: Sun, 29 Jan 2023 08:47:50 +0100
Subject: [PATCH 36/80] dns: switch everything but kunbox.net to psql

---
 .../files/bind-zones/cybert-media.net | 9 ------
 .../bind-zones/die-brontosaurier-waren-es.org | 9 ------
 .../files/bind-zones/eskalation.jetzt | 9 ------
 .../files/bind-zones/flauschehorn.sexy | 15 ---------
 data/powerdns/files/bind-zones/kunbox.net | 4 +++
 data/powerdns/files/bind-zones/kunsmann.eu | 31 -------------------
 .../powerdns/files/bind-zones/trans-agenda.de | 4 ---
 .../powerdns/files/bind-zones/trans-agenda.eu | 22 -------------
 8 files changed, 4 insertions(+), 99 deletions(-)
 delete mode 100644 data/powerdns/files/bind-zones/cybert-media.net
 delete mode 100644 data/powerdns/files/bind-zones/die-brontosaurier-waren-es.org
 delete mode 100644 data/powerdns/files/bind-zones/eskalation.jetzt
 delete mode 100644 data/powerdns/files/bind-zones/flauschehorn.sexy
 delete mode 100644 data/powerdns/files/bind-zones/kunsmann.eu
 delete mode 100644 data/powerdns/files/bind-zones/trans-agenda.de
 delete mode 100644 data/powerdns/files/bind-zones/trans-agenda.eu

diff --git a/data/powerdns/files/bind-zones/cybert-media.net b/data/powerdns/files/bind-zones/cybert-media.net
deleted file mode 100644
index 9ce2544..0000000
--- a/data/powerdns/files/bind-zones/cybert-media.net
+++ /dev/null
@@ -1,9 +0,0 @@
-${header}
-
-$ORIGIN cybert-media.net.
-
-@ IN A 159.69.11.231
- IN AAAA 2a01:4f8:c2c:c410::1
- IN TXT "v=spf1 a ~all"
-
-www IN CNAME cybert-media.net.

diff --git a/data/powerdns/files/bind-zones/die-brontosaurier-waren-es.org b/data/powerdns/files/bind-zones/die-brontosaurier-waren-es.org
deleted file mode 100644
index 8633268..0000000
--- a/data/powerdns/files/bind-zones/die-brontosaurier-waren-es.org +++ /dev/null @@ -1,9 +0,0 @@ -${header} - -$ORIGIN die-brontosaurier-waren-es.org. - -; ends up on rx300.kunbox.net -@ IN A 31.47.232.106 - IN AAAA 2a00:f820:528::2 - IN MX 10 rx300.kunbox.net. - IN TXT "v=spf1 mx ~all" diff --git a/data/powerdns/files/bind-zones/eskalation.jetzt b/data/powerdns/files/bind-zones/eskalation.jetzt deleted file mode 100644 index fc09ecc..0000000 --- a/data/powerdns/files/bind-zones/eskalation.jetzt +++ /dev/null @@ -1,9 +0,0 @@ -${header} - -$ORIGIN eskalation.jetzt. - - -queere IN NS ns1.athena7.eu. -queere IN NS ns2.athena7.eu. -queere IN NS ns3.athena7.eu. -queere IN NS ns4.athena7.eu. diff --git a/data/powerdns/files/bind-zones/flauschehorn.sexy b/data/powerdns/files/bind-zones/flauschehorn.sexy deleted file mode 100644 index accc22e..0000000 --- a/data/powerdns/files/bind-zones/flauschehorn.sexy +++ /dev/null @@ -1,15 +0,0 @@ -${header} - -$ORIGIN flauschehorn.sexy. - -@ IN A 5.189.140.103 - IN AAAA 2a02:c207:3002:8320:feed:f2c1:c0ff:ee - IN MX 10 rx300.kunbox.net. - IN TXT "v=spf1 mx ~all" - -_dmarc IN TXT "v=DMARC1; p=quarantine; rua=mailto:hostmaster@kunbox.net; ruf=mailto:postmaster@kunsmann.eu; fo=0:d:s; adkim=r; aspf=r" - -uO4aNejDvVdw8BKne3KJIqAvCQMJ0416._domainkey IN TXT ( "v=DKIM1; k=rsa; " - "p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnh5Ym9PO7r+wdOIKfopvHzn3KU3qT6IlCG/gvvbmIqoeFQfRbAe3gQmcG6RcLue55cJQGhI6y2r0lm59ZeoHR40aM+VabAOlplekM7xWmoXb/9vG2OZLIqAyF4I+7GQmTN6B9keBHp9SWtDUkI0B0G9neZ5MkXJP705M0duxritqQlb4YvCZwteHiyckKcg9aE9j+GF2EEawBoVDp" - "oveoB3+wgde3lWEUjjwKFtXNXxuN354o6jgXgPNWtIEdPMLfK/o0CaCjZNlzaLTsTegY/+67hdHFqDmm8zXO9s+Xiyfq7CVq21t7wDhQ2W1agj+up6lH82FMh5rZNxJ6XB0yQIDAQAB" -) ; diff --git a/data/powerdns/files/bind-zones/kunbox.net b/data/powerdns/files/bind-zones/kunbox.net index ba40c0b..f5555a6 100644 --- a/data/powerdns/files/bind-zones/kunbox.net +++ b/data/powerdns/files/bind-zones/kunbox.net 
@@ -10,6 +10,10 @@ $ORIGIN kunbox.net. IN MX 10 rx300 IN TXT "v=spf1 mx ~all" +; delegate acme stuff to psql-managed zone +_acme-challenge IN CNAME kunbox.net.le.kunbox.net +_acme-challenge.home IN CNAME home.kunbox.net.le.kunbox.net + ; Mail servers mta-sts IN CNAME rx300 diff --git a/data/powerdns/files/bind-zones/kunsmann.eu b/data/powerdns/files/bind-zones/kunsmann.eu deleted file mode 100644 index ed4ff73..0000000 --- a/data/powerdns/files/bind-zones/kunsmann.eu +++ /dev/null 
@@ -1,31 +0,0 @@ -${header} - -$ORIGIN kunsmann.eu. - -; ends up on rx300.kunbox.net -@ IN A 31.47.232.106 - IN AAAA 2a00:f820:528::2 - IN MX 10 rx300.kunbox.net. - IN TXT "v=spf1 mx ~all" - -git IN CNAME rx300.kunbox.net. -grafana IN CNAME influxdb.htz-cloud.kunbox.net. -icinga IN CNAME icinga2.ovh.kunbox.net. -influxdb IN CNAME influxdb.htz-cloud.kunbox.net. -luther-ps IN CNAME luther.htz-cloud.kunbox.net. -mta-sts IN CNAME rx300.kunbox.net. -statusmonitor.icinga IN CNAME icinga2.ovh.kunbox.net. - -_dmarc IN TXT "v=DMARC1; p=quarantine; rua=mailto:hostmaster@kunbox.net; ruf=mailto:postmaster@kunsmann.eu; fo=0:d:s; adkim=r; aspf=r" -_mta-sts IN TXT "v=STSv1;id=20201111;" -_smtp._tls IN TXT "v=TLSRPTv1;rua=mailto:hostmaster@kunbox.net" -_token._dnswl IN TXT "5mx0rv9ru8s1zz4tf4xlt48osh09czmg" - -2019._domainkey IN TXT ( "v=DKIM1; k=rsa; " - "p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwkg6UAcu3V98hal1UVf6yB0WT1CKDS0AK83CUlSP8bUwraPxkxK1nkQOUsmjbQs6a3FhdsKprMi32GeUaTVvZg81JIybPk3jNugfNWfSjs2TXPomYu+XD2pmmbR3cZlzC5NGR2nmBFt/P/S2ihPHj35KziiBIwK1TdvOi1M2+upCjK33Icco0ByCm0gJpD2O0cbqcBcUKqd6X440" - "vYhNXH1ygp0e91P0iRnvS9sg6yD0xjD8kD6j/8GfxBY+9bpU3EvDoBgyJSbjw5b6PUVJbKMXzw1NIRNj0SXKs5BakjS8+7u62vR11IPCYRwy+yr0rDT0tNegM7gStIIgoTpOoQIDAQAB" -) ; -uO4aNejDvVdw8BKne3KJIqAvCQMJ0416._domainkey IN TXT ( "v=DKIM1; k=rsa; " - "p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnh5Ym9PO7r+wdOIKfopvHzn3KU3qT6IlCG/gvvbmIqoeFQfRbAe3gQmcG6RcLue55cJQGhI6y2r0lm59ZeoHR40aM+VabAOlplekM7xWmoXb/9vG2OZLIqAyF4I+7GQmTN6B9keBHp9SWtDUkI0B0G9neZ5MkXJP705M0duxritqQlb4YvCZwteHiyckKcg9aE9j+GF2EEawBoVDp" - "oveoB3+wgde3lWEUjjwKFtXNXxuN354o6jgXgPNWtIEdPMLfK/o0CaCjZNlzaLTsTegY/+67hdHFqDmm8zXO9s+Xiyfq7CVq21t7wDhQ2W1agj+up6lH82FMh5rZNxJ6XB0yQIDAQAB" -) ; diff --git a/data/powerdns/files/bind-zones/trans-agenda.de b/data/powerdns/files/bind-zones/trans-agenda.de deleted file mode 100644 index 7da66d3..0000000 --- a/data/powerdns/files/bind-zones/trans-agenda.de +++ /dev/null 
@@ -1,4 +0,0 @@ -${header} - -$ORIGIN trans-agenda.de. - diff --git a/data/powerdns/files/bind-zones/trans-agenda.eu b/data/powerdns/files/bind-zones/trans-agenda.eu deleted file mode 100644 index 4c665ee..0000000 --- a/data/powerdns/files/bind-zones/trans-agenda.eu +++ /dev/null @@ -1,22 +0,0 @@ -${header} - -$ORIGIN trans-agenda.eu. - -@ IN MX 10 rx300.kunbox.net. - IN TXT "v=spf1 a mx ~all" - -mta-sts IN CNAME rx300.kunbox.net. - -_dmarc IN TXT "v=DMARC1; p=quarantine; rua=mailto:hostmaster@kunbox.net; ruf=mailto:postmaster@kunsmann.eu; fo=0:d:s; adkim=r; aspf=r" -_mta-sts IN TXT "v=STSv1;id=20201111;" -_smtp._tls IN TXT "v=TLSRPTv1;rua=mailto:hostmaster@kunbox.net" -_token._dnswl IN TXT "5mx0rv9ru8s1zz4tf4xlt48osh09czmg" - -2019._domainkey IN TXT ( "v=DKIM1; k=rsa; " - "p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwkg6UAcu3V98hal1UVf6yB0WT1CKDS0AK83CUlSP8bUwraPxkxK1nkQOUsmjbQs6a3FhdsKprMi32GeUaTVvZg81JIybPk3jNugfNWfSjs2TXPomYu+XD2pmmbR3cZlzC5NGR2nmBFt/P/S2ihPHj35KziiBIwK1TdvOi1M2+upCjK33Icco0ByCm0gJpD2O0cbqcBcUKqd6X440" - "vYhNXH1ygp0e91P0iRnvS9sg6yD0xjD8kD6j/8GfxBY+9bpU3EvDoBgyJSbjw5b6PUVJbKMXzw1NIRNj0SXKs5BakjS8+7u62vR11IPCYRwy+yr0rDT0tNegM7gStIIgoTpOoQIDAQAB" -) ; -uO4aNejDvVdw8BKne3KJIqAvCQMJ0416._domainkey IN TXT ( "v=DKIM1; k=rsa; " - "p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnh5Ym9PO7r+wdOIKfopvHzn3KU3qT6IlCG/gvvbmIqoeFQfRbAe3gQmcG6RcLue55cJQGhI6y2r0lm59ZeoHR40aM+VabAOlplekM7xWmoXb/9vG2OZLIqAyF4I+7GQmTN6B9keBHp9SWtDUkI0B0G9neZ5MkXJP705M0duxritqQlb4YvCZwteHiyckKcg9aE9j+GF2EEawBoVDp" - "oveoB3+wgde3lWEUjjwKFtXNXxuN354o6jgXgPNWtIEdPMLfK/o0CaCjZNlzaLTsTegY/+67hdHFqDmm8zXO9s+Xiyfq7CVq21t7wDhQ2W1agj+up6lH82FMh5rZNxJ6XB0yQIDAQAB" -) ; From cb2b01a2b48be7d02a2b1d31a54a667b5e8f733d Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 29 Jan 2023 08:56:13 +0100 Subject: [PATCH 37/80] dns: fix cname for acme-challenge --- data/powerdns/files/bind-zones/kunbox.net | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/data/powerdns/files/bind-zones/kunbox.net b/data/powerdns/files/bind-zones/kunbox.net
index f5555a6..d1280bb 100644
--- a/data/powerdns/files/bind-zones/kunbox.net
+++ b/data/powerdns/files/bind-zones/kunbox.net
@@ -11,8 +11,8 @@ $ORIGIN kunbox.net.
 IN TXT "v=spf1 mx ~all"
 ; delegate acme stuff to psql-managed zone
-_acme-challenge IN CNAME kunbox.net.le.kunbox.net
-_acme-challenge.home IN CNAME home.kunbox.net.le.kunbox.net
+_acme-challenge IN CNAME kunbox.net.le.kunbox.net.
+_acme-challenge.home IN CNAME home.kunbox.net.le.kunbox.net.
 ; Mail servers
 mta-sts IN CNAME rx300

From 74d44535a82434a0b2b893e3c2a58479432f9d48 Mon Sep 17 00:00:00 2001
From: Franziska Kunsmann
Date: Sun, 29 Jan 2023 09:11:02 +0100
Subject: [PATCH 38/80] dns: fix cname for acme-challenge

---
 data/powerdns/files/bind-zones/kunbox.net | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/data/powerdns/files/bind-zones/kunbox.net b/data/powerdns/files/bind-zones/kunbox.net
index d1280bb..4eec895 100644
--- a/data/powerdns/files/bind-zones/kunbox.net
+++ b/data/powerdns/files/bind-zones/kunbox.net
@@ -11,8 +11,8 @@ $ORIGIN kunbox.net.
 IN TXT "v=spf1 mx ~all"
 ; delegate acme stuff to psql-managed zone
-_acme-challenge IN CNAME kunbox.net.le.kunbox.net.
-_acme-challenge.home IN CNAME home.kunbox.net.le.kunbox.net.
+_acme-challenge IN CNAME _acme-challenge.kunbox.net.le.kunbox.net.
+_acme-challenge.home IN CNAME _acme-challenge.home.kunbox.net.le.kunbox.net.
 ; Mail servers
 mta-sts IN CNAME rx300

From 2e6e6b663e21531c0be728c75c73f91bb022b854 Mon Sep 17 00:00:00 2001
From: Franziska Kunsmann
Date: Sun, 29 Jan 2023 09:21:59 +0100
Subject: [PATCH 39/80] bundles/powerdns: also send out notify to all secondaries

---
 bundles/powerdns/items.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/bundles/powerdns/items.py b/bundles/powerdns/items.py
index 9444c2f..7b5da8a 100644
--- a/bundles/powerdns/items.py
+++ b/bundles/powerdns/items.py
@@ -78,7 +78,7 @@ svc_systemd = {
 actions = {
 'powerdns_reload_zones': {
 'triggered': True,
- 'command': 'pdns_control rediscover; pdns_control reload',
+ 'command': 'pdns_control rediscover; pdns_control reload; pdns_control notify \*',
 'needs': {
 'svc_systemd:pdns',
 },

From 932fd9e994cad8119a74f71a4d27dfda67f2d41e Mon Sep 17 00:00:00 2001
From: Franziska Kunsmann
Date: Sun, 29 Jan 2023 09:26:52 +0100
Subject: [PATCH 40/80] scripts/letsencrypt-wildcard: remove trailing dot from dns records

we're now using a delegated zone, thus this is wrong there

---
 scripts/letsencrypt-wildcard | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/scripts/letsencrypt-wildcard b/scripts/letsencrypt-wildcard
index 98eca7a..3d90231 100755
--- a/scripts/letsencrypt-wildcard
+++ b/scripts/letsencrypt-wildcard
@@ -39,7 +39,7 @@ then
 echo
 echo You must now provide this DNS record:
- echo "$(tput bold)_acme-challenge.$domain. IN TXT $token_value$(tput sgr0)"
+ echo "$(tput bold)_acme-challenge.$domain IN TXT $token_value$(tput sgr0)"
 echo
 echo "Hit ENTER once it's available."
 read

From a3218ac41f536d11ca867e82f4d588627477880a Mon Sep 17 00:00:00 2001
From: Franziska Kunsmann
Date: Sun, 29 Jan 2023 09:35:05 +0100
Subject: [PATCH 41/80] bundles/sshmon: fix hostname in check_forgejo_for_new_release

---
 bundles/sshmon/files/check_forgejo_for_new_release | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/bundles/sshmon/files/check_forgejo_for_new_release b/bundles/sshmon/files/check_forgejo_for_new_release
index 99fb18d..3db5bcd 100644
--- a/bundles/sshmon/files/check_forgejo_for_new_release
+++ b/bundles/sshmon/files/check_forgejo_for_new_release
@@ -55,8 +55,9 @@ try:
 exit(2)
 else:
 print(
- "Currently installed version {} matches newest release on github".format(
- current_version
+ "Currently installed version {} matches newest release on {}".format(
+ current_version,
+ host,
 )
 )
 exit(0)
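Review bot: The new command string `'pdns_control rediscover; pdns_control reload; pdns_control notify \*'` contains `\*`, which is not a valid Python escape sequence: CPython keeps the backslash (so the shell sees `\*` and pdns_control receives a literal `*`, which is what is wanted here) but emits a DeprecationWarning, and newer interpreter releases turn that into a SyntaxWarning. Spell it out explicitly, e.g. `'pdns_control rediscover; pdns_control reload; pdns_control notify \\*'`, or quote the asterisk for the shell as `"*"`. The `'unless'` string of the pgsql schema action in the same file (`"\dt"`, visible as a context line in an earlier hunk on this page) has the same problem and could be fixed in the same pass. The `actions` dict starts above this hunk.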
From 17aee0f6bb3a0e970f1b09b4deedeab24ac956c6 Mon Sep 17 00:00:00 2001
From: Franziska Kunsmann
Date: Sun, 29 Jan 2023 09:35:29 +0100
Subject: [PATCH 42/80] update gitea to forgejo 1.18.2-1

---
 bundles/gitea/items.py | 5 +----
 nodes/rx300.py | 5 +++--
 2 files changed, 4 insertions(+), 6 deletions(-)

diff --git a/bundles/gitea/items.py b/bundles/gitea/items.py
index 2e2f518..e071483 100644
--- a/bundles/gitea/items.py
+++ b/bundles/gitea/items.py
@@ -40,10 +40,7 @@ files = {
 },
 '/usr/local/bin/gitea': {
 'content_type': 'download',
- #'source': 'https://dl.gitea.io/gitea/{version}/gitea-{version}-linux-amd64'.format(version=node.metadata.get('gitea/version')),
- 'source': 'https://github.com/go-gitea/gitea/releases/download/v{version}/gitea-{version}-linux-amd64'.format(
- version=node.metadata.get('gitea/version'),
- ),
+ 'source': node.metadata.get('gitea/url'),
 'content_hash': node.metadata.get('gitea/sha1', None),
 'mode': '0755',
 'triggers': {

diff --git a/nodes/rx300.py b/nodes/rx300.py
index 56b8d7d..ba7d3ef 100644
--- a/nodes/rx300.py
+++ b/nodes/rx300.py
@@ -127,8 +127,9 @@ nodes['rx300'] = {
 },
 },
 'gitea': {
- 'version': '1.17.3',
- 'sha1': 'a78611a3e799150fbae3d45d2bd276d95ccffcd8',
+ 'version': '1.18.2-1',
+ 'url': 'https://codeberg.org/attachments/81b83949-c44b-44ec-a74b-ff9cead25dac',
+ 'sha1': 'b51cc44979f3df17403c709c8a4521f627763168',
 'domain': 'git.franzi.business',
 'email_domain_blocklist': {
 'aol.com',

From a8e2e6b5adc59e3f4b64ef1e2fc7d5b96ae1712a Mon Sep 17 00:00:00 2001
From: Franziska Kunsmann
Date: Sun, 29 Jan 2023 09:40:38 +0100
Subject: [PATCH 43/80] bundles/gitea: adjust config for 1.18

---
 bundles/gitea/files/app.ini | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/bundles/gitea/files/app.ini b/bundles/gitea/files/app.ini
index a904681..b55f210 100644
--- a/bundles/gitea/files/app.ini
+++ b/bundles/gitea/files/app.ini
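Review bot: `'content_hash': node.metadata.get('gitea/sha1', None)` still defaults to None, so a node that sets `gitea/url` but forgets `gitea/sha1` would install an executable (mode 0755) fetched from an arbitrary URL with no integrity check at all; now that the source is an unversioned attachment URL rather than a release-tagged one, the hash is the only thing tying the download to a known build. Dropping the default, `'content_hash': node.metadata.get('gitea/sha1'),`, makes a missing hash fail at apply time instead of silently skipping verification (assuming `metadata.get` without a default raises on a missing key, which the other lookups on this page appear to rely on). The rx300 hunk in this commit does set `sha1`, so the change is safe for the one node visible here. The `files` dict starts above this hunk.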
@@ -21,7 +21,6 @@ ROOT_URL = https://${domain}/
 DISABLE_SSH = false
 SSH_PORT = 22
 LFS_START_SERVER = true
-LFS_CONTENT_PATH = /var/lib/gitea/data/lfs
 LFS_JWT_SECRET = ${lfs_secret_key}
 OFFLINE_MODE = true
 START_SSH_SERVER = false
@@ -67,7 +66,7 @@ EMAIL_DOMAIN_BLOCKLIST = ${','.join(sorted(email_domain_blocklist))}

 [mailer]
 ENABLED = true
-MAILER_TYPE = sendmail
+PROTOCOL = sendmail
 FROM = "${app_name}"
 [session]

From f6b0c587d01d71e114f14e9a66d4dcfe29f52381 Mon Sep 17 00:00:00 2001
From: Franziska Kunsmann
Date: Sun, 29 Jan 2023 09:42:36 +0100
Subject: [PATCH 44/80] rename some gitea stuff to forgejo

---
 PORT_MAP.md | 2 +-
 bundles/gitea/metadata.py | 11 +++++------
 nodes/rx300.py | 2 +-
 3 files changed, 7 insertions(+), 8 deletions(-)

diff --git a/PORT_MAP.md b/PORT_MAP.md
index 7d9d4dc..a1725cb 100644
--- a/PORT_MAP.md
+++ b/PORT_MAP.md
@@ -36,7 +36,7 @@ Rule of thumb: keep ports below 10000 free for stuff that reserves ports.
 | 20090 | matrix-media-repo | prometheus metrics |
 | 21000 | pleroma | pleroma |
 | 21010 | grafana | grafana |
-| 22000 | gitea | gitea |
+| 22000 | gitea | forgejo |
 | 22010 | jenkins-ci | Jenkins CI |
 | 22020 | travelynx | Travelynx Web |
 | 22030 | octoprint | OctoPrint Web Interface |

diff --git a/bundles/gitea/metadata.py b/bundles/gitea/metadata.py
index 6785b4b..7a69b32 100644
--- a/bundles/gitea/metadata.py
+++ b/bundles/gitea/metadata.py
@@ -6,7 +6,7 @@ defaults = {
 },
 },
 'gitea': {
- 'app_name': 'Gitea',
+ 'app_name': 'Forgejo',
 'database': {
 'username': 'gitea',
 'password': repo.vault.password_for('{} postgresql gitea'.format(node.name)),
@@ -23,7 +23,7 @@ defaults = {
 'icinga2_api': {
 'gitea': {
 'services': {
- 'GITEA PROCESS': {
+ 'FORGEJO PROCESS': {
 'command_on_monitored_host': '/usr/local/share/icinga/plugins/check_systemd_unit gitea',
 },
 },
@@ -67,7 +67,7 @@ defaults = {


 @metadata_reactor.provides(
- 'nginx/vhosts/gitea',
+ 'nginx/vhosts/forgejo',
 )
 def nginx(metadata):
 if not node.has_bundle('nginx'):
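Review bot: Dropping `LFS_CONTENT_PATH = /var/lib/gitea/data/lfs` relies on the server's default LFS location resolving to that same directory; if `APP_DATA_PATH` (not visible in this hunk) is anything other than `/var/lib/gitea/data`, the existing LFS objects become unreachable after the upgrade while the service still starts cleanly. Since it is the key that is being retired rather than the path, I would replace it with the newer section form instead of deleting it, `[lfs]` followed by `PATH = /var/lib/gitea/data/lfs`, so the storage location stays explicit in the template. The `[mailer]` rename in the second hunk of this file raises nothing.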
@@ -76,7 +76,7 @@ def nginx(metadata): return { 'nginx': { 'vhosts': { - 'gitea': { + 'forgejo': { 'domain': metadata.get('gitea/domain'), 'locations': { '/': { @@ -102,8 +102,7 @@ def icinga_check_for_new_release(metadata): 'icinga2_api': { 'gitea': { 'services': { - 'GITEA UPDATE': { - # this is only temporary. We will switch to forgejo once they have their first stable release. + 'FORGEJO UPDATE': { 'command_on_monitored_host': '/usr/local/share/icinga/plugins/check_forgejo_for_new_release codeberg.org forgejo/forgejo v{}'.format(metadata.get('gitea/version')), 'vars.notification.mail': True, 'check_interval': '60m', diff --git a/nodes/rx300.py b/nodes/rx300.py index ba7d3ef..996644a 100644 --- a/nodes/rx300.py +++ b/nodes/rx300.py @@ -327,7 +327,7 @@ nodes['rx300'] = { }, 'vhosts': { 'element-web': {'ssl': '_.franzi.business'}, - 'gitea': {'ssl': '_.franzi.business'}, + 'forgejo': {'ssl': '_.franzi.business'}, 'jenkins-ci': {'ssl': '_.franzi.business'}, 'matrix-dimension': {'ssl': '_.franzi.business'}, 'matrix-synapse': {'ssl': '_.franzi.business'}, From 6cec7e2c9c9099f1813a1ab90a5577fb81cfc02c Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 29 Jan 2023 09:43:49 +0100 Subject: [PATCH 45/80] rx300: update element-web to 1.11.20 --- nodes/rx300.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nodes/rx300.py b/nodes/rx300.py index 996644a..d0f1235 100644 --- a/nodes/rx300.py +++ b/nodes/rx300.py @@ -104,7 +104,7 @@ nodes['rx300'] = { }, 'element-web': { 'url': 'chat.franzi.business', - 'version': 'v1.11.17', + 'version': 'v1.11.20', 'config': { 'default_server_config': { 'm.homeserver': { From 733e4bf0e5a0e8d7ffc97a2ceb7d4c346cd09b35 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 29 Jan 2023 09:44:09 +0100 Subject: [PATCH 46/80] rx300: update mautrix-whatsapp to 0.8.1 --- nodes/rx300.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/nodes/rx300.py b/nodes/rx300.py index d0f1235..f241846 100644 
--- a/nodes/rx300.py +++ b/nodes/rx300.py @@ -268,8 +268,8 @@ nodes['rx300'] = { }, }, 'mautrix-whatsapp': { - 'version': 'v0.8.0', - 'sha1': '4e561a96c8fae61edd8dee9abdd52b5146fa98b2', + 'version': 'v0.8.1', + 'sha1': '6c7645b83ed216786a25e9f45935a0170cf0b05c', 'homeserver': { 'domain': 'franzi.business', 'url': 'https://matrix.franzi.business', From 8df44410283b41bb39b31a84347554b576e42b66 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 29 Jan 2023 09:44:28 +0100 Subject: [PATCH 47/80] rx300: update netbox to 3.4.3 --- nodes/rx300.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nodes/rx300.py b/nodes/rx300.py index f241846..a815a65 100644 --- a/nodes/rx300.py +++ b/nodes/rx300.py @@ -306,7 +306,7 @@ nodes['rx300'] = { }, 'netbox': { 'domain': 'netbox.franzi.business', - 'version': 'v3.4.2', + 'version': 'v3.4.3', 'changelog_retention_days': 360, 'admins': { 'kunsi': 'hostmaster@kunbox.net', From 109914c0393e987141d31dd30505ce9cf52b035b Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 29 Jan 2023 10:04:47 +0100 Subject: [PATCH 48/80] bundles/powerdnsadmin: create virtualenv after packages are installed --- bundles/powerdnsadmin/items.py | 3 +++ 1 file changed, 3 insertions(+) diff --git a/bundles/powerdnsadmin/items.py b/bundles/powerdnsadmin/items.py index 3ccaecc..ea256ea 100644 --- a/bundles/powerdnsadmin/items.py +++ b/bundles/powerdnsadmin/items.py @@ -36,6 +36,9 @@ actions = { 'needs': { 'directory:/opt/powerdnsadmin', # provided by bundle:users }, + 'after': { + 'pkg_apt:', + }, }, 'powerdnsadmin_install_deps': { 'triggered': True, From 264ea3e8a743ac16469fd984eb479b7eaa208355 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 29 Jan 2023 10:13:26 +0100 Subject: [PATCH 49/80] bundles/systemd-networkd: remove isc-dhcp-client --- bundles/systemd-networkd/metadata.py | 3 +++ 1 file changed, 3 insertions(+) 
diff --git a/bundles/systemd-networkd/metadata.py b/bundles/systemd-networkd/metadata.py index 303e0f3..46cd893 100644 --- a/bundles/systemd-networkd/metadata.py +++ b/bundles/systemd-networkd/metadata.py @@ -1,6 +1,9 @@ defaults = { 'apt': { 'packages': { + 'isc-dhcp-client': { + 'installed': False, + }, 'resolvconf': { 'installed': False, }, From ef16a2d08104a382ccb496a64a07df8e105f0b48 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 29 Jan 2023 11:01:48 +0100 Subject: [PATCH 50/80] bundles/powerdns: rework zone file generation --- bundles/powerdns/items.py | 27 ++++++----------------- data/powerdns/files/bind-zones/kunbox.net | 12 +++++++++- 2 files changed, 18 insertions(+), 21 deletions(-) diff --git a/bundles/powerdns/items.py b/bundles/powerdns/items.py index 7b5da8a..2aad214 100644 --- a/bundles/powerdns/items.py +++ b/bundles/powerdns/items.py @@ -5,26 +5,12 @@ from subprocess import check_output zone_path = join(repo.path, 'data', 'powerdns', 'files', 'bind-zones') -ZONE_HEADER = """ -; _ ____ _ _ _____ _ _ _ _ ____ -; / \\ / ___| | | |_ _| | | | \\ | |/ ___| -; / _ \\| | | |_| | | | | | | | \\| | | _ -; / ___ \\ |___| _ | | | | |_| | |\\ | |_| | -; /_/ \\_\\____|_| |_| |_| \\___/|_| \\_|\\____| -; -; --> Diese Datei wird von BundleWrap verwaltet! <-- - -$TTL 60 -@ IN SOA ns-1.kunbox.net. hostmaster.kunbox.net. ( - {serial} - 3600 - 600 - 86400 - 300 - ) -""" +nameservers = set() for rnode in sorted(repo.nodes_in_group('dns')): - ZONE_HEADER += '@ IN NS {}.\n'.format(rnode.metadata.get('powerdns/my_hostname', rnode.metadata.get('hostname'))) + if not rnode.metadata.get('powerdns/is_secondary'): + # hide the primary nameserver from auto-generated nameserver lists + continue + nameservers.add(rnode.metadata.get('powerdns/my_hostname', rnode.metadata.get('hostname'))) directories = { '/etc/powerdns/pdns.d': { 
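Review bot: The new `nameservers` set can end up empty — every `dns` node whose `powerdns/is_secondary` is unset or false is skipped — and nothing stops the zone templates from then being rendered with no `@ IN NS` records, which publishes a zone with no NS set at all. Fail early instead: after the loop add `if not nameservers: raise Exception('no secondary nameservers found in group "dns"')` (or the repo's BundleError if it is in scope here). Also, `rnode.metadata.get('powerdns/is_secondary')` is called without a default, so a `dns` node that does not define the key will presumably raise during metadata resolution; if a missing key should mean "secondary", pass that default explicitly. The module-level code continues past this hunk.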
@@ -102,7 +88,8 @@ if node.metadata.get('powerdns/features/bind', False): files[f'/var/lib/powerdns/zones/{zone}'] = { 'content_type': 'mako', 'context': { - 'header': ZONE_HEADER.format(serial=serial), + 'NAMESERVERS': '\n'.join(sorted({f'@ IN NS {ns}.' for ns in nameservers})), + 'SERIAL': serial, 'metadata_records': node.metadata.get(f'powerdns/bind-zones/{zone}/records', []), }, 'source': f'bind-zones/{zone}', diff --git a/data/powerdns/files/bind-zones/kunbox.net b/data/powerdns/files/bind-zones/kunbox.net index 4eec895..25a0273 100644 --- a/data/powerdns/files/bind-zones/kunbox.net +++ b/data/powerdns/files/bind-zones/kunbox.net @@ -1,4 +1,14 @@ -${header} +$TTL 60 +@ IN SOA ns-primary.kunbox.net. hostmaster.kunbox.net. ( + ${SERIAL} + 3600 + 600 + 86400 + 300 + ) + + +${NAMESERVERS} $ORIGIN kunbox.net. From 55bebda4d4b52a46542ef3e8edacba600ec5556a Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 29 Jan 2023 11:02:49 +0100 Subject: [PATCH 51/80] bundles/powerdns: fix socket path for telegraf --- bundles/powerdns/metadata.py | 24 ++++++++++++++---------- 1 file changed, 14 insertions(+), 10 deletions(-) diff --git a/bundles/powerdns/metadata.py b/bundles/powerdns/metadata.py index 3cf5d4e..5a2cc41 100644 --- a/bundles/powerdns/metadata.py +++ b/bundles/powerdns/metadata.py @@ -43,7 +43,11 @@ if node.has_bundle('telegraf'): defaults['telegraf'] = { 'input_plugins': { 'builtin': { - 'powerdns': [{}], + 'powerdns': [{ + 'unix_sockets': [ + '/var/run/pdns/pdns.controlsocket', + ], + }], }, }, 'additional_groups': { 
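Review bot: The render context changes for every zone in `zone_path` (the `header` key is gone, `NAMESERVERS` and `SERIAL` are new), but the diffstat shows only the `kunbox.net` template being converted; any other zone file in `data/powerdns/files/bind-zones` that still contains `${header}` will presumably fail to render with an undefined-name error on the next apply. Either convert the remaining templates in the same commit or keep `'header'` in the context for one release, e.g. `'header': f'$TTL 60\n@ IN SOA ...\n{nameserver_lines}',`, so the two formats coexist. A comment above the `files[...]` item naming the keys a zone template may use would make the contract visible to whoever adds the next zone. The `for zone ...` loop this hunk belongs to starts before the hunk.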
@@ -186,16 +190,16 @@ def hosts_entries_for_all_dns_servers(metadata): if rnode.name == node.name: continue - ip = rnode.metadata.get('external_ipv4') + found_ips = repo.libs.tools.resolve_identifier(repo, rnode.name) + for ip in sorted(found_ips['ipv4']): + if not ip.is_private: + entries[str(ip)] = { + rnode.metadata.get('hostname'), + rnode.name, + } - if ip: - entries[ip] = { - rnode.metadata.get('hostname'), - rnode.name, - } - - if rnode.metadata.get('powerdns/my_hostname', None): - entries[ip].add(rnode.metadata.get('powerdns/my_hostname')) + if rnode.metadata.get('powerdns/my_hostname', None): + entries[str(ip)].add(rnode.metadata.get('powerdns/my_hostname')) return { 'hosts': { From 7bd8237876f651221e4dc127c31aa1d6c645c269 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 29 Jan 2023 11:03:38 +0100 Subject: [PATCH 52/80] bashrc: add 'ipa' alias --- bundles/users/files/bashrc | 1 + 1 file changed, 1 insertion(+) diff --git a/bundles/users/files/bashrc b/bundles/users/files/bashrc index 0a21add..2b2729d 100644 --- a/bundles/users/files/bashrc +++ b/bundles/users/files/bashrc @@ -36,6 +36,7 @@ export EDITOR=vim export VISUAL=vim alias ipb='ip -brief --color=auto' +alias ipa='ip -brief --color=always addr show; echo; ip --color=always route show; ip -6 --color=always route show' alias l='ls -lAh' alias s='sudo -i' alias v='vim -p' From eeceebfd2351f9b90a7521e57b91ce33a5641b63 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 29 Jan 2023 11:05:57 +0100 Subject: [PATCH 53/80] dns: add new primary nameserver --- data/backup/keys/ns-primary.key.vault | 1 + data/backup/keys/ns-primary.pub | 1 + nodes/gce/bind01.py | 28 ----------------- nodes/ns-primary.toml | 43 +++++++++++++++++++++++++++ 4 files changed, 45 insertions(+), 28 deletions(-) create mode 100644 data/backup/keys/ns-primary.key.vault create mode 100644 data/backup/keys/ns-primary.pub create mode 100644 nodes/ns-primary.toml 
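Review bot: `if not ip.is_private` is a weaker filter than intended: `ipaddress` does not classify the shared address space 100.64.0.0/10 (carrier-grade NAT) as private, so such an address returned by `resolve_identifier` would be written into `/etc/hosts` as the public address of a nameserver. Use `if not ip.is_global: continue`, which excludes every non-routable range in one check. The loop also only walks `found_ips['ipv4']`, so a `dns` node reachable only over IPv6 gets no hosts entry at all — presumably intended, since the old code used `external_ipv4`, but worth a comment such as `# IPv4 only: hosts entries back the AXFR/NOTIFY addresses, which are v4 here` if that is the reason. The function `hosts_entries_for_all_dns_servers` starts before this hunk.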
diff --git a/data/backup/keys/ns-primary.key.vault b/data/backup/keys/ns-primary.key.vault new file mode 100644 index 0000000..52bb656 --- /dev/null +++ b/data/backup/keys/ns-primary.key.vault @@ -0,0 +1 @@ +encrypt$gAAAAABj1jTasX0XOFRWh7F0pxNgMoJIjrblvqOM8ohGVCsvVyMEQDiOmGaJCs9lW-lbeghlzRpiC8P7CNot6OOeNXBYWmxN_HgN3J2p6Q5-XoSJ62NUJWQNRNNENuiN1Yy0g0MREk4gVsNh8-VeoXuKgyLEXJQJI-SYLzl8faZoBnQGTK4FbTAiN6KSB4EbTPwxx-8dYp8kNIj4ipBjkQKNu-mXuVvdnf5fTUwTCQx6rz7yjlp7DOPuSJDASg5bE33dd8gt89grW5vBKeEnQsi7hpJCJF5vNfRay89IKfjf6UqxJHKCmS2tIWQ9Kz4Tv41MnNR0-jvnULq7TWcnqwo_SKb8JRLUA3dH2wLiOUu7aApYSkeSNiul2ILCtBPsjY_eWzqdd3tkpJBErOcFVe2mdjVRSIUOXTM_T3nNWCJgn5TxD4qbHklZoCaM6Ey9P_yQj-sSRGizgcDhGiqY8xJNmwbWz9IH5a_Fs6iRVhAh6VzSa1ZAKxcum87dj-KVA_SjG9hy7Dy28xK0D4NoSpYFOkEz4VHpa1tP0t8QJ2WtQiw-qjHFzokkIINEUKUPIBg6t_5oedJ24YMnyyzBZ2_uQ1HFVFjBx-7Iw73bTPNluVwXkobzEnrYFwDsEXGE6tR0HjbteNxj \ No newline at end of file diff --git a/data/backup/keys/ns-primary.pub b/data/backup/keys/ns-primary.pub new file mode 100644 index 0000000..442d8b9 --- /dev/null +++ b/data/backup/keys/ns-primary.pub @@ -0,0 +1 @@ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL+FCn1sWP74+lVAyaXDpXxCCauh6LC2KEJmIMhDEYvJ kunsi@kunsi-p14s.kunbox.net diff --git a/nodes/gce/bind01.py b/nodes/gce/bind01.py index 1575237..7239082 100644 --- a/nodes/gce/bind01.py +++ b/nodes/gce/bind01.py @@ -3,19 +3,12 @@ nodes['gce.bind01'] = { 'hostname': '34.89.208.78', - 'bundles': { - 'nodejs', - 'powerdnsadmin', - }, 'groups': { 'debian-bullseye', 'dns', - 'webserver', }, 'metadata': { 'backups': { - # This is the primary DNS server. However, we only use - # replication for DynDNS, currently. No need for backups here. 'exclude_from_backups': True, }, 'interfaces': { 
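Review bot: The comment on the new backup key, `kunsi@kunsi-p14s.kunbox.net`, identifies the workstation the keypair was generated on rather than the node that will use it, so in the backup server's authorized_keys the key is not recognisable as ns-primary's. Replace the trailing comment with something like `ns-primary backup key`; the comment is not part of the key material, so this does not require re-keying. Since the private half evidently existed on that workstation before being vault-encrypted, it is worth confirming the plaintext copy was removed there.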
@@ -30,33 +23,12 @@ nodes['gce.bind01'] = { 'icinga_options': { 'pretty_name': 'ns-1.kunbox.net', }, - 'nginx': { - 'vhosts': { - 'ns-1.kunbox.net': { - 'locations': { - '/': { - 'target': 'http://127.0.0.1:8000/', - }, - }, - 'website_check_path': '/login', - 'website_check_string': 'PowerDNS', - }, - }, - }, 'postgresql': { 'version': '15', }, 'powerdns': { - 'features': { - 'bind': True, - }, - 'is_secondary': False, - 'secondary_nameservers': 'dns', 'my_hostname': 'ns-1.kunbox.net', }, - 'powerdnsadmin': { - 'version': 'v0.3.0', - }, 'vm': { 'cpu': 1, 'ram': 1, diff --git a/nodes/ns-primary.toml b/nodes/ns-primary.toml new file mode 100644 index 0000000..885b1f2 --- /dev/null +++ b/nodes/ns-primary.toml @@ -0,0 +1,43 @@ +hostname = "82.165.52.168" +bundles = [ + "nodejs", + "powerdnsadmin", +] +groups = [ + "debian-bullseye", + "dns", + "webserver", +] + +[metadata.interfaces.ens192] +ips = [ + "82.165.52.168", + "2001:8d8:1801:7d4::1/64", +] +gateway4 = "10.255.255.1" +gateway6 = "fe80::250:56ff:fea8:628f" + +[metadata.icinga_options] +pretty_name = "ns-primary.kunbox.net" + +[metadata.nginx.vhosts."ns-primary.kunbox.net"] +website_check_path = "/login" +website_check_string = "PowerDNS" + +[metadata.nginx.vhosts."ns-primary.kunbox.net".locations."/"] +target = "http://127.0.0.1:8000/" + +[metadata.postgresql] +version = "15" + +[metadata.powerdns] +is_secondary = false +secondary_nameservers = "dns" +features.bind = true + +[metadata.powerdnsadmin] +version = "v0.3.0" + +[metadata.vm] +cpu = 2 +ram = 2 From 53e189c644017fb5b799b68b2120773873714054 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 29 Jan 2023 11:14:31 +0100 Subject: [PATCH 54/80] ssl: bump _.home.kunbox.net --- data/ssl/_.home.kunbox.net.crt.pem | 36 ++++++++++++------------ data/ssl/_.home.kunbox.net.key.pem.vault | 2 +- 2 files changed, 19 insertions(+), 19 deletions(-) 
diff --git a/data/ssl/_.home.kunbox.net.crt.pem b/data/ssl/_.home.kunbox.net.crt.pem index 317b57b..7449694 100644 --- a/data/ssl/_.home.kunbox.net.crt.pem +++ b/data/ssl/_.home.kunbox.net.crt.pem 
@@ -1,27 +1,27 @@ -----BEGIN CERTIFICATE----- -MIIEijCCA3KgAwIBAgISA7oUZzeuZgmxMvP1zm5RtCGYMA0GCSqGSIb3DQEBCwUA +MIIEijCCA3KgAwIBAgISA28YyqkbxYen4u/lcNEqBY7lMA0GCSqGSIb3DQEBCwUA MDIxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQD -EwJSMzAeFw0yMjExMDYwNjA3MTdaFw0yMzAyMDQwNjA3MTZaMBoxGDAWBgNVBAMT -D2hvbWUua3VuYm94Lm5ldDB2MBAGByqGSM49AgEGBSuBBAAiA2IABDcmJYSIKimG -w9hUy0guhMoubPJ+QcSioL4TjuqKmgVCXXEHzkGuaCQTwRX7BiHOyH+3nqcm7N1x -qF5rucOxJoKgGW40ZjemdWAVDGYm3euEU0Td0V+L6z/L/cWe25YwoKOCAl4wggJa +EwJSMzAeFw0yMzAxMjkwOTE0MjZaFw0yMzA0MjkwOTE0MjVaMBoxGDAWBgNVBAMT +D2hvbWUua3VuYm94Lm5ldDB2MBAGByqGSM49AgEGBSuBBAAiA2IABCsS8YhWoIvn +yMOjY8LtjQ8+Pa58DBckQ1lnktMo1T3bfwxMxTGH+iYdOT4kHWOen6aNzdXqrerA +YjTN/MRBCR8tMZglzmshUG7qpzI/s89QSL6+KoCV5Pl0mEWLSvrLFKOCAl4wggJa MA4GA1UdDwEB/wQEAwIHgDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIw -DAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQUJkY/Eq6HUOrPZyW+Y+4/uiG0/8swHwYD +DAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQUtCIXQGA7PP7mGdMLuN3nYsynu4wwHwYD VR0jBBgwFoAUFC6zF7dYVsuuUAlA5h+vnYsUwsYwVQYIKwYBBQUHAQEESTBHMCEG CCsGAQUFBzABhhVodHRwOi8vcjMuby5sZW5jci5vcmcwIgYIKwYBBQUHMAKGFmh0 dHA6Ly9yMy5pLmxlbmNyLm9yZy8wLQYDVR0RBCYwJIIRKi5ob21lLmt1bmJveC5u ZXSCD2hvbWUua3VuYm94Lm5ldDBMBgNVHSAERTBDMAgGBmeBDAECATA3BgsrBgEE AYLfEwEBATAoMCYGCCsGAQUFBwIBFhpodHRwOi8vY3BzLmxldHNlbmNyeXB0Lm9y -ZzCCAQUGCisGAQQB1nkCBAIEgfYEgfMA8QB3AK33vvp8/xDIi509nB4+GGq0Zyld -z7EMJMqFhjTr3IKKAAABhEvD2XwAAAQDAEgwRgIhAMzxM2rXgjZDrPm6jKHUS4u3 -BxokYdBgO63klZ5iuEyLAiEAinyT+YKDotIyWcUHvl0tpANYq+XlJaELvg7aCcwj -3MgAdgC3Pvsk35xNunXyOcW6WPRsXfxCz3qfNcSeHQmBJe20mQAAAYRLw9tCAAAE -AwBHMEUCIQDTNayLb2lW5oNnj1bJaqbcOnjOktsPSYUGaokd6iBeUQIgOak7kR7e -rAvW3CwA1QSZgqRHLn86UFfGc0pVHNDb3e4wDQYJKoZIhvcNAQELBQADggEBABdr -R6NgzfgNT2WVTpZOpgLEPO58WKBEofMtVTRDjDKinSvDUFRhJAEjoXKxZXtEG+yH -VhGGLcmh+6mn8+8yz1qEngA3uGiHS533aOUbP3cCbfqRCeuKMS+5ojjOlKb3xZj4 -uRGvxw90wY3RYwn8k3/beEs+TaNnFU+NtBwScy+/8aRHG5rBQjdBWZHpcB4/wT0V -cLakTharwRHVw11GFlEk60k2JMEtCLkBjKq/CpbusQZHd1uVyzhWC802lWRqY4nq 
-YTO3Z8FNRGOaHVcydX6wMlQg/t+1hYgCC6HWhuOf8AOr+kkg4zSdv0YvAYuOzY8X -sc1/2y3z9deYm4qHw/w= +ZzCCAQUGCisGAQQB1nkCBAIEgfYEgfMA8QB2ALc++yTfnE26dfI5xbpY9Gxd/ELP +ep81xJ4dCYEl7bSZAAABhf0FYYAAAAQDAEcwRQIgLCh9130fH81/vY6Ps7inMh3l +GEM8GPiDEHk68oq2R9wCIQCnHdc9Seo+qTRnc6DcoKvyC9azNFEZBiikMgoIJkyq +6gB3AHoyjFTYty22IOo44FIe6YQWcDIThU070ivBOlejUutSAAABhf0FYZgAAAQD +AEgwRgIhAM3M2KLdUfIiqVgaMqIH1ust2lUjR10gwN8juONeXZoMAiEA2KArQKYG +GbhN/dWqht+So4Ni3/K5Vwcfb91ewthPR6swDQYJKoZIhvcNAQELBQADggEBALhs +LaBZ27UoZOqukblSD8EyoLnJ3Cplg1r3J9+e4QNzySjsDpYr/w+Y4mUT/nGAGgGL +4b1cHD57XnQB1yvB3Dv9aowg+Udo4eTNY41FMgouYhYFowi5gWYoQhpIFOpwvd0v +Cmrl4PPta2Ytbg/FMNxOt47E0sUL2zASMCKTKcPsIpcpEG7w8jBGcCX7e3NCG36z +K4jZqW3Pd3BZe1e7ywUyF/SSw38Pv1rFbBxuSh+kDjQfcOWN75oOyyKgcLsGBxfy +850WclzgMTnRRlZGaiUTVQ7uPkB44DIhTT6afxPMDKrtRLkd5LHownE3NPUTyfDx +cK9weiaIniziAnEjUr4= -----END CERTIFICATE----- diff --git a/data/ssl/_.home.kunbox.net.key.pem.vault b/data/ssl/_.home.kunbox.net.key.pem.vault index 6dd0aa4..f3cc906 100644 --- a/data/ssl/_.home.kunbox.net.key.pem.vault +++ b/data/ssl/_.home.kunbox.net.key.pem.vault 
@@ -1 +1 @@ -encrypt$gAAAAABjZ10mtywN2Tx7b0-sZywDVcNo5gQbnzjwlMjQPktMwmRBwGMbQVcwuGhhopu5vd4Ztw8aGO5lf-SQmLWgdpR4aIrPNx1Iu4urF2LMV-BMLSgmF85ADQzlbiBvrzGAnIoVUjwXYyGj1Wst4feWMKBDc_kThinYhSplMZ_yjEbMj0eMGRzjSclkvAm24KWi7l_LQAklRELuQQyopHDo47AxehNI-nvLfO0FfXZJpkdrMV1V8lSqyXwBSW3McJKH8bbmVEX8qq-mNntBNpe3n5V2ninj72aC0D572hfMp-jKC6xccf-CqnmX1qaWGGj1yiFDdBxfOSU-kO6204BVtfspMtkI75YAYE_7aA-GUiHfXaNHvDhf2uMb8ssbJUdvGS_oLx1qnKiyeyJ6RRhl71xxXjNEo0hPYYY1BGj6hjq30R8aGknkQNCjyCD87Sc7qh95KpMmY4d82xI70xeS4mk8hEgCow== \ No newline at end of file +encrypt$gAAAAABj1kcBpq8c_Ez3JkYJIB0evClkcblewwzBEbl4rfcd-3Z2xFlQ8OggIxGdlLGWjIN_ZBaENvXcqy4ZYlwpXgqrZJpBao8WyovZiKLK759r8qVRjbIBvHnH90t_JZ3-MydlpD1mUzHUy5oQq5Qn8jLoRTzHE2TM8VyhaBkMVQ9gacHdqNGW6dsvCRzXCQM1CNqs8pyc8nQxdARjv_FGwSeZlCxcYPSLEBeE-Hf-wJyVWnG7oyq9XKUyI8NWLPQNwWUjzMgKwumtDh21goRsSRAtLLFmqE_iU1IyZYwNh4J3SBMZKBl0fATtHXhnW1_k-RA1-l54PFMTR0KgS-uxYtqZ1Az0t1KEfEvyzfHAQLJ8RIwOOVtPNUvhSiMHr3jG0WpxymilOLfjFpnCZ8E_CA6L8hmytXEBfoM4ZHMCWzOIe_9tIKcMS146NOzaPnCXpKFganNuvV_S7zEn33zv-jYEHD4d8A== \ No newline at end of file From 527181bba82bd70030959724a38ac5f5da85ec71 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 29 Jan 2023 11:15:59 +0100 Subject: [PATCH 55/80] home.router: fix dyndns hostname --- nodes/home/router.py | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/nodes/home/router.py b/nodes/home/router.py index d033c1c..d7a7d20 100644 --- a/nodes/home/router.py +++ b/nodes/home/router.py 
@@ -133,13 +133,13 @@ nodes['home.router'] = { 'interface': 'enp1s0.100', 'dyndns': { 'domain': 'franzi-home.kunbox.net', - 'url': 'https://ns-1.kunbox.net/nic/update?hostname=franzi-home.kunbox.net&myip={ip}', + 'url': 'https://ns-primary.kunbox.net/nic/update?hostname=franzi-home.kunbox.net&myip={ip}', 'username': vault.decrypt('encrypt$gAAAAABfr8DLAJhmUIhdxLq83I8MnRRvkRgDZcO8Brvw1KpvplC3K8ZGj0jIIWD3Us33vIP6t0ybd_mgD8slpRUk78Kqd3BMoQ=='), 'password': vault.decrypt('encrypt$gAAAAABfr8Cq5M1hweeJTQAl0dLhFntdlw-QnkIYUQpY-_ycODVWOpyeAwjwOgWLSdsdXIUvqcoiXPZPV-BE12p5C42NGnj9r7sKYpoGz8xfuGIk6haMa2g='), }, 'nftables-rules.d': { - 'inet filter forward iif enp1s0.23 oif $INTERFACE accept', - 'inet filter forward iif enp1s0.42 accept', + 'inet filter forward iifname enp1s0.23 oif $INTERFACE accept', + 'inet filter forward iifname enp1s0.42 accept', }, }, 'unbound': { From 077b25f67eaf39e84025502201c9426f4c6ee3f9 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Thu, 2 Feb 2023 19:29:28 +0100 Subject: [PATCH 56/80] bundles/miniflux: repo has changed ... also now everything is unsigned, yeaaaaaaaaaaaah --- bundles/miniflux/metadata.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/bundles/miniflux/metadata.py b/bundles/miniflux/metadata.py index 8c51627..b14fd15 100644 --- a/bundles/miniflux/metadata.py +++ b/bundles/miniflux/metadata.py @@ -6,7 +6,7 @@ defaults = { 'repos': { 'miniflux': { 'items': { - 'deb https://apt.miniflux.app/ /', + 'deb [trusted=yes] https://repo.miniflux.app/apt/ /', }, }, }, From 7dcad0d58459489066298a77e93a7a6ea2465ce6 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sat, 4 Feb 2023 16:30:53 +0100 Subject: [PATCH 57/80] update element-web to 1.11.22 --- nodes/htz-cloud/miniserver.py | 2 +- nodes/rx300.py | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/nodes/htz-cloud/miniserver.py b/nodes/htz-cloud/miniserver.py index 2def17e..6868583 100644 --- a/nodes/htz-cloud/miniserver.py 
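Review bot: The first rule still uses `oif $INTERFACE` while the input side was switched to `iifname`; `iif`/`oif` resolve to an interface index when the ruleset is loaded, which is exactly what fails for interfaces that do not exist yet or get re-created (VLAN sub-interfaces, and presumably the PPP device `$INTERFACE` stands for), so the outbound match needs the same fix: `'inet filter forward iifname enp1s0.23 oifname $INTERFACE accept',`. Whether `$INTERFACE` is an nft define or a name substituted by the pppd bundle is not visible here; `oifname` works in either case as long as the value is the device name.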
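Review bot: `[trusted=yes]` switches off apt's signature verification for this source, so every package it offers is installed as root on the sole strength of the TLS connection to repo.miniflux.app, and because the source is unpinned it can also supply replacement versions of any package already on the system. If upstream really ships no signing key, limit the blast radius with an apt preferences entry that lets this origin provide only miniflux — `Package: *` / `Pin: origin repo.miniflux.app` / `Pin-Priority: 1`, plus a second stanza pinning `Package: miniflux` to priority 500 — or install the .deb by hash the way the woodpecker and gitea bundles do. At minimum record the decision next to the line, `# upstream repo is unsigned as of 2023-02; see apt preferences pin`, so the exception is not copied elsewhere unnoticed.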
+++ b/nodes/htz-cloud/miniserver.py @@ -62,7 +62,7 @@ nodes['htz-cloud.miniserver'] = { }, 'element-web': { 'url': 'chat.sophies-kitchen.eu', - 'version': 'v1.11.20', + 'version': 'v1.11.22', 'config': { 'default_server_config': { 'm.homeserver': { diff --git a/nodes/rx300.py b/nodes/rx300.py index a815a65..3fea25f 100644 --- a/nodes/rx300.py +++ b/nodes/rx300.py @@ -104,7 +104,7 @@ nodes['rx300'] = { }, 'element-web': { 'url': 'chat.franzi.business', - 'version': 'v1.11.20', + 'version': 'v1.11.22', 'config': { 'default_server_config': { 'm.homeserver': { From 1906e7c25689bc1be6c3da4ba67331cf6715c3b6 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 5 Feb 2023 17:24:50 +0100 Subject: [PATCH 58/80] bundles/gitea: derive version number from installed gitea --- bundles/gitea/metadata.py | 16 +++++----------- 1 file changed, 5 insertions(+), 11 deletions(-) diff --git a/bundles/gitea/metadata.py b/bundles/gitea/metadata.py index 7a69b32..2b9bcbe 100644 --- a/bundles/gitea/metadata.py +++ b/bundles/gitea/metadata.py @@ -26,6 +26,11 @@ defaults = { 'FORGEJO PROCESS': { 'command_on_monitored_host': '/usr/local/share/icinga/plugins/check_systemd_unit gitea', }, + 'FORGEJO UPDATE': { + 'command_on_monitored_host': '/usr/local/share/icinga/plugins/check_forgejo_for_new_release codeberg.org forgejo/forgejo v$(gitea --version | cut -d" " -f3)', + 'vars.notification.mail': True, + 'check_interval': '60m', + }, }, }, }, @@ -99,15 +104,4 @@ def nginx(metadata): ) def icinga_check_for_new_release(metadata): return { - 'icinga2_api': { - 'gitea': { - 'services': { - 'FORGEJO UPDATE': { - 'command_on_monitored_host': '/usr/local/share/icinga/plugins/check_forgejo_for_new_release codeberg.org forgejo/forgejo v{}'.format(metadata.get('gitea/version')), - 'vars.notification.mail': True, - 'check_interval': '60m', - }, - }, - }, - }, } From bb1b430d162258631c8e0a837c57c87d25ccf363 Mon Sep 17 00:00:00 2001 
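Review bot: The new `FORGEJO UPDATE` command embeds a shell substitution, `v$(gitea --version | cut -d" " -f3)`, which only yields a version if the check command is executed through a shell on the monitored host; if the plugin is invoked without a shell the literal `$(...)` is passed as the version argument, and if `gitea --version` fails the argument collapses to a bare `v`. Whether sshmon runs commands through a shell is not visible here, so either confirm that or add a comment on the line stating the assumption, e.g. `# relies on the check being run via "sh -c" on the target`.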
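Review bot: `icinga_check_for_new_release` is now a reactor whose entire body is `return {}` — the service it produced moved into `defaults` in the preceding hunk — so the function and its `@metadata_reactor.provides(...)` decorator (just above the hunk) are dead code that still registers a reactor run on every metadata build and still claims to provide a key it no longer sets. Delete both rather than leaving an empty reactor behind; the `nginx` reactor above is unaffected.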
From: Franziska Kunsmann Date: Sun, 5 Feb 2023 17:25:18 +0100 Subject: [PATCH 59/80] rx300: update forgejo to 1.18.3-0 --- nodes/rx300.py | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/nodes/rx300.py b/nodes/rx300.py index 3fea25f..c3c569c 100644 --- a/nodes/rx300.py +++ b/nodes/rx300.py @@ -127,9 +127,8 @@ nodes['rx300'] = { }, }, 'gitea': { - 'version': '1.18.2-1', - 'url': 'https://codeberg.org/attachments/81b83949-c44b-44ec-a74b-ff9cead25dac', - 'sha1': 'b51cc44979f3df17403c709c8a4521f627763168', + 'url': 'https://codeberg.org/attachments/af34fbfc-d651-41b1-aaff-2b9cc7134051', + 'sha1': '9560cf3f84031583d374cef57d20d6da8c07a2f6', 'domain': 'git.franzi.business', 'email_domain_blocklist': { 'aol.com', From 6f9fb78d4e2d25d15017fb1dd5020b19eaf02fe6 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 5 Feb 2023 17:25:37 +0100 Subject: [PATCH 60/80] rx300: update netbox to 3.4.4 --- nodes/rx300.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nodes/rx300.py b/nodes/rx300.py index c3c569c..26b3799 100644 --- a/nodes/rx300.py +++ b/nodes/rx300.py @@ -305,7 +305,7 @@ nodes['rx300'] = { }, 'netbox': { 'domain': 'netbox.franzi.business', - 'version': 'v3.4.3', + 'version': 'v3.4.4', 'changelog_retention_days': 360, 'admins': { 'kunsi': 'hostmaster@kunbox.net', From 429bc2a7c605151e50b022d416f3212e3f23d02d Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 5 Feb 2023 17:28:52 +0100 Subject: [PATCH 61/80] bundles/homeassistant: fix .provides() --- bundles/homeassistant/metadata.py | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/bundles/homeassistant/metadata.py b/bundles/homeassistant/metadata.py index feb1cd1..0b41f39 100644 --- a/bundles/homeassistant/metadata.py +++ b/bundles/homeassistant/metadata.py @@ -1,5 +1,3 @@ -from bundlewrap.metadata import atomic - defaults = { 'apt': { 'packages': { 
@@ -25,7 +23,7 @@ defaults = { }, } @metadata_reactor.provides( - 'icinga2_api/homeassistant/services/HOMESSISTANT UPDATE', + 'icinga2_api/homeassistant/services', ) def icinga_check_for_new_release(metadata): return { From 4122a7ccf83de478663797e5d45e83845aee45d9 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 5 Feb 2023 17:30:58 +0100 Subject: [PATCH 62/80] isort the repo --- bundles/backup-server/items.py | 1 + bundles/bird/metadata.py | 1 + bundles/icinga2/files/check_freifunk_node | 3 ++- bundles/icinga2/files/check_sipgate_account_balance | 3 ++- bundles/icinga2/files/check_spam_blocklist | 4 +--- bundles/icinga2/files/scripts/icinga_notification_wrapper | 3 ++- bundles/matrix-synapse/files/synapse-purge-unused-rooms | 2 +- bundles/mosquitto/files/tasmota-telegraf-plugin | 1 - bundles/mosquitto/metadata.py | 1 - bundles/octoprint/files/check_octoprint_update | 3 ++- bundles/postfix/files/postfix-telegraf-queue | 1 - bundles/powerdns/metadata.py | 2 +- bundles/pppd/files/dyndns | 3 ++- bundles/pretalx/files/pretalx-administrators-from-group | 3 ++- bundles/rspamd/files/telegraf-rspamd-plugin | 3 ++- bundles/smartd/files/telegraf_plugin | 2 +- bundles/sshmon/files/check_http_wget | 2 +- bundles/sshmon/files/check_mounts | 1 - bundles/users/items.py | 2 +- bundles/wireguard/metadata.py | 1 - bundles/zfs/files/check_zpool_space | 2 +- bundles/zfs/files/zfs-auto-snapshot | 1 - bundles/zfs/items.py | 1 - hooks/test_backup_metadata.py | 1 + hooks/test_metadata_dashes_vs_underscores.py | 1 + libs/faults.py | 2 +- libs/firewall.py | 2 +- libs/keys.py | 5 ++++- libs/tools.py | 5 +++-- nodes.py | 1 + scripts/encrypt_file | 1 - scripts/list-all-ips | 1 - scripts/passwords-for | 3 +-- 33 files changed, 36 insertions(+), 32 deletions(-) diff --git a/bundles/backup-server/items.py b/bundles/backup-server/items.py index c70512c..11d0624 100644 --- a/bundles/backup-server/items.py +++ b/bundles/backup-server/items.py 
@@ -1,6 +1,7 @@ repo.libs.tools.require_bundle(node, 'zfs') from os.path import join + from bundlewrap.metadata import metadata_to_json dataset = node.metadata.get('backup-server/zfs-base') diff --git a/bundles/bird/metadata.py b/bundles/bird/metadata.py index fd285d3..a5547d4 100644 --- a/bundles/bird/metadata.py +++ b/bundles/bird/metadata.py @@ -1,4 +1,5 @@ from ipaddress import ip_network + from bundlewrap.exceptions import NoSuchNode from bundlewrap.metadata import atomic diff --git a/bundles/icinga2/files/check_freifunk_node b/bundles/icinga2/files/check_freifunk_node index 2723f13..22725b7 100644 --- a/bundles/icinga2/files/check_freifunk_node +++ b/bundles/icinga2/files/check_freifunk_node @@ -1,8 +1,9 @@ #!/usr/bin/env python3 -from requests import get from sys import argv, exit +from requests import get + meshviewer_url = argv[1] node_id = argv[2] node = None diff --git a/bundles/icinga2/files/check_sipgate_account_balance b/bundles/icinga2/files/check_sipgate_account_balance index 8e8ce2d..843dfd9 100644 --- a/bundles/icinga2/files/check_sipgate_account_balance +++ b/bundles/icinga2/files/check_sipgate_account_balance @@ -1,8 +1,9 @@ #!/usr/bin/env python3 -from requests import get from sys import exit +from requests import get + SIPGATE_USER = '${node.metadata['icinga2']['sipgate_user']}' SIPGATE_PASS = '${node.metadata['icinga2']['sipgate_pass']}' diff --git a/bundles/icinga2/files/check_spam_blocklist b/bundles/icinga2/files/check_spam_blocklist index bf14a82..5cb350d 100644 --- a/bundles/icinga2/files/check_spam_blocklist +++ b/bundles/icinga2/files/check_spam_blocklist @@ -1,12 +1,10 @@ #!/usr/bin/env python3 from concurrent.futures import ThreadPoolExecutor, as_completed -from ipaddress import ip_address, IPv6Address +from ipaddress import IPv6Address, ip_address from subprocess import check_output from sys import argv, exit - - BLOCKLISTS = [ '0spam.fusionzero.com', 'bl.mailspike.org', 
diff --git a/bundles/icinga2/files/scripts/icinga_notification_wrapper b/bundles/icinga2/files/scripts/icinga_notification_wrapper index f988be8..72ab749 100644 --- a/bundles/icinga2/files/scripts/icinga_notification_wrapper +++ b/bundles/icinga2/files/scripts/icinga_notification_wrapper @@ -4,10 +4,11 @@ import email.mime.text import smtplib from argparse import ArgumentParser from json import dumps -from requests import post from subprocess import run from sys import argv +from requests import post + SIPGATE_USER='${node.metadata['icinga2']['sipgate_user']}' SIPGATE_PASS='${node.metadata['icinga2']['sipgate_pass']}' diff --git a/bundles/matrix-synapse/files/synapse-purge-unused-rooms b/bundles/matrix-synapse/files/synapse-purge-unused-rooms index aa54ebb..4e5f1e1 100644 --- a/bundles/matrix-synapse/files/synapse-purge-unused-rooms +++ b/bundles/matrix-synapse/files/synapse-purge-unused-rooms @@ -1,9 +1,9 @@ #!/usr/bin/env python3 from os import environ -from requests import get, post from sys import argv, exit +from requests import get, post SYNAPSE_MAX_ROOMS_TO_GET = 20000 SYNAPSE_HOST = 'http://[::1]:20080/' diff --git a/bundles/mosquitto/files/tasmota-telegraf-plugin b/bundles/mosquitto/files/tasmota-telegraf-plugin index 3aef6d6..4927002 100644 --- a/bundles/mosquitto/files/tasmota-telegraf-plugin +++ b/bundles/mosquitto/files/tasmota-telegraf-plugin @@ -7,7 +7,6 @@ from time import sleep import paho.mqtt.client as mqtt - BROKER_HOST = argv[1] BROKER_TOPIC = argv[2] diff --git a/bundles/mosquitto/metadata.py b/bundles/mosquitto/metadata.py index 08bd6de..c07a446 100644 --- a/bundles/mosquitto/metadata.py +++ b/bundles/mosquitto/metadata.py @@ -1,6 +1,5 @@ from bundlewrap.metadata import atomic - defaults = { 'apt': { 'packages': { diff --git a/bundles/octoprint/files/check_octoprint_update b/bundles/octoprint/files/check_octoprint_update index c7ae90a..ff89a3e 100644 --- a/bundles/octoprint/files/check_octoprint_update 
+++ b/bundles/octoprint/files/check_octoprint_update @@ -1,8 +1,9 @@ #!/usr/bin/env python3 -from requests import get from sys import exit +from requests import get + api_key = '${api_key}' try: diff --git a/bundles/postfix/files/postfix-telegraf-queue b/bundles/postfix/files/postfix-telegraf-queue index f5abfe7..16b64e5 100644 --- a/bundles/postfix/files/postfix-telegraf-queue +++ b/bundles/postfix/files/postfix-telegraf-queue @@ -4,7 +4,6 @@ from json import loads from subprocess import check_output - queue_counts = {} queue_json = check_output(['sudo', '/usr/sbin/postqueue', '-j']) diff --git a/bundles/powerdns/metadata.py b/bundles/powerdns/metadata.py index 5a2cc41..e93c7de 100644 --- a/bundles/powerdns/metadata.py +++ b/bundles/powerdns/metadata.py @@ -1,4 +1,4 @@ -from ipaddress import ip_address, IPv4Address, IPv6Address +from ipaddress import IPv4Address, IPv6Address, ip_address from bundlewrap.metadata import atomic diff --git a/bundles/pppd/files/dyndns b/bundles/pppd/files/dyndns index a88d7c5..f1760d8 100644 --- a/bundles/pppd/files/dyndns +++ b/bundles/pppd/files/dyndns @@ -1,8 +1,9 @@ #!/usr/bin/env python3 -import requests from sys import argv +import requests + INTERFACE = argv[1] LOCAL_IP = argv[4] diff --git a/bundles/pretalx/files/pretalx-administrators-from-group b/bundles/pretalx/files/pretalx-administrators-from-group index c1dcf80..3253000 100644 --- a/bundles/pretalx/files/pretalx-administrators-from-group +++ b/bundles/pretalx/files/pretalx-administrators-from-group @@ -1,9 +1,10 @@ #!/usr/bin/env python3 -import psycopg2 from configparser import ConfigParser from sys import argv, exit +import psycopg2 + def main(): try: diff --git a/bundles/rspamd/files/telegraf-rspamd-plugin b/bundles/rspamd/files/telegraf-rspamd-plugin index 9cb2c3d..23e5ccb 100644 --- a/bundles/rspamd/files/telegraf-rspamd-plugin +++ b/bundles/rspamd/files/telegraf-rspamd-plugin 
@@ -1,8 +1,9 @@ #!/usr/bin/env python3 -from requests import get from sys import argv, stderr +from requests import get + try: r = get('http://127.0.0.1:11334/stat') r.raise_for_status() diff --git a/bundles/smartd/files/telegraf_plugin b/bundles/smartd/files/telegraf_plugin index 5a7a1a5..5bd10f2 100644 --- a/bundles/smartd/files/telegraf_plugin +++ b/bundles/smartd/files/telegraf_plugin @@ -1,7 +1,7 @@ #!/usr/bin/env python -from subprocess import check_output from json import loads +from subprocess import check_output from sys import stderr devices = check_output(['smartctl', '--scan']).decode().splitlines() diff --git a/bundles/sshmon/files/check_http_wget b/bundles/sshmon/files/check_http_wget index ade5dbe..c259871 100644 --- a/bundles/sshmon/files/check_http_wget +++ b/bundles/sshmon/files/check_http_wget @@ -2,8 +2,8 @@ #this is actually a python https requests query, its called check_http_wget cause it got replaced -from sys import exit from argparse import ArgumentParser +from sys import exit import requests diff --git a/bundles/sshmon/files/check_mounts b/bundles/sshmon/files/check_mounts index f387ce4..bc2fc4b 100644 --- a/bundles/sshmon/files/check_mounts +++ b/bundles/sshmon/files/check_mounts @@ -5,7 +5,6 @@ from argparse import ArgumentParser from subprocess import check_output from tempfile import TemporaryFile - check_filesystem_types = { 'ext2', 'ext3', diff --git a/bundles/users/items.py b/bundles/users/items.py index 457c46a..d6df3cd 100644 --- a/bundles/users/items.py +++ b/bundles/users/items.py @@ -1,4 +1,4 @@ -from os.path import join, exists +from os.path import exists, join files = { '/etc/bash.bashrc': { diff --git a/bundles/wireguard/metadata.py b/bundles/wireguard/metadata.py index 21e9b8f..b19ca8c 100644 --- a/bundles/wireguard/metadata.py +++ b/bundles/wireguard/metadata.py 
@@ -3,7 +3,6 @@ from ipaddress import ip_network from bundlewrap.exceptions import NoSuchNode from bundlewrap.metadata import atomic - defaults = { 'apt': { 'packages': { diff --git a/bundles/zfs/files/check_zpool_space b/bundles/zfs/files/check_zpool_space index ff4b9bb..abb533e 100644 --- a/bundles/zfs/files/check_zpool_space +++ b/bundles/zfs/files/check_zpool_space @@ -1,9 +1,9 @@ #!/usr/bin/env python3 +import re from subprocess import check_output from sys import argv, exit -import re def to_bytes(size): diff --git a/bundles/zfs/files/zfs-auto-snapshot b/bundles/zfs/files/zfs-auto-snapshot index 4f1c919..8e38cf7 100644 --- a/bundles/zfs/files/zfs-auto-snapshot +++ b/bundles/zfs/files/zfs-auto-snapshot @@ -2,7 +2,6 @@ import re - from datetime import datetime from json import loads from subprocess import check_call, check_output diff --git a/bundles/zfs/items.py b/bundles/zfs/items.py index 8dda658..85ffdd7 100644 --- a/bundles/zfs/items.py +++ b/bundles/zfs/items.py @@ -1,5 +1,4 @@ from json import dumps -#from os.path import join from bundlewrap.metadata import MetadataJSONEncoder diff --git a/hooks/test_backup_metadata.py b/hooks/test_backup_metadata.py index 4937989..c8498eb 100644 --- a/hooks/test_backup_metadata.py +++ b/hooks/test_backup_metadata.py @@ -2,6 +2,7 @@ from bundlewrap.exceptions import BundleError from bundlewrap.utils.text import bold, green, yellow from bundlewrap.utils.ui import io + def test_node(repo, node, **kwargs): if not node.has_bundle('backup-client'): return diff --git a/hooks/test_metadata_dashes_vs_underscores.py b/hooks/test_metadata_dashes_vs_underscores.py index 698ab56..b7c7419 100644 --- a/hooks/test_metadata_dashes_vs_underscores.py +++ b/hooks/test_metadata_dashes_vs_underscores.py 
@@ -4,6 +4,7 @@ from bundlewrap.exceptions import BundleError from bundlewrap.utils.text import bold, green from bundlewrap.utils.ui import io + def test_underscore_vs_dash(node, metadata, path=[]): for k, v in metadata.items(): if not isinstance(k, str): diff --git a/libs/faults.py b/libs/faults.py index ad3735c..91d8b2f 100644 --- a/libs/faults.py +++ b/libs/faults.py @@ -1,4 +1,4 @@ -from json import loads, dumps +from json import dumps, loads from bundlewrap.metadata import metadata_to_json from bundlewrap.utils import Fault diff --git a/libs/firewall.py b/libs/firewall.py index 68b852d..b343824 100644 --- a/libs/firewall.py +++ b/libs/firewall.py @@ -1,5 +1,5 @@ +from ipaddress import IPv4Network, ip_network from os.path import abspath, dirname, join -from ipaddress import ip_network, IPv4Network REPO_PATH = dirname(dirname(abspath(__file__))) diff --git a/libs/keys.py b/libs/keys.py index 1565fee..4db382b 100644 --- a/libs/keys.py +++ b/libs/keys.py @@ -1,8 +1,11 @@ import base64 -from nacl.public import PrivateKey + from nacl.encoding import Base64Encoder +from nacl.public import PrivateKey + from bundlewrap.utils import Fault + def gen_privkey(repo, identifier): return repo.vault.random_bytes_as_base64_for(identifier) diff --git a/libs/tools.py b/libs/tools.py index 8e225a5..40afde2 100644 --- a/libs/tools.py +++ b/libs/tools.py @@ -1,9 +1,10 @@ -from ipaddress import ip_address, ip_network, IPv4Address, IPv4Network +from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network -from bundlewrap.exceptions import NoSuchGroup, NoSuchNode, BundleError +from bundlewrap.exceptions import BundleError, NoSuchGroup, NoSuchNode from bundlewrap.utils.text import bold, red from bundlewrap.utils.ui import io + def resolve_identifier(repo, identifier): """ Try to resolve an identifier (group or node). Return a set of ip diff --git a/nodes.py b/nodes.py index 75e6f1f..b9110ad 100644 --- a/nodes.py +++ b/nodes.py 
@@ -3,6 +3,7 @@ from os.path import join from pathlib import Path import bwpass + from bundlewrap.metadata import atomic from bundlewrap.utils import error_context diff --git a/scripts/encrypt_file b/scripts/encrypt_file index 8fa272e..430aac0 100755 --- a/scripts/encrypt_file +++ b/scripts/encrypt_file @@ -5,7 +5,6 @@ from sys import argv from bundlewrap.repo import Repository - path = environ.get('BW_REPO_PATH', '.') repo = Repository(path) diff --git a/scripts/list-all-ips b/scripts/list-all-ips index f5f2bc5..04a05ea 100755 --- a/scripts/list-all-ips +++ b/scripts/list-all-ips @@ -5,7 +5,6 @@ from sys import argv from bundlewrap.repo import Repository from bundlewrap.utils.dicts import merge_dict - path = environ.get('BW_REPO_PATH', '.') repo = Repository(path) diff --git a/scripts/passwords-for b/scripts/passwords-for index 3aa0d53..c12fa7b 100755 --- a/scripts/passwords-for +++ b/scripts/passwords-for @@ -2,10 +2,9 @@ from os import environ from sys import argv +from bundlewrap.exceptions import FaultUnavailable from bundlewrap.repo import Repository from bundlewrap.utils import Fault -from bundlewrap.exceptions import FaultUnavailable - path = environ.get('BW_REPO_PATH', '.') repo = Repository(path) From b49dc56c33176ba4d3a91bd6b2f032db43953682 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 5 Feb 2023 17:34:39 +0100 Subject: [PATCH 63/80] Jenkinsfile: also check using isort --- Jenkinsfile | 33 +++++++++++++++++++++------------ 1 file changed, 21 insertions(+), 12 deletions(-) diff --git a/Jenkinsfile b/Jenkinsfile index ef990d1..f371f82 100644 --- a/Jenkinsfile +++ b/Jenkinsfile 
@@ -1,15 +1,6 @@ pipeline { agent any stages { - stage('editorconfig-checker') { - steps { - sh """ - wget -Oec-linux-amd64.tar.gz https://github.com/editorconfig-checker/editorconfig-checker/releases/latest/download/ec-linux-amd64.tar.gz - tar -xzf ec-linux-amd64.tar.gz && rm ec-linux-amd64.tar.gz - bin/ec-linux-amd64 -no-color -exclude '^bin/' - """ - } - } stage('install_requirements') { steps { sh """ @@ -18,13 +9,31 @@ pipeline { virtualenv -p python3 venv . venv/bin/activate - pip install --upgrade pip + pip install --upgrade pip isort pip install -r requirements.txt """ } } - stage('bw test') { + stage('tests') { parallel { + stage('syntax checking using editorconfig-checker') { + steps { + sh """ + wget -Oec-linux-amd64.tar.gz https://github.com/editorconfig-checker/editorconfig-checker/releases/latest/download/ec-linux-amd64.tar.gz + tar -xzf ec-linux-amd64.tar.gz && rm ec-linux-amd64.tar.gz + bin/ec-linux-amd64 -no-color -exclude '^bin/' + """ + } + } + stage('syntax checking using isort') { + steps { + sh """ + . venv/bin/activate + + isort --check . + """ + } + } stage('config and metadata determinism') { steps { sh """ @@ -36,7 +45,7 @@ pipeline { """ } } - stage('other tests') { + stage('bw test -i') { steps { sh """ . venv/bin/activate From 25e03582b0c40d06c5ee59ed36ba4deac5bb199d Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Fri, 17 Feb 2023 05:01:28 +0100 Subject: [PATCH 64/80] entropia-jira- stuff has changed --- nodes/entropia-jira.toml | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/nodes/entropia-jira.toml b/nodes/entropia-jira.toml index d648b3a..84af119 100644 --- a/nodes/entropia-jira.toml +++ b/nodes/entropia-jira.toml 
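Review bot: The editorconfig-checker stage still fetches `releases/latest/download/ec-linux-amd64.tar.gz` and executes the binary on the Jenkins agent without pinning a version or verifying a checksum, so whatever upstream's "latest" asset happens to be at build time runs in CI; the new isort stage's `pip install --upgrade pip isort` is unpinned in the same way. Pinning a release tag in the URL and checking the archive against a known digest (`sha256sum -c`) before `tar -xzf`, plus `isort==<pinned-version>` on the pip line, would make the pipeline reproducible and remove the blind trust in both downloads. The checker being run after `pip install` and before the venv is used is fine; only the provenance of the inputs is the concern here.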
@@ -5,13 +5,18 @@ dummy = true period = "daytime" pretty_name = "ticket.gulas.ch" -[metadata.icinga2_api.nginx.services."NGINX VHOST jira CERTIFICATE"] +[metadata.icinga2_api.nginx.services."NGINX VHOST ticket-redirect CERTIFICATE"] check_command = "check_https_cert_at_url" "vars.domain" = "ticket.gulas.ch" "vars.notification.mail" = true +[metadata.icinga2_api.nginx.services."NGINX VHOST jira CERTIFICATE"] +check_command = "check_https_cert_at_url" +"vars.domain" = "jira.gulas.ch" +"vars.notification.mail" = true + [metadata.icinga2_api.nginx.services."NGINX VHOST jira CONTENT"] check_command = "check_http_wget" "vars.http_wget_contains" = "login.jsp" -"vars.http_wget_url" = "https://ticket.gulas.ch/secure/Dashboard.jspa" +"vars.http_wget_url" = "https://jira.gulas.ch/secure/Dashboard.jspa" "vars.notification.sms" = true From 4975562fbca15be215215ec51d5f5c4d3449c252 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Fri, 17 Feb 2023 05:02:13 +0100 Subject: [PATCH 65/80] update element-web to 1.11.23 --- nodes/htz-cloud/miniserver.py | 2 +- nodes/rx300.py | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/nodes/htz-cloud/miniserver.py b/nodes/htz-cloud/miniserver.py index 6868583..9732bbd 100644 --- a/nodes/htz-cloud/miniserver.py +++ b/nodes/htz-cloud/miniserver.py @@ -62,7 +62,7 @@ nodes['htz-cloud.miniserver'] = { }, 'element-web': { 'url': 'chat.sophies-kitchen.eu', - 'version': 'v1.11.22', + 'version': 'v1.11.23', 'config': { 'default_server_config': { 'm.homeserver': { diff --git a/nodes/rx300.py b/nodes/rx300.py index 26b3799..9326e3c 100644 --- a/nodes/rx300.py +++ b/nodes/rx300.py @@ -104,7 +104,7 @@ nodes['rx300'] = { }, 'element-web': { 'url': 'chat.franzi.business', - 'version': 'v1.11.22', + 'version': 'v1.11.23', 'config': { 'default_server_config': { 'm.homeserver': { From d57844928d6d82218875cd1c9865eb9eaeb4d4e7 Mon Sep 17 00:00:00 2001 
From: Franziska Kunsmann Date: Fri, 17 Feb 2023 05:02:40 +0100 Subject: [PATCH 66/80] update matrix-media-repo to 1.2.13 --- nodes/htz-cloud/miniserver.py | 4 ++-- nodes/rx300.py | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/nodes/htz-cloud/miniserver.py b/nodes/htz-cloud/miniserver.py index 9732bbd..5fdc86c 100644 --- a/nodes/htz-cloud/miniserver.py +++ b/nodes/htz-cloud/miniserver.py @@ -134,8 +134,8 @@ nodes['htz-cloud.miniserver'] = { }, }, 'matrix-media-repo': { - 'version': 'v1.2.12', - 'sha1': 'c2dfa521c2eea9a0dcde9f1c7803f52ce6d0352e', + 'version': 'v1.2.13', + 'sha1': '0915bdf7c461368859180419d1f66717969cbe32', 'homeservers': { 'sophies-kitchen.eu': { 'domain': 'http://[::1]:20080/', diff --git a/nodes/rx300.py b/nodes/rx300.py index 9326e3c..5bfa1c2 100644 --- a/nodes/rx300.py +++ b/nodes/rx300.py @@ -196,8 +196,8 @@ nodes['rx300'] = { }, }, 'matrix-media-repo': { - 'version': 'v1.2.12', - 'sha1': 'c2dfa521c2eea9a0dcde9f1c7803f52ce6d0352e', + 'version': 'v1.2.13', + 'sha1': '0915bdf7c461368859180419d1f66717969cbe32', 'homeservers': { 'franzi.business': { 'domain': 'http://[::1]:20080/', From 68d51450fdfdc55353681c1ecf50f3c489cd1932 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Fri, 17 Feb 2023 05:03:01 +0100 Subject: [PATCH 67/80] update forgejo to 1.18.3-1 --- nodes/rx300.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/nodes/rx300.py b/nodes/rx300.py index 5bfa1c2..6d6d069 100644 --- a/nodes/rx300.py +++ b/nodes/rx300.py @@ -127,8 +127,8 @@ nodes['rx300'] = { }, }, 'gitea': { - 'url': 'https://codeberg.org/attachments/af34fbfc-d651-41b1-aaff-2b9cc7134051', - 'sha1': '9560cf3f84031583d374cef57d20d6da8c07a2f6', + 'url': 'https://codeberg.org/attachments/be5952ea-6cfb-4be5-a593-3564c4bd8cc9', + 'sha1': '0bcf3d6d6541a46571802d9e9276056ff860841e', 'domain': 'git.franzi.business', 'email_domain_blocklist': { 'aol.com', From 5c4fc37a37d91e0df7368f376ae28b96672f1a00 Mon Sep 17 00:00:00 2001 
From: Franziska Kunsmann Date: Fri, 17 Feb 2023 05:03:25 +0100 Subject: [PATCH 68/80] update mautrix-whatsapp to 0.8.2 --- nodes/rx300.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/nodes/rx300.py b/nodes/rx300.py index 6d6d069..861fd83 100644 --- a/nodes/rx300.py +++ b/nodes/rx300.py @@ -267,8 +267,8 @@ nodes['rx300'] = { }, }, 'mautrix-whatsapp': { - 'version': 'v0.8.1', - 'sha1': '6c7645b83ed216786a25e9f45935a0170cf0b05c', + 'version': 'v0.8.2', + 'sha1': '31779131b0524e84f980a7e3b5a818150833470d', 'homeserver': { 'domain': 'franzi.business', 'url': 'https://matrix.franzi.business', From 6cb56ab2ec0738aac5ca5eefe7c4b0650006d36d Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Fri, 17 Feb 2023 05:03:39 +0100 Subject: [PATCH 69/80] rx300: allow more postgresql connections --- nodes/rx300.py | 1 + 1 file changed, 1 insertion(+) diff --git a/nodes/rx300.py b/nodes/rx300.py index 861fd83..f5e1c71 100644 --- a/nodes/rx300.py +++ b/nodes/rx300.py @@ -448,6 +448,7 @@ nodes['rx300'] = { }, 'postgresql': { 'version': '13', + 'max_connections': 500, }, 'radicale': { 'domain': 'radicale.franzi.business', From cc767867cfbc3606ccd4e045b44d07fdf0a51729 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Thu, 22 Dec 2022 19:02:52 +0100 Subject: [PATCH 70/80] add bundle:woodpecker-server --- PORT_MAP.md | 2 + .../files/woodpecker-server.service | 19 ++++ bundles/woodpecker-server/items.py | 35 +++++++ bundles/woodpecker-server/metadata.py | 94 +++++++++++++++++++ nodes/rx300.py | 12 +++ 5 files changed, 162 insertions(+) create mode 100644 bundles/woodpecker-server/files/woodpecker-server.service create mode 100644 bundles/woodpecker-server/items.py create mode 100644 bundles/woodpecker-server/metadata.py diff --git a/PORT_MAP.md b/PORT_MAP.md index a1725cb..40f6d0a 100644 --- a/PORT_MAP.md +++ b/PORT_MAP.md 
@@ -45,6 +45,8 @@ Rule of thumb: keep ports below 10000 free for stuff that reserves ports. | 22060 | pretalx | gunicorn | | 22070 | paperless-ng | gunicorn | | 22080 | netbox | gunicorn | +| 22100 | woodpecker-server | http | +| 22101 | woodpecker-server | gRPC | | 22999 | nginx | stub_status | | 22100 | ntfy | http | diff --git a/bundles/woodpecker-server/files/woodpecker-server.service b/bundles/woodpecker-server/files/woodpecker-server.service new file mode 100644 index 0000000..5520b49 --- /dev/null +++ b/bundles/woodpecker-server/files/woodpecker-server.service @@ -0,0 +1,19 @@ +[Unit] +Description=woodpecker ci +After=syslog.target +After=network.target +Requires=postgresql.service + +[Service] +RestartSec=2s +Type=simple +User=woodpecker +Group=woodpecker +ExecStart=/usr/local/bin/woodpecker-server +Restart=always +% for k, v in sorted(env.items()): +Environment=${k}=${v} +% endfor + +[Install] +WantedBy=multi-user.target diff --git a/bundles/woodpecker-server/items.py b/bundles/woodpecker-server/items.py new file mode 100644 index 0000000..cccbb8c --- /dev/null +++ b/bundles/woodpecker-server/items.py 
@@ -0,0 +1,35 @@ +version = node.metadata.get('woodpecker-server/version') + +actions['install_woodpecker-server'] = { + 'command': ' && '.join([ + f'wget -q -O/tmp/woodpecker-server.deb https://github.com/woodpecker-ci/woodpecker/releases/download/v{version}/woodpecker-server_{version}_amd64.deb', + 'dpkg -i /tmp/woodpecker-server.deb', + ]), + 'unless': f'''bash -c "[[ \"$(woodpecker-server --version | cut -d' ' -f3)\" == "{version}" ]]"''', + 'triggers': { + 'svc_systemd:woodpecker-server:restart', + }, +} + +files['/usr/local/lib/systemd/system/woodpecker-server.service'] = { + 'content_type': 'mako', + 'context': { + 'env': node.metadata.get('woodpecker-server/environment'), + }, + 'triggers': { + 'action:systemd-reload', + 'svc_systemd:woodpecker-server:restart', + }, +} + +svc_systemd['woodpecker-server'] = { + 'needs': { + 'action:install_woodpecker-server', + 'file:/usr/local/lib/systemd/system/woodpecker-server.service', + 'postgres_db:woodpecker', + 'postgres_role:woodpecker', + 'user:woodpecker', + }, +} + +users['woodpecker'] = {} diff --git a/bundles/woodpecker-server/metadata.py b/bundles/woodpecker-server/metadata.py new file mode 100644 index 0000000..b98c89a --- /dev/null +++ b/bundles/woodpecker-server/metadata.py 
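Review bot: `files['/usr/local/lib/systemd/system/woodpecker-server.service']` sets no `mode`, yet the Mako template writes every entry of `woodpecker-server/environment` as an `Environment=` line, which (per metadata.py in this patch and nodes/rx300.py) includes the agent secret, the database password and the Gitea OAuth client secret; with bundlewrap's default file mode the unit is world-readable, so any local account on the host can read them. Either set `'mode': '0600'` on the file item (systemd itself reads units as root) or move the `Environment=` block into an `EnvironmentFile=` with restricted permissions. Separately, `install_woodpecker-server` pipes `wget` straight into `dpkg -i` with no integrity check, unlike the `sha1` values this repo keeps for matrix-media-repo and gitea in nodes/rx300.py; verifying a digest of /tmp/woodpecker-server.deb before `dpkg -i` would close that gap. The agent bundle's items.py in PATCH 74 repeats both patterns.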
@@ -0,0 +1,94 @@ +from bundlewrap.metadata import atomic + +defaults = { + 'postgresql': { + 'roles': { + 'woodpecker': { + 'password': repo.vault.password_for(f'{node.name} postgresql woodpecker'), + }, + }, + 'databases': { + 'woodpecker': { + 'owner': 'woodpecker', + }, + }, + }, + 'woodpecker-server': { + 'environment': { + 'WOODPECKER_AGENT_SECRET': repo.vault.password_for(f'{node.name} WOODPECKER_AGENT_SECRET'), + 'WOODPECKER_DATABASE_DATASOURCE': repo.vault.password_for(f'{node.name} postgresql woodpecker').format_into( + 'postgres://woodpecker:{}@localhost/woodpecker?sslmode=disable' + ), + 'WOODPECKER_DATABASE_DRIVER': 'postgres', + 'WOODPECKER_GRPC_ADDR': ':22101', + 'WOODPECKER_LOG_LEVEL': 'warn', + 'WOODPECKER_OPEN': 'true', + 'WOODPECKER_SERVER_ADDR': ':22100', + }, + }, +} + + +@metadata_reactor.provides( + 'nginx/vhosts/woodpecker-server', + 'woodpecker-server/environment/WOODPECKER_HOST', +) +def nginx(metadata): + if not node.has_bundle('nginx'): + raise DoNotRunAgain + + ssl = metadata.get('nginx/vhosts/woodpecker-server/ssl', 'letsencrypt') + domain = metadata.get('woodpecker-server/domain') + prefix = 'https' if ssl else 'http' + + return { + 'nginx': { + 'vhosts': { + 'woodpecker-server': { + 'domain': domain, + 'locations': { + '/': { + 'target': 'http://127.0.0.1:22100', + 'additional_config': { + 'proxy_redirect off', + 'chunked_transfer_encoding off', + }, + }, + '/metrics': { + 'return': 403, + }, + '/debug': { + 'return': 403, + }, + }, + 'website_check_path': '/do-login', + 'website_check_string': 'Woodpecker', + }, + }, + }, + 'woodpecker-server': { + 'environment': { + 'WOODPECKER_HOST': f'{prefix}://{domain}', + }, + }, + } + + +@metadata_reactor.provides( + 'firewall/port_rules', +) +def firewall(metadata): + port = metadata.get('woodpecker-server/environment/WOODPECKER_GRPC_ADDR')[1:] + agents = set() + + for node in repo.nodes: + if node.has_bundle('woodpecker-agent'): + agents.add(node.name) + + return { + 'firewall': { + 
'port_rules': { + port: atomic(agents), + }, + }, + } diff --git a/nodes/rx300.py b/nodes/rx300.py index f5e1c71..1a6ed40 100644 --- a/nodes/rx300.py +++ b/nodes/rx300.py @@ -35,6 +35,7 @@ nodes['rx300'] = { 'travelynx', 'unbound', 'vmhost', + 'woodpecker-server', 'zfs', }, 'groups': { @@ -334,6 +335,7 @@ nodes['rx300'] = { 'netbox': {'ssl': '_.franzi.business'}, 'radicale': {'ssl': '_.franzi.business'}, 'travelynx': {'ssl': '_.franzi.business'}, + 'woodpecker-server': {'ssl': '_.franzi.business'}, 'daskritzelt-redirect': { 'domain': 'die-brontosaurier-waren-es.org', 'ssl': None, @@ -535,6 +537,16 @@ nodes['rx300'] = { 'enable_linger': True, }, }, + 'woodpecker-server': { + 'domain': 'woodpecker.franzi.business', + 'version': '0.15.5', + 'environment': { + 'WOODPECKER_GITEA': 'true', + 'WOODPECKER_GITEA_URL': 'https://git.franzi.business', + 'WOODPECKER_GITEA_CLIENT': vault.decrypt('encrypt$gAAAAABjpJJQkNyG2B2ThT5yrkGnrPoM33bVYNTyLcuaas4_7ewBRrDb-KO2-JIM895fdI6U6NO8wHQ3gKBxBBYUtt-xgbWW1j4iUrzyt7KhqswSNBIBFfce80UmQ5UuOHsaFPVyyd1W'), + 'WOODPECKER_GITEA_SECRET': vault.decrypt('encrypt$gAAAAABjpJJW95MaCPnK2ngkGf1DLBmV8Y_K6B0Dc8XBM4oN3sPHH54vFbKB1YLODepR-okpXUJGHxqlS7TkTlu4JylRINXiIh7OHRRDaTCkU_bfLSUDnc_VLgDmVULWH09fsveslKw5v1ssl-RBGJg16XXBz1Sq4g=='), + }, + }, 'zfs': { 'module_options': { 'zfs_arc_max_gb': 16, From c2e93c0abb7a1f61811b393a5de28937a2e59c25 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Fri, 23 Dec 2022 16:54:59 +0100 Subject: [PATCH 71/80] bundles/woodpecker: try to get it working --- .../files/woodpecker-server.service | 24 +++++++++++++++++++ bundles/woodpecker-server/items.py | 8 ++++++- 2 files changed, 31 insertions(+), 1 deletion(-) diff --git a/bundles/woodpecker-server/files/woodpecker-server.service b/bundles/woodpecker-server/files/woodpecker-server.service index 5520b49..3bd7b82 100644 --- a/bundles/woodpecker-server/files/woodpecker-server.service +++ b/bundles/woodpecker-server/files/woodpecker-server.service 
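Review bot: `'WOODPECKER_OPEN': 'true'` makes registration open to every account on the configured forge, and nothing in the defaults restricts who becomes admin or which orgs may register, so any git.franzi.business user could log in and schedule pipelines on the agents — if the forge itself has open signup this is effectively public CI capacity. Unless that is intended, pairing it with an admin allow-list in the node metadata (Woodpecker's `WOODPECKER_ADMIN` setting, if I recall correctly) or setting it to `'false'` and enabling users explicitly would be safer, and a comment should record the decision either way. `'WOODPECKER_SERVER_ADDR': ':22100'` also reuses a port the PORT_MAP.md context in this patch still lists for ntfy (`| 22100 | ntfy | http |`); harmless if the two never share a node, but the map should be reconciled. In `firewall`, the loop variable `node` shadows the bundle-level `node` name used at the top of this file; `for other in repo.nodes:` avoids the confusion.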
@@ -9,8 +9,32 @@ RestartSec=2s Type=simple User=woodpecker Group=woodpecker +WorkingDirectory=/var/lib/woodpecker ExecStart=/usr/local/bin/woodpecker-server Restart=always +ReadWritePaths=/var/lib/woodpecker +CapabilityBoundingSet= +NoNewPrivileges=true +ProtectSystem=strict +ProtectHome=true +PrivateTmp=true +PrivateDevices=true +PrivateUsers=true +ProtectHostname=true +ProtectClock=true +ProtectKernelTunables=true +ProtectKernelModules=true +ProtectKernelLogs=true +ProtectControlGroups=true +RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 +LockPersonality=true +MemoryDenyWriteExecute=true +RestrictRealtime=true +RestrictSUIDSGID=true +PrivateMounts=true +SystemCallArchitectures=native +SystemCallFilter=~@clock @cpu-emulation @debug @keyring @memlock @module @mount @obsolete @raw-io @reboot @setuid @swap + % for k, v in sorted(env.items()): Environment=${k}=${v} % endfor diff --git a/bundles/woodpecker-server/items.py b/bundles/woodpecker-server/items.py index cccbb8c..eb98fe9 100644 --- a/bundles/woodpecker-server/items.py +++ b/bundles/woodpecker-server/items.py @@ -1,5 +1,9 @@ version = node.metadata.get('woodpecker-server/version') +directories['/var/lib/woodpecker'] = { + 'owner': 'woodpecker', +} + actions['install_woodpecker-server'] = { 'command': ' && '.join([ f'wget -q -O/tmp/woodpecker-server.deb https://github.com/woodpecker-ci/woodpecker/releases/download/v{version}/woodpecker-server_{version}_amd64.deb', @@ -32,4 +36,6 @@ svc_systemd['woodpecker-server'] = { }, } -users['woodpecker'] = {} +users['woodpecker'] = { + 'home': '/var/lib/woodpecker', +} From eee786fabf45ff6ffb2f6d32b675860fa84b70cc Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sat, 24 Dec 2022 08:44:40 +0100 Subject: [PATCH 72/80] bundles/woodpecker-server: add GODEBUG=netns=go --- bundles/woodpecker-server/metadata.py | 4 ++++ nodes/rx300.py | 2 +- 2 files changed, 5 insertions(+), 1 deletion(-) 
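Review bot: In the items.py hunk, `directories['/var/lib/woodpecker']` only sets `owner`, so the directory is created with bundlewrap's default mode (0755, if I recall correctly) even though it becomes the service user's home, its `WorkingDirectory` and the single `ReadWritePaths=` entry in the hardened unit; adding `'mode': '0750'` keeps whatever the server drops there from being world-readable. The group is not set either, although the unit's `Group=woodpecker` line suggests it should be. The agent bundle in PATCH 74 declares the same directory identically.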
diff --git a/bundles/woodpecker-server/metadata.py b/bundles/woodpecker-server/metadata.py index b98c89a..257a307 100644 --- a/bundles/woodpecker-server/metadata.py +++ b/bundles/woodpecker-server/metadata.py @@ -24,6 +24,10 @@ defaults = { 'WOODPECKER_LOG_LEVEL': 'warn', 'WOODPECKER_OPEN': 'true', 'WOODPECKER_SERVER_ADDR': ':22100', + + # https://github.com/woodpecker-ci/woodpecker/issues/1497 + # https://github.com/woodpecker-ci/woodpecker/issues/748 + 'GODEBUG': 'netdns=go' }, }, } diff --git a/nodes/rx300.py b/nodes/rx300.py index 1a6ed40..eea38a1 100644 --- a/nodes/rx300.py +++ b/nodes/rx300.py @@ -539,7 +539,7 @@ nodes['rx300'] = { }, 'woodpecker-server': { 'domain': 'woodpecker.franzi.business', - 'version': '0.15.5', + 'version': '0.15.6', 'environment': { 'WOODPECKER_GITEA': 'true', 'WOODPECKER_GITEA_URL': 'https://git.franzi.business', From 019cc693713f5f0fb0e9a8a841ac10baba6365d6 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sat, 24 Dec 2022 17:40:13 +0100 Subject: [PATCH 73/80] add bundle:docker-ce --- bundles/docker-ce/items.py | 11 ++++++ bundles/docker-ce/metadata.py | 15 ++++++++ bundles/nftables/metadata.py | 2 +- data/apt/files/gpg-keys/docker.asc | 62 ++++++++++++++++++++++++++++++ 4 files changed, 89 insertions(+), 1 deletion(-) create mode 100644 bundles/docker-ce/items.py create mode 100644 bundles/docker-ce/metadata.py create mode 100644 data/apt/files/gpg-keys/docker.asc diff --git a/bundles/docker-ce/items.py b/bundles/docker-ce/items.py new file mode 100644 index 0000000..bf56b1c --- /dev/null +++ b/bundles/docker-ce/items.py @@ -0,0 +1,11 @@ +from bundlewrap.metadata import metadata_to_json + +files['/etc/docker/daemon.json'] = { + 'content': metadata_to_json({ + 'iptables': False, + }), + 'before': { + 'pkg_apt:docker-ce', + 'pkg_apt:docker-ce-cli', + } +} diff --git a/bundles/docker-ce/metadata.py b/bundles/docker-ce/metadata.py new file mode 100644 index 0000000..a7d0c98 --- /dev/null +++ b/bundles/docker-ce/metadata.py 
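Review bot: The new `'GODEBUG': 'netdns=go'` entry lacks the trailing comma every other entry in this dict carries, so the next addition will produce a noisy diff; `'GODEBUG': 'netdns=go',` keeps the style consistent. The commit subject says `netns=go` while the value is `netdns=go`; the code is the correct one (netdns is the Go resolver knob), so the subject is the typo. The two issue links explain the why only indirectly — a one-line comment such as `# force the pure-Go resolver; the cgo resolver misbehaves under this unit's sandboxing` (confirm the actual cause from the linked issues) would save the next reader the trip.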
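Review bot: `'iptables': False` in daemon.json stops dockerd from managing any firewall rules, which matches this repo's nftables-only setup but means container egress NAT and any published port now depend entirely on rules the nftables bundle provides; nothing in this patch adds them, so containers on the agent host may have no outbound network until that is covered. A comment on the setting, e.g. `# firewalling is nftables-only here; docker must not inject iptables rules (see bundles/nftables)`, would record the reason. The `'before'` ordering on the two packages is right, since the daemon needs the setting before its first start.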
@@ -0,0 +1,15 @@ +defaults = { + 'apt': { + 'repos': { + 'docker': { + 'items': { + 'deb https://download.docker.com/linux/debian {os_release} stable', + }, + }, + }, + 'packages': { + 'docker-ce': {}, + 'docker-ce-cli': {}, + }, + }, +} diff --git a/bundles/nftables/metadata.py b/bundles/nftables/metadata.py index 08396ce..06faaf0 100644 --- a/bundles/nftables/metadata.py +++ b/bundles/nftables/metadata.py @@ -25,7 +25,7 @@ defaults = { }, } -if not node.has_bundle('vmhost'): +if not node.has_bundle('vmhost') and not node.has_bundle('docker-ce'): # see comment in bundles/vmhost/items.py defaults['apt']['packages']['iptables'] = { 'installed': False, diff --git a/data/apt/files/gpg-keys/docker.asc b/data/apt/files/gpg-keys/docker.asc new file mode 100644 index 0000000..ee7872e --- /dev/null +++ b/data/apt/files/gpg-keys/docker.asc 
@@ -0,0 +1,62 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- + +mQINBFit2ioBEADhWpZ8/wvZ6hUTiXOwQHXMAlaFHcPH9hAtr4F1y2+OYdbtMuth +lqqwp028AqyY+PRfVMtSYMbjuQuu5byyKR01BbqYhuS3jtqQmljZ/bJvXqnmiVXh +38UuLa+z077PxyxQhu5BbqntTPQMfiyqEiU+BKbq2WmANUKQf+1AmZY/IruOXbnq +L4C1+gJ8vfmXQt99npCaxEjaNRVYfOS8QcixNzHUYnb6emjlANyEVlZzeqo7XKl7 +UrwV5inawTSzWNvtjEjj4nJL8NsLwscpLPQUhTQ+7BbQXAwAmeHCUTQIvvWXqw0N +cmhh4HgeQscQHYgOJjjDVfoY5MucvglbIgCqfzAHW9jxmRL4qbMZj+b1XoePEtht +ku4bIQN1X5P07fNWzlgaRL5Z4POXDDZTlIQ/El58j9kp4bnWRCJW0lya+f8ocodo +vZZ+Doi+fy4D5ZGrL4XEcIQP/Lv5uFyf+kQtl/94VFYVJOleAv8W92KdgDkhTcTD +G7c0tIkVEKNUq48b3aQ64NOZQW7fVjfoKwEZdOqPE72Pa45jrZzvUFxSpdiNk2tZ +XYukHjlxxEgBdC/J3cMMNRE1F4NCA3ApfV1Y7/hTeOnmDuDYwr9/obA8t016Yljj +q5rdkywPf4JF8mXUW5eCN1vAFHxeg9ZWemhBtQmGxXnw9M+z6hWwc6ahmwARAQAB +tCtEb2NrZXIgUmVsZWFzZSAoQ0UgZGViKSA8ZG9ja2VyQGRvY2tlci5jb20+iQI3 +BBMBCgAhBQJYrefAAhsvBQsJCAcDBRUKCQgLBRYCAwEAAh4BAheAAAoJEI2BgDwO +v82IsskP/iQZo68flDQmNvn8X5XTd6RRaUH33kXYXquT6NkHJciS7E2gTJmqvMqd +tI4mNYHCSEYxI5qrcYV5YqX9P6+Ko+vozo4nseUQLPH/ATQ4qL0Zok+1jkag3Lgk +jonyUf9bwtWxFp05HC3GMHPhhcUSexCxQLQvnFWXD2sWLKivHp2fT8QbRGeZ+d3m +6fqcd5Fu7pxsqm0EUDK5NL+nPIgYhN+auTrhgzhK1CShfGccM/wfRlei9Utz6p9P +XRKIlWnXtT4qNGZNTN0tR+NLG/6Bqd8OYBaFAUcue/w1VW6JQ2VGYZHnZu9S8LMc +FYBa5Ig9PxwGQOgq6RDKDbV+PqTQT5EFMeR1mrjckk4DQJjbxeMZbiNMG5kGECA8 +g383P3elhn03WGbEEa4MNc3Z4+7c236QI3xWJfNPdUbXRaAwhy/6rTSFbzwKB0Jm +ebwzQfwjQY6f55MiI/RqDCyuPj3r3jyVRkK86pQKBAJwFHyqj9KaKXMZjfVnowLh +9svIGfNbGHpucATqREvUHuQbNnqkCx8VVhtYkhDb9fEP2xBu5VvHbR+3nfVhMut5 +G34Ct5RS7Jt6LIfFdtcn8CaSas/l1HbiGeRgc70X/9aYx/V/CEJv0lIe8gP6uDoW +FPIZ7d6vH+Vro6xuWEGiuMaiznap2KhZmpkgfupyFmplh0s6knymuQINBFit2ioB +EADneL9S9m4vhU3blaRjVUUyJ7b/qTjcSylvCH5XUE6R2k+ckEZjfAMZPLpO+/tF +M2JIJMD4SifKuS3xck9KtZGCufGmcwiLQRzeHF7vJUKrLD5RTkNi23ydvWZgPjtx +Q+DTT1Zcn7BrQFY6FgnRoUVIxwtdw1bMY/89rsFgS5wwuMESd3Q2RYgb7EOFOpnu +w6da7WakWf4IhnF5nsNYGDVaIHzpiqCl+uTbf1epCjrOlIzkZ3Z3Yk5CM/TiFzPk +z2lLz89cpD8U+NtCsfagWWfjd2U3jDapgH+7nQnCEWpROtzaKHG6lA3pXdix5zG8 
+eRc6/0IbUSWvfjKxLLPfNeCS2pCL3IeEI5nothEEYdQH6szpLog79xB9dVnJyKJb +VfxXnseoYqVrRz2VVbUI5Blwm6B40E3eGVfUQWiux54DspyVMMk41Mx7QJ3iynIa +1N4ZAqVMAEruyXTRTxc9XW0tYhDMA/1GYvz0EmFpm8LzTHA6sFVtPm/ZlNCX6P1X +zJwrv7DSQKD6GGlBQUX+OeEJ8tTkkf8QTJSPUdh8P8YxDFS5EOGAvhhpMBYD42kQ +pqXjEC+XcycTvGI7impgv9PDY1RCC1zkBjKPa120rNhv/hkVk/YhuGoajoHyy4h7 +ZQopdcMtpN2dgmhEegny9JCSwxfQmQ0zK0g7m6SHiKMwjwARAQABiQQ+BBgBCAAJ +BQJYrdoqAhsCAikJEI2BgDwOv82IwV0gBBkBCAAGBQJYrdoqAAoJEH6gqcPyc/zY +1WAP/2wJ+R0gE6qsce3rjaIz58PJmc8goKrir5hnElWhPgbq7cYIsW5qiFyLhkdp +YcMmhD9mRiPpQn6Ya2w3e3B8zfIVKipbMBnke/ytZ9M7qHmDCcjoiSmwEXN3wKYI +mD9VHONsl/CG1rU9Isw1jtB5g1YxuBA7M/m36XN6x2u+NtNMDB9P56yc4gfsZVES +KA9v+yY2/l45L8d/WUkUi0YXomn6hyBGI7JrBLq0CX37GEYP6O9rrKipfz73XfO7 +JIGzOKZlljb/D9RX/g7nRbCn+3EtH7xnk+TK/50euEKw8SMUg147sJTcpQmv6UzZ +cM4JgL0HbHVCojV4C/plELwMddALOFeYQzTif6sMRPf+3DSj8frbInjChC3yOLy0 +6br92KFom17EIj2CAcoeq7UPhi2oouYBwPxh5ytdehJkoo+sN7RIWua6P2WSmon5 +U888cSylXC0+ADFdgLX9K2zrDVYUG1vo8CX0vzxFBaHwN6Px26fhIT1/hYUHQR1z +VfNDcyQmXqkOnZvvoMfz/Q0s9BhFJ/zU6AgQbIZE/hm1spsfgvtsD1frZfygXJ9f +irP+MSAI80xHSf91qSRZOj4Pl3ZJNbq4yYxv0b1pkMqeGdjdCYhLU+LZ4wbQmpCk +SVe2prlLureigXtmZfkqevRz7FrIZiu9ky8wnCAPwC7/zmS18rgP/17bOtL4/iIz +QhxAAoAMWVrGyJivSkjhSGx1uCojsWfsTAm11P7jsruIL61ZzMUVE2aM3Pmj5G+W +9AcZ58Em+1WsVnAXdUR//bMmhyr8wL/G1YO1V3JEJTRdxsSxdYa4deGBBY/Adpsw +24jxhOJR+lsJpqIUeb999+R8euDhRHG9eFO7DRu6weatUJ6suupoDTRWtr/4yGqe +dKxV3qQhNLSnaAzqW/1nA3iUB4k7kCaKZxhdhDbClf9P37qaRW467BLCVO/coL3y +Vm50dwdrNtKpMBh3ZpbB1uJvgi9mXtyBOMJ3v8RZeDzFiG8HdCtg9RvIt/AIFoHR +H3S+U79NT6i0KPzLImDfs8T7RlpyuMc4Ufs8ggyg9v3Ae6cN3eQyxcK3w0cbBwsh +/nQNfsA6uu+9H7NhbehBMhYnpNZyrHzCmzyXkauwRAqoCbGCNykTRwsur9gS41TQ +M8ssD1jFheOJf3hODnkKU+HKjvMROl1DK7zdmLdNzA1cvtZH/nCC9KPj1z8QC47S +xx+dTZSx4ONAhwbS/LN3PoKtn8LPjY9NP9uDWI+TWYquS2U+KHDrBDlsgozDbs/O +jCxcpDzNmXpWQHEtHU7649OXHP7UeNST1mCUCH5qdank0V1iejF6/CfTFU4MfcrG +YT90qFF93M3v01BbxP+EIY2/9tiIPbrd +=0YYh +-----END PGP PUBLIC KEY BLOCK----- From 24f9f87734762a0e619cb021fd5493ed307392ac Mon Sep 17 00:00:00 2001 
From: Franziska Kunsmann Date: Sat, 24 Dec 2022 17:41:27 +0100 Subject: [PATCH 74/80] add bundle:woodpecker-agent --- .../files/woodpecker-agent.service | 42 ++++++++++++++++++ bundles/woodpecker-agent/items.py | 43 +++++++++++++++++++ bundles/woodpecker-agent/metadata.py | 28 ++++++++++++ nodes/woodpecker-agent-1.toml | 24 +++++++++++ 4 files changed, 137 insertions(+) create mode 100644 bundles/woodpecker-agent/files/woodpecker-agent.service create mode 100644 bundles/woodpecker-agent/items.py create mode 100644 bundles/woodpecker-agent/metadata.py create mode 100644 nodes/woodpecker-agent-1.toml diff --git a/bundles/woodpecker-agent/files/woodpecker-agent.service b/bundles/woodpecker-agent/files/woodpecker-agent.service new file mode 100644 index 0000000..096a891 --- /dev/null +++ b/bundles/woodpecker-agent/files/woodpecker-agent.service @@ -0,0 +1,42 @@ +[Unit] +Description=woodpecker ci agent +After=syslog.target +After=network.target + +[Service] +RestartSec=2s +Type=simple +User=woodpecker +Group=woodpecker +WorkingDirectory=/var/lib/woodpecker +ExecStart=/usr/local/bin/woodpecker-agent +Restart=always +ReadWritePaths=/var/lib/woodpecker +CapabilityBoundingSet= +NoNewPrivileges=true +ProtectSystem=strict +ProtectHome=true +PrivateTmp=true +PrivateDevices=true +PrivateUsers=true +ProtectHostname=true +ProtectClock=true +ProtectKernelTunables=true +ProtectKernelModules=true +ProtectKernelLogs=true +ProtectControlGroups=true +RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 +LockPersonality=true +MemoryDenyWriteExecute=true +RestrictRealtime=true +RestrictSUIDSGID=true +PrivateMounts=true +SystemCallArchitectures=native +SystemCallFilter=~@clock @cpu-emulation @debug @keyring @memlock @module @mount @obsolete @raw-io @reboot @setuid @swap + +% for k, v in sorted(env.items()): +Environment=${k}=${v} +% endfor + +[Install] +WantedBy=multi-user.target 
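Review bot: The unit runs as `User=woodpecker` with an empty `CapabilityBoundingSet=`, but the agent host in this patch gets docker-ce and the agent presumably needs the Docker socket to run pipelines; nothing here grants that, and if it ends up granted through the docker group, socket access is root-equivalent on the host, which makes most of the sandboxing directives in this unit cosmetic. That trade-off deserves a comment at the top of `[Service]`, e.g. `# agent needs docker.sock; docker access is root-equivalent, so the hardening below only limits the agent process itself`. `After=syslog.target` is an obsolete target and can be dropped. The hardening list is a verbatim copy of the server unit; a shared template would keep the two from drifting.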
diff --git a/bundles/woodpecker-agent/items.py b/bundles/woodpecker-agent/items.py new file mode 100644 index 0000000..d33df40 --- /dev/null +++ b/bundles/woodpecker-agent/items.py @@ -0,0 +1,43 @@ +version = node.metadata.get('woodpecker-agent/version') + +directories['/var/lib/woodpecker'] = { + 'owner': 'woodpecker', +} + +actions['install_woodpecker-agent'] = { + 'command': ' && '.join([ + f'wget -q -O/tmp/woodpecker-agent.deb https://github.com/woodpecker-ci/woodpecker/releases/download/v{version}/woodpecker-agent_{version}_amd64.deb', + 'dpkg -i /tmp/woodpecker-agent.deb', + ]), + 'unless': f'''bash -c "[[ \"$(woodpecker-agent --version | cut -d' ' -f3)\" == "{version}" ]]"''', + 'triggers': {i + 'svc_systemd:woodpecker-agent:restart', + }, +} + +files['/usr/local/lib/systemd/system/woodpecker-agent.service'] = { + 'content_type': 'mako', + 'context': { + 'env': node.metadata.get('woodpecker-agent/environment'), + }, + 'triggers': { + 'action:systemd-reload', + 'svc_systemd:woodpecker-agent:restart', + }, +} + +svc_systemd['woodpecker-agent'] = { + 'after': { + # to make sure we have docker and other eventual dependencies + 'pkg_apt:', + }, + 'needs': { + 'action:install_woodpecker-agent', + 'file:/usr/local/lib/systemd/system/woodpecker-agent.service', + 'user:woodpecker', + }, +} + +users['woodpecker'] = { + 'home': '/var/lib/woodpecker', +} diff --git a/bundles/woodpecker-agent/metadata.py b/bundles/woodpecker-agent/metadata.py new file mode 100644 index 0000000..7a78beb --- /dev/null +++ b/bundles/woodpecker-agent/metadata.py 
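Review bot: `'triggers': {i` on the `install_woodpecker-agent` action looks like a stray character — as written it is a `SyntaxError`, so the bundle cannot be loaded at all; it should read `'triggers': {`. Unless this is an artifact of how the patch was pasted, the CI runs attempted later in this series could not have exercised this bundle. The unit file item again has no `mode` despite carrying `WOODPECKER_AGENT_SECRET` in `Environment=` lines, and the `.deb` is again installed without a digest check, the same two points raised on the server bundle's items.py.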
@@ -0,0 +1,28 @@
+@metadata_reactor.provides(
+    'woodpecker-agent/environment',
+    'woodpecker-agent/version',
+)
+def nginx(metadata):
+    env = {}
+    server = repo.get_node(metadata.get('woodpecker-agent/server'))
+
+    domain = server.metadata.get('woodpecker-server/domain')
+    port = server.metadata.get('woodpecker-server/environment/WOODPECKER_GRPC_ADDR')
+    env['WOODPECKER_SERVER'] = f'{domain}{port}'
+
+    env['WOODPECKER_AGENT_SECRET'] = server.metadata.get('woodpecker-server/environment/WOODPECKER_AGENT_SECRET')
+
+    env['WOODPECKER_MAX_PROCS'] = int(int(metadata.get('vm/cpu'))/2)
+
+    env['WOODPECKER_HOSTNAME'] = metadata.get('hostname')
+
+    debug = server.metadata.get('woodpecker-server/environment/GODEBUG', None)
+    if debug:
+        env['GODEBUG'] = debug
+
+    return {
+        'woodpecker-agent': {
+            'environment': env,
+            'version': server.metadata.get('woodpecker-server/version'),
+        },
+    }
diff --git a/nodes/woodpecker-agent-1.toml b/nodes/woodpecker-agent-1.toml
new file mode 100644
index 0000000..d2d6c60
--- /dev/null
+++ b/nodes/woodpecker-agent-1.toml
@@ -0,0 +1,24 @@
+hostname = "31.47.232.108"
+bundles = [
+    "docker-ce",
+    "woodpecker-agent",
+]
+groups = ["debian-bullseye"]
+
+[metadata.backups]
+exclude_from_backups = true
+
+[metadata.interfaces.enp1s0]
+ips = [
+    "31.47.232.108/29",
+    "2a00:f820:528::5/64",
+]
+gateway4 = "31.47.232.105"
+gateway6 = "2a00:f820:528::1"
+
+[metadata.woodpecker-agent]
+server = "rx300"
+
+[metadata.vm]
+cpu = 8
+ram = 16
From 9b44bcf3a8aefdcd8420b74676b48e4cf7352e03 Mon Sep 17 00:00:00 2001
From: Franziska Kunsmann
Date: Sat, 24 Dec 2022 17:58:06 +0100
Subject: [PATCH 75/80] try running the test pipeline in woodpecker
---
 .woodpecker/bw-test.yml | 23 +++++++++++++++++++++++
 .woodpecker/editorconfig.yml | 8 ++++++++
 2 files changed, 31 insertions(+)
 create mode 100644 .woodpecker/bw-test.yml
 create mode 100644 .woodpecker/editorconfig.yml
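Review bot: `env['WOODPECKER_SERVER'] = f'{domain}{port}'` points the agent at the server's gRPC listener on a different host, and the same dict carries `WOODPECKER_AGENT_SECRET`, yet nothing sets `WOODPECKER_GRPC_SECURE`, so unless that endpoint is terminated by TLS somewhere not visible here the secret is presented over plaintext gRPC across the network; set `env['WOODPECKER_GRPC_SECURE'] = 'true'` (with matching TLS on the server side) or add a comment stating why transport encryption is provided elsewhere. `int(int(metadata.get('vm/cpu'))/2)` evaluates to 0 for a single-CPU node; `max(1, int(metadata.get('vm/cpu')) // 2)` avoids that and drops the float round-trip. The reactor name `nginx` is corrected later in this series.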
diff --git a/.woodpecker/bw-test.yml b/.woodpecker/bw-test.yml
new file mode 100644
index 0000000..efa4e3d
--- /dev/null
+++ b/.woodpecker/bw-test.yml
@@ -0,0 +1,23 @@
+pipeline:
+  install-deps:
+    image: python:3.10-slim
+    commands:
+      - pip install -r requirements.txt
+
+  test-dummymode:
+    image: python:3.10-slim
+    commands:
+      - bw test
+    environment:
+      BW_VAULT_DUMMY_MODE: 1
+      BW_PASS_DUMMY_MODE: 1
+
+  test-ignore-missing-faults:
+    image: python:3.10-slim
+    commands:
+      - bw test --ignore-missing-faults
+
+  test-determinism:
+    image: python:3.10-slim
+    commands:
+      - bw test --metadata-determinism 3 --config-determinism 3
diff --git a/.woodpecker/editorconfig.yml b/.woodpecker/editorconfig.yml
new file mode 100644
index 0000000..6bac4f8
--- /dev/null
+++ b/.woodpecker/editorconfig.yml
@@ -0,0 +1,8 @@
+pipeline:
+  editorconfig:
+    image: alpine:latest
+    pipeline:
+      - wget -O ec-linux-amd64.tar.gz https://github.com/editorconfig-checker/editorconfig-checker/releases/latest/download/ec-linux-amd64.tar.gz
+      - tar -xzf ec-linux-amd64.tar.gz
+      - rm ec-linux-amd64.tar.gz
+      - bin/ec-linux-amd64 -no-color -exclude '^bin/'
From d2caadb41b0fbb8c5234146bcf1a3cf89915e551 Mon Sep 17 00:00:00 2001
From: Franziska Kunsmann
Date: Sat, 24 Dec 2022 17:59:38 +0100
Subject: [PATCH 76/80] ci: determinism tests need to run using dummy mode
---
 .woodpecker/bw-test.yml | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/.woodpecker/bw-test.yml b/.woodpecker/bw-test.yml
index efa4e3d..5990f05 100644
--- a/.woodpecker/bw-test.yml
+++ b/.woodpecker/bw-test.yml
@@ -21,3 +21,6 @@ pipeline:
     image: python:3.10-slim
     commands:
       - bw test --metadata-determinism 3 --config-determinism 3
+    environment:
+      BW_VAULT_DUMMY_MODE: 1
+      BW_PASS_DUMMY_MODE: 1
From efdff6ef283ac41cfd602cba3e8735aac0c30646 Mon Sep 17 00:00:00 2001
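Review bot: `install-deps` runs `pip install -r requirements.txt` in its own `python:3.10-slim` container, but only the workspace is carried between steps, not the container filesystem, so the `bw` the three test steps call will not exist in their fresh containers unless pip installs into the checkout; either install into a venv under the workspace (`python -m venv .venv && .venv/bin/pip install -r requirements.txt`) and call `.venv/bin/bw`, or prepend the install to each step's `commands`. Pinning `python:3.10-slim` to a digest would also make the test environment reproducible rather than floating with the tag.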
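Review bot: The `editorconfig` step fetches `releases/latest/download/ec-linux-amd64.tar.gz` and executes it with no version pin and no checksum, on an `alpine:latest` image that is equally unpinned, so every CI run executes whatever the upstream "latest" currently resolves to. Pin the checker release in the URL, verify the archive before extraction with `echo "<EXPECTED_SHA256>  ec-linux-amd64.tar.gz" | sha256sum -c`, and pin the image tag (or digest) so the step is reproducible and a changed artifact fails the build instead of running. The `pipeline:` key nested inside the step is corrected to `commands:` later in this series.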
From: Franziska Kunsmann
Date: Sat, 24 Dec 2022 18:05:35 +0100
Subject: [PATCH 77/80] ci: fix editorconfig
---
 .woodpecker/editorconfig.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.woodpecker/editorconfig.yml b/.woodpecker/editorconfig.yml
index 6bac4f8..201004f 100644
--- a/.woodpecker/editorconfig.yml
+++ b/.woodpecker/editorconfig.yml
@@ -1,7 +1,7 @@
 pipeline:
   editorconfig:
     image: alpine:latest
-    pipeline:
+    commands:
       - wget -O ec-linux-amd64.tar.gz https://github.com/editorconfig-checker/editorconfig-checker/releases/latest/download/ec-linux-amd64.tar.gz
       - tar -xzf ec-linux-amd64.tar.gz
       - rm ec-linux-amd64.tar.gz
From 071250d798afefc870b487c7e4b4f4dbc5ad1cae Mon Sep 17 00:00:00 2001
From: Franziska Kunsmann
Date: Sat, 24 Dec 2022 18:22:29 +0100
Subject: [PATCH 78/80] bundles/docker-ce: add nftables rules
---
 bundles/docker-ce/metadata.py | 26 ++++++++++++++++++++++++++
 bundles/woodpecker-agent/items.py | 2 +-
 2 files changed, 27 insertions(+), 1 deletion(-)
diff --git a/bundles/docker-ce/metadata.py b/bundles/docker-ce/metadata.py
index a7d0c98..1315d1c 100644
--- a/bundles/docker-ce/metadata.py
+++ b/bundles/docker-ce/metadata.py
@@ -12,4 +12,30 @@ defaults = {
             'docker-ce-cli': {},
         },
     },
+    'nftables': {
+        'rules': {
+            '00-docker-ce': {
+                'inet filter forward ct state { related, established } accept',
+                'inet filter forward iifname docker0 accept',
+            },
+        },
+    },
 }
+
+
+@metadata_reactor.provides(
+    'nftables/rules/00-docker-ce',
+)
+def nftables_nat(metadata):
+    rules = set()
+
+    for iface in metadata.get('interfaces'):
+        rules.add(f'nat postrouting oifname {iface} masquerade')
+
+    return {
+        'nftables': {
+            'rules': {
+                '00-docker-ce': rules,
+            },
+        },
+    }
diff --git a/bundles/woodpecker-agent/items.py b/bundles/woodpecker-agent/items.py
index d33df40..01e30e4 100644
--- a/bundles/woodpecker-agent/items.py
+++ b/bundles/woodpecker-agent/items.py
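Review bot: `nftables_nat` emits `nat postrouting oifname {iface} masquerade` for every key in `metadata.get('interfaces')`, and the new default `inet filter forward iifname docker0 accept` forwards container traffic to any destination, so CI containers get NAT'd egress through every host interface — including any internal or management ones — and can reach whatever the host itself can reach. Scope both rules to the interface(s) meant for container egress, e.g. `inet filter forward iifname docker0 oifname <EXTERNAL_IFACE> accept`, and consider an explicit drop for docker0 traffic towards host-internal networks before the accept. The defaults and the reactor both contribute to `nftables/rules/00-docker-ce`; a one-line comment on the reactor saying the NAT rules are generated per interface while the filter rules are static would help, and this split is reworked later in this series.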
@@ -10,7 +10,7 @@ actions['install_woodpecker-agent'] = {
         'dpkg -i /tmp/woodpecker-agent.deb',
     ]),
     'unless': f'''bash -c "[[ \"$(woodpecker-agent --version | cut -d' ' -f3)\" == "{version}" ]]"''',
-    'triggers': {i
+    'triggers': {
         'svc_systemd:woodpecker-agent:restart',
     },
 }
From cb4d28c994b8f0813ba23ea23997ee8d3c084d63 Mon Sep 17 00:00:00 2001
From: Franziska Kunsmann
Date: Sun, 25 Dec 2022 08:25:00 +0100
Subject: [PATCH 79/80] bundles/woodpecker-agent: fix metadata reactor
---
 bundles/woodpecker-agent/metadata.py | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/bundles/woodpecker-agent/metadata.py b/bundles/woodpecker-agent/metadata.py
index 7a78beb..5d2ff88 100644
--- a/bundles/woodpecker-agent/metadata.py
+++ b/bundles/woodpecker-agent/metadata.py
@@ -2,7 +2,7 @@
     'woodpecker-agent/environment',
     'woodpecker-agent/version',
 )
-def nginx(metadata):
+def environment(metadata):
     env = {}
     server = repo.get_node(metadata.get('woodpecker-agent/server'))
 
@@ -16,6 +16,8 @@ def nginx(metadata):
 
     env['WOODPECKER_HOSTNAME'] = metadata.get('hostname')
 
+    env['WOODPECKER_LOG_LEVEL'] = server.metadata.get('woodpecker-server/environment/WOODPECKER_LOG_LEVEL')
+
     debug = server.metadata.get('woodpecker-server/environment/GODEBUG', None)
     if debug:
         env['GODEBUG'] = debug
From d282d77a99877e87804eaf2a16dcf11760667e55 Mon Sep 17 00:00:00 2001
From: Franziska Kunsmann
Date: Mon, 26 Dec 2022 12:57:42 +0100
Subject: [PATCH 80/80] bundles/docker-ce: sort nftables rules
---
 bundles/docker-ce/metadata.py | 15 +++++---------
 1 file changed, 5 insertions(+), 10 deletions(-)
diff --git a/bundles/docker-ce/metadata.py b/bundles/docker-ce/metadata.py
index 1315d1c..cf6e2bb 100644
--- a/bundles/docker-ce/metadata.py
+++ b/bundles/docker-ce/metadata.py
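Review bot: `env['WOODPECKER_LOG_LEVEL'] = server.metadata.get('woodpecker-server/environment/WOODPECKER_LOG_LEVEL')` has no default, unlike the `GODEBUG` lookup two lines below it, so a server node that does not set a log level presumably makes this reactor fail on the missing path instead of simply omitting the variable. Mirror the `GODEBUG` handling: `log_level = server.metadata.get('woodpecker-server/environment/WOODPECKER_LOG_LEVEL', None)` followed by `if log_level: env['WOODPECKER_LOG_LEVEL'] = log_level`. The enclosing `environment` reactor starts and ends outside this hunk.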
@@ -12,14 +12,6 @@ defaults = {
             'docker-ce-cli': {},
         },
     },
-    'nftables': {
-        'rules': {
-            '00-docker-ce': {
-                'inet filter forward ct state { related, established } accept',
-                'inet filter forward iifname docker0 accept',
-            },
-        },
-    },
 }
 
 
@@ -27,7 +19,10 @@ defaults = {
     'nftables/rules/00-docker-ce',
 )
 def nftables_nat(metadata):
-    rules = set()
+    rules = {
+        'inet filter forward ct state { related, established } accept',
+        'inet filter forward iifname docker0 accept',
+    }
 
     for iface in metadata.get('interfaces'):
         rules.add(f'nat postrouting oifname {iface} masquerade')
@@ -35,7 +30,7 @@ def nftables_nat(metadata):
     return {
         'nftables': {
             'rules': {
-                '00-docker-ce': rules,
+                '00-docker-ce': sorted(rules),
             },
         },
     }
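Review bot: With the forward-accept rules moved into `nftables_nat`, the function now provides all of `nftables/rules/00-docker-ce` but its name describes only the NAT part, and there is no comment on why the result is sorted; a short docstring such as `"""Provide the docker0 forward rules plus a per-interface masquerade rule, sorted so the generated ruleset is stable across runs."""` would state the intent (the sorting presumably serves the determinism checks added to CI earlier in this series — confirm). The masquerade scope concern raised on the earlier docker-ce hunk applies unchanged to the loop kept here.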