diff --git a/PORT_MAP.md b/PORT_MAP.md index e15cfec..003339b 100644 --- a/PORT_MAP.md +++ b/PORT_MAP.md @@ -26,11 +26,11 @@ Rule of thumb: keep ports below 10000 free for stuff that reserves ports. | 6667 | | bitlbee | | 8010 | | matrix-media-repo | | 8086 | influxdb2 | influx | -| 8184 | | matrix-dimension | | 11332-11334 | rspamd | rspamd | | 20000 | mx-puppet-discord | Bridge | | 20010 | mautrix-telegram | Bridge | | 20020 | mautrix-whatsapp | Bridge | +| 20030 | matrix-dimension | Matrix Integrations Manager| | 20080 | matrix-synapse | client, federation | | 20081 | matrix-synapse | prometheus metrics | | 20090 | matrix-media-repo | media_repo | diff --git a/README.md b/README.md index 7608202..c102b84 100644 --- a/README.md +++ b/README.md @@ -6,4 +6,4 @@ May also include some dummy nodes, for example for deploying websites onto shared webhosting. `bw test` runs according to Jenkinsfile after every commit. -[![Build Status](https://jenkins.kunsmann.eu/buildStatus/icon?job=bundlewrap%2Fmain)](https://jenkins.kunsmann.eu/job/bundlewrap/job/main/) +[![Build Status](https://jenkins.franzi.business/buildStatus/icon?job=kunsi%2Fbundlewrap%2Fmain)](https://jenkins.franzi.business/job/kunsi/job/bundlewrap/job/main/) diff --git a/bundles/check-mail-received/files/check_imap_for_mail_from b/bundles/check-mail-received/files/check_imap_for_mail_from new file mode 100644 index 0000000..f8db136 --- /dev/null +++ b/bundles/check-mail-received/files/check_imap_for_mail_from 
@@ -0,0 +1,70 @@ +#!/usr/bin/env python3 + +from imaplib import IMAP4_SSL +from subprocess import check_output +from sys import argv, exit +from time import time + +if len(argv) < 5: + print('Usage: {} '.format(argv[0])) + exit(3) + +NOW = time() + +try: + imap = IMAP4_SSL(argv[1]) + imap.login(argv[2], argv[3]) + + imap.select('Inbox') + + _, data = imap.search(None, 'ALL') + + something_found = False + + for item in data: + for index in item.split(): + received_in_this_mail = None + from_in_this_mail = False + + try: + message = imap.fetch(index, '(RFC822)') + + message_text = bytearray() + for part in message[1][0]: + message_text.extend(part) + message_text = message_text.decode().splitlines() + + for line in message_text: + lline = line.strip().lower() + + if lline.startswith('from:') and argv[4].lower() in line: + from_in_this_mail = True + + if lline.startswith('date:'): + date = line.strip()[5:].strip() + unixtime = int(check_output([ + 'date', + '--date={}'.format(date), + '+%s', + ]).decode().strip()) + + if unixtime > (NOW-(60*60*25)): + received_in_this_mail = date + + if received_in_this_mail and from_in_this_mail: + print('Found message from "{}" sent at "{}"'.format(argv[4], received_in_this_mail)) + received_in_this_mail = None + from_in_this_mail = False + something_found = True + except: + pass + + if something_found: + # there should be output above + exit(0) + + print('No Mails found') + exit(2) +except Exception as e: + print(repr(e)) + exit(3) diff --git a/bundles/check-mail-received/items.py b/bundles/check-mail-received/items.py new file mode 100644 index 0000000..ed76f80 --- /dev/null +++ b/bundles/check-mail-received/items.py @@ -0,0 +1,5 @@ +files = { + '/usr/local/share/icinga/plugins/check_imap_for_mail_from': { + 'mode': '0755', + }, +} diff --git a/bundles/check-mail-received/metadata.py b/bundles/check-mail-received/metadata.py new file mode 100644 index 0000000..0eb666d --- /dev/null +++ b/bundles/check-mail-received/metadata.py 
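Review bot: The sender match in `if lline.startswith('from:') and argv[4].lower() in line:` lowercases the argument but tests it against the original `line`, so a From header whose casing differs from argv[4] (e.g. `Root@host` vs `root@host`) never matches; it should read `argv[4].lower() in lline`. The per-message `check_output(['date', '--date=...', '+%s'])` forks a process for every mail in the inbox and hands header text taken from the mailbox to an external parser, while `email.utils.parsedate_to_datetime(date).timestamp()` from the standard library does the same job in-process. The bare `except: pass` around each message also hides decode failures (`message_text.decode()` assumes UTF-8), so a non-UTF-8 mail from the expected sender is silently skipped; narrow it to the exceptions you expect and print the message index on failure. Finally, the IMAP password is read from `argv[3]` and so is visible in the process list for the lifetime of the check (unless /proc is mounted with hidepid); an environment variable or a 0600 credentials file would keep it out of `ps`.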
@@ -0,0 +1,41 @@ +@metadata_reactor.provides( + 'cron/check-mail-received', + 'icinga2_api/check-mail-received/services', +) +def process_metadata(metadata): + cron = set() + services = {} + + my_mail_address = 'root@{}'.format(metadata.get('hostname')) + + for name, config in metadata.get('check-mail-received', {}).items(): + cron.add('{minute} {hour} * * * root date | mail -s "daily test mail from {node}" -r {source} {target}'.format( + minute=node.magic_number%60, + hour=node.magic_number%24, + node=node.name, + source=my_mail_address, + target=config['email'], + )) + + services[f'MAIL RECEIVED ON {name}'] = { + 'command_on_monitored_host': repo.libs.faults.join_faults([ + '/usr/local/share/icinga/plugins/check_imap_for_mail_from', + config['imap_host'], + config.get('imap_user', config['email']), + config['imap_pass'], + my_mail_address, + ]), + 'check_interval': '15m', + 'retry_interval': '5m', + } + + return { + 'cron': { + 'check-mail-received': '\n'.join(sorted(cron)), + }, + 'icinga2_api': { + 'check-mail-received': { + 'services': services, + }, + }, + } diff --git a/bundles/gitea/items.py b/bundles/gitea/items.py index f24768f..faf3578 100644 --- a/bundles/gitea/items.py +++ b/bundles/gitea/items.py @@ -21,6 +21,11 @@ directories = { 'owner': 'git', 'group': 'git', }, + '/home/git/.ssh': { + 'mode': '0755', + 'owner': 'git', + 'group': 'git', + }, '/var/lib/gitea': { 'owner': 'git', 'mode': '0700', diff --git a/bundles/gitea/metadata.py b/bundles/gitea/metadata.py index e18b9fd..26eebac 100644 --- a/bundles/gitea/metadata.py +++ b/bundles/gitea/metadata.py @@ -2,6 +2,7 @@ defaults = { 'backups': { 'paths': { '/home/git', + '/var/lib/gitea', }, }, 'gitea': { 
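Review bot: `command_on_monitored_host` is assembled with `config['imap_pass']` as a plain command argument, so the IMAP password ends up in the Icinga service definition (readable by anyone with access to the Icinga config or the check command shown in its UI) and in the process list on the monitored host each time the check runs; a credentials file deployed with mode 0600 and passed to the plugin by path would keep it out of both. The cron line interpolates `config['email']` and `my_mail_address` unquoted into a shell command; the values come from node metadata rather than user input, so this is a robustness rather than a security concern, but quoting them costs nothing. Style: `node.magic_number%60` and `node.magic_number%24` read better as `node.magic_number % 60` / `% 24`, and the reactor has no docstring saying that it emits one cron job and one Icinga service per configured mailbox.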
@@ -44,6 +45,23 @@ defaults = { }, }, }, + 'zfs': { + 'datasets': { + 'tank/gitea': {}, + 'tank/gitea/home': { + 'mountpoint': '/home/git', + 'needed_by': { + 'directory:/home/git', + }, + }, + 'tank/gitea/var': { + 'mountpoint': '/var/lib/gitea', + 'needed_by': { + 'directory:/var/lib/gitea', + }, + }, + }, + }, } @@ -57,7 +75,8 @@ def nginx(metadata): return { 'nginx': { 'vhosts': { - metadata.get('gitea/domain'): { + 'gitea': { + 'domain': metadata.get('gitea/domain'), 'locations': { '/': { 'target': 'http://127.0.0.1:22000', diff --git a/bundles/grafana/dashboard-rows/cpu.py b/bundles/grafana/dashboard-rows/cpu.py index e370d5e..1279b2e 100644 --- a/bundles/grafana/dashboard-rows/cpu.py +++ b/bundles/grafana/dashboard-rows/cpu.py @@ -9,6 +9,8 @@ def dashboard_row_cpu(panel_id, node): 'iowait', 'nice', 'softirq', + 'guest', + 'guest_nice', ]: queries_cpu.append({ 'groupBy': [ diff --git a/bundles/jenkins-ci/files/ssh-config b/bundles/jenkins-ci/files/ssh-config new file mode 100644 index 0000000..564c5f9 --- /dev/null +++ b/bundles/jenkins-ci/files/ssh-config @@ -0,0 +1,3 @@ +Host * + UserKnownHostsFile /dev/null + StrictHostKeyChecking no diff --git a/bundles/jenkins-ci/items.py b/bundles/jenkins-ci/items.py index ff49882..03e627e 100644 --- a/bundles/jenkins-ci/items.py +++ b/bundles/jenkins-ci/items.py 
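Review bot: `StrictHostKeyChecking no` together with `UserKnownHostsFile /dev/null` under `Host *` disables host-key verification for every SSH connection Jenkins makes, so a spoofed git server or a redirected route is accepted silently and the private key deployed alongside it (see the jenkins-ci items change) authenticates to whatever answers. If the intent is only to avoid the first-connection prompt, `StrictHostKeyChecking accept-new` keeps the pin after first contact; better still, scope the stanza to the hosts Jenkins actually reaches (e.g. `Host git.franzi.business`) and ship a known_hosts file with the expected keys. A one-line comment in the file stating why verification is relaxed would also help the next reader.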
@@ -1,14 +1,41 @@ +directories = { + '/var/lib/jenkins': { + 'owner': 'jenkins', + 'group': 'jenkins', + 'needs': { + 'pkg_apt:jenkins', + }, + }, + '/var/lib/jenkins/.ssh': { + 'mode': '0755', + 'owner': 'git', + 'group': 'git', + }, +} + files = { '/etc/default/jenkins': { 'triggers': { 'svc_systemd:jenkins:restart', }, }, + '/var/lib/jenkins/.ssh/config': { + 'source': 'ssh-config', + }, } +if node.metadata.get('jenkins-ci/install_ssh_key', False): + files['/var/lib/jenkins/.ssh/id_ed25519'] = { + 'content': repo.vault.decrypt_file(f'jenkins-ci/files/ssh-keys/{node.name}.key.vault'), + 'mode': '0600', + 'owner': 'jenkins', + 'group': 'jenkins', + } + svc_systemd = { 'jenkins': { 'needs': { + 'directory:/var/lib/jenkins', 'pkg_apt:jenkins', }, }, diff --git a/bundles/jenkins-ci/metadata.py b/bundles/jenkins-ci/metadata.py index 0cd5e59..fae8052 100644 --- a/bundles/jenkins-ci/metadata.py +++ b/bundles/jenkins-ci/metadata.py @@ -21,4 +21,14 @@ defaults = { '/var/lib/jenkins', }, }, + 'zfs': { + 'datasets': { + 'tank/jenkins': { + 'mountpoint': '/var/lib/jenkins', + 'needed_by': { + 'pkg_apt:jenkins', + }, + }, + }, + }, } diff --git a/bundles/matrix-dimension/files/matrix-dimension.service b/bundles/matrix-dimension/files/matrix-dimension.service new file mode 100644 index 0000000..9d2bebc --- /dev/null +++ b/bundles/matrix-dimension/files/matrix-dimension.service @@ -0,0 +1,14 @@ +[Unit] +Description=Matrix Dimension +After=network.target + +[Service] +User=matrix-dimension +Group=matrix-dimension +Environment="NODE_ENV=production" +ExecStart=/usr/bin/node ${config['install_dir']}/build/app/index.js +WorkingDirectory=${config['install_dir']} +Restart=on-failure + +[Install] +WantedBy=multi-user.target diff --git a/bundles/matrix-dimension/files/production.yaml b/bundles/matrix-dimension/files/production.yaml new file mode 100644 index 0000000..321f6d2 --- /dev/null +++ b/bundles/matrix-dimension/files/production.yaml 
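Review bot: The new `/var/lib/jenkins/.ssh` directory is declared with `'owner': 'git', 'group': 'git'`, which looks copied from the gitea bundle; on a jenkins node the `git` user may not exist at all, and where it does, jenkins cannot create or rotate files in its own `.ssh` directory. It should be `'owner': 'jenkins', 'group': 'jenkins'`, and `'mode': '0700'` is the conventional permission for `.ssh`. The `/var/lib/jenkins/.ssh/config` item declares no owner either, so it presumably takes bundlewrap's root default, which jenkins can still read, but being explicit keeps the three items consistent. The `id_ed25519` item correctly sets `0600`/jenkins, so the directory is the only odd one out.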
@@ -0,0 +1,93 @@ +# The web settings for the service (API and UI). +# It is best to have this run on localhost and use a reverse proxy to access Dimension. +web: + port: 20030 + address: '127.0.0.1' + +# Homeserver configuration +homeserver: + # The domain name of the homeserver. This is used in many places, such as with go-neb + # setups, to identify the homeserver. + name: "${config['homeserver']['name']}" + + # The URL that Dimension, go-neb, and other services provisioned by Dimension should + # use to access the homeserver with. + clientServerUrl: "${config['homeserver']['clientServerUrl']}" + + # The URL that Dimension should use when trying to communicate with federated APIs on + # the homeserver. If not supplied or left empty Dimension will try to resolve the address + # through the normal federation process. + #federationUrl: "https://t2bot.io:8448" + + # The URL that Dimension will redirect media requests to for downloading media such as + # stickers. If not supplied or left empty Dimension will use the clientServerUrl. + #mediaUrl: "https://t2bot.io" + + # The access token Dimension should use for miscellaneous access to the homeserver, and + # for tracking custom sticker pack updates. This should be a user configured on the homeserver + # and be dedicated to Dimension (create a user named "dimension" on your homeserver). For + # information on how to acquire an access token, visit https://t2bot.io/docs/access_tokens + accessToken: "${config['homeserver']['accessToken']}" + +# These users can modify the integrations this Dimension supports. +# To access the admin interface, open Dimension in Riot and click the settings icon. +admins: +% for i in config['admins']: + - "${i}" +% endfor +# IPs and CIDR ranges listed here will be blocked from being widgets. +# Note: Widgets may still be embedded with restricted content, although not through Dimension directly. 
+widgetBlacklist: + - 10.0.0.0/8 + - 172.16.0.0/12 + - 192.168.0.0/16 + - 127.0.0.0/8 + +database: + # Where the database for Dimension is + uri: "postgres://${node.metadata['matrix-dimension']['database']['user']}:${node.metadata['matrix-dimension']['database']['password']}@${node.metadata['matrix-dimension']['database'].get('host', 'localhost')}/${node.metadata['matrix-dimension']['database']['database']}" + + # Where to store misc information for the utility bot account. + botData: "${config['data_dir']}/dimension.bot.json" + +# Display settings that apply to self-hosted go-neb instances +goneb: + # The avatars to set for each bot. Usually these don't need to be changed, however if your homeserver + # is not able to reach t2bot.io then you should specify your own here. To not use an avatar for a bot, + # make the bot's avatar an empty string. + avatars: + giphy: "mxc://t2bot.io/c5eaab3ef0133c1a61d3c849026deb27" + imgur: "mxc://t2bot.io/6749eaf2b302bb2188ae931b2eeb1513" + github: "mxc://t2bot.io/905b64b3cd8e2347f91a60c5eb0832e1" + wikipedia: "mxc://t2bot.io/7edfb54e9ad9e13fec0df22636feedf1" + travisci: "mxc://t2bot.io/7f4703126906fab8bb27df34a17707a8" + rss: "mxc://t2bot.io/aace4fcbd045f30afc1b4e5f0928f2f3" + google: "mxc://t2bot.io/636ad10742b66c4729bf89881a505142" + guggy: "mxc://t2bot.io/e7ef0ed0ba651aaf907655704f9a7526" + echo: "mxc://t2bot.io/3407ff2db96b4e954fcbf2c6c0415a13" + circleci: "mxc://t2bot.io/cf7d875845a82a6b21f5f66de78f6bee" + jira: "mxc://t2bot.io/f4a38ebcc4280ba5b950163ca3e7c329" + +# Settings for interacting with Telegram. Currently only applies for importing +# sticker packs from Telegram. +telegram: + # Talk to @BotFather on Telegram to get a token + botToken: "${config['telegram']['botToken']}" + +# Custom sticker pack options. 
+# Largely based on https://github.com/turt2live/matrix-sticker-manager +stickers: + # Whether or not to allow people to add custom sticker packs + enabled: true + + # The sticker manager bot to promote + stickerBot: "@stickers:t2bot.io" + + # The sticker manager URL to promote + managerUrl: "https://stickers.t2bot.io" + + +# Settings for controlling how logging works +logging: + console: true + consoleLevel: info diff --git a/bundles/matrix-dimension/items.py b/bundles/matrix-dimension/items.py new file mode 100644 index 0000000..a8a9a5c --- /dev/null +++ b/bundles/matrix-dimension/items.py 
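Review bot: `widgetBlacklist` lists only IPv4 private ranges, so a widget URL pointing at `[::1]`, an IPv6 ULA (`fc00::/7`), a link-local address (`fe80::/10`, `169.254.0.0/16`) or the host's own public address still lets Dimension reach local services; add at least `  - ::1/128`, `  - fc00::/7` and `  - 169.254.0.0/16` to the list (and `fe80::/10` if the upstream parser accepts it). The hard-coded `port: 20030` duplicates the value used in the metadata.py nginx target and in PORT_MAP.md; templating it from `config` would keep the three in sync. A short comment above `accessToken` noting that the rendered file contains three secrets (homeserver token, Telegram bot token, database password) would remind whoever installs it that it needs a restrictive mode.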
@@ -0,0 +1,74 @@ +repo.libs.tools.require_bundle(node, 'nodejs') + + +directories = { + node.metadata['matrix-dimension']['install_dir']: { + 'owner': 'matrix-dimension', + 'group': 'matrix-dimension', + }, +} + +git_deploy = { + node.metadata['matrix-dimension']['install_dir']: { + 'rev': node.metadata.get('matrix-dimension/version', 'master'), # doesn't have releases yet + 'repo': 'https://github.com/turt2live/matrix-dimension.git', + 'triggers': { + 'action:matrix_dimension_build', + }, + 'needs': { + 'directory:{}'.format(node.metadata.get('matrix-dimension/install_dir')), + 'directory:{}'.format(node.metadata.get('matrix-dimension/data_dir')), + }, + }, +} + +files = { + '{}/config/production.yaml'.format(node.metadata.get('matrix-dimension/install_dir')): { + 'owner': 'matrix-dimension', + 'group': 'matrix-dimension', + 'content_type': 'mako', + 'context': { + 'config': node.metadata.get('matrix-dimension', {}), + }, + 'needs': { + 'directory:{}'.format(node.metadata.get('matrix-dimension/install_dir')), + }, + 'triggers': { + 'svc_systemd:matrix-dimension:restart', + }, + }, + '/etc/systemd/system/matrix-dimension.service': { + 'content_type': 'mako', + 'context': { + 'config': node.metadata.get('matrix-dimension', {}), + }, + 'triggers': { + 'action:systemd-reload', + 'svc_systemd:matrix-dimension:restart', + }, + }, +} + +actions = { + 'matrix_dimension_build': { + 'command': 'cd ' + node.metadata.get('matrix-dimension/install_dir') + ' && sudo -u matrix-dimension npm install && sudo -u matrix-dimension npm run build', + 'needs': { + 'pkg_apt:nodejs', + }, + 'triggered': True, + 'triggers': { + 'svc_systemd:matrix-dimension:restart', + }, + }, +} + +svc_systemd = { + 'matrix-dimension': { + 'needs': { + 'action:matrix_dimension_build', + 'file:{}/config/production.yaml'.format(node.metadata.get('matrix-dimension/install_dir')), + 'postgres_db:matrix-dimension', + 'postgres_role:matrix-dimension', + }, + }, +} 
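Review bot: The `production.yaml` file item sets owner and group but no `mode`, so it is installed with bundlewrap's default (0644, as far as I know) and the homeserver access token, Telegram bot token and PostgreSQL password rendered into it are readable by every local account; add `'mode': '0600',` next to `'owner'` (or `'0640'` if another group must read it). The `git_deploy` item tracks `'master'` by default and the triggered build runs `npm install` as the service user, which executes whatever lifecycle scripts the checked-out tree and its dependencies define; pinning `rev` to a commit hash and using `npm ci` against the upstream lockfile (if one is present) makes each apply reproducible and reviewable. Minor style: the `command` string is built with `+` concatenation while the rest of the file uses `.format()`.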
diff --git a/bundles/matrix-dimension/metadata.py b/bundles/matrix-dimension/metadata.py new file mode 100644 index 0000000..2d41180 --- /dev/null +++ b/bundles/matrix-dimension/metadata.py @@ -0,0 +1,77 @@ +defaults = { + 'backups': { + 'paths': { + '/opt/matrix-dimension', + '/var/opt/matrix-dimension', + }, + }, + 'matrix-dimension': { + 'install_dir': '/opt/matrix-dimension', + 'data_dir': '/var/opt/matrix-dimension', + 'database': { + 'user': 'matrix-dimension', + 'password': repo.vault.password_for('{} postgresql matrix-dimension'.format(node.name)), + 'database': 'matrix-dimension', + }, + }, + 'postgresql': { + 'roles': { + 'matrix-dimension': { + 'password': repo.vault.password_for('{} postgresql matrix-dimension'.format(node.name)), + }, + }, + 'databases': { + 'matrix-dimension': { + 'owner': 'matrix-dimension', + }, + }, + }, + 'users': { + 'matrix-dimension': { + 'home': '/var/opt/matrix-dimension', + }, + }, +} + +@metadata_reactor.provides( + 'nginx/vhosts/matrix-dimension', +) +def nginx_config(metadata): + return { + 'nginx': { + 'vhosts': { + 'matrix-dimension': { + 'domain': metadata.get('matrix-dimension/url'), + 'do_not_set_content_security_headers': True, + 'max_body_size': '50M', + 'locations': { + '/': { + 'target': 'http://127.0.0.1:20030', + }, + }, + }, + }, + }, + } + + +@metadata_reactor.provides( + 'icinga2_api/matrix-dimension/services', +) +def icinga_check_for_new_release(metadata): + return { + 'icinga2_api': { + 'matrix-dimension': { + 'services': { + 'MATRIX-DIMENSION UPDATE': { + 'command_on_monitored_host': '/usr/local/share/icinga/plugins/check_github_for_new_release turt2live/matrix-dimension {}'.format(metadata.get('matrix-dimension/version')), + 'vars.notification.mail': True, + 'check_interval': '60m', + }, + 'MATRIX-DIMENSION PROCESS': { + 'command_on_monitored_host': '/usr/lib/nagios/plugins/check_procs -a matrix-dimension -c 1:', + }, + }, + }, + }, + } 
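Review bot: `icinga_check_for_new_release` calls `metadata.get('matrix-dimension/version')` without a default, while items.py reads the same key as `node.metadata.get('matrix-dimension/version', 'master')`; on a node that does not set `version` the reactor fails on the missing path (if I recall bundlewrap's `metadata.get` semantics correctly) where items.py would fall back. Either add `'version': 'master',` to `defaults['matrix-dimension']` or give the reactor the same default. Note also that with the value `master` the UPDATE check compares a branch name against GitHub release tags, so it will likely report an update permanently or never; a comment on that service entry stating the expected behaviour would save the next reader a guess.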
diff --git a/bundles/mx-puppet-discord/files/config.yaml b/bundles/mx-puppet-discord/files/config.yaml index a93c889..6be98d2 100644 --- a/bundles/mx-puppet-discord/files/config.yaml +++ b/bundles/mx-puppet-discord/files/config.yaml @@ -16,6 +16,12 @@ provisioning: - "${regex}" % endfor +namePatterns: + user: ":name (Discord)" + userOverride: ":displayname (Discord)" + room: "#:name (Discord - :guild)" + group: ":name" + database: connString: "postgres://${node.metadata['mx-puppet-discord']['database']['user']}:${node.metadata['mx-puppet-discord']['database']['password']}@${node.metadata['mx-puppet-discord']['database'].get('host', 'localhost')}/${node.metadata['mx-puppet-discord']['database']['database']}?sslmode=disable" diff --git a/bundles/php/files/8.0/fpm.conf b/bundles/php/files/8.0/fpm.conf new file mode 100644 index 0000000..c4d6412 --- /dev/null +++ b/bundles/php/files/8.0/fpm.conf @@ -0,0 +1,23 @@ +[global] +pid=/run/php/php8.0-fpm.pid +; We're using journal, put logs there +error_log=/var/log/php8.0-fpm.log +daemonize=yes + +; The one and only worker pool we have +[www] +user=www-data +group=www-data +listen=/run/php/php8.0-fpm.sock +listen.owner=www-data +listen.group=www-data +listen.mode=0600 + +; Process Manager Settings +pm=dynamic +pm.max_children=${num_cpus*4} +pm.start_servers=${num_cpus} +pm.max_spare_servers=${num_cpus*2} +pm.min_spare_servers=${num_cpus} +pm.process_idle_timeout=30s +pm.max_requests=1024 diff --git a/bundles/php/files/8.0/php.ini b/bundles/php/files/8.0/php.ini new file mode 100644 index 0000000..45b78bf --- /dev/null +++ b/bundles/php/files/8.0/php.ini 
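Review bot: The comment `; We're using journal, put logs there` is contradicted by the next line, `error_log=/var/log/php8.0-fpm.log`, which writes to a file that no logrotate entry in this change covers; either set `error_log=syslog` (php-fpm accepts it and journald picks it up) or correct the comment. The rest of the pool definition looks sane: the socket is `0600` to `www-data` and the pm limits are templated from `num_cpus`.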
@@ -0,0 +1,99 @@ +[PHP] +; Only needed for libapache2-mod-php? +engine = On +short_open_tag = Off +precision = 14 +output_buffering = 4096 +zlib.output_compression = Off +implicit_flush = Off +serialize_precision = -1 +disable_functions = pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_get_handler,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,pcntl_async_signals +ignore_user_abort = Off +zend.enable_gc = On +expose_php = Off + +max_execution_time = 30 +max_input_time = 60 +memory_limit = 256M + +error_reporting = E_ALL & ~E_DEPRECATED & ~E_STRICT +display_startup_errors = Off +log_errors = On +log_errors_max_len = 1024 +ignore_repeated_errors = Off +ignore_repeated_source = Off +report_memleaks = On +html_errors = On +error_log = syslog +syslog.ident = php7.4 +syslog.filter = ascii + +arg_separator.output = "&" +variables_order = "GPCS" +request_order = "GP" +register_argc_argv = Off +auto_globals_jit = On +post_max_size = ${post_max_size}M +default_mimetype = "text/html" +default_charset = "UTF-8" + +enable_dl = Off +file_uploads = On +upload_max_filesize = ${post_max_size}M +max_file_uploads = 20 + +allow_url_fopen = On +allow_url_include = Off +default_socket_timeout = 10 + +[CLI Server] +cli_server.color = On + +[mail function] +mail.add_x_header = Off + +[ODBC] +odbc.allow_persistent = On +odbc.check_persistent = On +odbc.max_persistent = -1 +odbc.max_links = -1 +odbc.defaultlrl = 4096 +odbc.defaultbinmode = 1 + +[PostgreSQL] +pgsql.allow_persistent = On +pgsql.auto_reset_persistent = Off +pgsql.max_persistent = -1 +pgsql.max_links = -1 +pgsql.ignore_notice = 0 +pgsql.log_notice = 0 + +[bcmath] +bcmath.scale = 0 + +[Session] +session.save_handler = files +session.use_strict_mode = 0 +session.use_cookies = 1 
+session.use_only_cookies = 1 +session.name = PHPSESSID +session.auto_start = 0 +session.cookie_lifetime = 0 +session.cookie_path = / +session.cookie_domain = +session.cookie_httponly = +session.cookie_samesite = +session.serialize_handler = php +session.gc_probability = 1 +session.gc_divisor = 1000 +session.gc_maxlifetime = 1440 +session.referer_check = +session.cache_limiter = nocache +session.cache_expire = 180 +session.use_trans_sid = 0 +session.sid_length = 32 +session.trans_sid_tags = "a=href,area=href,frame=src,form=" +session.sid_bits_per_character = 6 + +[Assertion] +zend.assertions = -1 diff --git a/bundles/postfix/files/arch-override.conf b/bundles/postfix/files/arch-override.conf new file mode 100644 index 0000000..3b3e46d --- /dev/null +++ b/bundles/postfix/files/arch-override.conf @@ -0,0 +1,6 @@ +[Service] +# arch postfix is not set up for chrooting by default +ExecStartPre=-/usr/sbin/mkdir -p /var/spool/postfix/etc +% for file in ['/etc/localtime', '/etc/nsswitch.conf', '/etc/resolv.conf', '/etc/services']: +ExecStartPre=-/usr/sbin/cp -p ${file} /var/spool/postfix${file} +% endfor diff --git a/bundles/postfix/items.py b/bundles/postfix/items.py index 1ca260b..7346fe3 100644 --- a/bundles/postfix/items.py +++ b/bundles/postfix/items.py @@ -21,7 +21,7 @@ for identifier in node.metadata.get('postfix/mynetworks', set()): netmask = '128' mynetworks.add(f'[{ip6}]/{netmask}') -my_package = 'pkg_pacman:postfix' if node.has_bundle('pacman') else 'pkg_apt:postfix' +my_package = 'pkg_pacman:postfix' if node.os == 'arch' else 'pkg_apt:postfix' files = { '/etc/mailname': { @@ -86,3 +86,13 @@ svc_systemd = { }, }, } + +if node.os == 'arch': + files['/etc/systemd/system/postfix.service.d/bundlewrap.conf'] = { + 'source': 'arch-override.conf', + 'content_type': 'mako', + 'triggers': { + 'action:systemd-reload', + 'svc_systemd:postfix:restart', + }, + } diff --git a/bundles/postfix/metadata.py b/bundles/postfix/metadata.py index 759f693..b9219f1 100644 
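Review bot: `syslog.ident = php7.4` in the new 8.0 php.ini is a leftover from the 7.4 copy and will label every PHP 8.0 log line as 7.4 in the journal; it should be `syslog.ident = php8.0`. The `[Session]` block also leaves `session.cookie_httponly =` and `session.cookie_samesite =` empty and keeps `session.use_strict_mode = 0`, i.e. the PHP defaults, so session cookies are readable by scripts and caller-supplied session ids are accepted; unless an application in this repo needs otherwise, `session.cookie_httponly = 1`, `session.cookie_samesite = Lax` and `session.use_strict_mode = 1` are the safer baseline for a shared ini. If the file is meant to mirror the 7.4 template, a diff between the two would confirm nothing else diverged unintentionally.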
--- a/bundles/postfix/metadata.py +++ b/bundles/postfix/metadata.py @@ -25,6 +25,7 @@ defaults = { 'pacman': { 'packages': { 'postfix': {}, + 's-nail': {}, }, }, } diff --git a/bundles/simple-icinga-dashboard/items.py b/bundles/simple-icinga-dashboard/items.py index c69c9df..74f05db 100644 --- a/bundles/simple-icinga-dashboard/items.py +++ b/bundles/simple-icinga-dashboard/items.py @@ -34,7 +34,7 @@ directories = { git_deploy = { '/opt/simple-icinga-dashboard/src': { - 'repo': 'https://git.kunsmann.eu/sophie/simple-icinga-dashboard.git', + 'repo': 'https://git.franzi.business/sophie/simple-icinga-dashboard.git', 'rev': 'main', 'triggers': { 'action:simple-icinga-dashboard_install_requirements', diff --git a/data/gitea/files/ssh-keys/htz.ex42-1048908.key.vault b/data/gitea/files/ssh-keys/rx300.key.vault similarity index 100% rename from data/gitea/files/ssh-keys/htz.ex42-1048908.key.vault rename to data/gitea/files/ssh-keys/rx300.key.vault diff --git a/data/gitea/files/ssh-keys/htz.ex42-1048908.pub b/data/gitea/files/ssh-keys/rx300.pub similarity index 100% rename from data/gitea/files/ssh-keys/htz.ex42-1048908.pub rename to data/gitea/files/ssh-keys/rx300.pub diff --git a/data/jenkins-ci/files/ssh-keys/rx300.key.vault b/data/jenkins-ci/files/ssh-keys/rx300.key.vault new file mode 100644 index 0000000..e56190a --- /dev/null +++ b/data/jenkins-ci/files/ssh-keys/rx300.key.vault 
@@ -0,0 +1 @@
+encrypt$gAAAAABg6vNNuCZcmhH52dQDiD4ePsbXhz0kHSjqX3yduJ6E5NylWEdKNtjtrfc9bu1WNnDBO0YpsqxIeax2u1xc6gstohVfbu2MgwGJKpA7J5Py6xiQL82YKJcwV7k0EZ7ilWbqlzXuSDh40KG3GWOTPiw_CbsbDEpCU09x1hUs1_0BTPAU6ln4t7ync7ZjFZf_vRBTlrnZWchzXoSwppzedAZeaptfhMWn_-8oARoYvxJf3pkmTSGjovNMvDak_sscq_M2rldng6_oboR4iTo_6eY6bpCjEGD3xMeSzLhDZsJ4c0l9bZBDef-NRWA7Ewptc4KYKVvzKlgyrByqSV8TCmYn4aBgOusv-VAW3VqKg2rHi3nq5L50zkPwWmHC6_rdtIS-pAlnR5A0HJYdXGyf2eQSq3UkrZA3BIFlqUWrvS8aTWxp9CUL5C9oRGpL8P3fVfExiqhmcLGamHZb1Y2kjxX8EMcSCRLgiVO9DwIpXlEm86HfgVcXaL0wpibM32PD0sspOPILThE5P9WETGhpFAWDkWR0WaYQjZuAVlXTtk8tgdh0vC2auQl2pEVbvvnZaa04Ohp2QgE3AJLg3tdekLciwCQmPm0bpX8xYvJ49vNWG-SCaAlLHzLVIMFXFY53-SBOHYnE
\ No newline at end of file
diff --git a/data/jenkins-ci/files/ssh-keys/rx300.pub b/data/jenkins-ci/files/ssh-keys/rx300.pub
new file mode 100644
index 0000000..55ce7ec
--- /dev/null
+++ b/data/jenkins-ci/files/ssh-keys/rx300.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHZnYhsdtGUYJiFcvfqTLljGkInnFTOoDF/WZniLtPjH
diff --git a/data/nginx/files/extras/htz-cloud.miniserver/dimension.sophies-kitchen.eu b/data/nginx/files/extras/htz-cloud.miniserver/dimension.sophies-kitchen.eu
deleted file mode 100644
index aa5cff2..0000000
--- a/data/nginx/files/extras/htz-cloud.miniserver/dimension.sophies-kitchen.eu
+++ /dev/null
@@ -1,6 +0,0 @@
- add_header Content-Security-Policy "frame-ancestors 'self' chat.sophies-kitchen.eu";
-
- location /.well-known/matrix/ {
- alias /etc/matrix-synapse/wellknown/;
- add_header Access-Control-Allow-Origin *;
- }
diff --git a/data/nginx/files/extras/htz-cloud.miniserver/matrix-dimension b/data/nginx/files/extras/htz-cloud.miniserver/matrix-dimension
new file mode 100644
index 0000000..e13c482
--- /dev/null
+++ b/data/nginx/files/extras/htz-cloud.miniserver/matrix-dimension
@@ -0,0 +1 @@
+add_header Content-Security-Policy "frame-ancestors 'self' chat.sophies-kitchen.eu";
diff --git a/data/powerdns/files/bind-zones/franzi.business b/data/powerdns/files/bind-zones/franzi.business index 3fadfdb..b811603 100644 --- a/data/powerdns/files/bind-zones/franzi.business +++ b/data/powerdns/files/bind-zones/franzi.business @@ -2,8 +2,9 @@ ${header} $ORIGIN franzi.business. -@ IN A 94.130.52.224 - IN AAAA 2a01:4f8:10b:2a5f::2 +; ends up on rx300.kunbox.net +@ IN A 31.47.232.106 + IN AAAA 2a00:f820:528::2 IN MX 10 mx0.kunbox.net. IN TXT "v=spf1 mx ~all" @@ -13,6 +14,9 @@ chat IN AAAA 2a01:4f8:10b:2a5f::2 dimension IN A 94.130.52.224 dimension IN AAAA 2a01:4f8:10b:2a5f::2 +git IN CNAME rx300.kunbox.net. +jenkins IN CNAME rx300.kunbox.net. + matrix IN A 94.130.52.224 matrix IN AAAA 2a01:4f8:10b:2a5f::2 @@ -24,7 +28,6 @@ sewfile IN CNAME sewfile.htz-cloud.kunbox.net. rss IN CNAME rx300.kunbox.net. status IN CNAME icinga2.ovh.kunbox.net. - travelynx IN CNAME rx300.kunbox.net. unicornsden IN CNAME rx300.kunbox.net. diff --git a/data/powerdns/files/bind-zones/kunsmann.eu b/data/powerdns/files/bind-zones/kunsmann.eu index b38fcf0..8f10382 100644 --- a/data/powerdns/files/bind-zones/kunsmann.eu +++ b/data/powerdns/files/bind-zones/kunsmann.eu @@ -10,17 +10,11 @@ $ORIGIN kunsmann.eu. dav IN A 94.130.52.224 dav IN AAAA 2a01:4f8:10b:2a5f::2 -git IN A 94.130.52.224 -git IN AAAA 2a01:4f8:10b:2a5f::2 - grafana IN CNAME influxdb.htz-cloud.kunbox.net. icinga IN CNAME icinga2.ovh.kunbox.net. influxdb IN CNAME influxdb.htz-cloud.kunbox.net. statusmonitor.icinga IN CNAME icinga2.ovh.kunbox.net. -jenkins IN A 94.130.52.224 -jenkins IN AAAA 2a01:4f8:10b:2a5f::2 - mta-sts IN A 94.130.52.224 mta-sts IN AAAA 2a01:4f8:10b:2a5f::2 
@@ -29,8 +23,8 @@ luther-ps IN CNAME luther.htz-cloud.kunbox.net. paste IN A 94.130.52.224 paste IN AAAA 2a01:4f8:10b:2a5f::2 -rss IN A 94.130.52.224 -rss IN AAAA 2a01:4f8:10b:2a5f::2 +; legacy, for redirect +git IN CNAME ex42-1048908.htz.kunbox.net. _dmarc IN TXT "v=DMARC1; p=quarantine; rua=mailto:postmaster@kunsmann.eu; ruf=mailto:postmaster@kunsmann.eu; fo=0:d:s; adkim=r; aspf=r" _mta-sts IN TXT "v=STSv1;id=20201111;" diff --git a/data/travelynx/files/imprint/rx300 b/data/travelynx/files/imprint/rx300 index 77cb78a..031c68d 100644 --- a/data/travelynx/files/imprint/rx300 +++ b/data/travelynx/files/imprint/rx300 @@ -9,7 +9,7 @@

Datenschutz

Logdateien des Webservers

-

Der Webserver fertigt keine Logdateien an. Interessierte können sich in meinem Gitea die aktuelle nginx-Konfiguration des Servers ansehen.

+

Der Webserver fertigt keine Logdateien an. Interessierte können sich in meinem Gitea die aktuelle nginx-Konfiguration des Servers ansehen.

Account-spezifische Daten

diff --git a/libs/faults.py b/libs/faults.py index 2995249..ad3735c 100644 --- a/libs/faults.py +++ b/libs/faults.py @@ -1,6 +1,39 @@ from json import loads, dumps from bundlewrap.metadata import metadata_to_json +from bundlewrap.utils import Fault + def resolve_faults(dictionary: dict) -> dict: return loads(metadata_to_json(dictionary)) + + +def ensure_fault_or_none(maybe_fault): + if maybe_fault is None or isinstance(maybe_fault, Fault): + return maybe_fault + + return Fault(maybe_fault, lambda f: f, f=maybe_fault) + + +def join_faults(faults, by=' '): + result = [] + id_list = [] + + for item in faults: + result.append(ensure_fault_or_none(item)) + + if isinstance(item, Fault): + id_list += item.id_list + else: + id_list.append(item) + + id_list += [ + 'joined_by', + by, + ] + + return Fault( + id_list, + lambda o: by.join([i.value for i in o]), + o=result, + ) diff --git a/nodes/aurto.py b/nodes/aurto.py index 69fda0b..45d1adf 100644 --- a/nodes/aurto.py +++ b/nodes/aurto.py @@ -2,6 +2,7 @@ nodes['aurto'] = { 'hostname': '31.47.232.107', 'bundles': { 'backup-client', + 'check-mail-received', }, 'groups': { 'arch', @@ -18,6 +19,13 @@ nodes['aurto'] = { '/var/cache/pacman/aurto', }, }, + 'check-mail-received': { + 't-online': { + 'email': 'franzi.kunsmann@t-online.de', + 'imap_host': 'secureimap.t-online.de', + 'imap_pass': bwpass.attr('t-online.de/franzi.kunsmann@t-online.de', 'imap'), + }, + }, 'interfaces': { 'enp1s0': { 'ips': { 
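Review bot: `join_faults` lets `None` items through `ensure_fault_or_none` but then resolves them with `by.join([i.value for i in o])`, so a `None` in `faults` (e.g. an optional metadata value that is unset) is not rejected when the Fault is built and instead fails with an `AttributeError` on `.value` at the point where the command string is rendered, far from the caller. Either skip such items before wrapping them (`if item is None: continue` at the top of the loop) or raise a `ValueError` naming the position so the offending metadata is obvious. The function also has no docstring; a two-line one stating that it returns a single Fault whose value is the `by`-joined values of the inputs, with the id list extended by `'joined_by'` and the separator, would explain the otherwise opaque `id_list` construction.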
@@ -55,6 +63,9 @@ nodes['aurto'] = { # kunsi 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICYst1HK+gJYhNxzqJGnz4iB73pa89Xz2yH+8wufOcsA', 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC+ja1z5VRQzaKCCePsUM14qMr9QR94qlWc7Je5Poki9UmC1t/TyxRVzcCBL1ZdIfBGx6QKtfkEbvhgb3nxVt3PvXjoJrc6wwGLmNrVsU6B88y35g7nzupQiPKYJwkNzJ9j6Dmkgj1F5Q+aY2SitDaX6vqICLJ4Al/ZFw2IQxVJfC7JXRJ9jRMG5o9gWoE3gWDYEAmw+HU2mNzyeuaD12qJw9DHUimAlgkOWzll3gh9WclsYnnXGrCCn5fyHFUCJl+XXAIy519z7YTpKih02rsIOw5dnaGClBZD/YQu2ZKVFZiwIVH7aBiqHOmtgRyWTQgjbh/fMpIN0ar2f/iZsWYUjd6et48TOmXZYIPCQ5FivXNvxt9oo1XZfq76UHBwlmypLJIWROMbz375n2M6hr3hECuxuPjKEUXAv05KiC1aJ4xc6pFoVhqwAR99hvHw5U4o7/ko2NVjNpTu6Jr5DT5VaQLIdDDjC/93kUjMpdD/8P72bEn7454+WexU6OE6uvNiHj1fetrptr2UAuzVfnCoaV8pBqY7X95gk+lnSENdpr8ltJYMg8s0Z7Pzz0OxsZtzzDY5VmWfC9TCdJkN5lT8IbnaixsYlWdjQl1lMmZGElmelfU3K7YQLAbZiHmHKe4hTl9ZoCcWdTQ3d4y2t1DBos+N2HZNdtFCyOS8esDdMw== cardno:000609506971', + # n0emis + 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEcOPtW5FWNIdlMQFoqeyA1vHw+cA8ft8oXSbXPzQNL9 n0emis@n0emis.eu', + 'ssh-rsa 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 simeon@noemis.me (OLD)', }, }, 'kunsi': { diff --git a/nodes/htz-cloud/miniserver.py b/nodes/htz-cloud/miniserver.py index 1085b16..f28568c 100644 --- a/nodes/htz-cloud/miniserver.py +++ b/nodes/htz-cloud/miniserver.py @@ -4,6 +4,7 @@ nodes['htz-cloud.miniserver'] = { 'bundles': { 'element-web', + 'matrix-dimension', 'matrix-media-repo', 'matrix-synapse', 'nodejs', @@ -58,7 +59,7 @@ nodes['htz-cloud.miniserver'] = { }, 'element-web': { 'url': 'chat.sophies-kitchen.eu', - 'version': 'v1.7.31', + 'version': 'v1.7.32', 'config': { 'default_server_config': { 'm.homeserver': { 
@@ -68,10 +69,10 @@ nodes['htz-cloud.miniserver'] = { }, 'brand': 'sophies-kitchen.eu', 'showLabsSettings': True, - 'integrations_ui_url': 'https://dimension.franzi.business/riot', - 'integrations_rest_url': 'https://dimension.franzi.business/api/v1/scalar', + 'integrations_ui_url': 'https://dimension.sophies-kitchen.eu/riot', + 'integrations_rest_url': 'https://dimension.sophies-kitchen.eu/api/v1/scalar', 'integrations_widgets_urls': { - 'https://dimension.franzi.business/widgets' + 'https://dimension.sophies-kitchen.eu/widgets' }, 'default_theme': 'dark', 'defaultCountryCode': 'DE', @@ -103,6 +104,21 @@ nodes['htz-cloud.miniserver'] = { }, }, }, + 'matrix-dimension': { + 'url': 'dimension.sophies-kitchen.eu', + 'version': 'master', # doesn't have releases yet + 'homeserver': { + 'name': 'sophies-kitchen.eu', + 'clientServerUrl': 'https://matrix.sophies-kitchen.eu', + 'accessToken': vault.decrypt('encrypt$gAAAAABg4btB0KGk068ahGZzR0w_Lm1bj1wUbB2WfNNs2bp3PwM4Ftp6MjQnrF-CejZfrF0NjPJw9Z4MrgileHP0sVw04mvgKSHfTf8gv4kTB6WuCIxHeMWHUDx00LTWL73fSlhCK0o1'), + }, + 'admins': [ + '@sophie:sophies-kitchen.eu', + ], + 'telegram': { + 'botToken': vault.decrypt('encrypt$gAAAAABg4bcQVzBF_iXdDtjRQD-O37GHdbHwWXyhCLPOuJLbv3ezUeXKR203hkCXkjfItSHi4NiTEgQPadDZTRkavaRpvAoaQV1a4srCS_Y-NU4RiOmkrVFJ_Xhw6UZvwjQUQ0QPOx9t'), + }, + }, 'matrix-media-repo': { 'version': 'v1.2.8', 'homeservers': { @@ -144,6 +160,14 @@ nodes['htz-cloud.miniserver'] = { 'bot_token': '""', }, }, + 'nameservers': { + '213.133.98.98', + '213.133.99.99', + '213.133.100.100', + '2a01:4f8:0:1::add:1010', + '2a01:4f8:0:1::add:9999', + '2a01:4f8:0:1::add:9898', + }, 'nftables': { 'rules': { 'input': { 
@@ -156,16 +180,9 @@ nodes['htz-cloud.miniserver'] = { }, 'nginx': { 'vhosts': { - #'dimension.sophies-kitchen.eu': { - # 'extras': True, - # 'do_not_set_content_security_headers': True, - # 'max_body_size': '50M', - # 'locations': { - # '/': { - # 'target': 'http://127.0.0.1:8184', - # }, - # }, - #}, + 'matrix-dimension': { + 'extras': True, + }, 'sophies-kitchen.eu': { 'webroot': '/var/www/sophies-kitchen.eu/_site/', 'extras': True, diff --git a/nodes/htz-cloud/pirmasens.py b/nodes/htz-cloud/pirmasens.py index 5953245..18b1b76 100644 --- a/nodes/htz-cloud/pirmasens.py +++ b/nodes/htz-cloud/pirmasens.py @@ -1,5 +1,6 @@ nodes['htz-cloud.pirmasens'] = { 'bundles': { + 'check-mail-received', 'dovecot', 'php', 'postfixadmin', @@ -23,6 +24,13 @@ nodes['htz-cloud.pirmasens'] = { 'gateway6': 'fe80::1', }, }, + 'check-mail-received': { + 't-online': { + 'email': 'franzi.kunsmann@t-online.de', + 'imap_host': 'secureimap.t-online.de', + 'imap_pass': bwpass.attr('t-online.de/franzi.kunsmann@t-online.de', 'imap'), + }, + }, 'icinga_options': { 'pretty_name': 'kunsmann.info', }, diff --git a/nodes/htz/ex42-1048908.py b/nodes/htz/ex42-1048908.py index f6d2418..cae81bf 100644 --- a/nodes/htz/ex42-1048908.py +++ b/nodes/htz/ex42-1048908.py @@ -1,9 +1,10 @@ nodes['htz.ex42-1048908'] = { 'bundles': { + 'check-mail-received', 'dovecot', 'element-web', - 'gitea', - 'jenkins-ci', +# 'gitea', +# 'jenkins-ci', 'lm-sensors', 'matrix-media-repo', 'matrix-synapse', 
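Review bot: The new `'matrix-dimension': {'extras': True}` vhost drops the `max_body_size`, `do_not_set_content_security_headers` and upstream-target settings the commented-out block carried; whether the matrix-dimension bundle now supplies those through its own nginx metadata (and targets the 20030 port from PORT_MAP.md rather than 8184) cannot be confirmed from this hunk. If CSP headers are now emitted for the integrations UI, that is a deliberate hardening worth a comment; if it is accidental, the widget iframes may stop loading. The enclosing dict continues outside the hunk.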
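Review bot: `imap_pass` is resolved with `bwpass.attr(...)` and handed to the check plugin added earlier in this commit, which takes the password as a positional argument, so at every check run the mailbox password is visible in the process list to any local account on the node. Prefer passing it through the environment or a mode-0600 file the plugin reads, with the Icinga command definition adjusted to match (not visible here). The identical `'t-online'` block is repeated verbatim for htz.ex42-1048908 and rx300 in this commit, so three hosts poll the same mailbox with the same credential; a group-level definition, or a single polling node, would avoid the triplication. The enclosing nodes['htz-cloud.pirmasens'] dict starts and ends outside the hunk.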
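Review bot: Commenting out `'gitea'` and `'jenkins-ci'` with `#` at column 0 keeps dead configuration in the file instead of deleting it, and the same treatment in this file's later hunks (the whole `'gitea'` block with its `vault.decrypt(...)` ciphertexts, the `'franzi.business'` and `'jenkins.kunsmann.eu'` vhosts) leaves roughly sixty commented lines that will drift from the live rx300 copy — the `m.server` fix was even applied inside one of them. Since both services move to rx300 in this commit, remove the entries; git history preserves them. Commented-out ciphertexts are also one more place the old secret values linger after a rotation. The enclosing nodes['htz.ex42-1048908'] dict continues outside the hunk.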
@@ -86,8 +87,12 @@ nodes['htz.ex42-1048908'] = { '/opt/matrix/matrix-dimension', }, }, - 'cron': { - 'telekom_nervkram': vault.decrypt('encrypt$gAAAAABfqXi23M96wrSLhqlbhqgePYX06LjPXfyQU2y_07kqYYLztj_PhS1-dk4r5FiiL2Ofmx5iCKW1sZNqiQSuHj2uKaitH0GnwHqj5CI2JwkAS9HrFxw=').format_into('0 0 * * * root date | mail -s \'daily test mail \' -r postmaster@mx0.kunbox.net {}'), + 'check-mail-received': { + 't-online': { + 'email': 'franzi.kunsmann@t-online.de', + 'imap_host': 'secureimap.t-online.de', + 'imap_pass': bwpass.attr('t-online.de/franzi.kunsmann@t-online.de', 'imap'), + }, }, 'element-web': { 'url': 'chat.franzi.business', 
@@ -113,27 +118,27 @@ nodes['htz.ex42-1048908'] = { }, }, }, - 'gitea': { - 'version': '1.14.3', - 'sha256': '50c25c094ae109f49e276cd00ddc48a0a240b7670e487ae1286cc116d4cdbcf2', - 'domain': 'git.kunsmann.eu', - 'email_domain_blocklist': { - 'gmail.com', - 'yahoo.com', - 'aol.com', - 'comcast.net', - 'verizon.net', - 'hotmail.com', - 'cox.net', - 'msn.com', - }, - 'enable_git_hooks': True, - 'install_ssh_key': True, - 'internal_token': vault.decrypt('encrypt$gAAAAABfPncYwCX-NdBr9LdxLyGqmjRJqhmwMnWsdZy6kVOWdKrScW78xaqbJ1tpL1J4qa2hcZ7TQj3l-2mkyJNJOenGzU3TsI-gYMj9vC4m8Bhur5zboxjD4dQXaJbD1WSyHJ9sPJYsWP3Gjg6I19xeq9xMlAI6xaS9vOfuoI8nZnnQPx1NjfQEj03Jxf8a0-3F20sfICst1xRa5K48bpq1PFkK_oRojg=='), - 'lfs_secret_key': vault.decrypt('encrypt$gAAAAABfPnd1vgNDt86-91YhviQw8Z0djSp4f_tBt76klDv-ZcwxP1ryJzqJ7qnfaTe_6DYCfc82gEzvVDsyBlCoAkGpt1AI2_LCKetuSCnDPjtGvwdQl3A53lFEdG2UJl1uUiR7f8Vr'), - 'oauth_secret_key': vault.decrypt('encrypt$gAAAAABfPnbfTISbldhS0WyxVKBHVVoOMcar7Kxmh1kkmiUGd-RzbbnNzzhEER_owjttPQcACPfGKZ6WklaSsXjLq8km4P6A9QmPbC06GmHbc91m0odCb1KiY7SZeUD35PiRiGSq50dz'), - 'security_secret_key': vault.decrypt('encrypt$gAAAAABfPnc-R7pkDj4pQgHDb6pzlNYNJgiWdeBFsX7IsHSnCtNPbZxCdtSL8cHtQzVO1KbSxS7zCwssmgiR8Kj54Z-koD-FQbjpbKWoIPw8SsyeqBVlZhIeEzhw_1t7_7ZTvv1O8AePdNYel9JJb_TaAZ8Vx46ZfsEPy8zaaHrqOekHC6RAnB4='), - }, +# 'gitea': { +# 'version': '1.14.3', +# 'sha256': '50c25c094ae109f49e276cd00ddc48a0a240b7670e487ae1286cc116d4cdbcf2', +# 'domain': 'git.kunsmann.eu', +# 'email_domain_blocklist': { +# 'gmail.com', +# 'yahoo.com', +# 'aol.com', +# 'comcast.net', +# 'verizon.net', +# 'hotmail.com', +# 'cox.net', +# 'msn.com', +# }, +# 'enable_git_hooks': True, +# 'install_ssh_key': True, +# 'internal_token': vault.decrypt('encrypt$gAAAAABfPncYwCX-NdBr9LdxLyGqmjRJqhmwMnWsdZy6kVOWdKrScW78xaqbJ1tpL1J4qa2hcZ7TQj3l-2mkyJNJOenGzU3TsI-gYMj9vC4m8Bhur5zboxjD4dQXaJbD1WSyHJ9sPJYsWP3Gjg6I19xeq9xMlAI6xaS9vOfuoI8nZnnQPx1NjfQEj03Jxf8a0-3F20sfICst1xRa5K48bpq1PFkK_oRojg=='), +# 'lfs_secret_key': 
vault.decrypt('encrypt$gAAAAABfPnd1vgNDt86-91YhviQw8Z0djSp4f_tBt76klDv-ZcwxP1ryJzqJ7qnfaTe_6DYCfc82gEzvVDsyBlCoAkGpt1AI2_LCKetuSCnDPjtGvwdQl3A53lFEdG2UJl1uUiR7f8Vr'), +# 'oauth_secret_key': vault.decrypt('encrypt$gAAAAABfPnbfTISbldhS0WyxVKBHVVoOMcar7Kxmh1kkmiUGd-RzbbnNzzhEER_owjttPQcACPfGKZ6WklaSsXjLq8km4P6A9QmPbC06GmHbc91m0odCb1KiY7SZeUD35PiRiGSq50dz'), +# 'security_secret_key': vault.decrypt('encrypt$gAAAAABfPnc-R7pkDj4pQgHDb6pzlNYNJgiWdeBFsX7IsHSnCtNPbZxCdtSL8cHtQzVO1KbSxS7zCwssmgiR8Kj54Z-koD-FQbjpbKWoIPw8SsyeqBVlZhIeEzhw_1t7_7ZTvv1O8AePdNYel9JJb_TaAZ8Vx46ZfsEPy8zaaHrqOekHC6RAnB4='), +# }, 'icinga_options': { 'pretty_name': 'kunsmann.eu', }, 
@@ -295,46 +300,53 @@ nodes['htz.ex42-1048908'] = { }, }, }, - 'franzi.business': { - 'webroot': '/var/www/franzi.business/_site/', - 'locations': { - '/.well-known/matrix/client': { - 'return': json_dumps({ - 'm.homeserver': { - 'base_url': 'https://matrix.franzi.business', - }, - 'm.identity_server': { - 'base_url': 'https://matrix.org', - }, - 'im.vector.riot.jitsi': { - 'preferredDomain': 'meet.ffmuc.net', - }, - }, sort_keys=True), - 'additional_config': { - 'default_type application/json', - 'add_header Access-Control-Allow-Origin *', - }, - }, - '/.well-known/matrix/server': { - 'return': json_dumps({ - 'm.server': 'https://matrix.franzi.business', - }, sort_keys=True), - 'additional_config': { - 'default_type application/json', - 'add_header Access-Control-Allow-Origin *', - }, - }, - }, - }, - 'jenkins.kunsmann.eu': { +# 'franzi.business': { +# 'webroot': '/var/www/franzi.business/_site/', +# 'locations': { +# '/.well-known/matrix/client': { +# 'return': json_dumps({ +# 'm.homeserver': { +# 'base_url': 'https://matrix.franzi.business', +# }, +# 'm.identity_server': { +# 'base_url': 'https://matrix.org', +# }, +# 'im.vector.riot.jitsi': { +# 'preferredDomain': 'meet.ffmuc.net', +# }, +# }, sort_keys=True), +# 'additional_config': { +# 'default_type application/json', +# 'add_header Access-Control-Allow-Origin *', +# }, +# }, +# '/.well-known/matrix/server': { +# 'return': json_dumps({ +# 'm.server': 'matrix.franzi.business:443', +# }, sort_keys=True), +# 'additional_config': { +# 'default_type application/json', +# 'add_header Access-Control-Allow-Origin *', +# }, +# }, +# }, +# }, + 'git.kunsmann.eu': { 'locations': { '/': { - 'target': 'http://localhost:22010/', + 'redirect': 'https://git.franzi.business$request_uri', }, }, - 'website_check_path': '/login', - 'website_check_string': 'Welcome to Jenkins', }, +# 'jenkins.kunsmann.eu': { +# 'locations': { +# '/': { +# 'target': 'http://localhost:22010/', +# }, +# }, +# 'website_check_path': '/login', +# 
'website_check_string': 'Welcome to Jenkins', +# }, 'kunbox.net': {}, 'kunsmann.eu': { 'locations': { @@ -384,7 +396,7 @@ nodes['htz.ex42-1048908'] = { }, '/.well-known/matrix/server': { 'return': json_dumps({ - 'm.server': 'https://matrix.franzi.business', + 'm.server': 'matrix.franzi.business:443', }, sort_keys=True), 'additional_config': { 'default_type application/json', diff --git a/nodes/rx300.py b/nodes/rx300.py index 636ed45..d66a7b0 100644 --- a/nodes/rx300.py +++ b/nodes/rx300.py @@ -7,8 +7,12 @@ nodes['rx300'] = { 'hostname': '31.47.232.106', 'bundles': { + 'check-mail-received', + 'gitea', + 'jenkins-ci', 'lm-sensors', 'miniflux', + 'php', 'postgresql', 'smartd', 'travelynx', @@ -33,6 +37,15 @@ nodes['rx300'] = { 'apt': { 'packages': { 'ipmitool': {}, + + # for franzi.business deployment + 'ruby': {}, + 'ruby-dev': {}, + 'ruby-bundler': {}, + + # more php + 'php-imagick': {}, + 'php-yaml': {}, }, # XXX remove this once nginx.org has packages for debian bullseye 'repos': { 
@@ -43,23 +56,105 @@ nodes['rx300'] = { }, }, }, + 'check-mail-received': { + 't-online': { + 'email': 'franzi.kunsmann@t-online.de', + 'imap_host': 'secureimap.t-online.de', + 'imap_pass': bwpass.attr('t-online.de/franzi.kunsmann@t-online.de', 'imap'), + }, + }, + 'gitea': { + 'version': '1.14.4', + 'sha256': 'e1ce2fadcf6561cb2543b44b9f1382d6ce4be29ed8edd6d9d7080a218aa114b0', + 'domain': 'git.franzi.business', + 'email_domain_blocklist': { + 'gmail.com', + 'yahoo.com', + 'aol.com', + 'comcast.net', + 'verizon.net', + 'hotmail.com', + 'cox.net', + 'msn.com', + }, + 'enable_git_hooks': True, + 'install_ssh_key': True, + 'internal_token': vault.decrypt('encrypt$gAAAAABfPncYwCX-NdBr9LdxLyGqmjRJqhmwMnWsdZy6kVOWdKrScW78xaqbJ1tpL1J4qa2hcZ7TQj3l-2mkyJNJOenGzU3TsI-gYMj9vC4m8Bhur5zboxjD4dQXaJbD1WSyHJ9sPJYsWP3Gjg6I19xeq9xMlAI6xaS9vOfuoI8nZnnQPx1NjfQEj03Jxf8a0-3F20sfICst1xRa5K48bpq1PFkK_oRojg=='), + 'lfs_secret_key': vault.decrypt('encrypt$gAAAAABfPnd1vgNDt86-91YhviQw8Z0djSp4f_tBt76klDv-ZcwxP1ryJzqJ7qnfaTe_6DYCfc82gEzvVDsyBlCoAkGpt1AI2_LCKetuSCnDPjtGvwdQl3A53lFEdG2UJl1uUiR7f8Vr'), + 'oauth_secret_key': vault.decrypt('encrypt$gAAAAABfPnbfTISbldhS0WyxVKBHVVoOMcar7Kxmh1kkmiUGd-RzbbnNzzhEER_owjttPQcACPfGKZ6WklaSsXjLq8km4P6A9QmPbC06GmHbc91m0odCb1KiY7SZeUD35PiRiGSq50dz'), + 'security_secret_key': vault.decrypt('encrypt$gAAAAABfPnc-R7pkDj4pQgHDb6pzlNYNJgiWdeBFsX7IsHSnCtNPbZxCdtSL8cHtQzVO1KbSxS7zCwssmgiR8Kj54Z-koD-FQbjpbKWoIPw8SsyeqBVlZhIeEzhw_1t7_7ZTvv1O8AePdNYel9JJb_TaAZ8Vx46ZfsEPy8zaaHrqOekHC6RAnB4='), + }, 'icinga_options': { 'pretty_name': 'franzi.business', }, + 'jenkins-ci': { + 'install_ssh_key': True, + }, 'miniflux': { 'domain': 'rss.franzi.business', }, 'nginx': { 'vhosts': { - 'miniflux': { + 'gitea': {'ssl': '_.franzi.business'}, + 'miniflux': {'ssl': '_.franzi.business'}, + 'franzi.business': { + 'webroot': '/var/www/franzi.business/_site/', 'ssl': '_.franzi.business', + 'locations': { + '/.well-known/matrix/client': { + 'return': json_dumps({ + 'm.homeserver': { + 
'base_url': 'https://matrix.franzi.business', + }, + 'm.identity_server': { + 'base_url': 'https://matrix.org', + }, + 'im.vector.riot.jitsi': { + 'preferredDomain': 'meet.ffmuc.net', + }, + }, sort_keys=True), + 'additional_config': { + 'default_type application/json', + 'add_header Access-Control-Allow-Origin *', + }, + }, + '/.well-known/matrix/server': { + 'return': json_dumps({ + 'm.server': 'matrix.franzi.business:443', + }, sort_keys=True), + 'additional_config': { + 'default_type application/json', + 'add_header Access-Control-Allow-Origin *', + }, + }, + }, }, - 'unicornsden': { + 'jenkins': { + 'domain': 'jenkins.franzi.business', + 'ssl': '_.franzi.business', + 'locations': { + '/': { + 'target': 'http://localhost:22010/', + }, + }, + 'website_check_path': '/login', + 'website_check_string': 'Welcome to Jenkins', + }, + 'unicornsden-redirect': { 'domain': 'unicornsden.franzi.business', 'ssl': '_.franzi.business', + 'locations': { + '/': { + 'redirect': 'https://map.unicornsden.com/', + }, + }, + }, + 'unicornsden': { + 'domain': 'map.unicornsden.com', + 'php': True, 'webroot_config': { - 'owner': 'kunsi', - 'group': 'kunsi', + 'owner': 'jenkins', + 'group': 'jenkins', 'mode': '0755', }, }, @@ -80,6 +175,19 @@ nodes['rx300'] = { }, }, }, + 'php': { + 'version': '8.0', + 'packages': { + 'gd', + 'imap', + 'intl', + 'mbstring', + 'opcache', + 'pgsql', + 'readline', + 'xml', + }, + }, 'postgresql': { 'version': '13', },
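Review bot: The gitea `internal_token`, `lfs_secret_key`, `oauth_secret_key` and `security_secret_key` ciphertexts here are identical to the ones commented out on htz.ex42-1048908 in this same commit, so the service changes host without rotating any of its secrets, and any copy left on the old host (state, backups) keeps matching the live instance. A migration is the natural point to rotate them; pinning `'sha256'` for the 1.14.4 download is good and should stay. Separately, `unicornsden` sets `'php': True` on a webroot now owned by `jenkins`, which means PHP may execute files the CI account writes; confirm the bundle keeps the deploy user distinct from what php-fpm serves, or use a dedicated deploy account as owner. The enclosing nodes['rx300'] dict continues outside the hunk.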