diff --git a/bundles/backup-server/files/check_backup_for_node-cron b/bundles/backup-server/files/check_backup_for_node-cron index ff1a368..b82217d 100644 --- a/bundles/backup-server/files/check_backup_for_node-cron +++ b/bundles/backup-server/files/check_backup_for_node-cron @@ -15,15 +15,16 @@ for line in check_output('LC_ALL=C zfs list -H -t snapshot -o name', shell=True) line = line.decode('UTF-8') if line.startswith('{}/'.format(server_settings['zfs-base'])): - try: - dataset, snapname = line.split('@', 1) + dataset, snapname = line.split('@', 1) - dataset = dataset.split('/')[-1] - ts, bucket = snapname.split('-', 1) + dataset = dataset.split('/')[-1] + ts, bucket = snapname.split('-', 1) - snapshots[dataset].add(int(ts)) - except Exception as e: - print(f"Exception while parsing snapshot name {line!r}: {e!r}") + if not ts.isdigit(): + # garbage, ignore + continue + + snapshots[dataset].add(int(ts)) backups = {} for dataset, snaps in snapshots.items(): diff --git a/bundles/backup-server/metadata.py b/bundles/backup-server/metadata.py index 6714288..aace61b 100644 --- a/bundles/backup-server/metadata.py +++ b/bundles/backup-server/metadata.py 
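Review bot: The new `isdigit()` guard only covers a non-numeric timestamp; `ts, bucket = snapname.split('-', 1)` on the new side still raises ValueError for a snapshot name without a `-`, and the `try` that used to absorb that is gone, so one odd snapshot now aborts the whole check run instead of being skipped. Use a non-raising split, `ts, _, bucket = snapname.partition('-')`, followed by the existing `isdigit()` test, or add `if '-' not in snapname: continue` before the unpack. The `for` loop this sits in starts before the hunk.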
@@ -83,24 +83,47 @@ def zfs_pool(metadata): devices = metadata.get('backup-server/encrypted-devices') - pool_devices = set() + # TODO remove this once we have migrated all systems + if isinstance(devices, dict): + pool_devices = set() - for device, dconfig in devices.items(): - crypt_devices[dconfig['device']] = { - 'dm-name': f'backup-{device}', - 'passphrase': dconfig['passphrase'], - } - pool_devices.add(f'/dev/mapper/backup-{device}') - unlock_actions.add(f'action:dm-crypt_open_backup-{device}') + for number, (device, passphrase) in enumerate(sorted(devices.items())): + crypt_devices[device] = { + 'dm-name': f'backup{number}', + 'passphrase': passphrase, + } + pool_devices.add(f'/dev/mapper/backup{number}') + unlock_actions.add(f'action:dm-crypt_open_backup{number}') - pool_config = [{ - 'devices': pool_devices, - }] + pool_config = [{ + 'devices': pool_devices, + }] - if len(pool_devices) > 2: - pool_config[0]['type'] = 'raidz' - elif len(pool_devices) > 1: - pool_config[0]['type'] = 'mirror' + if len(pool_devices) > 2: + pool_config[0]['type'] = 'raidz' + elif len(pool_devices) > 1: + pool_config[0]['type'] = 'mirror' + + elif isinstance(devices, list): + pool_config = [] + + for idx, intended_pool in enumerate(devices): + pool_devices = set() + + for number, (device, passphrase) in enumerate(sorted(intended_pool.items())): + crypt_devices[device] = { + 'dm-name': f'backup{idx}-{number}', + 'passphrase': passphrase, + } + pool_devices.add(f'/dev/mapper/backup{idx}-{number}') + unlock_actions.add(f'action:dm-crypt_open_backup{idx}-{number}') + + pool_config.append({ + 'devices': pool_devices, + 'type': 'raidz', + }) + else: + raise BundleError(f'{node.name}: unsupported configuration for backup-server/encrypted-devices') return { 'backup-server': { diff --git a/bundles/docker-immich/files/immich-auto-album-share.py b/bundles/docker-immich/files/immich-auto-album-share.py index cafd32c..863f8b2 100644 --- a/bundles/docker-immich/files/immich-auto-album-share.py 
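Review bot: In the new list branch `'type': 'raidz'` is emitted for every intended pool regardless of how many devices it holds, while the dict branch above still picks mirror/raidz by device count; a one-device entry would be rejected by zpool and a two-device entry gets raidz where the other branch would build a mirror. Apply the same count-based selection there, e.g. append the entry without a type and then `if len(pool_devices) > 2:` set `'raidz'`, `elif len(pool_devices) > 1:` set `'mirror'`, or state in a comment that list entries must hold at least three devices. The dm-name `backup{idx}-{number}` is derived from sort position, so adding a device that sorts earlier renumbers the existing mappings and the `action:dm-crypt_open_backup…` names they depend on; worth a comment. `zfs_pool` starts before this hunk and `crypt_devices`/`unlock_actions` are initialised outside it.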
+++ b/bundles/docker-immich/files/immich-auto-album-share.py @@ -1,6 +1,5 @@ #!/usr/bin/env python3 -import logging from json import loads from os import environ from subprocess import check_output @@ -13,8 +12,6 @@ PSQL_USER = environ['DB_USERNAME'] PSQL_PASS = environ['DB_PASSWORD'] PSQL_DB = environ['DB_DATABASE_NAME'] -logging.basicConfig(level=logging.INFO) - docker_networks = loads(check_output(['docker', 'network', 'inspect', 'aaarghhh'])) container_ip = None @@ -29,11 +26,11 @@ for network in docker_networks: container_ip = container['IPv4Address'].split('/')[0] if not container_ip: - logging.error(f'could not find ip address for container {PSQL_HOST=} in json') - logging.debug(f'{docker_networks=}') - exit(0) + print(f'could not find ip address for container {PSQL_HOST=} in json') + print(docker_networks) + exit(1) -logging.debug(f'{PSQL_HOST=} {container_ip=}') +print(f'{PSQL_HOST=} {container_ip=}') conn = psycopg2.connect( dbname=PSQL_DB, @@ -52,7 +49,6 @@ with conn: } for i in cur.fetchall() } - logging.debug(f'{albums=}') with conn.cursor() as cur: cur.execute('SELECT "id","name" FROM users;') 
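Review bot: In the `@@ -29,11 +26,11 @@` hunk the failure message and the full `docker_networks` dump now go to stdout together with the normal progress output, so anything capturing the script's output cannot separate the error from the report; write them to stderr with `print(..., file=sys.stderr)`, which needs `import sys` added next to the remaining imports in the first hunk. Changing the exit code from 0 to 1 on this path is the right call, since the run did not do its job.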
@@ -60,28 +56,25 @@ with conn: i[0]: i[1] for i in cur.fetchall() } - logging.debug(f'{users=}') for album_id, album in albums.items(): - log = logging.getLogger(album["name"]) + print(f'----- working on album: {album["name"]}') with conn: with conn.cursor() as cur: cur.execute('SELECT "usersId" FROM albums_shared_users_users WHERE "albumsId" = %s;', (album_id,)) album_shares = [i[0] for i in cur.fetchall()] - log.info(f'album is shared with {len(album_shares)} users') - log.debug(f'{album_shares=}') + print(f' album is shared with {len(album_shares)} users: {album_shares}') for user_id, user_name in users.items(): if user_id == album['owner'] or user_id in album_shares: continue - log.info(f'sharing album with user {user_name}') - try: - with conn.cursor() as cur: - cur.execute( - 'INSERT INTO albums_shared_users_users ("albumsId","usersId","role") VALUES (%s, %s, %s);', - (album_id, user_id, 'viewer'), - ) - except Exception: - log.exception('failure while creating share') + print(f' sharing album with user {user_name} ... ', end='') + with conn.cursor() as cur: + cur.execute( + 'INSERT INTO albums_shared_users_users ("albumsId","usersId","role") VALUES (%s, %s, %s);', + (album_id, user_id, 'viewer'), + ) + print('done') + print() conn.close() diff --git a/bundles/navidrome/files/navidrome.service b/bundles/navidrome/files/navidrome.service new file mode 100644 index 0000000..90a1816 --- /dev/null +++ b/bundles/navidrome/files/navidrome.service 
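Review bot: Dropping the `try`/`except` around the INSERT means the first failing share (for example a duplicate row added by a concurrent run) raises out of the loop and terminates the script, leaving every later album unshared, where the old code logged and carried on; if the INSERT sits inside the per-album `with conn:` opened earlier in this hunk, that album's inserts are rolled back as well. Keep a narrow handler around the `cur.execute`, `except psycopg2.Error as e: print(f'failed: {e}')`, and record the failure so the script can exit non-zero at the end, consistent with the earlier `exit(1)` path. The enclosing `for album_id, album in albums.items():` loop starts inside this hunk but the `with conn:` indentation is not recoverable from the collapsed view.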
@@ -0,0 +1,44 @@ +[Unit] +Description=Navidrome Music Server and Streamer compatible with Subsonic/Airsonic +After=remote-fs.target network.target +AssertPathExists=/var/opt/navidrome + +[Install] +WantedBy=multi-user.target + +[Service] +User=navidrome +Group=navidrome +Type=simple +ExecStart=/opt/navidrome/navidrome --configfile "/opt/navidrome/config.toml" +WorkingDirectory=/var/opt/navidrome +TimeoutStopSec=20 +KillMode=process +Restart=on-failure + +# See https://www.freedesktop.org/software/systemd/man/systemd.exec.html +DevicePolicy=closed +NoNewPrivileges=yes +PrivateTmp=yes +PrivateUsers=yes +ProtectControlGroups=yes +ProtectKernelModules=yes +ProtectKernelTunables=yes +RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 +RestrictNamespaces=yes +RestrictRealtime=yes +SystemCallFilter=~@clock @debug @module @mount @obsolete @reboot @setuid @swap +ReadWritePaths=/var/opt/navidrome + +# You can uncomment the following line if you're not using the jukebox This +# will prevent navidrome from accessing any real (physical) devices +PrivateDevices=yes + +# You can change the following line to `strict` instead of `full` if you don't +# want navidrome to be able to write anything on your filesystem outside of +# /var/lib/navidrome. +ProtectSystem=full + +# You can uncomment the following line if you don't have any media in /home/*. +# This will prevent navidrome from ever reading/writing anything there. +ProtectHome=true diff --git a/bundles/navidrome/items.py b/bundles/navidrome/items.py new file mode 100644 index 0000000..60e4c04 --- /dev/null +++ b/bundles/navidrome/items.py 
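Review bot: The hardening comments were copied without being reconciled with the values: `PrivateDevices=yes` and `ProtectHome=true` are already active although the comments say "you can uncomment", and the `ProtectSystem` comment refers to `/var/lib/navidrome` while this unit uses `/var/opt/navidrome`, which is already granted via `ReadWritePaths`. With the binary and config read from `/opt/navidrome` and the only writable path whitelisted, `ProtectSystem=strict` looks viable and would also cover `/opt`; rewrite the three comments to state what is set and why. The sandbox could be tightened further with `CapabilityBoundingSet=`, `RestrictSUIDSGID=yes`, `LockPersonality=yes`, `ProtectClock=yes` and `ProtectHostname=yes` if navidrome and ffmpeg tolerate them, and the `SystemCallFilter` denylist is weaker than an `@system-service` allowlist.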
@@ -0,0 +1,59 @@ +users = { + 'navidrome': { + 'home': '/opt/navidrome', + }, +} + +directories = { + '/opt/navidrome': {}, + '/var/opt/navidrome': { + 'owner': 'navidrome', + }, +} +svc_systemd = { + 'navidrome': { + 'needs': { + 'file:/etc/systemd/system/navidrome.service', + 'file:/opt/navidrome/config.toml', + 'action:navidrome_install', + }, + }, +} + +actions['navidrome_install'] = { + 'command': ' && '.join([ + 'tar -C /opt/navidrome -xf /opt/navidrome/navidrome.tar.gz', + ]), + 'after': { + 'pkg_apt:', + }, + 'triggered': True, + 'triggers': { + 'svc_systemd:navidrome:restart', + }, +} + +files = { + '/opt/navidrome/config.toml': { + 'content': repo.libs.faults.dict_as_toml(node.metadata.get('navidrome/config')), + 'triggers': { + 'svc_systemd:navidrome:restart', + }, + }, + '/etc/systemd/system/navidrome.service': { + 'triggers': { + 'action:systemd-reload', + 'svc_systemd:navidrome:restart', + }, + }, + '/opt/navidrome/navidrome.tar.gz': { + 'content_hash': node.metadata.get('navidrome/sha1', None), + 'content_type': 'download', + 'mode': '0755', + 'source': f'https://github.com/navidrome/navidrome/releases/download/v{node.metadata.get('navidrome/version')}/navidrome_{node.metadata.get('navidrome/version')}_linux_amd64.tar.gz', + 'triggers': { + 'action:navidrome_install', + 'svc_systemd:navidrome:restart', + }, + }, +} diff --git a/bundles/navidrome/metadata.py b/bundles/navidrome/metadata.py new file mode 100644 index 0000000..4151c51 --- /dev/null +++ b/bundles/navidrome/metadata.py 
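Review bot: `'content_hash': node.metadata.get('navidrome/sha1', None)` leaves the release download unverified whenever a node does not set `navidrome/sha1`, and the bundle's `defaults` do not define one, so a tarball fetched from GitHub and unpacked into `/opt/navidrome` by `navidrome_install` is trusted on nothing but TLS by default. Drop the default, `'content_hash': node.metadata.get('navidrome/sha1'),`, so a missing hash fails at apply time instead of silently skipping verification. Separately, the `source` f-string nests single quotes inside a single-quoted f-string, which is only valid syntax from Python 3.12 (PEP 701); the same construct appears in the `baseurl` and `nginx` reactors of the new `metadata.py`, so use double quotes inside if older interpreters must load the repo. `'mode': '0755'` on a tarball also seems unnecessary.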
@@ -0,0 +1,77 @@ +defaults = { + 'apt': { + 'packages': { + 'ffmpeg': {}, + 'mpv': {}, + + }, + }, + 'navidrome': { + 'config': { + 'DataFolder': '/var/opt/navidrome', + 'Address': '127.0.0.1', + 'MusicFolder': '/mnt/music', + 'EnableExternalServices': False, + 'LastFM.Enabled': False, + 'ListenBrainz.Enabled': False, + 'PasswordEncryptionKey': repo.vault.password_for('{} encryption navidrome'.format(node.name)), + 'Scanner.Schedule': '@every 72h', + 'Port': 4533, + }, + }, + 'zfs': { + 'datasets': { + 'tank/navidrome': {}, + 'tank/navidrome/install': { + 'mountpoint': '/opt/navidrome', + 'needed_by': { + 'directory:/opt/navidrome', + }, + }, + 'tank/navidrome/home': { + 'mountpoint': '/var/opt/navidrome', + 'needed_by': { + 'directory:/var/opt/navidrome', + }, + }, + }, + }, +} + + +@metadata_reactor.provides( + 'navidrome/config/baseurl', +) +def baseurl(metadata): + return { + 'navidrome': { + 'config': { + 'BaseUrl': f'https://{metadata.get('navidrome/domain')}', + }, + }, + } + + +@metadata_reactor.provides( + 'nginx/vhosts/navidrome', +) +def nginx(metadata): + if not node.has_bundle('nginx'): + raise DoNotRunAgain + + return { + 'nginx': { + 'vhosts': { + 'navidrome': { + 'domain': metadata.get('navidrome/domain'), + 'locations': { + '/': { + 'target': f'http://127.0.0.1:{metadata.get('navidrome/config/Port')}', + }, + }, + 'website_check_path': '/user/login', + 'website_check_string': 'Sign in', + }, + }, + }, + } diff --git a/bundles/netbox/items.py b/bundles/netbox/items.py index 9edbf0b..f261641 100644 --- a/bundles/netbox/items.py +++ b/bundles/netbox/items.py 
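Review bot: `PasswordEncryptionKey` is derived with `repo.vault.password_for(...)` and nothing records that it must stay stable: as far as the navidrome documentation describes it, this key encrypts stored user passwords, so renaming the vault identifier or regenerating the vault after first start makes existing passwords unrecoverable. Add a comment above the key, `# do not change after first start: navidrome encrypts user passwords with this key`. Disabling `EnableExternalServices`, `LastFM` and `ListenBrainz` by default is a sensible baseline.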
@@ -38,8 +38,8 @@ actions['netbox_install'] = { 'triggered': True, 'command': ' && '.join([ 'cd /opt/netbox/src', - '/opt/netbox/venv/bin/pip install --upgrade --upgrade-strategy=eager pip wheel setuptools django-auth-ldap gunicorn', - '/opt/netbox/venv/bin/pip install --upgrade --upgrade-strategy=eager -r requirements.txt', + '/opt/netbox/venv/bin/pip install --upgrade pip wheel setuptools django-auth-ldap gunicorn', + '/opt/netbox/venv/bin/pip install --upgrade -r requirements.txt', ]), 'needs': { 'pkg_apt:build-essential', diff --git a/bundles/nfs-server/files/avahi.service b/bundles/nfs-server/files/avahi.service deleted file mode 100644 index 394cdca..0000000 --- a/bundles/nfs-server/files/avahi.service +++ /dev/null @@ -1,10 +0,0 @@ - - - - NFS ${path} on %h - - _nfs._tcp - 2049 - path=${path} - - diff --git a/bundles/nfs-server/files/exports b/bundles/nfs-server/files/exports index ac9c8f8..ad2ca4c 100644 --- a/bundles/nfs-server/files/exports +++ b/bundles/nfs-server/files/exports @@ -1,4 +1,4 @@ -% for path, shares in sorted(node.metadata.get('nfs-server/shares', {}).items()): +% for path, shares in sorted(node.metadata['nfs-server']['shares'].items()): % for share_target, share_options in sorted(shares.items()): % for ip_list in repo.libs.tools.resolve_identifier(repo, share_target).values(): % for ip in sorted(ip_list): diff --git a/bundles/nfs-server/items.py b/bundles/nfs-server/items.py index ce025cf..dacbc48 100644 --- a/bundles/nfs-server/items.py +++ b/bundles/nfs-server/items.py 
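Review bot: With the eager strategy gone, the first `pip install` line still upgrades `pip wheel setuptools django-auth-ldap gunicorn` to whatever is newest on PyPI at apply time, so each run can pull a different, unreviewed version of the LDAP auth and WSGI layers independent of the pinned netbox checkout. Pin those packages to explicit versions (or install them from a requirements file with hashes) so the install is reproducible; the `-r requirements.txt` line is only as pinned as upstream ships it.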
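Review bot: Replacing `node.metadata.get('nfs-server/shares', {})` with `node.metadata['nfs-server']['shares']` in the `exports` template turns a node that carries the bundle but has no shares configured from an empty file into a render-time KeyError. If that is intended (no shares means misconfiguration), say so in a template comment or add a `'shares': {}` default in the bundle's metadata; otherwise keep the `.get(..., {})` form.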
@@ -1,40 +1,25 @@ -from re import sub - -files['/etc/exports'] = { - 'content_type': 'mako', - 'triggers': { - 'action:nfs_reload_shares', +files = { + '/etc/exports': { + 'content_type': 'mako', + 'triggers': { + 'action:nfs_reload_shares', + }, + }, + '/etc/default/nfs-kernel-server': { + 'source': 'etc-default', + 'triggers': { + 'svc_systemd:nfs-server:restart', + }, }, } -files['/etc/default/nfs-kernel-server'] = { - 'source': 'etc-default', - 'triggers': { - 'svc_systemd:nfs-server:restart', +actions = { + 'nfs_reload_shares': { + 'command': 'exportfs -a', + 'triggered': True, }, } -actions['nfs_reload_shares'] = { - 'command': 'exportfs -a', - 'triggered': True, +svc_systemd = { + 'nfs-server': {}, } - -svc_systemd['nfs-server'] = {} - -if node.has_bundle('avahi-daemon'): - for path, shares in node.metadata.get('nfs-server/shares', {}).items(): - create_avahi_file = False - for share_target, share_options in shares.items(): - if ',insecure,' in f',{share_options},': - create_avahi_file = True - - if create_avahi_file: - share_name_normalized = sub('[^a-z0-9-_]+', '_', path) - - files[f'/etc/avahi/services/nfs{share_name_normalized}.service'] = { - 'source': 'avahi.service', - 'content_type': 'mako', - 'context': { - 'path': path, - }, - } diff --git a/bundles/paperless-ng/files/paperless-webserver.service b/bundles/paperless-ng/files/paperless-webserver.service index 7c41aa7..5d7f806 100644 --- a/bundles/paperless-ng/files/paperless-webserver.service +++ b/bundles/paperless-ng/files/paperless-webserver.service 
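Review bot: `'command': 'exportfs -a'` in `nfs_reload_shares` exports everything currently listed in `/etc/exports` but does not unexport entries removed from it, so a share deleted or renamed in metadata stays active in the kernel export table until the next service restart; the rename of `/mnt/download` to `/storage/download` in `nodes/home/nas.py` in this same commit is exactly that case. Use `'command': 'exportfs -ra',`, which re-synchronises the export table with the file.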
@@ -8,11 +8,8 @@ Requires=redis.service User=paperless Group=paperless Environment=PAPERLESS_CONFIGURATION_PATH=/opt/paperless/paperless.conf -Environment=GRANIAN_PORT=22070 -Environment=GRANIAN_WORKERS=4 -Environment=GRANIAN_HOST=::1 WorkingDirectory=/opt/paperless/src/paperless-ngx/src -ExecStart=/opt/paperless/venv/bin/granian --interface asginl --ws "paperless.asgi:application" +ExecStart=/opt/paperless/venv/bin/gunicorn -c /opt/paperless/src/paperless-ngx/gunicorn.conf.py -b 127.0.0.1:22070 paperless.asgi:application Restart=always RestartSec=10 SyslogIdentifier=paperless-webserver diff --git a/bundles/paperless-ng/metadata.py b/bundles/paperless-ng/metadata.py index 8db5342..6746616 100644 --- a/bundles/paperless-ng/metadata.py +++ b/bundles/paperless-ng/metadata.py @@ -99,7 +99,7 @@ def nginx(metadata): 'domain': metadata.get('paperless/domain'), 'locations': { '/': { - 'target': 'http://[::1]:22070', + 'target': 'http://127.0.0.1:22070', 'websockets': True, 'proxy_set_header': { 'X-Forwarded-Host': '$server_name', diff --git a/bundles/powerdns/items.py b/bundles/powerdns/items.py index c972f90..b6a5e8f 100644 --- a/bundles/powerdns/items.py +++ b/bundles/powerdns/items.py @@ -2,14 +2,13 @@ from datetime import datetime from os import listdir from os.path import isfile, join from subprocess import check_output -from textwrap import dedent from bundlewrap.utils.ui import io zone_path = join(repo.path, 'data', 'powerdns', 'files', 'bind-zones') nameservers = set() -for rnode in repo.nodes_in_group('dns'): +for rnode in sorted(repo.nodes_in_group('dns')): nameservers.add(rnode.metadata.get('powerdns/my_hostname', rnode.metadata.get('hostname'))) my_primary_servers = set() 
@@ -76,45 +75,25 @@ actions = { } if node.metadata.get('powerdns/features/bind', False): - try: - output = check_output(['git', 'log', '-1', '--pretty=%ci']).decode('utf-8').strip() - serial = datetime.strptime(output, '%Y-%m-%d %H:%M:%S %z').strftime('%y%m%d%H%M') - except Exception as e: - io.stderr(f"{node.name} Error while parsing commit time for powerdns zone serial: {e!r}") - serial = datetime.now().strftime('%y%m%d0000') - - HEADER = dedent(f""" - $TTL 60 - @ IN SOA ns-mephisto.kunbox.net. hostmaster.kunbox.net. ( - {serial} - 3600 - 600 - 86400 - 300 - ) - """).strip() - - for ns in sorted(nameservers): - HEADER += f"\n@ IN NS {ns}." - primary_zones = set() for zone in listdir(zone_path): - if ( - not ( - isfile(join(zone_path, zone)) - or islink(join(zone_path, zone)) - ) - or zone.startswith(".") - or zone.startswith("_") - ): + if not isfile(join(zone_path, zone)) or zone.startswith(".") or zone.startswith("_"): continue + try: + output = check_output(['git', 'log', '-1', '--pretty=%ci']).decode('utf-8').strip() + serial = datetime.strptime(output, '%Y-%m-%d %H:%M:%S %z').strftime('%y%m%d%H%M') + except Exception as e: + io.stderr(f"Error while parsing commit time for {zone} serial: {e!r}") + serial = datetime.now().strftime('%y%m%d0000') + primary_zones.add(zone) files[f'/var/lib/powerdns/zones/{zone}'] = { 'content_type': 'mako', 'context': { - 'HEADER': HEADER + f"\n$ORIGIN {zone}.", + 'NAMESERVERS': '\n'.join(sorted({f'@ IN NS {ns}.' for ns in nameservers})), + 'SERIAL': serial, 'metadata_records': node.metadata.get(f'powerdns/bind-zones/{zone}/records', []), }, 'source': f'bind-zones/{zone}', diff --git a/bundles/travelynx/files/travelynx.conf b/bundles/travelynx/files/travelynx.conf index f73e85f..46883cf 100644 --- a/bundles/travelynx/files/travelynx.conf +++ b/bundles/travelynx/files/travelynx.conf 
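Review bot: `git log -1 --pretty=%ci` is now executed once per zone inside the `for zone in listdir(zone_path)` loop but takes no path argument, so every zone still receives the repository-wide last-commit serial and the subprocess is merely repeated N times; the error message's per-zone wording suggests a per-file serial was intended, but that would be a regression, since `NAMESERVERS` and `metadata_records` feed the rendered zone without touching the zone file. Hoist the `check_output` and the `except` back above the loop and reword the message to `f"Error while parsing commit time for powerdns zone serial: {e!r}"`. The fallback `datetime.now().strftime('%y%m%d0000')` can yield a serial lower than one already published from the commit-time branch on the same day, which stops secondaries from transferring; that predates this commit but deserves a comment now that the block has moved.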
@@ -33,12 +33,6 @@ from => '${mail_from}', }, -% if not enable_registration: - registration => { - disabled => 1, - }, -% endif - ref => { issues => 'https://github.com/derf/travelynx/issues', source => 'https://github.com/derf/travelynx', diff --git a/bundles/travelynx/metadata.py b/bundles/travelynx/metadata.py index 630fd27..b7dadd6 100644 --- a/bundles/travelynx/metadata.py +++ b/bundles/travelynx/metadata.py @@ -10,12 +10,11 @@ defaults = { 'password': repo.vault.password_for('{} postgresql travelynx'.format(node.name)), 'database': 'travelynx', }, - 'additional_cookie_secrets': set(), - 'cookie_secret': repo.vault.password_for('{} travelynx cookie_secret'.format(node.name)), - 'enable_registration': False, - 'mail_from': 'travelynx@{}'.format(node.hostname), - 'spare_workers': 2, 'workers': 4, + 'spare_workers': 2, + 'mail_from': 'travelynx@{}'.format(node.hostname), + 'cookie_secret': repo.vault.password_for('{} travelynx cookie_secret'.format(node.name)), + 'additional_cookie_secrets': set(), }, 'postgresql': { 'roles': { diff --git a/bundles/zfs/items.py b/bundles/zfs/items.py index 530d27f..c63250e 100644 --- a/bundles/zfs/items.py +++ b/bundles/zfs/items.py @@ -67,7 +67,6 @@ svc_systemd = { 'file:/etc/systemd/system/zfs-import-scan.service.d/bundlewrap.conf', }, 'after': { - 'bundle:dm-crypt', # might unlock disks 'pkg_apt:', }, 'before': { @@ -84,7 +83,6 @@ svc_systemd = { }, 'zfs-mount.service': { 'after': { - 'bundle:dm-crypt', # might unlock disks 'pkg_apt:', }, }, diff --git a/data/powerdns/files/bind-zones/_mail_NULL b/data/powerdns/files/bind-zones/_mail_NULL deleted file mode 100644 index 907abc8..0000000 --- a/data/powerdns/files/bind-zones/_mail_NULL +++ /dev/null @@ -1,2 +0,0 @@ -@ IN TXT "v=spf1 -all" -_dmarc IN TXT "v=DMARC1; p=reject" diff --git a/data/powerdns/files/bind-zones/_mail_carlene b/data/powerdns/files/bind-zones/_mail_carlene deleted file mode 100644 index 7a8e210..0000000 
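Review bot: Removing the `enable_registration` default in `travelynx/metadata.py` together with the `% if not enable_registration:` block in `travelynx.conf` drops the `registration => { disabled => 1 }` stanza unconditionally, so unless travelynx's built-in default disables sign-up, every deployment now has open registration where it was previously off by default. If opening registration is the intent, keep the toggle with `'enable_registration': True,` as the new default so it can still be switched off per node and say so in the commit message; if not, restore both the default and the template block.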
--- a/data/powerdns/files/bind-zones/_mail_carlene +++ /dev/null @@ -1,11 +0,0 @@ -@ IN TXT "v=spf1 mx -all" -@ IN MX 10 mail.franzi.business. -_dmarc IN TXT "v=DMARC1; p=quarantine; rua=mailto:dmarc@kunbox.net; ruf=mailto:dmarc@kunbox.net; fo=0:d:s; adkim=s; aspf=s" -_mta-sts IN TXT "v=STSv1;id=20201111;" -_smtp._tls IN TXT "v=TLSRPTv1;rua=mailto:tlsrpt@kunbox.net" - -mta-sts IN CNAME carlene.kunbox.net. - -2019._domainkey IN TXT "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwkg6UAcu3V98hal1UVf6yB0WT1CKDS0AK83CUlSP8bUwraPxkxK1nkQOUsmjbQs6a3FhdsKprMi32GeUaTVvZg81JIybPk3jNugfNWfSjs2TXPomYu+XD2pmmbR3cZlzC5NGR2nmBFt/P/S2ihPHj35KziiBIwK1TdvOi1M2+upCjK33Icco0ByCm0gJpD2O0cbqcBcUKqd6X440vYhNXH1ygp0e91P0iRnvS9sg6yD0xjD8kD6j/8GfxBY+9bpU3EvDoBgyJSbjw5b6PUVJbKMXzw1NIRNj0SXKs5BakjS8+7u62vR11IPCYRwy+yr0rDT0tNegM7gStIIgoTpOoQIDAQAB" - -uo4anejdvvdw8bkne3kjiqavcqmj0416._domainkey IN TXT "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnh5Ym9PO7r+wdOIKfopvHzn3KU3qT6IlCG/gvvbmIqoeFQfRbAe3gQmcG6RcLue55cJQGhI6y2r0lm59ZeoHR40aM+VabAOlplekM7xWmoXb/9vG2OZLIqAyF4I+7GQmTN6B9keBHp9SWtDUkI0B0G9neZ5MkXJP705M0duxritqQlb4YvCZwteHiyckKcg9aE9j+GF2EEawBoVDpoveoB3+wgde3lWEUjjwKFtXNXxuN354o6jgXgPNWtIEdPMLfK/o0CaCjZNlzaLTsTegY/+67hdHFqDmm8zXO9s+Xiyfq7CVq21t7wDhQ2W1agj+up6lH82FMh5rZNxJ6XB0yQIDAQAB" diff --git a/data/powerdns/files/bind-zones/_parked b/data/powerdns/files/bind-zones/_parked deleted file mode 100644 index 8331fc4..0000000 --- a/data/powerdns/files/bind-zones/_parked +++ /dev/null @@ -1,3 +0,0 @@ -${HEADER} - -<%include file="bind-zones/_mail_NULL" /> diff --git a/data/powerdns/files/bind-zones/afra.berlin b/data/powerdns/files/bind-zones/afra.berlin deleted file mode 100644 index 93ffc96..0000000 --- a/data/powerdns/files/bind-zones/afra.berlin +++ /dev/null @@ -1,6 +0,0 @@ -${HEADER} - -@ IN AAAA 2a0a:51c0:0:225::2 -@ IN A 193.135.9.29 - -<%include file="bind-zones/_mail_NULL" /> 
diff --git a/data/powerdns/files/bind-zones/die-brontosaurier-waren-es.org b/data/powerdns/files/bind-zones/die-brontosaurier-waren-es.org deleted file mode 120000 index e0f69f8..0000000 --- a/data/powerdns/files/bind-zones/die-brontosaurier-waren-es.org +++ /dev/null @@ -1 +0,0 @@ -_parked \ No newline at end of file diff --git a/data/powerdns/files/bind-zones/emails.sexy b/data/powerdns/files/bind-zones/emails.sexy deleted file mode 120000 index e0f69f8..0000000 --- a/data/powerdns/files/bind-zones/emails.sexy +++ /dev/null @@ -1 +0,0 @@ -_parked \ No newline at end of file diff --git a/data/powerdns/files/bind-zones/eskalation.jetzt b/data/powerdns/files/bind-zones/eskalation.jetzt deleted file mode 100644 index 8331fc4..0000000 --- a/data/powerdns/files/bind-zones/eskalation.jetzt +++ /dev/null @@ -1,3 +0,0 @@ -${HEADER} - -<%include file="bind-zones/_mail_NULL" /> diff --git a/data/powerdns/files/bind-zones/felix-kunsmann.de b/data/powerdns/files/bind-zones/felix-kunsmann.de deleted file mode 100644 index 42bac92..0000000 --- a/data/powerdns/files/bind-zones/felix-kunsmann.de +++ /dev/null @@ -1,3 +0,0 @@ -${HEADER} - -<%include file="bind-zones/_mail_carlene" /> diff --git a/data/powerdns/files/bind-zones/flauschehorn.sexy b/data/powerdns/files/bind-zones/flauschehorn.sexy deleted file mode 100644 index 4779fe4..0000000 --- a/data/powerdns/files/bind-zones/flauschehorn.sexy +++ /dev/null @@ -1,8 +0,0 @@ -${HEADER} - -@ IN AAAA 2a03:4000:4d:5e::1 -@ IN A 194.36.145.49 - -<%include file="bind-zones/_mail_carlene" /> - -_acme-challenge IN CNAME 63bc37c61bda3c1f4fa1f270f8890c7f89c24353.acme.ctu.cx. diff --git a/data/powerdns/files/bind-zones/franzi.business b/data/powerdns/files/bind-zones/franzi.business deleted file mode 100644 index ce864a7..0000000 --- a/data/powerdns/files/bind-zones/franzi.business +++ /dev/null 
@@ -1,29 +0,0 @@ -${HEADER} - -@ IN AAAA 2a0a:51c0:0:225::2 -@ IN A 193.135.9.29 - -<%include file="bind-zones/_mail_carlene" /> - -_atproto IN TXT "did=did:plc:d762mg6wvvmpeu66zojntlof" -_token._dnswl IN TXT "gg3mbwjx9bbuo5osvh7oz6bc881wcmc" -_matrix._tcp IN SRV 10 10 443 matrix.franzi.business. - -; carlene -git IN CNAME carlene.kunbox.net. -irc IN CNAME carlene.kunbox.net. -mail IN CNAME carlene.kunbox.net. -matrix IN CNAME carlene.kunbox.net. -matrix-stickers IN CNAME carlene.kunbox.net. -netbox IN CNAME carlene.kunbox.net. -ntfy IN CNAME carlene.kunbox.net. -postfixadmin IN CNAME carlene.kunbox.net. -rss IN CNAME carlene.kunbox.net. -travelynx IN CNAME carlene.kunbox.net. - -; icinga2 -icinga IN CNAME icinga2.kunbox.net. -status IN CNAME icinga2.kunbox.net. - -; pretix -tickets IN CNAME franzi-business.cname.pretix.eu. diff --git a/data/powerdns/files/bind-zones/kunbox.net b/data/powerdns/files/bind-zones/kunbox.net index 2292b7d..bb45655 100644 --- a/data/powerdns/files/bind-zones/kunbox.net +++ b/data/powerdns/files/bind-zones/kunbox.net @@ -1,4 +1,16 @@ -${HEADER} +$TTL 60 +@ IN SOA ns-mephisto.kunbox.net. hostmaster.kunbox.net. ( + ${SERIAL} + 3600 + 600 + 86400 + 300 + ) + + +${NAMESERVERS} + +$ORIGIN kunbox.net. ; ends up on carlene.kunbox.net @ IN A 193.135.9.29 diff --git a/data/powerdns/files/bind-zones/kunsi.scot b/data/powerdns/files/bind-zones/kunsi.scot deleted file mode 120000 index e0f69f8..0000000 --- a/data/powerdns/files/bind-zones/kunsi.scot +++ /dev/null @@ -1 +0,0 @@ -_parked \ No newline at end of file diff --git a/data/powerdns/files/bind-zones/kunsitracker.de b/data/powerdns/files/bind-zones/kunsitracker.de deleted file mode 100644 index 9c641b6..0000000 --- a/data/powerdns/files/bind-zones/kunsitracker.de +++ /dev/null @@ -1,6 +0,0 @@ -${HEADER} - -@ IN AAAA 2a0a:51c0:0:225::2 -@ IN A 193.135.9.29 - -<%include file="bind-zones/_mail_carlene" /> 
diff --git a/data/powerdns/files/bind-zones/kunsmann.eu b/data/powerdns/files/bind-zones/kunsmann.eu deleted file mode 100644 index f5b8acf..0000000 --- a/data/powerdns/files/bind-zones/kunsmann.eu +++ /dev/null @@ -1,14 +0,0 @@ -${HEADER} - -@ IN AAAA 2a0a:51c0:0:225::2 -@ IN A 193.135.9.29 - -<%include file="bind-zones/_mail_carlene" /> - -@ IN TXT "google-site-verification=Xl-OBZpTL1maD2Qr8QmQ2aKRXZLnCmvddpFdrTT8L34" - -_token._dnswl IN TXT "5mx0rv9ru8s1zz4tf4xlt48osh09czmg" - -git IN CNAME git.franzi.business. -grafana IN CNAME influxdb.htz-cloud.kunbox.net. -influxdb IN CNAME influxdb.htz-cloud.kunbox.net. diff --git a/data/powerdns/files/bind-zones/raptor.events b/data/powerdns/files/bind-zones/raptor.events deleted file mode 120000 index e0f69f8..0000000 --- a/data/powerdns/files/bind-zones/raptor.events +++ /dev/null @@ -1 +0,0 @@ -_parked \ No newline at end of file diff --git a/data/powerdns/files/bind-zones/trans-agenda.de b/data/powerdns/files/bind-zones/trans-agenda.de deleted file mode 120000 index e0f69f8..0000000 --- a/data/powerdns/files/bind-zones/trans-agenda.de +++ /dev/null @@ -1 +0,0 @@ -_parked \ No newline at end of file diff --git a/data/powerdns/files/bind-zones/trans-agenda.eu b/data/powerdns/files/bind-zones/trans-agenda.eu deleted file mode 120000 index e0f69f8..0000000 --- a/data/powerdns/files/bind-zones/trans-agenda.eu +++ /dev/null @@ -1 +0,0 @@ -_parked \ No newline at end of file diff --git a/data/powerdns/files/bind-zones/warnochwas.de b/data/powerdns/files/bind-zones/warnochwas.de deleted file mode 100644 index 9c641b6..0000000 --- a/data/powerdns/files/bind-zones/warnochwas.de +++ /dev/null @@ -1,6 +0,0 @@ -${HEADER} - -@ IN AAAA 2a0a:51c0:0:225::2 -@ IN A 193.135.9.29 - -<%include file="bind-zones/_mail_carlene" /> diff --git a/data/powerdns/files/bind-zones/winkeeinhorn.de b/data/powerdns/files/bind-zones/winkeeinhorn.de deleted file mode 120000 index e0f69f8..0000000 
--- a/data/powerdns/files/bind-zones/winkeeinhorn.de +++ /dev/null @@ -1 +0,0 @@ -_parked \ No newline at end of file diff --git a/libs/s2s.py b/libs/s2s.py index 8372ec2..fe0fc4e 100644 --- a/libs/s2s.py +++ b/libs/s2s.py @@ -6,7 +6,6 @@ AS_NUMBERS = { 'htz-cloud': 4290000137, 'ionos': 4290000002, 'revision': 4290000078, - 'rottenraptor': 4290000030, } WG_AUTOGEN_NODES = [ diff --git a/nodes/backup-kunsi.toml b/nodes/backup-kunsi.toml index 4a47ae4..3e17bd7 100644 --- a/nodes/backup-kunsi.toml +++ b/nodes/backup-kunsi.toml 
@@ -22,17 +22,15 @@ exclude_from_backups = true [metadata.backup-server.zpool_create_options] ashift = 12 -[metadata.backup-server.encrypted-devices.WVT0RNKF] -device = "/dev/disk/by-id/scsi-0QEMU_QEMU_HARDDISK_drive-scsi4" -passphrase = "!bwpass:bw/backup-kunsi/ata-ST20000NM007D-3DJ103_WVT0RNKF" +[[metadata.backup-server.encrypted-devices]] +"/dev/disk/by-id/scsi-0QEMU_QEMU_HARDDISK_drive-scsi1-part1" = "!bwpass:bw/backup-kunsi/ata-ST18000NM0092-3CX103_ZVV06SLR-part1" +"/dev/disk/by-id/scsi-0QEMU_QEMU_HARDDISK_drive-scsi2-part1" = "!bwpass:bw/backup-kunsi/ata-ST18000NM0092-3CX103_ZVV0686W-part1" +"/dev/disk/by-id/scsi-0QEMU_QEMU_HARDDISK_drive-scsi3-part1" = "!bwpass:bw/backup-kunsi/ata-ST18000NM0092-3CX103_ZVV06JV7-part1" -[metadata.backup-server.encrypted-devices.WVT0V0NQ] -device = "/dev/disk/by-id/scsi-0QEMU_QEMU_HARDDISK_drive-scsi5" -passphrase = "!bwpass:bw/backup-kunsi/ata-ST20000NM007D-3DJ103_WVT0V0NQ" - -[metadata.backup-server.encrypted-devices.WVT0W64H] -device = "/dev/disk/by-id/scsi-0QEMU_QEMU_HARDDISK_drive-scsi6" -passphrase = "!bwpass:bw/backup-kunsi/ata-ST20000NM007D-3DJ103_WVT0W64H" +[[metadata.backup-server.encrypted-devices]] +"/dev/disk/by-id/scsi-0QEMU_QEMU_HARDDISK_drive-scsi1-part2" = "!bwpass:bw/backup-kunsi/ata-ST18000NM0092-3CX103_ZVV06SLR-part2" +"/dev/disk/by-id/scsi-0QEMU_QEMU_HARDDISK_drive-scsi2-part2" = "!bwpass:bw/backup-kunsi/ata-ST18000NM0092-3CX103_ZVV0686W-part2" +"/dev/disk/by-id/scsi-0QEMU_QEMU_HARDDISK_drive-scsi3-part2" = "!bwpass:bw/backup-kunsi/ata-ST18000NM0092-3CX103_ZVV06JV7-part2" [metadata.zfs] scrub_when = "Wed 08:00 Europe/Berlin" diff --git a/nodes/carlene.toml b/nodes/carlene.toml index d5625d9..fb6d22a 100644 --- a/nodes/carlene.toml +++ b/nodes/carlene.toml 
@@ -37,8 +37,8 @@ imap_host = "secureimap.t-online.de" imap_pass = "!bwpass_attr:t-online.de/franzi.kunsmann@t-online.de:imap" [metadata.forgejo] -version = "11.0.0" -sha1 = "3a12529ab21ca04f2b3e6cf7a6c91af18f00ee5d" +version = "10.0.3" +sha1 = "d1199c43de9e69f6bb8058c15290e79862913413" domain = "git.franzi.business" enable_git_hooks = true install_ssh_key = true @@ -98,8 +98,8 @@ provisioning.shared_secret = "!decrypt:encrypt$gAAAAABfVKflEMAi07C_QGP8cy97hF-4g "'@kunsi:franzi.business'" = "admin" [metadata.mautrix-whatsapp] -version = "v0.12.0" -sha1 = "02094da0a164099d4d35e5edb4b87875ad694833" +version = "v0.11.4" +sha1 = "71a064b82072d2cec3d655c8848af418c1f54c77" permissions."'@kunsi:franzi.business'" = "admin" [metadata.mautrix-whatsapp.homeserver] domain = "franzi.business" @@ -110,7 +110,7 @@ domain = "rss.franzi.business" [metadata.netbox] domain = "netbox.franzi.business" -version = "v4.2.8" +version = "v4.2.6" admins.kunsi = "hostmaster@kunbox.net" [metadata.nextcloud] @@ -244,13 +244,8 @@ disks = [ "/dev/disk/by-id/nvme-SAMSUNG_MZVL22T0HBLB-00B00_S677NX0W114380", ] -[metadata.systemd-timers.timers.42c3-topic] -command = "/home/kunsi/42c3-topic.sh" -user = "kunsi" -when = "04:00:00 Europe/Berlin" - [metadata.travelynx] -version = "2.11.24" +version = "2.11.13" mail_from = "travelynx@franzi.business" domain = "travelynx.franzi.business" diff --git a/nodes/home.mitel-rfp35.toml b/nodes/home.mitel-rfp35.toml new file mode 100644 index 0000000..414658a --- /dev/null +++ b/nodes/home.mitel-rfp35.toml @@ -0,0 +1,4 @@ +dummy = true + +[metadata.interfaces.default] +ips = ["172.19.138.41"] diff --git a/nodes/home/downloadhelper.py b/nodes/home/downloadhelper.py index 4bd2f10..4874561 100644 --- a/nodes/home/downloadhelper.py +++ b/nodes/home/downloadhelper.py 
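Review bot: The forgejo change is a downgrade across a major version (11.0.0 to 10.0.3), and mautrix-whatsapp, netbox and travelynx move backwards in the same hunks; if the node has already run the newer releases their database migrations were applied, and older binaries typically refuse to start on a newer schema rather than roll it back. If this reverts a bump that was never applied, a one-line note in the commit message would save the next reader a scare; otherwise plan the restore from the pre-upgrade backup before applying.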
@@ -42,7 +42,7 @@ nodes['home.downloadhelper'] = { 'mounts': { 'storage': { 'mountpoint': '/mnt/nas', - 'serverpath': '172.19.138.20:/mnt/download', + 'serverpath': '172.19.138.20:/storage/download', 'mount_options': { 'retry=0', 'rw', diff --git a/nodes/home/nas.py b/nodes/home/nas.py index d4a4211..13694e6 100644 --- a/nodes/home/nas.py +++ b/nodes/home/nas.py @@ -5,6 +5,7 @@ nodes['home.nas'] = { 'bundles': { 'avahi-daemon', 'backup-client', + 'dm-crypt', 'jellyfin', 'lm-sensors', 'mixcloud-downloader', @@ -60,7 +61,6 @@ nodes['home.nas'] = { }, 'backups': { 'paths': { - '/home/kunsi/', '/storage/nas/', }, }, @@ -69,6 +69,22 @@ nodes['home.nas'] = { 'avahi-aruba-fixup': '17,47 * * * * root /usr/bin/systemctl restart avahi-daemon.service', }, }, + 'dm-crypt': { + 'encrypted-devices': { + '/dev/disk/by-id/ata-Samsung_SSD_870_QVO_8TB_S5SSNJ0X409404K': { + 'dm-name': 'sam-S5SSNJ0X409404K', + 'passphrase': bwpass.password('bw/home.nas/dmcrypt/S5SSNJ0X409404K'), + }, + '/dev/disk/by-id/ata-Samsung_SSD_870_QVO_8TB_S5SSNJ0X409845F': { + 'dm-name': 'sam-S5SSNJ0X409845F', + 'passphrase': bwpass.password('bw/home.nas/dmcrypt/S5SSNJ0X409845F'), + }, + '/dev/disk/by-id/ata-Samsung_SSD_870_QVO_8TB_S5SSNJ0X409870J': { + 'dm-name': 'sam-S5SSNJ0X409870J', + 'passphrase': bwpass.password('bw/home.nas/dmcrypt/S5SSNJ0X409870J'), + }, + }, + }, 'groups': { 'nas': {}, }, @@ -80,9 +96,11 @@ nodes['home.nas'] = { }, '5060/tcp': { # yate SIP 'home.snom-wohnzimmer', + 'home.mitel-rfp35', }, '5061/tcp': { # yate SIPS 'home.snom-wohnzimmer', + 'home.mitel-rfp35', }, # yate RTP uses some random UDP port. We cannot firewall # it, because for incoming calls the other side decides @@ -92,6 +110,7 @@ nodes['home.nas'] = { # to deal with randomly changing IPs here. '*/udp': { 'home.snom-wohnzimmer', + 'home.mitel-rfp35', }, }, }, 
@@ -135,11 +154,11 @@ nodes['home.nas'] = {
 },
 'nfs-server': {
 'shares': {
- '/mnt/download': {
+ '/storage/download': {
 'home.downloadhelper': 'rw,all_squash,anonuid=65534,anongid=1012,no_subtree_check',
 },
 '/storage/nas': {
- '172.19.138.0/24': 'ro,all_squash,anonuid=65534,anongid=65534,no_subtree_check,insecure',
+ '172.19.138.0/24': 'ro,all_squash,anonuid=65534,anongid=65534,no_subtree_check',
 },
 '/srv/paperless': {
 'home.paperless': 'rw,all_squash,anonuid=65534,anongid=65534,no_subtree_check',
@@ -173,7 +192,7 @@ nodes['home.nas'] = {
 'disks': {
 '/dev/nvme0',
- # nas/timemachine disks
+ # old nas disks
 '/dev/disk/by-id/ata-WDC_WD6003FFBX-68MU3N0_V8GE15GR',
 '/dev/disk/by-id/ata-WDC_WD6003FFBX-68MU3N0_V8HJ406R',
 '/dev/disk/by-id/ata-WDC_WD6003FFBX-68MU3N0_V8HJBTLR',
@@ -181,9 +200,10 @@ nodes['home.nas'] = {
 '/dev/disk/by-id/ata-WDC_WD6003FFBX-68MU3N0_V8J8ZKRR',
 '/dev/disk/by-id/ata-WDC_WD6003FFBX-68MU3N0_V9JS5UYL',
- # ssdpool disks
- '/dev/disk/by-id/ata-INTEL_SSDSC2KB960G8_PHYF244001QU960CGN',
- '/dev/disk/by-id/ata-INTEL_SSDSC2KB960G8_PHYF244002AS960CGN',
+ # encrypted disks
+ '/dev/disk/by-id/ata-Samsung_SSD_870_QVO_8TB_S5SSNJ0X409404K',
+ '/dev/disk/by-id/ata-Samsung_SSD_870_QVO_8TB_S5SSNJ0X409845F',
+ '/dev/disk/by-id/ata-Samsung_SSD_870_QVO_8TB_S5SSNJ0X409870J',
 },
 },
 'systemd-networkd': {
@@ -238,20 +258,6 @@ nodes['home.nas'] = {
 'zfs_arc_max_gb': 8,
 },
 'pools': {
- 'ssdpool': {
- 'when_creating': {
- 'config': [
- {
- 'type': 'mirror',
- 'devices': {
- '/dev/disk/by-id/ata-INTEL_SSDSC2KB960G8_PHYF244001QU960CGN',
- '/dev/disk/by-id/ata-INTEL_SSDSC2KB960G8_PHYF244002AS960CGN',
- },
- },
- ],
- 'ashift': 12,
- },
- },
 'tank': {
 'when_creating': {
 'config': [
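Review bot: In the `@@ -135,11 +154,11 @@` hunk the `/storage/nas` export now fronts a dataset on the `encrypted` pool (`encrypted/nas` with `'mountpoint': '/storage/nas'` in the `@@ -270,46 +276,67 @@` hunk), which is only imported after the dm-crypt open actions; if that unlock or import does not happen, the NFS server still exports the empty `/storage/nas` directory on the root filesystem and clients silently see an empty share instead of an error. The exports(5) `mp` (`mountpoint`) option makes the export conditional on something actually being mounted there, e.g. `'172.19.138.0/24': 'ro,all_squash,anonuid=65534,anongid=65534,no_subtree_check,mp',` — assuming the nfs-server bundle passes the option string through verbatim, which is not visible here. Dropping `insecure` from that export is a good tightening. The enclosing `nodes['home.nas'] = {` statement starts and ends outside the hunk.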
@@ -270,46 +276,67 @@ nodes['home.nas'] = {
 'ashift': 12,
 },
 },
+ 'encrypted': {
+ 'when_creating': {
+ 'config': [
+ {
+ 'type': 'raidz',
+ 'devices': {
+ '/dev/mapper/sam-S5SSNJ0X409404K',
+ '/dev/mapper/sam-S5SSNJ0X409845F',
+ '/dev/mapper/sam-S5SSNJ0X409870J',
+ },
+ },
+ ],
+ 'ashift': 12,
+ },
+ 'needs': {
+ 'action:dm-crypt_open_sam-S5SSNJ0X409404K',
+ 'action:dm-crypt_open_sam-S5SSNJ0X409845F',
+ 'action:dm-crypt_open_sam-S5SSNJ0X409870J',
+ },
+ # see comment in bundle:backup-server
+ 'unless': 'zpool import encrypted',
+ },
 },
 'datasets': {
- 'ssdpool': {
+ 'encrypted': {
 'primarycache': 'metadata',
 },
- 'ssdpool/yate': {
- 'mountpoint': '/opt/yate',
- },
- 'ssdpool/download': {
- 'mountpoint': '/mnt/download',
- 'quota': '858993459200', # 800 GB
- },
- 'ssdpool/paperless': {
- 'mountpoint': '/srv/paperless',
- },
- 'tank': {
- 'primarycache': 'metadata',
- },
- 'tank/nas': {
+ 'encrypted/nas': {
 'acltype': 'off',
 'atime': 'off',
 'compression': 'off',
 'mountpoint': '/storage/nas',
 },
+ 'tank': {
+ 'primarycache': 'metadata',
+ },
+ 'tank/opt-yate': {
+ 'mountpoint': '/opt/yate',
+ },
+ 'tank/download': {
+ 'mountpoint': '/storage/download',
+ },
+ 'tank/paperless': {
+ 'mountpoint': '/srv/paperless',
+ },
 },
 'snapshots': {
 'retain_per_dataset': {
- 'tank/nas': {
+ 'encrypted/nas': {
 # juuuuuuuust to be sure.
 'daily': 14,
 'weekly': 6,
 'monthly': 12,
 },
- 'ssdpool/download': {
+ 'tank/download': {
 'hourly': 48,
 'daily': 0,
 'weekly': 0,
 'monthly': 0,
 },
- 'ssdpool/paperless': {
+ 'tank/paperless': {
 'daily': 14,
 'weekly': 6,
 'monthly': 24,
diff --git a/nodes/home/paperless.py b/nodes/home/paperless.py
index f7035a5..caffb73 100644
--- a/nodes/home/paperless.py
+++ b/nodes/home/paperless.py
@@ -49,7 +49,7 @@ nodes['home.paperless'] = {
 },
 'paperless': {
 'domain': 'paperless.home.kunbox.net',
- 'version': 'v2.15.3',
+ 'version': 'v2.14.7',
 'timezone': 'Europe/Berlin',
 },
 'postgresql': {
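Review bot: `tank/download` in the `@@ -270,46 +276,67 @@` hunk drops the `'quota': '858993459200', # 800 GB` that `ssdpool/download` carried, while the dataset is still exported `rw` to `home.downloadhelper` (see the `@@ -135,11 +154,11 @@` hunk) and now shares `tank` with `tank/opt-yate` and `tank/paperless`; a runaway download can fill the pool and take the other services down with it. If the cap was dropped on purpose because `tank` is large enough, a one-line comment saying so would stop the next reader from re-adding it; otherwise restore `'quota': '858993459200',  # 800 GB` (or a `refquota`) under `tank/download`. The `/dev/mapper/sam-*` devices and `action:dm-crypt_open_sam-*` needs of the `encrypted` pool agree with the `dm-name` values set in the dm-crypt hunk. The enclosing `nodes['home.nas'] = {` statement starts and ends outside the hunk.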
diff --git a/nodes/htz-cloud/wireguard.py b/nodes/htz-cloud/wireguard.py
index 1139390..3ceaf2d 100644
--- a/nodes/htz-cloud/wireguard.py
+++ b/nodes/htz-cloud/wireguard.py
@@ -37,7 +37,6 @@ nodes['htz-cloud.wireguard'] = {
 '172.19.137.0/24',
 '172.19.136.62/31',
 '172.19.136.64/31',
- '172.19.136.66/31',
 '192.168.100.0/24',
 },
 },
@@ -53,7 +52,6 @@ nodes['htz-cloud.wireguard'] = {
 'udp dport 1194 accept',
 'udp dport 51800 accept',
 'udp dport 51804 accept',
- 'udp dport 51805 accept',
 # wg.c3voc.de
 'udp dport 51801 ip saddr 185.106.84.42 accept',
@@ -127,13 +125,6 @@ nodes['htz-cloud.wireguard'] = {
 'my_ip': '172.19.136.66',
 'their_ip': '172.19.136.67',
 },
- 'rottenraptor-vpn': {
- 'endpoint': None,
- 'exclude_from_monitoring': True,
- 'my_port': 51805,
- 'my_ip': '172.19.136.68',
- 'their_ip': '172.19.136.69',
- },
 },
 },
 },
diff --git a/nodes/proxmox-backupstorage.toml b/nodes/proxmox-backupstorage.toml
index 7f10946..eee0256 100644
--- a/nodes/proxmox-backupstorage.toml
+++ b/nodes/proxmox-backupstorage.toml
@@ -14,18 +14,6 @@ check_command = "sshmon"
 check_command = "sshmon"
 "vars.sshmon_command" = "CT480BX500SSD1_2314E6C5C6C8"
-[metadata.icinga2_api.smartd.services."SMART STATUS ST20000NM007D-3DJ103_WVT0RNKF"]
-check_command = "sshmon"
-"vars.sshmon_command" = "ST20000NM007D-3DJ103_WVT0RNKF"
-
-[metadata.icinga2_api.smartd.services."SMART STATUS ST20000NM007D-3DJ103_WVT0V0NQ"]
-check_command = "sshmon"
-"vars.sshmon_command" = "ST20000NM007D-3DJ103_WVT0V0NQ"
-
-[metadata.icinga2_api.smartd.services."SMART STATUS ST20000NM007D-3DJ103_WVT0W64H"]
-check_command = "sshmon"
-"vars.sshmon_command" = "ST20000NM007D-3DJ103_WVT0W64H"
-
 [metadata.icinga2_api.smartd.services."SMART STATUS ST18000NM0092-3CX103_ZVV0686W"]
 check_command = "sshmon"
 "vars.sshmon_command" = "ST18000NM0092-3CX103_ZVV0686W"
diff --git a/nodes/rottenraptor-vpn.toml b/nodes/rottenraptor-vpn.toml
deleted file mode 100644
index 342ce1c..0000000
--- a/nodes/rottenraptor-vpn.toml
+++ /dev/null
@@ -1,27 +0,0 @@
-hostname = "172.30.17.53"
-bundles = ["bird", "wireguard"]
-groups = ["debian-bookworm"]
-
-[metadata]
-location = "rottenraptor"
-backups.exclude_from_backups = true
-icinga_options.exclude_from_monitoring = true
-
-[metadata.bird]
-static_routes = [
- "172.30.17.0/24",
-]
-
-[metadata.interfaces.ens18]
-ips = ["172.30.17.53/24"]
-gateway4 = "172.30.17.1"
-
-[metadata.nftables.postrouting]
-"50-router" = [
- "oifname ens18 masquerade",
-]
-
-[metadata.wireguard.peers."htz-cloud.wireguard"]
-my_port = 51804
-my_ip = "172.19.136.69"
-their_ip = "172.19.136.68"
diff --git a/nodes/sophie/sophie.homeassistant.toml b/nodes/sophie/sophie.homeassistant.toml
index 42e25d0..8e2c4da 100644
--- a/nodes/sophie/sophie.homeassistant.toml
+++ b/nodes/sophie/sophie.homeassistant.toml
@@ -14,6 +14,8 @@ ips = [
 ]
 gateway4 = "172.19.164.1"
 ipv6_accept_ra = true
+[metadata.interfaces.enp7s0.routes."172.19.165.0/24"]
+via = "172.19.164.2"
 [metadata.vm]
 cpu = 2
diff --git a/nodes/sophie/sophie.navidrome.toml b/nodes/sophie/sophie.navidrome.toml
new file mode 100644
index 0000000..d1df8eb
--- /dev/null
+++ b/nodes/sophie/sophie.navidrome.toml
@@ -0,0 +1,46 @@
+hostname = "172.19.164.5"
+bundles = [
+ 'navidrome',
+ 'nginx',
+ 'nfs-client',
+]
+groups = [
+ "debian-bookworm",
+]
+
+[metadata.interfaces.enp1s0]
+ips = [
+ "172.19.164.5/24",
+]
+gateway4 = "172.19.164.1"
+ipv6_accept_ra = true
+[metadata.interfaces.enp1s0.routes."172.19.165.0/24"]
+via = "172.19.164.2"
+
+[metadata.vm]
+cpu = 2
+ram = 4
+
+[metadata.navidrome]
+domain = 'navidrome.home.sophies-kitchen.eu'
+version = '0.55.2'
+sha1 = 'c5e513fb830f40bea33537ef0c649a3621bd443c'
+
+[metadata.navidrome.config]
+MusicFolder = "/mnt/media/Musik"
+
+[metadata.nfs-client.mounts.media]
+mountpoint = '/mnt/media'
+serverpath = '172.19.164.2:/srv/nas'
+mount_options =[
+ 'retry=0',
+ 'ro',
+]
+
+[metadata.nginx]
+restrict-to = [
+ '172.19.164.0/22',
+]
+
+[metadata.nginx.vhosts.navidrome]
+ssl = '_.home.sophies-kitchen.eu'
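Review bot: Quoting in the new `sophie.navidrome.toml` is mixed: `bundles`, `[metadata.navidrome]`, `[metadata.nfs-client.mounts.media]` and `[metadata.nginx]` use single-quoted strings while `hostname`, `groups`, `ips` and `MusicFolder` use double quotes, and `mount_options =[` is missing the space before the bracket; the sibling `sophie.homeassistant.toml` hunk uses double quotes throughout. Normalising to double quotes and `mount_options = [` keeps the node files uniform and easier to grep. Pinning `version` together with `sha1`, mounting the music share `ro` and limiting nginx with `restrict-to` to the site range are sensible defaults for a new node.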