kunsi/bundlewrap
1
0
Fork 0
Code Issues 1 Pull requests Releases Activity

Compare commits

base: kunsi:a51aad6a53fe90a8ffcb83effc9267ca61612547
Branches Tags
kunsi:main
kunsi:unbound-sophie
kunsi:miniserverupdates
kunsi:new-wildcard-sophies-kitchen
kunsi:updates
kunsi:update-miniserver
kunsi:vmhostumzug
kunsi:jhtoolz
kunsi:sophiesheomenetwork
kunsi:feature/kunsi-ipv6-only-vlan
kunsi:sophie-dimension-cleanup
kunsi:kunsi-woodpecker
kunsi:kunsi-junos
kunsi:loudness-monitoring-gstreamer
...
compare: kunsi:bce70561c252020aa90835677a078578a11a5b15
Branches Tags
kunsi:main
kunsi:unbound-sophie
kunsi:miniserverupdates
kunsi:new-wildcard-sophies-kitchen
kunsi:updates
kunsi:update-miniserver
kunsi:vmhostumzug
kunsi:jhtoolz
kunsi:sophiesheomenetwork
kunsi:feature/kunsi-ipv6-only-vlan
kunsi:sophie-dimension-cleanup
kunsi:kunsi-woodpecker
kunsi:kunsi-junos
kunsi:loudness-monitoring-gstreamer

42 commits
a51aad6a53 ... bce70561c2

Author SHA1 Message Date
Sophie Schiller
bce70561c2 bw/htz-cloud.miniserver bump element-web version
All checks were successful
kunsi/bundlewrap/pipeline/pr-main This commit looks good
Details
kunsi/bundlewrap/pipeline/head This commit looks good
Details
2021-07-11 16:29:15 +02:00
Sophie Schiller
8a89fefac9 bw/matrix-dimension repair syntax errors 2021-07-11 16:29:15 +02:00
Sophie Schiller
baad1ad24d bw/matrix-dimension remove unneeded metadata 2021-07-11 16:29:15 +02:00
Sophie Schiller
2ec5fe408a bw/matrix-dimension get all the things 2021-07-11 16:29:15 +02:00
Sophie Schiller
05f7d912b0 bw/matrix-dimension disable logfile 2021-07-11 16:29:15 +02:00
Sophie Schiller
19e331fe07 bw/matrix-dimension switch to generic vhost name 2021-07-11 16:29:15 +02:00
Sophie Schiller
7d5b26f66c bw/matrix-dimension enable process monitoring 2021-07-11 16:29:15 +02:00
Sophie Schiller
71e5a828d4 bw/matrix-dimensions fix typos 2021-07-11 16:29:15 +02:00
Sophie Schiller
65849daa75 bw/matrix-dimension switch listening port 2021-07-11 16:29:15 +02:00
Sophie Schiller
ad7582e38a bw/matrix-dimension switch to dedicated user 2021-07-11 16:29:15 +02:00
Sophie Schiller
3bcda42a77 bw/htz-cloud.miniserver cleanup extras 2021-07-11 16:29:15 +02:00
Sophie Schiller
459a08a7a5 bw/matrix-dimension witespaaaaaaaace 2021-07-11 16:29:15 +02:00
Sophie Schiller
b1473a0940 bundle/matrix-dimension enable backups 2021-07-11 16:29:15 +02:00
Sophie Schiller
e3db16bc62 bw/htz-cloud.miniserver set differend recursors 2021-07-11 16:29:15 +02:00
Sophie Schiller
4d65d48478 bw/bundle matrix-dimension this might actually work 2021-07-11 16:29:15 +02:00
Sophie Schiller
801b21a35c bw/bundle matrix-dimension add first draft 2021-07-11 16:29:15 +02:00
Franziska Kunsmann
a210ada211
README: jenkins has moved
All checks were successful
kunsi/bundlewrap/pipeline/head This commit looks good
Details
2021-07-11 15:58:26 +02:00
Franziska Kunsmann
72f148425a
bundles/jenkins-ci: add ssh keys and config
All checks were successful
bundlewrap/pipeline/head This commit looks good
Details
2021-07-11 15:47:45 +02:00
Franziska Kunsmann
0a14d46cf2
bundles/jenkins: add zfs dataset 2021-07-11 15:29:42 +02:00
Franziska Kunsmann
3871893c9b
move jenkins to rx300 2021-07-11 15:24:08 +02:00
Franziska Kunsmann
8da40eab67
nodes/rx300: add php 8.0 2021-07-11 15:23:49 +02:00
Franziska Kunsmann
a66d9c5765
bundles/mx-puppet-discord: add (Discord) to room and user names
All checks were successful
bundlewrap/pipeline/head This commit looks good
Details
2021-07-11 12:29:05 +02:00
Franziska Kunsmann
7fef4d7a00
nodes/aurto: add n0emis ssh keys
All checks were successful
bundlewrap/pipeline/head This commit looks good
Details
2021-07-10 21:57:04 +02:00
Franziska Kunsmann
b193971625
bundles/postfix: fix some needed files not being present in chroot on arch
All checks were successful
bundlewrap/pipeline/head This commit looks good
Details
2021-07-10 16:16:56 +02:00
Franziska Kunsmann
8f4db6f2ba
bundles/postfix: install pkg_pacman:s-nail 2021-07-10 15:59:03 +02:00
Franziska Kunsmann
fe5b7b7335
nodes/htz-cloud.pirmasens: add bundle:check-mail-received 2021-07-10 15:54:02 +02:00
Franziska Kunsmann
3351767d56
add bundle:check-mail-received
All checks were successful
bundlewrap/pipeline/head This commit looks good
Details
2021-07-10 14:22:19 +02:00
Franziska Kunsmann
76b859c629
libs.faults: add ensure_fault_or_none() and join_faults() 2021-07-10 14:21:56 +02:00
Franziska Kunsmann
5781869f03
nodes/{aurto,rx300}: send a daily test message to a t-online address to keep our "reputation"
All checks were successful
bundlewrap/pipeline/head This commit looks good
Details
2021-07-10 13:04:08 +02:00
Franziska Kunsmann
6c9809b165
bundles/grafana: add guest cpu time to cpu graph
All checks were successful
bundlewrap/pipeline/head This commit looks good
Details
2021-07-10 10:05:26 +02:00
Franziska Kunsmann
b17ce5f905
nodes/htz.ex42: fix git.kunsmann.eu redirect url 2021-07-09 18:21:01 +02:00
Franziska Kunsmann
1e026c1769
nodes/rx300: update gitea to 1.14.4
All checks were successful
bundlewrap/pipeline/head This commit looks good
Details
2021-07-09 18:19:15 +02:00
Franziska Kunsmann
6a4b24c0f2
fix git urls in repo
All checks were successful
bundlewrap/pipeline/head This commit looks good
Details
2021-07-09 17:27:12 +02:00
Franziska Kunsmann
1f25d0052e
add legacy redirect for git.kunsmann.eu 2021-07-09 17:26:54 +02:00
Franziska Kunsmann
d0bdcacc94
nodes/rx300: install correct dependencies for franzi.business deployment
Some checks failed
bundlewrap/pipeline/head There was a failure building this commit
Details
2021-07-09 16:38:26 +02:00
Franziska Kunsmann
1927837205
bundles/gitea: add /var/lib/gitea to backups 2021-07-09 16:22:37 +02:00
Franziska Kunsmann
9bf0b8a0b0
bundles/gitea: use zfs datasets for all data 2021-07-09 16:22:10 +02:00
Franziska Kunsmann
82dd354f92
bundles/gitea: fix permissions for /home/git/.ssh 2021-07-09 16:15:38 +02:00
Franziska Kunsmann
bd77f8da93
move franzi.business to rx300 2021-07-09 16:11:53 +02:00
Franziska Kunsmann
c2cb5a2546
move gitea to rx300 2021-07-09 15:57:39 +02:00
Franziska Kunsmann
95c5e0b6ea
bundles/gitea: use generic vhost name 2021-07-09 15:55:31 +02:00
Franziska Kunsmann
4a30aeaab6
nodes/htz.ex42-1048908: fix matrix server wellknown stuff
All checks were successful
bundlewrap/pipeline/head This commit looks good
Details
2021-07-05 20:05:47 +02:00
37 changed files with 870 additions and 102 deletions
Show stats Expand all files Collapse all files

2
PORT_MAP.md
View file

@ -26,11 +26,11 @@ Rule of thumb: keep ports below 10000 free for stuff that reserves ports.
| 6667 | | bitlbee |
| 8010 | | matrix-media-repo |
| 8086 | influxdb2 | influx |
| 8184 | | matrix-dimension |
| 11332-11334 | rspamd | rspamd |
| 20000 | mx-puppet-discord | Bridge |
| 20010 | mautrix-telegram | Bridge |
| 20020 | mautrix-whatsapp | Bridge |
| 20030 | matrix-dimension | Matrix Integrations Manager|
| 20080 | matrix-synapse | client, federation |
| 20081 | matrix-synapse | prometheus metrics |
| 20090 | matrix-media-repo | media_repo |

2
README.md
View file

@ -6,4 +6,4 @@ May also include some dummy nodes, for example for deploying websites
onto shared webhosting.
`bw test` runs according to Jenkinsfile after every commit.
[![Build Status](https://jenkins.kunsmann.eu/buildStatus/icon?job=bundlewrap%2Fmain)](https://jenkins.kunsmann.eu/job/bundlewrap/job/main/)
[![Build Status](https://jenkins.franzi.business/buildStatus/icon?job=kunsi%2Fbundlewrap%2Fmain)](https://jenkins.franzi.business/job/kunsi/job/bundlewrap/job/main/)

70
bundles/check-mail-received/files/check_imap_for_mail_from Normal file
View file

@ -0,0 +1,70 @@
#!/usr/bin/env python3
from imaplib import IMAP4_SSL
from subprocess import check_output
from sys import argv, exit
from time import time
if len(argv) < 5:
print('Usage: {} <imap host> <username> <password> <message sender>'.format(argv[0]))
exit(3)
NOW = time()
try:
imap = IMAP4_SSL(argv[1])
imap.login(argv[2], argv[3])
imap.select('Inbox')
_, data = imap.search(None, 'ALL')
something_found = False
for item in data:
for index in item.split():
received_in_this_mail = None
from_in_this_mail = False
try:
message = imap.fetch(index, '(RFC822)')
message_text = bytearray()
for part in message[1][0]:
message_text.extend(part)
message_text = message_text.decode().splitlines()
for line in message_text:
lline = line.strip().lower()
if lline.startswith('from:') and argv[4].lower() in line:
from_in_this_mail = True
if lline.startswith('date:'):
date = line.strip()[5:].strip()
unixtime = int(check_output([
'date',
'--date={}'.format(date),
'+%s',
]).decode().strip())
if unixtime > (NOW-(60*60*25)):
received_in_this_mail = date
if received_in_this_mail and from_in_this_mail:
print('Found message from "{}" sent at "{}"'.format(argv[4], received_in_this_mail))
received_in_this_mail = None
from_in_this_mail = False
something_found = True
except:
pass
if something_found:
# there should be output above
exit(0)
print('No Mails found')
exit(2)
except Exception as e:
print(repr(e))
exit(3)

5
bundles/check-mail-received/items.py Normal file
View file

@ -0,0 +1,5 @@
files = {
'/usr/local/share/icinga/plugins/check_imap_for_mail_from': {
'mode': '0755',
},
}

41
bundles/check-mail-received/metadata.py Normal file
View file

@ -0,0 +1,41 @@
@metadata_reactor.provides(
'cron/check-mail-received',
'icinga2_api/check-mail-received/services',
)
def process_metadata(metadata):
cron = set()
services = {}
my_mail_address = 'root@{}'.format(metadata.get('hostname'))
for name, config in metadata.get('check-mail-received', {}).items():
cron.add('{minute} {hour} * * * root date | mail -s "daily test mail from {node}" -r {source} {target}'.format(
minute=node.magic_number%60,
hour=node.magic_number%24,
node=node.name,
source=my_mail_address,
target=config['email'],
))
services[f'MAIL RECEIVED ON {name}'] = {
'command_on_monitored_host': repo.libs.faults.join_faults([
'/usr/local/share/icinga/plugins/check_imap_for_mail_from',
config['imap_host'],
config.get('imap_user', config['email']),
config['imap_pass'],
my_mail_address,
]),
'check_interval': '15m',
'retry_interval': '5m',
}
return {
'cron': {
'check-mail-received': '\n'.join(sorted(cron)),
},
'icinga2_api': {
'check-mail-received': {
'services': services,
},
},
}

5
bundles/gitea/items.py
View file

@ -21,6 +21,11 @@ directories = {
'owner': 'git',
'group': 'git',
},
'/home/git/.ssh': {
'mode': '0755',
'owner': 'git',
'group': 'git',
},
'/var/lib/gitea': {
'owner': 'git',
'mode': '0700',

21
bundles/gitea/metadata.py
View file

@ -2,6 +2,7 @@ defaults = {
'backups': {
'paths': {
'/home/git',
'/var/lib/gitea',
},
},
'gitea': {
@ -44,6 +45,23 @@ defaults = {
},
},
},
'zfs': {
'datasets': {
'tank/gitea': {},
'tank/gitea/home': {
'mountpoint': '/home/git',
'needed_by': {
'directory:/home/git',
},
},
'tank/gitea/var': {
'mountpoint': '/var/lib/gitea',
'needed_by': {
'directory:/var/lib/gitea',
},
},
},
},
}
@ -57,7 +75,8 @@ def nginx(metadata):
return {
'nginx': {
'vhosts': {
metadata.get('gitea/domain'): {
'gitea': {
'domain': metadata.get('gitea/domain'),
'locations': {
'/': {
'target': 'http://127.0.0.1:22000',

2
bundles/grafana/dashboard-rows/cpu.py
View file

@ -9,6 +9,8 @@ def dashboard_row_cpu(panel_id, node):
'iowait',
'nice',
'softirq',
'guest',
'guest_nice',
]:
queries_cpu.append({
'groupBy': [

3
bundles/jenkins-ci/files/ssh-config Normal file
View file

@ -0,0 +1,3 @@
Host *
UserKnownHostsFile /dev/null
StrictHostKeyChecking no

27
bundles/jenkins-ci/items.py
View file

@ -1,14 +1,41 @@
directories = {
'/var/lib/jenkins': {
'owner': 'jenkins',
'group': 'jenkins',
'needs': {
'pkg_apt:jenkins',
},
},
'/var/lib/jenkins/.ssh': {
'mode': '0755',
'owner': 'git',
'group': 'git',
},
}
files = {
'/etc/default/jenkins': {
'triggers': {
'svc_systemd:jenkins:restart',
},
},
'/var/lib/jenkins/.ssh/config': {
'source': 'ssh-config',
},
}
if node.metadata.get('jenkins-ci/install_ssh_key', False):
files['/var/lib/jenkins/.ssh/id_ed25519'] = {
'content': repo.vault.decrypt_file(f'jenkins-ci/files/ssh-keys/{node.name}.key.vault'),
'mode': '0600',
'owner': 'jenkins',
'group': 'jenkins',
}
svc_systemd = {
'jenkins': {
'needs': {
'directory:/var/lib/jenkins',
'pkg_apt:jenkins',
},
},

10
bundles/jenkins-ci/metadata.py
View file

@ -21,4 +21,14 @@ defaults = {
'/var/lib/jenkins',
},
},
'zfs': {
'datasets': {
'tank/jenkins': {
'mountpoint': '/var/lib/jenkins',
'needed_by': {
'pkg_apt:jenkins',
},
},
},
},
}

14
bundles/matrix-dimension/files/matrix-dimension.service Normal file
View file

@ -0,0 +1,14 @@
[Unit]
Description=Matrix Dimension
After=network.target
[Service]
User=matrix-dimension
Group=matrix-dimension
Environment="NODE_ENV=production"
ExecStart=/usr/bin/node ${config['install_dir']}/build/app/index.js
WorkingDirectory=${config['install_dir']}
Restart=on-failure
[Install]
WantedBy=multi-user.target

93
bundles/matrix-dimension/files/production.yaml Normal file
View file

@ -0,0 +1,93 @@
# The web settings for the service (API and UI).
# It is best to have this run on localhost and use a reverse proxy to access Dimension.
web:
port: 20030
address: '127.0.0.1'
# Homeserver configuration
homeserver:
# The domain name of the homeserver. This is used in many places, such as with go-neb
# setups, to identify the homeserver.
name: "${config['homeserver']['name']}"
# The URL that Dimension, go-neb, and other services provisioned by Dimension should
# use to access the homeserver with.
clientServerUrl: "${config['homeserver']['clientServerUrl']}"
# The URL that Dimension should use when trying to communicate with federated APIs on
# the homeserver. If not supplied or left empty Dimension will try to resolve the address
# through the normal federation process.
#federationUrl: "https://t2bot.io:8448"
# The URL that Dimension will redirect media requests to for downloading media such as
# stickers. If not supplied or left empty Dimension will use the clientServerUrl.
#mediaUrl: "https://t2bot.io"
# The access token Dimension should use for miscellaneous access to the homeserver, and
# for tracking custom sticker pack updates. This should be a user configured on the homeserver
# and be dedicated to Dimension (create a user named "dimension" on your homeserver). For
# information on how to acquire an access token, visit https://t2bot.io/docs/access_tokens
accessToken: "${config['homeserver']['accessToken']}"
# These users can modify the integrations this Dimension supports.
# To access the admin interface, open Dimension in Riot and click the settings icon.
admins:
% for i in config['admins']:
- "${i}"
% endfor
# IPs and CIDR ranges listed here will be blocked from being widgets.
# Note: Widgets may still be embedded with restricted content, although not through Dimension directly.
widgetBlacklist:
- 10.0.0.0/8
- 172.16.0.0/12
- 192.168.0.0/16
- 127.0.0.0/8
database:
# Where the database for Dimension is
uri: "postgres://${node.metadata['matrix-dimension']['database']['user']}:${node.metadata['matrix-dimension']['database']['password']}@${node.metadata['matrix-dimension']['database'].get('host', 'localhost')}/${node.metadata['matrix-dimension']['database']['database']}"
# Where to store misc information for the utility bot account.
botData: "${config['data_dir']}/dimension.bot.json"
# Display settings that apply to self-hosted go-neb instances
goneb:
# The avatars to set for each bot. Usually these don't need to be changed, however if your homeserver
# is not able to reach t2bot.io then you should specify your own here. To not use an avatar for a bot,
# make the bot's avatar an empty string.
avatars:
giphy: "mxc://t2bot.io/c5eaab3ef0133c1a61d3c849026deb27"
imgur: "mxc://t2bot.io/6749eaf2b302bb2188ae931b2eeb1513"
github: "mxc://t2bot.io/905b64b3cd8e2347f91a60c5eb0832e1"
wikipedia: "mxc://t2bot.io/7edfb54e9ad9e13fec0df22636feedf1"
travisci: "mxc://t2bot.io/7f4703126906fab8bb27df34a17707a8"
rss: "mxc://t2bot.io/aace4fcbd045f30afc1b4e5f0928f2f3"
google: "mxc://t2bot.io/636ad10742b66c4729bf89881a505142"
guggy: "mxc://t2bot.io/e7ef0ed0ba651aaf907655704f9a7526"
echo: "mxc://t2bot.io/3407ff2db96b4e954fcbf2c6c0415a13"
circleci: "mxc://t2bot.io/cf7d875845a82a6b21f5f66de78f6bee"
jira: "mxc://t2bot.io/f4a38ebcc4280ba5b950163ca3e7c329"
# Settings for interacting with Telegram. Currently only applies for importing
# sticker packs from Telegram.
telegram:
# Talk to @BotFather on Telegram to get a token
botToken: "${config['telegram']['botToken']}"
# Custom sticker pack options.
# Largely based on https://github.com/turt2live/matrix-sticker-manager
stickers:
# Whether or not to allow people to add custom sticker packs
enabled: true
# The sticker manager bot to promote
stickerBot: "@stickers:t2bot.io"
# The sticker manager URL to promote
managerUrl: "https://stickers.t2bot.io"
# Settings for controlling how logging works
logging:
console: true
consoleLevel: info

74
bundles/matrix-dimension/items.py Normal file
View file

@ -0,0 +1,74 @@
repo.libs.tools.require_bundle(node, 'nodejs')
directories = {
node.metadata['matrix-dimension']['install_dir']: {
'owner': 'matrix-dimension',
'group': 'matrix-dimension',
},
}
git_deploy = {
node.metadata['matrix-dimension']['install_dir']: {
'rev': node.metadata.get('matrix-dimension/version', 'master'), # doesn't have releases yet
'repo': 'https://github.com/turt2live/matrix-dimension.git',
'triggers': {
'action:matrix_dimension_build',
},
'needs': {
'directory:{}'.format(node.metadata.get('matrix-dimension/install_dir')),
'directory:{}'.format(node.metadata.get('matrix-dimension/data_dir')),
},
},
}
files = {
'{}/config/production.yaml'.format(node.metadata.get('matrix-dimension/install_dir')): {
'owner': 'matrix-dimension',
'group': 'matrix-dimension',
'content_type': 'mako',
'context': {
'config': node.metadata.get('matrix-dimension', {}),
},
'needs': {
'directory:{}'.format(node.metadata.get('matrix-dimension/install_dir')),
},
'triggers': {
'svc_systemd:matrix-dimension:restart',
},
},
'/etc/systemd/system/matrix-dimension.service': {
'content_type': 'mako',
'context': {
'config': node.metadata.get('matrix-dimension', {}),
},
'triggers': {
'action:systemd-reload',
'svc_systemd:matrix-dimension:restart',
},
},
}
actions = {
'matrix_dimension_build': {
'command': 'cd ' + node.metadata.get('matrix-dimension/install_dir') + ' && sudo -u matrix-dimension npm install && sudo -u matrix-dimension npm run build',
'needs': {
'pkg_apt:nodejs',
},
'triggered': True,
'triggers': {
'svc_systemd:matrix-dimension:restart',
},
},
}
svc_systemd = {
'matrix-dimension': {
'needs': {
'action:matrix_dimension_build',
'file:{}/config/production.yaml'.format(node.metadata.get('matrix-dimension/install_dir')),
'postgres_db:matrix-dimension',
'postgres_role:matrix-dimension',
},
},
}

77
bundles/matrix-dimension/metadata.py Normal file
View file

@ -0,0 +1,77 @@
defaults = {
'backups': {
'paths': {
'/opt/matrix-dimension',
'/var/opt/matrix-dimension',
},
},
'matrix-dimension': {
'install_dir': '/opt/matrix-dimension',
'data_dir': '/var/opt/matrix-dimension',
'database': {
'user': 'matrix-dimension',
'password': repo.vault.password_for('{} postgresql matrix-dimension'.format(node.name)),
'database': 'matrix-dimension',
},
},
'postgresql': {
'roles': {
'matrix-dimension': {
'password': repo.vault.password_for('{} postgresql matrix-dimension'.format(node.name)),
},
},
'databases': {
'matrix-dimension': {
'owner': 'matrix-dimension',
},
},
},
'users': {
'matrix-dimension': {
'home': '/var/opt/matrix-dimension',
},
},
}
@metadata_reactor.provides(
'nginx/vhosts/matrix-dimension',
)
def nginx_config(metadata):
return {
'nginx': {
'vhosts': {
'matrix-dimension': {
'domain': metadata.get('matrix-dimension/url'),
'do_not_set_content_security_headers': True,
'max_body_size': '50M',
'locations': {
'/': {
'target': 'http://127.0.0.1:20030',
},
},
},
},
},
}
@metadata_reactor.provides(
'icinga2_api/matrix-dimension/services',
)
def icinga_check_for_new_release(metadata):
return {
'icinga2_api': {
'matrix-dimension': {
'services': {
'MATRIX-DIMENSION UPDATE': {
'command_on_monitored_host': '/usr/local/share/icinga/plugins/check_github_for_new_release turt2live/matrix-dimension {}'.format(metadata.get('matrix-dimension/version')),
'vars.notification.mail': True,
'check_interval': '60m',
},
'MATRIX-DIMENSION PROCESS': {
'command_on_monitored_host': '/usr/lib/nagios/plugins/check_procs -a matrix-dimension -c 1:',
},
},
},
},
}

6
bundles/mx-puppet-discord/files/config.yaml
View file

@ -16,6 +16,12 @@ provisioning:
- "${regex}"
% endfor
namePatterns:
user: ":name (Discord)"
userOverride: ":displayname (Discord)"
room: "#:name (Discord - :guild)"
group: ":name"
database:
connString: "postgres://${node.metadata['mx-puppet-discord']['database']['user']}:${node.metadata['mx-puppet-discord']['database']['password']}@${node.metadata['mx-puppet-discord']['database'].get('host', 'localhost')}/${node.metadata['mx-puppet-discord']['database']['database']}?sslmode=disable"

23
bundles/php/files/8.0/fpm.conf Normal file
View file

@ -0,0 +1,23 @@
[global]
pid=/run/php/php8.0-fpm.pid
; We're using journal, put logs there
error_log=/var/log/php8.0-fpm.log
daemonize=yes
; The one and only worker pool we have
[www]
user=www-data
group=www-data
listen=/run/php/php8.0-fpm.sock
listen.owner=www-data
listen.group=www-data
listen.mode=0600
; Process Manager Settings
pm=dynamic
pm.max_children=${num_cpus*4}
pm.start_servers=${num_cpus}
pm.max_spare_servers=${num_cpus*2}
pm.min_spare_servers=${num_cpus}
pm.process_idle_timeout=30s
pm.max_requests=1024

99
bundles/php/files/8.0/php.ini Normal file
View file

@ -0,0 +1,99 @@
[PHP]
; Only needed for libapache2-mod-php?
engine = On
short_open_tag = Off
precision = 14
output_buffering = 4096
zlib.output_compression = Off
implicit_flush = Off
serialize_precision = -1
disable_functions = pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_get_handler,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,pcntl_async_signals
ignore_user_abort = Off
zend.enable_gc = On
expose_php = Off
max_execution_time = 30
max_input_time = 60
memory_limit = 256M
error_reporting = E_ALL & ~E_DEPRECATED & ~E_STRICT
display_startup_errors = Off
log_errors = On
log_errors_max_len = 1024
ignore_repeated_errors = Off
ignore_repeated_source = Off
report_memleaks = On
html_errors = On
error_log = syslog
syslog.ident = php7.4
syslog.filter = ascii
arg_separator.output = "&amp;"
variables_order = "GPCS"
request_order = "GP"
register_argc_argv = Off
auto_globals_jit = On
post_max_size = ${post_max_size}M
default_mimetype = "text/html"
default_charset = "UTF-8"
enable_dl = Off
file_uploads = On
upload_max_filesize = ${post_max_size}M
max_file_uploads = 20
allow_url_fopen = On
allow_url_include = Off
default_socket_timeout = 10
[CLI Server]
cli_server.color = On
[mail function]
mail.add_x_header = Off
[ODBC]
odbc.allow_persistent = On
odbc.check_persistent = On
odbc.max_persistent = -1
odbc.max_links = -1
odbc.defaultlrl = 4096
odbc.defaultbinmode = 1
[PostgreSQL]
pgsql.allow_persistent = On
pgsql.auto_reset_persistent = Off
pgsql.max_persistent = -1
pgsql.max_links = -1
pgsql.ignore_notice = 0
pgsql.log_notice = 0
[bcmath]
bcmath.scale = 0
[Session]
session.save_handler = files
session.use_strict_mode = 0
session.use_cookies = 1
session.use_only_cookies = 1
session.name = PHPSESSID
session.auto_start = 0
session.cookie_lifetime = 0
session.cookie_path = /
session.cookie_domain =
session.cookie_httponly =
session.cookie_samesite =
session.serialize_handler = php
session.gc_probability = 1
session.gc_divisor = 1000
session.gc_maxlifetime = 1440
session.referer_check =
session.cache_limiter = nocache
session.cache_expire = 180
session.use_trans_sid = 0
session.sid_length = 32
session.trans_sid_tags = "a=href,area=href,frame=src,form="
session.sid_bits_per_character = 6
[Assertion]
zend.assertions = -1

6
bundles/postfix/files/arch-override.conf Normal file
View file

@ -0,0 +1,6 @@
[Service]
# arch postfix is not set up for chrooting by default
ExecStartPre=-/usr/sbin/mkdir -p /var/spool/postfix/etc
% for file in ['/etc/localtime', '/etc/nsswitch.conf', '/etc/resolv.conf', '/etc/services']:
ExecStartPre=-/usr/sbin/cp -p ${file} /var/spool/postfix${file}
% endfor

12
bundles/postfix/items.py
View file

@ -21,7 +21,7 @@ for identifier in node.metadata.get('postfix/mynetworks', set()):
netmask = '128'
mynetworks.add(f'[{ip6}]/{netmask}')
my_package = 'pkg_pacman:postfix' if node.has_bundle('pacman') else 'pkg_apt:postfix'
my_package = 'pkg_pacman:postfix' if node.os == 'arch' else 'pkg_apt:postfix'
files = {
'/etc/mailname': {
@ -86,3 +86,13 @@ svc_systemd = {
},
},
}
if node.os == 'arch':
files['/etc/systemd/system/postfix.service.d/bundlewrap.conf'] = {
'source': 'arch-override.conf',
'content_type': 'mako',
'triggers': {
'action:systemd-reload',
'svc_systemd:postfix:restart',
},
}

1
bundles/postfix/metadata.py
View file

@ -25,6 +25,7 @@ defaults = {
'pacman': {
'packages': {
'postfix': {},
's-nail': {},
},
},
}

2
bundles/simple-icinga-dashboard/items.py
View file

@ -34,7 +34,7 @@ directories = {
git_deploy = {
'/opt/simple-icinga-dashboard/src': {
'repo': 'https://git.kunsmann.eu/sophie/simple-icinga-dashboard.git',
'repo': 'https://git.franzi.business/sophie/simple-icinga-dashboard.git',
'rev': 'main',
'triggers': {
'action:simple-icinga-dashboard_install_requirements',

0
data/gitea/files/ssh-keys/htz.ex42-1048908.key.vault → data/gitea/files/ssh-keys/rx300.key.vault
View file

0
data/gitea/files/ssh-keys/htz.ex42-1048908.pub → data/gitea/files/ssh-keys/rx300.pub
View file

1
data/jenkins-ci/files/ssh-keys/rx300.key.vault Normal file
View file

@ -0,0 +1 @@
encrypt$gAAAAABg6vNNuCZcmhH52dQDiD4ePsbXhz0kHSjqX3yduJ6E5NylWEdKNtjtrfc9bu1WNnDBO0YpsqxIeax2u1xc6gstohVfbu2MgwGJKpA7J5Py6xiQL82YKJcwV7k0EZ7ilWbqlzXuSDh40KG3GWOTPiw_CbsbDEpCU09x1hUs1_0BTPAU6ln4t7ync7ZjFZf_vRBTlrnZWchzXoSwppzedAZeaptfhMWn_-8oARoYvxJf3pkmTSGjovNMvDak_sscq_M2rldng6_oboR4iTo_6eY6bpCjEGD3xMeSzLhDZsJ4c0l9bZBDef-NRWA7Ewptc4KYKVvzKlgyrByqSV8TCmYn4aBgOusv-VAW3VqKg2rHi3nq5L50zkPwWmHC6_rdtIS-pAlnR5A0HJYdXGyf2eQSq3UkrZA3BIFlqUWrvS8aTWxp9CUL5C9oRGpL8P3fVfExiqhmcLGamHZb1Y2kjxX8EMcSCRLgiVO9DwIpXlEm86HfgVcXaL0wpibM32PD0sspOPILThE5P9WETGhpFAWDkWR0WaYQjZuAVlXTtk8tgdh0vC2auQl2pEVbvvnZaa04Ohp2QgE3AJLg3tdekLciwCQmPm0bpX8xYvJ49vNWG-SCaAlLHzLVIMFXFY53-SBOHYnE

1
data/jenkins-ci/files/ssh-keys/rx300.pub Normal file
View file

@ -0,0 +1 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHZnYhsdtGUYJiFcvfqTLljGkInnFTOoDF/WZniLtPjH

6
data/nginx/files/extras/htz-cloud.miniserver/dimension.sophies-kitchen.eu
View file

@ -1,6 +0,0 @@
add_header Content-Security-Policy "frame-ancestors 'self' chat.sophies-kitchen.eu";
location /.well-known/matrix/ {
alias /etc/matrix-synapse/wellknown/;
add_header Access-Control-Allow-Origin *;
}

1
data/nginx/files/extras/htz-cloud.miniserver/matrix-dimension Normal file
View file

@ -0,0 +1 @@
add_header Content-Security-Policy "frame-ancestors 'self' chat.sophies-kitchen.eu";

9
data/powerdns/files/bind-zones/franzi.business
View file

@ -2,8 +2,9 @@ ${header}
$ORIGIN franzi.business.
@ IN A 94.130.52.224
IN AAAA 2a01:4f8:10b:2a5f::2
; ends up on rx300.kunbox.net
@ IN A 31.47.232.106
IN AAAA 2a00:f820:528::2
IN MX 10 mx0.kunbox.net.
IN TXT "v=spf1 mx ~all"
@ -13,6 +14,9 @@ chat IN AAAA 2a01:4f8:10b:2a5f::2
dimension IN A 94.130.52.224
dimension IN AAAA 2a01:4f8:10b:2a5f::2
git IN CNAME rx300.kunbox.net.
jenkins IN CNAME rx300.kunbox.net.
matrix IN A 94.130.52.224
matrix IN AAAA 2a01:4f8:10b:2a5f::2
@ -24,7 +28,6 @@ sewfile IN CNAME sewfile.htz-cloud.kunbox.net.
rss IN CNAME rx300.kunbox.net.
status IN CNAME icinga2.ovh.kunbox.net.
travelynx IN CNAME rx300.kunbox.net.
unicornsden IN CNAME rx300.kunbox.net.

10
data/powerdns/files/bind-zones/kunsmann.eu
View file

@ -10,17 +10,11 @@ $ORIGIN kunsmann.eu.
dav IN A 94.130.52.224
dav IN AAAA 2a01:4f8:10b:2a5f::2
git IN A 94.130.52.224
git IN AAAA 2a01:4f8:10b:2a5f::2
grafana IN CNAME influxdb.htz-cloud.kunbox.net.
icinga IN CNAME icinga2.ovh.kunbox.net.
influxdb IN CNAME influxdb.htz-cloud.kunbox.net.
statusmonitor.icinga IN CNAME icinga2.ovh.kunbox.net.
jenkins IN A 94.130.52.224
jenkins IN AAAA 2a01:4f8:10b:2a5f::2
mta-sts IN A 94.130.52.224
mta-sts IN AAAA 2a01:4f8:10b:2a5f::2
@ -29,8 +23,8 @@ luther-ps IN CNAME luther.htz-cloud.kunbox.net.
paste IN A 94.130.52.224
paste IN AAAA 2a01:4f8:10b:2a5f::2
rss IN A 94.130.52.224
rss IN AAAA 2a01:4f8:10b:2a5f::2
; legacy, for redirect
git IN CNAME ex42-1048908.htz.kunbox.net.
_dmarc IN TXT "v=DMARC1; p=quarantine; rua=mailto:postmaster@kunsmann.eu; ruf=mailto:postmaster@kunsmann.eu; fo=0:d:s; adkim=r; aspf=r"
_mta-sts IN TXT "v=STSv1;id=20201111;"

2
data/travelynx/files/imprint/rx300
View file

@ -9,7 +9,7 @@
<div class="col s12">
<h1>Datenschutz</h1>
<h2>Logdateien des Webservers</h2>
<p>Der Webserver fertigt keine Logdateien an. Interessierte können sich <a href="https://git.kunsmann.eu/kunsi/bundlewrap/src/branch/main/bundles/nginx/files/site_template">in meinem Gitea die aktuelle nginx-Konfiguration des Servers ansehen</a>.</p>
<p>Der Webserver fertigt keine Logdateien an. Interessierte können sich <a href="https://git.franzi.business/kunsi/bundlewrap/src/branch/main/bundles/nginx/files/site_template">in meinem Gitea die aktuelle nginx-Konfiguration des Servers ansehen</a>.</p>
<h2>Account-spezifische Daten</h2>

33
libs/faults.py
View file

@ -1,6 +1,39 @@
from json import loads, dumps
from bundlewrap.metadata import metadata_to_json
from bundlewrap.utils import Fault
def resolve_faults(dictionary: dict) -> dict:
return loads(metadata_to_json(dictionary))
def ensure_fault_or_none(maybe_fault):
if maybe_fault is None or isinstance(maybe_fault, Fault):
return maybe_fault
return Fault(maybe_fault, lambda f: f, f=maybe_fault)
def join_faults(faults, by=' '):
result = []
id_list = []
for item in faults:
result.append(ensure_fault_or_none(item))
if isinstance(item, Fault):
id_list += item.id_list
else:
id_list.append(item)
id_list += [
'joined_by',
by,
]
return Fault(
id_list,
lambda o: by.join([i.value for i in o]),
o=result,
)

11
nodes/aurto.py
View file

@ -2,6 +2,7 @@ nodes['aurto'] = {
'hostname': '31.47.232.107',
'bundles': {
'backup-client',
'check-mail-received',
},
'groups': {
'arch',
@ -18,6 +19,13 @@ nodes['aurto'] = {
'/var/cache/pacman/aurto',
},
},
'check-mail-received': {
't-online': {
'email': 'franzi.kunsmann@t-online.de',
'imap_host': 'secureimap.t-online.de',
'imap_pass': bwpass.attr('t-online.de/franzi.kunsmann@t-online.de', 'imap'),
},
},
'interfaces': {
'enp1s0': {
'ips': {
@ -55,6 +63,9 @@ nodes['aurto'] = {
# kunsi
'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICYst1HK+gJYhNxzqJGnz4iB73pa89Xz2yH+8wufOcsA',
'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC+ja1z5VRQzaKCCePsUM14qMr9QR94qlWc7Je5Poki9UmC1t/TyxRVzcCBL1ZdIfBGx6QKtfkEbvhgb3nxVt3PvXjoJrc6wwGLmNrVsU6B88y35g7nzupQiPKYJwkNzJ9j6Dmkgj1F5Q+aY2SitDaX6vqICLJ4Al/ZFw2IQxVJfC7JXRJ9jRMG5o9gWoE3gWDYEAmw+HU2mNzyeuaD12qJw9DHUimAlgkOWzll3gh9WclsYnnXGrCCn5fyHFUCJl+XXAIy519z7YTpKih02rsIOw5dnaGClBZD/YQu2ZKVFZiwIVH7aBiqHOmtgRyWTQgjbh/fMpIN0ar2f/iZsWYUjd6et48TOmXZYIPCQ5FivXNvxt9oo1XZfq76UHBwlmypLJIWROMbz375n2M6hr3hECuxuPjKEUXAv05KiC1aJ4xc6pFoVhqwAR99hvHw5U4o7/ko2NVjNpTu6Jr5DT5VaQLIdDDjC/93kUjMpdD/8P72bEn7454+WexU6OE6uvNiHj1fetrptr2UAuzVfnCoaV8pBqY7X95gk+lnSENdpr8ltJYMg8s0Z7Pzz0OxsZtzzDY5VmWfC9TCdJkN5lT8IbnaixsYlWdjQl1lMmZGElmelfU3K7YQLAbZiHmHKe4hTl9ZoCcWdTQ3d4y2t1DBos+N2HZNdtFCyOS8esDdMw== cardno:000609506971',
# n0emis
'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEcOPtW5FWNIdlMQFoqeyA1vHw+cA8ft8oXSbXPzQNL9 n0emis@n0emis.eu',
'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC8xqVakxJ+AwcIrS/wyL03N++pE09epwMFlIMXWvlpwwEp1J/0H7nygwxk/9LIZdabs/ETWn0s8oHAkc7YR1c6ajSTCDiZEYATAWt7t8t4Gw/80c8u8T50lIqmiDEEVbOVv3Vta/pAN4hAUp9U5DpYCkQbvF+NKKcK3Yp8d9usNC6ohqgTK+IGAEdMhvpbbNppDMXoWHuynBzUX7TS6ST6yEr0tD+CBbCpbfcMuwTI3lNtfywEVpuFaeHqDZx2QDrEX4bg0dRKgQstbXYdqmBfnOiBpUr8Wyl8U1J24rN+E07pBw/8KDGWbVg19/Ex8o4ht/p5voUfKVjD/DwWXTLntBirjfAgQAm4GH/qP4x3zNiTtlYlQFbXSk6VEVrTrxCB5rTWvGnhg31tk5P3YwvagDmGABazY5s/8tlttSc1yWBctWQJCjxSqcCLekxG4D1rVuGKCKOZgflQ9QFdQlKycInPBek3zi0i3GYkE1YnNFye5ggOnxT8qGuKjfdtZI9qvMJQO8lbEDzbYQvNns1V/k4ZobiihYwrG5TJUzZFEpMYetDK6tI8BRU11d+ja0jWzguj5/7wc0nrr/BiZ8FkAr2fZ60j2aI5kG0s3qjbrQbB/RXaGP9hRU0+480+IokNJJIcjv5iwH5ophdrjC8GH4So2kPPt0NXob1yNysdjw== simeon@noemis.me (OLD)',
},
},
'kunsi': {

45
nodes/htz-cloud/miniserver.py
View file

@ -4,6 +4,7 @@
nodes['htz-cloud.miniserver'] = {
'bundles': {
'element-web',
'matrix-dimension',
'matrix-media-repo',
'matrix-synapse',
'nodejs',
@ -58,7 +59,7 @@ nodes['htz-cloud.miniserver'] = {
},
'element-web': {
'url': 'chat.sophies-kitchen.eu',
'version': 'v1.7.31',
'version': 'v1.7.32',
'config': {
'default_server_config': {
'm.homeserver': {
@ -68,10 +69,10 @@ nodes['htz-cloud.miniserver'] = {
},
'brand': 'sophies-kitchen.eu',
'showLabsSettings': True,
'integrations_ui_url': 'https://dimension.franzi.business/riot',
'integrations_rest_url': 'https://dimension.franzi.business/api/v1/scalar',
'integrations_ui_url': 'https://dimension.sophies-kitchen.eu/riot',
'integrations_rest_url': 'https://dimension.sophies-kitchen.eu/api/v1/scalar',
'integrations_widgets_urls': {
'https://dimension.franzi.business/widgets'
'https://dimension.sophies-kitchen.eu/widgets'
},
'default_theme': 'dark',
'defaultCountryCode': 'DE',
@ -103,6 +104,21 @@ nodes['htz-cloud.miniserver'] = {
},
},
},
'matrix-dimension': {
'url': 'dimension.sophies-kitchen.eu',
'version': 'master', # doesn't have releases yet
'homeserver': {
'name': 'sophies-kitchen.eu',
'clientServerUrl': 'https://matrix.sophies-kitchen.eu',
'accessToken': vault.decrypt('encrypt$gAAAAABg4btB0KGk068ahGZzR0w_Lm1bj1wUbB2WfNNs2bp3PwM4Ftp6MjQnrF-CejZfrF0NjPJw9Z4MrgileHP0sVw04mvgKSHfTf8gv4kTB6WuCIxHeMWHUDx00LTWL73fSlhCK0o1'),
},
'admins': [
'@sophie:sophies-kitchen.eu',
],
'telegram': {
'botToken': vault.decrypt('encrypt$gAAAAABg4bcQVzBF_iXdDtjRQD-O37GHdbHwWXyhCLPOuJLbv3ezUeXKR203hkCXkjfItSHi4NiTEgQPadDZTRkavaRpvAoaQV1a4srCS_Y-NU4RiOmkrVFJ_Xhw6UZvwjQUQ0QPOx9t'),
},
},
'matrix-media-repo': {
'version': 'v1.2.8',
'homeservers': {
@ -144,6 +160,14 @@ nodes['htz-cloud.miniserver'] = {
'bot_token': '""',
},
},
'nameservers': {
'213.133.98.98',
'213.133.99.99',
'213.133.100.100',
'2a01:4f8:0:1::add:1010',
'2a01:4f8:0:1::add:9999',
'2a01:4f8:0:1::add:9898',
},
'nftables': {
'rules': {
'input': {
@ -156,16 +180,9 @@ nodes['htz-cloud.miniserver'] = {
},
'nginx': {
'vhosts': {
#'dimension.sophies-kitchen.eu': {
# 'extras': True,
# 'do_not_set_content_security_headers': True,
# 'max_body_size': '50M',
# 'locations': {
# '/': {
# 'target': 'http://127.0.0.1:8184',
# },
# },
#},
'matrix-dimension': {
'extras': True,
},
'sophies-kitchen.eu': {
'webroot': '/var/www/sophies-kitchen.eu/_site/',
'extras': True,

8
nodes/htz-cloud/pirmasens.py
View file

@ -1,5 +1,6 @@
nodes['htz-cloud.pirmasens'] = {
'bundles': {
'check-mail-received',
'dovecot',
'php',
'postfixadmin',
@ -23,6 +24,13 @@ nodes['htz-cloud.pirmasens'] = {
'gateway6': 'fe80::1',
},
},
'check-mail-received': {
't-online': {
'email': 'franzi.kunsmann@t-online.de',
'imap_host': 'secureimap.t-online.de',
'imap_pass': bwpass.attr('t-online.de/franzi.kunsmann@t-online.de', 'imap'),
},
},
'icinga_options': {
'pretty_name': 'kunsmann.info',
},

134
nodes/htz/ex42-1048908.py
View file

@ -1,9 +1,10 @@
nodes['htz.ex42-1048908'] = {
'bundles': {
'check-mail-received',
'dovecot',
'element-web',
'gitea',
'jenkins-ci',
# 'gitea',
# 'jenkins-ci',
'lm-sensors',
'matrix-media-repo',
'matrix-synapse',
@ -86,8 +87,12 @@ nodes['htz.ex42-1048908'] = {
'/opt/matrix/matrix-dimension',
},
},
'cron': {
'telekom_nervkram': vault.decrypt('encrypt$gAAAAABfqXi23M96wrSLhqlbhqgePYX06LjPXfyQU2y_07kqYYLztj_PhS1-dk4r5FiiL2Ofmx5iCKW1sZNqiQSuHj2uKaitH0GnwHqj5CI2JwkAS9HrFxw=').format_into('0 0 * * * root date | mail -s \'daily test mail \' -r postmaster@mx0.kunbox.net {}'),
'check-mail-received': {
't-online': {
'email': 'franzi.kunsmann@t-online.de',
'imap_host': 'secureimap.t-online.de',
'imap_pass': bwpass.attr('t-online.de/franzi.kunsmann@t-online.de', 'imap'),
},
},
'element-web': {
'url': 'chat.franzi.business',
@ -113,27 +118,27 @@ nodes['htz.ex42-1048908'] = {
},
},
},
'gitea': {
'version': '1.14.3',
'sha256': '50c25c094ae109f49e276cd00ddc48a0a240b7670e487ae1286cc116d4cdbcf2',
'domain': 'git.kunsmann.eu',
'email_domain_blocklist': {
'gmail.com',
'yahoo.com',
'aol.com',
'comcast.net',
'verizon.net',
'hotmail.com',
'cox.net',
'msn.com',
},
'enable_git_hooks': True,
'install_ssh_key': True,
'internal_token': vault.decrypt('encrypt$gAAAAABfPncYwCX-NdBr9LdxLyGqmjRJqhmwMnWsdZy6kVOWdKrScW78xaqbJ1tpL1J4qa2hcZ7TQj3l-2mkyJNJOenGzU3TsI-gYMj9vC4m8Bhur5zboxjD4dQXaJbD1WSyHJ9sPJYsWP3Gjg6I19xeq9xMlAI6xaS9vOfuoI8nZnnQPx1NjfQEj03Jxf8a0-3F20sfICst1xRa5K48bpq1PFkK_oRojg=='),
'lfs_secret_key': vault.decrypt('encrypt$gAAAAABfPnd1vgNDt86-91YhviQw8Z0djSp4f_tBt76klDv-ZcwxP1ryJzqJ7qnfaTe_6DYCfc82gEzvVDsyBlCoAkGpt1AI2_LCKetuSCnDPjtGvwdQl3A53lFEdG2UJl1uUiR7f8Vr'),
'oauth_secret_key': vault.decrypt('encrypt$gAAAAABfPnbfTISbldhS0WyxVKBHVVoOMcar7Kxmh1kkmiUGd-RzbbnNzzhEER_owjttPQcACPfGKZ6WklaSsXjLq8km4P6A9QmPbC06GmHbc91m0odCb1KiY7SZeUD35PiRiGSq50dz'),
'security_secret_key': vault.decrypt('encrypt$gAAAAABfPnc-R7pkDj4pQgHDb6pzlNYNJgiWdeBFsX7IsHSnCtNPbZxCdtSL8cHtQzVO1KbSxS7zCwssmgiR8Kj54Z-koD-FQbjpbKWoIPw8SsyeqBVlZhIeEzhw_1t7_7ZTvv1O8AePdNYel9JJb_TaAZ8Vx46ZfsEPy8zaaHrqOekHC6RAnB4='),
},
# 'gitea': {
# 'version': '1.14.3',
# 'sha256': '50c25c094ae109f49e276cd00ddc48a0a240b7670e487ae1286cc116d4cdbcf2',
# 'domain': 'git.kunsmann.eu',
# 'email_domain_blocklist': {
# 'gmail.com',
# 'yahoo.com',
# 'aol.com',
# 'comcast.net',
# 'verizon.net',
# 'hotmail.com',
# 'cox.net',
# 'msn.com',
# },
# 'enable_git_hooks': True,
# 'install_ssh_key': True,
# 'internal_token': vault.decrypt('encrypt$gAAAAABfPncYwCX-NdBr9LdxLyGqmjRJqhmwMnWsdZy6kVOWdKrScW78xaqbJ1tpL1J4qa2hcZ7TQj3l-2mkyJNJOenGzU3TsI-gYMj9vC4m8Bhur5zboxjD4dQXaJbD1WSyHJ9sPJYsWP3Gjg6I19xeq9xMlAI6xaS9vOfuoI8nZnnQPx1NjfQEj03Jxf8a0-3F20sfICst1xRa5K48bpq1PFkK_oRojg=='),
# 'lfs_secret_key': vault.decrypt('encrypt$gAAAAABfPnd1vgNDt86-91YhviQw8Z0djSp4f_tBt76klDv-ZcwxP1ryJzqJ7qnfaTe_6DYCfc82gEzvVDsyBlCoAkGpt1AI2_LCKetuSCnDPjtGvwdQl3A53lFEdG2UJl1uUiR7f8Vr'),
# 'oauth_secret_key': vault.decrypt('encrypt$gAAAAABfPnbfTISbldhS0WyxVKBHVVoOMcar7Kxmh1kkmiUGd-RzbbnNzzhEER_owjttPQcACPfGKZ6WklaSsXjLq8km4P6A9QmPbC06GmHbc91m0odCb1KiY7SZeUD35PiRiGSq50dz'),
# 'security_secret_key': vault.decrypt('encrypt$gAAAAABfPnc-R7pkDj4pQgHDb6pzlNYNJgiWdeBFsX7IsHSnCtNPbZxCdtSL8cHtQzVO1KbSxS7zCwssmgiR8Kj54Z-koD-FQbjpbKWoIPw8SsyeqBVlZhIeEzhw_1t7_7ZTvv1O8AePdNYel9JJb_TaAZ8Vx46ZfsEPy8zaaHrqOekHC6RAnB4='),
# },
'icinga_options': {
'pretty_name': 'kunsmann.eu',
},
@ -295,46 +300,53 @@ nodes['htz.ex42-1048908'] = {
},
},
},
'franzi.business': {
'webroot': '/var/www/franzi.business/_site/',
'locations': {
'/.well-known/matrix/client': {
'return': json_dumps({
'm.homeserver': {
'base_url': 'https://matrix.franzi.business',
},
'm.identity_server': {
'base_url': 'https://matrix.org',
},
'im.vector.riot.jitsi': {
'preferredDomain': 'meet.ffmuc.net',
},
}, sort_keys=True),
'additional_config': {
'default_type application/json',
'add_header Access-Control-Allow-Origin *',
},
},
'/.well-known/matrix/server': {
'return': json_dumps({
'm.server': 'https://matrix.franzi.business',
}, sort_keys=True),
'additional_config': {
'default_type application/json',
'add_header Access-Control-Allow-Origin *',
},
},
},
},
'jenkins.kunsmann.eu': {
# 'franzi.business': {
# 'webroot': '/var/www/franzi.business/_site/',
# 'locations': {
# '/.well-known/matrix/client': {
# 'return': json_dumps({
# 'm.homeserver': {
# 'base_url': 'https://matrix.franzi.business',
# },
# 'm.identity_server': {
# 'base_url': 'https://matrix.org',
# },
# 'im.vector.riot.jitsi': {
# 'preferredDomain': 'meet.ffmuc.net',
# },
# }, sort_keys=True),
# 'additional_config': {
# 'default_type application/json',
# 'add_header Access-Control-Allow-Origin *',
# },
# },
# '/.well-known/matrix/server': {
# 'return': json_dumps({
# 'm.server': 'matrix.franzi.business:443',
# }, sort_keys=True),
# 'additional_config': {
# 'default_type application/json',
# 'add_header Access-Control-Allow-Origin *',
# },
# },
# },
# },
'git.kunsmann.eu': {
'locations': {
'/': {
'target': 'http://localhost:22010/',
'redirect': 'https://git.franzi.business$request_uri',
},
},
'website_check_path': '/login',
'website_check_string': 'Welcome to Jenkins',
},
# 'jenkins.kunsmann.eu': {
# 'locations': {
# '/': {
# 'target': 'http://localhost:22010/',
# },
# },
# 'website_check_path': '/login',
# 'website_check_string': 'Welcome to Jenkins',
# },
'kunbox.net': {},
'kunsmann.eu': {
'locations': {
@ -384,7 +396,7 @@ nodes['htz.ex42-1048908'] = {
},
'/.well-known/matrix/server': {
'return': json_dumps({
'm.server': 'https://matrix.franzi.business',
'm.server': 'matrix.franzi.business:443',
}, sort_keys=True),
'additional_config': {
'default_type application/json',

116
nodes/rx300.py
View file

@ -7,8 +7,12 @@
nodes['rx300'] = {
'hostname': '31.47.232.106',
'bundles': {
'check-mail-received',
'gitea',
'jenkins-ci',
'lm-sensors',
'miniflux',
'php',
'postgresql',
'smartd',
'travelynx',
@ -33,6 +37,15 @@ nodes['rx300'] = {
'apt': {
'packages': {
'ipmitool': {},
# for franzi.business deployment
'ruby': {},
'ruby-dev': {},
'ruby-bundler': {},
# more php
'php-imagick': {},
'php-yaml': {},
},
# XXX remove this once nginx.org has packages for debian bullseye
'repos': {
@ -43,23 +56,105 @@ nodes['rx300'] = {
},
},
},
'check-mail-received': {
't-online': {
'email': 'franzi.kunsmann@t-online.de',
'imap_host': 'secureimap.t-online.de',
'imap_pass': bwpass.attr('t-online.de/franzi.kunsmann@t-online.de', 'imap'),
},
},
'gitea': {
'version': '1.14.4',
'sha256': 'e1ce2fadcf6561cb2543b44b9f1382d6ce4be29ed8edd6d9d7080a218aa114b0',
'domain': 'git.franzi.business',
'email_domain_blocklist': {
'gmail.com',
'yahoo.com',
'aol.com',
'comcast.net',
'verizon.net',
'hotmail.com',
'cox.net',
'msn.com',
},
'enable_git_hooks': True,
'install_ssh_key': True,
'internal_token': vault.decrypt('encrypt$gAAAAABfPncYwCX-NdBr9LdxLyGqmjRJqhmwMnWsdZy6kVOWdKrScW78xaqbJ1tpL1J4qa2hcZ7TQj3l-2mkyJNJOenGzU3TsI-gYMj9vC4m8Bhur5zboxjD4dQXaJbD1WSyHJ9sPJYsWP3Gjg6I19xeq9xMlAI6xaS9vOfuoI8nZnnQPx1NjfQEj03Jxf8a0-3F20sfICst1xRa5K48bpq1PFkK_oRojg=='),
'lfs_secret_key': vault.decrypt('encrypt$gAAAAABfPnd1vgNDt86-91YhviQw8Z0djSp4f_tBt76klDv-ZcwxP1ryJzqJ7qnfaTe_6DYCfc82gEzvVDsyBlCoAkGpt1AI2_LCKetuSCnDPjtGvwdQl3A53lFEdG2UJl1uUiR7f8Vr'),
'oauth_secret_key': vault.decrypt('encrypt$gAAAAABfPnbfTISbldhS0WyxVKBHVVoOMcar7Kxmh1kkmiUGd-RzbbnNzzhEER_owjttPQcACPfGKZ6WklaSsXjLq8km4P6A9QmPbC06GmHbc91m0odCb1KiY7SZeUD35PiRiGSq50dz'),
'security_secret_key': vault.decrypt('encrypt$gAAAAABfPnc-R7pkDj4pQgHDb6pzlNYNJgiWdeBFsX7IsHSnCtNPbZxCdtSL8cHtQzVO1KbSxS7zCwssmgiR8Kj54Z-koD-FQbjpbKWoIPw8SsyeqBVlZhIeEzhw_1t7_7ZTvv1O8AePdNYel9JJb_TaAZ8Vx46ZfsEPy8zaaHrqOekHC6RAnB4='),
},
'icinga_options': {
'pretty_name': 'franzi.business',
},
'jenkins-ci': {
'install_ssh_key': True,
},
'miniflux': {
'domain': 'rss.franzi.business',
},
'nginx': {
'vhosts': {
'miniflux': {
'gitea': {'ssl': '_.franzi.business'},
'miniflux': {'ssl': '_.franzi.business'},
'franzi.business': {
'webroot': '/var/www/franzi.business/_site/',
'ssl': '_.franzi.business',
'locations': {
'/.well-known/matrix/client': {
'return': json_dumps({
'm.homeserver': {
'base_url': 'https://matrix.franzi.business',
},
'm.identity_server': {
'base_url': 'https://matrix.org',
},
'im.vector.riot.jitsi': {
'preferredDomain': 'meet.ffmuc.net',
},
}, sort_keys=True),
'additional_config': {
'default_type application/json',
'add_header Access-Control-Allow-Origin *',
},
},
'/.well-known/matrix/server': {
'return': json_dumps({
'm.server': 'matrix.franzi.business:443',
}, sort_keys=True),
'additional_config': {
'default_type application/json',
'add_header Access-Control-Allow-Origin *',
},
},
},
},
'unicornsden': {
'jenkins': {
'domain': 'jenkins.franzi.business',
'ssl': '_.franzi.business',
'locations': {
'/': {
'target': 'http://localhost:22010/',
},
},
'website_check_path': '/login',
'website_check_string': 'Welcome to Jenkins',
},
'unicornsden-redirect': {
'domain': 'unicornsden.franzi.business',
'ssl': '_.franzi.business',
'locations': {
'/': {
'redirect': 'https://map.unicornsden.com/',
},
},
},
'unicornsden': {
'domain': 'map.unicornsden.com',
'php': True,
'webroot_config': {
'owner': 'kunsi',
'group': 'kunsi',
'owner': 'jenkins',
'group': 'jenkins',
'mode': '0755',
},
},
@ -80,6 +175,19 @@ nodes['rx300'] = {
},
},
},
'php': {
'version': '8.0',
'packages': {
'gd',
'imap',
'intl',
'mbstring',
'opcache',
'pgsql',
'readline',
'xml',
},
},
'postgresql': {
'version': '13',
},