bw/htz-cloud.miniserver bump element-web version

README.md

@@ -6,4 +6,4 @@ May also include some dummy nodes, for example for deploying websites
 onto shared webhosting.
 
 `bw test` runs according to Jenkinsfile after every commit.
-[![Build Status](https://jenkins.kunsmann.eu/buildStatus/icon?job=bundlewrap%2Fmain)](https://jenkins.kunsmann.eu/job/bundlewrap/job/main/)
+[![Build Status](https://jenkins.franzi.business/buildStatus/icon?job=kunsi%2Fbundlewrap%2Fmain)](https://jenkins.franzi.business/job/kunsi/job/bundlewrap/job/main/)

bundles/check-mail-received/files/check_imap_for_mail_from

@@ -0,0 +1,70 @@
+#!/usr/bin/env python3
+
+from imaplib import IMAP4_SSL
+from subprocess import check_output
+from sys import argv, exit
+from time import time
+
+if len(argv) < 5:
+    print('Usage: {} <imap host> <username> <password> <message sender>'.format(argv[0]))
+    exit(3)
+
+NOW = time()
+
+try:
+    imap = IMAP4_SSL(argv[1])
+    imap.login(argv[2], argv[3])
+
+    imap.select('Inbox')
+
+    _, data = imap.search(None, 'ALL')
+
+    something_found = False
+
+    for item in data:
+        for index in item.split():
+            received_in_this_mail = None
+            from_in_this_mail = False
+
+            try:
+                message = imap.fetch(index, '(RFC822)')
+
+                message_text = bytearray()
+                for part in message[1][0]:
+                    message_text.extend(part)
+                message_text = message_text.decode().splitlines()
+
+                for line in message_text:
+                    lline = line.strip().lower()
+
+                    if lline.startswith('from:') and argv[4].lower() in line:
+                        from_in_this_mail = True
+
+                    if lline.startswith('date:'):
+                        date = line.strip()[5:].strip()
+                        unixtime = int(check_output([
+                            'date',
+                            '--date={}'.format(date),
+                            '+%s',
+                        ]).decode().strip())
+
+                        if unixtime > (NOW-(60*60*25)):
+                            received_in_this_mail = date
+
+                    if received_in_this_mail and from_in_this_mail:
+                        print('Found message from "{}" sent at "{}"'.format(argv[4], received_in_this_mail))
+                        received_in_this_mail = None
+                        from_in_this_mail = False
+                        something_found = True
+            except:
+                pass
+
+    if  something_found:
+        # there should be output above
+        exit(0)
+
+    print('No Mails found')
+    exit(2)
+except Exception as e:
+    print(repr(e))
+    exit(3)

bundles/check-mail-received/items.py

@@ -0,0 +1,5 @@
+files = {
+    '/usr/local/share/icinga/plugins/check_imap_for_mail_from': {
+        'mode': '0755',
+    },
+}

bundles/check-mail-received/metadata.py

@@ -0,0 +1,41 @@
+@metadata_reactor.provides(
+    'cron/check-mail-received',
+    'icinga2_api/check-mail-received/services',
+)
+def process_metadata(metadata):
+    cron = set()
+    services = {}
+
+    my_mail_address = 'root@{}'.format(metadata.get('hostname'))
+
+    for name, config in metadata.get('check-mail-received', {}).items():
+        cron.add('{minute} {hour} * * *    root    date | mail -s "daily test mail from {node}" -r {source} {target}'.format(
+            minute=node.magic_number%60,
+            hour=node.magic_number%24,
+            node=node.name,
+            source=my_mail_address,
+            target=config['email'],
+        ))
+
+        services[f'MAIL RECEIVED ON {name}'] = {
+            'command_on_monitored_host': repo.libs.faults.join_faults([
+                '/usr/local/share/icinga/plugins/check_imap_for_mail_from',
+                config['imap_host'],
+                config.get('imap_user', config['email']),
+                config['imap_pass'],
+                my_mail_address,
+            ]),
+            'check_interval': '15m',
+            'retry_interval': '5m',
+        }
+
+    return {
+        'cron': {
+            'check-mail-received': '\n'.join(sorted(cron)),
+        },
+        'icinga2_api': {
+            'check-mail-received': {
+                'services': services,
+            },
+        },
+    }

bundles/gitea/items.py

@@ -21,6 +21,11 @@ directories = {
         'owner': 'git',
         'group': 'git',
     },
+    '/home/git/.ssh': {
+        'mode': '0755',
+        'owner': 'git',
+        'group': 'git',
+    },
     '/var/lib/gitea': {
         'owner': 'git',
         'mode': '0700',

bundles/gitea/metadata.py

@@ -2,6 +2,7 @@ defaults = {
     'backups': {
         'paths': {
             '/home/git',
+            '/var/lib/gitea',
         },
     },
     'gitea': {
@@ -44,6 +45,23 @@ defaults = {
             },
         },
     },
+    'zfs': {
+        'datasets': {
+            'tank/gitea': {},
+            'tank/gitea/home': {
+                'mountpoint': '/home/git',
+                'needed_by': {
+                    'directory:/home/git',
+                },
+            },
+            'tank/gitea/var': {
+                'mountpoint': '/var/lib/gitea',
+                'needed_by': {
+                    'directory:/var/lib/gitea',
+                },
+            },
+        },
+    },
 }
 
 
@@ -57,7 +75,8 @@ def nginx(metadata):
     return {
         'nginx': {
             'vhosts': {
-                metadata.get('gitea/domain'): {
+                'gitea': {
+                    'domain': metadata.get('gitea/domain'),
                     'locations': {
                         '/': {
                             'target': 'http://127.0.0.1:22000',

bundles/grafana/dashboard-rows/cpu.py

@@ -9,6 +9,8 @@ def dashboard_row_cpu(panel_id, node):
         'iowait',
         'nice',
         'softirq',
+        'guest',
+        'guest_nice',
     ]:
         queries_cpu.append({
             'groupBy': [

bundles/jenkins-ci/files/ssh-config

@@ -0,0 +1,3 @@
+Host *
+    UserKnownHostsFile /dev/null
+    StrictHostKeyChecking no

bundles/jenkins-ci/items.py

@@ -1,14 +1,41 @@
+directories = {
+    '/var/lib/jenkins': {
+        'owner': 'jenkins',
+        'group': 'jenkins',
+        'needs': {
+            'pkg_apt:jenkins',
+        },
+    },
+    '/var/lib/jenkins/.ssh': {
+        'mode': '0755',
+        'owner': 'git',
+        'group': 'git',
+    },
+}
+
 files = {
     '/etc/default/jenkins': {
         'triggers': {
             'svc_systemd:jenkins:restart',
         },
     },
+    '/var/lib/jenkins/.ssh/config': {
+        'source': 'ssh-config',
+    },
 }
 
+if node.metadata.get('jenkins-ci/install_ssh_key', False):
+    files['/var/lib/jenkins/.ssh/id_ed25519'] = {
+        'content': repo.vault.decrypt_file(f'jenkins-ci/files/ssh-keys/{node.name}.key.vault'),
+        'mode': '0600',
+        'owner': 'jenkins',
+        'group': 'jenkins',
+    }
+
 svc_systemd = {
     'jenkins': {
         'needs': {
+            'directory:/var/lib/jenkins',
             'pkg_apt:jenkins',
         },
     },

bundles/jenkins-ci/metadata.py

@@ -21,4 +21,14 @@ defaults = {
             '/var/lib/jenkins',
         },
     },
+    'zfs': {
+        'datasets': {
+            'tank/jenkins': {
+                'mountpoint': '/var/lib/jenkins',
+                'needed_by': {
+                    'pkg_apt:jenkins',
+                },
+            },
+        },
+    },
 }

bundles/mx-puppet-discord/files/config.yaml

@@ -16,6 +16,12 @@ provisioning:
     - "${regex}"
 % endfor
 
+namePatterns:
+  user: ":name (Discord)"
+  userOverride: ":displayname (Discord)"
+  room: "#:name (Discord - :guild)"
+  group: ":name"
+
 database:
   connString: "postgres://${node.metadata['mx-puppet-discord']['database']['user']}:${node.metadata['mx-puppet-discord']['database']['password']}@${node.metadata['mx-puppet-discord']['database'].get('host', 'localhost')}/${node.metadata['mx-puppet-discord']['database']['database']}?sslmode=disable"
 

bundles/php/files/8.0/fpm.conf

@@ -0,0 +1,23 @@
+[global]
+pid=/run/php/php8.0-fpm.pid
+; We're using journal, put logs there
+error_log=/var/log/php8.0-fpm.log
+daemonize=yes
+
+; The one and only worker pool we have
+[www]
+user=www-data
+group=www-data
+listen=/run/php/php8.0-fpm.sock
+listen.owner=www-data
+listen.group=www-data
+listen.mode=0600
+
+; Process Manager Settings
+pm=dynamic
+pm.max_children=${num_cpus*4}
+pm.start_servers=${num_cpus}
+pm.max_spare_servers=${num_cpus*2}
+pm.min_spare_servers=${num_cpus}
+pm.process_idle_timeout=30s
+pm.max_requests=1024

bundles/php/files/8.0/php.ini

@@ -0,0 +1,99 @@
+[PHP]
+; Only needed for libapache2-mod-php?
+engine = On
+short_open_tag = Off
+precision = 14
+output_buffering = 4096
+zlib.output_compression = Off
+implicit_flush = Off
+serialize_precision = -1
+disable_functions = pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_get_handler,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,pcntl_async_signals
+ignore_user_abort = Off
+zend.enable_gc = On
+expose_php = Off
+
+max_execution_time = 30
+max_input_time = 60
+memory_limit = 256M
+
+error_reporting = E_ALL & ~E_DEPRECATED & ~E_STRICT
+display_startup_errors = Off
+log_errors = On
+log_errors_max_len = 1024
+ignore_repeated_errors = Off
+ignore_repeated_source = Off
+report_memleaks = On
+html_errors = On
+error_log = syslog
+syslog.ident = php7.4
+syslog.filter = ascii
+
+arg_separator.output = "&"
+variables_order = "GPCS"
+request_order = "GP"
+register_argc_argv = Off
+auto_globals_jit = On
+post_max_size = ${post_max_size}M
+default_mimetype = "text/html"
+default_charset = "UTF-8"
+
+enable_dl = Off
+file_uploads = On
+upload_max_filesize = ${post_max_size}M
+max_file_uploads = 20
+
+allow_url_fopen = On
+allow_url_include = Off
+default_socket_timeout = 10
+
+[CLI Server]
+cli_server.color = On
+
+[mail function]
+mail.add_x_header = Off
+
+[ODBC]
+odbc.allow_persistent = On
+odbc.check_persistent = On
+odbc.max_persistent = -1
+odbc.max_links = -1
+odbc.defaultlrl = 4096
+odbc.defaultbinmode = 1
+
+[PostgreSQL]
+pgsql.allow_persistent = On
+pgsql.auto_reset_persistent = Off
+pgsql.max_persistent = -1
+pgsql.max_links = -1
+pgsql.ignore_notice = 0
+pgsql.log_notice = 0
+
+[bcmath]
+bcmath.scale = 0
+
+[Session]
+session.save_handler = files
+session.use_strict_mode = 0
+session.use_cookies = 1
+session.use_only_cookies = 1
+session.name = PHPSESSID
+session.auto_start = 0
+session.cookie_lifetime = 0
+session.cookie_path = /
+session.cookie_domain =
+session.cookie_httponly =
+session.cookie_samesite =
+session.serialize_handler = php
+session.gc_probability = 1
+session.gc_divisor = 1000
+session.gc_maxlifetime = 1440
+session.referer_check =
+session.cache_limiter = nocache
+session.cache_expire = 180
+session.use_trans_sid = 0
+session.sid_length = 32
+session.trans_sid_tags = "a=href,area=href,frame=src,form="
+session.sid_bits_per_character = 6
+
+[Assertion]
+zend.assertions = -1

bundles/postfix/files/arch-override.conf

@@ -0,0 +1,6 @@
+[Service]
+# arch postfix is not set up for chrooting by default
+ExecStartPre=-/usr/sbin/mkdir -p /var/spool/postfix/etc
+% for file in ['/etc/localtime', '/etc/nsswitch.conf', '/etc/resolv.conf', '/etc/services']:
+ExecStartPre=-/usr/sbin/cp -p ${file} /var/spool/postfix${file}
+% endfor

bundles/postfix/items.py

@@ -21,7 +21,7 @@ for identifier in node.metadata.get('postfix/mynetworks', set()):
             netmask = '128'
         mynetworks.add(f'[{ip6}]/{netmask}')
 
-my_package = 'pkg_pacman:postfix' if node.has_bundle('pacman') else 'pkg_apt:postfix'
+my_package = 'pkg_pacman:postfix' if node.os == 'arch' else 'pkg_apt:postfix'
 
 files = {
     '/etc/mailname': {
@@ -86,3 +86,13 @@ svc_systemd = {
         },
     },
 }
+
+if node.os == 'arch':
+    files['/etc/systemd/system/postfix.service.d/bundlewrap.conf'] = {
+        'source': 'arch-override.conf',
+        'content_type': 'mako',
+        'triggers': {
+            'action:systemd-reload',
+            'svc_systemd:postfix:restart',
+        },
+    }

bundles/postfix/metadata.py

@@ -25,6 +25,7 @@ defaults = {
     'pacman': {
         'packages': {
             'postfix': {},
+            's-nail': {},
         },
     },
 }

bundles/simple-icinga-dashboard/items.py

@@ -34,7 +34,7 @@ directories = {
 
 git_deploy = {
     '/opt/simple-icinga-dashboard/src': {
-        'repo': 'https://git.kunsmann.eu/sophie/simple-icinga-dashboard.git',
+        'repo': 'https://git.franzi.business/sophie/simple-icinga-dashboard.git',
         'rev': 'main',
         'triggers': {
             'action:simple-icinga-dashboard_install_requirements',

data/jenkins-ci/files/ssh-keys/rx300.key.vault

@@ -0,0 +1 @@
+encrypt$gAAAAABg6vNNuCZcmhH52dQDiD4ePsbXhz0kHSjqX3yduJ6E5NylWEdKNtjtrfc9bu1WNnDBO0YpsqxIeax2u1xc6gstohVfbu2MgwGJKpA7J5Py6xiQL82YKJcwV7k0EZ7ilWbqlzXuSDh40KG3GWOTPiw_CbsbDEpCU09x1hUs1_0BTPAU6ln4t7ync7ZjFZf_vRBTlrnZWchzXoSwppzedAZeaptfhMWn_-8oARoYvxJf3pkmTSGjovNMvDak_sscq_M2rldng6_oboR4iTo_6eY6bpCjEGD3xMeSzLhDZsJ4c0l9bZBDef-NRWA7Ewptc4KYKVvzKlgyrByqSV8TCmYn4aBgOusv-VAW3VqKg2rHi3nq5L50zkPwWmHC6_rdtIS-pAlnR5A0HJYdXGyf2eQSq3UkrZA3BIFlqUWrvS8aTWxp9CUL5C9oRGpL8P3fVfExiqhmcLGamHZb1Y2kjxX8EMcSCRLgiVO9DwIpXlEm86HfgVcXaL0wpibM32PD0sspOPILThE5P9WETGhpFAWDkWR0WaYQjZuAVlXTtk8tgdh0vC2auQl2pEVbvvnZaa04Ohp2QgE3AJLg3tdekLciwCQmPm0bpX8xYvJ49vNWG-SCaAlLHzLVIMFXFY53-SBOHYnE

data/jenkins-ci/files/ssh-keys/rx300.pub

@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHZnYhsdtGUYJiFcvfqTLljGkInnFTOoDF/WZniLtPjH

data/powerdns/files/bind-zones/franzi.business

@@ -2,8 +2,9 @@ ${header}
 
 $ORIGIN franzi.business.
 
-@               IN  A       94.130.52.224
+; ends up on rx300.kunbox.net
-                IN  AAAA    2a01:4f8:10b:2a5f::2
+@               IN  A       31.47.232.106
+                IN  AAAA    2a00:f820:528::2
                 IN  MX      10 mx0.kunbox.net.
                 IN  TXT     "v=spf1 mx ~all"
 
@@ -13,6 +14,9 @@ chat            IN  AAAA    2a01:4f8:10b:2a5f::2
 dimension       IN  A       94.130.52.224
 dimension       IN  AAAA    2a01:4f8:10b:2a5f::2
 
+git             IN  CNAME   rx300.kunbox.net.
+jenkins         IN  CNAME   rx300.kunbox.net.
+
 matrix          IN  A       94.130.52.224
 matrix          IN  AAAA    2a01:4f8:10b:2a5f::2
 
@@ -24,7 +28,6 @@ sewfile         IN  CNAME   sewfile.htz-cloud.kunbox.net.
 
 rss             IN  CNAME   rx300.kunbox.net.
 status          IN  CNAME   icinga2.ovh.kunbox.net.
-
 travelynx       IN  CNAME   rx300.kunbox.net.
 unicornsden     IN  CNAME   rx300.kunbox.net.
 

data/powerdns/files/bind-zones/kunsmann.eu

@@ -10,17 +10,11 @@ $ORIGIN kunsmann.eu.
 dav             IN  A       94.130.52.224
 dav             IN  AAAA    2a01:4f8:10b:2a5f::2
 
-git             IN  A       94.130.52.224
-git             IN  AAAA    2a01:4f8:10b:2a5f::2
-
 grafana                 IN  CNAME   influxdb.htz-cloud.kunbox.net.
 icinga                  IN  CNAME   icinga2.ovh.kunbox.net.
 influxdb                IN  CNAME   influxdb.htz-cloud.kunbox.net.
 statusmonitor.icinga    IN  CNAME   icinga2.ovh.kunbox.net.
 
-jenkins         IN  A       94.130.52.224
-jenkins         IN  AAAA    2a01:4f8:10b:2a5f::2
-
 mta-sts         IN  A       94.130.52.224
 mta-sts         IN  AAAA    2a01:4f8:10b:2a5f::2
 
@@ -29,8 +23,8 @@ luther-ps               IN  CNAME   luther.htz-cloud.kunbox.net.
 paste           IN  A       94.130.52.224
 paste           IN  AAAA    2a01:4f8:10b:2a5f::2
 
-rss             IN  A       94.130.52.224
+; legacy, for redirect
-rss             IN  AAAA    2a01:4f8:10b:2a5f::2
+git             IN  CNAME   ex42-1048908.htz.kunbox.net.
 
 _dmarc                  IN  TXT     "v=DMARC1; p=quarantine; rua=mailto:postmaster@kunsmann.eu; ruf=mailto:postmaster@kunsmann.eu; fo=0:d:s; adkim=r; aspf=r"
 _mta-sts                IN  TXT     "v=STSv1;id=20201111;"

data/travelynx/files/imprint/rx300

@@ -9,7 +9,7 @@
     <div class="col s12">
         <h1>Datenschutz</h1>
         <h2>Logdateien des Webservers</h2>
-        <p>Der Webserver fertigt keine Logdateien an. Interessierte können sich <a href="https://git.kunsmann.eu/kunsi/bundlewrap/src/branch/main/bundles/nginx/files/site_template">in meinem Gitea die aktuelle nginx-Konfiguration des Servers ansehen</a>.</p>
+        <p>Der Webserver fertigt keine Logdateien an. Interessierte können sich <a href="https://git.franzi.business/kunsi/bundlewrap/src/branch/main/bundles/nginx/files/site_template">in meinem Gitea die aktuelle nginx-Konfiguration des Servers ansehen</a>.</p>
 
         <h2>Account-spezifische Daten</h2>
 

libs/faults.py

@@ -1,6 +1,39 @@
 from json import loads, dumps
 
 from bundlewrap.metadata import metadata_to_json
+from bundlewrap.utils import Fault
+
 
 def resolve_faults(dictionary: dict) -> dict:
     return loads(metadata_to_json(dictionary))
+
+
+def ensure_fault_or_none(maybe_fault):
+    if maybe_fault is None or isinstance(maybe_fault, Fault):
+        return maybe_fault
+
+    return Fault(maybe_fault, lambda f: f, f=maybe_fault)
+
+
+def join_faults(faults, by=' '):
+    result = []
+    id_list = []
+
+    for item in faults:
+        result.append(ensure_fault_or_none(item))
+
+        if isinstance(item, Fault):
+            id_list += item.id_list
+        else:
+            id_list.append(item)
+
+    id_list += [
+        'joined_by',
+        by,
+    ]
+
+    return Fault(
+        id_list,
+        lambda o: by.join([i.value for i in o]),
+        o=result,
+    )

nodes/aurto.py

@@ -2,6 +2,7 @@ nodes['aurto'] = {
     'hostname': '31.47.232.107',
     'bundles': {
         'backup-client',
+        'check-mail-received',
     },
     'groups': {
         'arch',
@@ -18,6 +19,13 @@ nodes['aurto'] = {
                 '/var/cache/pacman/aurto',
             },
         },
+        'check-mail-received': {
+            't-online': {
+                'email': 'franzi.kunsmann@t-online.de',
+                'imap_host': 'secureimap.t-online.de',
+                'imap_pass': bwpass.attr('t-online.de/franzi.kunsmann@t-online.de', 'imap'),
+            },
+        },
         'interfaces': {
             'enp1s0': {
                 'ips': {
@@ -55,6 +63,9 @@ nodes['aurto'] = {
                     # kunsi
                     'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICYst1HK+gJYhNxzqJGnz4iB73pa89Xz2yH+8wufOcsA',
                     'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC+ja1z5VRQzaKCCePsUM14qMr9QR94qlWc7Je5Poki9UmC1t/TyxRVzcCBL1ZdIfBGx6QKtfkEbvhgb3nxVt3PvXjoJrc6wwGLmNrVsU6B88y35g7nzupQiPKYJwkNzJ9j6Dmkgj1F5Q+aY2SitDaX6vqICLJ4Al/ZFw2IQxVJfC7JXRJ9jRMG5o9gWoE3gWDYEAmw+HU2mNzyeuaD12qJw9DHUimAlgkOWzll3gh9WclsYnnXGrCCn5fyHFUCJl+XXAIy519z7YTpKih02rsIOw5dnaGClBZD/YQu2ZKVFZiwIVH7aBiqHOmtgRyWTQgjbh/fMpIN0ar2f/iZsWYUjd6et48TOmXZYIPCQ5FivXNvxt9oo1XZfq76UHBwlmypLJIWROMbz375n2M6hr3hECuxuPjKEUXAv05KiC1aJ4xc6pFoVhqwAR99hvHw5U4o7/ko2NVjNpTu6Jr5DT5VaQLIdDDjC/93kUjMpdD/8P72bEn7454+WexU6OE6uvNiHj1fetrptr2UAuzVfnCoaV8pBqY7X95gk+lnSENdpr8ltJYMg8s0Z7Pzz0OxsZtzzDY5VmWfC9TCdJkN5lT8IbnaixsYlWdjQl1lMmZGElmelfU3K7YQLAbZiHmHKe4hTl9ZoCcWdTQ3d4y2t1DBos+N2HZNdtFCyOS8esDdMw== cardno:000609506971',
+                    # n0emis
+                    'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEcOPtW5FWNIdlMQFoqeyA1vHw+cA8ft8oXSbXPzQNL9 n0emis@n0emis.eu',
+                    'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC8xqVakxJ+AwcIrS/wyL03N++pE09epwMFlIMXWvlpwwEp1J/0H7nygwxk/9LIZdabs/ETWn0s8oHAkc7YR1c6ajSTCDiZEYATAWt7t8t4Gw/80c8u8T50lIqmiDEEVbOVv3Vta/pAN4hAUp9U5DpYCkQbvF+NKKcK3Yp8d9usNC6ohqgTK+IGAEdMhvpbbNppDMXoWHuynBzUX7TS6ST6yEr0tD+CBbCpbfcMuwTI3lNtfywEVpuFaeHqDZx2QDrEX4bg0dRKgQstbXYdqmBfnOiBpUr8Wyl8U1J24rN+E07pBw/8KDGWbVg19/Ex8o4ht/p5voUfKVjD/DwWXTLntBirjfAgQAm4GH/qP4x3zNiTtlYlQFbXSk6VEVrTrxCB5rTWvGnhg31tk5P3YwvagDmGABazY5s/8tlttSc1yWBctWQJCjxSqcCLekxG4D1rVuGKCKOZgflQ9QFdQlKycInPBek3zi0i3GYkE1YnNFye5ggOnxT8qGuKjfdtZI9qvMJQO8lbEDzbYQvNns1V/k4ZobiihYwrG5TJUzZFEpMYetDK6tI8BRU11d+ja0jWzguj5/7wc0nrr/BiZ8FkAr2fZ60j2aI5kG0s3qjbrQbB/RXaGP9hRU0+480+IokNJJIcjv5iwH5ophdrjC8GH4So2kPPt0NXob1yNysdjw== simeon@noemis.me (OLD)',
                 },
             },
             'kunsi': {

nodes/htz-cloud/pirmasens.py

@@ -1,5 +1,6 @@
 nodes['htz-cloud.pirmasens'] = {
     'bundles': {
+        'check-mail-received',
         'dovecot',
         'php',
         'postfixadmin',
@@ -23,6 +24,13 @@ nodes['htz-cloud.pirmasens'] = {
                 'gateway6': 'fe80::1',
             },
         },
+        'check-mail-received': {
+            't-online': {
+                'email': 'franzi.kunsmann@t-online.de',
+                'imap_host': 'secureimap.t-online.de',
+                'imap_pass': bwpass.attr('t-online.de/franzi.kunsmann@t-online.de', 'imap'),
+            },
+        },
         'icinga_options': {
             'pretty_name': 'kunsmann.info',
         },

nodes/htz/ex42-1048908.py

@@ -1,9 +1,10 @@
 nodes['htz.ex42-1048908'] = {
     'bundles': {
+        'check-mail-received',
         'dovecot',
         'element-web',
-        'gitea',
+#        'gitea',
-        'jenkins-ci',
+#        'jenkins-ci',
         'lm-sensors',
         'matrix-media-repo',
         'matrix-synapse',
@@ -86,8 +87,12 @@ nodes['htz.ex42-1048908'] = {
                 '/opt/matrix/matrix-dimension',
             },
         },
-        'cron': {
+        'check-mail-received': {
-            'telekom_nervkram': vault.decrypt('encrypt$gAAAAABfqXi23M96wrSLhqlbhqgePYX06LjPXfyQU2y_07kqYYLztj_PhS1-dk4r5FiiL2Ofmx5iCKW1sZNqiQSuHj2uKaitH0GnwHqj5CI2JwkAS9HrFxw=').format_into('0 0 * * *    root    date | mail -s \'daily test mail \' -r postmaster@mx0.kunbox.net {}'),
+            't-online': {
+                'email': 'franzi.kunsmann@t-online.de',
+                'imap_host': 'secureimap.t-online.de',
+                'imap_pass': bwpass.attr('t-online.de/franzi.kunsmann@t-online.de', 'imap'),
+            },
         },
         'element-web': {
             'url': 'chat.franzi.business',
@@ -113,27 +118,27 @@ nodes['htz.ex42-1048908'] = {
                 },
             },
         },
-        'gitea': {
+#        'gitea': {
-            'version': '1.14.3',
+#            'version': '1.14.3',
-            'sha256': '50c25c094ae109f49e276cd00ddc48a0a240b7670e487ae1286cc116d4cdbcf2',
+#            'sha256': '50c25c094ae109f49e276cd00ddc48a0a240b7670e487ae1286cc116d4cdbcf2',
-            'domain': 'git.kunsmann.eu',
+#            'domain': 'git.kunsmann.eu',
-            'email_domain_blocklist': {
+#            'email_domain_blocklist': {
-                'gmail.com',
+#                'gmail.com',
-                'yahoo.com',
+#                'yahoo.com',
-                'aol.com',
+#                'aol.com',
-                'comcast.net',
+#                'comcast.net',
-                'verizon.net',
+#                'verizon.net',
-                'hotmail.com',
+#                'hotmail.com',
-                'cox.net',
+#                'cox.net',
-                'msn.com',
+#                'msn.com',
-            },
+#            },
-            'enable_git_hooks': True,
+#            'enable_git_hooks': True,
-            'install_ssh_key': True,
+#            'install_ssh_key': True,
-            'internal_token': vault.decrypt('encrypt$gAAAAABfPncYwCX-NdBr9LdxLyGqmjRJqhmwMnWsdZy6kVOWdKrScW78xaqbJ1tpL1J4qa2hcZ7TQj3l-2mkyJNJOenGzU3TsI-gYMj9vC4m8Bhur5zboxjD4dQXaJbD1WSyHJ9sPJYsWP3Gjg6I19xeq9xMlAI6xaS9vOfuoI8nZnnQPx1NjfQEj03Jxf8a0-3F20sfICst1xRa5K48bpq1PFkK_oRojg=='),
+#            'internal_token': vault.decrypt('encrypt$gAAAAABfPncYwCX-NdBr9LdxLyGqmjRJqhmwMnWsdZy6kVOWdKrScW78xaqbJ1tpL1J4qa2hcZ7TQj3l-2mkyJNJOenGzU3TsI-gYMj9vC4m8Bhur5zboxjD4dQXaJbD1WSyHJ9sPJYsWP3Gjg6I19xeq9xMlAI6xaS9vOfuoI8nZnnQPx1NjfQEj03Jxf8a0-3F20sfICst1xRa5K48bpq1PFkK_oRojg=='),
-            'lfs_secret_key': vault.decrypt('encrypt$gAAAAABfPnd1vgNDt86-91YhviQw8Z0djSp4f_tBt76klDv-ZcwxP1ryJzqJ7qnfaTe_6DYCfc82gEzvVDsyBlCoAkGpt1AI2_LCKetuSCnDPjtGvwdQl3A53lFEdG2UJl1uUiR7f8Vr'),
+#            'lfs_secret_key': vault.decrypt('encrypt$gAAAAABfPnd1vgNDt86-91YhviQw8Z0djSp4f_tBt76klDv-ZcwxP1ryJzqJ7qnfaTe_6DYCfc82gEzvVDsyBlCoAkGpt1AI2_LCKetuSCnDPjtGvwdQl3A53lFEdG2UJl1uUiR7f8Vr'),
-            'oauth_secret_key': vault.decrypt('encrypt$gAAAAABfPnbfTISbldhS0WyxVKBHVVoOMcar7Kxmh1kkmiUGd-RzbbnNzzhEER_owjttPQcACPfGKZ6WklaSsXjLq8km4P6A9QmPbC06GmHbc91m0odCb1KiY7SZeUD35PiRiGSq50dz'),
+#            'oauth_secret_key': vault.decrypt('encrypt$gAAAAABfPnbfTISbldhS0WyxVKBHVVoOMcar7Kxmh1kkmiUGd-RzbbnNzzhEER_owjttPQcACPfGKZ6WklaSsXjLq8km4P6A9QmPbC06GmHbc91m0odCb1KiY7SZeUD35PiRiGSq50dz'),
-            'security_secret_key': vault.decrypt('encrypt$gAAAAABfPnc-R7pkDj4pQgHDb6pzlNYNJgiWdeBFsX7IsHSnCtNPbZxCdtSL8cHtQzVO1KbSxS7zCwssmgiR8Kj54Z-koD-FQbjpbKWoIPw8SsyeqBVlZhIeEzhw_1t7_7ZTvv1O8AePdNYel9JJb_TaAZ8Vx46ZfsEPy8zaaHrqOekHC6RAnB4='),
+#            'security_secret_key': vault.decrypt('encrypt$gAAAAABfPnc-R7pkDj4pQgHDb6pzlNYNJgiWdeBFsX7IsHSnCtNPbZxCdtSL8cHtQzVO1KbSxS7zCwssmgiR8Kj54Z-koD-FQbjpbKWoIPw8SsyeqBVlZhIeEzhw_1t7_7ZTvv1O8AePdNYel9JJb_TaAZ8Vx46ZfsEPy8zaaHrqOekHC6RAnB4='),
-        },
+#        },
         'icinga_options': {
             'pretty_name': 'kunsmann.eu',
         },
@@ -295,46 +300,53 @@ nodes['htz.ex42-1048908'] = {
                         },
                     },
                 },
-                'franzi.business': {
+#                'franzi.business': {
-                    'webroot': '/var/www/franzi.business/_site/',
+#                    'webroot': '/var/www/franzi.business/_site/',
-                    'locations': {
+#                    'locations': {
-                        '/.well-known/matrix/client': {
+#                        '/.well-known/matrix/client': {
-                            'return': json_dumps({
+#                            'return': json_dumps({
-                                'm.homeserver': {
+#                                'm.homeserver': {
-                                    'base_url': 'https://matrix.franzi.business',
+#                                    'base_url': 'https://matrix.franzi.business',
-                                },
+#                                },
-                                'm.identity_server': {
+#                                'm.identity_server': {
-                                    'base_url': 'https://matrix.org',
+#                                    'base_url': 'https://matrix.org',
-                                },
+#                                },
-                                'im.vector.riot.jitsi': {
+#                                'im.vector.riot.jitsi': {
-                                    'preferredDomain': 'meet.ffmuc.net',
+#                                    'preferredDomain': 'meet.ffmuc.net',
-                                },
+#                                },
-                            }, sort_keys=True),
+#                            }, sort_keys=True),
-                            'additional_config': {
+#                            'additional_config': {
-                                'default_type application/json',
+#                                'default_type application/json',
-                                'add_header Access-Control-Allow-Origin *',
+#                                'add_header Access-Control-Allow-Origin *',
-                            },
+#                            },
-                        },
+#                        },
-                        '/.well-known/matrix/server': {
+#                        '/.well-known/matrix/server': {
-                            'return': json_dumps({
+#                            'return': json_dumps({
-                                'm.server':  'https://matrix.franzi.business',
+#                                'm.server':  'matrix.franzi.business:443',
-                            }, sort_keys=True),
+#                            }, sort_keys=True),
-                            'additional_config': {
+#                            'additional_config': {
-                                'default_type application/json',
+#                                'default_type application/json',
-                                'add_header Access-Control-Allow-Origin *',
+#                                'add_header Access-Control-Allow-Origin *',
-                            },
+#                            },
-                        },
+#                        },
-                    },
+#                    },
-                },
+#                },
-                'jenkins.kunsmann.eu': {
+                'git.kunsmann.eu': {
                     'locations': {
                         '/': {
-                            'target': 'http://localhost:22010/',
+                            'redirect': 'https://git.franzi.business$request_uri',
                         },
                     },
-                    'website_check_path': '/login',
-                    'website_check_string': 'Welcome to Jenkins',
                 },
+#                'jenkins.kunsmann.eu': {
+#                    'locations': {
+#                        '/': {
+#                            'target': 'http://localhost:22010/',
+#                        },
+#                    },
+#                    'website_check_path': '/login',
+#                    'website_check_string': 'Welcome to Jenkins',
+#                },
                 'kunbox.net': {},
                 'kunsmann.eu': {
                     'locations': {
@@ -384,7 +396,7 @@ nodes['htz.ex42-1048908'] = {
                         },
                         '/.well-known/matrix/server': {
                             'return': json_dumps({
-                                'm.server':  'https://matrix.franzi.business',
+                                'm.server':  'matrix.franzi.business:443',
                             }, sort_keys=True),
                             'additional_config': {
                                 'default_type application/json',

nodes/rx300.py

@@ -7,8 +7,12 @@
 nodes['rx300'] = {
     'hostname': '31.47.232.106',
     'bundles': {
+        'check-mail-received',
+        'gitea',
+        'jenkins-ci',
         'lm-sensors',
         'miniflux',
+        'php',
         'postgresql',
         'smartd',
         'travelynx',
@@ -33,6 +37,15 @@ nodes['rx300'] = {
         'apt': {
             'packages': {
                 'ipmitool': {},
+
+                # for franzi.business deployment
+                'ruby': {},
+                'ruby-dev': {},
+                'ruby-bundler': {},
+
+                # more php
+                'php-imagick': {},
+                'php-yaml': {},
             },
             # XXX remove this once nginx.org has packages for debian bullseye
             'repos': {
@@ -43,23 +56,105 @@ nodes['rx300'] = {
                 },
             },
         },
+        'check-mail-received': {
+            't-online': {
+                'email': 'franzi.kunsmann@t-online.de',
+                'imap_host': 'secureimap.t-online.de',
+                'imap_pass': bwpass.attr('t-online.de/franzi.kunsmann@t-online.de', 'imap'),
+            },
+        },
+        'gitea': {
+            'version': '1.14.4',
+            'sha256': 'e1ce2fadcf6561cb2543b44b9f1382d6ce4be29ed8edd6d9d7080a218aa114b0',
+            'domain': 'git.franzi.business',
+            'email_domain_blocklist': {
+                'gmail.com',
+                'yahoo.com',
+                'aol.com',
+                'comcast.net',
+                'verizon.net',
+                'hotmail.com',
+                'cox.net',
+                'msn.com',
+            },
+            'enable_git_hooks': True,
+            'install_ssh_key': True,
+            'internal_token': vault.decrypt('encrypt$gAAAAABfPncYwCX-NdBr9LdxLyGqmjRJqhmwMnWsdZy6kVOWdKrScW78xaqbJ1tpL1J4qa2hcZ7TQj3l-2mkyJNJOenGzU3TsI-gYMj9vC4m8Bhur5zboxjD4dQXaJbD1WSyHJ9sPJYsWP3Gjg6I19xeq9xMlAI6xaS9vOfuoI8nZnnQPx1NjfQEj03Jxf8a0-3F20sfICst1xRa5K48bpq1PFkK_oRojg=='),
+            'lfs_secret_key': vault.decrypt('encrypt$gAAAAABfPnd1vgNDt86-91YhviQw8Z0djSp4f_tBt76klDv-ZcwxP1ryJzqJ7qnfaTe_6DYCfc82gEzvVDsyBlCoAkGpt1AI2_LCKetuSCnDPjtGvwdQl3A53lFEdG2UJl1uUiR7f8Vr'),
+            'oauth_secret_key': vault.decrypt('encrypt$gAAAAABfPnbfTISbldhS0WyxVKBHVVoOMcar7Kxmh1kkmiUGd-RzbbnNzzhEER_owjttPQcACPfGKZ6WklaSsXjLq8km4P6A9QmPbC06GmHbc91m0odCb1KiY7SZeUD35PiRiGSq50dz'),
+            'security_secret_key': vault.decrypt('encrypt$gAAAAABfPnc-R7pkDj4pQgHDb6pzlNYNJgiWdeBFsX7IsHSnCtNPbZxCdtSL8cHtQzVO1KbSxS7zCwssmgiR8Kj54Z-koD-FQbjpbKWoIPw8SsyeqBVlZhIeEzhw_1t7_7ZTvv1O8AePdNYel9JJb_TaAZ8Vx46ZfsEPy8zaaHrqOekHC6RAnB4='),
+        },
         'icinga_options': {
             'pretty_name': 'franzi.business',
         },
+        'jenkins-ci': {
+            'install_ssh_key': True,
+        },
         'miniflux': {
             'domain': 'rss.franzi.business',
         },
         'nginx': {
             'vhosts': {
-                'miniflux': {
+                'gitea': {'ssl': '_.franzi.business'},
+                'miniflux': {'ssl': '_.franzi.business'},
+                'franzi.business': {
+                    'webroot': '/var/www/franzi.business/_site/',
                     'ssl': '_.franzi.business',
+                    'locations': {
+                        '/.well-known/matrix/client': {
+                            'return': json_dumps({
+                                'm.homeserver': {
+                                    'base_url': 'https://matrix.franzi.business',
+                                },
+                                'm.identity_server': {
+                                    'base_url': 'https://matrix.org',
+                                },
+                                'im.vector.riot.jitsi': {
+                                    'preferredDomain': 'meet.ffmuc.net',
+                                },
+                            }, sort_keys=True),
+                            'additional_config': {
+                                'default_type application/json',
+                                'add_header Access-Control-Allow-Origin *',
+                            },
+                        },
+                        '/.well-known/matrix/server': {
+                            'return': json_dumps({
+                                'm.server':  'matrix.franzi.business:443',
+                            }, sort_keys=True),
+                            'additional_config': {
+                                'default_type application/json',
+                                'add_header Access-Control-Allow-Origin *',
+                            },
+                        },
+                    },
                 },
-                'unicornsden': {
+                'jenkins': {
+                    'domain': 'jenkins.franzi.business',
+                    'ssl': '_.franzi.business',
+                    'locations': {
+                        '/': {
+                            'target': 'http://localhost:22010/',
+                        },
+                    },
+                    'website_check_path': '/login',
+                    'website_check_string': 'Welcome to Jenkins',
+                },
+                'unicornsden-redirect': {
                     'domain': 'unicornsden.franzi.business',
                     'ssl': '_.franzi.business',
+                    'locations': {
+                        '/': {
+                            'redirect': 'https://map.unicornsden.com/',
+                        },
+                    },
+                },
+                'unicornsden': {
+                    'domain': 'map.unicornsden.com',
+                    'php': True,
                     'webroot_config': {
-                        'owner': 'kunsi',
+                        'owner': 'jenkins',
-                        'group': 'kunsi',
+                        'group': 'jenkins',
                         'mode': '0755',
                     },
                 },
@@ -80,6 +175,19 @@ nodes['rx300'] = {
                 },
             },
         },
+        'php': {
+            'version': '8.0',
+            'packages': {
+                'gd',
+                'imap',
+                'intl',
+                'mbstring',
+                'opcache',
+                'pgsql',
+                'readline',
+                'xml',
+            },
+        },
         'postgresql': {
             'version': '13',
         },