From 4f75c95c203373b6fe5ae14aeba96baa2373ed85 Mon Sep 17 00:00:00 2001
From: Franziska Kunsmann
Date: Thu, 22 Dec 2022 13:05:11 +0100
Subject: [PATCH 001/996] add scripts/netbox-dump
---
 .editorconfig | 3 +
 netbox_dump.json | 1308 +++++++++++++++++++++++++++++++++++++++++++
 requirements.txt | 1 +
 scripts/netbox-dump | 117 ++++
 4 files changed, 1429 insertions(+)
 create mode 100644 netbox_dump.json
 create mode 100755 scripts/netbox-dump
diff --git a/.editorconfig b/.editorconfig
index e09c9dd..b632cc1 100644
--- a/.editorconfig
+++ b/.editorconfig
@@ -22,3 +22,6 @@ indent_size = unset
 [*.vault]
 end_of_line = unset
 insert_final_newline = unset
+
+[*.json]
+insert_final_newline = unset
diff --git a/netbox_dump.json b/netbox_dump.json
new file mode 100644
index 0000000..30eb1e7
--- /dev/null
+++ b/netbox_dump.json
@@ -0,0 +1,1308 @@ +{ + "home": { + "devices": { + "home.nas": { + "bond0": { + "description": "", + "enabled": true, + "ip_addresses": [], + "lag": null, + "mode": null, + "type": "lag", + "vlans": { + "tagged": [], + "untagged": null + } + }, + "br0": { + "description": "", + "enabled": true, + "ip_addresses": [ + "172.19.138.20/24" + ], + "lag": null, + "mode": "tagged-all", + "type": "bridge", + "vlans": { + "tagged": [], + "untagged": null + } + }, + "br42": { + "description": "", + "enabled": true, + "ip_addresses": [], + "lag": null, + "mode": "access", + "type": "bridge", + "vlans": { + "tagged": [], + "untagged": "home.clients" + } + }, + "eno1": { + "description": "", + "enabled": true, + "ip_addresses": [], + "lag": null, + "mode": null, + "type": "1000base-t", + "vlans": { + "tagged": [], + "untagged": null + } + }, + "enp8s0f0": { + "description": "home.sw01 (41)", + "enabled": true, + "ip_addresses": [], + "lag": "bond0", + "mode": null, + "type": "1000base-t", + "vlans": { + "tagged": [], + "untagged": null + } + }, + "enp8s0f1": { + "description": "home.sw01 (43)", + "enabled": true, + "ip_addresses": [], + "lag": "bond0", + "mode": null, + "type": "1000base-t", + "vlans": { + "tagged": [], + "untagged": null + } + }, + "enp9s0f0": { + "description": "home.sw01 (45)", + "enabled": true, + "ip_addresses": [], + "lag": "bond0", + "mode": null, + "type": "1000base-t", + "vlans": { + "tagged": [], + "untagged": null + } + }, + "enp9s0f1": { + "description": "home.sw01 (47)", + "enabled": true, + "ip_addresses": [], + "lag": "bond0", + "mode": null, + "type": "1000base-t", + "vlans": { + "tagged": [], + "untagged": null + } + } + }, + "home.router": { + "enp1s0": { + "description": "home.sw01 (2)", + "enabled": true, + "ip_addresses": [], + "lag": null, + "mode": null, + "type": "1000base-t", + "vlans": { + "tagged": [], + "untagged": null + } + }, + "enp1s0.100": { + "description": "", + "enabled": true, + "ip_addresses": [], + "lag": null, + "mode": 
null, + "type": "virtual", + "vlans": { + "tagged": [], + "untagged": null + } + }, + "enp1s0.23": { + "description": "", + "enabled": true, + "ip_addresses": [ + "172.19.139.1/24" + ], + "lag": null, + "mode": null, + "type": "virtual", + "vlans": { + "tagged": [], + "untagged": null + } + }, + "enp1s0.42": { + "description": "", + "enabled": true, + "ip_addresses": [ + "172.19.138.1/24" + ], + "lag": null, + "mode": null, + "type": "virtual", + "vlans": { + "tagged": [], + "untagged": null + } + } + }, + "home.sw01": { + "1": { + "description": "Isanet", + "enabled": true, + "ip_addresses": [], + "lag": null, + "mode": "access", + "type": "1000base-t", + "vlans": { + "tagged": [], + "untagged": "home.dmz" + } + }, + "10": { + "description": "", + "enabled": true, + "ip_addresses": [], + "lag": null, + "mode": "access", + "type": "1000base-t", + "vlans": { + "tagged": [], + "untagged": "ffwi.client" + } + }, + "11": { + "description": "", + "enabled": true, + "ip_addresses": [], + "lag": null, + "mode": "access", + "type": "1000base-t", + "vlans": { + "tagged": [], + "untagged": "ffwi.client" + } + }, + "12": { + "description": "", + "enabled": true, + "ip_addresses": [], + "lag": null, + "mode": "access", + "type": "1000base-t", + "vlans": { + "tagged": [], + "untagged": "ffwi.client" + } + }, + "13": { + "description": "home.ejgwdesk", + "enabled": true, + "ip_addresses": [], + "lag": null, + "mode": "access", + "type": "1000base-t", + "vlans": { + "tagged": [], + "untagged": "home.clients" + } + }, + "14": { + "description": "Schreibtisch Franzi", + "enabled": true, + "ip_addresses": [], + "lag": null, + "mode": "access", + "type": "1000base-t", + "vlans": { + "tagged": [], + "untagged": "home.clients" + } + }, + "15": { + "description": "Schreibtisch Sophie", + "enabled": true, + "ip_addresses": [], + "lag": null, + "mode": "access", + "type": "1000base-t", + "vlans": { + "tagged": [], + "untagged": "home.clients" + } + }, + "16": { + "description": 
"home.snom-wohnzimmer", + "enabled": true, + "ip_addresses": [], + "lag": null, + "mode": "access", + "type": "1000base-t", + "vlans": { + "tagged": [], + "untagged": "home.clients" + } + }, + "17": { + "description": "home.drucker-sophie", + "enabled": true, + "ip_addresses": [], + "lag": null, + "mode": "access", + "type": "1000base-t", + "vlans": { + "tagged": [], + "untagged": "home.clients" + } + }, + "18": { + "description": "", + "enabled": true, + "ip_addresses": [], + "lag": null, + "mode": "access", + "type": "1000base-t", + "vlans": { + "tagged": [], + "untagged": "home.clients" + } + }, + "19": { + "description": "", + "enabled": true, + "ip_addresses": [], + "lag": null, + "mode": "access", + "type": "1000base-t", + "vlans": { + "tagged": [], + "untagged": "home.clients" + } + }, + "2": { + "description": "home.router (enp1s0)", + "enabled": true, + "ip_addresses": [], + "lag": null, + "mode": "tagged", + "type": "1000base-t", + "vlans": { + "tagged": [ + "home.clients", + "home.dmz", + "home.wan" + ], + "untagged": null + } + }, + "20": { + "description": "RIPE-Probe #28280", + "enabled": true, + "ip_addresses": [], + "lag": null, + "mode": "access", + "type": "1000base-t", + "vlans": { + "tagged": [], + "untagged": "home.dmz" + } + }, + "21": { + "description": "", + "enabled": true, + "ip_addresses": [], + "lag": null, + "mode": "access", + "type": "1000base-t", + "vlans": { + "tagged": [], + "untagged": "home.clients" + } + }, + "22": { + "description": "", + "enabled": true, + "ip_addresses": [], + "lag": null, + "mode": "access", + "type": "1000base-t", + "vlans": { + "tagged": [], + "untagged": "home.clients" + } + }, + "23": { + "description": "", + "enabled": true, + "ip_addresses": [], + "lag": null, + "mode": "access", + "type": "1000base-t", + "vlans": { + "tagged": [], + "untagged": "home.clients" + } + }, + "24": { + "description": "", + "enabled": true, + "ip_addresses": [], + "lag": null, + "mode": "access", + "type": "1000base-t", + 
"vlans": { + "tagged": [], + "untagged": "home.clients" + } + }, + "25": { + "description": "home.kodi-wohnzimmer", + "enabled": true, + "ip_addresses": [], + "lag": null, + "mode": "access", + "type": "1000base-t", + "vlans": { + "tagged": [], + "untagged": "home.clients" + } + }, + "26": { + "description": "", + "enabled": true, + "ip_addresses": [], + "lag": null, + "mode": "access", + "type": "1000base-t", + "vlans": { + "tagged": [], + "untagged": "home.clients" + } + }, + "27": { + "description": "", + "enabled": true, + "ip_addresses": [], + "lag": null, + "mode": "access", + "type": "1000base-t", + "vlans": { + "tagged": [], + "untagged": "home.clients" + } + }, + "28": { + "description": "", + "enabled": true, + "ip_addresses": [], + "lag": null, + "mode": "access", + "type": "1000base-t", + "vlans": { + "tagged": [], + "untagged": "home.clients" + } + }, + "29": { + "description": "Sofa-Kabel", + "enabled": true, + "ip_addresses": [], + "lag": null, + "mode": "access", + "type": "1000base-t", + "vlans": { + "tagged": [], + "untagged": "home.clients" + } + }, + "3": { + "description": "", + "enabled": true, + "ip_addresses": [], + "lag": null, + "mode": "access", + "type": "1000base-t", + "vlans": { + "tagged": [], + "untagged": "ffwi.client" + } + }, + "30": { + "description": "", + "enabled": true, + "ip_addresses": [], + "lag": null, + "mode": "access", + "type": "1000base-t", + "vlans": { + "tagged": [], + "untagged": "home.clients" + } + }, + "31": { + "description": "", + "enabled": true, + "ip_addresses": [], + "lag": null, + "mode": "access", + "type": "1000base-t", + "vlans": { + "tagged": [], + "untagged": "home.clients" + } + }, + "32": { + "description": "", + "enabled": true, + "ip_addresses": [], + "lag": null, + "mode": "access", + "type": "1000base-t", + "vlans": { + "tagged": [], + "untagged": "home.clients" + } + }, + "33": { + "description": "", + "enabled": true, + "ip_addresses": [], + "lag": "LAG3", + "mode": null, + "type": 
"1000base-t", + "vlans": { + "tagged": [], + "untagged": null + } + }, + "34": { + "description": "Patchpanel unten (17)", + "enabled": true, + "ip_addresses": [], + "lag": null, + "mode": "access", + "type": "1000base-t", + "vlans": { + "tagged": [], + "untagged": "home.clients" + } + }, + "35": { + "description": "", + "enabled": true, + "ip_addresses": [], + "lag": "LAG3", + "mode": null, + "type": "1000base-t", + "vlans": { + "tagged": [], + "untagged": null + } + }, + "36": { + "description": "Patchpanel unten (18)", + "enabled": true, + "ip_addresses": [], + "lag": null, + "mode": "access", + "type": "1000base-t", + "vlans": { + "tagged": [], + "untagged": "home.clients" + } + }, + "37": { + "description": "", + "enabled": true, + "ip_addresses": [], + "lag": "LAG1", + "mode": null, + "type": "1000base-t", + "vlans": { + "tagged": [], + "untagged": null + } + }, + "38": { + "description": "", + "enabled": true, + "ip_addresses": [], + "lag": null, + "mode": "access", + "type": "1000base-t", + "vlans": { + "tagged": [], + "untagged": "home.clients" + } + }, + "39": { + "description": "", + "enabled": true, + "ip_addresses": [], + "lag": "LAG1", + "mode": null, + "type": "1000base-t", + "vlans": { + "tagged": [], + "untagged": null + } + }, + "4": { + "description": "", + "enabled": true, + "ip_addresses": [], + "lag": null, + "mode": "access", + "type": "1000base-t", + "vlans": { + "tagged": [], + "untagged": "ffwi.client" + } + }, + "40": { + "description": "info-beamer 12199 (LAN)", + "enabled": true, + "ip_addresses": [], + "lag": null, + "mode": "access", + "type": "1000base-t", + "vlans": { + "tagged": [], + "untagged": "home.clients" + } + }, + "41": { + "description": "home.nas (enp8s0f0)", + "enabled": true, + "ip_addresses": [], + "lag": "LAG2", + "mode": null, + "type": "1000base-t", + "vlans": { + "tagged": [], + "untagged": null + } + }, + "42": { + "description": "Patchpanel unten (21)", + "enabled": true, + "ip_addresses": [], + "lag": null, + 
"mode": "access", + "type": "1000base-t", + "vlans": { + "tagged": [], + "untagged": "home.wan" + } + }, + "43": { + "description": "home.nas (enp8s0f1)", + "enabled": true, + "ip_addresses": [], + "lag": "LAG2", + "mode": null, + "type": "1000base-t", + "vlans": { + "tagged": [], + "untagged": null + } + }, + "44": { + "description": "home.bubble01", + "enabled": true, + "ip_addresses": [], + "lag": null, + "mode": "access", + "type": "1000base-t", + "vlans": { + "tagged": [], + "untagged": "home.clients" + } + }, + "45": { + "description": "home.nas (enp9s0f0)", + "enabled": true, + "ip_addresses": [], + "lag": "LAG2", + "mode": null, + "type": "1000base-t", + "vlans": { + "tagged": [], + "untagged": null + } + }, + "46": { + "description": "home.winkeeinhorn-1", + "enabled": true, + "ip_addresses": [], + "lag": null, + "mode": "tagged", + "type": "1000base-t", + "vlans": { + "tagged": [ + "ffwi.mesh" + ], + "untagged": "home.clients" + } + }, + "47": { + "description": "home.nas (enp9s0f1)", + "enabled": true, + "ip_addresses": [], + "lag": "LAG2", + "mode": null, + "type": "1000base-t", + "vlans": { + "tagged": [], + "untagged": null + } + }, + "48": { + "description": "home.winkeeinhorn-2", + "enabled": true, + "ip_addresses": [], + "lag": null, + "mode": "tagged", + "type": "1000base-t", + "vlans": { + "tagged": [ + "ffwi.mesh" + ], + "untagged": "home.clients" + } + }, + "49": { + "description": "", + "enabled": true, + "ip_addresses": [], + "lag": null, + "mode": null, + "type": "1000base-x-sfp", + "vlans": { + "tagged": [], + "untagged": null + } + }, + "5": { + "description": "", + "enabled": true, + "ip_addresses": [], + "lag": null, + "mode": "access", + "type": "1000base-t", + "vlans": { + "tagged": [], + "untagged": "ffwi.client" + } + }, + "50": { + "description": "", + "enabled": true, + "ip_addresses": [], + "lag": null, + "mode": null, + "type": "1000base-x-sfp", + "vlans": { + "tagged": [], + "untagged": null + } + }, + "51": { + "description": 
"", + "enabled": true, + "ip_addresses": [], + "lag": null, + "mode": null, + "type": "1000base-x-sfp", + "vlans": { + "tagged": [], + "untagged": null + } + }, + "52": { + "description": "", + "enabled": true, + "ip_addresses": [], + "lag": null, + "mode": null, + "type": "1000base-x-sfp", + "vlans": { + "tagged": [], + "untagged": null + } + }, + "6": { + "description": "", + "enabled": true, + "ip_addresses": [], + "lag": null, + "mode": "access", + "type": "1000base-t", + "vlans": { + "tagged": [], + "untagged": "ffwi.client" + } + }, + "7": { + "description": "", + "enabled": true, + "ip_addresses": [], + "lag": null, + "mode": "access", + "type": "1000base-t", + "vlans": { + "tagged": [], + "untagged": "ffwi.client" + } + }, + "8": { + "description": "", + "enabled": true, + "ip_addresses": [], + "lag": null, + "mode": "access", + "type": "1000base-t", + "vlans": { + "tagged": [], + "untagged": "ffwi.client" + } + }, + "9": { + "description": "", + "enabled": true, + "ip_addresses": [], + "lag": null, + "mode": "access", + "type": "1000base-t", + "vlans": { + "tagged": [], + "untagged": "ffwi.client" + } + }, + "LAG1": { + "description": "", + "enabled": true, + "ip_addresses": [], + "lag": null, + "mode": "access", + "type": "lag", + "vlans": { + "tagged": [], + "untagged": "home.clients" + } + }, + "LAG2": { + "description": "", + "enabled": true, + "ip_addresses": [], + "lag": null, + "mode": "tagged", + "type": "lag", + "vlans": { + "tagged": [ + "ffwi.client", + "ffwi.mesh", + "home.clients", + "home.dmz", + "home.wan" + ], + "untagged": null + } + }, + "LAG3": { + "description": "", + "enabled": true, + "ip_addresses": [], + "lag": null, + "mode": "access", + "type": "lag", + "vlans": { + "tagged": [], + "untagged": "home.clients" + } + }, + "VLAN42": { + "description": "", + "enabled": true, + "ip_addresses": [ + "172.19.138.2/24" + ], + "lag": null, + "mode": "access", + "type": "virtual", + "vlans": { + "tagged": [], + "untagged": "home.clients" + } 
+ } + }, + "home.sw02": { + "ge-0/0/0": { + "description": "snom", + "enabled": true, + "ip_addresses": [], + "lag": null, + "mode": "access", + "type": "1000base-t", + "vlans": { + "tagged": [], + "untagged": "home.clients" + } + }, + "ge-0/0/1": { + "description": "bubble", + "enabled": true, + "ip_addresses": [], + "lag": null, + "mode": "access", + "type": "1000base-t", + "vlans": { + "tagged": [], + "untagged": "home.clients" + } + }, + "ge-0/0/10": { + "description": "sophie", + "enabled": true, + "ip_addresses": [], + "lag": null, + "mode": "access", + "type": "1000base-t", + "vlans": { + "tagged": [], + "untagged": "home.clients" + } + }, + "ge-0/0/11": { + "description": "sophie", + "enabled": true, + "ip_addresses": [], + "lag": null, + "mode": "access", + "type": "1000base-t", + "vlans": { + "tagged": [], + "untagged": "home.clients" + } + }, + "ge-0/0/12": { + "description": "franzi", + "enabled": true, + "ip_addresses": [], + "lag": null, + "mode": "access", + "type": "1000base-t", + "vlans": { + "tagged": [], + "untagged": "home.clients" + } + }, + "ge-0/0/13": { + "description": "", + "enabled": true, + "ip_addresses": [], + "lag": null, + "mode": null, + "type": "1000base-t", + "vlans": { + "tagged": [], + "untagged": null + } + }, + "ge-0/0/14": { + "description": "", + "enabled": true, + "ip_addresses": [], + "lag": null, + "mode": null, + "type": "1000base-t", + "vlans": { + "tagged": [], + "untagged": null + } + }, + "ge-0/0/15": { + "description": "", + "enabled": true, + "ip_addresses": [], + "lag": null, + "mode": null, + "type": "1000base-t", + "vlans": { + "tagged": [], + "untagged": null + } + }, + "ge-0/0/16": { + "description": "", + "enabled": true, + "ip_addresses": [], + "lag": null, + "mode": null, + "type": "1000base-t", + "vlans": { + "tagged": [], + "untagged": null + } + }, + "ge-0/0/17": { + "description": "", + "enabled": true, + "ip_addresses": [], + "lag": null, + "mode": null, + "type": "1000base-t", + "vlans": { + "tagged": 
[], + "untagged": null + } + }, + "ge-0/0/18": { + "description": "", + "enabled": true, + "ip_addresses": [], + "lag": null, + "mode": null, + "type": "1000base-t", + "vlans": { + "tagged": [], + "untagged": null + } + }, + "ge-0/0/19": { + "description": "", + "enabled": true, + "ip_addresses": [], + "lag": null, + "mode": null, + "type": "1000base-t", + "vlans": { + "tagged": [], + "untagged": null + } + }, + "ge-0/0/2": { + "description": "freifunk", + "enabled": true, + "ip_addresses": [], + "lag": null, + "mode": "tagged", + "type": "1000base-t", + "vlans": { + "tagged": [ + "ffwi.mesh" + ], + "untagged": "home.clients" + } + }, + "ge-0/0/20": { + "description": "kodi", + "enabled": true, + "ip_addresses": [], + "lag": null, + "mode": "access", + "type": "1000base-t", + "vlans": { + "tagged": [], + "untagged": "home.clients" + } + }, + "ge-0/0/21": { + "description": "infobeamer", + "enabled": true, + "ip_addresses": [], + "lag": null, + "mode": "access", + "type": "1000base-t", + "vlans": { + "tagged": [], + "untagged": "home.clients" + } + }, + "ge-0/0/22": { + "description": "fritzbox", + "enabled": true, + "ip_addresses": [], + "lag": null, + "mode": "access", + "type": "1000base-t", + "vlans": { + "tagged": [], + "untagged": "home.wan" + } + }, + "ge-0/0/23": { + "description": "router", + "enabled": true, + "ip_addresses": [], + "lag": null, + "mode": "tagged", + "type": "1000base-t", + "vlans": { + "tagged": [ + "home.clients", + "home.dmz", + "home.wan" + ], + "untagged": null + } + }, + "ge-0/0/3": { + "description": "freifunk", + "enabled": true, + "ip_addresses": [], + "lag": null, + "mode": "tagged", + "type": "1000base-t", + "vlans": { + "tagged": [ + "ffwi.mesh" + ], + "untagged": "home.clients" + } + }, + "ge-0/0/4": { + "description": "wohnzimmer", + "enabled": true, + "ip_addresses": [], + "lag": null, + "mode": "access", + "type": "1000base-t", + "vlans": { + "tagged": [], + "untagged": "home.clients" + } + }, + "ge-0/0/5": { + 
"description": "", + "enabled": true, + "ip_addresses": [], + "lag": null, + "mode": null, + "type": "1000base-t", + "vlans": { + "tagged": [], + "untagged": null + } + }, + "ge-0/0/6": { + "description": "", + "enabled": true, + "ip_addresses": [], + "lag": null, + "mode": null, + "type": "1000base-t", + "vlans": { + "tagged": [], + "untagged": null + } + }, + "ge-0/0/7": { + "description": "", + "enabled": true, + "ip_addresses": [], + "lag": null, + "mode": null, + "type": "1000base-t", + "vlans": { + "tagged": [], + "untagged": null + } + }, + "ge-0/0/8": { + "description": "drucker", + "enabled": true, + "ip_addresses": [], + "lag": null, + "mode": "access", + "type": "1000base-t", + "vlans": { + "tagged": [], + "untagged": "home.clients" + } + }, + "ge-0/0/9": { + "description": "ripe-probe", + "enabled": true, + "ip_addresses": [], + "lag": null, + "mode": "access", + "type": "1000base-t", + "vlans": { + "tagged": [], + "untagged": "home.dmz" + } + }, + "ge-0/1/0": { + "description": "", + "enabled": true, + "ip_addresses": [], + "lag": null, + "mode": null, + "type": "1000base-x-sfp", + "vlans": { + "tagged": [], + "untagged": null + } + }, + "ge-0/1/1": { + "description": "", + "enabled": true, + "ip_addresses": [], + "lag": null, + "mode": null, + "type": "1000base-x-sfp", + "vlans": { + "tagged": [], + "untagged": null + } + }, + "ge-0/1/2": { + "description": "", + "enabled": true, + "ip_addresses": [], + "lag": null, + "mode": null, + "type": "1000base-x-sfp", + "vlans": { + "tagged": [], + "untagged": null + } + }, + "ge-0/1/3": { + "description": "", + "enabled": true, + "ip_addresses": [], + "lag": null, + "mode": null, + "type": "1000base-x-sfp", + "vlans": { + "tagged": [], + "untagged": null + } + }, + "xe-0/1/0": { + "description": "nas", + "enabled": true, + "ip_addresses": [], + "lag": null, + "mode": "tagged", + "type": "10gbase-x-sfpp", + "vlans": { + "tagged": [ + "ffwi.client", + "ffwi.mesh", + "home.clients", + "home.dmz" + ], + 
"untagged": null + } + }, + "xe-0/1/1": { + "description": "", + "enabled": true, + "ip_addresses": [], + "lag": null, + "mode": "access", + "type": "10gbase-x-sfpp", + "vlans": { + "tagged": [], + "untagged": "home.clients" + } + }, + "xe-0/1/2": { + "description": "", + "enabled": true, + "ip_addresses": [], + "lag": null, + "mode": "access", + "type": "10gbase-x-sfpp", + "vlans": { + "tagged": [], + "untagged": "home.clients" + } + } + }, + "home.usv01": { + "LAN": { + "description": "", + "enabled": true, + "ip_addresses": [ + "172.19.138.3/24" + ], + "lag": null, + "mode": null, + "type": "100base-tx", + "vlans": { + "tagged": [], + "untagged": null + } + } + } + }, + "vlans": { + "ffwi.client": 8, + "ffwi.mesh": 7, + "home.clients": 42, + "home.dmz": 23, + "home.wan": 100 + } + }, + "meerfarbig gmbh & co. kg": { + "devices": { + "rx300": { + "IPMI": { + "description": "", + "enabled": true, + "ip_addresses": [ + "10.250.179.2/32" + ], + "lag": null, + "mode": null, + "type": "100base-tx", + "vlans": { + "tagged": [], + "untagged": null + } + }, + "LAN1": { + "description": "", + "enabled": true, + "ip_addresses": [ + "2a00:f820:528::2/64", + "31.47.232.106/29" + ], + "lag": null, + "mode": null, + "type": "1000base-t", + "vlans": { + "tagged": [], + "untagged": null + } + }, + "LAN2": { + "description": "", + "enabled": true, + "ip_addresses": [], + "lag": null, + "mode": null, + "type": "1000base-t", + "vlans": { + "tagged": [], + "untagged": null + } + } + } + }, + "vlans": {} + } +} \ No newline at end of file diff --git a/requirements.txt b/requirements.txt index eaec252..8c04545 100644 --- a/requirements.txt +++ b/requirements.txt @@ -1,3 +1,4 @@ bundlewrap~=4.16.0 PyNaCl bundlewrap-pass +pynetbox==7.0.0 diff --git a/scripts/netbox-dump b/scripts/netbox-dump new file mode 100755 index 0000000..779b143 --- /dev/null +++ b/scripts/netbox-dump 
@@ -0,0 +1,117 @@ +#!/usr/bin/env python3 + +from json import dump +from os import environ +from os.path import join +from sys import exit + +from bundlewrap.utils.ui import QUIT_EVENT, io +from bundlewrap.utils.text import bold, yellow, validate_name +from pynetbox import api as netbox_api + + +BW_REPO_PATH = environ.get('BW_REPO_PATH', '.') +netbox = netbox_api( + environ.get('NETBOX_HOST', 'https://netbox.franzi.business'), + token=environ.get('NETBOX_TOKEN', None), +) + +result = { +# 'my_site_name': { +# 'vlans': { +# 'my_vlan_name': 10, +# 'other_vlan_name': 11, +# 'yet_another_vlan_name': 12, +# }, +# 'devices': { +# 'my_switch': { +# 'port1': { +# 'description': 'foo', +# 'type': '1000base-t', # or 'lag' +# 'mode': None, # or 'access', 'tagged', 'tagged-all' +# 'lag': 'none', # or 'LAG1' +# 'vlan': { +# 'untagged': 'my_vlan_name', +# 'tagged': [ +# 'other_vlan_name', +# 'yet_another_vlan_name', +# ], +# }, +# }, +# }, +# }, +# }, +} + +errors = False +try: + io.activate() + + for site in netbox.dcim.sites.all(): + site_name = site.name.lower() + + result[site_name] = { + 'vlans': {}, + 'devices': {}, + } + + with io.job(f'{bold(site_name)} getting vlans'): + for vlan in netbox.ipam.vlans.filter(site_id=site.id): + if vlan.name in result[site_name]['vlans'].keys() and result[site_name]['vlans'][vlan.name] != vlan.id: + raise Exception(f"vlan {result[site_name]['vlans'][vlan.name]} and {vlan.id} both have the name {vlan.name}") + + result[site_name]['vlans'][vlan.name] = vlan.vid + + for interface in netbox.dcim.interfaces.filter(site_id=site.id): + if QUIT_EVENT.is_set(): + exit(0) + + with io.job(f'{bold(site_name)} {bold(interface.device.name)} interface {yellow(interface.name)}'): + if not interface.device.name: + # Unnamed device. Probably not managed by bw. + continue + elif not validate_name(interface.device.name): + # bundlewrap does not consider this device name to be a valid + # node name. 
Ignore it, we don't manage it + continue + + has_valid_description = False + if interface.description: + description = interface.description + has_valid_description = True + elif interface.connected_endpoints: + description = f'{sorted(interface.connected_endpoints)[0].device.display} ({sorted(interface.connected_endpoints)[0].display})' + has_valid_description = True + elif interface.link_peers: + description = f'{sorted(interface.link_peers)[0].device.display} ({sorted(interface.link_peers)[0].display})' + else: + description = '' + + if not description.isascii(): + errors = True + io.stderr(f'{bold(interface.device.name)} {bold(interface.name)} description "{description}" contains non-ascii characters, this isn\'t supported') + + result[site_name]['devices'].setdefault(interface.device.name, {})[interface.name] = { + 'description': description, + 'enabled': interface.enabled, + 'ip_addresses': sorted(set() if interface.count_ipaddresses == 0 else { + ip.address for ip in + netbox.ipam.ip_addresses.filter(interface_id=interface.id) + }), + 'mode': interface.mode.value if interface.mode else None, + 'type': interface.type.value, + 'lag': interface.lag.name if interface.lag else None, + 'vlans': { + 'untagged': interface.untagged_vlan.name if interface.untagged_vlan else None, + 'tagged': sorted(vlan.name for vlan in interface.tagged_vlans), + }, + } + + if errors: + exit(1) + + with io.job('dumping result to netbox_dump.json'): + with open(join(BW_REPO_PATH, 'netbox_dump.json'), 'w') as f: + dump(result, f, indent=4, sort_keys=True) +finally: + io.deactivate() From 6ae90733c3a31d511fefe10d8ab7a8c7f59fc2c7 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Thu, 22 Dec 2022 13:05:33 +0100 Subject: [PATCH 002/996] add libs/juniper --- libs/juniper.py | 149 ++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 149 insertions(+) create mode 100644 libs/juniper.py diff --git a/libs/juniper.py b/libs/juniper.py new file mode 100644 index 0000000..9549a77 
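Review bot: `token=environ.get('NETBOX_TOKEN', None)` lets the script build the client with no token when the variable is unset, so a misconfigured shell produces unauthenticated requests and a confusing failure late in the run (or, if the server permits anonymous reads, presumably a dump that silently omits restricted objects) instead of a clear error; fail fast before constructing `netbox` with `token = environ.get('NETBOX_TOKEN')` / `if not token: exit('NETBOX_TOKEN is not set')`. `has_valid_description` is assigned in the description branches but never read, and `sorted(interface.connected_endpoints)[0]` (likewise `sorted(interface.link_peers)[0]`) is evaluated twice per interface; binding the peer once removes the dead variable and the repeated sort. The duplicate-VLAN check raises a bare `Exception`; a `ValueError` with the same message is the conventional type for a data-consistency failure.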
--- /dev/null
+++ b/libs/juniper.py
@@ -0,0 +1,149 @@ +import random + +# copied from https://github.com/peering-manager/peering-manager/blob/main/devices/crypto/juniper.py + + +# This code is the result of the attempt at converting a Perl module, the expected +# result might not actually be what we really want it to be ¯\_(ツ)_/¯ +# +# https://metacpan.org/pod/Crypt::Juniper + + +MAGIC = "$9$" + +FAMILY = [ + "QzF3n6/9CAtpu0O", + "B1IREhcSyrleKvMW8LXx", + "7N-dVbwsY2g4oaJZGUDj", + "iHkq.mPf5T", +] +EXTRA = {} +for counter, value in enumerate(FAMILY): + for character in value: + EXTRA[character] = 3 - counter + +NUM_ALPHA = [x for x in "".join(FAMILY)] +ALPHA_NUM = {NUM_ALPHA[x]: x for x in range(0, len(NUM_ALPHA))} + +ENCODING = [ + [1, 4, 32], + [1, 16, 32], + [1, 8, 32], + [1, 64], + [1, 32], + [1, 4, 16, 128], + [1, 32, 64], +] + + +def __nibble(cref, length): + nib = cref[0:length] + rest = cref[length:] + + if len(nib) != length: + raise Exception(f"Ran out of characters: hit '{nib}', expecting {length} chars") + + return nib, rest + + +def __gap(c1, c2): + return (ALPHA_NUM[str(c2)] - ALPHA_NUM[str(c1)]) % (len(NUM_ALPHA)) - 1 + + +def __gap_decode(gaps, dec): + num = 0 + + if len(gaps) != len(dec): + raise Exception("Nibble and decode size not the same.") + + for x in range(0, len(gaps)): + num += gaps[x] * dec[x] + + return chr(num % 256) + + +def __reverse(current): + reversed = list(current) + reversed.reverse() + return reversed + + +def __gap_encode(pc, prev, encode): + __ord = ord(pc) + + crypt = "" + gaps = [] + for mod in __reverse(encode): + gaps.insert(0, int(__ord / mod)) + __ord %= mod + + for gap in gaps: + gap += ALPHA_NUM[prev] + 1 + prev = NUM_ALPHA[gap % len(NUM_ALPHA)] + crypt += prev + + return crypt + + +def __randc(counter=0): + return_value = "" + for _ in range(counter): + return_value += NUM_ALPHA[random.randrange(len(NUM_ALPHA))] + return return_value + + +def is_encrypted(value): + return value.startswith(MAGIC) + + +def decrypt(value): + if not value: + return "" + + 
if not is_encrypted(value): + return value + + chars = value.split("$9$", 1)[1] + first, chars = __nibble(chars, 1) + toss, chars = __nibble(chars, EXTRA[first]) + previous = first + decrypted = "" + + while chars: + decode = ENCODING[len(decrypted) % len(ENCODING)] + nibble, chars = __nibble(chars, len(decode)) + gaps = [] + for i in nibble: + g = __gap(previous, i) + previous = i + gaps += [g] + decrypted += __gap_decode(gaps, decode) + + return decrypted + + +def encrypt(value, salt=None): + if not value: + return "" + + if not isinstance(value, str): + value = str(value) + + if is_encrypted(value): + return value + + if not salt: + salt = __randc(1) + rand = __randc(EXTRA[salt]) + + position = 0 + previous = salt + crypted = MAGIC + salt + rand + + for x in value: + encode = ENCODING[position % len(ENCODING)] + crypted += __gap_encode(x, previous, encode) + previous = crypted[-1] + position += 1 + + return crypted From f1a775b5c9c951540caf3ae024666f9310d802c0 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Thu, 22 Dec 2022 15:45:50 +0100 Subject: [PATCH 003/996] add junos device management --- configs/junos-template.conf | 141 ++++++++++++++++++++++++++++++++++++ groups/os.py | 7 ++ netbox_dump.json | 14 ++++ nodes/home/home.sw02.toml | 5 ++ scripts/junos-update-config | 137 +++++++++++++++++++++++++++++++++++ 5 files changed, 304 insertions(+) create mode 100644 configs/junos-template.conf create mode 100644 nodes/home/home.sw02.toml create mode 100755 scripts/junos-update-config diff --git a/configs/junos-template.conf b/configs/junos-template.conf new file mode 100644 index 0000000..0f4012e --- /dev/null +++ b/configs/junos-template.conf 
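Review bot: The module comment should state what `$9$` actually is: `decrypt()` recovers the original value from the encoded string with no key at all, so any `$9$` string in a committed config or in node metadata is a plaintext-equivalent secret and needs the same protection as the password itself; a module docstring such as `"""Juniper $9$ reversible obfuscation; encoded values are recoverable by anyone holding the config."""` would make that explicit for callers. `encrypt()` with a caller-supplied `salt` outside the `$9$` alphabet fails with a bare `KeyError` from `EXTRA[salt]`; validate it up front with `if salt not in EXTRA: raise ValueError(f"salt must be one of {''.join(NUM_ALPHA)!r}")`. `decrypt()` splits on the literal `"$9$"` while `is_encrypted()` uses `MAGIC`; using `MAGIC` in both keeps the prefix single-sourced. The local named `reversed` in `__reverse` shadows the builtin of the same name.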
@@ -0,0 +1,141 @@ +version ${'.'.join(node.metadata.get('junos/version'))}; +system { + host-name ${node.name.split('.')[-1]}; + time-zone GMT; + root-authentication { + encrypted-password "$5$1hGrR8Kk$lx3CIdxqvesBrZUtDftROEoyXQuMENEu62JVtHw6WGD"; ## SECRET-DATA + } + name-server { +% for srv in repo.libs.defaults.nameservers_ipv4: + ${srv}; +% endfor + } + login { +% for uid, (uname, uconfig) in enumerate(sorted(users.items())): + user ${uname} { + full-name ${uname}; + uid ${1000+uid}; + class super-user; + authentication { +% for pubkey in sorted(uconfig['ssh_pubkey']): + ${pubkey.split(' ', 1)[0]} "${pubkey}"; +% endfor + } + } +% endfor + } + services { + ssh { + protocol-version v2; + } + netconf { + ssh; + } +# web-management { +# http; +# } + } + syslog { + user * { + any emergency; + } + file messages { + any notice; + authorization info; + } + file interactive-commands { + interactive-commands any; + } + } + ntp { +% for srv in sorted(ntp_servers): + server ${srv}; +% endfor; + } +} +interfaces { +% for iface, config in sorted(interfaces.items()): + ${iface} { + unit 0 { +% if not config['enabled']: + disable; +% endif +% if config['mode'] == 'trunk': + family ethernet-switching { + port-mode trunk; + vlan { + members [ ${' '.join(sorted(config['tagged_vlans']))} ]; + } +% if config['untagged_vlan']: + native-vlan-id ${config['untagged_vlan']}; +% endif + } +% else: + family ethernet-switching; +% endif + } + } +% endfor + vlan { +% for idx, (vlan, vconfig) in enumerate(sorted(vlans.items())): +% if vconfig['ip_address']: + unit ${idx} { + family inet { + address ${vconfig['ip_address']}; + } + } +% endif +% endfor + } +} +snmp { + contact "${repo.libs.defaults.hostmaster_email}"; + community public { + authorization read-only; + } +} +routing-options { + static { + route 0.0.0.0/0 next-hop ${gateway}; + } +} +protocols { + igmp-snooping { + vlan all; + } + rstp; + lldp { + interface all; + } + lldp-med { + interface all; + } +} 
+ethernet-switching-options { + voip; + storm-control { + interface all; + } +} +vlans { +% for idx, (vlan, vconfig) in enumerate(sorted(vlans.items())): + ${vlan} { +% if vconfig['id']: + vlan-id ${vconfig['id']}; +% endif + interface { +% for iface, iconfig in sorted(interfaces.items()): +% if iconfig['untagged_vlan'] == vlan: + ${iface}.0; +% endif +% endfor + } +% if vconfig['ip_address']: + l3-interface vlan.${idx}; +% endif + } +% endfor +} +poe { + interface all; +} diff --git a/groups/os.py b/groups/os.py index 4fa97f7..21d4a60 100644 --- a/groups/os.py +++ b/groups/os.py @@ -88,3 +88,10 @@ groups['debian-bullseye'] = { groups['debian-sid'] = { 'os_version': (99,) } + +groups['junos'] = { + 'dummy': True, + 'cmd_wrapper_outer': '{}', + 'cmd_wrapper_inner': '{}', + 'os': 'freebsd', +} diff --git a/netbox_dump.json b/netbox_dump.json index 30eb1e7..c013f00 100644 --- a/netbox_dump.json +++ b/netbox_dump.json @@ -1190,6 +1190,20 @@ "untagged": null } }, + "home.clients": { + "description": "", + "enabled": true, + "ip_addresses": [ + "172.19.138.4/24" + ], + "lag": null, + "mode": null, + "type": "virtual", + "vlans": { + "tagged": [], + "untagged": null + } + }, "xe-0/1/0": { "description": "nas", "enabled": true, diff --git a/nodes/home/home.sw02.toml b/nodes/home/home.sw02.toml new file mode 100644 index 0000000..8e4520a --- /dev/null +++ b/nodes/home/home.sw02.toml @@ -0,0 +1,5 @@ +hostname = "172.19.138.4" +groups = ["junos"] + +[metadata.junos] +version = ["15", "1R5", "5"] diff --git a/scripts/junos-update-config b/scripts/junos-update-config new file mode 100755 index 0000000..74191cf --- /dev/null +++ b/scripts/junos-update-config 
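Review bot: The `root-authentication` block embeds a fixed `$5$` password hash in the template, so every switch rendered from it shares one root credential and the hash is readable by anyone with repository access; the companion script already has `repo.vault` at hand, so the hash belongs there and should be rendered from a template argument, e.g. `encrypted-password "${root_password_hash}"; ## SECRET-DATA`. The `snmp` block has the same shape of problem: the well-known `public` community with no `clients` restriction grants read access to the device MIBs to anything that can reach the management address, so the community name should likewise come from the vault and be limited with a `clients { <management-prefix>; }` clause. Since every rendered admin user gets `class super-user` with key authentication, root over SSH has no remaining use and `root-login deny;` inside `services { ssh { ... } }` closes that path. The `login` stanza also hands every admin the same class; if the users.json consumers ever need a read-only operator, a per-user class would have to be threaded through `users` as well.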
@@ -0,0 +1,137 @@
+#!/usr/bin/env python3
+
+from json import load
+from os import environ
+from os.path import join
+from sys import argv, exit
+from tempfile import gettempdir
+
+from mako.template import Template
+
+from bundlewrap.repo import Repository
+from bundlewrap.utils.text import bold
+from bundlewrap.utils.ui import io
+
+NTP_SERVERS = {
+# pool.ntp.org
+ '148.251.54.81',
+ '162.159.200.123',
+ '213.209.109.44',
+ '54.36.110.36',
+}
+
+try:
+ node_name = argv[1]
+except Exception:
+ print(f'Usage: {argv[0]} ')
+ exit(1)
+
+path = environ.get('BW_REPO_PATH', '.')
+repo = Repository(path)
+node = repo.get_node(node_name)
+
+try:
+ io.activate()
+
+ interfaces = {}
+ users = {}
+ vlans = {
+ 'default': {
+ 'id': None,
+ 'ip_address': '169.254.254.254/24',
+ },
+ }
+
+ tmpfile = join(gettempdir(), f'{node.name}.conf')
+
+ gw_split = node.hostname.split('.')
+ gw_split[3] = '1'
+ gateway = '.'.join(gw_split)
+
+ with io.job('reading netbox_dump.json'):
+ with open(join(repo.path, 'netbox_dump.json'), 'r') as f:
+ json = load(f)[node.metadata.get('location')]
+
+ for vlan, vid in json['vlans'].items():
+ vlans[vlan] = {
+ 'id': vid,
+ 'ip_address': None,
+ }
+
+ for iface, iconfig in json['devices'][node.name].items():
+ if iface in vlans:
+ # If the interface name is the same as a vlan name, this
+ # means the ip assigned to this interface should get
+ # assigned to that vlan.
+ vlans[iface]['ip_address'] = iconfig['ip_addresses'][0]
+ else:
+ interfaces[iface] = {
+ 'enabled': bool(
+ iconfig['enabled']
+ and iconfig['mode']
+ and (
+ iconfig['vlans']['tagged']
+ or iconfig['vlans']['untagged']
+ )
+ ),
+ 'description': iconfig['description'],
+ 'untagged_vlan': iconfig['vlans']['untagged'],
+ }
+
+ if iconfig['mode'] and iconfig['mode'].startswith('tagged'):
+ interfaces[iface]['mode'] = 'trunk'
+ else:
+ interfaces[iface]['mode'] = 'access'
+
+ tagged_vlans = set()
+ for vlan in iconfig['vlans']['tagged']:
+ tagged_vlans.add(str(vlans[vlan]['id']))
+ interfaces[iface]['tagged_vlans'] = tagged_vlans
+
+ with io.job('reading users.json'):
+ with open(join(repo.path, 'users.json'), 'r') as f:
+ json = load(f)
+
+ users = {}
+ for uname, config in json.items():
+ if config.get('is_admin', False):
+ users[uname] = {
+ 'password': repo.vault.password_for(f'{node.name} {uname} login'),
+ 'ssh_pubkey': set(config['ssh_pubkey']),
+ }
+
+
+ with io.job(f'{bold(node.name)} rendering config template to {tmpfile}'):
+ with open(join(repo.path, 'configs', 'junos-template.conf')) as f:
+ template = Template(
+ f.read().encode('utf-8'),
+ input_encoding='utf-8',
+ output_encoding='utf-8',
+ )
+ content = template.render(
+ gateway=gateway,
+ interfaces=interfaces,
+ node=node,
+ ntp_servers=NTP_SERVERS,
+ repo=repo,
+ users=users,
+ vlans=vlans,
+ )
+ with open(tmpfile, 'w+') as f:
+ f.write(content.decode('utf-8'))
+
+ with io.job(f'{bold(node.name)} updating configuration on device'):
+ node.upload(tmpfile, '/tmp/bundlewrap.conf')
+
+ result = node.run(
+ 'configure exclusive ; load override /tmp/bundlewrap.conf ; commit',
+ log_output=True,
+ )
+
+ if 'commit complete' in result.stdout.decode():
+ node.run(
+ 'request system configuration rescue save',
+ log_output=True,
+ )
+finally:
+ io.deactivate()
From e67033db8c804cb64e6ad8f5908822ff65aa906f Mon Sep 17 00:00:00 2001
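Review bot: The rendered configuration — carrying the root password hash and every admin's SSH keys — is written to `join(gettempdir(), f'{node.name}.conf')`, a predictable path in the shared temp directory with default permissions that the script never removes, so it stays readable to other local users after the run and could be pre-created by one of them before `node.upload` reads it. Create it privately and drop it afterwards: `fd, tmpfile = mkstemp(prefix=f'{node.name}.', suffix='.conf')` in place of the `join(gettempdir(), ...)` line, `with open(fd, 'w') as f:` for the write, and `unlink(tmpfile)` next to `io.deactivate()` in the `finally` block (imports become `from os import environ, unlink` and `from tempfile import mkstemp`). Separately, the script exits 0 whenever `'commit complete'` is missing from the device output, so a rejected or partial `load override` goes unnoticed by whoever drives it; an `else: exit(1)` on that `if` would surface it. The `'password'` entry built with `repo.vault.password_for` is never consumed by the template (only `ssh_pubkey` is rendered), so it can be dropped rather than left looking like it is applied. The gateway derivation also assumes `node.hostname` is a dotted IPv4 quad (`gw_split[3]`) and raises `IndexError` for a DNS name.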
From: Franziska Kunsmann Date: Thu, 22 Dec 2022 17:21:38 +0100 Subject: [PATCH 004/996] add home.hass basic node file --- nodes/home.hass.toml | 15 +++++++++++++++ 1 file changed, 15 insertions(+) create mode 100644 nodes/home.hass.toml diff --git a/nodes/home.hass.toml b/nodes/home.hass.toml new file mode 100644 index 0000000..34cf68d --- /dev/null +++ b/nodes/home.hass.toml @@ -0,0 +1,15 @@ +hostname = "172.19.138.25" +bundles = [] +groups = ["debian-bullseye"] + +[metadata.backups] +exclude_from_backups = true + +[metadata.interfaces.enp1s0] +ips = ["172.19.138.25/24"] +gateway4 = "172.19.138.1" +ipv6_accept_ra = true + +[metadata.vm] +cpu = 2 +ram = 2 From 0c402791a9e6e11eb2a248d7c917c73e745fd585 Mon Sep 17 00:00:00 2001 
From: Franziska Kunsmann Date: Thu, 22 Dec 2022 17:25:51 +0100 Subject: [PATCH 005/996] convert a bunch of dummy nodes to toml --- nodes/home.bubble01.toml | 4 +++ nodes/home.drucker-sophie.toml | 6 ++++ nodes/home.ejgwdesk.toml | 9 ++++++ nodes/home.kodi-wohnzimmer.toml | 26 ++++++++++++++++ nodes/home.openhab.toml | 21 +++++++++++++ nodes/home.snom-wohnzimmer.toml | 6 ++++ nodes/home.sw01.toml | 4 +++ nodes/home.usv01.toml | 8 +++++ nodes/home.winkeeinhorn-1.toml | 11 +++++++ nodes/home.winkeeinhorn-2.toml | 11 +++++++ nodes/home.winkeeinhorn-vm.toml | 11 +++++++ nodes/home.wled-wohnzimmer.toml | 9 ++++++ nodes/home/bubble01.py | 13 -------- nodes/home/drucker-sophie.py | 14 --------- nodes/home/ejgwdesk.py | 17 ----------- nodes/home/kodi-wohnzimmer.py | 53 --------------------------------- nodes/home/openhab.py | 36 ---------------------- nodes/home/snom-wohnzimmer.py | 14 --------- nodes/home/sw01.py | 12 -------- nodes/home/usv01.py | 27 ----------------- nodes/home/winkeeinhorn-1.py | 25 ---------------- nodes/home/winkeeinhorn-2.py | 25 ---------------- nodes/home/winkeeinhorn-vm.py | 25 ---------------- nodes/home/wled-wohnzimmer.py | 17 ----------- 24 files changed, 126 insertions(+), 278 deletions(-) create mode 100644 nodes/home.bubble01.toml create mode 100644 nodes/home.drucker-sophie.toml create mode 100644 nodes/home.ejgwdesk.toml create mode 100644 nodes/home.kodi-wohnzimmer.toml create mode 100644 nodes/home.openhab.toml create mode 100644 nodes/home.snom-wohnzimmer.toml create mode 100644 nodes/home.sw01.toml create mode 100644 nodes/home.usv01.toml create mode 100644 nodes/home.winkeeinhorn-1.toml create mode 100644 nodes/home.winkeeinhorn-2.toml create mode 100644 nodes/home.winkeeinhorn-vm.toml create mode 100644 nodes/home.wled-wohnzimmer.toml delete mode 100644 nodes/home/bubble01.py delete mode 100644 nodes/home/drucker-sophie.py delete mode 100644 nodes/home/ejgwdesk.py delete mode 100644 nodes/home/kodi-wohnzimmer.py delete mode 100644 
nodes/home/openhab.py delete mode 100644 nodes/home/snom-wohnzimmer.py delete mode 100644 nodes/home/sw01.py delete mode 100644 nodes/home/usv01.py delete mode 100644 nodes/home/winkeeinhorn-1.py delete mode 100644 nodes/home/winkeeinhorn-2.py delete mode 100644 nodes/home/winkeeinhorn-vm.py delete mode 100644 nodes/home/wled-wohnzimmer.py diff --git a/nodes/home.bubble01.toml b/nodes/home.bubble01.toml new file mode 100644 index 0000000..414658a --- /dev/null +++ b/nodes/home.bubble01.toml @@ -0,0 +1,4 @@ +dummy = true + +[metadata.interfaces.default] +ips = ["172.19.138.41"] diff --git a/nodes/home.drucker-sophie.toml b/nodes/home.drucker-sophie.toml new file mode 100644 index 0000000..02c7141 --- /dev/null +++ b/nodes/home.drucker-sophie.toml @@ -0,0 +1,6 @@ +dummy = true + +[metadata.interfaces.default] +ips = ["172.19.138.61"] +dhcp = true +mac = "00:14:38:9E:29:E3" diff --git a/nodes/home.ejgwdesk.toml b/nodes/home.ejgwdesk.toml new file mode 100644 index 0000000..7572ba7 --- /dev/null +++ b/nodes/home.ejgwdesk.toml @@ -0,0 +1,9 @@ +dummy = true + +[metadata.interfaces.default] +ips = ["172.19.138.99"] +dhcp = true +mac = "54:04:A6:EF:A8:01" + +[metadata.icinga_options] +exclude_from_monitoring = true diff --git a/nodes/home.kodi-wohnzimmer.toml b/nodes/home.kodi-wohnzimmer.toml new file mode 100644 index 0000000..f3a2cf5 --- /dev/null +++ b/nodes/home.kodi-wohnzimmer.toml @@ -0,0 +1,26 @@ +hostname = "172.19.138.24" +bundles = ["kodi", "lm-sensors", "nfs-client", "smartd"] +groups = ["debian-bullseye"] + +[metadata.apt.packages.intel-media-va-driver-non-free] + +[metadata.apt.unattended-upgrades] +day = 6 +hour = 2 + +[metadata.interfaces.eno1] +ips = ["172.19.138.24/24"] +gateway4 = "172.19.138.1" +ipv6_accept_ra = true + +[metadata.nfs-client.mounts.nas-storage] +mountpoint = "/mnt/nas" +serverpath = "172.19.138.20:/storage/nas" +mount_options = ["retry=0", "ro"] + +[metadata.smartd] +disks = ["/dev/nvme0"] + +[metadata.vm] +cpu = 2 +ram = 4 
diff --git a/nodes/home.openhab.toml b/nodes/home.openhab.toml new file mode 100644 index 0000000..a2c0656 --- /dev/null +++ b/nodes/home.openhab.toml @@ -0,0 +1,21 @@ +hostname = "172.19.138.21" +bundles = ["nginx", "openhab"] +groups = ["debian-bullseye"] + +[metadata.interfaces.enp1s0] +ips = ["172.19.138.21/24"] +gateway4 = "172.19.138.1" +ipv6_accept_ra = true + +[metadata.nginx.vhosts.openhab] +ssl = "_.home.kunbox.net" + +[metadata.openhab] +domain = "openhab.home.kunbox.net" + +[metadata.openhab.java_opts] +"user.timezone" = "Europe/Berlin" + +[metadata.vm] +cpu = 2 +ram = 2 diff --git a/nodes/home.snom-wohnzimmer.toml b/nodes/home.snom-wohnzimmer.toml new file mode 100644 index 0000000..65d8eda --- /dev/null +++ b/nodes/home.snom-wohnzimmer.toml @@ -0,0 +1,6 @@ +dummy = true + +[metadata.interfaces.default] +ips = ["172.19.138.40"] +dhcp = true +mac = "00:04:13:26:EE:1B" diff --git a/nodes/home.sw01.toml b/nodes/home.sw01.toml new file mode 100644 index 0000000..f9dca43 --- /dev/null +++ b/nodes/home.sw01.toml @@ -0,0 +1,4 @@ +dummy = true + +[metadata.interfaces.default] +ips = ["172.19.138.2"] diff --git a/nodes/home.usv01.toml b/nodes/home.usv01.toml new file mode 100644 index 0000000..2125fdb --- /dev/null +++ b/nodes/home.usv01.toml @@ -0,0 +1,8 @@ +dummy = true + +[metadata.interfaces.default] +ips = ["172.19.138.3"] + +[metadata.icinga2_api.usv.services."USV STATUS"] +check_command = "check_usv" +"vars.notification.mail" = true diff --git a/nodes/home.winkeeinhorn-1.toml b/nodes/home.winkeeinhorn-1.toml new file mode 100644 index 0000000..f2505b5 --- /dev/null +++ b/nodes/home.winkeeinhorn-1.toml @@ -0,0 +1,11 @@ +dummy = true + +[metadata.interfaces.default] +ips = ["172.19.138.11"] +dhcp = true +mac = "f4:06:8d:df:05:60" + +[metadata.icinga2_api.freifunk.services."NODE HEALTH"] +check_command = "check_freifunk_node" +"vars.url" = "https://map.freifunk-mwu.de/data/meshviewer.json" +"vars.id" = "f4068ddf055f" 
diff --git a/nodes/home.winkeeinhorn-2.toml b/nodes/home.winkeeinhorn-2.toml new file mode 100644 index 0000000..61e954b --- /dev/null +++ b/nodes/home.winkeeinhorn-2.toml @@ -0,0 +1,11 @@ +dummy = true + +[metadata.interfaces.default] +ips = ["172.19.138.12"] +dhcp = true +mac = "f4:06:8d:df:03:38" + +[metadata.icinga2_api.freifunk.services."NODE HEALTH"] +check_command = "check_freifunk_node" +"vars.url" = "https://map.freifunk-mwu.de/data/meshviewer.json" +"vars.id" = "f4068ddf0337" diff --git a/nodes/home.winkeeinhorn-vm.toml b/nodes/home.winkeeinhorn-vm.toml new file mode 100644 index 0000000..e94f390 --- /dev/null +++ b/nodes/home.winkeeinhorn-vm.toml @@ -0,0 +1,11 @@ +dummy = true + +[metadata.interfaces.default] +ips = ["172.19.138.10"] +dhcp = true +mac = "52:54:00:b0:4e:4d" + +[metadata.icinga2_api.freifunk.services."NODE HEALTH"] +check_command = "check_freifunk_node" +"vars.url" = "https://map.freifunk-mwu.de/data/meshviewer.json" +"vars.id" = "525400b04e4d" diff --git a/nodes/home.wled-wohnzimmer.toml b/nodes/home.wled-wohnzimmer.toml new file mode 100644 index 0000000..42b7212 --- /dev/null +++ b/nodes/home.wled-wohnzimmer.toml @@ -0,0 +1,9 @@ +dummy = true + +[metadata.interfaces.default] +ips = ["172.19.138.70"] +dhcp = true +mac = "3c:61:05:d0:ba:1a" + +[metadata.icinga_options] +exclude_from_monitoring = true diff --git a/nodes/home/bubble01.py b/nodes/home/bubble01.py deleted file mode 100644 index 6dedcfe..0000000 --- a/nodes/home/bubble01.py +++ /dev/null @@ -1,13 +0,0 @@ -# Mitel RFP35 -nodes['home.bubble01'] = { - 'dummy': True, - 'metadata': { - 'interfaces': { - 'default': { - 'ips': { - '172.19.138.41', - }, - }, - }, - }, -} diff --git a/nodes/home/drucker-sophie.py b/nodes/home/drucker-sophie.py deleted file mode 100644 index 98b349f..0000000 --- a/nodes/home/drucker-sophie.py +++ /dev/null 
@@ -1,14 +0,0 @@ -nodes['home.drucker-sophie'] = { - 'dummy': True, - 'metadata': { - 'interfaces': { - 'default': { - 'ips': { - '172.19.138.61', - }, - 'dhcp': True, - 'mac': '00:14:38:9E:29:E3', - }, - }, - }, -} diff --git a/nodes/home/ejgwdesk.py b/nodes/home/ejgwdesk.py deleted file mode 100644 index ba5c76d..0000000 --- a/nodes/home/ejgwdesk.py +++ /dev/null @@ -1,17 +0,0 @@ -nodes['home.ejgwdesk'] = { - 'dummy': True, - 'metadata': { - 'interfaces': { - 'default': { - 'ips': { - '172.19.138.99', - }, - 'dhcp': True, - 'mac': '54:04:A6:EF:A8:01', - }, - }, - 'icinga_options': { - 'exclude_from_monitoring': True, - }, - }, -} diff --git a/nodes/home/kodi-wohnzimmer.py b/nodes/home/kodi-wohnzimmer.py deleted file mode 100644 index d91fca5..0000000 --- a/nodes/home/kodi-wohnzimmer.py +++ /dev/null @@ -1,53 +0,0 @@ -nodes['home.kodi-wohnzimmer'] = { - 'hostname': '172.19.138.24', - 'bundles': { - 'lm-sensors', - 'kodi', - 'nfs-client', - 'smartd', - }, - 'groups': { - 'debian-bullseye', - }, - 'metadata': { - 'apt': { - 'packages': { - 'intel-media-va-driver-non-free': {}, - }, - 'unattended-upgrades': { - 'day': 6, - 'hour': 2, - }, - }, - 'interfaces': { - 'eno1': { - 'ips': { - '172.19.138.24/24', - }, - 'gateway4': '172.19.138.1', - 'ipv6_accept_ra': True, - }, - }, - 'nfs-client': { - 'mounts': { - 'nas-storage': { - 'mountpoint': '/mnt/nas', - 'serverpath': '172.19.138.20:/storage/nas', - 'mount_options': { - 'retry=0', - 'ro', - }, - }, - }, - }, - 'smartd': { - 'disks': { - '/dev/nvme0', - }, - }, - 'vm': { - 'cpu': 2, - 'ram': 4, - }, - }, -} diff --git a/nodes/home/openhab.py b/nodes/home/openhab.py deleted file mode 100644 index efbb029..0000000 --- a/nodes/home/openhab.py +++ /dev/null 
@@ -1,36 +0,0 @@ -nodes['home.openhab'] = { - 'hostname': '172.19.138.21', - 'bundles': { - 'nginx', - 'openhab', - }, - 'groups': { - 'debian-bullseye', - }, - 'metadata': { - 'interfaces': { - 'enp1s0': { - 'ips': { - '172.19.138.21/24', - }, - 'gateway4': '172.19.138.1', - 'ipv6_accept_ra': True, - }, - }, - 'nginx': { - 'vhosts': { - 'openhab': {'ssl': '_.home.kunbox.net'}, - }, - }, - 'openhab': { - 'domain': 'openhab.home.kunbox.net', - 'java_opts': { - 'user.timezone': 'Europe/Berlin', - }, - }, - 'vm': { - 'cpu': 2, - 'ram': 2, - }, - }, -} diff --git a/nodes/home/snom-wohnzimmer.py b/nodes/home/snom-wohnzimmer.py deleted file mode 100644 index ce7d1a7..0000000 --- a/nodes/home/snom-wohnzimmer.py +++ /dev/null @@ -1,14 +0,0 @@ -nodes['home.snom-wohnzimmer'] = { - 'dummy': True, - 'metadata': { - 'interfaces': { - 'default': { - 'ips': { - '172.19.138.40', - }, - 'dhcp': True, - 'mac': '00:04:13:26:EE:1B', - }, - }, - }, -} diff --git a/nodes/home/sw01.py b/nodes/home/sw01.py deleted file mode 100644 index b49e308..0000000 --- a/nodes/home/sw01.py +++ /dev/null @@ -1,12 +0,0 @@ -nodes['home.sw01'] = { - 'dummy': True, - 'metadata': { - 'interfaces': { - 'default': { - 'ips': { - '172.19.138.2', - }, - }, - }, - }, -} diff --git a/nodes/home/usv01.py b/nodes/home/usv01.py deleted file mode 100644 index 77a95a2..0000000 --- a/nodes/home/usv01.py +++ /dev/null @@ -1,27 +0,0 @@ -nodes['home.usv01'] = { - 'dummy': True, - 'metadata': { - 'interfaces': { - 'default': { - 'ips': { - '172.19.138.3', - }, - }, - }, - 'icinga2_api': { - 'usv': { - 'services': { - 'USV STATUS': { - 'check_command': 'check_usv', - 'vars.notification.mail': True, - }, - }, - }, - }, - }, -} - -# Every system which is connected to the USV needs to have Dell Local -# Node Manager installed: -# -# A backup of this file is available in home.nas:/storage/nas diff --git a/nodes/home/winkeeinhorn-1.py b/nodes/home/winkeeinhorn-1.py deleted file mode 100644 index 063b25a..0000000 
--- a/nodes/home/winkeeinhorn-1.py +++ /dev/null @@ -1,25 +0,0 @@ -nodes['home.winkeeinhorn-1'] = { - 'dummy': True, - 'metadata': { - 'interfaces': { - 'default': { - 'ips': { - '172.19.138.11', - }, - 'dhcp': True, - 'mac': 'f4:06:8d:df:05:60', - }, - }, - 'icinga2_api': { - 'freifunk': { - 'services': { - 'NODE HEALTH': { - 'check_command': 'check_freifunk_node', - 'vars.url': 'https://map.freifunk-mwu.de/data/meshviewer.json', - 'vars.id': 'f4068ddf055f', - }, - }, - }, - }, - }, -} diff --git a/nodes/home/winkeeinhorn-2.py b/nodes/home/winkeeinhorn-2.py deleted file mode 100644 index e9dfa44..0000000 --- a/nodes/home/winkeeinhorn-2.py +++ /dev/null @@ -1,25 +0,0 @@ -nodes['home.winkeeinhorn-2'] = { - 'dummy': True, - 'metadata': { - 'interfaces': { - 'default': { - 'ips': { - '172.19.138.12', - }, - 'dhcp': True, - 'mac': 'f4:06:8d:df:03:38', - }, - }, - 'icinga2_api': { - 'freifunk': { - 'services': { - 'NODE HEALTH': { - 'check_command': 'check_freifunk_node', - 'vars.url': 'https://map.freifunk-mwu.de/data/meshviewer.json', - 'vars.id': 'f4068ddf0337', - }, - }, - }, - }, - }, -} diff --git a/nodes/home/winkeeinhorn-vm.py b/nodes/home/winkeeinhorn-vm.py deleted file mode 100644 index 618110b..0000000 --- a/nodes/home/winkeeinhorn-vm.py +++ /dev/null @@ -1,25 +0,0 @@ -nodes['home.winkeeinhorn-vm'] = { - 'dummy': True, - 'metadata': { - 'interfaces': { - 'default': { - 'ips': { - '172.19.138.10', - }, - 'dhcp': True, - 'mac': '52:54:00:b0:4e:4d', - }, - }, - 'icinga2_api': { - 'freifunk': { - 'services': { - 'NODE HEALTH': { - 'check_command': 'check_freifunk_node', - 'vars.url': 'https://map.freifunk-mwu.de/data/meshviewer.json', - 'vars.id': '525400b04e4d', - }, - }, - }, - }, - }, -} diff --git a/nodes/home/wled-wohnzimmer.py b/nodes/home/wled-wohnzimmer.py deleted file mode 100644 index df781b9..0000000 --- a/nodes/home/wled-wohnzimmer.py +++ /dev/null 
@@ -1,17 +0,0 @@ -nodes['home.wled-wohnzimmer'] = { - 'dummy': True, - 'metadata': { - 'interfaces': { - 'default': { - 'ips': { - '172.19.138.70', - }, - 'dhcp': True, - 'mac': '3c:61:05:d0:ba:1a', - }, - }, - 'icinga_options': { - 'exclude_from_monitoring': True, - }, - }, -} From f2e4d9e731db991efb4a83f29a5a151839168b73 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Thu, 22 Dec 2022 17:27:48 +0100 Subject: [PATCH 006/996] remove obsolete README files --- nodes/gce/README | 1 - nodes/htz-cloud/README | 1 - 2 files changed, 2 deletions(-) delete mode 100644 nodes/gce/README delete mode 100644 nodes/htz-cloud/README diff --git a/nodes/gce/README b/nodes/gce/README deleted file mode 100644 index 2ca735d..0000000 --- a/nodes/gce/README +++ /dev/null @@ -1 +0,0 @@ -Google Compute Engine diff --git a/nodes/htz-cloud/README b/nodes/htz-cloud/README deleted file mode 100644 index d1bf55d..0000000 --- a/nodes/htz-cloud/README +++ /dev/null @@ -1 +0,0 @@ -Hetzner Cloud From fcb546baf65a61a1c65b1aeb76710191c30ae96a Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Thu, 22 Dec 2022 17:29:39 +0100 Subject: [PATCH 007/996] bundles/nodejs: fix repo name --- bundles/nodejs/metadata.py | 2 +- data/apt/files/gpg-keys/{node.asc => nodejs.asc} | 0 2 files changed, 1 insertion(+), 1 deletion(-) rename data/apt/files/gpg-keys/{node.asc => nodejs.asc} (100%) diff --git a/bundles/nodejs/metadata.py b/bundles/nodejs/metadata.py index 4609903..18f0de6 100644 --- a/bundles/nodejs/metadata.py +++ b/bundles/nodejs/metadata.py @@ -22,7 +22,7 @@ def nodejs_from_version(metadata): return { 'apt': { 'repos': { - 'node': { + 'nodejs': { 'items': { f'deb https://deb.nodesource.com/node_{version}.x {{os_release}} main', f'deb-src https://deb.nodesource.com/node_{version}.x {{os_release}} main', 
diff --git a/data/apt/files/gpg-keys/node.asc b/data/apt/files/gpg-keys/nodejs.asc similarity index 100% rename from data/apt/files/gpg-keys/node.asc rename to data/apt/files/gpg-keys/nodejs.asc From c407a4520af8f5d1ba9f885ea25a2d01b55c218b Mon Sep 17 00:00:00 2001 From: Sophie Schiller Date: Thu, 22 Dec 2022 17:36:26 +0100 Subject: [PATCH 008/996] blind dev result of homeassistant --- .../homeassistant/files/homeassistant.service | 13 ++++ bundles/homeassistant/items.py | 66 +++++++++++++++++++ bundles/homeassistant/metadata.py | 23 +++++++ 3 files changed, 102 insertions(+) create mode 100644 bundles/homeassistant/files/homeassistant.service create mode 100644 bundles/homeassistant/items.py create mode 100644 bundles/homeassistant/metadata.py diff --git a/bundles/homeassistant/files/homeassistant.service b/bundles/homeassistant/files/homeassistant.service new file mode 100644 index 0000000..ece9e21 --- /dev/null +++ b/bundles/homeassistant/files/homeassistant.service @@ -0,0 +1,13 @@ +[Unit] +Description=Home Assistant +After=network-online.target + +[Service] +Type=simple +User=homeassistant +WorkingDirectory=/var/opt/homeassistant +ExecStart=/opt/homeassistant/bin/hass -c "/var/opt/homeassistant" +RestartForceExitStatus=100 + +[Install] +WantedBy=multi-user.target diff --git a/bundles/homeassistant/items.py b/bundles/homeassistant/items.py new file mode 100644 index 0000000..d562859 --- /dev/null +++ b/bundles/homeassistant/items.py 
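Review bot: `After=network-online.target` on its own does not make the unit wait for the network; systemd only honours that ordering when the target is also pulled in, so the `[Unit]` section needs `Wants=network-online.target` next to it. `RestartForceExitStatus=100` is set without any `Restart=` policy, so the service is restarted only on that one exit code (presumably the application's own restart request) and not after a crash; if crash recovery is intended, `Restart=on-failure` should be added. Since the process already runs as its own user with a fixed working directory, the usual confinement lines cost nothing: `NoNewPrivileges=true`, `PrivateTmp=true` and `ProtectSystem=strict` with `ReadWritePaths=/var/opt/homeassistant`, assuming the service writes only under its config directory, which is worth confirming on the first run.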
@@ -0,0 +1,66 @@
+users = {
+ 'homeassistant': {
+ 'home': '/var/opt/homeassistant',
+ },
+}
+
+directories = {
+ '/opt/homeassistant': {},
+ '/var/opt/homeassistant': {
+ 'owner': 'homeassistant',
+ },
+}
+
+files = {
+ '/etc/systemd/system/homeassistant.service': {
+ 'triggers': {
+ 'action:systemd-reload',
+ 'svc_systemd:homeassistant:restart',
+ },
+ },
+}
+
+actions = {
+ 'homeassistant_create_virtualenv': {
+ 'command': '/usr/bin/python3 -m virtualenv -p python3 /opt/homeassistant/venv',
+ 'unless': 'test -d /opt/homeassistant/venv/',
+ 'needed_by': {
+ 'action:homeassistant_install',
+ },
+ },
+ 'homeassistant_install': {
+ 'triggered': True,
+ 'command': ' && '.join([
+ 'cd /opt/homeassistant/src',
+ f"/opt/homeassistant/venv/bin/pip install --upgrade homeassistant=={node.metadata.get('homeassistant/version')}",
+ ]) ,
+ 'needs': {
+ 'pkg_apt:bluez',
+ 'pkg_apt:libffi-dev',
+ 'pkg_apt:libssl-dev',
+ 'pkg_apt:libjpeg-dev',
+ 'pkg_apt:zlib1g-dev',
+ 'pkg_apt:autoconf',
+ 'pkg_apt:build-essential',
+ 'pkg_apt:libopenjp2-7',
+ 'pkg_apt:libtiff5',
+ 'pkg_apt:libturbojpeg0-dev',
+ 'pkg_apt:tzdata',
+ },
+ 'triggers': {
+ 'svc_systemd:homeassistant:restart',
+ },
+ 'unless': {
+ "[[ $(/opt/homeassistant/venv/bin/pip freeze | grep homeassistant=={node.metadata.get('homeassistant/version')}) ]]",
+ },
+ },
+}
+
+svc_systemd = {
+ 'homeassistant': {
+ 'needs': {
+ 'action:homeassistant_install',
+ 'file:/etc/systemd/system/homeassistant.service',
+ },
+ },
+}
diff --git a/bundles/homeassistant/metadata.py b/bundles/homeassistant/metadata.py
new file mode 100644
index 0000000..3f66d4d
--- /dev/null
+++ b/bundles/homeassistant/metadata.py
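Review bot: `homeassistant_create_virtualenv` runs `/usr/bin/python3 -m virtualenv`, but the `virtualenv` module is not among the apt packages this bundle declares in its metadata (`bluez` through `tzdata`), so on a fresh Debian host the action fails unless some other bundle happens to install `python3-virtualenv`; either add that package to `apt/packages` or switch to the stdlib `python3 -m venv` (which on Debian needs `python3-venv`). The `unless` of `homeassistant_install` is also a set rather than a string and its element lacks the `f` prefix, so `{node.metadata.get(...)}` is never interpolated and the guard can never match the installed version; the later rewrite of this action removes the guard rather than repairing it, so the version-aware check should be reinstated in that form.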
@@ -0,0 +1,23 @@
+defaults = {
+ 'apt': {
+ 'packages': {
+ 'bluez': {},
+ 'libffi-dev': {},
+ 'libssl-dev': {},
+ 'libjpeg-dev': {},
+ 'zlib1g-dev': {},
+ 'autoconf': {},
+ 'build-essential': {},
+ 'libopenjp2-7': {},
+ 'libtiff5': {},
+ 'libturbojpeg0-dev': {},
+ 'tzdata': {},
+ },
+ },
+ 'backups': {
+ 'paths': {
+ '/opt/homeassistant',
+ '/var/opt/homeassistant',
+ },
+ },
+}
From 107fd6872be8cf6b48a9f746163e82f866d536e7 Mon Sep 17 00:00:00 2001
From: Sophie Schiller 
Date: Thu, 22 Dec 2022 17:53:10 +0100
Subject: [PATCH 009/996] home.hass add metadata

---
 bundles/homeassistant/metadata.py | 41 +++++++++++++++++++++++++++++++
 nodes/home.hass.toml | 18 +++++++++++++-
 2 files changed, 58 insertions(+), 1 deletion(-)

diff --git a/bundles/homeassistant/metadata.py b/bundles/homeassistant/metadata.py
index 3f66d4d..6c71656 100644
--- a/bundles/homeassistant/metadata.py
+++ b/bundles/homeassistant/metadata.py
@@ -21,3 +21,44 @@ defaults = {
 },
 },
 }
+@metadata_reactor.provides(
+ 'icinga2_api/homeassistant/services/HOMESSISTANT UPDATE',
+)
+def icinga_check_for_new_release(metadata):
+ return {
+ 'icinga2_api': {
+ 'homeassistant': {
+ 'services': {
+ 'HOMEASSISTANT UPDATE': {
+ 'command_on_monitored_host': '/usr/local/share/icinga/plugins/check_github_for_new_release homeassistant/core {}'.format(metadata.get('homeassistant/version')),
+ 'vars.notification.mail': True,
+ 'check_interval': '60m',
+ },
+ },
+ },
+ },
+ }
+
+@metadata_reactor.provides(
+ 'nginx/vhosts/homeassistant',
+)
+def nginx(metadata):
+ if not node.has_bundle('nginx'):
+ raise DoNotRunAgain
+
+ return {
+ 'nginx': {
+ 'vhosts': {
+ 'homeassistant': {
+ 'domain': metadata.get('homeassistant/domain'),
+ 'website_check_path': '/',
+ 'website_check_string': 'Homeassistant',
+ 'locations': {
+ '/': {
+ 'target': 'http://127.0.0.1:8123',
+ },
+ },
+ },
+ },
+ },
+ }
diff --git a/nodes/home.hass.toml b/nodes/home.hass.toml
index 34cf68d..a053f8c 100644
--- a/nodes/home.hass.toml
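Review bot: The `provides()` path of `icinga_check_for_new_release` reads `HOMESSISTANT UPDATE` while the dictionary it returns uses `HOMEASSISTANT UPDATE`, so the declared and the actual key differ; bundlewrap resolves which reactors to run from the declared paths, so the check is at best found by accident and bundlewrap may reject the reactor for returning a path it did not declare. The fix is the one line `'icinga2_api/homeassistant/services/HOMEASSISTANT UPDATE',`. In the `nginx` reactor, `website_check_string: 'Homeassistant'` is a plain-text match against the landing page; the front end is rendered client-side, so it is worth confirming against an actual response body that this exact string is present in the served HTML, otherwise the monitoring check will stay red from the first run.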
+++ b/nodes/home.hass.toml @@ -1,5 +1,8 @@ hostname = "172.19.138.25" -bundles = [] +bundles = [ + 'homeassistant', + 'nginx' +] groups = ["debian-bullseye"] [metadata.backups] @@ -13,3 +16,16 @@ ipv6_accept_ra = true [metadata.vm] cpu = 2 ram = 2 + +[metadata.homeassistant] +domain = 'hass.home.kunbox.net' +version = '2022.12.8' + +[metadata.nginx] +restrict-to = [ + '172.19.136.0/25', + '172.19.138.0/24', +] + +[metadata.nginx.vhosts.homeassistant] +ssl = '_.home.kunbox.net' From edeffee5c2f69215e9500dbf90294b0d693263c6 Mon Sep 17 00:00:00 2001 From: Sophie Schiller Date: Thu, 22 Dec 2022 18:59:27 +0100 Subject: [PATCH 010/996] first running hass stuff --- .../homeassistant/files/homeassistant.service | 2 +- bundles/homeassistant/items.py | 28 +++++++++---------- bundles/homeassistant/metadata.py | 14 ++++++++++ 3 files changed, 28 insertions(+), 16 deletions(-) diff --git a/bundles/homeassistant/files/homeassistant.service b/bundles/homeassistant/files/homeassistant.service index ece9e21..d97cec7 100644 --- a/bundles/homeassistant/files/homeassistant.service +++ b/bundles/homeassistant/files/homeassistant.service @@ -6,7 +6,7 @@ After=network-online.target Type=simple User=homeassistant WorkingDirectory=/var/opt/homeassistant -ExecStart=/opt/homeassistant/bin/hass -c "/var/opt/homeassistant" +ExecStart=/opt/homeassistant/venv/bin/hass -c "/var/opt/homeassistant" RestartForceExitStatus=100 [Install] diff --git a/bundles/homeassistant/items.py b/bundles/homeassistant/items.py index d562859..f5f7a08 100644 --- a/bundles/homeassistant/items.py +++ b/bundles/homeassistant/items.py @@ -5,7 +5,9 @@ users = { } directories = { - '/opt/homeassistant': {}, + '/opt/homeassistant': { + 'owner': 'homeassistant', + }, '/var/opt/homeassistant': { 'owner': 'homeassistant', }, 
@@ -22,19 +24,11 @@ files = {
 actions = {
 'homeassistant_create_virtualenv': {
- 'command': '/usr/bin/python3 -m virtualenv -p python3 /opt/homeassistant/venv',
+ 'command': 'sudo -u homeassistant /usr/bin/python3 -m virtualenv -p python3 /opt/homeassistant/venv/',
 'unless': 'test -d /opt/homeassistant/venv/',
- 'needed_by': {
- 'action:homeassistant_install',
- },
- },
- 'homeassistant_install': {
- 'triggered': True,
- 'command': ' && '.join([
- 'cd /opt/homeassistant/src',
- f"/opt/homeassistant/venv/bin/pip install --upgrade homeassistant=={node.metadata.get('homeassistant/version')}",
- ]) ,
 'needs': {
+ 'directory:/opt/homeassistant',
+ 'user:homeassistant',
 'pkg_apt:bluez',
 'pkg_apt:libffi-dev',
 'pkg_apt:libssl-dev',
@@ -47,12 +41,16 @@ actions = {
 'pkg_apt:libturbojpeg0-dev',
 'pkg_apt:tzdata',
 },
+ },
+ 'homeassistant_install': {
+ 'command': 'sudo -u homeassistant /opt/homeassistant/venv/bin/pip install homeassistant',
+ 'unless': 'test -f /opt/homeassistant/venv/bin/hass',
+ 'needs': {
+ 'action:homeassistant_create_virtualenv',
+ },
 'triggers': {
 'svc_systemd:homeassistant:restart',
 },
- 'unless': {
- "[[ $(/opt/homeassistant/venv/bin/pip freeze | grep homeassistant=={node.metadata.get('homeassistant/version')}) ]]",
- },
 },
 }
diff --git a/bundles/homeassistant/metadata.py b/bundles/homeassistant/metadata.py
index 6c71656..508c274 100644
--- a/bundles/homeassistant/metadata.py
+++ b/bundles/homeassistant/metadata.py
@@ -1,3 +1,5 @@
+from bundlewrap.metadata import atomic
+
 defaults = {
 'apt': {
 'packages': {
@@ -62,3 +64,15 @@ def nginx(metadata):
 },
 },
 }
+
+@metadata_reactor.provides(
+ 'firewall/port_rules/8123',
+)
+def firewall(metadata):
+ return {
+ 'firewall': {
+ 'port_rules': {
+ '8123': atomic(metadata.get('nginx/restrict-to', {'*'})),
+ },
+ },
+ }
From df303b3487cdc53f34050a909b8f2bcfafc663d1 Mon Sep 17 00:00:00 2001 
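Review bot: The new `homeassistant_install` action runs `pip install homeassistant` with no version pin and is guarded by `'unless': 'test -f /opt/homeassistant/venv/bin/hass'`, so the first run installs whatever PyPI serves that day and every later run leaves the venv untouched; the `homeassistant/version` metadata the node file sets is no longer read anywhere in this bundle, since both the `==` pin and the `pip freeze | grep` guard are removed here. Pinning restores a reproducible install and makes an upgrade an explicit metadata change: `'command': f"sudo -u homeassistant /opt/homeassistant/venv/bin/pip install homeassistant=={node.metadata.get('homeassistant/version')}",` together with an `unless` that compares the installed version instead of testing for the `hass` binary. The `actions` dict starts before the first hunk and the second hunk ends it.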
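Review bot: The new `firewall` reactor opens port 8123 to `metadata.get('nginx/restrict-to', {'*'})`, which falls back to everyone when nginx has no allow-list, while the `nginx` reactor already fronts Home Assistant through `http://127.0.0.1:8123`; if the Home Assistant listener is bound to a non-loopback address, this lets clients reach the plain-HTTP port directly and skip the TLS vhost and any nginx-side restriction. If only the proxy is meant to be reachable, the rule can be omitted, or the default should be an empty set rather than `{'*'}` so a missing allow-list fails closed. The `firewall` function is complete within the hunk.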
From: Franziska Kunsmann Date: Thu, 22 Dec 2022 20:01:35 +0100 Subject: [PATCH 011/996] bundles/homeassistant: set websockets=True in nginx config --- bundles/homeassistant/metadata.py | 1 + nodes/home.hass.toml | 8 ++++---- 2 files changed, 5 insertions(+), 4 deletions(-) diff --git a/bundles/homeassistant/metadata.py b/bundles/homeassistant/metadata.py index 508c274..e000af9 100644 --- a/bundles/homeassistant/metadata.py +++ b/bundles/homeassistant/metadata.py @@ -58,6 +58,7 @@ def nginx(metadata): 'locations': { '/': { 'target': 'http://127.0.0.1:8123', + 'websockets': True, }, }, }, diff --git a/nodes/home.hass.toml b/nodes/home.hass.toml index a053f8c..00fd3c6 100644 --- a/nodes/home.hass.toml +++ b/nodes/home.hass.toml @@ -1,7 +1,7 @@ hostname = "172.19.138.25" bundles = [ - 'homeassistant', - 'nginx' + 'homeassistant', + 'nginx' ] groups = ["debian-bullseye"] @@ -23,8 +23,8 @@ version = '2022.12.8' [metadata.nginx] restrict-to = [ - '172.19.136.0/25', - '172.19.138.0/24', + '172.19.136.0/25', + '172.19.138.0/24', ] [metadata.nginx.vhosts.homeassistant] From face47b9fe1ef355836497215db07108a78c8d20 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Fri, 23 Dec 2022 14:49:17 +0100 Subject: [PATCH 012/996] voc.pretalx: update downstream plugin to 1.1.5 --- nodes/voc/pretalx.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nodes/voc/pretalx.py b/nodes/voc/pretalx.py index 7e84aed..16b0d60 100644 --- a/nodes/voc/pretalx.py +++ b/nodes/voc/pretalx.py @@ -54,7 +54,7 @@ nodes['voc.pretalx'] = { 'plugins': { 'downstream': { 'repo': 'https://github.com/pretalx/pretalx-downstream.git', - 'rev': 'v1.1.0', + 'rev': 'v1.1.5', }, 'broadcast_tools': { 'repo': 'https://github.com/Kunsi/pretalx-plugin-broadcast-tools.git', From 931f3cd58358d5f0838341798395e61129e1c820 Mon Sep 17 00:00:00 2001 
From: Franziska Kunsmann Date: Fri, 23 Dec 2022 14:57:32 +0100 Subject: [PATCH 013/996] bundles/gitea: set update check to check for forgejo update --- bundles/gitea/metadata.py | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/bundles/gitea/metadata.py b/bundles/gitea/metadata.py index 81bd36c..5541762 100644 --- a/bundles/gitea/metadata.py +++ b/bundles/gitea/metadata.py @@ -103,7 +103,8 @@ def icinga_check_for_new_release(metadata): 'gitea': { 'services': { 'GITEA UPDATE': { - 'command_on_monitored_host': '/usr/local/share/icinga/plugins/check_github_for_new_release go-gitea/gitea v{}'.format(metadata.get('gitea/version')), + # this is only temporary. We will switch to forgejo once they have their first stable release. + 'command_on_monitored_host': '/usr/local/share/icinga/plugins/check_codeberg_for_new_release codeberg.org forgejo/forgejo v{}'.format(metadata.get('gitea/version')), 'vars.notification.mail': True, 'check_interval': '60m', }, From e28494e9a0a7ce9c697bdd75b89eebc268b64c38 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Fri, 23 Dec 2022 15:06:12 +0100 Subject: [PATCH 014/996] update element-web to 1.11.17 --- nodes/htz-cloud/miniserver.py | 2 +- nodes/rx300.py | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/nodes/htz-cloud/miniserver.py b/nodes/htz-cloud/miniserver.py index 17322ae..633567a 100644 --- a/nodes/htz-cloud/miniserver.py +++ b/nodes/htz-cloud/miniserver.py @@ -62,7 +62,7 @@ nodes['htz-cloud.miniserver'] = { }, 'element-web': { 'url': 'chat.sophies-kitchen.eu', - 'version': 'v1.11.16', + 'version': 'v1.11.17', 'config': { 'default_server_config': { 'm.homeserver': { diff --git a/nodes/rx300.py b/nodes/rx300.py index cd5ea0a..869efa0 100644 --- a/nodes/rx300.py +++ b/nodes/rx300.py @@ -104,7 +104,7 @@ nodes['rx300'] = { }, 'element-web': { 'url': 'chat.franzi.business', - 'version': 'v1.11.16', + 'version': 'v1.11.17', 'config': { 'default_server_config': { 'm.homeserver': { 
From 648a80362e8b9606e9ba9d13faccf50c05a39e8f Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sat, 24 Dec 2022 08:45:48 +0100 Subject: [PATCH 015/996] bundles/sshmon: actually install the check --- bundles/sshmon/items.py | 1 + 1 file changed, 1 insertion(+) diff --git a/bundles/sshmon/items.py b/bundles/sshmon/items.py index 1361eb2..3250f39 100644 --- a/bundles/sshmon/items.py +++ b/bundles/sshmon/items.py @@ -50,6 +50,7 @@ files = { for check in { 'cpu_stats', + 'forgejo_for_new_release', 'github_for_new_release', 'http_url_for_string', 'http_wget', From 9a45e3c30ee3b95149002d9a62f20f853e79eee1 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sat, 24 Dec 2022 13:45:44 +0100 Subject: [PATCH 016/996] bundles/gitea: fix wrong monitoring command --- bundles/gitea/metadata.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/bundles/gitea/metadata.py b/bundles/gitea/metadata.py index 5541762..6785b4b 100644 --- a/bundles/gitea/metadata.py +++ b/bundles/gitea/metadata.py @@ -104,7 +104,7 @@ def icinga_check_for_new_release(metadata): 'services': { 'GITEA UPDATE': { # this is only temporary. We will switch to forgejo once they have their first stable release. - 'command_on_monitored_host': '/usr/local/share/icinga/plugins/check_codeberg_for_new_release codeberg.org forgejo/forgejo v{}'.format(metadata.get('gitea/version')), + 'command_on_monitored_host': '/usr/local/share/icinga/plugins/check_forgejo_for_new_release codeberg.org forgejo/forgejo v{}'.format(metadata.get('gitea/version')), 'vars.notification.mail': True, 'check_interval': '60m', }, From 638363e9275f940274236939f1e55eefd27a0cf9 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sat, 24 Dec 2022 16:12:22 +0100 Subject: [PATCH 017/996] bundles/php: rework bundle, fix directory permissions --- bundles/php/items.py | 106 +++++++++++++++++++++++-------------------- 1 file changed, 56 insertions(+), 50 deletions(-) 
diff --git a/bundles/php/items.py b/bundles/php/items.py index f4479d7..45b149a 100644 --- a/bundles/php/items.py +++ b/bundles/php/items.py 
@@ -1,58 +1,64 @@
-version = node.metadata['php']['version']
+version = node.metadata.get('php/version')
-files = {
- f'/etc/php/{version}/fpm/php-fpm.conf': {
- 'source': f'{version}/fpm.conf',
- 'content_type': 'mako',
- 'context': {
- 'num_cpus': node.metadata['vm']['cpu'],
- 'clear_env': node.metadata.get('php/clear_env', True),
- },
- 'needs': {
- # "all php packages"
- 'pkg_apt:'
- },
- 'triggers': {
- f'svc_systemd:php{version}-fpm:restart',
- },
+directories['/var/lib/php/sessions'] = {
+ 'owner': 'www-data',
+ 'mode': None,
+ 'after': {
+ 'pkg_apt:',
+ }
+}
+
+files[f'/etc/php/{version}/fpm/php-fpm.conf'] = {
+ 'source': f'{version}/fpm.conf',
+ 'content_type': 'mako',
+ 'context': {
+ 'num_cpus': node.metadata.get('vm/cpu'),
+ 'clear_env': node.metadata.get('php/clear_env', True),
 },
- f'/etc/php/{version}/fpm/php.ini': {
- 'source': f'{version}/php.ini',
- 'content_type': 'mako',
- 'context': {
- 'num_cpus': node.metadata['vm']['cpu'],
- 'post_max_size': node.metadata['php'].get('post_max_size', 10),
- 'memory_limit': node.metadata.get('php/memory_limit', 256),
- },
- 'needs': {
- # "all php packages"
- 'pkg_apt:'
- },
- 'triggers': {
- f'svc_systemd:php{version}-fpm:restart',
- },
+ 'after': {
+ # "all php packages"
+ 'pkg_apt:'
 },
- f'/etc/php/{version}/cli/php.ini': {
- 'source': f'{version}/php.ini',
- 'content_type': 'mako',
- 'context': {
- 'num_cpus': node.metadata['vm']['cpu'],
- 'post_max_size': node.metadata['php'].get('post_max_size', 10),
- 'memory_limit': node.metadata.get('php/memory_limit', 256),
- },
- 'needs': {
- # "all php packages"
- 'pkg_apt:'
- },
+ 'triggers': {
+ f'svc_systemd:php{version}-fpm:restart',
 },
 }
-svc_systemd = {
- f'php{version}-fpm': {
- 'needs': {
- 'pkg_apt:',
- f'file:/etc/php/{version}/fpm/php-fpm.conf',
- f'file:/etc/php/{version}/fpm/php.ini',
- },
+files[f'/etc/php/{version}/fpm/php.ini'] = {
+ 'source': f'{version}/php.ini',
+ 'content_type': 'mako',
+ 'context': {
+ 'num_cpus': node.metadata.get('vm/cpu'),
+ 
'post_max_size': node.metadata.get('phppost_max_size', 10), + 'memory_limit': node.metadata.get('php/memory_limit', 256), + }, + 'after': { + # "all php packages" + 'pkg_apt:' + }, + 'triggers': { + f'svc_systemd:php{version}-fpm:restart', + }, +} + +files[f'/etc/php/{version}/cli/php.ini'] = { + 'source': f'{version}/php.ini', + 'content_type': 'mako', + 'context': { + 'num_cpus': node.metadata.get('vm/cpu'), + 'post_max_size': node.metadata.get('php/post_max_size', 10), + 'memory_limit': node.metadata.get('php/memory_limit', 256), + }, + 'after': { + # "all php packages" + 'pkg_apt:' + }, +} + +svc_systemd[f'php{version}-fpm'] = { + 'needs': { + 'pkg_apt:', + f'file:/etc/php/{version}/fpm/php-fpm.conf', + f'file:/etc/php/{version}/fpm/php.ini', }, } From 52983a51a97e159eb40719e5bb91c37b01b2194d Mon Sep 17 00:00:00 2001 From: Sophie Schiller Date: Sat, 24 Dec 2022 17:51:42 +0100 Subject: [PATCH 018/996] homeassistant: rework update check --- .../files/check_homeassistant_update | 49 +++++++++++++++++++ bundles/homeassistant/items.py | 8 +++ bundles/homeassistant/metadata.py | 25 +++------- 3 files changed, 64 insertions(+), 18 deletions(-) create mode 100644 bundles/homeassistant/files/check_homeassistant_update diff --git a/bundles/homeassistant/files/check_homeassistant_update b/bundles/homeassistant/files/check_homeassistant_update new file mode 100644 index 0000000..d01d830 --- /dev/null +++ b/bundles/homeassistant/files/check_homeassistant_update 
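Review bot: The fpm `php.ini` context reads `node.metadata.get('phppost_max_size', 10)` — the `/` between `php` and `post_max_size` is missing, so that ini always receives the default `10` no matter what a node sets under `php/post_max_size`; the cli `php.ini` entry further down spells it correctly, and the fpm one should match: `'post_max_size': node.metadata.get('php/post_max_size', 10),`. Separately, all three `files` items switch their `'pkg_apt:'` relation from `'needs'` to `'after'`, which as far as I recall only orders the items and no longer makes the config files depend on the packages succeeding; if that loosening is intended, a word next to the existing `# "all php packages"` comment would save the next reader from guessing. The hunk spans the entire file, so none of the definitions are cut.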
@@ -0,0 +1,49 @@
+#!/usr/bin/env python3
+
+from sys import exit
+
+import requests
+from packaging import version
+
+bearer = "${bearer}"
+domain = "${domain}"
+OK = 0
+WARN = 1
+CRITICAL = 2
+UNKNOWN = 3
+
+status = 3
+message = "Unknown Update Status"
+
+
+domain = "hass.home.kunbox.net"
+
+s = requests.Session()
+s.headers.update({"Content-Type": "application/json"})
+
+try:
+ stable_version = version.parse(
+ s.get("https://version.home-assistant.io/stable.json").json()["homeassistant"][
+ "generic-x86-64"
+ ]
+ )
+ s.headers.update(
+ {"Authorization": f"Bearer {bearer}", "Content-Type": "application/json"}
+ )
+ running_version = version.parse(
+ s.get(f"https://{domain}/api/config").json()["version"]
+ )
+ if running_version == stable_version:
+ status = 0
+ message = f"OK - running version {running_version} equals stable version {stable_version}"
+ elif running_version > stable_version:
+ status = 1
+ message = f"WARNING - stable version {stable_version} is lower than running version {running_version}, check if downgrade is necessary."
+ else:
+ status = 2
+ message = f"CRITICAL - update necessary, running verison {running_version} is lower than stable version {stable_version}"
+except Exception as e:
+ message = f"{message}: {repr(e)}"
+
+print(message)
+exit(status)
diff --git a/bundles/homeassistant/items.py b/bundles/homeassistant/items.py
index f5f7a08..6ceeec4 100644
--- a/bundles/homeassistant/items.py
+++ b/bundles/homeassistant/items.py
@@ -20,6 +20,14 @@ files = {
 'svc_systemd:homeassistant:restart',
 },
 },
+ '/usr/local/share/icinga/plugins/check_homeassistant_update': {
+ 'content_type': 'mako',
+ 'context': {
+ 'bearer': repo.vault.decrypt(node.metadata.get('homeassistant/api_secret')),
+ 'domain': node.metadata.get('homeassistant/domain'),
+ },
+ 'mode': '0755',
+ },
 }
 actions = {
diff --git a/bundles/homeassistant/metadata.py b/bundles/homeassistant/metadata.py
index e000af9..87855f8 100644
--- a/bundles/homeassistant/metadata.py 
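Review bot: `domain = "hass.home.kunbox.net"` on line 19 of the new plugin overwrites the templated `domain = "${domain}"` assigned above it, so the domain passed in through the mako context is never used and the check is hard-wired to one host; removing that line and keeping only `domain = "${domain}"` makes the plugin follow node metadata. Both `s.get(...)` calls run without a `timeout`, so an unresponsive version server or Home Assistant instance blocks the plugin until the scheduler kills it instead of falling into the `except Exception` branch and reporting UNKNOWN; `s.get(url, timeout=10)` on each call keeps that path reachable. The `OK`/`WARN`/`CRITICAL`/`UNKNOWN` constants are defined but the branches assign bare `0`/`1`/`2`, and the CRITICAL message spells `verison`.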
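Review bot: The new `files` item renders the decrypted `homeassistant/api_secret` into the plugin as a string literal and sets `'mode': '0755'` with no `owner`/`group`, so the Home Assistant bearer token is readable by every local account on the monitored host. Restricting the file to the account that executes the check, `'mode': '0750'` plus `'owner'`/`'group'` set to that account (`<check-user>` as a placeholder for whichever user the monitoring bundle runs plugins as), keeps the token away from other users while leaving the plugin executable. The `files` dict begins before this hunk.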
+++ b/bundles/homeassistant/metadata.py @@ -3,17 +3,18 @@ from bundlewrap.metadata import atomic defaults = { 'apt': { 'packages': { - 'bluez': {}, - 'libffi-dev': {}, - 'libssl-dev': {}, - 'libjpeg-dev': {}, - 'zlib1g-dev': {}, 'autoconf': {}, + 'bluez': {}, 'build-essential': {}, + 'libffi-dev': {}, + 'libjpeg-dev': {}, 'libopenjp2-7': {}, + 'libssl-dev': {}, 'libtiff5': {}, 'libturbojpeg0-dev': {}, + 'python3-packaging': {}, 'tzdata': {}, + 'zlib1g-dev': {}, }, }, 'backups': { @@ -32,7 +33,7 @@ def icinga_check_for_new_release(metadata): 'homeassistant': { 'services': { 'HOMEASSISTANT UPDATE': { - 'command_on_monitored_host': '/usr/local/share/icinga/plugins/check_github_for_new_release homeassistant/core {}'.format(metadata.get('homeassistant/version')), + 'command_on_monitored_host': '/usr/local/share/icinga/plugins/check_homeassistant_update', 'vars.notification.mail': True, 'check_interval': '60m', }, @@ -65,15 +66,3 @@ def nginx(metadata): }, }, } - -@metadata_reactor.provides( - 'firewall/port_rules/8123', -) -def firewall(metadata): - return { - 'firewall': { - 'port_rules': { - '8123': atomic(metadata.get('nginx/restrict-to', {'*'})), - }, - }, - } From 3019ee43553dbacbda6f33774a56c2e1bc9d2f8d Mon Sep 17 00:00:00 2001 From: Sophie Schiller Date: Sat, 24 Dec 2022 17:52:04 +0100 Subject: [PATCH 019/996] home.hass: add api secret for update check --- nodes/home.hass.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nodes/home.hass.toml b/nodes/home.hass.toml index 00fd3c6..b451d32 100644 --- a/nodes/home.hass.toml +++ b/nodes/home.hass.toml 
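Review bot: The apt defaults gain `python3-packaging` for the new plugin's `from packaging import version`, but the plugin also does `import requests` and this hunk adds no `python3-requests`; it may already be pulled in by another bundle on the node, which is worth confirming rather than relying on. The last hunk removes the `firewall` reactor, which was the only user of `atomic`, while the hunk header still shows `from bundlewrap.metadata import atomic` at the top of the file, leaving that import apparently unused. The `provides` path of `icinga_check_for_new_release` (`HOMESSISTANT UPDATE`) is untouched by this commit and still differs from the `'HOMEASSISTANT UPDATE'` key the reactor returns.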
@@ -19,7 +19,7 @@ ram = 2 [metadata.homeassistant] domain = 'hass.home.kunbox.net' -version = '2022.12.8' +api_secret = 'encrypt$gAAAAABjpyuqXLoilokQW5c0zV8shHcOzN1zkEbS-I6WAAX-xDO_OF33YbjbkpELU2HGBzqiWX40J0hsaEbYJOnCHFk8gJ-Xt0vdqqbQ5vca_TGPNQHZPAS4qZoPTcUhmX_I-0EdT6ukhxejXFYBiYRZikTLjH3lcNM5qnckCm-H9NbRdjLb9hbCDIjbEglHmBl_g08S1_ukvX3dDSCIHIxgXXGsdK_Go1KxPJd8G22FL_MMhCfsTW-6ioIqoHSeSA1NGk3MZHEIM2errckiopKBxoBaROsacO9Uqk1zrrgXOs2NsgiTRtrbV1TNlFVaIX9mZdsUnMGZ' [metadata.nginx] restrict-to = [ From 82143e34ad4ffb024ea61f707771c1da1882bdfe Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Tue, 27 Dec 2022 13:38:39 +0100 Subject: [PATCH 020/996] update travelynx to 1.28.5 --- nodes/rx300.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nodes/rx300.py b/nodes/rx300.py index 869efa0..17fa30e 100644 --- a/nodes/rx300.py +++ b/nodes/rx300.py @@ -521,7 +521,7 @@ nodes['rx300'] = { }, }, 'travelynx': { - 'version': '1.23.12', + 'version': '1.28.5', 'mail_from': 'travelynx@franzi.business', 'domain': 'travelynx.franzi.business', }, From 070b466abe1baa857b76001e26ac93bacda4fc86 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Tue, 27 Dec 2022 13:38:53 +0100 Subject: [PATCH 021/996] bundles/travelynx: update bundle for new version --- bundles/travelynx/files/travelynx.conf | 25 +++++++------------------ bundles/travelynx/items.py | 6 +++--- 2 files changed, 10 insertions(+), 21 deletions(-) diff --git a/bundles/travelynx/files/travelynx.conf b/bundles/travelynx/files/travelynx.conf index bc8e128..7787d8b 100644 --- a/bundles/travelynx/files/travelynx.conf +++ b/bundles/travelynx/files/travelynx.conf 
@@ -5,15 +5,13 @@ # 'localhost'. { - # Cache directories for schedule and realtime data. Mandatory. The parent - # directory ('/var/cache/travelynx' in this case) must already exist. + base_url => Mojo::URL->new('https://${domain}'), + cache => { schedule => '/var/cache/travelynx/iris', realtime => '/var/cache/travelynx/iris-rt', }, - # Database configuration. host and port are optional - # (defaulting to localhost:5432), the rest is mandatory. db => { host => '${database.get('host', 'localhost')}', port => 5432, @@ -22,8 +20,6 @@ password => '${database['password']}', }, - # See the Mojo::Server::Hypnotoad manual for details on the following - # settings. hypnotoad => { accepts => 100, clients => 10, @@ -34,21 +30,14 @@ }, mail => { - # If you want to disable outgoing mail for development purposes, - # uncomment the following line. Mails will instead be logged as - # Mojolicious "info" messages, causing their content to be printed on - # stdout. - ## disabled => 1, - - # Otherwise, specify the sender ("From" field) for mail sent by travelynx - # here. E.g. 'Travelynx ' from => '${mail_from}', }, - # Secrets used for cookie signing and verification. Must contain at least - # one random string. If you specify several strings, the first one will - # be used for signing new cookies, and the remaining ones will still be - # accepted for cookie validation. + ref => { + issues => 'https://github.com/derf/travelynx/issues', + source => 'https://github.com/derf/travelynx', + }, + secrets => [ '${cookie_secret}', ], diff --git a/bundles/travelynx/items.py b/bundles/travelynx/items.py index dda92cf..5463a1b 100644 --- a/bundles/travelynx/items.py +++ b/bundles/travelynx/items.py @@ -36,7 +36,7 @@ files = { }, '/opt/travelynx/travelynx.conf': { 'content_type': 'mako', - 'context': node.metadata['travelynx'], + 'context': node.metadata.get('travelynx'), 'needs': { 'git_deploy:/opt/travelynx', }, 
@@ -61,7 +61,7 @@ if isfile(join(repo.path, 'data', 'travelynx', 'files', 'imprint', node.name)): git_deploy = { '/opt/travelynx': { 'repo': 'https://github.com/derf/travelynx.git', - 'rev': node.metadata['travelynx']['version'], + 'rev': node.metadata.get('travelynx/version'), 'needs': { 'directory:/opt/travelynx', }, @@ -84,7 +84,7 @@ actions = { 'triggered': True, }, 'travelynx_database_migrate': { - 'command': 'cd /opt/travelynx && perl index.pl database migrate', + 'command': 'export PERL5LIB=/opt/travelynx/local/lib/perl5; cd /opt/travelynx && perl index.pl database migrate', # Because git_deploy does not put .git onto the server, the script # will complain on STDERR about not finding a git repository. # That's why we need to redirect stderr to /dev/null. From c04ce63c35e85ea3fff2d24f21c064f71eeda2da Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Thu, 29 Dec 2022 13:45:06 +0100 Subject: [PATCH 022/996] bundles/arch-with-gui: more packages via bundle, less via nodefile --- bundles/arch-with-gui/metadata.py | 17 +++++++++++++++-- nodes/fkusei-locutus.py | 6 ------ nodes/kunsi-p14s.py | 10 ---------- 3 files changed, 15 insertions(+), 18 deletions(-) diff --git a/bundles/arch-with-gui/metadata.py b/bundles/arch-with-gui/metadata.py index 869a7f9..4666cca 100644 --- a/bundles/arch-with-gui/metadata.py +++ b/bundles/arch-with-gui/metadata.py @@ -38,9 +38,14 @@ defaults = { 'rofi': {}, # sound + 'calf': {}, + 'easyeffects': {}, + 'lsp-plugins': {}, 'pavucontrol': {}, - 'pulseaudio': {}, - 'pulseaudio-zeroconf': {}, + 'pipewire': {}, + 'pipewire-jack': {}, + 'pipewire-pulse': {}, + 'qpwgraph': {}, # window management 'i3-wm': {}, @@ -53,6 +58,7 @@ defaults = { # Xorg 'xf86-input-libinput': {}, + 'xf86-input-wacom': {}, 'xorg-server': {}, 'xorg-setxkbmap': {}, 'xorg-xev': {}, 
@@ -62,20 +68,27 @@ defaults = { # all them apps 'browserpass': {}, 'browserpass-firefox': {}, + 'ffmpeg': {}, 'firefox': {}, 'gimp': {}, + 'imagemagick': {}, 'inkscape': {}, + 'kdenlive': {}, 'maim': {}, 'mosh': {}, + 'mosquitto': {}, 'mpv': {}, 'pass': {}, 'pass-otp': {}, 'pdftk': {}, 'pwgen': {}, 'qpdfview': {}, + 'samba': {}, + 'shotcut': {}, 'sipcalc': {}, 'the_silver_searcher': {}, 'tlp': {}, + 'virt-manager': {}, 'xclip': {}, 'xdotool': {}, # needed for maim window selection }, diff --git a/nodes/fkusei-locutus.py b/nodes/fkusei-locutus.py index 7340a46..397e851 100644 --- a/nodes/fkusei-locutus.py +++ b/nodes/fkusei-locutus.py @@ -76,18 +76,12 @@ nodes['fkusei-locutus'] = { # video drivers 'xf86-video-intel': {}, - # for i3pystatus - 'iw': {}, - 'wireless_tools': {}, - # all that other random stuff one needs 'apachedirectorystudio': {}, 'direnv': {}, 'freerdp': {}, - 'mosquitto': {}, 'sdl_ttf': {}, # for compiling testcard 'thermald': {}, - 'virt-manager': {}, }, }, 'systemd-boot': { diff --git a/nodes/kunsi-p14s.py b/nodes/kunsi-p14s.py index 8952f4d..3174722 100644 --- a/nodes/kunsi-p14s.py +++ b/nodes/kunsi-p14s.py @@ -96,25 +96,15 @@ nodes['kunsi-p14s'] = { 'mesa-vdpau': {}, 'xf86-video-amdgpu': {}, - # for i3pystatus - 'iw': {}, - 'wireless_tools': {}, - # all that other random stuff one needs 'abcde': {}, 'apachedirectorystudio': {}, 'claws-mail': {}, 'claws-mail-themes': {}, 'ferdi-bin': {}, - 'ffmpeg': {}, 'gumbo-parser': {}, # for claws litehtml - 'imagemagick': {}, - 'inkscape': {}, - 'mosquitto': {}, 'perl-musicbrainz-discid': {}, # for abcde 'perl-webservice-musicbrainz': {}, # for abcde - 'samba': {}, - 'xf86-input-wacom': {}, }, }, 'sysctl': { From 970d97b0a2adb0ea7912aeea4e7504b585b17323 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Fri, 30 Dec 2022 20:35:05 +0100 Subject: [PATCH 023/996] nodes/home.wled-wohnzimmer: new mac address --- nodes/home.wled-wohnzimmer.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/nodes/home.wled-wohnzimmer.toml b/nodes/home.wled-wohnzimmer.toml index 42b7212..c032230 100644 --- a/nodes/home.wled-wohnzimmer.toml +++ b/nodes/home.wled-wohnzimmer.toml @@ -3,7 +3,7 @@ dummy = true [metadata.interfaces.default] ips = ["172.19.138.70"] dhcp = true -mac = "3c:61:05:d0:ba:1a" +mac = "3c:61:05:d0:f2:b9" [metadata.icinga_options] exclude_from_monitoring = true From c94aef55a5644918c4f873a5d8b48a93ba631523 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sat, 31 Dec 2022 16:33:10 +0100 Subject: [PATCH 024/996] bundles/dovecot: enable sieve logging --- bundles/dovecot/files/dovecot.conf | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/bundles/dovecot/files/dovecot.conf b/bundles/dovecot/files/dovecot.conf index 885b36a..9a294aa 100644 --- a/bundles/dovecot/files/dovecot.conf +++ b/bundles/dovecot/files/dovecot.conf @@ -46,11 +46,12 @@ plugin { zlib_save_level = 6 zlib_save = gz - sieve_plugins = sieve_imapsieve sieve_extprograms - sieve_dir = /var/mail/vmail/sieve/%d/%n/ sieve = /var/mail/vmail/sieve/%d/%n.sieve - sieve_pipe_bin_dir = /var/mail/vmail/sieve/bin + sieve_dir = /var/mail/vmail/sieve/%d/%n/ sieve_extensions = +vnd.dovecot.pipe + sieve_pipe_bin_dir = /var/mail/vmail/sieve/bin + sieve_plugins = sieve_imapsieve sieve_extprograms + sieve_user_log = /var/mail/vmail/sieve/%d/%n.log old_stats_refresh = 30 secs old_stats_track_cmds = yes From 7ee2d0800788b657f81f61537a46e4c0fb13081c Mon Sep 17 00:00:00 2001 From: Sophie Schiller Date: Thu, 19 Jan 2023 17:53:32 +0100 Subject: [PATCH 025/996] element-web update --- nodes/htz-cloud/miniserver.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nodes/htz-cloud/miniserver.py b/nodes/htz-cloud/miniserver.py index 633567a..28eb942 100644 --- a/nodes/htz-cloud/miniserver.py +++ b/nodes/htz-cloud/miniserver.py 
@@ -62,7 +62,7 @@ nodes['htz-cloud.miniserver'] = { }, 'element-web': { 'url': 'chat.sophies-kitchen.eu', - 'version': 'v1.11.17', + 'version': 'v1.11.19', 'config': { 'default_server_config': { 'm.homeserver': { From e393f3cc3c5de0b591dcf3673983c59f492289a3 Mon Sep 17 00:00:00 2001 From: Sophie Schiller Date: Fri, 27 Jan 2023 20:35:49 +0100 Subject: [PATCH 026/996] htz-cloud/miniserver element-web update --- nodes/htz-cloud/miniserver.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nodes/htz-cloud/miniserver.py b/nodes/htz-cloud/miniserver.py index 28eb942..2def17e 100644 --- a/nodes/htz-cloud/miniserver.py +++ b/nodes/htz-cloud/miniserver.py @@ -62,7 +62,7 @@ nodes['htz-cloud.miniserver'] = { }, 'element-web': { 'url': 'chat.sophies-kitchen.eu', - 'version': 'v1.11.19', + 'version': 'v1.11.20', 'config': { 'default_server_config': { 'm.homeserver': { From 446e0d057e4f426f4843655017dd9d6d257961a6 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Thu, 5 Jan 2023 07:15:20 +0100 Subject: [PATCH 027/996] update travelynx to 1.29.4 --- nodes/rx300.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nodes/rx300.py b/nodes/rx300.py index 17fa30e..c2befe4 100644 --- a/nodes/rx300.py +++ b/nodes/rx300.py @@ -521,7 +521,7 @@ nodes['rx300'] = { }, }, 'travelynx': { - 'version': '1.28.5', + 'version': '1.29.4', 'mail_from': 'travelynx@franzi.business', 'domain': 'travelynx.franzi.business', }, From 5ed4c1e9bd8f978ef68c1d3f59a0bf64f0b23532 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Thu, 5 Jan 2023 07:16:02 +0100 Subject: [PATCH 028/996] update netbox to 3.4.2 --- nodes/rx300.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nodes/rx300.py b/nodes/rx300.py index c2befe4..56b8d7d 100644 --- a/nodes/rx300.py +++ b/nodes/rx300.py 
@@ -305,7 +305,7 @@ nodes['rx300'] = { }, 'netbox': { 'domain': 'netbox.franzi.business', - 'version': 'v3.4.1', + 'version': 'v3.4.2', 'changelog_retention_days': 360, 'admins': { 'kunsi': 'hostmaster@kunbox.net', From ba3bf20db706cd41988f2534327bbbef777f0300 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Fri, 27 Jan 2023 19:52:13 +0100 Subject: [PATCH 029/996] new gpg key for influxdb repo --- data/apt/files/gpg-keys/influxdb.asc | 75 ++++++++++------------------ 1 file changed, 26 insertions(+), 49 deletions(-) diff --git a/data/apt/files/gpg-keys/influxdb.asc b/data/apt/files/gpg-keys/influxdb.asc index c97d593..60aeaf6 100644 --- a/data/apt/files/gpg-keys/influxdb.asc +++ b/data/apt/files/gpg-keys/influxdb.asc 
@@ -1,52 +1,29 @@ -----BEGIN PGP PUBLIC KEY BLOCK----- -Version: GnuPG v1 -mQINBFYJmwQBEADCw7mob8Vzk+DmkYyiv0dTU/xgoSlp4SQwrTzat8MB8jxmx60l -QjmhqEyuB8ho4zzZF9KV+gJWrG6Rj4t69JMTJWM7jFz+0B1PC7kJfNM+VcBmkTnj -fP+KJjqz50ETnsF0kQTG++UJeRYjG1dDK0JQNQJAM6NQpIWJI339lcDf15vzrMnb -OgIlNxV6j1ZZqkle4fvScF1NQxYScRiL+sRgVx92SI4SyD/xZnVGD/szB+4OCzah -+0Q/MnNGV6TtN0RiCDZjIUYiHoeT9iQXEONKf7T62T4zUafO734HyqGvht93MLVU -GQAeuyx0ikGsULfOsJfBmb3XJS9u+16v7oPFt5WIbeyyNuhUu0ocK/PKt5sPYR4u -ouPq6Ls3RY3BGCH9DpokcYsdalo51NMrMdnYwdkeq9MEpsEKrKIN5ke7fk4weamJ -BiLI/bTcfM7Fy5r4ghdI9Ksw/ULXLm4GNabkIOSfT7UjTzcBDOvWfKRBLX4qvsx4 -YzA5kR+nX85u6I7W10aSqBiaLqk6vCj0QmBmCjlSeYqNQqSzH/6OoL6FZ7lP6AiG -F2NyGveJKjugoXlreLEhOYp20F81PNwlRBCAlMC2Q9mpcFu0dtAriVoG4gVDdYn5 -t+BiGfD2rJlCinYLgYBDpTPcdRT3VKHWqL9fcC4HKmic0mwWg9homx550wARAQAB -tDFJbmZsdXhEQiBQYWNrYWdpbmcgU2VydmljZSA8c3VwcG9ydEBpbmZsdXhkYi5j -b20+iQI3BBMBCgAhBQJWCZsEAhsDBQsJCAcDBRUKCQgLBRYDAgEAAh4BAheAAAoJ -EGhKFM8lguDF9XEQAK9rREnZt6ujh7GXfeNki35bkn39q8GYh0mouShFbFY9o0i3 -UJVChsxokJSRPgFh9GOhOPTupl3rzfdpD+IlWI2Myt6han2HOjZKNZ4RGNrYJ5UR -uxt4dKMWlMbpkzL56bhHlx97RoXKv2d2zRQfw9nyZb6t3lw2k2kKXsMxjGa0agM+ -2SropwYOXdtkz8UWaGd3LYxwEvW3AuhI8EEEHdLetQaYe9sANDvUEofgFbdsuICH -9QLmbYavk7wyGTPBKfPBbeyTxwW2rMUnFCNccMKLm1i5NpZYineBtQbX2cfx9Xsk -1JLOzEBmNal53H2ob0kjev6ufzOD3s8hLu4KMCivbIz4YT3fZyeExn0/0lUtsQ56 -5fCxE983+ygDzKsCnfdXqm3GgjaI90OkNr1y4gWbcd5hicVDv5fD3TD9f0GbpDVw -yDz8YmvNzxMILt5Glisr6aH7gLG/u8jxy0D8YcBiyv5kfY4vMI2yXHpGg1cn/sVu -ZB01sU09VVIM2BznnimyAayI430wquxkZCyMx//BqFM1qetIgk1wDZTlFd0n6qtA -fDmXAC4s5pM5rfM5V57WmPaIqnRIaESJ35tFUFlCHfkfl/N/ribGVDg1z2KDW08r -96oEiIIiV4GfXl+NprJqpNS3Cn+aCXtd7/TsDScDEgs4sMaR29Lsf26cuWk8uQIN -BFYJmwQBEADDPi3fmwn6iwkiDcH2E2V31cHlBw9OdJfxKVUdyAQEhTtqmG9P8XFZ -ERRQF155XLQPLvRlUlq7vEYSROn5J6BAnsjdjsH9LmFMOEV8CIRCRIDePG/Mez2d -nIK5yiU6GkS3IFaQg2T9/tOBKxm0ZJPfqTXbT4jFSfvYJ3oUqc+AyYxtb8gj1GRk -X283/86/bA3C98u7re1vPtiDRyM8r0+lhEc59Yx/EAOL+X2gZyTgyUoH+LLuOWQK -s1egI8y80R8NZfM1nMiQk2ywMsTFwQjSVimScvzqv5Nt8k8CvHUQ3a6R+6doXGNX 
-5RnUqn9Qvmh0JY5sNgFsoaGbuk2PJrVaGBRnfnjaDqAlZpDhwkWhcCcguNhRbRHp -N7/a0pQr70bAG9VikzLyGC17EU0sxney/hyNHkr4Uyy2OXHpuJvRjVKy/BwZ3fxA -AYX2oZIOxQB3/OulzO/DppaCVhRtp1bt+Z5f+fpisiVb5DvZcMdeyAoQ4+oOr7v3 -EasIs2XYcQ+kOE3Y2kdlHWBeuXzxgWgJZ1OOpwGMjR3Uy6IwhuSWtreJBA4er+Df -vgSPwKBsRLNLbPe3ftjArnC5GfMiGgikVdAUdN4OkEqvUbkRoAVGKTOMLUKm+ZkG -OskJOVYS+JAina0qkYEFF7haycMjf9olhqLmTIC+6X7Ox9R2plaOhQARAQABiQIf -BBgBCgAJBQJWCZsEAhsMAAoJEGhKFM8lguDF8ZIP/1q9Sdz8oMvf9AJXZ7AYxm77 -V+kJzJqi62nZLWJnrFXDZJpU+LkYlb3fstsZ1rvBhnrEPSmFxoj72CP0RtcyX7wJ -dA7K1Fl9LpJi5H8300cC7UyG94MUYbrXijbLTbnFTfNr1tGx4a1T/7Yyxx/wZGrT -H/X8cvNybkl33SxDdlQQ9kx3lFOwC41e3TkGsUWxn3TCfvDh8VdA6Py6JeSPFGOb -MEO2/q7oUgvjfV+ivN5ayZi9bWgeqm1sgtmTHHQ4RqwwKrAb5ynXpn1b9QrkevgT -b91uzMA22Prl4DuzKiaMYDcZOQ3vtf0eFBP0GOSSgUKS4bQ3dGgi1JmQ7VuAM4uj -+Ug5TnGoLwclTwLksc7v89C5MMPgm2vVXvCUDzyzQA7bIHFeX+Rziby4nymec4Nr -eeXYNBJWrEp8XR7UNWmEgroXRoN1x9/6esh5pnoUXGAIWuKzSLQM70/wWxS67+v2 -aC1GNb+pXXAzYeIIiyLWaZwCSr8sWMvshFT9REk2+lnb6sAeJswQtfTUWI00mVqZ -dvI3Wys2h0IyIejuwetTUvGhr9VgpqiLLfGzGlt/y2sg27wdHzSJbMh0VrVAK26/ -BlvEwWDCFT0ZJUMG9Lvre25DD0ycbougLsRYjzmGb/3k3UktS3XTCxyBa/k3TPw3 -vqIHrEqk446nGPDqJPS5 -=9iF7 +mQINBGPIEycBEACpG4qSjhxA6fh4QJVJxFVBvCFt9tVx/hDbKH0Ryy9iilyMeReC +AS1/CZnSv/fhDNKmVPckf6on72z/ODwZcVfMV6DHkxmZ6x/tQrS6CWfKkupsON2H +KS3t4HUivahwHPlWtbfDqsWNwTAsZqklKpJQWY2ADPwurkbCmtYSjsgbLuWe23Pd +nJpLTHtlChM0ntW/l7Le1zYjGPUGoxMJgjg1YG8fi2l/zS0Of8bdQ26ps+WRvrSQ +RKhfAkfIgUiCXxBpDlN1spN73ZlAkaSb+myTfEKyJR55Yt9pHfkDdJh26RVgE1+N +GuLmm6oidaD9lTlNJ9P8wlLzoof3xJXYprgLLz/HmgtawnJ+DxFIXoXNNpUmhORJ +6Hb2Z5IKIyGIwXhQVe2Lw7B8awBNV99zUw517Wuax3RYx7Hwhntz9gFxS4GRxaCo +uLCFQ0AgDCkMHyEHufQo1XdjIB7fz6U551y5GMQw6/rjMnUM9ZI68SQ/FWou2cQf +533PyayvWOYQM4pP7ZmbzyCd393XlMaPWA5dyUOqv7Vcmv0IsAbncX6/KJmZAhKG +qu19xb6rv3ab2RbcU422guK3C/h/URPZJbSjf2w4jUV5UDe2veZg6BEVn7Sk5bW0 +ceX8n0GVbPNG7CvRduJPjXNzsz3FzmUS8QFFde3H5gl1T0f6GcfhmKgKEQARAQAB +tDdJbmZsdXhEYXRhIFBhY2thZ2UgU2lnbmluZyBLZXkgPHN1cHBvcnRAaW5mbHV4 
+ZGF0YS5jb20+iQJVBBMBCAA/BgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAUJBaOk +/BYhBJ1TnZDTMo3H1sjTudj/jh99+LB+BQJjyB9PAhsDAAoJENj/jh99+LB+klgQ +AKOKdwTyKOr6+mnRrACz5U3EFxfAXXFGan9Ka7Nzgz4K+FOnTtT1gWwqrPPmTKQk +epNUMcelfX1kCA08yCm0nyw2niqxES40W33ergKUj6jlDx7UQYXWsDQGD9IKksa8 +MWfZlJ3zlrsGKXA4oa+kfY+vltWDVP8WhLcQzm2LywbKvr3WgY80GZbnRjoekiBK +oMKztQVMJG5yNZBo9B4JrqB3wMpnXZxEtqZcBPsJJdXTFKHsQ7kB9TMNorbUvDNH +ohwsprgMw84vHikEk9jyCypXpYq/E/wvkM0CeIUJ36S2vGvACib7BiY6Xv0BQbM4 +rWq2Rrjag1y5vVAF9gJkeo/3rhM6lE1ahDCRq0QcBMVzbxiE+3COIzRPmz14J3Yn +0pkvzlVkNj5UZR8q91ESl+UxkFCP1wzcXgs0dpJWirQIOZ9E2eYv3LcjE68xjW1k +c5q1GOGvJI7aXADxUZ4lFbz+NUb4Ts4HXHc8gV1Gm0vvmIqv2YfAvL5DXbKLdZxh +73CxKvBMmTXIEQ+vQJ3p1ZnUnb+l6DoxEFWg/hXHmE5jY3P6HIVFdliXF5FEs1lr +9snU2Pn1BDL+TBN7SX0QbKqArWA4qyn6eGH8Z1ULoUVBPCjwC9QuInp/9fqifFYo +OM3A51MDGyc/HCVG6jNJEI5h71QGHlPfyQybpjy7rQSe +=YwXc -----END PGP PUBLIC KEY BLOCK----- From b460085bb0be6b28595e8af7c5587722fbb3dd1f Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sat, 28 Jan 2023 17:38:38 +0100 Subject: [PATCH 030/996] bundles/powerdns: enable superslave if supported --- bundles/powerdns/files/pdns.conf | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/bundles/powerdns/files/pdns.conf b/bundles/powerdns/files/pdns.conf index 1e2a5de..c88246f 100644 --- a/bundles/powerdns/files/pdns.conf +++ b/bundles/powerdns/files/pdns.conf @@ -20,8 +20,9 @@ setgid=pdns allow-notify-from=${','.join(sorted(my_primary_servers))} slave=yes -# FIXME enable once debian stable has 4.1.9 -#superslave=yes +% if node.os_version[0] > 10: +superslave=yes +% endif % else: api=yes api-key=${api_key} From ab76721ddb3a25ff67f40d23bb98deff02068f1d Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sat, 28 Jan 2023 17:39:07 +0100 Subject: [PATCH 031/996] bundles/powerdnsadmin: install psycopg2 in venv --- bundles/powerdnsadmin/items.py | 2 +- bundles/powerdnsadmin/metadata.py | 1 - 2 files changed, 1 insertion(+), 2 deletions(-) 
diff --git a/bundles/powerdnsadmin/items.py b/bundles/powerdnsadmin/items.py index 7cdf08c..3ccaecc 100644 --- a/bundles/powerdnsadmin/items.py +++ b/bundles/powerdnsadmin/items.py @@ -39,7 +39,7 @@ actions = { }, 'powerdnsadmin_install_deps': { 'triggered': True, - 'command': '/opt/powerdnsadmin/venv/bin/pip install -r /opt/powerdnsadmin/src/requirements.txt', + 'command': '/opt/powerdnsadmin/venv/bin/pip install --upgrade psycopg2-binary -r /opt/powerdnsadmin/src/requirements.txt', 'needs': { 'action:powerdnsadmin_create_virtualenv', 'pkg_apt:', diff --git a/bundles/powerdnsadmin/metadata.py b/bundles/powerdnsadmin/metadata.py index 8389941..0617b03 100644 --- a/bundles/powerdnsadmin/metadata.py +++ b/bundles/powerdnsadmin/metadata.py @@ -10,7 +10,6 @@ defaults = { 'libxmlsec1-dev': {}, 'libxslt1-dev': {}, 'pkg-config': {}, - 'python3-psycopg2': {}, 'python3-wheel': {}, }, }, From c5ccc31ad9fa5700b1fd575cb42b53b22dc9764c Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sat, 28 Jan 2023 18:07:31 +0100 Subject: [PATCH 032/996] get rid of molly-guard --- bundles/apt/items.py | 3 ++ .../files/10-check-unattended-upgrades | 9 ------ bundles/molly-guard/files/30-query-hostname | 29 ------------------- bundles/molly-guard/files/rc | 1 - bundles/molly-guard/items.py | 27 ----------------- bundles/molly-guard/metadata.py | 7 ----- 6 files changed, 3 insertions(+), 73 deletions(-) delete mode 100644 bundles/molly-guard/files/10-check-unattended-upgrades delete mode 100644 bundles/molly-guard/files/30-query-hostname delete mode 100644 bundles/molly-guard/files/rc delete mode 100644 bundles/molly-guard/items.py delete mode 100644 bundles/molly-guard/metadata.py diff --git a/bundles/apt/items.py b/bundles/apt/items.py index ae0f87a..639417d 100644 --- a/bundles/apt/items.py +++ b/bundles/apt/items.py @@ -143,6 +143,9 @@ pkg_apt = { 'cloud-init': { 'installed': False, }, + 'molly-guard': { + 'installed': False, + }, 'netplan.io': { 'installed': False, }, 
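Review bot: `pip install --upgrade psycopg2-binary` pins nothing, so every run of `powerdnsadmin_install_deps` pulls whatever psycopg2-binary release PyPI serves at that moment, and the driver that previously came from the Debian package (`python3-psycopg2`, dropped in the metadata.py hunk of this commit) no longer receives distro security updates either. Pin it, `'command': '/opt/powerdnsadmin/venv/bin/pip install --upgrade psycopg2-binary==<PINNED_VERSION> -r /opt/powerdnsadmin/src/requirements.txt'`, or move it into a requirements file that can be hash-checked, and add a comment naming who bumps it. The `actions` dict continues outside the hunk.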
diff --git a/bundles/molly-guard/files/10-check-unattended-upgrades b/bundles/molly-guard/files/10-check-unattended-upgrades deleted file mode 100644 index 6adafdb..0000000 --- a/bundles/molly-guard/files/10-check-unattended-upgrades +++ /dev/null @@ -1,9 +0,0 @@ -#!/bin/bash - -# Checks wether upgrade-and-reboot is currently running. - -if [[ -f "/var/lib/bundlewrap/soft-${node.name}/UNATTENDED" ]] -then - echo "Sorry, can't $MOLLYGUARD_CMD now, upgrade-and-reboot is running" - exit 1 -fi diff --git a/bundles/molly-guard/files/30-query-hostname b/bundles/molly-guard/files/30-query-hostname deleted file mode 100644 index 3e4fc4c..0000000 --- a/bundles/molly-guard/files/30-query-hostname +++ /dev/null @@ -1,29 +0,0 @@ -#!/bin/sh - -# This script will ask for the bundlewrap node name. This replaces the -# original script, which will ask for the hostname, which sometimes -# is not enough to properly identify the system. - -NODE_NAME="${node.name}" - -# If this is not a terminal, do nothing -test -t 0 || exit 0 - -sigh() -{ - echo "Sorry, input does not match. Won't $MOLLYGUARD_CMD $NODE_NAME ..." >&2 - exit 1 -} - -trap 'echo;sigh' 1 2 3 9 10 12 15 - -echo -n "Please enter the bundlewrap node name of this System to $MOLLYGUARD_CMD: " -read NODE_NAME_USER || : - -NODE_NAME_USER="$(echo "$NODE_NAME_USER" | tr '[:upper:]' '[:lower:]')" - -[ "$NODE_NAME_USER" = "$NODE_NAME" ] || sigh - -trap - 1 2 3 9 10 12 15 - -exit 0 diff --git a/bundles/molly-guard/files/rc b/bundles/molly-guard/files/rc deleted file mode 100644 index 4b6f808..0000000 --- a/bundles/molly-guard/files/rc +++ /dev/null @@ -1 +0,0 @@ -# currently unused diff --git a/bundles/molly-guard/items.py b/bundles/molly-guard/items.py deleted file mode 100644 index 1d6d82f..0000000 --- a/bundles/molly-guard/items.py +++ /dev/null 
@@ -1,27 +0,0 @@ -directories = { - '/etc/molly-guard/messages.d': { - 'purge': True, - 'after': { - 'pkg_apt:molly-guard', - }, - }, - '/etc/molly-guard/run.d': { - 'purge': True, - 'after': { - 'pkg_apt:molly-guard', - }, - }, -} - -files = { - '/etc/molly-guard/rc': {}, - - '/etc/molly-guard/run.d/10-check-unattended-upgrades': { - 'content_type': 'mako', - 'mode': '0755', - }, - '/etc/molly-guard/run.d/30-query-hostname': { - 'content_type': 'mako', - 'mode': '0755', - }, -} diff --git a/bundles/molly-guard/metadata.py b/bundles/molly-guard/metadata.py deleted file mode 100644 index d8571e2..0000000 --- a/bundles/molly-guard/metadata.py +++ /dev/null @@ -1,7 +0,0 @@ -defaults = { - 'apt': { - 'packages': { - 'molly-guard': {}, - }, - }, -} From 07dce73bcafcd06443612afedeac13c2b542af91 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sat, 28 Jan 2023 18:07:51 +0100 Subject: [PATCH 033/996] bundles/sshmon: get rid of sysstat --- bundles/sshmon/metadata.py | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/bundles/sshmon/metadata.py b/bundles/sshmon/metadata.py index 4fc3df2..8d5bb6b 100644 --- a/bundles/sshmon/metadata.py +++ b/bundles/sshmon/metadata.py @@ -8,7 +8,10 @@ defaults = { 'monitoring-plugins': {}, 'python3-requests': {}, 'python3-setuptools': {}, # needed by check_github_for_new_release - 'sysstat': {}, # needed by check_cpu_stats + 'sysstat': { + # legacy + 'installed': False, + }, }, }, 'icinga2_api': { @@ -37,7 +40,6 @@ defaults = { 'perl-libwww': {}, 'monitoring-plugins': {}, 'python-requests': {}, - 'sysstat': {}, }, }, } From e634c184c00c87cc3cc2276c9e78b8f2cdf4cea0 Mon Sep 17 00:00:00 2001 
From: Franziska Kunsmann Date: Sat, 28 Jan 2023 18:08:31 +0100 Subject: [PATCH 034/996] data/powerdns: convert some zones to psql --- data/powerdns/files/bind-zones/emails.sexy | 3 --- data/powerdns/files/bind-zones/felix-kunsmann.de | 5 ----- data/powerdns/files/bind-zones/warnochwas.de | 3 --- 3 files changed, 11 deletions(-) delete mode 100644 data/powerdns/files/bind-zones/emails.sexy delete mode 100644 data/powerdns/files/bind-zones/felix-kunsmann.de delete mode 100644 data/powerdns/files/bind-zones/warnochwas.de diff --git a/data/powerdns/files/bind-zones/emails.sexy b/data/powerdns/files/bind-zones/emails.sexy deleted file mode 100644 index c430731..0000000 --- a/data/powerdns/files/bind-zones/emails.sexy +++ /dev/null @@ -1,3 +0,0 @@ -${header} - -$ORIGIN emails.sexy. diff --git a/data/powerdns/files/bind-zones/felix-kunsmann.de b/data/powerdns/files/bind-zones/felix-kunsmann.de deleted file mode 100644 index ea21366..0000000 --- a/data/powerdns/files/bind-zones/felix-kunsmann.de +++ /dev/null @@ -1,5 +0,0 @@ -${header} - -$ORIGIN felix-kunsmann.de. - -@ IN MX 10 rx300.kunbox.net. diff --git a/data/powerdns/files/bind-zones/warnochwas.de b/data/powerdns/files/bind-zones/warnochwas.de deleted file mode 100644 index 2ff9e1f..0000000 --- a/data/powerdns/files/bind-zones/warnochwas.de +++ /dev/null @@ -1,3 +0,0 @@ -${header} - -$ORIGIN warnochwas.de. From d8aa1e80d085a3d3adf7ce897ed10911225f9954 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sat, 28 Jan 2023 18:08:59 +0100 Subject: [PATCH 035/996] get rid of molly-guard --- groups/os.py | 1 - 1 file changed, 1 deletion(-) diff --git a/groups/os.py b/groups/os.py index 4fa97f7..a1f3b72 100644 --- a/groups/os.py +++ b/groups/os.py @@ -71,7 +71,6 @@ groups['debian'] = { 'bundles': { 'apt', 'backup-client', - 'molly-guard', }, 'os': 'debian', 'pip_command': 'pip3', From 1899dfc27807cbf3ead9e634f326e7cb1da7094f Mon Sep 17 00:00:00 2001 
From: Franziska Kunsmann Date: Sat, 28 Jan 2023 18:09:31 +0100 Subject: [PATCH 036/996] dns: update to debian bullseye and postgresql 15 --- nodes/gce/bind01.py | 4 ++-- nodes/gce/dns02.py | 4 ++-- nodes/gce/dns03.py | 4 ++-- 3 files changed, 6 insertions(+), 6 deletions(-) diff --git a/nodes/gce/bind01.py b/nodes/gce/bind01.py index 3dce25c..a18d923 100644 --- a/nodes/gce/bind01.py +++ b/nodes/gce/bind01.py @@ -8,7 +8,7 @@ nodes['gce.bind01'] = { 'powerdnsadmin', }, 'groups': { - 'debian-buster', + 'debian-bullseye', 'dns', 'webserver', }, @@ -44,7 +44,7 @@ nodes['gce.bind01'] = { }, }, 'postgresql': { - 'version': '11', + 'version': '15', }, 'powerdns': { 'is_secondary': False, diff --git a/nodes/gce/dns02.py b/nodes/gce/dns02.py index def2765..7eb1253 100644 --- a/nodes/gce/dns02.py +++ b/nodes/gce/dns02.py @@ -5,7 +5,7 @@ nodes['gce.dns02'] = { 'hostname': '35.187.109.249', 'bundles': set(), 'groups': { - 'debian-buster', + 'debian-bullseye', 'dns', }, 'metadata': { @@ -25,7 +25,7 @@ nodes['gce.dns02'] = { 'exclude_from_backups': True, }, 'postgresql': { - 'version': '11', + 'version': '15', }, 'powerdns': { 'my_hostname': 'ns-2.kunbox.net', diff --git a/nodes/gce/dns03.py b/nodes/gce/dns03.py index fb23f27..14a87d7 100644 --- a/nodes/gce/dns03.py +++ b/nodes/gce/dns03.py @@ -5,7 +5,7 @@ nodes['gce.dns03'] = { 'hostname': '35.228.143.71', 'bundles': set(), 'groups': { - 'debian-buster', + 'debian-bullseye', 'dns', }, 'metadata': { @@ -25,7 +25,7 @@ nodes['gce.dns03'] = { 'exclude_from_backups': True, }, 'postgresql': { - 'version': '11', + 'version': '15', }, 'powerdns': { 'my_hostname': 'ns-3.kunbox.net', From b4b3fec8a7a5cbc1c26c1458c246e9b276a580b7 Mon Sep 17 00:00:00 2001 
From: Franziska Kunsmann Date: Sun, 29 Jan 2023 06:41:47 +0100 Subject: [PATCH 037/996] move franzi.business to psql-managed zone --- .../powerdns/files/bind-zones/franzi.business | 43 ------------------- 1 file changed, 43 deletions(-) delete mode 100644 data/powerdns/files/bind-zones/franzi.business diff --git a/data/powerdns/files/bind-zones/franzi.business b/data/powerdns/files/bind-zones/franzi.business deleted file mode 100644 index 2f8e3ea..0000000 --- a/data/powerdns/files/bind-zones/franzi.business +++ /dev/null 
@@ -1,43 +0,0 @@ -${header} - -$ORIGIN franzi.business. - -; ends up on rx300.kunbox.net -@ IN A 31.47.232.106 - IN AAAA 2a00:f820:528::2 - IN MX 10 rx300.kunbox.net. - IN TXT "v=spf1 mx a:sewfile.htz-cloud.kunbox.net ~all" - -chat IN CNAME rx300.kunbox.net. -dimension IN CNAME rx300.kunbox.net. -git IN CNAME rx300.kunbox.net. -jenkins IN CNAME rx300.kunbox.net. -matrix IN CNAME rx300.kunbox.net. -mta-sts IN CNAME rx300.kunbox.net. -netbox IN CNAME rx300.kunbox.net. -sewfile IN CNAME sewfile.htz-cloud.kunbox.net. -paste IN CNAME rx300.kunbox.net. -postfixadmin IN CNAME rx300.kunbox.net. -radicale IN CNAME rx300.kunbox.net. -rss IN CNAME rx300.kunbox.net. -status IN CNAME icinga2.ovh.kunbox.net. -tickets IN CNAME franzi-business.cname.pretix.eu. -travelynx IN CNAME rx300.kunbox.net. -unicornsden IN CNAME rx300.kunbox.net. -wiki IN CNAME rx300.kunbox.net. - -_matrix._tcp IN SRV 10 10 443 matrix - -_dmarc IN TXT "v=DMARC1; p=quarantine; rua=mailto:hostmaster@kunbox.net; ruf=mailto:postmaster@kunsmann.eu; fo=0:d:s; adkim=r; aspf=r" -_mta-sts IN TXT "v=STSv1;id=20201111;" -_smtp._tls IN TXT "v=TLSRPTv1;rua=mailto:hostmaster@kunbox.net" -_token._dnswl IN TXT "gg3mbwjx9bbuo5osvh7oz6bc881wcmc" - -2019._domainkey IN TXT ( "v=DKIM1; k=rsa; " - "p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwkg6UAcu3V98hal1UVf6yB0WT1CKDS0AK83CUlSP8bUwraPxkxK1nkQOUsmjbQs6a3FhdsKprMi32GeUaTVvZg81JIybPk3jNugfNWfSjs2TXPomYu+XD2pmmbR3cZlzC5NGR2nmBFt/P/S2ihPHj35KziiBIwK1TdvOi1M2+upCjK33Icco0ByCm0gJpD2O0cbqcBcUKqd6X440" - "vYhNXH1ygp0e91P0iRnvS9sg6yD0xjD8kD6j/8GfxBY+9bpU3EvDoBgyJSbjw5b6PUVJbKMXzw1NIRNj0SXKs5BakjS8+7u62vR11IPCYRwy+yr0rDT0tNegM7gStIIgoTpOoQIDAQAB" -) ; -uO4aNejDvVdw8BKne3KJIqAvCQMJ0416._domainkey IN TXT ( "v=DKIM1; k=rsa; " - "p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnh5Ym9PO7r+wdOIKfopvHzn3KU3qT6IlCG/gvvbmIqoeFQfRbAe3gQmcG6RcLue55cJQGhI6y2r0lm59ZeoHR40aM+VabAOlplekM7xWmoXb/9vG2OZLIqAyF4I+7GQmTN6B9keBHp9SWtDUkI0B0G9neZ5MkXJP705M0duxritqQlb4YvCZwteHiyckKcg9aE9j+GF2EEawBoVDp" - 
"oveoB3+wgde3lWEUjjwKFtXNXxuN354o6jgXgPNWtIEdPMLfK/o0CaCjZNlzaLTsTegY/+67hdHFqDmm8zXO9s+Xiyfq7CVq21t7wDhQ2W1agj+up6lH82FMh5rZNxJ6XB0yQIDAQAB" -) ; From f45a759a43ac0ac8c1e76948e3363ca44b687641 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 29 Jan 2023 06:42:07 +0100 Subject: [PATCH 038/996] ssl: bump _.franzi.business --- data/ssl/_.franzi.business.crt.pem | 36 ++++++++++++------------ data/ssl/_.franzi.business.key.pem.vault | 2 +- 2 files changed, 19 insertions(+), 19 deletions(-) diff --git a/data/ssl/_.franzi.business.crt.pem b/data/ssl/_.franzi.business.crt.pem index 50d05c7..b55b2de 100644 --- a/data/ssl/_.franzi.business.crt.pem +++ b/data/ssl/_.franzi.business.crt.pem 
@@ -1,27 +1,27 @@ -----BEGIN CERTIFICATE----- -MIIEiTCCA3GgAwIBAgISBEiaFE6qZ3+AhUkmqKta5OSuMA0GCSqGSIb3DQEBCwUA +MIIEijCCA3KgAwIBAgISA8l+oC4pMh1Q/UNiEPuiw39OMA0GCSqGSIb3DQEBCwUA MDIxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQD -EwJSMzAeFw0yMjExMDYwNjA3MTZaFw0yMzAyMDQwNjA3MTVaMBoxGDAWBgNVBAMT -D2ZyYW56aS5idXNpbmVzczB2MBAGByqGSM49AgEGBSuBBAAiA2IABFdgHf2P15+0 -as3iN/M7itWsdWCtH35cGIf871AeU5OhB4JDNbb5aDsho9ga/vIsjpB1Xh3EhNvP -I3b8KT9JUUE/dIRaWvNp8OSKihiU72mXIIlmslVW2AeqwBGMU0L+46OCAl0wggJZ +EwJSMzAeFw0yMzAxMjkwNDM5NTFaFw0yMzA0MjkwNDM5NTBaMBoxGDAWBgNVBAMT +D2ZyYW56aS5idXNpbmVzczB2MBAGByqGSM49AgEGBSuBBAAiA2IABMlQ1P5Y0aZ5 +vUzB4TAP8iIuiO3GJnYhnKrbe/Lz3gf6Ct9bGM4JLY3RI9xcSmol3sNKdVmbHMRe +z63GW4twSnS517axo6jcT0YQkFVyhWHvLnpBW42M1FpjzaDCbs74zKOCAl4wggJa MA4GA1UdDwEB/wQEAwIHgDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIw -DAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQUsY9YAWIXWlFiQi/JImI6LFxrc6gwHwYD +DAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQURw5+tfBU0aOBqfN40kz43fUcjx4wHwYD VR0jBBgwFoAUFC6zF7dYVsuuUAlA5h+vnYsUwsYwVQYIKwYBBQUHAQEESTBHMCEG CCsGAQUFBzABhhVodHRwOi8vcjMuby5sZW5jci5vcmcwIgYIKwYBBQUHMAKGFmh0 dHA6Ly9yMy5pLmxlbmNyLm9yZy8wLQYDVR0RBCYwJIIRKi5mcmFuemkuYnVzaW5l c3OCD2ZyYW56aS5idXNpbmVzczBMBgNVHSAERTBDMAgGBmeBDAECATA3BgsrBgEE AYLfEwEBATAoMCYGCCsGAQUFBwIBFhpodHRwOi8vY3BzLmxldHNlbmNyeXB0Lm9y -ZzCCAQQGCisGAQQB1nkCBAIEgfUEgfIA8AB2ALc++yTfnE26dfI5xbpY9Gxd/ELP -ep81xJ4dCYEl7bSZAAABhEvD10MAAAQDAEcwRQIhAM2BBzR9UWZNuK3+nk6AdaJL -1j8OvFPZnb+CJqdYtBe8AiAJM4kwOyZLzK/ZGXzwBJLjRTXs2hJZ4qXUzszhv/hs -+QB2AHoyjFTYty22IOo44FIe6YQWcDIThU070ivBOlejUutSAAABhEvD2UYAAAQD -AEcwRQIgfMXcWDFe5IKe6n4D9t3zpecF7wCIje8pBd4WQ3OfxM4CIQDpGTCU2pUI -Hfwkq+6a2j6Lh3baERBbrfnGDF2AOjjelzANBgkqhkiG9w0BAQsFAAOCAQEAMGiD -9uo+WVO+p/HFA+bHM/1ZaTDBONP72YHPx0tdFvQAPQ59n8n6KsE2w9cioNHiRYVv -WhoHjWXtzsCiJzNvc4wuTCxJkBtfSAvsOGqGMQJ+cQym+aSBKqSKvKsIQQjOmz/p -sere5gqTkhuCfnbF8AL7JqDFld4knlbzzsdhj0SjcAO4OUA8SdHdGq192hVRB+nL -IFb6Ax4jD/fQ19j+uL+F1MgMmwUkVF77X279FGlax9PGpmQ47aLj5w7qDpZxfHf9 
-Z2nq14Bk6USZcz9hR+gq38lvo6aU/0MvPey9QiIzLg78K0gEQ1o3qoUIl+9erSLR -ssU+fmyZoeNBV6q8xw== +ZzCCAQUGCisGAQQB1nkCBAIEgfYEgfMA8QB3AHoyjFTYty22IOo44FIe6YQWcDIT +hU070ivBOlejUutSAAABhfwJ/TEAAAQDAEgwRgIhAINjOWzyMeYZYFNk5cdghSwA +JDuxKo8/ubIlsAV9ymJWAiEAuVZjp2GQ0RmFyGVDiF865uC4lTtzMIwmpgwYiBqg +DQsAdgCt9776fP8QyIudPZwePhhqtGcpXc+xDCTKhYY069yCigAAAYX8Cf1OAAAE +AwBHMEUCIGoeOIHC8O+zj/3E89BHv+9siaKSOy/2I6i53V5faX3EAiEAsk/Lhr/0 +NpogdjroYqt1sKvTzmO0BrxWJ5a41JQdtX0wDQYJKoZIhvcNAQELBQADggEBAIM4 +moszjbZGKjaoCtsj5t7Dtxu/JmE9gOnwfxnUrDKn0T00dKQi8Mk6a4C5vdGnxorO +lj8VutznRvp1RKxb6WWyk0iW22rLm+kTudf/vf9lY0X7DmD/u3MO2tGumwjMdLRT +QgxP+yu8R03ZppnuzYZhERAbY6AuC/U+owiYjNfF4v1Eyn4zxe6L2v0UWGnBWObb +xv5RbhHFezr676GaLIrcVh0rN6YNK2J1Cei2pNtAVSLiSJvuuO5Qq1KE7wQqbGd+ +lqK2tcEZRtzaFrpW7C0ZW7LpgO8zdeN4BtD25ozhGJO/0H5hhKpQ/wtWqXYKkhC/ +G47QSheqKqJnHOCL0hA= -----END CERTIFICATE----- diff --git a/data/ssl/_.franzi.business.key.pem.vault b/data/ssl/_.franzi.business.key.pem.vault index 60ada7b..9a5202f 100644 --- a/data/ssl/_.franzi.business.key.pem.vault +++ b/data/ssl/_.franzi.business.key.pem.vault 
@@ -1 +1 @@ -encrypt$gAAAAABjZ10m0BnUbl5777KN6VHf6uAdtcs15-osbqRoQq6epRuWllD-ziy_2N7BrOkRcmfSJaB8zZ1l1bLD6ws3SlI7jvbkahvWnuKinkGiE30SGGjqr6MY_NJGawdox8OJWrsWLFYJJjrePl_mmVtx9G41oBreKizj1YPswzbzsFociJ0zF0xlx99sjjLxRB5PEaI3fwK1eXDmODGZ__dwKxINGSB2zxPb10Vwtnsp3cmaUiKh1TfIghQAm523cAuHPys1-tNXuJpvhPY3tIxB5gHZYiBXMzcS64mD1KqEubsnplxQlK-N_mJ7Q6n0xReG00pqvm5twRI5g7PoHYLH7nZI7KYOSI2XMAS7gP6Uy-H60BQKAHXuX4yutznVRJspv0wa4kfW9vcBfFECBhFeC8tAAkgAc-NvAsDYk6tYSi2k3N2zXsiyHy0NL-JMnUEicQT3YZNnfkoYqjuxwFbQvgtZZun38w== \ No newline at end of file +encrypt$gAAAAABj1gankGocRRCdH6WqCUFJ6UtA1f07KpXYh4KcelenJv0ZbQ98f2nwIk29iXWEIsS9FTiRyEG95u_Lmm_p7GbKCMDSIZfZgAC2I3tp_BxZPerhEkwxTT_BjEYHRjMDFrzwoAypTO1Mj_XiT_CYvAZptHI3MZcI9QwPVw-CMJ4KqzG-IztkW8KVnuM7agiBdUt4IYkLyeZ0IoL4nOIWANtdM-y4rILv6N7WIMw6dgsSvLPEQR-PYdNLq866IR0-yFGOfYcQKOvpBqAt6A69E6JxSm3AakaJaS75QYF2lzGVjTfrFoGz60LUjC60KuTsu3dUckGUm7JEq1BSMxvc5b_a6pCazvoAnM0gbtbM_DjL0phLj7VWZEg-_1CHfc2S0-UxbxBjLKJ3NPPs93_En5RWxqxkhvvZgxzWJqQWP2eBprge8Q_EEXkMbxumVVx9Ymdynlw2AgkQhVVJIu_vnsZ4Uc8vIA== \ No newline at end of file From ba97cd432fc36704ea1a96c8aecddaf130698b48 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 29 Jan 2023 06:45:34 +0100 Subject: [PATCH 039/996] bundles/icinga2: icingaweb2 apparently ships monitoring module by itself --- bundles/icinga2/metadata.py | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/bundles/icinga2/metadata.py b/bundles/icinga2/metadata.py index 9bf7d26..fcbfd13 100644 --- a/bundles/icinga2/metadata.py +++ b/bundles/icinga2/metadata.py @@ -17,7 +17,9 @@ defaults = { 'icinga2': {}, 'icinga2-ido-pgsql': {}, 'icingaweb2': {}, - 'icingaweb2-module-monitoring': {}, + + # apparently no longer needed + #'icingaweb2-module-monitoring': {}, # neeeded for statusmonitor 'python3-flask': {}, From ff8928dd0bb1490e8c607420287452ddf563c18b Mon Sep 17 00:00:00 2001 
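Review bot: Commenting out `'icingaweb2-module-monitoring': {}` only stops declaring the package; nodes that already have it keep it installed, unlike the `'installed': False` form this repository uses for retired packages elsewhere on this page (`sysstat` in bundles/sshmon/metadata.py, `molly-guard` in bundles/apt/items.py). Replace the commented line with `'icingaweb2-module-monitoring': {'installed': False},  # apparently shipped by icingaweb2 itself now` so the leftover module is removed consistently and the reason stays in the file. The `defaults` dict continues outside the hunk.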
From: Franziska Kunsmann Date: Sun, 29 Jan 2023 06:54:48 +0100 Subject: [PATCH 040/996] remove openhab, move backups to hass --- PORT_MAP.md | 1 - bundles/openhab/files/backup-pre-hook | 5 -- bundles/openhab/files/openhab | 62 ------------------- bundles/openhab/items.py | 32 ---------- bundles/openhab/metadata.py | 55 ---------------- data/apt/files/gpg-keys/openhab.asc | 52 ---------------- ....openhab.key.vault => home.hass.key.vault} | 0 .../keys/{home.openhab.pub => home.hass.pub} | 0 nodes/home.hass.toml | 3 - nodes/home.openhab.toml | 21 ------- 10 files changed, 231 deletions(-) delete mode 100644 bundles/openhab/files/backup-pre-hook delete mode 100644 bundles/openhab/files/openhab delete mode 100644 bundles/openhab/items.py delete mode 100644 bundles/openhab/metadata.py delete mode 100644 data/apt/files/gpg-keys/openhab.asc rename data/backup/keys/{home.openhab.key.vault => home.hass.key.vault} (100%) rename data/backup/keys/{home.openhab.pub => home.hass.pub} (100%) delete mode 100644 nodes/home.openhab.toml diff --git a/PORT_MAP.md b/PORT_MAP.md index c683843..7d9d4dc 100644 --- a/PORT_MAP.md +++ b/PORT_MAP.md @@ -45,7 +45,6 @@ Rule of thumb: keep ports below 10000 free for stuff that reserves ports. | 22060 | pretalx | gunicorn | | 22070 | paperless-ng | gunicorn | | 22080 | netbox | gunicorn | -| 22090 | openhab | http | | 22999 | nginx | stub_status | | 22100 | ntfy | http | diff --git a/bundles/openhab/files/backup-pre-hook b/bundles/openhab/files/backup-pre-hook deleted file mode 100644 index fbf0eda..0000000 --- a/bundles/openhab/files/backup-pre-hook +++ /dev/null @@ -1,5 +0,0 @@ -#!/bin/bash - -find /var/lib/openhab/backups -type f -mtime +3 -delete - -/usr/share/openhab/runtime/bin/backup --full diff --git a/bundles/openhab/files/openhab b/bundles/openhab/files/openhab deleted file mode 100644 index 9893987..0000000 --- a/bundles/openhab/files/openhab +++ /dev/null 
@@ -1,62 +0,0 @@ -# openHAB service options - -######################### -## PORTS -## The ports openHAB will bind its HTTP/HTTPS web server to. - -OPENHAB_HTTP_PORT=22090 -#OPENHAB_HTTPS_PORT=8443 - -######################### -## HTTP(S) LISTEN ADDRESS -## The listen address used by the HTTP(S) server. -## 0.0.0.0 (default) allows a connection from any location -## 127.0.0.1 only allows the local machine to connect - -OPENHAB_HTTP_ADDRESS=127.0.0.1 - -######################### -## BACKUP DIRECTORY -## Set the following variable to specify the backup location. -## runtime/bin/backup and runtime/bin/restore will use this path for the zip files. - -#OPENHAB_BACKUPS=/var/lib/openhab/backups - -######################### -## JAVA OPTIONS -## Additional options for the JAVA_OPTS environment variable. -## These will be appended to the execution of the openHAB Java runtime in front of all other options. -## -## A couple of independent examples: -## EXTRA_JAVA_OPTS="-Dgnu.io.rxtx.SerialPorts=/dev/ttyZWAVE:/dev/ttyUSB0:/dev/ttyS0:/dev/ttyS2:/dev/ttyACM0:/dev/ttyAMA0" -## EXTRA_JAVA_OPTS="-Djna.library.path=/lib/arm-linux-gnueabihf/ -Duser.timezone=Europe/Berlin -Dgnu.io.rxtx.SerialPorts=/dev/ttyZWave" - -EXTRA_JAVA_OPTS="${extra_java_opts}" - -######################### -## OPENHAB DEFAULTS PATHS -## The following settings override the default apt/rpm locations and should be used with caution. -## openHAB will fail to update itself if you're using different paths. -## Only set these if you are testing and are confident in debugging. - -#OPENHAB_HOME=/usr/share/openhab -#OPENHAB_CONF=/etc/openhab -#OPENHAB_RUNTIME=/usr/share/openhab/runtime -#OPENHAB_USERDATA=/var/lib/openhab -#OPENHAB_LOGDIR=/var/log/openhab - -######################### -## OPENHAB USER AND GROUP -## The user and group that takes ownership of openHAB. Only available for init.d systems. -## To edit user and group for systemd, see the service file at /usr/lib/systemd/system/openhab.service. 
- -#OPENHAB_USER=openhab -#OPENHAB_GROUP=openhab - -######################### -## SYSTEMD START MODE -## The Karaf startmode for the openHAB runtime. Only available for systemctl/systemd systems. -## Defaults to daemon when unset here. Multiple options can be used without quotes. -## debug increases log output. daemon launches the Karaf/openHAB processes. - -#OPENHAB_STARTMODE=debug diff --git a/bundles/openhab/items.py b/bundles/openhab/items.py deleted file mode 100644 index eabe1d0..0000000 --- a/bundles/openhab/items.py +++ /dev/null @@ -1,32 +0,0 @@ -extra_java_opts = [] - -for opt, value in sorted(node.metadata.get('openhab/java_opts', {}).items()): - if value is None: - extra_java_opts.append(f'-D{opt}') - else: - extra_java_opts.append(f'-D{opt}={value}') - -files = { - '/etc/default/openhab': { - 'content_type': 'mako', - 'context': { - 'extra_java_opts': ' '.join(extra_java_opts), - }, - 'triggers': { - 'svc_systemd:openhab:restart', - }, - }, - '/etc/backup-pre-hooks.d/40-openhab': { - 'source': 'backup-pre-hook', - 'mode': '0755', - } -} - -svc_systemd = { - 'openhab': { - 'needs': { - 'pkg_apt:openhab', - 'pkg_apt:openhab-addons', - }, - }, -} diff --git a/bundles/openhab/metadata.py b/bundles/openhab/metadata.py deleted file mode 100644 index e6a87cc..0000000 --- a/bundles/openhab/metadata.py +++ /dev/null 
@@ -1,55 +0,0 @@ -defaults = { - 'apt': { - 'packages': { - 'openjdk-17-jre': {}, - 'openhab': { - 'needs': { - 'pkg_apt:openjdk-17-jre', - }, - }, - 'openhab-addons': { - 'needs': { - 'pkg_apt:openhab', - }, - }, - }, - 'repos': { - 'openhab': { - 'items': { - 'deb https://openhab.jfrog.io/artifactory/openhab-linuxpkg stable main', - }, - }, - }, - }, - 'backups': { - 'paths': { - '/usr/share/openhab/addons', # not included in openhab backup - '/var/lib/openhab', - }, - }, -} - - -@metadata_reactor.provides( - 'nginx/vhosts/openhab', -) -def nginx(metadata): - if not node.has_bundle('nginx'): - raise DoNotRunAgain - - return { - 'nginx': { - 'vhosts': { - 'openhab': { - 'domain': metadata.get('openhab/domain'), - 'locations': { - '/': { - 'target': 'http://localhost:22090/', - }, - }, - 'website_check_path': '/', - 'website_check_string': 'openHAB', - }, - }, - }, - } diff --git a/data/apt/files/gpg-keys/openhab.asc b/data/apt/files/gpg-keys/openhab.asc deleted file mode 100644 index 196e60e..0000000 --- a/data/apt/files/gpg-keys/openhab.asc +++ /dev/null 
@@ -1,52 +0,0 @@ ------BEGIN PGP PUBLIC KEY BLOCK----- - -mQINBFWz+OYBEACXcmKiL6ix1e4gJIWVoGMF7Hv0VOVKJgIUF/zJYBqk3sXQp/pi -JbIoODhrrIbEK33mqgy1EfzEmDhEurule59hq9HAQpOEz9hVbghhnsB8eXEQ9yJO -Wf8D8UGi2MKmqkvf7//jvdywNaQG/xhLu2xld7MxjuhswfiUWqoRFRpQoKY2QCe9 -n92qS0MGGK0B6WgapZZPT6AGyqKYtkCA5qUn7bcoEM2236nXhOAYHJh0o4qJ+cBk -BbSx8KEdrZxKQH50gB//gk/K2s+6CbYYOcJX6z3SLa3fxzlbyH9xQhpumAv/++2v -IIJbJHJicsmCKe/SQ7x5xVh90j6xA3oiYZIG78xWL0xnGCPhFws861dR2iON6CSp -+UKDciEQJH+Ew40la+DcHH7tzHlpZpCC1Jv7VBDkhziPrsscgOtYEwfhsq0Pyfpo -0IsyVDBUyj3Nne1NcKShd6+SYFz+gtXkttELi+DZmyA6onatw7LPGFHs8gOVKYBM -PzmERQ1DjlFW+Dc8FEQquYiquzmkyhJUXHVD1G8Mkic8jhccWbv3S7ePanvpgyZ3 -/KBAWk48/sym+zJTLWuJsCCNLI3K6gngexz1MMaRaPkbVK+4aboNLm6YhVlF5RCK -rTzIUAeB4dmu1k8Quqy/nYhYMokB9w5hiPwmGutjbpOntnrfqxvYy1EL1wARAQAB -tDBvcGVuSEFCIEJpbnRyYXkgUmVwb3NpdG9yaWVzIDxvd25lckBvcGVuaGFiLm9y -Zz6JAlQEEwEKAD4CGwMFCwkIBwMFFQoJCAsFFgIDAQACHgECF4AWIQTtt9AwTi/K -9infEWMHVyH2oiQGCgUCXTjCTAUJDwsFBgAKCRAHVyH2oiQGCmfMD/sGZickeBlA -+x8XxfzvwxTnW/8MCvFBa4l/GoK9bALylvekP4adk/aaySMk/zjk231mwmMuttnP -VDg6TwhxhthveAFdbJEkTNhWUqH0FzyN9QwEGfIodjkQSYWwosY+55V0uYp2zfo9 -iHOtxzXjuLnkpZZPyY33qqGruqhnbyo2J09oLNw4MIwOepNMihP5u0nudTXiDivg -eg8lx/4WIIfwDwCe1gSBnU/731B0TIruxz3cQabLgeTuKB13+ajtJGuH1qrHxMVx -CFhD8wCugNj0qcI6NS06SXwLSAFr+xIeFXWVum2okWt2nzPpn7ll/FUG+qRECipt -m1IaEbelUrcuk7dUY75Fz5Fx8S0HtYAcCYYBDnhcaSSq7sK0NklrVz+bQZsJx4hY -ebkiNI/xFM3slOYoRzGWawuVpG/y1/VM/QRPS4uUS5rnvbGLVpn3bR+03FQwZWeb -yfMNke74TlM9+aEJZb1uxYQGLDFNDVNyALtGhDDp0R/FuDR0my3va3GJnZrtUGVg -M5Xfs/ebsKZ+CuLKqlbdZ0zjLUCJoT+tGGT1VPpi83jc+4wZXynj9b9/CWHoDfaN -VKTj95R7c7IOMRH5srpHX3qSzIF2Yav395SxJNuTTxcPCZ+n2M8jhvVnn4x8sWn5 -Ms0cN2tKVmfIbLF/1JempVsifJmRkbqN+rkCDQRVs/jmARAAxrYK7y1WW/szELpQ -guGSJGIjLt3tNGHGLP3lX4G1DlbziysTx3fY+c+hzGAM8WInsABq5fOWqkiLfx3f -wlHdo7bxv3U+xWq+xV9OOx+tjJn2xI3EtZ632pOQtxj/+6Tdcf3tIwOSMKK5kpGw -DU1VoLkWMfJeq0md6TDRB49p82Q1UGTaVCCfHYpvwCyuv1FWhSQuPJJLdP0YRX2i -1L7zyJLUzjmlAmlNoSMSaoozNJoz/XKFOPoJ66Tu8j8j8W+yqcAKeRTPiZXCEjbh 
-3wgxrx3PWV77kOmtfb0sHyxRujdJvEUfixrSoi4qLrE8kCo2OR8d1C5DsMlbZzvF -kHWaNSkOtpWqEGD/+BLs6lejHvbBEvYSsQMF53yH8q1U+9+7CP9wwKKAtN7LQJcw -xUADv/UhSLA/ZZTisaeUVem9vZlnVfANSieYQvy6zWqvKF4FhBpQbVzSINWv/nzu -NR4gg3uJRMHUb4cyfy3mmJ7FwwF8oHQXU+mkILWmiwrMDbq0Mjc8FRL5Bg4iTwS5 -jDGLZ0g4xU0GYi22eAWPL0dpQpA8t5Ja7W+x+VASOtbpnMAJO94YZ4yXlDcDeNJD -uo2y0z+xjuloPrGK+AssCpOBxpBlcrAFRMx5+rpkHSlLtkQNPeBPwXlryafDZ2PA -QsLBxUmFphyBraakmdGP3mR9ThUAEQEAAYkCPAQYAQoAJgIbDBYhBO230DBOL8r2 -Kd8RYwdXIfaiJAYKBQJdOMOgBQkPDFfaAAoJEAdXIfaiJAYKDLgP/iuh/Kppaem/ -wsRs6ehuCyEVz7ZJsKeq9ZL3d0jQy0CaFQRSICucptBeb14rTvf/i5+eEQI7E/bJ -9dLm1mepVS8M3wyn9+pP+Loa7bajEAD5ap08F88q56s+U70HO30qRHxp2yD9ZU0A -joX8pAIS/YaMicm1EFYajpyls/Jcyp2JG2AavRsrQ3iHvGv5Fc2/09E76lwje/Yh -royPhCrVm0adk6sxLfmKNiXBpLb5gzHR81oo20zk0+qYg2pRcVvfd6PvOcsrO4tl -K8kUMyfYixVKJu59xtMdg5ff6qlBrmTXkxyGb0t7VlhnX4UKcVU//+6b0TnBmUaG -61CZ4CGD2VvUMXcM0ihYl85g7+O9u/P2u3mhLX3xEa+rM4XpzqajL+jpt3CGQLkp -TnKZ8g1k9l7UkrHvVs/tBTCPvOEstzMwq2tWNuCbJ7Y9oB6FDPZGM3oFe2ubu2OH -MFT3KmOhD2jhWCXyB1hK/LOmINGfdfulBsK2KLKtKoJMWu2QLyMLa91l3AhzbH+s -7gQY6iC9rTy9qfHGOLTPjrHfkmrBky+KiDx1KVOnQvPqloLbKhkq1KHv8TAonqGK -THbU4Eod0DmWw80Z2zX7jV3BJs9VmDhr5NzpaZCVlrKrL+vIXzFClCYWQQMwfHpO -Yyq3xLVDG/Zs7LmgSAiEITxRFTR4qg7k -=r37a ------END PGP PUBLIC KEY BLOCK----- diff --git a/data/backup/keys/home.openhab.key.vault b/data/backup/keys/home.hass.key.vault similarity index 100% rename from data/backup/keys/home.openhab.key.vault rename to data/backup/keys/home.hass.key.vault diff --git a/data/backup/keys/home.openhab.pub b/data/backup/keys/home.hass.pub similarity index 100% rename from data/backup/keys/home.openhab.pub rename to data/backup/keys/home.hass.pub diff --git a/nodes/home.hass.toml b/nodes/home.hass.toml index b451d32..643a7a5 100644 --- a/nodes/home.hass.toml +++ b/nodes/home.hass.toml @@ -5,9 +5,6 @@ bundles = [ ] groups = ["debian-bullseye"] -[metadata.backups] -exclude_from_backups = true - [metadata.interfaces.enp1s0] ips = ["172.19.138.25/24"] gateway4 = "172.19.138.1" 
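Review bot: Dropping `exclude_from_backups = true` turns backups on for home.hass using the key pair this commit renames from `home.openhab.*` to `home.hass.*`, i.e. the private key that was deployed to the openhab VM now identifies the hass node towards the backup target. If the openhab VM or its disk image is not destroyed together with this change, any remaining copy of that key still matches whatever the backup target has configured for it; generating a fresh pair for home.hass and retiring the openhab one would avoid depending on the old VM being gone. Either way the commit message should state that the key is being reused on purpose. The `[metadata.interfaces.enp1s0]` table continues outside the hunk.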
diff --git a/nodes/home.openhab.toml b/nodes/home.openhab.toml deleted file mode 100644 index a2c0656..0000000 --- a/nodes/home.openhab.toml +++ /dev/null @@ -1,21 +0,0 @@ -hostname = "172.19.138.21" -bundles = ["nginx", "openhab"] -groups = ["debian-bullseye"] - -[metadata.interfaces.enp1s0] -ips = ["172.19.138.21/24"] -gateway4 = "172.19.138.1" -ipv6_accept_ra = true - -[metadata.nginx.vhosts.openhab] -ssl = "_.home.kunbox.net" - -[metadata.openhab] -domain = "openhab.home.kunbox.net" - -[metadata.openhab.java_opts] -"user.timezone" = "Europe/Berlin" - -[metadata.vm] -cpu = 2 -ram = 2 From c717e86f70457ceb5c13705236c3391216539c12 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 29 Jan 2023 07:03:28 +0100 Subject: [PATCH 041/996] bundles/homeassistant: fix website_check --- bundles/homeassistant/metadata.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/bundles/homeassistant/metadata.py b/bundles/homeassistant/metadata.py index 87855f8..feb1cd1 100644 --- a/bundles/homeassistant/metadata.py +++ b/bundles/homeassistant/metadata.py @@ -54,8 +54,8 @@ def nginx(metadata): 'vhosts': { 'homeassistant': { 'domain': metadata.get('homeassistant/domain'), - 'website_check_path': '/', - 'website_check_string': 'Homeassistant', + 'website_check_path': '/auth/authorize', + 'website_check_string': 'Home Assistant', 'locations': { '/': { 'target': 'http://127.0.0.1:8123', From 60585a3716805f448642073d701751c51b0bf9fc Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 29 Jan 2023 07:04:38 +0100 Subject: [PATCH 042/996] bundles/homeassistant: fix typo --- bundles/homeassistant/files/check_homeassistant_update | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/bundles/homeassistant/files/check_homeassistant_update b/bundles/homeassistant/files/check_homeassistant_update index d01d830..ff2b0d7 100644 --- a/bundles/homeassistant/files/check_homeassistant_update +++ b/bundles/homeassistant/files/check_homeassistant_update 
@@ -41,7 +41,7 @@ try: message = f"WARNING - stable version {stable_version} is lower than running version {running_version}, check if downgrade is necessary." else: status = 2 - message = f"CRITICAL - update necessary, running verison {running_version} is lower than stable version {stable_version}" + message = f"CRITICAL - update necessary, running version {running_version} is lower than stable version {stable_version}" except Exception as e: message = f"{message}: {repr(e)}" From 31e614ab3ba6c652ed0644a9d5ed12c28175e74d Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 29 Jan 2023 08:06:27 +0100 Subject: [PATCH 043/996] bundles/powerdns: allow exposing API to the world --- bundles/powerdns/metadata.py | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/bundles/powerdns/metadata.py b/bundles/powerdns/metadata.py index 57f46f5..3cf5d4e 100644 --- a/bundles/powerdns/metadata.py +++ b/bundles/powerdns/metadata.py @@ -211,8 +211,9 @@ def firewall(metadata): return { 'firewall': { 'port_rules': { - '53': atomic(metadata.get('powerdns/restrict-to', {'*'})), - '53/udp': atomic(metadata.get('powerdns/restrict-to', {'*'})), + '53': atomic(metadata.get('powerdns/restrict-to/dns', {'*'})), + '53/udp': atomic(metadata.get('powerdns/restrict-to/dns', {'*'})), + '8081': atomic(metadata.get('powerdns/restrict-to/api', set())), }, }, } From c93a4d0a99332310fed7532c8b2e098b5a70ee5e Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 29 Jan 2023 08:35:08 +0100 Subject: [PATCH 044/996] powerdns: switch to AXFR for secondarie --- bundles/powerdns/files/named.conf | 2 +- bundles/powerdns/files/pdns.conf | 2 ++ bundles/powerdns/items.py | 26 ++++++++++++++++++-------- groups/features.py | 4 ---- nodes/gce/bind01.py | 3 +++ 5 files changed, 24 insertions(+), 13 deletions(-) diff --git a/bundles/powerdns/files/named.conf b/bundles/powerdns/files/named.conf index 196e3f5..4154935 100644 --- a/bundles/powerdns/files/named.conf 
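Review bot: Renaming the metadata key from `powerdns/restrict-to` to `powerdns/restrict-to/dns` comes without a migration of node or group metadata in this commit, so a node that still sets `powerdns/restrict-to` to a set of sources would, depending on how `metadata.get` treats a non-dict at an intermediate path element, either error out or silently fall back to the `{'*'}` default and open port 53 to everyone; a grep for the old key before merging is cheap. For the new `'8081'` rule the default `set()` presumably means no source allowed, and since the following commit on this page binds the PowerDNS webserver to 0.0.0.0 this rule becomes the main control on the API port, so say so in place: `'8081': atomic(metadata.get('powerdns/restrict-to/api', set())),  # closed unless sources are listed; pdns webserver binds 0.0.0.0`. The `firewall` reactor continues outside the hunk.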
+++ b/bundles/powerdns/files/named.conf @@ -1,6 +1,6 @@ % for zone in sorted(zones): zone "${zone}" { file "/var/lib/powerdns/zones/${zone}"; - type native; + type master; }; % endfor diff --git a/bundles/powerdns/files/pdns.conf b/bundles/powerdns/files/pdns.conf index c88246f..7fcb1ca 100644 --- a/bundles/powerdns/files/pdns.conf +++ b/bundles/powerdns/files/pdns.conf @@ -27,6 +27,8 @@ superslave=yes api=yes api-key=${api_key} webserver=yes +webserver-address=0.0.0.0 +webserver-allow-from=0.0.0.0/0 allow-notify-from= diff --git a/bundles/powerdns/items.py b/bundles/powerdns/items.py index a6db93a..9444c2f 100644 --- a/bundles/powerdns/items.py +++ b/bundles/powerdns/items.py @@ -50,11 +50,11 @@ files = { '/etc/powerdns/pdns.conf': { 'content_type': 'mako', 'context': { - 'api_key': node.metadata['powerdns']['api_key'], - 'my_hostname': node.metadata['powerdns'].get('my_hostname', node.metadata.get('hostname')), - 'is_secondary': node.metadata['powerdns'].get('is_secondary', False), - 'my_primary_servers': node.metadata['powerdns'].get('my_primary_servers', set()), - 'my_secondary_servers': node.metadata['powerdns'].get('my_secondary_servers', set()), + 'api_key': node.metadata.get('powerdns/api_key'), + 'my_hostname': node.metadata.get('powerdns/my_hostname', node.metadata.get('hostname')), + 'is_secondary': node.metadata.get('powerdns/is_secondary', False), + 'my_primary_servers': node.metadata.get('powerdns/my_primary_servers', set()), + 'my_secondary_servers': node.metadata.get('powerdns/my_secondary_servers', set()), }, 'needs': { 'pkg_apt:pdns-server', 
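Review bot: `webserver-address=0.0.0.0` together with `webserver-allow-from=0.0.0.0/0` removes PowerDNS's own source filter on the API/webserver port, leaving the host firewall rule for 8081 (added in the previous commit, defaulting to no sources) and the API key as the only controls on an interface that can rewrite every zone. Keep the built-in filter as a second layer by rendering it from the same metadata the firewall rule uses, e.g. pass `api_allow_from` into the template context and emit `webserver-allow-from=${','.join(sorted(api_allow_from))}`, instead of the whole internet. Since this commit switches the secondaries to AXFR (`type master` in named.conf), also check that `allow-axfr-ips` is rendered from `my_secondary_servers` somewhere in pdns.conf — the hunk context does not show it and the PowerDNS default only permits loopback. The `% else:` branch this hunk sits in starts outside the hunk.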
@@ -142,12 +142,22 @@ if node.metadata.get('powerdns/features/bind', False): 'action:powerdns_reload_zones', }, } +else: + files['/etc/powerdns/named.conf'] = { + 'delete': True, + 'needed_by': { + 'svc_systemd:pdns', + }, + 'triggers': { + 'action:powerdns_reload_zones', + }, + } -if node.metadata.get('powerdns/features/pgsql', False): +if node.metadata.get('powerdns/features/pgsql', node.has_bundle('postgresql')): files['/etc/powerdns/pdns.d/pgsql.conf'] = { 'content_type': 'mako', 'context': { - 'password': node.metadata['postgresql']['roles']['powerdns']['password'], + 'password': node.metadata.get('postgresql/roles/powerdns/password'), }, 'needs': { 'pkg_apt:pdns-backend-pgsql', @@ -163,7 +173,7 @@ if node.metadata.get('powerdns/features/pgsql', False): files['/etc/powerdns/schema.pgsql.sql'] = {} actions['powerdns_load_pgsql_schema'] = { - 'command': node.metadata['postgresql']['roles']['powerdns']['password'].format_into('PGPASSWORD={} psql -h 127.0.0.1 -d powerdns -U powerdns -w < /etc/powerdns/schema.pgsql.sql'), + 'command': node.metadata.get('postgresql/roles/powerdns/password').format_into('PGPASSWORD={} psql -h 127.0.0.1 -d powerdns -U powerdns -w < /etc/powerdns/schema.pgsql.sql'), 'unless': 'sudo -u postgres psql -d powerdns -c "\dt" | grep domains 2>&1 >/dev/null', 'needs': { 'bundle:postgresql', diff --git a/groups/features.py b/groups/features.py index 4605270..54a58a7 100644 --- a/groups/features.py +++ b/groups/features.py @@ -12,10 +12,6 @@ groups['dns'] = { }, 'metadata': { 'powerdns': { - 'features': { - 'bind': True, - 'pgsql': True, - }, # Overridden in node metadata for primary server 'is_secondary': True, }, diff --git a/nodes/gce/bind01.py b/nodes/gce/bind01.py index a18d923..1575237 100644 --- a/nodes/gce/bind01.py +++ b/nodes/gce/bind01.py 
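Review bot: The new `'command'` line in the `@@ -163` hunk still interpolates the database password into the argument list as `PGPASSWORD={} psql ...`, so it is readable by any local user via the process table while the action runs and may also appear in the deploy output. The adjacent `'unless'` already authenticates as the `postgres` OS user via `sudo` without any password; loading the schema the same way (object ownership would then need a check), or supplying the credential through a protected `.pgpass`-style file, keeps it out of argv. While here, `"\dt"` in the `'unless'` string is an invalid escape in a non-raw Python string; it happens to be preserved literally, but a raw string would avoid the warning. The enclosing `if node.metadata.get('powerdns/features/pgsql', ...)` block starts outside this hunk.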
@@ -47,6 +47,9 @@ nodes['gce.bind01'] = { 'version': '15', }, 'powerdns': { + 'features': { + 'bind': True, + }, 'is_secondary': False, 'secondary_nameservers': 'dns', 'my_hostname': 'ns-1.kunbox.net', From 9684e94e4d4a018a9b2f3819db16622a40f02b36 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 29 Jan 2023 08:47:50 +0100 Subject: [PATCH 045/996] dns: switch everything but kunbox.net to psql --- .../files/bind-zones/cybert-media.net | 9 ------ .../bind-zones/die-brontosaurier-waren-es.org | 9 ------ .../files/bind-zones/eskalation.jetzt | 9 ------ .../files/bind-zones/flauschehorn.sexy | 15 --------- data/powerdns/files/bind-zones/kunbox.net | 4 +++ data/powerdns/files/bind-zones/kunsmann.eu | 31 ------------------- .../powerdns/files/bind-zones/trans-agenda.de | 4 --- .../powerdns/files/bind-zones/trans-agenda.eu | 22 ------------- 8 files changed, 4 insertions(+), 99 deletions(-) delete mode 100644 data/powerdns/files/bind-zones/cybert-media.net delete mode 100644 data/powerdns/files/bind-zones/die-brontosaurier-waren-es.org delete mode 100644 data/powerdns/files/bind-zones/eskalation.jetzt delete mode 100644 data/powerdns/files/bind-zones/flauschehorn.sexy delete mode 100644 data/powerdns/files/bind-zones/kunsmann.eu delete mode 100644 data/powerdns/files/bind-zones/trans-agenda.de delete mode 100644 data/powerdns/files/bind-zones/trans-agenda.eu diff --git a/data/powerdns/files/bind-zones/cybert-media.net b/data/powerdns/files/bind-zones/cybert-media.net deleted file mode 100644 index 9ce2544..0000000 --- a/data/powerdns/files/bind-zones/cybert-media.net +++ /dev/null @@ -1,9 +0,0 @@ -${header} - -$ORIGIN cybert-media.net. - -@ IN A 159.69.11.231 - IN AAAA 2a01:4f8:c2c:c410::1 - IN TXT "v=spf1 a ~all" - -www IN CNAME cybert-media.net. diff --git a/data/powerdns/files/bind-zones/die-brontosaurier-waren-es.org b/data/powerdns/files/bind-zones/die-brontosaurier-waren-es.org deleted file mode 100644 index 8633268..0000000 
--- a/data/powerdns/files/bind-zones/die-brontosaurier-waren-es.org +++ /dev/null @@ -1,9 +0,0 @@ -${header} - -$ORIGIN die-brontosaurier-waren-es.org. - -; ends up on rx300.kunbox.net -@ IN A 31.47.232.106 - IN AAAA 2a00:f820:528::2 - IN MX 10 rx300.kunbox.net. - IN TXT "v=spf1 mx ~all" diff --git a/data/powerdns/files/bind-zones/eskalation.jetzt b/data/powerdns/files/bind-zones/eskalation.jetzt deleted file mode 100644 index fc09ecc..0000000 --- a/data/powerdns/files/bind-zones/eskalation.jetzt +++ /dev/null @@ -1,9 +0,0 @@ -${header} - -$ORIGIN eskalation.jetzt. - - -queere IN NS ns1.athena7.eu. -queere IN NS ns2.athena7.eu. -queere IN NS ns3.athena7.eu. -queere IN NS ns4.athena7.eu. diff --git a/data/powerdns/files/bind-zones/flauschehorn.sexy b/data/powerdns/files/bind-zones/flauschehorn.sexy deleted file mode 100644 index accc22e..0000000 --- a/data/powerdns/files/bind-zones/flauschehorn.sexy +++ /dev/null @@ -1,15 +0,0 @@ -${header} - -$ORIGIN flauschehorn.sexy. - -@ IN A 5.189.140.103 - IN AAAA 2a02:c207:3002:8320:feed:f2c1:c0ff:ee - IN MX 10 rx300.kunbox.net. - IN TXT "v=spf1 mx ~all" - -_dmarc IN TXT "v=DMARC1; p=quarantine; rua=mailto:hostmaster@kunbox.net; ruf=mailto:postmaster@kunsmann.eu; fo=0:d:s; adkim=r; aspf=r" - -uO4aNejDvVdw8BKne3KJIqAvCQMJ0416._domainkey IN TXT ( "v=DKIM1; k=rsa; " - "p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnh5Ym9PO7r+wdOIKfopvHzn3KU3qT6IlCG/gvvbmIqoeFQfRbAe3gQmcG6RcLue55cJQGhI6y2r0lm59ZeoHR40aM+VabAOlplekM7xWmoXb/9vG2OZLIqAyF4I+7GQmTN6B9keBHp9SWtDUkI0B0G9neZ5MkXJP705M0duxritqQlb4YvCZwteHiyckKcg9aE9j+GF2EEawBoVDp" - "oveoB3+wgde3lWEUjjwKFtXNXxuN354o6jgXgPNWtIEdPMLfK/o0CaCjZNlzaLTsTegY/+67hdHFqDmm8zXO9s+Xiyfq7CVq21t7wDhQ2W1agj+up6lH82FMh5rZNxJ6XB0yQIDAQAB" -) ; diff --git a/data/powerdns/files/bind-zones/kunbox.net b/data/powerdns/files/bind-zones/kunbox.net index ba40c0b..f5555a6 100644 --- a/data/powerdns/files/bind-zones/kunbox.net +++ b/data/powerdns/files/bind-zones/kunbox.net 
@@ -10,6 +10,10 @@ $ORIGIN kunbox.net. IN MX 10 rx300 IN TXT "v=spf1 mx ~all" +; delegate acme stuff to psql-managed zone +_acme-challenge IN CNAME kunbox.net.le.kunbox.net +_acme-challenge.home IN CNAME home.kunbox.net.le.kunbox.net + ; Mail servers mta-sts IN CNAME rx300 diff --git a/data/powerdns/files/bind-zones/kunsmann.eu b/data/powerdns/files/bind-zones/kunsmann.eu deleted file mode 100644 index ed4ff73..0000000 --- a/data/powerdns/files/bind-zones/kunsmann.eu +++ /dev/null 
@@ -1,31 +0,0 @@ -${header} - -$ORIGIN kunsmann.eu. - -; ends up on rx300.kunbox.net -@ IN A 31.47.232.106 - IN AAAA 2a00:f820:528::2 - IN MX 10 rx300.kunbox.net. - IN TXT "v=spf1 mx ~all" - -git IN CNAME rx300.kunbox.net. -grafana IN CNAME influxdb.htz-cloud.kunbox.net. -icinga IN CNAME icinga2.ovh.kunbox.net. -influxdb IN CNAME influxdb.htz-cloud.kunbox.net. -luther-ps IN CNAME luther.htz-cloud.kunbox.net. -mta-sts IN CNAME rx300.kunbox.net. -statusmonitor.icinga IN CNAME icinga2.ovh.kunbox.net. - -_dmarc IN TXT "v=DMARC1; p=quarantine; rua=mailto:hostmaster@kunbox.net; ruf=mailto:postmaster@kunsmann.eu; fo=0:d:s; adkim=r; aspf=r" -_mta-sts IN TXT "v=STSv1;id=20201111;" -_smtp._tls IN TXT "v=TLSRPTv1;rua=mailto:hostmaster@kunbox.net" -_token._dnswl IN TXT "5mx0rv9ru8s1zz4tf4xlt48osh09czmg" - -2019._domainkey IN TXT ( "v=DKIM1; k=rsa; " - "p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwkg6UAcu3V98hal1UVf6yB0WT1CKDS0AK83CUlSP8bUwraPxkxK1nkQOUsmjbQs6a3FhdsKprMi32GeUaTVvZg81JIybPk3jNugfNWfSjs2TXPomYu+XD2pmmbR3cZlzC5NGR2nmBFt/P/S2ihPHj35KziiBIwK1TdvOi1M2+upCjK33Icco0ByCm0gJpD2O0cbqcBcUKqd6X440" - "vYhNXH1ygp0e91P0iRnvS9sg6yD0xjD8kD6j/8GfxBY+9bpU3EvDoBgyJSbjw5b6PUVJbKMXzw1NIRNj0SXKs5BakjS8+7u62vR11IPCYRwy+yr0rDT0tNegM7gStIIgoTpOoQIDAQAB" -) ; -uO4aNejDvVdw8BKne3KJIqAvCQMJ0416._domainkey IN TXT ( "v=DKIM1; k=rsa; " - "p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnh5Ym9PO7r+wdOIKfopvHzn3KU3qT6IlCG/gvvbmIqoeFQfRbAe3gQmcG6RcLue55cJQGhI6y2r0lm59ZeoHR40aM+VabAOlplekM7xWmoXb/9vG2OZLIqAyF4I+7GQmTN6B9keBHp9SWtDUkI0B0G9neZ5MkXJP705M0duxritqQlb4YvCZwteHiyckKcg9aE9j+GF2EEawBoVDp" - "oveoB3+wgde3lWEUjjwKFtXNXxuN354o6jgXgPNWtIEdPMLfK/o0CaCjZNlzaLTsTegY/+67hdHFqDmm8zXO9s+Xiyfq7CVq21t7wDhQ2W1agj+up6lH82FMh5rZNxJ6XB0yQIDAQAB" -) ; diff --git a/data/powerdns/files/bind-zones/trans-agenda.de b/data/powerdns/files/bind-zones/trans-agenda.de deleted file mode 100644 index 7da66d3..0000000 --- a/data/powerdns/files/bind-zones/trans-agenda.de +++ /dev/null 
@@ -1,4 +0,0 @@ -${header} - -$ORIGIN trans-agenda.de. - diff --git a/data/powerdns/files/bind-zones/trans-agenda.eu b/data/powerdns/files/bind-zones/trans-agenda.eu deleted file mode 100644 index 4c665ee..0000000 --- a/data/powerdns/files/bind-zones/trans-agenda.eu +++ /dev/null @@ -1,22 +0,0 @@ -${header} - -$ORIGIN trans-agenda.eu. - -@ IN MX 10 rx300.kunbox.net. - IN TXT "v=spf1 a mx ~all" - -mta-sts IN CNAME rx300.kunbox.net. - -_dmarc IN TXT "v=DMARC1; p=quarantine; rua=mailto:hostmaster@kunbox.net; ruf=mailto:postmaster@kunsmann.eu; fo=0:d:s; adkim=r; aspf=r" -_mta-sts IN TXT "v=STSv1;id=20201111;" -_smtp._tls IN TXT "v=TLSRPTv1;rua=mailto:hostmaster@kunbox.net" -_token._dnswl IN TXT "5mx0rv9ru8s1zz4tf4xlt48osh09czmg" - -2019._domainkey IN TXT ( "v=DKIM1; k=rsa; " - "p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwkg6UAcu3V98hal1UVf6yB0WT1CKDS0AK83CUlSP8bUwraPxkxK1nkQOUsmjbQs6a3FhdsKprMi32GeUaTVvZg81JIybPk3jNugfNWfSjs2TXPomYu+XD2pmmbR3cZlzC5NGR2nmBFt/P/S2ihPHj35KziiBIwK1TdvOi1M2+upCjK33Icco0ByCm0gJpD2O0cbqcBcUKqd6X440" - "vYhNXH1ygp0e91P0iRnvS9sg6yD0xjD8kD6j/8GfxBY+9bpU3EvDoBgyJSbjw5b6PUVJbKMXzw1NIRNj0SXKs5BakjS8+7u62vR11IPCYRwy+yr0rDT0tNegM7gStIIgoTpOoQIDAQAB" -) ; -uO4aNejDvVdw8BKne3KJIqAvCQMJ0416._domainkey IN TXT ( "v=DKIM1; k=rsa; " - "p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnh5Ym9PO7r+wdOIKfopvHzn3KU3qT6IlCG/gvvbmIqoeFQfRbAe3gQmcG6RcLue55cJQGhI6y2r0lm59ZeoHR40aM+VabAOlplekM7xWmoXb/9vG2OZLIqAyF4I+7GQmTN6B9keBHp9SWtDUkI0B0G9neZ5MkXJP705M0duxritqQlb4YvCZwteHiyckKcg9aE9j+GF2EEawBoVDp" - "oveoB3+wgde3lWEUjjwKFtXNXxuN354o6jgXgPNWtIEdPMLfK/o0CaCjZNlzaLTsTegY/+67hdHFqDmm8zXO9s+Xiyfq7CVq21t7wDhQ2W1agj+up6lH82FMh5rZNxJ6XB0yQIDAQAB" -) ; From cb2b01a2b48be7d02a2b1d31a54a667b5e8f733d Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 29 Jan 2023 08:56:13 +0100 Subject: [PATCH 046/996] dns: fix cname for acme-challenge --- data/powerdns/files/bind-zones/kunbox.net | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/data/powerdns/files/bind-zones/kunbox.net b/data/powerdns/files/bind-zones/kunbox.net index f5555a6..d1280bb 100644 --- a/data/powerdns/files/bind-zones/kunbox.net +++ b/data/powerdns/files/bind-zones/kunbox.net @@ -11,8 +11,8 @@ $ORIGIN kunbox.net. IN TXT "v=spf1 mx ~all" ; delegate acme stuff to psql-managed zone -_acme-challenge IN CNAME kunbox.net.le.kunbox.net -_acme-challenge.home IN CNAME home.kunbox.net.le.kunbox.net +_acme-challenge IN CNAME kunbox.net.le.kunbox.net. +_acme-challenge.home IN CNAME home.kunbox.net.le.kunbox.net. ; Mail servers mta-sts IN CNAME rx300 From 74d44535a82434a0b2b893e3c2a58479432f9d48 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 29 Jan 2023 09:11:02 +0100 Subject: [PATCH 047/996] dns: fix cname for acme-challenge --- data/powerdns/files/bind-zones/kunbox.net | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/data/powerdns/files/bind-zones/kunbox.net b/data/powerdns/files/bind-zones/kunbox.net index d1280bb..4eec895 100644 --- a/data/powerdns/files/bind-zones/kunbox.net +++ b/data/powerdns/files/bind-zones/kunbox.net @@ -11,8 +11,8 @@ $ORIGIN kunbox.net. IN TXT "v=spf1 mx ~all" ; delegate acme stuff to psql-managed zone -_acme-challenge IN CNAME kunbox.net.le.kunbox.net. -_acme-challenge.home IN CNAME home.kunbox.net.le.kunbox.net. +_acme-challenge IN CNAME _acme-challenge.kunbox.net.le.kunbox.net. +_acme-challenge.home IN CNAME _acme-challenge.home.kunbox.net.le.kunbox.net. ; Mail servers mta-sts IN CNAME rx300 From 2e6e6b663e21531c0be728c75c73f91bb022b854 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 29 Jan 2023 09:21:59 +0100 Subject: [PATCH 048/996] bundles/powerdns: also send out notify to all secondaries --- bundles/powerdns/items.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/bundles/powerdns/items.py b/bundles/powerdns/items.py index 9444c2f..7b5da8a 100644 --- a/bundles/powerdns/items.py +++ b/bundles/powerdns/items.py 
@@ -78,7 +78,7 @@ svc_systemd = { actions = { 'powerdns_reload_zones': { 'triggered': True, - 'command': 'pdns_control rediscover; pdns_control reload', + 'command': 'pdns_control rediscover; pdns_control reload; pdns_control notify \*', 'needs': { 'svc_systemd:pdns', }, From 932fd9e994cad8119a74f71a4d27dfda67f2d41e Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 29 Jan 2023 09:26:52 +0100 Subject: [PATCH 049/996] scripts/letsencrypt-wildcard: remove trailing dot from dns records we're now using a delegated zone, thus this is wrong there --- scripts/letsencrypt-wildcard | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/letsencrypt-wildcard b/scripts/letsencrypt-wildcard index 98eca7a..3d90231 100755 --- a/scripts/letsencrypt-wildcard +++ b/scripts/letsencrypt-wildcard @@ -39,7 +39,7 @@ then echo echo You must now provide this DNS record: - echo "$(tput bold)_acme-challenge.$domain. IN TXT $token_value$(tput sgr0)" + echo "$(tput bold)_acme-challenge.$domain IN TXT $token_value$(tput sgr0)" echo echo "Hit ENTER once it's available." read From a3218ac41f536d11ca867e82f4d588627477880a Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 29 Jan 2023 09:35:05 +0100 Subject: [PATCH 050/996] bundles/sshmon: fix hostname in check_forgejo_for_new_release --- bundles/sshmon/files/check_forgejo_for_new_release | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/bundles/sshmon/files/check_forgejo_for_new_release b/bundles/sshmon/files/check_forgejo_for_new_release index 99fb18d..3db5bcd 100644 --- a/bundles/sshmon/files/check_forgejo_for_new_release +++ b/bundles/sshmon/files/check_forgejo_for_new_release @@ -55,8 +55,9 @@ try: exit(2) else: print( - "Currently installed version {} matches newest release on github".format( - current_version + "Currently installed version {} matches newest release on {}".format( + current_version, + host, ) ) exit(0) 
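Review bot: `'... pdns_control notify \*'` is a non-raw Python string, so `\*` is an invalid escape sequence; CPython currently keeps the backslash and emits a DeprecationWarning (a SyntaxWarning from 3.12), which is the only reason the shell still receives `notify \*`. Writing it as `r'pdns_control rediscover; pdns_control reload; pdns_control notify \*'` or `'... notify \\*'` makes the intent explicit and warning-free. The three commands are `;`-chained, so a failing `rediscover` or `reload` still proceeds to `notify`; `&&` would let the action report the failure instead, if that is preferred. The `actions` dict continues outside the hunk.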
From 17aee0f6bb3a0e970f1b09b4deedeab24ac956c6 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 29 Jan 2023 09:35:29 +0100 Subject: [PATCH 051/996] update gitea to forgejo 1.18.2-1 --- bundles/gitea/items.py | 5 +---- nodes/rx300.py | 5 +++-- 2 files changed, 4 insertions(+), 6 deletions(-) diff --git a/bundles/gitea/items.py b/bundles/gitea/items.py index 2e2f518..e071483 100644 --- a/bundles/gitea/items.py +++ b/bundles/gitea/items.py @@ -40,10 +40,7 @@ files = { }, '/usr/local/bin/gitea': { 'content_type': 'download', - #'source': 'https://dl.gitea.io/gitea/{version}/gitea-{version}-linux-amd64'.format(version=node.metadata.get('gitea/version')), - 'source': 'https://github.com/go-gitea/gitea/releases/download/v{version}/gitea-{version}-linux-amd64'.format( - version=node.metadata.get('gitea/version'), - ), + 'source': node.metadata.get('gitea/url'), 'content_hash': node.metadata.get('gitea/sha1', None), 'mode': '0755', 'triggers': { diff --git a/nodes/rx300.py b/nodes/rx300.py index 56b8d7d..ba7d3ef 100644 --- a/nodes/rx300.py +++ b/nodes/rx300.py @@ -127,8 +127,9 @@ nodes['rx300'] = { }, }, 'gitea': { - 'version': '1.17.3', - 'sha1': 'a78611a3e799150fbae3d45d2bd276d95ccffcd8', + 'version': '1.18.2-1', + 'url': 'https://codeberg.org/attachments/81b83949-c44b-44ec-a74b-ff9cead25dac', + 'sha1': 'b51cc44979f3df17403c709c8a4521f627763168', 'domain': 'git.franzi.business', 'email_domain_blocklist': { 'aol.com', From a8e2e6b5adc59e3f4b64ef1e2fc7d5b96ae1712a Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 29 Jan 2023 09:40:38 +0100 Subject: [PATCH 052/996] bundles/gitea: adjust config for 1.18 --- bundles/gitea/files/app.ini | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/bundles/gitea/files/app.ini b/bundles/gitea/files/app.ini index a904681..b55f210 100644 --- a/bundles/gitea/files/app.ini +++ b/bundles/gitea/files/app.ini 
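Review bot: With `'source'` now taken verbatim from `gitea/url`, nothing ties the downloaded binary to `gitea/version` any more, and `'content_hash': node.metadata.get('gitea/sha1', None)` still leaves the hash optional, so a node that sets a URL but omits the hash installs an unverified executable into `/usr/local/bin`. Making the pin mandatory, `'content_hash': node.metadata.get('gitea/sha1'),` with no default, should turn a missing hash into an error at apply time rather than a silent unverified download. A comment stating that `gitea/url` and `gitea/sha1` must always be updated together would help the next version bump. The `files` dict starts outside this hunk.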
@@ -21,7 +21,6 @@ ROOT_URL = https://${domain}/ DISABLE_SSH = false SSH_PORT = 22 LFS_START_SERVER = true -LFS_CONTENT_PATH = /var/lib/gitea/data/lfs LFS_JWT_SECRET = ${lfs_secret_key} OFFLINE_MODE = true START_SSH_SERVER = false @@ -67,7 +66,7 @@ EMAIL_DOMAIN_BLOCKLIST = ${','.join(sorted(email_domain_blocklist))} [mailer] ENABLED = true -MAILER_TYPE = sendmail +PROTOCOL = sendmail FROM = "${app_name}" [session] From f6b0c587d01d71e114f14e9a66d4dcfe29f52381 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 29 Jan 2023 09:42:36 +0100 Subject: [PATCH 053/996] rename some gitea stuff to forgejo --- PORT_MAP.md | 2 +- bundles/gitea/metadata.py | 11 +++++------ nodes/rx300.py | 2 +- 3 files changed, 7 insertions(+), 8 deletions(-) diff --git a/PORT_MAP.md b/PORT_MAP.md index 7d9d4dc..a1725cb 100644 --- a/PORT_MAP.md +++ b/PORT_MAP.md @@ -36,7 +36,7 @@ Rule of thumb: keep ports below 10000 free for stuff that reserves ports. | 20090 | matrix-media-repo | prometheus metrics | | 21000 | pleroma | pleroma | | 21010 | grafana | grafana | -| 22000 | gitea | gitea | +| 22000 | gitea | forgejo | | 22010 | jenkins-ci | Jenkins CI | | 22020 | travelynx | Travelynx Web | | 22030 | octoprint | OctoPrint Web Interface | diff --git a/bundles/gitea/metadata.py b/bundles/gitea/metadata.py index 6785b4b..7a69b32 100644 --- a/bundles/gitea/metadata.py +++ b/bundles/gitea/metadata.py @@ -6,7 +6,7 @@ defaults = { }, }, 'gitea': { - 'app_name': 'Gitea', + 'app_name': 'Forgejo', 'database': { 'username': 'gitea', 'password': repo.vault.password_for('{} postgresql gitea'.format(node.name)), @@ -23,7 +23,7 @@ defaults = { 'icinga2_api': { 'gitea': { 'services': { - 'GITEA PROCESS': { + 'FORGEJO PROCESS': { 'command_on_monitored_host': '/usr/local/share/icinga/plugins/check_systemd_unit gitea', }, }, @@ -67,7 +67,7 @@ defaults = { @metadata_reactor.provides( - 'nginx/vhosts/gitea', + 'nginx/vhosts/forgejo', ) def nginx(metadata): if not node.has_bundle('nginx'): 
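Review bot: Dropping `LFS_CONTENT_PATH = /var/lib/gitea/data/lfs` means the LFS store location is now whatever the application defaults to rather than what this template states; if that default does not resolve to the same directory, existing LFS objects stop being served after the upgrade. Setting the replacement explicitly (the 1.18 configuration moves this to `PATH` under `[lfs]`) with the old directory, or at least a comment recording where the objects live, keeps the migration auditable. The `MAILER_TYPE` → `PROTOCOL` rename in the second hunk is the straightforward part.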
@@ -76,7 +76,7 @@ def nginx(metadata): return { 'nginx': { 'vhosts': { - 'gitea': { + 'forgejo': { 'domain': metadata.get('gitea/domain'), 'locations': { '/': { @@ -102,8 +102,7 @@ def icinga_check_for_new_release(metadata): 'icinga2_api': { 'gitea': { 'services': { - 'GITEA UPDATE': { - # this is only temporary. We will switch to forgejo once they have their first stable release. + 'FORGEJO UPDATE': { 'command_on_monitored_host': '/usr/local/share/icinga/plugins/check_forgejo_for_new_release codeberg.org forgejo/forgejo v{}'.format(metadata.get('gitea/version')), 'vars.notification.mail': True, 'check_interval': '60m', diff --git a/nodes/rx300.py b/nodes/rx300.py index ba7d3ef..996644a 100644 --- a/nodes/rx300.py +++ b/nodes/rx300.py @@ -327,7 +327,7 @@ nodes['rx300'] = { }, 'vhosts': { 'element-web': {'ssl': '_.franzi.business'}, - 'gitea': {'ssl': '_.franzi.business'}, + 'forgejo': {'ssl': '_.franzi.business'}, 'jenkins-ci': {'ssl': '_.franzi.business'}, 'matrix-dimension': {'ssl': '_.franzi.business'}, 'matrix-synapse': {'ssl': '_.franzi.business'}, From 6cec7e2c9c9099f1813a1ab90a5577fb81cfc02c Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 29 Jan 2023 09:43:49 +0100 Subject: [PATCH 054/996] rx300: update element-web to 1.11.20 --- nodes/rx300.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nodes/rx300.py b/nodes/rx300.py index 996644a..d0f1235 100644 --- a/nodes/rx300.py +++ b/nodes/rx300.py @@ -104,7 +104,7 @@ nodes['rx300'] = { }, 'element-web': { 'url': 'chat.franzi.business', - 'version': 'v1.11.17', + 'version': 'v1.11.20', 'config': { 'default_server_config': { 'm.homeserver': { From 733e4bf0e5a0e8d7ffc97a2ceb7d4c346cd09b35 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 29 Jan 2023 09:44:09 +0100 Subject: [PATCH 055/996] rx300: update mautrix-whatsapp to 0.8.1 --- nodes/rx300.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/nodes/rx300.py b/nodes/rx300.py index d0f1235..f241846 100644 --- a/nodes/rx300.py +++ b/nodes/rx300.py @@ -268,8 +268,8 @@ nodes['rx300'] = { }, }, 'mautrix-whatsapp': { - 'version': 'v0.8.0', - 'sha1': '4e561a96c8fae61edd8dee9abdd52b5146fa98b2', + 'version': 'v0.8.1', + 'sha1': '6c7645b83ed216786a25e9f45935a0170cf0b05c', 'homeserver': { 'domain': 'franzi.business', 'url': 'https://matrix.franzi.business', From 8df44410283b41bb39b31a84347554b576e42b66 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 29 Jan 2023 09:44:28 +0100 Subject: [PATCH 056/996] rx300: update netbox to 3.4.3 --- nodes/rx300.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nodes/rx300.py b/nodes/rx300.py index f241846..a815a65 100644 --- a/nodes/rx300.py +++ b/nodes/rx300.py @@ -306,7 +306,7 @@ nodes['rx300'] = { }, 'netbox': { 'domain': 'netbox.franzi.business', - 'version': 'v3.4.2', + 'version': 'v3.4.3', 'changelog_retention_days': 360, 'admins': { 'kunsi': 'hostmaster@kunbox.net', From 109914c0393e987141d31dd30505ce9cf52b035b Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 29 Jan 2023 10:04:47 +0100 Subject: [PATCH 057/996] bundles/powerdnsadmin: create virtualenv after packages are installed --- bundles/powerdnsadmin/items.py | 3 +++ 1 file changed, 3 insertions(+) diff --git a/bundles/powerdnsadmin/items.py b/bundles/powerdnsadmin/items.py index 3ccaecc..ea256ea 100644 --- a/bundles/powerdnsadmin/items.py +++ b/bundles/powerdnsadmin/items.py @@ -36,6 +36,9 @@ actions = { 'needs': { 'directory:/opt/powerdnsadmin', # provided by bundle:users }, + 'after': { + 'pkg_apt:', + }, }, 'powerdnsadmin_install_deps': { 'triggered': True, From 264ea3e8a743ac16469fd984eb479b7eaa208355 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 29 Jan 2023 10:13:26 +0100 Subject: [PATCH 058/996] bundles/systemd-networkd: remove isc-dhcp-client --- bundles/systemd-networkd/metadata.py | 3 +++ 1 file changed, 3 insertions(+) 
diff --git a/bundles/systemd-networkd/metadata.py b/bundles/systemd-networkd/metadata.py index 303e0f3..46cd893 100644 --- a/bundles/systemd-networkd/metadata.py +++ b/bundles/systemd-networkd/metadata.py @@ -1,6 +1,9 @@ defaults = { 'apt': { 'packages': { + 'isc-dhcp-client': { + 'installed': False, + }, 'resolvconf': { 'installed': False, }, From ef16a2d08104a382ccb496a64a07df8e105f0b48 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 29 Jan 2023 11:01:48 +0100 Subject: [PATCH 059/996] bundles/powerdns: rework zone file generation --- bundles/powerdns/items.py | 27 ++++++----------------- data/powerdns/files/bind-zones/kunbox.net | 12 +++++++++- 2 files changed, 18 insertions(+), 21 deletions(-) diff --git a/bundles/powerdns/items.py b/bundles/powerdns/items.py index 7b5da8a..2aad214 100644 --- a/bundles/powerdns/items.py +++ b/bundles/powerdns/items.py @@ -5,26 +5,12 @@ from subprocess import check_output zone_path = join(repo.path, 'data', 'powerdns', 'files', 'bind-zones') -ZONE_HEADER = """ -; _ ____ _ _ _____ _ _ _ _ ____ -; / \\ / ___| | | |_ _| | | | \\ | |/ ___| -; / _ \\| | | |_| | | | | | | | \\| | | _ -; / ___ \\ |___| _ | | | | |_| | |\\ | |_| | -; /_/ \\_\\____|_| |_| |_| \\___/|_| \\_|\\____| -; -; --> Diese Datei wird von BundleWrap verwaltet! <-- - -$TTL 60 -@ IN SOA ns-1.kunbox.net. hostmaster.kunbox.net. ( - {serial} - 3600 - 600 - 86400 - 300 - ) -""" +nameservers = set() for rnode in sorted(repo.nodes_in_group('dns')): - ZONE_HEADER += '@ IN NS {}.\n'.format(rnode.metadata.get('powerdns/my_hostname', rnode.metadata.get('hostname'))) + if not rnode.metadata.get('powerdns/is_secondary'): + # hide the primary nameserver from auto-generated nameserver lists + continue + nameservers.add(rnode.metadata.get('powerdns/my_hostname', rnode.metadata.get('hostname'))) directories = { '/etc/powerdns/pdns.d': { 
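Review bot: The comment says the primary is hidden from auto-generated NS lists, but the same commit hard-codes `ns-primary.kunbox.net.` as the SOA MNAME in the kunbox.net template, so the primary's name is still published in every zone using that template; if a genuinely hidden primary is intended, MNAME should name one of the listed secondaries, otherwise the comment should say the primary is only omitted from NS records. `rnode.metadata.get('powerdns/is_secondary')` has no default and relies on every `dns` group member inheriting `is_secondary` from groups/features.py (commit 044 keeps that default); `rnode.metadata.get('powerdns/is_secondary', False)` would make the loop robust to a node configured outside that group. In the `@@ -102` hunk, `sorted({f'@ IN NS {ns}.' for ns in nameservers})` builds a set from a set; `sorted(f'@ IN NS {ns}.' for ns in nameservers)` is equivalent without the extra pass. The rest of the `files[...]` construction lies outside these hunks.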
@@ -102,7 +88,8 @@ if node.metadata.get('powerdns/features/bind', False): files[f'/var/lib/powerdns/zones/{zone}'] = { 'content_type': 'mako', 'context': { - 'header': ZONE_HEADER.format(serial=serial), + 'NAMESERVERS': '\n'.join(sorted({f'@ IN NS {ns}.' for ns in nameservers})), + 'SERIAL': serial, 'metadata_records': node.metadata.get(f'powerdns/bind-zones/{zone}/records', []), }, 'source': f'bind-zones/{zone}', diff --git a/data/powerdns/files/bind-zones/kunbox.net b/data/powerdns/files/bind-zones/kunbox.net index 4eec895..25a0273 100644 --- a/data/powerdns/files/bind-zones/kunbox.net +++ b/data/powerdns/files/bind-zones/kunbox.net @@ -1,4 +1,14 @@ -${header} +$TTL 60 +@ IN SOA ns-primary.kunbox.net. hostmaster.kunbox.net. ( + ${SERIAL} + 3600 + 600 + 86400 + 300 + ) + + +${NAMESERVERS} $ORIGIN kunbox.net. From 55bebda4d4b52a46542ef3e8edacba600ec5556a Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 29 Jan 2023 11:02:49 +0100 Subject: [PATCH 060/996] bundles/powerdns: fix socket path for telegraf --- bundles/powerdns/metadata.py | 24 ++++++++++++++---------- 1 file changed, 14 insertions(+), 10 deletions(-) diff --git a/bundles/powerdns/metadata.py b/bundles/powerdns/metadata.py index 3cf5d4e..5a2cc41 100644 --- a/bundles/powerdns/metadata.py +++ b/bundles/powerdns/metadata.py @@ -43,7 +43,11 @@ if node.has_bundle('telegraf'): defaults['telegraf'] = { 'input_plugins': { 'builtin': { - 'powerdns': [{}], + 'powerdns': [{ + 'unix_sockets': [ + '/var/run/pdns/pdns.controlsocket', + ], + }], }, }, 'additional_groups': { 
@@ -186,16 +190,16 @@ def hosts_entries_for_all_dns_servers(metadata): if rnode.name == node.name: continue - ip = rnode.metadata.get('external_ipv4') + found_ips = repo.libs.tools.resolve_identifier(repo, rnode.name) + for ip in sorted(found_ips['ipv4']): + if not ip.is_private: + entries[str(ip)] = { + rnode.metadata.get('hostname'), + rnode.name, + } - if ip: - entries[ip] = { - rnode.metadata.get('hostname'), - rnode.name, - } - - if rnode.metadata.get('powerdns/my_hostname', None): - entries[ip].add(rnode.metadata.get('powerdns/my_hostname')) + if rnode.metadata.get('powerdns/my_hostname', None): + entries[str(ip)].add(rnode.metadata.get('powerdns/my_hostname')) return { 'hosts': { From 7bd8237876f651221e4dc127c31aa1d6c645c269 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 29 Jan 2023 11:03:38 +0100 Subject: [PATCH 061/996] bashrc: add 'ipa' alias --- bundles/users/files/bashrc | 1 + 1 file changed, 1 insertion(+) diff --git a/bundles/users/files/bashrc b/bundles/users/files/bashrc index 0a21add..2b2729d 100644 --- a/bundles/users/files/bashrc +++ b/bundles/users/files/bashrc @@ -36,6 +36,7 @@ export EDITOR=vim export VISUAL=vim alias ipb='ip -brief --color=auto' +alias ipa='ip -brief --color=always addr show; echo; ip --color=always route show; ip -6 --color=always route show' alias l='ls -lAh' alias s='sudo -i' alias v='vim -p' From eeceebfd2351f9b90a7521e57b91ce33a5641b63 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 29 Jan 2023 11:05:57 +0100 Subject: [PATCH 062/996] dns: add new primary nameserver --- data/backup/keys/ns-primary.key.vault | 1 + data/backup/keys/ns-primary.pub | 1 + nodes/gce/bind01.py | 28 ----------------- nodes/ns-primary.toml | 43 +++++++++++++++++++++++++++ 4 files changed, 45 insertions(+), 28 deletions(-) create mode 100644 data/backup/keys/ns-primary.key.vault create mode 100644 data/backup/keys/ns-primary.pub create mode 100644 nodes/ns-primary.toml 
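Review bot: `entries[str(ip)].add(...)` in the new `my_hostname` branch indexes a key that is only created when `not ip.is_private` held for that address, so a node whose (last) resolved IPv4 address is private raises `KeyError`, and if `found_ips['ipv4']` is empty `ip` is never bound at all; the collapsed layout hides whether that `if` sits inside the loop, but either placement has the problem. Move the two `my_hostname` lines inside the `if not ip.is_private:` block, or build the name set once before the loop and assign a copy per public address, so the `add` only touches keys that exist. `hosts_entries_for_all_dns_servers` begins and ends outside the hunk.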
diff --git a/data/backup/keys/ns-primary.key.vault b/data/backup/keys/ns-primary.key.vault new file mode 100644 index 0000000..52bb656 --- /dev/null +++ b/data/backup/keys/ns-primary.key.vault @@ -0,0 +1 @@ +encrypt$gAAAAABj1jTasX0XOFRWh7F0pxNgMoJIjrblvqOM8ohGVCsvVyMEQDiOmGaJCs9lW-lbeghlzRpiC8P7CNot6OOeNXBYWmxN_HgN3J2p6Q5-XoSJ62NUJWQNRNNENuiN1Yy0g0MREk4gVsNh8-VeoXuKgyLEXJQJI-SYLzl8faZoBnQGTK4FbTAiN6KSB4EbTPwxx-8dYp8kNIj4ipBjkQKNu-mXuVvdnf5fTUwTCQx6rz7yjlp7DOPuSJDASg5bE33dd8gt89grW5vBKeEnQsi7hpJCJF5vNfRay89IKfjf6UqxJHKCmS2tIWQ9Kz4Tv41MnNR0-jvnULq7TWcnqwo_SKb8JRLUA3dH2wLiOUu7aApYSkeSNiul2ILCtBPsjY_eWzqdd3tkpJBErOcFVe2mdjVRSIUOXTM_T3nNWCJgn5TxD4qbHklZoCaM6Ey9P_yQj-sSRGizgcDhGiqY8xJNmwbWz9IH5a_Fs6iRVhAh6VzSa1ZAKxcum87dj-KVA_SjG9hy7Dy28xK0D4NoSpYFOkEz4VHpa1tP0t8QJ2WtQiw-qjHFzokkIINEUKUPIBg6t_5oedJ24YMnyyzBZ2_uQ1HFVFjBx-7Iw73bTPNluVwXkobzEnrYFwDsEXGE6tR0HjbteNxj \ No newline at end of file diff --git a/data/backup/keys/ns-primary.pub b/data/backup/keys/ns-primary.pub new file mode 100644 index 0000000..442d8b9 --- /dev/null +++ b/data/backup/keys/ns-primary.pub @@ -0,0 +1 @@ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL+FCn1sWP74+lVAyaXDpXxCCauh6LC2KEJmIMhDEYvJ kunsi@kunsi-p14s.kunbox.net diff --git a/nodes/gce/bind01.py b/nodes/gce/bind01.py index 1575237..7239082 100644 --- a/nodes/gce/bind01.py +++ b/nodes/gce/bind01.py @@ -3,19 +3,12 @@ nodes['gce.bind01'] = { 'hostname': '34.89.208.78', - 'bundles': { - 'nodejs', - 'powerdnsadmin', - }, 'groups': { 'debian-bullseye', 'dns', - 'webserver', }, 'metadata': { 'backups': { - # This is the primary DNS server. However, we only use - # replication for DynDNS, currently. No need for backups here. 'exclude_from_backups': True, }, 'interfaces': { 
@@ -30,33 +23,12 @@ nodes['gce.bind01'] = { 'icinga_options': { 'pretty_name': 'ns-1.kunbox.net', }, - 'nginx': { - 'vhosts': { - 'ns-1.kunbox.net': { - 'locations': { - '/': { - 'target': 'http://127.0.0.1:8000/', - }, - }, - 'website_check_path': '/login', - 'website_check_string': 'PowerDNS', - }, - }, - }, 'postgresql': { 'version': '15', }, 'powerdns': { - 'features': { - 'bind': True, - }, - 'is_secondary': False, - 'secondary_nameservers': 'dns', 'my_hostname': 'ns-1.kunbox.net', }, - 'powerdnsadmin': { - 'version': 'v0.3.0', - }, 'vm': { 'cpu': 1, 'ram': 1, diff --git a/nodes/ns-primary.toml b/nodes/ns-primary.toml new file mode 100644 index 0000000..885b1f2 --- /dev/null +++ b/nodes/ns-primary.toml @@ -0,0 +1,43 @@ +hostname = "82.165.52.168" +bundles = [ + "nodejs", + "powerdnsadmin", +] +groups = [ + "debian-bullseye", + "dns", + "webserver", +] + +[metadata.interfaces.ens192] +ips = [ + "82.165.52.168", + "2001:8d8:1801:7d4::1/64", +] +gateway4 = "10.255.255.1" +gateway6 = "fe80::250:56ff:fea8:628f" + +[metadata.icinga_options] +pretty_name = "ns-primary.kunbox.net" + +[metadata.nginx.vhosts."ns-primary.kunbox.net"] +website_check_path = "/login" +website_check_string = "PowerDNS" + +[metadata.nginx.vhosts."ns-primary.kunbox.net".locations."/"] +target = "http://127.0.0.1:8000/" + +[metadata.postgresql] +version = "15" + +[metadata.powerdns] +is_secondary = false +secondary_nameservers = "dns" +features.bind = true + +[metadata.powerdnsadmin] +version = "v0.3.0" + +[metadata.vm] +cpu = 2 +ram = 2 From 53e189c644017fb5b799b68b2120773873714054 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 29 Jan 2023 11:14:31 +0100 Subject: [PATCH 063/996] ssl: bump _.home.kunbox.net --- data/ssl/_.home.kunbox.net.crt.pem | 36 ++++++++++++------------ data/ssl/_.home.kunbox.net.key.pem.vault | 2 +- 2 files changed, 19 insertions(+), 19 deletions(-) 
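Review bot: The `ns-primary.kunbox.net` vhost in nodes/ns-primary.toml is declared without an `ssl` key, whereas the rx300 vhosts changed in this series set one explicitly; if the nginx bundle does not provision a certificate by default, PowerDNS-Admin's `/login` form on this host would accept credentials over plain HTTP, which is worth confirming before the node goes live. `ips` gives the IPv4 address without a prefix length while the IPv6 entry carries `/64`, and `gateway4 = "10.255.255.1"` is not adjacent to the address, so how the interfaces bundle treats a bare address (on-link `/32` route or otherwise) should be checked as well. The removal of `is_secondary: False` from bind01.py on this line intentionally lets that node fall back to the `dns` group default.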
diff --git a/data/ssl/_.home.kunbox.net.crt.pem b/data/ssl/_.home.kunbox.net.crt.pem index 317b57b..7449694 100644 --- a/data/ssl/_.home.kunbox.net.crt.pem +++ b/data/ssl/_.home.kunbox.net.crt.pem 
@@ -1,27 +1,27 @@ -----BEGIN CERTIFICATE----- -MIIEijCCA3KgAwIBAgISA7oUZzeuZgmxMvP1zm5RtCGYMA0GCSqGSIb3DQEBCwUA +MIIEijCCA3KgAwIBAgISA28YyqkbxYen4u/lcNEqBY7lMA0GCSqGSIb3DQEBCwUA MDIxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQD -EwJSMzAeFw0yMjExMDYwNjA3MTdaFw0yMzAyMDQwNjA3MTZaMBoxGDAWBgNVBAMT -D2hvbWUua3VuYm94Lm5ldDB2MBAGByqGSM49AgEGBSuBBAAiA2IABDcmJYSIKimG -w9hUy0guhMoubPJ+QcSioL4TjuqKmgVCXXEHzkGuaCQTwRX7BiHOyH+3nqcm7N1x -qF5rucOxJoKgGW40ZjemdWAVDGYm3euEU0Td0V+L6z/L/cWe25YwoKOCAl4wggJa +EwJSMzAeFw0yMzAxMjkwOTE0MjZaFw0yMzA0MjkwOTE0MjVaMBoxGDAWBgNVBAMT +D2hvbWUua3VuYm94Lm5ldDB2MBAGByqGSM49AgEGBSuBBAAiA2IABCsS8YhWoIvn +yMOjY8LtjQ8+Pa58DBckQ1lnktMo1T3bfwxMxTGH+iYdOT4kHWOen6aNzdXqrerA +YjTN/MRBCR8tMZglzmshUG7qpzI/s89QSL6+KoCV5Pl0mEWLSvrLFKOCAl4wggJa MA4GA1UdDwEB/wQEAwIHgDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIw -DAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQUJkY/Eq6HUOrPZyW+Y+4/uiG0/8swHwYD +DAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQUtCIXQGA7PP7mGdMLuN3nYsynu4wwHwYD VR0jBBgwFoAUFC6zF7dYVsuuUAlA5h+vnYsUwsYwVQYIKwYBBQUHAQEESTBHMCEG CCsGAQUFBzABhhVodHRwOi8vcjMuby5sZW5jci5vcmcwIgYIKwYBBQUHMAKGFmh0 dHA6Ly9yMy5pLmxlbmNyLm9yZy8wLQYDVR0RBCYwJIIRKi5ob21lLmt1bmJveC5u ZXSCD2hvbWUua3VuYm94Lm5ldDBMBgNVHSAERTBDMAgGBmeBDAECATA3BgsrBgEE AYLfEwEBATAoMCYGCCsGAQUFBwIBFhpodHRwOi8vY3BzLmxldHNlbmNyeXB0Lm9y -ZzCCAQUGCisGAQQB1nkCBAIEgfYEgfMA8QB3AK33vvp8/xDIi509nB4+GGq0Zyld -z7EMJMqFhjTr3IKKAAABhEvD2XwAAAQDAEgwRgIhAMzxM2rXgjZDrPm6jKHUS4u3 -BxokYdBgO63klZ5iuEyLAiEAinyT+YKDotIyWcUHvl0tpANYq+XlJaELvg7aCcwj -3MgAdgC3Pvsk35xNunXyOcW6WPRsXfxCz3qfNcSeHQmBJe20mQAAAYRLw9tCAAAE -AwBHMEUCIQDTNayLb2lW5oNnj1bJaqbcOnjOktsPSYUGaokd6iBeUQIgOak7kR7e -rAvW3CwA1QSZgqRHLn86UFfGc0pVHNDb3e4wDQYJKoZIhvcNAQELBQADggEBABdr -R6NgzfgNT2WVTpZOpgLEPO58WKBEofMtVTRDjDKinSvDUFRhJAEjoXKxZXtEG+yH -VhGGLcmh+6mn8+8yz1qEngA3uGiHS533aOUbP3cCbfqRCeuKMS+5ojjOlKb3xZj4 -uRGvxw90wY3RYwn8k3/beEs+TaNnFU+NtBwScy+/8aRHG5rBQjdBWZHpcB4/wT0V -cLakTharwRHVw11GFlEk60k2JMEtCLkBjKq/CpbusQZHd1uVyzhWC802lWRqY4nq 
-YTO3Z8FNRGOaHVcydX6wMlQg/t+1hYgCC6HWhuOf8AOr+kkg4zSdv0YvAYuOzY8X -sc1/2y3z9deYm4qHw/w= +ZzCCAQUGCisGAQQB1nkCBAIEgfYEgfMA8QB2ALc++yTfnE26dfI5xbpY9Gxd/ELP +ep81xJ4dCYEl7bSZAAABhf0FYYAAAAQDAEcwRQIgLCh9130fH81/vY6Ps7inMh3l +GEM8GPiDEHk68oq2R9wCIQCnHdc9Seo+qTRnc6DcoKvyC9azNFEZBiikMgoIJkyq +6gB3AHoyjFTYty22IOo44FIe6YQWcDIThU070ivBOlejUutSAAABhf0FYZgAAAQD +AEgwRgIhAM3M2KLdUfIiqVgaMqIH1ust2lUjR10gwN8juONeXZoMAiEA2KArQKYG +GbhN/dWqht+So4Ni3/K5Vwcfb91ewthPR6swDQYJKoZIhvcNAQELBQADggEBALhs +LaBZ27UoZOqukblSD8EyoLnJ3Cplg1r3J9+e4QNzySjsDpYr/w+Y4mUT/nGAGgGL +4b1cHD57XnQB1yvB3Dv9aowg+Udo4eTNY41FMgouYhYFowi5gWYoQhpIFOpwvd0v +Cmrl4PPta2Ytbg/FMNxOt47E0sUL2zASMCKTKcPsIpcpEG7w8jBGcCX7e3NCG36z +K4jZqW3Pd3BZe1e7ywUyF/SSw38Pv1rFbBxuSh+kDjQfcOWN75oOyyKgcLsGBxfy +850WclzgMTnRRlZGaiUTVQ7uPkB44DIhTT6afxPMDKrtRLkd5LHownE3NPUTyfDx +cK9weiaIniziAnEjUr4= -----END CERTIFICATE----- diff --git a/data/ssl/_.home.kunbox.net.key.pem.vault b/data/ssl/_.home.kunbox.net.key.pem.vault index 6dd0aa4..f3cc906 100644 --- a/data/ssl/_.home.kunbox.net.key.pem.vault +++ b/data/ssl/_.home.kunbox.net.key.pem.vault 
@@ -1 +1 @@ -encrypt$gAAAAABjZ10mtywN2Tx7b0-sZywDVcNo5gQbnzjwlMjQPktMwmRBwGMbQVcwuGhhopu5vd4Ztw8aGO5lf-SQmLWgdpR4aIrPNx1Iu4urF2LMV-BMLSgmF85ADQzlbiBvrzGAnIoVUjwXYyGj1Wst4feWMKBDc_kThinYhSplMZ_yjEbMj0eMGRzjSclkvAm24KWi7l_LQAklRELuQQyopHDo47AxehNI-nvLfO0FfXZJpkdrMV1V8lSqyXwBSW3McJKH8bbmVEX8qq-mNntBNpe3n5V2ninj72aC0D572hfMp-jKC6xccf-CqnmX1qaWGGj1yiFDdBxfOSU-kO6204BVtfspMtkI75YAYE_7aA-GUiHfXaNHvDhf2uMb8ssbJUdvGS_oLx1qnKiyeyJ6RRhl71xxXjNEo0hPYYY1BGj6hjq30R8aGknkQNCjyCD87Sc7qh95KpMmY4d82xI70xeS4mk8hEgCow== \ No newline at end of file +encrypt$gAAAAABj1kcBpq8c_Ez3JkYJIB0evClkcblewwzBEbl4rfcd-3Z2xFlQ8OggIxGdlLGWjIN_ZBaENvXcqy4ZYlwpXgqrZJpBao8WyovZiKLK759r8qVRjbIBvHnH90t_JZ3-MydlpD1mUzHUy5oQq5Qn8jLoRTzHE2TM8VyhaBkMVQ9gacHdqNGW6dsvCRzXCQM1CNqs8pyc8nQxdARjv_FGwSeZlCxcYPSLEBeE-Hf-wJyVWnG7oyq9XKUyI8NWLPQNwWUjzMgKwumtDh21goRsSRAtLLFmqE_iU1IyZYwNh4J3SBMZKBl0fATtHXhnW1_k-RA1-l54PFMTR0KgS-uxYtqZ1Az0t1KEfEvyzfHAQLJ8RIwOOVtPNUvhSiMHr3jG0WpxymilOLfjFpnCZ8E_CA6L8hmytXEBfoM4ZHMCWzOIe_9tIKcMS146NOzaPnCXpKFganNuvV_S7zEn33zv-jYEHD4d8A== \ No newline at end of file From 527181bba82bd70030959724a38ac5f5da85ec71 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 29 Jan 2023 11:15:59 +0100 Subject: [PATCH 064/996] home.router: fix dyndns hostname --- nodes/home/router.py | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/nodes/home/router.py b/nodes/home/router.py index d033c1c..d7a7d20 100644 --- a/nodes/home/router.py +++ b/nodes/home/router.py 
@@ -133,13 +133,13 @@ nodes['home.router'] = { 'interface': 'enp1s0.100', 'dyndns': { 'domain': 'franzi-home.kunbox.net', - 'url': 'https://ns-1.kunbox.net/nic/update?hostname=franzi-home.kunbox.net&myip={ip}', + 'url': 'https://ns-primary.kunbox.net/nic/update?hostname=franzi-home.kunbox.net&myip={ip}', 'username': vault.decrypt('encrypt$gAAAAABfr8DLAJhmUIhdxLq83I8MnRRvkRgDZcO8Brvw1KpvplC3K8ZGj0jIIWD3Us33vIP6t0ybd_mgD8slpRUk78Kqd3BMoQ=='), 'password': vault.decrypt('encrypt$gAAAAABfr8Cq5M1hweeJTQAl0dLhFntdlw-QnkIYUQpY-_ycODVWOpyeAwjwOgWLSdsdXIUvqcoiXPZPV-BE12p5C42NGnj9r7sKYpoGz8xfuGIk6haMa2g='), }, 'nftables-rules.d': { - 'inet filter forward iif enp1s0.23 oif $INTERFACE accept', - 'inet filter forward iif enp1s0.42 accept', + 'inet filter forward iifname enp1s0.23 oif $INTERFACE accept', + 'inet filter forward iifname enp1s0.42 accept', }, }, 'unbound': { From 077b25f67eaf39e84025502201c9426f4c6ee3f9 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Thu, 2 Feb 2023 19:29:28 +0100 Subject: [PATCH 065/996] bundles/miniflux: repo has changed ... also now everything is unsigned, yeaaaaaaaaaaaah --- bundles/miniflux/metadata.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/bundles/miniflux/metadata.py b/bundles/miniflux/metadata.py index 8c51627..b14fd15 100644 --- a/bundles/miniflux/metadata.py +++ b/bundles/miniflux/metadata.py @@ -6,7 +6,7 @@ defaults = { 'repos': { 'miniflux': { 'items': { - 'deb https://apt.miniflux.app/ /', + 'deb [trusted=yes] https://repo.miniflux.app/apt/ /', }, }, }, From 7dcad0d58459489066298a77e93a7a6ea2465ce6 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sat, 4 Feb 2023 16:30:53 +0100 Subject: [PATCH 066/996] update element-web to 1.11.22 --- nodes/htz-cloud/miniserver.py | 2 +- nodes/rx300.py | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/nodes/htz-cloud/miniserver.py b/nodes/htz-cloud/miniserver.py index 2def17e..6868583 100644 --- a/nodes/htz-cloud/miniserver.py 
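Review bot: The `iif` → `iifname` change in `nftables-rules.d` is not covered by the subject ("fix dyndns hostname") and it is a semantic change, not a spelling fix: `iif` resolves `enp1s0.23`/`enp1s0.42` to an interface index when the ruleset is loaded and refuses to load if the VLAN interface does not exist yet, whereas `iifname` compares the name per packet and keeps matching after the interface is recreated. The first rule now mixes both forms (`iifname enp1s0.23 oif $INTERFACE`); if `$INTERFACE` is a PPP link that only appears after the ruleset is loaded — the surrounding `'interface': 'enp1s0.100'` and `dyndns` keys suggest this is the pppd section — `oifname $INTERFACE` is the consistent and robust form, so either switch it or add a comment such as `# oif on purpose: <reason>` explaining why the index form is wanted there. Either way the commit message should mention the firewall change. The enclosing `nodes['home.router']` dict continues outside the hunk.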
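Review bot: `[trusted=yes]` disables APT signature checking for `repo.miniflux.app`, so the only thing between that host (or anyone who can terminate TLS for it) and root on every node carrying this bundle is the HTTPS connection — and an unsigned source is not limited to `miniflux`: it can publish a higher version of any package on the system and win the next `apt upgrade`. The commit body accepts that the packages are unsigned, but nothing here confines the blast radius; if the apt bundle can manage preferences, pin the origin so only the one package may come from it, e.g. `Package: *` / `Pin: origin repo.miniflux.app` / `Pin-Priority: -1` followed by `Package: miniflux` / `Pin: origin repo.miniflux.app` / `Pin-Priority: 500`, or fetch the `.deb` with a pinned digest the way the gitea bundle's `url`/`sha1` pair in nodes/rx300.py does. Also leave a comment on the line, `# upstream stopped signing their repo; confined via apt preferences`, so the next reader does not take `trusted=yes` for an oversight.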
+++ b/nodes/htz-cloud/miniserver.py @@ -62,7 +62,7 @@ nodes['htz-cloud.miniserver'] = { }, 'element-web': { 'url': 'chat.sophies-kitchen.eu', - 'version': 'v1.11.20', + 'version': 'v1.11.22', 'config': { 'default_server_config': { 'm.homeserver': { diff --git a/nodes/rx300.py b/nodes/rx300.py index a815a65..3fea25f 100644 --- a/nodes/rx300.py +++ b/nodes/rx300.py @@ -104,7 +104,7 @@ nodes['rx300'] = { }, 'element-web': { 'url': 'chat.franzi.business', - 'version': 'v1.11.20', + 'version': 'v1.11.22', 'config': { 'default_server_config': { 'm.homeserver': { From 1906e7c25689bc1be6c3da4ba67331cf6715c3b6 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 5 Feb 2023 17:24:50 +0100 Subject: [PATCH 067/996] bundles/gitea: derive version number from installed gitea --- bundles/gitea/metadata.py | 16 +++++----------- 1 file changed, 5 insertions(+), 11 deletions(-) diff --git a/bundles/gitea/metadata.py b/bundles/gitea/metadata.py index 7a69b32..2b9bcbe 100644 --- a/bundles/gitea/metadata.py +++ b/bundles/gitea/metadata.py @@ -26,6 +26,11 @@ defaults = { 'FORGEJO PROCESS': { 'command_on_monitored_host': '/usr/local/share/icinga/plugins/check_systemd_unit gitea', }, + 'FORGEJO UPDATE': { + 'command_on_monitored_host': '/usr/local/share/icinga/plugins/check_forgejo_for_new_release codeberg.org forgejo/forgejo v$(gitea --version | cut -d" " -f3)', + 'vars.notification.mail': True, + 'check_interval': '60m', + }, }, }, }, @@ -99,15 +104,4 @@ def nginx(metadata): ) def icinga_check_for_new_release(metadata): return { - 'icinga2_api': { - 'gitea': { - 'services': { - 'FORGEJO UPDATE': { - 'command_on_monitored_host': '/usr/local/share/icinga/plugins/check_forgejo_for_new_release codeberg.org forgejo/forgejo v{}'.format(metadata.get('gitea/version')), - 'vars.notification.mail': True, - 'check_interval': '60m', - }, - }, - }, - }, } From bb1b430d162258631c8e0a837c57c87d25ccf363 Mon Sep 17 00:00:00 2001 
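Review bot: `icinga_check_for_new_release` is now a reactor whose body is `return { }`, while the `@metadata_reactor.provides(...)` decorator just above the hunk still advertises the service path it no longer fills — delete the function together with its decorator, or comment why the stub must remain, otherwise the next reader assumes the check is still generated here. The replacement in `defaults` computes the installed version at check time with `v$(gitea --version | cut -d" " -f3)`, which relies on Icinga running `command_on_monitored_host` through a shell and on `gitea` being on that user's PATH; it also assumes the third whitespace-separated field is the bare tag minus `v`, and if the binary reports `1.18.3` while the Codeberg release is tagged `v1.18.3-1` (the `-N` suffix the rx300 node used to pin in `'version': '1.18.2-1'`), the comparison in `check_forgejo_for_new_release` may keep reporting an update — confirm how the plugin compares, and note the assumption next to the command, e.g. `# assumes `gitea --version` prints "Gitea version X.Y.Z ..." — field 3 is the version`.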
From: Franziska Kunsmann Date: Sun, 5 Feb 2023 17:25:18 +0100 Subject: [PATCH 068/996] rx300: update forgejo to 1.18.3-0 --- nodes/rx300.py | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/nodes/rx300.py b/nodes/rx300.py index 3fea25f..c3c569c 100644 --- a/nodes/rx300.py +++ b/nodes/rx300.py @@ -127,9 +127,8 @@ nodes['rx300'] = { }, }, 'gitea': { - 'version': '1.18.2-1', - 'url': 'https://codeberg.org/attachments/81b83949-c44b-44ec-a74b-ff9cead25dac', - 'sha1': 'b51cc44979f3df17403c709c8a4521f627763168', + 'url': 'https://codeberg.org/attachments/af34fbfc-d651-41b1-aaff-2b9cc7134051', + 'sha1': '9560cf3f84031583d374cef57d20d6da8c07a2f6', 'domain': 'git.franzi.business', 'email_domain_blocklist': { 'aol.com', From 6f9fb78d4e2d25d15017fb1dd5020b19eaf02fe6 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 5 Feb 2023 17:25:37 +0100 Subject: [PATCH 069/996] rx300: update netbox to 3.4.4 --- nodes/rx300.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nodes/rx300.py b/nodes/rx300.py index c3c569c..26b3799 100644 --- a/nodes/rx300.py +++ b/nodes/rx300.py @@ -305,7 +305,7 @@ nodes['rx300'] = { }, 'netbox': { 'domain': 'netbox.franzi.business', - 'version': 'v3.4.3', + 'version': 'v3.4.4', 'changelog_retention_days': 360, 'admins': { 'kunsi': 'hostmaster@kunbox.net', From 429bc2a7c605151e50b022d416f3212e3f23d02d Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 5 Feb 2023 17:28:52 +0100 Subject: [PATCH 070/996] bundles/homeassistant: fix .provides() --- bundles/homeassistant/metadata.py | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/bundles/homeassistant/metadata.py b/bundles/homeassistant/metadata.py index feb1cd1..0b41f39 100644 --- a/bundles/homeassistant/metadata.py +++ b/bundles/homeassistant/metadata.py @@ -1,5 +1,3 @@ -from bundlewrap.metadata import atomic - defaults = { 'apt': { 'packages': { 
@@ -25,7 +23,7 @@ defaults = { }, } @metadata_reactor.provides( - 'icinga2_api/homeassistant/services/HOMESSISTANT UPDATE', + 'icinga2_api/homeassistant/services', ) def icinga_check_for_new_release(metadata): return { From 4122a7ccf83de478663797e5d45e83845aee45d9 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 5 Feb 2023 17:30:58 +0100 Subject: [PATCH 071/996] isort the repo --- bundles/backup-server/items.py | 1 + bundles/bird/metadata.py | 1 + bundles/icinga2/files/check_freifunk_node | 3 ++- bundles/icinga2/files/check_sipgate_account_balance | 3 ++- bundles/icinga2/files/check_spam_blocklist | 4 +--- bundles/icinga2/files/scripts/icinga_notification_wrapper | 3 ++- bundles/matrix-synapse/files/synapse-purge-unused-rooms | 2 +- bundles/mosquitto/files/tasmota-telegraf-plugin | 1 - bundles/mosquitto/metadata.py | 1 - bundles/octoprint/files/check_octoprint_update | 3 ++- bundles/postfix/files/postfix-telegraf-queue | 1 - bundles/powerdns/metadata.py | 2 +- bundles/pppd/files/dyndns | 3 ++- bundles/pretalx/files/pretalx-administrators-from-group | 3 ++- bundles/rspamd/files/telegraf-rspamd-plugin | 3 ++- bundles/smartd/files/telegraf_plugin | 2 +- bundles/sshmon/files/check_http_wget | 2 +- bundles/sshmon/files/check_mounts | 1 - bundles/users/items.py | 2 +- bundles/wireguard/metadata.py | 1 - bundles/zfs/files/check_zpool_space | 2 +- bundles/zfs/files/zfs-auto-snapshot | 1 - bundles/zfs/items.py | 1 - hooks/test_backup_metadata.py | 1 + hooks/test_metadata_dashes_vs_underscores.py | 1 + libs/faults.py | 2 +- libs/firewall.py | 2 +- libs/keys.py | 5 ++++- libs/tools.py | 5 +++-- nodes.py | 1 + scripts/encrypt_file | 1 - scripts/list-all-ips | 1 - scripts/passwords-for | 3 +-- 33 files changed, 36 insertions(+), 32 deletions(-) diff --git a/bundles/backup-server/items.py b/bundles/backup-server/items.py index c70512c..11d0624 100644 --- a/bundles/backup-server/items.py +++ b/bundles/backup-server/items.py 
@@ -1,6 +1,7 @@ repo.libs.tools.require_bundle(node, 'zfs') from os.path import join + from bundlewrap.metadata import metadata_to_json dataset = node.metadata.get('backup-server/zfs-base') diff --git a/bundles/bird/metadata.py b/bundles/bird/metadata.py index fd285d3..a5547d4 100644 --- a/bundles/bird/metadata.py +++ b/bundles/bird/metadata.py @@ -1,4 +1,5 @@ from ipaddress import ip_network + from bundlewrap.exceptions import NoSuchNode from bundlewrap.metadata import atomic diff --git a/bundles/icinga2/files/check_freifunk_node b/bundles/icinga2/files/check_freifunk_node index 2723f13..22725b7 100644 --- a/bundles/icinga2/files/check_freifunk_node +++ b/bundles/icinga2/files/check_freifunk_node @@ -1,8 +1,9 @@ #!/usr/bin/env python3 -from requests import get from sys import argv, exit +from requests import get + meshviewer_url = argv[1] node_id = argv[2] node = None diff --git a/bundles/icinga2/files/check_sipgate_account_balance b/bundles/icinga2/files/check_sipgate_account_balance index 8e8ce2d..843dfd9 100644 --- a/bundles/icinga2/files/check_sipgate_account_balance +++ b/bundles/icinga2/files/check_sipgate_account_balance @@ -1,8 +1,9 @@ #!/usr/bin/env python3 -from requests import get from sys import exit +from requests import get + SIPGATE_USER = '${node.metadata['icinga2']['sipgate_user']}' SIPGATE_PASS = '${node.metadata['icinga2']['sipgate_pass']}' diff --git a/bundles/icinga2/files/check_spam_blocklist b/bundles/icinga2/files/check_spam_blocklist index bf14a82..5cb350d 100644 --- a/bundles/icinga2/files/check_spam_blocklist +++ b/bundles/icinga2/files/check_spam_blocklist @@ -1,12 +1,10 @@ #!/usr/bin/env python3 from concurrent.futures import ThreadPoolExecutor, as_completed -from ipaddress import ip_address, IPv6Address +from ipaddress import IPv6Address, ip_address from subprocess import check_output from sys import argv, exit - - BLOCKLISTS = [ '0spam.fusionzero.com', 'bl.mailspike.org', 
diff --git a/bundles/icinga2/files/scripts/icinga_notification_wrapper b/bundles/icinga2/files/scripts/icinga_notification_wrapper index f988be8..72ab749 100644 --- a/bundles/icinga2/files/scripts/icinga_notification_wrapper +++ b/bundles/icinga2/files/scripts/icinga_notification_wrapper @@ -4,10 +4,11 @@ import email.mime.text import smtplib from argparse import ArgumentParser from json import dumps -from requests import post from subprocess import run from sys import argv +from requests import post + SIPGATE_USER='${node.metadata['icinga2']['sipgate_user']}' SIPGATE_PASS='${node.metadata['icinga2']['sipgate_pass']}' diff --git a/bundles/matrix-synapse/files/synapse-purge-unused-rooms b/bundles/matrix-synapse/files/synapse-purge-unused-rooms index aa54ebb..4e5f1e1 100644 --- a/bundles/matrix-synapse/files/synapse-purge-unused-rooms +++ b/bundles/matrix-synapse/files/synapse-purge-unused-rooms @@ -1,9 +1,9 @@ #!/usr/bin/env python3 from os import environ -from requests import get, post from sys import argv, exit +from requests import get, post SYNAPSE_MAX_ROOMS_TO_GET = 20000 SYNAPSE_HOST = 'http://[::1]:20080/' diff --git a/bundles/mosquitto/files/tasmota-telegraf-plugin b/bundles/mosquitto/files/tasmota-telegraf-plugin index 3aef6d6..4927002 100644 --- a/bundles/mosquitto/files/tasmota-telegraf-plugin +++ b/bundles/mosquitto/files/tasmota-telegraf-plugin @@ -7,7 +7,6 @@ from time import sleep import paho.mqtt.client as mqtt - BROKER_HOST = argv[1] BROKER_TOPIC = argv[2] diff --git a/bundles/mosquitto/metadata.py b/bundles/mosquitto/metadata.py index 08bd6de..c07a446 100644 --- a/bundles/mosquitto/metadata.py +++ b/bundles/mosquitto/metadata.py @@ -1,6 +1,5 @@ from bundlewrap.metadata import atomic - defaults = { 'apt': { 'packages': { diff --git a/bundles/octoprint/files/check_octoprint_update b/bundles/octoprint/files/check_octoprint_update index c7ae90a..ff89a3e 100644 --- a/bundles/octoprint/files/check_octoprint_update 
+++ b/bundles/octoprint/files/check_octoprint_update @@ -1,8 +1,9 @@ #!/usr/bin/env python3 -from requests import get from sys import exit +from requests import get + api_key = '${api_key}' try: diff --git a/bundles/postfix/files/postfix-telegraf-queue b/bundles/postfix/files/postfix-telegraf-queue index f5abfe7..16b64e5 100644 --- a/bundles/postfix/files/postfix-telegraf-queue +++ b/bundles/postfix/files/postfix-telegraf-queue @@ -4,7 +4,6 @@ from json import loads from subprocess import check_output - queue_counts = {} queue_json = check_output(['sudo', '/usr/sbin/postqueue', '-j']) diff --git a/bundles/powerdns/metadata.py b/bundles/powerdns/metadata.py index 5a2cc41..e93c7de 100644 --- a/bundles/powerdns/metadata.py +++ b/bundles/powerdns/metadata.py @@ -1,4 +1,4 @@ -from ipaddress import ip_address, IPv4Address, IPv6Address +from ipaddress import IPv4Address, IPv6Address, ip_address from bundlewrap.metadata import atomic diff --git a/bundles/pppd/files/dyndns b/bundles/pppd/files/dyndns index a88d7c5..f1760d8 100644 --- a/bundles/pppd/files/dyndns +++ b/bundles/pppd/files/dyndns @@ -1,8 +1,9 @@ #!/usr/bin/env python3 -import requests from sys import argv +import requests + INTERFACE = argv[1] LOCAL_IP = argv[4] diff --git a/bundles/pretalx/files/pretalx-administrators-from-group b/bundles/pretalx/files/pretalx-administrators-from-group index c1dcf80..3253000 100644 --- a/bundles/pretalx/files/pretalx-administrators-from-group +++ b/bundles/pretalx/files/pretalx-administrators-from-group @@ -1,9 +1,10 @@ #!/usr/bin/env python3 -import psycopg2 from configparser import ConfigParser from sys import argv, exit +import psycopg2 + def main(): try: diff --git a/bundles/rspamd/files/telegraf-rspamd-plugin b/bundles/rspamd/files/telegraf-rspamd-plugin index 9cb2c3d..23e5ccb 100644 --- a/bundles/rspamd/files/telegraf-rspamd-plugin +++ b/bundles/rspamd/files/telegraf-rspamd-plugin 
@@ -1,8 +1,9 @@ #!/usr/bin/env python3 -from requests import get from sys import argv, stderr +from requests import get + try: r = get('http://127.0.0.1:11334/stat') r.raise_for_status() diff --git a/bundles/smartd/files/telegraf_plugin b/bundles/smartd/files/telegraf_plugin index 5a7a1a5..5bd10f2 100644 --- a/bundles/smartd/files/telegraf_plugin +++ b/bundles/smartd/files/telegraf_plugin @@ -1,7 +1,7 @@ #!/usr/bin/env python -from subprocess import check_output from json import loads +from subprocess import check_output from sys import stderr devices = check_output(['smartctl', '--scan']).decode().splitlines() diff --git a/bundles/sshmon/files/check_http_wget b/bundles/sshmon/files/check_http_wget index ade5dbe..c259871 100644 --- a/bundles/sshmon/files/check_http_wget +++ b/bundles/sshmon/files/check_http_wget @@ -2,8 +2,8 @@ #this is actually a python https requests query, its called check_http_wget cause it got replaced -from sys import exit from argparse import ArgumentParser +from sys import exit import requests diff --git a/bundles/sshmon/files/check_mounts b/bundles/sshmon/files/check_mounts index f387ce4..bc2fc4b 100644 --- a/bundles/sshmon/files/check_mounts +++ b/bundles/sshmon/files/check_mounts @@ -5,7 +5,6 @@ from argparse import ArgumentParser from subprocess import check_output from tempfile import TemporaryFile - check_filesystem_types = { 'ext2', 'ext3', diff --git a/bundles/users/items.py b/bundles/users/items.py index 457c46a..d6df3cd 100644 --- a/bundles/users/items.py +++ b/bundles/users/items.py @@ -1,4 +1,4 @@ -from os.path import join, exists +from os.path import exists, join files = { '/etc/bash.bashrc': { diff --git a/bundles/wireguard/metadata.py b/bundles/wireguard/metadata.py index 21e9b8f..b19ca8c 100644 --- a/bundles/wireguard/metadata.py +++ b/bundles/wireguard/metadata.py 
@@ -3,7 +3,6 @@ from ipaddress import ip_network from bundlewrap.exceptions import NoSuchNode from bundlewrap.metadata import atomic - defaults = { 'apt': { 'packages': { diff --git a/bundles/zfs/files/check_zpool_space b/bundles/zfs/files/check_zpool_space index ff4b9bb..abb533e 100644 --- a/bundles/zfs/files/check_zpool_space +++ b/bundles/zfs/files/check_zpool_space @@ -1,9 +1,9 @@ #!/usr/bin/env python3 +import re from subprocess import check_output from sys import argv, exit -import re def to_bytes(size): diff --git a/bundles/zfs/files/zfs-auto-snapshot b/bundles/zfs/files/zfs-auto-snapshot index 4f1c919..8e38cf7 100644 --- a/bundles/zfs/files/zfs-auto-snapshot +++ b/bundles/zfs/files/zfs-auto-snapshot @@ -2,7 +2,6 @@ import re - from datetime import datetime from json import loads from subprocess import check_call, check_output diff --git a/bundles/zfs/items.py b/bundles/zfs/items.py index 8dda658..85ffdd7 100644 --- a/bundles/zfs/items.py +++ b/bundles/zfs/items.py @@ -1,5 +1,4 @@ from json import dumps -#from os.path import join from bundlewrap.metadata import MetadataJSONEncoder diff --git a/hooks/test_backup_metadata.py b/hooks/test_backup_metadata.py index 4937989..c8498eb 100644 --- a/hooks/test_backup_metadata.py +++ b/hooks/test_backup_metadata.py @@ -2,6 +2,7 @@ from bundlewrap.exceptions import BundleError from bundlewrap.utils.text import bold, green, yellow from bundlewrap.utils.ui import io + def test_node(repo, node, **kwargs): if not node.has_bundle('backup-client'): return diff --git a/hooks/test_metadata_dashes_vs_underscores.py b/hooks/test_metadata_dashes_vs_underscores.py index 698ab56..b7c7419 100644 --- a/hooks/test_metadata_dashes_vs_underscores.py +++ b/hooks/test_metadata_dashes_vs_underscores.py 
@@ -4,6 +4,7 @@ from bundlewrap.exceptions import BundleError from bundlewrap.utils.text import bold, green from bundlewrap.utils.ui import io + def test_underscore_vs_dash(node, metadata, path=[]): for k, v in metadata.items(): if not isinstance(k, str): diff --git a/libs/faults.py b/libs/faults.py index ad3735c..91d8b2f 100644 --- a/libs/faults.py +++ b/libs/faults.py @@ -1,4 +1,4 @@ -from json import loads, dumps +from json import dumps, loads from bundlewrap.metadata import metadata_to_json from bundlewrap.utils import Fault diff --git a/libs/firewall.py b/libs/firewall.py index 68b852d..b343824 100644 --- a/libs/firewall.py +++ b/libs/firewall.py @@ -1,5 +1,5 @@ +from ipaddress import IPv4Network, ip_network from os.path import abspath, dirname, join -from ipaddress import ip_network, IPv4Network REPO_PATH = dirname(dirname(abspath(__file__))) diff --git a/libs/keys.py b/libs/keys.py index 1565fee..4db382b 100644 --- a/libs/keys.py +++ b/libs/keys.py @@ -1,8 +1,11 @@ import base64 -from nacl.public import PrivateKey + from nacl.encoding import Base64Encoder +from nacl.public import PrivateKey + from bundlewrap.utils import Fault + def gen_privkey(repo, identifier): return repo.vault.random_bytes_as_base64_for(identifier) diff --git a/libs/tools.py b/libs/tools.py index 8e225a5..40afde2 100644 --- a/libs/tools.py +++ b/libs/tools.py @@ -1,9 +1,10 @@ -from ipaddress import ip_address, ip_network, IPv4Address, IPv4Network +from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network -from bundlewrap.exceptions import NoSuchGroup, NoSuchNode, BundleError +from bundlewrap.exceptions import BundleError, NoSuchGroup, NoSuchNode from bundlewrap.utils.text import bold, red from bundlewrap.utils.ui import io + def resolve_identifier(repo, identifier): """ Try to resolve an identifier (group or node). Return a set of ip diff --git a/nodes.py b/nodes.py index 75e6f1f..b9110ad 100644 --- a/nodes.py +++ b/nodes.py 
@@ -3,6 +3,7 @@ from os.path import join from pathlib import Path import bwpass + from bundlewrap.metadata import atomic from bundlewrap.utils import error_context diff --git a/scripts/encrypt_file b/scripts/encrypt_file index 8fa272e..430aac0 100755 --- a/scripts/encrypt_file +++ b/scripts/encrypt_file @@ -5,7 +5,6 @@ from sys import argv from bundlewrap.repo import Repository - path = environ.get('BW_REPO_PATH', '.') repo = Repository(path) diff --git a/scripts/list-all-ips b/scripts/list-all-ips index f5f2bc5..04a05ea 100755 --- a/scripts/list-all-ips +++ b/scripts/list-all-ips @@ -5,7 +5,6 @@ from sys import argv from bundlewrap.repo import Repository from bundlewrap.utils.dicts import merge_dict - path = environ.get('BW_REPO_PATH', '.') repo = Repository(path) diff --git a/scripts/passwords-for b/scripts/passwords-for index 3aa0d53..c12fa7b 100755 --- a/scripts/passwords-for +++ b/scripts/passwords-for @@ -2,10 +2,9 @@ from os import environ from sys import argv +from bundlewrap.exceptions import FaultUnavailable from bundlewrap.repo import Repository from bundlewrap.utils import Fault -from bundlewrap.exceptions import FaultUnavailable - path = environ.get('BW_REPO_PATH', '.') repo = Repository(path) From b49dc56c33176ba4d3a91bd6b2f032db43953682 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 5 Feb 2023 17:34:39 +0100 Subject: [PATCH 072/996] Jenkinsfile: also check using isort --- Jenkinsfile | 33 +++++++++++++++++++++------------ 1 file changed, 21 insertions(+), 12 deletions(-) diff --git a/Jenkinsfile b/Jenkinsfile index ef990d1..f371f82 100644 --- a/Jenkinsfile +++ b/Jenkinsfile 
@@ -1,15 +1,6 @@ pipeline { agent any stages { - stage('editorconfig-checker') { - steps { - sh """ - wget -Oec-linux-amd64.tar.gz https://github.com/editorconfig-checker/editorconfig-checker/releases/latest/download/ec-linux-amd64.tar.gz - tar -xzf ec-linux-amd64.tar.gz && rm ec-linux-amd64.tar.gz - bin/ec-linux-amd64 -no-color -exclude '^bin/' - """ - } - } stage('install_requirements') { steps { sh """ @@ -18,13 +9,31 @@ pipeline { virtualenv -p python3 venv . venv/bin/activate - pip install --upgrade pip + pip install --upgrade pip isort pip install -r requirements.txt """ } } - stage('bw test') { + stage('tests') { parallel { + stage('syntax checking using editorconfig-checker') { + steps { + sh """ + wget -Oec-linux-amd64.tar.gz https://github.com/editorconfig-checker/editorconfig-checker/releases/latest/download/ec-linux-amd64.tar.gz + tar -xzf ec-linux-amd64.tar.gz && rm ec-linux-amd64.tar.gz + bin/ec-linux-amd64 -no-color -exclude '^bin/' + """ + } + } + stage('syntax checking using isort') { + steps { + sh """ + . venv/bin/activate + + isort --check . + """ + } + } stage('config and metadata determinism') { steps { sh """ @@ -36,7 +45,7 @@ pipeline { """ } } - stage('other tests') { + stage('bw test -i') { steps { sh """ . venv/bin/activate From 25e03582b0c40d06c5ee59ed36ba4deac5bb199d Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Fri, 17 Feb 2023 05:01:28 +0100 Subject: [PATCH 073/996] entropia-jira- stuff has changed --- nodes/entropia-jira.toml | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/nodes/entropia-jira.toml b/nodes/entropia-jira.toml index d648b3a..84af119 100644 --- a/nodes/entropia-jira.toml +++ b/nodes/entropia-jira.toml 
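Review bot: The editorconfig-checker stage downloads `releases/latest/download/ec-linux-amd64.tar.gz`, unpacks it and runs `bin/ec-linux-amd64` on every build with neither a version pin nor a checksum, so whoever can publish a release on that GitHub project — or tamper with the tarball, which `tar -xzf` extracts with whatever paths it contains — gets code execution on the Jenkins agent; the stage is only being moved into `parallel` here, but that is the right moment to pin it: use `releases/download/<tag>/ec-linux-amd64.tar.gz` and add `echo '<sha256>  ec-linux-amd64.tar.gz' | sha256sum -c -` before the `tar -xzf` line. The new `pip install --upgrade pip isort` has the same shape in weaker form: isort is unpinned while everything else comes from `requirements.txt`, so `isort --check .` can start failing, or running different code, on upstream's schedule — pin it as `isort==<version>` or move it into requirements.txt next to the existing pins.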
@@ -5,13 +5,18 @@ dummy = true period = "daytime" pretty_name = "ticket.gulas.ch" -[metadata.icinga2_api.nginx.services."NGINX VHOST jira CERTIFICATE"] +[metadata.icinga2_api.nginx.services."NGINX VHOST ticket-redirect CERTIFICATE"] check_command = "check_https_cert_at_url" "vars.domain" = "ticket.gulas.ch" "vars.notification.mail" = true +[metadata.icinga2_api.nginx.services."NGINX VHOST jira CERTIFICATE"] +check_command = "check_https_cert_at_url" +"vars.domain" = "jira.gulas.ch" +"vars.notification.mail" = true + [metadata.icinga2_api.nginx.services."NGINX VHOST jira CONTENT"] check_command = "check_http_wget" "vars.http_wget_contains" = "login.jsp" -"vars.http_wget_url" = "https://ticket.gulas.ch/secure/Dashboard.jspa" +"vars.http_wget_url" = "https://jira.gulas.ch/secure/Dashboard.jspa" "vars.notification.sms" = true From 4975562fbca15be215215ec51d5f5c4d3449c252 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Fri, 17 Feb 2023 05:02:13 +0100 Subject: [PATCH 074/996] update element-web to 1.11.23 --- nodes/htz-cloud/miniserver.py | 2 +- nodes/rx300.py | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/nodes/htz-cloud/miniserver.py b/nodes/htz-cloud/miniserver.py index 6868583..9732bbd 100644 --- a/nodes/htz-cloud/miniserver.py +++ b/nodes/htz-cloud/miniserver.py @@ -62,7 +62,7 @@ nodes['htz-cloud.miniserver'] = { }, 'element-web': { 'url': 'chat.sophies-kitchen.eu', - 'version': 'v1.11.22', + 'version': 'v1.11.23', 'config': { 'default_server_config': { 'm.homeserver': { diff --git a/nodes/rx300.py b/nodes/rx300.py index 26b3799..9326e3c 100644 --- a/nodes/rx300.py +++ b/nodes/rx300.py @@ -104,7 +104,7 @@ nodes['rx300'] = { }, 'element-web': { 'url': 'chat.franzi.business', - 'version': 'v1.11.22', + 'version': 'v1.11.23', 'config': { 'default_server_config': { 'm.homeserver': { From d57844928d6d82218875cd1c9865eb9eaeb4d4e7 Mon Sep 17 00:00:00 2001 
From: Franziska Kunsmann Date: Fri, 17 Feb 2023 05:02:40 +0100 Subject: [PATCH 075/996] update matrix-media-repo to 1.2.13 --- nodes/htz-cloud/miniserver.py | 4 ++-- nodes/rx300.py | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/nodes/htz-cloud/miniserver.py b/nodes/htz-cloud/miniserver.py index 9732bbd..5fdc86c 100644 --- a/nodes/htz-cloud/miniserver.py +++ b/nodes/htz-cloud/miniserver.py @@ -134,8 +134,8 @@ nodes['htz-cloud.miniserver'] = { }, }, 'matrix-media-repo': { - 'version': 'v1.2.12', - 'sha1': 'c2dfa521c2eea9a0dcde9f1c7803f52ce6d0352e', + 'version': 'v1.2.13', + 'sha1': '0915bdf7c461368859180419d1f66717969cbe32', 'homeservers': { 'sophies-kitchen.eu': { 'domain': 'http://[::1]:20080/', diff --git a/nodes/rx300.py b/nodes/rx300.py index 9326e3c..5bfa1c2 100644 --- a/nodes/rx300.py +++ b/nodes/rx300.py @@ -196,8 +196,8 @@ nodes['rx300'] = { }, }, 'matrix-media-repo': { - 'version': 'v1.2.12', - 'sha1': 'c2dfa521c2eea9a0dcde9f1c7803f52ce6d0352e', + 'version': 'v1.2.13', + 'sha1': '0915bdf7c461368859180419d1f66717969cbe32', 'homeservers': { 'franzi.business': { 'domain': 'http://[::1]:20080/', From 68d51450fdfdc55353681c1ecf50f3c489cd1932 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Fri, 17 Feb 2023 05:03:01 +0100 Subject: [PATCH 076/996] update forgejo to 1.18.3-1 --- nodes/rx300.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/nodes/rx300.py b/nodes/rx300.py index 5bfa1c2..6d6d069 100644 --- a/nodes/rx300.py +++ b/nodes/rx300.py @@ -127,8 +127,8 @@ nodes['rx300'] = { }, }, 'gitea': { - 'url': 'https://codeberg.org/attachments/af34fbfc-d651-41b1-aaff-2b9cc7134051', - 'sha1': '9560cf3f84031583d374cef57d20d6da8c07a2f6', + 'url': 'https://codeberg.org/attachments/be5952ea-6cfb-4be5-a593-3564c4bd8cc9', + 'sha1': '0bcf3d6d6541a46571802d9e9276056ff860841e', 'domain': 'git.franzi.business', 'email_domain_blocklist': { 'aol.com', From 5c4fc37a37d91e0df7368f376ae28b96672f1a00 Mon Sep 17 00:00:00 2001 
From: Franziska Kunsmann Date: Fri, 17 Feb 2023 05:03:25 +0100 Subject: [PATCH 077/996] update mautrix-whatsapp to 0.8.2 --- nodes/rx300.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/nodes/rx300.py b/nodes/rx300.py index 6d6d069..861fd83 100644 --- a/nodes/rx300.py +++ b/nodes/rx300.py @@ -267,8 +267,8 @@ nodes['rx300'] = { }, }, 'mautrix-whatsapp': { - 'version': 'v0.8.1', - 'sha1': '6c7645b83ed216786a25e9f45935a0170cf0b05c', + 'version': 'v0.8.2', + 'sha1': '31779131b0524e84f980a7e3b5a818150833470d', 'homeserver': { 'domain': 'franzi.business', 'url': 'https://matrix.franzi.business', From 6cb56ab2ec0738aac5ca5eefe7c4b0650006d36d Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Fri, 17 Feb 2023 05:03:39 +0100 Subject: [PATCH 078/996] rx300: allow more postgresql connections --- nodes/rx300.py | 1 + 1 file changed, 1 insertion(+) diff --git a/nodes/rx300.py b/nodes/rx300.py index 861fd83..f5e1c71 100644 --- a/nodes/rx300.py +++ b/nodes/rx300.py @@ -448,6 +448,7 @@ nodes['rx300'] = { }, 'postgresql': { 'version': '13', + 'max_connections': 500, }, 'radicale': { 'domain': 'radicale.franzi.business', From d4e1da068926296d239c0f40b7073355f8294b89 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Fri, 3 Mar 2023 21:23:02 +0100 Subject: [PATCH 079/996] update ALL the things! --- nodes/htz-cloud/miniserver.py | 6 +++--- nodes/rx300.py | 10 +++++----- 2 files changed, 8 insertions(+), 8 deletions(-) diff --git a/nodes/htz-cloud/miniserver.py b/nodes/htz-cloud/miniserver.py index 5fdc86c..cd3c30b 100644 --- a/nodes/htz-cloud/miniserver.py +++ b/nodes/htz-cloud/miniserver.py @@ -62,7 +62,7 @@ nodes['htz-cloud.miniserver'] = { }, 'element-web': { 'url': 'chat.sophies-kitchen.eu', - 'version': 'v1.11.23', + 'version': 'v1.11.24', 'config': { 'default_server_config': { 'm.homeserver': { 
@@ -86,7 +86,7 @@ nodes['htz-cloud.miniserver'] = { }, }, 'hedgedoc': { - 'version': '1.9.6', + 'version': '1.9.7', 'config': { 'production': { 'allowAnonymousEdits': True, @@ -156,7 +156,7 @@ nodes['htz-cloud.miniserver'] = { }, }, 'mautrix-telegram': { - 'version': 'v0.12.2', + 'version': 'v0.13.0', 'homeserver': { 'domain': 'sophies-kitchen.eu', 'url': 'https://matrix.sophies-kitchen.eu', diff --git a/nodes/rx300.py b/nodes/rx300.py index f5e1c71..a852266 100644 --- a/nodes/rx300.py +++ b/nodes/rx300.py @@ -104,7 +104,7 @@ nodes['rx300'] = { }, 'element-web': { 'url': 'chat.franzi.business', - 'version': 'v1.11.23', + 'version': 'v1.11.24', 'config': { 'default_server_config': { 'm.homeserver': { @@ -127,8 +127,8 @@ nodes['rx300'] = { }, }, 'gitea': { - 'url': 'https://codeberg.org/attachments/be5952ea-6cfb-4be5-a593-3564c4bd8cc9', - 'sha1': '0bcf3d6d6541a46571802d9e9276056ff860841e', + 'url': 'https://codeberg.org/attachments/415526b5-e483-45b6-9d46-a7078dcea461', + 'sha1': '0a473b1bf7498db7508ae1ad5f917a2b504ab139', 'domain': 'git.franzi.business', 'email_domain_blocklist': { 'aol.com', @@ -244,7 +244,7 @@ nodes['rx300'] = { }, }, 'mautrix-telegram': { - 'version': 'v0.12.2', + 'version': 'v0.13.0', 'homeserver': { 'domain': 'franzi.business', 'url': 'https://matrix.franzi.business', @@ -305,7 +305,7 @@ nodes['rx300'] = { }, 'netbox': { 'domain': 'netbox.franzi.business', - 'version': 'v3.4.4', + 'version': 'v3.4.5', 'changelog_retention_days': 360, 'admins': { 'kunsi': 'hostmaster@kunbox.net', From b1d032df9062ce5bc42ce16ceb6d931be86731cd Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Tue, 7 Mar 2023 18:22:55 +0100 Subject: [PATCH 080/996] voc.pretalx: update pretalx to 2.3.2 --- nodes/voc/pretalx.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nodes/voc/pretalx.py b/nodes/voc/pretalx.py index 16b0d60..b7055c2 100644 --- a/nodes/voc/pretalx.py +++ b/nodes/voc/pretalx.py 
@@ -47,7 +47,7 @@ nodes['voc.pretalx'] = { }, }, 'pretalx': { - 'version': '7c3f8861a0ced94ffb4745c071a6ca3359dc1047', + 'version': 'v2.3.2', 'domain': 'pretalx.c3voc.de', 'mail_from': 'pretalx@c3voc.de', 'administrators-from-group-id': 1, From 5272a212a7dcd705a12b10bf653d1ad6412e1195 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Tue, 7 Mar 2023 18:23:22 +0100 Subject: [PATCH 081/996] voc.pretalx: update broadcast-tools to 1.1.0 --- nodes/voc/pretalx.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nodes/voc/pretalx.py b/nodes/voc/pretalx.py index b7055c2..204aaa1 100644 --- a/nodes/voc/pretalx.py +++ b/nodes/voc/pretalx.py @@ -58,7 +58,7 @@ nodes['voc.pretalx'] = { }, 'broadcast_tools': { 'repo': 'https://github.com/Kunsi/pretalx-plugin-broadcast-tools.git', - 'rev': '1.0.1', + 'rev': '1.1.0', }, 'media.ccc.de': { 'repo': 'https://github.com/pretalx/pretalx-media-ccc-de.git', From 985bb3cdecf0c85dc3197b8e7c530b6a3b6b8ba6 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 12 Mar 2023 10:59:35 +0100 Subject: [PATCH 082/996] ns-primary: update powerdnsadmin to 0.4.0 --- nodes/ns-primary.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nodes/ns-primary.toml b/nodes/ns-primary.toml index 885b1f2..c2ef311 100644 --- a/nodes/ns-primary.toml +++ b/nodes/ns-primary.toml @@ -36,7 +36,7 @@ secondary_nameservers = "dns" features.bind = true [metadata.powerdnsadmin] -version = "v0.3.0" +version = "v0.4.0" [metadata.vm] cpu = 2 From de6579140d5d4ceabe4d78f035df7fb9b372dbf3 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 12 Mar 2023 10:59:52 +0100 Subject: [PATCH 083/996] rx300: update travelynx to 1.30.7 --- nodes/rx300.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nodes/rx300.py b/nodes/rx300.py index a852266..4766f45 100644 --- a/nodes/rx300.py +++ b/nodes/rx300.py 
@@ -522,7 +522,7 @@ nodes['rx300'] = { }, }, 'travelynx': { - 'version': '1.29.4', + 'version': '1.30.7', 'mail_from': 'travelynx@franzi.business', 'domain': 'travelynx.franzi.business', }, From 9c590635b6e1a6f68b65772779f7e1cdff295279 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Tue, 14 Mar 2023 09:24:12 +0100 Subject: [PATCH 084/996] kunsi-p14s: install sdl_ttf --- nodes/kunsi-p14s.py | 1 + 1 file changed, 1 insertion(+) diff --git a/nodes/kunsi-p14s.py b/nodes/kunsi-p14s.py index 3174722..fc091da 100644 --- a/nodes/kunsi-p14s.py +++ b/nodes/kunsi-p14s.py @@ -105,6 +105,7 @@ nodes['kunsi-p14s'] = { 'gumbo-parser': {}, # for claws litehtml 'perl-musicbrainz-discid': {}, # for abcde 'perl-webservice-musicbrainz': {}, # for abcde + 'sdl_ttf': {}, # for compiling testcard }, }, 'sysctl': { From b1b8df7dd89b0b1b807d30a3baca342c103aa906 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 19 Mar 2023 15:42:43 +0100 Subject: [PATCH 085/996] remove some old scripts --- scripts/encrypt_file | 41 --------------------------------------- scripts/list-all-ips | 46 -------------------------------------------- 2 files changed, 87 deletions(-) delete mode 100755 scripts/encrypt_file delete mode 100755 scripts/list-all-ips diff --git a/scripts/encrypt_file b/scripts/encrypt_file deleted file mode 100755 index 430aac0..0000000 --- a/scripts/encrypt_file +++ /dev/null 
@@ -1,41 +0,0 @@ -#!/usr/bin/env python3 -from os import environ -from os.path import abspath, isfile, join, relpath -from sys import argv - -from bundlewrap.repo import Repository - -path = environ.get('BW_REPO_PATH', '.') -repo = Repository(path) - -if len(argv) < 3: - print('Usage: {} [encryption key, default \'encrypt\']'.format(argv[0])) - exit(1) - -target = abspath(argv[2]) -datapath = join(abspath(path), 'data') - -if not isfile(argv[1]): - print('ERROR: Source file \'{}\' does not exist.'.format(argv[1])) - exit(1) - -if not target.endswith('.vault'): - print('ERROR: Target file \'{}\' does not end in .vault'.format(argv[2])) - exit(1) -elif not target.startswith(datapath): - print('ERROR: Target file \'{}\' is not in BW_REPO_PATH/data/'.format(argv[2])) - exit(1) - -if isfile(target): - if input('ERROR: Target file \'{}\' already exists, overwrite? [yN]'.format(argv[2])) not in ['y', 'Y']: - print('Abort') - exit(2) - -if len(argv) > 3: - key = argv[3] -else: - key = 'encrypt' - -repo.vault.encrypt_file(argv[1], relpath(target, start=datapath), key) - -print('encryption successful') diff --git a/scripts/list-all-ips b/scripts/list-all-ips deleted file mode 100755 index 04a05ea..0000000 --- a/scripts/list-all-ips +++ /dev/null 
@@ -1,46 +0,0 @@ -#!/usr/bin/env python3 -from os import environ -from sys import argv - -from bundlewrap.repo import Repository -from bundlewrap.utils.dicts import merge_dict - -path = environ.get('BW_REPO_PATH', '.') -repo = Repository(path) - - -if len(argv) > 1: - ips = {} - for i in argv[1:]: - ips = merge_dict(ips, repo.libs.tools.resolve_identifier(repo, i)) -else: - ips = repo.libs.tools.resolve_identifier(repo, 'all') - - -if ips['ipv4']: - # editorconfig-checker-disable - print(''' ________ __ __ - / _/ __ \\_ __/ // / - / // /_/ / | / / // /_ - _/ // ____/| |/ /__ __/ -/___/_/ |___/ /_/''') - # editorconfig-checker-enable - - for ip in sorted(ips['ipv4']): - print(ip) - -if ips['ipv4'] and ips['ipv6']: - # some space inbetween - print() - -if ips['ipv6']: - # editorconfig-checker-disable - print(''' ________ _____ - / _/ __ \\_ __/ ___/ - / // /_/ / | / / __ \\ - _/ // ____/| |/ / /_/ / -/___/_/ |___/\\____/''') - # editorconfig-checker-enable - - for ip in sorted(ips['ipv6']): - print(ip) From cc49d344750679ed0050c51b7cff6df666e01d4f Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 19 Mar 2023 15:43:09 +0100 Subject: [PATCH 086/996] bundles/matrix-synapse: add script to reset the federation timeout --- .../files/synapse-reset-federation-timeout | 29 +++++++++++++++++++ bundles/matrix-synapse/items.py | 3 ++ bundles/matrix-synapse/metadata.py | 1 + 3 files changed, 33 insertions(+) create mode 100644 bundles/matrix-synapse/files/synapse-reset-federation-timeout diff --git a/bundles/matrix-synapse/files/synapse-reset-federation-timeout b/bundles/matrix-synapse/files/synapse-reset-federation-timeout new file mode 100644 index 0000000..258270a --- /dev/null +++ b/bundles/matrix-synapse/files/synapse-reset-federation-timeout 
@@ -0,0 +1,29 @@ +#!/usr/bin/env python3 + +from os import environ +from sys import argv, exit + +from requests import post + +SYNAPSE_HOST = "http://[::1]:20080/" + +if "MATRIX_AUTH_TOKEN" in environ: + SYNAPSE_AUTH_TOKEN = environ["MATRIX_AUTH_TOKEN"] +else: + print("Usage: MATRIX_AUTH_TOKEN='your_token_here' {}".format(argv[0])) + exit(255) + +if len(argv) != 2: + print(f"Usage: {argv[0]} ") + exit(1) + +r = post( + SYNAPSE_HOST + + "_synapse/admin/v1/federation/destinations/{}/reset_connection".format(argv[1]), + headers={ + "Authorization": "Bearer {}".format(SYNAPSE_AUTH_TOKEN), + }, +) + +r.raise_for_status() +print(r.json()) diff --git a/bundles/matrix-synapse/items.py b/bundles/matrix-synapse/items.py index 7305e6b..224d7b8 100644 --- a/bundles/matrix-synapse/items.py +++ b/bundles/matrix-synapse/items.py @@ -12,6 +12,9 @@ files = { '/etc/matrix-synapse/scripts/synapse-purge-unused-rooms': { 'mode': '0755', }, + '/etc/matrix-synapse/scripts/synapse-reset-federation-timeout': { + 'mode': '0755', + }, '/etc/systemd/system/matrix-synapse.service.d/override.conf': { 'needs': { 'pkg_apt:matrix-synapse-py3', diff --git a/bundles/matrix-synapse/metadata.py b/bundles/matrix-synapse/metadata.py index df14735..3100368 100644 --- a/bundles/matrix-synapse/metadata.py +++ b/bundles/matrix-synapse/metadata.py @@ -119,6 +119,7 @@ def nginx(metadata): locations = { '/_matrix': { 'target': 'http://[::1]:20080', + 'max_body_size': '50M', }, '/_synapse': { 'target': 'http://[::1]:20080', From e3b1d14fe72d6b2ed2dfeb2347711eab71ded2c1 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 19 Mar 2023 15:43:34 +0100 Subject: [PATCH 087/996] bundles/miniflux: fix proxy settings --- bundles/miniflux/files/miniflux.conf | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/bundles/miniflux/files/miniflux.conf b/bundles/miniflux/files/miniflux.conf index 0c03f45..fd0b26e 100644 --- a/bundles/miniflux/files/miniflux.conf +++ b/bundles/miniflux/files/miniflux.conf 
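Review bot: `argv[1]` is spliced into the admin URL path unescaped in the `post(...)` call, so a destination containing `/`, `?` or `#` changes which `_synapse/admin` endpoint receives the bearer token; use `quote(argv[1], safe="")` from `urllib.parse` at that spot. The request also carries no `timeout=`, so a hung homeserver blocks the script forever — `post(..., timeout=30)` is enough. The usage line `print(f"Usage: {argv[0]} ")` appears to have lost its argument placeholder (possibly a rendering artefact); if it really is empty in the file, restore something like `<destination>` so the message is actionable.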
@@ -5,5 +5,6 @@ CLEANUP_ARCHIVE_UNREAD_DAYS=-1 DATABASE_URL="user=miniflux password=${dbpassword} dbname=miniflux sslmode=disable host=localhost" LISTEN_ADDR=127.0.0.1:22040 POLLING_FREQUENCY=15 -PROXY_IMAGES=all +PROXY_MEDIA_TYPES=image,audio +PROXY_OPTION=all WORKER_POOL_SIZE=5 From 445ec0ea1563c9a6e6cbe9435700c48bf93130ef Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 19 Mar 2023 15:43:50 +0100 Subject: [PATCH 088/996] rx300: update element-web to 1.11.25 --- nodes/rx300.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nodes/rx300.py b/nodes/rx300.py index 4766f45..0492c66 100644 --- a/nodes/rx300.py +++ b/nodes/rx300.py @@ -104,7 +104,7 @@ nodes['rx300'] = { }, 'element-web': { 'url': 'chat.franzi.business', - 'version': 'v1.11.24', + 'version': 'v1.11.25', 'config': { 'default_server_config': { 'm.homeserver': { From 8da5650134a7c0b5afc17a9c2f520d42bc54a07c Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Tue, 21 Mar 2023 07:29:15 +0100 Subject: [PATCH 089/996] htz-cloud.miniserver: update element-web to 1.11.25 --- nodes/htz-cloud/miniserver.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nodes/htz-cloud/miniserver.py b/nodes/htz-cloud/miniserver.py index cd3c30b..44f3034 100644 --- a/nodes/htz-cloud/miniserver.py +++ b/nodes/htz-cloud/miniserver.py @@ -62,7 +62,7 @@ nodes['htz-cloud.miniserver'] = { }, 'element-web': { 'url': 'chat.sophies-kitchen.eu', - 'version': 'v1.11.24', + 'version': 'v1.11.25', 'config': { 'default_server_config': { 'm.homeserver': { From 51cdcba9e9ba1c4fc250c91ceaf557681b1fd902 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Tue, 21 Mar 2023 07:29:37 +0100 Subject: [PATCH 090/996] rx300: update mautrix-whatsapp to 0.8.3 --- nodes/rx300.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/nodes/rx300.py b/nodes/rx300.py index 0492c66..f6fe7bb 100644 --- a/nodes/rx300.py +++ b/nodes/rx300.py 
@@ -267,8 +267,8 @@ nodes['rx300'] = { }, }, 'mautrix-whatsapp': { - 'version': 'v0.8.2', - 'sha1': '31779131b0524e84f980a7e3b5a818150833470d', + 'version': 'v0.8.3', + 'sha1': '89ac3134ed6ca81b498122113754dd4548982685', 'homeserver': { 'domain': 'franzi.business', 'url': 'https://matrix.franzi.business', From 08aadcaf364a6b9d2ddc113e0a0a2745b87e87e3 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Tue, 21 Mar 2023 07:29:55 +0100 Subject: [PATCH 091/996] rx300: update netbox to 3.4.6 --- nodes/rx300.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nodes/rx300.py b/nodes/rx300.py index f6fe7bb..cb69d51 100644 --- a/nodes/rx300.py +++ b/nodes/rx300.py @@ -305,7 +305,7 @@ nodes['rx300'] = { }, 'netbox': { 'domain': 'netbox.franzi.business', - 'version': 'v3.4.5', + 'version': 'v3.4.6', 'changelog_retention_days': 360, 'admins': { 'kunsi': 'hostmaster@kunbox.net', From a738b49aa48d1477e3acce77066879c9740d9f91 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Wed, 22 Mar 2023 21:19:41 +0100 Subject: [PATCH 092/996] add scripts/netbox-dump --- scripts/netbox-dump | 152 ++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 152 insertions(+) create mode 100755 scripts/netbox-dump diff --git a/scripts/netbox-dump b/scripts/netbox-dump new file mode 100755 index 0000000..8a914d4 --- /dev/null +++ b/scripts/netbox-dump 
@@ -0,0 +1,152 @@ +#!/usr/bin/env python3 + +from json import dump +from os import environ +from os.path import dirname, join +from sys import exit + +import bwpass +from requests import post + +from bundlewrap.utils.text import validate_name + +TOKEN = environ.get("NETBOX_AUTH_TOKEN") + +# editorconfig-checker-disable +QUERY = """{ + device_list(tag: "bundlewrap") { + name + site { + id + } + interfaces { + id + name + enabled + description + mode + untagged_vlan { + name + } + tagged_vlans { + name + } + link_peers { + ... on InterfaceType { + name + device { + name + } + } + ... on FrontPortType { + name + device { + name + } + } + } + connected_endpoints { + ... on InterfaceType { + name + device { + name + } + } + } + } + } + site_list { + id + vlans { + name + vid + } + } +}""" +# editorconfig-checker-enable + +if not TOKEN: + try: + TOKEN = bwpass.attr("netbox.franzi.business/kunsi", "token") + except Exception: + print("NETBOX_AUTH_TOKEN is missing") + exit(1) + +r = post( + "https://netbox.franzi.business/graphql/", + headers={ + "Accept": "application/json", + "Authorization": f"Token {TOKEN}", + }, + json={ + "query": QUERY, + }, +) +r.raise_for_status() + +data = r.json()["data"] + +site_vlans = {site["id"]: site["vlans"] for site in data["site_list"]} + +for device in data["device_list"]: + if not device["name"] or not validate_name(device["name"]): + # invalid node name, ignore + continue + + result = { + "interfaces": {}, + "vlans": site_vlans[device["site"]["id"]], + } + + for interface in device["interfaces"]: + description = "" + peers = None + + if interface["connected_endpoints"]: + peers = interface["connected_endpoints"] + elif interface["link_peers"]: + peers = interface["link_peers"] + + if interface["description"]: + description = interface["description"] + elif peers: + peer_list = set() + + for i in peers: + peer_list.add( + "{} ({})".format( + i["device"]["name"], + i["name"], + ) + ) + + description = "; ".join(sorted(peer_list)) + 
else: + description = "" + + assert description.isascii() + + result["interfaces"][interface["name"]] = { + "description": description, + "enabled": interface["enabled"], + "mode": interface["mode"], + "untagged_vlan": interface["untagged_vlan"]["name"] + if interface["untagged_vlan"] + else None, + "tagged_vlans": sorted({v["name"] for v in interface["tagged_vlans"]}), + } + + with open( + join( + dirname(dirname(__file__)), + "configs", + "netbox_device_{}.json".format(device["name"]), + ), + "w+", + ) as f: + dump( + result, + f, + indent=4, + sort_keys=True, + ) From 66c6a92ec554587f25ddab4039775b62d3df4291 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 26 Mar 2023 15:21:16 +0200 Subject: [PATCH 093/996] scripts/netbox-dump: also add interface type and ip addresses --- scripts/netbox-dump | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/scripts/netbox-dump b/scripts/netbox-dump index 8a914d4..f3c79a6 100755 --- a/scripts/netbox-dump +++ b/scripts/netbox-dump @@ -25,6 +25,10 @@ QUERY = """{ enabled description mode + type + ip_addresses { + address + } untagged_vlan { name } @@ -130,6 +134,8 @@ for device in data["device_list"]: "description": description, "enabled": interface["enabled"], "mode": interface["mode"], + "type": interface["type"], + "ips": sorted({i['address'] for i in interface['ip_addresses']}), "untagged_vlan": interface["untagged_vlan"]["name"] if interface["untagged_vlan"] else None, From 190833c54aadf26119c8f15f573414dd6195f8ff Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 26 Mar 2023 15:58:09 +0200 Subject: [PATCH 094/996] bundles/lldp: do not run for routeros devices --- bundles/lldp/items.py | 47 ++++++++++++++++++++++--------------------- 1 file changed, 24 insertions(+), 23 deletions(-) diff --git a/bundles/lldp/items.py b/bundles/lldp/items.py index ac02aa1..7646f10 100644 --- a/bundles/lldp/items.py +++ b/bundles/lldp/items.py 
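Review bot: `r.raise_for_status()` does not cover GraphQL-level failures — NetBox answers a bad query or an unauthorized token with HTTP 200 and a body whose `data` is absent or null, so `r.json()["data"]` then dies with a KeyError/TypeError far from the cause. Replace that line with `payload = r.json()`, `if payload.get("errors") or payload.get("data") is None: raise SystemExit(f"GraphQL errors: {payload.get('errors')}")`, `data = payload["data"]`. `assert description.isascii()` is stripped under `python -O`; since the value ends up in a config file other bundles consume, make it `if not description.isascii(): raise ValueError(f"{device['name']}/{interface['name']}: non-ASCII description")`. The `post(...)` call also has no `timeout=`, and `device["site"]` can be null for a tagged device without a site, which turns `device["site"]["id"]` into a TypeError — worth a guard or a clearer message.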
@@ -1,28 +1,29 @@ -directories = { - '/etc/lldpd.d': { - 'purge': True, - 'triggers': { - 'svc_systemd:lldpd:restart', +if node.os != 'routeros': + directories = { + '/etc/lldpd.d': { + 'purge': True, + 'triggers': { + 'svc_systemd:lldpd:restart', + }, }, - }, -} + } -files = { - '/etc/lldpd.conf': { - 'delete': True, - }, - '/etc/lldpd.d/bundlewrap.conf': { - 'content_type': 'mako', - 'triggers': { - 'svc_systemd:lldpd:restart', + files = { + '/etc/lldpd.conf': { + 'delete': True, }, - }, -} + '/etc/lldpd.d/bundlewrap.conf': { + 'content_type': 'mako', + 'triggers': { + 'svc_systemd:lldpd:restart', + }, + }, + } -svc_systemd = { - 'lldpd': { - 'needs': { - 'file:/etc/lldpd.d/bundlewrap.conf', + svc_systemd = { + 'lldpd': { + 'needs': { + 'file:/etc/lldpd.d/bundlewrap.conf', + }, }, - }, -} + } From ca614efec11fff1965c9497d90151f34d79a2439 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 26 Mar 2023 15:58:29 +0200 Subject: [PATCH 095/996] add home.switch-rack --- .editorconfig | 3 + bundles/routeros/README.md | 9 + bundles/routeros/items.py | 172 ++++++++++++ bundles/routeros/metadata.py | 123 +++++++++ configs/netbox_device_home.switch-rack.json | 276 ++++++++++++++++++++ nodes/home.switch-rack.toml | 5 + 6 files changed, 588 insertions(+) create mode 100644 bundles/routeros/README.md create mode 100644 bundles/routeros/items.py create mode 100644 bundles/routeros/metadata.py create mode 100644 configs/netbox_device_home.switch-rack.json create mode 100644 nodes/home.switch-rack.toml diff --git a/.editorconfig b/.editorconfig index e09c9dd..b632cc1 100644 --- a/.editorconfig +++ b/.editorconfig @@ -22,3 +22,6 @@ indent_size = unset [*.vault] end_of_line = unset insert_final_newline = unset + +[*.json] +insert_final_newline = unset diff --git a/bundles/routeros/README.md b/bundles/routeros/README.md new file mode 100644 index 0000000..3b4ccf4 --- /dev/null +++ b/bundles/routeros/README.md 
@@ -0,0 +1,9 @@ +RouterOS +======== + +Pulls device configuration from netbox_dump.json and creates items accordingly. + +Notes +----- + +To add management IPs to a VLAN, you need to create a virtual interface in Netbox whose name matches the name of a VLAN. Then add the IP to that virtual interface. diff --git a/bundles/routeros/items.py b/bundles/routeros/items.py new file mode 100644 index 0000000..cd1ec29 --- /dev/null +++ b/bundles/routeros/items.py 
@@ -0,0 +1,172 @@ +routeros['/ip/dns'] = { + 'servers': '8.8.8.8', +} + +for service in ( + 'api-ssl', # slow :( + 'ftp', # we can download files via HTTP + 'telnet', + 'www-ssl', # slow :( + 'winbox', +): + routeros[f'/ip/service?name={service}'] = { + 'disabled': True, + } + +for service in ( + 'api', + 'ssh', + 'www', +): + routeros[f'/ip/service?name={service}'] = { + 'disabled': False, + } + +LOGGING_TOPICS = ( + 'critical', + 'error', + 'info', + 'stp', + 'warning', +) + +for topic in LOGGING_TOPICS: + routeros[f'/system/logging?action=memory&topics={topic}'] = {} + +if node.metadata.get('routeros/syslog-server', None): + routeros['/system/logging/action?name=remote'] = { + 'target': 'remote', + 'remote': node.metadata.get('routeros/syslog-server'), + 'remote-port': 514, + } + for topic in LOGGING_TOPICS: + routeros[f'/system/logging?action=remote&topics={topic}'] = {} + +routeros['/snmp'] = { + 'enabled': True, +} +routeros['/snmp/community?name=public'] = { + 'addresses': '::/0', + 'disabled': False, + 'read-access': True, + 'write-access': False, +} + +routeros['/system/clock'] = { + 'time-zone-autodetect': False, + 'time-zone-name': 'UTC', +} + +routeros['/system/identity'] = { + 'name': node.name, + # doing this first gives us some chance to notice an IP mixup + 'before': {'routeros:'}, +} + +routeros['/system/ntp/client'] = { + 'enabled': True, + 'server-dns-names': 'de.pool.ntp.org', +} + +if node.metadata.get('routeros/gateway'): + routeros['/ip/route?dst-address=0.0.0.0/0'] = { + 'gateway': node.metadata.get('routeros/gateway'), + } + +routeros['/interface/bridge?name=bridge'] = { + 'priority': node.metadata.get('routeros/bridge_priority', '0x8000'), + 'protocol-mode': 'rstp', + 'vlan-filtering': True, +} + +# assign bridge ports +for port_name, port_conf in node.metadata.get('routeros/ports').items(): + if port_conf.get('delete'): + routeros[f'/interface/bridge/port?interface={port_name}'] = { + 'delete': True, + 'tags': {'routeros-port'}, + 
'needs': {f'routeros:/interface?name={port_name}'}, + } + else: + pvid = port_conf.get('pvid') + if not pvid: + for vlan_name, vlan_conf in node.metadata.get('routeros/vlans').items(): + if port_name in vlan_conf.get('untagged', []): + if pvid: + raise ValueError( + f"{node.name}: port {port_name} untagged " + f"in VLANs {pvid} and {vlan_conf['id']}" + ) + else: + pvid = vlan_conf['id'] + + # Field must not be present of some port types. + if port_conf.get('hw'): + hw = {'hw': port_conf['hw']} + else: + hw = {} + + routeros[f'/interface/bridge/port?interface={port_name}'] = { + 'bridge': 'bridge', + '_comment': port_conf.get('description', ''), + 'disabled': False, + **hw, + 'pvid': pvid or '1', + 'tags': {'routeros-port'}, + 'needs': { + f'routeros:/interface?name={port_name}', + 'routeros:/interface/bridge?name=bridge', + 'tag:routeros-bridge-vlan', # or we end up with dynamic VLANs after setting pvid to an unknown VLAN + }, + } + + routeros[f'/interface?name={port_name}'] = { + '_comment': port_conf.get('description', ''), + 'disabled': port_conf.get('disabled', False) + and not port_conf.get('delete', False), + } + + +# create IPs +for ip, ip_conf in node.metadata.get('routeros/ips').items(): + routeros[f'/ip/address?address={ip}'] = { + 'interface': ip_conf['interface'], + 'tags': {'routeros-ip'}, + 'needs': { + 'tag:routeros-vlan', + }, + } + +for vlan, conf in node.metadata.get('routeros/vlans').items(): + if conf['delete']: + # delete old VLANs + routeros[f'/interface/vlan?name={vlan}'] = { + 'delete': True, + } + + routeros[f"/interface/bridge/vlan?vlan-ids={conf['id']}"] = { + 'delete': True, + } + else: + # create vlans + routeros[f'/interface/vlan?name={vlan}'] = { + 'vlan-id': conf['id'], + 'interface': 'bridge', + 'tags': {'routeros-vlan'}, + 'needs': { + 'routeros:/interface/bridge?name=bridge', + }, + } + + # assign ports to vlans + routeros[f"/interface/bridge/vlan?vlan-ids={conf['id']}"] = { + 'bridge': 'bridge', + 'untagged': 
sorted(conf['untagged']), + 'tagged': sorted(conf['tagged']), + '_comment': vlan, + 'tags': {'routeros-bridge-vlan'}, + 'needs': { + 'routeros:/interface/bridge?name=bridge', + 'tag:routeros-vlan', + }, + } diff --git a/bundles/routeros/metadata.py b/bundles/routeros/metadata.py new file mode 100644 index 0000000..72bc063 --- /dev/null +++ b/bundles/routeros/metadata.py 
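Review bot: `/snmp/community?name=public` is created with `'addresses': '::/0'` and `'read-access': True`, so the switch answers SNMPv2c reads (interface table, neighbour data, identity) to any source that can reach it, using the well-known default community string. Restrict it to the management prefix and a non-default name, e.g. a `routeros/snmp_allowed_from` metadata key feeding `'addresses'`, the same way `routeros/syslog-server` is already looked up in this hunk. In the same file `api` and `www` are enabled while `api-ssl`/`www-ssl` are disabled as "slow", which means the credentials bundlewrap itself logs in with travel in clear text on the client VLANs; if the routeros item accepts it, set an `'address'` restriction on those `/ip/service` items to the management prefix, and treat the TLS services as the target rather than a permanent exclusion. `/ip/dns` is likewise hard-coded to `'8.8.8.8'` — fine if intentional, but a metadata key would keep it consistent with the other per-node settings.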
@@ -0,0 +1,123 @@ +import re +from json import load +from os.path import join + +defaults = { + 'icinga2_api': { + 'routeros': { + 'services': { + 'TEMPERATURE': { + 'check_command': 'snmp', + 'vars.snmp_oid': '1.3.6.1.4.1.14988.1.1.3.11.0', + 'vars.snmp_version': '2c', + 'vars.snmp_community': 'public', + 'vars.warn': '@750:799', # 1/10 °C + 'vars.crit': '@800:9999', + }, + }, + }, + }, +} + + +@metadata_reactor.provides( + 'routeros/ips', + 'routeros/ports', + 'routeros/vlans', +) +def get_ports_from_netbox_dump(metadata): + with open(join(repo.path, 'configs', f'netbox_device_{node.name}.json')) as f: + netbox = load(f) + + ips = {} + ports = {} + vlans = { + v['name']: { + 'id': v['vid'], + 'delete': False, + 'tagged': set(), + 'untagged': set(), + } + for v in netbox['vlans'] + } + + for port, conf in netbox['interfaces'].items(): + for ip in conf['ips']: + ips[ip] = {'interface': port} + + if conf['type'] == 'VIRTUAL': + # these are VLAN interfaces (for management IPs) + if conf['ips']: + # this makes management services available in the VLAN + try: + vlans[port]['tagged'].add('bridge') + except KeyError: + raise ValueError( + f'name of virtual interface "{port}" on {node.name} ' + f'matches none of the known VLANs: {list(vlans.keys())} ' + '(you probably need to rename the interface in Netbox ' + 'and/or run netbox-dump)' + ) + # We do not create the actual VLAN interface here, that + # happens automatically in items.py. 
+ continue + elif not conf['enabled'] or not conf['mode']: + # disable unconfigured ports + ports[port] = { + 'disabled': True, + 'description': conf.get('description', ''), + } + # dont add vlans for this port + continue + else: + ports[port] = { + 'disabled': False, + 'description': conf.get('description', ''), + } + if conf.get('ips', []): + ports[port]['ips'] = set(conf['ips']) + if conf['type'] in ( + 'A_1000BASE_T', + 'A_10GBASE_X_SFPP', + ): + ports[port]['hw'] = True + + if conf['untagged_vlan']: + vlans[conf['untagged_vlan']]['untagged'].add(port) + if conf['ips']: + # this makes management services available in the VLAN + vlans[conf['untagged_vlan']]['tagged'].add('bridge') + + # tagged + + if conf['mode'] == 'TAGGED_ALL': + tagged = set(vlans.keys()) - {conf['untagged_vlan']} + else: + tagged = conf['tagged_vlans'] + + for vlan in tagged: + vlans[vlan]['tagged'].add(port) + + # this makes management services available in the VLAN + if conf['ips']: + vlans[vlan]['tagged'].add('bridge') + + return { + 'routeros': { + 'ips': ips, + 'ports': ports, + 'vlans': vlans, + } + } + + +@metadata_reactor.provides('routeros/gateway') +def gateway(metadata): + ip_pattern = re.compile(r'(\d{1,3}\.\d{1,3}\.\d{1,3}\.)\d{1,3}') + gateway = ip_pattern.match(node.hostname).group(1) + '1' + + return { + 'routeros': { + 'gateway': gateway, + }, + } diff --git a/configs/netbox_device_home.switch-rack.json b/configs/netbox_device_home.switch-rack.json new file mode 100644 index 0000000..1e84e4b --- /dev/null +++ b/configs/netbox_device_home.switch-rack.json 
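Review bot: In `gateway()`, `ip_pattern.match(node.hostname).group(1)` raises a bare AttributeError when the hostname is not a dotted IPv4 literal (a DNS name, an IPv6 address), the regex accepts octets such as `999`, and the reactor silently assumes the gateway is `.1` of a /24-aligned network. Guard it explicitly: `m = ip_pattern.fullmatch(node.hostname)`, `if m is None: raise ValueError(f'{node.name}: routeros/gateway needs an IPv4 literal hostname, got {node.hostname!r}')`, `gateway = m.group(1) + '1'`. In `get_ports_from_netbox_dump`, `vlans[conf['untagged_vlan']]` and `vlans[vlan]` raise a plain KeyError when the dump references a VLAN missing from the site's list, while the virtual-interface branch wraps the equivalent lookup in a descriptive ValueError — the other two lookups deserve the same treatment. The `icinga2_api` defaults hard-code `'vars.snmp_community': 'public'`, which mirrors the community created in items.py; if that community is ever changed, both places must move together.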
@@ -0,0 +1,276 @@ +{ + "interfaces": { + "ether1": { + "description": "home.router (enp1s0)", + "enabled": true, + "ips": [], + "mode": "TAGGED_ALL", + "tagged_vlans": [], + "type": "A_1000BASE_T", + "untagged_vlan": null + }, + "ether10": { + "description": "", + "enabled": true, + "ips": [], + "mode": "ACCESS", + "tagged_vlans": [], + "type": "A_1000BASE_T", + "untagged_vlan": "home.clients" + }, + "ether11": { + "description": "", + "enabled": true, + "ips": [], + "mode": "ACCESS", + "tagged_vlans": [], + "type": "A_1000BASE_T", + "untagged_vlan": "home.clients" + }, + "ether12": { + "description": "", + "enabled": true, + "ips": [], + "mode": "ACCESS", + "tagged_vlans": [], + "type": "A_1000BASE_T", + "untagged_vlan": "home.clients" + }, + "ether13": { + "description": "", + "enabled": true, + "ips": [], + "mode": "ACCESS", + "tagged_vlans": [], + "type": "A_1000BASE_T", + "untagged_vlan": "home.clients" + }, + "ether14": { + "description": "", + "enabled": true, + "ips": [], + "mode": "ACCESS", + "tagged_vlans": [], + "type": "A_1000BASE_T", + "untagged_vlan": "home.clients" + }, + "ether15": { + "description": "", + "enabled": true, + "ips": [], + "mode": "ACCESS", + "tagged_vlans": [], + "type": "A_1000BASE_T", + "untagged_vlan": "home.clients" + }, + "ether16": { + "description": "", + "enabled": true, + "ips": [], + "mode": "ACCESS", + "tagged_vlans": [], + "type": "A_1000BASE_T", + "untagged_vlan": "home.clients" + }, + "ether17": { + "description": "", + "enabled": true, + "ips": [], + "mode": "ACCESS", + "tagged_vlans": [], + "type": "A_1000BASE_T", + "untagged_vlan": "home.clients" + }, + "ether18": { + "description": "", + "enabled": true, + "ips": [], + "mode": "ACCESS", + "tagged_vlans": [], + "type": "A_1000BASE_T", + "untagged_vlan": "home.clients" + }, + "ether19": { + "description": "", + "enabled": true, + "ips": [], + "mode": "ACCESS", + "tagged_vlans": [], + "type": "A_1000BASE_T", + "untagged_vlan": "home.clients" + }, + "ether2": { + 
"description": "", + "enabled": true, + "ips": [], + "mode": "ACCESS", + "tagged_vlans": [], + "type": "A_1000BASE_T", + "untagged_vlan": "home.clients" + }, + "ether20": { + "description": "", + "enabled": true, + "ips": [], + "mode": "ACCESS", + "tagged_vlans": [], + "type": "A_1000BASE_T", + "untagged_vlan": "home.clients" + }, + "ether21": { + "description": "Patchpanel oben (4)", + "enabled": true, + "ips": [], + "mode": "ACCESS", + "tagged_vlans": [], + "type": "A_1000BASE_T", + "untagged_vlan": "home.clients" + }, + "ether22": { + "description": "home.nas (eno1)", + "enabled": true, + "ips": [], + "mode": "TAGGED", + "tagged_vlans": [ + "ffwi.client", + "ffwi.mesh", + "home.clients", + "home.dmz" + ], + "type": "A_1000BASE_T", + "untagged_vlan": null + }, + "ether23": { + "description": "uplink", + "enabled": true, + "ips": [], + "mode": "ACCESS", + "tagged_vlans": [], + "type": "A_1000BASE_T", + "untagged_vlan": "home.wan" + }, + "ether24": { + "description": "", + "enabled": true, + "ips": [], + "mode": "ACCESS", + "tagged_vlans": [], + "type": "A_1000BASE_T", + "untagged_vlan": "home.clients" + }, + "ether3": { + "description": "", + "enabled": true, + "ips": [], + "mode": "ACCESS", + "tagged_vlans": [], + "type": "A_1000BASE_T", + "untagged_vlan": "home.clients" + }, + "ether4": { + "description": "", + "enabled": true, + "ips": [], + "mode": "ACCESS", + "tagged_vlans": [], + "type": "A_1000BASE_T", + "untagged_vlan": "home.clients" + }, + "ether5": { + "description": "", + "enabled": true, + "ips": [], + "mode": "ACCESS", + "tagged_vlans": [], + "type": "A_1000BASE_T", + "untagged_vlan": "home.clients" + }, + "ether6": { + "description": "", + "enabled": true, + "ips": [], + "mode": "ACCESS", + "tagged_vlans": [], + "type": "A_1000BASE_T", + "untagged_vlan": "home.clients" + }, + "ether7": { + "description": "", + "enabled": true, + "ips": [], + "mode": "ACCESS", + "tagged_vlans": [], + "type": "A_1000BASE_T", + "untagged_vlan": "home.clients" + }, + 
"ether8": { + "description": "", + "enabled": true, + "ips": [], + "mode": "ACCESS", + "tagged_vlans": [], + "type": "A_1000BASE_T", + "untagged_vlan": "home.clients" + }, + "ether9": { + "description": "", + "enabled": true, + "ips": [], + "mode": "ACCESS", + "tagged_vlans": [], + "type": "A_1000BASE_T", + "untagged_vlan": "home.clients" + }, + "home.clients": { + "description": "", + "enabled": true, + "ips": [ + "172.19.138.4/24" + ], + "mode": null, + "tagged_vlans": [], + "type": "VIRTUAL", + "untagged_vlan": null + }, + "sfp-sfpplus1": { + "description": "", + "enabled": true, + "ips": [], + "mode": null, + "tagged_vlans": [], + "type": "A_10GBASE_X_SFPP", + "untagged_vlan": null + }, + "sfp-sfpplus2": { + "description": "", + "enabled": true, + "ips": [], + "mode": null, + "tagged_vlans": [], + "type": "A_10GBASE_X_SFPP", + "untagged_vlan": null + } + }, + "vlans": [ + { + "name": "home.wan", + "vid": 7 + }, + { + "name": "home.clients", + "vid": 1138 + }, + { + "name": "home.dmz", + "vid": 1139 + }, + { + "name": "ffwi.mesh", + "vid": 3000 + }, + { + "name": "ffwi.client", + "vid": 3001 + } + ] +} \ No newline at end of file diff --git a/nodes/home.switch-rack.toml b/nodes/home.switch-rack.toml new file mode 100644 index 0000000..2f5dbda --- /dev/null +++ b/nodes/home.switch-rack.toml @@ -0,0 +1,5 @@ +bundles = ["routeros"] +hostname = "172.19.138.4" +os = "routeros" +username = "admin" +# TODO password From f254b9bb126e4aae9a47960d052e88424b68d692 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Mon, 27 Mar 2023 14:09:00 +0200 Subject: [PATCH 096/996] kunsi-p14s: fix mountpoint for rootfs --- nodes/kunsi-p14s.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nodes/kunsi-p14s.py b/nodes/kunsi-p14s.py index fc091da..c96d793 100644 --- a/nodes/kunsi-p14s.py +++ b/nodes/kunsi-p14s.py 
@@ -214,7 +214,7 @@ nodes['kunsi-p14s'] = { }, 'zroot/system/root': { 'canmount': 'noauto', - 'mountpoint': '/', + 'mountpoint': 'legacy', }, 'zroot/user/kunsi': { 'mountpoint': '/home/kunsi', From 8ec7f9e992e0b357f11661de81d664f33f6d3fb9 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Tue, 28 Mar 2023 19:18:26 +0200 Subject: [PATCH 097/996] rx300: update forgejo to 1.19.0-2 --- nodes/rx300.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/nodes/rx300.py b/nodes/rx300.py index cb69d51..48dc145 100644 --- a/nodes/rx300.py +++ b/nodes/rx300.py @@ -127,8 +127,8 @@ nodes['rx300'] = { }, }, 'gitea': { - 'url': 'https://codeberg.org/attachments/415526b5-e483-45b6-9d46-a7078dcea461', - 'sha1': '0a473b1bf7498db7508ae1ad5f917a2b504ab139', + 'url': 'https://codeberg.org/attachments/7bd411b7-0e75-4e0f-89e3-9274cb9c0120', + 'sha1': 'c4b80feb8dcaa9d38612895cd9828dfa11b98333', 'domain': 'git.franzi.business', 'email_domain_blocklist': { 'aol.com', From 6c48c25a94afa5db62f2c72ad57a344f1db227fc Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Tue, 28 Mar 2023 19:18:45 +0200 Subject: [PATCH 098/996] update element-web to 1.11.26 --- nodes/htz-cloud/miniserver.py | 2 +- nodes/rx300.py | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/nodes/htz-cloud/miniserver.py b/nodes/htz-cloud/miniserver.py index 44f3034..970f939 100644 --- a/nodes/htz-cloud/miniserver.py +++ b/nodes/htz-cloud/miniserver.py @@ -62,7 +62,7 @@ nodes['htz-cloud.miniserver'] = { }, 'element-web': { 'url': 'chat.sophies-kitchen.eu', - 'version': 'v1.11.25', + 'version': 'v1.11.26', 'config': { 'default_server_config': { 'm.homeserver': { diff --git a/nodes/rx300.py b/nodes/rx300.py index 48dc145..6dac6e2 100644 --- a/nodes/rx300.py +++ b/nodes/rx300.py @@ -104,7 +104,7 @@ nodes['rx300'] = { }, 'element-web': { 'url': 'chat.franzi.business', - 'version': 'v1.11.25', + 'version': 'v1.11.26', 'config': { 'default_server_config': { 'm.homeserver': { 
From 6835793d6a97e857ccbb99c04cc75f131ade1a08 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Tue, 28 Mar 2023 22:16:59 +0200 Subject: [PATCH 099/996] rx300: update travelynx to 1.30.9 --- nodes/rx300.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nodes/rx300.py b/nodes/rx300.py index 6dac6e2..3517a35 100644 --- a/nodes/rx300.py +++ b/nodes/rx300.py @@ -522,7 +522,7 @@ nodes['rx300'] = { }, }, 'travelynx': { - 'version': '1.30.7', + 'version': '1.30.9', 'mail_from': 'travelynx@franzi.business', 'domain': 'travelynx.franzi.business', }, From ee68c9075b679a7038dd1ababb1426e19c7b0e1e Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Tue, 28 Mar 2023 23:17:29 +0200 Subject: [PATCH 100/996] rx300: update netbox to 3.4.7 --- nodes/rx300.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nodes/rx300.py b/nodes/rx300.py index 3517a35..617ac08 100644 --- a/nodes/rx300.py +++ b/nodes/rx300.py @@ -305,7 +305,7 @@ nodes['rx300'] = { }, 'netbox': { 'domain': 'netbox.franzi.business', - 'version': 'v3.4.6', + 'version': 'v3.4.7', 'changelog_retention_days': 360, 'admins': { 'kunsi': 'hostmaster@kunbox.net', From 0522425218490ae7e4686657de88f3ec9760b8df Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Wed, 29 Mar 2023 10:48:06 +0200 Subject: [PATCH 101/996] rx300: we need bigger emails --- nodes/rx300.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nodes/rx300.py b/nodes/rx300.py index 617ac08..293d86f 100644 --- a/nodes/rx300.py +++ b/nodes/rx300.py @@ -436,7 +436,7 @@ nodes['rx300'] = { }, }, 'postfix': { - 'message_size_limit_mb': 50, + 'message_size_limit_mb': 75, 'mynetworks': { 'gce', 'ovh', From 64716d12cf7dc4081b1104ae9bac5c67a97ed90a Mon Sep 17 00:00:00 2001 
From: Franziska Kunsmann Date: Mon, 27 Mar 2023 13:47:35 +0200 Subject: [PATCH 102/996] bump netbox dump for home.switch-rack --- configs/netbox_device_home.switch-rack.json | 83 +++++++++++---------- 1 file changed, 42 insertions(+), 41 deletions(-) diff --git a/configs/netbox_device_home.switch-rack.json b/configs/netbox_device_home.switch-rack.json index 1e84e4b..1570cbe 100644 --- a/configs/netbox_device_home.switch-rack.json +++ b/configs/netbox_device_home.switch-rack.json @@ -10,7 +10,7 @@ "untagged_vlan": null }, "ether10": { - "description": "", + "description": "dect", "enabled": true, "ips": [], "mode": "ACCESS", @@ -91,7 +91,7 @@ "untagged_vlan": "home.clients" }, "ether19": { - "description": "", + "description": "kodi", "enabled": true, "ips": [], "mode": "ACCESS", @@ -100,16 +100,16 @@ "untagged_vlan": "home.clients" }, "ether2": { - "description": "", + "description": "Fritz!Box", "enabled": true, "ips": [], "mode": "ACCESS", "tagged_vlans": [], "type": "A_1000BASE_T", - "untagged_vlan": "home.clients" + "untagged_vlan": "home.wan" }, "ether20": { - "description": "", + "description": "Schreibtisch Franzi", "enabled": true, "ips": [], "mode": "ACCESS", @@ -118,7 +118,7 @@ "untagged_vlan": "home.clients" }, "ether21": { - "description": "Patchpanel oben (4)", + "description": "Schreibtisch Sophie", "enabled": true, "ips": [], "mode": "ACCESS", 
@@ -127,30 +127,25 @@ "untagged_vlan": "home.clients" }, "ether22": { - "description": "home.nas (eno1)", - "enabled": true, - "ips": [], - "mode": "TAGGED", - "tagged_vlans": [ - "ffwi.client", - "ffwi.mesh", - "home.clients", - "home.dmz" - ], - "type": "A_1000BASE_T", - "untagged_vlan": null - }, - "ether23": { - "description": "uplink", + "description": "Schreibtisch Sophie", "enabled": true, "ips": [], "mode": "ACCESS", "tagged_vlans": [], "type": "A_1000BASE_T", - "untagged_vlan": "home.wan" + "untagged_vlan": "home.clients" + }, + "ether23": { + "description": "Wohnzimmer Kabel", + "enabled": true, + "ips": [], + "mode": "ACCESS", + "tagged_vlans": [], + "type": "A_1000BASE_T", + "untagged_vlan": "home.clients" }, "ether24": { - "description": "", + "description": "Wohnzimmer Telefon", "enabled": true, "ips": [], "mode": "ACCESS", 
@@ -159,61 +154,67 @@ "untagged_vlan": "home.clients" }, "ether3": { - "description": "", + "description": "Freifunk", "enabled": true, "ips": [], - "mode": "ACCESS", - "tagged_vlans": [], + "mode": "TAGGED", + "tagged_vlans": [ + "ffwi.mesh", + "home.clients" + ], "type": "A_1000BASE_T", - "untagged_vlan": "home.clients" + "untagged_vlan": null }, "ether4": { - "description": "", + "description": "Freifunk", "enabled": true, "ips": [], - "mode": "ACCESS", - "tagged_vlans": [], + "mode": "TAGGED", + "tagged_vlans": [ + "ffwi.mesh", + "home.clients" + ], "type": "A_1000BASE_T", - "untagged_vlan": "home.clients" + "untagged_vlan": null }, "ether5": { - "description": "", + "description": "home.nas (eno1)", "enabled": true, "ips": [], - "mode": "ACCESS", + "mode": "TAGGED_ALL", "tagged_vlans": [], "type": "A_1000BASE_T", - "untagged_vlan": "home.clients" + "untagged_vlan": null }, "ether6": { - "description": "", + "description": "info-beamer", "enabled": true, "ips": [], "mode": "ACCESS", "tagged_vlans": [], "type": "A_1000BASE_T", - "untagged_vlan": "home.clients" + "untagged_vlan": "home.dmz" }, "ether7": { - "description": "", + "description": "Isanet", "enabled": true, "ips": [], "mode": "ACCESS", "tagged_vlans": [], "type": "A_1000BASE_T", - "untagged_vlan": "home.clients" + "untagged_vlan": "home.dmz" }, "ether8": { - "description": "", + "description": "ripe-probe", "enabled": true, "ips": [], "mode": "ACCESS", "tagged_vlans": [], "type": "A_1000BASE_T", - "untagged_vlan": "home.clients" + "untagged_vlan": "home.dmz" }, "ether9": { - "description": "", + "description": "drucker sophie", "enabled": true, "ips": [], "mode": "ACCESS", From fe9716088ae5f39a79bbb51a32495de882efe9b5 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Mon, 27 Mar 2023 13:51:44 +0200 Subject: [PATCH 103/996] home.downloadhelper: rotate all the vlans --- nodes/home/downloadhelper.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/nodes/home/downloadhelper.py b/nodes/home/downloadhelper.py index 56a3b7d..4396651 100644 --- a/nodes/home/downloadhelper.py +++ b/nodes/home/downloadhelper.py @@ -9,11 +9,11 @@ nodes['home.downloadhelper'] = { }, 'metadata': { 'interfaces': { - 'enp1s0.8': { + 'enp1s0.3301': { 'dhcp': True, 'send_hostname': False, }, - 'enp1s0.42': { + 'enp1s0.1138': { 'ips': { '172.19.138.27/24', }, From 317a3df11d3dec656936f225f44bda2038877707 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Mon, 27 Mar 2023 13:52:08 +0200 Subject: [PATCH 104/996] home.router: rotate all the vlans --- nodes/home/router.py | 52 ++++++++++++++++++++++---------------------- 1 file changed, 26 insertions(+), 26 deletions(-) diff --git a/nodes/home/router.py b/nodes/home/router.py index d7a7d20..740c3f0 100644 --- a/nodes/home/router.py +++ b/nodes/home/router.py @@ -16,16 +16,16 @@ nodes['home.router'] = { }, 'metadata': { 'interfaces': { - 'enp1s0.23': { - 'ips': { - '172.19.139.1/24', - }, - }, - 'enp1s0.42': { + 'enp1s0.1138': { 'ips': { '172.19.138.1/24', }, }, + 'enp1s0.1139': { + 'ips': { + '172.19.139.1/24', + }, + }, }, 'backups': { 'exclude_from_backups': True, @@ -47,18 +47,7 @@ nodes['home.router'] = { }, 'dhcpd': { 'subnets': { - 'enp1s0.23': { - 'range_lower': '172.19.139.200', - 'range_higher': '172.19.139.250', - 'subnet': '172.19.139.0/24', - 'options': { - 'broadcast-address': '172.19.139.255', - 'domain-name-servers': '172.19.139.1', - 'routers': '172.19.139.1', - 'subnet-mask': '255.255.255.0', - }, - }, - 'enp1s0.42': { + 'enp1s0.1138': { 'range_lower': '172.19.138.100', 'range_higher': '172.19.138.250', 'subnet': '172.19.138.0/24', 
@@ -71,6 +60,17 @@ nodes['home.router'] = { 'subnet-mask': '255.255.255.0', }, }, + 'enp1s0.1139': { + 'range_lower': '172.19.139.200', + 'range_higher': '172.19.139.250', + 'subnet': '172.19.139.0/24', + 'options': { + 'broadcast-address': '172.19.139.255', + 'domain-name-servers': '172.19.139.1', + 'routers': '172.19.139.1', + 'subnet-mask': '255.255.255.0', + }, + }, }, }, 'hosts': { @@ -118,8 +118,8 @@ nodes['home.router'] = { }, 'radvd': { 'interfaces': { - 'enp1s0.23': {}, - 'enp1s0.42': {}, + 'enp1s0.1138': {}, + 'enp1s0.1138': {}, }, }, 'postfix': { @@ -130,7 +130,7 @@ nodes['home.router'] = { 'pppd': { 'username': vault.decrypt('encrypt$gAAAAABfruZ5AZbgJ3mfMLWqIMx8o4bBRMJsDPD1jElh-vWN_gnhiuZVjrQ1-7Y6zDXNkxXiyhx8rxc2enmvo26axd7EBI8FqknCptXAPruVtDZrBCis4TE='), 'password': vault.decrypt('encrypt$gAAAAABfruaXEDkaFksFMU8g97ydWyJF8p2KcSDJJBlzaOLDsLL6oCDYjG1kMPVESOzqjn8ThtSht1uZDuMCstA-sATmLS-EWQ=='), - 'interface': 'enp1s0.100', + 'interface': 'enp1s0.7', 'dyndns': { 'domain': 'franzi-home.kunbox.net', 'url': 'https://ns-primary.kunbox.net/nic/update?hostname=franzi-home.kunbox.net&myip={ip}', @@ -138,8 +138,8 @@ nodes['home.router'] = { 'password': vault.decrypt('encrypt$gAAAAABfr8Cq5M1hweeJTQAl0dLhFntdlw-QnkIYUQpY-_ycODVWOpyeAwjwOgWLSdsdXIUvqcoiXPZPV-BE12p5C42NGnj9r7sKYpoGz8xfuGIk6haMa2g='), }, 'nftables-rules.d': { - 'inet filter forward iifname enp1s0.23 oif $INTERFACE accept', - 'inet filter forward iifname enp1s0.42 accept', + 'inet filter forward iifname enp1s0.1138 accept', + 'inet filter forward iifname enp1s0.1139 oif $INTERFACE accept', }, }, 'unbound': { @@ -161,7 +161,7 @@ nodes['home.router'] = { }, }, 'vnstat': { - 'interface': 'enp1s0.100', + 'interface': 'enp1s0.7', }, 'vm': { 'cpu': 2, @@ -170,8 +170,8 @@ nodes['home.router'] = { 'wide-dhcp6c': { 'source': 'ppp0', 'targets': { - 'enp1s0.23': '2', - 'enp1s0.42': '1', + 'enp1s0.1138': '1', + 'enp1s0.1139': '2', }, }, 'wireguard': { 
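Review bot: The radvd `interfaces` dict in hunk `@@ -118,8 +118,8 @@` now contains `'enp1s0.1138': {}` twice, so the second entry silently overwrites the first and `enp1s0.1139`, the VLAN this same commit sets up in the `interfaces`, `dhcpd` and `wide-dhcp6c` hunks, gets no router advertisements. The second line presumably should read `'enp1s0.1139': {},`. A duplicate key in a dict literal is legal Python, so nothing flags this at apply time; the enclosing node definition continues outside the hunk.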
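Review bot: The DMZ forward rule in hunk `@@ -138,8 +138,8 @@` keeps the `oif $INTERFACE` form while the clients rule uses `iifname`; in nftables `oif` matches by interface index and is resolved when the ruleset is loaded, so if `$INTERFACE` expands to the PPP interface configured in the `pppd` hunk and that interface does not exist at load time, the ruleset fails to load or the rule never matches. `oifname $INTERFACE` matches by name and tolerates the interface coming and going: `'inet filter forward iifname enp1s0.1139 oifname $INTERFACE accept',`. The previous rule had the same form, so this is inherited rather than introduced here, and where `$INTERFACE` is defined is outside the hunk.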
From f6da1f6d718d4a872a0ad8eadf7b06849e3d9907 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Mon, 27 Mar 2023 13:52:23 +0200 Subject: [PATCH 105/996] home.nas: rotate all the vlans --- nodes/home/nas.py | 16 ++++------------ 1 file changed, 4 insertions(+), 12 deletions(-) diff --git a/nodes/home/nas.py b/nodes/home/nas.py index 34ae010..b67b1de 100644 --- a/nodes/home/nas.py +++ b/nodes/home/nas.py @@ -18,7 +18,7 @@ nodes['home.nas'] = { }, 'metadata': { 'interfaces': { - 'br42': { + 'br1138': { 'ips': { '172.19.138.20/24', }, @@ -148,23 +148,15 @@ nodes['home.nas'] = { }, }, 'systemd-networkd': { - 'bonds': { - 'bond0': { - 'match': { - 'enp8*', - 'enp9*', - }, - }, - }, 'bridges': { 'br0': { 'match': { - 'bond0', + 'enp1s0', }, }, - 'br42': { + 'br1138': { 'match': { - 'br0.42', + 'br0.1138', }, }, }, From fe7d57aca077dc5511fc544a53554c01d5a993b2 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Mon, 27 Mar 2023 13:52:50 +0200 Subject: [PATCH 106/996] home.downloadhelper: more vlans --- nodes/home/downloadhelper.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nodes/home/downloadhelper.py b/nodes/home/downloadhelper.py index 4396651..19f6c9c 100644 --- a/nodes/home/downloadhelper.py +++ b/nodes/home/downloadhelper.py @@ -30,7 +30,7 @@ nodes['home.downloadhelper'] = { }, 'lldp': { 'interfaces': { - 'enp1s0.42', + 'enp1s0.1138', }, }, 'nfs-client': { From 7eb2bf68d8bd25da711413e9af564f15370361b7 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Tue, 28 Mar 2023 22:52:10 +0200 Subject: [PATCH 107/996] home.switch-rack: use password for authentication --- nodes.py | 3 +++ nodes/home.switch-rack.toml | 3 ++- scripts/passwords-for | 11 ++++++++--- 3 files changed, 13 insertions(+), 4 deletions(-) diff --git a/nodes.py b/nodes.py index b9110ad..9be84b4 100644 --- a/nodes.py +++ b/nodes.py 
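Review bot: `br0` in the `bridges` block now matches `enp1s0`, but the netbox dump for the rack switch elsewhere in this series labels the port feeding the NAS `home.nas (eno1)`; if the NIC is really `eno1`, systemd-networkd creates `br0` with no member and `br1138`, which sits on `br0.1138`, loses its uplink together with the `172.19.138.20/24` address the first hunk moves onto it. Worth confirming the interface name on the host before applying; if it is `eno1` the match line should read `'eno1',`. The removed `bond0` block matched `enp8*`/`enp9*`, so those ports are no longer referenced in this file as far as the hunk shows.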
@@ -15,3 +15,6 @@ for node in Path(join(repo_path, "nodes")).rglob("*.py"): for name, data in nodes.items(): data.setdefault('hostname', '.'.join(reversed(name.split('.'))) + '.kunbox.net') data.setdefault('metadata', {}).setdefault('hostname', '.'.join(reversed(name.split('.'))) + '.kunbox.net') + + if 'password' in data: + data['password'] = vault.decrypt(data['password']) diff --git a/nodes/home.switch-rack.toml b/nodes/home.switch-rack.toml index 2f5dbda..1944e1e 100644 --- a/nodes/home.switch-rack.toml +++ b/nodes/home.switch-rack.toml @@ -1,5 +1,6 @@ bundles = ["routeros"] hostname = "172.19.138.4" +locking_node = "home.router" os = "routeros" +password = "encrypt$gAAAAABkI1Eqsust7XuYFK2-FaRzXWM5fOXumhdi5fWNokLtM0CBAqVqc5zcg37XH_JIZvkhp3buKvswcvd_znaV3Rb8kKeJTs4_VJo6OsvbiWkujfT50HspoUXER0JSZSmeZts8a_2i" username = "admin" -# TODO password diff --git a/scripts/passwords-for b/scripts/passwords-for index c12fa7b..10beb14 100755 --- a/scripts/passwords-for +++ b/scripts/passwords-for @@ -2,6 +2,7 @@ from os import environ from sys import argv +from bundlewrap.metagen import NodeMetadataProxy from bundlewrap.exceptions import FaultUnavailable from bundlewrap.repo import Repository from bundlewrap.utils import Fault @@ -19,13 +20,17 @@ def print_faults(dictionary, keypath=[]): else: if '\n' not in resolved_fault: print('{}/{}: {}'.format('/'.join(keypath), key, value)) - elif isinstance(value, dict): + elif isinstance(value, (list, set, tuple)): + print_faults(dict(enumerate(value)), keypath=keypath+[key]) + elif isinstance(value, (dict, NodeMetadataProxy)): print_faults(value, keypath=keypath+[key]) - if len(argv) == 1: print('node name missing') exit(1) node = repo.get_node(argv[1]) -print_faults(node.metadata) +print_faults({ + 'password': node.password, + 'metadata': node.metadata, +}) From 5116ba8a2734462141b1dda59f807267492556ec Mon Sep 17 00:00:00 2001 
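Review bot: The new `if 'password' in data: data['password'] = vault.decrypt(data['password'])` accepts any string stored under `password`, with no check that it is actually a vault ciphertext, so a node file committed with a plaintext password would be handed to `vault.decrypt` unchanged, and whether that fails loudly or yields garbage depends on how bundlewrap treats a value without the `encrypt$` prefix. A one-line guard before the decrypt enforces the convention the TOML hunk follows: `if not data['password'].startswith('encrypt$'): raise ValueError(f'{name}: password must be vault-encrypted')`. Since `vault.decrypt` is applied at repository load for every node, the failure would surface on any bw invocation, which is the right place for it.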
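Review bot: The new `elif isinstance(value, (list, set, tuple))` branch in `print_faults` enumerates a `set` in iteration order, which is not stable between Python processes, so the index printed in the keypath for a set member can differ from one run of the script to the next. Enumerating `sorted(value, key=repr)` when the value is a set, or printing set members without an index, gives reproducible output. The `keypath=[]` default in the signature shown in the hunk header is a mutable default; it is safe here only because every recursive call builds a fresh `keypath+[key]`, and `keypath=None` with `keypath = keypath or []` would be the conventional form.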
From: Franziska Kunsmann Date: Tue, 28 Mar 2023 22:57:05 +0200 Subject: [PATCH 108/996] home.downloadhelper: fix vlan id --- nodes/home/downloadhelper.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nodes/home/downloadhelper.py b/nodes/home/downloadhelper.py index 19f6c9c..d09d558 100644 --- a/nodes/home/downloadhelper.py +++ b/nodes/home/downloadhelper.py @@ -9,7 +9,7 @@ nodes['home.downloadhelper'] = { }, 'metadata': { 'interfaces': { - 'enp1s0.3301': { + 'enp1s0.3001': { 'dhcp': True, 'send_hostname': False, }, From 3c921e5d2e183e03a59c896d9369b39cfc9f49f3 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Wed, 29 Mar 2023 18:15:30 +0200 Subject: [PATCH 109/996] rename home.bubble01 to home.mitel-rfp35 --- nodes/{home.bubble01.toml => home.mitel-rfp35.toml} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename nodes/{home.bubble01.toml => home.mitel-rfp35.toml} (100%) diff --git a/nodes/home.bubble01.toml b/nodes/home.mitel-rfp35.toml similarity index 100% rename from nodes/home.bubble01.toml rename to nodes/home.mitel-rfp35.toml From 9b11e69a7346850f0b4f96c0e4b2de2c139929a0 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Wed, 29 Mar 2023 18:15:51 +0200 Subject: [PATCH 110/996] home.router: fix vlans --- nodes/home/router.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/nodes/home/router.py b/nodes/home/router.py index 740c3f0..cbdbc5d 100644 --- a/nodes/home/router.py +++ b/nodes/home/router.py @@ -119,7 +119,7 @@ nodes['home.router'] = { 'radvd': { 'interfaces': { 'enp1s0.1138': {}, - 'enp1s0.1138': {}, + 'enp1s0.1139': {}, }, }, 'postfix': { @@ -139,7 +139,7 @@ nodes['home.router'] = { }, 'nftables-rules.d': { 'inet filter forward iifname enp1s0.1138 accept', - 'inet filter forward iifname enp1s0.1139 oif $INTERFACE accept', + 'inet filter forward iifname enp1s0.1139 oifname $INTERFACE accept', }, }, 'unbound': { From 7ff8319f0996ba4c2ddda227617dfaa36ec0b190 Mon Sep 17 00:00:00 2001 
From: Franziska Kunsmann Date: Wed, 29 Mar 2023 18:16:05 +0200 Subject: [PATCH 111/996] home.nas: fix firewall and interface names --- nodes/home/nas.py | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/nodes/home/nas.py b/nodes/home/nas.py index b67b1de..37136d5 100644 --- a/nodes/home/nas.py +++ b/nodes/home/nas.py @@ -69,11 +69,11 @@ nodes['home.nas'] = { }, '5060': { # yate SIP 'home.snom-wohnzimmer', - 'home.bubble01', + 'home.mitel-rfp35', }, '5061': { # yate SIPS 'home.snom-wohnzimmer', - 'home.bubble01', + 'home.mitel-rfp35', }, # yate RTP uses some random UDP port. We cannot firewall # it, because for incoming calls the other side decides @@ -83,7 +83,7 @@ nodes['home.nas'] = { # to deal with randomly changing IPs here. '*/udp': { 'home.snom-wohnzimmer', - 'home.bubble01', + 'home.mitel-rfp35', }, }, }, @@ -151,7 +151,7 @@ nodes['home.nas'] = { 'bridges': { 'br0': { 'match': { - 'enp1s0', + 'eno1', }, }, 'br1138': { From 83f720d2346f7949f0a00e47ca6fd70ead551e90 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Wed, 29 Mar 2023 18:16:27 +0200 Subject: [PATCH 112/996] bump netbox-dump --- configs/netbox_device_home.switch-rack.json | 44 ++++++++++----------- 1 file changed, 21 insertions(+), 23 deletions(-) diff --git a/configs/netbox_device_home.switch-rack.json b/configs/netbox_device_home.switch-rack.json index 1570cbe..09d3775 100644 --- a/configs/netbox_device_home.switch-rack.json +++ b/configs/netbox_device_home.switch-rack.json @@ -10,7 +10,7 @@ "untagged_vlan": null }, "ether10": { - "description": "dect", + "description": "home.mitel-rfp35 (LAN)", "enabled": true, "ips": [], "mode": "ACCESS", @@ -19,7 +19,7 @@ "untagged_vlan": "home.clients" }, "ether11": { - "description": "", + "description": "home.usv01 (LAN)", "enabled": true, "ips": [], "mode": "ACCESS", 
@@ -28,7 +28,7 @@ "untagged_vlan": "home.clients" }, "ether12": { - "description": "", + "description": "home.rechenmonster (IPMI)", "enabled": true, "ips": [], "mode": "ACCESS", @@ -46,7 +46,7 @@ "untagged_vlan": "home.clients" }, "ether14": { - "description": "", + "description": "home.rechenmonster (LAN)", "enabled": true, "ips": [], "mode": "ACCESS", @@ -91,7 +91,7 @@ "untagged_vlan": "home.clients" }, "ether19": { - "description": "kodi", + "description": "home.kodi-wohnzimmer", "enabled": true, "ips": [], "mode": "ACCESS", @@ -100,7 +100,7 @@ "untagged_vlan": "home.clients" }, "ether2": { - "description": "Fritz!Box", + "description": "Fritz!Box (LAN1)", "enabled": true, "ips": [], "mode": "ACCESS", @@ -109,7 +109,7 @@ "untagged_vlan": "home.wan" }, "ether20": { - "description": "Schreibtisch Franzi", + "description": "Franzi Laptop", "enabled": true, "ips": [], "mode": "ACCESS", @@ -118,7 +118,7 @@ "untagged_vlan": "home.clients" }, "ether21": { - "description": "Schreibtisch Sophie", + "description": "Sophie Laptop", "enabled": true, "ips": [], "mode": "ACCESS", @@ -127,7 +127,7 @@ "untagged_vlan": "home.clients" }, "ether22": { - "description": "Schreibtisch Sophie", + "description": "Sophie Desktop", "enabled": true, "ips": [], "mode": "ACCESS", @@ -145,7 +145,7 @@ "untagged_vlan": "home.clients" }, "ether24": { - "description": "Wohnzimmer Telefon", + "description": "home.snom-wohnzimmer", "enabled": true, "ips": [], "mode": "ACCESS", 
@@ -154,28 +154,26 @@ "untagged_vlan": "home.clients" }, "ether3": { - "description": "Freifunk", + "description": "home.winkeeinhorn-1 (LAN)", "enabled": true, "ips": [], "mode": "TAGGED", "tagged_vlans": [ - "ffwi.mesh", - "home.clients" + "ffwi.mesh" ], "type": "A_1000BASE_T", - "untagged_vlan": null + "untagged_vlan": "home.clients" }, "ether4": { - "description": "Freifunk", + "description": "home.winkeeinhorn-2 (LAN)", "enabled": true, "ips": [], "mode": "TAGGED", "tagged_vlans": [ - "ffwi.mesh", - "home.clients" + "ffwi.mesh" ], "type": "A_1000BASE_T", - "untagged_vlan": null + "untagged_vlan": "home.clients" }, "ether5": { "description": "home.nas (eno1)", @@ -187,7 +185,7 @@ "untagged_vlan": null }, "ether6": { - "description": "info-beamer", + "description": "isanet", "enabled": true, "ips": [], "mode": "ACCESS", @@ -196,7 +194,7 @@ "untagged_vlan": "home.dmz" }, "ether7": { - "description": "Isanet", + "description": "RIPE-Probe #28280 (LAN)", "enabled": true, "ips": [], "mode": "ACCESS", @@ -205,16 +203,16 @@ "untagged_vlan": "home.dmz" }, "ether8": { - "description": "ripe-probe", + "description": "home.drucker-sophie", "enabled": true, "ips": [], "mode": "ACCESS", "tagged_vlans": [], "type": "A_1000BASE_T", - "untagged_vlan": "home.dmz" + "untagged_vlan": "home.clients" }, "ether9": { - "description": "drucker sophie", + "description": "info-beamer 12199 (LAN)", "enabled": true, "ips": [], "mode": "ACCESS", From a9874ce8fb57d93d7ded9d69d7f72d485469b587 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Wed, 29 Mar 2023 18:22:34 +0200 Subject: [PATCH 113/996] htz-cloud.influxdb: switch ip has changed --- nodes/htz-cloud/influxdb.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nodes/htz-cloud/influxdb.py b/nodes/htz-cloud/influxdb.py index ba1274a..1125952 100644 --- a/nodes/htz-cloud/influxdb.py +++ b/nodes/htz-cloud/influxdb.py 
@@ -69,7 +69,7 @@ nodes['htz-cloud.influxdb'] = { 'builtin': { 'snmp': [ { - 'agents': ['udp://172.19.138.2'], + 'agents': ['udp://172.19.138.4'], 'agent_host_tag': 'host', 'table': [{'oid': 'IF-MIB::ifTable'}], 'interval': '10s', From 5af85ad53550343f13d2438b32ce96aa18f329a0 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Wed, 29 Mar 2023 18:36:14 +0200 Subject: [PATCH 114/996] remove home.sw02 --- nodes/home.sw01.toml | 4 ---- 1 file changed, 4 deletions(-) delete mode 100644 nodes/home.sw01.toml diff --git a/nodes/home.sw01.toml b/nodes/home.sw01.toml deleted file mode 100644 index f9dca43..0000000 --- a/nodes/home.sw01.toml +++ /dev/null @@ -1,4 +0,0 @@ -dummy = true - -[metadata.interfaces.default] -ips = ["172.19.138.2"] From bbbcfee042e1d5bfab8418ebeaaef5335c387346 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Fri, 31 Mar 2023 16:47:27 +0200 Subject: [PATCH 115/996] add group switches-mikrotik --- groups/features.py | 9 +++++++++ nodes/home.switch-rack.toml | 5 +---- 2 files changed, 10 insertions(+), 4 deletions(-) diff --git a/groups/features.py b/groups/features.py index 54a58a7..fca9379 100644 --- a/groups/features.py +++ b/groups/features.py @@ -17,3 +17,12 @@ groups['dns'] = { }, }, } + +groups['switches-mikrotik'] = { + 'bundles': { + 'routeros', + }, + 'locking_node': 'home.router', + 'os': 'routeros', + 'username': 'admin', +} diff --git a/nodes/home.switch-rack.toml b/nodes/home.switch-rack.toml index 1944e1e..57014f0 100644 --- a/nodes/home.switch-rack.toml +++ b/nodes/home.switch-rack.toml @@ -1,6 +1,3 @@ -bundles = ["routeros"] +groups = ["switches-mikrotik"] hostname = "172.19.138.4" -locking_node = "home.router" -os = "routeros" password = "encrypt$gAAAAABkI1Eqsust7XuYFK2-FaRzXWM5fOXumhdi5fWNokLtM0CBAqVqc5zcg37XH_JIZvkhp3buKvswcvd_znaV3Rb8kKeJTs4_VJo6OsvbiWkujfT50HspoUXER0JSZSmeZts8a_2i" -username = "admin" From 8d3e913a8c3bb62ed5a738df5d51bea9d53931c2 Mon Sep 17 00:00:00 2001 
From: Franziska Kunsmann Date: Fri, 31 Mar 2023 16:47:43 +0200 Subject: [PATCH 116/996] kunsi-p14s: br0 contains all wired interfaces --- nodes/kunsi-p14s.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/nodes/kunsi-p14s.py b/nodes/kunsi-p14s.py index c96d793..a341c5b 100644 --- a/nodes/kunsi-p14s.py +++ b/nodes/kunsi-p14s.py @@ -148,8 +148,8 @@ nodes['kunsi-p14s'] = { 'bridges': { 'br0': { 'match': { - 'enp2s0f0', - 'enp5s0', + 'en*', + 'eth*', }, }, }, From 28298d3ce69a86b81a0b3eeae02559b4347183fc Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Fri, 31 Mar 2023 21:41:12 +0200 Subject: [PATCH 117/996] replace predefined ssh keys with generated ones --- bundles/backup-client/items.py | 7 ++- bundles/backup-server/items.py | 8 +-- libs/ssh.py | 96 ++++++++++++++++++++++++++++++++++ 3 files changed, 105 insertions(+), 6 deletions(-) create mode 100644 libs/ssh.py diff --git a/bundles/backup-client/items.py b/bundles/backup-client/items.py index 6538803..a4c9a11 100644 --- a/bundles/backup-client/items.py +++ b/bundles/backup-client/items.py @@ -33,14 +33,17 @@ else: backup_target = repo.get_node(node.metadata.get('backup-client/target')) files['/etc/backup.priv'] = { - 'content': repo.vault.decrypt_file(join('backup', 'keys', f'{node.name}.key.vault')), + 'content': repo.libs.ssh.generate_ed25519_private_key( + node.metadata.get('backup-client/user-name'), + backup_target, + ), 'mode': '0400', } files['/usr/local/bin/generate-backup'] = { 'content_type': 'mako', 'context': { - 'username': node.metadata['backup-client']['user-name'], + 'username': node.metadata.get('backup-client/user-name'), 'server': backup_target.metadata.get('backup-server/my_hostname'), 'port': backup_target.metadata.get('backup-server/my_ssh_port'), 'paths': backup_paths, diff --git a/bundles/backup-server/items.py b/bundles/backup-server/items.py index 11d0624..bd4d12f 100644 --- a/bundles/backup-server/items.py +++ b/bundles/backup-server/items.py 
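Review bot: The client's private key is derived from `node.metadata.get('backup-client/user-name')` and `backup_target`, while the `authorized_keys` entry on the server (bundles/backup-server/items.py in this commit) is derived from `config['user']` and the server node; the pair only matches if the client's `backup-client/user-name` equals the `user` field of that client's entry in the server's `backup-server/clients` map. A mismatch does not error, it just yields two unrelated keys and a backup that fails at SSH login, so a comment at the `'content':` line recording the coupling would help, e.g. `# must equal backup-server/clients/<this node>/user on backup_target: the key is derived from (username, target)`. Whether both values are populated from one metadata source is not visible in this hunk, and the `else:` branch it sits in starts outside it.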
@@ -27,9 +27,6 @@ directories['/etc/backup-server/clients'] = { sudoers = {} for nodename, config in node.metadata.get('backup-server/clients', {}).items(): - with open(join(repo.path, 'data', 'backup', 'keys', f'{nodename}.pub'), 'r') as f: - pubkey = f.read().strip() - sudoers[config['user']] = nodename users[config['user']] = { @@ -41,7 +38,10 @@ for nodename, config in node.metadata.get('backup-server/clients', {}).items(): } files[f'/srv/backups/{nodename}/.ssh/authorized_keys'] = { - 'content': pubkey, + 'content': repo.libs.ssh.generate_ed25519_public_key( + config['user'], + node, + ), 'owner': config['user'], 'mode': '0400', 'needs': { diff --git a/libs/ssh.py b/libs/ssh.py new file mode 100644 index 0000000..90fb674 --- /dev/null +++ b/libs/ssh.py 
@@ -0,0 +1,96 @@
+from base64 import b64decode, b64encode
+from functools import lru_cache
+from hashlib import sha3_224
+
+from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PrivateKey
+from cryptography.hazmat.primitives.serialization import (
+ Encoding,
+ NoEncryption,
+ PrivateFormat,
+ PublicFormat,
+)
+
+from bundlewrap.utils import Fault
+
+
+@lru_cache(maxsize=None)
+def generate_ed25519_private_key(username, node):
+ return Fault(
+ f'private key {username}@{node.name}',
+ lambda username, node: _generate_ed25519_private_key(username, node),
+ username=username,
+ node=node,
+ )
+
+
+@lru_cache(maxsize=None)
+def generate_ed25519_public_key(username, node):
+ return Fault(
+ f'public key {username}@{node.name}',
+ lambda username, node: _generate_ed25519_public_key(username, node),
+ username=username,
+ node=node,
+ )
+
+
+def _generate_ed25519_private_key(username, node):
+ privkey_bytes = Ed25519PrivateKey.from_private_bytes(_secret(username, node))
+
+ nondeterministic_privatekey = privkey_bytes.private_bytes(
+ encoding=Encoding.PEM,
+ format=PrivateFormat.OpenSSH,
+ encryption_algorithm=NoEncryption(),
+ ).decode()
+
+ # get relevant lines from string
+ nondeterministic_bytes = b64decode(
+ ''.join(nondeterministic_privatekey.split('\n')[1:-2])
+ )
+
+ # sanity check
+ if nondeterministic_bytes[98:102] != nondeterministic_bytes[102:106]:
+ raise Exception("checksums should be the same: whats going on here?")
+
+ # replace random bytes with deterministic values
+ random_bytes = sha3_224(_secret(username, node)).digest()[0:4]
+ deterministic_bytes = (
+ nondeterministic_bytes[:98]
+ + random_bytes
+ + random_bytes
+ + nondeterministic_bytes[106:]
+ )
+
+ # reassemble file
+ deterministic_privatekey = '\n'.join(
+ [
+ '-----BEGIN OPENSSH PRIVATE KEY-----',
+ b64encode(deterministic_bytes).decode(),
+ '-----END OPENSSH PRIVATE KEY-----',
+ ]
+ ) + '\n'
+
+ return deterministic_privatekey
+
+
+def _generate_ed25519_public_key(username, node):
+ return (
+ Ed25519PrivateKey.from_private_bytes(_secret(username, node))
+ .public_key()
+ .public_bytes(
+ encoding=Encoding.OpenSSH,
+ format=PublicFormat.OpenSSH,
+ )
+ .decode()
+ + f' {username}@{node.name}'
+ )
+
+
+@lru_cache(maxsize=None)
+def _secret(username, node):
+ return b64decode(
+ str(
+ node.repo.vault.random_bytes_as_base64_for(
+ f"{username}@{node.name}", length=32
+ )
+ )
+ )
From 60fc0e64e784c2d898d1c9b457b33c9cf9e480eb Mon Sep 17 00:00:00 2001
From: Franziska Kunsmann
Date: Sat, 1 Apr 2023 06:50:37 +0200
Subject: [PATCH 118/996] bundles/{apt,pacman}: ignore sshd processes spawned by user nobody
---
bundles/apt/files/upgrade-and-reboot | 2 +-
bundles/pacman/files/upgrade-and-reboot | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/bundles/apt/files/upgrade-and-reboot b/bundles/apt/files/upgrade-and-reboot
index ab99a10..1a0ff36 100644
--- a/bundles/apt/files/upgrade-and-reboot
+++ b/bundles/apt/files/upgrade-and-reboot
@@ -19,7 +19,7 @@ statusfile="/var/tmp/unattended_upgrades.status"
 # Workaround, because /var/tmp is usually 1777
 [[ "$UID" == 0 ]] && chown root:root "$statusfile"
-logins=$(ps h -C sshd -o euser | awk '$1 != "root" && $1 != "sshd" && $1 != "sshmon"')
+logins=$(ps h -C sshd -o euser | awk '$1 != "root" && $1 != "sshd" && $1 != "sshmon" && $1 != "nobody"')
 if [[ -n "$logins" ]]
 then
 echo "Will abort now, there are active SSH logins: $logins"
diff --git a/bundles/pacman/files/upgrade-and-reboot b/bundles/pacman/files/upgrade-and-reboot
index b8339ce..8f1e9c1 100644
--- a/bundles/pacman/files/upgrade-and-reboot
+++ b/bundles/pacman/files/upgrade-and-reboot
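Review bot: The byte-patching in `_generate_ed25519_private_key` is undocumented: for an unencrypted container holding one ed25519 key with no comment, bytes 98..106 of the decoded blob are the two 32-bit check values OpenSSH requires to be equal, `cryptography` fills them afresh on every `private_bytes()` call, and the code overwrites both with `sha3_224(seed)[:4]` so the rendered file is byte-stable between runs; a docstring stating this, and that the `[98:102] != [102:106]` comparison is what guards the hard-coded offsets, is needed before anyone touches the slicing. The derivation label in `_secret`, `f"{username}@{node.name}"`, has no namespace, so any other call to `random_bytes_as_base64_for` with the same `user@node` label elsewhere in the repo would yield the same bytes as this SSH seed — I cannot see other callers, but a prefix such as `f"ssh-ed25519/{username}@{node.name}"` costs nothing while no keys are deployed yet. A module docstring should also state that every key pair here is a pure function of the repo vault key plus that label, so whoever can read the vault secret can regenerate every backup client key; that is the trade-off this design makes for not storing key files in the repo. The bare `raise Exception(...)` would be clearer as `ValueError`.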
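Review bot: The `logins=$(ps h -C sshd -o euser | awk ...)` line now exists in two identical copies, here and in bundles/pacman/files/upgrade-and-reboot in the same commit, and this patch has to touch both; moving the shared script into one bundle file that both package bundles reference would stop the copies drifting. The growing euser denylist also deserves a comment explaining what it filters, since a reader cannot tell from the line which names are sshd's own helper accounts, e.g. `# sshd's privilege-separation children run as sshd (or nobody on some distros) and are not logins`. The enclosing script continues outside the hunk.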
@@ -19,7 +19,7 @@ statusfile="/var/tmp/unattended_upgrades.status" # Workaround, because /var/tmp is usually 1777 [[ "$UID" == 0 ]] && chown root:root "$statusfile" -logins=$(ps h -C sshd -o euser | awk '$1 != "root" && $1 != "sshd" && $1 != "sshmon"') +logins=$(ps h -C sshd -o euser | awk '$1 != "root" && $1 != "sshd" && $1 != "sshmon" && $1 != "nobody"') if [[ -n "$logins" ]] then echo "Will abort now, there are active SSH logins: $logins" From 9a6be52b056ae7d2ac6c2c81234845b906bd57d0 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sat, 1 Apr 2023 06:58:48 +0200 Subject: [PATCH 119/996] bundles/backup-client: use set instead of list --- bundles/backup-client/items.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/bundles/backup-client/items.py b/bundles/backup-client/items.py index a4c9a11..facd113 100644 --- a/bundles/backup-client/items.py +++ b/bundles/backup-client/items.py @@ -19,12 +19,12 @@ else: if node.metadata.get('backups/exclude_from_backups', False): # make sure nobody tries to do something funny - for file in [ + for file in { '/etc/backup.priv', '/usr/local/bin/generate-backup', '/usr/local/bin/generate-backup-with-retries', '/var/tmp/backup.monitoring', # status file - ]: + }: files[file] = { 'delete': True, } From 4bcf15a64c1fce39696bea4dc90fb422e50304f2 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sat, 1 Apr 2023 06:59:13 +0200 Subject: [PATCH 120/996] voc.pretalx: do rsync backups, too --- nodes/voc/pretalx.py | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/nodes/voc/pretalx.py b/nodes/voc/pretalx.py index 204aaa1..e14a740 100644 --- a/nodes/voc/pretalx.py +++ b/nodes/voc/pretalx.py @@ -5,6 +5,7 @@ nodes['voc.pretalx'] = { 'hostname': 'pretalx.c3voc.de', 'bundles': { + 'backup-client', 'check-mail-received', 'c3voc-addons', 'pretalx', 
@@ -14,6 +15,9 @@ nodes['voc.pretalx'] = { 'sshmon', }, 'metadata': { + 'backup-client': { + 'target': 'htz-hel.backup-kunsi', + }, 'check-mail-received': { 't-online': { 'email': 'franzi.kunsmann@t-online.de', From a27ac38beced844b6e5868540b8ff66fbfa11ccd Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sat, 1 Apr 2023 07:01:03 +0200 Subject: [PATCH 121/996] add bundle:telegraf-monitors-mikrotik --- .../files/telegraf-plugin-snmp-mikrotik | 61 +++++++++++++++++++ bundles/telegraf-monitors-mikrotik/items.py | 9 +++ .../telegraf-monitors-mikrotik/metadata.py | 22 +++++++ nodes/htz-cloud/influxdb.py | 7 +-- 4 files changed, 93 insertions(+), 6 deletions(-) create mode 100644 bundles/telegraf-monitors-mikrotik/files/telegraf-plugin-snmp-mikrotik create mode 100644 bundles/telegraf-monitors-mikrotik/items.py create mode 100644 bundles/telegraf-monitors-mikrotik/metadata.py diff --git a/bundles/telegraf-monitors-mikrotik/files/telegraf-plugin-snmp-mikrotik b/bundles/telegraf-monitors-mikrotik/files/telegraf-plugin-snmp-mikrotik new file mode 100644 index 0000000..322e9db --- /dev/null +++ b/bundles/telegraf-monitors-mikrotik/files/telegraf-plugin-snmp-mikrotik 
@@ -0,0 +1,61 @@
+#!/usr/bin/env python3
+from sys import argv
+
+from hnmp import SNMP
+
+
+snmp = SNMP(argv[2], community=argv[3])
+
+single_value_metrics_int_oids = {
+ 'cpu-load': '1.3.6.1.2.1.25.3.3.1.2.1',
+ 'cpu-temperature': '1.3.6.1.4.1.14988.1.1.3.11.0',
+ 'fan1-speed': '1.3.6.1.4.1.14988.1.1.3.17.0',
+ 'fan2-speed': '1.3.6.1.4.1.14988.1.1.3.18.0',
+ 'power-consumption': '1.3.6.1.4.1.14988.1.1.3.12.0',
+ #'psu1-state': '1.3.6.1.4.1.14988.1.1.3.15.0',
+ 'temperature': '1.3.6.1.4.1.14988.1.1.3.10.0',
+}
+
+single_value_metrics_int_values = {
+ key: snmp.get(oid)
+ for key, oid in single_value_metrics_int_oids.items()
+}
+
+formatted_values = sorted([
+ f"{key}={value}i"
+ for key, value in single_value_metrics_int_values.items()
+ if value
+])
+
+print("mikrotik,host={host} {values}".format(
+ host=argv[1],
+ values=",".join(formatted_values),
+))
+
+
+table = snmp.table(
+ "1.3.6.1.4.1.14988.1.1.15.1.1",
+ columns={
+ 2: "interface",
+ #3: "status",
+ 4: "voltage",
+ 5: "current",
+ 6: "power",
+ },
+ fetch_all_columns=False,
+)
+
+for row in table.rows:
+ print(row)
+ interface_name = row['interface']
+ values = []
+ for column, value in row.items():
+ if column == "interface" or not value:
+ continue
+ values.append("{}={}i".format(column, value))
+
+ print("mikrotik,interface={interface},host={host} {values}".format(
+ host=argv[1],
+ interface=interface_name,
+ values=",".join(values),
+ ))
diff --git a/bundles/telegraf-monitors-mikrotik/items.py b/bundles/telegraf-monitors-mikrotik/items.py
new file mode 100644
index 0000000..410e563
--- /dev/null
+++ b/bundles/telegraf-monitors-mikrotik/items.py
@@ -0,0 +1,9 @@
+files['/usr/local/bin/telegraf-plugin-snmp-mikrotik'] = {
+ 'mode': '0755',
+}
+
+pkg_pip['hnmp'] = {
+ 'before': {
+ 'svc_systemd:telegraf',
+ },
+}
diff --git a/bundles/telegraf-monitors-mikrotik/metadata.py b/bundles/telegraf-monitors-mikrotik/metadata.py
new file mode 100644
index 0000000..29d5c08
--- /dev/null
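Review bot: The `print(row)` at the top of the `for row in table.rows:` loop writes a Python dict repr to stdout, which telegraf's exec input will try to parse as influx line protocol (the bundle's metadata sets `'data_format': 'influx'`), so every poll of a switch with PoE ports presumably ends in a parse error; it looks like leftover debugging and should go before this ships. The script also indexes `argv[1]`..`argv[3]` without checking `len(argv)`, so a misconfigured command dies with an IndexError traceback instead of a usage message — `if len(argv) != 4: raise SystemExit('usage: telegraf-plugin-snmp-mikrotik NAME HOST COMMUNITY')` at the top would make that obvious in telegraf's log. Note that the SNMP community arrives on the command line; see the note on the metadata.py hunk below for why that matters.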
+++ b/bundles/telegraf-monitors-mikrotik/metadata.py @@ -0,0 +1,22 @@ +@metadata_reactor.provides( + 'telegraf/input_plugins/exec', +) +def collect_nodes(metadata): + execs = {} + + for rnode in repo.nodes_in_group('switches-mikrotik'): + snmp_pw = rnode.metadata.get('routeros/snmp/community', 'public') + + execs[f'snmp_mikrotik_{rnode.name}'] = { + 'commands': [f'/usr/local/bin/telegraf-plugin-snmp-mikrotik {rnode.name} {rnode.hostname} {snmp_pw}'], + 'data_format': 'influx', + 'timeout': '30s', + } + + return { + 'telegraf': { + 'input_plugins': { + 'exec': execs, + }, + }, + } diff --git a/nodes/htz-cloud/influxdb.py b/nodes/htz-cloud/influxdb.py index 1125952..8a8d884 100644 --- a/nodes/htz-cloud/influxdb.py +++ b/nodes/htz-cloud/influxdb.py @@ -3,6 +3,7 @@ nodes['htz-cloud.influxdb'] = { 'bundles': { 'grafana', 'influxdb2', + 'telegraf-monitors-mikrotik', 'zfs', }, 'groups': { @@ -68,12 +69,6 @@ nodes['htz-cloud.influxdb'] = { 'input_plugins': { 'builtin': { 'snmp': [ - { - 'agents': ['udp://172.19.138.4'], - 'agent_host_tag': 'host', - 'table': [{'oid': 'IF-MIB::ifTable'}], - 'interval': '10s', - }, { 'agents': ['udp://172.19.138.3'], 'agent_host_tag': 'host', From 68c4ee9482d43fc55772c33d2f54281c23848f61 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sat, 1 Apr 2023 07:08:32 +0200 Subject: [PATCH 122/996] update element-web to 1.11.28 --- nodes/htz-cloud/miniserver.py | 2 +- nodes/rx300.py | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/nodes/htz-cloud/miniserver.py b/nodes/htz-cloud/miniserver.py index 970f939..ff82059 100644 --- a/nodes/htz-cloud/miniserver.py +++ b/nodes/htz-cloud/miniserver.py @@ -62,7 +62,7 @@ nodes['htz-cloud.miniserver'] = { }, 'element-web': { 'url': 'chat.sophies-kitchen.eu', - 'version': 'v1.11.26', + 'version': 'v1.11.28', 'config': { 'default_server_config': { 'm.homeserver': { diff --git a/nodes/rx300.py b/nodes/rx300.py index 293d86f..b1ad5ee 100644 --- a/nodes/rx300.py +++ b/nodes/rx300.py 
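Review bot: The SNMP community string is interpolated into the exec command line (`{snmp_pw}` in `'commands'`), so on the telegraf host it is visible to every local user via `ps` or `/proc/*/cmdline` while each poll runs, and it also lands in telegraf's generated config file; a community string is effectively the switch's password, read-only or read-write depending on the RouterOS side. Letting the plugin read it from a file readable only by the telegraf user, or from the process environment, would keep it out of the process list — I can't see the telegraf bundle's config-file permissions from this diff, so that part needs checking separately. The `'public'` fallback in `rnode.metadata.get('routeros/snmp/community', 'public')` also silently polls with the default community whenever a switch has none configured; dropping the default, `snmp_pw = rnode.metadata.get('routeros/snmp/community')`, makes a missing value fail at config-generation time instead of at 3 a.m. in the graphs.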
@@ -104,7 +104,7 @@ nodes['rx300'] = { }, 'element-web': { 'url': 'chat.franzi.business', - 'version': 'v1.11.26', + 'version': 'v1.11.28', 'config': { 'default_server_config': { 'm.homeserver': { From e573f42730fa44c33b24469936bb07336e36d91c Mon Sep 17 00:00:00 2001 From: Sophie Schiller Date: Sun, 2 Apr 2023 12:06:44 +0200 Subject: [PATCH 123/996] htz-cloud.miniserver: remove nonfunctional dimension --- .../htz-cloud.miniserver/matrix-dimension | 1 - nodes/htz-cloud/miniserver.py | 24 ------------------- 2 files changed, 25 deletions(-) delete mode 100644 data/nginx/files/extras/htz-cloud.miniserver/matrix-dimension diff --git a/data/nginx/files/extras/htz-cloud.miniserver/matrix-dimension b/data/nginx/files/extras/htz-cloud.miniserver/matrix-dimension deleted file mode 100644 index e13c482..0000000 --- a/data/nginx/files/extras/htz-cloud.miniserver/matrix-dimension +++ /dev/null @@ -1 +0,0 @@ -add_header Content-Security-Policy "frame-ancestors 'self' chat.sophies-kitchen.eu"; diff --git a/nodes/htz-cloud/miniserver.py b/nodes/htz-cloud/miniserver.py index ff82059..90299a4 100644 --- a/nodes/htz-cloud/miniserver.py +++ b/nodes/htz-cloud/miniserver.py @@ -4,7 +4,6 @@ nodes['htz-cloud.miniserver'] = { 'bundles': { 'element-web', 'hedgedoc', - 'matrix-dimension', 'matrix-media-repo', 'matrix-synapse', 'nodejs', @@ -72,11 +71,6 @@ nodes['htz-cloud.miniserver'] = { }, 'brand': 'sophies-kitchen.eu', 'showLabsSettings': True, - 'integrations_ui_url': 'https://dimension.sophies-kitchen.eu/riot', - 'integrations_rest_url': 'https://dimension.sophies-kitchen.eu/api/v1/scalar', - 'integrations_widgets_urls': { - 'https://dimension.sophies-kitchen.eu/widgets' - }, 'default_theme': 'dark', 'defaultCountryCode': 'DE', 'jitsi': { 
@@ -118,21 +112,6 @@ nodes['htz-cloud.miniserver'] = { }, }, }, - 'matrix-dimension': { - 'url': 'dimension.sophies-kitchen.eu', - 'version': 'c6d047c', # XXX master is broken as of 2021-11-27 - 'homeserver': { - 'name': 'sophies-kitchen.eu', - 'clientServerUrl': 'https://matrix.sophies-kitchen.eu', - 'accessToken': vault.decrypt('encrypt$gAAAAABg4btB0KGk068ahGZzR0w_Lm1bj1wUbB2WfNNs2bp3PwM4Ftp6MjQnrF-CejZfrF0NjPJw9Z4MrgileHP0sVw04mvgKSHfTf8gv4kTB6WuCIxHeMWHUDx00LTWL73fSlhCK0o1'), - }, - 'admins': [ - '@sophie:sophies-kitchen.eu', - ], - 'telegram': { - 'botToken': vault.decrypt('encrypt$gAAAAABg4bcQVzBF_iXdDtjRQD-O37GHdbHwWXyhCLPOuJLbv3ezUeXKR203hkCXkjfItSHi4NiTEgQPadDZTRkavaRpvAoaQV1a4srCS_Y-NU4RiOmkrVFJ_Xhw6UZvwjQUQ0QPOx9t'), - }, - }, 'matrix-media-repo': { 'version': 'v1.2.13', 'sha1': '0915bdf7c461368859180419d1f66717969cbe32', @@ -193,9 +172,6 @@ nodes['htz-cloud.miniserver'] = { }, 'nginx': { 'vhosts': { - 'matrix-dimension': { - 'extras': True, - }, 'sophies-kitchen.eu': { 'webroot': '/var/www/sophies-kitchen.eu/_site/', 'extras': True, From d7d46c2681920f530bba1d4c341e0418d34d3414 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Mon, 3 Apr 2023 18:39:14 +0200 Subject: [PATCH 124/996] rx300: update travelynx to 1.30.11 --- nodes/rx300.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nodes/rx300.py b/nodes/rx300.py index b1ad5ee..5b054ae 100644 --- a/nodes/rx300.py +++ b/nodes/rx300.py @@ -522,7 +522,7 @@ nodes['rx300'] = { }, }, 'travelynx': { - 'version': '1.30.9', + 'version': '1.30.11', 'mail_from': 'travelynx@franzi.business', 'domain': 'travelynx.franzi.business', }, From 2297f1dacf6614aa63a184c801e1d6f340d55d6c Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Mon, 3 Apr 2023 18:39:42 +0200 Subject: [PATCH 125/996] kunsi-p14s: more packages please --- nodes/kunsi-p14s.py | 3 +++ 1 file changed, 3 insertions(+) diff --git a/nodes/kunsi-p14s.py b/nodes/kunsi-p14s.py index a341c5b..bd0dd03 100644 --- a/nodes/kunsi-p14s.py 
+++ b/nodes/kunsi-p14s.py @@ -103,9 +103,12 @@ nodes['kunsi-p14s'] = { 'claws-mail-themes': {}, 'ferdi-bin': {}, 'gumbo-parser': {}, # for claws litehtml + 'inkstitch': {}, # for RZL embroidery machine + 'obs-studio': {}, 'perl-musicbrainz-discid': {}, # for abcde 'perl-webservice-musicbrainz': {}, # for abcde 'sdl_ttf': {}, # for compiling testcard + 'x32edit': {}, }, }, 'sysctl': { From 95d5c0cfc81ba099473d90eadd6de17b5d028193 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 9 Apr 2023 12:09:28 +0200 Subject: [PATCH 126/996] bundles/ntfy: update config to more recent version --- bundles/ntfy/files/server.yml | 69 ++++++++++++++++++++++++++++---- bundles/ntfy/items.py | 74 ++++++++++++++++++++--------------- 2 files changed, 104 insertions(+), 39 deletions(-) diff --git a/bundles/ntfy/files/server.yml b/bundles/ntfy/files/server.yml index 8add6f3..f4693a8 100644 --- a/bundles/ntfy/files/server.yml +++ b/bundles/ntfy/files/server.yml @@ -11,7 +11,7 @@ # - iOS push notifications for self-hosted servers (to calculate the Firebase poll_request topic) # - Matrix Push Gateway (to validate that the pushkey is correct) # -base-url: "https://${node.metadata.get('ntfy/domain', 'ntfy')}" +base-url: "https://${node.metadata.get('ntfy/domain')}" # Listen address for the HTTP & HTTPS web server. If "listen-https" is set, you must also # set "key-file" and "cert-file". Format: []:, e.g. "1.2.3.4:8080". @@ -93,7 +93,7 @@ auth-default-access: "write-only" # WARNING: If you are behind a proxy, you must set this, otherwise all visitors are rate limited # as if they are one. # -# behind-proxy: false +behind-proxy: true # If enabled, clients can attach files to notifications as attachments. Minimum settings to enable attachments # are "attachment-cache-dir" and "base-url". 
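Review bot: `behind-proxy: true` makes ntfy take the visitor address from `X-Forwarded-For` instead of the connection's remote address (the file's own comment above this hunk says so), which is only safe while ntfy's listener is reachable exclusively through the reverse proxy; if `listen-http` is bound to a non-loopback address, any client can forge the header to impersonate another visitor, including the hosts exempted from rate limiting by the `visitor-request-limit-exempt-hosts` hunk on the next line. I can't see the listen address from this diff, so this may already be fine, but pinning it to loopback (or a proxy-only interface) in the same template and recording the assumption next to the setting, e.g. `# behind-proxy trusts X-Forwarded-For: listen-http must only be reachable via the local reverse proxy`, would keep the two settings from drifting apart.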
@@ -153,6 +153,17 @@ manager-interval: "1m" # # web-root: app +# Various feature flags used to control the web app, and API access, mainly around user and +# account management. +# +# - enable-signup allows users to sign up via the web app, or API +# - enable-login allows users to log in via the web app, or API +# - enable-reservations allows users to reserve topics (if their tier allows it) +# +enable-signup: false +enable-login: true +enable-reservations: false + # Server URL of a Firebase/APNS-connected ntfy server (likely "https://ntfy.sh"). # # iOS users: @@ -181,7 +192,7 @@ visitor-subscription-limit: 64 # visitor-request-limit-burst: 60 visitor-request-limit-replenish: "5s" -visitor-request-limit-exempt-hosts: "localhost" +visitor-request-limit-exempt-hosts: "${','.join(sorted(ratelimit_exempt_hosts))}" # Rate limiting: Allowed emails per visitor: # - visitor-email-limit-burst is the initial bucket of emails each visitor has 
@@ -190,12 +201,54 @@ visitor-request-limit-exempt-hosts: "localhost" # visitor-email-limit-burst: 16 # visitor-email-limit-replenish: "1h" -# Rate limiting: Attachment size and bandwidth limits per visitor: -# - visitor-attachment-total-size-limit is the total storage limit used for attachments per visitor -# - visitor-attachment-daily-bandwidth-limit is the total daily attachment download/upload traffic limit per visitor +# Rate limiting: Enable subscriber-based rate limiting (mostly used for UnifiedPush) # -# visitor-attachment-total-size-limit: "100M" -# visitor-attachment-daily-bandwidth-limit: "500M" +# If enabled, subscribers may opt to have published messages counted against their own rate limits, as opposed +# to the publisher's rate limits. This is especially useful to increase the amount of messages that high-volume +# publishers (e.g. Matrix/Mastodon servers) are allowed to send. +# +# Once enabled, a client may send a "Rate-Topics: ,,..." header when subscribing to topics via +# HTTP stream, or websockets, thereby registering itself as the "rate visitor", i.e. the visitor whose rate limits +# to use when publishing on this topic. Note: Setting the rate visitor requires READ-WRITE permission on the topic. +# +# UnifiedPush only: If this setting is enabled, publishing to UnifiedPush topics will lead to a HTTP 507 response if +# no "rate visitor" has been previously registered. This is to avoid burning the publisher's "visitor-message-daily-limit". +# +# visitor-subscriber-rate-limiting: false + +# Payments integration via Stripe +# +# - stripe-secret-key is the key used for the Stripe API communication. Setting this values +# enables payments in the ntfy web app (e.g. Upgrade dialog). See https://dashboard.stripe.com/apikeys. +# - stripe-webhook-key is the key required to validate the authenticity of incoming webhooks from Stripe. +# Webhooks are essential up keep the local database in sync with the payment provider. 
See https://dashboard.stripe.com/webhooks. +# - billing-contact is an email address or website displayed in the "Upgrade tier" dialog to let people reach +# out with billing questions. If unset, nothing will be displayed. +# +# stripe-secret-key: +# stripe-webhook-key: +# billing-contact: + +# Metrics +# +# ntfy can expose Prometheus-style metrics via a /metrics endpoint, or on a dedicated listen IP/port. +# Metrics may be considered sensitive information, so before you enable them, be sure you know what you are +# doing, and/or secure access to the endpoint in your reverse proxy. +# +# - enable-metrics enables the /metrics endpoint for the default ntfy server (i.e. HTTP, HTTPS and/or Unix socket) +# - metrics-listen-http exposes the metrics endpoint via a dedicated [IP]:port. If set, this option implicitly +# enables metrics as well, e.g. "10.0.1.1:9090" or ":9090" +# +# enable-metrics: false +# metrics-listen-http: + +# Profiling +# +# ntfy can expose Go's net/http/pprof endpoints to support profiling of the ntfy server. If enabled, ntfy will listen +# on a dedicated listen IP/port, which can be accessed via the web browser on http://:/debug/pprof/. +# This can be helpful to expose bottlenecks, and visualize call flows. See https://pkg.go.dev/net/http/pprof for details. +# +# profile-listen-http: # Log level, can be TRACE, DEBUG, INFO, WARN or ERROR # This option can be hot-reloaded by calling "kill -HUP $pid" or "systemctl reload ntfy". diff --git a/bundles/ntfy/items.py b/bundles/ntfy/items.py index d9a93bb..c3437be 100644 --- a/bundles/ntfy/items.py +++ b/bundles/ntfy/items.py 
@@ -1,43 +1,55 @@ +ratelimit_exempt_hosts = set() -files = { - '/etc/ntfy/server.yml': { - 'content_type': 'mako', - 'needs': { - 'pkg_apt:ntfy', - }, - 'triggers': { - 'svc_systemd:ntfy:restart', - }, +for identifier in node.metadata.get('ntfy/ratelimit-exempt-hosts', set()): + ips = repo.libs.tools.resolve_identifier(repo, identifier) + ratelimit_exempt_hosts |= {str(ip) for ip in ips['ipv4']} + ratelimit_exempt_hosts |= {str(ip) for ip in ips['ipv6']} + + +files['/etc/ntfy/server.yml'] = { + 'content_type': 'mako', + 'context': { + 'ratelimit_exempt_hosts': ratelimit_exempt_hosts, + }, + 'after': { + 'pkg_apt:ntfy', + }, + 'triggers': { + 'svc_systemd:ntfy:restart', }, } -directories = { - '/opt/ntfy': {}, - '/var/lib/ntfy': { - 'owner': 'ntfy', - 'group': 'ntfy', - }, - '/var/cache/ntfy': { - 'owner': 'ntfy', - 'group': 'ntfy', - }, - '/var/opt/ntfy': { - 'owner': 'ntfy', - 'group': 'ntfy', +directories['/var/lib/ntfy'] = { + 'owner': 'ntfy', + 'group': 'ntfy', + 'before': { + 'pkg_apt:ntfy', }, } -svc_systemd = { - 'ntfy': { - 'needs': { - 'file:/etc/ntfy/server.yml', - 'pkg_apt:ntfy', - }, +directories['/var/cache/ntfy'] = { + 'owner': 'ntfy', + 'group': 'ntfy', + 'before': { + 'pkg_apt:ntfy', }, } -users = { - 'ntfy': { - 'home': '/opt/ntfy', +directories['/var/opt/ntfy'] = { + 'owner': 'ntfy', + 'group': 'ntfy', + 'before': { + 'pkg_apt:ntfy', }, } + +svc_systemd['ntfy'] = { + 'needs': { + 'file:/etc/ntfy/server.yml', + 'pkg_apt:ntfy', + }, +} + +users['ntfy'] = { + 'home': '/var/lib/ntfy', +} From 3e497c35451f29acbaafd2047c1a493c31a7186e Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 9 Apr 2023 12:10:04 +0200 Subject: [PATCH 127/996] rx300: install ntfy --- nodes/rx300.py | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/nodes/rx300.py b/nodes/rx300.py index 5b054ae..53ac989 100644 --- a/nodes/rx300.py +++ b/nodes/rx300.py 
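Review bot: The three `directories[...]` items for `/var/lib/ntfy`, `/var/cache/ntfy` and `/var/opt/ntfy` are identical apart from the path, so the `'before': {'pkg_apt:ntfy'}` ordering and the owner/group have to be kept in sync by hand; a loop over the three paths states the intent once. The resolver loop also assumes `resolve_identifier` always returns both `'ipv4'` and `'ipv6'` keys — `repo.libs.tools` is outside this diff, so confirm an identifier without addresses of one family yields an empty collection rather than a KeyError during `bw apply`.
```python
# … unchanged: ratelimit_exempt_hosts resolution and files['/etc/ntfy/server.yml'] …

for path in ('/var/lib/ntfy', '/var/cache/ntfy', '/var/opt/ntfy'):
    directories[path] = {
        'owner': 'ntfy',
        'group': 'ntfy',
        'before': {
            'pkg_apt:ntfy',
        },
    }

# … unchanged: svc_systemd['ntfy'] and users['ntfy'] …
```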
@@ -24,6 +24,7 @@ nodes['rx300'] = { 'mx-puppet-discord', 'netbox', 'nodejs', + 'ntfy', 'oidentd', 'php', 'postfixadmin', @@ -332,6 +333,7 @@ nodes['rx300'] = { 'matrix-synapse': {'ssl': '_.franzi.business'}, 'miniflux': {'ssl': '_.franzi.business'}, 'netbox': {'ssl': '_.franzi.business'}, + 'ntfy': {'ssl': '_.franzi.business'}, 'radicale': {'ssl': '_.franzi.business'}, 'travelynx': {'ssl': '_.franzi.business'}, 'daskritzelt-redirect': { @@ -412,6 +414,13 @@ nodes['rx300'] = { }, 'worker_processes': 8, }, + 'ntfy': { + 'domain': 'ntfy.franzi.business', + 'ratelimit-exempt-hosts': { + 'ovh.icinga2', + 'rx300', + }, + }, 'oidentd': { 'allows': { 'kunsi': { From 4d4640162906641f62ea66d110aa2cb46396d879 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 9 Apr 2023 12:10:17 +0200 Subject: [PATCH 128/996] bump bundlewrap --- requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.txt b/requirements.txt index eaec252..48687b3 100644 --- a/requirements.txt +++ b/requirements.txt @@ -1,3 +1,3 @@ -bundlewrap~=4.16.0 +bundlewrap>=4.16.0 PyNaCl bundlewrap-pass From 5ff46edd8c5275ad33a81be941d64365aa05b614 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 9 Apr 2023 12:10:29 +0200 Subject: [PATCH 129/996] voc.infobeamer-cms: prepare for easterhegg --- nodes/voc/infobeamer-cms.py | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/nodes/voc/infobeamer-cms.py b/nodes/voc/infobeamer-cms.py index ef285c8..3240d1a 100644 --- a/nodes/voc/infobeamer-cms.py +++ b/nodes/voc/infobeamer-cms.py @@ -27,8 +27,8 @@ nodes['voc.infobeamer-cms'] = { }, 'infobeamer-cms': { 'domain': 'infobeamer-cms.c3voc.de', - 'event_start_date': '2022-07-22', - 'event_duration_days': 5, + 'event_start_date': '2023-04-07', + 'event_duration_days': 4, 'config': { 'ADMIN_USERS': [ 'kunsi', 
@@ -43,7 +43,9 @@ nodes['voc.infobeamer-cms'] = { 'MQTT_SERVER': 'mqtt.c3voc.de', 'MQTT_TOPIC': '/voc/alert', 'MQTT_USERNAME': vault.decrypt('encrypt$gAAAAABhxakKHC_kHmHP2mFHorb4niuNTH4F24w1D6m5JUxl117N7znlZA6fpMmY3_NcmBr2Ihw4hL3FjZr9Fm_1oUZ1ZQdADA=='), - 'SETUP_IDS': [220674], + 'SETUP_IDS': [ + 240569, + ], }, 'rooms': { 'infobeamer stream': 23541, From f17117d6409ea2eeb3ff8f413b1ed7a60dde0b79 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 9 Apr 2023 12:24:03 +0200 Subject: [PATCH 130/996] add hooks/test_apply_dummy_mode --- hooks/test_apply_dummy_mode.py | 7 +++++++ 1 file changed, 7 insertions(+) create mode 100644 hooks/test_apply_dummy_mode.py diff --git a/hooks/test_apply_dummy_mode.py b/hooks/test_apply_dummy_mode.py new file mode 100644 index 0000000..cd8c78c --- /dev/null +++ b/hooks/test_apply_dummy_mode.py @@ -0,0 +1,7 @@ +from os import environ + +from bundlewrap.exceptions import SkipNode + +def node_apply_start(repo, node, interactive=False, **kwargs): + if environ.get('BW_VAULT_DUMMY_MODE') or environ.get('BW_PASS_DUMMY_MODE'): + raise SkipNode('refusing apply because dummy mode is active') From c6cf99710281cf144cd664c469021c179b89e8ce Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 9 Apr 2023 12:24:23 +0200 Subject: [PATCH 131/996] bundles/ntfy: add option to disable unauthorized writes --- bundles/ntfy/files/server.yml | 4 ++++ bundles/ntfy/metadata.py | 3 +++ nodes/htz-cloud/miniserver.py | 1 + 3 files changed, 8 insertions(+) diff --git a/bundles/ntfy/files/server.yml b/bundles/ntfy/files/server.yml index f4693a8..babb90b 100644 --- a/bundles/ntfy/files/server.yml +++ b/bundles/ntfy/files/server.yml 
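Review bot: `node_apply_start` is a safety interlock and has no docstring saying so; one line would do, `"""Refuse `bw apply` while vault/pass dummy mode is active, so placeholder secrets are never deployed to a node."""`. The condition treats any non-empty value of `BW_VAULT_DUMMY_MODE` / `BW_PASS_DUMMY_MODE` as "dummy mode on", which errs on the safe side, but if bundlewrap's own check is stricter (it may compare against `"0"` — verify against the bundlewrap version pinned in requirements.txt), an operator who exports `BW_VAULT_DUMMY_MODE=0` to turn it off would still be refused here; either mirror bundlewrap's exact test or state the difference in the docstring.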
@@ -85,7 +85,11 @@ cache-startup-queries: | # ntfy user and group by running: chown ntfy.ntfy . # auth-file: "/var/lib/ntfy/user.db" +% if node.metadata.get('ntfy/allow_unauthorized_write'): auth-default-access: "write-only" +% else: +auth-default-access: "deny-all" +% endif # If set, the X-Forwarded-For header is used to determine the visitor IP address # instead of the remote address of the connection. diff --git a/bundles/ntfy/metadata.py b/bundles/ntfy/metadata.py index a49ae55..f2e303f 100644 --- a/bundles/ntfy/metadata.py +++ b/bundles/ntfy/metadata.py @@ -19,6 +19,9 @@ defaults = { "/var/opt/ntfy", }, }, + 'ntfy': { + 'allow_unauthorized_write': False, + }, 'zfs': { 'datasets': { 'tank/ntfy': {}, diff --git a/nodes/htz-cloud/miniserver.py b/nodes/htz-cloud/miniserver.py index ff82059..3d4d33e 100644 --- a/nodes/htz-cloud/miniserver.py +++ b/nodes/htz-cloud/miniserver.py @@ -225,6 +225,7 @@ nodes['htz-cloud.miniserver'] = { }, 'ntfy': { 'domain': 'ntfy.sophies-kitchen.eu', + 'allow_unauthorized_write': True, }, 'postgresql': { 'version': '11', From 25aabad865da8874c628e1fa6c6f2867126dcac3 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 9 Apr 2023 14:36:14 +0200 Subject: [PATCH 132/996] voc.infobeamer-cms: add jwacalex --- nodes/voc/infobeamer-cms.py | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/nodes/voc/infobeamer-cms.py b/nodes/voc/infobeamer-cms.py index 3240d1a..afc24e8 100644 --- a/nodes/voc/infobeamer-cms.py +++ b/nodes/voc/infobeamer-cms.py 
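Review bot: The meaning of `allow_unauthorized_write` is not documented anywhere in this change: with `"write-only"` any unauthenticated client can publish to every topic on the instance, while `"deny-all"` (the new default) requires credentials for everything. A comment next to the default in the metadata.py hunk, such as `# True: anonymous clients may publish to any topic (auth-default-access "write-only"); False: deny-all`, makes the exposure visible to whoever flips it, and a matching `# see ntfy/allow_unauthorized_write in bundles/ntfy/metadata.py` above the `% if` ties the template back to it. Defaulting to deny-all is the right call, but it will lock out existing anonymous publishers on any node that does not set the flag, which is worth stating where the option is documented.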
@@ -31,9 +31,10 @@ nodes['voc.infobeamer-cms'] = { 'event_duration_days': 4, 'config': { 'ADMIN_USERS': [ + 'hexchen', + 'jwacalex', 'kunsi', 'sophieschi', - 'hexchen', ], 'GITHUB_CLIENT_ID': vault.decrypt('encrypt$gAAAAABiNwHfIu9PYFfJrF7qirn_9vdvvUlEhJnadoNSS5XlCDbI_aMyj21_ZYQxaCkc6_eVX6Cj1jEHZ7Vs6wM-XyQdW0nUOahtqG4uvnYCiM3GFKHW_wQ='), 'GITHUB_CLIENT_SECRET': vault.decrypt('encrypt$gAAAAABiNwHtdZC2XQ8IjosL7vsmrxZMwDIM6AD5dUlLo996tJs4qV7KJETHgYYZil2aMzClwhcE6JmxdhARRp7IJQ4rQQibelTNmyYSzj_V4puVpvma7SU0UZkTIG95SdPpoHY--Zba'), From b3e490720ed484e33211b4f9e2168a08a2729c38 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 9 Apr 2023 17:32:36 +0200 Subject: [PATCH 133/996] bundles/icinga2: add notification support via ntfy --- .../files/check_sipgate_account_balance | 7 +- .../files/scripts/icinga_notification_wrapper | 74 ++++++++++++------- bundles/icinga2/items.py | 17 ++++- libs/faults.py | 8 ++ nodes/ovh/icinga2.py | 11 ++- 5 files changed, 81 insertions(+), 36 deletions(-) diff --git a/bundles/icinga2/files/check_sipgate_account_balance b/bundles/icinga2/files/check_sipgate_account_balance index 843dfd9..65054ba 100644 --- a/bundles/icinga2/files/check_sipgate_account_balance +++ b/bundles/icinga2/files/check_sipgate_account_balance @@ -1,16 +1,17 @@ #!/usr/bin/env python3 +from json import load from sys import exit from requests import get -SIPGATE_USER = '${node.metadata['icinga2']['sipgate_user']}' -SIPGATE_PASS = '${node.metadata['icinga2']['sipgate_pass']}' +with open('/etc/icinga2/notification_config.json') as f: + CONFIG = load(f) try: r = get( 'https://api.sipgate.com/v2/balance', - auth=(SIPGATE_USER, SIPGATE_PASS), + auth=(CONFIG['sipgate']['user'], CONFIG['sipgate']['password']), headers={'Accept': 'application/json'}, ) diff --git a/bundles/icinga2/files/scripts/icinga_notification_wrapper b/bundles/icinga2/files/scripts/icinga_notification_wrapper index 72ab749..66a9f5b 100644 --- a/bundles/icinga2/files/scripts/icinga_notification_wrapper 
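Review bot: The new `with open('/etc/icinga2/notification_config.json') as f:` runs unguarded at import time, so when the file is missing or not readable by the user icinga2 runs plugins as, the check dies with a traceback and exit status 1, which Icinga reports as WARNING with an unhelpful message instead of UNKNOWN; the notification wrapper on the next line has the same pattern. Catching `OSError` and exiting 3 with a one-line message keeps the failure correctly classified. Whether the check user can read the file at all depends on the mode the items.py hunk gives it, and that hunk sets none.
```python
from json import load
from sys import exit
# … unchanged: requests import …

try:
    with open('/etc/icinga2/notification_config.json') as f:
        CONFIG = load(f)
except OSError as e:
    print('UNKNOWN: cannot read /etc/icinga2/notification_config.json: {}'.format(e))
    exit(3)

# … unchanged: balance request …
```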
+++ b/bundles/icinga2/files/scripts/icinga_notification_wrapper @@ -3,22 +3,14 @@ import email.mime.text import smtplib from argparse import ArgumentParser -from json import dumps +from json import dumps, load from subprocess import run from sys import argv from requests import post -SIPGATE_USER='${node.metadata['icinga2']['sipgate_user']}' -SIPGATE_PASS='${node.metadata['icinga2']['sipgate_pass']}' - -STATUS_TO_EMOJI = { - 'critical': '🔥', - 'down': '🚨🚨🚨', - 'ok': '🆗', - 'up': '👌', - 'warning': '⚡', -} +with open('/etc/icinga2/notification_config.json') as f: + CONFIG = load(f) parser = ArgumentParser( prog='icinga_notification_wrapper', @@ -73,36 +65,31 @@ def notify_per_sms(): output_text = '' else: output_text = '\n\n{}'.format(args.output) - if args.state.lower() in STATUS_TO_EMOJI: - message_text = '{emoji} {host}{service} {emoji}{output}'.format( - emoji=STATUS_TO_EMOJI[args.state.lower()], - host=args.host_name, - service=('/'+args.service_name if args.service_name else ''), - state=args.state.upper(), - output=output_text, - ) - else: - message_text = 'ICINGA: {host}{service} is {state}{output}'.format( - host=args.host_name, - service=('/'+args.service_name if args.service_name else ''), - state=args.state.upper(), - output=output_text, - ) + + message_text = 'ICINGA: {host}{service} is {state}{output}'.format( + host=args.host_name, + service=('/'+args.service_name if args.service_name else ''), + state=args.state.upper(), + output=output_text, + ) + message = { 'message': message_text, 'smsId': 's0', # XXX what does this mean? Documentation is unclear 'recipient': args.sms } + headers = { 'Content-type': 'application/json', 'Accept': 'application/json' } + try: r = post( 'https://api.sipgate.com/v2/sessions/sms', json=message, headers=headers, - auth=(SIPGATE_USER, SIPGATE_PASS), + auth=(CONFIG['sipgate']['user'], CONFIG['sipgate']['password']), ) if r.status_code == 204: 
@@ -113,6 +100,37 @@ def notify_per_sms(): log_to_syslog('Sending a SMS to "{}" failed: {}'.format(args.sms, repr(e))) +def notify_per_ntfy(): + message_text = 'ICINGA: {host}{service} is {state}\n\n{output}'.format( + host=args.host_name, + service=('/'+args.service_name if args.service_name else ''), + state=args.state.upper(), + output=args.output, + ) + + if args.service_name: + subject = '[ICINGA] {}/{}'.format(args.host_name, args.service_name) + else: + subject = '[ICINGA] {}'.format(args.host_name) + + headers = { + 'Title': subject, + 'Priority': 'urgent', + } + + try: + r = post( + CONFIG['ntfy']['url'], + data=message_text, + headers=headers, + auth=(CONFIG['ntfy']['user'], CONFIG['ntfy']['password']), + ) + + r.raise_for_status() + except Exception as e: + log_to_syslog('Sending a Notification failed: {}'.format(repr(e))) + + def notify_per_mail(): if args.notification_type.lower() == 'recovery': # Do not send recovery emails. @@ -177,3 +195,5 @@ if __name__ == '__main__': if args.sms: notify_per_sms() + if CONFIG['ntfy']['user']: + notify_per_ntfy() diff --git a/bundles/icinga2/items.py b/bundles/icinga2/items.py index 1a42e70..ff763a2 100644 --- a/bundles/icinga2/items.py +++ b/bundles/icinga2/items.py @@ -76,8 +76,6 @@ files = { }, '/usr/local/share/icinga/plugins/check_sipgate_account_balance': { 'mode': '0755', - 'content_type': 'mako', - 'cascade_skip': False, # contains faults }, '/usr/local/share/icinga/plugins/check_freifunk_node': { 'mode': '0755', 
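Review bot: `post(CONFIG['ntfy']['url'], ...)` in `notify_per_ntfy` has no `timeout`, so an unreachable ntfy server can hang the notification command indefinitely (requests has no default timeout), and `data=message_text` passes a `str`, which as far as I know is encoded as ISO-8859-1 on the wire and raises `UnicodeEncodeError` for check output containing characters outside that set; `data=message_text.encode('utf-8'),` plus `timeout=10,` covers both. Every notification is also sent with `'Priority': 'urgent'`, recoveries included, which presumably defeats the purpose of ntfy priorities — deriving it from `args.state`, or at least lowering it when `args.notification_type` is a recovery as `notify_per_mail` already special-cases, would be more useful. The `except Exception` catch-all matches `notify_per_sms`, which is acceptable for a best-effort notifier.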
@@ -114,11 +112,22 @@ files = { 'svc_systemd:icinga2:restart', }, }, + '/etc/icinga2/notification_config.json': { + 'content': repo.libs.faults.dict_as_json({ + 'sipgate': { + 'user': node.metadata.get('icinga2/sipgate/user'), + 'password': node.metadata.get('icinga2/sipgate/pass'), + }, + 'ntfy': { + 'url': node.metadata.get('icinga2/ntfy/url'), + 'user': node.metadata.get('icinga2/ntfy/user'), + 'password': node.metadata.get('icinga2/ntfy/pass'), + }, + }), + }, '/etc/icinga2/scripts/icinga_notification_wrapper': { 'source': 'scripts/icinga_notification_wrapper', - 'content_type': 'mako', 'mode': '0755', - 'cascade_skip': False, # contains faults }, '/etc/icinga2/features-available/ido-pgsql.conf': { 'source': 'icinga2/ido-pgsql.conf', diff --git a/libs/faults.py b/libs/faults.py index 91d8b2f..8990b64 100644 --- a/libs/faults.py +++ b/libs/faults.py @@ -37,3 +37,11 @@ def join_faults(faults, by=' '): lambda o: by.join([i.value for i in o]), o=result, ) + + +def dict_as_json(json): + return Fault( + 'dict_as_json', + lambda o: metadata_to_json(o) + '\n', + o=json + ) diff --git a/nodes/ovh/icinga2.py b/nodes/ovh/icinga2.py index 1c930be..0de9a46 100644 --- a/nodes/ovh/icinga2.py +++ b/nodes/ovh/icinga2.py 
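Review bot: `/etc/icinga2/notification_config.json` now holds the sipgate token and the ntfy password, but the item sets no `mode`, `owner` or `group`, so it gets bundlewrap's defaults (root-owned and world-readable unless this repo overrides them — verify), and every local account on the monitoring host can read both credentials, which is no improvement over the 0755 scripts they were removed from. Giving the file to the account icinga2 runs checks and notification commands as (`nagios` on Debian, confirm for this node) with `'owner': 'nagios', 'group': 'nagios', 'mode': '0400',` closes that. The `'cascade_skip': False, # contains faults` flag removed from the two script items is not carried over to the new JSON item even though `dict_as_json` wraps Faults, so if it existed to keep an apply going when a vault or pass secret is unavailable, the new item presumably needs it as well. In the libs/faults.py hunk, naming the parameter `json` shadows the stdlib module name, and `metadata_to_json` must already be imported at the top of that file, which is outside this diff.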
@@ -54,8 +54,15 @@ nodes['ovh.icinga2'] = { 'restrict-to': { '172.19.138.0/24', }, - 'sipgate_user': bwpass.attr('sipgate.de/hi@kunsmann.eu', 'icinga_tokenid'), - 'sipgate_pass': bwpass.attr('sipgate.de/hi@kunsmann.eu', 'icinga_token'), + 'sipgate': { + 'user': bwpass.attr('sipgate.de/hi@kunsmann.eu', 'icinga_tokenid'), + 'pass': bwpass.attr('sipgate.de/hi@kunsmann.eu', 'icinga_token'), + }, + 'ntfy': { + 'url': 'https://ntfy.franzi.business/icinga2', + 'user': vault.decrypt('encrypt$gAAAAABkMtfW_tyGDUh7TkVX6AN8wSkKixWcQiOrPUWHtDZqnzjqrAkfD40fD8M_PiPDvW5pAa6xHNcUSU34jHolxnC44rDiLw=='), + 'pass': vault.decrypt('encrypt$gAAAAABkMtfD8lenogwJc8uKeGZUQ8QVWHMpAqY_GLW3VhF3Jt0TOC4JiJn49qfaC9Ij5rw6GGsowNIsNBe1Ac83HXOLveANEU2o-O4fp5TxNF0xFWebCCtcaTkj_L2DjUbSUe8QVDn3'), + }, }, 'icinga2_api': { 'custom': { From f2e238d879c950dcd8cc37464a5f5a83b99a86e9 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Thu, 13 Apr 2023 17:50:26 +0200 Subject: [PATCH 134/996] update ALL the things --- nodes/htz-cloud/miniserver.py | 2 +- nodes/ns-primary.toml | 2 +- nodes/rx300.py | 8 ++++---- 3 files changed, 6 insertions(+), 6 deletions(-) diff --git a/nodes/htz-cloud/miniserver.py b/nodes/htz-cloud/miniserver.py index 42ce90b..57366e4 100644 --- a/nodes/htz-cloud/miniserver.py +++ b/nodes/htz-cloud/miniserver.py @@ -61,7 +61,7 @@ nodes['htz-cloud.miniserver'] = { }, 'element-web': { 'url': 'chat.sophies-kitchen.eu', - 'version': 'v1.11.28', + 'version': 'v1.11.29', 'config': { 'default_server_config': { 'm.homeserver': { diff --git a/nodes/ns-primary.toml b/nodes/ns-primary.toml index c2ef311..d75d4a7 100644 --- a/nodes/ns-primary.toml +++ b/nodes/ns-primary.toml @@ -36,7 +36,7 @@ secondary_nameservers = "dns" features.bind = true [metadata.powerdnsadmin] -version = "v0.4.0" +version = "v0.4.1" [metadata.vm] cpu = 2 diff --git a/nodes/rx300.py b/nodes/rx300.py index 53ac989..ec50efb 100644 --- a/nodes/rx300.py +++ b/nodes/rx300.py 
@@ -105,7 +105,7 @@ nodes['rx300'] = { }, 'element-web': { 'url': 'chat.franzi.business', - 'version': 'v1.11.28', + 'version': 'v1.11.29', 'config': { 'default_server_config': { 'm.homeserver': { @@ -128,8 +128,8 @@ nodes['rx300'] = { }, }, 'gitea': { - 'url': 'https://codeberg.org/attachments/7bd411b7-0e75-4e0f-89e3-9274cb9c0120', - 'sha1': 'c4b80feb8dcaa9d38612895cd9828dfa11b98333', + 'url': 'https://codeberg.org/attachments/fafff70e-5070-4d15-9422-e54162e9a70d', + 'sha1': '25fa55a9cc6f7d8f3ba0990bf6a0b36a8db09dc2', 'domain': 'git.franzi.business', 'email_domain_blocklist': { 'aol.com', @@ -306,7 +306,7 @@ nodes['rx300'] = { }, 'netbox': { 'domain': 'netbox.franzi.business', - 'version': 'v3.4.7', + 'version': 'v3.4.8', 'changelog_retention_days': 360, 'admins': { 'kunsi': 'hostmaster@kunbox.net', From d78102adb888e0e8bca8077a4e1a76f9620e0a39 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 23 Apr 2023 13:22:01 +0200 Subject: [PATCH 135/996] voc.pretalx: is bullseye now --- nodes/voc/pretalx.py | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/nodes/voc/pretalx.py b/nodes/voc/pretalx.py index e14a740..fa3d116 100644 --- a/nodes/voc/pretalx.py +++ b/nodes/voc/pretalx.py @@ -51,7 +51,7 @@ nodes['voc.pretalx'] = { }, }, 'pretalx': { - 'version': 'v2.3.2', + 'version': '60722c43cf975f319e94102e6bff320723776890', 'domain': 'pretalx.c3voc.de', 'mail_from': 'pretalx@c3voc.de', 'administrators-from-group-id': 1, @@ -75,10 +75,10 @@ nodes['voc.pretalx'] = { 'relayhost': 'mng.c3voc.de', }, 'postgresql': { - 'version': '11', + 'version': '13', }, }, 'os': 'debian', - 'os_version': (10,), + 'os_version': (11,), 'pip_command': 'pip3', } From ac8c1fd3f379684cb96c52723249bbdd582968e4 Mon Sep 17 00:00:00 2001 
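Review bot: Bumping `postgresql/version` from `'11'` to `'13'` together with `os_version` `(11,)` changes which cluster the bundle manages, but nothing in the hunk migrates the existing data directory; if the pg 11 data was moved with `pg_upgradecluster` out of band during the bullseye upgrade, that deserves a comment next to the value, e.g. `'version': '13',  # cluster upgraded from 11 with pg_upgradecluster during the bullseye upgrade`. The pretalx hunk just above pins `version` to a bare 40-character commit hash instead of a tag — good for reproducibility, but a short comment naming why that commit was chosen over a release would stop a future reader from "fixing" it back to a tag. `nodes['voc.pretalx']` starts outside this hunk.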
From: Franziska Kunsmann Date: Sun, 23 Apr 2023 15:13:50 +0200 Subject: [PATCH 136/996] ssl: bump _.franzi.business --- data/ssl/_.franzi.business.crt.pem | 36 ++++++++++++------------ data/ssl/_.franzi.business.key.pem.vault | 2 +- 2 files changed, 19 insertions(+), 19 deletions(-) diff --git a/data/ssl/_.franzi.business.crt.pem b/data/ssl/_.franzi.business.crt.pem index b55b2de..1d6dd80 100644 --- a/data/ssl/_.franzi.business.crt.pem +++ b/data/ssl/_.franzi.business.crt.pem 
@@ -1,27 +1,27 @@ -----BEGIN CERTIFICATE----- -MIIEijCCA3KgAwIBAgISA8l+oC4pMh1Q/UNiEPuiw39OMA0GCSqGSIb3DQEBCwUA +MIIEiTCCA3GgAwIBAgISA+1F527WpSDVi98NbLC6ggqZMA0GCSqGSIb3DQEBCwUA MDIxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQD -EwJSMzAeFw0yMzAxMjkwNDM5NTFaFw0yMzA0MjkwNDM5NTBaMBoxGDAWBgNVBAMT -D2ZyYW56aS5idXNpbmVzczB2MBAGByqGSM49AgEGBSuBBAAiA2IABMlQ1P5Y0aZ5 -vUzB4TAP8iIuiO3GJnYhnKrbe/Lz3gf6Ct9bGM4JLY3RI9xcSmol3sNKdVmbHMRe -z63GW4twSnS517axo6jcT0YQkFVyhWHvLnpBW42M1FpjzaDCbs74zKOCAl4wggJa +EwJSMzAeFw0yMzA0MjMxMjEzMzhaFw0yMzA3MjIxMjEzMzdaMBoxGDAWBgNVBAMT +D2ZyYW56aS5idXNpbmVzczB2MBAGByqGSM49AgEGBSuBBAAiA2IABNewrTbpJMY1 +fGAXh8dlMHkDYFFbLtRmQTuO1J8OyzpEiENZqmdtrLwnA9Z8w2Z6RrUtzDTm+aha +ATNAysRmZ2ZA0czi85GsDzG7PsGtHwMerp6P4SUuUGD8JLzfk4j4r6OCAl0wggJZ MA4GA1UdDwEB/wQEAwIHgDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIw -DAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQURw5+tfBU0aOBqfN40kz43fUcjx4wHwYD +DAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQU+AUyabSaDRaSUNlvCjZhXhqLbJowHwYD VR0jBBgwFoAUFC6zF7dYVsuuUAlA5h+vnYsUwsYwVQYIKwYBBQUHAQEESTBHMCEG CCsGAQUFBzABhhVodHRwOi8vcjMuby5sZW5jci5vcmcwIgYIKwYBBQUHMAKGFmh0 dHA6Ly9yMy5pLmxlbmNyLm9yZy8wLQYDVR0RBCYwJIIRKi5mcmFuemkuYnVzaW5l c3OCD2ZyYW56aS5idXNpbmVzczBMBgNVHSAERTBDMAgGBmeBDAECATA3BgsrBgEE AYLfEwEBATAoMCYGCCsGAQUFBwIBFhpodHRwOi8vY3BzLmxldHNlbmNyeXB0Lm9y -ZzCCAQUGCisGAQQB1nkCBAIEgfYEgfMA8QB3AHoyjFTYty22IOo44FIe6YQWcDIT -hU070ivBOlejUutSAAABhfwJ/TEAAAQDAEgwRgIhAINjOWzyMeYZYFNk5cdghSwA -JDuxKo8/ubIlsAV9ymJWAiEAuVZjp2GQ0RmFyGVDiF865uC4lTtzMIwmpgwYiBqg -DQsAdgCt9776fP8QyIudPZwePhhqtGcpXc+xDCTKhYY069yCigAAAYX8Cf1OAAAE -AwBHMEUCIGoeOIHC8O+zj/3E89BHv+9siaKSOy/2I6i53V5faX3EAiEAsk/Lhr/0 -NpogdjroYqt1sKvTzmO0BrxWJ5a41JQdtX0wDQYJKoZIhvcNAQELBQADggEBAIM4 -moszjbZGKjaoCtsj5t7Dtxu/JmE9gOnwfxnUrDKn0T00dKQi8Mk6a4C5vdGnxorO -lj8VutznRvp1RKxb6WWyk0iW22rLm+kTudf/vf9lY0X7DmD/u3MO2tGumwjMdLRT -QgxP+yu8R03ZppnuzYZhERAbY6AuC/U+owiYjNfF4v1Eyn4zxe6L2v0UWGnBWObb -xv5RbhHFezr676GaLIrcVh0rN6YNK2J1Cei2pNtAVSLiSJvuuO5Qq1KE7wQqbGd+ 
-lqK2tcEZRtzaFrpW7C0ZW7LpgO8zdeN4BtD25ozhGJO/0H5hhKpQ/wtWqXYKkhC/ -G47QSheqKqJnHOCL0hA= +ZzCCAQQGCisGAQQB1nkCBAIEgfUEgfIA8AB3AHoyjFTYty22IOo44FIe6YQWcDIT +hU070ivBOlejUutSAAABh64/oVsAAAQDAEgwRgIhAP7YtA8CP1H13zTu+1Kc6NhK +FZYUKu8ri2+dzB88ITbvAiEAvJlpn8nVnUDXxkUOP5Mpsjoa3HXvCtNPxYDnTgEY +BfsAdQDoPtDaPvUGNTLnVyi8iWvJA9PL0RFr7Otp4Xd9bQa9bgAAAYeuP6FCAAAE +AwBGMEQCIECTpZFm85CZIFL2HH3OgqL4OXqoGK35Kw47BXbxn/mJAiAMEmFHB2Hu +mJWkGvqaxzhEmm6zQQm1ZBHpX2/zwrSYPzANBgkqhkiG9w0BAQsFAAOCAQEANiKy +sb6X4RTmQKMfFCMZHZIE/v+3ivyajm5srjbzaAPdIyxyiwGZQlhnFnqi6EN5jlCT +Cmj7U5qGmLALtfphNIOwNXblpgdJULRVle0WaB0lF8tGo5aKAFd4Ph7yxEdz69Bj +zJn0f92qEef7PNzJgIqYvPs+YOr5zhMGPPsqEmdxdwSj0j1E3y6omjq5kDHfbxQc +SKhbizxzrimxxInC0x16YrSCOVivtoEkfFAFLVRDAh/5SjPeHMEVaeleIMfSEW0q +7+O8+nttGJpAVwM/yNolYjxTK4HaB+8P3viBW0iISn1d2ntNt+8CFR18/2pmu8TG +hEME6qHQFvwIHyv0Kw== -----END CERTIFICATE----- diff --git a/data/ssl/_.franzi.business.key.pem.vault b/data/ssl/_.franzi.business.key.pem.vault index 9a5202f..237c8fd 100644 --- a/data/ssl/_.franzi.business.key.pem.vault +++ b/data/ssl/_.franzi.business.key.pem.vault 
@@ -1 +1 @@ -encrypt$gAAAAABj1gankGocRRCdH6WqCUFJ6UtA1f07KpXYh4KcelenJv0ZbQ98f2nwIk29iXWEIsS9FTiRyEG95u_Lmm_p7GbKCMDSIZfZgAC2I3tp_BxZPerhEkwxTT_BjEYHRjMDFrzwoAypTO1Mj_XiT_CYvAZptHI3MZcI9QwPVw-CMJ4KqzG-IztkW8KVnuM7agiBdUt4IYkLyeZ0IoL4nOIWANtdM-y4rILv6N7WIMw6dgsSvLPEQR-PYdNLq866IR0-yFGOfYcQKOvpBqAt6A69E6JxSm3AakaJaS75QYF2lzGVjTfrFoGz60LUjC60KuTsu3dUckGUm7JEq1BSMxvc5b_a6pCazvoAnM0gbtbM_DjL0phLj7VWZEg-_1CHfc2S0-UxbxBjLKJ3NPPs93_En5RWxqxkhvvZgxzWJqQWP2eBprge8Q_EEXkMbxumVVx9Ymdynlw2AgkQhVVJIu_vnsZ4Uc8vIA== \ No newline at end of file +encrypt$gAAAAABkRS8EmQt9ja80ubJPFsHB0UCWjaKQIQka18hT8C85Yom07ahlYOHZs5-wCG6Hl0BE8lSJu9yFXWoQBOkLqwKV-d-dFYWpqlKiSA4I1nQwDffkpYhmbfzOIyXaET07aIOKLNXs68TDQpnXlbIuw10LIguonsfJIEHucWU0EKP0GbHGvXd9r7VBVSmGJaEU4LZhgtnCwMjvk_oAQcqfecv3gJoFuYu6SbbXWUM1w8mTfbYhnfhJORucoEKEDqMoXvShP1kwzgRXMQyJRAj0rkrw9UuD3yBKQqynN3ldOdIQJtvxBx0Era0NkdtXmVhRyiPo5-ATBUzkZBmr_xkhEPnKrcc2WlI5PdJUy-pLx2kWCnzcomMWtV-TlQEcWJn-Vd5T-02jc4VGaGP6goufmtZP_AvO15bCy3VSTwSQEavFoeh8NecN3heoPTwEsFQx_E916MxV2AoMuvcyrA4B9GWPGtjyjA== \ No newline at end of file From 1c42226a4282cbaa6773f3b75cdd9d15ea11ee6c Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 23 Apr 2023 15:14:10 +0200 Subject: [PATCH 137/996] ssl: bump _.home.kunbox.net --- data/ssl/_.home.kunbox.net.crt.pem | 34 ++++++++++++------------ data/ssl/_.home.kunbox.net.key.pem.vault | 2 +- 2 files changed, 18 insertions(+), 18 deletions(-) diff --git a/data/ssl/_.home.kunbox.net.crt.pem b/data/ssl/_.home.kunbox.net.crt.pem index 7449694..49f8692 100644 --- a/data/ssl/_.home.kunbox.net.crt.pem +++ b/data/ssl/_.home.kunbox.net.crt.pem 
@@ -1,27 +1,27 @@ -----BEGIN CERTIFICATE----- -MIIEijCCA3KgAwIBAgISA28YyqkbxYen4u/lcNEqBY7lMA0GCSqGSIb3DQEBCwUA +MIIEijCCA3KgAwIBAgISBCniY2EWesmrYQmLl4y/fxV2MA0GCSqGSIb3DQEBCwUA MDIxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQD -EwJSMzAeFw0yMzAxMjkwOTE0MjZaFw0yMzA0MjkwOTE0MjVaMBoxGDAWBgNVBAMT -D2hvbWUua3VuYm94Lm5ldDB2MBAGByqGSM49AgEGBSuBBAAiA2IABCsS8YhWoIvn -yMOjY8LtjQ8+Pa58DBckQ1lnktMo1T3bfwxMxTGH+iYdOT4kHWOen6aNzdXqrerA -YjTN/MRBCR8tMZglzmshUG7qpzI/s89QSL6+KoCV5Pl0mEWLSvrLFKOCAl4wggJa +EwJSMzAeFw0yMzA0MjMxMjEwNTdaFw0yMzA3MjIxMjEwNTZaMBoxGDAWBgNVBAMT +D2hvbWUua3VuYm94Lm5ldDB2MBAGByqGSM49AgEGBSuBBAAiA2IABIDVSPH/4t0T +UmfqQfMTCfnsRIigYXok48yGBhjQHSn8TSoXxkjJHDm0yFIjfwnj30zfEOGRBCM4 +n43+3H1K0GkUkGMRf6Uab1+BvsSpKW0cWdX3oKItdiz9C590H/WdXqOCAl4wggJa MA4GA1UdDwEB/wQEAwIHgDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIw -DAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQUtCIXQGA7PP7mGdMLuN3nYsynu4wwHwYD +DAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQU5URSSxe195kWSJ9SXYqBeU3m1pMwHwYD VR0jBBgwFoAUFC6zF7dYVsuuUAlA5h+vnYsUwsYwVQYIKwYBBQUHAQEESTBHMCEG CCsGAQUFBzABhhVodHRwOi8vcjMuby5sZW5jci5vcmcwIgYIKwYBBQUHMAKGFmh0 dHA6Ly9yMy5pLmxlbmNyLm9yZy8wLQYDVR0RBCYwJIIRKi5ob21lLmt1bmJveC5u ZXSCD2hvbWUua3VuYm94Lm5ldDBMBgNVHSAERTBDMAgGBmeBDAECATA3BgsrBgEE AYLfEwEBATAoMCYGCCsGAQUFBwIBFhpodHRwOi8vY3BzLmxldHNlbmNyeXB0Lm9y ZzCCAQUGCisGAQQB1nkCBAIEgfYEgfMA8QB2ALc++yTfnE26dfI5xbpY9Gxd/ELP -ep81xJ4dCYEl7bSZAAABhf0FYYAAAAQDAEcwRQIgLCh9130fH81/vY6Ps7inMh3l -GEM8GPiDEHk68oq2R9wCIQCnHdc9Seo+qTRnc6DcoKvyC9azNFEZBiikMgoIJkyq -6gB3AHoyjFTYty22IOo44FIe6YQWcDIThU070ivBOlejUutSAAABhf0FYZgAAAQD -AEgwRgIhAM3M2KLdUfIiqVgaMqIH1ust2lUjR10gwN8juONeXZoMAiEA2KArQKYG -GbhN/dWqht+So4Ni3/K5Vwcfb91ewthPR6swDQYJKoZIhvcNAQELBQADggEBALhs -LaBZ27UoZOqukblSD8EyoLnJ3Cplg1r3J9+e4QNzySjsDpYr/w+Y4mUT/nGAGgGL -4b1cHD57XnQB1yvB3Dv9aowg+Udo4eTNY41FMgouYhYFowi5gWYoQhpIFOpwvd0v -Cmrl4PPta2Ytbg/FMNxOt47E0sUL2zASMCKTKcPsIpcpEG7w8jBGcCX7e3NCG36z -K4jZqW3Pd3BZe1e7ywUyF/SSw38Pv1rFbBxuSh+kDjQfcOWN75oOyyKgcLsGBxfy 
-850WclzgMTnRRlZGaiUTVQ7uPkB44DIhTT6afxPMDKrtRLkd5LHownE3NPUTyfDx -cK9weiaIniziAnEjUr4= +ep81xJ4dCYEl7bSZAAABh649Lk8AAAQDAEcwRQIhAP+qb4D+kC/4Cfbfi6qifGdJ +9mEx6o739AWBlow+uIi8AiAe/8BVo7cf+7tCb/fecOgicD0L5NF6w6g4hxUU97zK +iQB3AHoyjFTYty22IOo44FIe6YQWcDIThU070ivBOlejUutSAAABh649LmEAAAQD +AEgwRgIhAPRZ93I+Y0otV5+f+gHYW06m0pQ2RkjSr65KNEti+Xq5AiEA5Ys/iEns +O3KRqJiUXgiSRY17DQpViSsa9A9JiIx2JPowDQYJKoZIhvcNAQELBQADggEBAHeY +sCvU7bEAfFhAH1s0ajmKoFRT4vk78gxCXzqa7TB/uQ0wqe5ScsNTpJXFSZlqhXn+ +u2fw+Y64WT1joNH6vbqXU0DkaMdjb+JEfGOTlvWxql9IvduiLN7gCNGTJpt3UqGk +0IcGx1fs41kTcy5QInXgN5WIDUAFlvx9sKPMoEZvhK/Yjd2XoE/d/B9Tc7wPtObQ +R2Co3BNwA7LZZxFZh82io6MXOUXnzItSh/ieWb4LstX7gcalE5h9SLwsyk4dIYja +8n/pmZoQRzEG1v0qHQfOC1hEsTcNpcZ06gVcdy5eBn7LymvbzvHELhsrQ6FSEOqN +rlGE4RpZbHj4eMrf08Y= -----END CERTIFICATE----- diff --git a/data/ssl/_.home.kunbox.net.key.pem.vault b/data/ssl/_.home.kunbox.net.key.pem.vault index f3cc906..ae2b653 100644 --- a/data/ssl/_.home.kunbox.net.key.pem.vault +++ b/data/ssl/_.home.kunbox.net.key.pem.vault 
@@ -1 +1 @@ -encrypt$gAAAAABj1kcBpq8c_Ez3JkYJIB0evClkcblewwzBEbl4rfcd-3Z2xFlQ8OggIxGdlLGWjIN_ZBaENvXcqy4ZYlwpXgqrZJpBao8WyovZiKLK759r8qVRjbIBvHnH90t_JZ3-MydlpD1mUzHUy5oQq5Qn8jLoRTzHE2TM8VyhaBkMVQ9gacHdqNGW6dsvCRzXCQM1CNqs8pyc8nQxdARjv_FGwSeZlCxcYPSLEBeE-Hf-wJyVWnG7oyq9XKUyI8NWLPQNwWUjzMgKwumtDh21goRsSRAtLLFmqE_iU1IyZYwNh4J3SBMZKBl0fATtHXhnW1_k-RA1-l54PFMTR0KgS-uxYtqZ1Az0t1KEfEvyzfHAQLJ8RIwOOVtPNUvhSiMHr3jG0WpxymilOLfjFpnCZ8E_CA6L8hmytXEBfoM4ZHMCWzOIe_9tIKcMS146NOzaPnCXpKFganNuvV_S7zEn33zv-jYEHD4d8A== \ No newline at end of file +encrypt$gAAAAABkRS5ko2IFEzFfaAJGFwXPlBuwncdLwvNYjfvGwA9_kP6a6jBvuSw2nVTW3QFfaOB-eo64O9eE41oZa6yVq9wOYzF5vMg0_V5Xh5Tw0SXuEA7FS5l9khDjgEAW6ksZjjQ9P17Uhl8p7gFYcOJWXkzEpuksPfFbyXJMmTUmB1yHxBcdaCbonYHBieqanlzoKLLBZz2p5-NVigQHUSC_eGXZ0tcUId5jjbB1c-ssnNteqAI_5jdna5aIGn6EzfjDnIRvikaq4XNZ1vff5Zv9-GxpaXtbaee0a6Q__7socfGQ9-Za0KmpIwGJkZJfI51Abkrv0h2YApKaaEqD9mHgPiHrxbW4wMiAN66KBSMy0unWn5N_qMezEGnTY9HKLRpa-9T6PvYJShGlKH4mhGJJJgLUqT1OD6FvR8DBOx6ctr69ZhKDHcs_vkbHvvMmwRTVTUSVUFvGrS_44e6R9t6K_w5h0O69fA== \ No newline at end of file From acc3f3022a71cae29de2c2ab36f3c029d839ac21 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 23 Apr 2023 15:16:25 +0200 Subject: [PATCH 138/996] rx300: update mautrix-whatsapp to 0.8.4 --- nodes/rx300.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/nodes/rx300.py b/nodes/rx300.py index ec50efb..5e58955 100644 --- a/nodes/rx300.py +++ b/nodes/rx300.py @@ -268,8 +268,8 @@ nodes['rx300'] = { }, }, 'mautrix-whatsapp': { - 'version': 'v0.8.3', - 'sha1': '89ac3134ed6ca81b498122113754dd4548982685', + 'version': 'v0.8.4', + 'sha1': 'b26f10941ce144b6569fa499c676cede2cc52553', 'homeserver': { 'domain': 'franzi.business', 'url': 'https://matrix.franzi.business', From 7b8eb63672cdc0d9a02c0a300ef015b50fac3d7a Mon Sep 17 00:00:00 2001 
From: Franziska Kunsmann Date: Sun, 23 Apr 2023 15:16:51 +0200 Subject: [PATCH 139/996] rx300: update forgejo to 1.19.1-0 --- nodes/rx300.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/nodes/rx300.py b/nodes/rx300.py index 5e58955..78c7671 100644 --- a/nodes/rx300.py +++ b/nodes/rx300.py @@ -128,8 +128,8 @@ nodes['rx300'] = { }, }, 'gitea': { - 'url': 'https://codeberg.org/attachments/fafff70e-5070-4d15-9422-e54162e9a70d', - 'sha1': '25fa55a9cc6f7d8f3ba0990bf6a0b36a8db09dc2', + 'url': 'https://codeberg.org/attachments/f83c11d7-a22b-4494-9f62-61660e81b559', + 'sha1': '4a2634cb6860554b171100c7bd61ba8180e3b957', 'domain': 'git.franzi.business', 'email_domain_blocklist': { 'aol.com', From 9a32534c499ea94ca3bac2c2878b93a9a377c666 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Fri, 28 Apr 2023 16:42:55 +0200 Subject: [PATCH 140/996] bundles/icinga2: remove uceprotect level 2 from check_spam_blocklist --- bundles/icinga2/files/check_spam_blocklist | 1 - 1 file changed, 1 deletion(-) diff --git a/bundles/icinga2/files/check_spam_blocklist b/bundles/icinga2/files/check_spam_blocklist index 5cb350d..6d159cb 100644 --- a/bundles/icinga2/files/check_spam_blocklist +++ b/bundles/icinga2/files/check_spam_blocklist @@ -11,7 +11,6 @@ BLOCKLISTS = [ 'bl.spamcop.net', 'blackholes.brainerd.net', 'dnsbl-1.uceprotect.net', - 'dnsbl-2.uceprotect.net', 'l2.spews.dnsbl.sorbs.net', 'list.dsbl.org', 'map.spam-rbl.com', From 5a594ad308cf1e06ffa548d84960f4e0cf1cc9d0 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Fri, 28 Apr 2023 16:44:48 +0200 Subject: [PATCH 141/996] update element-web to 1.11.30 --- nodes/htz-cloud/miniserver.py | 2 +- nodes/rx300.py | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/nodes/htz-cloud/miniserver.py b/nodes/htz-cloud/miniserver.py index 57366e4..17b028d 100644 --- a/nodes/htz-cloud/miniserver.py +++ b/nodes/htz-cloud/miniserver.py 
@@ -61,7 +61,7 @@ nodes['htz-cloud.miniserver'] = { }, 'element-web': { 'url': 'chat.sophies-kitchen.eu', - 'version': 'v1.11.29', + 'version': 'v1.11.30', 'config': { 'default_server_config': { 'm.homeserver': { diff --git a/nodes/rx300.py b/nodes/rx300.py index 78c7671..9d0a1d6 100644 --- a/nodes/rx300.py +++ b/nodes/rx300.py @@ -105,7 +105,7 @@ nodes['rx300'] = { }, 'element-web': { 'url': 'chat.franzi.business', - 'version': 'v1.11.29', + 'version': 'v1.11.30', 'config': { 'default_server_config': { 'm.homeserver': { From 87184bc07b25ee7f7ed8d044a89cfb3ba8c9f60b Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Fri, 28 Apr 2023 16:45:01 +0200 Subject: [PATCH 142/996] update netbox to 3.5.0 --- nodes/rx300.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nodes/rx300.py b/nodes/rx300.py index 9d0a1d6..45cd228 100644 --- a/nodes/rx300.py +++ b/nodes/rx300.py @@ -306,7 +306,7 @@ nodes['rx300'] = { }, 'netbox': { 'domain': 'netbox.franzi.business', - 'version': 'v3.4.8', + 'version': 'v3.5.0', 'changelog_retention_days': 360, 'admins': { 'kunsi': 'hostmaster@kunbox.net', From e59aa591247b3fc54757a7b0b3ca828c8c80534c Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Fri, 28 Apr 2023 16:47:09 +0200 Subject: [PATCH 143/996] update grafana gpg key --- data/apt/files/gpg-keys/grafana.asc | 65 +++++++++++++++++------------ 1 file changed, 38 insertions(+), 27 deletions(-) diff --git a/data/apt/files/gpg-keys/grafana.asc b/data/apt/files/gpg-keys/grafana.asc index c74f292..dc4f616 100644 --- a/data/apt/files/gpg-keys/grafana.asc +++ b/data/apt/files/gpg-keys/grafana.asc 
@@ -1,30 +1,41 @@ -----BEGIN PGP PUBLIC KEY BLOCK----- -Version: GnuPG v1 -mQENBFiHXVIBCADr3VDEAGpq9Sg/xrPVu1GGqWGXdbnTbbNKeveCtFHZz7/GSATW -iwiY1skvlAOBiIKCqJEji0rZZgd8WxuhdfugiCBk1hDTMWCpjI0P+YymV77jHjYB -jHrKNlhb+aLjEd9Gf2EtbKUT1fvGUkzlVrcRGSX/XR9MBZlgja7NIyuVbn3uwZQ4 -jflWSNSlvMpohNxTFkrBFTRrCJXhbDLfCS46+so22CP3+1VQyqJ7/6RWK9v9KYdS -AVNgILXMggSrMqha4WA1a/ktczVQXNtP8IuPxTdp9pNYsklOTmrFVeq3mXsvWh9Q -lIhpYHIZlTZ5wVBq4wTRchsXC5MubIhz+ASDABEBAAG0GkdyYWZhbmEgPGluZm9A -Z3JhZmFuYS5jb20+iQE4BBMBAgAiBQJYh11SAhsDBgsJCAcDAgYVCAIJCgsEFgID -AQIeAQIXgAAKCRCMjDTFJAmMthxJB/9Id6JrwqRkJW+eSBb71FGQmRsJvNFR8J+3 -NPVhJNkTFFOM7TnjAMUIv+LYEURqGcceTNAN1aHq/7n/8ybXucCS0CnDYyNYpyVs -tWJ3FOQK3jPrmziDCWPQATqMM/Z2auXVFWrDFqfh2xKZNjuix0w2nyuWB8U0CG2U -89w+ksPJblGGU5xLPPzDQoAqyZXY3gpGGTkCuohMq2RWYbp/QJSQagYhQkKZoJhr -XJlnw4At6R1A5UUPzDw6WJqMRkGrkieE6ApIgf1vZSmnLRpXkqquRTAEyGT8Pugg -ee6YkD19/LK6ED6gn32StY770U9ti560U7oRjrOPK/Kjp4+qBtkQuQENBFiHXVIB -CACz4hO1g/4fKO9QWLcbSWpB75lbNgt1kHXP0UcW8TE0DIgqrifod09lC85adIz0 -zdhs+00lLqckM5wNbp2r+pd5rRaxOsMw2V+c/y1Pt3qZxupmPc5l5lL6jzbEVR9g -ygPaE+iabTk9Np2OZQ7Qv5gIDzivqK2mRHXaHTzoQn2dA/3xpFcxnen9dvu7LCpA -CdScSj9/UIRKk9PHIgr2RJhcjzLx0u1PxN9MEqfIsIJUUgZOoDsr8oCs44PGGIMm -cK1CKALLLiC4ZM58B56jRyXo18MqB6VYsC1X9wkcIs72thL3tThXO70oDGcoXzoo -ywAHBH63EzEyduInOhecDIKlABEBAAGJAR8EGAECAAkFAliHXVICGwwACgkQjIw0 -xSQJjLbWSwf/VIM5wEFBY4QLGUAfqfjDyfGXpcha58Y24Vv3n6MwJqnCIbTAaeWf -30CZ/wHg3NNIMB7I31vgmMOEbHQdv0LPTi9TG205VQeehcpNtZRZQ0D8TIetbxyi -Emmn9osig9U3/7jaAWBabE/9bGx4TF3eLlEH9wmFrNYeXvgRqmyqVoqhIMCNAAOY -REYyHyy9mzr9ywkwl0aroBqhzKIPyFlatZy9oRKllY/CCKO9RJy4DZidLphuwzqU -ymdQ1sqe5nKvwG5GvcncPc3O7LMevDBWnpNNkgERnVxCqpm90TuE3ONbirnU4+/S -tUsVU1DERc1fjOCnAm4pKIlNYphISIE7OQ== -=0pMC +mQGNBGO4aiUBDAC82zo3vUyQH3yTCabQ7ZpospBg/xXBbJWbQNksIbEP/+I12CjB +zac1QcMFd27MJlyXpsTqqSo1ZHOisNy0Tmyl/WlqMyoMeChg+LmIHLNbvAK0jPOX +1Pt2OykXJWN9Ru+ZZ4uQNgdKO5nXS6CZtK+McfhRwwghp+vlZFJgqP6aGR2A4cZ7 +IJpUQIoT/8GY6Fdx5TStTJucVUXjSJ3VqafZe4c0WHrk5Yb0UptYPBj9brZkmC9F 
+Uz6BLX6eO0HGLdwvYzoenlN1sD/2dclUtxoKYmfKDgpcG1V4vOClYPgOZ7g6jvwU ++nW39VGwR7yzbEAmGxVcd93QNUjTaZMfO3xJFm1UG5JwC6VJcd7Wp3hNHJle/y62 +lw0N2AATqJ7AV6PXKBPNebXvCB0LqkAiC/W//imeMCk9hfREmb5rhf1s83owpJaQ +gScEtJYIVgOqgGoFE8wkCkHFG1slneLykmGK2xAJ2Rk63MIAE4hL9WKLV624LMid +JqH3YIEA6pR+GlEAEQEAAbQmR3JhZmFuYSBMYWJzIDxlbmdpbmVlcmluZ0BncmFm +YW5hLmNvbT6JAdQEEwEIAD4WIQQOIuuI454SJ3p3YK6eQ5sQLPPAxgUCY7hqJQIb +AwUJA8JnAAULCQgHAgYVCgkICwIEFgIDAQIeAQIXgAAKCRCeQ5sQLPPAxhXnDACu +6rtTbZsbHYaotiQ757UX+Yu+hXTDBQe74ahEqKAYLg2JKzYNx2Q7UovvVLJ3JZQ4 +e2lezdj7NkeyuSuiq1C/A58fqRICqNh8vRCqOQ9+zfUy9DHwkCrLUVY+31MGLh3G +nXuNrb4AzC2PPNL+VoJhhYnXoFO6Ko6ftzmKeIVeuNp6YfM95gyfIupXGvmwefgx +fHIaq0MaeFhIf1RgcvPyMVIMCUoaHMeA5+Z2REjc9iopT4YVzn7ZmoG5vlXIo2gX +HGWFUQDTD3PW9cURVdaHAYcN0owl4o90jef14Md9xgTUIDx6soFhD3wXpiV5z/HC +7BZqe5mdpp0vDuQNRkqX/uALOBDdoh/r5mBjFxOzNeBHAtf8Fer9/w6g222sGUz/ +I3BCBFBRUKEBaExvonIEFToVDM4nHTCW9vTgnPOLkgX8GBfF3cobmnJlKrX5gLKQ +MKs+9JtaRi8+RBb8hOCm3tGxW+o6GKwZ6BGYrsTzFHNfWV42EwXJUhbfQnK5K0S5 +AY0EY7hqJQEMAO/jPuCVTthJR5JHFtzd/Sew59YJVIb8FgCPaZRKZwZ0rznMuZDf +HB6pDdHe5yy84Ig2pGundrxURkax5oRqQsTc6KWU27DPpyHx5yva1A7Sf55A0/i6 +XLBd2IFabijChiYhVxD/CFOwMtkhjU5CLY67fZ6FRB20ByrlDSNrhVMJ5F8lxRNb +Kh14Jc4Hk4F2Mm1+VlNdrmFqSzPF9JcEvUYHSuzOHi14L1jS2ECdyakbYLHGiHhj +dxuTVlUTEZ9fZ73qRLRViUsy1fwMWTUBWwyO5Qpgbtps3+WefusuJycWnQDOZxxr +0/SGxTE3qNn5kWXCg56t0YFISlhGM2ImU+BdTY+p8AthibdhZCTYswoghkPGVXbu +DGR98tVaeG1hLHsL3yh17VbukSCliyurOleQt2AuG9kKieU8zcxsXvFASz2fJOiQ +T7ehyDMCK0rLSigA66pZ63PVy05NnH4P4MNRvCE03KthblDrMiF0BckB0fDxBbd8 +17FEDGkunWKWmwARAQABiQG8BBgBCAAmFiEEDiLriOOeEid6d2CunkObECzzwMYF +AmO4aiUCGwwFCQPCZwAACgkQnkObECzzwMbAYAv+PWbRuO7McuaD8itXAtqW9o4F +o9PBMGXXJuWfN2UathyGuS6iZNCdIZMZgpOfuuk2ctFKeQHizM/hfUrguNGhvZX+ +xSbuq8M+/dx+c2Lse7NDP0Q8Pw9UaDHcW6gTTLizq/CWhFpOD2IH2ywxY3IrAvzG +R4pDs+NodJgLCQPd1ez/lGk90mk/j17Yue2sD2fwJyqWqbHZJe8qgfvEtn+WPK33 +84JN9DgDkcq7ThoLxU0Q7U3SempJGT98Yg2RWMAPj51DqtZOIVdeKoR8lr1rk3Kv +X7sojTBU4eWUrc0A3GwoqyCXz9xlXb8OLhTsFAlsQCLkgK7Rdt3sXyg3QkFQmGuk 
+MnYQV0TkaAcXE2p03nk45vVrWoGJPzDfx68LBT6Ck/Ytw8/QHm4zqjZBLH5cMdax +Fj8eP2CocfRC+Lqv0azQwyEVMkYSMKoFbhXmjiBZn9JxblndKnVbByA1/nMAa0Q7 +HTJC50jDJfpM9d1xQW/W5LBSQjd3czM6zlRXsliX +=lSMJ -----END PGP PUBLIC KEY BLOCK----- From 83930e12bc85a54479197142060f5c36849f27a1 Mon Sep 17 00:00:00 2001 From: Sophie Schiller Date: Sat, 29 Apr 2023 13:15:36 +0200 Subject: [PATCH 144/996] sophie's desktopbackups --- nodes/htz-hel/backup-sophie.py | 3 +++ 1 file changed, 3 insertions(+) diff --git a/nodes/htz-hel/backup-sophie.py b/nodes/htz-hel/backup-sophie.py index dfd492d..d6efed3 100644 --- a/nodes/htz-hel/backup-sophie.py +++ b/nodes/htz-hel/backup-sophie.py @@ -53,6 +53,9 @@ nodes['htz-hel.backup-sophie'] = { 'tank/ejgwthink': { 'mountpoint': '/mnt/backups/ejgwthink', }, + 'tank/ejgwdesk': { + 'mountpoint': '/mnt/backups/ejgwdesk', + }, 'tank/moto-sophie': { 'mountpoint': '/mnt/backups/moto-sophie', }, From f12a176759f3739e96a89c757c8aec21075326c6 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Tue, 2 May 2023 05:45:23 +0200 Subject: [PATCH 145/996] bundles/sysctl: we need 99-sysctl.conf on debian --- bundles/sysctl/items.py | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/bundles/sysctl/items.py b/bundles/sysctl/items.py index c4c448c..99860e1 100644 --- a/bundles/sysctl/items.py +++ b/bundles/sysctl/items.py @@ -20,6 +20,14 @@ files = { }, } +if node.os == 'debian': + # debian insists on creating that file during almost every + # unattended-upgrades run. Make it known to bundlewrap, so + # it does not get removed during applies. + symlinks['/etc/sysctl.d/99-sysctl.conf'] = { + 'target': '../sysctl.conf', + } + directories = { '/etc/sysctl.d': { 'purge': True, From 556e0d75c8a96086d798f14a26b40443d026026b Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Tue, 2 May 2023 05:45:50 +0200 Subject: [PATCH 146/996] home.nas: add another backup folder --- nodes/home/nas.py | 1 + 1 file changed, 1 insertion(+) 
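Review bot: The Grafana APT signing key is swapped for a new one with no record of how the new key was verified — the commit says only "update grafana gpg key", and a trust anchor fetched over the same channel as the packages it vouches for adds nothing unless it was checked against an out-of-band fingerprint. Record the fingerprint in the commit message or in a README next to `data/apt/files/gpg-keys/` (output of `gpg --show-keys --with-fingerprint grafana.asc`, compared with what Grafana publishes) so the next rotation can be checked the same way; an `.asc` file has no safe place for such a comment outside the armor header. The old key is also removed rather than kept alongside: if any Release file in the configured repository is still signed with it, apt on these nodes will fail verification until upstream has re-signed — hedged, since the repository configuration is not in this diff.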
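Review bot: Declaring `/etc/sysctl.d/99-sysctl.conf -> ../sysctl.conf` as a managed symlink has a side effect the comment does not mention: sysctl applies drop-ins in lexical order with later files winning, so `99-` overrides any lower-prefixed file the bundle writes, and whatever is in `/etc/sysctl.conf` on the node now takes precedence over the bundle's settings. That is only safe if `/etc/sysctl.conf` is itself managed or empty; the `files = {` dict this hunk is cut from may already cover it, but that is outside the hunk. Extend the comment, e.g. `# NOTE: 99- sorts after our drop-ins, so /etc/sysctl.conf wins; keep that file managed or empty.`, and add a `files['/etc/sysctl.conf']` item if it is not managed yet.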
diff --git a/nodes/home/nas.py b/nodes/home/nas.py index 37136d5..df4d593 100644 --- a/nodes/home/nas.py +++ b/nodes/home/nas.py @@ -53,6 +53,7 @@ nodes['home.nas'] = { '/storage/nas/Bilder', '/storage/nas/Bilder_Archiv', '/storage/nas/Books', + '/storage/nas/Installer', '/storage/nas/Musik', '/storage/nas/Musikvideos', '/storage/nas/normen', From 714fa88d72e36c0894f719e9da60215160fcebda Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sat, 6 May 2023 17:25:53 +0200 Subject: [PATCH 147/996] bundles/ntfy: fix directory modes --- bundles/ntfy/items.py | 2 ++ 1 file changed, 2 insertions(+) diff --git a/bundles/ntfy/items.py b/bundles/ntfy/items.py index c3437be..cb3c50b 100644 --- a/bundles/ntfy/items.py +++ b/bundles/ntfy/items.py @@ -22,6 +22,7 @@ files['/etc/ntfy/server.yml'] = { directories['/var/lib/ntfy'] = { 'owner': 'ntfy', 'group': 'ntfy', + 'mode': '0700', 'before': { 'pkg_apt:ntfy', }, @@ -30,6 +31,7 @@ directories['/var/lib/ntfy'] = { directories['/var/cache/ntfy'] = { 'owner': 'ntfy', 'group': 'ntfy', + 'mode': '0700', 'before': { 'pkg_apt:ntfy', }, From 906994b50fde33aa88407ed3cf04fbb45f334b1a Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sat, 6 May 2023 17:26:25 +0200 Subject: [PATCH 148/996] rx300: add bundle:jugendhackt_tools --- PORT_MAP.md | 1 + bundles/jugendhackt_tools/files/config.toml | 4 + .../files/jugendhackt_tools.service | 16 ++++ bundles/jugendhackt_tools/items.py | 76 +++++++++++++++++++ bundles/jugendhackt_tools/metadata.py | 28 +++++++ nodes/rx300.py | 17 +++++ 6 files changed, 142 insertions(+) create mode 100644 bundles/jugendhackt_tools/files/config.toml create mode 100644 bundles/jugendhackt_tools/files/jugendhackt_tools.service create mode 100644 bundles/jugendhackt_tools/items.py create mode 100644 bundles/jugendhackt_tools/metadata.py diff --git a/PORT_MAP.md b/PORT_MAP.md index a1725cb..1f13d47 100644 --- a/PORT_MAP.md +++ b/PORT_MAP.md 
@@ -45,6 +45,7 @@ Rule of thumb: keep ports below 10000 free for stuff that reserves ports.
 | 22060 | pretalx | gunicorn |
 | 22070 | paperless-ng | gunicorn |
 | 22080 | netbox | gunicorn |
+| 22090 | jugendhackt_tools | gunicorn |
 | 22999 | nginx | stub_status |
 | 22100 | ntfy | http |
diff --git a/bundles/jugendhackt_tools/files/config.toml b/bundles/jugendhackt_tools/files/config.toml
new file mode 100644
index 0000000..7c4131d
--- /dev/null
+++ b/bundles/jugendhackt_tools/files/config.toml
@@ -0,0 +1,4 @@
+<%
+ from tomlkit import dumps as toml_dumps
+ from bundlewrap.utils.text import toml_clean
+%>${toml_clean(toml_dumps(repo.libs.faults.resolve_faults(node.metadata.get('jugendhackt_tools')), sort_keys=True))}
diff --git a/bundles/jugendhackt_tools/files/jugendhackt_tools.service b/bundles/jugendhackt_tools/files/jugendhackt_tools.service
new file mode 100644
index 0000000..2d0a36c
--- /dev/null
+++ b/bundles/jugendhackt_tools/files/jugendhackt_tools.service
@@ -0,0 +1,16 @@
+[Unit]
+Description=jugendhackt_tools web service
+After=network.target
+Requires=postgresql.service
+
+[Service]
+User=jugendhackt_tools
+Group=jugendhackt_tools
+Environment=CONFIG_PATH=/opt/jugendhackt_tools/config.toml
+WorkingDirectory=/opt/jugendhackt_tools/src
+ExecStart=/opt/jugendhackt_tools/venv/bin/gunicorn jugendhackt_tools.wsgi --name jugendhackt_tools --workers 4 --max-requests 1200 --max-requests-jitter 50 --log-level=info --bind=127.0.0.1:22090
+Restart=always
+RestartSec=5
+
+[Install]
+WantedBy=multi-user.target
diff --git a/bundles/jugendhackt_tools/items.py b/bundles/jugendhackt_tools/items.py
new file mode 100644
index 0000000..3c9bf28
--- /dev/null
+++ b/bundles/jugendhackt_tools/items.py
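Review bot: `Requires=postgresql.service` pulls the database unit in but does not order this service after it — systemd ordering comes only from `After=`/`Before=` — so at boot gunicorn can start before PostgreSQL accepts connections and then leans on `Restart=always` to recover. Change the `[Unit]` line to `After=network.target postgresql.service` and keep `Requires=`. Since this runs a web app as a dedicated user, `[Service]` would also cheaply take `NoNewPrivileges=true`, `PrivateTmp=true` and `ProtectSystem=strict` with a `ReadWritePaths=` for whatever the app writes, but the app's write paths are not visible here, so that needs testing first.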
@@ -0,0 +1,76 @@
+directories['/opt/jugendhackt_tools/src'] = {}
+directories['/opt/jugendhackt_tools/static'] = {}
+
+git_deploy['/opt/jugendhackt_tools/src'] = {
+ 'repo': 'https://github.com/kunsi/jugendhackt_schedule.git',
+ 'rev': 'main',
+ 'triggers': {
+ 'action:jugendhackt_tools_install',
+ 'action:jugendhackt_tools_migrate',
+ 'svc_systemd:jugendhackt_tools:restart',
+ },
+}
+
+actions['jugendhackt_tools_create_virtualenv'] = {
+ 'command': '/usr/bin/python3 -m virtualenv -p python3 /opt/jugendhackt_tools/venv/',
+ 'unless': 'test -d /opt/jugendhackt_tools/venv/',
+ 'needs': {
+ # actually /opt/jugendhackt_tools, but we don't create that
+ 'directory:/opt/jugendhackt_tools/src',
+ },
+}
+
+actions['jugendhackt_tools_install'] = {
+ 'command': ' && '.join([
+ 'cd /opt/jugendhackt_tools/src',
+ '/opt/jugendhackt_tools/venv/bin/pip install --upgrade pip wheel gunicorn psycopg2-binary',
+ '/opt/jugendhackt_tools/venv/bin/pip install --upgrade -r requirements.txt',
+ ]),
+ 'needs': {
+ 'action:jugendhackt_tools_create_virtualenv',
+ },
+ 'triggered': True,
+}
+
+actions['jugendhackt_tools_migrate'] = {
+ 'command': ' && '.join([
+ 'cd /opt/jugendhackt_tools/src',
+ 'CONFIG_PATH=/opt/jugendhackt_tools/config.toml /opt/jugendhackt_tools/venv/bin/python manage.py migrate',
+ 'CONFIG_PATH=/opt/jugendhackt_tools/config.toml /opt/jugendhackt_tools/venv/bin/python manage.py collectstatic --noinput',
+ ]),
+ 'needs': {
+ 'action:jugendhackt_tools_install',
+ 'file:/opt/jugendhackt_tools/config.toml',
+ 'postgres_db:jugendhackt_tools',
+ 'postgres_role:jugendhackt_tools',
+ },
+ 'triggered': True,
+}
+
+files['/opt/jugendhackt_tools/config.toml'] = {
+ 'content_type': 'mako',
+ 'triggers': {
+ 'svc_systemd:jugendhackt_tools:restart',
+ },
+}
+
+files['/usr/local/lib/systemd/system/jugendhackt_tools.service'] = {
+ 'triggers': {
+ 'action:systemd-reload',
+ 'svc_systemd:jugendhackt_tools:restart',
+ },
+}
+
+svc_systemd['jugendhackt_tools'] = {
+ 'needs': {
+ 'action:jugendhackt_tools_migrate',
+ 'file:/opt/jugendhackt_tools/config.toml',
+ 'file:/usr/local/lib/systemd/system/jugendhackt_tools.service',
+ 'git_deploy:/opt/jugendhackt_tools/src',
+ 'user:jugendhackt_tools',
+ },
+}
+
+users['jugendhackt_tools'] = {
+ 'home': '/opt/jugendhackt_tools/src',
+}
diff --git a/bundles/jugendhackt_tools/metadata.py b/bundles/jugendhackt_tools/metadata.py
new file mode 100644
index 0000000..beb7385
--- /dev/null
+++ b/bundles/jugendhackt_tools/metadata.py
@@ -0,0 +1,28 @@
+defaults = {
+ 'jugendhackt_tools': {
+ 'django_secret': repo.vault.random_bytes_as_base64_for(f'{node.name} jugendhackt_tools django_secret'),
+ 'django_debug': False,
+ 'static_root': '/opt/jugendhackt_tools/static/',
+ 'database': {
+ 'ENGINE': 'django.db.backends.postgresql',
+ 'NAME': 'jugendhackt_tools',
+ 'USER': 'jugendhackt_tools',
+ 'PASSWORD': repo.vault.password_for(f'{node.name} postgresql jugendhackt_tools'),
+ 'HOST': 'localhost',
+ 'PORT': '5432'
+ },
+ },
+ 'postgresql': {
+ 'roles': {
+ 'jugendhackt_tools': {
+ 'password': repo.vault.password_for(f'{node.name} postgresql jugendhackt_tools'),
+ },
+ },
+ 'databases': {
+ 'jugendhackt_tools': {
+ 'owner': 'jugendhackt_tools',
+ },
+ },
+ },
+}
+
diff --git a/nodes/rx300.py b/nodes/rx300.py
index 45cd228..0c20bad 100644
--- a/nodes/rx300.py
+++ b/nodes/rx300.py
@@ -13,6 +13,7 @@ nodes['rx300'] = {
 'gitea',
 'ipmitool',
 'jenkins-ci',
+ 'jugendhackt_tools',
 'lm-sensors',
 'matrix-dimension',
 'matrix-media-repo',
@@ -180,6 +181,10 @@ nodes['rx300'] = {
 '/var/www/franzi.business', # for deployment task
 },
 },
+ 'jugendhackt_tools': {
+ 'allowed_hosts': ['jh.franzi.business'],
+ 'timezone': 'Europe/Berlin',
+ },
 'letsencrypt': {
 'concat_and_deploy': {
 'kunsi-weechat': {
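Review bot: `files['/opt/jugendhackt_tools/config.toml']` sets no `owner`, `group` or `mode`, yet the mako template dumps the entire `jugendhackt_tools` metadata into it, which per the metadata.py in this commit includes `django_secret` and the database `PASSWORD`; with bundlewrap's default file attributes (0644 root:root unless this repo overrides them) every local account on rx300 can read both. Make it `'owner': 'root', 'group': 'jugendhackt_tools', 'mode': '0640',` and add `'user:jugendhackt_tools'` to the file's `needs` so the group exists before the file is written; the service already reads it as that user. Separately, `git_deploy` tracks `'rev': 'main'` and the install action runs `pip install --upgrade -r requirements.txt`, so each apply deploys whatever is on that branch and whatever its unpinned requirements resolve to, with no review step in between; pinning `rev` to a commit or tag is the usual fix if that is not intended.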
@@ -358,6 +363,18 @@ nodes['rx300'] = { }, }, }, + 'jugendhackt_tools': { + 'domain': 'jh.franzi.business', + 'ssl': '_.franzi.business', + 'locations': { + '/': { + 'target': 'http://127.0.0.1:22090/', + }, + '/static/': { + 'alias': '/opt/jugendhackt_tools/static/', + }, + }, + }, 'kunbox.net': {}, 'kunsmann.eu': { 'locations': { From b2ad9ce3d80b13d845512a95c3b0869b9868a247 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Mon, 15 May 2023 12:06:41 +0200 Subject: [PATCH 149/996] bundles/jugendhackt_tools: fix static root --- bundles/jugendhackt_tools/items.py | 1 - bundles/jugendhackt_tools/metadata.py | 2 +- nodes/rx300.py | 2 +- 3 files changed, 2 insertions(+), 3 deletions(-) diff --git a/bundles/jugendhackt_tools/items.py b/bundles/jugendhackt_tools/items.py index 3c9bf28..38afbb5 100644 --- a/bundles/jugendhackt_tools/items.py +++ b/bundles/jugendhackt_tools/items.py @@ -1,5 +1,4 @@ directories['/opt/jugendhackt_tools/src'] = {} -directories['/opt/jugendhackt_tools/static'] = {} git_deploy['/opt/jugendhackt_tools/src'] = { 'repo': 'https://github.com/kunsi/jugendhackt_schedule.git', diff --git a/bundles/jugendhackt_tools/metadata.py b/bundles/jugendhackt_tools/metadata.py index beb7385..0b3d073 100644 --- a/bundles/jugendhackt_tools/metadata.py +++ b/bundles/jugendhackt_tools/metadata.py @@ -2,7 +2,7 @@ defaults = { 'jugendhackt_tools': { 'django_secret': repo.vault.random_bytes_as_base64_for(f'{node.name} jugendhackt_tools django_secret'), 'django_debug': False, - 'static_root': '/opt/jugendhackt_tools/static/', + 'static_root': '/opt/jugendhackt_tools/src/static/', 'database': { 'ENGINE': 'django.db.backends.postgresql', 'NAME': 'jugendhackt_tools', diff --git a/nodes/rx300.py b/nodes/rx300.py index 0c20bad..45acd01 100644 --- a/nodes/rx300.py +++ b/nodes/rx300.py 
@@ -371,7 +371,7 @@ nodes['rx300'] = { 'target': 'http://127.0.0.1:22090/', }, '/static/': { - 'alias': '/opt/jugendhackt_tools/static/', + 'alias': '/opt/jugendhackt_tools/src/static/', }, }, }, From 77930b9a2fc5175692bef163d5ea1e155a218f82 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Mon, 15 May 2023 12:07:03 +0200 Subject: [PATCH 150/996] update element-web to 1.11.32 --- nodes/htz-cloud/miniserver.py | 2 +- nodes/rx300.py | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/nodes/htz-cloud/miniserver.py b/nodes/htz-cloud/miniserver.py index 17b028d..22b10a0 100644 --- a/nodes/htz-cloud/miniserver.py +++ b/nodes/htz-cloud/miniserver.py @@ -61,7 +61,7 @@ nodes['htz-cloud.miniserver'] = { }, 'element-web': { 'url': 'chat.sophies-kitchen.eu', - 'version': 'v1.11.30', + 'version': 'v1.11.31', 'config': { 'default_server_config': { 'm.homeserver': { diff --git a/nodes/rx300.py b/nodes/rx300.py index 45acd01..9954731 100644 --- a/nodes/rx300.py +++ b/nodes/rx300.py @@ -106,7 +106,7 @@ nodes['rx300'] = { }, 'element-web': { 'url': 'chat.franzi.business', - 'version': 'v1.11.30', + 'version': 'v1.11.31', 'config': { 'default_server_config': { 'm.homeserver': { From 6449797b060cec0a418b6459ea3f9a9083f4fd91 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Mon, 15 May 2023 12:07:36 +0200 Subject: [PATCH 151/996] update forgejo to 1.19.3-0 --- nodes/rx300.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/nodes/rx300.py b/nodes/rx300.py index 9954731..6f37cba 100644 --- a/nodes/rx300.py +++ b/nodes/rx300.py @@ -129,8 +129,8 @@ nodes['rx300'] = { }, }, 'gitea': { - 'url': 'https://codeberg.org/attachments/f83c11d7-a22b-4494-9f62-61660e81b559', - 'sha1': '4a2634cb6860554b171100c7bd61ba8180e3b957', + 'url': 'https://codeberg.org/attachments/25eea495-ba85-4061-bec0-cf9823b63cb2', + 'sha1': '8b3ccd4bd300e41fd96e7e593a80d081dc1bc825', 'domain': 'git.franzi.business', 'email_domain_blocklist': { 'aol.com', 
From 034047dcd8c9f8205b9e910669b9f22eea34fb82 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Mon, 15 May 2023 12:09:22 +0200 Subject: [PATCH 152/996] update netbox to 3.5.1 --- nodes/rx300.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nodes/rx300.py b/nodes/rx300.py index 6f37cba..c730bc2 100644 --- a/nodes/rx300.py +++ b/nodes/rx300.py @@ -311,7 +311,7 @@ nodes['rx300'] = { }, 'netbox': { 'domain': 'netbox.franzi.business', - 'version': 'v3.5.0', + 'version': 'v3.5.1', 'changelog_retention_days': 360, 'admins': { 'kunsi': 'hostmaster@kunbox.net', From 1ed9a4ff15e5ce28e73a96671353dd167b155f13 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Mon, 15 May 2023 12:11:32 +0200 Subject: [PATCH 153/996] update travelynx to 1.31.2 --- nodes/rx300.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nodes/rx300.py b/nodes/rx300.py index c730bc2..0b22de5 100644 --- a/nodes/rx300.py +++ b/nodes/rx300.py @@ -548,7 +548,7 @@ nodes['rx300'] = { }, }, 'travelynx': { - 'version': '1.30.11', + 'version': '1.31.2', 'mail_from': 'travelynx@franzi.business', 'domain': 'travelynx.franzi.business', }, From a15cc2f121fed56d40eb1e0fa819679d56719968 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Mon, 15 May 2023 15:56:42 +0200 Subject: [PATCH 154/996] wip --- data/powerdns/files/bind-zones/kunbox.net | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/data/powerdns/files/bind-zones/kunbox.net b/data/powerdns/files/bind-zones/kunbox.net index 25a0273..1048a75 100644 --- a/data/powerdns/files/bind-zones/kunbox.net +++ b/data/powerdns/files/bind-zones/kunbox.net @@ -1,5 +1,5 @@ $TTL 60 -@ IN SOA ns-primary.kunbox.net. hostmaster.kunbox.net. ( +@ IN SOA ns-ionos.kunbox.net. hostmaster.kunbox.net. ( ${SERIAL} 3600 600 
@@ -28,6 +28,7 @@ _acme-challenge.home IN CNAME _acme-challenge.home.kunbox.net.le.kunbox.net. mta-sts IN CNAME rx300 ; Nameservers +ns-primary IN CNAME ns-ionos ns-1 IN A 34.89.208.78 ns-2 IN A 35.187.109.249 ns-3 IN A 35.228.143.71 From b68a80c8c3ae381a7ca661e9a89b6dfc1c2ccd83 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Tue, 16 May 2023 13:01:04 +0200 Subject: [PATCH 155/996] home.nas: replace failed disk --- nodes/home/nas.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nodes/home/nas.py b/nodes/home/nas.py index df4d593..48c7c4a 100644 --- a/nodes/home/nas.py +++ b/nodes/home/nas.py @@ -226,7 +226,7 @@ nodes['home.nas'] = { '/dev/disk/by-id/ata-WDC_WD6003FFBX-68MU3N0_V8HJ406R', '/dev/disk/by-id/ata-WDC_WD6003FFBX-68MU3N0_V8HJBTLR', '/dev/disk/by-id/ata-WDC_WD6003FFBX-68MU3N0_V8HJGN6R', - '/dev/disk/by-id/ata-WDC_WD6003FFBX-68MU3N0_V8HJU4NR', + '/dev/disk/by-id/ata-WDC_WD6003FFBX-68MU3N0_V9JS5UYL', '/dev/disk/by-id/ata-WDC_WD6003FFBX-68MU3N0_V8J8ZKRR', }, }, From a4bb7f89ecc51b99f51c3a44d51c64c0da3d1dd5 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Tue, 16 May 2023 17:58:31 +0200 Subject: [PATCH 156/996] rename ns-primary to ns-ionos --- bundles/powerdns/items.py | 3 --- nodes/{ns-primary.toml => ns-ionos.toml} | 0 2 files changed, 3 deletions(-) rename nodes/{ns-primary.toml => ns-ionos.toml} (100%) diff --git a/bundles/powerdns/items.py b/bundles/powerdns/items.py index 2aad214..7328360 100644 --- a/bundles/powerdns/items.py +++ b/bundles/powerdns/items.py @@ -7,9 +7,6 @@ zone_path = join(repo.path, 'data', 'powerdns', 'files', 'bind-zones') nameservers = set() for rnode in sorted(repo.nodes_in_group('dns')): - if not rnode.metadata.get('powerdns/is_secondary'): - # hide the primary nameserver from auto-generated nameserver lists - continue nameservers.add(rnode.metadata.get('powerdns/my_hostname', rnode.metadata.get('hostname'))) directories = { 
diff --git a/nodes/ns-primary.toml b/nodes/ns-ionos.toml similarity index 100% rename from nodes/ns-primary.toml rename to nodes/ns-ionos.toml From f8416215d5b9459face7884a5b57982a4e50623f Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Tue, 16 May 2023 18:07:34 +0200 Subject: [PATCH 157/996] ns-ionos: move powerdnsadmin webinterface to new hostname --- PORT_MAP.md | 1 + .../powerdnsadmin/files/powerdnsadmin.service | 2 +- bundles/powerdnsadmin/items.py | 4 ++++ bundles/powerdnsadmin/metadata.py | 24 +++++++++++++++++++ nodes/home/router.py | 2 +- nodes/ns-ionos.toml | 10 +++----- 6 files changed, 34 insertions(+), 9 deletions(-) diff --git a/PORT_MAP.md b/PORT_MAP.md index 1f13d47..453040d 100644 --- a/PORT_MAP.md +++ b/PORT_MAP.md @@ -46,6 +46,7 @@ Rule of thumb: keep ports below 10000 free for stuff that reserves ports. | 22070 | paperless-ng | gunicorn | | 22080 | netbox | gunicorn | | 22090 | jugendhackt_tools | gunicorn | +| 22100 | powerdnsadmin | gunicorn | | 22999 | nginx | stub_status | | 22100 | ntfy | http | diff --git a/bundles/powerdnsadmin/files/powerdnsadmin.service b/bundles/powerdnsadmin/files/powerdnsadmin.service index 333cfe7..1153886 100644 --- a/bundles/powerdnsadmin/files/powerdnsadmin.service +++ b/bundles/powerdnsadmin/files/powerdnsadmin.service @@ -9,7 +9,7 @@ Group=powerdnsadmin Environment=FLASK_CONF=/opt/powerdnsadmin/config.py WorkingDirectory=/opt/powerdnsadmin/src ExecStartPre=-/bin/chown powerdnsadmin:powerdnsadmin /opt/powerdnsadmin/src/powerdnsadmin/static -ExecStart=/opt/powerdnsadmin/venv/bin/gunicorn 'powerdnsadmin:create_app()' +ExecStart=/opt/powerdnsadmin/venv/bin/gunicorn 'powerdnsadmin:create_app()' --name powerdnsadmin --workers 4 --max-requests 1200 --max-requests-jitter 50 --log-level=info --bind=127.0.0.1:22100 [Install] WantedBy=multi-user.target diff --git a/bundles/powerdnsadmin/items.py b/bundles/powerdnsadmin/items.py index ea256ea..fb1bf0d 100644 --- a/bundles/powerdnsadmin/items.py 
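Review bot: The new `--bind=127.0.0.1:22100` in the ExecStart line reuses a port that PORT_MAP.md in this same commit already lists for ntfy (`| 22100 | ntfy | http |` remains below the added powerdnsadmin row). Whether the two services ever share a host is not visible here, but the port map exists to prevent exactly this kind of collision, so the gunicorn bind, the new PORT_MAP row and the `target` in bundles/powerdnsadmin/metadata.py should move to a port the map does not already assign. The unit's `[Service]` section header is above the hunk.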
+++ b/bundles/powerdnsadmin/items.py @@ -21,10 +21,14 @@ git_deploy = { files = { '/opt/powerdnsadmin/config.py': { 'content_type': 'mako', + 'triggers': { + 'svc_systemd:powerdnsadmin:restart', + }, }, '/etc/systemd/system/powerdnsadmin.service': { 'triggers': { 'action:systemd-reload', + 'svc_systemd:powerdnsadmin:restart', }, }, } diff --git a/bundles/powerdnsadmin/metadata.py b/bundles/powerdnsadmin/metadata.py index 0617b03..d7e93be 100644 --- a/bundles/powerdnsadmin/metadata.py +++ b/bundles/powerdnsadmin/metadata.py @@ -50,3 +50,27 @@ def icinga_check_for_new_release(metadata): }, }, } + + +@metadata_reactor.provides( + 'nginx/vhosts/powerdnsadmin', +) +def nginx(metadata): + if not node.has_bundle('nginx'): + raise DoNotRunAgain + + return { + 'nginx': { + 'vhosts': { + 'powerdnsadmin': { + 'locations': { + '/': { + 'target': 'http://127.0.0.1:22100', + }, + }, + 'website_check_path': '/login', + 'website_check_string': 'PowerDNS', + }, + }, + }, + } diff --git a/nodes/home/router.py b/nodes/home/router.py index cbdbc5d..68b7e16 100644 --- a/nodes/home/router.py +++ b/nodes/home/router.py @@ -133,7 +133,7 @@ nodes['home.router'] = { 'interface': 'enp1s0.7', 'dyndns': { 'domain': 'franzi-home.kunbox.net', - 'url': 'https://ns-primary.kunbox.net/nic/update?hostname=franzi-home.kunbox.net&myip={ip}', + 'url': 'https://ns-ionos.kunbox.net/nic/update?hostname=franzi-home.kunbox.net&myip={ip}', 'username': vault.decrypt('encrypt$gAAAAABfr8DLAJhmUIhdxLq83I8MnRRvkRgDZcO8Brvw1KpvplC3K8ZGj0jIIWD3Us33vIP6t0ybd_mgD8slpRUk78Kqd3BMoQ=='), 'password': vault.decrypt('encrypt$gAAAAABfr8Cq5M1hweeJTQAl0dLhFntdlw-QnkIYUQpY-_ycODVWOpyeAwjwOgWLSdsdXIUvqcoiXPZPV-BE12p5C42NGnj9r7sKYpoGz8xfuGIk6haMa2g='), }, diff --git a/nodes/ns-ionos.toml b/nodes/ns-ionos.toml index d75d4a7..30e4a39 100644 --- a/nodes/ns-ionos.toml +++ b/nodes/ns-ionos.toml 
@@ -18,14 +18,10 @@ gateway4 = "10.255.255.1" gateway6 = "fe80::250:56ff:fea8:628f" [metadata.icinga_options] -pretty_name = "ns-primary.kunbox.net" +pretty_name = "ns-ionos.kunbox.net" -[metadata.nginx.vhosts."ns-primary.kunbox.net"] -website_check_path = "/login" -website_check_string = "PowerDNS" - -[metadata.nginx.vhosts."ns-primary.kunbox.net".locations."/"] -target = "http://127.0.0.1:8000/" +[metadata.nginx.vhosts.powerdnsadmin] +domain = "ns-ionos.kunbox.net" [metadata.postgresql] version = "15" From 6d2cf0fa244a660da8eb7b20137359186fdb86d6 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Tue, 16 May 2023 19:23:52 +0200 Subject: [PATCH 158/996] bundles/powerdns: ensure primary servers are in database --- bundles/powerdns/items.py | 24 +++++++++++++++++++++++- bundles/powerdns/metadata.py | 10 ++++++++-- 2 files changed, 31 insertions(+), 3 deletions(-) diff --git a/bundles/powerdns/items.py b/bundles/powerdns/items.py index 7328360..ddb8751 100644 --- a/bundles/powerdns/items.py +++ b/bundles/powerdns/items.py @@ -9,6 +9,10 @@ nameservers = set() for rnode in sorted(repo.nodes_in_group('dns')): nameservers.add(rnode.metadata.get('powerdns/my_hostname', rnode.metadata.get('hostname'))) +my_primary_servers = set() +for ips in node.metadata.get('powerdns/my_primary_servers', {}).values(): + my_primary_servers.update(ips) + directories = { '/etc/powerdns/pdns.d': { 'purge': True, @@ -36,7 +40,7 @@ files = { 'api_key': node.metadata.get('powerdns/api_key'), 'my_hostname': node.metadata.get('powerdns/my_hostname', node.metadata.get('hostname')), 'is_secondary': node.metadata.get('powerdns/is_secondary', False), - 'my_primary_servers': node.metadata.get('powerdns/my_primary_servers', set()), + 'my_primary_servers': my_primary_servers, 'my_secondary_servers': node.metadata.get('powerdns/my_secondary_servers', set()), }, 'needs': { 
@@ -167,3 +171,21 @@ if node.metadata.get('powerdns/features/pgsql', node.has_bundle('postgresql')): 'svc_systemd:pdns', }, } + + for hostname, ips in node.metadata.get('powerdns/my_primary_servers', {}).items(): + for ip in ips: + ip_name = ip.replace(':', '-') + actions[f'powerdns_ensure_{hostname}_{ip_name}_in_autoprimaries'] = { + 'command': 'psql -c "INSERT INTO supermasters (ip, nameserver, account) VALUES ' + f'(\'{ip}\', \'{hostname}\', \'admin\') ON CONFLICT ON CONSTRAINT ' + f'supermasters_pkey DO UPDATE SET nameserver = \'{hostname}\'" powerdns', + 'unless': f'bash -c "[ \"$(psql -tAqc "SELECT nameserver FROM supermasters WHERE ip = \'{ip}\'" powerdns)\" == \"{hostname}\" ]"', + 'triggers': { + 'action:powerdns_fix_primaries', + }, + } + + actions['powerdns_fix_primaries'] = { + 'command': f'psql -c "UPDATE domains SET master = \'{", ".join(sorted(my_primary_servers))}\'" powerdns', + 'triggered': True, + } diff --git a/bundles/powerdns/metadata.py b/bundles/powerdns/metadata.py index e93c7de..90c06d4 100644 --- a/bundles/powerdns/metadata.py +++ b/bundles/powerdns/metadata.py @@ -86,6 +86,8 @@ def get_ips_of_secondary_nameservers(metadata): ips = set() for rnode in repo.nodes_in_group('dns'): if rnode.metadata.get('powerdns/is_secondary', False): + if rnode.name == node.name: + raise BundleError(f'{node.name} cannot be its own secondary') for _, found_ips in repo.libs.tools.resolve_identifier(repo, rnode.name).items(): ips.update({str(ip) for ip in found_ips}) 
@@ -102,11 +104,15 @@ def get_ips_of_primary_nameservers(metadata): if not metadata.get('powerdns/is_secondary', False): return {} - ips = set() + ips = {} for rnode in repo.nodes_in_group('dns'): if not rnode.metadata.get('powerdns/is_secondary', False): + if rnode.name == node.name: + raise BundleError(f'{node.name} cannot be its own secondary') + hostname = rnode.metadata.get('hostname') + ips[hostname] = set() for _, found_ips in repo.libs.tools.resolve_identifier(repo, rnode.name).items(): - ips.update({str(ip) for ip in found_ips}) + ips[hostname].update({str(ip) for ip in found_ips}) return { 'powerdns': { From 261c284f2f0729f2b9ee9329b83c9ba77c498bd2 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Tue, 16 May 2023 19:25:23 +0200 Subject: [PATCH 159/996] add ns-digitalocean --- nodes/ns-digitalocean.toml | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+) create mode 100644 nodes/ns-digitalocean.toml diff --git a/nodes/ns-digitalocean.toml b/nodes/ns-digitalocean.toml new file mode 100644 index 0000000..ae87f1d --- /dev/null +++ b/nodes/ns-digitalocean.toml @@ -0,0 +1,23 @@ +hostname = "46.101.91.6" +groups = [ + "debian-bullseye", + "dns", +] + +[metadata.interfaces.eth0] +ips = [ + "46.101.91.6/20", + "2a03:b0c0:1:d0::bc2:6001/124", +] +gateway4 = "46.101.80.1" +gateway6 = "2a03:b0c0:1:d0::1" + +[metadata.icinga_options] +pretty_name = "ns-digitalocean.kunbox.net" + +[metadata.postgresql] +version = "15" + +[metadata.vm] +cpu = 1 +ram = 1 From 1260410eae1d770ee25c350585d737f1717714b9 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Tue, 16 May 2023 19:56:21 +0200 Subject: [PATCH 160/996] bundles/powerdns: split "add ip to autoprimaries" and "fix hostname for autoprimary" --- bundles/powerdns/items.py | 21 +++++++++++++++++---- 1 file changed, 17 insertions(+), 4 deletions(-) diff --git a/bundles/powerdns/items.py b/bundles/powerdns/items.py index ddb8751..04261c0 100644 --- a/bundles/powerdns/items.py 
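Review bot: `hostname = rnode.metadata.get('hostname')` keys the primaries dict by the raw `hostname` metadata, while bundles/powerdns/items.py in this commit resolves nameserver names via `rnode.metadata.get('powerdns/my_hostname', rnode.metadata.get('hostname'))`. For a node like the ns-digitalocean.toml added in the next commit (`hostname = "46.101.91.6"`) the key, and with it the `nameserver` value items.py later writes into the supermasters table, becomes an IP literal rather than a DNS name; `hostname = rnode.metadata.get('powerdns/my_hostname', rnode.metadata.get('hostname'))` keeps both places in step. The added `raise BundleError(f'{node.name} cannot be its own secondary')` was copied from the secondary-side reactor; in this loop `rnode` is a primary, so 'cannot be its own primary' describes the condition, and `BundleError` must be imported somewhere above the hunk. The function's signature and the rest of its `return` block lie outside the hunk.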
+++ b/bundles/powerdns/items.py @@ -175,14 +175,27 @@ if node.metadata.get('powerdns/features/pgsql', node.has_bundle('postgresql')): for hostname, ips in node.metadata.get('powerdns/my_primary_servers', {}).items(): for ip in ips: ip_name = ip.replace(':', '-') - actions[f'powerdns_ensure_{hostname}_{ip_name}_in_autoprimaries'] = { - 'command': 'psql -c "INSERT INTO supermasters (ip, nameserver, account) VALUES ' - f'(\'{ip}\', \'{hostname}\', \'admin\') ON CONFLICT ON CONSTRAINT ' - f'supermasters_pkey DO UPDATE SET nameserver = \'{hostname}\'" powerdns', + + actions[f'powerdns_ensure_{ip_name}_in_autoprimaries'] = { + 'command': f'psql -c "INSERT INTO supermasters (ip, nameserver, account) VALUES (\'{ip}\', \'{hostname}\', \'admin\')" powerdns', + 'unless': f'test -n \"$(psql -tAqc "SELECT nameserver FROM supermasters WHERE ip = \'{ip}\'" powerdns)\"', + 'triggers': { + 'action:powerdns_fix_primaries', + }, + 'after': { + 'action:powerdns_load_pgsql_schema', + }, + } + + actions[f'powerdns_ensure_{hostname}_matches_{ip_name}_in_autoprimaries'] = { + 'command': f'psql -c "UPDATE supermasters SET nameserver = \'{hostname}\' WHERE ip = \'{ip}\'" powerdns', 'unless': f'bash -c "[ \"$(psql -tAqc "SELECT nameserver FROM supermasters WHERE ip = \'{ip}\'" powerdns)\" == \"{hostname}\" ]"', 'triggers': { 'action:powerdns_fix_primaries', }, + 'after': { + f'action:powerdns_ensure_{ip_name}_in_autoprimaries', + }, } actions['powerdns_fix_primaries'] = { From a6f865104c68dc1065e9d83f460e7b59a4a30bec Mon Sep 17 00:00:00 2001 
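Review bot: The `'command'` and `'unless'` strings of both new actions splice `{ip}` (and, in three of the four, `{hostname}`) unescaped into a SQL statement that is itself run through the node's shell, so a value containing a single or double quote silently breaks the statement or the `bash -c` comparison. Today both values come only from repo metadata (resolve_identifier output and node `hostname`), so the exposure is to configuration mistakes rather than external input, but a guard at the top of the inner loop makes that assumption explicit: `ipaddress.ip_address(ip)` (turning ValueError into a BundleError) for the address, and a BundleError if `hostname` contains a quote character. The INSERT also hardcodes the `account` column to `'admin'`; a one-line comment on why that value is used would help the next reader. The enclosing `if node.metadata.get('powerdns/features/pgsql', …)` block starts above the hunk and the `powerdns_fix_primaries` action continues below it.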
From: Franziska Kunsmann Date: Tue, 16 May 2023 20:05:40 +0200 Subject: [PATCH 161/996] rename nameservers, once again --- data/powerdns/files/bind-zones/kunbox.net | 9 +++++++-- nodes/home/router.py | 2 +- nodes/{ns-digitalocean.toml => ns-ghirahim.toml} | 2 +- nodes/{ns-ionos.toml => ns-mephisto.toml} | 4 ++-- 4 files changed, 11 insertions(+), 6 deletions(-) rename nodes/{ns-digitalocean.toml => ns-ghirahim.toml} (88%) rename nodes/{ns-ionos.toml => ns-mephisto.toml} (88%) diff --git a/data/powerdns/files/bind-zones/kunbox.net b/data/powerdns/files/bind-zones/kunbox.net index 1048a75..ae07e90 100644 --- a/data/powerdns/files/bind-zones/kunbox.net +++ b/data/powerdns/files/bind-zones/kunbox.net @@ -27,12 +27,17 @@ _acme-challenge.home IN CNAME _acme-challenge.home.kunbox.net.le.kunbox.net. ; Mail servers mta-sts IN CNAME rx300 -; Nameservers -ns-primary IN CNAME ns-ionos +; legacy Nameservers ns-1 IN A 34.89.208.78 ns-2 IN A 35.187.109.249 ns-3 IN A 35.228.143.71 +; temp, while updating names +; XXX remove 2023-07-01 +ns-primary IN CNAME ns-mephisto +ns-ionos IN CNAME ns-mephisto +ns-digitalocean IN CNAME ns-ghirahim + % for record in sorted(metadata_records): ${record} % endfor diff --git a/nodes/home/router.py b/nodes/home/router.py index 68b7e16..29eb8c6 100644 --- a/nodes/home/router.py +++ b/nodes/home/router.py @@ -133,7 +133,7 @@ nodes['home.router'] = { 'interface': 'enp1s0.7', 'dyndns': { 'domain': 'franzi-home.kunbox.net', - 'url': 'https://ns-ionos.kunbox.net/nic/update?hostname=franzi-home.kunbox.net&myip={ip}', + 'url': 'https://ns-mephisto.kunbox.net/nic/update?hostname=franzi-home.kunbox.net&myip={ip}', 'username': vault.decrypt('encrypt$gAAAAABfr8DLAJhmUIhdxLq83I8MnRRvkRgDZcO8Brvw1KpvplC3K8ZGj0jIIWD3Us33vIP6t0ybd_mgD8slpRUk78Kqd3BMoQ=='), 'password': vault.decrypt('encrypt$gAAAAABfr8Cq5M1hweeJTQAl0dLhFntdlw-QnkIYUQpY-_ycODVWOpyeAwjwOgWLSdsdXIUvqcoiXPZPV-BE12p5C42NGnj9r7sKYpoGz8xfuGIk6haMa2g='), }, 
diff --git a/nodes/ns-digitalocean.toml b/nodes/ns-ghirahim.toml similarity index 88% rename from nodes/ns-digitalocean.toml rename to nodes/ns-ghirahim.toml index ae87f1d..aa88109 100644 --- a/nodes/ns-digitalocean.toml +++ b/nodes/ns-ghirahim.toml @@ -13,7 +13,7 @@ gateway4 = "46.101.80.1" gateway6 = "2a03:b0c0:1:d0::1" [metadata.icinga_options] -pretty_name = "ns-digitalocean.kunbox.net" +pretty_name = "ns-ghirahim.kunbox.net" [metadata.postgresql] version = "15" diff --git a/nodes/ns-ionos.toml b/nodes/ns-mephisto.toml similarity index 88% rename from nodes/ns-ionos.toml rename to nodes/ns-mephisto.toml index 30e4a39..c707113 100644 --- a/nodes/ns-ionos.toml +++ b/nodes/ns-mephisto.toml @@ -18,10 +18,10 @@ gateway4 = "10.255.255.1" gateway6 = "fe80::250:56ff:fea8:628f" [metadata.icinga_options] -pretty_name = "ns-ionos.kunbox.net" +pretty_name = "ns-mephisto.kunbox.net" [metadata.nginx.vhosts.powerdnsadmin] -domain = "ns-ionos.kunbox.net" +domain = "ns-mephisto.kunbox.net" [metadata.postgresql] version = "15" From 768a445e849baa562483482feb2b8e079b13119a Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Tue, 16 May 2023 20:31:05 +0200 Subject: [PATCH 162/996] dns/kunbox.net: fix primary name server --- data/powerdns/files/bind-zones/kunbox.net | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/data/powerdns/files/bind-zones/kunbox.net b/data/powerdns/files/bind-zones/kunbox.net index ae07e90..500f336 100644 --- a/data/powerdns/files/bind-zones/kunbox.net +++ b/data/powerdns/files/bind-zones/kunbox.net @@ -1,5 +1,5 @@ $TTL 60 -@ IN SOA ns-ionos.kunbox.net. hostmaster.kunbox.net. ( +@ IN SOA ns-mephisto.kunbox.net. hostmaster.kunbox.net. ( ${SERIAL} 3600 600 From a44a3b30248919a7366499761bd1040fd603887c Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Fri, 19 May 2023 21:58:20 +0200 Subject: [PATCH 163/996] ns-ghirahim: set postfix relayhost --- nodes/ns-ghirahim.toml | 6 ++++++ 1 file changed, 6 insertions(+) 
diff --git a/nodes/ns-ghirahim.toml b/nodes/ns-ghirahim.toml index aa88109..28f61a8 100644 --- a/nodes/ns-ghirahim.toml +++ b/nodes/ns-ghirahim.toml @@ -15,6 +15,12 @@ gateway6 = "2a03:b0c0:1:d0::1" [metadata.icinga_options] pretty_name = "ns-ghirahim.kunbox.net" +[metadata.postfix] +# It's fine to do this without authentificating to the relayhost. +# These Systems are not supposed to send mail anywhere else +# than our own domains. +relayhost = "[rx300.kunbox.net]:2525" + [metadata.postgresql] version = "15" From 9b1cea1e1d89ce344261729df8ca7c67c0665c74 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Fri, 19 May 2023 22:01:40 +0200 Subject: [PATCH 164/996] update mautrix-whatsapp to 0.8.5 --- nodes/rx300.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/nodes/rx300.py b/nodes/rx300.py index 0b22de5..ed172dc 100644 --- a/nodes/rx300.py +++ b/nodes/rx300.py @@ -273,8 +273,8 @@ nodes['rx300'] = { }, }, 'mautrix-whatsapp': { - 'version': 'v0.8.4', - 'sha1': 'b26f10941ce144b6569fa499c676cede2cc52553', + 'version': 'v0.8.5', + 'sha1': 'e89c0c471e2be9b8b6ff2821b62c97cc100ff0ae', 'homeserver': { 'domain': 'franzi.business', 'url': 'https://matrix.franzi.business', From 604170f13353b8c7afc1925b478c77844e3b477a Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sat, 20 May 2023 07:44:23 +0200 Subject: [PATCH 165/996] Jenkinsfile: remove isort check, because it behaves differently between venv and non-venv mode --- Jenkinsfile | 9 --------- 1 file changed, 9 deletions(-) diff --git a/Jenkinsfile b/Jenkinsfile index f371f82..8b0af2d 100644 --- a/Jenkinsfile +++ b/Jenkinsfile @@ -25,15 +25,6 @@ pipeline { """ } } - stage('syntax checking using isort') { - steps { - sh """ - . venv/bin/activate - - isort --check . - """ - } - } stage('config and metadata determinism') { steps { sh """ From 92cca7f396abaadaaab9930bea51db8a12cf1d31 Mon Sep 17 00:00:00 2001 
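Review bot: `relayhost = "[rx300.kunbox.net]:2525"` hands mail to the relay without SMTP authentication, as the comment above it states; that is only safe if the listener on rx300:2525 restricts relaying (by client address or otherwise) to these nameserver hosts, and nothing in this hunk shows where that restriction lives. Pointing the comment at it, e.g. `# rx300's :2525 listener only relays for our own hosts, see <rx300 postfix config>`, lets a reader verify the assumption instead of taking it on trust. Whether the hop to rx300 is TLS-protected depends on the postfix bundle's defaults, which are not visible here and are worth confirming.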
From: Franziska Kunsmann Date: Sat, 20 May 2023 07:46:02 +0200 Subject: [PATCH 166/996] isort the repo --- .../files/telegraf-plugin-snmp-mikrotik | 1 - hooks/test_apply_dummy_mode.py | 1 + libs/ssh.py | 10 ++++------ scripts/passwords-for | 2 +- 4 files changed, 6 insertions(+), 8 deletions(-) diff --git a/bundles/telegraf-monitors-mikrotik/files/telegraf-plugin-snmp-mikrotik b/bundles/telegraf-monitors-mikrotik/files/telegraf-plugin-snmp-mikrotik index 322e9db..dbcefd8 100644 --- a/bundles/telegraf-monitors-mikrotik/files/telegraf-plugin-snmp-mikrotik +++ b/bundles/telegraf-monitors-mikrotik/files/telegraf-plugin-snmp-mikrotik @@ -3,7 +3,6 @@ from sys import argv from hnmp import SNMP - snmp = SNMP(argv[2], community=argv[3]) single_value_metrics_int_oids = { diff --git a/hooks/test_apply_dummy_mode.py b/hooks/test_apply_dummy_mode.py index cd8c78c..8ba58c1 100644 --- a/hooks/test_apply_dummy_mode.py +++ b/hooks/test_apply_dummy_mode.py @@ -2,6 +2,7 @@ from os import environ from bundlewrap.exceptions import SkipNode + def node_apply_start(repo, node, interactive=False, **kwargs): if environ.get('BW_VAULT_DUMMY_MODE') or environ.get('BW_PASS_DUMMY_MODE'): raise SkipNode('refusing apply because dummy mode is active') diff --git a/libs/ssh.py b/libs/ssh.py index 90fb674..89c643a 100644 --- a/libs/ssh.py +++ b/libs/ssh.py @@ -3,12 +3,10 @@ from functools import lru_cache from hashlib import sha3_224 from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PrivateKey -from cryptography.hazmat.primitives.serialization import ( - Encoding, - NoEncryption, - PrivateFormat, - PublicFormat, -) +from cryptography.hazmat.primitives.serialization import (Encoding, + NoEncryption, + PrivateFormat, + PublicFormat) from bundlewrap.utils import Fault diff --git a/scripts/passwords-for b/scripts/passwords-for index 10beb14..0b29e95 100755 --- a/scripts/passwords-for +++ b/scripts/passwords-for 
@@ -2,8 +2,8 @@ from os import environ from sys import argv -from bundlewrap.metagen import NodeMetadataProxy from bundlewrap.exceptions import FaultUnavailable +from bundlewrap.metagen import NodeMetadataProxy from bundlewrap.repo import Repository from bundlewrap.utils import Fault From 048fb83ee76fb9d8cb8b118f779b2d8acf0eb599 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sat, 20 May 2023 07:46:23 +0200 Subject: [PATCH 167/996] bundles/apt: support spreading unattended-upgrades in a group --- bundles/apt/metadata.py | 7 +++- bundles/icinga2/files/icinga2/downtimes.conf | 29 ++++---------- bundles/icinga2/items.py | 40 +++++++++++++++++++- groups/features.py | 5 +++ hooks/test_unattended_upgrades_spread.py | 24 ++++++++++++ 5 files changed, 81 insertions(+), 24 deletions(-) create mode 100644 hooks/test_unattended_upgrades_spread.py diff --git a/bundles/apt/metadata.py b/bundles/apt/metadata.py index 141d89a..df84473 100644 --- a/bundles/apt/metadata.py +++ b/bundles/apt/metadata.py @@ -24,13 +24,18 @@ def patchday(metadata): day = metadata.get('apt/unattended-upgrades/day') hour = metadata.get('apt/unattended-upgrades/hour') + spread = metadata.get('apt/unattended-upgrades/spread_in_group', None) + if spread is not None: + spread_nodes = sorted(repo.nodes_in_group(spread)) + day += spread_nodes.index(node) + return { 'cron': { 'jobs': { 'upgrade-and-reboot': '{minute} {hour} * * {day} root /usr/local/sbin/upgrade-and-reboot'.format( minute=node.magic_number % 30, hour=hour, - day=day, + day=day%7, ), }, }, diff --git a/bundles/icinga2/files/icinga2/downtimes.conf b/bundles/icinga2/files/icinga2/downtimes.conf index 0052816..6dffabd 100644 --- a/bundles/icinga2/files/icinga2/downtimes.conf +++ b/bundles/icinga2/files/icinga2/downtimes.conf 
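Review bot: `day += spread_nodes.index(node)` raises a bare ValueError when a node sets `apt/unattended-upgrades/spread_in_group` to a group it is not itself a member of, and the new hooks/test_unattended_upgrades_spread.py does not check membership either. A guard such as `if node not in spread_nodes: raise BundleError(f'{node.name} is not in group {spread}')` (BundleError would need importing; the file's imports are above the hunk) turns that into a readable error. The same lookup is repeated verbatim in bundles/icinga2/items.py in this commit, so both places need the guard; better, one helper in repo.libs that both call would keep the cron day and the Icinga downtime from drifting apart. The `patchday` reactor's signature is above the hunk.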
@@ -1,31 +1,18 @@ -% for monitored_node in sorted(repo.nodes): -<% - auto_updates_enabled = ( - monitored_node.has_any_bundle(['apt', 'c3voc-addons']) - or ( - monitored_node.has_bundle('pacman') - and monitored_node.metadata.get('pacman/unattended-upgrades/is_enabled', False) - ) - ) and not monitored_node.metadata.get('icinga_options/exclude_from_monitoring', False) -%>\ -% if auto_updates_enabled: -object ScheduledDowntime "unattended_upgrades" { - host_name = "${monitored_node.name}" +% for dt in downtimes: +object ScheduledDowntime "${dt['name']}" { + host_name = "${dt['host']}" - author = "unattended-upgrades" - comment = "Downtime for upgrade-and-reboot of node ${monitored_node.name}" + author = "${dt['name']}" + comment = "${dt['comment']}" fixed = true ranges = { -% if monitored_node.has_bundle('pacman'): - "${days[monitored_node.metadata.get('pacman/unattended-upgrades/day')]}" = "${monitored_node.metadata.get('pacman/unattended-upgrades/hour')}:${monitored_node.magic_number%30}-${monitored_node.metadata.get('pacman/unattended-upgrades/hour')}:${(monitored_node.magic_number%30)+30}" -% else: - "${days[monitored_node.metadata.get('apt/unattended-upgrades/day')]}" = "${monitored_node.metadata.get('apt/unattended-upgrades/hour')}:${monitored_node.magic_number%30}-${monitored_node.metadata.get('apt/unattended-upgrades/hour')}:${(monitored_node.magic_number%30)+30}" -% endif +% for d,t in dt['times'].items(): + "${d}" = "${t}" +% endfor } child_options = "DowntimeTriggeredChildren" } -% endif % endfor diff --git a/bundles/icinga2/items.py b/bundles/icinga2/items.py index ff763a2..5f850b0 100644 --- a/bundles/icinga2/items.py +++ b/bundles/icinga2/items.py @@ -346,7 +346,8 @@ svc_systemd = { # The actual hosts and services management starts here bundles = set() -for rnode in repo.nodes: +downtimes = [] +for rnode in sorted(repo.nodes): if rnode.metadata.get('icinga_options/exclude_from_monitoring', False): continue 
@@ -388,6 +389,41 @@ for rnode in repo.nodes: bundles |= set(rnode.metadata.get('icinga2_api', {}).keys()) + if rnode.has_any_bundle(['apt', 'c3voc-addons']): + day = rnode.metadata.get('apt/unattended-upgrades/day') + hour = rnode.metadata.get('apt/unattended-upgrades/hour') + minute = rnode.magic_number%30 + + spread = rnode.metadata.get('apt/unattended-upgrades/spread_in_group', None) + if spread is not None: + spread_nodes = sorted(repo.nodes_in_group(spread)) + day += spread_nodes.index(rnode) + + downtimes.append({ + 'name': 'unattended-upgrades', + 'host': rnode.name, + 'comment': f'Downtime for upgrade-and-reboot of node {rnode.name}', + 'times': { + DAYS_TO_STRING[day%7]: f'{hour}:{minute}-{hour}:{minute+30}', + }, + }) + elif ( + rnode.has_bundle('pacman') + and rnode.metadata.get('pacman/unattended-upgrades/is_enabled', False) + ): + day = rnode.metadata.get('pacman/unattended-upgrades/day') + hour = rnode.metadata.get('pacman/unattended-upgrades/hour') + minute = rnode.magic_number%30 + + downtimes.append({ + 'name': 'unattended-upgrades', + 'host': rnode.name, + 'comment': f'Downtime for upgrade-and-reboot of node {rnode.name}', + 'times': { + DAYS_TO_STRING[day%7]: f'{hour}:{minute}-{hour}:{minute+30}', + }, + }) + files['/etc/icinga2/conf.d/groups.conf'] = { 'source': 'icinga2/groups.conf', 'content_type': 'mako', @@ -408,7 +444,7 @@ files['/etc/icinga2/conf.d/downtimes.conf'] = { 'source': 'icinga2/downtimes.conf', 'content_type': 'mako', 'context': { - 'days': DAYS_TO_STRING, + 'downtimes': downtimes, }, 'owner': 'nagios', 'group': 'nagios', diff --git a/groups/features.py b/groups/features.py index fca9379..8e20009 100644 --- a/groups/features.py +++ b/groups/features.py @@ -11,6 +11,11 @@ groups['dns'] = { 'powerdns', }, 'metadata': { + 'apt': { + 'unattended-upgrades': { + 'spread_in_group': 'dns', + }, + }, 'powerdns': { # Overridden in node metadata for primary server 'is_secondary': True, 
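Review bot: The two `downtimes.append({...})` blocks in the apt and pacman branches are identical apart from how `day` and `hour` are derived; computing `day`, `hour` and `minute` in each branch (and `continue`-ing when neither applies) and appending once afterwards removes the duplicated dict literal and the risk of the two copies diverging. `DAYS_TO_STRING[day%7]` assumes `day` is an integer weekday; if the metadata default is not guaranteed to be an int, a check here would give a clearer error than a TypeError from the f-string. The surrounding `for rnode in sorted(repo.nodes)` loop starts above the hunk.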
diff --git a/hooks/test_unattended_upgrades_spread.py b/hooks/test_unattended_upgrades_spread.py new file mode 100644 index 0000000..dbf87ce --- /dev/null +++ b/hooks/test_unattended_upgrades_spread.py @@ -0,0 +1,24 @@ +from bundlewrap.exceptions import BundleError +from bundlewrap.utils.text import bold, green, yellow +from bundlewrap.utils.ui import io + + +def test(repo, **kwargs): + for node in repo.nodes: + if not node.has_bundle('apt'): + continue + + spread = node.metadata.get('apt/unattended-upgrades/spread_in_group', None) + if spread is None: + continue + + for rnode in repo.nodes_in_group(spread): + rspread = rnode.metadata.get('apt/unattended-upgrades/spread_in_group', None) + + if spread != rspread: + raise BundleError(f'{node.name} sets apt/unattended-upgrades/spread_in_group to "{spread}", but node {rnode.name} in that group does set "{rspread}"!') + + io.stdout('{x} {node} apt/unattended-upgrades/spread_in_group matches'.format( + x=green("✓"), + node=bold(node.name), + )) From 3aedd7395badbffd677eb2abb930d278d8ba613c Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sat, 20 May 2023 10:53:15 +0200 Subject: [PATCH 168/996] update htz-cloud.luther to debian bullseye --- nodes/htz-cloud/luther.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nodes/htz-cloud/luther.py b/nodes/htz-cloud/luther.py index 6e30f57..1558bd9 100644 --- a/nodes/htz-cloud/luther.py +++ b/nodes/htz-cloud/luther.py @@ -5,7 +5,7 @@ nodes['htz-cloud.luther'] = { 'zfs', }, 'groups': { - 'debian-buster', + 'debian-bullseye', 'webserver', }, 'metadata': { From c07b428cc9a8c99ec57199d2185496d34b81e62d Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sat, 20 May 2023 11:08:16 +0200 Subject: [PATCH 169/996] add automatix script to upgrade systems to debian bullseye --- README.md | 4 +++ automatix/upgrade_debian_bullseye.yaml | 48 ++++++++++++++++++++++++++ 2 files changed, 52 insertions(+) create mode 100644 automatix/upgrade_debian_bullseye.yaml 
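Review bot: The hook only visits nodes with `node.has_bundle('apt')`, but bundles/icinga2/items.py in the same commit applies the spread logic to `rnode.has_any_bundle(['apt', 'c3voc-addons'])`, so c3voc-addons nodes with `spread_in_group` set escape the consistency check; `if not node.has_any_bundle(['apt', 'c3voc-addons']): continue` keeps the two in step. It also never verifies that the node is a member of the group it names, which is what `sorted(repo.nodes_in_group(spread)).index(node)` in bundles/apt/metadata.py requires; `if node not in repo.nodes_in_group(spread): raise BundleError(f'{node.name} is not in group {spread}')` before the inner loop would catch that misconfiguration in `bw test` rather than at metadata time.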
diff --git a/README.md b/README.md index c102b84..9de80d5 100644 --- a/README.md +++ b/README.md @@ -7,3 +7,7 @@ onto shared webhosting. `bw test` runs according to Jenkinsfile after every commit. [![Build Status](https://jenkins.franzi.business/buildStatus/icon?job=kunsi%2Fbundlewrap%2Fmain)](https://jenkins.franzi.business/job/kunsi/job/bundlewrap/job/main/) + +## automatix + +Ensure you set `bundlewrap: true` in your `~/.automatix.cfg.yaml`. diff --git a/automatix/upgrade_debian_bullseye.yaml b/automatix/upgrade_debian_bullseye.yaml new file mode 100644 index 0000000..042752e --- /dev/null +++ b/automatix/upgrade_debian_bullseye.yaml @@ -0,0 +1,48 @@ +name: Upgrade to debian bullseye +systems: + node: foonode + +always: + - has_zfs=python: NODES.node.has_bundle('zfs') + +pipeline: + - manual: "set icinga2 downtime: https://icinga.kunsmann.eu/monitoring/host/schedule-downtime?host={SYSTEMS.node}" + + # apply first so we only see the upgrade changes later + - local: bw apply {SYSTEMS.node} + - manual: update debian version in node groups + - local: "bw apply -o bundle:apt -s symlink:/usr/bin/python pkg_apt: -- {SYSTEMS.node}" + + # double time! + - remote@node: DEBIAN_FRONTEND=noninteractive apt-get -y -q -o Dpkg::Options::=--force-confold dist-upgrade + - remote@node: DEBIAN_FRONTEND=noninteractive apt-get -y -q -o Dpkg::Options::=--force-confold dist-upgrade + + # export zpool so we can import it later + - has_zfs?remote@node: zpool export tank + + # reboot into bullseye + - remote@node: systemctl reboot + - local: | + exit=1 + while [[ $exit -ne 0 ]]; + do + sleep 1 + ssh {SYSTEMS.node} true + exit=$? + done + + # fix zfs and reboot again + - has_zfs?remote@node: zpool import tank + - has_zfs?remote@node: zpool upgrade -a + - has_zfs?remote@node: systemctl reboot + - has_zfs?local: | + exit=1 + while [[ $exit -ne 0 ]]; + do + sleep 1 + ssh {SYSTEMS.node} true + exit=$? + done + + # final apply + - local: bw apply {SYSTEMS.node} 
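Review bot: The two `local` wait loops (`while [[ $exit -ne 0 ]]`) retry `ssh {SYSTEMS.node} true` forever, so a node that does not come back from `systemctl reboot` hangs the run without any signal that something went wrong. A bounded loop that also disables interactive prompts gives a clear failure instead: `- local: for i in $(seq 1 600); do ssh -o BatchMode=yes -o ConnectTimeout=5 {SYSTEMS.node} true && exit 0; sleep 1; done; exit 1`. The same applies to the `has_zfs?local` loop further down.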
From cff42ef0f7f278d19ae10ca560b74656457a16b9 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sat, 20 May 2023 11:13:48 +0200 Subject: [PATCH 170/996] update home.downloadhelper to debian bullseye --- bundles/transmission/metadata.py | 1 - nodes/home/downloadhelper.py | 2 +- 2 files changed, 1 insertion(+), 2 deletions(-) diff --git a/bundles/transmission/metadata.py b/bundles/transmission/metadata.py index 5f5c682..60643b4 100644 --- a/bundles/transmission/metadata.py +++ b/bundles/transmission/metadata.py @@ -4,7 +4,6 @@ defaults = { 'apt': { 'packages': { 'transmission-daemon': {}, - 'transmission-remote-cli': {}, }, }, 'icinga2_api': { diff --git a/nodes/home/downloadhelper.py b/nodes/home/downloadhelper.py index d09d558..7626fb9 100644 --- a/nodes/home/downloadhelper.py +++ b/nodes/home/downloadhelper.py @@ -5,7 +5,7 @@ nodes['home.downloadhelper'] = { 'transmission', }, 'groups': { - 'debian-buster', + 'debian-bullseye', }, 'metadata': { 'interfaces': { From 32e6e61a3b3063724ff4a5a51838efb0454f343c Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sat, 20 May 2023 11:25:26 +0200 Subject: [PATCH 171/996] bundles/systemd: fix dependencies --- bundles/systemd/metadata.py | 1 + 1 file changed, 1 insertion(+) diff --git a/bundles/systemd/metadata.py b/bundles/systemd/metadata.py index f8a8ba4..848a8b9 100644 --- a/bundles/systemd/metadata.py +++ b/bundles/systemd/metadata.py @@ -31,5 +31,6 @@ if node.has_bundle('apt') and node.os_version[0] > 10: }, 'needed_by': { 'action:systemd-enable-ntp', + 'svc_systemd:systemd-timesyncd', }, } From 2d433264e79ae0f134a65cf75e8e1d76a4b26b60 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sat, 20 May 2023 11:25:43 +0200 Subject: [PATCH 172/996] htz-cloud.influxdb: update to debian bullseye --- nodes/htz-cloud/influxdb.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nodes/htz-cloud/influxdb.py b/nodes/htz-cloud/influxdb.py index 8a8d884..7e780e5 100644 --- a/nodes/htz-cloud/influxdb.py 
+++ b/nodes/htz-cloud/influxdb.py @@ -7,7 +7,7 @@ nodes['htz-cloud.influxdb'] = { 'zfs', }, 'groups': { - 'debian-buster', + 'debian-bullseye', 'webserver', }, 'metadata': { From b955633a23a800acaca012581ab7cc216386ae1f Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sat, 20 May 2023 11:47:39 +0200 Subject: [PATCH 173/996] automatix/upgrade_debian_bullseye: do zfs another way --- automatix/upgrade_debian_bullseye.yaml | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/automatix/upgrade_debian_bullseye.yaml b/automatix/upgrade_debian_bullseye.yaml index 042752e..6531f1c 100644 --- a/automatix/upgrade_debian_bullseye.yaml +++ b/automatix/upgrade_debian_bullseye.yaml @@ -17,9 +17,6 @@ pipeline: - remote@node: DEBIAN_FRONTEND=noninteractive apt-get -y -q -o Dpkg::Options::=--force-confold dist-upgrade - remote@node: DEBIAN_FRONTEND=noninteractive apt-get -y -q -o Dpkg::Options::=--force-confold dist-upgrade - # export zpool so we can import it later - - has_zfs?remote@node: zpool export tank - # reboot into bullseye - remote@node: systemctl reboot - local: | @@ -32,7 +29,7 @@ pipeline: done # fix zfs and reboot again - - has_zfs?remote@node: zpool import tank + - has_zfs?remote@node: zpool import tank -f - has_zfs?remote@node: zpool upgrade -a - has_zfs?remote@node: systemctl reboot - has_zfs?local: | From 0db4c19457f7381cab702877739fbbd8cc624ae6 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sat, 20 May 2023 12:19:46 +0200 Subject: [PATCH 174/996] htz-cloud.sewfile: update to debian bullseye --- bundles/seafile/items.py | 34 +++++++++++++++++++++++++++++++++- bundles/seafile/metadata.py | 1 + nodes/htz-cloud/sewfile.py | 2 +- 3 files changed, 35 insertions(+), 2 deletions(-) diff --git a/bundles/seafile/items.py b/bundles/seafile/items.py index 24c6c72..5517e3f 100644 --- a/bundles/seafile/items.py +++ b/bundles/seafile/items.py 
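Review bot: `zpool import tank -f` forces the import unconditionally, and the only reason it is needed is that the `zpool export` step was removed, so after the reboot the pool is presumably still flagged as in use by this same host; the flag also disables the one safeguard against importing a pool that is genuinely active on another machine. For locally attached disks that is likely acceptable, but the reason belongs next to the line: `# -f: the pool is not exported before the reboot, so it is still marked in use by this host`. If the export was dropped because it failed on a busy pool, recording that as well keeps the next reader from reintroducing it.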
@@ -32,10 +32,42 @@ files = { } svc_systemd = { - 'seafile': {}, + 'seafile': { + 'needs': { + 'pkg_pip:', + }, + }, 'seahub': { 'needs': { 'svc_systemd:seafile', + 'pkg_pip:', }, }, } + +for pkg in ( + 'django==3.2.19', + 'future==0.18.3', + 'mysqlclient==2.1.1', + 'pymysql', + 'pillow==9.3.0', + 'pylibmc', + 'captcha==0.4', + 'markupsafe==2.0.1', + 'jinja2', + 'sqlalchemy==1.4.3', + 'psd-tools', + 'django-pylibmc', + 'django_simple_captcha==0.5.17', + 'djangosaml2==1.5.7', + 'pysaml2==7.2.1', + 'pycryptodome==3.16.0', + 'cffi==1.15.1', + 'lxml', +): + if '==' in pkg: + pkg, version = pkg.split('==', 1) + else: + version = None + + pkg_pip[pkg.replace('_', '-')] = {'version': version} diff --git a/bundles/seafile/metadata.py b/bundles/seafile/metadata.py index 66a586d..128380f 100644 --- a/bundles/seafile/metadata.py +++ b/bundles/seafile/metadata.py @@ -5,6 +5,7 @@ defaults = { 'python3': {}, 'python3-setuptools': {}, 'python3-pip': {}, + 'default-libmysqlclient-dev': {}, }, }, 'backups': { diff --git a/nodes/htz-cloud/sewfile.py b/nodes/htz-cloud/sewfile.py index 95cdcf3..d8585ec 100644 --- a/nodes/htz-cloud/sewfile.py +++ b/nodes/htz-cloud/sewfile.py @@ -7,7 +7,7 @@ nodes['htz-cloud.sewfile'] = { 'zfs', }, 'groups': { - 'debian-buster', + 'debian-bullseye', 'webserver', }, 'metadata': { From b1567443ca62624c47099aafc9c3203c012f08cd Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sat, 20 May 2023 12:38:27 +0200 Subject: [PATCH 175/996] bundles/zfs: support other cpu architectures --- bundles/zfs/metadata.py | 23 ++++++++++++++++++----- 1 file changed, 18 insertions(+), 5 deletions(-) diff --git a/bundles/zfs/metadata.py b/bundles/zfs/metadata.py index 624e2a6..a270d5f 100644 --- a/bundles/zfs/metadata.py +++ b/bundles/zfs/metadata.py @@ -3,11 +3,6 @@ defaults = { 'apt': { 'packages': { - 'linux-headers-amd64': { - 'needed_by': { - 'pkg_apt:zfs-dkms', - }, - }, 'zfs-dkms': { 'needed_by': { 'pkg_apt:zfs-zed', 
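Review bot: Only part of the new `pkg_pip` list is pinned; `pymysql`, `pylibmc`, `jinja2`, `psd-tools`, `django-pylibmc` and `lxml` resolve to whatever PyPI serves at apply time, so two applies of the same commit can install different code and the pinned `django==3.2.19` can still be paired with an incompatible floating dependency. Pin each entry to the version currently deployed, or add a comment stating why those six are allowed to float. Reassigning the loop variable in `pkg, version = pkg.split('==', 1)` makes `pkg` mean two things in the same body; `name, _, version = pkg.partition('==')` followed by `pkg_pip[name.replace('_', '-')] = {'version': version or None}` gives the same result without the `else` branch.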
@@ -147,6 +142,24 @@ def packages(metadata): }, } +@metadata_reactor.provides( + 'apt/packages', +) +def linux_headers(metadata): + cpu_arch = metadata.get('cpu_arch', 'amd64') + + return { + 'apt': { + 'packages': { + f'linux-headers-{cpu_arch}': { + 'needed_by': { + 'pkg_apt:zfs-dkms', + }, + }, + }, + }, + } + @metadata_reactor.provides( 'systemd-timers/timers/zfs-scrub', From 3a5c944926761c7ac16335a0b6e4cc038cd2f374 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sat, 20 May 2023 14:07:25 +0200 Subject: [PATCH 176/996] scripts/passwords-for: ensure keys are strings --- scripts/passwords-for | 2 ++ 1 file changed, 2 insertions(+) diff --git a/scripts/passwords-for b/scripts/passwords-for index 0b29e95..136ba99 100755 --- a/scripts/passwords-for +++ b/scripts/passwords-for @@ -12,6 +12,8 @@ repo = Repository(path) def print_faults(dictionary, keypath=[]): for key, value in sorted(dictionary.items()): + key = str(key) + if isinstance(value, Fault): try: resolved_fault = value.value From 1708f6ae171dfd1cf353e3457a9ba34a5cbe0980 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sat, 20 May 2023 14:23:52 +0200 Subject: [PATCH 177/996] bundles/matrix-synapse: include signing key in backups --- bundles/matrix-synapse/items.py | 3 --- bundles/matrix-synapse/metadata.py | 1 + 2 files changed, 1 insertion(+), 3 deletions(-) diff --git a/bundles/matrix-synapse/items.py b/bundles/matrix-synapse/items.py index 224d7b8..172a940 100644 --- a/bundles/matrix-synapse/items.py +++ b/bundles/matrix-synapse/items.py @@ -24,9 +24,6 @@ files = { 'svc_systemd:matrix-synapse:restart', }, }, - '/etc/matrix-synapse/homeserver.signing.key': { - 'content': repo.vault.decrypt_file('matrix-synapse/{}/homeserver_signing.key.vault'.format(node.name)), - }, '/etc/matrix-synapse/conf.d/server_name.yaml': { # We don't actually need this file. However, if we don't put the # server name in there, synapse will somehow remove it from 
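Review bot: `key = str(key)` runs after `sorted(dictionary.items())` has already compared the raw keys, so a dictionary that mixes `int` and `str` keys still raises `TypeError` inside `sorted()` before the new line is reached; convert in the sort key instead, `for key, value in sorted(dictionary.items(), key=lambda kv: str(kv[0])):`, and keep the added `key = str(key)` for the value that is used afterwards. The enclosing `print_faults` continues past the hunk, and its `keypath=[]` default in the context line is a shared mutable argument — not part of this change, but worth a look while here.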
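Review bot: Removing the managed `/etc/matrix-synapse/homeserver.signing.key` item means a rebuilt node no longer receives the signing key from the vault, so on a fresh install synapse (or its packaging) will presumably generate a new one; a server key that differs from what other homeservers have cached can invalidate signatures on previously sent events unless the old key is published as retired — confirm against synapse's old-key handling before relying on this. The backup added in this commit's metadata hunk therefore becomes the only copy of the key, which deserves a note at this spot in items.py: `# homeserver.signing.key is no longer deployed from the vault; restore it from backups before first start on a rebuilt node`. `files = {` starts outside the hunk.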
diff --git a/bundles/matrix-synapse/metadata.py b/bundles/matrix-synapse/metadata.py index 3100368..46f64ca 100644 --- a/bundles/matrix-synapse/metadata.py +++ b/bundles/matrix-synapse/metadata.py @@ -15,6 +15,7 @@ defaults = { }, 'backups': { 'paths': { + '/etc/matrix-synapse', # to backup the signing key '/var/lib/matrix-synapse', }, }, From 6a573b3231e369ae84f2a014b56de08233dbe295 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sat, 20 May 2023 15:00:07 +0200 Subject: [PATCH 178/996] README: add system naming --- README.md | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/README.md b/README.md index 9de80d5..6663cd4 100644 --- a/README.md +++ b/README.md @@ -11,3 +11,12 @@ onto shared webhosting. ## automatix Ensure you set `bundlewrap: true` in your `~/.automatix.cfg.yaml`. + +## system naming + +All systems should be named after their location and use. + +For example, influxdb hosted at hetzner cloud will be `htz-cloud.influxdb`. + +The only exception to this are name servers, they are named after [demons +in fiction](https://en.wikipedia.org/wiki/List_of_demons_in_fiction). From c44badb1e197d48cf3c9de04f61574704e3ab7cb Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sat, 20 May 2023 15:07:24 +0200 Subject: [PATCH 179/996] update matrix.org gpg key --- data/apt/files/gpg-keys/matrix.asc | 99 +++++++++++++++++------------- 1 file changed, 56 insertions(+), 43 deletions(-) diff --git a/data/apt/files/gpg-keys/matrix.asc b/data/apt/files/gpg-keys/matrix.asc index 4e8d81b..78f4114 100644 --- a/data/apt/files/gpg-keys/matrix.asc +++ b/data/apt/files/gpg-keys/matrix.asc 
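Review bot: Backing up all of `/etc/matrix-synapse` captures more than the signing key: the same directory holds the rendered configuration (the `conf.d/` entries visible in this commit and, presumably, `homeserver.yaml`) with whatever credentials and shared secrets are templated into it, so the backup target and transport now hold live secrets rather than just configuration. If the backup tooling accepts file paths, narrowing the entry to `/etc/matrix-synapse/homeserver.signing.key` limits that exposure; otherwise extend the comment so the scope is explicit: `# to backup the signing key (also captures the rendered config and its secrets)`.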
@@ -12,47 +12,60 @@ s0UuBxwDV/x4AiFTbvYEncYwlXME4scNoeQkESj6bT/EAK50WduMyG7XHULeAD86 i4cSG9mbhDLGaOB084gRb+Jhk6mNUbXiy7TwsNmDaanrP4CO1g8vIRwSCl0l6ayz uFGv3BRVuC+6yN1gvh82DgQm6iWeWdHxkIkNdO3lP5JDZy2Y3LpahsWTfwARAQAB tCltYXRyaXgub3JnIHBhY2thZ2VzIDxwYWNrYWdlc0BtYXRyaXgub3JnPokCVAQT -AQoAPhYhBKr5roQ6dYS1o+TNK89FpRLeLaBYBQJctRAtAhsDBQkJZgGABQsJCAcC -BhUKCQgLAgQWAgMBAh4BAheAAAoJEM9FpRLeLaBYWwAP/3dNMHj+hu6Nn583H5Wu -UuTGKbxb7LlWpGtYVd5qt0to/fkYEms3koYJ5X+K71bv8weto+TKyhXM1yoaVHT+ -yvAhQGA8X/jpXUgQpmF48cw1vKFf4guw+hXMhr9Tuiald+7qEi6neLxXt6kh+k7c -+MeZAJ1jsKbPeehGrzJJCjSrQHeYiK9+krw5jfpwCpL3Aqo6wrizWlzBScHmxckP -XPXVc6xsKtQ/EsD8dM7c5LuJA1Na21HzGfFoMUODEg6bjp7rvs4GrY4MGx7jJG6E -xYYArVh4rzy82GJaV6SOKHLqoTMyVdSw3gwL4LoKdfUiv92vszY7un3466eruLcv -fHEA6jRYl7Da8Csb9odFWFrua1Jo9TrT9dZZUFxkSNDSwSHYT8qjCDoPemi9/5T1 -7EY8htVjEv+pE7l33SP1GURvQhWvg8rdJLHILVTzwOz33y30OGOGqWV9P1wqcfbf -ZLcwZIX8HQCBmxPf4+i8augXnBEzVIfUBHh4SJ+md9UNK5Sx1rYRvb/Epd1GenQr -On5NJlNkthyUBCvKDfrFquW5UDTW6TOyhXcmycWcL2lSFueS1psBtiJNeBWnhxc0 -c8OHGV5x3CqigVya5kFL4/47Ay7ldiGXQzLl1RxCBxCaw+0sDbKQlJx2b3/f45V9 -ukVK4rmFVlUeO1ULo/dpOo1ZuQGNBFy1EV4BDADIlwWsfB4tQIErRVHabD1NU6uB -XHNoXG3z1ackyByCLSZzD5r4HbAcdgeAjYPZdBnxrtAhXjc4J5Z2ITZkq4riFfYV -UsuastrrFXKO8XwA7f8IPhoKVDRbJiRj0S4hEnwwT8yH/bOwJrJEW97OuMeKQ4kW -0fzjg/ifNV4C0gYzo7suOLE4lcOGg+czmyOXrVMMluBqsHihdNgEU84Ht/3pPFJ7 -ofbgagJHycbi/QZdItEAkRWlXPl2k7iOh7nNMNDMGfnAh+SOEqmu/1d/08/N/w9t -FUV32+oHTkATADF5OnnnCuAgLG3WNBIKOyA1Ov+e0SmFk1So1hU+mE6349v0rp3R -LpV2QRDrIAcn6wUHLsEqyQBArvWP+cg5JuPALYR3ZBEgah52tSgnOGnvVWyPPHNo -0bhAFZ9YGToDuE3qPV+ud8qNe4nT7qsZo4NdfFd3JgBHV6CaVwdRMtkut8Xjjmt9 -DiVaHS1hgi+METEMFXdhyXMSwFLH6DDF6Uny9LsAEQEAAYkD8gQYAQoAJgIbAhYh -BKr5roQ6dYS1o+TNK89FpRLeLaBYBQJgd9nFBQkHhS9nAcDA9CAEGQEKAB0WIQRV -hszAy7vvx6JYEa30c91EczZd4QUCXLURXgAKCRD0c91EczZd4U5qC/wLYGzvpT+M -I7SNg1of/1ekeRXzvXc8m8JC/cHAhrBzUaI8z9LJ7xna2DGt27eqeTtu/Shtknn+ -/8VaX9+7wm7UaGHWVmPFkSt1Rs1x5Opxo6kabLc4HxGSc5buNx+awybFEt9VQdSU -D3hiBgTQpu0CSMlcZIk6C6xQHgmurSDj9AQ0xtLPqP1ZO/cOKk0A1tFjVGDdH9gE 
-uVJPAFF86z39hiGNnYJcikyVXogjwQPs5Od+3PdGQ19heZp8n+2rVkhl+9yZaCHk -+LAxwuQJpe5skvj1NrjD3bSJ47Hu7POSftJXcSmLct2GW7jTMZaCEpKccNfSApvF -RRb3hyRWTRtLQhhaMw3zSwekA8VjKSinTyOxnRPa3rc7/rOqb5b8ZUAIzpTLd7al -7+E0fmOfie93KYh+BV6FuL0KJ0RNHm7zrgaVZbjDoqNIgkHK73+3a9NnSefsgbmC -VxOxNM3lY7Jun1E/f/KE6dTY7VGPP6aTtQrcq49Zj1MwPc0SG7VlZkwJEM9FpRLe -LaBYVA4QALCPlSk7P4e8BySAex3BEoDEhTTZtl89/bqRJpcK8Pvi04Qnqa1fcqYF -gM9LB4OzGst54ipixIQbMuKxdMT3aaqAsAUQvhtrNC5763SjxCWE/J4wDo5ICj8s -WJDMJeyJ7HgBhaTLVSRGE3ADamXI/NxIRxZ3czuS1NIojNcLlVptOzBnYl7dVH7O -cRsp7Qj6L4mNYMLMl70xXXEaI3WHK3OjQ+Qn7x5gv5NhdP/tVjMT0a5p24yw9KwM -FkDn9LYTzu7IskkPlAFl5kirfOHJGie+NuhK/XW3stoIVc3D3qHZhkRx+/y/wfVW -MavMZTMTs2pXtoFA3yIwm8bIwcMPZWU6KoQTQBxGc3vTj4LKlib0f28xYSX+YMsB -X3JZipPUdzR6ApvJA/9Da/u8LQ6K8ji2bvU1vnRKu8/ot4eABX+1+DY8oAlQWPLJ -6G+PpsHCDtOJf76x+JcFHzIBlLyihCjhZbDkcJj59Jm+7TsKHOaQ1ySEkKnUpog8 -R2Xi6A7nF11n2OlW3T5e7K0qpHoUwvecXA854yQocW6GK9N/HPSbC/qDi/lLKZ5J -jsA55fwysSXtnIqaHyvMN2wVCRQFGx3u4NcI2lwR+cqmJlwS93ZYnK33sGPDYQ6D -UiCsvX1EBMQT1Q6GxDcTXBHfW+M4JciUofUpTXO9exBzHHyJd8cN -=FEYi +AQoAPgIbAwULCQgHAgYVCgkICwIEFgIDAQIeAQIXgBYhBKr5roQ6dYS1o+TNK89F +pRLeLaBYBQJkE1uZBQkaKk5sAAoJEM9FpRLeLaBYpZsQAJp+ZbE1J/AWaUCrmsMp +8pS3TOrTyAqZFw48Ew1UHFBbadjX2T6C97dJz+nDjF/0NpKOsOJokbzq1QA3j3wu +sgZsqub4XGKolTr4DzRg2whYflWygeYmbOz+fQNBGDksT+C37ezu7SmkWykQHUQp +CqmYVUpFTc9ZwIISB0KR/N+V07sc0gJ/6CcokBSE0rHlAolMtV6c7Iy+EauUuvlm +wmRDyN+8TZAtnteO2LBrr4+6/Sl2I1z2Fb9AvY4JMaqrmxYJv+1FTrUc6ilXmuWr +S7eaNUm+lvZQQdInnjWO9UnulBd88HP2j8ltGr5ySOHdpC19mps0V9upG8CsdiHm +UAftNKjleCnhR2vOhHqjapZLBLBW5FYZerSRYRaqKVQ/GHzYa1OAjWf0s/1Mc3cx +MT/11OWdhbRn5zxpg28KRhKcfTKOfeiObbDq5idDbAyhbzvKxyxTX6204q8fmUhh +mq5EiRcBeKF5hQv9eyOyBcBsDnMJsV2+zEP8hVZleOncx8pn1uNNd1nWPX10/R5j +BfgnlUSNNJWZ+YnPH1f71kduhn2iee58jbA1CXnVbFjPMI4c4p2yZsfBm74LziC1 +PVrFtSd7WijWyP2rC3JoL7KQPvqyXJ53Yn4jGQx6brXFPY53lXicLoYTTByg7WK5 +nMfe+URZO54gAkGN7JLo+BhXiQJUBBMBCgA+FiEEqvmuhDp1hLWj5M0rz0WlEt4t +oFgFAly1EC0CGwMFCQlmAYAFCwkIBwIGFQoJCAsCBBYCAwECHgECF4AACgkQz0Wl 
+Et4toFhbAA//d00weP6G7o2fnzcfla5S5MYpvFvsuVaka1hV3mq3S2j9+RgSazeS +hgnlf4rvVu/zB62j5MrKFczXKhpUdP7K8CFAYDxf+OldSBCmYXjxzDW8oV/iC7D6 +FcyGv1O6JqV37uoSLqd4vFe3qSH6Ttz4x5kAnWOwps956EavMkkKNKtAd5iIr36S +vDmN+nAKkvcCqjrCuLNaXMFJwebFyQ9c9dVzrGwq1D8SwPx0ztzku4kDU1rbUfMZ +8WgxQ4MSDpuOnuu+zgatjgwbHuMkboTFhgCtWHivPLzYYlpXpI4ocuqhMzJV1LDe +DAvgugp19SK/3a+zNju6ffjrp6u4ty98cQDqNFiXsNrwKxv2h0VYWu5rUmj1OtP1 +1llQXGRI0NLBIdhPyqMIOg96aL3/lPXsRjyG1WMS/6kTuXfdI/UZRG9CFa+Dyt0k +scgtVPPA7PffLfQ4Y4apZX0/XCpx9t9ktzBkhfwdAIGbE9/j6Lxq6BecETNUh9QE +eHhIn6Z31Q0rlLHWthG9v8Sl3UZ6dCs6fk0mU2S2HJQEK8oN+sWq5blQNNbpM7KF +dybJxZwvaVIW55LWmwG2Ik14FaeHFzRzw4cZXnHcKqKBXJrmQUvj/jsDLuV2IZdD +MuXVHEIHEJrD7SwNspCUnHZvf9/jlX26RUriuYVWVR47VQuj92k6jVm5AY0EXLUR +XgEMAMiXBax8Hi1AgStFUdpsPU1Tq4Fcc2hcbfPVpyTIHIItJnMPmvgdsBx2B4CN +g9l0GfGu0CFeNzgnlnYhNmSriuIV9hVSy5qy2usVco7xfADt/wg+GgpUNFsmJGPR +LiESfDBPzIf9s7AmskRb3s64x4pDiRbR/OOD+J81XgLSBjOjuy44sTiVw4aD5zOb +I5etUwyW4GqweKF02ARTzge3/ek8Unuh9uBqAkfJxuL9Bl0i0QCRFaVc+XaTuI6H +uc0w0MwZ+cCH5I4Sqa7/V3/Tz83/D20VRXfb6gdOQBMAMXk6eecK4CAsbdY0Ego7 +IDU6/57RKYWTVKjWFT6YTrfj2/SundEulXZBEOsgByfrBQcuwSrJAECu9Y/5yDkm +48AthHdkESBqHna1KCc4ae9VbI88c2jRuEAVn1gZOgO4Teo9X653yo17idPuqxmj +g118V3cmAEdXoJpXB1Ey2S63xeOOa30OJVodLWGCL4wRMQwVd2HJcxLAUsfoMMXp +SfL0uwARAQABiQPyBBgBCgAmAhsCFiEEqvmuhDp1hLWj5M0rz0WlEt4toFgFAmQT +W7cFCQsgsVkBwAkQz0WlEt4toFjA9CAEGQEKAB0WIQRVhszAy7vvx6JYEa30c91E +czZd4QUCXLURXgAKCRD0c91EczZd4U5qC/wLYGzvpT+MI7SNg1of/1ekeRXzvXc8 +m8JC/cHAhrBzUaI8z9LJ7xna2DGt27eqeTtu/Shtknn+/8VaX9+7wm7UaGHWVmPF +kSt1Rs1x5Opxo6kabLc4HxGSc5buNx+awybFEt9VQdSUD3hiBgTQpu0CSMlcZIk6 +C6xQHgmurSDj9AQ0xtLPqP1ZO/cOKk0A1tFjVGDdH9gEuVJPAFF86z39hiGNnYJc +ikyVXogjwQPs5Od+3PdGQ19heZp8n+2rVkhl+9yZaCHk+LAxwuQJpe5skvj1NrjD +3bSJ47Hu7POSftJXcSmLct2GW7jTMZaCEpKccNfSApvFRRb3hyRWTRtLQhhaMw3z +SwekA8VjKSinTyOxnRPa3rc7/rOqb5b8ZUAIzpTLd7al7+E0fmOfie93KYh+BV6F +uL0KJ0RNHm7zrgaVZbjDoqNIgkHK73+3a9NnSefsgbmCVxOxNM3lY7Jun1E/f/KE +6dTY7VGPP6aTtQrcq49Zj1MwPc0SG7VlZkzIOQ/+NSYFQ3/+49nw+qogt2r/Rj8e 
+AQEwD2ZbqCE30lMuqpmr4QTADccPtJmRIZ4zJMOOCggfnefYE4xvCBk5dSVtwFxu +GIGbYf29hI1VDuM2ak+kS+T8UC438FFVLUGQ19AYHpu5jLY3IAgqi4229G9R7mZa +1CVYBl4J6y/yKQ7OrmTltb1sYvSKXNl+dMrXrmRrMEdMViwtaQ8ZbA7CCNLVm3Cm ++SqbwSn1FQWptiEeZzDaOLWdJTBRLEFjLH77zrhOjJalhp0Mf1oMp04BSFKSXe5f +ZF8Pw70bJQXpl3cnzh/StasaRx7z0y63jsQA65RG7KCCZC5Idb8b0bRnjgw6tDNR +z/1BD+e6aJ9YUpTUZ+3GV1x3St+cPJAVdLq0nBpg2MvIm5weEQmNvDopH33f03M1 +isQRehf6vbTohMX5Z3BHdLoTwG3eRgVKgdcTLpkt4coRQL8W3DN81O6zBNby9XRA +851jGlc9Xkj6QLqf7966MfyR6s23JLEp2pg9Fa2o1NH4X4U3AFRAefQaBJIalWJj +8G++sWlmjPLUouhsxdX0L99FxYhC06RI2TQvlw6cbIPLOCv1h5rKIkKag6Gt3eMM +fnfvKn49QzptFmGBZ5Fd+sKjr3/IlnKIeCUBjCVsvsFAlcaO38ghGnayOBJZviz9 +ZW94e89LdsmxP1kNAEo= +=QODj -----END PGP PUBLIC KEY BLOCK----- From 6374f6b71eadba5a16920864aab8bd8691c1bcc5 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sat, 20 May 2023 15:10:57 +0200 Subject: [PATCH 180/996] bundles/matrix-synapse: support home servers without appservices --- bundles/matrix-synapse/files/homeserver.yaml | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/bundles/matrix-synapse/files/homeserver.yaml b/bundles/matrix-synapse/files/homeserver.yaml index c5f9af3..9c43437 100644 --- a/bundles/matrix-synapse/files/homeserver.yaml +++ b/bundles/matrix-synapse/files/homeserver.yaml @@ -62,10 +62,14 @@ allow_guest_access: false enable_metrics: True +% if appservice_configs: app_service_config_files: -% for config in sorted(appservice_configs): +% for config in sorted(appservice_configs): - "${config}" -% endfor +% endfor +% else: +app_service_config_files: [] +% endif signing_key_path: "/etc/matrix-synapse/homeserver.signing.key" trusted_key_servers: @@ -81,7 +85,7 @@ password_config: email: enable_notifs: false - notif_from: "Matrix " enable_group_creation: true From 2607049f8d0ed898a11a21f80f732003c94de66f Mon Sep 17 00:00:00 2001 
From: Franziska Kunsmann Date: Sat, 20 May 2023 15:15:35 +0200 Subject: [PATCH 181/996] add bundle:matrix-registration --- bundles/matrix-registration/files/config.yaml | 40 ++++++++++++ .../files/matrix-registration.service | 14 ++++ bundles/matrix-registration/items.py | 64 +++++++++++++++++++ bundles/matrix-registration/metadata.py | 25 ++++++++ 4 files changed, 143 insertions(+) create mode 100644 bundles/matrix-registration/files/config.yaml create mode 100644 bundles/matrix-registration/files/matrix-registration.service create mode 100644 bundles/matrix-registration/items.py create mode 100644 bundles/matrix-registration/metadata.py diff --git a/bundles/matrix-registration/files/config.yaml b/bundles/matrix-registration/files/config.yaml new file mode 100644 index 0000000..27d2467 --- /dev/null +++ b/bundles/matrix-registration/files/config.yaml 
@@ -0,0 +1,40 @@ +server_location: 'http://localhost:20080' +server_name: '${server_name}' +registration_shared_secret: '${reg_secret}' +admin_api_shared_secret: '${admin_secret}' +base_url: '${base_url}' +client_redirect: 'https://app.element.io/#/login' +client_logo: 'static/images/element-logo.png' # use '{cwd}' for current working directory +#db: 'sqlite:///opt/matrix-registration/data/db.sqlite3' +db: 'postgresql://${database['user']}:${database['password']}@localhost/${database['database']}' +host: 'localhost' +port: 20100 +rate_limit: ["100 per day", "10 per minute"] +allow_cors: false +ip_logging: false +logging: + disable_existing_loggers: false + version: 1 + root: + level: DEBUG + handlers: [console] + formatters: + brief: + format: '%(name)s - %(levelname)s - %(message)s' + handlers: + console: + class: logging.StreamHandler + level: INFO + formatter: brief + stream: ext://sys.stdout +# password requirements +password: + min_length: 8 +# username requirements +username: + validation_regex: [] #list of regexes that the selected username must match. Example: '[a-zA-Z]\.[a-zA-Z]' + invalidation_regex: #list of regexes that the selected username must NOT match. Example: '(admin|support)' + - '^abuse' + - 'admin' + - 'support' + - 'help' diff --git a/bundles/matrix-registration/files/matrix-registration.service b/bundles/matrix-registration/files/matrix-registration.service new file mode 100644 index 0000000..bf6ace9 --- /dev/null +++ b/bundles/matrix-registration/files/matrix-registration.service @@ -0,0 +1,14 @@ +[Unit] +Description=matrix-registration +After=network.target + +[Service] +User=matrix-registration +Group=matrix-registration +WorkingDirectory=/opt/matrix-registration/src +ExecStart=/opt/matrix-registration/venv/bin/matrix-registration --config-path /opt/matrix-registration/config.yaml serve +Restart=always +RestartSec=5 + +[Install] +WantedBy=multi-user.target 
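Review bot: The unit drops to a dedicated user but otherwise leaves the service with the full filesystem and privilege set, and this is a network-facing process that parses untrusted registration requests; the standard systemd confinement directives in `[Service]` cost nothing here, and `ReadWritePaths` can likely be omitted once it is confirmed that the app does not write under `/opt/matrix-registration` at runtime (the database is postgres per the config). `After=network.target` does not order the service after the local database, so a boot-time start will presumably crash-loop until postgres is up; `After=postgresql.service` avoids that when both run on the same host, which the `localhost` in the config suggests.
```ini
[Unit]
Description=matrix-registration
After=network.target postgresql.service

[Service]
# … unchanged: User/Group/WorkingDirectory/ExecStart …
NoNewPrivileges=true
PrivateTmp=true
ProtectSystem=strict
ProtectHome=true
ReadWritePaths=/opt/matrix-registration
Restart=always
RestartSec=5
```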
diff --git a/bundles/matrix-registration/items.py b/bundles/matrix-registration/items.py new file mode 100644 index 0000000..a1fe4f8 --- /dev/null +++ b/bundles/matrix-registration/items.py 
@@ -0,0 +1,64 @@ +actions['matrix-registration_create_virtualenv'] = { + 'command': '/usr/bin/python3 -m virtualenv -p python3 /opt/matrix-registration/venv/', + 'unless': 'test -d /opt/matrix-registration/venv/', + 'needs': { + # actually /opt/matrix-registration, but we don't create that + 'directory:/opt/matrix-registration/src', + }, +} + +actions['matrix-registration_install'] = { + 'command': ' && '.join([ + 'cd /opt/matrix-registration/src', + '/opt/matrix-registration/venv/bin/pip install psycopg2-binary', + '/opt/matrix-registration/venv/bin/pip install -e .', + ]), + 'needs': { + 'action:matrix-registration_create_virtualenv', + }, + 'triggered': True, +} + +users['matrix-registration'] = { + 'home': '/opt/matrix-registration', +} + +directories['/opt/matrix-registration/src'] = {} + +git_deploy['/opt/matrix-registration/src'] = { + 'repo': 'https://github.com/zeratax/matrix-registration.git', + 'rev': 'master', + 'triggers': { + 'action:matrix-registration_install', + 'svc_systemd:matrix-registration:restart', + }, +} + +files['/opt/matrix-registration/config.yaml'] = { + 'content_type': 'mako', + 'context': { + 'server_name': node.metadata.get('matrix-synapse/server_name'), + 'reg_secret': '', + 'admin_secret': node.metadata.get('matrix-registration/admin_secret'), + 'database': node.metadata.get('matrix-registration/database'), + 'base_url': node.metadata.get('matrix-registration/base_path', ''), + }, + 'triggers': { + 'svc_systemd:matrix-registration:restart', + }, +} + +files['/usr/local/lib/systemd/system/matrix-registration.service'] = { + 'triggers': { + 'action:systemd-reload', + 'svc_systemd:matrix-registration:restart', + }, +} + +svc_systemd['matrix-registration'] = { + 'needs': { + 'action:matrix-registration_install', + 'file:/opt/matrix-registration/config.yaml', + 'file:/usr/local/lib/systemd/system/matrix-registration.service', + }, +} 
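Review bot: `files['/opt/matrix-registration/config.yaml']` sets no `owner`, `group` or `mode`, yet the rendered file carries the postgres password and `admin_api_shared_secret`; under bundlewrap's defaults (root-owned and, presumably, world-readable — verify) every local account can read both, while the service itself runs as `matrix-registration` and only needs read access. Add `'owner': 'matrix-registration', 'group': 'matrix-registration', 'mode': '0600',` to that item. `'reg_secret': ''` leaves `registration_shared_secret` empty, so registrations against synapse will presumably be rejected until this is wired to synapse's actual shared secret; if that is deliberate for now, a comment saying so would help. `git_deploy` with `'rev': 'master'` installs whatever the upstream default branch holds at apply time, and `pip install -e .` then pulls its unpinned dependencies; pinning `rev` to a commit hash keeps the deployment reproducible and reviewable.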
diff --git a/bundles/matrix-registration/metadata.py b/bundles/matrix-registration/metadata.py new file mode 100644 index 0000000..f5e4e7c --- /dev/null +++ b/bundles/matrix-registration/metadata.py @@ -0,0 +1,25 @@ +defaults = { + 'bash_aliases': { + 'matrix-registration': '/opt/matrix-registration/venv/bin/matrix-registration --config-path /opt/matrix-registration/config.yaml', + }, + 'matrix-registration': { + 'admin_secret': repo.vault.password_for(f'{node.name} matrix-registration admin secret'), + 'database': { + 'user': 'matrix-registration', + 'password': repo.vault.password_for(f'{node.name} postgresql matrix-registration'), + 'database': 'matrix-registration', + }, + }, + 'postgresql': { + 'roles': { + 'matrix-registration': { + 'password': repo.vault.password_for(f'{node.name} postgresql matrix-registration'), + }, + }, + 'databases': { + 'matrix-registration': { + 'owner': 'matrix-registration', + }, + }, + }, +} From b35bfc85e9a090955e2ae2b915daec5fb56176e3 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sat, 20 May 2023 20:12:24 +0200 Subject: [PATCH 182/996] ovh.icinga2: fix simple-icinga-dashboard --- bundles/simple-icinga-dashboard/items.py | 20 -------------------- bundles/simple-icinga-dashboard/metadata.py | 13 +++++++++++++ nodes/ovh/icinga2.py | 3 ++- 3 files changed, 15 insertions(+), 21 deletions(-) diff --git a/bundles/simple-icinga-dashboard/items.py b/bundles/simple-icinga-dashboard/items.py index 74f05db..7568c86 100644 --- a/bundles/simple-icinga-dashboard/items.py +++ b/bundles/simple-icinga-dashboard/items.py @@ -43,16 +43,6 @@ git_deploy = { } files = { - '/etc/systemd/system/simple-icinga-dashboard.service': { - 'triggers': { - 'action:systemd-reload', - }, - }, - '/etc/systemd/system/simple-icinga-dashboard.timer': { - 'triggers': { - 'action:systemd-reload', - }, - }, '/opt/simple-icinga-dashboard/config.toml': { 'content_type': 'mako', 'needs': { 
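Review bot: The vault identifier `f'{node.name} postgresql matrix-registration'` is written out twice, once for `matrix-registration/database/password` and once for `postgresql/roles/matrix-registration/password`; if either copy is edited the service silently ends up with a password the role does not have. Bind it once above `defaults`, `db_password = repo.vault.password_for(f'{node.name} postgresql matrix-registration')`, and reference `db_password` in both places.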
@@ -69,13 +59,3 @@ symlinks = { }, }, } - -svc_systemd = { - 'simple-icinga-dashboard.timer': { - 'needs': { - 'action:simple-icinga-dashboard_install_requirements', - 'file:/etc/systemd/system/simple-icinga-dashboard.service', - 'file:/etc/systemd/system/simple-icinga-dashboard.timer', - }, - }, -} diff --git a/bundles/simple-icinga-dashboard/metadata.py b/bundles/simple-icinga-dashboard/metadata.py index 1d1b905..91c5cf5 100644 --- a/bundles/simple-icinga-dashboard/metadata.py +++ b/bundles/simple-icinga-dashboard/metadata.py @@ -11,4 +11,17 @@ defaults = { 'filename': '/opt/simple-icinga-dashboard/out/index.html', }, }, + 'systemd-timers': { + 'timers': { + 'simple-icinga-dashboard': { + 'when': 'minutely', + 'command': '/opt/simple-icinga-dashboard/venv/bin/python /opt/simple-icinga-dashboard/src/service.py', + 'pwd': '/opt/simple-icinga-dashboard/src/', + 'user': 'icinga_dashboard', + 'environment': { + 'STATUSPAGE_CONFIG': '/opt/simple-icinga-dashboard/config.toml', + }, + }, + }, + }, } diff --git a/nodes/ovh/icinga2.py b/nodes/ovh/icinga2.py index 0de9a46..0e9e309 100644 --- a/nodes/ovh/icinga2.py +++ b/nodes/ovh/icinga2.py @@ -39,7 +39,8 @@ nodes['ovh.icinga2'] = { 'dashboard': { 'password': vault.password_for('ovh.icinga2 icinga2 api_user dashboard'), 'permissions': { - 'objects/query/Service' + 'objects/query/Service', + 'objects/query/Host', }, }, # Used with From 9fc0004746e3c856d691f40db6768e7a5e86e9d9 Mon Sep 17 00:00:00 2001 
From: Franziska Kunsmann Date: Sun, 21 May 2023 06:59:34 +0200 Subject: [PATCH 183/996] add option to exclude hosts from public status page --- bundles/icinga2/files/icinga2/groups.conf | 8 ++++++++ bundles/icinga2/files/icinga2/hosts_template.conf | 3 ++- groups/locations.py | 4 ++++ nodes/entropia-jira.toml | 2 +- nodes/htz-cloud/influxdb.py | 3 ++- nodes/ns-ghirahim.toml | 3 --- nodes/ns-mephisto.toml | 3 --- nodes/ovh/icinga2.py | 2 +- nodes/voc/infobeamer-cms.py | 3 --- nodes/voc/pretalx.py | 3 --- 10 files changed, 18 insertions(+), 16 deletions(-) diff --git a/bundles/icinga2/files/icinga2/groups.conf b/bundles/icinga2/files/icinga2/groups.conf index cc18159..513568c 100644 --- a/bundles/icinga2/files/icinga2/groups.conf +++ b/bundles/icinga2/files/icinga2/groups.conf @@ -33,3 +33,11 @@ object ServiceGroup "checks_with_sms" { assign where service.vars.notification.sms == true ignore where host.vars.notification.sms == false } + +object ServiceGroup "statuspage" { + display_name = "Checks which are show on the public status page" + + assign where service.vars.notification.sms == true + ignore where host.vars.notification.sms == false + ignore where host.vars.show_on_statuspage == false +} diff --git a/bundles/icinga2/files/icinga2/hosts_template.conf b/bundles/icinga2/files/icinga2/hosts_template.conf index 1c4f957..631fc8a 100644 --- a/bundles/icinga2/files/icinga2/hosts_template.conf +++ b/bundles/icinga2/files/icinga2/hosts_template.conf @@ -14,7 +14,8 @@ object Host "${rnode.name}" { vars.os = "${rnode.os}" # used for status page - vars.pretty_name = "${rnode.metadata.get('icinga_options/pretty_name', rnode.name)}" + vars.pretty_name = "${rnode.metadata.get('icinga_options/pretty_name', rnode.metadata.get('hostname'))}" + vars.show_on_statuspage = ${str(rnode.metadata.get('icinga_options/show_on_statuspage', True)).lower()} vars.period = "${rnode.metadata.get('icinga_options/period', '24x7')}" 
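Review bot: The `display_name` of the new `statuspage` ServiceGroup reads "Checks which are show on the public status page"; `display_name = "Checks which are shown on the public status page"`. The group duplicates the two rules of `checks_with_sms` and adds the status-page exclusion, so any future change to the sms rules has to be made in both places; a one-line reminder, `# keep the first two rules in sync with checks_with_sms above`, makes that coupling visible.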
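Review bot: `vars.pretty_name` now falls back to `rnode.metadata.get('hostname')` without a default, so a node that has no `hostname` metadata key renders `vars.pretty_name = "None"` or fails the template, depending on how bundlewrap's `get` behaves without a default — worth verifying, since the previous fallback `rnode.name` could not fail this way. `rnode.metadata.get('icinga_options/pretty_name', rnode.metadata.get('hostname', rnode.name))` keeps the node name as a last resort.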
diff --git a/groups/locations.py b/groups/locations.py index 94d7d8d..353832e 100644 --- a/groups/locations.py +++ b/groups/locations.py @@ -78,6 +78,7 @@ groups['home'] = { 'home.router', }, 'vars.notification.sms': False, + 'show_on_statuspage': False, }, 'postfix': { # It's fine to do this without authentificating to the relayhost. @@ -117,6 +118,9 @@ groups['voc'] = { 'day': 1, }, }, + 'icinga_options': { + 'show_on_statuspage': False, + }, 'location': 'voc', }, } diff --git a/nodes/entropia-jira.toml b/nodes/entropia-jira.toml index 84af119..d4bee28 100644 --- a/nodes/entropia-jira.toml +++ b/nodes/entropia-jira.toml @@ -3,7 +3,7 @@ dummy = true [metadata.icinga_options] period = "daytime" -pretty_name = "ticket.gulas.ch" +show_on_statuspage = false [metadata.icinga2_api.nginx.services."NGINX VHOST ticket-redirect CERTIFICATE"] check_command = "check_https_cert_at_url" diff --git a/nodes/htz-cloud/influxdb.py b/nodes/htz-cloud/influxdb.py index 7e780e5..59f729e 100644 --- a/nodes/htz-cloud/influxdb.py +++ b/nodes/htz-cloud/influxdb.py @@ -44,7 +44,8 @@ nodes['htz-cloud.influxdb'] = { 'login_max_duration': '30d', }, 'icinga_options': { - 'pretty_name': 'InfluxDB', + # no public access + 'show_on_statuspage': False, }, 'nginx': { 'vhosts': { diff --git a/nodes/ns-ghirahim.toml b/nodes/ns-ghirahim.toml index 28f61a8..ea835a0 100644 --- a/nodes/ns-ghirahim.toml +++ b/nodes/ns-ghirahim.toml @@ -12,9 +12,6 @@ ips = [ gateway4 = "46.101.80.1" gateway6 = "2a03:b0c0:1:d0::1" -[metadata.icinga_options] -pretty_name = "ns-ghirahim.kunbox.net" - [metadata.postfix] # It's fine to do this without authentificating to the relayhost. # These Systems are not supposed to send mail anywhere else diff --git a/nodes/ns-mephisto.toml b/nodes/ns-mephisto.toml index c707113..48ffd17 100644 --- a/nodes/ns-mephisto.toml +++ b/nodes/ns-mephisto.toml 
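Review bot: In the `home` group the new `'show_on_statuspage': False` sits next to `'vars.notification.sms': False`, whereas in `voc` it is nested under `'icinga_options'`, which is the path `hosts_template.conf` reads (`icinga_options/show_on_statuspage`); unless the enclosing dict of the `home` hunk is `icinga_options` — its key lies outside the hunk — the `home` entry is never read and those hosts remain on the status page. Confirm the enclosing key and, if it is not `icinga_options`, move the entry under it as done for `voc`.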
@@ -17,9 +17,6 @@ ips = [ gateway4 = "10.255.255.1" gateway6 = "fe80::250:56ff:fea8:628f" -[metadata.icinga_options] -pretty_name = "ns-mephisto.kunbox.net" - [metadata.nginx.vhosts.powerdnsadmin] domain = "ns-mephisto.kunbox.net" diff --git a/nodes/ovh/icinga2.py b/nodes/ovh/icinga2.py index 0e9e309..ea24874 100644 --- a/nodes/ovh/icinga2.py +++ b/nodes/ovh/icinga2.py @@ -127,7 +127,7 @@ nodes['ovh.icinga2'] = { 'password': vault.password_for('ovh.icinga2 icinga2 api_user dashboard'), }, 'filters': { - 'services': '"checks_with_sms" in service.groups', + 'services': '"statuspage" in service.groups', }, 'output': { 'page_title': 'franzi.business Service Status', diff --git a/nodes/voc/infobeamer-cms.py b/nodes/voc/infobeamer-cms.py index afc24e8..a4bb419 100644 --- a/nodes/voc/infobeamer-cms.py +++ b/nodes/voc/infobeamer-cms.py @@ -22,9 +22,6 @@ nodes['voc.infobeamer-cms'] = { 'gateway6': '2001:67c:20a0:e::1', }, }, - 'icinga_options': { - 'pretty_name': 'infobeamer-cms.c3voc.de', - }, 'infobeamer-cms': { 'domain': 'infobeamer-cms.c3voc.de', 'event_start_date': '2023-04-07', diff --git a/nodes/voc/pretalx.py b/nodes/voc/pretalx.py index fa3d116..86f2f68 100644 --- a/nodes/voc/pretalx.py +++ b/nodes/voc/pretalx.py @@ -35,9 +35,6 @@ nodes['voc.pretalx'] = { 'gateway6': '2a01:a700:48d1::1', }, }, - 'icinga_options': { - 'pretty_name': 'pretalx.c3voc.de', - }, 'nginx': { 'vhosts': { 'pretalx': { From 926776fba21ee7cd22ac61436ea1823018a17d8d Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Tue, 23 May 2023 19:29:27 +0200 Subject: [PATCH 184/996] update netbox to 3.5.2 --- nodes/rx300.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nodes/rx300.py b/nodes/rx300.py index ed172dc..e1728f6 100644 --- a/nodes/rx300.py +++ b/nodes/rx300.py 
@@ -311,7 +311,7 @@ nodes['rx300'] = { }, 'netbox': { 'domain': 'netbox.franzi.business', - 'version': 'v3.5.1', + 'version': 'v3.5.2', 'changelog_retention_days': 360, 'admins': { 'kunsi': 'hostmaster@kunbox.net', From 829ebccad63404d010ac9bfd7538fb8aa39ed80c Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Tue, 23 May 2023 19:33:30 +0200 Subject: [PATCH 185/996] update travelynx to 1.31.4 --- nodes/rx300.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nodes/rx300.py b/nodes/rx300.py index e1728f6..dd189d3 100644 --- a/nodes/rx300.py +++ b/nodes/rx300.py @@ -548,7 +548,7 @@ nodes['rx300'] = { }, }, 'travelynx': { - 'version': '1.31.2', + 'version': '1.31.4', 'mail_from': 'travelynx@franzi.business', 'domain': 'travelynx.franzi.business', }, From b8805c6f9717e0d6740b0e8672cfdea46371f957 Mon Sep 17 00:00:00 2001 From: Sophie Schiller Date: Thu, 25 May 2023 00:57:51 +0200 Subject: [PATCH 186/996] bw/data new tmux theme for sophie --- data/users/files/tmux/sophie.conf | 110 ++++++++++++------------------ 1 file changed, 44 insertions(+), 66 deletions(-) diff --git a/data/users/files/tmux/sophie.conf b/data/users/files/tmux/sophie.conf index d8c2819..cf385ec 100644 --- a/data/users/files/tmux/sophie.conf +++ b/data/users/files/tmux/sophie.conf 
@@ -1,39 +1,4 @@ -# https://github.com/seebi/tmux-colors-solarized/blob/master/tmuxcolors-256.conf -set-option -g status-style bg=colour235,fg=colour136 - -# set window split -bind-key v split-window -h -bind-key b split-window - -# default window title colors -set-window-option -g window-status-style fg=colour39,bg=default,dim - -# active window title colors -set-window-option -g window-status-current-style fg=colour235,bg=colour113,bright - -# pane border -set-option -g pane-border-style fg=colour235 #base02 -set-option -g pane-active-border-style fg=colour240 #base01 - -# message text -set-option -g message-style bg=colour235 #base02 -set-option -g message-style fg=colour166 #orange - -# pane number display -set-option -g display-panes-active-colour colour33 #blue -set-option -g display-panes-colour colour166 #orange -# clock -set-window-option -g clock-mode-colour green #green - - -set -g status-interval 1 -set -g status-justify left # center align window list -set -g status-left-length 14 -set -g status-right-length 140 -#set -g status-left '#[default]〘 ' -set -g status-left '#[fg=green,bright]#(uname -r | cut -c 1-8)#[default]〘' -set -g status-right "〙#[fg=red,bg=default]⇑#(uptime -p |sed 's/\ week/w/; s/\ days/d/; s/\ day/d/; s/\ hours/h/; s/\ minutes/m/; s/\ minute/m/; s/,//g; s/up//') #[fg=green,bg=default]⎋ #(cat /proc/loadavg | awk '{print $1,$2,$3}') #[fg=blue] %Y-%m-%d #[fg=white,bg=default] %H:%M #[fg=green] #H" - +### keybindings # C-b is not acceptable -- Vim uses it set-option -g prefix C-a bind-key C-a last-window 
@@ -44,12 +9,12 @@ set -g base-index 1 # Allows for faster key repetition set -s escape-time 0 -# Rather than constraining window size to the maximum size of any client -# connected to the *session*, constrain window size to the maximum size of any +# Rather than constraining window size to the maximum size of any client +# connected to the *session*, constrain window size to the maximum size of any # client connected to *that window*. Much more reasonable. setw -g aggressive-resize on -# Allows us to use C-a a to send commands to a TMUX session inside +# Allows us to use C-a a to send commands to a TMUX session inside # another TMUX session bind-key a send-prefix @@ -59,17 +24,7 @@ set -g visual-activity on # Vi copypaste mode set-window-option -g mode-keys vi -#bind-key -t vi-copy 'v' begin-selection -#bind-key -t vi-copy 'y' copy-selection -#/home/sophie/.tmux.conf:68: usage: bind-key [-cnr] [-T key-table] key command [arguments] [0/0] - - -# hjkl pane traversal -bind h select-pane -L -bind j select-pane -D -bind k select-pane -U -bind l select-pane -R # set to main-horizontal, 60% height for main pane bind m set-window-option main-pane-height 60\; select-layout main-horizontal 
@@ -79,28 +34,51 @@ bind-key C command-prompt -p "Name of new window: " "new-window -n '%%'" # reload config bind r source-file ~/.tmux.conf \; display-message "Config reloaded..." +# set window split +bind-key v split-window -h +bind-key b split-window + # auto window rename set-window-option -g automatic-rename -# color -set -g default-terminal "tmux-256color" +set -g status-interval 2 -# status bar -#set-option -g status-utf8 on +#################################### +# new theme -# https://github.com/edkolev/dots/blob/master/tmux.conf -# Updates for tmux 1.9's current pane splitting paths. +set-window-option -g status-style bg=colour236,fg=white +# left +set-window-option -g status-left "#[bg=colour240,fg=white] #S #[fg=colour236,reverse]" +set-window-option -g status-left-length 40 +# right +set-window-option -g status-right "#[fg=black,bg=colour208]#(uptime -p |sed 's/\ week/w/; s/\ day/d/; s/\ hour/h/; s/\ minute/m/; s/s//g; s/,//g; s/up//') #[bg=colour236,fg=white] #(cat /proc/loadavg | awk '{print $1,$2,$3}') #[fg=colour252]#[fg=black,bg=colour252,nobold] %Y-%m-%d #[bold]%H:%M #[fg=colour231,bg=colour240] #H " +set-window-option -g status-right-length 80 +# Status bar window currently active +set-window-option -g window-status-current-format "#[fg=colour236]#[default,bold] #I #[fg=colour123,reverse]#[default]#[bg=colour123] #W #[fg=colour236,reverse]" +# colour33 is green +set-window-option -g window-status-current-style none,bg=colour33,fg=black +# Status bar window in background (not active) +set-window-option -g window-status-format "#[fg=colour236,nounderscore]#[default,bold,nounderscore] #I #[fg=colour240,reverse]#[default]#[bg=colour240]#[nounderscore] #[default]#[fg=colour231,bg=colour240]#W#[nounderscore] #[fg=colour236,reverse]" -# from powerline -run-shell "tmux set-environment -g TMUX_VERSION_MAJOR $(tmux -V | cut -d' ' -f2 | cut -d'.' 
-f1 | sed 's/[^0-9]*//g')" -run-shell "tmux set-environment -g TMUX_VERSION_MINOR $(tmux -V | cut -d' ' -f2 | cut -d'.' -f2 | sed 's/[^0-9]*//g')" +# Black on green +set-window-option -g window-status-style none,bg=colour76,fg=black -# rm mouse mode fail -if-shell '\( #{$TMUX_VERSION_MAJOR} -eq 2 -a #{$TMUX_VERSION_MINOR} -ge 1\) -o #{$TMUX_VERSION_MAJOR} -gt 2' 'set -g mouse off' -if-shell '\( #{$TMUX_VERSION_MAJOR} -eq 2 -a #{$TMUX_VERSION_MINOR} -lt 1\) -o #{$TMUX_VERSION_MAJOR} -le 1' 'set -g mode-mouse off' +# +# Status bar window last active (Tmux 1.8+) +# -# fix pane_current_path on new window and splits -if-shell "#{$TMUX_VERSION_MAJOR} -gt 1 -o \( #{$TMUX_VERSION_MAJOR} -eq 1 -a #{$TMUX_VERSION_MINOR} -ge 8 \)" 'unbind c; bind c new-window -c "#{pane_current_path}"' -if-shell "#{$TMUX_VERSION_MAJOR} -gt 1 -o \( #{$TMUX_VERSION_MAJOR} -eq 1 -a #{$TMUX_VERSION_MINOR} -ge 8 \)" "unbind '\"'; bind '\"' split-window -v -c '#{pane_current_path}'" -if-shell "#{$TMUX_VERSION_MAJOR} -gt 1 -o \( #{$TMUX_VERSION_MAJOR} -eq 1 -a #{$TMUX_VERSION_MINOR} -ge 8 \)" 'unbind v; bind v split-window -h -c "#{pane_current_path}"' -if-shell "#{$TMUX_VERSION_MAJOR} -gt 1 -o \( #{$TMUX_VERSION_MAJOR} -eq 1 -a #{$TMUX_VERSION_MINOR} -ge 8 \)" 'unbind %; bind % split-window -h -c "#{pane_current_path}"' +set-window-option -g window-status-last-style none,bg=cyan,fg=black + +# +# Status bar window with activity/silence (monitor-activity, monitor-silence) +# + +# colour127 is pink +set-window-option -g window-status-activity-style bold,bg=colour127,fg=black + +# +# Status bar window with bell triggered +# + +# red is urgent +set-window-option -g window-status-bell-style bold,bg=red,fg=black From e6111efe2d2c5661361e6e9512ab3f263eeeebea Mon Sep 17 00:00:00 2001 
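Review bot: The new `status-right` line spawns `uptime`, `sed`, `cat` and `awk` through two `#(...)` snippets, and `set -g status-interval 2` a few lines above re-runs them every two seconds for every attached client. `#(awk '{print $1,$2,$3}' /proc/loadavg)` saves one process per refresh and reads the same file `uptime` does. The old theme had the same shape, so this is a style point rather than a regression.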
From: Franziska Kunsmann
Date: Fri, 26 May 2023 07:10:09 +0200
Subject: [PATCH 187/996] bundles/matrix-registration: configurable client_redirect
---
 bundles/matrix-registration/files/config.yaml | 2 +-
 bundles/matrix-registration/items.py | 7 ++++---
 2 files changed, 5 insertions(+), 4 deletions(-)
diff --git a/bundles/matrix-registration/files/config.yaml b/bundles/matrix-registration/files/config.yaml
index 27d2467..b5e7b96 100644
--- a/bundles/matrix-registration/files/config.yaml
+++ b/bundles/matrix-registration/files/config.yaml
@@ -3,7 +3,7 @@ server_name: '${server_name}'
 registration_shared_secret: '${reg_secret}'
 admin_api_shared_secret: '${admin_secret}'
 base_url: '${base_url}'
-client_redirect: 'https://app.element.io/#/login'
+client_redirect: '${client_redirect}'
 client_logo: 'static/images/element-logo.png' # use '{cwd}' for current working directory
 #db: 'sqlite:///opt/matrix-registration/data/db.sqlite3'
 db: 'postgresql://${database['user']}:${database['password']}@localhost/${database['database']}'
diff --git a/bundles/matrix-registration/items.py b/bundles/matrix-registration/items.py
index a1fe4f8..10b5a92 100644
--- a/bundles/matrix-registration/items.py
+++ b/bundles/matrix-registration/items.py
@@ -37,11 +37,12 @@ git_deploy['/opt/matrix-registration/src'] = {
 files['/opt/matrix-registration/config.yaml'] = {
 'content_type': 'mako',
 'context': {
- 'server_name': node.metadata.get('matrix-synapse/server_name'),
- 'reg_secret': '',
 'admin_secret': node.metadata.get('matrix-registration/admin_secret'),
- 'database': node.metadata.get('matrix-registration/database'),
 'base_url': node.metadata.get('matrix-registration/base_path', ''),
+ 'client_redirect': node.metadata.get('matrix-registration/base_path'),
+ 'database': node.metadata.get('matrix-registration/database'),
+ 'reg_secret': '',
+ 'server_name': node.metadata.get('matrix-synapse/server_name'),
 },
 'triggers': {
 'svc_systemd:matrix-registration:restart',
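Review bot: `'client_redirect': node.metadata.get('matrix-registration/base_path'),` feeds the base path, not a redirect URL, into the `${client_redirect}` placeholder the first hunk introduces, and `'reg_secret': ''` still renders an empty `registration_shared_secret:`. Both lines are corrected in 55f80b4 later in this series (reading `matrix-registration/client_redirect` and `matrix-synapse/registration_shared_secret`), so as committed this revision deploys a broken config in between. The `files` item continues past the end of the hunk.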
From c3701da258f6a8dc644cb0f12f4f8d9ac77b4d59 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Fri, 26 May 2023 07:10:47 +0200 Subject: [PATCH 188/996] add htz-cloud.afra --- nodes/htz-cloud.afra.toml | 86 +++++++++++++++++++++++++++++++++++++++ 1 file changed, 86 insertions(+) create mode 100644 nodes/htz-cloud.afra.toml diff --git a/nodes/htz-cloud.afra.toml b/nodes/htz-cloud.afra.toml new file mode 100644 index 0000000..5345ebb --- /dev/null +++ b/nodes/htz-cloud.afra.toml 
@@ -0,0 +1,86 @@ +hostname = "91.107.203.234" +bundles = [ + "element-web", + "matrix-media-repo", + "matrix-registration", + "matrix-synapse", + "nodejs", + "postgresql", + "zfs", +] +groups = [ + "debian-bullseye", + "webserver", +] + +[metadata.icinga_options] +pretty_name = "afra.berlin" + +[metadata.interfaces.eth0] +ips = [ + "91.107.203.234/32", + "2a01:4f8:c010:b0e1::1/64", +] +gateway4 = '172.31.1.1' +gateway6 = 'fe80::1' + +[metadata.interfaces.ens10] +ips = [ + "172.19.137.7/32", +] +routes.'172.19.136.0/22'.via = "172.19.137.1" + +[metadata.element-web] +url = "element.afra.berlin" +version = "v1.11.31" + +[metadata.element-web.config] +default_server_config.'m.homeserver'.base_url = "https://matrix.afra.berlin" +default_server_config.'m.homeserver'.server_name = "afra.berlin" +brand = "afra.berlin" +defaultCountryCode = "DE" +jitsi.preferredDomain = "meet.ffmuc.net" + +[metadata.matrix-media-repo] +version = "v1.2.13" +sha1 = "0915bdf7c461368859180419d1f66717969cbe32" +admins = ['@administress:afra.berlin'] +upload_max_mb = 50 + +[metadata.matrix-media-repo.homeservers.'afra.berlin'] +domain = "http://[::1]:20080/" +api = "synapse" + +[metadata.matrix-registration] +base_path = "/matrix" +client_redirect = "https://element.afra.berlin" + +[metadata.matrix-synapse] +server_name = "afra.berlin" +baseurl = "matrix.afra.berlin" +admin_contact = 'mailto:hostmaster@kunbox.net' +trusted_key_servers = [ + "matrix.org", + "franzi.business", +] +wellknown_also_on_vhosts = ["redirect"] + +[metadata.nginx.vhosts.redirect] +domain = "afra.berlin" + +[metadata.nginx.vhosts.redirect.locations.'/'] +redirect = "https://afra-berlin.de" +mode = 302 + +[metadata.nginx.vhosts.redirect.locations.'/matrix/'] +target = "http://127.0.0.1:20100/" + +[metadata.postgresql] +version = "15" + +[[metadata.zfs.pools.tank.when_creating.config]] +devices = ["/dev/disk/by-id/scsi-0HC_Volume_32207877"] + +[metadata.vm] +cpu = 2 +ram = 4 
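Review bot: The new node file mixes `"..."` and `'...'` for plain strings (`gateway4 = '172.31.1.1'`, `admin_contact = 'mailto:hostmaster@kunbox.net'`, `admins = ['@administress:afra.berlin']` next to double-quoted values everywhere else). TOML gives both forms the same meaning for these values, so nothing breaks, but the ns-mephisto hunk at the top of this chunk uses double quotes throughout; one style keeps grepping across node files predictable.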
From 55f80b468e55b068baaa34a4631def9f708b7c61 Mon Sep 17 00:00:00 2001
From: Franziska Kunsmann
Date: Fri, 26 May 2023 10:48:01 +0200
Subject: [PATCH 189/996] bundles/matrix-registration: fix bugs
---
 bundles/matrix-registration/files/config.yaml | 2 +-
 bundles/matrix-registration/items.py | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/bundles/matrix-registration/files/config.yaml b/bundles/matrix-registration/files/config.yaml
index b5e7b96..b3ad3a5 100644
--- a/bundles/matrix-registration/files/config.yaml
+++ b/bundles/matrix-registration/files/config.yaml
@@ -1,4 +1,4 @@
-server_location: 'http://localhost:20080'
+server_location: 'http://[::1]:20080'
 server_name: '${server_name}'
 registration_shared_secret: '${reg_secret}'
 admin_api_shared_secret: '${admin_secret}'
diff --git a/bundles/matrix-registration/items.py b/bundles/matrix-registration/items.py
index 10b5a92..05d8914 100644
--- a/bundles/matrix-registration/items.py
+++ b/bundles/matrix-registration/items.py
@@ -39,9 +39,9 @@ files['/opt/matrix-registration/config.yaml'] = {
 'context': {
 'admin_secret': node.metadata.get('matrix-registration/admin_secret'),
 'base_url': node.metadata.get('matrix-registration/base_path', ''),
- 'client_redirect': node.metadata.get('matrix-registration/base_path'),
+ 'client_redirect': node.metadata.get('matrix-registration/client_redirect'),
 'database': node.metadata.get('matrix-registration/database'),
- 'reg_secret': '',
+ 'reg_secret': node.metadata.get('matrix-synapse/registration_shared_secret'),
 'server_name': node.metadata.get('matrix-synapse/server_name'),
 },
 'triggers': {
From 5b9ce2faa123646e5a8724368dbbc7e320f28cbf Mon Sep 17 00:00:00 2001
From: Franziska Kunsmann
Date: Fri, 26 May 2023 10:49:23 +0200
Subject: [PATCH 190/996] fix trailing whitespace in tmux.conf of sophie
---
 data/users/files/tmux/sophie.conf | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
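Review bot: With `'reg_secret'` now taken from `matrix-synapse/registration_shared_secret`, the rendered `/opt/matrix-registration/config.yaml` carries that secret next to the admin API secret and the database password; the `files` item opens before the hunk, so I cannot see whether it sets `mode` and `owner`. If it does not, `'mode': '0600',` together with an `owner` matching the service user keeps the file readable only by the service. The shared secret is what lets its holder create accounts on the homeserver, so it deserves the same handling as the admin secret.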
diff --git a/data/users/files/tmux/sophie.conf b/data/users/files/tmux/sophie.conf index cf385ec..80598f6 100644 --- a/data/users/files/tmux/sophie.conf +++ b/data/users/files/tmux/sophie.conf @@ -9,12 +9,12 @@ set -g base-index 1 # Allows for faster key repetition set -s escape-time 0 -# Rather than constraining window size to the maximum size of any client -# connected to the *session*, constrain window size to the maximum size of any +# Rather than constraining window size to the maximum size of any client +# connected to the *session*, constrain window size to the maximum size of any # client connected to *that window*. Much more reasonable. setw -g aggressive-resize on -# Allows us to use C-a a to send commands to a TMUX session inside +# Allows us to use C-a a to send commands to a TMUX session inside # another TMUX session bind-key a send-prefix From 712454c1e3136daf702486f8d2645625f6581657 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sat, 3 Jun 2023 13:21:23 +0200 Subject: [PATCH 191/996] bundles/postgresql: more cache, please --- bundles/postgresql/files/postgresql.conf | 1 + bundles/postgresql/metadata.py | 1 + nodes/htz-cloud.afra.toml | 2 ++ nodes/rx300.py | 6 +++++- 4 files changed, 9 insertions(+), 1 deletion(-) diff --git a/bundles/postgresql/files/postgresql.conf b/bundles/postgresql/files/postgresql.conf index 56fa5af..7bcbe10 100644 --- a/bundles/postgresql/files/postgresql.conf +++ b/bundles/postgresql/files/postgresql.conf @@ -9,6 +9,7 @@ max_connections = ${max_connections} autovacuum_max_workers = ${autovacuum_max_workers} maintenance_work_mem = ${maintenance_work_mem}MB work_mem = ${work_mem}MB +effective_cache_size = ${cache_size}MB shared_buffers = ${shared_buffers}MB temp_buffers = ${temp_buffers}MB log_destination = syslog diff --git a/bundles/postgresql/metadata.py b/bundles/postgresql/metadata.py index fce9bb6..46b6718 100644 --- a/bundles/postgresql/metadata.py +++ b/bundles/postgresql/metadata.py 
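Review bot: The new `${cache_size}` placeholder is the only one in this template whose name differs from the PostgreSQL parameter it feeds; `max_connections`, `work_mem`, `shared_buffers`, `temp_buffers` and the others mirror the server option one to one. Naming it `effective_cache_size = ${effective_cache_size}MB` here, with the matching key in the `defaults` hunk of bundles/postgresql/metadata.py and in the two node hunks that follow, keeps that mapping and avoids confusion with `shared_buffers`, which is the setting that actually allocates cache memory. `effective_cache_size` itself is only a planner estimate, so raising it allocates nothing.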
@@ -24,6 +24,7 @@ defaults = {
 'shared_buffers': 128,
 'temp_buffers': 8,
 'slow_query_log_sec': 0,
+ 'cache_size': 256,
 },
 }
 
diff --git a/nodes/htz-cloud.afra.toml b/nodes/htz-cloud.afra.toml
index 5345ebb..14ef4b6 100644
--- a/nodes/htz-cloud.afra.toml
+++ b/nodes/htz-cloud.afra.toml
@@ -77,6 +77,8 @@ target = "http://127.0.0.1:20100/"
 
 [metadata.postgresql]
 version = "15"
+work_mem = 1024
+cache_size = 2048
 
 [[metadata.zfs.pools.tank.when_creating.config]]
 devices = ["/dev/disk/by-id/scsi-0HC_Volume_32207877"]
diff --git a/nodes/rx300.py b/nodes/rx300.py
index dd189d3..96dbd8f 100644
--- a/nodes/rx300.py
+++ b/nodes/rx300.py
@@ -475,6 +475,10 @@ nodes['rx300'] = {
 'postgresql': {
 'version': '13',
 'max_connections': 500,
+ 'autovacuum_max_workers': 12,
+ 'maintenance_work_mem': 2*1024,
+ 'work_mem': 8*1024,
+ 'cache_size': 32*1024,
 },
 'radicale': {
 'domain': 'radicale.franzi.business',
@@ -563,7 +567,7 @@ nodes['rx300'] = {
 },
 'zfs': {
 'module_options': {
- 'zfs_arc_max_gb': 16,
+ 'zfs_arc_max_gb': 48,
 },
 'pools': {
 'tank': {
From d360dfb0879d6e033b950c10bd64b40692b58a7f Mon Sep 17 00:00:00 2001
From: Franziska Kunsmann
Date: Sat, 3 Jun 2023 16:31:08 +0200
Subject: [PATCH 192/996] update mautrix-telegram to 0.14.0
---
 nodes/htz-cloud/miniserver.py | 2 +-
 nodes/rx300.py | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/nodes/htz-cloud/miniserver.py b/nodes/htz-cloud/miniserver.py
index 22b10a0..fe29ddf 100644
--- a/nodes/htz-cloud/miniserver.py
+++ b/nodes/htz-cloud/miniserver.py
@@ -135,7 +135,7 @@ nodes['htz-cloud.miniserver'] = {
 },
 },
 'mautrix-telegram': {
- 'version': 'v0.13.0',
+ 'version': 'v0.14.0',
 'homeserver': {
 'domain': 'sophies-kitchen.eu',
 'url': 'https://matrix.sophies-kitchen.eu',
diff --git a/nodes/rx300.py b/nodes/rx300.py
index 96dbd8f..086647e 100644
--- a/nodes/rx300.py
+++ b/nodes/rx300.py
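Review bot: `'work_mem': 8*1024` in the rx300 postgresql hunk is an 8 GB limit that PostgreSQL applies per sort or hash node of every concurrent query, not once per server; next to the existing `'max_connections': 500` the worst case is far beyond any RAM on the host, and with `zfs_arc_max_gb` raised to 48 in the second hunk the two compete for the same memory. A per-session value in the tens or low hundreds of MB, raised per role or per session only where the large reports run, is the usual shape. The same consideration applies to `work_mem = 1024` added to nodes/htz-cloud.afra.toml above, whose `[metadata.vm]` is 4 GB at this point in the series.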
@@ -250,7 +250,7 @@ nodes['rx300'] = {
 },
 },
 'mautrix-telegram': {
- 'version': 'v0.13.0',
+ 'version': 'v0.14.0',
 'homeserver': {
 'domain': 'franzi.business',
 'url': 'https://matrix.franzi.business',
From 0ca35a2e7e62db192b7b8a5d2961e4f086ed6295 Mon Sep 17 00:00:00 2001
From: Franziska Kunsmann
Date: Sat, 3 Jun 2023 16:31:21 +0200
Subject: [PATCH 193/996] update netbox to 3.5.3
---
 nodes/rx300.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/nodes/rx300.py b/nodes/rx300.py
index 086647e..ade9efc 100644
--- a/nodes/rx300.py
+++ b/nodes/rx300.py
@@ -311,7 +311,7 @@ nodes['rx300'] = {
 },
 'netbox': {
 'domain': 'netbox.franzi.business',
- 'version': 'v3.5.2',
+ 'version': 'v3.5.3',
 'changelog_retention_days': 360,
 'admins': {
 'kunsi': 'hostmaster@kunbox.net',
From d17b146476432f4c4a8493dac1d0012ed74318b6 Mon Sep 17 00:00:00 2001
From: Sophie Schiller
Date: Sun, 4 Jun 2023 23:17:55 +0200
Subject: [PATCH 194/996] hedgedoc new release
---
 bundles/hedgedoc/items.py | 17 +++++++++++++++++
 nodes/htz-cloud/miniserver.py | 2 +-
 requirements.txt | 1 +
 3 files changed, 19 insertions(+), 1 deletion(-)
diff --git a/bundles/hedgedoc/items.py b/bundles/hedgedoc/items.py
index ac66fcb..8a0219e 100644
--- a/bundles/hedgedoc/items.py
+++ b/bundles/hedgedoc/items.py
@@ -1,3 +1,5 @@
+from semver import compare
+
 repo.libs.tools.require_bundle(node, 'nodejs')
 
 git_deploy = {
@@ -47,6 +49,21 @@ directories = {
 },
 }
 
+if compare(node.metadata.get('hedgedoc/version'), '1.9.7') <= 0:
+ command = ' && '.join([
+ 'cd /opt/hedgedoc',
+ 'yarn install --production=true --pure-lockfile --ignore-scripts',
+ 'yarn install --ignore-scripts',
+ 'yarn build',
+ ])
+elif compare(node.metadata.get('hedgedoc/version'), '1.9.9') >= 0:
+ command = ' && '.join([
+ 'cd /opt/hedgedoc',
+ 'bin/setup',
+ 'yarn install --immutable',
+ 'yarn build',
+ ])
+
 actions = {
 'hedgedoc_yarn': {
 'command': ' && '.join([
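Review bot: The `if`/`elif` chain in the second bundles/hedgedoc/items.py hunk covers versions `<= 1.9.7` and `>= 1.9.9` only, so the `1.9.8` this same commit sets in nodes/htz-cloud/miniserver.py matches neither branch and `command` is never assigned, a NameError the first time it is read. The computed `command` also does not appear to reach the action: the context line `'command': ' && '.join([` shows `hedgedoc_yarn` still using its inline list, unless the variable is consumed further down outside the hunk. Whichever branch 1.9.8 belongs in, closing the chain with `else:` instead of `elif compare(node.metadata.get('hedgedoc/version'), '1.9.9') >= 0:` removes the gap, `'command': command,` wires the result in, and reading `node.metadata.get('hedgedoc/version')` once into a local avoids the duplicated lookup.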
diff --git a/nodes/htz-cloud/miniserver.py b/nodes/htz-cloud/miniserver.py index fe29ddf..723c838 100644 --- a/nodes/htz-cloud/miniserver.py +++ b/nodes/htz-cloud/miniserver.py @@ -80,7 +80,7 @@ nodes['htz-cloud.miniserver'] = { }, }, 'hedgedoc': { - 'version': '1.9.7', + 'version': '1.9.8', 'config': { 'production': { 'allowAnonymousEdits': True, diff --git a/requirements.txt b/requirements.txt index 48687b3..7e81327 100644 --- a/requirements.txt +++ b/requirements.txt @@ -1,3 +1,4 @@ bundlewrap>=4.16.0 PyNaCl bundlewrap-pass +semver From 85b95576c48c6252059196a2a9f0132a847095ff Mon Sep 17 00:00:00 2001 From: Sophie Schiller Date: Sat, 10 Jun 2023 11:01:53 +0200 Subject: [PATCH 195/996] infobeamer-cms: additional moderators --- nodes/voc/infobeamer-cms.py | 1 + 1 file changed, 1 insertion(+) diff --git a/nodes/voc/infobeamer-cms.py b/nodes/voc/infobeamer-cms.py index a4bb419..89fd283 100644 --- a/nodes/voc/infobeamer-cms.py +++ b/nodes/voc/infobeamer-cms.py @@ -29,6 +29,7 @@ nodes['voc.infobeamer-cms'] = { 'config': { 'ADMIN_USERS': [ 'hexchen', + 'jbeyerstedt', 'jwacalex', 'kunsi', 'sophieschi', From 42e20b122c98f78df4cf25579411dc12499bcd67 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Wed, 21 Jun 2023 23:23:16 +0200 Subject: [PATCH 196/996] bundles/icinga2: add non-listing results to check_spam_blocklist --- bundles/icinga2/files/check_spam_blocklist | 58 ++++++++++++---------- 1 file changed, 33 insertions(+), 25 deletions(-) diff --git a/bundles/icinga2/files/check_spam_blocklist b/bundles/icinga2/files/check_spam_blocklist index 6d159cb..aa80164 100644 --- a/bundles/icinga2/files/check_spam_blocklist +++ b/bundles/icinga2/files/check_spam_blocklist 
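Review bot: `semver` is added to requirements.txt without a version constraint while the bundle code relies on the module-level `from semver import compare`; as far as I know python-semver's major releases have moved that API towards methods on a version class, so a bound in the style of the existing `bundlewrap>=4.16.0` line, matching the release this was tested with, keeps a fresh checkout working. The miniserver hunk in the same commit sets `'version': '1.9.8'`, which is the value the new version comparison in bundles/hedgedoc/items.py has to handle.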
@@ -5,29 +5,34 @@ from ipaddress import IPv6Address, ip_address
 from subprocess import check_output
 from sys import argv, exit
 
-BLOCKLISTS = [
- '0spam.fusionzero.com',
- 'bl.mailspike.org',
- 'bl.spamcop.net',
- 'blackholes.brainerd.net',
- 'dnsbl-1.uceprotect.net',
- 'l2.spews.dnsbl.sorbs.net',
- 'list.dsbl.org',
- 'map.spam-rbl.com',
- 'multihop.dsbl.org',
- 'ns1.unsubscore.com',
- 'opm.blitzed.org',
- 'psbl.surriel.com',
- 'rbl.efnet.org',
- 'rbl.schulte.org',
- 'spamguard.leadmon.net',
- 'ubl.unsubscore.com',
- 'unconfirmed.dsbl.org',
- 'virbl.dnsbl.bit.nl',
- 'zen.spamhaus.org',
-]
+BLOCKLISTS = {
+ '0spam.fusionzero.com': set(),
+ 'bl.mailspike.org': set(),
+ 'bl.spamcop.net': set(),
+ 'blackholes.brainerd.net': set(),
+ 'dnsbl-1.uceprotect.net': set(),
+ 'l2.spews.dnsbl.sorbs.net': set(),
+ 'list.dsbl.org': set(),
+ 'map.spam-rbl.com': set(),
+ 'multihop.dsbl.org': set(),
+ 'ns1.unsubscore.com': set(),
+ 'opm.blitzed.org': set(),
+ 'psbl.surriel.com': set(),
+ 'rbl.efnet.org': set(),
+ 'rbl.schulte.org': set(),
+ 'spamguard.leadmon.net': set(),
+ 'ubl.unsubscore.com': set(),
+ 'unconfirmed.dsbl.org': set(),
+ 'virbl.dnsbl.bit.nl': set(),
+ 'zen.spamhaus.org': {
+ # https://www.spamhaus.org/news/article/807/using-our-public-mirrors-check-your-return-codes-now.
+ '127.255.255.252', # Typing Error
+ '127.255.255.254', # public resolver / generic rdns
+ '127.255.255.255', # rate limited
+ },
+}
 
-def check_list(ip_list, blocklist):
+def check_list(ip_list, blocklist, warn_ips):
 dns_name = '{}.{}'.format(
 '.'.join(ip_list),
 blocklist,
@@ -50,7 +55,10 @@ def check_list(ip_list, blocklist):
 blocklist,
 item,
 ))
- returncode = 2
+ if item in warn_ips and returncode < 2:
+ returncode = 1
+ else:
+ returncode = 2
 except Exception as e:
 if e.returncode == 9:
 # no reply from server
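Review bot: The new branch in the second hunk, `if item in warn_ips and returncode < 2: returncode = 1 else: returncode = 2`, is correct but reads as if a warn-listed answer could have demoted an earlier CRITICAL; `returncode = max(returncode, 1) if item in warn_ips else 2` states the intent in one line. The three `warn_ips` for zen.spamhaus.org are answers meaning the query itself was refused (typing error, public resolver, rate limit), i.e. for that run the list was not consulted at all, so the message built just above the hunk (its format string is outside it) should say the lookup was refused rather than that the host is listed, otherwise a permanently rate-limited resolver looks like a soft listing forever. `check_list` starts before the hunk and ends after it.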
@@ -77,8 +85,8 @@ exitcode = 0 with ThreadPoolExecutor(max_workers=len(BLOCKLISTS)) as executor: futures = set() - for blocklist in BLOCKLISTS: - futures.add(executor.submit(check_list, ip_list, blocklist)) + for blocklist, warn_ips in BLOCKLISTS.items(): + futures.add(executor.submit(check_list, ip_list, blocklist, warn_ips)) for future in as_completed(futures): msgs, this_exitcode = future.result() From 2e6e80d1c57c5065d5cc65aeaca5aff248ffb2af Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Wed, 21 Jun 2023 23:23:57 +0200 Subject: [PATCH 197/996] voc.infobeamer-cms: gpn21 --- nodes/voc/infobeamer-cms.py | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) diff --git a/nodes/voc/infobeamer-cms.py b/nodes/voc/infobeamer-cms.py index 89fd283..5fd767a 100644 --- a/nodes/voc/infobeamer-cms.py +++ b/nodes/voc/infobeamer-cms.py @@ -24,7 +24,7 @@ nodes['voc.infobeamer-cms'] = { }, 'infobeamer-cms': { 'domain': 'infobeamer-cms.c3voc.de', - 'event_start_date': '2023-04-07', + 'event_start_date': '2023-06-08', 'event_duration_days': 4, 'config': { 'ADMIN_USERS': [ @@ -43,8 +43,18 @@ nodes['voc.infobeamer-cms'] = { 'MQTT_TOPIC': '/voc/alert', 'MQTT_USERNAME': vault.decrypt('encrypt$gAAAAABhxakKHC_kHmHP2mFHorb4niuNTH4F24w1D6m5JUxl117N7znlZA6fpMmY3_NcmBr2Ihw4hL3FjZr9Fm_1oUZ1ZQdADA=='), 'SETUP_IDS': [ - 240569, + 230384, + 241629, ], +# 'EXTRA_ASSETS': [{ +# 'type': "image", +# 'asset': 1316000, +# # bottom left, 10px from border +# 'x1': 10, +# 'y1': 970, +# 'x2': 110, +# 'y2': 1070, +# }], }, 'rooms': { 'infobeamer stream': 23541, From 6fb982e94cc54e393774f8664f36aad230321ad1 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Wed, 21 Jun 2023 23:24:15 +0200 Subject: [PATCH 198/996] rx300: update travelynx to 1.32.0 --- nodes/rx300.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nodes/rx300.py b/nodes/rx300.py index ade9efc..5178255 100644 --- a/nodes/rx300.py +++ b/nodes/rx300.py 
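Review bot: The nine `# 'EXTRA_ASSETS': [{ ... }],` lines added to the `config` dict in nodes/voc/infobeamer-cms.py are commented-out code at column 0 inside a nested literal; Python ignores them, but every later edit of this node has to read past them. If the block is meant to come back for a later event, a single `# EXTRA_ASSETS (image 1316000, bottom-left overlay) was used for a previous event; see git history` keeps the pointer without the dead code, otherwise dropping it is cleaner since git retains the values.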
@@ -552,7 +552,7 @@ nodes['rx300'] = { }, }, 'travelynx': { - 'version': '1.31.4', + 'version': '1.32.0', 'mail_from': 'travelynx@franzi.business', 'domain': 'travelynx.franzi.business', }, From 8968252ba6c583388b4fb068b48e5e10c7199db7 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Wed, 21 Jun 2023 23:27:30 +0200 Subject: [PATCH 199/996] bundles/nginx: fix content_type for logrotate config --- bundles/nginx/items.py | 1 + 1 file changed, 1 insertion(+) diff --git a/bundles/nginx/items.py b/bundles/nginx/items.py index 88852e0..eb59250 100644 --- a/bundles/nginx/items.py +++ b/bundles/nginx/items.py @@ -34,6 +34,7 @@ directories = { files = { '/etc/logrotate.d/nginx': { + 'content_type': 'mako', 'source': 'logrotate.conf', }, '/etc/nginx/nginx.conf': { From 3a2006739c1d9e575f461bc066f3f4f862060d3b Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Thu, 29 Jun 2023 05:17:35 +0200 Subject: [PATCH 200/996] update mautrix-telegram to 0.14.1 --- nodes/htz-cloud/miniserver.py | 2 +- nodes/rx300.py | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/nodes/htz-cloud/miniserver.py b/nodes/htz-cloud/miniserver.py index 723c838..bcc1c58 100644 --- a/nodes/htz-cloud/miniserver.py +++ b/nodes/htz-cloud/miniserver.py @@ -135,7 +135,7 @@ nodes['htz-cloud.miniserver'] = { }, }, 'mautrix-telegram': { - 'version': 'v0.14.0', + 'version': 'v0.14.1', 'homeserver': { 'domain': 'sophies-kitchen.eu', 'url': 'https://matrix.sophies-kitchen.eu', diff --git a/nodes/rx300.py b/nodes/rx300.py index 5178255..984533e 100644 --- a/nodes/rx300.py +++ b/nodes/rx300.py @@ -250,7 +250,7 @@ nodes['rx300'] = { }, }, 'mautrix-telegram': { - 'version': 'v0.14.0', + 'version': 'v0.14.1', 'homeserver': { 'domain': 'franzi.business', 'url': 'https://matrix.franzi.business', From 341a43baf30aa69d32afa4fb58262c81d65d352c Mon Sep 17 00:00:00 2001 
From: Franziska Kunsmann Date: Thu, 29 Jun 2023 05:18:19 +0200 Subject: [PATCH 201/996] update netbox to 3.5.4 --- nodes/rx300.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nodes/rx300.py b/nodes/rx300.py index 984533e..9a99780 100644 --- a/nodes/rx300.py +++ b/nodes/rx300.py @@ -311,7 +311,7 @@ nodes['rx300'] = { }, 'netbox': { 'domain': 'netbox.franzi.business', - 'version': 'v3.5.3', + 'version': 'v3.5.4', 'changelog_retention_days': 360, 'admins': { 'kunsi': 'hostmaster@kunbox.net', From 91b3d2f8501c9d5bcd4556db26524d4d3cc4581a Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Thu, 29 Jun 2023 05:20:00 +0200 Subject: [PATCH 202/996] update mautrix-whatsapp to 0.8.6 --- nodes/rx300.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/nodes/rx300.py b/nodes/rx300.py index 9a99780..3f42538 100644 --- a/nodes/rx300.py +++ b/nodes/rx300.py @@ -273,8 +273,8 @@ nodes['rx300'] = { }, }, 'mautrix-whatsapp': { - 'version': 'v0.8.5', - 'sha1': 'e89c0c471e2be9b8b6ff2821b62c97cc100ff0ae', + 'version': 'v0.8.6', + 'sha1': 'aa3c25aa2f8d2ddd241e2f73eea473ecdbaf295d', 'homeserver': { 'domain': 'franzi.business', 'url': 'https://matrix.franzi.business', From c3fe24c7b9b54e31b5f3b14ad30a8c98c770794c Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Thu, 29 Jun 2023 05:37:55 +0200 Subject: [PATCH 203/996] update element-web to 1.11.34 --- nodes/htz-cloud.afra.toml | 2 +- nodes/htz-cloud/miniserver.py | 2 +- nodes/rx300.py | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/nodes/htz-cloud.afra.toml b/nodes/htz-cloud.afra.toml index 14ef4b6..bc5ee2d 100644 --- a/nodes/htz-cloud.afra.toml +++ b/nodes/htz-cloud.afra.toml @@ -32,7 +32,7 @@ routes.'172.19.136.0/22'.via = "172.19.137.1" [metadata.element-web] url = "element.afra.berlin" -version = "v1.11.31" +version = "v1.11.34" [metadata.element-web.config] default_server_config.'m.homeserver'.base_url = "https://matrix.afra.berlin" 
diff --git a/nodes/htz-cloud/miniserver.py b/nodes/htz-cloud/miniserver.py index bcc1c58..c57ac24 100644 --- a/nodes/htz-cloud/miniserver.py +++ b/nodes/htz-cloud/miniserver.py @@ -61,7 +61,7 @@ nodes['htz-cloud.miniserver'] = { }, 'element-web': { 'url': 'chat.sophies-kitchen.eu', - 'version': 'v1.11.31', + 'version': 'v1.11.34', 'config': { 'default_server_config': { 'm.homeserver': { diff --git a/nodes/rx300.py b/nodes/rx300.py index 3f42538..5e74b13 100644 --- a/nodes/rx300.py +++ b/nodes/rx300.py @@ -106,7 +106,7 @@ nodes['rx300'] = { }, 'element-web': { 'url': 'chat.franzi.business', - 'version': 'v1.11.31', + 'version': 'v1.11.34', 'config': { 'default_server_config': { 'm.homeserver': { From dff2bb028991478b8bed74cfe2c0b5fabf9a0d6a Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Thu, 29 Jun 2023 05:38:55 +0200 Subject: [PATCH 204/996] htz-cloud.afra: moar power plx --- nodes/htz-cloud.afra.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nodes/htz-cloud.afra.toml b/nodes/htz-cloud.afra.toml index bc5ee2d..adcd2bc 100644 --- a/nodes/htz-cloud.afra.toml +++ b/nodes/htz-cloud.afra.toml @@ -85,4 +85,4 @@ devices = ["/dev/disk/by-id/scsi-0HC_Volume_32207877"] [metadata.vm] cpu = 2 -ram = 4 +ram = 8 From d5f5fd853ba4db0e181e173046c3b7851a00173c Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Thu, 29 Jun 2023 05:39:30 +0200 Subject: [PATCH 205/996] bundles/element-web: remove --openssl-legacy-provider --- bundles/element-web/items.py | 10 ++-------- 1 file changed, 2 insertions(+), 8 deletions(-) diff --git a/bundles/element-web/items.py b/bundles/element-web/items.py index 0edf9c9..b141c97 100644 --- a/bundles/element-web/items.py +++ b/bundles/element-web/items.py 
@@ -8,7 +8,7 @@ directories = { git_deploy = { '/opt/element-web': { - 'rev': node.metadata['element-web']['version'], + 'rev': node.metadata.get('element-web/version'), 'repo': 'https://github.com/vector-im/element-web.git', 'triggers': { 'action:element-web_yarn', @@ -18,22 +18,16 @@ git_deploy = { files = { '/opt/element-web/webapp/config.json': { - 'content': metadata_to_json(node.metadata['element-web']['config']), + 'content': metadata_to_json(node.metadata.get('element-web/config')), 'needs': { 'action:element-web_yarn', }, }, } -extra_install_cmds = [] -if node.metadata.get('nodejs/version') >= 17: - # TODO verify this is still needed when upgrading to 1.12 - extra_install_cmds.append('export NODE_OPTIONS=--openssl-legacy-provider') - actions = { 'element-web_yarn': { 'command': ' && '.join([ - *extra_install_cmds, 'cd /opt/element-web', 'yarn install --pure-lockfile --ignore-scripts', 'yarn build', From e9ee11cd088fafe17df90334e76e0ce760d93d22 Mon Sep 17 00:00:00 2001 From: Sophie Schiller Date: Mon, 10 Jul 2023 18:45:58 +0200 Subject: [PATCH 206/996] element-web updates --- nodes/htz-cloud.afra.toml | 2 +- nodes/htz-cloud/miniserver.py | 2 +- nodes/rx300.py | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/nodes/htz-cloud.afra.toml b/nodes/htz-cloud.afra.toml index adcd2bc..4ab6fd6 100644 --- a/nodes/htz-cloud.afra.toml +++ b/nodes/htz-cloud.afra.toml @@ -32,7 +32,7 @@ routes.'172.19.136.0/22'.via = "172.19.137.1" [metadata.element-web] url = "element.afra.berlin" -version = "v1.11.34" +version = "v1.11.35" [metadata.element-web.config] default_server_config.'m.homeserver'.base_url = "https://matrix.afra.berlin" diff --git a/nodes/htz-cloud/miniserver.py b/nodes/htz-cloud/miniserver.py index c57ac24..5f4bb70 100644 --- a/nodes/htz-cloud/miniserver.py +++ b/nodes/htz-cloud/miniserver.py 
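Review bot: `'rev': node.metadata.get('element-web/version')` in the first bundles/element-web/items.py hunk checks out whatever commit the `vX.Y.Z` tag on github.com/vector-im/element-web points to when `git_deploy` runs; tags are movable, so unlike the `sha1` pin used for the mautrix-whatsapp download on rx300 earlier in this series, the deployed web client is not pinned to an artefact. If `git_deploy` accepts a commit id in `rev` (I believe it does), carrying the tag's commit in node metadata next to the version, or verifying the tag signature before checkout, would make the build reproducible and detectably tamper-free.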
@@ -61,7 +61,7 @@ nodes['htz-cloud.miniserver'] = { }, 'element-web': { 'url': 'chat.sophies-kitchen.eu', - 'version': 'v1.11.34', + 'version': 'v1.11.35', 'config': { 'default_server_config': { 'm.homeserver': { diff --git a/nodes/rx300.py b/nodes/rx300.py index 5e74b13..e4481d2 100644 --- a/nodes/rx300.py +++ b/nodes/rx300.py @@ -106,7 +106,7 @@ nodes['rx300'] = { }, 'element-web': { 'url': 'chat.franzi.business', - 'version': 'v1.11.34', + 'version': 'v1.11.35', 'config': { 'default_server_config': { 'm.homeserver': { From fa4ea575b41f793074e6e83af2340bf025a820ed Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 2 Jul 2023 06:09:23 +0200 Subject: [PATCH 207/996] bundles/users: show last five logins on login --- bundles/users/files/bashrc | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/bundles/users/files/bashrc b/bundles/users/files/bashrc index 2b2729d..6bcdcd2 100644 --- a/bundles/users/files/bashrc +++ b/bundles/users/files/bashrc @@ -19,7 +19,9 @@ then fi uptime -last | grep 'still logged in' +echo +last | head -n5 +echo export HISTCONTROL=ignoredups export HISTSIZE=50000 From cba412ecc144b7f2e7f888ff9e03ec6240043d39 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Tue, 11 Jul 2023 05:54:44 +0200 Subject: [PATCH 208/996] update forgejo to 1.19.4-0 --- nodes/rx300.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/nodes/rx300.py b/nodes/rx300.py index e4481d2..79f2ced 100644 --- a/nodes/rx300.py +++ b/nodes/rx300.py @@ -129,8 +129,8 @@ nodes['rx300'] = { }, }, 'gitea': { - 'url': 'https://codeberg.org/attachments/25eea495-ba85-4061-bec0-cf9823b63cb2', - 'sha1': '8b3ccd4bd300e41fd96e7e593a80d081dc1bc825', + 'url': 'https://codeberg.org/attachments/8aac5e74-a26b-44c9-83b8-267f114af958', + 'sha1': '4dda6dd09e75e38e4f564bd8249d8fc3dc4a334a', 'domain': 'git.franzi.business', 'email_domain_blocklist': { 'aol.com', From b8600255fca7491bd7d0f2f6b70e18c2602725b2 Mon Sep 17 00:00:00 2001 
From: Franziska Kunsmann Date: Tue, 11 Jul 2023 05:55:11 +0200 Subject: [PATCH 209/996] update netbox to 3.5.6 --- nodes/rx300.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nodes/rx300.py b/nodes/rx300.py index 79f2ced..9d71ea9 100644 --- a/nodes/rx300.py +++ b/nodes/rx300.py @@ -311,7 +311,7 @@ nodes['rx300'] = { }, 'netbox': { 'domain': 'netbox.franzi.business', - 'version': 'v3.5.4', + 'version': 'v3.5.6', 'changelog_retention_days': 360, 'admins': { 'kunsi': 'hostmaster@kunbox.net', From c6b20aea4e9b98183054dc4c3a5c8cb50908a90f Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Thu, 13 Jul 2023 08:04:04 +0200 Subject: [PATCH 210/996] ssl: bump _.home.kunbox.net --- data/ssl/_.home.kunbox.net.crt.pem | 39 ++++++++++++------------ data/ssl/_.home.kunbox.net.key.pem.vault | 2 +- 2 files changed, 20 insertions(+), 21 deletions(-) diff --git a/data/ssl/_.home.kunbox.net.crt.pem b/data/ssl/_.home.kunbox.net.crt.pem index 49f8692..a5bc0db 100644 --- a/data/ssl/_.home.kunbox.net.crt.pem +++ b/data/ssl/_.home.kunbox.net.crt.pem 
@@ -1,27 +1,26 @@ -----BEGIN CERTIFICATE----- -MIIEijCCA3KgAwIBAgISBCniY2EWesmrYQmLl4y/fxV2MA0GCSqGSIb3DQEBCwUA +MIIEUTCCAzmgAwIBAgISA3XCqX5YOhUosSIywZ+FUWgQMA0GCSqGSIb3DQEBCwUA MDIxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQD -EwJSMzAeFw0yMzA0MjMxMjEwNTdaFw0yMzA3MjIxMjEwNTZaMBoxGDAWBgNVBAMT -D2hvbWUua3VuYm94Lm5ldDB2MBAGByqGSM49AgEGBSuBBAAiA2IABIDVSPH/4t0T -UmfqQfMTCfnsRIigYXok48yGBhjQHSn8TSoXxkjJHDm0yFIjfwnj30zfEOGRBCM4 -n43+3H1K0GkUkGMRf6Uab1+BvsSpKW0cWdX3oKItdiz9C590H/WdXqOCAl4wggJa +EwJSMzAeFw0yMzA3MTMwNTAzNDJaFw0yMzEwMTEwNTAzNDFaMBoxGDAWBgNVBAMT +D2hvbWUua3VuYm94Lm5ldDB2MBAGByqGSM49AgEGBSuBBAAiA2IABPfI2XD0xYsU +blEuSTQ6TAPU4qbMlyYFUk2iYBqhqCxcGwNA+z6F4VwR92YCXUp9mfMZxQwvE96L +6bsCyPiwJSAPEAV8nvIi4DvOd9WAtd3NEZrr2p+KZ2Lpzt2DcpaSF6OCAiUwggIh MA4GA1UdDwEB/wQEAwIHgDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIw -DAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQU5URSSxe195kWSJ9SXYqBeU3m1pMwHwYD +DAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQU7hLG0VpjgCUu78o7JlVIj/DaN/UwHwYD VR0jBBgwFoAUFC6zF7dYVsuuUAlA5h+vnYsUwsYwVQYIKwYBBQUHAQEESTBHMCEG CCsGAQUFBzABhhVodHRwOi8vcjMuby5sZW5jci5vcmcwIgYIKwYBBQUHMAKGFmh0 dHA6Ly9yMy5pLmxlbmNyLm9yZy8wLQYDVR0RBCYwJIIRKi5ob21lLmt1bmJveC5u -ZXSCD2hvbWUua3VuYm94Lm5ldDBMBgNVHSAERTBDMAgGBmeBDAECATA3BgsrBgEE -AYLfEwEBATAoMCYGCCsGAQUFBwIBFhpodHRwOi8vY3BzLmxldHNlbmNyeXB0Lm9y -ZzCCAQUGCisGAQQB1nkCBAIEgfYEgfMA8QB2ALc++yTfnE26dfI5xbpY9Gxd/ELP -ep81xJ4dCYEl7bSZAAABh649Lk8AAAQDAEcwRQIhAP+qb4D+kC/4Cfbfi6qifGdJ -9mEx6o739AWBlow+uIi8AiAe/8BVo7cf+7tCb/fecOgicD0L5NF6w6g4hxUU97zK -iQB3AHoyjFTYty22IOo44FIe6YQWcDIThU070ivBOlejUutSAAABh649LmEAAAQD -AEgwRgIhAPRZ93I+Y0otV5+f+gHYW06m0pQ2RkjSr65KNEti+Xq5AiEA5Ys/iEns -O3KRqJiUXgiSRY17DQpViSsa9A9JiIx2JPowDQYJKoZIhvcNAQELBQADggEBAHeY -sCvU7bEAfFhAH1s0ajmKoFRT4vk78gxCXzqa7TB/uQ0wqe5ScsNTpJXFSZlqhXn+ -u2fw+Y64WT1joNH6vbqXU0DkaMdjb+JEfGOTlvWxql9IvduiLN7gCNGTJpt3UqGk -0IcGx1fs41kTcy5QInXgN5WIDUAFlvx9sKPMoEZvhK/Yjd2XoE/d/B9Tc7wPtObQ -R2Co3BNwA7LZZxFZh82io6MXOUXnzItSh/ieWb4LstX7gcalE5h9SLwsyk4dIYja 
-8n/pmZoQRzEG1v0qHQfOC1hEsTcNpcZ06gVcdy5eBn7LymvbzvHELhsrQ6FSEOqN -rlGE4RpZbHj4eMrf08Y= +ZXSCD2hvbWUua3VuYm94Lm5ldDATBgNVHSAEDDAKMAgGBmeBDAECATCCAQUGCisG +AQQB1nkCBAIEgfYEgfMA8QB3AHoyjFTYty22IOo44FIe6YQWcDIThU070ivBOlej +UutSAAABiU3ZIScAAAQDAEgwRgIhAI/IWOzaAkoJ4imfGvN+//beCTXm76RYd4jz +1lsWIcjzAiEAl1oqzrJ8NsWmTYXH8HsU4Yqpt0Ymg3/6hVCXpJSgCnYAdgC3Pvsk +35xNunXyOcW6WPRsXfxCz3qfNcSeHQmBJe20mQAAAYlN2SMNAAAEAwBHMEUCIFvo +elOBybAi2tLHrUTK4MbK6blQ1zGV6HhS9WlhhT1dAiEA4TZfRm1XoKvjw/NA6gT5 +rN+DRpP19xRqUBH+gp1i6RkwDQYJKoZIhvcNAQELBQADggEBAEYLbh1TJOv2Gpxv +WVpU17jdbjtP4saDZTncr8I6oeN5Hblp7YOkBO9YJMGtd9iMOXtO79pjaQj6uiy2 +qLdjkfBtLHGcmoRnqqwVD9eXY8qNr+2jRRbga7b9/3A0KR6BX/0cdG2XGoCd5k16 +Jza3XA5b7sGKfRtQiQFrhvH2tvmsr/Z1qfwe/m1BCv2QxAwvakMB9Ccua2QI2Jle ++cmOGwjMrRgHuTdMF8W8m2hfGGGIxY8A9h0teycn7CTFjLUwhcmsWfJuBGKAgnCj +Unof8vWbYdqdUDrj3kbTqDYx9IWO2j2iQkJPNS5XbtswpdaeDVy/n4i51ui4p+Z4 +mZf3Tf8= -----END CERTIFICATE----- diff --git a/data/ssl/_.home.kunbox.net.key.pem.vault b/data/ssl/_.home.kunbox.net.key.pem.vault index ae2b653..fd04536 100644 --- a/data/ssl/_.home.kunbox.net.key.pem.vault +++ b/data/ssl/_.home.kunbox.net.key.pem.vault 
@@ -1 +1 @@ -encrypt$gAAAAABkRS5ko2IFEzFfaAJGFwXPlBuwncdLwvNYjfvGwA9_kP6a6jBvuSw2nVTW3QFfaOB-eo64O9eE41oZa6yVq9wOYzF5vMg0_V5Xh5Tw0SXuEA7FS5l9khDjgEAW6ksZjjQ9P17Uhl8p7gFYcOJWXkzEpuksPfFbyXJMmTUmB1yHxBcdaCbonYHBieqanlzoKLLBZz2p5-NVigQHUSC_eGXZ0tcUId5jjbB1c-ssnNteqAI_5jdna5aIGn6EzfjDnIRvikaq4XNZ1vff5Zv9-GxpaXtbaee0a6Q__7socfGQ9-Za0KmpIwGJkZJfI51Abkrv0h2YApKaaEqD9mHgPiHrxbW4wMiAN66KBSMy0unWn5N_qMezEGnTY9HKLRpa-9T6PvYJShGlKH4mhGJJJgLUqT1OD6FvR8DBOx6ctr69ZhKDHcs_vkbHvvMmwRTVTUSVUFvGrS_44e6R9t6K_w5h0O69fA== \ No newline at end of file +encrypt$gAAAAABkr5PB2erIW8c5yuAXfM9WRbpaeegip8Y4pLBWTWgwU-TC-58fBjXQjifFoXAcxbSKpaIW2PQR7HUZujYUUtWeL5MOI3L5UY2qK-SfLhl_kyMdZXYrdvknxAA_qGbxT6GqeMNQ8PtA5a38FR6ay6jCzpyNkGrLilEaFC6cgJB2IUnihlpS4BmXzPYIr-bpXMwEggID3O3y_A1UR_RrSs9dsRSIGcy_QCRFJ_9-I7VsDL2APB_IrDtSMACdxXozU02fD4WZm_RRMm2auROBi3HSvLNa3BrJu-tkJ6v2KN-O0d2IuYg74cyAxu_fqnKeM78dGFdHA2EX_L3-Sd5gFAstdZM3y8BxqTt0pJsbKPGSpcu5j1C_N_qjvSKqG9wuzVuVVeA5laoc4cIOYSRmQD_T97d-iyxqV8yB8aZaSe1P0JCI8gr7PelZns9nW0XhVKuiN3wvCIx26ZPqwES0Cayh1VZGQA== \ No newline at end of file From a5677e7d15cc5f4b845b217357abd119079832af Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Thu, 13 Jul 2023 08:04:17 +0200 Subject: [PATCH 211/996] ssl: bump _.franzi.business --- data/ssl/_.franzi.business.crt.pem | 39 ++++++++++++------------ data/ssl/_.franzi.business.key.pem.vault | 2 +- 2 files changed, 20 insertions(+), 21 deletions(-) diff --git a/data/ssl/_.franzi.business.crt.pem b/data/ssl/_.franzi.business.crt.pem index 1d6dd80..65bbc10 100644 --- a/data/ssl/_.franzi.business.crt.pem +++ b/data/ssl/_.franzi.business.crt.pem 
@@ -1,27 +1,26 @@ -----BEGIN CERTIFICATE----- -MIIEiTCCA3GgAwIBAgISA+1F527WpSDVi98NbLC6ggqZMA0GCSqGSIb3DQEBCwUA +MIIETzCCAzegAwIBAgISAzGdIp3DLkAfPLjomF+m+BsmMA0GCSqGSIb3DQEBCwUA MDIxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQD -EwJSMzAeFw0yMzA0MjMxMjEzMzhaFw0yMzA3MjIxMjEzMzdaMBoxGDAWBgNVBAMT -D2ZyYW56aS5idXNpbmVzczB2MBAGByqGSM49AgEGBSuBBAAiA2IABNewrTbpJMY1 -fGAXh8dlMHkDYFFbLtRmQTuO1J8OyzpEiENZqmdtrLwnA9Z8w2Z6RrUtzDTm+aha -ATNAysRmZ2ZA0czi85GsDzG7PsGtHwMerp6P4SUuUGD8JLzfk4j4r6OCAl0wggJZ +EwJSMzAeFw0yMzA3MTMwNTAzNDNaFw0yMzEwMTEwNTAzNDJaMBoxGDAWBgNVBAMT +D2ZyYW56aS5idXNpbmVzczB2MBAGByqGSM49AgEGBSuBBAAiA2IABOWungq5D/Wi +w965jO2U3qQ/eMRlJ6zOF6DKh0VqzC7bf5viaRPcpzF6UZ5a3S2laX3GTrRHay01 +A+Oblv+m6kFfnftM916DLU3LiOpa2yhWD5q5Y6ZWMQUusM9Zcb/k4KOCAiMwggIf MA4GA1UdDwEB/wQEAwIHgDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIw -DAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQU+AUyabSaDRaSUNlvCjZhXhqLbJowHwYD +DAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQU/NkZwxOc6itD/i7eJVR83sWIPdkwHwYD VR0jBBgwFoAUFC6zF7dYVsuuUAlA5h+vnYsUwsYwVQYIKwYBBQUHAQEESTBHMCEG CCsGAQUFBzABhhVodHRwOi8vcjMuby5sZW5jci5vcmcwIgYIKwYBBQUHMAKGFmh0 dHA6Ly9yMy5pLmxlbmNyLm9yZy8wLQYDVR0RBCYwJIIRKi5mcmFuemkuYnVzaW5l -c3OCD2ZyYW56aS5idXNpbmVzczBMBgNVHSAERTBDMAgGBmeBDAECATA3BgsrBgEE -AYLfEwEBATAoMCYGCCsGAQUFBwIBFhpodHRwOi8vY3BzLmxldHNlbmNyeXB0Lm9y -ZzCCAQQGCisGAQQB1nkCBAIEgfUEgfIA8AB3AHoyjFTYty22IOo44FIe6YQWcDIT -hU070ivBOlejUutSAAABh64/oVsAAAQDAEgwRgIhAP7YtA8CP1H13zTu+1Kc6NhK -FZYUKu8ri2+dzB88ITbvAiEAvJlpn8nVnUDXxkUOP5Mpsjoa3HXvCtNPxYDnTgEY -BfsAdQDoPtDaPvUGNTLnVyi8iWvJA9PL0RFr7Otp4Xd9bQa9bgAAAYeuP6FCAAAE -AwBGMEQCIECTpZFm85CZIFL2HH3OgqL4OXqoGK35Kw47BXbxn/mJAiAMEmFHB2Hu -mJWkGvqaxzhEmm6zQQm1ZBHpX2/zwrSYPzANBgkqhkiG9w0BAQsFAAOCAQEANiKy -sb6X4RTmQKMfFCMZHZIE/v+3ivyajm5srjbzaAPdIyxyiwGZQlhnFnqi6EN5jlCT -Cmj7U5qGmLALtfphNIOwNXblpgdJULRVle0WaB0lF8tGo5aKAFd4Ph7yxEdz69Bj -zJn0f92qEef7PNzJgIqYvPs+YOr5zhMGPPsqEmdxdwSj0j1E3y6omjq5kDHfbxQc -SKhbizxzrimxxInC0x16YrSCOVivtoEkfFAFLVRDAh/5SjPeHMEVaeleIMfSEW0q 
-7+O8+nttGJpAVwM/yNolYjxTK4HaB+8P3viBW0iISn1d2ntNt+8CFR18/2pmu8TG -hEME6qHQFvwIHyv0Kw== +c3OCD2ZyYW56aS5idXNpbmVzczATBgNVHSAEDDAKMAgGBmeBDAECATCCAQMGCisG +AQQB1nkCBAIEgfQEgfEA7wB1ALc++yTfnE26dfI5xbpY9Gxd/ELPep81xJ4dCYEl +7bSZAAABiU3ZI3oAAAQDAEYwRAIgP1dd+F46HS4zZnqzCmwSBDnKBWNUqultNaLv +31T7lRYCIHzn9vc5y8d53koQwbwpTDm2dyME0R1IyBwml6gHBxVQAHYArfe++nz/ +EMiLnT2cHj4YarRnKV3PsQwkyoWGNOvcgooAAAGJTdkjoAAABAMARzBFAiB9NX9E +cLDCqp/7OtbSXX+aKWrLvjxJxkJ/t6KKHs5KuAIhAPe0vRkffH2QXeKmoSJIbIsu +12nE//Eq2W7lZILeMAE+MA0GCSqGSIb3DQEBCwUAA4IBAQA18AfnCf61CHygVBJ+ +X6VJGD4sIN+pEgitXDExIXsRFs40jql17G6mn6zauC1Tg39y6c++AZV3kW405dac +tPcCwNVPv6P4E+ZDUTtJcPcD9CxoF2u9qm4yyluJa93K5pa+mwSX0k5a1jYG1PcB +ZPuqjlls67abv3t3Bml/nPKvjtPh4WX9MaInmHHKgM1XVrsChSjyW0FqLQ0YF3iH +vDDUPTXHBTq4oYg0ITFn1ivbEn1CpLjmYe+sKluzwTJzuYYAI4a8dfxHBPqKVVU7 +CwAGD+sI+FaiwKzNvqKOe8YyAXH/T7Txd9EmjdRVrBeOYbN9Ee75eBSvXo4q+6XU +m694 -----END CERTIFICATE----- diff --git a/data/ssl/_.franzi.business.key.pem.vault b/data/ssl/_.franzi.business.key.pem.vault index 237c8fd..25d60b2 100644 --- a/data/ssl/_.franzi.business.key.pem.vault +++ b/data/ssl/_.franzi.business.key.pem.vault 
@@ -1 +1 @@ -encrypt$gAAAAABkRS8EmQt9ja80ubJPFsHB0UCWjaKQIQka18hT8C85Yom07ahlYOHZs5-wCG6Hl0BE8lSJu9yFXWoQBOkLqwKV-d-dFYWpqlKiSA4I1nQwDffkpYhmbfzOIyXaET07aIOKLNXs68TDQpnXlbIuw10LIguonsfJIEHucWU0EKP0GbHGvXd9r7VBVSmGJaEU4LZhgtnCwMjvk_oAQcqfecv3gJoFuYu6SbbXWUM1w8mTfbYhnfhJORucoEKEDqMoXvShP1kwzgRXMQyJRAj0rkrw9UuD3yBKQqynN3ldOdIQJtvxBx0Era0NkdtXmVhRyiPo5-ATBUzkZBmr_xkhEPnKrcc2WlI5PdJUy-pLx2kWCnzcomMWtV-TlQEcWJn-Vd5T-02jc4VGaGP6goufmtZP_AvO15bCy3VSTwSQEavFoeh8NecN3heoPTwEsFQx_E916MxV2AoMuvcyrA4B9GWPGtjyjA== \ No newline at end of file +encrypt$gAAAAABkr5PB-wJHkafI36L_D3PczVkrAfnOgriEiGubuh55kBw-fbT2-ufmRs59rPFgc9AYamQ8TeCXOVDnQaN6Q1yyESHZ8GClp2EVuitHenIKO2skUaiKknAwOj7teh0fHcXpJ4MkXRFjtDqdzvvWvBbcrPj4pLS_Ft_izE4EBIcSza_qoDSxSZ8_9wR0IUx7_ie2OfyhOSRZV8dfb8jFVawC9Fz7vkB23Y_vmY7_oc3x7t00SFuB-5R0D2max16mygV7lgyKdbnchbXoVo7s3naZ514eE4X46Q61xcsMDQkbmTKpGjqrQThkvAiDwFpfWOqRB9go-bSU54Vo5DVUdqZY-Jab6RiaxbEu4XOEhEhCnQdq671dKkLF26N2wcXYQwtWLuMCaKO0gHPA4lO5RByZmK7NKUbCH5-RD6cY9K_DqkMMaNkYrJVANWpotjACggNR2x4ZlVlqlQ0JV0lGj3toY891xQ== \ No newline at end of file From 5fa8c72863182fe365fda185e8bffb9d7814a955 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Thu, 13 Jul 2023 20:02:38 +0200 Subject: [PATCH 212/996] debian bookworm time \o/ --- bundles/apt/files/sources.list-debian-bookworm | 3 +++ bundles/apt/items.py | 3 ++- groups/os.py | 10 ++++++---- 3 files changed, 11 insertions(+), 5 deletions(-) create mode 100644 bundles/apt/files/sources.list-debian-bookworm diff --git a/bundles/apt/files/sources.list-debian-bookworm b/bundles/apt/files/sources.list-debian-bookworm new file mode 100644 index 0000000..8c19914 --- /dev/null +++ b/bundles/apt/files/sources.list-debian-bookworm @@ -0,0 +1,3 @@ +deb http://deb.debian.org/debian/ bookworm main non-free contrib +deb http://security.debian.org/debian-security bookworm-security main contrib non-free +deb http://deb.debian.org/debian/ bookworm-updates main contrib non-free 
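Review bot: The new bookworm sources list carries `main non-free contrib` only, but Debian 12 moved firmware packages out of `non-free` into the separate `non-free-firmware` component, so hosts using this list will not see firmware packages or their security updates; the `bookworm-security` and `bookworm-updates` lines have the same gap. Adding the component to all three lines, e.g. `deb http://deb.debian.org/debian/ bookworm main non-free non-free-firmware contrib`, closes it. The component order also differs between the first line (`non-free contrib`) and the other two (`contrib non-free`); apt does not care, but aligning them reads better.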
diff --git a/bundles/apt/items.py b/bundles/apt/items.py index 639417d..5dd236d 100644 --- a/bundles/apt/items.py +++ b/bundles/apt/items.py @@ -4,6 +4,7 @@ supported_os = { 'debian': { 10: 'buster', 11: 'bullseye', + 12: 'bookworm', 99: 'unstable', }, 'raspbian': { @@ -113,7 +114,7 @@ pkg_apt = { 'mtr': {}, 'ncdu': {}, 'ncurses-term': {}, - 'netcat': {}, + 'netcat-openbsd': {}, 'nmap': {}, 'python3': {}, 'python3-dev': {}, diff --git a/groups/os.py b/groups/os.py index a1f3b72..ab6339c 100644 --- a/groups/os.py +++ b/groups/os.py @@ -63,10 +63,8 @@ groups['arch'] = { } groups['debian'] = { - 'subgroups': { - 'debian-buster', - 'debian-bullseye', - 'debian-sid', + 'subgroup_patterns': { + '^debian-[a-z]+$', }, 'bundles': { 'apt', @@ -84,6 +82,10 @@ groups['debian-bullseye'] = { 'os_version': (11,) } +groups['debian-bookworm'] = { + 'os_version': (12,) +} + groups['debian-sid'] = { 'os_version': (99,) } From cff3fe558e6b19aadc15f337d67be850326d0947 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Thu, 13 Jul 2023 20:02:53 +0200 Subject: [PATCH 213/996] bundles/zfs: more ordering please --- bundles/zfs/items.py | 45 ++++++++++++++++++++++---------------------- 1 file changed, 22 insertions(+), 23 deletions(-) diff --git a/bundles/zfs/items.py b/bundles/zfs/items.py index 85ffdd7..c63250e 100644 --- a/bundles/zfs/items.py +++ b/bundles/zfs/items.py 
@@ -2,27 +2,6 @@ from json import dumps from bundlewrap.metadata import MetadataJSONEncoder -if node.os == 'debian': - actions = { - # For some reason, this module doesn't get auto-loaded on debian, - # even if installation of zfsutils-linux tries to start - # zfs-mount.service. We have no choice but to do it manually. - 'modprobe_zfs': { - 'command': 'modprobe zfs', - 'unless': 'lsmod | grep ^zfs', - 'needs': { - 'pkg_apt:zfs-dkms', - }, - 'needed_by': { - 'pkg_apt:zfs-zed', - 'pkg_apt:zfsutils-linux', - 'zfs_dataset:', - 'zfs_pool:', - }, - 'comment': 'If this fails, do a dist-upgrade, reinstall zfs-dkms, reboot', - }, - } - files = { '/etc/modprobe.d/zfs.conf': { 'source': 'zfs-modprobe.conf', @@ -87,6 +66,9 @@ svc_systemd = { 'needs': { 'file:/etc/systemd/system/zfs-import-scan.service.d/bundlewrap.conf', }, + 'after': { + 'pkg_apt:', + }, 'before': { 'svc_systemd:zfs-import-cache.service', }, @@ -95,14 +77,31 @@ svc_systemd = { 'running': None, 'enabled': False, 'masked': True, + 'after': { + 'pkg_apt:', + }, + }, + 'zfs-mount.service': { + 'after': { + 'pkg_apt:', + }, + }, + 'zfs-zed': { + 'after': { + 'pkg_apt:', + }, }, - 'zfs-mount.service': {}, - 'zfs-zed': {}, 'zfs.target': { 'running': None, + 'after': { + 'pkg_apt:', + }, }, 'zfs-import.target': { 'running': None, + 'after': { + 'pkg_apt:', + }, }, } From 40c90163ad55b646bcc4739a13aaf19facd0b769 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Thu, 13 Jul 2023 20:09:04 +0200 Subject: [PATCH 214/996] EHLO carlene --- nodes/carlene.toml | 25 +++++++++++++++++++++++++ 1 file changed, 25 insertions(+) create mode 100644 nodes/carlene.toml diff --git a/nodes/carlene.toml b/nodes/carlene.toml new file mode 100644 index 0000000..84935ef --- /dev/null +++ b/nodes/carlene.toml 
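Review bot: The `modprobe_zfs` action removed in the first hunk was, per its own comment, the only thing ensuring the `zfs` kernel module is loaded before the `zfs_pool:`/`zfs_dataset:` items and the zfsutils packages, and the `'after': {'pkg_apt:'}` entries added in the later hunks only order the services after package installation without asserting the module is present. If the module still is not auto-loaded on Debian, as the removed comment states, `zfs-mount.service` and the pool items will fail on a fresh host until a reboot; if the bookworm packages now load it, that justification belongs in the commit message or in a comment next to the `svc_systemd` block, e.g. `# zfs module is loaded by the package on bookworm; the modprobe workaround was removed`. If `after` is bundlewrap's soft ordering, only `zfs-import-scan.service` keeps a hard `needs` on its drop-in file while every other unit now relies on apply order alone.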
@@ -0,0 +1,25 @@ +hostname = "193.135.9.29" +groups = [ + "debian-bookworm", +] +bundles = [ + "zfs", +] + +[metadata.interfaces.eno1] +ips = [ + "193.135.9.29/24", +] +gateway4 = "193.135.9.1" +#gateway6 = "" + +[[metadata.zfs.pools.tank.when_creating.config]] +devices = [ + "/dev/nvme0n1p3", + "/dev/nvme1n1p3", +] +type = "mirror" + +[metadata.vm] +cpu = 24 +ram = 64 From 70bd7d295ddda9d18f77aa474a1b21cc6b72b1db Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Thu, 13 Jul 2023 20:19:17 +0200 Subject: [PATCH 215/996] bundles/cron: less strict dependencies --- bundles/cron/items.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/bundles/cron/items.py b/bundles/cron/items.py index 81409b8..72e8711 100644 --- a/bundles/cron/items.py +++ b/bundles/cron/items.py @@ -17,7 +17,7 @@ files = { directories = { '/etc/cron.d': { 'purge': True, - 'needs': { + 'after': { 'pkg_apt:', }, }, From 97307fc6f33f0eb9e2c886a02b124ccc1dd6ff01 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Thu, 13 Jul 2023 20:28:09 +0200 Subject: [PATCH 216/996] nodes.py: demagify toml nodes --- libs/demagify.py | 21 +++++++++++++++++++++ nodes.py | 10 +++++++--- 2 files changed, 28 insertions(+), 3 deletions(-) create mode 100644 libs/demagify.py diff --git a/libs/demagify.py b/libs/demagify.py new file mode 100644 index 0000000..5fe492c --- /dev/null +++ b/libs/demagify.py 
@@ -0,0 +1,21 @@ +import bwpass + +def demagify(something, vault): + if isinstance(something, str): + if something.startswith('!bwpass:'): + return bwpass.password(something[8:]) + elif something.startswith('!bwpass_attr:'): + identifier, attribute = something[13:].split(':', 1) + return bwpass.attr(identifier, attribute) + elif something.startswith('!decrypt:'): + return vault.decrypt(something[9:]) + return something + elif isinstance(something, dict): + return {k:demagify(v, vault) for k,v in something.items()} + elif isinstance(something, list): + return [demagify(i, vault) for i in something] + elif isinstance(something, set): + return {demagify(i, vault) for i in something} + elif isinstance(something, tuple): + return tuple([demagify(i, vault) for i in something]) + return something diff --git a/nodes.py b/nodes.py index 9be84b4..f47f004 100644 --- a/nodes.py +++ b/nodes.py @@ -7,6 +7,13 @@ import bwpass from bundlewrap.metadata import atomic from bundlewrap.utils import error_context +for name, data in nodes.items(): + data.setdefault('metadata', {}) + + if 'password' in data: + data['password'] = vault.decrypt(data['password']) + data['metadata'].update(libs.demagify.demagify(data['metadata'], vault)) + for node in Path(join(repo_path, "nodes")).rglob("*.py"): with error_context(filename=str(node)): with open(node, 'r') as f: @@ -15,6 +22,3 @@ for node in Path(join(repo_path, "nodes")).rglob("*.py"): for name, data in nodes.items(): data.setdefault('hostname', '.'.join(reversed(name.split('.'))) + '.kunbox.net') data.setdefault('metadata', {}).setdefault('hostname', '.'.join(reversed(name.split('.'))) + '.kunbox.net') - - if 'password' in data: - data['password'] = vault.decrypt(data['password']) From 59c913b97c85f085a5c058cbda1f09e5c0047d40 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Thu, 13 Jul 2023 20:28:33 +0200 Subject: [PATCH 217/996] carlene: add bundle:check-mail-received --- nodes/carlene.toml | 6 ++++++ 1 file changed, 6 insertions(+) 
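Review bot: `demagify` unpacks `something[13:].split(':', 1)` into two names, so a `!bwpass_attr:` value without a second colon raises a bare `ValueError: not enough values to unpack` that names neither the offending reference nor the node. `identifier, sep, attribute = something[13:].partition(':')` followed by `if not sep: raise ValueError(f'malformed bwpass_attr reference: {something!r}')` gives a useful message without touching the happy path. The prefix slices `[8:]`, `[13:]` and `[9:]` are magic numbers that must be kept in sync with the literals; `something.removeprefix('!bwpass:')` on Python 3.9+ or a single prefix-to-handler table makes that self-checking. The function inlines decrypted `!decrypt:` values into plain metadata, which is the intended effect but deserves a module docstring so nobody later logs or dumps the demagified structure.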
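Review bot: The new loop that decrypts `data['password']` runs before the `for node in Path(...).rglob("*.py")` loop that loads the Python node files, while the old decryption removed in the second hunk ran after it; nodes defined in `nodes/*.py` therefore no longer get their `password` decrypted unless those files do it themselves. If the intent is to demagify only TOML nodes, keep the password step in the later loop (`if 'password' in data: data['password'] = vault.decrypt(data['password'])`) or move the whole new block below the `.py` loop. `libs.demagify` is used but the visible import block shows only `import bwpass`; make sure `libs` is imported or the file fails at load. The enclosing module continues outside the hunk.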
diff --git a/nodes/carlene.toml b/nodes/carlene.toml index 84935ef..7585427 100644 --- a/nodes/carlene.toml +++ b/nodes/carlene.toml @@ -3,9 +3,15 @@ groups = [ "debian-bookworm", ] bundles = [ + "check-mail-received", "zfs", ] +[metadata.check-mail-received.t-online] +email = "franzi.kunsmann@t-online.de" +imap_host = "secureimap.t-online.de" +imap_pass = "!bwpass_attr:t-online.de/franzi.kunsmann@t-online.de:imap" + [metadata.interfaces.eno1] ips = [ "193.135.9.29/24", From 14ec3c0ee239e6a84ebcbd6de78b34ef2375d2af Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Thu, 13 Jul 2023 20:48:04 +0200 Subject: [PATCH 218/996] gce: disable ipv6 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Because this is "the cloud"™, gce does not support ipv6. --- groups/locations.py | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/groups/locations.py b/groups/locations.py index 353832e..15177f6 100644 --- a/groups/locations.py +++ b/groups/locations.py @@ -24,6 +24,12 @@ groups['gce'] = { # than our own domains. 'relayhost': '[rx300.kunbox.net]:2525', }, + 'sysctl': { + 'options': { + 'net.ipv6.conf.all.disable_ipv6': '1', + 'net.ipv6.conf.default.disable_ipv6': '1', + }, + }, }, } From d0825a51ee84c65df2b880a65b2ae28ead4ecd03 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Thu, 13 Jul 2023 21:30:29 +0200 Subject: [PATCH 219/996] bundles/smartd: unit names have changed --- bundles/smartd/items.py | 6 ++---- bundles/smartd/metadata.py | 6 +++--- 2 files changed, 5 insertions(+), 7 deletions(-) diff --git a/bundles/smartd/items.py b/bundles/smartd/items.py index 540a6a9..e18270f 100644 --- a/bundles/smartd/items.py +++ b/bundles/smartd/items.py @@ -2,7 +2,7 @@ files = { '/etc/smartd.conf': { 'content_type': 'mako', 'triggers': { - 'svc_systemd:smartd:reload', + 'svc_systemd:smartmontools:reload', }, }, '/usr/local/share/icinga/plugins/check_smart': { 
@@ -15,7 +15,5 @@ files = { } svc_systemd = { - 'smartd': { - 'enabled': None, # FIXME this is symlinked to smartmontools.service on bullseye - }, + 'smartmontools': {}, } diff --git a/bundles/smartd/metadata.py b/bundles/smartd/metadata.py index 63af59a..fca64eb 100644 --- a/bundles/smartd/metadata.py +++ b/bundles/smartd/metadata.py @@ -3,12 +3,12 @@ defaults = { 'packages': { 'smartmontools': { 'needed_by': { - 'svc_systemd:smartd', + 'svc_systemd:smartmontools', }, }, 'nvme-cli': { 'needed_by': { - 'svc_systemd:smartd', + 'svc_systemd:smartmontools', }, }, }, @@ -17,7 +17,7 @@ defaults = { 'smartd': { 'services': { 'SMARTD PROCESS': { - 'command_on_monitored_host': '/usr/local/share/icinga/plugins/check_systemd_unit smartd', + 'command_on_monitored_host': '/usr/local/share/icinga/plugins/check_systemd_unit smartmontools', }, }, }, From bbfa985e1dbb2ae4111000da35e14dc29f4e55af Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Thu, 13 Jul 2023 21:30:49 +0200 Subject: [PATCH 220/996] bundles/smartd: ignore partitions in smartd check --- bundles/smartd/metadata.py | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/bundles/smartd/metadata.py b/bundles/smartd/metadata.py index fca64eb..3ccd720 100644 --- a/bundles/smartd/metadata.py +++ b/bundles/smartd/metadata.py @@ -1,3 +1,5 @@ +from re import search + defaults = { 'apt': { 'packages': { @@ -53,6 +55,9 @@ def zfs_disks_to_metadata(metadata): continue for disk in option['devices']: + if search(r'p([0-9]+)$', disk): + continue + disks.add(disk) return { From 3936e642271f70b08bf7e7c78e53d9c527b97b9f Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Thu, 13 Jul 2023 21:31:11 +0200 Subject: [PATCH 221/996] bundles/smartd: use systemd-timers --- bundles/smartd/metadata.py | 20 +++++++++----------- 1 file changed, 9 insertions(+), 11 deletions(-) diff --git a/bundles/smartd/metadata.py b/bundles/smartd/metadata.py index 3ccd720..e444c35 100644 --- a/bundles/smartd/metadata.py 
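Review bot: The new `search(r'p([0-9]+)$', disk)` filter only recognises the NVMe-style `pN` suffix (which matches the `/dev/nvme0n1p3` names used in this series), so partition names such as `/dev/sda1` or `/dev/disk/by-id/...-part3` still end up in `smartd/disks` and in the long-test timers. The capture group is unused, and the pattern is recompiled on every iteration (minor). Either document the assumption above the check, `# only NVMe-style 'pN' partition suffixes are skipped here`, or widen it to the naming schemes actually used in the zfs pool configs, e.g. `r'(p[0-9]+|-part[0-9]+)$'`. `zfs_disks_to_metadata` starts outside the hunk.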
+++ b/bundles/smartd/metadata.py @@ -89,21 +89,19 @@ def icinga(metadata): @metadata_reactor.provides( - 'cron/jobs/smartd', + 'systemd-timers/timers', ) def monthly_long_test(metadata): - lines = set() + timers = {} - for number, disk in enumerate(sorted(metadata.get('smartd/disks', set()))): - lines.add('0 3 {} * * root /usr/sbin/smartctl --test=long {} >/dev/null'.format( - number+1, # enumerate() starts at 0 - disk, - )) + for day, disk in enumerate(sorted(metadata.get('smartd/disks', set())), start=1): + timers[f'smartd{disk.replace("/", "-")}'] = { + 'command': f'/usr/sbin/smartctl --test=long {disk}', + 'when': f'*-*-{day} 03:00:00 UTC', + } return { - 'cron': { - 'jobs': { - 'smartd': '\n'.join(sorted(lines)), - }, + 'systemd-timers': { + 'timers': timers, }, } From 6b27128b6d93d0282960e95ac90767c0fdc8478d Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Thu, 13 Jul 2023 21:31:25 +0200 Subject: [PATCH 222/996] bundles/systemd-timers: add exclude_from_monitoring --- bundles/systemd-timers/files/template.service | 2 ++ bundles/systemd-timers/metadata.py | 5 ++++- 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/bundles/systemd-timers/files/template.service b/bundles/systemd-timers/files/template.service index 6f7c444..ed68677 100644 --- a/bundles/systemd-timers/files/template.service +++ b/bundles/systemd-timers/files/template.service @@ -17,6 +17,8 @@ Type=oneshot % for command in config['command']: ExecStart=/usr/local/sbin/systemd-timer-monitored ${timer} ${command} % endfor +% elif config.get('exclude_from_monitoring', False): +ExecStart=${config['command']} % else: ExecStart=/usr/local/sbin/systemd-timer-monitored ${timer} ${config['command']} % endif diff --git a/bundles/systemd-timers/metadata.py b/bundles/systemd-timers/metadata.py index 23f87ff..9aaf573 100644 --- a/bundles/systemd-timers/metadata.py +++ b/bundles/systemd-timers/metadata.py 
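Review bot: `day` is the 1-based index of the disk, so the 29th to 31st disk get `*-*-29` to `*-*-31`, which systemd silently skips in months without those days, and a 32nd disk yields a calendar spec systemd rejects; the cron version had the same day-of-month limit. A comment stating the assumption, `# one disk per day-of-month; assumes at most 28 disks per host`, or a bound such as `day = (index % 28) + 1` (two disks would then share a day) makes the limit explicit. The timer name `smartd{disk.replace("/", "-")}` yields e.g. `smartd-dev-nvme0`; worth a comment that `/` is the only character being sanitised, since by-id paths may contain other characters.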
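Review bot: The new `% elif config.get('exclude_from_monitoring', False):` branch is only reached when the preceding `% if` (outside the hunk) is false, which from the `% for command in config['command']` body looks like the list-of-commands case; a timer that both lists several commands and sets `exclude_from_monitoring` would still be wrapped in `systemd-timer-monitored`. If that is intended, a comment on the `elif` saying so would help; otherwise the monitoring flag should be checked before the list/scalar distinction, in both branches. The enclosing service section starts outside the hunk.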
@@ -5,7 +5,10 @@ def monitoring(metadata): services = {} for timer, config in node.metadata.get('systemd-timers/timers', {}).items(): - if config.get('delete', False): + if ( + config.get('delete', False) + or config.get('exclude_from_monitoring', False) + ): continue services[f'SYSTEMD-TIMER {timer}'] = { From 8d5fe0d926c3091a57b6c98866925c8c811c631e Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Thu, 13 Jul 2023 21:31:44 +0200 Subject: [PATCH 223/996] carlene: add smartd --- nodes/carlene.toml | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/nodes/carlene.toml b/nodes/carlene.toml index 7585427..f05f64f 100644 --- a/nodes/carlene.toml +++ b/nodes/carlene.toml @@ -3,6 +3,7 @@ groups = [ "debian-bookworm", ] bundles = [ + "smartd", "check-mail-received", "zfs", ] @@ -19,6 +20,12 @@ ips = [ gateway4 = "193.135.9.1" #gateway6 = "" +[metadata.smartd] +disks = [ + "/dev/nvme0", + "/dev/nvme1", +] + [[metadata.zfs.pools.tank.when_creating.config]] devices = [ "/dev/nvme0n1p3", From 838b61a2b92f43b777c115c8bed32f4f392a83aa Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Thu, 13 Jul 2023 21:40:55 +0200 Subject: [PATCH 224/996] bundles/grafana: remove useless "power on hours" graph --- bundles/grafana/dashboard-rows/smartd.py | 112 +---------------------- 1 file changed, 1 insertion(+), 111 deletions(-) diff --git a/bundles/grafana/dashboard-rows/smartd.py b/bundles/grafana/dashboard-rows/smartd.py index f2fb257..88b7b0b 100644 --- a/bundles/grafana/dashboard-rows/smartd.py +++ b/bundles/grafana/dashboard-rows/smartd.py @@ -47,7 +47,7 @@ def dashboard_row_smartd(panel_id, node): 'renderer': 'flot', 'seriesOverrides': [], 'spaceLength': 10, - 'span': 8, + 'span': 12, 'stack': False, 'steppedLine': False, 'targets': [ 
@@ -114,115 +114,5 @@ def dashboard_row_smartd(panel_id, node): 'alignLevel': None } }, - { - 'aliasColors': {}, - 'bars': False, - 'dashLength': 10, - 'dashes': False, - 'datasource': None, - 'fieldConfig': { - 'defaults': { - 'displayName': '${__field.labels.device}' - }, - 'overrides': [] - }, - 'fill': 0, - 'fillGradient': 0, - 'hiddenSeries': False, - 'id': next(panel_id), - 'legend': { - 'alignAsTable': False, - 'avg': False, - 'current': False, - 'hideEmpty': True, - 'hideZero': True, - 'max': False, - 'min': False, - 'rightSide': False, - 'show': True, - 'total': False, - 'values': False - }, - 'lines': True, - 'linewidth': 1, - 'NonePointMode': 'None', - 'options': { - 'alertThreshold': True - }, - 'percentage': False, - 'pluginVersion': '7.5.5', - 'pointradius': 2, - 'points': False, - 'renderer': 'flot', - 'seriesOverrides': [], - 'spaceLength': 10, - 'span': 4, - 'stack': False, - 'steppedLine': False, - 'targets': [ - { - 'groupBy': [ - {'type': 'time', 'params': ['$__interval']}, - {'type': 'fill', 'params': ['linear']}, - ], - 'orderByTime': "ASC", - 'policy': "default", - 'query': f"""from(bucket: "telegraf") - |> range(start: v.timeRangeStart, stop: v.timeRangeStop) - |> filter(fn: (r) => - r["_measurement"] == "smartd_stats" and - r["_field"] == "power_on_hours" and - r["host"] == "{node.name}" - ) - |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false) - |> yield(name: "fan")""", - 'resultFormat': 'time_series', - 'select': [[ - {'type': 'field', 'params': ['value']}, - {'type': 'mean', 'params': []}, - ]], - "tags": [] - }, - ], - 'thresholds': [], - 'timeRegions': [], - 'title': 'fans', - 'tooltip': { - 'shared': True, - 'sort': 0, - 'value_type': 'individual' - }, - 'type': 'graph', - 'xaxis': { - 'buckets': None, - 'mode': 'time', - 'name': None, - 'show': True, - 'values': [] - }, - 'yaxes': [ - { - 'format': 'hours', - 'label': None, - 'logBase': 1, - 'max': None, - 'min': None, - 'show': True, - 'decimals': 0, - }, - { - 
'format': 'short', - 'label': None, - 'logBase': 1, - 'max': None, - 'min': None, - 'show': False, - } - ], - 'yaxis': { - 'align': False, - 'alignLevel': None - } - }, ], } From 471e2ba6f63ec57ebad9798d8edda955fb5bdbc1 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Thu, 13 Jul 2023 21:41:22 +0200 Subject: [PATCH 225/996] bundles/{influxdb2,telegraf}: it's always the same, just use 'stable main' --- bundles/influxdb2/metadata.py | 2 +- bundles/telegraf/metadata.py | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/bundles/influxdb2/metadata.py b/bundles/influxdb2/metadata.py index 68fda00..1a7b2a0 100644 --- a/bundles/influxdb2/metadata.py +++ b/bundles/influxdb2/metadata.py @@ -10,7 +10,7 @@ defaults = { 'repos': { 'influxdb': { 'items': { - 'deb https://repos.influxdata.com/{os} {os_release} stable', + 'deb https://repos.influxdata.com/{os} stable main', }, }, }, diff --git a/bundles/telegraf/metadata.py b/bundles/telegraf/metadata.py index 50a588e..097750e 100644 --- a/bundles/telegraf/metadata.py +++ b/bundles/telegraf/metadata.py @@ -11,7 +11,7 @@ defaults = { 'repos': { 'influxdb': { 'items': { - 'deb https://repos.influxdata.com/{os} {os_release} stable', + 'deb https://repos.influxdata.com/{os} stable main', }, }, }, From e9ee2039d5b64e2ce3e912a9adfa13db25113a13 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Thu, 13 Jul 2023 21:41:52 +0200 Subject: [PATCH 226/996] bundles/smartd: ignore non-digit values in telegraf stats --- bundles/smartd/files/telegraf_plugin | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/bundles/smartd/files/telegraf_plugin b/bundles/smartd/files/telegraf_plugin index 5bd10f2..46144bf 100644 --- a/bundles/smartd/files/telegraf_plugin +++ b/bundles/smartd/files/telegraf_plugin 
@@ -29,10 +29,16 @@ for device in devices: if 'nvme_smart_health_information_log' in json: for k, v in json['nvme_smart_health_information_log'].items(): + if not str(v).isdigit(): + continue + telegraf_output.add(f'{k}={v}') if 'ata_smart_attributes' in json: for entry in json['ata_smart_attributes']['table']: + if not str(entry['raw']['value']).isdigit(): + continue + telegraf_output.add('{}={}'.format( entry['name'], entry['raw']['value'], From f12d19fec6a5987ebeac46981be2fc9b6b51bf63 Mon Sep 17 00:00:00 2001 From: Sophie Schiller Date: Sat, 22 Jul 2023 15:52:28 +0200 Subject: [PATCH 227/996] htz-cloud.miniserver: fix element-web --- nodes/htz-cloud/miniserver.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/nodes/htz-cloud/miniserver.py b/nodes/htz-cloud/miniserver.py index 5f4bb70..b13aa07 100644 --- a/nodes/htz-cloud/miniserver.py +++ b/nodes/htz-cloud/miniserver.py @@ -61,7 +61,7 @@ nodes['htz-cloud.miniserver'] = { }, 'element-web': { 'url': 'chat.sophies-kitchen.eu', - 'version': 'v1.11.35', + 'version': 'v1.11.36', 'config': { 'default_server_config': { 'm.homeserver': { @@ -197,7 +197,7 @@ nodes['htz-cloud.miniserver'] = { }, }, 'nodejs': { - 'version': 16, + 'version': 18, }, 'ntfy': { 'domain': 'ntfy.sophies-kitchen.eu', From 54d0c42da63f05f7658b63d58811546089030867 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Fri, 14 Jul 2023 05:45:00 +0200 Subject: [PATCH 228/996] bundles/matrix-synapse: auto-trust all own servers as keyservers --- bundles/matrix-synapse/metadata.py | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/bundles/matrix-synapse/metadata.py b/bundles/matrix-synapse/metadata.py index 46f64ca..8a3175a 100644 --- a/bundles/matrix-synapse/metadata.py +++ b/bundles/matrix-synapse/metadata.py 
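Review bot: `str(v).isdigit()` rejects any value with a sign or decimal point, so negative or fractional attribute values (which smartctl's JSON may carry for some fields) are silently dropped rather than exported, and it accepts non-ASCII digit characters that `int()` would not parse. Checking the type instead, `if isinstance(v, bool) or not isinstance(v, (int, float)): continue` (and the same for `entry['raw']['value']`), keeps the "numbers only" intent without discarding valid negatives; if the exporter deliberately wants non-negative integers only, say so in a comment. The `for device in devices` loop starts outside the hunk.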
@@ -156,3 +156,20 @@ def nginx(metadata): 'vhosts': vhosts }, } + +@metadata_reactor.provides( + 'matrix-synapse/trusted_key_servers', +) +def autotrust_our_own_servers(metadata): + domains = set() + for rnode in repo.nodes: + if not rnode.has_bundle('matrix-synapse'): + continue + + domains.add(rnode.metadata.get('matrix-synapse/server_name')) + + return { + 'matrix-synapse': { + 'trusted_key_servers': domains, + }, + } From 76eef92ee2334129d3576b5251e19da293e79517 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Fri, 14 Jul 2023 05:45:26 +0200 Subject: [PATCH 229/996] bundles/postgresql: some improvements --- bundles/postgresql/files/postgresql.conf | 2 +- bundles/postgresql/items.py | 2 +- bundles/postgresql/metadata.py | 37 ++++++------------------ 3 files changed, 11 insertions(+), 30 deletions(-) diff --git a/bundles/postgresql/files/postgresql.conf b/bundles/postgresql/files/postgresql.conf index 7bcbe10..2392466 100644 --- a/bundles/postgresql/files/postgresql.conf +++ b/bundles/postgresql/files/postgresql.conf @@ -27,7 +27,7 @@ log_min_duration_statement = -1 % endif effective_io_concurrency = ${effective_io_concurrency} max_worker_processes = ${max_worker_processes} -% if version_list >= [10]: +% if version >= 10: max_parallel_workers = ${max_parallel_workers} % endif max_parallel_workers_per_gather = ${max_parallel_workers_per_gather} diff --git a/bundles/postgresql/items.py b/bundles/postgresql/items.py index 5f21b42..83754e4 100644 --- a/bundles/postgresql/items.py +++ b/bundles/postgresql/items.py @@ -45,7 +45,7 @@ files = { "/etc/postgresql/{}/main/postgresql.conf".format(postgresql_version): { 'content_type': 'mako', 'context': { - 'version_list': [int(i) for i in node.metadata['postgresql']['version'].split('.')], + 'version': postgresql_version, **node.metadata['postgresql'], }, 'owner': 'postgres', diff --git a/bundles/postgresql/metadata.py b/bundles/postgresql/metadata.py index 46b6718..e69a117 100644 --- a/bundles/postgresql/metadata.py 
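Review bot: `autotrust_our_own_servers` collects the `server_name` of every node carrying `matrix-synapse`, including the current node's own, and nothing on the reactor says why a homeserver should list itself and its siblings as key notaries; a docstring such as "Use all of our own homeservers as trusted_key_servers so key lookups do not depend on a third party" would capture the intent. Entries added this way carry no `verify_keys`, so, assuming the bundle renders them as plain `server_name` entries, Synapse trusts these notaries on federation TLS alone — worth stating in the same docstring. If self-inclusion is unwanted, `if not rnode.has_bundle('matrix-synapse') or rnode.name == node.name: continue` skips it.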
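Review bot: `% if version >= 10:` compares against an int, but the `version` the items.py hunk now passes is `postgresql_version`, which the replaced context line built via `node.metadata['postgresql']['version'].split('.')` — so it is evidently a string, and rendering will raise `TypeError` ('>=' not supported between instances of 'str' and 'int'). Either pass `int(postgresql_version)` from items.py or compare as `% if int(version) >= 10:` here; a later patch in this series sidesteps the issue by dropping the conditional altogether.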
+++ b/bundles/postgresql/metadata.py @@ -1,4 +1,13 @@ defaults = { + 'apt': { + 'repos': { + 'postgresql': { + 'items': { + 'deb https://apt.postgresql.org/pub/repos/apt/ {os_release}-pgdg main', + }, + }, + }, + }, 'backups': { 'paths': { '/var/lib/postgresql', @@ -69,34 +78,6 @@ else: defaults['backups']['paths'].add('/var/tmp/postgresdumps') -@metadata_reactor.provides( - 'apt/repos/postgresql', -) -def default_postgresql_version_for_debian(metadata): - # - versions_in_debian = { - '10': '11', # buster - '11': '13', # bullseye - } - os = str(node.os_version[0]) - version_to_be_installed = metadata.get('postgresql/version') - - if version_to_be_installed != versions_in_debian[os]: - return { - 'apt': { - 'repos': { - 'postgresql': { - 'items': { - 'deb https://apt.postgresql.org/pub/repos/apt/ {os_release}-pgdg main', - }, - }, - }, - }, - } - - return {} - - @metadata_reactor.provides( 'postgresql/effective_io_concurrency', 'postgresql/max_worker_processes', From 9aacb8f5064f1bfa7079f9dd105d00f6f6137600 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Fri, 14 Jul 2023 05:57:42 +0200 Subject: [PATCH 230/996] htop: less room for cpus please --- bundles/basic/files/htoprc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/bundles/basic/files/htoprc b/bundles/basic/files/htoprc index 68ef687..f9dfd53 100644 --- a/bundles/basic/files/htoprc +++ b/bundles/basic/files/htoprc @@ -32,8 +32,8 @@ account_guest_in_cpu_meter=0 color_scheme=0 enable_mouse=0 delay=10 -left_meters=Tasks LoadAverage Uptime Memory CPU LeftCPUs CPU +left_meters=Tasks LoadAverage Uptime Memory CPU LeftCPUs2 CPU left_meter_modes=2 2 2 1 1 1 2 -right_meters=Hostname CPU RightCPUs +right_meters=Hostname CPU RightCPUs2 right_meter_modes=2 3 1 hide_function_bar=0 From 272a11f7d3ad094f6bc8bc10e56955cc43115452 Mon Sep 17 00:00:00 2001 
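Review bot: The `apt/repos/postgresql` entry is now unconditional, whereas the deleted `default_postgresql_version_for_debian` reactor only added the pgdg repository when the requested version differed from Debian's own; every node with this bundle now pulls `postgresql-common` and friends from pgdg even when it would otherwise track the distro packages. If that is intended, a one-line comment above the `'apt'` key, e.g. `# always use pgdg so every node runs the same upstream build`, preserves the reasoning that the reactor's version table used to carry; if not, the reactor should stay.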
From: Franziska Kunsmann Date: Fri, 14 Jul 2023 06:33:59 +0200 Subject: [PATCH 231/996] bundles/postgresql: remove version-specific options --- bundles/postgresql/files/postgresql.conf | 2 -- bundles/postgresql/items.py | 7 ++----- 2 files changed, 2 insertions(+), 7 deletions(-) diff --git a/bundles/postgresql/files/postgresql.conf b/bundles/postgresql/files/postgresql.conf index 2392466..0996a13 100644 --- a/bundles/postgresql/files/postgresql.conf +++ b/bundles/postgresql/files/postgresql.conf @@ -27,7 +27,5 @@ log_min_duration_statement = -1 % endif effective_io_concurrency = ${effective_io_concurrency} max_worker_processes = ${max_worker_processes} -% if version >= 10: max_parallel_workers = ${max_parallel_workers} -% endif max_parallel_workers_per_gather = ${max_parallel_workers_per_gather} diff --git a/bundles/postgresql/items.py b/bundles/postgresql/items.py index 83754e4..f9cdc46 100644 --- a/bundles/postgresql/items.py +++ b/bundles/postgresql/items.py @@ -1,4 +1,4 @@ -postgresql_version = node.metadata['postgresql']['version'] +postgresql_version = int(node.metadata.get('postgresql/version')) pkg_apt = { 'postgresql-common': {}, @@ -44,10 +44,7 @@ files = { }, "/etc/postgresql/{}/main/postgresql.conf".format(postgresql_version): { 'content_type': 'mako', - 'context': { - 'version': postgresql_version, - **node.metadata['postgresql'], - }, + 'context': node.metadata.get('postgresql'), 'owner': 'postgres', 'group': 'postgres', 'needs': { From 3ab8eb88bd67fd7e9252f4e8cf20ccb361924f8b Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sat, 15 Jul 2023 07:01:00 +0200 Subject: [PATCH 232/996] move matrix from rx300 to carlene --- nodes/carlene.toml | 56 +++++++++++++++++++++++++++++++++++++++++++++- nodes/rx300.py | 12 +++++----- 2 files changed, 61 insertions(+), 7 deletions(-) diff --git a/nodes/carlene.toml b/nodes/carlene.toml index f05f64f..685bd02 100644 --- a/nodes/carlene.toml +++ b/nodes/carlene.toml 
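Review bot: `int(node.metadata.get('postgresql/version'))` raises `ValueError` for a dotted pre-10 version such as `'9.6'`, which the old `.split('.')` handling accepted; if no node runs anything older than 10 that is fine, but a comment on that line, `# major version only; assumes PostgreSQL >= 10`, makes the assumption explicit. Passing the whole `node.metadata.get('postgresql')` dict as template context is consistent with the template no longer using `version`, so that part reads fine.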
@@ -1,10 +1,17 @@ hostname = "193.135.9.29" groups = [ "debian-bookworm", + "webserver", ] bundles = [ + "matrix-media-repo", + "matrix-synapse", + "mautrix-telegram", + "mautrix-whatsapp", + "redis", "smartd", "check-mail-received", + "postgresql", "zfs", ] 
@@ -16,9 +23,53 @@ imap_pass = "!bwpass_attr:t-online.de/franzi.kunsmann@t-online.de:imap" [metadata.interfaces.eno1] ips = [ "193.135.9.29/24", + "2a0a:51c0:0:225::2/64", ] gateway4 = "193.135.9.1" -#gateway6 = "" +gateway6 = "2a0a:51c0:0:225::1" + +[metadata.matrix-media-repo] +admins = ["@kunsi:franzi.business"] +sha1 = "0915bdf7c461368859180419d1f66717969cbe32" +upload_max_mb = 500 +version = "v1.2.13" +[metadata.matrix-media-repo.homeservers.'franzi.business'] +api = "synapse" +domain = "http://[::1]:20080/" + +[metadata.matrix-synapse] +admin_contact = "mailto:hostmaster@kunbox.net" +baseurl = "matrix.franzi.business" +server_name = "franzi.business" +trusted_key_servers = ["matrix.org", "finallycoffee.eu"] +additional_client_config.'im.vector.riot.jitsi'.preferredDomain = "meet.ffmuc.net" +# wellknown_also_on_vhosts = ["franzi.business"] + +[metadata.mautrix-telegram] +version = "v0.14.1" +homeserver.domain = "franzi.business" +homeserver.url = "https://matrix.franzi.business" +telegram.api_id = "!decrypt:encrypt$gAAAAABfVK5SmDDru-UQxitkE5VhPArnUBhaRbAqQPvAW2Fh3fd1XDrWxa3Qn4BSnJAPNWglH5wil_SXUMcIm95FMhPe8dVeMQ==" +telegram.api_token = "!decrypt:encrypt$gAAAAABfVK5jHuUly1xr9Iku362k7oF4ZYRhLGzNJh3aJpiNrLfAy_DJpTwucx4FV_g45dyQF5boqG2rgdDfwsJN_Ab95es6T4SPGiXIxJOBlvIln1Torwh16pXKchhUTn_PQ077Ll1W" +# same as for matrix-dimension +telegram.bot_token = "!decrypt:encrypt$gAAAAABfVK51ErJ6gfsOOkbRxSHDnVYmf7EihAQf7Uwj9og3TlAw64WRsA6ZVEgTSvOdLB3SMKZ-cTEhwkCOpbymq-_WLhes-hZALhN-H_oXHaxTQErJ0lARynKmjM-4ZhoGlUWlfh4Q" +provisioning.enabled = true +provisioning.shared_secret = "!decrypt:encrypt$gAAAAABfVKflEMAi07C_QGP8cy97hF-4gGPym0oF6p4WSMdAveTpx-hFsZd2s7v9ubw99yIsyKx0dHOJI0UND7hV1rKZdvjy4Qa642abZ2wwW7SWTqvuP_qVtrf6-klc2QKTzeD9c_LVsyZ2dqz_JxRPq3MRXgkubZuWOZ6FmFlAlteTffoGfWE=" +[metadata.mautrix-telegram.permissions] +"'*'" = "relaybot" +'franzi.business' = "full" +"'@kunsi:franzi.business'" = "admin" + +[metadata.mautrix-whatsapp] +version = "v0.8.6" +sha1 = 
"aa3c25aa2f8d2ddd241e2f73eea473ecdbaf295d" +permissions."'@kunsi:franzi.business'" = "admin" +[metadata.mautrix-whatsapp.homeserver] +domain = "franzi.business" +url = "https://matrix.franzi.business" + +[metadata.postgresql] +version = 15 [metadata.smartd] disks = [ @@ -33,6 +84,9 @@ devices = [ ] type = "mirror" +[metadata.zfs.datasets.tank] +primarycache = "metadata" + [metadata.vm] cpu = 24 ram = 64 diff --git a/nodes/rx300.py b/nodes/rx300.py index 9d71ea9..5a1272b 100644 --- a/nodes/rx300.py +++ b/nodes/rx300.py @@ -16,13 +16,13 @@ nodes['rx300'] = { 'jugendhackt_tools', 'lm-sensors', 'matrix-dimension', - 'matrix-media-repo', - 'matrix-synapse', - 'mautrix-telegram', - 'mautrix-whatsapp', + #'matrix-media-repo', + #'matrix-synapse', + #'mautrix-telegram', + #'mautrix-whatsapp', 'miniflux', 'minecraft', - 'mx-puppet-discord', + #'mx-puppet-discord', 'netbox', 'nodejs', 'ntfy', @@ -335,7 +335,7 @@ nodes['rx300'] = { 'forgejo': {'ssl': '_.franzi.business'}, 'jenkins-ci': {'ssl': '_.franzi.business'}, 'matrix-dimension': {'ssl': '_.franzi.business'}, - 'matrix-synapse': {'ssl': '_.franzi.business'}, + #'matrix-synapse': {'ssl': '_.franzi.business'}, 'miniflux': {'ssl': '_.franzi.business'}, 'netbox': {'ssl': '_.franzi.business'}, 'ntfy': {'ssl': '_.franzi.business'}, From 21ec75a398de915e167e02de16ed7d2cda91e834 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 23 Jul 2023 13:58:02 +0200 Subject: [PATCH 233/996] carlene: technician replugged the network cable to the other port :/ --- nodes/carlene.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nodes/carlene.toml b/nodes/carlene.toml index 685bd02..d0e4f3c 100644 --- a/nodes/carlene.toml +++ b/nodes/carlene.toml 
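Review bot: The migrated `[metadata.mautrix-telegram]` block pins `version` only, while `matrix-media-repo` and `mautrix-whatsapp` in the same hunk also pin a `sha1`; if the mautrix-telegram bundle supports a checksum, pinning it keeps the three bridges consistent. Compared with the rx300 configuration removed later in this series, `trusted_key_servers` and the mautrix-telegram `permissions` no longer mention `nyantec.com`, and `wellknown_also_on_vhosts` is commented out rather than carried over — confirm these drops are intentional rather than lost in the TOML conversion. The secret values are vault references, which is as it should be.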
@@ -20,7 +20,7 @@ email = "franzi.kunsmann@t-online.de" imap_host = "secureimap.t-online.de" imap_pass = "!bwpass_attr:t-online.de/franzi.kunsmann@t-online.de:imap" -[metadata.interfaces.eno1] +[metadata.interfaces.eno2] ips = [ "193.135.9.29/24", "2a0a:51c0:0:225::2/64", From 9d1fc65b82224419a96716bc1a77c34650821c5e Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 23 Jul 2023 13:58:34 +0200 Subject: [PATCH 234/996] update mautrix-whatsapp to 0.9.0 --- nodes/carlene.toml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/nodes/carlene.toml b/nodes/carlene.toml index d0e4f3c..eb57bc3 100644 --- a/nodes/carlene.toml +++ b/nodes/carlene.toml @@ -61,8 +61,8 @@ provisioning.shared_secret = "!decrypt:encrypt$gAAAAABfVKflEMAi07C_QGP8cy97hF-4g "'@kunsi:franzi.business'" = "admin" [metadata.mautrix-whatsapp] -version = "v0.8.6" -sha1 = "aa3c25aa2f8d2ddd241e2f73eea473ecdbaf295d" +version = "v0.9.0" +sha1 = "5cb95b3dd1f8b2c124bc08af1ce23ab425fe859e" permissions."'@kunsi:franzi.business'" = "admin" [metadata.mautrix-whatsapp.homeserver] domain = "franzi.business" From 80e0a29a31a5393dbf5c098903df2958db432780 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 23 Jul 2023 13:58:51 +0200 Subject: [PATCH 235/996] htz-cloud.afra: update element-web to 1.11.36 --- nodes/htz-cloud.afra.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nodes/htz-cloud.afra.toml b/nodes/htz-cloud.afra.toml index 4ab6fd6..80bad5f 100644 --- a/nodes/htz-cloud.afra.toml +++ b/nodes/htz-cloud.afra.toml @@ -32,7 +32,7 @@ routes.'172.19.136.0/22'.via = "172.19.137.1" [metadata.element-web] url = "element.afra.berlin" -version = "v1.11.35" +version = "v1.11.36" [metadata.element-web.config] default_server_config.'m.homeserver'.base_url = "https://matrix.afra.berlin" From 00cbabea1bbec482db2a9f3874f28f2ba42faf4f Mon Sep 17 00:00:00 2001 
From: Franziska Kunsmann Date: Sun, 23 Jul 2023 14:02:09 +0200 Subject: [PATCH 236/996] bundles/mixcloud-downloader: fix duplicate --- bundles/mixcloud-downloader/files/download.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/bundles/mixcloud-downloader/files/download.sh b/bundles/mixcloud-downloader/files/download.sh index 963d44d..302b256 100644 --- a/bundles/mixcloud-downloader/files/download.sh +++ b/bundles/mixcloud-downloader/files/download.sh @@ -21,7 +21,7 @@ pip install --upgrade pip yt-dlp errors=0 -for i in Neosignal tasmo starkato b4m Alexeyan jakehunnter davem_dokebi tasmo +for i in Neosignal tasmo starkato b4m Alexeyan jakehunnter davem_dokebi do echo "> mixcloud $i" >&2 if ! [[ -d "/storage/nas/Musik/mixcloud/$i" ]] From 4b434e7946e737ec4d54f547ed058efb77d7d4cd Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 23 Jul 2023 14:04:01 +0200 Subject: [PATCH 237/996] bundles/mixcloud-downloader: fix username --- bundles/mixcloud-downloader/files/download.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/bundles/mixcloud-downloader/files/download.sh b/bundles/mixcloud-downloader/files/download.sh index 302b256..6ddce1e 100644 --- a/bundles/mixcloud-downloader/files/download.sh +++ b/bundles/mixcloud-downloader/files/download.sh @@ -21,7 +21,7 @@ pip install --upgrade pip yt-dlp errors=0 -for i in Neosignal tasmo starkato b4m Alexeyan jakehunnter davem_dokebi +for i in Neosignal tasmo starkato b4m ProjectPoltergeist jakehunnter davem_dokebi do echo "> mixcloud $i" >&2 if ! [[ -d "/storage/nas/Musik/mixcloud/$i" ]] From 92acae3cbe36471f7e9f90eeaa1aa4212daa117e Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 23 Jul 2023 15:48:07 +0200 Subject: [PATCH 238/996] move element-web from rx300 to carlene --- nodes/carlene.toml | 12 ++++++++++++ nodes/rx300.py | 22 ++++++++++++++++++++-- 2 files changed, 32 insertions(+), 2 deletions(-) 
diff --git a/nodes/carlene.toml b/nodes/carlene.toml index eb57bc3..6fc918b 100644 --- a/nodes/carlene.toml +++ b/nodes/carlene.toml @@ -4,10 +4,12 @@ groups = [ "webserver", ] bundles = [ + "element-web", "matrix-media-repo", "matrix-synapse", "mautrix-telegram", "mautrix-whatsapp", + "nodejs", "redis", "smartd", "check-mail-received", @@ -20,6 +22,16 @@ email = "franzi.kunsmann@t-online.de" imap_host = "secureimap.t-online.de" imap_pass = "!bwpass_attr:t-online.de/franzi.kunsmann@t-online.de:imap" +[metadata.element-web] +url = "chat.franzi.business" +version = "v1.11.36" +[metadata.element-web.config] +default_server_config.'m.homeserver'.base_url = "https://matrix.franzi.business" +default_server_config.'m.homeserver'.server_name = "franzi.business" +brand = "franzi.business" +defaultCountryCode = "DE" +jitsi.preferredDomain = "meet.ffmuc.net" + [metadata.interfaces.eno2] ips = [ "193.135.9.29/24", diff --git a/nodes/rx300.py b/nodes/rx300.py index 5a1272b..c7f7647 100644 --- a/nodes/rx300.py +++ b/nodes/rx300.py @@ -9,7 +9,7 @@ nodes['rx300'] = { 'bundles': { 'check-mail-received', 'dovecot', - 'element-web', + #'element-web', 'gitea', 'ipmitool', 'jenkins-ci', @@ -331,7 +331,7 @@ nodes['rx300'] = { 'Encryption': 'https://franzi.business/gpg_hi-kunsmann.eu.asc', }, 'vhosts': { - 'element-web': {'ssl': '_.franzi.business'}, + #'element-web': {'ssl': '_.franzi.business'}, 'forgejo': {'ssl': '_.franzi.business'}, 'jenkins-ci': {'ssl': '_.franzi.business'}, 'matrix-dimension': {'ssl': '_.franzi.business'}, 
@@ -355,6 +355,24 @@ nodes['rx300'] = { 'webroot': '/var/www/franzi.business/_site/', 'ssl': '_.franzi.business', 'extras': True, + "locations": { + "/.well-known/matrix/client": { + "additional_config": [ + "add_header Access-Control-Allow-Origin *", + "default_type application/json" + ], + "content": "{\"im.vector.riot.jitsi\": {\"preferredDomain\": \"meet.ffmuc.net\"}, \"m.homeserver\": {\"base_url\": \"https://matrix.franzi.business\"}, \"m.identity_server\": {\"base_url\": \"https://matrix.org\"}}", + "return": 200 + }, + "/.well-known/matrix/server": { + "additional_config": [ + "add_header Access-Control-Allow-Origin *", + "default_type application/json" + ], + "content": "{\"m.server\": \"matrix.franzi.business:443\"}", + "return": 200 + } + }, }, 'git.kunsmann.eu': { 'locations': { From 3a8e3ce01bc649d6b415bd7b50e3e1c8c7bf8a1a Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Wed, 26 Jul 2023 08:24:25 +0200 Subject: [PATCH 239/996] home.kodi-wohnzimmer: do not reboot automatically --- nodes/home.kodi-wohnzimmer.toml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/nodes/home.kodi-wohnzimmer.toml b/nodes/home.kodi-wohnzimmer.toml index f3a2cf5..8a77455 100644 --- a/nodes/home.kodi-wohnzimmer.toml +++ b/nodes/home.kodi-wohnzimmer.toml @@ -7,6 +7,8 @@ groups = ["debian-bullseye"] [metadata.apt.unattended-upgrades] day = 6 hour = 2 +# needs powered on display to detect HDMI audio correctly +reboot_enabled = false [metadata.interfaces.eno1] ips = ["172.19.138.24/24"] From 3826ccf4ecfa22be3daa20c5e37b5852694c6d3a Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Wed, 26 Jul 2023 08:29:37 +0200 Subject: [PATCH 240/996] remove reboot mails, noone does care about these anyway --- bundles/apt/files/upgrade-and-reboot | 4 ---- bundles/apt/files/upgrade-and-reboot.conf | 1 - bundles/pacman/files/upgrade-and-reboot | 4 ---- groups/os.py | 5 ----- 4 files changed, 14 deletions(-) 
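Review bot: The two `.well-known/matrix/*` bodies are hand-escaped JSON strings inside a Python node file; building them with `json.dumps({...})` (if the node file may import) avoids the backslash noise and makes a future edit to `base_url` or `m.server` far less error-prone. They presumably duplicate what the `matrix-synapse` bundle's `wellknown_also_on_vhosts` used to emit before it was commented out on carlene, so a comment such as `# served here because franzi.business stays on rx300 while synapse moved to carlene` would explain why the node rather than the bundle owns them. `Access-Control-Allow-Origin *` is what the Matrix spec requires for these endpoints, so that part is fine.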
diff --git a/bundles/apt/files/upgrade-and-reboot b/bundles/apt/files/upgrade-and-reboot index 1a0ff36..81516e2 100644 --- a/bundles/apt/files/upgrade-and-reboot +++ b/bundles/apt/files/upgrade-and-reboot @@ -46,10 +46,6 @@ fi if [[ -f /var/run/reboot-required ]] && [[ "$auto_reboot_enabled" == "True" ]] then - if [[ -n "$reboot_mail_to" ]] - then - date | mail -s "SYSREBOOTNOW $nodename" "$reboot_mail_to" - fi systemctl reboot fi diff --git a/bundles/apt/files/upgrade-and-reboot.conf b/bundles/apt/files/upgrade-and-reboot.conf index ca71dce..8eff278 100644 --- a/bundles/apt/files/upgrade-and-reboot.conf +++ b/bundles/apt/files/upgrade-and-reboot.conf @@ -1,3 +1,2 @@ nodename="${node.name}" -reboot_mail_to="${node.metadata.get('apt/unattended-upgrades/reboot_mail_to', '')}" auto_reboot_enabled="${node.metadata.get('apt/unattended-upgrades/reboot_enabled', True)}" diff --git a/bundles/pacman/files/upgrade-and-reboot b/bundles/pacman/files/upgrade-and-reboot index 8f1e9c1..41973aa 100644 --- a/bundles/pacman/files/upgrade-and-reboot +++ b/bundles/pacman/files/upgrade-and-reboot @@ -44,10 +44,6 @@ then exit 1 fi -if [[ -n "$reboot_mail_to" ]] -then - date | mail -s "SYSREBOOTNOW $nodename" "$reboot_mail_to" -fi systemctl reboot echo "upgrade-and-reboot for node $nodename is DONE" diff --git a/groups/os.py b/groups/os.py index ab6339c..754d427 100644 --- a/groups/os.py +++ b/groups/os.py @@ -33,11 +33,6 @@ groups['linux'] = { 'users', }, 'metadata': { - 'apt': { - 'unattended-upgrades': { - 'reboot_mail_to': libs.defaults.hostmaster_email, - }, - }, 'backup-client': { 'target': 'htz-hel.backup-kunsi', }, From c121110f0052fe6ef75f6f91fac8054bba352ccd Mon Sep 17 00:00:00 2001 
From: Franziska Kunsmann Date: Tue, 1 Aug 2023 21:21:31 +0200 Subject: [PATCH 241/996] bundles/travelynx: prepare for bookworm --- bundles/travelynx/files/travelynx.conf | 3 +++ bundles/travelynx/files/travelynx.service | 6 +++--- bundles/travelynx/items.py | 9 +++++---- bundles/travelynx/metadata.py | 6 ++++++ 4 files changed, 17 insertions(+), 7 deletions(-) diff --git a/bundles/travelynx/files/travelynx.conf b/bundles/travelynx/files/travelynx.conf index 7787d8b..46883cf 100644 --- a/bundles/travelynx/files/travelynx.conf +++ b/bundles/travelynx/files/travelynx.conf @@ -40,6 +40,9 @@ secrets => [ '${cookie_secret}', +% for i in sorted(additional_cookie_secrets): + '${i}', +% endfor ], version => '${version}', diff --git a/bundles/travelynx/files/travelynx.service b/bundles/travelynx/files/travelynx.service index 6c7b4f2..53aec53 100644 --- a/bundles/travelynx/files/travelynx.service +++ b/bundles/travelynx/files/travelynx.service @@ -8,9 +8,9 @@ Type=simple RemainAfterExit=yes PIDFile=/var/cache/travelynx/travelynx.pid -ExecStart=/usr/local/bin/hypnotoad -f index.pl -ExecStop=/usr/local/bin/hypnotoad -s index.pl -ExecReload=/usr/local/bin/hypnotoad index.pl +ExecStart=/usr/bin/hypnotoad -f index.pl +ExecStop=/usr/bin/hypnotoad -s index.pl +ExecReload=/usr/bin/hypnotoad index.pl User=travelynx WorkingDirectory=/opt/travelynx diff --git a/bundles/travelynx/items.py b/bundles/travelynx/items.py index 5463a1b..9a03785 100644 --- a/bundles/travelynx/items.py +++ b/bundles/travelynx/items.py @@ -20,14 +20,14 @@ directories = { } files = { - '/etc/systemd/system/travelynx.service': { + '/usr/local/lib/systemd/system/travelynx.service': { 'triggers': { 'action:systemd-reload', 'svc_systemd:travelynx:restart', 'svc_systemd:travelynx-worker:restart', }, }, - '/etc/systemd/system/travelynx-worker.service': { + '/usr/local/lib/systemd/system/travelynx-worker.service': { 'triggers': { 'action:systemd-reload', 'svc_systemd:travelynx:restart', 
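Review bot: The ordering the new loop relies on is undocumented: Mojolicious signs cookies with the first entry of `secrets` and uses the remaining entries only to verify existing ones, so keeping `${cookie_secret}` first and the additional secrets after it is what makes rotation work — a template comment above the loop, `## first secret signs; the rest only verify cookies issued under older secrets`, would keep someone from reordering them. Both `${cookie_secret}` and `${i}` are interpolated unescaped into a single-quoted Perl string, so a secret containing `'` or `\` would break the config; acceptable while the values come from `repo.vault.password_for` and the vault, but worth a note next to the loop. The `secrets => [` list starts outside the hunk.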
@@ -102,14 +102,15 @@ actions = { svc_systemd = { 'travelynx': { 'needs': { - 'file:/etc/systemd/system/travelynx.service', + 'file:/usr/local/lib/systemd/system/travelynx.service', 'action:travelynx_database_migrate', 'directory:/var/cache/travelynx', + 'pkg_apt:libmojolicious-perl', }, }, 'travelynx-worker': { 'needs': { - 'file:/etc/systemd/system/travelynx-worker.service', + 'file:/usr/local/lib/systemd/system/travelynx-worker.service', 'svc_systemd:travelynx', }, }, diff --git a/bundles/travelynx/metadata.py b/bundles/travelynx/metadata.py index 969b0cd..b7dadd6 100644 --- a/bundles/travelynx/metadata.py +++ b/bundles/travelynx/metadata.py @@ -1,4 +1,9 @@ defaults = { + 'apt': { + 'packages': { + 'libmojolicious-perl': {}, + }, + }, 'travelynx': { 'database': { 'username': 'travelynx', @@ -9,6 +14,7 @@ defaults = { 'spare_workers': 2, 'mail_from': 'travelynx@{}'.format(node.hostname), 'cookie_secret': repo.vault.password_for('{} travelynx cookie_secret'.format(node.name)), + 'additional_cookie_secrets': set(), }, 'postgresql': { 'roles': { From a16fcdd935450d9f57922dbb94f527e11103f8f8 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Tue, 1 Aug 2023 21:22:28 +0200 Subject: [PATCH 242/996] migrate travelynx to carlene --- data/travelynx/files/imprint/{rx300 => carlene} | 0 nodes/carlene.toml | 8 ++++++++ nodes/rx300.py | 4 ++-- 3 files changed, 10 insertions(+), 2 deletions(-) rename data/travelynx/files/imprint/{rx300 => carlene} (100%) diff --git a/data/travelynx/files/imprint/rx300 b/data/travelynx/files/imprint/carlene similarity index 100% rename from data/travelynx/files/imprint/rx300 rename to data/travelynx/files/imprint/carlene diff --git a/nodes/carlene.toml b/nodes/carlene.toml index 6fc918b..98ef291 100644 --- a/nodes/carlene.toml +++ b/nodes/carlene.toml @@ -14,6 +14,7 @@ bundles = [ "smartd", "check-mail-received", "postgresql", + "travelynx", "zfs", ] 
@@ -89,6 +90,13 @@ disks = [ "/dev/nvme1", ] +[metadata.travelynx] +version = "1.33.7" +mail_from = "travelynx@franzi.business" +domain = "travelynx.franzi.business" +# the old one from rx300, XXX remove 2024-01-01 +additional_cookie_secrets = ["!decrypt:encrypt$gAAAAABkyVq1Eena0FVcAW1V456-QrEtKL_fU7RSGr9mZTSBG28bk5bHJdqkvxrr4rOXNCnreJY7AsJSw-h7yrbzTNa9CUzOtt_a0caQIi7Qnen5k_TI_hTa08jViYLu3WrRxLPknpU_"] + [[metadata.zfs.pools.tank.when_creating.config]] devices = [ "/dev/nvme0n1p3", diff --git a/nodes/rx300.py b/nodes/rx300.py index c7f7647..305bf64 100644 --- a/nodes/rx300.py +++ b/nodes/rx300.py @@ -34,7 +34,7 @@ nodes['rx300'] = { 'redis', 'rspamd', 'smartd', - 'travelynx', + #'travelynx', 'unbound', 'vmhost', 'zfs', @@ -340,7 +340,7 @@ nodes['rx300'] = { 'netbox': {'ssl': '_.franzi.business'}, 'ntfy': {'ssl': '_.franzi.business'}, 'radicale': {'ssl': '_.franzi.business'}, - 'travelynx': {'ssl': '_.franzi.business'}, + #'travelynx': {'ssl': '_.franzi.business'}, 'daskritzelt-redirect': { 'domain': 'die-brontosaurier-waren-es.org', 'ssl': None, From 88ccd3ca728d76e5d32625a3ed53a64d23128394 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Wed, 2 Aug 2023 08:07:36 +0200 Subject: [PATCH 243/996] migrate netbox from rx300 to carlene --- bundles/netbox/items.py | 8 ++++---- nodes/carlene.toml | 6 ++++++ nodes/rx300.py | 4 ++-- 3 files changed, 12 insertions(+), 6 deletions(-) diff --git a/bundles/netbox/items.py b/bundles/netbox/items.py index ca54922..b04698a 100644 --- a/bundles/netbox/items.py +++ b/bundles/netbox/items.py @@ -73,13 +73,13 @@ actions = { } files = { - '/etc/systemd/system/netbox-web.service': { + '/usr/local/lib/systemd/system/netbox-web.service': { 'triggers': { 'action:systemd-reload', 'svc_systemd:netbox-web:restart', }, }, - '/etc/systemd/system/netbox-worker.service': { + '/usr/local/lib/systemd/system/netbox-worker.service': { 'triggers': { 'action:systemd-reload', 'svc_systemd:netbox-worker:restart', 
@@ -108,7 +108,7 @@ svc_systemd = { 'needs': { 'action:netbox_install', 'action:netbox_upgrade', - 'file:/etc/systemd/system/netbox-web.service', + 'file:/usr/local/lib/systemd/system/netbox-web.service', 'file:/opt/netbox/gunicorn_config.py', 'file:/opt/netbox/src/netbox/netbox/configuration.py', }, @@ -117,7 +117,7 @@ svc_systemd = { 'needs': { 'action:netbox_install', 'action:netbox_upgrade', - 'file:/etc/systemd/system/netbox-worker.service', + 'file:/usr/local/lib/systemd/system/netbox-worker.service', 'file:/opt/netbox/src/netbox/netbox/configuration.py', }, }, diff --git a/nodes/carlene.toml b/nodes/carlene.toml index 98ef291..afb7722 100644 --- a/nodes/carlene.toml +++ b/nodes/carlene.toml @@ -9,6 +9,7 @@ bundles = [ "matrix-synapse", "mautrix-telegram", "mautrix-whatsapp", + "netbox", "nodejs", "redis", "smartd", @@ -81,6 +82,11 @@ permissions."'@kunsi:franzi.business'" = "admin" domain = "franzi.business" url = "https://matrix.franzi.business" +[metadata.netbox] +domain = "netbox.franzi.business" +version = "v3.5.7" +admins.kunsi = "hostmaster@kunbox.net" + [metadata.postgresql] version = 15 diff --git a/nodes/rx300.py b/nodes/rx300.py index 305bf64..3f8cfde 100644 --- a/nodes/rx300.py +++ b/nodes/rx300.py @@ -23,7 +23,7 @@ nodes['rx300'] = { 'miniflux', 'minecraft', #'mx-puppet-discord', - 'netbox', + #'netbox', 'nodejs', 'ntfy', 'oidentd', @@ -337,7 +337,7 @@ nodes['rx300'] = { 'matrix-dimension': {'ssl': '_.franzi.business'}, #'matrix-synapse': {'ssl': '_.franzi.business'}, 'miniflux': {'ssl': '_.franzi.business'}, - 'netbox': {'ssl': '_.franzi.business'}, + #'netbox': {'ssl': '_.franzi.business'}, 'ntfy': {'ssl': '_.franzi.business'}, 'radicale': {'ssl': '_.franzi.business'}, #'travelynx': {'ssl': '_.franzi.business'}, From f1045172fd8f37e3c94c99917a1f5e4b385829b3 Mon Sep 17 00:00:00 2001 
From: Franziska Kunsmann Date: Wed, 2 Aug 2023 08:09:30 +0200 Subject: [PATCH 244/996] rx300: delete unused configs --- nodes/rx300.py | 107 ------------------------------------------------- 1 file changed, 107 deletions(-) diff --git a/nodes/rx300.py b/nodes/rx300.py index 3f8cfde..f6214f9 100644 --- a/nodes/rx300.py +++ b/nodes/rx300.py @@ -9,21 +9,14 @@ nodes['rx300'] = { 'bundles': { 'check-mail-received', 'dovecot', - #'element-web', 'gitea', 'ipmitool', 'jenkins-ci', 'jugendhackt_tools', 'lm-sensors', 'matrix-dimension', - #'matrix-media-repo', - #'matrix-synapse', - #'mautrix-telegram', - #'mautrix-whatsapp', 'miniflux', 'minecraft', - #'mx-puppet-discord', - #'netbox', 'nodejs', 'ntfy', 'oidentd', @@ -34,7 +27,6 @@ nodes['rx300'] = { 'redis', 'rspamd', 'smartd', - #'travelynx', 'unbound', 'vmhost', 'zfs', @@ -104,30 +96,6 @@ nodes['rx300'] = { 'imap_pass': bwpass.attr('t-online.de/franzi.kunsmann@t-online.de', 'imap'), }, }, - 'element-web': { - 'url': 'chat.franzi.business', - 'version': 'v1.11.35', - 'config': { - 'default_server_config': { - 'm.homeserver': { - 'base_url': 'https://matrix.franzi.business', - 'server_name': 'franzi.business', - }, - }, - 'brand': 'franzi.business', - 'showLabsSettings': True, - 'integrations_ui_url': 'https://dimension.franzi.business/riot', - 'integrations_rest_url': 'https://dimension.franzi.business/api/v1/scalar', - 'integrations_widgets_urls': { - 'https://dimension.franzi.business/widgets' - }, - 'default_theme': 'dark', - 'defaultCountryCode': 'DE', - 'jitsi': { - 'preferredDomain': 'meet.ffmuc.net', - }, - }, - }, 'gitea': { 'url': 'https://codeberg.org/attachments/8aac5e74-a26b-44c9-83b8-267f114af958', 'sha1': '4dda6dd09e75e38e4f564bd8249d8fc3dc4a334a', 
@@ -201,20 +169,6 @@ nodes['rx300'] = { 'rx300.kunbox.net': set(), }, }, - 'matrix-media-repo': { - 'version': 'v1.2.13', - 'sha1': '0915bdf7c461368859180419d1f66717969cbe32', - 'homeservers': { - 'franzi.business': { - 'domain': 'http://[::1]:20080/', - 'api': 'synapse', - }, - }, - 'admins': { - '@kunsi:franzi.business', - }, - 'upload_max_mb': 500, - }, 'matrix-dimension': { 'url': 'dimension.franzi.business', 'version': 'c6d047c', # XXX master is broken as of 2021-11-27 
@@ -231,58 +185,6 @@ nodes['rx300'] = { 'botToken': vault.decrypt('encrypt$gAAAAABfVK51ErJ6gfsOOkbRxSHDnVYmf7EihAQf7Uwj9og3TlAw64WRsA6ZVEgTSvOdLB3SMKZ-cTEhwkCOpbymq-_WLhes-hZALhN-H_oXHaxTQErJ0lARynKmjM-4ZhoGlUWlfh4Q'), }, }, - 'matrix-synapse': { - 'server_name': 'franzi.business', - 'baseurl': 'matrix.franzi.business', - 'admin_contact': 'mailto:hostmaster@kunbox.net', - 'trusted_key_servers': { - 'matrix.org', - 'finallycoffee.eu', - 'nyantec.com', - }, - 'additional_client_config': { - 'im.vector.riot.jitsi': { - 'preferredDomain': 'meet.ffmuc.net', - }, - }, - 'wellknown_also_on_vhosts': { - 'franzi.business', - }, - }, - 'mautrix-telegram': { - 'version': 'v0.14.1', - 'homeserver': { - 'domain': 'franzi.business', - 'url': 'https://matrix.franzi.business', - }, - 'provisioning': { - 'enabled': True, - 'shared_secret': vault.decrypt('encrypt$gAAAAABfVKflEMAi07C_QGP8cy97hF-4gGPym0oF6p4WSMdAveTpx-hFsZd2s7v9ubw99yIsyKx0dHOJI0UND7hV1rKZdvjy4Qa642abZ2wwW7SWTqvuP_qVtrf6-klc2QKTzeD9c_LVsyZ2dqz_JxRPq3MRXgkubZuWOZ6FmFlAlteTffoGfWE='), - }, - 'permissions': { - "'*'": 'relaybot', - 'nyantec.com': 'full', - 'franzi.business': 'full', - "'@kunsi:franzi.business'": 'admin', - }, - 'telegram': { - 'api_id': vault.decrypt('encrypt$gAAAAABfVK5SmDDru-UQxitkE5VhPArnUBhaRbAqQPvAW2Fh3fd1XDrWxa3Qn4BSnJAPNWglH5wil_SXUMcIm95FMhPe8dVeMQ=='), - 'api_token': vault.decrypt('encrypt$gAAAAABfVK5jHuUly1xr9Iku362k7oF4ZYRhLGzNJh3aJpiNrLfAy_DJpTwucx4FV_g45dyQF5boqG2rgdDfwsJN_Ab95es6T4SPGiXIxJOBlvIln1Torwh16pXKchhUTn_PQ077Ll1W'), - # same as for matrix-dimension - 'bot_token': vault.decrypt('encrypt$gAAAAABfVK51ErJ6gfsOOkbRxSHDnVYmf7EihAQf7Uwj9og3TlAw64WRsA6ZVEgTSvOdLB3SMKZ-cTEhwkCOpbymq-_WLhes-hZALhN-H_oXHaxTQErJ0lARynKmjM-4ZhoGlUWlfh4Q'), - }, - }, - 'mautrix-whatsapp': { - 'version': 'v0.8.6', - 'sha1': 'aa3c25aa2f8d2ddd241e2f73eea473ecdbaf295d', - 'homeserver': { - 'domain': 'franzi.business', - 'url': 'https://matrix.franzi.business', - }, - 'permissions': { - "'@kunsi:franzi.business'": 
'admin', - }, - }, 'miniflux': { 'domain': 'rss.franzi.business', }, @@ -331,16 +233,12 @@ nodes['rx300'] = { 'Encryption': 'https://franzi.business/gpg_hi-kunsmann.eu.asc', }, 'vhosts': { - #'element-web': {'ssl': '_.franzi.business'}, 'forgejo': {'ssl': '_.franzi.business'}, 'jenkins-ci': {'ssl': '_.franzi.business'}, 'matrix-dimension': {'ssl': '_.franzi.business'}, - #'matrix-synapse': {'ssl': '_.franzi.business'}, 'miniflux': {'ssl': '_.franzi.business'}, - #'netbox': {'ssl': '_.franzi.business'}, 'ntfy': {'ssl': '_.franzi.business'}, 'radicale': {'ssl': '_.franzi.business'}, - #'travelynx': {'ssl': '_.franzi.business'}, 'daskritzelt-redirect': { 'domain': 'die-brontosaurier-waren-es.org', 'ssl': None, @@ -569,11 +467,6 @@ nodes['rx300'] = { }, }, }, - 'travelynx': { - 'version': '1.32.0', - 'mail_from': 'travelynx@franzi.business', - 'domain': 'travelynx.franzi.business', - }, 'unbound': { 'threads': 8, 'cache_slabs': 8, From b692b09c0011edfcd04813e8883268b86b2fbfc7 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Wed, 2 Aug 2023 16:37:48 +0200 Subject: [PATCH 245/996] rename bundle:gitea to bundle:forgejo --- PORT_MAP.md | 2 +- bundles/{gitea => forgejo}/files/app.ini | 3 +- .../files/forgejo.service} | 7 +- bundles/forgejo/items.py | 65 ++++++++++++++++++ bundles/{gitea => forgejo}/metadata.py | 56 ++++++--------- bundles/gitea/items.py | 68 ------------------- .../files/ssh-keys/carlene.key.vault} | 0 .../files/ssh-keys/carlene.pub} | 0 8 files changed, 91 insertions(+), 110 deletions(-) rename bundles/{gitea => forgejo}/files/app.ini (96%) rename bundles/{gitea/files/gitea.service => forgejo/files/forgejo.service} (55%) create mode 100644 bundles/forgejo/items.py rename bundles/{gitea => forgejo}/metadata.py (56%) delete mode 100644 bundles/gitea/items.py rename data/{gitea/files/ssh-keys/rx300.key.vault => forgejo/files/ssh-keys/carlene.key.vault} (100%) rename data/{gitea/files/ssh-keys/rx300.pub => forgejo/files/ssh-keys/carlene.pub} (100%) 
diff --git a/PORT_MAP.md b/PORT_MAP.md index 453040d..fd5c46b 100644 --- a/PORT_MAP.md +++ b/PORT_MAP.md @@ -36,7 +36,7 @@ Rule of thumb: keep ports below 10000 free for stuff that reserves ports. | 20090 | matrix-media-repo | prometheus metrics | | 21000 | pleroma | pleroma | | 21010 | grafana | grafana | -| 22000 | gitea | forgejo | +| 22000 | forgejo | forgejo | | 22010 | jenkins-ci | Jenkins CI | | 22020 | travelynx | Travelynx Web | | 22030 | octoprint | OctoPrint Web Interface | diff --git a/bundles/gitea/files/app.ini b/bundles/forgejo/files/app.ini similarity index 96% rename from bundles/gitea/files/app.ini rename to bundles/forgejo/files/app.ini index b55f210..557a20c 100644 --- a/bundles/gitea/files/app.ini +++ b/bundles/forgejo/files/app.ini @@ -1,9 +1,10 @@ APP_NAME = ${app_name} RUN_USER = git RUN_MODE = prod +WORK_PATH = /var/lib/forgejo [repository] -ROOT = /home/git/gitea-repositories +ROOT = /var/lib/forgejo/repositories MAX_CREATION_LIMIT = 0 DEFAULT_BRANCH = main diff --git a/bundles/gitea/files/gitea.service b/bundles/forgejo/files/forgejo.service similarity index 55% rename from bundles/gitea/files/gitea.service rename to bundles/forgejo/files/forgejo.service index 24f1505..76a5096 100644 --- a/bundles/gitea/files/gitea.service +++ b/bundles/forgejo/files/forgejo.service @@ -5,14 +5,13 @@ After=network.target Requires=postgresql.service [Service] -RestartSec=2s +RestartSec=10 Type=simple User=git Group=git -WorkingDirectory=/var/lib/gitea/ -ExecStart=/usr/local/bin/gitea web -c /etc/gitea/app.ini +WorkingDirectory=/var/lib/forgejo +ExecStart=/usr/local/bin/forgejo web -c /etc/forgejo/app.ini Restart=always -Environment=USER=git HOME=/home/git GITEA_WORK_DIR=/var/lib/gitea [Install] WantedBy=multi-user.target diff --git a/bundles/forgejo/items.py b/bundles/forgejo/items.py new file mode 100644 index 0000000..cb51771 --- /dev/null +++ b/bundles/forgejo/items.py 
@@ -0,0 +1,65 @@
+users = {
+ 'git': {
+ 'home': '/var/lib/forgejo',
+ },
+}
+
+directories = {
+ '/var/lib/forgejo/.ssh': {
+ 'mode': '0700',
+ 'owner': 'git',
+ 'group': 'git',
+ },
+ '/var/lib/forgejo': {
+ 'owner': 'git',
+ 'mode': '0700',
+ 'triggers': {
+ 'svc_systemd:forgejo:restart',
+ },
+ },
+}
+
+files = {
+ '/usr/local/lib/systemd/system/forgejo.service': {
+ 'content_type': 'mako',
+ 'context': node.metadata.get('forgejo'),
+ 'triggers': {
+ 'action:systemd-reload',
+ 'svc_systemd:forgejo:restart',
+ },
+ },
+ '/etc/forgejo/app.ini': {
+ 'content_type': 'mako',
+ 'context': node.metadata.get('forgejo'),
+ 'triggers': {
+ 'svc_systemd:forgejo:restart',
+ },
+ },
+ '/usr/local/bin/forgejo': {
+ 'content_type': 'download',
+ 'source': node.metadata.get('forgejo/url'),
+ 'content_hash': node.metadata.get('forgejo/sha1', None),
+ 'mode': '0755',
+ 'triggers': {
+ 'svc_systemd:forgejo:restart',
+ },
+ },
+}
+
+if node.metadata.get('forgejoinstall_ssh_key', False):
+ files['/var/lib/forgejo/.ssh/id_ed25519'] = {
+ 'content': repo.vault.decrypt_file(f'forgejo/files/ssh-keys/{node.name}.key.vault'),
+ 'mode': '0600',
+ 'owner': 'git',
+ 'group': 'git',
+ }
+
+svc_systemd = {
+ 'forgejo': {
+ 'needs': {
+ 'file:/etc/forgejo/app.ini',
+ 'file:/usr/local/bin/forgejo',
+ 'file:/usr/local/lib/systemd/system/forgejo.service',
+ },
+ },
+}
diff --git a/bundles/gitea/metadata.py b/bundles/forgejo/metadata.py
similarity index 56%
rename from bundles/gitea/metadata.py
rename to bundles/forgejo/metadata.py
index 2b9bcbe..d94eb9f 100644
--- a/bundles/gitea/metadata.py
+++ b/bundles/forgejo/metadata.py
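Review bot: The metadata key in the `if` guard is missing its path separator: `node.metadata.get('forgejoinstall_ssh_key', False)` looks up a top-level key that nothing sets, so `install_ssh_key = true` under `[metadata.forgejo]` on carlene never installs the deploy key. It should read `if node.metadata.get('forgejo/install_ssh_key', False):`, matching what the deleted gitea bundle did with `node.metadata['gitea'].get('install_ssh_key', False)`. Separately, `content_hash` for `/usr/local/bin/forgejo` is fed from a key named `sha1`; if that hash is the only integrity check on the downloaded binary it pins the release but is a weak guarantee, so a short comment on the `'content_hash'` line noting where the value is taken from (and that the codeberg release signature was checked out of band, if it was) would help the next person bumping `url`/`sha1`.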
@@ -1,33 +1,32 @@ defaults = { 'backups': { 'paths': { - '/home/git', - '/var/lib/gitea', + '/var/lib/forgejo', }, }, - 'gitea': { + 'forgejo': { 'app_name': 'Forgejo', 'database': { - 'username': 'gitea', - 'password': repo.vault.password_for('{} postgresql gitea'.format(node.name)), - 'database': 'gitea', + 'username': 'forgejo', + 'password': repo.vault.password_for('{} postgresql forgejo'.format(node.name)), + 'database': 'forgejo', }, 'disable_registration': True, 'email_domain_blocklist': set(), 'enable_git_hooks': False, - 'internal_token': repo.vault.password_for('{} gitea internal_token'.format(node.name)), - 'lfs_secret_key': repo.vault.password_for('{} gitea lfs_secret_key'.format(node.name)), - 'oauth_secret_key': repo.vault.password_for('{} gitea oauth_secret_key'.format(node.name)), - 'security_secret_key': repo.vault.password_for('{} gitea security_secret_key'.format(node.name)), + 'internal_token': repo.vault.password_for('{} forgejo internal_token'.format(node.name)), + 'lfs_secret_key': repo.vault.password_for('{} forgejo lfs_secret_key'.format(node.name)), + 'oauth_secret_key': repo.vault.password_for('{} forgejo oauth_secret_key'.format(node.name)), + 'security_secret_key': repo.vault.password_for('{} forgejo security_secret_key'.format(node.name)), }, 'icinga2_api': { - 'gitea': { + 'forgejo': { 'services': { 'FORGEJO PROCESS': { - 'command_on_monitored_host': '/usr/local/share/icinga/plugins/check_systemd_unit gitea', + 'command_on_monitored_host': '/usr/local/share/icinga/plugins/check_systemd_unit forgejo', }, 'FORGEJO UPDATE': { - 'command_on_monitored_host': '/usr/local/share/icinga/plugins/check_forgejo_for_new_release codeberg.org forgejo/forgejo v$(gitea --version | cut -d" " -f3)', + 'command_on_monitored_host': '/usr/local/share/icinga/plugins/check_forgejo_for_new_release codeberg.org forgejo/forgejo v$(forgejo --version | cut -d" " -f3)', 'vars.notification.mail': True, 'check_interval': '60m', }, 
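Review bot: Renaming the `repo.vault.password_for()` labels from `… gitea …` to `… forgejo …` derives new values for `database.password`, `internal_token`, `lfs_secret_key`, `oauth_secret_key` and `security_secret_key`; this is a secret rotation, not just a rename. The database password stays consistent because the `postgresql.roles` label in the next hunk changes in step, and carlene overrides the four tokens in its node file, but any other node using this bundle without overrides would silently get a fresh `security_secret_key`, invalidating existing sessions and, presumably, data encrypted with the old key. A comment above `'forgejo': {` such as `# NOTE: vault labels renamed gitea -> forgejo; nodes that do not override the tokens get rotated secrets` would record this for the next migration.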
@@ -41,29 +40,22 @@ defaults = { }, 'postgresql': { 'roles': { - 'gitea': { - 'password': repo.vault.password_for('{} postgresql gitea'.format(node.name)), + 'forgejo': { + 'password': repo.vault.password_for('{} postgresql forgejo'.format(node.name)), }, }, 'databases': { - 'gitea': { - 'owner': 'gitea', + 'forgejo': { + 'owner': 'forgejo', }, }, }, 'zfs': { 'datasets': { - 'tank/gitea': {}, - 'tank/gitea/home': { - 'mountpoint': '/home/git', + 'tank/forgejo': { + 'mountpoint': '/var/lib/forgejo', 'needed_by': { - 'directory:/home/git', - }, - }, - 'tank/gitea/var': { - 'mountpoint': '/var/lib/gitea', - 'needed_by': { - 'directory:/var/lib/gitea', + 'directory:/var/lib/forgejo', }, }, }, @@ -82,7 +74,7 @@ def nginx(metadata): 'nginx': { 'vhosts': { 'forgejo': { - 'domain': metadata.get('gitea/domain'), + 'domain': metadata.get('forgejo/domain'), 'locations': { '/': { 'target': 'http://127.0.0.1:22000', @@ -97,11 +89,3 @@ def nginx(metadata): }, }, } - - -@metadata_reactor.provides( - 'icinga2_api/gitea/services', -) -def icinga_check_for_new_release(metadata): - return { - } diff --git a/bundles/gitea/items.py b/bundles/gitea/items.py deleted file mode 100644 index e071483..0000000 --- a/bundles/gitea/items.py +++ /dev/null 
@@ -1,68 +0,0 @@ -users = { - 'git': {}, -} - -directories = { - '/home/git': { - 'mode': '0755', - 'owner': 'git', - 'group': 'git', - }, - '/home/git/.ssh': { - 'mode': '0755', - 'owner': 'git', - 'group': 'git', - }, - '/var/lib/gitea': { - 'owner': 'git', - 'mode': '0700', - 'triggers': { - 'svc_systemd:gitea:restart', - }, - }, -} - -files = { - '/etc/systemd/system/gitea.service': { - 'content_type': 'mako', - 'context': node.metadata.get('gitea'), - 'triggers': { - 'action:systemd-reload', - 'svc_systemd:gitea:restart', - }, - }, - '/etc/gitea/app.ini': { - 'content_type': 'mako', - 'context': node.metadata.get('gitea'), - 'triggers': { - 'svc_systemd:gitea:restart', - }, - }, - '/usr/local/bin/gitea': { - 'content_type': 'download', - 'source': node.metadata.get('gitea/url'), - 'content_hash': node.metadata.get('gitea/sha1', None), - 'mode': '0755', - 'triggers': { - 'svc_systemd:gitea:restart', - }, - }, -} - -if node.metadata['gitea'].get('install_ssh_key', False): - files['/home/git/.ssh/id_ed25519'] = { - 'content': repo.vault.decrypt_file(f'gitea/files/ssh-keys/{node.name}.key.vault'), - 'mode': '0600', - 'owner': 'git', - 'group': 'git', - } - -svc_systemd = { - 'gitea': { - 'needs': { - 'file:/etc/gitea/app.ini', - 'file:/etc/systemd/system/gitea.service', - 'file:/usr/local/bin/gitea', - }, - }, -} diff --git a/data/gitea/files/ssh-keys/rx300.key.vault b/data/forgejo/files/ssh-keys/carlene.key.vault similarity index 100% rename from data/gitea/files/ssh-keys/rx300.key.vault rename to data/forgejo/files/ssh-keys/carlene.key.vault diff --git a/data/gitea/files/ssh-keys/rx300.pub b/data/forgejo/files/ssh-keys/carlene.pub similarity index 100% rename from data/gitea/files/ssh-keys/rx300.pub rename to data/forgejo/files/ssh-keys/carlene.pub From d3f55dc82173402de7ba252bdd7d5796b6a5709d Mon Sep 17 00:00:00 2001 
From: Franziska Kunsmann Date: Wed, 2 Aug 2023 16:38:14 +0200 Subject: [PATCH 246/996] htz-cloud.afra: add fedi redirects --- nodes/htz-cloud.afra.toml | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/nodes/htz-cloud.afra.toml b/nodes/htz-cloud.afra.toml index 80bad5f..9ef5192 100644 --- a/nodes/htz-cloud.afra.toml +++ b/nodes/htz-cloud.afra.toml @@ -72,6 +72,16 @@ domain = "afra.berlin" redirect = "https://afra-berlin.de" mode = 302 +[metadata.nginx.vhosts.redirect.locations.'/.well-known/host-meta'] +redirect = "https://fedi.afra.berlin/.well-known/host-meta" +mode = 301 +[metadata.nginx.vhosts.redirect.locations.'/.well-known/nodeinfo'] +redirect = "https://fedi.afra.berlin/.well-known/nodeinfo" +mode = 301 +[metadata.nginx.vhosts.redirect.locations.'/.well-known/webfinger'] +redirect = "https://fedi.afra.berlin/.well-known/webfinger" +mode = 301 + [metadata.nginx.vhosts.redirect.locations.'/matrix/'] target = "http://127.0.0.1:20100/" From 5f0ba20622b571ebe9090a440d05e79f12d98049 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Wed, 2 Aug 2023 16:38:32 +0200 Subject: [PATCH 247/996] move forgejo from rx300 to carlene --- nodes/carlene.toml | 12 ++++++++++++ nodes/rx300.py | 45 --------------------------------------------- 2 files changed, 12 insertions(+), 45 deletions(-) diff --git a/nodes/carlene.toml b/nodes/carlene.toml index afb7722..590a7ff 100644 --- a/nodes/carlene.toml +++ b/nodes/carlene.toml @@ -5,6 +5,7 @@ groups = [ ] bundles = [ "element-web", + "forgejo", "matrix-media-repo", "matrix-synapse", "mautrix-telegram", 
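Review bot: The `/.well-known/webfinger` redirect only works if the query string survives it: clients request `/.well-known/webfinger?resource=acct:user@afra.berlin`, and a 301 to the bare path drops `resource`, so the fediverse server cannot answer the lookup. Whether the nginx bundle appends `$is_args$args` when rendering `redirect = …` is not visible on this page; check the generated `return 301` line, and if the template passes the value through verbatim, make it explicit with `redirect = "https://fedi.afra.berlin/.well-known/webfinger$is_args$args"`. `host-meta` and `nodeinfo` normally take no parameters, so the plain redirects there are fine.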
@@ -34,6 +35,17 @@ brand = "franzi.business" defaultCountryCode = "DE" jitsi.preferredDomain = "meet.ffmuc.net" +[metadata.forgejo] +url = "https://codeberg.org/attachments/48524ed4-efdc-4ac5-8b68-f7d5c77d7672" +sha1= "5a7f987b5e95c547cc83c2a000b3cd2dfe4e64a6" +domain = "git.franzi.business" +enable_git_hooks = true +install_ssh_key = true +internal_token = "!decrypt:encrypt$gAAAAABfPncYwCX-NdBr9LdxLyGqmjRJqhmwMnWsdZy6kVOWdKrScW78xaqbJ1tpL1J4qa2hcZ7TQj3l-2mkyJNJOenGzU3TsI-gYMj9vC4m8Bhur5zboxjD4dQXaJbD1WSyHJ9sPJYsWP3Gjg6I19xeq9xMlAI6xaS9vOfuoI8nZnnQPx1NjfQEj03Jxf8a0-3F20sfICst1xRa5K48bpq1PFkK_oRojg==" +lfs_secret_key = "!decrypt:encrypt$gAAAAABfPnd1vgNDt86-91YhviQw8Z0djSp4f_tBt76klDv-ZcwxP1ryJzqJ7qnfaTe_6DYCfc82gEzvVDsyBlCoAkGpt1AI2_LCKetuSCnDPjtGvwdQl3A53lFEdG2UJl1uUiR7f8Vr" +oauth_secret_key = "!decrypt:encrypt$gAAAAABfPnbfTISbldhS0WyxVKBHVVoOMcar7Kxmh1kkmiUGd-RzbbnNzzhEER_owjttPQcACPfGKZ6WklaSsXjLq8km4P6A9QmPbC06GmHbc91m0odCb1KiY7SZeUD35PiRiGSq50dz" +security_secret_key = "!decrypt:encrypt$gAAAAABfPnc-R7pkDj4pQgHDb6pzlNYNJgiWdeBFsX7IsHSnCtNPbZxCdtSL8cHtQzVO1KbSxS7zCwssmgiR8Kj54Z-koD-FQbjpbKWoIPw8SsyeqBVlZhIeEzhw_1t7_7ZTvv1O8AePdNYel9JJb_TaAZ8Vx46ZfsEPy8zaaHrqOekHC6RAnB4=" + [metadata.interfaces.eno2] ips = [ "193.135.9.29/24", diff --git a/nodes/rx300.py b/nodes/rx300.py index f6214f9..4a15b0c 100644 --- a/nodes/rx300.py +++ b/nodes/rx300.py @@ -9,7 +9,6 @@ nodes['rx300'] = { 'bundles': { 'check-mail-received', 'dovecot', - 'gitea', 'ipmitool', 'jenkins-ci', 'jugendhackt_tools', 
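Review bot: The `email_domain_blocklist` that rx300 carried for this instance (30 entries, removed in the second nodes/rx300.py hunk of this commit) is not re-created under `[metadata.forgejo]`, so carlene falls back to the bundle default `set()`. That is harmless while `disable_registration` keeps its default `True`, but if registration is ever re-enabled the list is silently gone; either port it or add a comment in this section stating it was dropped on purpose. Minor style: `sha1= "…"` is missing the space before `=` that every other key in the file uses.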
@@ -96,49 +95,6 @@ nodes['rx300'] = { 'imap_pass': bwpass.attr('t-online.de/franzi.kunsmann@t-online.de', 'imap'), }, }, - 'gitea': { - 'url': 'https://codeberg.org/attachments/8aac5e74-a26b-44c9-83b8-267f114af958', - 'sha1': '4dda6dd09e75e38e4f564bd8249d8fc3dc4a334a', - 'domain': 'git.franzi.business', - 'email_domain_blocklist': { - 'aol.com', - 'bamibi.com', - 'beezom.buzz', - 'block521.com', - 'cloud-mail.top', - 'comcast.net', - 'cox.net', - 'cupbest.com', - 'dakcans.com', - 'fitshot.xyz', - 'gmail.co', - 'gmail.com', - 'grabmail.club', - 'hbehs.com', - 'hotmail.com', - 'msn.com', - 'nycexercise.com', - 'oceore.com', - 'popcornfly.com', - 'qqhow.com', - 'runqx.com', - 'spicethainj.com', - 'spruzme.com', - 'syswift.com', - 'tagbert.com', - 'teleg.eu', - 'tempinbox.xyz', - 'verizon.net', - 'vusra.com', - 'yahoo.com', - }, - 'enable_git_hooks': True, - 'install_ssh_key': True, - 'internal_token': vault.decrypt('encrypt$gAAAAABfPncYwCX-NdBr9LdxLyGqmjRJqhmwMnWsdZy6kVOWdKrScW78xaqbJ1tpL1J4qa2hcZ7TQj3l-2mkyJNJOenGzU3TsI-gYMj9vC4m8Bhur5zboxjD4dQXaJbD1WSyHJ9sPJYsWP3Gjg6I19xeq9xMlAI6xaS9vOfuoI8nZnnQPx1NjfQEj03Jxf8a0-3F20sfICst1xRa5K48bpq1PFkK_oRojg=='), - 'lfs_secret_key': vault.decrypt('encrypt$gAAAAABfPnd1vgNDt86-91YhviQw8Z0djSp4f_tBt76klDv-ZcwxP1ryJzqJ7qnfaTe_6DYCfc82gEzvVDsyBlCoAkGpt1AI2_LCKetuSCnDPjtGvwdQl3A53lFEdG2UJl1uUiR7f8Vr'), - 'oauth_secret_key': vault.decrypt('encrypt$gAAAAABfPnbfTISbldhS0WyxVKBHVVoOMcar7Kxmh1kkmiUGd-RzbbnNzzhEER_owjttPQcACPfGKZ6WklaSsXjLq8km4P6A9QmPbC06GmHbc91m0odCb1KiY7SZeUD35PiRiGSq50dz'), - 'security_secret_key': vault.decrypt('encrypt$gAAAAABfPnc-R7pkDj4pQgHDb6pzlNYNJgiWdeBFsX7IsHSnCtNPbZxCdtSL8cHtQzVO1KbSxS7zCwssmgiR8Kj54Z-koD-FQbjpbKWoIPw8SsyeqBVlZhIeEzhw_1t7_7ZTvv1O8AePdNYel9JJb_TaAZ8Vx46ZfsEPy8zaaHrqOekHC6RAnB4='), - }, 'icinga_options': { 'pretty_name': 'franzi.business', }, 
@@ -233,7 +189,6 @@ nodes['rx300'] = { 'Encryption': 'https://franzi.business/gpg_hi-kunsmann.eu.asc', }, 'vhosts': { - 'forgejo': {'ssl': '_.franzi.business'}, 'jenkins-ci': {'ssl': '_.franzi.business'}, 'matrix-dimension': {'ssl': '_.franzi.business'}, 'miniflux': {'ssl': '_.franzi.business'}, From 5604763303dcf90b422f3f285631234a9939e22a Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Wed, 2 Aug 2023 16:49:29 +0200 Subject: [PATCH 248/996] update element-web to 1.11.37 --- nodes/carlene.toml | 2 +- nodes/htz-cloud.afra.toml | 2 +- nodes/htz-cloud/miniserver.py | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/nodes/carlene.toml b/nodes/carlene.toml index 590a7ff..c487787 100644 --- a/nodes/carlene.toml +++ b/nodes/carlene.toml @@ -27,7 +27,7 @@ imap_pass = "!bwpass_attr:t-online.de/franzi.kunsmann@t-online.de:imap" [metadata.element-web] url = "chat.franzi.business" -version = "v1.11.36" +version = "v1.11.37" [metadata.element-web.config] default_server_config.'m.homeserver'.base_url = "https://matrix.franzi.business" default_server_config.'m.homeserver'.server_name = "franzi.business" diff --git a/nodes/htz-cloud.afra.toml b/nodes/htz-cloud.afra.toml index 9ef5192..a52988b 100644 --- a/nodes/htz-cloud.afra.toml +++ b/nodes/htz-cloud.afra.toml @@ -32,7 +32,7 @@ routes.'172.19.136.0/22'.via = "172.19.137.1" [metadata.element-web] url = "element.afra.berlin" -version = "v1.11.36" +version = "v1.11.37" [metadata.element-web.config] default_server_config.'m.homeserver'.base_url = "https://matrix.afra.berlin" diff --git a/nodes/htz-cloud/miniserver.py b/nodes/htz-cloud/miniserver.py index b13aa07..2a6d679 100644 --- a/nodes/htz-cloud/miniserver.py +++ b/nodes/htz-cloud/miniserver.py @@ -61,7 +61,7 @@ nodes['htz-cloud.miniserver'] = { }, 'element-web': { 'url': 'chat.sophies-kitchen.eu', - 'version': 'v1.11.36', + 'version': 'v1.11.37', 'config': { 'default_server_config': { 'm.homeserver': { 
From 726023db171949cb8969d957522eb5909cdf41bb Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Wed, 2 Aug 2023 19:51:50 +0200 Subject: [PATCH 249/996] htz-cloud.miniserver: update hedgedoc to 1.9.9 --- nodes/htz-cloud/miniserver.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nodes/htz-cloud/miniserver.py b/nodes/htz-cloud/miniserver.py index 2a6d679..64e18fc 100644 --- a/nodes/htz-cloud/miniserver.py +++ b/nodes/htz-cloud/miniserver.py @@ -80,7 +80,7 @@ nodes['htz-cloud.miniserver'] = { }, }, 'hedgedoc': { - 'version': '1.9.8', + 'version': '1.9.9', 'config': { 'production': { 'allowAnonymousEdits': True, From 1834bedf91399b83bf2d006aa645827baf983774 Mon Sep 17 00:00:00 2001 
From: Franziska Kunsmann Date: Fri, 4 Aug 2023 08:07:41 +0200 Subject: [PATCH 250/996] remove htz-cloud.luther --- data/backup/keys/aurto.key.vault | 1 - data/backup/keys/aurto.pub | 1 - data/backup/keys/gce.bind01.key.vault | 1 - data/backup/keys/gce.bind01.pub | 1 - data/backup/keys/home.hass.key.vault | 1 - data/backup/keys/home.hass.pub | 1 - .../keys/home.kodi-wohnzimmer.key.vault | 1 - data/backup/keys/home.kodi-wohnzimmer.pub | 1 - data/backup/keys/home.nas.key.vault | 1 - data/backup/keys/home.nas.pub | 1 - ...home.octoprint-vielschichtigkeit.key.vault | 1 - .../keys/home.octoprint-vielschichtigkeit.pub | 1 - data/backup/keys/home.paperless.key.vault | 1 - data/backup/keys/home.paperless.pub | 1 - data/backup/keys/htz-cloud.influxdb.key.vault | 1 - data/backup/keys/htz-cloud.influxdb.pub | 1 - data/backup/keys/htz-cloud.luther.key.vault | 1 - data/backup/keys/htz-cloud.luther.pub | 1 - .../keys/htz-cloud.miniserver.key.vault | 1 - data/backup/keys/htz-cloud.miniserver.pub | 1 - .../backup/keys/htz-cloud.pirmasens.key.vault | 1 - data/backup/keys/htz-cloud.pirmasens.pub | 1 - data/backup/keys/htz-cloud.pleroma.key.vault | 1 - data/backup/keys/htz-cloud.pleroma.pub | 1 - data/backup/keys/htz-cloud.sewfile.key.vault | 1 - data/backup/keys/htz-cloud.sewfile.pub | 1 - data/backup/keys/htz.ex42-1048908.key.vault | 1 - data/backup/keys/htz.ex42-1048908.pub | 1 - data/backup/keys/kunsi-p14s.key.vault | 1 - data/backup/keys/kunsi-p14s.pub | 1 - data/backup/keys/kunsi-t470.pub | 1 - data/backup/keys/ns-primary.key.vault | 1 - data/backup/keys/ns-primary.pub | 1 - data/backup/keys/ovh.icinga2.key.vault | 1 - data/backup/keys/ovh.icinga2.pub | 1 - data/backup/keys/rx300.key.vault | 1 - data/backup/keys/rx300.pub | 1 - .../files/extras/htz-cloud.luther/luther-ps | 51 -------- nodes/htz-cloud/luther.py | 109 ------------------ 39 files changed, 197 deletions(-) delete mode 100644 data/backup/keys/aurto.key.vault delete mode 100644 data/backup/keys/aurto.pub delete mode 
100644 data/backup/keys/gce.bind01.key.vault delete mode 100644 data/backup/keys/gce.bind01.pub delete mode 100644 data/backup/keys/home.hass.key.vault delete mode 100644 data/backup/keys/home.hass.pub delete mode 100644 data/backup/keys/home.kodi-wohnzimmer.key.vault delete mode 100644 data/backup/keys/home.kodi-wohnzimmer.pub delete mode 100644 data/backup/keys/home.nas.key.vault delete mode 100644 data/backup/keys/home.nas.pub delete mode 100644 data/backup/keys/home.octoprint-vielschichtigkeit.key.vault delete mode 100644 data/backup/keys/home.octoprint-vielschichtigkeit.pub delete mode 100644 data/backup/keys/home.paperless.key.vault delete mode 100644 data/backup/keys/home.paperless.pub delete mode 100644 data/backup/keys/htz-cloud.influxdb.key.vault delete mode 100644 data/backup/keys/htz-cloud.influxdb.pub delete mode 100644 data/backup/keys/htz-cloud.luther.key.vault delete mode 100644 data/backup/keys/htz-cloud.luther.pub delete mode 100644 data/backup/keys/htz-cloud.miniserver.key.vault delete mode 100644 data/backup/keys/htz-cloud.miniserver.pub delete mode 100644 data/backup/keys/htz-cloud.pirmasens.key.vault delete mode 100644 data/backup/keys/htz-cloud.pirmasens.pub delete mode 100644 data/backup/keys/htz-cloud.pleroma.key.vault delete mode 100644 data/backup/keys/htz-cloud.pleroma.pub delete mode 100644 data/backup/keys/htz-cloud.sewfile.key.vault delete mode 100644 data/backup/keys/htz-cloud.sewfile.pub delete mode 100644 data/backup/keys/htz.ex42-1048908.key.vault delete mode 100644 data/backup/keys/htz.ex42-1048908.pub delete mode 100644 data/backup/keys/kunsi-p14s.key.vault delete mode 100644 data/backup/keys/kunsi-p14s.pub delete mode 100644 data/backup/keys/kunsi-t470.pub delete mode 100644 data/backup/keys/ns-primary.key.vault delete mode 100644 data/backup/keys/ns-primary.pub delete mode 100644 data/backup/keys/ovh.icinga2.key.vault delete mode 100644 data/backup/keys/ovh.icinga2.pub delete mode 100644 data/backup/keys/rx300.key.vault delete 
mode 100644 data/backup/keys/rx300.pub delete mode 100644 data/nginx/files/extras/htz-cloud.luther/luther-ps delete mode 100644 nodes/htz-cloud/luther.py diff --git a/data/backup/keys/aurto.key.vault b/data/backup/keys/aurto.key.vault deleted file mode 100644 index 8cf9e4d..0000000 --- a/data/backup/keys/aurto.key.vault +++ /dev/null @@ -1 +0,0 @@ -encrypt$gAAAAABg2xbZgDvKN7zvwFWAanfqHpsVJxRzvvPZBN7OzYBYlpjMbr7NCYngOVzMeHrBWoD56QASpBpCXib7GoZhjRbrkA3XLg-xHyC2W0UQrdIm6w3o5RpMji5ll5BdDJJYpCsf_l_lgklBM4k5fb_4X4zjK77J-15B_DdPGzQbAZxw1LT0OV3LrC55MNv_UeVwmDGg07Xy38-GPdFEAzH-lrzfsP7-PBsjaRmdFT_iShrsQgpcecKSBG_zqyxbbZKxG3cRJL791RYVNwGXFWVTZTs0UjbAFd5Q2pHjy10cdio_EnhfCcP2b6pwMjgihvYGwS3j_s90bXf9ko1njxpPXvxauSN6biURa7j7k3EABhywdhV_kcZoWbIK7tLY7ojYi1Al2xx1e-L9jvS66QLnbMrNW_xqVHPple98hYcTawf3yI2n4KSKcsDr71Iu3cOrdJOQkG6QiE2CjTm0J2gySoRvtoqTJjsBPud6LSHrDcbHKenMr9aCSM5MYm_aadyeHh0bphgU5F5ye8UVuAmPmFa12WChxLTWDj7zhgeTJpvbfQUALry8nD6tDOWMOqkXOhJkGV48xBoCKLrtxVgpnKxNu7aTDpJAwxEY9uFyymmD4lXQquQC8eElEl-n2Xz2Z-9fK3uJ \ No newline at end of file diff --git a/data/backup/keys/aurto.pub b/data/backup/keys/aurto.pub deleted file mode 100644 index d590079..0000000 --- a/data/backup/keys/aurto.pub +++ /dev/null @@ -1 +0,0 @@ -ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOEqhj3JQ+82FCLVg4a+cRU4FRudnifcwrWgZnvrQGkG diff --git a/data/backup/keys/gce.bind01.key.vault b/data/backup/keys/gce.bind01.key.vault deleted file mode 100644 index e08644e..0000000 --- a/data/backup/keys/gce.bind01.key.vault +++ /dev/null 
@@ -1 +0,0 @@ -encrypt$gAAAAABfrlWfFm8-vDqO9So0Ru3QCA_kWvO2bbIcYtnq3VnJfq0QxPKW4TTuUbS8gloq19TbQRTZeZ0-22H-CdIeiXv_SGtKzK7ijbV3pUfNppy5I9c1Kcn--6YnLEBRx9DxhOh3n3i3gxyF8dA9izjp_-XS3XjjPcdw6WAp1z55a6p6ggTDEyXn1MGEUl8405ri8kpe9AtPIBZV7GND8GmH8jG8jrMJGTta_TJlrW_FcsYqcEKf5f1N1ShOCWCxUijlTwLVZzufZCR3-IJpcdKR8L2ifTggT04meHRzd_4HkC3X-3wdfqnoNCo7ln63SeerseN0Gnz_Psk0L9CnwQwWlfTbCMVdn2oiRUc8wLZ06R-GVhdIs9C4jGnQJZeStOFYYtHWgqZcToNx_Bq5zIK4aMa5vZ8cmKgCDWBMfjcaWJ8SKK8_zRZwRbsPOzuzSfvGoAmcnhQbnDmmhtSaka4POk-aH-8ZV_1dNq0JK5g7xcC6vUb1GSvfFPqXhx9ypo48NueHC9seJt7Pp05hP91z8yBT9-CHtMH91G4iBkyJf-DfG65YfDFVmXTU4ikV5UV6leXFkzmIzGshKAwuDuRVWA5tXEHAyoluTaX2nZXziz_wNszj2Fc= \ No newline at end of file diff --git a/data/backup/keys/gce.bind01.pub b/data/backup/keys/gce.bind01.pub deleted file mode 100644 index 9db75f4..0000000 --- a/data/backup/keys/gce.bind01.pub +++ /dev/null @@ -1 +0,0 @@ -ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF4wrVPICvYitHaR0Qp6K8LzlPaHothuw0BI3XGiyAmN diff --git a/data/backup/keys/home.hass.key.vault b/data/backup/keys/home.hass.key.vault deleted file mode 100644 index 44f9b82..0000000 --- a/data/backup/keys/home.hass.key.vault +++ /dev/null @@ -1 +0,0 @@ -encrypt$gAAAAABhflKcIRszHtJHuBcgaWh7divgjgw72cKDiP7PPk7CQ9xpdSDw3phE7tpVBnaYSjYFcn0lxH5IN7YfgsgQnRFrH4N25-awLwxp6kVsL00Si9F4o8GUBvzobQGJtzEh0nuQ3zmGGfQSLZGKiXkFHLPmnc67Mqtz7zK7Qc5Lp0qqhMJ-2PLEwl5F6WxQU8TcNTlHDgIb23yS2GWfT3DrUvZjgOKkDvS--Huphyklksn3SR3cxHy1wSmlzJxV31t4Rh7YQyj1DcuBy2TIzLAhebtPJbiUZTFsFXDJULiHl1zi5X2jVIc17rpKW_9JMTeBEDZbebyqpOp3bo9zNv4RcC_XEIW7i2hCXNT8RksW5x45-E01jKQpiKgIcJoImcDQAanNh6_xEWEPWiJFVDulkMiJob5EvZjl1j79jOciahq8ycuePWyFAAtDZgpLm9u0JlzOLFL4NbvL8-MypBLpysXTohqDa3SYKlc2-UvsUJD8bagEYsy0Ay_nGQo961AqlWF7vPk2SdYXUjN657PxSbnczOuKv63BmFWEF9Bu8OFOzxIRs1ds7jvK3KChikO91VJMQxsZrSynFBwDm5zpYRsk-k1D2blf2g1yaThd2fijYCe1Lico_nTlyf-dpSrN5szlKW5V \ No newline at end of file diff --git a/data/backup/keys/home.hass.pub b/data/backup/keys/home.hass.pub deleted file mode 100644 index 25e2a1b..0000000 
--- a/data/backup/keys/home.hass.pub +++ /dev/null @@ -1 +0,0 @@ -ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKYyrgpO2tCRTP+eEFD127OlRIATw7BxaSgYMnyYAbMS diff --git a/data/backup/keys/home.kodi-wohnzimmer.key.vault b/data/backup/keys/home.kodi-wohnzimmer.key.vault deleted file mode 100644 index 1904a4f..0000000 --- a/data/backup/keys/home.kodi-wohnzimmer.key.vault +++ /dev/null @@ -1 +0,0 @@ -encrypt$gAAAAABfrlWfJTYZVIlllCPefCyzG16p3-JLyr1vST3xWvkc5rB9jvCNw-7LwP7CSh62YTchvyJBk5NfrDCnZnYhW44rn4I2YWr-LfHkVNIsq_b1Kv7rL_xvgcHt1iww_0Fa0nUmK5gGbbedz0uJtTO_9IS8P7KJUWziW3Ugsajt0NKIAB__-M7d461E6coLKmbkD9EnTGkXGp14U1vA0oyR8xsfHasWtQ8ntNu3it4_SFmu_xMbeEXOV1RZACKkCr-nS7ctjQ4LNgIIdfLWs-KKM1cmCjwDQqPWRIoPD5YJJ8EtBxvUyNc0KT8ySMS7m2TNfw158U2QdO4KQUdbuwPTpDWuhOMRp5nzliEkiw2QHhKbZGbHrliw1AD9naQWUh-R1XtMx3gKRp-vser4RFQk83bhcL63j7dSjzKHpANa3HB0f2GEoek9VOwZIHpXWu1OkJNMVk5a_F8f75Iggmj5xiz_O_nRRhYRA3MzXgfV_QKTvPHEKFvkoh_-esb33qgiJ8tL-5uJ2ADWFbBqy-KoUJDKFeoyDNlJKwFpgFq0Kbd5eJbbVp95D9LCCkdiwQ34_SopMqbVBfauHdloygsgs35ifAvEW1VDyHtz-cpmRDYc0jV-iyI= \ No newline at end of file diff --git a/data/backup/keys/home.kodi-wohnzimmer.pub b/data/backup/keys/home.kodi-wohnzimmer.pub deleted file mode 100644 index b5ff2e9..0000000 --- a/data/backup/keys/home.kodi-wohnzimmer.pub +++ /dev/null @@ -1 +0,0 @@ -ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE/WEgalbJUsr2q3DurqR7NkY9RXnuMs7BmmBgVmW3tj diff --git a/data/backup/keys/home.nas.key.vault b/data/backup/keys/home.nas.key.vault deleted file mode 100644 index 84683c7..0000000 --- a/data/backup/keys/home.nas.key.vault +++ /dev/null 
@@ -1 +0,0 @@ -encrypt$gAAAAABh27wEndfbW4cyz1fgM3e87zCqStsK8upwR56flNhpwAMJQJtjflH76nvw63cZYGWjJaOY29jO4y8DONjRoe3OQxH1bt9qgBgSfdW4k1A2axKevj67wphrb5bipJCg_EKFZumRONCSaaFDFlRp8DJlwj4LWxHONENx6KEYtMMZyGRUnh853kYDxA9E2gq7ScXZMAws002iD1sBONCsXOLEcpX8-Yt1f9qDzhfSGh4z7JdBa_xfmjKYAMBl62pPeZoI2c8LnogtjPEdblPJmjBuIVhGb_wP6nF4jdEim57v0lGezPblddTFvsgNcZO9AWIeM4ivtVd0AZaZXHXxSh7aGTKOKn6BiZtvah5Dhc61GL-Iga3sXISuG7EALWVODtwfUBwD-s8gAXfT0_LYh2tkrkPVm39Uwx8hM1WZUyDvQ3ox3a5RxQgenz4YskdNA-2Yw53zxdaCp_sORJJPpsFntoPXtw0aHXGVTdluRDtBJCqDPUVvO69J3jDMDnNXb3W9BrKK1CABbZkd5hLQH9jH6ZY8SOZzr5-RpEPbR4akIKPJAL0lcCFRwS0TgCfTAKDBbz9y19xkzIAM4cjraMlUDS69zegryOzG9u1-Cjj82kNKT95iA70Hm63idJWR0naCRUCu \ No newline at end of file diff --git a/data/backup/keys/home.nas.pub b/data/backup/keys/home.nas.pub deleted file mode 100644 index b556e97..0000000 --- a/data/backup/keys/home.nas.pub +++ /dev/null @@ -1 +0,0 @@ -ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBf2z34n5oovv1PjJrDTNQyrI78oEmazeshLKTwheP4x diff --git a/data/backup/keys/home.octoprint-vielschichtigkeit.key.vault b/data/backup/keys/home.octoprint-vielschichtigkeit.key.vault deleted file mode 100644 index 39fa436..0000000 --- a/data/backup/keys/home.octoprint-vielschichtigkeit.key.vault +++ /dev/null @@ -1 +0,0 @@ -encrypt$gAAAAABfrlWgqqfc6tymm4tFnl4qy6rodRU7ZCMsPXw-bLOBoPdxxPdQEVVvWWK6WhqidBtGRGEvyp32W3rltA_lTZFhSEy5y-xOHK7waviQi2wahK4B3zBYPc-nKOREzbSKqOaaNlpOsReAfyZgizeKb_XGump--sOwLn120k9ImMGmVhhQSx0BdJpi2Z23aqV6TvRgDM2utCR2aRFXyFbFG_TR8exI9tQLg80qaotXv9O5I2pnIyTyanXEm4pZBmN88kGSW-ZPTVO2SpWjfGO46XtPirsFAp7pya-0O8EeXApEGjtQiVUw_JrlQmMTJ14j8AV4m_lNsiu_6bKPawaNJCcSfOF9C_49LMj-0mupyss2Py3qtF-KTxU0TvODg2DnLIMlcxtv_zheYFeY90nPBpQ3Dh8L2qAOd_eDu4gFvQLQvWQyB6aAlChC9ufTrhDFNyNI3Am5oWh32iFcv8Ie7UNtIB0Jc2bHfApJl8LJhizpObLgHtuxK127m2D5jEXRYwjLYDGGDwyL-qfKpxQoKaBPBP8JNxT0LbtsecveAyLIknyqtX3fxvZpon1DbJ0UTwvlUeoRcmOThmtx_hlGS7As12Ds60EnDbuhMddFGnZyo4GObqA= \ No newline at end of file 
diff --git a/data/backup/keys/home.octoprint-vielschichtigkeit.pub b/data/backup/keys/home.octoprint-vielschichtigkeit.pub deleted file mode 100644 index 32866d0..0000000 --- a/data/backup/keys/home.octoprint-vielschichtigkeit.pub +++ /dev/null @@ -1 +0,0 @@ -ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII6c5QTi50obr8Eh3pCCy+y8E4HXb/5YwRIVD1WZneO9 diff --git a/data/backup/keys/home.paperless.key.vault b/data/backup/keys/home.paperless.key.vault deleted file mode 100644 index 364fa26..0000000 --- a/data/backup/keys/home.paperless.key.vault +++ /dev/null @@ -1 +0,0 @@ -encrypt$gAAAAABgqlxI4OjgrQfSKqCqA8vSbhNpdPwt56Akk73WMcqTs0nf9tiQsGoneptdO-1x5X_-yEI_YE_SywHo4yZ0ABQjUdNpLDojjDqkT2wZPDeSXgoIQFpnf_JZ84aw89_srH6CBEBGDU6bjljiAarrkAyBWaW21DFSuH1SSwuNiy3Rr1GP6HwTgqMVtNc-W4x6pehViOpkiyvvffgYGTY826YXmV4dCapr3Z8l4acOmSucnnc5YxKXSHl5wk9vTDpyhcT6qQJ7d-_cRCDrZtkPYNWNJRjAVmshIg_QRXwgQU_YPqZRrcQIUGMnaIBNjv0LKcSDPDAD2Rv8GHMLF1Vt6brJ_p3ihY_8KrP6QvwKyvSX1CDVxhwYq9WfCqvlqQOIkVLnn_vS-FzqU98cbef-rZsXLVRe7ODrU-Fg5tOVmKp761VGQSF1l4FIZnkQwF5uj-AmJXgaTfkcvoYhWtFEadnrKYmV92GbymiwPB6EG9SRMgcgpMAYCl9If7oEMjuYBs6bfTq0dfA39xWRJQx9zhAMTAAWHewYwEzME5PuTaQCDSRd2qIYik-DemhRp3suuphvjeuJTL5qyHXIH03yCTRxYf28cw0PVC2B696mI-z0I_-FT5Tc9l4pbh3RZlQ7Z8dNewJX \ No newline at end of file diff --git a/data/backup/keys/home.paperless.pub b/data/backup/keys/home.paperless.pub deleted file mode 100644 index db4a767..0000000 --- a/data/backup/keys/home.paperless.pub +++ /dev/null @@ -1 +0,0 @@ -ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIbL8JFM5vHyxSf4Ym57K+ssOi7gbk7Ma/+pOoT+1qGy diff --git a/data/backup/keys/htz-cloud.influxdb.key.vault b/data/backup/keys/htz-cloud.influxdb.key.vault deleted file mode 100644 index 296f65c..0000000 --- a/data/backup/keys/htz-cloud.influxdb.key.vault +++ /dev/null 
@@ -1 +0,0 @@ -encrypt$gAAAAABgoBM4n7eEwMxfav4200d5LoGyLsM67Ps9CCPBgjZjdsOpyQulbp2l4LIhWj1kljgrXZ_LnOaRUf3S8q7-drv3yEfG1d-cyK8vP7r8wkTcawaazM5XdhR8VkgxCyBCuOZmM1vvAmOwIMi1JiQcgiJ4G32ThS085onN3T9HvEu2a9sWYuOlk-yVUBpelqP97vbO6r2n3hn-62AC7Ww-Q_EQ_kcdDdJLOawNe1anJOsOeLb1XOlMIJWI74LZXfszsRi9LmxUpzaB4Gd_nzDLO1AZHD_GOf9UOeeab8PujwhQ4UhbEHCdB-uVH88LGCw25-6eiv0yA_kRulj7InA9sKRyBZ1okSF4Xhl-htez6XwBD6BuA_ly6ulSxWuoOV_qsCNiXhJYGTuKPJS0-wpLyeLb_PV1tlYOKZv3VK5a_EpCRa4fCdX7oj9pcA8ZQkQeFAx0P4b3oYkz8YkDiBINFdOLE177lC6Kuk33sLfsZBuoR7MSjHUtZHPOXUHu8pV0o0_YxxF5fBs6hyReXvCbZB18NikeH4Ki-RR5IE4ofTngf6dIQhCxp9u-cNs-mNP0GRKiYIBUInr9Udpr-ymXRq-7OvyTM92950ePm-qoqjbpVFA8HN057WfkW6N6DASRRa2HjqQJ \ No newline at end of file diff --git a/data/backup/keys/htz-cloud.influxdb.pub b/data/backup/keys/htz-cloud.influxdb.pub deleted file mode 100644 index efa9e6d..0000000 --- a/data/backup/keys/htz-cloud.influxdb.pub +++ /dev/null @@ -1 +0,0 @@ -ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFpAUytQ0ncucltODEr3MgcKF5U/6TS4zZG1OYJDIEQp diff --git a/data/backup/keys/htz-cloud.luther.key.vault b/data/backup/keys/htz-cloud.luther.key.vault deleted file mode 100644 index 13c5671..0000000 --- a/data/backup/keys/htz-cloud.luther.key.vault +++ /dev/null @@ -1 +0,0 @@ -encrypt$gAAAAABfrlWgO_QYaKznjoFXGPw4PTjv92niiHE_61_Tp7dOnKiqWHJc06MOxmFdZaf9i8wLH1H0R8MNgt5gGuGDk6frQh1cz_EMyQh9Vo9iBbHI6q5OXYHmTX3mEeeoudhGUNaXwaea0SaErcql_jJDRGrbvxGJH2-wmiJaeZ5oyIkedp6F7_Y1SuRw-c2YG8hEBtjALlLhz3bL25_2V8hzrKZ1OtK1TyoWvdbA7yo2PdE1RfxfzJG5MMCNBTb9ngVvCXz6bZuq6EQidBONOvR7mWncMKeuB_pd87DvxIvahhhI4roHp8H7rbH_6eqRQLKiNBvmJxmqtNlb_wJPFtzTGZUNNOzZLuddJsBZggx6R3CsDigQVK6MKBi6qGlZTsn3nBNhEtX9jmRWU2Xx9IaVNuc9a3qlkMN2qTXg4B6ijMYa6emIva5Y-2ByK4dBwZd9nQSqk_QNcaLA_EVGBah1yIXCTRWqF5A3VrIlPnpVxTZZoLqnyjtWRh23L0-K47V3NuvXS7R1sZGGAapadVenRUH-iRs8493v07aJlH2DHNSuINEw15sPWALWpOiGJ6UdVsZ5FYtXcCTBX87PfmCp6OKChmkRqVXS_j3LTH48HzknZvYP-YY= \ No newline at end of file 
diff --git a/data/backup/keys/htz-cloud.luther.pub b/data/backup/keys/htz-cloud.luther.pub deleted file mode 100644 index bd609da..0000000 --- a/data/backup/keys/htz-cloud.luther.pub +++ /dev/null @@ -1 +0,0 @@ -ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO6bxLAHdTe9gQIwFhFWRBKq9BSMeds3lyDK9iud4kpL diff --git a/data/backup/keys/htz-cloud.miniserver.key.vault b/data/backup/keys/htz-cloud.miniserver.key.vault deleted file mode 100644 index a7468c7..0000000 --- a/data/backup/keys/htz-cloud.miniserver.key.vault +++ /dev/null @@ -1 +0,0 @@ -encrypt$gAAAAABgoVlzLgIb2UCbDSztRNaLNDY5AaF3BlosclzZvKQPDvgRLobDusDPGCuxreeZ19PB1vOjyT0unuALoM-3qufCutiv9QxmeDwzKy6D9RFn_PVfL2WhNGOG_oO8W_2Itx8Nza-8ta-eQfnR-1FJnti3gXDh60usWwE9rI3C8BMBDiaGBWNqhi_P2r7YoWBsJ06jE-qr7J51ddO1W2VaP_95ebZu9GmAljQkzUy4EdgH5f0xQBgjHFzA5H_OAUMZ-ey3MFXPAXMSFKomIBy4eSks0ghHS5KcJYD3UTjXEdag022CXfNqQDZL99yZm7re4tvQ1nsaiD8rRPciNZHxb2VYEj-OPHEjJnJ4dv_uqba8IPd8Stc5n3A-vklMsZwQWwaAvu12T6m61HbJeCc7WPst8UTJbJJPMhX1bhnvo8qtmB0kRdQ7GhVno0OZRFbHAEgXj8ifXdEEwWuGmw_191LA_UGKjcUau27CxyfY9CnJoah0DSWoZ8_M6haQB4QisiPdDXUilb1Jva3b13U7wubMCSqdZCc5ySnI5womn-GuXWCOQlfwR3sKop5NPs8oeOcN2k_XZUvHm1udcntEMPqEbEBtlP21nUkxZ2nUl4KCpbQQ6iM= \ No newline at end of file diff --git a/data/backup/keys/htz-cloud.miniserver.pub b/data/backup/keys/htz-cloud.miniserver.pub deleted file mode 100644 index 35357fd..0000000 --- a/data/backup/keys/htz-cloud.miniserver.pub +++ /dev/null @@ -1 +0,0 @@ -ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBkINf6i/nlscFFcvyZUrvYlpKZRMo6Si1LbNlClWksA diff --git a/data/backup/keys/htz-cloud.pirmasens.key.vault b/data/backup/keys/htz-cloud.pirmasens.key.vault deleted file mode 100644 index 0990166..0000000 --- a/data/backup/keys/htz-cloud.pirmasens.key.vault +++ /dev/null 
@@ -1 +0,0 @@ -encrypt$gAAAAABfrlWgKPszezQgjWLwmoRjEF1k_AedpCj3sYAIrzKDfdSEVuYjj_8tbzflMRuCax9FPCwffQdy2Y-79SuIoHgjVDfrV3jRPTegFhSWudIcbSMrlc-3Ypob_BD2pGyz8XbdYXdaPTz8R7wTLpYgqxWPkBAnHj_AsJeXO3qtbFkuMwqiUST9fFDbNfmUxunbmjk-WYYr6pBNy91dydWVR7Th_XxJNPtTucK1qRJgzaA5aA1UsiMXoc07jkDMVJAvs7Qy1ynofz0hh8DEb8SHo2htPQyKEWljU6vdYQ4PgYIWdP746m4fuDvTVKU2EkMmMxTtBF-lSHpg_AxVt3krB3Geo9MHTzodBmKkwHRRD49ZjY6E1QXQqjsrJ9T8eudokyaLuOZz9AwzgBZfWKNMh1D8BqaJVOoGgK0S1nLvRiONqX0sLq6XmQqEHalR1puMwugOBDNmrt2dBH283Jr9p_zbxe8fnNK0hgOeVJCe9tAr68Cn_dcWJgLsL-KUnhORXLjZXP44k8-k8ovj15cbW8fUobf8VyK6XqyUt119hXMCrjDed0RbjRBYjwm0A9Zv_DjsH6dFVKfyC1mu1nWTeOK0km3H6CnzWEPPhD3bA8YvXAoQfFY= \ No newline at end of file diff --git a/data/backup/keys/htz-cloud.pirmasens.pub b/data/backup/keys/htz-cloud.pirmasens.pub deleted file mode 100644 index 7cbe538..0000000 --- a/data/backup/keys/htz-cloud.pirmasens.pub +++ /dev/null @@ -1 +0,0 @@ -ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIILD1lwc1lNzVWQDxBxs9//5OUioFGOA7qGZjDykSIRa diff --git a/data/backup/keys/htz-cloud.pleroma.key.vault b/data/backup/keys/htz-cloud.pleroma.key.vault deleted file mode 100644 index 06e6894..0000000 --- a/data/backup/keys/htz-cloud.pleroma.key.vault +++ /dev/null @@ -1 +0,0 @@ -encrypt$gAAAAABgMXllIGiB__clFctfOC6T4qRhFDrh_WJZU745-DZef2UpKCy0gz_2FlDAIqrNceL-Ahz1AXZrsdHUKPYAZ5AW4ne0b0G6uHQENYB0xv-ZqA3MZS26gzvNM7ejhyTCM1zO1j6ePgIxfZlaalNcuLIRAphuhu7KkJA8sGaoUMjdTqVWJUjj4Le8KHcS-s7PhB1XjkyHYxb0cKFgPxs1CgHWVjfCviVnl3yFAF1aLvYsbNcpzM_RGGIIA9YsO3yPQ8Mfk4B3truuNg1mdNaunpnhoTImF2cSNoI64f2mVaSNxxRXm1NG2qUJkZN8ZQlW8k7A1w_zUwHw9-JaimZejfPWrhew7krAbPQWEqOz7Km0RkQdbzFzxWECDIOQ_Z87n_yEFLSN3sAHA0eQ-a6oqj5Ybga5p9eeNNdOYAZyU_6KfSl9U6XSKT16brAXnsZevWQHk06ObdOPhJW5SMIQwk0TZXUOMZ11T0o0-2IMGBngOjoOxqt7gjZoiLFt4c8BkFcDkpTj25asyG2iF-2jWZ1cY91F5nDkIE3CSQzD7DYANyTI7ik9qACiY25bBYOwo9HS9TEcE-wDS2_jKolFFmEx5EFdxzIpSXdWB7EznbizgqAtu2eYubASKlBKILpeVZiqKZi8 \ No newline at end of file 
diff --git a/data/backup/keys/htz-cloud.pleroma.pub b/data/backup/keys/htz-cloud.pleroma.pub deleted file mode 100644 index 1795293..0000000 --- a/data/backup/keys/htz-cloud.pleroma.pub +++ /dev/null @@ -1 +0,0 @@ -ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK7vz3CMmmHmnWZs4b+Ohh4wnUgcME8PvZscjgS+91Qd diff --git a/data/backup/keys/htz-cloud.sewfile.key.vault b/data/backup/keys/htz-cloud.sewfile.key.vault deleted file mode 100644 index ab1b31f..0000000 --- a/data/backup/keys/htz-cloud.sewfile.key.vault +++ /dev/null @@ -1 +0,0 @@ -encrypt$gAAAAABfrlWhKNaNm-FvjJIB97rK-RoXRnLHHZ63k8Y-beVmSwuYnXYEjZLSD5yrvE3TtkodVikztjx4Cuck6lTECQR2MwSSlZ76L_uJOCmwyCKbDmjCRAfJsr8ni0WIIDa6GBWeqy1KDqZsaqEJwaH_zF6Ps-JHsUB7NCpqcDLGCTGOQLUrgH_Qzyi4Jme0LAnH2DeY7bSyzOGdLezwGUd2nhv7eKet0NeJwWWTnN3HSd6KGJybZLR2I2FsqiNutqGNLnJgeuTHHsUVUxroJepmE4bC0sK9kd_yWWQDNTVc2MRsJA2XkfgfeWzusmjQyho-9iOucX66E2DnSLOSVfvV1ZQ5iTUx_iYQstDs_V48-Za8OEh0wtMvWJlw4fIZvT2CTbFMjv-Z3ID9O8zu-MOZTKJlvGgQzaCJlvI1xMAd9UcfwKvoejGrZNZdHdadyjB_hbNZk1e2KLYEXsnSzIyTU544K4yWOaKpA70di_rQHfrgUosdRn-CtZkWJolUzKVILNmaaI1gZYI3jr3SYqWWfHjVIlQIt8z5qmR527bvEKhJhDIkJ-RnvTNHeXx9Kqw3VPIWxHaYSS1Fv-M47e2rXsM5eDfPWRsQvYOiQO3g0EbMQhjho8o= \ No newline at end of file diff --git a/data/backup/keys/htz-cloud.sewfile.pub b/data/backup/keys/htz-cloud.sewfile.pub deleted file mode 100644 index 4d33a5a..0000000 --- a/data/backup/keys/htz-cloud.sewfile.pub +++ /dev/null @@ -1 +0,0 @@ -ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN9fWj0+jwIxDSvwyP6sOiFeI6huU/kQ+N5nIBAj+2eT diff --git a/data/backup/keys/htz.ex42-1048908.key.vault b/data/backup/keys/htz.ex42-1048908.key.vault deleted file mode 100644 index 69129e2..0000000 --- a/data/backup/keys/htz.ex42-1048908.key.vault +++ /dev/null 
@@ -1 +0,0 @@ -encrypt$gAAAAABfrlWhxrcCNO5KHOsPsxD5ZymUgHG3my4qIJxfr3nJQyBVMRjFjxx2akQubpWWG9UC8xKthSvADXUZxjcGTAvqcELX60W2cdvJ90bY8RGHQ-Dua6-PsThurLVJeWZSmxo3vCneTj0lYEdAwK1aiZsRvxLjWhkyRELXvgPhC3GeNnS0SeC1AHGuRJVnC3ZMbRfSps1_LBxRvIES_acDJSfsRpcLg0oPmdpkDV9wdB0ZBuimngUYCl6jZ-syofI9yRU9q9lpNtZbahKAIBKNHeFzkgC6I5oi8e2-mZqnh_BSLomvRXPdZRvlHQWsSPNX2_25IlZiXyXrBIsN5rXAAwl16PNZjuG703WWiV2RxifGRux7cbJVE-LREBKCADgLduOZPe2voXo3jRq8v4NZfTtk8CKSm4QxS6Q7fRb7_0dAWZadd_dap8HigCUkr_5l-CotSKhiBNTAwyClLSMpDW1oUAaeLgM2YLF7V8TlWAwtxKi1lqmDchoWk221CQ97njVfhUOCNrdiGXOtFeiB-JRsXK8eAgthDzrR2F78s2w9NGZf0SdRxxNNil1f7ikDZfXbsdagaP_HZvjmq8oeTcwibcjsGl7HDVw0xV_7SvOJ3iDhLdQ= \ No newline at end of file diff --git a/data/backup/keys/htz.ex42-1048908.pub b/data/backup/keys/htz.ex42-1048908.pub deleted file mode 100644 index 88b121e..0000000 --- a/data/backup/keys/htz.ex42-1048908.pub +++ /dev/null @@ -1 +0,0 @@ -ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFn5SDyIV+GtSqSDvKPsfkxRgmUKdu8eOOyEWUo5ZtJl diff --git a/data/backup/keys/kunsi-p14s.key.vault b/data/backup/keys/kunsi-p14s.key.vault deleted file mode 100644 index f2ee06a..0000000 --- a/data/backup/keys/kunsi-p14s.key.vault +++ /dev/null @@ -1 +0,0 @@ -encrypt$gAAAAABiB-rPruxytUp5eFUDx-bfXhTHoXbV4E71--i0EFgQxVn0bmgfNrQQL21mAHm9JqSnwtzHxuHW5C_VYXb1vsg6b3lopue3i4XPHZYFe0VU5SDFdKbP2JEQcuMZfYqjN49MxM3bGVkTiErNpf-Ctgf_sop02O_IYNR3fhvD8IST32RUrfqYHPAky9O48pon202bPi10jPMu2dZTevE3ODtBHdiY1Sx7vTzpUiVskXj9H3A3dzywM2w7KpHiUx5sROaOWNZBQ2MASQLfIbAe1mQobCpySKsMNhbxmpTO2Cg75a8tLbtTicrzwU9DB8HOLn5L3ed-K1bPpP57_bWrxl9_Jrvgu6PgDB8b1PTInycej8o7zZKF-UTi1aGcjJAvSRymWDb045WBQs3HIJJuBlKoHwjMUN7Vw9u1JqooTSmJWFql3pdIlhR3YZxTe5wrT1jxHeyxKPk7YlNqcj6nlK8v9QT9w24IdF0yekVl_HVnFgZ4EQ_DH_wdKTnAJWLOMkqYjlFCz0HS_IOF-X3oPr8UcbXzQ6dtcJAh3nR6kJRUIfifzEk0hBkZZ8axiDt2KFFYLqv5SM5TmtRuxeJq38Eqa-uv62w2_lJZiLQ6wFHR7UoGgBexp65vGe3cDnN7j1fPXgGo \ No newline at end of file 
diff --git a/data/backup/keys/kunsi-p14s.pub b/data/backup/keys/kunsi-p14s.pub deleted file mode 100644 index 636ca3f..0000000 --- a/data/backup/keys/kunsi-p14s.pub +++ /dev/null @@ -1 +0,0 @@ -ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGDTtww1OWI29zxXpUANToHzzBR/Kp0Jqpii0+JUr3MY kunsi@kunsi-p14s.kunbox.net diff --git a/data/backup/keys/kunsi-t470.pub b/data/backup/keys/kunsi-t470.pub deleted file mode 100644 index 1d712a5..0000000 --- a/data/backup/keys/kunsi-t470.pub +++ /dev/null @@ -1 +0,0 @@ -ssh-rsa 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 diff --git a/data/backup/keys/ns-primary.key.vault b/data/backup/keys/ns-primary.key.vault deleted file mode 100644 index 52bb656..0000000 --- a/data/backup/keys/ns-primary.key.vault +++ /dev/null @@ -1 +0,0 @@ -encrypt$gAAAAABj1jTasX0XOFRWh7F0pxNgMoJIjrblvqOM8ohGVCsvVyMEQDiOmGaJCs9lW-lbeghlzRpiC8P7CNot6OOeNXBYWmxN_HgN3J2p6Q5-XoSJ62NUJWQNRNNENuiN1Yy0g0MREk4gVsNh8-VeoXuKgyLEXJQJI-SYLzl8faZoBnQGTK4FbTAiN6KSB4EbTPwxx-8dYp8kNIj4ipBjkQKNu-mXuVvdnf5fTUwTCQx6rz7yjlp7DOPuSJDASg5bE33dd8gt89grW5vBKeEnQsi7hpJCJF5vNfRay89IKfjf6UqxJHKCmS2tIWQ9Kz4Tv41MnNR0-jvnULq7TWcnqwo_SKb8JRLUA3dH2wLiOUu7aApYSkeSNiul2ILCtBPsjY_eWzqdd3tkpJBErOcFVe2mdjVRSIUOXTM_T3nNWCJgn5TxD4qbHklZoCaM6Ey9P_yQj-sSRGizgcDhGiqY8xJNmwbWz9IH5a_Fs6iRVhAh6VzSa1ZAKxcum87dj-KVA_SjG9hy7Dy28xK0D4NoSpYFOkEz4VHpa1tP0t8QJ2WtQiw-qjHFzokkIINEUKUPIBg6t_5oedJ24YMnyyzBZ2_uQ1HFVFjBx-7Iw73bTPNluVwXkobzEnrYFwDsEXGE6tR0HjbteNxj \ No newline at end of file diff --git a/data/backup/keys/ns-primary.pub b/data/backup/keys/ns-primary.pub deleted file mode 100644 index 442d8b9..0000000 --- a/data/backup/keys/ns-primary.pub +++ /dev/null @@ -1 +0,0 @@ -ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL+FCn1sWP74+lVAyaXDpXxCCauh6LC2KEJmIMhDEYvJ kunsi@kunsi-p14s.kunbox.net diff --git a/data/backup/keys/ovh.icinga2.key.vault b/data/backup/keys/ovh.icinga2.key.vault deleted file mode 100644 index 93964c5..0000000 --- a/data/backup/keys/ovh.icinga2.key.vault +++ /dev/null 
@@ -1 +0,0 @@ -encrypt$gAAAAABfrlWizt5Lp7t_CRYxVrlPmXFKSKKpNzWIKaM8X6l-7eUD-vDMN9G1tj6nucjQ3sHOll7WXM367HIcqIlOQfUDM2Qat3_4MstsKnEHUvoPh1xyjrui74ZQvLrdedYjtQ_YlsLJnoHkqLThJQ1D3pazifMYouF0CO9MMz4pVxTNiSGYPzVaixUN_LcMm9-u0vWaVh3UqDa3mLxufI36C5lKR6p7jEhB3vTpxtahquDxSjMmCYQv1AiEbPfoh0-8mFlZ5QZ9ZPxno5q_5SnZViv4jDuLLcW1VeK4ocOP2vjh8QuN2uc2-AuQRzykOAHBjprKcjgrp_M9sejy4W5I40wgpMliPtgc8z_tdBhU5uLwKR50l0xjCW9oR7mPQIzrs8Y6b-KPO3Hy9v2iCKYT0XOLiY9fCF_hmIk-hN7ekS2zUlU4TzRC9nDD-YBX28mqXU7n1-0QciDjVkpmcxvBFzBbNt5XXJJ7jLdfj6fx2keErnmSLWAnMv-ztJX93sfxYfnQejqhYIc_H81xF4Nm3P3V7lf8PeR_FsfqvQujR9ECBWQ6vo8-5KnAiYnMSyPapirY8b4FPUjKhEgel5goSZ4DhbmUBKPVecByUTYSBAXP76IyXRE= \ No newline at end of file diff --git a/data/backup/keys/ovh.icinga2.pub b/data/backup/keys/ovh.icinga2.pub deleted file mode 100644 index a0045cc..0000000 --- a/data/backup/keys/ovh.icinga2.pub +++ /dev/null @@ -1 +0,0 @@ -ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE5hLAqBz7Vm6oVv+oye5hQCsRI3cPA9q5B8KCWYCYUw diff --git a/data/backup/keys/rx300.key.vault b/data/backup/keys/rx300.key.vault deleted file mode 100644 index b272d12..0000000 --- a/data/backup/keys/rx300.key.vault +++ /dev/null @@ -1 +0,0 @@ -encrypt$gAAAAABg2xbjGmqokuwp9mIL5CX0fmGhvxpeYJGam2csaFKM5UqpgpnE9BFSUUkJRPOc0cnXH7xNriDJaY6EXEd959gkCMm0Cwu4H7t8XUeHNPfeqoyp7R1mmddnDp5BglbhkI6VJqCiD4YhmDzAieu6YY9Ho-E0SR-kOB-z9Jfw1P8yUzaF4GzNqKdWlSaTSt_fq2aotIQm13ukrewZChA8xY_1mMVgxcfVfOLFFRNVCrW1oRcH0qaQ_6_7ZsRZat_8tCgjknFLb9suBGBNbwl7yxlayaRfbN36VevSX4iSA4Q_nvSZ40oV5otqljpMyUpbVRbeZb0uAJFbn_8nEWc0FKR5iJy-mXcToBlx0Rc8wPmHuG2Gdf0BJDFK8AIIL9p-ucqYdvfU8oC_dsHlnhIXnf0dc9PdP-9Lnh3Ov1Lkm-i0GLa6K6nPrtRXgDaj_fv1V01-0vYF_t4vs_4VbjMMXGhUXI94lRw59vFB4WJQluir2ut-jDQR0Ek0U3g5-ziRbg4t77JzKjeUymbguT2BAT0er7W0zfKUcQ5VizSJ3j1U7VtbVJ7E3710BQ_1pCoz9HAt_BcxYSJ3bnhRR9V_NdaSdtPeIVqQ0G69hKbwNYZ0CAEAgIhbRgeyDeMev6WhWN6T5We- \ No newline at end of file diff --git a/data/backup/keys/rx300.pub b/data/backup/keys/rx300.pub deleted file mode 100644 index 6fff864..0000000 
--- a/data/backup/keys/rx300.pub +++ /dev/null @@ -1 +0,0 @@ -ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID/pOUa5sbFtqzHZF2qnG+MroI8Z65FRnYAiS1CrqCss diff --git a/data/nginx/files/extras/htz-cloud.luther/luther-ps b/data/nginx/files/extras/htz-cloud.luther/luther-ps deleted file mode 100644 index f5a95e6..0000000 --- a/data/nginx/files/extras/htz-cloud.luther/luther-ps +++ /dev/null @@ -1,51 +0,0 @@ - location ~ ^/sites/.*/private/ { - return 403; - } - - location ~ ^/sites/[^/]+/files/.*\.php$ { - deny all; - } - - location ~ (^|/)\. { - return 403; - } - - location / { - try_files $uri /index.php?$query_string; - } - - location /update { - try_files $uri /update.php; - } - - location @rewrite { - rewrite ^ /index.php; - } - - location ~ /vendor/.*\.php$ { - deny all; - return 404; - } - - location ~* \.(engine|inc|install|make|module|profile|po|sh|.*sql|theme|twig|tpl(\.php)?|xtmpl|yml)(~|\.sw[op]|\.bak|\.orig|\.save)?$|/(\.(?!well-known).*|Entries.*|Repository|Root|Tag|Template|composer\.(json|lock)|web\.config)$|/#.*#$|\.php(~|\.sw[op]|\.bak|\.orig|\.save)$ { - deny all; - return 404; - } - - location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ { - try_files $uri @rewrite; - expires max; - log_not_found off; - } - - location ~ ^/sites/.*/files/styles/ { - try_files $uri @rewrite; - } - - location ~ ^(/[a-z\-]+)?/system/files/ { - try_files $uri /index.php?$query_string; - } - - if ($request_uri ~* "^(.*/)index\.php/(.*)") { - return 307 $1$2; - } diff --git a/nodes/htz-cloud/luther.py b/nodes/htz-cloud/luther.py deleted file mode 100644 index 1558bd9..0000000 --- a/nodes/htz-cloud/luther.py +++ /dev/null 
@@ -1,109 +0,0 @@ -nodes['htz-cloud.luther'] = { - 'bundles': { - 'php', - 'postgresql', - 'zfs', - }, - 'groups': { - 'debian-bullseye', - 'webserver', - }, - 'metadata': { - 'interfaces': { - 'eth0': { - 'ips': { - '195.201.136.20', - '2a01:4f8:c2c:fc3b::1/64', - }, - 'gateway4': '172.31.1.1', - 'gateway6': 'fe80::1', - }, - 'ens10': { - 'ips': { - '172.19.137.4/32', - }, - 'routes': { - # VPN - '172.19.136.0/22': { - 'via': '172.19.137.1', - }, - }, - }, - }, - 'apt': { - 'packages': { - 'php-apcu': {}, - 'php-uploadprogress': {}, - }, - }, - 'cron': { - 'jobs': { - 'luther-ps': vault.decrypt('encrypt$gAAAAABfnUqTXXpUYCA2DxllTKgbKg6YguCBbguJ0rerFGi9UNxEuTO6eqReqraS9FzNmLl81S_20bYwXM5W8pNwV5I5i6BVz1M37TxdsMCAxMG-9G0ZHFXeE4K5a4MWxuyYkrVPtK_hNFOciwxDDwPYT8tH_Jahdqmr8fZcCcsICzsSOxycn89VEm2ODnfH24Azrj6mVq5cPMc_xkdWnn-dSMCvPXpjjg==').format_into('*/10 * * * * www-data /usr/bin/curl -s {}'), - }, - }, - 'icinga_options': { - 'period': 'daytime', - 'pretty_name': 'Lutherkirchengemeinde Pirmasens', - 'vars.notification.sms': False, - }, - 'nginx': { - 'vhosts': { - 'luther-ps': { - 'domain': 'luther-ps.kunsmann.eu', - 'php': True, - 'extras': True, - 'website_check_path': '/user/login', - 'website_check_string': 'Username', - }, - }, - }, - 'php': { - 'version': '7.4', - 'packages': { - 'curl', - 'gd', - 'json', - 'mbstring', - 'pgsql', - 'xml', - }, - }, - 'postgresql': { - 'version': '11', - 'users': { - 'luther-ps': { - # can't use password_for() here, application is unmanaged - 'password': vault.decrypt('encrypt$gAAAAABfnSxJtRTeWRTO_ubSqpBbH8L-khPamKtSiUYbuMIoyJnoF_oSfUlMpTpQsmdDh61F3JQEH0xfYOkzkiCGZONRHyYdqkTjWV4Ku1Avdb0SL74VG6NihUJOpZlhOKnuniopCwuW'), - }, - }, - 'databases': { - 'luther-ps': { - 'owner': 'luther-ps', - }, - }, - }, - 'zfs': { - 'pools': { - 'tank': { - 'when_creating': { - 'config': [{ - 'devices': {'/dev/sdb'}, - }], - }, - }, - }, - 'datasets': { - 'tank/luther-website': { - 'mountpoint': '/var/www/luther-ps', - 'needed_by': { - 
'directory:/var/www/luther-ps', - }, - }, - }, - }, - 'vm': { - 'cpu': 1, - 'ram': 2, - }, - }, -} From 8ec785ffd8eb1d54f7b590076597ac48442f2717 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sat, 5 Aug 2023 08:33:42 +0200 Subject: [PATCH 251/996] update element-web to 1.11.38 --- nodes/carlene.toml | 2 +- nodes/htz-cloud.afra.toml | 2 +- nodes/htz-cloud/miniserver.py | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/nodes/carlene.toml b/nodes/carlene.toml index c487787..2a35bd5 100644 --- a/nodes/carlene.toml +++ b/nodes/carlene.toml @@ -27,7 +27,7 @@ imap_pass = "!bwpass_attr:t-online.de/franzi.kunsmann@t-online.de:imap" [metadata.element-web] url = "chat.franzi.business" -version = "v1.11.37" +version = "v1.11.38" [metadata.element-web.config] default_server_config.'m.homeserver'.base_url = "https://matrix.franzi.business" default_server_config.'m.homeserver'.server_name = "franzi.business" diff --git a/nodes/htz-cloud.afra.toml b/nodes/htz-cloud.afra.toml index a52988b..505e8ff 100644 --- a/nodes/htz-cloud.afra.toml +++ b/nodes/htz-cloud.afra.toml @@ -32,7 +32,7 @@ routes.'172.19.136.0/22'.via = "172.19.137.1" [metadata.element-web] url = "element.afra.berlin" -version = "v1.11.37" +version = "v1.11.38" [metadata.element-web.config] default_server_config.'m.homeserver'.base_url = "https://matrix.afra.berlin" diff --git a/nodes/htz-cloud/miniserver.py b/nodes/htz-cloud/miniserver.py index 64e18fc..51da4d4 100644 --- a/nodes/htz-cloud/miniserver.py +++ b/nodes/htz-cloud/miniserver.py @@ -61,7 +61,7 @@ nodes['htz-cloud.miniserver'] = { }, 'element-web': { 'url': 'chat.sophies-kitchen.eu', - 'version': 'v1.11.37', + 'version': 'v1.11.38', 'config': { 'default_server_config': { 'm.homeserver': { From 4b6f6802481c8f9daadb47a9515af3f7b3a808f6 Mon Sep 17 00:00:00 2001 
From: Franziska Kunsmann Date: Wed, 23 Aug 2023 12:18:25 +0200 Subject: [PATCH 252/996] update element-web to 1.11.39 --- nodes/carlene.toml | 2 +- nodes/htz-cloud.afra.toml | 2 +- nodes/htz-cloud/miniserver.py | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/nodes/carlene.toml b/nodes/carlene.toml index 2a35bd5..ae51559 100644 --- a/nodes/carlene.toml +++ b/nodes/carlene.toml @@ -27,7 +27,7 @@ imap_pass = "!bwpass_attr:t-online.de/franzi.kunsmann@t-online.de:imap" [metadata.element-web] url = "chat.franzi.business" -version = "v1.11.38" +version = "v1.11.39" [metadata.element-web.config] default_server_config.'m.homeserver'.base_url = "https://matrix.franzi.business" default_server_config.'m.homeserver'.server_name = "franzi.business" diff --git a/nodes/htz-cloud.afra.toml b/nodes/htz-cloud.afra.toml index 505e8ff..bb0d02c 100644 --- a/nodes/htz-cloud.afra.toml +++ b/nodes/htz-cloud.afra.toml @@ -32,7 +32,7 @@ routes.'172.19.136.0/22'.via = "172.19.137.1" [metadata.element-web] url = "element.afra.berlin" -version = "v1.11.38" +version = "v1.11.39" [metadata.element-web.config] default_server_config.'m.homeserver'.base_url = "https://matrix.afra.berlin" diff --git a/nodes/htz-cloud/miniserver.py b/nodes/htz-cloud/miniserver.py index 51da4d4..fe0732d 100644 --- a/nodes/htz-cloud/miniserver.py +++ b/nodes/htz-cloud/miniserver.py @@ -61,7 +61,7 @@ nodes['htz-cloud.miniserver'] = { }, 'element-web': { 'url': 'chat.sophies-kitchen.eu', - 'version': 'v1.11.38', + 'version': 'v1.11.39', 'config': { 'default_server_config': { 'm.homeserver': { From 20d1c0af05b95653b5f451c5d992a38678853825 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Wed, 23 Aug 2023 12:18:58 +0200 Subject: [PATCH 253/996] update netbox to 3.5.8 --- nodes/carlene.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nodes/carlene.toml b/nodes/carlene.toml index ae51559..b2901f3 100644 --- a/nodes/carlene.toml +++ b/nodes/carlene.toml 
@@ -96,7 +96,7 @@ url = "https://matrix.franzi.business" [metadata.netbox] domain = "netbox.franzi.business" -version = "v3.5.7" +version = "v3.5.8" admins.kunsi = "hostmaster@kunbox.net" [metadata.postgresql] From aecaebcefddf064e6d4338b84206e739995ddbcd Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Wed, 23 Aug 2023 12:19:24 +0200 Subject: [PATCH 254/996] carlene: add web vhost for skye --- nodes/carlene.toml | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/nodes/carlene.toml b/nodes/carlene.toml index b2901f3..61cb43a 100644 --- a/nodes/carlene.toml +++ b/nodes/carlene.toml @@ -99,6 +99,9 @@ domain = "netbox.franzi.business" version = "v3.5.8" admins.kunsi = "hostmaster@kunbox.net" +[metadata.nginx.vhosts.'gaenseblum.eu'.webroot_config] +owner = "skye" + [metadata.postgresql] version = 15 @@ -115,6 +118,11 @@ domain = "travelynx.franzi.business" # the old one from rx300, XXX remove 2024-01-01 additional_cookie_secrets = ["!decrypt:encrypt$gAAAAABkyVq1Eena0FVcAW1V456-QrEtKL_fU7RSGr9mZTSBG28bk5bHJdqkvxrr4rOXNCnreJY7AsJSw-h7yrbzTNa9CUzOtt_a0caQIi7Qnen5k_TI_hTa08jViYLu3WrRxLPknpU_"] +[metadata.users.skye] +ssh_pubkey = [ + "ssh-rsa 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", +] + [[metadata.zfs.pools.tank.when_creating.config]] devices = [ "/dev/nvme0n1p3", From 7a1dc40584a3b0bf2845ba3bd617bc2fa2a379d2 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Wed, 23 Aug 2023 12:19:56 +0200 Subject: [PATCH 255/996] voc.infobeamer-cms: new domain and update for cccamp23 --- nodes/voc/infobeamer-cms.py | 21 ++++++++++++++++----- 1 file changed, 16 insertions(+), 5 deletions(-) diff --git a/nodes/voc/infobeamer-cms.py b/nodes/voc/infobeamer-cms.py index 5fd767a..500f03f 100644 --- a/nodes/voc/infobeamer-cms.py +++ b/nodes/voc/infobeamer-cms.py 
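Review bot: The new `[metadata.users.skye]` entry pins an `ssh-rsa` key where every other key on this page (the removed `data/backup/keys/*.pub` files) is `ssh-ed25519`; the key material is redacted here, so its length cannot be checked, and an RSA key only matches the rest of the repo's posture if it is at least 3072 bits. Consider either converting the user to an ed25519 key or recording the key's size/origin in a comment above the `ssh_pubkey` list, e.g. `# rsa-4096, skye's laptop, added 2023-08` (size and origin are placeholders to be filled in). The `webroot_config` for `gaenseblum.eu` appears a few lines before the user it names, which is fine for TOML but reads more naturally after the user definition.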
@@ -23,9 +23,9 @@ nodes['voc.infobeamer-cms'] = { }, }, 'infobeamer-cms': { - 'domain': 'infobeamer-cms.c3voc.de', - 'event_start_date': '2023-06-08', - 'event_duration_days': 4, + 'domain': 'infobeamer.c3voc.de', + 'event_start_date': '2023-08-15', + 'event_duration_days': 5, 'config': { 'ADMIN_USERS': [ 'hexchen', @@ -43,8 +43,7 @@ nodes['voc.infobeamer-cms'] = { 'MQTT_TOPIC': '/voc/alert', 'MQTT_USERNAME': vault.decrypt('encrypt$gAAAAABhxakKHC_kHmHP2mFHorb4niuNTH4F24w1D6m5JUxl117N7znlZA6fpMmY3_NcmBr2Ihw4hL3FjZr9Fm_1oUZ1ZQdADA=='), 'SETUP_IDS': [ - 230384, - 241629, + 242962, ], # 'EXTRA_ASSETS': [{ # 'type': "image", @@ -60,5 +59,17 @@ nodes['voc.infobeamer-cms'] = { 'infobeamer stream': 23541, }, }, + 'nginx': { + 'vhosts': { + 'redirect': { + 'domain': 'infobeamer-cms.c3voc.de', + 'locations': { + '/': { + 'redirect': 'https://infobeamer.c3voc.de', + }, + }, + }, + }, + }, }, } From 6aa0114db51629c8fe3c10513e1ee2627d06896c Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Wed, 23 Aug 2023 12:39:31 +0200 Subject: [PATCH 256/996] update mautrix-whatsapp to 0.10.0 --- nodes/carlene.toml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/nodes/carlene.toml b/nodes/carlene.toml index 61cb43a..c3fc632 100644 --- a/nodes/carlene.toml +++ b/nodes/carlene.toml @@ -87,8 +87,8 @@ provisioning.shared_secret = "!decrypt:encrypt$gAAAAABfVKflEMAi07C_QGP8cy97hF-4g "'@kunsi:franzi.business'" = "admin" [metadata.mautrix-whatsapp] -version = "v0.9.0" -sha1 = "5cb95b3dd1f8b2c124bc08af1ce23ab425fe859e" +version = "v0.10.0" +sha1 = "eadcfa474c94bce51f9dfaf3d03de2311bb8d07b" permissions."'@kunsi:franzi.business'" = "admin" [metadata.mautrix-whatsapp.homeserver] domain = "franzi.business" From a8adde8c63314d9dccbe21abc3f688f8369b9045 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Wed, 23 Aug 2023 12:40:37 +0200 Subject: [PATCH 257/996] update forgejo to 1.20.3-0 --- nodes/carlene.toml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
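Review bot: The new `'redirect': 'https://infobeamer.c3voc.de'` under `'/'` names a bare origin, so whether deep links on the old `infobeamer-cms.c3voc.de` host keep their path and query depends on how the nginx bundle renders `redirect` (not visible here). If it emits a plain `return 301 <target>`, every old URL lands on the front page; either make the bundle append the request URI or state the intent in a comment, `# old hostname: root-only redirect, paths are not preserved`. The SETUP_IDS and event-date edits in the earlier hunk of this file are plain data changes and need nothing further.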
diff --git a/nodes/carlene.toml b/nodes/carlene.toml index c3fc632..8befb89 100644 --- a/nodes/carlene.toml +++ b/nodes/carlene.toml @@ -36,8 +36,8 @@ defaultCountryCode = "DE" jitsi.preferredDomain = "meet.ffmuc.net" [metadata.forgejo] -url = "https://codeberg.org/attachments/48524ed4-efdc-4ac5-8b68-f7d5c77d7672" -sha1= "5a7f987b5e95c547cc83c2a000b3cd2dfe4e64a6" +url = "https://codeberg.org/forgejo/forgejo/releases/download/v1.20.3-0/forgejo-1.20.3-0-linux-amd64" +sha1 = "3199c656c9b9916f288d5feadcf0b63f6bbe1193" domain = "git.franzi.business" enable_git_hooks = true install_ssh_key = true From 8482f6a270b2b4e5d458015d15cc59280cc5a166 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Wed, 23 Aug 2023 13:46:44 +0200 Subject: [PATCH 258/996] {c3voc,entropia}-jira: more monitoring --- nodes/c3voc-jira.toml | 29 +++++++++++++++++++++++++++++ nodes/entropia-jira.toml | 12 ++++++++++++ 2 files changed, 41 insertions(+) create mode 100644 nodes/c3voc-jira.toml diff --git a/nodes/c3voc-jira.toml b/nodes/c3voc-jira.toml new file mode 100644 index 0000000..df28559 --- /dev/null +++ b/nodes/c3voc-jira.toml 
@@ -0,0 +1,29 @@ +hostname = "31.172.33.107" +dummy = true + +[metadata.icinga_options] +period = "daytime" +show_on_statuspage = false + +[metadata.icinga2_api.nginx.services."NGINX VHOST jira CERTIFICATE"] +check_command = "check_https_cert_at_url" +"vars.domain" = "jira.c3voc.de" +"vars.notification.mail" = true + +[metadata.icinga2_api.nginx.services."NGINX VHOST jira CONTENT"] +check_command = "check_http_wget" +"vars.http_wget_contains" = "login.jsp" +"vars.http_wget_url" = "https://jira.c3voc.de/secure/Dashboard.jspa" +"vars.notification.sms" = true + +[metadata.icinga2_api.custom.services] +# these checks do not get deployed onto the actual host by us, we only +# execute those checks +'DISK SPACE'.'vars.sshmon_command' = 'DISK_SPACE' +'JIRA HEAP'.'vars.sshmon_command' = 'JIRA_HEAP' +'JIRA THREADS'.'vars.sshmon_command' = 'JIRA_THREADS' +'LOAD'.'vars.sshmon_command' = 'LOAD' +'OOM KILLER'.'vars.sshmon_command' = 'OOM_KILLER' +'RAM'.'vars.sshmon_command' = 'RAM' +'USER PROCESS SECURITY jira'.'vars.sshmon_command' = 'USER_PROCESS_SECURITY_jira' +'ZPOOL SPACE tank'.'vars.sshmon_command' = 'check_zpool_space_tank' diff --git a/nodes/entropia-jira.toml b/nodes/entropia-jira.toml index d4bee28..302756c 100644 --- a/nodes/entropia-jira.toml +++ b/nodes/entropia-jira.toml 
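Review bot: The `[metadata.icinga2_api.custom.services]` block is copied verbatim into both this new node and `nodes/entropia-jira.toml` in the next hunk, so the two check lists will drift the first time one of them is edited; this repo already uses groups (`groups = [...]` on other nodes), so a shared group carrying the eight `sshmon_command` services would keep them in one place. Separately, `'ZPOOL SPACE tank'.'vars.sshmon_command' = 'check_zpool_space_tank'` is the only lower-case command name among upper-case ones; if the remote sshmon side maps these names onto a fixed allowlist, the mismatch is intentional and deserves a comment, otherwise it looks like a typo. The comment `# these checks do not get deployed onto the actual host by us` is helpful but is likewise duplicated and would live better in the shared location.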
@@ -20,3 +20,15 @@ check_command = "check_http_wget" "vars.http_wget_contains" = "login.jsp" "vars.http_wget_url" = "https://jira.gulas.ch/secure/Dashboard.jspa" "vars.notification.sms" = true + +[metadata.icinga2_api.custom.services] +# these checks do not get deployed onto the actual host by us, we only +# execute those checks +'DISK SPACE'.'vars.sshmon_command' = 'DISK_SPACE' +'JIRA HEAP'.'vars.sshmon_command' = 'JIRA_HEAP' +'JIRA THREADS'.'vars.sshmon_command' = 'JIRA_THREADS' +'LOAD'.'vars.sshmon_command' = 'LOAD' +'OOM KILLER'.'vars.sshmon_command' = 'OOM_KILLER' +'RAM'.'vars.sshmon_command' = 'RAM' +'USER PROCESS SECURITY jira'.'vars.sshmon_command' = 'USER_PROCESS_SECURITY_jira' +'ZPOOL SPACE tank'.'vars.sshmon_command' = 'check_zpool_space_tank' From daae7106245cf511d86ad78d40dee7dac6f10e0e Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Wed, 23 Aug 2023 13:47:38 +0200 Subject: [PATCH 259/996] bundles/forgejo: fix version string in update check --- bundles/forgejo/metadata.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/bundles/forgejo/metadata.py b/bundles/forgejo/metadata.py index d94eb9f..7eb43ec 100644 --- a/bundles/forgejo/metadata.py +++ b/bundles/forgejo/metadata.py @@ -26,7 +26,7 @@ defaults = { 'command_on_monitored_host': '/usr/local/share/icinga/plugins/check_systemd_unit forgejo', }, 'FORGEJO UPDATE': { - 'command_on_monitored_host': '/usr/local/share/icinga/plugins/check_forgejo_for_new_release codeberg.org forgejo/forgejo v$(forgejo --version | cut -d" " -f3)', + 'command_on_monitored_host': '/usr/local/share/icinga/plugins/check_forgejo_for_new_release codeberg.org forgejo/forgejo v$(forgejo --version | cut -d" " -f3 | sed "s/\\+/\\-/g")', 'vars.notification.mail': True, 'check_interval': '60m', }, From 10a9e6102664a7649d7ff3576f9ef97e3aef75e8 Mon Sep 17 00:00:00 2001 
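Review bot: The new `sed "s/\\+/\\-/g"` reaches sed as `s/\+/\-/g`, and in basic regex `\+` is a GNU one-or-more quantifier, so the substitution only does what is intended because GNU sed treats a leading `\+` as a literal plus; a plain `+` needs no escaping in BRE, and `tr` is clearer still. Replacing the tail of the pipeline with `| tr "+" "-")` removes both the GNU dependency and the double-backslash dance inside the Python string. The `defaults` dict this entry belongs to starts and ends outside the hunk.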
From: Franziska Kunsmann Date: Wed, 23 Aug 2023 17:17:42 +0200 Subject: [PATCH 260/996] bundles/homeassistant: changes for bookworm --- .../homeassistant/files/homeassistant.service | 2 ++ bundles/homeassistant/items.py | 16 ++++++++-------- bundles/homeassistant/metadata.py | 5 ++++- 3 files changed, 14 insertions(+), 9 deletions(-) diff --git a/bundles/homeassistant/files/homeassistant.service b/bundles/homeassistant/files/homeassistant.service index d97cec7..a650f17 100644 --- a/bundles/homeassistant/files/homeassistant.service +++ b/bundles/homeassistant/files/homeassistant.service @@ -8,6 +8,8 @@ User=homeassistant WorkingDirectory=/var/opt/homeassistant ExecStart=/opt/homeassistant/venv/bin/hass -c "/var/opt/homeassistant" RestartForceExitStatus=100 +Restart=on-failure +RestartSec=2 [Install] WantedBy=multi-user.target diff --git a/bundles/homeassistant/items.py b/bundles/homeassistant/items.py index 6ceeec4..5751178 100644 --- a/bundles/homeassistant/items.py +++ b/bundles/homeassistant/items.py @@ -37,6 +37,13 @@ actions = { 'needs': { 'directory:/opt/homeassistant', 'user:homeassistant', + }, + }, + 'homeassistant_install': { + 'command': 'sudo -u homeassistant /opt/homeassistant/venv/bin/pip install homeassistant', + 'unless': 'test -f /opt/homeassistant/venv/bin/hass', + 'needs': { + 'action:homeassistant_create_virtualenv', 'pkg_apt:bluez', 'pkg_apt:libffi-dev', 'pkg_apt:libssl-dev', @@ -45,17 +52,10 @@ actions = { 'pkg_apt:autoconf', 'pkg_apt:build-essential', 'pkg_apt:libopenjp2-7', - 'pkg_apt:libtiff5', + 'pkg_apt:libtiff6', 'pkg_apt:libturbojpeg0-dev', 'pkg_apt:tzdata', }, - }, - 'homeassistant_install': { - 'command': 'sudo -u homeassistant /opt/homeassistant/venv/bin/pip install homeassistant', - 'unless': 'test -f /opt/homeassistant/venv/bin/hass', - 'needs': { - 'action:homeassistant_create_virtualenv', - }, 'triggers': { 'svc_systemd:homeassistant:restart', }, 
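Review bot: `Restart=on-failure` with `RestartSec=2` runs into systemd's default start limit (5 starts per 10 s) after roughly five consecutive crashes, at which point the unit is left failed and no further restarts happen; if the goal is to keep hass retrying through a longer outage (e.g. until the network is up), either raise `RestartSec` or set `StartLimitIntervalSec=0` in the `[Unit]` section, and if the current behaviour is the intent a comment saying so would help the next reader. The existing `RestartForceExitStatus=100` is now redundant, since a non-zero exit already restarts under `on-failure`; keeping it is harmless, but a comment such as `# hass exits 100 to request a restart` explains why it stays.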
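Review bot: The `homeassistant_install` action that is moved in this hunk runs `pip install homeassistant` with no version pin, so the version installed depends on whatever PyPI serves on the day the `unless` test first fails, which makes rebuilds non-reproducible and skips the review step the other pinned components on this page (element-web, netbox, mautrix) get. If the bundle's metadata carries a version, pass it here, e.g. `'command': f'sudo -u homeassistant /opt/homeassistant/venv/bin/pip install homeassistant=={version}'` (with `version` read from the node metadata as the rest of the bundle presumably does); otherwise a comment noting that the install is intentionally unpinned would make the choice explicit. Moving the `pkg_apt:*` dependencies from the virtualenv action to the install action is otherwise sound, since those libraries are needed at wheel-build time rather than at venv creation.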
diff --git a/bundles/homeassistant/metadata.py b/bundles/homeassistant/metadata.py index 0b41f39..2ecf827 100644 --- a/bundles/homeassistant/metadata.py +++ b/bundles/homeassistant/metadata.py @@ -8,7 +8,7 @@ defaults = { 'libjpeg-dev': {}, 'libopenjp2-7': {}, 'libssl-dev': {}, - 'libtiff5': {}, + 'libtiff6': {}, 'libturbojpeg0-dev': {}, 'python3-packaging': {}, 'tzdata': {}, @@ -22,6 +22,8 @@ defaults = { }, }, } + + @metadata_reactor.provides( 'icinga2_api/homeassistant/services', ) @@ -40,6 +42,7 @@ def icinga_check_for_new_release(metadata): }, } + @metadata_reactor.provides( 'nginx/vhosts/homeassistant', ) From bf9b9b4189a653a1afbeb3a1c540535508f3caeb Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Wed, 23 Aug 2023 17:18:11 +0200 Subject: [PATCH 261/996] home.hass: update to bookworm --- nodes/home.hass.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nodes/home.hass.toml b/nodes/home.hass.toml index 643a7a5..afb4bce 100644 --- a/nodes/home.hass.toml +++ b/nodes/home.hass.toml @@ -3,7 +3,7 @@ bundles = [ 'homeassistant', 'nginx' ] -groups = ["debian-bullseye"] +groups = ["debian-bookworm"] [metadata.interfaces.enp1s0] ips = ["172.19.138.25/24"] From e754b68f06c13166a79bea99c4b369e89f37cbfe Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Wed, 23 Aug 2023 17:18:34 +0200 Subject: [PATCH 262/996] carlene: update travelynx to 2.0.3 --- nodes/carlene.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nodes/carlene.toml b/nodes/carlene.toml index 8befb89..ce1ba64 100644 --- a/nodes/carlene.toml +++ b/nodes/carlene.toml @@ -112,7 +112,7 @@ disks = [ ] [metadata.travelynx] -version = "1.33.7" +version = "2.0.3" mail_from = "travelynx@franzi.business" domain = "travelynx.franzi.business" # the old one from rx300, XXX remove 2024-01-01 From 33d42e24725a8c397ad30dd6e074333e076ed690 Mon Sep 17 00:00:00 2001 
From: Franziska Kunsmann Date: Wed, 23 Aug 2023 17:25:41 +0200 Subject: [PATCH 263/996] bundles/matrix-synapse: ensure we're logging to journal --- bundles/matrix-synapse/files/log.yaml | 21 +++++++++++++++++++++ bundles/matrix-synapse/items.py | 13 +++++++++++-- 2 files changed, 32 insertions(+), 2 deletions(-) create mode 100644 bundles/matrix-synapse/files/log.yaml diff --git a/bundles/matrix-synapse/files/log.yaml b/bundles/matrix-synapse/files/log.yaml new file mode 100644 index 0000000..f2bc9ff --- /dev/null +++ b/bundles/matrix-synapse/files/log.yaml @@ -0,0 +1,21 @@ +version: 1 + +formatters: + journal: + format: '%(name)s - %(lineno)d - %(levelname)s - %(request)s - %(message)s' + +handlers: + console: + class: logging.StreamHandler + formatter: journal + +loggers: + synapse.storage.SQL: + level: INFO + +root: + level: INFO + + handlers: [console] + +disable_existing_loggers: false diff --git a/bundles/matrix-synapse/items.py b/bundles/matrix-synapse/items.py index 172a940..527cc5e 100644 --- a/bundles/matrix-synapse/items.py +++ b/bundles/matrix-synapse/items.py @@ -1,7 +1,15 @@ files = { '/etc/matrix-synapse/homeserver.yaml': { 'content_type': 'mako', - 'context': node.metadata['matrix-synapse'], + 'context': node.metadata.get('matrix-synapse'), + 'needs': { + 'pkg_apt:matrix-synapse-py3', + }, + 'triggers': { + 'svc_systemd:matrix-synapse:restart', + }, + }, + '/etc/matrix-synapse/log.yaml': { 'needs': { 'pkg_apt:matrix-synapse-py3', }, @@ -31,7 +39,7 @@ files = { # Our override.conf ensures this file is never read, so we don't # need to restart synapse after changing stuff in here. 'content_type': 'mako', - 'context': node.metadata['matrix-synapse'], + 'context': node.metadata.get('matrix-synapse'), }, '/etc/matrix-synapse/conf.d/report_stats.yaml': { # see comment above 
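Review bot: The `synapse.storage.SQL: level: INFO` entry in the new `log.yaml` lacks the caveat the upstream sample config carries: at DEBUG that logger emits SQL query parameters, which can include access tokens, and with this handler they would land in the journal. A comment directly above it, `# beware: raising this to DEBUG logs SQL parameters, including access tokens`, stops a future "just turn it up" edit from leaking credentials. The stray blank line between `level: INFO` and `handlers: [console]` under `root:` is harmless but reads as if a key were deleted; dropping it keeps the file tidy.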
@@ -42,6 +50,7 @@ svc_systemd = { 'matrix-synapse': { 'needs': { 'file:/etc/matrix-synapse/homeserver.yaml', + 'file:/etc/matrix-synapse/log.yaml', 'file:/etc/systemd/system/matrix-synapse.service.d/override.conf', 'pkg_apt:matrix-synapse-py3', 'postgres_db:synapse', From bca4d152ea572a79fe214381d53bd6cfa432cc71 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Thu, 24 Aug 2023 07:41:37 +0200 Subject: [PATCH 264/996] bundles/zfs: print `zfs status` output if pool is not online --- bundles/zfs/files/check_zpool_online | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/bundles/zfs/files/check_zpool_online b/bundles/zfs/files/check_zpool_online index 9fb0cae..0e7c16c 100644 --- a/bundles/zfs/files/check_zpool_online +++ b/bundles/zfs/files/check_zpool_online @@ -5,11 +5,14 @@ if [ $# -eq 0 ] ; then exit 3 fi -if [ "$(zpool status "$1" | grep '^ state:')" = ' state: ONLINE' ] +status="$(zpool status "$1")" + +if [ "$(echo "$status" | grep '^ state:')" = ' state: ONLINE' ] then echo "OK - Pool '$1' is online" exit 0 else echo "CRITICAL - Pool '$1' is FAULTY or NOT ONLINE" + echo "$status" exit 2 fi From 48d3f8eee61ddf249b6a68a2f83b54c124440f50 Mon Sep 17 00:00:00 2001 From: Sophie Schiller Date: Thu, 24 Aug 2023 19:12:57 +0200 Subject: [PATCH 265/996] miniserver hedgedoc update --- bundles/hedgedoc/items.py | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/bundles/hedgedoc/items.py b/bundles/hedgedoc/items.py index 8a0219e..d5d256d 100644 --- a/bundles/hedgedoc/items.py +++ b/bundles/hedgedoc/items.py @@ -52,7 +52,7 @@ directories = { if compare(node.metadata.get('hedgedoc/version'), '1.9.7') <= 0: command = ' && '.join([ 'cd /opt/hedgedoc', - 'yarn install --production=true --pure-lockfile --ignore-scripts', + 'yarn workspaces focus --production', 'yarn install --ignore-scripts', 'yarn build', ]) 
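Review bot: Capturing `zpool status "$1"` into `$status` discards its exit code, so a misspelled or missing pool now yields an empty `$status`, falls through to the CRITICAL branch with a misleading "FAULTY or NOT ONLINE" message, and sends zpool's own error to stderr where the monitoring output never sees it. Check the command result and report UNKNOWN instead: `status="$(zpool status "$1" 2>&1)" || { echo "UNKNOWN - zpool status '$1' failed"; echo "$status"; exit 3; }`. The unchanged `grep '^ state:'` comparison then only ever sees real pool output.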
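Review bot: The `<= 1.9.7` branch now mixes Yarn generations: `yarn workspaces focus --production` is a Yarn 2+ workspace-tools command, while the surviving `yarn install --ignore-scripts` on the next line (and the removed `--pure-lockfile`) are Yarn classic syntax, so one of the two lines fails whichever `yarn` is on the host. If old HedgeDoc releases are still built with classic yarn, keep the classic install there and reserve the Berry commands for the newer branch; if the host's yarn is Berry, replace `--ignore-scripts` with the Berry equivalent `--mode=skip-build`. The `hedgedoc_yarn` action in the next hunk (`yarn install --immutable`) is consistently Berry and is fine as is; a comment naming the yarn version each branch expects would prevent the next mix-up.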
@@ -68,8 +68,7 @@ actions = { 'hedgedoc_yarn': { 'command': ' && '.join([ 'cd /opt/hedgedoc', - 'yarn install --production=true --pure-lockfile --ignore-scripts', - 'yarn install --ignore-scripts', + 'yarn install --immutable', 'yarn build', ]), 'needs': { From 0977dd5042e8159e40447770e470c373a27f4d6b Mon Sep 17 00:00:00 2001 From: Sophie Schiller Date: Thu, 24 Aug 2023 19:30:25 +0200 Subject: [PATCH 266/996] miniserver: move webdump to zfs --- nodes/htz-cloud/miniserver.py | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/nodes/htz-cloud/miniserver.py b/nodes/htz-cloud/miniserver.py index fe0732d..fd94b81 100644 --- a/nodes/htz-cloud/miniserver.py +++ b/nodes/htz-cloud/miniserver.py @@ -226,6 +226,14 @@ nodes['htz-cloud.miniserver'] = { }, }, 'zfs': { + "datasets": { + "tank/webdump": { + "mountpoint": "/var/www/webdump.sophies-kitchen.eu", + "needed_by": [ + "directory:/var/www/webdump.sophies-kitchen.eu" + ] + } + }, 'pools': { 'tank': { 'when_creating': { From d0302d826a133a98437ff430444b491bc01cf4cb Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Fri, 25 Aug 2023 11:08:54 +0200 Subject: [PATCH 267/996] bundles/icinga2: add icingaweb2 monitoring config --- bundles/icinga2/files/icingaweb2/monitoring_config.ini | 5 +++++ bundles/icinga2/items.py | 5 +++++ 2 files changed, 10 insertions(+) create mode 100644 bundles/icinga2/files/icingaweb2/monitoring_config.ini diff --git a/bundles/icinga2/files/icingaweb2/monitoring_config.ini b/bundles/icinga2/files/icingaweb2/monitoring_config.ini new file mode 100644 index 0000000..3bfd342 --- /dev/null +++ b/bundles/icinga2/files/icingaweb2/monitoring_config.ini @@ -0,0 +1,5 @@ +[settings] +acknowledge_sticky = 1 +hostdowntime_all_services = 1 +hostdowntime_end_fixed = P1W +hostdowntime_end_fixed = P2D diff --git a/bundles/icinga2/items.py b/bundles/icinga2/items.py index 5f850b0..0732d59 100644 --- a/bundles/icinga2/items.py +++ b/bundles/icinga2/items.py 
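Review bot: `yarn install --immutable` in the `hedgedoc_yarn` action drops the `--ignore-scripts` that both removed lines carried, so dependency lifecycle scripts (preinstall/postinstall) now execute on the host during every deploy of a new hedgedoc version. If the build only needs `yarn build` afterwards, keep scripts off with `yarn install --immutable --mode=skip-build`; otherwise a comment stating that running them is intended would help the next reader. The `<= 1.9.7` branch in the preceding hunk still passes `--ignore-scripts` on its second `yarn install`, so the two branches now differ in this respect without the commit saying why. The enclosing `actions` dict continues outside the hunk.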
@@ -254,6 +254,11 @@ files = { 'mode': '0660', 'group': 'icingaweb2', }, + '/etc/icingaweb2/modules/monitoring/config.ini': { + 'source': 'icingaweb2/monitoring_config.ini', + 'mode': '0660', + 'group': 'icingaweb2', + }, '/etc/icingaweb2/groups.ini': { 'source': 'icingaweb2/groups.ini', 'mode': '0660', From c6120accc19f2dd0377a8d09f62e0f80fe58b807 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Fri, 25 Aug 2023 11:11:48 +0200 Subject: [PATCH 268/996] bundles/icinga2: fix monitoring config --- bundles/icinga2/files/icingaweb2/monitoring_config.ini | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/bundles/icinga2/files/icingaweb2/monitoring_config.ini b/bundles/icinga2/files/icingaweb2/monitoring_config.ini index 3bfd342..8194280 100644 --- a/bundles/icinga2/files/icingaweb2/monitoring_config.ini +++ b/bundles/icinga2/files/icingaweb2/monitoring_config.ini @@ -2,4 +2,4 @@ acknowledge_sticky = 1 hostdowntime_all_services = 1 hostdowntime_end_fixed = P1W -hostdowntime_end_fixed = P2D +servicedowntime_end_fixed = P2D From 8cf2dde6e048ef4ea207aa90c841814068a74cae Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Fri, 25 Aug 2023 12:51:19 +0200 Subject: [PATCH 269/996] add bundle:weechat, migrate weechat from rx300 to carlene --- bundles/weechat/metadata.py | 98 +++++++++++++++++++++++++++++++++++++ nodes/carlene.toml | 13 +++++ nodes/rx300.py | 61 ----------------------- 3 files changed, 111 insertions(+), 61 deletions(-) create mode 100644 bundles/weechat/metadata.py diff --git a/bundles/weechat/metadata.py b/bundles/weechat/metadata.py new file mode 100644 index 0000000..939bc74 --- /dev/null +++ b/bundles/weechat/metadata.py 
@@ -0,0 +1,98 @@ +defaults = { + 'apt': { + 'packages': { + 'libpod-parser-perl': {}, + 'mosh': {}, + 'weechat': {}, + 'weechat-core': {}, + 'weechat-curses': {}, + 'weechat-perl': {}, + 'weechat-plugins': {}, + 'weechat-python': {}, + 'weechat-ruby': {}, + }, + 'repos': { + 'weechat': { + 'items': { + 'deb https://weechat.org/{os} {os_release} main', + }, + }, + }, + }, + 'nftables': { + 'rules': { + 'weechat-mosh': { + 'inet filter input udp dport { 60000-61000 } accept', + }, + }, + }, +} + + +@metadata_reactor.provides( + 'backup-client/pre-hooks', + 'backups/paths', + 'users', + 'zfs/datasets', +) +def paths(metadata): + user = metadata.get('weechat/user') + + return { + 'backup-client': { + 'pre-hooks': { + 'weechat': f""" + echo 'core.weechat */layout store' >> /home/{user}/.weechat/fifo + echo 'core.weechat */save' >> /home/{user}/.weechat/fifo + """, + }, + }, + 'backups': { + 'paths': { + f'/home/{user}/.weechat', + }, + }, + 'users': { + user: { + 'enable_linger': True, + }, + }, + 'zfs': { + 'datasets': { + f'tank/{user}': {}, + f'tank/{user}/weechat': { + 'mountpoint': f'/home/{user}/.weechat', + 'compression': 'on', + }, + }, + }, + } + + +@metadata_reactor.provides( + 'nginx/vhosts', +) +def relay_vhost(metadata): + if not node.has_bundle('nginx'): + raise DoNotRunAgain + + relay_domain = metadata.get('weechat/relay_domain', None) + if relay_domain is None: + return {} + + return { + 'nginx': { + 'vhosts': { + 'weechat': { + 'domain': relay_domain, + 'locations': { + '/weechat': { + 'proxy_read_timeout': '12h', + 'target': 'http://[::1]:9000', + 'websockets': True, + }, + }, + }, + }, + }, + } diff --git a/nodes/carlene.toml b/nodes/carlene.toml index ce1ba64..14132c0 100644 --- a/nodes/carlene.toml +++ b/nodes/carlene.toml 
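Review bot: The `weechat` pre-hook in `paths()` appends to `/home/{user}/.weechat/fifo` with `>>`; when weechat is not running that fifo does not exist, so the redirect silently creates a regular file at that path and the backup proceeds without the `*/save`, while a later weechat start finds a plain file where it expects its fifo. Guarding each line, e.g. `[ -p /home/{user}/.weechat/fifo ] && echo 'core.weechat */save' >> /home/{user}/.weechat/fifo`, keeps the hook a harmless no-op in that case. `user` comes from `metadata.get('weechat/user')` with no default, so a node with the bundle but no user fails at metadata time; a one-line comment stating that the key is required would make that explicit.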
@@ -17,9 +17,15 @@ bundles = [ "check-mail-received", "postgresql", "travelynx", + "weechat", "zfs", ] +[metadata.backups] +paths = [ + "/var/www/paste.franzi.business/", +] + [metadata.check-mail-received.t-online] email = "franzi.kunsmann@t-online.de" imap_host = "secureimap.t-online.de" @@ -123,6 +129,10 @@ ssh_pubkey = [ "ssh-rsa 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", ] +[metadata.weechat] +user = "kunsi" +relay_domain = "irc.franzi.business" + [[metadata.zfs.pools.tank.when_creating.config]] devices = [ "/dev/nvme0n1p3", @@ -133,6 +143,9 @@ type = "mirror" [metadata.zfs.datasets.tank] primarycache = "metadata" +[metadata.zfs.datasets.'tank/kunsi/webdump'] +mountpoint = "/var/www/paste.franzi.business" + [metadata.vm] cpu = 24 ram = 64 diff --git a/nodes/rx300.py b/nodes/rx300.py index 4a15b0c..505e1df 100644 --- a/nodes/rx300.py +++ b/nodes/rx300.py @@ -54,38 +54,6 @@ nodes['rx300'] = { # for `bw test` on jenkins 'bind9utils': {}, - - # used by user:kunsi - 'mosh': {}, - 'weechat': {}, - 'weechat-core': {}, - 'weechat-curses': {}, - 'weechat-perl': {}, - 'weechat-plugins': {}, - 'weechat-python': {}, - 'weechat-ruby': {}, - - # for weechat scripts - 'libpod-parser-perl': {}, - }, - 'repos': { - 'weechat': { - 'items': { - 'deb https://weechat.org/debian {os_release} main', - }, - }, - }, - }, - 'backup-client': { - 'pre-hooks': { - 'kunsi-weechat': \ - 'echo \'core.weechat */layout store\' >> /home/kunsi/.weechat/weechat_fifo\n' \ - 'echo \'core.weechat */save\' >> /home/kunsi/.weechat/weechat_fifo\n', - }, - }, - 'backups': { - 'paths': { - '/home/kunsi/.weechat', }, }, 'check-mail-received': { 
@@ -109,22 +77,6 @@ nodes['rx300'] = { 'allowed_hosts': ['jh.franzi.business'], 'timezone': 'Europe/Berlin', }, - 'letsencrypt': { - 'concat_and_deploy': { - 'kunsi-weechat': { - 'match_domain': 'rx300.kunbox.net', - 'target': '/home/kunsi/.weechat/ssl/relay.pem', - 'chown': 'kunsi:kunsi', - 'chmod': '0440', - 'commands': [ - 'echo \'core.weechat */relay sslcertkey\' >> /home/kunsi/.weechat/weechat_fifo' - ], - }, - }, - 'domains': { - 'rx300.kunbox.net': set(), - }, - }, 'matrix-dimension': { 'url': 'dimension.franzi.business', 'version': 'c6d047c', # XXX master is broken as of 2021-11-27 @@ -175,14 +127,6 @@ nodes['rx300'] = { 'kunsi': 'hostmaster@kunbox.net', }, }, - 'nftables': { - 'rules': { - '50-kunsi-weechat': [ - 'inet filter input udp dport { 60000-61000 } accept', - 'inet filter input tcp dport 9001 accept', - ], - }, - }, 'nginx': { 'security.txt': { 'contact': 'mailto:security@kunsmann.eu', @@ -426,11 +370,6 @@ nodes['rx300'] = { 'threads': 8, 'cache_slabs': 8, }, - 'users': { - 'kunsi': { - 'enable_linger': True, - }, - }, 'zfs': { 'module_options': { 'zfs_arc_max_gb': 48, From c6bb00c1245602324674ae14ce0165d4cee1458f Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sat, 26 Aug 2023 07:28:12 +0200 Subject: [PATCH 270/996] bundles/systemd: ensure we're not logging to syslog --- bundles/systemd/files/journald.conf | 5 +++++ bundles/systemd/metadata.py | 3 +++ 2 files changed, 8 insertions(+) diff --git a/bundles/systemd/files/journald.conf b/bundles/systemd/files/journald.conf index a062649..1ccdb9c 100644 --- a/bundles/systemd/files/journald.conf +++ b/bundles/systemd/files/journald.conf @@ -15,5 +15,10 @@ RuntimeKeepFree=${journal.get('keepfree', '2G')} RuntimeMaxFileSize=100M MaxFileSec=1d +ForwardToSyslog=no +ForwardToKMsg=no +ForwardToConsole=no +ForwardToWall=yes + # Disable auditing Audit=no diff --git a/bundles/systemd/metadata.py b/bundles/systemd/metadata.py index 848a8b9..725fc35 100644 --- a/bundles/systemd/metadata.py 
+++ b/bundles/systemd/metadata.py @@ -7,6 +7,9 @@ defaults = { 'ntp': { 'installed': False, }, + 'rsyslog': { + 'installed': False, + }, }, }, 'icinga2_api': { From 757e9e6bb8fb3647ecccd144c851c27bf5cc464c Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sat, 26 Aug 2023 17:21:23 +0200 Subject: [PATCH 271/996] bundles/nginx: add option to disable anon_timing log --- bundles/nginx/files/site_template | 2 ++ bundles/nginx/items.py | 1 + bundles/nginx/metadata.py | 9 ++++++--- bundles/weechat/metadata.py | 4 ++++ 4 files changed, 13 insertions(+), 3 deletions(-) diff --git a/bundles/nginx/files/site_template b/bundles/nginx/files/site_template index bccff8c..a3271e3 100644 --- a/bundles/nginx/files/site_template +++ b/bundles/nginx/files/site_template @@ -57,7 +57,9 @@ server { % if create_access_log: access_log /var/log/nginx/access-${vhost}.log gdpr; % endif +% if create_timing_log: access_log /var/log/nginx-timing/${vhost}.log anon_timing; +% endif # error_log is disabled globally % if max_body_size: diff --git a/bundles/nginx/items.py b/bundles/nginx/items.py index eb59250..4663f92 100644 --- a/bundles/nginx/items.py +++ b/bundles/nginx/items.py @@ -126,6 +126,7 @@ for vhost, config in node.metadata.get('nginx/vhosts', {}).items(): 'content_type': 'mako', 'context': { 'create_access_log': config.get('access_log', node.metadata.get('nginx/access_log', False)), + 'create_timing_log': config.get('timing_log', True), 'php_version': node.metadata.get('php/version', ''), 'security_txt': security_txt_enabled, 'vhost': vhost, diff --git a/bundles/nginx/metadata.py b/bundles/nginx/metadata.py index ba2d18a..4d926f7 100644 --- a/bundles/nginx/metadata.py +++ b/bundles/nginx/metadata.py 
@@ -189,9 +189,12 @@ def firewall(metadata): def telegraf_anon_timing(metadata): result = {} - for vhost in metadata.get('nginx/vhosts', {}): - result[f'nginx-{vhost}'] = { - 'files': [f'/var/log/nginx-timing/{vhost}.log'], + for vname, vconfig in metadata.get('nginx/vhosts', {}).items(): + if not vconfig.get('timing_log', True): + continue + + result[f'nginx-{vname}'] = { + 'files': [f'/var/log/nginx-timing/{vname}.log'], 'from_beginning': False, 'grok_patterns': ['%{LOGPATTERN}'], 'grok_custom_patterns': 'LOGPATTERN \[%{HTTPDATE:ts:ts-httpd}\] %{NUMBER:request_time:float} (?:%{NUMBER:upstream_response_time:float}|-) "%{WORD:verb:tag} %{NOTSPACE:request} HTTP/%{NUMBER:http_version:float}" %{NUMBER:resp_code:tag}', diff --git a/bundles/weechat/metadata.py b/bundles/weechat/metadata.py index 939bc74..506b5d1 100644 --- a/bundles/weechat/metadata.py +++ b/bundles/weechat/metadata.py @@ -85,6 +85,10 @@ def relay_vhost(metadata): 'vhosts': { 'weechat': { 'domain': relay_domain, + # This only does websockets connections, which stay + # open for a very long time. This only generates + # useless metrics. + 'timing_log': False, 'locations': { '/weechat': { 'proxy_read_timeout': '12h', From 0190555f164392ffd9cae5015385cbe7623b8e74 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 27 Aug 2023 09:17:12 +0200 Subject: [PATCH 272/996] bundles/matrix-synapse: do not log every request --- bundles/matrix-synapse/files/log.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/bundles/matrix-synapse/files/log.yaml b/bundles/matrix-synapse/files/log.yaml index f2bc9ff..de4ff6b 100644 --- a/bundles/matrix-synapse/files/log.yaml +++ b/bundles/matrix-synapse/files/log.yaml @@ -11,10 +11,10 @@ handlers: loggers: synapse.storage.SQL: - level: INFO + level: WARNING root: - level: INFO + level: WARNING handlers: [console] From 50cba7cb495d3706655c75be62064cb0179ba820 Mon Sep 17 00:00:00 2001 
From: Franziska Kunsmann Date: Sun, 27 Aug 2023 09:17:34 +0200 Subject: [PATCH 273/996] bundles/miniflux: use metadata.get() --- bundles/miniflux/items.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/bundles/miniflux/items.py b/bundles/miniflux/items.py index 4e8e015..6ea55ae 100644 --- a/bundles/miniflux/items.py +++ b/bundles/miniflux/items.py @@ -2,8 +2,8 @@ files = { '/etc/miniflux.conf': { 'content_type': 'mako', 'context': { - 'dbpassword': node.metadata['postgresql']['roles']['miniflux']['password'], - 'base_url': node.metadata['miniflux']['domain'], + 'dbpassword': node.metadata.get('postgresql/roles/miniflux/password'), + 'base_url': node.metadata.get('miniflux/domain'), }, 'triggers': { 'svc_systemd:miniflux:restart', From 7dda27b69df57008b4bcd21bcea359383477098b Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 27 Aug 2023 09:17:55 +0200 Subject: [PATCH 274/996] migrate miniflux from rx300 to carlene --- nodes/carlene.toml | 4 ++++ nodes/rx300.py | 5 ----- 2 files changed, 4 insertions(+), 5 deletions(-) diff --git a/nodes/carlene.toml b/nodes/carlene.toml index 14132c0..c25268b 100644 --- a/nodes/carlene.toml +++ b/nodes/carlene.toml @@ -10,6 +10,7 @@ bundles = [ "matrix-synapse", "mautrix-telegram", "mautrix-whatsapp", + "miniflux", "netbox", "nodejs", "redis", @@ -100,6 +101,9 @@ permissions."'@kunsi:franzi.business'" = "admin" domain = "franzi.business" url = "https://matrix.franzi.business" +[metadata.miniflux] +domain = "rss.franzi.business" + [metadata.netbox] domain = "netbox.franzi.business" version = "v3.5.8" diff --git a/nodes/rx300.py b/nodes/rx300.py index 505e1df..d97e944 100644 --- a/nodes/rx300.py +++ b/nodes/rx300.py @@ -14,7 +14,6 @@ nodes['rx300'] = { 'jugendhackt_tools', 'lm-sensors', 'matrix-dimension', - 'miniflux', 'minecraft', 'nodejs', 'ntfy', 
@@ -93,9 +92,6 @@ nodes['rx300'] = { 'botToken': vault.decrypt('encrypt$gAAAAABfVK51ErJ6gfsOOkbRxSHDnVYmf7EihAQf7Uwj9og3TlAw64WRsA6ZVEgTSvOdLB3SMKZ-cTEhwkCOpbymq-_WLhes-hZALhN-H_oXHaxTQErJ0lARynKmjM-4ZhoGlUWlfh4Q'), }, }, - 'miniflux': { - 'domain': 'rss.franzi.business', - }, 'minecraft': { 'heap_mb': 16*1024, 'sha1': '82be5e1bbdfd1bcb001644780562282fd42ee5a9', @@ -135,7 +131,6 @@ nodes['rx300'] = { 'vhosts': { 'jenkins-ci': {'ssl': '_.franzi.business'}, 'matrix-dimension': {'ssl': '_.franzi.business'}, - 'miniflux': {'ssl': '_.franzi.business'}, 'ntfy': {'ssl': '_.franzi.business'}, 'radicale': {'ssl': '_.franzi.business'}, 'daskritzelt-redirect': { From ad2312b7155ec255210cba7beb8846665e2d81e1 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 27 Aug 2023 09:28:57 +0200 Subject: [PATCH 275/996] matrix stuff: make journal usable again --- bundles/matrix-synapse/files/log.yaml | 18 ++++++++++++++++-- bundles/mautrix-telegram/files/config.yaml | 2 +- 2 files changed, 17 insertions(+), 3 deletions(-) diff --git a/bundles/matrix-synapse/files/log.yaml b/bundles/matrix-synapse/files/log.yaml index de4ff6b..7bb4ef2 100644 --- a/bundles/matrix-synapse/files/log.yaml +++ b/bundles/matrix-synapse/files/log.yaml @@ -1,10 +1,25 @@ version: 1 formatters: + precise: + format: '%(asctime)s - %(name)s - %(lineno)d - %(levelname)s - %(request)s - %(message)s' journal: format: '%(name)s - %(lineno)d - %(levelname)s - %(request)s - %(message)s' handlers: + file: + class: logging.handlers.TimedRotatingFileHandler + formatter: precise + filename: /var/log/matrix-synapse/homeserver.log + when: midnight + backupCount: 1 # Does not include the current log file. + encoding: utf8 + buffer: + class: synapse.logging.handlers.PeriodicallyFlushingMemoryHandler + target: file + capacity: 10 + flushLevel: 30 # Flush immediately for WARNING logs and higher + period: 5 console: class: logging.StreamHandler formatter: journal 
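Review bot: The new `file` handler writes `/var/log/matrix-synapse/homeserver.log`, but nothing in this commit creates that directory or gives the synapse service user write access to it; if the package does not ship it, synapse fails at startup when the handler is opened. Separately, `when: midnight` with `backupCount: 1` keeps only the current day plus one rotated file, so once `root` stops going to the journal (the `[buffer]` switch in the following hunk) there are at most about two days of server logs available for troubleshooting or incident review — a larger `backupCount` plus a comment such as `# retention: N days of homeserver.log` would state the intended policy. The `console` handler stays defined but is no longer referenced by any logger after that switch.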
@@ -15,7 +30,6 @@ loggers: root: level: WARNING - - handlers: [console] + handlers: [buffer] disable_existing_loggers: false diff --git a/bundles/mautrix-telegram/files/config.yaml b/bundles/mautrix-telegram/files/config.yaml index 0a3ad1c..1fbe165 100644 --- a/bundles/mautrix-telegram/files/config.yaml +++ b/bundles/mautrix-telegram/files/config.yaml @@ -180,7 +180,7 @@ logging: telethon: level: INFO aiohttp: - level: INFO + level: WARNING root: level: INFO handlers: [console] From bb478430b903ac7c881f16a42d7135a436dcbec4 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 27 Aug 2023 09:38:06 +0200 Subject: [PATCH 276/996] migrate ntfy from rx300 to carlene --- nodes/carlene.toml | 10 ++++++++++ nodes/rx300.py | 9 --------- 2 files changed, 10 insertions(+), 9 deletions(-) diff --git a/nodes/carlene.toml b/nodes/carlene.toml index c25268b..923e5b9 100644 --- a/nodes/carlene.toml +++ b/nodes/carlene.toml @@ -13,6 +13,7 @@ bundles = [ "miniflux", "netbox", "nodejs", + "ntfy", "redis", "smartd", "check-mail-received", @@ -112,6 +113,15 @@ admins.kunsi = "hostmaster@kunbox.net" [metadata.nginx.vhosts.'gaenseblum.eu'.webroot_config] owner = "skye" + +[metadata.ntfy] +domain = "ntfy.franzi.business" +ratelimit-exempt-hosts = [ + "carlene", + "ovh.icinga2", + "rx300", +] + [metadata.postgresql] version = 15 diff --git a/nodes/rx300.py b/nodes/rx300.py index d97e944..c7f07be 100644 --- a/nodes/rx300.py +++ b/nodes/rx300.py @@ -16,7 +16,6 @@ nodes['rx300'] = { 'matrix-dimension', 'minecraft', 'nodejs', - 'ntfy', 'oidentd', 'php', 'postfixadmin', @@ -131,7 +130,6 @@ nodes['rx300'] = { 'vhosts': { 'jenkins-ci': {'ssl': '_.franzi.business'}, 'matrix-dimension': {'ssl': '_.franzi.business'}, - 'ntfy': {'ssl': '_.franzi.business'}, 'radicale': {'ssl': '_.franzi.business'}, 'daskritzelt-redirect': { 'domain': 'die-brontosaurier-waren-es.org', 
@@ -241,13 +239,6 @@ nodes['rx300'] = { }, 'worker_processes': 8, }, - 'ntfy': { - 'domain': 'ntfy.franzi.business', - 'ratelimit-exempt-hosts': { - 'ovh.icinga2', - 'rx300', - }, - }, 'oidentd': { 'allows': { 'kunsi': { From ab3f2df29f632b2333e5b37c083d05eeb9029595 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 27 Aug 2023 10:30:22 +0200 Subject: [PATCH 277/996] update travelynx to 2.1.1 --- nodes/carlene.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nodes/carlene.toml b/nodes/carlene.toml index 923e5b9..05c5a0b 100644 --- a/nodes/carlene.toml +++ b/nodes/carlene.toml @@ -132,7 +132,7 @@ disks = [ ] [metadata.travelynx] -version = "2.0.3" +version = "2.1.1" mail_from = "travelynx@franzi.business" domain = "travelynx.franzi.business" # the old one from rx300, XXX remove 2024-01-01 From 36dac3be7c70e5709e94b91594cc1562e8c9f2f1 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 27 Aug 2023 11:13:35 +0200 Subject: [PATCH 278/996] bundles/weechat: fix weechat fifo path --- bundles/weechat/metadata.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/bundles/weechat/metadata.py b/bundles/weechat/metadata.py index 506b5d1..6efc467 100644 --- a/bundles/weechat/metadata.py +++ b/bundles/weechat/metadata.py @@ -42,8 +42,8 @@ def paths(metadata): 'backup-client': { 'pre-hooks': { 'weechat': f""" - echo 'core.weechat */layout store' >> /home/{user}/.weechat/fifo - echo 'core.weechat */save' >> /home/{user}/.weechat/fifo + echo 'core.weechat */layout store' >> /home/{user}/.weechat/weechat_fifo + echo 'core.weechat */save' >> /home/{user}/.weechat/weechat_fifo """, }, }, From 39576fda386e7632cbfbab44618e8ca7bda41f61 Mon Sep 17 00:00:00 2001 
From: Franziska Kunsmann Date: Mon, 28 Aug 2023 17:21:48 +0200 Subject: [PATCH 279/996] add bundle:rsyslogd --- bundles/rsyslogd/files/logrotate.conf | 10 +++++++++ bundles/rsyslogd/files/rsyslog.conf | 18 +++++++++++++++ bundles/rsyslogd/items.py | 18 +++++++++++++++ bundles/rsyslogd/metadata.py | 32 +++++++++++++++++++++++++++ bundles/systemd/metadata.py | 8 ++++--- nodes/home/nas.py | 6 +++++ 6 files changed, 89 insertions(+), 3 deletions(-) create mode 100644 bundles/rsyslogd/files/logrotate.conf create mode 100644 bundles/rsyslogd/files/rsyslog.conf create mode 100644 bundles/rsyslogd/items.py create mode 100644 bundles/rsyslogd/metadata.py diff --git a/bundles/rsyslogd/files/logrotate.conf b/bundles/rsyslogd/files/logrotate.conf new file mode 100644 index 0000000..1fef33b --- /dev/null +++ b/bundles/rsyslogd/files/logrotate.conf @@ -0,0 +1,10 @@ +/var/log/rsyslog/*/*.log +{ + rotate 4 + daily + missingok + notifempty + compress + delaycompress + copytruncate +} diff --git a/bundles/rsyslogd/files/rsyslog.conf b/bundles/rsyslogd/files/rsyslog.conf new file mode 100644 index 0000000..b7ca916 --- /dev/null +++ b/bundles/rsyslogd/files/rsyslog.conf @@ -0,0 +1,18 @@ +# provides UDP syslog reception +module(load="imudp") +input(type="imudp" port="514") + +# provides TCP syslog reception +module(load="imtcp") +input(type="imtcp" port="514") + +$FileOwner root +$FileGroup adm +$FileCreateMode 0640 +$DirCreateMode 0755 +$Umask 0022 + +$WorkDirectory /var/spool/rsyslog + +$template remote-incoming-logs,"/var/log/rsyslog/%HOSTNAME%/%PROGRAMNAME%.log" +*.* ?remote-incoming-logs diff --git a/bundles/rsyslogd/items.py b/bundles/rsyslogd/items.py new file mode 100644 index 0000000..1ef2572 --- /dev/null +++ b/bundles/rsyslogd/items.py 
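Review bot: `$template remote-incoming-logs,"/var/log/rsyslog/%HOSTNAME%/%PROGRAMNAME%.log"` builds the output path from two fields the sending host controls, and both `imudp` and `imtcp` on 514 accept them from any source the firewall lets through; a hostname or program name containing `/` or `..` could steer writes outside `/var/log/rsyslog`, and arbitrary values create an unbounded number of directories on the receiver. rsyslog's property replacer has options for exactly this: `%HOSTNAME:::secpath-replace%` and `%PROGRAMNAME:::secpath-replace%` (or `secpath-drop`). Neither `input()` sets an `address=` to bind, so exposure rests entirely on the `firewall/port_rules` reactor added in the bundle's metadata.py; a comment above the inputs saying so would help whoever later adds an interface.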
@@ -0,0 +1,18 @@ +files['/etc/logrotate.d/rsyslog'] = { + 'source': 'logrotate.conf', +} + +files['/etc/rsyslog.conf'] = { + 'triggers': { + 'svc_systemd:rsyslog:restart', + }, +} + +svc_systemd['rsyslog'] = { + 'needs': { + 'pkg_apt:rsyslog', + }, + 'after': { + 'file:/etc/rsyslog.conf', + }, +} diff --git a/bundles/rsyslogd/metadata.py b/bundles/rsyslogd/metadata.py new file mode 100644 index 0000000..3fe9624 --- /dev/null +++ b/bundles/rsyslogd/metadata.py @@ -0,0 +1,32 @@ +from bundlewrap.metadata import atomic + +defaults = { + 'apt': { + 'packages': { + 'rsyslog': {}, + }, + }, + 'icinga2_api': { + 'rsyslog': { + 'services': { + 'RSYSLOGD PROCESS': { + 'command_on_monitored_host': '/usr/local/share/icinga/plugins/check_systemd_unit rsyslog', + }, + }, + }, + }, +} + + +@metadata_reactor.provides( + 'firewall/port_rules', +) +def firewall(metadata): + return { + 'firewall': { + 'port_rules': { + '514': atomic(metadata.get('rsyslogd/restrict-to', set())), + '514/udp': atomic(metadata.get('rsyslogd/restrict-to', set())), + }, + }, + } diff --git a/bundles/systemd/metadata.py b/bundles/systemd/metadata.py index 725fc35..15f9b8a 100644 --- a/bundles/systemd/metadata.py +++ b/bundles/systemd/metadata.py @@ -7,9 +7,6 @@ defaults = { 'ntp': { 'installed': False, }, - 'rsyslog': { - 'installed': False, - }, }, }, 'icinga2_api': { @@ -26,6 +23,11 @@ defaults = { }, } +if not node.has_bundle('rsyslogd'): + defaults['apt']['packages']['rsyslog'] = { + 'installed': False, + } + if node.has_bundle('apt') and node.os_version[0] > 10: defaults['apt']['packages']['systemd-timesyncd'] = { 'after': { diff --git a/nodes/home/nas.py b/nodes/home/nas.py index 48c7c4a..8406511 100644 --- a/nodes/home/nas.py +++ b/nodes/home/nas.py @@ -8,6 +8,7 @@ nodes['home.nas'] = { 'mixcloud-downloader', 'mosquitto', 'nfs-server', + 'rsyslogd', 'scansnap', 'smartd', 'vmhost', 
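Review bot: `metadata.get('rsyslogd/restrict-to', set())` feeds both the `'514'` and `'514/udp'` rules in `firewall()`, so a node that adds the bundle without setting `rsyslogd/restrict-to` gets an empty set for each; whether the firewall bundle reads an empty set as "no restriction" or "no rule" is decided outside this hunk, and that is the difference between an open and a closed unauthenticated log sink. A comment above the reactor stating the intended default, e.g. `# restrict-to unset: <state what the firewall bundle does with an empty set>`, or raising when the key is missing, makes the choice explicit. `nodes/home/nas.py` in this commit does set `restrict-to`, so the default is only exercised by future nodes.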
@@ -133,6 +134,11 @@ nodes['home.nas'] = { }, }, }, + 'rsyslogd': { + 'restrict-to': { + 'home', + }, + }, 'smartd': { 'disks': { '/dev/nvme0', From d450a43a96d20f2bc83cee44e7b9ca2b5501f2d8 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Mon, 28 Aug 2023 17:25:34 +0200 Subject: [PATCH 280/996] switches-mikrotik: add rsyslog server --- groups/features.py | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/groups/features.py b/groups/features.py index 8e20009..04dc7d0 100644 --- a/groups/features.py +++ b/groups/features.py @@ -27,6 +27,11 @@ groups['switches-mikrotik'] = { 'bundles': { 'routeros', }, + 'metadata': { + 'routeros': { + 'syslog-server': '172.19.138.20', + }, + }, 'locking_node': 'home.router', 'os': 'routeros', 'username': 'admin', From 01531c62de297c8ab5b3a2db4c811ba9dc2a41f0 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Mon, 28 Aug 2023 17:26:34 +0200 Subject: [PATCH 281/996] bundles/rsyslogd: keep more logfiles --- bundles/rsyslogd/files/logrotate.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/bundles/rsyslogd/files/logrotate.conf b/bundles/rsyslogd/files/logrotate.conf index 1fef33b..66c90fa 100644 --- a/bundles/rsyslogd/files/logrotate.conf +++ b/bundles/rsyslogd/files/logrotate.conf @@ -1,6 +1,6 @@ /var/log/rsyslog/*/*.log { - rotate 4 + rotate 30 daily missingok notifempty From 553ed05ba22c82aa4b4d6224a7db69996a22c029 Mon Sep 17 00:00:00 2001 
From: Franziska Kunsmann Date: Wed, 30 Aug 2023 19:39:36 +0200 Subject: [PATCH 282/996] remove freifunk access points, replace with aruba --- nodes/home.aruba325-office.toml | 6 ++++++ nodes/home.aruba325-schlafzimmer.toml | 6 ++++++ nodes/home.aruba325-wohnzimmer.toml | 6 ++++++ nodes/home.winkeeinhorn-1.toml | 11 ----------- nodes/home.winkeeinhorn-2.toml | 11 ----------- 5 files changed, 18 insertions(+), 22 deletions(-) create mode 100644 nodes/home.aruba325-office.toml create mode 100644 nodes/home.aruba325-schlafzimmer.toml create mode 100644 nodes/home.aruba325-wohnzimmer.toml delete mode 100644 nodes/home.winkeeinhorn-1.toml delete mode 100644 nodes/home.winkeeinhorn-2.toml diff --git a/nodes/home.aruba325-office.toml b/nodes/home.aruba325-office.toml new file mode 100644 index 0000000..1515e76 --- /dev/null +++ b/nodes/home.aruba325-office.toml @@ -0,0 +1,6 @@ +dummy = true + +[metadata.interfaces.eth0] +ips = ["172.19.138.53"] +dhcp = true +mac = "f0:5c:19:cf:9e:72" diff --git a/nodes/home.aruba325-schlafzimmer.toml b/nodes/home.aruba325-schlafzimmer.toml new file mode 100644 index 0000000..27be1ce --- /dev/null +++ b/nodes/home.aruba325-schlafzimmer.toml @@ -0,0 +1,6 @@ +dummy = true + +[metadata.interfaces.eth0] +ips = ["172.19.138.52"] +dhcp = true +mac = "b4:5d:50:c7:11:78" diff --git a/nodes/home.aruba325-wohnzimmer.toml b/nodes/home.aruba325-wohnzimmer.toml new file mode 100644 index 0000000..e3263fd --- /dev/null +++ b/nodes/home.aruba325-wohnzimmer.toml @@ -0,0 +1,6 @@ +dummy = true + +[metadata.interfaces.eth0] +ips = ["172.19.138.51"] +dhcp = true +mac = "f0:5c:19:cf:9f:7e" diff --git a/nodes/home.winkeeinhorn-1.toml b/nodes/home.winkeeinhorn-1.toml deleted file mode 100644 index f2505b5..0000000 --- a/nodes/home.winkeeinhorn-1.toml +++ /dev/null 
@@ -1,11 +0,0 @@ -dummy = true - -[metadata.interfaces.default] -ips = ["172.19.138.11"] -dhcp = true -mac = "f4:06:8d:df:05:60" - -[metadata.icinga2_api.freifunk.services."NODE HEALTH"] -check_command = "check_freifunk_node" -"vars.url" = "https://map.freifunk-mwu.de/data/meshviewer.json" -"vars.id" = "f4068ddf055f" diff --git a/nodes/home.winkeeinhorn-2.toml b/nodes/home.winkeeinhorn-2.toml deleted file mode 100644 index 61e954b..0000000 --- a/nodes/home.winkeeinhorn-2.toml +++ /dev/null @@ -1,11 +0,0 @@ -dummy = true - -[metadata.interfaces.default] -ips = ["172.19.138.12"] -dhcp = true -mac = "f4:06:8d:df:03:38" - -[metadata.icinga2_api.freifunk.services."NODE HEALTH"] -check_command = "check_freifunk_node" -"vars.url" = "https://map.freifunk-mwu.de/data/meshviewer.json" -"vars.id" = "f4068ddf0337" From b01dcb0ff99cbbe5369ea9ac19d4ad4d5db2f373 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Fri, 1 Sep 2023 05:53:37 +0200 Subject: [PATCH 283/996] bundles/nginx: enable creating logs for debugging purposes --- bundles/nginx/files/site_template | 7 +++++-- bundles/nginx/items.py | 2 +- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/bundles/nginx/files/site_template b/bundles/nginx/files/site_template index a3271e3..fdd5279 100644 --- a/bundles/nginx/files/site_template +++ b/bundles/nginx/files/site_template @@ -54,13 +54,16 @@ server { resolver 8.8.8.8 8.8.4.4 valid=300s; resolver_timeout 5s; -% if create_access_log: +% if create_logs: access_log /var/log/nginx/access-${vhost}.log gdpr; + error_log /var/log/nginx/error-${vhost}.log; +% else: + # regular access_log is disabled + # error_log is disabled % endif % if create_timing_log: access_log /var/log/nginx-timing/${vhost}.log anon_timing; % endif - # error_log is disabled globally % if max_body_size: client_max_body_size ${max_body_size}; diff --git a/bundles/nginx/items.py b/bundles/nginx/items.py index 4663f92..2de11db 100644 --- a/bundles/nginx/items.py +++ b/bundles/nginx/items.py 
@@ -125,7 +125,7 @@ for vhost, config in node.metadata.get('nginx/vhosts', {}).items(): 'source': 'site_template', 'content_type': 'mako', 'context': { - 'create_access_log': config.get('access_log', node.metadata.get('nginx/access_log', False)), + 'create_logs': config.get('create_logs', False), 'create_timing_log': config.get('timing_log', True), 'php_version': node.metadata.get('php/version', ''), 'security_txt': security_txt_enabled, From a838f6c5bd481b42a0ebfb5f0a85a461a59f11d7 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Fri, 1 Sep 2023 05:54:23 +0200 Subject: [PATCH 284/996] bundles/postfixadmin: move vhost generation to reactor --- bundles/postfixadmin/metadata.py | 20 ++++++++++++++++++++ nodes/htz-cloud/pirmasens.py | 7 +------ 2 files changed, 21 insertions(+), 6 deletions(-) diff --git a/bundles/postfixadmin/metadata.py b/bundles/postfixadmin/metadata.py index bed7ab6..b9d6379 100644 --- a/bundles/postfixadmin/metadata.py +++ b/bundles/postfixadmin/metadata.py @@ -60,3 +60,23 @@ def icinga_check_for_new_release(metadata): }, }, } + + +@metadata_reactor.provides( + 'nginx/vhosts/postfixadmin', +) +def nginx(metadata): + if not node.has_bundle('nginx'): + raise DoNotRunAgain + + return { + 'nginx': { + 'vhosts': { + 'postfixadmin': { + 'domain': metadata.get('postfixadmin/domain'), + 'webroot': '/opt/postfixadmin/public/', + 'php': True, + }, + }, + }, + } diff --git a/nodes/htz-cloud/pirmasens.py b/nodes/htz-cloud/pirmasens.py index 67d7e12..aa51e2f 100644 --- a/nodes/htz-cloud/pirmasens.py +++ b/nodes/htz-cloud/pirmasens.py @@ -37,12 +37,6 @@ nodes['htz-cloud.pirmasens'] = { }, 'nginx': { 'vhosts': { - 'mail.kunsmann.info': { - 'webroot': '/opt/postfixadmin/public/', - 'php': True, - 'website_check_path': '/login.php', - 'website_check_string': 'login', - }, 'salonkatrin.de': { 'website_check_path': '/', 'website_check_string': 'Salon Katrin', 
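Review bot: `config.get('create_logs', False)` replaces a lookup that fell back to `node.metadata.get('nginx/access_log', False)`, so any node that enabled access logging through `nginx/access_log` silently stops writing access logs once this is deployed, and the commit touches no node metadata. Either keep the node-level fallback, `'create_logs': config.get('create_logs', node.metadata.get('nginx/access_log', False)),`, or confirm that no node still sets `nginx/access_log`. The enclosing `for vhost, config in ...` loop body continues outside the hunk.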
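Review bot: The vhost returned by `nginx()` carries `domain`, `webroot` and `php` but not the `'website_check_path': '/login.php'` / `'website_check_string': 'login'` pair that the removed node-level vhost in `nodes/htz-cloud/pirmasens.py` had, so whatever consumes those keys (presumably the nginx bundle's website monitoring) loses its check of the mail frontend. Adding the two keys back under `'postfixadmin'` keeps the move to the reactor behaviour-neutral. `metadata.get('postfixadmin/domain')` has no default, so a node with the bundle but no `postfixadmin/domain` fails at metadata time; fine if intended, but worth a one-line comment.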
@@ -82,6 +76,7 @@ nodes['htz-cloud.pirmasens'] = { 'message_size_limit_mb': 50, }, 'postfixadmin': { + 'domain': 'mail.kunsmann.info', 'version': '3.3.13', 'setup_password': vault.decrypt('encrypt$gAAAAABgnNGpAqUs--qBXII9ZPcHtxaELy9e2Dx9O44n4l0O4nMHPoIyaPW5HkvpQ2zWTlh5OfjjOgunRtE_voJuY0Kdtji37ixAnuL9ErOJ0LDY5QfMkNPUgPs5alwz1baqYq6rqJ7NDmB0gHraY46v5eG79R2EyQ=='), }, From 97afd6c52298ad0141cf70d9e1865ac46a3eb11f Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Fri, 1 Sep 2023 05:54:54 +0200 Subject: [PATCH 285/996] bundles/php: add php8.2 --- bundles/php/files/8.2/fpm.conf | 27 ++++++++++ bundles/php/files/8.2/php.ini | 99 ++++++++++++++++++++++++++++++++++ 2 files changed, 126 insertions(+) create mode 100644 bundles/php/files/8.2/fpm.conf create mode 100644 bundles/php/files/8.2/php.ini diff --git a/bundles/php/files/8.2/fpm.conf b/bundles/php/files/8.2/fpm.conf new file mode 100644 index 0000000..f3aa189 --- /dev/null +++ b/bundles/php/files/8.2/fpm.conf @@ -0,0 +1,27 @@ +[global] +pid=/run/php/php8.0-fpm.pid +; We're using journal, put logs there +error_log=/var/log/php8.0-fpm.log +daemonize=yes + +; The one and only worker pool we have +[www] +user=www-data +group=www-data +listen=/run/php/php8.2-fpm.sock +listen.owner=www-data +listen.group=www-data +listen.mode=0600 + +; Process Manager Settings +pm=dynamic +pm.max_children=${num_cpus*4} +pm.start_servers=${num_cpus} +pm.max_spare_servers=${num_cpus*2} +pm.min_spare_servers=${num_cpus} +pm.process_idle_timeout=30s +pm.max_requests=1024 + +% if not clear_env: +clear_env=no +% endif diff --git a/bundles/php/files/8.2/php.ini b/bundles/php/files/8.2/php.ini new file mode 100644 index 0000000..c8ef0e9 --- /dev/null +++ b/bundles/php/files/8.2/php.ini 
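Review bot: `pid=/run/php/php8.0-fpm.pid` and `error_log=/var/log/php8.0-fpm.log` in the new `8.2/fpm.conf` still name the 8.0 paths while `listen=` correctly uses `php8.2-fpm.sock`; on a host running both versions the two pools would contend for one pid file and write into one log, and errors would be attributed to the wrong version by anyone reading it. They should read `pid=/run/php/php8.2-fpm.pid` and `error_log=/var/log/php8.2-fpm.log`. The comment `; We're using journal, put logs there` also contradicts the file-based `error_log` directly beneath it; either the comment or the directive should change.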
@@ -0,0 +1,99 @@ +[PHP] +; Only needed for libapache2-mod-php? +engine = On +short_open_tag = Off +precision = 14 +output_buffering = 4096 +zlib.output_compression = Off +implicit_flush = Off +serialize_precision = -1 +disable_functions = pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_get_handler,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,pcntl_async_signals +ignore_user_abort = Off +zend.enable_gc = On +expose_php = Off + +max_execution_time = 30 +max_input_time = 60 +memory_limit = ${memory_limit}M + +error_reporting = E_ALL & ~E_DEPRECATED & ~E_STRICT +display_startup_errors = Off +log_errors = On +log_errors_max_len = 1024 +ignore_repeated_errors = Off +ignore_repeated_source = Off +report_memleaks = On +html_errors = On +error_log = syslog +syslog.ident = php7.4 +syslog.filter = ascii + +arg_separator.output = "&" +variables_order = "GPCS" +request_order = "GP" +register_argc_argv = Off +auto_globals_jit = On +post_max_size = ${post_max_size}M +default_mimetype = "text/html" +default_charset = "UTF-8" + +enable_dl = Off +file_uploads = On +upload_max_filesize = ${post_max_size}M +max_file_uploads = 20 + +allow_url_fopen = On +allow_url_include = Off +default_socket_timeout = 10 + +[CLI Server] +cli_server.color = On + +[mail function] +mail.add_x_header = Off + +[ODBC] +odbc.allow_persistent = On +odbc.check_persistent = On +odbc.max_persistent = -1 +odbc.max_links = -1 +odbc.defaultlrl = 4096 +odbc.defaultbinmode = 1 + +[PostgreSQL] +pgsql.allow_persistent = On +pgsql.auto_reset_persistent = Off +pgsql.max_persistent = -1 +pgsql.max_links = -1 +pgsql.ignore_notice = 0 +pgsql.log_notice = 0 + +[bcmath] +bcmath.scale = 0 + +[Session] +session.save_handler = files +session.use_strict_mode = 0 
+session.use_cookies = 1 +session.use_only_cookies = 1 +session.name = PHPSESSID +session.auto_start = 0 +session.cookie_lifetime = 0 +session.cookie_path = / +session.cookie_domain = +session.cookie_httponly = +session.cookie_samesite = +session.serialize_handler = php +session.gc_probability = 1 +session.gc_divisor = 1000 +session.gc_maxlifetime = 1440 +session.referer_check = +session.cache_limiter = nocache +session.cache_expire = 180 +session.use_trans_sid = 0 +session.sid_length = 32 +session.trans_sid_tags = "a=href,area=href,frame=src,form=" +session.sid_bits_per_character = 6 + +[Assertion] +zend.assertions = -1 From dd8fd452eb2442a74fe02f9847699c64a2f92240 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Fri, 1 Sep 2023 05:55:27 +0200 Subject: [PATCH 286/996] move mail from rx300 to carlene --- groups/locations.py | 6 ++-- nodes/carlene.toml | 77 ++++++++++++++++++++++++++++++++++++++++++--- nodes/rx300.py | 63 ------------------------------------- 3 files changed, 76 insertions(+), 70 deletions(-) diff --git a/groups/locations.py b/groups/locations.py index 15177f6..63447d6 100644 --- a/groups/locations.py +++ b/groups/locations.py @@ -22,7 +22,7 @@ groups['gce'] = { # It's fine to do this without authentificating to the relayhost. # These Systems are not supposed to send mail anywhere else # than our own domains. - 'relayhost': '[rx300.kunbox.net]:2525', + 'relayhost': '[mail.franzi.business]:2525', }, 'sysctl': { 'options': { @@ -90,7 +90,7 @@ groups['home'] = { # It's fine to do this without authentificating to the relayhost. # These Systems are not supposed to send mail anywhere else # than our own domains. - 'relayhost': '[rx300.kunbox.net]:2525', + 'relayhost': '[mail.franzi.business]:2525', }, }, } @@ -102,7 +102,7 @@ groups['ovh'] = { 'metadata': { 'location': 'ovh', 'postfix': { - 'relayhost': '[rx300.kunbox.net]:2525', + 'relayhost': '[mail.franzi.business]:2525', }, 'users': { 'debian': { 
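Review bot: `syslog.ident = php7.4` in the new 8.2 php.ini is a leftover from an older copy, so log lines from this runtime are tagged with the wrong version; it should be `syslog.ident = php8.2`. The session block leaves `session.use_strict_mode = 0` and `session.cookie_httponly =` / `session.cookie_samesite =` empty, which means a client-supplied session id is accepted as-is and the session cookie is readable from script and sent on cross-site requests. Unless an application on these hosts needs that, `session.use_strict_mode = 1`, `session.cookie_httponly = 1` and `session.cookie_samesite = Lax` are the safer defaults, with a comment naming any app that forced an exception.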
diff --git a/nodes/carlene.toml b/nodes/carlene.toml index 05c5a0b..c761435 100644 --- a/nodes/carlene.toml +++ b/nodes/carlene.toml @@ -4,6 +4,8 @@ groups = [ "webserver", ] bundles = [ + "check-mail-received", + "dovecot", "element-web", "forgejo", "matrix-media-repo", @@ -14,10 +16,12 @@ bundles = [ "netbox", "nodejs", "ntfy", - "redis", - "smartd", - "check-mail-received", + "php", + "postfixadmin", "postgresql", + "redis", + "rspamd", + "smartd", "travelynx", "weechat", "zfs", @@ -110,10 +114,13 @@ domain = "netbox.franzi.business" version = "v3.5.8" admins.kunsi = "hostmaster@kunbox.net" +[metadata.nginx.'security.txt'] +contact = "mailto:security@kunsmann.eu" +Encryption = "https://franzi.business/gpg_hi-kunsmann.eu.asc" + [metadata.nginx.vhosts.'gaenseblum.eu'.webroot_config] owner = "skye" - [metadata.ntfy] domain = "ntfy.franzi.business" ratelimit-exempt-hosts = [ 
@@ -122,9 +129,71 @@ ratelimit-exempt-hosts = [ "rx300", ] +[metadata.php] +version = "8.2" +packages = [ + 'gd', + 'imagick', + 'imap', + 'intl', + 'mbstring', + 'opcache', + 'pgsql', + 'readline', + 'xml', + 'yaml', +] + +[metadata.postfix] +message_size_limit_mb = 100 +myhostname = "mail.franzi.business" +mynetworks = ["gce", "ovh"] + +[metadata.postfixadmin] +domain = "postfixadmin.franzi.business" +setup_password = "!decrypt:encrypt$gAAAAABgnNGpAqUs--qBXII9ZPcHtxaELy9e2Dx9O44n4l0O4nMHPoIyaPW5HkvpQ2zWTlh5OfjjOgunRtE_voJuY0Kdtji37ixAnuL9ErOJ0LDY5QfMkNPUgPs5alwz1baqYq6rqJ7NDmB0gHraY46v5eG79R2EyQ==" +version = "3.3.13" + [metadata.postgresql] version = 15 +[metadata.rspamd] +ignore_spam_check_for_ips = [ + # entropia + '45.140.180.32/27', # Entropia e. V. + '45.140.180.112/28', # MicroPOC + '2a0e:c5c0:0:201::/64', # Entropia e. V. + '2a0e:c5c0:0:307::/64', # MicroPOC + + # c3kl + '116.202.19.236', + '2a01:4f8:1c17:cc52::/64', + + # ccc + '212.12.55.65', + '212.12.55.67', + '2a00:14b0:4200:3000:23:55:0:65', + + # IN-Berlin mailman + '130.133.8.35', + '192.109.42.28', + '192.109.42.122', + '193.29.188.9', + '217.197.80.23', + '217.197.80.134', + '2001:bf0:c000:a::2:134', + + # c3voc + '185.106.84.32/26', + '2001:67c:20a0:e::/64', + + # DENOG + '195.20.121.100', + '2001:1440:201:101::5', +] +password = "!bwpass:bw/rx300/rspamd" +dkim = "uO4aNejDvVdw8BKne3KJIqAvCQMJ0416" + [metadata.smartd] disks = [ "/dev/nvme0", diff --git a/nodes/rx300.py b/nodes/rx300.py index c7f07be..bccf91a 100644 --- a/nodes/rx300.py +++ b/nodes/rx300.py @@ -8,7 +8,6 @@ nodes['rx300'] = { 'hostname': '31.47.232.106', 'bundles': { 'check-mail-received', - 'dovecot', 'ipmitool', 'jenkins-ci', 'jugendhackt_tools', @@ -18,11 +17,9 @@ nodes['rx300'] = { 'nodejs', 'oidentd', 'php', - 'postfixadmin', 'postgresql', 'radicale', 'redis', - 'rspamd', 'smartd', 'unbound', 'vmhost', 
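Review bot: `password = "!bwpass:bw/rx300/rspamd"` under `[metadata.rspamd]` still points at the rx300 entry of the password store after the service moved to carlene, so the secret stays tied to the old host's name; either rename the entry or add a comment such as `# shared with the old rx300 entry on purpose` so it is not cleaned up later. The `dkim` selector is copied unchanged from nodes/rx300.py, which is only correct if the signing key behind that selector is also moved to carlene rather than generated fresh by the bundle — a one-line comment either way would help, since a mismatch makes outgoing mail fail DKIM verification. `mynetworks = ["gce", "ovh"]` lets those groups relay through the new host unauthenticated, as the old rx300 block did; a comment pointing to the group definitions in groups/locations.py would make that intent visible here.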
@@ -213,18 +210,6 @@ nodes['rx300'] = { 'owner': 'kunsi', }, }, - 'postfixadmin': { - 'domain': 'postfixadmin.franzi.business', - 'ssl': '_.franzi.business', - 'webroot': '/opt/postfixadmin/public/', - 'php': True, - 'locations': { - '/rspamd/': { - 'target': 'http://localhost:11334/', - 'websockets': True, - }, - } - }, 'wiki.franzi.business': { 'ssl': '_.franzi.business', 'extras': True, @@ -262,17 +247,6 @@ nodes['rx300'] = { 'yaml', }, }, - 'postfix': { - 'message_size_limit_mb': 75, - 'mynetworks': { - 'gce', - 'ovh', - }, - }, - 'postfixadmin': { - 'version': '3.3.13', - 'setup_password': vault.decrypt('encrypt$gAAAAABgnNGpAqUs--qBXII9ZPcHtxaELy9e2Dx9O44n4l0O4nMHPoIyaPW5HkvpQ2zWTlh5OfjjOgunRtE_voJuY0Kdtji37ixAnuL9ErOJ0LDY5QfMkNPUgPs5alwz1baqYq6rqJ7NDmB0gHraY46v5eG79R2EyQ=='), - }, 'postgresql': { 'version': '13', 'max_connections': 500, @@ -287,43 +261,6 @@ nodes['rx300'] = { 'kunsi': bwpass.password('radicale.franzi.business/kunsi'), }, }, - 'rspamd': { - 'ignore_spam_check_for_ips': { - # entropia - '45.140.180.32/27', # Entropia e. V. - '45.140.180.112/28', # MicroPOC - '2a0e:c5c0:0:201::/64', # Entropia e. V. - '2a0e:c5c0:0:307::/64', # MicroPOC - - # c3kl - '116.202.19.236', - '2a01:4f8:1c17:cc52::/64', - - # ccc - '212.12.55.65', - '212.12.55.67', - '2a00:14b0:4200:3000:23:55:0:65', - - # IN-Berlin mailman - '130.133.8.35', - '192.109.42.28', - '192.109.42.122', - '193.29.188.9', - '217.197.80.23', - '217.197.80.134', - '2001:bf0:c000:a::2:134', - - # c3voc - '185.106.84.32/26', - '2001:67c:20a0:e::/64', - - # DENOG - '195.20.121.100', - '2001:1440:201:101::5', - }, - 'password': bwpass.password('bw/rx300/rspamd'), - 'dkim': 'uO4aNejDvVdw8BKne3KJIqAvCQMJ0416', - }, 'smartd': { 'disks': { '/dev/nvme0', From e3784158dee0bb7ef8d075b5822cee0fac7053a3 Mon Sep 17 00:00:00 2001 
From: Franziska Kunsmann Date: Fri, 1 Sep 2023 06:15:38 +0200 Subject: [PATCH 287/996] update element-web to 1.11.40 --- nodes/carlene.toml | 2 +- nodes/htz-cloud.afra.toml | 2 +- nodes/htz-cloud/miniserver.py | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/nodes/carlene.toml b/nodes/carlene.toml index c761435..5597691 100644 --- a/nodes/carlene.toml +++ b/nodes/carlene.toml @@ -39,7 +39,7 @@ imap_pass = "!bwpass_attr:t-online.de/franzi.kunsmann@t-online.de:imap" [metadata.element-web] url = "chat.franzi.business" -version = "v1.11.39" +version = "v1.11.40" [metadata.element-web.config] default_server_config.'m.homeserver'.base_url = "https://matrix.franzi.business" default_server_config.'m.homeserver'.server_name = "franzi.business" diff --git a/nodes/htz-cloud.afra.toml b/nodes/htz-cloud.afra.toml index bb0d02c..611a848 100644 --- a/nodes/htz-cloud.afra.toml +++ b/nodes/htz-cloud.afra.toml @@ -32,7 +32,7 @@ routes.'172.19.136.0/22'.via = "172.19.137.1" [metadata.element-web] url = "element.afra.berlin" -version = "v1.11.39" +version = "v1.11.40" [metadata.element-web.config] default_server_config.'m.homeserver'.base_url = "https://matrix.afra.berlin" diff --git a/nodes/htz-cloud/miniserver.py b/nodes/htz-cloud/miniserver.py index fd94b81..3d77123 100644 --- a/nodes/htz-cloud/miniserver.py +++ b/nodes/htz-cloud/miniserver.py @@ -61,7 +61,7 @@ nodes['htz-cloud.miniserver'] = { }, 'element-web': { 'url': 'chat.sophies-kitchen.eu', - 'version': 'v1.11.39', + 'version': 'v1.11.40', 'config': { 'default_server_config': { 'm.homeserver': { From 43d26650b0abed4a8b6a57ff10da6641a1610111 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Fri, 1 Sep 2023 06:15:54 +0200 Subject: [PATCH 288/996] update netbox to 3.6.0 --- nodes/carlene.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nodes/carlene.toml b/nodes/carlene.toml index 5597691..a689188 100644 --- a/nodes/carlene.toml +++ b/nodes/carlene.toml 
@@ -111,7 +111,7 @@ domain = "rss.franzi.business" [metadata.netbox] domain = "netbox.franzi.business" -version = "v3.5.8" +version = "v3.6.0" admins.kunsi = "hostmaster@kunbox.net" [metadata.nginx.'security.txt'] From 59fd245a3fcefe59d2c68afbf0883a1105e6a3fa Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Fri, 1 Sep 2023 06:16:09 +0200 Subject: [PATCH 289/996] add dynamic node attribute for last apply so we can check if something has changed in the repo since the last apply --- hooks/deploy_commit_hash_to_node.py | 5 +++++ nodes/attributes.py | 24 ++++++++++++++++++++++++ 2 files changed, 29 insertions(+) create mode 100644 hooks/deploy_commit_hash_to_node.py create mode 100644 nodes/attributes.py diff --git a/hooks/deploy_commit_hash_to_node.py b/hooks/deploy_commit_hash_to_node.py new file mode 100644 index 0000000..caddaad --- /dev/null +++ b/hooks/deploy_commit_hash_to_node.py @@ -0,0 +1,5 @@ +def node_apply_end(repo, node, duration, interactive, result, **kwargs): + if not node.os in node.OS_FAMILY_UNIX: + return + + node.run(f'echo "{repo.revision}" > /var/lib/bundlewrap/last_apply_commit_id') diff --git a/nodes/attributes.py b/nodes/attributes.py new file mode 100644 index 0000000..8460bc9 --- /dev/null +++ b/nodes/attributes.py @@ -0,0 +1,24 @@ +from bundlewrap.utils.ui import io +from bundlewrap.utils.scm import get_rev +from bundlewrap.utils.text import red, bold + +@node_attribute +def needs_apply(node): + if node.dummy: + return False + + if node.os not in node.OS_FAMILY_UNIX: + return True + + try: + applied = node.run( + 'cat /var/lib/bundlewrap/last_apply_commit_id', + may_fail=True, + ).stdout.decode().strip() + + if not applied or applied != get_rev(): + return True + except Exception as e: + io.stderr(f'{red("!!!")} {bold(node.name)} {e!r}') + + return False From 194c60ddb217c82345429a4fdda32f082898a4cb Mon Sep 17 00:00:00 2001 
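Review bot: `node_apply_end` ignores the `result` argument, so the revision is written to `/var/lib/bundlewrap/last_apply_commit_id` even when the apply ended with failed items, and `needs_apply` in nodes/attributes.py then reports the node as up to date. If `result` exposes failure counts, the write should be skipped in that case (presumably a failed-items check before `node.run`). The redirect also assumes `/var/lib/bundlewrap` already exists on the node; nothing in this commit creates it, so the `echo` fails on a fresh host. `if not node.os in node.OS_FAMILY_UNIX:` reads better as `if node.os not in node.OS_FAMILY_UNIX:`, matching the form used in nodes/attributes.py.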
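Review bot: In `needs_apply`, the `except Exception` branch prints the error and then falls through to `return False`, so a node that cannot be reached or whose `cat` raises is reported as not needing an apply — the unsafe direction for a "did anything change" check. Returning `True` from the `except` branch (or re-raising) keeps an unreachable node visible. `get_rev()` is also called once per node inside the attribute; hoisting it to a module-level value would avoid repeating the repository lookup, assuming `get_rev()` takes no per-node input.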
From: Franziska Kunsmann Date: Fri, 1 Sep 2023 06:20:19 +0200 Subject: [PATCH 290/996] bundles/ntfy: do not create timing logs --- bundles/ntfy/metadata.py | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/bundles/ntfy/metadata.py b/bundles/ntfy/metadata.py index f2e303f..5b6f81d 100644 --- a/bundles/ntfy/metadata.py +++ b/bundles/ntfy/metadata.py @@ -76,6 +76,10 @@ def nginx(metadata): 'ntfy': { 'domain': metadata.get('ntfy/domain'), 'locations': locations, + # This only does websockets connections, which stay + # open for a very long time. This only generates + # useless metrics. + 'timing_log': False, 'website_check_path': '/', 'website_check_string': 'ntfy', }, From fc75e92a788ee4374f6f3c98e0d3b6bc75616526 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Fri, 1 Sep 2023 06:21:15 +0200 Subject: [PATCH 291/996] dns: new mail server --- data/powerdns/files/bind-zones/kunbox.net | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/data/powerdns/files/bind-zones/kunbox.net b/data/powerdns/files/bind-zones/kunbox.net index 500f336..a1bd83c 100644 --- a/data/powerdns/files/bind-zones/kunbox.net +++ b/data/powerdns/files/bind-zones/kunbox.net @@ -17,7 +17,7 @@ $ORIGIN kunbox.net. IN AAAA 2a00:f820:528::2 ; Needs to have a working Mail address, otherwise Telekom goes mimimi - IN MX 10 rx300 + IN MX 10 mail.franzi.business. IN TXT "v=spf1 mx ~all" ; delegate acme stuff to psql-managed zone From b08c9fb5a4eef1cf21c6613b2c2b9e0d17fdfbee Mon Sep 17 00:00:00 2001 
From: Franziska Kunsmann Date: Sat, 2 Sep 2023 13:35:04 +0200 Subject: [PATCH 292/996] replace matrix-dimension on rx300 with matrix-stickerpicker on carlene --- .../files/matrix-dimension.service | 14 --- .../matrix-dimension/files/production.yaml | 93 --------------- bundles/matrix-dimension/items.py | 78 ------------- bundles/matrix-dimension/metadata.py | 110 ------------------ .../matrix-stickerpicker/files/sticker-import | 7 ++ bundles/matrix-stickerpicker/items.py | 47 ++++++++ bundles/matrix-stickerpicker/metadata.py | 35 ++++++ nodes/carlene.toml | 9 ++ nodes/rx300.py | 35 ------ 9 files changed, 98 insertions(+), 330 deletions(-) delete mode 100644 bundles/matrix-dimension/files/matrix-dimension.service delete mode 100644 bundles/matrix-dimension/files/production.yaml delete mode 100644 bundles/matrix-dimension/items.py delete mode 100644 bundles/matrix-dimension/metadata.py create mode 100644 bundles/matrix-stickerpicker/files/sticker-import create mode 100644 bundles/matrix-stickerpicker/items.py create mode 100644 bundles/matrix-stickerpicker/metadata.py diff --git a/bundles/matrix-dimension/files/matrix-dimension.service b/bundles/matrix-dimension/files/matrix-dimension.service deleted file mode 100644 index 9d2bebc..0000000 --- a/bundles/matrix-dimension/files/matrix-dimension.service +++ /dev/null @@ -1,14 +0,0 @@ -[Unit] -Description=Matrix Dimension -After=network.target - -[Service] -User=matrix-dimension -Group=matrix-dimension -Environment="NODE_ENV=production" -ExecStart=/usr/bin/node ${config['install_dir']}/build/app/index.js -WorkingDirectory=${config['install_dir']} -Restart=on-failure - -[Install] -WantedBy=multi-user.target diff --git a/bundles/matrix-dimension/files/production.yaml b/bundles/matrix-dimension/files/production.yaml deleted file mode 100644 index 321f6d2..0000000 --- a/bundles/matrix-dimension/files/production.yaml +++ /dev/null 
@@ -1,93 +0,0 @@ -# The web settings for the service (API and UI). -# It is best to have this run on localhost and use a reverse proxy to access Dimension. -web: - port: 20030 - address: '127.0.0.1' - -# Homeserver configuration -homeserver: - # The domain name of the homeserver. This is used in many places, such as with go-neb - # setups, to identify the homeserver. - name: "${config['homeserver']['name']}" - - # The URL that Dimension, go-neb, and other services provisioned by Dimension should - # use to access the homeserver with. - clientServerUrl: "${config['homeserver']['clientServerUrl']}" - - # The URL that Dimension should use when trying to communicate with federated APIs on - # the homeserver. If not supplied or left empty Dimension will try to resolve the address - # through the normal federation process. - #federationUrl: "https://t2bot.io:8448" - - # The URL that Dimension will redirect media requests to for downloading media such as - # stickers. If not supplied or left empty Dimension will use the clientServerUrl. - #mediaUrl: "https://t2bot.io" - - # The access token Dimension should use for miscellaneous access to the homeserver, and - # for tracking custom sticker pack updates. This should be a user configured on the homeserver - # and be dedicated to Dimension (create a user named "dimension" on your homeserver). For - # information on how to acquire an access token, visit https://t2bot.io/docs/access_tokens - accessToken: "${config['homeserver']['accessToken']}" - -# These users can modify the integrations this Dimension supports. -# To access the admin interface, open Dimension in Riot and click the settings icon. -admins: -% for i in config['admins']: - - "${i}" -% endfor -# IPs and CIDR ranges listed here will be blocked from being widgets. -# Note: Widgets may still be embedded with restricted content, although not through Dimension directly. 
-widgetBlacklist: - - 10.0.0.0/8 - - 172.16.0.0/12 - - 192.168.0.0/16 - - 127.0.0.0/8 - -database: - # Where the database for Dimension is - uri: "postgres://${node.metadata['matrix-dimension']['database']['user']}:${node.metadata['matrix-dimension']['database']['password']}@${node.metadata['matrix-dimension']['database'].get('host', 'localhost')}/${node.metadata['matrix-dimension']['database']['database']}" - - # Where to store misc information for the utility bot account. - botData: "${config['data_dir']}/dimension.bot.json" - -# Display settings that apply to self-hosted go-neb instances -goneb: - # The avatars to set for each bot. Usually these don't need to be changed, however if your homeserver - # is not able to reach t2bot.io then you should specify your own here. To not use an avatar for a bot, - # make the bot's avatar an empty string. - avatars: - giphy: "mxc://t2bot.io/c5eaab3ef0133c1a61d3c849026deb27" - imgur: "mxc://t2bot.io/6749eaf2b302bb2188ae931b2eeb1513" - github: "mxc://t2bot.io/905b64b3cd8e2347f91a60c5eb0832e1" - wikipedia: "mxc://t2bot.io/7edfb54e9ad9e13fec0df22636feedf1" - travisci: "mxc://t2bot.io/7f4703126906fab8bb27df34a17707a8" - rss: "mxc://t2bot.io/aace4fcbd045f30afc1b4e5f0928f2f3" - google: "mxc://t2bot.io/636ad10742b66c4729bf89881a505142" - guggy: "mxc://t2bot.io/e7ef0ed0ba651aaf907655704f9a7526" - echo: "mxc://t2bot.io/3407ff2db96b4e954fcbf2c6c0415a13" - circleci: "mxc://t2bot.io/cf7d875845a82a6b21f5f66de78f6bee" - jira: "mxc://t2bot.io/f4a38ebcc4280ba5b950163ca3e7c329" - -# Settings for interacting with Telegram. Currently only applies for importing -# sticker packs from Telegram. -telegram: - # Talk to @BotFather on Telegram to get a token - botToken: "${config['telegram']['botToken']}" - -# Custom sticker pack options. 
-# Largely based on https://github.com/turt2live/matrix-sticker-manager -stickers: - # Whether or not to allow people to add custom sticker packs - enabled: true - - # The sticker manager bot to promote - stickerBot: "@stickers:t2bot.io" - - # The sticker manager URL to promote - managerUrl: "https://stickers.t2bot.io" - - -# Settings for controlling how logging works -logging: - console: true - consoleLevel: info diff --git a/bundles/matrix-dimension/items.py b/bundles/matrix-dimension/items.py deleted file mode 100644 index 9744754..0000000 --- a/bundles/matrix-dimension/items.py +++ /dev/null 
@@ -1,78 +0,0 @@ -repo.libs.tools.require_bundle(node, 'nodejs') - - -directories = { - node.metadata['matrix-dimension']['install_dir']: { - 'owner': 'matrix-dimension', - 'group': 'matrix-dimension', - }, -} - -git_deploy = { - node.metadata['matrix-dimension']['install_dir']: { - 'rev': node.metadata.get('matrix-dimension/version', 'master'), # doesn't have releases yet - 'repo': 'https://github.com/turt2live/matrix-dimension.git', - 'triggers': { - 'action:matrix_dimension_build', - }, - 'needs': { - 'directory:{}'.format(node.metadata.get('matrix-dimension/install_dir')), - 'directory:{}'.format(node.metadata.get('matrix-dimension/data_dir')), - }, - }, -} - -files = { - '{}/config/production.yaml'.format(node.metadata.get('matrix-dimension/install_dir')): { - 'owner': 'matrix-dimension', - 'group': 'matrix-dimension', - 'content_type': 'mako', - 'context': { - 'config': node.metadata.get('matrix-dimension', {}), - }, - 'needs': { - 'git_deploy:{}'.format(node.metadata.get('matrix-dimension/install_dir')), - }, - 'triggers': { - 'svc_systemd:matrix-dimension:restart', - }, - }, - '/etc/systemd/system/matrix-dimension.service': { - 'content_type': 'mako', - 'context': { - 'config': node.metadata.get('matrix-dimension', {}), - }, - 'triggers': { - 'action:systemd-reload', - 'svc_systemd:matrix-dimension:restart', - }, - }, -} - -actions = { - 'matrix_dimension_build': { - 'command': ' && '.join([ - 'cd ' + node.metadata.get('matrix-dimension/install_dir'), - 'sudo -u matrix-dimension npm install --legacy-peer-deps', - 'sudo -u matrix-dimension NODE_OPTIONS=--openssl-legacy-provider npm run build', - ]), - 'needs': { - 'pkg_apt:nodejs', - }, - 'triggered': True, - 'triggers': { - 'svc_systemd:matrix-dimension:restart', - }, - }, -} - -svc_systemd = { - 'matrix-dimension': { - 'needs': { - 'action:matrix_dimension_build', - 'file:{}/config/production.yaml'.format(node.metadata.get('matrix-dimension/install_dir')), - 'postgres_db:matrix-dimension', - 
'postgres_role:matrix-dimension', - }, - }, -} diff --git a/bundles/matrix-dimension/metadata.py b/bundles/matrix-dimension/metadata.py deleted file mode 100644 index c3f037d..0000000 --- a/bundles/matrix-dimension/metadata.py +++ /dev/null 
@@ -1,110 +0,0 @@ -defaults = { - 'backups': { - 'paths': { - '/opt/matrix-dimension', - '/var/opt/matrix-dimension', - }, - }, - 'icinga2_api': { - 'matrix-dimension': { - 'services': { - 'MATRIX-DIMENSION PROCESS': { - 'command_on_monitored_host': '/usr/lib/nagios/plugins/check_procs -a matrix-dimension -c 1:', - }, - }, - }, - }, - 'matrix-dimension': { - 'install_dir': '/opt/matrix-dimension', - 'data_dir': '/var/opt/matrix-dimension', - 'database': { - 'user': 'matrix-dimension', - 'password': repo.vault.password_for('{} postgresql matrix-dimension'.format(node.name)), - 'database': 'matrix-dimension', - }, - }, - 'postgresql': { - 'roles': { - 'matrix-dimension': { - 'password': repo.vault.password_for('{} postgresql matrix-dimension'.format(node.name)), - }, - }, - 'databases': { - 'matrix-dimension': { - 'owner': 'matrix-dimension', - }, - }, - }, - 'users': { - 'matrix-dimension': { - 'home': '/var/opt/matrix-dimension', - }, - }, -} - - -@metadata_reactor.provides( - 'nginx/vhosts/matrix-dimension', -) -def nginx_config(metadata): - return { - 'nginx': { - 'vhosts': { - 'matrix-dimension': { - 'domain': metadata.get('matrix-dimension/url'), - 'do_not_set_content_security_headers': True, - 'max_body_size': '50M', - 'locations': { - '/': { - 'target': 'http://127.0.0.1:20030', - }, - }, - }, - }, - }, - } - - -@metadata_reactor.provides( - 'zfs/datasets', -) -def zfs(metadata): - return { - 'zfs': { - 'datasets': { - 'tank/matrix-dimension': {}, - 'tank/matrix-dimension/install': { - 'mountpoint': metadata.get('matrix-dimension/install_dir'), - 'needed_by': { - 'directory:{}'.format(metadata.get('matrix-dimension/install_dir')), - }, - }, - 'tank/matrix-dimension/var': { - 'mountpoint': metadata.get('matrix-dimension/data_dir'), - 'needed_by': { - 'directory:{}'.format(metadata.get('matrix-dimension/data_dir')), - }, - }, - }, - }, - } - - -# XXX enable this once there are releases for matrix-dimension -#@metadata_reactor.provides( -# 
'icinga2_api/matrix-dimension/services', -#) -#def icinga_check_for_new_release(metadata): -# return { -# 'icinga2_api': { -# 'matrix-dimension': { -# 'services': { -# 'MATRIX-DIMENSION UPDATE': { -# 'command_on_monitored_host': '/usr/local/share/icinga/plugins/check_github_for_new_release turt2live/matrix-dimension {}'.format(metadata.get('matrix-dimension/version')), -# 'vars.notification.mail': True, -# 'check_interval': '60m', -# }, -# }, -# }, -# }, -# } diff --git a/bundles/matrix-stickerpicker/files/sticker-import b/bundles/matrix-stickerpicker/files/sticker-import new file mode 100644 index 0000000..fd765c9 --- /dev/null +++ b/bundles/matrix-stickerpicker/files/sticker-import @@ -0,0 +1,7 @@ +#!/bin/bash + +/opt/matrix-stickerpicker/venv/bin/sticker-import \ + --config /opt/matrix-stickerpicker/config.json \ + --session /opt/matrix-stickerpicker/sticker-import.session \ + --output-dir /var/opt/matrix-stickerpicker/ \ + "$@" diff --git a/bundles/matrix-stickerpicker/items.py b/bundles/matrix-stickerpicker/items.py new file mode 100644 index 0000000..0cbe6c5 --- /dev/null +++ b/bundles/matrix-stickerpicker/items.py 
@@ -0,0 +1,47 @@ +actions['matrix-stickerpicker_create_virtualenv'] = { + 'command': '/usr/bin/python3 -m virtualenv -p python3 /opt/matrix-stickerpicker/venv/', + 'unless': 'test -d /opt/matrix-stickerpicker/venv/', + 'needs': { + # actually /opt/matrix-stickerpicker, but we don't create that + 'directory:/opt/matrix-stickerpicker/src', + }, +} + +actions['matrix-stickerpicker_install'] = { + 'command': 'cd /opt/matrix-stickerpicker/src && /opt/matrix-stickerpicker/venv/bin/pip install --upgrade pip .', + 'needs': { + 'action:matrix-stickerpicker_create_virtualenv', + }, + 'triggered': True, +} + +users['matrix-stickerpicker'] = { + 'home': '/opt/matrix-stickerpicker', +} + +files['/usr/local/bin/sticker-import'] = { + 'mode': '0700', +} + +files['/opt/matrix-stickerpicker/config.json'] = { + 'content': repo.libs.faults.dict_as_json(node.metadata.get('matrix-stickerpicker/config')), +} + +directories['/opt/matrix-stickerpicker/src'] = {} + +directories['/var/opt/matrix-stickerpicker'] = {} + +git_deploy['/opt/matrix-stickerpicker/src'] = { + 'repo': 'https://github.com/maunium/stickerpicker.git', + 'rev': node.metadata.get('matrix-stickerpicker/version', 'master'), + 'triggers': { + 'action:matrix-stickerpicker_install', + }, +} + +symlinks['/opt/matrix-stickerpicker/src/web/packs'] = { + 'target': '/var/opt/matrix-stickerpicker', + 'after': { + 'git_deploy:/opt/matrix-stickerpicker/src', + }, +} diff --git a/bundles/matrix-stickerpicker/metadata.py b/bundles/matrix-stickerpicker/metadata.py new file mode 100644 index 0000000..32bc870 --- /dev/null +++ b/bundles/matrix-stickerpicker/metadata.py 
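Review bot: `files['/opt/matrix-stickerpicker/config.json']` is rendered from `matrix-stickerpicker/config`, which on carlene carries the homeserver `access_token`, yet the item sets no `mode` or `owner`, so the file gets whatever the default permissions are; `'mode': '0600',` next to `'content'` keeps the token from being world-readable. The `matrix-stickerpicker` user is created but nothing here runs as it: the virtualenv and pip actions, the git checkout and the `/usr/local/bin/sticker-import` wrapper (mode `0700`) all run as the applying user, presumably root, so either the actions should drop to that user (as the removed matrix-dimension bundle did with `sudo -u`) or the user item should go. `rev` defaults to `master`, so each apply may pull new upstream code into that virtualenv; pinning `matrix-stickerpicker/version` on the node would make installs reproducible.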
@@ -0,0 +1,35 @@ +defaults = { + 'backups': { + 'paths': '/var/opt/matrix-stickerpicker', + }, + 'zfs': { + 'datasets': { + 'tank/matrix-stickerpicker': { + 'mountpoint': '/var/opt/matrix-stickerpicker', + 'needed_by': { + 'directory:/var/opt/matrix-stickerpicker', + }, + }, + }, + }, +} + + +@metadata_reactor.provides( + 'nginx/vhosts/matrix-stickerpicker', +) +def nginx(metadata): + if not node.has_bundle('nginx'): + raise DoNotRunAgain + + return { + 'nginx': { + 'vhosts': { + 'matrix-stickerpicker': { + 'domain': metadata.get('matrix-stickerpicker/domain'), + 'do_not_set_content_security_headers': True, + 'webroot': '/opt/matrix-stickerpicker/src/web/', + }, + }, + }, + } diff --git a/nodes/carlene.toml b/nodes/carlene.toml index a689188..8835238 100644 --- a/nodes/carlene.toml +++ b/nodes/carlene.toml @@ -9,6 +9,7 @@ bundles = [ "element-web", "forgejo", "matrix-media-repo", + "matrix-stickerpicker", "matrix-synapse", "mautrix-telegram", "mautrix-whatsapp", 
@@ -75,6 +76,14 @@ version = "v1.2.13" api = "synapse" domain = "http://[::1]:20080/" +[metadata.matrix-stickerpicker] +# use this bot token: encrypt$gAAAAABfVK51ErJ6gfsOOkbRxSHDnVYmf7EihAQf7Uwj9og3TlAw64WRsA6ZVEgTSvOdLB3SMKZ-cTEhwkCOpbymq-_WLhes-hZALhN-H_oXHaxTQErJ0lARynKmjM-4ZhoGlUWlfh4Q +domain = "matrix-stickers.franzi.business" +[metadata.matrix-stickerpicker.config] +access_token = "!decrypt:encrypt$gAAAAABg-wBmGbAy-Ou1mkG2w5UyoqWmWYzDr4ZavyUQdmG_VtrUSmwHjx-qcBGIz_7NniD3zKm9GGvzRZItDu5zYiojcudYr74TkWJKhdDrgFbcWlfJJ_m3bWzrSORaTYzBGRckp2Vz_8xHgDk1W03vpT6mdIPMDzjuINssIcPs0YDth25W942tMfPA2csvLADY50qVRMJpdBOVIWba55o0g6-mAAQLOz6Ld4cCvYqZsqXsxjT8JUytJv_uSG4zgCS_aX20JlAyJWpJgT8FQF5HzIbsko_-Z9-TwtY7yllJp5Ri3n0WaDaWoMmUfhLvkMJeymmOc32A4WJBAePQ_2F-_oUDE7t97A-m3ZiMVAEefDnH5MkoiQEJTfHrJsXRkdBT_BnJlY1CoAuXpRYDdvbVDwN_qZHHHtqsno437l9S6GgDK_-sKBiojYkYsfHcJCdSEqeFGuxT" +homeserver = "https://matrix.franzi.business" +user_id = "@dimension:franzi.business" + [metadata.matrix-synapse] admin_contact = "mailto:hostmaster@kunbox.net" baseurl = "matrix.franzi.business" diff --git a/nodes/rx300.py b/nodes/rx300.py index bccf91a..917c9c6 100644 --- a/nodes/rx300.py +++ b/nodes/rx300.py @@ -12,7 +12,6 @@ nodes['rx300'] = { 'jenkins-ci', 'jugendhackt_tools', 'lm-sensors', - 'matrix-dimension', 'minecraft', 'nodejs', 'oidentd', 
@@ -72,22 +71,6 @@ nodes['rx300'] = { 'allowed_hosts': ['jh.franzi.business'], 'timezone': 'Europe/Berlin', }, - 'matrix-dimension': { - 'url': 'dimension.franzi.business', - 'version': 'c6d047c', # XXX master is broken as of 2021-11-27 - 'homeserver': { - 'name': 'franzi.business', - 'clientServerUrl': 'https://matrix.franzi.business', - 'accessToken': vault.decrypt('encrypt$gAAAAABg-wBmGbAy-Ou1mkG2w5UyoqWmWYzDr4ZavyUQdmG_VtrUSmwHjx-qcBGIz_7NniD3zKm9GGvzRZItDu5zYiojcudYr74TkWJKhdDrgFbcWlfJJ_m3bWzrSORaTYzBGRckp2Vz_8xHgDk1W03vpT6mdIPMDzjuINssIcPs0YDth25W942tMfPA2csvLADY50qVRMJpdBOVIWba55o0g6-mAAQLOz6Ld4cCvYqZsqXsxjT8JUytJv_uSG4zgCS_aX20JlAyJWpJgT8FQF5HzIbsko_-Z9-TwtY7yllJp5Ri3n0WaDaWoMmUfhLvkMJeymmOc32A4WJBAePQ_2F-_oUDE7t97A-m3ZiMVAEefDnH5MkoiQEJTfHrJsXRkdBT_BnJlY1CoAuXpRYDdvbVDwN_qZHHHtqsno437l9S6GgDK_-sKBiojYkYsfHcJCdSEqeFGuxT'), - }, - 'admins': [ - '@kunsi:franzi.business', - ], - 'telegram': { - # same as for mautrix-telegram - 'botToken': vault.decrypt('encrypt$gAAAAABfVK51ErJ6gfsOOkbRxSHDnVYmf7EihAQf7Uwj9og3TlAw64WRsA6ZVEgTSvOdLB3SMKZ-cTEhwkCOpbymq-_WLhes-hZALhN-H_oXHaxTQErJ0lARynKmjM-4ZhoGlUWlfh4Q'), - }, - }, 'minecraft': { 'heap_mb': 16*1024, 'sha1': '82be5e1bbdfd1bcb001644780562282fd42ee5a9', @@ -102,23 +85,6 @@ nodes['rx300'] = { }, 'restrict-to': {'*'}, }, - 'mx-puppet-discord': { - 'homeserver': { - 'domain': 'franzi.business', - 'url': 'https://matrix.franzi.business', - }, - 'allowed-users': { - '@.*:franzi\\\\.business', - }, - }, - 'netbox': { - 'domain': 'netbox.franzi.business', - 'version': 'v3.5.6', - 'changelog_retention_days': 360, - 'admins': { - 'kunsi': 'hostmaster@kunbox.net', - }, - }, 'nginx': { 'security.txt': { 'contact': 'mailto:security@kunsmann.eu', @@ -126,7 +92,6 @@ nodes['rx300'] = { }, 'vhosts': { 'jenkins-ci': {'ssl': '_.franzi.business'}, - 'matrix-dimension': {'ssl': '_.franzi.business'}, 'radicale': {'ssl': '_.franzi.business'}, 'daskritzelt-redirect': { 'domain': 'die-brontosaurier-waren-es.org', 
From 8cfcefcfc422dcadf2ae216c814c7219000a6f63 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sat, 2 Sep 2023 20:48:15 +0200 Subject: [PATCH 293/996] bundles/matrix-stickerpicker: fix backup paths --- bundles/matrix-stickerpicker/metadata.py | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/bundles/matrix-stickerpicker/metadata.py b/bundles/matrix-stickerpicker/metadata.py index 32bc870..e491a9d 100644 --- a/bundles/matrix-stickerpicker/metadata.py +++ b/bundles/matrix-stickerpicker/metadata.py @@ -1,6 +1,8 @@ defaults = { 'backups': { - 'paths': '/var/opt/matrix-stickerpicker', + 'paths': { + '/var/opt/matrix-stickerpicker', + }, }, 'zfs': { 'datasets': { From 72607adbfe0947e9269e21c5317da029b7b78d8d Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sat, 2 Sep 2023 20:48:41 +0200 Subject: [PATCH 294/996] bundles/nginx: allow vhosts to set their own index files --- bundles/nginx/metadata.py | 3 +++ 1 file changed, 3 insertions(+) diff --git a/bundles/nginx/metadata.py b/bundles/nginx/metadata.py index 4d926f7..1d386dd 100644 --- a/bundles/nginx/metadata.py +++ b/bundles/nginx/metadata.py @@ -103,6 +103,9 @@ def index_files(metadata): vhosts = {} for vhost, config in metadata.get('nginx/vhosts', {}).items(): + if 'index' in config: + continue + vhosts[vhost] = { 'index': [ 'index.html', From ea77c68e16b772e2fdad3a4ee254b55c4fd228e0 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sat, 2 Sep 2023 20:49:05 +0200 Subject: [PATCH 295/996] bundles/nginx: hide content security headers coming from php --- bundles/nginx/files/site_template | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/bundles/nginx/files/site_template b/bundles/nginx/files/site_template index fdd5279..51dd27e 100644 --- a/bundles/nginx/files/site_template +++ b/bundles/nginx/files/site_template 
@@ -149,9 +149,16 @@ server { % endfor % endif % if php: - location ~ \.php$ { + location ~ \.php(?:$|/) { include fastcgi.conf; fastcgi_pass unix:/run/php/php${php_version}-fpm.sock; +% if not do_not_set_content_security_headers: + fastcgi_hide_header Referrer-Policy; + fastcgi_hide_header X-Frame-Options; + fastcgi_hide_header X-Content-Type-Options; + fastcgi_hide_header X-XSS-Protection; +% endif + fastcgi_hide_header Permissions-Policy; } % if not max_body_size: client_max_body_size 5M; From 0001b5639b15edb4a842529c7739b8cf6b9eda8a Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sat, 2 Sep 2023 20:49:34 +0200 Subject: [PATCH 296/996] kunsi-p14s: bug has been fixed --- nodes/kunsi-p14s.py | 8 -------- 1 file changed, 8 deletions(-) diff --git a/nodes/kunsi-p14s.py b/nodes/kunsi-p14s.py index bd0dd03..30cc830 100644 --- a/nodes/kunsi-p14s.py +++ b/nodes/kunsi-p14s.py @@ -111,14 +111,6 @@ nodes['kunsi-p14s'] = { 'x32edit': {}, }, }, - 'sysctl': { - 'options': { - # XXX temp, try to find out why the system randomly - # hangs when using wifi, but only after suspending or - # switching from ethernet. - 'net.ipv6.conf.wlp3s0.disable_ipv6': '1', - }, - }, 'systemd-boot': { 'default': 'arch', 'entries': { From ad24c0ea5b5ed7fb495e80e1dd2c677d9a04fd9b Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sat, 2 Sep 2023 21:14:38 +0200 Subject: [PATCH 297/996] add bundle:nextcloud to carlene --- bundles/nextcloud/metadata.py | 87 +++++++++++++++++++++++ data/nextcloud/nginx.conf | 31 ++++++++ data/nginx/files/extras/carlene/nextcloud | 1 + libs/defaults.py | 3 +- nodes/carlene.toml | 4 ++ 5 files changed, 125 insertions(+), 1 deletion(-) create mode 100644 bundles/nextcloud/metadata.py create mode 100644 data/nextcloud/nginx.conf create mode 120000 data/nginx/files/extras/carlene/nextcloud diff --git a/bundles/nextcloud/metadata.py b/bundles/nextcloud/metadata.py new file mode 100644 index 0000000..488d354 --- /dev/null +++ b/bundles/nextcloud/metadata.py 
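Review bot: The widened `location ~ \.php(?:$|/)` now routes URIs like `/index.php/foo` to PHP-FPM, but the hunk adds no `fastcgi_split_path_info`, so with `include fastcgi.conf` the SCRIPT_FILENAME handed over is `$document_root/index.php/foo` and resolving the real script is left to PHP's `cgi.fix_pathinfo` path walking. The icingaweb2 snippet later on this page already uses `fastcgi_split_path_info ^(.+\.php)(/.+)$;`; adding that here together with `try_files $fastcgi_script_name =404;` before `fastcgi_pass` makes nginx verify that the script file itself exists and passes the remainder as PATH_INFO. The `Permissions-Policy` hide line is applied unconditionally while the other four are gated on `do_not_set_content_security_headers`; a one-line comment on why that header is treated differently would help the next reader. The enclosing `server` block starts and ends outside the hunk.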
@@ -0,0 +1,87 @@ +defaults = { + 'backups': { + 'paths': { + '/var/www/nextcloud', + }, + }, + 'php': { + 'clear_env': False, + 'memory_limit': 512, + 'packages': { + 'bcmath', + 'bz2', + 'curl', + 'gd', + 'gmp', + 'imagick', + 'intl', + 'mbstring', + 'opcache', + 'pgsql', + 'redis', + 'xml', + 'yaml', + 'zip', + }, + }, + 'postgresql': { + 'roles': { + 'nextcloud': { + 'password': repo.vault.password_for(f'{node.name} postgresql nextcloud'), + }, + }, + 'databases': { + 'nextcloud': { + 'owner': 'nextcloud', + }, + }, + }, + 'systemd-timers': { + 'timers': { + 'nextcloud-cron': { + 'command': '/usr/bin/php -f /var/www/nextcloud/cron.php', + 'pwd': '/var/www/nextcloud', + 'user': 'www-data', + 'when': '*:00/5', + }, + }, + }, + 'zfs': { + 'datasets': { + 'tank/nextcloud': { + 'mountpoint': '/var/www/nextcloud', + 'needed_by': { + 'directory:/var/www/nextcloud', + }, + }, + }, + }, +} + + +@metadata_reactor.provides( + 'nginx/vhosts/nextcloud', +) +def nginx(metadata): + if not node.has_bundle('nginx'): + raise DoNotRunAgain + + return { + 'nginx': { + 'vhosts': { + 'nextcloud': { + 'domain': metadata.get('nextcloud/domain'), + 'php': True, + 'extras': True, + 'index': [ + 'index.php', + 'index.html', + '/index.php$request_uri', + ], + 'webroot_config': { + 'owner': 'www-data', + }, + }, + }, + }, + } diff --git a/data/nextcloud/nginx.conf b/data/nextcloud/nginx.conf new file mode 100644 index 0000000..d58819c --- /dev/null +++ b/data/nextcloud/nginx.conf 
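Review bot: `'clear_env': False` in the `php` defaults disables php-fpm's environment scrubbing, so every variable in the FPM master's environment becomes visible to PHP scripts, and nothing in the hunk says which variable Nextcloud actually needs from it. A comment on that line, e.g. `# clear_env=False: Nextcloud needs [VARIABLE] from the FPM environment`, would let a later reader decide whether the setting can be reverted. The `nginx` reactor calls `metadata.get('nextcloud/domain')` without a default, which is fine if a missing domain is meant to fail the run loudly; a short docstring stating that intent would make it explicit.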
@@ -0,0 +1,31 @@ + location ^~ /.well-known { + location = /.well-known/carddav { return 301 /remote.php/dav/; } + location = /.well-known/caldav { return 301 /remote.php/dav/; } + + return 301 /index.php$request_uri; + } + + + location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)(?:$|/) { return 404; } + location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) { return 404; } + + location ~ \.(?:css|js|mjs|svg|gif|png|jpg|ico|wasm|tflite|map)$ { + try_files $uri /index.php$request_uri; + + location ~ \.wasm$ { + default_type application/wasm; + } + } + + location ~ \.woff2?$ { + try_files $uri /index.php$request_uri; + expires 7d; + } + + location /remote { + return 301 /remote.php$request_uri; + } + + location / { + try_files $uri $uri/ /index.php$request_uri; + } diff --git a/data/nginx/files/extras/carlene/nextcloud b/data/nginx/files/extras/carlene/nextcloud new file mode 120000 index 0000000..eaabf9e --- /dev/null +++ b/data/nginx/files/extras/carlene/nextcloud @@ -0,0 +1 @@ +../../../../nextcloud/nginx.conf \ No newline at end of file diff --git a/libs/defaults.py b/libs/defaults.py index e746722..25a9895 100644 --- a/libs/defaults.py +++ b/libs/defaults.py @@ -13,9 +13,10 @@ nameservers = [*nameservers_ipv4, *nameservers_ipv6] redis_databases = { 'matrix-media-repo': 7, 'netbox': (4, 5), - 'rspamd': 6, + 'nextcloud': 7, 'paperless-ng': None, # probably 0, but undocumented 'pretalx': (1, 2, 3), + 'rspamd': 6, } security_email = f'mailto:{hostmaster_email}' diff --git a/nodes/carlene.toml b/nodes/carlene.toml index 8835238..70d24f8 100644 --- a/nodes/carlene.toml +++ b/nodes/carlene.toml @@ -15,6 +15,7 @@ bundles = [ "mautrix-whatsapp", "miniflux", "netbox", + "nextcloud", "nodejs", "ntfy", "php", 
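Review bot: The two `return 404` regex locations only protect their listed prefixes if nginx evaluates them before the PHP handler, and since nginx picks the first matching regex location in file order, the outcome depends on where the site_template places this extras include relative to its `location ~ \.php(?:$|/)` block, which is not visible here. Nextcloud's reference nginx config removes that ordering dependence by limiting PHP execution to its front-controller scripts (index.php, remote.php, public.php, cron.php, status.php and a few more) rather than every `.php` below the webroot; worth either adopting that allow-list or documenting the required include order in a comment at the top of this file. The `$request_uri` in the `/.well-known` redirects preserves the original query string, which matches the upstream config.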
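Review bot: `'nextcloud': 7` reuses the Redis database number already assigned to `'matrix-media-repo': 7` two lines above, whereas every other entry in `redis_databases` is unique. If both bundles ever share a host they will share one keyspace, and a flush or key collision in one affects the other; the next free number from what is visible is 8, i.e. `'nextcloud': 8,`. Whether the map is enforced per node is not visible in the hunk, so this is hedged on that.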
@@ -123,6 +124,9 @@ domain = "netbox.franzi.business" version = "v3.6.0" admins.kunsi = "hostmaster@kunbox.net" +[metadata.nextcloud] +domain = "warnochwas.de" + [metadata.nginx.'security.txt'] contact = "mailto:security@kunsmann.eu" Encryption = "https://franzi.business/gpg_hi-kunsmann.eu.asc" From 2d201ebf0e275b7884eaeb04e03bcae71aac7b1e Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 3 Sep 2023 12:02:36 +0200 Subject: [PATCH 298/996] new access points, who dis? --- configs/netbox_device_home.switch-rack.json | 18 ++++++++++-------- 1 file changed, 10 insertions(+), 8 deletions(-) diff --git a/configs/netbox_device_home.switch-rack.json b/configs/netbox_device_home.switch-rack.json index 09d3775..991eed5 100644 --- a/configs/netbox_device_home.switch-rack.json +++ b/configs/netbox_device_home.switch-rack.json @@ -154,23 +154,23 @@ "untagged_vlan": "home.clients" }, "ether3": { - "description": "home.winkeeinhorn-1 (LAN)", + "description": "home.aruba325-schlafzimmer", "enabled": true, "ips": [], "mode": "TAGGED", "tagged_vlans": [ - "ffwi.mesh" + "ffwi.client" ], "type": "A_1000BASE_T", "untagged_vlan": "home.clients" }, "ether4": { - "description": "home.winkeeinhorn-2 (LAN)", + "description": "home.aruba325-wohnzimmer", "enabled": true, "ips": [], "mode": "TAGGED", "tagged_vlans": [ - "ffwi.mesh" + "ffwi.client" ], "type": "A_1000BASE_T", "untagged_vlan": "home.clients" @@ -185,13 +185,15 @@ "untagged_vlan": null }, "ether6": { - "description": "isanet", + "description": "home.aruba325-office", "enabled": true, "ips": [], - "mode": "ACCESS", - "tagged_vlans": [], + "mode": "TAGGED", + "tagged_vlans": [ + "ffwi.client" + ], "type": "A_1000BASE_T", - "untagged_vlan": "home.dmz" + "untagged_vlan": "home.clients" }, "ether7": { "description": "RIPE-Probe #28280 (LAN)", From a33076186be37fca8d49741f82df906931ce4d75 Mon Sep 17 00:00:00 2001 
From: Franziska Kunsmann Date: Sun, 3 Sep 2023 12:19:34 +0200 Subject: [PATCH 299/996] bundles/nextcloud: install php-apcu --- bundles/nextcloud/metadata.py | 1 + 1 file changed, 1 insertion(+) diff --git a/bundles/nextcloud/metadata.py b/bundles/nextcloud/metadata.py index 488d354..36ff78c 100644 --- a/bundles/nextcloud/metadata.py +++ b/bundles/nextcloud/metadata.py @@ -8,6 +8,7 @@ defaults = { 'clear_env': False, 'memory_limit': 512, 'packages': { + 'apcu', 'bcmath', 'bz2', 'curl', From 94bee38ca7e26de112389acb4be6dc3d331c3568 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 3 Sep 2023 12:20:24 +0200 Subject: [PATCH 300/996] bundles/php: fix some typos --- bundles/php/files/8.2/php.ini | 2 +- bundles/php/items.py | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/bundles/php/files/8.2/php.ini b/bundles/php/files/8.2/php.ini index c8ef0e9..874bb71 100644 --- a/bundles/php/files/8.2/php.ini +++ b/bundles/php/files/8.2/php.ini @@ -25,7 +25,7 @@ ignore_repeated_source = Off report_memleaks = On html_errors = On error_log = syslog -syslog.ident = php7.4 +syslog.ident = php8.2 syslog.filter = ascii arg_separator.output = "&" diff --git a/bundles/php/items.py b/bundles/php/items.py index 45b149a..b115c19 100644 --- a/bundles/php/items.py +++ b/bundles/php/items.py @@ -29,7 +29,7 @@ files[f'/etc/php/{version}/fpm/php.ini'] = { 'content_type': 'mako', 'context': { 'num_cpus': node.metadata.get('vm/cpu'), - 'post_max_size': node.metadata.get('phppost_max_size', 10), + 'post_max_size': node.metadata.get('php/post_max_size', 10), 'memory_limit': node.metadata.get('php/memory_limit', 256), }, 'after': { From 0964bd16954ed0c717a89ee012bd52aadc0fc22e Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 3 Sep 2023 12:20:40 +0200 Subject: [PATCH 301/996] update travelynx to 2.1.2 --- nodes/carlene.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nodes/carlene.toml b/nodes/carlene.toml index 70d24f8..836dd03 100644 
--- a/nodes/carlene.toml +++ b/nodes/carlene.toml @@ -214,7 +214,7 @@ disks = [ ] [metadata.travelynx] -version = "2.1.1" +version = "2.1.2" mail_from = "travelynx@franzi.business" domain = "travelynx.franzi.business" # the old one from rx300, XXX remove 2024-01-01 From e087daae94f38cf9dc2f4ceb7ff41247643db7e9 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 3 Sep 2023 12:25:57 +0200 Subject: [PATCH 302/996] nextcloud: add cache-control headers to static assets --- data/nextcloud/nginx.conf | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/data/nextcloud/nginx.conf b/data/nextcloud/nginx.conf index d58819c..34267ad 100644 --- a/data/nextcloud/nginx.conf +++ b/data/nextcloud/nginx.conf @@ -11,6 +11,9 @@ location ~ \.(?:css|js|mjs|svg|gif|png|jpg|ico|wasm|tflite|map)$ { try_files $uri /index.php$request_uri; + # 182 days, 14 hours, 54 minutes, 23 seconds. I have no clue why + # this exact value, but i copied it from the example config. + add_header Cache-Control "public, max-age=15778463, $asset_immutable"; location ~ \.wasm$ { default_type application/wasm; @@ -29,3 +32,10 @@ location / { try_files $uri $uri/ /index.php$request_uri; } + + # cursed shit, use like this to have the 'map' feature outside the regular nginx config +} + +map $arg_v $asset_immutable { + "" ""; + default "immutable"; From 895f26d2f3bd0656e720d07bd2310d9c978be2ab Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 3 Sep 2023 17:24:42 +0200 Subject: [PATCH 303/996] rx300: remove radicale --- nodes/rx300.py | 8 -------- 1 file changed, 8 deletions(-) diff --git a/nodes/rx300.py b/nodes/rx300.py index 917c9c6..f11837e 100644 --- a/nodes/rx300.py +++ b/nodes/rx300.py @@ -17,7 +17,6 @@ nodes['rx300'] = { 'oidentd', 'php', 'postgresql', - 'radicale', 'redis', 'smartd', 'unbound', 
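Review bot: `add_header Cache-Control ...` inside the static-asset location replaces, rather than extends, any `add_header` directives inherited from the `server` level, because nginx only inherits them when the current level defines none; if the site_template emits its security headers with `add_header` at server scope, CSS/JS/images served from this location will lose them. The usual fix is to repeat those headers here or to move them into a snippet that this location also includes; at minimum a comment should say which headers are knowingly dropped for assets. The nested `location ~ \.wasm$` defines no `add_header` of its own, so it inherits the Cache-Control line, which is presumably intended.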
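Review bot: Closing the enclosing `server` block with a bare `}` and opening `map $arg_v $asset_immutable {` inside an extras snippet means anything the site_template renders after this include ends up inside the `map` block, where only key/value pairs are valid; whether that is currently nothing cannot be seen in this hunk. A `map` belongs to the `http` context, so the robust alternative is to have the nginx bundle render maps from metadata (or drop them into `conf.d`) instead of relying on brace balance across two files. The comment already flags this as a hack; adding `# must be the last include in the server block` next to it would at least make the ordering requirement explicit.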
@@ -92,7 +91,6 @@ nodes['rx300'] = { }, 'vhosts': { 'jenkins-ci': {'ssl': '_.franzi.business'}, - 'radicale': {'ssl': '_.franzi.business'}, 'daskritzelt-redirect': { 'domain': 'die-brontosaurier-waren-es.org', 'ssl': None, @@ -220,12 +218,6 @@ nodes['rx300'] = { 'work_mem': 8*1024, 'cache_size': 32*1024, }, - 'radicale': { - 'domain': 'radicale.franzi.business', - 'users': { - 'kunsi': bwpass.password('radicale.franzi.business/kunsi'), - }, - }, 'smartd': { 'disks': { '/dev/nvme0', From 5863105d644a595332d909e20c22044d79c3251a Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 3 Sep 2023 18:10:55 +0200 Subject: [PATCH 304/996] dns: move kunbox.net to carlene --- data/powerdns/files/bind-zones/kunbox.net | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/data/powerdns/files/bind-zones/kunbox.net b/data/powerdns/files/bind-zones/kunbox.net index a1bd83c..642f933 100644 --- a/data/powerdns/files/bind-zones/kunbox.net +++ b/data/powerdns/files/bind-zones/kunbox.net @@ -12,9 +12,9 @@ ${NAMESERVERS} $ORIGIN kunbox.net. -; ends up on rx300.kunbox.net -@ IN A 31.47.232.106 - IN AAAA 2a00:f820:528::2 +; ends up on carlene.kunbox.net +@ IN A 193.135.9.29 + IN AAAA 2a0a:51c0:0:225::2 ; Needs to have a working Mail address, otherwise Telekom goes mimimi IN MX 10 mail.franzi.business. From e2e5eaa23693f09261207691f6a17c345457fae3 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 3 Sep 2023 18:15:17 +0200 Subject: [PATCH 305/996] bundles/nextcloud: more upload limit please --- bundles/nextcloud/metadata.py | 2 ++ 1 file changed, 2 insertions(+) diff --git a/bundles/nextcloud/metadata.py b/bundles/nextcloud/metadata.py index 36ff78c..8081cbe 100644 --- a/bundles/nextcloud/metadata.py +++ b/bundles/nextcloud/metadata.py @@ -7,6 +7,7 @@ defaults = { 'php': { 'clear_env': False, 'memory_limit': 512, + 'post_max_size': 500, # MB 'packages': { 'apcu', 'bcmath', 
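Review bot: `'post_max_size': 500, # MB` raises PHP's POST limit, but uploads are also capped by `upload_max_filesize`, and the php.ini rendering visible elsewhere on this page (`items.py` passes only `post_max_size` and `memory_limit`) does not show that value being derived from the same setting; if the template leaves it at the PHP default, Nextcloud web uploads stay limited regardless of this change. A comment on this line naming the matching `'max_body_size': '500M'` in the nginx reactor would help keep the three limits in sync.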
@@ -74,6 +75,7 @@ def nginx(metadata): 'domain': metadata.get('nextcloud/domain'), 'php': True, 'extras': True, + 'max_body_size': '500M', 'index': [ 'index.php', 'index.html', From 9dacd4a14b552b42ae3a3f12710544b2c9620953 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 3 Sep 2023 18:22:51 +0200 Subject: [PATCH 306/996] move mta-sts vhost to carlene --- data/powerdns/files/bind-zones/kunbox.net | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/data/powerdns/files/bind-zones/kunbox.net b/data/powerdns/files/bind-zones/kunbox.net index 642f933..d0eb4de 100644 --- a/data/powerdns/files/bind-zones/kunbox.net +++ b/data/powerdns/files/bind-zones/kunbox.net @@ -25,7 +25,7 @@ _acme-challenge IN CNAME _acme-challenge.kunbox.net.le.kunbox.net. _acme-challenge.home IN CNAME _acme-challenge.home.kunbox.net.le.kunbox.net. ; Mail servers -mta-sts IN CNAME rx300 +mta-sts IN CNAME carlene ; legacy Nameservers ns-1 IN A 34.89.208.78 From 7e335cc3ae03d759c3fd55b1cb3d528fa9e6b7b1 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 3 Sep 2023 18:25:48 +0200 Subject: [PATCH 307/996] move some stuff from rx300 to carlene --- nodes/carlene.toml | 35 +++++++++++++++++------ nodes/rx300.py | 71 ---------------------------------------------- 2 files changed, 26 insertions(+), 80 deletions(-) diff --git a/nodes/carlene.toml b/nodes/carlene.toml index 836dd03..db31308 100644 --- a/nodes/carlene.toml +++ b/nodes/carlene.toml @@ -29,11 +29,6 @@ bundles = [ "zfs", ] -[metadata.backups] -paths = [ - "/var/www/paste.franzi.business/", -] - [metadata.check-mail-received.t-online] email = "franzi.kunsmann@t-online.de" imap_host = "secureimap.t-online.de" 
@@ -91,7 +86,7 @@ baseurl = "matrix.franzi.business" server_name = "franzi.business" trusted_key_servers = ["matrix.org", "finallycoffee.eu"] additional_client_config.'im.vector.riot.jitsi'.preferredDomain = "meet.ffmuc.net" -# wellknown_also_on_vhosts = ["franzi.business"] +wellknown_also_on_vhosts = ["franzi.business"] [metadata.mautrix-telegram] version = "v0.14.1" @@ -131,9 +126,34 @@ domain = "warnochwas.de" contact = "mailto:security@kunsmann.eu" Encryption = "https://franzi.business/gpg_hi-kunsmann.eu.asc" +[metadata.nginx.vhosts.'franzi.business'] +domain = "franzi.business" + [metadata.nginx.vhosts.'gaenseblum.eu'.webroot_config] owner = "skye" +[metadata.nginx.vhosts.mta-sts] +domain = "mta-sts.kunbox.net" +domain_aliases = [ + "mta-sts.franzi.business", + "mta-sts.kunsmann.eu", +] + +[metadata.nginx.vhosts.redirector] +domain = "kunbox.net" +domain_aliases = [ + "carlene.kunbox.net", + "kunsmann.eu", +] +[metadata.nginx.vhosts.redirector.locations.'/'] +redirect = "https://franzi.business/" +[metadata.nginx.vhosts.redirector.locations.'/.well-known/openpgpkey/'] +alias = "/var/www/franzi.business/.well-known/openpgpkey" +additional_config = [ + "add_header Access-Control-Allow-Origin *", + "default_type application/octet-stream", +] + [metadata.ntfy] domain = "ntfy.franzi.business" ratelimit-exempt-hosts = [ @@ -239,9 +259,6 @@ type = "mirror" [metadata.zfs.datasets.tank] primarycache = "metadata" -[metadata.zfs.datasets.'tank/kunsi/webdump'] -mountpoint = "/var/www/paste.franzi.business" - [metadata.vm] cpu = 24 ram = 64 diff --git a/nodes/rx300.py b/nodes/rx300.py index f11837e..96865b5 100644 --- a/nodes/rx300.py +++ b/nodes/rx300.py 
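Review bot: `alias = "/var/www/franzi.business/.well-known/openpgpkey"` lacks the trailing slash that the location key `'/.well-known/openpgpkey/'` has, and nginx's `alias` substitutes the matched prefix verbatim, so if the template emits the value unchanged a request for `/.well-known/openpgpkey/hu/x` maps to `.../openpgpkeyhu/x`. The removed rx300 definition paired a slash-less location with a slash-terminated alias, which yielded a double slash instead; the consistent form is `alias = "/var/www/franzi.business/.well-known/openpgpkey/"`. Serving `kunbox.net` and `kunsmann.eu` WKD lookups from the `franzi.business` webroot is a change from the old per-domain directory and deserves a one-line comment so nobody later "fixes" it back.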
@@ -101,36 +101,6 @@ nodes['rx300'] = { }, }, }, - 'franzi.business': { - 'webroot': '/var/www/franzi.business/_site/', - 'ssl': '_.franzi.business', - 'extras': True, - "locations": { - "/.well-known/matrix/client": { - "additional_config": [ - "add_header Access-Control-Allow-Origin *", - "default_type application/json" - ], - "content": "{\"im.vector.riot.jitsi\": {\"preferredDomain\": \"meet.ffmuc.net\"}, \"m.homeserver\": {\"base_url\": \"https://matrix.franzi.business\"}, \"m.identity_server\": {\"base_url\": \"https://matrix.org\"}}", - "return": 200 - }, - "/.well-known/matrix/server": { - "additional_config": [ - "add_header Access-Control-Allow-Origin *", - "default_type application/json" - ], - "content": "{\"m.server\": \"matrix.franzi.business:443\"}", - "return": 200 - } - }, - }, - 'git.kunsmann.eu': { - 'locations': { - '/': { - 'redirect': 'https://git.franzi.business$request_uri', - }, - }, - }, 'jugendhackt_tools': { 'domain': 'jh.franzi.business', 'ssl': '_.franzi.business', @@ -143,47 +113,6 @@ nodes['rx300'] = { }, }, }, - 'kunbox.net': {}, - 'kunsmann.eu': { - 'locations': { - '/': { - 'redirect': 'https://franzi.business$request_uri', - }, - '/.well-known/openpgpkey': { - 'alias': '/var/www/kunsmann.eu/.well-known/openpgpkey/', - 'additional_config': { - 'default_type application/octet-stream', - 'add_header Access-Control-Allow-Origin *', - }, - }, - }, - }, - 'mta-sts': { - 'domain': 'mta-sts.kunbox.net', - 'domain_aliases': { - 'mta-sts.franzi.business', - 'mta-sts.kunsmann.eu', - 'mta-sts.trans-agenda.eu', - }, - }, - 'paste.franzi.business': { - 'ssl': '_.franzi.business', - 'extras': True, - 'webroot_config': { - 'owner': 'kunsi', - }, - }, - 'wiki.franzi.business': { - 'ssl': '_.franzi.business', - 'extras': True, - 'php': True, - 'webroot_config': { - 'owner': 'www-data', - 'group': 'www-data', - }, - 'website_check_path': '/start?do=login', - 'website_check_string': 'Username', - }, }, 'worker_processes': 8, }, 
From 7b8740601f2777c7ead2b71b6d219edf9e3ac509 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Thu, 7 Sep 2023 07:23:19 +0200 Subject: [PATCH 308/996] carlene: update netbox to 3.6.1 --- nodes/carlene.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nodes/carlene.toml b/nodes/carlene.toml index db31308..d747025 100644 --- a/nodes/carlene.toml +++ b/nodes/carlene.toml @@ -116,7 +116,7 @@ domain = "rss.franzi.business" [metadata.netbox] domain = "netbox.franzi.business" -version = "v3.6.0" +version = "v3.6.1" admins.kunsi = "hostmaster@kunbox.net" [metadata.nextcloud] From 7df6b1d13a34af98db0565abd87e6917b4416d4b Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sat, 9 Sep 2023 13:54:27 +0200 Subject: [PATCH 309/996] bundles/wireguard: name wg interfaces according to their peers --- bundles/bird/metadata.py | 3 ++- bundles/wireguard/files/wg.netdev | 2 +- bundles/wireguard/items.py | 6 +++--- bundles/wireguard/metadata.py | 29 ++++++++++++++--------------- 4 files changed, 20 insertions(+), 20 deletions(-) diff --git a/bundles/bird/metadata.py b/bundles/bird/metadata.py index a5547d4..38794ba 100644 --- a/bundles/bird/metadata.py +++ b/bundles/bird/metadata.py @@ -62,7 +62,8 @@ def neighbor_info_from_wireguard(metadata): ) def my_ip(metadata): if node.has_bundle('wireguard'): - my_ip = sorted(metadata.get('interfaces/wg0/ips'))[0].split('/')[0] + wg_iface = sorted({iface for iface in metadata.get('interfaces').keys() if iface.startswith('wg_')})[0] + my_ip = sorted(metadata.get(f'interfaces/{wg_iface}/ips'))[0].split('/')[0] else: my_ip = str(sorted(repo.libs.tools.resolve_identifier(repo, node.name))[0]) diff --git a/bundles/wireguard/files/wg.netdev b/bundles/wireguard/files/wg.netdev index de9af7f..493db88 100644 --- a/bundles/wireguard/files/wg.netdev +++ b/bundles/wireguard/files/wg.netdev @@ -1,5 +1,5 @@ [NetDev] -Name=wg${number} +Name=wg_${iface} Kind=wireguard Description=WireGuard connection to ${peer} 
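Review bot: `sorted({... if iface.startswith('wg_')})[0]` raises `IndexError` when a node has the wireguard bundle but no peers, whereas the previous `metadata.get('interfaces/wg0/ips')` failed with a metadata lookup error that at least named the key; collect the names first and guard with `if not wg_ifaces: raise DoNotRunAgain` or an explicit error message. The selected interface is now the lexically smallest `wg_` name rather than `wg0`, which matches the old enumerate-over-sorted-peers order in the common case but is worth a one-line comment, since it decides what `my_ip` returns. `my_ip`'s body continues outside the hunk.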
diff --git a/bundles/wireguard/items.py b/bundles/wireguard/items.py index 37d018b..e9f1d71 100644 --- a/bundles/wireguard/items.py +++ b/bundles/wireguard/items.py @@ -14,15 +14,15 @@ if node.has_bundle('apt'): deps.add('pkg_apt:wireguard') health_checks = {} -for number, (peer, config) in enumerate(sorted(node.metadata.get('wireguard/peers', {}).items())): - files[f'/etc/systemd/network/wg{number}.netdev'] = { +for peer, config in sorted(node.metadata.get('wireguard/peers', {}).items()): + files[f'/etc/systemd/network/wg_{config["iface"]}.netdev'] = { 'content_type': 'mako', 'source': 'wg.netdev', 'owner': 'systemd-network', 'mode': '0600', 'context': { 'endpoint': config.get('endpoint'), - 'number': number, + 'iface': config['iface'], 'peer': peer, 'port': config['my_port'], 'privatekey': node.metadata.get('wireguard/privatekey'), diff --git a/bundles/wireguard/metadata.py b/bundles/wireguard/metadata.py index b19ca8c..e409e86 100644 --- a/bundles/wireguard/metadata.py +++ b/bundles/wireguard/metadata.py @@ -1,4 +1,5 @@ from ipaddress import ip_network +from re import sub from bundlewrap.exceptions import NoSuchNode from bundlewrap.metadata import atomic 
@@ -39,20 +40,18 @@ if node.has_bundle('telegraf'): @metadata_reactor.provides( 'wireguard/peers', ) -def peer_psks(metadata): +def peer_psks_and_iface_names(metadata): peers = {} for peer_name in metadata.get('wireguard/peers', {}): - peers[peer_name] = {} + peers[peer_name] = { + 'iface': sub('[^a-z0-9-_]+', '_', peer_name)[:20], + } if node.name < peer_name: - peers[peer_name] = { - 'psk': repo.vault.random_bytes_as_base64_for(f'{node.name} wireguard {peer_name}'), - } + peers[peer_name]['psk'] = repo.vault.random_bytes_as_base64_for(f'{node.name} wireguard {peer_name}') else: - peers[peer_name] = { - 'psk': repo.vault.random_bytes_as_base64_for(f'{peer_name} wireguard {node.name}'), - } + peers[peer_name]['psk'] = repo.vault.random_bytes_as_base64_for(f'{peer_name} wireguard {node.name}') return { 'wireguard': { @@ -156,12 +155,12 @@ def peer_endpoints(metadata): def icinga2(metadata): services = {} - for number, (peer, config) in enumerate(sorted(metadata.get('wireguard/peers', {}).items())): + for peer, config in sorted(metadata.get('wireguard/peers', {}).items()): if config.get('exclude_from_monitoring', False): continue services[f'WIREGUARD CONNECTION {peer}'] = { - 'command_on_monitored_host': config['pubkey'].format_into(f'sudo /usr/local/share/icinga/plugins/check_wireguard_connected wg{number} {{}}'), + 'command_on_monitored_host': config['pubkey'].format_into(f'sudo /usr/local/share/icinga/plugins/check_wireguard_connected wg_{config["iface"]} {{}}'), } return { @@ -198,12 +197,12 @@ def firewall(metadata): ) def interface_ips(metadata): interfaces = {} - for number, (peer, config) in enumerate(sorted(metadata.get('wireguard/peers', {}).items())): + for peer, config in sorted(metadata.get('wireguard/peers', {}).items()): if '/' in config['my_ip']: my_ip = config['my_ip'] else: my_ip = '{}/31'.format(config['my_ip']) - interfaces[f'wg{number}'] = { + interfaces[f'wg_{config["iface"]}'] = { 'ips': { my_ip, }, 
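Review bot: `sub('[^a-z0-9-_]+', '_', peer_name)[:20]` allows a 20-character suffix, but every consumer prefixes it with `wg_` (the `.netdev` `Name=`, `interface_ips` and the icinga2 check in this file, the nftables rules in the next hunk, and items.py), and Linux limits interface names to 15 characters (IFNAMSIZ 16 including the terminator); a peer such as `htz-cloud.wireguard` from the WG_AUTOGEN_NODES list later on this page becomes `wg_htz-cloud_wireguard` (22 chars) and the netdev cannot be created. Truncate to what fits after the prefix, `'iface': sub('[^a-z0-9-_]+', '_', peer_name)[:12],`, and add a comment stating the 15-character kernel limit so the number is not retuned later. Truncation can also make two long peer names collide on one iface string; checking uniqueness over the resulting `peers` dict and raising on a duplicate turns that into a config-time error instead of a silently overwritten netdev file.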
@@ -221,9 +220,9 @@ def snat(metadata): raise DoNotRunAgain rules = set() - for number, (peer, config) in enumerate(sorted(metadata.get('wireguard/peers', {}).items())): - rules.add(f'inet filter forward iifname wg{number} accept') - rules.add(f'inet filter forward oifname wg{number} accept') + for peer, config in sorted(metadata.get('wireguard/peers', {}).items()): + rules.add(f'inet filter forward iifname wg_{config["iface"]} accept') + rules.add(f'inet filter forward oifname wg_{config["iface"]} accept') if 'snat_to' in config: rules.add('nat postrouting ip saddr {} ip daddr != {} snat to {}'.format( From d1bb94fd749b59d63921dd9acd92633d4d684b4e Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sat, 9 Sep 2023 13:55:16 +0200 Subject: [PATCH 310/996] bundles/icinga2: more auto-generation of stuff --- bundles/icinga2/items.py | 24 ------------------- bundles/icinga2/metadata.py | 46 ++++++++++++++++++++++++++++--------- 2 files changed, 35 insertions(+), 35 deletions(-) diff --git a/bundles/icinga2/items.py b/bundles/icinga2/items.py index 0732d59..a8d6e3a 100644 --- a/bundles/icinga2/items.py +++ b/bundles/icinga2/items.py @@ -275,23 +275,6 @@ files = { 'mode': '0660', 'group': 'icingaweb2', }, - - # Statusmonitor - '/etc/icinga2/icinga_statusmonitor.py': { - 'triggers': { - 'svc_systemd:icinga_statusmonitor:restart', - }, - }, - '/etc/systemd/system/icinga_statusmonitor.service': { - 'triggers': { - 'action:systemd-reload', - 'svc_systemd:icinga_statusmonitor:restart', - }, - }, -} - -pkg_pip = { - 'easysnmp': {}, # for check_usv_snmp } actions = { @@ -337,13 +320,6 @@ svc_systemd = { 'icinga2': { 'needs': icinga_run_deps, }, - 'icinga_statusmonitor': { - 'needs': { - 'file:/etc/icinga2/icinga_statusmonitor.py', - 'file:/etc/systemd/system/icinga_statusmonitor.service', - 'pkg_apt:python3-flask', - }, - }, } diff --git a/bundles/icinga2/metadata.py b/bundles/icinga2/metadata.py index fcbfd13..1131129 100644 --- a/bundles/icinga2/metadata.py 
+++ b/bundles/icinga2/metadata.py @@ -17,12 +17,8 @@ defaults = { 'icinga2': {}, 'icinga2-ido-pgsql': {}, 'icingaweb2': {}, - - # apparently no longer needed - #'icingaweb2-module-monitoring': {}, - - # neeeded for statusmonitor - 'python3-flask': {}, + 'icingaweb2-module-monitoring': {}, + 'python3-easysnmp': {}, } }, 'icinga2': { @@ -59,6 +55,21 @@ defaults = { 'icingaweb2': { 'setup-token': repo.vault.password_for(f'{node.name} icingaweb2 setup-token'), }, + 'php': { + 'version': '8.2', + 'packages': { + 'curl', + 'gd', + 'intl', + 'imagick', + 'ldap', + 'mysql', + 'opcache', + 'pgsql', + 'readline', + 'xml', + }, + }, 'postgresql': { 'roles': { 'icinga2': { @@ -105,13 +116,26 @@ def add_users_from_json(metadata): @metadata_reactor.provides( - 'firewall/port_rules/5665', + 'nginx/vhosts/icingaweb2', + 'nginx/vhosts/icinga_statusmonitor', ) -def firewall(metadata): +def nginx(metadata): + if not node.has_bundle('nginx'): + raise DoNotRunAgain + return { - 'firewall': { - 'port_rules': { - '5665': atomic(metadata.get('icinga2/restrict-to', set())), + 'nginx': { + 'vhosts': { + 'icingaweb2': { + 'domain': metadata.get('icinga2/web_domain'), + 'webroot': '/usr/share/icingaweb2/public', + 'locations': { + '/api/': { + 'target': 'https://127.0.0.1:5665/', + }, + }, + 'extras': True, + }, }, }, } From deb0c7b5970e9425b1959c35cacf1640a6a565bd Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sat, 9 Sep 2023 13:55:58 +0200 Subject: [PATCH 311/996] bundles/unbound: ensure /usr/share/dns exists --- bundles/unbound/items.py | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/bundles/unbound/items.py b/bundles/unbound/items.py index 519b811..89bce8a 100644 --- a/bundles/unbound/items.py +++ b/bundles/unbound/items.py 
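Review bot: The new `@metadata_reactor.provides(...)` lists `'nginx/vhosts/icinga_statusmonitor'` but the returned dict only contains `nginx/vhosts/icingaweb2`, and the statusmonitor files and service are deleted in this commit's items.py hunk, so that provides entry is stale and should be dropped. Replacing the `firewall` reactor also removes the `firewall/port_rules/5665` rule that opened the Icinga API according to `icinga2/restrict-to`; with the vhost proxying `/api/` to `https://127.0.0.1:5665/` that looks intentional, but a comment such as `# API is reached through the nginx /api/ proxy only; 5665 is not opened` would stop someone re-adding the rule by habit. Any client that still expects direct access to 5665 (the `icinga2beamer` API user added later in this series, for example) now depends on the proxy path instead.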
@@ -41,6 +41,13 @@ svc_systemd = { }, } +directories['/usr/share/dns'] = { + 'before': { + 'pkg_apt:unbound', + 'pkg_apt:unbound-anchor', + }, +} + if node.has_bundle('systemd-networkd'): svc_systemd['unbound']['needed_by'] = { 'file:/etc/resolv.conf', From 8f500b121c2371e1b02a680052f9db4f80238392 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sat, 9 Sep 2023 13:56:17 +0200 Subject: [PATCH 312/996] voc.infobeamer-cms: add hexchen --- nodes/voc/infobeamer-cms.py | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/nodes/voc/infobeamer-cms.py b/nodes/voc/infobeamer-cms.py index 500f03f..2804d2c 100644 --- a/nodes/voc/infobeamer-cms.py +++ b/nodes/voc/infobeamer-cms.py @@ -71,5 +71,15 @@ nodes['voc.infobeamer-cms'] = { }, }, }, + 'users': { + 'hexchen': { + 'ssh_pubkey': { + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINJ0tCxsEilAzV6LaNpUpcjzyEn4ptw8kFz3R+Z3YjEF", + "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDI3T1eFS77URHZ/HVWkMOqx7W1U54zJtn9C7QWsHOtyH72i/4EVj8SxYqLllElh1kuKUXSUipPeEzVsipFVvfH0wEuTDgFffiSQ3a8lfUgdEBuoySwceEoPgc5deapkOmiDIDeeWlrRe3nqspLRrSWU1DirMxoFPbwqJXRvpl6qJPxRg+2IolDcXlZ6yxB4Vv48vzRfVzZNUz7Pjmy2ebU8PbDoFWL/S3m7yOzQpv3L7KYBz7+rkjuF3AU2vy6CAfIySkVpspZZLtkTGCIJF228ev0e8NvhuN6ZnjzXxVTQOy32HCdPdbBbicu0uHfZ5O7JX9DjGd8kk1r2dnZwwy/", + "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC4CLJ+mFfq5XiBXROKewmN9WYmj+79bj/AoaR6Iud2pirulot3tkrrLe2cMjiNWFX8CGVqrsAELKUA8EyUTJfStlcTE0/QNESTRmdDaC+lZL41pWUO9KOiD6/0axAhHXrSJ0ScvbqtD0CtpnCKKxtuOflVPoUGZsH9cLKJNRKfEka0H0GgeKb5Tp618R/WNAQOwaCcXzg/nG4Bgv3gJW4Nm9IKy/MwRZqtILi8Mtd+2diTqpMwyNRmbenmRHCQ1vRw46joYkledVqrmSlfSMFgIHI1zRSBXb/JkG2IvIyB5TGbTkC4N2fqJNpH8wnCKuOvs46xmgdiRA26P48C2em3", + }, + 'sudo_commands': {'ALL'}, + }, + }, }, } From e029329a037b803a02e8b9500de0df125c64d697 Mon Sep 17 00:00:00 2001 
From: Franziska Kunsmann Date: Sat, 9 Sep 2023 14:10:27 +0200 Subject: [PATCH 313/996] bundles/icinga2: handle dig status messages in check_spam_blocklist --- bundles/icinga2/files/check_spam_blocklist | 18 ++++++++++++------ 1 file changed, 12 insertions(+), 6 deletions(-) diff --git a/bundles/icinga2/files/check_spam_blocklist b/bundles/icinga2/files/check_spam_blocklist index aa80164..d6a2d31 100644 --- a/bundles/icinga2/files/check_spam_blocklist +++ b/bundles/icinga2/files/check_spam_blocklist @@ -50,12 +50,18 @@ def check_list(ip_list, blocklist, warn_ips): dns_name ]).decode().splitlines() for item in result: - msgs.append('{} listed in {} as {}'.format( - ip, - blocklist, - item, - )) - if item in warn_ips and returncode < 2: + if line.startswith(';;'): + msgs.append('{} - {}'.format( + blocklist, + item, + )) + else: + msgs.append('{} listed in {} as {}'.format( + ip, + blocklist, + item, + )) + if (item in warn_ips or line.startswith(';;')) and returncode < 2: returncode = 1 else: returncode = 2 From 5db38562181581100a6c0be738764ec92d16f122 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sat, 9 Sep 2023 14:10:58 +0200 Subject: [PATCH 314/996] bundles/icinga2: remove obsolete check --- bundles/icinga2/metadata.py | 3 --- 1 file changed, 3 deletions(-) diff --git a/bundles/icinga2/metadata.py b/bundles/icinga2/metadata.py index 1131129..f52f079 100644 --- a/bundles/icinga2/metadata.py +++ b/bundles/icinga2/metadata.py @@ -39,9 +39,6 @@ defaults = { 'check_interval': '30m', 'vars.notification.mail': True, }, - 'ICINGA STATUSMONITOR': { - 'command_on_monitored_host': '/usr/local/share/icinga/plugins/check_systemd_unit icinga_statusmonitor', - }, 'IDO-PGSQL': { 'check_command': 'ido', 'vars.ido_type': 'IdoPgsqlConnection', From 99e261fe24dd58ffaf72455b37ac0373c8e9608d Mon Sep 17 00:00:00 2001 
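Review bot: `line.startswith(';;')` references a name that does not exist in this loop — the iteration variable is `item` — so the first dig status line raises `NameError` instead of producing a warning; both `if line.startswith(';;'):` and the combined `(item in warn_ips or line.startswith(';;'))` condition need `item`. Patch 317 further down this page renames at least the first occurrence, so the series ends up consistent, but this intermediate commit is broken for any run that sees a `;;` line. A comment such as `# dig reports its own problems (timeouts, SERVFAIL) as ';;' lines; treat them as WARNING rather than as a listing` would also explain why status lines are downgraded instead of ignored. `check_list`'s body starts and ends outside the hunk.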
From: Franziska Kunsmann Date: Sat, 9 Sep 2023 14:11:39 +0200 Subject: [PATCH 315/996] libs/s2s: switch to static list of wireguard peers --- libs/s2s.py | 25 ++++++++++++++++++------- 1 file changed, 18 insertions(+), 7 deletions(-) diff --git a/libs/s2s.py b/libs/s2s.py index 1d57128..bc8576d 100644 --- a/libs/s2s.py +++ b/libs/s2s.py @@ -4,18 +4,29 @@ AS_NUMBERS = { # 4290xxxxxx 'home': 4290000138, 'htz-cloud': 4290000137, + 'ionos': 4290000002, 'ovh': 4290000001, } +WG_AUTOGEN_NODES = [ + # only ever append to this list. If a node vanishes, set its name to + # `None`. You may remove nodes from the end of this, though it's not + # recommended to do so. + + None, # fkusei-locutus never used this + 'home.router', + 'htz-cloud.wireguard', + 'icinga2', + 'ovh.icinga2', + 'ovh.wireguard', +] + def get_subnet_for_connection(repo, peer_a, peer_b): - # XXX this assumes there are never more than 128 nodes which match that expression - nodes = sorted({node.name for node in repo.nodes if node.has_bundle('wireguard')}) + assert peer_a in WG_AUTOGEN_NODES + assert peer_b in WG_AUTOGEN_NODES - assert peer_a in nodes - assert peer_b in nodes - - pos_peer_a = nodes.index(peer_a) - pos_peer_b = nodes.index(peer_b) + pos_peer_a = WG_AUTOGEN_NODES.index(peer_a) + pos_peer_b = WG_AUTOGEN_NODES.index(peer_b) vpn_subnet = list(IPv4Network('169.254.0.0/16').subnets(new_prefix=24))[pos_peer_a] return list(IPv4Network(vpn_subnet).subnets(new_prefix=31))[pos_peer_b] From e6e9e425fcded1e13d71ea531b603c1d9b9809a5 Mon Sep 17 00:00:00 2001 
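Review bot: `assert peer_a in WG_AUTOGEN_NODES` is the only validation and `assert` is stripped under `python -O`, after which an unknown peer reaches `list.index` and fails with a bare `ValueError`; `if peer_a not in WG_AUTOGEN_NODES or peer_b not in WG_AUTOGEN_NODES: raise ValueError(f'{peer_a}/{peer_b} not in WG_AUTOGEN_NODES')` keeps the check in every mode. The removed `XXX` comment about the 128-node limit still applies in a different form: `pos_peer_b` indexes the 128 `/31` subnets of one `/24`, so the list can never exceed 128 entries including `None` placeholders, which the new list comment should state next to the append-only rule. Because `None` is a list member, `None in WG_AUTOGEN_NODES` is true and a caller passing `None` would silently get the placeholder slot; the membership check should reject `None` explicitly.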
From: Franziska Kunsmann Date: Sat, 9 Sep 2023 14:12:24 +0200 Subject: [PATCH 316/996] move icinga2 to new host --- bundles/basic/items.py | 2 +- data/icinga2/icingaweb2_nginx.conf | 15 +++ data/nginx/files/extras/icinga2/icingaweb2 | 1 + groups/os.py | 2 + nodes/home/router.py | 1 + nodes/icinga2.toml | 101 +++++++++++++++++++++ nodes/ovh/icinga2.py | 2 + 7 files changed, 123 insertions(+), 1 deletion(-) create mode 100644 data/icinga2/icingaweb2_nginx.conf create mode 120000 data/nginx/files/extras/icinga2/icingaweb2 create mode 100644 nodes/icinga2.toml diff --git a/bundles/basic/items.py b/bundles/basic/items.py index d25d4c7..74a0518 100644 --- a/bundles/basic/items.py +++ b/bundles/basic/items.py @@ -51,7 +51,7 @@ actions = { description = [] if not node.metadata.get('icinga_options/exclude_from_monitoring', False): - description.append('icingaweb2: https://icinga.kunsmann.eu/monitoring/host/show?host={}'.format(node.name)) + description.append('icingaweb2: https://icinga.franzi.business/monitoring/host/show?host={}'.format(node.name)) if node.has_bundle('telegraf'): description.append('Grafana: https://grafana.kunsmann.eu/d/{}'.format(UUID(int=node.magic_number).hex[:10])) diff --git a/data/icinga2/icingaweb2_nginx.conf b/data/icinga2/icingaweb2_nginx.conf new file mode 100644 index 0000000..bd9415e --- /dev/null +++ b/data/icinga2/icingaweb2_nginx.conf @@ -0,0 +1,15 @@ + location ~ \.php$ { + include fastcgi.conf; + fastcgi_split_path_info ^(.+\.php)(/.+)$; + fastcgi_pass unix:/run/php/php8.2-fpm.sock; + fastcgi_param SCRIPT_FILENAME /usr/share/icingaweb2/public/index.php; + fastcgi_param ICINGAWEB_CONFIGDIR /etc/icingaweb2; + } + + location = / { + return 301 https://$host/authentication/login; + } + + location / { + try_files $1 $uri $uri/ /index.php$is_args$args; + } diff --git a/data/nginx/files/extras/icinga2/icingaweb2 b/data/nginx/files/extras/icinga2/icingaweb2 new file mode 120000 index 0000000..b6a8498 --- /dev/null 
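Review bot: `try_files $1 $uri $uri/ /index.php$is_args$args;` uses `$1`, which only carries a value after a regex match; inside the prefix `location /` there is no capture, so the first candidate is empty and the token is a leftover from the upstream sample where the location was a regex. Drop it: `try_files $uri $uri/ /index.php$is_args$args;`. The PHP location sets `fastcgi_split_path_info` but never passes `fastcgi_param PATH_INFO $fastcgi_path_info;` itself; if the included `fastcgi.conf` does not, Icinga Web's front-controller routing gets an empty PATH_INFO, so this is worth verifying, and a comment saying SCRIPT_FILENAME is pinned to `index.php` on purpose would explain why the split exists at all.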
+++ b/data/nginx/files/extras/icinga2/icingaweb2 @@ -0,0 +1 @@ +../../../../icinga2/icingaweb2_nginx.conf \ No newline at end of file diff --git a/groups/os.py b/groups/os.py index 754d427..4542cc8 100644 --- a/groups/os.py +++ b/groups/os.py @@ -40,9 +40,11 @@ groups['linux'] = { 'port_rules': { '*': { 'ovh.icinga2', + 'icinga2', }, '*/udp': { 'ovh.icinga2', + 'icinga2', }, }, }, diff --git a/nodes/home/router.py b/nodes/home/router.py index 29eb8c6..da68207 100644 --- a/nodes/home/router.py +++ b/nodes/home/router.py @@ -181,6 +181,7 @@ nodes['home.router'] = { 'health_check': True, 'snat_to': '172.19.138.1', }, + 'icinga2': {}, }, }, }, diff --git a/nodes/icinga2.toml b/nodes/icinga2.toml new file mode 100644 index 0000000..ed9a84c --- /dev/null +++ b/nodes/icinga2.toml 
@@ -0,0 +1,101 @@ +hostname = "217.160.71.39" +bundles = [ + "bird", + "icinga2", + "php", + "postgresql", +# 'simple-icinga-dashboard', + "unbound", + "wireguard", +] +groups = [ + 'debian-bookworm', + 'webserver', +] + +[metadata] +location = "ionos" + +[metadata.interfaces.ens192] +ips = [ + "217.160.71.39/32", + "2001:8d8:1800:d5::1/128" +] +gateway4 = "10.255.255.1" +gateway6 = "fe80::1" + +[metadata.interfaces.wg_home_router] +ips = ["172.19.136.4"] + +[metadata.bird] +static_routes = ["172.19.136.4/32"] + +[metadata.icinga2] +web_domain = "icinga.franzi.business" +ntfy.pass = "!decrypt:encrypt$gAAAAABkMtfD8lenogwJc8uKeGZUQ8QVWHMpAqY_GLW3VhF3Jt0TOC4JiJn49qfaC9Ij5rw6GGsowNIsNBe1Ac83HXOLveANEU2o-O4fp5TxNF0xFWebCCtcaTkj_L2DjUbSUe8QVDn3" +ntfy.url = "https://ntfy.franzi.business/icinga2" +ntfy.user = "!decrypt:encrypt$gAAAAABkMtfW_tyGDUh7TkVX6AN8wSkKixWcQiOrPUWHtDZqnzjqrAkfD40fD8M_PiPDvW5pAa6xHNcUSU34jHolxnC44rDiLw==" +sipgate.pass = "!bwpass_attr:sipgate.de/hi@kunsmann.eu:icinga_token" +sipgate.user = "!bwpass_attr:sipgate.de/hi@kunsmann.eu:icinga_tokenid" + +[metadata.icinga2.api_users.icinga2beamer] +# Used with +password = "!decrypt:encrypt$gAAAAABf3wM9YS5ZpRdhp3xyIFX21_MK0omzqHqykWbWdkZWp2xyJ6awaUSXODnZQ5j-rws6n0yrpaeMdXoj1irb2FrgxMDTdfCh88hIsqcKGOObzwGaRg6Ze0tuiMrzIfOO3tRnc9Kd" +permissions = [ + "objects/query/Host", + "objects/query/Service", +] + +# 'icinga2_api': { +# 'custom': { +# # redundant monitoring of services/hosts +# 'services': { +# 'flauschekatze.space CERTIFICATE': { +# 'check_command': 'check_https_cert_at_url', +# 'vars.domain': 'flauschekatze.space', +# }, +# 'matrix.flauschekatze.space CERTIFICATE': { +# 'check_command': 'check_https_cert_at_url', +# 'vars.domain': 'matrix.flauschekatze.space', +# }, +# }, +# }, +# }, +# 'nginx': { +# 'vhosts': { +# 'statuspage': { +# 'domain': 'status.franzi.business', +# 'ssl': '_.franzi.business', +# 'webroot': '/opt/simple-icinga-dashboard/out', +# }, +# }, +# }, + +[metadata.postgresql] +version = 
15 + +# 'simple-icinga-dashboard': { +# 'icinga2_api': { +# 'baseurl': 'https://127.0.0.1:5665', +# 'username': 'dashboard', +# 'password': vault.password_for('ovh.icinga2 icinga2 api_user dashboard'), +# }, +# 'filters': { +# 'services': '"statuspage" in service.groups', +# }, +# 'output': { +# 'page_title': 'franzi.business Service Status', +# }, +# 'prettify': { +# 'CONTENT': '', +# 'NGINX': 'WEBSERVER', +# 'PROCESS': 'SERVICE', +# }, +# }, + +[metadata.wireguard.peers.'home.router'] +snat_to = "172.19.136.4" + +[metadata.vm] +cpu = 2 +ram = 2 diff --git a/nodes/ovh/icinga2.py b/nodes/ovh/icinga2.py index ea24874..8b9b975 100644 --- a/nodes/ovh/icinga2.py +++ b/nodes/ovh/icinga2.py @@ -1,4 +1,5 @@ nodes['ovh.icinga2'] = { + 'dummy': True, # gekündigt 'bundles': { 'bird', 'icinga2', @@ -35,6 +36,7 @@ nodes['ovh.icinga2'] = { }, }, 'icinga2': { + 'web_domain': 'icinga.kunsmann.eu', 'api_users': { 'dashboard': { 'password': vault.password_for('ovh.icinga2 icinga2 api_user dashboard'), From bf6ed289e1e229a64f176b0575e2e4a198c40bf4 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sat, 9 Sep 2023 14:24:34 +0200 Subject: [PATCH 317/996] bundles/icinga2: fix stupid in check_spam_blocklist --- bundles/icinga2/files/check_spam_blocklist | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/bundles/icinga2/files/check_spam_blocklist b/bundles/icinga2/files/check_spam_blocklist index d6a2d31..2986d66 100644 --- a/bundles/icinga2/files/check_spam_blocklist +++ b/bundles/icinga2/files/check_spam_blocklist @@ -50,7 +50,7 @@ def check_list(ip_list, blocklist, warn_ips): dns_name ]).decode().splitlines() for item in result: - if line.startswith(';;'): + if item.startswith(';;'): msgs.append('{} - {}'.format( blocklist, item, 
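Review bot: The comment `# Used with` above the `icinga2beamer` API user in nodes/icinga2.toml is cut off, so a reader cannot tell which consumer holds that credential; complete it along the lines of `# Used with <consumer, fill in>: query-only access, see permissions below`. The large commented-out `icinga2_api`, `nginx` and `simple-icinga-dashboard` blocks are Python-dict syntax carried over from the old node file and cannot be uncommented in a TOML file as they are; either port them to TOML under a note that they are disabled, or drop them, given that the `simple-icinga-dashboard` bundle is commented out in the same file.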
@@ -61,7 +61,7 @@ def check_list(ip_list, blocklist, warn_ips): blocklist, item, )) - if (item in warn_ips or line.startswith(';;')) and returncode < 2: + if (item in warn_ips or item.startswith(';;')) and returncode < 2: returncode = 1 else: returncode = 2 From 4a0aa81e8d3bbe8bb2731f0368fddb546ae0bdba Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sat, 9 Sep 2023 15:28:07 +0200 Subject: [PATCH 318/996] carlene: add new icinga2 host to ntfy exemptions --- nodes/carlene.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nodes/carlene.toml b/nodes/carlene.toml index d747025..0c907c0 100644 --- a/nodes/carlene.toml +++ b/nodes/carlene.toml @@ -158,7 +158,7 @@ additional_config = [ domain = "ntfy.franzi.business" ratelimit-exempt-hosts = [ "carlene", - "ovh.icinga2", + "icinga2", "rx300", ] From 653992364475208ae27f566e30a69c2ddfde57a5 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sat, 9 Sep 2023 15:28:29 +0200 Subject: [PATCH 319/996] update travelynx to 2.2.0 --- nodes/carlene.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nodes/carlene.toml b/nodes/carlene.toml index 0c907c0..76ac12e 100644 --- a/nodes/carlene.toml +++ b/nodes/carlene.toml @@ -234,7 +234,7 @@ disks = [ ] [metadata.travelynx] -version = "2.1.2" +version = "2.2.0" mail_from = "travelynx@franzi.business" domain = "travelynx.franzi.business" # the old one from rx300, XXX remove 2024-01-01 From 2b5181211888d044966cbf71f2c1598ecbe69855 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sat, 9 Sep 2023 15:37:37 +0200 Subject: [PATCH 320/996] libs.tools.resolve_identifier(): add option to filter out linklocal ips and only physical interfaces --- bundles/nftables/metadata.py | 2 +- bundles/powerdns/metadata.py | 30 +++++------------------------- libs/tools.py | 14 +++++++++++++- 3 files changed, 19 insertions(+), 27 deletions(-) diff --git a/bundles/nftables/metadata.py b/bundles/nftables/metadata.py index 08396ce..acfb166 100644 
--- a/bundles/nftables/metadata.py +++ b/bundles/nftables/metadata.py @@ -78,7 +78,7 @@ def port_rules_to_nftables(metadata): if target in ('*', 'ipv4', 'ipv6'): ruleset.add(f'inet filter input {version_str} {port_str} accept {comment}') else: - resolved = repo.libs.tools.resolve_identifier(repo, target) + resolved = repo.libs.tools.resolve_identifier(repo, target, linklocal=True) for address in resolved['ipv4']: ruleset.add(f'inet filter input meta nfproto ipv4 {port_str} ip saddr {address} accept {comment}') diff --git a/bundles/powerdns/metadata.py b/bundles/powerdns/metadata.py index 90c06d4..db43cee 100644 --- a/bundles/powerdns/metadata.py +++ b/bundles/powerdns/metadata.py @@ -134,7 +134,7 @@ def generate_dns_entries_for_nodes(metadata): ip4 = None ip6 = None - found_ips = repo.libs.tools.resolve_identifier(repo, rnode.name) + found_ips = repo.libs.tools.resolve_identifier(repo, rnode.name, only_physical=True) for ip in sorted(found_ips['ipv4']): if not ip4 and not ip.is_private: ip4 = ip 
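Review bot: `resolve_identifier(repo, target, linklocal=True)` in bundles/nftables/metadata.py keeps link-local addresses in the generated `ip saddr` / `ip6 saddr` accept rules, and since those rules carry no `iif`, a link-local source is accepted on every interface even though such an address only identifies a host on its own link. If no node declares link-local addresses under `interfaces/*/ips` this is moot and the explicit `linklocal=True` could simply be dropped; otherwise those entries should be scoped to an interface. A comment on the call, `# link-local entries are kept on purpose: <reason>`, would record the decision either way. port_rules_to_nftables starts outside the hunk.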
@@ -144,30 +144,10 @@ def generate_dns_entries_for_nodes(metadata): ip6 = ip if not ip4 and found_ips['ipv4']: - # This node apparently does not have a public IPv4 address. - # We now manually iterate over that nodes interfaces to get - # a IPv4 address which is tied to a physical interface. - # Note we can't use resolve_identifier() here, because we - # only want physical interfaces. - for interface, config in rnode.metadata.get('interfaces', {}).items(): - if not ( - interface.startswith('bond') or - interface.startswith('br') or - interface.startswith('eno') or - interface.startswith('enp') or - interface.startswith('eth') or - interface == 'default' # dummy nodes use these - ): - continue - - for ip in sorted(config.get('ips', set())): - if '/' in ip: - addr = ip_address(ip.split('/')[0]) - else: - addr = ip_address(ip) - - if not ip4 and isinstance(addr, IPv4Address): - ip4 = addr + # do it again, but do not filter out private addresses + for ip in sorted(found_ips['ipv4']): + if not ip4: + ip4 = ip if ip4: results.add('{} IN A {}'.format(dns_name, ip4)) diff --git a/libs/tools.py b/libs/tools.py index 40afde2..7a984df 100644 --- a/libs/tools.py +++ b/libs/tools.py @@ -5,7 +5,7 @@ from bundlewrap.utils.text import bold, red from bundlewrap.utils.ui import io -def resolve_identifier(repo, identifier): +def resolve_identifier(repo, identifier, linklocal=False, only_physical=False): """ Try to resolve an identifier (group or node). Return a set of ip addresses valid for this identifier. 
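Review bot: The fallback loop in generate_dns_entries_for_nodes, `for ip in sorted(found_ips['ipv4']): if not ip4: ip4 = ip`, only ever picks the smallest element, which is `ip4 = min(found_ips['ipv4'])` in one line. The `found_ips['ipv4']` test in the enclosing `if` already guarantees the set is non-empty, so `min()` cannot raise there. Worth keeping the removed comment's gist as `# no public IPv4 on a physical interface: fall back to the lowest private one`, since the new one-liner no longer says that a private address ends up in the published `IN A` record. The function starts and ends outside this hunk.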
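Review bot: The new `linklocal` and `only_physical` parameters of resolve_identifier are not mentioned in the docstring that follows the signature. Add two lines such as `linklocal: keep link-local addresses in the result (they are dropped by default)` and `only_physical: only consider interfaces whose name looks like a physical, bridge or bond device; VPN and other virtual interfaces are skipped`. Because `linklocal=False` is the default, every existing caller now gets a smaller result than before, and the docstring should state that this is the new default behaviour. The remainder of the docstring and body lies outside this hunk.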
@@ -34,6 +34,15 @@ def resolve_identifier(repo, identifier): found_ips = set() for node in nodes: for interface, config in node.metadata.get('interfaces', {}).items(): + if only_physical and not ( + interface.startswith('bond') or + interface.startswith('br') or + interface.startswith('en') or + interface.startswith('et') or + interface == 'default' # dummy nodes use these + ): + continue + for ip in config.get('ips', set()): if '/' in ip: found_ips.add(ip_address(ip.split('/')[0])) @@ -54,6 +63,9 @@ def resolve_identifier(repo, identifier): } for ip in found_ips: + if ip.is_link_local and not linklocal: + continue + if isinstance(ip, IPv4Address): ip_dict['ipv4'].add(ip) else: From a2ceb8cc3a693cb2dc7490fa970401d9821c2b20 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sat, 9 Sep 2023 16:10:33 +0200 Subject: [PATCH 321/996] bundles/bird: announce subnets via all ips --- bundles/bird/files/bird.conf | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/bundles/bird/files/bird.conf b/bundles/bird/files/bird.conf index 0e6e876..b3ebbc9 100644 --- a/bundles/bird/files/bird.conf +++ b/bundles/bird/files/bird.conf @@ -19,7 +19,9 @@ protocol static { ipv4; % for route in sorted(node.metadata.get('bird/static_routes', set())): - route ${route} via ${node.metadata.get('bird/my_ip')}; +% for name, config in sorted(node.metadata.get('bird/bgp_neighbors', {}).items()): + route ${route} via ${config['local_ip']}; +% endfor % endfor } % endif From fe4d4abc9cbfc64a2c16d272bc4d1ea14c042dba Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sat, 9 Sep 2023 16:10:49 +0200 Subject: [PATCH 322/996] bundles/wireguard: fix max interface length --- bundles/wireguard/metadata.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/bundles/wireguard/metadata.py b/bundles/wireguard/metadata.py index e409e86..c9fd288 100644 --- a/bundles/wireguard/metadata.py +++ b/bundles/wireguard/metadata.py 
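Review bot: The `only_physical` prefix test in resolve_identifier is four chained `startswith` calls; `str.startswith` accepts a tuple, so `if only_physical and not (interface.startswith(('bond', 'br', 'en', 'et')) or interface == 'default'):` says the same in one line. The prefixes `'en'` and `'et'` are broader than the `eno`/`enp`/`eth` set the removed powerdns code used, so names like `ens192` (used in nodes/icinga2.toml) now count as physical, which looks intended but deserves a comment such as `# en*/et* rather than eno/enp/eth so that ens* and enx* are covered too`. The `ip.is_link_local` filter in the next hunk of this file drops 169.254.0.0/16 as well as fe80::/10, which is worth naming in the docstring.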
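Review bot: In the new nested loop in bundles/bird/files/bird.conf the loop variable `name` is never used; `% for _, config in sorted(node.metadata.get('bird/bgp_neighbors', {}).items()):` makes that explicit. If two BGP neighbours are configured with the same `local_ip`, the template now emits an identical `route ${route} via …;` statement twice for that prefix; whether bird accepts a duplicate static route is not visible here, so either de-duplicate the `local_ip` values before the loop or confirm bird tolerates it. A template comment stating that every static route is announced via each neighbour's local address would document the intent.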
@@ -45,7 +45,7 @@ def peer_psks_and_iface_names(metadata): for peer_name in metadata.get('wireguard/peers', {}): peers[peer_name] = { - 'iface': sub('[^a-z0-9-_]+', '_', peer_name)[:20], + 'iface': sub('[^a-z0-9-_]+', '_', peer_name)[:12], } if node.name < peer_name: From 20ff2f40f47bc88766f2cc852aed1845ad2147cf Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sat, 9 Sep 2023 16:12:28 +0200 Subject: [PATCH 323/996] add wireguard tunnel between htz-cloud and icinga2 --- nodes/htz-cloud/wireguard.py | 3 +++ nodes/icinga2.toml | 6 ++++++ 2 files changed, 9 insertions(+) diff --git a/nodes/htz-cloud/wireguard.py b/nodes/htz-cloud/wireguard.py index 2837438..4cd7e3c 100644 --- a/nodes/htz-cloud/wireguard.py +++ b/nodes/htz-cloud/wireguard.py @@ -45,6 +45,9 @@ nodes['htz-cloud.wireguard'] = { 'ovh.wireguard': { 'snat_to': '172.19.137.2', }, + 'icinga2': { + 'snat_to': '172.19.137.2', + }, }, 'subnets': { '172.19.137.0/24', diff --git a/nodes/icinga2.toml b/nodes/icinga2.toml index ed9a84c..4bc530e 100644 --- a/nodes/icinga2.toml +++ b/nodes/icinga2.toml @@ -27,6 +27,9 @@ gateway6 = "fe80::1" [metadata.interfaces.wg_home_router] ips = ["172.19.136.4"] +[metadata.interfaces.wg_htz-cloud_wi] +ips = ["172.19.136.4"] + [metadata.bird] static_routes = ["172.19.136.4/32"] @@ -96,6 +99,9 @@ version = 15 [metadata.wireguard.peers.'home.router'] snat_to = "172.19.136.4" +[metadata.wireguard.peers.'htz-cloud.wireguard'] +snat_to = "172.19.136.4" + [metadata.vm] cpu = 2 ram = 2 From b3b305076f2b5a79f96fff8515975053eab27802 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sat, 9 Sep 2023 16:44:04 +0200 Subject: [PATCH 324/996] move die-brontosaurier-waren-es.org to carlene --- nodes/carlene.toml | 6 ++++++ nodes/rx300.py | 10 ---------- 2 files changed, 6 insertions(+), 10 deletions(-) diff --git a/nodes/carlene.toml b/nodes/carlene.toml index 76ac12e..b6aca91 100644 --- a/nodes/carlene.toml +++ b/nodes/carlene.toml 
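Review bot: Shortening the interface name to `sub(...)[:12]` in peer_psks_and_iface_names makes collisions possible: two peer names that share their first twelve sanitised characters now map to the same interface, and nothing in this hunk detects that. After the loop, `names = [p['iface'] for p in peers.values()]` followed by `assert len(names) == len(set(names)), f'{node.name}: wireguard iface names collide after truncation'` fails the metadata run instead of silently producing two interfaces with one name. The limit itself deserves a comment such as `# prefix + 12 chars keeps the name within the 15-character kernel limit`, assuming the `wg_` prefix is added elsewhere as nodes/icinga2.toml's `wg_htz-cloud_wi` suggests. The function continues outside the hunk.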
@@ -126,6 +126,12 @@ domain = "warnochwas.de" contact = "mailto:security@kunsmann.eu" Encryption = "https://franzi.business/gpg_hi-kunsmann.eu.asc" +[metadata.nginx.vhosts.daskritzelt-redirect] +domain = "die-brontosaurier-waren-es.org" +ssl = false +locations.'/'.redirect = "https://twitter.com/daskritzelt/status/1259167444373028864" +locations.'/'.mode = 302 + [metadata.nginx.vhosts.'franzi.business'] domain = "franzi.business" diff --git a/nodes/rx300.py b/nodes/rx300.py index 96865b5..0368ea3 100644 --- a/nodes/rx300.py +++ b/nodes/rx300.py @@ -91,16 +91,6 @@ nodes['rx300'] = { }, 'vhosts': { 'jenkins-ci': {'ssl': '_.franzi.business'}, - 'daskritzelt-redirect': { - 'domain': 'die-brontosaurier-waren-es.org', - 'ssl': None, - 'locations': { - '/': { - 'redirect': 'https://twitter.com/daskritzelt/status/1259167444373028864', - 'mode': 302, - }, - }, - }, 'jugendhackt_tools': { 'domain': 'jh.franzi.business', 'ssl': '_.franzi.business', From 711230a472a229156353d43813d730232fe04b6a Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sat, 9 Sep 2023 16:45:28 +0200 Subject: [PATCH 325/996] rx300: disable sms --- nodes/rx300.py | 1 + 1 file changed, 1 insertion(+) diff --git a/nodes/rx300.py b/nodes/rx300.py index 0368ea3..fa5523e 100644 --- a/nodes/rx300.py +++ b/nodes/rx300.py @@ -58,6 +58,7 @@ nodes['rx300'] = { }, 'icinga_options': { 'pretty_name': 'franzi.business', + 'vars.notification.sms': False, }, 'jenkins-ci': { 'install_ssh_key': True, From f2b538a16870a68499b4790c053520145a5eabf4 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sat, 9 Sep 2023 16:54:33 +0200 Subject: [PATCH 326/996] bundles/homeassistant: allow more time for checking stuff --- bundles/homeassistant/metadata.py | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/bundles/homeassistant/metadata.py b/bundles/homeassistant/metadata.py index 2ecf827..f0a4d2e 100644 --- a/bundles/homeassistant/metadata.py +++ b/bundles/homeassistant/metadata.py 
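Review bot: The moved vhost in nodes/carlene.toml uses `ssl = false`, while the rx300 definition it replaces used `'ssl': None`; TOML has no null, so the two are equivalent only if the nginx bundle treats `False` and `None` alike, which this patch does not show. Worth a quick check of the bundle, plus a comment on that line, e.g. `# plain-http redirect vhost, no certificate`, so the next reader does not mistake `false` for a typo.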
@@ -33,9 +33,10 @@ def icinga_check_for_new_release(metadata): 'homeassistant': { 'services': { 'HOMEASSISTANT UPDATE': { + 'check_interval': '60m', 'command_on_monitored_host': '/usr/local/share/icinga/plugins/check_homeassistant_update', 'vars.notification.mail': True, - 'check_interval': '60m', + 'vars.sshmon_timeout': 20, }, }, }, From f061196f0dfa058938b2e2a87bcc33f4a4a0b95e Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sat, 9 Sep 2023 17:02:51 +0200 Subject: [PATCH 327/996] bundles/icinga2: add snmp package, needed for check_snmp to work --- bundles/icinga2/metadata.py | 1 + 1 file changed, 1 insertion(+) diff --git a/bundles/icinga2/metadata.py b/bundles/icinga2/metadata.py index f52f079..8c9cc14 100644 --- a/bundles/icinga2/metadata.py +++ b/bundles/icinga2/metadata.py @@ -19,6 +19,7 @@ defaults = { 'icingaweb2': {}, 'icingaweb2-module-monitoring': {}, 'python3-easysnmp': {}, + 'snmp': {}, } }, 'icinga2': { From 25a484f04e35e71a9b27ede9a9fbcdc387abb559 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sat, 9 Sep 2023 17:46:30 +0200 Subject: [PATCH 328/996] remove ovh nodes from monitoring --- nodes/home/router.py | 13 +------------ nodes/ovh/icinga2.py | 3 +++ nodes/ovh/wireguard.py | 3 +++ 3 files changed, 7 insertions(+), 12 deletions(-) diff --git a/nodes/home/router.py b/nodes/home/router.py index da68207..58f58c7 100644 --- a/nodes/home/router.py +++ b/nodes/home/router.py @@ -73,20 +73,9 @@ nodes['home.router'] = { }, }, }, - 'hosts': { - 'entries': { - # Hackaround to force wireguard to only use IPv4 for - # the connection to this system. - '51.195.47.180': { - 'wireguard.ovh.kunbox.net', - }, - }, - }, 'icinga_options': { # override group default - 'also_affected_by': atomic({ - 'ovh.wireguard', - }), + 'also_affected_by': atomic(set()), # disabled on group level # XXX reenable this once we can leave the house safely again #'vars.notification.sms': True 
diff --git a/nodes/ovh/icinga2.py b/nodes/ovh/icinga2.py index 8b9b975..0f2a592 100644 --- a/nodes/ovh/icinga2.py +++ b/nodes/ovh/icinga2.py @@ -30,6 +30,9 @@ nodes['ovh.icinga2'] = { }, }, }, + 'icinga_options': { + 'exclude_from_monitoring': True, + }, 'bird': { 'static_routes': { '172.19.136.3/32', diff --git a/nodes/ovh/wireguard.py b/nodes/ovh/wireguard.py index 6e92c59..334e1b3 100644 --- a/nodes/ovh/wireguard.py +++ b/nodes/ovh/wireguard.py @@ -22,6 +22,9 @@ nodes['ovh.wireguard'] = { '172.19.136.64/26', }, }, + 'icinga_options': { + 'exclude_from_monitoring': True, + }, 'backups': { 'exclude_from_backups': True, }, From d9cb324bb64feeb70579ce7f77351e4e7d0857ab Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sat, 9 Sep 2023 17:48:22 +0200 Subject: [PATCH 329/996] update pretalx to 2023.1.0 --- bundles/c3voc-addons/items.py | 49 ++++++++++++++++++++++++++ bundles/pretalx/items.py | 49 ++++++++++++++------------ bundles/pretalx/metadata.py | 8 +++-- data/c3voc-addons/files | 1 - data/c3voc-addons/files/error.html | 1 + data/c3voc-addons/files/extras | 1 + data/c3voc-addons/files/gpg-keys | 1 + data/c3voc-addons/files/not_found.html | 1 + data/c3voc-addons/files/ssl | 1 + nodes/voc/pretalx.py | 11 ++++-- 10 files changed, 93 insertions(+), 30 deletions(-) delete mode 120000 data/c3voc-addons/files create mode 120000 data/c3voc-addons/files/error.html create mode 120000 data/c3voc-addons/files/extras create mode 120000 data/c3voc-addons/files/gpg-keys create mode 120000 data/c3voc-addons/files/not_found.html create mode 120000 data/c3voc-addons/files/ssl diff --git a/bundles/c3voc-addons/items.py b/bundles/c3voc-addons/items.py index a8116a2..709b10e 100644 --- a/bundles/c3voc-addons/items.py +++ b/bundles/c3voc-addons/items.py 
@@ -1,5 +1,22 @@ from bundlewrap.exceptions import BundleError +supported_os = { + 'debian': { + 10: 'buster', + 11: 'bullseye', + 12: 'bookworm', + 99: 'unstable', + }, + 'raspbian': { + 10: 'buster', + }, +} + +try: + supported_os[node.os][node.os_version[0]] +except (KeyError, IndexError): + raise BundleError(f'{node.name}: OS {node.os} {node.os_version} is not supported by bundle:apt') + CONFLICTING_BUNDLES = { 'apt', 'nginx', @@ -57,6 +74,14 @@ actions = { 'svc_systemd:', }, }, + 'apt_update': { + 'command': 'apt-get update', + 'needed_by': { + 'pkg_apt:', + }, + 'triggered': True, + 'cascade_skip': False, + }, } directories = { @@ -92,6 +117,30 @@ files = { }, } +for name, data in node.metadata.get('apt/repos', {}).items(): + files['/etc/apt/sources.list.d/{}.list'.format(name)] = { + 'content_type': 'mako', + 'content': ("\n".join(sorted(data['items']))).format( + os=node.os, + os_release=supported_os[node.os][node.os_version[0]], + ), + 'triggers': { + 'action:apt_update', + }, + } + + if data.get('install_gpg_key', True): + files['/etc/apt/sources.list.d/{}.list'.format(name)]['needs'] = { + 'file:/etc/apt/trusted.gpg.d/{}.list.asc'.format(name), + } + + files['/etc/apt/trusted.gpg.d/{}.list.asc'.format(name)] = { + 'source': 'gpg-keys/{}.asc'.format(name), + 'triggers': { + 'action:apt_update', + }, + } + for crontab, content in node.metadata.get('cron/jobs', {}).items(): files['/etc/cron.d/{}'.format(crontab)] = { 'source': 'cron_template', diff --git a/bundles/pretalx/items.py b/bundles/pretalx/items.py index e5b65d1..8a57eae 100644 --- a/bundles/pretalx/items.py +++ b/bundles/pretalx/items.py @@ -1,3 +1,6 @@ +assert node.has_bundle('redis'), f'{node.name}: pretalx needs redis' +assert node.has_bundle('nodejs'), f'{node.name}: pretalx needs nodejs for rebuild and regenerate_css step' + actions = { 'pretalx_create_virtualenv': { 'command': '/usr/bin/python3 -m virtualenv -p python3 /opt/pretalx/venv/', 
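Review bot: The `BundleError` message in the new `supported_os` check in bundles/c3voc-addons/items.py says `is not supported by bundle:apt`, but the check lives in bundle c3voc-addons, so a failing node points the operator at the wrong bundle. Use `raise BundleError(f'{node.name}: OS {node.os} {node.os_version} is not supported by bundle:c3voc-addons')`. The bare `supported_os[node.os][node.os_version[0]]` expression is evaluated only for its exception; a comment `# fail early on unsupported OS; the lookup is repeated below when writing sources.list.d` makes that obvious.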
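Review bot: The new repository loop in bundles/c3voc-addons/items.py installs each key as `/etc/apt/trusted.gpg.d/{name}.list.asc`, which makes that key trusted for every configured repository rather than only the one it belongs to. Current apt practice is a keyring outside trusted.gpg.d (for example under /usr/share/keyrings) referenced from the source line with `[signed-by=...]`, so a key from one third-party repository cannot vouch for packages from another. The `.list.asc` suffix is also misleading for a key file; if the trusted.gpg.d location is kept for parity with the apt bundle, a comment `# mirrors bundles/apt; keys here are trusted for all repos` records the trade-off.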
@@ -8,17 +11,20 @@ actions = { }, }, 'pretalx_install': { - 'command': - 'cd /opt/pretalx/src/src && ' - '/opt/pretalx/venv/bin/pip install --upgrade pip wheel gunicorn psycopg2-binary && ' + 'command': ' && '.join([ + 'cd /opt/pretalx/src', + '/opt/pretalx/venv/bin/pip install --upgrade pip wheel gunicorn psycopg2-binary', '/opt/pretalx/venv/bin/pip install --upgrade -e .[redis]', + ]), 'needs': { 'action:pretalx_create_virtualenv', + 'pkg_apt:gcc', + 'pkg_apt:python3-dev', }, 'triggered': True, }, 'pretalx_migrate': { - 'command': 'PRETALX_CONFIG_FILE=/opt/pretalx/pretalx.cfg /opt/pretalx/venv/bin/python -m pretalx migrate', + 'command': '/usr/bin/sudo -Hu pretalx PRETALX_CONFIG_FILE=/opt/pretalx/pretalx.cfg /opt/pretalx/venv/bin/python -m pretalx migrate', 'needs': { 'action:pretalx_install', 'file:/opt/pretalx/pretalx.cfg', @@ -28,24 +34,33 @@ actions = { 'triggered': True, }, 'pretalx_rebuild': { - 'command': 'PRETALX_CONFIG_FILE=/opt/pretalx/pretalx.cfg /opt/pretalx/venv/bin/python -m pretalx rebuild', + 'command': ' && '.join([ + 'cd /opt/pretalx/src/src/pretalx/frontend/schedule-editor/', + 'npm install', + 'PRETALX_CONFIG_FILE=/opt/pretalx/pretalx.cfg /opt/pretalx/venv/bin/python -m pretalx rebuild', + ]), 'needs': { 'action:pretalx_install', 'action:pretalx_migrate', 'directory:/opt/pretalx/data', 'directory:/opt/pretalx/static', 'file:/opt/pretalx/pretalx.cfg', + 'bundle:nodejs', + }, + 'triggers': { + # pretalx-web reads the manifest.json generated by this build-step upon startup + 'svc_systemd:pretalx-web:restart', }, 'triggered': True, }, 'pretalx_regenerate-css': { 'command': 'sudo -u pretalx PRETALX_CONFIG_FILE=/opt/pretalx/pretalx.cfg /opt/pretalx/venv/bin/python -m pretalx regenerate_css', 'needs': { - 'action:pretalx_install', 'action:pretalx_migrate', 'directory:/opt/pretalx/data', 'directory:/opt/pretalx/static', 'file:/opt/pretalx/pretalx.cfg', + 'bundle:nodejs', }, 'triggered': True, }, 
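Review bot: The rewritten `pretalx_rebuild` action runs `npm install` inside the git checkout without the `sudo -Hu pretalx` prefix that `pretalx_migrate` gains in the first hunk of this file, so — assuming bundlewrap actions run as root, as the other `sudo` usages suggest — lifecycle scripts from the schedule-editor's dependency tree execute with root privileges and leave root-owned files in /opt/pretalx/src. Running the whole `' && '.join([...])` chain via `sudo -Hu pretalx` like `pretalx_migrate`, and `npm ci` instead of `npm install` so the lockfile is honoured, would bring it in line. The actions also spell sudo differently (`/usr/bin/sudo -Hu` vs `sudo -u`); pick one form.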
@@ -70,7 +85,7 @@ directories = { git_deploy = { '/opt/pretalx/src': { 'repo': 'https://github.com/pretalx/pretalx.git', - 'rev': node.metadata['pretalx']['version'], + 'rev': node.metadata.get('pretalx/version'), 'triggers': { 'action:pretalx_install', 'action:pretalx_migrate', @@ -82,7 +97,6 @@ git_deploy = { }, } - svc_systemd = { 'pretalx-runperiodic.timer': { 'needs': { @@ -125,15 +139,12 @@ svc_systemd = { files = { '/opt/pretalx/pretalx.cfg': { 'content_type': 'mako', - 'context': node.metadata['pretalx'], + 'context': node.metadata.get('pretalx'), 'triggers': { 'svc_systemd:pretalx-web:restart', 'svc_systemd:pretalx-worker:restart', }, }, - '/opt/pretalx/pretalx-administrators-from-group': { - 'mode': '0755', - }, '/etc/systemd/system/pretalx-runperiodic.timer': { 'triggers': { 'action:systemd-reload', @@ -170,24 +181,16 @@ files = { }, } -if node.metadata.get('pretalx/administrators-from-group-id', None): - files['/etc/cron.d/pretalx-administrators-from-group'] = { - 'source': 'cron-pretalx-administrators-from-group', - 'content_type': 'mako', - } -else: - files['/etc/cron.d/pretalx-administrators-from-group'] = { - 'delete': True, - } - # run `pip install` one after another due to concurrency issues last_action = 'action:pretalx_install' for plugin_name, plugin_config in node.metadata.get('pretalx/plugins', {}).items(): + assert '-' not in plugin_name, f'{node.name} pretalx plugin {plugin_name} must not contain dashes' + directories[f'/opt/pretalx/plugin_{plugin_name}'] = {} git_deploy[f'/opt/pretalx/plugin_{plugin_name}'] = { 'repo': plugin_config['repo'], - 'rev': plugin_config['rev'], + 'rev': plugin_config.get('rev', 'master'), 'triggers': { f'action:pretalx_install_plugin_{plugin_name}', }, diff --git a/bundles/pretalx/metadata.py b/bundles/pretalx/metadata.py index 3c52e15..f60c54b 100644 --- a/bundles/pretalx/metadata.py +++ b/bundles/pretalx/metadata.py 
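Review bot: `'rev': plugin_config.get('rev', 'master')` in the plugin loop of bundles/pretalx/items.py turns a missing `rev` into tracking a moving branch, so an unpinned plugin is re-deployed from whatever upstream pushes next and two applies are no longer reproducible. Every plugin in nodes/voc/pretalx.py already carries a `rev`, so a comment explaining when the branch default is acceptable is the minimum, e.g. `# 'master' only for plugins that are explicitly meant to track upstream; pin a tag otherwise`. This hunk also deletes the `pretalx-administrators-from-group` cron job, yet nodes/voc/pretalx.py in the last file section of this patch still sets `'administrators-from-group-id': 1`; that key is now dead metadata and should be removed there as well.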
@@ -1,17 +1,19 @@ defaults = { 'apt': { 'packages': { + 'gcc': {}, # for compiling some python deps 'gettext': {}, + 'python3-dev': {}, }, }, + 'bash_aliases': { + 'pretalx': 'sudo /opt/pretalx/venv/bin/python -m pretalx', + }, 'backups': { 'paths': { '/opt/pretalx/data', }, }, - 'bash_aliases': { - 'pretalx': 'sudo /opt/pretalx/venv/bin/python -m pretalx', - }, 'icinga2_api': { 'pretalx': { 'services': { diff --git a/data/c3voc-addons/files b/data/c3voc-addons/files deleted file mode 120000 index e2f9229..0000000 --- a/data/c3voc-addons/files +++ /dev/null @@ -1 +0,0 @@ -../nginx/files \ No newline at end of file diff --git a/data/c3voc-addons/files/error.html b/data/c3voc-addons/files/error.html new file mode 120000 index 0000000..26606f0 --- /dev/null +++ b/data/c3voc-addons/files/error.html @@ -0,0 +1 @@ +../../nginx/files/error.html \ No newline at end of file diff --git a/data/c3voc-addons/files/extras b/data/c3voc-addons/files/extras new file mode 120000 index 0000000..afe5648 --- /dev/null +++ b/data/c3voc-addons/files/extras @@ -0,0 +1 @@ +../../nginx/files/extras \ No newline at end of file diff --git a/data/c3voc-addons/files/gpg-keys b/data/c3voc-addons/files/gpg-keys new file mode 120000 index 0000000..c649d44 --- /dev/null +++ b/data/c3voc-addons/files/gpg-keys @@ -0,0 +1 @@ +../../apt/files/gpg-keys \ No newline at end of file diff --git a/data/c3voc-addons/files/not_found.html b/data/c3voc-addons/files/not_found.html new file mode 120000 index 0000000..b6964cb --- /dev/null +++ b/data/c3voc-addons/files/not_found.html @@ -0,0 +1 @@ +../../nginx/files/not_found.html \ No newline at end of file diff --git a/data/c3voc-addons/files/ssl b/data/c3voc-addons/files/ssl new file mode 120000 index 0000000..348aeea --- /dev/null +++ b/data/c3voc-addons/files/ssl @@ -0,0 +1 @@ +../../ssl \ No newline at end of file diff --git a/nodes/voc/pretalx.py b/nodes/voc/pretalx.py index 86f2f68..4c877a9 100644 --- a/nodes/voc/pretalx.py +++ b/nodes/voc/pretalx.py 
@@ -8,6 +8,7 @@ nodes['voc.pretalx'] = { 'backup-client', 'check-mail-received', 'c3voc-addons', + 'nodejs', 'pretalx', 'postfix', 'postgresql', @@ -48,17 +49,21 @@ nodes['voc.pretalx'] = { }, }, 'pretalx': { - 'version': '60722c43cf975f319e94102e6bff320723776890', + 'version': 'v2023.1.0', 'domain': 'pretalx.c3voc.de', 'mail_from': 'pretalx@c3voc.de', 'administrators-from-group-id': 1, 'plugins': { + 'broadcast_tools': { + 'repo': 'https://github.com/Kunsi/pretalx-plugin-broadcast-tools.git', + 'rev': '2.0.1', + }, 'downstream': { 'repo': 'https://github.com/pretalx/pretalx-downstream.git', 'rev': 'v1.1.5', }, - 'broadcast_tools': { - 'repo': 'https://github.com/Kunsi/pretalx-plugin-broadcast-tools.git', + 'halfnarp': { + 'repo': 'https://github.com/seibert-media/pretalx-halfnarp.git', 'rev': '1.1.0', }, 'media.ccc.de': { From cb6f12b218e3865867ac559e83472b72e4e3e6f8 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sat, 9 Sep 2023 18:40:10 +0200 Subject: [PATCH 330/996] add bundle:kea-dhcp-server --- bundles/kea-dhcp-server/items.py | 42 +++++++++++++++ bundles/kea-dhcp-server/metadata.py | 83 +++++++++++++++++++++++++++++ 2 files changed, 125 insertions(+) create mode 100644 bundles/kea-dhcp-server/items.py create mode 100644 bundles/kea-dhcp-server/metadata.py diff --git a/bundles/kea-dhcp-server/items.py b/bundles/kea-dhcp-server/items.py new file mode 100644 index 0000000..921bf78 --- /dev/null +++ b/bundles/kea-dhcp-server/items.py 
@@ -0,0 +1,42 @@ +kea_config = { + 'Dhcp4': { + **node.metadata.get('kea-dhcp-server/config'), + 'interfaces-config': { + 'interfaces': sorted(node.metadata.get('kea-dhcp-server/subnets', {}).keys()), + }, + 'subnet4': [], + }, + 'Server': { + 'loggers': [{ + 'name': 'kea-dhcp4', + 'output_options': [{ + # -> journal + 'output': 'stdout', + }], + 'severity': 'WARN', + }], + }, +} + +for iface, config in sorted(node.metadata.get('kea-dhcp-server/subnets', {}).items()): + kea_config['Dhcp4']['subnet4'].append({ + 'subnet': config['subnet'], + 'pools': [{ + 'pool': f'{config["lower"]} - {config["higher"]}', + }], + 'option-data': [ + { + 'name': k, + 'data': v, + } for k, v in sorted(config.get('options', {}).items()) + ], + 'reservations': [ + { + 'ip-address': v['ip'], + 'hw-address': v['mac'], + 'hostname': k, + } for k, v in sorted(node.metadata.get(f'kea-dhcp-server/fixed_allocations/{iface}', {}).items()) + ] + }) + +# TODO deploy config diff --git a/bundles/kea-dhcp-server/metadata.py b/bundles/kea-dhcp-server/metadata.py new file mode 100644 index 0000000..7b69f3e --- /dev/null +++ b/bundles/kea-dhcp-server/metadata.py 
@@ -0,0 +1,83 @@ +from ipaddress import ip_address, ip_network + +defaults = { + 'apt': { + 'packages': { + 'kea-dhcp4-server': {}, + }, + }, + 'kea-dhcp-server': { + 'config': { + 'authoritative': True, + 'rebind-timer': 450, + 'renew-timer': 300, + 'valid-lifetime': 600, + 'expired-leases-processing': { + 'max-reclaim-leases': 0, + 'max-reclaim-time': 0, + }, + 'lease-database': { + 'lfc-interval': 3600, + 'name': '/var/lib/kea/kea-leases4.csv', + 'persist': True, + 'type': 'memfile', + }, + }, + }, +} + + +@metadata_reactor.provides( + 'kea-dhcp-server/fixed_allocations', +) +def get_static_allocations(metadata): + result = {} + mapping = {} + + for iface, config in metadata.get('kea-dhcp-server/subnets', {}).items(): + result[iface] = {} + mapping[iface] = ip_network(config['subnet']) + + for rnode in repo.nodes: + if ( + rnode.metadata.get('location', '') != metadata.get('location', '') + or rnode == node + ): + continue + + for iface_name, iface_config in rnode.metadata.get('interfaces', {}).items(): + if iface_config.get('dhcp', False) and iface_config.get('mac'): + for ip in iface_config.get('ips', set()): + ipaddr = ip_address(ip) + + for kea_iface, kea_subnet in mapping.items(): + if ipaddr in kea_subnet: + result[kea_iface][f'{rnode.name}_{iface_name}'] = { + 'ip': ip, + 'mac': iface_config['mac'], + } + break + + return { + 'kea-dhcp-server': { + 'fixed_allocations': result, + } + } + + +@metadata_reactor.provides( + 'nftables/rules/10-kea-dhcp-server', +) +def nftables(metadata): + rules = set() + for iface in node.metadata.get('kea-dhcp-server/subnets', {}): + rules.add(f'inet filter input udp dport {{ 67, 68 }} iif {iface} accept') + + return { + 'nftables': { + 'rules': { + # can't use port_rules here, because we're generating interface based rules. + '10-kea-dhcp-server': sorted(rules), + }, + } + } From 1f2266302f1af1f31d397d073f81e1edd2c02b38 Mon Sep 17 00:00:00 2001 
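Review bot: `ipaddr = ip_address(ip)` in get_static_allocations raises `ValueError` for entries written with a prefix length, and this repository does use that form (`"217.160.71.39/32"` in nodes/icinga2.toml; libs/tools.py strips it explicitly with `ip.split('/')[0]`), so the first such interface aborts the metadata run. Use `ipaddr = ip_address(ip.split('/')[0])` and store `str(ipaddr)` as the reservation's `'ip'`, since Kea's `ip-address` must be a bare address too. Separately, the `nftables` reactor reads `node.metadata.get('kea-dhcp-server/subnets', {})` while get_static_allocations uses `metadata.get(...)`; the `metadata` argument is what bundlewrap hands a reactor for exactly this purpose, so the two reactors should use it consistently.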
From: Franziska Kunsmann Date: Sat, 9 Sep 2023 19:37:44 +0200 Subject: [PATCH 331/996] s/autojenkins/forgejo-carlene/ --- nodes/htz-cloud/pirmasens.py | 4 ++-- users.json | 10 +++++----- 2 files changed, 7 insertions(+), 7 deletions(-) diff --git a/nodes/htz-cloud/pirmasens.py b/nodes/htz-cloud/pirmasens.py index aa51e2f..6321ccc 100644 --- a/nodes/htz-cloud/pirmasens.py +++ b/nodes/htz-cloud/pirmasens.py @@ -44,7 +44,7 @@ nodes['htz-cloud.pirmasens'] = { 'salonkatrin-v2': { 'domain': 'dev.salonkatrin.de', 'webroot_config': { - 'owner': 'autojenkins', + 'owner': 'forgejo-carlene', }, }, 'salonkatrin-www': { @@ -87,7 +87,7 @@ nodes['htz-cloud.pirmasens'] = { 'password': vault.decrypt('encrypt$gAAAAABfp7qzym32R6Go1A6oax0NGQM7EBMckbEbnZC6-RSKx-klSJsL57XbSUTD-AJM-gBIPzlmor-3bfVxPWLRYXtO8uTVw6jNQ1yt15ReHkOTijVqV2ACk-LTDBG3p4YKBn0pQgNvvjXhWV_J1-Pgjywbl4sHXc0zqjCGZ6xtEn6ywj0Pd599JJjREF4QCIFVZVWuKvo1'), }, 'users': { - 'autojenkins': {}, + 'forgejo-carlene': {}, 'frank': {}, 'sophie': { 'delete': True, diff --git a/users.json b/users.json index 7769c17..7499acf 100644 --- a/users.json +++ b/users.json @@ -1,14 +1,14 @@ { - "autojenkins": { - "ssh_pubkey": [ - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHZnYhsdtGUYJiFcvfqTLljGkInnFTOoDF/WZniLtPjH" - ] - }, "fkunsmann": { "ssh_pubkey": [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICYst1HK+gJYhNxzqJGnz4iB73pa89Xz2yH+8wufOcsA" ] }, + "forgejo-carlene": { + "ssh_pubkey": [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA3aj7Ij9aIgSBgIAyIPAQa/w++7eVKIxbK0iFuVvjeH" + ] + }, "kunsi": { "ssh_pubkey": [ "ssh-rsa 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 cardno:000609506971" From b38ba55ed3b679e99c35c98e1455a120b20888b5 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sat, 9 Sep 2023 20:31:05 +0200 Subject: [PATCH 332/996] bundles/forgejo: fix missing slash --- bundles/forgejo/items.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/bundles/forgejo/items.py b/bundles/forgejo/items.py index cb51771..e3ed9b1 100644 
--- a/bundles/forgejo/items.py +++ b/bundles/forgejo/items.py @@ -46,7 +46,7 @@ files = { }, } -if node.metadata.get('forgejoinstall_ssh_key', False): +if node.metadata.get('forgejo/install_ssh_key', False): files['/var/lib/forgejo/.ssh/id_ed25519'] = { 'content': repo.vault.decrypt_file(f'forgejo/files/ssh-keys/{node.name}.key.vault'), 'mode': '0600', From 40aeeab2656f07535e5ebc688bdb75b4ce89e005 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sat, 9 Sep 2023 20:39:23 +0200 Subject: [PATCH 333/996] update matrix-media-repo to 1.3.1 --- bundles/matrix-media-repo/files/config.yaml | 43 ++++++++++----------- nodes/carlene.toml | 8 +++- nodes/htz-cloud.afra.toml | 5 ++- nodes/htz-cloud/miniserver.py | 5 ++- 4 files changed, 32 insertions(+), 29 deletions(-) diff --git a/bundles/matrix-media-repo/files/config.yaml b/bundles/matrix-media-repo/files/config.yaml index 3623928..5e4549f 100644 --- a/bundles/matrix-media-repo/files/config.yaml +++ b/bundles/matrix-media-repo/files/config.yaml @@ -1,7 +1,7 @@ # General repo configuration repo: - bindAddress: '${node.metadata['matrix-media-repo'].get('listen-addr', '127.0.0.1')}' - port: ${node.metadata['matrix-media-repo'].get('port', 20090)} + bindAddress: '${node.metadata.get('matrix-media-repo/listen-addr', '127.0.0.1')}' + port: ${node.metadata.get('matrix-media-repo/port', 20090)} logDirectory: '-' trustAnyForwardedAddress: false useForwardedHost: true 
@@ -10,14 +10,14 @@ federation: backoffAt: 20 database: - postgres: "postgres://${node.metadata['matrix-media-repo']['database']['user']}:${node.metadata['matrix-media-repo']['database']['password']}@${node.metadata['matrix-media-repo']['database'].get('host', 'localhost')}/${node.metadata['matrix-media-repo']['database']['database']}?sslmode=disable" + postgres: "postgres://${node.metadata.get('matrix-media-repo/database/user')}:${node.metadata.get('matrix-media-repo/database/password')}@${node.metadata.get('matrix-media-repo/database/host', 'localhost')}/${node.metadata.get('matrix-media-repo/database/database')}?sslmode=disable" pool: maxConnections: 25 maxIdleConnections: 5 homeservers: -% for homeserver, config in node.metadata['matrix-media-repo'].get('homeservers', {}).items(): +% for homeserver, config in node.metadata.get('matrix-media-repo/homeservers').items(): - name: ${homeserver} csApi: "${config['domain']}" backoffAt: ${config.get('backoff_at', 10)} 
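Review bot: The new `postgres:` line still builds the connection URL by plain string interpolation, so a database password containing `@`, `/`, `:` or `#` breaks the URL or is parsed as host/path; either URL-encode it in the template, `${urllib.parse.quote(node.metadata.get('matrix-media-repo/database/password'), safe='')}` (which needs a `<%! import urllib.parse %>` block at the top of the Mako file), or document that generated passwords must stay URL-safe. The same hunk also drops the `{}` default from the homeservers loop: `node.metadata.get('matrix-media-repo/homeservers')` with no default will presumably fail on a node that configures no homeservers instead of rendering an empty list, which may be intended but is not mentioned in the commit message.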
@@ -29,45 +29,42 @@ accessTokens: useLocalAppserviceConfig: false admins: -% for user in sorted(node.metadata['matrix-media-repo']['admins']): +% for user in sorted(node.metadata.get('matrix-media-repo/admins')): - "${user}" % endfor sharedSecretAuth: enabled: false - token: "${node.metadata['matrix-media-repo']['shared-secret-token']}" + token: "${node.metadata.get('matrix-media-repo/shared-secret-token')}" datastores: - type: file + id: "${node.metadata.get('matrix-media-repo/datastore_id')}" enabled: true - forKinds: - - 'thumbnails' - - 'remote_media' - - 'local_media' - - 'archives' + forKinds: ['all'] opts: path: /var/matrix/media archiving: enabled: true - selfService: ${str(node.metadata['matrix-media-repo']['archive']['self-service']).lower()} - targetBytesPerPart: ${node.metadata['matrix-media-repo']['archive'].get('mb_per_part', node.metadata['matrix-media-repo']['upload_max_mb']*2)*1024*1024} + selfService: ${str(node.metadata.get('matrix-media-repo/archive/self-service')).lower()} + targetBytesPerPart: ${node.metadata.get('matrix-media-repo/archive/mb_per_part', node.metadata.get('matrix-media-repo/upload_max_mb')*2)*1024*1024} uploads: - maxBytes: ${node.metadata['matrix-media-repo']['upload_max_mb']*1024*1024} + maxBytes: ${node.metadata.get('matrix-media-repo/upload_max_mb')*1024*1024} minBytes: 100 reportedMaxBytes: 0 quotas: enabled: false downloads: - maxBytes: ${node.metadata['matrix-media-repo']['download_max_mb']*1024*1024} - numWorkers: ${node.metadata['matrix-media-repo']['workers']} + maxBytes: ${node.metadata.get('matrix-media-repo/download_max_mb')*1024*1024} + numWorkers: ${node.metadata.get('matrix-media-repo/workers')} failureCacheMinutes: 5 cache: enabled: true - maxSizeBytes: ${node.metadata['matrix-media-repo']['download_max_mb']*10*1024*1024} - maxFileSizeBytes: ${node.metadata['matrix-media-repo']['upload_max_mb']*1024*1024} + maxSizeBytes: ${node.metadata.get('matrix-media-repo/download_max_mb')*10*1024*1024} + maxFileSizeBytes: 
${node.metadata.get('matrix-media-repo/download_max_mb')*1024*1024} trackedMinutes: 30 minDownloads: 5 minCacheTimeSeconds: 300 @@ -76,7 +73,7 @@ downloads: urlPreviews: enabled: true - maxPageSizeBytes: ${node.metadata['matrix-media-repo']['preview_max_mb']*1024*1024} + maxPageSizeBytes: ${node.metadata.get('matrix-media-repo/preview_max_mb')*1024*1024} previewUnsafeCertificates: false numWords: 50 maxLength: 200 @@ -84,7 +81,7 @@ urlPreviews: maxTitleLength: 150 filePreviewTypes: - "image/*" - numWorkers: ${node.metadata['matrix-media-repo']['workers']} + numWorkers: ${node.metadata.get('matrix-media-repo/workers')} disallowedNetworks: - "127.0.0.1/8" - "10.0.0.0/8" @@ -103,8 +100,8 @@ urlPreviews: oEmbed: false thumbnails: - maxSourceBytes: ${node.metadata['matrix-media-repo']['preview_max_mb']*1024*1024} - numWorkers: ${node.metadata['matrix-media-repo']['workers']} + maxSourceBytes: ${node.metadata.get('matrix-media-repo/preview_max_mb')*1024*1024} + numWorkers: ${node.metadata.get('matrix-media-repo/workers')} sizes: - width: 32 height: 32 @@ -134,7 +131,7 @@ thumbnails: - "video/mp4" allowAnimated: true defaultAnimated: false - maxAnimateSizeBytes: ${node.metadata['matrix-media-repo']['preview_max_mb']*1024*1024} + maxAnimateSizeBytes: ${node.metadata.get('matrix-media-repo/preview_max_mb')*1024*1024} stillFrame: 0.5 expireAfterDays: 0 diff --git a/nodes/carlene.toml b/nodes/carlene.toml index b6aca91..d2a692b 100644 --- a/nodes/carlene.toml +++ b/nodes/carlene.toml @@ -29,6 +29,9 @@ bundles = [ "zfs", ] +# for auto-deployment of salonkatrin.de +[metadata.apt.packages.jekyll] + [metadata.check-mail-received.t-online] email = "franzi.kunsmann@t-online.de" imap_host = "secureimap.t-online.de" 
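Review bot: In the `downloads.cache` block, `maxFileSizeBytes` silently switches from `upload_max_mb` to `download_max_mb` (`maxFileSizeBytes: ${node.metadata.get('matrix-media-repo/download_max_mb')*1024*1024}`), a behaviour change unrelated to the `metadata.get` migration and the 1.3.1 update the commit describes; if it is intended, say so in the commit message, otherwise keep `upload_max_mb` as the adjacent `uploads.maxBytes` still does. The new `id: "${node.metadata.get('matrix-media-repo/datastore_id')}"` has no default, so every node using this bundle now has to carry `datastore_id` — the three node files in this commit do, but any other node would presumably fail at render time.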
@@ -65,9 +68,10 @@ gateway6 = "2a0a:51c0:0:225::1" [metadata.matrix-media-repo] admins = ["@kunsi:franzi.business"] -sha1 = "0915bdf7c461368859180419d1f66717969cbe32" +datastore_id = "3fff5da324ed784c771d638bb6be5917" +sha1 = "0f9e686f9538baa059eba91e56b320e38ae6125b" upload_max_mb = 500 -version = "v1.2.13" +version = "v1.3.1" [metadata.matrix-media-repo.homeservers.'franzi.business'] api = "synapse" domain = "http://[::1]:20080/" diff --git a/nodes/htz-cloud.afra.toml b/nodes/htz-cloud.afra.toml index 611a848..5e89e98 100644 --- a/nodes/htz-cloud.afra.toml +++ b/nodes/htz-cloud.afra.toml @@ -42,10 +42,11 @@ defaultCountryCode = "DE" jitsi.preferredDomain = "meet.ffmuc.net" [metadata.matrix-media-repo] -version = "v1.2.13" -sha1 = "0915bdf7c461368859180419d1f66717969cbe32" admins = ['@administress:afra.berlin'] +datastore_id = "e33b50474021fba9977f912414cdd7fe8890ed57" +sha1 = "0f9e686f9538baa059eba91e56b320e38ae6125b" upload_max_mb = 50 +version = "v1.3.1" [metadata.matrix-media-repo.homeservers.'afra.berlin'] domain = "http://[::1]:20080/" diff --git a/nodes/htz-cloud/miniserver.py b/nodes/htz-cloud/miniserver.py index 3d77123..9e2c246 100644 --- a/nodes/htz-cloud/miniserver.py +++ b/nodes/htz-cloud/miniserver.py @@ -113,8 +113,9 @@ nodes['htz-cloud.miniserver'] = { }, }, 'matrix-media-repo': { - 'version': 'v1.2.13', - 'sha1': '0915bdf7c461368859180419d1f66717969cbe32', + 'version': 'v1.3.1', + 'datastore_id': '99c09e24edc4e9be6c4c9486bc147e385bc87044', + 'sha1': '0f9e686f9538baa059eba91e56b320e38ae6125b', 'homeservers': { 'sophies-kitchen.eu': { 'domain': 'http://[::1]:20080/', From 54d55bbb8dadfe16497ca035db0833e4a55ae992 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sat, 9 Sep 2023 21:09:30 +0200 Subject: [PATCH 334/996] update forgejo to 1.20.4 --- bundles/forgejo/items.py | 2 +- bundles/forgejo/metadata.py | 18 +++++++++++++++++- nodes/carlene.toml | 4 ++-- 3 files changed, 20 insertions(+), 4 deletions(-) 
diff --git a/bundles/forgejo/items.py b/bundles/forgejo/items.py index e3ed9b1..f94c360 100644 --- a/bundles/forgejo/items.py +++ b/bundles/forgejo/items.py @@ -37,7 +37,7 @@ files = { }, '/usr/local/bin/forgejo': { 'content_type': 'download', - 'source': node.metadata.get('forgejo/url'), + 'source': 'https://codeberg.org/forgejo/forgejo/releases/download/v{0}/forgejo-{0}-linux-amd64'.format(node.metadata.get('forgejo/version')), 'content_hash': node.metadata.get('forgejo/sha1', None), 'mode': '0755', 'triggers': { diff --git a/bundles/forgejo/metadata.py b/bundles/forgejo/metadata.py index 7eb43ec..714568f 100644 --- a/bundles/forgejo/metadata.py +++ b/bundles/forgejo/metadata.py @@ -26,7 +26,6 @@ defaults = { 'command_on_monitored_host': '/usr/local/share/icinga/plugins/check_systemd_unit forgejo', }, 'FORGEJO UPDATE': { - 'command_on_monitored_host': '/usr/local/share/icinga/plugins/check_forgejo_for_new_release codeberg.org forgejo/forgejo v$(forgejo --version | cut -d" " -f3 | sed "s/\\+/\\-/g")', 'vars.notification.mail': True, 'check_interval': '60m', }, @@ -63,6 +62,23 @@ defaults = { } +@metadata_reactor.provides( + 'icinga2_api/forgejo', +) +def update_monitoring(metadata): + return { + 'icinga2_api': { + 'forgejo': { + 'services': { + 'FORGEJO UPDATE': { + 'command_on_monitored_host': '/usr/local/share/icinga/plugins/check_forgejo_for_new_release codeberg.org forgejo/forgejo v{}'.format(metadata.get('forgejo/version')), + }, + }, + }, + }, + } + + @metadata_reactor.provides( 'nginx/vhosts/forgejo', ) diff --git a/nodes/carlene.toml b/nodes/carlene.toml index d2a692b..0501f3b 100644 --- a/nodes/carlene.toml +++ b/nodes/carlene.toml 
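Review bot: `'content_hash': node.metadata.get('forgejo/sha1', None)` keeps the checksum optional, so a node that sets `forgejo/version` but no `forgejo/sha1` downloads the release from codeberg.org into `/usr/local/bin/forgejo` with mode `0755` and no integrity check at all. Now that the URL is derived from the version, the hash can be made mandatory in the same step, `'content_hash': node.metadata.get('forgejo/sha1'),`, so a missing hash fails at metadata time instead of yielding an unverified binary. The `files = {` dict this entry belongs to starts and ends outside the hunk.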
@@ -48,8 +48,8 @@ defaultCountryCode = "DE" jitsi.preferredDomain = "meet.ffmuc.net" [metadata.forgejo] -url = "https://codeberg.org/forgejo/forgejo/releases/download/v1.20.3-0/forgejo-1.20.3-0-linux-amd64" -sha1 = "3199c656c9b9916f288d5feadcf0b63f6bbe1193" +version = "1.20.4-0" +sha1 = "20994ac3f10a7c6af11743b19bcea33107a49b35" domain = "git.franzi.business" enable_git_hooks = true install_ssh_key = true From e7a652503f2b11bec227f3a5aa9540c939ad32a8 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sat, 9 Sep 2023 21:09:52 +0200 Subject: [PATCH 335/996] update htz-cloud.{afra,miniserver} to bookworm --- nodes/htz-cloud.afra.toml | 2 +- nodes/htz-cloud/miniserver.py | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/nodes/htz-cloud.afra.toml b/nodes/htz-cloud.afra.toml index 5e89e98..65f9b5d 100644 --- a/nodes/htz-cloud.afra.toml +++ b/nodes/htz-cloud.afra.toml @@ -9,7 +9,7 @@ bundles = [ "zfs", ] groups = [ - "debian-bullseye", + "debian-bookworm", "webserver", ] diff --git a/nodes/htz-cloud/miniserver.py b/nodes/htz-cloud/miniserver.py index 9e2c246..551ddf7 100644 --- a/nodes/htz-cloud/miniserver.py +++ b/nodes/htz-cloud/miniserver.py @@ -13,7 +13,7 @@ nodes['htz-cloud.miniserver'] = { 'zfs', }, 'groups': { - 'debian-bullseye', + 'debian-bookworm', 'webserver', }, 'metadata': { From 30604db869e3f54e381b956a926131f9a8f65d3b Mon Sep 17 00:00:00 2001 From: Sophie Schiller Date: Sat, 9 Sep 2023 22:42:53 +0200 Subject: [PATCH 336/996] hedgedoc: makee usable on bookworm --- bundles/hedgedoc/files/hedgedoc.service | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/bundles/hedgedoc/files/hedgedoc.service b/bundles/hedgedoc/files/hedgedoc.service index 2bd0de4..5bafd07 100644 --- a/bundles/hedgedoc/files/hedgedoc.service +++ b/bundles/hedgedoc/files/hedgedoc.service 
@@ -33,7 +33,11 @@ ProtectSystem=strict ProtectHome=true PrivateTmp=true SystemCallArchitectures=native -SystemCallFilter=@system-service +# FIXME +# causes problems on bookworm +# see https://github.com/hedgedoc/hedgedoc/issues/4686 +# cmmented out for now ... +#SystemCallFilter=@system-service # You may have to adjust these settings User=hedgedoc From 5fda0ab4640403b326f6357c664e190a3369c590 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sat, 9 Sep 2023 22:27:34 +0200 Subject: [PATCH 337/996] aurto.kunbox.net IN CNAME aurto.htz-cloud.kunbox.net --- data/powerdns/files/bind-zones/kunbox.net | 3 +++ 1 file changed, 3 insertions(+) diff --git a/data/powerdns/files/bind-zones/kunbox.net b/data/powerdns/files/bind-zones/kunbox.net index d0eb4de..c7b110a 100644 --- a/data/powerdns/files/bind-zones/kunbox.net +++ b/data/powerdns/files/bind-zones/kunbox.net @@ -24,6 +24,9 @@ $ORIGIN kunbox.net. _acme-challenge IN CNAME _acme-challenge.kunbox.net.le.kunbox.net. _acme-challenge.home IN CNAME _acme-challenge.home.kunbox.net.le.kunbox.net. +; aurto, keep old name +aurto IN CNAME aurto.htz-cloud + ; Mail servers mta-sts IN CNAME carlene From 5238937044aca8abc608f80108f7c0fa94b22fa3 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sat, 9 Sep 2023 22:28:52 +0200 Subject: [PATCH 338/996] bundles/powerdns: do not put private ipv4 into dns if public ipv6 exists --- bundles/powerdns/metadata.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/bundles/powerdns/metadata.py b/bundles/powerdns/metadata.py index db43cee..b418636 100644 --- a/bundles/powerdns/metadata.py +++ b/bundles/powerdns/metadata.py @@ -143,7 +143,7 @@ def generate_dns_entries_for_nodes(metadata): if not ip6 and not ip.is_private: ip6 = ip - if not ip4 and found_ips['ipv4']: + if not (ip4 or ip6) and found_ips['ipv4']: # do it again, but do not filter out private addresses for ip in sorted(found_ips['ipv4']): if not ip4: 
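Review bot: Commenting out `SystemCallFilter=@system-service` drops the whole seccomp allow-list for the service, while the linked issue presumably concerns a small set of syscalls that node on bookworm needs; systemd merges multiple `SystemCallFilter=` lines, so the narrower fix is to keep the `@system-service` line and add a second `SystemCallFilter=` line listing only the additional syscalls once they are identified from the journal (a filtered syscall shows up as the process dying with SIGSYS). If the filter has to stay off for now, a comment naming the syscall that fails would let the next person re-enable it; the new comment also has a typo, `cmmented` → `commented`.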
From 7845faeac37d24ca2b051c6b2c3ecab9cebe8194 Mon Sep 17 00:00:00 2001
From: Franziska Kunsmann
Date: Sat, 9 Sep 2023 22:46:09 +0200
Subject: [PATCH 339/996] htz-cloud.wireguard: add IPv4 NAT
---
nodes/htz-cloud/wireguard.py | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/nodes/htz-cloud/wireguard.py b/nodes/htz-cloud/wireguard.py
index 4cd7e3c..d7c9a89 100644
--- a/nodes/htz-cloud/wireguard.py
+++ b/nodes/htz-cloud/wireguard.py
@@ -36,6 +36,15 @@ nodes['htz-cloud.wireguard'] = {
 '172.19.137.0/24',
 },
 },
+ 'nftables': {
+ 'rules': {
+ '50-router': [
+ 'inet filter forward ct state { related, established } accept',
+ 'inet filter forward oif eth0 accept',
+ 'nat postrouting oif eth0 masquerade',
+ ],
+ },
+ },
 'vm': {
 'cpu': 1,
 'ram': 2,
From b38bc67a603a2e840063fd591cd0f9fa14d9a484 Mon Sep 17 00:00:00 2001
From: Franziska Kunsmann
Date: Sat, 9 Sep 2023 23:02:08 +0200
Subject: [PATCH 340/996] move aurto to hetzner cloud
---
.../extras/{aurto => htz-cloud.aurto}/aurto | 0
nodes/aurto.py | 99 -------------------
nodes/htz-cloud.aurto.toml | 65 ++++++++++++
3 files changed, 65 insertions(+), 99 deletions(-)
rename data/nginx/files/extras/{aurto => htz-cloud.aurto}/aurto (100%)
delete mode 100644 nodes/aurto.py
create mode 100644 nodes/htz-cloud.aurto.toml
diff --git a/data/nginx/files/extras/aurto/aurto b/data/nginx/files/extras/htz-cloud.aurto/aurto
similarity index 100%
rename from data/nginx/files/extras/aurto/aurto
rename to data/nginx/files/extras/htz-cloud.aurto/aurto
diff --git a/nodes/aurto.py b/nodes/aurto.py
deleted file mode 100644
index d7a98c3..0000000
--- a/nodes/aurto.py
+++ /dev/null
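Review bot: `'inet filter forward oif eth0 accept'` and `'nat postrouting oif eth0 masquerade'` forward and NAT traffic from any source, not only the `172.19.137.0/24` subnet visible in the context just above, so any packet that reaches this host's forward chain leaves via eth0 under the host's public address. Scope both rules to the tunnel subnet: `'inet filter forward ip saddr 172.19.137.0/24 oif eth0 accept'` and `'nat postrouting ip saddr 172.19.137.0/24 oif eth0 masquerade'`. Consider `oifname eth0` rather than `oif eth0` as well — `oif` is resolved to an interface index when the ruleset is loaded, and the rules generated in bundles/wireguard/metadata.py elsewhere on this page use `iifname`/`oifname`, so the two styles are now mixed. The `nodes['htz-cloud.wireguard']` dict starts and ends outside the hunk.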
@@ -1,99 +0,0 @@ -nodes['aurto'] = { - 'hostname': '31.47.232.107', - 'bundles': { - 'backup-client', - 'check-mail-received', - }, - 'groups': { - 'arch', - 'webserver', - }, - 'metadata': { - 'icinga_options': { - 'also_affected_by': { - 'rx300', - }, - 'period': 'daytime', - }, - 'backups': { - 'paths': { - '/var/cache/pacman/aurto', - }, - }, - 'check-mail-received': { - 't-online': { - 'email': 'franzi.kunsmann@t-online.de', - 'imap_host': 'secureimap.t-online.de', - 'imap_pass': bwpass.attr('t-online.de/franzi.kunsmann@t-online.de', 'imap'), - }, - }, - 'description': [ - 'When adding packages to aurto, please also add those packages to ~/PACKAGES', - 'Wenn Pakete zu aurto hinzugefügt werden, trage sie bitte auch in ~/PACKAGES ein', - ], - 'interfaces': { - 'enp1s0': { - 'ips': { - '31.47.232.107/29', - '2a00:f820:528::3/64', - }, - 'gateway4': '31.47.232.105', - 'gateway6': '2a00:f820:528::1', - }, - }, - 'nginx': { - 'vhosts': { - 'aurto': { - 'domain': 'aurto.kunbox.net', - 'webroot': '/var/cache/pacman/aurto', - 'extras': True, - }, - }, - }, - 'pacman': { - 'enable_aurto': False, - 'additional_config': { - 'Include = /etc/pacman.d/aurto', - }, - 'unattended-upgrades': { - 'is_enabled': True, - 'hour': 22, # one hour after the host - }, - }, - 'sudo': { - 'extra_configs': { - '50_aurto_passwordless': { - '%wheel ALL=(ALL) NOPASSWD: /usr/bin/arch-nspawn', - '%wheel ALL=(ALL) NOPASSWD: /usr/bin/pacsync aurto', - '%wheel ALL=(ALL) NOPASSWD:SETENV: /usr/bin/makechrootpkg', - }, - }, - }, - 'users': { - 'aurto': { - 'groups': { - 'wheel', - }, - 'ssh_pubkey': { - # e1mo - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBfbb4m4o89EumFjE8ichX03CC/mWry0JYaz91HKVJPb e1mo', - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID9x/kL2fFqQSEyFvdEgiM2UKYAZyV1oct9alS6mweVa e1mo (ssh_0x6D617FD0A85BAADA)', - # f2k1de - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGrvhqC/tZzpLMs/qy+1xNSVi2mfn8LXPIEhh7dcGn9e', - 'ssh-rsa 
AAAAB3NzaC1yc2EAAAADAQABAAABAQDH5+j2vDW1FHSSEEI/Sf5qiKJq1uoxGO5BPv84mqohvol7GxDFObv69tn7g6HYfZY/SaS75C4ZXy+cKa0xy8UCpF0SBa2xHASkenS9v55oweDL4rYSPARzn2XKt3RFJG/d8V5NOWtcyq5DFSzewUF35E4hx1pUc/CIxgJEem5ZvzvN0hlIKXUN2djkVUx+mz6RryBysLTJEFBamjJxIkvDG/PZU73W4SHaKAYV4Ojz2NY7T5/NYKePfIU5F9pkE3RU0LRj58usvA1eP0PvEArWlGNCd8EJU+HQ5xr2dZ6MKPpEyG0KJkC88DuapeF5RwUV53ZhNpF+QgzpI72fH5up', - # kunsi - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICYst1HK+gJYhNxzqJGnz4iB73pa89Xz2yH+8wufOcsA', - 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC+ja1z5VRQzaKCCePsUM14qMr9QR94qlWc7Je5Poki9UmC1t/TyxRVzcCBL1ZdIfBGx6QKtfkEbvhgb3nxVt3PvXjoJrc6wwGLmNrVsU6B88y35g7nzupQiPKYJwkNzJ9j6Dmkgj1F5Q+aY2SitDaX6vqICLJ4Al/ZFw2IQxVJfC7JXRJ9jRMG5o9gWoE3gWDYEAmw+HU2mNzyeuaD12qJw9DHUimAlgkOWzll3gh9WclsYnnXGrCCn5fyHFUCJl+XXAIy519z7YTpKih02rsIOw5dnaGClBZD/YQu2ZKVFZiwIVH7aBiqHOmtgRyWTQgjbh/fMpIN0ar2f/iZsWYUjd6et48TOmXZYIPCQ5FivXNvxt9oo1XZfq76UHBwlmypLJIWROMbz375n2M6hr3hECuxuPjKEUXAv05KiC1aJ4xc6pFoVhqwAR99hvHw5U4o7/ko2NVjNpTu6Jr5DT5VaQLIdDDjC/93kUjMpdD/8P72bEn7454+WexU6OE6uvNiHj1fetrptr2UAuzVfnCoaV8pBqY7X95gk+lnSENdpr8ltJYMg8s0Z7Pzz0OxsZtzzDY5VmWfC9TCdJkN5lT8IbnaixsYlWdjQl1lMmZGElmelfU3K7YQLAbZiHmHKe4hTl9ZoCcWdTQ3d4y2t1DBos+N2HZNdtFCyOS8esDdMw== cardno:000609506971', - # n0emis - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEcOPtW5FWNIdlMQFoqeyA1vHw+cA8ft8oXSbXPzQNL9 n0emis@n0emis.eu', - 'ssh-rsa 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 simeon@noemis.me (OLD)', - }, - }, - 'kunsi': { - 'groups': { - 'wheel', - }, - }, - }, - }, -} diff --git a/nodes/htz-cloud.aurto.toml b/nodes/htz-cloud.aurto.toml new file mode 100644 index 0000000..ffa68d1 --- /dev/null +++ b/nodes/htz-cloud.aurto.toml 
@@ -0,0 +1,65 @@ +hostname = "2a01:4f9:c010:95fa::2" +bundles = ["backup-client"] +groups = [ + "arch", + "webserver", +] + +[metadata] +description = [ + "When adding packages to aurto, please also add those packages to ~/PACKAGES", + "Wenn Pakete zu aurto hinzugefügt werden, trage sie bitte auch in ~/PACKAGES ein", +] + +[metadata.icinga_options] +period = "daytime" + +[metadata.backups] +paths = [ + "/var/cache/pacman/aurto", +] + +[metadata.interfaces.enp1s0] +ips = ["2a01:4f9:c010:95fa::2/64"] +gateway6 = "fe80::1" + +[metadata.interfaces.enp7s0] +ips = ["172.19.137.4/32"] +gateway4 = "172.19.137.1" + +[metadata.nginx.vhosts.aurto] +domain = "aurto.kunbox.net" +webroot = "/var/cache/pacman/aurto" +extras = true + +[metadata.pacman] +enable_aurto = false +additional_config = [ + "Include = /etc/pacman.d/aurto", +] + +[metadata.pacman.unattended-upgrades] +is_enabled = true + +[metadata.sudo.extra_configs] +50_aurto_passwordless = [ + "%wheel ALL=(ALL) NOPASSWD: /usr/bin/arch-nspawn", + "%wheel ALL=(ALL) NOPASSWD: /usr/bin/pacsync aurto", + "%wheel ALL=(ALL) NOPASSWD:SETENV: /usr/bin/makechrootpkg", +] + +[metadata.users.aurto] +groups = ["wheel"] +ssh_pubkey = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBfbb4m4o89EumFjE8ichX03CC/mWry0JYaz91HKVJPb", + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICYst1HK+gJYhNxzqJGnz4iB73pa89Xz2yH+8wufOcsA", + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID9x/kL2fFqQSEyFvdEgiM2UKYAZyV1oct9alS6mweVa", + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEcOPtW5FWNIdlMQFoqeyA1vHw+cA8ft8oXSbXPzQNL9", + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGrvhqC/tZzpLMs/qy+1xNSVi2mfn8LXPIEhh7dcGn9e", + "ssh-rsa 
AAAAB3NzaC1yc2EAAAADAQABAAABAQDH5+j2vDW1FHSSEEI/Sf5qiKJq1uoxGO5BPv84mqohvol7GxDFObv69tn7g6HYfZY/SaS75C4ZXy+cKa0xy8UCpF0SBa2xHASkenS9v55oweDL4rYSPARzn2XKt3RFJG/d8V5NOWtcyq5DFSzewUF35E4hx1pUc/CIxgJEem5ZvzvN0hlIKXUN2djkVUx+mz6RryBysLTJEFBamjJxIkvDG/PZU73W4SHaKAYV4Ojz2NY7T5/NYKePfIU5F9pkE3RU0LRj58usvA1eP0PvEArWlGNCd8EJU+HQ5xr2dZ6MKPpEyG0KJkC88DuapeF5RwUV53ZhNpF+QgzpI72fH5up", + "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC+ja1z5VRQzaKCCePsUM14qMr9QR94qlWc7Je5Poki9UmC1t/TyxRVzcCBL1ZdIfBGx6QKtfkEbvhgb3nxVt3PvXjoJrc6wwGLmNrVsU6B88y35g7nzupQiPKYJwkNzJ9j6Dmkgj1F5Q+aY2SitDaX6vqICLJ4Al/ZFw2IQxVJfC7JXRJ9jRMG5o9gWoE3gWDYEAmw+HU2mNzyeuaD12qJw9DHUimAlgkOWzll3gh9WclsYnnXGrCCn5fyHFUCJl+XXAIy519z7YTpKih02rsIOw5dnaGClBZD/YQu2ZKVFZiwIVH7aBiqHOmtgRyWTQgjbh/fMpIN0ar2f/iZsWYUjd6et48TOmXZYIPCQ5FivXNvxt9oo1XZfq76UHBwlmypLJIWROMbz375n2M6hr3hECuxuPjKEUXAv05KiC1aJ4xc6pFoVhqwAR99hvHw5U4o7/ko2NVjNpTu6Jr5DT5VaQLIdDDjC/93kUjMpdD/8P72bEn7454+WexU6OE6uvNiHj1fetrptr2UAuzVfnCoaV8pBqY7X95gk+lnSENdpr8ltJYMg8s0Z7Pzz0OxsZtzzDY5VmWfC9TCdJkN5lT8IbnaixsYlWdjQl1lMmZGElmelfU3K7YQLAbZiHmHKe4hTl9ZoCcWdTQ3d4y2t1DBos+N2HZNdtFCyOS8esDdMw==", + "ssh-rsa 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", +] + +[metadata.users.kunsi] +groups = ["wheel"] From 563735d31a8f2fcf71630ddd99c17bc4f00deaaa Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 10 Sep 2023 09:48:20 +0200 Subject: [PATCH 341/996] add new status page to icinga --- PORT_MAP.md | 1 + .../files/icinga2-statuspage.service | 16 ++++++ bundles/icinga2-statuspage/items.py | 34 ++++++++++++ bundles/icinga2-statuspage/metadata.py | 47 +++++++++++++++++ nodes/icinga2.toml | 52 ++++--------------- 5 files changed, 107 insertions(+), 43 deletions(-) create mode 100644 bundles/icinga2-statuspage/files/icinga2-statuspage.service create mode 100644 bundles/icinga2-statuspage/items.py create mode 100644 bundles/icinga2-statuspage/metadata.py diff --git a/PORT_MAP.md b/PORT_MAP.md index fd5c46b..109c03e 100644 --- a/PORT_MAP.md +++ b/PORT_MAP.md 
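Review bot: The `50_aurto_passwordless` rule `%wheel ALL=(ALL) NOPASSWD:SETENV: /usr/bin/makechrootpkg` is carried over unchanged, and `SETENV` combined with `NOPASSWD` lets every key listed under `metadata.users.aurto` hand an arbitrary environment to a root process without authenticating, which the sudoers manual reserves for trusted users only; if makechrootpkg needs particular variables, `Defaults!/usr/bin/makechrootpkg env_keep += "VAR_NAME"` (VAR_NAME being a placeholder) keeps the rule password-less without opening the whole environment. The `ssh_pubkey` list has also lost the per-key owner comments the deleted nodes/aurto.py carried (`# e1mo`, `# f2k1de`, …), which makes revoking a single key harder — a trailing `# owner` comment per entry preserves that information.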
@@ -47,6 +47,7 @@ Rule of thumb: keep ports below 10000 free for stuff that reserves ports. | 22080 | netbox | gunicorn | | 22090 | jugendhackt_tools | gunicorn | | 22100 | powerdnsadmin | gunicorn | +| 22110 | icinga2-statuspage | gunicorn | | 22999 | nginx | stub_status | | 22100 | ntfy | http | diff --git a/bundles/icinga2-statuspage/files/icinga2-statuspage.service b/bundles/icinga2-statuspage/files/icinga2-statuspage.service new file mode 100644 index 0000000..8a8e4a2 --- /dev/null +++ b/bundles/icinga2-statuspage/files/icinga2-statuspage.service @@ -0,0 +1,16 @@ +[Unit] +Description=icinga2-statuspage +After=network.target +Requires=postgresql.service + +[Service] +User=www-data +Group=www-data +Environment=APP_CONFIG=/opt/icinga2-statuspage/config.json +WorkingDirectory=/opt/icinga2-statuspage/src +ExecStart=/usr/bin/gunicorn statuspage:app --workers 4 --max-requests 1200 --max-requests-jitter 50 --log-level=info --bind=127.0.0.1:22110 +Restart=always +RestartSec=10 + +[Install] +WantedBy=multi-user.target diff --git a/bundles/icinga2-statuspage/items.py b/bundles/icinga2-statuspage/items.py new file mode 100644 index 0000000..fb3c413 --- /dev/null +++ b/bundles/icinga2-statuspage/items.py 
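Review bot: The new unit runs gunicorn as `www-data` with none of the sandboxing directives that bundles/hedgedoc/files/hedgedoc.service in this same series already uses (`ProtectSystem=strict`, `ProtectHome=true`, `PrivateTmp=true`, `SystemCallArchitectures=native`), so a compromise of the Flask app yields an unconfined `www-data` process. Adding the same block plus `NoNewPrivileges=true` to `[Service]` is a cheap consistency win; `ReadWritePaths=` is only needed for whatever the app writes, which this page does not show.
```ini
[Service]
# … unchanged: User, Group, Environment, WorkingDirectory, ExecStart, Restart, RestartSec …
NoNewPrivileges=true
ProtectSystem=strict
ProtectHome=true
PrivateTmp=true
SystemCallArchitectures=native
```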
@@ -0,0 +1,34 @@ +directories['/opt/icinga2-statuspage/src'] = {} + +git_deploy['/opt/icinga2-statuspage/src'] = { + 'repo': 'https://git.franzi.business/kunsi/icinga-dynamic-statuspage.git', + 'rev': 'main', + 'triggers': { + 'svc_systemd:icinga2-statuspage:restart', + }, +} + +files['/opt/icinga2-statuspage/config.json'] = { + 'content': repo.libs.faults.dict_as_json(node.metadata.get('icinga2-statuspage')), + 'triggers': { + 'svc_systemd:icinga2-statuspage:restart', + }, +} + +files['/usr/local/lib/systemd/system/icinga2-statuspage.service'] = { + 'triggers': { + 'action:systemd-reload', + 'svc_systemd:icinga2-statuspage:restart', + }, +} + + +svc_systemd['icinga2-statuspage'] = { + 'needs': { + 'file:/opt/icinga2-statuspage/config.json', + 'git_deploy:/opt/icinga2-statuspage/src', + 'pkg_apt:gunicorn', + 'pkg_apt:python3-flask', + 'pkg_apt:python3-psycopg2', + }, +} diff --git a/bundles/icinga2-statuspage/metadata.py b/bundles/icinga2-statuspage/metadata.py new file mode 100644 index 0000000..ffe5dcf --- /dev/null +++ b/bundles/icinga2-statuspage/metadata.py @@ -0,0 +1,47 @@ +defaults = { + 'apt': { + 'packages': { + 'gunicorn': {}, + 'python3-flask': {}, + 'python3-psycopg2': {}, + }, + }, +} + + +@metadata_reactor.provides( + 'icinga2-statuspage', +) +def import_db_settings_from_icinga(metadata): + return { + 'icinga2-statuspage': { + 'DB_USER': 'icinga2', + 'DB_PASS': metadata.get('postgresql/roles/icinga2/password'), + 'DB_NAME': 'icinga2', + }, + } + + +@metadata_reactor.provides( + 'nginx/vhosts/icinga2-statuspage', +) +def nginx(metadata): + if not node.has_bundle('nginx'): + raise DoNotRunAgain + + return { + 'nginx': { + 'vhosts': { + 'icinga2-statuspage': { + 'domain': metadata.get('icinga2-statuspage/DOMAIN'), + 'locations': { + '/': { + 'target': 'http://127.0.0.1:22110', + }, + }, + 'website_check_path': '/', + 'website_check_string': 'status page', + }, + }, + }, + } 
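Review bot: `files['/opt/icinga2-statuspage/config.json']` serialises the whole `icinga2-statuspage` metadata dict, which the sibling metadata.py fills with `DB_PASS`, but sets no `owner`, `group` or `mode`, so the file gets the bundle's defaults — presumably root-owned and world-readable — while the service reads it as `www-data`. Setting `'owner': 'root', 'group': 'www-data', 'mode': '0640',` on that item limits the database password to the service account.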
diff --git a/nodes/icinga2.toml b/nodes/icinga2.toml index 4bc530e..d9b24b2 100644 --- a/nodes/icinga2.toml +++ b/nodes/icinga2.toml @@ -2,6 +2,7 @@ hostname = "217.160.71.39" bundles = [ "bird", "icinga2", + "icinga2-statuspage", "php", "postgresql", # 'simple-icinga-dashboard', @@ -15,6 +16,7 @@ groups = [ [metadata] location = "ionos" +icinga_options.pretty_name = "icinga.franzi.business" [metadata.interfaces.ens192] ips = [ @@ -49,53 +51,17 @@ permissions = [ "objects/query/Service", ] -# 'icinga2_api': { -# 'custom': { -# # redundant monitoring of services/hosts -# 'services': { -# 'flauschekatze.space CERTIFICATE': { -# 'check_command': 'check_https_cert_at_url', -# 'vars.domain': 'flauschekatze.space', -# }, -# 'matrix.flauschekatze.space CERTIFICATE': { -# 'check_command': 'check_https_cert_at_url', -# 'vars.domain': 'matrix.flauschekatze.space', -# }, -# }, -# }, -# }, -# 'nginx': { -# 'vhosts': { -# 'statuspage': { -# 'domain': 'status.franzi.business', -# 'ssl': '_.franzi.business', -# 'webroot': '/opt/simple-icinga-dashboard/out', -# }, -# }, -# }, +[metadata.icinga2-statuspage] +DOMAIN = "status.franzi.business" +SERVICEGROUP_ID = 80 + +[metadata.icinga2-statuspage.NAME_REPLACEMENTS] +" PROCESS$" = " SERVICE" +".+ VHOST (.+) CONTENT" = "WEB ACCESS \\1" [metadata.postgresql] version = 15 -# 'simple-icinga-dashboard': { -# 'icinga2_api': { -# 'baseurl': 'https://127.0.0.1:5665', -# 'username': 'dashboard', -# 'password': vault.password_for('ovh.icinga2 icinga2 api_user dashboard'), -# }, -# 'filters': { -# 'services': '"statuspage" in service.groups', -# }, -# 'output': { -# 'page_title': 'franzi.business Service Status', -# }, -# 'prettify': { -# 'CONTENT': '', -# 'NGINX': 'WEBSERVER', -# 'PROCESS': 'SERVICE', -# }, -# }, - [metadata.wireguard.peers.'home.router'] snat_to = "172.19.136.4" From 5b1d814d40165a1b7b88c6169dbb85a58bea11ac Mon Sep 17 00:00:00 2001 
From: Franziska Kunsmann Date: Sun, 10 Sep 2023 21:15:31 +0200 Subject: [PATCH 342/996] bundles/icinga2: more timeout for check_spam_blocklist --- bundles/icinga2/files/check_spam_blocklist | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/bundles/icinga2/files/check_spam_blocklist b/bundles/icinga2/files/check_spam_blocklist index 2986d66..dba6744 100644 --- a/bundles/icinga2/files/check_spam_blocklist +++ b/bundles/icinga2/files/check_spam_blocklist @@ -45,7 +45,7 @@ def check_list(ip_list, blocklist, warn_ips): result = check_output([ 'dig', '+tries=2', - '+time=5', + '+time=10', '+short', dns_name ]).decode().splitlines() From e70a86a6c15c574f481d535ba079089c0f45e6b6 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 10 Sep 2023 21:16:02 +0200 Subject: [PATCH 343/996] htz-cloud.aurto: remove no longer needed keys --- nodes/htz-cloud.aurto.toml | 10 ++-------- 1 file changed, 2 insertions(+), 8 deletions(-) diff --git a/nodes/htz-cloud.aurto.toml b/nodes/htz-cloud.aurto.toml index ffa68d1..16fbf9a 100644 --- a/nodes/htz-cloud.aurto.toml +++ b/nodes/htz-cloud.aurto.toml 
@@ -51,14 +51,8 @@ is_enabled = true [metadata.users.aurto] groups = ["wheel"] ssh_pubkey = [ - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBfbb4m4o89EumFjE8ichX03CC/mWry0JYaz91HKVJPb", - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICYst1HK+gJYhNxzqJGnz4iB73pa89Xz2yH+8wufOcsA", - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID9x/kL2fFqQSEyFvdEgiM2UKYAZyV1oct9alS6mweVa", - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEcOPtW5FWNIdlMQFoqeyA1vHw+cA8ft8oXSbXPzQNL9", - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGrvhqC/tZzpLMs/qy+1xNSVi2mfn8LXPIEhh7dcGn9e", - "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDH5+j2vDW1FHSSEEI/Sf5qiKJq1uoxGO5BPv84mqohvol7GxDFObv69tn7g6HYfZY/SaS75C4ZXy+cKa0xy8UCpF0SBa2xHASkenS9v55oweDL4rYSPARzn2XKt3RFJG/d8V5NOWtcyq5DFSzewUF35E4hx1pUc/CIxgJEem5ZvzvN0hlIKXUN2djkVUx+mz6RryBysLTJEFBamjJxIkvDG/PZU73W4SHaKAYV4Ojz2NY7T5/NYKePfIU5F9pkE3RU0LRj58usvA1eP0PvEArWlGNCd8EJU+HQ5xr2dZ6MKPpEyG0KJkC88DuapeF5RwUV53ZhNpF+QgzpI72fH5up", - "ssh-rsa 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", - "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC8xqVakxJ+AwcIrS/wyL03N++pE09epwMFlIMXWvlpwwEp1J/0H7nygwxk/9LIZdabs/ETWn0s8oHAkc7YR1c6ajSTCDiZEYATAWt7t8t4Gw/80c8u8T50lIqmiDEEVbOVv3Vta/pAN4hAUp9U5DpYCkQbvF+NKKcK3Yp8d9usNC6ohqgTK+IGAEdMhvpbbNppDMXoWHuynBzUX7TS6ST6yEr0tD+CBbCpbfcMuwTI3lNtfywEVpuFaeHqDZx2QDrEX4bg0dRKgQstbXYdqmBfnOiBpUr8Wyl8U1J24rN+E07pBw/8KDGWbVg19/Ex8o4ht/p5voUfKVjD/DwWXTLntBirjfAgQAm4GH/qP4x3zNiTtlYlQFbXSk6VEVrTrxCB5rTWvGnhg31tk5P3YwvagDmGABazY5s/8tlttSc1yWBctWQJCjxSqcCLekxG4D1rVuGKCKOZgflQ9QFdQlKycInPBek3zi0i3GYkE1YnNFye5ggOnxT8qGuKjfdtZI9qvMJQO8lbEDzbYQvNns1V/k4ZobiihYwrG5TJUzZFEpMYetDK6tI8BRU11d+ja0jWzguj5/7wc0nrr/BiZ8FkAr2fZ60j2aI5kG0s3qjbrQbB/RXaGP9hRU0+480+IokNJJIcjv5iwH5ophdrjC8GH4So2kPPt0NXob1yNysdjw==", + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICYst1HK+gJYhNxzqJGnz4iB73pa89Xz2yH+8wufOcsA", # kunsi work + "ssh-rsa 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", # kunsi privat ] [metadata.users.kunsi] From 234e81431d12d3b4afc78579c9ff24c626d4f621 Mon Sep 17 00:00:00 2001 
From: Franziska Kunsmann Date: Sun, 10 Sep 2023 21:19:23 +0200 Subject: [PATCH 344/996] bundles/wireguard: easier snat setup --- bundles/wireguard/metadata.py | 16 +++++++++++----- nodes/home/router.py | 2 +- nodes/htz-cloud/wireguard.py | 12 +++--------- nodes/icinga2.toml | 12 +++--------- 4 files changed, 18 insertions(+), 24 deletions(-) diff --git a/bundles/wireguard/metadata.py b/bundles/wireguard/metadata.py index c9fd288..0823dbf 100644 --- a/bundles/wireguard/metadata.py +++ b/bundles/wireguard/metadata.py @@ -197,15 +197,19 @@ def firewall(metadata): ) def interface_ips(metadata): interfaces = {} + snat_ip = metadata.get('wireguard/snat_ip', None) + for peer, config in sorted(metadata.get('wireguard/peers', {}).items()): if '/' in config['my_ip']: my_ip = config['my_ip'] else: my_ip = '{}/31'.format(config['my_ip']) + + ips = {my_ip} + if snat_ip: + ips.add(snat_ip) interfaces[f'wg_{config["iface"]}'] = { - 'ips': { - my_ip, - }, + 'ips': ips, } return { 'interfaces': interfaces, @@ -219,16 +223,18 @@ def snat(metadata): if not node.has_bundle('nftables') or node.os == 'arch': raise DoNotRunAgain + snat_ip = metadata.get('wireguard/snat_ip', None) + rules = set() for peer, config in sorted(metadata.get('wireguard/peers', {}).items()): rules.add(f'inet filter forward iifname wg_{config["iface"]} accept') rules.add(f'inet filter forward oifname wg_{config["iface"]} accept') - if 'snat_to' in config: + if snat_ip: rules.add('nat postrouting ip saddr {} ip daddr != {} snat to {}'.format( config['my_ip'], config['their_ip'], - config['snat_to'], + snat_ip, )) return { diff --git a/nodes/home/router.py b/nodes/home/router.py index 58f58c7..b61fe14 100644 --- a/nodes/home/router.py +++ b/nodes/home/router.py 
@@ -165,10 +165,10 @@ nodes['home.router'] = { }, 'wireguard': { 'external_hostname': 'franzi-home.kunbox.net', # Set via DynDNS + 'snat_ip': '172.19.138.1', 'peers': { 'ovh.wireguard': { 'health_check': True, - 'snat_to': '172.19.138.1', }, 'icinga2': {}, }, diff --git a/nodes/htz-cloud/wireguard.py b/nodes/htz-cloud/wireguard.py index d7c9a89..ea1086c 100644 --- a/nodes/htz-cloud/wireguard.py +++ b/nodes/htz-cloud/wireguard.py @@ -50,16 +50,10 @@ nodes['htz-cloud.wireguard'] = { 'ram': 2, }, 'wireguard': { + 'snat_ip': '172.19.137.2', 'peers': { - 'ovh.wireguard': { - 'snat_to': '172.19.137.2', - }, - 'icinga2': { - 'snat_to': '172.19.137.2', - }, - }, - 'subnets': { - '172.19.137.0/24', + 'ovh.wireguard': {}, + 'icinga2': {}, }, }, }, diff --git a/nodes/icinga2.toml b/nodes/icinga2.toml index d9b24b2..1c85347 100644 --- a/nodes/icinga2.toml +++ b/nodes/icinga2.toml @@ -26,12 +26,6 @@ ips = [ gateway4 = "10.255.255.1" gateway6 = "fe80::1" -[metadata.interfaces.wg_home_router] -ips = ["172.19.136.4"] - -[metadata.interfaces.wg_htz-cloud_wi] -ips = ["172.19.136.4"] - [metadata.bird] static_routes = ["172.19.136.4/32"] @@ -62,11 +56,11 @@ SERVICEGROUP_ID = 80 [metadata.postgresql] version = 15 -[metadata.wireguard.peers.'home.router'] -snat_to = "172.19.136.4" +[metadata.wireguard] +snat_ip = "172.19.136.4" +[metadata.wireguard.peers.'home.router'] [metadata.wireguard.peers.'htz-cloud.wireguard'] -snat_to = "172.19.136.4" [metadata.vm] cpu = 2 From aaf67f1a3d051283cc95342bdb1816d073959c67 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 10 Sep 2023 22:00:19 +0200 Subject: [PATCH 345/996] bundles/apt: bookworm has their own firmware repo --- bundles/apt/files/sources.list-debian-bookworm | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/bundles/apt/files/sources.list-debian-bookworm b/bundles/apt/files/sources.list-debian-bookworm index 8c19914..852554d 100644 --- a/bundles/apt/files/sources.list-debian-bookworm 
+++ b/bundles/apt/files/sources.list-debian-bookworm @@ -1,3 +1,3 @@ -deb http://deb.debian.org/debian/ bookworm main non-free contrib +deb http://deb.debian.org/debian/ bookworm main non-free contrib non-free-firmware deb http://security.debian.org/debian-security bookworm-security main contrib non-free deb http://deb.debian.org/debian/ bookworm-updates main contrib non-free From 9bde0d9410722329debe8cf0ffcb292fbfc4ec96 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 10 Sep 2023 22:02:14 +0200 Subject: [PATCH 346/996] home.router: upgrade to bookworm and switch to kea-dhcp-server --- bundles/kea-dhcp-server/items.py | 16 +++++++++++++--- nodes/home/router.py | 18 +++++++----------- 2 files changed, 20 insertions(+), 14 deletions(-) diff --git a/bundles/kea-dhcp-server/items.py b/bundles/kea-dhcp-server/items.py index 921bf78..9171d0b 100644 --- a/bundles/kea-dhcp-server/items.py +++ b/bundles/kea-dhcp-server/items.py @@ -5,8 +5,6 @@ kea_config = { 'interfaces': sorted(node.metadata.get('kea-dhcp-server/subnets', {}).keys()), }, 'subnet4': [], - }, - 'Server': { 'loggers': [{ 'name': 'kea-dhcp4', 'output_options': [{ @@ -39,4 +37,16 @@ for iface, config in sorted(node.metadata.get('kea-dhcp-server/subnets', {}).ite ] }) -# TODO deploy config +files['/etc/kea/kea-dhcp4.conf'] = { + 'content': repo.libs.faults.dict_as_json(kea_config), + 'triggers': { + 'svc_systemd:kea-dhcp4-server:restart', + }, +} + +svc_systemd['kea-dhcp4-server'] = { + 'needs': { + 'file:/etc/kea/kea-dhcp4.conf', + 'pkg_apt:kea-dhcp4-server', + }, +} diff --git a/nodes/home/router.py b/nodes/home/router.py index b61fe14..747935b 100644 --- a/nodes/home/router.py +++ b/nodes/home/router.py @@ -2,7 +2,7 @@ nodes['home.router'] = { 'hostname': '172.19.138.1', 'bundles': { 'bird', - 'dhcpd', + 'kea-dhcp-server', 'nginx', 'pppd', 'radvd', @@ -12,7 +12,7 @@ nodes['home.router'] = { 'wireguard', }, 'groups': { - 'debian-bullseye', + 'debian-bookworm', }, 'metadata': { 'interfaces': { 
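Review bot: Only the plain `bookworm` line gains `non-free-firmware`; the `bookworm-security` and `bookworm-updates` lines still list `main contrib non-free`, so firmware packages installed from the new component will never receive security or stable-update fixes through this sources.list. Debian publishes the component on all three suites, so the remaining two lines should become `deb http://security.debian.org/debian-security bookworm-security main contrib non-free non-free-firmware` and `deb http://deb.debian.org/debian/ bookworm-updates main contrib non-free non-free-firmware`.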
@@ -45,30 +45,26 @@ nodes['home.router'] = { 'restart_pppd': '23 2 * * * root systemctl restart pppoe && date -u +\%s > /var/tmp/pppd-last-restart.status', }, }, - 'dhcpd': { + 'kea-dhcp-server': { 'subnets': { 'enp1s0.1138': { - 'range_lower': '172.19.138.100', - 'range_higher': '172.19.138.250', + 'lower': '172.19.138.100', + 'higher': '172.19.138.250', 'subnet': '172.19.138.0/24', 'options': { - 'broadcast-address': '172.19.138.255', 'domain-name': 'franzi-home.kunbox.net', 'domain-name-servers': '172.19.138.1', 'domain-search': 'home.kunbox.net', 'routers': '172.19.138.1', - 'subnet-mask': '255.255.255.0', }, }, 'enp1s0.1139': { - 'range_lower': '172.19.139.200', - 'range_higher': '172.19.139.250', + 'lower': '172.19.139.200', + 'higher': '172.19.139.250', 'subnet': '172.19.139.0/24', 'options': { - 'broadcast-address': '172.19.139.255', 'domain-name-servers': '172.19.139.1', 'routers': '172.19.139.1', - 'subnet-mask': '255.255.255.0', }, }, }, From 15eaa94397b8e3c041aa812cbbb229ab7b79d4c3 Mon Sep 17 00:00:00 2001 From: Sophie Schiller Date: Tue, 12 Sep 2023 20:05:43 +0200 Subject: [PATCH 347/996] miniserter: element-web update --- nodes/htz-cloud/miniserver.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nodes/htz-cloud/miniserver.py b/nodes/htz-cloud/miniserver.py index 551ddf7..c066315 100644 --- a/nodes/htz-cloud/miniserver.py +++ b/nodes/htz-cloud/miniserver.py @@ -61,7 +61,7 @@ nodes['htz-cloud.miniserver'] = { }, 'element-web': { 'url': 'chat.sophies-kitchen.eu', - 'version': 'v1.11.40', + 'version': 'v1.11.41', 'config': { 'default_server_config': { 'm.homeserver': { From 4f260932c375ac478760cf70a8eabefec70d1148 Mon Sep 17 00:00:00 2001 
From: Franziska Kunsmann Date: Mon, 11 Sep 2023 09:09:09 +0200 Subject: [PATCH 348/996] bundles/wireguard: health checks for everyone --- bundles/wireguard/items.py | 22 +++++++--------------- bundles/wireguard/metadata.py | 34 ++++++++++++++++++++++++++++++++++ nodes/fkusei-locutus.py | 3 ++- nodes/home/router.py | 4 +--- nodes/ovh/wireguard.py | 4 +--- 5 files changed, 45 insertions(+), 22 deletions(-) diff --git a/bundles/wireguard/items.py b/bundles/wireguard/items.py index e9f1d71..5bbd7d3 100644 --- a/bundles/wireguard/items.py +++ b/bundles/wireguard/items.py @@ -13,7 +13,6 @@ deps = set() if node.has_bundle('apt'): deps.add('pkg_apt:wireguard') -health_checks = {} for peer, config in sorted(node.metadata.get('wireguard/peers', {}).items()): files[f'/etc/systemd/network/wg_{config["iface"]}.netdev'] = { 'content_type': 'mako', @@ -35,20 +34,13 @@ for peer, config in sorted(node.metadata.get('wireguard/peers', {}).items()): }, } - if config.get('health_check', False): - health_checks[peer] = config['their_ip'] - -if health_checks: - files['/usr/local/bin/wg_health_check'] = { - 'content_type': 'mako', - 'context': { - 'peers': health_checks, - }, - 'mode': '0755', - } - files['/etc/cron.d/wg_health_check'] = { - 'content': '* * * * * root /usr/local/bin/wg_health_check | logger -t wg_health_check\n', - } +files['/usr/local/bin/wg_health_check'] = { + 'content_type': 'mako', + 'context': { + 'peers': node.metadata.get('wireguard/health_checks'), + }, + 'mode': '0755', +} if node.has_bundle('pppd'): files['/etc/ppp/ip-up.d/reconnect-wireguard'] = { diff --git a/bundles/wireguard/metadata.py b/bundles/wireguard/metadata.py index 0823dbf..8bc3ddd 100644 --- a/bundles/wireguard/metadata.py +++ b/bundles/wireguard/metadata.py 
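Review bot: `files['/usr/local/bin/wg_health_check']` is now created unconditionally and reads `node.metadata.get('wireguard/health_checks')` with no default, but the `health_checks` reactor added later in this patch returns `{}` when no peer qualifies, so a node whose peers all lack an `endpoint` (or are excluded) will presumably fail on the missing key instead of just having no checks as before; `node.metadata.get('wireguard/health_checks', {})` preserves the old no-checks case. The removed `/etc/cron.d/wg_health_check` is also never cleaned up, so on already-provisioned hosts the old cron job keeps running alongside the new systemd timer until someone deletes it by hand — add `files['/etc/cron.d/wg_health_check'] = {'delete': True}` next to the script item. The surrounding `for peer, config` loop starts before this hunk.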
@@ -244,3 +244,37 @@ def snat(metadata): }, }, } + + +@metadata_reactor.provides( + 'wireguard/health_checks', + 'systemd-timers/timers/wg-health-check', +) +def health_checks(metadata): + checks = {} + + for peer, config in metadata.get('wireguard/peers', {}).items(): + if ( + config.get('exclude_from_monitoring', False) + or 'endpoint' not in config + ): + continue + + checks[peer] = config['their_ip'] + + if not checks: + return {} + + return { + 'systemd-timers': { + 'timers': { + 'wg-health-check': { + 'command': '/usr/local/bin/wg_health_check', + 'when': 'minutely', + }, + }, + }, + 'wireguard': { + 'health_checks': checks, + }, + } diff --git a/nodes/fkusei-locutus.py b/nodes/fkusei-locutus.py index 397e851..b7f9215 100644 --- a/nodes/fkusei-locutus.py +++ b/nodes/fkusei-locutus.py @@ -134,11 +134,12 @@ nodes['fkusei-locutus'] = { 'privatekey': vault.decrypt('smedia$NotViaThisRepository'), 'peers': { 'smedia': { + 'endpoint': '185.122.180.82:51820', 'my_ip': '10.200.128.2/20', 'my_port': 51820, - 'endpoint': '185.122.180.82:51820', 'psk': vault.decrypt('smedia$NotViaThisRepository'), 'pubkey': vault.decrypt('smedia$NotViaThisRepository'), + 'their_ip': '10.200.128.1', }, }, }, diff --git a/nodes/home/router.py b/nodes/home/router.py index 747935b..1806918 100644 --- a/nodes/home/router.py +++ b/nodes/home/router.py @@ -163,9 +163,7 @@ nodes['home.router'] = { 'external_hostname': 'franzi-home.kunbox.net', # Set via DynDNS 'snat_ip': '172.19.138.1', 'peers': { - 'ovh.wireguard': { - 'health_check': True, - }, + 'ovh.wireguard': {}, 'icinga2': {}, }, }, diff --git a/nodes/ovh/wireguard.py b/nodes/ovh/wireguard.py index 334e1b3..c3405e9 100644 --- a/nodes/ovh/wireguard.py +++ b/nodes/ovh/wireguard.py @@ -35,9 +35,7 @@ nodes['ovh.wireguard'] = { 'wireguard': { 'peers': { 'ovh.icinga2': {}, - 'home.router': { - 'health_check': True, - }, + 'home.router': {}, 'htz-cloud.wireguard': {}, 'kunsi-oneplus3': { 'their_ip': '172.19.136.65', 
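Review bot: `health_checks` indexes `config['their_ip']` for every peer that has an `endpoint` and is not excluded, so a single peer defined without `their_ip` aborts the whole reactor; the nodes/fkusei-locutus.py hunk in this same patch adds exactly that key, which suggests the gap is real rather than theoretical. Either skip such peers explicitly with `if 'their_ip' not in config: continue` (or raise a clearer error naming the peer) and state the selection rule in a docstring: `"""Health-check every peer we dial (has 'endpoint') unless exclude_from_monitoring is set; requires 'their_ip'."""`. Note also that the empty-result branch returns `{}` rather than `{'wireguard': {'health_checks': {}}}`, so consumers cannot rely on the key being present.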
From 40a283d5c9c468b3184db8d71946d5913f732dd6 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Tue, 12 Sep 2023 20:15:33 +0200 Subject: [PATCH 349/996] update element-web to 1.11.41 --- nodes/carlene.toml | 2 +- nodes/htz-cloud.afra.toml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/nodes/carlene.toml b/nodes/carlene.toml index 0501f3b..0baea6f 100644 --- a/nodes/carlene.toml +++ b/nodes/carlene.toml @@ -39,7 +39,7 @@ imap_pass = "!bwpass_attr:t-online.de/franzi.kunsmann@t-online.de:imap" [metadata.element-web] url = "chat.franzi.business" -version = "v1.11.40" +version = "v1.11.41" [metadata.element-web.config] default_server_config.'m.homeserver'.base_url = "https://matrix.franzi.business" default_server_config.'m.homeserver'.server_name = "franzi.business" diff --git a/nodes/htz-cloud.afra.toml b/nodes/htz-cloud.afra.toml index 65f9b5d..f8c01a9 100644 --- a/nodes/htz-cloud.afra.toml +++ b/nodes/htz-cloud.afra.toml @@ -32,7 +32,7 @@ routes.'172.19.136.0/22'.via = "172.19.137.1" [metadata.element-web] url = "element.afra.berlin" -version = "v1.11.40" +version = "v1.11.41" [metadata.element-web.config] default_server_config.'m.homeserver'.base_url = "https://matrix.afra.berlin" From d4f7f1b08db6a0eafb232fea4f84c3ac92b6fb22 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Wed, 13 Sep 2023 16:03:06 +0200 Subject: [PATCH 350/996] update element-web to 1.11.42 --- nodes/carlene.toml | 2 +- nodes/htz-cloud.afra.toml | 2 +- nodes/htz-cloud/miniserver.py | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/nodes/carlene.toml b/nodes/carlene.toml index 0baea6f..bd42673 100644 --- a/nodes/carlene.toml +++ b/nodes/carlene.toml 
@@ -39,7 +39,7 @@ imap_pass = "!bwpass_attr:t-online.de/franzi.kunsmann@t-online.de:imap" [metadata.element-web] url = "chat.franzi.business" -version = "v1.11.41" +version = "v1.11.42" [metadata.element-web.config] default_server_config.'m.homeserver'.base_url = "https://matrix.franzi.business" default_server_config.'m.homeserver'.server_name = "franzi.business" diff --git a/nodes/htz-cloud.afra.toml b/nodes/htz-cloud.afra.toml index f8c01a9..d434851 100644 --- a/nodes/htz-cloud.afra.toml +++ b/nodes/htz-cloud.afra.toml @@ -32,7 +32,7 @@ routes.'172.19.136.0/22'.via = "172.19.137.1" [metadata.element-web] url = "element.afra.berlin" -version = "v1.11.41" +version = "v1.11.42" [metadata.element-web.config] default_server_config.'m.homeserver'.base_url = "https://matrix.afra.berlin" diff --git a/nodes/htz-cloud/miniserver.py b/nodes/htz-cloud/miniserver.py index c066315..1ba53b1 100644 --- a/nodes/htz-cloud/miniserver.py +++ b/nodes/htz-cloud/miniserver.py @@ -61,7 +61,7 @@ nodes['htz-cloud.miniserver'] = { }, 'element-web': { 'url': 'chat.sophies-kitchen.eu', - 'version': 'v1.11.41', + 'version': 'v1.11.42', 'config': { 'default_server_config': { 'm.homeserver': { From 049cc899bebc576384c7443e969fe53755a4ec54 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Wed, 13 Sep 2023 17:06:27 +0200 Subject: [PATCH 351/996] update travelynx to 2.2.1 --- nodes/carlene.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nodes/carlene.toml b/nodes/carlene.toml index bd42673..c09961a 100644 --- a/nodes/carlene.toml +++ b/nodes/carlene.toml @@ -244,7 +244,7 @@ disks = [ ] [metadata.travelynx] -version = "2.2.0" +version = "2.2.1" mail_from = "travelynx@franzi.business" domain = "travelynx.franzi.business" # the old one from rx300, XXX remove 2024-01-01 From 32141b6e98818a1b7ddcb1d8197062114b21048b Mon Sep 17 00:00:00 2001 
From: Franziska Kunsmann Date: Sat, 16 Sep 2023 13:07:50 +0200 Subject: [PATCH 352/996] update element-web and matrix-media-repo --- nodes/carlene.toml | 6 +++--- nodes/htz-cloud.afra.toml | 6 +++--- nodes/htz-cloud/miniserver.py | 6 +++--- 3 files changed, 9 insertions(+), 9 deletions(-) diff --git a/nodes/carlene.toml b/nodes/carlene.toml index c09961a..d7f59f4 100644 --- a/nodes/carlene.toml +++ b/nodes/carlene.toml @@ -39,7 +39,7 @@ imap_pass = "!bwpass_attr:t-online.de/franzi.kunsmann@t-online.de:imap" [metadata.element-web] url = "chat.franzi.business" -version = "v1.11.42" +version = "v1.11.43" [metadata.element-web.config] default_server_config.'m.homeserver'.base_url = "https://matrix.franzi.business" default_server_config.'m.homeserver'.server_name = "franzi.business" @@ -69,9 +69,9 @@ gateway6 = "2a0a:51c0:0:225::1" [metadata.matrix-media-repo] admins = ["@kunsi:franzi.business"] datastore_id = "3fff5da324ed784c771d638bb6be5917" -sha1 = "0f9e686f9538baa059eba91e56b320e38ae6125b" +sha1 = "7a9976b09f6835171c610624f51b3cbf429bc0cf" upload_max_mb = 500 -version = "v1.3.1" +version = "v1.3.2" [metadata.matrix-media-repo.homeservers.'franzi.business'] api = "synapse" domain = "http://[::1]:20080/" diff --git a/nodes/htz-cloud.afra.toml b/nodes/htz-cloud.afra.toml index d434851..e0ce906 100644 --- a/nodes/htz-cloud.afra.toml +++ b/nodes/htz-cloud.afra.toml @@ -32,7 +32,7 @@ routes.'172.19.136.0/22'.via = "172.19.137.1" [metadata.element-web] url = "element.afra.berlin" -version = "v1.11.42" +version = "v1.11.43" [metadata.element-web.config] default_server_config.'m.homeserver'.base_url = "https://matrix.afra.berlin" 
@@ -44,9 +44,9 @@ jitsi.preferredDomain = "meet.ffmuc.net" [metadata.matrix-media-repo] admins = ['@administress:afra.berlin'] datastore_id = "e33b50474021fba9977f912414cdd7fe8890ed57" -sha1 = "0f9e686f9538baa059eba91e56b320e38ae6125b" +sha1 = "7a9976b09f6835171c610624f51b3cbf429bc0cf" upload_max_mb = 50 -version = "v1.3.1" +version = "v1.3.2" [metadata.matrix-media-repo.homeservers.'afra.berlin'] domain = "http://[::1]:20080/" diff --git a/nodes/htz-cloud/miniserver.py b/nodes/htz-cloud/miniserver.py index 1ba53b1..00f15e3 100644 --- a/nodes/htz-cloud/miniserver.py +++ b/nodes/htz-cloud/miniserver.py @@ -61,7 +61,7 @@ nodes['htz-cloud.miniserver'] = { }, 'element-web': { 'url': 'chat.sophies-kitchen.eu', - 'version': 'v1.11.42', + 'version': 'v1.11.43', 'config': { 'default_server_config': { 'm.homeserver': { @@ -113,9 +113,9 @@ nodes['htz-cloud.miniserver'] = { }, }, 'matrix-media-repo': { - 'version': 'v1.3.1', + 'version': 'v1.3.2', 'datastore_id': '99c09e24edc4e9be6c4c9486bc147e385bc87044', - 'sha1': '0f9e686f9538baa059eba91e56b320e38ae6125b', + 'sha1': '7a9976b09f6835171c610624f51b3cbf429bc0cf', 'homeservers': { 'sophies-kitchen.eu': { 'domain': 'http://[::1]:20080/', From 3bf0e1124e4f1e7bee8a25de71ce8e98316f473f Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 17 Sep 2023 15:44:43 +0200 Subject: [PATCH 353/996] bundles/rspamd: disable greylisting This only gets in the way. If mail is spam, it will get delivered to the junk mail folder anyways. --- bundles/rspamd/files/local.d/greylist.conf | 1 + 1 file changed, 1 insertion(+) create mode 100644 bundles/rspamd/files/local.d/greylist.conf diff --git a/bundles/rspamd/files/local.d/greylist.conf b/bundles/rspamd/files/local.d/greylist.conf new file mode 100644 index 0000000..a6ee831 --- /dev/null +++ b/bundles/rspamd/files/local.d/greylist.conf @@ -0,0 +1 @@ +enabled = false; From aab7a1abc4cd5b8eb051263b4b8793e89d57cbb9 Mon Sep 17 00:00:00 2001 
From: Franziska Kunsmann Date: Tue, 19 Sep 2023 15:04:57 +0200 Subject: [PATCH 354/996] update mautrix-whatsapp to 0.10.1 --- nodes/carlene.toml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/nodes/carlene.toml b/nodes/carlene.toml index d7f59f4..d1b5e54 100644 --- a/nodes/carlene.toml +++ b/nodes/carlene.toml @@ -108,8 +108,8 @@ provisioning.shared_secret = "!decrypt:encrypt$gAAAAABfVKflEMAi07C_QGP8cy97hF-4g "'@kunsi:franzi.business'" = "admin" [metadata.mautrix-whatsapp] -version = "v0.10.0" -sha1 = "eadcfa474c94bce51f9dfaf3d03de2311bb8d07b" +version = "v0.10.1" +sha1 = "adf5c0e58fce844049bc4e67d16942dab79ca54e" permissions."'@kunsi:franzi.business'" = "admin" [metadata.mautrix-whatsapp.homeserver] domain = "franzi.business" From b17d7bccf6147db6c916d54a1355912884bb4b46 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Tue, 19 Sep 2023 15:05:19 +0200 Subject: [PATCH 355/996] update travelynx to 2.2.2 --- nodes/carlene.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nodes/carlene.toml b/nodes/carlene.toml index d1b5e54..ca70769 100644 --- a/nodes/carlene.toml +++ b/nodes/carlene.toml @@ -244,7 +244,7 @@ disks = [ ] [metadata.travelynx] -version = "2.2.1" +version = "2.2.2" mail_from = "travelynx@franzi.business" domain = "travelynx.franzi.business" # the old one from rx300, XXX remove 2024-01-01 From 5d69595bbffc813ad9aec04cf7b5fceadb5a9ab0 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Tue, 19 Sep 2023 15:05:41 +0200 Subject: [PATCH 356/996] update pretalx to 2023.1.3 --- nodes/voc/pretalx.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nodes/voc/pretalx.py b/nodes/voc/pretalx.py index 4c877a9..e3fee52 100644 --- a/nodes/voc/pretalx.py +++ b/nodes/voc/pretalx.py @@ -49,7 +49,7 @@ nodes['voc.pretalx'] = { }, }, 'pretalx': { - 'version': 'v2023.1.0', + 'version': 'v2023.1.3', 'domain': 'pretalx.c3voc.de', 'mail_from': 'pretalx@c3voc.de', 'administrators-from-group-id': 1, 
From 8d2daeeb77fdcf1b6db26c7ef46b67cdf933e256 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Wed, 20 Sep 2023 14:43:02 +0200 Subject: [PATCH 357/996] update mautrix-telegram to 0.14.2 --- nodes/carlene.toml | 2 +- nodes/htz-cloud/miniserver.py | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/nodes/carlene.toml b/nodes/carlene.toml index ca70769..c9031d3 100644 --- a/nodes/carlene.toml +++ b/nodes/carlene.toml @@ -93,7 +93,7 @@ additional_client_config.'im.vector.riot.jitsi'.preferredDomain = "meet.ffmuc.ne wellknown_also_on_vhosts = ["franzi.business"] [metadata.mautrix-telegram] -version = "v0.14.1" +version = "v0.14.2" homeserver.domain = "franzi.business" homeserver.url = "https://matrix.franzi.business" telegram.api_id = "!decrypt:encrypt$gAAAAABfVK5SmDDru-UQxitkE5VhPArnUBhaRbAqQPvAW2Fh3fd1XDrWxa3Qn4BSnJAPNWglH5wil_SXUMcIm95FMhPe8dVeMQ==" diff --git a/nodes/htz-cloud/miniserver.py b/nodes/htz-cloud/miniserver.py index 00f15e3..c89b23a 100644 --- a/nodes/htz-cloud/miniserver.py +++ b/nodes/htz-cloud/miniserver.py @@ -136,7 +136,7 @@ nodes['htz-cloud.miniserver'] = { }, }, 'mautrix-telegram': { - 'version': 'v0.14.1', + 'version': 'v0.14.2', 'homeserver': { 'domain': 'sophies-kitchen.eu', 'url': 'https://matrix.sophies-kitchen.eu', From c6b01aa219301be125627d2fa6a7fcc51f2ee3ac Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Wed, 20 Sep 2023 14:43:25 +0200 Subject: [PATCH 358/996] update mautrix-whatsapp to 0.10.2 --- nodes/carlene.toml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/nodes/carlene.toml b/nodes/carlene.toml index c9031d3..1fbffdc 100644 --- a/nodes/carlene.toml +++ b/nodes/carlene.toml 
@@ -108,8 +108,8 @@ provisioning.shared_secret = "!decrypt:encrypt$gAAAAABfVKflEMAi07C_QGP8cy97hF-4g "'@kunsi:franzi.business'" = "admin" [metadata.mautrix-whatsapp] -version = "v0.10.1" -sha1 = "adf5c0e58fce844049bc4e67d16942dab79ca54e" +version = "v0.10.2" +sha1 = "938c970ff522e067aac0b753f5def94aacd11d81" permissions."'@kunsi:franzi.business'" = "admin" [metadata.mautrix-whatsapp.homeserver] domain = "franzi.business" From dda3c4162c192159a19b58a8e30f3602db554ff1 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Wed, 20 Sep 2023 17:38:17 +0200 Subject: [PATCH 359/996] bundles/postfix: ensure /etc/mailname exists before installing postfix --- bundles/postfix/items.py | 3 +++ 1 file changed, 3 insertions(+) diff --git a/bundles/postfix/items.py b/bundles/postfix/items.py index e66185f..43f4ae9 100644 --- a/bundles/postfix/items.py +++ b/bundles/postfix/items.py @@ -26,6 +26,9 @@ my_package = 'pkg_pacman:postfix' if node.os == 'arch' else 'pkg_apt:postfix' files = { '/etc/mailname': { 'content': node.metadata.get('postfix/myhostname', node.metadata['hostname']), + 'before': { + my_package, + }, 'triggers': { 'svc_systemd:postfix:restart', }, From a926825b4b8c34d0c1e1ea0b81795d8d84f7b603 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Wed, 20 Sep 2023 18:21:57 +0200 Subject: [PATCH 360/996] libs/defaults: quad9 is apparently half-broken, just use cloudflare instead --- libs/defaults.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libs/defaults.py b/libs/defaults.py index 25a9895..3125b48 100644 --- a/libs/defaults.py +++ b/libs/defaults.py 
@@ -5,8 +5,8 @@ influxdb_org = 'encrypt$gAAAAABgg9hyjz4XtvG8NBw9uYxiumS3v7YKIrtc9tTTABg1f9R22gzn influxdb_token = 'encrypt$gAAAAABgg9Ag632Xyuc6SWXaR1uH2tLOChmVKAoBIikhjntSSD2qJFL_eouVQGXCLH2HEuSbSdEXcTPn2qmhOiA9jmFdoDSbVbQUsp0EID1wLsWYG_Um2KOxZSF-tn9eDZlgShQYySjzO3nQRmdlJpVLUnGHsiwv_sHD2FstXGpfzTPZq5_egUqEc0K2X-aN2J6BTYc2fZAN' influxdb_url = 'https://influxdb.kunsmann.eu/' -nameservers_ipv4 = ['9.9.9.10'] -nameservers_ipv6 = ['2620:fe::10'] +nameservers_ipv4 = ['1.1.1.1', '1.0.0.1'] +nameservers_ipv6 = ['2606:4700::1111', '2606:4700:4700::1001'] nameservers = [*nameservers_ipv4, *nameservers_ipv6] # FIXME database conflicts From a61a3816eda53be2629a26b93d8da0bc3cc995b1 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Wed, 20 Sep 2023 18:34:59 +0200 Subject: [PATCH 361/996] hello, daisy! --- nodes/daisy.toml | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) create mode 100644 nodes/daisy.toml diff --git a/nodes/daisy.toml b/nodes/daisy.toml new file mode 100644 index 0000000..1a0b33e --- /dev/null +++ b/nodes/daisy.toml @@ -0,0 +1,19 @@ +hostname = "2a11:f2c0:3:4::120" +bundles = [] +groups = [ + "debian-bookworm", +] + +[metadata] +nameservers = [ + "2606:4700::1111", + "2606:4700:4700::1001", +] +backups.exclude_from_backups = true +icinga_options.period = "daytime" + +[metadata.interfaces.ens18] +ips = [ + "2a11:f2c0:3:4::120/64", +] +gateway6 = "fe80::220:91ff:fe45:e19e" From c59a3038a11fe07f1855bf2f2e83e7c22ec7d6c3 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sat, 23 Sep 2023 09:23:41 +0200 Subject: [PATCH 362/996] bundles/wide-dhcp-client: fix some bugs --- bundles/wide-dhcp6c/files/ip-down | 5 +---- bundles/wide-dhcp6c/files/ip-up | 2 +- bundles/wide-dhcp6c/items.py | 25 +++++++++++-------------- 3 files changed, 13 insertions(+), 19 deletions(-) diff --git a/bundles/wide-dhcp6c/files/ip-down b/bundles/wide-dhcp6c/files/ip-down index ec060ee..edc84de 100644 --- a/bundles/wide-dhcp6c/files/ip-down 
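Review bot: The first IPv6 resolver `2606:4700::1111` does not match Cloudflare's documented resolver address `2606:4700:4700::1111`; the second entry `2606:4700:4700::1001` uses the right prefix, so the first looks like a dropped `:4700` group rather than a deliberate choice, and nodes would silently fall back to the second resolver (or to IPv4). Change the line to `nameservers_ipv6 = ['2606:4700:4700::1111', '2606:4700:4700::1001']`. The same value is copied into nodes/daisy.toml in the following patch on this line and should be fixed there too.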
+++ b/bundles/wide-dhcp6c/files/ip-down @@ -3,8 +3,5 @@ systemctl stop wide-dhcpv6-client % for interface, subnet_id in sorted(targets.items()): -for IP in $(ip -6 addr show dev ${interface} | grep inet6 | awk '{print $2}' | grep -vF 'fe80::') -do - ip -6 addr del $IP dev ${interface} -done +ip -6 addr flush dev ${interface} scope global % endfor diff --git a/bundles/wide-dhcp6c/files/ip-up b/bundles/wide-dhcp6c/files/ip-up index d6624a8..da0ac8d 100644 --- a/bundles/wide-dhcp6c/files/ip-up +++ b/bundles/wide-dhcp6c/files/ip-up @@ -12,7 +12,7 @@ if systemctl is-active wide-dhcpv6-client; then systemctl stop wide-dhcpv6-client sleep 1 - systemctl sart wide-dhcpv6-client + systemctl start wide-dhcpv6-client else systemctl start wide-dhcpv6-client fi diff --git a/bundles/wide-dhcp6c/items.py b/bundles/wide-dhcp6c/items.py index fb04b49..53fc656 100644 --- a/bundles/wide-dhcp6c/items.py +++ b/bundles/wide-dhcp6c/items.py @@ -2,18 +2,21 @@ if node.has_bundle('pppd'): files['/etc/ppp/ip-up.d/wide-dhcp6c'] = { 'source': 'ip-up', 'content_type': 'mako', - 'context': { - 'source': node.metadata['wide-dhcp6c']['source'], - }, + 'context': node.metadata.get('wide-dhcp6c'), 'mode': '0755', + 'triggers': { + 'svc_systemd:wide-dhcpv6-client:restart', + }, } + files['/etc/ppp/ip-down.d/wide-dhcp6c'] = { 'source': 'ip-down', 'content_type': 'mako', - 'context': { - 'targets': node.metadata['wide-dhcp6c']['targets'], - }, + 'context': node.metadata.get('wide-dhcp6c'), 'mode': '0755', + 'triggers': { + 'svc_systemd:wide-dhcpv6-client:restart', + }, } # Will be started and stopped by pppd. @@ -25,11 +28,7 @@ else: files['/etc/wide-dhcpv6/dhcp6c.conf'] = { 'content_type': 'mako', - 'context': { - 'source': node.metadata['wide-dhcp6c']['source'], - 'targets': node.metadata['wide-dhcp6c']['targets'], - 'subnet_len': node.metadata['wide-dhcp6c']['subnet_len'], - }, + 'context': node.metadata.get('wide-dhcp6c'), 'triggers': { 'svc_systemd:wide-dhcpv6-client:restart', }, 
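Review bot: The ip-up/ip-down hook files under /etc/ppp now carry `'triggers': {'svc_systemd:wide-dhcpv6-client:restart'}`, yet the comment right after the hunk (`# Will be started and stopped by pppd.`) says that in the pppd case the service is driven by the PPP hooks, not by bundlewrap; a restart fired because a hook script changed could bring the client up while the PPP link is down, or run the `ip -6 addr flush` path at an unexpected time. If that is harmless here a one-line comment saying so would settle it, otherwise keep the trigger on the dhcp6c.conf and unit-file items only. The enclosing `if node.has_bundle('pppd'):` begins before the hunk.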
@@ -37,9 +36,7 @@ files['/etc/wide-dhcpv6/dhcp6c.conf'] = { files['/etc/systemd/system/wide-dhcpv6-client.service'] = { 'content_type': 'mako', - 'context': { - 'source': node.metadata['wide-dhcp6c']['source'], - }, + 'context': node.metadata.get('wide-dhcp6c'), 'triggers': { 'action:systemd-reload', 'svc_systemd:wide-dhcpv6-client:restart', From c444722291784fd859dad87fd71b6569edc60786 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sat, 23 Sep 2023 10:12:12 +0200 Subject: [PATCH 363/996] add automatix to upgrade to debian bookworm --- automatix/upgrade_debian_bookworm.yaml | 47 ++++++++++++++++++++++++++ 1 file changed, 47 insertions(+) create mode 100644 automatix/upgrade_debian_bookworm.yaml diff --git a/automatix/upgrade_debian_bookworm.yaml b/automatix/upgrade_debian_bookworm.yaml new file mode 100644 index 0000000..822597b --- /dev/null +++ b/automatix/upgrade_debian_bookworm.yaml 
@@ -0,0 +1,47 @@ +name: Upgrade to debian bullseye +systems: + node: foonode + +always: + - has_zfs=python: NODES.node.has_bundle('zfs') + - is_buster=python: NODES.node.os_version[0] <= 10 + - buster_with_zfs=python: "{has_zfs} and {is_buster}" + +pipeline: + - manual: "set icinga2 downtime: https://icinga.kunsmann.eu/monitoring/host/schedule-downtime?host={SYSTEMS.node}" + + # apply first so we only see the upgrade changes later + - local: bw apply {SYSTEMS.node} + - manual: update debian version in node groups + - is_buster?local: "bw apply -o bundle:apt -s symlink:/usr/bin/python pkg_apt: -- {SYSTEMS.node}" + + # double time! + - remote@node: DEBIAN_FRONTEND=noninteractive apt-get -y -q -o Dpkg::Options::=--force-confold dist-upgrade + - remote@node: DEBIAN_FRONTEND=noninteractive apt-get -y -q -o Dpkg::Options::=--force-confold dist-upgrade + + # reboot into bullseye + - remote@node: systemctl reboot + - local: | + exit=1 + while [[ $exit -ne 0 ]]; + do + sleep 1 + ssh {SYSTEMS.node} true + exit=$? + done + + # fix zfs and reboot again + - buster_with_zfs?remote@node: zpool import tank -f + - buster_with_zfs?remote@node: zpool upgrade -a + - buster_with_zfs?remote@node: systemctl reboot + - buster_with_zfs?local: | + exit=1 + while [[ $exit -ne 0 ]]; + do + sleep 1 + ssh {SYSTEMS.node} true + exit=$? + done + + # final apply + - local: bw apply {SYSTEMS.node} From 4a9596988d214db32bb08a4204b6e8cbc719443b Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sat, 23 Sep 2023 10:13:56 +0200 Subject: [PATCH 364/996] update forgejo to 1.20.4-1 --- nodes/carlene.toml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/nodes/carlene.toml b/nodes/carlene.toml index 1fbffdc..cc71e2d 100644 --- a/nodes/carlene.toml +++ b/nodes/carlene.toml 
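Review bot: The new file is `upgrade_debian_bookworm.yaml` but its `name:` reads `Upgrade to debian bullseye` and the comment before the first reboot says `# reboot into bullseye`, which looks like a leftover from the previous upgrade script; change them to `name: Upgrade to debian bookworm` and `# reboot into bullseye` → `# reboot into bookworm`. The `is_buster` / `buster_with_zfs` conditions test `os_version[0] <= 10`, which is never true for a bullseye (11) host being taken to bookworm, so those zfs steps are dead code here unless the script is meant to chain from buster — a comment stating the intended starting release would remove the ambiguity. The `while [[ $exit -ne 0 ]]` wait loops have no upper bound, so a host that never comes back leaves the run hanging rather than failing.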
@@ -48,8 +48,8 @@ defaultCountryCode = "DE" jitsi.preferredDomain = "meet.ffmuc.net" [metadata.forgejo] -version = "1.20.4-0" -sha1 = "20994ac3f10a7c6af11743b19bcea33107a49b35" +version = "1.20.4-1" +sha1 = "9650694ec7969643ebb4dbdf2f27462af57284e6" domain = "git.franzi.business" enable_git_hooks = true install_ssh_key = true From 667fd6a2f08df30c21467602c40da0dfea3632a0 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sat, 23 Sep 2023 10:14:11 +0200 Subject: [PATCH 365/996] update netbox to 3.6.2 --- nodes/carlene.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nodes/carlene.toml b/nodes/carlene.toml index cc71e2d..0fadfeb 100644 --- a/nodes/carlene.toml +++ b/nodes/carlene.toml @@ -120,7 +120,7 @@ domain = "rss.franzi.business" [metadata.netbox] domain = "netbox.franzi.business" -version = "v3.6.1" +version = "v3.6.2" admins.kunsi = "hostmaster@kunbox.net" [metadata.nextcloud] From 799cff884b2b959ac257e6edb029300df0fa1d87 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sat, 23 Sep 2023 15:03:01 +0200 Subject: [PATCH 366/996] remove a bunch of deprecated nodes --- nodes/fkusei-locutus.py | 184 ---------------------------------------- nodes/ovh/icinga2.py | 171 ------------------------------------- nodes/ovh/wireguard.py | 62 -------------- 3 files changed, 417 deletions(-) delete mode 100644 nodes/fkusei-locutus.py delete mode 100644 nodes/ovh/icinga2.py delete mode 100644 nodes/ovh/wireguard.py diff --git a/nodes/fkusei-locutus.py b/nodes/fkusei-locutus.py deleted file mode 100644 index b7f9215..0000000 --- a/nodes/fkusei-locutus.py +++ /dev/null 
@@ -1,184 +0,0 @@ -nodes['fkusei-locutus'] = { - 'hostname': '172.19.138.96', - 'bundles': { - 'arch-with-gui', - 'bird', - 'lldp', - 'lm-sensors', - 'nfs-client', - 'systemd-boot', - 'telegraf-battery-usage', - 'wireguard', - 'voc-tracker-worker', - 'zfs', - }, - 'groups': { - 'arch', - }, - 'metadata': { - 'arch-with-gui': { - 'autologin_as': 'fkunsmann', - }, - 'bird': { - 'bgp_neighbors': { - 'smedia': { - 'local_as': 4200128002, - 'local_ip': '10.200.128.2', - 'neighbor_as': 64900, - 'neighbor_ip': '10.200.128.1', - }, - }, - }, - 'firewall': { - 'port_rules': { - # obs websocket thingie - just allow all RFC1918 ips here - #'4444': { - # '10.0.0.0/8', - # '172.16.0.0/12', - # '192.168.0.0/16', - #}, - # For the occasional file-share using `python -m http.server` - '8000': {'*'}, - }, - }, - 'interfaces': { - 'enp0s31f6': { - 'dhcp': True, - 'ips': { - '172.19.138.96', # for static dhcp lease - }, - 'mac': 'e8:6a:64:ef:cc:5c', - }, - # there is also wlp2s0, but that's managed by netctl - }, - 'location': 'home', # not actually true, but needed for static dhcp lease - 'nfs-client': { - 'mounts': { - 'nas-storage': { - 'mountpoint': '/mnt/nas', - 'serverpath': '172.19.138.20:/storage/nas', - 'mount_options': { - 'retry=0', - 'ro', - }, - }, - }, - }, - 'openssh': { - 'restrict-to': { - 'rfc1918', - 'ipv6', - }, - }, - 'pacman': { - 'linux-lts': True, - 'packages': { - # video drivers - 'xf86-video-intel': {}, - - # all that other random stuff one needs - 'apachedirectorystudio': {}, - 'direnv': {}, - 'freerdp': {}, - 'sdl_ttf': {}, # for compiling testcard - 'thermald': {}, - }, - }, - 'systemd-boot': { - 'default': 'arch-lts', - 'entries': { - 'arch-lts': { - 'title': 'Arch Linux (LTS kernel)', - 'linux': '/vmlinuz-linux-lts', - 'initrd': [ - '/intel-ucode.img', - '/initramfs-linux-lts.img', - ], - 'options': { - 'zfs=zroot/system/root', - 'rw', - }, - }, - 'arch-lts-fallback': { - 'title': 'Arch Linux (LTS kernel, no ucode, fallback initramfs)', - 'linux': 
'/vmlinuz-linux-lts', - 'initrd': [ - '/initramfs-linux-lts-fallback.img', - ], - 'options': { - 'zfs=zroot/system/root', - 'rw', - }, - }, - }, - }, - 'timezone': 'Europe/Berlin', - 'users': { - 'fkunsmann': { - 'password': vault.decrypt('encrypt$gAAAAABgLmmuQGRUStrQawoPee-758emIYn2u8-8ebrgzNAFSp7ifeFDdXXvs-zL3QogwNYlCtBHboH2xfy1rSj6OF5bbNO-tg=='), - 'shell': '/usr/bin/fish', - 'sudo_commands': { - 'ALL', - }, - }, - 'sophie': { - 'delete': True, - }, - }, - 'voc-tracker-worker': { - 'url': 'https://tracker.c3voc.de/rpc', - 'token': vault.decrypt('encrypt$gAAAAABiYqaFl4CqOc8DTQIn49Qq0KgAJSzA19GKPNMbyHIjYg0JkvY0sK43ps8CbJWMRR6hJHVK-nP4vrWLwyoWWqt8N8aASMur4odC2s8pEHQKM0TXg4cRwobQz_lyJgrYa2VYdhcD'), - 'secret': vault.decrypt('encrypt$gAAAAABiYqaYbY-3IbnRk-S25pqxrOGN7ovgPo3kBYz8ZqKDedPRzskKZefpLHxBbCOZKjg1XNT4cKbIs5cPCLdj7HdY4beAhnXl4EHZZdxU1zVC7sJCmz9XOS_Ac0UOgOlUFMiet14U'), - }, - 'wireguard': { - 'privatekey': vault.decrypt('smedia$NotViaThisRepository'), - 'peers': { - 'smedia': { - 'endpoint': '185.122.180.82:51820', - 'my_ip': '10.200.128.2/20', - 'my_port': 51820, - 'psk': vault.decrypt('smedia$NotViaThisRepository'), - 'pubkey': vault.decrypt('smedia$NotViaThisRepository'), - 'their_ip': '10.200.128.1', - }, - }, - }, - 'zfs': { - 'datasets': { - # this is not a complete list, but we can't create that - # structure using bundlewrap anyway, so there's no point - # in adding it here. - 'zroot': { - 'compression': 'lz4', - 'relatime': 'on', - 'xattr': 'sa', - 'primarycache': 'metadata' - # encryption is enabled, too. 
- }, - 'zroot/system/journal': { - 'mountpoint': '/var/log/journal', - 'acltype': 'posix', - }, - 'zroot/system/root': { - 'canmount': 'noauto', - 'mountpoint': '/', - }, - 'zroot/user/fkunsmann': { - 'mountpoint': '/home/fkunsmann', - }, - }, - 'snapshots': { - 'retain_per_dataset': { - 'zroot/user/fkunsmann': { - # juuuuuuuust to be sure - 'hourly': 100, - }, - }, - 'snapshot_never': { - 'zroot/system/journal', - }, - }, - }, - }, - 'os': 'arch', -} diff --git a/nodes/ovh/icinga2.py b/nodes/ovh/icinga2.py deleted file mode 100644 index 0f2a592..0000000 --- a/nodes/ovh/icinga2.py +++ /dev/null 
@@ -1,171 +0,0 @@ -nodes['ovh.icinga2'] = { - 'dummy': True, # gekündigt - 'bundles': { - 'bird', - 'icinga2', - 'php', - 'postgresql', - 'simple-icinga-dashboard', - 'unbound', - 'wireguard', - 'zfs', - }, - 'groups': { - 'debian-bullseye', - 'webserver', - }, - 'metadata': { - 'interfaces': { - 'eth0': { - 'ips': { - '51.195.44.8', - '2001:41d0:701:1100::2618/128' - }, - 'gateway4': '51.195.44.1', - 'gateway6': '2001:41d0:701:1100::1' - }, - 'dummy-snat': { - 'ips': { - '172.19.136.3', - }, - }, - }, - 'icinga_options': { - 'exclude_from_monitoring': True, - }, - 'bird': { - 'static_routes': { - '172.19.136.3/32', - }, - }, - 'icinga2': { - 'web_domain': 'icinga.kunsmann.eu', - 'api_users': { - 'dashboard': { - 'password': vault.password_for('ovh.icinga2 icinga2 api_user dashboard'), - 'permissions': { - 'objects/query/Service', - 'objects/query/Host', - }, - }, - # Used with - 'icinga2beamer': { - 'password': vault.decrypt('encrypt$gAAAAABf3wM9YS5ZpRdhp3xyIFX21_MK0omzqHqykWbWdkZWp2xyJ6awaUSXODnZQ5j-rws6n0yrpaeMdXoj1irb2FrgxMDTdfCh88hIsqcKGOObzwGaRg6Ze0tuiMrzIfOO3tRnc9Kd'), - 'permissions': { - 'objects/query/Host', - 'objects/query/Service' - }, - }, - }, - 'restrict-to': { - '172.19.138.0/24', - }, - 'sipgate': { - 'user': bwpass.attr('sipgate.de/hi@kunsmann.eu', 'icinga_tokenid'), - 'pass': bwpass.attr('sipgate.de/hi@kunsmann.eu', 'icinga_token'), - }, - 'ntfy': { - 'url': 'https://ntfy.franzi.business/icinga2', - 'user': vault.decrypt('encrypt$gAAAAABkMtfW_tyGDUh7TkVX6AN8wSkKixWcQiOrPUWHtDZqnzjqrAkfD40fD8M_PiPDvW5pAa6xHNcUSU34jHolxnC44rDiLw=='), - 'pass': vault.decrypt('encrypt$gAAAAABkMtfD8lenogwJc8uKeGZUQ8QVWHMpAqY_GLW3VhF3Jt0TOC4JiJn49qfaC9Ij5rw6GGsowNIsNBe1Ac83HXOLveANEU2o-O4fp5TxNF0xFWebCCtcaTkj_L2DjUbSUe8QVDn3'), - }, - }, - 'icinga2_api': { - 'custom': { - # redundant monitoring of services/hosts - 'services': { - 'flauschekatze.space CERTIFICATE': { - 'check_command': 'check_https_cert_at_url', - 'vars.domain': 'flauschekatze.space', - }, - 
'matrix.flauschekatze.space CERTIFICATE': { - 'check_command': 'check_https_cert_at_url', - 'vars.domain': 'matrix.flauschekatze.space', - }, - }, - }, - }, - 'nginx': { - 'vhosts': { - 'icingaweb': { - 'domain': 'icinga.kunsmann.eu', - 'webroot': '/usr/share/icingaweb2/public', - 'extras': True, - }, - 'icinga_statusmonitor': { - 'domain': 'statusmonitor.icinga.kunsmann.eu', - 'locations': { - '/': { - 'target': 'http://127.0.0.1:5000/', - } - }, - }, - 'statuspage': { - 'domain': 'status.franzi.business', - 'ssl': '_.franzi.business', - 'webroot': '/opt/simple-icinga-dashboard/out', - }, - }, - }, - 'php': { - 'version': '8.0', - 'packages': { - 'curl', - 'gd', - 'intl', - 'imagick', - 'ldap', - 'mysql', - 'opcache', - 'pgsql', - 'readline', - 'xml', - }, - }, - 'postgresql': { - 'version': '11', - }, - 'simple-icinga-dashboard': { - 'icinga2_api': { - 'baseurl': 'https://127.0.0.1:5665', - 'username': 'dashboard', - 'password': vault.password_for('ovh.icinga2 icinga2 api_user dashboard'), - }, - 'filters': { - 'services': '"statuspage" in service.groups', - }, - 'output': { - 'page_title': 'franzi.business Service Status', - }, - 'prettify': { - 'CONTENT': '', - 'NGINX': 'WEBSERVER', - 'PROCESS': 'SERVICE', - }, - }, - 'wireguard': { - 'peers': { - 'ovh.wireguard': { - 'snat_to': '172.19.136.3', - }, - }, - }, - 'zfs': { - 'pools': { - 'tank': { - 'when_creating': { - 'config': [{ - 'devices': { - '/dev/sdb' - }, - }], - }, - }, - }, - }, - 'vm': { - 'cpu': 1, - 'ram': 2, - }, - }, -} diff --git a/nodes/ovh/wireguard.py b/nodes/ovh/wireguard.py deleted file mode 100644 index c3405e9..0000000 --- a/nodes/ovh/wireguard.py +++ /dev/null 
@@ -1,62 +0,0 @@ -nodes['ovh.wireguard'] = { - 'bundles': { - 'bird', - 'wireguard', - }, - 'groups': { - 'debian-buster', - }, - 'metadata': { - 'interfaces': { - 'eth0': { - 'ips': { - '51.195.47.180', - '2001:41d0:701:1100::20da/128' - }, - 'gateway4': '51.195.44.1', - 'gateway6': '2001:41d0:701:1100::1' - }, - }, - 'bird': { - 'static_routes': { - '172.19.136.64/26', - }, - }, - 'icinga_options': { - 'exclude_from_monitoring': True, - }, - 'backups': { - 'exclude_from_backups': True, - }, - 'vm': { - 'cpu': 1, - 'ram': 2, - }, - 'wireguard': { - 'peers': { - 'ovh.icinga2': {}, - 'home.router': {}, - 'htz-cloud.wireguard': {}, - 'kunsi-oneplus3': { - 'their_ip': '172.19.136.65', - 'my_ip': '172.19.136.64', - 'my_port': 51819, - 'psk': vault.decrypt('encrypt$gAAAAABgKYeeuPfokbk7lSbbJX-52kap5Cs3tdCHpezkKcExV-yLTHPjszIcAh1T9wW1BtGElRdZea7VTikV3qEu3bupiSqEW4l2lmD5cn2ERYRfuVCoYSkOlmEGokHUX7Nja4G_A2_x'), - 'pubkey': vault.decrypt('encrypt$gAAAAABgKYdTqLG3DcB13QqQadUxyzIjvSxwgZQNjorQi-ADSLsNdDbhikSAGQnSmGelLB74V175awIIir768WEnpLJUKX6nt_i2BxOP3JazvKZSQECkiK8G-IRn8wWWgKarfmtqRwh6'), - 'exclude_from_monitoring': True, - }, - 'sophie-ejgwthink': { - 'their_ip': '172.19.136.67', - 'my_ip': '172.19.136.66', - 'my_port': 51818, - 'psk': vault.decrypt('encrypt$gAAAAABhWWg7WWnVAl3R46oXfPHnmsuXIFELWoMb4wGeDDInKUAwjtI6Y9nYkMpvdxiPRbHnwG4sPxgUAu3l83E4BLTNwb-9_ZYPjz6bQQGYA7oYvCdsezWYYx22hmu8wJhq_j4sMyLK'), - 'pubkey': vault.decrypt('encrypt$gAAAAABhWWg7fSm9snyXS_VLCpEv28_o2fvu6MRzrqngbKQ41DSAQE5fg4ADSbQpi0uwP_6VE_aGo56z1qmLV9wHpOUYCqgYk57w2KcuHR92r_Cw6iNs_h85k38nFGkmuvHzUecqpCNa'), - 'exclude_from_monitoring': True, - }, - }, - 'restrict-to': { - '*', - }, - }, - }, -} From 0d79216ae5acc2c5588272901fc8c8603ca2779b Mon Sep 17 00:00:00 2001 
From: Franziska Kunsmann Date: Sat, 23 Sep 2023 15:03:44 +0200 Subject: [PATCH 367/996] bundles/wireguard: fix KeyError when running with no peers --- bundles/wireguard/metadata.py | 18 ++++++++++-------- 1 file changed, 10 insertions(+), 8 deletions(-) diff --git a/bundles/wireguard/metadata.py b/bundles/wireguard/metadata.py index 8bc3ddd..e2fe76d 100644 --- a/bundles/wireguard/metadata.py +++ b/bundles/wireguard/metadata.py @@ -262,17 +262,19 @@ def health_checks(metadata): checks[peer] = config['their_ip'] - if not checks: - return {} + if checks: + timer = { + 'wg-health-check': { + 'command': '/usr/local/bin/wg_health_check', + 'when': 'minutely', + }, + } + else: + timer = {} return { 'systemd-timers': { - 'timers': { - 'wg-health-check': { - 'command': '/usr/local/bin/wg_health_check', - 'when': 'minutely', - }, - }, + 'timers': timer, }, 'wireguard': { 'health_checks': checks, From d47f7db70846ea0d08e5040152780dfe8f56a50a Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sat, 23 Sep 2023 15:04:11 +0200 Subject: [PATCH 368/996] bundles/wireguard: only try to auto-generate ips and ports if nodes are present in WG_AUTOGEN_NODES --- bundles/wireguard/metadata.py | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/bundles/wireguard/metadata.py b/bundles/wireguard/metadata.py index e2fe76d..9f8e28c 100644 --- a/bundles/wireguard/metadata.py +++ b/bundles/wireguard/metadata.py @@ -91,6 +91,9 @@ def peer_pubkeys(metadata): 'wireguard/peers', ) def peer_ips_and_ports(metadata): + if node.name not in repo.libs.s2s.WG_AUTOGEN_NODES: + raise DoNotRunAgain + peers = {} base_port = 51820 @@ -100,6 +103,9 @@ def peer_ips_and_ports(metadata): except NoSuchNode: continue + if rnode.name not in repo.libs.s2s.WG_AUTOGEN_NODES: + continue + ip_a, ip_b = repo.libs.s2s.get_subnet_for_connection(repo, *sorted({node.name, peer_name})) if peer_name < node.name: From 3a0ed4a7f595a33b547e5abb01b9317ca9aa2288 Mon Sep 17 00:00:00 2001 
From: Franziska Kunsmann Date: Sat, 23 Sep 2023 15:04:47 +0200 Subject: [PATCH 369/996] bundles/wireguard: autogenerate port number based on index in WG_AUTOGEN_NODES --- bundles/wireguard/metadata.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/bundles/wireguard/metadata.py b/bundles/wireguard/metadata.py index 9f8e28c..561dfd2 100644 --- a/bundles/wireguard/metadata.py +++ b/bundles/wireguard/metadata.py @@ -117,7 +117,7 @@ def peer_ips_and_ports(metadata): peers[rnode.name] = { 'my_ip': str(my_ip), - 'my_port': base_port + number, + 'my_port': base_port + repo.libs.s2s.WG_AUTOGEN_NODES.index(rnode.name), 'their_ip': str(their_ip) } From e9f3268e1555f42e7c1f6754320ed6febb9876ed Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sat, 23 Sep 2023 15:05:33 +0200 Subject: [PATCH 370/996] clean up some leftovers --- groups/os.py | 2 -- libs/s2s.py | 2 -- 2 files changed, 4 deletions(-) diff --git a/groups/os.py b/groups/os.py index 4542cc8..13e954f 100644 --- a/groups/os.py +++ b/groups/os.py @@ -39,11 +39,9 @@ groups['linux'] = { 'firewall': { 'port_rules': { '*': { - 'ovh.icinga2', 'icinga2', }, '*/udp': { - 'ovh.icinga2', 'icinga2', }, }, diff --git a/libs/s2s.py b/libs/s2s.py index bc8576d..6c6b874 100644 --- a/libs/s2s.py +++ b/libs/s2s.py @@ -17,8 +17,6 @@ WG_AUTOGEN_NODES = [ 'home.router', 'htz-cloud.wireguard', 'icinga2', - 'ovh.icinga2', - 'ovh.wireguard', ] def get_subnet_for_connection(repo, peer_a, peer_b): From 07de570175a2f9bbd7ced57d2dbe52e9196f2d77 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sat, 23 Sep 2023 15:06:16 +0200 Subject: [PATCH 371/996] auto-generate full wireguard mesh between all nodes in libs.s2s.WG_AUTOGEN_NODES --- bundles/wireguard/metadata.py | 28 +++++++++++++++++++++++++++- nodes/home/router.py | 6 +----- nodes/htz-cloud/wireguard.py | 4 ---- nodes/icinga2.toml | 3 --- 4 files changed, 28 insertions(+), 13 deletions(-) 
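Review bot: `'my_port': base_port + repo.libs.s2s.WG_AUTOGEN_NODES.index(rnode.name)` ties every node's listening port to the peer's position in a hand-maintained list, so inserting, removing or reordering an entry silently renumbers ports on all mesh members at the next apply, and those ports must then line up with the firewall rules and the remote peer's endpoint or the tunnels stay down until both sides are applied. Add `# append only, never reorder: wireguard ports are derived from the list index` above WG_AUTOGEN_NODES, and consider an explicit name-to-port mapping instead of `.index()` so a removed node keeps its slot free. The counter that previously fed `number` is presumably unused now and can be dropped; peer_ips_and_ports begins outside this hunk.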
diff --git a/bundles/wireguard/metadata.py b/bundles/wireguard/metadata.py index 561dfd2..a01f300 100644 --- a/bundles/wireguard/metadata.py +++ b/bundles/wireguard/metadata.py @@ -36,11 +36,37 @@ if node.has_bundle('telegraf'): } +@metadata_reactor.provides( + 'wireguard/peers', +) +def peers_auto_full_mesh(metadata): + peers = {} + + for rnode in repo.libs.s2s.WG_AUTOGEN_NODES: + if rnode is None or rnode == node.name: + continue + + try: + rnode = repo.get_node(rnode) + except NoSuchNode: + continue + + if rnode.dummy: + continue + + peers[rnode.name] = {} + + return { + 'wireguard': { + 'peers': peers, + }, + } + @metadata_reactor.provides( 'wireguard/peers', ) -def peer_psks_and_iface_names(metadata): +def peer_psks(metadata): peers = {} for peer_name in metadata.get('wireguard/peers', {}): diff --git a/nodes/home/router.py b/nodes/home/router.py index 1806918..480c2ed 100644 --- a/nodes/home/router.py +++ b/nodes/home/router.py @@ -1,5 +1,5 @@ nodes['home.router'] = { - 'hostname': '172.19.138.1', + 'hostname': 'router-remote', 'bundles': { 'bird', 'kea-dhcp-server', @@ -162,10 +162,6 @@ nodes['home.router'] = { 'wireguard': { 'external_hostname': 'franzi-home.kunbox.net', # Set via DynDNS 'snat_ip': '172.19.138.1', - 'peers': { - 'ovh.wireguard': {}, - 'icinga2': {}, - }, }, }, } diff --git a/nodes/htz-cloud/wireguard.py b/nodes/htz-cloud/wireguard.py index ea1086c..ac4a02a 100644 --- a/nodes/htz-cloud/wireguard.py +++ b/nodes/htz-cloud/wireguard.py @@ -51,10 +51,6 @@ nodes['htz-cloud.wireguard'] = { }, 'wireguard': { 'snat_ip': '172.19.137.2', - 'peers': { - 'ovh.wireguard': {}, - 'icinga2': {}, - }, }, }, } diff --git a/nodes/icinga2.toml b/nodes/icinga2.toml index 1c85347..3194c8b 100644 --- a/nodes/icinga2.toml +++ b/nodes/icinga2.toml @@ -59,9 +59,6 @@ version = 15 [metadata.wireguard] snat_ip = "172.19.136.4" -[metadata.wireguard.peers.'home.router'] -[metadata.wireguard.peers.'htz-cloud.wireguard'] - [metadata.vm] cpu = 2 ram = 2 
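Review bot: `peers_auto_full_mesh` skips dummy nodes but not nodes that do not carry the wireguard bundle, so listing a node in WG_AUTOGEN_NODES before its bundles are set up produces a one-sided peer entry on every other mesh member; if the node object exposes it, widen the guard to `if rnode.dummy or not rnode.has_bundle('wireguard'): continue` (the upgrade pipeline earlier in this series calls `has_bundle()` on nodes, so it appears to be available). The `rnode is None` test guards a list of plain node names and looks dead unless `None` entries are meant as placeholders; a short comment saying so, or dropping the check, would avoid the question. A docstring such as `"""Declare an empty peer entry for every other non-dummy node in WG_AUTOGEN_NODES; the sibling reactors fill in keys, ips and ports."""` would help, since those reactors only act on peers that already exist.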
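Review bot: The `'hostname': 'router-remote'` change in nodes/home/router.py is unrelated to the mesh auto-generation this commit describes and switches the SSH target from the LAN address to a name that is not defined anywhere visible; it looks like a local working-copy setting committed by accident, and a later commit in this series puts `'172.19.138.1'` back. Keep connection-target changes out of feature commits, or say in the message why the target moved.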
From 951d254c7a80609c268b4a2f9a3ddb5bfecbda8a Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sat, 23 Sep 2023 15:15:28 +0200 Subject: [PATCH 372/996] add location information to daisy --- libs/s2s.py | 2 +- nodes/daisy.toml | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/libs/s2s.py b/libs/s2s.py index 6c6b874..aa0ab8c 100644 --- a/libs/s2s.py +++ b/libs/s2s.py @@ -5,7 +5,7 @@ AS_NUMBERS = { 'home': 4290000138, 'htz-cloud': 4290000137, 'ionos': 4290000002, - 'ovh': 4290000001, + 'glauca': 4290207960, } WG_AUTOGEN_NODES = [ diff --git a/nodes/daisy.toml b/nodes/daisy.toml index 1a0b33e..5ca9234 100644 --- a/nodes/daisy.toml +++ b/nodes/daisy.toml @@ -5,6 +5,7 @@ groups = [ ] [metadata] +location = "glauca" nameservers = [ "2606:4700::1111", "2606:4700:4700::1001", From d99989545008a24ecc7f1c177eae9c5028cf8e8a Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sat, 23 Sep 2023 16:42:00 +0200 Subject: [PATCH 373/996] home.router: let dyndns have ipv6 please --- bundles/pppd/files/check_dyndns_update | 20 -------- bundles/pppd/files/dyndns | 63 ++++++++++++++++++++------ bundles/pppd/files/dyndns_periodic | 63 ++++++++++++++++++++------ bundles/pppd/items.py | 5 -- bundles/pppd/metadata.py | 21 --------- nodes/home/router.py | 4 +- 6 files changed, 100 insertions(+), 76 deletions(-) delete mode 100644 bundles/pppd/files/check_dyndns_update diff --git a/bundles/pppd/files/check_dyndns_update b/bundles/pppd/files/check_dyndns_update deleted file mode 100644 index eaf8dfe..0000000 --- a/bundles/pppd/files/check_dyndns_update +++ /dev/null 
@@ -1,20 +0,0 @@ -#!/bin/bash - -[[ -n "$DEBUG" ]] && set -x - -interface="$(ip link show | awk '/ ppp/ {print substr($2, 1, length($2)-1)}')" -addr="$(ip addr show dev "$interface" | awk '/inet / {print $2}')" -resolved="$(dig +short "${domain}" A)" - -if [[ -z "$addr" ]] || [[ -z "$resolved" ]] -then - echo "Address on '$interface' is '$addr' - resolved '$resolved'" - exit 3 -elif [[ "$addr" == "$resolved" ]] -then - echo "Resolved IP for ${domain} matches current ip on $interface" - exit 0 -else - echo "Resolved $resolved for ${domain}, but got $addr on $interface!" - exit 2 -fi diff --git a/bundles/pppd/files/dyndns b/bundles/pppd/files/dyndns index f1760d8..5058b2f 100644 --- a/bundles/pppd/files/dyndns +++ b/bundles/pppd/files/dyndns 
@@ -1,24 +1,59 @@ #!/usr/bin/env python3 -from sys import argv +import logging +from ipaddress import ip_address +from json import loads +from subprocess import check_output -import requests +from requests import get -INTERFACE = argv[1] -LOCAL_IP = argv[4] UPDATE_URL = '${url}' USERNAME = '${username}' PASSWORD = '${password}' -r = requests.get( - UPDATE_URL.format( - ip=LOCAL_IP, - ), - auth=( - USERNAME, - PASSWORD, - ) -) +# <%text> +logging.basicConfig(level=logging.INFO) +LOG = logging.getLogger('DynDNS') +try: + ips = set() -print('got status {} when updating dns'.format(r.status_code)) + iproute = loads(check_output(['ip', '-json', 'address', 'show', 'scope', 'global'])) + + for iface in iproute: + if not iface['ifname'].startswith('ppp'): + LOG.debug(f'ignoring {iface["ifname"]}') + continue + + LOG.info(f'working on {iface["ifname"]}') + for ip in iface['addr_info']: + try: + addr = ip_address(ip['local']) + + LOG.info(f'{iface["ifname"]} has ip {addr.compressed}') + ips.add(addr.compressed) + except Exception: + continue + + if ips: + LOG.info('got some addresses!') + break + + url = UPDATE_URL.format( + ips=','.join(sorted(ips)) + ) + + LOG.info(url) + + r = get( + url, + auth=( + USERNAME, + PASSWORD, + ), + ) + r.raise_for_status() +except Exception as e: + logging.exception(e) + +# diff --git a/bundles/pppd/files/dyndns_periodic b/bundles/pppd/files/dyndns_periodic index 3aebb47..236c4fc 100644 --- a/bundles/pppd/files/dyndns_periodic +++ b/bundles/pppd/files/dyndns_periodic 
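Review bot: The update request `r = get(url, auth=(USERNAME, PASSWORD))` has no `timeout`, so when the DynDNS endpoint is unreachable the script blocks indefinitely inside the pppd ip-up hook and in the periodic checker that calls it; pass `timeout=30` (or similar) so a dead endpoint only costs one logged failure. The format key changed from `{ip}` to `{ips}`, so any node whose URL still contains `{ip}` now raises a KeyError that the outer `except Exception` merely logs — worth a note in the commit message. USERNAME and PASSWORD are rendered into the script itself, so its file mode decides who can read the DynDNS credentials; the items.py hunk in this series shows sibling files deployed at 0755, so confirm this one is readable by root only.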
@@ -1,17 +1,52 @@ -#!/bin/bash +#!/usr/bin/env python3 -[[ -n "$DEBUG" ]] && set -x +import logging +from ipaddress import ip_address +from json import loads +from subprocess import check_output, run -interface="$(ip link show | awk '/ ppp/ {print substr($2, 1, length($2)-1)}')" -addr="$(ip addr show dev "$interface" | awk '/inet / {print $2}')" -resolved="$(dig +short "${domain}" A)" -if [[ -z "$addr" ]] || [[ -z "$resolved" ]] -then - echo "Something is wrong:" - echo "Address on '$interface' is '$addr'" - echo "Resolved DNS is '$resolved'" -elif [[ "$addr" != "$resolved" ]] -then - /etc/ppp/ip-up.d/dyndns "$interface" "doesnt" "matter" "$addr" -fi +DOMAIN = '${domain}' + +# <%text> +logging.basicConfig(level=logging.INFO) +LOG = logging.getLogger('DynDNS checker') +try: + iproute = loads(check_output(['ip', '-json', 'address', 'show', 'scope', 'global'])) + resolved_ipv4 = check_output(['dig', '+short', DOMAIN, 'A']).decode().strip() + resolved_ipv6 = check_output(['dig', '+short', DOMAIN, 'AAAA']).decode().strip() + + LOG.info(f'resolved ipv4 is "{resolved_ipv4}"') + LOG.info(f'resolved ipv6 is "{resolved_ipv6}"') + + needs_changing = False + + for iface in iproute: + if not iface['ifname'].startswith('ppp'): + LOG.debug(f'ignoring {iface["ifname"]}') + continue + + LOG.info(f'working on {iface["ifname"]}') + for ip in iface['addr_info']: + try: + addr = ip_address(ip['local']) + + LOG.info(f'{iface["ifname"]} has ip {addr.compressed}') + + if ( + (addr.version == 4 and addr.compressed != resolved_ipv4) + or (addr.version == 6 and addr.compressed != resolved_ipv6) + ): + needs_changing = True + except Exception: + continue + + if needs_changing: + LOG.warning('addresses have changed, calling update script!') + run(['/etc/ppp/ip-up.d/dyndns']) + else: + LOG.info('everything is fine') +except Exception as e: + logging.exception(e) + +# diff --git a/bundles/pppd/items.py b/bundles/pppd/items.py index 8d94950..cf21a6f 100644 --- a/bundles/pppd/items.py 
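Review bot: The DNS answer is compared as one raw string: `resolved_ipv4 = check_output(['dig', '+short', DOMAIN, 'A']).decode().strip()` holds every line dig prints (several records, or a CNAME line ahead of the address), so with more than one answer `addr.compressed != resolved_ipv4` is always true and the update script fires on every timer run, hammering the DynDNS endpoint. Parse the answers into a set of ip_address objects and test membership instead, which also normalises IPv6 formatting and ignores non-address lines. `run(['/etc/ppp/ip-up.d/dyndns'])` ignores the child's exit status; that is acceptable only as long as the update script keeps catching its own exceptions.
```python
# … unchanged: logging setup, `try:` and `iproute = …` …
    resolved = set()
    for rrtype in ('A', 'AAAA'):
        for line in check_output(['dig', '+short', DOMAIN, rrtype]).decode().split():
            try:
                resolved.add(ip_address(line))
            except ValueError:
                LOG.debug(f'ignoring non-address answer "{line}"')
    LOG.info(f'resolved addresses: {sorted(a.compressed for a in resolved)}')
# … unchanged: interface loop up to `addr = ip_address(ip['local'])` …
                if addr not in resolved:
                    needs_changing = True
# … unchanged: update call and exception handling …
```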
+++ b/bundles/pppd/items.py @@ -110,11 +110,6 @@ if node.metadata.get('pppd/dyndns', {}): 'context': node.metadata.get('pppd/dyndns'), 'mode': '0755', } - files['/usr/local/share/icinga/plugins/check_dyndns_update'] = { - 'content_type': 'mako', - 'context': node.metadata.get('pppd/dyndns'), - 'mode': '0755', - } files['/usr/local/bin/dyndns_periodic'] = { 'content_type': 'mako', 'context': node.metadata.get('pppd/dyndns'), diff --git a/bundles/pppd/metadata.py b/bundles/pppd/metadata.py index 9d8792b..75274a5 100644 --- a/bundles/pppd/metadata.py +++ b/bundles/pppd/metadata.py @@ -39,24 +39,3 @@ def ignore_interface(metadata): }, }, } - - -@metadata_reactor.provides( - 'icinga2_api/pppd/services', -) -def icinga_dyndns(metadata): - if not metadata.get('pppd/dyndns', {}): - return {} - - return { - 'icinga2_api': { - 'pppd': { - 'services': { - 'DYNDNS UPDATE': { - 'command_on_monitored_host': '/usr/local/share/icinga/plugins/check_dyndns_update', - 'vars.notification.mail': True, - }, - }, - }, - }, - } diff --git a/nodes/home/router.py b/nodes/home/router.py index 480c2ed..e6f9125 100644 --- a/nodes/home/router.py +++ b/nodes/home/router.py @@ -1,5 +1,5 @@ nodes['home.router'] = { - 'hostname': 'router-remote', + 'hostname': '172.19.138.1', 'bundles': { 'bird', 'kea-dhcp-server', @@ -118,7 +118,7 @@ nodes['home.router'] = { 'interface': 'enp1s0.7', 'dyndns': { 'domain': 'franzi-home.kunbox.net', - 'url': 'https://ns-mephisto.kunbox.net/nic/update?hostname=franzi-home.kunbox.net&myip={ip}', + 'url': 'https://ns-mephisto.kunbox.net/nic/update?hostname=franzi-home.kunbox.net&myip={ips}', 'username': vault.decrypt('encrypt$gAAAAABfr8DLAJhmUIhdxLq83I8MnRRvkRgDZcO8Brvw1KpvplC3K8ZGj0jIIWD3Us33vIP6t0ybd_mgD8slpRUk78Kqd3BMoQ=='), 'password': vault.decrypt('encrypt$gAAAAABfr8Cq5M1hweeJTQAl0dLhFntdlw-QnkIYUQpY-_ycODVWOpyeAwjwOgWLSdsdXIUvqcoiXPZPV-BE12p5C42NGnj9r7sKYpoGz8xfuGIk6haMa2g='), }, From 6f31d6c0e44699fa6c33b547bc1253c9d5a88363 Mon Sep 17 00:00:00 2001 
From: Franziska Kunsmann Date: Sat, 23 Sep 2023 16:46:45 +0200 Subject: [PATCH 374/996] add daisy to wireguard mesh --- libs/s2s.py | 1 + nodes/daisy.toml | 5 ++++- 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/libs/s2s.py b/libs/s2s.py index aa0ab8c..a490e15 100644 --- a/libs/s2s.py +++ b/libs/s2s.py @@ -17,6 +17,7 @@ WG_AUTOGEN_NODES = [ 'home.router', 'htz-cloud.wireguard', 'icinga2', + 'daisy', ] def get_subnet_for_connection(repo, peer_a, peer_b): diff --git a/nodes/daisy.toml b/nodes/daisy.toml index 5ca9234..b300487 100644 --- a/nodes/daisy.toml +++ b/nodes/daisy.toml @@ -1,5 +1,8 @@ hostname = "2a11:f2c0:3:4::120" -bundles = [] +bundles = [ + "bird", + "wireguard", +] groups = [ "debian-bookworm", ] From 2d3d0ca02ae0daf2cc4d09028b2f532d36b70001 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 24 Sep 2023 10:34:54 +0200 Subject: [PATCH 375/996] EOL OVH, EOL rx300 --- groups/locations.py | 17 ---- nodes/carlene.toml | 3 +- nodes/ns-ghirahim.toml | 2 +- nodes/rx300.py | 214 ----------------------------------------- 4 files changed, 2 insertions(+), 234 deletions(-) delete mode 100644 nodes/rx300.py diff --git a/groups/locations.py b/groups/locations.py index 63447d6..d60eccc 100644 --- a/groups/locations.py +++ b/groups/locations.py @@ -95,23 +95,6 @@ groups['home'] = { }, } -groups['ovh'] = { - 'member_patterns': { - r"ovh\..*", - }, - 'metadata': { - 'location': 'ovh', - 'postfix': { - 'relayhost': '[mail.franzi.business]:2525', - }, - 'users': { - 'debian': { - 'delete': True, - }, - }, - }, -} - groups['voc'] = { 'member_patterns': { r"voc\..*", diff --git a/nodes/carlene.toml b/nodes/carlene.toml index 0fadfeb..78e439b 100644 --- a/nodes/carlene.toml +++ b/nodes/carlene.toml @@ -169,7 +169,6 @@ domain = "ntfy.franzi.business" ratelimit-exempt-hosts = [ "carlene", "icinga2", - "rx300", ] [metadata.php] 
@@ -190,7 +189,7 @@ packages = [ [metadata.postfix] message_size_limit_mb = 100 myhostname = "mail.franzi.business" -mynetworks = ["gce", "ovh"] +mynetworks = ["gce"] [metadata.postfixadmin] domain = "postfixadmin.franzi.business" diff --git a/nodes/ns-ghirahim.toml b/nodes/ns-ghirahim.toml index ea835a0..a8581c6 100644 --- a/nodes/ns-ghirahim.toml +++ b/nodes/ns-ghirahim.toml @@ -16,7 +16,7 @@ gateway6 = "2a03:b0c0:1:d0::1" # It's fine to do this without authentificating to the relayhost. # These Systems are not supposed to send mail anywhere else # than our own domains. -relayhost = "[rx300.kunbox.net]:2525" +relayhost = "[mail.franzi.business]:2525" [metadata.postgresql] version = "15" diff --git a/nodes/rx300.py b/nodes/rx300.py deleted file mode 100644 index fa5523e..0000000 --- a/nodes/rx300.py +++ /dev/null 
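Review bot: `relayhost = "[mail.franzi.business]:2525"` keeps relaying without authentication, but the same commit trims the relay's `mynetworks` to `["gce"]` in nodes/carlene.toml, so unless ns-ghirahim is a member of the gce group (its `gateway6 = "2a03:b0c0:1:d0::1"` context line does not obviously suggest so) its mail will presumably be refused with relay access denied — or, if it is accepted, the relay is open wider than the comment implies. Verify that postfix on mail.franzi.business actually lists ns-ghirahim's addresses, and reword the context comment to state the mechanism and fix the typo: `# Unauthenticated relaying is fine here: the relayhost lists this host in mynetworks and these systems only send mail to our own domains.`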
@@ -1,214 +0,0 @@ -# To use the serial console in iRMC, set up grub as follows: -# GRUB_TIMEOUT=30 -# GRUB_CMDLINE_LINUX_DEFAULT="console=ttyS0,115200 console=tty0" -# GRUB_TERMINAL=serial -# GRUB_SERIAL_COMMAND="serial --speed=115200 --unit=0 --word=8 --parity=no --stop=1" - -nodes['rx300'] = { - 'hostname': '31.47.232.106', - 'bundles': { - 'check-mail-received', - 'ipmitool', - 'jenkins-ci', - 'jugendhackt_tools', - 'lm-sensors', - 'minecraft', - 'nodejs', - 'oidentd', - 'php', - 'postgresql', - 'redis', - 'smartd', - 'unbound', - 'vmhost', - 'zfs', - }, - 'groups': { - 'debian-bullseye', - 'webserver', - }, - 'metadata': { - 'interfaces': { - 'br0': { - 'ips': { - '31.47.232.106/29', - '2a00:f820:528::2/64', - }, - 'gateway4': '31.47.232.105', - 'gateway6': '2a00:f820:528::1', - }, - }, - 'apt': { - 'packages': { - # for franzi.business deployment - 'ruby': {}, - 'ruby-dev': {}, - 'ruby-bundler': {}, - - # for `bw test` on jenkins - 'bind9utils': {}, - }, - }, - 'check-mail-received': { - 't-online': { - 'email': 'franzi.kunsmann@t-online.de', - 'imap_host': 'secureimap.t-online.de', - 'imap_pass': bwpass.attr('t-online.de/franzi.kunsmann@t-online.de', 'imap'), - }, - }, - 'icinga_options': { - 'pretty_name': 'franzi.business', - 'vars.notification.sms': False, - }, - 'jenkins-ci': { - 'install_ssh_key': True, - 'domain': 'jenkins.franzi.business', - 'writeable_paths': { - '/var/www/franzi.business', # for deployment task - }, - }, - 'jugendhackt_tools': { - 'allowed_hosts': ['jh.franzi.business'], - 'timezone': 'Europe/Berlin', - }, - 'minecraft': { - 'heap_mb': 16*1024, - 'sha1': '82be5e1bbdfd1bcb001644780562282fd42ee5a9', - 'version': ('1.19.2', '261'), - 'allowlist': { - # use https://mcuuid.net/ - 'kunsi': 'a2b93640-9dff-4c3c-a6c7-bd75329d8997', - 'sophie': '7e593cbb-9d61-4d46-a416-6edbcf8a2109', - }, - 'ops': { - 'kunsi': 'a2b93640-9dff-4c3c-a6c7-bd75329d8997', - }, - 'restrict-to': {'*'}, - }, - 'nginx': { - 'security.txt': { - 'contact': 
'mailto:security@kunsmann.eu', - 'Encryption': 'https://franzi.business/gpg_hi-kunsmann.eu.asc', - }, - 'vhosts': { - 'jenkins-ci': {'ssl': '_.franzi.business'}, - 'jugendhackt_tools': { - 'domain': 'jh.franzi.business', - 'ssl': '_.franzi.business', - 'locations': { - '/': { - 'target': 'http://127.0.0.1:22090/', - }, - '/static/': { - 'alias': '/opt/jugendhackt_tools/src/static/', - }, - }, - }, - }, - 'worker_processes': 8, - }, - 'oidentd': { - 'allows': { - 'kunsi': { - 'spoof', - 'spoof_all', - }, - }, - }, - 'php': { - 'version': '8.0', - 'packages': { - 'gd', - 'imagick', - 'imap', - 'intl', - 'mbstring', - 'opcache', - 'pgsql', - 'readline', - 'xml', - 'yaml', - }, - }, - 'postgresql': { - 'version': '13', - 'max_connections': 500, - 'autovacuum_max_workers': 12, - 'maintenance_work_mem': 2*1024, - 'work_mem': 8*1024, - 'cache_size': 32*1024, - }, - 'smartd': { - 'disks': { - '/dev/nvme0', - }, - }, - 'systemd': { - 'journal': { - 'maxuse': '4G', - }, - }, - 'systemd-networkd': { - 'bridges': { - 'br0': { - 'match': { - 'eno1', - }, - }, - }, - }, - 'systemd-timers': { - 'timers': { - 'cleanup-paste.franzi.business': { - 'command': '/usr/bin/find /var/www/paste.franzi.business/ -maxdepth 1 -type d -mtime +60 -exec rm -r {} \;', - 'user': 'kunsi', - 'when': 'daily', - }, - }, - }, - 'unbound': { - 'threads': 8, - 'cache_slabs': 8, - }, - 'zfs': { - 'module_options': { - 'zfs_arc_max_gb': 48, - }, - 'pools': { - 'tank': { - 'when_creating': { - 'config': [{ - 'type': 'raidz', - 'devices': { - '/dev/sda', - '/dev/sdb', - '/dev/sdc', - '/dev/sdd', - }, - }], - 'ashift': 12, - }, - }, - }, - 'datasets': { - 'tank/libvirt': { - 'mountpoint': '/var/lib/libvirt', - 'compression': 'on', - 'needed_by': { - 'bundle:vmhost', - }, - }, - 'tank/home-kunsi': { - 'mountpoint': '/home/kunsi', - 'needed_by': { - 'directory:/home/kunsi', - }, - }, - }, - }, - 'vm': { - 'cpu': 32, - 'ram': 256, - }, - }, -} 
From 77ed050adec051167f536d3ecf2baf267cedbbad Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 24 Sep 2023 10:40:47 +0200 Subject: [PATCH 376/996] install oidentd on carlene, fix dependencies --- bundles/oidentd/files/oidentd.service | 3 ++- nodes/carlene.toml | 1 + 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/bundles/oidentd/files/oidentd.service b/bundles/oidentd/files/oidentd.service index 06b9a6d..64ac97f 100644 --- a/bundles/oidentd/files/oidentd.service +++ b/bundles/oidentd/files/oidentd.service @@ -1,6 +1,7 @@ [Unit] Description=RFC 1413 compliant ident daemon -After=network.target +Requires=network.target +After=network-online.target [Service] ExecStart=/usr/sbin/oidentd -i -u oident -g oident diff --git a/nodes/carlene.toml b/nodes/carlene.toml index 78e439b..e49b158 100644 --- a/nodes/carlene.toml +++ b/nodes/carlene.toml @@ -18,6 +18,7 @@ bundles = [ "nextcloud", "nodejs", "ntfy", + "oidentd", "php", "postfixadmin", "postgresql", From c2460e5291cef70b8518d5a3a6157f52fe4fb48b Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 24 Sep 2023 10:52:51 +0200 Subject: [PATCH 377/996] remove *.franzi.business wildcard cert --- data/ssl/_.franzi.business.crt.pem | 26 -------- .../_.franzi.business.crt_intermediate.pem | 63 ------------------- data/ssl/_.franzi.business.key.pem.vault | 1 - nodes/htz-cloud/sewfile.py | 1 - 4 files changed, 91 deletions(-) delete mode 100644 data/ssl/_.franzi.business.crt.pem delete mode 100644 data/ssl/_.franzi.business.crt_intermediate.pem delete mode 100644 data/ssl/_.franzi.business.key.pem.vault diff --git a/data/ssl/_.franzi.business.crt.pem b/data/ssl/_.franzi.business.crt.pem deleted file mode 100644 index 65bbc10..0000000 --- a/data/ssl/_.franzi.business.crt.pem +++ /dev/null 
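Review bot: `Requires=network.target` together with `After=network-online.target` is the wrong pair: the unit is ordered after network-online.target without pulling it in, so nothing guarantees that target is reached before oidentd starts, while the hard dependency lands on network.target, a passive target that is always active on a booted system and adds nothing. The systemd convention for a daemon that needs a configured network is `Wants=network-online.target` plus `After=network-online.target`; if the intent is only to order after basic networking, keep the original `After=network.target`. Note that `Requires=` also stops oidentd whenever network.target is explicitly stopped, which `Wants=` avoids.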
@@ -1,26 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIETzCCAzegAwIBAgISAzGdIp3DLkAfPLjomF+m+BsmMA0GCSqGSIb3DQEBCwUA -MDIxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQD -EwJSMzAeFw0yMzA3MTMwNTAzNDNaFw0yMzEwMTEwNTAzNDJaMBoxGDAWBgNVBAMT -D2ZyYW56aS5idXNpbmVzczB2MBAGByqGSM49AgEGBSuBBAAiA2IABOWungq5D/Wi -w965jO2U3qQ/eMRlJ6zOF6DKh0VqzC7bf5viaRPcpzF6UZ5a3S2laX3GTrRHay01 -A+Oblv+m6kFfnftM916DLU3LiOpa2yhWD5q5Y6ZWMQUusM9Zcb/k4KOCAiMwggIf -MA4GA1UdDwEB/wQEAwIHgDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIw -DAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQU/NkZwxOc6itD/i7eJVR83sWIPdkwHwYD -VR0jBBgwFoAUFC6zF7dYVsuuUAlA5h+vnYsUwsYwVQYIKwYBBQUHAQEESTBHMCEG -CCsGAQUFBzABhhVodHRwOi8vcjMuby5sZW5jci5vcmcwIgYIKwYBBQUHMAKGFmh0 -dHA6Ly9yMy5pLmxlbmNyLm9yZy8wLQYDVR0RBCYwJIIRKi5mcmFuemkuYnVzaW5l -c3OCD2ZyYW56aS5idXNpbmVzczATBgNVHSAEDDAKMAgGBmeBDAECATCCAQMGCisG -AQQB1nkCBAIEgfQEgfEA7wB1ALc++yTfnE26dfI5xbpY9Gxd/ELPep81xJ4dCYEl -7bSZAAABiU3ZI3oAAAQDAEYwRAIgP1dd+F46HS4zZnqzCmwSBDnKBWNUqultNaLv -31T7lRYCIHzn9vc5y8d53koQwbwpTDm2dyME0R1IyBwml6gHBxVQAHYArfe++nz/ -EMiLnT2cHj4YarRnKV3PsQwkyoWGNOvcgooAAAGJTdkjoAAABAMARzBFAiB9NX9E -cLDCqp/7OtbSXX+aKWrLvjxJxkJ/t6KKHs5KuAIhAPe0vRkffH2QXeKmoSJIbIsu -12nE//Eq2W7lZILeMAE+MA0GCSqGSIb3DQEBCwUAA4IBAQA18AfnCf61CHygVBJ+ -X6VJGD4sIN+pEgitXDExIXsRFs40jql17G6mn6zauC1Tg39y6c++AZV3kW405dac -tPcCwNVPv6P4E+ZDUTtJcPcD9CxoF2u9qm4yyluJa93K5pa+mwSX0k5a1jYG1PcB -ZPuqjlls67abv3t3Bml/nPKvjtPh4WX9MaInmHHKgM1XVrsChSjyW0FqLQ0YF3iH -vDDUPTXHBTq4oYg0ITFn1ivbEn1CpLjmYe+sKluzwTJzuYYAI4a8dfxHBPqKVVU7 -CwAGD+sI+FaiwKzNvqKOe8YyAXH/T7Txd9EmjdRVrBeOYbN9Ee75eBSvXo4q+6XU -m694 ------END CERTIFICATE----- diff --git a/data/ssl/_.franzi.business.crt_intermediate.pem b/data/ssl/_.franzi.business.crt_intermediate.pem deleted file mode 100644 index efd07a1..0000000 --- a/data/ssl/_.franzi.business.crt_intermediate.pem +++ /dev/null 
@@ -1,63 +0,0 @@ - ------BEGIN CERTIFICATE----- -MIIFFjCCAv6gAwIBAgIRAJErCErPDBinU/bWLiWnX1owDQYJKoZIhvcNAQELBQAw -TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh -cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMjAwOTA0MDAwMDAw -WhcNMjUwOTE1MTYwMDAwWjAyMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNTGV0J3Mg -RW5jcnlwdDELMAkGA1UEAxMCUjMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK -AoIBAQC7AhUozPaglNMPEuyNVZLD+ILxmaZ6QoinXSaqtSu5xUyxr45r+XXIo9cP -R5QUVTVXjJ6oojkZ9YI8QqlObvU7wy7bjcCwXPNZOOftz2nwWgsbvsCUJCWH+jdx -sxPnHKzhm+/b5DtFUkWWqcFTzjTIUu61ru2P3mBw4qVUq7ZtDpelQDRrK9O8Zutm -NHz6a4uPVymZ+DAXXbpyb/uBxa3Shlg9F8fnCbvxK/eG3MHacV3URuPMrSXBiLxg -Z3Vms/EY96Jc5lP/Ooi2R6X/ExjqmAl3P51T+c8B5fWmcBcUr2Ok/5mzk53cU6cG -/kiFHaFpriV1uxPMUgP17VGhi9sVAgMBAAGjggEIMIIBBDAOBgNVHQ8BAf8EBAMC -AYYwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMBIGA1UdEwEB/wQIMAYB -Af8CAQAwHQYDVR0OBBYEFBQusxe3WFbLrlAJQOYfr52LFMLGMB8GA1UdIwQYMBaA -FHm0WeZ7tuXkAXOACIjIGlj26ZtuMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcw -AoYWaHR0cDovL3gxLmkubGVuY3Iub3JnLzAnBgNVHR8EIDAeMBygGqAYhhZodHRw -Oi8veDEuYy5sZW5jci5vcmcvMCIGA1UdIAQbMBkwCAYGZ4EMAQIBMA0GCysGAQQB -gt8TAQEBMA0GCSqGSIb3DQEBCwUAA4ICAQCFyk5HPqP3hUSFvNVneLKYY611TR6W -PTNlclQtgaDqw+34IL9fzLdwALduO/ZelN7kIJ+m74uyA+eitRY8kc607TkC53wl -ikfmZW4/RvTZ8M6UK+5UzhK8jCdLuMGYL6KvzXGRSgi3yLgjewQtCPkIVz6D2QQz -CkcheAmCJ8MqyJu5zlzyZMjAvnnAT45tRAxekrsu94sQ4egdRCnbWSDtY7kh+BIm -lJNXoB1lBMEKIq4QDUOXoRgffuDghje1WrG9ML+Hbisq/yFOGwXD9RiX8F6sw6W4 -avAuvDszue5L3sz85K+EC4Y/wFVDNvZo4TYXao6Z0f+lQKc0t8DQYzk1OXVu8rp2 -yJMC6alLbBfODALZvYH7n7do1AZls4I9d1P4jnkDrQoxB3UqQ9hVl3LEKQ73xF1O -yK5GhDDX8oVfGKF5u+decIsH4YaTw7mP3GFxJSqv3+0lUFJoi5Lc5da149p90Ids -hCExroL1+7mryIkXPeFM5TgO9r0rvZaBFOvV2z0gp35Z0+L4WPlbuEjN/lxPFin+ -HlUjr8gRsI3qfJOQFy/9rKIJR0Y/8Omwt/8oTWgy1mdeHmmjk7j1nYsvC9JSQ6Zv -MldlTTKB3zhThV1+XWYp6rjd5JW1zbVWEkLNxE7GJThEUG3szgBVGP7pSWTUTsqX -nLRbwHOoq7hHwg== ------END CERTIFICATE----- - ------BEGIN CERTIFICATE----- -MIIFYDCCBEigAwIBAgIQQAF3ITfU6UK47naqPGQKtzANBgkqhkiG9w0BAQsFADA/ 
-MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT -DkRTVCBSb290IENBIFgzMB4XDTIxMDEyMDE5MTQwM1oXDTI0MDkzMDE4MTQwM1ow -TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh -cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwggIiMA0GCSqGSIb3DQEB -AQUAA4ICDwAwggIKAoICAQCt6CRz9BQ385ueK1coHIe+3LffOJCMbjzmV6B493XC -ov71am72AE8o295ohmxEk7axY/0UEmu/H9LqMZshftEzPLpI9d1537O4/xLxIZpL -wYqGcWlKZmZsj348cL+tKSIG8+TA5oCu4kuPt5l+lAOf00eXfJlII1PoOK5PCm+D -LtFJV4yAdLbaL9A4jXsDcCEbdfIwPPqPrt3aY6vrFk/CjhFLfs8L6P+1dy70sntK -4EwSJQxwjQMpoOFTJOwT2e4ZvxCzSow/iaNhUd6shweU9GNx7C7ib1uYgeGJXDR5 -bHbvO5BieebbpJovJsXQEOEO3tkQjhb7t/eo98flAgeYjzYIlefiN5YNNnWe+w5y -sR2bvAP5SQXYgd0FtCrWQemsAXaVCg/Y39W9Eh81LygXbNKYwagJZHduRze6zqxZ -Xmidf3LWicUGQSk+WT7dJvUkyRGnWqNMQB9GoZm1pzpRboY7nn1ypxIFeFntPlF4 -FQsDj43QLwWyPntKHEtzBRL8xurgUBN8Q5N0s8p0544fAQjQMNRbcTa0B7rBMDBc -SLeCO5imfWCKoqMpgsy6vYMEG6KDA0Gh1gXxG8K28Kh8hjtGqEgqiNx2mna/H2ql -PRmP6zjzZN7IKw0KKP/32+IVQtQi0Cdd4Xn+GOdwiK1O5tmLOsbdJ1Fu/7xk9TND -TwIDAQABo4IBRjCCAUIwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYw -SwYIKwYBBQUHAQEEPzA9MDsGCCsGAQUFBzAChi9odHRwOi8vYXBwcy5pZGVudHJ1 -c3QuY29tL3Jvb3RzL2RzdHJvb3RjYXgzLnA3YzAfBgNVHSMEGDAWgBTEp7Gkeyxx -+tvhS5B1/8QVYIWJEDBUBgNVHSAETTBLMAgGBmeBDAECATA/BgsrBgEEAYLfEwEB -ATAwMC4GCCsGAQUFBwIBFiJodHRwOi8vY3BzLnJvb3QteDEubGV0c2VuY3J5cHQu -b3JnMDwGA1UdHwQ1MDMwMaAvoC2GK2h0dHA6Ly9jcmwuaWRlbnRydXN0LmNvbS9E -U1RST09UQ0FYM0NSTC5jcmwwHQYDVR0OBBYEFHm0WeZ7tuXkAXOACIjIGlj26Ztu -MA0GCSqGSIb3DQEBCwUAA4IBAQAKcwBslm7/DlLQrt2M51oGrS+o44+/yQoDFVDC -5WxCu2+b9LRPwkSICHXM6webFGJueN7sJ7o5XPWioW5WlHAQU7G75K/QosMrAdSW -9MUgNTP52GE24HGNtLi1qoJFlcDyqSMo59ahy2cI2qBDLKobkx/J3vWraV0T9VuG -WCLKTVXkcGdtwlfFRjlBz4pYg1htmf5X6DYO8A4jqv2Il9DjXA6USbW1FzXSLr9O -he8Y4IWS6wY7bCkjCWDcRQJMEhg76fsO3txE+FiYruq9RUWhiF1myv4Q6W+CyBFC -Dfvp7OOGAN6dEOM4+qR9sdjoSYKEBpsr6GtPAQw4dy753ec5 ------END CERTIFICATE----- 
diff --git a/data/ssl/_.franzi.business.key.pem.vault b/data/ssl/_.franzi.business.key.pem.vault deleted file mode 100644 index 25d60b2..0000000 --- a/data/ssl/_.franzi.business.key.pem.vault +++ /dev/null @@ -1 +0,0 @@ -encrypt$gAAAAABkr5PB-wJHkafI36L_D3PczVkrAfnOgriEiGubuh55kBw-fbT2-ufmRs59rPFgc9AYamQ8TeCXOVDnQaN6Q1yyESHZ8GClp2EVuitHenIKO2skUaiKknAwOj7teh0fHcXpJ4MkXRFjtDqdzvvWvBbcrPj4pLS_Ft_izE4EBIcSza_qoDSxSZ8_9wR0IUx7_ie2OfyhOSRZV8dfb8jFVawC9Fz7vkB23Y_vmY7_oc3x7t00SFuB-5R0D2max16mygV7lgyKdbnchbXoVo7s3naZ514eE4X46Q61xcsMDQkbmTKpGjqrQThkvAiDwFpfWOqRB9go-bSU54Vo5DVUdqZY-Jab6RiaxbEu4XOEhEhCnQdq671dKkLF26N2wcXYQwtWLuMCaKO0gHPA4lO5RByZmK7NKUbCH5-RD6cY9K_DqkMMaNkYrJVANWpotjACggNR2x4ZlVlqlQ0JV0lGj3toY891xQ== \ No newline at end of file diff --git a/nodes/htz-cloud/sewfile.py b/nodes/htz-cloud/sewfile.py index d8585ec..0ecd5db 100644 --- a/nodes/htz-cloud/sewfile.py +++ b/nodes/htz-cloud/sewfile.py @@ -55,7 +55,6 @@ nodes['htz-cloud.sewfile'] = { 'nginx': { 'vhosts': { 'sewfile.franzi.business': { - 'ssl': '_.franzi.business', 'max_body_size': '0', 'extras': True, 'website_check_path': '/accounts/login/', From 787607b5a16cc7c19c9fc0e55a2798bcf5a0a5bf Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 24 Sep 2023 14:49:02 +0200 Subject: [PATCH 378/996] automatix/upgrade_debian_bookworm: always upgrade zfs pools --- automatix/upgrade_debian_bookworm.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/automatix/upgrade_debian_bookworm.yaml b/automatix/upgrade_debian_bookworm.yaml index 822597b..352940b 100644 --- a/automatix/upgrade_debian_bookworm.yaml +++ b/automatix/upgrade_debian_bookworm.yaml 
@@ -32,9 +32,9 @@ pipeline: # fix zfs and reboot again - buster_with_zfs?remote@node: zpool import tank -f - - buster_with_zfs?remote@node: zpool upgrade -a - - buster_with_zfs?remote@node: systemctl reboot - - buster_with_zfs?local: | + - has_zfs?remote@node: zpool upgrade -a + - has_zfs?remote@node: systemctl reboot + - has_zfs?local: | exit=1 while [[ $exit -ne 0 ]]; do From 74baeb4bf4fb63e9a8c21844d3349151316fdb6d Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 24 Sep 2023 15:22:14 +0200 Subject: [PATCH 379/996] bundles/apt: suport deb822-style sources --- bundles/apt/files/deb822-sources | 9 ++++++ bundles/apt/items.py | 49 +++++++++++++++++++++++--------- 2 files changed, 45 insertions(+), 13 deletions(-) create mode 100644 bundles/apt/files/deb822-sources diff --git a/bundles/apt/files/deb822-sources b/bundles/apt/files/deb822-sources new file mode 100644 index 0000000..c1b8202 --- /dev/null +++ b/bundles/apt/files/deb822-sources @@ -0,0 +1,9 @@ +% for uri in sorted(uris): +Types: ${' '.join(sorted(data.get('types', {'deb'})))} +URIs: ${uri} +Suites: ${os_release} +Components: ${' '.join(sorted(data.get('components', {'main'})))} +Architectures: ${' '.join(sorted(data.get('architectures', {'amd64'})))} +Signed-By: /etc/apt/trusted.gpg.d/${name}.list.asc + +% endfor diff --git a/bundles/apt/items.py b/bundles/apt/items.py index 5dd236d..6adbab1 100644 --- a/bundles/apt/items.py +++ b/bundles/apt/items.py 
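Review bot: `zpool upgrade -a` now runs on every `has_zfs` host and it enables all feature flags irreversibly, so a pool upgraded by this step can no longer be imported by the pre-upgrade kernel module if the bookworm upgrade has to be rolled back; a comment on the step, `# irreversible: pools cannot be imported by the older zfs module afterwards`, would make that visible to whoever runs the pipeline. The preceding `zpool import tank -f` step is still gated on `buster_with_zfs`, so on other zfs hosts the upgrade assumes the pool is already imported; worth stating whether that is intended. The pipeline continues outside the hunk.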
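Review bot: `Signed-By: /etc/apt/trusted.gpg.d/${name}.list.asc` is emitted unconditionally, but the items.py change in the same commit only installs that key file when `install_gpg_key` is true, so a deb822 repo with `install_gpg_key: False` references a keyring that does not exist and apt refuses the source; wrap the line in `% if data.get('install_gpg_key', True):` … `% endif`. Independently of that, any key placed under `/etc/apt/trusted.gpg.d/` is trusted for every repository on the host, which defeats the per-repo scoping `Signed-By` is meant to give; a directory outside apt's global trust store, such as `/etc/apt/keyrings/`, keeps the key bound to this source only.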
@@ -169,21 +169,44 @@ if node.os_version[0] >= 11: } for name, data in node.metadata.get('apt/repos', {}).items(): - files['/etc/apt/sources.list.d/{}.list'.format(name)] = { - 'content_type': 'mako', - 'content': ("\n".join(sorted(data['items']))).format( - os=node.os, - os_release=supported_os[node.os][node.os_version[0]], - ), - 'triggers': { - 'action:apt_update', - }, - } + if 'items' in data: + files['/etc/apt/sources.list.d/{}.list'.format(name)] = { + 'content_type': 'mako', + 'content': ("\n".join(sorted(data['items']))).format( + os=node.os, + os_release=supported_os[node.os][node.os_version[0]], + ), + 'triggers': { + 'action:apt_update', + }, + } + elif 'uris' in data: + uris = { + x.format( + os=node.os, + os_release=supported_os[node.os][node.os_version[0]], + ) for x in data['uris'] + } + + files['/etc/apt/sources.list.d/{}.sources'.format(name)] = { + 'source': 'deb822-sources', + 'content_type': 'mako', + 'context': { + 'data': data, + 'name': name, + 'os_release': supported_os[node.os][node.os_version[0]], + 'uris': uris, + }, + 'triggers': { + 'action:apt_update', + }, + } if data.get('install_gpg_key', True): - files['/etc/apt/sources.list.d/{}.list'.format(name)]['needs'] = { - 'file:/etc/apt/trusted.gpg.d/{}.list.asc'.format(name), - } + if 'items' in data: + files['/etc/apt/sources.list.d/{}.list'.format(name)]['needs'] = { + 'file:/etc/apt/trusted.gpg.d/{}.list.asc'.format(name), + } files['/etc/apt/trusted.gpg.d/{}.list.asc'.format(name)] = { 'source': 'gpg-keys/{}.asc'.format(name), From 361bb6a56314dc19e4baf5e1b053a9a95d2c9846 Mon Sep 17 00:00:00 2001 
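Review bot: In the new `elif 'uris' in data:` branch the `.sources` file never gets a `needs` on its keyring, because the `needs` assignment under `if data.get('install_gpg_key', True):` was wrapped in `if 'items' in data:` only; `action:apt_update` can therefore fire with the `.sources` file in place but the `Signed-By` file not yet written, and apt rejects the repository. Add the parallel branch `elif 'uris' in data: files['/etc/apt/sources.list.d/{}.sources'.format(name)]['needs'] = {'file:/etc/apt/trusted.gpg.d/{}.list.asc'.format(name)}`. A repo entry that has neither `items` nor `uris` is now silently skipped; a `raise BundleError(...)` in a final `else:` would surface typos in node metadata. The loop body continues past the hunk.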
From: Franziska Kunsmann Date: Sun, 24 Sep 2023 15:22:38 +0200 Subject: [PATCH 380/996] install jellyfin onto home.nas --- bundles/jellyfin/files/jellyfin-sudoers | 7 ++++ bundles/jellyfin/items.py | 5 +++ bundles/jellyfin/metadata.py | 38 ++++++++++++++++++ data/apt/files/gpg-keys/jellyfin.asc | 51 +++++++++++++++++++++++++ nodes/home/nas.py | 1 + 5 files changed, 102 insertions(+) create mode 100644 bundles/jellyfin/files/jellyfin-sudoers create mode 100644 bundles/jellyfin/items.py create mode 100644 bundles/jellyfin/metadata.py create mode 100644 data/apt/files/gpg-keys/jellyfin.asc diff --git a/bundles/jellyfin/files/jellyfin-sudoers b/bundles/jellyfin/files/jellyfin-sudoers new file mode 100644 index 0000000..1d138d6 --- /dev/null +++ b/bundles/jellyfin/files/jellyfin-sudoers @@ -0,0 +1,7 @@ +Cmnd_Alias RESTARTSERVER_SYSTEMD = /usr/bin/systemd-run systemctl restart jellyfin +Cmnd_Alias STARTSERVER_SYSTEMD = /usr/bin/systemd-run systemctl start jellyfin +Cmnd_Alias STOPSERVER_SYSTEMD = /usr/bin/systemd-run systemctl stop jellyfin + +jellyfin ALL=(ALL) NOPASSWD: RESTARTSERVER_SYSTEMD +jellyfin ALL=(ALL) NOPASSWD: STARTSERVER_SYSTEMD +jellyfin ALL=(ALL) NOPASSWD: STOPSERVER_SYSTEMD diff --git a/bundles/jellyfin/items.py b/bundles/jellyfin/items.py new file mode 100644 index 0000000..6bd828d --- /dev/null +++ b/bundles/jellyfin/items.py @@ -0,0 +1,5 @@ +files['/etc/sudoers.d/jellyfin-sudoers'] = { + 'after': { + 'pkg_apt:jellyfin', + }, +} diff --git a/bundles/jellyfin/metadata.py b/bundles/jellyfin/metadata.py new file mode 100644 index 0000000..b675d93 --- /dev/null +++ b/bundles/jellyfin/metadata.py 
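Review bot: The sudoers drop-in is declared with only `'after'`, so it is written with the file item's default mode and without any syntax check; a malformed file in `/etc/sudoers.d/` makes sudo refuse every rule on the host, not just this one. Add `'mode': '0440'` and a pre-write check such as `'test_with': 'visudo -cf {}'`, and consider `'needs'` rather than `'after'` if the file should not be written when the package install fails. The rules themselves are tight (full command lines via `systemd-run`), which is worth a one-line comment in the sudoers file so nobody loosens them to `systemctl *`.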
@@ -0,0 +1,38 @@ +from bundlewrap.metadata import atomic + +defaults = { + 'apt': { + 'packages': { + 'jellyfin': {}, + }, + 'repos': { + 'jellyfin': { + 'uris': { + 'https://repo.jellyfin.org/{os}' + }, + }, + }, + }, + 'icinga2_api': { + 'transmission': { + 'services': { + 'JELLYFIN PROCESS': { + 'command_on_monitored_host': '/usr/lib/nagios/plugins/check_procs -C jellyfin -c 1:', + }, + }, + }, + }, +} + + +@metadata_reactor.provides( + 'firewall/port_rules', +) +def firewall(metadata): + return { + 'firewall': { + 'port_rules': { + '8096': atomic(metadata.get('jellyfin/restrict-to', {'*'})), + }, + }, + } diff --git a/data/apt/files/gpg-keys/jellyfin.asc b/data/apt/files/gpg-keys/jellyfin.asc new file mode 100644 index 0000000..618b517 --- /dev/null +++ b/data/apt/files/gpg-keys/jellyfin.asc 
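Review bot: The `icinga2_api` block registers `JELLYFIN PROCESS` under the key `'transmission'`, which looks like a copy-paste from the transmission bundle and would attach the check to the wrong host object or collide with that bundle's entry; it should presumably read `'jellyfin': {'services': {...}}`. The firewall reactor follows the other bundles' convention of opening `8096` to `{'*'}` unless `jellyfin/restrict-to` is set; a comment such as `# reachable from everywhere unless the node sets jellyfin/restrict-to` would make the default explicit to the next reader.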
@@ -0,0 +1,51 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- + +mQGNBFwWoe0BDAC84Lw0ULDa7goKnxx6MsoSRp/c26mVSyo32NaaU4hd0j2ZsRpA +/Au33yZJesgtq6O5H3X2aQazmENqtp/phyWexwPn6L7w5SMkSMQIGCNzmbWnd2ef +RHHp2vJ7w9p5d2FRm2mPnxvgV+G2lumg2Nq9YWCdhI0lpIh47n4KBR4WjmVi+Jrp +VhZan4TUUX8Lz3HP3jW1gzXIOnD8dEM+HyBamq8GCnmA3jtqFY2pxeU/Ol7uXmBw +n4B2AHHDe5CyhczK+j6tvdvN+1mNnXXrg0W5hu6MJuHBucQF1sXhYC7q9BzhMEES +MM+mXzwwjknVdxh7rFHz5Hh+rwA6cTE/3rbvMhNaFusLC6gGuZw+LyK2Y2gsWkZ9 +1vtdlpU1Evox+JYH2wnfgLdMEnqOP4JT7jOwJwoQS7nxTJBGBx9RK/BGfCHf5LE8 +moJxIBsw3rpgsP75ekaNTuxIZdQz+hzRB/rsk8I7U7L1i9RS8E+2DQDO98PZ7ZMQ +hcUbEFSEtrdMTEMAEQEAAbQhSmVsbHlmaW4gVGVhbSA8dGVhbUBqZWxseWZpbi5v +cmc+iQHOBBMBCgA4AhsDBQsJCAcDBRUKCQgLBRYDAgEAAh4BAheAFiEESRiqvEhs +oFI1jXeNSQI80B3iGnsFAl+6tVIACgkQSQI80B3iGntaRwwAmoF7msQXtBc+pC+q +li/kP/HAY/lowPdG6HqnVlfIUnDymBR4oKTO+izuZDNVFczBtiExcWecp4kbV0vV +o1W7vtzrSsZngYSU9JeZD41WOOM4oKtk8wU4ctS/bXKpgj8fY+sb9J0xwJEl0lPF +lV582aChUa2IZJUmOaoQPij/HZDnZ4HVgjB4AsPQUmdENVypV83BjuRuSyifOdGv +hXmwouM8i/nZRNTcrVtaLQyFRJ9zmqa34qioXWmgJPOZbrZf3s/YGCfsQKuwyOzH +v92g0bV0N6pHTct9tyNyXg3qVYZvybrpaDJgDKZ3e6xcxOmbfLdDG79r5OdEzSby +ooVLwl5au2dtODgKgnohso+02bqFCP63szPU4LmexysEqQKqVVU6bZum8rAYN52j +C4ejkqxoDbUiay2Ou0BsUnQFdH3p/H25YMUAUuPYD4iFkGe3KmfRAbW6k0z1+pF1 +qXst9T9/egEDFmgdpj7O//TqGZ8kk5nBiFjsLt42/yLUJy4ZiQHUBBMBCgA+FiEE +SRiqvEhsoFI1jXeNSQI80B3iGnsFAlwWoe0CGwMFCQPCZwAFCwkIBwMFFQoJCAsF +FgMCAQACHgECF4AACgkQSQI80B3iGntrNgwAqjW/2LvcvnIldvc1kwCGkZ5Tueka +msP1UvhWs9hy4LQw3oRfDBqh4rBS2cU889GUjJsu825hudxQ0bGz3fw/c8oSPNnU +haygZqAuHHu6wTrw3p4/F2o3vdvCvOBDvwdqF9R/ID3IcIL3n8Yor4RrYyYp9jCZ +YS97kmW2UoplrkcJoeKf1pbYdQQUgM5MVKDRe7fEsXKTEouRlfkGF/9k66t+sAL0 +qUhJ89cEXHYSZQR+XA9ajft9+6pEWNNZwV4lwjBYx1AGF0l/VfGcH8QDNBqsfKM4 +rOEDfKUrpo91HavqdR7z8g6hVRvn1p30QKceMQLJTwM2ppAWmZlDEjeeqZVxsnYG +a9wbt5euc9m5lhXOPDIHCbecTzEku4g3vbdU+YR7os/1uosvZ/oAoFQrO4x5jbes +kTIGawfzUxv75U0Yk0wOaa7wrvLn+iQNAV09skzLee0w4ZOUZAvqVVvM1jWiz0kV +t6KK2zDmXZpU5ucZijn/j4sjFTe5s5b/d/BnuQGNBFwWoe0BDACm+PPkKavrzYX7 
+nx7Bhii1u/8pn8xWuSkLbUaAez0h1AAjmxNG0ntYNuyzucbZSyae6ujPH3V/a9qC +omIIy8CqY0Tn9AZ5Icz1UmG7EZV5hMyWTELG6/PKK0K0p5m3IT6la4fVUv5z8wb6 +7qDSbWoW9ZQZMYeK7BOAXPns9nJ9Q753cxafl5g6D44WquGiOLhy7Ms37J/eua5i +6FhEeLZaqvlwJ0cC3R/JgZGACjZVXNrzUMZ2jnS7XtuzWcwyabh4GvDE8baLGGQG +mFHNm5o80ZlsrC5hIHIcH1QrcAxTkS6BnMCIKc05ZuotYJhwUFhZPXguw0fQjfcw +M9nCwMbQtYJdnifiKxeJNMo3Nwv6ZXv57y9wjx1F4zQB0LhnZQqkEIIUCzFgaHNC +gnfmPgiOnC0XjXLw84k8rIsCx2c7Aqzg7fygsry0l8sTllewejM1LZDyWHqGJM0L +RlZMTKFOJmx6pBkLfcZpggaN6FucL/6kDgQ1Gu+h4GTJlx76t60AEQEAAYkBtgQY +AQoAIAIbDBYhBEkYqrxIbKBSNY13jUkCPNAd4hp7BQJfurVdAAoJEEkCPNAd4hp7 +gdgL/ja9frYBY2Iyhzk9p3TYyk4NXYqtmd42oslrQtXDkRLld3Hn1d0caacKngKY +xgJOV46qOdXMgOTGdIjYkDYVTiNyVmsiGGnclxO8CWXuPR243zxSLik/1JTO+6dZ +tOwJYAYct8hsKY3gayPViu4tRCmDx2zbiXUYy3/puwBFZDrlk7XCguc3Yl9vgWdB +WgoSMxqq5PGIRngKe416Fkjm3eLUOXi1MTifC4gHBi9yqK/sQ3VK4/xj1hsAfJ4t +ynJE1d/PGF3DDtV/Jo+lEcxUQre32ItAMQ6//6sePfyre9lscO1c0ju6kvEEfxhw +h6qGmrnTVVHBbpBvI7nY3M5BfdDIg5/oQm0r5OLcPkMb2FKYNMmCPg/sd1qkw0LF +ZoV3SMsxEMK5J6P+XVH2vmZPWQhObZxUbnCYEZX/nVG1lbtRQ/EwXLT2/WoxQ5sg +JsVnlqQu0XjtZhSDcIR/dNgJfYsrts3xfn1qMzs8b63nq/GXTEmRvZpOggGo/ybT +oqYC5A== +=OWPs +-----END PGP PUBLIC KEY BLOCK----- diff --git a/nodes/home/nas.py b/nodes/home/nas.py index 8406511..fee7979 100644 --- a/nodes/home/nas.py +++ b/nodes/home/nas.py @@ -4,6 +4,7 @@ nodes['home.nas'] = { 'hostname': '172.19.138.20', 'bundles': { 'backup-client', + 'jellyfin', 'lm-sensors', 'mixcloud-downloader', 'mosquitto', From 4084e764e49905d093907029c13886d1a19bf304 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 24 Sep 2023 16:48:19 +0200 Subject: [PATCH 381/996] add nginx proxy to jellyfin --- bundles/jellyfin/metadata.py | 29 +++++++++++++++++++---- data/powerdns/files/bind-zones/kunbox.net | 3 +++ nodes/home/nas.py | 9 +++++++ 3 files changed, 36 insertions(+), 5 deletions(-) diff --git a/bundles/jellyfin/metadata.py b/bundles/jellyfin/metadata.py index b675d93..5728913 100644 --- a/bundles/jellyfin/metadata.py 
+++ b/bundles/jellyfin/metadata.py @@ -13,6 +13,11 @@ defaults = { }, }, }, + 'backups': { + 'paths': { + f'/var/lib/jellyfin/{x}' for x in ('data', 'metadata', 'plugins', 'root') + }, + }, 'icinga2_api': { 'transmission': { 'services': { @@ -26,13 +31,27 @@ defaults = { @metadata_reactor.provides( - 'firewall/port_rules', + 'nginx/vhosts/jellyfin', ) -def firewall(metadata): +def nginx(metadata): + if not node.has_bundle('nginx'): + raise DoNotRunAgain + + if 'jellyfin' not in metadata.get('nginx/vhosts', {}): + return {} + return { - 'firewall': { - 'port_rules': { - '8096': atomic(metadata.get('jellyfin/restrict-to', {'*'})), + 'nginx': { + 'vhosts': { + 'jellyfin': { + 'do_not_add_content_security_headers': True, + 'locations': { + '/': { + 'target': 'http://127.0.0.1:8096', + 'websockets': True, + }, + }, + }, }, }, } diff --git a/data/powerdns/files/bind-zones/kunbox.net b/data/powerdns/files/bind-zones/kunbox.net index c7b110a..3e77354 100644 --- a/data/powerdns/files/bind-zones/kunbox.net +++ b/data/powerdns/files/bind-zones/kunbox.net @@ -27,6 +27,9 @@ _acme-challenge.home IN CNAME _acme-challenge.home.kunbox.net.le.kunbox.net. ; aurto, keep old name aurto IN CNAME aurto.htz-cloud +; stuff running at home +jellyfin.home IN CNAME nas.home + ; Mail servers mta-sts IN CNAME carlene diff --git a/nodes/home/nas.py b/nodes/home/nas.py index fee7979..818d9b3 100644 --- a/nodes/home/nas.py +++ b/nodes/home/nas.py @@ -17,6 +17,7 @@ nodes['home.nas'] = { }, 'groups': { 'debian-bullseye', + 'webserver', }, 'metadata': { 'interfaces': { @@ -135,6 +136,14 @@ nodes['home.nas'] = { }, }, }, + 'nginx': { + 'vhosts': { + 'jellyfin': { + 'domain': 'jellyfin.home.kunbox.net', + 'ssl': '_.home.kunbox.net', + }, + }, + }, 'rsyslogd': { 'restrict-to': { 'home', From d6eb0b42289729cdcbeb88ddd4b997fac395af21 Mon Sep 17 00:00:00 2001 
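Review bot: `'do_not_add_content_security_headers': True` disables the nginx bundle's security headers for this vhost with no explanation; add a comment on that line, e.g. `# TODO(review): record why the default security headers are disabled for this vhost`, so the exception is not copied elsewhere without reason. The same hunk removes the `firewall/port_rules` reactor for `8096`, so a node running jellyfin without the nginx bundle (where the reactor raises `DoNotRunAgain`) no longer gets any rule opening the port; if "proxy only" is the intended design, a one-line comment on `nginx()` saying so would prevent someone re-adding the port rule later.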
From: Franziska Kunsmann Date: Sun, 24 Sep 2023 18:48:24 +0200 Subject: [PATCH 382/996] bundles/bird: do not auto-generate config if peer does not use bird --- bundles/bird/metadata.py | 3 +++ 1 file changed, 3 insertions(+) diff --git a/bundles/bird/metadata.py b/bundles/bird/metadata.py index 38794ba..c442a26 100644 --- a/bundles/bird/metadata.py +++ b/bundles/bird/metadata.py @@ -43,6 +43,9 @@ def neighbor_info_from_wireguard(metadata): except NoSuchNode: continue + if not rnode.has_bundle('bird'): + continue + neighbors[name] = { 'local_ip': config['my_ip'], 'local_as': my_as, From e27e374983355c49cff40ab42bade06231a8198c Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 24 Sep 2023 18:49:31 +0200 Subject: [PATCH 383/996] bundles/vmhost: qemu-headless does not exist anymore, apparently --- bundles/vmhost/metadata.py | 1 - 1 file changed, 1 deletion(-) diff --git a/bundles/vmhost/metadata.py b/bundles/vmhost/metadata.py index 36eb53b..9c4cd5e 100644 --- a/bundles/vmhost/metadata.py +++ b/bundles/vmhost/metadata.py @@ -25,7 +25,6 @@ defaults = { 'packages': { 'edk2-ovmf': {}, 'libvirt': {}, - 'qemu-headless': {}, }, }, } From 53ff288d89dfc09bf80cd6702b00af1b81506289 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 24 Sep 2023 18:54:47 +0200 Subject: [PATCH 384/996] bundles/systemd-networkd: combine templates for interfaces --- .../files/template-iface-dhcp.network | 27 --------------- ...-nodhcp.network => template-iface.network} | 33 ++++++++++++++----- bundles/systemd-networkd/items.py | 4 +-- 3 files changed, 26 insertions(+), 38 deletions(-) delete mode 100644 bundles/systemd-networkd/files/template-iface-dhcp.network rename bundles/systemd-networkd/files/{template-iface-nodhcp.network => template-iface.network} (62%) diff --git a/bundles/systemd-networkd/files/template-iface-dhcp.network b/bundles/systemd-networkd/files/template-iface-dhcp.network deleted file mode 100644 index 19fd0d8..0000000 
--- a/bundles/systemd-networkd/files/template-iface-dhcp.network +++ /dev/null @@ -1,27 +0,0 @@ -<% - from ipaddress import ip_network -%>\ -[Match] -Name=${interface} - -[Network] -DHCP=yes -IPv6AcceptRA=yes - -[DHCPv4] -UseDomains=${str(config.get('use_dhcp_domains', False)).lower()} -UseHostname=no -UseMTU=${str(config.get('use_dhcp_mtu', True)).lower()} -UseNTP=${str(config.get('use_dhcp_ntp', False)).lower()} -UseTimezone=no - -% if config.get('send_hostname', True): -SendHostname=yes -Hostname=${node.name.split('.')[-1]} -% else: -SendHostname=no -% endif - -% if config.get('forwarding', False): -IPForward=yes -%endif diff --git a/bundles/systemd-networkd/files/template-iface-nodhcp.network b/bundles/systemd-networkd/files/template-iface.network similarity index 62% rename from bundles/systemd-networkd/files/template-iface-nodhcp.network rename to bundles/systemd-networkd/files/template-iface.network index 59c2d91..cbb10b6 100644 --- a/bundles/systemd-networkd/files/template-iface-nodhcp.network +++ b/bundles/systemd-networkd/files/template-iface.network 
@@ -25,30 +25,47 @@ Destination=${route} GatewayOnlink=yes % endfor -% if 'gateway4' in config: +% if not config.get('dhcp', False): +% if 'gateway4' in config: [Route] Gateway=${config['gateway4']} GatewayOnlink=yes -% endif -% if 'gateway6' in config: +% endif +% if 'gateway6' in config: [Route] Gateway=${config['gateway6']} GatewayOnlink=yes +% endif % endif [Network] -DHCP=no -% if config.get('ipv6_accept_ra', False): +% if config.get('ipv6_accept_ra', False) or config.get('dhcp', False): IPv6AcceptRA=yes % else: IPv6AcceptRA=no % endif +% if config.get('dhcp', False): +DHCP=yes +IPv6AcceptRA=yes -% if config.get('forwarding', False): -IPForward=yes -%endif +[DHCPv4] +UseDomains=false +UseHostname=no +UseMTU=true +UseNTP=false +UseTimezone=no + +SendHostname=no +% else: +DHCP=no +% endif % for vlan in sorted(config.get('vlans', set())): VLAN=${interface}.${vlan} % endfor +% if 'activation_policy' in config: + +[Link] +ActivationPolicy=${config['activation_policy']} +% endif diff --git a/bundles/systemd-networkd/items.py b/bundles/systemd-networkd/items.py index 969c3e2..7bd0808 100644 --- a/bundles/systemd-networkd/items.py +++ b/bundles/systemd-networkd/items.py @@ -40,9 +40,7 @@ for interface, config in node.metadata.get('interfaces').items(): if config.get('dhcp', False): if 'vlans' in config: raise BundleError(f'{node.name} interface {interface} cannot use vlans and dhcp!') - template = 'template-iface-dhcp.network' else: - template = 'template-iface-nodhcp.network' all_interfaces_use_dhcp = False if '.' in interface: @@ -80,7 +78,7 @@ for interface, config in node.metadata.get('interfaces').items(): if not config.get('ignore', False): files[f'/etc/systemd/network/{interface}.network'] = { - 'source': template, + 'source': 'template-iface.network', 'content_type': 'mako', 'context': { 'interface': interface, From 0e40b030609da1212562bad4032e8bccce1ea3e2 Mon Sep 17 00:00:00 2001 
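Review bot: In the DHCP branch `IPv6AcceptRA=yes` is written twice — once in `[Network]` by the `ipv6_accept_ra ... or dhcp` condition and again right after `DHCP=yes` — so the second line is redundant and should be dropped. The merged template also hard-codes `UseDomains=false`, `UseMTU=true`, `UseNTP=false` and `SendHostname=no`, and no longer emits `IPForward=yes`, so the `use_dhcp_domains`, `use_dhcp_mtu`, `use_dhcp_ntp`, `send_hostname` and `forwarding` keys the deleted template honoured are now silently ignored; if they are intentionally retired, a `BundleError` in items.py for interfaces that still set them would catch stale node metadata. The head of the template is outside the hunk.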
From: Franziska Kunsmann Date: Sun, 24 Sep 2023 18:55:29 +0200 Subject: [PATCH 385/996] bundles/wireguard: only try to do full mesh if *we* are doing full mesh --- bundles/wireguard/metadata.py | 3 +++ 1 file changed, 3 insertions(+) diff --git a/bundles/wireguard/metadata.py b/bundles/wireguard/metadata.py index a01f300..b739efa 100644 --- a/bundles/wireguard/metadata.py +++ b/bundles/wireguard/metadata.py @@ -42,6 +42,9 @@ if node.has_bundle('telegraf'): def peers_auto_full_mesh(metadata): peers = {} + if node.name not in repo.libs.s2s.WG_AUTOGEN_NODES: + return {} + for rnode in repo.libs.s2s.WG_AUTOGEN_NODES: if rnode is None or rnode == node.name: continue From 458606649eb1575c44fa0969ce5d8ff538a13d2a Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 24 Sep 2023 18:56:50 +0200 Subject: [PATCH 386/996] bundles/wireguard: add option to route networks through vpn --- bundles/wireguard/metadata.py | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/bundles/wireguard/metadata.py b/bundles/wireguard/metadata.py index b739efa..a7f3000 100644 --- a/bundles/wireguard/metadata.py +++ b/bundles/wireguard/metadata.py @@ -235,6 +235,8 @@ def interface_ips(metadata): snat_ip = metadata.get('wireguard/snat_ip', None) for peer, config in sorted(metadata.get('wireguard/peers', {}).items()): + routes = {} + if '/' in config['my_ip']: my_ip = config['my_ip'] else: @@ -243,8 +245,18 @@ def interface_ips(metadata): ips = {my_ip} if snat_ip: ips.add(snat_ip) + + their_ip = config['their_ip'] + if '/' in their_ip: + their_ip = their_ip.split('/')[0] + + for route in config.get('routes', set()): + routes[route] = {'via': their_ip} + interfaces[f'wg_{config["iface"]}'] = { + 'activation_policy': 'up' if config.get('auto_connection', True) else 'manual', 'ips': ips, + 'routes': routes, } return { 'interfaces': interfaces, From a09b5b98ca61959f56fdc0272ed50e5da2b9e44e Mon Sep 17 00:00:00 2001 
From: Franziska Kunsmann Date: Sun, 24 Sep 2023 18:57:27 +0200 Subject: [PATCH 387/996] bundles/wireguard: disable health_checks if auto_connection is false --- bundles/wireguard/metadata.py | 1 + 1 file changed, 1 insertion(+) diff --git a/bundles/wireguard/metadata.py b/bundles/wireguard/metadata.py index a7f3000..987fd35 100644 --- a/bundles/wireguard/metadata.py +++ b/bundles/wireguard/metadata.py @@ -303,6 +303,7 @@ def health_checks(metadata): for peer, config in metadata.get('wireguard/peers', {}).items(): if ( config.get('exclude_from_monitoring', False) + or not config.get('auto_connection', True) or 'endpoint' not in config ): continue From b9d420406031a6a2e7382ba981b7194f6d64603a Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 24 Sep 2023 18:58:03 +0200 Subject: [PATCH 388/996] add wireguard connection between htz-cloud.wireguard and kunsi-p14s --- nodes/htz-cloud/wireguard.py | 13 +++++++++++++ nodes/kunsi-p14s.py | 15 +++++++++++++++ 2 files changed, 28 insertions(+) diff --git a/nodes/htz-cloud/wireguard.py b/nodes/htz-cloud/wireguard.py index ac4a02a..90b15ad 100644 --- a/nodes/htz-cloud/wireguard.py +++ b/nodes/htz-cloud/wireguard.py @@ -34,6 +34,7 @@ nodes['htz-cloud.wireguard'] = { 'bird': { 'static_routes': { '172.19.137.0/24', + '172.19.136.64/31', }, }, 'nftables': { @@ -43,6 +44,9 @@ nodes['htz-cloud.wireguard'] = { 'inet filter forward oif eth0 accept', 'nat postrouting oif eth0 masquerade', ], + 'wg_special': [ + 'inet filter input udp dport 51819 accept', + ], }, }, 'vm': { @@ -51,6 +55,15 @@ nodes['htz-cloud.wireguard'] = { }, 'wireguard': { 'snat_ip': '172.19.137.2', + 'peers': { + 'kunsi-p14s': { + 'endpoint': None, + 'exclude_from_monitoring': True, + 'my_ip': '172.19.136.64', + 'my_port': 51819, + 'their_ip': '172.19.136.65', + }, + }, }, }, } diff --git a/nodes/kunsi-p14s.py b/nodes/kunsi-p14s.py index 30cc830..7c41354 100644 --- a/nodes/kunsi-p14s.py +++ b/nodes/kunsi-p14s.py 
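Review bot: The `wg_special` rule hard-codes `51819` while the same port is given as `my_port` in the `kunsi-p14s` peer a few lines below, so the two can drift apart; deriving the rule from the peer definition, or at least a comment `# must match wireguard/peers/kunsi-p14s/my_port`, keeps them in step. The rule also accepts udp 51819 from any source, which is unavoidable for a roaming peer with `'endpoint': None`, but that reasoning is not visible in the file; a short comment stating it explains why this is not a `port_rules` entry.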
@@ -11,6 +11,7 @@ nodes['kunsi-p14s'] = { 'telegraf-battery-usage', 'vmhost', 'voc-tracker-worker', + 'wireguard', 'zfs', }, 'groups': { @@ -164,6 +165,20 @@ nodes['kunsi-p14s'] = { 'token': vault.decrypt('encrypt$gAAAAABiYqaFl4CqOc8DTQIn49Qq0KgAJSzA19GKPNMbyHIjYg0JkvY0sK43ps8CbJWMRR6hJHVK-nP4vrWLwyoWWqt8N8aASMur4odC2s8pEHQKM0TXg4cRwobQz_lyJgrYa2VYdhcD'), 'secret': vault.decrypt('encrypt$gAAAAABiYqaYbY-3IbnRk-S25pqxrOGN7ovgPo3kBYz8ZqKDedPRzskKZefpLHxBbCOZKjg1XNT4cKbIs5cPCLdj7HdY4beAhnXl4EHZZdxU1zVC7sJCmz9XOS_Ac0UOgOlUFMiet14U'), }, + 'wireguard': { + 'peers': { + 'htz-cloud.wireguard': { + 'auto_connection': False, + 'endpoint': 'wireguard.htz-cloud.kunbox.net:51819', + 'my_ip': '172.19.136.65', + 'my_port': 51819, + 'their_ip': '172.19.136.64', + 'routes': { + '172.19.128.0/20', + }, + }, + }, + }, 'zfs': { 'pools': { 'zroot': { From be62c1270fee6d123b8a6d17f6e0e8f601ace46b Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 24 Sep 2023 19:25:03 +0200 Subject: [PATCH 389/996] remove isc-dhcp-server --- bundles/dhcpd/files/dhcpd.conf | 36 ------------------- bundles/dhcpd/files/isc-dhcp-server | 18 ---------- bundles/dhcpd/items.py | 41 ---------------------- bundles/dhcpd/metadata.py | 54 ----------------------------- 4 files changed, 149 deletions(-) delete mode 100644 bundles/dhcpd/files/dhcpd.conf delete mode 100644 bundles/dhcpd/files/isc-dhcp-server delete mode 100644 bundles/dhcpd/items.py delete mode 100644 bundles/dhcpd/metadata.py diff --git a/bundles/dhcpd/files/dhcpd.conf b/bundles/dhcpd/files/dhcpd.conf deleted file mode 100644 index 97e734b..0000000 --- a/bundles/dhcpd/files/dhcpd.conf +++ /dev/null 
@@ -1,36 +0,0 @@ -<% - import re - from ipaddress import ip_network -%> -ddns-update-style none; - -authoritative; - -% for interface, subnet in sorted(dhcp_config.get('subnets', {}).items()): -<% - network = ip_network(subnet['subnet']) -%> -# interface ${interface} provides ${subnet['subnet']} -subnet ${network.network_address} netmask ${network.netmask} { -% if subnet.get('range_lower', None) and subnet.get('range_higher', None): - range ${subnet['range_lower']} ${subnet['range_higher']}; -% endif - interface "${interface}"; - default-lease-time ${subnet.get('default-lease-time', 600)}; - max-lease-time ${subnet.get('max-lease-time', 3600)}; -% for option, value in sorted(subnet.get('options', {}).items()): -% if re.match('([^0-9\.,\ ])', value): - option ${option} "${value}"; -% else: - option ${option} ${value}; -% endif -% endfor -} -% endfor - -% for identifier, allocation in dhcp_config.get('fixed_allocations', {}).items(): -host ${identifier} { - hardware ethernet ${allocation['mac']}; - fixed-address ${allocation['ipv4']}; -} -% endfor diff --git a/bundles/dhcpd/files/isc-dhcp-server b/bundles/dhcpd/files/isc-dhcp-server deleted file mode 100644 index 4b0120d..0000000 --- a/bundles/dhcpd/files/isc-dhcp-server +++ /dev/null @@ -1,18 +0,0 @@ -# Defaults for isc-dhcp-server (sourced by /etc/init.d/isc-dhcp-server) - -# Path to dhcpd's config file (default: /etc/dhcp/dhcpd.conf). -#DHCPDv4_CONF=/etc/dhcp/dhcpd.conf -#DHCPDv6_CONF=/etc/dhcp/dhcpd6.conf - -# Path to dhcpd's PID file (default: /var/run/dhcpd.pid). -#DHCPDv4_PID=/var/run/dhcpd.pid -#DHCPDv6_PID=/var/run/dhcpd6.pid - -# Additional options to start dhcpd with. -# Don't use options -cf or -pf here; use DHCPD_CONF/ DHCPD_PID instead -#OPTIONS="" - -# On what interfaces should the DHCP server (dhcpd) serve DHCP requests? -# Separate multiple interfaces with spaces, e.g. "eth0 eth1". -INTERFACESv4="${' '.join(sorted(node.metadata.get('dhcpd/subnets', {})))}" -INTERFACESv6="" 
diff --git a/bundles/dhcpd/items.py b/bundles/dhcpd/items.py deleted file mode 100644 index bdf9944..0000000 --- a/bundles/dhcpd/items.py +++ /dev/null @@ -1,41 +0,0 @@ -files = { - '/etc/dhcp/dhcpd.conf': { - 'content_type': 'mako', - 'context': { - 'dhcp_config': node.metadata['dhcpd'], - }, - 'needs': { - 'pkg_apt:isc-dhcp-server' - }, - 'triggers': { - 'svc_systemd:isc-dhcp-server:restart', - }, - }, - '/etc/default/isc-dhcp-server': { - 'content_type': 'mako', - 'needs': { - 'pkg_apt:isc-dhcp-server' - }, - 'triggers': { - 'svc_systemd:isc-dhcp-server:restart', - }, - }, -} - -actions = { - # needed for dhcp-lease-list - 'dhcpd_download_oui.txt': { - 'command': 'wget http://standards-oui.ieee.org/oui.txt -O /usr/local/etc/oui.txt', - 'unless': 'test -f /usr/local/etc/oui.txt', - }, -} - -svc_systemd = { - 'isc-dhcp-server': { - 'needs': { - 'pkg_apt:isc-dhcp-server', - 'file:/etc/dhcp/dhcpd.conf', - 'file:/etc/default/isc-dhcp-server', - }, - }, -} diff --git a/bundles/dhcpd/metadata.py b/bundles/dhcpd/metadata.py deleted file mode 100644 index cc091af..0000000 --- a/bundles/dhcpd/metadata.py +++ /dev/null 
@@ -1,54 +0,0 @@ -defaults = { - 'apt': { - 'packages': { - 'isc-dhcp-server': {}, - }, - }, - 'bash_aliases': { - 'leases': 'sudo dhcp-lease-list | tail -n +4 | sort -k 2,2', - }, -} - - -@metadata_reactor.provides( - 'dhcpd/fixed_allocations', -) -def get_static_allocations(metadata): - allocations = {} - for rnode in repo.nodes: - if rnode.metadata.get('location', '') != metadata.get('location', ''): - continue - - for iface_name, iface_config in rnode.metadata.get('interfaces', {}).items(): - if iface_config.get('dhcp', False): - try: - allocations[f'{rnode.name}_{iface_name}'] = { - 'ipv4': sorted(iface_config['ips'])[0], - 'mac': iface_config['mac'], - } - except KeyError: - pass - - return { - 'dhcpd': { - 'fixed_allocations': allocations, - } - } - - -@metadata_reactor.provides( - 'nftables/rules/10-dhcpd', -) -def nftables(metadata): - rules = set() - for iface in node.metadata.get('dhcpd/subnets', {}): - rules.add(f'inet filter input udp dport {{ 67, 68 }} iif {iface} accept') - - return { - 'nftables': { - 'rules': { - # can't use port_rules here, because we're generating interface based rules. - '10-dhcpd': sorted(rules), - }, - } - } From cd48cf495d0e9b0ab9ca52a3477e070e92764f82 Mon Sep 17 00:00:00 2001 
From: Franziska Kunsmann Date: Sun, 24 Sep 2023 20:59:58 +0200 Subject: [PATCH 390/996] rework firewall setup --- bundles/bird/metadata.py | 2 +- bundles/dovecot/metadata.py | 12 ++++----- bundles/kea-dhcp-server/metadata.py | 6 ++--- bundles/kodi/metadata.py | 8 +++--- bundles/minecraft/metadata.py | 4 +-- bundles/mosquitto/metadata.py | 2 +- bundles/nfs-server/metadata.py | 4 +-- bundles/nftables/files/nftables.conf | 28 +++++++++++++++++++++ bundles/nftables/items.py | 23 +++++------------ bundles/nftables/metadata.py | 37 ++++++++++++++-------------- bundles/nginx/metadata.py | 8 +++--- bundles/oidentd/metadata.py | 4 +-- bundles/openssh/metadata.py | 4 +-- bundles/postfix/metadata.py | 16 ++++++------ bundles/powerdns/metadata.py | 4 +-- bundles/pppd/files/ip-up | 2 +- bundles/rsyslogd/metadata.py | 2 +- bundles/transmission/metadata.py | 6 ++--- bundles/unbound/metadata.py | 2 +- bundles/weechat/metadata.py | 6 ++--- bundles/wide-dhcp6c/metadata.py | 6 ++--- bundles/wireguard/metadata.py | 19 ++++++++------ groups/os.py | 3 --- nodes/home/nas.py | 6 ++--- nodes/home/router.py | 17 +++++++------ nodes/htz-cloud/miniserver.py | 6 ++--- nodes/htz-cloud/wireguard.py | 16 +++++++----- nodes/htz-hel/backup-sophie.py | 6 ++--- nodes/kunsi-p14s.py | 3 +-- nodes/kunsi-t470.py | 5 ++-- 30 files changed, 145 insertions(+), 122 deletions(-) diff --git a/bundles/bird/metadata.py b/bundles/bird/metadata.py index c442a26..ea4c1e6 100644 --- a/bundles/bird/metadata.py +++ b/bundles/bird/metadata.py @@ -88,7 +88,7 @@ def firewall(metadata): return { 'firewall': { 'port_rules': { - '179': atomic(sources), + '179/tcp': atomic(sources), }, }, } diff --git a/bundles/dovecot/metadata.py b/bundles/dovecot/metadata.py index bd1427e..00ee5a4 100644 --- a/bundles/dovecot/metadata.py +++ b/bundles/dovecot/metadata.py 
@@ -76,19 +76,19 @@ def import_database_settings_from_postfixadmin(metadata): @metadata_reactor.provides( - 'firewall/port_rules/143', - 'firewall/port_rules/993', - 'firewall/port_rules/4190', + 'firewall/port_rules', + 'firewall/port_rules', + 'firewall/port_rules', ) def firewall(metadata): return { 'firewall': { 'port_rules': { # imap(s) - '143': atomic(metadata.get('dovecot/restrict-to', {'*'})), - '993': atomic(metadata.get('dovecot/restrict-to', {'*'})), + '143/tcp': atomic(metadata.get('dovecot/restrict-to', {'*'})), + '993/tcp': atomic(metadata.get('dovecot/restrict-to', {'*'})), # managesieve - '4190': atomic(metadata.get('dovecot/restrict-to', {'*'})), + '4190/tcp': atomic(metadata.get('dovecot/restrict-to', {'*'})), }, }, } diff --git a/bundles/kea-dhcp-server/metadata.py b/bundles/kea-dhcp-server/metadata.py index 7b69f3e..6a25c1f 100644 --- a/bundles/kea-dhcp-server/metadata.py +++ b/bundles/kea-dhcp-server/metadata.py @@ -66,16 +66,16 @@ def get_static_allocations(metadata): @metadata_reactor.provides( - 'nftables/rules/10-kea-dhcp-server', + 'nftables/input/10-kea-dhcp-server', ) def nftables(metadata): rules = set() for iface in node.metadata.get('kea-dhcp-server/subnets', {}): - rules.add(f'inet filter input udp dport {{ 67, 68 }} iif {iface} accept') + rules.add(f'udp dport {{ 67, 68 }} iifname {iface} accept') return { 'nftables': { - 'rules': { + 'input': { # can't use port_rules here, because we're generating interface based rules. '10-kea-dhcp-server': sorted(rules), }, diff --git a/bundles/kodi/metadata.py b/bundles/kodi/metadata.py index e217b21..0fe2061 100644 --- a/bundles/kodi/metadata.py +++ b/bundles/kodi/metadata.py 
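Review bot: The `@metadata_reactor.provides()` decorator now lists `'firewall/port_rules'` three times; one entry is enough, and the same triplication appears in the kodi, nginx and postfix hunks of this commit. The per-port paths were presumably dropped because the new keys contain `/`, which is also bundlewrap's metadata path separator, so `'firewall/port_rules/143/tcp'` cannot be expressed — a one-line comment such as `# keys contain '/', so the whole dict must be declared` would keep the next reader from "fixing" it back. Suggested decorator: `@metadata_reactor.provides('firewall/port_rules')`.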
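Review bot: `udp dport { 67, 68 } iifname {iface} accept` opens the client port 68 as well as the server port on every served interface; a DHCPv4 server only needs to receive on 67, so unless this host also runs a DHCP client on the same interface the rule can be `rules.add(f'udp dport 67 iifname {iface} accept')`. The port pair is carried over from the pre-rewrite line, so this may be deliberate — if so, a why-comment on the rule would settle it. The interface name is interpolated unquoted; nft accepts the dotted VLAN names used in this repo, but `iifname "{iface}"` is a cheap guard against a name that collides with an nft keyword.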
@@ -43,15 +43,15 @@ defaults = { @metadata_reactor.provides( - 'firewall/port_rules/8080', - 'firewall/port_rules/9090', + 'firewall/port_rules', + 'firewall/port_rules', ) def firewall(metadata): return { 'firewall': { 'port_rules': { - '8080': atomic(metadata.get('kodi/restrict-to', {'*'})), - '9090': atomic(metadata.get('kodi/restrict-to', {'*'})), + '8080/tcp': atomic(metadata.get('kodi/restrict-to', {'*'})), + '9090/tcp': atomic(metadata.get('kodi/restrict-to', {'*'})), }, }, } diff --git a/bundles/minecraft/metadata.py b/bundles/minecraft/metadata.py index 4c7626b..4bd5223 100644 --- a/bundles/minecraft/metadata.py +++ b/bundles/minecraft/metadata.py @@ -150,13 +150,13 @@ def heap_to_java_opts(metadata): @metadata_reactor.provides( - 'firewall/port_rules/25565', + 'firewall/port_rules', ) def firewall(metadata): return { 'firewall': { 'port_rules': { - '25565': atomic(metadata.get('minecraft/restrict-to', set())), + '25565/tcp': atomic(metadata.get('minecraft/restrict-to', set())), }, }, } diff --git a/bundles/mosquitto/metadata.py b/bundles/mosquitto/metadata.py index c07a446..66199ac 100644 --- a/bundles/mosquitto/metadata.py +++ b/bundles/mosquitto/metadata.py @@ -33,7 +33,7 @@ def firewall(metadata): result = {} for listener in metadata.get('mosquitto/listeners').keys(): - result[listener] = atomic(sources) + result[f'{listener}/tcp'] = atomic(sources) return { 'firewall': { diff --git a/bundles/nfs-server/metadata.py b/bundles/nfs-server/metadata.py index 4b9e8d5..73dc68a 100644 --- a/bundles/nfs-server/metadata.py +++ b/bundles/nfs-server/metadata.py @@ -33,8 +33,8 @@ def firewall(metadata): ips.add(share_target) rules = {} - for port in ('111', '2049', '1110', '4045', '35295'): # TODO find out if we need more ports - for proto in ('', '/udp'): + for port in ('111', '2049', '1110', '4045', '35295'): + for proto in ('/tcp', '/udp'): rules[port + proto] = atomic(ips) return { 
diff --git a/bundles/nftables/files/nftables.conf b/bundles/nftables/files/nftables.conf index 4034ad4..83bf07f 100644 --- a/bundles/nftables/files/nftables.conf +++ b/bundles/nftables/files/nftables.conf @@ -19,6 +19,13 @@ table inet filter { ip protocol icmp accept ip6 nexthdr ipv6-icmp accept +% for ruleset, rules in sorted(input.items()): + + # ${ruleset} +% for rule in rules: + ${rule} +% endfor +% endfor } chain output { @@ -32,15 +39,36 @@ table inet filter { icmp type timestamp-request drop icmp type timestamp-reply drop +% for ruleset, rules in sorted(forward.items()): + + # ${ruleset} +% for rule in rules: + ${rule} +% endfor +% endfor } } table nat { chain prerouting { type nat hook prerouting priority -100 +% for ruleset, rules in sorted(prerouting.items()): + + # ${ruleset} +% for rule in rules: + ${rule} +% endfor +% endfor } chain postrouting { type nat hook postrouting priority 100 +% for ruleset, rules in sorted(postrouting.items()): + + # ${ruleset} +% for rule in rules: + ${rule} +% endfor +% endfor } } diff --git a/bundles/nftables/items.py b/bundles/nftables/items.py index 42bf2e4..96eebcf 100644 --- a/bundles/nftables/items.py +++ b/bundles/nftables/items.py @@ -15,8 +15,12 @@ directories = { files = { '/etc/nftables.conf': { - 'needs': { - 'directory:/etc/nftables-rules.d', + 'content_type': 'mako', + 'context': { + 'forward': node.metadata.get('nftables/forward', {}), + 'input': node.metadata.get('nftables/input', {}), + 'postrouting': node.metadata.get('nftables/postrouting', {}), + 'prerouting': node.metadata.get('nftables/prerouting', {}), }, 'triggers': { 'svc_systemd:nftables:reload', 
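Review bot: The rulesets of each chain are emitted in `sorted()` order of their metadata key, so the numeric prefixes (`10-`, `50-`, `99-`) are the only ordering contract, and that contract is not written down anywhere in the template. Every rule visible in this series is an `accept`, so order does not matter today, but it will the moment a bundle adds a `drop`/`reject` or a `ct state` shortcut. Suggested comment above each `% for ruleset, rules in sorted(...)` loop: `# rulesets are applied in sorted key order; prefix keys with 10-/50-/99- to control precedence`.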
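Review bot: The rendered `/etc/nftables.conf` is written without a syntax check while every `${rule}` from metadata is pasted in verbatim, so a single malformed rule in any bundle or node makes the atomic `nft -f` load fail — on reload the old ruleset survives, but on boot the service fails and the host comes up with no firewall at all. bundlewrap file items can run a pre-write check; adding `'verify_with': 'nft -c -f {}',` to the `/etc/nftables.conf` item turns that into a failed apply instead of a silently open host. This also covers the `iifname`/`oifname` rules that nodes now write directly into metadata.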
@@ -32,21 +36,6 @@ files = { }, } -for ruleset, rules in node.metadata.get('nftables/rules', {}).items(): - files[f'/etc/nftables-rules.d/{ruleset}'] = { - 'source': 'rules-template', - 'content_type': 'mako', - 'context': { - 'rules': rules, - }, - 'needed_by': { - 'svc_systemd:nftables', - }, - 'triggers': { - 'svc_systemd:nftables:reload', - }, - } - svc_systemd = { 'nftables': { 'needs': { diff --git a/bundles/nftables/metadata.py b/bundles/nftables/metadata.py index acfb166..0d7819a 100644 --- a/bundles/nftables/metadata.py +++ b/bundles/nftables/metadata.py @@ -35,7 +35,7 @@ if not node.has_bundle('vmhost'): } @metadata_reactor.provides( - 'nftables/rules/99-port_rules', + 'nftables/input/99-port_rules', ) def port_rules_to_nftables(metadata): # Using this, bundles can simply set up port based rules. This 
@@ -49,46 +49,47 @@ def port_rules_to_nftables(metadata): if '/' in portdef: port, proto = portdef.split('/', 2) - if proto not in {'udp'}: + if proto not in ('tcp', 'udp'): raise BundleError(f'firewall/port_rules: illegal identifier {portdef} in metadata for {node.name}') else: port = portdef - proto = 'tcp' + proto = None for target in targets: - if port == '*' and target == '*': - raise BundleError('firewall/port_rules: setting both port and target to * is unsupported') + if ( + (port == '*' and target == '*') + or (target == '*' and proto is None) + or (port != '*' and proto is None) + ): + raise BundleError(f'firewall/port_rules: illegal combination of port, target and protocol: "{port}" "{target}" "{proto}"') comment = f'comment "port_rules {target}"' if port != '*': if ':' in port: parts = port.split(':') - port_str = f'{proto} dport {{ {parts[0]}-{parts[1]} }}' + port_str = f'{proto} dport {{ {parts[0]}-{parts[1]} }} ' else: - port_str = f'{proto} dport {port}' + port_str = f'{proto} dport {port} ' + elif proto is not None: + port_str = f'meta l4proto {proto} ' else: - port_str = f'meta l4proto {proto}' + port_str = '' - if target in ('ipv4', 'ipv6'): - version_str = f'meta nfproto {target}' - else: - version_str = '' - - if target in ('*', 'ipv4', 'ipv6'): - ruleset.add(f'inet filter input {version_str} {port_str} accept {comment}') + if target == '*': + ruleset.add(f'{port_str}accept {comment}') else: resolved = repo.libs.tools.resolve_identifier(repo, target, linklocal=True) for address in resolved['ipv4']: - ruleset.add(f'inet filter input meta nfproto ipv4 {port_str} ip saddr {address} accept {comment}') + ruleset.add(f'{port_str}ip saddr {address} accept {comment}') for address in resolved['ipv6']: - ruleset.add(f'inet filter input meta nfproto ipv6 {port_str} ip6 saddr {address} accept {comment}') + ruleset.add(f'{port_str}ip6 saddr {address} accept {comment}') return { 'nftables': { - 'rules': { + 'input': { # order does not matter here. 
'99-port_rules': sorted(ruleset), }, diff --git a/bundles/nginx/metadata.py b/bundles/nginx/metadata.py index 1d386dd..e47e84d 100644 --- a/bundles/nginx/metadata.py +++ b/bundles/nginx/metadata.py @@ -172,15 +172,15 @@ def monitoring(metadata): @metadata_reactor.provides( - 'firewall/port_rules/80', - 'firewall/port_rules/443', + 'firewall/port_rules', + 'firewall/port_rules', ) def firewall(metadata): return { 'firewall': { 'port_rules': { - '80': atomic(metadata.get('nginx/restrict-to', {'*'})), - '443': atomic(metadata.get('nginx/restrict-to', {'*'})), + '80/tcp': atomic(metadata.get('nginx/restrict-to', {'*'})), + '443/tcp': atomic(metadata.get('nginx/restrict-to', {'*'})), }, }, } diff --git a/bundles/oidentd/metadata.py b/bundles/oidentd/metadata.py index f9d4390..dbc27a1 100644 --- a/bundles/oidentd/metadata.py +++ b/bundles/oidentd/metadata.py @@ -10,13 +10,13 @@ defaults = { @metadata_reactor.provides( - 'firewall/port_rules/113', + 'firewall/port_rules', ) def firewall(metadata): return { 'firewall': { 'port_rules': { - '113': atomic(metadata.get('oidentd/restrict-to', {'*'})), + '113/tcp': atomic(metadata.get('oidentd/restrict-to', {'*'})), }, }, } diff --git a/bundles/openssh/metadata.py b/bundles/openssh/metadata.py index 3cad1b9..630b851 100644 --- a/bundles/openssh/metadata.py +++ b/bundles/openssh/metadata.py @@ -16,13 +16,13 @@ defaults = { } @metadata_reactor.provides( - 'firewall/port_rules/22', + 'firewall/port_rules', ) def firewall(metadata): return { 'firewall': { 'port_rules': { - '22': atomic(metadata.get('openssh/restrict-to', {'*'})), + '22/tcp': atomic(metadata.get('openssh/restrict-to', {'*'})), }, }, } diff --git a/bundles/postfix/metadata.py b/bundles/postfix/metadata.py index e0dbe61..4788de6 100644 --- a/bundles/postfix/metadata.py +++ b/bundles/postfix/metadata.py 
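Review bot: The middle disjunct of the new validation, `(target == '*' and proto is None)`, is unreachable: with `proto is None`, `port == '*'` is already caught by the first clause when the target is `'*'` and `port != '*'` by the third, so the check reduces to `(port == '*' and target == '*') or (port != '*' and proto is None)`. The `ipv4`/`ipv6` targets are no longer special-cased (the node files drop them in this commit), but a leftover use now falls through to `resolve_identifier`, whose behaviour for those names is not visible here; an explicit `if target in ('ipv4', 'ipv6'): raise BundleError(...)` would fail loudly instead of depending on it. The unchanged `portdef.split('/', 2)` on the context line also raises a bare `ValueError` for a definition with two slashes rather than the `BundleError` this branch intends; `split('/', 1)` gives the intended error path. `port_rules_to_nftables` starts before this hunk.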
@@ -96,10 +96,10 @@ def letsencrypt(metadata): @metadata_reactor.provides( - 'firewall/port_rules/25', - 'firewall/port_rules/465', - 'firewall/port_rules/587', - 'firewall/port_rules/2525', + 'firewall/port_rules', + 'firewall/port_rules', + 'firewall/port_rules', + 'firewall/port_rules', ) def firewall(metadata): if node.has_bundle('postfixadmin'): @@ -108,13 +108,13 @@ def firewall(metadata): default = metadata.get('postfix/mynetworks', set()) rules = { - '25': atomic(metadata.get('postfix/restrict-to', default)), - '465': atomic(metadata.get('postfix/restrict-to', default)), + '25/tcp': atomic(metadata.get('postfix/restrict-to', default)), + '465/tcp': atomic(metadata.get('postfix/restrict-to', default)), } if node.has_bundle('postfixadmin'): - rules['587'] = atomic(metadata.get('postfix/restrict-to', default)) - rules['2525'] = atomic(metadata.get('postfix/restrict-to', default)) + rules['587/tcp'] = atomic(metadata.get('postfix/restrict-to', default)) + rules['2525/tcp'] = atomic(metadata.get('postfix/restrict-to', default)) return { 'firewall': { diff --git a/bundles/powerdns/metadata.py b/bundles/powerdns/metadata.py index b418636..801161d 100644 --- a/bundles/powerdns/metadata.py +++ b/bundles/powerdns/metadata.py @@ -201,9 +201,9 @@ def firewall(metadata): return { 'firewall': { 'port_rules': { - '53': atomic(metadata.get('powerdns/restrict-to/dns', {'*'})), + '53/tcp': atomic(metadata.get('powerdns/restrict-to/dns', {'*'})), '53/udp': atomic(metadata.get('powerdns/restrict-to/dns', {'*'})), - '8081': atomic(metadata.get('powerdns/restrict-to/api', set())), + '8081/tcp': atomic(metadata.get('powerdns/restrict-to/api', set())), }, }, } diff --git a/bundles/pppd/files/ip-up b/bundles/pppd/files/ip-up index 8eba2b9..2ac4934 100644 --- a/bundles/pppd/files/ip-up +++ b/bundles/pppd/files/ip-up 
@@ -2,7 +2,7 @@ INTERFACE=$1 -echo "add rule nat postrouting oif $INTERFACE masquerade" > /etc/nftables-rules.d/90-pppd +echo "add rule nat postrouting oifname $INTERFACE masquerade" > /etc/nftables-rules.d/90-pppd % for rule in sorted(nftables): echo "add rule ${rule}" >> /etc/nftables-rules.d/90-pppd % endfor diff --git a/bundles/rsyslogd/metadata.py b/bundles/rsyslogd/metadata.py index 3fe9624..aec2591 100644 --- a/bundles/rsyslogd/metadata.py +++ b/bundles/rsyslogd/metadata.py @@ -25,7 +25,7 @@ def firewall(metadata): return { 'firewall': { 'port_rules': { - '514': atomic(metadata.get('rsyslogd/restrict-to', set())), + '514/tcp': atomic(metadata.get('rsyslogd/restrict-to', set())), '514/udp': atomic(metadata.get('rsyslogd/restrict-to', set())), }, }, diff --git a/bundles/transmission/metadata.py b/bundles/transmission/metadata.py index 60643b4..da2a09e 100644 --- a/bundles/transmission/metadata.py +++ b/bundles/transmission/metadata.py @@ -55,9 +55,9 @@ def firewall(metadata): return { 'firewall': { 'port_rules': { - str(metadata.get('transmission/config/peer-port')): atomic({'*'}), - str(metadata.get('transmission/config/peer-port')) + '/udp': atomic({'*'}), - str(metadata.get('transmission/config/rpc-port')): atomic(metadata.get('transmission/restrict-to', {'*'})), + f"{metadata.get('transmission/config/peer-port')}/tcp": atomic({'*'}), + f"{metadata.get('transmission/config/peer-port')}/udp": atomic({'*'}), + f"{metadata.get('transmission/config/rpc-port')}/tcp": atomic(metadata.get('transmission/restrict-to', {'*'})), }, }, } diff --git a/bundles/unbound/metadata.py b/bundles/unbound/metadata.py index b08df0b..70a3511 100644 --- a/bundles/unbound/metadata.py +++ b/bundles/unbound/metadata.py 
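Review bot: `ip-up` still writes its masquerade rule into `/etc/nftables-rules.d/90-pppd`, but this same commit removes the bundle code that populated that directory and moves every other rule into the templated `/etc/nftables.conf`; whether the config still includes `/etc/nftables-rules.d/` is not visible here, and if it does not, the rule is never loaded and the PPP uplink has no NAT. Either keep an `include "/etc/nftables-rules.d/*"` in the template or have this script load the file itself, and say which in a comment above the `echo`. The rest of the script, including whether it runs `nft -f` on the file, is outside the hunk.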
@@ -70,7 +70,7 @@ def firewall(metadata): return { 'firewall': { 'port_rules': { - '53': atomic(metadata.get('unbound/restrict-to', set())), + '53/tcp': atomic(metadata.get('unbound/restrict-to', set())), '53/udp': atomic(metadata.get('unbound/restrict-to', set())), }, }, diff --git a/bundles/weechat/metadata.py b/bundles/weechat/metadata.py index 6efc467..034ecfb 100644 --- a/bundles/weechat/metadata.py +++ b/bundles/weechat/metadata.py @@ -20,9 +20,9 @@ defaults = { }, }, 'nftables': { - 'rules': { - 'weechat-mosh': { - 'inet filter input udp dport { 60000-61000 } accept', + 'input': { + '10-weechat': { + 'udp dport { 60000-61000 } accept', }, }, }, diff --git a/bundles/wide-dhcp6c/metadata.py b/bundles/wide-dhcp6c/metadata.py index 7ac556b..050e690 100644 --- a/bundles/wide-dhcp6c/metadata.py +++ b/bundles/wide-dhcp6c/metadata.py @@ -5,10 +5,10 @@ defaults = { }, }, 'nftables': { - 'rules': { + 'input': { '10-wide-dhcp6c': [ - 'inet filter input udp dport { 546, 547 } ip6 saddr ff00::/12 accept', - 'inet filter input udp dport { 546, 547 } ip6 saddr fe80::/10 accept', + 'udp dport { 546, 547 } ip6 saddr ff00::/12 accept', + 'udp dport { 546, 547 } ip6 saddr fe80::/10 accept', ], }, }, diff --git a/bundles/wireguard/metadata.py b/bundles/wireguard/metadata.py index 987fd35..c8951ee 100644 --- a/bundles/wireguard/metadata.py +++ b/bundles/wireguard/metadata.py @@ -264,7 +264,8 @@ def interface_ips(metadata): @metadata_reactor.provides( - 'nftables/rules/10-wireguard', + 'nftables/forward/10-wireguard', + 'nftables/postrouting/10-wireguard', ) def snat(metadata): if not node.has_bundle('nftables') or node.os == 'arch': 
@@ -272,13 +273,14 @@ def snat(metadata): snat_ip = metadata.get('wireguard/snat_ip', None) - rules = set() + forward = set() + postrouting = set() for peer, config in sorted(metadata.get('wireguard/peers', {}).items()): - rules.add(f'inet filter forward iifname wg_{config["iface"]} accept') - rules.add(f'inet filter forward oifname wg_{config["iface"]} accept') + forward.add(f'iifname wg_{config["iface"]} accept') + forward.add(f'oifname wg_{config["iface"]} accept') if snat_ip: - rules.add('nat postrouting ip saddr {} ip daddr != {} snat to {}'.format( + postrouting.add('ip saddr {} ip daddr != {} snat to {}'.format( config['my_ip'], config['their_ip'], snat_ip, @@ -286,8 +288,11 @@ def snat(metadata): return { 'nftables': { - 'rules': { - '10-wireguard': sorted(rules), + 'forward': { + '10-wireguard': sorted(forward), + }, + 'postrouting': { + '10-wireguard': sorted(postrouting), }, }, } diff --git a/groups/os.py b/groups/os.py index 13e954f..65f2691 100644 --- a/groups/os.py +++ b/groups/os.py @@ -41,9 +41,6 @@ groups['linux'] = { '*': { 'icinga2', }, - '*/udp': { - 'icinga2', - }, }, }, }, diff --git a/nodes/home/nas.py b/nodes/home/nas.py index 818d9b3..2b23903 100644 --- a/nodes/home/nas.py +++ b/nodes/home/nas.py @@ -67,15 +67,15 @@ nodes['home.nas'] = { }, 'firewall': { 'port_rules': { - '4679': { # Dell ULNM + '4679/tcp': { # Dell ULNM '172.19.136.0/25', '172.19.138.0/24', }, - '5060': { # yate SIP + '5060/tcp': { # yate SIP 'home.snom-wohnzimmer', 'home.mitel-rfp35', }, - '5061': { # yate SIPS + '5061/tcp': { # yate SIPS 'home.snom-wohnzimmer', 'home.mitel-rfp35', }, diff --git a/nodes/home/router.py b/nodes/home/router.py index e6f9125..6a0fe3b 100644 --- a/nodes/home/router.py +++ b/nodes/home/router.py 
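Review bot: When `snat_ip` is unset the reactor still returns `'postrouting': {'10-wireguard': []}` (see the next hunk), so the template prints an empty `# 10-wireguard` section in the nat postrouting chain; build the return dict so the `'postrouting'` key is only present when `postrouting` is non-empty. The forward rules are unchanged in substance but still accept anything entering or leaving `wg_*` regardless of address — if a peer carries only its own tunnel address, `ip saddr {their_ip}` on the `iifname` rule would keep a compromised peer from forwarding arbitrary source addresses through this host. `snat` starts before this hunk and its `return` is in the following one.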
@@ -77,15 +77,16 @@ nodes['home.router'] = { #'vars.notification.sms': True }, 'nftables': { - 'rules': { + 'forward': { '50-router': [ - # This is a router. Allow forwarding traffic for internal networks. - 'inet filter forward ct state { related, established } accept', - - # yaaaaay, IPv6! No NAT! - 'inet filter forward ip6 nexthdr ipv6-icmp accept', - 'inet filter forward tcp dport 22 accept', - 'nat prerouting tcp dport 2022 dnat 172.19.138.20:22', + 'ct state { related, established } accept', + 'ip6 nexthdr ipv6-icmp accept', + 'tcp dport 22 accept', + ], + }, + 'prerouting': { + '50-router': [ + 'tcp dport 2022 dnat 172.19.138.20:22', ], }, }, diff --git a/nodes/htz-cloud/miniserver.py b/nodes/htz-cloud/miniserver.py index c89b23a..b93bb53 100644 --- a/nodes/htz-cloud/miniserver.py +++ b/nodes/htz-cloud/miniserver.py @@ -164,10 +164,10 @@ nodes['htz-cloud.miniserver'] = { '2a01:4f8:0:1::add:9898', }, 'nftables': { - 'rules': { + 'input': { '50-sophie-weechat': [ - 'inet filter input udp dport { 60000-61000 } accept', - 'inet filter input tcp dport 9001 accept', + 'udp dport { 60000-61000 } accept', + 'tcp dport 9001 accept', ], }, }, diff --git a/nodes/htz-cloud/wireguard.py b/nodes/htz-cloud/wireguard.py index 90b15ad..0e2c03d 100644 --- a/nodes/htz-cloud/wireguard.py +++ b/nodes/htz-cloud/wireguard.py @@ -38,14 +38,18 @@ nodes['htz-cloud.wireguard'] = { }, }, 'nftables': { - 'rules': { + 'input': { '50-router': [ - 'inet filter forward ct state { related, established } accept', - 'inet filter forward oif eth0 accept', - 'nat postrouting oif eth0 masquerade', + 'ct state { related, established } accept', + 'oifname eth0 accept', ], - 'wg_special': [ - 'inet filter input udp dport 51819 accept', + '50-wireguard': [ + 'udp dport 51819 accept', + ], + }, + 'postrouting': { + '50-router': [ + 'oifname eth0 masquerade', ], }, }, diff --git a/nodes/htz-hel/backup-sophie.py b/nodes/htz-hel/backup-sophie.py index d6efed3..e6003f1 100644 
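Review bot: The forward rule `tcp dport 22 accept` is not tied to the DNAT flow it accompanies: in an `inet` table it also matches IPv6, so with globally routed IPv6 on the LAN it forwards SSH from anywhere to every internal host — the removed comment `yaaaaay, IPv6! No NAT!` suggests this was intended, but the intent is no longer documented. If only the NAS is meant to be reachable, narrow it to `'ip daddr 172.19.138.20 tcp dport 22 accept'` and list the intended IPv6 destinations explicitly; either way, restore the two explanatory comments so the next reader knows the IPv6 exposure is deliberate. The `prerouting` dnat rule also matches on every interface rather than only the uplink; an `iifname` qualifier on the WAN interface would keep LAN traffic to port 2022 out of the translation.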
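Review bot: The two former forward-chain rules (`ct state { related, established } accept` and `oifname eth0 accept`) have been moved under `'input'` rather than `'forward'`: in the input hook there is no output interface, so the `oifname` rule can never match, and the forward chain of this VPN gateway loses both rules, so forwarding for clients toward `eth0` now depends on whatever else the forward chain accepts. The `nodes/home/router.py` hunk in this commit shows the intended layout. Put `'50-router'` under a `'forward'` key and keep only `'50-wireguard'` in `'input'`.
```python
'nftables': {
    'forward': {
        '50-router': [
            'ct state { related, established } accept',
            'oifname eth0 accept',
        ],
    },
    'input': {
        '50-wireguard': [
            'udp dport 51819 accept',
        ],
    },
    # … unchanged: postrouting …
},
```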
--- a/nodes/htz-hel/backup-sophie.py +++ b/nodes/htz-hel/backup-sophie.py @@ -41,10 +41,10 @@ nodes['htz-hel.backup-sophie'] = { 'zfs-base': 'tank/backups', }, 'nftables': { - 'rules': { + 'input': { '50-sophie-misc': [ - 'inet filter input udp dport { 60000-61000 } accept', - 'inet filter input tcp dport 5201 accept', + 'udp dport { 60000-61000 } accept', + 'tcp dport 5201 accept', ], }, }, diff --git a/nodes/kunsi-p14s.py b/nodes/kunsi-p14s.py index 7c41354..03d63a1 100644 --- a/nodes/kunsi-p14s.py +++ b/nodes/kunsi-p14s.py @@ -34,7 +34,7 @@ nodes['kunsi-p14s'] = { # '192.168.0.0/16', #}, # For the occasional file-share using `python -m http.server` - '8000': {'*'}, + '8000/tcp': {'*'}, }, }, 'interfaces': { @@ -68,7 +68,6 @@ nodes['kunsi-p14s'] = { 'openssh': { 'restrict-to': { 'rfc1918', - 'ipv6', }, }, 'openvpn-client': { diff --git a/nodes/kunsi-t470.py b/nodes/kunsi-t470.py index 61f21d4..c5b1ee7 100644 --- a/nodes/kunsi-t470.py +++ b/nodes/kunsi-t470.py @@ -36,13 +36,13 @@ nodes['kunsi-t470'] = { 'firewall': { 'port_rules': { # obs websocket thingie - just allow all RFC1918 ips here - '4444': { + '4444/tcp': { '10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16', }, # For the occasional file-share using `python -m http.server` - '8000': {'*'}, + '8000/tcp': {'*'}, }, }, 'locale': { @@ -73,7 +73,6 @@ nodes['kunsi-t470'] = { '10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16', - 'ipv6', }, }, 'pacman': { From ad9a920a4884c181a43cda5b9555591e6c327cf8 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 24 Sep 2023 21:07:21 +0200 Subject: [PATCH 391/996] bundles/icinga2: please only use "real" network interfaces instead of some vpn transfer ips --- bundles/icinga2/items.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/bundles/icinga2/items.py b/bundles/icinga2/items.py index a8d6e3a..fd51b34 100644 --- a/bundles/icinga2/items.py +++ b/bundles/icinga2/items.py 
@@ -332,7 +332,7 @@ for rnode in sorted(repo.nodes):
 if rnode.metadata.get('icinga_options/exclude_from_monitoring', False):
 continue
- host_ips = repo.libs.tools.resolve_identifier(repo, rnode.name)
+ host_ips = repo.libs.tools.resolve_identifier(repo, rnode.name, only_physical=True)
 icinga_ips = {}
 # XXX for the love of god, PLEASE remove this once DNS is no longer
From d88645c7bdeec83310ea6bcdaf22a58a8dd19726 Mon Sep 17 00:00:00 2001
From: Franziska Kunsmann
Date: Mon, 25 Sep 2023 10:44:09 +0200
Subject: [PATCH 392/996] move wireguard connection between kunsi-p14s and htz-cloud.wireguard to port 1194
---
 nodes/htz-cloud/wireguard.py | 4 ++--
 nodes/kunsi-p14s.py | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/nodes/htz-cloud/wireguard.py b/nodes/htz-cloud/wireguard.py
index 0e2c03d..cdd0519 100644
--- a/nodes/htz-cloud/wireguard.py
+++ b/nodes/htz-cloud/wireguard.py
@@ -44,7 +44,7 @@ nodes['htz-cloud.wireguard'] = {
 'oifname eth0 accept',
 ],
 '50-wireguard': [
- 'udp dport 51819 accept',
+ 'udp dport 1194 accept',
 ],
 },
 'postrouting': {
@@ -64,7 +64,7 @@ nodes['htz-cloud.wireguard'] = {
 'endpoint': None,
 'exclude_from_monitoring': True,
 'my_ip': '172.19.136.64',
- 'my_port': 51819,
+ 'my_port': 1194,
 'their_ip': '172.19.136.65',
 },
 },
diff --git a/nodes/kunsi-p14s.py b/nodes/kunsi-p14s.py
index 03d63a1..6c08895 100644
--- a/nodes/kunsi-p14s.py
+++ b/nodes/kunsi-p14s.py
@@ -168,7 +168,7 @@ nodes['kunsi-p14s'] = {
 'peers': {
 'htz-cloud.wireguard': {
 'auto_connection': False,
- 'endpoint': 'wireguard.htz-cloud.kunbox.net:51819',
+ 'endpoint': 'wireguard.htz-cloud.kunbox.net:1194',
 'my_ip': '172.19.136.65',
 'my_port': 51819,
 'their_ip': '172.19.136.64',
From 497ecb527976ee72529dd176f95dc87c30a7dc70 Mon Sep 17 00:00:00 2001
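Review bot: The listening port now lives twice in this node file, as `'my_port': 1194` and as the hand-written input rule `'udp dport 1194 accept'`, and this commit had to edit both; nothing visible ties them together, so the next port change can open the wrong port. If the wireguard bundle's nftables reactor (the `snat` one reworked in the previous commit) also emitted `udp dport {my_port} accept` for each peer that listens, the manual `'50-wireguard'` ruleset could go away; until then a comment next to the rule, `# must match wireguard/peers/*/my_port below`, is the minimum. The p14s side keeps `'my_port': 51819` as its own local port, which is consistent with only the endpoint changing there.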
From: Franziska Kunsmann Date: Sat, 30 Sep 2023 17:38:20 +0200 Subject: [PATCH 393/996] EOL htz-cloud.pleroma --- PORT_MAP.md | 1 - bundles/pleroma/files/pleroma.config.exs | 35 -------- bundles/pleroma/files/pleroma.service | 22 ----- bundles/pleroma/items.py | 88 ------------------- bundles/pleroma/metadata.py | 62 ------------- .../files/extras/htz-cloud.pleroma/pleroma | 2 - nodes/htz-cloud/pleroma.py | 85 ------------------ 7 files changed, 295 deletions(-) delete mode 100644 bundles/pleroma/files/pleroma.config.exs delete mode 100644 bundles/pleroma/files/pleroma.service delete mode 100644 bundles/pleroma/items.py delete mode 100644 bundles/pleroma/metadata.py delete mode 100644 data/nginx/files/extras/htz-cloud.pleroma/pleroma delete mode 100644 nodes/htz-cloud/pleroma.py diff --git a/PORT_MAP.md b/PORT_MAP.md index 109c03e..90b46f4 100644 --- a/PORT_MAP.md +++ b/PORT_MAP.md @@ -34,7 +34,6 @@ Rule of thumb: keep ports below 10000 free for stuff that reserves ports. | 20081 | matrix-synapse | prometheus metrics | | 20090 | matrix-media-repo | media_repo | | 20090 | matrix-media-repo | prometheus metrics | -| 21000 | pleroma | pleroma | | 21010 | grafana | grafana | | 22000 | forgejo | forgejo | | 22010 | jenkins-ci | Jenkins CI | diff --git a/bundles/pleroma/files/pleroma.config.exs b/bundles/pleroma/files/pleroma.config.exs deleted file mode 100644 index 64c2c0b..0000000 --- a/bundles/pleroma/files/pleroma.config.exs +++ /dev/null 
@@ -1,35 +0,0 @@ -import Config - -config :pleroma, - configurable_from_database: true - -config :pleroma, Pleroma.Web.Endpoint, - url: [host: "${node.metadata['pleroma']['url']}", scheme: "https", port: 443], - http: [port: 21000, ip: {127, 0, 0, 1}], - secret_key_base: "${node.metadata['pleroma']['secret_key']}", - secure_cookie_flag: true - -config :pleroma, :instance, - static_dir: "/var/pleroma/static/" - -config :pleroma, Pleroma.Upload, - uploader: Pleroma.Uploaders.Local, - filters: [Pleroma.Upload.Filter.Dedupe] - -config :pleroma, Pleroma.Uploaders.Local, - uploads: "/var/pleroma/uploads/" - -config :pleroma, :media_proxy, - enabled: false, - redirect_on_failure: true - #base_url: "https://cache.pleroma.social" - -# Configure your database -config :pleroma, Pleroma.Repo, - adapter: Ecto.Adapters.Postgres, - username: "pleroma", - password: "${node.metadata['postgresql']['roles']['pleroma']['password']}", - database: "pleroma", - hostname: "localhost", - pool_size: 10, - timeout: 60000 diff --git a/bundles/pleroma/files/pleroma.service b/bundles/pleroma/files/pleroma.service deleted file mode 100644 index 085b041..0000000 --- a/bundles/pleroma/files/pleroma.service +++ /dev/null @@ -1,22 +0,0 @@ -[Unit] -Description=Pleroma social network -After=network.target -Requires=postgresql.service - -[Service] -User=pleroma -WorkingDirectory=/opt/pleroma -Environment="HOME=/opt/pleroma" -Environment="PLEROMA_CONFIG_PATH=/opt/pleroma/pleroma.config.exs" -Environment="PLUG_TMPDIR=/tmp/pleroma" -ExecStart=/opt/pleroma/release/bin/pleroma start -ExecStop=/opt/pleroma/release/bin/pleroma stop -Restart=always - -PrivateTmp=true -ProtectHome=true -ProtectSystem=full -CapabilityBoundingSet=~CAP_SYS_ADMIN - -[Install] -WantedBy=multi-user.target diff --git a/bundles/pleroma/items.py b/bundles/pleroma/items.py deleted file mode 100644 index a03b973..0000000 --- a/bundles/pleroma/items.py +++ /dev/null 
@@ -1,88 +0,0 @@ -version = node.metadata['pleroma']['version'] - -users = { - 'pleroma': { - 'home': '/opt/pleroma', - }, -} - -directories = { - '/opt/pleroma': {}, - '/var/pleroma': { - 'owner': 'pleroma', - }, - '/var/pleroma/uploads': { - 'owner': 'pleroma', - }, - '/var/pleroma/static': { - 'owner': 'pleroma', - }, - '/var/pleroma/static/emoji': { - 'owner': 'pleroma', - }, -} - -if node.has_bundle('zfs'): - directories['/var/pleroma']['needs'] = { - 'zfs_dataset:tank/pleroma-data', - } - -actions = { - 'pleroma_download_release': { - 'command': \ - 'cd /opt/pleroma/ && '\ - f'wget -O/opt/pleroma/pleroma.zip https://git.pleroma.social/api/v4/projects/2/jobs/artifacts/release/{version}/download?job=amd64 && '\ - 'rm -rf release && '\ - 'unzip /opt/pleroma/pleroma.zip && '\ - 'chown -R pleroma:pleroma /opt/pleroma/release && '\ - f'echo -n "{version}" > /opt/pleroma/.bundlewrap_installed_version', - 'unless': f'[ "$(cat /opt/pleroma/.bundlewrap_installed_version)" = "{version}" ]', - 'needs': { - 'directory:/opt/pleroma', - }, - 'preceded_by': { - 'svc_systemd:pleroma:stop', - }, - 'triggers': { - 'action:pleroma_migrate_database', - 'svc_systemd:pleroma:restart', - }, - }, - 'pleroma_migrate_database': { - 'triggered': True, - 'command': \ - 'echo "CREATE EXTENSION IF NOT EXISTS citext;" | psql pleroma && '\ - 'echo "CREATE EXTENSION IF NOT EXISTS pg_trgm;" | psql pleroma && '\ - 'echo "CREATE EXTENSION IF NOT EXISTS \\\"uuid-ossp\\\";" | psql pleroma && '\ - 'sudo -u pleroma PLEROMA_CONFIG_PATH=/opt/pleroma/pleroma.config.exs /opt/pleroma/release/bin/pleroma_ctl create', - 'needs': { - 'postgres_db:pleroma', - }, - }, -} - -files = { - '/etc/systemd/system/pleroma.service': { - 'triggers': { - 'action:systemd-reload', - 'svc_systemd:pleroma:restart', - }, - }, - '/opt/pleroma/pleroma.config.exs': { - 'content_type': 'mako', - 'triggers': { - 'svc_systemd:pleroma:restart', - }, - }, -} - -svc_systemd = { - 'pleroma': { - 'needs': { - 
'action:pleroma_download_release', - 'action:pleroma_migrate_database', - 'file:/etc/systemd/system/pleroma.service', - 'file:/opt/pleroma/pleroma.config.exs', - }, - }, -} diff --git a/bundles/pleroma/metadata.py b/bundles/pleroma/metadata.py deleted file mode 100644 index 44e7a3b..0000000 --- a/bundles/pleroma/metadata.py +++ /dev/null @@ -1,62 +0,0 @@ -defaults = { - 'apt': { - 'packages': { - 'imagemagick': {}, - 'ffmpeg': {}, - 'libimage-exiftool-perl': {}, - }, - }, - 'backups': { - 'paths': { - '/var/pleroma', - }, - }, - 'zfs': { - 'datasets': { - 'tank/pleroma-data': { - 'mountpoint': '/var/pleroma', - 'needed_by': { - 'directory:/var/pleroma', - }, - }, - }, - }, - 'postgresql': { - 'roles': { - 'pleroma': { - 'password': repo.vault.password_for(f'{node.name} postgresql pleroma'), - }, - }, - 'databases': { - 'pleroma': { - 'owner': 'pleroma', - }, - }, - }, -} - - -@metadata_reactor.provides( - 'nginx/vhosts/pleroma', -) -def nginx(metadata): - if not node.has_bundle('nginx'): - raise DoNotRunAgain - - return { - 'nginx': { - 'vhosts': { - 'pleroma': { - 'domain': metadata.get('pleroma/url'), - 'locations': { - '/': { - 'target': 'http://127.0.0.1:21000', - 'websockets': True, - }, - }, - 'website_check_path': '/main/all', - 'website_check_string': 'use Pleroma', - }, - }, - }, - } diff --git a/data/nginx/files/extras/htz-cloud.pleroma/pleroma b/data/nginx/files/extras/htz-cloud.pleroma/pleroma deleted file mode 100644 index 7e69502..0000000 --- a/data/nginx/files/extras/htz-cloud.pleroma/pleroma +++ /dev/null @@ -1,2 +0,0 @@ - access_log /var/log/nginx/pleroma.log gdpr; - error_log /var/log/nginx/error.log; diff --git a/nodes/htz-cloud/pleroma.py b/nodes/htz-cloud/pleroma.py deleted file mode 100644 index b57d13c..0000000 --- a/nodes/htz-cloud/pleroma.py +++ /dev/null 
@@ -1,85 +0,0 @@ -nodes['htz-cloud.pleroma'] = { - 'bundles': { - 'pleroma', - 'postgresql', - 'zfs', - }, - 'groups': { - 'debian-buster', - 'webserver', - }, - 'metadata': { - 'interfaces': { - 'eth0': { - 'ips': { - '159.69.11.231', - '2a01:4f8:c2c:c410::1/64', - }, - 'gateway4': '172.31.1.1', - 'gateway6': 'fe80::1', - }, - 'ens10': { - 'ips': { - '172.19.137.5/32', - }, - 'routes': { - # VPN - '172.19.136.0/22': { - 'via': '172.19.137.1', - }, - }, - }, - }, - 'icinga_options': { - 'period': 'daytime', - 'pretty_name': 'cybert-media.net', - }, - 'cron': { - 'jobs': { - 'auto-authorize-sm-users': '* * * * * root echo "UPDATE users SET approval_pending=false WHERE email LIKE \'\\%@seibert-media.net\' AND approval_pending=true;" | psql pleroma >/dev/null', - }, - }, - 'nginx': { - 'vhosts': { - 'pleroma': { - 'max_body_size': '16M', - 'extras': True, - }, - 'pleroma-www-redir': { - 'domain': 'www.cybert-media.net', - 'locations': { - '/': { - 'redirect': 'https://cybert-media.net$request_uri', - }, - }, - }, - }, - }, - 'pleroma': { - 'version': '2.2.2', - 'url': 'cybert-media.net', - 'secret_key': vault.decrypt('encrypt$gAAAAABgMVXXclfxVY022fM0Fdf94Oh3sxVlK0lYyBO_CsQFEbZcMua3w1oJY8_9d1JcrCJSSeBRTDnt-ZkRCQ6xKoALo8Rl7s9DPxa7J0vHdkggeZ3IHaOyXBcBPdx8vILyKDLHRXacaynOUBOjy6RIl6Qf2wH1ASbphCcjD-Njricg4PG6Rcixm87fF60rLBjAAkRoz5ZQnXlut1rhjLj-z-7UpA68fkeyPVJXbroWBJdmvCUt92dwjuGARsku2XI22mVvjtJJ'), - }, - 'postfix': { - 'myhostname': 'cybert-media.net', - }, - 'postgresql': { - 'version': '11', - }, - 'vm': { - 'cpu': 1, - 'ram': 2, - }, - 'zfs': { - 'pools': { - 'tank': { - 'when_creating': { - 'config': [{ - 'devices': {'/dev/sdb'}, - }], - }, - }, - }, - }, - }, -} From 7cfe098b20d124fbed7e3634f6880e1a4dcc43a0 Mon Sep 17 00:00:00 2001 
From: Franziska Kunsmann Date: Sat, 30 Sep 2023 17:38:54 +0200 Subject: [PATCH 394/996] update all the things * element-web -> 1.11.45 * netbox -> 3.6.3 * travelynx -> 2.3.1 --- nodes/carlene.toml | 6 +++--- nodes/htz-cloud.afra.toml | 2 +- nodes/htz-cloud/miniserver.py | 2 +- nodes/voc/pretalx.py | 2 +- 4 files changed, 6 insertions(+), 6 deletions(-) diff --git a/nodes/carlene.toml b/nodes/carlene.toml index e49b158..017bbbc 100644 --- a/nodes/carlene.toml +++ b/nodes/carlene.toml @@ -40,7 +40,7 @@ imap_pass = "!bwpass_attr:t-online.de/franzi.kunsmann@t-online.de:imap" [metadata.element-web] url = "chat.franzi.business" -version = "v1.11.43" +version = "v1.11.45" [metadata.element-web.config] default_server_config.'m.homeserver'.base_url = "https://matrix.franzi.business" default_server_config.'m.homeserver'.server_name = "franzi.business" @@ -121,7 +121,7 @@ domain = "rss.franzi.business" [metadata.netbox] domain = "netbox.franzi.business" -version = "v3.6.2" +version = "v3.6.3" admins.kunsi = "hostmaster@kunbox.net" [metadata.nextcloud] @@ -244,7 +244,7 @@ disks = [ ] [metadata.travelynx] -version = "2.2.2" +version = "2.3.1" mail_from = "travelynx@franzi.business" domain = "travelynx.franzi.business" # the old one from rx300, XXX remove 2024-01-01 diff --git a/nodes/htz-cloud.afra.toml b/nodes/htz-cloud.afra.toml index e0ce906..478286c 100644 --- a/nodes/htz-cloud.afra.toml +++ b/nodes/htz-cloud.afra.toml @@ -32,7 +32,7 @@ routes.'172.19.136.0/22'.via = "172.19.137.1" [metadata.element-web] url = "element.afra.berlin" -version = "v1.11.43" +version = "v1.11.45" [metadata.element-web.config] default_server_config.'m.homeserver'.base_url = "https://matrix.afra.berlin" diff --git a/nodes/htz-cloud/miniserver.py b/nodes/htz-cloud/miniserver.py index b93bb53..dd34bf5 100644 --- a/nodes/htz-cloud/miniserver.py +++ b/nodes/htz-cloud/miniserver.py 
@@ -61,7 +61,7 @@ nodes['htz-cloud.miniserver'] = { }, 'element-web': { 'url': 'chat.sophies-kitchen.eu', - 'version': 'v1.11.43', + 'version': 'v1.11.45', 'config': { 'default_server_config': { 'm.homeserver': { diff --git a/nodes/voc/pretalx.py b/nodes/voc/pretalx.py index e3fee52..735cef6 100644 --- a/nodes/voc/pretalx.py +++ b/nodes/voc/pretalx.py @@ -56,7 +56,7 @@ nodes['voc.pretalx'] = { 'plugins': { 'broadcast_tools': { 'repo': 'https://github.com/Kunsi/pretalx-plugin-broadcast-tools.git', - 'rev': '2.0.1', + 'rev': '2.1.0', }, 'downstream': { 'repo': 'https://github.com/pretalx/pretalx-downstream.git', From 3767825b8426bb03d32d33eff54822951450e3d6 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 1 Oct 2023 16:57:13 +0200 Subject: [PATCH 395/996] ssl: bump *.home.kunbox.net --- data/ssl/_.home.kunbox.net.crt.pem | 38 ++++++++++++------------ data/ssl/_.home.kunbox.net.key.pem.vault | 2 +- 2 files changed, 20 insertions(+), 20 deletions(-) diff --git a/data/ssl/_.home.kunbox.net.crt.pem b/data/ssl/_.home.kunbox.net.crt.pem index a5bc0db..547ddbe 100644 --- a/data/ssl/_.home.kunbox.net.crt.pem +++ b/data/ssl/_.home.kunbox.net.crt.pem 
@@ -1,26 +1,26 @@ -----BEGIN CERTIFICATE----- -MIIEUTCCAzmgAwIBAgISA3XCqX5YOhUosSIywZ+FUWgQMA0GCSqGSIb3DQEBCwUA +MIIEUDCCAzigAwIBAgISBBhjMERhSG5b8U7eIAlaGWn/MA0GCSqGSIb3DQEBCwUA MDIxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQD -EwJSMzAeFw0yMzA3MTMwNTAzNDJaFw0yMzEwMTEwNTAzNDFaMBoxGDAWBgNVBAMT -D2hvbWUua3VuYm94Lm5ldDB2MBAGByqGSM49AgEGBSuBBAAiA2IABPfI2XD0xYsU -blEuSTQ6TAPU4qbMlyYFUk2iYBqhqCxcGwNA+z6F4VwR92YCXUp9mfMZxQwvE96L -6bsCyPiwJSAPEAV8nvIi4DvOd9WAtd3NEZrr2p+KZ2Lpzt2DcpaSF6OCAiUwggIh +EwJSMzAeFw0yMzEwMDExMzU3MDFaFw0yMzEyMzAxMzU3MDBaMBoxGDAWBgNVBAMT +D2hvbWUua3VuYm94Lm5ldDB2MBAGByqGSM49AgEGBSuBBAAiA2IABBfSWUJQ54y3 +xvd2UUSVUPA3KBN58D5QekHsen2sREg5fCRrl7gboO7OhDUQ6KZPbhiLfk4G7Ezy +DTkNRBmwYA4Qi1fTiwjMKkk1QI6jjaB0x3e01y2CkxvNRfoLRcS7a6OCAiQwggIg MA4GA1UdDwEB/wQEAwIHgDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIw -DAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQU7hLG0VpjgCUu78o7JlVIj/DaN/UwHwYD +DAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQU5V6aws5mTQy1PxpjO3m4igx9rtswHwYD VR0jBBgwFoAUFC6zF7dYVsuuUAlA5h+vnYsUwsYwVQYIKwYBBQUHAQEESTBHMCEG CCsGAQUFBzABhhVodHRwOi8vcjMuby5sZW5jci5vcmcwIgYIKwYBBQUHMAKGFmh0 dHA6Ly9yMy5pLmxlbmNyLm9yZy8wLQYDVR0RBCYwJIIRKi5ob21lLmt1bmJveC5u -ZXSCD2hvbWUua3VuYm94Lm5ldDATBgNVHSAEDDAKMAgGBmeBDAECATCCAQUGCisG -AQQB1nkCBAIEgfYEgfMA8QB3AHoyjFTYty22IOo44FIe6YQWcDIThU070ivBOlej -UutSAAABiU3ZIScAAAQDAEgwRgIhAI/IWOzaAkoJ4imfGvN+//beCTXm76RYd4jz -1lsWIcjzAiEAl1oqzrJ8NsWmTYXH8HsU4Yqpt0Ymg3/6hVCXpJSgCnYAdgC3Pvsk -35xNunXyOcW6WPRsXfxCz3qfNcSeHQmBJe20mQAAAYlN2SMNAAAEAwBHMEUCIFvo -elOBybAi2tLHrUTK4MbK6blQ1zGV6HhS9WlhhT1dAiEA4TZfRm1XoKvjw/NA6gT5 -rN+DRpP19xRqUBH+gp1i6RkwDQYJKoZIhvcNAQELBQADggEBAEYLbh1TJOv2Gpxv -WVpU17jdbjtP4saDZTncr8I6oeN5Hblp7YOkBO9YJMGtd9iMOXtO79pjaQj6uiy2 -qLdjkfBtLHGcmoRnqqwVD9eXY8qNr+2jRRbga7b9/3A0KR6BX/0cdG2XGoCd5k16 -Jza3XA5b7sGKfRtQiQFrhvH2tvmsr/Z1qfwe/m1BCv2QxAwvakMB9Ccua2QI2Jle -+cmOGwjMrRgHuTdMF8W8m2hfGGGIxY8A9h0teycn7CTFjLUwhcmsWfJuBGKAgnCj -Unof8vWbYdqdUDrj3kbTqDYx9IWO2j2iQkJPNS5XbtswpdaeDVy/n4i51ui4p+Z4 -mZf3Tf8= 
+ZXSCD2hvbWUua3VuYm94Lm5ldDATBgNVHSAEDDAKMAgGBmeBDAECATCCAQQGCisG +AQQB1nkCBAIEgfUEgfIA8AB2ALc++yTfnE26dfI5xbpY9Gxd/ELPep81xJ4dCYEl +7bSZAAABiuu+JUUAAAQDAEcwRQIhAMPnv6DVVfV3i+ocaTnc6TQhimNLQYmb3CVd +oEwKNlAQAiAc6YfUB1LpdWybMR7inRrI6jxmYyna1KWk+FAQWvDTGgB2AHoyjFTY +ty22IOo44FIe6YQWcDIThU070ivBOlejUutSAAABiuu+JVIAAAQDAEcwRQIgMf8n +M3Moi4M+gY3zoGtENnO6Eb9SzDBvbIc2PiroSgwCIQDSgbI+iTbBoG1CMykpeuzW +e24rm4+5GLZwELWuJ0w58jANBgkqhkiG9w0BAQsFAAOCAQEAlPtNavaIzvXkGK3k +gvBr2UkE69d9n8xjhaAPrSS2Nsqp+k8ze9Z+QN0+x52UwEqyZ5X2LjpM3fxsdiQo +MemNJjDpYJZLTBU6N1JpA2QbEUKQCo1hyhNo6pdy8zNehRYb4sxjr6RWo4XlM2FO +gbFoJzWezy6fM21vI/DmF2wKhlL1hmauyd6Lb7JBRkrykGuTSdKjtRJUNJtGhjkG +++NnaVHFV4D38EJOOqW56p+MtCxjS/zGjj1VV0D9iocIUmvau5aaaE55lNl8X2G8 +ycZ54g08rbiSv1NWLfbQ1pZwr+nhiAtuMncBeUgnyaRp079tcOLejbwKpgvxfxSm +6w2QHw== -----END CERTIFICATE----- diff --git a/data/ssl/_.home.kunbox.net.key.pem.vault b/data/ssl/_.home.kunbox.net.key.pem.vault index fd04536..983d6d5 100644 --- a/data/ssl/_.home.kunbox.net.key.pem.vault +++ b/data/ssl/_.home.kunbox.net.key.pem.vault 
@@ -1 +1 @@ -encrypt$gAAAAABkr5PB2erIW8c5yuAXfM9WRbpaeegip8Y4pLBWTWgwU-TC-58fBjXQjifFoXAcxbSKpaIW2PQR7HUZujYUUtWeL5MOI3L5UY2qK-SfLhl_kyMdZXYrdvknxAA_qGbxT6GqeMNQ8PtA5a38FR6ay6jCzpyNkGrLilEaFC6cgJB2IUnihlpS4BmXzPYIr-bpXMwEggID3O3y_A1UR_RrSs9dsRSIGcy_QCRFJ_9-I7VsDL2APB_IrDtSMACdxXozU02fD4WZm_RRMm2auROBi3HSvLNa3BrJu-tkJ6v2KN-O0d2IuYg74cyAxu_fqnKeM78dGFdHA2EX_L3-Sd5gFAstdZM3y8BxqTt0pJsbKPGSpcu5j1C_N_qjvSKqG9wuzVuVVeA5laoc4cIOYSRmQD_T97d-iyxqV8yB8aZaSe1P0JCI8gr7PelZns9nW0XhVKuiN3wvCIx26ZPqwES0Cayh1VZGQA== \ No newline at end of file +encrypt$gAAAAABlGYjCaSTuBPkMzru_0lYu_y7mVE3F_7MKAdc1NcayBOGZmtEL9c0SY57yWWZCvJRNki7nnkYnbd4Um4HfEMwJgibbQZVGX9OOo9YWkKcka-dZ_qIFAKS8AIrtjrqadMfNW0zGmBLVCjBK0WhgLTDbcbIeUW7oToy6bq3LUDW3T1sORDiiQp5ejISSTSFLD2XKsCmfBDpFaUR9O6bI32-pDDweq2ZI9S5KKPinrSjeCxbzSCGa1ILszs1lLbw2vsXQWgndTSmqdbAIXykGkHl1JxXGG3DyXf7ldezu1vEJvmaii2OSsjG0pPx40mrf1JQ1vh5h48a5Eis7w_F4YDCyUqnl8FvMKSGs3rZmUORVETal82x9_LimpCdm7i_Q1C3aUj--UN7GRqrNCG2dyl61qt8RkelGnteyWfhcQVSNHZFiL4nt7CirryVO0uB3yNztdsRjvjEgU2X9tAVu9iBdkfHLhw== \ No newline at end of file From 60a8c70caed0b982fe0a72633d6c86f748b8e1e2 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 1 Oct 2023 17:00:10 +0200 Subject: [PATCH 396/996] home.winkeeinhorn-vm: send email for node health --- nodes/home.winkeeinhorn-vm.toml | 1 + 1 file changed, 1 insertion(+) diff --git a/nodes/home.winkeeinhorn-vm.toml b/nodes/home.winkeeinhorn-vm.toml index e94f390..c51893d 100644 --- a/nodes/home.winkeeinhorn-vm.toml +++ b/nodes/home.winkeeinhorn-vm.toml @@ -9,3 +9,4 @@ mac = "52:54:00:b0:4e:4d" check_command = "check_freifunk_node" "vars.url" = "https://map.freifunk-mwu.de/data/meshviewer.json" "vars.id" = "525400b04e4d" +"vars.notification.mail" = true From 3c77ff530d8a9ed5977fbf8ad649e14467282431 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Tue, 3 Oct 2023 14:29:28 +0200 Subject: [PATCH 397/996] update travelynx to 2.4.0 --- nodes/carlene.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/nodes/carlene.toml b/nodes/carlene.toml index 017bbbc..1407cdb 100644 --- a/nodes/carlene.toml +++ b/nodes/carlene.toml @@ -244,7 +244,7 @@ disks = [ ] [metadata.travelynx] -version = "2.3.1" +version = "2.4.0" mail_from = "travelynx@franzi.business" domain = "travelynx.franzi.business" # the old one from rx300, XXX remove 2024-01-01 From 34428034dc9dc295ab712d557e30cb4166e4d0f3 Mon Sep 17 00:00:00 2001 From: Sophie Schiller Date: Sun, 8 Oct 2023 16:54:34 +0200 Subject: [PATCH 398/996] bw/phanpy add fediverse interface --- bundles/phanpy/items.py | 29 ++++++++++++++++++++++ bundles/phanpy/metadata.py | 46 +++++++++++++++++++++++++++++++++++ nodes/htz-cloud/miniserver.py | 5 ++++ 3 files changed, 80 insertions(+) create mode 100644 bundles/phanpy/items.py create mode 100644 bundles/phanpy/metadata.py diff --git a/bundles/phanpy/items.py b/bundles/phanpy/items.py new file mode 100644 index 0000000..dfbb0e5 --- /dev/null +++ b/bundles/phanpy/items.py @@ -0,0 +1,29 @@ +repo.libs.tools.require_bundle(node, 'nodejs') + +directories = { + '/opt/phanpy': {} +} + +git_deploy = { + '/opt/phanpy': { + 'rev': node.metadata.get('phanpy/version'), + 'repo': 'https://github.com/cheeaun/phanpy.git', + 'triggers': { + 'action:phanpy_build', + }, + }, +} + +actions = { + 'phanpy_build': { + 'command': ' && '.join([ + 'cd /opt/phanpy', + 'npm install ', + 'npm run build', + ]), + 'needs': { + 'pkg_apt:nodejs', + }, + 'triggered': True, + }, +} diff --git a/bundles/phanpy/metadata.py b/bundles/phanpy/metadata.py new file mode 100644 index 0000000..4bc56a0 --- /dev/null +++ b/bundles/phanpy/metadata.py 
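Review bot: The `phanpy_build` action runs `npm install` on a freshly checked-out tree, which resolves the dependency graph and executes its lifecycle scripts at deploy time rather than from a reviewed lockfile; if phanpy ships a `package-lock.json`, `npm ci` installs exactly what that lockfile pins and fails loudly on drift, which fits a git_deploy pinned to `node.metadata.get('phanpy/version')` better. The action sets no `user`, so unless bundlewrap's default differs here the install and build run with the deploy connection's privileges inside `/opt/phanpy`; a dedicated unprivileged user for the action and the directory would bound what a malicious package can do. `'npm install '` also carries a trailing space. The one-line change is `'npm ci',` in place of `'npm install ',`.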
@@ -0,0 +1,46 @@ +defaults = { + 'zfs': { + 'datasets': { + 'tank/phanpy': { + 'mountpoint': '/opt/phanpy', + 'needed_by': { + 'directory:/opt/phanpy', + }, + }, + }, + }, +} + +@metadata_reactor.provides( + 'nginx/vhosts/phanpy', +) +def nginx_config(metadata): + return { + 'nginx': { + 'vhosts': { + 'phanpy': { + 'domain': metadata.get('phanpy/url'), + 'webroot': '/opt/phanpy/dist/', + }, + }, + }, + } + + +@metadata_reactor.provides( + 'icinga2_api/phanpy/services', +) +def icinga_check_for_new_release(metadata): + return { + 'icinga2_api': { + 'phanpy': { + 'services': { + 'PHANPY UPDATE': { + 'command_on_monitored_host': '/usr/local/share/icinga/plugins/check_github_for_new_release cheeaun/phanpy {}'.format(metadata.get('phanpy/version')), + 'vars.notification.mail': True, + 'check_interval': '60m', + }, + }, + }, + }, + } diff --git a/nodes/htz-cloud/miniserver.py b/nodes/htz-cloud/miniserver.py index dd34bf5..e4d44a2 100644 --- a/nodes/htz-cloud/miniserver.py +++ b/nodes/htz-cloud/miniserver.py @@ -9,6 +9,7 @@ nodes['htz-cloud.miniserver'] = { 'nodejs', 'ntfy', 'mautrix-telegram', + 'phanpy', 'postgresql', 'zfs', }, @@ -204,6 +205,10 @@ nodes['htz-cloud.miniserver'] = { 'domain': 'ntfy.sophies-kitchen.eu', 'allow_unauthorized_write': True, }, + 'phanpy': { + 'url': 'phanpy.sophies-kitchen.eu', + 'version': '2023.10.07.9b1800d', + }, 'postgresql': { 'version': '11', }, From fb55226ba08ef04afa88dd472914e61b5b3989aa Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Mon, 9 Oct 2023 07:35:22 +0200 Subject: [PATCH 399/996] update forgejo to 1.20.5 --- nodes/carlene.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nodes/carlene.toml b/nodes/carlene.toml index 1407cdb..5bb19ff 100644 --- a/nodes/carlene.toml +++ b/nodes/carlene.toml 
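Review bot: Neither reactor in bundles/phanpy/metadata.py has a docstring, and `@metadata_reactor.provides(` for `nginx_config` follows the `defaults` dict with a single blank line where `icinga_check_for_new_release` gets the usual two; a one-liner such as `"""Publish the nginx vhost for phanpy from phanpy/url, served from /opt/phanpy/dist/."""` would cover the first. The icinga command interpolates `metadata.get('phanpy/version')` into a shell string via `.format()`; that value is operator-controlled metadata, so this is fine, but since the same string is also the git `rev` in items.py a comment saying the check compares the deployed rev against upstream releases would explain why it must stay in sync.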
@@ -49,7 +49,7 @@ defaultCountryCode = "DE" jitsi.preferredDomain = "meet.ffmuc.net" [metadata.forgejo] -version = "1.20.4-1" +version = "1.20.5-1" sha1 = "9650694ec7969643ebb4dbdf2f27462af57284e6" domain = "git.franzi.business" enable_git_hooks = true From 3ab970a04a37dd47d2e9b3f6802710e131a8c4a5 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Mon, 9 Oct 2023 07:35:35 +0200 Subject: [PATCH 400/996] update netbox to 2.4.1 --- nodes/carlene.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nodes/carlene.toml b/nodes/carlene.toml index 5bb19ff..4165260 100644 --- a/nodes/carlene.toml +++ b/nodes/carlene.toml @@ -244,7 +244,7 @@ disks = [ ] [metadata.travelynx] -version = "2.4.0" +version = "2.4.1" mail_from = "travelynx@franzi.business" domain = "travelynx.franzi.business" # the old one from rx300, XXX remove 2024-01-01 From ebc59f28434e05e4bef989f483f6324808175ebf Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Tue, 10 Oct 2023 16:29:50 +0200 Subject: [PATCH 401/996] update element-web to 1.11.46 --- nodes/carlene.toml | 2 +- nodes/htz-cloud.afra.toml | 2 +- nodes/htz-cloud/miniserver.py | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/nodes/carlene.toml b/nodes/carlene.toml index 4165260..86dab66 100644 --- a/nodes/carlene.toml +++ b/nodes/carlene.toml @@ -40,7 +40,7 @@ imap_pass = "!bwpass_attr:t-online.de/franzi.kunsmann@t-online.de:imap" [metadata.element-web] url = "chat.franzi.business" -version = "v1.11.45" +version = "v1.11.46" [metadata.element-web.config] default_server_config.'m.homeserver'.base_url = "https://matrix.franzi.business" default_server_config.'m.homeserver'.server_name = "franzi.business" diff --git a/nodes/htz-cloud.afra.toml b/nodes/htz-cloud.afra.toml index 478286c..cd010b1 100644 --- a/nodes/htz-cloud.afra.toml +++ b/nodes/htz-cloud.afra.toml 
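Review bot: The bump to `version = "1.20.5-1"` leaves the `sha1 = "9650694ec7969643ebb4dbdf2f27462af57284e6"` context line directly below it untouched, whereas the mautrix-whatsapp (PATCH 407) and matrix-media-repo (PATCH 414) bumps later in this series update `sha1` together with `version`. If `sha1` is the expected checksum of the downloaded release artifact, the pin is now stale and will either fail verification on the next deploy or, if it is not enforced, silently stop verifying anything; the hash for the new release belongs in the same commit. If it pins something else, a comment in `[metadata.forgejo]` stating what the value refers to would prevent this question from recurring.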
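Review bot: The subject of PATCH 400 says `update netbox to 2.4.1`, but the only hunk changes `[metadata.travelynx]` from `2.4.0` to `2.4.1`; the `[metadata.netbox]` table in this file is untouched here and only moves from v3.6.3 to v3.6.4 in PATCH 408. The subject should name travelynx so the history stays searchable and an audit of netbox versions is not misled.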
@@ -32,7 +32,7 @@ routes.'172.19.136.0/22'.via = "172.19.137.1" [metadata.element-web] url = "element.afra.berlin" -version = "v1.11.45" +version = "v1.11.46" [metadata.element-web.config] default_server_config.'m.homeserver'.base_url = "https://matrix.afra.berlin" diff --git a/nodes/htz-cloud/miniserver.py b/nodes/htz-cloud/miniserver.py index e4d44a2..424721d 100644 --- a/nodes/htz-cloud/miniserver.py +++ b/nodes/htz-cloud/miniserver.py @@ -62,7 +62,7 @@ nodes['htz-cloud.miniserver'] = { }, 'element-web': { 'url': 'chat.sophies-kitchen.eu', - 'version': 'v1.11.45', + 'version': 'v1.11.46', 'config': { 'default_server_config': { 'm.homeserver': { From 7a9401cd6c798eb3193a431ea92bfdc101078de2 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 15 Oct 2023 16:09:15 +0200 Subject: [PATCH 402/996] kunsi-p14s: always have voc ip set up, enable forwarding and nat through wireless interface --- nodes/kunsi-p14s.py | 23 +++++++++++++++++++++-- 1 file changed, 21 insertions(+), 2 deletions(-) diff --git a/nodes/kunsi-p14s.py b/nodes/kunsi-p14s.py index 6c08895..311bf65 100644 --- a/nodes/kunsi-p14s.py +++ b/nodes/kunsi-p14s.py @@ -39,8 +39,8 @@ nodes['kunsi-p14s'] = { }, 'interfaces': { 'br0': { - #'ips': {'10.73.100.103/16'}, - #'gateway4': '10.73.0.254', + 'ips': {'10.73.100.103/16'}, + 'gateway4': '10.73.0.254', 'dhcp': True, }, # there is also wlp3s0, but that's managed by netctl @@ -65,6 +65,19 @@ nodes['kunsi-p14s'] = { }, }, }, + 'nftables': { + 'forward': { + '50-routing': { + 'ct state { related, established } accept', + 'oifname wlp2s0 accept', + }, + }, + 'postrouting': { + '50-routing': { + 'oifname wlp2s0 masquerade', + }, + }, + }, 'openssh': { 'restrict-to': { 'rfc1918', @@ -139,6 +152,12 @@ nodes['kunsi-p14s'] = { }, }, }, + 'sysctl': { + 'options': { + 'net.ipv4.ip_forward': '1', + 'net.ipv6.conf.all.forwarding': '1', + }, + }, 'systemd-networkd': { 'bridges': { 'br0': { From 588f1218c2ed7c23804d7800fa7b88b4188734f5 Mon Sep 17 00:00:00 2001 
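Review bot: In the nftables hunk the forward rule `'oifname wlp2s0 accept'` admits forwarded traffic from any ingress interface, not only the bridge the laptop is routing for, so with `net.ipv4.ip_forward` now set anything that reaches the host's forward path is masqueraded out of the wireless uplink; restricting the ingress side, e.g. `'iifname br0 oifname wlp2s0 accept'`, matches the stated intent of routing the VoC network through wlp2s0. The same unrestricted `oifname` forward rule appears in the htz-cloud.wireguard hunk of PATCH 403, where `'iifname <wireguard-iface> oifname eth0 accept'` (interface name not visible on this page) would be the analogous tightening. The enclosing `nodes['kunsi-p14s']` dict starts and ends outside these hunks.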
From: Franziska Kunsmann Date: Mon, 16 Oct 2023 22:26:29 +0200 Subject: [PATCH 403/996] htz-cloud.wireguard: fix firewall --- nodes/htz-cloud/wireguard.py | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/nodes/htz-cloud/wireguard.py b/nodes/htz-cloud/wireguard.py index cdd0519..10af696 100644 --- a/nodes/htz-cloud/wireguard.py +++ b/nodes/htz-cloud/wireguard.py @@ -38,11 +38,13 @@ nodes['htz-cloud.wireguard'] = { }, }, 'nftables': { - 'input': { + 'forward': { '50-router': [ 'ct state { related, established } accept', 'oifname eth0 accept', ], + }, + 'input': { '50-wireguard': [ 'udp dport 1194 accept', ], From 08bf3b6565e1e52d28e25fd28e37c494610dfbb5 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Mon, 16 Oct 2023 22:27:09 +0200 Subject: [PATCH 404/996] kunsi-p14s: disable ipv6 forwarding, we don't need that --- nodes/kunsi-p14s.py | 1 - 1 file changed, 1 deletion(-) diff --git a/nodes/kunsi-p14s.py b/nodes/kunsi-p14s.py index 311bf65..901f793 100644 --- a/nodes/kunsi-p14s.py +++ b/nodes/kunsi-p14s.py @@ -155,7 +155,6 @@ nodes['kunsi-p14s'] = { 'sysctl': { 'options': { 'net.ipv4.ip_forward': '1', - 'net.ipv6.conf.all.forwarding': '1', }, }, 'systemd-networkd': { From ea42188904b31f4f5aa62058b9552ddb4c288a09 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 22 Oct 2023 08:58:31 +0200 Subject: [PATCH 405/996] bundles/oidentd: disable socket based activation --- bundles/oidentd/items.py | 40 +++++++++++++++++++++------------------- 1 file changed, 21 insertions(+), 19 deletions(-) diff --git a/bundles/oidentd/items.py b/bundles/oidentd/items.py index 723f9fe..fae03b3 100644 --- a/bundles/oidentd/items.py +++ b/bundles/oidentd/items.py 
@@ -1,24 +1,26 @@ -files = { - '/etc/oidentd.conf': { - 'content_type': 'mako', - 'triggers': { - 'svc_systemd:oidentd:restart', - }, - }, - '/usr/local/lib/systemd/system/oidentd.service': { - 'triggers': { - 'action:systemd-reload', - 'svc_systemd:oidentd:restart', - }, +files['/etc/oidentd.conf'] = { + 'content_type': 'mako', + 'triggers': { + 'svc_systemd:oidentd:restart', }, } -svc_systemd = { - 'oidentd': { - 'needs': { - 'pkg_apt:oidentd', - 'file:/etc/oidentd.conf', - 'file:/usr/local/lib/systemd/system/oidentd.service', - }, +files['/usr/local/lib/systemd/system/oidentd.service'] = { + 'triggers': { + 'action:systemd-reload', + 'svc_systemd:oidentd:restart', }, } + +svc_systemd['oidentd'] = { + 'needs': { + 'pkg_apt:oidentd', + 'file:/etc/oidentd.conf', + 'file:/usr/local/lib/systemd/system/oidentd.service', + }, +} + +svc_systemd['oidentd.socket'] = { + 'running': False, + 'enabled': False, +} From 0e03038bdb19e881fabe846918022748f7ca1a9e Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 22 Oct 2023 08:58:48 +0200 Subject: [PATCH 406/996] bundles/voc-tracker-worker: use EnvironmentFile --- bundles/voc-tracker-worker/files/crs-runner.service | 1 + bundles/voc-tracker-worker/files/environment | 8 ++++---- 2 files changed, 5 insertions(+), 4 deletions(-) diff --git a/bundles/voc-tracker-worker/files/crs-runner.service b/bundles/voc-tracker-worker/files/crs-runner.service index 72665cb..1c85a33 100644 --- a/bundles/voc-tracker-worker/files/crs-runner.service +++ b/bundles/voc-tracker-worker/files/crs-runner.service @@ -5,6 +5,7 @@ After=network.target [Service] User=voc Group=voc +EnvironmentFile=/etc/default/crs-worker ExecStart=/opt/crs-scripts/bin/crs_run ${script} WorkingDirectory=/opt/crs-scripts Restart=on-failure diff --git a/bundles/voc-tracker-worker/files/environment b/bundles/voc-tracker-worker/files/environment index 87e4333..98f40ea 100644 --- a/bundles/voc-tracker-worker/files/environment 
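Review bot: `svc_systemd['oidentd']` declares no dependency on the new `svc_systemd['oidentd.socket']` item, so whether the socket is stopped before or after the daemon is started is left to the item solver; if the packaged socket unit already holds the ident port, starting oidentd first fails on the initial run and only converges on a second apply. Adding `'svc_systemd:oidentd.socket',` to the `needs` set of `svc_systemd['oidentd']` makes the ordering explicit. This reading assumes `files` and `svc_systemd` are dicts pre-populated by the repo's libs, since the hunk switches from assigning the dicts to indexing into them.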
+++ b/bundles/voc-tracker-worker/files/environment @@ -1,6 +1,6 @@ -export CRS_TRACKER="${url}" -export CRS_TOKEN="${token}" -export CRS_SECRET="${secret}" +CRS_TRACKER=${url} +CRS_TOKEN=${token} +CRS_SECRET=${secret} % if use_vaapi: -export CRS_USE_VAAPI="yes" +CRS_USE_VAAPI=yes % endif From 01ffa3cc89d6b872af9452320843d72e583f8610 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 22 Oct 2023 08:59:29 +0200 Subject: [PATCH 407/996] update mautrix-whatsapp to 0.10.3 --- nodes/carlene.toml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/nodes/carlene.toml b/nodes/carlene.toml index 86dab66..b87c5bd 100644 --- a/nodes/carlene.toml +++ b/nodes/carlene.toml @@ -109,8 +109,8 @@ provisioning.shared_secret = "!decrypt:encrypt$gAAAAABfVKflEMAi07C_QGP8cy97hF-4g "'@kunsi:franzi.business'" = "admin" [metadata.mautrix-whatsapp] -version = "v0.10.2" -sha1 = "938c970ff522e067aac0b753f5def94aacd11d81" +version = "v0.10.3" +sha1 = "b7456543b2abd0ef5e303acc438e84adca4a7582" permissions."'@kunsi:franzi.business'" = "admin" [metadata.mautrix-whatsapp.homeserver] domain = "franzi.business" From 74bcebfd054b8c8163269f283ed06fb24e8950c0 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 22 Oct 2023 08:59:42 +0200 Subject: [PATCH 408/996] update netbox to 3.6.4 --- nodes/carlene.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nodes/carlene.toml b/nodes/carlene.toml index b87c5bd..6c2937d 100644 --- a/nodes/carlene.toml +++ b/nodes/carlene.toml @@ -121,7 +121,7 @@ domain = "rss.franzi.business" [metadata.netbox] domain = "netbox.franzi.business" -version = "v3.6.3" +version = "v3.6.4" admins.kunsi = "hostmaster@kunbox.net" [metadata.nextcloud] From 32afd183b15c34eaebd554d9aaaa079b415cbb9b Mon Sep 17 00:00:00 2001 
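Review bot: Dropping the double quotes around `${url}`, `${token}` and `${secret}` makes the file depend on the rendered values containing no whitespace that systemd's EnvironmentFile parser would strip; quoting as in `CRS_TOKEN="${token}"` remains valid for EnvironmentFile and is the more robust form for secrets of unknown shape. The file now carries the tracker token and secret into `/etc/default/crs-worker`, which the crs-runner.service hunk references; the item that installs it should set a restrictive mode and the `voc` owner, which is outside this hunk and worth confirming.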
From: Franziska Kunsmann Date: Fri, 27 Oct 2023 18:54:33 +0200 Subject: [PATCH 409/996] update element-web to 1.11.47 --- nodes/carlene.toml | 2 +- nodes/htz-cloud.afra.toml | 2 +- nodes/htz-cloud/miniserver.py | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/nodes/carlene.toml b/nodes/carlene.toml index 6c2937d..dbfb3ff 100644 --- a/nodes/carlene.toml +++ b/nodes/carlene.toml @@ -40,7 +40,7 @@ imap_pass = "!bwpass_attr:t-online.de/franzi.kunsmann@t-online.de:imap" [metadata.element-web] url = "chat.franzi.business" -version = "v1.11.46" +version = "v1.11.47" [metadata.element-web.config] default_server_config.'m.homeserver'.base_url = "https://matrix.franzi.business" default_server_config.'m.homeserver'.server_name = "franzi.business" diff --git a/nodes/htz-cloud.afra.toml b/nodes/htz-cloud.afra.toml index cd010b1..e892c56 100644 --- a/nodes/htz-cloud.afra.toml +++ b/nodes/htz-cloud.afra.toml @@ -32,7 +32,7 @@ routes.'172.19.136.0/22'.via = "172.19.137.1" [metadata.element-web] url = "element.afra.berlin" -version = "v1.11.46" +version = "v1.11.47" [metadata.element-web.config] default_server_config.'m.homeserver'.base_url = "https://matrix.afra.berlin" diff --git a/nodes/htz-cloud/miniserver.py b/nodes/htz-cloud/miniserver.py index 424721d..8e1de6a 100644 --- a/nodes/htz-cloud/miniserver.py +++ b/nodes/htz-cloud/miniserver.py @@ -62,7 +62,7 @@ nodes['htz-cloud.miniserver'] = { }, 'element-web': { 'url': 'chat.sophies-kitchen.eu', - 'version': 'v1.11.46', + 'version': 'v1.11.47', 'config': { 'default_server_config': { 'm.homeserver': { From f9ef74600f483d283d739089befb9831c9cc370f Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Fri, 27 Oct 2023 18:54:51 +0200 Subject: [PATCH 410/996] remove c3voc-jira lives in c3voc infrastructure and monitoring now --- nodes/c3voc-jira.toml | 29 ----------------------------- 1 file changed, 29 deletions(-) delete mode 100644 nodes/c3voc-jira.toml 
diff --git a/nodes/c3voc-jira.toml b/nodes/c3voc-jira.toml deleted file mode 100644 index df28559..0000000 --- a/nodes/c3voc-jira.toml +++ /dev/null @@ -1,29 +0,0 @@ -hostname = "31.172.33.107" -dummy = true - -[metadata.icinga_options] -period = "daytime" -show_on_statuspage = false - -[metadata.icinga2_api.nginx.services."NGINX VHOST jira CERTIFICATE"] -check_command = "check_https_cert_at_url" -"vars.domain" = "jira.c3voc.de" -"vars.notification.mail" = true - -[metadata.icinga2_api.nginx.services."NGINX VHOST jira CONTENT"] -check_command = "check_http_wget" -"vars.http_wget_contains" = "login.jsp" -"vars.http_wget_url" = "https://jira.c3voc.de/secure/Dashboard.jspa" -"vars.notification.sms" = true - -[metadata.icinga2_api.custom.services] -# these checks do not get deployed onto the actual host by us, we only -# execute those checks -'DISK SPACE'.'vars.sshmon_command' = 'DISK_SPACE' -'JIRA HEAP'.'vars.sshmon_command' = 'JIRA_HEAP' -'JIRA THREADS'.'vars.sshmon_command' = 'JIRA_THREADS' -'LOAD'.'vars.sshmon_command' = 'LOAD' -'OOM KILLER'.'vars.sshmon_command' = 'OOM_KILLER' -'RAM'.'vars.sshmon_command' = 'RAM' -'USER PROCESS SECURITY jira'.'vars.sshmon_command' = 'USER_PROCESS_SECURITY_jira' -'ZPOOL SPACE tank'.'vars.sshmon_command' = 'check_zpool_space_tank' From 60fffd67141d21557cded63debf95ba137363ba4 Mon Sep 17 00:00:00 2001 From: Sophie Schiller Date: Fri, 27 Oct 2023 19:29:33 +0200 Subject: [PATCH 411/996] remove phanpy --- bundles/phanpy/items.py | 29 ---------------------- bundles/phanpy/metadata.py | 46 ----------------------------------- nodes/htz-cloud/miniserver.py | 5 ---- 3 files changed, 80 deletions(-) delete mode 100644 bundles/phanpy/items.py delete mode 100644 bundles/phanpy/metadata.py diff --git a/bundles/phanpy/items.py b/bundles/phanpy/items.py deleted file mode 100644 index dfbb0e5..0000000 --- a/bundles/phanpy/items.py +++ /dev/null 
@@ -1,29 +0,0 @@ -repo.libs.tools.require_bundle(node, 'nodejs') - -directories = { - '/opt/phanpy': {} -} - -git_deploy = { - '/opt/phanpy': { - 'rev': node.metadata.get('phanpy/version'), - 'repo': 'https://github.com/cheeaun/phanpy.git', - 'triggers': { - 'action:phanpy_build', - }, - }, -} - -actions = { - 'phanpy_build': { - 'command': ' && '.join([ - 'cd /opt/phanpy', - 'npm install ', - 'npm run build', - ]), - 'needs': { - 'pkg_apt:nodejs', - }, - 'triggered': True, - }, -} diff --git a/bundles/phanpy/metadata.py b/bundles/phanpy/metadata.py deleted file mode 100644 index 4bc56a0..0000000 --- a/bundles/phanpy/metadata.py +++ /dev/null @@ -1,46 +0,0 @@ -defaults = { - 'zfs': { - 'datasets': { - 'tank/phanpy': { - 'mountpoint': '/opt/phanpy', - 'needed_by': { - 'directory:/opt/phanpy', - }, - }, - }, - }, -} - -@metadata_reactor.provides( - 'nginx/vhosts/phanpy', -) -def nginx_config(metadata): - return { - 'nginx': { - 'vhosts': { - 'phanpy': { - 'domain': metadata.get('phanpy/url'), - 'webroot': '/opt/phanpy/dist/', - }, - }, - }, - } - - -@metadata_reactor.provides( - 'icinga2_api/phanpy/services', -) -def icinga_check_for_new_release(metadata): - return { - 'icinga2_api': { - 'phanpy': { - 'services': { - 'PHANPY UPDATE': { - 'command_on_monitored_host': '/usr/local/share/icinga/plugins/check_github_for_new_release cheeaun/phanpy {}'.format(metadata.get('phanpy/version')), - 'vars.notification.mail': True, - 'check_interval': '60m', - }, - }, - }, - }, - } diff --git a/nodes/htz-cloud/miniserver.py b/nodes/htz-cloud/miniserver.py index 8e1de6a..1d6ee6a 100644 --- a/nodes/htz-cloud/miniserver.py +++ b/nodes/htz-cloud/miniserver.py @@ -9,7 +9,6 @@ nodes['htz-cloud.miniserver'] = { 'nodejs', 'ntfy', 'mautrix-telegram', - 'phanpy', 'postgresql', 'zfs', }, 
@@ -205,10 +204,6 @@ nodes['htz-cloud.miniserver'] = { 'domain': 'ntfy.sophies-kitchen.eu', 'allow_unauthorized_write': True, }, - 'phanpy': { - 'url': 'phanpy.sophies-kitchen.eu', - 'version': '2023.10.07.9b1800d', - }, 'postgresql': { 'version': '11', }, From 0b155a8a4d3d1083cc9dc7c5b82360a63e003520 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Mon, 30 Oct 2023 20:14:01 +0100 Subject: [PATCH 412/996] carlene: update travelynx to 2.5.1 --- nodes/carlene.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nodes/carlene.toml b/nodes/carlene.toml index dbfb3ff..b9df19f 100644 --- a/nodes/carlene.toml +++ b/nodes/carlene.toml @@ -244,7 +244,7 @@ disks = [ ] [metadata.travelynx] -version = "2.4.1" +version = "2.5.1" mail_from = "travelynx@franzi.business" domain = "travelynx.franzi.business" # the old one from rx300, XXX remove 2024-01-01 From 99ca3b6282f6c689c84146c6687b059fea3a78b1 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Mon, 30 Oct 2023 20:14:15 +0100 Subject: [PATCH 413/996] home.nas: get jellyfin hardware transcoding to work --- nodes/home/nas.py | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/nodes/home/nas.py b/nodes/home/nas.py index 2b23903..7befeb9 100644 --- a/nodes/home/nas.py +++ b/nodes/home/nas.py @@ -38,6 +38,10 @@ nodes['home.nas'] = { 'packages': { 'mpv': {}, + # for hardware transcoding of video + 'firmware-amd-graphics': {}, + 'mesa-va-drivers': {}, + # for compiling yate 'autoconf': {}, 'subversion': {}, From 9476771565d2cf4dca59dcb24b846bcafdfa6c56 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sat, 4 Nov 2023 14:14:22 +0100 Subject: [PATCH 414/996] update matrix-media-repo to 1.3.3 --- nodes/carlene.toml | 4 ++-- nodes/htz-cloud.afra.toml | 4 ++-- nodes/htz-cloud/miniserver.py | 4 ++-- 3 files changed, 6 insertions(+), 6 deletions(-) diff --git a/nodes/carlene.toml b/nodes/carlene.toml index b9df19f..4f02366 100644 --- a/nodes/carlene.toml +++ b/nodes/carlene.toml 
@@ -70,9 +70,9 @@ gateway6 = "2a0a:51c0:0:225::1" [metadata.matrix-media-repo] admins = ["@kunsi:franzi.business"] datastore_id = "3fff5da324ed784c771d638bb6be5917" -sha1 = "7a9976b09f6835171c610624f51b3cbf429bc0cf" +sha1 = "0be76072295f8b3ea2ca0f8c1d7b2833fd13d3ae" upload_max_mb = 500 -version = "v1.3.2" +version = "v1.3.3" [metadata.matrix-media-repo.homeservers.'franzi.business'] api = "synapse" domain = "http://[::1]:20080/" diff --git a/nodes/htz-cloud.afra.toml b/nodes/htz-cloud.afra.toml index e892c56..c3f706e 100644 --- a/nodes/htz-cloud.afra.toml +++ b/nodes/htz-cloud.afra.toml @@ -44,9 +44,9 @@ jitsi.preferredDomain = "meet.ffmuc.net" [metadata.matrix-media-repo] admins = ['@administress:afra.berlin'] datastore_id = "e33b50474021fba9977f912414cdd7fe8890ed57" -sha1 = "7a9976b09f6835171c610624f51b3cbf429bc0cf" +sha1 = "0be76072295f8b3ea2ca0f8c1d7b2833fd13d3ae" upload_max_mb = 50 -version = "v1.3.2" +version = "v1.3.3" [metadata.matrix-media-repo.homeservers.'afra.berlin'] domain = "http://[::1]:20080/" diff --git a/nodes/htz-cloud/miniserver.py b/nodes/htz-cloud/miniserver.py index 1d6ee6a..f82204d 100644 --- a/nodes/htz-cloud/miniserver.py +++ b/nodes/htz-cloud/miniserver.py @@ -113,9 +113,9 @@ nodes['htz-cloud.miniserver'] = { }, }, 'matrix-media-repo': { - 'version': 'v1.3.2', + 'version': 'v1.3.3', 'datastore_id': '99c09e24edc4e9be6c4c9486bc147e385bc87044', - 'sha1': '7a9976b09f6835171c610624f51b3cbf429bc0cf', + 'sha1': '0be76072295f8b3ea2ca0f8c1d7b2833fd13d3ae', 'homeservers': { 'sophies-kitchen.eu': { 'domain': 'http://[::1]:20080/', From 529e999e69a96d89f304f6721d231383742959d4 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Wed, 8 Nov 2023 07:50:18 +0100 Subject: [PATCH 415/996] voc.pretalx: more recent versions of everything please --- nodes/voc/pretalx.py | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/nodes/voc/pretalx.py b/nodes/voc/pretalx.py index 735cef6..da62f65 100644 --- a/nodes/voc/pretalx.py 
+++ b/nodes/voc/pretalx.py @@ -49,18 +49,18 @@ nodes['voc.pretalx'] = { }, }, 'pretalx': { - 'version': 'v2023.1.3', + 'version': 'main', 'domain': 'pretalx.c3voc.de', 'mail_from': 'pretalx@c3voc.de', 'administrators-from-group-id': 1, 'plugins': { 'broadcast_tools': { 'repo': 'https://github.com/Kunsi/pretalx-plugin-broadcast-tools.git', - 'rev': '2.1.0', + 'rev': 'main', }, 'downstream': { 'repo': 'https://github.com/pretalx/pretalx-downstream.git', - 'rev': 'v1.1.5', + 'rev': 'main', }, 'halfnarp': { 'repo': 'https://github.com/seibert-media/pretalx-halfnarp.git', From 807024eb9889810f003706d0a1842442a977a76f Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Wed, 8 Nov 2023 07:51:11 +0100 Subject: [PATCH 416/996] update element-web to 1.11.48 --- nodes/carlene.toml | 2 +- nodes/htz-cloud.afra.toml | 2 +- nodes/htz-cloud/miniserver.py | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/nodes/carlene.toml b/nodes/carlene.toml index 4f02366..a161836 100644 --- a/nodes/carlene.toml +++ b/nodes/carlene.toml @@ -40,7 +40,7 @@ imap_pass = "!bwpass_attr:t-online.de/franzi.kunsmann@t-online.de:imap" [metadata.element-web] url = "chat.franzi.business" -version = "v1.11.47" +version = "v1.11.48" [metadata.element-web.config] default_server_config.'m.homeserver'.base_url = "https://matrix.franzi.business" default_server_config.'m.homeserver'.server_name = "franzi.business" diff --git a/nodes/htz-cloud.afra.toml b/nodes/htz-cloud.afra.toml index c3f706e..7ec28e0 100644 --- a/nodes/htz-cloud.afra.toml +++ b/nodes/htz-cloud.afra.toml @@ -32,7 +32,7 @@ routes.'172.19.136.0/22'.via = "172.19.137.1" [metadata.element-web] url = "element.afra.berlin" -version = "v1.11.47" +version = "v1.11.48" [metadata.element-web.config] default_server_config.'m.homeserver'.base_url = "https://matrix.afra.berlin" diff --git a/nodes/htz-cloud/miniserver.py b/nodes/htz-cloud/miniserver.py index f82204d..eb8a554 100644 --- a/nodes/htz-cloud/miniserver.py 
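Review bot: Replacing the pinned `v2023.1.3`, `2.1.0` and `v1.1.5` with `main` turns every deploy into "whatever is on the upstream branch right now", so deploys of pretalx.c3voc.de stop being reproducible and any change, or compromise, pushed to those three repositories reaches production on the next run without review. If tracking upstream closely is the goal, pinning to a commit hash and bumping it explicitly keeps the audit trail; at minimum the reason belongs in a comment next to `'version': 'main',`. The `nodes['voc.pretalx']` dict starts and ends outside the hunk.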
+++ b/nodes/htz-cloud/miniserver.py @@ -61,7 +61,7 @@ nodes['htz-cloud.miniserver'] = { }, 'element-web': { 'url': 'chat.sophies-kitchen.eu', - 'version': 'v1.11.47', + 'version': 'v1.11.48', 'config': { 'default_server_config': { 'm.homeserver': { From c473f730d24de622691fe991242e4b3591a96b14 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sat, 11 Nov 2023 10:14:00 +0100 Subject: [PATCH 417/996] htz-cloud.pirmasens: move salonkatrin.de to new website --- nodes/htz-cloud/pirmasens.py | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/nodes/htz-cloud/pirmasens.py b/nodes/htz-cloud/pirmasens.py index 6321ccc..98afe10 100644 --- a/nodes/htz-cloud/pirmasens.py +++ b/nodes/htz-cloud/pirmasens.py @@ -37,12 +37,13 @@ nodes['htz-cloud.pirmasens'] = { }, 'nginx': { 'vhosts': { - 'salonkatrin.de': { - 'website_check_path': '/', - 'website_check_string': 'Salon Katrin', + 'salonkatrin-v1': { + 'domain': 'old.salonkatrin.de', }, 'salonkatrin-v2': { - 'domain': 'dev.salonkatrin.de', + 'domain': 'salonkatrin.de', + 'website_check_path': '/', + 'website_check_string': 'Salon Katrin', 'webroot_config': { 'owner': 'forgejo-carlene', }, From 1ae02ad4ec5146f8986bc80fa8be219259d208ba Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sat, 11 Nov 2023 20:16:33 +0100 Subject: [PATCH 418/996] bundles/php: some opcache settings --- bundles/php/files/8.2/php.ini | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/bundles/php/files/8.2/php.ini b/bundles/php/files/8.2/php.ini index 874bb71..40c16d5 100644 --- a/bundles/php/files/8.2/php.ini +++ b/bundles/php/files/8.2/php.ini @@ -97,3 +97,12 @@ session.sid_bits_per_character = 6 [Assertion] zend.assertions = -1 + +[opcache] +opcache.enable = 1 +opcache.save_comments = 1 +opcache.revalidate_freq = 60 +opcache.jit = 1255 +opcache.jit_buffer_size = 256M +opcache.memory_consumption = 256 +opcache.max_accelerated_files = 1048793 From 6f318f21aeefbf8e8280fa71a106c37af1fd3d3f Mon Sep 17 00:00:00 2001 
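Review bot: `opcache.max_accelerated_files = 1048793` is above the documented upper bound of 1000000; as far as I can tell the INI handler rejects values outside 200–1000000 with a startup warning and leaves the default in effect, which is the opposite of what the line intends. `opcache.max_accelerated_files = 1000000` gives the same internal hash size (PHP rounds up to the next prime in its table, 1048793) without being rejected. `opcache.revalidate_freq = 60` with `opcache.validate_timestamps` at its default means edited files are picked up at most once a minute; a comment such as `; changed files become visible after up to 60s` would explain deploys that look stuck.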
From: Franziska Kunsmann Date: Sat, 11 Nov 2023 20:38:45 +0100 Subject: [PATCH 419/996] bundles/powerdns: use schema provided by the powerdns package --- bundles/powerdns/files/schema.pgsql.sql | 105 ------------------------ bundles/powerdns/items.py | 8 +- 2 files changed, 3 insertions(+), 110 deletions(-) delete mode 100644 bundles/powerdns/files/schema.pgsql.sql diff --git a/bundles/powerdns/files/schema.pgsql.sql b/bundles/powerdns/files/schema.pgsql.sql deleted file mode 100644 index 9635168..0000000 --- a/bundles/powerdns/files/schema.pgsql.sql +++ /dev/null 
@@ -1,105 +0,0 @@ --- 4.3 schema, https://doc.powerdns.com/authoritative/backends/generic-postgresql.html - -CREATE TABLE domains ( - id SERIAL PRIMARY KEY, - name VARCHAR(255) NOT NULL, - master VARCHAR(128) DEFAULT NULL, - last_check INT DEFAULT NULL, - type VARCHAR(6) NOT NULL, - notified_serial BIGINT DEFAULT NULL, - account VARCHAR(40) DEFAULT NULL, - CONSTRAINT c_lowercase_name CHECK (((name)::TEXT = LOWER((name)::TEXT))) -); - -CREATE UNIQUE INDEX name_index ON domains(name); - -ALTER TABLE domains OWNER TO ${user}; - -CREATE TABLE records ( - id BIGSERIAL PRIMARY KEY, - domain_id INT DEFAULT NULL, - name VARCHAR(255) DEFAULT NULL, - type VARCHAR(10) DEFAULT NULL, - content VARCHAR(65535) DEFAULT NULL, - ttl INT DEFAULT NULL, - prio INT DEFAULT NULL, - change_date INT DEFAULT NULL, - disabled BOOL DEFAULT 'f', - ordername VARCHAR(255), - auth BOOL DEFAULT 't', - CONSTRAINT domain_exists - FOREIGN KEY(domain_id) REFERENCES domains(id) - ON DELETE CASCADE, - CONSTRAINT c_lowercase_name CHECK (((name)::TEXT = LOWER((name)::TEXT))) -); - -CREATE INDEX rec_name_index ON records(name); -CREATE INDEX nametype_index ON records(name,type); -CREATE INDEX domain_id ON records(domain_id); -CREATE INDEX recordorder ON records (domain_id, ordername text_pattern_ops); - -ALTER TABLE records OWNER TO ${user}; - -CREATE TABLE supermasters ( - ip INET NOT NULL, - nameserver VARCHAR(255) NOT NULL, - account VARCHAR(40) NOT NULL, - PRIMARY KEY(ip, nameserver) -); - -ALTER TABLE supermasters OWNER TO ${user}; - -CREATE TABLE comments ( - id SERIAL PRIMARY KEY, - domain_id INT NOT NULL, - name VARCHAR(255) NOT NULL, - type VARCHAR(10) NOT NULL, - modified_at INT NOT NULL, - account VARCHAR(40) DEFAULT NULL, - comment VARCHAR(65535) NOT NULL, - CONSTRAINT domain_exists - FOREIGN KEY(domain_id) REFERENCES domains(id) - ON DELETE CASCADE, - CONSTRAINT c_lowercase_name CHECK (((name)::TEXT = LOWER((name)::TEXT))) -); - -CREATE INDEX comments_domain_id_idx ON comments (domain_id); 
-CREATE INDEX comments_name_type_idx ON comments (name, type); -CREATE INDEX comments_order_idx ON comments (domain_id, modified_at); - -ALTER TABLE comments OWNER TO ${user}; - -CREATE TABLE domainmetadata ( - id SERIAL PRIMARY KEY, - domain_id INT REFERENCES domains(id) ON DELETE CASCADE, - kind VARCHAR(32), - content TEXT -); - -CREATE INDEX domainidmetaindex ON domainmetadata(domain_id); - -ALTER TABLE domainmetadata OWNER TO ${user}; - -CREATE TABLE cryptokeys ( - id SERIAL PRIMARY KEY, - domain_id INT REFERENCES domains(id) ON DELETE CASCADE, - flags INT NOT NULL, - active BOOL, - content TEXT -); - -CREATE INDEX domainidindex ON cryptokeys(domain_id); -ALTER TABLE cryptokeys OWNER TO ${user}; - - -CREATE TABLE tsigkeys ( - id SERIAL PRIMARY KEY, - name VARCHAR(255), - algorithm VARCHAR(50), - secret VARCHAR(255), - CONSTRAINT c_lowercase_name CHECK (((name)::TEXT = LOWER((name)::TEXT))) -); - -CREATE UNIQUE INDEX namealgoindex ON tsigkeys(name, algorithm); - -ALTER TABLE tsigkeys OWNER TO ${user}; diff --git a/bundles/powerdns/items.py b/bundles/powerdns/items.py index 04261c0..8d9ab85 100644 --- a/bundles/powerdns/items.py +++ b/bundles/powerdns/items.py @@ -66,7 +66,7 @@ actions = { 'powerdns_reload_zones': { 'triggered': True, 'command': 'pdns_control rediscover; pdns_control reload; pdns_control notify \*', - 'needs': { + 'after': { 'svc_systemd:pdns', }, }, 
@@ -158,14 +158,12 @@ if node.metadata.get('powerdns/features/pgsql', node.has_bundle('postgresql')): }, } - files['/etc/powerdns/schema.pgsql.sql'] = {} - actions['powerdns_load_pgsql_schema'] = { - 'command': node.metadata.get('postgresql/roles/powerdns/password').format_into('PGPASSWORD={} psql -h 127.0.0.1 -d powerdns -U powerdns -w < /etc/powerdns/schema.pgsql.sql'), + 'command': node.metadata.get('postgresql/roles/powerdns/password').format_into('PGPASSWORD={} psql -h 127.0.0.1 -d powerdns -U powerdns -w < /usr/share/pdns-backend-pgsql/schema/schema.pgsql.sql'), 'unless': 'sudo -u postgres psql -d powerdns -c "\dt" | grep domains 2>&1 >/dev/null', 'needs': { 'bundle:postgresql', - 'file:/etc/powerdns/schema.pgsql.sql', + 'pkg_apt:pdns-backend-pgsql', }, 'needed_by': { 'svc_systemd:pdns', From 210f17da530875ba3a642b3b77747b745d883564 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sat, 11 Nov 2023 20:41:07 +0100 Subject: [PATCH 420/996] add ns-sargeras --- nodes/ns-sargeras.toml | 26 ++++++++++++++++++++++++++ 1 file changed, 26 insertions(+) create mode 100644 nodes/ns-sargeras.toml diff --git a/nodes/ns-sargeras.toml b/nodes/ns-sargeras.toml new file mode 100644 index 0000000..53f64b0 --- /dev/null +++ b/nodes/ns-sargeras.toml @@ -0,0 +1,26 @@ +hostname = "46.102.156.104" +groups = [ + "debian-bookworm", + "dns", +] + +[metadata.interfaces.ens18] +ips = [ + "46.102.156.104/26", + "2a0d:f302:113:73e6::1/48", +] +gateway4 = "46.102.156.65" +gateway6 = "2a0d:f302:113::1" + +[metadata.postfix] +# It's fine to do this without authentificating to the relayhost. +# These Systems are not supposed to send mail anywhere else +# than our own domains. +relayhost = "[mail.franzi.business]:2525" + +[metadata.postgresql] +version = "15" + +[metadata.vm] +cpu = 2 +ram = 2 From 90ca65eb9f926529ccaa9e4cc51a3cc46951fcb4 Mon Sep 17 00:00:00 2001 
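Review bot: The new `'command'` line still interpolates the powerdns role password into the shell string (`PGPASSWORD={} psql ...`), so the secret is visible in the process list while psql runs and in any bundlewrap output that echoes the action command; the path switch to the packaged schema does not change that. The `'unless'` line already shows the password-free alternative (`sudo -u postgres psql`), but the load itself must keep connecting as `-U powerdns` so the created tables are owned by that role, so a better fit is to have bundlewrap write the password into a root-only pgpass file and set `PGPASSFILE=<path>` in the command instead of `PGPASSWORD=...`. The enclosing `if node.metadata.get('powerdns/features/pgsql', ...)` block starts outside the hunk.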
From: Franziska Kunsmann Date: Sat, 11 Nov 2023 21:09:47 +0100 Subject: [PATCH 421/996] carlene: remove die-brontosaurier-waren-es.org --- nodes/carlene.toml | 6 ------ 1 file changed, 6 deletions(-) diff --git a/nodes/carlene.toml b/nodes/carlene.toml index a161836..fae6081 100644 --- a/nodes/carlene.toml +++ b/nodes/carlene.toml @@ -131,12 +131,6 @@ domain = "warnochwas.de" contact = "mailto:security@kunsmann.eu" Encryption = "https://franzi.business/gpg_hi-kunsmann.eu.asc" -[metadata.nginx.vhosts.daskritzelt-redirect] -domain = "die-brontosaurier-waren-es.org" -ssl = false -locations.'/'.redirect = "https://twitter.com/daskritzelt/status/1259167444373028864" -locations.'/'.mode = 302 - [metadata.nginx.vhosts.'franzi.business'] domain = "franzi.business" From d6db192f539b08971808f2f2946769c28604d590 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 12 Nov 2023 11:00:12 +0100 Subject: [PATCH 422/996] automatix fixes --- automatix/upgrade_debian_bookworm.yaml | 47 -------------------------- automatix/upgrade_debian_bullseye.yaml | 2 +- 2 files changed, 1 insertion(+), 48 deletions(-) delete mode 100644 automatix/upgrade_debian_bookworm.yaml diff --git a/automatix/upgrade_debian_bookworm.yaml b/automatix/upgrade_debian_bookworm.yaml deleted file mode 100644 index 352940b..0000000 --- a/automatix/upgrade_debian_bookworm.yaml +++ /dev/null 
@@ -1,47 +0,0 @@ -name: Upgrade to debian bullseye -systems: - node: foonode - -always: - - has_zfs=python: NODES.node.has_bundle('zfs') - - is_buster=python: NODES.node.os_version[0] <= 10 - - buster_with_zfs=python: "{has_zfs} and {is_buster}" - -pipeline: - - manual: "set icinga2 downtime: https://icinga.kunsmann.eu/monitoring/host/schedule-downtime?host={SYSTEMS.node}" - - # apply first so we only see the upgrade changes later - - local: bw apply {SYSTEMS.node} - - manual: update debian version in node groups - - is_buster?local: "bw apply -o bundle:apt -s symlink:/usr/bin/python pkg_apt: -- {SYSTEMS.node}" - - # double time! - - remote@node: DEBIAN_FRONTEND=noninteractive apt-get -y -q -o Dpkg::Options::=--force-confold dist-upgrade - - remote@node: DEBIAN_FRONTEND=noninteractive apt-get -y -q -o Dpkg::Options::=--force-confold dist-upgrade - - # reboot into bullseye - - remote@node: systemctl reboot - - local: | - exit=1 - while [[ $exit -ne 0 ]]; - do - sleep 1 - ssh {SYSTEMS.node} true - exit=$? - done - - # fix zfs and reboot again - - buster_with_zfs?remote@node: zpool import tank -f - - has_zfs?remote@node: zpool upgrade -a - - has_zfs?remote@node: systemctl reboot - - has_zfs?local: | - exit=1 - while [[ $exit -ne 0 ]]; - do - sleep 1 - ssh {SYSTEMS.node} true - exit=$? - done - - # final apply - - local: bw apply {SYSTEMS.node} diff --git a/automatix/upgrade_debian_bullseye.yaml b/automatix/upgrade_debian_bullseye.yaml index 6531f1c..3eaee06 100644 --- a/automatix/upgrade_debian_bullseye.yaml +++ b/automatix/upgrade_debian_bullseye.yaml @@ -6,7 +6,7 @@ always: - has_zfs=python: NODES.node.has_bundle('zfs') pipeline: - - manual: "set icinga2 downtime: https://icinga.kunsmann.eu/monitoring/host/schedule-downtime?host={SYSTEMS.node}" + - manual: "set icinga2 downtime: https://icinga.franzi.business/monitoring/host/schedule-downtime?host={SYSTEMS.node}" # apply first so we only see the upgrade changes later - local: bw apply {SYSTEMS.node} 
From 75ef2e7bb94e375337b9b5f6758c7a29a9c0cd5f Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 12 Nov 2023 11:00:43 +0100 Subject: [PATCH 423/996] bundles/wireguard: uninstall dkms package for debian > 11 --- bundles/wireguard/metadata.py | 22 ++++++++++++++-------- 1 file changed, 14 insertions(+), 8 deletions(-) diff --git a/bundles/wireguard/metadata.py b/bundles/wireguard/metadata.py index c8951ee..19e324a 100644 --- a/bundles/wireguard/metadata.py +++ b/bundles/wireguard/metadata.py @@ -9,20 +9,26 @@ defaults = { 'packages': { 'wireguard': {}, }, - 'repos': { - 'backports': { - 'install_gpg_key': False, # default debian signing key - 'items': { - 'deb http://deb.debian.org/debian {os_release}-backports main', - }, - }, - }, }, 'wireguard': { 'privatekey': repo.libs.keys.gen_privkey(repo, f'{node.name} wireguard privatekey'), }, } +if node.os_version <= (11,): + defaults['apt']['repos'] = { + 'backports': { + 'install_gpg_key': False, # default debian signing key + 'items': { + 'deb http://deb.debian.org/debian {os_release}-backports main', + }, + }, + } +else: + defaults['apt']['packages']['wireguard-dkms'] = { + 'installed': False, + } + if node.has_bundle('telegraf'): defaults['telegraf'] = { 'input_plugins': { From b454fe474506e5116274e6feaa2257e49e87f31d Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 12 Nov 2023 11:01:50 +0100 Subject: [PATCH 424/996] htz-cloud.{pirmasens,wireguard}: update to debian bookworm --- nodes/htz-cloud/pirmasens.py | 2 +- nodes/htz-cloud/wireguard.py | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/nodes/htz-cloud/pirmasens.py b/nodes/htz-cloud/pirmasens.py index 98afe10..8f469e0 100644 --- a/nodes/htz-cloud/pirmasens.py +++ b/nodes/htz-cloud/pirmasens.py @@ -10,7 +10,7 @@ nodes['htz-cloud.pirmasens'] = { 'unbound', }, 'groups': { - 'debian-buster', + 'debian-bookworm', 'webserver', }, 'metadata': { 
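Review bot: `if node.os_version <= (11,):` compares tuples lexicographically, so a version such as `(11, 8)` sorts after `(11,)` and a bullseye node would take the `else` branch, losing the backports repo and getting `wireguard-dkms` marked for removal. The automatix playbook deleted earlier in this series indexes `NODES.node.os_version[0]`, which suggests the tuple can carry more than the major number; if that is the case here, compare the major only: `if node.os_version[0] <= 11:`. A short comment such as `# bookworm ships wireguard in-kernel; dkms only needed up to bullseye` would also document why the split exists.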
diff --git a/nodes/htz-cloud/wireguard.py b/nodes/htz-cloud/wireguard.py index 10af696..c6fefb6 100644 --- a/nodes/htz-cloud/wireguard.py +++ b/nodes/htz-cloud/wireguard.py @@ -5,7 +5,7 @@ nodes['htz-cloud.wireguard'] = { 'wireguard', }, 'groups': { - 'debian-buster', + 'debian-bookworm', }, 'metadata': { 'interfaces': { From 400b10789ae58ff61206b5e47987da61c51ddcda Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 12 Nov 2023 11:28:40 +0100 Subject: [PATCH 425/996] home.paperless: update debian bookworm, update to paperless-ngx --- bundles/paperless-ng/items.py | 6 +++--- bundles/paperless-ng/metadata.py | 19 +++++++++++++++++++ nodes/home/paperless.py | 4 ++-- 3 files changed, 24 insertions(+), 5 deletions(-) diff --git a/bundles/paperless-ng/items.py b/bundles/paperless-ng/items.py index 84e9e43..dcbc19d 100644 --- a/bundles/paperless-ng/items.py +++ b/bundles/paperless-ng/items.py @@ -13,7 +13,7 @@ directories = { git_deploy = { '/opt/paperless/src': { - 'repo': 'https://github.com/jonaswinkler/paperless-ng.git', + 'repo': 'https://github.com/paperless-ngx/paperless-ngx.git', 'rev': node.metadata.get('paperless/version'), 'triggers': { 'action:paperless_collectstatic', @@ -100,7 +100,7 @@ actions = { 'command': 'cd /opt/paperless/src/src-ui && ' 'npm install && ' - 'node_modules/.bin/ng build --prod', + 'node_modules/.bin/ng build', 'triggered': True, 'needs': { 'file:/opt/paperless/src/paperless.conf', @@ -115,7 +115,7 @@ actions = { 'needs': { 'directory:/opt/paperless/static', 'file:/opt/paperless/src/paperless.conf', - 'action:paperless_create_virtualenv', + 'action:paperless_install_deps', }, }, } diff --git a/bundles/paperless-ng/metadata.py b/bundles/paperless-ng/metadata.py index 1424e08..da0a401 100644 --- a/bundles/paperless-ng/metadata.py +++ b/bundles/paperless-ng/metadata.py 
@@ -56,3 +56,22 @@ def paperless_tesseract_languages(metadata): 'packages': packages, }, } + + +@metadata_reactor.provides( + 'icinga2_api/paperless/services', +) +def icinga_check_for_new_release(metadata): + return { + 'icinga2_api': { + 'paperless': { + 'services': { + 'PAPERLESS UPDATE': { + 'command_on_monitored_host': '/usr/local/share/icinga/plugins/check_github_for_new_release paperless-ngx/paperless-ngx {}'.format(metadata.get('paperless/version')), + 'vars.notification.mail': True, + 'check_interval': '60m', + }, + }, + }, + }, + } diff --git a/nodes/home/paperless.py b/nodes/home/paperless.py index 3dd957e..12fb5a4 100644 --- a/nodes/home/paperless.py +++ b/nodes/home/paperless.py @@ -8,7 +8,7 @@ nodes['home.paperless'] = { 'paperless-ng', }, 'groups': { - 'debian-buster', + 'debian-bookworm', 'webserver', }, 'metadata': { @@ -55,7 +55,7 @@ nodes['home.paperless'] = { }, }, 'paperless': { - 'version': 'ng-1.4.4', + 'version': 'v1.17.4', 'timezone': 'Europe/Berlin', }, 'postgresql': { From 9bde59d7e3779db8c67d1c81afddebcd2488b339 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 12 Nov 2023 11:32:27 +0100 Subject: [PATCH 426/996] carlene: update netbox to 3.6.5 --- nodes/carlene.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nodes/carlene.toml b/nodes/carlene.toml index fae6081..aa242e1 100644 --- a/nodes/carlene.toml +++ b/nodes/carlene.toml @@ -121,7 +121,7 @@ domain = "rss.franzi.business" [metadata.netbox] domain = "netbox.franzi.business" -version = "v3.6.4" +version = "v3.6.5" admins.kunsi = "hostmaster@kunbox.net" [metadata.nextcloud] From 48b453ceedb5d5ee1661d04c3b592840f10068b6 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sat, 18 Nov 2023 14:28:40 +0100 Subject: [PATCH 427/996] update element-web to 1.11.49 --- nodes/carlene.toml | 2 +- nodes/htz-cloud.afra.toml | 2 +- nodes/htz-cloud/miniserver.py | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) 
diff --git a/nodes/carlene.toml b/nodes/carlene.toml index aa242e1..d238685 100644 --- a/nodes/carlene.toml +++ b/nodes/carlene.toml @@ -40,7 +40,7 @@ imap_pass = "!bwpass_attr:t-online.de/franzi.kunsmann@t-online.de:imap" [metadata.element-web] url = "chat.franzi.business" -version = "v1.11.48" +version = "v1.11.49" [metadata.element-web.config] default_server_config.'m.homeserver'.base_url = "https://matrix.franzi.business" default_server_config.'m.homeserver'.server_name = "franzi.business" diff --git a/nodes/htz-cloud.afra.toml b/nodes/htz-cloud.afra.toml index 7ec28e0..05e401e 100644 --- a/nodes/htz-cloud.afra.toml +++ b/nodes/htz-cloud.afra.toml @@ -32,7 +32,7 @@ routes.'172.19.136.0/22'.via = "172.19.137.1" [metadata.element-web] url = "element.afra.berlin" -version = "v1.11.48" +version = "v1.11.49" [metadata.element-web.config] default_server_config.'m.homeserver'.base_url = "https://matrix.afra.berlin" diff --git a/nodes/htz-cloud/miniserver.py b/nodes/htz-cloud/miniserver.py index eb8a554..a39b4a3 100644 --- a/nodes/htz-cloud/miniserver.py +++ b/nodes/htz-cloud/miniserver.py @@ -61,7 +61,7 @@ nodes['htz-cloud.miniserver'] = { }, 'element-web': { 'url': 'chat.sophies-kitchen.eu', - 'version': 'v1.11.48', + 'version': 'v1.11.49', 'config': { 'default_server_config': { 'm.homeserver': { From 1bce530ba15f40c9a4ead79aa187f0a86a61b042 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sat, 18 Nov 2023 14:29:03 +0100 Subject: [PATCH 428/996] update matrix-whatsapp to 0.10.4 --- nodes/carlene.toml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/nodes/carlene.toml b/nodes/carlene.toml index d238685..504aadb 100644 --- a/nodes/carlene.toml +++ b/nodes/carlene.toml 
@@ -109,8 +109,8 @@ provisioning.shared_secret = "!decrypt:encrypt$gAAAAABfVKflEMAi07C_QGP8cy97hF-4g "'@kunsi:franzi.business'" = "admin" [metadata.mautrix-whatsapp] -version = "v0.10.3" -sha1 = "b7456543b2abd0ef5e303acc438e84adca4a7582" +version = "v0.10.4" +sha1 = "a07bc0d52ffa53130d285aaca309d42798e17f1a" permissions."'@kunsi:franzi.business'" = "admin" [metadata.mautrix-whatsapp.homeserver] domain = "franzi.business" From 935f68ee9786ddd6b5b955fbe8e3d26f77b58d8d Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Fri, 24 Nov 2023 08:23:56 +0100 Subject: [PATCH 429/996] bundles/icinga2: remove map.spam-rbl.com from SPAM BLOCKLIST check points to sale.domainserviceplatform.com nowadays --- bundles/icinga2/files/check_spam_blocklist | 1 - 1 file changed, 1 deletion(-) diff --git a/bundles/icinga2/files/check_spam_blocklist b/bundles/icinga2/files/check_spam_blocklist index dba6744..c9f94df 100644 --- a/bundles/icinga2/files/check_spam_blocklist +++ b/bundles/icinga2/files/check_spam_blocklist @@ -13,7 +13,6 @@ BLOCKLISTS = { 'dnsbl-1.uceprotect.net': set(), 'l2.spews.dnsbl.sorbs.net': set(), 'list.dsbl.org': set(), - 'map.spam-rbl.com': set(), 'multihop.dsbl.org': set(), 'ns1.unsubscore.com': set(), 'opm.blitzed.org': set(), From 22fb8fc1624933faa595c6cb86a0f7ebed35b45d Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sat, 25 Nov 2023 12:40:40 +0100 Subject: [PATCH 430/996] add home.wled-aftonsparv --- nodes/home.wled-aftonsparv.toml | 9 +++++++++ 1 file changed, 9 insertions(+) create mode 100644 nodes/home.wled-aftonsparv.toml diff --git a/nodes/home.wled-aftonsparv.toml b/nodes/home.wled-aftonsparv.toml new file mode 100644 index 0000000..661a403 --- /dev/null +++ b/nodes/home.wled-aftonsparv.toml @@ -0,0 +1,9 @@ +dummy = true + +[metadata.interfaces.default] +ips = ["172.19.138.71"] +dhcp = true +mac = "84:fc:e6:11:34:80" + +[metadata.icinga_options] +exclude_from_monitoring = true 
From 7199371065d0d750016f3ce27b74b3ccc311f942 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 26 Nov 2023 10:41:16 +0100 Subject: [PATCH 431/996] update element-web to 1.11.50 --- nodes/carlene.toml | 2 +- nodes/htz-cloud.afra.toml | 2 +- nodes/htz-cloud/miniserver.py | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/nodes/carlene.toml b/nodes/carlene.toml index 504aadb..43fa23c 100644 --- a/nodes/carlene.toml +++ b/nodes/carlene.toml @@ -40,7 +40,7 @@ imap_pass = "!bwpass_attr:t-online.de/franzi.kunsmann@t-online.de:imap" [metadata.element-web] url = "chat.franzi.business" -version = "v1.11.49" +version = "v1.11.50" [metadata.element-web.config] default_server_config.'m.homeserver'.base_url = "https://matrix.franzi.business" default_server_config.'m.homeserver'.server_name = "franzi.business" diff --git a/nodes/htz-cloud.afra.toml b/nodes/htz-cloud.afra.toml index 05e401e..331c8f9 100644 --- a/nodes/htz-cloud.afra.toml +++ b/nodes/htz-cloud.afra.toml @@ -32,7 +32,7 @@ routes.'172.19.136.0/22'.via = "172.19.137.1" [metadata.element-web] url = "element.afra.berlin" -version = "v1.11.49" +version = "v1.11.50" [metadata.element-web.config] default_server_config.'m.homeserver'.base_url = "https://matrix.afra.berlin" diff --git a/nodes/htz-cloud/miniserver.py b/nodes/htz-cloud/miniserver.py index a39b4a3..679b3e1 100644 --- a/nodes/htz-cloud/miniserver.py +++ b/nodes/htz-cloud/miniserver.py @@ -61,7 +61,7 @@ nodes['htz-cloud.miniserver'] = { }, 'element-web': { 'url': 'chat.sophies-kitchen.eu', - 'version': 'v1.11.49', + 'version': 'v1.11.50', 'config': { 'default_server_config': { 'm.homeserver': { From 308b66c407e7ba5ad6b8a1ac63c1da679884ec19 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 26 Nov 2023 11:14:17 +0100 Subject: [PATCH 432/996] bundles/apt: explicitely uninstall python3-packaging --- bundles/apt/items.py | 3 +++ 1 file changed, 3 insertions(+) 
diff --git a/bundles/apt/items.py b/bundles/apt/items.py index 6adbab1..ede8aae 100644 --- a/bundles/apt/items.py +++ b/bundles/apt/items.py @@ -153,6 +153,9 @@ pkg_apt = { 'popularity-contest': { 'installed': False, }, + 'python3-packaging': { + 'installed': False, + }, 'unattended-upgrades': { 'installed': False, }, From 7b646110f9e47a61c66b2d06a912454a70c42178 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 26 Nov 2023 19:26:06 +0100 Subject: [PATCH 433/996] add home.o2-joggler --- nodes/home.o2-joggler.toml | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) create mode 100644 nodes/home.o2-joggler.toml diff --git a/nodes/home.o2-joggler.toml b/nodes/home.o2-joggler.toml new file mode 100644 index 0000000..8dffb68 --- /dev/null +++ b/nodes/home.o2-joggler.toml @@ -0,0 +1,16 @@ +hostname = "172.19.138.95" +dummy = true +# + +[metadata.interfaces.eth0] +# only used for debugging, device uses wifi otherwise +ips = ["169.254.172.100"] +mac = "9a:d0:d7:e7:b0:bb" + +[metadata.interfaces.wlan0] +ips = ["172.19.138.94"] +dhcp = true +mac = "00:0e:8e:22:9c:9b" + +[metadata.icinga_options] +exclude_from_monitoring = true From d364b3c1527dba6d4f425ccc5429fb98e4477846 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Wed, 29 Nov 2023 16:40:43 +0100 Subject: [PATCH 434/996] update mautrix-telegram to 0.15.0 --- nodes/carlene.toml | 2 +- nodes/htz-cloud/miniserver.py | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/nodes/carlene.toml b/nodes/carlene.toml index 43fa23c..d371710 100644 --- a/nodes/carlene.toml +++ b/nodes/carlene.toml 
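Review bot: The new `'python3-packaging': {'installed': False}` entry in the `pkg_apt` dict force-removes a library package on every node but gives no reason; since apt also removes anything that depends on it, a node where another installed package requires python3-packaging would see that package removed as well, or the apply would fail. A one-line comment above the entry stating the motive (for example which pip-installed copy it conflicts with, if that is the reason) would let the next reader judge whether the removal is still needed. The `pkg_apt` dict itself starts outside the hunk.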
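Review bot: `hostname = "172.19.138.95"` in the new `home.o2-joggler.toml` does not match the only LAN address the node declares, `ips = ["172.19.138.94"]` under `[metadata.interfaces.wlan0]`; one of the two looks like an off-by-one typo, unless .95 is intentionally a separate address, which the file does not say. The bare `#` line right after `dummy = true` reads as the remnant of a deleted comment and could be dropped. `home.wled-aftonsparv.toml` from the same series is the comparable dummy node and carries its address in `ips` only.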
@@ -94,7 +94,7 @@ additional_client_config.'im.vector.riot.jitsi'.preferredDomain = "meet.ffmuc.ne wellknown_also_on_vhosts = ["franzi.business"] [metadata.mautrix-telegram] -version = "v0.14.2" +version = "v0.15.0" homeserver.domain = "franzi.business" homeserver.url = "https://matrix.franzi.business" telegram.api_id = "!decrypt:encrypt$gAAAAABfVK5SmDDru-UQxitkE5VhPArnUBhaRbAqQPvAW2Fh3fd1XDrWxa3Qn4BSnJAPNWglH5wil_SXUMcIm95FMhPe8dVeMQ==" diff --git a/nodes/htz-cloud/miniserver.py b/nodes/htz-cloud/miniserver.py index 679b3e1..0b3d752 100644 --- a/nodes/htz-cloud/miniserver.py +++ b/nodes/htz-cloud/miniserver.py @@ -136,7 +136,7 @@ nodes['htz-cloud.miniserver'] = { }, }, 'mautrix-telegram': { - 'version': 'v0.14.2', + 'version': 'v0.15.0', 'homeserver': { 'domain': 'sophies-kitchen.eu', 'url': 'https://matrix.sophies-kitchen.eu', From a21102724ad82dd1e32359992b75c81b55d529ef Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Wed, 29 Nov 2023 16:41:03 +0100 Subject: [PATCH 435/996] bundles/basic: use metadata.get() --- bundles/basic/items.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/bundles/basic/items.py b/bundles/basic/items.py index 74a0518..197c952 100644 --- a/bundles/basic/items.py +++ b/bundles/basic/items.py @@ -30,7 +30,7 @@ files = { } locale_needs = set() -for locale in sorted(node.metadata['locale']['installed']): +for locale in sorted(node.metadata.get('locale/installed')): actions[f'ensure_locale_{locale}_is_enabled'] = { 'command': f"sed -i '/{locale}/s/^# *//g' /etc/locale.gen", 'unless': f"grep -e '^{locale}' /etc/locale.gen", From 81bb8653d85f1569a9300de18736598f2f30f1a9 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Wed, 29 Nov 2023 16:43:08 +0100 Subject: [PATCH 436/996] update forgejo to 1.21.1-0 --- nodes/carlene.toml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/nodes/carlene.toml b/nodes/carlene.toml index d371710..9769b72 100644 --- a/nodes/carlene.toml +++ b/nodes/carlene.toml 
@@ -49,8 +49,8 @@ defaultCountryCode = "DE" jitsi.preferredDomain = "meet.ffmuc.net" [metadata.forgejo] -version = "1.20.5-1" -sha1 = "9650694ec7969643ebb4dbdf2f27462af57284e6" +version = "1.21.1-0" +sha1 = "56299b3a89134fe832ad05593e5effab0515aed9" domain = "git.franzi.business" enable_git_hooks = true install_ssh_key = true From 4e50bfe1a2f8c82caf1aa26417862c87b67c19b2 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Tue, 5 Dec 2023 07:21:38 +0100 Subject: [PATCH 437/996] htz-cloud.wireguard: wg for oneplus7 --- nodes/htz-cloud/wireguard.py | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/nodes/htz-cloud/wireguard.py b/nodes/htz-cloud/wireguard.py index c6fefb6..0b1d162 100644 --- a/nodes/htz-cloud/wireguard.py +++ b/nodes/htz-cloud/wireguard.py @@ -34,6 +34,7 @@ nodes['htz-cloud.wireguard'] = { 'bird': { 'static_routes': { '172.19.137.0/24', + '172.19.136.62/31', '172.19.136.64/31', }, }, @@ -47,6 +48,7 @@ nodes['htz-cloud.wireguard'] = { 'input': { '50-wireguard': [ 'udp dport 1194 accept', + 'udp dport 51800 accept', ], }, 'postrouting': { @@ -62,6 +64,15 @@ nodes['htz-cloud.wireguard'] = { 'wireguard': { 'snat_ip': '172.19.137.2', 'peers': { + 'kunsi-oneplus7': { + 'endpoint': None, + 'exclude_from_monitoring': True, + 'my_ip': '172.19.136.62', + 'my_port': 51800, + 'their_ip': '172.19.136.63', + 'psk': vault.decrypt('encrypt$gAAAAABlbr26kyQ_DNIObVNtG31e1uSZkfDKH9Y1tzq8ZNSAMeuEh30cMJBZQskLLYqt5HUGd-YFwYQB_E7oa-WWbHmDh4vAxJ22Efr85tA0TWsgkc2KvKHqZrNo-GCXhxCqs7SqhW1C'), + 'pubkey': vault.decrypt('encrypt$gAAAAABlbr27doNVsPXF7hMpAp93fP-h_jlW10zycZAHy05r4R7rOZrLqf5b-lhdamx_kQxypYtcW-jOCYgcqWNsId7RluEmFo3drFuUYKIa32YU_U0Pe5EjVRFz_tuf9NRPPugmHb22'), + }, 'kunsi-p14s': { 'endpoint': None, 'exclude_from_monitoring': True, From 9a3134cf46210807c204194d9bff3d5d743799d6 Mon Sep 17 00:00:00 2001 
From: Franziska Kunsmann Date: Thu, 7 Dec 2023 21:07:33 +0100 Subject: [PATCH 438/996] update paperless-ngx to v2.1.0 --- .../files/paperless-consumer.service | 3 +- .../files/paperless-scheduler.service | 5 +- .../files/paperless-taskqueue.service | 13 ++ .../files/paperless-webserver.service | 5 +- bundles/paperless-ng/files/paperless.conf | 3 +- bundles/paperless-ng/items.py | 204 +++++++----------- bundles/paperless-ng/metadata.py | 4 + nodes/home/paperless.py | 4 +- 8 files changed, 106 insertions(+), 135 deletions(-) create mode 100644 bundles/paperless-ng/files/paperless-taskqueue.service diff --git a/bundles/paperless-ng/files/paperless-consumer.service b/bundles/paperless-ng/files/paperless-consumer.service index 60a95f9..25c45a5 100644 --- a/bundles/paperless-ng/files/paperless-consumer.service +++ b/bundles/paperless-ng/files/paperless-consumer.service @@ -5,7 +5,8 @@ Requires=redis.service [Service] User=paperless Group=paperless -WorkingDirectory=/opt/paperless/src/src +Environment=PAPERLESS_CONFIGURATION_PATH=/opt/paperless/paperless.conf +WorkingDirectory=/opt/paperless/src/paperless-ngx/src ExecStart=/opt/paperless/venv/bin/python manage.py document_consumer [Install] diff --git a/bundles/paperless-ng/files/paperless-scheduler.service b/bundles/paperless-ng/files/paperless-scheduler.service index 54cfeae..3a4f9d8 100644 --- a/bundles/paperless-ng/files/paperless-scheduler.service +++ b/bundles/paperless-ng/files/paperless-scheduler.service @@ -5,8 +5,9 @@ Requires=redis.service [Service] User=paperless Group=paperless -WorkingDirectory=/opt/paperless/src/src -ExecStart=/opt/paperless/venv/bin/python manage.py qcluster +Environment=PAPERLESS_CONFIGURATION_PATH=/opt/paperless/paperless.conf +WorkingDirectory=/opt/paperless/src/paperless-ngx/src +ExecStart=/opt/paperless/venv/bin/celery --app paperless beat --loglevel INFO [Install] WantedBy=multi-user.target 
diff --git a/bundles/paperless-ng/files/paperless-taskqueue.service b/bundles/paperless-ng/files/paperless-taskqueue.service new file mode 100644 index 0000000..d0863d6 --- /dev/null +++ b/bundles/paperless-ng/files/paperless-taskqueue.service @@ -0,0 +1,13 @@ +[Unit] +Description=Paperless task queue +Requires=redis.service + +[Service] +User=paperless +Group=paperless +Environment=PAPERLESS_CONFIGURATION_PATH=/opt/paperless/paperless.conf +WorkingDirectory=/opt/paperless/src/paperless-ngx/src +ExecStart=/opt/paperless/venv/bin/celery --app paperless worker --loglevel INFO + +[Install] +WantedBy=multi-user.target diff --git a/bundles/paperless-ng/files/paperless-webserver.service b/bundles/paperless-ng/files/paperless-webserver.service index 9bcd926..b39c57d 100644 --- a/bundles/paperless-ng/files/paperless-webserver.service +++ b/bundles/paperless-ng/files/paperless-webserver.service @@ -7,8 +7,9 @@ Requires=redis.service [Service] User=paperless Group=paperless -WorkingDirectory=/opt/paperless/src/src -ExecStart=/opt/paperless/venv/bin/gunicorn -c /opt/paperless/src/gunicorn.conf.py -b 127.0.0.1:22070 paperless.asgi:application +Environment=PAPERLESS_CONFIGURATION_PATH=/opt/paperless/paperless.conf +WorkingDirectory=/opt/paperless/src/paperless-ngx/src +ExecStart=/opt/paperless/venv/bin/gunicorn -c /opt/paperless/src/paperless-ngx/gunicorn.conf.py -b 127.0.0.1:22070 paperless.asgi:application [Install] WantedBy=multi-user.target diff --git a/bundles/paperless-ng/files/paperless.conf b/bundles/paperless-ng/files/paperless.conf index 7972eef..6d0e684 100644 --- a/bundles/paperless-ng/files/paperless.conf +++ b/bundles/paperless-ng/files/paperless.conf 
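Review bot: The new `paperless-taskqueue.service` declares `Requires=redis.service` but no `After=redis.service`, and `Requires=` alone does not order startup, so the celery worker can be started before redis is listening and fail its first connection; add `After=redis.service network.target` to `[Unit]` (the sibling consumer, scheduler and webserver units in this commit have the same `Requires=`-only context line). There is also no `Restart=` directive, so a worker that dies stays down; `Restart=on-failure` in `[Service]` is the usual choice for a queue worker. As the unit runs as `User=paperless` with a fixed `PAPERLESS_CONFIGURATION_PATH`, low-risk sandboxing such as `PrivateTmp=true` and `NoNewPrivileges=true` would also fit here, though that is a broader change than this commit makes.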
@@ -28,7 +28,8 @@ PAPERLESS_CORS_ALLOWED_HOSTS=http://${node.metadata.get('nginx/vhosts/paperless/ # OCR settings PAPERLESS_OCR_LANGUAGE=${'+'.join(sorted(node.metadata.get('paperless/ocr_languages', {'deu', 'eng'})))} -PAPERLESS_OCR_MODE=skip_noarchive +PAPERLESS_OCR_MODE=skip +PAPERLESS_OCR_SKIP_ARCHIVE_FILE=never #PAPERLESS_OCR_OUTPUT_TYPE=pdfa #PAPERLESS_OCR_PAGES=1 #PAPERLESS_OCR_IMAGE_DPI=300 diff --git a/bundles/paperless-ng/items.py b/bundles/paperless-ng/items.py index dcbc19d..9afda57 100644 --- a/bundles/paperless-ng/items.py +++ b/bundles/paperless-ng/items.py 
@@ -1,146 +1,96 @@ -users = { - 'paperless': { - 'home': '/opt/paperless', +version = node.metadata.get('paperless/version') +workers = ('consumer', 'scheduler', 'taskqueue', 'webserver') + +users['paperless'] = { + 'home': '/opt/paperless', +} + +directories['/opt/paperless'] = {} + +directories['/opt/paperless/static'] = { + 'owner': 'paperless', +} + + +files['/opt/paperless/paperless.conf'] = { + 'content_type': 'mako', + 'triggers': { + f'svc_systemd:paperless-{worker}:restart' + for worker in workers }, } -directories = { - '/opt/paperless/src': {}, - '/opt/paperless/static': { - 'owner': 'paperless', +actions['paperless_create_virtualenv'] = { + 'command': '/usr/bin/python3 -m virtualenv -p python3 /opt/paperless/venv/', + 'unless': 'test -d /opt/paperless/venv/', + 'needs': { + 'directory:/opt/paperless', + 'pkg_apt:python3', + 'pkg_apt:python3-pip', + 'pkg_apt:python3-virtualenv', }, } -git_deploy = { - '/opt/paperless/src': { - 'repo': 'https://github.com/paperless-ngx/paperless-ngx.git', - 'rev': node.metadata.get('paperless/version'), - 'triggers': { - 'action:paperless_collectstatic', - 'action:paperless_compile_frontend', - 'action:paperless_install_deps', - 'action:paperless_migrate_database', - 'svc_systemd:paperless-consumer:restart', - 'svc_systemd:paperless-scheduler:restart', - 'svc_systemd:paperless-webserver:restart', - }, +actions['paperless_install'] = { + 'command': ' && '.join([ + f'wget -qO /opt/paperless/{version}.tar.xz https://github.com/paperless-ngx/paperless-ngx/releases/download/{version}/paperless-ngx-{version}.tar.xz', + 'rm -rf /opt/paperless/src/', + 'mkdir -p /opt/paperless/src/', + f'tar -C /opt/paperless/src -xf /opt/paperless/{version}.tar.xz', + f'rm /opt/paperless/{version}.tar.xz', + 'cd /opt/paperless/src/paperless-ngx', + '/opt/paperless/venv/bin/pip install --upgrade pip', + '/opt/paperless/venv/bin/pip install --upgrade -r requirements.txt', + f'echo "{version}" > /opt/paperless/version', + ]), + 'unless': f'''bash 
-c '[[ "$(cat /opt/paperless/version)" == "{version}" ]]' ''', + 'after': { + 'pkg_apt:', + }, + 'needs': { + 'action:paperless_create_virtualenv', + }, + 'triggers': { + 'action:paperless_migrate_database', }, } -files = { - '/etc/systemd/system/paperless-consumer.service': { +actions['paperless_migrate_database'] = { + 'command': ' && '.join([ + 'cd /opt/paperless/src/paperless-ngx/src', + 'sudo -Hu paperless PAPERLESS_CONFIGURATION_PATH=/opt/paperless/paperless.conf /opt/paperless/venv/bin/python manage.py migrate', + ]), + 'triggered': True, + 'needs': { + # /mnt/paperless is NOT created by this bundle. + 'action:paperless_install', + 'directory:/mnt/paperless', + 'directory:/opt/paperless/static', + 'file:/opt/paperless/paperless.conf', + 'user:paperless', + 'postgres_db:paperless', + }, +} + +for worker in workers: + files[f'/etc/systemd/system/paperless-{worker}.service'] = { + 'delete': True, 'triggers': { 'action:systemd-reload', - 'svc_systemd:paperless-consumer:restart', }, - }, - '/etc/systemd/system/paperless-scheduler.service': { + } + + files[f'/usr/local/lib/systemd/system/paperless-{worker}.service'] = { 'triggers': { 'action:systemd-reload', - 'svc_systemd:paperless-scheduler:restart', + f'svc_systemd:paperless-{worker}:restart', }, - }, - '/etc/systemd/system/paperless-webserver.service': { - 'triggers': { - 'action:systemd-reload', - 'svc_systemd:paperless-webserver:restart', - }, - }, - '/opt/paperless/src/paperless.conf': { - 'content_type': 'mako', - 'needs': { - 'git_deploy:/opt/paperless/src', - }, - 'triggers': { - 'svc_systemd:paperless-consumer:restart', - 'svc_systemd:paperless-scheduler:restart', - 'svc_systemd:paperless-webserver:restart', - }, - }, -} + } -actions = { - 'paperless_create_virtualenv': { - 'command': '/usr/bin/python3 -m virtualenv -p python3 /opt/paperless/venv/', - 'unless': 'test -d /opt/paperless/venv/', - 'needs': { - # actually /opt/paperless, but we don't create that - 'directory:/opt/paperless/src', - 
'pkg_apt:python3', - 'pkg_apt:python3-pip', - 'pkg_apt:python3-virtualenv', - }, - }, - 'paperless_install_deps': { - 'command': - 'cd /opt/paperless/src && ' - '/opt/paperless/venv/bin/pip install --upgrade pip && ' - '/opt/paperless/venv/bin/pip install --upgrade -r requirements.txt', - 'triggered': True, - 'needs': { - 'action:paperless_create_virtualenv', - }, - }, - 'paperless_migrate_database': { - 'command': - 'cd /opt/paperless/src/src && ' - 'sudo -Hu paperless /opt/paperless/venv/bin/python manage.py migrate', - 'triggered': True, - 'needs': { - # /mnt/paperless is NOT created by this bundle. - 'action:paperless_install_deps', - 'directory:/mnt/paperless', - 'directory:/opt/paperless/static', - 'file:/opt/paperless/src/paperless.conf', - 'user:paperless', - 'postgres_db:paperless', - }, - }, - 'paperless_compile_frontend': { - 'command': - 'cd /opt/paperless/src/src-ui && ' - 'npm install && ' - 'node_modules/.bin/ng build', - 'triggered': True, - 'needs': { - 'file:/opt/paperless/src/paperless.conf', - 'pkg_apt:nodejs', - }, - }, - 'paperless_collectstatic': { - 'command': - 'cd /opt/paperless/src/src && ' - 'sudo -Hu paperless /opt/paperless/venv/bin/python manage.py collectstatic', - 'triggered': True, - 'needs': { - 'directory:/opt/paperless/static', - 'file:/opt/paperless/src/paperless.conf', - 'action:paperless_install_deps', - }, - }, -} - -svc_systemd = { - 'paperless-consumer': { + svc_systemd[f'paperless-{worker}'] = { 'needs': { + 'action:paperless_install', 'action:paperless_migrate_database', - 'file:/etc/systemd/system/paperless-consumer.service', - 'git_deploy:/opt/paperless/src', + f'file:/usr/local/lib/systemd/system/paperless-{worker}.service', }, - }, - 'paperless-scheduler': { - 'needs': { - 'action:paperless_migrate_database', - 'file:/etc/systemd/system/paperless-scheduler.service', - 'git_deploy:/opt/paperless/src', - }, - }, - 'paperless-webserver': { - 'needs': { - 'action:paperless_compile_frontend', - 
'action:paperless_migrate_database', - 'file:/etc/systemd/system/paperless-webserver.service', - 'git_deploy:/opt/paperless/src', - }, - }, -} + } diff --git a/bundles/paperless-ng/metadata.py b/bundles/paperless-ng/metadata.py index da0a401..af7a17e 100644 --- a/bundles/paperless-ng/metadata.py +++ b/bundles/paperless-ng/metadata.py @@ -6,7 +6,9 @@ defaults = { 'gnupg': {}, 'imagemagick': {}, 'libmagic-dev': {}, + 'default-libmysqlclient-dev': {}, 'libpq-dev': {}, + 'mariadb-client': {}, 'mime-support': {}, 'optipng': {}, 'python3-wheel': {}, @@ -19,6 +21,8 @@ defaults = { 'pngquant': {}, 'qpdf': {}, 'tesseract-ocr': {}, + 'tesseract-ocr-deu': {}, + 'tesseract-ocr-eng': {}, 'unpaper': {}, 'zlib1g': {}, }, diff --git a/nodes/home/paperless.py b/nodes/home/paperless.py index 12fb5a4..3913e33 100644 --- a/nodes/home/paperless.py +++ b/nodes/home/paperless.py @@ -55,11 +55,11 @@ nodes['home.paperless'] = { }, }, 'paperless': { - 'version': 'v1.17.4', + 'version': 'v2.1.0', 'timezone': 'Europe/Berlin', }, 'postgresql': { - 'version': '11', + 'version': 15, }, 'vm': { 'cpu': 2, From 526a0ec64d57be92ec3c11f85a8953ba34c25ca3 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Thu, 7 Dec 2023 21:12:36 +0100 Subject: [PATCH 439/996] update element-web to 1.11.51 --- nodes/carlene.toml | 2 +- nodes/htz-cloud.afra.toml | 2 +- nodes/htz-cloud/miniserver.py | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/nodes/carlene.toml b/nodes/carlene.toml index 9769b72..1dca769 100644 --- a/nodes/carlene.toml +++ b/nodes/carlene.toml @@ -40,7 +40,7 @@ imap_pass = "!bwpass_attr:t-online.de/franzi.kunsmann@t-online.de:imap" [metadata.element-web] url = "chat.franzi.business" -version = "v1.11.50" +version = "v1.11.51" [metadata.element-web.config] default_server_config.'m.homeserver'.base_url = "https://matrix.franzi.business" default_server_config.'m.homeserver'.server_name = "franzi.business" 
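Review bot: The new `paperless_install` action fetches the release tarball with `wget` and unpacks it as root without any integrity check, whereas the `git_deploy` it replaces at least pinned a revision; a substituted or truncated download is extracted into `/opt/paperless/src` and its `requirements.txt` is then installed into the venv by root. Pin a digest next to the version in node metadata and verify it before extracting, e.g. `sha256 = node.metadata.get('paperless/sha256')` at the top and `f'echo "{sha256}  /opt/paperless/{version}.tar.xz" | sha256sum -c -',` inserted right after the `wget` entry — the `&&` chain then aborts on mismatch, and because `/opt/paperless/version` is only written as the last step the `unless` guard retries on the next apply. Separately, `rm -rf /opt/paperless/src/` runs before the new tree is unpacked, so a failed download or extraction leaves the running services without their `WorkingDirectory` until the next successful run; downloading and verifying into a temporary directory and moving it into place last would close that window. `version` is interpolated unquoted into the shell string, which is acceptable only as long as it comes from trusted node metadata, as it does here.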
diff --git a/nodes/htz-cloud.afra.toml b/nodes/htz-cloud.afra.toml index 331c8f9..7067b3a 100644 --- a/nodes/htz-cloud.afra.toml +++ b/nodes/htz-cloud.afra.toml @@ -32,7 +32,7 @@ routes.'172.19.136.0/22'.via = "172.19.137.1" [metadata.element-web] url = "element.afra.berlin" -version = "v1.11.50" +version = "v1.11.51" [metadata.element-web.config] default_server_config.'m.homeserver'.base_url = "https://matrix.afra.berlin" diff --git a/nodes/htz-cloud/miniserver.py b/nodes/htz-cloud/miniserver.py index 0b3d752..38175fe 100644 --- a/nodes/htz-cloud/miniserver.py +++ b/nodes/htz-cloud/miniserver.py @@ -61,7 +61,7 @@ nodes['htz-cloud.miniserver'] = { }, 'element-web': { 'url': 'chat.sophies-kitchen.eu', - 'version': 'v1.11.50', + 'version': 'v1.11.51', 'config': { 'default_server_config': { 'm.homeserver': { From c8bb51715e633a99c3deac90781c43beeb5420ea Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Thu, 7 Dec 2023 21:12:47 +0100 Subject: [PATCH 440/996] update netbox to 3.6.6 --- nodes/carlene.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nodes/carlene.toml b/nodes/carlene.toml index 1dca769..1855e95 100644 --- a/nodes/carlene.toml +++ b/nodes/carlene.toml @@ -121,7 +121,7 @@ domain = "rss.franzi.business" [metadata.netbox] domain = "netbox.franzi.business" -version = "v3.6.5" +version = "v3.6.6" admins.kunsi = "hostmaster@kunbox.net" [metadata.nextcloud] From 4e0f2863812e4361a16225721b3e5df6c389c7b8 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Fri, 8 Dec 2023 07:56:59 +0100 Subject: [PATCH 441/996] update paperless to 2.1.1 --- nodes/home/paperless.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nodes/home/paperless.py b/nodes/home/paperless.py index 3913e33..6014d87 100644 --- a/nodes/home/paperless.py +++ b/nodes/home/paperless.py @@ -55,7 +55,7 @@ nodes['home.paperless'] = { }, }, 'paperless': { - 'version': 'v2.1.0', + 'version': 'v2.1.1', 'timezone': 'Europe/Berlin', }, 'postgresql': { 
From 0084257872c2df56018ce01f48e9207a93a1d97f Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sat, 9 Dec 2023 13:42:31 +0100 Subject: [PATCH 442/996] kunsi-p14s: nftables rules order is important --- nodes/kunsi-p14s.py | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/nodes/kunsi-p14s.py b/nodes/kunsi-p14s.py
index 901f793..9f66fc0 100644
--- a/nodes/kunsi-p14s.py
+++ b/nodes/kunsi-p14s.py
@@ -67,15 +67,15 @@ nodes['kunsi-p14s'] = {
 },
 'nftables': {
 'forward': {
- '50-routing': {
+ '50-routing': [
 'ct state { related, established } accept',
 'oifname wlp2s0 accept',
- },
+ ],
 },
 'postrouting': {
- '50-routing': {
+ '50-routing': [
 'oifname wlp2s0 masquerade',
- },
+ ],
 },
 },
 'openssh': {
From ffb5125ddd25b17b08c0db3638199a17ed89fb87 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 10 Dec 2023 14:48:24 +0100 Subject: [PATCH 443/996] bundles/wireguard: add option to set settings based on a specific peer --- bundles/wireguard/files/wg.netdev | 2 ++ bundles/wireguard/items.py | 1 + libs/s2s.py | 7 +++++++ 3 files changed, 10 insertions(+)
diff --git a/bundles/wireguard/files/wg.netdev b/bundles/wireguard/files/wg.netdev
index 493db88..375bada 100644
--- a/bundles/wireguard/files/wg.netdev
+++ b/bundles/wireguard/files/wg.netdev
@@ -14,4 +14,6 @@ PresharedKey=${psk}
 % if endpoint:
 Endpoint=${endpoint}
 % endif
+% if specials.get('persistent_keepalive', True):
 PersistentKeepalive=30
+% endif
diff --git a/bundles/wireguard/items.py b/bundles/wireguard/items.py
index 5bbd7d3..6d4461a 100644
--- a/bundles/wireguard/items.py
+++ b/bundles/wireguard/items.py
@@ -27,6 +27,7 @@ for peer, config in sorted(node.metadata.get('wireguard/peers', {}).items()):
 'privatekey': node.metadata.get('wireguard/privatekey'),
 'psk': config['psk'],
 'pubkey': config['pubkey'],
+ 'specials': repo.libs.s2s.WG_AUTOGEN_SETTINGS.get(peer, {}),
 },
 'needs': deps,
 'triggers': {
diff --git a/libs/s2s.py b/libs/s2s.py
index a490e15..0da6d41 100644
--- a/libs/s2s.py +++ b/libs/s2s.py @@ -20,6 +20,13 @@ WG_AUTOGEN_NODES = [ 'daisy', ] +WG_AUTOGEN_SETTINGS = { + # special settings to apply when peering with a specific node + 'home.router': { + 'persistent_keepalive': False, + }, +} + def get_subnet_for_connection(repo, peer_a, peer_b): assert peer_a in WG_AUTOGEN_NODES assert peer_b in WG_AUTOGEN_NODES From 63d42c6b42a8bd17f83f743ce6d43c7a38cf8abd Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 10 Dec 2023 15:20:05 +0100 Subject: [PATCH 444/996] bundles/wireguard: add no_autoconnect option --- bundles/wireguard/metadata.py | 6 ++++-- libs/s2s.py | 1 + 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/bundles/wireguard/metadata.py b/bundles/wireguard/metadata.py index 19e324a..f0600c3 100644 --- a/bundles/wireguard/metadata.py +++ b/bundles/wireguard/metadata.py @@ -175,11 +175,13 @@ def peer_endpoints(metadata): except NoSuchNode: continue + if repo.libs.s2s.WG_AUTOGEN_SETTINGS.get(name, {}).get('no_autoconnect'): + continue peers[rnode.name] = { 'endpoint': '{}:{}'.format( - rnode.metadata.get('wireguard/external_hostname', rnode.hostname), - rnode.metadata.get(f'wireguard/peers/{node.name}/my_port', 51820), + rnode.hostname, + rnode.metadata.get(f'wireguard/peers/{node.name}/my_port'), ), } diff --git a/libs/s2s.py b/libs/s2s.py index 0da6d41..eba4728 100644 --- a/libs/s2s.py +++ b/libs/s2s.py @@ -23,6 +23,7 @@ WG_AUTOGEN_NODES = [ WG_AUTOGEN_SETTINGS = { # special settings to apply when peering with a specific node 'home.router': { + 'no_autoconnect': True, 'persistent_keepalive': False, }, } From 493dc91e0de67c1fb4e47ac5f83ba8699d94c9bc Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 10 Dec 2023 15:20:20 +0100 Subject: [PATCH 445/996] home.router: disable pppd restart at night --- nodes/home/router.py | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/nodes/home/router.py b/nodes/home/router.py index 6a0fe3b..81a61c9 100644 
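Review bot: Besides the `no_autoconnect` check, the `peer_endpoints` hunk silently drops two fallbacks that the commit subject does not mention — the `51820` default for the remote port and the `wireguard/external_hostname` override for the endpoint — so any autogen peer that has not declared `wireguard/peers/<node>/my_port` will presumably now fail the metadata build instead of defaulting. If that hard failure is intended, make it explicit with a comment on the `.get()` line such as `# no default on purpose: every autogen peer must declare its port`, otherwise restore the default; either way the removal of `external_hostname` deserves its own sentence in the commit message. `peer_endpoints()` starts outside the hunk.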
--- a/nodes/home/router.py +++ b/nodes/home/router.py @@ -36,15 +36,15 @@ nodes['home.router'] = { '172.19.139.0/24', }, }, - 'cron': { - 'jobs': { - # Our internet provider resets the connection if you're - # connected longer than 24 hours. We install this cronjob - # to make sure we don't get disconnected randomly during the - # day. - 'restart_pppd': '23 2 * * * root systemctl restart pppoe && date -u +\%s > /var/tmp/pppd-last-restart.status', - }, - }, +# 'cron': { +# 'jobs': { +# # Our internet provider resets the connection if you're +# # connected longer than 24 hours. We install this cronjob +# # to make sure we don't get disconnected randomly during the +# # day. +# 'restart_pppd': '23 2 * * * root systemctl restart pppoe && date -u +\%s > /var/tmp/pppd-last-restart.status', +# }, +# }, 'kea-dhcp-server': { 'subnets': { 'enp1s0.1138': { From 2497800f4a21eaf338b3d8d5c890a42356c3111d Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 10 Dec 2023 15:22:04 +0100 Subject: [PATCH 446/996] home.router: remove wg external_hostname --- nodes/home/router.py | 1 - 1 file changed, 1 deletion(-) diff --git a/nodes/home/router.py b/nodes/home/router.py index 81a61c9..aa23ccb 100644 --- a/nodes/home/router.py +++ b/nodes/home/router.py @@ -161,7 +161,6 @@ nodes['home.router'] = { }, }, 'wireguard': { - 'external_hostname': 'franzi-home.kunbox.net', # Set via DynDNS 'snat_ip': '172.19.138.1', }, }, From cd48cc59116661d033d08dcb5ba7d645bb9cb55d Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 10 Dec 2023 16:50:36 +0100 Subject: [PATCH 447/996] bump versatel and telekom ip ranges --- configs/as3320.txt | 221 ++++++++++++++++++++++++++++----------------- configs/as8881.txt | 92 ++++++++----------- 2 files changed, 179 insertions(+), 134 deletions(-) diff --git a/configs/as3320.txt b/configs/as3320.txt index 4eb09e7..2a42ee0 100644 --- a/configs/as3320.txt +++ b/configs/as3320.txt 
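Review bot: The `cron` block in `nodes/home/router.py` is commented out rather than deleted, leaving nine lines of dead configuration that git history already preserves, and the surviving comment text still says the job exists "to make sure we don't get disconnected randomly during the day", which is now the opposite of what the node does. Remove the block and replace it with a single comment that states the actual reason the nightly `pppoe` restart is gone, e.g. `# nightly pppoe restart removed; the connection is now left up until the provider drops it` — neither the hunk nor the commit message records that reason, so it should be written down here.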
@@ -1,10 +1,5 @@ -109.160.36.0/24 -109.160.37.0/24 -109.160.38.0/24 -109.160.39.0/24 -109.160.40.0/24 -109.160.41.0/24 109.237.176.0/20 +116.50.16.0/21 129.181.208.0/21 129.181.216.0/22 137.170.112.0/24 @@ -18,19 +13,12 @@ 139.12.255.0/24 139.12.3.0/24 139.12.4.0/24 -141.11.17.0/24 -141.11.18.0/24 -141.11.247.0/24 141.169.240.0/20 141.77.0.0/16 141.98.44.0/24 -145.225.1.0/24 -145.225.148.0/22 -145.225.152.0/24 +143.99.213.0/24 145.225.16.0/23 -145.225.2.0/24 -147.136.68.0/22 -147.136.76.0/22 +146.247.58.0/24 147.136.84.0/22 147.161.22.0/24 147.78.17.0/24 @@ -55,8 +43,10 @@ 153.17.255.0/24 153.96.218.0/24 153.96.22.0/24 +153.97.32.0/24 158.116.231.0/24 160.211.126.0/24 +163.5.168.0/24 164.133.10.0/24 164.133.11.0/24 164.133.150.0/24 @@ -65,18 +55,21 @@ 164.133.91.0/24 164.133.98.0/24 164.133.99.0/24 -164.18.96.0/21 +168.199.128.0/22 +168.199.160.0/22 +168.199.192.0/22 +168.199.212.0/22 170.237.92.0/23 171.25.178.0/24 176.221.24.0/24 176.221.25.0/24 176.53.136.0/24 176.53.137.0/24 -179.61.160.0/22 185.100.160.0/22 +185.101.244.0/23 +185.101.246.0/23 185.101.4.0/22 185.109.108.0/22 -185.112.249.0/24 185.114.200.0/22 185.124.48.0/24 185.126.168.0/22 @@ -97,33 +90,31 @@ 185.172.38.0/24 185.172.39.0/24 185.180.224.0/24 +185.183.212.0/23 +185.183.214.0/23 185.188.64.0/24 185.198.13.0/24 185.202.32.0/21 185.203.148.0/22 -185.206.69.0/24 185.207.46.0/24 -185.215.183.0/24 -185.230.136.0/24 +185.235.71.0/24 185.237.0.0/24 185.237.1.0/24 185.237.2.0/24 +185.240.85.0/24 185.242.224.0/24 185.243.44.0/22 185.243.44.0/24 185.243.45.0/24 185.243.46.0/24 185.243.47.0/24 +185.250.42.0/23 185.28.208.0/22 185.39.12.0/22 185.48.0.0/22 +185.57.24.0/24 185.82.160.0/23 185.91.204.0/22 -185.95.156.0/24 -185.95.157.0/24 -185.95.158.0/24 -185.95.159.0/24 -188.208.103.0/24 192.109.121.0/24 192.109.122.0/24 192.109.124.0/24 
@@ -141,10 +132,8 @@ 192.109.209.0/24 192.109.54.0/24 192.109.96.0/24 -192.124.252.0/24 192.129.58.0/24 192.145.8.0/22 -192.166.146.0/23 192.166.253.0/24 192.166.49.0/24 192.166.52.0/24 @@ -152,7 +141,6 @@ 192.31.102.0/24 192.54.39.0/24 192.54.48.0/24 -192.54.66.0/24 192.54.73.0/24 192.54.79.0/24 192.67.167.0/24 @@ -188,19 +176,21 @@ 193.110.102.0/23 193.110.102.0/24 193.110.103.0/24 +193.124.35.0/24 193.138.91.0/24 193.141.143.0/24 193.141.180.0/23 193.141.91.0/24 193.143.24.0/22 +193.151.248.0/22 193.158.0.0/15 193.16.184.0/23 193.16.235.0/24 +193.163.15.0/24 193.168.0.0/24 193.168.232.0/22 193.168.234.0/23 193.169.204.0/23 -193.178.226.0/23 193.188.196.0/24 193.201.170.0/24 193.201.206.0/24 @@ -208,6 +198,7 @@ 193.22.110.0/24 193.22.111.0/24 193.22.16.0/22 +193.22.164.0/24 193.22.174.0/24 193.22.205.0/24 193.22.29.0/24 @@ -233,12 +224,10 @@ 193.28.34.0/23 193.28.48.0/23 193.28.50.0/24 -193.28.64.0/21 193.29.112.0/24 193.29.115.0/24 193.29.116.0/24 193.29.126.0/24 -193.29.152.0/21 193.29.158.0/24 193.3.240.0/24 193.30.136.0/22 @@ -254,8 +243,10 @@ 193.41.10.0/23 193.47.164.0/24 193.53.93.0/24 +193.56.21.0/24 193.58.253.0/24 193.84.136.0/22 +193.96.230.0/24 193.96.232.0/23 193.97.238.0/24 193.98.181.0/24 @@ -272,6 +263,8 @@ 194.115.120.0/24 194.115.163.0/24 194.115.182.0/23 +194.115.182.0/24 +194.115.183.0/24 194.115.52.0/24 194.115.66.0/24 194.115.88.0/21 @@ -293,6 +286,7 @@ 194.127.182.0/24 194.127.195.0/24 194.127.208.0/22 +194.127.242.0/23 194.127.254.0/24 194.145.252.0/24 194.15.194.0/24 @@ -300,6 +294,7 @@ 194.15.61.0/24 194.15.64.0/21 194.15.72.0/22 +194.150.228.0/23 194.153.86.0/24 194.156.128.0/22 194.156.148.0/24 @@ -322,6 +317,7 @@ 194.25.0.0/16 194.25.1.5/32 194.26.191.0/24 +194.31.142.0/24 194.31.208.0/24 194.31.209.0/24 194.31.210.0/24 @@ -336,6 +332,7 @@ 194.39.48.0/20 194.39.48.0/21 194.39.56.0/21 +194.39.61.0/24 194.39.62.0/24 194.39.63.0/24 194.39.88.0/21 
@@ -358,6 +355,8 @@ 194.55.63.0/24 194.55.64.0/20 194.55.87.0/24 +194.58.40.0/24 +194.58.56.0/23 194.59.143.0/24 194.59.150.0/24 194.59.151.0/24 @@ -383,15 +382,27 @@ 194.76.52.0/24 194.77.41.0/24 194.77.42.0/24 +194.85.248.0/24 +194.85.251.0/24 +194.87.10.0/24 +194.87.17.0/24 +194.87.255.0/24 +194.87.77.0/24 +194.88.112.0/20 194.88.16.0/21 194.88.24.0/23 194.88.26.0/24 194.88.28.0/23 +194.88.96.0/21 194.99.118.0/24 194.99.34.0/24 194.99.76.0/23 194.99.83.0/24 194.99.92.0/22 +195.133.20.0/24 +195.133.64.0/22 +195.133.7.0/24 +195.133.76.0/24 195.137.216.0/23 195.138.223.0/24 195.144.15.0/24 @@ -401,8 +412,8 @@ 195.178.132.0/22 195.190.2.0/24 195.192.254.0/24 -195.20.114.0/23 195.200.207.0/24 +195.226.200.0/24 195.230.116.0/24 195.234.133.0/24 195.243.0.0/16 @@ -411,13 +422,13 @@ 195.248.140.0/23 195.248.144.0/23 195.248.89.0/24 -195.250.48.0/24 195.250.50.0/24 195.250.57.0/24 195.36.64.0/18 195.36.81.0/24 195.36.90.0/24 195.36.91.0/24 +195.66.83.0/24 195.68.204.0/23 195.74.94.0/24 195.78.249.0/24 @@ -425,12 +436,18 @@ 198.40.90.0/24 198.57.10.0/24 2.160.0.0/12 +2.58.102.0/24 204.69.32.0/24 205.142.63.0/24 -212.102.107.0/24 212.184.0.0/15 212.185.0.0/16 +212.87.217.0/24 +213.145.90.0/23 +213.145.92.0/23 213.173.0.0/19 +213.209.136.0/24 +213.209.149.0/24 +213.209.156.0/24 217.0.0.0/13 217.117.96.0/24 217.224.0.0/11 
@@ -440,42 +457,60 @@ 217.80.0.0/12 31.212.0.0/15 31.224.0.0/11 -31.6.52.0/22 +31.6.56.0/23 +37.143.0.0/22 +37.230.56.0/24 +37.230.57.0/24 +37.230.58.0/23 +37.230.60.0/24 +37.230.63.0/24 37.46.11.0/24 37.50.0.0/15 37.80.0.0/12 -45.10.157.0/24 -45.128.158.0/23 +45.128.14.0/23 +45.132.217.0/24 45.132.80.0/22 -45.140.8.0/23 -45.141.232.0/24 -45.141.62.0/23 -45.151.112.0/23 -45.151.114.0/23 -45.154.238.0/23 -45.157.202.0/23 -45.157.32.0/23 -45.90.184.0/22 +45.140.208.0/24 +45.141.130.0/24 +45.142.236.0/24 +45.145.241.0/24 +45.145.243.0/24 +45.147.227.0/24 +45.81.255.0/24 +45.83.136.0/22 +45.84.214.0/24 +45.93.186.0/23 +46.20.216.0/21 +46.250.224.0/21 +46.250.232.0/21 46.78.0.0/15 46.80.0.0/12 5.10.208.0/24 5.10.209.0/24 5.10.220.0/24 5.133.112.0/24 +5.249.188.0/22 +5.35.192.0/21 62.153.0.0/16 62.154.0.0/15 62.155.0.0/16 62.156.0.0/14 62.156.153.0/24 62.156.168.0/24 -62.192.152.0/24 62.224.0.0/14 62.56.208.0/21 -62.76.229.0/24 +62.68.73.0/24 +64.137.119.0/24 +64.137.125.0/24 +64.137.127.0/24 +77.242.149.0/24 77.47.152.0/22 77.83.136.0/23 77.83.138.0/23 -78.159.131.0/24 +77.83.32.0/22 +77.90.156.0/24 +77.90.184.0/24 +79.139.52.0/22 79.192.0.0/10 80.128.0.0/11 80.128.0.0/12 
@@ -488,40 +523,49 @@ 80.187.0.0/16 80.187.160.0/20 80.64.240.0/22 +80.71.231.0/24 +80.71.233.0/24 +80.71.235.0/24 +80.71.236.0/24 +80.71.238.0/24 81.201.32.0/20 81.30.96.0/20 +82.152.178.0/24 +82.163.60.0/22 +82.206.32.0/21 +82.206.40.0/21 +82.215.70.0/24 83.136.208.0/22 -83.147.40.0/22 +83.147.36.0/22 83.243.48.0/21 -83.243.55.0/24 84.128.0.0/10 +84.234.16.0/20 84.246.108.0/24 -84.32.20.0/22 +84.32.108.0/22 84.32.48.0/22 -84.32.56.0/22 -84.46.240.0/20 +85.116.28.0/24 +85.116.29.0/24 +85.116.30.0/24 +85.116.31.0/24 85.119.160.0/23 +85.204.160.0/22 85.208.248.0/24 85.208.249.0/24 85.208.250.0/24 85.208.251.0/24 -85.239.148.0/24 -85.239.149.0/24 -85.239.150.0/24 -85.239.151.0/24 -86.38.156.0/24 +85.237.76.0/22 86.38.248.0/21 86.38.37.0/24 87.128.0.0/10 87.128.0.0/11 87.237.240.0/21 88.128.0.0/16 -88.216.208.0/24 -89.116.248.0/24 +88.135.96.0/20 +88.216.60.0/22 89.116.64.0/22 -89.117.172.0/22 +89.213.186.0/23 89.35.127.0/24 -89.35.72.0/24 +89.43.34.0/24 91.0.0.0/10 91.103.240.0/21 91.189.192.0/21 @@ -543,42 +587,38 @@ 91.212.130.0/24 91.212.243.0/24 91.213.116.0/24 +91.214.10.0/24 91.215.116.0/22 91.216.242.0/24 91.216.45.0/24 91.217.214.0/24 91.222.232.0/22 91.227.98.0/23 +91.232.136.0/22 91.232.54.0/24 -91.92.33.0/24 -91.92.34.0/24 -91.92.35.0/24 -91.92.49.0/24 -92.118.161.0/24 +92.114.44.0/22 +92.119.164.0/22 92.119.208.0/24 92.119.209.0/24 92.119.210.0/24 92.119.211.0/24 -93.152.205.0/24 -93.152.207.0/24 -93.152.209.0/24 -93.152.215.0/24 -93.152.219.0/24 -93.152.221.0/24 -93.152.223.0/24 -93.152.224.0/24 -93.152.225.0/24 +93.119.184.0/21 93.192.0.0/10 +93.95.119.0/24 94.126.98.0/24 -94.26.90.0/24 +94.26.110.0/23 +94.26.64.0/23 +95.178.8.0/21 2001:650:cc02::/48 2001:678:184::/48 2001:678:36c::/48 2001:678:480::/48 +2001:678:5b0::/48 2001:678:5d4::/48 2001:678:a04::/48 2001:678:adc::/48 2001:678:b38::/48 +2001:678:bdc::/48 2001:678:d4c::/48 2001:678:e9c::/48 2001:678:ff0::/48 
@@ -598,10 +638,28 @@ 2001:67c:764::/48 2001:67c:94c::/48 2001:67c:a34::/48 +2001:67c:b80::/48 +2001:67c:c84::/48 +2001:67c:c9c::/48 2003:3c0::/28 2003:3e0::/28 2003:8:1800::/48 2003:8:1803::/48 +2003:8:f400::/48 +2003:8:f401::/48 +2003:8:f402::/48 +2003:8:f403::/48 +2003:8:f404::/48 +2003:8:f405::/48 +2003:8:f406::/48 +2003:8:f407::/48 +2003:8:f408::/48 +2003:8:f409::/48 +2003:8:f40a::/48 +2003:8:f40b::/48 +2003:8:f40c::/48 +2003:8:f40d::/48 +2003:8:f40e::/48 2003::/19 2003::/20 2003::/23 @@ -618,12 +676,10 @@ 2a06:1800::/29 2a06:1a80::/29 2a06:7180::/29 -2a07:b982:c000::/48 2a09:6f80::/29 2a09:8180::/30 2a0a:5340:ffff::/48 2a0a:a3c0:b0::/44 -2a0b:3c41:1::/48 2a0b:3c41:2::/48 2a0c:9e02:1000::/40 2a0c:9e02:100::/40 @@ -639,5 +695,8 @@ 2a0d:480::/30 2a0d:484::/30 2a0e:eb40::/32 +2a0f:15c0::/32 2a10:cd80::/29 2a11:7400:d1::/48 +2a12:6900:1000::/40 +2a13:9500:2::/48 diff --git a/configs/as8881.txt b/configs/as8881.txt index 9420d5f..3ff36ae 100644 --- a/configs/as8881.txt +++ b/configs/as8881.txt @@ -6,8 +6,7 @@ 109.250.160.0/19 109.250.192.0/19 109.250.224.0/19 -109.250.32.0/20 -109.250.48.0/20 +109.250.32.0/19 109.250.64.0/19 109.250.80.0/22 109.250.84.0/22 @@ -67,16 +66,22 @@ 193.22.3.0/24 193.28.72.0/21 193.29.240.0/24 +193.29.241.0/24 +193.29.242.0/24 193.29.243.0/24 +193.29.244.0/24 +193.29.245.0/24 193.29.246.0/24 +193.29.247.0/24 193.30.132.0/24 193.30.140.0/24 193.96.238.0/24 193.98.229.0/24 193.98.40.0/22 193.99.160.0/21 -194.113.252.0/23 -194.113.253.0/24 +194.115.182.0/23 +194.115.182.0/24 +194.115.183.0/24 194.115.26.0/24 194.120.182.0/23 194.120.182.0/24 @@ -92,9 +97,11 @@ 194.156.232.0/23 194.156.233.0/24 194.174.168.0/22 +194.180.18.0/24 194.180.53.0/24 194.180.64.0/20 194.187.112.0/24 +194.30.180.0/24 194.31.92.0/24 194.39.185.0/24 194.39.87.0/24 @@ -106,7 +113,6 @@ 194.88.25.0/24 194.9.190.0/24 194.99.0.0/21 -194.99.113.0/24 195.149.80.0/23 195.167.208.0/20 195.191.20.0/23 
@@ -203,8 +209,7 @@ 83.135.0.0/16 83.135.0.0/22 83.135.112.0/20 -83.135.128.0/20 -83.135.144.0/20 +83.135.128.0/19 83.135.16.0/22 83.135.160.0/21 83.135.164.0/22 @@ -245,9 +250,6 @@ 83.135.64.0/19 83.135.8.0/21 83.135.96.0/20 -83.243.48.0/21 -83.243.48.0/22 -83.243.52.0/22 84.19.192.0/19 84.19.192.0/20 84.19.208.0/20 @@ -257,7 +259,7 @@ 87.122.128.0/21 87.122.136.0/22 87.122.144.0/20 -87.122.16.0/22 +87.122.16.0/20 87.122.160.0/20 87.122.176.0/21 87.122.184.0/24 @@ -268,21 +270,15 @@ 87.122.189.0/24 87.122.190.0/24 87.122.191.0/24 -87.122.192.0/20 -87.122.20.0/22 -87.122.208.0/20 +87.122.192.0/19 87.122.224.0/19 -87.122.24.0/21 87.122.32.0/19 -87.122.64.0/20 -87.122.80.0/20 +87.122.64.0/19 87.122.96.0/19 87.123.0.0/16 -87.123.0.0/20 +87.123.0.0/19 87.123.112.0/20 -87.123.128.0/20 -87.123.144.0/20 -87.123.16.0/20 +87.123.128.0/19 87.123.160.0/20 87.123.176.0/20 87.123.192.0/20 @@ -296,13 +292,13 @@ 87.123.253.0/24 87.123.254.0/24 87.123.255.0/24 -87.123.48.0/20 +87.123.32.0/19 87.123.64.0/20 87.123.80.0/20 +87.123.96.0/19 87.123.96.0/20 88.130.0.0/16 88.130.0.0/19 -88.130.112.0/20 88.130.130.0/23 88.130.132.0/22 88.130.136.0/21 @@ -358,17 +354,16 @@ 88.130.62.0/24 88.130.63.0/24 88.130.64.0/19 -88.130.96.0/20 +88.130.96.0/19 89.244.0.0/14 89.244.0.0/16 89.244.112.0/21 89.244.120.0/21 89.244.120.0/22 89.244.124.0/24 -89.244.125.0/24 89.244.126.0/24 89.244.127.0/24 -89.244.160.0/20 +89.244.160.0/21 89.244.164.0/22 89.244.168.0/21 89.244.176.0/20 @@ -377,7 +372,6 @@ 89.244.240.0/20 89.244.64.0/21 89.244.72.0/22 -89.244.76.0/22 89.244.80.0/20 89.244.96.0/20 89.245.0.0/16 @@ -395,13 +389,13 @@ 89.245.191.0/24 89.245.192.0/19 89.245.224.0/19 +89.245.32.0/19 89.245.32.0/20 -89.245.48.0/20 89.245.64.0/20 89.245.80.0/20 89.245.96.0/20 89.246.0.0/16 -89.246.0.0/20 +89.246.0.0/19 89.246.104.0/23 89.246.106.0/24 89.246.107.0/24 
@@ -416,8 +410,8 @@ 89.246.122.0/24 89.246.123.0/24 89.246.124.0/22 -89.246.16.0/20 89.246.160.0/20 +89.246.160.0/21 89.246.176.0/22 89.246.180.0/22 89.246.184.0/21 @@ -427,21 +421,20 @@ 89.246.56.0/21 89.246.96.0/21 89.247.0.0/16 -89.247.0.0/20 +89.247.0.0/19 89.247.112.0/21 89.247.120.0/22 89.247.124.0/24 89.247.125.0/24 89.247.126.0/24 89.247.127.0/24 -89.247.144.0/22 -89.247.152.0/21 -89.247.16.0/20 +89.247.144.0/20 89.247.160.0/20 89.247.192.0/20 89.247.208.0/21 89.247.216.0/22 89.247.224.0/21 +89.247.232.0/21 89.247.232.0/22 89.247.236.0/22 89.247.240.0/21 @@ -450,15 +443,14 @@ 89.247.253.0/24 89.247.254.0/24 89.247.255.0/24 +89.247.32.0/19 89.247.32.0/20 -89.247.48.0/20 89.247.64.0/20 89.247.80.0/20 89.247.96.0/20 89.27.128.0/17 89.27.153.0/24 91.194.180.0/23 -91.195.104.0/23 91.198.67.0/24 91.199.158.0/24 91.201.128.0/22 @@ -469,8 +461,6 @@ 91.208.212.0/24 91.217.145.0/24 91.220.125.0/24 -91.223.2.0/24 -91.223.41.0/24 91.229.3.0/24 92.116.0.0/15 92.116.0.0/20 @@ -479,10 +469,8 @@ 92.116.128.0/18 92.116.16.0/20 92.116.192.0/19 -92.116.224.0/20 -92.116.240.0/20 -92.116.32.0/20 -92.116.48.0/20 +92.116.224.0/19 +92.116.32.0/19 92.116.64.0/18 92.116.96.0/19 92.117.0.0/19 @@ -498,7 +486,6 @@ 94.134.0.0/15 94.134.0.0/18 94.134.100.0/22 -94.134.104.0/21 94.134.112.0/21 94.134.120.0/24 94.134.121.0/24 @@ -509,9 +496,7 @@ 94.134.126.0/24 94.134.127.0/24 94.134.128.0/20 -94.134.144.0/22 -94.134.148.0/22 -94.134.152.0/21 +94.134.144.0/20 94.134.160.0/21 94.134.168.0/22 94.134.172.0/22 @@ -535,6 +520,7 @@ 94.134.93.0/24 94.134.94.0/24 94.134.95.0/24 +94.134.96.0/20 94.134.96.0/22 2001:1438:1000::/36 2001:1438:2000::/36 @@ -564,6 +550,7 @@ 2001:16b8:1200::/40 2001:16b8:1300::/40 2001:16b8:1400::/40 +2001:16b8:2000::/35 2001:16b8:2000::/40 2001:16b8:200::/40 2001:16b8:2100::/40 
@@ -581,14 +568,10 @@ 2001:16b8:2d00::/40 2001:16b8:2e00::/40 2001:16b8:300::/40 -2001:16b8:4000::/40 +2001:16b8:4000::/35 2001:16b8:400::/40 -2001:16b8:4100::/40 -2001:16b8:4200::/40 -2001:16b8:4300::/40 -2001:16b8:4500::/40 -2001:16b8:4600::/40 2001:16b8:500::/40 +2001:16b8:6000::/35 2001:16b8:6000::/40 2001:16b8:600::/40 2001:16b8:6100::/40 @@ -600,13 +583,16 @@ 2001:16b8:6700::/40 2001:16b8:6800::/40 2001:16b8:700::/40 +2001:16b8:8000::/36 2001:16b8:800::/40 +2001:16b8:9000::/36 2001:16b8:900::/40 2001:16b8::/32 +2001:16b8::/35 2001:16b8::/40 +2001:16b8:a000::/35 2001:16b8:a00::/40 2001:16b8:b00::/40 -2001:678:274::/48 2001:678:c74::/48 2001:67c:27ac::/48 2001:67c:2878::/48 From f3269ce979bff4ebb8616545e8447921ebd40a51 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 10 Dec 2023 16:57:19 +0100 Subject: [PATCH 448/996] bundle/wireguard: fix firewall for home.router --- bundles/wireguard/metadata.py | 4 +++- libs/s2s.py | 1 + 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/bundles/wireguard/metadata.py b/bundles/wireguard/metadata.py index f0600c3..ed5a8fa 100644 --- a/bundles/wireguard/metadata.py +++ b/bundles/wireguard/metadata.py @@ -226,7 +226,9 @@ def firewall(metadata): except NoSuchNode: # roadwarrior ports['{}/udp'.format(config['my_port'])] = atomic(set(metadata.get('wireguard/restrict-to', set()))) else: - ports['{}/udp'.format(config['my_port'])] = atomic({name}) + ports['{}/udp'.format(config['my_port'])] = atomic( + set(repo.libs.s2s.WG_AUTOGEN_SETTINGS.get(name, {}).get('firewall', set())) | {name} + ) return { 'firewall': { diff --git a/libs/s2s.py b/libs/s2s.py index eba4728..136a257 100644 --- a/libs/s2s.py +++ b/libs/s2s.py @@ -23,6 +23,7 @@ WG_AUTOGEN_NODES = [ WG_AUTOGEN_SETTINGS = { # special settings to apply when peering with a specific node 'home.router': { + 'firewall': {'versatel'}, 'no_autoconnect': True, 'persistent_keepalive': False, }, From 86b8cd8edf189a5e8e025b0b21475492ade15da6 Mon Sep 17 00:00:00 2001 
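Review bot: The allow-list for the peer's UDP port is now assembled from two unrelated sources — per-node metadata `wireguard/restrict-to` in the roadwarrior branch and the repo-level constant `WG_AUTOGEN_SETTINGS` in the s2s branch — and the new assignment gives no hint why a peer would ever need more than `{name}` opened. I would put a one-line comment above the new `ports[...] = atomic(` line, e.g. `# some peers reach us from an address that does not resolve from their node name; libs/s2s.py lists those extra sources per peer` (the reason is my inference from the commit title, so adjust the wording to the real one). `firewall()` starts before this hunk and its return statement continues after it.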
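Review bot: The new `'firewall': {'versatel'}` entry is a bare identifier with no indication of what kind of name it is (node, group, or something the firewall bundle resolves on its own) or on which side it takes effect; per the block comment these settings apply "when peering with" home.router, so the opening is granted on home.router's peers, not on home.router itself, which is easy to misread. I would add a comment on the new line, e.g. `# 'firewall': extra sources that peers of this node allow to reach their WireGuard port (same identifier form as node names) — TODO confirm how the firewall bundle resolves 'versatel'`. `WG_AUTOGEN_SETTINGS` continues past the end of this hunk.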
From: Franziska Kunsmann Date: Sun, 10 Dec 2023 15:19:41 +0100 Subject: [PATCH 449/996] bundles/wireguard: remove wg_health_check --- bundles/wireguard/items.py | 8 -------- bundles/wireguard/metadata.py | 37 ----------------------------------- 2 files changed, 45 deletions(-) diff --git a/bundles/wireguard/items.py b/bundles/wireguard/items.py index 6d4461a..0a270d1 100644 --- a/bundles/wireguard/items.py +++ b/bundles/wireguard/items.py @@ -35,14 +35,6 @@ for peer, config in sorted(node.metadata.get('wireguard/peers', {}).items()): }, } -files['/usr/local/bin/wg_health_check'] = { - 'content_type': 'mako', - 'context': { - 'peers': node.metadata.get('wireguard/health_checks'), - }, - 'mode': '0755', -} - if node.has_bundle('pppd'): files['/etc/ppp/ip-up.d/reconnect-wireguard'] = { 'source': 'pppd-ip-up', diff --git a/bundles/wireguard/metadata.py b/bundles/wireguard/metadata.py index ed5a8fa..3c055ba 100644 --- a/bundles/wireguard/metadata.py +++ b/bundles/wireguard/metadata.py @@ -306,40 +306,3 @@ def snat(metadata): }, }, } - - -@metadata_reactor.provides( - 'wireguard/health_checks', - 'systemd-timers/timers/wg-health-check', -) -def health_checks(metadata): - checks = {} - - for peer, config in metadata.get('wireguard/peers', {}).items(): - if ( - config.get('exclude_from_monitoring', False) - or not config.get('auto_connection', True) - or 'endpoint' not in config - ): - continue - - checks[peer] = config['their_ip'] - - if checks: - timer = { - 'wg-health-check': { - 'command': '/usr/local/bin/wg_health_check', - 'when': 'minutely', - }, - } - else: - timer = {} - - return { - 'systemd-timers': { - 'timers': timer, - }, - 'wireguard': { - 'health_checks': checks, - }, - } From 2fc8b125e32ed1dbea08720b585463f676895c29 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Tue, 12 Dec 2023 07:28:20 +0100 Subject: [PATCH 450/996] update forgejo to 1.21.2-0 --- nodes/carlene.toml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/nodes/carlene.toml b/nodes/carlene.toml index 1855e95..b05a76c 100644 --- a/nodes/carlene.toml +++ b/nodes/carlene.toml @@ -49,8 +49,8 @@ defaultCountryCode = "DE" jitsi.preferredDomain = "meet.ffmuc.net" [metadata.forgejo] -version = "1.21.1-0" -sha1 = "56299b3a89134fe832ad05593e5effab0515aed9" +version = "1.21.2-0" +sha1 = "6f433745af022741d767a2be013465ce00bf490f" domain = "git.franzi.business" enable_git_hooks = true install_ssh_key = true From 3cff203bec650d1f2eba61abb5dc0a50d9d0a8df Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Wed, 13 Dec 2023 19:55:04 +0100 Subject: [PATCH 451/996] update forgejo to 1.21.2-1 --- nodes/carlene.toml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/nodes/carlene.toml b/nodes/carlene.toml index b05a76c..1f9459d 100644 --- a/nodes/carlene.toml +++ b/nodes/carlene.toml @@ -49,8 +49,8 @@ defaultCountryCode = "DE" jitsi.preferredDomain = "meet.ffmuc.net" [metadata.forgejo] -version = "1.21.2-0" -sha1 = "6f433745af022741d767a2be013465ce00bf490f" +version = "1.21.2-1" +sha1 = "c5c392ed570f7888fba5aa2ce493fd26741649b2" domain = "git.franzi.business" enable_git_hooks = true install_ssh_key = true From eb30240dc3902a4a895d81736a34c088ee7ecf9b Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Wed, 13 Dec 2023 19:55:30 +0100 Subject: [PATCH 452/996] update paperless to 2.1.2 --- nodes/home/paperless.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nodes/home/paperless.py b/nodes/home/paperless.py index 6014d87..f5311c7 100644 --- a/nodes/home/paperless.py +++ b/nodes/home/paperless.py @@ -55,7 +55,7 @@ nodes['home.paperless'] = { }, }, 'paperless': { - 'version': 'v2.1.1', + 'version': 'v2.1.2', 'timezone': 'Europe/Berlin', }, 'postgresql': { From b22ee8aa303954d948f98590ee77d971a0219c82 Mon Sep 17 00:00:00 2001 
From: Sophie Schiller Date: Wed, 13 Dec 2023 21:31:51 +0100 Subject: [PATCH 453/996] miniserver: new stickers --- nodes/htz-cloud/miniserver.py | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/nodes/htz-cloud/miniserver.py b/nodes/htz-cloud/miniserver.py index 38175fe..86b169e 100644 --- a/nodes/htz-cloud/miniserver.py +++ b/nodes/htz-cloud/miniserver.py @@ -6,6 +6,7 @@ nodes['htz-cloud.miniserver'] = { 'hedgedoc', 'matrix-media-repo', 'matrix-synapse', + "matrix-stickerpicker", 'nodejs', 'ntfy', 'mautrix-telegram', @@ -127,6 +128,15 @@ nodes['htz-cloud.miniserver'] = { }, 'upload_max_mb': 500, }, + 'matrix-stickerpicker': { + # use this bot token for telegram import: encrypt$gAAAAABg4bcQVzBF_iXdDtjRQD-O37GHdbHwWXyhCLPOuJLbv3ezUeXKR203hkCXkjfItSHi4NiTEgQPadDZTRkavaRpvAoaQV1a4srCS_Y-NU4RiOmkrVFJ_Xhw6UZvwjQUQ0QPOx9t + 'domain': "matrix-stickers.sophies-kitchen.eu", + 'config': { + 'access_token': vault.decrypt('encrypt$gAAAAABg4btB0KGk068ahGZzR0w_Lm1bj1wUbB2WfNNs2bp3PwM4Ftp6MjQnrF-CejZfrF0NjPJw9Z4MrgileHP0sVw04mvgKSHfTf8gv4kTB6WuCIxHeMWHUDx00LTWL73fSlhCK0o1'), + 'homeserver': "https://matrix.sophies-kitchen.eu", + 'user_id': "@dimension:sophies-kitchen.eu", + }, + }, 'matrix-synapse': { 'server_name': 'sophies-kitchen.eu', 'baseurl': 'matrix.sophies-kitchen.eu', From 9a026b1fd902356cf52c3ec294879a555ac123ff Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Wed, 13 Dec 2023 21:02:36 +0100 Subject: [PATCH 454/996] dismantle gce nameservers, part 1 --- nodes/gce/bind01.py | 1 + nodes/gce/dns02.py | 1 + nodes/gce/dns03.py | 1 + 3 files changed, 3 insertions(+) diff --git a/nodes/gce/bind01.py b/nodes/gce/bind01.py index 7239082..986996d 100644 --- a/nodes/gce/bind01.py +++ b/nodes/gce/bind01.py @@ -3,6 +3,7 @@ nodes['gce.bind01'] = { 'hostname': '34.89.208.78', + 'dummy': True, 'groups': { 'debian-bullseye', 'dns', diff --git a/nodes/gce/dns02.py b/nodes/gce/dns02.py index 7eb1253..f1e8728 100644 --- a/nodes/gce/dns02.py +++ b/nodes/gce/dns02.py 
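Review bot: The comment above the new `matrix-stickerpicker` block parks a vault ciphertext (`# use this bot token for telegram import: encrypt$...`) that nothing in the node definition consumes, so it is neither tracked nor rotated nor removed together with the secrets that are actually wired up; either drop it or make it a real key such as `'telegram_bot_token': vault.decrypt('encrypt$…')` if the bundle accepts one (the bundle is not visible from here). The `access_token` for `@dimension:sophies-kitchen.eu` is decrypted into metadata like the other tokens in this file, which is consistent. Minor style: `"matrix-stickerpicker"` in the bundles set and the double-quoted `'domain'`/`'homeserver'` values break the single-quote convention of the surrounding lines.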
@@ -3,6 +3,7 @@ nodes['gce.dns02'] = { 'hostname': '35.187.109.249', + 'dummy': True, 'bundles': set(), 'groups': { 'debian-bullseye', diff --git a/nodes/gce/dns03.py b/nodes/gce/dns03.py index 14a87d7..83ae302 100644 --- a/nodes/gce/dns03.py +++ b/nodes/gce/dns03.py @@ -3,6 +3,7 @@ nodes['gce.dns03'] = { 'hostname': '35.228.143.71', + 'dummy': True, 'bundles': set(), 'groups': { 'debian-bullseye', From 5b19b2052d63637e148fc65e3bbd1bf9f80b1ed6 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Wed, 13 Dec 2023 21:22:45 +0100 Subject: [PATCH 455/996] remove rx300 leftovers --- .../jenkins-ci/files/ssh-keys/rx300.key.vault | 1 - data/jenkins-ci/files/ssh-keys/rx300.pub | 1 - .../rx300/homeserver_signing.key.vault | 1 - data/minecraft/files/rx300 | 59 ------------------- data/nginx/files/extras/rx300/franzi.business | 15 ----- .../files/extras/rx300/paste.franzi.business | 5 -- .../files/extras/rx300/wiki.franzi.business | 12 ---- 7 files changed, 94 deletions(-) delete mode 100644 data/jenkins-ci/files/ssh-keys/rx300.key.vault delete mode 100644 data/jenkins-ci/files/ssh-keys/rx300.pub delete mode 100644 data/matrix-synapse/rx300/homeserver_signing.key.vault delete mode 100644 data/minecraft/files/rx300 delete mode 100644 data/nginx/files/extras/rx300/franzi.business delete mode 100644 data/nginx/files/extras/rx300/paste.franzi.business delete mode 100644 data/nginx/files/extras/rx300/wiki.franzi.business diff --git a/data/jenkins-ci/files/ssh-keys/rx300.key.vault b/data/jenkins-ci/files/ssh-keys/rx300.key.vault deleted file mode 100644 index e56190a..0000000 --- a/data/jenkins-ci/files/ssh-keys/rx300.key.vault +++ /dev/null 
@@ -1 +0,0 @@ -encrypt$gAAAAABg6vNNuCZcmhH52dQDiD4ePsbXhz0kHSjqX3yduJ6E5NylWEdKNtjtrfc9bu1WNnDBO0YpsqxIeax2u1xc6gstohVfbu2MgwGJKpA7J5Py6xiQL82YKJcwV7k0EZ7ilWbqlzXuSDh40KG3GWOTPiw_CbsbDEpCU09x1hUs1_0BTPAU6ln4t7ync7ZjFZf_vRBTlrnZWchzXoSwppzedAZeaptfhMWn_-8oARoYvxJf3pkmTSGjovNMvDak_sscq_M2rldng6_oboR4iTo_6eY6bpCjEGD3xMeSzLhDZsJ4c0l9bZBDef-NRWA7Ewptc4KYKVvzKlgyrByqSV8TCmYn4aBgOusv-VAW3VqKg2rHi3nq5L50zkPwWmHC6_rdtIS-pAlnR5A0HJYdXGyf2eQSq3UkrZA3BIFlqUWrvS8aTWxp9CUL5C9oRGpL8P3fVfExiqhmcLGamHZb1Y2kjxX8EMcSCRLgiVO9DwIpXlEm86HfgVcXaL0wpibM32PD0sspOPILThE5P9WETGhpFAWDkWR0WaYQjZuAVlXTtk8tgdh0vC2auQl2pEVbvvnZaa04Ohp2QgE3AJLg3tdekLciwCQmPm0bpX8xYvJ49vNWG-SCaAlLHzLVIMFXFY53-SBOHYnE \ No newline at end of file diff --git a/data/jenkins-ci/files/ssh-keys/rx300.pub b/data/jenkins-ci/files/ssh-keys/rx300.pub deleted file mode 100644 index 55ce7ec..0000000 --- a/data/jenkins-ci/files/ssh-keys/rx300.pub +++ /dev/null @@ -1 +0,0 @@ -ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHZnYhsdtGUYJiFcvfqTLljGkInnFTOoDF/WZniLtPjH diff --git a/data/matrix-synapse/rx300/homeserver_signing.key.vault b/data/matrix-synapse/rx300/homeserver_signing.key.vault deleted file mode 100644 index 120737d..0000000 --- a/data/matrix-synapse/rx300/homeserver_signing.key.vault +++ /dev/null @@ -1 +0,0 @@ -encrypt$gAAAAABeiaEqyvC5b9qRtL9I760dD51BJ9ZMKjofyORoSedhjqfHM0Pp-x_UECvoZgrtY8dgcq0Ste27YlSofnPwLM6Jr6wXfNX-Ih8WZD7hV6yQdEQ6wmj2FYilmMknGdQ_yVnu5TRe_malgW78n6hRQc7DsdsEfw== \ No newline at end of file diff --git a/data/minecraft/files/rx300 b/data/minecraft/files/rx300 deleted file mode 100644 index 19e41fe..0000000 --- a/data/minecraft/files/rx300 +++ /dev/null 
@@ -1,59 +0,0 @@ -#Minecraft server properties -#Sun Nov 06 13:56:13 UTC 2022 -allow-flight=true -allow-nether=true -broadcast-console-to-ops=true -broadcast-rcon-to-ops=true -debug=false -difficulty=easy -enable-command-block=false -enable-jmx-monitoring=true -enable-query=false -enable-rcon=true -enable-status=true -enforce-secure-profile=true -enforce-whitelist=true -entity-broadcast-range-percentage=100 -force-gamemode=false -function-permission-level=2 -gamemode=creative -generate-structures=true -generator-settings={} -hardcore=false -hide-online-players=false -level-name=/home/minecraft/world -level-seed= -level-type=minecraft\:normal -max-chained-neighbor-updates=1000000 -max-players=20 -max-tick-time=60000 -max-world-size=29999984 -motd=CutieMC -network-compression-threshold=256 -online-mode=true -op-permission-level=4 -player-idle-timeout=0 -prevent-proxy-connections=false -previews-chat=false -pvp=true -query.port=25565 -rate-limit=0 -rcon.password= -rcon.port=25575 -require-resource-pack=false -resource-pack-prompt= -resource-pack-sha1= -resource-pack= -server-ip= -server-port=25565 -simulation-distance=10 -snooper-enabled=false -spawn-animals=true -spawn-monsters=false -spawn-npcs=true -spawn-protection=16 -sync-chunk-writes=true -text-filtering-config= -use-native-transport=true -view-distance=32 -white-list=true diff --git a/data/nginx/files/extras/rx300/franzi.business b/data/nginx/files/extras/rx300/franzi.business deleted file mode 100644 index 472d106..0000000 --- a/data/nginx/files/extras/rx300/franzi.business +++ /dev/null @@ -1,15 +0,0 @@ - gzip on; - gzip_vary on; - gzip_min_length 10240; - gzip_proxied expired no-cache no-store private auth; - gzip_types text/plain text/css text/xml text/javascript application/x-javascript application/xml image/svg+xml; - - location /css/ { - expires 7d; - add_header Cache-Control "public, no-transform"; - } - - location /img/ { - expires 30d; - add_header Cache-Control "public, no-transform"; - } 
diff --git a/data/nginx/files/extras/rx300/paste.franzi.business b/data/nginx/files/extras/rx300/paste.franzi.business deleted file mode 100644 index 93f035d..0000000 --- a/data/nginx/files/extras/rx300/paste.franzi.business +++ /dev/null @@ -1,5 +0,0 @@ - autoindex on; - - location = / { - autoindex off; - } diff --git a/data/nginx/files/extras/rx300/wiki.franzi.business b/data/nginx/files/extras/rx300/wiki.franzi.business deleted file mode 100644 index cc1fc01..0000000 --- a/data/nginx/files/extras/rx300/wiki.franzi.business +++ /dev/null @@ -1,12 +0,0 @@ - location ~ /(data|conf|bin|inc|vendor)/ { - deny all; - } - - location / { try_files $uri $uri/ @dokuwiki; } - - location @dokuwiki { - rewrite ^/_media/(.*) /lib/exe/fetch.php?media=$1 last; - rewrite ^/_detail/(.*) /lib/exe/detail.php?media=$1 last; - rewrite ^/_export/([^/]+)/(.*) /doku.php?do=export_$1&id=$2 last; - rewrite ^/(.*) /doku.php?id=$1&$args last; - } From 24373d0ac99b76036652558b158b1a47f9151682 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sat, 16 Dec 2023 10:19:33 +0100 Subject: [PATCH 456/996] bundles/icinga2: 15min downtime is enough for unattended upgrades --- bundles/icinga2/items.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/bundles/icinga2/items.py b/bundles/icinga2/items.py index fd51b34..607d098 100644 --- a/bundles/icinga2/items.py +++ b/bundles/icinga2/items.py @@ -385,7 +385,7 @@ for rnode in sorted(repo.nodes): 'host': rnode.name, 'comment': f'Downtime for upgrade-and-reboot of node {rnode.name}', 'times': { - DAYS_TO_STRING[day%7]: f'{hour}:{minute}-{hour}:{minute+30}', + DAYS_TO_STRING[day%7]: f'{hour}:{minute}-{hour}:{minute+15}', }, }) elif ( @@ -401,7 +401,7 @@ for rnode in sorted(repo.nodes): 'host': rnode.name, 'comment': f'Downtime for upgrade-and-reboot of node {rnode.name}', 'times': { - DAYS_TO_STRING[day%7]: f'{hour}:{minute}-{hour}:{minute+30}', + DAYS_TO_STRING[day%7]: f'{hour}:{minute}-{hour}:{minute+15}', }, }) 
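Review bot: `f'{hour}:{minute}-{hour}:{minute+15}'` (same line in both hunks) overflows the minute field whenever `minute` is 45 or more, producing a range such as `3:50-3:65`; the previous `+30` had the same defect for `minute >= 30`, so shortening the window narrows it but does not close it. `hour` and `minute` are computed before this hunk, so if they are constrained to values below 45 this is moot, but an explicit carry is cheap: `end = hour * 60 + minute + 15` and `f'{hour}:{minute}-{end // 60}:{end % 60}'` (a wrap past 23:xx would still need its own handling). Whether Icinga's range parser wants zero-padded minutes I cannot tell from here, so the existing unpadded format is kept.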
From b11fece803bc21e6e34874680a4bb57976660d79 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sat, 16 Dec 2023 10:23:44 +0100 Subject: [PATCH 457/996] EOL GCE --- bundles/gce-workaround/items.py | 33 ---------------------------- bundles/icinga2/items.py | 21 +++++++----------- groups/locations.py | 35 ----------------------------- nodes/carlene.toml | 1 - nodes/gce/bind01.py | 38 -------------------------------- nodes/gce/dns02.py | 39 --------------------------------- nodes/gce/dns03.py | 39 --------------------------------- 7 files changed, 8 insertions(+), 198 deletions(-) delete mode 100644 bundles/gce-workaround/items.py delete mode 100644 nodes/gce/bind01.py delete mode 100644 nodes/gce/dns02.py delete mode 100644 nodes/gce/dns03.py diff --git a/bundles/gce-workaround/items.py b/bundles/gce-workaround/items.py deleted file mode 100644 index 583e055..0000000 --- a/bundles/gce-workaround/items.py +++ /dev/null @@ -1,33 +0,0 @@ -svc_systemd = {} -pkg_apt = {} - -for i in { - 'gce-disk-expand', - 'google-cloud-packages-archive-keyring', - 'google-cloud-sdk', - 'google-compute-engine', - 'google-compute-engine-oslogin', - 'google-guest-agent', - 'google-osconfig-agent', -}: - pkg_apt[i] = { - 'installed': False, - } - -for i in { - 'google-accounts-daemon.service', - 'google-accounts-manager.service', - 'google-clock-skew-daemon.service', - 'google-clock-sync-manager.service', - 'google-guest-agent.service', - 'google-osconfig-agent.service', - 'google-shutdown-scripts.service', - 'google-startup-scripts.service', - 'sshguard.service', - - 'google-oslogin-cache.timer', -}: - svc_systemd[i] = { - 'enabled': False, - 'running': False, - } diff --git a/bundles/icinga2/items.py b/bundles/icinga2/items.py index 607d098..2632de2 100644 --- a/bundles/icinga2/items.py +++ b/bundles/icinga2/items.py 
@@ -335,19 +335,14 @@ for rnode in sorted(repo.nodes): host_ips = repo.libs.tools.resolve_identifier(repo, rnode.name, only_physical=True) icinga_ips = {} - # XXX for the love of god, PLEASE remove this once DNS is no longer - # hosted at GCE - if rnode.in_group('gce'): - icinga_ips['ipv4'] = rnode.metadata.get('external_ipv4') - else: - for ip_type in ('ipv4', 'ipv6'): - for ip in sorted(host_ips[ip_type]): - if ip.is_private and not ip.is_link_local: - icinga_ips[ip_type] = str(ip) - break - else: - if host_ips[ip_type]: - icinga_ips[ip_type] = sorted(host_ips[ip_type])[0] + for ip_type in ('ipv4', 'ipv6'): + for ip in sorted(host_ips[ip_type]): + if ip.is_private and not ip.is_link_local: + icinga_ips[ip_type] = str(ip) + break + else: + if host_ips[ip_type]: + icinga_ips[ip_type] = sorted(host_ips[ip_type])[0] if not icinga_ips: raise ValueError(f'{rnode.name} requests monitoring, but has neither IPv4 nor IPv6 addresses!') diff --git a/groups/locations.py b/groups/locations.py index d60eccc..a3738a6 100644 --- a/groups/locations.py +++ b/groups/locations.py @@ -1,38 +1,3 @@ -groups['gce'] = { - 'bundles': { - 'gce-workaround', - }, - 'member_patterns': { - r"gce\..*", - }, - 'metadata': { - 'hosts': { - 'entries': { - '169.254.169.254': { - 'metadata.google.internal', - }, - }, - }, - 'location': 'gce', - 'nameservers': { - '8.8.8.8', - '8.8.4.4', - }, - 'postfix': { - # It's fine to do this without authentificating to the relayhost. - # These Systems are not supposed to send mail anywhere else - # than our own domains. - 'relayhost': '[mail.franzi.business]:2525', - }, - 'sysctl': { - 'options': { - 'net.ipv6.conf.all.disable_ipv6': '1', - 'net.ipv6.conf.default.disable_ipv6': '1', - }, - }, - }, -} - groups['htz'] = { 'subgroup_patterns': { r'htz\-.+', diff --git a/nodes/carlene.toml b/nodes/carlene.toml index 1f9459d..8f0372a 100644 --- a/nodes/carlene.toml +++ b/nodes/carlene.toml 
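Review bot: In the de-indented loop the private-address branch stores `str(ip)` while the `for … else` fallback stores the raw address object from `sorted(host_ips[ip_type])[0]`, so `icinga_ips` mixes strings and `ipaddress` objects depending on which branch ran; removing the GCE special case leaves this as-is. Downstream use is outside the hunk, so this may be harmless if the value is only ever rendered via `str()`, but `icinga_ips[ip_type] = str(sorted(host_ips[ip_type])[0])` removes the ambiguity, and hoisting `addrs = sorted(host_ips[ip_type])` before the inner loop avoids sorting twice. The enclosing `for rnode in sorted(repo.nodes)` loop starts before the hunk and continues after it.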
@@ -184,7 +184,6 @@ packages = [ [metadata.postfix] message_size_limit_mb = 100 myhostname = "mail.franzi.business" -mynetworks = ["gce"] [metadata.postfixadmin] domain = "postfixadmin.franzi.business" diff --git a/nodes/gce/bind01.py b/nodes/gce/bind01.py deleted file mode 100644 index 986996d..0000000 --- a/nodes/gce/bind01.py +++ /dev/null @@ -1,38 +0,0 @@ -# ns-1.kunbox.net -# Frankfurt, Germany - -nodes['gce.bind01'] = { - 'hostname': '34.89.208.78', - 'dummy': True, - 'groups': { - 'debian-bullseye', - 'dns', - }, - 'metadata': { - 'backups': { - 'exclude_from_backups': True, - }, - 'interfaces': { - 'ens4': { - 'ips': { - '10.156.0.4', - }, - 'gateway4': '10.156.0.1', - }, - }, - 'external_ipv4': '34.89.208.78', - 'icinga_options': { - 'pretty_name': 'ns-1.kunbox.net', - }, - 'postgresql': { - 'version': '15', - }, - 'powerdns': { - 'my_hostname': 'ns-1.kunbox.net', - }, - 'vm': { - 'cpu': 1, - 'ram': 1, - }, - }, -} diff --git a/nodes/gce/dns02.py b/nodes/gce/dns02.py deleted file mode 100644 index f1e8728..0000000 --- a/nodes/gce/dns02.py +++ /dev/null @@ -1,39 +0,0 @@ -# ns-2.kunbox.net -# Belgium - -nodes['gce.dns02'] = { - 'hostname': '35.187.109.249', - 'dummy': True, - 'bundles': set(), - 'groups': { - 'debian-bullseye', - 'dns', - }, - 'metadata': { - 'interfaces': { - 'ens4': { - 'ips': { - '10.132.0.2', - }, - 'gateway4': '10.132.0.1', - }, - }, - 'external_ipv4': '35.187.109.249', - 'icinga_options': { - 'pretty_name': 'ns-2.kunbox.net', - }, - 'backups': { - 'exclude_from_backups': True, - }, - 'postgresql': { - 'version': '15', - }, - 'powerdns': { - 'my_hostname': 'ns-2.kunbox.net', - }, - 'vm': { - 'cpu': 1, - 'ram': 1, - }, - }, -} diff --git a/nodes/gce/dns03.py b/nodes/gce/dns03.py deleted file mode 100644 index 83ae302..0000000 --- a/nodes/gce/dns03.py +++ /dev/null 
@@ -1,39 +0,0 @@ -# ns-3.kunbox.net -# Finland - -nodes['gce.dns03'] = { - 'hostname': '35.228.143.71', - 'dummy': True, - 'bundles': set(), - 'groups': { - 'debian-bullseye', - 'dns', - }, - 'metadata': { - 'interfaces': { - 'ens4': { - 'ips': { - '10.166.0.2', - }, - 'gateway4': '10.166.0.1', - }, - }, - 'external_ipv4': '35.228.143.71', - 'icinga_options': { - 'pretty_name': 'ns-3.kunbox.net', - }, - 'backups': { - 'exclude_from_backups': True, - }, - 'postgresql': { - 'version': '15', - }, - 'powerdns': { - 'my_hostname': 'ns-3.kunbox.net', - }, - 'vm': { - 'cpu': 1, - 'ram': 1, - }, - }, -} From 50bc26deaffdd2e8873359cb9fa26b309946944b Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sat, 16 Dec 2023 10:41:26 +0100 Subject: [PATCH 458/996] kunsi-p14s: use net.ifnames=0 --- nodes/kunsi-p14s.py | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/nodes/kunsi-p14s.py b/nodes/kunsi-p14s.py index 9f66fc0..d0432e0 100644 --- a/nodes/kunsi-p14s.py +++ b/nodes/kunsi-p14s.py @@ -69,12 +69,12 @@ nodes['kunsi-p14s'] = { 'forward': { '50-routing': [ 'ct state { related, established } accept', - 'oifname wlp2s0 accept', + 'oifname wlan0 accept', ], }, 'postrouting': { '50-routing': [ - 'oifname wlp2s0 masquerade', + 'oifname wlan0 masquerade', ], }, }, @@ -135,8 +135,9 @@ nodes['kunsi-p14s'] = { '/initramfs-linux.img', ], 'options': { - 'zfs=zroot/system/root', + 'net.ifnames=0', 'rw', + 'zfs=zroot/system/root', }, }, 'arch-fallback': { @@ -146,8 +147,9 @@ nodes['kunsi-p14s'] = { '/initramfs-linux-fallback.img', ], 'options': { - 'zfs=zroot/system/root', + 'net.ifnames=0', 'rw', + 'zfs=zroot/system/root', }, }, }, From 8435b2401fe3c6f46605b8665996c5509004bd41 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sat, 16 Dec 2023 12:09:09 +0100 Subject: [PATCH 459/996] update netbox to 3.6.7 --- nodes/carlene.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/nodes/carlene.toml b/nodes/carlene.toml index 8f0372a..e9d0ae5 100644 --- a/nodes/carlene.toml +++ b/nodes/carlene.toml @@ -121,7 +121,7 @@ domain = "rss.franzi.business" [metadata.netbox] domain = "netbox.franzi.business" -version = "v3.6.6" +version = "v3.6.7" admins.kunsi = "hostmaster@kunbox.net" [metadata.nextcloud] From 8ca2cfeeb2f1e4ea447afc240951471dff52adfa Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sat, 16 Dec 2023 12:10:54 +0100 Subject: [PATCH 460/996] update paperless-ngx to 2.1.3 --- nodes/home/paperless.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nodes/home/paperless.py b/nodes/home/paperless.py index f5311c7..5cc39fb 100644 --- a/nodes/home/paperless.py +++ b/nodes/home/paperless.py @@ -55,7 +55,7 @@ nodes['home.paperless'] = { }, }, 'paperless': { - 'version': 'v2.1.2', + 'version': 'v2.1.3', 'timezone': 'Europe/Berlin', }, 'postgresql': { From 2fddfcd4ff61dadf7e958df5e6aa9efc4f01558a Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Mon, 18 Dec 2023 06:53:52 +0100 Subject: [PATCH 461/996] update mautrix-whatsapp to 0.10.5 --- nodes/carlene.toml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/nodes/carlene.toml b/nodes/carlene.toml index e9d0ae5..df70876 100644 --- a/nodes/carlene.toml +++ b/nodes/carlene.toml @@ -109,8 +109,8 @@ provisioning.shared_secret = "!decrypt:encrypt$gAAAAABfVKflEMAi07C_QGP8cy97hF-4g "'@kunsi:franzi.business'" = "admin" [metadata.mautrix-whatsapp] -version = "v0.10.4" -sha1 = "a07bc0d52ffa53130d285aaca309d42798e17f1a" +version = "v0.10.5" +sha1 = "4d7d0243a77587c3fa060788eb2bcc93ea5cb6b3" permissions."'@kunsi:franzi.business'" = "admin" [metadata.mautrix-whatsapp.homeserver] domain = "franzi.business" From 08628f47217e6e5d071cb241ad6ab560f74bfe45 Mon Sep 17 00:00:00 2001 
From: Franziska Kunsmann Date: Mon, 18 Dec 2023 09:13:41 +0100 Subject: [PATCH 462/996] voc.infobeamer-cms: 37C3 --- nodes/voc/infobeamer-cms.py | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/nodes/voc/infobeamer-cms.py b/nodes/voc/infobeamer-cms.py index 2804d2c..ffc504d 100644 --- a/nodes/voc/infobeamer-cms.py +++ b/nodes/voc/infobeamer-cms.py @@ -24,8 +24,8 @@ nodes['voc.infobeamer-cms'] = { }, 'infobeamer-cms': { 'domain': 'infobeamer.c3voc.de', - 'event_start_date': '2023-08-15', - 'event_duration_days': 5, + 'event_start_date': '2023-12-27', + 'event_duration_days': 4, 'config': { 'ADMIN_USERS': [ 'hexchen', @@ -43,7 +43,7 @@ nodes['voc.infobeamer-cms'] = { 'MQTT_TOPIC': '/voc/alert', 'MQTT_USERNAME': vault.decrypt('encrypt$gAAAAABhxakKHC_kHmHP2mFHorb4niuNTH4F24w1D6m5JUxl117N7znlZA6fpMmY3_NcmBr2Ihw4hL3FjZr9Fm_1oUZ1ZQdADA=='), 'SETUP_IDS': [ - 242962, + 245793, ], # 'EXTRA_ASSETS': [{ # 'type': "image", From 3ea9da16e85d763236808ca30f58aa2d456eed9e Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Mon, 18 Dec 2023 10:12:17 +0100 Subject: [PATCH 463/996] voc.infobeamer-cms: add all rooms and interrupts --- nodes/voc/infobeamer-cms.py | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/nodes/voc/infobeamer-cms.py b/nodes/voc/infobeamer-cms.py index ffc504d..d9ed6f3 100644 --- a/nodes/voc/infobeamer-cms.py +++ b/nodes/voc/infobeamer-cms.py 
@@ -37,6 +37,7 @@ nodes['voc.infobeamer-cms'] = { 'GITHUB_CLIENT_ID': vault.decrypt('encrypt$gAAAAABiNwHfIu9PYFfJrF7qirn_9vdvvUlEhJnadoNSS5XlCDbI_aMyj21_ZYQxaCkc6_eVX6Cj1jEHZ7Vs6wM-XyQdW0nUOahtqG4uvnYCiM3GFKHW_wQ='), 'GITHUB_CLIENT_SECRET': vault.decrypt('encrypt$gAAAAABiNwHtdZC2XQ8IjosL7vsmrxZMwDIM6AD5dUlLo996tJs4qV7KJETHgYYZil2aMzClwhcE6JmxdhARRp7IJQ4rQQibelTNmyYSzj_V4puVpvma7SU0UZkTIG95SdPpoHY--Zba'), 'HOSTED_API_KEY': vault.decrypt('encrypt$gAAAAABhxJPH2sIGMAibU2Us1HoCVlNfF0SQQnVl0eiod48Zu8webL_-xk3wDw3yXw1Hkglj-2usl-D3Yd095yTSq0vZMCv2fh-JWwSPdJewQ45x9Ai4vXVD4CNz5vuJBESKS9xQWXTc'), + 'INTERRUPT_KEY': vault.human_password_for('infobeamer-cms interrupt key'), 'MQTT_MESSAGE': '{{"level":"info","component":"infobeamer-cms","msg":"{asset} uploaded by {user}. Check it at {url}"}}', 'MQTT_PASSWORD': vault.decrypt('encrypt$gAAAAABhxakfhhwWn0vxhoO1FiMEpdCkomWvo0dHIuBrqDKav8WDpI6dXpb0hoXiWRsPV6p5m-8RlbfFbjPhz47AY-nFOOAAW6Yis3-IVD-U-InKJo9dvms='), 'MQTT_SERVER': 'mqtt.c3voc.de', @@ -56,7 +57,16 @@ nodes['voc.infobeamer-cms'] = { # }], }, 'rooms': { - 'infobeamer stream': 23541, + 'Saal 1': 22027, + 'Saal G': 26598, + 'Saal Z': 26610, + 'Saal E (SoS/Lightning-Talks)': 32814, + 'Saal F (Sendezentrum/DLF)': 9717, + 'kunsi-dev': 28068, + }, + 'interrupts': { + 'Questions': 'questions', + 'Translations': 'translations', }, }, 'nginx': { From 41d909f34d5cc3c5f0c936e8cd82eb5e6ee8d801 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Tue, 19 Dec 2023 07:48:14 +0100 Subject: [PATCH 464/996] update travelynx to 2.5.3 --- nodes/carlene.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nodes/carlene.toml b/nodes/carlene.toml index df70876..4b4d8c3 100644 --- a/nodes/carlene.toml +++ b/nodes/carlene.toml @@ -237,7 +237,7 @@ disks = [ ] [metadata.travelynx] -version = "2.5.1" +version = "2.5.3" mail_from = "travelynx@franzi.business" domain = "travelynx.franzi.business" # the old one from rx300, XXX remove 2024-01-01 
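Review bot: `INTERRUPT_KEY` is generated with `vault.human_password_for`, which (going by its name, next to the `vault.decrypt` calls used for the other API credentials) yields a human-memorable and therefore lower-entropy secret; a key that is only pasted into device or API configuration does not need to be memorable, so `vault.password_for('infobeamer-cms interrupt key')` would give a longer random value at no cost. If the key is in fact typed by hand by operators on site, keep it and say so on the line, e.g. `# human-readable on purpose: typed in by hand at the event`. How the bundle hands `INTERRUPT_KEY` to the info-beamer devices is outside this hunk.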
From 005804d839d73d47f55b51ed6bed3391b1743c4d Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 24 Dec 2023 12:10:16 +0100 Subject: [PATCH 465/996] voc.infobeamer-cms: remove device kunsi-dev --- nodes/voc/infobeamer-cms.py | 1 - 1 file changed, 1 deletion(-) diff --git a/nodes/voc/infobeamer-cms.py b/nodes/voc/infobeamer-cms.py index d9ed6f3..5da8e79 100644 --- a/nodes/voc/infobeamer-cms.py +++ b/nodes/voc/infobeamer-cms.py @@ -62,7 +62,6 @@ nodes['voc.infobeamer-cms'] = { 'Saal Z': 26610, 'Saal E (SoS/Lightning-Talks)': 32814, 'Saal F (Sendezentrum/DLF)': 9717, - 'kunsi-dev': 28068, }, 'interrupts': { 'Questions': 'questions', From 9cf5fa2e5f7455a1bfd2b29fd2630ed0b3acde81 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Mon, 25 Dec 2023 10:11:18 +0100 Subject: [PATCH 466/996] ssl: bump home.kunbox.net --- data/ssl/_.home.kunbox.net.crt.pem | 38 ++++++++++++------------ data/ssl/_.home.kunbox.net.key.pem.vault | 2 +- 2 files changed, 20 insertions(+), 20 deletions(-) diff --git a/data/ssl/_.home.kunbox.net.crt.pem b/data/ssl/_.home.kunbox.net.crt.pem index 547ddbe..b92f7c2 100644 --- a/data/ssl/_.home.kunbox.net.crt.pem +++ b/data/ssl/_.home.kunbox.net.crt.pem 
@@ -1,26 +1,26 @@ -----BEGIN CERTIFICATE----- -MIIEUDCCAzigAwIBAgISBBhjMERhSG5b8U7eIAlaGWn/MA0GCSqGSIb3DQEBCwUA +MIIEUTCCAzmgAwIBAgISA3fDQ6qgGojGPTrT+xkvOAX/MA0GCSqGSIb3DQEBCwUA MDIxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQD -EwJSMzAeFw0yMzEwMDExMzU3MDFaFw0yMzEyMzAxMzU3MDBaMBoxGDAWBgNVBAMT -D2hvbWUua3VuYm94Lm5ldDB2MBAGByqGSM49AgEGBSuBBAAiA2IABBfSWUJQ54y3 -xvd2UUSVUPA3KBN58D5QekHsen2sREg5fCRrl7gboO7OhDUQ6KZPbhiLfk4G7Ezy -DTkNRBmwYA4Qi1fTiwjMKkk1QI6jjaB0x3e01y2CkxvNRfoLRcS7a6OCAiQwggIg +EwJSMzAeFw0yMzEyMjUwODEwMTdaFw0yNDAzMjQwODEwMTZaMBoxGDAWBgNVBAMT +D2hvbWUua3VuYm94Lm5ldDB2MBAGByqGSM49AgEGBSuBBAAiA2IABLd8zNhUwPxn +xgUYaXNOKKUcgvN5XujyK6ZqZc4qPv6C4V7jw65dgS+ztnB0RaMPnX9Q/I4VjFm3 +tv1A8f6WFQWdHy7eu4JInDlk6//u3TFqxsb+1RKLhdjfAckGjZGE8KOCAiUwggIh MA4GA1UdDwEB/wQEAwIHgDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIw -DAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQU5V6aws5mTQy1PxpjO3m4igx9rtswHwYD +DAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQURN7w27lwahJ3sktccheUYRZ2AV0wHwYD VR0jBBgwFoAUFC6zF7dYVsuuUAlA5h+vnYsUwsYwVQYIKwYBBQUHAQEESTBHMCEG CCsGAQUFBzABhhVodHRwOi8vcjMuby5sZW5jci5vcmcwIgYIKwYBBQUHMAKGFmh0 dHA6Ly9yMy5pLmxlbmNyLm9yZy8wLQYDVR0RBCYwJIIRKi5ob21lLmt1bmJveC5u -ZXSCD2hvbWUua3VuYm94Lm5ldDATBgNVHSAEDDAKMAgGBmeBDAECATCCAQQGCisG -AQQB1nkCBAIEgfUEgfIA8AB2ALc++yTfnE26dfI5xbpY9Gxd/ELPep81xJ4dCYEl -7bSZAAABiuu+JUUAAAQDAEcwRQIhAMPnv6DVVfV3i+ocaTnc6TQhimNLQYmb3CVd -oEwKNlAQAiAc6YfUB1LpdWybMR7inRrI6jxmYyna1KWk+FAQWvDTGgB2AHoyjFTY -ty22IOo44FIe6YQWcDIThU070ivBOlejUutSAAABiuu+JVIAAAQDAEcwRQIgMf8n -M3Moi4M+gY3zoGtENnO6Eb9SzDBvbIc2PiroSgwCIQDSgbI+iTbBoG1CMykpeuzW -e24rm4+5GLZwELWuJ0w58jANBgkqhkiG9w0BAQsFAAOCAQEAlPtNavaIzvXkGK3k -gvBr2UkE69d9n8xjhaAPrSS2Nsqp+k8ze9Z+QN0+x52UwEqyZ5X2LjpM3fxsdiQo -MemNJjDpYJZLTBU6N1JpA2QbEUKQCo1hyhNo6pdy8zNehRYb4sxjr6RWo4XlM2FO -gbFoJzWezy6fM21vI/DmF2wKhlL1hmauyd6Lb7JBRkrykGuTSdKjtRJUNJtGhjkG -++NnaVHFV4D38EJOOqW56p+MtCxjS/zGjj1VV0D9iocIUmvau5aaaE55lNl8X2G8 -ycZ54g08rbiSv1NWLfbQ1pZwr+nhiAtuMncBeUgnyaRp079tcOLejbwKpgvxfxSm -6w2QHw== 
+ZXSCD2hvbWUua3VuYm94Lm5ldDATBgNVHSAEDDAKMAgGBmeBDAECATCCAQUGCisG +AQQB1nkCBAIEgfYEgfMA8QB3ADtTd3U+LbmAToswWwb+QDtn2E/D9Me9AA0tcm/h ++tQXAAABjKA9PVgAAAQDAEgwRgIhAJTQNSRZeyHIjGgBh6bH6C3zl9/lPPJYoBj/ +piq8PF+gAiEA9PRMavdrkuYcayG5D17gWuUVTJH4s3QGexGZauTxQw8AdgB2/4g/ +Crb7lVHCYcz1h7o0tKTNuyncaEIKn+ZnTFo6dAAAAYygPT2XAAAEAwBHMEUCIBsW +QqOo9FBoU6mG8iMLIelS/mQhq6QfqImz9VehT5qbAiEAy80PWrDKlUqfKqf1mEEo +G++YOxg7ZP3I9riN6vUu6a8wDQYJKoZIhvcNAQELBQADggEBAKnevUCPEKOBYX/W +PQhioiixJeflWQyabArVdIbKrfVtSCvcp7Mb12u4z9vlXsR/4KIu5E1tbW8vunhG +97j00KsWdFoH2YAlccVE220IYoU1V/7bPFPNrHviKNiku4TUSPpH+vt+inE+3xG+ +Bpw++vG7L3c92LrW0fexfGYXUmv40fkudC/BROmdQYmpdTHq26zRaW+VcBDrAQe6 +6oagF8rnXO9aS41KeFhNDrqN2PKd9oLAdkrJ5wfeadAMeNso2v/83FqXnDOVoXZU +6Vot6e74FGb9MLuzszh1NeKVBsFwAYHTIstAlNuer50LVRq3mnQrbpCdHCphmppE +ddB3rTM= -----END CERTIFICATE----- diff --git a/data/ssl/_.home.kunbox.net.key.pem.vault b/data/ssl/_.home.kunbox.net.key.pem.vault index 983d6d5..80865d5 100644 --- a/data/ssl/_.home.kunbox.net.key.pem.vault +++ b/data/ssl/_.home.kunbox.net.key.pem.vault 
@@ -1 +1 @@ -encrypt$gAAAAABlGYjCaSTuBPkMzru_0lYu_y7mVE3F_7MKAdc1NcayBOGZmtEL9c0SY57yWWZCvJRNki7nnkYnbd4Um4HfEMwJgibbQZVGX9OOo9YWkKcka-dZ_qIFAKS8AIrtjrqadMfNW0zGmBLVCjBK0WhgLTDbcbIeUW7oToy6bq3LUDW3T1sORDiiQp5ejISSTSFLD2XKsCmfBDpFaUR9O6bI32-pDDweq2ZI9S5KKPinrSjeCxbzSCGa1ILszs1lLbw2vsXQWgndTSmqdbAIXykGkHl1JxXGG3DyXf7ldezu1vEJvmaii2OSsjG0pPx40mrf1JQ1vh5h48a5Eis7w_F4YDCyUqnl8FvMKSGs3rZmUORVETal82x9_LimpCdm7i_Q1C3aUj--UN7GRqrNCG2dyl61qt8RkelGnteyWfhcQVSNHZFiL4nt7CirryVO0uB3yNztdsRjvjEgU2X9tAVu9iBdkfHLhw== \ No newline at end of file +encrypt$gAAAAABliUb76xBCh-ySEK5S2LUthvW7ySEIC63Z9jpoylEbplGh-Jbs7n0MEJWTa7MkN4Ke6vqB10VtkFjvHOJxoXaQDlb856YdCWbQuFxoHw3qdWBYUJ2zYisFo81TbiO07Brzdk-bD3IfedUUOjD7jNnp50GWp3i5ZEvsmpN38G1StzOBqTmrYYUePCLRo9NFp5k51bmHS-Q5BbHwHHDZ-8qwuGpcTTlU7OBtK27RrQBRBLoS3DFyS0ErGZtm_bzpW8N2o6lFGfjOpUHHodkQB4anLbb_5q2XxqFvEZY5dxbuuJsc1X4EltIJ8FD9stzSaEyh3GsV4Kz7Y6dGBkVEGfvjBykRUycHcCiqjgiuMjW0eX-wIc66BqRHU1bPiful99qPwXOh7oou59c8DwHKO9uFzcKKQIY21KPap2CWezh_WExCx14oCJ7yT0Cd3vjmBBaTwWxVN-jZxRlSIneEzLuwOBeB2Q== \ No newline at end of file From 3b7e14755c7b485261d715dccd438932c3c78f58 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Mon, 25 Dec 2023 10:19:34 +0100 Subject: [PATCH 467/996] bundles/wireguard: clean up leftovers --- bundles/wireguard/files/pppd-ip-up | 10 ------ bundles/wireguard/files/wg_health_check | 46 ------------------------- bundles/wireguard/items.py | 7 ---- 3 files changed, 63 deletions(-) delete mode 100644 bundles/wireguard/files/pppd-ip-up delete mode 100644 bundles/wireguard/files/wg_health_check diff --git a/bundles/wireguard/files/pppd-ip-up b/bundles/wireguard/files/pppd-ip-up deleted file mode 100644 index 5e5d200..0000000 --- a/bundles/wireguard/files/pppd-ip-up +++ /dev/null 
@@ -1,10 +0,0 @@ -#!/bin/bash - -# We need to send some traffic over the wireguard tunnel to make sure -# it gets connected. Easiest way is to simply send some pings to the -# other side. - -% for peer, config in sorted(node.metadata.get('wireguard/peers', {}).items()): -# refresh connection to ${peer} -/usr/bin/ping -c 4 ${config['their_ip']} -% endfor diff --git a/bundles/wireguard/files/wg_health_check b/bundles/wireguard/files/wg_health_check deleted file mode 100644 index 976e112..0000000 --- a/bundles/wireguard/files/wg_health_check +++ /dev/null @@ -1,46 +0,0 @@ -#!/bin/bash - -if [[ -e "/var/lib/bundlewrap/hard-${node.name}/info" ]] -then - # make sure we're not restarting during bw apply - echo "bw apply running" - exit 0 -fi - -now="$(date +%s)" - -everything_up=1 - -% for peer, ip in sorted(peers.items()): -# ${peer} -if ! /usr/bin/ping -c 4 ${ip} >/dev/null 2>&1 -then - echo "${peer} was not reachable!" - everything_up=0 -fi - -% endfor -if [[ "$everything_up" -eq 1 ]] -then - echo "Everything is up as expected" - echo "$now" > /var/tmp/wg_all_reached - exit 0 -fi - -five_min_ago="$(expr $now - 300)" -last_reached="$(cat /var/tmp/wg_all_reached)" - -if [[ "$last_reached" -lt "$five_min_ago" ]] -then - echo "RESTART" - - systemctl restart systemd-networkd - - # only restart once an hour - echo "$(expr $now + 3300)" > /var/tmp/wg_all_reached -elif [[ "$last_reached" -gt "$now" ]] -then - echo "Something's broken, but we have recently restarted" -else - echo "Something's broken, but still in grace time" -fi diff --git a/bundles/wireguard/items.py b/bundles/wireguard/items.py index 0a270d1..4298dde 100644 --- a/bundles/wireguard/items.py +++ b/bundles/wireguard/items.py 
@@ -34,10 +34,3 @@ for peer, config in sorted(node.metadata.get('wireguard/peers', {}).items()): 'svc_systemd:systemd-networkd:restart', }, } - -if node.has_bundle('pppd'): - files['/etc/ppp/ip-up.d/reconnect-wireguard'] = { - 'source': 'pppd-ip-up', - 'content_type': 'mako', - 'mode': '0755', - } From e7e2fd184fb6bd5aee06f8535b7952739c454a17 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Mon, 25 Dec 2023 10:22:33 +0100 Subject: [PATCH 468/996] bundles/bird: fix bw test --- bundles/bird/metadata.py | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/bundles/bird/metadata.py b/bundles/bird/metadata.py index ea4c1e6..43d6af4 100644 --- a/bundles/bird/metadata.py +++ b/bundles/bird/metadata.py @@ -65,8 +65,10 @@ def neighbor_info_from_wireguard(metadata): ) def my_ip(metadata): if node.has_bundle('wireguard'): - wg_iface = sorted({iface for iface in metadata.get('interfaces').keys() if iface.startswith('wg_')})[0] - my_ip = sorted(metadata.get(f'interfaces/{wg_iface}/ips'))[0].split('/')[0] + wg_ifaces = sorted({iface for iface in metadata.get('interfaces').keys() if iface.startswith('wg_')}) + if not wg_ifaces: + return {} + my_ip = sorted(metadata.get(f'interfaces/{wg_ifaces[0]}/ips'))[0].split('/')[0] else: my_ip = str(sorted(repo.libs.tools.resolve_identifier(repo, node.name))[0]) From 8331c04b51d1f706271cd833ba759b73115f0ee9 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Mon, 25 Dec 2023 10:28:25 +0100 Subject: [PATCH 469/996] update forgejo to 1.21.3-0 --- nodes/carlene.toml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/nodes/carlene.toml b/nodes/carlene.toml index 4b4d8c3..6a1b89c 100644 --- a/nodes/carlene.toml +++ b/nodes/carlene.toml 
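Review bot: The new guard only covers the case of no `wg_` interface; the very next line still does `sorted(metadata.get(f'interfaces/{wg_ifaces[0]}/ips'))[0]`, so a wireguard interface whose `ips` list is empty raises IndexError in exactly the kind of partially-populated metadata this bw-test fix targets. Consider `ips = sorted(metadata.get(f'interfaces/{wg_ifaces[0]}/ips', []))` followed by `if not ips: return {}` before the `.split('/')`. The `[0]` also selects the lexicographically smallest address string, which is presumably intended but worth a short comment if the interface can carry both v4 and v6 addresses. The body of `my_ip` continues past the hunk.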
@@ -49,8 +49,8 @@ defaultCountryCode = "DE" jitsi.preferredDomain = "meet.ffmuc.net" [metadata.forgejo] -version = "1.21.2-1" -sha1 = "c5c392ed570f7888fba5aa2ce493fd26741649b2" +version = "1.21.3-0" +sha1 = "4b6fd8b5cfff1e4e9b2214076e8998c290419cbb" domain = "git.franzi.business" enable_git_hooks = true install_ssh_key = true From 2875bb7160dac7a58156a27a7c776d05570951fd Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Mon, 25 Dec 2023 10:28:43 +0100 Subject: [PATCH 470/996] update element-web to 1.11.52 --- nodes/carlene.toml | 2 +- nodes/htz-cloud.afra.toml | 2 +- nodes/htz-cloud/miniserver.py | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/nodes/carlene.toml b/nodes/carlene.toml index 6a1b89c..1eea7e4 100644 --- a/nodes/carlene.toml +++ b/nodes/carlene.toml @@ -40,7 +40,7 @@ imap_pass = "!bwpass_attr:t-online.de/franzi.kunsmann@t-online.de:imap" [metadata.element-web] url = "chat.franzi.business" -version = "v1.11.51" +version = "v1.11.52" [metadata.element-web.config] default_server_config.'m.homeserver'.base_url = "https://matrix.franzi.business" default_server_config.'m.homeserver'.server_name = "franzi.business" diff --git a/nodes/htz-cloud.afra.toml b/nodes/htz-cloud.afra.toml index 7067b3a..979790c 100644 --- a/nodes/htz-cloud.afra.toml +++ b/nodes/htz-cloud.afra.toml @@ -32,7 +32,7 @@ routes.'172.19.136.0/22'.via = "172.19.137.1" [metadata.element-web] url = "element.afra.berlin" -version = "v1.11.51" +version = "v1.11.52" [metadata.element-web.config] default_server_config.'m.homeserver'.base_url = "https://matrix.afra.berlin" diff --git a/nodes/htz-cloud/miniserver.py b/nodes/htz-cloud/miniserver.py index 86b169e..0cd782d 100644 --- a/nodes/htz-cloud/miniserver.py +++ b/nodes/htz-cloud/miniserver.py @@ -62,7 +62,7 @@ nodes['htz-cloud.miniserver'] = { }, 'element-web': { 'url': 'chat.sophies-kitchen.eu', - 'version': 'v1.11.51', + 'version': 'v1.11.52', 'config': { 'default_server_config': { 'm.homeserver': { 
From d9f9690518e3f21d9a678a9308c4c525f1f5a98b Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Mon, 25 Dec 2023 10:40:17 +0100 Subject: [PATCH 471/996] update travelynx to 2.5.4 --- nodes/carlene.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nodes/carlene.toml b/nodes/carlene.toml index 1eea7e4..e0b93af 100644 --- a/nodes/carlene.toml +++ b/nodes/carlene.toml @@ -237,7 +237,7 @@ disks = [ ] [metadata.travelynx] -version = "2.5.3" +version = "2.5.4" mail_from = "travelynx@franzi.business" domain = "travelynx.franzi.business" # the old one from rx300, XXX remove 2024-01-01 From 66bb1a80c6fa2b76586fb2b7959add12d5fbbb64 Mon Sep 17 00:00:00 2001 From: Sophie Schiller Date: Mon, 25 Dec 2023 23:00:32 +0100 Subject: [PATCH 472/996] voc.infobeamer-cms: move event start date to day 0 --- nodes/voc/infobeamer-cms.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nodes/voc/infobeamer-cms.py b/nodes/voc/infobeamer-cms.py index 5da8e79..12e40ca 100644 --- a/nodes/voc/infobeamer-cms.py +++ b/nodes/voc/infobeamer-cms.py @@ -24,7 +24,7 @@ nodes['voc.infobeamer-cms'] = { }, 'infobeamer-cms': { 'domain': 'infobeamer.c3voc.de', - 'event_start_date': '2023-12-27', + 'event_start_date': '2023-12-26', 'event_duration_days': 4, 'config': { 'ADMIN_USERS': [ From 3ddc75d8461bc32547dc60834b98fdaca86f605b Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Tue, 26 Dec 2023 09:14:25 +0100 Subject: [PATCH 473/996] voc.infobeamer-cms: allow uploads on day 4 as well --- nodes/voc/infobeamer-cms.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nodes/voc/infobeamer-cms.py b/nodes/voc/infobeamer-cms.py index 12e40ca..3abaaf2 100644 --- a/nodes/voc/infobeamer-cms.py +++ b/nodes/voc/infobeamer-cms.py 
@@ -25,7 +25,7 @@ nodes['voc.infobeamer-cms'] = { 'infobeamer-cms': { 'domain': 'infobeamer.c3voc.de', 'event_start_date': '2023-12-26', - 'event_duration_days': 4, + 'event_duration_days': 5, 'config': { 'ADMIN_USERS': [ 'hexchen', From 2670d60906e420475aa61c6aee1db19c27cf0bfa Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Tue, 26 Dec 2023 14:49:04 +0100 Subject: [PATCH 474/996] bundles/infobeamer-cms: new version requires new configs --- .../infobeamer-cms/files/infobeamer-cms-runperiodic.service | 5 +++-- .../infobeamer-cms/files/infobeamer-cms-runperiodic.timer | 2 +- bundles/infobeamer-cms/metadata.py | 5 ++--- 3 files changed, 6 insertions(+), 6 deletions(-) diff --git a/bundles/infobeamer-cms/files/infobeamer-cms-runperiodic.service b/bundles/infobeamer-cms/files/infobeamer-cms-runperiodic.service index 8be500a..bf63eb1 100644 --- a/bundles/infobeamer-cms/files/infobeamer-cms-runperiodic.service +++ b/bundles/infobeamer-cms/files/infobeamer-cms-runperiodic.service @@ -4,7 +4,8 @@ After=network.target Requires=infobeamer-cms.service [Service] +Environment=SETTINGS=/opt/infobeamer-cms/settings.toml +WorkingDirectory=/opt/infobeamer-cms/src User=infobeamer-cms Group=infobeamer-cms -WorkingDirectory=/opt/infobeamer-cms -ExecStart=curl -s -H "Host: ${domain}" http://127.0.0.1:8000/sync +ExecStart=/opt/infobeamer-cms/venv/bin/python syncer.py diff --git a/bundles/infobeamer-cms/files/infobeamer-cms-runperiodic.timer b/bundles/infobeamer-cms/files/infobeamer-cms-runperiodic.timer index 48b52f4..049b063 100644 --- a/bundles/infobeamer-cms/files/infobeamer-cms-runperiodic.timer +++ b/bundles/infobeamer-cms/files/infobeamer-cms-runperiodic.timer @@ -2,7 +2,7 @@ Description=Run infobeamer-cms sync [Timer] -OnCalendar=*:0/5 +OnCalendar=minutely Persistent=true [Install] diff --git a/bundles/infobeamer-cms/metadata.py b/bundles/infobeamer-cms/metadata.py index 8d8703b..ab4685c 100644 --- a/bundles/infobeamer-cms/metadata.py 
+++ b/bundles/infobeamer-cms/metadata.py @@ -29,9 +29,6 @@ def nginx(metadata): '/': { 'target': 'http://127.0.0.1:8000', }, - '/sync': { - 'return': 403, - }, '/static': { 'alias': '/opt/infobeamer-cms/src/static', }, @@ -45,6 +42,7 @@ def nginx(metadata): @metadata_reactor.provides( + 'infobeamer-cms/config/DOMAIN', 'infobeamer-cms/config/TIME_MAX', 'infobeamer-cms/config/TIME_MIN', ) @@ -57,6 +55,7 @@ def event_times(metadata): return { 'infobeamer-cms': { 'config': { + 'DOMAIN': metadata.get('infobeamer-cms/domain'), 'TIME_MAX': int(event_end.timestamp()), 'TIME_MIN': int(event_start.timestamp()), }, From b5475df467ad975e172c77cc8fa6dcef11d20dc7 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Tue, 26 Dec 2023 14:50:24 +0100 Subject: [PATCH 475/996] voc.infobeamer-cms: add infobeamer-monitor --- bundles/infobeamer-monitor/files/config.toml | 4 + .../files/infobeamer-monitor.service | 15 ++ bundles/infobeamer-monitor/files/monitor.py | 155 ++++++++++++++++++ bundles/infobeamer-monitor/items.py | 33 ++++ nodes/voc/infobeamer-cms.py | 10 ++ 5 files changed, 217 insertions(+) create mode 100644 bundles/infobeamer-monitor/files/config.toml create mode 100644 bundles/infobeamer-monitor/files/infobeamer-monitor.service create mode 100644 bundles/infobeamer-monitor/files/monitor.py create mode 100644 bundles/infobeamer-monitor/items.py diff --git a/bundles/infobeamer-monitor/files/config.toml b/bundles/infobeamer-monitor/files/config.toml new file mode 100644 index 0000000..12dcdb7 --- /dev/null +++ b/bundles/infobeamer-monitor/files/config.toml @@ -0,0 +1,4 @@ +<% + from tomlkit import dumps as toml_dumps + from bundlewrap.utils.text import toml_clean +%>${toml_clean(toml_dumps(repo.libs.faults.resolve_faults(config), sort_keys=True))} diff --git a/bundles/infobeamer-monitor/files/infobeamer-monitor.service b/bundles/infobeamer-monitor/files/infobeamer-monitor.service new file mode 100644 index 0000000..7be13a2 --- /dev/null 
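Review bot: Removing the `'/sync': {'return': 403}` location in the first hunk drops the nginx-level block that kept the sync trigger unreachable from outside; the periodic job now runs `syncer.py` directly, but requests for `/sync` will from now on be proxied through the `'/'` location to the application. If the new infobeamer-cms version no longer serves that route this is harmless; if it still does, the endpoint is newly exposed and the deny should stay until the route is confirmed gone upstream. A one-line comment beside the `'/'` location, such as `# /sync is no longer exposed via HTTP; syncing is done by infobeamer-cms-runperiodic.service`, would record the reason for the removal. The enclosing `nginx` reactor starts outside the hunk.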
+++ b/bundles/infobeamer-monitor/files/infobeamer-monitor.service @@ -0,0 +1,15 @@ +[Unit] +Description=infobeamer-monitor +After=network.target + +[Service] +Type=exec +Restart=always +RestartSec=5s +ExecStart=/opt/infobeamer-cms/venv/bin/python monitor.py +User=infobeamer-cms +Group=infobeamer-cms +WorkingDirectory=/opt/infobeamer-monitor/ + +[Install] +WantedBy=multi-user.target diff --git a/bundles/infobeamer-monitor/files/monitor.py b/bundles/infobeamer-monitor/files/monitor.py new file mode 100644 index 0000000..b957633 --- /dev/null +++ b/bundles/infobeamer-monitor/files/monitor.py 
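Review bot: The unit runs as an unprivileged user but declares no sandboxing, although the process only needs outbound network access and read access to `/opt/infobeamer-monitor/`. Adding `NoNewPrivileges=true`, `ProtectSystem=strict` and `ProtectHome=true` under `[Service]` limits what a compromised monitor could reach on the host. `ProtectSystem=strict` makes the working directory read-only, which looks compatible with a script that only reads `config.toml`, but confirm that monitor.py writes nothing there before enabling it.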
@@ -0,0 +1,155 @@ +#!/usr/bin/env python3 + +import logging +from json import dumps +from time import sleep + +import paho.mqtt.client as mqtt +from requests import RequestException, get + +try: + # python 3.11 + from tomllib import loads as toml_load +except ImportError: + from rtoml import load as toml_load + +with open("config.toml") as f: + CONFIG = toml_load(f.read()) + + +logging.basicConfig( + format="[%(levelname)s %(name)s] %(message)s", + level=logging.INFO, +) + +LOG = logging.getLogger("main") +MLOG = logging.getLogger("mqtt") + +state = None + +client = mqtt.Client() +client.username_pw_set(CONFIG["mqtt"]["user"], CONFIG["mqtt"]["password"]) +client.connect(CONFIG["mqtt"]["host"], 1883, 60) +client.loop_start() + + +def mqtt_out(message, level="INFO", device=None): + key = "infobeamer" + if device: + key += f"/{device['id']}" + message = f"[{device['description']}] {message}" + + client.publish( + CONFIG["mqtt"]["topic"], + dumps( + { + "level": level, + "component": key, + "msg": message, + } + ), + ) + + +def mqtt_dump_state(device): + mqtt_out( + "Sync status: {} - Location: {} - Running Setup: {} ({}) - Resolution: {}".format( + "yes" if device["is_synced"] else "unknown", + device["location"], + device["setup"]["name"], + device["setup"]["id"], + device["run"].get("resolution", "unknown"), + ), + device=device, + ) + + +mqtt_out("Monitor starting up") +while True: + try: + try: + r = get("https://info-beamer.com/api/v1/device/list", auth=("", CONFIG["api_key"])) + r.raise_for_status() + ib_state = r.json()["devices"] + except RequestException as e: + LOG.exception("Could not get data from info-beamer") + mqtt_out( + f"Could not get data from info-beamer: {e!r}", + level="WARN", + ) + else: + new_state = {} + for device in ib_state: + did = str(device["id"]) + + if did in new_state: + mqtt_out("DUPLICATE DETECTED!", level="ERROR", device=device) + continue + + new_state[did] = device + must_dump_state = False + + if state is not None: + if did not 
in state: + LOG.info( + "new device found: {} [{}]".format( + did, + device["description"], + ) + ) + mqtt_out( + 'new device found with name "{}"!'.format( + device["description"] + ), + device=device, + ) + if device["is_online"]: + must_dump_state = True + + else: + if device["is_online"] != state[did]["is_online"]: + online_status = ( + "online from {}".format(device["run"]["public_addr"]) + if device["is_online"] + else "offline" + ) + + LOG.info("device {} is now {}".format(did, online_status)) + mqtt_out( + f"online status changed to {online_status}", + device=device, + ) + if device["is_online"]: + must_dump_state = True + + if device["is_online"]: + if device["maintenance"]: + mqtt_out( + "maintenance required: {}".join( + sorted(device["maintenance"]) + ), + level="WARN", + device=device, + ) + + if ( + device["is_synced"] != state[did]["is_synced"] + or device["location"] != state[did]["location"] + or device["setup"]["name"] != state[did]["setup"]["name"] + or device["run"].get("resolution") + != state[did]["run"].get("resolution") + ): + must_dump_state = True + + if must_dump_state: + mqtt_dump_state(device) + + else: + LOG.info("adding device {} to empty state".format(device["id"])) + + state = new_state + sleep(30) + except KeyboardInterrupt: + break + +mqtt_out("Monitor exiting") diff --git a/bundles/infobeamer-monitor/items.py b/bundles/infobeamer-monitor/items.py new file mode 100644 index 0000000..ff7c0fd --- /dev/null +++ b/bundles/infobeamer-monitor/items.py 
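Review bot: The maintenance alert calls `.join` where `.format` is meant: `"maintenance required: {}".join(sorted(device["maintenance"]))` interleaves the literal between the list entries instead of filling the placeholder, so a two-entry list `["x", "y"]` is published as `xmaintenance required: {}y`. It should read `"maintenance required: {}".format(", ".join(sorted(device["maintenance"])))`. Separately, the `get("https://info-beamer.com/api/v1/device/list", ...)` call has no `timeout=`, so a stalled API connection hangs the loop forever and all MQTT alerting silently stops; `timeout=30` next to `auth=` fixes that (the same call is reformatted in PATCH 480 without adding one). Finally, `client.connect(CONFIG["mqtt"]["host"], 1883, 60)` sends the MQTT credentials in clear text; if the broker offers TLS, `client.tls_set()` before `connect` and the TLS port are a cheap improvement.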
@@ -0,0 +1,33 @@ +assert node.has_bundle('infobeamer-cms') # uses same venv + +files['/opt/infobeamer-monitor/config.toml'] = { + 'content_type': 'mako', + 'context': { + 'config': node.metadata.get('infobeamer-monitor'), + }, + 'triggers': { + 'svc_systemd:infobeamer-monitor:restart', + }, +} + +files['/opt/infobeamer-monitor/monitor.py'] = { + 'mode': '0755', + 'triggers': { + 'svc_systemd:infobeamer-monitor:restart', + }, +} + +files['/usr/local/lib/systemd/system/infobeamer-monitor.service'] = { + 'triggers': { + 'action:systemd-reload', + 'svc_systemd:infobeamer-monitor:restart', + }, +} + +svc_systemd['infobeamer-monitor'] = { + 'needs': { + 'file:/opt/infobeamer-monitor/config.toml', + 'file:/opt/infobeamer-monitor/monitor.py', + 'file:/usr/local/lib/systemd/system/infobeamer-monitor.service', + }, +} diff --git a/nodes/voc/infobeamer-cms.py b/nodes/voc/infobeamer-cms.py index 3abaaf2..65c621c 100644 --- a/nodes/voc/infobeamer-cms.py +++ b/nodes/voc/infobeamer-cms.py @@ -2,6 +2,7 @@ nodes['voc.infobeamer-cms'] = { 'hostname': 'infobeamer-cms.c3voc.de', 'bundles': { 'infobeamer-cms', + 'infobeamer-monitor', 'redis', }, 'groups': { @@ -68,6 +69,15 @@ nodes['voc.infobeamer-cms'] = { 'Translations': 'translations', }, }, + 'infobeamer-monitor': { + 'api_key': vault.decrypt('encrypt$gAAAAABlitmDR1duKo_4KuMJBF_HbPO2GFo_gdoT1rvUKQ2kkugPbe2RljM4bxW5bmwhs5avjxiaSAvjnOBte9ioyPEr7cIh79WFEfMnsHeexlCHwMt6NV_t-8EAhuuEQEf3Py93g8zQ'), + 'mqtt': { + 'password': vault.decrypt('encrypt$gAAAAABhxakfhhwWn0vxhoO1FiMEpdCkomWvo0dHIuBrqDKav8WDpI6dXpb0hoXiWRsPV6p5m-8RlbfFbjPhz47AY-nFOOAAW6Yis3-IVD-U-InKJo9dvms='), + 'host': 'mqtt.c3voc.de', + 'topic': '/voc/alert', + 'user': vault.decrypt('encrypt$gAAAAABhxakKHC_kHmHP2mFHorb4niuNTH4F24w1D6m5JUxl117N7znlZA6fpMmY3_NcmBr2Ihw4hL3FjZr9Fm_1oUZ1ZQdADA=='), + }, + }, 'nginx': { 'vhosts': { 'redirect': { From 9be370f8df79243ba3ee8c90696e8ad06937e45c Mon Sep 17 00:00:00 2001 
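Review bot: `/opt/infobeamer-monitor/config.toml` is rendered from `node.metadata.get('infobeamer-monitor')`, which per the node file in this same commit contains the info-beamer API key and the MQTT password, yet the file item sets neither `owner` nor `mode`, so it falls back to bundlewrap's default of a root-owned, world-readable file. Since the service runs as `infobeamer-cms`, add `'owner': 'infobeamer-cms',` and `'mode': '0400',` to that item so only the monitor process can read its secrets. The `monitor.py` item does not need `'mode': '0755'` either, as the unit starts it through the venv interpreter rather than executing it directly.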
From: Franziska Kunsmann Date: Tue, 26 Dec 2023 15:02:56 +0100 Subject: [PATCH 476/996] bundles/infobeamer-monitor: improve code a bit --- bundles/infobeamer-monitor/files/monitor.py | 2 ++ 1 file changed, 2 insertions(+) diff --git a/bundles/infobeamer-monitor/files/monitor.py b/bundles/infobeamer-monitor/files/monitor.py index b957633..3015381 100644 --- a/bundles/infobeamer-monitor/files/monitor.py +++ b/bundles/infobeamer-monitor/files/monitor.py @@ -117,6 +117,7 @@ while True: LOG.info("device {} is now {}".format(did, online_status)) mqtt_out( f"online status changed to {online_status}", + level="INFO" if device["is_online"] else "WARN", device=device, ) if device["is_online"]: @@ -131,6 +132,7 @@ while True: level="WARN", device=device, ) + must_dump_state = True if ( device["is_synced"] != state[did]["is_synced"] From 14c01e3bf0d4eab784f8b3c6a3bc05f16e93db2f Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Tue, 26 Dec 2023 23:15:18 +0100 Subject: [PATCH 477/996] bundles/infobeamer-monitor: more alerts --- bundles/infobeamer-monitor/files/monitor.py | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/bundles/infobeamer-monitor/files/monitor.py b/bundles/infobeamer-monitor/files/monitor.py index 3015381..4e6c855 100644 --- a/bundles/infobeamer-monitor/files/monitor.py +++ b/bundles/infobeamer-monitor/files/monitor.py @@ -98,9 +98,7 @@ while True: ) ) mqtt_out( - 'new device found with name "{}"!'.format( - device["description"] - ), + 'new device found!', device=device, ) if device["is_online"]: @@ -123,6 +121,10 @@ while True: if device["is_online"]: must_dump_state = True + if device["description"] != state[did]["description"]: + LOG.info("device {} changed name to {}".format(did, device["description"])) + must_dump_state = True + if device["is_online"]: if device["maintenance"]: mqtt_out( 
@@ -137,7 +139,7 @@ while True: if ( device["is_synced"] != state[did]["is_synced"] or device["location"] != state[did]["location"] - or device["setup"]["name"] != state[did]["setup"]["name"] + or device["setup"]["id"] != state[did]["setup"]["id"] or device["run"].get("resolution") != state[did]["run"].get("resolution") ): From c5ea690621062b6a7e07ec33f5a154a9b0796cf1 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Wed, 27 Dec 2023 12:12:24 +0100 Subject: [PATCH 478/996] bundles/infobeamer-cms: less security needed --- bundles/infobeamer-cms/metadata.py | 1 + 1 file changed, 1 insertion(+) diff --git a/bundles/infobeamer-cms/metadata.py b/bundles/infobeamer-cms/metadata.py index ab4685c..d376b62 100644 --- a/bundles/infobeamer-cms/metadata.py +++ b/bundles/infobeamer-cms/metadata.py @@ -35,6 +35,7 @@ def nginx(metadata): }, 'website_check_path': '/', 'website_check_string': 'Share your projects', + 'do_not_set_content_security_headers': True, }, }, }, From 2e2e8cf7c03a380ffde9d7ff08773627e027c7a4 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Wed, 27 Dec 2023 12:15:42 +0100 Subject: [PATCH 479/996] voc.infobeamer-cms: device has changed --- nodes/voc/infobeamer-cms.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nodes/voc/infobeamer-cms.py b/nodes/voc/infobeamer-cms.py index 65c621c..d379b90 100644 --- a/nodes/voc/infobeamer-cms.py +++ b/nodes/voc/infobeamer-cms.py @@ -58,7 +58,7 @@ nodes['voc.infobeamer-cms'] = { # }], }, 'rooms': { - 'Saal 1': 22027, + 'Saal 1': 34430, 'Saal G': 26598, 'Saal Z': 26610, 'Saal E (SoS/Lightning-Talks)': 32814, From e33cc65cb172557e4d7e414044976ff416bf7f57 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Wed, 27 Dec 2023 14:55:15 +0100 Subject: [PATCH 480/996] bundles/infobeamer-monitor: only dump state if device is online --- bundles/infobeamer-monitor/files/monitor.py | 23 ++++++++++++++------- 1 file changed, 15 insertions(+), 8 deletions(-) 
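Review bot: `'do_not_set_content_security_headers': True` switches off the security headers for the entire infobeamer-cms vhost, and neither the line nor the commit message records which header the new version conflicts with. A comment on that line naming the offending header or the upstream issue, e.g. `# TODO(review): note which header the new infobeamer-cms version breaks on`, would let the flag be revisited later. If the nginx bundle allows overriding a single header, a scoped override would be preferable to dropping all of them; that cannot be determined from this hunk.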
diff --git a/bundles/infobeamer-monitor/files/monitor.py b/bundles/infobeamer-monitor/files/monitor.py index 4e6c855..466c625 100644 --- a/bundles/infobeamer-monitor/files/monitor.py +++ b/bundles/infobeamer-monitor/files/monitor.py @@ -52,6 +52,8 @@ def mqtt_out(message, level="INFO", device=None): def mqtt_dump_state(device): + if not device["is_online"]: + return mqtt_out( "Sync status: {} - Location: {} - Running Setup: {} ({}) - Resolution: {}".format( "yes" if device["is_synced"] else "unknown", @@ -68,7 +70,10 @@ mqtt_out("Monitor starting up") while True: try: try: - r = get("https://info-beamer.com/api/v1/device/list", auth=("", CONFIG["api_key"])) + r = get( + "https://info-beamer.com/api/v1/device/list", + auth=("", CONFIG["api_key"]), + ) r.raise_for_status() ib_state = r.json()["devices"] except RequestException as e: @@ -98,11 +103,10 @@ while True: ) ) mqtt_out( - 'new device found!', + "new device found!", device=device, ) - if device["is_online"]: - must_dump_state = True + must_dump_state = True else: if device["is_online"] != state[did]["is_online"]: @@ -114,15 +118,18 @@ while True: LOG.info("device {} is now {}".format(did, online_status)) mqtt_out( - f"online status changed to {online_status}", + f"status changed to {online_status}", level="INFO" if device["is_online"] else "WARN", device=device, ) - if device["is_online"]: - must_dump_state = True + must_dump_state = True if device["description"] != state[did]["description"]: - LOG.info("device {} changed name to {}".format(did, device["description"])) + LOG.info( + "device {} changed name to {}".format( + did, device["description"] + ) + ) must_dump_state = True if device["is_online"]: From 8dde3dba0b628ad785e1ccb0f8db21f432e6ddd6 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Thu, 28 Dec 2023 11:32:44 +0100 Subject: [PATCH 481/996] home.downloadhelper: adjust home ip range --- nodes/home/downloadhelper.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/nodes/home/downloadhelper.py b/nodes/home/downloadhelper.py index 7626fb9..fc84fbe 100644 --- a/nodes/home/downloadhelper.py +++ b/nodes/home/downloadhelper.py @@ -19,7 +19,7 @@ nodes['home.downloadhelper'] = { }, 'routes': { # VPN - '172.19.136.0/22': { + '172.19.128.0/20': { 'via': '172.19.138.1', }, }, From ec1efaafcc635d5018a3af27e615be3509426985 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Fri, 29 Dec 2023 08:16:58 +0100 Subject: [PATCH 482/996] bundles/infobeamer-cms: move static files outside repo root --- bundles/infobeamer-cms/items.py | 22 ++++++++++++++-------- bundles/infobeamer-cms/metadata.py | 3 ++- 2 files changed, 16 insertions(+), 9 deletions(-) diff --git a/bundles/infobeamer-cms/items.py b/bundles/infobeamer-cms/items.py index 226fc23..39820cc 100644 --- a/bundles/infobeamer-cms/items.py +++ b/bundles/infobeamer-cms/items.py @@ -1,8 +1,4 @@ actions = { - 'infobeamer-cms_set_directory_permissions': { - 'triggered': True, - 'command': 'chown -R infobeamer-cms:infobeamer-cms /opt/infobeamer-cms/src/static/' - }, 'infobeamer-cms_create_virtualenv': { 'command': '/usr/bin/python3 -m virtualenv -p python3 /opt/infobeamer-cms/venv/', 'unless': 'test -d /opt/infobeamer-cms/venv/', @@ -12,7 +8,11 @@ actions = { }, }, 'infobeamer-cms_install_requirements': { - 'command': 'cd /opt/infobeamer-cms/src && /opt/infobeamer-cms/venv/bin/pip install --upgrade pip gunicorn -r requirements.txt', + 'command': ' && '.join([ + 'cd /opt/infobeamer-cms/src', + '/opt/infobeamer-cms/venv/bin/pip install --upgrade pip gunicorn -r requirements.txt', + 'rsync /opt/infobeamer-cms/src/static/* /opt/infobeamer-cms/static/', + ]), 'needs': { 'action:infobeamer-cms_create_virtualenv', }, @@ -29,7 +29,6 @@ git_deploy = { }, 'triggers': { 'svc_systemd:infobeamer-cms:restart', - 'action:infobeamer-cms_set_directory_permissions', 'action:infobeamer-cms_install_requirements', }, }, 
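Review bot: The new `rsync /opt/infobeamer-cms/src/static/* /opt/infobeamer-cms/static/` step in `infobeamer-cms_install_requirements` runs rsync without `-r`/`-a`, so any subdirectory under `src/static` is skipped (rsync reports "skipping directory") and the tree served via the nginx `alias` would be incomplete; files removed upstream also linger in the target. `rsync -a --delete /opt/infobeamer-cms/src/static/ /opt/infobeamer-cms/static/` copies the whole tree and mirrors removals. The copy runs as root, so the new files are root-owned inside a directory the next hunk assigns to `infobeamer-cms` — fine for nginx's read-only serving, but if the application itself writes into `STATIC_PATH`, add `--chown=infobeamer-cms:infobeamer-cms` rather than relying on the removed chown action.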
@@ -37,6 +36,9 @@ git_deploy = { directories = { '/opt/infobeamer-cms/src': {}, + '/opt/infobeamer-cms/static': { + 'owner': 'infobeamer-cms', + }, } config = node.metadata.get('infobeamer-cms/config', {}) @@ -109,7 +111,7 @@ svc_systemd = { 'infobeamer-cms': { 'needs': { 'action:infobeamer-cms_install_requirements', - 'action:infobeamer-cms_set_directory_permissions', + 'directory:/opt/infobeamer-cms/static', 'file:/etc/systemd/system/infobeamer-cms.service', 'file:/opt/infobeamer-cms/settings.toml', 'git_deploy:/opt/infobeamer-cms/src', @@ -117,8 +119,12 @@ svc_systemd = { }, 'infobeamer-cms-runperiodic.timer': { 'needs': { - 'file:/etc/systemd/system/infobeamer-cms-runperiodic.timer', + 'action:infobeamer-cms_install_requirements', + 'directory:/opt/infobeamer-cms/static', 'file:/etc/systemd/system/infobeamer-cms-runperiodic.service', + 'file:/etc/systemd/system/infobeamer-cms-runperiodic.timer', + 'file:/opt/infobeamer-cms/settings.toml', + 'git_deploy:/opt/infobeamer-cms/src', }, }, } diff --git a/bundles/infobeamer-cms/metadata.py b/bundles/infobeamer-cms/metadata.py index d376b62..9d602e0 100644 --- a/bundles/infobeamer-cms/metadata.py +++ b/bundles/infobeamer-cms/metadata.py @@ -6,6 +6,7 @@ defaults = { 'MAX_UPLOADS': 5, 'PREFERRED_URL_SCHEME': 'https', 'SESSION_COOKIE_NAME': '__Host-sess', + 'STATIC_PATH': '/opt/infobeamer-cms/static', 'URL_KEY': repo.vault.password_for(f'{node.name} infobeamer-cms url key'), 'VERSION': 1, }, @@ -30,7 +31,7 @@ def nginx(metadata): 'target': 'http://127.0.0.1:8000', }, '/static': { - 'alias': '/opt/infobeamer-cms/src/static', + 'alias': '/opt/infobeamer-cms/static', }, }, 'website_check_path': '/', From a929f24977374e6989b1c62e5206999160b39c8c Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 31 Dec 2023 08:50:45 +0100 Subject: [PATCH 483/996] bundles/infobeamer-cms: more and better information --- bundles/infobeamer-monitor/files/monitor.py | 16 ++++++++++++++-- 1 file changed, 14 insertions(+), 2 deletions(-) 
diff --git a/bundles/infobeamer-monitor/files/monitor.py b/bundles/infobeamer-monitor/files/monitor.py index 466c625..9ac2333 100644 --- a/bundles/infobeamer-monitor/files/monitor.py +++ b/bundles/infobeamer-monitor/files/monitor.py @@ -1,6 +1,7 @@ #!/usr/bin/env python3 import logging +from datetime import datetime, timezone from json import dumps from time import sleep @@ -56,7 +57,7 @@ def mqtt_dump_state(device): return mqtt_out( "Sync status: {} - Location: {} - Running Setup: {} ({}) - Resolution: {}".format( - "yes" if device["is_synced"] else "unknown", + "yes" if device["is_synced"] else "syncing", device["location"], device["setup"]["name"], device["setup"]["id"], @@ -84,6 +85,7 @@ while True: ) else: new_state = {} + online_devices = set() for device in ib_state: did = str(device["id"]) @@ -154,11 +156,21 @@ while True: if must_dump_state: mqtt_dump_state(device) - else: LOG.info("adding device {} to empty state".format(device["id"])) + if device["is_online"]: + online_devices.add( + "{} ({})".format( + device["id"], + device["description"], + ) + ) + state = new_state + + if datetime.now(timezone.utc).strftime("%H%M") == "1312" and online_devices: + mqtt_out("Online Devices: {}".format(", ".join(sorted(online_devices)))) sleep(30) except KeyboardInterrupt: break From 46e00d6fc8795178ef7f4802949099fef716b94e Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Mon, 1 Jan 2024 10:11:11 +0100 Subject: [PATCH 484/996] bundles/nodejs: only install nodesource packages if debian does not ship that version --- bundles/nodejs/items.py | 4 ++-- bundles/nodejs/metadata.py | 40 ++++++++++++++++++++++++++++---------- 2 files changed, 32 insertions(+), 12 deletions(-) diff --git a/bundles/nodejs/items.py b/bundles/nodejs/items.py index dc8607c..54f8ca7 100644 --- a/bundles/nodejs/items.py +++ b/bundles/nodejs/items.py 
@@ -2,8 +2,8 @@ actions = { 'nodejs_install_yarn': { 'command': 'npm install -g yarn@latest', 'unless': 'test -e /usr/lib/node_modules/yarn', - 'needs': { - 'pkg_apt:nodejs', + 'after': { + 'pkg_apt:', }, }, } diff --git a/bundles/nodejs/metadata.py b/bundles/nodejs/metadata.py index 18f0de6..544cd9c 100644 --- a/bundles/nodejs/metadata.py +++ b/bundles/nodejs/metadata.py @@ -2,7 +2,6 @@ defaults = { 'apt': { 'additional_update_commands': { # update npm to latest version - 'npm install -g npm@latest', 'npm install -g yarn@latest', }, 'packages': { @@ -14,20 +13,41 @@ defaults = { }, } +VERSIONS_SHIPPED_BY_DEBIAN = { + 10: 10, + 11: 12, + 12: 18, + 13: 18, +} + @metadata_reactor.provides( 'apt/repos/nodejs/items', ) def nodejs_from_version(metadata): version = metadata.get('nodejs/version') - return { - 'apt': { - 'repos': { - 'nodejs': { - 'items': { - f'deb https://deb.nodesource.com/node_{version}.x {{os_release}} main', - f'deb-src https://deb.nodesource.com/node_{version}.x {{os_release}} main', + + if version != VERSIONS_SHIPPED_BY_DEBIAN[node.os_version[0]]: + return { + 'apt': { + 'additional_update_commands': { + # update npm to latest version + 'npm install -g npm@latest', + }, + 'repos': { + 'nodejs': { + 'items': { + f'deb https://deb.nodesource.com/node_{version}.x {{os_release}} main', + f'deb-src https://deb.nodesource.com/node_{version}.x {{os_release}} main', + }, }, }, }, - }, - } + } + else: + return { + 'apt': { + 'packages': { + 'npm': {}, + }, + }, + } From 4889ea4d311c737b42516f1f7ae46167e1fd255c Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Mon, 1 Jan 2024 10:12:03 +0100 Subject: [PATCH 485/996] update mautrix-telegram to 0.15.1 --- nodes/carlene.toml | 2 +- nodes/htz-cloud/miniserver.py | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/nodes/carlene.toml b/nodes/carlene.toml index e0b93af..09f9377 100644 --- a/nodes/carlene.toml +++ b/nodes/carlene.toml 
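Review bot: `VERSIONS_SHIPPED_BY_DEBIAN[node.os_version[0]]` raises KeyError for any node whose major OS version is not one of the four listed keys — a non-Debian node carrying this bundle, or the next Debian release — which turns a metadata reactor into a hard failure for the whole repo run. `VERSIONS_SHIPPED_BY_DEBIAN.get(node.os_version[0])` makes unknown releases fall through to the nodesource branch, matching the commit's intent. A short comment above the dict, `# nodejs major version shipped in each Debian release's main repo`, would also explain what the mapping encodes.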
@@ -94,7 +94,7 @@ additional_client_config.'im.vector.riot.jitsi'.preferredDomain = "meet.ffmuc.ne wellknown_also_on_vhosts = ["franzi.business"] [metadata.mautrix-telegram] -version = "v0.15.0" +version = "v0.15.1" homeserver.domain = "franzi.business" homeserver.url = "https://matrix.franzi.business" telegram.api_id = "!decrypt:encrypt$gAAAAABfVK5SmDDru-UQxitkE5VhPArnUBhaRbAqQPvAW2Fh3fd1XDrWxa3Qn4BSnJAPNWglH5wil_SXUMcIm95FMhPe8dVeMQ==" diff --git a/nodes/htz-cloud/miniserver.py b/nodes/htz-cloud/miniserver.py index 0cd782d..bdba4c4 100644 --- a/nodes/htz-cloud/miniserver.py +++ b/nodes/htz-cloud/miniserver.py @@ -146,7 +146,7 @@ nodes['htz-cloud.miniserver'] = { }, }, 'mautrix-telegram': { - 'version': 'v0.15.0', + 'version': 'v0.15.1', 'homeserver': { 'domain': 'sophies-kitchen.eu', 'url': 'https://matrix.sophies-kitchen.eu', From adba83feeadec9b3c169a1e15560e399f29505b6 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Mon, 1 Jan 2024 10:12:24 +0100 Subject: [PATCH 486/996] update netbox to 3.7.0 --- nodes/carlene.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nodes/carlene.toml b/nodes/carlene.toml index 09f9377..e3f7bab 100644 --- a/nodes/carlene.toml +++ b/nodes/carlene.toml @@ -121,7 +121,7 @@ domain = "rss.franzi.business" [metadata.netbox] domain = "netbox.franzi.business" -version = "v3.6.7" +version = "v3.7.0" admins.kunsi = "hostmaster@kunbox.net" [metadata.nextcloud] From a05a809131643711bf1c22fe66ebf6c31b1575df Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Mon, 1 Jan 2024 10:12:38 +0100 Subject: [PATCH 487/996] update travelynx to 2.5.7 --- nodes/carlene.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nodes/carlene.toml b/nodes/carlene.toml index e3f7bab..335ece3 100644 --- a/nodes/carlene.toml +++ b/nodes/carlene.toml 
@@ -237,7 +237,7 @@ disks = [ ] [metadata.travelynx] -version = "2.5.4" +version = "2.5.7" mail_from = "travelynx@franzi.business" domain = "travelynx.franzi.business" # the old one from rx300, XXX remove 2024-01-01 From fa107dcc3f8bf1ae07d1b855500fc58ec45ebba2 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Mon, 1 Jan 2024 10:12:51 +0100 Subject: [PATCH 488/996] update paperless-ngx to 2.2.1 --- nodes/home/paperless.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nodes/home/paperless.py b/nodes/home/paperless.py index 5cc39fb..cc4a037 100644 --- a/nodes/home/paperless.py +++ b/nodes/home/paperless.py @@ -55,7 +55,7 @@ nodes['home.paperless'] = { }, }, 'paperless': { - 'version': 'v2.1.3', + 'version': 'v2.2.1', 'timezone': 'Europe/Berlin', }, 'postgresql': { From dfadffd92185ddd3e02789afb83206c9eac76514 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Mon, 1 Jan 2024 10:15:56 +0100 Subject: [PATCH 489/996] add home.lgtv-wohnzimmer --- nodes/home.lgtv-wohnzimmer.toml | 9 +++++++++ 1 file changed, 9 insertions(+) create mode 100644 nodes/home.lgtv-wohnzimmer.toml diff --git a/nodes/home.lgtv-wohnzimmer.toml b/nodes/home.lgtv-wohnzimmer.toml new file mode 100644 index 0000000..611e16a --- /dev/null +++ b/nodes/home.lgtv-wohnzimmer.toml @@ -0,0 +1,9 @@ +dummy = true + +[metadata.interfaces.default] +ips = ["172.19.138.72"] +dhcp = true +mac = "ac:5a:f0:32:05:7b" + +[metadata.icinga_options] +exclude_from_monitoring = true From 7c70c600f430fb563a72580914875a6a57343251 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Mon, 1 Jan 2024 11:38:39 +0100 Subject: [PATCH 490/996] bundles/infobeamer-monitor: only alert online devices once --- bundles/infobeamer-monitor/files/monitor.py | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/bundles/infobeamer-monitor/files/monitor.py b/bundles/infobeamer-monitor/files/monitor.py index 9ac2333..f61cb43 100644 --- a/bundles/infobeamer-monitor/files/monitor.py 
+++ b/bundles/infobeamer-monitor/files/monitor.py @@ -169,7 +169,11 @@ while True: state = new_state - if datetime.now(timezone.utc).strftime("%H%M") == "1312" and online_devices: + if ( + datetime.now(timezone.utc).strftime("%H%M") == "1312" + and online_devices + and int(datetime.now(timezone.utc).strftime("%S")) < 30 + ): mqtt_out("Online Devices: {}".format(", ".join(sorted(online_devices)))) sleep(30) except KeyboardInterrupt: From 3bddab5f6720178323c37a19516ddb2b7b902f2a Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Wed, 3 Jan 2024 12:59:21 +0100 Subject: [PATCH 491/996] bundles/arch-with-gui: ensure we have avahi installed and running --- bundles/arch-with-gui/items.py | 5 +++++ bundles/arch-with-gui/metadata.py | 9 +++++++++ 2 files changed, 14 insertions(+) diff --git a/bundles/arch-with-gui/items.py b/bundles/arch-with-gui/items.py index 9d3d911..67702b2 100644 --- a/bundles/arch-with-gui/items.py +++ b/bundles/arch-with-gui/items.py @@ -44,6 +44,11 @@ directories = { } svc_systemd = { + 'avahi-daemon': { + 'needs': { + 'pkg_pacman:avahi', + }, + }, 'sddm': { 'needs': { 'pkg_pacman:sddm', diff --git a/bundles/arch-with-gui/metadata.py b/bundles/arch-with-gui/metadata.py index 4666cca..d75d8e1 100644 --- a/bundles/arch-with-gui/metadata.py +++ b/bundles/arch-with-gui/metadata.py @@ -9,6 +9,14 @@ defaults = { 'icinga_options': { 'exclude_from_monitoring': True, }, + 'nftables': { + 'input': { + '50-avahi': { + 'udp dport 5353 accept', + 'udp sport 5353 accept', + }, + }, + }, 'pacman': { 'packages': { # fonts @@ -23,6 +31,7 @@ defaults = { 'sddm': {}, # networking + 'avahi': {}, 'netctl': {}, 'rfkill': {}, 'wpa_supplicant': {}, From fabe11d5b2c805632e0b1a97b8e258b93792340d Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Wed, 3 Jan 2024 14:16:25 +0100 Subject: [PATCH 492/996] update travelynx to 2.5.9 --- nodes/carlene.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
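Review bot: The new condition calls `datetime.now(timezone.utc)` twice, so the minute and the second are sampled at different instants and the two strftime results can disagree around a minute boundary. Capturing the time once reads more clearly and avoids the string round-trips: `now = datetime.now(timezone.utc)` followed by `if now.hour == 13 and now.minute == 12 and now.second < 30 and online_devices:`. The `< 30` guard only de-duplicates while the loop period stays at `sleep(30)` plus sub-second work; a comment such as `# fire once per day: the loop sleeps 30s, so only the first half of 13:12 qualifies` would make that coupling explicit. The enclosing `while True` loop starts outside the hunk.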
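Review bot: `'udp sport 5353 accept'` in the new `50-avahi` input rules accepts any UDP datagram to any local port as long as the sender uses source port 5353, which any remote client can choose freely, so it effectively bypasses the input filter for every UDP service on the host. mDNS only needs queries and multicast responses delivered to local port 5353, and avahi sends its own queries from port 5353 as well, so replies also arrive on dport 5353; `'udp dport 5353 accept'` alone is sufficient. If a stateful accept exists in the base ruleset (not visible here), it covers the remaining cases without a source-port match.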
diff --git a/nodes/carlene.toml b/nodes/carlene.toml index 335ece3..5d5f8ea 100644 --- a/nodes/carlene.toml +++ b/nodes/carlene.toml @@ -237,7 +237,7 @@ disks = [ ] [metadata.travelynx] -version = "2.5.7" +version = "2.5.9" mail_from = "travelynx@franzi.business" domain = "travelynx.franzi.business" # the old one from rx300, XXX remove 2024-01-01 From bc63ef97abb84549854d854124ef5447aa3a8b62 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Wed, 3 Jan 2024 15:11:05 +0100 Subject: [PATCH 493/996] bundles/arch-with-gui: install pipewire-zeroconf --- bundles/arch-with-gui/files/50-network.conf | 5 +++++ bundles/arch-with-gui/items.py | 2 ++ bundles/arch-with-gui/metadata.py | 1 + 3 files changed, 8 insertions(+) create mode 100644 bundles/arch-with-gui/files/50-network.conf diff --git a/bundles/arch-with-gui/files/50-network.conf b/bundles/arch-with-gui/files/50-network.conf new file mode 100644 index 0000000..39c38f2 --- /dev/null +++ b/bundles/arch-with-gui/files/50-network.conf @@ -0,0 +1,5 @@ +context.exec = [ + { path = "pactl" args = "load-module module-native-protocol-tcp" } + { path = "pactl" args = "load-module module-zeroconf-discover" } + { path = "pactl" args = "load-module module-zeroconf-publish" } +] diff --git a/bundles/arch-with-gui/items.py b/bundles/arch-with-gui/items.py index 67702b2..5a35931 100644 --- a/bundles/arch-with-gui/items.py +++ b/bundles/arch-with-gui/items.py @@ -66,6 +66,8 @@ git_deploy = { }, } +files['/etc/pipewire/pipewire-pulse.conf.d/50-network.conf'] = {} + for filename in listdir(join(repo.path, 'data', 'arch-with-gui', 'files', 'fonts')): if filename.startswith('.'): continue diff --git a/bundles/arch-with-gui/metadata.py b/bundles/arch-with-gui/metadata.py index d75d8e1..d7063f7 100644 --- a/bundles/arch-with-gui/metadata.py +++ b/bundles/arch-with-gui/metadata.py @@ -54,6 +54,7 @@ defaults = { 'pipewire': {}, 'pipewire-jack': {}, 'pipewire-pulse': {}, + 'pipewire-zeroconf': {}, 'qpwgraph': {}, # window management 
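Review bot: `module-native-protocol-tcp` is loaded with no `listen=` or `auth-ip-acl=` argument, so pipewire-pulse accepts the native protocol on TCP 4713 on every interface, while the firewall change earlier in this series opens only udp/5353; either the published zeroconf sink is unreachable from other hosts or the port is open through some rule not shown here. Decide which is intended: restrict the listener to the LAN, e.g. `{ path = "pactl" args = "load-module module-native-protocol-tcp listen=<LAN_ADDRESS> auth-ip-acl=<LAN_CIDR>" }` (placeholders), and add a matching `tcp dport 4713` input rule for that network, or drop the publish module. The module's default cookie authentication still applies, but a comment naming the intended peers would help the next reader.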
From d5491648f25ab23173b14b5190aef7d7014a3c44 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Wed, 3 Jan 2024 22:25:59 +0100 Subject: [PATCH 494/996] bundles/mixcloud-downloader: download zotanmew sets --- bundles/mixcloud-downloader/files/download.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/bundles/mixcloud-downloader/files/download.sh b/bundles/mixcloud-downloader/files/download.sh index 6ddce1e..eb532b3 100644 --- a/bundles/mixcloud-downloader/files/download.sh +++ b/bundles/mixcloud-downloader/files/download.sh @@ -53,7 +53,7 @@ do ) || errors=1 done -for i in tschunkelmusik +for i in tschunkelmusik zotanmew do echo "> soundcloud $i" >&2 if ! [[ -d "/storage/nas/Musik/mixcloud/$i" ]] From e9d4c85676b77dbe18dedb9c1bad12a0b5d03190 Mon Sep 17 00:00:00 2001 From: Sophie Schiller Date: Sat, 13 Jan 2024 14:12:20 +0100 Subject: [PATCH 495/996] wled-blobkette is new! --- nodes/home.wled-blobkette.toml | 9 +++++++++ 1 file changed, 9 insertions(+) create mode 100644 nodes/home.wled-blobkette.toml diff --git a/nodes/home.wled-blobkette.toml b/nodes/home.wled-blobkette.toml new file mode 100644 index 0000000..cc3b3b1 --- /dev/null +++ b/nodes/home.wled-blobkette.toml @@ -0,0 +1,9 @@ +dummy = true + +[metadata.interfaces.default] +ips = ["172.19.138.73"] +dhcp = true +mac = "7c:87:ce:b6:54:cd" + +[metadata.icinga_options] +exclude_from_monitoring = true From f917f9a2b749cffc1c5b417b202afac88b9572d1 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Mon, 8 Jan 2024 17:14:44 +0100 Subject: [PATCH 496/996] kunsi-p14s: remove voc-tracker-worker we have a vm for that --- nodes/kunsi-p14s.py | 6 ------ 1 file changed, 6 deletions(-) diff --git a/nodes/kunsi-p14s.py b/nodes/kunsi-p14s.py index d0432e0..0b39191 100644 --- a/nodes/kunsi-p14s.py +++ b/nodes/kunsi-p14s.py @@ -10,7 +10,6 @@ nodes['kunsi-p14s'] = { 'systemd-boot', 'telegraf-battery-usage', 'vmhost', - 'voc-tracker-worker', 'wireguard', 'zfs', }, 
@@ -179,11 +178,6 @@ nodes['kunsi-p14s'] = { 'delete': True, }, }, - 'voc-tracker-worker': { - 'url': 'https://tracker.c3voc.de/rpc', - 'token': vault.decrypt('encrypt$gAAAAABiYqaFl4CqOc8DTQIn49Qq0KgAJSzA19GKPNMbyHIjYg0JkvY0sK43ps8CbJWMRR6hJHVK-nP4vrWLwyoWWqt8N8aASMur4odC2s8pEHQKM0TXg4cRwobQz_lyJgrYa2VYdhcD'), - 'secret': vault.decrypt('encrypt$gAAAAABiYqaYbY-3IbnRk-S25pqxrOGN7ovgPo3kBYz8ZqKDedPRzskKZefpLHxBbCOZKjg1XNT4cKbIs5cPCLdj7HdY4beAhnXl4EHZZdxU1zVC7sJCmz9XOS_Ac0UOgOlUFMiet14U'), - }, 'wireguard': { 'peers': { 'htz-cloud.wireguard': { From 739ce09e607e748dc78bd58511c83e52489fa4fe Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sat, 13 Jan 2024 11:57:56 +0100 Subject: [PATCH 497/996] bundles/homeassistant: requires ffmpeg now atleast it's complaining about the lack of ffmpeg in its logs ... --- bundles/homeassistant/metadata.py | 1 + 1 file changed, 1 insertion(+) diff --git a/bundles/homeassistant/metadata.py b/bundles/homeassistant/metadata.py index f0a4d2e..f1c76de 100644 --- a/bundles/homeassistant/metadata.py +++ b/bundles/homeassistant/metadata.py @@ -4,6 +4,7 @@ defaults = { 'autoconf': {}, 'bluez': {}, 'build-essential': {}, + 'ffmpeg': {}, 'libffi-dev': {}, 'libjpeg-dev': {}, 'libopenjp2-7': {}, From 58d978292aa7aee8417ce7169154115b2a36d5f8 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sat, 13 Jan 2024 11:58:41 +0100 Subject: [PATCH 498/996] update element-web to 1.11.53 --- nodes/carlene.toml | 2 +- nodes/htz-cloud.afra.toml | 2 +- nodes/htz-cloud/miniserver.py | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/nodes/carlene.toml b/nodes/carlene.toml index 5d5f8ea..2007dfb 100644 --- a/nodes/carlene.toml +++ b/nodes/carlene.toml 
@@ -40,7 +40,7 @@ imap_pass = "!bwpass_attr:t-online.de/franzi.kunsmann@t-online.de:imap" [metadata.element-web] url = "chat.franzi.business" -version = "v1.11.52" +version = "v1.11.53" [metadata.element-web.config] default_server_config.'m.homeserver'.base_url = "https://matrix.franzi.business" default_server_config.'m.homeserver'.server_name = "franzi.business" diff --git a/nodes/htz-cloud.afra.toml b/nodes/htz-cloud.afra.toml index 979790c..545a041 100644 --- a/nodes/htz-cloud.afra.toml +++ b/nodes/htz-cloud.afra.toml @@ -32,7 +32,7 @@ routes.'172.19.136.0/22'.via = "172.19.137.1" [metadata.element-web] url = "element.afra.berlin" -version = "v1.11.52" +version = "v1.11.53" [metadata.element-web.config] default_server_config.'m.homeserver'.base_url = "https://matrix.afra.berlin" diff --git a/nodes/htz-cloud/miniserver.py b/nodes/htz-cloud/miniserver.py index bdba4c4..471503f 100644 --- a/nodes/htz-cloud/miniserver.py +++ b/nodes/htz-cloud/miniserver.py @@ -62,7 +62,7 @@ nodes['htz-cloud.miniserver'] = { }, 'element-web': { 'url': 'chat.sophies-kitchen.eu', - 'version': 'v1.11.52', + 'version': 'v1.11.53', 'config': { 'default_server_config': { 'm.homeserver': { From edc95ac2ab2a5d8ca7a10ea2932572afb720c1cd Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sat, 13 Jan 2024 11:59:01 +0100 Subject: [PATCH 499/996] update travelynx to 2.5.10 --- nodes/carlene.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nodes/carlene.toml b/nodes/carlene.toml index 2007dfb..3dcab6d 100644 --- a/nodes/carlene.toml +++ b/nodes/carlene.toml @@ -237,7 +237,7 @@ disks = [ ] [metadata.travelynx] -version = "2.5.9" +version = "2.5.10" mail_from = "travelynx@franzi.business" domain = "travelynx.franzi.business" # the old one from rx300, XXX remove 2024-01-01 From 17334a8e3e5debb3e0378b4cd8d28ba6e5e5a5b2 Mon Sep 17 00:00:00 2001 
From: Franziska Kunsmann Date: Sat, 13 Jan 2024 11:59:15 +0100 Subject: [PATCH 500/996] update paperless-ngx to 2.3.3 --- nodes/home/paperless.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nodes/home/paperless.py b/nodes/home/paperless.py index cc4a037..eb10a4b 100644 --- a/nodes/home/paperless.py +++ b/nodes/home/paperless.py @@ -55,7 +55,7 @@ nodes['home.paperless'] = { }, }, 'paperless': { - 'version': 'v2.2.1', + 'version': 'v2.3.3', 'timezone': 'Europe/Berlin', }, 'postgresql': { From 70127f797b7c25962b2396da9434b2f53b4b2005 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sat, 13 Jan 2024 12:23:32 +0100 Subject: [PATCH 501/996] home.kodi-wohnzimmer: set dummy/exclude_from_monitoring --- nodes/home.kodi-wohnzimmer.toml | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/nodes/home.kodi-wohnzimmer.toml b/nodes/home.kodi-wohnzimmer.toml index 8a77455..bdd1977 100644 --- a/nodes/home.kodi-wohnzimmer.toml +++ b/nodes/home.kodi-wohnzimmer.toml @@ -2,6 +2,9 @@ hostname = "172.19.138.24" bundles = ["kodi", "lm-sensors", "nfs-client", "smartd"] groups = ["debian-bullseye"] +# is powered off +dummy = true + [metadata.apt.packages.intel-media-va-driver-non-free] [metadata.apt.unattended-upgrades] @@ -10,6 +13,10 @@ hour = 2 # needs powered on display to detect HDMI audio correctly reboot_enabled = false +[metadata.icinga_options] +# is powered off +exclude_from_monitoring = true + [metadata.interfaces.eno1] ips = ["172.19.138.24/24"] gateway4 = "172.19.138.1" From ccfe2ff0b0dcd5568c58340c01ac46e3c53c8ec3 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Mon, 15 Jan 2024 21:52:48 +0100 Subject: [PATCH 502/996] home.nas: allow TV to access jellyfin without https for some reason, connecting to the hostname fails, and connecting to the ip using https leads to certificate errors --- bundles/jellyfin/metadata.py | 12 ++++++++++++ nodes/home/nas.py | 5 +++++ 2 files changed, 17 insertions(+) 
diff --git a/bundles/jellyfin/metadata.py b/bundles/jellyfin/metadata.py index 5728913..d3d6003 100644 --- a/bundles/jellyfin/metadata.py +++ b/bundles/jellyfin/metadata.py @@ -55,3 +55,15 @@ def nginx(metadata): }, }, } + +@metadata_reactor.provides( + 'firewall/port_rules', +) +def firewall(metadata): + return { + 'firewall': { + 'port_rules': { + '8096/tcp': atomic(metadata.get('jellyfin/restrict-to', {'*'})), + }, + }, + } diff --git a/nodes/home/nas.py b/nodes/home/nas.py index 7befeb9..e7121ab 100644 --- a/nodes/home/nas.py +++ b/nodes/home/nas.py @@ -95,6 +95,11 @@ nodes['home.nas'] = { }, }, }, + 'jellyfin': { + 'restrict-to': { + 'home.lgtv-wohnzimmer', + }, + }, 'mosquitto': { 'bridges': { 'c3voc': { From 44baf7cbf93ffbdaf19c953e25af68d815508971 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sat, 20 Jan 2024 10:57:56 +0100 Subject: [PATCH 503/996] update element-web to 1.11.55 --- nodes/carlene.toml | 2 +- nodes/htz-cloud.afra.toml | 2 +- nodes/htz-cloud/miniserver.py | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/nodes/carlene.toml b/nodes/carlene.toml index 3dcab6d..b99a1e3 100644 --- a/nodes/carlene.toml +++ b/nodes/carlene.toml @@ -40,7 +40,7 @@ imap_pass = "!bwpass_attr:t-online.de/franzi.kunsmann@t-online.de:imap" [metadata.element-web] url = "chat.franzi.business" -version = "v1.11.53" +version = "v1.11.55" [metadata.element-web.config] default_server_config.'m.homeserver'.base_url = "https://matrix.franzi.business" default_server_config.'m.homeserver'.server_name = "franzi.business" diff --git a/nodes/htz-cloud.afra.toml b/nodes/htz-cloud.afra.toml index 545a041..7e4b019 100644 --- a/nodes/htz-cloud.afra.toml +++ b/nodes/htz-cloud.afra.toml @@ -32,7 +32,7 @@ routes.'172.19.136.0/22'.via = "172.19.137.1" [metadata.element-web] url = "element.afra.berlin" -version = "v1.11.53" +version = "v1.11.55" [metadata.element-web.config] default_server_config.'m.homeserver'.base_url = "https://matrix.afra.berlin" 
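Review bot: The new `firewall` reactor defaults `jellyfin/restrict-to` to `{'*'}`, so every node running this bundle now gets 8096/tcp opened to everyone unless it explicitly sets a restriction, whereas the commit only wants one TV on home.nas to reach it. A restrictive default leaves other jellyfin nodes unchanged and lets nas.py opt in exactly as it already does: `'8096/tcp': atomic(metadata.get('jellyfin/restrict-to', set())),` — assuming the firewall lib emits no rule for an empty set, which is worth confirming. Since 8096 is the plain-HTTP listener, a one-line comment above the rule noting that it bypasses the nginx TLS vhost would document the trade-off the commit message describes. The new reactor is also separated from `nginx` by a single blank line where the rest of the file appears to use two.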
diff --git a/nodes/htz-cloud/miniserver.py b/nodes/htz-cloud/miniserver.py index 471503f..3a48955 100644 --- a/nodes/htz-cloud/miniserver.py +++ b/nodes/htz-cloud/miniserver.py @@ -62,7 +62,7 @@ nodes['htz-cloud.miniserver'] = { }, 'element-web': { 'url': 'chat.sophies-kitchen.eu', - 'version': 'v1.11.53', + 'version': 'v1.11.55', 'config': { 'default_server_config': { 'm.homeserver': { From 87e30e84fa6cb7662d7ecbfa13c101c66a368bf9 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sat, 20 Jan 2024 10:58:12 +0100 Subject: [PATCH 504/996] update forgejo to 1.12.4-0 --- nodes/carlene.toml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/nodes/carlene.toml b/nodes/carlene.toml index b99a1e3..c950b3f 100644 --- a/nodes/carlene.toml +++ b/nodes/carlene.toml @@ -49,8 +49,8 @@ defaultCountryCode = "DE" jitsi.preferredDomain = "meet.ffmuc.net" [metadata.forgejo] -version = "1.21.3-0" -sha1 = "4b6fd8b5cfff1e4e9b2214076e8998c290419cbb" +version = "1.21.4-0" +sha1 = "b74528e27b34f719995d8031d45063eaf9c5014b" domain = "git.franzi.business" enable_git_hooks = true install_ssh_key = true From ec183da69b4beb68af44825d37fcbd546c664312 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sat, 20 Jan 2024 10:58:32 +0100 Subject: [PATCH 505/996] update netbox to 3.7.1 --- nodes/carlene.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nodes/carlene.toml b/nodes/carlene.toml index c950b3f..94e4ce9 100644 --- a/nodes/carlene.toml +++ b/nodes/carlene.toml @@ -121,7 +121,7 @@ domain = "rss.franzi.business" [metadata.netbox] domain = "netbox.franzi.business" -version = "v3.7.0" +version = "v3.7.1" admins.kunsi = "hostmaster@kunbox.net" [metadata.nextcloud] From 28d48398229ddf158bf22cef65476bdd5d1656df Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sat, 20 Jan 2024 10:58:46 +0100 Subject: [PATCH 506/996] update paperless to 2.4.0 --- nodes/home/paperless.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/nodes/home/paperless.py b/nodes/home/paperless.py index eb10a4b..11d9a61 100644 --- a/nodes/home/paperless.py +++ b/nodes/home/paperless.py @@ -55,7 +55,7 @@ nodes['home.paperless'] = { }, }, 'paperless': { - 'version': 'v2.3.3', + 'version': 'v2.4.0', 'timezone': 'Europe/Berlin', }, 'postgresql': { From 8fa488e411a0f3ee9de3c8983112fe1206933835 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 21 Jan 2024 11:16:46 +0100 Subject: [PATCH 507/996] bundles/icinga2: only send sms for HOST alerts --- bundles/icinga2/files/scripts/icinga_notification_wrapper | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/bundles/icinga2/files/scripts/icinga_notification_wrapper b/bundles/icinga2/files/scripts/icinga_notification_wrapper index 66a9f5b..4804bab 100644 --- a/bundles/icinga2/files/scripts/icinga_notification_wrapper +++ b/bundles/icinga2/files/scripts/icinga_notification_wrapper @@ -194,6 +194,7 @@ if __name__ == '__main__': notify_per_mail() if args.sms: - notify_per_sms() + if args.service_name: + notify_per_sms() if CONFIG['ntfy']['user']: notify_per_ntfy() From fa8d05fc74d3dee43a3fe2e4349198fc8566ca0d Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 21 Jan 2024 11:17:05 +0100 Subject: [PATCH 508/996] bundles/mixcloud-downloader: add elisa --- bundles/mixcloud-downloader/files/download.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/bundles/mixcloud-downloader/files/download.sh b/bundles/mixcloud-downloader/files/download.sh index eb532b3..a30b36a 100644 --- a/bundles/mixcloud-downloader/files/download.sh +++ b/bundles/mixcloud-downloader/files/download.sh @@ -21,7 +21,7 @@ pip install --upgrade pip yt-dlp errors=0 -for i in Neosignal tasmo starkato b4m ProjectPoltergeist jakehunnter davem_dokebi +for i in Neosignal tasmo starkato b4m ProjectPoltergeist jakehunnter davem_dokebi El1s4 do echo "> mixcloud $i" >&2 if ! [[ -d "/storage/nas/Musik/mixcloud/$i" ]] 
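Review bot: The new guard `if args.service_name:` sends the SMS only when a service name is present, which is the opposite of the commit title "only send sms for HOST alerts" if `service_name` is populated for service notifications and empty for host notifications, as its name suggests; the condition then wants to be `if not args.service_name:`. Please confirm how the Icinga notification command populates that argument, and add a comment above the check such as `# SMS only for host alerts; service problems go via mail/ntfy` so the intent is visible where the decision is made. The surrounding `__main__` block starts outside the hunk.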
From 57c76e5eba85a2933c6917d8999e26e08eb4e5f6 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 21 Jan 2024 11:18:33 +0100 Subject: [PATCH 509/996] update travelynx to 2.5.11 --- nodes/carlene.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nodes/carlene.toml b/nodes/carlene.toml index 94e4ce9..f9eb6f6 100644 --- a/nodes/carlene.toml +++ b/nodes/carlene.toml @@ -237,7 +237,7 @@ disks = [ ] [metadata.travelynx] -version = "2.5.10" +version = "2.5.11" mail_from = "travelynx@franzi.business" domain = "travelynx.franzi.business" # the old one from rx300, XXX remove 2024-01-01 From ee58509e93ddc2a7097580493f04a37f3346213f Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 21 Jan 2024 11:43:43 +0100 Subject: [PATCH 510/996] bundles/postfix: add feature to block email recipients --- bundles/postfix/files/blocked_recipients | 3 +++ bundles/postfix/files/main.cf | 2 ++ bundles/postfix/items.py | 23 +++++++++++++++++++++++ 3 files changed, 28 insertions(+) create mode 100644 bundles/postfix/files/blocked_recipients diff --git a/bundles/postfix/files/blocked_recipients b/bundles/postfix/files/blocked_recipients new file mode 100644 index 0000000..736e9d4 --- /dev/null +++ b/bundles/postfix/files/blocked_recipients @@ -0,0 +1,3 @@ +% for address in sorted(blocked): +${address} REJECT +% endfor diff --git a/bundles/postfix/files/main.cf b/bundles/postfix/files/main.cf index bb647fc..cb7f95c 100644 --- a/bundles/postfix/files/main.cf +++ b/bundles/postfix/files/main.cf 
@@ -48,6 +48,8 @@ smtpd_client_restrictions = permit_mynetworks permit_sasl_authenticated smtpd_helo_required = yes smtpd_helo_restrictions = permit_mynetworks reject_invalid_helo_hostname smtpd_data_restrictions = reject_unauth_pipelining +smtpd_recipient_restrictions = permit_mynetworks, check_recipient_access hash:/etc/postfix/blocked_recipients +smtpd_relay_before_recipient_restrictions = yes # generated using mozilla ssl generator, using "old" configuration. # we need this to support CentOS 7 systems, sadly ... diff --git a/bundles/postfix/items.py b/bundles/postfix/items.py index 43f4ae9..d1bf0c2 100644 --- a/bundles/postfix/items.py +++ b/bundles/postfix/items.py @@ -39,6 +39,16 @@ files = { 'action:postfix_newaliases', }, }, + '/etc/postfix/blocked_recipients': { + 'content_type': 'mako', + 'context': { + 'blocked': node.metadata.get('postfix/blocked_recipients', set()), + }, + 'triggers': { + 'action:postfix_postmap_blocked_recipients', + 'svc_systemd:postfix:restart', + }, + }, '/etc/postfix/master.cf': { 'content_type': 'mako', 'triggers': { @@ -74,6 +84,19 @@ actions = { 'needs': { my_package, }, + 'before': { + 'svc_systemd:postfix', + }, + }, + 'postfix_postmap_blocked_recipients': { + 'command': 'postmap hash:/etc/postfix/blocked_recipients', + 'triggered': True, + 'needs': { + my_package, + }, + 'before': { + 'svc_systemd:postfix', + }, }, } From bb56f0fb9a8a944efb8a746fcbfac9b82172b225 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 21 Jan 2024 11:44:13 +0100 Subject: [PATCH 511/996] bundles/nftables: add feature to block ips --- bundles/nftables/files/nftables.conf | 7 +++++++ bundles/nftables/items.py | 2 ++ 2 files changed, 9 insertions(+) diff --git a/bundles/nftables/files/nftables.conf b/bundles/nftables/files/nftables.conf index 83bf07f..c39e8be 100644 --- a/bundles/nftables/files/nftables.conf +++ b/bundles/nftables/files/nftables.conf 
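Review bot: `permit_mynetworks` is evaluated before `check_recipient_access` in the new `smtpd_recipient_restrictions`, so any client in `mynetworks` (local relays, web applications on the box) can still deliver to a blocked recipient; if the block is meant to be unconditional, put the access check first: `smtpd_recipient_restrictions = check_recipient_access hash:/etc/postfix/blocked_recipients, permit_mynetworks`. The lookup is keyed on the full recipient address only, so a comment noting that `user@` and `@domain` forms are also valid access(5) keys would help whoever extends the list. `smtpd_relay_before_recipient_restrictions = yes` is the documented default on Postfix 3.6+ compatibility levels; a comment saying why it is set explicitly (older hosts, such as the CentOS 7 systems mentioned below) would stop it being dropped as redundant.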
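Review bot: The new `/etc/postfix/blocked_recipients` file item triggers `svc_systemd:postfix:restart`, which drops in-flight SMTP sessions every time the list changes; smtpd opens the hash table per process, so once the `postmap` action has regenerated the `.db` a reload is sufficient: `'svc_systemd:postfix:reload',`. The file also inherits the default mode; if entries on the list are considered private, give it an explicit `'mode': '0640'` with the postfix group so the rendered list is not world-readable, and confirm whether postmap copies that mode to the derived `.db`. The `postfix_postmap_blocked_recipients` action mirrors the existing aliases action, which reads consistently.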
@@ -14,6 +14,13 @@ table inet filter { iif lo accept +% for address in sorted(blocked_v4): + ip saddr ${address} drop +% endfor +% for address in sorted(blocked_v6): + ip6 saddr ${address} drop +% endfor + icmp type timestamp-request drop icmp type timestamp-reply drop ip protocol icmp accept diff --git a/bundles/nftables/items.py b/bundles/nftables/items.py index 96eebcf..9bbe11f 100644 --- a/bundles/nftables/items.py +++ b/bundles/nftables/items.py @@ -17,6 +17,8 @@ files = { '/etc/nftables.conf': { 'content_type': 'mako', 'context': { + 'blocked_v4': node.metadata.get('nftables/blocked_v4', set()), + 'blocked_v6': node.metadata.get('nftables/blocked_v6', set()), 'forward': node.metadata.get('nftables/forward', {}), 'input': node.metadata.get('nftables/input', {}), 'postrouting': node.metadata.get('nftables/postrouting', {}), From 5ffbe50b1e1c246db8b5d81a1a81dc9a5f101d64 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Tue, 23 Jan 2024 09:30:13 +0100 Subject: [PATCH 512/996] add bundle:telegraf_airgradient --- .../files/airgradient_telegraf | 54 +++++++++++++++++++ bundles/telegraf_airgradient/items.py | 3 ++ bundles/telegraf_airgradient/metadata.py | 19 +++++++ nodes/htz-cloud/influxdb.py | 4 ++ 4 files changed, 80 insertions(+) create mode 100644 bundles/telegraf_airgradient/files/airgradient_telegraf create mode 100644 bundles/telegraf_airgradient/items.py create mode 100644 bundles/telegraf_airgradient/metadata.py diff --git a/bundles/telegraf_airgradient/files/airgradient_telegraf b/bundles/telegraf_airgradient/files/airgradient_telegraf new file mode 100644 index 0000000..3ada3e8 --- /dev/null +++ b/bundles/telegraf_airgradient/files/airgradient_telegraf 
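Review bot: The blocklist is rendered as one `ip saddr … drop` rule per address in the `input` chain, which grows linearly with the list and rewrites the chain on every change; an nftables named set gives a single rule with constant-time lookup. The template could emit `set blocked_v4 { type ipv4_addr; flags interval; elements = { … } }` at table scope (outside this hunk) and a single `ip saddr @blocked_v4 drop` here, mirrored for `ip6 saddr @blocked_v6`, with `flags interval` covering the CIDR entries the list already uses. The drop applies to `input` only; on nodes that forward traffic (home.router appears to be one), the same sources can still be routed through unless a matching rule is added to the forward chain — a comment stating that this is deliberate, or the extra rule, would settle it.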
@@ -0,0 +1,54 @@ +#!/usr/bin/python3 + +from logging import basicConfig, getLogger +from sys import argv + +from requests import get + +basicConfig(level="INFO") +L = getLogger(__name__) + + +def out(keys, values): + print( + "airgradient,{} {}".format( + ",".join([f"{k}={v}" for k, v in keys.items()]), + ",".join([f"{k}={v}" for k, v in values.items()]), + ), + flush=True, + ) + + +try: + r = get( + f"https://api.airgradient.com/public/api/v1/locations/measures/current?token={argv[2]}" + ) + L.debug(r.status_code) + L.info(r.text) + r.raise_for_status() + for location in r.json(): + L.debug(location) + out( + { + "place": argv[1], + "location": location["locationName"], + }, + { + k: location[k] + for k in ( + "atmp", + "noxIndex", + "pm003Count", + "pm01", + "pm02", + "pm10", + "rco2", + "rhum", + "tvoc", + "tvocIndex", + "wifi", + ) + }, + ) +except Exception: + L.exception("fail!") diff --git a/bundles/telegraf_airgradient/items.py b/bundles/telegraf_airgradient/items.py new file mode 100644 index 0000000..702d22f --- /dev/null +++ b/bundles/telegraf_airgradient/items.py @@ -0,0 +1,3 @@ +files['/usr/local/bin/airgradient_telegraf'] = { + 'mode': '0755', +} diff --git a/bundles/telegraf_airgradient/metadata.py b/bundles/telegraf_airgradient/metadata.py new file mode 100644 index 0000000..f64fb28 --- /dev/null +++ b/bundles/telegraf_airgradient/metadata.py @@ -0,0 +1,19 @@ +@metadata_reactor.provides( + 'telegraf/input_plugins/exec', +) +def telegraf(metadata): + result = {} + for location, api_key in metadata.get('telegraf_airgradient', {}).items(): + result[f'airgradient_{location}'] = { + 'commands': [f'/usr/local/bin/airgradient_telegraf {location} {api_key}'], + 'data_format': 'influx', + 'timeout': '10s', + } + + return { + 'telegraf': { + 'input_plugins': { + 'exec': result, + }, + }, + } diff --git a/nodes/htz-cloud/influxdb.py b/nodes/htz-cloud/influxdb.py index 59f729e..b609857 100644 --- a/nodes/htz-cloud/influxdb.py +++ b/nodes/htz-cloud/influxdb.py 
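Review bot: `get(...)` has no `timeout=`, so a stalled connection hangs until telegraf kills the exec plugin and the `except` block never gets to log why; `get(url, timeout=5)` (below the plugin's `10s`) fails fast and is logged. The API token is taken from `argv[2]` and interpolated into the URL, so it is visible to every local user in the process list for the script's lifetime and lands in any request log along the path; reading it from the environment (telegraf's exec input can set one, depending on the installed version) or a root-only file would keep it out of argv — the same applies to the `commands` line in bundles/telegraf_airgradient/metadata.py. `L.info(r.text)` writes the whole response body to telegraf's log on every poll; `L.debug` is the appropriate level once the integration is trusted. `except Exception` also swallows the failure and exits 0, so telegraf sees a silent data gap rather than an error; `raise SystemExit(1)` after `L.exception(...)` makes it visible.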
@@ -3,6 +3,7 @@ nodes['htz-cloud.influxdb'] = { 'bundles': { 'grafana', 'influxdb2', + 'telegraf_airgradient', 'telegraf-monitors-mikrotik', 'zfs', }, @@ -66,6 +67,9 @@ nodes['htz-cloud.influxdb'] = { }, }, }, + 'telegraf_airgradient': { + 'Home': vault.decrypt('encrypt$gAAAAABlr3KvHLSHLFwVr5hvJ1j676Flm5fVLumqpBcffjYWXjPjSovDXCyEcVqhxfsX-GNut2dXsenFQoFShaAugLV_zVQYaLnNQipbZqI0cXfsMht1iZPyOxlSzy3YoZ3voSaeiLll'), + }, 'telegraf': { 'input_plugins': { 'builtin': { From 980f4cb41aa406734a722ab5e2d5564c24e4bdd8 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Tue, 23 Jan 2024 09:30:41 +0100 Subject: [PATCH 513/996] bundles/nftables: add "globally blocked ips" --- bundles/nftables/metadata.py | 4 ++++ libs/firewall.py | 5 +++++ 2 files changed, 9 insertions(+) diff --git a/bundles/nftables/metadata.py b/bundles/nftables/metadata.py index 0d7819a..8212d3c 100644 --- a/bundles/nftables/metadata.py +++ b/bundles/nftables/metadata.py @@ -6,6 +6,10 @@ defaults = { 'nftables': {}, }, }, + 'nftables': { + 'blocked_v4': repo.libs.firewall.global_ip4_blocklist, + 'blocked_v6': repo.libs.firewall.global_ip6_blocklist, + }, 'pacman': { 'packages': { 'nftables': {}, diff --git a/libs/firewall.py b/libs/firewall.py index b343824..7a2fa32 100644 --- a/libs/firewall.py +++ b/libs/firewall.py @@ -44,3 +44,8 @@ named_networks = { }, }, } + +global_ip4_blocklist = { + "141.98.11.0/24", # 2024-01-21, smtp login bruteforce +} +global_ip6_blocklist = set() From e3b63a99c2af875d6058cb2f977501c4cbda4792 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Tue, 23 Jan 2024 09:31:02 +0100 Subject: [PATCH 514/996] carlene: add some mail addresses to blocked --- nodes/carlene.toml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/nodes/carlene.toml b/nodes/carlene.toml index f9eb6f6..70f1750 100644 --- a/nodes/carlene.toml +++ b/nodes/carlene.toml 
@@ -184,6 +184,10 @@ packages = [ [metadata.postfix] message_size_limit_mb = 100 myhostname = "mail.franzi.business" +blocked_recipients = [ + "!decrypt:encrypt$gAAAAABlrPHMqx7o9pscfSx4Elayrzwun9jcTYOM4XrcAoUWaHJ9vP_7P5G7V3nwdB8pWfObNew-2IOihn5EPS-0ej2gn9rI4iDnMG_6S2IBCDYMqZMn1W0=", # deadname + "tectu@kunsmann.eu", +] [metadata.postfixadmin] domain = "postfixadmin.franzi.business" From a3cc5a9347486476fc743f22eae028cbd5f4aecb Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Tue, 30 Jan 2024 21:01:20 +0100 Subject: [PATCH 515/996] bundles/kea-dhcp-server: add kea-lease-list script --- bundles/kea-dhcp-server/files/kea-lease-list | 37 ++++++++++++++++++++ bundles/kea-dhcp-server/items.py | 4 +++ 2 files changed, 41 insertions(+) create mode 100644 bundles/kea-dhcp-server/files/kea-lease-list diff --git a/bundles/kea-dhcp-server/files/kea-lease-list b/bundles/kea-dhcp-server/files/kea-lease-list new file mode 100644 index 0000000..7919b0c --- /dev/null +++ b/bundles/kea-dhcp-server/files/kea-lease-list 
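Review bot: The first `blocked_recipients` entry is encrypted in the repository, but it is decrypted at apply time and rendered verbatim into `/etc/postfix/blocked_recipients` and the derived `.db`; unless that file item sets a restrictive mode (it does not appear to), the value is readable by every local account on the host. If the address is being kept private, give the file item in bundles/postfix/items.py an explicit `mode` so the encryption in the repo is not undone on the target.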
@@ -0,0 +1,37 @@ +#!/usr/bin/env python3 + +from csv import DictReader +from datetime import datetime, timezone +from os import scandir +from os.path import join + + +def parse(): + NOW = datetime.now() + active_leases = {} + for file in scandir("/var/lib/kea/"): + with open(file.path) as f: + for row in DictReader(f): + expires = datetime.fromtimestamp(int(row["expire"])) + + if expires >= NOW: + if ( + row["address"] not in active_leases + or active_leases[row["address"]]["expires_dt"] < expires + ): + row["expires_dt"] = expires + active_leases[row["address"]] = row + return active_leases.values() + + +def print_table(leases): + print(""" address | MAC | expires | hostname +-----------------+-------------------+---------+----------""") + for lease in sorted(leases, key=lambda r: r["address"]): + print( + f' {lease["address"]:<15} | {lease["hwaddr"].lower()} | {lease["expires_dt"]:%H:%M} | {lease["hostname"]}' + ) + + +if __name__ == "__main__": + print_table(parse()) diff --git a/bundles/kea-dhcp-server/items.py b/bundles/kea-dhcp-server/items.py index 9171d0b..c6219cf 100644 --- a/bundles/kea-dhcp-server/items.py +++ b/bundles/kea-dhcp-server/items.py @@ -44,6 +44,10 @@ files['/etc/kea/kea-dhcp4.conf'] = { }, } +files['/usr/local/bin/kea-lease-list'] = { + 'mode': '0500', +} + svc_systemd['kea-dhcp4-server'] = { 'needs': { 'file:/etc/kea/kea-dhcp4.conf', From 643151c052ff6ed7b0cc11c82956ddea58587568 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Tue, 30 Jan 2024 21:02:23 +0100 Subject: [PATCH 516/996] add home.wled-raketenlaemp --- nodes/home.wled-raketenlaemp.toml | 9 +++++++++ 1 file changed, 9 insertions(+) create mode 100644 nodes/home.wled-raketenlaemp.toml diff --git a/nodes/home.wled-raketenlaemp.toml b/nodes/home.wled-raketenlaemp.toml new file mode 100644 index 0000000..a151839 --- /dev/null +++ b/nodes/home.wled-raketenlaemp.toml 
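Review bot: `parse()` opens every entry of `/var/lib/kea/` and indexes `row["expire"]`, so any non-lease file in that directory (a lock file, a subdirectory, a DHCPv6 lease file with a different schema) raises instead of being skipped; filter by the memfile naming convention, e.g. `if not file.is_file() or not file.name.startswith("kea-leases4.csv"): continue`, checking the name against the `lease-database` setting in the kea-dhcp4.conf this bundle renders. Kea's CSV also carries a `state` column (declined and expired-reclaimed leases keep a future `expire`), so the active filter may want `and row.get("state", "0") == "0"` — please confirm against the lease file version in use. `timezone` and `join` are imported but unused, and `NOW` is a local named like a constant; `now` and dropping the two imports would match the rest of the script.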
@@ -0,0 +1,9 @@ +dummy = true + +[metadata.interfaces.default] +ips = ["172.19.138.74"] +dhcp = true +mac = "84:fc:e6:11:34:74" + +[metadata.icinga_options] +exclude_from_monitoring = true From c02a1f2a906c86fdf0b3b91b7f26847140ba2f96 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sat, 3 Feb 2024 19:12:53 +0100 Subject: [PATCH 517/996] clean up some users --- nodes/home/nas.py | 14 ++------------ nodes/home/paperless-sophie.py | 7 +++++++ nodes/home/router.py | 10 ++++++---- nodes/htz-cloud/miniserver.py | 3 +++ users.json | 3 +-- 5 files changed, 19 insertions(+), 18 deletions(-) diff --git a/nodes/home/nas.py b/nodes/home/nas.py index e7121ab..c065912 100644 --- a/nodes/home/nas.py +++ b/nodes/home/nas.py @@ -205,15 +205,11 @@ nodes['home.nas'] = { }, 'users': { 'f2k1de': { - 'ssh_pubkey': { - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGrvhqC/tZzpLMs/qy+1xNSVi2mfn8LXPIEhh7dcGn9e', - 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDH5+j2vDW1FHSSEEI/Sf5qiKJq1uoxGO5BPv84mqohvol7GxDFObv69tn7g6HYfZY/SaS75C4ZXy+cKa0xy8UCpF0SBa2xHASkenS9v55oweDL4rYSPARzn2XKt3RFJG/d8V5NOWtcyq5DFSzewUF35E4hx1pUc/CIxgJEem5ZvzvN0hlIKXUN2djkVUx+mz6RryBysLTJEFBamjJxIkvDG/PZU73W4SHaKAYV4Ojz2NY7T5/NYKePfIU5F9pkE3RU0LRj58usvA1eP0PvEArWlGNCd8EJU+HQ5xr2dZ6MKPpEyG0KJkC88DuapeF5RwUV53ZhNpF+QgzpI72fH5up', - }, + 'delete': True, }, 'inbox': { 'ssh_pubkey': { #'command="/usr/share/rsync/scripts/rrsync -wo /storage/inbox/",no-agent-forwarding,no-port-forwarding,no-pty,no-user-rc,no-X11-forwarding ', - 'command="/usr/share/rsync/scripts/rrsync -wo /storage/inbox/",no-agent-forwarding,no-port-forwarding,no-pty,no-user-rc,no-X11-forwarding ssh-rsa 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', }, }, 'kunsi': { 
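Review bot: After the key removal, the `inbox` user's `ssh_pubkey` literal contains only a commented-out line, so it evaluates to `{}` — an empty dict rather than the set used by the other entries — and the account stays on the box with no keys and no way to use the rrsync inbox. If the inbox account is retired, `'delete': True` as done for `f2k1de` states that intent; if it is meant to stay, drop the leftover comment and write `'ssh_pubkey': set(),` so the type matches its siblings. The `nodes['home.nas']` dict starts outside the hunk.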
@@ -227,13 +223,7 @@ nodes['home.nas'] = { }, }, 'qcn': { - 'ssh_pubkey': { - #'command="/usr/share/rsync/scripts/rrsync -ro /storage/nas/movies/",no-agent-forwarding,no-port-forwarding,no-pty,no-user-rc,no-X11-forwarding ', - 'command="/usr/share/rsync/scripts/rrsync -ro /storage/nas/movies/",no-agent-forwarding,no-port-forwarding,no-pty,no-user-rc,no-X11-forwarding ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILAwUA5t2cSy9YD+ilu5nklvokSRAoNOq/gUV73/KTsv lexi@aranea', - 'command="/usr/share/rsync/scripts/rrsync -ro /storage/nas/movies/",no-agent-forwarding,no-port-forwarding,no-pty,no-user-rc,no-X11-forwarding ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC7cCmJ1+btuwpbGrGAuiK8R/hTMCK7CFK0aK2vPcSy+ lexi@kanaya', - 'command="/usr/share/rsync/scripts/rrsync -ro /storage/nas/movies/",no-agent-forwarding,no-port-forwarding,no-pty,no-user-rc,no-X11-forwarding ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILLx+8d429D1KjaqOaGRFK09j6j3/FuU4xQMsrNLdflg lexi@toriel', - 'command="/usr/share/rsync/scripts/rrsync -ro /storage/nas/Serien_Englisch/",no-agent-forwarding,no-port-forwarding,no-pty,no-user-rc,no-X11-forwarding ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPGPse+vv3+kHBYt6bdab/4AbP1hU34/3qH9SBuC8LCJ jenny@normandy', - }, + 'delete': True, }, }, 'zfs': { diff --git a/nodes/home/paperless-sophie.py b/nodes/home/paperless-sophie.py index 929bd24..9b972d9 100644 --- a/nodes/home/paperless-sophie.py +++ b/nodes/home/paperless-sophie.py @@ -71,6 +71,13 @@ nodes['home.paperless-sophie'] = { 'postgresql': { 'version': '11', }, + 'users': { + 'sophie': { + 'sudo_commands': { + 'ALL', + }, + }, + }, 'vm': { 'cpu': 2, 'ram': 2, diff --git a/nodes/home/router.py b/nodes/home/router.py index aa23ccb..26e8f45 100644 --- a/nodes/home/router.py +++ b/nodes/home/router.py 
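Review bot: The new `'users': {'sophie': {'sudo_commands': {'ALL'}}}` block grants unrestricted root on this node, and the same commit repeats the identical grant in `nodes/home/router.py` and `nodes/htz-cloud/miniserver.py` (commit 530 adds it again in `nodes/htz-hel/backup-sophie.py`) while removing `"is_admin": true` from `users.json`. Spreading a full-root grant across per-node files is harder to audit than the single flag it replaces; a short comment at each site (`# full sudo replaces the former users.json is_admin flag`) or a shared group/metadata default would keep the intent visible. Whether `ALL` here requires a password depends on the users bundle's sudoers template, which is outside this diff.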
@@ -135,16 +135,18 @@ nodes['home.router'] = { }, 'users': { 'f2k1de': { - 'ssh_pubkey': { - 'command="/bin/false",no-pty ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGrvhqC/tZzpLMs/qy+1xNSVi2mfn8LXPIEhh7dcGn9e', - 'command="/bin/false",no-pty ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDH5+j2vDW1FHSSEEI/Sf5qiKJq1uoxGO5BPv84mqohvol7GxDFObv69tn7g6HYfZY/SaS75C4ZXy+cKa0xy8UCpF0SBa2xHASkenS9v55oweDL4rYSPARzn2XKt3RFJG/d8V5NOWtcyq5DFSzewUF35E4hx1pUc/CIxgJEem5ZvzvN0hlIKXUN2djkVUx+mz6RryBysLTJEFBamjJxIkvDG/PZU73W4SHaKAYV4Ojz2NY7T5/NYKePfIU5F9pkE3RU0LRj58usvA1eP0PvEArWlGNCd8EJU+HQ5xr2dZ6MKPpEyG0KJkC88DuapeF5RwUV53ZhNpF+QgzpI72fH5up', - }, + 'delete': True, }, 'fkunsmann': { 'sudo_commands': { 'ALL', }, }, + 'sophie': { + 'sudo_commands': { + 'ALL', + }, + }, }, 'vnstat': { 'interface': 'enp1s0.7', diff --git a/nodes/htz-cloud/miniserver.py b/nodes/htz-cloud/miniserver.py index 3a48955..b7c79a0 100644 --- a/nodes/htz-cloud/miniserver.py +++ b/nodes/htz-cloud/miniserver.py @@ -234,6 +234,9 @@ nodes['htz-cloud.miniserver'] = { 'ssh_pubkey': [ "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDILcYrMQNRVXAm5L+7No1ZumqfCyRc1QZmTY3O7Q8hsE4+fCAvwsWm2aSMfLL3NnIl8Nm1Rixzic5jdYKYNIY3SlX1wvTB+MhGb2eyVSd7c/Y98aCLSlDkQ2sebjpdA1FoJOeGD3qxqDwj0+KckXU2ZaSSQY7CxVsjH65UxCHqVAg+6uLdNbj7j850s1B9NXVXef+sBQ5jUngXxnqQWwNh2Mn8auwumkeEG4SYf96wyFkLvmBitOng/GyLWl9YPnXXHHDnatcVipy7y34qw4CQ4P84anecbA+Bqr9IcxBW6qYmYgRKEnAcmEfjQd+BI1gCLB1BBEmb/qp+mVLd4tOh sophie@carbon" ], + 'sudo_commands': { + 'ALL', + }, }, }, 'zfs': { diff --git a/users.json b/users.json index 7499acf..5d5b066 100644 --- a/users.json +++ b/users.json 
@@ -20,7 +20,6 @@ "sophie": { "ssh_pubkey": [ "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDU7XmpX4w+rGQDi+dF6M0q65K2iHVgD1wHBoHREjyqCzmPGZgrnLIv6EN9WWJXjCgRdLEUXgPn7PNJnAgBs3U8G8MsF55yrPNUIsEeg6v+Y6zibEujMrwmeDSk0XAn8iSZcy+4cnqykIMk9Hd5WXW7ZhSHGs4MftWn3Z/q15qPHl/w9OyaKDJAjk8yEsD1sZoAQMhomKliKjJ5a6jNyf7otS3HdbZx4KXABJNuWn/IvmwkcaIU8ljyuPkPkiMn5JWhcUK2kE81Y4a5zJxxusSXSF6Ip7W2Rhv+4gnScTjhTPsG70HlSF/LAB2ytKo0F0N/ZB2hJk+Jq6cAwNBzuST7 sophie@ejgwmobile" - ], - "is_admin": true + ] } } From dcb9db363913516f5fc8816a1abadee80c94334a Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sat, 3 Feb 2024 20:51:45 +0100 Subject: [PATCH 518/996] bundles/users: source users bashrc after loading global bashrc instead of overwriting it --- bundles/users/files/bashrc | 5 +++++ bundles/users/items.py | 13 ++++++++----- 2 files changed, 13 insertions(+), 5 deletions(-) diff --git a/bundles/users/files/bashrc b/bundles/users/files/bashrc index 6bcdcd2..02a9c02 100644 --- a/bundles/users/files/bashrc +++ b/bundles/users/files/bashrc @@ -64,3 +64,8 @@ ${k}() { ${v} } % endfor + +if [[ -f "/etc/bashrc_bundlewrap/$(logname)" ]] +then + source "/etc/bashrc_bundlewrap/$(logname)" +fi diff --git a/bundles/users/items.py b/bundles/users/items.py index d6df3cd..79590dc 100644 --- a/bundles/users/items.py +++ b/bundles/users/items.py @@ -1,5 +1,9 @@ from os.path import exists, join +directories['/etc/bashrc_bundlewrap'] = { + 'purge': True, +} + files = { '/etc/bash.bashrc': { 'source': 'bashrc', @@ -64,14 +68,13 @@ for username, attrs in node.metadata['users'].items(): } if exists(join(repo.path, 'data', 'users', 'files', 'bash', '{}.bashrc'.format(username))): - files[home + '/.bashrc'] = { + files[f'/etc/bashrc_bundlewrap/{username}'] = { 'content_type': 'mako', 'source': 'bash/{}.bashrc'.format(username), } - else: - files[home + '/.bashrc'] = { - 'delete': True, - } + files[f"{home}/.bashrc"] = { + 'delete': True, + } if attrs.get('enable_linger', False): linger_test = '' 
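Review bot: `$(logname)` in the new `if [[ -f "/etc/bashrc_bundlewrap/$(logname)" ]]` block names the owner of the login session, not the user the shell runs as — after `sudo -i` or `su -` it still returns the original login, so the target user would source the calling user's file, and in sessions without a controlling terminal `logname` fails and prints `logname: no login name` to stderr. Using the effective user, e.g. `bw_user="${USER:-$(id -un)}"` and `"/etc/bashrc_bundlewrap/${bw_user}"`, matches the per-username file the bundle installs. Since `/etc/bashrc_bundlewrap` is purged and populated only from the repo, the path is not user-controlled, so this is a correctness issue rather than an injection one.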
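Review bot: The new `files[f'/etc/bashrc_bundlewrap/{username}']` item sets no `owner`, `group` or `mode`, so each user's rendered bashrc lands in `/etc` with the default (world-readable) mode, whereas the `~/.bashrc` it replaces lived in the user's home; because `content_type` is `mako`, a per-user template that ever pulls in `repo.vault` values would expose them to every local account. Adding `'owner': username,` and `'mode': '0640',` to the item keeps the per-user scope (the directory itself is created with defaults in the first hunk of this file). The adjacent lines also mix `'bash/{}.bashrc'.format(username)` with the new f-string; `f'bash/{username}.bashrc'` would be consistent. The enclosing `for username, attrs in node.metadata['users'].items():` loop starts outside the hunk.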
From 8df380357e6a78cbb598a0666f687282f4e7a49c Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 4 Feb 2024 17:26:13 +0100 Subject: [PATCH 519/996] update travelynx to 2.5.15 --- nodes/carlene.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nodes/carlene.toml b/nodes/carlene.toml index 70f1750..30882ba 100644 --- a/nodes/carlene.toml +++ b/nodes/carlene.toml @@ -241,7 +241,7 @@ disks = [ ] [metadata.travelynx] -version = "2.5.11" +version = "2.5.15" mail_from = "travelynx@franzi.business" domain = "travelynx.franzi.business" # the old one from rx300, XXX remove 2024-01-01 From 80ca8b7e50934dfe3565836f621b22dd3eb470f5 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 4 Feb 2024 17:26:33 +0100 Subject: [PATCH 520/996] update element-web to 1.11.57 --- nodes/carlene.toml | 2 +- nodes/htz-cloud.afra.toml | 2 +- nodes/htz-cloud/miniserver.py | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/nodes/carlene.toml b/nodes/carlene.toml index 30882ba..243708a 100644 --- a/nodes/carlene.toml +++ b/nodes/carlene.toml @@ -40,7 +40,7 @@ imap_pass = "!bwpass_attr:t-online.de/franzi.kunsmann@t-online.de:imap" [metadata.element-web] url = "chat.franzi.business" -version = "v1.11.55" +version = "v1.11.57" [metadata.element-web.config] default_server_config.'m.homeserver'.base_url = "https://matrix.franzi.business" default_server_config.'m.homeserver'.server_name = "franzi.business" diff --git a/nodes/htz-cloud.afra.toml b/nodes/htz-cloud.afra.toml index 7e4b019..44a8d09 100644 --- a/nodes/htz-cloud.afra.toml +++ b/nodes/htz-cloud.afra.toml @@ -32,7 +32,7 @@ routes.'172.19.136.0/22'.via = "172.19.137.1" [metadata.element-web] url = "element.afra.berlin" -version = "v1.11.55" +version = "v1.11.57" [metadata.element-web.config] default_server_config.'m.homeserver'.base_url = "https://matrix.afra.berlin" diff --git a/nodes/htz-cloud/miniserver.py b/nodes/htz-cloud/miniserver.py index b7c79a0..940d307 100644 
--- a/nodes/htz-cloud/miniserver.py +++ b/nodes/htz-cloud/miniserver.py @@ -62,7 +62,7 @@ nodes['htz-cloud.miniserver'] = { }, 'element-web': { 'url': 'chat.sophies-kitchen.eu', - 'version': 'v1.11.55', + 'version': 'v1.11.57', 'config': { 'default_server_config': { 'm.homeserver': { From 512454a94929e2043ecc5b293934393345c23e77 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 4 Feb 2024 17:26:52 +0100 Subject: [PATCH 521/996] update paperless-ngx to 2.4.3 --- nodes/home/paperless.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nodes/home/paperless.py b/nodes/home/paperless.py index 11d9a61..e194f94 100644 --- a/nodes/home/paperless.py +++ b/nodes/home/paperless.py @@ -55,7 +55,7 @@ nodes['home.paperless'] = { }, }, 'paperless': { - 'version': 'v2.4.0', + 'version': 'v2.4.3', 'timezone': 'Europe/Berlin', }, 'postgresql': { From e2ed5131692f442a58cfd2e1ad2a0b6406945a97 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 4 Feb 2024 17:27:05 +0100 Subject: [PATCH 522/996] update powerdnsadmin to 0.4.2 --- nodes/ns-mephisto.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nodes/ns-mephisto.toml b/nodes/ns-mephisto.toml index 48ffd17..88f253e 100644 --- a/nodes/ns-mephisto.toml +++ b/nodes/ns-mephisto.toml @@ -29,7 +29,7 @@ secondary_nameservers = "dns" features.bind = true [metadata.powerdnsadmin] -version = "v0.4.1" +version = "v0.4.2" [metadata.vm] cpu = 2 From c934bc45aa5098a246a866d4cee6291d20003145 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 4 Feb 2024 17:40:06 +0100 Subject: [PATCH 523/996] update forgejo to 1.21.5-0 --- nodes/carlene.toml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/nodes/carlene.toml b/nodes/carlene.toml index 243708a..60010bb 100644 --- a/nodes/carlene.toml +++ b/nodes/carlene.toml 
@@ -49,8 +49,8 @@ defaultCountryCode = "DE" jitsi.preferredDomain = "meet.ffmuc.net" [metadata.forgejo] -version = "1.21.4-0" -sha1 = "b74528e27b34f719995d8031d45063eaf9c5014b" +version = "1.21.5-0" +sha1 = "ba8721981cbe1e5b144674348da8c168caea4ceb" domain = "git.franzi.business" enable_git_hooks = true install_ssh_key = true From 2ca460269ef80227450f0a8f709b02a3b9ee217f Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Fri, 9 Feb 2024 21:02:02 +0100 Subject: [PATCH 524/996] update netbox to 3.7.2 --- nodes/carlene.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nodes/carlene.toml b/nodes/carlene.toml index 60010bb..a0ae85f 100644 --- a/nodes/carlene.toml +++ b/nodes/carlene.toml @@ -121,7 +121,7 @@ domain = "rss.franzi.business" [metadata.netbox] domain = "netbox.franzi.business" -version = "v3.7.1" +version = "v3.7.2" admins.kunsi = "hostmaster@kunbox.net" [metadata.nextcloud] From 8f2878157265cb9bf169bc8663e847b2e9cb6968 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Fri, 9 Feb 2024 21:02:38 +0100 Subject: [PATCH 525/996] update travelynx to 2.5.16 --- nodes/carlene.toml | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/nodes/carlene.toml b/nodes/carlene.toml index a0ae85f..b2cb66f 100644 --- a/nodes/carlene.toml +++ b/nodes/carlene.toml @@ -241,11 +241,9 @@ disks = [ ] [metadata.travelynx] -version = "2.5.15" +version = "2.5.16" mail_from = "travelynx@franzi.business" domain = "travelynx.franzi.business" -# the old one from rx300, XXX remove 2024-01-01 -additional_cookie_secrets = ["!decrypt:encrypt$gAAAAABkyVq1Eena0FVcAW1V456-QrEtKL_fU7RSGr9mZTSBG28bk5bHJdqkvxrr4rOXNCnreJY7AsJSw-h7yrbzTNa9CUzOtt_a0caQIi7Qnen5k_TI_hTa08jViYLu3WrRxLPknpU_"] [metadata.users.skye] ssh_pubkey = [ From fa375d0d6912a898e1cf5ce6bfd9a54d5935d9c3 Mon Sep 17 00:00:00 2001 
From: Franziska Kunsmann Date: Tue, 13 Feb 2024 13:47:55 +0100 Subject: [PATCH 526/996] carlene: keep git.kunsmann.eu alias around --- nodes/carlene.toml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/nodes/carlene.toml b/nodes/carlene.toml index b2cb66f..b5e8825 100644 --- a/nodes/carlene.toml +++ b/nodes/carlene.toml @@ -131,6 +131,9 @@ domain = "warnochwas.de" contact = "mailto:security@kunsmann.eu" Encryption = "https://franzi.business/gpg_hi-kunsmann.eu.asc" +[metadata.nginx.vhosts.forgejo] +domain_aliases = ["git.kunsmann.eu"] + [metadata.nginx.vhosts.'franzi.business'] domain = "franzi.business" From 050931edf214c057f0f4de690e6fa5a29261ac5b Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Tue, 13 Feb 2024 13:57:53 +0100 Subject: [PATCH 527/996] bundles/nginx: redirect domain_aliases to primary domain --- bundles/nginx/files/site_template | 51 ++++++++++++++++++++++++++----- 1 file changed, 43 insertions(+), 8 deletions(-) diff --git a/bundles/nginx/files/site_template b/bundles/nginx/files/site_template index 51dd27e..0a70a56 100644 --- a/bundles/nginx/files/site_template +++ b/bundles/nginx/files/site_template @@ -12,22 +12,20 @@ server { % if ssl: location / { - return 308 https://$host$request_uri; + return 301 https://${domain}$request_uri; } -% if ssl == 'letsencrypt': +% if ssl == 'letsencrypt': location /.well-known/acme-challenge/ { alias /var/lib/dehydrated/acme-challenges/; } -% endif +% endif } +% if domain_aliases: server { -% if domain_aliases: - server_name ${domain} ${' '.join(sorted(domain_aliases))}; -% else: - server_name ${domain}; -% endif + server_name ${' '.join(sorted(domain_aliases))}; + root ${webroot if webroot else '/var/www/{}/'.format(vhost)}; index ${' '.join(index)}; 
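Review bot: `return 308 https://$host$request_uri;` becoming `return 301 https://${domain}$request_uri;` is two changes in one: pointing aliases at the canonical domain (the commit's stated intent) and downgrading 308 to 301, which lets clients replay a POST as a GET and is cached more aggressively by browsers; `return 308 https://${domain}$request_uri;` keeps the original method semantics unless the downgrade is deliberate. The `% if ssl == 'letsencrypt':` ACME location still wins over the catch-all because nginx selects the longest matching prefix, so its position after `location /` is fine. The alias `server {` block opened at the end of this hunk continues into the next one.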
@@ -48,6 +46,43 @@ server { ssl_session_cache shared:SSL:10m; ssl_session_tickets off; + add_header Strict-Transport-Security "max-age=63072000; includeSubDomains"; + +% if ssl == 'letsencrypt': + location /.well-known/acme-challenge/ { + alias /var/lib/dehydrated/acme-challenges/; + } +% endif + + location / { + return 301 https://${domain}$request_uri; + } +} + +% endif +server { + server_name ${domain}; + + root ${webroot if webroot else '/var/www/{}/'.format(vhost)}; + index ${' '.join(index)}; + + listen 443 ssl http2; + listen [::]:443 ssl http2; + +% if ssl == 'letsencrypt': + ssl_certificate /var/lib/dehydrated/certs/${domain}/fullchain.pem; + ssl_certificate_key /var/lib/dehydrated/certs/${domain}/privkey.pem; +% else: + ssl_certificate /etc/nginx/ssl/${vhost}.crt; + ssl_certificate_key /etc/nginx/ssl/${vhost}.key; +% endif + ssl_dhparam /etc/ssl/certs/dhparam.pem; + ssl_protocols TLSv1.2 TLSv1.3; + ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; + ssl_prefer_server_ciphers on; + ssl_session_cache shared:SSL:10m; + ssl_session_tickets off; + add_header Strict-Transport-Security "max-age=63072000; includeSubDomains"; % endif From 698f203936f1d7313603cb5263a92cce77f12e7e Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Tue, 13 Feb 2024 14:01:40 +0100 Subject: [PATCH 528/996] bundles/nginx: add option to not redirect domain aliases --- bundles/nginx/files/site_template | 6 +++++- bundles/nginx/metadata.py | 1 + nodes/carlene.toml | 1 + 3 files changed, 7 insertions(+), 1 deletion(-) diff --git a/bundles/nginx/files/site_template b/bundles/nginx/files/site_template index 0a70a56..59d7ac4 100644 --- a/bundles/nginx/files/site_template +++ b/bundles/nginx/files/site_template 
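Review bot: The alias `server` block repeats the full TLS configuration (`ssl_certificate`, `ssl_dhparam`, `ssl_protocols`, `ssl_ciphers`, the session settings and HSTS) that the canonical block below also carries, so every future cipher or header change has to be made twice; moving those directives into a mako `<%def>` or an nginx snippet pulled in with `include` from both blocks would keep them in lockstep. The alias block also inherits `root` and `index` it never uses, which can be dropped. `add_header Strict-Transport-Security "max-age=63072000; includeSubDomains"` on the alias hosts pins every subdomain of each alias to HTTPS for two years, which deserves a comment since an alias with non-TLS subdomains would be locked out; and in the non-letsencrypt branch `/etc/nginx/ssl/${vhost}.crt` must already list the aliases as SANs, which nothing here verifies.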
@@ -22,7 +22,7 @@ server { % endif } -% if domain_aliases: +% if domain_aliases and force_domain: server { server_name ${' '.join(sorted(domain_aliases))}; @@ -61,7 +61,11 @@ server { % endif server { +% if domain_aliases and not force_domain: + server_name ${domain} ${' '.join(sorted(domain_aliases))}; +% else: server_name ${domain}; +% endif root ${webroot if webroot else '/var/www/{}/'.format(vhost)}; index ${' '.join(index)}; diff --git a/bundles/nginx/metadata.py b/bundles/nginx/metadata.py index e47e84d..e52bc11 100644 --- a/bundles/nginx/metadata.py +++ b/bundles/nginx/metadata.py @@ -81,6 +81,7 @@ def letsencrypt(metadata): domains[domain] = config.get('domain_aliases', set()) vhosts[vhost] = { 'ssl': 'letsencrypt', + 'force_domain': True, } return { diff --git a/nodes/carlene.toml b/nodes/carlene.toml index b5e8825..e509a2c 100644 --- a/nodes/carlene.toml +++ b/nodes/carlene.toml @@ -146,6 +146,7 @@ domain_aliases = [ "mta-sts.franzi.business", "mta-sts.kunsmann.eu", ] +force_domain = false [metadata.nginx.vhosts.redirector] domain = "kunbox.net" From 418015b4846787be4ea1b838a2748518c2eab561 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Tue, 13 Feb 2024 14:14:34 +0100 Subject: [PATCH 529/996] update matrix-media-repo to 1.3.4 --- nodes/carlene.toml | 4 ++-- nodes/htz-cloud.afra.toml | 4 ++-- nodes/htz-cloud/miniserver.py | 4 ++-- 3 files changed, 6 insertions(+), 6 deletions(-) diff --git a/nodes/carlene.toml b/nodes/carlene.toml index e509a2c..c0f0dd7 100644 --- a/nodes/carlene.toml +++ b/nodes/carlene.toml @@ -70,9 +70,9 @@ gateway6 = "2a0a:51c0:0:225::1" [metadata.matrix-media-repo] admins = ["@kunsi:franzi.business"] datastore_id = "3fff5da324ed784c771d638bb6be5917" -sha1 = "0be76072295f8b3ea2ca0f8c1d7b2833fd13d3ae" +sha1 = "55d353b472894547c61b11567089eb2cf40ce5ba" upload_max_mb = 500 -version = "v1.3.3" +version = "v1.3.4" [metadata.matrix-media-repo.homeservers.'franzi.business'] api = "synapse" domain = "http://[::1]:20080/" 
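Review bot: `% if domain_aliases and force_domain:` (and `% if domain_aliases and not force_domain:` in the second hunk) read `force_domain` unconditionally, but the only place that sets it is the `letsencrypt` reactor in `bundles/nginx/metadata.py`, so a vhost with another `ssl` value (such as the `_.home.kunbox.net` wildcard used by the paperless nodes later in this series) renders without the key — depending on how the vhost config reaches mako that is either an undefined-name error or a silently false value that disables the redirect. A default in the template, `<% force_domain = context.get('force_domain', True) %>` near the top, or a bundle-wide metadata default instead of one set only by the letsencrypt reactor, gives every vhost the same behaviour. The `nodes/carlene.toml` hunk setting `force_domain = false` for the mta-sts aliases would benefit from a one-line comment that MTA-STS clients do not follow redirects, so the policy host must answer directly.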
diff --git a/nodes/htz-cloud.afra.toml b/nodes/htz-cloud.afra.toml index 44a8d09..3902501 100644 --- a/nodes/htz-cloud.afra.toml +++ b/nodes/htz-cloud.afra.toml @@ -44,9 +44,9 @@ jitsi.preferredDomain = "meet.ffmuc.net" [metadata.matrix-media-repo] admins = ['@administress:afra.berlin'] datastore_id = "e33b50474021fba9977f912414cdd7fe8890ed57" -sha1 = "0be76072295f8b3ea2ca0f8c1d7b2833fd13d3ae" +sha1 = "55d353b472894547c61b11567089eb2cf40ce5ba" upload_max_mb = 50 -version = "v1.3.3" +version = "v1.3.4" [metadata.matrix-media-repo.homeservers.'afra.berlin'] domain = "http://[::1]:20080/" diff --git a/nodes/htz-cloud/miniserver.py b/nodes/htz-cloud/miniserver.py index 940d307..39cf7db 100644 --- a/nodes/htz-cloud/miniserver.py +++ b/nodes/htz-cloud/miniserver.py @@ -114,9 +114,9 @@ nodes['htz-cloud.miniserver'] = { }, }, 'matrix-media-repo': { - 'version': 'v1.3.3', + 'version': 'v1.3.4', 'datastore_id': '99c09e24edc4e9be6c4c9486bc147e385bc87044', - 'sha1': '0be76072295f8b3ea2ca0f8c1d7b2833fd13d3ae', + 'sha1': '55d353b472894547c61b11567089eb2cf40ce5ba', 'homeservers': { 'sophies-kitchen.eu': { 'domain': 'http://[::1]:20080/', From 8c4611452ec75711b2bfbd6fd0cd2f2fe933bab0 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Tue, 13 Feb 2024 14:18:30 +0100 Subject: [PATCH 530/996] htz-hel.backup-sophie: allow sophie to access --- nodes/htz-hel/backup-sophie.py | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/nodes/htz-hel/backup-sophie.py b/nodes/htz-hel/backup-sophie.py index e6003f1..77cabe3 100644 --- a/nodes/htz-hel/backup-sophie.py +++ b/nodes/htz-hel/backup-sophie.py @@ -48,6 +48,13 @@ nodes['htz-hel.backup-sophie'] = { ], }, }, + 'users': { + 'sophie': { + 'sudo_commands': { + 'ALL', + }, + }, + }, 'zfs': { 'datasets': { 'tank/ejgwthink': { From ac7f73588dd33f0c9e95db15643aa746813fd566 Mon Sep 17 00:00:00 2001 
From: Franziska Kunsmann Date: Tue, 13 Feb 2024 14:18:45 +0100 Subject: [PATCH 531/996] update paperless-ngx to 2.5.1 --- nodes/home/paperless.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nodes/home/paperless.py b/nodes/home/paperless.py index e194f94..44c6f70 100644 --- a/nodes/home/paperless.py +++ b/nodes/home/paperless.py @@ -55,7 +55,7 @@ nodes['home.paperless'] = { }, }, 'paperless': { - 'version': 'v2.4.3', + 'version': 'v2.5.1', 'timezone': 'Europe/Berlin', }, 'postgresql': { From 297726f297a4e3bdad6c88b3e9d98fc9b271c0d7 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Tue, 13 Feb 2024 14:24:27 +0100 Subject: [PATCH 532/996] bundles/backup-client: don't monitor backups for nodes which have exclude_from_monitoring --- bundles/backup-server/metadata.py | 9 ++++++++- nodes/kunsi-p14s.py | 1 + 2 files changed, 9 insertions(+), 1 deletion(-) diff --git a/bundles/backup-server/metadata.py b/bundles/backup-server/metadata.py index 098e264..692717d 100644 --- a/bundles/backup-server/metadata.py +++ b/bundles/backup-server/metadata.py @@ -35,8 +35,15 @@ def get_my_clients(metadata): continue my_clients[rnode.name] = { - 'user': rnode.metadata.get('backup-client/user-name'), + 'exclude_from_monitoring': rnode.metadata.get( + 'backup-client/exclude_from_monitoring', + rnode.metadata.get( + 'icinga_options/exclude_from_monitoring', + False, + ), + ), 'one_backup_every_hours': rnode.metadata.get('backup-client/one_backup_every_hours', 24), + 'user': rnode.metadata.get('backup-client/user-name'), 'retain': { 'daily': rnode.metadata.get('backups/retain/daily', retain_defaults['daily']), 'weekly': rnode.metadata.get('backups/retain/weekly', retain_defaults['weekly']), diff --git a/nodes/kunsi-p14s.py b/nodes/kunsi-p14s.py index 0b39191..282f716 100644 --- a/nodes/kunsi-p14s.py +++ b/nodes/kunsi-p14s.py 
@@ -21,6 +21,7 @@ nodes['kunsi-p14s'] = { 'autologin_as': 'kunsi', }, 'backup-client': { + 'exclude_from_monitoring': False, # only alert people if we're missing more than a week of backups 'one_backup_every_hours': 7 * 24, }, From 012726a2ce5865f2869d0760771d0ee59270bdb9 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sat, 17 Feb 2024 04:36:39 +0100 Subject: [PATCH 533/996] bundles/paperless: ensure we run collectstatic and restart services --- bundles/paperless-ng/items.py | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/bundles/paperless-ng/items.py b/bundles/paperless-ng/items.py index 9afda57..ddaab5a 100644 --- a/bundles/paperless-ng/items.py +++ b/bundles/paperless-ng/items.py @@ -52,6 +52,9 @@ actions['paperless_install'] = { }, 'triggers': { 'action:paperless_migrate_database', + *{ + f'svc_systemd:paperless-{worker}:restart' for worker in workers + } }, } @@ -61,6 +64,21 @@ actions['paperless_migrate_database'] = { 'sudo -Hu paperless PAPERLESS_CONFIGURATION_PATH=/opt/paperless/paperless.conf /opt/paperless/venv/bin/python manage.py migrate', ]), 'triggered': True, + 'needs': { + # /mnt/paperless is NOT created by this bundle. + 'action:paperless_install', + 'directory:/mnt/paperless', + 'file:/opt/paperless/paperless.conf', + 'user:paperless', + 'postgres_db:paperless', + }, +} +actions['paperless_collectstatic'] = { + 'command': ' && '.join([ + 'cd /opt/paperless/src/paperless-ngx/src', + 'sudo -Hu paperless PAPERLESS_CONFIGURATION_PATH=/opt/paperless/paperless.conf /opt/paperless/venv/bin/python manage.py collectstatic', + ]), + 'triggered': True, 'needs': { # /mnt/paperless is NOT created by this bundle. 'action:paperless_install', @@ -91,6 +109,7 @@ for worker in workers: 'needs': { 'action:paperless_install', 'action:paperless_migrate_database', + 'action:paperless_collectstatic', f'file:/usr/local/lib/systemd/system/paperless-{worker}.service', }, } From 898ebe4d6bca23bc60bc4df454487de0ad87cbd0 Mon Sep 17 00:00:00 2001 
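Review bot: `actions['paperless_collectstatic']` is declared with `'triggered': True`, but nothing in this diff lists `action:paperless_collectstatic` under a `triggers` key — `paperless_install` triggers only `paperless_migrate_database` and the service restarts (first hunk), and the third hunk adds the action to the workers' `needs`, which orders items but does not fire a triggered one — so `collectstatic` never runs. Adding `'action:paperless_collectstatic',` to the `triggers` set of `paperless_install`, next to `'action:paperless_migrate_database',`, fixes that. The `needs` block is now duplicated verbatim between `paperless_migrate_database` and `paperless_collectstatic`; a local dict shared by both would avoid the two drifting apart.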
From: Franziska Kunsmann Date: Sat, 17 Feb 2024 04:37:16 +0100 Subject: [PATCH 534/996] update element-web to 1.11.58 --- nodes/carlene.toml | 2 +- nodes/htz-cloud.afra.toml | 2 +- nodes/htz-cloud/miniserver.py | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/nodes/carlene.toml b/nodes/carlene.toml index c0f0dd7..db2c57a 100644 --- a/nodes/carlene.toml +++ b/nodes/carlene.toml @@ -40,7 +40,7 @@ imap_pass = "!bwpass_attr:t-online.de/franzi.kunsmann@t-online.de:imap" [metadata.element-web] url = "chat.franzi.business" -version = "v1.11.57" +version = "v1.11.58" [metadata.element-web.config] default_server_config.'m.homeserver'.base_url = "https://matrix.franzi.business" default_server_config.'m.homeserver'.server_name = "franzi.business" diff --git a/nodes/htz-cloud.afra.toml b/nodes/htz-cloud.afra.toml index 3902501..b44b933 100644 --- a/nodes/htz-cloud.afra.toml +++ b/nodes/htz-cloud.afra.toml @@ -32,7 +32,7 @@ routes.'172.19.136.0/22'.via = "172.19.137.1" [metadata.element-web] url = "element.afra.berlin" -version = "v1.11.57" +version = "v1.11.58" [metadata.element-web.config] default_server_config.'m.homeserver'.base_url = "https://matrix.afra.berlin" diff --git a/nodes/htz-cloud/miniserver.py b/nodes/htz-cloud/miniserver.py index 39cf7db..0714b6c 100644 --- a/nodes/htz-cloud/miniserver.py +++ b/nodes/htz-cloud/miniserver.py @@ -62,7 +62,7 @@ nodes['htz-cloud.miniserver'] = { }, 'element-web': { 'url': 'chat.sophies-kitchen.eu', - 'version': 'v1.11.57', + 'version': 'v1.11.58', 'config': { 'default_server_config': { 'm.homeserver': { From 72f756a68674f6c66fdafa26db23e13f525e6a91 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sat, 17 Feb 2024 04:37:38 +0100 Subject: [PATCH 535/996] update paperless-ngx to 2.5.3 --- nodes/home/paperless.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nodes/home/paperless.py b/nodes/home/paperless.py index 44c6f70..e9493d9 100644 --- a/nodes/home/paperless.py 
+++ b/nodes/home/paperless.py @@ -55,7 +55,7 @@ nodes['home.paperless'] = { }, }, 'paperless': { - 'version': 'v2.5.1', + 'version': 'v2.5.3', 'timezone': 'Europe/Berlin', }, 'postgresql': { From 26ee966bd6c6df5fd277c7c3e7fb7b0a5879e8ba Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sat, 17 Feb 2024 04:44:29 +0100 Subject: [PATCH 536/996] bundles/paperless: fix config for static directory --- bundles/paperless-ng/files/paperless.conf | 6 ++-- bundles/paperless-ng/items.py | 22 ------------- bundles/paperless-ng/metadata.py | 33 +++++++++++++++++++ .../extras/home.paperless-sophie/paperless | 3 -- nodes/home/paperless-sophie.py | 12 +------ nodes/home/paperless.py | 15 +-------- 6 files changed, 38 insertions(+), 53 deletions(-) delete mode 100644 data/nginx/files/extras/home.paperless-sophie/paperless diff --git a/bundles/paperless-ng/files/paperless.conf b/bundles/paperless-ng/files/paperless.conf index 6d0e684..6b4c600 100644 --- a/bundles/paperless-ng/files/paperless.conf +++ b/bundles/paperless-ng/files/paperless.conf 
@@ -11,14 +11,14 @@ PAPERLESS_DBSSLMODE=disable PAPERLESS_CONSUMPTION_DIR=/mnt/paperless/consume PAPERLESS_DATA_DIR=/mnt/paperless/data PAPERLESS_MEDIA_ROOT=/mnt/paperless/media -PAPERLESS_STATICDIR=/opt/paperless/static +PAPERLESS_STATICDIR=/opt/paperless/src/paperless-ngx/static PAPERLESS_FILENAME_FORMAT={created_year}/{created_month}/{correspondent}/{asn}_{title} # Security and hosting PAPERLESS_SECRET_KEY=${repo.vault.random_bytes_as_base64_for(f'{node.name} paperless secret key')} -PAPERLESS_ALLOWED_HOSTS=${node.metadata.get('nginx/vhosts/paperless/domain', '127.0.0.1')} -PAPERLESS_CORS_ALLOWED_HOSTS=http://${node.metadata.get('nginx/vhosts/paperless/domain', '127.0.0.1')},https://${node.metadata.get('nginx/vhosts/paperless/domain', '127.0.0.1')} +PAPERLESS_ALLOWED_HOSTS=${node.metadata.get('paperless/domain')} +PAPERLESS_CORS_ALLOWED_HOSTS=http://${node.metadata.get('paperless/domain')},https://${node.metadata.get('paperless/domain')} #PAPERLESS_FORCE_SCRIPT_NAME= #PAPERLESS_STATIC_URL=/static/ #PAPERLESS_AUTO_LOGIN_USERNAME= diff --git a/bundles/paperless-ng/items.py b/bundles/paperless-ng/items.py index ddaab5a..62ac156 100644 --- a/bundles/paperless-ng/items.py +++ b/bundles/paperless-ng/items.py @@ -7,11 +7,6 @@ users['paperless'] = { directories['/opt/paperless'] = {} -directories['/opt/paperless/static'] = { - 'owner': 'paperless', -} - - files['/opt/paperless/paperless.conf'] = { 'content_type': 'mako', 'triggers': { 
@@ -73,22 +68,6 @@ actions['paperless_migrate_database'] = { 'postgres_db:paperless', }, } -actions['paperless_collectstatic'] = { - 'command': ' && '.join([ - 'cd /opt/paperless/src/paperless-ngx/src', - 'sudo -Hu paperless PAPERLESS_CONFIGURATION_PATH=/opt/paperless/paperless.conf /opt/paperless/venv/bin/python manage.py collectstatic', - ]), - 'triggered': True, - 'needs': { - # /mnt/paperless is NOT created by this bundle. - 'action:paperless_install', - 'directory:/mnt/paperless', - 'directory:/opt/paperless/static', - 'file:/opt/paperless/paperless.conf', - 'user:paperless', - 'postgres_db:paperless', - }, -} for worker in workers: files[f'/etc/systemd/system/paperless-{worker}.service'] = { @@ -109,7 +88,6 @@ for worker in workers: 'needs': { 'action:paperless_install', 'action:paperless_migrate_database', - 'action:paperless_collectstatic', f'file:/usr/local/lib/systemd/system/paperless-{worker}.service', }, } diff --git a/bundles/paperless-ng/metadata.py b/bundles/paperless-ng/metadata.py index af7a17e..d9f0c72 100644 --- a/bundles/paperless-ng/metadata.py +++ b/bundles/paperless-ng/metadata.py @@ -79,3 +79,36 @@ def icinga_check_for_new_release(metadata): }, }, } + + +@metadata_reactor.provides( + 'nginx/vhosts/paperless', +) +def nginx(metadata): + if not node.has_bundle('nginx'): + raise DoNotRunAgain + + return { + 'nginx': { + 'vhosts': { + 'paperless': { + 'domain': metadata.get('paperless/domain'), + 'locations': { + '/': { + 'target': 'http://127.0.0.1:22070', + 'websockets': True, + 'proxy_set_header': { + 'X-Forwarded-Host': '$server_name', + }, + }, + '/static/': { + 'alias': '/opt/paperless/src/paperless-ngx/static/', + }, + }, + 'max_body_size': '100M', + 'website_check_path': '/accounts/login/', + 'website_check_string': 'Paperless-ngx', + }, + }, + }, + } diff --git a/data/nginx/files/extras/home.paperless-sophie/paperless b/data/nginx/files/extras/home.paperless-sophie/paperless deleted file mode 100644 index 1aa1b28..0000000 
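Review bot: The new `nginx` reactor serves `/static/` via `'alias': '/opt/paperless/src/paperless-ngx/static/'`, i.e. straight out of the source checkout, while the same commit deletes the `paperless_collectstatic` action from `items.py`, so nothing in the bundle now populates that directory; if the paperless-ngx release archive ships a pre-built `static/` this is fine, but a comment on the `'alias'` entry (`# static/ is shipped pre-collected in the release archive`) would record that assumption. `metadata.get('paperless/domain')` has no default, so a node enabling this bundle without the key presumably fails at metadata time — acceptable, but worth noting in the reactor since the same lookup is now the only source of `PAPERLESS_ALLOWED_HOSTS` in `paperless.conf`.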
--- a/data/nginx/files/extras/home.paperless-sophie/paperless +++ /dev/null @@ -1,3 +0,0 @@ - location /static/ { - alias /opt/paperless/static/; - } diff --git a/nodes/home/paperless-sophie.py b/nodes/home/paperless-sophie.py index 9b972d9..c17ca8d 100644 --- a/nodes/home/paperless-sophie.py +++ b/nodes/home/paperless-sophie.py @@ -49,22 +49,12 @@ nodes['home.paperless-sophie'] = { 'nginx': { 'vhosts': { 'paperless': { - 'domain': 'paperless-sophie.home.kunbox.net', 'ssl': '_.home.kunbox.net', - 'locations': { - '/': { - 'target': 'http://127.0.0.1:22070', - 'websockets': True, - 'proxy_set_header': { - 'X-Forwarded-Host': '$server_name', - }, - }, - }, - 'extras': True, }, }, }, 'paperless': { + 'domain': 'paperless-sophie.home.kunbox.net', 'version': 'ng-1.4.4', 'timezone': 'Europe/Berlin', }, diff --git a/nodes/home/paperless.py b/nodes/home/paperless.py index e9493d9..b9556ca 100644 --- a/nodes/home/paperless.py +++ b/nodes/home/paperless.py @@ -36,25 +36,12 @@ nodes['home.paperless'] = { 'nginx': { 'vhosts': { 'paperless': { - 'domain': 'paperless.home.kunbox.net', 'ssl': '_.home.kunbox.net', - 'locations': { - '/': { - 'target': 'http://127.0.0.1:22070', - 'websockets': True, - 'proxy_set_header': { - 'X-Forwarded-Host': '$server_name', - }, - }, - '/static/': { - 'alias': '/opt/paperless/static/', - }, - }, - 'max_body_size': '100M', }, }, }, 'paperless': { + 'domain': 'paperless.home.kunbox.net', 'version': 'v2.5.3', 'timezone': 'Europe/Berlin', }, From b60fb4ff6033a7ab214e0906c551a0395d769aaa Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sat, 17 Feb 2024 05:00:03 +0100 Subject: [PATCH 537/996] update travelynx to 2.5.17 --- nodes/carlene.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nodes/carlene.toml b/nodes/carlene.toml index db2c57a..1a6fd7e 100644 --- a/nodes/carlene.toml +++ b/nodes/carlene.toml 
@@ -245,7 +245,7 @@ disks = [ ] [metadata.travelynx] -version = "2.5.16" +version = "2.5.17" mail_from = "travelynx@franzi.business" domain = "travelynx.franzi.business" From 9df3e5539d9fd7634757cb24b36c909fd945cfe6 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 18 Feb 2024 21:21:51 +0100 Subject: [PATCH 538/996] htz-cloud.pirmasens: use domain_aliases to redirect to main domain --- nodes/htz-cloud/pirmasens.py | 15 ++++----------- 1 file changed, 4 insertions(+), 11 deletions(-) diff --git a/nodes/htz-cloud/pirmasens.py b/nodes/htz-cloud/pirmasens.py index 8f469e0..8aa5edf 100644 --- a/nodes/htz-cloud/pirmasens.py +++ b/nodes/htz-cloud/pirmasens.py @@ -37,25 +37,18 @@ nodes['htz-cloud.pirmasens'] = { }, 'nginx': { 'vhosts': { - 'salonkatrin-v1': { - 'domain': 'old.salonkatrin.de', - }, 'salonkatrin-v2': { 'domain': 'salonkatrin.de', + 'domain_aliases': { + 'www.salonkatrin.de', + 'old.salonkatrin.de', + }, 'website_check_path': '/', 'website_check_string': 'Salon Katrin', 'webroot_config': { 'owner': 'forgejo-carlene', }, }, - 'salonkatrin-www': { - 'domain': 'www.salonkatrin.de', - 'locations': { - '/': { - 'redirect': 'https://salonkatrin.de$request_uri', - }, - }, - }, }, }, 'php': { From 281696d411e20b520ccacfe189ad78b7312b67fa Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 18 Feb 2024 21:23:31 +0100 Subject: [PATCH 539/996] htz-cloud.afra: fedi.afra.berlin is gone --- nodes/htz-cloud.afra.toml | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/nodes/htz-cloud.afra.toml b/nodes/htz-cloud.afra.toml index b44b933..4a0cafe 100644 --- a/nodes/htz-cloud.afra.toml +++ b/nodes/htz-cloud.afra.toml 
@@ -73,15 +73,15 @@ domain = "afra.berlin" redirect = "https://afra-berlin.de" mode = 302 -[metadata.nginx.vhosts.redirect.locations.'/.well-known/host-meta'] -redirect = "https://fedi.afra.berlin/.well-known/host-meta" -mode = 301 -[metadata.nginx.vhosts.redirect.locations.'/.well-known/nodeinfo'] -redirect = "https://fedi.afra.berlin/.well-known/nodeinfo" -mode = 301 -[metadata.nginx.vhosts.redirect.locations.'/.well-known/webfinger'] -redirect = "https://fedi.afra.berlin/.well-known/webfinger" -mode = 301 +#[metadata.nginx.vhosts.redirect.locations.'/.well-known/host-meta'] +#redirect = "https://fedi.afra.berlin/.well-known/host-meta" +#mode = 301 +#[metadata.nginx.vhosts.redirect.locations.'/.well-known/nodeinfo'] +#redirect = "https://fedi.afra.berlin/.well-known/nodeinfo" +#mode = 301 +#[metadata.nginx.vhosts.redirect.locations.'/.well-known/webfinger'] +#redirect = "https://fedi.afra.berlin/.well-known/webfinger" +#mode = 301 [metadata.nginx.vhosts.redirect.locations.'/matrix/'] target = "http://127.0.0.1:20100/" From 20b1e5dccc27c0e3e9b6a0e1092f49b4272a42df Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 18 Feb 2024 21:38:06 +0100 Subject: [PATCH 540/996] voc.pretalx: update pretalx to 2024.1.0 --- nodes/voc/pretalx.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nodes/voc/pretalx.py b/nodes/voc/pretalx.py index da62f65..893f674 100644 --- a/nodes/voc/pretalx.py +++ b/nodes/voc/pretalx.py @@ -49,7 +49,7 @@ nodes['voc.pretalx'] = { }, }, 'pretalx': { - 'version': 'main', + 'version': 'v2024.1.0', 'domain': 'pretalx.c3voc.de', 'mail_from': 'pretalx@c3voc.de', 'administrators-from-group-id': 1, From 781264432a41b38f59d982272356df400ab09671 Mon Sep 17 00:00:00 2001 
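Review bot: The three `.well-known` redirect tables in nodes/htz-cloud.afra.toml are commented out rather than removed, which leaves nine dead lines that still point at a host the commit title says is gone; git history already preserves them, so deleting the block is the cleaner change. The same pattern appears later in this series in nodes/home/nas.py, where the TS64GSSD370 smartd entries and the zpool `log`/`cache` vdev blocks are commented out instead of dropped. If the intent is to keep a reminder for a future re-add, a one-line `# fedi.afra.berlin was decommissioned; re-add the .well-known redirects here if it returns` says that more clearly than retained config.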
From: Franziska Kunsmann Date: Tue, 20 Feb 2024 16:36:45 +0100 Subject: [PATCH 541/996] kunsi-seibert-x1 -> fkusei-locutus --- nodes/fkusei-locutus.py | 195 ++++++++++++++++++++++++++++++++++++++ nodes/kunsi-seibert-x1.py | 67 ------------- 2 files changed, 195 insertions(+), 67 deletions(-) create mode 100644 nodes/fkusei-locutus.py delete mode 100644 nodes/kunsi-seibert-x1.py diff --git a/nodes/fkusei-locutus.py b/nodes/fkusei-locutus.py new file mode 100644 index 0000000..8654cf8 --- /dev/null +++ b/nodes/fkusei-locutus.py 
@@ -0,0 +1,195 @@ +nodes['fkusei-locutus'] = { + 'hostname': '10.5.99.29', + 'bundles': { + 'arch-with-gui', + 'bird', + 'lldp', + 'lm-sensors', + 'nfs-client', + 'systemd-boot', + 'telegraf-battery-usage', + 'wireguard', + 'voc-tracker-worker', + 'zfs', + }, + 'groups': { + 'arch', + }, + 'metadata': { + 'arch-with-gui': { + 'autologin_as': 'fkunsmann', + }, + 'bird': { + 'bgp_neighbors': { + 'smedia': { + 'local_as': 4200128002, + 'local_ip': '10.200.128.2', + 'neighbor_as': 64900, + 'neighbor_ip': '10.200.128.1', + }, + }, + }, + 'firewall': { + 'port_rules': { + # obs websocket thingie - just allow all RFC1918 ips here + #'4444': { + # '10.0.0.0/8', + # '172.16.0.0/12', + # '192.168.0.0/16', + #}, + # For the occasional file-share using `python -m http.server` + '8000/tcp': {'*'}, + }, + }, + 'interfaces': { + 'eth*': { + 'dhcp': True, + }, + # there is also wlan0, but that's managed by netctl + }, + 'location': 'home', # not actually true, but needed for static dhcp lease + 'nfs-client': { + 'mounts': { + 'nas-storage': { + 'mountpoint': '/mnt/nas', + 'serverpath': '172.19.138.20:/storage/nas', + 'mount_options': { + 'retry=0', + 'ro', + }, + }, + }, + }, + 'openssh': { + 'restrict-to': { + 'rfc1918', + }, + }, + 'pacman': { + 'packages': { + 'amd-ucode': {}, + 'xf86-video-amdgpu': {}, + + # all that other random stuff one needs + 'apachedirectorystudio': {}, + 'direnv': {}, + 'freerdp': {}, + 'sdl_ttf': {}, # for compiling testcard + 'thermald': {}, + }, + }, + 'sysctl': { + 'options': { + # accept RA even though forwarding is enabled + 'net.ipv4.conf.all.accept_ra': '2', + 'net.ipv4.conf.wlan0.accept_ra': '2', + }, + }, + 'systemd-boot': { + 'default': 'arch', + 'entries': { + 'arch': { + 'title': 'Arch Linux', + 'linux': '/vmlinuz-linux', + 'initrd': [ + '/amd-ucode.img', + '/initramfs-linux.img', + ], + 'options': { + 'net.ifnames=0', + 'rw', + 'zfs=zroot/system/root', + }, + }, + 'arch-fallback': { + 'title': 'Arch Linux (no ucode, fallback initramfs)', + 
'linux': '/vmlinuz-linux', + 'initrd': [ + '/initramfs-linux-fallback.img', + ], + 'options': { + 'net.ifnames=0', + 'rw', + 'zfs=zroot/system/root', + }, + }, + }, + }, + 'timezone': 'Europe/Berlin', + 'users': { + 'fkunsmann': { + 'password': vault.decrypt('encrypt$gAAAAABgLmmuQGRUStrQawoPee-758emIYn2u8-8ebrgzNAFSp7ifeFDdXXvs-zL3QogwNYlCtBHboH2xfy1rSj6OF5bbNO-tg=='), + 'shell': '/usr/bin/fish', + 'sudo_commands': { + 'ALL', + }, + }, + 'sophie': { + 'delete': True, + }, + }, + 'voc-tracker-worker': { + 'url': 'https://tracker.c3voc.de/rpc', + 'token': vault.decrypt('encrypt$gAAAAABiYqaFl4CqOc8DTQIn49Qq0KgAJSzA19GKPNMbyHIjYg0JkvY0sK43ps8CbJWMRR6hJHVK-nP4vrWLwyoWWqt8N8aASMur4odC2s8pEHQKM0TXg4cRwobQz_lyJgrYa2VYdhcD'), + 'secret': vault.decrypt('encrypt$gAAAAABiYqaYbY-3IbnRk-S25pqxrOGN7ovgPo3kBYz8ZqKDedPRzskKZefpLHxBbCOZKjg1XNT4cKbIs5cPCLdj7HdY4beAhnXl4EHZZdxU1zVC7sJCmz9XOS_Ac0UOgOlUFMiet14U'), + }, + 'wireguard': { + 'privatekey': vault.decrypt('smedia$NotViaThisRepository'), + 'peers': { + 'smedia': { + 'endpoint': 'wireguard.htz-cloud.kunbox.net:1194', + 'their_ip': '10.200.128.1', + 'my_ip': '10.200.128.2/20', + 'my_port': 51820, + 'endpoint': '185.122.180.82:51820', + 'psk': vault.decrypt('smedia$NotViaThisRepository'), + 'pubkey': vault.decrypt('smedia$NotViaThisRepository'), + }, + }, + }, + 'zfs': { + 'pools': { + 'zroot': { + 'when_creating': { + 'config': [], + }, + }, + }, + 'datasets': { + # this is not a complete list, but we can't create that + # structure using bundlewrap anyway, so there's no point + # in adding it here. + 'zroot': { + 'compression': 'lz4', + 'relatime': 'on', + 'xattr': 'sa', + 'primarycache': 'metadata' + # encryption is enabled, too. 
+ }, + 'zroot/system/journal': { + 'mountpoint': '/var/log/journal', + 'acltype': 'posix', + }, + 'zroot/system/root': { + 'canmount': 'noauto', + 'mountpoint': '/', + }, + 'zroot/user/fkunsmann': { + 'mountpoint': '/home/fkunsmann', + }, + }, + 'snapshots': { + 'retain_per_dataset': { + 'zroot/user/fkunsmann': { + # juuuuuuuust to be sure + 'hourly': 100, + }, + }, + 'snapshot_never': { + 'zroot/system/journal', + }, + }, + }, + }, + 'os': 'arch', +} diff --git a/nodes/kunsi-seibert-x1.py b/nodes/kunsi-seibert-x1.py deleted file mode 100644 index 19ec8bf..0000000 --- a/nodes/kunsi-seibert-x1.py +++ /dev/null 
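Review bot: The `smedia` peer in the `wireguard` section of nodes/fkusei-locutus.py defines `'endpoint'` twice (`'wireguard.htz-cloud.kunbox.net:1194'` and `'185.122.180.82:51820'`); Python keeps only the last key of a dict literal, so the first value is silently discarded and the configured endpoint is not what a reader of the first line expects. Drop whichever entry is not intended so the endpoint is explicit. Separately, the `firewall` rule `'8000/tcp': {'*'}` for the ad-hoc `http.server` share accepts connections from any source, while the commented-out OBS rule directly above and the `openssh` `restrict-to` both limit access to RFC1918; on a laptop that moves between networks, `'8000/tcp': {'10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16'},` would match that policy.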
@@ -1,67 +0,0 @@ -# work laptop. Only apply interactively. - -nodes['kunsi-seibert-x1'] = { - 'dummy': True, - 'hostname': '172.19.138.240', - 'bundles': { - 'basic', - 'lldp', - 'lm-sensors', - 'nfs-client', - 'pacman', - 'openssh', - 'sudo', - 'systemd', - 'telegraf', - 'telegraf-battery-usage', - 'users', - }, - 'groups': set(), - 'metadata': { - 'timezone': 'Europe/Berlin', - 'icinga_options': { - 'exclude_from_monitoring': True, - }, - 'locale': { - 'default': 'en_DK.UTF-8', - }, - 'lldp': { - 'hostname': 'fkunsmann-seibertmedia', - }, - 'nfs-client': { - 'mounts': { - 'nas-storage': { - 'mountpoint': '/mnt/nas', - 'serverpath': '172.19.138.20:/storage/nas', - 'mount_options': { - 'retry=0', - 'ro', - }, - }, - }, - }, - 'pacman': { - 'install_gui': True, - }, - 'telegraf': { - 'influxdb_url': 'https://influxdb.kunsmann.eu/', - 'influxdb_token': vault.decrypt('encrypt$gAAAAABgg9Ag632Xyuc6SWXaR1uH2tLOChmVKAoBIikhjntSSD2qJFL_eouVQGXCLH2HEuSbSdEXcTPn2qmhOiA9jmFdoDSbVbQUsp0EID1wLsWYG_Um2KOxZSF-tn9eDZlgShQYySjzO3nQRmdlJpVLUnGHsiwv_sHD2FstXGpfzTPZq5_egUqEc0K2X-aN2J6BTYc2fZAN'), - 'influxdb_org': vault.decrypt('encrypt$gAAAAABgg9hyjz4XtvG8NBw9uYxiumS3v7YKIrtc9tTTABg1f9R22gzn55q8ULP9X3wlsPMUQs_DH7CgGv9neYmvVAriRoyd8g=='), - 'influxdb_bucket': vault.decrypt('encrypt$gAAAAABgg9iMnq0nKpODMiMN4NtUw231iqpbyDXV-O8epOAGDSL4jcf3CaSa2bLZzH2fJFaKWjW-dpVd384x6KqSQU19XpfsWA=='), - }, - 'users': { - 'kunsi': { - 'password': vault.decrypt('encrypt$gAAAAABgLmmuQGRUStrQawoPee-758emIYn2u8-8ebrgzNAFSp7ifeFDdXXvs-zL3QogwNYlCtBHboH2xfy1rSj6OF5bbNO-tg=='), - 'shell': '/usr/bin/fish', - 'ssh_pubkey': { - # work key - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICYst1HK+gJYhNxzqJGnz4iB73pa89Xz2yH+8wufOcsA', - }, - }, - 'sophie': { - 'delete': True, - }, - }, - }, - 'os': 'arch', -} From c6552e8dd2e0cb1a4173fe89527d9d2bcc1a061a Mon Sep 17 00:00:00 2001 
From: Franziska Kunsmann Date: Sun, 25 Feb 2024 14:45:47 +0100 Subject: [PATCH 542/996] bundles/smartd: do not try to monitor encrypted devices --- bundles/smartd/metadata.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/bundles/smartd/metadata.py b/bundles/smartd/metadata.py index e444c35..73789d0 100644 --- a/bundles/smartd/metadata.py +++ b/bundles/smartd/metadata.py @@ -55,7 +55,7 @@ def zfs_disks_to_metadata(metadata): continue for disk in option['devices']: - if search(r'p([0-9]+)$', disk): + if search(r'p([0-9]+)$', disk) or disk.startswith('/dev/mapper/'): continue disks.add(disk) From 02e25f89fffc13153ef99dfe0e60df34edea4102 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 25 Feb 2024 14:47:55 +0100 Subject: [PATCH 543/996] home.nas: prepare for new NAS disks --- nodes/home/nas.py | 98 +++++++++++++++++++++++++++++++++++++++-------- 1 file changed, 82 insertions(+), 16 deletions(-) diff --git a/nodes/home/nas.py b/nodes/home/nas.py index c065912..8832b6e 100644 --- a/nodes/home/nas.py +++ b/nodes/home/nas.py @@ -4,6 +4,7 @@ nodes['home.nas'] = { 'hostname': '172.19.138.20', 'bundles': { 'backup-client', + 'dm-crypt', 'jellyfin', 'lm-sensors', 'mixcloud-downloader', 
@@ -66,6 +67,26 @@ nodes['home.nas'] = { '/storage/nas/normen', }, }, + 'dm-crypt': { + 'encrypted-devices': { + '/dev/disk/by-id/ata-ST18000NM0092-3CX103_ZVV06JV7-part1': { + 'dm-name': 'sg-ZVV06JV7-1', + 'passphrase': bwpass.password('bw/home.nas/dmcrypt/sg-ZVV06JV7-1'), + }, + '/dev/disk/by-id/ata-ST18000NM0092-3CX103_ZVV06JV7-part2': { + 'dm-name': 'sg-ZVV06JV7-2', + 'passphrase': bwpass.password('bw/home.nas/dmcrypt/sg-ZVV06JV7-2'), + }, + '/dev/disk/by-id/ata-ST18000NM0092-3CX103_ZVV06SLR-part1': { + 'dm-name': 'sg-ZVV06SLR-1', + 'passphrase': bwpass.password('bw/home.nas/dmcrypt/sg-ZVV06SLR-1'), + }, + '/dev/disk/by-id/ata-ST18000NM0092-3CX103_ZVV06SLR-part2': { + 'dm-name': 'sg-ZVV06SLR-2', + 'passphrase': bwpass.password('bw/home.nas/dmcrypt/sg-ZVV06SLR-2'), + }, + }, + }, 'groups': { 'nas': {}, }, @@ -162,9 +183,13 @@ nodes['home.nas'] = { 'disks': { '/dev/nvme0', + # encrypted disks + '/dev/disk/by-id/ata-ST18000NM0092-3CX103_ZVV06JV7', + '/dev/disk/by-id/ata-ST18000NM0092-3CX103_ZVV06SLR', + # ZFS cache disks - '/dev/disk/by-id/ata-TS64GSSD370_B807810503', - '/dev/disk/by-id/ata-TS64GSSD370_B807810527', + #'/dev/disk/by-id/ata-TS64GSSD370_B807810503', + #'/dev/disk/by-id/ata-TS64GSSD370_B807810527', }, }, 'sysctl': { 
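Review bot: The `dm-crypt` block in nodes/home/nas.py hands each LUKS passphrase to the bundle as a plain string from `bwpass.password(...)`; how the bundle then feeds it to cryptsetup is not visible here. If it ends up as a command-line argument the passphrase is exposed in the process list on the node during apply, so it is worth confirming the bundle uses stdin or a key file, and a comment such as `# passphrases are passed to cryptsetup via stdin, never argv` on the first entry would record that. The four per-partition entries otherwise match the `/dev/mapper/sg-...` names used by the `encrypted` zpool in the later hunk.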
@@ -245,26 +270,67 @@ nodes['home.nas'] = { '/dev/disk/by-id/ata-WDC_WD6003FFBX-68MU3N0_V8J8ZKRR', }, }, - { - 'type': 'log', - 'devices': { - '/dev/disk/by-id/ata-TS64GSSD370_B807810503-part1', - '/dev/disk/by-id/ata-TS64GSSD370_B807810527-part1', - }, - }, - { - 'type': 'cache', - 'devices': { - '/dev/disk/by-id/ata-TS64GSSD370_B807810503-part2', - '/dev/disk/by-id/ata-TS64GSSD370_B807810527-part2', - }, - }, +# { +# 'type': 'log', +# 'devices': { +# '/dev/disk/by-id/ata-TS64GSSD370_B807810503-part1', +# '/dev/disk/by-id/ata-TS64GSSD370_B807810527-part1', +# }, +# }, +# { +# 'type': 'cache', +# 'devices': { +# '/dev/disk/by-id/ata-TS64GSSD370_B807810503-part2', +# '/dev/disk/by-id/ata-TS64GSSD370_B807810527-part2', +# }, +# }, ], 'ashift': 12, }, }, + 'encrypted': { + 'when_creating': { + 'config': [ + # These are new and fancy "dual actuator" + # drives, partitioned into two partitions + # taking 50% of the disk each. + { + 'type': 'mirror', + 'devices': { + '/dev/mapper/sg-ZVV06JV7-1', + '/dev/mapper/sg-ZVV06SLR-1', + }, + }, + { + 'type': 'mirror', + 'devices': { + '/dev/mapper/sg-ZVV06JV7-2', + '/dev/mapper/sg-ZVV06SLR-2', + }, + }, + ], + 'ashift': 12 + }, + 'needs': { + 'action:dm-crypt_open_sg-ZVV06JV7-1', + 'action:dm-crypt_open_sg-ZVV06JV7-2', + 'action:dm-crypt_open_sg-ZVV06SLR-1', + 'action:dm-crypt_open_sg-ZVV06SLR-2', + }, + # see comment in bundle:backup-server + 'unless': 'zpool import encrypted', + }, }, 'datasets': { + 'encrypted': { + 'primarycache': 'metadata', + }, + 'encrypted/nas': { + 'acltype': 'off', + 'atime': 'off', + 'compression': 'off', + 'mountpoint': '/media/nas', + }, 'storage': { 'primarycache': 'metadata', }, From 7d4624ce6214f1831af69250ebcf95f55766a732 Mon Sep 17 00:00:00 2001 
From: Franziska Kunsmann Date: Sun, 25 Feb 2024 15:29:10 +0100 Subject: [PATCH 544/996] remove users/$user/is_admin metadata, directly write sudo_commands instead --- bundles/sudo/files/bwusers | 8 ++------ bundles/users/metadata.py | 2 +- bundles/vmhost/metadata.py | 2 +- nodes/home/router.py | 12 ++---------- nodes/htz-cloud/miniserver.py | 3 --- nodes/htz-hel/backup-sophie.py | 6 +----- nodes/voc/infobeamer-cms.py | 1 + 7 files changed, 8 insertions(+), 26 deletions(-) diff --git a/bundles/sudo/files/bwusers b/bundles/sudo/files/bwusers index 6c47ecd..00dfafa 100644 --- a/bundles/sudo/files/bwusers +++ b/bundles/sudo/files/bwusers @@ -1,9 +1,5 @@ % for user, config in sorted(node.metadata['users'].items()): -% if config.get('is_admin', False): -${user} ALL=(ALL) NOPASSWD:ALL -% else: -% for p in sorted(config.get('sudo_commands', [])): +% for p in sorted(config.get('sudo_commands', [])): ${user} ALL=(ALL) NOPASSWD:${p} -% endfor -% endif +% endfor % endfor diff --git a/bundles/users/metadata.py b/bundles/users/metadata.py index fc3cb0c..48a8b72 100644 --- a/bundles/users/metadata.py +++ b/bundles/users/metadata.py @@ -36,7 +36,7 @@ def add_users_from_json(metadata): if config.get('is_admin', False) or uname in metadata_users: users[uname] = { 'ssh_pubkey': set(config['ssh_pubkey']), - 'is_admin': config.get('is_admin', False), + 'sudo_commands': ['ALL'], } # Then, run again to get all 'to be deleted' users diff --git a/bundles/vmhost/metadata.py b/bundles/vmhost/metadata.py index 9c4cd5e..3aaa10e 100644 --- a/bundles/vmhost/metadata.py +++ b/bundles/vmhost/metadata.py @@ -52,7 +52,7 @@ if node.has_bundle('arch-with-gui'): def libvirt_group_for_admins(metadata): result = {} for user, config in metadata.get('users', {}).items(): - if config.get('is_admin', False): + if 'ALL' in config.get('sudo_commands', set()): result[user] = { 'groups': { 'libvirt', diff --git a/nodes/home/router.py b/nodes/home/router.py index 26e8f45..ff03ba1 100644 --- a/nodes/home/router.py 
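Review bot: In the bundles/users/metadata.py hunk, `add_users_from_json` now assigns `'sudo_commands': ['ALL']` to every user that passes the `config.get('is_admin', False) or uname in metadata_users` test, so a user that is merely listed in a node's metadata (for example the new `'sophie': {}` entry in nodes/voc/infobeamer-cms.py) receives passwordless full sudo even if the JSON marks them non-admin; before this change such users got `is_admin: False` and only whatever `sudo_commands` the node itself set. If the intended rule is that being listed on a node implies admin, that is a policy change worth stating in the commit message and in a comment above the assignment; otherwise keep the grant conditional, e.g. `'sudo_commands': ['ALL'] if config.get('is_admin', False) else [],`. The bwusers template hunk removes the `is_admin` branch, so after this change the template can no longer tell the two cases apart. `add_users_from_json` starts outside the hunk.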
+++ b/nodes/home/router.py @@ -137,16 +137,8 @@ nodes['home.router'] = { 'f2k1de': { 'delete': True, }, - 'fkunsmann': { - 'sudo_commands': { - 'ALL', - }, - }, - 'sophie': { - 'sudo_commands': { - 'ALL', - }, - }, + 'fkunsmann': {}, + 'sophie': {}, }, 'vnstat': { 'interface': 'enp1s0.7', diff --git a/nodes/htz-cloud/miniserver.py b/nodes/htz-cloud/miniserver.py index 0714b6c..320b35f 100644 --- a/nodes/htz-cloud/miniserver.py +++ b/nodes/htz-cloud/miniserver.py @@ -234,9 +234,6 @@ nodes['htz-cloud.miniserver'] = { 'ssh_pubkey': [ "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDILcYrMQNRVXAm5L+7No1ZumqfCyRc1QZmTY3O7Q8hsE4+fCAvwsWm2aSMfLL3NnIl8Nm1Rixzic5jdYKYNIY3SlX1wvTB+MhGb2eyVSd7c/Y98aCLSlDkQ2sebjpdA1FoJOeGD3qxqDwj0+KckXU2ZaSSQY7CxVsjH65UxCHqVAg+6uLdNbj7j850s1B9NXVXef+sBQ5jUngXxnqQWwNh2Mn8auwumkeEG4SYf96wyFkLvmBitOng/GyLWl9YPnXXHHDnatcVipy7y34qw4CQ4P84anecbA+Bqr9IcxBW6qYmYgRKEnAcmEfjQd+BI1gCLB1BBEmb/qp+mVLd4tOh sophie@carbon" ], - 'sudo_commands': { - 'ALL', - }, }, }, 'zfs': { diff --git a/nodes/htz-hel/backup-sophie.py b/nodes/htz-hel/backup-sophie.py index 77cabe3..c9de769 100644 --- a/nodes/htz-hel/backup-sophie.py +++ b/nodes/htz-hel/backup-sophie.py @@ -49,11 +49,7 @@ nodes['htz-hel.backup-sophie'] = { }, }, 'users': { - 'sophie': { - 'sudo_commands': { - 'ALL', - }, - }, + 'sophie': {}, }, 'zfs': { 'datasets': { diff --git a/nodes/voc/infobeamer-cms.py b/nodes/voc/infobeamer-cms.py index d379b90..5e2adeb 100644 --- a/nodes/voc/infobeamer-cms.py +++ b/nodes/voc/infobeamer-cms.py @@ -99,6 +99,7 @@ nodes['voc.infobeamer-cms'] = { }, 'sudo_commands': {'ALL'}, }, + 'sophie': {}, }, }, } From 6bb72f4b2753a36b57126e8a0d3f6bcff9b39993 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 25 Feb 2024 19:01:53 +0100 Subject: [PATCH 545/996] update travelynx to 2.5.20 --- nodes/carlene.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nodes/carlene.toml b/nodes/carlene.toml index 1a6fd7e..890c597 100644 --- a/nodes/carlene.toml 
+++ b/nodes/carlene.toml @@ -245,7 +245,7 @@ disks = [ ] [metadata.travelynx] -version = "2.5.17" +version = "2.5.20" mail_from = "travelynx@franzi.business" domain = "travelynx.franzi.business" From 182be4e690ded4371f573fad7eb3f9bf5c0862b4 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 25 Feb 2024 19:02:23 +0100 Subject: [PATCH 546/996] update netbox to 3.7.3 --- nodes/carlene.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nodes/carlene.toml b/nodes/carlene.toml index 890c597..a04167b 100644 --- a/nodes/carlene.toml +++ b/nodes/carlene.toml @@ -121,7 +121,7 @@ domain = "rss.franzi.business" [metadata.netbox] domain = "netbox.franzi.business" -version = "v3.7.2" +version = "v3.7.3" admins.kunsi = "hostmaster@kunbox.net" [metadata.nextcloud] From 577a175bd01756a6c1d877a70ffd9ec3ccf46343 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 25 Feb 2024 19:04:55 +0100 Subject: [PATCH 547/996] update forgejo to 1.21.6-0 --- nodes/carlene.toml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/nodes/carlene.toml b/nodes/carlene.toml index a04167b..d8ab558 100644 --- a/nodes/carlene.toml +++ b/nodes/carlene.toml @@ -49,8 +49,8 @@ defaultCountryCode = "DE" jitsi.preferredDomain = "meet.ffmuc.net" [metadata.forgejo] -version = "1.21.5-0" -sha1 = "ba8721981cbe1e5b144674348da8c168caea4ceb" +version = "1.21.6-0" +sha1 = "5ba1ed075c147cf54e1ccf039c96a41c71440744" domain = "git.franzi.business" enable_git_hooks = true install_ssh_key = true From 9c4d1c94a5546de9dceae01180706852372da91d Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 25 Feb 2024 19:14:13 +0100 Subject: [PATCH 548/996] htz-cloud: fix routes for vpn --- nodes/htz-cloud.afra.toml | 2 +- nodes/htz-cloud/influxdb.py | 2 +- nodes/htz-cloud/sewfile.py | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/nodes/htz-cloud.afra.toml b/nodes/htz-cloud.afra.toml index 4a0cafe..80faf60 100644 --- a/nodes/htz-cloud.afra.toml 
+++ b/nodes/htz-cloud.afra.toml @@ -28,7 +28,7 @@ gateway6 = 'fe80::1' ips = [ "172.19.137.7/32", ] -routes.'172.19.136.0/22'.via = "172.19.137.1" +routes.'172.19.128.0/20'.via = "172.19.137.1" [metadata.element-web] url = "element.afra.berlin" diff --git a/nodes/htz-cloud/influxdb.py b/nodes/htz-cloud/influxdb.py index b609857..e3dc166 100644 --- a/nodes/htz-cloud/influxdb.py +++ b/nodes/htz-cloud/influxdb.py @@ -34,7 +34,7 @@ nodes['htz-cloud.influxdb'] = { }, 'routes': { # VPN - '172.19.136.0/22': { + '172.19.128.0/20': { 'via': '172.19.137.1', }, }, diff --git a/nodes/htz-cloud/sewfile.py b/nodes/htz-cloud/sewfile.py index 0ecd5db..8d4d6a2 100644 --- a/nodes/htz-cloud/sewfile.py +++ b/nodes/htz-cloud/sewfile.py @@ -26,7 +26,7 @@ nodes['htz-cloud.sewfile'] = { }, 'routes': { # VPN - '172.19.136.0/22': { + '172.19.128.0/20': { 'via': '172.19.137.1', }, }, From 9e59bb044ab553f5122e6df26359e26e1ecfe320 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 25 Feb 2024 20:50:25 +0100 Subject: [PATCH 549/996] nodes/home.*: add ipv6 site-local ip addressing and v6-only vlan --- nodes/home.hass.toml | 5 ++++- nodes/home/nas.py | 1 + nodes/home/router.py | 18 +++++++++++++++++- 3 files changed, 22 insertions(+), 2 deletions(-) diff --git a/nodes/home.hass.toml b/nodes/home.hass.toml index afb4bce..fab3829 100644 --- a/nodes/home.hass.toml +++ b/nodes/home.hass.toml @@ -6,7 +6,10 @@ bundles = [ groups = ["debian-bookworm"] [metadata.interfaces.enp1s0] -ips = ["172.19.138.25/24"] +ips = [ + "172.19.138.25/24", + "fd90:2017:0:1138::25/64", +] gateway4 = "172.19.138.1" ipv6_accept_ra = true diff --git a/nodes/home/nas.py b/nodes/home/nas.py index 8832b6e..9825874 100644 --- a/nodes/home/nas.py +++ b/nodes/home/nas.py @@ -25,6 +25,7 @@ nodes['home.nas'] = { 'br1138': { 'ips': { '172.19.138.20/24', + 'fd90:2017:0:1138::20/64', }, 'gateway4': '172.19.138.1', 'ipv6_accept_ra': True, diff --git a/nodes/home/router.py b/nodes/home/router.py index ff03ba1..d54d230 100644 
--- a/nodes/home/router.py +++ b/nodes/home/router.py @@ -19,6 +19,7 @@ nodes['home.router'] = { 'enp1s0.1138': { 'ips': { '172.19.138.1/24', + 'fd90:2017:0:1138::1/64', }, }, 'enp1s0.1139': { @@ -26,6 +27,11 @@ nodes['home.router'] = { '172.19.139.1/24', }, }, + 'enp1s0.2000': { + 'ips': { + 'fd90:2017:0:2000::1/64', + }, + }, }, 'backups': { 'exclude_from_backups': True, @@ -104,8 +110,17 @@ nodes['home.router'] = { }, 'radvd': { 'interfaces': { - 'enp1s0.1138': {}, + 'enp1s0.1138': { + 'rdnss': { + 'fd90:2017:0:1138::1', + }, + }, 'enp1s0.1139': {}, + 'enp1s0.2000': { + 'rdnss': { + 'fd90:2017:0:2000::1', + }, + }, }, }, 'postfix': { @@ -152,6 +167,7 @@ nodes['home.router'] = { 'targets': { 'enp1s0.1138': '1', 'enp1s0.1139': '2', + 'enp1s0.2000': '3', }, }, 'wireguard': { From 7c9bb42c039963257b47f5e8d6bfc48ff298e275 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 25 Feb 2024 20:51:02 +0100 Subject: [PATCH 550/996] home.switch-rack: new vlan --- configs/netbox_device_home.switch-rack.json | 15 +++++++++++---- 1 file changed, 11 insertions(+), 4 deletions(-) diff --git a/configs/netbox_device_home.switch-rack.json b/configs/netbox_device_home.switch-rack.json index 991eed5..9e3159d 100644 --- a/configs/netbox_device_home.switch-rack.json +++ b/configs/netbox_device_home.switch-rack.json @@ -91,7 +91,7 @@ "untagged_vlan": "home.clients" }, "ether19": { - "description": "home.kodi-wohnzimmer", + "description": "home.lgtv-wohnzimmer", "enabled": true, "ips": [], "mode": "ACCESS", @@ -159,7 +159,8 @@ "ips": [], "mode": "TAGGED", "tagged_vlans": [ - "ffwi.client" + "ffwi.client", + "home.v6only" ], "type": "A_1000BASE_T", "untagged_vlan": "home.clients" @@ -170,7 +171,8 @@ "ips": [], "mode": "TAGGED", "tagged_vlans": [ - "ffwi.client" + "ffwi.client", + "home.v6only" ], "type": "A_1000BASE_T", "untagged_vlan": "home.clients" 
@@ -190,7 +192,8 @@ "ips": [], "mode": "TAGGED", "tagged_vlans": [ - "ffwi.client" + "ffwi.client", + "home.v6only" ], "type": "A_1000BASE_T", "untagged_vlan": "home.clients" @@ -265,6 +268,10 @@ "name": "home.dmz", "vid": 1139 }, + { + "name": "home.v6only", + "vid": 2000 + }, { "name": "ffwi.mesh", "vid": 3000 From b89ba32f4c12593c2a3d97c0757c59fb8e1995d3 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 25 Feb 2024 20:55:53 +0100 Subject: [PATCH 551/996] home.router: allow forwarding for new vlan --- nodes/home/router.py | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/nodes/home/router.py b/nodes/home/router.py index d54d230..708737e 100644 --- a/nodes/home/router.py +++ b/nodes/home/router.py @@ -86,6 +86,8 @@ nodes['home.router'] = { 'forward': { '50-router': [ 'ct state { related, established } accept', + 'iifname enp1s0.1138 accept', + 'iifname enp1s0.2000 accept', 'ip6 nexthdr ipv6-icmp accept', 'tcp dport 22 accept', ], @@ -139,7 +141,6 @@ nodes['home.router'] = { 'password': vault.decrypt('encrypt$gAAAAABfr8Cq5M1hweeJTQAl0dLhFntdlw-QnkIYUQpY-_ycODVWOpyeAwjwOgWLSdsdXIUvqcoiXPZPV-BE12p5C42NGnj9r7sKYpoGz8xfuGIk6haMa2g='), }, 'nftables-rules.d': { - 'inet filter forward iifname enp1s0.1138 accept', 'inet filter forward iifname enp1s0.1139 oifname $INTERFACE accept', }, }, From 304ce8aa543b03025193b09899e78d9da5fa0c43 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 25 Feb 2024 20:56:13 +0100 Subject: [PATCH 552/996] home.router: a bit more firewall rules --- nodes/home/router.py | 3 +++ 1 file changed, 3 insertions(+) diff --git a/nodes/home/router.py b/nodes/home/router.py index 708737e..a239cb0 100644 --- a/nodes/home/router.py +++ b/nodes/home/router.py @@ -102,6 +102,7 @@ nodes['home.router'] = { 'restrict-to': { '172.19.136.0/25', '172.19.138.0/24', + 'fd90:2017::/32', }, 'vhosts': { 'vnstat': { 
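Review bot: In the nodes/home/router.py `forward` hunk, `'iifname enp1s0.2000 accept'` forwards traffic from the new v6-only VLAN to every other interface, including the client VLAN 1138 and the DMZ 1139, while the DMZ itself stays limited to the uplink by the retained `'inet filter forward iifname enp1s0.1139 oifname $INTERFACE accept'` rule. If VLAN 2000 is meant to be a client network that is fine, but if it should be isolated like the DMZ the rule wants an `oifname` qualifier, e.g. `'iifname enp1s0.2000 oifname $INTERFACE accept',` assuming that variable is available where `50-router` is rendered; a comment stating which it is would settle the question for the next reader. Note also that the 1138 rule moved from the user's `nftables-rules.d` into `50-router` while the 1139 rule did not, so the two VLAN policies now live in different places.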
@@ -128,6 +129,7 @@ nodes['home.router'] = { 'postfix': { 'mynetworks': { '172.19.138.0/24', + 'fd90:2017::/32', }, }, 'pppd': { @@ -147,6 +149,7 @@ nodes['home.router'] = { 'unbound': { 'restrict-to': { '172.19.138.0/23', + 'fd90:2017::/32', }, }, 'users': { From e73dcf16e39050de11c36e2cec5b5d04e832b133 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Mon, 26 Feb 2024 06:33:45 +0100 Subject: [PATCH 553/996] change a bunch of nodes to use their ipv6 address as hostname --- nodes/home.hass.toml | 3 ++- nodes/home/nas.py | 2 +- nodes/home/router.py | 2 +- nodes/ns-ghirahim.toml | 2 +- nodes/ns-mephisto.toml | 2 +- nodes/ns-sargeras.toml | 2 +- 6 files changed, 7 insertions(+), 6 deletions(-) diff --git a/nodes/home.hass.toml b/nodes/home.hass.toml index fab3829..7e689b0 100644 --- a/nodes/home.hass.toml +++ b/nodes/home.hass.toml @@ -1,4 +1,4 @@ -hostname = "172.19.138.25" +hostname = "fd90:2017:0:1138::25" bundles = [ 'homeassistant', 'nginx' @@ -25,6 +25,7 @@ api_secret = 'encrypt$gAAAAABjpyuqXLoilokQW5c0zV8shHcOzN1zkEbS-I6WAAX-xDO_OF33Yb restrict-to = [ '172.19.136.0/25', '172.19.138.0/24', + 'fd90:2017::/32', ] [metadata.nginx.vhosts.homeassistant] diff --git a/nodes/home/nas.py b/nodes/home/nas.py index 9825874..33bc31f 100644 --- a/nodes/home/nas.py +++ b/nodes/home/nas.py @@ -1,7 +1,7 @@ # Dell Local Node Manager running on nodes['home.nas'] = { - 'hostname': '172.19.138.20', + 'hostname': 'fd90:2017:0:1138::20', 'bundles': { 'backup-client', 'dm-crypt', diff --git a/nodes/home/router.py b/nodes/home/router.py index a239cb0..08e1fbf 100644 --- a/nodes/home/router.py +++ b/nodes/home/router.py @@ -1,5 +1,5 @@ nodes['home.router'] = { - 'hostname': '172.19.138.1', + 'hostname': 'fd90:2017:0:1138::1', 'bundles': { 'bird', 'kea-dhcp-server', diff --git a/nodes/ns-ghirahim.toml b/nodes/ns-ghirahim.toml index a8581c6..1b58a62 100644 --- a/nodes/ns-ghirahim.toml +++ b/nodes/ns-ghirahim.toml 
@@ -1,4 +1,4 @@ -hostname = "46.101.91.6" +hostname = "2a03:b0c0:1:d0::bc2:6001" groups = [ "debian-bullseye", "dns", diff --git a/nodes/ns-mephisto.toml b/nodes/ns-mephisto.toml index 88f253e..9794b41 100644 --- a/nodes/ns-mephisto.toml +++ b/nodes/ns-mephisto.toml @@ -1,4 +1,4 @@ -hostname = "82.165.52.168" +hostname = "2001:8d8:1801:7d4::1" bundles = [ "nodejs", "powerdnsadmin", diff --git a/nodes/ns-sargeras.toml b/nodes/ns-sargeras.toml index 53f64b0..2a24023 100644 --- a/nodes/ns-sargeras.toml +++ b/nodes/ns-sargeras.toml @@ -1,4 +1,4 @@ -hostname = "46.102.156.104" +hostname = "2a0d:f302:113:73e6::1" groups = [ "debian-bookworm", "dns", From 0d0548311c811d0b81e45d6284a8fb9a4317cae6 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Mon, 26 Feb 2024 06:34:30 +0100 Subject: [PATCH 554/996] bundles/powerdns: add private ipv6 addresses as well --- bundles/powerdns/metadata.py | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/bundles/powerdns/metadata.py b/bundles/powerdns/metadata.py index 801161d..5437657 100644 --- a/bundles/powerdns/metadata.py +++ b/bundles/powerdns/metadata.py @@ -143,11 +143,14 @@ def generate_dns_entries_for_nodes(metadata): if not ip6 and not ip.is_private: ip6 = ip - if not (ip4 or ip6) and found_ips['ipv4']: + if not (ip4 or ip6) and (found_ips['ipv4'] or found_ips['ipv6']): # do it again, but do not filter out private addresses for ip in sorted(found_ips['ipv4']): if not ip4: ip4 = ip + for ip in sorted(found_ips['ipv6']): + if not ip6: + ip6 = ip if ip4: results.add('{} IN A {}'.format(dns_name, ip4)) From 4514541e8f2d328b64db0c0cb6e43ba5de22a1d3 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Mon, 26 Feb 2024 06:41:59 +0100 Subject: [PATCH 555/996] bundles/radvd: decrease RDNSS lifetime --- bundles/radvd/files/radvd.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/bundles/radvd/files/radvd.conf b/bundles/radvd/files/radvd.conf index 10b7fc7..156a262 100644 
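Review bot: In bundles/powerdns/metadata.py the added `(found_ips['ipv4'] or found_ips['ipv6'])` guard is redundant, since both inner loops are no-ops when their sets are empty, and each loop only exists to take the smallest element. Inside the existing `if not (ip4 or ip6):`, `ip4 = min(found_ips['ipv4'], default=None)` and `ip6 = min(found_ips['ipv6'], default=None)` express the fallback in two lines without the nested `if not ...:` bodies, assuming `found_ips[...]` holds comparable `ipaddress` objects as the existing `sorted()` call implies. `generate_dns_entries_for_nodes` starts and ends outside the hunk.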
--- a/bundles/radvd/files/radvd.conf +++ b/bundles/radvd/files/radvd.conf @@ -14,7 +14,7 @@ interface ${interface} % if 'rdnss' in config: RDNSS ${' '.join(sorted(config['rdnss']))} { - AdvRDNSSLifetime 900; + AdvRDNSSLifetime 45; }; % endif }; From 12c6b5fc54423c09a6895f45b2dea675b8fdafc7 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Mon, 26 Feb 2024 07:22:54 +0100 Subject: [PATCH 556/996] add bundle:jool --- bundles/jool/items.py | 15 +++++++++++++++ bundles/jool/metadata.py | 14 ++++++++++++++ bundles/kernel-modules/files/modules | 8 ++++++++ bundles/kernel-modules/items.py | 3 +++ bundles/unbound/files/unbound.conf | 9 +++++---- groups/os.py | 1 + 6 files changed, 46 insertions(+), 4 deletions(-) create mode 100644 bundles/jool/items.py create mode 100644 bundles/jool/metadata.py create mode 100644 bundles/kernel-modules/files/modules create mode 100644 bundles/kernel-modules/items.py diff --git a/bundles/jool/items.py b/bundles/jool/items.py new file mode 100644 index 0000000..5ce5bac --- /dev/null +++ b/bundles/jool/items.py @@ -0,0 +1,15 @@ +actions['modprobe_jool'] = { + 'command': 'modprobe jool', + 'unless': 'lsmod | grep -F jool', +} + +actions['jool_add_nat64_instance'] = { + 'command': 'jool instance add "nat64" --netfilter --pool6 64:ff9b::/96', + 'unless': 'jool instance display --no-headers --csv | grep -E ",nat64,netfilter$"', + 'needs': { + 'action:modprobe_jool', + 'pkg_apt:jool-dkms', + 'pkg_apt:jool-tools', + 'pkg_apt:linux-headers-amd64', + }, +} diff --git a/bundles/jool/metadata.py b/bundles/jool/metadata.py new file mode 100644 index 0000000..9ef83dd --- /dev/null +++ b/bundles/jool/metadata.py @@ -0,0 +1,14 @@ +defaults = { + 'apt': { + 'packages': { + 'jool-dkms': {}, + 'jool-tools': {}, + 'linux-headers-amd64': {}, + }, + }, + 'modules': { + 'jool': [ + 'jool', + ], + }, +} diff --git a/bundles/kernel-modules/files/modules b/bundles/kernel-modules/files/modules new file mode 100644 index 0000000..5abf592 --- /dev/null 
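Review bot: `AdvRDNSSLifetime 45;` in bundles/radvd/files/radvd.conf is only safe if the interface's `MaxRtrAdvInterval` (set elsewhere in the template, not visible here) is 45 s or less: RFC 8106 §5.1 recommends `MaxRtrAdvInterval <= Lifetime <= 2*MaxRtrAdvInterval`, and with radvd's default interval of 600 s clients would expire the resolver between unsolicited RAs. If the interval was lowered to match, a comment such as `# must stay >= MaxRtrAdvInterval (RFC 8106 §5.1)` next to the value would keep the two settings in step.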
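Review bot: In bundles/jool/items.py the `jool_add_nat64_instance` action creates the NAT64 instance only at apply time, and jool instances are kernel state that do not survive a module reload or reboot; unless the node also ships a `/etc/jool/jool.conf` and enables jool's own service (not part of this commit), NAT64 will be missing after the next reboot until bundlewrap runs again. The `modprobe_jool` check `lsmod | grep -F jool` also matches sibling modules such as `jool_common` or `jool_siit`, so `'unless': "lsmod | grep -qE '^jool '",` is the more precise test. Adding `jool` to `/etc/modules` through the new kernel-modules bundle covers the module but not the instance.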
+++ b/bundles/kernel-modules/files/modules @@ -0,0 +1,8 @@ +# This file is managed using bundlewrap +% for identifier, modules in sorted(node.metadata.get('modules', {}).items()): + +# ${identifier} +% for module in modules: +${module} +% endfor +% endfor diff --git a/bundles/kernel-modules/items.py b/bundles/kernel-modules/items.py new file mode 100644 index 0000000..dd848fd --- /dev/null +++ b/bundles/kernel-modules/items.py @@ -0,0 +1,3 @@ +files['/etc/modules'] = { + 'content_type': 'mako', +} diff --git a/bundles/unbound/files/unbound.conf b/bundles/unbound/files/unbound.conf index 247768a..eba526d 100644 --- a/bundles/unbound/files/unbound.conf +++ b/bundles/unbound/files/unbound.conf @@ -1,6 +1,11 @@ server: # provided by pkg_apt:unbound-anchor auto-trust-anchor-file: "/var/lib/unbound/root.key" +% if node.has_bundle('jool'): + module-config: "dns64 validator iterator" +% else: + module-config: "validator iterator" +% endif verbosity: 0 @@ -23,10 +28,6 @@ server: access-control: ::1 allow % endif -% if node.has_bundle('pppd'): - prefer-ip4: yes -% endif - msg-cache-size: ${cache_size} msg-cache-slabs: ${cache_slabs} rrset-cache-size: ${cache_size} diff --git a/groups/os.py b/groups/os.py index 65f2691..a6fca0f 100644 --- a/groups/os.py +++ b/groups/os.py @@ -20,6 +20,7 @@ groups['linux'] = { 'bundles': { 'basic', 'cron', + 'kernel-modules', 'nftables', 'openssh', 'postfix', From 575fe91685343b968019ca45a04e53d252dfe72c Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Mon, 26 Feb 2024 07:27:25 +0100 Subject: [PATCH 557/996] bundles/radvd: fix syntax --- bundles/radvd/files/radvd.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/bundles/radvd/files/radvd.conf b/bundles/radvd/files/radvd.conf index 156a262..ee7f4b6 100644 --- a/bundles/radvd/files/radvd.conf +++ b/bundles/radvd/files/radvd.conf 
@@ -11,7 +11,7 @@ interface ${interface} AdvAutonomous on; AdvRouterAddr on; }; -% if 'rdnss' in config: +% if config.get('rdnss'): RDNSS ${' '.join(sorted(config['rdnss']))} { AdvRDNSSLifetime 45; From a045e701a6bf50d266875c1263b9f0d93ec350e3 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Mon, 26 Feb 2024 07:27:47 +0100 Subject: [PATCH 558/996] home.router: add bundle:jool, fix dns --- nodes/home/router.py | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/nodes/home/router.py b/nodes/home/router.py index 08e1fbf..b63d4d2 100644 --- a/nodes/home/router.py +++ b/nodes/home/router.py @@ -2,6 +2,7 @@ nodes['home.router'] = { 'hostname': 'fd90:2017:0:1138::1', 'bundles': { 'bird', + 'jool', 'kea-dhcp-server', 'nginx', 'pppd', @@ -90,6 +91,10 @@ nodes['home.router'] = { 'iifname enp1s0.2000 accept', 'ip6 nexthdr ipv6-icmp accept', 'tcp dport 22 accept', + + # TODO remove this once a better solution exists + 'udp dport 53 iifname enp1s0.1138 accept', + 'udp dport 53 iifname enp1s0.2000 accept', ], }, 'prerouting': { From 661d8895dcda9411496320f993df0774c5f0b70a Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Mon, 26 Feb 2024 07:41:51 +0100 Subject: [PATCH 559/996] home.{downloadhelper,paperless}: add ipv6 unique local addresses --- nodes/home/downloadhelper.py | 7 ++++++- nodes/home/paperless.py | 3 ++- 2 files changed, 8 insertions(+), 2 deletions(-) diff --git a/nodes/home/downloadhelper.py b/nodes/home/downloadhelper.py index fc84fbe..84185d8 100644 --- a/nodes/home/downloadhelper.py +++ b/nodes/home/downloadhelper.py @@ -1,5 +1,5 @@ nodes['home.downloadhelper'] = { - 'hostname': '172.19.138.27', + 'hostname': 'fd90:2017:0:1138::27', 'bundles': { 'nfs-client', 'transmission', @@ -16,12 +16,16 @@ nodes['home.downloadhelper'] = { 'enp1s0.1138': { 'ips': { '172.19.138.27/24', + 'fd90:2017:0:1138::27/64', }, 'routes': { # VPN '172.19.128.0/20': { 'via': '172.19.138.1', }, + 'fd90:2017::/32': { + 'via': 'fd90:2017:0:1138::1', + }, }, }, }, 
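Review bot: The two `udp dport 53` rules added to `50-router` in nodes/home/router.py appear to be unreachable: the same list already holds `iifname enp1s0.2000 accept` (visible as context directly above them) and, judging by the unchanged context in the later `@@ -88,13 +84,8 @@` hunk of this file, `iifname enp1s0.1138 accept` as well, and nftables evaluates rules in order, so every packet from those VLANs is accepted before the new lines are reached. If DNS from these VLANs is failing, the cause is likely elsewhere — unbound's `restrict-to` or the `prerouting` chain are the next places to look — and the TODO would be more useful if it recorded the symptom being worked around rather than "remove this". Should the rules be kept, `tcp dport 53` on the same interfaces is needed too, since truncated UDP answers are retried over TCP. The enclosing `nodes['home.router']` definition starts and ends outside the hunk.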
@@ -52,6 +56,7 @@ nodes['home.downloadhelper'] = { }, 'restrict-to': { '172.19.136.0/22', + 'fd90:2017::/32', }, }, }, diff --git a/nodes/home/paperless.py b/nodes/home/paperless.py index b9556ca..9d7d79f 100644 --- a/nodes/home/paperless.py +++ b/nodes/home/paperless.py @@ -1,5 +1,5 @@ nodes['home.paperless'] = { - 'hostname': '172.19.138.29', + 'hostname': 'fd90:2017:0:1138::29', 'bundles': { 'nfs-client', 'nodejs', @@ -16,6 +16,7 @@ nodes['home.paperless'] = { 'enp1s0': { 'ips': { '172.19.138.29/24', + 'fd90:2017:0:1138::29/64', }, 'gateway4': '172.19.138.1', 'ipv6_accept_ra': True, From 79c4dcdf976edb56f7956a36195651c37788e2e8 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Mon, 26 Feb 2024 19:12:13 +0100 Subject: [PATCH 560/996] Revert "change a bunch of nodes to use their ipv6 address as hostname" This reverts commit e73dcf16e39050de11c36e2cec5b5d04e832b133. --- nodes/home.hass.toml | 3 +-- nodes/home/nas.py | 2 +- nodes/home/router.py | 2 +- nodes/ns-ghirahim.toml | 2 +- nodes/ns-mephisto.toml | 2 +- nodes/ns-sargeras.toml | 2 +- 6 files changed, 6 insertions(+), 7 deletions(-) diff --git a/nodes/home.hass.toml b/nodes/home.hass.toml index 7e689b0..fab3829 100644 --- a/nodes/home.hass.toml +++ b/nodes/home.hass.toml @@ -1,4 +1,4 @@ -hostname = "fd90:2017:0:1138::25" +hostname = "172.19.138.25" bundles = [ 'homeassistant', 'nginx' @@ -25,7 +25,6 @@ api_secret = 'encrypt$gAAAAABjpyuqXLoilokQW5c0zV8shHcOzN1zkEbS-I6WAAX-xDO_OF33Yb restrict-to = [ '172.19.136.0/25', '172.19.138.0/24', - 'fd90:2017::/32', ] [metadata.nginx.vhosts.homeassistant] diff --git a/nodes/home/nas.py b/nodes/home/nas.py index 33bc31f..9825874 100644 --- a/nodes/home/nas.py +++ b/nodes/home/nas.py @@ -1,7 +1,7 @@ # Dell Local Node Manager running on nodes['home.nas'] = { - 'hostname': 'fd90:2017:0:1138::20', + 'hostname': '172.19.138.20', 'bundles': { 'backup-client', 'dm-crypt', diff --git a/nodes/home/router.py b/nodes/home/router.py index b63d4d2..a287b35 100644 
--- a/nodes/home/router.py +++ b/nodes/home/router.py @@ -1,5 +1,5 @@ nodes['home.router'] = { - 'hostname': 'fd90:2017:0:1138::1', + 'hostname': '172.19.138.1', 'bundles': { 'bird', 'jool', diff --git a/nodes/ns-ghirahim.toml b/nodes/ns-ghirahim.toml index 1b58a62..a8581c6 100644 --- a/nodes/ns-ghirahim.toml +++ b/nodes/ns-ghirahim.toml @@ -1,4 +1,4 @@ -hostname = "2a03:b0c0:1:d0::bc2:6001" +hostname = "46.101.91.6" groups = [ "debian-bullseye", "dns", diff --git a/nodes/ns-mephisto.toml b/nodes/ns-mephisto.toml index 9794b41..88f253e 100644 --- a/nodes/ns-mephisto.toml +++ b/nodes/ns-mephisto.toml @@ -1,4 +1,4 @@ -hostname = "2001:8d8:1801:7d4::1" +hostname = "82.165.52.168" bundles = [ "nodejs", "powerdnsadmin", diff --git a/nodes/ns-sargeras.toml b/nodes/ns-sargeras.toml index 2a24023..53f64b0 100644 --- a/nodes/ns-sargeras.toml +++ b/nodes/ns-sargeras.toml @@ -1,4 +1,4 @@ -hostname = "2a0d:f302:113:73e6::1" +hostname = "46.102.156.104" groups = [ "debian-bookworm", "dns", From 699c7acf93c9961fc45d0255aeebca3203d202f2 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Mon, 26 Feb 2024 19:25:43 +0100 Subject: [PATCH 561/996] bundles/radvd: increase intervals again --- bundles/radvd/files/radvd.conf | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/bundles/radvd/files/radvd.conf b/bundles/radvd/files/radvd.conf index ee7f4b6..c66c08f 100644 --- a/bundles/radvd/files/radvd.conf +++ b/bundles/radvd/files/radvd.conf @@ -2,8 +2,8 @@ interface ${interface} { AdvSendAdvert on; - MinRtrAdvInterval 10; - MaxRtrAdvInterval 30; + MinRtrAdvInterval 60; + MaxRtrAdvInterval 300; MinDelayBetweenRAs 10; prefix ${config.get('prefix', '::/64')} { @@ -14,7 +14,7 @@ interface ${interface} % if config.get('rdnss'): RDNSS ${' '.join(sorted(config['rdnss']))} { - AdvRDNSSLifetime 45; + AdvRDNSSLifetime 900; }; % endif }; From c5550bf552970860ed0301770fb7bb98fb6bfbf4 Mon Sep 17 00:00:00 2001 
From: Franziska Kunsmann Date: Mon, 26 Feb 2024 19:26:01 +0100 Subject: [PATCH 562/996] bundles/unbound: add option to disable dns64 even when jool is installed --- bundles/unbound/files/unbound.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/bundles/unbound/files/unbound.conf b/bundles/unbound/files/unbound.conf index eba526d..c25e0a3 100644 --- a/bundles/unbound/files/unbound.conf +++ b/bundles/unbound/files/unbound.conf @@ -1,7 +1,7 @@ server: # provided by pkg_apt:unbound-anchor auto-trust-anchor-file: "/var/lib/unbound/root.key" -% if node.has_bundle('jool'): +% if node.metadata.get('unbound/dns64', node.has_bundle('jool')): module-config: "dns64 validator iterator" % else: module-config: "validator iterator" From 3749be61445b844b709d34ec98906a168f3bb65e Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Mon, 26 Feb 2024 19:27:18 +0100 Subject: [PATCH 563/996] home.router: remove ipv6-only vlan --- nodes/home/router.py | 26 +++++++------------------- 1 file changed, 7 insertions(+), 19 deletions(-) diff --git a/nodes/home/router.py b/nodes/home/router.py index a287b35..66fce52 100644 --- a/nodes/home/router.py +++ b/nodes/home/router.py @@ -20,17 +20,13 @@ nodes['home.router'] = { 'enp1s0.1138': { 'ips': { '172.19.138.1/24', - 'fd90:2017:0:1138::1/64', + 'fe80::1/64', }, }, 'enp1s0.1139': { 'ips': { '172.19.139.1/24', - }, - }, - 'enp1s0.2000': { - 'ips': { - 'fd90:2017:0:2000::1/64', + 'fe80::1/64', }, }, }, @@ -88,13 +84,8 @@ nodes['home.router'] = { '50-router': [ 'ct state { related, established } accept', 'iifname enp1s0.1138 accept', - 'iifname enp1s0.2000 accept', 'ip6 nexthdr ipv6-icmp accept', 'tcp dport 22 accept', - - # TODO remove this once a better solution exists - 'udp dport 53 iifname enp1s0.1138 accept', - 'udp dport 53 iifname enp1s0.2000 accept', ], }, 'prerouting': { @@ -107,7 +98,6 @@ nodes['home.router'] = { 'restrict-to': { '172.19.136.0/25', '172.19.138.0/24', - 'fd90:2017::/32', }, 'vhosts': { 'vnstat': { 
@@ -120,13 +110,12 @@ nodes['home.router'] = { 'interfaces': { 'enp1s0.1138': { 'rdnss': { - 'fd90:2017:0:1138::1', + 'fe80::1', }, }, - 'enp1s0.1139': {}, - 'enp1s0.2000': { + 'enp1s0.1139': { 'rdnss': { - 'fd90:2017:0:2000::1', + 'fe80::1', }, }, }, @@ -134,7 +123,6 @@ nodes['home.router'] = { 'postfix': { 'mynetworks': { '172.19.138.0/24', - 'fd90:2017::/32', }, }, 'pppd': { @@ -152,9 +140,10 @@ nodes['home.router'] = { }, }, 'unbound': { + 'dns64': False, 'restrict-to': { '172.19.138.0/23', - 'fd90:2017::/32', + 'fe80::/64', }, }, 'users': { @@ -176,7 +165,6 @@ nodes['home.router'] = { 'targets': { 'enp1s0.1138': '1', 'enp1s0.1139': '2', - 'enp1s0.2000': '3', }, }, 'wireguard': { From 409a1c900a41c053f6c210a2d73eae1225366ab5 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Mon, 26 Feb 2024 19:56:23 +0100 Subject: [PATCH 564/996] remove ULA from remaining home nodes --- nodes/home.hass.toml | 1 - nodes/home/downloadhelper.py | 4 ---- nodes/home/nas.py | 1 - nodes/home/paperless.py | 1 - 4 files changed, 7 deletions(-) diff --git a/nodes/home.hass.toml b/nodes/home.hass.toml index fab3829..a6dc1d5 100644 --- a/nodes/home.hass.toml +++ b/nodes/home.hass.toml @@ -8,7 +8,6 @@ groups = ["debian-bookworm"] [metadata.interfaces.enp1s0] ips = [ "172.19.138.25/24", - "fd90:2017:0:1138::25/64", ] gateway4 = "172.19.138.1" ipv6_accept_ra = true diff --git a/nodes/home/downloadhelper.py b/nodes/home/downloadhelper.py index 84185d8..909982c 100644 --- a/nodes/home/downloadhelper.py +++ b/nodes/home/downloadhelper.py @@ -16,16 +16,12 @@ nodes['home.downloadhelper'] = { 'enp1s0.1138': { 'ips': { '172.19.138.27/24', - 'fd90:2017:0:1138::27/64', }, 'routes': { # VPN '172.19.128.0/20': { 'via': '172.19.138.1', }, - 'fd90:2017::/32': { - 'via': 'fd90:2017:0:1138::1', - }, }, }, }, diff --git a/nodes/home/nas.py b/nodes/home/nas.py index 9825874..8832b6e 100644 --- a/nodes/home/nas.py +++ b/nodes/home/nas.py 
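Review bot: `'fe80::/64'` in the unbound `restrict-to` of nodes/home/router.py is a link-local prefix, and a source-address allow list cannot tell which link a link-local packet arrived on; if unbound listens on all interfaces, the same entry admits link-local peers on the pppd uplink and the wireguard tunnel as well as the two LAN VLANs. Whether that is reachable depends on the unbound bundle's `interface:` settings, which this series does not show; binding unbound to enp1s0.1138/enp1s0.1139, or scoping port 53 by `iifname` in the input chain, would confine the allowance to the LANs. A short comment beside the entry, `# link-local: clients reach the resolver via the advertised RDNSS fe80::1`, would explain why a non-routable prefix appears in an ACL. The enclosing `nodes['home.router']` definition starts and ends outside the hunk.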
@@ -25,7 +25,6 @@ nodes['home.nas'] = { 'br1138': { 'ips': { '172.19.138.20/24', - 'fd90:2017:0:1138::20/64', }, 'gateway4': '172.19.138.1', 'ipv6_accept_ra': True, diff --git a/nodes/home/paperless.py b/nodes/home/paperless.py index 9d7d79f..8c8283d 100644 --- a/nodes/home/paperless.py +++ b/nodes/home/paperless.py @@ -16,7 +16,6 @@ nodes['home.paperless'] = { 'enp1s0': { 'ips': { '172.19.138.29/24', - 'fd90:2017:0:1138::29/64', }, 'gateway4': '172.19.138.1', 'ipv6_accept_ra': True, From 32e67ff5ec0cb38f971ea466a867af5c38f7ed0e Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Thu, 29 Feb 2024 07:39:05 +0100 Subject: [PATCH 565/996] update paperless to 2.5.4 --- nodes/home/paperless.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nodes/home/paperless.py b/nodes/home/paperless.py index 8c8283d..a2740aa 100644 --- a/nodes/home/paperless.py +++ b/nodes/home/paperless.py @@ -42,7 +42,7 @@ nodes['home.paperless'] = { }, 'paperless': { 'domain': 'paperless.home.kunbox.net', - 'version': 'v2.5.3', + 'version': 'v2.5.4', 'timezone': 'Europe/Berlin', }, 'postgresql': { From b34879d0cae2ee42fca6c76fd1e1ff3362f7d860 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Thu, 29 Feb 2024 07:40:19 +0100 Subject: [PATCH 566/996] update element-web to 1.11.59 --- nodes/carlene.toml | 2 +- nodes/htz-cloud.afra.toml | 2 +- nodes/htz-cloud/miniserver.py | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/nodes/carlene.toml b/nodes/carlene.toml index d8ab558..fa19562 100644 --- a/nodes/carlene.toml +++ b/nodes/carlene.toml @@ -40,7 +40,7 @@ imap_pass = "!bwpass_attr:t-online.de/franzi.kunsmann@t-online.de:imap" [metadata.element-web] url = "chat.franzi.business" -version = "v1.11.58" +version = "v1.11.59" [metadata.element-web.config] default_server_config.'m.homeserver'.base_url = "https://matrix.franzi.business" default_server_config.'m.homeserver'.server_name = "franzi.business" 
diff --git a/nodes/htz-cloud.afra.toml b/nodes/htz-cloud.afra.toml index 80faf60..d45d12f 100644 --- a/nodes/htz-cloud.afra.toml +++ b/nodes/htz-cloud.afra.toml @@ -32,7 +32,7 @@ routes.'172.19.128.0/20'.via = "172.19.137.1" [metadata.element-web] url = "element.afra.berlin" -version = "v1.11.58" +version = "v1.11.59" [metadata.element-web.config] default_server_config.'m.homeserver'.base_url = "https://matrix.afra.berlin" diff --git a/nodes/htz-cloud/miniserver.py b/nodes/htz-cloud/miniserver.py index 320b35f..73c7b2b 100644 --- a/nodes/htz-cloud/miniserver.py +++ b/nodes/htz-cloud/miniserver.py @@ -62,7 +62,7 @@ nodes['htz-cloud.miniserver'] = { }, 'element-web': { 'url': 'chat.sophies-kitchen.eu', - 'version': 'v1.11.58', + 'version': 'v1.11.59', 'config': { 'default_server_config': { 'm.homeserver': { From ffc9c1651ccc9ad0622f7b239272e3fbde8cc9af Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Thu, 29 Feb 2024 07:40:36 +0100 Subject: [PATCH 567/996] fix some leftover ULA addressing --- nodes/home/downloadhelper.py | 3 +-- nodes/home/paperless.py | 2 +- 2 files changed, 2 insertions(+), 3 deletions(-) diff --git a/nodes/home/downloadhelper.py b/nodes/home/downloadhelper.py index 909982c..fc84fbe 100644 --- a/nodes/home/downloadhelper.py +++ b/nodes/home/downloadhelper.py @@ -1,5 +1,5 @@ nodes['home.downloadhelper'] = { - 'hostname': 'fd90:2017:0:1138::27', + 'hostname': '172.19.138.27', 'bundles': { 'nfs-client', 'transmission', @@ -52,7 +52,6 @@ nodes['home.downloadhelper'] = { }, 'restrict-to': { '172.19.136.0/22', - 'fd90:2017::/32', }, }, }, diff --git a/nodes/home/paperless.py b/nodes/home/paperless.py index a2740aa..a71a149 100644 --- a/nodes/home/paperless.py +++ b/nodes/home/paperless.py @@ -1,5 +1,5 @@ nodes['home.paperless'] = { - 'hostname': 'fd90:2017:0:1138::29', + 'hostname': '172.19.138.29', 'bundles': { 'nfs-client', 'nodejs', From 8d8f45746853c1940d7cd0662287621c89786e36 Mon Sep 17 00:00:00 2001 
From: Franziska Kunsmann Date: Sun, 3 Mar 2024 12:44:41 +0100 Subject: [PATCH 568/996] bundles/nginx: add mjs to mime types --- bundles/nginx/files/nginx.conf | 3 +++ 1 file changed, 3 insertions(+) diff --git a/bundles/nginx/files/nginx.conf b/bundles/nginx/files/nginx.conf index 3f4a9a9..dae0a26 100644 --- a/bundles/nginx/files/nginx.conf +++ b/bundles/nginx/files/nginx.conf @@ -10,6 +10,9 @@ events { http { include /etc/nginx/mime.types; + types { + application/javascript js mjs; + } default_type application/octet-stream; charset UTF-8; override_charset on; From f5a1a504722266f6527af25b875612eb9b1c60d8 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 3 Mar 2024 12:47:24 +0100 Subject: [PATCH 569/996] carlene: add sewfile zfs dataset --- nodes/carlene.toml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/nodes/carlene.toml b/nodes/carlene.toml index fa19562..1b3171a 100644 --- a/nodes/carlene.toml +++ b/nodes/carlene.toml @@ -268,6 +268,9 @@ type = "mirror" [metadata.zfs.datasets.tank] primarycache = "metadata" +[metadata.zfs.datasets.'tank/sewfile'] +mountpoint = "/mnt/sewfile/" + [metadata.vm] cpu = 24 ram = 64 From 0fa9ef91aeea64dc42f8d56e49249ae421b67861 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 3 Mar 2024 13:16:53 +0100 Subject: [PATCH 570/996] kunsi-p14s: add dataset for nextcloud client --- nodes/kunsi-p14s.py | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/nodes/kunsi-p14s.py b/nodes/kunsi-p14s.py index 282f716..017c1ed 100644 --- a/nodes/kunsi-p14s.py +++ b/nodes/kunsi-p14s.py @@ -220,6 +220,9 @@ nodes['kunsi-p14s'] = { 'zroot/movies': { 'mountpoint': '/media/movies', }, + 'zroot/nextcloud': { + 'mountpoint': '/home/kunsi/nextcloud', + }, 'zroot/system/journal': { 'mountpoint': '/var/log/journal', 'acltype': 'posix', @@ -253,6 +256,7 @@ nodes['kunsi-p14s'] = { }, 'snapshot_never': { 'zroot/movies', + 'zroot/nextcloud', 'zroot/system/journal', 'zroot/system/video', }, 
From e3d7cae2517e53b301e648bb97b366ee9608805b Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 3 Mar 2024 15:44:31 +0100 Subject: [PATCH 571/996] net.ipv4.ip_forward -> net.ipv4.conf.all.forwarding --- bundles/bird/metadata.py | 2 +- nodes/home/nas.py | 6 ------ nodes/htz-cloud/miniserver.py | 2 +- nodes/kunsi-p14s.py | 2 +- 4 files changed, 3 insertions(+), 9 deletions(-) diff --git a/bundles/bird/metadata.py b/bundles/bird/metadata.py index 43d6af4..bc6be9a 100644 --- a/bundles/bird/metadata.py +++ b/bundles/bird/metadata.py @@ -24,7 +24,7 @@ defaults = { }, 'sysctl': { 'options': { - 'net.ipv4.ip_forward': '1', + 'net.ipv4.conf.all.forwarding': '1', 'net.ipv6.conf.all.forwarding': '1', }, }, diff --git a/nodes/home/nas.py b/nodes/home/nas.py index 8832b6e..20e2679 100644 --- a/nodes/home/nas.py +++ b/nodes/home/nas.py @@ -192,12 +192,6 @@ nodes['home.nas'] = { #'/dev/disk/by-id/ata-TS64GSSD370_B807810527', }, }, - 'sysctl': { - 'options': { - # XXX find out if this is really needed - 'net.ipv4.ip_forward': '1', - }, - }, 'systemd-networkd': { 'bridges': { 'br0': { diff --git a/nodes/htz-cloud/miniserver.py b/nodes/htz-cloud/miniserver.py index 73c7b2b..cda134f 100644 --- a/nodes/htz-cloud/miniserver.py +++ b/nodes/htz-cloud/miniserver.py @@ -220,7 +220,7 @@ nodes['htz-cloud.miniserver'] = { 'sysctl': { 'options': { # XXX find out if this is really needed - 'net.ipv4.ip_forward': '1', + 'net.ipv4.conf.all.forwarding': '1', 'net.ipv6.conf.all.forwarding': '1', }, }, diff --git a/nodes/kunsi-p14s.py b/nodes/kunsi-p14s.py index 017c1ed..0bad208 100644 --- a/nodes/kunsi-p14s.py +++ b/nodes/kunsi-p14s.py @@ -156,7 +156,7 @@ nodes['kunsi-p14s'] = { }, 'sysctl': { 'options': { - 'net.ipv4.ip_forward': '1', + 'net.ipv4.conf.all.forwarding': '1', }, }, 'systemd-networkd': { From 232e087905bf76eaa8a79ddc60df2e5a0b4049ee Mon Sep 17 00:00:00 2001 
From: Franziska Kunsmann Date: Mon, 4 Mar 2024 21:02:19 +0100 Subject: [PATCH 572/996] bundles/paperless: please, just import documents --- bundles/paperless-ng/files/paperless.conf | 1 + 1 file changed, 1 insertion(+) diff --git a/bundles/paperless-ng/files/paperless.conf b/bundles/paperless-ng/files/paperless.conf index 6b4c600..7cac533 100644 --- a/bundles/paperless-ng/files/paperless.conf +++ b/bundles/paperless-ng/files/paperless.conf @@ -30,6 +30,7 @@ PAPERLESS_CORS_ALLOWED_HOSTS=http://${node.metadata.get('paperless/domain')},htt PAPERLESS_OCR_LANGUAGE=${'+'.join(sorted(node.metadata.get('paperless/ocr_languages', {'deu', 'eng'})))} PAPERLESS_OCR_MODE=skip PAPERLESS_OCR_SKIP_ARCHIVE_FILE=never +PAPERLESS_OCR_USER_ARGS='{"continue_on_soft_render_error": true}' #PAPERLESS_OCR_OUTPUT_TYPE=pdfa #PAPERLESS_OCR_PAGES=1 #PAPERLESS_OCR_IMAGE_DPI=300 From faa30962aaeeef60cbd6060175f16cc33bc1a269 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Mon, 4 Mar 2024 21:20:39 +0100 Subject: [PATCH 573/996] bundles/paperless: restart please --- bundles/paperless-ng/files/paperless-consumer.service | 3 +++ bundles/paperless-ng/files/paperless-scheduler.service | 3 +++ bundles/paperless-ng/files/paperless-taskqueue.service | 3 +++ bundles/paperless-ng/files/paperless-webserver.service | 3 +++ 4 files changed, 12 insertions(+) diff --git a/bundles/paperless-ng/files/paperless-consumer.service b/bundles/paperless-ng/files/paperless-consumer.service index 25c45a5..5f43db2 100644 --- a/bundles/paperless-ng/files/paperless-consumer.service +++ b/bundles/paperless-ng/files/paperless-consumer.service @@ -8,6 +8,9 @@ Group=paperless Environment=PAPERLESS_CONFIGURATION_PATH=/opt/paperless/paperless.conf WorkingDirectory=/opt/paperless/src/paperless-ngx/src ExecStart=/opt/paperless/venv/bin/python manage.py document_consumer +Restart=always +RestartSec=10 +SyslogIdentifier=paperless-consumer [Install] WantedBy=multi-user.target 
diff --git a/bundles/paperless-ng/files/paperless-scheduler.service b/bundles/paperless-ng/files/paperless-scheduler.service index 3a4f9d8..5ed83f0 100644 --- a/bundles/paperless-ng/files/paperless-scheduler.service +++ b/bundles/paperless-ng/files/paperless-scheduler.service @@ -8,6 +8,9 @@ Group=paperless Environment=PAPERLESS_CONFIGURATION_PATH=/opt/paperless/paperless.conf WorkingDirectory=/opt/paperless/src/paperless-ngx/src ExecStart=/opt/paperless/venv/bin/celery --app paperless beat --loglevel INFO +Restart=always +RestartSec=10 +SyslogIdentifier=paperless-scheduler [Install] WantedBy=multi-user.target diff --git a/bundles/paperless-ng/files/paperless-taskqueue.service b/bundles/paperless-ng/files/paperless-taskqueue.service index d0863d6..d7be698 100644 --- a/bundles/paperless-ng/files/paperless-taskqueue.service +++ b/bundles/paperless-ng/files/paperless-taskqueue.service @@ -8,6 +8,9 @@ Group=paperless Environment=PAPERLESS_CONFIGURATION_PATH=/opt/paperless/paperless.conf WorkingDirectory=/opt/paperless/src/paperless-ngx/src ExecStart=/opt/paperless/venv/bin/celery --app paperless worker --loglevel INFO +Restart=always +RestartSec=10 +SyslogIdentifier=paperless-taskqueue [Install] WantedBy=multi-user.target diff --git a/bundles/paperless-ng/files/paperless-webserver.service b/bundles/paperless-ng/files/paperless-webserver.service index b39c57d..5d7f806 100644 --- a/bundles/paperless-ng/files/paperless-webserver.service +++ b/bundles/paperless-ng/files/paperless-webserver.service @@ -10,6 +10,9 @@ Group=paperless Environment=PAPERLESS_CONFIGURATION_PATH=/opt/paperless/paperless.conf WorkingDirectory=/opt/paperless/src/paperless-ngx/src ExecStart=/opt/paperless/venv/bin/gunicorn -c /opt/paperless/src/paperless-ngx/gunicorn.conf.py -b 127.0.0.1:22070 paperless.asgi:application +Restart=always +RestartSec=10 +SyslogIdentifier=paperless-webserver [Install] WantedBy=multi-user.target From dd80579faeb1c498f7fcb2b52d5dc1d3b6c31a69 Mon Sep 17 00:00:00 2001 
From: Franziska Kunsmann Date: Mon, 4 Mar 2024 21:23:00 +0100 Subject: [PATCH 574/996] bundles/paperless: add missing dependency --- bundles/paperless-ng/metadata.py | 1 + 1 file changed, 1 insertion(+) diff --git a/bundles/paperless-ng/metadata.py b/bundles/paperless-ng/metadata.py index d9f0c72..b9ab153 100644 --- a/bundles/paperless-ng/metadata.py +++ b/bundles/paperless-ng/metadata.py @@ -11,6 +11,7 @@ defaults = { 'mariadb-client': {}, 'mime-support': {}, 'optipng': {}, + 'poppler-utils': {}, 'python3-wheel': {}, # for OCRmyPDF From e386b444421be68fc40b0a414b12e806619d318a Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Mon, 4 Mar 2024 21:23:19 +0100 Subject: [PATCH 575/996] bundles/paperless: PLEASE just import my files --- bundles/paperless-ng/files/paperless.conf | 3 ++- bundles/paperless-ng/files/pre-consume.sh | 11 +++++++++++ bundles/paperless-ng/items.py | 4 ++++ 3 files changed, 17 insertions(+), 1 deletion(-) create mode 100644 bundles/paperless-ng/files/pre-consume.sh diff --git a/bundles/paperless-ng/files/paperless.conf b/bundles/paperless-ng/files/paperless.conf index 7cac533..0cbd054 100644 --- a/bundles/paperless-ng/files/paperless.conf +++ b/bundles/paperless-ng/files/paperless.conf @@ -30,7 +30,8 @@ PAPERLESS_CORS_ALLOWED_HOSTS=http://${node.metadata.get('paperless/domain')},htt PAPERLESS_OCR_LANGUAGE=${'+'.join(sorted(node.metadata.get('paperless/ocr_languages', {'deu', 'eng'})))} PAPERLESS_OCR_MODE=skip PAPERLESS_OCR_SKIP_ARCHIVE_FILE=never -PAPERLESS_OCR_USER_ARGS='{"continue_on_soft_render_error": true}' +PAPERLESS_OCR_USER_ARGS='{"invalidate_digital_signatures": true}' +PAPERLESS_PRE_CONSUME_SCRIPT=/opt/paperless/pre-consume.sh #PAPERLESS_OCR_OUTPUT_TYPE=pdfa #PAPERLESS_OCR_PAGES=1 #PAPERLESS_OCR_IMAGE_DPI=300 diff --git a/bundles/paperless-ng/files/pre-consume.sh b/bundles/paperless-ng/files/pre-consume.sh new file mode 100644 index 0000000..e7937ba --- /dev/null +++ b/bundles/paperless-ng/files/pre-consume.sh 
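Review bot: `PAPERLESS_OCR_USER_ARGS='{"invalidate_digital_signatures": true}'` in bundles/paperless-ng/files/paperless.conf makes OCRmyPDF rewrite PDFs that carry a digital signature, which breaks the signature, and the new `PAPERLESS_PRE_CONSUME_SCRIPT` strips encryption before that runs; together they trade the documents' original integrity and confidentiality protection for the ability to OCR them. That may well be the right call for a home archive, but nothing in the template records it, so a comment above the line — `# signed or encrypted PDFs are rewritten so they can be OCRed; signatures are invalidated on purpose` — would stop the next reader from removing the option as a mistake.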
@@ -0,0 +1,11 @@
+#!/bin/bash
+
+[[ -n "$DEBUG" ]] && set -x
+set -euo pipefail
+
+pdfinfo "${DOCUMENT_WORKING_PATH}" | grep -q "Encrypted:"
+
+if pdfinfo "${DOCUMENT_WORKING_PATH}" | grep -q "Encrypted: yes"
+then
+ qpdf --replace-input --decrypt "${DOCUMENT_WORKING_PATH}"
+fi
diff --git a/bundles/paperless-ng/items.py b/bundles/paperless-ng/items.py
index 62ac156..6b80397 100644
--- a/bundles/paperless-ng/items.py
+++ b/bundles/paperless-ng/items.py
@@ -15,6 +15,10 @@ files['/opt/paperless/paperless.conf'] = {
 },
 }
+files['/opt/paperless/pre-consume.sh'] = {
+ 'mode': '0755',
+}
+
 actions['paperless_create_virtualenv'] = {
 'command': '/usr/bin/python3 -m virtualenv -p python3 /opt/paperless/venv/',
 'unless': 'test -d /opt/paperless/venv/',
From 0d362bdb229c904316787ce86c865cbfafdd9a8c Mon Sep 17 00:00:00 2001
From: Franziska Kunsmann
Date: Wed, 6 Mar 2024 20:06:42 +0100
Subject: [PATCH 576/996] EOL htz-cloud.sewfile
---
 bundles/seafile/files/seafile.service | 13 ---
 bundles/seafile/files/seahub.service | 13 ---
 bundles/seafile/items.py | 73 ---------------
 bundles/seafile/metadata.py | 28 ------
 .../htz-cloud.sewfile/sewfile.franzi.business | 23 -----
 nodes/htz-cloud/sewfile.py | 92 -------------------
 6 files changed, 242 deletions(-)
 delete mode 100644 bundles/seafile/files/seafile.service
 delete mode 100644 bundles/seafile/files/seahub.service
 delete mode 100644 bundles/seafile/items.py
 delete mode 100644 bundles/seafile/metadata.py
 delete mode 100644 data/nginx/files/extras/htz-cloud.sewfile/sewfile.franzi.business
 delete mode 100644 nodes/htz-cloud/sewfile.py
diff --git a/bundles/seafile/files/seafile.service b/bundles/seafile/files/seafile.service
deleted file mode 100644
index 5b0a959..0000000
--- a/bundles/seafile/files/seafile.service
+++ /dev/null
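Review bot: The standalone `pdfinfo "${DOCUMENT_WORKING_PATH}" | grep -q "Encrypted:"` on line 6 of bundles/paperless-ng/files/pre-consume.sh runs under `set -euo pipefail` outside any conditional, so any non-zero status ends the script and paperless aborts the consume: `pdfinfo` fails for every non-PDF upload (images, office files) and `grep -q` returns 1 when the line is absent. The `if` on line 8 already performs the same probe safely, because a failing pipeline used as an `if` condition only makes the test false, so line 6 looks like a leftover and should be deleted. `qpdf --decrypt` will still fail, and so abort the consume, for PDFs that require a user password; that is probably the wanted outcome since such a file cannot be OCRed anyway, but a one-line comment above the `if` saying so would make it deliberate.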
@@ -1,13 +0,0 @@ -[Unit] -Description=Seafile -After=network.target mysql.service - -[Service] -Type=forking -ExecStart=/opt/seafile/seafile-server-latest/seafile.sh start -ExecStop=/opt/seafile/seafile-server-latest/seafile.sh stop -User=seafile -Group=seafile - -[Install] -WantedBy=multi-user.target diff --git a/bundles/seafile/files/seahub.service b/bundles/seafile/files/seahub.service deleted file mode 100644 index b554599..0000000 --- a/bundles/seafile/files/seahub.service +++ /dev/null @@ -1,13 +0,0 @@ -[Unit] -Description=Seafile hub -After=network.target seafile.service - -[Service] -Type=forking -ExecStart=/opt/seafile/seafile-server-latest/seahub.sh start -ExecStop=/opt/seafile/seafile-server-latest/seahub.sh stop -User=seafile -Group=seafile - -[Install] -WantedBy=multi-user.target diff --git a/bundles/seafile/items.py b/bundles/seafile/items.py deleted file mode 100644 index 5517e3f..0000000 --- a/bundles/seafile/items.py +++ /dev/null 
@@ -1,73 +0,0 @@ -users = { - 'seafile': { - 'home': '/opt/seafile', - }, -} - -directories = { - '/opt/seafile': { - 'mode': '0755', - 'owner': 'seafile', - 'group': 'seafile', - }, -} - -files = { - '/etc/systemd/system/seafile.service': { - 'needed_by': { - 'svc_systemd:seafile', - }, - 'triggers': { - 'action:systemd-reload', - }, - }, - '/etc/systemd/system/seahub.service': { - 'needed_by': { - 'svc_systemd:seafile', - }, - 'triggers': { - 'action:systemd-reload', - }, - }, -} - -svc_systemd = { - 'seafile': { - 'needs': { - 'pkg_pip:', - }, - }, - 'seahub': { - 'needs': { - 'svc_systemd:seafile', - 'pkg_pip:', - }, - }, -} - -for pkg in ( - 'django==3.2.19', - 'future==0.18.3', - 'mysqlclient==2.1.1', - 'pymysql', - 'pillow==9.3.0', - 'pylibmc', - 'captcha==0.4', - 'markupsafe==2.0.1', - 'jinja2', - 'sqlalchemy==1.4.3', - 'psd-tools', - 'django-pylibmc', - 'django_simple_captcha==0.5.17', - 'djangosaml2==1.5.7', - 'pysaml2==7.2.1', - 'pycryptodome==3.16.0', - 'cffi==1.15.1', - 'lxml', -): - if '==' in pkg: - pkg, version = pkg.split('==', 1) - else: - version = None - - pkg_pip[pkg.replace('_', '-')] = {'version': version} diff --git a/bundles/seafile/metadata.py b/bundles/seafile/metadata.py deleted file mode 100644 index 128380f..0000000 --- a/bundles/seafile/metadata.py +++ /dev/null @@ -1,28 +0,0 @@ -defaults = { - 'apt': { - 'packages': { - 'mariadb-server': {}, - 'python3': {}, - 'python3-setuptools': {}, - 'python3-pip': {}, - 'default-libmysqlclient-dev': {}, - }, - }, - 'backups': { - 'paths': { - '/opt/seafile', - }, - }, - 'icinga2_api': { - 'seafile': { - 'services': { - 'SEAFILE PROCESS': { - 'command_on_monitored_host': '/usr/local/share/icinga/plugins/check_systemd_unit seafile', - }, - 'SEAHUB PROCESS': { - 'command_on_monitored_host': '/usr/local/share/icinga/plugins/check_systemd_unit seahub', - }, - }, - }, - }, -} 
diff --git a/data/nginx/files/extras/htz-cloud.sewfile/sewfile.franzi.business b/data/nginx/files/extras/htz-cloud.sewfile/sewfile.franzi.business deleted file mode 100644 index 9312c7e..0000000 --- a/data/nginx/files/extras/htz-cloud.sewfile/sewfile.franzi.business +++ /dev/null @@ -1,23 +0,0 @@ - location / { - proxy_pass http://127.0.0.1:8000; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Host $server_name; - proxy_read_timeout 1200s; - } - - location /seafhttp { - rewrite ^/seafhttp(.*)$ $1 break; - proxy_pass http://127.0.0.1:8082; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_connect_timeout 36000s; - proxy_read_timeout 36000s; - proxy_send_timeout 36000s; - send_timeout 36000s; - proxy_request_buffering off; - } - - location /media { - alias /opt/seafile/seafile-server-latest/seahub/media; - } diff --git a/nodes/htz-cloud/sewfile.py b/nodes/htz-cloud/sewfile.py deleted file mode 100644 index 8d4d6a2..0000000 --- a/nodes/htz-cloud/sewfile.py +++ /dev/null 
@@ -1,92 +0,0 @@ -# this node runs only seafile. Seafile and the mysql server are not -# managed by bundlewrap. - -nodes['htz-cloud.sewfile'] = { - 'bundles': { - 'seafile', - 'zfs', - }, - 'groups': { - 'debian-bullseye', - 'webserver', - }, - 'metadata': { - 'interfaces': { - 'eth0': { - 'ips': { - '116.203.205.248', - '2a01:4f8:c0c:c71b::1/64', - }, - 'gateway4': '172.31.1.1', - 'gateway6': 'fe80::1', - }, - 'ens10': { - 'ips': { - '172.19.137.3/32', - }, - 'routes': { - # VPN - '172.19.128.0/20': { - 'via': '172.19.137.1', - }, - }, - }, - }, - 'backups': { - 'paths': { - '/mnt/seafile-data', - '/var/tmp/mysqldumps', - }, - }, - 'backup-client': { - 'pre-hooks': { - 'mysqldump': \ - 'test -d /var/tmp/mysqldumps || mkdir -p /var/tmp/mysqldumps\n'\ - 'rm /var/tmp/mysqldumps/*.sql\n'\ - 'mysqldump --databases ccnet_db > /var/tmp/mysqldumps/ccnet_db.sql\n'\ - 'mysqldump --databases seafile_db > /var/tmp/mysqldumps/seafile_db.sql\n'\ - 'mysqldump --databases seahub_db > /var/tmp/mysqldumps/seahub_db.sql\n', - }, - }, - 'icinga_options': { - 'pretty_name': 'sewfile.franzi.business', - 'vars.notification.sms': False, - }, - 'nginx': { - 'vhosts': { - 'sewfile.franzi.business': { - 'max_body_size': '0', - 'extras': True, - 'website_check_path': '/accounts/login/', - 'website_check_string': 'Username', - }, - }, - }, - 'vm': { - 'cpu': 1, - 'ram': 2, - }, - 'zfs': { - 'pools': { - 'tank': { - 'when_creating': { - 'config': [{ - 'devices': {'/dev/sdb'}, - }], - }, - }, - }, - 'datasets': { - 'tank/mysql': { - 'mountpoint': '/var/lib/mysql', - }, - 'tank/seafile-data': { - 'mountpoint': '/mnt/seafile-data', - 'needed_by': { - 'bundle:seafile', - }, - }, - }, - }, - }, -} From 6b387c9d111dc26a4c0c6961cb6742f725a6a821 Mon Sep 17 00:00:00 2001 
From: Franziska Kunsmann Date: Wed, 6 Mar 2024 23:02:18 +0100 Subject: [PATCH 577/996] add dummy htz-cloud.molly-connector --- nodes/home/downloadhelper.py | 2 +- nodes/home/router.py | 1 + nodes/htz-cloud.molly-connector.toml | 8 ++++++++ 3 files changed, 10 insertions(+), 1 deletion(-) create mode 100644 nodes/htz-cloud.molly-connector.toml diff --git a/nodes/home/downloadhelper.py b/nodes/home/downloadhelper.py index fc84fbe..0d97ba1 100644 --- a/nodes/home/downloadhelper.py +++ b/nodes/home/downloadhelper.py @@ -51,7 +51,7 @@ nodes['home.downloadhelper'] = { 'download-queue-size': 10, }, 'restrict-to': { - '172.19.136.0/22', + '172.19.128.0/20', }, }, }, diff --git a/nodes/home/router.py b/nodes/home/router.py index 66fce52..a35fa5e 100644 --- a/nodes/home/router.py +++ b/nodes/home/router.py @@ -98,6 +98,7 @@ nodes['home.router'] = { 'restrict-to': { '172.19.136.0/25', '172.19.138.0/24', + 'htz-cloud.molly-connector', }, 'vhosts': { 'vnstat': { diff --git a/nodes/htz-cloud.molly-connector.toml b/nodes/htz-cloud.molly-connector.toml new file mode 100644 index 0000000..eeea694 --- /dev/null +++ b/nodes/htz-cloud.molly-connector.toml @@ -0,0 +1,8 @@ +dummy = true + +# Machine is managed by molly and does SNAT for her vpn infrastructure. +# Putting this into my hetzner cloud project was the easiest way to do +# interconnect. + +[metadata.interfaces.default] +ips = ["172.19.137.5"] From ac10630fb984b0f8bbb361fecf472a650ee23484 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Thu, 7 Mar 2024 08:15:23 +0100 Subject: [PATCH 578/996] add bundle:pyenv --- bundles/pyenv/items.py | 28 ++++++++++++++++++++++++++++ bundles/pyenv/metadata.py | 20 ++++++++++++++++++++ 2 files changed, 48 insertions(+) create mode 100644 bundles/pyenv/items.py create mode 100644 bundles/pyenv/metadata.py diff --git a/bundles/pyenv/items.py b/bundles/pyenv/items.py new file mode 100644 index 0000000..97f1439 --- /dev/null +++ b/bundles/pyenv/items.py 
@@ -0,0 +1,28 @@
+from shlex import quote
+
+directories = {
+ '/opt/pyenv': {},
+ '/opt/pyenv/install': {},
+}
+
+git_deploy = {
+ '/opt/pyenv/install': {
+ 'repo': 'https://github.com/pyenv/pyenv.git',
+ 'rev': node.metadata.get('pyenv/version'),
+ 'needs': {
+ 'directory:/opt/pyenv/install',
+ },
+ },
+}
+
+for version in node.metadata.get('pyenv/python_versions', set()):
+ actions[f'pyenv_install_{version}'] = {
+ 'command': f'PYENV_ROOT=/opt/pyenv /opt/pyenv/install/bin/pyenv install {quote(version)}',
+ 'unless': f'PYENV_ROOT=/opt/pyenv /opt/pyenv/install/bin/pyenv versions --bare | grep -E "^{quote(version)}$"',
+ 'needs': {
+ 'git_deploy:/opt/pyenv/install',
+ },
+ 'after': {
+ 'pkg_apt:',
+ },
+ }
diff --git a/bundles/pyenv/metadata.py b/bundles/pyenv/metadata.py
new file mode 100644
index 0000000..177a2b3
--- /dev/null
+++ b/bundles/pyenv/metadata.py
@@ -0,0 +1,20 @@
+defaults = {
+ 'apt': {
+ 'packages': {
+ 'build-essential': {},
+ 'curl': {},
+ 'libbz2-dev': {},
+ 'libffi-dev': {},
+ 'liblzma-dev': {},
+ 'libncurses-dev': {},
+ 'libreadline-dev': {},
+ 'libsqlite3-dev': {},
+ 'libssl-dev': {},
+ 'libxml2-dev': {},
+ 'libxmlsec1-dev': {},
+ 'tk-dev': {},
+ 'xz-utils': {},
+ 'zlib1g-dev': {},
+ },
+ },
+}
From 4d92211862343e037778c92864837e9b1f6ecc68 Mon Sep 17 00:00:00 2001
From: Franziska Kunsmann
Date: Thu, 7 Mar 2024 08:23:04 +0100
Subject: [PATCH 579/996] home.hass: use pyenv for homeassistant
---
 bundles/homeassistant/items.py | 8 +++++++-
 nodes/home.hass.toml | 7 ++++++-
 2 files changed, 13 insertions(+), 2 deletions(-)
diff --git a/bundles/homeassistant/items.py b/bundles/homeassistant/items.py
index 5751178..f7e5ea2 100644
--- a/bundles/homeassistant/items.py
+++ b/bundles/homeassistant/items.py
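Review bot: The `unless` command turns the version string into a regular expression, `grep -E "^{quote(version)}$"`: the dots in `3.12.2` match any character, and if `quote()` ever has to add single quotes they end up inside the pattern and the check never matches, so every apply would re-run `pyenv install`. A fixed-string, whole-line match avoids both: `'unless': f'PYENV_ROOT=/opt/pyenv /opt/pyenv/install/bin/pyenv versions --bare | grep -Fx {quote(version)}',`. A comment above the loop noting that each entry of `pyenv/python_versions` must be an exact `pyenv install` name, since it also becomes the action name, would help the next person adding a version.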
@@ -1,3 +1,9 @@
+if node.has_bundle('pyenv'):
+ python_version = sorted(node.metadata.get('pyenv/python_versions'))[-1]
+ python_path = f'/opt/pyenv/versions/{python_version}/bin/python'
+else:
+ python_path = '/usr/bin/python3'
+
 users = {
 'homeassistant': {
 'home': '/var/opt/homeassistant',
@@ -32,7 +38,7 @@ files = { actions = { 'homeassistant_create_virtualenv': { - 'command': 'sudo -u homeassistant /usr/bin/python3 -m virtualenv -p python3 /opt/homeassistant/venv/', + 'command': f'sudo -u homeassistant virtualenv -p {python_path} /opt/homeassistant/venv/', 'unless': 'test -d /opt/homeassistant/venv/', 'needs': { 'directory:/opt/homeassistant',
diff --git a/nodes/home.hass.toml b/nodes/home.hass.toml
index a6dc1d5..8922404 100644
--- a/nodes/home.hass.toml
+++ b/nodes/home.hass.toml
@@ -1,7 +1,8 @@ hostname = "172.19.138.25" bundles = [ 'homeassistant', - 'nginx' + 'nginx', + 'pyenv', ] groups = ["debian-bookworm"]
@@ -26,5 +27,9 @@ restrict-to = [ '172.19.138.0/24', ] +[metadata.pyenv] +version = 'v2.3.36' +python_versions = ["3.12.2"] + [metadata.nginx.vhosts.homeassistant] ssl = '_.home.kunbox.net'
From 1573bdc3842f6be65ad56b765912415875cc9744 Mon Sep 17 00:00:00 2001
From: Franziska Kunsmann
Date: Sat, 16 Mar 2024 10:47:37 +0100
Subject: [PATCH 580/996] update forgejo to 1.21.7-0
---
 nodes/carlene.toml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/nodes/carlene.toml b/nodes/carlene.toml
index 1b3171a..cef22ea 100644
--- a/nodes/carlene.toml
+++ b/nodes/carlene.toml
@@ -49,8 +49,8 @@ defaultCountryCode = "DE" jitsi.preferredDomain = "meet.ffmuc.net" [metadata.forgejo] -version = "1.21.6-0" -sha1 = "5ba1ed075c147cf54e1ccf039c96a41c71440744" +version = "1.21.7-0" +sha1 = "e9775d0fe4b63a83197a7800791df56338f8d074" domain = "git.franzi.business" enable_git_hooks = true install_ssh_key = true
From a344bde87d2736fcb70f7979ecc5ca10b70744f1 Mon Sep 17 00:00:00 2001
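Review bot: `sorted(node.metadata.get('pyenv/python_versions'))[-1]` orders version strings lexically, so a set such as `{'3.9.18', '3.12.2'}` yields `3.9.18` rather than the newest interpreter; for the plain dotted versions used in `home.hass.toml`, `max(versions, key=lambda v: tuple(int(p) for p in v.split('.')))` picks the right one. The lookup also has no default, unlike the `set()` default the pyenv bundle uses, so a node with the bundle but without `pyenv/python_versions` raises here instead of falling back to `/usr/bin/python3`, and `[-1]` on an empty result raises as well. A comment such as `# newest pyenv-built interpreter, e.g. /opt/pyenv/versions/3.12.2/bin/python` would explain the derived path.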
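Review bot: The rewritten command looks up `virtualenv` on sudo's PATH instead of running it as a module of an explicit interpreter, so it now depends on a `virtualenv` executable being installed and on sudo's `secure_path` including its directory; nothing in this hunk provides that. `{python_path}` is interpolated into the shell string unquoted; it comes from metadata, so wrapping it in `quote()` from `shlex`, as the pyenv bundle does with its version strings, costs nothing. The `actions` dict starts and ends outside the hunk.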
From: Franziska Kunsmann Date: Sat, 16 Mar 2024 10:48:05 +0100 Subject: [PATCH 581/996] update netbox to 3.7.4 --- nodes/carlene.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nodes/carlene.toml b/nodes/carlene.toml index cef22ea..cec0cbc 100644 --- a/nodes/carlene.toml +++ b/nodes/carlene.toml @@ -121,7 +121,7 @@ domain = "rss.franzi.business" [metadata.netbox] domain = "netbox.franzi.business" -version = "v3.7.3" +version = "v3.7.4" admins.kunsi = "hostmaster@kunbox.net" [metadata.nextcloud] From 4c5167fefa5e0e921fd6bee11e533c1afed68073 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sat, 16 Mar 2024 10:48:26 +0100 Subject: [PATCH 582/996] update paperless-ngx to 2.6.2 --- nodes/home/paperless.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nodes/home/paperless.py b/nodes/home/paperless.py index a71a149..0580dbb 100644 --- a/nodes/home/paperless.py +++ b/nodes/home/paperless.py @@ -42,7 +42,7 @@ nodes['home.paperless'] = { }, 'paperless': { 'domain': 'paperless.home.kunbox.net', - 'version': 'v2.5.4', + 'version': 'v2.6.2', 'timezone': 'Europe/Berlin', }, 'postgresql': { From bd0cb5e1b4141b380fe19a8daa09dc8f1ac773a5 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sat, 16 Mar 2024 10:49:04 +0100 Subject: [PATCH 583/996] update element-web to 1.11.61 --- nodes/carlene.toml | 2 +- nodes/htz-cloud.afra.toml | 2 +- nodes/htz-cloud/miniserver.py | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/nodes/carlene.toml b/nodes/carlene.toml index cec0cbc..d87c171 100644 --- a/nodes/carlene.toml +++ b/nodes/carlene.toml @@ -40,7 +40,7 @@ imap_pass = "!bwpass_attr:t-online.de/franzi.kunsmann@t-online.de:imap" [metadata.element-web] url = "chat.franzi.business" -version = "v1.11.59" +version = "v1.11.61" [metadata.element-web.config] default_server_config.'m.homeserver'.base_url = "https://matrix.franzi.business" default_server_config.'m.homeserver'.server_name = "franzi.business" 
diff --git a/nodes/htz-cloud.afra.toml b/nodes/htz-cloud.afra.toml index d45d12f..e2c7a3b 100644 --- a/nodes/htz-cloud.afra.toml +++ b/nodes/htz-cloud.afra.toml @@ -32,7 +32,7 @@ routes.'172.19.128.0/20'.via = "172.19.137.1" [metadata.element-web] url = "element.afra.berlin" -version = "v1.11.59" +version = "v1.11.61" [metadata.element-web.config] default_server_config.'m.homeserver'.base_url = "https://matrix.afra.berlin" diff --git a/nodes/htz-cloud/miniserver.py b/nodes/htz-cloud/miniserver.py index cda134f..b0e8292 100644 --- a/nodes/htz-cloud/miniserver.py +++ b/nodes/htz-cloud/miniserver.py @@ -62,7 +62,7 @@ nodes['htz-cloud.miniserver'] = { }, 'element-web': { 'url': 'chat.sophies-kitchen.eu', - 'version': 'v1.11.59', + 'version': 'v1.11.61', 'config': { 'default_server_config': { 'm.homeserver': { From abb408c907aeefdfbefac9dfa0271a68ad0a9924 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sat, 16 Mar 2024 10:51:56 +0100 Subject: [PATCH 584/996] carlene: ensure kunsi can write to the franzi.business vhost --- nodes/carlene.toml | 1 + 1 file changed, 1 insertion(+) diff --git a/nodes/carlene.toml b/nodes/carlene.toml index d87c171..8b231fd 100644 --- a/nodes/carlene.toml +++ b/nodes/carlene.toml @@ -136,6 +136,7 @@ domain_aliases = ["git.kunsmann.eu"] [metadata.nginx.vhosts.'franzi.business'] domain = "franzi.business" +webroot_config.owner = "kunsi" [metadata.nginx.vhosts.'gaenseblum.eu'.webroot_config] owner = "skye" From f5b87d995b27326d4301f3e582471bca937d9f48 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sat, 16 Mar 2024 11:01:56 +0100 Subject: [PATCH 585/996] bump _.home.kunbox.net --- data/ssl/_.home.kunbox.net.crt.pem | 38 +++++++++---------- .../_.home.kunbox.net.crt_intermediate.pem | 32 ---------------- data/ssl/_.home.kunbox.net.key.pem.vault | 2 +- 3 files changed, 20 insertions(+), 52 deletions(-) diff --git a/data/ssl/_.home.kunbox.net.crt.pem b/data/ssl/_.home.kunbox.net.crt.pem index b92f7c2..a011d41 100644 
--- a/data/ssl/_.home.kunbox.net.crt.pem +++ b/data/ssl/_.home.kunbox.net.crt.pem 
@@ -1,26 +1,26 @@ -----BEGIN CERTIFICATE----- -MIIEUTCCAzmgAwIBAgISA3fDQ6qgGojGPTrT+xkvOAX/MA0GCSqGSIb3DQEBCwUA +MIIETzCCAzegAwIBAgISBGnv4i5cZkqMTZ6E2W9oY145MA0GCSqGSIb3DQEBCwUA MDIxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQD -EwJSMzAeFw0yMzEyMjUwODEwMTdaFw0yNDAzMjQwODEwMTZaMBoxGDAWBgNVBAMT -D2hvbWUua3VuYm94Lm5ldDB2MBAGByqGSM49AgEGBSuBBAAiA2IABLd8zNhUwPxn -xgUYaXNOKKUcgvN5XujyK6ZqZc4qPv6C4V7jw65dgS+ztnB0RaMPnX9Q/I4VjFm3 -tv1A8f6WFQWdHy7eu4JInDlk6//u3TFqxsb+1RKLhdjfAckGjZGE8KOCAiUwggIh +EwJSMzAeFw0yNDAzMTYwOTAxNDdaFw0yNDA2MTQwOTAxNDZaMBoxGDAWBgNVBAMT +D2hvbWUua3VuYm94Lm5ldDB2MBAGByqGSM49AgEGBSuBBAAiA2IABNjknNF3eIBR +7bzqJEfvTTmGnw9nCDa/VY2l+POYFhrBryT9pCgO7lcSK3raynAu3yNjVSSK4KdB +p2fEu8SytoRPp6Hjz5epjIQvdaYaWsg7gjPe1GoFU8YG6KrX7y6DNaOCAiMwggIf MA4GA1UdDwEB/wQEAwIHgDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIw -DAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQURN7w27lwahJ3sktccheUYRZ2AV0wHwYD +DAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQUkioReLB1H6GooNGezjbwLZ0dTBwwHwYD VR0jBBgwFoAUFC6zF7dYVsuuUAlA5h+vnYsUwsYwVQYIKwYBBQUHAQEESTBHMCEG CCsGAQUFBzABhhVodHRwOi8vcjMuby5sZW5jci5vcmcwIgYIKwYBBQUHMAKGFmh0 dHA6Ly9yMy5pLmxlbmNyLm9yZy8wLQYDVR0RBCYwJIIRKi5ob21lLmt1bmJveC5u -ZXSCD2hvbWUua3VuYm94Lm5ldDATBgNVHSAEDDAKMAgGBmeBDAECATCCAQUGCisG -AQQB1nkCBAIEgfYEgfMA8QB3ADtTd3U+LbmAToswWwb+QDtn2E/D9Me9AA0tcm/h -+tQXAAABjKA9PVgAAAQDAEgwRgIhAJTQNSRZeyHIjGgBh6bH6C3zl9/lPPJYoBj/ -piq8PF+gAiEA9PRMavdrkuYcayG5D17gWuUVTJH4s3QGexGZauTxQw8AdgB2/4g/ -Crb7lVHCYcz1h7o0tKTNuyncaEIKn+ZnTFo6dAAAAYygPT2XAAAEAwBHMEUCIBsW -QqOo9FBoU6mG8iMLIelS/mQhq6QfqImz9VehT5qbAiEAy80PWrDKlUqfKqf1mEEo -G++YOxg7ZP3I9riN6vUu6a8wDQYJKoZIhvcNAQELBQADggEBAKnevUCPEKOBYX/W -PQhioiixJeflWQyabArVdIbKrfVtSCvcp7Mb12u4z9vlXsR/4KIu5E1tbW8vunhG -97j00KsWdFoH2YAlccVE220IYoU1V/7bPFPNrHviKNiku4TUSPpH+vt+inE+3xG+ -Bpw++vG7L3c92LrW0fexfGYXUmv40fkudC/BROmdQYmpdTHq26zRaW+VcBDrAQe6 -6oagF8rnXO9aS41KeFhNDrqN2PKd9oLAdkrJ5wfeadAMeNso2v/83FqXnDOVoXZU -6Vot6e74FGb9MLuzszh1NeKVBsFwAYHTIstAlNuer50LVRq3mnQrbpCdHCphmppE -ddB3rTM= 
+ZXSCD2hvbWUua3VuYm94Lm5ldDATBgNVHSAEDDAKMAgGBmeBDAECATCCAQMGCisG +AQQB1nkCBAIEgfQEgfEA7wB1AO7N0GTV2xrOxVy3nbTNE6Iyh0Z8vOzew1FIWUZx +H7WbAAABjka13wQAAAQDAEYwRAIgK0+HX4aRu8J69wpybX8ExvOSDT4GTFhQGz1t +RBm8WJMCICs/8Nj65/IEUp7AaBPruyrUFvbfhZ2pNxwQIy03fn3GAHYAO1N3dT4t +uYBOizBbBv5AO2fYT8P0x70ADS1yb+H61BcAAAGORrXg5wAABAMARzBFAiEAvSxW +MJIsOZei1W3J1C1hkMQwodZC/9ucFicCWXkX7UUCIFzShY5chEVFurxRDKSYLgV1 +R820vp8F9ilwp465IeE+MA0GCSqGSIb3DQEBCwUAA4IBAQCMEbmFNXyfSwczdrf9 +0SOFEVEP8guf6JHmlSL2hNI2cWp+08fyxIEHhvNtyyyLZ57lBvtE6Q8h8WNkKayz +wBUdrHbl9HMnznURX95uofgI/6GZKv1RHyxQd6KxJZCatIhxnsVfFfoDwJmzzg80 +/aoHksxbQzzJWLcm8fJTqsE95Alc1W4u+bDkHjj+OrvNYaHsQLjxedt++jN3o4at +bkOY3zEQyg5mspykq7DjxNpPIC9mSeH6dKZAzsOc6KRWVj91Ol68GYM35TWXUp+3 +kYkU828fznJQc77u9BysTGlyc4iYLzzb0Xus6McqOVPDVnNbeLxdHCQfF8A9Hh6F +o4UX -----END CERTIFICATE----- diff --git a/data/ssl/_.home.kunbox.net.crt_intermediate.pem b/data/ssl/_.home.kunbox.net.crt_intermediate.pem index efd07a1..6626b9c 100644 --- a/data/ssl/_.home.kunbox.net.crt_intermediate.pem +++ b/data/ssl/_.home.kunbox.net.crt_intermediate.pem 
@@ -29,35 +29,3 @@ HlUjr8gRsI3qfJOQFy/9rKIJR0Y/8Omwt/8oTWgy1mdeHmmjk7j1nYsvC9JSQ6Zv MldlTTKB3zhThV1+XWYp6rjd5JW1zbVWEkLNxE7GJThEUG3szgBVGP7pSWTUTsqX nLRbwHOoq7hHwg== -----END CERTIFICATE----- - ------BEGIN CERTIFICATE----- -MIIFYDCCBEigAwIBAgIQQAF3ITfU6UK47naqPGQKtzANBgkqhkiG9w0BAQsFADA/ -MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT -DkRTVCBSb290IENBIFgzMB4XDTIxMDEyMDE5MTQwM1oXDTI0MDkzMDE4MTQwM1ow -TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh -cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwggIiMA0GCSqGSIb3DQEB -AQUAA4ICDwAwggIKAoICAQCt6CRz9BQ385ueK1coHIe+3LffOJCMbjzmV6B493XC -ov71am72AE8o295ohmxEk7axY/0UEmu/H9LqMZshftEzPLpI9d1537O4/xLxIZpL -wYqGcWlKZmZsj348cL+tKSIG8+TA5oCu4kuPt5l+lAOf00eXfJlII1PoOK5PCm+D -LtFJV4yAdLbaL9A4jXsDcCEbdfIwPPqPrt3aY6vrFk/CjhFLfs8L6P+1dy70sntK -4EwSJQxwjQMpoOFTJOwT2e4ZvxCzSow/iaNhUd6shweU9GNx7C7ib1uYgeGJXDR5 -bHbvO5BieebbpJovJsXQEOEO3tkQjhb7t/eo98flAgeYjzYIlefiN5YNNnWe+w5y -sR2bvAP5SQXYgd0FtCrWQemsAXaVCg/Y39W9Eh81LygXbNKYwagJZHduRze6zqxZ -Xmidf3LWicUGQSk+WT7dJvUkyRGnWqNMQB9GoZm1pzpRboY7nn1ypxIFeFntPlF4 -FQsDj43QLwWyPntKHEtzBRL8xurgUBN8Q5N0s8p0544fAQjQMNRbcTa0B7rBMDBc -SLeCO5imfWCKoqMpgsy6vYMEG6KDA0Gh1gXxG8K28Kh8hjtGqEgqiNx2mna/H2ql -PRmP6zjzZN7IKw0KKP/32+IVQtQi0Cdd4Xn+GOdwiK1O5tmLOsbdJ1Fu/7xk9TND -TwIDAQABo4IBRjCCAUIwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYw -SwYIKwYBBQUHAQEEPzA9MDsGCCsGAQUFBzAChi9odHRwOi8vYXBwcy5pZGVudHJ1 -c3QuY29tL3Jvb3RzL2RzdHJvb3RjYXgzLnA3YzAfBgNVHSMEGDAWgBTEp7Gkeyxx -+tvhS5B1/8QVYIWJEDBUBgNVHSAETTBLMAgGBmeBDAECATA/BgsrBgEEAYLfEwEB -ATAwMC4GCCsGAQUFBwIBFiJodHRwOi8vY3BzLnJvb3QteDEubGV0c2VuY3J5cHQu -b3JnMDwGA1UdHwQ1MDMwMaAvoC2GK2h0dHA6Ly9jcmwuaWRlbnRydXN0LmNvbS9E -U1RST09UQ0FYM0NSTC5jcmwwHQYDVR0OBBYEFHm0WeZ7tuXkAXOACIjIGlj26Ztu -MA0GCSqGSIb3DQEBCwUAA4IBAQAKcwBslm7/DlLQrt2M51oGrS+o44+/yQoDFVDC -5WxCu2+b9LRPwkSICHXM6webFGJueN7sJ7o5XPWioW5WlHAQU7G75K/QosMrAdSW -9MUgNTP52GE24HGNtLi1qoJFlcDyqSMo59ahy2cI2qBDLKobkx/J3vWraV0T9VuG 
-WCLKTVXkcGdtwlfFRjlBz4pYg1htmf5X6DYO8A4jqv2Il9DjXA6USbW1FzXSLr9O -he8Y4IWS6wY7bCkjCWDcRQJMEhg76fsO3txE+FiYruq9RUWhiF1myv4Q6W+CyBFC -Dfvp7OOGAN6dEOM4+qR9sdjoSYKEBpsr6GtPAQw4dy753ec5 ------END CERTIFICATE----- diff --git a/data/ssl/_.home.kunbox.net.key.pem.vault b/data/ssl/_.home.kunbox.net.key.pem.vault index 80865d5..e8b045b 100644 --- a/data/ssl/_.home.kunbox.net.key.pem.vault +++ b/data/ssl/_.home.kunbox.net.key.pem.vault @@ -1 +1 @@ -encrypt$gAAAAABliUb76xBCh-ySEK5S2LUthvW7ySEIC63Z9jpoylEbplGh-Jbs7n0MEJWTa7MkN4Ke6vqB10VtkFjvHOJxoXaQDlb856YdCWbQuFxoHw3qdWBYUJ2zYisFo81TbiO07Brzdk-bD3IfedUUOjD7jNnp50GWp3i5ZEvsmpN38G1StzOBqTmrYYUePCLRo9NFp5k51bmHS-Q5BbHwHHDZ-8qwuGpcTTlU7OBtK27RrQBRBLoS3DFyS0ErGZtm_bzpW8N2o6lFGfjOpUHHodkQB4anLbb_5q2XxqFvEZY5dxbuuJsc1X4EltIJ8FD9stzSaEyh3GsV4Kz7Y6dGBkVEGfvjBykRUycHcCiqjgiuMjW0eX-wIc66BqRHU1bPiful99qPwXOh7oou59c8DwHKO9uFzcKKQIY21KPap2CWezh_WExCx14oCJ7yT0Cd3vjmBBaTwWxVN-jZxRlSIneEzLuwOBeB2Q== \ No newline at end of file +encrypt$gAAAAABl9W4O5LekyB_15MB30WObrH9t9ew-irVSO5PnG5C6neXdHFTtiun46guBfuqqJo99a-jXkdXrCMmmi_qmPylw625w27fh_jpV6imyJejUTNV5LZKJJ8-jgX43dsWZHdX29TgjLDl8ebVPOoeWv6GPZ2u0-88Aylr5d_T6A0c5NB0WG7481PiR8Obu-T8uMXJRTgQwMdwWJ8mIzceJ_lD1YeF3PBNSXJatcwRqmLRB_7YfQfFCOZEUutZHRUuIsvmyPwuql0bAoV9dfgQjdsGtuPmE2i58CCKtTuweb6sq-FsF6v6pvj7Joq9hStx9lYN3l36-Zl7OvwxWkMSjcrvQvbaAO7h7Aws8fkgFOEO5cBeN9x30nhSOdmYjqvSyRAFFdJu0PEFPdu6Ft9v_g_NnARRnvDokWEEKee_NRsEuKsct2kbu05pPOHerEpNjtPEwqKnTe387Z2K2wlnYfev6LSHSDw== \ No newline at end of file From 6296ab583d08d02922098a37f253a01a1d397640 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sat, 16 Mar 2024 11:04:49 +0100 Subject: [PATCH 586/996] add node attribute for all hosts that don't use letsencrypt ssl certs --- nodes/attributes.py | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/nodes/attributes.py b/nodes/attributes.py index 8460bc9..85fa36d 100644 --- a/nodes/attributes.py +++ b/nodes/attributes.py 
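Review bot: The second certificate removed from `_.home.kunbox.net.crt_intermediate.pem` looks, from the base64-encoded subject and issuer names, like the ISRG Root X1 cross-signed by DST Root CA X3 (its encoded validity appears to end on 2024-09-30); after this change clients that trust only DST Root CA X3 can no longer build a path to the leaf, which is probably intended but is not mentioned in the commit message `bump _.home.kunbox.net`. A sentence there, or a short note beside the files in `data/ssl/`, would spare the next reader from decoding the blob to find out what changed in the served chain.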
@@ -22,3 +22,15 @@ def needs_apply(node): io.stderr(f'{red("!!!")} {bold(node.name)} {e!r}') return False + + +@node_attribute +def uses_bw_managed_ssl(node): + if not node.has_bundle('nginx'): + return False + + for vhost in node.metadata.get('nginx/vhosts', {}).values(): + if vhost['ssl'] not in (None, False, 'letsencrypt'): + return True + + return False From a4e51c5d54889ae1f8f782c65f25f2361d7faf7d Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sat, 16 Mar 2024 14:49:28 +0100 Subject: [PATCH 587/996] home.router: remove dns search domain --- nodes/home/router.py | 2 -- 1 file changed, 2 deletions(-) diff --git a/nodes/home/router.py b/nodes/home/router.py index a35fa5e..6fa3aa3 100644 --- a/nodes/home/router.py +++ b/nodes/home/router.py @@ -55,9 +55,7 @@ nodes['home.router'] = { 'higher': '172.19.138.250', 'subnet': '172.19.138.0/24', 'options': { - 'domain-name': 'franzi-home.kunbox.net', 'domain-name-servers': '172.19.138.1', - 'domain-search': 'home.kunbox.net', 'routers': '172.19.138.1', }, }, From ae14265abc128443e5eae1328b9dbbc6595e44ff Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 17 Mar 2024 18:32:28 +0100 Subject: [PATCH 588/996] bundles/matrix-synapse: add sliding-sync proxy --- PORT_MAP.md | 1 + .../files/matrix-sliding-sync.service | 27 +++++++++++++++++ bundles/matrix-synapse/items.py | 29 +++++++++++++++++++ bundles/matrix-synapse/metadata.py | 15 ++++++++++ nodes/carlene.toml | 4 +++ 5 files changed, 76 insertions(+) create mode 100644 bundles/matrix-synapse/files/matrix-sliding-sync.service diff --git a/PORT_MAP.md b/PORT_MAP.md index 90b46f4..908b747 100644 --- a/PORT_MAP.md +++ b/PORT_MAP.md 
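Review bot: `vhost['ssl']` raises `KeyError` for any nginx vhost that does not set `ssl`, and this node attribute is evaluated for every node with the nginx bundle; `vhost.get('ssl')` keeps the same truth table because a missing key falls into the `None` case: `if vhost.get('ssl') not in (None, False, 'letsencrypt'):`. The name is easy to misread, so a docstring would help: `"""True if any nginx vhost has ssl set to something other than None, False or 'letsencrypt', i.e. a certificate bundlewrap has to ship itself."""`.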
@@ -30,6 +30,7 @@ Rule of thumb: keep ports below 10000 free for stuff that reserves ports.
 | 20010 | mautrix-telegram | Bridge |
 | 20020 | mautrix-whatsapp | Bridge |
 | 20030 | matrix-dimension | Matrix Integrations Manager|
+| 20070 | matrix-synapse | sliding-sync |
 | 20080 | matrix-synapse | client, federation |
 | 20081 | matrix-synapse | prometheus metrics |
 | 20090 | matrix-media-repo | media_repo |
diff --git a/bundles/matrix-synapse/files/matrix-sliding-sync.service b/bundles/matrix-synapse/files/matrix-sliding-sync.service
new file mode 100644
index 0000000..0eaa5b9
--- /dev/null
+++ b/bundles/matrix-synapse/files/matrix-sliding-sync.service
@@ -0,0 +1,27 @@
+<%
+ database = node.metadata.get('matrix-synapse/database')
+ db_string = 'postgresql://{}:{}@{}/{}?sslmode=disable'.format(
+ database['user'],
+ database['password'],
+ database.get('host', 'localhost'),
+ database['database'],
+ )
+%>\
+[Unit]
+Description=matrix-org sliding-sync proxy
+After=network.target
+Requires=postgresql.service
+
+[Service]
+User=matrix-synapse
+Group=matrix-synapse
+Environment=SYNCV3_SERVER=https://${node.metadata.get('matrix-synapse/baseurl')}
+Environment=SYNCV3_DB=${db_string}
+Environment=SYNCV3_SECRET=${node.metadata.get('matrix-synapse/sliding_sync/secret')}
+Environment=SYNCV3_BINDADDR=127.0.0.1:20070
+ExecStart=/usr/local/bin/matrix-sliding-sync
+Restart=always
+RestartSec=10s
+
+[Install]
+WantedBy=multi-user.target
diff --git a/bundles/matrix-synapse/items.py b/bundles/matrix-synapse/items.py
index 527cc5e..fc851c6 100644
--- a/bundles/matrix-synapse/items.py
+++ b/bundles/matrix-synapse/items.py
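Review bot: The unit puts the database password (inside the `SYNCV3_DB=postgresql://user:password@…` URL) and `SYNCV3_SECRET` into `Environment=` lines of a unit file that the items hunk writes without an explicit `mode`, and `systemctl show matrix-sliding-sync` reveals `Environment=` to any local user; an `EnvironmentFile=` with restrictive permissions, or systemd's `LoadCredential=`, keeps both out of world-readable state. `Requires=postgresql.service` without a matching `After=` does not order startup, so the proxy can come up before PostgreSQL and cycle through `Restart=always` on boot: `After=network.target postgresql.service`. `database['password']` is also pasted into the URL unescaped, so a password containing `@`, `/` or `%` breaks the connection string; `urllib.parse.quote()` in the template preamble would handle that, and `sslmode=disable` deserves a comment stating it is only meant for the `localhost` default.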
@@ -57,3 +57,32 @@ svc_systemd = {
 },
 },
 }
+
+if node.metadata.get('matrix-synapse/sliding_sync/version', None):
+ files['/usr/local/bin/matrix-sliding-sync'] = {
+ 'content_type': 'download',
+ 'source': 'https://github.com/matrix-org/sliding-sync/releases/download/{}/syncv3_linux_amd64'.format(
+ node.metadata.get('matrix-synapse/sliding_sync/version'),
+ ),
+ 'content_hash': node.metadata.get('matrix-synapse/sliding_sync/sha1', None),
+ 'mode': '0755',
+ 'triggers': {
+ 'svc_systemd:matrix-sliding-sync:restart',
+ },
+ }
+
+ files['/usr/local/lib/systemd/system/matrix-sliding-sync.service'] = {
+ 'content_type': 'mako',
+ 'triggers': {
+ 'action:systemd-reload',
+ 'svc_systemd:matrix-sliding-sync:restart',
+ },
+ }
+
+ svc_systemd['matrix-sliding-sync'] = {
+ 'needs': {
+ 'file:/usr/local/bin/matrix-sliding-sync',
+ 'file:/usr/local/lib/systemd/system/matrix-sliding-sync.service',
+ 'postgres_db:matrix-sliding-sync',
+ },
+ }
diff --git a/bundles/matrix-synapse/metadata.py b/bundles/matrix-synapse/metadata.py
index 8a3175a..d0cb15e 100644
--- a/bundles/matrix-synapse/metadata.py
+++ b/bundles/matrix-synapse/metadata.py
@@ -88,6 +88,14 @@ def nginx(metadata): if not node.has_bundle('nginx'): raise DoNotRunAgain + wellknown_client_sliding_sync = {} + if metadata.get('matrix-synapse/sliding_sync/version', None): + wellknown_client_sliding_sync = { + 'org.matrix.msc3575.proxy': { + 'url': 'https://{}'.format(metadata.get('matrix-synapse/baseurl')), + }, + } + wellknown = { '/.well-known/matrix/client': { 'content': dumps({
@@ -97,6 +105,7 @@ def nginx(metadata):
 'm.identity_server': {
 'base_url': metadata.get('matrix-synapse/identity_server', 'https://matrix.org'),
 },
+ **wellknown_client_sliding_sync,
 **metadata.get('matrix-synapse/additional_client_config', {}),
 }, sort_keys=True),
 'return': 200,
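Review bot: `svc_systemd['matrix-sliding-sync']` depends on `postgres_db:matrix-sliding-sync`, yet the unit template connects with `matrix-synapse/database`, i.e. synapse's own database, and nothing in this commit declares a `matrix-sliding-sync` database; unless that item exists elsewhere the apply fails on an unresolved dependency, and if it does exist the proxy never uses it. Either point the template at a dedicated database entry or drop that `needs` line, and add a comment stating which database the proxy is meant to use, since it creates its own tables there. `content_hash` is read with a `None` default, so a node that sets `sliding_sync/version` but no `sha1` appears to download an unverified binary into `/usr/local/bin`; reading `node.metadata.get('matrix-synapse/sliding_sync/sha1')` without the default makes the hash mandatory, as `carlene.toml` already supplies it.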
@@ -118,10 +127,16 @@ def nginx(metadata): } locations = { + '/_client/': { + 'target': 'http://127.0.0.1:20070', + }, '/_matrix': { 'target': 'http://[::1]:20080', 'max_body_size': '50M', }, + '/_matrix/client/unstable/org.matrix.msc3575/sync': { + 'target': 'http://127.0.0.1:20070', + }, '/_synapse': { 'target': 'http://[::1]:20080', }, diff --git a/nodes/carlene.toml b/nodes/carlene.toml index 8b231fd..470d26c 100644 --- a/nodes/carlene.toml +++ b/nodes/carlene.toml @@ -92,6 +92,10 @@ server_name = "franzi.business" trusted_key_servers = ["matrix.org", "finallycoffee.eu"] additional_client_config.'im.vector.riot.jitsi'.preferredDomain = "meet.ffmuc.net" wellknown_also_on_vhosts = ["franzi.business"] +[metadata.matrix-synapse.sliding_sync] +version = "v0.99.15" +sha1 = "cecb371ff5f1dd528cfc490484a0967dcc28cd82" +secret = "!decrypt:encrypt$gAAAAABl9yJlbEZafJ2mumtg03rW0-440NIgFcgdWGMo3Axrypugwctacy9Cq7MYtCBGjnDyNvVLI5B2QMJ9ssCD46NCsFRN3-X4u9rDtxPhRZV7rls_LQ_Csc_GsffJfvpmHbn_wsljd3I74h4ouWlYhhEQUIKwb3eErSZ_VTZhu_bC4jTa0FY=" [metadata.mautrix-telegram] version = "v0.15.1" From 104d1f11bf4118e295aa408fd755d8e0d6a3e582 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Fri, 22 Mar 2024 22:52:12 +0100 Subject: [PATCH 589/996] bundles/wireguard: support s2s connection to other services --- bundles/wireguard/files/wg.netdev | 2 ++ bundles/wireguard/items.py | 2 +- bundles/wireguard/metadata.py | 6 ++++-- 3 files changed, 7 insertions(+), 3 deletions(-) diff --git a/bundles/wireguard/files/wg.netdev b/bundles/wireguard/files/wg.netdev index 375bada..c6abf78 100644 --- a/bundles/wireguard/files/wg.netdev +++ b/bundles/wireguard/files/wg.netdev @@ -10,7 +10,9 @@ ListenPort=${port} [WireGuardPeer] PublicKey=${pubkey} AllowedIPs=0.0.0.0/0 +% if psk: PresharedKey=${psk} +% endif % if endpoint: Endpoint=${endpoint} % endif diff --git a/bundles/wireguard/items.py b/bundles/wireguard/items.py index 4298dde..0d8d13d 100644 --- a/bundles/wireguard/items.py 
+++ b/bundles/wireguard/items.py @@ -25,7 +25,7 @@ for peer, config in sorted(node.metadata.get('wireguard/peers', {}).items()): 'peer': peer, 'port': config['my_port'], 'privatekey': node.metadata.get('wireguard/privatekey'), - 'psk': config['psk'], + 'psk': config.get('psk'), 'pubkey': config['pubkey'], 'specials': repo.libs.s2s.WG_AUTOGEN_SETTINGS.get(peer, {}), }, diff --git a/bundles/wireguard/metadata.py b/bundles/wireguard/metadata.py index 3c055ba..1aa6e4a 100644 --- a/bundles/wireguard/metadata.py +++ b/bundles/wireguard/metadata.py @@ -253,7 +253,7 @@ def interface_ips(metadata): my_ip = '{}/31'.format(config['my_ip']) ips = {my_ip} - if snat_ip: + if snat_ip and peer in repo.libs.s2s.WG_AUTOGEN_NODES: ips.add(snat_ip) their_ip = config['their_ip'] @@ -289,12 +289,14 @@ def snat(metadata): forward.add(f'iifname wg_{config["iface"]} accept') forward.add(f'oifname wg_{config["iface"]} accept') - if snat_ip: + if snat_ip and peer in repo.libs.s2s.WG_AUTOGEN_NODES: postrouting.add('ip saddr {} ip daddr != {} snat to {}'.format( config['my_ip'], config['their_ip'], snat_ip, )) + elif config.get('masquerade', False): + postrouting.add(f'oifname wg_{peer} masquerade') return { 'nftables': { From e6f6229b87399ad13248a40d294afc65728a6bf9 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sat, 23 Mar 2024 10:19:15 +0100 Subject: [PATCH 590/996] bundles/wireguard: do not generate PSKs for unmanaged nodes --- bundles/wireguard/metadata.py | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/bundles/wireguard/metadata.py b/bundles/wireguard/metadata.py index 1aa6e4a..c08d5ca 100644 --- a/bundles/wireguard/metadata.py +++ b/bundles/wireguard/metadata.py 
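Review bot: The new masquerade rule names the interface `wg_{peer}`, while the surrounding `forward`/`postrouting` rules use `wg_{config["iface"]}`, and `iface` is the sanitised, 12-character-truncated peer name (`sub('[^a-z0-9-_]+', '_', peer_name)[:12]` in `peer_psks`); for a peer whose name contains other characters or is longer than 12 characters the rule refers to an interface that does not exist and nothing is masqueraded. Use `postrouting.add(f'oifname wg_{config["iface"]} masquerade')`. The same `peer in repo.libs.s2s.WG_AUTOGEN_NODES` guard is added here and in `interface_ips` in the preceding hunk; a one-line comment on why SNAT is limited to autogen peers (`# SNAT only towards our own nodes; foreign peers get masquerade`) would document the split. `snat` starts and ends outside the hunk.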
@@ -83,10 +83,15 @@ def peer_psks(metadata): 'iface': sub('[^a-z0-9-_]+', '_', peer_name)[:12], } - if node.name < peer_name: - peers[peer_name]['psk'] = repo.vault.random_bytes_as_base64_for(f'{node.name} wireguard {peer_name}') - else: - peers[peer_name]['psk'] = repo.vault.random_bytes_as_base64_for(f'{peer_name} wireguard {node.name}') + try: + repo.get_node(peer_name) + + if node.name < peer_name: + peers[peer_name]['psk'] = repo.vault.random_bytes_as_base64_for(f'{node.name} wireguard {peer_name}') + else: + peers[peer_name]['psk'] = repo.vault.random_bytes_as_base64_for(f'{peer_name} wireguard {node.name}') + except NoSuchNode: + pass return { 'wireguard': { From aa0d4e5a76ef3beb332346751833e09419be444a Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sat, 23 Mar 2024 10:19:35 +0100 Subject: [PATCH 591/996] kunsi-p14s: set correct ip --- nodes/kunsi-p14s.py | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/nodes/kunsi-p14s.py b/nodes/kunsi-p14s.py index 0bad208..8f2f0b9 100644 --- a/nodes/kunsi-p14s.py +++ b/nodes/kunsi-p14s.py @@ -39,7 +39,7 @@ nodes['kunsi-p14s'] = { }, 'interfaces': { 'br0': { - 'ips': {'10.73.100.103/16'}, + 'ips': {'10.73.100.112/16'}, 'gateway4': '10.73.0.254', 'dhcp': True, }, @@ -188,6 +188,7 @@ nodes['kunsi-p14s'] = { 'my_port': 51819, 'their_ip': '172.19.136.64', 'routes': { + '10.73.0.0/16', '172.19.128.0/20', }, }, From 9b4a473236084f10202bc9311efe14d0ef67ca27 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sat, 23 Mar 2024 10:19:56 +0100 Subject: [PATCH 592/996] htz-cloud.wireguard: add c3voc vpn connection --- nodes/htz-cloud/wireguard.py | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/nodes/htz-cloud/wireguard.py b/nodes/htz-cloud/wireguard.py index 0b1d162..6c6c17a 100644 --- a/nodes/htz-cloud/wireguard.py +++ b/nodes/htz-cloud/wireguard.py 
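Review bot: The `try` block wraps the PSK generation together with the `repo.get_node(peer_name)` existence check, so a `NoSuchNode` raised anywhere inside is swallowed, and the discarded return value reads like a mistake without a comment. Narrow it to the check and say why: `try: repo.get_node(peer_name)` / `except NoSuchNode: continue  # foreign peer, not managed here: no generated PSK`, then keep the `if node.name < peer_name` / `else` assignment after it at loop level (assuming the try block is the last statement of the loop, which starts outside the hunk). `NoSuchNode` must be in scope in this metadata.py; its import is not part of the hunk.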
@@ -33,6 +33,7 @@ nodes['htz-cloud.wireguard'] = { }, 'bird': { 'static_routes': { + '10.73.0.0/16', '172.19.137.0/24', '172.19.136.62/31', '172.19.136.64/31', @@ -64,6 +65,17 @@ nodes['htz-cloud.wireguard'] = { 'wireguard': { 'snat_ip': '172.19.137.2', 'peers': { + 'c3voc': { + 'endpoint': 'wg.c3voc.de:13337', + 'my_ip': '10.44.0.35/24', + 'my_port': 51801, + 'their_ip': '10.44.0.1', + 'pubkey': vault.decrypt('encrypt$gAAAAABl_fnDW_9u0RLQpKmiE9V-4DjEcEVSaGp5NohG8tBD3tayGkrDd-LahgeEhDeWlCnoomErZi6HHCag3ODeoKivPr9F_UfdKPEOlCoDkMahqud8p5_3edi-TvIt30Bq_45yeIOo'), + 'masquerade': True, + 'routes': { + '10.73.0.0/16', + }, + }, 'kunsi-oneplus7': { 'endpoint': None, 'exclude_from_monitoring': True, From 1d5bcf74c0293c62b1ccf9eb422388295d1f9b6c Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sat, 23 Mar 2024 10:27:30 +0100 Subject: [PATCH 593/996] remove bundle:openvpn-client --- bundles/openvpn-client/items.py | 25 ---------------------- bundles/openvpn-client/metadata.py | 20 ----------------- data/openvpn-client/c3voc.conf.vault | 1 - data/openvpn-client/smedia-priv.conf.vault | 1 - nodes/kunsi-p14s.py | 13 ----------- 5 files changed, 60 deletions(-) delete mode 100644 bundles/openvpn-client/items.py delete mode 100644 bundles/openvpn-client/metadata.py delete mode 100644 data/openvpn-client/c3voc.conf.vault delete mode 100644 data/openvpn-client/smedia-priv.conf.vault diff --git a/bundles/openvpn-client/items.py b/bundles/openvpn-client/items.py deleted file mode 100644 index 7d35517..0000000 --- a/bundles/openvpn-client/items.py +++ /dev/null 
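Review bot: `'my_ip': '10.44.0.35/24'` carries a prefix length, but `interface_ips` in bundles/wireguard/metadata.py builds the address as `'{}/31'.format(config['my_ip'])`, which would give `10.44.0.35/24/31` for this peer unless that function skips non-autogen peers somewhere outside the visible hunks; the other peer entries on the page (`'their_ip': '172.19.136.64'`) carry no prefix. Drop the `/24` here or make `interface_ips` accept an explicit prefix, and add a comment on the entry, `# external peer, not a bundlewrap node: masquerade instead of SNAT`, so the reason for `masquerade` and for the vault-wrapped public key is recorded. `nodes['htz-cloud.wireguard']` starts and ends outside the hunk.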
@@ -1,25 +0,0 @@ -from os.path import join - -directories = { - '/etc/openvpn/client': { - 'mode': '0750', - 'owner': 'openvpn', - 'group': None, - 'purge': True, - }, -} - -for fname, config in node.metadata.get('openvpn-client/configs', {}).items(): - files[f'/etc/openvpn/client/{fname}.conf'] = { - 'content': repo.vault.decrypt_file(join('openvpn-client', f'{fname}.conf.vault')), - 'triggers': { - f'svc_systemd:openvpn-client@{config}:restart', - } if config.get('running', True) else set(), - } - - svc_systemd[f'openvpn-client@{fname}'] = { - 'needs': { - f'file:/etc/openvpn/client/{fname}.conf', - }, - **config, - } diff --git a/bundles/openvpn-client/metadata.py b/bundles/openvpn-client/metadata.py deleted file mode 100644 index 9c5b722..0000000 --- a/bundles/openvpn-client/metadata.py +++ /dev/null @@ -1,20 +0,0 @@ -defaults = { - 'apt': { - 'packages': { - 'openvpn': { - 'needed_by': { - 'directory:/etc/openvpn/client', - }, - }, - }, - }, - 'pacman': { - 'packages': { - 'openvpn': { - 'needed_by': { - 'directory:/etc/openvpn/client', - }, - }, - }, - }, -} diff --git a/data/openvpn-client/c3voc.conf.vault b/data/openvpn-client/c3voc.conf.vault deleted file mode 100644 index e18a68e..0000000 --- a/data/openvpn-client/c3voc.conf.vault +++ /dev/null 
@@ -1 +0,0 @@ -encrypt$gAAAAABje8PnbzxHl_1Lr3mpXemItAaxmkeKsKtZ1dWVxcK9DJ8MUNKwryWcmcMkpHFFgYrjmyU3pw93vmlPn6wa0Vc5IcY4ZR3xqO9LqhgXtzD_PGXwAhL9vTEVinDdBS_3S9ub9w8LhlLv99eHVbojqCw7xHtwvo4Nc78EZexuHrhitWEP-ailL_UGXpeaQzUZegjzK8lbUqdgEIUFQb7nraZGm3ZwHVt8oQ3Qeipb6joiFo1jChFiIIRXk1M4TqZAHiRCWIuMomXxDio386WcvnEpghVAebU5s2EgSIjoaDW9DQhLNzuUAFjJW_ugBJNZd3wA3m0CdpSWskpi3ppK0YRbIOxepgtoFa_sITu0OdTRKUgbEnNU8zePwf6zHe2ujH_AjHQ_F1Y46KDsk5yi_8yC5Ml8ivyHkUV0CI4eRYd5pwl0HxFh-gaxZoCPfVec2-13gLY_eugtydTux0Ci4DXsc_RnPUvKpMS5eTPSK-YggB_ctjUV4-Au-WQQ3830-gruYePxnuhtSRsxNbf_MsUVKPM6zYdHg6sXX7RN7EvZ-tyATPVTdwDDf-F0xjiRMQd8gNcklELo--OjKV-J2yj6bZNG3TVDk74DVKiogytrvevQYG-cMIIPLFNBIRrhn5Xycy2ypZj3R-qvfksb0aQtTl3NYzWrJZBw8n0HtUxtLZRqH-e4zz0ft6rKdI576NIjNHksMeKt_8W_Rty-huNicrXX2tZYoi3_D5EglFtRuhgygSPoFiPh-BU5bQaconMDuQki5vemSGYL8tC1Oy4VhnMHwGRHBm76a4LsC_lBB97uWlBtZ7ubd8CmXQfijxewWmKliMOlsMgBG8nb25cpxBoklPpq4VG_JKMNGZN1Sa-e4TdLe4Men655qMZ1eUyp0AYiScQplwKDcADlFUmbuj7FBqZ5hqKhgnLZydUk2skZsD_GydNEA9PAkULM34p24T0sND-BmLnE7TAtdEaxpNq9uhsVSEa59EJhCq0Zygs3MTSAWZ8r1rxPVfwvTdEm30whhqEwn53zbFLQWCnKbINUx37MMrgyRAYL_kP6JLlz8ANQYCu5TFGwn2_d6vEahesXAvIB8CuN2CMqx5XMQrI5GE45g0a0vp3tLUuU_4RX5qLBPCig5UvxXA0PXuSsuhvKRMN8Le0h-s4KEX6xWon4rb7adsj9WuyMDolySqW3FB7grf-eqx3S_PfCZEL3w-URzuQbkKUH0BgDkltmTr6ZgoNqWxVIbYDIjzO4TGNOItDWQBrAOlOakTj2X3NyOim1btLw8RlVRRdcUNq2ueLquyrcvGOhFMkAYYgXR34Z7FE4DG70omfETAzc4jhvcggYRjxZLwMcImbs_q6ZhfYY_SQkNP7_ot2lE8UoU13j3mKYdZoMQ0LL_IRMt4g_CYWtHRjKY0m2cmP4avwK469H337LXwijwrSLNP6jUtqbUyhX-HiGtkJ6ZlIzH7JHfO5CEl7Fu_3ljla9CTKcXybORj_ElwHWOufACHbpC8jc6LLnxwYVjBiFuCIn2JiulGygef8LQemXHN6vud1xWtKf_OhJFDGkJX1D-IwYK_5MGkLZZUj6K4NMelWQIecR5qkYcDOc1-URKxUO8-g_pALbTzrVaf6aybQl9xQasyFb84aD0Gp8CgmDQG0yt_KH0TQNr9-mUQhS4baEF4O4TwrgERdl0sJ-521wBCyq2M3hAbcBtP1n8vxjfxkv9PLBaRHldGoPqCWDQmEnT57CZToj_MjVI_mJRPJ900VZk8IRIkmmeiGup0jbJujrAf6sQ5MGIUMVBEA_gc9qFgRruU-2PpA0mwsbomsv0aUSZKXSHMF_KyHoSC73haDNxzifbbJV2PzNVp1ce_j9m3V1SUbAgKUaIBzf52hDfC2Ub373EXE5z0JmvnLNWYe5SLw5iLLOXiriujzNsEdi5_AoOEx5wuLNwhR9mmvB8giUsbp0c-EC_
JC3vPt1W-6unsb2CnMrIvqjRLVXhE0ZyzVtAl0JVlQ9bb3Va5HL2aLE3DOQrMl1E0iddmsNrsJrGM80X1RGMwyXrVNoDTjkxVTKg4tqngV4BCYkzD7xkKh5mBatYCSwetb2IRslut5SvJOBzJ-wLNjxcWiBIs2NEEGMfj8WjiXY7JOmaneXjprrsVsmvDAlHEMjtZpXlML72lfYkF64SA9uhz2wQLKuUXCWZPENCytYz52TtEtePmPOKP4CPi_w1QyP7CLhymOWZAQQc3xHDnL3orpUbstpYgdo34D-iuSyd3quQLTJQnPTC1fKxJuNrKBxftqs3ZbE4EBxLjBxhW3hVadS4-VYzdc--nv8hPLQU1k8IpGAJ5U7kmxROKQMJEqr9Ay4zosY8AqnPqD48cJ5o2hDSa9Znve9QIaXKV1dH3WPsF8aEu71E7hH-TXo-56HY_lxfPejaa7Ls3JZ6JJKNh8KncQU1AdARIU9Gw-bCpfQuKTaB7F6OdrqcGd4Qhic0kvIkWzFGLKUsQ_UigcbdW0h1kIU6qZJxV-8KQMhHOUsoXgVExkNU7bBlXxCa8-owQkTY1auTyCDvGIET36UzKyfSyympBIdL3YWNphgErhI4ZMrr3ol6iPAWqlQYxpu9OY1XYq63KvSXirIm3YEW0_FqCm2jgQdYqXoelgpAqmTSCfCaZTRMm__zqf0xqVUTYagVGUHUNpTKwr_YD-F7KtgnGH_KDSt-auNBfAJEMB9-c1AgmkYff4FLhiu_pUJaD7U1qwac8fu1amf9obUNTX_zArJqYwOCFKJcRR7mOH_TABT58VaCcMPaI6cKKoBj_UtfSKH-m_Vq_N6uMbcMFZahhBuLGKTtidCqHENz1IGo8FePAUaFgg7rviyHg4cfZMXkI8YG5S447rj5F52j2nOsWWS2yxUGVbgIUFqCEDk_c4eeEBhzfFVc4gyPssuAOWn-FvIrMOInNyctgqQSmRpYzorsYzTtdJCO1wnz5m-gbrGKkwd10TTf2Wt24xxhPOsAGv_ZFD2jlKtzAseRvR9lKAVr-roApPS1Ikeeq2mDrwrz5qEX9L8U5TCh3GVihQRbOtDphivDmeAEu_OS5yZyDFEtqoea31dtz3dmbLws8_ph_7E9ZDHv8OmAbDVC0hoq65Wl6r2jeJ-nnowy4ntRqw9zUfwJnMb56cXAbsLUnKr_CJ5sk0ip3yRJW7tcMwVOB33QZWfrlr9IJJEKkKS56BuuhZriUQCqT6ZXf0U64GHirSz8C7uG7bPKk9cSO9dKAPMAhhuzf7Z9wTlXtGfja_XbHL0zaSc5xINrdTZiXRidaj0YSHNw3aPokwAmzsDZv8kVwwX7Wdnb_StkClle5EuIVcRfeyz7l5jQC-Bsqe3mVnN3KmPAWzHhT_p3TDk843OEN59b6vv286Z_kEijIu2ujW5isdZLnUgvprTq9LkLaAvSF53ruPiWR7lPg4vrT9Ag8P6No1wDuTKK9M7ZI79a7optNYlJw_dWCjE0VU4cFF74Kxdg9kjnsrkQrNInDFFwCQRfTMr2gPTXdMmWJX1a_U1PGUdoAv7v5pwPoXPO2iaBeqw98GpCPc463mOOpp2_rrKbUIfJ9IjCFN8MBvbvnHxQoLrif-D5xvFaZ1CxtfMSLo4jecJFQ62kRxbkOfNlRGyVX9e9ZN8LJ3Hr5hKx6EJelUktjpYdZZjr9jmQa8E7mmKzw918nbaQEt28xp_yJ2G18EqYw5k1fICvYwbrSwVnJnrFIOc3dNbMz9jt2CLccNx6V1w5bLagGj99zWdpywEqpzrIUFUz0rpQRD9kbHHwaTCPZ0R2tW8XFYN6nPvaTMsJWRXR4Z9jqW6x95vB6O11sCOM_z8fJYjHWTsA0VQbzdglHo7iKDH7qjprC8AtHzYSVknP4WSIOst93Me9KTmZNcNls34vS507SeJpMMQ9JOT4Vd_ZGcvZmhhZ2pbAxyruglTOmdF5Dny5PZfiAACg
CY74s7H759o2jPDiY6cJddanH44uCtXVSWsBLbFh9ImWKWfFPH6kffAq1UoLRvAoz3apZGdCU4gLpUYgevudO7y6jL5U5xQC9pyKJuwQ5TpXBpZ3ADVvpttcilAVi4oc-zgigJRxiJAl2SxpN0BfcW43cLM17s26xEEtry_bFv_K4_DjAV2lkVxCebHAvXnSoJu8Ub8_59bZTCov690l48wa0yHf6ANnxFkvV1dmweTdLvplSfVRbRICrljm2fMYJpI2IIJ1JGKHzY2T76oeIzoitwgAetWgz04w8beC8YTv1zwMNOoXslz3XYRHBE2Z6BQ2DGWgFMlfBcea8aUJKJJC1E93iz2GHNysFLYF8gLrM1obE26G1q5i6djJtmF7fSQyterDRIpvQNR8WhMKn5z-oGzOU1ZwTXhuYOV7CITDHfUuAd11hT6hbiDp1m9JfCmZZCkUdPayH57XdNKwsTm1C9m3vwdTVGmySTqvhiRGKnz5jBhnI1qQloIqRNbtUjicpCd_vpUbgPaYxQYZZZS3OjVAcMNqb3EFO2G-E6uS5EY9C8iIzMRDpc4T5PnT3WdvlqPPPWOEAIHRvlIInOyI5g_q6hR9NyJ_-pR-ebz7KUbXZnv4TxS9gSnfBeDPGLZ3TQ0YJJ_ecXWzwuT-TYRDO4WlQxssci_KayBlK6NVeCs6c4JhDiKghID6gBiy3StNDmvNKzb0jwv1vPhuJ6TLFr3NHXx4wqCKu9W8hIGx3d5KceCfubhzF0qW7GmorGWeud5WDMNn9KSBMyIrRT3YwpHzaDEyCcKaIwfZLEWSIV7io3cB1STdKHUJ_6NHTPsTA-4f7nFk5AnNl9MtVCK82si5w0v6-PU8z6Otu4JdoCGUx_ppPPnAYsuiWqQGswEJszgCRjckshMr6LZn804C2urW--JMUcMn8Zb5CCDut6HDk002hKDhprsMJKItp5raIM03u4m75gBA4b0gu_PLCbzAOQRY_gGUsxk3jL1LvLrq0mmlS8w51Ri4i6gDFJ6FviSFjhpMGPqwONX78HnFYlWajdGTbEc_0Q-l_zrhuh3iP2vxvuh1Es75g3X6AxcxTJYn7wfE4whWv_g8NCg6kW7NAM91AmUzf5SG2sEqYa-wy7JYDOIqVj7K6CiagEsKEXEyeu17VrpH5FQCqzfd3pCDECPFbwF28Y7A74VvL45GnmG0Iup5qmcZJWQ60ZYaxxq37jVRGX464-lnygem4leqHBa30_-a6lWywPCiJYSedfxZ1ekrqiAlYAKDS2VpI6fbRmgwQMf4p381iUBIbjpXO7VVneBS4CCY0H1G9TdXVhWsArMzODxw2reTo0oSHyGkXhvImEkBnPeqpJFtT7rc90Aw6BeeZMcVwiM7_1xvfZ6c6N6ldBii4kcJAuQ5qq8Ew-mriYknK1wnX0QzYReO7uu5hgb3jPC5L59MO8LysjBN0JgWRl6z0BU0bPBnClscgkHbkqDtWBToUThpymJSJe9HeH_2PfUWvAUMh-139fUoLsKW27agLYgySuP1vYdNUCxda32R5DlCe-5c_O6cZhokSng9BeFgtldHu1s_phs0w0EYdMuBGzi_n62-77_kGwwHBkwPK4q-ti-dkACMvyQQdbxFOAiQWcLmjAkFelufq_ydYlUst7OzFlJ232onjLV4xRBYvn9aiIoaxCwxFswuWHeQ_SDdOfFcEu12SuOuvH6y9t_s8Tmus_PTbzLoHCX4VOe1hytZV-WCr8M_9RuMseInz1Qb0pIbi6tXgMjLukTVmNu0KOeQrFkEtggpLhYkEE2REajUhlo7gpdWH0nRazsU-cM1WbVChDsf6BXYlaDziOi4DyQViXDWjQ9jM-xUtCaWngVcpnx0wnNd5j04G2oIF1a9T0ZH1_vsgZwvX-KmX-KBY8qcv0zUA3anBKPUeZ0n0JGN7Suj_Upl-IobJM2nv_HbI8CYFFa9SGphxxKSPNA-FMZH0n8cLG50hOWJ7GSn
1DtNY3_9uZC4my3nnJ9DDFTS8xhH2-UHHqFy7sAP3GthtDJsydQnZ5lfI47S8J7XC55bWxYrphYOcDhZbn-r2gKIniyncwODrx2yX_4TXHXjxjQScRZliJ-AlmKcFnSXBbL1LPoWSwqtxaB0_f5F9U5CfnPa7kSnmqit6bNvdvzJ3HVWAaUKTkcnLeOAz17MNH9gPuoY2SpXe5siLykWxcwdzYlkCfU9-IbnC_tJqyadfWnVsvOJ6YiPxEOofy-ZFzpq7YRbz3cxLq6Zm3QzKovYPbDEdpimU_pt08HSmQyTqP8WMsoXOF3otqt_Q2nYrRCwljfY-SACU8-zCw0eU_rrV_FLuYgoiwnyFBIWtr35vHs6ZEevpjvBUg-ikkWBgLUV7WpX6V2976orH3oF4hmewllyLDOGaChCcFnOZOj9EEbYJfp6FaqQjzICr1ShXwSp5K_E-BEVax6bsmLkH_AY1B0CIlc_zN_o-sS0vjs4dlQwD7dYciayOFh3nvSwrR-IZiUrPMmnqq-4oo18k7LjNQTQmZh-OWIROBxhfjVIRb0V1MR2SS0INYgtqpycuFjKYgAIxeY_of0BlBwm-4YkuOKzA4gvGY9Cxd4rLx99tU6wR3YQ7VVGX0tLUDPqtyKnjMqxbCRO2ciToXvC6svzG1l0OZdYc-ao_8fha-MHDogUSej4o8dsvd46QZf4dy9teafEtrnJZ3TGVlTOoHjkoFYsXuhKWz6djGIAN6-XSGToaBeBNccgtlr_cCitEW_5QJ3YVjJH7IIZlNJpGC58fq3_KnoX2LnDpdWSbuU-inkNeXMkZA48RbFbvOtjiD4CwsAjKNJ84ay5Tfa-nH0DLdwyXytQk48FWlUMAHdSY7HIAlS2I8bHIcPSaMWk1HcUOrxuxc_J-M8KXmD3OKzNg_p_OeBEjCUne1oiMTiWUSwU3kSbajIu11t6W_wDWx_l0LeGmt1TfNS1cXvq1mbPWZF_0wtUMXGCNrj7040to_mic3SoWwKc6GApePZ9xlktTBRNmdPzxwz1d3Fotrh-ALRrfskXa0quDBI_TerFZs07yboGjhBXbijtXsxw3RLoCPSB6jXDEI7rwz5xoA4D_67B2kL35mM_IPCmu2lqBEJUGKucB4x1E7ru4YungoYLSZynSIFZOtuQ3ZxELtIbNy1rESycClW9D-QmqkoMzUOohvPiVyGdMTP3uChSPCRZ4xiCaSWrQEPRKYm69zBnQtbYAfBsXT0Km-OKANYEDn4KTTZL4nSdkhFKK0dxHBigKJw1YHbw5mUMe1HJ05EfTP3BlClhqDtvQj-ybuPKcJJ-bgqUbf5jg8UrOBoc1s-LsFSCEajvR3Su2xUJM6jlqcRYAFtsGL8weUvlWvrFQ7hnh6WCS099ByIk-lKkMNfbSPD9OBKGAPdXaGPKVSyytzvLgk-Fv-qLCYgIx_-olcGdDGMnNZVrlAysiGK0lAJA0Cxf3qK-5nm4FP-hQ_aVegddt11Kt2zyq5_T8O81sO-DI-Ef4TTEJPr5HfRXVff4I5Mpy5J_-Wso84AdtcCQjU3wjBE0waPP0EIvrBLvxQfG9nQywujk6dte4o2AuT4ysJDD6ff5DP3Ccq0moAKqTXwAA26z3F0qgXV1TaoPoiWXcg8bMIyDvidtXB3yjDWjpgRDkKRnruDwWYeDho0mQqfJeJf8AAjDEYCyYZNm_KFtc8G-6s71hrx8R4OPoO6qn4aCEG06bP8VB24AqoHlIyS7osmWF5SF1pl51otNHVZ-0h5gmLCq58VZJPvFnXwf3Q3ipXUvWVq2jzohlX2T6IPz4NfJjBzu_Veng9HW42sL6qF1aE26lIyG2YD5_1zLRSg0Rsm7BhOQ3ei_Kp-gyseHvVS0L5FxRmtVxMF3OavJg_Y195M0g5k_2ubVVuPzGZq6aGBmTTZedYjdgIJ8QA5Oa70VCwbsNK0ATAsi77I1R1sY15KDblFj4omlu71zzr-PlUecSK3I
_VoFzI4g4SFUM3eNm-0lmEqWDKHHhjyhxYIkWGGtfCOB5MOiqEZbnLVNeEvjRaXB6A_LVwtGs-muVB85dp8Xu_-gQF-ctxp7lelY1mnr4lHHJwSL-5_Q5BUn9OScGWIsBG3XSjCOdJMmrwFp4JJs3wNRbJle8WKKb0IVQ65zqBwrUc37ek105KHeU1GiAaJeALGLgTfx62cjGkg98sWemoDGcXiL748ZQvcfbWTNDsk6o4_PLvRfqxttLdZmeiCcmuHBazv_WASwDYwjA2MHHzAOqZCiK84xtJm-SOvoCqmfngwer2e79585hjgsirj8YylH3-C5zu9N9rntDWJtUtGTy71qKV_IY_S-Wp-eEbpIXcD0LR-V1VABfrsF8CLgKnX-Q1x2BGjLywCEUNR7SSP_B8MJ00LNM0uhGF8d6I1t4CO2Njf7gxbCwSXvkXayojvHzvxIElqTBo6H6JFNrD2T7Mhb6arXY0fjmLYfSpAlY07noByxnm2f7qY0Im7oRhM9RiIGmoe0jaaIoH6IRQOc47u_uOh0JbceS2eWMkB1hO-NHy-w5Bdt5g0_wGgyqNjxNKGmpXfUn43rizTk5r3sXvK64fnA6PYXB_zLtF51z-_6kdGMNh3KqWrxldkQUop06wKJ5kjssgLaDnas6tkB6UuBFSpwp5GDWSrD_i5u2aOH-mqWtXu2FQSB_jtj8sDG2gbqDjhz1SWbzZwp-ONgPkgvmpCiUvZ8_lI9BH0JzVjPRMHmACIN3xp4zc-hkK18cTGniYSk2A91uYcgsgsMD6n5iuSzRe1G7zyIRLF3ty177fkDxGsCXYaGUExurD5cLHOtgJU7f6pK4DPcuZs9EbaoIO4vMADEy0rD50D5OxHsGXVdPJHcYZflGFOo3WdU5PbgAGbWeMyi1wsT4VnkzeD2GdQfXH6GmECLL3lyAcnXBml2myeRO-aKqk0QCpd1L054RV-fbr-CuJg9L1k1A8l9dg1t-JvhOaGZT2wBhnt0DrRKJtktXzuKyVUwTffkHlXkASAYiLk8YN6ReHThr540KkF_FZyfADIaPHZ7AaIr6vnKC4jshDYoXTZJRElHlpgLWgo-hBVCmxAYsRHOk2ihwpU8jfLFC_97ZBUZJht6PDiU_fikgiZ_BTE4sLA5ZUs8_GPCN1Tz_hE5FM2YlmyXxEzvorFgItpl8KYQ6cvJvtiXkGakxiJvEqCPHxrn7wwJW6ctPBDFC42X-dVlxueQvuo3yFXJ5w4hapUL6h_bM_KYD365FDnnf-JL2yHsw5mL9y7fydR4eViQemIsj8Iw7_vjOnz21MWsH2h-kS0_BjAd8nPLGNDM7Omi16TXK_9xP8ZysEYnf2JyZeo81tPGg6XmR6fBoKmrBWdwxbxzCR1Gai4umbzlL0vil_nSoOZ9zRl4vR8SDxDpOV7Njp7TsaBy6Cy5bmE7XhxRZKtmZ4upnESY-EcRAch2j1zKlwIhYthrJWG1InsvGa5yotxwY5bhz8VM6TGdiFxC3yn4zwoS0SYf6YlL1C65COj7NiVITkAJQlRcorzyCa-CAPmvJ5BkYV3SvlLtIp2QiKC25pPnZl4U25rWB09LOnLW5ckfcYoCFCL3-QPnwuXdsEAQ-LUDQT8TqiZpnN7-gLSnLVdNgUDoHHkJTndJZFklcMQNCNmGHlTBrz0CDjikVpXmMZZ4Ahy_d0MoUoH1vXGzs-duxFZYXwPNGXGjcYvZ-sFV3R-cNM-SlnAq_XkWA4xxEzDotdYU72u9CeBS8pt1_en1hi7H96FK638PChKZthH7wr6k1M2d-De0QerSiRtAA8egfMnUlAIGBEx40YM-1-UCont-9TiKdkUBxwydb5sBcJZChK0hoIV244-qsByvSM9lAnp8eQV4Q_FqNkTaFJVr0jz9RQE9xIXeHi7KSQkRPRTHCTBxpkiXJf-_pipMZ2r6mWpzLu8ypjycJVFNHT4SjLFN6axjF8iBzSZl5VueIxD7iOmg
MT4JSPOTlK3jywOoI2JRgT4eOmWvh-El-M1zwKjvVY6SoVY87CHoSuVtcM6TfVhb9geXjULdXXXtPgzOV9wFkc4W476YY_qtomnMNtU8YU_vBANyRRvlAOoQSnDwh7qW9NvEeAS9aftmlOFfJiWCG9SaLXMP4KIJ9cl-FFLlgREcupLAPb3kqCBF92a8VH1D5f_qPlOzR6HZf6DQjznNkPMZfhbYhr0miB7lYSDn4EaDHxXUbtpfvUpFv7ZjukGP3DvpWrTaNXh2EoNpWmVGJ6ovnYzQlPVtKqcd8XuQxMOm94V9LDLQE_Navc0H2U=
\ No newline at end of file
diff --git a/data/openvpn-client/smedia-priv.conf.vault b/data/openvpn-client/smedia-priv.conf.vault
deleted file mode 100644
index e537847..0000000
--- a/data/openvpn-client/smedia-priv.conf.vault
+++ /dev/null
@@ -1 +0,0 @@
-encrypt$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
\ No newline at end of file
diff --git a/nodes/kunsi-p14s.py b/nodes/kunsi-p14s.py
index 8f2f0b9..5571633 100644
--- a/nodes/kunsi-p14s.py
+++ b/nodes/kunsi-p14s.py
@@ -6,7 +6,6 @@ nodes['kunsi-p14s'] = {
 'lldp',
 'lm-sensors',
 'nfs-client',
- 'openvpn-client',
 'systemd-boot',
 'telegraf-battery-usage',
 'vmhost',
@@ -83,18 +82,6 @@ nodes['kunsi-p14s'] = {
 'rfc1918',
 },
 },
- 'openvpn-client': {
- 'configs': {
- 'c3voc': {
- 'running': None,
- 'enabled': False,
- },
- 'smedia-priv': {
- 'running': None,
- 'enabled': False,
- },
- },
- },
 'pacman': {
 'no_extract': {
 'etc/sudoers.d/ctdb', # samba junk
From 773e8d118f1e45a80b23256b1289f12b34d2adf2 Mon Sep 17 00:00:00 2001
From: Franziska Kunsmann
Date: Sat, 23 Mar 2024 10:34:41 +0100
Subject: [PATCH 594/996] add repo.libs.faults.dict_as_toml
---
 bundles/infobeamer-cms/files/settings.toml | 4 ----
 bundles/infobeamer-cms/items.py | 5 +----
 bundles/infobeamer-monitor/files/config.toml | 4 ----
 bundles/infobeamer-monitor/items.py | 5 +----
 bundles/jugendhackt_tools/files/config.toml | 4 ----
 bundles/jugendhackt_tools/items.py | 2 +-
 bundles/simple-icinga-dashboard/files/config.toml | 4 ----
 bundles/simple-icinga-dashboard/items.py | 2 +-
 bundles/telegraf/files/telegraf.conf | 4 ----
 bundles/telegraf/items.py | 5 +----
 libs/faults.py | 11 +++++++++++
 11 files changed, 16 insertions(+), 34 deletions(-)
 delete mode 100644 bundles/infobeamer-cms/files/settings.toml
 delete mode 100644 bundles/infobeamer-monitor/files/config.toml
 delete mode 100644 bundles/jugendhackt_tools/files/config.toml
 delete mode 100644 bundles/simple-icinga-dashboard/files/config.toml
 delete mode 100644 bundles/telegraf/files/telegraf.conf
diff --git a/bundles/infobeamer-cms/files/settings.toml b/bundles/infobeamer-cms/files/settings.toml
deleted file mode 100644
index 12dcdb7..0000000
--- a/bundles/infobeamer-cms/files/settings.toml
+++ /dev/null
@@ -1,4 +0,0 @@
-<%
- from tomlkit import dumps as toml_dumps
- from bundlewrap.utils.text import toml_clean
-%>${toml_clean(toml_dumps(repo.libs.faults.resolve_faults(config), sort_keys=True))}
diff --git a/bundles/infobeamer-cms/items.py b/bundles/infobeamer-cms/items.py
index 39820cc..2d2f8c0 100644
--- a/bundles/infobeamer-cms/items.py
+++ b/bundles/infobeamer-cms/items.py
@@ -68,10 +68,7 @@ for room, device_id in sorted(node.metadata.get('infobeamer-cms/rooms', {}).item
 files = {
 '/opt/infobeamer-cms/settings.toml': {
- 'content_type': 'mako',
- 'context': {
- 'config': config,
- },
+ 'content': repo.libs.faults.dict_as_toml(config),
 'triggers': {
 'svc_systemd:infobeamer-cms:restart',
 },
diff --git a/bundles/infobeamer-monitor/files/config.toml b/bundles/infobeamer-monitor/files/config.toml
deleted file mode 100644
index 12dcdb7..0000000
--- a/bundles/infobeamer-monitor/files/config.toml
+++ /dev/null
@@ -1,4 +0,0 @@
-<%
- from tomlkit import dumps as toml_dumps
- from bundlewrap.utils.text import toml_clean
-%>${toml_clean(toml_dumps(repo.libs.faults.resolve_faults(config), sort_keys=True))}
diff --git a/bundles/infobeamer-monitor/items.py b/bundles/infobeamer-monitor/items.py
index ff7c0fd..683d240 100644
--- a/bundles/infobeamer-monitor/items.py
+++ b/bundles/infobeamer-monitor/items.py
@@ -1,10 +1,7 @@
 assert node.has_bundle('infobeamer-cms') # uses same venv
 files['/opt/infobeamer-monitor/config.toml'] = {
- 'content_type': 'mako',
- 'context': {
- 'config': node.metadata.get('infobeamer-monitor'),
- },
+ 'content': repo.libs.faults.dict_as_toml(node.metadata.get('infobeamer-monitor')),
 'triggers': {
 'svc_systemd:infobeamer-monitor:restart',
 },
diff --git a/bundles/jugendhackt_tools/files/config.toml b/bundles/jugendhackt_tools/files/config.toml
deleted file mode 100644
index 7c4131d..0000000
--- a/bundles/jugendhackt_tools/files/config.toml
+++ /dev/null
@@ -1,4 +0,0 @@
-<%
- from tomlkit import dumps as toml_dumps
- from bundlewrap.utils.text import toml_clean
-%>${toml_clean(toml_dumps(repo.libs.faults.resolve_faults(node.metadata.get('jugendhackt_tools')), sort_keys=True))}
diff --git a/bundles/jugendhackt_tools/items.py b/bundles/jugendhackt_tools/items.py
index 38afbb5..c2d0c6e 100644
--- a/bundles/jugendhackt_tools/items.py
+++ b/bundles/jugendhackt_tools/items.py
@@ -47,7 +47,7 @@ actions['jugendhackt_tools_migrate'] = {
 }
 files['/opt/jugendhackt_tools/config.toml'] = {
- 'content_type': 'mako',
+ 'content': repo.libs.faults.dict_as_toml(node.metadata.get('jugendhackt_tools')),
 'triggers': {
 'svc_systemd:jugendhackt_tools:restart',
 },
diff --git a/bundles/simple-icinga-dashboard/files/config.toml b/bundles/simple-icinga-dashboard/files/config.toml
deleted file mode 100644
index b72063a..0000000
--- a/bundles/simple-icinga-dashboard/files/config.toml
+++ /dev/null
@@ -1,4 +0,0 @@
-<%
- from tomlkit import dumps as toml_dumps
- from bundlewrap.utils.text import toml_clean
-%>${toml_clean(toml_dumps(repo.libs.faults.resolve_faults(node.metadata['simple-icinga-dashboard']), sort_keys=True))}
diff --git a/bundles/simple-icinga-dashboard/items.py b/bundles/simple-icinga-dashboard/items.py
index 7568c86..a2b6f47 100644
--- a/bundles/simple-icinga-dashboard/items.py
+++ b/bundles/simple-icinga-dashboard/items.py
@@ -44,7 +44,7 @@ git_deploy = {
 files = {
 '/opt/simple-icinga-dashboard/config.toml': {
- 'content_type': 'mako',
+ 'content': repo.libs.faults.dict_as_toml(node.metadata.get('simple-icinga-dashboard')),
 'needs': {
 'git_deploy:/opt/simple-icinga-dashboard/src',
 },
diff --git a/bundles/telegraf/files/telegraf.conf b/bundles/telegraf/files/telegraf.conf
deleted file mode 100644
index 12dcdb7..0000000
--- a/bundles/telegraf/files/telegraf.conf
+++ /dev/null
@@ -1,4 +0,0 @@
-<%
- from tomlkit import dumps as toml_dumps
- from bundlewrap.utils.text import toml_clean
-%>${toml_clean(toml_dumps(repo.libs.faults.resolve_faults(config), sort_keys=True))}
diff --git a/bundles/telegraf/items.py b/bundles/telegraf/items.py
index 8577cbb..81b6375 100644
--- a/bundles/telegraf/items.py
+++ b/bundles/telegraf/items.py
@@ -93,10 +93,7 @@ for name, config in sorted(node.metadata.get('telegraf/input_plugins/prometheus'
 files = {
 '/etc/telegraf/telegraf.conf': {
- 'content_type': 'mako',
- 'context': {
- 'config': telegraf_config,
- },
+ 'content': repo.libs.faults.dict_as_toml(telegraf_config),
 'triggers': {
 'svc_systemd:telegraf:restart',
 },
diff --git a/libs/faults.py b/libs/faults.py
index 8990b64..848ea84 100644
--- a/libs/faults.py
+++ b/libs/faults.py
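Review bot: The replacement line `'content': repo.libs.faults.dict_as_toml(node.metadata.get('simple-icinga-dashboard'))` in bundles/simple-icinga-dashboard/items.py loosens the lookup that the deleted template performed with `node.metadata['simple-icinga-dashboard']`: a node lacking that key now hands `None` to the Fault instead of raising KeyError when the item is defined, and the failure presumably surfaces only when the file content is rendered, inside `resolve_faults`. Keep the strict form, `node.metadata['simple-icinga-dashboard']`, or use `.get('simple-icinga-dashboard', {})` if an empty config file is an acceptable outcome. The infobeamer-monitor and jugendhackt_tools hunks already used `.get` in the old templates, so only this one changes semantics. The enclosing `files = {` dict starts on the hunk's first context line and continues past the hunk.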
@@ -1,7 +1,10 @@
 from json import dumps, loads
+from tomlkit import dumps as toml_dumps
+
 from bundlewrap.metadata import metadata_to_json
 from bundlewrap.utils import Fault
+from bundlewrap.utils.text import toml_clean
 def resolve_faults(dictionary: dict) -> dict:
@@ -45,3 +48,11 @@ def dict_as_json(json):
 lambda o: metadata_to_json(o) + '\n',
 o=json
 )
+
+
+def dict_as_toml(toml):
+ return Fault(
+ 'dict_as_toml',
+ lambda o: toml_clean(toml_dumps(resolve_faults(o), sort_keys=True)) + '\n',
+ o=toml
+ )
From a027faa8ca673be5b28276e95c05030efb32dedd Mon Sep 17 00:00:00 2001
From: Franziska Kunsmann
Date: Sat, 23 Mar 2024 10:35:02 +0100
Subject: [PATCH 595/996] fix tests
---
 bundles/matrix-synapse/items.py | 2 +-
 bundles/nodejs/metadata.py | 1 +
 nodes/fkusei-locutus.py | 1 +
 3 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/bundles/matrix-synapse/items.py b/bundles/matrix-synapse/items.py
index fc851c6..47a9758 100644
--- a/bundles/matrix-synapse/items.py
+++ b/bundles/matrix-synapse/items.py
@@ -83,6 +83,6 @@ if node.metadata.get('matrix-synapse/sliding_sync/version', None):
 'needs': {
 'file:/usr/local/bin/matrix-sliding-sync',
 'file:/usr/local/lib/systemd/system/matrix-sliding-sync.service',
- 'postgres_db:matrix-sliding-sync',
+ 'postgres_db:synapse',
 },
 }
diff --git a/bundles/nodejs/metadata.py b/bundles/nodejs/metadata.py
index 544cd9c..cc484b2 100644
--- a/bundles/nodejs/metadata.py
+++ b/bundles/nodejs/metadata.py
@@ -22,6 +22,7 @@ VERSIONS_SHIPPED_BY_DEBIAN = {
 @metadata_reactor.provides(
 'apt/repos/nodejs/items',
+ 'apt/additional_update_commands',
 )
 def nodejs_from_version(metadata):
 version = metadata.get('nodejs/version')
diff --git a/nodes/fkusei-locutus.py b/nodes/fkusei-locutus.py
index 8654cf8..f88830d 100644
--- a/nodes/fkusei-locutus.py
+++ b/nodes/fkusei-locutus.py
@@ -1,4 +1,5 @@
 nodes['fkusei-locutus'] = {
+ 'dummy': True,
 'hostname': '10.5.99.29',
 'bundles': {
 'arch-with-gui',
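Review bot: `dict_as_toml` in libs/faults.py has no docstring although it is the new entry point that five bundles in this commit now call, and its contract (sorted keys, `toml_clean`, trailing newline, nested Faults resolved first) is only visible by reading the lambda. I would add `"""Return a Fault that renders *toml* (a metadata dict, nested Faults included) as toml_clean'ed TOML with sorted keys and a trailing newline."""` after the `def` line, and a one-line comment on the `Fault(` call that the lambda runs lazily when bundlewrap evaluates the item content, not when the items file is loaded — the sibling `dict_as_json` follows the same pattern, but that is not obvious from the code. `sort_keys=True` deserves a mention in the docstring because it is what keeps the generated file stable between runs.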
From cad026c1ef14f3eb36a1f0d47516c3abb1911b46 Mon Sep 17 00:00:00 2001
From: Franziska Kunsmann
Date: Sat, 23 Mar 2024 12:18:49 +0100
Subject: [PATCH 596/996] update mautrix-whatsapp to 0.10.6
---
 nodes/carlene.toml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/nodes/carlene.toml b/nodes/carlene.toml
index 470d26c..62e1645 100644
--- a/nodes/carlene.toml
+++ b/nodes/carlene.toml
@@ -113,8 +113,8 @@ provisioning.shared_secret = "!decrypt:encrypt$gAAAAABfVKflEMAi07C_QGP8cy97hF-4g
 "'@kunsi:franzi.business'" = "admin"
 [metadata.mautrix-whatsapp]
-version = "v0.10.5"
-sha1 = "4d7d0243a77587c3fa060788eb2bcc93ea5cb6b3"
+version = "v0.10.6"
+sha1 = "741b4103b519b6effc9fa7087018c89afa5593ec"
 permissions."'@kunsi:franzi.business'" = "admin"
 [metadata.mautrix-whatsapp.homeserver]
 domain = "franzi.business"
From a3d582c2c561f4d997d2b7eafb3921d5f23a1749 Mon Sep 17 00:00:00 2001
From: Franziska Kunsmann
Date: Sat, 23 Mar 2024 12:19:10 +0100
Subject: [PATCH 597/996] update travelynx to 2.5.21
---
 nodes/carlene.toml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/nodes/carlene.toml b/nodes/carlene.toml
index 62e1645..39055e1 100644
--- a/nodes/carlene.toml
+++ b/nodes/carlene.toml
@@ -250,7 +250,7 @@ disks = [
 ]
 [metadata.travelynx]
-version = "2.5.20"
+version = "2.5.21"
 mail_from = "travelynx@franzi.business"
 domain = "travelynx.franzi.business"
From 272bccf42d12bfe14d503f252fcf7531e4e81d3a Mon Sep 17 00:00:00 2001
From: Franziska Kunsmann
Date: Sat, 23 Mar 2024 12:19:24 +0100
Subject: [PATCH 598/996] update paperless-ngx to 2.6.3
---
 nodes/home/paperless.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/nodes/home/paperless.py b/nodes/home/paperless.py
index 0580dbb..943ffc1 100644
--- a/nodes/home/paperless.py
+++ b/nodes/home/paperless.py
@@ -42,7 +42,7 @@ nodes['home.paperless'] = {
 },
 'paperless': {
 'domain': 'paperless.home.kunbox.net',
- 'version': 'v2.6.2',
+ 'version': 'v2.6.3',
 'timezone': 'Europe/Berlin',
 },
 'postgresql': {
From 713f7e02d8b2e0b5c03a29751d82c081db9671b0 Mon Sep 17 00:00:00 2001
From: Franziska Kunsmann
Date: Sun, 24 Mar 2024 09:06:48 +0100
Subject: [PATCH 599/996] update forgejo to 1.21.8-0
---
 nodes/carlene.toml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/nodes/carlene.toml b/nodes/carlene.toml
index 39055e1..50d1756 100644
--- a/nodes/carlene.toml
+++ b/nodes/carlene.toml
@@ -49,8 +49,8 @@ defaultCountryCode = "DE"
 jitsi.preferredDomain = "meet.ffmuc.net"
 [metadata.forgejo]
-version = "1.21.7-0"
-sha1 = "e9775d0fe4b63a83197a7800791df56338f8d074"
+version = "1.21.8-0"
+sha1 = "552551f5dcfc29bc6d9fa19b2a74317b27dd3afc"
 domain = "git.franzi.business"
 enable_git_hooks = true
 install_ssh_key = true
From df8955fa35e8f17127bea627f0127a9f54f8bc81 Mon Sep 17 00:00:00 2001
From: Franziska Kunsmann
Date: Mon, 25 Mar 2024 14:52:51 +0100
Subject: [PATCH 600/996] bundles/infobeamer-monitor: better state dump output
---
 bundles/infobeamer-monitor/files/monitor.py | 17 ++++++++++-------
 1 file changed, 10 insertions(+), 7 deletions(-)
diff --git a/bundles/infobeamer-monitor/files/monitor.py b/bundles/infobeamer-monitor/files/monitor.py
index f61cb43..36c2497 100644
--- a/bundles/infobeamer-monitor/files/monitor.py
+++ b/bundles/infobeamer-monitor/files/monitor.py
@@ -55,14 +55,17 @@ def mqtt_out(message, level="INFO", device=None):
 def mqtt_dump_state(device):
 if not device["is_online"]:
 return
+
+ out = []
+ if device["location"]:
+ out.append("Location: {}".format(device["location"]))
+ out.append("Setup: {} ({})".format(device["setup"]["name"], device["setup"]["id"]))
+ out.append("Resolution: {}".format(device["run"].get("resolution", "unknown")))
+ if not device["is_synced"]:
+ out.append("syncing ...")
+
 mqtt_out(
- "Sync status: {} - Location: {} - Running Setup: {} ({}) - Resolution: {}".format(
- "yes" if device["is_synced"] else "syncing",
- device["location"],
- device["setup"]["name"],
- device["setup"]["id"],
- device["run"].get("resolution", "unknown"),
- ),
+ " - ".join(out),
 device=device,
 )
From 139d5ff948fdb0493153c6e124c6cf2d4d8243a6 Mon Sep 17 00:00:00 2001
From: Franziska Kunsmann
Date: Sun, 31 Mar 2024 12:45:26 +0200
Subject: [PATCH 601/996] htz-cloud.wireguard: actually allow wg.c3voc.de to connect
---
 nodes/htz-cloud/wireguard.py | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/nodes/htz-cloud/wireguard.py b/nodes/htz-cloud/wireguard.py
index 6c6c17a..42c187d 100644
--- a/nodes/htz-cloud/wireguard.py
+++ b/nodes/htz-cloud/wireguard.py
@@ -50,6 +50,10 @@ nodes['htz-cloud.wireguard'] = {
 '50-wireguard': [
 'udp dport 1194 accept',
 'udp dport 51800 accept',
+
+ # wg.c3voc.de
+ 'udp dport 51801 ip saddr 185.106.84.42 accept',
+ 'udp dport 51801 ip6 saddr 2001:67c:20a0:e::189 accept',
 ],
 },
 'postrouting': {
From efeee3fa624be552ff6386bcb4d3228894bc009c Mon Sep 17 00:00:00 2001
From: Franziska Kunsmann
Date: Sun, 31 Mar 2024 13:47:15 +0200
Subject: [PATCH 602/996] update travelynx to 2.5.23
---
 nodes/carlene.toml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/nodes/carlene.toml b/nodes/carlene.toml
index 50d1756..c3f7ed0 100644
--- a/nodes/carlene.toml
+++ b/nodes/carlene.toml
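Review bot: `mqtt_dump_state` in monitor.py still has no docstring, and the rewritten body changes the message shape in a way a consumer of the MQTT topic cannot guess from the code: the sync status now appears only as a trailing `syncing ...` segment, and the location segment is dropped entirely when `device["location"]` is falsy. I would add `"""Publish a one-line state summary for an online device via mqtt_out; segments are joined with ' - ', and location and sync status appear only when set."""` below the `def` line. A short comment on the `if device["location"]:` line, e.g. `# empty location would only produce "Location: "`, explains the conditional to the next reader.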
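Review bot: The two new accept rules in nodes/htz-cloud/wireguard.py pin UDP 51801 to the literal addresses 185.106.84.42 and 2001:67c:20a0:e::189, while the `c3voc` peer added earlier in this series is addressed by the DNS name `wg.c3voc.de:13337`; if those records change, inbound handshakes are silently dropped and nothing in this file ties the two together. Restricting the port to the peer's source address is the right direction, so just make the dependency explicit in the comment, e.g. `# wg.c3voc.de — must match the A/AAAA records of the peer endpoint; update when they change`. The `nodes['htz-cloud.wireguard']` dict that contains the rule list starts and ends outside the hunk.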
@@ -250,7 +250,7 @@ disks = [
 ]
 [metadata.travelynx]
-version = "2.5.21"
+version = "2.5.23"
 mail_from = "travelynx@franzi.business"
 domain = "travelynx.franzi.business"
From b028c207581b83d801c72fbe3ea132d7c44da076 Mon Sep 17 00:00:00 2001
From: Franziska Kunsmann
Date: Sun, 31 Mar 2024 13:47:53 +0200
Subject: [PATCH 603/996] update element-web to 1.11.63
---
 nodes/carlene.toml | 2 +-
 nodes/htz-cloud.afra.toml | 2 +-
 nodes/htz-cloud/miniserver.py | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/nodes/carlene.toml b/nodes/carlene.toml
index c3f7ed0..ea196b5 100644
--- a/nodes/carlene.toml
+++ b/nodes/carlene.toml
@@ -40,7 +40,7 @@ imap_pass = "!bwpass_attr:t-online.de/franzi.kunsmann@t-online.de:imap"
 [metadata.element-web]
 url = "chat.franzi.business"
-version = "v1.11.61"
+version = "v1.11.63"
 [metadata.element-web.config]
 default_server_config.'m.homeserver'.base_url = "https://matrix.franzi.business"
 default_server_config.'m.homeserver'.server_name = "franzi.business"
diff --git a/nodes/htz-cloud.afra.toml b/nodes/htz-cloud.afra.toml
index e2c7a3b..2cc620d 100644
--- a/nodes/htz-cloud.afra.toml
+++ b/nodes/htz-cloud.afra.toml
@@ -32,7 +32,7 @@ routes.'172.19.128.0/20'.via = "172.19.137.1"
 [metadata.element-web]
 url = "element.afra.berlin"
-version = "v1.11.61"
+version = "v1.11.63"
 [metadata.element-web.config]
 default_server_config.'m.homeserver'.base_url = "https://matrix.afra.berlin"
diff --git a/nodes/htz-cloud/miniserver.py b/nodes/htz-cloud/miniserver.py
index b0e8292..aa15855 100644
--- a/nodes/htz-cloud/miniserver.py
+++ b/nodes/htz-cloud/miniserver.py
@@ -62,7 +62,7 @@ nodes['htz-cloud.miniserver'] = {
 },
 'element-web': {
 'url': 'chat.sophies-kitchen.eu',
- 'version': 'v1.11.61',
+ 'version': 'v1.11.63',
 'config': {
 'default_server_config': {
 'm.homeserver': {
From c0c83338ad2e926d5d56ea5adb3ed27ca0879d5f Mon Sep 17 00:00:00 2001
From: Franziska Kunsmann
Date: Tue, 2 Apr 2024 15:06:52 +0200
Subject: [PATCH 604/996] bundles/icinga2: do not send out URGENT for recovery messages
---
 bundles/icinga2/files/scripts/icinga_notification_wrapper | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/bundles/icinga2/files/scripts/icinga_notification_wrapper b/bundles/icinga2/files/scripts/icinga_notification_wrapper
index 4804bab..2741839 100644
--- a/bundles/icinga2/files/scripts/icinga_notification_wrapper
+++ b/bundles/icinga2/files/scripts/icinga_notification_wrapper
@@ -113,9 +113,14 @@ def notify_per_ntfy():
 else:
 subject = '[ICINGA] {}'.format(args.host_name)
+ if args.notification_type.lower() == 'recovery':
+ priority = 'default'
+ else:
+ priority = 'urgent'
+
 headers = {
 'Title': subject,
- 'Priority': 'urgent',
+ 'Priority': priority,
 }
 try:
From 896781e53d85a97135044dd6c98cfc1ff0f8cd8e Mon Sep 17 00:00:00 2001
From: Franziska Kunsmann
Date: Tue, 2 Apr 2024 21:54:31 +0200
Subject: [PATCH 605/996] update travelynx to 2.6.3
---
 nodes/carlene.toml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/nodes/carlene.toml b/nodes/carlene.toml
index ea196b5..4207266 100644
--- a/nodes/carlene.toml
+++ b/nodes/carlene.toml
@@ -250,7 +250,7 @@ disks = [
 ]
 [metadata.travelynx]
-version = "2.5.23"
+version = "2.6.3"
 mail_from = "travelynx@franzi.business"
 domain = "travelynx.franzi.business"
From ed05a74f56fb6779eb0f0bcbf507a93e837337f1 Mon Sep 17 00:00:00 2001
From: Franziska Kunsmann
Date: Wed, 3 Apr 2024 17:27:40 +0200
Subject: [PATCH 606/996] update travelynx to 2.6.4
---
 nodes/carlene.toml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/nodes/carlene.toml b/nodes/carlene.toml
index 4207266..0ca966f 100644
--- a/nodes/carlene.toml
+++ b/nodes/carlene.toml
@@ -250,7 +250,7 @@ disks = [
 ]
 [metadata.travelynx]
-version = "2.6.3"
+version = "2.6.4"
 mail_from = "travelynx@franzi.business"
 domain = "travelynx.franzi.business"
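Review bot: Only `recovery` is downgraded in icinga_notification_wrapper; every other notification type that Icinga may route through this script (acknowledgements, downtime start/end, flapping) still leaves with `'Priority': 'urgent'`, so the ntfy channel keeps paging for events that need no action. If that is intended, say so on the `if` line, e.g. `# only recoveries are quiet; everything else still pages`; otherwise a set is easier to extend than an if/else chain: `priority = 'default' if args.notification_type.lower() in {'recovery', 'acknowledgement'} else 'urgent'`. The surrounding `notify_per_ntfy` starts before the hunk and its `try:` body continues after it.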
From 4a44ae104824d2e1c4feadc07423051623e2dfeb Mon Sep 17 00:00:00 2001
From: Franziska Kunsmann
Date: Tue, 9 Apr 2024 06:00:05 +0200
Subject: [PATCH 607/996] kunbox.net: fix tlsrpt address
---
 data/powerdns/files/bind-zones/kunbox.net | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/data/powerdns/files/bind-zones/kunbox.net b/data/powerdns/files/bind-zones/kunbox.net
index 3e77354..ee2bd1e 100644
--- a/data/powerdns/files/bind-zones/kunbox.net
+++ b/data/powerdns/files/bind-zones/kunbox.net
@@ -53,7 +53,7 @@ ${record}
 ; record here to avoid creating loops.
 ; We're still publishing DKIM keys and have enabled TLSRPT, though.
 _mta-sts IN TXT "v=STSv1;id=20201111;"
-_smtp._tls IN TXT "v=TLSRPTv1;rua=mailto:hostmaster@kunbox.net"
+_smtp._tls IN TXT "v=TLSRPTv1;rua=mailto:tlsrpt@kunbox.net"
 _token._dnswl IN TXT "6akc10htbgmg56e072w0w2n0wql4oezu"
 2019._domainkey IN TXT (
 "v=DKIM1; k=rsa; "
From 128ac48fd63fceea9a71e2c4df49201f0f4df468 Mon Sep 17 00:00:00 2001
From: Franziska Kunsmann
Date: Tue, 9 Apr 2024 06:00:23 +0200
Subject: [PATCH 608/996] update forgejo to 1.21.10-0
---
 nodes/carlene.toml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/nodes/carlene.toml b/nodes/carlene.toml
index 0ca966f..0dc787d 100644
--- a/nodes/carlene.toml
+++ b/nodes/carlene.toml
@@ -49,8 +49,8 @@ defaultCountryCode = "DE"
 jitsi.preferredDomain = "meet.ffmuc.net"
 [metadata.forgejo]
-version = "1.21.8-0"
-sha1 = "552551f5dcfc29bc6d9fa19b2a74317b27dd3afc"
+version = "1.21.10-0"
+sha1 = "8c1a1ccc0657422087d51d1a317aa587f48ee5a2"
 domain = "git.franzi.business"
 enable_git_hooks = true
 install_ssh_key = true
From a6e7359ec033e50839c76db04ec15c382f1af899 Mon Sep 17 00:00:00 2001
From: Franziska Kunsmann
Date: Tue, 9 Apr 2024 06:00:42 +0200
Subject: [PATCH 609/996] update netbox to 3.7.5
---
 nodes/carlene.toml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/nodes/carlene.toml b/nodes/carlene.toml
index 0dc787d..b45988b 100644
--- a/nodes/carlene.toml
+++ b/nodes/carlene.toml
@@ -125,7 +125,7 @@ domain = "rss.franzi.business"
 [metadata.netbox]
 domain = "netbox.franzi.business"
-version = "v3.7.4"
+version = "v3.7.5"
 admins.kunsi = "hostmaster@kunbox.net"
 [metadata.nextcloud]
From 8f09170b44d1721eaabcd5f651b14e07e240e3a6 Mon Sep 17 00:00:00 2001
From: Franziska Kunsmann
Date: Tue, 9 Apr 2024 06:01:01 +0200
Subject: [PATCH 610/996] update travelynx to 2.6.5
---
 nodes/carlene.toml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/nodes/carlene.toml b/nodes/carlene.toml
index b45988b..ba53464 100644
--- a/nodes/carlene.toml
+++ b/nodes/carlene.toml
@@ -250,7 +250,7 @@ disks = [
 ]
 [metadata.travelynx]
-version = "2.6.4"
+version = "2.6.5"
 mail_from = "travelynx@franzi.business"
 domain = "travelynx.franzi.business"
From 33ae4796d43885cd23d6b7015891af3cbcf2e564 Mon Sep 17 00:00:00 2001
From: Franziska Kunsmann
Date: Tue, 9 Apr 2024 06:03:11 +0200
Subject: [PATCH 611/996] update paperless to 2.7.2
---
 nodes/home/paperless.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/nodes/home/paperless.py b/nodes/home/paperless.py
index 943ffc1..81fa1cc 100644
--- a/nodes/home/paperless.py
+++ b/nodes/home/paperless.py
@@ -42,7 +42,7 @@ nodes['home.paperless'] = {
 },
 'paperless': {
 'domain': 'paperless.home.kunbox.net',
- 'version': 'v2.6.3',
+ 'version': 'v2.7.2',
 'timezone': 'Europe/Berlin',
 },
 'postgresql': {
From f8b833720a95b8e0b942fdcfbd3beee0dc90a84d Mon Sep 17 00:00:00 2001
From: Franziska Kunsmann
Date: Tue, 9 Apr 2024 06:06:02 +0200
Subject: [PATCH 612/996] bundles/systemd-timers: better exclude_from_monitoring support
---
 bundles/systemd-timers/files/template.service | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)
diff --git a/bundles/systemd-timers/files/template.service b/bundles/systemd-timers/files/template.service
index ed68677..09c3080 100644
--- a/bundles/systemd-timers/files/template.service
+++ b/bundles/systemd-timers/files/template.service
@@ -1,3 +1,9 @@
+<%
+ if config.get('exclude_from_monitoring', False):
+ monitored = ''
+ else:
+ monitored = f'/usr/local/sbin/systemd-timer-monitored {timer} '
+%>\
 [Unit]
 Description=Service for Timer ${timer}
 After=network.target
@@ -15,10 +21,8 @@ WorkingDirectory=${config.get('pwd', '/')}
 Type=oneshot
 % if isinstance(config['command'], list):
 % for command in config['command']:
-ExecStart=/usr/local/sbin/systemd-timer-monitored ${timer} ${command}
+ExecStart=${monitored}${command}
 % endfor
-% elif config.get('exclude_from_monitoring', False):
-ExecStart=${config['command']}
 % else:
-ExecStart=/usr/local/sbin/systemd-timer-monitored ${timer} ${config['command']}
+ExecStart=${monitored}${config['command']}
 % endif
From ab61444a1ffcfb10c817eaabaebc376b92c70a6a Mon Sep 17 00:00:00 2001
From: Franziska Kunsmann
Date: Tue, 9 Apr 2024 06:06:29 +0200
Subject: [PATCH 613/996] bundles/letsencrypt: do not monitor renew timer
---
 bundles/letsencrypt/metadata.py | 1 +
 1 file changed, 1 insertion(+)
diff --git a/bundles/letsencrypt/metadata.py b/bundles/letsencrypt/metadata.py
index 310dadd..09620c4 100644
--- a/bundles/letsencrypt/metadata.py
+++ b/bundles/letsencrypt/metadata.py
@@ -39,6 +39,7 @@ def cron(metadata):
 '/usr/bin/dehydrated --cleanup',
 ],
 'when': '04:{}:00'.format(node.magic_number % 60),
+ 'exclude_from_monitoring': True,
 },
 },
 },
From 6be9fb3614f1378a442ef5e104605c8c5b35157a Mon Sep 17 00:00:00 2001
From: Franziska Kunsmann
Date: Tue, 9 Apr 2024 06:06:29 +0200
Subject: [PATCH 614/996] bundles/pacman: 'dnsutils' is now part of 'bind'
---
 bundles/pacman/items.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/bundles/pacman/items.py b/bundles/pacman/items.py
index 4d95a99..9f80ca7 100644
--- a/bundles/pacman/items.py
+++ b/bundles/pacman/items.py
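Review bot: The trailing space in `monitored = f'/usr/local/sbin/systemd-timer-monitored {timer} '` in template.service is load-bearing — the second hunk's `ExecStart=${monitored}${command}` concatenates with no separator of its own — and a trailing space inside a string literal is exactly what editors and linters strip. A comment inside the `<% %>` block protects it, e.g. `# trailing space is required: ExecStart=${monitored}${command} adds none`. The same hunk also quietly fixes a behaviour gap: the old `elif` honoured `exclude_from_monitoring` only for a single command, while list commands were always wrapped; that is worth a sentence in the commit message so the change is not mistaken for a pure refactor.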
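Review bot: Adding `'exclude_from_monitoring': True` to the dehydrated renew timer in bundles/letsencrypt/metadata.py removes the signal that renewals are failing at the point where they fail; presumably certificate expiry is caught elsewhere (an expiry check on the served certificate, say), but nothing in the hunk says so. A one-line comment on the new key pointing at that other check, e.g. `# renewal failures surface via the cert expiry check, not the timer`, makes the trade-off explicit for the next reader; if no such check exists, I would keep the timer monitored. The `cron` reactor starts outside the hunk.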
@@ -36,13 +36,13 @@ pkg_pacman = { 'at': {}, 'autoconf': {}, 'automake': {}, + 'bind': {}, 'binutils': {}, 'bison': {}, 'bzip2': {}, 'curl': {}, 'dialog': {}, 'diffutils': {}, - 'dnsutils': {}, 'fakeroot': {}, 'file': {}, 'findutils': {}, From 0f9222424e0be6f93b27b8d7e8088a447e2e9391 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sat, 13 Apr 2024 11:03:40 +0200 Subject: [PATCH 615/996] dns/kunbox.net: add htz-cloud.pirmasens to SPF --- data/powerdns/files/bind-zones/kunbox.net | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/data/powerdns/files/bind-zones/kunbox.net b/data/powerdns/files/bind-zones/kunbox.net index ee2bd1e..bb45655 100644 --- a/data/powerdns/files/bind-zones/kunbox.net +++ b/data/powerdns/files/bind-zones/kunbox.net @@ -18,7 +18,7 @@ $ORIGIN kunbox.net. ; Needs to have a working Mail address, otherwise Telekom goes mimimi IN MX 10 mail.franzi.business. - IN TXT "v=spf1 mx ~all" + IN TXT "v=spf1 mx a:mail.kunsmann.info ~all" ; delegate acme stuff to psql-managed zone _acme-challenge IN CNAME _acme-challenge.kunbox.net.le.kunbox.net. From a155fe22cbb28720cd36a91e0e7268675b8e15a3 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 14 Apr 2024 10:09:08 +0200 Subject: [PATCH 616/996] Revert "home.router: disable pppd restart at night" This reverts commit 493dc91e0de67c1fb4e47ac5f83ba8699d94c9bc. --- nodes/home/router.py | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/nodes/home/router.py b/nodes/home/router.py index 6fa3aa3..67845ba 100644 --- a/nodes/home/router.py +++ b/nodes/home/router.py 
@@ -39,15 +39,15 @@ nodes['home.router'] = { '172.19.139.0/24', }, }, -# 'cron': { -# 'jobs': { -# # Our internet provider resets the connection if you're -# # connected longer than 24 hours. We install this cronjob -# # to make sure we don't get disconnected randomly during the -# # day. -# 'restart_pppd': '23 2 * * * root systemctl restart pppoe && date -u +\%s > /var/tmp/pppd-last-restart.status', -# }, -# }, + 'cron': { + 'jobs': { + # Our internet provider resets the connection if you're + # connected longer than 24 hours. We install this cronjob + # to make sure we don't get disconnected randomly during the + # day. + 'restart_pppd': '23 2 * * * root systemctl restart pppoe && date -u +\%s > /var/tmp/pppd-last-restart.status', + }, + }, 'kea-dhcp-server': { 'subnets': { 'enp1s0.1138': { From 7491ec840cb5d73df435f9bee46ad61e1561d068 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 14 Apr 2024 12:05:58 +0200 Subject: [PATCH 617/996] bundles/dovecot: add full text indexing --- bundles/dovecot/files/dovecot-sql.conf | 1 + bundles/dovecot/files/dovecot.conf | 34 +++++++++++++++++++++----- bundles/dovecot/items.py | 7 ++++++ bundles/dovecot/metadata.py | 11 +++++++++ 4 files changed, 47 insertions(+), 6 deletions(-) diff --git a/bundles/dovecot/files/dovecot-sql.conf b/bundles/dovecot/files/dovecot-sql.conf index 86cb8db..75c06ae 100644 --- a/bundles/dovecot/files/dovecot-sql.conf +++ b/bundles/dovecot/files/dovecot-sql.conf @@ -3,3 +3,4 @@ driver = pgsql default_pass_scheme = MD5-CRYPT password_query = SELECT username as user, password FROM mailbox WHERE username = '%u' AND active = true user_query = SELECT '/var/mail/vmail/' || maildir as home, 65534 as uid, 65534 as gid FROM mailbox WHERE username = '%u' AND active = true +iterate_query = SELECT username as user FROM mailbox WHERE active = true diff --git a/bundles/dovecot/files/dovecot.conf b/bundles/dovecot/files/dovecot.conf index 9a294aa..19dea4f 100644 --- a/bundles/dovecot/files/dovecot.conf 
+++ b/bundles/dovecot/files/dovecot.conf @@ -40,7 +40,7 @@ login_greeting = IMAPd ready auth_mechanisms = plain login first_valid_uid = 65534 disable_plaintext_auth = yes -mail_plugins = $mail_plugins zlib old_stats +mail_plugins = $mail_plugins zlib old_stats fts fts_xapian plugin { zlib_save_level = 6 @@ -56,6 +56,15 @@ plugin { old_stats_refresh = 30 secs old_stats_track_cmds = yes + fts = xapian + fts_xapian = partial=3 full=20 + + fts_autoindex = yes + fts_enforced = yes + + # Index attachements + fts_decoder = decode2text + % if node.has_bundle('rspamd'): sieve_before = /var/mail/vmail/sieve/global/spam-global.sieve @@ -86,14 +95,19 @@ service auth { } } -service lmtp { - unix_listener /var/spool/postfix/private/dovecot-lmtp { - group = postfix - mode = 0600 - user = postfix +service decode2text { + executable = script /usr/lib/dovecot/decode2text.sh + user = dovecot + unix_listener decode2text { + mode = 0666 } } +service indexer-worker { + vsz_limit = 0 + process_limit = 0 +} + service imap { executable = imap } @@ -104,6 +118,14 @@ service imap-login { vsz_limit = 64M } +service lmtp { + unix_listener /var/spool/postfix/private/dovecot-lmtp { + group = postfix + mode = 0600 + user = postfix + } +} + service managesieve-login { inet_listener sieve { port = 4190 diff --git a/bundles/dovecot/items.py b/bundles/dovecot/items.py index 627a203..6c14a79 100644 --- a/bundles/dovecot/items.py +++ b/bundles/dovecot/items.py @@ -49,6 +49,13 @@ files = { }, } +symlinks['/usr/lib/dovecot/decode2text.sh'] = { + 'target': '/usr/share/doc/dovecot-core/examples/decode2text.sh', + 'before': { + 'svc_systemd:dovecot', + }, +} + actions = { 'dovecot_generate_dhparam': { 'command': 'openssl dhparam -out /etc/dovecot/ssl/dhparam.pem 2048', diff --git a/bundles/dovecot/metadata.py b/bundles/dovecot/metadata.py index 00ee5a4..6d126a1 100644 --- a/bundles/dovecot/metadata.py +++ b/bundles/dovecot/metadata.py 
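Review bot: In the `service indexer-worker` block, `process_limit = 0` together with `vsz_limit = 0` removes both the process cap and the address-space cap, so with `fts_autoindex = yes` a burst of incoming mail or a single pathological attachment can grow indexer processes and memory on the mail host without bound; keep `vsz_limit = 0` only if the Xapian backend genuinely needs it and give `process_limit` a finite value sized for the machine. In the same hunk, `unix_listener decode2text { mode = 0666 }` lets any local uid hand data to the decoder script running as `dovecot`; that mirrors Dovecot's example, but if only the mail uid (presumably 65534, per the `user_query` in dovecot-sql.conf) ever connects, `mode = 0660` with a matching `group` is tighter. A short comment naming which process actually connects to the listener would justify whichever mode is kept.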
@@ -3,6 +3,7 @@ from bundlewrap.metadata import atomic defaults = { 'apt': { 'packages': { + 'dovecot-fts-xapian': {}, 'dovecot-imapd': {}, 'dovecot-lmtpd': {}, 'dovecot-managesieved': {}, @@ -35,6 +36,16 @@ defaults = { 'dovecot', }, }, + 'systemd-timers': { + 'timers': { + 'dovecot_fts_optimize': { + 'command': [ + '/usr/bin/doveadm fts optimize -A', + ], + 'when': '02:{}:00'.format(node.magic_number % 60), + }, + }, + }, } if node.has_bundle('postfixadmin'): From 1ec545e08053412d50da5372036b1a88dbc64041 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Wed, 17 Apr 2024 06:33:37 +0200 Subject: [PATCH 618/996] update element-web to 1.11.64 --- nodes/carlene.toml | 2 +- nodes/htz-cloud.afra.toml | 2 +- nodes/htz-cloud/miniserver.py | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/nodes/carlene.toml b/nodes/carlene.toml index ba53464..fce0d6f 100644 --- a/nodes/carlene.toml +++ b/nodes/carlene.toml @@ -40,7 +40,7 @@ imap_pass = "!bwpass_attr:t-online.de/franzi.kunsmann@t-online.de:imap" [metadata.element-web] url = "chat.franzi.business" -version = "v1.11.63" +version = "v1.11.64" [metadata.element-web.config] default_server_config.'m.homeserver'.base_url = "https://matrix.franzi.business" default_server_config.'m.homeserver'.server_name = "franzi.business" diff --git a/nodes/htz-cloud.afra.toml b/nodes/htz-cloud.afra.toml index 2cc620d..2c5c42f 100644 --- a/nodes/htz-cloud.afra.toml +++ b/nodes/htz-cloud.afra.toml @@ -32,7 +32,7 @@ routes.'172.19.128.0/20'.via = "172.19.137.1" [metadata.element-web] url = "element.afra.berlin" -version = "v1.11.63" +version = "v1.11.64" [metadata.element-web.config] default_server_config.'m.homeserver'.base_url = "https://matrix.afra.berlin" diff --git a/nodes/htz-cloud/miniserver.py b/nodes/htz-cloud/miniserver.py index aa15855..cf00105 100644 --- a/nodes/htz-cloud/miniserver.py +++ b/nodes/htz-cloud/miniserver.py 
@@ -62,7 +62,7 @@ nodes['htz-cloud.miniserver'] = { }, 'element-web': { 'url': 'chat.sophies-kitchen.eu', - 'version': 'v1.11.63', + 'version': 'v1.11.64', 'config': { 'default_server_config': { 'm.homeserver': { From e64ae3aef76210bd01292922d3ebe914b9c00587 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Wed, 17 Apr 2024 06:42:08 +0200 Subject: [PATCH 619/996] bundles/icinga2: run check_mounts check as well --- bundles/icinga2/files/icinga_statusmonitor.py | 5 +++++ bundles/icinga2/files/icinga_statusmonitor.service | 2 -- 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/bundles/icinga2/files/icinga_statusmonitor.py b/bundles/icinga2/files/icinga_statusmonitor.py index e816ada..bc33759 100644 --- a/bundles/icinga2/files/icinga_statusmonitor.py +++ b/bundles/icinga2/files/icinga_statusmonitor.py @@ -9,6 +9,11 @@ app = Flask(__name__) @app.route('/status') def statuspage(): everything_fine = True + try: + check_output(['/usr/local/share/icinga/plugins/check_mounts']) + except: + everything_fine = False + try: check_output(['/usr/lib/nagios/plugins/check_procs', '-C', 'icinga2', '-c', '1:']) except: diff --git a/bundles/icinga2/files/icinga_statusmonitor.service b/bundles/icinga2/files/icinga_statusmonitor.service index 3bfd258..b651357 100644 --- a/bundles/icinga2/files/icinga_statusmonitor.service +++ b/bundles/icinga2/files/icinga_statusmonitor.service @@ -3,8 +3,6 @@ Description=Icinga2 Statusmonitor After=network.target [Service] -User=nagios -Group=nagios Environment="FLASK_APP=/etc/icinga2/icinga_statusmonitor.py" ExecStart=/usr/bin/python3 -m flask run WorkingDirectory=/tmp From bbc69dfd25cb316e5d4506ce51215ada7ac19605 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sat, 20 Apr 2024 18:30:39 +0200 Subject: [PATCH 620/996] bundles/icinga2: re-add statusmonitor --- bundles/icinga2/items.py | 28 +++++++++++++++++++++++----- bundles/icinga2/metadata.py | 4 ++++ 2 files changed, 27 insertions(+), 5 deletions(-) 
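Review bot: The added `except:` around the `check_mounts` call is a bare except, so a `KeyboardInterrupt` or `SystemExit` raised during the call is silently folded into `everything_fine = False`; `except (CalledProcessError, OSError):` (importing `CalledProcessError` next to `check_output`) names the two failures that actually mean a bad check, and the pre-existing bare except just below has the same problem. `statuspage()` continues past the end of the hunk.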
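Review bot: Removing `User=nagios` and `Group=nagios` from the unit makes the status monitor run as root, since a systemd service without `User=` defaults to it, and the process is the Flask development server (`ExecStart=/usr/bin/python3 -m flask run`) that a following commit on this page proxies from nginx under `/statusmonitor/`; a plugin wrapper reachable over HTTP should not carry root. If `check_mounts` is what needs more privilege than `nagios` has, grant that single plugin the access it needs (a group on the mountpoints, or a narrow sudoers entry for that one path) and keep `User=nagios`. A comment in the unit such as `# runs unprivileged: plugins must not need root` would stop this from being dropped again.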
diff --git a/bundles/icinga2/items.py b/bundles/icinga2/items.py index 2632de2..804d920 100644 --- a/bundles/icinga2/items.py +++ b/bundles/icinga2/items.py @@ -275,6 +275,27 @@ files = { 'mode': '0660', 'group': 'icingaweb2', }, + + # monitoring + '/etc/icinga2/icinga_statusmonitor.py': { + 'triggers': { + 'svc_systemd:icinga_statusmonitor:restart', + }, + }, + '/usr/local/lib/systemd/system/icinga_statusmonitor.service': { + 'triggers': { + 'action:systemd-reload', + 'svc_systemd:icinga_statusmonitor:restart', + }, + }, +} + +svc_systemd['icinga_statusmonitor'] = { + 'needs': { + 'file:/etc/icinga2/icinga_statusmonitor.py', + 'file:/usr/local/lib/systemd/system/icinga_statusmonitor.service', + 'pkg_apt:python3-flask', + }, } actions = { @@ -316,15 +337,12 @@ for name in files: for name in symlinks: icinga_run_deps.add(f'symlink:{name}') -svc_systemd = { - 'icinga2': { - 'needs': icinga_run_deps, - }, +svc_systemd['icinga2'] = { + 'needs': icinga_run_deps, } - # The actual hosts and services management starts here bundles = set() downtimes = [] diff --git a/bundles/icinga2/metadata.py b/bundles/icinga2/metadata.py index 8c9cc14..494ff89 100644 --- a/bundles/icinga2/metadata.py +++ b/bundles/icinga2/metadata.py @@ -19,6 +19,7 @@ defaults = { 'icingaweb2': {}, 'icingaweb2-module-monitoring': {}, 'python3-easysnmp': {}, + 'python3-flask': {}, 'snmp': {}, } }, @@ -131,6 +132,9 @@ def nginx(metadata): '/api/': { 'target': 'https://127.0.0.1:5665/', }, + '/statusmonitor/': { + 'target': 'http://127.0.0.1:5000/', + }, }, 'extras': True, }, From d02d26cb5e3865437288b68020de900bf0a6ca67 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sat, 20 Apr 2024 18:31:13 +0200 Subject: [PATCH 621/996] update forgejo to 1.21.11-1 --- nodes/carlene.toml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/nodes/carlene.toml b/nodes/carlene.toml index fce0d6f..724fc94 100644 --- a/nodes/carlene.toml +++ b/nodes/carlene.toml 
@@ -49,8 +49,8 @@ defaultCountryCode = "DE" jitsi.preferredDomain = "meet.ffmuc.net" [metadata.forgejo] -version = "1.21.10-0" -sha1 = "8c1a1ccc0657422087d51d1a317aa587f48ee5a2" +version = "1.21.11-0" +sha1 = "7b2e22b628ba8de2b44fc80aeefa606ec8e99213" domain = "git.franzi.business" enable_git_hooks = true install_ssh_key = true From 27cb0cb0df89436d97214bf0a9e9e60d219c0554 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sat, 20 Apr 2024 18:31:30 +0200 Subject: [PATCH 622/996] update mautrix-whatsapp to 0.10.7 --- nodes/carlene.toml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/nodes/carlene.toml b/nodes/carlene.toml index 724fc94..91be03e 100644 --- a/nodes/carlene.toml +++ b/nodes/carlene.toml @@ -113,8 +113,8 @@ provisioning.shared_secret = "!decrypt:encrypt$gAAAAABfVKflEMAi07C_QGP8cy97hF-4g "'@kunsi:franzi.business'" = "admin" [metadata.mautrix-whatsapp] -version = "v0.10.6" -sha1 = "741b4103b519b6effc9fa7087018c89afa5593ec" +version = "v0.10.7" +sha1 = "7ebfadc247c3fb4c6c9503f7c48234fcc976cadf" permissions."'@kunsi:franzi.business'" = "admin" [metadata.mautrix-whatsapp.homeserver] domain = "franzi.business" From 0bfcd8df45727da81606b4494e5031193550cc2b Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sat, 20 Apr 2024 18:31:44 +0200 Subject: [PATCH 623/996] update travelynx to 2.6.7 --- nodes/carlene.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nodes/carlene.toml b/nodes/carlene.toml index 91be03e..b166c5a 100644 --- a/nodes/carlene.toml +++ b/nodes/carlene.toml @@ -250,7 +250,7 @@ disks = [ ] [metadata.travelynx] -version = "2.6.5" +version = "2.6.7" mail_from = "travelynx@franzi.business" domain = "travelynx.franzi.business" From 610c1d0978188e929cf059d3af3f10210f2fb08f Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sat, 20 Apr 2024 18:35:00 +0200 Subject: [PATCH 624/996] update forgejo to 1.21.11-1 --- nodes/carlene.toml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/nodes/carlene.toml b/nodes/carlene.toml index b166c5a..eae717e 100644 --- a/nodes/carlene.toml +++ b/nodes/carlene.toml @@ -49,8 +49,8 @@ defaultCountryCode = "DE" jitsi.preferredDomain = "meet.ffmuc.net" [metadata.forgejo] -version = "1.21.11-0" -sha1 = "7b2e22b628ba8de2b44fc80aeefa606ec8e99213" +version = "1.21.11-1" +sha1 = "232db6b4e5432bf718597758d13591af58adaa47" domain = "git.franzi.business" enable_git_hooks = true install_ssh_key = true From 09e59af95f231a5ce2929661fdadaa3e6e8b3c75 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Wed, 24 Apr 2024 23:04:06 +0200 Subject: [PATCH 625/996] bundles/nginx: listen ... http2; is deprecated --- bundles/nginx/files/site_template | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/bundles/nginx/files/site_template b/bundles/nginx/files/site_template index 59d7ac4..2e994e7 100644 --- a/bundles/nginx/files/site_template +++ b/bundles/nginx/files/site_template @@ -29,8 +29,9 @@ server { root ${webroot if webroot else '/var/www/{}/'.format(vhost)}; index ${' '.join(index)}; - listen 443 ssl http2; - listen [::]:443 ssl http2; + listen 443 ssl; + listen [::]:443 ssl; + http2 on; % if ssl == 'letsencrypt': ssl_certificate /var/lib/dehydrated/certs/${domain}/fullchain.pem; @@ -70,8 +71,9 @@ server { root ${webroot if webroot else '/var/www/{}/'.format(vhost)}; index ${' '.join(index)}; - listen 443 ssl http2; - listen [::]:443 ssl http2; + listen 443 ssl; + listen [::]:443 ssl; + http2 on; % if ssl == 'letsencrypt': ssl_certificate /var/lib/dehydrated/certs/${domain}/fullchain.pem; From dbf17424d2ed6ce9598af6ac92fd4ab85e0bacc4 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 28 Apr 2024 20:57:14 +0200 Subject: [PATCH 626/996] update element-web to 1.11.65 --- nodes/carlene.toml | 2 +- nodes/htz-cloud.afra.toml | 2 +- nodes/htz-cloud/miniserver.py | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) 
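Review bot: `http2 on;` is only understood by nginx 1.25.1 and later, the same release that deprecated `listen ... http2`, so on any node still running an older nginx package (Debian stable at the time shipped 1.22) `nginx -t` fails and the site template stops deploying; either gate the new directive on the nginx version in node metadata or confirm every node using this template is on 1.25.1 or newer. Both hunks in site_template make the same change, so one fix covers them.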
diff --git a/nodes/carlene.toml b/nodes/carlene.toml index eae717e..d82a73e 100644 --- a/nodes/carlene.toml +++ b/nodes/carlene.toml @@ -40,7 +40,7 @@ imap_pass = "!bwpass_attr:t-online.de/franzi.kunsmann@t-online.de:imap" [metadata.element-web] url = "chat.franzi.business" -version = "v1.11.64" +version = "v1.11.65" [metadata.element-web.config] default_server_config.'m.homeserver'.base_url = "https://matrix.franzi.business" default_server_config.'m.homeserver'.server_name = "franzi.business" diff --git a/nodes/htz-cloud.afra.toml b/nodes/htz-cloud.afra.toml index 2c5c42f..cbac44c 100644 --- a/nodes/htz-cloud.afra.toml +++ b/nodes/htz-cloud.afra.toml @@ -32,7 +32,7 @@ routes.'172.19.128.0/20'.via = "172.19.137.1" [metadata.element-web] url = "element.afra.berlin" -version = "v1.11.64" +version = "v1.11.65" [metadata.element-web.config] default_server_config.'m.homeserver'.base_url = "https://matrix.afra.berlin" diff --git a/nodes/htz-cloud/miniserver.py b/nodes/htz-cloud/miniserver.py index cf00105..cf5a81c 100644 --- a/nodes/htz-cloud/miniserver.py +++ b/nodes/htz-cloud/miniserver.py @@ -62,7 +62,7 @@ nodes['htz-cloud.miniserver'] = { }, 'element-web': { 'url': 'chat.sophies-kitchen.eu', - 'version': 'v1.11.64', + 'version': 'v1.11.65', 'config': { 'default_server_config': { 'm.homeserver': { From 516a54371974bf2e76287fb8f2ad12180b967e90 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 28 Apr 2024 20:57:31 +0200 Subject: [PATCH 627/996] update forgejo to 7.0.1 --- nodes/carlene.toml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/nodes/carlene.toml b/nodes/carlene.toml index d82a73e..b23a4a7 100644 --- a/nodes/carlene.toml +++ b/nodes/carlene.toml 
@@ -49,8 +49,8 @@ defaultCountryCode = "DE" jitsi.preferredDomain = "meet.ffmuc.net" [metadata.forgejo] -version = "1.21.11-1" -sha1 = "232db6b4e5432bf718597758d13591af58adaa47" +version = "7.0.1" +sha1 = "c78dde2d91ac61ffe0f2f7fc4f1b430df9591e92" domain = "git.franzi.business" enable_git_hooks = true install_ssh_key = true From 65af9ae0c5e6e5fd16e868dff6220786558eb12e Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 28 Apr 2024 20:57:44 +0200 Subject: [PATCH 628/996] update netbox to 3.7.6 --- nodes/carlene.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nodes/carlene.toml b/nodes/carlene.toml index b23a4a7..5b20479 100644 --- a/nodes/carlene.toml +++ b/nodes/carlene.toml @@ -125,7 +125,7 @@ domain = "rss.franzi.business" [metadata.netbox] domain = "netbox.franzi.business" -version = "v3.7.5" +version = "v3.7.6" admins.kunsi = "hostmaster@kunbox.net" [metadata.nextcloud] From 9e78b9e07bbce399b12e0095fe593badd22978a2 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 28 Apr 2024 21:40:35 +0200 Subject: [PATCH 629/996] python3.12 compat --- bundles/nginx/metadata.py | 4 ++-- bundles/rspamd/items.py | 2 +- nodes/home/nas.py | 4 ++-- nodes/home/router.py | 2 +- 4 files changed, 6 insertions(+), 6 deletions(-) diff --git a/bundles/nginx/metadata.py b/bundles/nginx/metadata.py index e52bc11..2715065 100644 --- a/bundles/nginx/metadata.py +++ b/bundles/nginx/metadata.py 
@@ -200,8 +200,8 @@ def telegraf_anon_timing(metadata): result[f'nginx-{vname}'] = { 'files': [f'/var/log/nginx-timing/{vname}.log'], 'from_beginning': False, - 'grok_patterns': ['%{LOGPATTERN}'], - 'grok_custom_patterns': 'LOGPATTERN \[%{HTTPDATE:ts:ts-httpd}\] %{NUMBER:request_time:float} (?:%{NUMBER:upstream_response_time:float}|-) "%{WORD:verb:tag} %{NOTSPACE:request} HTTP/%{NUMBER:http_version:float}" %{NUMBER:resp_code:tag}', + 'grok_patterns': [r'%{LOGPATTERN}'], + 'grok_custom_patterns': r'LOGPATTERN \[%{HTTPDATE:ts:ts-httpd}\] %{NUMBER:request_time:float} (?:%{NUMBER:upstream_response_time:float}|-) "%{WORD:verb:tag} %{NOTSPACE:request} HTTP/%{NUMBER:http_version:float}" %{NUMBER:resp_code:tag}', 'data_format': 'grok', 'name_override': 'nginx_timing', } diff --git a/bundles/rspamd/items.py b/bundles/rspamd/items.py index 8fa793c..0491d17 100644 --- a/bundles/rspamd/items.py +++ b/bundles/rspamd/items.py @@ -101,7 +101,7 @@ if 'dkim' in node.metadata.get('rspamd', {}): actions = { 'rspamd_assure_dkim_key_permissions': { 'command': 'chown _rspamd:_rspamd /var/lib/rspamd/dkim/*.key', - 'unless': 'test -z "$(find /var/lib/rspamd/ -iname \"*.key\" \! -user _rspamd)"', + 'unless': r'test -z "$(find /var/lib/rspamd/ -iname \"*.key\" \! -user _rspamd)"', 'needs': { 'action:rspamd_generate_dkim_key', 'directory:/var/lib/rspamd/dkim', diff --git a/nodes/home/nas.py b/nodes/home/nas.py index 20e2679..695941e 100644 --- a/nodes/home/nas.py +++ b/nodes/home/nas.py @@ -212,8 +212,8 @@ nodes['home.nas'] = { 'nas_permissions': { 'command': [ 'chown -R :nas /storage/nas/', - 'find /storage/nas/ -type d -exec chmod 0775 {} \;', - 'find /storage/nas/ -type f -exec chmod 0664 {} \;', + r'find /storage/nas/ -type d -exec chmod 0775 {} \;', + r'find /storage/nas/ -type f -exec chmod 0664 {} \;', ], 'when': '*-*-* 02:00:00', }, diff --git a/nodes/home/router.py b/nodes/home/router.py index 67845ba..968477a 100644 --- a/nodes/home/router.py +++ b/nodes/home/router.py 
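Review bot: Turning the rspamd `unless` command into a raw string changes what the shell receives: before, Python already turned `\"` into a plain `"`, so find got the quoted pattern `"*.key"`; now the backslashes survive, and as far as I can tell bash treats `\"` inside `$( )` as an escaped literal quote, so find looks for names that literally begin and end with `"`, prints nothing, `test -z` always succeeds, and the `chown _rspamd:_rspamd` action that repairs DKIM key ownership never runs. Dropping the backslashes in front of the inner quotes keeps the raw string and the old shell command: `'unless': r'test -z "$(find /var/lib/rspamd/ -iname "*.key" \! -user _rspamd)"',`. The `\[`, `\;` and `\%` conversions in the other hunks of this commit are fine, because Python preserved those unknown escapes before as well.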
@@ -45,7 +45,7 @@ nodes['home.router'] = { # connected longer than 24 hours. We install this cronjob # to make sure we don't get disconnected randomly during the # day. - 'restart_pppd': '23 2 * * * root systemctl restart pppoe && date -u +\%s > /var/tmp/pppd-last-restart.status', + 'restart_pppd': r'23 2 * * * root systemctl restart pppoe && date -u +\%s > /var/tmp/pppd-last-restart.status', }, }, 'kea-dhcp-server': { From c9b393c6dce8257af98c2743223268918783ce1f Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 28 Apr 2024 21:40:46 +0200 Subject: [PATCH 630/996] update travelynx to 2.6.9 --- nodes/carlene.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nodes/carlene.toml b/nodes/carlene.toml index 5b20479..5d7e364 100644 --- a/nodes/carlene.toml +++ b/nodes/carlene.toml @@ -250,7 +250,7 @@ disks = [ ] [metadata.travelynx] -version = "2.6.7" +version = "2.6.9" mail_from = "travelynx@franzi.business" domain = "travelynx.franzi.business" From dd32ed075bed578eb739c79b49c39c253b578ecb Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sat, 4 May 2024 10:18:18 +0200 Subject: [PATCH 631/996] remove kunsi-p14s --- nodes/kunsi-t470.py | 103 -------------------------------------------- 1 file changed, 103 deletions(-) delete mode 100644 nodes/kunsi-t470.py diff --git a/nodes/kunsi-t470.py b/nodes/kunsi-t470.py deleted file mode 100644 index c5b1ee7..0000000 --- a/nodes/kunsi-t470.py +++ /dev/null 
@@ -1,103 +0,0 @@ -# My own laptop. - -nodes['kunsi-t470'] = { - 'dummy': True, - 'hostname': 'no', - 'bundles': { - 'lldp', - 'lm-sensors', - 'nfs-client', - 'telegraf-battery-usage', - }, - 'groups': { - 'arch', - }, - 'metadata': { - 'timezone': 'Europe/Berlin', - 'icinga_options': { - 'exclude_from_monitoring': True, - }, - 'hosts': { - 'entries': { - '10.101.64.10': { - 'www.wifionice.de', - 'wifionice.de', - }, - }, - }, - 'interfaces': { - 'br0': { - 'dhcp': True, - 'use_dhcp_domains': True, - 'send_hostname': False, - }, - # there is also wlp4s0, but that's managed by netctl - }, - 'firewall': { - 'port_rules': { - # obs websocket thingie - just allow all RFC1918 ips here - '4444/tcp': { - '10.0.0.0/8', - '172.16.0.0/12', - '192.168.0.0/16', - }, - # For the occasional file-share using `python -m http.server` - '8000/tcp': {'*'}, - }, - }, - 'locale': { - 'default': 'en_DK.UTF-8', - }, - 'nfs-client': { - 'mounts': { - 'nas-scansnap': { - 'mountpoint': '/mnt/scansnap', - 'serverpath': '172.19.138.20:/srv/scansnap', - 'mount_options': { - 'retry=0', - 'rw', - }, - }, - 'nas-storage': { - 'mountpoint': '/mnt/nas', - 'serverpath': '172.19.138.20:/storage/nas', - 'mount_options': { - 'retry=0', - 'ro', - }, - }, - }, - }, - 'openssh': { - 'restrict-to': { - '10.0.0.0/8', - '172.16.0.0/12', - '192.168.0.0/16', - }, - }, - 'pacman': { - 'install_gui': True, - }, - 'systemd-networkd': { - 'bridges': { - 'br0': { - 'match': { - 'enp0s31f6', - }, - }, - }, - }, - 'users': { - 'kunsi': { - 'password': vault.decrypt('encrypt$gAAAAABgLmmuQGRUStrQawoPee-758emIYn2u8-8ebrgzNAFSp7ifeFDdXXvs-zL3QogwNYlCtBHboH2xfy1rSj6OF5bbNO-tg=='), - 'shell': '/usr/bin/fish', - # FIXME move qemu VMs out of /home/kunsi - 'home-mode': '0755', - }, - 'sophie': { - 'delete': True, - }, - }, - }, - 'os': 'arch', -} From 35331f5f4c39b63c134ff8fc6dbfbb7db7bc64a2 Mon Sep 17 00:00:00 2001 
From: Franziska Kunsmann Date: Sun, 5 May 2024 15:49:45 +0200 Subject: [PATCH 632/996] update ssl configuration of some bundles --- bundles/basic/items.py | 19 ++++++++++++++----- bundles/dovecot/files/dovecot.conf | 8 ++++---- bundles/dovecot/items.py | 21 +-------------------- bundles/nginx/files/site_template | 5 +++-- bundles/nginx/items.py | 9 +-------- bundles/postfix/files/main.cf | 13 ++++++------- 6 files changed, 29 insertions(+), 46 deletions(-) diff --git a/bundles/basic/items.py b/bundles/basic/items.py index 197c952..e0f9242 100644 --- a/bundles/basic/items.py +++ b/bundles/basic/items.py @@ -29,6 +29,17 @@ files = { }, } +if node.has_any_bundle([ + 'dovecot', + 'nginx', + 'postfix', +]): + actions['generate-dhparam'] = { + 'command': 'openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048', + 'unless': 'test -f /etc/ssl/certs/dhparam.pem', + } + + locale_needs = set() for locale in sorted(node.metadata.get('locale/installed')): actions[f'ensure_locale_{locale}_is_enabled'] = { @@ -41,11 +52,9 @@ for locale in sorted(node.metadata.get('locale/installed')): } locale_needs = {f'action:ensure_locale_{locale}_is_enabled'} -actions = { - 'locale-gen': { - 'triggered': True, - 'command': 'locale-gen', - }, +actions['locale-gen'] = { + 'triggered': True, + 'command': 'locale-gen', } description = [] diff --git a/bundles/dovecot/files/dovecot.conf b/bundles/dovecot/files/dovecot.conf index 19dea4f..804c6a9 100644 --- a/bundles/dovecot/files/dovecot.conf +++ b/bundles/dovecot/files/dovecot.conf @@ -28,13 +28,13 @@ namespace inbox { mail_location = maildir:/var/mail/vmail/%d/%n protocols = imap lmtp sieve -ssl = yes +ssl = required ssl_cert = relay_domains = $mydestination, pgsql:/etc/postfix/pgsql/relay_domains.cf From cc9c12729644f1ed01f5f52d989800f2947d95b2 Mon Sep 17 00:00:00 2001 
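Review bot: `actions['generate-dhparam']` creates `/etc/ssl/certs/dhparam.pem` only when the file is absent, but nothing in this hunk orders it before the services whose TLS config now points at that path; unless the dovecot, nginx and postfix items changed in this commit (visible in the diffstat but not in this chunk) declare `'needs': {'action:generate-dhparam'}`, a first deploy can start a daemon before the file exists. Since the action only exists on nodes with one of those bundles, the `needs` belongs on each bundle's service item rather than a `needed_by` here, which would reference services absent on some nodes. A comment above the action, e.g. `# shared by dovecot, nginx and postfix; delete the file to regenerate`, would also document what the 'unless' implies.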
From: Franziska Kunsmann Date: Sun, 5 May 2024 16:18:13 +0200 Subject: [PATCH 633/996] update forgejo to 7.0.2 --- nodes/carlene.toml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/nodes/carlene.toml b/nodes/carlene.toml index 5d7e364..1c184c6 100644 --- a/nodes/carlene.toml +++ b/nodes/carlene.toml @@ -49,8 +49,8 @@ defaultCountryCode = "DE" jitsi.preferredDomain = "meet.ffmuc.net" [metadata.forgejo] -version = "7.0.1" -sha1 = "c78dde2d91ac61ffe0f2f7fc4f1b430df9591e92" +version = "7.0.2" +sha1 = "8d8f463b875a114012d688b413b11501aaba2eee" domain = "git.franzi.business" enable_git_hooks = true install_ssh_key = true From a8da2aef44dd343d20b1a6fe5f7bcf7d9e78135a Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 5 May 2024 16:18:27 +0200 Subject: [PATCH 634/996] update netbox to 3.7.7 --- nodes/carlene.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nodes/carlene.toml b/nodes/carlene.toml index 1c184c6..b82808c 100644 --- a/nodes/carlene.toml +++ b/nodes/carlene.toml @@ -125,7 +125,7 @@ domain = "rss.franzi.business" [metadata.netbox] domain = "netbox.franzi.business" -version = "v3.7.6" +version = "v3.7.7" admins.kunsi = "hostmaster@kunbox.net" [metadata.nextcloud] From c806d7b890fa16aff17cd6f51d819e44498ad4c4 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 5 May 2024 16:49:42 +0200 Subject: [PATCH 635/996] bundles/netbox: rework --- bundles/netbox/items.py | 222 +++++++++++++++++++++------------------- 1 file changed, 118 insertions(+), 104 deletions(-) diff --git a/bundles/netbox/items.py b/bundles/netbox/items.py index b04698a..920aa78 100644 --- a/bundles/netbox/items.py +++ b/bundles/netbox/items.py 
@@ -1,124 +1,138 @@ -users = { - 'netbox': { - 'home': '/opt/netbox', - }, +users['netbox'] = { + 'home': '/opt/netbox', } -directories = { - '/opt/netbox/src': {}, - '/opt/netbox/media': { - 'owner': 'netbox', - }, - '/opt/netbox/scripts': { - 'owner': 'netbox', - }, +directories['/opt/netbox/src'] = {} + +directories['/opt/netbox/media'] = { + 'owner': 'netbox', } -git_deploy = { - '/opt/netbox/src': { - 'repo': 'https://github.com/netbox-community/netbox.git', - 'rev': node.metadata.get('netbox/version'), - 'triggers': { - 'action:netbox_install', - 'action:netbox_upgrade', - 'svc_systemd:netbox-web:restart', - 'svc_systemd:netbox-worker:restart', - }, +directories['/opt/netbox/scripts'] = { + 'owner': 'netbox', +} + +git_deploy['/opt/netbox/src'] = { + 'repo': 'https://github.com/netbox-community/netbox.git', + 'rev': node.metadata.get('netbox/version'), + 'triggers': { + 'action:netbox_install', + 'svc_systemd:netbox-web:restart', + 'svc_systemd:netbox-worker:restart', + }, + 'tags': { + 'netbox-install', }, } # This is a recreation of https://github.com/netbox-community/netbox/blob/develop/upgrade.sh -actions = { - 'netbox_create_virtualenv': { - 'command': '/usr/bin/python3 -m virtualenv -p python3 /opt/netbox/venv', - 'unless': 'test -d /opt/netbox/venv/', - 'needed_by': { - 'action:netbox_install', - }, - }, - 'netbox_install': { - 'triggered': True, - 'command': ' && '.join([ - 'cd /opt/netbox/src', - '/opt/netbox/venv/bin/pip install --upgrade pip wheel setuptools django-auth-ldap gunicorn', - '/opt/netbox/venv/bin/pip install --upgrade -r requirements.txt', - ]), - 'needs': { - 'pkg_apt:build-essential', - 'pkg_apt:graphviz', - 'pkg_apt:libffi-dev', - 'pkg_apt:libldap2-dev', - 'pkg_apt:libpq-dev', - 'pkg_apt:libsasl2-dev', - 'pkg_apt:libssl-dev', - 'pkg_apt:libxml2-dev', - 'pkg_apt:libxslt1-dev', - 'pkg_apt:python3-dev', - 'pkg_apt:zlib1g-dev', - } - }, - 'netbox_upgrade': { - 'triggered': True, - 'command': ' && '.join([ - '/opt/netbox/venv/bin/python 
/opt/netbox/src/netbox/manage.py migrate', - '/opt/netbox/venv/bin/python /opt/netbox/src/netbox/manage.py collectstatic --no-input', - '/opt/netbox/venv/bin/python /opt/netbox/src/netbox/manage.py remove_stale_contenttypes --no-input', - '/opt/netbox/venv/bin/python /opt/netbox/src/netbox/manage.py clearsessions', - ]), - 'needs': { - 'action:netbox_install', - 'file:/opt/netbox/src/netbox/netbox/configuration.py', - }, +actions['netbox_create_virtualenv'] = { + 'command': '/usr/bin/python3 -m virtualenv -p python3 /opt/netbox/venv', + 'unless': 'test -d /opt/netbox/venv/', + 'needed_by': { + 'action:netbox_install', }, } -files = { - '/usr/local/lib/systemd/system/netbox-web.service': { - 'triggers': { - 'action:systemd-reload', - 'svc_systemd:netbox-web:restart', - }, +actions['netbox_install'] = { + 'triggered': True, + 'command': ' && '.join([ + 'cd /opt/netbox/src', + '/opt/netbox/venv/bin/pip install --upgrade pip wheel setuptools django-auth-ldap gunicorn', + '/opt/netbox/venv/bin/pip install --upgrade -r requirements.txt', + ]), + 'needs': { + 'pkg_apt:build-essential', + 'pkg_apt:graphviz', + 'pkg_apt:libffi-dev', + 'pkg_apt:libldap2-dev', + 'pkg_apt:libpq-dev', + 'pkg_apt:libsasl2-dev', + 'pkg_apt:libssl-dev', + 'pkg_apt:libxml2-dev', + 'pkg_apt:libxslt1-dev', + 'pkg_apt:python3-dev', + 'pkg_apt:zlib1g-dev', }, - '/usr/local/lib/systemd/system/netbox-worker.service': { - 'triggers': { - 'action:systemd-reload', - 'svc_systemd:netbox-worker:restart', - }, - }, - '/opt/netbox/src/netbox/netbox/configuration.py': { - 'content_type': 'mako', - 'triggers': { - 'svc_systemd:netbox-web:restart', - 'svc_systemd:netbox-worker:restart', - }, - 'needs': { - 'git_deploy:/opt/netbox/src', - }, - }, - '/opt/netbox/gunicorn_config.py': { - 'content_type': 'mako', - 'triggers': { - 'svc_systemd:netbox-web:restart', - }, + 'tags': { + 'netbox-install', }, } -svc_systemd = { - 'netbox-web': { +last_action = 'netbox_install' +for upgrade_command in ( + 'migrate', + 
'trace_paths --no-input', + 'collectstatic --no-input', + 'remove_stale_contenttypes --no-input', + 'reindex --no-input', + 'clearsessions', +): + actions[f'netbox_upgrade_{upgrade_command.split()[0]}'] = { + 'triggered': True, + 'command': '/opt/netbox/venv/bin/python /opt/netbox/src/netbox/manage.py {upgrade_command}', 'needs': { - 'action:netbox_install', - 'action:netbox_upgrade', - 'file:/usr/local/lib/systemd/system/netbox-web.service', - 'file:/opt/netbox/gunicorn_config.py', - 'file:/opt/netbox/src/netbox/netbox/configuration.py', + f'action:{last_action}', }, - }, - 'netbox-worker': { - 'needs': { - 'action:netbox_install', - 'action:netbox_upgrade', - 'file:/usr/local/lib/systemd/system/netbox-worker.service', - 'file:/opt/netbox/src/netbox/netbox/configuration.py', + 'tags': { + 'netbox-upgrade', }, + 'triggered_by': { + 'tag:netbox-install', + }, + } + last_action = f'netbox_upgrade_{upgrade_command.split()[0]}' + +files['/usr/local/lib/systemd/system/netbox-web.service'] = { + 'triggers': { + 'action:systemd-reload', + 'svc_systemd:netbox-web:restart', + }, +} + +files['/usr/local/lib/systemd/system/netbox-worker.service'] = { + 'triggers': { + 'action:systemd-reload', + 'svc_systemd:netbox-worker:restart', + }, +} + +files['/opt/netbox/src/netbox/netbox/configuration.py'] = { + 'content_type': 'mako', + 'triggers': { + 'svc_systemd:netbox-web:restart', + 'svc_systemd:netbox-worker:restart', + }, + 'needs': { + 'git_deploy:/opt/netbox/src', + }, + 'tags': { + 'netbox-install', + }, +} + +files['/opt/netbox/gunicorn_config.py'] = { + 'content_type': 'mako', + 'triggers': { + 'svc_systemd:netbox-web:restart', + }, +} + +svc_systemd['netbox-web'] = { + 'needs': { + 'file:/usr/local/lib/systemd/system/netbox-web.service', + 'file:/opt/netbox/gunicorn_config.py', + 'file:/opt/netbox/src/netbox/netbox/configuration.py', + 'tag:netbox-install', + 'tag:netbox-upgrade', + }, +} + +svc_systemd['netbox-worker'] = { + 'needs': { + 
'file:/usr/local/lib/systemd/system/netbox-worker.service',
+ 'file:/opt/netbox/src/netbox/netbox/configuration.py',
+ 'tag:netbox-install',
+ 'tag:netbox-upgrade',
 },
 } From a17833698ddeaa1e860ce1d6cf896c4a5c84961b Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 12 May 2024 19:36:31 +0200 Subject: [PATCH 636/996] bundles/apt: run autoremove first, then clean cached packages
--- bundles/apt/files/do-unattended-upgrades | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/bundles/apt/files/do-unattended-upgrades b/bundles/apt/files/do-unattended-upgrades
index 5eb8adf..3ed0166 100644
--- a/bundles/apt/files/do-unattended-upgrades
+++ b/bundles/apt/files/do-unattended-upgrades
@@ -6,10 +6,10 @@ apt-get update
 DEBIAN_FRONTEND=noninteractive apt-get -y -q -o Dpkg::Options::=--force-confold dist-upgrade
-DEBIAN_FRONTEND=noninteractive apt-get -y -q autoclean
-
 DEBIAN_FRONTEND=noninteractive apt-get -y -q autoremove
+DEBIAN_FRONTEND=noninteractive apt-get -y -q clean
+
 % if clean_old_kernels:
 existing=$(dpkg --get-selections | grep -E '^linux-(image|headers)-[0-9]' || true) From 88fce3405e54a09d0d9eb2dadde5524cd7b4be35 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 12 May 2024 19:42:04 +0200 Subject: [PATCH 637/996] bundles/netbox: fix f-string
--- bundles/netbox/items.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/bundles/netbox/items.py b/bundles/netbox/items.py
index 920aa78..afd1371 100644
--- a/bundles/netbox/items.py
+++ b/bundles/netbox/items.py
@@ -70,7 +70,7 @@ for upgrade_command in (
 ):
 actions[f'netbox_upgrade_{upgrade_command.split()[0]}'] = {
 'triggered': True,
- 'command': '/opt/netbox/venv/bin/python /opt/netbox/src/netbox/manage.py {upgrade_command}',
+ 'command': f'/opt/netbox/venv/bin/python /opt/netbox/src/netbox/manage.py {upgrade_command}',
 'needs': {
 f'action:{last_action}',
 }, From cf82ed5dd3a16946040da2c1c8480c8f29672ba1 Mon Sep 17 00:00:00 2001
From: Franziska Kunsmann Date: Sun, 12 May 2024 19:42:24 +0200 Subject: [PATCH 638/996] update element-web to 1.11.66 --- nodes/carlene.toml | 2 +- nodes/htz-cloud.afra.toml | 2 +- nodes/htz-cloud/miniserver.py | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/nodes/carlene.toml b/nodes/carlene.toml index b82808c..5f0180a 100644 --- a/nodes/carlene.toml +++ b/nodes/carlene.toml @@ -40,7 +40,7 @@ imap_pass = "!bwpass_attr:t-online.de/franzi.kunsmann@t-online.de:imap" [metadata.element-web] url = "chat.franzi.business" -version = "v1.11.65" +version = "v1.11.66" [metadata.element-web.config] default_server_config.'m.homeserver'.base_url = "https://matrix.franzi.business" default_server_config.'m.homeserver'.server_name = "franzi.business" diff --git a/nodes/htz-cloud.afra.toml b/nodes/htz-cloud.afra.toml index cbac44c..1799dca 100644 --- a/nodes/htz-cloud.afra.toml +++ b/nodes/htz-cloud.afra.toml @@ -32,7 +32,7 @@ routes.'172.19.128.0/20'.via = "172.19.137.1" [metadata.element-web] url = "element.afra.berlin" -version = "v1.11.65" +version = "v1.11.66" [metadata.element-web.config] default_server_config.'m.homeserver'.base_url = "https://matrix.afra.berlin" diff --git a/nodes/htz-cloud/miniserver.py b/nodes/htz-cloud/miniserver.py index cf5a81c..ca3ff6e 100644 --- a/nodes/htz-cloud/miniserver.py +++ b/nodes/htz-cloud/miniserver.py @@ -62,7 +62,7 @@ nodes['htz-cloud.miniserver'] = { }, 'element-web': { 'url': 'chat.sophies-kitchen.eu', - 'version': 'v1.11.65', + 'version': 'v1.11.66', 'config': { 'default_server_config': { 'm.homeserver': { From 799f275e4e55ac233fe3c1ac56082d7250d72331 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 12 May 2024 19:42:42 +0200 Subject: [PATCH 639/996] update netbox to 4.0.1 --- nodes/carlene.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nodes/carlene.toml b/nodes/carlene.toml index 5f0180a..d77e4bd 100644 --- a/nodes/carlene.toml +++ b/nodes/carlene.toml 
@@ -125,7 +125,7 @@ domain = "rss.franzi.business" [metadata.netbox] domain = "netbox.franzi.business" -version = "v3.7.7" +version = "v4.0.1" admins.kunsi = "hostmaster@kunbox.net" [metadata.nextcloud] From fd1cbcfd5013172c476b0767fb50ca1e74db60d9 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 12 May 2024 19:42:54 +0200 Subject: [PATCH 640/996] update paperless to 2.8.3 --- nodes/home/paperless.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nodes/home/paperless.py b/nodes/home/paperless.py index 81fa1cc..a0c16d1 100644 --- a/nodes/home/paperless.py +++ b/nodes/home/paperless.py @@ -42,7 +42,7 @@ nodes['home.paperless'] = { }, 'paperless': { 'domain': 'paperless.home.kunbox.net', - 'version': 'v2.7.2', + 'version': 'v2.8.3', 'timezone': 'Europe/Berlin', }, 'postgresql': { From 5c1ff593e102aa404a646d049347c058c6085b19 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 12 May 2024 19:43:07 +0200 Subject: [PATCH 641/996] carlene: add kunsitracker.de --- nodes/carlene.toml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/nodes/carlene.toml b/nodes/carlene.toml index d77e4bd..0f055b2 100644 --- a/nodes/carlene.toml +++ b/nodes/carlene.toml @@ -145,6 +145,11 @@ webroot_config.owner = "kunsi" [metadata.nginx.vhosts.'gaenseblum.eu'.webroot_config] owner = "skye" +[metadata.nginx.vhosts.kunsitracker] +domain = "kunsitracker.de" +locations.'/'.redirect = "https://travelynx.franzi.business/p/Kunsi" +locations.'/'.mode = 302 + [metadata.nginx.vhosts.mta-sts] domain = "mta-sts.kunbox.net" domain_aliases = [ From 1dce906b3deb9f4f8e003507a3a792400078068c Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 12 May 2024 19:46:07 +0200 Subject: [PATCH 642/996] bundles/netbox: reindex must be lazy --- bundles/netbox/items.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/bundles/netbox/items.py b/bundles/netbox/items.py index afd1371..f261641 100644 --- a/bundles/netbox/items.py 
+++ b/bundles/netbox/items.py @@ -65,7 +65,7 @@ for upgrade_command in ( 'trace_paths --no-input', 'collectstatic --no-input', 'remove_stale_contenttypes --no-input', - 'reindex --no-input', + 'reindex --lazy', 'clearsessions', ): actions[f'netbox_upgrade_{upgrade_command.split()[0]}'] = { From 8c42c9411a6ad463806f883a6d5b1c3487a06d37 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Fri, 24 May 2024 15:24:14 +0200 Subject: [PATCH 643/996] bundles/postfix: fix typo --- bundles/postfix/files/main.cf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/bundles/postfix/files/main.cf b/bundles/postfix/files/main.cf index 44161bc..6ffffaf 100644 --- a/bundles/postfix/files/main.cf +++ b/bundles/postfix/files/main.cf @@ -57,7 +57,7 @@ smtpd_tls_auth_only = yes smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1 smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1 smtpd_tls_mandatory_ciphers = medium -smtpd_tls_dh1024_param_file = /etc/ssl/certs/dhparam.pem; +smtpd_tls_dh1024_param_file = /etc/ssl/certs/dhparam.pem tls_medium_cipherlist = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305 tls_preempt_cipherlist = no From a8ef19f4ffa5e9304e35fbbb42cf478750536693 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Fri, 24 May 2024 15:26:35 +0200 Subject: [PATCH 644/996] bundles/icinga2: add check_omm --- bundles/icinga2/files/check_omm.py | 132 +++++++++++++++++++++++++++++ 1 file changed, 132 insertions(+) create mode 100644 bundles/icinga2/files/check_omm.py diff --git a/bundles/icinga2/files/check_omm.py b/bundles/icinga2/files/check_omm.py new file mode 100644 index 0000000..25bf9b0 --- /dev/null +++ b/bundles/icinga2/files/check_omm.py 
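Review bot: The corrected `smtpd_tls_dh1024_param_file = /etc/ssl/certs/dhparam.pem` still depends on that file being present, and nothing in this hunk ties the config to whatever deploys it; with the stray `;` Postfix was presumably trying to open a file literally named `dhparam.pem;`, and because it only logs a warning in that case it has quietly been using its compiled-in DH group until now. The bundle should make the dhparam file item a `needs` of `main.cf` (or check for it at deploy time), and the fix is worth verifying on a live host with `postconf -n smtpd_tls_dh1024_param_file` plus a grep for `DH parameters` warnings in the mail log. A short comment above the line, `# used by the DHE-* suites in tls_medium_cipherlist; file comes from the TLS bundle`, would make the dependency visible to the next reader.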
@@ -0,0 +1,132 @@
+#!/usr/bin/env python3
+
+import re
+from hashlib import md5
+from sys import argv, exit
+
+# Supress SSL certificate warnings for ssl_verify=False
+import urllib3
+from lxml import html
+from requests import Session
+
+USERNAME_FIELD = "g2"
+PASSWORD_FIELD = "g3"
+CRSF_FIELD = "password"
+
+STATUS_OK = 0
+STATUS_WARNING = 1
+STATUS_CRITICAL = 2
+STATUS_UNKNOWN = 3
+
+
+class OMMCrawler:
+ def __init__(self, hostname, username, password):
+ self.session = Session()
+ urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
+ self.session.verify = False
+
+ self.url = f"https://{hostname}"
+ self.login_data = {
+ USERNAME_FIELD: username,
+ PASSWORD_FIELD: password,
+ CRSF_FIELD: md5(password.encode()).hexdigest(),
+ }
+ self.logged_in = False
+
+ def login(self):
+ # if we have multiple dect masters, find out which one is the current master
+ current_master_url = self.session.get(self.url, verify=False).url
+ self.hostname = re.search(r"^(.*[\\\/])", current_master_url).group(0)[:-1]
+
+ response = self.session.post(f"{self.url}/login_set.html", data=self.login_data)
+ response.raise_for_status()
+
+ # set cookie
+ pass_value = re.search(r"(?<=pass=)\d+(?=;)", response.text).group(0)
+ self.session.cookies.set("pass", pass_value)
+ self.logged_in = True
+
+ def get_station_status(self):
+ if not self.logged_in:
+ self.login()
+
+ data = {}
+ response = self.session.get(f"{self.url}/fp_pnp_status.html")
+ response.raise_for_status()
+ tree = html.fromstring(response.text)
+ xpath_results = tree.xpath('//tr[@class="l0" or @class="l1"]')
+
+ for result in xpath_results:
+ bubble_is_in_inactive_cluster = False
+ bubble_is_connected = False
+ bubble_is_active = False
+
+ bubble_name = result.xpath("td[4]/text()")[0]
+ try:
+ bubble_is_connected = result.xpath("td[11]/img/@alt")[0] == "yes"
+
+ if bubble_is_connected:
+ try:
+ bubble_is_active = result.xpath("td[12]/img/@alt")[0] == "yes"
+ except IndexError:
+ # If an IndexError occurs, 
there is no image in the
+ # 12th td. This means this bubble is in the not inside
+ # an active DECT cluster, but is a backup bubble.
+ # This is probably fine.
+ bubble_is_active = False
+ bubble_is_in_inactive_cluster = True
+ else:
+ bubble_is_active = False
+ except:
+ # There is no Image in the 11th td. This usually means there
+ # is a warning message in the 10th td. We do not care about
+ # that, currently.
+ pass
+
+ data[bubble_name] = {
+ "is_connected": bubble_is_connected,
+ "is_active": bubble_is_active,
+ "is_in_inactive_cluster": bubble_is_in_inactive_cluster,
+ }
+ return data
+
+ def handle_station_data(self):
+ try:
+ data = self.get_station_status()
+ except Exception as e:
+ print(f"Something went wrong. You should take a look at {self.url}")
+ print(repr(e))
+ exit(STATUS_UNKNOWN)
+
+ critical = False
+ for name, status in data.items():
+ if not status["is_active"] and not status["is_connected"]:
+ print(
+ f"Base station {name} is not active or connected! Check manually!"
+ )
+ critical = True
+ elif not status["is_active"] and not status["is_in_inactive_cluster"]:
+ # Bubble is part of an active DECT cluster, but not active.
+ # This shouldn't happen.
+ print(
+ f"Base station {name} is not active but connected! Check manually!"
+ )
+ critical = True
+ elif not status["is_connected"]:
+ # This should never happen. Seeing this state means OMM
+ # itself is broken.
+ print(
+ f"Base station {name} is not connected but active! Check manually!"
+ )
+ critical = True
+
+ if critical:
+ exit(STATUS_CRITICAL)
+ else:
+ print(f"OK - {len(data)} base stations connected")
+ exit(STATUS_OK)
+
+
+if __name__ == "__main__":
+ omm = OMMCrawler(argv[1], argv[2], argv[3])
+ omm.handle_station_data() From a6c1d67b550c6e30e051fd59a0ddd4ef975a6a63 Mon Sep 17 00:00:00 2001
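Review bot: `self.session.verify = False` in `__init__` (repeated as `verify=False` in `login`) turns off certificate checking for every request, so the OMM admin username, the password and its MD5 in `login_data` are POSTed to whatever answers on `https://{hostname}`; make this opt-in rather than hard-coded, e.g. `def __init__(self, hostname, username, password, verify=True):` with `self.session.verify = verify`, and call `urllib3.disable_warnings` only when `verify` is false. The credentials also arrive via `argv[2]`/`argv[3]`, which any local user can read from the process list; an environment variable or a mode-0600 credentials file is the usual alternative for an Icinga plugin. Separately, `login` derives `self.hostname` from the redirect target but nothing in the file reads it — every later request still goes to `self.url`, so the "current master" detection the comment describes has no effect. The bare `except:` in `get_station_status` should be `except IndexError:` so that unexpected errors are not turned into a silently "not connected" station.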
From: Franziska Kunsmann Date: Fri, 24 May 2024 17:03:18 +0200 Subject: [PATCH 645/996] remove entropia-jira --- nodes/entropia-jira.toml | 34 ---------------------------------- 1 file changed, 34 deletions(-) delete mode 100644 nodes/entropia-jira.toml diff --git a/nodes/entropia-jira.toml b/nodes/entropia-jira.toml deleted file mode 100644 index 302756c..0000000 --- a/nodes/entropia-jira.toml +++ /dev/null @@ -1,34 +0,0 @@ -hostname = "45.140.180.45" -dummy = true - -[metadata.icinga_options] -period = "daytime" -show_on_statuspage = false - -[metadata.icinga2_api.nginx.services."NGINX VHOST ticket-redirect CERTIFICATE"] -check_command = "check_https_cert_at_url" -"vars.domain" = "ticket.gulas.ch" -"vars.notification.mail" = true - -[metadata.icinga2_api.nginx.services."NGINX VHOST jira CERTIFICATE"] -check_command = "check_https_cert_at_url" -"vars.domain" = "jira.gulas.ch" -"vars.notification.mail" = true - -[metadata.icinga2_api.nginx.services."NGINX VHOST jira CONTENT"] -check_command = "check_http_wget" -"vars.http_wget_contains" = "login.jsp" -"vars.http_wget_url" = "https://jira.gulas.ch/secure/Dashboard.jspa" -"vars.notification.sms" = true - -[metadata.icinga2_api.custom.services] -# these checks do not get deployed onto the actual host by us, we only -# execute those checks -'DISK SPACE'.'vars.sshmon_command' = 'DISK_SPACE' -'JIRA HEAP'.'vars.sshmon_command' = 'JIRA_HEAP' -'JIRA THREADS'.'vars.sshmon_command' = 'JIRA_THREADS' -'LOAD'.'vars.sshmon_command' = 'LOAD' -'OOM KILLER'.'vars.sshmon_command' = 'OOM_KILLER' -'RAM'.'vars.sshmon_command' = 'RAM' -'USER PROCESS SECURITY jira'.'vars.sshmon_command' = 'USER_PROCESS_SECURITY_jira' -'ZPOOL SPACE tank'.'vars.sshmon_command' = 'check_zpool_space_tank' From ea21e4b1195a8d5b79839d36ff16390d092003c0 Mon Sep 17 00:00:00 2001 
From: Franziska Kunsmann Date: Fri, 24 May 2024 17:06:38 +0200 Subject: [PATCH 646/996] update element-web to 1.11.67 --- nodes/carlene.toml | 2 +- nodes/htz-cloud.afra.toml | 2 +- nodes/htz-cloud/miniserver.py | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/nodes/carlene.toml b/nodes/carlene.toml index 0f055b2..d188b5b 100644 --- a/nodes/carlene.toml +++ b/nodes/carlene.toml @@ -40,7 +40,7 @@ imap_pass = "!bwpass_attr:t-online.de/franzi.kunsmann@t-online.de:imap" [metadata.element-web] url = "chat.franzi.business" -version = "v1.11.66" +version = "v1.11.67" [metadata.element-web.config] default_server_config.'m.homeserver'.base_url = "https://matrix.franzi.business" default_server_config.'m.homeserver'.server_name = "franzi.business" diff --git a/nodes/htz-cloud.afra.toml b/nodes/htz-cloud.afra.toml index 1799dca..4596d01 100644 --- a/nodes/htz-cloud.afra.toml +++ b/nodes/htz-cloud.afra.toml @@ -32,7 +32,7 @@ routes.'172.19.128.0/20'.via = "172.19.137.1" [metadata.element-web] url = "element.afra.berlin" -version = "v1.11.66" +version = "v1.11.67" [metadata.element-web.config] default_server_config.'m.homeserver'.base_url = "https://matrix.afra.berlin" diff --git a/nodes/htz-cloud/miniserver.py b/nodes/htz-cloud/miniserver.py index ca3ff6e..90354b3 100644 --- a/nodes/htz-cloud/miniserver.py +++ b/nodes/htz-cloud/miniserver.py @@ -62,7 +62,7 @@ nodes['htz-cloud.miniserver'] = { }, 'element-web': { 'url': 'chat.sophies-kitchen.eu', - 'version': 'v1.11.66', + 'version': 'v1.11.67', 'config': { 'default_server_config': { 'm.homeserver': { From 5b8784e916872c68a083128ba02f2118be128199 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Fri, 24 May 2024 17:06:53 +0200 Subject: [PATCH 647/996] update forgejo to 7.0.3 --- nodes/carlene.toml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/nodes/carlene.toml b/nodes/carlene.toml index d188b5b..95340d9 100644 --- a/nodes/carlene.toml +++ b/nodes/carlene.toml 
@@ -49,8 +49,8 @@ defaultCountryCode = "DE" jitsi.preferredDomain = "meet.ffmuc.net" [metadata.forgejo] -version = "7.0.2" -sha1 = "8d8f463b875a114012d688b413b11501aaba2eee" +version = "7.0.3" +sha1 = "81b8adc6686bbaebdca6c17059fe6b4f67250e67" domain = "git.franzi.business" enable_git_hooks = true install_ssh_key = true From 43fe8313954a336aa1cae6ce9236d33f8bdc57aa Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Fri, 24 May 2024 17:07:10 +0200 Subject: [PATCH 648/996] update netbox to 4.0.3 --- nodes/carlene.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nodes/carlene.toml b/nodes/carlene.toml index 95340d9..9db42e9 100644 --- a/nodes/carlene.toml +++ b/nodes/carlene.toml @@ -125,7 +125,7 @@ domain = "rss.franzi.business" [metadata.netbox] domain = "netbox.franzi.business" -version = "v4.0.1" +version = "v4.0.3" admins.kunsi = "hostmaster@kunbox.net" [metadata.nextcloud] From bebc603c435eea6c88fed20d6f8ebe9c18fdf1aa Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Fri, 24 May 2024 17:07:21 +0200 Subject: [PATCH 649/996] update paperless-ngx to 2.8.6 --- nodes/home/paperless.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nodes/home/paperless.py b/nodes/home/paperless.py index a0c16d1..8b725e8 100644 --- a/nodes/home/paperless.py +++ b/nodes/home/paperless.py @@ -42,7 +42,7 @@ nodes['home.paperless'] = { }, 'paperless': { 'domain': 'paperless.home.kunbox.net', - 'version': 'v2.8.3', + 'version': 'v2.8.6', 'timezone': 'Europe/Berlin', }, 'postgresql': { From 768ae0a37a71ee4816e8b5b85234ac08f52bef3c Mon Sep 17 00:00:00 2001 From: Sophie Schiller Date: Wed, 29 May 2024 00:02:29 +0200 Subject: [PATCH 650/996] htz-cloud.miniserver: backlinks to social media --- .../extras/htz-cloud.miniserver/sophies-kitchen.eu | 10 ++++++++++ 1 file changed, 10 insertions(+) 
diff --git a/data/nginx/files/extras/htz-cloud.miniserver/sophies-kitchen.eu b/data/nginx/files/extras/htz-cloud.miniserver/sophies-kitchen.eu index cc5c4e3..2f321f7 100644 --- a/data/nginx/files/extras/htz-cloud.miniserver/sophies-kitchen.eu +++ b/data/nginx/files/extras/htz-cloud.miniserver/sophies-kitchen.eu @@ -8,3 +8,13 @@ location /.well-known/matrix/server { default_type application/json; add_header Access-Control-Allow-Origin *; } + +location /.well-known/webfinger { + return 302 'https://chaos.social/.well-known/webfinger?resource=acct:sophie@chaos.social'; +} + +location /social { + return 200 'Mastodon'; + default_type text/html; + add_header Access-Control-Allow-Origin *; +} From 1c2127437c97af2c743315d8d45a7610162c6de2 Mon Sep 17 00:00:00 2001 From: Sophie Schiller Date: Thu, 30 May 2024 21:44:07 +0200 Subject: [PATCH 651/996] voc.infobeamer-cms: gpn22 --- nodes/voc/infobeamer-cms.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/nodes/voc/infobeamer-cms.py b/nodes/voc/infobeamer-cms.py index 5e2adeb..77c21c4 100644 --- a/nodes/voc/infobeamer-cms.py +++ b/nodes/voc/infobeamer-cms.py @@ -25,7 +25,7 @@ nodes['voc.infobeamer-cms'] = { }, 'infobeamer-cms': { 'domain': 'infobeamer.c3voc.de', - 'event_start_date': '2023-12-26', + 'event_start_date': '2024-05-29', 'event_duration_days': 5, 'config': { 'ADMIN_USERS': [ @@ -45,7 +45,7 @@ nodes['voc.infobeamer-cms'] = { 'MQTT_TOPIC': '/voc/alert', 'MQTT_USERNAME': vault.decrypt('encrypt$gAAAAABhxakKHC_kHmHP2mFHorb4niuNTH4F24w1D6m5JUxl117N7znlZA6fpMmY3_NcmBr2Ihw4hL3FjZr9Fm_1oUZ1ZQdADA=='), 'SETUP_IDS': [ - 245793, + 250294, ], # 'EXTRA_ASSETS': [{ # 'type': "image", From d1e28c3f0cb5ece0605d3762852061cb89983c68 Mon Sep 17 00:00:00 2001 
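Review bot: `location /social` is a prefix match, so `/socialanything` also returns the `Mastodon` body, and its `add_header Access-Control-Allow-Origin *` will, under nginx's inheritance rule, suppress any `add_header` lines (HSTS, CSP, ...) the enclosing server block sets — `location = /social {` fixes the first point; the second only matters if the server block does set headers this way, which is outside this hunk. The webfinger redirect ignores the `resource` query parameter, so every `acct:` lookup on this domain resolves to sophie@chaos.social; if that is intended for a single-user domain, a one-line comment above the location saying so would save the next reader a check.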
From: Franziska Kunsmann Date: Sat, 8 Jun 2024 18:46:51 +0200 Subject: [PATCH 652/996] sophie gets her own group --- groups/locations.py | 11 ++++++ nodes/home.drucker-sophie.toml | 6 ---- nodes/home.kodi-wohnzimmer.toml | 35 ------------------- nodes/home.wled-blobkette.toml | 9 ----- nodes/home.wled-wohnzimmer.toml | 9 ----- .../backupserver.py} | 4 +-- nodes/{htz-cloud => sophie}/miniserver.py | 5 +-- .../paperless.py} | 2 +- nodes/{home => sophie}/rechenmonster.py | 2 +- 9 files changed, 15 insertions(+), 68 deletions(-) delete mode 100644 nodes/home.drucker-sophie.toml delete mode 100644 nodes/home.kodi-wohnzimmer.toml delete mode 100644 nodes/home.wled-blobkette.toml delete mode 100644 nodes/home.wled-wohnzimmer.toml rename nodes/{htz-hel/backup-sophie.py => sophie/backupserver.py} (95%) rename nodes/{htz-cloud => sophie}/miniserver.py (98%) rename nodes/{home/paperless-sophie.py => sophie/paperless.py} (98%) rename nodes/{home => sophie}/rechenmonster.py (98%) diff --git a/groups/locations.py b/groups/locations.py index a3738a6..3d40c99 100644 --- a/groups/locations.py +++ b/groups/locations.py @@ -60,6 +60,17 @@ groups['home'] = { }, } +groups['sophie'] = { + 'member_patterns': { + r"sophie\..*", + }, + 'metadata': { + 'icinga_options': { + 'exclude_from_monitoring': True, + }, + }, +} + groups['voc'] = { 'member_patterns': { r"voc\..*", diff --git a/nodes/home.drucker-sophie.toml b/nodes/home.drucker-sophie.toml deleted file mode 100644 index 02c7141..0000000 --- a/nodes/home.drucker-sophie.toml +++ /dev/null @@ -1,6 +0,0 @@ -dummy = true - -[metadata.interfaces.default] -ips = ["172.19.138.61"] -dhcp = true -mac = "00:14:38:9E:29:E3" diff --git a/nodes/home.kodi-wohnzimmer.toml b/nodes/home.kodi-wohnzimmer.toml deleted file mode 100644 index bdd1977..0000000 --- a/nodes/home.kodi-wohnzimmer.toml +++ /dev/null 
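Review bot: `'exclude_from_monitoring': True` on the new `sophie` group applies to every member, and this same commit adds the group to `htz-cloud.miniserver` (also in `webserver`) and `htz-hel.backup-sophie` while deleting their per-node `icinga_options`, so the presumably internet-facing web host and the backup target drop out of monitoring entirely, including the `vars.notification.sms` setting miniserver had. If the intent is only to stop paging Franzi for Sophie's hosts, a notification-only option would keep the checks running; otherwise a comment on the group, `# Sophie's hosts are deliberately unmonitored from here`, should record the decision so it is not mistaken for an oversight later.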
@@ -1,35 +0,0 @@ -hostname = "172.19.138.24" -bundles = ["kodi", "lm-sensors", "nfs-client", "smartd"] -groups = ["debian-bullseye"] - -# is powered off -dummy = true - -[metadata.apt.packages.intel-media-va-driver-non-free] - -[metadata.apt.unattended-upgrades] -day = 6 -hour = 2 -# needs powered on display to detect HDMI audio correctly -reboot_enabled = false - -[metadata.icinga_options] -# is powered off -exclude_from_monitoring = true - -[metadata.interfaces.eno1] -ips = ["172.19.138.24/24"] -gateway4 = "172.19.138.1" -ipv6_accept_ra = true - -[metadata.nfs-client.mounts.nas-storage] -mountpoint = "/mnt/nas" -serverpath = "172.19.138.20:/storage/nas" -mount_options = ["retry=0", "ro"] - -[metadata.smartd] -disks = ["/dev/nvme0"] - -[metadata.vm] -cpu = 2 -ram = 4 diff --git a/nodes/home.wled-blobkette.toml b/nodes/home.wled-blobkette.toml deleted file mode 100644 index cc3b3b1..0000000 --- a/nodes/home.wled-blobkette.toml +++ /dev/null @@ -1,9 +0,0 @@ -dummy = true - -[metadata.interfaces.default] -ips = ["172.19.138.73"] -dhcp = true -mac = "7c:87:ce:b6:54:cd" - -[metadata.icinga_options] -exclude_from_monitoring = true diff --git a/nodes/home.wled-wohnzimmer.toml b/nodes/home.wled-wohnzimmer.toml deleted file mode 100644 index c032230..0000000 --- a/nodes/home.wled-wohnzimmer.toml +++ /dev/null @@ -1,9 +0,0 @@ -dummy = true - -[metadata.interfaces.default] -ips = ["172.19.138.70"] -dhcp = true -mac = "3c:61:05:d0:f2:b9" - -[metadata.icinga_options] -exclude_from_monitoring = true diff --git a/nodes/htz-hel/backup-sophie.py b/nodes/sophie/backupserver.py similarity index 95% rename from nodes/htz-hel/backup-sophie.py rename to nodes/sophie/backupserver.py index c9de769..41a21c0 100644 --- a/nodes/htz-hel/backup-sophie.py +++ b/nodes/sophie/backupserver.py @@ -6,6 +6,7 @@ nodes['htz-hel.backup-sophie'] = { }, 'groups': { 'debian-bullseye', + 'sophie', }, 'metadata': { 'apt': { 
@@ -30,9 +31,6 @@ nodes['htz-hel.backup-sophie'] = { 'gateway6': '2a01:4f9:6b:2d99::2', }, }, - 'icinga_options': { - 'pretty_name': 'backup.sophies-kitchen.eu', - }, 'vm': { 'cpu': 4, 'ram': 8, diff --git a/nodes/htz-cloud/miniserver.py b/nodes/sophie/miniserver.py similarity index 98% rename from nodes/htz-cloud/miniserver.py rename to nodes/sophie/miniserver.py index 90354b3..346a8ee 100644 --- a/nodes/htz-cloud/miniserver.py +++ b/nodes/sophie/miniserver.py @@ -15,6 +15,7 @@ nodes['htz-cloud.miniserver'] = { }, 'groups': { 'debian-bookworm', + 'sophie', 'webserver', }, 'metadata': { @@ -89,10 +90,6 @@ nodes['htz-cloud.miniserver'] = { }, }, }, - 'icinga_options': { - 'pretty_name': 'sophies-kitchen.eu', - 'vars.notification.sms': False, - }, 'letsencrypt': { 'concat_and_deploy': { 'sophie-weechat': { diff --git a/nodes/home/paperless-sophie.py b/nodes/sophie/paperless.py similarity index 98% rename from nodes/home/paperless-sophie.py rename to nodes/sophie/paperless.py index c17ca8d..9463f06 100644 --- a/nodes/home/paperless-sophie.py +++ b/nodes/sophie/paperless.py @@ -1,4 +1,4 @@ -nodes['home.paperless-sophie'] = { +nodes['sophie.paperless'] = { 'hostname': '172.19.138.30', 'bundles': { 'nfs-client', diff --git a/nodes/home/rechenmonster.py b/nodes/sophie/rechenmonster.py similarity index 98% rename from nodes/home/rechenmonster.py rename to nodes/sophie/rechenmonster.py index f4e76ad..699935d 100644 --- a/nodes/home/rechenmonster.py +++ b/nodes/sophie/rechenmonster.py @@ -1,4 +1,4 @@ -nodes['home.rechenmonster'] = { +nodes['sophie.rechenmonster'] = { 'hostname': '172.19.138.98', 'bundles': { 'basic', From 56df06e98157bc71cdd3b9e23593b5352b2119b4 Mon Sep 17 00:00:00 2001 
From: Franziska Kunsmann Date: Sat, 8 Jun 2024 18:50:55 +0200 Subject: [PATCH 653/996] clean up some nodefiles --- groups/locations.py | 3 +++ nodes/fkusei-locutus.py | 6 ------ nodes/home/nas.py | 11 ----------- nodes/home/router.py | 4 ---- nodes/htz-cloud/pirmasens.py | 3 --- nodes/kunsi-p14s.py | 3 --- nodes/sophie/backupserver.py | 3 --- nodes/sophie/paperless.py | 7 ------- nodes/sophie/rechenmonster.py | 3 --- 9 files changed, 3 insertions(+), 40 deletions(-) diff --git a/groups/locations.py b/groups/locations.py index 3d40c99..00bf560 100644 --- a/groups/locations.py +++ b/groups/locations.py @@ -68,6 +68,9 @@ groups['sophie'] = { 'icinga_options': { 'exclude_from_monitoring': True, }, + 'users': { + 'sophie': {}, + }, }, } diff --git a/nodes/fkusei-locutus.py b/nodes/fkusei-locutus.py index f88830d..23118bd 100644 --- a/nodes/fkusei-locutus.py +++ b/nodes/fkusei-locutus.py @@ -121,12 +121,6 @@ nodes['fkusei-locutus'] = { 'fkunsmann': { 'password': vault.decrypt('encrypt$gAAAAABgLmmuQGRUStrQawoPee-758emIYn2u8-8ebrgzNAFSp7ifeFDdXXvs-zL3QogwNYlCtBHboH2xfy1rSj6OF5bbNO-tg=='), 'shell': '/usr/bin/fish', - 'sudo_commands': { - 'ALL', - }, - }, - 'sophie': { - 'delete': True, }, }, 'voc-tracker-worker': { diff --git a/nodes/home/nas.py b/nodes/home/nas.py index 695941e..4afce46 100644 --- a/nodes/home/nas.py +++ b/nodes/home/nas.py @@ -223,9 +223,6 @@ nodes['home.nas'] = { 'enable_x_forwarding_for_admins': True, }, 'users': { - 'f2k1de': { - 'delete': True, - }, 'inbox': { 'ssh_pubkey': { #'command="/usr/share/rsync/scripts/rrsync -wo /storage/inbox/",no-agent-forwarding,no-port-forwarding,no-pty,no-user-rc,no-X11-forwarding ', @@ -236,14 +233,6 @@ nodes['home.nas'] = { 'nas', }, }, - 'sophie': { - 'groups': { - 'nas', - }, - }, - 'qcn': { - 'delete': True, - }, }, 'zfs': { 'module_options': { diff --git a/nodes/home/router.py b/nodes/home/router.py index 968477a..c84b4ef 100644 --- a/nodes/home/router.py +++ b/nodes/home/router.py 
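Review bot: Dropping the `'sophie'` entry (and its `nas` group membership) from `home.nas` stops managing the account but presumably does not remove it — `home.nas` is not a member of the new `sophie` group that now declares this user, and unless the users bundle removes undeclared accounts (not visible here) the existing `sophie` login with `nas` group access stays on the NAS outside configuration management. If the account is meant to go, keep the entry as `'sophie': {'delete': True},`; the same question applies to the `f2k1de` and `qcn` delete markers removed from this file and to the `sophie` delete markers removed from `fkusei-locutus`, `htz-cloud.pirmasens` and `kunsi-p14s`, which are only safe to drop once every affected host has been deployed with them at least once.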
@@ -146,11 +146,7 @@ nodes['home.router'] = { }, }, 'users': { - 'f2k1de': { - 'delete': True, - }, 'fkunsmann': {}, - 'sophie': {}, }, 'vnstat': { 'interface': 'enp1s0.7', diff --git a/nodes/htz-cloud/pirmasens.py b/nodes/htz-cloud/pirmasens.py index 8aa5edf..b4c405d 100644 --- a/nodes/htz-cloud/pirmasens.py +++ b/nodes/htz-cloud/pirmasens.py @@ -83,9 +83,6 @@ nodes['htz-cloud.pirmasens'] = { 'users': { 'forgejo-carlene': {}, 'frank': {}, - 'sophie': { - 'delete': True, - }, }, 'vm': { 'cpu': 2, diff --git a/nodes/kunsi-p14s.py b/nodes/kunsi-p14s.py index 5571633..7d377ab 100644 --- a/nodes/kunsi-p14s.py +++ b/nodes/kunsi-p14s.py @@ -162,9 +162,6 @@ nodes['kunsi-p14s'] = { 'password': vault.decrypt('encrypt$gAAAAABgLmmuQGRUStrQawoPee-758emIYn2u8-8ebrgzNAFSp7ifeFDdXXvs-zL3QogwNYlCtBHboH2xfy1rSj6OF5bbNO-tg=='), 'shell': '/usr/bin/fish', }, - 'sophie': { - 'delete': True, - }, }, 'wireguard': { 'peers': { diff --git a/nodes/sophie/backupserver.py b/nodes/sophie/backupserver.py index 41a21c0..efabae1 100644 --- a/nodes/sophie/backupserver.py +++ b/nodes/sophie/backupserver.py @@ -46,9 +46,6 @@ nodes['htz-hel.backup-sophie'] = { ], }, }, - 'users': { - 'sophie': {}, - }, 'zfs': { 'datasets': { 'tank/ejgwthink': { diff --git a/nodes/sophie/paperless.py b/nodes/sophie/paperless.py index 9463f06..9319c7a 100644 --- a/nodes/sophie/paperless.py +++ b/nodes/sophie/paperless.py @@ -61,13 +61,6 @@ nodes['sophie.paperless'] = { 'postgresql': { 'version': '11', }, - 'users': { - 'sophie': { - 'sudo_commands': { - 'ALL', - }, - }, - }, 'vm': { 'cpu': 2, 'ram': 2, diff --git a/nodes/sophie/rechenmonster.py b/nodes/sophie/rechenmonster.py index 699935d..34f6783 100644 --- a/nodes/sophie/rechenmonster.py +++ b/nodes/sophie/rechenmonster.py 
@@ -54,9 +54,6 @@ nodes['sophie.rechenmonster'] = { }, }, 'users': { - 'kunsi': { - 'password': vault.decrypt('encrypt$gAAAAABgLmmuQGRUStrQawoPee-758emIYn2u8-8ebrgzNAFSp7ifeFDdXXvs-zL3QogwNYlCtBHboH2xfy1rSj6OF5bbNO-tg=='), - }, 'sophie': { 'password': vault.decrypt('encrypt$gAAAAABiEAyiedXL6ZnvelOMumhcB73X72SXZhjS_G0EDYVK5-NQ3_J_0h1W1HkFBNe5tShGNmg88jUiULRBn5u2IoiRGiDrYg=='), }, From 658acbd12b612aa01eb0fc08b99ce8d47a0664f2 Mon Sep 17 00:00:00 2001 From: Sophie Schiller Date: Sun, 9 Jun 2024 10:21:08 +0200 Subject: [PATCH 654/996] rechenmonster: add dataset --- nodes/sophie/rechenmonster.py | 3 +++ 1 file changed, 3 insertions(+) diff --git a/nodes/sophie/rechenmonster.py b/nodes/sophie/rechenmonster.py index 34f6783..ee862f7 100644 --- a/nodes/sophie/rechenmonster.py +++ b/nodes/sophie/rechenmonster.py @@ -88,6 +88,9 @@ nodes['sophie.rechenmonster'] = { 'storage/video': { 'mountpoint': '/video', }, + 'storage/nas': { + 'mountpoint': '/nas', + }, }, }, }, From 52c093427fa0571cdf060687897df32b6ded7cab Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Tue, 11 Jun 2024 17:42:43 +0200 Subject: [PATCH 655/996] ssl: bump _.home.kunbox.net --- data/ssl/_.home.kunbox.net.crt.pem | 44 ++++++++-------- .../_.home.kunbox.net.crt_intermediate.pem | 50 +++++++++---------- data/ssl/_.home.kunbox.net.key.pem.vault | 2 +- 3 files changed, 44 insertions(+), 52 deletions(-) diff --git a/data/ssl/_.home.kunbox.net.crt.pem b/data/ssl/_.home.kunbox.net.crt.pem index a011d41..b350df9 100644 --- a/data/ssl/_.home.kunbox.net.crt.pem +++ b/data/ssl/_.home.kunbox.net.crt.pem 
@@ -1,26 +1,22 @@ -----BEGIN CERTIFICATE----- -MIIETzCCAzegAwIBAgISBGnv4i5cZkqMTZ6E2W9oY145MA0GCSqGSIb3DQEBCwUA -MDIxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQD -EwJSMzAeFw0yNDAzMTYwOTAxNDdaFw0yNDA2MTQwOTAxNDZaMBoxGDAWBgNVBAMT -D2hvbWUua3VuYm94Lm5ldDB2MBAGByqGSM49AgEGBSuBBAAiA2IABNjknNF3eIBR -7bzqJEfvTTmGnw9nCDa/VY2l+POYFhrBryT9pCgO7lcSK3raynAu3yNjVSSK4KdB -p2fEu8SytoRPp6Hjz5epjIQvdaYaWsg7gjPe1GoFU8YG6KrX7y6DNaOCAiMwggIf -MA4GA1UdDwEB/wQEAwIHgDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIw -DAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQUkioReLB1H6GooNGezjbwLZ0dTBwwHwYD -VR0jBBgwFoAUFC6zF7dYVsuuUAlA5h+vnYsUwsYwVQYIKwYBBQUHAQEESTBHMCEG -CCsGAQUFBzABhhVodHRwOi8vcjMuby5sZW5jci5vcmcwIgYIKwYBBQUHMAKGFmh0 -dHA6Ly9yMy5pLmxlbmNyLm9yZy8wLQYDVR0RBCYwJIIRKi5ob21lLmt1bmJveC5u -ZXSCD2hvbWUua3VuYm94Lm5ldDATBgNVHSAEDDAKMAgGBmeBDAECATCCAQMGCisG -AQQB1nkCBAIEgfQEgfEA7wB1AO7N0GTV2xrOxVy3nbTNE6Iyh0Z8vOzew1FIWUZx -H7WbAAABjka13wQAAAQDAEYwRAIgK0+HX4aRu8J69wpybX8ExvOSDT4GTFhQGz1t -RBm8WJMCICs/8Nj65/IEUp7AaBPruyrUFvbfhZ2pNxwQIy03fn3GAHYAO1N3dT4t -uYBOizBbBv5AO2fYT8P0x70ADS1yb+H61BcAAAGORrXg5wAABAMARzBFAiEAvSxW -MJIsOZei1W3J1C1hkMQwodZC/9ucFicCWXkX7UUCIFzShY5chEVFurxRDKSYLgV1 -R820vp8F9ilwp465IeE+MA0GCSqGSIb3DQEBCwUAA4IBAQCMEbmFNXyfSwczdrf9 -0SOFEVEP8guf6JHmlSL2hNI2cWp+08fyxIEHhvNtyyyLZ57lBvtE6Q8h8WNkKayz -wBUdrHbl9HMnznURX95uofgI/6GZKv1RHyxQd6KxJZCatIhxnsVfFfoDwJmzzg80 -/aoHksxbQzzJWLcm8fJTqsE95Alc1W4u+bDkHjj+OrvNYaHsQLjxedt++jN3o4at -bkOY3zEQyg5mspykq7DjxNpPIC9mSeH6dKZAzsOc6KRWVj91Ol68GYM35TWXUp+3 -kYkU828fznJQc77u9BysTGlyc4iYLzzb0Xus6McqOVPDVnNbeLxdHCQfF8A9Hh6F -o4UX +MIIDsDCCAzWgAwIBAgISBMRgrLMPa1cucom1daU3fmCaMAoGCCqGSM49BAMDMDIx +CzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQDEwJF +NTAeFw0yNDA2MTExNDQyMzdaFw0yNDA5MDkxNDQyMzZaMBoxGDAWBgNVBAMTD2hv +bWUua3VuYm94Lm5ldDB2MBAGByqGSM49AgEGBSuBBAAiA2IABGlCPITmq729xoLb +DkSn6SYxnP7Mns9dBSqUv1WktnYjwbavlbXKN3Bz0yCGcXSCZA+Nq576DBK9L9X6 +tTeIvqG1akyNxY+1eDK3vhH4FKmZE6oOyh1jqfG2LY7dvLYCQKOCAiQwggIgMA4G 
+A1UdDwEB/wQEAwIHgDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwDAYD +VR0TAQH/BAIwADAdBgNVHQ4EFgQUt6i+27R0AAj+AUgSNg3Gmm5GzLYwHwYDVR0j +BBgwFoAUnytfzzwhT50Et+0rLMTGcIvS1w0wVQYIKwYBBQUHAQEESTBHMCEGCCsG +AQUFBzABhhVodHRwOi8vZTUuby5sZW5jci5vcmcwIgYIKwYBBQUHMAKGFmh0dHA6 +Ly9lNS5pLmxlbmNyLm9yZy8wLQYDVR0RBCYwJIIRKi5ob21lLmt1bmJveC5uZXSC +D2hvbWUua3VuYm94Lm5ldDATBgNVHSAEDDAKMAgGBmeBDAECATCCAQQGCisGAQQB +1nkCBAIEgfUEgfIA8AB2AO7N0GTV2xrOxVy3nbTNE6Iyh0Z8vOzew1FIWUZxH7Wb +AAABkAf3K9YAAAQDAEcwRQIhAPFpuj8ZoOmqhDNJDSuJ3BWyUuOUyY2QXjIVRHop +dKyPAiAa2cwsyBFOjWOEYRCZ/7UgBA5axt8ZCrRYseefFwpvSQB2AN/hVuuqBa+1 +nA+GcY2owDJOrlbZbqf1pWoB0cE7vlJcAAABkAf3LJ8AAAQDAEcwRQIhAL9+dxTj +34moGhk32PnQZg2+nVNiVxLxYjDL9fk1R+bXAiAA7EjWqcZgktinTpt1pVQMmuUn +FQ1IRh5AdycNn0lL2jAKBggqhkjOPQQDAwNpADBmAjEAubnofDBEyrcSJAiGxlqc +EpUndlnkT/irfl/As8EUt0KMSPhnV3i7oEq89bi0KDghAjEA+XHccaWUi7BJEoV7 +nCUOCct64mb2LmXkvYiFVicsV9ubp4kVbziWjLgng6TC3HoM -----END CERTIFICATE----- diff --git a/data/ssl/_.home.kunbox.net.crt_intermediate.pem b/data/ssl/_.home.kunbox.net.crt_intermediate.pem index 6626b9c..59039ae 100644 --- a/data/ssl/_.home.kunbox.net.crt_intermediate.pem +++ b/data/ssl/_.home.kunbox.net.crt_intermediate.pem 
@@ -1,31 +1,27 @@ -----BEGIN CERTIFICATE----- -MIIFFjCCAv6gAwIBAgIRAJErCErPDBinU/bWLiWnX1owDQYJKoZIhvcNAQELBQAw +MIIEVzCCAj+gAwIBAgIRAIOPbGPOsTmMYgZigxXJ/d4wDQYJKoZIhvcNAQELBQAw TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh -cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMjAwOTA0MDAwMDAw -WhcNMjUwOTE1MTYwMDAwWjAyMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNTGV0J3Mg -RW5jcnlwdDELMAkGA1UEAxMCUjMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK -AoIBAQC7AhUozPaglNMPEuyNVZLD+ILxmaZ6QoinXSaqtSu5xUyxr45r+XXIo9cP -R5QUVTVXjJ6oojkZ9YI8QqlObvU7wy7bjcCwXPNZOOftz2nwWgsbvsCUJCWH+jdx -sxPnHKzhm+/b5DtFUkWWqcFTzjTIUu61ru2P3mBw4qVUq7ZtDpelQDRrK9O8Zutm -NHz6a4uPVymZ+DAXXbpyb/uBxa3Shlg9F8fnCbvxK/eG3MHacV3URuPMrSXBiLxg -Z3Vms/EY96Jc5lP/Ooi2R6X/ExjqmAl3P51T+c8B5fWmcBcUr2Ok/5mzk53cU6cG -/kiFHaFpriV1uxPMUgP17VGhi9sVAgMBAAGjggEIMIIBBDAOBgNVHQ8BAf8EBAMC -AYYwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMBIGA1UdEwEB/wQIMAYB -Af8CAQAwHQYDVR0OBBYEFBQusxe3WFbLrlAJQOYfr52LFMLGMB8GA1UdIwQYMBaA -FHm0WeZ7tuXkAXOACIjIGlj26ZtuMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcw -AoYWaHR0cDovL3gxLmkubGVuY3Iub3JnLzAnBgNVHR8EIDAeMBygGqAYhhZodHRw -Oi8veDEuYy5sZW5jci5vcmcvMCIGA1UdIAQbMBkwCAYGZ4EMAQIBMA0GCysGAQQB -gt8TAQEBMA0GCSqGSIb3DQEBCwUAA4ICAQCFyk5HPqP3hUSFvNVneLKYY611TR6W -PTNlclQtgaDqw+34IL9fzLdwALduO/ZelN7kIJ+m74uyA+eitRY8kc607TkC53wl -ikfmZW4/RvTZ8M6UK+5UzhK8jCdLuMGYL6KvzXGRSgi3yLgjewQtCPkIVz6D2QQz -CkcheAmCJ8MqyJu5zlzyZMjAvnnAT45tRAxekrsu94sQ4egdRCnbWSDtY7kh+BIm -lJNXoB1lBMEKIq4QDUOXoRgffuDghje1WrG9ML+Hbisq/yFOGwXD9RiX8F6sw6W4 -avAuvDszue5L3sz85K+EC4Y/wFVDNvZo4TYXao6Z0f+lQKc0t8DQYzk1OXVu8rp2 -yJMC6alLbBfODALZvYH7n7do1AZls4I9d1P4jnkDrQoxB3UqQ9hVl3LEKQ73xF1O -yK5GhDDX8oVfGKF5u+decIsH4YaTw7mP3GFxJSqv3+0lUFJoi5Lc5da149p90Ids -hCExroL1+7mryIkXPeFM5TgO9r0rvZaBFOvV2z0gp35Z0+L4WPlbuEjN/lxPFin+ -HlUjr8gRsI3qfJOQFy/9rKIJR0Y/8Omwt/8oTWgy1mdeHmmjk7j1nYsvC9JSQ6Zv -MldlTTKB3zhThV1+XWYp6rjd5JW1zbVWEkLNxE7GJThEUG3szgBVGP7pSWTUTsqX -nLRbwHOoq7hHwg== +cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMjQwMzEzMDAwMDAw 
+WhcNMjcwMzEyMjM1OTU5WjAyMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNTGV0J3Mg +RW5jcnlwdDELMAkGA1UEAxMCRTUwdjAQBgcqhkjOPQIBBgUrgQQAIgNiAAQNCzqK +a2GOtu/cX1jnxkJFVKtj9mZhSAouWXW0gQI3ULc/FnncmOyhKJdyIBwsz9V8UiBO +VHhbhBRrwJCuhezAUUE8Wod/Bk3U/mDR+mwt4X2VEIiiCFQPmRpM5uoKrNijgfgw +gfUwDgYDVR0PAQH/BAQDAgGGMB0GA1UdJQQWMBQGCCsGAQUFBwMCBggrBgEFBQcD +ATASBgNVHRMBAf8ECDAGAQH/AgEAMB0GA1UdDgQWBBSfK1/PPCFPnQS37SssxMZw +i9LXDTAfBgNVHSMEGDAWgBR5tFnme7bl5AFzgAiIyBpY9umbbjAyBggrBgEFBQcB +AQQmMCQwIgYIKwYBBQUHMAKGFmh0dHA6Ly94MS5pLmxlbmNyLm9yZy8wEwYDVR0g +BAwwCjAIBgZngQwBAgEwJwYDVR0fBCAwHjAcoBqgGIYWaHR0cDovL3gxLmMubGVu +Y3Iub3JnLzANBgkqhkiG9w0BAQsFAAOCAgEAH3KdNEVCQdqk0LKyuNImTKdRJY1C +2uw2SJajuhqkyGPY8C+zzsufZ+mgnhnq1A2KVQOSykOEnUbx1cy637rBAihx97r+ +bcwbZM6sTDIaEriR/PLk6LKs9Be0uoVxgOKDcpG9svD33J+G9Lcfv1K9luDmSTgG +6XNFIN5vfI5gs/lMPyojEMdIzK9blcl2/1vKxO8WGCcjvsQ1nJ/Pwt8LQZBfOFyV +XP8ubAp/au3dc4EKWG9MO5zcx1qT9+NXRGdVWxGvmBFRAajciMfXME1ZuGmk3/GO +koAM7ZkjZmleyokP1LGzmfJcUd9s7eeu1/9/eg5XlXd/55GtYjAM+C4DG5i7eaNq +cm2F+yxYIPt6cbbtYVNJCGfHWqHEQ4FYStUyFnv8sjyqU8ypgZaNJ9aVcWSICLOI +E1/Qv/7oKsnZCWJ926wU6RqG1OYPGOi1zuABhLw61cuPVDT28nQS/e6z95cJXq0e +K1BcaJ6fJZsmbjRgD5p3mvEf5vdQM7MCEvU0tHbsx2I5mHHJoABHb8KVBgWp/lcX +GWiWaeOyB7RP+OfDtvi2OsapxXiV7vNVs7fMlrRjY1joKaqmmycnBvAq14AEbtyL +sVfOS66B8apkeFX2NY4XPEYV4ZSCe8VHPrdrERk2wILG3T/EGmSIkCYVUMSnjmJd +VQD9F6Na/+zmXCc= -----END CERTIFICATE----- diff --git a/data/ssl/_.home.kunbox.net.key.pem.vault b/data/ssl/_.home.kunbox.net.key.pem.vault index e8b045b..d07bce8 100644 --- a/data/ssl/_.home.kunbox.net.key.pem.vault +++ b/data/ssl/_.home.kunbox.net.key.pem.vault 
@@ -1 +1 @@ -encrypt$gAAAAABl9W4O5LekyB_15MB30WObrH9t9ew-irVSO5PnG5C6neXdHFTtiun46guBfuqqJo99a-jXkdXrCMmmi_qmPylw625w27fh_jpV6imyJejUTNV5LZKJJ8-jgX43dsWZHdX29TgjLDl8ebVPOoeWv6GPZ2u0-88Aylr5d_T6A0c5NB0WG7481PiR8Obu-T8uMXJRTgQwMdwWJ8mIzceJ_lD1YeF3PBNSXJatcwRqmLRB_7YfQfFCOZEUutZHRUuIsvmyPwuql0bAoV9dfgQjdsGtuPmE2i58CCKtTuweb6sq-FsF6v6pvj7Joq9hStx9lYN3l36-Zl7OvwxWkMSjcrvQvbaAO7h7Aws8fkgFOEO5cBeN9x30nhSOdmYjqvSyRAFFdJu0PEFPdu6Ft9v_g_NnARRnvDokWEEKee_NRsEuKsct2kbu05pPOHerEpNjtPEwqKnTe387Z2K2wlnYfev6LSHSDw== \ No newline at end of file +encrypt$gAAAAABmaHBwHXKZDN_8bEa47lNIX25-wvvW1RcC689Hod4HAsY2tT6fd9k7zdnbK8KWedRNopdRIlhQUkU0xBVh5J5maiYfn5R8Kp_VpkXiWY0LVY3XMWjB4oHmU29VEbl490oesAhUUH6hb7lwfvsbV4WTM_7aL0_sPfF1udxO89gg-9z2nbl-7zmTdSBY651fZQngd4SlwK17N1fedkHgYamGLdgE10oPZiRsOJKrUGv-Pxi4ICQ7J_AF6bO05PyZkeNqqUP19g2f5EsKNnT0bxQHCP5sbofvYzli-fU2bW-leuvm-VU8lV27t39lQZyF-WcWnB7626w0semrg7cCJ4qoHJVekEFWzJBLhagSNdCDWHAwdV2_MHzSgbXvyXz0maga8-1wBoa8Ueinp2oPQMPaUsVzy6NVX7mAsB6Rw9CXDSEf8WPSKWaz7324qhxKmhMHt0r68z0qM28mHb98F_vbS6geCw== \ No newline at end of file From 60a0737187f91e270163630ecce3e406c0e65543 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Tue, 18 Jun 2024 20:40:09 +0200 Subject: [PATCH 656/996] bundles/jellyfin: fix firewall defaults --- bundles/jellyfin/metadata.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/bundles/jellyfin/metadata.py b/bundles/jellyfin/metadata.py index d3d6003..8c4e9ff 100644 --- a/bundles/jellyfin/metadata.py +++ b/bundles/jellyfin/metadata.py @@ -63,7 +63,7 @@ def firewall(metadata): return { 'firewall': { 'port_rules': { - '8096/tcp': atomic(metadata.get('jellyfin/restrict-to', {'*'})), + '8096/tcp': atomic(metadata.get('jellyfin/restrict-to', set())), }, }, } From b9583d9a64e316d86776a1b1b6806bddcb97cc3a Mon Sep 17 00:00:00 2001 
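Review bot: The new default `set()` for `jellyfin/restrict-to` only tightens the 8096/tcp rule if the firewall bundle reads an empty source set as "no sources allowed" rather than as "no restriction"; that convention is not visible in this hunk, so it deserves a comment on the changed line, e.g. `# no sources allowed until the node sets jellyfin/restrict-to`. Replacing `{'*'}` as the fallback is the right direction, since the old default opened the port to every source whenever a node forgot the key. The `firewall` reactor's signature only appears in the hunk header, so its definition begins before the hunk.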
From: Franziska Kunsmann
Date: Tue, 18 Jun 2024 20:43:10 +0200
Subject: [PATCH 657/996] update element-web to 1.11.69

---
 nodes/carlene.toml | 2 +-
 nodes/htz-cloud.afra.toml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/nodes/carlene.toml b/nodes/carlene.toml
index 9db42e9..4cd7f51 100644
--- a/nodes/carlene.toml
+++ b/nodes/carlene.toml
@@ -40,7 +40,7 @@ imap_pass = "!bwpass_attr:t-online.de/franzi.kunsmann@t-online.de:imap"
 [metadata.element-web]
 url = "chat.franzi.business"
-version = "v1.11.67"
+version = "v1.11.69"
 [metadata.element-web.config]
 default_server_config.'m.homeserver'.base_url = "https://matrix.franzi.business"
 default_server_config.'m.homeserver'.server_name = "franzi.business"
diff --git a/nodes/htz-cloud.afra.toml b/nodes/htz-cloud.afra.toml
index 4596d01..d473293 100644
--- a/nodes/htz-cloud.afra.toml
+++ b/nodes/htz-cloud.afra.toml
@@ -32,7 +32,7 @@ routes.'172.19.128.0/20'.via = "172.19.137.1"
 [metadata.element-web]
 url = "element.afra.berlin"
-version = "v1.11.67"
+version = "v1.11.69"
 [metadata.element-web.config]
 default_server_config.'m.homeserver'.base_url = "https://matrix.afra.berlin"
From e876d390020a85aa6c50e69a9b91b472b6530196 Mon Sep 17 00:00:00 2001
From: Franziska Kunsmann
Date: Tue, 18 Jun 2024 20:43:25 +0200
Subject: [PATCH 658/996] update netbox to 4.0.5

---
 nodes/carlene.toml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/nodes/carlene.toml b/nodes/carlene.toml
index 4cd7f51..22e52c1 100644
--- a/nodes/carlene.toml
+++ b/nodes/carlene.toml
@@ -125,7 +125,7 @@ domain = "rss.franzi.business"
 [metadata.netbox]
 domain = "netbox.franzi.business"
-version = "v4.0.3"
+version = "v4.0.5"
 admins.kunsi = "hostmaster@kunbox.net"
 [metadata.nextcloud]
From cda7e3b7fd3328de25458b543741d2dcf6b3e9cd Mon Sep 17 00:00:00 2001
From: Franziska Kunsmann
Date: Tue, 18 Jun 2024 20:43:41 +0200
Subject: [PATCH 659/996] update paperless to 2.10.0

---
 nodes/home/paperless.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/nodes/home/paperless.py b/nodes/home/paperless.py
index 8b725e8..8a0a8d4 100644
--- a/nodes/home/paperless.py
+++ b/nodes/home/paperless.py
@@ -42,7 +42,7 @@ nodes['home.paperless'] = {
 },
 'paperless': {
 'domain': 'paperless.home.kunbox.net',
- 'version': 'v2.8.6',
+ 'version': 'v2.10.0',
 'timezone': 'Europe/Berlin',
 },
 'postgresql': {
From c47b412cf3200a7a628c39a2567e3d4fc6f2fbb1 Mon Sep 17 00:00:00 2001
From: Franziska Kunsmann
Date: Tue, 18 Jun 2024 20:43:55 +0200
Subject: [PATCH 660/996] update forgejo to 7.0.4

---
 nodes/carlene.toml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/nodes/carlene.toml b/nodes/carlene.toml
index 22e52c1..3b16b54 100644
--- a/nodes/carlene.toml
+++ b/nodes/carlene.toml
@@ -49,8 +49,8 @@ defaultCountryCode = "DE"
 jitsi.preferredDomain = "meet.ffmuc.net"
 [metadata.forgejo]
-version = "7.0.3"
-sha1 = "81b8adc6686bbaebdca6c17059fe6b4f67250e67"
+version = "7.0.4"
+sha1 = "2ca8a4b6d9abae666b84a3b03a5c017f4a774651"
 domain = "git.franzi.business"
 enable_git_hooks = true
 install_ssh_key = true
From e5c567255469d7d2782c1101dd22822f67e678f5 Mon Sep 17 00:00:00 2001
From: Sophie Schiller
Date: Fri, 21 Jun 2024 19:32:28 +0200
Subject: [PATCH 661/996] add vmhost for sophies home

---
 nodes/sophie/vmhost.py | 85 ++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 85 insertions(+)
 create mode 100644 nodes/sophie/vmhost.py

diff --git a/nodes/sophie/vmhost.py b/nodes/sophie/vmhost.py
new file mode 100644
index 0000000..d9321d1
--- /dev/null
+++ b/nodes/sophie/vmhost.py
@@ -0,0 +1,85 @@
+nodes['sophie.vmhost'] = {
+ 'hostname': '172.19.164.2',
+ 'bundles': {
+ 'backup-client',
+ 'lm-sensors',
+ 'mosquitto',
+ 'smartd',
+ 'vmhost',
+ 'zfs',
+ },
+ 'groups': {
+ 'debian-bookworm',
+ },
+ 'metadata': {
+ 'interfaces': {
+ 'br1': {
+ 'ips': {
+ '172.19.164.2/24',
+ },
+ 'gateway4': '172.19.164.1',
+ 'ipv6_accept_ra': True,
+ },
+ },
+ 'mosquitto': {
+ 'bridges': {
+ 'c3voc': {
+ 'peer': 'mqtt.c3voc.de',
+ 'client_id': 'sophie-vm-host',
+ 'auth': {
+ 'username': vault.decrypt('encrypt$gAAAAABgaBa5UZyZlsMM9TV5pa-VyOieFWYzAslxWVnXjOeXHvF4kMHHSHSMOrv-U9k7Ec3mMCDuJFO3ybpOsZSeFQDL7GgEfw=='),
+ 'password': vault.decrypt('encrypt$gAAAAABgaBbfm65cYBuod0UehWNmY0NfeUH9xsrP2kENYNF_LWP2iV5a8db_cqMoITwyjjBsHpvjaeDq07Z5K5nQ_BLZG6zPqapL-Qvp20wyck49Dy2R4V4='),
+ },
+ 'topics': [
+ {
+ 'pattern': '#',
+ 'remote_prefix': '/voc/',
+ 'local_prefix': 'voc'
+ },
+ ],
+ },
+ },
+ 'listeners': {
+ '8083': {
+ 'protocol': 'websockets',
+ },
+ },
+ 'tasmota-telegraf-topic': '/switch/#',
+ 'restrict-to': {
+ '172.19.164.0/24',
+ },
+ },
+ 'systemd-networkd': {
+ 'bridges': {
+ 'br0': {
+ 'match': {
+ 'eno2',
+ },
+ },
+ 'br1': {
+ 'match': {
+ 'br0.1',
+ },
+ },
+ },
+ },
+ 'zfs': {
+ 'pools': {
+ 'storage': {
+ 'when_creating': {
+ 'config': [{
+ 'devices': {
+ '/dev/disk/by-id/nvme-SAMSUNG_MZVLB256HAHQ-000L7_S41GNX0M481966-part3',
+ },
+ }]
+ }
+ }
+ },
+ "datasets": {
+ "storage/libvirt": {
+ "mountpoint": "/var/lib/libvirt",
+ },
+ },
+ },
+ },
+}
From 2f4b90c14789fb57c98a04d363fc91dd0fbb409a Mon Sep 17 00:00:00 2001
From: Sophie Schiller
Date: Fri, 21 Jun 2024 19:32:43 +0200
Subject: [PATCH 662/996] miniserver: element update

---
 nodes/sophie/miniserver.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/nodes/sophie/miniserver.py b/nodes/sophie/miniserver.py
index 346a8ee..06fb140 100644
--- a/nodes/sophie/miniserver.py
+++ b/nodes/sophie/miniserver.py
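Review bot: The trailing-comma style used throughout this new node file is broken in two places: `'local_prefix': 'voc'` in the bridge topic and the three closing lines of `zfs/pools/storage` (`}]`, `}`, `}`) carry no trailing comma, and the `datasets` block switches to double quotes (`"datasets"`, `"storage/libvirt"`, `"mountpoint"`) while every other key in the node is single-quoted. Neither changes behaviour, but the next key added after `'local_prefix'` or after `'when_creating'` will need the comma anyway, so `'local_prefix': 'voc',` and commas on the three closers keep future diffs to one line. The bridge credentials go through `vault.decrypt`, matching the Python nodes elsewhere in this series, and `restrict-to` limits the 8083 websocket listener to the node's own /24, which looks deliberate.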
@@ -63,7 +63,7 @@ nodes['htz-cloud.miniserver'] = {
 },
 'element-web': {
 'url': 'chat.sophies-kitchen.eu',
- 'version': 'v1.11.67',
+ 'version': 'v1.11.69',
 'config': {
 'default_server_config': {
 'm.homeserver': {
From 263301b26532a8fca2c049d5a0e40f49f8324352 Mon Sep 17 00:00:00 2001
From: Sophie Schiller
Date: Fri, 21 Jun 2024 20:32:06 +0200
Subject: [PATCH 663/996] add homeassistant in sophies home

---
 data/ssl/_.home.sophies-kitchen.eu.crt.pem | 23 +++++++++++++
 ...me.sophies-kitchen.eu.crt_intermediate.pem | 27 +++++++++++++++
 .../_.home.sophies-kitchen.eu.key.pem.vault | 1 +
 nodes/sophie/sophie.homeassistant.toml | 34 +++++++++++++++++++
 4 files changed, 85 insertions(+)
 create mode 100644 data/ssl/_.home.sophies-kitchen.eu.crt.pem
 create mode 100644 data/ssl/_.home.sophies-kitchen.eu.crt_intermediate.pem
 create mode 100644 data/ssl/_.home.sophies-kitchen.eu.key.pem.vault
 create mode 100644 nodes/sophie/sophie.homeassistant.toml

diff --git a/data/ssl/_.home.sophies-kitchen.eu.crt.pem b/data/ssl/_.home.sophies-kitchen.eu.crt.pem
new file mode 100644
index 0000000..6f6da9e
--- /dev/null
+++ b/data/ssl/_.home.sophies-kitchen.eu.crt.pem
@@ -0,0 +1,23 @@ +-----BEGIN CERTIFICATE----- +MIIDxzCCA02gAwIBAgISBDW3AazQEdYbYaSrLIoUKbvsMAoGCCqGSM49BAMDMDIx +CzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQDEwJF +NjAeFw0yNDA2MjExNjUzNDBaFw0yNDA5MTkxNjUzMzlaMCIxIDAeBgNVBAMTF2hv +bWUuc29waGllcy1raXRjaGVuLmV1MHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEQDuO +QacqKUrKWbwBWgSqPkaBIb4t6f4kiRMvCyY8KiZmIvJadVD6iKnbcGzFQ0LRI+vt ++O6ZVpwsUOXvgF3PB7o7OfODlVsKRc4pYJPvoRRaz1VlK6eZW20GGivBVgl0o4IC +NDCCAjAwDgYDVR0PAQH/BAQDAgeAMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEF +BQcDAjAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBRScRdoEyCVXr1PC0yvKusaOO5i +dTAfBgNVHSMEGDAWgBSTJ0aYA6lRaI6Y1sRCSNsjv1iU0jBVBggrBgEFBQcBAQRJ +MEcwIQYIKwYBBQUHMAGGFWh0dHA6Ly9lNi5vLmxlbmNyLm9yZzAiBggrBgEFBQcw +AoYWaHR0cDovL2U2LmkubGVuY3Iub3JnLzA9BgNVHREENjA0ghkqLmhvbWUuc29w +aGllcy1raXRjaGVuLmV1ghdob21lLnNvcGhpZXMta2l0Y2hlbi5ldTATBgNVHSAE +DDAKMAgGBmeBDAECATCCAQQGCisGAQQB1nkCBAIEgfUEgfIA8AB1AEiw42vapkc0 +D+VqAvqdMOscUgHLVt0sgdm7v6s52IRzAAABkDvuwaIAAAQDAEYwRAIgP3lyMqvr ++a7XWoRLxzQzhv6umJ/hiQPTWen3qqTao34CIGLq9y9ZPZUuo2smf49h9v9I9B4t +o6ihFaHoOB68q37DAHcA3+FW66oFr7WcD4ZxjajAMk6uVtlup/WlagHRwTu+UlwA +AAGQO+7CZAAABAMASDBGAiEAjl1f87koOUNfTNL4IRO+BBEVeHCxPvYRaztVJoC0 +x6ECIQDblc+Snmea3OSqydLcyi8xgdtMySyQgPElXLtM7H+RUjAKBggqhkjOPQQD +AwNoADBlAjA0FOSmTiYrA9Hd2T5DkI2TMOH2akk8SxXprkei6H37bI8O3br7ke8t +jwHWVtvN4d8CMQDohhdWUQ3G8Fl4ektN34oX6U3NcywBm96U3RVt5JYcfnn8ea68 +Qboj263s/g0Ciqs= +-----END CERTIFICATE----- diff --git a/data/ssl/_.home.sophies-kitchen.eu.crt_intermediate.pem b/data/ssl/_.home.sophies-kitchen.eu.crt_intermediate.pem new file mode 100644 index 0000000..4652201 --- /dev/null +++ b/data/ssl/_.home.sophies-kitchen.eu.crt_intermediate.pem 
@@ -0,0 +1,27 @@ + +-----BEGIN CERTIFICATE----- +MIIEVzCCAj+gAwIBAgIRALBXPpFzlydw27SHyzpFKzgwDQYJKoZIhvcNAQELBQAw +TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh +cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMjQwMzEzMDAwMDAw +WhcNMjcwMzEyMjM1OTU5WjAyMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNTGV0J3Mg +RW5jcnlwdDELMAkGA1UEAxMCRTYwdjAQBgcqhkjOPQIBBgUrgQQAIgNiAATZ8Z5G +h/ghcWCoJuuj+rnq2h25EqfUJtlRFLFhfHWWvyILOR/VvtEKRqotPEoJhC6+QJVV +6RlAN2Z17TJOdwRJ+HB7wxjnzvdxEP6sdNgA1O1tHHMWMxCcOrLqbGL0vbijgfgw +gfUwDgYDVR0PAQH/BAQDAgGGMB0GA1UdJQQWMBQGCCsGAQUFBwMCBggrBgEFBQcD +ATASBgNVHRMBAf8ECDAGAQH/AgEAMB0GA1UdDgQWBBSTJ0aYA6lRaI6Y1sRCSNsj +v1iU0jAfBgNVHSMEGDAWgBR5tFnme7bl5AFzgAiIyBpY9umbbjAyBggrBgEFBQcB +AQQmMCQwIgYIKwYBBQUHMAKGFmh0dHA6Ly94MS5pLmxlbmNyLm9yZy8wEwYDVR0g +BAwwCjAIBgZngQwBAgEwJwYDVR0fBCAwHjAcoBqgGIYWaHR0cDovL3gxLmMubGVu +Y3Iub3JnLzANBgkqhkiG9w0BAQsFAAOCAgEAfYt7SiA1sgWGCIpunk46r4AExIRc +MxkKgUhNlrrv1B21hOaXN/5miE+LOTbrcmU/M9yvC6MVY730GNFoL8IhJ8j8vrOL +pMY22OP6baS1k9YMrtDTlwJHoGby04ThTUeBDksS9RiuHvicZqBedQdIF65pZuhp +eDcGBcLiYasQr/EO5gxxtLyTmgsHSOVSBcFOn9lgv7LECPq9i7mfH3mpxgrRKSxH +pOoZ0KXMcB+hHuvlklHntvcI0mMMQ0mhYj6qtMFStkF1RpCG3IPdIwpVCQqu8GV7 +s8ubknRzs+3C/Bm19RFOoiPpDkwvyNfvmQ14XkyqqKK5oZ8zhD32kFRQkxa8uZSu +h4aTImFxknu39waBxIRXE4jKxlAmQc4QjFZoq1KmQqQg0J/1JF8RlFvJas1VcjLv +YlvUB2t6npO6oQjB3l+PNf0DpQH7iUx3Wz5AjQCi6L25FjyE06q6BZ/QlmtYdl/8 +ZYao4SRqPEs/6cAiF+Qf5zg2UkaWtDphl1LKMuTNLotvsX99HP69V2faNyegodQ0 +LyTApr/vT01YPE46vNsDLgK+4cL6TrzC/a4WcmF5SRJ938zrv/duJHLXQIku5v0+ +EwOy59Hdm0PT/Er/84dDV0CSjdR/2XuZM3kpysSKLgD1cKiDA+IRguODCxfO9cyY +Ig46v9mFmBvyH04= +-----END CERTIFICATE----- diff --git a/data/ssl/_.home.sophies-kitchen.eu.key.pem.vault b/data/ssl/_.home.sophies-kitchen.eu.key.pem.vault new file mode 100644 index 0000000..2bc548a --- /dev/null +++ b/data/ssl/_.home.sophies-kitchen.eu.key.pem.vault 
@@ -0,0 +1 @@ +encrypt$gAAAAABmdb4pdFakOuqHPRpEu_RjEPVVS9Ef0kuvWKKT3Gr3056e0nhinh_THX1w7CqiZ4CQlvSIH7vlDNUORFWlqDuZJOh8FYPSzjr78aK1MqVGZHxQBK8VVNd0K5m1U3z9_4W_pB7Zr_5fLXDqtIW-t68GQPEfxCwy2h2eBepQ2zJiLupWa7JwuqiXH6QyB4gD5Y-9F30RjH52WtJLrx6XtgClPG0p-6FrHcNHqmMYqgpt11zvLa88lOBUoDGFrrqqFRbY039ay2b1jrQOAhTQLDxnAMsbr5jTSbST1modE-1u_Wis-Km-jcMwkiViZpK-HC6Ce_TNdt1NDarBat6nRhTrpqHXENlroVixHmGl1_-Y6mc75tJ-KHQKRRzwK8V_X62iA3vfSz1Xps8B1FZqxJWA2EdM0JkQecCuC-bnpedEoumYnif3vLhe91NV8SQ5FBlkd3NFT8vBAWCgnqT_jDf5YQW70w== \ No newline at end of file diff --git a/nodes/sophie/sophie.homeassistant.toml b/nodes/sophie/sophie.homeassistant.toml new file mode 100644 index 0000000..321328c --- /dev/null +++ b/nodes/sophie/sophie.homeassistant.toml @@ -0,0 +1,34 @@ +hostname = "172.19.164.3" +bundles = [ + 'homeassistant', + 'nginx', + 'pyenv', +] +groups = ["debian-bookworm"] + +[metadata.interfaces.enp1s0] +ips = [ + "172.19.164.3/24", +] +gateway4 = "172.19.164.1" +ipv6_accept_ra = true + +[metadata.vm] +cpu = 2 +ram = 4 + +[metadata.homeassistant] +domain = 'homeassistant.home.sophies-kitchen.eu' +api_secret = 'encrypt$gAAAAABjpyuqXLoilokQW5c0zV8shHcOzN1zkEbS-I6WAAX-xDO_OF33YbjbkpELU2HGBzqiWX40J0hsaEbYJOnCHFk8gJ-Xt0vdqqbQ5vca_TGPNQHZPAS4qZoPTcUhmX_I-0EdT6ukhxejXFYBiYRZikTLjH3lcNM5qnckCm-H9NbRdjLb9hbCDIjbEglHmBl_g08S1_ukvX3dDSCIHIxgXXGsdK_Go1KxPJd8G22FL_MMhCfsTW-6ioIqoHSeSA1NGk3MZHEIM2errckiopKBxoBaROsacO9Uqk1zrrgXOs2NsgiTRtrbV1TNlFVaIX9mZdsUnMGZ' + +[metadata.nginx] +restrict-to = [ + '172.19.164.0/22', +] + +[metadata.pyenv] +version = 'v2.3.36' +python_versions = ["3.12.2"] + +[metadata.nginx.vhosts.homeassistant] +ssl = '_.home.sophies-kitchen.eu' From 2c51caa524cac3d84494f54731bc003813186edc Mon Sep 17 00:00:00 2001 From: Sophie Schiller Date: Fri, 21 Jun 2024 20:58:17 +0200 Subject: [PATCH 664/996] update nginx signing key --- data/apt/files/gpg-keys/nginx.asc | 202 +++++++++++++++++++++++++++--- 1 file changed, 183 insertions(+), 19 deletions(-) 
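Review bot: `api_secret` is stored as a raw `encrypt$…` string in this TOML node; unlike the Python nodes in this series, which wrap such values in `vault.decrypt(...)`, nothing here decrypts it, so unless the homeassistant bundle decrypts the value itself it will be handed the ciphertext — the TOML loader's magic-string prefixes (this repo already uses `!bwpass_attr:` in `nodes/carlene.toml`; bundlewrap's `!decrypt:` is the equivalent for vault ciphertext) resolve that at load time and are worth confirming against the bundle. Separately, `restrict-to = ['172.19.164.0/22']` under `[metadata.nginx]` is wider than the node's own `172.19.164.3/24` and than the `/24` the vmhost in this series uses for its mosquitto `restrict-to`; if the /22 is not deliberate, `'172.19.164.0/24',` would match the rest of the network, and if it is, a comment naming the other subnets it admits would stop the next reader from "fixing" it. As a matter of layout, `[metadata.nginx.vhosts.homeassistant]` sits after `[metadata.pyenv]` instead of next to `[metadata.nginx]`, which splits the nginx configuration across the file.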
diff --git a/data/apt/files/gpg-keys/nginx.asc b/data/apt/files/gpg-keys/nginx.asc
index d2258b8..656d40c 100644
--- a/data/apt/files/gpg-keys/nginx.asc
+++ b/data/apt/files/gpg-keys/nginx.asc
@@ -1,5 +1,66 @@ -----BEGIN PGP PUBLIC KEY BLOCK----- -Version: GnuPG v2.0.22 (GNU/Linux) + +mQINBGZXLBYBEACxv3nUIdUtFCpH1G4hBB+eVSsWwnHVTDtSYfINHmN8dQfyGy22 +XcX2DR6ZW9/I5e06McAz4e3hTuhD5+sF7zv4Dd/xEqxpra08liVvB3QlJ6kawBJa +Bn29s/N/A06yUrOVC1ZjhpDLshaHeyHjWDVLUX9ibLx1N3BQoeoH/5lgTmfF4JPk +LfnTMwHWQ5phT52MVE+B/XExldIPAn27m2ZfXHXnSUMKCRybQNypBiIp6OBfirwa +pyjaRO1AajwalSkbSV9o/fL3liluv1HimQ11/5y0rxMdi+aaeca9oA4Gvfdh/biO +MYcTeiZx72BKqDwMfJVXSjQ8XOYbfCjWp8dNkS5Yd4bmX+ITXRkZHqQxgmoKWr7B +9/i+asColt/qqsQ6PROa2y86TbQSfn/HM8L6c85BkJrI41abJ2QHShVzpk0e/464 +hqxvnAZCrmdM+GBSuYfDDqHHHgxhIzHnKnyRX/MtfhZA/CUFUOe+m6j214KKtkMQ +6EpZzgH52FFD6Vi1NkQvfYx5pqEdmJfRKR9ABf8fYI8U8ryNgIq7f13bwoX4haZy +ql/fC4lTG6OEppgdQe7afyAmdi7G/w1pMcbz5Wwp91R+1372XifynBdeTrUsbK25 +P42TH3OADC2Id+MaaGh1AjY1bFifOGRf48rnrcMn0Q4Lw3l56wgjou4MUQARAQAB +tCtuZ2lueCBzaWduaW5nIGtleSA8c2lnbmluZy1rZXktMkBuZ2lueC5jb20+iQIi +BBMBCgAWBQJmVywWCRAv0hMQtJ9rRgIbAwIZAQAAq08P/jeIVEj9/cJFzdOeBqjg +F9DNZljkR+2z5UAkQSHfkzWgHRbdAnjT1bc/ltLi6w/z/97kOZhaiSx6TLRg2mX/ +5nuC4KijhT9rNc/d5j/BHS4U7lFK8c5ED5wxGvJZcF0VCSfeaiuxoO3QiNYX1iiD +qEyJ1XL/XHd7LjJ4gKxsohKL1rRLSuvtOkK799YArNit5ueATDWW6EUSZaxOiMNz +MaQFMEkjoiPVlj7jNwZN7KHNXkaJjiER0kmJ9XWDtkgSHOZrUNX2PHJpxxCtQj7d +YpOFM/DHvNUZ9dHXm3Ioo3R/MUcC4mbZpAvs4YwZ/yRqov/MX4WEUtvcCY36EL5t +hUDK09huMMBLBdM0jgVLsJnXn5ksMdVkpgFyeR/SKEaUTmQrgkCIwqvRxDegAkNN +lmAiNhxdKD+CrWws+EzQYOeWVRUO9aHKC5ttwhhQuxyvmNgoAMhd8x8Tcm7grC/m +ZOqYWzpEWd1DEyi9jaTkhrSWMd5jc5lvCwOHDRzVi1HmIJy+cybPbQpkbFY6vj/7 +shx2Aa+QKRJs+33Ztg0drc3j+mDk9NJQy0KPIbqee0gy0pmaKNiJOxdIWI6ra3cM +3lh5OG+CGakga1X9YiCWv4/OgDYY/6cFTqEN0wXruFLNZ7P4iowJgPU1KZauvDZl +gfsgBoKJ35Nf6p9PdjcjcyW5iQEzBBABCAAdFiEEcziXMGntP0Q/TTffpk/VsXrb +OagFAmZXLlcACgkQpk/VsXrbOaiWowgAvU9HwLkK74VGjosmPpcjurRowUp+/KOA +HmIro2wQ6JVlUrSL2Rz+RIBJ1BKTgGnVZznkXywXHWK2LI4nL3aDoAuyyrzQk1pj +hO1ZJGJBvh9Zq/kGRgEdlTe2sXVX2G7fr4fhd6BcYYvUBQ5OWR6Hh6uS+G1QVw0y +Lu5Gp+7kyolyH6iYlgvxseche+EIqBPyHe5fyb1t8Zcu1uHoQHj9O90FvJSbq4dR 
+d0tTlqK1tDklT+Aod2UobBCurn45udjiAKtzH6Bg2dvF/oY4udSC9/HgNPbm7JuY +clEaLukWMdFOCEj9Xr6krHtUh7zTiU6pHvUL2SYMPhsJj6AKZRg52IkBMwQQAQgA +HRYhBFc7/Ws9j7xkEHmmq6v1vYJ72b9iBQJmVz0rAAoJEKv1vYJ72b9iVTwH/Awq +vgnXbJ5mCGbLdQgrDoUYe+1nw/qWbl7Hpn/px55BEIW5S0itI50c9sOS2QFQMdRh +YVqZ+YH4aH5pDNW2kFik4Y+CFoJI9QkrEUx66PYIMu3RVBEE7/HQEwND/IbEAeMg +PpGQdEfEDD8kevlinJTyDXJ3dfBa6HEDpK0wDYrBx3mbHP7ouACsZcxqSdx4kOyv +U2Xvlc5pVRsdvJ7AsVRhRaRdSO8YlqU1Ue/OM/Ejj+GZ1Qo8EDge5887HiY8gcjy +J4FS1n2+3839n990s5xDCFSB1G8KmwgkfbkS6gEpA5wf9nk3tiSPS+HMfjMb50GJ +SayUVrAyUupv/Sxvyo+JAjMEEAEIAB0WIQTWeGzjA9mpAimY3GzIRk1UmvdcCgUC +ZldKbQAKCRDIRk1UmvdcCn6EEACUhtMnJGtrunotTwywt/jfkqexA+lhQ+S9V5eF +IIK6Tlq1asFy0s+twYJBQzTXt+hmL8GrBgeQp26CA8wrbxmnUOrXO1K9ksaXXjj0 +SRo9Xr/flCmeFKFRSSVy18UZVwf1vftFwF2lQspU+xZmj7vgr+2vKa3Z+81J8tHw +3/Sc5pt3EGB8GeCiEThe3zr49KpANejy/7feASSS+BBBUbNqnCFImfwLJ2V99mGx +GdejudbTYEXsn6jyVWTeKBcaLM4ArS20O0DJkqBcVC1Ymq+K3AGmKnrLJXDSwaV/ ++yv5pyqApf6Lu9tx7wy6upBop8KroB9xiTN5UIiYhwtHBlpOLkmXB7K549CYX34y +aOHJjez8Txn1bDhbCOe8WOnPEDI8V4RQBr0/xePru6lfwSmSriquVuBGZSir6qxA +1folqrEuoF5aEuxFper6yC/zfVP85znqBOh8OaYTGBeb622UswzLTbW4y2M3E9Ws +KhaXzTqXgIn3INCJLCv4CHiGQQB6zN6meGdOkEV0IaZvq3O4iZOAVFmKbN3GZcKT +Kjxq295LNO15c0WCauik3FRjSppyvcAqoCEbr+LVAX3/ZV3oELhQPnkZCuAFQUB+ +LKxTcTEIdjFKrPEvDgXLL9CNe747ANcLCV02SRRGYnfQ1aoxJNQlzbFw0unHjyDk +vKcD44kBswQQAQgAHRYhBBPIKmO2A1dhVuMKTqDqmBtmsNlnBQJmV1HlAAoJEKDq +mBtmsNlni3gMALfZSqIL7v66dMyjLQR81G4o6rEAixTuFc3B8xDmWDHKIjmdRMTN +mm2KGz0CG7VjdHSe3oOBYok4fDVS0o636EOxndOHszuB9cfhMMXNDFi4T1xcZCLm +UTdXCH88cagwTf6REsbfuXF8WiFemNNiPzMzLmnTlUe7Va2t+gKD/Q9vSlDLKz66 +IZBMdDoAHDKHZTtvwlAKswnpO0cDIeZjO0C1+YFLLSJ1nYQbh6mH+hJvNLimWPKR +ZQCPAa5w0Gutz91cE9nv03yg3FMcjlEgklQ77g/nGGFJnQHAeMhfgUUfPLx1rI9/ +5NON5w7Wf3PXOlTYWO25ieUVKESu8dUCFktKRMnzauej2vjnQlMFG0upzw8dhytn +E83WanvRzVynanK38PCNYQ3INsydN3wvJNetHpBdpyPfOa61dOUtu1TBvV80qcBR +wIe6vbWZx0WB59b3KV8Sc68j8OJxF6i3E0IRby4f0hcoqogBkry0NPK/rtL2HHnN +vcV0wl+DODz9hw== +=oWlI +-----END PGP PUBLIC KEY BLOCK----- +-----BEGIN PGP PUBLIC 
KEY BLOCK----- mQENBE5OMmIBCAD+FPYKGriGGf7NqwKfWC83cBV01gabgVWQmZbMcFzeW+hMsgxH W6iimD0RsfZ9oEbfJCPG0CRSZ7ppq5pKamYs2+EJ8Q2ysOFHHwpGrA2C8zyNAs4I 
@@ -7,22 +68,125 @@ QxnZZIbETgcSwFtDun0XiqPwPZgyuXVm9PAbLZRbfBzm8wR/3SWygqZBBLdQk5TE fDR+Eny/M1RVR4xClECONF9UBB2ejFdI1LD45APbP2hsN/piFByU1t7yK2gpFyRt 97WzGHn9MV5/TL7AmRPM4pcr3JacmtCnxXeCZ8nLqedoSuHFuhwyDnlAbu8I16O5 XRrfzhrHRJFM1JnIiGmzZi6zBvH0ItfyX6ttABEBAAG0KW5naW54IHNpZ25pbmcg -a2V5IDxzaWduaW5nLWtleUBuZ2lueC5jb20+iQE+BBMBAgAoAhsDBgsJCAcDAgYV -CAIJCgsEFgIDAQIeAQIXgAUCV2K1+AUJGB4fQQAKCRCr9b2Ce9m/YloaB/9XGrol -kocm7l/tsVjaBQCteXKuwsm4XhCuAQ6YAwA1L1UheGOG/aa2xJvrXE8X32tgcTjr -KoYoXWcdxaFjlXGTt6jV85qRguUzvMOxxSEM2Dn115etN9piPl0Zz+4rkx8+2vJG -F+eMlruPXg/zd88NvyLq5gGHEsFRBMVufYmHtNfcp4okC1klWiRIRSdp4QY1wdrN -1O+/oCTl8Bzy6hcHjLIq3aoumcLxMjtBoclc/5OTioLDwSDfVx7rWyfRhcBzVbwD -oe/PD08AoAA6fxXvWjSxy+dGhEaXoTHjkCbz/l6NxrK3JFyauDgU4K4MytsZ1HDi -MgMW8hZXxszoICTTiQEcBBABAgAGBQJOTkelAAoJEKZP1bF62zmo79oH/1XDb29S -YtWp+MTJTPFEwlWRiyRuDXy3wBd/BpwBRIWfWzMs1gnCjNjk0EVBVGa2grvy9Jtx -JKMd6l/PWXVucSt+U/+GO8rBkw14SdhqxaS2l14v6gyMeUrSbY3XfToGfwHC4sa/ -Thn8X4jFaQ2XN5dAIzJGU1s5JA0tjEzUwCnmrKmyMlXZaoQVrmORGjCuH0I0aAFk -RS0UtnB9HPpxhGVbs24xXZQnZDNbUQeulFxS4uP3OLDBAeCHl+v4t/uotIad8v6J -SO93vc1evIje6lguE81HHmJn9noxPItvOvSMb2yPsE8mH4cJHRTFNSEhPW6ghmlf -Wa9ZwiVX5igxcvaIRgQQEQIABgUCTk5b0gAKCRDs8OkLLBcgg1G+AKCnacLb/+W6 -cflirUIExgZdUJqoogCeNPVwXiHEIVqithAM1pdY/gcaQZmIRgQQEQIABgUCTk5f -YQAKCRCpN2E5pSTFPnNWAJ9gUozyiS+9jf2rJvqmJSeWuCgVRwCcCUFhXRCpQO2Y -Va3l3WuB+rgKjsQ= -=EWWI +a2V5IDxzaWduaW5nLWtleUBuZ2lueC5jb20+iQE+BBMBAgAoBQJOTjJiAhsDBQkJ +ZgGABgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAKCRCr9b2Ce9m/YpvjB/98uV4t +94d0oEh5XlqEZzVMrcTgPQ3BZt05N5xVuYaglv7OQtdlErMXmRWaFZEqDaMHdniC +sF63jWMd29vC4xpzIfmsLK3ce9oYo4t9o4WWqBUdf0Ff1LMz1dfLG2HDtKPfYg3C +8NESud09zuP5NohaE8Qzj/4p6rWDiRpuZ++4fnL3Dt3N6jXILwr/TM/Ma7jvaXGP +DO3kzm4dNKp5b5bn2nT2QWLPnEKxvOg5Zoej8l9+KFsUnXoWoYCkMQ2QTpZQFNwF +xwJGoAz8K3PwVPUrIL6b1lsiNovDgcgP0eDgzvwLynWKBPkRRjtgmWLoeaS9FAZV +ccXJMmANXJFuCf26iQFVBBMBCAA/AhsDBgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIX +gBYhBFc7/Ws9j7xkEHmmq6v1vYJ72b9iBQJmULK1BQkdphrTAAoJEKv1vYJ72b9i 
+2+AH/RSX5voZXtSAl0fxVc9GDrGesOsykkSELnailOkWiFEHZS842U1EQst9Omki +OC14xk9fY36gK8bxXnLwww4hnnh/fpj7vJkJpVCi2uO3RKizyN6rp+7xbZ2lCKfp +5tsDg5U4iaaziTNtb4ISq79gLmLY/gqBwGksRozmChsl2QOVgg0KDTI5TP+41IwW +AFuO+XzHZ7OEegxwHta65KeVNipYjCarTRcRhGxA0rpLdBynkZ/OaI5+J6UZVfna +2eyDgHPlMo+v12+g/wOFOwShVWo4PwIsZw1jzBCLhspgezn7IolQFMHtVxCJAkgw +XhLgogChbe885HzTB6GlMowXclGJATMEEAEIAB0WIQRzOJcwae0/RD9NN9+mT9Wx +ets5qAUCZlcuRQAKCRCmT9Wxets5qD1GB/4/NIcvCRj3LvFbrtmtbExBoBP6Hv/8 +U4wUpuJbAAxImJ9uNKKaH+cmvoshkWTSUBXTvNjAQW3SM9oW+V3G7wicUtH+7cnd +xExuqf5e6f6IGqKCgrV25g0WWvJZG6ynMDDkgnyu3fTE7GkVKwoWQ6qV6Akar8oV +29P+xe2U7AWPvw+O+SBghl32x8DA/nUjIyLbvBQuXb6BjHOxrTw3WOJDfwHwOyMd +P7NHe7RE70cSj/TNabuNw9c31H0+PAj+UWfvgs5diPVJ9Fd/PK4pWQoh/4poMEbc +/1Ol0G7SItUKO6v4aHn89g00xnqUxrfwbCWCEF9EjnfFtlsDbGSWIdz8iQE+BBMB +AgAoAhsDBgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAUCV2K1+AUJGB4fQQAKCRCr +9b2Ce9m/YloaB/9XGrolkocm7l/tsVjaBQCteXKuwsm4XhCuAQ6YAwA1L1UheGOG +/aa2xJvrXE8X32tgcTjrKoYoXWcdxaFjlXGTt6jV85qRguUzvMOxxSEM2Dn115et +N9piPl0Zz+4rkx8+2vJGF+eMlruPXg/zd88NvyLq5gGHEsFRBMVufYmHtNfcp4ok +C1klWiRIRSdp4QY1wdrN1O+/oCTl8Bzy6hcHjLIq3aoumcLxMjtBoclc/5OTioLD +wSDfVx7rWyfRhcBzVbwDoe/PD08AoAA6fxXvWjSxy+dGhEaXoTHjkCbz/l6NxrK3 +JFyauDgU4K4MytsZ1HDiMgMW8hZXxszoICTTiQEcBBABAgAGBQJOTkelAAoJEKZP +1bF62zmo79oH/1XDb29SYtWp+MTJTPFEwlWRiyRuDXy3wBd/BpwBRIWfWzMs1gnC +jNjk0EVBVGa2grvy9JtxJKMd6l/PWXVucSt+U/+GO8rBkw14SdhqxaS2l14v6gyM +eUrSbY3XfToGfwHC4sa/Thn8X4jFaQ2XN5dAIzJGU1s5JA0tjEzUwCnmrKmyMlXZ +aoQVrmORGjCuH0I0aAFkRS0UtnB9HPpxhGVbs24xXZQnZDNbUQeulFxS4uP3OLDB +AeCHl+v4t/uotIad8v6JSO93vc1evIje6lguE81HHmJn9noxPItvOvSMb2yPsE8m +H4cJHRTFNSEhPW6ghmlfWa9ZwiVX5igxcvaIRgQQEQIABgUCTk5b0gAKCRDs8OkL +LBcgg1G+AKCnacLb/+W6cflirUIExgZdUJqoogCeNPVwXiHEIVqithAM1pdY/gca +QZmIRgQQEQIABgUCTk5fYQAKCRCpN2E5pSTFPnNWAJ9gUozyiS+9jf2rJvqmJSeW +uCgVRwCcCUFhXRCpQO2YVa3l3WuB+rgKjsSJAjMEEAEIAB0WIQTWeGzjA9mpAimY +3GzIRk1UmvdcCgUCZldKdQAKCRDIRk1UmvdcCj1hEACv1XfhwpsBPVNzcfzMIpfY +xAQF28m/VFLwD8FYKoVgb4rF2wLBtt9kaoPZxphEvV/FWHhpa3Tyr3L320r6sVk2 
+5Ou6G/AH6kNF6vYn98chEmbCc7DE2B03G1HFFuRSOmp0ZwafJ6MYUhjpDrf6fFDL +fmdkr/hjLwCYvFQsHXYiIWDFBPZ6RvVC6ozbdFr4eWj+CIPZM4jcGTgSI/u67tC6 +8tOdX4a8/ujdkLDjyf2xgbWT8ZxY3o0fvfLFEQVpNMUsYtiW/kTPBsq48Gq2BWow +/2Ld86KjgBOyElnVy9kMLCB4d/DPnSdBkjHzWWDx2c/PDGWIGnES6O7NYvRQ9Sr0 +bQwtr70nvai2OkpYVszVwOqyr4vDeTIt0GFKOMRDRrscVGmlGr2mpExiCEgGyAjR +Z/aZDCzEnsswfJ+6IARYzE5nB3+pbJnzQNvj9r/YL8T9HkWID4sWJnnNmaFoWEMF +m+yvI8vyVMGPSqfVtN9pEpx/pzV/Q525nFYuUlEsqGgaDydnwe6AV9gZsRyA+YjE +H3gI1gxGwRyupldmstzoYzTktb4o1KL/vGj/onUIk8mFKx8p1X9VPWW0+8LqnAYf +Ui3jDoXE/9avsF6ipS7y1k8ga81z01NOvuhai3c9pvMAIYrNTvoQVz8vTIOtJac1 +PEoU6jdm8blCt2UjGp8A4okBswQQAQgAHRYhBBPIKmO2A1dhVuMKTqDqmBtmsNln +BQJmV1HrAAoJEKDqmBtmsNlntoEMANBPdskGMrU4ZxHMlOTd1JX74ucp5jez0Y2o +bwlxOiWroraYVBnWT9v150kNf1Tb5mDxi820qebiSPZxhlI1Kj7NrPFNxQkhhNzN +7Xr/M9OGpkwxosEpcMAiWfofyAdrnwos+MA/edu/EoyVRs6zpo75nP9GKUZwVcjH +KtvPMojkZYpxjxsio0aK8LW8VwDtsbwPIXDIHzE7sxUvThrMdXumrh7gKqaC6gep +HZB2lL5ES0kVE3/yjZR1khmcmF1zELeC0IddJjX2R9HMcSLixdJ2V8/VFsWMb2KQ +pGtDzCuRyyxbugzBIxiGV2Xb7XwOByaikc1duqFv3gtk7Vk8wgQN3YwLkZ6pztlK +vCbqy2b2wlPviGjApQ2GVd6EEmlCk2gKPkjrn2lxS2BXWorM+ANSswJT+eILi9yW +Q5zzmYK2vFTzL7FAMeqS/671jNhZQ8O7jvbY/mRhl66k2MY7/JgI+coP0cY+HHr2 +ozw9yNdOZmnk2Prj7+mBuchbT3BJOQ== +=AgHy +-----END PGP PUBLIC KEY BLOCK----- +-----BEGIN PGP PUBLIC KEY BLOCK----- + +mQINBGZXO1wBEADEm061e/MGo2f7rpSqokI59in/egWbeQE26vwxB7vPu4e7j+cU +Vg3AezwCbf3nVRAE9DpJ+yuB0KVkM/0QszjOEEBuehZYJrUiwMyiY6jAk8xtqjpV +PsOMyZrypoJhwzg/sYNadUPw4UoHJ/xq4wNA2ZG9Xf0l8M3shYJPmKWLz/eefa5V +Ef/toQ7a55l0aJ7XyACTU6dv4bkHHqomDImK2C94s+KyCxaFyz6NgFz25V/j66Am +gB1m6UGGsvP4qYXW+KTsLz9XDvJeLLHWNcqQoyUO5Vs5C3hGozL7kEkyK/1qHcou +XXkeGN365z93ZeK+VdBZKJtsCswPk2wdDBByU9lAUNHYcLHf6S8fwCACeIqJ6LaY +MKmZUN2gR/boTyMERHEA8XnWXTDp7EsSNIc+LkU5AT8yesANcczH5k/XOI4hltJC +piEsSgg9V7FvO4eA2iQWGv/Y4nlUfw3lbRuRFvd7oqVQKlX4iIs++kVCCegBvtNA +1naxPbvTqrC4THvBSSZpOW/y/6XibAr/scCNNW1mEhwm5SPBHq9Sv35p6xKDTcgQ +8o3KLM8tKKt6kokAqlrXk9Nq6LYrZKwg5a9crFF7nCL2xgxZy1OJQVcPuhhZy5WT 
+WReE5RJdlF5VGRT9nMJ3B4Vlp5luQnMUFYXTAKQd6Cogbb99J4MjDttAlwARAQAB +tCtuZ2lueCBzaWduaW5nIGtleSA8c2lnbmluZy1rZXktM0BuZ2lueC5jb20+iQIi +BBMBCgAWBQJmVztcCRC83NijjYiiswIbAwIZAQAA9FMQAJ/e8F1egZGbRIV6qU/Q +bJD3EsKZZlitQSVXbBpxqDlkD+uzSFATGjiLGvJoTzfpJpJjI7FwrtO74lRkjCl9 +wQUNJ+wm2Kod6rEEQc6lWkDsgxpjqAAGVS0lmMf+VPBGQ+kc8S3ZdCOWEeq7nThZ +/xWR+UuQQcz1vCKmEgwTrr5MJVcqDg4wiH1Z4lRVfjTezf9IWk+xeE3mV8h7Ltbr +N5ZvOkiw88JLrbQsurxx+lYEaGIZyIk3huiDE/KpsMdw9KXUfoDcBqWc7oDjqKL+ +QEaq7TW6VetKyJaakP6Do+Opx0BtS3eH86PEZqtULEw9WifC86GtRr50iTXWBTfI +MFZo4AwigHXvZ5WrJvLfldY+scoU1rPMouYlZJ9W+6YHLjf/jpr4W1w6LKKXX3ah +h4VLtlOmrOLA21E7RQ0PwoE6nT7DAm1DsMFCXy7lyp3u5IXGahnJddWCb0Px3RTm +PZgOt+YAGJDsP46ngl5LxhilMK5f5R8v5n1lJ/XzFcXCEN4i/d8A1jx9DQx4CJN1 +wp/WZzJ6GjnCqMCdOBlQ2eNmhR+q1bAI79kSv86ahaM/aS1FvHMz8ppzwkRhv5jY +eR9aRlAwaCPOjbWhYJt/xveOWmxCdg5ta+Pj5g+41wHZyNf9aqR314aKwsxo2AYH +uUe+PgpsHbe1sQTkb/W1OfSCiQEzBBABCAAdFiEEcziXMGntP0Q/TTffpk/VsXrb +OagFAmZXO+kACgkQpk/VsXrbOajGgwf8CAXJwSIhGOWFSgV6vpvZPChTsgteZxhT +8NrJJLxL8X34Rw5YctSli4akkchTonm5RRp/SlvI2fPe0o6q2ymF4BASPJ/oSI3p +Gs/jwctHz8hwaVN0xQ4SBXgquIFWrLRNOjCxEV/vMRJRzuF9jrrdv3vxZEugETI+ +rnoEZu2Z2ZlMj7PPeiScf8dFXax67+Xi5S2KJCaXm1QGAJvttHrwsbBAIE9CVUg4 +UmXwADQ6HkOKjY+QS5AP8Ak1dg8/oadgyMqB4GrcE44KUpo4YafP37XnwXfQNKpk +Rb0bO9Qm9lM/LhPulBY8WIPkmrFCVhGTE6K5ZvI59R4nECHHx24/LYkBMwQQAQgA +HRYhBFc7/Ws9j7xkEHmmq6v1vYJ72b9iBQJmVzzzAAoJEKv1vYJ72b9iPPIIAJ5k +hTz2d7CaJefHzoraogKSIeBnA3OR+nDgdDl9Mp8i2WLGu9YYhIrPU0iSVw8jqa8t +GIjCw4/bS9HN8oub2Ip802xDLugCz1Yz6CXjCXN2rlNPsdBV8IIKNHOv93qMvnZS +DwyBUAvAs4XzF7zbYgfZ30B0gRI0g0+Nt44oDOn3PfO/kNUJyBVPT9m7l3JUHuZT +FPOD8a0oJPvW+iYlSkmPELBvgehsX7MVLoeQ5qtS1KkuWr+y1wqD5kxqabMPcfdU +jAr4ssXs/pSsYJVyS4CuUWkY4FiCJm4KtU+XPDs1RCTzMkW6HHgSebocTZzLETYw +XsDx80qd21UAdGc116qJAjMEEAEIAB0WIQTWeGzjA9mpAimY3GzIRk1UmvdcCgUC +ZldKYgAKCRDIRk1UmvdcCoG/D/9qLmHYOGnsmedUbgtLmuBJOuA6oqnaWxYI45eV ++vaAaI2+QfRoJTrjklTXv29Pi4LTzN5YBySSIkv/z9ry5Xsz5yroNY9Xb6JdrqOt +fLa/U0wddNuJbmIom4gUPXGInhHUBbP6mNz+s6e2ukBEWvb2XIsGe5v291QXMohQ 
+/PT8zTIwNYaw2zVF6Sa/0spA9/9XA5BdUcrtl7xPgYL7pLVmKYGJlCf5TOaWfLDJ +mIMeeUznVK9vK+vT+YqUPfFyIqO7dvio/+MRFjePoD6csT4UBT009ugy8vrYg2YR +K9uaRxP3laz9b6xdUM648ycUQLoI4fLhyKAHwPU9/Q+4rOFdrL72ZGVKzv1XOB0H +VXf0/E4JmJBydM7AyXHNxIPDtNFydosGn6VZsEvSPZdQSCsCeBs9UuBWgwFb1XBB +61XiHGnheb3U3ZRkajS1ZNdxfohHrBzHnd8tbDkv5Rq+XoUmDauoeM0VcN15hl4a +M/JzkeOrHuJicn3mg+HRHxQSCl3D37bVQT7O36n7cff22GykT7XQUBBxMlhKzygD +SgdQUtSEt0eu7AXIvr6yl0kobgZQS3wzUIaY0JEuv2ahtEXXjoPzCVWB2OHIpPbu +D58cpyyEVqr+ZecaI4HlaO9lVShf+K0rf/6DC12rC2gNzzv/fCIinDiqiMsPTfEM +fduRSYkBswQQAQgAHRYhBBPIKmO2A1dhVuMKTqDqmBtmsNlnBQJmV1HlAAoJEKDq +mBtmsNlnhI4L/0MHtfCZ2nuKTF/BkxJ7oB3Uule0tWiFj5SU97GjcVj1LgawGY7Y ++zoyEd6Twpl6H/+QkZBB55Bf8+cTzRbDzH1Og0fSORu0pGC0uxWdYu1sTLeTnn93 +mesXAvevHFNbsPchIWwsVJopTdzMWuAQS5hMMMtNb/14ZfnBadzhjvaJeH3DlZVK +0cGFp0qfbMfjr9yRJzQ1IkiXsS4G4uKg9T+KRsPr4+JalurWJgLnBXZGetNNjjUa +UCV1KZY/iWCAlZjkZ5z7yBRj5nUWLb5AVouEQPEDbn+i/0uEjukC+G6EMq2mgbrh +m0bFHbHAYBaf9EH0eP799HpoAx2aziDB5igAC516i3BnqxINI9mXHh92tU/H797I +oYZvpBsAHDWDHj6O74jwk5lXF5Qwri8gjA8aTudmuQX3uX4h0/FyGGQJW4/wWecH +/1fMuvHHyRtOSsJsheDwcSjrw5WlsyNjvSIbBPV2fIx60W2haVMUVX6CrxAeq44F +UYda9m8fOnaIew== +=TEOn -----END PGP PUBLIC KEY BLOCK----- From 182cdada229c0cd33f08f56af0ceb2130239fea1 Mon Sep 17 00:00:00 2001 From: Sophie Schiller Date: Fri, 21 Jun 2024 21:25:48 +0200 Subject: [PATCH 665/996] homeassistant metadata reshuffle --- nodes/sophie/sophie.homeassistant.toml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/nodes/sophie/sophie.homeassistant.toml b/nodes/sophie/sophie.homeassistant.toml index 321328c..5fc3f93 100644 --- a/nodes/sophie/sophie.homeassistant.toml +++ b/nodes/sophie/sophie.homeassistant.toml @@ -4,7 +4,9 @@ bundles = [ 'nginx', 'pyenv', ] -groups = ["debian-bookworm"] +groups = [ + "debian-bookworm", +] [metadata.interfaces.enp1s0] ips = [ From 9be31b88504c4a2546e719fa90e99c469bd6dc11 Mon Sep 17 00:00:00 2001 
From: Sophie Schiller
Date: Sat, 22 Jun 2024 00:51:33 +0200
Subject: [PATCH 666/996] homeassistant: use correct network interface

---
 bundles/homeassistant/items.py | 1 +
 nodes/sophie/sophie.homeassistant.toml | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/bundles/homeassistant/items.py b/bundles/homeassistant/items.py
index f7e5ea2..67042d1 100644
--- a/bundles/homeassistant/items.py
+++ b/bundles/homeassistant/items.py
@@ -7,6 +7,7 @@ else:
 users = {
 'homeassistant': {
 'home': '/var/opt/homeassistant',
+ "groups": ["dialout"],
 },
 }
diff --git a/nodes/sophie/sophie.homeassistant.toml b/nodes/sophie/sophie.homeassistant.toml
index 5fc3f93..3b2461d 100644
--- a/nodes/sophie/sophie.homeassistant.toml
+++ b/nodes/sophie/sophie.homeassistant.toml
@@ -8,7 +8,7 @@ groups = [
 "debian-bookworm",
 ]

-[metadata.interfaces.enp1s0]
+[metadata.interfaces.enp7s0]
 ips = [
 "172.19.164.3/24",
 ]
From d1f182607d58cc15c06a03f4a500464abe88780c Mon Sep 17 00:00:00 2001
From: Franziska Kunsmann
Date: Sat, 22 Jun 2024 20:04:51 +0200
Subject: [PATCH 667/996] rework netbox-dump script and routeros bundle for better usability

---
 bundles/routeros/metadata.py | 8 +-
 .../home.switch-rack.json} | 108 +++---
 scripts/netbox-dump | 350 +++++++++++-------
 3 files changed, 275 insertions(+), 191 deletions(-)
 rename configs/{netbox_device_home.switch-rack.json => netbox/home.switch-rack.json} (77%)

diff --git a/bundles/routeros/metadata.py b/bundles/routeros/metadata.py
index 72bc063..13230d6 100644
--- a/bundles/routeros/metadata.py
+++ b/bundles/routeros/metadata.py
@@ -26,7 +26,7 @@ defaults = {
 'routeros/vlans',
 )
 def get_ports_from_netbox_dump(metadata):
- with open(join(repo.path, 'configs', f'netbox_device_{node.name}.json')) as f:
+ with open(join(repo.path, 'configs', 'netbox', f'{node.name}.json')) as f:
 netbox = load(f)
 ips = {}
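Review bot: `"groups": ["dialout"]` is added inside the bundle's shared `users` dict, so every node that uses the `homeassistant` bundle now gets a service user with access to all serial devices, not just sophie.homeassistant which this commit is about; the reason is recorded nowhere, and a why-comment is the minimum, e.g. `# dialout: read/write on serial devices, needed for <purpose>` with the purpose filled in. If only some nodes need it, driving the group list from node metadata keeps the extra membership off the others. The value also uses double quotes while the neighbouring keys are single-quoted, and the `if`/`else` enclosing `users` begins before the hunk.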
@@ -45,7 +45,7 @@ def get_ports_from_netbox_dump(metadata): for ip in conf['ips']: ips[ip] = {'interface': port} - if conf['type'] == 'VIRTUAL': + if conf['type'].lower() == 'virtual': # these are VLAN interfaces (for management IPs) if conf['ips']: # this makes management services available in the VLAN @@ -77,6 +77,8 @@ def get_ports_from_netbox_dump(metadata): if conf.get('ips', []): ports[port]['ips'] = set(conf['ips']) if conf['type'] in ( + '1000base-t', + '10gbase-x-sfpp', 'A_1000BASE_T', 'A_10GBASE_X_SFPP', ): @@ -90,7 +92,7 @@ def get_ports_from_netbox_dump(metadata): # tagged - if conf['mode'] == 'TAGGED_ALL': + if conf['mode'] in ('TAGGED_ALL', 'tagged-all'): tagged = set(vlans.keys()) - {conf['untagged_vlan']} else: tagged = conf['tagged_vlans'] diff --git a/configs/netbox_device_home.switch-rack.json b/configs/netbox/home.switch-rack.json similarity index 77% rename from configs/netbox_device_home.switch-rack.json rename to configs/netbox/home.switch-rack.json index 9e3159d..e5da349 100644 --- a/configs/netbox_device_home.switch-rack.json +++ b/configs/netbox/home.switch-rack.json 
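Review bot: The three hunks at -45, -77 and -90 normalise the dumped Netbox values in three different ways: `conf['type'].lower() == 'virtual'` lower-cases, the `conf['type'] in (...)` tuple lists both the old `A_1000BASE_T` and new `1000base-t` spellings, and `conf['mode'] in ('TAGGED_ALL', 'tagged-all')` enumerates both spellings again. Normalising once at the top of the loop body, e.g. `port_type = conf['type'].lower()` and `mode = (conf['mode'] or '').lower()`, and then comparing only against the new lowercase strings keeps the accepted spellings in one place and lets the uppercase legacy constants be dropped once all dumps under configs/netbox are regenerated. Note that `.lower()` on `conf['type']` would raise AttributeError if a dump ever contains `null` for `type`, whereas `mode` is already allowed to be empty by the earlier `not conf['mode']` guard; a short comment stating that `type` is always a string in the dump would document that assumption. The enclosing function get_ports_from_netbox_dump begins before the first hunk and continues past the last one.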
@@ -4,225 +4,225 @@ "description": "home.router (enp1s0)", "enabled": true, "ips": [], - "mode": "TAGGED_ALL", + "mode": "tagged-all", "tagged_vlans": [], - "type": "A_1000BASE_T", + "type": "1000base-t", "untagged_vlan": null }, "ether10": { "description": "home.mitel-rfp35 (LAN)", "enabled": true, "ips": [], - "mode": "ACCESS", + "mode": "access", "tagged_vlans": [], - "type": "A_1000BASE_T", + "type": "1000base-t", "untagged_vlan": "home.clients" }, "ether11": { "description": "home.usv01 (LAN)", "enabled": true, "ips": [], - "mode": "ACCESS", + "mode": "access", "tagged_vlans": [], - "type": "A_1000BASE_T", + "type": "1000base-t", "untagged_vlan": "home.clients" }, "ether12": { "description": "home.rechenmonster (IPMI)", "enabled": true, "ips": [], - "mode": "ACCESS", + "mode": "access", "tagged_vlans": [], - "type": "A_1000BASE_T", + "type": "1000base-t", "untagged_vlan": "home.clients" }, "ether13": { "description": "", "enabled": true, "ips": [], - "mode": "ACCESS", + "mode": "access", "tagged_vlans": [], - "type": "A_1000BASE_T", + "type": "1000base-t", "untagged_vlan": "home.clients" }, "ether14": { "description": "home.rechenmonster (LAN)", "enabled": true, "ips": [], - "mode": "ACCESS", + "mode": "access", "tagged_vlans": [], - "type": "A_1000BASE_T", + "type": "1000base-t", "untagged_vlan": "home.clients" }, "ether15": { "description": "", "enabled": true, "ips": [], - "mode": "ACCESS", + "mode": "access", "tagged_vlans": [], - "type": "A_1000BASE_T", + "type": "1000base-t", "untagged_vlan": "home.clients" }, "ether16": { "description": "", "enabled": true, "ips": [], - "mode": "ACCESS", + "mode": "access", "tagged_vlans": [], - "type": "A_1000BASE_T", + "type": "1000base-t", "untagged_vlan": "home.clients" }, "ether17": { "description": "", "enabled": true, "ips": [], - "mode": "ACCESS", + "mode": "access", "tagged_vlans": [], - "type": "A_1000BASE_T", + "type": "1000base-t", "untagged_vlan": "home.clients" }, "ether18": { "description": "", "enabled": 
true, "ips": [], - "mode": "ACCESS", + "mode": "access", "tagged_vlans": [], - "type": "A_1000BASE_T", + "type": "1000base-t", "untagged_vlan": "home.clients" }, "ether19": { "description": "home.lgtv-wohnzimmer", "enabled": true, "ips": [], - "mode": "ACCESS", + "mode": "access", "tagged_vlans": [], - "type": "A_1000BASE_T", + "type": "1000base-t", "untagged_vlan": "home.clients" }, "ether2": { "description": "Fritz!Box (LAN1)", "enabled": true, "ips": [], - "mode": "ACCESS", + "mode": "access", "tagged_vlans": [], - "type": "A_1000BASE_T", + "type": "1000base-t", "untagged_vlan": "home.wan" }, "ether20": { "description": "Franzi Laptop", "enabled": true, "ips": [], - "mode": "ACCESS", + "mode": "access", "tagged_vlans": [], - "type": "A_1000BASE_T", + "type": "1000base-t", "untagged_vlan": "home.clients" }, "ether21": { "description": "Sophie Laptop", "enabled": true, "ips": [], - "mode": "ACCESS", + "mode": "access", "tagged_vlans": [], - "type": "A_1000BASE_T", + "type": "1000base-t", "untagged_vlan": "home.clients" }, "ether22": { "description": "Sophie Desktop", "enabled": true, "ips": [], - "mode": "ACCESS", + "mode": "access", "tagged_vlans": [], - "type": "A_1000BASE_T", + "type": "1000base-t", "untagged_vlan": "home.clients" }, "ether23": { "description": "Wohnzimmer Kabel", "enabled": true, "ips": [], - "mode": "ACCESS", + "mode": "access", "tagged_vlans": [], - "type": "A_1000BASE_T", + "type": "1000base-t", "untagged_vlan": "home.clients" }, "ether24": { "description": "home.snom-wohnzimmer", "enabled": true, "ips": [], - "mode": "ACCESS", + "mode": "access", "tagged_vlans": [], - "type": "A_1000BASE_T", + "type": "1000base-t", "untagged_vlan": "home.clients" }, "ether3": { "description": "home.aruba325-schlafzimmer", "enabled": true, "ips": [], - "mode": "TAGGED", + "mode": "tagged", "tagged_vlans": [ "ffwi.client", "home.v6only" ], - "type": "A_1000BASE_T", + "type": "1000base-t", "untagged_vlan": "home.clients" }, "ether4": { "description": 
"home.aruba325-wohnzimmer", "enabled": true, "ips": [], - "mode": "TAGGED", + "mode": "tagged", "tagged_vlans": [ "ffwi.client", "home.v6only" ], - "type": "A_1000BASE_T", + "type": "1000base-t", "untagged_vlan": "home.clients" }, "ether5": { "description": "home.nas (eno1)", "enabled": true, "ips": [], - "mode": "TAGGED_ALL", + "mode": "tagged-all", "tagged_vlans": [], - "type": "A_1000BASE_T", + "type": "1000base-t", "untagged_vlan": null }, "ether6": { "description": "home.aruba325-office", "enabled": true, "ips": [], - "mode": "TAGGED", + "mode": "tagged", "tagged_vlans": [ "ffwi.client", "home.v6only" ], - "type": "A_1000BASE_T", + "type": "1000base-t", "untagged_vlan": "home.clients" }, "ether7": { "description": "RIPE-Probe #28280 (LAN)", "enabled": true, "ips": [], - "mode": "ACCESS", + "mode": "access", "tagged_vlans": [], - "type": "A_1000BASE_T", + "type": "1000base-t", "untagged_vlan": "home.dmz" }, "ether8": { "description": "home.drucker-sophie", "enabled": true, "ips": [], - "mode": "ACCESS", + "mode": "access", "tagged_vlans": [], - "type": "A_1000BASE_T", + "type": "1000base-t", "untagged_vlan": "home.clients" }, "ether9": { "description": "info-beamer 12199 (LAN)", "enabled": true, "ips": [], - "mode": "ACCESS", + "mode": "access", "tagged_vlans": [], - "type": "A_1000BASE_T", + "type": "1000base-t", "untagged_vlan": "home.clients" }, "home.clients": { @@ -231,27 +231,27 @@ "ips": [ "172.19.138.4/24" ], - "mode": null, + "mode": "", "tagged_vlans": [], - "type": "VIRTUAL", + "type": "virtual", "untagged_vlan": null }, "sfp-sfpplus1": { "description": "", "enabled": true, "ips": [], - "mode": null, + "mode": "", "tagged_vlans": [], - "type": "A_10GBASE_X_SFPP", + "type": "10gbase-x-sfpp", "untagged_vlan": null }, "sfp-sfpplus2": { "description": "", "enabled": true, "ips": [], - "mode": null, + "mode": "", "tagged_vlans": [], - "type": "A_10GBASE_X_SFPP", + "type": "10gbase-x-sfpp", "untagged_vlan": null } }, 
diff --git a/scripts/netbox-dump b/scripts/netbox-dump
index f3c79a6..8486653 100755
--- a/scripts/netbox-dump
+++ b/scripts/netbox-dump
@@ -1,158 +1,240 @@ #!/usr/bin/env python3 +from argparse import ArgumentParser from json import dump -from os import environ -from os.path import dirname, join +from os import environ, makedirs, remove, scandir +from os.path import abspath, dirname, join from sys import exit import bwpass from requests import post -from bundlewrap.utils.text import validate_name +from bundlewrap.utils.text import bold, red, validate_name +from bundlewrap.utils.ui import io TOKEN = environ.get("NETBOX_AUTH_TOKEN") - -# editorconfig-checker-disable -QUERY = """{ - device_list(tag: "bundlewrap") { - name - site { - id - } - interfaces { - id - name - enabled - description - mode - type - ip_addresses { - address - } - untagged_vlan { - name - } - tagged_vlans { - name - } - link_peers { - ... on InterfaceType { - name - device { - name - } - } - ... on FrontPortType { - name - device { - name - } - } - } - connected_endpoints { - ... on InterfaceType { - name - device { - name - } - } - } - } - } - site_list { - id - vlans { - name - vid - } - } -}""" -# editorconfig-checker-enable - if not TOKEN: try: TOKEN = bwpass.attr("netbox.franzi.business/kunsi", "token") except Exception: - print("NETBOX_AUTH_TOKEN is missing") + print("NETBOX_AUTH_TOKEN missing") exit(1) -r = post( - "https://netbox.franzi.business/graphql/", - headers={ - "Accept": "application/json", - "Authorization": f"Token {TOKEN}", - }, - json={ - "query": QUERY, - }, -) -r.raise_for_status() +TARGET_PATH = join(dirname(dirname(abspath(__file__))), "configs", "netbox") -data = r.json()["data"] - -site_vlans = {site["id"]: site["vlans"] for site in data["site_list"]} - -for device in data["device_list"]: - if not device["name"] or not validate_name(device["name"]): - # invalid node name, ignore - continue - - result = { - "interfaces": {}, - "vlans": site_vlans[device["site"]["id"]], +QUERY_SITES = """{ + site_list { + name + id + vlans { + name + vid + } } +}""" - for interface in device["interfaces"]: - description = 
"" - peers = None +QUERY_DEVICES = """{ + device_list(filters: {tag: "bundlewrap", site_id: "SITE_ID"}) { + name + id + } +}""" - if interface["connected_endpoints"]: - peers = interface["connected_endpoints"] - elif interface["link_peers"]: - peers = interface["link_peers"] +QUERY_DEVICE_DETAILS = """{ + device(id: DEVICE_ID) { + name + interfaces { + id + name + enabled + description + mode + type + ip_addresses { + address + } + untagged_vlan { + name + } + tagged_vlans { + name + } + link_peers { + ... on InterfaceType { + name + device { + name + } + } + ... on FrontPortType { + name + device { + name + } + } + } + connected_endpoints { + ... on InterfaceType { + name + device { + name + } + } + } + } + } +}""" - if interface["description"]: - description = interface["description"] - elif peers: - peer_list = set() - for i in peers: - peer_list.add( - "{} ({})".format( - i["device"]["name"], - i["name"], - ) +def graphql(query): + r = post( + "https://netbox.franzi.business/graphql/", + headers={ + "Accept": "application/json", + "Authorization": f"Token {TOKEN}", + }, + json={ + "query": query, + }, + ) + r.raise_for_status() + return r.json()["data"] + + +def filter_results(results, filter_by): + if filter_by is None: + return results + + out = [] + for result in results: + if str(result["id"]) in filter_by or result["name"] in filter_by: + out.append(result) + return out + + +parser = ArgumentParser() +parser.add_argument("--only-site", nargs="+", type=str) +parser.add_argument("--only-device", nargs="+", type=str) +args = parser.parse_args() + +try: + io.activate() + filenames_used = set() + + with io.job("getting sites"): + sites = filter_results( + graphql(QUERY_SITES).get("site_list", []), args.only_site + ) + + io.stdout(f"Processing {len(sites)} sites in total") + + for site in sites: + with io.job(f"{bold(site['name'])} getting devices"): + devices = filter_results( + graphql(QUERY_DEVICES.replace("SITE_ID", site["id"])).get( + "device_list", [] + ), 
+ args.only_device, + ) + io.stdout(f"Site {bold(site['name'])} has {len(devices)} devices to process") + + for device in devices: + if not device["name"] or not validate_name(device["name"]): + # invalid node name, ignore + continue + + with io.job( + f"{bold(site['name'])} {bold(device['name'])} getting interfaces" + ): + details = graphql( + QUERY_DEVICE_DETAILS.replace("DEVICE_ID", device["id"]) + )["device"] + + result = { + "interfaces": {}, + "vlans": site["vlans"], + } + + for interface in details["interfaces"]: + peers = None + + if interface["connected_endpoints"]: + peers = interface["connected_endpoints"] + elif interface["link_peers"]: + peers = interface["link_peers"] + + if interface["description"]: + description = interface["description"] + elif peers: + peer_list = set() + + for i in peers: + peer_list.add( + "{} ({})".format( + i["device"]["name"], + i["name"], + ) + ) + + description = "; ".join(sorted(peer_list)) + else: + description = "" + + assert description.isascii() + + result["interfaces"][interface["name"]] = { + "description": description, + "enabled": interface["enabled"], + "mode": interface["mode"], + "type": interface["type"], + "ips": sorted( + {i["address"] for i in interface["ip_addresses"]} + ), + "untagged_vlan": ( + interface["untagged_vlan"]["name"] + if interface["untagged_vlan"] + else None + ), + "tagged_vlans": sorted( + {v["name"] for v in interface["tagged_vlans"]} + ), + } + + if result["interfaces"]: + filename = f"{device['name']}.json" + filenames_used.add(filename) + file_with_path = join(TARGET_PATH, filename) + + with io.job( + f"{bold(site['name'])} {bold(device['name'])} writing to {file_with_path}" + ): + with open( + file_with_path, + "w+", + ) as f: + dump( + result, + f, + indent=4, + sort_keys=True, + ) + else: + io.stdout( + f"device {bold(device['name'])} has no interfaces, {red('not')} dumping!" 
) - description = "; ".join(sorted(peer_list)) - else: - description = "" - - assert description.isascii() - - result["interfaces"][interface["name"]] = { - "description": description, - "enabled": interface["enabled"], - "mode": interface["mode"], - "type": interface["type"], - "ips": sorted({i['address'] for i in interface['ip_addresses']}), - "untagged_vlan": interface["untagged_vlan"]["name"] - if interface["untagged_vlan"] - else None, - "tagged_vlans": sorted({v["name"] for v in interface["tagged_vlans"]}), - } - - with open( - join( - dirname(dirname(__file__)), - "configs", - "netbox_device_{}.json".format(device["name"]), - ), - "w+", - ) as f: - dump( - result, - f, - indent=4, - sort_keys=True, - ) + if not args.only_site and not args.only_device and filenames_used: + with io.job(f"cleaning leftover files from {TARGET_PATH}"): + for direntry in scandir(TARGET_PATH): + filename = direntry.name + if filename.startswith("."): + continue + if not direntry.is_file(): + io.stderr( + f"found non-file (unknown) in {TARGET_PATH}, please check what's going on!" + ) + continue + if filename not in filenames_used: + remove(join(TARGET_PATH, filename)) +finally: + io.deactivate() From b72d82b894f4ffaa423e3b8e75ab810e92ae89b5 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sat, 22 Jun 2024 20:39:04 +0200 Subject: [PATCH 668/996] bundles/routeros: this does not need to be a metadata reactor --- bundles/routeros/metadata.py | 177 +++++++++++++++++------------------ 1 file changed, 84 insertions(+), 93 deletions(-) diff --git a/bundles/routeros/metadata.py b/bundles/routeros/metadata.py index 13230d6..ca7979f 100644 --- a/bundles/routeros/metadata.py +++ b/bundles/routeros/metadata.py 
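Review bot: `makedirs` is added to the `from os import ...` line but never used, and nothing creates `configs/netbox` before `open(file_with_path, "w+")`, so on a checkout where the directory does not yet exist the first device write fails with FileNotFoundError; `makedirs(TARGET_PATH, exist_ok=True)` directly after the `TARGET_PATH` assignment fixes it. `graphql()` returns `r.json()["data"]` without inspecting the `errors` key, so a rejected query or a permission problem surfaces as a KeyError/TypeError at the call site instead of the server's message (GraphQL endpoints typically answer 200 with `data: null` plus `errors`). Splicing `site["id"]`/`device["id"]` into the query text with `str.replace` is safe only because the ids come from the previous response; GraphQL variables (`"variables": {...}` in the POST body with a matching `query($id: ...)` declaration whose type must match NetBox's schema) are the idiomatic form and remove the textual `SITE_ID`/`DEVICE_ID` placeholders. `assert description.isascii()` is carried over from the old script; it is stripped under `python -O`, so `if not description.isascii(): raise ValueError(...)` would be the durable check.

```python
TARGET_PATH = join(dirname(dirname(abspath(__file__))), "configs", "netbox")
makedirs(TARGET_PATH, exist_ok=True)

# … unchanged: QUERY_SITES / QUERY_DEVICES / QUERY_DEVICE_DETAILS …


def graphql(query, variables=None):
    """POST one GraphQL document to NetBox and return its ``data`` payload.

    Raises RuntimeError when the response carries an ``errors`` list, since
    the HTTP status alone does not signal a failed query.
    """
    r = post(
        "https://netbox.franzi.business/graphql/",
        headers={
            "Accept": "application/json",
            "Authorization": f"Token {TOKEN}",
        },
        json={"query": query, "variables": variables or {}},
    )
    r.raise_for_status()
    body = r.json()
    if body.get("errors"):
        raise RuntimeError(f"GraphQL request failed: {body['errors']}")
    return body["data"]
```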
@@ -2,6 +2,85 @@ import re from json import load from os.path import join + +with open(join(repo.path, 'configs', 'netbox', f'{node.name}.json')) as f: + netbox = load(f) + +ips = {} +ports = {} +vlans = { + v['name']: { + 'id': v['vid'], + 'delete': False, + 'tagged': set(), + 'untagged': set(), + } + for v in netbox['vlans'] +} + +for port, conf in netbox['interfaces'].items(): + for ip in conf['ips']: + ips[ip] = {'interface': port} + + if conf['type'].lower() == 'virtual': + # these are VLAN interfaces (for management IPs) + if conf['ips']: + # this makes management services available in the VLAN + try: + vlans[port]['tagged'].add('bridge') + except KeyError: + raise ValueError( + f'name of virtual interface "{port}" on {node.name} ' + f'matches none of the known VLANs: {list(vlans.keys())} ' + '(you probably need to rename the interface in Netbox ' + 'and/or run netbox-dump)' + ) + # We do not create the actual VLAN interface here, that + # happens automatically in items.py. + continue + elif not conf['enabled'] or not conf['mode']: + # disable unconfigured ports + ports[port] = { + 'disabled': True, + 'description': conf.get('description', ''), + } + # dont add vlans for this port + continue + else: + ports[port] = { + 'disabled': False, + 'description': conf.get('description', ''), + } + if conf.get('ips', []): + ports[port]['ips'] = set(conf['ips']) + if conf['type'] in ( + '1000base-t', + '10gbase-x-sfpp', + 'A_1000BASE_T', + 'A_10GBASE_X_SFPP', + ): + ports[port]['hw'] = True + + if conf['untagged_vlan']: + vlans[conf['untagged_vlan']]['untagged'].add(port) + if conf['ips']: + # this makes management services available in the VLAN + vlans[conf['untagged_vlan']]['tagged'].add('bridge') + + # tagged + + if conf['mode'] in ('TAGGED_ALL', 'tagged-all'): + tagged = set(vlans.keys()) - {conf['untagged_vlan']} + else: + tagged = conf['tagged_vlans'] + + for vlan in tagged: + vlans[vlan]['tagged'].add(port) + + # this makes management services available in the 
VLAN + if conf['ips']: + vlans[vlan]['tagged'].add('bridge') + defaults = { 'icinga2_api': { 'routeros': { 
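Review bot: Moving the dump parsing to module level means the `open(join(repo.path, 'configs', 'netbox', f'{node.name}.json'))` at the top of this hunk now runs whenever bundlewrap loads this metadata.py, presumably for every node that has the routeros bundle, and a node whose dump has not been generated yet fails with a bare FileNotFoundError from deep inside metadata loading rather than the actionable message the in-loop KeyError handler already gives for unknown VLAN names. Catching FileNotFoundError and re-raising with the node name and the `scripts/netbox-dump` hint makes the failure self-explaining; the same consideration applies to the second hunk at -17,102 of this file, which only wires `ips`/`ports`/`vlans` into `defaults`. A short comment on `'delete': False` naming which items.py consumer reads that key would also help, since nothing in this file sets it to anything else.

```python
# Module-level code runs whenever bundlewrap loads this metadata.py, so a
# missing dump must fail with an actionable message rather than a raw
# FileNotFoundError from inside metadata processing.
try:
    with open(join(repo.path, 'configs', 'netbox', f'{node.name}.json')) as f:
        netbox = load(f)
except FileNotFoundError:
    raise ValueError(
        f'no netbox dump found for {node.name}, run scripts/netbox-dump first'
    ) from None

# … unchanged: ips / ports / vlans construction …
```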
@@ -17,102 +96,14 @@ defaults = { }, }, }, + 'routeros': { + 'ips': ips, + 'ports': ports, + 'vlans': vlans, + }, } -@metadata_reactor.provides( - 'routeros/ips', - 'routeros/ports', - 'routeros/vlans', -) -def get_ports_from_netbox_dump(metadata): - with open(join(repo.path, 'configs', 'netbox', f'{node.name}.json')) as f: - netbox = load(f) - - ips = {} - ports = {} - vlans = { - v['name']: { - 'id': v['vid'], - 'delete': False, - 'tagged': set(), - 'untagged': set(), - } - for v in netbox['vlans'] - } - - for port, conf in netbox['interfaces'].items(): - for ip in conf['ips']: - ips[ip] = {'interface': port} - - if conf['type'].lower() == 'virtual': - # these are VLAN interfaces (for management IPs) - if conf['ips']: - # this makes management services available in the VLAN - try: - vlans[port]['tagged'].add('bridge') - except KeyError: - raise ValueError( - f'name of virtual interface "{port}" on {node.name} ' - f'matches none of the known VLANs: {list(vlans.keys())} ' - '(you probably need to rename the interface in Netbox ' - 'and/or run netbox-dump)' - ) - # We do not create the actual VLAN interface here, that - # happens automatically in items.py. 
- continue - elif not conf['enabled'] or not conf['mode']: - # disable unconfigured ports - ports[port] = { - 'disabled': True, - 'description': conf.get('description', ''), - } - # dont add vlans for this port - continue - else: - ports[port] = { - 'disabled': False, - 'description': conf.get('description', ''), - } - if conf.get('ips', []): - ports[port]['ips'] = set(conf['ips']) - if conf['type'] in ( - '1000base-t', - '10gbase-x-sfpp', - 'A_1000BASE_T', - 'A_10GBASE_X_SFPP', - ): - ports[port]['hw'] = True - - if conf['untagged_vlan']: - vlans[conf['untagged_vlan']]['untagged'].add(port) - if conf['ips']: - # this makes management services available in the VLAN - vlans[conf['untagged_vlan']]['tagged'].add('bridge') - - # tagged - - if conf['mode'] in ('TAGGED_ALL', 'tagged-all'): - tagged = set(vlans.keys()) - {conf['untagged_vlan']} - else: - tagged = conf['tagged_vlans'] - - for vlan in tagged: - vlans[vlan]['tagged'].add(port) - - # this makes management services available in the VLAN - if conf['ips']: - vlans[vlan]['tagged'].add('bridge') - - return { - 'routeros': { - 'ips': ips, - 'ports': ports, - 'vlans': vlans, - } - } - - @metadata_reactor.provides('routeros/gateway') def gateway(metadata): ip_pattern = re.compile(r'(\d{1,3}\.\d{1,3}\.\d{1,3}\.)\d{1,3}') From 668ae0432be77bf5fcf954c3046bcb4f19b4919f Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 23 Jun 2024 14:52:09 +0200 Subject: [PATCH 669/996] htz-hel.backup-kunsi: remove backup target for kunsi-t470 --- nodes/htz-hel/backup-kunsi.py | 16 ---------------- 1 file changed, 16 deletions(-) diff --git a/nodes/htz-hel/backup-kunsi.py b/nodes/htz-hel/backup-kunsi.py index be66592..6db104e 100644 --- a/nodes/htz-hel/backup-kunsi.py +++ b/nodes/htz-hel/backup-kunsi.py 
@@ -32,22 +32,6 @@ nodes['htz-hel.backup-kunsi'] = { 'encrypted-devices': { '/dev/disk/by-id/scsi-0QEMU_QEMU_HARDDISK_drive-scsi1-part1': bwpass.password('bw/backup-kunsi/encryption-passphrase'), }, - 'clients': { - 'kunsi-t470': { - 'user': 'kunsi-t470', - 'exclude_from_monitoring': True, - 'retain': { - 'daily': 30, - 'weekly': 6, - 'monthly': 12, - }, - }, - }, - }, - 'openssh': { - 'allowed_users': { - 'kunsi-t470', # backup user - }, }, }, } From 791eb8d1a9e4ee4cc78f9f144b701c9f038a3404 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Tue, 25 Jun 2024 17:10:32 +0200 Subject: [PATCH 670/996] bump netbox-dump --- configs/netbox/home.switch-rack.json | 10 +++++----- nodes/sophie/sophie.homeassistant.toml | 2 +- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/configs/netbox/home.switch-rack.json b/configs/netbox/home.switch-rack.json index e5da349..1792a8b 100644 --- a/configs/netbox/home.switch-rack.json +++ b/configs/netbox/home.switch-rack.json @@ -28,7 +28,7 @@ "untagged_vlan": "home.clients" }, "ether12": { - "description": "home.rechenmonster (IPMI)", + "description": "", "enabled": true, "ips": [], "mode": "access", @@ -46,7 +46,7 @@ "untagged_vlan": "home.clients" }, "ether14": { - "description": "home.rechenmonster (LAN)", + "description": "", "enabled": true, "ips": [], "mode": "access", @@ -118,7 +118,7 @@ "untagged_vlan": "home.clients" }, "ether21": { - "description": "Sophie Laptop", + "description": "", "enabled": true, "ips": [], "mode": "access", @@ -127,7 +127,7 @@ "untagged_vlan": "home.clients" }, "ether22": { - "description": "Sophie Desktop", + "description": "Arbeitsplatz Regal", "enabled": true, "ips": [], "mode": "access", @@ -208,7 +208,7 @@ "untagged_vlan": "home.dmz" }, "ether8": { - "description": "home.drucker-sophie", + "description": "home.drucker-franzi", "enabled": true, "ips": [], "mode": "access", 
diff --git a/nodes/sophie/sophie.homeassistant.toml b/nodes/sophie/sophie.homeassistant.toml index 3b2461d..42e25d0 100644 --- a/nodes/sophie/sophie.homeassistant.toml +++ b/nodes/sophie/sophie.homeassistant.toml @@ -5,7 +5,7 @@ bundles = [ 'pyenv', ] groups = [ - "debian-bookworm", + "debian-bookworm", ] [metadata.interfaces.enp7s0] From 67198c5fd975bf3d2d996baa001424cfd1818551 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Tue, 25 Jun 2024 17:32:24 +0200 Subject: [PATCH 671/996] bundles/grafana: needs websockets --- bundles/grafana/metadata.py | 1 + 1 file changed, 1 insertion(+) diff --git a/bundles/grafana/metadata.py b/bundles/grafana/metadata.py index 2f0f4d7..f27cb81 100644 --- a/bundles/grafana/metadata.py +++ b/bundles/grafana/metadata.py @@ -43,6 +43,7 @@ def nginx(metadata): 'locations': { '/': { 'target': 'http://127.0.0.1:21010', + 'websockets': True, }, '/api/ds/query': { 'target': 'http://127.0.0.1:21010', From 101928339fc3d0ed38a62ff02242f54a2cc67718 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Wed, 26 Jun 2024 07:11:44 +0200 Subject: [PATCH 672/996] bundles/powerdns: fix SyntaxWarning --- bundles/powerdns/items.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/bundles/powerdns/items.py b/bundles/powerdns/items.py index 8d9ab85..a0c89d2 100644 --- a/bundles/powerdns/items.py +++ b/bundles/powerdns/items.py @@ -65,7 +65,7 @@ svc_systemd = { actions = { 'powerdns_reload_zones': { 'triggered': True, - 'command': 'pdns_control rediscover; pdns_control reload; pdns_control notify \*', + 'command': r'pdns_control rediscover; pdns_control reload; pdns_control notify \*', 'after': { 'svc_systemd:pdns', }, 
@@ -160,7 +160,7 @@ if node.metadata.get('powerdns/features/pgsql', node.has_bundle('postgresql')): actions['powerdns_load_pgsql_schema'] = { 'command': node.metadata.get('postgresql/roles/powerdns/password').format_into('PGPASSWORD={} psql -h 127.0.0.1 -d powerdns -U powerdns -w < /usr/share/pdns-backend-pgsql/schema/schema.pgsql.sql'), - 'unless': 'sudo -u postgres psql -d powerdns -c "\dt" | grep domains 2>&1 >/dev/null', + 'unless': r'sudo -u postgres psql -d powerdns -c "\dt" | grep domains 2>&1 >/dev/null', 'needs': { 'bundle:postgresql', 'pkg_apt:pdns-backend-pgsql', From 79bb4169a72d28441414104b211aa7efe1b55550 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Mon, 1 Jul 2024 11:34:36 +0200 Subject: [PATCH 673/996] ns-mephisto: new ip config --- nodes/ns-mephisto.toml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/nodes/ns-mephisto.toml b/nodes/ns-mephisto.toml index 88f253e..a4494fa 100644 --- a/nodes/ns-mephisto.toml +++ b/nodes/ns-mephisto.toml @@ -11,11 +11,11 @@ groups = [ [metadata.interfaces.ens192] ips = [ - "82.165.52.168", - "2001:8d8:1801:7d4::1/64", + "82.165.52.168/32", + "2a01:239:31c:9b00::1/80" ] -gateway4 = "10.255.255.1" -gateway6 = "fe80::250:56ff:fea8:628f" +gateway4 = "82.165.52.1" +gateway6 = "fe80::1" [metadata.nginx.vhosts.powerdnsadmin] domain = "ns-mephisto.kunbox.net" From b3ab18a32cb48e3bfdf525821c08963c152b15bd Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Mon, 1 Jul 2024 17:17:30 +0200 Subject: [PATCH 674/996] bundles/nginx: don't cache stuff when running through php --- bundles/nginx/files/site_template | 2 ++ 1 file changed, 2 insertions(+) diff --git a/bundles/nginx/files/site_template b/bundles/nginx/files/site_template index a60b79e..a967893 100644 --- a/bundles/nginx/files/site_template +++ b/bundles/nginx/files/site_template 
@@ -201,6 +201,8 @@ server { fastcgi_hide_header X-XSS-Protection; % endif fastcgi_hide_header Permissions-Policy; + fastcgi_request_buffering off; + proxy_buffering off; } % if not max_body_size: client_max_body_size 5M; From 4736e3b2818ee798439e7a768a5c0e998a9cad6d Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Thu, 4 Jul 2024 11:43:43 +0200 Subject: [PATCH 675/996] update travelynx to 2.7.6 --- nodes/carlene.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nodes/carlene.toml b/nodes/carlene.toml index 3b16b54..b4ab1b3 100644 --- a/nodes/carlene.toml +++ b/nodes/carlene.toml @@ -255,7 +255,7 @@ disks = [ ] [metadata.travelynx] -version = "2.6.9" +version = "2.7.6" mail_from = "travelynx@franzi.business" domain = "travelynx.franzi.business" From ce44926920d6f013a445f098e3664acf86fac8b5 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sat, 6 Jul 2024 09:44:41 +0200 Subject: [PATCH 676/996] update forgejo to 7.0.5 --- nodes/carlene.toml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/nodes/carlene.toml b/nodes/carlene.toml index b4ab1b3..5d7ea06 100644 --- a/nodes/carlene.toml +++ b/nodes/carlene.toml @@ -49,8 +49,8 @@ defaultCountryCode = "DE" jitsi.preferredDomain = "meet.ffmuc.net" [metadata.forgejo] -version = "7.0.4" -sha1 = "2ca8a4b6d9abae666b84a3b03a5c017f4a774651" +version = "7.0.5" +sha1 = "8dc0526cdd886d5bc96ce96841202c2800029e68" domain = "git.franzi.business" enable_git_hooks = true install_ssh_key = true From fc4aaf4abb0ea7dd2ae259f2faa2b98ef8434212 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sat, 6 Jul 2024 09:44:57 +0200 Subject: [PATCH 677/996] update netbox to 4.0.6 --- nodes/carlene.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nodes/carlene.toml b/nodes/carlene.toml index 5d7ea06..0908fa4 100644 --- a/nodes/carlene.toml +++ b/nodes/carlene.toml 
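Review bot: `proxy_buffering off;` has no effect in this block: the surrounding directives are all `fastcgi_*` (`fastcgi_hide_header`, and `fastcgi_request_buffering` on the line just above), so this is presumably a `fastcgi_pass` location, where response buffering is controlled by `fastcgi_buffering off;` instead. The added request-side line is right; the response-side line should be `fastcgi_buffering off;` for the commit message's intent to hold, and a one-line comment such as `# stream PHP request/response bodies instead of spooling them` would record why buffering is disabled here. The enclosing `location` block starts before this hunk.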
@@ -125,7 +125,7 @@ domain = "rss.franzi.business" [metadata.netbox] domain = "netbox.franzi.business" -version = "v4.0.5" +version = "v4.0.6" admins.kunsi = "hostmaster@kunbox.net" [metadata.nextcloud] From c0b3db55ec2460ab9c152c4a409fe9e4688e33b4 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sat, 6 Jul 2024 09:45:18 +0200 Subject: [PATCH 678/996] update travelynx to 2.7.7 --- nodes/carlene.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nodes/carlene.toml b/nodes/carlene.toml index 0908fa4..a8dfbcc 100644 --- a/nodes/carlene.toml +++ b/nodes/carlene.toml @@ -255,7 +255,7 @@ disks = [ ] [metadata.travelynx] -version = "2.7.6" +version = "2.7.7" mail_from = "travelynx@franzi.business" domain = "travelynx.franzi.business" From 6e677a7a0b738d3a25aa80ce454aa50e86524d17 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sat, 6 Jul 2024 09:45:41 +0200 Subject: [PATCH 679/996] update paperless-ngx to 2.10.2 --- nodes/home/paperless.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nodes/home/paperless.py b/nodes/home/paperless.py index 8a0a8d4..f6820f6 100644 --- a/nodes/home/paperless.py +++ b/nodes/home/paperless.py @@ -42,7 +42,7 @@ nodes['home.paperless'] = { }, 'paperless': { 'domain': 'paperless.home.kunbox.net', - 'version': 'v2.10.0', + 'version': 'v2.10.2', 'timezone': 'Europe/Berlin', }, 'postgresql': { From ced6479b8edace352b8c5c7ee0143a9dbce83877 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sat, 6 Jul 2024 09:49:22 +0200 Subject: [PATCH 680/996] home.nas: clean up zfs datasets --- nodes/home/nas.py | 67 +++-------------------------------------------- 1 file changed, 3 insertions(+), 64 deletions(-) diff --git a/nodes/home/nas.py b/nodes/home/nas.py index 4afce46..821de15 100644 --- a/nodes/home/nas.py +++ b/nodes/home/nas.py 
@@ -67,26 +67,6 @@ nodes['home.nas'] = { '/storage/nas/normen', }, }, - 'dm-crypt': { - 'encrypted-devices': { - '/dev/disk/by-id/ata-ST18000NM0092-3CX103_ZVV06JV7-part1': { - 'dm-name': 'sg-ZVV06JV7-1', - 'passphrase': bwpass.password('bw/home.nas/dmcrypt/sg-ZVV06JV7-1'), - }, - '/dev/disk/by-id/ata-ST18000NM0092-3CX103_ZVV06JV7-part2': { - 'dm-name': 'sg-ZVV06JV7-2', - 'passphrase': bwpass.password('bw/home.nas/dmcrypt/sg-ZVV06JV7-2'), - }, - '/dev/disk/by-id/ata-ST18000NM0092-3CX103_ZVV06SLR-part1': { - 'dm-name': 'sg-ZVV06SLR-1', - 'passphrase': bwpass.password('bw/home.nas/dmcrypt/sg-ZVV06SLR-1'), - }, - '/dev/disk/by-id/ata-ST18000NM0092-3CX103_ZVV06SLR-part2': { - 'dm-name': 'sg-ZVV06SLR-2', - 'passphrase': bwpass.password('bw/home.nas/dmcrypt/sg-ZVV06SLR-2'), - }, - }, - }, 'groups': { 'nas': {}, }, @@ -271,58 +251,14 @@ nodes['home.nas'] = { 'ashift': 12, }, }, - 'encrypted': { - 'when_creating': { - 'config': [ - # These are new and fancy "dual actuator" - # drives, partitioned into two partitions - # taking 50% of the disk each. - { - 'type': 'mirror', - 'devices': { - '/dev/mapper/sg-ZVV06JV7-1', - '/dev/mapper/sg-ZVV06SLR-1', - }, - }, - { - 'type': 'mirror', - 'devices': { - '/dev/mapper/sg-ZVV06JV7-2', - '/dev/mapper/sg-ZVV06SLR-2', - }, - }, - ], - 'ashift': 12 - }, - 'needs': { - 'action:dm-crypt_open_sg-ZVV06JV7-1', - 'action:dm-crypt_open_sg-ZVV06JV7-2', - 'action:dm-crypt_open_sg-ZVV06SLR-1', - 'action:dm-crypt_open_sg-ZVV06SLR-2', - }, - # see comment in bundle:backup-server - 'unless': 'zpool import encrypted', - }, }, 'datasets': { - 'encrypted': { - 'primarycache': 'metadata', - }, - 'encrypted/nas': { - 'acltype': 'off', - 'atime': 'off', - 'compression': 'off', - 'mountpoint': '/media/nas', - }, 'storage': { 'primarycache': 'metadata', }, 'storage/opt-yate': { 'mountpoint': '/opt/yate', }, - 'storage/f2k1de': { - 'mountpoint': '/storage/f2k1de', - }, 'storage/download': { 'mountpoint': '/storage/download', }, 
@@ -331,6 +267,9 @@ nodes['home.nas'] = { 'mountpoint': '/storage/inbox', }, 'storage/nas': { + 'acltype': 'off', + 'atime': 'off', + 'compression': 'off', 'mountpoint': '/storage/nas', }, 'storage/paperless': { From fbe21970552c35ccb0c6613f7ab63afed055f124 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sat, 6 Jul 2024 10:56:13 +0200 Subject: [PATCH 681/996] add home.r630 --- nodes/home.r630-ipmi.toml | 6 ++++++ nodes/home.r630.toml | 19 +++++++++++++++++++ 2 files changed, 25 insertions(+) create mode 100644 nodes/home.r630-ipmi.toml create mode 100644 nodes/home.r630.toml diff --git a/nodes/home.r630-ipmi.toml b/nodes/home.r630-ipmi.toml new file mode 100644 index 0000000..f58012b --- /dev/null +++ b/nodes/home.r630-ipmi.toml @@ -0,0 +1,6 @@ +dummy = true + +[metadata.interfaces.eth0] +ips = ["172.19.138.23"] +dhcp = true +mac = "50:9a:4c:ad:f9:c4" diff --git a/nodes/home.r630.toml b/nodes/home.r630.toml new file mode 100644 index 0000000..e28673b --- /dev/null +++ b/nodes/home.r630.toml @@ -0,0 +1,19 @@ +hostname = "172.19.138.22" +groups = ["debian-bookworm"] + +[metadata] +icinga_options.exclude_from_monitoring = true + +[metadata.interfaces.eno3] +ips = [ + "172.19.138.22/24", +] +gateway4 = "172.19.138.1" +ipv6_accept_ra = true + +[metadata.users.molly] +password = "!decrypt:dummy$no" + +[metadata.vm] +cpu = 56 +ram = 128 From 52b68d6e4282891bccc348d73eec1546760ec075 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sat, 6 Jul 2024 10:59:46 +0200 Subject: [PATCH 682/996] home.nas: clean up smartd config --- nodes/home/nas.py | 4 ---- 1 file changed, 4 deletions(-) diff --git a/nodes/home/nas.py b/nodes/home/nas.py index 821de15..9a674a4 100644 --- a/nodes/home/nas.py +++ b/nodes/home/nas.py 
@@ -163,10 +163,6 @@ nodes['home.nas'] = { 'disks': { '/dev/nvme0', - # encrypted disks - '/dev/disk/by-id/ata-ST18000NM0092-3CX103_ZVV06JV7', - '/dev/disk/by-id/ata-ST18000NM0092-3CX103_ZVV06SLR', - # ZFS cache disks #'/dev/disk/by-id/ata-TS64GSSD370_B807810503', #'/dev/disk/by-id/ata-TS64GSSD370_B807810527', From 5a86e657ffbe84ca1da3e99bac23cfe291878372 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 7 Jul 2024 10:22:26 +0200 Subject: [PATCH 683/996] bundles/mixcloud-downloader: add login via netrc --- bundles/mixcloud-downloader/files/download.sh | 8 ++++++-- bundles/mixcloud-downloader/files/netrc | 3 +++ bundles/mixcloud-downloader/items.py | 6 ++++++ nodes/home/nas.py | 8 ++++++++ 4 files changed, 23 insertions(+), 2 deletions(-) create mode 100644 bundles/mixcloud-downloader/files/netrc diff --git a/bundles/mixcloud-downloader/files/download.sh b/bundles/mixcloud-downloader/files/download.sh index a30b36a..b7d97de 100644 --- a/bundles/mixcloud-downloader/files/download.sh +++ b/bundles/mixcloud-downloader/files/download.sh @@ -1,11 +1,15 @@ #!/bin/bash -OPTS="" +OPTS="--netrc" +OPTS="$OPTS --netrc-location /opt/mixcloud-downloader/netrc" +OPTS="$OPTS --retry-sleep linear=1::2" +OPTS="$OPTS --retry-sleep fragment:exp=1:60" +OPTS="$OPTS --extractor-retries 5" if [[ -n "$DEBUG" ]] then set -x else - OPTS="-q" + OPTS="$OPTS -q" fi set -euo pipefail diff --git a/bundles/mixcloud-downloader/files/netrc b/bundles/mixcloud-downloader/files/netrc new file mode 100644 index 0000000..40def1b --- /dev/null +++ b/bundles/mixcloud-downloader/files/netrc @@ -0,0 +1,3 @@ +% for domain, data in sorted(node.metadata.get('mixcloud-downloader/netrc', {}).items()): +machine ${domain} login ${data['username']} password ${data['password']} +% endfor diff --git a/bundles/mixcloud-downloader/items.py b/bundles/mixcloud-downloader/items.py index a45acdc..8c66ce8 100644 --- a/bundles/mixcloud-downloader/items.py +++ b/bundles/mixcloud-downloader/items.py 
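Review bot: The `password` value in bundles/mixcloud-downloader/files/netrc is interpolated unquoted, and netrc is whitespace-tokenised, so a credential containing a space or `#` would presumably be split or truncated by the downloader's netrc parser with no error at template time. The current value is an OAuth token fetched via bwpass, which is unlikely to contain such characters, but the template gives no hint of the constraint; a Mako comment such as `## netrc is whitespace-separated: credentials must not contain spaces` would document it. The file is installed with mode 0400 in bundles/mixcloud-downloader/items.py, which is the right handling for the token.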
@@ -6,3 +6,9 @@ files['/opt/mixcloud-downloader/download.sh'] = { directories['/opt/mixcloud-downloader'] = { 'owner': 'kunsi', } + +files['/opt/mixcloud-downloader/netrc'] = { + 'content_type': 'mako', + 'mode': '0400', + 'owner': 'kunsi', +} diff --git a/nodes/home/nas.py b/nodes/home/nas.py index 9a674a4..9c2c62f 100644 --- a/nodes/home/nas.py +++ b/nodes/home/nas.py @@ -101,6 +101,14 @@ nodes['home.nas'] = { 'home.lgtv-wohnzimmer', }, }, + 'mixcloud-downloader': { + 'netrc': { + 'soundcloud': { + 'username': 'oauth', + 'password': bwpass.attr('soundcloud.com/hi@kunsmann.eu', 'oauth_token'), + }, + }, + }, 'mosquitto': { 'bridges': { 'c3voc': { From 2fddd57ed838e25d22dc972c94114f80f09153d8 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 7 Jul 2024 10:23:20 +0200 Subject: [PATCH 684/996] bundles/backup-client: only log to logfile when not running in debug mode --- bundles/backup-client/files/generate-backup | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/bundles/backup-client/files/generate-backup b/bundles/backup-client/files/generate-backup index 28ef49d..3fd9d7d 100644 --- a/bundles/backup-client/files/generate-backup +++ b/bundles/backup-client/files/generate-backup @@ -62,10 +62,13 @@ trap "on_exit" EXIT # redirect stdout and stderr to logfile prepare_and_cleanup_logdir -logfile="$logdir/backup--$(date '+%F--%H-%M-%S')--$$.log.gz" -echo "All log output will go to $logfile" | logger -it backup-client -exec > >(gzip >"$logfile") -exec 2>&1 +if [[ -z "$DEBUG" ]] +then + logfile="$logdir/backup--$(date '+%F--%H-%M-%S')--$$.log.gz" + echo "All log output will go to $logfile" | logger -it backup-client + exec > >(gzip >"$logfile") + exec 2>&1 +fi # this is where the real work starts ts_begin=$(date +%s) From d08e9f12abba19d69003aac7ab05ec51fd9ebfab Mon Sep 17 00:00:00 2001 
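Review bot: `if [[ -z "$DEBUG" ]]` in bundles/backup-client/files/generate-backup references `DEBUG` unguarded; if the script runs with `set -u` (the option lines are outside this hunk, so I cannot tell) an unset `DEBUG` aborts the run before any logging is set up, which would make the backup fail with no log file to explain it. `if [[ -z "${DEBUG:-}" ]]` is safe either way. Note also that with `DEBUG` set, stdout and stderr are no longer captured at all, so a debug run leaves nothing in `$logdir`; that seems to be the intent, but a comment such as `# in debug mode output stays on the terminal and no logfile is written` would save the next person looking for a missing log.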
From: Franziska Kunsmann Date: Fri, 12 Jul 2024 18:13:43 +0200 Subject: [PATCH 685/996] add icinga_options.also_affected_by to systems running in vm on home.nas --- nodes/home.hass.toml | 3 +++ nodes/home.winkeeinhorn-vm.toml | 3 +++ nodes/home/downloadhelper.py | 5 +++++ nodes/home/paperless.py | 5 +++++ 4 files changed, 16 insertions(+) diff --git a/nodes/home.hass.toml b/nodes/home.hass.toml index 8922404..b29dd0e 100644 --- a/nodes/home.hass.toml +++ b/nodes/home.hass.toml @@ -6,6 +6,9 @@ bundles = [ ] groups = ["debian-bookworm"] +[metadata.icinga_options] +also_affected_by = ['home.nas'] + [metadata.interfaces.enp1s0] ips = [ "172.19.138.25/24", diff --git a/nodes/home.winkeeinhorn-vm.toml b/nodes/home.winkeeinhorn-vm.toml index c51893d..c28c39b 100644 --- a/nodes/home.winkeeinhorn-vm.toml +++ b/nodes/home.winkeeinhorn-vm.toml @@ -1,5 +1,8 @@ dummy = true +[metadata.icinga_options] +also_affected_by = ['home.nas'] + [metadata.interfaces.default] ips = ["172.19.138.10"] dhcp = true diff --git a/nodes/home/downloadhelper.py b/nodes/home/downloadhelper.py index 0d97ba1..4874561 100644 --- a/nodes/home/downloadhelper.py +++ b/nodes/home/downloadhelper.py @@ -8,6 +8,11 @@ nodes['home.downloadhelper'] = { 'debian-bullseye', }, 'metadata': { + 'icinga_options': { + 'also_affected_by': { + 'home.nas', + }, + }, 'interfaces': { 'enp1s0.3001': { 'dhcp': True, diff --git a/nodes/home/paperless.py b/nodes/home/paperless.py index f6820f6..286741c 100644 --- a/nodes/home/paperless.py +++ b/nodes/home/paperless.py @@ -12,6 +12,11 @@ nodes['home.paperless'] = { 'webserver', }, 'metadata': { + 'icinga_options': { + 'also_affected_by': { + 'home.nas', + }, + }, 'interfaces': { 'enp1s0': { 'ips': { From a472ca465747c381c9249cc6bba30e58d0684373 Mon Sep 17 00:00:00 2001 
From: Franziska Kunsmann Date: Fri, 12 Jul 2024 18:20:53 +0200 Subject: [PATCH 686/996] bw/bundles/matrix-media-repo: adjust config for 1.3.6 --- bundles/matrix-media-repo/files/config.yaml | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/bundles/matrix-media-repo/files/config.yaml b/bundles/matrix-media-repo/files/config.yaml index 5e4549f..0b07b0f 100644 --- a/bundles/matrix-media-repo/files/config.yaml +++ b/bundles/matrix-media-repo/files/config.yaml @@ -3,6 +3,9 @@ repo: bindAddress: '${node.metadata.get('matrix-media-repo/listen-addr', '127.0.0.1')}' port: ${node.metadata.get('matrix-media-repo/port', 20090)} logDirectory: '-' + logColors: false + jsonLogs: false + logLevel: 'info' trustAnyForwardedAddress: false useForwardedHost: true @@ -22,6 +25,9 @@ homeservers: csApi: "${config['domain']}" backoffAt: ${config.get('backoff_at', 10)} adminApiKind: "${config.get('api', 'matrix')}" +% if config.get('signing_key_path'): + signingKeyPath: "${config['signing_key_path']}" +% endif % endfor accessTokens: @@ -53,7 +59,9 @@ archiving: uploads: maxBytes: ${node.metadata.get('matrix-media-repo/upload_max_mb')*1024*1024} minBytes: 100 - reportedMaxBytes: 0 + #reportedMaxBytes: 0 + maxPending: 5 + maxAgeSeconds: 1800 quotas: enabled: false @@ -61,14 +69,6 @@ downloads: maxBytes: ${node.metadata.get('matrix-media-repo/download_max_mb')*1024*1024} numWorkers: ${node.metadata.get('matrix-media-repo/workers')} failureCacheMinutes: 5 - cache: - enabled: true - maxSizeBytes: ${node.metadata.get('matrix-media-repo/download_max_mb')*10*1024*1024} - maxFileSizeBytes: ${node.metadata.get('matrix-media-repo/download_max_mb')*1024*1024} - trackedMinutes: 30 - minDownloads: 5 - minCacheTimeSeconds: 300 - minEvictedTimeSeconds: 60 expireAfterDays: 0 urlPreviews: From b2028855d152226e4903c94c0ba6a7ca60cf15e1 Mon Sep 17 00:00:00 2001 
From: Franziska Kunsmann Date: Fri, 12 Jul 2024 18:24:27 +0200 Subject: [PATCH 687/996] bundles/sshmon: new issuer hash for letsencrypt --- bundles/sshmon/files/check_https_certificate_at_url | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/bundles/sshmon/files/check_https_certificate_at_url b/bundles/sshmon/files/check_https_certificate_at_url index 7c22cfe..7ad2cc3 100644 --- a/bundles/sshmon/files/check_https_certificate_at_url +++ b/bundles/sshmon/files/check_https_certificate_at_url @@ -19,7 +19,8 @@ crit_days=30 case "$issuer_hash" in # 4f06f81d: issuer=C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3 # 8d33f237: issuer=C = US, O = Let's Encrypt, CN = R3 - 4f06f81d|8d33f237) + # 462422cf: issuer=C = US, O = Let's Encrypt, CN = E5 + 4f06f81d|8d33f237|462422cf) warn_days=10 crit_days=3 ;; From 08f2c46c31762b87812089afbe9eb3cdf0f90072 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Fri, 12 Jul 2024 18:39:09 +0200 Subject: [PATCH 688/996] bundles/matrix-synapse: media-repo needs more paths now --- bundles/matrix-synapse/metadata.py | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/bundles/matrix-synapse/metadata.py b/bundles/matrix-synapse/metadata.py index d0cb15e..7af43f0 100644 --- a/bundles/matrix-synapse/metadata.py +++ b/bundles/matrix-synapse/metadata.py 
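Review bot: Matching Let's Encrypt by individual `issuer_hash` values in bundles/sshmon/files/check_https_certificate_at_url means every new intermediate (E5 here, E6 in the following commit, PATCH 690) silently falls back to the default 30-day thresholds until someone adds its hash, and `issuer_hash` is only a short hash of the issuer DN, so the list is pure maintenance rather than an identity check. If the goal is just "short-lived CA, tighten the thresholds", matching on the issuer organisation from `openssl x509 -noout -issuer` (a `case` pattern on `O = Let's Encrypt`) would cover future intermediates without further commits. If the per-hash list is kept, a comment like `# unknown intermediates fall back to the default thresholds below` would at least make the failure mode visible. The input to the `case` statement is computed outside the hunk.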
@@ -144,13 +144,14 @@ def nginx(metadata): } if node.has_bundle('matrix-media-repo'): - locations['/_matrix/media'] = { - 'target': 'http://localhost:20090', - 'max_body_size': '{}M'.format(metadata.get('matrix-media-repo/upload_max_mb')), - # matrix-media-repo needs this to be the - # homeserver address. - 'x_forwarded_host': metadata.get('matrix-synapse/server_name'), - } + for path in ('/_matrix/media', '/_matrix/client/v1/media', '/_matrix/federation/v1/media'): + locations[path] = { + 'target': 'http://localhost:20090', + 'max_body_size': '{}M'.format(metadata.get('matrix-media-repo/upload_max_mb')), + # matrix-media-repo needs this to be the + # homeserver address. + 'x_forwarded_host': metadata.get('matrix-synapse/server_name'), + } vhosts = { 'matrix-synapse': { From e4dfd17bb6637f100c2e38977fc8a64c6c8ea03f Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Fri, 12 Jul 2024 18:42:31 +0200 Subject: [PATCH 689/996] bundles/matrix-media-repo: has live config reload --- bundles/matrix-media-repo/items.py | 3 --- 1 file changed, 3 deletions(-) diff --git a/bundles/matrix-media-repo/items.py b/bundles/matrix-media-repo/items.py index ba2b2bb..faf08ad 100644 --- a/bundles/matrix-media-repo/items.py +++ b/bundles/matrix-media-repo/items.py @@ -19,9 +19,6 @@ files = { '/opt/matrix-media-repo/config.yaml': { 'owner': 'matrix-media-repo', 'content_type': 'mako', - 'triggers': { - 'svc_systemd:matrix-media-repo:restart', - }, }, '/etc/systemd/system/matrix-media-repo.service': { 'triggers': { From c3489536111af69dfa245e9cd8d14607149aee81 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Fri, 12 Jul 2024 18:45:43 +0200 Subject: [PATCH 690/996] bundles/sshmon: even more letsencrypt shenanigans --- bundles/sshmon/files/check_https_certificate_at_url | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/bundles/sshmon/files/check_https_certificate_at_url b/bundles/sshmon/files/check_https_certificate_at_url index 7ad2cc3..f494e37 100644 
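Review bot: The loop in bundles/matrix-synapse/metadata.py gives all three prefixes the same `max_body_size`, but as far as I know only `/_matrix/media` accepts uploads; `/_matrix/client/v1/media` and `/_matrix/federation/v1/media` are the download side of authenticated media, so the limit is harmless there but the shared block hides why these three paths are grouped. A comment above the `for`, e.g. `# /_matrix/media is the legacy media API incl. upload; the client/v1 and federation/v1 prefixes are the authenticated-media endpoints, all served by matrix-media-repo`, would explain the grouping. The `nginx` reactor continues outside the hunk.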
--- a/bundles/sshmon/files/check_https_certificate_at_url +++ b/bundles/sshmon/files/check_https_certificate_at_url @@ -20,7 +20,8 @@ case "$issuer_hash" in # 4f06f81d: issuer=C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3 # 8d33f237: issuer=C = US, O = Let's Encrypt, CN = R3 # 462422cf: issuer=C = US, O = Let's Encrypt, CN = E5 - 4f06f81d|8d33f237|462422cf) + # 9aad238c: issuer=C = US, O = Let's Encrypt, CN = E6 + 4f06f81d|8d33f237|462422cf|9aad238c) warn_days=10 crit_days=3 ;; From 04094df41844eef76c8689748c75bf092477c6e3 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Fri, 12 Jul 2024 18:46:10 +0200 Subject: [PATCH 691/996] update matrix-media-repo to 1.3.6 --- nodes/carlene.toml | 5 +++-- nodes/htz-cloud.afra.toml | 5 +++-- 2 files changed, 6 insertions(+), 4 deletions(-) diff --git a/nodes/carlene.toml b/nodes/carlene.toml index a8dfbcc..bf7787d 100644 --- a/nodes/carlene.toml +++ b/nodes/carlene.toml @@ -70,12 +70,13 @@ gateway6 = "2a0a:51c0:0:225::1" [metadata.matrix-media-repo] admins = ["@kunsi:franzi.business"] datastore_id = "3fff5da324ed784c771d638bb6be5917" -sha1 = "55d353b472894547c61b11567089eb2cf40ce5ba" +sha1 = "ef9e8624e70714e4d421ece0c27f2974f55c0e59" upload_max_mb = 500 -version = "v1.3.4" +version = "v1.3.6" [metadata.matrix-media-repo.homeservers.'franzi.business'] api = "synapse" domain = "http://[::1]:20080/" +signing_key_path = "/etc/matrix-synapse/mmr.signing.key" [metadata.matrix-stickerpicker] # use this bot token: encrypt$gAAAAABfVK51ErJ6gfsOOkbRxSHDnVYmf7EihAQf7Uwj9og3TlAw64WRsA6ZVEgTSvOdLB3SMKZ-cTEhwkCOpbymq-_WLhes-hZALhN-H_oXHaxTQErJ0lARynKmjM-4ZhoGlUWlfh4Q diff --git a/nodes/htz-cloud.afra.toml b/nodes/htz-cloud.afra.toml index d473293..db2ca6c 100644 --- a/nodes/htz-cloud.afra.toml +++ b/nodes/htz-cloud.afra.toml 
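Review bot: `signing_key_path = "/etc/matrix-synapse/mmr.signing.key"` in nodes/carlene.toml (and the same line in nodes/htz-cloud.afra.toml in the next hunk) points matrix-media-repo at a file under the synapse configuration directory, but nothing in this series shows the key being generated or made readable by the `matrix-media-repo` user that owns the service's config in bundles/matrix-media-repo/items.py. If the key is provisioned by hand, a comment next to the setting saying where it comes from and what ownership and mode it needs would avoid the obvious shortcut of making it world-readable; a federation signing key should be readable only by the service that uses it.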
@@ -44,13 +44,14 @@ jitsi.preferredDomain = "meet.ffmuc.net" [metadata.matrix-media-repo] admins = ['@administress:afra.berlin'] datastore_id = "e33b50474021fba9977f912414cdd7fe8890ed57" -sha1 = "55d353b472894547c61b11567089eb2cf40ce5ba" +sha1 = "ef9e8624e70714e4d421ece0c27f2974f55c0e59" upload_max_mb = 50 -version = "v1.3.4" +version = "v1.3.6" [metadata.matrix-media-repo.homeservers.'afra.berlin'] domain = "http://[::1]:20080/" api = "synapse" +signing_key_path = "/etc/matrix-synapse/mmr.signing.key" [metadata.matrix-registration] base_path = "/matrix" From 466a620bcad55854b3e7ec58ec0ed2b864f992d5 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Fri, 12 Jul 2024 19:06:28 +0200 Subject: [PATCH 692/996] update element-web to 1.11.70 --- nodes/carlene.toml | 2 +- nodes/htz-cloud.afra.toml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/nodes/carlene.toml b/nodes/carlene.toml index bf7787d..bd86592 100644 --- a/nodes/carlene.toml +++ b/nodes/carlene.toml @@ -40,7 +40,7 @@ imap_pass = "!bwpass_attr:t-online.de/franzi.kunsmann@t-online.de:imap" [metadata.element-web] url = "chat.franzi.business" -version = "v1.11.69" +version = "v1.11.70" [metadata.element-web.config] default_server_config.'m.homeserver'.base_url = "https://matrix.franzi.business" default_server_config.'m.homeserver'.server_name = "franzi.business" diff --git a/nodes/htz-cloud.afra.toml b/nodes/htz-cloud.afra.toml index db2ca6c..719fa8c 100644 --- a/nodes/htz-cloud.afra.toml +++ b/nodes/htz-cloud.afra.toml @@ -32,7 +32,7 @@ routes.'172.19.128.0/20'.via = "172.19.137.1" [metadata.element-web] url = "element.afra.berlin" -version = "v1.11.69" +version = "v1.11.70" [metadata.element-web.config] default_server_config.'m.homeserver'.base_url = "https://matrix.afra.berlin" From fb46d81f97e86786d5f55ba22dea289ed70f63e8 Mon Sep 17 00:00:00 2001 
From: Franziska Kunsmann Date: Fri, 12 Jul 2024 19:06:43 +0200 Subject: [PATCH 693/996] update netbox to 4.0.7 --- nodes/carlene.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nodes/carlene.toml b/nodes/carlene.toml index bd86592..3b3b979 100644 --- a/nodes/carlene.toml +++ b/nodes/carlene.toml @@ -126,7 +126,7 @@ domain = "rss.franzi.business" [metadata.netbox] domain = "netbox.franzi.business" -version = "v4.0.6" +version = "v4.0.7" admins.kunsi = "hostmaster@kunbox.net" [metadata.nextcloud] From 205fea377a5e4734040186c8c139317092d0f41e Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Fri, 12 Jul 2024 19:06:55 +0200 Subject: [PATCH 694/996] update paperless to 2.11.0 --- nodes/home/paperless.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nodes/home/paperless.py b/nodes/home/paperless.py index 286741c..85a35e2 100644 --- a/nodes/home/paperless.py +++ b/nodes/home/paperless.py @@ -47,7 +47,7 @@ nodes['home.paperless'] = { }, 'paperless': { 'domain': 'paperless.home.kunbox.net', - 'version': 'v2.10.2', + 'version': 'v2.11.0', 'timezone': 'Europe/Berlin', }, 'postgresql': { From 350c436e4d4914a809e868cb3fba0d900d80dce2 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Fri, 19 Jul 2024 19:19:14 +0200 Subject: [PATCH 695/996] bundles/apt: add action to execute additional_update_commands --- bundles/apt/items.py | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/bundles/apt/items.py b/bundles/apt/items.py index ede8aae..5d055d3 100644 --- a/bundles/apt/items.py +++ b/bundles/apt/items.py @@ -27,6 +27,10 @@ actions = { 'triggered': True, 'cascade_skip': False, }, + 'apt_execute_update_commands': { + 'command': ' && '.join(sorted(node.metadata.get('apt/additional_update_commands'))), + 'triggered': True, + }, } files = { From 55a3e6675f672bff6a8288d0a937b20a0e75f37f Mon Sep 17 00:00:00 2001 
From: Franziska Kunsmann Date: Fri, 19 Jul 2024 19:19:45 +0200 Subject: [PATCH 696/996] bundles/nodejs: everything changed, AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA --- bundles/nodejs/items.py | 9 ------ bundles/nodejs/metadata.py | 57 +++++++++++++++----------------------- 2 files changed, 22 insertions(+), 44 deletions(-) diff --git a/bundles/nodejs/items.py b/bundles/nodejs/items.py index 54f8ca7..e69de29 100644 --- a/bundles/nodejs/items.py +++ b/bundles/nodejs/items.py @@ -1,9 +0,0 @@ -actions = { - 'nodejs_install_yarn': { - 'command': 'npm install -g yarn@latest', - 'unless': 'test -e /usr/lib/node_modules/yarn', - 'after': { - 'pkg_apt:', - }, - }, -} diff --git a/bundles/nodejs/metadata.py b/bundles/nodejs/metadata.py index cc484b2..b213fcc 100644 --- a/bundles/nodejs/metadata.py +++ b/bundles/nodejs/metadata.py 
@@ -1,54 +1,41 @@ defaults = { 'apt': { 'additional_update_commands': { - # update npm to latest version + # update npm and yarn to latest version + 'npm install -g npm@latest', 'npm install -g yarn@latest', }, 'packages': { - 'nodejs': {}, + 'nodejs': { + 'triggers': { + 'action:apt_execute_update_commands', + }, + }, + 'npm': { + 'installed': False, + 'triggers': { + 'action:apt_execute_update_commands', + }, + }, }, }, - 'nodejs': { - 'version': 18, - }, -} - -VERSIONS_SHIPPED_BY_DEBIAN = { - 10: 10, - 11: 12, - 12: 18, - 13: 18, } @metadata_reactor.provides( 'apt/repos/nodejs/items', - 'apt/additional_update_commands', ) def nodejs_from_version(metadata): version = metadata.get('nodejs/version') - if version != VERSIONS_SHIPPED_BY_DEBIAN[node.os_version[0]]: - return { - 'apt': { - 'additional_update_commands': { - # update npm to latest version - 'npm install -g npm@latest', - }, - 'repos': { - 'nodejs': { - 'items': { - f'deb https://deb.nodesource.com/node_{version}.x {{os_release}} main', - f'deb-src https://deb.nodesource.com/node_{version}.x {{os_release}} main', - }, + return { + 'apt': { + 'repos': { + 'nodejs': { + 'items': { + f'deb https://deb.nodesource.com/node_{version}.x nodistro main', + f'deb-src https://deb.nodesource.com/node_{version}.x nodistro main', }, }, }, - } - else: - return { - 'apt': { - 'packages': { - 'npm': {}, - }, - }, - } + }, + } From 263440296d188cc65022a23f7b35a8503c320992 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Fri, 19 Jul 2024 19:20:23 +0200 Subject: [PATCH 697/996] bundles: no default for nodejs version anymore --- bundles/element-web/items.py | 2 +- bundles/element-web/metadata.py | 20 ++++++++++++++++++++ bundles/paperless-ng/metadata.py | 3 +++ bundles/powerdnsadmin/metadata.py | 3 +++ bundles/pretalx/metadata.py | 3 +++ 5 files changed, 30 insertions(+), 1 deletion(-) diff --git a/bundles/element-web/items.py b/bundles/element-web/items.py index b141c97..a832829 100644 
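Review bot: `npm install -g npm@latest` and `npm install -g yarn@latest` in `apt/additional_update_commands` run on every apt update, presumably as root, and pull whatever the public registry currently tags as latest, with no version pin and no checksum, so the node's toolchain now changes without a corresponding commit in this repository. That is a wider supply-chain exposure than the apt repository it sits next to, which is at least signed by the key in data/apt/files/gpg-keys/nodejs.asc (replaced in PATCH 698 without recording the fingerprint it was checked against). Pinning to a version held in metadata, or at least a comment such as `# intentionally unpinned: npm/yarn follow the registry's latest tag`, would make the choice explicit. Separately, `metadata.get('nodejs/version')` no longer has a default, so a node with this bundle and no version set now fails at metadata time instead of falling back to the distribution package; that matches the following commit, but a one-line comment on the reactor would save the next reader the search.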
--- a/bundles/element-web/items.py +++ b/bundles/element-web/items.py @@ -33,7 +33,7 @@ actions = { 'yarn build', ]), 'needs': { - 'action:nodejs_install_yarn', + 'action:apt_execute_update_commands', 'pkg_apt:nodejs', }, 'triggered': True, diff --git a/bundles/element-web/metadata.py b/bundles/element-web/metadata.py index 0ce259a..b68b481 100644 --- a/bundles/element-web/metadata.py +++ b/bundles/element-web/metadata.py @@ -11,6 +11,26 @@ defaults = { }, } +@metadata_reactor.provides( + 'nodejs/version', +) +def nodejs(metadata): + version = tuple([int(i) for i in metadata.get('element-web/version')[1:].split('.')]) + + if version >= (1, 11, 71): + return { + 'nodejs': { + 'version': 20, + }, + } + else: + return { + 'nodejs': { + 'version': 18, + }, + } + + @metadata_reactor.provides( 'nginx/vhosts/element-web', ) diff --git a/bundles/paperless-ng/metadata.py b/bundles/paperless-ng/metadata.py index b9ab153..91a18c6 100644 --- a/bundles/paperless-ng/metadata.py +++ b/bundles/paperless-ng/metadata.py @@ -33,6 +33,9 @@ defaults = { '/mnt/paperless', }, }, + 'nodejs': { + 'version': 18, + }, 'postgresql': { 'roles': { 'paperless': { diff --git a/bundles/powerdnsadmin/metadata.py b/bundles/powerdnsadmin/metadata.py index d7e93be..e6f5014 100644 --- a/bundles/powerdnsadmin/metadata.py +++ b/bundles/powerdnsadmin/metadata.py @@ -13,6 +13,9 @@ defaults = { 'python3-wheel': {}, }, }, + 'nodejs': { + 'version': 18, + }, 'users': { 'powerdnsadmin': { 'home': '/opt/powerdnsadmin', diff --git a/bundles/pretalx/metadata.py b/bundles/pretalx/metadata.py index f60c54b..7bbad24 100644 --- a/bundles/pretalx/metadata.py +++ b/bundles/pretalx/metadata.py @@ -26,6 +26,9 @@ defaults = { }, }, }, + 'nodejs': { + 'version': 18, + }, 'pretalx': { 'database': { 'user': 'pretalx', From 69691f75c5d2de893258b2cdc1b725439956931c Mon Sep 17 00:00:00 2001 
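Review bot: `metadata.get('element-web/version')[1:].split('.')` in the new `nodejs` reactor in bundles/element-web/metadata.py assumes a bare `v` prefix and purely numeric components; a value such as `1.11.71` (no `v`) would silently drop its first digit, and a pre-release tag like `v1.11.71-rc.1` would raise `ValueError` inside the reactor. `version = tuple(int(i) for i in metadata.get('element-web/version').removeprefix('v').split('.'))` handles the missing prefix and drops the list-inside-tuple wrapping. A short docstring stating why 1.11.71 is the cutoff for Node 20 would also help, since nothing in the hunk explains it.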
From: Franziska Kunsmann Date: Fri, 19 Jul 2024 19:20:40 +0200 Subject: [PATCH 698/996] data/apt: new gpg key for nodesource --- data/apt/files/gpg-keys/nodejs.asc | 75 +++++++++++------------------- 1 file changed, 26 insertions(+), 49 deletions(-) diff --git a/data/apt/files/gpg-keys/nodejs.asc b/data/apt/files/gpg-keys/nodejs.asc index 1dc1d10..b7637b8 100644 --- a/data/apt/files/gpg-keys/nodejs.asc +++ b/data/apt/files/gpg-keys/nodejs.asc 
@@ -1,52 +1,29 @@ -----BEGIN PGP PUBLIC KEY BLOCK----- -Version: GnuPG v1 -Comment: GPGTools - https://gpgtools.org -mQINBFObJLYBEADkFW8HMjsoYRJQ4nCYC/6Eh0yLWHWfCh+/9ZSIj4w/pOe2V6V+ -W6DHY3kK3a+2bxrax9EqKe7uxkSKf95gfns+I9+R+RJfRpb1qvljURr54y35IZgs -fMG22Np+TmM2RLgdFCZa18h0+RbH9i0b+ZrB9XPZmLb/h9ou7SowGqQ3wwOtT3Vy -qmif0A2GCcjFTqWW6TXaY8eZJ9BCEqW3k/0Cjw7K/mSy/utxYiUIvZNKgaG/P8U7 -89QyvxeRxAf93YFAVzMXhoKxu12IuH4VnSwAfb8gQyxKRyiGOUwk0YoBPpqRnMmD -Dl7SdmY3oQHEJzBelTMjTM8AjbB9mWoPBX5G8t4u47/FZ6PgdfmRg9hsKXhkLJc7 -C1btblOHNgDx19fzASWX+xOjZiKpP6MkEEzq1bilUFul6RDtxkTWsTa5TGixgCB/ -G2fK8I9JL/yQhDc6OGY9mjPOxMb5PgUlT8ox3v8wt25erWj9z30QoEBwfSg4tzLc -Jq6N/iepQemNfo6Is+TG+JzI6vhXjlsBm/Xmz0ZiFPPObAH/vGCY5I6886vXQ7ft -qWHYHT8jz/R4tigMGC+tvZ/kcmYBsLCCI5uSEP6JJRQQhHrCvOX0UaytItfsQfLm -EYRd2F72o1yGh3yvWWfDIBXRmaBuIGXGpajC0JyBGSOWb9UxMNZY/2LJEwARAQAB -tB9Ob2RlU291cmNlIDxncGdAbm9kZXNvdXJjZS5jb20+iQI4BBMBAgAiBQJTmyS2 -AhsDBgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAKCRAWVaCraFdigHTmD/9OKhUy -jJ+h8gMRg6ri5EQxOExccSRU0i7UHktecSs0DVC4lZG9AOzBe+Q36cym5Z1di6JQ -kHl69q3zBdV3KTW+H1pdmnZlebYGz8paG9iQ/wS9gpnSeEyx0Enyi167Bzm0O4A1 -GK0prkLnz/yROHHEfHjsTgMvFwAnf9uaxwWgE1d1RitIWgJpAnp1DZ5O0uVlsPPm -XAhuBJ32mU8S5BezPTuJJICwBlLYECGb1Y65Cil4OALU7T7sbUqfLCuaRKxuPtcU -VnJ6/qiyPygvKZWhV6Od0Yxlyed1kftMJyYoL8kPHfeHJ+vIyt0s7cropfiwXoka -1iJB5nKyt/eqMnPQ9aRpqkm9ABS/r7AauMA/9RALudQRHBdWIzfIg0Mlqb52yyTI -IgQJHNGNX1T3z1XgZhI+Vi8SLFFSh8x9FeUZC6YJu0VXXj5iz+eZmk/nYjUt4Mtc -pVsVYIB7oIDIbImODm8ggsgrIzqxOzQVP1zsCGek5U6QFc9GYrQ+Wv3/fG8hfkDn -xXLww0OGaEQxfodm8cLFZ5b8JaG3+Yxfe7JkNclwvRimvlAjqIiW5OK0vvfHco+Y -gANhQrlMnTx//IdZssaxvYytSHpPZTYw+qPEjbBJOLpoLrz8ZafN1uekpAqQjffI -AOqW9SdIzq/kSHgl0bzWbPJPw86XzzftewjKNbkCDQRTmyS2ARAAxSSdQi+WpPQZ -fOflkx9sYJa0cWzLl2w++FQnZ1Pn5F09D/kPMNh4qOsyvXWlekaV/SseDZtVziHJ -Km6V8TBG3flmFlC3DWQfNNFwn5+pWSB8WHG4bTA5RyYEEYfpbekMtdoWW/Ro8Kmh -41nuxZDSuBJhDeFIp0ccnN2Lp1o6XfIeDYPegyEPSSZqrudfqLrSZhStDlJgXjea -JjW6UP6txPtYaaila9/Hn6vF87AQ5bR2dEWB/xRJzgNwRiax7KSU0xca6xAuf+TD 
-xCjZ5pp2JwdCjquXLTmUnbIZ9LGV54UZ/MeiG8yVu6pxbiGnXo4Ekbk6xgi1ewLi -vGmz4QRfVklV0dba3Zj0fRozfZ22qUHxCfDM7ad0eBXMFmHiN8hg3IUHTO+UdlX/ -aH3gADFAvSVDv0v8t6dGc6XE9Dr7mGEFnQMHO4zhM1HaS2Nh0TiL2tFLttLbfG5o -QlxCfXX9/nasj3K9qnlEg9G3+4T7lpdPmZRRe1O8cHCI5imVg6cLIiBLPO16e0fK -yHIgYswLdrJFfaHNYM/SWJxHpX795zn+iCwyvZSlLfH9mlegOeVmj9cyhN/VOmS3 -QRhlYXoA2z7WZTNoC6iAIlyIpMTcZr+ntaGVtFOLS6fwdBqDXjmSQu66mDKwU5Ek -fNlbyrpzZMyFCDWEYo4AIR/18aGZBYUAEQEAAYkCHwQYAQIACQUCU5sktgIbDAAK -CRAWVaCraFdigIPQEACcYh8rR19wMZZ/hgYv5so6Y1HcJNARuzmffQKozS/rxqec -0xM3wceL1AIMuGhlXFeGd0wRv/RVzeZjnTGwhN1DnCDy1I66hUTgehONsfVanuP1 -PZKoL38EAxsMzdYgkYH6T9a4wJH/IPt+uuFTFFy3o8TKMvKaJk98+Jsp2X/QuNxh -qpcIGaVbtQ1bn7m+k5Qe/fz+bFuUeXPivafLLlGc6KbdgMvSW9EVMO7yBy/2JE15 -ZJgl7lXKLQ31VQPAHT3an5IV2C/ie12eEqZWlnCiHV/wT+zhOkSpWdrheWfBT+ac -hR4jDH80AS3F8jo3byQATJb3RoCYUCVc3u1ouhNZa5yLgYZ/iZkpk5gKjxHPudFb -DdWjbGflN9k17VCf4Z9yAb9QMqHzHwIGXrb7ryFcuROMCLLVUp07PrTrRxnO9A/4 -xxECi0l/BzNxeU1gK88hEaNjIfviPR/h6Gq6KOcNKZ8rVFdwFpjbvwHMQBWhrqfu -G3KaePvbnObKHXpfIKoAM7X2qfO+IFnLGTPyhFTcrl6vZBTMZTfZiC1XDQLuGUnd -sckuXINIU3DFWzZGr0QrqkuE/jyr7FXeUJj9B7cLo+s/TXo+RaVfi3kOc9BoxIvy -/qiNGs/TKy2/Ujqp/affmIMoMXSozKmga81JSwkADO1JMgUy6dApXz9kP4EE3g== -=CLGF +mQENBFdDN1ABCADaNd/I3j3tn40deQNgz7hB2NvT+syXe6k4ZmdiEcOfBvFrkS8B +hNS67t93etHsxEy7E0qwsZH32bKazMqe9zDwoa3aVImryjh6SHC9lMtW27JPHFeM +Srkt9YmH1WMwWcRO6eSY9B3PpazquhnvbammLuUojXRIxkDroy6Fw4UKmUNSRr32 +9Ej87jRoR1B2/57Kfp2Y4+vFGGzSvh3AFQpBHq51qsNHALU6+8PjLfIt+5TPvaWR +TB+kAZnQZkaIQM2nr1n3oj6ak2RATY/+kjLizgFWzgEfbCrbsyq68UoY5FPBnu4Z +E3iDZpaIqwKr0seUC7iA1xM5eHi5kty1oB7HABEBAAG0Ik5Tb2xpZCA8bnNvbGlk +LWdwZ0Bub2Rlc291cmNlLmNvbT6JATgEEwECACIFAldDN1ACGwMGCwkIBwMCBhUI +AgkKCwQWAgMBAh4BAheAAAoJEC9ZtfmbG+C0y7wH/i4xnab36dtrYW7RZwL8i6Sc +NjMx4j9+U1kr/F6YtqWd+JwCbBdar5zRghxPcYEq/qf7MbgAYcs1eSOuTOb7n7+o +xUwdH2iCtHhKh3Jr2mRw1ks7BbFZPB5KmkxHaEBfLT4d+I91ZuUdPXJ+0SXs9gzk +Dbz65Uhoz3W03aiF8HeL5JNARZFMbHHNVL05U1sTGTCOtu+1c/33f3TulQ/XZ3Y4 +hwGCpLe0Tv7g7Lp3iLMZMWYPEa0a7S4u8he5IEJQLd8bE8jltcQvrdr3Fm8kI2Jg 
+BJmUmX4PSfhuTCFaR/yeCt3UoW883bs9LfbTzIx9DJGpRIu8Y0IL3b4sj/GoZVq5 +AQ0EV0M3UAEIAKrTaC62ayzqOIPa7nS90BHHck4Z33a2tZF/uof38xNOiyWGhT8u +JeFoTTHn5SQq5Ftyu4K3K2fbbpuu/APQF05AaljzVkDGNMW4pSkgOasdysj831cu +ssrHX2RYS22wg80k6C/Hwmh5F45faEuNxsV+bPx7oPUrt5n6GMx84vEP3i1+FDBi +0pt/B/QnDFBXki1BGvJ35f5NwDefK8VaInxXP3ZN/WIbtn5dqxppkV/YkO7GiJlp +Jlju9rf3kKUIQzKQWxFsbCAPIHoWv7rH9RSxgDithXtG6Yg5R1aeBbJaPNXL9wpJ +YBJbiMjkAFaz4B95FOqZm3r7oHugiCGsHX0AEQEAAYkBHwQYAQIACQUCV0M3UAIb +DAAKCRAvWbX5mxvgtE/OB/0VN88DR3Y3fuqy7lq/dthkn7Dqm9YXdorZl3L152eE +IF882aG8FE3qZdaLGjQO4oShAyNWmRfSGuoH0XERXAI9n0r8m4mDMxE6rtP7tHet +y/5M8x3CTyuMgx5GLDaEUvBusnTD+/v/fBMwRK/cZ9du5PSG4R50rtst+oYyC2ao +x4I2SgjtF/cY7bECsZDplzatN3gv34PkcdIg8SLHAVlL4N5tzumDeizRspcSyoy2 +K2+hwKU4C4+dekLLTg8rjnRROvplV2KtaEk6rxKtIRFDCoQng8wfJuIMrDNKvqZw +FRGt7cbvW5MCnuH8MhItOl9Uxp1wHp6gtav/h8Gp6MBa +=MARt -----END PGP PUBLIC KEY BLOCK----- From c4bf96482f0009f58e4215ec4e34bec65a59b050 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Fri, 19 Jul 2024 19:21:37 +0200 Subject: [PATCH 699/996] update element-web to 1.11.71 --- nodes/carlene.toml | 2 +- nodes/htz-cloud.afra.toml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/nodes/carlene.toml b/nodes/carlene.toml index 3b3b979..06ac5a9 100644 --- a/nodes/carlene.toml +++ b/nodes/carlene.toml @@ -40,7 +40,7 @@ imap_pass = "!bwpass_attr:t-online.de/franzi.kunsmann@t-online.de:imap" [metadata.element-web] url = "chat.franzi.business" -version = "v1.11.70" +version = "v1.11.71" [metadata.element-web.config] default_server_config.'m.homeserver'.base_url = "https://matrix.franzi.business" default_server_config.'m.homeserver'.server_name = "franzi.business" diff --git a/nodes/htz-cloud.afra.toml b/nodes/htz-cloud.afra.toml index 719fa8c..0c0e8c4 100644 --- a/nodes/htz-cloud.afra.toml +++ b/nodes/htz-cloud.afra.toml 
@@ -32,7 +32,7 @@ routes.'172.19.128.0/20'.via = "172.19.137.1" [metadata.element-web] url = "element.afra.berlin" -version = "v1.11.70" +version = "v1.11.71" [metadata.element-web.config] default_server_config.'m.homeserver'.base_url = "https://matrix.afra.berlin" From c1fc942b1dab84243a2005e69fc490be399ca281 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Fri, 19 Jul 2024 19:21:50 +0200 Subject: [PATCH 700/996] update mautrix-telegram to 0.15.2 --- nodes/carlene.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nodes/carlene.toml b/nodes/carlene.toml index 06ac5a9..b6a9423 100644 --- a/nodes/carlene.toml +++ b/nodes/carlene.toml @@ -99,7 +99,7 @@ sha1 = "cecb371ff5f1dd528cfc490484a0967dcc28cd82" secret = "!decrypt:encrypt$gAAAAABl9yJlbEZafJ2mumtg03rW0-440NIgFcgdWGMo3Axrypugwctacy9Cq7MYtCBGjnDyNvVLI5B2QMJ9ssCD46NCsFRN3-X4u9rDtxPhRZV7rls_LQ_Csc_GsffJfvpmHbn_wsljd3I74h4ouWlYhhEQUIKwb3eErSZ_VTZhu_bC4jTa0FY=" [metadata.mautrix-telegram] -version = "v0.15.1" +version = "v0.15.2" homeserver.domain = "franzi.business" homeserver.url = "https://matrix.franzi.business" telegram.api_id = "!decrypt:encrypt$gAAAAABfVK5SmDDru-UQxitkE5VhPArnUBhaRbAqQPvAW2Fh3fd1XDrWxa3Qn4BSnJAPNWglH5wil_SXUMcIm95FMhPe8dVeMQ==" From 2a8c1ef84ba2c88bbf97b8ef27e1fffe3f05cb74 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Fri, 19 Jul 2024 19:22:05 +0200 Subject: [PATCH 701/996] update mautrix-whatsapp to 0.10.9 --- nodes/carlene.toml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/nodes/carlene.toml b/nodes/carlene.toml index b6a9423..32b101f 100644 --- a/nodes/carlene.toml +++ b/nodes/carlene.toml 
@@ -114,8 +114,8 @@ provisioning.shared_secret = "!decrypt:encrypt$gAAAAABfVKflEMAi07C_QGP8cy97hF-4g "'@kunsi:franzi.business'" = "admin" [metadata.mautrix-whatsapp] -version = "v0.10.7" -sha1 = "7ebfadc247c3fb4c6c9503f7c48234fcc976cadf" +version = "v0.10.9" +sha1 = "1619579ec6b9fca84fec085a94842d309d3f730c" permissions."'@kunsi:franzi.business'" = "admin" [metadata.mautrix-whatsapp.homeserver] domain = "franzi.business" From 95bb7c52fe10327dcc3903d695395e53e9bf48b7 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Mon, 22 Jul 2024 21:31:27 +0200 Subject: [PATCH 702/996] bundles/apt: add bissing default for update commands --- bundles/apt/items.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/bundles/apt/items.py b/bundles/apt/items.py index 5d055d3..05528d0 100644 --- a/bundles/apt/items.py +++ b/bundles/apt/items.py @@ -28,7 +28,7 @@ actions = { 'cascade_skip': False, }, 'apt_execute_update_commands': { - 'command': ' && '.join(sorted(node.metadata.get('apt/additional_update_commands'))), + 'command': ' && '.join(sorted(node.metadata.get('apt/additional_update_commands', {'true'}))), 'triggered': True, }, } From 242279636f8d1a4008eb7a156ec415caf4be5bcb Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Tue, 30 Jul 2024 17:44:09 +0200 Subject: [PATCH 703/996] bundles/raspberrypi: things have changed since buster --- bundles/raspberrypi/files/config.txt | 1 + bundles/raspberrypi/items.py | 4 ++-- bundles/raspberrypi/metadata.py | 9 +++++++++ 3 files changed, 12 insertions(+), 2 deletions(-) diff --git a/bundles/raspberrypi/files/config.txt b/bundles/raspberrypi/files/config.txt index 00079b2..445fc63 100644 --- a/bundles/raspberrypi/files/config.txt +++ b/bundles/raspberrypi/files/config.txt @@ -12,6 +12,7 @@ gpu_mem=${node.metadata['raspberrypi'].get('gpu_mem', 128)} % if node.os == 'debian': arm_64bit=1 % endif +arm_boost=1 % for item in sorted(node.metadata['raspberrypi'].get('config.txt', set())): ${item} 
diff --git a/bundles/raspberrypi/items.py b/bundles/raspberrypi/items.py index aab459a..41f5544 100644 --- a/bundles/raspberrypi/items.py +++ b/bundles/raspberrypi/items.py @@ -15,11 +15,11 @@ actions = { } files = { - '/boot/cmdline.txt': { + '/boot/firmware/cmdline.txt': { 'content': ' '.join(sorted(node.metadata['raspberrypi']['cmdline'])), **file_perms, }, - '/boot/config.txt': { + '/boot/firmware/config.txt': { 'content_type': 'mako', 'context': node.metadata['raspberrypi'], **file_perms, diff --git a/bundles/raspberrypi/metadata.py b/bundles/raspberrypi/metadata.py index a4c10c2..5c8f42a 100644 --- a/bundles/raspberrypi/metadata.py +++ b/bundles/raspberrypi/metadata.py @@ -1,5 +1,6 @@ defaults = { 'apt': { + 'clean_old_kernels': False, 'packages': { 'dhcpcd5': { 'installed': False, @@ -14,6 +15,14 @@ defaults = { 'installed': False, }, }, + 'repos': { + 'raspi': { + 'install_gpg_key': False, + 'items': { + 'deb http://archive.raspberrypi.org/debian/ {os_release} main', + }, + }, + }, }, 'raspberrypi': { 'default-target': 'multi-user.target', From b1790ece358f9b2d9fe0f611f899efeb19b73b42 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Tue, 30 Jul 2024 17:45:05 +0200 Subject: [PATCH 704/996] bundles/apt: 32bit raspbian is no longer supported --- bundles/apt/files/sources.list-raspbian-buster | 1 - bundles/apt/items.py | 3 --- 2 files changed, 4 deletions(-) delete mode 100644 bundles/apt/files/sources.list-raspbian-buster diff --git a/bundles/apt/files/sources.list-raspbian-buster b/bundles/apt/files/sources.list-raspbian-buster deleted file mode 100644 index d52d1f9..0000000 --- a/bundles/apt/files/sources.list-raspbian-buster +++ /dev/null @@ -1 +0,0 @@ -deb http://raspbian.raspberrypi.org/raspbian/ buster main contrib non-free rpi diff --git a/bundles/apt/items.py b/bundles/apt/items.py index 05528d0..0f3f92d 100644 --- a/bundles/apt/items.py +++ b/bundles/apt/items.py 
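Review bot: The new `raspi` repository in bundles/raspberrypi/metadata.py is added over plain `http://` with `'install_gpg_key': False`, so apt's signature check is the only integrity protection and it depends on a signing key already being present on the node, presumably from the keyring shipped with the Raspberry Pi OS image. On a node that is plain Debian on a Pi, apt would presumably reject the repository as unsigned; either way the assumption is invisible here. A comment on the entry, e.g. `# signing key is shipped by the Raspberry Pi OS image, not installed by us`, and `https://` if the mirror supports it would make the trust path explicit.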
@@ -7,9 +7,6 @@ supported_os = {
 12: 'bookworm',
 99: 'unstable',
 },
- 'raspbian': {
- 10: 'buster',
- },
 }
 try:
From 7649396b8a102d9676b53d74fc21fda6338a60a4 Mon Sep 17 00:00:00 2001
From: Franziska Kunsmann
Date: Tue, 30 Jul 2024 17:54:24 +0200
Subject: [PATCH 705/996] bundles/mosquitto: only install telegraf plugin if we have telegraf
---
 bundles/mosquitto/items.py | 16 ++++++++--------
 bundles/mosquitto/metadata.py | 4 +++-
 2 files changed, 11 insertions(+), 9 deletions(-)
diff --git a/bundles/mosquitto/items.py b/bundles/mosquitto/items.py
index 92eb1b5..1b16413 100644
--- a/bundles/mosquitto/items.py
+++ b/bundles/mosquitto/items.py
@@ -5,12 +5,6 @@ files = {
 'svc_systemd:mosquitto:restart',
 },
 },
- '/usr/local/bin/tasmota-telegraf-plugin': {
- 'mode': '0755',
- 'needs': {
- 'pkg_apt:python3-paho-mqtt',
- },
- },
 }
 svc_systemd = {
@@ -23,6 +17,12 @@ svc_systemd = {
 }
 if node.has_bundle('telegraf'):
- files['/usr/local/bin/tasmota-telegraf-plugin']['triggers'] = {
- 'svc_systemd:telegraf:restart',
+ files['/usr/local/bin/tasmota-telegraf-plugin'] = {
+ 'mode': '0755',
+ 'needs': {
+ 'pkg_apt:python3-paho-mqtt',
+ },
+ 'triggers': {
+ 'svc_systemd:telegraf:restart',
+ },
 }
diff --git a/bundles/mosquitto/metadata.py b/bundles/mosquitto/metadata.py
index 66199ac..213dac6 100644
--- a/bundles/mosquitto/metadata.py
+++ b/bundles/mosquitto/metadata.py
@@ -5,7 +5,6 @@ defaults = {
 'packages': {
 'mosquitto': {},
 'mosquitto-clients': {},
- 'python3-paho-mqtt': {}, # for telegraf plugin
 },
 },
 'icinga2_api': {
@@ -24,6 +23,9 @@ defaults = {
 },
 }
+if node.has_bundle('telegraf'):
+ defaults['apt']['packages']['python3-paho-mqtt'] = {}
+
 @metadata_reactor.provides(
 'firewall/port_rules',
From de6073bdcf2d69fbd2869154ac2d69996a6acd46 Mon Sep 17 00:00:00 2001
From: Franziska Kunsmann
Date: Wed, 31 Jul 2024 14:53:22 +0200
Subject: [PATCH 706/996] bundles/apt: add option to disable unattended upgrades
---
 bundles/apt/metadata.py | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/bundles/apt/metadata.py b/bundles/apt/metadata.py
index df84473..526f318 100644
--- a/bundles/apt/metadata.py
+++ b/bundles/apt/metadata.py
@@ -21,6 +21,9 @@ defaults = {
 'cron/jobs/upgrade-and-reboot'
 )
 def patchday(metadata):
+ if not node.metadata.get('apt/unattended-upgrades/enabled', True):
+ return {}
+
 day = metadata.get('apt/unattended-upgrades/day')
 hour = metadata.get('apt/unattended-upgrades/hour')
From fa47322bb0268224d189f2745d8cde47e15f0a49 Mon Sep 17 00:00:00 2001
From: Franziska Kunsmann
Date: Wed, 31 Jul 2024 15:30:48 +0200
Subject: [PATCH 707/996] bundles/raspberrypi: fix config.txt for lcd display
---
 bundles/raspberrypi/files/config.txt | 23 +++++++++++++++--------
 bundles/raspberrypi/metadata.py | 19 ++++++++++++++++++-
 2 files changed, 33 insertions(+), 9 deletions(-)
diff --git a/bundles/raspberrypi/files/config.txt b/bundles/raspberrypi/files/config.txt
index 445fc63..bf6751e 100644
--- a/bundles/raspberrypi/files/config.txt
+++ b/bundles/raspberrypi/files/config.txt
@@ -1,23 +1,30 @@
 disable_overscan=1
-hdmi_force_hotplug=1
-dtparam=spi=on
 dtparam=audio=on
-dtoverlay=vc4-fkms-v3d
+dtoverlay=vc4-kms-v3d
 max_framebuffers=2
-hdmi_drive=2
 force_turbo=1
-gpu_mem=${node.metadata['raspberrypi'].get('gpu_mem', 128)}
+gpu_mem=${node.metadata.get('raspberrypi/gpu_mem', 128)}
+
+% if node.metadata.get('raspberrypi/enable_display'):
+display_auto_detect=1
+% else:
+dtparam=i2c_arm=on
+dtparam=i2s=on
+dtparam=spi=on
+hdmi_drive=2
+hdmi_force_hotplug=1
+% endif
 % if node.os == 'debian':
 arm_64bit=1
 % endif
 arm_boost=1
-% for item in sorted(node.metadata['raspberrypi'].get('config.txt', set())):
+% for item in sorted(node.metadata.get('raspberrypi/config.txt', set())):
 ${item}
 % endfor
-% if node.metadata['raspberrypi'].get('camera', False):
-start_x=1
+% if node.metadata.get('raspberrypi/enable_camera', False):
+camera_auto_detect=1
 % endif
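Review bot: Inside the `patchday` reactor the new guard reads `node.metadata.get('apt/unattended-upgrades/enabled', True)` while the lines right after it read from the `metadata` argument; as far as I know bundlewrap resolves reactor dependencies through that argument, and going through `node.metadata` from within a reactor sidesteps it and is discouraged or rejected by recent versions. `if not metadata.get('apt/unattended-upgrades/enabled', True):` keeps the function consistent with its neighbours. The rest of `patchday` continues outside the hunk.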
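Review bot: When `raspberrypi/enable_display` is set, the template now drops `dtparam=i2c_arm=on`, `dtparam=i2s=on`, `dtparam=spi=on`, `hdmi_drive=2` and `hdmi_force_hotplug=1` entirely, so enabling the display also disables those buses and the HDMI overrides; if that coupling is intended (the DSI panel presumably conflicts with them), a template comment above the branch, `## DSI display: bus overlays and HDMI overrides stay off on purpose`, would stop someone from re-adding them. If it is not intended, the `% else:` branch should only hold the options that actually conflict with the display.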
diff --git a/bundles/raspberrypi/metadata.py b/bundles/raspberrypi/metadata.py
index 5c8f42a..80eac1a 100644
--- a/bundles/raspberrypi/metadata.py
+++ b/bundles/raspberrypi/metadata.py
@@ -25,7 +25,6 @@ defaults = {
 },
 },
 'raspberrypi': {
- 'default-target': 'multi-user.target',
 'cmdline': {
 'console=tty1',
 'root=/dev/mmcblk0p2',
@@ -37,6 +36,8 @@ defaults = {
 'plymouth.ignore-serial-consoles',
 'net.ifnames=0',
 },
+ 'default-target': 'multi-user.target',
+ 'enable_display': False,
 },
 'systemd': {
 'journal': {
@@ -46,3 +47,19 @@ defaults = {
 },
 },
 }
+
+
+@metadata_reactor.provides(
+ 'raspberrypi/cmdline',
+)
+def display(metadata):
+ if not metadata.get('raspberrypi/enable_display'):
+ return {}
+
+ return {
+ 'raspberrypi': {
+ 'cmdline': {
+ 'video=DSI-1:800x480@60,rotate=180',
+ },
+ },
+ }
From 89000c12e64aea7a7e608ba9a441ef861032f3ce Mon Sep 17 00:00:00 2001
From: Sophie Schiller
Date: Mon, 22 Jul 2024 21:21:48 +0200
Subject: [PATCH 708/996] vmhost: document interface change
---
 nodes/sophie/vmhost.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/nodes/sophie/vmhost.py b/nodes/sophie/vmhost.py
index d9321d1..d6e56f3 100644
--- a/nodes/sophie/vmhost.py
+++ b/nodes/sophie/vmhost.py
@@ -53,7 +53,7 @@ nodes['sophie.vmhost'] = {
 'bridges': {
 'br0': {
 'match': {
- 'eno2',
+ 'eno1',
 },
 },
 'br1': {
From 7fd248af8d691cb9d260537a472266876259d1cc Mon Sep 17 00:00:00 2001
From: Sophie Schiller
Date: Sat, 3 Aug 2024 17:10:04 +0200
Subject: [PATCH 709/996] version bumps on miniserver
---
 nodes/sophie/miniserver.py | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/nodes/sophie/miniserver.py b/nodes/sophie/miniserver.py
index 06fb140..b2d6db9 100644
--- a/nodes/sophie/miniserver.py
+++ b/nodes/sophie/miniserver.py
@@ -63,7 +63,7 @@ nodes['htz-cloud.miniserver'] = {
 },
 'element-web': {
 'url': 'chat.sophies-kitchen.eu',
- 'version': 'v1.11.69',
+ 'version': 'v1.11.72',
 'config': {
 'default_server_config': {
 'm.homeserver': {
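Review bot: The new `display` reactor hard-codes `'video=DSI-1:800x480@60,rotate=180'`, so every node with `enable_display` gets the same panel geometry and rotation; reading the mode from metadata with this value as the default, `metadata.get('raspberrypi/display_mode', 'DSI-1:800x480@60,rotate=180')`, would let a second panel type reuse the reactor without another code change. A one-line docstring naming the panel this was written for, e.g. `"""Add the kernel video mode for the 800x480 DSI touch display."""`, would also help, since `enable_display` alone does not say which display.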
@@ -111,9 +111,9 @@ nodes['htz-cloud.miniserver'] = {
 },
 },
 'matrix-media-repo': {
- 'version': 'v1.3.4',
+ 'version': 'v1.3.7',
 'datastore_id': '99c09e24edc4e9be6c4c9486bc147e385bc87044',
- 'sha1': '55d353b472894547c61b11567089eb2cf40ce5ba',
+ 'sha1': '3e2bb7089b0898b86000243a82cc58ae998dc9d9',
 'homeservers': {
 'sophies-kitchen.eu': {
 'domain': 'http://[::1]:20080/',
@@ -143,7 +143,7 @@ nodes['htz-cloud.miniserver'] = {
 },
 },
 'mautrix-telegram': {
- 'version': 'v0.15.1',
+ 'version': 'v0.15.2',
 'homeserver': {
 'domain': 'sophies-kitchen.eu',
 'url': 'https://matrix.sophies-kitchen.eu',
@@ -205,7 +205,7 @@ nodes['htz-cloud.miniserver'] = {
 },
 },
 'nodejs': {
- 'version': 18,
+ 'version': 20,
 },
 'ntfy': {
 'domain': 'ntfy.sophies-kitchen.eu',
From 6fa3abc2179e35ff440a919dd51125bcce2c7b0a Mon Sep 17 00:00:00 2001
From: Sophie Schiller
Date: Sat, 3 Aug 2024 17:10:38 +0200
Subject: [PATCH 710/996] hedgedoc: fix install needs
---
 bundles/hedgedoc/items.py | 1 -
 1 file changed, 1 deletion(-)
diff --git a/bundles/hedgedoc/items.py b/bundles/hedgedoc/items.py
index d5d256d..732f465 100644
--- a/bundles/hedgedoc/items.py
+++ b/bundles/hedgedoc/items.py
@@ -72,7 +72,6 @@ actions = {
 'yarn build',
 ]),
 'needs': {
- 'action:nodejs_install_yarn',
 'file:/opt/hedgedoc/config.json',
 'git_deploy:/opt/hedgedoc',
 'pkg_apt:nodejs',
From fb70a068d8c3ec0399bfddf9cb6a489f42cecf1e Mon Sep 17 00:00:00 2001
From: Sophie Schiller
Date: Sat, 3 Aug 2024 17:10:55 +0200
Subject: [PATCH 711/996] nodejs: deb-src no longer available
---
 bundles/nodejs/metadata.py | 1 -
 1 file changed, 1 deletion(-)
diff --git a/bundles/nodejs/metadata.py b/bundles/nodejs/metadata.py
index b213fcc..5c0f7ad 100644
--- a/bundles/nodejs/metadata.py
+++ b/bundles/nodejs/metadata.py
@@ -33,7 +33,6 @@ def nodejs_from_version(metadata):
 'nodejs': {
 'items': {
 f'deb https://deb.nodesource.com/node_{version}.x nodistro main',
- f'deb-src https://deb.nodesource.com/node_{version}.x nodistro main',
 },
 },
 },
From a1eb9cb3fc058a6c0ea77aec5558896ad3a775a9 Mon Sep 17 00:00:00 2001
From: Franziska Kunsmann
Date: Wed, 31 Jul 2024 17:40:36 +0200
Subject: [PATCH 712/996] bundles/telegraf: add option to opt-out of default metrics
---
 bundles/telegraf/items.py | 28 ++++++++++++++----------
 1 file changed, 16 insertions(+), 12 deletions(-)
diff --git a/bundles/telegraf/items.py b/bundles/telegraf/items.py
index 81b6375..4ee5ef2 100644
--- a/bundles/telegraf/items.py
+++ b/bundles/telegraf/items.py
@@ -11,7 +11,19 @@ telegraf_config = {
 'quiet': False,
 'round_interval': False,
 },
- 'inputs': {
+ 'outputs': {
+ 'influxdb_v2': [{
+ 'urls': [node.metadata.get('telegraf/influxdb_url', repo.libs.defaults.influxdb_url)],
+ 'token': node.metadata.get('telegraf/influxdb_token', repo.vault.decrypt(repo.libs.defaults.influxdb_token)),
+ 'organization': node.metadata.get('telegraf/influxdb_org', repo.vault.decrypt(repo.libs.defaults.influxdb_org)),
+ 'bucket': node.metadata.get('telegraf/influxdb_bucket', repo.vault.decrypt(repo.libs.defaults.influxdb_bucket)),
+ }],
+ },
+ 'inputs': {},
+}
+
+if node.metadata.get('telegraf/collect_default_metrics', True):
+ telegraf_config['inputs'] = {
 'cpu': [{
 'percpu': False,
 'totalcpu': True,
@@ -43,17 +55,9 @@ telegraf_config = {
 'nstat': [{}],
 'processes': [{}],
 'system': [{}],
- **node.metadata.get('telegraf/input_plugins/builtin', {}),
- },
- 'outputs': {
- 'influxdb_v2': [{
- 'urls': [node.metadata.get('telegraf/influxdb_url', repo.libs.defaults.influxdb_url)],
- 'token': node.metadata.get('telegraf/influxdb_token', repo.vault.decrypt(repo.libs.defaults.influxdb_token)),
- 'organization': node.metadata.get('telegraf/influxdb_org', repo.vault.decrypt(repo.libs.defaults.influxdb_org)),
- 'bucket': node.metadata.get('telegraf/influxdb_bucket', repo.vault.decrypt(repo.libs.defaults.influxdb_bucket)),
- }],
- },
-}
+ }
+
+telegraf_config['inputs'].update(node.metadata.get('telegraf/input_plugins/builtin', {}))
 # Bundlewrap can't merge lists. To work around this, telegraf/input_plugins/exec(d)
 # is a dict, of which we only use the value of it. This also allows us
From 5a1e37a41c2381f1b9fdad35a9f2b121ed22fd64 Mon Sep 17 00:00:00 2001
From: Franziska Kunsmann
Date: Thu, 1 Aug 2024 08:40:47 +0200
Subject: [PATCH 713/996] bundles/systemd-networkd: remove networkmanager
---
 bundles/systemd-networkd/metadata.py | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/bundles/systemd-networkd/metadata.py b/bundles/systemd-networkd/metadata.py
index 46cd893..6e67af9 100644
--- a/bundles/systemd-networkd/metadata.py
+++ b/bundles/systemd-networkd/metadata.py
@@ -4,6 +4,9 @@ defaults = {
 'isc-dhcp-client': {
 'installed': False,
 },
+ 'network-manager': {
+ 'installed': False,
+ },
 'resolvconf': {
 'installed': False,
 },
From 5af7b92663c258182b4d9e6e4616d983894e7a1f Mon Sep 17 00:00:00 2001
From: Franziska Kunsmann
Date: Thu, 1 Aug 2024 08:41:30 +0200
Subject: [PATCH 714/996] bw/data/apt: grafana changed their gpg key
---
 data/apt/files/gpg-keys/grafana.asc | 98 +++++++++++++++++++++++++++++
 1 file changed, 98 insertions(+)
diff --git a/data/apt/files/gpg-keys/grafana.asc b/data/apt/files/gpg-keys/grafana.asc
index dc4f616..074cc78 100644
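Review bot: `telegraf_config['inputs'].update(node.metadata.get('telegraf/input_plugins/builtin', {}))` replaces, rather than extends, any default input whose key a node also defines (`cpu`, `system`, …), because a dict update overwrites the whole value list; the existing comment below about bundlewrap not merging lists only explains this for the exec(d) plugins. The old `**` spread inside the dict literal had the same semantics, so this is a documentation gap rather than a regression: a line above the call such as `# a node-defined builtin plugin replaces the default input of the same name` would record it. With `collect_default_metrics` false the update now runs against an empty dict, which is the intended opt-out and could be mentioned in the same comment.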
--- a/data/apt/files/gpg-keys/grafana.asc
+++ b/data/apt/files/gpg-keys/grafana.asc
@@ -1,4 +1,46 @@ -----BEGIN PGP PUBLIC KEY BLOCK----- +Version: GnuPG v1 + +mQENBFiHXVIBCADr3VDEAGpq9Sg/xrPVu1GGqWGXdbnTbbNKeveCtFHZz7/GSATW +iwiY1skvlAOBiIKCqJEji0rZZgd8WxuhdfugiCBk1hDTMWCpjI0P+YymV77jHjYB +jHrKNlhb+aLjEd9Gf2EtbKUT1fvGUkzlVrcRGSX/XR9MBZlgja7NIyuVbn3uwZQ4 +jflWSNSlvMpohNxTFkrBFTRrCJXhbDLfCS46+so22CP3+1VQyqJ7/6RWK9v9KYdS +AVNgILXMggSrMqha4WA1a/ktczVQXNtP8IuPxTdp9pNYsklOTmrFVeq3mXsvWh9Q +lIhpYHIZlTZ5wVBq4wTRchsXC5MubIhz+ASDABEBAAG0GkdyYWZhbmEgPGluZm9A +Z3JhZmFuYS5jb20+iQE4BBMBAgAiBQJYh11SAhsDBgsJCAcDAgYVCAIJCgsEFgID +AQIeAQIXgAAKCRCMjDTFJAmMthxJB/9Id6JrwqRkJW+eSBb71FGQmRsJvNFR8J+3 +NPVhJNkTFFOM7TnjAMUIv+LYEURqGcceTNAN1aHq/7n/8ybXucCS0CnDYyNYpyVs +tWJ3FOQK3jPrmziDCWPQATqMM/Z2auXVFWrDFqfh2xKZNjuix0w2nyuWB8U0CG2U +89w+ksPJblGGU5xLPPzDQoAqyZXY3gpGGTkCuohMq2RWYbp/QJSQagYhQkKZoJhr +XJlnw4At6R1A5UUPzDw6WJqMRkGrkieE6ApIgf1vZSmnLRpXkqquRTAEyGT8Pugg +ee6YkD19/LK6ED6gn32StY770U9ti560U7oRjrOPK/Kjp4+qBtkQuQENBFiHXVIB +CACz4hO1g/4fKO9QWLcbSWpB75lbNgt1kHXP0UcW8TE0DIgqrifod09lC85adIz0 +zdhs+00lLqckM5wNbp2r+pd5rRaxOsMw2V+c/y1Pt3qZxupmPc5l5lL6jzbEVR9g +ygPaE+iabTk9Np2OZQ7Qv5gIDzivqK2mRHXaHTzoQn2dA/3xpFcxnen9dvu7LCpA +CdScSj9/UIRKk9PHIgr2RJhcjzLx0u1PxN9MEqfIsIJUUgZOoDsr8oCs44PGGIMm +cK1CKALLLiC4ZM58B56jRyXo18MqB6VYsC1X9wkcIs72thL3tThXO70oDGcoXzoo +ywAHBH63EzEyduInOhecDIKlABEBAAGJAR8EGAECAAkFAliHXVICGwwACgkQjIw0 +xSQJjLbWSwf/VIM5wEFBY4QLGUAfqfjDyfGXpcha58Y24Vv3n6MwJqnCIbTAaeWf +30CZ/wHg3NNIMB7I31vgmMOEbHQdv0LPTi9TG205VQeehcpNtZRZQ0D8TIetbxyi +Emmn9osig9U3/7jaAWBabE/9bGx4TF3eLlEH9wmFrNYeXvgRqmyqVoqhIMCNAAOY +REYyHyy9mzr9ywkwl0aroBqhzKIPyFlatZy9oRKllY/CCKO9RJy4DZidLphuwzqU +ymdQ1sqe5nKvwG5GvcncPc3O7LMevDBWnpNNkgERnVxCqpm90TuE3ONbirnU4+/S +tUsVU1DERc1fjOCnAm4pKIlNYphISIE7OQ== +=0pMC +-----END PGP PUBLIC KEY BLOCK----- +-----BEGIN PGP PUBLIC KEY BLOCK----- +Comment: This is a revocation certificate + +iQE2BCABCgAgFiEETkDd9tduKEpKZ4DkjIw0xSQJjLYFAmO9q0cCHQIACgkQjIw0 +xSQJjLarJAf+JJU0CHTMSSs5WH6ohVy54HN+ev7p7vfcgvvFBAWZLTLrG5+eFUH0 
+w0m9KegxAs+H/H/68ld1jY/P62fvkOR7WCWQ7HH+8ClKLwuWS4DpOHK9IOkHDK0w +0pVJ6NBiwhv8/B7EmiBf9zndjMtYa/wf8JZYVOXb0XE0L+Ec0WZSRZH+/WGA1E1s +MSgPwqDF7RKXDCJ65elYxi9CPZvXhj6RVldn/aRuHf5/SCDE/HmnDB9+v6ReEsWV +r/Xis2J0pWphpF/xtYxGf+Iy5fAHwDd4z9uKs9mBHSR0aDisuAW/eHF6KvBzQ7y0 +Yf3KxEyDvLwuAA5NBi7Xsd2wSKdfBGUGcQ== +=KTb+ +-----END PGP PUBLIC KEY BLOCK----- +-----BEGIN PGP PUBLIC KEY BLOCK----- mQGNBGO4aiUBDAC82zo3vUyQH3yTCabQ7ZpospBg/xXBbJWbQNksIbEP/+I12CjB zac1QcMFd27MJlyXpsTqqSo1ZHOisNy0Tmyl/WlqMyoMeChg+LmIHLNbvAK0jPOX 
@@ -39,3 +81,59 @@ Fj8eP2CocfRC+Lqv0azQwyEVMkYSMKoFbhXmjiBZn9JxblndKnVbByA1/nMAa0Q7 HTJC50jDJfpM9d1xQW/W5LBSQjd3czM6zlRXsliX =lSMJ -----END PGP PUBLIC KEY BLOCK----- +-----BEGIN PGP PUBLIC KEY BLOCK----- +Comment: This is a revocation certificate + +iQG2BCABCAAgFiEEDiLriOOeEid6d2CunkObECzzwMYFAmO4amECHQAACgkQnkOb +ECzzwMYiDQv/bbRnEhrFhr5XyA2vnu6nTZezbMwArC/ZwtFxtnj2iAwGZYY/pbPx +L8cHTpvK99I6J02SBHpmzthwHSindddPjuuQENdqH/TDlGvPH/mECJVTN9/kpjlg +HtO0MVKAKyXGbij7fR8prfPMRqOFbo4Rn9nQZZ/eY9KwkKVKxKHymppNbUbvv1qQ +NGfOi2QWkF+T8dbihbJHJgYpPb7uEmJ2EOX0KHu9nlYGX4jxtql+M3yeOi3juaXH +hLFWqVn3FkQW7N4IV+bVTkYcxQg01rWqY/h7BvL88AiMoiUXhOvE5iAS4sJe+EVB +bDfRaLr1Ju1CXYm5B+Q9b2pU0SWAbBNlVxYGs+NOeBh9YzwdGTFW2l/S/VLLv0bE +hBYuLwOIs0BqrL4TWwlB1ucEikg+r3O7OZL8Dnw0mnBVBmQxKhl1p8dLcYtylG3B +aEIbN6wHQe03xYvAmaHDdG0kjPiwhOlpZ+YU3ux8F2YnENXm9J+25GMyTXqybKQl +ltTE4hHgRH2v +=n71X +-----END PGP PUBLIC KEY BLOCK----- +-----BEGIN PGP PUBLIC KEY BLOCK----- + +mQGNBGTnhmkBDADUE+SzjRRyitIm1siGxiHlIlnn6KO4C4GfEuV+PNzqxvwYO+1r +mcKlGDU0ugo8ohXruAOC77Kwc4keVGNU89BeHvrYbIftz/yxEneuPsCbGnbDMIyC +k44UOetRtV9/59Gj5YjNqnsZCr+e5D/JfrHUJTTwKLv88A9eHKxskrlZr7Un7j3i +Ef3NChlOh2Zk9Wfk8IhAqMMTferU4iTIhQk+5fanShtXIuzBaxU3lkzFSG7VuAH4 +CBLPWitKRMn5oqXUE0FZbRYL/6Qz0Gt6YCJsZbaQ3Am7FCwWCp9+ZHbR9yU+bkK0 +Dts4PNx4Wr9CktHIvbypT4Lk2oJEPWjcCJQHqpPQZXbnclXRlK5Ea0NVpaQdGK+v +JS4HGxFFjSkvTKAZYgwOk93qlpFeDML3TuSgWxuw4NIDitvewudnaWzfl9tDIoVS +Bb16nwJ8bMDzovC/RBE14rRKYtMLmBsRzGYHWd0NnX+FitAS9uURHuFxghv9GFPh +eTaXvc4glM94HBUAEQEAAbQmR3JhZmFuYSBMYWJzIDxlbmdpbmVlcmluZ0BncmFm +YW5hLmNvbT6JAdQEEwEKAD4WIQS1Oud7rbYwpoMEYAWWP6J3EEWFRQUCZOeGaQIb +AwUJA8JnAAULCQgHAgYVCgkICwIEFgIDAQIeAQIXgAAKCRCWP6J3EEWFRUiADACa +i+xytv2keEFJWjXNnFAx6/obnHRcXOI3w6nH/zL8gNI7YN5jcdQT2NYvKVYTb3fW +GuMsjHWgat5Gq3AtJrOKABpZ6qeYNPk0Axn/dKtOTwXjZ4pKX3bbUYvVfs0fCEZv +B0HHIj2wI9kgMpoTrkj22LE8layZTPOoQ+3/FbLzS8hN3CYZj25mHN7bpZq8EbV3 +8FW9EU0HM0tg6CvoxkRiVqAuAC0KnVIZAdhD4dlYKuncq64nMvT1A5wxSYbnE+uf +mnWQQhhS6BOwRqN054yw1FrWNDFsvnOSHmr8dIiriv+aZYvx5JQFJ7oZP3LwdYyg 
+ocQcAJA8HFTIk3P6uJiIF/zdDzocgdKs+IYDoId0hxX7sGCvqdrsveq8n3m7uQiN +7FvSiV0eXIdV4F7340kc8EKiYwpuYSaZX0UWKLenzlUvD+W4pZCWtoXzPsW7PKUt +q1xdW0+NY+AGLCvSJCc5F4S5kFCObfBAYBbldjwwJFocdq/YOvvWYTPyV7kJeJS5 +AY0EZOeGaQEMALNIFUricEIwtZiX7vSDjwxobbqPKqzdek8x3ud0CyYlrbGHy0k+ +FDEXstjJQQ1s9rjJSu3sv5wyg9GDAUH3nzO976n/ZZvKPti3p2XU2UFx5gYkaaFV +D56yYxqGY0YU5ft6BG+RUz3iEPg3UBUzt0sCIYnG9+CsDqGOnRYIIa46fu2/H9Vu +8JvvSq9xbsK9CfoQDkIcoQOixPuI4P7eHtswCeYR/1LUTWEnYQWsBCf57cEpzR6t +7mlQnzQo9z4i/kp4S0ybDB77wnn+isMADOS+/VpXO+M7Zj5tpfJ6PkKch3SGXdUy +3zht8luFOYpJr2lVzp7n3NwB4zW08RptTzTgFAaW/NH2JjYI+rDvQm4jNs08Dtsp +nm4OQvBA9Df/6qwMEOZ9i10ixqk+55UpQFJ3nf4uKlSUM7bKXXVcD/odq804Y/K4 +y3csE059YVIyaPexEvYSYlHE2odJWRg2Q1VehmrOSC8Qps3xpU7dTHXD74ZpaYbr +haViRS5v/lCsiwARAQABiQG8BBgBCgAmFiEEtTrne622MKaDBGAFlj+idxBFhUUF +AmTnhmkCGwwFCQPCZwAACgkQlj+idxBFhUUNbQv8DCcfi3GbWfvp9pfY0EJuoFJX +LNgci7z7smXq7aqDp2huYQ+MulnPAydjRCVW2fkHItF2Ks6l+2/8t5Xz0eesGxST +xTyR31ARENMXaq78Lq+itZ+usOSDNuwJcEmJM6CceNMLs4uFkX2GRYhchkry7P0C +lkLxUTiB43ooi+CqILtlNxH7kM1O4Ncs6UGZMXf2IiG9s3JDCsYVPkC5QDMOPkTy +2ZriF56uPerlJveF0dC61RZ6RlM3iSJ9Fwvea0Oy4rwkCcs5SHuwoDTFyxiyz0QC +9iqi3fG3iSbLvY9UtJ6X+BtDqdXLAT9Pq527mukPP3LwpEqFVyNQKnGLdLOu2YXc +TWWWseSQkHRzBmjD18KTD74mg4aXxEabyT4snrXpi5+UGLT4KXGV5syQO6Lc0OGw +9O/0qAIU+YW7ojbKv8fr+NB31TGhGYWASjYlN1NvPotRAK6339O0/Rqr9xGgy3AY +SR+ic2Y610IM7xccKuTVAW9UofKQwJZChqae9VVZ +=J9CI +-----END PGP PUBLIC KEY BLOCK----- From 30cf20c28db6416ae1345e2635ba8d2c653a8ade Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sat, 10 Aug 2024 19:09:26 +0200 Subject: [PATCH 715/996] bundles/c3voc-addons: add action:apt_execute_update_commands --- bundles/c3voc-addons/items.py | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/bundles/c3voc-addons/items.py b/bundles/c3voc-addons/items.py index 709b10e..cd7612b 100644 --- a/bundles/c3voc-addons/items.py +++ b/bundles/c3voc-addons/items.py 
@@ -7,9 +7,6 @@ supported_os = {
 12: 'bookworm',
 99: 'unstable',
 },
- 'raspbian': {
- 10: 'buster',
- },
 }
 try:
@@ -82,6 +79,10 @@ actions = {
 'triggered': True,
 'cascade_skip': False,
 },
+ 'apt_execute_update_commands': {
+ 'command': ' && '.join(sorted(node.metadata.get('apt/additional_update_commands', {'true'}))),
+ 'triggered': True,
+ },
 }
 directories = {
From f0ebed5dba10d9282138c3bd69537f126bca2779 Mon Sep 17 00:00:00 2001
From: Franziska Kunsmann
Date: Sat, 10 Aug 2024 19:09:59 +0200
Subject: [PATCH 716/996] bundles/sshmon: yet another letsencrypt hash
---
 bundles/sshmon/files/check_https_certificate_at_url | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/bundles/sshmon/files/check_https_certificate_at_url b/bundles/sshmon/files/check_https_certificate_at_url
index f494e37..e9fb507 100644
--- a/bundles/sshmon/files/check_https_certificate_at_url
+++ b/bundles/sshmon/files/check_https_certificate_at_url
@@ -21,7 +21,8 @@ case "$issuer_hash" in
 # 8d33f237: issuer=C = US, O = Let's Encrypt, CN = R3
 # 462422cf: issuer=C = US, O = Let's Encrypt, CN = E5
 # 9aad238c: issuer=C = US, O = Let's Encrypt, CN = E6
- 4f06f81d|8d33f237|462422cf|9aad238c)
+ # 31dfb39d: issuer=C = US, O = Let's Encrypt, CN = R11
+ 4f06f81d|8d33f237|462422cf|9aad238c|31dfb39d)
 warn_days=10
 crit_days=3
 ;;
From 01a8d7a6db1354ca0d7888d7d7c7a6d51ef0518e Mon Sep 17 00:00:00 2001
From: Franziska Kunsmann
Date: Sat, 10 Aug 2024 19:10:20 +0200
Subject: [PATCH 717/996] add bundle:sdm630_mqtt
---
 .../sdm630_mqtt/files/sdm630_printout.service | 21 +++++
 .../sdm630_mqtt/files/sdm630_to_mqtt.service | 14 ++++
 bundles/sdm630_mqtt/items.py | 76 +++++++++++++++++++
 bundles/sdm630_mqtt/metadata.py | 38 ++++++++++
 4 files changed, 149 insertions(+)
 create mode 100644 bundles/sdm630_mqtt/files/sdm630_printout.service
 create mode 100644 bundles/sdm630_mqtt/files/sdm630_to_mqtt.service
 create mode 100644 bundles/sdm630_mqtt/items.py
 create mode 100644 bundles/sdm630_mqtt/metadata.py
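Review bot: Every new Let's Encrypt intermediate (R3, E5, E6, now R11) needs another entry in the `case` pattern, because `$issuer_hash` appears to be OpenSSL's hash of the issuer DN, which changes with each new CN even though the organisation does not; how `$issuer_hash` is computed is outside the hunk. If the script also has the issuer DN string at hand, matching on `O = Let's Encrypt` instead of the growing hash list would remove this recurring maintenance; if it does not, a comment above the list, `# add a new hash here whenever Let's Encrypt rotates its intermediates`, would at least record the procedure the commit title alludes to. The `case` statement starts outside the hunk.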
diff --git a/bundles/sdm630_mqtt/files/sdm630_printout.service b/bundles/sdm630_mqtt/files/sdm630_printout.service
new file mode 100644
index 0000000..8ba5a23
--- /dev/null
+++ b/bundles/sdm630_mqtt/files/sdm630_printout.service
@@ -0,0 +1,21 @@
+[Unit]
+Description=SDM630 stats printout
+Conflicts=getty@tty1.service
+After=systemd-user-sessions.service getty@tty1.service plymouth-quit.service
+
+[Service]
+User=sdm630_mqtt
+Group=sdm630_mqtt
+ExecStart=/opt/sdm630_mqtt/venv/bin/python printout.py /opt/sdm630_mqtt/config.toml
+WorkingDirectory=/opt/sdm630_mqtt/src
+Restart=always
+RestartSec=10
+StandardInput=tty
+StandardOutput=tty
+StandardError=journal
+TTYPath=/dev/tty1
+TTYReset=yes
+TTYVHangup=yes
+
+[Install]
+WantedBy=multi-user.target
diff --git a/bundles/sdm630_mqtt/files/sdm630_to_mqtt.service b/bundles/sdm630_mqtt/files/sdm630_to_mqtt.service
new file mode 100644
index 0000000..b1e67d7
--- /dev/null
+++ b/bundles/sdm630_mqtt/files/sdm630_to_mqtt.service
@@ -0,0 +1,14 @@
+[Unit]
+Description=SDM630-to-MQTT bridge
+After=network.target
+
+[Service]
+User=sdm630_mqtt
+Group=sdm630_mqtt
+ExecStart=/opt/sdm630_mqtt/venv/bin/python sdm630_mqtt.py /opt/sdm630_mqtt/config.toml
+WorkingDirectory=/opt/sdm630_mqtt/src
+Restart=always
+RestartSec=1
+
+[Install]
+WantedBy=multi-user.target
diff --git a/bundles/sdm630_mqtt/items.py b/bundles/sdm630_mqtt/items.py
new file mode 100644
index 0000000..6a691c9
--- /dev/null
+++ b/bundles/sdm630_mqtt/items.py
@@ -0,0 +1,76 @@
+directories['/opt/sdm630_mqtt/src'] = {}
+
+git_deploy['/opt/sdm630_mqtt/src'] = {
+ 'repo': 'https://git.franzi.business/kunsi/sdm630_mqtt.git',
+ 'rev': 'main',
+ 'triggers': {
+ 'action:sdm630_mqtt_install_deps',
+ },
+}
+
+actions['sdm630_mqtt_create_virtualenv'] = {
+ 'command': 'python3 -m virtualenv /opt/sdm630_mqtt/venv',
+ 'unless': 'test -x /opt/sdm630_mqtt/venv/bin/python3',
+ 'needs': {
+ 'directory:/opt/sdm630_mqtt/src',
+ },
+}
+
+actions['sdm630_mqtt_install_deps'] = {
+ 'command': 'cd /opt/sdm630_mqtt/src && /opt/sdm630_mqtt/venv/bin/pip install -r requirements.txt',
+ 'triggered': True,
+ 'needs': {
+ 'action:sdm630_mqtt_create_virtualenv',
+ },
+}
+
+users['sdm630_mqtt'] = {
+ 'home': '/opt/sdm630_mqtt',
+}
+
+files['/opt/sdm630_mqtt/config.toml'] = {
+ 'content': repo.libs.faults.dict_as_toml(node.metadata.get('sdm630_mqtt/config')),
+ 'triggers': set(),
+}
+
+if node.has_bundle('telegraf'):
+ files['/opt/sdm630_mqtt/config.toml']['triggers'].add('svc_systemd:telegraf:restart')
+ git_deploy['/opt/sdm630_mqtt/src']['triggers'].add('svc_systemd:telegraf:restart')
+
+if node.metadata.get('sdm630_mqtt/enable_stats_collection', True):
+ files['/usr/local/lib/systemd/system/sdm630_to_mqtt.service'] = {
+ 'triggers': {
+ 'action:systemd-reload',
+ 'svc_systemd:sdm630_to_mqtt:restart',
+ },
+ }
+
+ svc_systemd['sdm630_to_mqtt'] = {
+ 'needs': {
+ 'git_deploy:/opt/sdm630_mqtt/src',
+ 'action:sdm630_mqtt_install_deps',
+ 'file:/usr/local/lib/systemd/system/sdm630_to_mqtt.service',
+ },
+ }
+
+ files['/opt/sdm630_mqtt/config.toml']['triggers'].add('svc_systemd:sdm630_to_mqtt:restart')
+ git_deploy['/opt/sdm630_mqtt/src']['triggers'].add('svc_systemd:sdm630_to_mqtt:restart')
+
+if node.metadata.get('sdm630_mqtt/enable_local_printout', False):
+ files['/usr/local/lib/systemd/system/sdm630_printout.service'] = {
+ 'triggers': {
+ 'action:systemd-reload',
+ 'svc_systemd:sdm630_printout:restart',
+ },
+ }
+
+ svc_systemd['sdm630_printout'] = {
+ 'needs': {
+ 'git_deploy:/opt/sdm630_mqtt/src',
+ 'action:sdm630_mqtt_install_deps',
+ 'file:/usr/local/lib/systemd/system/sdm630_printout.service',
+ },
+ }
+
+ files['/opt/sdm630_mqtt/config.toml']['triggers'].add('svc_systemd:sdm630_printout:restart')
+ git_deploy['/opt/sdm630_mqtt/src']['triggers'].add('svc_systemd:sdm630_printout:restart')
diff --git a/bundles/sdm630_mqtt/metadata.py b/bundles/sdm630_mqtt/metadata.py
new file mode 100644
index 0000000..944b8b2
--- /dev/null
+++ b/bundles/sdm630_mqtt/metadata.py
@@ -0,0 +1,38 @@
+defaults = {
+ 'sdm630_mqtt': {
+ 'config': {
+ 'modbus': {
+ 'host': '127.0.0.1',
+ 'port': 501,
+ 'unit_id': 1,
+ },
+ 'mqtt': {
+ 'prefix': 'sdm630',
+ 'host': '127.0.0.1',
+ 'port': 1883,
+ },
+ 'printout': {
+ 'title': 'SDM630',
+ },
+ 'telegraf': {
+ 'identifier': 'unknown',
+ },
+ },
+ },
+ 'telegraf': {
+ 'input_plugins': {
+ 'execd': {
+ 'sdm630_mqtt': {
+ 'command': [
+ '/opt/sdm630_mqtt/venv/bin/python',
+ '/opt/sdm630_mqtt/src/telegraf.py',
+ '/opt/sdm630_mqtt/config.toml',
+ ],
+ 'signal': 'none',
+ 'restart_delay': '1s',
+ 'data_format': 'influx',
+ },
+ },
+ },
+ },
+}
From 94e56fd92dce0947a9c8638b7418a09a618376b7 Mon Sep 17 00:00:00 2001
From: Franziska Kunsmann
Date: Sat, 10 Aug 2024 19:11:18 +0200
Subject: [PATCH 718/996] update element-web to 1.11.73
---
 nodes/carlene.toml | 2 +-
 nodes/htz-cloud.afra.toml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/nodes/carlene.toml b/nodes/carlene.toml
index 32b101f..67a886a 100644
--- a/nodes/carlene.toml
+++ b/nodes/carlene.toml
@@ -40,7 +40,7 @@ imap_pass = "!bwpass_attr:t-online.de/franzi.kunsmann@t-online.de:imap"
 [metadata.element-web]
 url = "chat.franzi.business"
-version = "v1.11.71"
+version = "v1.11.73"
 [metadata.element-web.config]
 default_server_config.'m.homeserver'.base_url = "https://matrix.franzi.business"
 default_server_config.'m.homeserver'.server_name = "franzi.business"
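Review bot: `git_deploy['/opt/sdm630_mqtt/src']` tracks `'rev': 'main'`, so each deploy pulls whatever that branch currently holds and, through the triggers, reinstalls requirements and restarts the services; that is unlike the rest of this repository, where deployed software is pinned (the `version`/`sha1` pairs in nodes/carlene.toml on this page). Pinning `'rev'` to a commit (placeholder: `'rev': '<pinned-commit-sha>'`) and bumping it deliberately would make deploys reproducible and keep an upstream push from changing the node unreviewed. The `pip install -r requirements.txt` action has the same property unless that file pins versions, which is not visible here. A short header comment describing the three opt-in pieces (bridge, local printout, telegraf hook) would also help, as the file has none.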
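Review bot: `'modbus': {'port': 501}` looks like a typo for the registered Modbus/TCP port 502; if 501 is deliberate (a gateway on a non-standard port, say), a comment next to it would stop the next reader from "fixing" it. Both `modbus.host` and `mqtt.host` default to `127.0.0.1`, which is a safe default but one every real node must override, and nothing in the bundle fails loudly if it does not; `# placeholder, must be overridden per node` on those two lines would make that clear. The `telegraf` execd entry is added to `defaults` unconditionally, unlike the telegraf handling in items.py which is gated on `node.has_bundle('telegraf')`; if that asymmetry is intended, a comment saying so would help.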
diff --git a/nodes/htz-cloud.afra.toml b/nodes/htz-cloud.afra.toml
index 0c0e8c4..10a4f86 100644
--- a/nodes/htz-cloud.afra.toml
+++ b/nodes/htz-cloud.afra.toml
@@ -32,7 +32,7 @@ routes.'172.19.128.0/20'.via = "172.19.137.1"
 [metadata.element-web]
 url = "element.afra.berlin"
-version = "v1.11.71"
+version = "v1.11.73"
 [metadata.element-web.config]
 default_server_config.'m.homeserver'.base_url = "https://matrix.afra.berlin"
From e4eb00bdbe03a2d3ea474ac0bafb85e8e8cd05e3 Mon Sep 17 00:00:00 2001
From: Franziska Kunsmann
Date: Sat, 10 Aug 2024 19:12:39 +0200
Subject: [PATCH 719/996] update forgejo to 8.0.1
---
 nodes/carlene.toml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/nodes/carlene.toml b/nodes/carlene.toml
index 67a886a..731c105 100644
--- a/nodes/carlene.toml
+++ b/nodes/carlene.toml
@@ -49,8 +49,8 @@ defaultCountryCode = "DE"
 jitsi.preferredDomain = "meet.ffmuc.net"
 [metadata.forgejo]
-version = "7.0.5"
-sha1 = "8dc0526cdd886d5bc96ce96841202c2800029e68"
+version = "8.0.1"
+sha1 = "a2e5fd72db7b53d453e6105553ac0c3415d6995c"
 domain = "git.franzi.business"
 enable_git_hooks = true
 install_ssh_key = true
From 6fb8d81159499dcbcae3d5e55a90383caaf5da46 Mon Sep 17 00:00:00 2001
From: Franziska Kunsmann
Date: Sat, 10 Aug 2024 19:12:55 +0200
Subject: [PATCH 720/996] carlene: fix network config
Apparently, the DC technicians are unable to plug in a server into the correct network ports after changing disks ...
---
 nodes/carlene.toml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/nodes/carlene.toml b/nodes/carlene.toml
index 731c105..fbd10d5 100644
--- a/nodes/carlene.toml
+++ b/nodes/carlene.toml
@@ -59,7 +59,7 @@ lfs_secret_key = "!decrypt:encrypt$gAAAAABfPnd1vgNDt86-91YhviQw8Z0djSp4f_tBt76kl
 oauth_secret_key = "!decrypt:encrypt$gAAAAABfPnbfTISbldhS0WyxVKBHVVoOMcar7Kxmh1kkmiUGd-RzbbnNzzhEER_owjttPQcACPfGKZ6WklaSsXjLq8km4P6A9QmPbC06GmHbc91m0odCb1KiY7SZeUD35PiRiGSq50dz"
 security_secret_key = "!decrypt:encrypt$gAAAAABfPnc-R7pkDj4pQgHDb6pzlNYNJgiWdeBFsX7IsHSnCtNPbZxCdtSL8cHtQzVO1KbSxS7zCwssmgiR8Kj54Z-koD-FQbjpbKWoIPw8SsyeqBVlZhIeEzhw_1t7_7ZTvv1O8AePdNYel9JJb_TaAZ8Vx46ZfsEPy8zaaHrqOekHC6RAnB4="
-[metadata.interfaces.eno2]
+[metadata.interfaces.'eno*']
 ips = [
 "193.135.9.29/24",
 "2a0a:51c0:0:225::2/64",
From 6fe0598032ef1d07906befd2ef03c7dc16900f57 Mon Sep 17 00:00:00 2001
From: Franziska Kunsmann
Date: Sat, 10 Aug 2024 19:13:48 +0200
Subject: [PATCH 721/996] update matrix-media-repo to 1.3.7
---
 nodes/carlene.toml | 4 ++--
 nodes/htz-cloud.afra.toml | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/nodes/carlene.toml b/nodes/carlene.toml
index fbd10d5..7ae86ff 100644
--- a/nodes/carlene.toml
+++ b/nodes/carlene.toml
@@ -70,9 +70,9 @@ gateway6 = "2a0a:51c0:0:225::1"
 [metadata.matrix-media-repo]
 admins = ["@kunsi:franzi.business"]
 datastore_id = "3fff5da324ed784c771d638bb6be5917"
-sha1 = "ef9e8624e70714e4d421ece0c27f2974f55c0e59"
+sha1 = "3e2bb7089b0898b86000243a82cc58ae998dc9d9"
 upload_max_mb = 500
-version = "v1.3.6"
+version = "v1.3.7"
 [metadata.matrix-media-repo.homeservers.'franzi.business']
 api = "synapse"
 domain = "http://[::1]:20080/"
diff --git a/nodes/htz-cloud.afra.toml b/nodes/htz-cloud.afra.toml
index 10a4f86..39bf364 100644
--- a/nodes/htz-cloud.afra.toml
+++ b/nodes/htz-cloud.afra.toml
@@ -44,9 +44,9 @@ jitsi.preferredDomain = "meet.ffmuc.net"
 [metadata.matrix-media-repo]
 admins = ['@administress:afra.berlin']
 datastore_id = "e33b50474021fba9977f912414cdd7fe8890ed57"
-sha1 = "ef9e8624e70714e4d421ece0c27f2974f55c0e59"
+sha1 = "3e2bb7089b0898b86000243a82cc58ae998dc9d9"
 upload_max_mb = 50
-version = "v1.3.6"
+version = "v1.3.7"
 [metadata.matrix-media-repo.homeservers.'afra.berlin']
 domain = "http://[::1]:20080/"
From a8678fc01b6ac44ae7a3996807b12d3a7872c6d9 Mon Sep 17 00:00:00 2001
From: Franziska Kunsmann
Date: Sat, 10 Aug 2024 19:14:04 +0200
Subject: [PATCH 722/996] update netbox to 4.0.8
---
 nodes/carlene.toml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/nodes/carlene.toml b/nodes/carlene.toml
index 7ae86ff..aa37588 100644
--- a/nodes/carlene.toml
+++ b/nodes/carlene.toml
@@ -126,7 +126,7 @@ domain = "rss.franzi.business"
 [metadata.netbox]
 domain = "netbox.franzi.business"
-version = "v4.0.7"
+version = "v4.0.8"
 admins.kunsi = "hostmaster@kunbox.net"
 [metadata.nextcloud]
From c48e11d78714edcd06fb7cdf7586209f20550721 Mon Sep 17 00:00:00 2001
From: Franziska Kunsmann
Date: Sat, 10 Aug 2024 19:14:21 +0200
Subject: [PATCH 723/996] update paperless to 2.11.4
---
 nodes/home/paperless.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/nodes/home/paperless.py b/nodes/home/paperless.py
index 85a35e2..22ccf6e 100644
--- a/nodes/home/paperless.py
+++ b/nodes/home/paperless.py
@@ -47,7 +47,7 @@ nodes['home.paperless'] = {
 },
 'paperless': {
 'domain': 'paperless.home.kunbox.net',
- 'version': 'v2.11.0',
+ 'version': 'v2.11.4',
 'timezone': 'Europe/Berlin',
 },
 'postgresql': {
From 422303ee5b5d14aa9ef1e128cb7cb5c70ad3dcb0 Mon Sep 17 00:00:00 2001
From: Franziska Kunsmann
Date: Sat, 10 Aug 2024 19:14:35 +0200
Subject: [PATCH 724/996] update pretalx to 2024.2.1
---
 nodes/voc/pretalx.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/nodes/voc/pretalx.py b/nodes/voc/pretalx.py
index 893f674..845aa23 100644
--- a/nodes/voc/pretalx.py
+++ b/nodes/voc/pretalx.py
@@ -49,7 +49,7 @@ nodes['voc.pretalx'] = {
 },
 },
 'pretalx': {
- 'version': 'v2024.1.0',
+ 'version': 'v2024.2.1',
 'domain': 'pretalx.c3voc.de',
 'mail_from': 'pretalx@c3voc.de',
 'administrators-from-group-id': 1,
From c66bc8b5ebaf3d2c3be6d98143a055a37b46938d Mon Sep 17 00:00:00 2001
From: Franziska Kunsmann
Date: Mon, 12 Aug 2024 19:36:32 +0200
Subject: [PATCH 725/996] add home.{appletv-wohnzimmer,encoder96}
---
 nodes/home.appletv-wohnzimmer.toml | 9 +++++++++
 nodes/home.encoder96.toml | 9 +++++++++
 2 files changed, 18 insertions(+)
 create mode 100644 nodes/home.appletv-wohnzimmer.toml
 create mode 100644 nodes/home.encoder96.toml
diff --git a/nodes/home.appletv-wohnzimmer.toml b/nodes/home.appletv-wohnzimmer.toml
new file mode 100644
index 0000000..5febb38
--- /dev/null
+++ b/nodes/home.appletv-wohnzimmer.toml
@@ -0,0 +1,9 @@
+dummy = true
+
+[metadata.interfaces.default]
+ips = ["172.19.138.73"]
+dhcp = true
+mac = "c0:95:6d:5e:82:47"
+
+[metadata.icinga_options]
+exclude_from_monitoring = true
diff --git a/nodes/home.encoder96.toml b/nodes/home.encoder96.toml
new file mode 100644
index 0000000..ca9bdce
--- /dev/null
+++ b/nodes/home.encoder96.toml
@@ -0,0 +1,9 @@
+dummy = true
+
+[metadata.interfaces.default]
+ips = ["172.19.138.99"]
+dhcp = true
+mac = "6c:4b:90:5c:e3:6d"
+
+[metadata.icinga_options]
+exclude_from_monitoring = true
From 10b1fb8a5b7e06345d1efdbccc914dbeb0cc25a5 Mon Sep 17 00:00:00 2001
From: Franziska Kunsmann
Date: Mon, 12 Aug 2024 19:39:57 +0200
Subject: [PATCH 726/996] remove legacy nodes
---
 nodes/home.ejgwdesk.toml | 9 ---------
 1 file changed, 9 deletions(-)
 delete mode 100644 nodes/home.ejgwdesk.toml
diff --git a/nodes/home.ejgwdesk.toml b/nodes/home.ejgwdesk.toml
deleted file mode 100644
index 7572ba7..0000000
--- a/nodes/home.ejgwdesk.toml
+++ /dev/null
@@ -1,9 +0,0 @@
-dummy = true
-
-[metadata.interfaces.default]
-ips = ["172.19.138.99"]
-dhcp = true
-mac = "54:04:A6:EF:A8:01"
-
-[metadata.icinga_options]
-exclude_from_monitoring = true
From e8983829ed8609b181dc00b0662298910ed06bc3 Mon Sep 17 00:00:00 2001
From: Franziska Kunsmann
Date: Fri, 16 Aug 2024 14:35:33 +0200
Subject: [PATCH 727/996] bundles/infobeamer-monitor: fix maintenance warnings
---
 bundles/infobeamer-monitor/files/monitor.py | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/bundles/infobeamer-monitor/files/monitor.py b/bundles/infobeamer-monitor/files/monitor.py
index 36c2497..6f353e6 100644
--- a/bundles/infobeamer-monitor/files/monitor.py
+++ b/bundles/infobeamer-monitor/files/monitor.py
@@ -140,13 +140,12 @@ while True:
 if device["is_online"]:
 if device["maintenance"]:
 mqtt_out(
- "maintenance required: {}".join(
+ "maintenance required: {}".format(' '.join(
 sorted(device["maintenance"])
- ),
+ )),
 level="WARN",
 device=device,
 )
- must_dump_state = True
 if (
 device["is_synced"] != state[did]["is_synced"]
From 82aeeb585d01eb40092fa1a999b07b7b04f8e214 Mon Sep 17 00:00:00 2001
From: Franziska Kunsmann
Date: Fri, 23 Aug 2024 19:43:04 +0200
Subject: [PATCH 728/996] add samba share for music on nas
---
 bundles/samba/files/override.conf | 3 ++
 bundles/samba/files/smb.conf | 39 ++++++++++++++++++++
 bundles/samba/items.py | 59 +++++++++++++++++++++++++++++++
 bundles/samba/metadata.py | 26 ++++++++++++++
 nodes/home/nas.py | 12 +++++++
 5 files changed, 139 insertions(+)
 create mode 100644 bundles/samba/files/override.conf
 create mode 100644 bundles/samba/files/smb.conf
 create mode 100644 bundles/samba/items.py
 create mode 100644 bundles/samba/metadata.py
diff --git a/bundles/samba/files/override.conf b/bundles/samba/files/override.conf
new file mode 100644
index 0000000..35693b4
--- /dev/null
+++ b/bundles/samba/files/override.conf
@@ -0,0 +1,3 @@
+[Service]
+RestartSec=10
+Restart=on-failure
diff --git a/bundles/samba/files/smb.conf b/bundles/samba/files/smb.conf
new file mode 100644
index 0000000..325b040
--- /dev/null
+++ b/bundles/samba/files/smb.conf
@@ -0,0 +1,39 @@
+[global]
+workgroup = KUNBOX
+server string = ${node.name} samba
+dns proxy = no
+max log size = 1000
+syslog = 1
+syslog only = 1
+panic action = /usr/share/samba/panic-action %d
+encrypt passwords = true
+passdb backend = tdbsam
+obey pam restrictions = yes
+map to guest = bad user
+load printers = no
+usershare allow guests = yes
+allow insecure wide links = yes
+% for name, opts in sorted(node.metadata.get('samba/shares', {}).items()):
+
+[${name}]
+browseable = yes
+comment = ${opts.get('comment', f'share of {opts["path"]}')}
+fake oplocks = yes
+force group = ${opts.get('force_group', 'nobody')}
+force user = ${opts.get('force_user', 'nogroup')}
+% if opts.get('guest_ok', True):
+guest ok = yes
+% else:
+guest ok = no
+% endif
+locking = no
+path = ${opts['path']}
+printable = no
+read only = no
+vfs objects = catia fruit
+writable = ${'yes' if opts.get('writable', False) else 'no'}
+% if opts.get('follow_symlinks', True):
+follow symlinks = yes
+wide links = yes
+% endif
+% endfor
diff --git a/bundles/samba/items.py b/bundles/samba/items.py
new file mode 100644
index 0000000..333a338
--- /dev/null
+++ b/bundles/samba/items.py
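Review bot: The per-share block defaults `follow_symlinks` to `True`, emitting `follow symlinks = yes` and `wide links = yes`, and `[global]` adds `allow insecure wide links = yes`, so a symlink placed inside any share that points outside its `path` is served to clients; with `guest_ok` also defaulting to `True` and `map to guest = bad user` mapping unknown accounts to guest, that includes unauthenticated clients on whatever the firewall lets through. Flipping the default to `opts.get('follow_symlinks', False)` and emitting `allow insecure wide links = yes` only when at least one share opts in keeps the music share working while making the escape hatch explicit. `[global]` sets no `server min protocol`, so whether SMB1 is still negotiable depends on the packaged Samba default; `server min protocol = SMB2` is cheap insurance. `locking = no` together with `fake oplocks = yes` is fine for a read-mostly share but not for writable shares with concurrent writers, so a comment above those two lines stating that assumption would help whoever adds the next share.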
@@ -0,0 +1,59 @@
+svc_systemd = {
+ 'nmbd': {
+ 'needs': {
+ 'pkg_apt:samba',
+ },
+ },
+ 'smbd': {
+ 'needs': {
+ 'pkg_apt:samba',
+ },
+ },
+}
+
+files = {
+ '/etc/samba/smb.conf': {
+ 'content_type': 'mako',
+ 'triggers': {
+ 'svc_systemd:nmbd:restart',
+ 'svc_systemd:smbd:restart',
+ },
+ },
+ '/etc/systemd/system/nmbd.service.d/bundlewrap.conf': {
+ 'source': 'override.conf',
+ 'triggers': {
+ 'action:systemd-reload',
+ 'svc_systemd:nmbd:restart',
+ },
+ },
+ '/etc/systemd/system/smbd.service.d/bundlewrap.conf': {
+ 'source': 'override.conf',
+ 'triggers': {
+ 'action:systemd-reload',
+ 'svc_systemd:smbd:restart',
+ },
+ },
+}
+
+last_action = set()
+for user, uconfig in node.metadata.get('users', {}).items():
+ if (
+ 'password' not in uconfig
+ or uconfig.get('delete')
+ or user in ('root',)
+ ):
+ continue
+
+ actions[f'smbpasswd_for_user_{user}'] = {
+ 'command': f'smbpasswd -a -s {user}',
+ 'unless': f'pdbedit -L | grep -E "^{user}:"',
+ 'data_stdin': uconfig['password'] + '\n' + uconfig['password'],
+ 'needs': {
+ 'pkg_apt:samba',
+ f'user:{user}',
+ },
+ 'after': last_action,
+ }
+ last_action = {
+ f'action:smbpasswd_for_user_{user}',
+ }
diff --git a/bundles/samba/metadata.py b/bundles/samba/metadata.py
new file mode 100644
index 0000000..7b9400c
--- /dev/null
+++ b/bundles/samba/metadata.py
@@ -0,0 +1,26 @@
+from bundlewrap.metadata import atomic
+
+defaults = {
+ 'apt': {
+ 'packages': {
+ 'samba': {},
+ 'samba-vfs-modules': {},
+ }
+ }
+}
+
+
+@metadata_reactor.provides(
+ 'firewall/port_rules',
+)
+def firewall(metadata):
+ return {
+ 'firewall': {
+ 'port_rules': {
+ '137/udp': atomic(metadata.get('samba/restrict-to', set())),
+ '138/udp': atomic(metadata.get('samba/restrict-to', set())),
+ '139/tcp': atomic(metadata.get('samba/restrict-to', set())),
+ '445/tcp': atomic(metadata.get('samba/restrict-to', set())),
+ },
+ },
+ }
diff --git a/nodes/home/nas.py b/nodes/home/nas.py
index 9c2c62f..0ca0790 100644
--- a/nodes/home/nas.py
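Review bot: In `items.py`, `'unless': f'pdbedit -L | grep -E "^{user}:"'` turns the action into a no-op as soon as the user exists in the passdb, so a password rotated later in `users` metadata is never pushed to Samba; dropping the `unless`, or folding a digest of the password into the action name so that a rotation re-runs `smbpasswd -s`, would close that gap. `{user}` is also interpolated unquoted into both shell strings and unescaped into the regex; the names come from node metadata, so this is hygiene rather than an exposure, but `shlex.quote(user)` and `re.escape(user)` cost nothing. A one-line comment on `last_action` saying why the actions are chained (presumably to avoid concurrent writers on the passdb tdb) would spare the next reader guessing. In `metadata.py`, `firewall()` passes `atomic(set())` for the four ports whenever `samba/restrict-to` is unset; whether the firewall bundle reads an empty rule set as deny-all or allow-all is not visible here, so it is worth confirming and recording in a comment on the reactor.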
+++ b/nodes/home/nas.py
@@ -11,6 +11,7 @@ nodes['home.nas'] = {
 'mosquitto',
 'nfs-server',
 'rsyslogd',
+ 'samba',
 'scansnap',
 'smartd',
 'vmhost',
@@ -167,6 +168,17 @@ nodes['home.nas'] = {
 'home',
 },
 },
+ 'samba': {
+ 'shares': {
+ 'music': {
+ 'path': '/storage/nas/Musik',
+ 'force_group': 'nas',
+ },
+ },
+ 'restrict-to': {
+ '172.19.138.0/24',
+ },
+ },
 'smartd': {
 'disks': {
 '/dev/nvme0',
From aff13291224a93a8f9468b4cb85ac40012033942 Mon Sep 17 00:00:00 2001
From: Franziska Kunsmann
Date: Fri, 23 Aug 2024 19:43:27 +0200
Subject: [PATCH 729/996] add rottenraptor devices
---
 nodes/rottenraptor-stromdisplay.toml | 40 ++++++++++++++++++++++++
 nodes/rottenraptor-stromzaehler.toml | 46 ++++++++++++++++++++++++++++
 2 files changed, 86 insertions(+)
 create mode 100644 nodes/rottenraptor-stromdisplay.toml
 create mode 100644 nodes/rottenraptor-stromzaehler.toml
diff --git a/nodes/rottenraptor-stromdisplay.toml b/nodes/rottenraptor-stromdisplay.toml
new file mode 100644
index 0000000..a111bef
--- /dev/null
+++ b/nodes/rottenraptor-stromdisplay.toml
@@ -0,0 +1,40 @@
+hostname = "192.168.1.252"
+os = "debian"
+os_version = [12,]
+bundles = [
+ "apt",
+ "basic",
+ "kernel-modules",
+ "openssh",
+ "raspberrypi",
+ "sdm630_mqtt",
+ "sudo",
+ "sysctl",
+ "systemd",
+ "systemd-networkd",
+ "users",
+]
+
+[metadata.apt.unattended-upgrades]
+enabled = false
+
+[metadata.icinga_options]
+exclude_from_monitoring = true
+
+[metadata.interfaces.eth0]
+ips = [
+ "192.168.1.252/24",
+]
+dhcp = true
+
+[metadata.raspberrypi]
+enable_display = true
+
+[metadata.sdm630_mqtt]
+enable_stats_collection = false
+enable_local_printout = true
+config.mqtt.host = "192.168.1.253"
+
+[metadata.users.kutscher]
+password = "!decrypt:encrypt$gAAAAABmqQgvrVuPqFJWJSu8Yxd9NV4ppo5STfCPFqUWn0KepLRdFCktEMla0EJPPxZR5HbNnD6K2Vp-c63raeWwahFUT24SUrAoBFeWfToYWaRDi5WeXJU="
+sudo_commands = ["ALL"]
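Review bot: `[metadata.apt.unattended-upgrades] enabled = false` together with `[metadata.icinga_options] exclude_from_monitoring = true` leaves this Raspberry Pi neither auto-patched nor alerted on, and nothing in the file records why; `nodes/rottenraptor-stromzaehler.toml` in the next hunk carries the same pair. A comment above the two tables, e.g. `# <reason auto-updates and monitoring are disabled on this host>`, keeps a later cleanup from re-enabling them blind. Both files also contain the identical `!decrypt:encrypt$…` ciphertext under `[metadata.users.kutscher]`, so the two hosts share one password for a `sudo_commands = ["ALL"]` account; if that is deliberate a comment saying so helps, otherwise a second secret should be generated for the display host.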
diff --git a/nodes/rottenraptor-stromzaehler.toml b/nodes/rottenraptor-stromzaehler.toml
new file mode 100644
index 0000000..c04d6a4
--- /dev/null
+++ b/nodes/rottenraptor-stromzaehler.toml
@@ -0,0 +1,46 @@
+hostname = "192.168.1.253"
+os = "debian"
+os_version = [12,]
+bundles = [
+ "apt",
+ "basic",
+ "kernel-modules",
+ "mosquitto",
+ "openssh",
+ "raspberrypi",
+ "sdm630_mqtt",
+ "sudo",
+ "sysctl",
+ "systemd",
+ "systemd-networkd",
+ "telegraf",
+ "users",
+]
+
+[metadata.apt.unattended-upgrades]
+enabled = false
+
+[metadata.icinga_options]
+exclude_from_monitoring = true
+
+[metadata.interfaces.eth0]
+ips = [
+ "192.168.1.253/24",
+]
+dhcp = true
+
+[metadata.sdm630_mqtt]
+enable_local_printout = true
+config.modbus.host = "192.168.1.254"
+config.modbus.port = 4196
+config.telegraf.identifier = 'rottenraptor_truck'
+
+[metadata.sysctl.options]
+'net.ipv6.conf.all.disable_ipv6' = '1'
+
+[metadata.telegraf]
+collect_default_metrics = false
+
+[metadata.users.kutscher]
+password = "!decrypt:encrypt$gAAAAABmqQgvrVuPqFJWJSu8Yxd9NV4ppo5STfCPFqUWn0KepLRdFCktEMla0EJPPxZR5HbNnD6K2Vp-c63raeWwahFUT24SUrAoBFeWfToYWaRDi5WeXJU="
+sudo_commands = ["ALL"]
From 13bae5c993add0a03153e33357ff1d1e13b2b081 Mon Sep 17 00:00:00 2001
From: Franziska Kunsmann
Date: Fri, 23 Aug 2024 19:47:19 +0200
Subject: [PATCH 730/996] bundles/samba: fix typo
---
 bundles/samba/files/smb.conf | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/bundles/samba/files/smb.conf b/bundles/samba/files/smb.conf
index 325b040..c9a7859 100644
--- a/bundles/samba/files/smb.conf
+++ b/bundles/samba/files/smb.conf
@@ -19,8 +19,8 @@ allow insecure wide links = yes browseable = yes comment = ${opts.get('comment', f'share of {opts["path"]}')} fake oplocks = yes -force group = ${opts.get('force_group', 'nobody')} -force user = ${opts.get('force_user', 'nogroup')} +force group = ${opts.get('force_group', 'nogroup')} +force user = ${opts.get('force_user', 'nobody')} % if opts.get('guest_ok', True): guest ok = yes % else: From 4234070514f628ccc81a2a2732ea17e542b216b6 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Wed, 28 Aug 2024 15:41:39 +0200 Subject: [PATCH 731/996] update element-web to 1.11.76 --- nodes/carlene.toml | 2 +- nodes/htz-cloud.afra.toml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/nodes/carlene.toml b/nodes/carlene.toml index aa37588..f5e3c68 100644 --- a/nodes/carlene.toml +++ b/nodes/carlene.toml @@ -40,7 +40,7 @@ imap_pass = "!bwpass_attr:t-online.de/franzi.kunsmann@t-online.de:imap" [metadata.element-web] url = "chat.franzi.business" -version = "v1.11.73" +version = "v1.11.76" [metadata.element-web.config] default_server_config.'m.homeserver'.base_url = "https://matrix.franzi.business" default_server_config.'m.homeserver'.server_name = "franzi.business" diff --git a/nodes/htz-cloud.afra.toml b/nodes/htz-cloud.afra.toml index 39bf364..1585909 100644 --- a/nodes/htz-cloud.afra.toml +++ b/nodes/htz-cloud.afra.toml @@ -32,7 +32,7 @@ routes.'172.19.128.0/20'.via = "172.19.137.1" [metadata.element-web] url = "element.afra.berlin" -version = "v1.11.73" +version = "v1.11.76" [metadata.element-web.config] default_server_config.'m.homeserver'.base_url = "https://matrix.afra.berlin" From 2fbf122660d438b41bb78f15b732923e2cf6bc1c Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Wed, 28 Aug 2024 15:41:54 +0200 Subject: [PATCH 732/996] update netbox to 4.0.9 --- nodes/carlene.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nodes/carlene.toml b/nodes/carlene.toml index f5e3c68..3a03857 100644 
--- a/nodes/carlene.toml +++ b/nodes/carlene.toml @@ -126,7 +126,7 @@ domain = "rss.franzi.business" [metadata.netbox] domain = "netbox.franzi.business" -version = "v4.0.8" +version = "v4.0.9" admins.kunsi = "hostmaster@kunbox.net" [metadata.nextcloud] From 3d86923e9e2165e6c7c5472b749373b28d1cf120 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Wed, 28 Aug 2024 15:42:07 +0200 Subject: [PATCH 733/996] update travelynx to 2.8.35 --- nodes/carlene.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nodes/carlene.toml b/nodes/carlene.toml index 3a03857..a1a03e4 100644 --- a/nodes/carlene.toml +++ b/nodes/carlene.toml @@ -256,7 +256,7 @@ disks = [ ] [metadata.travelynx] -version = "2.7.7" +version = "2.8.35" mail_from = "travelynx@franzi.business" domain = "travelynx.franzi.business" From 23fb2aba1cebc7599e947c208ab43cc8b55e236e Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sat, 31 Aug 2024 13:14:24 +0200 Subject: [PATCH 734/996] home.nas: add br1139 --- bundles/systemd-networkd/files/template-bridge.network | 3 +++ nodes/home/nas.py | 5 +++++ 2 files changed, 8 insertions(+) diff --git a/bundles/systemd-networkd/files/template-bridge.network b/bundles/systemd-networkd/files/template-bridge.network index 0487f79..d7ea47c 100644 --- a/bundles/systemd-networkd/files/template-bridge.network +++ b/bundles/systemd-networkd/files/template-bridge.network @@ -3,3 +3,6 @@ Name=${' '.join(sorted(match))} [Network] Bridge=${bridge} + +[Link] +ActivationPolicy=always-up diff --git a/nodes/home/nas.py b/nodes/home/nas.py index 0ca0790..e5a1480 100644 --- a/nodes/home/nas.py +++ b/nodes/home/nas.py @@ -200,6 +200,11 @@ nodes['home.nas'] = { 'br0.1138', }, }, + 'br1139': { + 'match': { + 'br0.1139', + }, + }, }, }, 'systemd-timers': { From bfbbffe22c160effbf5dab9f92eda9a4cb59f309 Mon Sep 17 00:00:00 2001 
From: Franziska Kunsmann
Date: Sat, 31 Aug 2024 19:12:05 +0200
Subject: [PATCH 735/996] home.r630: allow forwarding traffic
So i can actually reach the docker containers running on there
---
 nodes/home.r630.toml | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/nodes/home.r630.toml b/nodes/home.r630.toml
index e28673b..2a18418 100644
--- a/nodes/home.r630.toml
+++ b/nodes/home.r630.toml
@@ -11,6 +11,13 @@ ips = [
 gateway4 = "172.19.138.1"
 ipv6_accept_ra = true
+[metadata.nftable.forward]
+50-local-forward = [
+ 'ct state { related, established } accept',
+ 'iifname eno3 accept',
+ 'ip6 nexthdr ipv6-icmp accept',
+]
+
 [metadata.users.molly]
 password = "!decrypt:dummy$no"
From 319dc8ad216e96f39b765f8f7d642b293dfe6e24 Mon Sep 17 00:00:00 2001
From: Franziska Kunsmann
Date: Tue, 3 Sep 2024 21:09:17 +0200
Subject: [PATCH 736/996] icinga: fix logic error, do not send sms for service problems
---
 bundles/icinga2/files/scripts/icinga_notification_wrapper | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/bundles/icinga2/files/scripts/icinga_notification_wrapper b/bundles/icinga2/files/scripts/icinga_notification_wrapper
index 2741839..612882d 100644
--- a/bundles/icinga2/files/scripts/icinga_notification_wrapper
+++ b/bundles/icinga2/files/scripts/icinga_notification_wrapper
@@ -199,7 +199,7 @@ if __name__ == '__main__':
 notify_per_mail()
 if args.sms:
- if args.service_name:
+ if not args.service_name:
 notify_per_sms()
 if CONFIG['ntfy']['user']:
 notify_per_ntfy()
From 2b5a76ffb0972e17332469a9fbf0d07443db5918 Mon Sep 17 00:00:00 2001
From: Franziska Kunsmann
Date: Wed, 4 Sep 2024 18:50:58 +0200
Subject: [PATCH 737/996] update netbox to 4.1.0
---
 nodes/carlene.toml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/nodes/carlene.toml b/nodes/carlene.toml
index a1a03e4..d8efc29 100644
--- a/nodes/carlene.toml
+++ b/nodes/carlene.toml
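Review bot: `'iifname eno3 accept'` in the new `50-local-forward` list accepts every forwarded packet entering eno3 regardless of destination or egress interface, so besides reaching the Docker containers the host will forward eno3 traffic to any other network it routes to; which interface eno3 is and what other networks the host attaches to are not visible in this hunk, so on a single-LAN box this may be exactly what is wanted. If the goal is only container reachability, restricting the rule to the container bridge, e.g. `'iifname eno3 oifname <docker-bridge-ifname> accept'`, keeps the host from becoming a general-purpose router, and the preceding `ct state { related, established } accept` already covers the return path. A short comment in the TOML naming the traffic these three rules are for would help when a fourth one is added.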
@@ -126,7 +126,7 @@ domain = "rss.franzi.business" [metadata.netbox] domain = "netbox.franzi.business" -version = "v4.0.9" +version = "v4.1.0" admins.kunsi = "hostmaster@kunbox.net" [metadata.nextcloud] From 41b76aec9c543d25a93c3f6406976102128d0f8e Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Wed, 4 Sep 2024 18:52:10 +0200 Subject: [PATCH 738/996] update forgejo to 8.0.2 --- nodes/carlene.toml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/nodes/carlene.toml b/nodes/carlene.toml index d8efc29..16fa613 100644 --- a/nodes/carlene.toml +++ b/nodes/carlene.toml @@ -49,8 +49,8 @@ defaultCountryCode = "DE" jitsi.preferredDomain = "meet.ffmuc.net" [metadata.forgejo] -version = "8.0.1" -sha1 = "a2e5fd72db7b53d453e6105553ac0c3415d6995c" +version = "8.0.2" +sha1 = "c842480b99445b70c314e20be144789711fa7deb" domain = "git.franzi.business" enable_git_hooks = true install_ssh_key = true From b73ac2b7ce00d59d874c6abd4bdb1077d3fee00a Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Wed, 4 Sep 2024 18:54:18 +0200 Subject: [PATCH 739/996] update paperless to 2.11.6 --- nodes/home/paperless.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nodes/home/paperless.py b/nodes/home/paperless.py index 22ccf6e..b734ad3 100644 --- a/nodes/home/paperless.py +++ b/nodes/home/paperless.py @@ -47,7 +47,7 @@ nodes['home.paperless'] = { }, 'paperless': { 'domain': 'paperless.home.kunbox.net', - 'version': 'v2.11.4', + 'version': 'v2.11.6', 'timezone': 'Europe/Berlin', }, 'postgresql': { From 3f02f7b8f5c70b1a9bc61637a333381eaaee82b9 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Wed, 4 Sep 2024 18:56:48 +0200 Subject: [PATCH 740/996] bundles/icinga2: ignore lines starting with ;; in check_spam_blocklist --- bundles/icinga2/files/check_spam_blocklist | 18 +++++++----------- 1 file changed, 7 insertions(+), 11 deletions(-) 
diff --git a/bundles/icinga2/files/check_spam_blocklist b/bundles/icinga2/files/check_spam_blocklist
index c9f94df..2b1a3c3 100644
--- a/bundles/icinga2/files/check_spam_blocklist
+++ b/bundles/icinga2/files/check_spam_blocklist
@@ -50,17 +50,13 @@ def check_list(ip_list, blocklist, warn_ips):
 ]).decode().splitlines()
 for item in result:
 if item.startswith(';;'):
- msgs.append('{} - {}'.format(
- blocklist,
- item,
- ))
- else:
- msgs.append('{} listed in {} as {}'.format(
- ip,
- blocklist,
- item,
- ))
- if (item in warn_ips or item.startswith(';;')) and returncode < 2:
+ continue
+ msgs.append('{} listed in {} as {}'.format(
+ ip,
+ blocklist,
+ item,
+ ))
+ if item in warn_ips and returncode < 2:
 returncode = 1
 else:
 returncode = 2
From 331d363a45ebecb938f6efed3fc3a2d78b703e21 Mon Sep 17 00:00:00 2001
From: Franziska Kunsmann
Date: Wed, 4 Sep 2024 19:04:47 +0200
Subject: [PATCH 741/996] bump _.home.kunbox.net
---
 data/ssl/_.home.kunbox.net.crt.pem | 34 +++++++++---------
 .../_.home.kunbox.net.crt_intermediate.pem | 36 +++++++++----------
 data/ssl/_.home.kunbox.net.key.pem.vault | 2 +-
 3 files changed, 36 insertions(+), 36 deletions(-)
diff --git a/data/ssl/_.home.kunbox.net.crt.pem b/data/ssl/_.home.kunbox.net.crt.pem
index b350df9..a263c3f 100644
--- a/data/ssl/_.home.kunbox.net.crt.pem
+++ b/data/ssl/_.home.kunbox.net.crt.pem
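Review bot: Lines starting with `;;` are now skipped by the added `continue`, where the old code raised `returncode` to 1 for them; if the resolver output that `;;` marks includes failures (in `dig` the prefix is used for both comments and errors such as a timeout or SERVFAIL), a blocklist that cannot be queried now reports as clean instead of warning, and the command producing `result` plus the rest of `check_list` lie outside the hunk, so I cannot see whether the subprocess exit status is checked separately. If only the informational `;;` lines are meant to be dropped, keeping a warning for the error-looking ones is a small change, e.g. `if item.startswith(';;'):` / `    if 'timed out' in item or 'SERVFAIL' in item: returncode = max(returncode, 1)` / `    continue`. A comment on the `continue` stating that `;;` lines are resolver chatter rather than listings would also document the intent.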
@@ -1,22 +1,22 @@ -----BEGIN CERTIFICATE----- -MIIDsDCCAzWgAwIBAgISBMRgrLMPa1cucom1daU3fmCaMAoGCCqGSM49BAMDMDIx +MIIDsDCCAzWgAwIBAgISBIi3muU9O51f4fWWUXJHNgRHMAoGCCqGSM49BAMDMDIx CzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQDEwJF -NTAeFw0yNDA2MTExNDQyMzdaFw0yNDA5MDkxNDQyMzZaMBoxGDAWBgNVBAMTD2hv -bWUua3VuYm94Lm5ldDB2MBAGByqGSM49AgEGBSuBBAAiA2IABGlCPITmq729xoLb -DkSn6SYxnP7Mns9dBSqUv1WktnYjwbavlbXKN3Bz0yCGcXSCZA+Nq576DBK9L9X6 -tTeIvqG1akyNxY+1eDK3vhH4FKmZE6oOyh1jqfG2LY7dvLYCQKOCAiQwggIgMA4G +NjAeFw0yNDA5MDQxNjA1MThaFw0yNDEyMDMxNjA1MTdaMBoxGDAWBgNVBAMTD2hv +bWUua3VuYm94Lm5ldDB2MBAGByqGSM49AgEGBSuBBAAiA2IABA5vskMN8tWHCOsv +aUojW+t8otSpRgcU0tLsONhzQ7GhG5tC5DQ5pN7HiG14eejONQE4hRWC4rkP/e47 +EVQd/rFK5m0lQesR68zogtW9KfQZUoINhlOuR4CxpBY1LrG5laOCAiQwggIgMA4G A1UdDwEB/wQEAwIHgDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwDAYD -VR0TAQH/BAIwADAdBgNVHQ4EFgQUt6i+27R0AAj+AUgSNg3Gmm5GzLYwHwYDVR0j -BBgwFoAUnytfzzwhT50Et+0rLMTGcIvS1w0wVQYIKwYBBQUHAQEESTBHMCEGCCsG -AQUFBzABhhVodHRwOi8vZTUuby5sZW5jci5vcmcwIgYIKwYBBQUHMAKGFmh0dHA6 -Ly9lNS5pLmxlbmNyLm9yZy8wLQYDVR0RBCYwJIIRKi5ob21lLmt1bmJveC5uZXSC +VR0TAQH/BAIwADAdBgNVHQ4EFgQU3iCazGKeVwzCa84zl+qckbspEmEwHwYDVR0j +BBgwFoAUkydGmAOpUWiOmNbEQkjbI79YlNIwVQYIKwYBBQUHAQEESTBHMCEGCCsG +AQUFBzABhhVodHRwOi8vZTYuby5sZW5jci5vcmcwIgYIKwYBBQUHMAKGFmh0dHA6 +Ly9lNi5pLmxlbmNyLm9yZy8wLQYDVR0RBCYwJIIRKi5ob21lLmt1bmJveC5uZXSC D2hvbWUua3VuYm94Lm5ldDATBgNVHSAEDDAKMAgGBmeBDAECATCCAQQGCisGAQQB -1nkCBAIEgfUEgfIA8AB2AO7N0GTV2xrOxVy3nbTNE6Iyh0Z8vOzew1FIWUZxH7Wb -AAABkAf3K9YAAAQDAEcwRQIhAPFpuj8ZoOmqhDNJDSuJ3BWyUuOUyY2QXjIVRHop -dKyPAiAa2cwsyBFOjWOEYRCZ/7UgBA5axt8ZCrRYseefFwpvSQB2AN/hVuuqBa+1 -nA+GcY2owDJOrlbZbqf1pWoB0cE7vlJcAAABkAf3LJ8AAAQDAEcwRQIhAL9+dxTj -34moGhk32PnQZg2+nVNiVxLxYjDL9fk1R+bXAiAA7EjWqcZgktinTpt1pVQMmuUn -FQ1IRh5AdycNn0lL2jAKBggqhkjOPQQDAwNpADBmAjEAubnofDBEyrcSJAiGxlqc -EpUndlnkT/irfl/As8EUt0KMSPhnV3i7oEq89bi0KDghAjEA+XHccaWUi7BJEoV7 -nCUOCct64mb2LmXkvYiFVicsV9ubp4kVbziWjLgng6TC3HoM 
+1nkCBAIEgfUEgfIA8AB2AD8XS0/XIkdYlB1lHIS+DRLtkDd/H4Vq68G/KIXs+GRu +AAABkb3+C2AAAAQDAEcwRQIhAMwv6NjH3Ggd1WfeSVvyToVaM15glwfSJcAW8+40 +XbCKAiABUoDmQjhKi5VfwZ7e0WX5XjEmgBN2qTafK5RqlaCDJgB2AO7N0GTV2xrO +xVy3nbTNE6Iyh0Z8vOzew1FIWUZxH7WbAAABkb3+C3IAAAQDAEcwRQIgU9sxMGOG +aP3npu7vw3G9TiFRxuZRCI96My34WVSCOcsCIQDhDjS9QhJGtNT68Z0sx6DJCcco +L1AXGWwojxizcx48bTAKBggqhkjOPQQDAwNpADBmAjEA/SOZeiZrClB5EJlZFdQy +hrt2qh4HC5zvHdSLTWI4GAxDy8xRg/ANO6fp0Sb7Q7jdAjEAhiQgQfgUln08i/tv +3TGjVRIT/Y4A4QadodTROpfmFDH3QIsNwRPRhQUUSscBavK9 -----END CERTIFICATE----- diff --git a/data/ssl/_.home.kunbox.net.crt_intermediate.pem b/data/ssl/_.home.kunbox.net.crt_intermediate.pem index 59039ae..4652201 100644 --- a/data/ssl/_.home.kunbox.net.crt_intermediate.pem +++ b/data/ssl/_.home.kunbox.net.crt_intermediate.pem 
@@ -1,27 +1,27 @@ -----BEGIN CERTIFICATE----- -MIIEVzCCAj+gAwIBAgIRAIOPbGPOsTmMYgZigxXJ/d4wDQYJKoZIhvcNAQELBQAw +MIIEVzCCAj+gAwIBAgIRALBXPpFzlydw27SHyzpFKzgwDQYJKoZIhvcNAQELBQAw TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMjQwMzEzMDAwMDAw WhcNMjcwMzEyMjM1OTU5WjAyMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNTGV0J3Mg -RW5jcnlwdDELMAkGA1UEAxMCRTUwdjAQBgcqhkjOPQIBBgUrgQQAIgNiAAQNCzqK -a2GOtu/cX1jnxkJFVKtj9mZhSAouWXW0gQI3ULc/FnncmOyhKJdyIBwsz9V8UiBO -VHhbhBRrwJCuhezAUUE8Wod/Bk3U/mDR+mwt4X2VEIiiCFQPmRpM5uoKrNijgfgw +RW5jcnlwdDELMAkGA1UEAxMCRTYwdjAQBgcqhkjOPQIBBgUrgQQAIgNiAATZ8Z5G +h/ghcWCoJuuj+rnq2h25EqfUJtlRFLFhfHWWvyILOR/VvtEKRqotPEoJhC6+QJVV +6RlAN2Z17TJOdwRJ+HB7wxjnzvdxEP6sdNgA1O1tHHMWMxCcOrLqbGL0vbijgfgw gfUwDgYDVR0PAQH/BAQDAgGGMB0GA1UdJQQWMBQGCCsGAQUFBwMCBggrBgEFBQcD -ATASBgNVHRMBAf8ECDAGAQH/AgEAMB0GA1UdDgQWBBSfK1/PPCFPnQS37SssxMZw -i9LXDTAfBgNVHSMEGDAWgBR5tFnme7bl5AFzgAiIyBpY9umbbjAyBggrBgEFBQcB +ATASBgNVHRMBAf8ECDAGAQH/AgEAMB0GA1UdDgQWBBSTJ0aYA6lRaI6Y1sRCSNsj +v1iU0jAfBgNVHSMEGDAWgBR5tFnme7bl5AFzgAiIyBpY9umbbjAyBggrBgEFBQcB AQQmMCQwIgYIKwYBBQUHMAKGFmh0dHA6Ly94MS5pLmxlbmNyLm9yZy8wEwYDVR0g BAwwCjAIBgZngQwBAgEwJwYDVR0fBCAwHjAcoBqgGIYWaHR0cDovL3gxLmMubGVu -Y3Iub3JnLzANBgkqhkiG9w0BAQsFAAOCAgEAH3KdNEVCQdqk0LKyuNImTKdRJY1C -2uw2SJajuhqkyGPY8C+zzsufZ+mgnhnq1A2KVQOSykOEnUbx1cy637rBAihx97r+ -bcwbZM6sTDIaEriR/PLk6LKs9Be0uoVxgOKDcpG9svD33J+G9Lcfv1K9luDmSTgG -6XNFIN5vfI5gs/lMPyojEMdIzK9blcl2/1vKxO8WGCcjvsQ1nJ/Pwt8LQZBfOFyV -XP8ubAp/au3dc4EKWG9MO5zcx1qT9+NXRGdVWxGvmBFRAajciMfXME1ZuGmk3/GO -koAM7ZkjZmleyokP1LGzmfJcUd9s7eeu1/9/eg5XlXd/55GtYjAM+C4DG5i7eaNq -cm2F+yxYIPt6cbbtYVNJCGfHWqHEQ4FYStUyFnv8sjyqU8ypgZaNJ9aVcWSICLOI -E1/Qv/7oKsnZCWJ926wU6RqG1OYPGOi1zuABhLw61cuPVDT28nQS/e6z95cJXq0e -K1BcaJ6fJZsmbjRgD5p3mvEf5vdQM7MCEvU0tHbsx2I5mHHJoABHb8KVBgWp/lcX -GWiWaeOyB7RP+OfDtvi2OsapxXiV7vNVs7fMlrRjY1joKaqmmycnBvAq14AEbtyL -sVfOS66B8apkeFX2NY4XPEYV4ZSCe8VHPrdrERk2wILG3T/EGmSIkCYVUMSnjmJd -VQD9F6Na/+zmXCc= 
+Y3Iub3JnLzANBgkqhkiG9w0BAQsFAAOCAgEAfYt7SiA1sgWGCIpunk46r4AExIRc +MxkKgUhNlrrv1B21hOaXN/5miE+LOTbrcmU/M9yvC6MVY730GNFoL8IhJ8j8vrOL +pMY22OP6baS1k9YMrtDTlwJHoGby04ThTUeBDksS9RiuHvicZqBedQdIF65pZuhp +eDcGBcLiYasQr/EO5gxxtLyTmgsHSOVSBcFOn9lgv7LECPq9i7mfH3mpxgrRKSxH +pOoZ0KXMcB+hHuvlklHntvcI0mMMQ0mhYj6qtMFStkF1RpCG3IPdIwpVCQqu8GV7 +s8ubknRzs+3C/Bm19RFOoiPpDkwvyNfvmQ14XkyqqKK5oZ8zhD32kFRQkxa8uZSu +h4aTImFxknu39waBxIRXE4jKxlAmQc4QjFZoq1KmQqQg0J/1JF8RlFvJas1VcjLv +YlvUB2t6npO6oQjB3l+PNf0DpQH7iUx3Wz5AjQCi6L25FjyE06q6BZ/QlmtYdl/8 +ZYao4SRqPEs/6cAiF+Qf5zg2UkaWtDphl1LKMuTNLotvsX99HP69V2faNyegodQ0 +LyTApr/vT01YPE46vNsDLgK+4cL6TrzC/a4WcmF5SRJ938zrv/duJHLXQIku5v0+ +EwOy59Hdm0PT/Er/84dDV0CSjdR/2XuZM3kpysSKLgD1cKiDA+IRguODCxfO9cyY +Ig46v9mFmBvyH04= -----END CERTIFICATE----- diff --git a/data/ssl/_.home.kunbox.net.key.pem.vault b/data/ssl/_.home.kunbox.net.key.pem.vault index d07bce8..df3ed76 100644 --- a/data/ssl/_.home.kunbox.net.key.pem.vault +++ b/data/ssl/_.home.kunbox.net.key.pem.vault 
@@ -1 +1 @@ -encrypt$gAAAAABmaHBwHXKZDN_8bEa47lNIX25-wvvW1RcC689Hod4HAsY2tT6fd9k7zdnbK8KWedRNopdRIlhQUkU0xBVh5J5maiYfn5R8Kp_VpkXiWY0LVY3XMWjB4oHmU29VEbl490oesAhUUH6hb7lwfvsbV4WTM_7aL0_sPfF1udxO89gg-9z2nbl-7zmTdSBY651fZQngd4SlwK17N1fedkHgYamGLdgE10oPZiRsOJKrUGv-Pxi4ICQ7J_AF6bO05PyZkeNqqUP19g2f5EsKNnT0bxQHCP5sbofvYzli-fU2bW-leuvm-VU8lV27t39lQZyF-WcWnB7626w0semrg7cCJ4qoHJVekEFWzJBLhagSNdCDWHAwdV2_MHzSgbXvyXz0maga8-1wBoa8Ueinp2oPQMPaUsVzy6NVX7mAsB6Rw9CXDSEf8WPSKWaz7324qhxKmhMHt0r68z0qM28mHb98F_vbS6geCw== \ No newline at end of file +encrypt$gAAAAABm2JL0vVqh3Zut-a1Gfn8iOtDZS8aBpGobV3-d3u8My0MPunYmbQ6kXUAw7U0Bu87AAPXNsmi1pxrxcu8vXvhw4uM445WwKj-UqaV5fmk-ZasHGq-O6K52YqEgK6wo-9u_sOBubbwJSwFVaHxT3gczLW_GVRHhFIFGgdnRlz4YoAz4NXcos_uNO9GMEOGhfGx9e2c2GOIg64vXkj_1LjXEDoV9HYMzy-2wLt4A6q-ZiZwCoKl8-lt8sY_rLk_yfmy3sMvzqg8JaE7T4sunmXDdf4HQlnvl_cu1uW33Rrsq4-080HKx6rKNsZQGhWD2yls016xBAYZvQbDjHd6-7bld1bs5RUF5tfEC3Kx567TBdMaf5C7-PnNB7O_MC4I6SkmUElGRdYyCHuP5HXf9dKtiGCtjHyfEzqTBrcI0xPt631_IGPWMNId7zyLqfLHpMFTPS9jgGVKoT1TXwKe4NSHaGxXO-A== \ No newline at end of file From a7baf225ffa767be3ecb402a6b24f1489895c2a5 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Wed, 4 Sep 2024 20:00:54 +0200 Subject: [PATCH 742/996] kunsi-p14s: s/ferdi/ferdium/ --- nodes/kunsi-p14s.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nodes/kunsi-p14s.py b/nodes/kunsi-p14s.py index 7d377ab..5e63351 100644 --- a/nodes/kunsi-p14s.py +++ b/nodes/kunsi-p14s.py @@ -101,7 +101,7 @@ nodes['kunsi-p14s'] = { 'apachedirectorystudio': {}, 'claws-mail': {}, 'claws-mail-themes': {}, - 'ferdi-bin': {}, + 'ferdium-bin': {}, 'gumbo-parser': {}, # for claws litehtml 'inkstitch': {}, # for RZL embroidery machine 'obs-studio': {}, From 9f1dc01d6b2da541aa6a9376be07d421e2ab247d Mon Sep 17 00:00:00 2001 
From: Franziska Kunsmann
Date: Wed, 4 Sep 2024 20:02:18 +0200
Subject: [PATCH 743/996] bundles/arch-with-gui: s/rfkill/util-linux/
---
 bundles/arch-with-gui/metadata.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/bundles/arch-with-gui/metadata.py b/bundles/arch-with-gui/metadata.py
index d7063f7..f1fa8d0 100644
--- a/bundles/arch-with-gui/metadata.py
+++ b/bundles/arch-with-gui/metadata.py
@@ -33,7 +33,7 @@ defaults = {
 # networking
 'avahi': {},
 'netctl': {},
- 'rfkill': {},
+ 'util-linux': {}, # provides rfkill
 'wpa_supplicant': {},
 'wpa_actiond': {},
From 497d4fff30853072bb59ede8976c8622f64e6949 Mon Sep 17 00:00:00 2001
From: Sophie Schiller
Date: Wed, 4 Sep 2024 21:25:50 +0200
Subject: [PATCH 744/996] miniserver: element-web update
---
 nodes/sophie/miniserver.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/nodes/sophie/miniserver.py b/nodes/sophie/miniserver.py
index b2d6db9..57fe6f4 100644
--- a/nodes/sophie/miniserver.py
+++ b/nodes/sophie/miniserver.py
@@ -63,7 +63,7 @@ nodes['htz-cloud.miniserver'] = {
 },
 'element-web': {
 'url': 'chat.sophies-kitchen.eu',
- 'version': 'v1.11.72',
+ 'version': 'v1.11.76',
 'config': {
 'default_server_config': {
 'm.homeserver': {
From b9216f230b5f8c7e4af75a385cc70ae6633e2521 Mon Sep 17 00:00:00 2001
From: Sophie Schiller
Date: Wed, 4 Sep 2024 23:06:07 +0200
Subject: [PATCH 745/996] matrix-media-repo: extend rate limits
---
 bundles/matrix-media-repo/files/config.yaml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/bundles/matrix-media-repo/files/config.yaml b/bundles/matrix-media-repo/files/config.yaml
index 0b07b0f..3726bb2 100644
--- a/bundles/matrix-media-repo/files/config.yaml
+++ b/bundles/matrix-media-repo/files/config.yaml
@@ -31,7 +31,7 @@ homeservers:
 % endfor
 accessTokens:
- maxCacheTimeSeconds: 0
+ maxCacheTimeSeconds: 10
 useLocalAppserviceConfig: false
 admins:
@@ -137,8 +137,8 @@ thumbnails:
 rateLimit:
 enabled: true
- requestsPerSecond: 10
- burst: 50
+ requestsPerSecond: 100
+ burst: 5000
 identicons:
 enabled: true
From 121a261ecdb269761a9a6834b01060e92f70bd1f Mon Sep 17 00:00:00 2001
From: Sophie Schiller
Date: Wed, 4 Sep 2024 23:06:23 +0200
Subject: [PATCH 746/996] miniserver: actually use signing key
---
 nodes/sophie/miniserver.py | 1 +
 1 file changed, 1 insertion(+)
diff --git a/nodes/sophie/miniserver.py b/nodes/sophie/miniserver.py
index 57fe6f4..a6603b9 100644
--- a/nodes/sophie/miniserver.py
+++ b/nodes/sophie/miniserver.py
@@ -118,6 +118,7 @@ nodes['htz-cloud.miniserver'] = {
 'sophies-kitchen.eu': {
 'domain': 'http://[::1]:20080/',
 'api': 'synapse',
+ 'signing_key_path': "/etc/matrix-synapse/mmr.signing.key"
 },
 },
 'admins': {
From d5881da154ff58b6ac4715c7643c0987425a576c Mon Sep 17 00:00:00 2001
From: Franziska Kunsmann
Date: Sat, 7 Sep 2024 09:07:40 +0200
Subject: [PATCH 747/996] fix sophie backup locations
---
 groups/locations.py | 3 +++
 nodes/sophie/miniserver.py | 1 -
 2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/groups/locations.py b/groups/locations.py
index 00bf560..8f56c2b 100644
--- a/groups/locations.py
+++ b/groups/locations.py
@@ -68,6 +68,9 @@ groups['sophie'] = {
 'icinga_options': {
 'exclude_from_monitoring': True,
 },
+ 'backup-client': {
+ 'target': 'htz-hel.backup-sohpie',
+ },
 'users': {
 'sophie': {},
 },
diff --git a/nodes/sophie/miniserver.py b/nodes/sophie/miniserver.py
index b2d6db9..c4a72b2 100644
--- a/nodes/sophie/miniserver.py
+++ b/nodes/sophie/miniserver.py
@@ -54,7 +54,6 @@ nodes['htz-cloud.miniserver'] = {
 'echo \'core.weechat */layout store\' >> /home/sophie/.weechat/weechat_fifo\n' \
 'echo \'core.weechat */save\' >> /home/sophie/.weechat/weechat_fifo\n',
 },
- 'target': "htz-hel.backup-sophie",
 },
 'backups': {
 'paths': {
From 5e55dc6fb9e966b28ada239284381404bb5a529b Mon Sep 17 00:00:00 2001
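Review bot: `burst: 5000` with `requestsPerSecond: 100` lets a single client issue 5000 requests before the limiter engages and then sustain 100/s, which on a media server all but removes the limiter as a brake on thumbnail generation or bulk download; the values are also fixed in the bundle's template, so every node deploying `matrix-media-repo` inherits miniserver's tuning. Reading them from node metadata with the previous values as defaults, e.g. `requestsPerSecond: ${node.metadata.get('matrix-media-repo/rate_limit/requests_per_second', 10)}`, would let one node opt in without loosening the others. The `maxCacheTimeSeconds: 10` change in the previous hunk means an access token revoked at the homeserver stays accepted by the media repo for up to 10 s, a reasonable trade for fewer homeserver round-trips that deserves a comment next to the value.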
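Review bot: `'signing_key_path': "/etc/matrix-synapse/mmr.signing.key"` uses double quotes and omits the trailing comma while the neighbouring entries in this dict use single quotes and trailing commas; `'signing_key_path': '/etc/matrix-synapse/mmr.signing.key',` keeps the style uniform and avoids a two-line diff on the next addition. The path sits in Synapse's configuration directory, so the media-repo service account must be able to read it; the item that installs that key is not part of this commit, so the file's mode and ownership there are worth confirming.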
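Review bot: `'target': 'htz-hel.backup-sohpie'` in `groups/locations.py` misspells the node name: the line this same commit removes from `nodes/sophie/miniserver.py` read `htz-hel.backup-sophie`, so unless a node called `backup-sohpie` actually exists, every member of `groups['sophie']` now points at a backup target that does not. The fix is `'target': 'htz-hel.backup-sophie',`. A wrong backup target tends to surface only when a restore is needed, so if the backup-client bundle does not already validate that `target` names a known node, adding that check would turn this class of typo into an apply-time error.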
From: Franziska Kunsmann Date: Sat, 7 Sep 2024 09:09:03 +0200 Subject: [PATCH 748/996] update forgejo to 8.0.3 --- nodes/carlene.toml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/nodes/carlene.toml b/nodes/carlene.toml index 16fa613..e5a536a 100644 --- a/nodes/carlene.toml +++ b/nodes/carlene.toml @@ -49,8 +49,8 @@ defaultCountryCode = "DE" jitsi.preferredDomain = "meet.ffmuc.net" [metadata.forgejo] -version = "8.0.2" -sha1 = "c842480b99445b70c314e20be144789711fa7deb" +version = "8.0.3" +sha1 = "a19aa24f26c1ff5a38cf12619b6a6064242d0cf2" domain = "git.franzi.business" enable_git_hooks = true install_ssh_key = true From 455c5c5ce5224f1ea9915095f0b7add606372212 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sat, 7 Sep 2024 13:01:37 +0200 Subject: [PATCH 749/996] update as3320 and as8881 --- configs/as3320.txt | 178 +++++++++++++++---------- configs/as8881.txt | 315 +++++++++------------------------------------ 2 files changed, 170 insertions(+), 323 deletions(-) diff --git a/configs/as3320.txt b/configs/as3320.txt index 2a42ee0..5c42e56 100644 --- a/configs/as3320.txt +++ b/configs/as3320.txt @@ -1,5 +1,7 @@ 109.237.176.0/20 +109.72.116.0/24 116.50.16.0/21 +128.65.164.0/22 129.181.208.0/21 129.181.216.0/22 137.170.112.0/24 @@ -15,13 +17,12 @@ 139.12.4.0/24 141.169.240.0/20 141.77.0.0/16 -141.98.44.0/24 143.99.213.0/24 145.225.16.0/23 146.247.58.0/24 -147.136.84.0/22 147.161.22.0/24 147.78.17.0/24 +147.79.8.0/21 149.208.250.0/23 149.208.252.0/24 149.208.253.0/24 @@ -34,6 +35,7 @@ 149.249.244.0/22 149.249.244.0/23 149.249.246.0/23 +153.17.244.8/29 153.17.249.0/24 153.17.250.0/24 153.17.251.0/24 @@ -46,7 +48,11 @@ 153.97.32.0/24 158.116.231.0/24 160.211.126.0/24 -163.5.168.0/24 +163.5.156.0/24 +163.5.170.0/24 +163.5.186.0/24 +163.5.220.0/24 +163.5.66.0/24 164.133.10.0/24 164.133.11.0/24 164.133.150.0/24 
@@ -60,11 +66,9 @@ 168.199.192.0/22 168.199.212.0/22 170.237.92.0/23 -171.25.178.0/24 -176.221.24.0/24 -176.221.25.0/24 176.53.136.0/24 176.53.137.0/24 +176.57.59.0/24 185.100.160.0/22 185.101.244.0/23 185.101.246.0/23 @@ -76,45 +80,38 @@ 185.131.239.0/24 185.133.12.0/22 185.136.115.0/24 -185.149.25.0/24 -185.149.26.0/24 -185.149.27.0/24 185.149.52.0/24 185.157.101.0/24 185.161.176.0/22 -185.162.72.0/23 185.163.76.0/24 185.163.77.0/24 185.163.78.0/24 185.163.79.0/24 -185.172.38.0/24 -185.172.39.0/24 185.180.224.0/24 185.183.212.0/23 185.183.214.0/23 185.188.64.0/24 +185.195.239.0/24 185.198.13.0/24 185.202.32.0/21 -185.203.148.0/22 185.207.46.0/24 -185.235.71.0/24 +185.21.247.0/24 185.237.0.0/24 185.237.1.0/24 185.237.2.0/24 -185.240.85.0/24 185.242.224.0/24 185.243.44.0/22 185.243.44.0/24 185.243.45.0/24 185.243.46.0/24 185.243.47.0/24 -185.250.42.0/23 185.28.208.0/22 185.39.12.0/22 185.48.0.0/22 +185.57.231.0/24 185.57.24.0/24 185.82.160.0/23 -185.91.204.0/22 +188.214.139.0/24 192.109.121.0/24 192.109.122.0/24 192.109.124.0/24 @@ -176,7 +173,6 @@ 193.110.102.0/23 193.110.102.0/24 193.110.103.0/24 -193.124.35.0/24 193.138.91.0/24 193.141.143.0/24 193.141.180.0/23 @@ -243,7 +239,6 @@ 193.41.10.0/23 193.47.164.0/24 193.53.93.0/24 -193.56.21.0/24 193.58.253.0/24 193.84.136.0/22 193.96.230.0/24 @@ -253,6 +248,7 @@ 193.98.224.0/24 193.99.96.0/20 194.0.151.0/24 +194.0.232.0/24 194.110.133.0/24 194.113.160.0/22 194.113.20.0/23 @@ -295,6 +291,13 @@ 194.15.64.0/21 194.15.72.0/22 194.150.228.0/23 +194.152.128.0/24 +194.152.129.0/24 +194.152.132.0/24 +194.152.141.0/24 +194.152.142.0/24 +194.152.154.0/24 +194.152.155.0/24 194.153.86.0/24 194.156.128.0/22 194.156.148.0/24 
@@ -337,26 +340,20 @@ 194.39.63.0/24 194.39.88.0/21 194.39.97.0/24 -194.45.144.0/21 -194.49.110.0/24 194.49.117.0/24 194.49.118.0/23 194.49.125.0/24 194.49.48.0/24 194.49.54.0/24 -194.49.72.0/24 194.49.73.0/24 194.49.74.0/23 194.49.85.0/24 -194.55.158.0/24 194.55.180.0/24 194.55.183.0/24 194.55.192.0/19 194.55.63.0/24 194.55.64.0/20 194.55.87.0/24 -194.58.40.0/24 -194.58.56.0/23 194.59.143.0/24 194.59.150.0/24 194.59.151.0/24 @@ -382,34 +379,22 @@ 194.76.52.0/24 194.77.41.0/24 194.77.42.0/24 -194.85.248.0/24 -194.85.251.0/24 -194.87.10.0/24 -194.87.17.0/24 -194.87.255.0/24 -194.87.77.0/24 -194.88.112.0/20 194.88.16.0/21 194.88.24.0/23 194.88.26.0/24 194.88.28.0/23 -194.88.96.0/21 194.99.118.0/24 194.99.34.0/24 194.99.76.0/23 194.99.83.0/24 194.99.92.0/22 -195.133.20.0/24 -195.133.64.0/22 195.133.7.0/24 -195.133.76.0/24 195.137.216.0/23 195.138.223.0/24 195.144.15.0/24 195.145.0.0/16 195.149.79.0/24 195.160.248.0/22 -195.178.132.0/22 195.190.2.0/24 195.192.254.0/24 195.200.207.0/24 @@ -436,12 +421,14 @@ 198.40.90.0/24 198.57.10.0/24 2.160.0.0/12 +2.58.100.0/24 2.58.102.0/24 +204.52.120.0/24 +204.52.121.0/24 204.69.32.0/24 205.142.63.0/24 212.184.0.0/15 212.185.0.0/16 -212.87.217.0/24 213.145.90.0/23 213.145.92.0/23 213.173.0.0/19 @@ -450,6 +437,7 @@ 213.209.156.0/24 217.0.0.0/13 217.117.96.0/24 +217.198.189.0/24 217.224.0.0/11 217.24.32.0/20 217.24.33.0/24 @@ -459,35 +447,21 @@ 31.224.0.0/11 31.6.56.0/23 37.143.0.0/22 -37.230.56.0/24 -37.230.57.0/24 -37.230.58.0/23 -37.230.60.0/24 -37.230.63.0/24 37.46.11.0/24 37.50.0.0/15 37.80.0.0/12 -45.128.14.0/23 -45.132.217.0/24 45.132.80.0/22 -45.140.208.0/24 -45.141.130.0/24 -45.142.236.0/24 -45.145.241.0/24 -45.145.243.0/24 +45.141.54.0/24 +45.145.16.0/24 45.147.227.0/24 +45.155.77.0/24 45.81.255.0/24 45.83.136.0/22 -45.84.214.0/24 45.93.186.0/23 -46.20.216.0/21 46.250.224.0/21 46.250.232.0/21 46.78.0.0/15 46.80.0.0/12 -5.10.208.0/24 -5.10.209.0/24 -5.10.220.0/24 5.133.112.0/24 5.249.188.0/22 5.35.192.0/21 
@@ -503,14 +477,11 @@ 64.137.119.0/24 64.137.125.0/24 64.137.127.0/24 -77.242.149.0/24 77.47.152.0/22 77.83.136.0/23 77.83.138.0/23 -77.83.32.0/22 77.90.156.0/24 77.90.184.0/24 -79.139.52.0/22 79.192.0.0/10 80.128.0.0/11 80.128.0.0/12 @@ -522,38 +493,47 @@ 80.157.8.0/21 80.187.0.0/16 80.187.160.0/20 +80.244.13.0/24 80.64.240.0/22 80.71.231.0/24 80.71.233.0/24 80.71.235.0/24 80.71.236.0/24 80.71.238.0/24 +80.83.80.0/21 81.201.32.0/20 -81.30.96.0/20 -82.152.178.0/24 +81.31.210.0/23 +82.163.104.0/21 82.163.60.0/22 82.206.32.0/21 82.206.40.0/21 +82.206.48.0/21 82.215.70.0/24 -83.136.208.0/22 -83.147.36.0/22 83.243.48.0/21 84.128.0.0/10 -84.234.16.0/20 84.246.108.0/24 84.32.108.0/22 84.32.48.0/22 +84.55.0.0/24 +84.55.1.0/24 +84.55.2.0/24 +84.55.3.0/24 +84.55.4.0/24 +84.55.5.0/24 +84.55.6.0/24 +84.55.7.0/24 85.116.28.0/24 85.116.29.0/24 85.116.30.0/24 85.116.31.0/24 85.119.160.0/23 -85.204.160.0/22 +85.204.181.0/24 85.208.248.0/24 85.208.249.0/24 85.208.250.0/24 85.208.251.0/24 -85.237.76.0/22 +86.105.211.0/24 +86.107.164.0/24 86.38.248.0/21 86.38.37.0/24 87.128.0.0/10 @@ -564,10 +544,40 @@ 88.216.60.0/22 89.116.64.0/22 89.213.186.0/23 -89.35.127.0/24 +89.39.97.0/24 89.43.34.0/24 91.0.0.0/10 91.103.240.0/21 +91.124.135.0/24 +91.124.19.0/24 +91.124.20.0/24 +91.124.21.0/24 +91.124.22.0/24 +91.124.23.0/24 +91.124.24.0/24 +91.124.26.0/24 +91.124.27.0/24 +91.124.28.0/24 +91.124.31.0/24 +91.124.32.0/24 +91.124.33.0/24 +91.124.34.0/24 +91.124.36.0/24 +91.124.37.0/24 +91.124.38.0/24 +91.124.39.0/24 +91.124.40.0/24 +91.124.41.0/24 +91.124.42.0/24 +91.124.43.0/24 +91.124.44.0/24 +91.124.45.0/24 +91.124.46.0/24 +91.124.47.0/24 +91.124.50.0/24 +91.124.51.0/24 +91.124.6.0/24 +91.124.7.0/24 91.189.192.0/21 91.194.232.0/23 91.198.113.0/24 
@@ -592,19 +602,40 @@ 91.216.242.0/24 91.216.45.0/24 91.217.214.0/24 +91.221.12.0/23 91.222.232.0/22 91.227.98.0/23 -91.232.136.0/22 91.232.54.0/24 +92.112.128.0/24 +92.112.155.0/24 +92.112.157.0/24 +92.112.16.0/22 +92.112.160.0/24 +92.112.162.0/24 +92.112.165.0/24 +92.112.167.0/24 +92.112.20.0/22 +92.112.48.0/24 +92.112.49.0/24 +92.112.52.0/24 +92.112.54.0/24 +92.112.59.0/24 +92.112.63.0/24 +92.112.64.0/24 +92.112.67.0/24 +92.112.79.0/24 +92.112.81.0/24 +92.112.83.0/24 +92.112.94.0/24 92.114.44.0/22 92.119.164.0/22 92.119.208.0/24 92.119.209.0/24 92.119.210.0/24 92.119.211.0/24 -93.119.184.0/21 +93.113.70.0/24 +93.119.201.0/24 93.192.0.0/10 -93.95.119.0/24 94.126.98.0/24 94.26.110.0/23 94.26.64.0/23 @@ -620,7 +651,6 @@ 2001:678:b38::/48 2001:678:bdc::/48 2001:678:d4c::/48 -2001:678:e9c::/48 2001:678:ff0::/48 2001:67c:11a4::/48 2001:67c:14c4::/48 @@ -641,6 +671,7 @@ 2001:67c:b80::/48 2001:67c:c84::/48 2001:67c:c9c::/48 +2001:67c:ec0::/48 2003:3c0::/28 2003:3e0::/28 2003:8:1800::/48 @@ -663,6 +694,8 @@ 2003::/19 2003::/20 2003::/23 +2a00:5c60:3::/48 +2a00:5c60:a::/48 2a00:6680::/46 2a01:598::/29 2a01:8fa0::/32 @@ -694,8 +727,11 @@ 2a0d:480::/29 2a0d:480::/30 2a0d:484::/30 +2a0e:cbc4::/32 +2a0e:cbc5::/32 +2a0e:cbc6::/32 +2a0e:cbc7::/32 2a0e:eb40::/32 -2a0f:15c0::/32 2a10:cd80::/29 2a11:7400:d1::/48 2a12:6900:1000::/40 diff --git a/configs/as8881.txt b/configs/as8881.txt index 3ff36ae..cd09176 100644 --- a/configs/as8881.txt +++ b/configs/as8881.txt @@ -1,19 +1,13 @@ 104.151.0.0/17 109.250.0.0/16 -109.250.0.0/20 +109.250.0.0/18 109.250.128.0/19 -109.250.16.0/20 109.250.160.0/19 109.250.192.0/19 109.250.224.0/19 -109.250.32.0/19 -109.250.64.0/19 -109.250.80.0/22 -109.250.84.0/22 -109.250.88.0/22 -109.250.92.0/22 -109.250.96.0/19 +109.250.64.0/18 134.101.0.0/21 +14.102.90.0/24 143.58.64.0/18 149.233.32.0/19 153.94.0.0/20 @@ -35,6 +29,7 @@ 185.151.201.0/24 185.151.203.0/24 185.158.48.0/22 +185.187.122.0/24 185.199.205.0/24 185.235.232.0/22 185.8.230.0/23 
@@ -45,13 +40,13 @@ 192.166.84.0/22 192.166.87.0/24 192.166.88.0/21 +192.189.14.0/24 193.101.4.0/23 -193.101.5.0/24 +193.102.10.0/24 193.111.212.0/22 193.111.212.0/24 193.163.13.0/24 -193.163.13.0/25 -193.163.13.128/25 +193.17.225.0/24 193.219.15.0/24 193.22.120.0/21 193.22.120.0/24 @@ -92,7 +87,7 @@ 194.127.144.0/21 194.127.203.0/24 194.139.55.0/24 -194.145.230.0/24 +194.145.218.0/23 194.156.216.0/21 194.156.232.0/23 194.156.233.0/24 @@ -115,24 +110,23 @@ 194.99.0.0/21 195.149.80.0/23 195.167.208.0/20 -195.191.20.0/23 195.202.32.0/19 195.226.160.0/19 195.226.96.0/19 195.234.139.0/24 195.238.233.0/24 -195.244.10.0/23 +195.238.238.0/24 195.64.176.0/23 195.93.158.0/23 202.71.128.0/20 +202.71.141.0/24 212.204.0.0/19 212.7.128.0/19 212.8.0.0/19 212.80.224.0/19 -212.80.224.0/20 -212.80.240.0/20 212.93.0.0/19 213.138.32.0/19 +213.138.35.0/24 213.139.128.0/19 213.182.128.0/19 213.30.192.0/18 
@@ -149,307 +143,155 @@ 45.13.15.0/24 46.142.0.0/16 46.142.0.0/19 -46.142.112.0/20 46.142.128.0/19 46.142.160.0/19 -46.142.194.0/24 46.142.214.0/24 46.142.224.0/19 -46.142.32.0/20 -46.142.48.0/20 +46.142.32.0/19 46.142.64.0/19 +46.142.96.0/19 46.142.96.0/20 46.189.0.0/17 -46.189.116.0/24 61.8.128.0/19 +61.8.128.0/22 +61.8.132.0/22 +61.8.136.0/22 +61.8.144.0/22 +61.8.152.0/22 +61.8.156.0/24 +61.8.157.0/24 62.214.0.0/16 -62.214.213.0/24 62.214.224.0/19 62.217.32.0/19 62.220.0.0/19 62.68.82.0/24 62.72.64.0/19 -62.72.88.0/22 -62.72.92.0/23 -62.72.94.0/24 +62.72.70.0/24 77.74.136.0/21 77.87.190.0/24 +80.241.192.0/20 80.242.160.0/19 82.119.160.0/19 82.140.0.0/18 -82.140.2.0/23 -82.140.2.0/24 -82.140.3.0/24 -82.140.48.0/21 +82.140.48.0/20 82.144.32.0/19 -82.144.34.0/24 -82.144.35.0/24 -82.144.36.0/24 -82.144.37.0/24 82.145.0.0/19 82.194.96.0/19 82.207.128.0/17 82.207.192.0/19 -82.207.224.0/21 -82.207.232.0/22 -82.207.236.0/24 -82.207.240.0/20 -82.207.244.0/24 -82.207.245.0/24 -82.207.246.0/24 -82.207.247.0/24 -82.207.248.0/24 -82.207.249.0/24 -82.207.250.0/24 -82.207.251.0/24 -82.207.252.0/24 -82.207.253.0/24 -82.207.254.0/24 -82.207.255.0/24 83.135.0.0/16 -83.135.0.0/22 +83.135.0.0/20 83.135.112.0/20 83.135.128.0/19 -83.135.16.0/22 83.135.160.0/21 -83.135.164.0/22 83.135.168.0/21 83.135.176.0/22 -83.135.180.0/22 83.135.184.0/21 83.135.192.0/20 -83.135.20.0/24 83.135.208.0/20 -83.135.21.0/24 -83.135.22.0/24 83.135.224.0/22 -83.135.23.0/24 -83.135.230.0/23 83.135.232.0/21 -83.135.24.0/24 83.135.240.0/22 -83.135.244.0/24 -83.135.245.0/24 -83.135.248.0/24 -83.135.249.0/24 -83.135.25.0/24 -83.135.250.0/24 -83.135.251.0/24 -83.135.252.0/24 -83.135.253.0/24 -83.135.254.0/24 -83.135.255.0/24 -83.135.26.0/24 -83.135.27.0/24 -83.135.28.0/24 -83.135.29.0/24 -83.135.30.0/24 -83.135.31.0/24 -83.135.32.0/19 -83.135.4.0/22 83.135.64.0/19 -83.135.8.0/21 83.135.96.0/20 84.19.192.0/19 -84.19.192.0/20 -84.19.208.0/20 87.122.0.0/15 -87.122.0.0/16 87.122.0.0/20 87.122.128.0/21 
-87.122.136.0/22 87.122.144.0/20 87.122.16.0/20 87.122.160.0/20 87.122.176.0/21 -87.122.184.0/24 -87.122.185.0/24 -87.122.186.0/24 -87.122.187.0/24 -87.122.188.0/24 -87.122.189.0/24 -87.122.190.0/24 -87.122.191.0/24 87.122.192.0/19 87.122.224.0/19 87.122.32.0/19 87.122.64.0/19 87.122.96.0/19 -87.123.0.0/16 87.123.0.0/19 -87.123.112.0/20 87.123.128.0/19 87.123.160.0/20 87.123.176.0/20 -87.123.192.0/20 -87.123.208.0/22 +87.123.194.0/24 +87.123.196.0/24 +87.123.203.0/24 87.123.216.0/21 87.123.224.0/20 -87.123.240.0/22 -87.123.244.0/22 -87.123.248.0/22 -87.123.252.0/24 -87.123.253.0/24 -87.123.254.0/24 -87.123.255.0/24 +87.123.240.0/21 87.123.32.0/19 87.123.64.0/20 87.123.80.0/20 87.123.96.0/19 -87.123.96.0/20 88.130.0.0/16 -88.130.0.0/19 -88.130.130.0/23 -88.130.132.0/22 88.130.136.0/21 -88.130.144.0/21 -88.130.152.0/24 -88.130.153.0/24 -88.130.154.0/24 -88.130.155.0/24 -88.130.156.0/22 -88.130.156.0/24 -88.130.157.0/24 -88.130.158.0/24 -88.130.159.0/24 -88.130.160.0/21 -88.130.172.0/22 +88.130.144.0/20 88.130.176.0/21 -88.130.180.0/24 -88.130.181.0/24 -88.130.182.0/24 -88.130.183.0/24 -88.130.184.0/24 -88.130.185.0/24 -88.130.186.0/24 -88.130.187.0/24 -88.130.188.0/24 -88.130.189.0/24 -88.130.190.0/24 -88.130.191.0/24 -88.130.192.0/21 -88.130.200.0/21 -88.130.208.0/21 +88.130.192.0/23 +88.130.194.0/23 88.130.216.0/21 -88.130.216.0/22 -88.130.220.0/24 -88.130.221.0/24 -88.130.222.0/24 -88.130.223.0/24 -88.130.32.0/20 88.130.48.0/24 88.130.49.0/24 88.130.50.0/24 -88.130.51.0/24 88.130.52.0/24 88.130.53.0/24 -88.130.54.0/24 -88.130.55.0/24 +88.130.54.0/23 88.130.56.0/24 88.130.57.0/24 88.130.58.0/24 88.130.59.0/24 -88.130.60.0/24 88.130.61.0/24 -88.130.62.0/24 88.130.63.0/24 88.130.64.0/19 88.130.96.0/19 +89.207.200.0/21 89.244.0.0/14 -89.244.0.0/16 -89.244.112.0/21 89.244.120.0/21 -89.244.120.0/22 -89.244.124.0/24 -89.244.126.0/24 -89.244.127.0/24 89.244.160.0/21 -89.244.164.0/22 -89.244.168.0/21 89.244.176.0/20 89.244.192.0/19 89.244.224.0/20 -89.244.240.0/20 
-89.244.64.0/21 -89.244.72.0/22 +89.244.76.0/24 +89.244.78.0/23 89.244.80.0/20 -89.244.96.0/20 -89.245.0.0/16 +89.244.96.0/22 89.245.0.0/20 +89.245.112.0/20 +89.245.158.0/24 +89.245.159.0/24 89.245.16.0/20 89.245.160.0/20 89.245.176.0/21 -89.245.184.0/24 -89.245.185.0/24 -89.245.186.0/24 -89.245.187.0/24 -89.245.188.0/24 -89.245.189.0/24 -89.245.190.0/24 -89.245.191.0/24 89.245.192.0/19 89.245.224.0/19 89.245.32.0/19 -89.245.32.0/20 -89.245.64.0/20 -89.245.80.0/20 +89.245.64.0/19 89.245.96.0/20 -89.246.0.0/16 89.246.0.0/19 -89.246.104.0/23 -89.246.106.0/24 -89.246.107.0/24 -89.246.108.0/24 -89.246.109.0/24 -89.246.110.0/24 -89.246.111.0/24 89.246.112.0/22 -89.246.116.0/22 -89.246.120.0/24 -89.246.121.0/24 89.246.122.0/24 -89.246.123.0/24 89.246.124.0/22 -89.246.160.0/20 89.246.160.0/21 -89.246.176.0/22 -89.246.180.0/22 89.246.184.0/21 89.246.192.0/19 -89.246.32.0/20 -89.246.48.0/21 -89.246.56.0/21 +89.246.32.0/19 89.246.96.0/21 -89.247.0.0/16 89.247.0.0/19 89.247.112.0/21 +89.247.112.0/22 89.247.120.0/22 -89.247.124.0/24 -89.247.125.0/24 -89.247.126.0/24 -89.247.127.0/24 89.247.144.0/20 89.247.160.0/20 +89.247.179.0/24 89.247.192.0/20 -89.247.208.0/21 89.247.216.0/22 -89.247.224.0/21 +89.247.228.0/22 89.247.232.0/21 -89.247.232.0/22 89.247.236.0/22 -89.247.240.0/21 -89.247.240.0/22 -89.247.252.0/24 -89.247.253.0/24 -89.247.254.0/24 -89.247.255.0/24 +89.247.252.0/22 89.247.32.0/19 89.247.32.0/20 89.247.64.0/20 89.247.80.0/20 -89.247.96.0/20 89.27.128.0/17 -89.27.153.0/24 91.194.180.0/23 91.198.67.0/24 91.199.158.0/24 @@ -468,8 +310,7 @@ 92.116.120.0/21 92.116.128.0/18 92.116.16.0/20 -92.116.192.0/19 -92.116.224.0/19 +92.116.192.0/18 92.116.32.0/19 92.116.64.0/18 92.116.96.0/19 
@@ -483,67 +324,34 @@ 92.117.240.0/21 92.117.248.0/21 92.117.64.0/19 +92.117.96.0/19 94.134.0.0/15 94.134.0.0/18 -94.134.100.0/22 -94.134.112.0/21 -94.134.120.0/24 -94.134.121.0/24 -94.134.122.0/24 -94.134.123.0/24 -94.134.124.0/24 -94.134.125.0/24 -94.134.126.0/24 -94.134.127.0/24 -94.134.128.0/20 +94.134.112.0/22 94.134.144.0/20 94.134.160.0/21 94.134.168.0/22 94.134.172.0/22 -94.134.176.0/20 94.134.176.0/21 -94.134.192.0/20 -94.134.208.0/21 +94.134.192.0/22 94.134.216.0/21 -94.134.224.0/19 -94.134.64.0/20 +94.134.64.0/22 +94.134.68.0/22 94.134.80.0/22 -94.134.84.0/24 -94.134.85.0/24 -94.134.86.0/24 -94.134.87.0/24 -94.134.88.0/24 -94.134.89.0/24 -94.134.90.0/24 -94.134.91.0/24 -94.134.92.0/24 -94.134.93.0/24 -94.134.94.0/24 -94.134.95.0/24 +94.134.88.0/22 +94.134.94.0/23 94.134.96.0/20 -94.134.96.0/22 2001:1438:1000::/36 +2001:1438:1:100::/56 +2001:1438:1:200::/56 +2001:1438:1:300::/56 +2001:1438:1:400::/56 +2001:1438:1:900::/56 +2001:1438:1:a00::/56 2001:1438:2000::/36 2001:1438:3000::/36 2001:1438:4000::/36 2001:1438::/32 -2001:1438:f000::/36 -2001:1438:fff:10::/64 -2001:1438:fff:11::/64 -2001:1438:fff:12::/64 -2001:1438:fff:3::/64 -2001:1438:fff:4::/64 -2001:1438:fff:5::/64 -2001:1438:fff:6::/64 -2001:1438:fff:7::/64 -2001:1438:fff:8::/64 -2001:1438:fff:9::/64 -2001:1438:fff:a::/64 -2001:1438:fff:b::/64 -2001:1438:fff:c::/64 -2001:1438:fff:d::/64 -2001:1438:fff:e::/64 -2001:1438:fff:f::/64 2001:16b8:1000::/40 2001:16b8:100::/40 2001:16b8:1100::/40 @@ -593,12 +401,14 @@ 2001:16b8:a000::/35 2001:16b8:a00::/40 2001:16b8:b00::/40 +2001:16b8:c000::/35 2001:678:c74::/48 2001:67c:27ac::/48 2001:67c:2878::/48 2001:67c:2e8c::/48 2001:67c:660::/48 2001:67c:888::/48 +2001:67c:ed8::/48 2001:7b0::/32 2001:9e8:2000::/35 2001:9e8:4000::/35 @@ -615,10 +425,11 @@ 2a00:fb8:4000::/35 2a00:fb8:6000::/35 2a00:fb8::/29 -2a00:fb8::/32 2a00:fb8::/35 2a03:3fc0:2000::/48 2a07:9400::/29 2a0a:ed40::/29 +2a0b:9e80:1000::/36 2a0d:240::/29 2a0d:ad00::/29 +2a11:d00::/32 
From 3a52cf55c4a99b6a65a33456d04dba748fefe768 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 8 Sep 2024 17:12:20 +0200 Subject: [PATCH 750/996] remove bundle:scansnap --- bundles/scansnap/files/ocr.sh | 21 ------------ bundles/scansnap/files/scan.sh | 9 ------ bundles/scansnap/files/scanbd.conf | 52 ------------------------------ bundles/scansnap/items.py | 39 ---------------------- bundles/scansnap/metadata.py | 22 ------------- nodes/home/nas.py | 7 ---- 6 files changed, 150 deletions(-) delete mode 100644 bundles/scansnap/files/ocr.sh delete mode 100644 bundles/scansnap/files/scan.sh delete mode 100644 bundles/scansnap/files/scanbd.conf delete mode 100644 bundles/scansnap/items.py delete mode 100644 bundles/scansnap/metadata.py diff --git a/bundles/scansnap/files/ocr.sh b/bundles/scansnap/files/ocr.sh deleted file mode 100644 index 04e98f9..0000000 --- a/bundles/scansnap/files/ocr.sh +++ /dev/null @@ -1,21 +0,0 @@ -#!/bin/bash - -set -euo pipefail - -DATE=$(date +%F_%H-%M-%S) - -cd "$1" - -convert *.tiff no_ocr.pdf -ocrmypdf -l deu no_ocr.pdf has_ocr.pdf - -rm -f *.tiff -rm -f no_ocr.pdf - -chown nobody:nogroup has_ocr.pdf - -mv has_ocr.pdf "/srv/scansnap/${DATE}.pdf" - -cd / - -rm -r "$1" diff --git a/bundles/scansnap/files/scan.sh b/bundles/scansnap/files/scan.sh deleted file mode 100644 index ab5800f..0000000 --- a/bundles/scansnap/files/scan.sh +++ /dev/null @@ -1,9 +0,0 @@ -#!/bin/bash - -set -euo pipefail - -OUTFILE=$(mktemp -d) - -scanimage --source 'ADF Duplex' --format tiff --mode Color --brightness 23 --resolution 300 --page-width 210 --page-height 297.3 -x 210 -y 297.3 --batch=${OUTFILE}/p%04d.tiff - -/etc/scanbd/scripts/ocr.sh "$OUTFILE" & diff --git a/bundles/scansnap/files/scanbd.conf b/bundles/scansnap/files/scanbd.conf deleted file mode 100644 index f425338..0000000 --- a/bundles/scansnap/files/scanbd.conf +++ /dev/null 
@@ -1,52 +0,0 @@ -global { - debug = true - debug-level = 2 - - user = saned - group = scanner - - saned = "/usr/sbin/saned" - saned_opt = {} - saned_env = { "SANE_CONFIG_DIR=/etc/scanbd" } - - scriptdir = /etc/scanbd/scripts - - timeout = 500 - - pidfile = "/var/run/scanbd.pid" - - environment { - device = "SCANBD_DEVICE" - action = "SCANBD_ACTION" - } - - function function_knob { - filter = "^message.*" - desc = "The value of the function knob / wheel / selector" - env = "SCANBD_FUNCTION" - } - function function_mode { - filter = "^mode.*" - desc = "Color mode" - env = "SCANBD_FUNCTION_MODE" - } - - multiple_actions = false - action scan { - filter = "^scan.*" - numerical-trigger { - from-value = 0 - to-value = 1 - } - desc = "Scan to file" - script = "scan.sh" - } -} - -include(scanner.d/avision.conf) -include(scanner.d/fujitsu.conf) -include(scanner.d/hp.conf) -include(scanner.d/pixma.conf) -include(scanner.d/snapscan.conf) -include(scanner.d/canon.conf) -include(scanner.d/plustek.conf) diff --git a/bundles/scansnap/items.py b/bundles/scansnap/items.py deleted file mode 100644 index 23f9305..0000000 --- a/bundles/scansnap/items.py +++ /dev/null @@ -1,39 +0,0 @@ -directories = { - '/etc/scanbd/scripts': { - 'purge': True, - }, - '/srv/scansnap': { - 'owner': 'nobody', - 'group': 'nogroup', - }, -} - -files = { - '/etc/scanbd/scanbd.conf': { - 'triggers': { - 'svc_systemd:scanbd:restart', - }, - }, - '/etc/scanbd/scripts/ocr.sh': { - 'mode': '0755', - 'needs': { - 'directory:/srv/scansnap', - }, - }, - '/etc/scanbd/scripts/scan.sh': { - 'mode': '0755', - 'needs': { - 'directory:/srv/scansnap', - 'file:/etc/scanbd/scripts/ocr.sh', - }, - }, -} - -svc_systemd = { - 'scanbd': { - 'needs': { - 'file:/etc/scanbd/scanbd.conf', - 'pkg_apt:scanbd', - }, - }, -} diff --git a/bundles/scansnap/metadata.py b/bundles/scansnap/metadata.py deleted file mode 100644 index b1d5535..0000000 --- a/bundles/scansnap/metadata.py +++ /dev/null 
@@ -1,22 +0,0 @@ -defaults = { - 'apt': { - 'packages': { - 'sane-utils': {}, - 'scanbd': {}, - 'imagemagick': {}, - 'ocrmypdf': {}, - 'tesseract-ocr-deu': {}, - }, - }, - 'backups': { - 'paths': { - '/srv/scansnap', - }, - }, - 'cron': { - 'jobs': { - # Automatically remove files which are older than 14 days - 'scansnap_cleanup': '00 00 * * * root /usr/bin/find /srv/scansnap/ -mindepth 1 -mtime +14 -delete', - }, - }, -} diff --git a/nodes/home/nas.py b/nodes/home/nas.py index e5a1480..46f5aa6 100644 --- a/nodes/home/nas.py +++ b/nodes/home/nas.py @@ -12,7 +12,6 @@ nodes['home.nas'] = { 'nfs-server', 'rsyslogd', 'samba', - 'scansnap', 'smartd', 'vmhost', 'zfs', @@ -150,9 +149,6 @@ nodes['home.nas'] = { '/srv/paperless': { 'home.paperless': 'rw,all_squash,anonuid=65534,anongid=65534,no_subtree_check', }, - '/srv/scansnap': { - '172.19.138.0/24': 'rw,all_squash,anonuid=65534,anongid=65534,no_subtree_check', - }, }, }, 'nginx': { @@ -296,9 +292,6 @@ nodes['home.nas'] = { 'storage/paperless': { 'mountpoint': '/srv/paperless', }, - 'storage/scan': { - 'mountpoint': '/srv/scansnap', - }, }, 'snapshots': { 'retain_per_dataset': { From 6483f863ff2fcdbf78c2aa7a12fd97a518a3611a Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 8 Sep 2024 17:19:03 +0200 Subject: [PATCH 751/996] bundles/rsyslogd: add backups --- bundles/rsyslogd/metadata.py | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/bundles/rsyslogd/metadata.py b/bundles/rsyslogd/metadata.py index aec2591..877e93b 100644 --- a/bundles/rsyslogd/metadata.py +++ b/bundles/rsyslogd/metadata.py @@ -6,6 +6,11 @@ defaults = { 'rsyslog': {}, }, }, + 'backups': { + 'paths': { + '/var/log/rsyslog', + }, + }, 'icinga2_api': { 'rsyslog': { 'services': { From 06a94d7cba8e8190335664894c12623a7b49d81f Mon Sep 17 00:00:00 2001 
From: Franziska Kunsmann Date: Sun, 8 Sep 2024 17:19:13 +0200 Subject: [PATCH 752/996] home.nas: clean up nodefile --- nodes/home/nas.py | 33 --------------------------------- 1 file changed, 33 deletions(-) diff --git a/nodes/home/nas.py b/nodes/home/nas.py index 46f5aa6..02c6790 100644 --- a/nodes/home/nas.py +++ b/nodes/home/nas.py @@ -96,11 +96,6 @@ nodes['home.nas'] = { }, }, }, - 'jellyfin': { - 'restrict-to': { - 'home.lgtv-wohnzimmer', - }, - }, 'mixcloud-downloader': { 'netrc': { 'soundcloud': { @@ -178,10 +173,6 @@ nodes['home.nas'] = { 'smartd': { 'disks': { '/dev/nvme0', - - # ZFS cache disks - #'/dev/disk/by-id/ata-TS64GSSD370_B807810503', - #'/dev/disk/by-id/ata-TS64GSSD370_B807810527', }, }, 'systemd-networkd': { @@ -250,20 +241,6 @@ nodes['home.nas'] = { '/dev/disk/by-id/ata-WDC_WD6003FFBX-68MU3N0_V8J8ZKRR', }, }, -# { -# 'type': 'log', -# 'devices': { -# '/dev/disk/by-id/ata-TS64GSSD370_B807810503-part1', -# '/dev/disk/by-id/ata-TS64GSSD370_B807810527-part1', -# }, -# }, -# { -# 'type': 'cache', -# 'devices': { -# '/dev/disk/by-id/ata-TS64GSSD370_B807810503-part2', -# '/dev/disk/by-id/ata-TS64GSSD370_B807810527-part2', -# }, -# }, ], 'ashift': 12, }, @@ -279,10 +256,6 @@ nodes['home.nas'] = { 'storage/download': { 'mountpoint': '/storage/download', }, - 'storage/inbox': { - 'quota': str(1024*1024*1024*1024), # 1TB - 'mountpoint': '/storage/inbox', - }, 'storage/nas': { 'acltype': 'off', 'atime': 'off', @@ -312,12 +285,6 @@ nodes['home.nas'] = { 'weekly': 6, 'monthly': 24, }, - 'storage/scan': { - 'hourly': 6, - 'daily': 0, - 'weekly': 0, - 'monthly': 0, - }, }, }, }, From 40fcaf56ee417eed954b8e1b1077a53d7f052af2 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 8 Sep 2024 19:42:15 +0200 Subject: [PATCH 753/996] add home.fujitsu-n7100 --- nodes/home.fujitsu-n7100.toml | 9 +++++++++ 1 file changed, 9 insertions(+) create mode 100644 nodes/home.fujitsu-n7100.toml 
diff --git a/nodes/home.fujitsu-n7100.toml b/nodes/home.fujitsu-n7100.toml
new file mode 100644
index 0000000..07d51c0
--- /dev/null
+++ b/nodes/home.fujitsu-n7100.toml
@@ -0,0 +1,9 @@
+dummy = true
+
+[metadata.interfaces.default]
+ips = ["172.19.138.75"]
+dhcp = true
+mac = "00:01:29:59:a9:8c"
+
+[metadata.icinga_options]
+exclude_from_monitoring = true
From 3f9f84f23086e563bb917f434f316b0b21443dc9 Mon Sep 17 00:00:00 2001
From: Franziska Kunsmann
Date: Sun, 8 Sep 2024 19:42:27 +0200
Subject: [PATCH 754/996] home.paperless: add proftpd for paperless ingest
---
bundles/proftpd/items.py | 13 +++++
bundles/proftpd/metadata.py | 26 +++++++++
data/proftpd/files/home.paperless.conf | 74 ++++++++++++++++++++++++++
nodes/home/paperless.py | 6 +++
4 files changed, 119 insertions(+)
create mode 100644 bundles/proftpd/items.py
create mode 100644 bundles/proftpd/metadata.py
create mode 100644 data/proftpd/files/home.paperless.conf
diff --git a/bundles/proftpd/items.py b/bundles/proftpd/items.py
new file mode 100644
index 0000000..506fb1b
--- /dev/null
+++ b/bundles/proftpd/items.py
@@ -0,0 +1,13 @@
+files['/etc/proftpd/proftpd.conf'] = {
+ 'source': f'{node.name}.conf',
+ 'triggers': {
+ 'svc_systemd:proftpd:restart',
+ },
+}
+
+svc_systemd['proftpd'] = {
+ 'needs': {
+ 'file:/etc/proftpd/proftpd.conf',
+ 'pkg_apt:proftpd-core',
+ },
+}
diff --git a/bundles/proftpd/metadata.py b/bundles/proftpd/metadata.py
new file mode 100644
index 0000000..ad33bfb
--- /dev/null
+++ b/bundles/proftpd/metadata.py
@@ -0,0 +1,26 @@
+from bundlewrap.metadata import atomic
+
+defaults = {
+ 'apt': {
+ 'packages': {
+ 'proftpd-core': {},
+ },
+ },
+}
+
+
+@metadata_reactor.provides(
+ 'firewall/port_rules',
+)
+def firewall(metadata):
+ sources = atomic(metadata.get('mosquitto/restrict-to', set()))
+
+ return {
+ 'firewall': {
+ 'port_rules': {
+ '20/tcp': sources,
+ '21/tcp': sources,
+ '49152-50192/tcp': sources,
+ },
+ },
+ }
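Review bot: `ips = ["172.19.138.75"]` is paired with `dhcp = true`, so the address this dummy node is recorded under is only as stable as the lease the scanner is handed, while the proftpd firewall added in the next commit of this series (`restrict-to: home.fujitsu-n7100` in nodes/home/paperless.py) presumably resolves to exactly that address. If the lease is pinned to the `mac` given here, record that in the file so a later reader does not treat the entry as stale: `# address pinned by a DHCP reservation for this mac; keep ips in sync with it`. If it is not pinned, the FTP allow-list silently stops matching the scanner after the next lease change, and nothing will alert on it because `exclude_from_monitoring = true`.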
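Review bot: `firewall()` reads `metadata.get('mosquitto/restrict-to', set())`, which looks like a leftover from the bundle this reactor was copied from: the node file in this same commit (nodes/home/paperless.py) sets `proftpd/restrict-to`, so the three port rules would be built from mosquitto's allow-list, or from the empty default, rather than from the scanner host. It should read `sources = atomic(metadata.get('proftpd/restrict-to', set()))`. A comment above the reactor noting that `49152-50192/tcp` must match `PassivePorts` in data/proftpd/files/home.paperless.conf would also help, since nothing ties the two ranges together.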
diff --git a/data/proftpd/files/home.paperless.conf b/data/proftpd/files/home.paperless.conf new file mode 100644 index 0000000..4d861ad --- /dev/null +++ b/data/proftpd/files/home.paperless.conf @@ -0,0 +1,74 @@ +Include /etc/proftpd/modules.conf + +UseIPv6 on + + IdentLookups off + + +ServerName "home.paperless" +ServerType standalone +DeferWelcome off + +DefaultServer on +ShowSymlinks on + +TimeoutNoTransfer 600 +TimeoutStalled 600 +TimeoutIdle 1200 + +DisplayLogin welcome.msg +DisplayChdir .message true +ListOptions "-l" + +DenyFilter \*.*/ + +RequireValidShell off + +Port 21 + +PassivePorts 49152 50192 + +MaxInstances 30 + +User proftpd +Group nogroup + +Umask 022 022 +AllowOverwrite on + +TransferLog /var/log/proftpd/xferlog +SystemLog /var/log/proftpd/proftpd.log + + + QuotaEngine off + + + + Ratios off + + + + DelayEngine on + + + + ControlsEngine off + ControlsMaxClients 2 + ControlsLog /var/log/proftpd/controls.log + ControlsInterval 5 + ControlsSocket /var/run/proftpd/proftpd.sock + + + + AdminControlsEngine off + + + + User nobody + Group nogroup + UserAlias anonymous ftp + + + AllowAll + + diff --git a/nodes/home/paperless.py b/nodes/home/paperless.py index b734ad3..1c0c00a 100644 --- a/nodes/home/paperless.py +++ b/nodes/home/paperless.py @@ -6,6 +6,7 @@ nodes['home.paperless'] = { 'redis', 'postgresql', 'paperless-ng', + 'proftpd', }, 'groups': { 'debian-bookworm', @@ -53,6 +54,11 @@ nodes['home.paperless'] = { 'postgresql': { 'version': 15, }, + 'proftpd': { + 'restrict-to': { + 'home.fujitsu-n7100', + }, + }, 'vm': { 'cpu': 2, 'ram': 2, From 07f6fb99f29593d3618fd956e0c2e4662916d8c4 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Tue, 10 Sep 2024 06:14:55 +0200 Subject: [PATCH 755/996] bundles/backup-server: more time for monitoring please --- bundles/backup-server/metadata.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/bundles/backup-server/metadata.py b/bundles/backup-server/metadata.py index 692717d..3d78ed6 100644 
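Review bot: The anonymous section near the end (`User nobody`, `Group nogroup`, `UserAlias anonymous ftp`, `AllowAll`; the enclosing directive tags were lost in rendering, so their exact scope is not visible here) grants unauthenticated access, the global `AllowOverwrite on` lets a later upload with the same name replace a scan that has not been consumed yet, and there is no mod_tls configuration, so the only access control for this listener is the firewall allow-list from bundles/proftpd/metadata.py. That is a defensible design for a LAN scanner drop box, but the file should say so, e.g. `# anonymous drop box for the document scanner; access is restricted at the firewall (proftpd/restrict-to), not here`, and `AllowOverwrite off` inside the anonymous section would be worth considering so duplicate file names cannot clobber unconsumed documents.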
--- a/bundles/backup-server/metadata.py
+++ b/bundles/backup-server/metadata.py
@@ -160,7 +160,7 @@ def monitoring(metadata):
 client,
 config['one_backup_every_hours'],
 ),
- 'vars.sshmon_timeout': 20,
+ 'vars.sshmon_timeout': 40,
 }
 
 return {
From 2e72f107e933f3166d5f4e487641cf47398c2861 Mon Sep 17 00:00:00 2001
From: Franziska Kunsmann
Date: Tue, 10 Sep 2024 06:15:48 +0200
Subject: [PATCH 756/996] update paperles to 2.12.0
---
nodes/home/paperless.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/nodes/home/paperless.py b/nodes/home/paperless.py
index 1c0c00a..aeb9c78 100644
--- a/nodes/home/paperless.py
+++ b/nodes/home/paperless.py
@@ -48,7 +48,7 @@ nodes['home.paperless'] = {
 },
 'paperless': {
 'domain': 'paperless.home.kunbox.net',
- 'version': 'v2.11.6',
+ 'version': 'v2.12.0',
 'timezone': 'Europe/Berlin',
 },
 'postgresql': {
From be3a7a44d6454a088ae68309fdecd648bc86b2ab Mon Sep 17 00:00:00 2001
From: Franziska Kunsmann
Date: Thu, 12 Sep 2024 19:58:15 +0200
Subject: [PATCH 757/996] home.nas: new ssd-based pool
---
nodes/home/nas.py | 75 +++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 75 insertions(+)
diff --git a/nodes/home/nas.py b/nodes/home/nas.py
index 02c6790..bf404e4 100644
--- a/nodes/home/nas.py
+++ b/nodes/home/nas.py
@@ -67,6 +67,22 @@ nodes['home.nas'] = {
 '/storage/nas/normen',
 },
 },
+ 'dm-crypt': {
+ 'encrypted-devices': {
+ '/dev/disk/by-id/ata-Samsung_SSD_870_QVO_8TB_S5SSNJ0X409404K': {
+ 'dm-name': 'sam-S5SSNJ0X409404K',
+ 'passphrase': bwpass.password('bw/home.nas/dmcrypt/S5SSNJ0X409404K'),
+ },
+ '/dev/disk/by-id/ata-Samsung_SSD_870_QVO_8TB_S5SSNJ0X409845F': {
+ 'dm-name': 'sam-S5SSNJ0X409845F',
+ 'passphrase': bwpass.password('bw/home.nas/dmcrypt/S5SSNJ0X409845F'),
+ },
+ '/dev/disk/by-id/ata-Samsung_SSD_870_QVO_8TB_S5SSNJ0X409870J': {
+ 'dm-name': 'sam-S5SSNJ0X409870J',
+ 'passphrase': bwpass.password('bw/home.nas/dmcrypt/S5SSNJ0X409870J'),
+ },
+ },
+ },
 'groups': {
 'nas': {},
 },
@@ -173,6 +189,11 @@ nodes['home.nas'] = { 'smartd': { 'disks': { '/dev/nvme0', + + # encrypted disks + '/dev/disk/by-id/ata-Samsung_SSD_870_QVO_8TB_S5SSNJ0X409404K', + '/dev/disk/by-id/ata-Samsung_SSD_870_QVO_8TB_S5SSNJ0X409845F', + '/dev/disk/by-id/ata-Samsung_SSD_870_QVO_8TB_S5SSNJ0X409870J', }, }, 'systemd-networkd': { @@ -245,8 +266,45 @@ nodes['home.nas'] = { 'ashift': 12, }, }, + 'encrypted': { + 'when_creating': { + 'config': [ + { + 'type': 'raidz', + 'devices': { + '/dev/mapper/sam-S5SSNJ0X409404K', + '/dev/mapper/sam-S5SSNJ0X409845F', + '/dev/mapper/sam-S5SSNJ0X409870J', + }, + }, + ], + 'ashift': 12, + }, + 'needs': { + 'action:dm-crypt_open_sam-S5SSNJ0X409404K', + 'action:dm-crypt_open_sam-S5SSNJ0X409845F', + 'action:dm-crypt_open_sam-S5SSNJ0X409870J', + }, + # see comment in bundle:backup-server + 'unless': 'zpool import encrypted', + }, }, 'datasets': { + 'encrypted': { + 'primarycache': 'metadata', + }, + 'encrypted/download': { + 'mountpoint': '/media/download', + }, + 'encrypted/nas': { + 'acltype': 'off', + 'atime': 'off', + 'compression': 'off', + 'mountpoint': '/media/nas', + }, + 'encrypted/paperless': { + 'mountpoint': '/media/paperless', + }, 'storage': { 'primarycache': 'metadata', }, @@ -268,6 +326,23 @@ nodes['home.nas'] = { }, 'snapshots': { 'retain_per_dataset': { + 'encrypted/download': { + 'hourly': 6, + 'daily': 0, + 'weekly': 0, + 'monthly': 0, + }, + 'encrypted/nas': { + # juuuuuuuust to be sure. + 'daily': 14, + 'weekly': 6, + 'monthly': 12, + }, + 'encrypted/paperless': { + 'daily': 14, + 'weekly': 6, + 'monthly': 24, + }, 'storage/download': { 'hourly': 48, 'daily': 0, From aa30b78fcfff312a793234da3fe63b2e2a471205 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sat, 14 Sep 2024 18:29:55 +0200 Subject: [PATCH 758/996] remove daisy --- libs/s2s.py | 2 +- nodes/daisy.toml | 23 ----------------------- 2 files changed, 1 insertion(+), 24 deletions(-) delete mode 100644 nodes/daisy.toml 
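Review bot: `'unless': 'zpool import encrypted'` in the pool hunk is not a pure check: `zpool import <pool>` imports the pool when it exists and is currently exported, and only its failure leads to the pool being created, so the guard has a side effect on every apply. The line above it, `# see comment in bundle:backup-server`, sends the reader to another file for that reasoning; a node file is read on its own, so restate it here, e.g. `# 'zpool import' doubles as the check: it succeeds (and imports) when the pool already exists, so creation only happens on first setup`. The `needs` on the three `action:dm-crypt_open_…` items presumably guarantees the /dev/mapper devices exist before that command runs; a word on that would help too.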
diff --git a/libs/s2s.py b/libs/s2s.py index 136a257..d7c9e9f 100644 --- a/libs/s2s.py +++ b/libs/s2s.py @@ -17,7 +17,7 @@ WG_AUTOGEN_NODES = [ 'home.router', 'htz-cloud.wireguard', 'icinga2', - 'daisy', + None, # daisy ] WG_AUTOGEN_SETTINGS = { diff --git a/nodes/daisy.toml b/nodes/daisy.toml deleted file mode 100644 index b300487..0000000 --- a/nodes/daisy.toml +++ /dev/null @@ -1,23 +0,0 @@ -hostname = "2a11:f2c0:3:4::120" -bundles = [ - "bird", - "wireguard", -] -groups = [ - "debian-bookworm", -] - -[metadata] -location = "glauca" -nameservers = [ - "2606:4700::1111", - "2606:4700:4700::1001", -] -backups.exclude_from_backups = true -icinga_options.period = "daytime" - -[metadata.interfaces.ens18] -ips = [ - "2a11:f2c0:3:4::120/64", -] -gateway6 = "fe80::220:91ff:fe45:e19e" From ec834f2a92038268b4257bed6e59eef83067d441 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sat, 14 Sep 2024 18:32:27 +0200 Subject: [PATCH 759/996] update element-web to 1.11.77 --- nodes/carlene.toml | 2 +- nodes/htz-cloud.afra.toml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/nodes/carlene.toml b/nodes/carlene.toml index e5a536a..a9b6121 100644 --- a/nodes/carlene.toml +++ b/nodes/carlene.toml @@ -40,7 +40,7 @@ imap_pass = "!bwpass_attr:t-online.de/franzi.kunsmann@t-online.de:imap" [metadata.element-web] url = "chat.franzi.business" -version = "v1.11.76" +version = "v1.11.77" [metadata.element-web.config] default_server_config.'m.homeserver'.base_url = "https://matrix.franzi.business" default_server_config.'m.homeserver'.server_name = "franzi.business" diff --git a/nodes/htz-cloud.afra.toml b/nodes/htz-cloud.afra.toml index 1585909..e75586d 100644 --- a/nodes/htz-cloud.afra.toml +++ b/nodes/htz-cloud.afra.toml 
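Review bot: Replacing `'daisy'` with `None,  # daisy` keeps the removed node's slot in `WG_AUTOGEN_NODES`, which only makes sense if later entries are addressed by their list index (key or address derivation, presumably); the comment should say so, or the next cleanup will delete the line and shift every following node: `None,  # daisy, removed 2024-09: slot kept so later indices stay stable`. The list starts outside the hunk, so whether the consumers of this list tolerate `None` entries is not visible here and should be confirmed.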
@@ -32,7 +32,7 @@ routes.'172.19.128.0/20'.via = "172.19.137.1" [metadata.element-web] url = "element.afra.berlin" -version = "v1.11.76" +version = "v1.11.77" [metadata.element-web.config] default_server_config.'m.homeserver'.base_url = "https://matrix.afra.berlin" From a712c098c654d5398a5a92c95ee94e9c30eb8af9 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sat, 14 Sep 2024 18:32:39 +0200 Subject: [PATCH 760/996] update netbox to 4.1.1 --- nodes/carlene.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nodes/carlene.toml b/nodes/carlene.toml index a9b6121..e277e7d 100644 --- a/nodes/carlene.toml +++ b/nodes/carlene.toml @@ -126,7 +126,7 @@ domain = "rss.franzi.business" [metadata.netbox] domain = "netbox.franzi.business" -version = "v4.1.0" +version = "v4.1.1" admins.kunsi = "hostmaster@kunbox.net" [metadata.nextcloud] From ce76b03fe77983db7c50c2aadf53836adb85138d Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 15 Sep 2024 10:26:51 +0200 Subject: [PATCH 761/996] bundles/zfs: configurable scrub time --- bundles/zfs/metadata.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/bundles/zfs/metadata.py b/bundles/zfs/metadata.py index a270d5f..01ed900 100644 --- a/bundles/zfs/metadata.py +++ b/bundles/zfs/metadata.py @@ -170,7 +170,7 @@ def scrub_timer(metadata): 'systemd-timers': { 'timers': { 'zfs-scrub': { - 'when': 'Sun 02:00:00 UTC', + 'when': metadata.get('zfs/scrub_when', 'Sun 02:00:00 UTC'), 'command': scrubs, }, }, From 64fb1906d11ce4e4a40e393e46b0f987f2cb8cc1 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 15 Sep 2024 10:27:08 +0200 Subject: [PATCH 762/996] htz-hel.backup-kunsi: move scrub to wednesday --- nodes/htz-hel/backup-kunsi.py | 3 +++ 1 file changed, 3 insertions(+) diff --git a/nodes/htz-hel/backup-kunsi.py b/nodes/htz-hel/backup-kunsi.py index 6db104e..50996fb 100644 --- a/nodes/htz-hel/backup-kunsi.py +++ b/nodes/htz-hel/backup-kunsi.py 
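Review bot: `metadata.get('zfs/scrub_when', 'Sun 02:00:00 UTC')` introduces a per-node key whose value is passed straight through as the timer's `when`, and the format it must have is documented nowhere in the hunk. A comment on the new line would do, e.g. `# systemd OnCalendar expression (systemd.time(7)); a timezone suffix needs a systemd new enough to parse it`, since the first consumer in this series (nodes/htz-hel/backup-kunsi.py, `'Wed 08:00 Europe/Berlin'`) relies on the timezone form and a value systemd cannot parse would leave the node without scrubs. `scrub_timer()` starts outside the hunk.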
@@ -33,5 +33,8 @@ nodes['htz-hel.backup-kunsi'] = { '/dev/disk/by-id/scsi-0QEMU_QEMU_HARDDISK_drive-scsi1-part1': bwpass.password('bw/backup-kunsi/encryption-passphrase'), }, }, + 'zfs': { + 'scrub_when': 'Wed 08:00 Europe/Berlin', + }, }, } From 9415b281ceff89530629e8e500eacda2a009d0b0 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 15 Sep 2024 13:33:23 +0200 Subject: [PATCH 763/996] update travelynx to 2.8.38 --- nodes/carlene.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nodes/carlene.toml b/nodes/carlene.toml index e277e7d..14deee9 100644 --- a/nodes/carlene.toml +++ b/nodes/carlene.toml @@ -256,7 +256,7 @@ disks = [ ] [metadata.travelynx] -version = "2.8.35" +version = "2.8.38" mail_from = "travelynx@franzi.business" domain = "travelynx.franzi.business" From 8980c05c743284180397664efa83531ab77c0991 Mon Sep 17 00:00:00 2001 From: Sophie Schiller Date: Thu, 19 Sep 2024 22:52:01 +0200 Subject: [PATCH 764/996] new wildcard for sophie's home infra --- data/ssl/_.home.sophies-kitchen.eu.crt.pem | 38 +++++++++---------- ...me.sophies-kitchen.eu.crt_intermediate.pem | 36 +++++++++--------- .../_.home.sophies-kitchen.eu.key.pem.vault | 2 +- 3 files changed, 38 insertions(+), 38 deletions(-) diff --git a/data/ssl/_.home.sophies-kitchen.eu.crt.pem b/data/ssl/_.home.sophies-kitchen.eu.crt.pem index 6f6da9e..df6ad40 100644 --- a/data/ssl/_.home.sophies-kitchen.eu.crt.pem +++ b/data/ssl/_.home.sophies-kitchen.eu.crt.pem 
@@ -1,23 +1,23 @@ -----BEGIN CERTIFICATE----- -MIIDxzCCA02gAwIBAgISBDW3AazQEdYbYaSrLIoUKbvsMAoGCCqGSM49BAMDMDIx +MIIDxjCCA0ygAwIBAgISBIbwgyWchKDri2pD+Lk46M3eMAoGCCqGSM49BAMDMDIx CzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQDEwJF -NjAeFw0yNDA2MjExNjUzNDBaFw0yNDA5MTkxNjUzMzlaMCIxIDAeBgNVBAMTF2hv -bWUuc29waGllcy1raXRjaGVuLmV1MHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEQDuO -QacqKUrKWbwBWgSqPkaBIb4t6f4kiRMvCyY8KiZmIvJadVD6iKnbcGzFQ0LRI+vt -+O6ZVpwsUOXvgF3PB7o7OfODlVsKRc4pYJPvoRRaz1VlK6eZW20GGivBVgl0o4IC -NDCCAjAwDgYDVR0PAQH/BAQDAgeAMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEF -BQcDAjAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBRScRdoEyCVXr1PC0yvKusaOO5i -dTAfBgNVHSMEGDAWgBSTJ0aYA6lRaI6Y1sRCSNsjv1iU0jBVBggrBgEFBQcBAQRJ -MEcwIQYIKwYBBQUHMAGGFWh0dHA6Ly9lNi5vLmxlbmNyLm9yZzAiBggrBgEFBQcw -AoYWaHR0cDovL2U2LmkubGVuY3Iub3JnLzA9BgNVHREENjA0ghkqLmhvbWUuc29w +NTAeFw0yNDA5MTkxOTQ5NDFaFw0yNDEyMTgxOTQ5NDBaMCIxIDAeBgNVBAMTF2hv +bWUuc29waGllcy1raXRjaGVuLmV1MHYwEAYHKoZIzj0CAQYFK4EEACIDYgAE4rKd +PfAtfQts90WjdnsscizZzlUF/HZBx97kT4/eWgyU/MNOFGF4WqGA92OX0ymZVJ7l +D4CnHq96odx0LqHBQ+W+MXNlsWnwBTUOPKp8XyUeDhZbkgNJDR8nGtHje9a8o4IC +MzCCAi8wDgYDVR0PAQH/BAQDAgeAMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEF +BQcDAjAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBSONIAWFPI0mqJYBqnWk1J0Ea27 +sDAfBgNVHSMEGDAWgBSfK1/PPCFPnQS37SssxMZwi9LXDTBVBggrBgEFBQcBAQRJ +MEcwIQYIKwYBBQUHMAGGFWh0dHA6Ly9lNS5vLmxlbmNyLm9yZzAiBggrBgEFBQcw +AoYWaHR0cDovL2U1LmkubGVuY3Iub3JnLzA9BgNVHREENjA0ghkqLmhvbWUuc29w aGllcy1raXRjaGVuLmV1ghdob21lLnNvcGhpZXMta2l0Y2hlbi5ldTATBgNVHSAE -DDAKMAgGBmeBDAECATCCAQQGCisGAQQB1nkCBAIEgfUEgfIA8AB1AEiw42vapkc0 -D+VqAvqdMOscUgHLVt0sgdm7v6s52IRzAAABkDvuwaIAAAQDAEYwRAIgP3lyMqvr -+a7XWoRLxzQzhv6umJ/hiQPTWen3qqTao34CIGLq9y9ZPZUuo2smf49h9v9I9B4t -o6ihFaHoOB68q37DAHcA3+FW66oFr7WcD4ZxjajAMk6uVtlup/WlagHRwTu+UlwA -AAGQO+7CZAAABAMASDBGAiEAjl1f87koOUNfTNL4IRO+BBEVeHCxPvYRaztVJoC0 -x6ECIQDblc+Snmea3OSqydLcyi8xgdtMySyQgPElXLtM7H+RUjAKBggqhkjOPQQD -AwNoADBlAjA0FOSmTiYrA9Hd2T5DkI2TMOH2akk8SxXprkei6H37bI8O3br7ke8t 
-jwHWVtvN4d8CMQDohhdWUQ3G8Fl4ektN34oX6U3NcywBm96U3RVt5JYcfnn8ea68 -Qboj263s/g0Ciqs= +DDAKMAgGBmeBDAECATCCAQMGCisGAQQB1nkCBAIEgfQEgfEA7wB1AEiw42vapkc0 +D+VqAvqdMOscUgHLVt0sgdm7v6s52IRzAAABkgwK350AAAQDAEYwRAIga5zPs7YZ +mJqbxhinEJKKQ9XCe1w/MhBzFMzwHFGbaPgCIHeprkwET14Y3h5dmUF7szwTg1Ey +zqLM+GQL3t7EAX2cAHYAPxdLT9ciR1iUHWUchL4NEu2QN38fhWrrwb8ohez4ZG4A +AAGSDArfogAABAMARzBFAiEA0faR1cyqpmCyHo/0KCv04fkpwgzWdMY+WopJXDLD +zz8CIEBKANatmiRstc5D69jKhq2beHldLZB3jRfm1WlWqmxJMAoGCCqGSM49BAMD +A2gAMGUCMCrpe2jxoTH410jNJPOnbN4ae0Ng54JtRNcFWHlcwpk07NrByJSTPWDd +zr7AYsbbVQIxAOGboJcIxsuf+rN30iWoe5KwCY3sd5XW8bEKFQnugIVHxAQKnHNc +0InWz2sVWYKNBA== -----END CERTIFICATE----- diff --git a/data/ssl/_.home.sophies-kitchen.eu.crt_intermediate.pem b/data/ssl/_.home.sophies-kitchen.eu.crt_intermediate.pem index 4652201..59039ae 100644 --- a/data/ssl/_.home.sophies-kitchen.eu.crt_intermediate.pem +++ b/data/ssl/_.home.sophies-kitchen.eu.crt_intermediate.pem 
@@ -1,27 +1,27 @@ -----BEGIN CERTIFICATE----- -MIIEVzCCAj+gAwIBAgIRALBXPpFzlydw27SHyzpFKzgwDQYJKoZIhvcNAQELBQAw +MIIEVzCCAj+gAwIBAgIRAIOPbGPOsTmMYgZigxXJ/d4wDQYJKoZIhvcNAQELBQAw TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMjQwMzEzMDAwMDAw WhcNMjcwMzEyMjM1OTU5WjAyMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNTGV0J3Mg -RW5jcnlwdDELMAkGA1UEAxMCRTYwdjAQBgcqhkjOPQIBBgUrgQQAIgNiAATZ8Z5G -h/ghcWCoJuuj+rnq2h25EqfUJtlRFLFhfHWWvyILOR/VvtEKRqotPEoJhC6+QJVV -6RlAN2Z17TJOdwRJ+HB7wxjnzvdxEP6sdNgA1O1tHHMWMxCcOrLqbGL0vbijgfgw +RW5jcnlwdDELMAkGA1UEAxMCRTUwdjAQBgcqhkjOPQIBBgUrgQQAIgNiAAQNCzqK +a2GOtu/cX1jnxkJFVKtj9mZhSAouWXW0gQI3ULc/FnncmOyhKJdyIBwsz9V8UiBO +VHhbhBRrwJCuhezAUUE8Wod/Bk3U/mDR+mwt4X2VEIiiCFQPmRpM5uoKrNijgfgw gfUwDgYDVR0PAQH/BAQDAgGGMB0GA1UdJQQWMBQGCCsGAQUFBwMCBggrBgEFBQcD -ATASBgNVHRMBAf8ECDAGAQH/AgEAMB0GA1UdDgQWBBSTJ0aYA6lRaI6Y1sRCSNsj -v1iU0jAfBgNVHSMEGDAWgBR5tFnme7bl5AFzgAiIyBpY9umbbjAyBggrBgEFBQcB +ATASBgNVHRMBAf8ECDAGAQH/AgEAMB0GA1UdDgQWBBSfK1/PPCFPnQS37SssxMZw +i9LXDTAfBgNVHSMEGDAWgBR5tFnme7bl5AFzgAiIyBpY9umbbjAyBggrBgEFBQcB AQQmMCQwIgYIKwYBBQUHMAKGFmh0dHA6Ly94MS5pLmxlbmNyLm9yZy8wEwYDVR0g BAwwCjAIBgZngQwBAgEwJwYDVR0fBCAwHjAcoBqgGIYWaHR0cDovL3gxLmMubGVu -Y3Iub3JnLzANBgkqhkiG9w0BAQsFAAOCAgEAfYt7SiA1sgWGCIpunk46r4AExIRc -MxkKgUhNlrrv1B21hOaXN/5miE+LOTbrcmU/M9yvC6MVY730GNFoL8IhJ8j8vrOL -pMY22OP6baS1k9YMrtDTlwJHoGby04ThTUeBDksS9RiuHvicZqBedQdIF65pZuhp -eDcGBcLiYasQr/EO5gxxtLyTmgsHSOVSBcFOn9lgv7LECPq9i7mfH3mpxgrRKSxH -pOoZ0KXMcB+hHuvlklHntvcI0mMMQ0mhYj6qtMFStkF1RpCG3IPdIwpVCQqu8GV7 -s8ubknRzs+3C/Bm19RFOoiPpDkwvyNfvmQ14XkyqqKK5oZ8zhD32kFRQkxa8uZSu -h4aTImFxknu39waBxIRXE4jKxlAmQc4QjFZoq1KmQqQg0J/1JF8RlFvJas1VcjLv -YlvUB2t6npO6oQjB3l+PNf0DpQH7iUx3Wz5AjQCi6L25FjyE06q6BZ/QlmtYdl/8 -ZYao4SRqPEs/6cAiF+Qf5zg2UkaWtDphl1LKMuTNLotvsX99HP69V2faNyegodQ0 -LyTApr/vT01YPE46vNsDLgK+4cL6TrzC/a4WcmF5SRJ938zrv/duJHLXQIku5v0+ -EwOy59Hdm0PT/Er/84dDV0CSjdR/2XuZM3kpysSKLgD1cKiDA+IRguODCxfO9cyY -Ig46v9mFmBvyH04= 
+Y3Iub3JnLzANBgkqhkiG9w0BAQsFAAOCAgEAH3KdNEVCQdqk0LKyuNImTKdRJY1C +2uw2SJajuhqkyGPY8C+zzsufZ+mgnhnq1A2KVQOSykOEnUbx1cy637rBAihx97r+ +bcwbZM6sTDIaEriR/PLk6LKs9Be0uoVxgOKDcpG9svD33J+G9Lcfv1K9luDmSTgG +6XNFIN5vfI5gs/lMPyojEMdIzK9blcl2/1vKxO8WGCcjvsQ1nJ/Pwt8LQZBfOFyV +XP8ubAp/au3dc4EKWG9MO5zcx1qT9+NXRGdVWxGvmBFRAajciMfXME1ZuGmk3/GO +koAM7ZkjZmleyokP1LGzmfJcUd9s7eeu1/9/eg5XlXd/55GtYjAM+C4DG5i7eaNq +cm2F+yxYIPt6cbbtYVNJCGfHWqHEQ4FYStUyFnv8sjyqU8ypgZaNJ9aVcWSICLOI +E1/Qv/7oKsnZCWJ926wU6RqG1OYPGOi1zuABhLw61cuPVDT28nQS/e6z95cJXq0e +K1BcaJ6fJZsmbjRgD5p3mvEf5vdQM7MCEvU0tHbsx2I5mHHJoABHb8KVBgWp/lcX +GWiWaeOyB7RP+OfDtvi2OsapxXiV7vNVs7fMlrRjY1joKaqmmycnBvAq14AEbtyL +sVfOS66B8apkeFX2NY4XPEYV4ZSCe8VHPrdrERk2wILG3T/EGmSIkCYVUMSnjmJd +VQD9F6Na/+zmXCc= -----END CERTIFICATE----- diff --git a/data/ssl/_.home.sophies-kitchen.eu.key.pem.vault b/data/ssl/_.home.sophies-kitchen.eu.key.pem.vault index 2bc548a..ce7b75d 100644 --- a/data/ssl/_.home.sophies-kitchen.eu.key.pem.vault +++ b/data/ssl/_.home.sophies-kitchen.eu.key.pem.vault 
@@ -1 +1 @@ -encrypt$gAAAAABmdb4pdFakOuqHPRpEu_RjEPVVS9Ef0kuvWKKT3Gr3056e0nhinh_THX1w7CqiZ4CQlvSIH7vlDNUORFWlqDuZJOh8FYPSzjr78aK1MqVGZHxQBK8VVNd0K5m1U3z9_4W_pB7Zr_5fLXDqtIW-t68GQPEfxCwy2h2eBepQ2zJiLupWa7JwuqiXH6QyB4gD5Y-9F30RjH52WtJLrx6XtgClPG0p-6FrHcNHqmMYqgpt11zvLa88lOBUoDGFrrqqFRbY039ay2b1jrQOAhTQLDxnAMsbr5jTSbST1modE-1u_Wis-Km-jcMwkiViZpK-HC6Ce_TNdt1NDarBat6nRhTrpqHXENlroVixHmGl1_-Y6mc75tJ-KHQKRRzwK8V_X62iA3vfSz1Xps8B1FZqxJWA2EdM0JkQecCuC-bnpedEoumYnif3vLhe91NV8SQ5FBlkd3NFT8vBAWCgnqT_jDf5YQW70w== \ No newline at end of file +encrypt$gAAAAABm7I7N50TwtCs2LUt_MArRJnLQ-xLFVhr-zDtdWUVMejViIN2O9h5d_RP45jWt5BpxIkTORarcULXprEXp7zbb-CR5CTwbsNK6HnvSHPwuwXuxJQKRJtT4wWfYEFOxY9aUR9gxvXc3arsYHwVsGyLOeWA_6YzjO5IpL1LfQrsJuUE_1p9sKRyPpslmOJtD5OihMtIfAJNzBDwOSE_gdtLa8iae3DHtSvmKbGKSvwQEZ0pkJxVTVXJY4wddQmdsuV0ky04ls_tUINH8t6IMTJCt_5_ELzpTSdcHgV6W4yh8r_LTEH38n2boYnz3fKgieHnDHDWxFW1EYA2JWjkamH7hQ8iOMl8bqQieFAENnYjF41iz6tSCjfxVyKt_OfJUAwMScVMhPsuaI_i_ZB0Ge6BLsMwkw0d3yw06CwRQ3N7PcPPJLhL_eQS3EuV7Y-7Vv64secplJJIkcFfm1t5zcGkkm4-pDw== \ No newline at end of file From 0d28883da326e4b5746e0fdb260f53bb61d8ca29 Mon Sep 17 00:00:00 2001 From: Sophie Schiller Date: Thu, 19 Sep 2024 22:55:15 +0200 Subject: [PATCH 765/996] fix name of backup server --- groups/locations.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/groups/locations.py b/groups/locations.py index 8f56c2b..bd8473c 100644 --- a/groups/locations.py +++ b/groups/locations.py @@ -69,7 +69,7 @@ groups['sophie'] = { 'exclude_from_monitoring': True, }, 'backup-client': { - 'target': 'htz-hel.backup-sohpie', + 'target': 'htz-hel.backup-sophie', }, 'users': { 'sophie': {}, From 95c5b28469de154ff5fbb5220802dc4431081e4b Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Mon, 16 Sep 2024 07:02:27 +0200 Subject: [PATCH 766/996] basic monitoring for proxmox-backupstorage --- nodes/htz-hel/proxmox-backupstorage.toml | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) 
diff --git a/nodes/htz-hel/proxmox-backupstorage.toml b/nodes/htz-hel/proxmox-backupstorage.toml index 19d83d3..0c6d7ac 100644 --- a/nodes/htz-hel/proxmox-backupstorage.toml +++ b/nodes/htz-hel/proxmox-backupstorage.toml @@ -1,5 +1,6 @@ hostname = "2a01:4f9:6b:2d99::c0ff:ee" -dummy = true +#dummy = true +bundles = ["sshmon", "smartd"] # How to install: # - Get server at Hetzner (no IPv4) @@ -17,3 +18,11 @@ dummy = true # - IPv6 only # - IP from the /64 hetzner gives us # - Gateway is the host itself, to work around the MAC filter hetzner uses + +[metadata.smartd] +disks = [ + "/dev/sda", + "/dev/sdb", + "/dev/sdc", + "/dev/sdd", +] From c6421c7bd4edbff517168b196e4cfab747a287bd Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Fri, 20 Sep 2024 15:33:56 +0200 Subject: [PATCH 767/996] update travelynx to 2.8.39 --- nodes/carlene.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nodes/carlene.toml b/nodes/carlene.toml index 14deee9..5466246 100644 --- a/nodes/carlene.toml +++ b/nodes/carlene.toml @@ -256,7 +256,7 @@ disks = [ ] [metadata.travelynx] -version = "2.8.38" +version = "2.8.39" mail_from = "travelynx@franzi.business" domain = "travelynx.franzi.business" From 423049667fa765c28d0c01ab04f7de26dce6edfa Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Mon, 23 Sep 2024 18:09:49 +0200 Subject: [PATCH 768/996] bundles/nftables: improve handling for icmp --- bundles/nftables/files/nftables.conf | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/bundles/nftables/files/nftables.conf b/bundles/nftables/files/nftables.conf index c39e8be..56fba34 100644 --- a/bundles/nftables/files/nftables.conf +++ b/bundles/nftables/files/nftables.conf @@ -23,9 +23,8 @@ table inet filter { icmp type timestamp-request drop icmp type timestamp-reply drop - ip protocol icmp accept + meta l4proto {icmp, ipv6-icmp} accept - ip6 nexthdr ipv6-icmp accept % for ruleset, rules in sorted(input.items()): # ${ruleset} 
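Review bot: The `[metadata.smartd]` disk list uses kernel enumeration names `/dev/sda` … `/dev/sdd`, which can be reassigned after a reboot or a disk swap, while the repository elsewhere addresses disks by stable `/dev/disk/by-id/` paths (nodes/htz-hel/backup-kunsi.py in this same series). Switching the four entries to their by-id paths (placeholder: `"/dev/disk/by-id/<DISK_ID>"`) keeps SMART monitoring attached to the physical device rather than to whatever currently enumerates as `sda`. The first hunk also leaves `#dummy = true` behind as commented-out configuration; removing the line is clearer than keeping it.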
From abdc7f751e50b29653caac146a88837503938583 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Wed, 25 Sep 2024 21:45:52 +0200 Subject: [PATCH 769/996] update pretalx-halfnarp to 1.1.2 --- nodes/voc/pretalx.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nodes/voc/pretalx.py b/nodes/voc/pretalx.py index 845aa23..b75ba3c 100644 --- a/nodes/voc/pretalx.py +++ b/nodes/voc/pretalx.py @@ -64,7 +64,7 @@ nodes['voc.pretalx'] = { }, 'halfnarp': { 'repo': 'https://github.com/seibert-media/pretalx-halfnarp.git', - 'rev': '1.1.0', + 'rev': '1.1.2', }, 'media.ccc.de': { 'repo': 'https://github.com/pretalx/pretalx-media-ccc-de.git', From 4a28bc55c0d3c07d08f8bedf5ca62e0a4fbb3aa4 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Fri, 27 Sep 2024 08:42:58 +0200 Subject: [PATCH 770/996] bundles/homeassistant: rework check_homeassistant_update --- .../files/check_homeassistant_update | 72 +++++++++---------- bundles/homeassistant/items.py | 2 +- nodes/home.hass.toml | 2 +- 3 files changed, 35 insertions(+), 41 deletions(-) diff --git a/bundles/homeassistant/files/check_homeassistant_update b/bundles/homeassistant/files/check_homeassistant_update index ff2b0d7..0e6f2e8 100644 --- a/bundles/homeassistant/files/check_homeassistant_update +++ b/bundles/homeassistant/files/check_homeassistant_update 
@@ -2,48 +2,42 @@ from sys import exit -import requests from packaging import version +from requests import get -bearer = "${bearer}" -domain = "${domain}" -OK = 0 -WARN = 1 -CRITICAL = 2 -UNKNOWN = 3 - -status = 3 -message = "Unknown Update Status" - - -domain = "hass.home.kunbox.net" - -s = requests.Session() -s.headers.update({"Content-Type": "application/json"}) +API_TOKEN = "${token}" +DOMAIN = "${domain}" try: - stable_version = version.parse( - s.get("https://version.home-assistant.io/stable.json").json()["homeassistant"][ - "generic-x86-64" - ] - ) - s.headers.update( - {"Authorization": f"Bearer {bearer}", "Content-Type": "application/json"} - ) - running_version = version.parse( - s.get(f"https://{domain}/api/config").json()["version"] - ) - if running_version == stable_version: - status = 0 - message = f"OK - running version {running_version} equals stable version {stable_version}" - elif running_version > stable_version: - status = 1 - message = f"WARNING - stable version {stable_version} is lower than running version {running_version}, check if downgrade is necessary." 
- else: - status = 2 - message = f"CRITICAL - update necessary, running version {running_version} is lower than stable version {stable_version}" + r = get("https://version.home-assistant.io/stable.json") + r.raise_for_status() + stable_version = r.json()["homeassistant"]["generic-x86-64"] except Exception as e: - message = f"{message}: {repr(e)}" + print(f"Could not get stable version information from home-assistant.io: {e!r}") + exit(3) -print(message) -exit(status) +try: + r = get( + f"https://{DOMAIN}/api/config", + headers={"Authorization": f"Bearer {API_TOKEN}", "Content-Type": "application/json"}, + ) + r.raise_for_status() + running_version = r.json()["version"] +except Exception as e: + print(f"Could not get running version information from homeassistant: {e!r}") + exit(3) + +try: + if stable_version > running_version: + print( + f"There is a newer version available: {stable_version} (currently installed: {running_version})" + ) + exit(2) + else: + print( + f"Currently running version {running_version} matches newest release on home-assistant.io" + ) + exit(0) +except Exception as e: + print(repr(e)) + exit(3) diff --git a/bundles/homeassistant/items.py b/bundles/homeassistant/items.py index 67042d1..92f097b 100644 --- a/bundles/homeassistant/items.py +++ b/bundles/homeassistant/items.py @@ -30,7 +30,7 @@ files = { '/usr/local/share/icinga/plugins/check_homeassistant_update': { 'content_type': 'mako', 'context': { - 'bearer': repo.vault.decrypt(node.metadata.get('homeassistant/api_secret')), + 'token': node.metadata.get('homeassistant/api_secret'), 'domain': node.metadata.get('homeassistant/domain'), }, 'mode': '0755', diff --git a/nodes/home.hass.toml b/nodes/home.hass.toml index b29dd0e..2c52708 100644 --- a/nodes/home.hass.toml +++ b/nodes/home.hass.toml 
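Review bot: The comparison `if stable_version > running_version:` now operates on the raw JSON strings, because `version.parse` is no longer applied to either value even though `from packaging import version` is still imported; lexicographic ordering misorders numeric components (constructed example: `"2024.9.3" > "2024.10.1"` is true as strings), so the check can report CRITICAL on an up-to-date install or OK on a stale one. Wrap both values, `stable_version = version.parse(r.json()["homeassistant"]["generic-x86-64"])` and `running_version = version.parse(r.json()["version"])`, or drop the unused import if plain string comparison is really intended. Both `get(...)` calls also run without a `timeout=` argument, so a hanging endpoint blocks the plugin until the scheduler kills it; pass an explicit timeout on each call. The old WARNING branch for a running version newer than stable is folded into the OK path, which may be intentional but deserves a one-line comment.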
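Review bot: The rendered plugin now receives the API token through `'token': node.metadata.get('homeassistant/api_secret')` and is still written with `'mode': '0755'`, so the bearer token embedded in the file is readable by every local account on the host. Unless all local users are trusted, a mode such as `'0750'` with ownership matching the account that runs the check (not visible in the hunk) would limit exposure of the token. The `files` dict continues outside the hunk.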
@@ -22,7 +22,7 @@ ram = 2 [metadata.homeassistant] domain = 'hass.home.kunbox.net' -api_secret = 'encrypt$gAAAAABjpyuqXLoilokQW5c0zV8shHcOzN1zkEbS-I6WAAX-xDO_OF33YbjbkpELU2HGBzqiWX40J0hsaEbYJOnCHFk8gJ-Xt0vdqqbQ5vca_TGPNQHZPAS4qZoPTcUhmX_I-0EdT6ukhxejXFYBiYRZikTLjH3lcNM5qnckCm-H9NbRdjLb9hbCDIjbEglHmBl_g08S1_ukvX3dDSCIHIxgXXGsdK_Go1KxPJd8G22FL_MMhCfsTW-6ioIqoHSeSA1NGk3MZHEIM2errckiopKBxoBaROsacO9Uqk1zrrgXOs2NsgiTRtrbV1TNlFVaIX9mZdsUnMGZ' +api_secret = '!decrypt:encrypt$gAAAAABm9lNg_mNhyzb4S6WRtVRDmQFBnPpoCwyqMnilRrAFUXc-EDvv-nYXPbSIbjTf7ZReTPtqr8k3WrGPqiuqhJ60LVv4A5DMqT5c6hTVr4WbhP4DPEIPgfd5aq6U9_-H9WDyQYHKjnunLJEYtEREzmhTq3XsYeQ05DyE7hfnQ-zVoBb0CsAK7GdhihRTdvhXv2N9M04_rigyBP-roRcUgCqwyHuWJc0IPAyn3R4Mr43ZqgR2fn6dNV_YUVKn9c0nWxIwRnYy6Ff_Te9NoGVmXxkiNUX-90bBLKFiCzrRAtizxrTiQb2SRipaWbgOlV6wbMy2KNux' [metadata.nginx] restrict-to = [ From c699f0d5105e5234a2b8c1eb36c1eda012cc8d25 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Fri, 27 Sep 2024 08:50:52 +0200 Subject: [PATCH 771/996] update element-web to 1.11.78 --- nodes/carlene.toml | 2 +- nodes/htz-cloud.afra.toml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/nodes/carlene.toml b/nodes/carlene.toml index 5466246..1ec3187 100644 --- a/nodes/carlene.toml +++ b/nodes/carlene.toml @@ -40,7 +40,7 @@ imap_pass = "!bwpass_attr:t-online.de/franzi.kunsmann@t-online.de:imap" [metadata.element-web] url = "chat.franzi.business" -version = "v1.11.77" +version = "v1.11.78" [metadata.element-web.config] default_server_config.'m.homeserver'.base_url = "https://matrix.franzi.business" default_server_config.'m.homeserver'.server_name = "franzi.business" diff --git a/nodes/htz-cloud.afra.toml b/nodes/htz-cloud.afra.toml index e75586d..443ffa3 100644 --- a/nodes/htz-cloud.afra.toml +++ b/nodes/htz-cloud.afra.toml 
@@ -32,7 +32,7 @@ routes.'172.19.128.0/20'.via = "172.19.137.1" [metadata.element-web] url = "element.afra.berlin" -version = "v1.11.77" +version = "v1.11.78" [metadata.element-web.config] default_server_config.'m.homeserver'.base_url = "https://matrix.afra.berlin" From 8a28886012b17faa12810aad809c152e48ad33df Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Fri, 27 Sep 2024 08:51:08 +0200 Subject: [PATCH 772/996] update netbox to 4.1.2 --- nodes/carlene.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nodes/carlene.toml b/nodes/carlene.toml index 1ec3187..7241f6c 100644 --- a/nodes/carlene.toml +++ b/nodes/carlene.toml @@ -126,7 +126,7 @@ domain = "rss.franzi.business" [metadata.netbox] domain = "netbox.franzi.business" -version = "v4.1.1" +version = "v4.1.2" admins.kunsi = "hostmaster@kunbox.net" [metadata.nextcloud] From 2564f416c22b203eb53f0a8a362c8e7777a951dc Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Fri, 27 Sep 2024 08:51:20 +0200 Subject: [PATCH 773/996] update paperless to 2.12.1 --- nodes/home/paperless.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nodes/home/paperless.py b/nodes/home/paperless.py index aeb9c78..859eb07 100644 --- a/nodes/home/paperless.py +++ b/nodes/home/paperless.py @@ -48,7 +48,7 @@ nodes['home.paperless'] = { }, 'paperless': { 'domain': 'paperless.home.kunbox.net', - 'version': 'v2.12.0', + 'version': 'v2.12.1', 'timezone': 'Europe/Berlin', }, 'postgresql': { From 7b6d811128371a07b83439663b1dc4cedc72f559 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Fri, 27 Sep 2024 10:02:27 +0200 Subject: [PATCH 774/996] bundles/sshmon: better cpu check --- bundles/sshmon/files/check_cpu_stats | 25 ++++++++++++++----------- bundles/sshmon/metadata.py | 2 ++ 2 files changed, 16 insertions(+), 11 deletions(-) diff --git a/bundles/sshmon/files/check_cpu_stats b/bundles/sshmon/files/check_cpu_stats index 36e5ae3..c0985ef 100644 --- a/bundles/sshmon/files/check_cpu_stats 
+++ b/bundles/sshmon/files/check_cpu_stats @@ -4,27 +4,30 @@ from re import findall from subprocess import check_output from sys import exit +ITERATIONS = 10 + try: top_output = None - for line in check_output(['top', '-b', '-n1', '-d1']).decode('UTF-8').splitlines(): - if line.lower().strip().startswith('%cpu'): - top_output = line.lower().split(':', 2)[1] - break - - if not top_output: - print('%cpu not found in top output') - exit(3) + top_output = check_output(rf"top -b -n{ITERATIONS} -d1 | grep -i '^%cpu'", shell=True).decode('UTF-8') cpu_usage = {} for value, identifier in findall('([0-9\.\,]{3,5}) ([a-z]{2})', top_output): - cpu_usage[identifier] = float(value.replace(',', '.')) + if identifier not in cpu_usage: + cpu_usage[identifier] = 0.0 + cpu_usage[identifier] += float(value.replace(',', '.')) + + output = [] + for identifier, value_added in cpu_usage.items(): + value = value_added / ITERATIONS + output.append(f"{value:.2f} {identifier}") + cpu_usage[identifier] = value + + print(f"Average over {ITERATIONS} seconds: " + ", ".join(output)) warn = set() crit = set() - print(top_output) - # steal if cpu_usage['st'] > 10: crit.add('CPU steal is {}% (>10%)'.format(cpu_usage['st'])) diff --git a/bundles/sshmon/metadata.py b/bundles/sshmon/metadata.py index 8d5bb6b..2142623 100644 --- a/bundles/sshmon/metadata.py +++ b/bundles/sshmon/metadata.py @@ -19,6 +19,8 @@ defaults = { 'services': { 'CPU': { 'command_on_monitored_host': '/usr/local/share/icinga/plugins/check_cpu_stats', + # takes samples over 10 seconds + 'vars.sshmon_timeout': 20 }, 'LOAD': { 'command_on_monitored_host': '/usr/lib/nagios/plugins/check_load -r -w 4,2,1 -c 8,4,2', From 54f669313a37f443abb50b3e8faa099a67326316 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Fri, 27 Sep 2024 10:15:50 +0200 Subject: [PATCH 775/996] home.nas: nas dataset goes ssd --- nodes/home/nas.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
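Review bot: `check_output(rf"top -b -n{ITERATIONS} -d1 | grep -i '^%cpu'", shell=True)` moves the line filtering into a shell pipeline and drops the explicit `%cpu not found in top output` handling the old code had: when `grep` matches nothing it exits 1 and `check_output` raises `CalledProcessError`, which is then handled by the enclosing `except` outside the hunk instead of the descriptive exit-3 message. Keeping the argument list form preserves that behaviour without a shell: `lines = check_output(['top', '-b', f'-n{ITERATIONS}', '-d1']).decode('UTF-8').splitlines()` and `top_output = '\n'.join(l for l in lines if l.lower().strip().startswith('%cpu'))`, followed by the old empty check. A comment is also warranted on the averaging loop: the first sample of `top -b` is commonly reported as the average since boot rather than a one-second interval, so folding all `ITERATIONS` samples equally may skew the result — confirm against the top version in use. The `try` block's `except` lies outside the hunk.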
diff --git a/nodes/home/nas.py b/nodes/home/nas.py index bf404e4..1122e43 100644 --- a/nodes/home/nas.py +++ b/nodes/home/nas.py @@ -300,7 +300,7 @@ nodes['home.nas'] = { 'acltype': 'off', 'atime': 'off', 'compression': 'off', - 'mountpoint': '/media/nas', + 'mountpoint': '/storage/nas', }, 'encrypted/paperless': { 'mountpoint': '/media/paperless', @@ -318,7 +318,7 @@ nodes['home.nas'] = { 'acltype': 'off', 'atime': 'off', 'compression': 'off', - 'mountpoint': '/storage/nas', + 'mountpoint': '/media/nas_old', }, 'storage/paperless': { 'mountpoint': '/srv/paperless', From 8c28d612cbcd820dbc96206c34ecc44635fc2d38 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Fri, 27 Sep 2024 10:16:07 +0200 Subject: [PATCH 776/996] groups/sophie: fix group conflict --- groups/locations.py | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/groups/locations.py b/groups/locations.py index 8f56c2b..43e7674 100644 --- a/groups/locations.py +++ b/groups/locations.py @@ -61,6 +61,9 @@ groups['home'] = { } groups['sophie'] = { + 'supergroups': { + 'linux', + }, 'member_patterns': { r"sophie\..*", }, @@ -69,7 +72,7 @@ groups['sophie'] = { 'exclude_from_monitoring': True, }, 'backup-client': { - 'target': 'htz-hel.backup-sohpie', + 'target': 'htz-hel.backup-sophie', }, 'users': { 'sophie': {}, From 67f901c1c91aaa8274c27735163ed451842204c5 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Fri, 27 Sep 2024 10:19:01 +0200 Subject: [PATCH 777/996] bundles/powerdnsadmin: fix dependencies --- bundles/powerdnsadmin/items.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/bundles/powerdnsadmin/items.py b/bundles/powerdnsadmin/items.py index fb1bf0d..8398916 100644 --- a/bundles/powerdnsadmin/items.py +++ b/bundles/powerdnsadmin/items.py 
@@ -71,8 +71,8 @@ actions = { 'chown -R powerdnsadmin:powerdnsadmin /opt/powerdnsadmin/src/powerdnsadmin/static/', ]), 'needs': { - 'action:nodejs_install_yarn', 'action:powerdnsadmin_install_deps', + 'bundle:nodejs', 'pkg_apt:', }, }, From 8ba63e112c273f6f5939f641c0d1695dcf070485 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Fri, 27 Sep 2024 10:22:58 +0200 Subject: [PATCH 778/996] bundles/sshmon: fix SyntaxWarning --- bundles/sshmon/files/check_cpu_stats | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/bundles/sshmon/files/check_cpu_stats b/bundles/sshmon/files/check_cpu_stats index c0985ef..f0c3a35 100644 --- a/bundles/sshmon/files/check_cpu_stats +++ b/bundles/sshmon/files/check_cpu_stats @@ -12,7 +12,7 @@ try: top_output = check_output(rf"top -b -n{ITERATIONS} -d1 | grep -i '^%cpu'", shell=True).decode('UTF-8') cpu_usage = {} - for value, identifier in findall('([0-9\.\,]{3,5}) ([a-z]{2})', top_output): + for value, identifier in findall(r'([0-9\.\,]{3,5}) ([a-z]{2})', top_output): if identifier not in cpu_usage: cpu_usage[identifier] = 0.0 cpu_usage[identifier] += float(value.replace(',', '.')) From 52e891d3a7406f9c5e4924d82de4585ca94544f3 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 29 Sep 2024 13:46:21 +0200 Subject: [PATCH 779/996] move afra.berlin redirect to carlene --- nodes/carlene.toml | 4 ++++ nodes/htz-cloud.afra.toml | 21 --------------------- 2 files changed, 4 insertions(+), 21 deletions(-) diff --git a/nodes/carlene.toml b/nodes/carlene.toml index 7241f6c..92ce624 100644 --- a/nodes/carlene.toml +++ b/nodes/carlene.toml @@ -136,6 +136,10 @@ domain = "warnochwas.de" contact = "mailto:security@kunsmann.eu" Encryption = "https://franzi.business/gpg_hi-kunsmann.eu.asc" +[metadata.nginx.vhosts.'afra.berlin'.locations.'/'] +redirect = "https://afra-berlin.de" +mode = 302 + [metadata.nginx.vhosts.forgejo] domain_aliases = ["git.kunsmann.eu"] 
diff --git a/nodes/htz-cloud.afra.toml b/nodes/htz-cloud.afra.toml index 443ffa3..b938c2f 100644 --- a/nodes/htz-cloud.afra.toml +++ b/nodes/htz-cloud.afra.toml @@ -65,27 +65,6 @@ trusted_key_servers = [ "matrix.org", "franzi.business", ] -wellknown_also_on_vhosts = ["redirect"] - -[metadata.nginx.vhosts.redirect] -domain = "afra.berlin" - -[metadata.nginx.vhosts.redirect.locations.'/'] -redirect = "https://afra-berlin.de" -mode = 302 - -#[metadata.nginx.vhosts.redirect.locations.'/.well-known/host-meta'] -#redirect = "https://fedi.afra.berlin/.well-known/host-meta" -#mode = 301 -#[metadata.nginx.vhosts.redirect.locations.'/.well-known/nodeinfo'] -#redirect = "https://fedi.afra.berlin/.well-known/nodeinfo" -#mode = 301 -#[metadata.nginx.vhosts.redirect.locations.'/.well-known/webfinger'] -#redirect = "https://fedi.afra.berlin/.well-known/webfinger" -#mode = 301 - -[metadata.nginx.vhosts.redirect.locations.'/matrix/'] -target = "http://127.0.0.1:20100/" [metadata.postgresql] version = "15" From 95860e978b919ab3ddf8a191eb39003568ff70cc Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 29 Sep 2024 16:17:48 +0200 Subject: [PATCH 780/996] remove htz-cloud.afra --- nodes/htz-cloud.afra.toml | 79 --------------------------------------- 1 file changed, 79 deletions(-) delete mode 100644 nodes/htz-cloud.afra.toml diff --git a/nodes/htz-cloud.afra.toml b/nodes/htz-cloud.afra.toml deleted file mode 100644 index b938c2f..0000000 --- a/nodes/htz-cloud.afra.toml +++ /dev/null 
@@ -1,79 +0,0 @@ -hostname = "91.107.203.234" -bundles = [ - "element-web", - "matrix-media-repo", - "matrix-registration", - "matrix-synapse", - "nodejs", - "postgresql", - "zfs", -] -groups = [ - "debian-bookworm", - "webserver", -] - -[metadata.icinga_options] -pretty_name = "afra.berlin" - -[metadata.interfaces.eth0] -ips = [ - "91.107.203.234/32", - "2a01:4f8:c010:b0e1::1/64", -] -gateway4 = '172.31.1.1' -gateway6 = 'fe80::1' - -[metadata.interfaces.ens10] -ips = [ - "172.19.137.7/32", -] -routes.'172.19.128.0/20'.via = "172.19.137.1" - -[metadata.element-web] -url = "element.afra.berlin" -version = "v1.11.78" - -[metadata.element-web.config] -default_server_config.'m.homeserver'.base_url = "https://matrix.afra.berlin" -default_server_config.'m.homeserver'.server_name = "afra.berlin" -brand = "afra.berlin" -defaultCountryCode = "DE" -jitsi.preferredDomain = "meet.ffmuc.net" - -[metadata.matrix-media-repo] -admins = ['@administress:afra.berlin'] -datastore_id = "e33b50474021fba9977f912414cdd7fe8890ed57" -sha1 = "3e2bb7089b0898b86000243a82cc58ae998dc9d9" -upload_max_mb = 50 -version = "v1.3.7" - -[metadata.matrix-media-repo.homeservers.'afra.berlin'] -domain = "http://[::1]:20080/" -api = "synapse" -signing_key_path = "/etc/matrix-synapse/mmr.signing.key" - -[metadata.matrix-registration] -base_path = "/matrix" -client_redirect = "https://element.afra.berlin" - -[metadata.matrix-synapse] -server_name = "afra.berlin" -baseurl = "matrix.afra.berlin" -admin_contact = 'mailto:hostmaster@kunbox.net' -trusted_key_servers = [ - "matrix.org", - "franzi.business", -] - -[metadata.postgresql] -version = "15" -work_mem = 1024 -cache_size = 2048 - -[[metadata.zfs.pools.tank.when_creating.config]] -devices = ["/dev/disk/by-id/scsi-0HC_Volume_32207877"] - -[metadata.vm] -cpu = 2 -ram = 8 From 663f7eec9f56b998b62e784e65cad3b1aafcd0fe Mon Sep 17 00:00:00 2001 
From: Franziska Kunsmann Date: Mon, 30 Sep 2024 10:20:01 +0200 Subject: [PATCH 781/996] remove finallycoffee.eu from trusted key servers --- nodes/carlene.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nodes/carlene.toml b/nodes/carlene.toml index 92ce624..19a59cc 100644 --- a/nodes/carlene.toml +++ b/nodes/carlene.toml @@ -90,7 +90,7 @@ user_id = "@dimension:franzi.business" admin_contact = "mailto:hostmaster@kunbox.net" baseurl = "matrix.franzi.business" server_name = "franzi.business" -trusted_key_servers = ["matrix.org", "finallycoffee.eu"] +trusted_key_servers = ["matrix.org", "161.rocks"] additional_client_config.'im.vector.riot.jitsi'.preferredDomain = "meet.ffmuc.net" wellknown_also_on_vhosts = ["franzi.business"] [metadata.matrix-synapse.sliding_sync] From e2b430fd0e112dd7752898e69ae6faa236627886 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Mon, 30 Sep 2024 10:21:05 +0200 Subject: [PATCH 782/996] update travelynx to 2.8.40 --- nodes/carlene.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nodes/carlene.toml b/nodes/carlene.toml index 19a59cc..40a421b 100644 --- a/nodes/carlene.toml +++ b/nodes/carlene.toml @@ -260,7 +260,7 @@ disks = [ ] [metadata.travelynx] -version = "2.8.39" +version = "2.8.40" mail_from = "travelynx@franzi.business" domain = "travelynx.franzi.business" From a1d1351411566a8cde61cac13a473907a7a47dc6 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Mon, 30 Sep 2024 22:24:34 +0200 Subject: [PATCH 783/996] update infobeamer-cms to current version --- bundles/infobeamer-cms/items.py | 10 +--------- nodes/voc/infobeamer-cms.py | 11 ++++++----- 2 files changed, 7 insertions(+), 14 deletions(-) diff --git a/bundles/infobeamer-cms/items.py b/bundles/infobeamer-cms/items.py index 2d2f8c0..aa424a1 100644 --- a/bundles/infobeamer-cms/items.py +++ b/bundles/infobeamer-cms/items.py 
@@ -23,7 +23,7 @@ actions = { git_deploy = { '/opt/infobeamer-cms/src': { 'rev': 'master', - 'repo': 'https://github.com/sophieschi/36c3-cms.git', + 'repo': 'https://github.com/voc/infobeamer-cms.git', 'needs': { 'directory:/opt/infobeamer-cms/src', }, @@ -96,14 +96,6 @@ files = { }, } -pkg_pip = { - 'github-flask': { - 'needed_by': { - 'svc_systemd:infobeamer-cms', - }, - }, -} - svc_systemd = { 'infobeamer-cms': { 'needs': { diff --git a/nodes/voc/infobeamer-cms.py b/nodes/voc/infobeamer-cms.py index 77c21c4..9e38edc 100644 --- a/nodes/voc/infobeamer-cms.py +++ b/nodes/voc/infobeamer-cms.py @@ -39,11 +39,6 @@ nodes['voc.infobeamer-cms'] = { 'GITHUB_CLIENT_SECRET': vault.decrypt('encrypt$gAAAAABiNwHtdZC2XQ8IjosL7vsmrxZMwDIM6AD5dUlLo996tJs4qV7KJETHgYYZil2aMzClwhcE6JmxdhARRp7IJQ4rQQibelTNmyYSzj_V4puVpvma7SU0UZkTIG95SdPpoHY--Zba'), 'HOSTED_API_KEY': vault.decrypt('encrypt$gAAAAABhxJPH2sIGMAibU2Us1HoCVlNfF0SQQnVl0eiod48Zu8webL_-xk3wDw3yXw1Hkglj-2usl-D3Yd095yTSq0vZMCv2fh-JWwSPdJewQ45x9Ai4vXVD4CNz5vuJBESKS9xQWXTc'), 'INTERRUPT_KEY': vault.human_password_for('infobeamer-cms interrupt key'), - 'MQTT_MESSAGE': '{{"level":"info","component":"infobeamer-cms","msg":"{asset} uploaded by {user}. Check it at {url}"}}', - 'MQTT_PASSWORD': vault.decrypt('encrypt$gAAAAABhxakfhhwWn0vxhoO1FiMEpdCkomWvo0dHIuBrqDKav8WDpI6dXpb0hoXiWRsPV6p5m-8RlbfFbjPhz47AY-nFOOAAW6Yis3-IVD-U-InKJo9dvms='), - 'MQTT_SERVER': 'mqtt.c3voc.de', - 'MQTT_TOPIC': '/voc/alert', - 'MQTT_USERNAME': vault.decrypt('encrypt$gAAAAABhxakKHC_kHmHP2mFHorb4niuNTH4F24w1D6m5JUxl117N7znlZA6fpMmY3_NcmBr2Ihw4hL3FjZr9Fm_1oUZ1ZQdADA=='), 'SETUP_IDS': [ 250294, ], 
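Review bot: `git_deploy` keeps `'rev': 'master'` while switching the source to `https://github.com/voc/infobeamer-cms.git`, so every deploy pulls whatever is at the branch head at that moment rather than a reviewed revision; pinning `'rev'` to a tag or commit hash (placeholder: `'rev': '<COMMIT_SHA>'`) makes deployments reproducible and lets an unexpected push to the branch be noticed before it ships. The dropped `pkg_pip` entry for `github-flask` suggests the dependency set changed with the new upstream; a short comment on the `git_deploy` item naming where the remaining Python dependencies now come from would help the next reader. The surrounding `git_deploy` dict continues past the hunk.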
@@ -56,6 +51,12 @@ nodes['voc.infobeamer-cms'] = { # 'x2': 110, # 'y2': 1070, # }], + 'NOTIFIER': { + 'MQTT_PASSWORD': vault.decrypt('encrypt$gAAAAABhxakfhhwWn0vxhoO1FiMEpdCkomWvo0dHIuBrqDKav8WDpI6dXpb0hoXiWRsPV6p5m-8RlbfFbjPhz47AY-nFOOAAW6Yis3-IVD-U-InKJo9dvms='), + 'MQTT_SERVER': 'mqtt.c3voc.de', + 'MQTT_TOPIC': '/voc/alert', + 'MQTT_USERNAME': vault.decrypt('encrypt$gAAAAABhxakKHC_kHmHP2mFHorb4niuNTH4F24w1D6m5JUxl117N7znlZA6fpMmY3_NcmBr2Ihw4hL3FjZr9Fm_1oUZ1ZQdADA=='), + }, }, 'rooms': { 'Saal 1': 34430, From 4fbbf83952a89f3115ba4b858167224920d67a39 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Mon, 30 Sep 2024 22:24:53 +0200 Subject: [PATCH 784/996] update infobeamer-cms to debian bookworm --- nodes/voc/infobeamer-cms.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/nodes/voc/infobeamer-cms.py b/nodes/voc/infobeamer-cms.py index 9e38edc..152e199 100644 --- a/nodes/voc/infobeamer-cms.py +++ b/nodes/voc/infobeamer-cms.py @@ -1,12 +1,12 @@ nodes['voc.infobeamer-cms'] = { - 'hostname': 'infobeamer-cms.c3voc.de', + 'hostname': 'infobeamer.c3voc.de', 'bundles': { 'infobeamer-cms', 'infobeamer-monitor', 'redis', }, 'groups': { - 'debian-bullseye', + 'debian-bookworm', 'webserver', }, 'metadata': { From df69b876a9e8a7cf9c1077cc5d59a1292cb72d7a Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Mon, 30 Sep 2024 22:40:07 +0200 Subject: [PATCH 785/996] voc.infobeamer-cms: prepare for mrmcd --- nodes/voc/infobeamer-cms.py | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/nodes/voc/infobeamer-cms.py b/nodes/voc/infobeamer-cms.py index 152e199..ba41766 100644 --- a/nodes/voc/infobeamer-cms.py +++ b/nodes/voc/infobeamer-cms.py @@ -25,8 +25,8 @@ nodes['voc.infobeamer-cms'] = { }, 'infobeamer-cms': { 'domain': 'infobeamer.c3voc.de', - 'event_start_date': '2024-05-29', - 'event_duration_days': 5, + 'event_start_date': '2024-10-03', + 'event_duration_days': 4, 'config': { 'ADMIN_USERS': [ 'hexchen', 
@@ -59,15 +59,15 @@ nodes['voc.infobeamer-cms'] = { }, }, 'rooms': { - 'Saal 1': 34430, - 'Saal G': 26598, - 'Saal Z': 26610, - 'Saal E (SoS/Lightning-Talks)': 32814, - 'Saal F (Sendezentrum/DLF)': 9717, +# 'Saal 1': 34430, +# 'Saal G': 26598, +# 'Saal Z': 26610, +# 'Saal E (SoS/Lightning-Talks)': 32814, +# 'Saal F (Sendezentrum/DLF)': 9717, }, 'interrupts': { - 'Questions': 'questions', - 'Translations': 'translations', +# 'Questions': 'questions', +# 'Translations': 'translations', }, }, 'infobeamer-monitor': { From a5ea87b4e99c7392b78528008f734e906bce11ff Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Tue, 1 Oct 2024 10:53:04 +0200 Subject: [PATCH 786/996] voc.infobeamer-cms: fix mqtt config --- nodes/voc/infobeamer-cms.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nodes/voc/infobeamer-cms.py b/nodes/voc/infobeamer-cms.py index ba41766..0de3e17 100644 --- a/nodes/voc/infobeamer-cms.py +++ b/nodes/voc/infobeamer-cms.py @@ -53,7 +53,7 @@ nodes['voc.infobeamer-cms'] = { # }], 'NOTIFIER': { 'MQTT_PASSWORD': vault.decrypt('encrypt$gAAAAABhxakfhhwWn0vxhoO1FiMEpdCkomWvo0dHIuBrqDKav8WDpI6dXpb0hoXiWRsPV6p5m-8RlbfFbjPhz47AY-nFOOAAW6Yis3-IVD-U-InKJo9dvms='), - 'MQTT_SERVER': 'mqtt.c3voc.de', + 'MQTT_HOST': 'mqtt.c3voc.de', 'MQTT_TOPIC': '/voc/alert', 'MQTT_USERNAME': vault.decrypt('encrypt$gAAAAABhxakKHC_kHmHP2mFHorb4niuNTH4F24w1D6m5JUxl117N7znlZA6fpMmY3_NcmBr2Ihw4hL3FjZr9Fm_1oUZ1ZQdADA=='), }, From ef8d3368c163732a73c0253595a68f25f951ed8b Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Tue, 1 Oct 2024 11:03:50 +0200 Subject: [PATCH 787/996] voc.infobeamer-cms: add FAQ entries --- nodes/voc/infobeamer-cms.py | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/nodes/voc/infobeamer-cms.py b/nodes/voc/infobeamer-cms.py index 0de3e17..4f636a6 100644 --- a/nodes/voc/infobeamer-cms.py +++ b/nodes/voc/infobeamer-cms.py 
@@ -57,6 +57,15 @@ nodes['voc.infobeamer-cms'] = { 'MQTT_TOPIC': '/voc/alert', 'MQTT_USERNAME': vault.decrypt('encrypt$gAAAAABhxakKHC_kHmHP2mFHorb4niuNTH4F24w1D6m5JUxl117N7znlZA6fpMmY3_NcmBr2Ihw4hL3FjZr9Fm_1oUZ1ZQdADA=='), }, + 'FAQ': { + 'SOURCE': 'https://github.com/voc/infobeamer-cms', + 'CONTACT': ''' + Please use the IRC + Channel #infobeamer on irc.hackint.org (also + bridged to matrix) + or #info-beamer on the cccv rocketchat instance. + '''.strip(), + }, }, 'rooms': { # 'Saal 1': 34430, From b57f2056964fe8262fb40217d41f2929a1fca88f Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Wed, 2 Oct 2024 17:45:58 +0200 Subject: [PATCH 788/996] voc.infobeamer-cms: prepare for mrmcd24 --- nodes/voc/infobeamer-cms.py | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/nodes/voc/infobeamer-cms.py b/nodes/voc/infobeamer-cms.py index 4f636a6..a048c89 100644 --- a/nodes/voc/infobeamer-cms.py +++ b/nodes/voc/infobeamer-cms.py @@ -40,7 +40,7 @@ nodes['voc.infobeamer-cms'] = { 'HOSTED_API_KEY': vault.decrypt('encrypt$gAAAAABhxJPH2sIGMAibU2Us1HoCVlNfF0SQQnVl0eiod48Zu8webL_-xk3wDw3yXw1Hkglj-2usl-D3Yd095yTSq0vZMCv2fh-JWwSPdJewQ45x9Ai4vXVD4CNz5vuJBESKS9xQWXTc'), 'INTERRUPT_KEY': vault.human_password_for('infobeamer-cms interrupt key'), 'SETUP_IDS': [ - 250294, + 253559, ], # 'EXTRA_ASSETS': [{ # 'type': "image", @@ -56,6 +56,9 @@ nodes['voc.infobeamer-cms'] = { 'MQTT_HOST': 'mqtt.c3voc.de', 'MQTT_TOPIC': '/voc/alert', 'MQTT_USERNAME': vault.decrypt('encrypt$gAAAAABhxakKHC_kHmHP2mFHorb4niuNTH4F24w1D6m5JUxl117N7znlZA6fpMmY3_NcmBr2Ihw4hL3FjZr9Fm_1oUZ1ZQdADA=='), + 'NTFY': [ + vault.decrypt('encrypt$gAAAAABm_RXKqIgRfe24frA_uvUMwJECr0TmL6TWPOmrPlS0CJuuBlpN6vGHrMkm5pjD5c5h1brC-aqQavsTk_AHXwq8bHG1QiZtQwqPxGuD_fEVP4-xOZ3t-RjqG3kPLz6ebqPoqyPl'), + ], }, 'FAQ': { 'SOURCE': 'https://github.com/voc/infobeamer-cms', From 3ff7db7d6d743b7df7404645be8d6ee70b9dd437 Mon Sep 17 00:00:00 2001 
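Review bot: `'CONTACT'` is a triple-quoted block followed by `.strip()`, which only removes the outer whitespace; the newlines and the source indentation of the inner lines stay in the value, so whatever renders the FAQ receives the file's layout as part of the text. A parenthesised run of implicitly concatenated single-line strings (one per clause, each ending in a space) yields the same sentence without embedded layout and reads as plain data like the other config values. The enclosing `nodes['voc.infobeamer-cms']` dict starts outside the hunk.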
From: Franziska Kunsmann Date: Thu, 3 Oct 2024 22:43:25 +0200 Subject: [PATCH 789/996] bundles/sshmon: more letsencrypt issuer hashes --- bundles/sshmon/files/check_https_certificate_at_url | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/bundles/sshmon/files/check_https_certificate_at_url b/bundles/sshmon/files/check_https_certificate_at_url index e9fb507..ce0f0ba 100644 --- a/bundles/sshmon/files/check_https_certificate_at_url +++ b/bundles/sshmon/files/check_https_certificate_at_url @@ -22,7 +22,8 @@ case "$issuer_hash" in # 462422cf: issuer=C = US, O = Let's Encrypt, CN = E5 # 9aad238c: issuer=C = US, O = Let's Encrypt, CN = E6 # 31dfb39d: issuer=C = US, O = Let's Encrypt, CN = R11 - 4f06f81d|8d33f237|462422cf|9aad238c|31dfb39d) + # aa578057: issuer=C = US, O = Let's Encrypt, CN = R10 + 4f06f81d|8d33f237|462422cf|9aad238c|31dfb39d|aa578057) warn_days=10 crit_days=3 ;; From 814b67a9d033de19c88a713b6c832767579fad89 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sat, 5 Oct 2024 16:58:50 +0200 Subject: [PATCH 790/996] voc.infobeamer-cms add v0tti to admins --- nodes/voc/infobeamer-cms.py | 1 + 1 file changed, 1 insertion(+) diff --git a/nodes/voc/infobeamer-cms.py b/nodes/voc/infobeamer-cms.py index a048c89..ea48a85 100644 --- a/nodes/voc/infobeamer-cms.py +++ b/nodes/voc/infobeamer-cms.py @@ -34,6 +34,7 @@ nodes['voc.infobeamer-cms'] = { 'jwacalex', 'kunsi', 'sophieschi', + 'v0tti', ], 'GITHUB_CLIENT_ID': vault.decrypt('encrypt$gAAAAABiNwHfIu9PYFfJrF7qirn_9vdvvUlEhJnadoNSS5XlCDbI_aMyj21_ZYQxaCkc6_eVX6Cj1jEHZ7Vs6wM-XyQdW0nUOahtqG4uvnYCiM3GFKHW_wQ='), 'GITHUB_CLIENT_SECRET': vault.decrypt('encrypt$gAAAAABiNwHtdZC2XQ8IjosL7vsmrxZMwDIM6AD5dUlLo996tJs4qV7KJETHgYYZil2aMzClwhcE6JmxdhARRp7IJQ4rQQibelTNmyYSzj_V4puVpvma7SU0UZkTIG95SdPpoHY--Zba'), From c5fb1b8a2885632997f5728ef21f305976faeda4 Mon Sep 17 00:00:00 2001 
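Review bot: The `case` branch keeps growing by one hash per Let's Encrypt intermediate (`aa578057` for R10 here), and nothing next to it records that `$issuer_hash` is only a short hash of the issuer DN (presumably from `openssl x509 -issuer_hash`) that selects alert thresholds rather than making any trust decision, so a reader may read the list as more authoritative than it is. Worth adding above the pattern: `# issuer_hash is a short hash of the issuer DN, not a trust anchor; it only picks the warn/crit windows`. If the script also has the issuer DN string in scope, a pattern such as `*"O = Let's Encrypt"*)` on that string would stop this list needing a commit for every rotation. The enclosing `case "$issuer_hash" in` starts outside the hunk.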
From: Franziska Kunsmann Date: Thu, 10 Oct 2024 19:39:38 +0200 Subject: [PATCH 791/996] htz-cloud.wireguard: add wg connection to fra-jana --- nodes/htz-cloud/wireguard.py | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/nodes/htz-cloud/wireguard.py b/nodes/htz-cloud/wireguard.py index 42c187d..df618ea 100644 --- a/nodes/htz-cloud/wireguard.py +++ b/nodes/htz-cloud/wireguard.py @@ -37,6 +37,7 @@ nodes['htz-cloud.wireguard'] = { '172.19.137.0/24', '172.19.136.62/31', '172.19.136.64/31', + '192.168.100.0/24', }, }, 'nftables': { @@ -80,6 +81,17 @@ nodes['htz-cloud.wireguard'] = { '10.73.0.0/16', }, }, + 'fra-jana': { + 'endpoint': 'gw.as212226.net:40000', + 'my_ip': '192.168.48.11/24', + 'my_port': 51802, + 'their_ip': '192.168.48.1', + 'pubkey': vault.decrypt('encrypt$gAAAAABnCA7M0Jg0cQwIaYCYEYN74MOSQK30rbhxD6tDIi2VEBqPh-UHrt7MdRzI4AUZ-p0MzjIdsps_DdGBkUTwA_UKD15Q_tg_LJNwDb04zvgSqc3hnJ4jeS2ZZEED0T1dVJ7E0YNS'), + 'masquerade': True, + 'routes': { + '192.168.100.0/24', + }, + }, 'kunsi-oneplus7': { 'endpoint': None, 'exclude_from_monitoring': True, From e35fbdd1834ac08ef8ede9a131e18237f59e9781 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Thu, 10 Oct 2024 19:40:01 +0200 Subject: [PATCH 792/996] add rottenraptor-server --- nodes/rottenraptor-server.toml | 14 ++++++++++++++ 1 file changed, 14 insertions(+) create mode 100644 nodes/rottenraptor-server.toml diff --git a/nodes/rottenraptor-server.toml b/nodes/rottenraptor-server.toml new file mode 100644 index 0000000..b73bba4 --- /dev/null +++ b/nodes/rottenraptor-server.toml @@ -0,0 +1,14 @@ +hostname = "172.19.138.98" +groups = ["debian-bookworm"] +bundles = ["ipmitool"] + +[metadata] +backups.exclude_from_backups = true + +[metadata.interfaces.eno4] +ips = [ + "91.198.192.207/27", + "2001:67c:b54:1::e/64", +] +gateway4 = "91.198.192.193" +gateway6 = "2001:67c:b54:1::1" From 07a44598d2bba277dd539f8de3f1cabd64d05063 Mon Sep 17 00:00:00 2001 
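Review bot: `'masquerade': True` on the new `fra-jana` peer rewrites every forwarded packet bound for 192.168.100.0/24 to the tunnel address 192.168.48.11, so hosts on that network (a later commit in this series places the `rottenraptor-server-ipmi` BMC at 192.168.100.27) see all connections as coming from this one gateway and lose per-source attribution in their logs. The first hunk of this commit also adds 192.168.100.0/24 to a network set whose key lies outside the hunk; if that is the forwarding/allow set, every source that can route through `htz-cloud.wireguard` now reaches the BMC network, which is worth narrowing to the management hosts that need it. The `pubkey` is stored `vault.decrypt`-encrypted although a WireGuard public key is not secret; keeping it in clear text lets a reviewer verify from the diff which peer is being configured. The enclosing `nodes['htz-cloud.wireguard']` dict starts outside the hunk.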
From: Franziska Kunsmann Date: Thu, 24 Oct 2024 18:16:48 +0200 Subject: [PATCH 793/996] rottenraptor-server is in its colo now --- nodes/rottenraptor-server-ipmi.toml | 7 +++++++ nodes/rottenraptor-server.toml | 5 ++++- 2 files changed, 11 insertions(+), 1 deletion(-) create mode 100644 nodes/rottenraptor-server-ipmi.toml diff --git a/nodes/rottenraptor-server-ipmi.toml b/nodes/rottenraptor-server-ipmi.toml new file mode 100644 index 0000000..fdc76b9 --- /dev/null +++ b/nodes/rottenraptor-server-ipmi.toml @@ -0,0 +1,7 @@ +dummy = true + +[metadata.icinga_options] +period = "daytime" + +[metadata.interfaces.default] +ips = ["192.168.100.27/24"] diff --git a/nodes/rottenraptor-server.toml b/nodes/rottenraptor-server.toml index b73bba4..6c60d62 100644 --- a/nodes/rottenraptor-server.toml +++ b/nodes/rottenraptor-server.toml @@ -1,10 +1,13 @@ -hostname = "172.19.138.98" +hostname = "91.198.192.207" groups = ["debian-bookworm"] bundles = ["ipmitool"] [metadata] backups.exclude_from_backups = true +[metadata.icinga_options] +period = "daytime" + [metadata.interfaces.eno4] ips = [ "91.198.192.207/27", From d1b369fb26ced0b6c67a3ec18c3ab9361deea116 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Thu, 24 Oct 2024 19:25:00 +0200 Subject: [PATCH 794/996] bundles/smartd: do not try to guess disk names --- bundles/smartd/metadata.py | 24 ------------------------ nodes/carlene.toml | 4 ++-- nodes/home/nas.py | 8 ++++++++ 3 files changed, 10 insertions(+), 26 deletions(-) diff --git a/bundles/smartd/metadata.py b/bundles/smartd/metadata.py index 73789d0..5202068 100644 --- a/bundles/smartd/metadata.py +++ b/bundles/smartd/metadata.py 
@@ -43,30 +43,6 @@ if node.has_bundle('telegraf'): } -@metadata_reactor.provides( - 'smartd/disks', -) -def zfs_disks_to_metadata(metadata): - disks = set() - - for config in metadata.get('zfs/pools', {}).values(): - for option in config['when_creating']['config']: - if option.get('type', '') in {'log', 'cache'}: - continue - - for disk in option['devices']: - if search(r'p([0-9]+)$', disk) or disk.startswith('/dev/mapper/'): - continue - - disks.add(disk) - - return { - 'smartd': { - 'disks': disks, - }, - } - - @metadata_reactor.provides( 'icinga2_api/smartd/services', ) diff --git a/nodes/carlene.toml b/nodes/carlene.toml index 40a421b..42847d0 100644 --- a/nodes/carlene.toml +++ b/nodes/carlene.toml @@ -255,8 +255,8 @@ dkim = "uO4aNejDvVdw8BKne3KJIqAvCQMJ0416" [metadata.smartd] disks = [ - "/dev/nvme0", - "/dev/nvme1", + "/dev/disk/by-id/nvme-SAMSUNG_MZVL22T0HBLB-00B00_S677NF0W508470", + "/dev/disk/by-id/nvme-SAMSUNG_MZVL22T0HBLB-00B00_S677NX0W114380", ] [metadata.travelynx] diff --git a/nodes/home/nas.py b/nodes/home/nas.py index 1122e43..0415c87 100644 --- a/nodes/home/nas.py +++ b/nodes/home/nas.py @@ -190,6 +190,14 @@ nodes['home.nas'] = { 'disks': { '/dev/nvme0', + # old nas disks + '/dev/disk/by-id/ata-WDC_WD6003FFBX-68MU3N0_V8GE15GR', + '/dev/disk/by-id/ata-WDC_WD6003FFBX-68MU3N0_V8HJ406R', + '/dev/disk/by-id/ata-WDC_WD6003FFBX-68MU3N0_V8HJBTLR', + '/dev/disk/by-id/ata-WDC_WD6003FFBX-68MU3N0_V8HJGN6R', + '/dev/disk/by-id/ata-WDC_WD6003FFBX-68MU3N0_V8J8ZKRR', + '/dev/disk/by-id/ata-WDC_WD6003FFBX-68MU3N0_V9JS5UYL', + # encrypted disks '/dev/disk/by-id/ata-Samsung_SSD_870_QVO_8TB_S5SSNJ0X409404K', '/dev/disk/by-id/ata-Samsung_SSD_870_QVO_8TB_S5SSNJ0X409845F', From ed9607433d1e6923a954237e16ecc79f25c44d47 Mon Sep 17 00:00:00 2001 
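Review bot: `'/dev/nvme0'` stays in the `smartd/disks` list of `home.nas` while every other entry, and the carlene.toml change in the same commit, now uses a stable `/dev/disk/by-id/` path; a kernel-enumerated `nvmeN` name can move after a hardware change, which is exactly the guessing this commit sets out to remove. Replace it with the by-id path of that device, e.g. `'/dev/disk/by-id/nvme-<MODEL>_<SERIAL>',` (placeholder, take the real name from `ls -l /dev/disk/by-id/`). In bundles/smartd/metadata.py the removal of `zfs_disks_to_metadata` may also leave a now-unused `search` import at the top of that file, which is outside the hunk. The enclosing `nodes['home.nas']` dict starts outside the hunk.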
From: Franziska Kunsmann Date: Thu, 24 Oct 2024 19:25:23 +0200 Subject: [PATCH 795/996] rottenraptor-server: add smartd and zfs --- nodes/rottenraptor-server.toml | 36 +++++++++++++++++++++++++++++++++- 1 file changed, 35 insertions(+), 1 deletion(-) diff --git a/nodes/rottenraptor-server.toml b/nodes/rottenraptor-server.toml index 6c60d62..b0dd56b 100644 --- a/nodes/rottenraptor-server.toml +++ b/nodes/rottenraptor-server.toml @@ -1,6 +1,6 @@ hostname = "91.198.192.207" groups = ["debian-bookworm"] -bundles = ["ipmitool"] +bundles = ["ipmitool", "smartd", "zfs"] [metadata] backups.exclude_from_backups = true @@ -15,3 +15,37 @@ ips = [ ] gateway4 = "91.198.192.193" gateway6 = "2001:67c:b54:1::1" + +[metadata.smartd] +disks = [ + "/dev/disk/by-id/ata-WDC_WD30EZRX-00DC0B0_WD-WMC1T0287704", + "/dev/disk/by-id/ata-WDC_WD30EZRX-00DC0B0_WD-WMC1T0387139", + "/dev/disk/by-id/ata-WDC_WDS100T1R0A-68A4W0_21133V800321", + "/dev/disk/by-id/ata-WDC_WDS100T1R0A-68A4W0_21283J446103", + "/dev/disk/by-id/nvme-TOSHIBA-RC100_58UPC29HPW5S", +] + +[metadata.zfs.pools.tank.when_creating] +ashift = 12 + +[[metadata.zfs.pools.tank.when_creating.config]] +type = "mirror" +devices = [ + "/dev/disk/by-id/ata-WDC_WD30EZRX-00DC0B0_WD-WMC1T0287704", + "/dev/disk/by-id/ata-WDC_WD30EZRX-00DC0B0_WD-WMC1T0387139", +] + +[[metadata.zfs.pools.tank.when_creating.config]] +type = "log" +devices = [ + "/dev/disk/by-id/ata-WDC_WDS100T1R0A-68A4W0_21133V800321-part1", + "/dev/disk/by-id/ata-WDC_WDS100T1R0A-68A4W0_21283J446103-part1", +] + +[[metadata.zfs.pools.tank.when_creating.config]] +type = "cache" +devices = [ + "/dev/disk/by-id/ata-WDC_WDS100T1R0A-68A4W0_21133V800321-part2", + "/dev/disk/by-id/ata-WDC_WDS100T1R0A-68A4W0_21283J446103-part2", +] + From a83b380490062b7616457c54a48808a200208bef Mon Sep 17 00:00:00 2001 
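Review bot: The `type = "log"` entry lists two devices, and depending on how bundles/zfs renders `config` into `zpool create` (not visible here) that becomes `log dev1 dev2`, which ZFS treats as two independent (striped) log devices rather than a mirrored SLOG; a mirrored one is spelled `log mirror dev1 dev2`. If the bundle has no way to express `mirror` under `log`, a single log device is the plainer choice: a lost log device can only drop synchronous writes not yet committed at the moment of a crash, but a striped pair doubles the exposure to that. A short comment on the entry stating which layout is intended, e.g. `# two striped log devices, deliberately not a mirror`, would settle it for the next reader.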
From: Franziska Kunsmann Date: Sat, 26 Oct 2024 08:19:43 +0200 Subject: [PATCH 796/996] bundles/nginx: more config options --- bundles/nginx/files/nginx.conf | 3 --- bundles/nginx/files/site_template | 6 +++--- 2 files changed, 3 insertions(+), 6 deletions(-) diff --git a/bundles/nginx/files/nginx.conf b/bundles/nginx/files/nginx.conf index dae0a26..3f4a9a9 100644 --- a/bundles/nginx/files/nginx.conf +++ b/bundles/nginx/files/nginx.conf @@ -10,9 +10,6 @@ events { http { include /etc/nginx/mime.types; - types { - application/javascript js mjs; - } default_type application/octet-stream; charset UTF-8; override_charset on; diff --git a/bundles/nginx/files/site_template b/bundles/nginx/files/site_template index a967893..96875c8 100644 --- a/bundles/nginx/files/site_template +++ b/bundles/nginx/files/site_template @@ -149,18 +149,18 @@ server { % if 'target' in options: proxy_pass ${options['target']}; proxy_http_version ${options.get('http_version', '1.1')}; - proxy_set_header Host ${domain}; + proxy_set_header Host ${options.get('proxy_pass_host', domain)}; % if options.get('websockets', False): proxy_set_header Connection "upgrade"; proxy_set_header Upgrade $http_upgrade; % endif proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; - proxy_set_header X-Forwarded-Host ${options.get('x_forwarded_host', domain)}; + proxy_set_header X-Forwarded-Host ${options.get('x_forwarded_host', options.get('proxy_pass_host', domain))}; % for option, value in options.get('proxy_set_header', {}).items(): proxy_set_header ${option} ${value}; % endfor -% if location != '/': +% if location != '/' and location != '= /': proxy_set_header X-Script-Name ${location}; % endif proxy_buffering off; From 078d52c075d948a0af82ed42f41159aef4fe6f4a Mon Sep 17 00:00:00 2001 
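Review bot: The default for `X-Forwarded-Host` now follows `proxy_pass_host` instead of `domain`, so a vhost that sets `proxy_pass_host` sends an upstream neither `Host` nor `X-Forwarded-Host` naming the public vhost it was reached through; backends use `X-Forwarded-Host` to build absolute URLs and redirects and some use it for origin checks, and its conventional value is the client's original Host. If the intent is that such upstreams should believe they were accessed directly, say so in a template comment; otherwise keep `proxy_set_header X-Forwarded-Host ${options.get('x_forwarded_host', domain)};` and let vhosts opt in through `x_forwarded_host`. The `location != '= /'` addition only covers that exact spelling, so an exact-match location written as `=/` would still receive `X-Script-Name`. The enclosing `server` block starts outside the hunk.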
From: Franziska Kunsmann Date: Sat, 26 Oct 2024 08:20:01 +0200 Subject: [PATCH 797/996] carlene: rework kunsitracker --- nodes/carlene.toml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/nodes/carlene.toml b/nodes/carlene.toml index 42847d0..e94a0b2 100644 --- a/nodes/carlene.toml +++ b/nodes/carlene.toml @@ -152,8 +152,10 @@ owner = "skye" [metadata.nginx.vhosts.kunsitracker] domain = "kunsitracker.de" -locations.'/'.redirect = "https://travelynx.franzi.business/p/Kunsi" -locations.'/'.mode = 302 +locations.'/'.target = "https://travelynx.franzi.business/" +locations.'/'.proxy_pass_host = "travelynx.franzi.business" +locations.'= /'.target = "https://travelynx.franzi.business/p/Kunsi" +locations.'= /'.proxy_pass_host = "travelynx.franzi.business" [metadata.nginx.vhosts.mta-sts] domain = "mta-sts.kunbox.net" From c4e3d0abc298db806471f480e620d43f5dd231c6 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sat, 26 Oct 2024 16:24:47 +0200 Subject: [PATCH 798/996] bundles/nginx: we need a type definition for .mjs --- bundles/nginx/files/nginx.conf | 3 +++ 1 file changed, 3 insertions(+) diff --git a/bundles/nginx/files/nginx.conf b/bundles/nginx/files/nginx.conf index 3f4a9a9..2c20144 100644 --- a/bundles/nginx/files/nginx.conf +++ b/bundles/nginx/files/nginx.conf @@ -10,6 +10,9 @@ events { http { include /etc/nginx/mime.types; + types { + application/javascript mjs; + } default_type application/octet-stream; charset UTF-8; override_charset on; From 729b975b776adb46f6ba85ef25a09b201df67c8a Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sat, 26 Oct 2024 16:25:06 +0200 Subject: [PATCH 799/996] bundles/redis: ensure protected mode is off --- bundles/redis/files/redis.conf | 1 + 1 file changed, 1 insertion(+) diff --git a/bundles/redis/files/redis.conf b/bundles/redis/files/redis.conf index f479be2..f636ddf 100644 --- a/bundles/redis/files/redis.conf +++ b/bundles/redis/files/redis.conf 
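Review bot: `locations.'/'.target` turns kunsitracker.de into a full reverse proxy for travelynx.franzi.business with `Host` rewritten to the upstream name, so travelynx's login, account and API paths become reachable under the kunsitracker.de origin: its session cookies are then set for that origin and any Origin/Referer-based checks upstream see a host they do not expect. The previous 302 only handed the browser over to `/p/Kunsi` and kept the two origins apart. If the goal is just to serve the profile page under this name, proxy only the paths it needs (the profile path and static assets) and keep the redirect for everything else; with an `https://` upstream also confirm that the nginx bundle sets `proxy_ssl_verify on`, since nginx does not verify upstream certificates by default.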
@@ -48,3 +48,4 @@ tcp-keepalive 0 timeout 0 zset-max-ziplist-entries 128 zset-max-ziplist-value 64 +protected-mode no From 4238eeb6d8a658e2273d2246e030f84d408e7cc1 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sat, 26 Oct 2024 16:25:54 +0200 Subject: [PATCH 800/996] add bundle:docker-engine --- .../files/check_docker_container | 39 ++++++++ bundles/docker-engine/files/docker-wrapper | 50 ++++++++++ .../files/docker-wrapper.service | 14 +++ bundles/docker-engine/items.py | 99 +++++++++++++++++++ bundles/docker-engine/metadata.py | 83 ++++++++++++++++ bundles/nftables/metadata.py | 2 +- data/apt/files/gpg-keys/docker.asc | 62 ++++++++++++ 7 files changed, 348 insertions(+), 1 deletion(-) create mode 100644 bundles/docker-engine/files/check_docker_container create mode 100644 bundles/docker-engine/files/docker-wrapper create mode 100644 bundles/docker-engine/files/docker-wrapper.service create mode 100644 bundles/docker-engine/items.py create mode 100644 bundles/docker-engine/metadata.py create mode 100644 data/apt/files/gpg-keys/docker.asc diff --git a/bundles/docker-engine/files/check_docker_container b/bundles/docker-engine/files/check_docker_container new file mode 100644 index 0000000..2d8216a --- /dev/null +++ b/bundles/docker-engine/files/check_docker_container 
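Review bot: `protected-mode no` removes the last-resort guard that makes Redis refuse non-loopback clients when it has no password, and since this is the bundle's config file it presumably lands on every node carrying the redis bundle, not only the one that needs remote access. Protected mode already steps aside once `bind` is set explicitly, so the net effect is felt on nodes where `bind` is widened without a password, which is exactly what the docker-immich bundle later in this series does with `bind 0.0.0.0`; an unauthenticated Redis reachable from the network is a well-documented remote-compromise risk. Keep the line out of the bundle-wide file and instead give nodes that expose Redis a `requirepass` from the vault (or an ACL user), or bind only the specific address the client needs. The enclosing config file continues outside the hunk.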
@@ -0,0 +1,39 @@ +#!/usr/bin/env python3 + +from json import loads +from subprocess import check_output +from sys import argv + +try: + container_name = argv[1] + + docker_ps = check_output([ + 'docker', + 'container', + 'ls', + '--all', + '--format', + 'json', + '--filter', + f'name={container_name}' + ]) + + containers = loads(f"[{','.join([l for l in docker_ps.decode().splitlines() if l])}]") + + if not containers: + print(f'CRITICAL: container {container_name} not found!') + exit(2) + + if len(containers) > 1: + print(f'Found more than one container matching {container_name}!') + print(docker_ps) + exit(3) + + if containers[0]['State'] != 'running': + print(f'WARNING: container {container_name} not "running"') + exit(2) + + print(f"OK: {containers[0]['Status']}") +except Exception as e: + print(repr(e)) + exit(2) diff --git a/bundles/docker-engine/files/docker-wrapper b/bundles/docker-engine/files/docker-wrapper new file mode 100644 index 0000000..c225ceb --- /dev/null +++ b/bundles/docker-engine/files/docker-wrapper 
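Review bot: The `State != 'running'` branch prints `WARNING:` but exits with 2, which Icinga reads as CRITICAL, so the text and the state disagree; pick one, e.g. `exit(1)` if a stopped container is meant to be a warning, or prefix the message with `CRITICAL:`. `--filter name=` matches by substring/regex, so checking `immich` also returns any `immich-db`-style container and the script then exits 3 instead of reporting on the one it was asked about; narrowing after parsing, `containers = [c for c in containers if c.get('Names') == container_name]`, keeps the check exact (`Names` is the name field of `docker container ls --format json`). `print(docker_ps)` in that branch prints the raw bytes object; decode it first. The bare `except Exception` at the end is acceptable for a plugin, but `exit(3)` (UNKNOWN) there would distinguish a broken check from a broken container.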
@@ -0,0 +1,50 @@ +#!/bin/bash + +[[ -n "$DEBUG" ]] && set -x + +ACTION="$1" + +set -euo pipefail + +if [[ -z "$ACTION" ]] +then + echo "Usage: $0 start|stop" + exit 1 +fi + +PUID="$(id -u "docker-${name}")" +PGID="$(id -g "docker-${name}")" + +if [ "$ACTION" == "start" ] +then + docker run -d \ + --name "${name}" \ + --env "PUID=$PUID" \ + --env "PGID=$PGID" \ + --env "TZ=${timezone}" \ +% for k, v in sorted(environment.items()): + --env "${k}=${v}" \ +% endfor + --network host \ +% for host_port, container_port in sorted(ports.items()): + --expose "127.0.0.1:${host_port}:${container_port}" \ +% endfor +% for host_path, container_path in sorted(volumes.items()): + --volume "/var/opt/docker-engine/${name}/${host_path}:${container_path}" \ +% endfor + --restart unless-stopped \ + "${image}" + +elif [ "$ACTION" == "stop" ] +then + docker stop "${name}" + docker rm "${name}" + +else + echo "Unknown action $ACTION" + exit 1 +fi + +% if node.has_bundle('nftables'): +systemctl reload nftables +% endif diff --git a/bundles/docker-engine/files/docker-wrapper.service b/bundles/docker-engine/files/docker-wrapper.service new file mode 100644 index 0000000..a908c86 --- /dev/null +++ b/bundles/docker-engine/files/docker-wrapper.service @@ -0,0 +1,14 @@ +[Unit] +Description=docker-engine app ${name} +After=network.target +Requires=${' '.join(sorted(requires))} + +[Service] +WorkingDirectory=/var/opt/docker-engine/${name}/ +ExecStart=/opt/docker-engine/${name} start +ExecStop=/opt/docker-engine/${name} stop +Type=simple +RemainAfterExit=true + +[Install] +WantedBy=multi-user.target diff --git a/bundles/docker-engine/items.py b/bundles/docker-engine/items.py new file mode 100644 index 0000000..9e52eca --- /dev/null +++ b/bundles/docker-engine/items.py 
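Review bot: `--env "${k}=${v}"` passes every configured environment value on the `docker run` command line, and for the docker-immich bundle later in this series that includes `DB_PASSWORD` and `POSTGRES_PASSWORD`; while the CLI runs those values are readable by any local user through `ps`/`/proc/<pid>/cmdline`, and whenever `DEBUG` is set `set -x` copies them into the journal. Rendering the environment into a root-only file next to the wrapper and passing `--env-file` instead removes both exposures. `--expose "127.0.0.1:${host_port}:${container_port}"` is not a valid `--expose` argument (that flag takes `PORT[/proto]` or a range; publishing needs `-p`), and with `--network host` published ports are discarded anyway, so the `ports` mapping silently does nothing. `--network host` also means each container shares the host's network namespace and can bind any host port; a comment stating that this is intended so the apps can reach host-local postgres/redis would make the trade-off explicit.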
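Review bot: The unit lists `Requires=${' '.join(sorted(requires))}` (always including `docker.service`) but only `After=network.target`, and systemd orders units solely by `After=`/`Before=`, so `docker run` can be launched before dockerd is ready and fail on the socket. Add the same set to the ordering line: `After=network.target ${' '.join(sorted(requires))}`. `Type=simple` with `RemainAfterExit=true` works but is an odd pairing for a script that exits right after `docker run -d`; `Type=oneshot` is the canonical form, and either way systemd will not notice the container dying later, which is what the Icinga check in this bundle covers.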
@@ -0,0 +1,99 @@ +from bundlewrap.metadata import metadata_to_json + +deps = { + 'pkg_apt:docker-ce', + 'pkg_apt:docker-ce-cli', +} + +directories['/opt/docker-engine'] = { + 'purge': True, +} +directories['/var/opt/docker-engine'] = {} + +files['/etc/docker/daemon.json'] = { + 'content': metadata_to_json(node.metadata.get('docker-engine/config')), + 'triggers': { + 'svc_systemd:docker:restart', + }, + # install config before installing packages to ensure the config is + # applied to the first start as well + 'before': deps, +} + +svc_systemd['docker'] = { + 'needs': deps, +} + +files['/usr/local/share/icinga/plugins/check_docker_container'] = { + 'mode': '0755', +} + +for app, config in node.metadata.get('docker-engine/containers', {}).items(): + volumes = config.get('volumes', {}) + + files[f'/opt/docker-engine/{app}'] = { + 'source': 'docker-wrapper', + 'content_type': 'mako', + 'context': { + 'environment': config.get('environment', {}), + 'image': config['image'], + 'name': app, + 'ports': config.get('ports', {}), + 'timezone': node.metadata.get('timezone'), + 'volumes': volumes, + }, + 'mode': '0755', + 'triggers': { + f'svc_systemd:docker-{app}:restart', + }, + } + + users[f'docker-{app}'] = { + 'home': f'/var/opt/docker-engine/{app}', + 'groups': { + 'docker', + }, + 'after': { + # provides docker group + 'pkg_apt:docker-ce', + }, + } + + files[f'/usr/local/lib/systemd/system/docker-{app}.service'] = { + 'source': 'docker-wrapper.service', + 'content_type': 'mako', + 'context': { + 'name': app, + 'requires': { + *set(config.get('requires', set())), + 'docker.service', + } + }, + 'triggers': { + 'action:systemd-reload', + f'svc_systemd:docker-{app}:restart', + }, + } + + svc_systemd[f'docker-{app}'] = { + 'needs': { + *deps, + f'file:/opt/docker-engine/{app}', + f'file:/usr/local/lib/systemd/system/docker-{app}.service', + f'user:docker-{app}', + 'svc_systemd:docker', + *set(config.get('needs', set())), + }, + } + + for volume in volumes: + 
directories[f'/var/opt/docker-engine/{app}/{volume}'] = { + 'owner': f'docker-{app}', + 'group': f'docker-{app}', + 'needed_by': { + f'svc_systemd:docker-{app}', + }, + # don't do anything if the directory exists, docker images + # mangle owners + 'unless': f'test -d /var/opt/docker-engine/{app}/{volume}', + } diff --git a/bundles/docker-engine/metadata.py b/bundles/docker-engine/metadata.py new file mode 100644 index 0000000..fa55b5e --- /dev/null +++ b/bundles/docker-engine/metadata.py @@ -0,0 +1,83 @@ +defaults = { + 'apt': { + 'packages': { + 'docker-ce': {}, + 'docker-ce-cli': {}, + 'docker-compose-plugin': {}, + }, + 'repos': { + 'docker': { + 'items': { + 'deb https://download.docker.com/linux/debian {os_release} stable', + }, + }, + }, + }, + 'backups': { + 'paths': { + '/var/opt/docker-engine', + }, + }, + 'hosts': { + 'entries': { + '172.17.0.1': { + 'host.docker.internal', + }, + }, + }, + 'docker-engine': { + 'config': { + 'iptables': False, + 'no-new-privileges': True, + }, + }, + 'zfs': { + 'datasets': { + 'tank/docker-data': { + 'mountpoint': '/var/opt/docker-engine', + }, + }, + }, +} + + +@metadata_reactor.provides( + 'icinga2_api/docker-engine/services', +) +def monitoring(metadata): + services = { + 'DOCKER PROCESS': { + 'command_on_monitored_host': '/usr/lib/nagios/plugins/check_procs -C dockerd -c 1:', + }, + } + + for app in metadata.get('docker-engine/containers', {}): + services[f'DOCKER CONTAINER {app}'] = { + 'command_on_monitored_host': f'sudo /usr/local/share/icinga/plugins/check_docker_container {app}' + } + + return { + 'icinga2_api': { + 'docker-engine': { + 'services': services, + }, + }, + } + + +@metadata_reactor.provides( + 'zfs/datasets', +) +def zfs(metadata): + datasets = {} + + for app in metadata.get('docker-engine/containers', {}): + datasets[f'tank/docker-data/{app}'] = { + 'mountpoint': f'/var/opt/docker-engine/{app}' + } + + return { + 'zfs': { + 'datasets': datasets, + }, + } 
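Review bot: `files[f'/opt/docker-engine/{app}']` is rendered from `docker-wrapper` with the container's `environment` inlined and installed with `'mode': '0755'`, so on a node using the docker-immich bundle the database password ends up in a world-readable file; systemd runs the wrapper as root, so `'mode': '0700',` (or `0750` with a root group) loses nothing. The per-app `users[f'docker-{app}']` account is put into the `docker` group, which is equivalent to root on the host through the daemon socket, yet the account only owns volume directories and supplies `PUID`/`PGID` to the image; unless something runs `docker` as that user (nothing visible here does), drop the `'groups': {'docker'}` entry together with the `after` dependency that exists only for it.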
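Review bot: `'backups': {'paths': {'/var/opt/docker-engine'}}` backs up the container volumes file by file while the containers run; for the `database` volume that the docker-immich bundle maps into its `postgresql14` container that yields a copy PostgreSQL may not accept, unless the backup bundle already snapshots the `tank/docker-data/<app>` datasets the `zfs` reactor creates (not visible here). A pre-backup `pg_dump` into a volume directory, or a snapshot-based path, would make the copy consistent, and a comment on the `backups` entry stating which of the two applies would help the next reader. The apt repo line `deb https://download.docker.com/linux/debian {os_release} stable` arrives together with `data/apt/files/gpg-keys/docker.asc`; whether the apt bundle binds that key to this repo (`signed-by`) rather than trusting it for all sources is decided outside this hunk.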
diff --git a/bundles/nftables/metadata.py b/bundles/nftables/metadata.py index 8212d3c..15f34d4 100644 --- a/bundles/nftables/metadata.py +++ b/bundles/nftables/metadata.py @@ -29,7 +29,7 @@ defaults = { }, } -if not node.has_bundle('vmhost'): +if not node.has_bundle('vmhost') and not node.has_bundle('docker-engine'): # see comment in bundles/vmhost/items.py defaults['apt']['packages']['iptables'] = { 'installed': False, diff --git a/data/apt/files/gpg-keys/docker.asc b/data/apt/files/gpg-keys/docker.asc new file mode 100644 index 0000000..ee7872e --- /dev/null +++ b/data/apt/files/gpg-keys/docker.asc 
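Review bot: The condition now keeps `iptables` installed on docker-engine nodes, but the only explanation remains `# see comment in bundles/vmhost/items.py`, which describes the vmhost case; a reader cannot tell why docker needs the package when `docker-engine/config/iptables` defaults to `False`. Extend the comment, e.g. `# see comment in bundles/vmhost/items.py; docker-engine nodes keep iptables too, since nodes may enable docker's own rule management (see nodes/home.r630.toml)`. The enclosing `defaults` statement starts outside the hunk.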
@@ -0,0 +1,62 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- + +mQINBFit2ioBEADhWpZ8/wvZ6hUTiXOwQHXMAlaFHcPH9hAtr4F1y2+OYdbtMuth +lqqwp028AqyY+PRfVMtSYMbjuQuu5byyKR01BbqYhuS3jtqQmljZ/bJvXqnmiVXh +38UuLa+z077PxyxQhu5BbqntTPQMfiyqEiU+BKbq2WmANUKQf+1AmZY/IruOXbnq +L4C1+gJ8vfmXQt99npCaxEjaNRVYfOS8QcixNzHUYnb6emjlANyEVlZzeqo7XKl7 +UrwV5inawTSzWNvtjEjj4nJL8NsLwscpLPQUhTQ+7BbQXAwAmeHCUTQIvvWXqw0N +cmhh4HgeQscQHYgOJjjDVfoY5MucvglbIgCqfzAHW9jxmRL4qbMZj+b1XoePEtht +ku4bIQN1X5P07fNWzlgaRL5Z4POXDDZTlIQ/El58j9kp4bnWRCJW0lya+f8ocodo +vZZ+Doi+fy4D5ZGrL4XEcIQP/Lv5uFyf+kQtl/94VFYVJOleAv8W92KdgDkhTcTD +G7c0tIkVEKNUq48b3aQ64NOZQW7fVjfoKwEZdOqPE72Pa45jrZzvUFxSpdiNk2tZ +XYukHjlxxEgBdC/J3cMMNRE1F4NCA3ApfV1Y7/hTeOnmDuDYwr9/obA8t016Yljj +q5rdkywPf4JF8mXUW5eCN1vAFHxeg9ZWemhBtQmGxXnw9M+z6hWwc6ahmwARAQAB +tCtEb2NrZXIgUmVsZWFzZSAoQ0UgZGViKSA8ZG9ja2VyQGRvY2tlci5jb20+iQI3 +BBMBCgAhBQJYrefAAhsvBQsJCAcDBRUKCQgLBRYCAwEAAh4BAheAAAoJEI2BgDwO +v82IsskP/iQZo68flDQmNvn8X5XTd6RRaUH33kXYXquT6NkHJciS7E2gTJmqvMqd +tI4mNYHCSEYxI5qrcYV5YqX9P6+Ko+vozo4nseUQLPH/ATQ4qL0Zok+1jkag3Lgk +jonyUf9bwtWxFp05HC3GMHPhhcUSexCxQLQvnFWXD2sWLKivHp2fT8QbRGeZ+d3m +6fqcd5Fu7pxsqm0EUDK5NL+nPIgYhN+auTrhgzhK1CShfGccM/wfRlei9Utz6p9P +XRKIlWnXtT4qNGZNTN0tR+NLG/6Bqd8OYBaFAUcue/w1VW6JQ2VGYZHnZu9S8LMc +FYBa5Ig9PxwGQOgq6RDKDbV+PqTQT5EFMeR1mrjckk4DQJjbxeMZbiNMG5kGECA8 +g383P3elhn03WGbEEa4MNc3Z4+7c236QI3xWJfNPdUbXRaAwhy/6rTSFbzwKB0Jm +ebwzQfwjQY6f55MiI/RqDCyuPj3r3jyVRkK86pQKBAJwFHyqj9KaKXMZjfVnowLh +9svIGfNbGHpucATqREvUHuQbNnqkCx8VVhtYkhDb9fEP2xBu5VvHbR+3nfVhMut5 +G34Ct5RS7Jt6LIfFdtcn8CaSas/l1HbiGeRgc70X/9aYx/V/CEJv0lIe8gP6uDoW +FPIZ7d6vH+Vro6xuWEGiuMaiznap2KhZmpkgfupyFmplh0s6knymuQINBFit2ioB +EADneL9S9m4vhU3blaRjVUUyJ7b/qTjcSylvCH5XUE6R2k+ckEZjfAMZPLpO+/tF +M2JIJMD4SifKuS3xck9KtZGCufGmcwiLQRzeHF7vJUKrLD5RTkNi23ydvWZgPjtx +Q+DTT1Zcn7BrQFY6FgnRoUVIxwtdw1bMY/89rsFgS5wwuMESd3Q2RYgb7EOFOpnu +w6da7WakWf4IhnF5nsNYGDVaIHzpiqCl+uTbf1epCjrOlIzkZ3Z3Yk5CM/TiFzPk +z2lLz89cpD8U+NtCsfagWWfjd2U3jDapgH+7nQnCEWpROtzaKHG6lA3pXdix5zG8 
+eRc6/0IbUSWvfjKxLLPfNeCS2pCL3IeEI5nothEEYdQH6szpLog79xB9dVnJyKJb +VfxXnseoYqVrRz2VVbUI5Blwm6B40E3eGVfUQWiux54DspyVMMk41Mx7QJ3iynIa +1N4ZAqVMAEruyXTRTxc9XW0tYhDMA/1GYvz0EmFpm8LzTHA6sFVtPm/ZlNCX6P1X +zJwrv7DSQKD6GGlBQUX+OeEJ8tTkkf8QTJSPUdh8P8YxDFS5EOGAvhhpMBYD42kQ +pqXjEC+XcycTvGI7impgv9PDY1RCC1zkBjKPa120rNhv/hkVk/YhuGoajoHyy4h7 +ZQopdcMtpN2dgmhEegny9JCSwxfQmQ0zK0g7m6SHiKMwjwARAQABiQQ+BBgBCAAJ +BQJYrdoqAhsCAikJEI2BgDwOv82IwV0gBBkBCAAGBQJYrdoqAAoJEH6gqcPyc/zY +1WAP/2wJ+R0gE6qsce3rjaIz58PJmc8goKrir5hnElWhPgbq7cYIsW5qiFyLhkdp +YcMmhD9mRiPpQn6Ya2w3e3B8zfIVKipbMBnke/ytZ9M7qHmDCcjoiSmwEXN3wKYI +mD9VHONsl/CG1rU9Isw1jtB5g1YxuBA7M/m36XN6x2u+NtNMDB9P56yc4gfsZVES +KA9v+yY2/l45L8d/WUkUi0YXomn6hyBGI7JrBLq0CX37GEYP6O9rrKipfz73XfO7 +JIGzOKZlljb/D9RX/g7nRbCn+3EtH7xnk+TK/50euEKw8SMUg147sJTcpQmv6UzZ +cM4JgL0HbHVCojV4C/plELwMddALOFeYQzTif6sMRPf+3DSj8frbInjChC3yOLy0 +6br92KFom17EIj2CAcoeq7UPhi2oouYBwPxh5ytdehJkoo+sN7RIWua6P2WSmon5 +U888cSylXC0+ADFdgLX9K2zrDVYUG1vo8CX0vzxFBaHwN6Px26fhIT1/hYUHQR1z +VfNDcyQmXqkOnZvvoMfz/Q0s9BhFJ/zU6AgQbIZE/hm1spsfgvtsD1frZfygXJ9f +irP+MSAI80xHSf91qSRZOj4Pl3ZJNbq4yYxv0b1pkMqeGdjdCYhLU+LZ4wbQmpCk +SVe2prlLureigXtmZfkqevRz7FrIZiu9ky8wnCAPwC7/zmS18rgP/17bOtL4/iIz +QhxAAoAMWVrGyJivSkjhSGx1uCojsWfsTAm11P7jsruIL61ZzMUVE2aM3Pmj5G+W +9AcZ58Em+1WsVnAXdUR//bMmhyr8wL/G1YO1V3JEJTRdxsSxdYa4deGBBY/Adpsw +24jxhOJR+lsJpqIUeb999+R8euDhRHG9eFO7DRu6weatUJ6suupoDTRWtr/4yGqe +dKxV3qQhNLSnaAzqW/1nA3iUB4k7kCaKZxhdhDbClf9P37qaRW467BLCVO/coL3y +Vm50dwdrNtKpMBh3ZpbB1uJvgi9mXtyBOMJ3v8RZeDzFiG8HdCtg9RvIt/AIFoHR +H3S+U79NT6i0KPzLImDfs8T7RlpyuMc4Ufs8ggyg9v3Ae6cN3eQyxcK3w0cbBwsh +/nQNfsA6uu+9H7NhbehBMhYnpNZyrHzCmzyXkauwRAqoCbGCNykTRwsur9gS41TQ +M8ssD1jFheOJf3hODnkKU+HKjvMROl1DK7zdmLdNzA1cvtZH/nCC9KPj1z8QC47S +xx+dTZSx4ONAhwbS/LN3PoKtn8LPjY9NP9uDWI+TWYquS2U+KHDrBDlsgozDbs/O +jCxcpDzNmXpWQHEtHU7649OXHP7UeNST1mCUCH5qdank0V1iejF6/CfTFU4MfcrG +YT90qFF93M3v01BbxP+EIY2/9tiIPbrd +=0YYh +-----END PGP PUBLIC KEY BLOCK----- From 453d2a78891e676dc7a0847e5f1c399f0e4d8052 Mon Sep 17 00:00:00 2001 
From: Franziska Kunsmann Date: Sat, 26 Oct 2024 16:27:16 +0200 Subject: [PATCH 801/996] home.r630: add docker, fix firewall --- nodes/home.r630.toml | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/nodes/home.r630.toml b/nodes/home.r630.toml index 2a18418..cdfc4ba 100644 --- a/nodes/home.r630.toml +++ b/nodes/home.r630.toml @@ -1,9 +1,15 @@ hostname = "172.19.138.22" groups = ["debian-bookworm"] +bundles = ["docker-engine", "nginx", "redis"] [metadata] icinga_options.exclude_from_monitoring = true +[metadata.docker-engine.config] +# this is a dev machine, it's fine if docker does shenanigans with +# iptables +iptables = true + [metadata.interfaces.eno3] ips = [ "172.19.138.22/24", @@ -11,7 +17,7 @@ ips = [ gateway4 = "172.19.138.1" ipv6_accept_ra = true -[metadata.nftable.forward] +[metadata.nftables.forward] 50-local-forward = [ 'ct state { related, established } accept', 'iifname eno3 accept', From 2e8cbd60616eb60e4d4865e19e110d064e29d364 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sat, 26 Oct 2024 16:27:54 +0200 Subject: [PATCH 802/996] add bundle:docker-immich --- bundles/docker-immich/metadata.py | 64 +++++++++++++++++++++++++++++++ 1 file changed, 64 insertions(+) create mode 100644 bundles/docker-immich/metadata.py diff --git a/bundles/docker-immich/metadata.py b/bundles/docker-immich/metadata.py new file mode 100644 index 0000000..b41ea36 --- /dev/null +++ b/bundles/docker-immich/metadata.py 
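Review bot: The `nftable` to `nftables` key fix presumably makes the `50-local-forward` rules live for the first time, since the nftables bundle would not have read the misspelled key, so `ct state { related, established } accept` and `iifname eno3 accept` deserve a fresh read as if newly written: the second forwards anything that arrives on eno3, which is broad for a host that now also runs docker with `iptables = true`. Docker's own FORWARD rules and this nftables table are evaluated independently by the kernel, so a forwarded packet must be accepted by both; if the intent is only to let container traffic out, restrict the rule to that source. The enclosing `50-local-forward` list continues outside the hunk.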
@@ -0,0 +1,64 @@ +assert node.has_bundle('docker-engine') +assert node.has_bundle('redis') +assert not node.has_bundle('postgresql') # docker container uses that port + +defaults = { + 'docker-engine': { + 'containers': { + 'immich': { + 'image': 'ghcr.io/imagegenius/immich:latest', + 'environment': { + 'DB_DATABASE_NAME': 'immich', + 'DB_HOSTNAME': 'host.docker.internal', + 'DB_PASSWORD': repo.vault.password_for(f'{node.name} postgresql immich'), + 'DB_USERNAME': 'immich', + 'REDIS_HOSTNAME': 'host.docker.internal', + }, + 'volumes': { + 'config': '/config', + 'libraries': '/libraries', + 'photos': '/photos', + }, + 'needs': { + 'svc_systemd:docker-postgresql14', + }, + 'requires': { + 'docker-postgresql14.service', + }, + }, + 'postgresql14': { + 'image': 'tensorchord/pgvecto-rs:pg14-v0.2.0', + 'environment': { + 'POSTGRES_PASSWORD': repo.vault.password_for(f'{node.name} postgresql immich'), + 'POSTGRES_USER': 'immich', + 'POSTGRES_DB': 'immich', + }, + 'volumes': { + 'database': '/var/lib/postgresql/data', + }, + }, + }, + }, + 'nginx': { + 'vhosts': { + 'immich': { + 'locations': { + '/': { + 'target': 'http://127.0.0.1:8080/', + 'websockets': True, + 'max_body_size': '500m', + }, + #'/api/socket.io/': { + # 'target': 'http://127.0.0.1:8081/', + # 'websockets': True, + #}, + }, + }, + }, + }, + 'redis': { + 'bind': '0.0.0.0', + }, +} + + From 6647e714842bed36593009d90bbf0b7c6992a8e1 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sat, 26 Oct 2024 16:28:09 +0200 Subject: [PATCH 803/996] rottenraptor-server: add docker-immich --- nodes/rottenraptor-server.toml | 20 +++++++++++++++----- 1 file changed, 15 insertions(+), 5 deletions(-) diff --git a/nodes/rottenraptor-server.toml b/nodes/rottenraptor-server.toml index b0dd56b..5e53f81 100644 --- a/nodes/rottenraptor-server.toml +++ b/nodes/rottenraptor-server.toml 
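Review bot: `'redis': {'bind': '0.0.0.0'}` combined with the bundle-wide `protected-mode no` from earlier in this series makes Redis answer unauthenticated commands on every address of the host, including the public `91.198.192.207`/`2001:67c:b54:1::e` that nodes/rottenraptor-server.toml (next commit, which also adds this bundle) assigns to eno4, unless nftables drops 6379 there, which is not visible here. Because docker-wrapper starts containers with `--network host`, the immich container shares the host's loopback, so `REDIS_HOSTNAME` and `DB_HOSTNAME` can be `127.0.0.1` and Redis can stay on `bind 127.0.0.1`; the `host.docker.internal` entry for 172.17.0.1 is only needed for bridge-networked containers. The same applies to the `postgresql14` container, which under host networking presumably listens on all host interfaces guarded only by `POSTGRES_PASSWORD`. Separately, `ghcr.io/imagegenius/immich:latest` is an unpinned tag; pin a version or digest so deploys are reproducible and upgrades are deliberate, as is already done for `tensorchord/pgvecto-rs:pg14-v0.2.0`.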
@@ -1,9 +1,16 @@ hostname = "91.198.192.207" -groups = ["debian-bookworm"] -bundles = ["ipmitool", "smartd", "zfs"] - -[metadata] -backups.exclude_from_backups = true +groups = [ + "debian-bookworm", + "webserver", +] +bundles = [ + "docker-engine", + "docker-immich", + "ipmitool", + "redis", + "smartd", + "zfs", +] [metadata.icinga_options] period = "daytime" @@ -16,6 +23,9 @@ ips = [ gateway4 = "91.198.192.193" gateway6 = "2001:67c:b54:1::1" +[metadata.nginx.vhosts.immich] +domain = "rr-immich.franzi.business" + [metadata.smartd] disks = [ "/dev/disk/by-id/ata-WDC_WD30EZRX-00DC0B0_WD-WMC1T0287704", From 84867ff1e61a8091d255e31d0fe5cf08c6f7a075 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 27 Oct 2024 11:19:05 +0100 Subject: [PATCH 804/996] bundles/postfix: provide myhostname from reactor --- bundles/dovecot/files/dovecot.conf | 4 ++-- bundles/postfix/files/main.cf | 6 +++--- bundles/postfix/items.py | 2 +- bundles/postfix/metadata.py | 13 ++++++++++++- 4 files changed, 18 insertions(+), 7 deletions(-) diff --git a/bundles/dovecot/files/dovecot.conf b/bundles/dovecot/files/dovecot.conf index 804c6a9..73afeaf 100644 --- a/bundles/dovecot/files/dovecot.conf +++ b/bundles/dovecot/files/dovecot.conf @@ -29,8 +29,8 @@ mail_location = maildir:/var/mail/vmail/%d/%n protocols = imap lmtp sieve ssl = required -ssl_cert = % if node.has_bundle('postfixadmin'): -smtpd_tls_cert_file = /var/lib/dehydrated/certs/${node.metadata.get('postfix/myhostname', node.metadata['hostname'])}/fullchain.pem -smtpd_tls_key_file = /var/lib/dehydrated/certs/${node.metadata.get('postfix/myhostname', node.metadata['hostname'])}/privkey.pem +smtpd_tls_cert_file = /var/lib/dehydrated/certs/${node.metadata.get('postfix/myhostname')}/fullchain.pem +smtpd_tls_key_file = /var/lib/dehydrated/certs/${node.metadata.get('postfix/myhostname')}/privkey.pem <%text> smtpd_use_tls=yes smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache 
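Review bot: Besides adding the bundles and the webserver group, the first hunk drops `backups.exclude_from_backups = true`, which the subject does not mention, so this node presumably starts being backed up (now including the immich volumes and the postgres data directory); if that is intended it deserves a sentence in the commit message, otherwise the line should stay. This host has a public address (`hostname = "91.198.192.207"`) and the docker-immich bundle it now pulls in binds Redis to all interfaces, so the nftables input policy for this node should be checked to confirm 6379 is not reachable from outside.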
diff --git a/bundles/postfix/items.py b/bundles/postfix/items.py index d1bf0c2..5518c90 100644 --- a/bundles/postfix/items.py +++ b/bundles/postfix/items.py @@ -25,7 +25,7 @@ my_package = 'pkg_pacman:postfix' if node.os == 'arch' else 'pkg_apt:postfix' files = { '/etc/mailname': { - 'content': node.metadata.get('postfix/myhostname', node.metadata['hostname']), + 'content': node.metadata.get('postfix/myhostname'), 'before': { my_package, }, diff --git a/bundles/postfix/metadata.py b/bundles/postfix/metadata.py index 4788de6..3c3be24 100644 --- a/bundles/postfix/metadata.py +++ b/bundles/postfix/metadata.py @@ -87,7 +87,7 @@ def letsencrypt(metadata): } result['domains'] = { - metadata.get('postfix/myhostname', metadata.get('hostname')): set(), + metadata.get('postfix/myhostname'): set(), } return { @@ -148,3 +148,14 @@ def icinga2(metadata): }, }, } + + +@metadata_reactor.provides( + 'postfix/myhostname', +) +def myhostname(metadata): + return { + 'postfix': { + 'myhostname': metadata.get('hostname'), + }, + } From 9bfb5312149ca432ff5cd3fb454977ee419eddea Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 27 Oct 2024 11:19:26 +0100 Subject: [PATCH 805/996] kunsi-p14s: clean up packages --- nodes/kunsi-p14s.py | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/nodes/kunsi-p14s.py b/nodes/kunsi-p14s.py index 5e63351..b94f2b0 100644 --- a/nodes/kunsi-p14s.py +++ b/nodes/kunsi-p14s.py 
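Review bot: The templates now call `node.metadata.get('postfix/myhostname')` with no fallback, and the key is supplied by the new `myhostname` reactor that lives in the postfix bundle, so a node that deploys dovecot without postfix would fail to render dovecot.conf (the diffstat shows it was changed the same way, though its hunk is garbled on this page). An `assert node.has_bundle('postfix')` in the dovecot bundle, or keeping the `node.metadata['hostname']` fallback there, would make that dependency explicit. The reactor itself has no docstring; a one-liner such as `# provide postfix/myhostname from the node hostname so templates need no fallback` would tell readers where the key originates.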
@@ -97,16 +97,15 @@ nodes['kunsi-p14s'] = { 'xf86-video-amdgpu': {}, # all that other random stuff one needs - 'abcde': {}, - 'apachedirectorystudio': {}, + #'abcde': {}, 'claws-mail': {}, 'claws-mail-themes': {}, 'ferdium-bin': {}, 'gumbo-parser': {}, # for claws litehtml 'inkstitch': {}, # for RZL embroidery machine 'obs-studio': {}, - 'perl-musicbrainz-discid': {}, # for abcde - 'perl-webservice-musicbrainz': {}, # for abcde + #'perl-musicbrainz-discid': {}, # for abcde + #'perl-webservice-musicbrainz': {}, # for abcde 'sdl_ttf': {}, # for compiling testcard 'x32edit': {}, }, From ec8af84fb1000011318e5da4384b0bb89d67dd16 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 27 Oct 2024 11:19:42 +0100 Subject: [PATCH 806/996] bundles/postfix: add devnull@myhostname mail address --- bundles/postfix/files/blocked_recipients | 2 ++ bundles/postfix/files/main.cf | 2 +- 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/bundles/postfix/files/blocked_recipients b/bundles/postfix/files/blocked_recipients index 736e9d4..4aff372 100644 --- a/bundles/postfix/files/blocked_recipients +++ b/bundles/postfix/files/blocked_recipients @@ -1,3 +1,5 @@ +devnull@${node.metadata.get('postfix/myhostname')} DISCARD DEV-NULL + % for address in sorted(blocked): ${address} REJECT % endfor diff --git a/bundles/postfix/files/main.cf b/bundles/postfix/files/main.cf index e0261b0..770114b 100644 --- a/bundles/postfix/files/main.cf +++ b/bundles/postfix/files/main.cf 
@@ -48,7 +48,7 @@ smtpd_client_restrictions = permit_mynetworks permit_sasl_authenticated smtpd_helo_required = yes smtpd_helo_restrictions = permit_mynetworks reject_invalid_helo_hostname smtpd_data_restrictions = reject_unauth_pipelining -smtpd_recipient_restrictions = permit_mynetworks, check_recipient_access hash:/etc/postfix/blocked_recipients +smtpd_recipient_restrictions = check_recipient_access hash:/etc/postfix/blocked_recipients, permit_mynetworks smtpd_relay_before_recipient_restrictions = yes # https://ssl-config.mozilla.org/#server=postfix&version=3.7.10&config=intermediate&openssl=3.0.11&guideline=5.7 From 58964cc10f376e230f78ab0a0543fb10295ee5ac Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 27 Oct 2024 11:21:12 +0100 Subject: [PATCH 807/996] bundles/rspamd: send dmarc report emails from devnull address --- bundles/rspamd/files/local.d/dmarc.conf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/bundles/rspamd/files/local.d/dmarc.conf b/bundles/rspamd/files/local.d/dmarc.conf index fa42ec0..195361e 100644 --- a/bundles/rspamd/files/local.d/dmarc.conf +++ b/bundles/rspamd/files/local.d/dmarc.conf @@ -1,7 +1,7 @@ reporting { enabled = true; - email = 'dmarc+${node.name.replace('.', '-')}@kunbox.net'; - domain = '${node.metadata.get('hostname')}'; + email = 'devnull@${node.metadata.get('postfix/myhostname')}'; + domain = '${node.metadata.get('postfix/myhostname')}'; org_name = 'kunbox.net'; smtp = '127.0.0.1'; smtp_port = 25; From 4f0ced4d9a696a7553a70363fc7291640fb34510 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 27 Oct 2024 17:37:14 +0100 Subject: [PATCH 808/996] bundles/homeassistant: fix version check --- bundles/homeassistant/files/check_homeassistant_update | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/bundles/homeassistant/files/check_homeassistant_update b/bundles/homeassistant/files/check_homeassistant_update index 0e6f2e8..853c467 100644 
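Review bot: Moving `check_recipient_access hash:/etc/postfix/blocked_recipients` ahead of `permit_mynetworks` changes more than the devnull address: the REJECT entries in blocked_recipients now also apply to clients inside mynetworks, which the previous order exempted, so local services submitting mail to a blocked recipient will start being rejected. If that is intended, a comment above the line, e.g. `# recipient checks run before permit_mynetworks so devnull@ is discarded for local senders too`, would keep the order from being reverted later; if not, the DISCARD entry could be placed in a separate map consulted before permit_mynetworks while the REJECT map stays after it.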
--- a/bundles/homeassistant/files/check_homeassistant_update +++ b/bundles/homeassistant/files/check_homeassistant_update @@ -2,7 +2,7 @@ from sys import exit -from packaging import version +from packaging.version import parse from requests import get API_TOKEN = "${token}" @@ -11,7 +11,7 @@ DOMAIN = "${domain}" try: r = get("https://version.home-assistant.io/stable.json") r.raise_for_status() - stable_version = r.json()["homeassistant"]["generic-x86-64"] + stable_version = parse(r.json()["homeassistant"]["generic-x86-64"]) except Exception as e: print(f"Could not get stable version information from home-assistant.io: {e!r}") exit(3) @@ -22,7 +22,7 @@ try: headers={"Authorization": f"Bearer {API_TOKEN}", "Content-Type": "application/json"}, ) r.raise_for_status() - running_version = r.json()["version"] + running_version = parse(r.json()["version"]) except Exception as e: print(f"Could not get running version information from homeassistant: {e!r}") exit(3) From 9b0e6272745924a6349edbf4c5f89b534bec853d Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 27 Oct 2024 17:45:22 +0100 Subject: [PATCH 809/996] bundles/homeassistant: ensure virtualenv is in PATH --- bundles/homeassistant/files/homeassistant.service | 2 ++ 1 file changed, 2 insertions(+) diff --git a/bundles/homeassistant/files/homeassistant.service b/bundles/homeassistant/files/homeassistant.service index a650f17..ed0f2a9 100644 --- a/bundles/homeassistant/files/homeassistant.service +++ b/bundles/homeassistant/files/homeassistant.service @@ -5,6 +5,8 @@ After=network-online.target [Service] Type=simple User=homeassistant +Environment="VIRTUAL_ENV=/opt/homeassistant/venv" +Environment="PATH=/opt/homeassistant/venv/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" WorkingDirectory=/var/opt/homeassistant ExecStart=/opt/homeassistant/venv/bin/hass -c "/var/opt/homeassistant" RestartForceExitStatus=100 From 12c735f4aa1460dfc2cbebd4baba24b568524600 Mon Sep 17 00:00:00 2001 
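Review bot: Both `get(...)` calls that feed the new `parse(...)` lines still carry no `timeout=`, so a stalled connection to version.home-assistant.io or to the local API hangs the check forever instead of reaching the `exit(3)` path; `r = get("https://version.home-assistant.io/stable.json", timeout=10)` and the same keyword on the API call fix that. Those lines are hunk context rather than new code, but the parsing change is a natural moment to add it. The comparison of `stable_version` and `running_version` that benefits from `parse()` is outside these hunks.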
From: Franziska Kunsmann Date: Mon, 28 Oct 2024 16:16:10 +0100 Subject: [PATCH 810/996] update element-web to 1.11.82 --- nodes/carlene.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nodes/carlene.toml b/nodes/carlene.toml index e94a0b2..be10e09 100644 --- a/nodes/carlene.toml +++ b/nodes/carlene.toml @@ -40,7 +40,7 @@ imap_pass = "!bwpass_attr:t-online.de/franzi.kunsmann@t-online.de:imap" [metadata.element-web] url = "chat.franzi.business" -version = "v1.11.78" +version = "v1.11.82" [metadata.element-web.config] default_server_config.'m.homeserver'.base_url = "https://matrix.franzi.business" default_server_config.'m.homeserver'.server_name = "franzi.business" From 1be5ab268b4252bcb82191ecbbcc672bdcd0f841 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Mon, 28 Oct 2024 16:16:24 +0100 Subject: [PATCH 811/996] update forgejo to 9.0.1 --- nodes/carlene.toml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/nodes/carlene.toml b/nodes/carlene.toml index be10e09..f9bc638 100644 --- a/nodes/carlene.toml +++ b/nodes/carlene.toml @@ -49,8 +49,8 @@ defaultCountryCode = "DE" jitsi.preferredDomain = "meet.ffmuc.net" [metadata.forgejo] -version = "8.0.3" -sha1 = "a19aa24f26c1ff5a38cf12619b6a6064242d0cf2" +version = "9.0.1" +sha1 = "060d9f00aaf595875eaf1897cbb24e760ef54d64" domain = "git.franzi.business" enable_git_hooks = true install_ssh_key = true From c006748165ee114d3ac417c2ae90ef4eb356fd3d Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Mon, 28 Oct 2024 16:16:36 +0100 Subject: [PATCH 812/996] update mautrix-whatsapp to 0.11.0 --- nodes/carlene.toml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/nodes/carlene.toml b/nodes/carlene.toml index f9bc638..3949e12 100644 --- a/nodes/carlene.toml +++ b/nodes/carlene.toml 
@@ -114,8 +114,8 @@ provisioning.shared_secret = "!decrypt:encrypt$gAAAAABfVKflEMAi07C_QGP8cy97hF-4g "'@kunsi:franzi.business'" = "admin" [metadata.mautrix-whatsapp] -version = "v0.10.9" -sha1 = "1619579ec6b9fca84fec085a94842d309d3f730c" +version = "v0.11.0" +sha1 = "997c794eb246e6cc67ac050c106d54f88531f213" permissions."'@kunsi:franzi.business'" = "admin" [metadata.mautrix-whatsapp.homeserver] domain = "franzi.business" From 6eb2c6651b7f4df7c21697cd2d8e728751c85053 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Mon, 28 Oct 2024 16:16:48 +0100 Subject: [PATCH 813/996] update netbox to 4.1.4 --- nodes/carlene.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nodes/carlene.toml b/nodes/carlene.toml index 3949e12..9f4a66d 100644 --- a/nodes/carlene.toml +++ b/nodes/carlene.toml @@ -126,7 +126,7 @@ domain = "rss.franzi.business" [metadata.netbox] domain = "netbox.franzi.business" -version = "v4.1.2" +version = "v4.1.4" admins.kunsi = "hostmaster@kunbox.net" [metadata.nextcloud] From f6cb540007dee76d796ef55109e4b0c64ac0fe79 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Mon, 28 Oct 2024 16:17:16 +0100 Subject: [PATCH 814/996] update paperless-ngx to 2.13.0 --- nodes/home/paperless.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nodes/home/paperless.py b/nodes/home/paperless.py index 859eb07..ded32c5 100644 --- a/nodes/home/paperless.py +++ b/nodes/home/paperless.py @@ -48,7 +48,7 @@ nodes['home.paperless'] = { }, 'paperless': { 'domain': 'paperless.home.kunbox.net', - 'version': 'v2.12.1', + 'version': 'v2.13.0', 'timezone': 'Europe/Berlin', }, 'postgresql': { From e29a838fad051196347df912dfe86eb1edd7d95c Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Mon, 28 Oct 2024 16:54:53 +0100 Subject: [PATCH 815/996] bundles/forgejo: fix website_check_string --- bundles/forgejo/metadata.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/bundles/forgejo/metadata.py b/bundles/forgejo/metadata.py index 714568f..16190e2 100644 --- a/bundles/forgejo/metadata.py +++ b/bundles/forgejo/metadata.py @@ -100,7 +100,7 @@ def nginx(metadata): }, }, 'website_check_path': '/user/login', - 'website_check_string': 'Sign In', + 'website_check_string': 'Sign in', }, }, }, From 46ec4cc2e7af4197dd58eba4a340d80780d3a140 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Mon, 28 Oct 2024 16:55:10 +0100 Subject: [PATCH 816/996] bundles/postgresql: please also always do dumps --- bundles/postgresql/items.py | 6 +----- bundles/postgresql/metadata.py | 3 +-- 2 files changed, 2 insertions(+), 7 deletions(-) diff --git a/bundles/postgresql/items.py b/bundles/postgresql/items.py index f9cdc46..0a1b09f 100644 --- a/bundles/postgresql/items.py +++ b/bundles/postgresql/items.py @@ -57,7 +57,7 @@ files = { }, } -if node.has_bundle('backup-client') and not node.has_bundle('zfs'): +if node.has_bundle('backup-client'): files['/etc/backup-pre-hooks.d/90-postgresql-dump-all'] = { 'source': 'backup-pre-hook', 'content_type': 'mako', @@ -67,10 +67,6 @@ if node.has_bundle('backup-client') and not node.has_bundle('zfs'): 'mode': '0700', } directories['/var/tmp/postgresdumps'] = {} -else: - files['/var/tmp/postgresdumps'] = { - 'delete': True, - } postgres_roles = { 'root': { diff --git a/bundles/postgresql/metadata.py b/bundles/postgresql/metadata.py index e69a117..b624bae 100644 --- a/bundles/postgresql/metadata.py +++ b/bundles/postgresql/metadata.py @@ -11,6 +11,7 @@ defaults = { 'backups': { 'paths': { '/var/lib/postgresql', + '/var/tmp/postgresdumps', }, }, 'bash_functions': { @@ -74,8 +75,6 @@ if node.has_bundle('zfs'): }, }, } -else: - defaults['backups']['paths'].add('/var/tmp/postgresdumps') @metadata_reactor.provides( From 6f5b862a38828dc2392a01c119ab9d52806479b6 Mon Sep 17 00:00:00 2001 
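Review bot: `directories['/var/tmp/postgresdumps'] = {}` creates the dump directory with default attributes, which are not restrictive, and after this change it does so on every backup-client node including zfs hosts; a full-cluster dump is as sensitive as the data directory itself, so declare it with e.g. `'owner': 'postgres', 'group': 'postgres', 'mode': '0700'` (the hook script's 0700 covers only the script, and whether the hook restricts the dump files it writes is outside this hunk). The metadata.py hunk now adds `/var/tmp/postgresdumps` to backup paths unconditionally, which is only harmless if the backup client tolerates a missing path on nodes without backup-client — worth confirming.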
From: Sophie Schiller Date: Wed, 30 Oct 2024 20:41:13 +0100 Subject: [PATCH 817/996] sophies backupserver hostname --- nodes/sophie/backupserver.py | 1 + 1 file changed, 1 insertion(+) diff --git a/nodes/sophie/backupserver.py b/nodes/sophie/backupserver.py index efabae1..42c6292 100644 --- a/nodes/sophie/backupserver.py +++ b/nodes/sophie/backupserver.py @@ -37,6 +37,7 @@ nodes['htz-hel.backup-sophie'] = { }, 'backup-server': { 'zfs-base': 'tank/backups', + 'my_hostname': 'backup.sophies-kitchen.eu', }, 'nftables': { 'input': { From c1c3e1f9289dc6492a37244b9b3e28434414523a Mon Sep 17 00:00:00 2001 From: Sophie Schiller Date: Wed, 30 Oct 2024 20:41:42 +0100 Subject: [PATCH 818/996] miniserver: diverse updates --- nodes/sophie/miniserver.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/nodes/sophie/miniserver.py b/nodes/sophie/miniserver.py index 2656fa5..5088f87 100644 --- a/nodes/sophie/miniserver.py +++ b/nodes/sophie/miniserver.py @@ -62,7 +62,7 @@ nodes['htz-cloud.miniserver'] = { }, 'element-web': { 'url': 'chat.sophies-kitchen.eu', - 'version': 'v1.11.76', + 'version': 'v1.11.83', 'config': { 'default_server_config': { 'm.homeserver': { @@ -81,7 +81,7 @@ nodes['htz-cloud.miniserver'] = { }, }, 'hedgedoc': { - 'version': '1.9.9', + 'version': '1.10.0', 'config': { 'production': { 'allowAnonymousEdits': True, From ec49c8d3ffce91cfa3c5ba9c9e1eedbf5b9edb75 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Thu, 31 Oct 2024 16:36:07 +0100 Subject: [PATCH 819/996] voc.infobeamer-cms: hackint changed their webirc service --- nodes/voc/infobeamer-cms.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nodes/voc/infobeamer-cms.py b/nodes/voc/infobeamer-cms.py index ea48a85..b5dae71 100644 --- a/nodes/voc/infobeamer-cms.py +++ b/nodes/voc/infobeamer-cms.py 
@@ -64,7 +64,7 @@ nodes['voc.infobeamer-cms'] = { 'FAQ': { 'SOURCE': 'https://github.com/voc/infobeamer-cms', 'CONTACT': ''' - Please use the IRC + Please use the IRC Channel #infobeamer on irc.hackint.org (also bridged to matrix) or #info-beamer on the cccv rocketchat instance. From 2c83a5c4fccf1034bcab70261515c94a896a9c4b Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Thu, 31 Oct 2024 16:58:26 +0100 Subject: [PATCH 820/996] voc.infobeamer-cms: prepare for 38c3 --- nodes/voc/infobeamer-cms.py | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/nodes/voc/infobeamer-cms.py b/nodes/voc/infobeamer-cms.py index b5dae71..f0dc6cf 100644 --- a/nodes/voc/infobeamer-cms.py +++ b/nodes/voc/infobeamer-cms.py @@ -25,8 +25,8 @@ nodes['voc.infobeamer-cms'] = { }, 'infobeamer-cms': { 'domain': 'infobeamer.c3voc.de', - 'event_start_date': '2024-10-03', - 'event_duration_days': 4, + 'event_start_date': '2024-12-26', + 'event_duration_days': 5, 'config': { 'ADMIN_USERS': [ 'hexchen', @@ -39,7 +39,7 @@ nodes['voc.infobeamer-cms'] = { 'GITHUB_CLIENT_ID': vault.decrypt('encrypt$gAAAAABiNwHfIu9PYFfJrF7qirn_9vdvvUlEhJnadoNSS5XlCDbI_aMyj21_ZYQxaCkc6_eVX6Cj1jEHZ7Vs6wM-XyQdW0nUOahtqG4uvnYCiM3GFKHW_wQ='), 'GITHUB_CLIENT_SECRET': vault.decrypt('encrypt$gAAAAABiNwHtdZC2XQ8IjosL7vsmrxZMwDIM6AD5dUlLo996tJs4qV7KJETHgYYZil2aMzClwhcE6JmxdhARRp7IJQ4rQQibelTNmyYSzj_V4puVpvma7SU0UZkTIG95SdPpoHY--Zba'), 'HOSTED_API_KEY': vault.decrypt('encrypt$gAAAAABhxJPH2sIGMAibU2Us1HoCVlNfF0SQQnVl0eiod48Zu8webL_-xk3wDw3yXw1Hkglj-2usl-D3Yd095yTSq0vZMCv2fh-JWwSPdJewQ45x9Ai4vXVD4CNz5vuJBESKS9xQWXTc'), - 'INTERRUPT_KEY': vault.human_password_for('infobeamer-cms interrupt key'), + 'INTERRUPT_KEY': vault.human_password_for('infobeamer-cms interrupt key 38c3', words=1), 'SETUP_IDS': [ 253559, ], From 72638e0856c8dc100f4ca067eaa4d2693f004368 Mon Sep 17 00:00:00 2001 
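Review bot: `vault.human_password_for('infobeamer-cms interrupt key 38c3', words=1)` derives a single-word secret, which is a very small search space for a key that gates the interrupt function during the event; unless the endpoint that checks it is rate-limited or reachable only by admins, keeping the default word count is the safer choice. If the single word is a deliberate trade-off for typing it by hand on site, a comment on the line such as `# intentionally one word: entered by hand at the venue; rotate after the event` documents the decision so it is not copied to other deployments.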
From: Franziska Kunsmann Date: Sun, 3 Nov 2024 17:40:46 +0100 Subject: [PATCH 821/996] bundles/infobeamer-monitor: add account data monitoring --- bundles/infobeamer-monitor/files/monitor.py | 72 ++++++++++++++++----- 1 file changed, 57 insertions(+), 15 deletions(-) diff --git a/bundles/infobeamer-monitor/files/monitor.py b/bundles/infobeamer-monitor/files/monitor.py index 6f353e6..2aa2daf 100644 --- a/bundles/infobeamer-monitor/files/monitor.py +++ b/bundles/infobeamer-monitor/files/monitor.py @@ -61,8 +61,6 @@ def mqtt_dump_state(device): out.append("Location: {}".format(device["location"])) out.append("Setup: {} ({})".format(device["setup"]["name"], device["setup"]["id"])) out.append("Resolution: {}".format(device["run"].get("resolution", "unknown"))) - if not device["is_synced"]: - out.append("syncing ...") mqtt_out( " - ".join(out), @@ -73,6 +71,9 @@ def mqtt_dump_state(device): mqtt_out("Monitor starting up") while True: try: + online_devices = set() + available_credits = None + try: r = get( "https://info-beamer.com/api/v1/device/list", @@ -88,7 +89,6 @@ while True: ) else: new_state = {} - online_devices = set() for device in ib_state: did = str(device["id"]) @@ -140,16 +140,15 @@ while True: if device["is_online"]: if device["maintenance"]: mqtt_out( - "maintenance required: {}".format(' '.join( - sorted(device["maintenance"]) - )), + "maintenance required: {}".format( + " ".join(sorted(device["maintenance"])) + ), level="WARN", device=device, ) if ( - device["is_synced"] != state[did]["is_synced"] - or device["location"] != state[did]["location"] + device["location"] != state[did]["location"] or device["setup"]["id"] != state[did]["setup"]["id"] or device["run"].get("resolution") != state[did]["run"].get("resolution") 
@@ -171,13 +170,56 @@ while True: state = new_state - if ( - datetime.now(timezone.utc).strftime("%H%M") == "1312" - and online_devices - and int(datetime.now(timezone.utc).strftime("%S")) < 30 - ): - mqtt_out("Online Devices: {}".format(", ".join(sorted(online_devices)))) - sleep(30) + try: + r = get( + "https://info-beamer.com/api/v1/account", + auth=("", CONFIG["api_key"]), + ) + r.raise_for_status() + ib_account = r.json() + except RequestException as e: + LOG.exception("Could not get data from info-beamer") + mqtt_out( + f"Could not get data from info-beamer: {e!r}", + level="WARN", + ) + else: + available_credits = ib_account["balance"] + if available_credits < 50: + mqtt_out( + f"balance has dropped below 50 credits! (available: {available_credits})", + level="ERROR", + ) + elif available_credits < 100: + mqtt_out( + f"balance has dropped below 100 credits! (available: {available_credits})", + level="WARN", + ) + + for quota_name, quota_config in sorted(ib_account["quotas"].items()): + value = quota_config["count"]["value"] + limit = quota_config["count"]["limit"] + if value > limit * 0.9: + mqtt_out( + f"quota {quota_name} is over 90% (limit {limit}, value {value})", + level="ERROR", + ) + elif value > limit * 0.8: + mqtt_out( + f"quota {quota_name} is over 80% (limit {limit}, value {value})", + level="WARN", + ) + + if datetime.now(timezone.utc).strftime("%H%M") == "1312": + if available_credits is not None: + mqtt_out(f"Available Credits: {available_credits}") + + if online_devices: + mqtt_out( + "Online Devices: {}".format(", ".join(sorted(online_devices))) + ) + + sleep(60) except KeyboardInterrupt: break From e51c24f837b116c033b639ddfcc90ad59b3ddad3 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Fri, 8 Nov 2024 06:39:05 +0100 Subject: [PATCH 822/996] bundles/powerdns: use *repo* commit time instead of *file* commit time for serial --- bundles/powerdns/items.py | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) 
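Review bot: Replacing the `< 30` seconds guard and `sleep(30)` with a bare `sleep(60)` makes the `strftime("%H%M") == "1312"` daily report unreliable, because each iteration now takes 60 s plus two HTTP round trips and can step over minute 13:12 entirely on some days. Tracking the date of the last report (store `today` when the report is sent and report when `now.hour == 13 and now.minute >= 12 and today != last_report_date`) fires exactly once per day regardless of loop drift. The new `get("https://info-beamer.com/api/v1/account", ...)` has no `timeout=`, so a stalled connection blocks the whole monitor; `timeout=30` on it (and on the device/list call above) keeps the loop alive. The quota check `value > limit * 0.9` raises `TypeError` outside the `RequestException` handler if a limit is `None`, and alerts on every iteration if it is zero — worth confirming the API always returns positive numeric limits or guarding with `if not limit: continue`.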
diff --git a/bundles/powerdns/items.py b/bundles/powerdns/items.py index a0c89d2..329694a 100644 --- a/bundles/powerdns/items.py +++ b/bundles/powerdns/items.py @@ -2,6 +2,7 @@ from datetime import datetime from os import listdir from os.path import isfile, join from subprocess import check_output +from bundlewrap.utils.ui import io zone_path = join(repo.path, 'data', 'powerdns', 'files', 'bind-zones') @@ -79,9 +80,10 @@ if node.metadata.get('powerdns/features/bind', False): continue try: - output = check_output(['git', 'log', '-1', '--pretty=%ci', join(zone_path, zone)]).decode('utf-8').strip() + output = check_output(['git', 'log', '-1', '--pretty=%ci']).decode('utf-8').strip() serial = datetime.strptime(output, '%Y-%m-%d %H:%M:%S %z').strftime('%y%m%d%H%M') - except: + except Exception as e: + io.stderr(f"Error while parsing commit time for {zone} serial: {e!r}") serial = datetime.now().strftime('%y%m%d0000') primary_zones.add(zone) From 209dedccf90b5e1ad164ec39cb21c1fb7b998740 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Fri, 8 Nov 2024 06:39:59 +0100 Subject: [PATCH 823/996] `isort` the whole repo --- bundles/powerdns/items.py | 1 + bundles/pppd/files/dyndns | 1 - bundles/pppd/files/dyndns_periodic | 1 - bundles/routeros/metadata.py | 1 - libs/demagify.py | 1 + libs/ssh.py | 6 +++--- nodes/attributes.py | 5 +++-- 7 files changed, 8 insertions(+), 8 deletions(-) diff --git a/bundles/powerdns/items.py b/bundles/powerdns/items.py index 329694a..b6a5e8f 100644 --- a/bundles/powerdns/items.py +++ b/bundles/powerdns/items.py @@ -2,6 +2,7 @@ from datetime import datetime from os import listdir from os.path import isfile, join from subprocess import check_output + from bundlewrap.utils.ui import io zone_path = join(repo.path, 'data', 'powerdns', 'files', 'bind-zones') diff --git a/bundles/pppd/files/dyndns b/bundles/pppd/files/dyndns index 5058b2f..633915f 100644 --- a/bundles/pppd/files/dyndns +++ b/bundles/pppd/files/dyndns 
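Review bot: `check_output(['git', 'log', '-1', '--pretty=%ci'])` runs in the interpreter's current working directory rather than in the repository, so the serial depends on where `bw` was invoked; passing `cwd=repo.path` pins it (the previous absolute-path form had the same dependency, the hunk just makes it more visible). Taking the repo-wide commit time means every zone's serial moves on any commit, which the subject states is the intent, but the fallback `datetime.now().strftime('%y%m%d0000')` can produce a value lower than a serial already served the same day, after which secondaries will refuse the transfer; the new stderr message helps, and a comment on the fallback line noting that risk would warn operators. The enclosing loop over zones starts outside the hunk.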
@@ -7,7 +7,6 @@ from subprocess import check_output from requests import get - UPDATE_URL = '${url}' USERNAME = '${username}' PASSWORD = '${password}' diff --git a/bundles/pppd/files/dyndns_periodic b/bundles/pppd/files/dyndns_periodic index 236c4fc..353ee6d 100644 --- a/bundles/pppd/files/dyndns_periodic +++ b/bundles/pppd/files/dyndns_periodic @@ -5,7 +5,6 @@ from ipaddress import ip_address from json import loads from subprocess import check_output, run - DOMAIN = '${domain}' # <%text> diff --git a/bundles/routeros/metadata.py b/bundles/routeros/metadata.py index ca7979f..e987a4e 100644 --- a/bundles/routeros/metadata.py +++ b/bundles/routeros/metadata.py @@ -2,7 +2,6 @@ import re from json import load from os.path import join - with open(join(repo.path, 'configs', 'netbox', f'{node.name}.json')) as f: netbox = load(f) diff --git a/libs/demagify.py b/libs/demagify.py index 5fe492c..02180f0 100644 --- a/libs/demagify.py +++ b/libs/demagify.py @@ -1,5 +1,6 @@ import bwpass + def demagify(something, vault): if isinstance(something, str): if something.startswith('!bwpass:'): diff --git a/libs/ssh.py b/libs/ssh.py index 89c643a..fe3b9b4 100644 --- a/libs/ssh.py +++ b/libs/ssh.py @@ -4,9 +4,9 @@ from hashlib import sha3_224 from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PrivateKey from cryptography.hazmat.primitives.serialization import (Encoding, - NoEncryption, - PrivateFormat, - PublicFormat) + NoEncryption, + PrivateFormat, + PublicFormat) from bundlewrap.utils import Fault diff --git a/nodes/attributes.py b/nodes/attributes.py index 85fa36d..eda23f4 100644 --- a/nodes/attributes.py +++ b/nodes/attributes.py @@ -1,6 +1,7 @@ -from bundlewrap.utils.ui import io from bundlewrap.utils.scm import get_rev -from bundlewrap.utils.text import red, bold +from bundlewrap.utils.text import bold, red +from bundlewrap.utils.ui import io + @node_attribute def needs_apply(node): From 563ba266ff0f93981e97d3e4d03e172fc497e5ba Mon Sep 17 00:00:00 2001 
From: Franziska Kunsmann Date: Sun, 10 Nov 2024 18:56:35 +0100 Subject: [PATCH 824/996] fix icinga2 bundle (gpg key / packages) --- bundles/icinga2/metadata.py | 1 - data/apt/files/gpg-keys/icinga2.asc | 53 ++++++++++++++--------------- 2 files changed, 26 insertions(+), 28 deletions(-) diff --git a/bundles/icinga2/metadata.py b/bundles/icinga2/metadata.py index 494ff89..60d28fe 100644 --- a/bundles/icinga2/metadata.py +++ b/bundles/icinga2/metadata.py @@ -17,7 +17,6 @@ defaults = { 'icinga2': {}, 'icinga2-ido-pgsql': {}, 'icingaweb2': {}, - 'icingaweb2-module-monitoring': {}, 'python3-easysnmp': {}, 'python3-flask': {}, 'snmp': {}, diff --git a/data/apt/files/gpg-keys/icinga2.asc b/data/apt/files/gpg-keys/icinga2.asc index 901c78c..165344f 100644 --- a/data/apt/files/gpg-keys/icinga2.asc +++ b/data/apt/files/gpg-keys/icinga2.asc 
@@ -1,30 +1,29 @@ -----BEGIN PGP PUBLIC KEY BLOCK----- -Version: GnuPG v2.0.19 (GNU/Linux) -mQGiBFKHzk4RBACSHMIFTtfw4ZsNKAA03Gf5t7ovsKWnS7kcMYleAidypqhOmkGg -0petiYsMPYT+MOepCJFGNzwQwJhZrdLUxxMSWay4Xj0ArgpD9vbvU+gj8Tb02l+x -SqNGP8jXMV5UnK4gZsrYGLUPvx47uNNYRIRJAGOPYTvohhnFJiG402dzlwCg4u5I -1RdFplkp9JM6vNM9VBIAmcED/2jr7UQGsPs8YOiPkskGHLh/zXgO8SvcNAxCLgbp -BjGcF4Iso/A2TAI/2KGJW6kBW/Paf722ltU6s/6mutdXJppgNAz5nfpEt4uZKZyu -oSWf77179B2B/Wl1BsX/Oc3chscAgQb2pD/qPF/VYRJU+hvdQkq1zfi6cVsxyREV -k+IwA/46nXh51CQxE29ayuy1BoIOxezvuXFUXZ8rP6aCh4KaiN9AJoy7pBieCzsq -d7rPEeGIzBjI+yhEu8p92W6KWzL0xduWfYg9I7a2GTk8CaLX2OCLuwnKd7RVDyyZ -yzRjWs0T5U7SRAWspLStYxMdKert9lLyQiRHtLwmlgBPqa0gh7Q+SWNpbmdhIE9w -ZW4gU291cmNlIE1vbml0b3JpbmcgKEJ1aWxkIHNlcnZlcikgPGluZm9AaWNpbmdh -Lm9yZz6IYAQTEQIAIAUCUofOTgIbAwYLCQgHAwIEFQIIAwQWAgMBAh4BAheAAAoJ -EMbjGcM0QQaCgSQAnRjXdbsyqziqhmxfAKffNJYuMPwdAKCS/IRCVyQzApFBtIBQ -1xuoym/4C7kCDQRSh85OEAgAvPwjlURCi8z6+7i60no4n16dNcSzd6AT8Kizpv2r -9BmNBff/GNYGnHyob/DMtmO2esEuVG8w62rO9m1wzzXzjbtmtU7NZ1Tg+C+reU2I -GNVu3SYtEVK/UTJHAhLcgry9yD99610tYPN2Fx33Efse94mXOreBfCvDsmFGSc7j -GVNCWXpMR3jTYyGj1igYd5ztOzG63D8gPyOucTTl+RWN/G9EoGBv6sWqk5eCd1Fs -JlWyQX4BJn3YsCZx3uj1DWL0dAl2zqcn6m1M4oj1ozW47MqM/efKOcV6VvCs9SL8 -F/NFvZcH4LKzeupCQ5jEONqcTlVlnLlIqId95Z4DI4AV9wADBQf/S6sKA4oH49tD -Yb5xAfUyEp5ben05TzUJbXs0Z7hfRQzy9+vQbWGamWLgg3QRUVPx1e4IT+W5vEm5 -dggNTMEwlLMI7izCPDcD32B5oxNVxlfj428KGllYWCFj+edY+xKTvw/PHnn+drKs -LE65Gwx4BPHm9EqWHIBX6aPzbgbJZZ06f6jWVBi/N7e/5n8lkxXqS23DBKemapyu -S1i56sH7mQSMaRZP/iiOroAJemPNxv1IQkykxw2woWMmTLKLMCD/i+4DxejE50tK -dxaOLTc4HDCsattw/RVJO6fwE414IXHMv330z4HKWJevMQ+CmQGfswvCwgeBP9n8 -PItLjBQAXIhJBBgRAgAJBQJSh85OAhsMAAoJEMbjGcM0QQaCzpAAmwUNoRyySf9p -5G3/2UD1PMueIwOtAKDVVDXEq5LJPVg4iafNu0SRMwgP0Q== -=icbY +mQINBGZMb30BEAC6c5P5lo5cLN2wX9+jA7TEEJ/NiiOM9VxBwB/c2PFd6AjdGBbe +28VcXWmFdETg1N3Woq08yNVXdxS1tMslyl9apmmyCiSC2OPMmTOveLzZ196IljYR +DeZMF8C+rdzNKXZzn7+nEp9xRy34QUZRfx6pEnugMd0VK0d/ZKgMbcq2IvcRQwap +60+9t8ppesXhgaRBsAzvrj1twngqXP90JwzKGaR+iaGzrvvJn6cgXkw3MyXhskKY 
+4J0c7TV6DmTOIfL6RmBp8+SSco8xXD/O/YIpG8LWe+sbMqSaq7jFvKCINWgK4RAt +7mBRHvx81Y8IwV6B2wch/lSyYxKXTbE7uMefy3vyP9A9IFhMbFpc0EJA/4tHYEL4 +qPZyR44mizsxa+1h6AXO258ERtzL+FoksXnWTcQqBKjd6SHhLwN4BLsjrlWsJ6lD +VaSKsekEwMFTLvZiLxYXBLPU04dvGNgX7nbkFMEK6RxHqfMu+m6+0jPXzQ+ejuae +xoBBT61O7v5PPTqbZFBKnVzQPf7fBIHW5/AGAc+qAI459viwcCSlJ21RCzirFYc0 +/KDuSoo61yyNcq4G271lbT5SNeMZNlDxKkiHjbCpIU6iEF7uK828F1ZGKOMRztok +bzE7j1IDIfDQ3P/zfq73Rr2S9FfHlXvEmLIuj5G4PO7p0IwUlCD1a9oY+QARAQAB +tCxJY2luZ2EgR21iSCAoQnVpbGQgc2VydmVyKSA8aW5mb0BpY2luZ2EuY29tPokC +TgQTAQoAOBYhBN069hmO0AC0wLc5VswRb1WqfyOCBQJmTG99AhsDBQsJCAcCBhUK +CQgLAgQWAgMBAh4BAheAAAoJEMwRb1WqfyOCGrIP/i/4fYEkdCi4nhQGMzSP0Eyh +UhJjsUP9mEqSQRqOAplvjYa1yBbrSPLfkRE0oAL/o+4eUKcAQFeDQtDXJ/D4xl3Q +J5MehRJYzklrSs5XkEscb73HoDBUfFSgCVM2zK+JkCX0CPJ4ZLWtZGJ+8pCLpnkH +nCPonbGc6sS+m2JsPRwxyxAhdXxWSAesXd8dUSW3MOQz9JlC4/idQcCFs03fdhuZ +4jGMry08OihWVudTDK8nkwRZLzNoOivAQ3mIeaTcRMmgPJfYN4k0o90lXJWAbG+2 +j8p7Pyjv71OctI8KUbS4+f2H8i6r5Pc4M4hlUQh6QAN9o1oPJrXxurdp0EXgQXSy +rVH2MeguqprFJxGjdlTCSTYgQEmEXMixRAGzteEgCf/Qk9mPXoxFTNyNg4/Lkglb +Nj6dY6or6w+IsbdrcePqDAs+j9t5B97vU7Ldquloj85myQjkWPP8kjlsOlsXBkQ/ +C+mD+5iW2AiWh+yCasf6mOZwUfINZF+VDpmfIsZZbWpcMgp1f32fpRFZ3ietnsnR ++luNb19hUHKyyDDHMe/YM7H9P5vtX9BGz6O9kNpo1LAnigkSQSFBZlK3Po3Yk9eg +XPbDT5HsU3TMyS5ZnSDRRPPJwsyGPXz+0pCADae9H9hCc2C2LZIrrtwlOFPWuViA +ifY/dQmUP37n5XgMADRc +=O0zm -----END PGP PUBLIC KEY BLOCK----- From fcd097599d9efcbe428d389d31b64640032dea10 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Fri, 15 Nov 2024 10:17:37 +0100 Subject: [PATCH 825/996] home.nas: samba share for music videos --- nodes/home/nas.py | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/nodes/home/nas.py b/nodes/home/nas.py index 0415c87..741fa75 100644 --- a/nodes/home/nas.py +++ b/nodes/home/nas.py @@ -181,6 +181,10 @@ nodes['home.nas'] = { 'path': '/storage/nas/Musik', 'force_group': 'nas', }, + 'music_videos': { + 'path': '/storage/nas/Musikvideos', + 'force_group': 'nas', + }, }, 'restrict-to': { '172.19.138.0/24', 
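Review bot: The hunk swaps the apt signing key for the icinga repository, but neither the commit message nor the file records the new key's fingerprint or where it was fetched from, so a reviewer cannot distinguish a vendor rotation from a tampered download; adding the fingerprint as published by the vendor to the commit message, or a sibling note file with `fingerprint: <FINGERPRINT FROM VENDOR PAGE>`, lets future readers re-verify the trust anchor. The replaced block carried a `Version: GnuPG v2.0.19` header and is much shorter than the new one, which is consistent with a key rotation to a larger key, but that is inferred from the armor and not verified here.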
From 50b71bc8b864991392ee011d2f1e649b25eaa2ec Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Fri, 15 Nov 2024 10:24:13 +0100 Subject: [PATCH 826/996] update element-web to 1.11.85 --- nodes/carlene.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nodes/carlene.toml b/nodes/carlene.toml index 9f4a66d..939cf1c 100644 --- a/nodes/carlene.toml +++ b/nodes/carlene.toml @@ -40,7 +40,7 @@ imap_pass = "!bwpass_attr:t-online.de/franzi.kunsmann@t-online.de:imap" [metadata.element-web] url = "chat.franzi.business" -version = "v1.11.82" +version = "v1.11.85" [metadata.element-web.config] default_server_config.'m.homeserver'.base_url = "https://matrix.franzi.business" default_server_config.'m.homeserver'.server_name = "franzi.business" From 3a56995ab112f3b07b79e492b2e79e7c886bec1e Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Fri, 15 Nov 2024 10:24:28 +0100 Subject: [PATCH 827/996] update netbox to 4.1.6 --- nodes/carlene.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nodes/carlene.toml b/nodes/carlene.toml index 939cf1c..99ec9ed 100644 --- a/nodes/carlene.toml +++ b/nodes/carlene.toml @@ -126,7 +126,7 @@ domain = "rss.franzi.business" [metadata.netbox] domain = "netbox.franzi.business" -version = "v4.1.4" +version = "v4.1.6" admins.kunsi = "hostmaster@kunbox.net" [metadata.nextcloud] From fa63ad72d52a54bc40e77fa17ee4e6fd713fd4f1 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Fri, 15 Nov 2024 10:24:42 +0100 Subject: [PATCH 828/996] update paperless-ngx to 2.13.5 --- nodes/home/paperless.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nodes/home/paperless.py b/nodes/home/paperless.py index ded32c5..6297179 100644 --- a/nodes/home/paperless.py +++ b/nodes/home/paperless.py @@ -48,7 +48,7 @@ nodes['home.paperless'] = { }, 'paperless': { 'domain': 'paperless.home.kunbox.net', - 'version': 'v2.13.0', + 'version': 'v2.13.5', 'timezone': 'Europe/Berlin', }, 'postgresql': { 
From 9884b703cd62500378903c7f0faa25edcff68488 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sat, 16 Nov 2024 12:11:01 +0100 Subject: [PATCH 829/996] update forgejo to 9.0.2 --- nodes/carlene.toml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/nodes/carlene.toml b/nodes/carlene.toml index 99ec9ed..32bca34 100644 --- a/nodes/carlene.toml +++ b/nodes/carlene.toml @@ -49,8 +49,8 @@ defaultCountryCode = "DE" jitsi.preferredDomain = "meet.ffmuc.net" [metadata.forgejo] -version = "9.0.1" -sha1 = "060d9f00aaf595875eaf1897cbb24e760ef54d64" +version = "9.0.2" +sha1 = "5aecc64f93e8ef05c6d6f83d4b647bdb2c831d9f" domain = "git.franzi.business" enable_git_hooks = true install_ssh_key = true From 669b28f6ed511e90114383fd0f3532126d768d4c Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sat, 16 Nov 2024 13:02:39 +0100 Subject: [PATCH 830/996] voc.pretalx: update to 2023.3.1 --- nodes/voc/pretalx.py | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/nodes/voc/pretalx.py b/nodes/voc/pretalx.py index b75ba3c..376a5e6 100644 --- a/nodes/voc/pretalx.py +++ b/nodes/voc/pretalx.py @@ -49,14 +49,15 @@ nodes['voc.pretalx'] = { }, }, 'pretalx': { - 'version': 'v2024.2.1', + # 2023.3.1 with some bugfixes + 'version': '05e377398cecdd45d3ca6013040c5857bbe225d6', 'domain': 'pretalx.c3voc.de', 'mail_from': 'pretalx@c3voc.de', 'administrators-from-group-id': 1, 'plugins': { 'broadcast_tools': { 'repo': 'https://github.com/Kunsi/pretalx-plugin-broadcast-tools.git', - 'rev': 'main', + 'rev': '2.4.0', }, 'downstream': { 'repo': 'https://github.com/pretalx/pretalx-downstream.git', @@ -81,6 +82,6 @@ nodes['voc.pretalx'] = { }, }, 'os': 'debian', - 'os_version': (11,), + 'os_version': (12,), 'pip_command': 'pip3', } From 6a203085b97085565a1f2a8be0eb6d48028e5ad1 Mon Sep 17 00:00:00 2001 
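Review bot: The pinning comment `# 2023.3.1 with some bugfixes` and the subject line both name 2023.3.1, but the line being replaced was `'version': 'v2024.2.1'`, so as written this reads as a downgrade by a year; if the intended base is the 2024.3.1 release the comment should read `# 2024.3.1 with some bugfixes` (and the subject likewise), otherwise the reason for going back is worth stating. Pinning the deployment to a full commit hash and moving the `broadcast_tools` plugin from the floating `'rev': 'main'` to `'rev': '2.4.0'` is the right direction for reproducible deploys; recording the upstream tag the hash was branched from in that comment would let the next update be diffed against it. The `nodes['voc.pretalx']` literal continues outside both hunks.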
From: Franziska Kunsmann Date: Sat, 16 Nov 2024 13:35:24 +0100 Subject: [PATCH 831/996] bundles/pretalx: we do not need to regenerate_css anymore --- bundles/pretalx/items.py | 19 +++---------------- 1 file changed, 3 insertions(+), 16 deletions(-) diff --git a/bundles/pretalx/items.py b/bundles/pretalx/items.py index 8a57eae..75e4c09 100644 --- a/bundles/pretalx/items.py +++ b/bundles/pretalx/items.py @@ -1,5 +1,5 @@ assert node.has_bundle('redis'), f'{node.name}: pretalx needs redis' -assert node.has_bundle('nodejs'), f'{node.name}: pretalx needs nodejs for rebuild and regenerate_css step' +assert node.has_bundle('nodejs'), f'{node.name}: pretalx needs nodejs for rebuild step' actions = { 'pretalx_create_virtualenv': { @@ -53,17 +53,6 @@ actions = { }, 'triggered': True, }, - 'pretalx_regenerate-css': { - 'command': 'sudo -u pretalx PRETALX_CONFIG_FILE=/opt/pretalx/pretalx.cfg /opt/pretalx/venv/bin/python -m pretalx regenerate_css', - 'needs': { - 'action:pretalx_migrate', - 'directory:/opt/pretalx/data', - 'directory:/opt/pretalx/static', - 'file:/opt/pretalx/pretalx.cfg', - 'bundle:nodejs', - }, - 'triggered': True, - }, } users = { @@ -90,7 +79,6 @@ git_deploy = { 'action:pretalx_install', 'action:pretalx_migrate', 'action:pretalx_rebuild', - 'action:pretalx_regenerate-css', 'svc_systemd:pretalx-web:restart', 'svc_systemd:pretalx-worker:restart', }, @@ -121,7 +109,6 @@ svc_systemd = { 'action:pretalx_install', 'action:pretalx_migrate', 'action:pretalx_rebuild', - 'action:pretalx_regenerate-css', 'file:/etc/systemd/system/pretalx-web.service', 'file:/opt/pretalx/pretalx.cfg', }, @@ -129,7 +116,8 @@ svc_systemd = { 'pretalx-worker': { 'needs': { 'action:pretalx_install', - 'action:pretalx_migrate', + 'action:pretalx_migrate',, + 'action:pretalx_rebuild', 'file:/etc/systemd/system/pretalx-worker.service', 'file:/opt/pretalx/pretalx.cfg', }, 
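Review bot: The new line `+ 'action:pretalx_migrate',,` in the `pretalx-worker` hunk (`@@ -129,7 +116,8 @@`) carries a doubled comma, which is a SyntaxError inside the `needs` set literal and will stop the whole bundle from loading; it should be `'action:pretalx_migrate',` followed by the added `'action:pretalx_rebuild',`. The other hunks in this patch consistently drop `action:pretalx_regenerate-css`, which matches the removed action. The `svc_systemd` dict begins outside the hunk.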
@@ -204,7 +192,6 @@ for plugin_name, plugin_config in node.metadata.get('pretalx/plugins', {}).items 'triggers': { 'action:pretalx_migrate', 'action:pretalx_rebuild', - 'action:pretalx_regenerate-css', 'svc_systemd:pretalx-web:restart', 'svc_systemd:pretalx-worker:restart', }, From b3070a8b8bf7c11ec8004ec16c466bb01631ecb1 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sat, 16 Nov 2024 14:14:05 +0100 Subject: [PATCH 832/996] bundles/infobeamer-monitor: announce online devices at 09:00 CE(S)T --- bundles/infobeamer-monitor/files/monitor.py | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/bundles/infobeamer-monitor/files/monitor.py b/bundles/infobeamer-monitor/files/monitor.py index 2aa2daf..5a253e3 100644 --- a/bundles/infobeamer-monitor/files/monitor.py +++ b/bundles/infobeamer-monitor/files/monitor.py @@ -1,9 +1,10 @@ #!/usr/bin/env python3 import logging -from datetime import datetime, timezone +from datetime import datetime from json import dumps from time import sleep +from zoneinfo import ZoneInfo import paho.mqtt.client as mqtt from requests import RequestException, get @@ -210,7 +211,7 @@ while True: level="WARN", ) - if datetime.now(timezone.utc).strftime("%H%M") == "1312": + if datetime.now(ZoneInfo("Europe/Berlin")).strftime("%H%M") == "0900": if available_credits is not None: mqtt_out(f"Available Credits: {available_credits}") From 8f705fc8e3d554a5bb574a8a99e21fa3413e5fca Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 17 Nov 2024 11:48:08 +0100 Subject: [PATCH 833/996] update mautrix-whatsapp to 0.11.1 --- nodes/carlene.toml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/nodes/carlene.toml b/nodes/carlene.toml index 32bca34..ea1625f 100644 --- a/nodes/carlene.toml +++ b/nodes/carlene.toml 
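Review bot: The announcement condition `datetime.now(ZoneInfo("Europe/Berlin")).strftime("%H%M") == "0900"` is still sampled once per loop pass, and if the loop sleeps about a minute between passes on top of the HTTP round-trips, a pass can exceed one minute and the 09:00 minute is missed entirely on some days; tracking the date of the last announcement is more robust, e.g. `now = datetime.now(ZoneInfo("Europe/Berlin"))` and `if now.hour >= 9 and now.date() != last_announced: last_announced = now.date()` before the output. The import hunk drops `timezone` from the `datetime` import; if any other part of the file still uses `timezone.utc`, that becomes a NameError at the call site, so it is worth a grep before merging. The `while True:` loop body starts and ends outside the second hunk.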
@@ -114,8 +114,8 @@ provisioning.shared_secret = "!decrypt:encrypt$gAAAAABfVKflEMAi07C_QGP8cy97hF-4g "'@kunsi:franzi.business'" = "admin" [metadata.mautrix-whatsapp] -version = "v0.11.0" -sha1 = "997c794eb246e6cc67ac050c106d54f88531f213" +version = "v0.11.1" +sha1 = "ada2dc6acfd5cb15fae341266b383d3f6e8b42bd" permissions."'@kunsi:franzi.business'" = "admin" [metadata.mautrix-whatsapp.homeserver] domain = "franzi.business" From a9b16c18ad36592e15f384e1064528830dd85ffb Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Fri, 22 Nov 2024 20:50:52 +0100 Subject: [PATCH 834/996] bundles/postfix: remove smtp_use_tls option Log says: postconf: warning: /etc/postfix/main.cf: support for parameter "smtp_use_tls" will be removed; instead, specify "smtp_tls_security_level" --- bundles/postfix/files/main.cf | 1 - 1 file changed, 1 deletion(-) diff --git a/bundles/postfix/files/main.cf b/bundles/postfix/files/main.cf index 770114b..9d74175 100644 --- a/bundles/postfix/files/main.cf +++ b/bundles/postfix/files/main.cf @@ -25,7 +25,6 @@ inet_interfaces = 127.0.0.1 % endif <%text> -smtp_use_tls = yes smtp_tls_loglevel = 1 smtp_tls_note_starttls_offer = yes smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache From 3a5db80843568696ac377a661354a5d26d5814a9 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sat, 23 Nov 2024 13:30:22 +0100 Subject: [PATCH 835/996] bundles/icinga2: notify per sms if ntfy does not respond in time --- .../icinga2/files/scripts/icinga_notification_wrapper | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/bundles/icinga2/files/scripts/icinga_notification_wrapper b/bundles/icinga2/files/scripts/icinga_notification_wrapper index 612882d..fbecd8e 100644 --- a/bundles/icinga2/files/scripts/icinga_notification_wrapper +++ b/bundles/icinga2/files/scripts/icinga_notification_wrapper 
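Review bot: Dropping `smtp_use_tls = yes` without adding its replacement turns off outbound opportunistic TLS unless `smtp_tls_security_level` is already set elsewhere in main.cf, which this hunk does not show; the postconf warning quoted in the commit message asks to specify `smtp_tls_security_level` instead, not merely to remove the old parameter. With the level unset, the remaining `smtp_tls_loglevel`, `smtp_tls_note_starttls_offer` and session-cache lines have nothing to act on and mail to other MTAs leaves in cleartext. Replacing the removed line with `smtp_tls_security_level = may` keeps the previous behaviour. The `<%text>` template block continues outside the hunk.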
@@ -129,11 +129,14 @@ def notify_per_ntfy(): data=message_text, headers=headers, auth=(CONFIG['ntfy']['user'], CONFIG['ntfy']['password']), + timeout=10, ) r.raise_for_status() except Exception as e: log_to_syslog('Sending a Notification failed: {}'.format(repr(e))) + return False + return True def notify_per_mail(): @@ -199,7 +202,8 @@ if __name__ == '__main__': notify_per_mail() if args.sms: - if not args.service_name: - notify_per_sms() + ntfy_worked = False if CONFIG['ntfy']['user']: - notify_per_ntfy() + ntfy_worked = notify_per_ntfy() + if not args.service_name or not ntfy_worked: + notify_per_sms() From 3b608d95ece971098d6fc38449f4f010989063c1 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sat, 23 Nov 2024 13:31:00 +0100 Subject: [PATCH 836/996] add static ip reservation for mixer96 as well --- nodes/home.mixer96.toml | 9 +++++++++ 1 file changed, 9 insertions(+) create mode 100644 nodes/home.mixer96.toml diff --git a/nodes/home.mixer96.toml b/nodes/home.mixer96.toml new file mode 100644 index 0000000..815205f --- /dev/null +++ b/nodes/home.mixer96.toml @@ -0,0 +1,9 @@ +dummy = true + +[metadata.interfaces.default] +ips = ["172.19.138.98"] +dhcp = true +mac = "54:e1:ad:a6:0d:1f" + +[metadata.icinga_options] +exclude_from_monitoring = true From 8e237474003a0ba1c8961dc58e45f01976256632 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Thu, 28 Nov 2024 08:27:17 +0100 Subject: [PATCH 837/996] home.hass: remove nginx ip restriction --- nodes/home.hass.toml | 6 ------ 1 file changed, 6 deletions(-) diff --git a/nodes/home.hass.toml b/nodes/home.hass.toml index 2c52708..52a2388 100644 --- a/nodes/home.hass.toml +++ b/nodes/home.hass.toml 
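Review bot: In the `__main__` hunk, `ntfy_worked = False` followed by `if not args.service_name or not ntfy_worked: notify_per_sms()` means that on a node with no ntfy user configured every service notification now also goes out via SMS, whereas before only host notifications did; if that is not intended, use a tri-state so only an actual delivery failure triggers the fallback: `ntfy_worked = None` and `if not args.service_name or ntfy_worked is False:`. The `timeout=10` on the ntfy request is the right fix for a hanging notifier, but the `except Exception` path now returns `False` for every failure kind, so the syslog line is the only trace of why SMS was used. The `if __name__ == '__main__':` block starts outside the hunk.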
@@ -24,12 +24,6 @@ ram = 2 domain = 'hass.home.kunbox.net' api_secret = '!decrypt:encrypt$gAAAAABm9lNg_mNhyzb4S6WRtVRDmQFBnPpoCwyqMnilRrAFUXc-EDvv-nYXPbSIbjTf7ZReTPtqr8k3WrGPqiuqhJ60LVv4A5DMqT5c6hTVr4WbhP4DPEIPgfd5aq6U9_-H9WDyQYHKjnunLJEYtEREzmhTq3XsYeQ05DyE7hfnQ-zVoBb0CsAK7GdhihRTdvhXv2N9M04_rigyBP-roRcUgCqwyHuWJc0IPAyn3R4Mr43ZqgR2fn6dNV_YUVKn9c0nWxIwRnYy6Ff_Te9NoGVmXxkiNUX-90bBLKFiCzrRAtizxrTiQb2SRipaWbgOlV6wbMy2KNux' -[metadata.nginx] -restrict-to = [ - '172.19.136.0/25', - '172.19.138.0/24', -] - [metadata.pyenv] version = 'v2.3.36' python_versions = ["3.12.2"] From 128a61706e5211b73eeb4cc5bbf4be4122b68a57 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Thu, 28 Nov 2024 08:27:36 +0100 Subject: [PATCH 838/996] bundles/infobeamer-monitor: some more improvements in status display --- bundles/infobeamer-monitor/files/monitor.py | 39 +++++++-------------- 1 file changed, 13 insertions(+), 26 deletions(-) diff --git a/bundles/infobeamer-monitor/files/monitor.py b/bundles/infobeamer-monitor/files/monitor.py index 5a253e3..e5755c2 100644 --- a/bundles/infobeamer-monitor/files/monitor.py +++ b/bundles/infobeamer-monitor/files/monitor.py @@ -25,7 +25,8 @@ logging.basicConfig( ) LOG = logging.getLogger("main") -MLOG = logging.getLogger("mqtt") +TZ = ZoneInfo("Europe/Berlin") +DUMP_TIME = "0900" state = None @@ -68,13 +69,12 @@ def mqtt_dump_state(device): device=device, ) +def is_dump_time(): + return datetime.now(TZ).strftime("%H%M") == DUMP_TIME mqtt_out("Monitor starting up") while True: try: - online_devices = set() - available_credits = None - try: r = get( "https://info-beamer.com/api/v1/device/list", 
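Review bot: `is_dump_time()` compares `datetime.now(TZ).strftime("%H%M")` with `DUMP_TIME` at call time, so the 09:00 announcement still depends on a loop pass landing inside that exact minute; with the `sleep(60)` at the end of the loop plus two HTTP round-trips a pass can exceed a minute and the dump is skipped that day, so tracking the date of the last dump (`last_dump = None`, fire when `now.hour >= 9 and now.date() != last_dump`) is more robust. The first hunk removes `MLOG = logging.getLogger("mqtt")`; if `MLOG` is still referenced elsewhere in the file (the mqtt callbacks are outside this view) that becomes a NameError at runtime. Style: `def is_dump_time():` sits one blank line after `mqtt_dump_state` and directly above the module-level `mqtt_out("Monitor starting up")`; two blank lines on each side would match PEP 8. The `while True:` loop body continues outside the second hunk.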
@@ -83,9 +83,9 @@ while True: r.raise_for_status() ib_state = r.json()["devices"] except RequestException as e: - LOG.exception("Could not get data from info-beamer") + LOG.exception("Could not get device data from info-beamer") mqtt_out( - f"Could not get data from info-beamer: {e!r}", + f"Could not get device data from info-beamer: {e!r}", level="WARN", ) else: @@ -98,7 +98,8 @@ while True: continue new_state[did] = device - must_dump_state = False + # force information output for every online device at 09:00 CE(S)T + must_dump_state = is_dump_time() if state is not None: if did not in state: @@ -161,14 +162,6 @@ while True: else: LOG.info("adding device {} to empty state".format(device["id"])) - if device["is_online"]: - online_devices.add( - "{} ({})".format( - device["id"], - device["description"], - ) - ) - state = new_state try: @@ -179,13 +172,16 @@ while True: r.raise_for_status() ib_account = r.json() except RequestException as e: - LOG.exception("Could not get data from info-beamer") + LOG.exception("Could not get account data from info-beamer") mqtt_out( - f"Could not get data from info-beamer: {e!r}", + f"Could not get account data from info-beamer: {e!r}", level="WARN", ) else: available_credits = ib_account["balance"] + if is_dump_time(): + mqtt_out(f"Available Credits: {available_credits}") + if available_credits < 50: mqtt_out( f"balance has dropped below 50 credits! (available: {available_credits})", @@ -211,15 +207,6 @@ while True: level="WARN", ) - if datetime.now(ZoneInfo("Europe/Berlin")).strftime("%H%M") == "0900": - if available_credits is not None: - mqtt_out(f"Available Credits: {available_credits}") - - if online_devices: - mqtt_out( - "Online Devices: {}".format(", ".join(sorted(online_devices))) - ) - sleep(60) except KeyboardInterrupt: break From ba1de350bb8d55f661f09008884455123e3122dc Mon Sep 17 00:00:00 2001 
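Review bot: `is_dump_time()` is re-evaluated inside the per-device loop (`must_dump_state = is_dump_time()` in `@@ -98,7 +98,8 @@`) and again for the credit balance in `@@ -179,13 +172,16 @@`, so a pass that crosses the 09:00→09:01 boundary mid-loop dumps some devices but not the rest, or the devices but not the balance; sampling it once at the top of the iteration, `dump_now = is_dump_time()`, and using `dump_now` in both places keeps a single pass consistent. After the per-iteration `available_credits = None` reset was removed, the `else:` branch is the only place `available_credits` is assigned, which is fine as long as nothing outside that branch reads it. The `while True:` loop starts outside these hunks.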
From: Franziska Kunsmann Date: Sat, 30 Nov 2024 11:34:20 +0100 Subject: [PATCH 839/996] update element-web to 1.11.85 --- nodes/carlene.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nodes/carlene.toml b/nodes/carlene.toml index ea1625f..03eb3a3 100644 --- a/nodes/carlene.toml +++ b/nodes/carlene.toml @@ -40,7 +40,7 @@ imap_pass = "!bwpass_attr:t-online.de/franzi.kunsmann@t-online.de:imap" [metadata.element-web] url = "chat.franzi.business" -version = "v1.11.85" +version = "v1.11.86" [metadata.element-web.config] default_server_config.'m.homeserver'.base_url = "https://matrix.franzi.business" default_server_config.'m.homeserver'.server_name = "franzi.business" From 19359f72e6259c92403a3de2e77187001ee2843c Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sat, 30 Nov 2024 11:34:39 +0100 Subject: [PATCH 840/996] update netbox to 4.1.7 --- nodes/carlene.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nodes/carlene.toml b/nodes/carlene.toml index 03eb3a3..3955616 100644 --- a/nodes/carlene.toml +++ b/nodes/carlene.toml @@ -126,7 +126,7 @@ domain = "rss.franzi.business" [metadata.netbox] domain = "netbox.franzi.business" -version = "v4.1.6" +version = "v4.1.7" admins.kunsi = "hostmaster@kunbox.net" [metadata.nextcloud] From 49c5d0b1e37795ebde6cd8a3ac80e784d0f056c2 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sat, 30 Nov 2024 11:34:53 +0100 Subject: [PATCH 841/996] update postfixadmin to 3.3.14 --- nodes/carlene.toml | 2 +- nodes/htz-cloud/pirmasens.py | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/nodes/carlene.toml b/nodes/carlene.toml index 3955616..18a7966 100644 --- a/nodes/carlene.toml +++ b/nodes/carlene.toml 
@@ -213,7 +213,7 @@ blocked_recipients = [ [metadata.postfixadmin] domain = "postfixadmin.franzi.business" setup_password = "!decrypt:encrypt$gAAAAABgnNGpAqUs--qBXII9ZPcHtxaELy9e2Dx9O44n4l0O4nMHPoIyaPW5HkvpQ2zWTlh5OfjjOgunRtE_voJuY0Kdtji37ixAnuL9ErOJ0LDY5QfMkNPUgPs5alwz1baqYq6rqJ7NDmB0gHraY46v5eG79R2EyQ==" -version = "3.3.13" +version = "3.3.14" [metadata.postgresql] version = 15 diff --git a/nodes/htz-cloud/pirmasens.py b/nodes/htz-cloud/pirmasens.py index b4c405d..46f4638 100644 --- a/nodes/htz-cloud/pirmasens.py +++ b/nodes/htz-cloud/pirmasens.py @@ -71,7 +71,7 @@ nodes['htz-cloud.pirmasens'] = { }, 'postfixadmin': { 'domain': 'mail.kunsmann.info', - 'version': '3.3.13', + 'version': '3.3.14', 'setup_password': vault.decrypt('encrypt$gAAAAABgnNGpAqUs--qBXII9ZPcHtxaELy9e2Dx9O44n4l0O4nMHPoIyaPW5HkvpQ2zWTlh5OfjjOgunRtE_voJuY0Kdtji37ixAnuL9ErOJ0LDY5QfMkNPUgPs5alwz1baqYq6rqJ7NDmB0gHraY46v5eG79R2EyQ=='), }, 'postgresql': { From 9be4ba75eb0ec08e8caf649cdf99589f1345b678 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sat, 30 Nov 2024 11:35:05 +0100 Subject: [PATCH 842/996] update travelynx to 2.9.2 --- nodes/carlene.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nodes/carlene.toml b/nodes/carlene.toml index 18a7966..b0f1593 100644 --- a/nodes/carlene.toml +++ b/nodes/carlene.toml @@ -262,7 +262,7 @@ disks = [ ] [metadata.travelynx] -version = "2.8.40" +version = "2.9.2" mail_from = "travelynx@franzi.business" domain = "travelynx.franzi.business" From a6f29fe3890c8838ed15c5db896421b848de94a2 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sat, 30 Nov 2024 11:37:06 +0100 Subject: [PATCH 843/996] bump certificate for *.home.kunbox.net --- data/ssl/_.home.kunbox.net.crt.pem | 30 ++++++++++++------------ data/ssl/_.home.kunbox.net.key.pem.vault | 2 +- 2 files changed, 16 insertions(+), 16 deletions(-) diff --git a/data/ssl/_.home.kunbox.net.crt.pem b/data/ssl/_.home.kunbox.net.crt.pem index a263c3f..06ea249 100644 
--- a/data/ssl/_.home.kunbox.net.crt.pem +++ b/data/ssl/_.home.kunbox.net.crt.pem 
@@ -1,22 +1,22 @@ -----BEGIN CERTIFICATE----- -MIIDsDCCAzWgAwIBAgISBIi3muU9O51f4fWWUXJHNgRHMAoGCCqGSM49BAMDMDIx +MIIDsDCCAzagAwIBAgISBGjVgPFJCHOuBJul17PsmUBlMAoGCCqGSM49BAMDMDIx CzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQDEwJF -NjAeFw0yNDA5MDQxNjA1MThaFw0yNDEyMDMxNjA1MTdaMBoxGDAWBgNVBAMTD2hv -bWUua3VuYm94Lm5ldDB2MBAGByqGSM49AgEGBSuBBAAiA2IABA5vskMN8tWHCOsv -aUojW+t8otSpRgcU0tLsONhzQ7GhG5tC5DQ5pN7HiG14eejONQE4hRWC4rkP/e47 -EVQd/rFK5m0lQesR68zogtW9KfQZUoINhlOuR4CxpBY1LrG5laOCAiQwggIgMA4G +NjAeFw0yNDExMzAwOTM4MzNaFw0yNTAyMjgwOTM4MzJaMBoxGDAWBgNVBAMTD2hv +bWUua3VuYm94Lm5ldDB2MBAGByqGSM49AgEGBSuBBAAiA2IABK+7B9tE5ejhYZWq +3gs8q4s6/A98pW5GGpkYl7iPsPM8ko0UvZ8tfBU+KuEavDmFoFa8W4ePEkPkypHo +gqRMhIm55/2wyTTh8/PnXp8vWCwMISmPHEqou2mphx0feLRAlqOCAiUwggIhMA4G A1UdDwEB/wQEAwIHgDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwDAYD -VR0TAQH/BAIwADAdBgNVHQ4EFgQU3iCazGKeVwzCa84zl+qckbspEmEwHwYDVR0j +VR0TAQH/BAIwADAdBgNVHQ4EFgQUicTvP+5xKDeHcAhxZi7CeD5xzCUwHwYDVR0j BBgwFoAUkydGmAOpUWiOmNbEQkjbI79YlNIwVQYIKwYBBQUHAQEESTBHMCEGCCsG AQUFBzABhhVodHRwOi8vZTYuby5sZW5jci5vcmcwIgYIKwYBBQUHMAKGFmh0dHA6 Ly9lNi5pLmxlbmNyLm9yZy8wLQYDVR0RBCYwJIIRKi5ob21lLmt1bmJveC5uZXSC -D2hvbWUua3VuYm94Lm5ldDATBgNVHSAEDDAKMAgGBmeBDAECATCCAQQGCisGAQQB -1nkCBAIEgfUEgfIA8AB2AD8XS0/XIkdYlB1lHIS+DRLtkDd/H4Vq68G/KIXs+GRu -AAABkb3+C2AAAAQDAEcwRQIhAMwv6NjH3Ggd1WfeSVvyToVaM15glwfSJcAW8+40 -XbCKAiABUoDmQjhKi5VfwZ7e0WX5XjEmgBN2qTafK5RqlaCDJgB2AO7N0GTV2xrO -xVy3nbTNE6Iyh0Z8vOzew1FIWUZxH7WbAAABkb3+C3IAAAQDAEcwRQIgU9sxMGOG -aP3npu7vw3G9TiFRxuZRCI96My34WVSCOcsCIQDhDjS9QhJGtNT68Z0sx6DJCcco -L1AXGWwojxizcx48bTAKBggqhkjOPQQDAwNpADBmAjEA/SOZeiZrClB5EJlZFdQy -hrt2qh4HC5zvHdSLTWI4GAxDy8xRg/ANO6fp0Sb7Q7jdAjEAhiQgQfgUln08i/tv -3TGjVRIT/Y4A4QadodTROpfmFDH3QIsNwRPRhQUUSscBavK9 +D2hvbWUua3VuYm94Lm5ldDATBgNVHSAEDDAKMAgGBmeBDAECATCCAQUGCisGAQQB +1nkCBAIEgfYEgfMA8QB3AM8RVu7VLnyv84db2Wkum+kacWdKsBfsrAHSW3fOzDsI +AAABk3ylPJIAAAQDAEgwRgIhAPf1V/hozFwCyj8rwHFrxslXPa77KFbbm1yrvikr 
+ypvZAiEAgsSapcCShSJcW21/Rig7MOjp8IjdirAzLDRnBcl4tooAdgB9WR4S4Xgq +exxhZ3xe/fjQh1wUoE6VnrkDL9kOjC55uAAAAZN8pURGAAAEAwBHMEUCIBF42g56 +wBpQRx1aHM+tFrydhInIx+ji6o7d055uc7bAAiEA4bRrxTsQQIJ+5lY2XIYTpf5C +msc2KAHccsMqstH+ur8wCgYIKoZIzj0EAwMDaAAwZQIxAOTsntM8s/ik3N09mXq4 +fVm1XQk2B2jALeTZLZevUY8jUjhKwoXTNVXQlMr1ilnC9QIwCa7zOQJQ2Y7D8xMv +uKfu7TMSLJlWMDHhIsggdPeQDYtNm85jsOXqB1SjWeCR25Mn -----END CERTIFICATE----- diff --git a/data/ssl/_.home.kunbox.net.key.pem.vault b/data/ssl/_.home.kunbox.net.key.pem.vault index df3ed76..f5fa8b4 100644 --- a/data/ssl/_.home.kunbox.net.key.pem.vault +++ b/data/ssl/_.home.kunbox.net.key.pem.vault @@ -1 +1 @@ -encrypt$gAAAAABm2JL0vVqh3Zut-a1Gfn8iOtDZS8aBpGobV3-d3u8My0MPunYmbQ6kXUAw7U0Bu87AAPXNsmi1pxrxcu8vXvhw4uM445WwKj-UqaV5fmk-ZasHGq-O6K52YqEgK6wo-9u_sOBubbwJSwFVaHxT3gczLW_GVRHhFIFGgdnRlz4YoAz4NXcos_uNO9GMEOGhfGx9e2c2GOIg64vXkj_1LjXEDoV9HYMzy-2wLt4A6q-ZiZwCoKl8-lt8sY_rLk_yfmy3sMvzqg8JaE7T4sunmXDdf4HQlnvl_cu1uW33Rrsq4-080HKx6rKNsZQGhWD2yls016xBAYZvQbDjHd6-7bld1bs5RUF5tfEC3Kx567TBdMaf5C7-PnNB7O_MC4I6SkmUElGRdYyCHuP5HXf9dKtiGCtjHyfEzqTBrcI0xPt631_IGPWMNId7zyLqfLHpMFTPS9jgGVKoT1TXwKe4NSHaGxXO-A== \ No newline at end of file +encrypt$gAAAAABnSurPS00unDJP1C7wyToyZOzKrEruyT6itqZG1Bbv6IZPVrkdcbgyfPrXY8ViPSRwtdVJsju-X8pvLHZGSHXvxhpNlNrNQTas2_VCMwYIihGnp7VI6ovQXd_iVHON5sXaNpKURRwCsvnYhHQfn4qPGLSN8II2QdpJ4A4nDschZwN2u-8X9omGPOcC6zeivoew4UcpossYuJDskHeJnRnR3roGwrHuPWfEKRgRJ_eTHgij00uyoJZxhWGRV9nS_MnacbGUP6KBXfaZP_23DFJPMMq734qVfcLObhYa8nam9kLHh4TaloET2pK-IVqcb_FOorWiipiGBSNCw9EQr57d8AOLEFAwMmb_1fgPCjpchVZaSKD4OhdjPt1CU3unzR-zPkrjBdL-az0ci984vJnLolr4z8nMW6oR1SyJGyccJ-lmoMf34M3oI3zIlNg2GPdGcZMFa6GhvmLYwDb7r0PHil_GRA== \ No newline at end of file From 94868e726f8446a27e12e25a3278ecb5a5782b51 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 1 Dec 2024 13:28:15 +0100 Subject: [PATCH 844/996] prepare for 38c3 --- nodes/voc/infobeamer-cms.py | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) 
diff --git a/nodes/voc/infobeamer-cms.py b/nodes/voc/infobeamer-cms.py index f0dc6cf..ceebc9e 100644 --- a/nodes/voc/infobeamer-cms.py +++ b/nodes/voc/infobeamer-cms.py @@ -41,7 +41,7 @@ nodes['voc.infobeamer-cms'] = { 'HOSTED_API_KEY': vault.decrypt('encrypt$gAAAAABhxJPH2sIGMAibU2Us1HoCVlNfF0SQQnVl0eiod48Zu8webL_-xk3wDw3yXw1Hkglj-2usl-D3Yd095yTSq0vZMCv2fh-JWwSPdJewQ45x9Ai4vXVD4CNz5vuJBESKS9xQWXTc'), 'INTERRUPT_KEY': vault.human_password_for('infobeamer-cms interrupt key 38c3', words=1), 'SETUP_IDS': [ - 253559, + 255228, ], # 'EXTRA_ASSETS': [{ # 'type': "image", @@ -72,15 +72,15 @@ nodes['voc.infobeamer-cms'] = { }, }, 'rooms': { -# 'Saal 1': 34430, -# 'Saal G': 26598, -# 'Saal Z': 26610, -# 'Saal E (SoS/Lightning-Talks)': 32814, -# 'Saal F (Sendezentrum/DLF)': 9717, + 'Saal 1': 34430, + 'Saal G': 26598, + 'Saal Z': 26610, + 'Saal E (SoS/Lightning-Talks)': 32814, + 'Saal F (Sendezentrum/DLF)': 9717, }, 'interrupts': { -# 'Questions': 'questions', -# 'Translations': 'translations', + 'Questions': 'questions', + 'Translations': 'translations', }, }, 'infobeamer-monitor': { From 3ad6a0fed8a3bd31cdc98be2f087b819c26a7bd4 Mon Sep 17 00:00:00 2001 From: Sophie Schiller Date: Sun, 1 Dec 2024 21:06:47 +0100 Subject: [PATCH 845/996] miniserver: updates --- nodes/sophie/miniserver.py | 365 +++++++++++++++++++------------------ 1 file changed, 185 insertions(+), 180 deletions(-) diff --git a/nodes/sophie/miniserver.py b/nodes/sophie/miniserver.py index 5088f87..7be112f 100644 --- a/nodes/sophie/miniserver.py +++ b/nodes/sophie/miniserver.py 
@@ -1,255 +1,260 @@ # sophie's miniserver -nodes['htz-cloud.miniserver'] = { - 'bundles': { - 'element-web', - 'hedgedoc', - 'matrix-media-repo', - 'matrix-synapse', +nodes["htz-cloud.miniserver"] = { + "bundles": { + "element-web", + "hedgedoc", + "matrix-media-repo", + "matrix-synapse", "matrix-stickerpicker", - 'nodejs', - 'ntfy', - 'mautrix-telegram', - 'postgresql', - 'zfs', + "nodejs", + "ntfy", + "mautrix-telegram", + "postgresql", + "zfs", }, - 'groups': { - 'debian-bookworm', - 'sophie', - 'webserver', + "groups": { + "debian-bookworm", + "sophie", + "webserver", }, - 'metadata': { - 'interfaces': { - 'eth0': { - 'ips': { - '157.90.20.62', - '2a01:4f8:c2c:840f::1/64', + "metadata": { + "interfaces": { + "eth0": { + "ips": { + "157.90.20.62", + "2a01:4f8:c2c:840f::1/64", }, - 'gateway4': '172.31.1.1', - 'gateway6': 'fe80::1', + "gateway4": "172.31.1.1", + "gateway6": "fe80::1", }, }, - 'apt': { - 'packages': { - 'mosh': {}, - 'weechat': {}, - 'weechat-core': {}, - 'weechat-curses': {}, - 'weechat-perl': {}, - 'weechat-plugins': {}, - 'weechat-python': {}, - 'weechat-ruby': {}, + "apt": { + "packages": { + "mosh": {}, + "weechat": {}, + "weechat-core": {}, + "weechat-curses": {}, + "weechat-perl": {}, + "weechat-plugins": {}, + "weechat-python": {}, + "weechat-ruby": {}, }, - 'repos': { - 'weechat': { - 'items': { - 'deb https://weechat.org/debian {os_release} main', + "repos": { + "weechat": { + "items": { + "deb https://weechat.org/debian {os_release} main", }, }, }, }, - 'backup-client': { - 'pre-hooks': { - 'sophie-weechat': \ - 'echo \'core.weechat */layout store\' >> /home/sophie/.weechat/weechat_fifo\n' \ - 'echo \'core.weechat */save\' >> /home/sophie/.weechat/weechat_fifo\n', + "backup-client": { + "pre-hooks": { + "sophie-weechat": "echo 'core.weechat */layout store' >> /home/sophie/.weechat/weechat_fifo\n" + "echo 'core.weechat */save' >> /home/sophie/.weechat/weechat_fifo\n", }, }, - 'backups': { - 'paths': { - '/home/sophie/.weechat', + 
"backups": { + "paths": { + "/home/sophie/.weechat", }, }, - 'element-web': { - 'url': 'chat.sophies-kitchen.eu', - 'version': 'v1.11.83', - 'config': { - 'default_server_config': { - 'm.homeserver': { - 'base_url': 'https://matrix.sophies-kitchen.eu', - 'server_name': 'sophies-kitchen.eu', + "element-web": { + "url": "chat.sophies-kitchen.eu", + "version": "v1.11.86", + "config": { + "default_server_config": { + "m.homeserver": { + "base_url": "https://matrix.sophies-kitchen.eu", + "server_name": "sophies-kitchen.eu", }, }, - 'brand': 'sophies-kitchen.eu', - 'showLabsSettings': True, - 'default_theme': 'dark', - 'defaultCountryCode': 'DE', - 'jitsi': { - 'preferredDomain': 'meet.ffmuc.net', + "brand": "sophies-kitchen.eu", + "showLabsSettings": True, + "default_theme": "dark", + "defaultCountryCode": "DE", + "jitsi": { + "preferredDomain": "meet.ffmuc.net", }, - 'map_style_url': "https://api.maptiler.com/maps/openstreetmap/style.json?key=fU3vlMsMn4Jb6dnEIFsx" + "map_style_url": "https://api.maptiler.com/maps/openstreetmap/style.json?key=fU3vlMsMn4Jb6dnEIFsx", }, }, - 'hedgedoc': { - 'version': '1.10.0', - 'config': { - 'production': { - 'allowAnonymousEdits': True, - 'domain': 'pad.sophies-kitchen.eu', + "hedgedoc": { + "version": "1.10.0", + "config": { + "production": { + "allowAnonymousEdits": True, + "domain": "pad.sophies-kitchen.eu", }, }, }, - 'letsencrypt': { - 'concat_and_deploy': { - 'sophie-weechat': { - 'match_domain': 'i.sophies-kitchen.eu', - 'target': '/home/sophie/.weechat/ssl/relay.pem', - 'chown': 'sophie:sophie', - 'chmod': '0440', - 'commands': [ - 'echo \'core.weechat */relay sslcertkey\' >> /home/sophie/.weechat/weechat_fifo' + "letsencrypt": { + "concat_and_deploy": { + "sophie-weechat": { + "match_domain": "i.sophies-kitchen.eu", + "target": "/home/sophie/.weechat/ssl/relay.pem", + "chown": "sophie:sophie", + "chmod": "0440", + "commands": [ + "echo 'core.weechat */relay sslcertkey' >> /home/sophie/.weechat/weechat_fifo" ], }, }, - 
'domains': { - 'i.sophies-kitchen.eu': set(), - 'webdump.sophies-kitchen.eu': set(), - 'matrix.sophies-kitchen.eu': { - 'sophies-kitchen.eu', + "domains": { + "i.sophies-kitchen.eu": set(), + "webdump.sophies-kitchen.eu": set(), + "matrix.sophies-kitchen.eu": { + "sophies-kitchen.eu", }, }, }, - 'matrix-media-repo': { - 'version': 'v1.3.7', - 'datastore_id': '99c09e24edc4e9be6c4c9486bc147e385bc87044', - 'sha1': '3e2bb7089b0898b86000243a82cc58ae998dc9d9', - 'homeservers': { - 'sophies-kitchen.eu': { - 'domain': 'http://[::1]:20080/', - 'api': 'synapse', - 'signing_key_path': "/etc/matrix-synapse/mmr.signing.key" + "matrix-media-repo": { + "version": "v1.3.7", + "datastore_id": "99c09e24edc4e9be6c4c9486bc147e385bc87044", + "sha1": "3e2bb7089b0898b86000243a82cc58ae998dc9d9", + "homeservers": { + "sophies-kitchen.eu": { + "domain": "http://[::1]:20080/", + "api": "synapse", + "signing_key_path": "/etc/matrix-synapse/mmr.signing.key", }, }, - 'admins': { - '@sophie:sophies-kitchen.eu', + "admins": { + "@sophie:sophies-kitchen.eu", }, - 'upload_max_mb': 500, + "upload_max_mb": 500, }, - 'matrix-stickerpicker': { - # use this bot token for telegram import: encrypt$gAAAAABg4bcQVzBF_iXdDtjRQD-O37GHdbHwWXyhCLPOuJLbv3ezUeXKR203hkCXkjfItSHi4NiTEgQPadDZTRkavaRpvAoaQV1a4srCS_Y-NU4RiOmkrVFJ_Xhw6UZvwjQUQ0QPOx9t - 'domain': "matrix-stickers.sophies-kitchen.eu", - 'config': { - 'access_token': vault.decrypt('encrypt$gAAAAABg4btB0KGk068ahGZzR0w_Lm1bj1wUbB2WfNNs2bp3PwM4Ftp6MjQnrF-CejZfrF0NjPJw9Z4MrgileHP0sVw04mvgKSHfTf8gv4kTB6WuCIxHeMWHUDx00LTWL73fSlhCK0o1'), - 'homeserver': "https://matrix.sophies-kitchen.eu", - 'user_id': "@dimension:sophies-kitchen.eu", + "matrix-stickerpicker": { + # use this bot token for telegram import: encrypt$gAAAAABg4bcQVzBF_iXdDtjRQD-O37GHdbHwWXyhCLPOuJLbv3ezUeXKR203hkCXkjfItSHi4NiTEgQPadDZTRkavaRpvAoaQV1a4srCS_Y-NU4RiOmkrVFJ_Xhw6UZvwjQUQ0QPOx9t + "domain": "matrix-stickers.sophies-kitchen.eu", + "config": { + "access_token": vault.decrypt( + 
"encrypt$gAAAAABg4btB0KGk068ahGZzR0w_Lm1bj1wUbB2WfNNs2bp3PwM4Ftp6MjQnrF-CejZfrF0NjPJw9Z4MrgileHP0sVw04mvgKSHfTf8gv4kTB6WuCIxHeMWHUDx00LTWL73fSlhCK0o1" + ), + "homeserver": "https://matrix.sophies-kitchen.eu", + "user_id": "@dimension:sophies-kitchen.eu", }, }, - 'matrix-synapse': { - 'server_name': 'sophies-kitchen.eu', - 'baseurl': 'matrix.sophies-kitchen.eu', - 'admin_contact': 'mailto:foobar@sophies-kitchen.eu', - 'trusted_key_servers': { - 'matrix.org', + "matrix-synapse": { + "server_name": "sophies-kitchen.eu", + "baseurl": "matrix.sophies-kitchen.eu", + "admin_contact": "mailto:foobar@sophies-kitchen.eu", + "trusted_key_servers": { + "matrix.org", }, }, - 'mautrix-telegram': { - 'version': 'v0.15.2', - 'homeserver': { - 'domain': 'sophies-kitchen.eu', - 'url': 'https://matrix.sophies-kitchen.eu', + "mautrix-telegram": { + "version": "v0.15.2", + "homeserver": { + "domain": "sophies-kitchen.eu", + "url": "https://matrix.sophies-kitchen.eu", }, - 'provisioning': { - 'enabled': False, - 'shared_secret': '""', + "provisioning": { + "enabled": False, + "shared_secret": '""', }, - 'permissions': { - 'sophies-kitchen.eu': 'full', - "'@sophie:sophies-kitchen.eu'": 'admin', + "permissions": { + "sophies-kitchen.eu": "full", + "'@sophie:sophies-kitchen.eu'": "admin", }, - 'telegram': { - 'api_id': vault.decrypt('encrypt$gAAAAABgnqdXhCTwtCXJhSaCZsiNfHPtjwlYtV1sUAux7JZdejN3xItU9RJLeNu4gUniv36XbBoxKwVtqqyV3RcAs-PgumcfYQ=='), - 'api_token': vault.decrypt('encrypt$gAAAAABgnqd5IdpYRmW-C4ONBSXQfiJrpTVQX0rP0eKoDnLnVTLg-5olSjcw2gVvEKWLnsGEZIgVcG7yEs-sqYRxeiQLFFpSn-Z4We0mhj0CUeFoD-eXJsp-bAgLv9PJoMv5Gjb8r9i6'), - 'bot_token': '""', + "telegram": { + "api_id": vault.decrypt( + "encrypt$gAAAAABgnqdXhCTwtCXJhSaCZsiNfHPtjwlYtV1sUAux7JZdejN3xItU9RJLeNu4gUniv36XbBoxKwVtqqyV3RcAs-PgumcfYQ==" + ), + "api_token": vault.decrypt( + "encrypt$gAAAAABgnqd5IdpYRmW-C4ONBSXQfiJrpTVQX0rP0eKoDnLnVTLg-5olSjcw2gVvEKWLnsGEZIgVcG7yEs-sqYRxeiQLFFpSn-Z4We0mhj0CUeFoD-eXJsp-bAgLv9PJoMv5Gjb8r9i6" + ), + 
"bot_token": '""', }, }, - 'nameservers': { - '213.133.98.98', - '213.133.99.99', - '213.133.100.100', - '2a01:4f8:0:1::add:1010', - '2a01:4f8:0:1::add:9999', - '2a01:4f8:0:1::add:9898', + "nameservers": { + "213.133.98.98", + "213.133.99.99", + "213.133.100.100", + "2a01:4f8:0:1::add:1010", + "2a01:4f8:0:1::add:9999", + "2a01:4f8:0:1::add:9898", }, - 'nftables': { - 'input': { - '50-sophie-weechat': [ - 'udp dport { 60000-61000 } accept', - 'tcp dport 9001 accept', + "nftables": { + "input": { + "50-sophie-weechat": [ + "udp dport { 60000-61000 } accept", + "tcp dport 9001 accept", ], }, }, - 'nginx': { - 'vhosts': { - 'sophies-kitchen.eu': { - 'webroot': '/var/www/sophies-kitchen.eu/_site/', - 'extras': True, + "nginx": { + "vhosts": { + "sophies-kitchen.eu": { + "webroot": "/var/www/sophies-kitchen.eu/_site/", + "extras": True, }, - 'matrix-synapse': { - 'domain': 'matrix.sophies-kitchen.eu', + "matrix-synapse": { + "domain": "matrix.sophies-kitchen.eu", }, - 'webdump.sophies-kitchen.eu': { - 'webroot_config': { - 'owner': 'sophie', - 'group': 'sophie', - 'mode': '0755', + "webdump.sophies-kitchen.eu": { + "webroot_config": { + "owner": "sophie", + "group": "sophie", + "mode": "0755", }, - 'extras': True, + "extras": True, }, - 'recipes.sophies-kitchen.eu': { - 'webroot_config': { - 'owner': 'sophie', - 'group': 'sophie', - 'mode': '0755', + "recipes.sophies-kitchen.eu": { + "webroot_config": { + "owner": "sophie", + "group": "sophie", + "mode": "0755", }, }, }, }, - 'nodejs': { - 'version': 20, + "nodejs": { + "version": 20, }, - 'ntfy': { - 'domain': 'ntfy.sophies-kitchen.eu', - 'allow_unauthorized_write': True, + "ntfy": { + "domain": "ntfy.sophies-kitchen.eu", + "allow_unauthorized_write": True, }, - 'postgresql': { - 'version': '11', + "postgresql": { + "version": "11", }, - 'sysctl': { - 'options': { + "sysctl": { + "options": { # XXX find out if this is really needed - 'net.ipv4.conf.all.forwarding': '1', - 'net.ipv6.conf.all.forwarding': '1', + 
"net.ipv4.conf.all.forwarding": "1", + "net.ipv6.conf.all.forwarding": "1", }, }, - 'vm': { - 'cpu': 2, - 'ram': 4, + "vm": { + "cpu": 2, + "ram": 4, }, - 'users': { - 'sophie': { - 'enable_linger': True, - 'ssh_pubkey': [ + "users": { + "sophie": { + "enable_linger": True, + "ssh_pubkey": [ "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDILcYrMQNRVXAm5L+7No1ZumqfCyRc1QZmTY3O7Q8hsE4+fCAvwsWm2aSMfLL3NnIl8Nm1Rixzic5jdYKYNIY3SlX1wvTB+MhGb2eyVSd7c/Y98aCLSlDkQ2sebjpdA1FoJOeGD3qxqDwj0+KckXU2ZaSSQY7CxVsjH65UxCHqVAg+6uLdNbj7j850s1B9NXVXef+sBQ5jUngXxnqQWwNh2Mn8auwumkeEG4SYf96wyFkLvmBitOng/GyLWl9YPnXXHHDnatcVipy7y34qw4CQ4P84anecbA+Bqr9IcxBW6qYmYgRKEnAcmEfjQd+BI1gCLB1BBEmb/qp+mVLd4tOh sophie@carbon" ], }, }, - 'zfs': { + "zfs": { "datasets": { "tank/webdump": { "mountpoint": "/var/www/webdump.sophies-kitchen.eu", - "needed_by": [ - "directory:/var/www/webdump.sophies-kitchen.eu" - ] + "needed_by": ["directory:/var/www/webdump.sophies-kitchen.eu"], } }, - 'pools': { - 'tank': { - 'when_creating': { - 'config': [{ - 'devices': { - '/dev/disk/by-id/scsi-0HC_Volume_23952298', - }, - }] + "pools": { + "tank": { + "when_creating": { + "config": [ + { + "devices": { + "/dev/disk/by-id/scsi-0HC_Volume_23952298", + }, + } + ] }, }, }, From 9c382ed8f59ac49837c75909e2e2ec816875ee08 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Mon, 2 Dec 2024 20:17:54 +0100 Subject: [PATCH 846/996] bundles/systemd: move timezone information to metadata defaults --- bundles/systemd/items.py | 2 +- bundles/systemd/metadata.py | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/bundles/systemd/items.py b/bundles/systemd/items.py index c8ecbd9..005696e 100644 --- a/bundles/systemd/items.py +++ b/bundles/systemd/items.py @@ -1,4 +1,4 @@ -timezone = node.metadata.get('timezone', 'UTC') +timezone = node.metadata.get('timezone') actions['systemd-reload'] = { 'command': 'systemctl daemon-reload', diff --git a/bundles/systemd/metadata.py b/bundles/systemd/metadata.py index 15f9b8a..76f2016 100644 
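Review bot: The only functional change in this hunk, `"version": "v1.11.86"` replacing `'version': 'v1.11.83'` for element-web, is buried under a whole-file quote-style reformat and is not mentioned in the subject `miniserver: updates`; splitting the reformat from the version bump, or naming the bump in the message, makes the part that matters reviewable. The maptiler key embedded in `map_style_url` is kept as a cleartext literal while the other credentials in this node go through `vault.decrypt(...)`; if that key is meant to be private it belongs in the vault, and if it is an intentionally public client-side key a short comment saying so avoids the question on the next review. `"postgresql": {"version": "11"}` is carried over unchanged, and PostgreSQL 11 is past upstream end-of-life so it no longer receives security fixes; that is a follow-up rather than part of this reformat, but worth tracking.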
--- a/bundles/systemd/metadata.py +++ b/bundles/systemd/metadata.py @@ -21,6 +21,7 @@ defaults = { }, }, }, + 'timezone': 'UTC', } if not node.has_bundle('rsyslogd'): From 77b2d02e6631b0d785ecedad1eafc343a33c4c59 Mon Sep 17 00:00:00 2001 From: Sophie Schiller Date: Sat, 7 Dec 2024 22:41:10 +0100 Subject: [PATCH 847/996] sophie.unbound: new node --- nodes/sophie/unbound.py | 32 ++++++++++++++++++++++++++++++++ 1 file changed, 32 insertions(+) create mode 100644 nodes/sophie/unbound.py diff --git a/nodes/sophie/unbound.py b/nodes/sophie/unbound.py new file mode 100644 index 0000000..e0cb10d --- /dev/null +++ b/nodes/sophie/unbound.py @@ -0,0 +1,32 @@ +nodes["sophie.unbound"] = { + "hostname": "172.19.164.4", + "bundles": { + "unbound", + }, + "groups": { + "debian-bookworm", + }, + "metadata": { + "interfaces": { + "enp1s0": { + "ips": { + "172.19.164.4/24", + "fe80::4/64", + }, + "gateway4": "172.19.164.1", + "ipv6_accept_ra": True, + }, + }, + "vm": { + "cpu": 2, + "ram": 2, + }, + "unbound": { + "dns64": False, + "restrict-to": { + "172.19.164.0/24", + "fe80::/64", + }, + }, + }, +} From c03690fe88eb997e583aed16266dc3ec1f9bdf8e Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 8 Dec 2024 14:10:59 +0100 Subject: [PATCH 848/996] bundles/pacman: always use linux-lts please --- bundles/pacman/files/pacman.conf | 14 +------------- bundles/pacman/items.py | 8 ++------ bundles/pacman/metadata.py | 1 + bundles/zfs/items.py | 3 +++ bundles/zfs/metadata.py | 27 ++++++--------------------- nodes/kunsi-p14s.py | 8 ++++---- 6 files changed, 17 insertions(+), 44 deletions(-) diff --git a/bundles/pacman/files/pacman.conf b/bundles/pacman/files/pacman.conf index 834108e..7fb4e48 100644 --- a/bundles/pacman/files/pacman.conf +++ b/bundles/pacman/files/pacman.conf 
@@ -32,21 +32,9 @@ Include = /etc/pacman.d/mirrorlist Server = ${node.metadata.get('pacman/repository')} Include = /etc/pacman.d/mirrorlist % endif -% if node.metadata.get('pacman/enable_aurto', True): +% if node.metadata.get('pacman/enable_aurto'): [aurto] Server = https://aurto.kunbox.net/ SigLevel = Optional TrustAll % endif -% if node.has_bundle('zfs'): - -[archzfs] -Server = http://archzfs.com/archzfs/x86_64 - -% if node.metadata.get('pacman/linux-lts', False): -[zfs-linux-lts] -% else: -[zfs-linux] -% endif -Server = http://kernels.archzfs.com/$repo/ -% endif diff --git a/bundles/pacman/items.py b/bundles/pacman/items.py index 9f80ca7..fe4f605 100644 --- a/bundles/pacman/items.py +++ b/bundles/pacman/items.py @@ -33,6 +33,7 @@ svc_systemd['paccache.timer'] = { } pkg_pacman = { + 'acpi_call-lts': {}, 'at': {}, 'autoconf': {}, 'automake': {}, @@ -61,6 +62,7 @@ pkg_pacman = { 'ldns': {}, 'less': {}, 'libtool': {}, + 'linux-lts': {}, 'logrotate': {}, 'lsof': {}, 'm4': {}, @@ -102,12 +104,6 @@ pkg_pacman = { 'zip': {}, } -if node.metadata.get('pacman/linux-lts', False): - pkg_pacman['linux-lts'] = {} - pkg_pacman['acpi_call-lts'] = {} -else: - pkg_pacman['linux'] = {} - pkg_pacman['acpi_call'] = {} for pkg, config in node.metadata.get('pacman/packages', {}).items(): pkg_pacman[pkg] = config diff --git a/bundles/pacman/metadata.py b/bundles/pacman/metadata.py index fb69a04..1c60981 100644 --- a/bundles/pacman/metadata.py +++ b/bundles/pacman/metadata.py @@ -4,6 +4,7 @@ defaults = { 'glibc', 'pacman', }, + 'enable_aurto': True, 'no_extract': { 'etc/cron.d/0hourly', # don't install systemd-homed pam module. It produces a lot of spam in diff --git a/bundles/zfs/items.py b/bundles/zfs/items.py index c63250e..8b13f4b 100644 --- a/bundles/zfs/items.py +++ b/bundles/zfs/items.py 
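Review bot: The `@@ -102,12 +104,6 @@` hunk of bundles/pacman/items.py stops installing `linux`/`acpi_call` but never removes them, so a node that previously ran the stock kernel keeps that package and its initramfs installed and updated alongside `linux-lts` unless something outside this commit prunes it. If the intent is "always linux-lts", declare the old packages absent next to the new ones, e.g. `'linux': {'installed': False},` and `'acpi_call': {'installed': False},` in `pkg_pacman`, or add a comment stating that removal of the stock kernel is a manual step. Dropping the `True` default in the pacman.conf hunk (`node.metadata.get('pacman/enable_aurto')`) is safe because this commit's metadata.py hunk adds `'enable_aurto': True`, but a node-level override to `False` now also fails the new assert in bundles/zfs/items.py, which is worth a comment next to that default.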
@@ -2,6 +2,9 @@ from json import dumps from bundlewrap.metadata import MetadataJSONEncoder +if node.has_bundle('pacman'): + assert node.metadata.get('pacman/enable_aurto'), f'{node.name}: bundle:zfs needs aurto for zfs-linux-lts package' + files = { '/etc/modprobe.d/zfs.conf': { 'source': 'zfs-modprobe.conf', diff --git a/bundles/zfs/metadata.py b/bundles/zfs/metadata.py index 01ed900..4191834 100644 --- a/bundles/zfs/metadata.py +++ b/bundles/zfs/metadata.py @@ -48,6 +48,12 @@ defaults = { 'etc/sudoers.d/zfs', }, 'packages': { + 'zfs-linux-lts': { + 'needed_by': { + 'zfs_dataset:', + 'zfs_pool:', + }, + }, 'zfs-utils': { 'needed_by': { 'svc_systemd:zfs-zed', @@ -121,27 +127,6 @@ if node.has_bundle('telegraf'): } -@metadata_reactor.provides( - 'pacman/packages', -) -def packages(metadata): - if node.metadata.get('pacman/linux-lts', False): - pkgname = 'zfs-linux-lts' - else: - pkgname = 'zfs-linux' - return { - 'pacman': { - 'packages': { - pkgname: { - 'needed_by': { - 'zfs_dataset:', - 'zfs_pool:', - }, - }, - }, - }, - } - @metadata_reactor.provides( 'apt/packages', ) diff --git a/nodes/kunsi-p14s.py b/nodes/kunsi-p14s.py index b94f2b0..385cf3f 100644 --- a/nodes/kunsi-p14s.py +++ b/nodes/kunsi-p14s.py @@ -115,10 +115,10 @@ nodes['kunsi-p14s'] = { 'entries': { 'arch': { 'title': 'Arch Linux', - 'linux': '/vmlinuz-linux', + 'linux': '/vmlinuz-linux-lts', 'initrd': [ '/amd-ucode.img', - '/initramfs-linux.img', + '/initramfs-linux-lts.img', ], 'options': { 'net.ifnames=0', @@ -128,9 +128,9 @@ nodes['kunsi-p14s'] = { }, 'arch-fallback': { 'title': 'Arch Linux (no ucode, fallback initramfs)', - 'linux': '/vmlinuz-linux', + 'linux': '/vmlinuz-linux-lts', 'initrd': [ - '/initramfs-linux-fallback.img', + '/initramfs-linux-lts-fallback.img', ], 'options': { 'net.ifnames=0', From c084048905a0c3e51ffb30c30f622a770f1514c2 Mon Sep 17 00:00:00 2001 
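Review bot: The new assert in bundles/zfs/items.py makes the aurto repository a hard requirement for the kernel module package, and that repository is declared with `SigLevel = Optional TrustAll` in this commit's pacman.conf hunk, so `zfs-linux-lts` is now always installed without any package signature check; the transport is HTTPS (`Server = https://aurto.kunbox.net/`), but a mis-built or tampered repository would be accepted unchanged. If aurto packages can be signed, tighten that repository to `SigLevel = Required DatabaseOptional` and import the signing key; otherwise record the trade-off where the dependency is created, e.g. `# zfs-linux-lts is pulled from aurto, which pacman.conf configures with SigLevel TrustAll`. The removed `packages` reactor in bundles/zfs/metadata.py and the new static `zfs-linux-lts` entry are consistent with the pacman change and need no further action.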
From: Franziska Kunsmann Date: Sun, 8 Dec 2024 14:18:40 +0100 Subject: [PATCH 849/996] home.nas: add samba share for various TV streams --- nodes/home/nas.py | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/nodes/home/nas.py b/nodes/home/nas.py index 741fa75..c9b630e 100644 --- a/nodes/home/nas.py +++ b/nodes/home/nas.py @@ -177,6 +177,10 @@ nodes['home.nas'] = { }, 'samba': { 'shares': { + 'TV': { + 'path': '/storage/nas/TV', + 'force_group': 'nas', + }, 'music': { 'path': '/storage/nas/Musik', 'force_group': 'nas', From e55f32bfb6562549de7d66187b12045991c9bd78 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 8 Dec 2024 15:49:19 +0100 Subject: [PATCH 850/996] use device serial if description is not set --- bundles/infobeamer-monitor/files/monitor.py | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/bundles/infobeamer-monitor/files/monitor.py b/bundles/infobeamer-monitor/files/monitor.py index e5755c2..01ffe29 100644 --- a/bundles/infobeamer-monitor/files/monitor.py +++ b/bundles/infobeamer-monitor/files/monitor.py @@ -40,7 +40,10 @@ def mqtt_out(message, level="INFO", device=None): key = "infobeamer" if device: key += f"/{device['id']}" - message = f"[{device['description']}] {message}" + if device["description"]: + message = f"[{device['description']}] {message}" + else: + message = f"[{device['serial']}] {message}" client.publish( CONFIG["mqtt"]["topic"], From 316ba1c1c6fabb1417b53ab1816b792765416b4f Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 8 Dec 2024 15:52:54 +0100 Subject: [PATCH 851/996] voc.infobeamer-cms: room names --- nodes/voc/infobeamer-cms.py | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/nodes/voc/infobeamer-cms.py b/nodes/voc/infobeamer-cms.py index ceebc9e..c610345 100644 --- a/nodes/voc/infobeamer-cms.py +++ b/nodes/voc/infobeamer-cms.py 
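Review bot: The new `else` branch in `mqtt_out` (bundles/infobeamer-monitor/files/monitor.py) indexes `device['serial']` directly, so a device record without that key now raises a KeyError inside the monitoring path, where the old code only depended on `description`. Unless the info-beamer API guarantees `serial` for every device (not visible here), prefer a fallback chain that degrades to the id, which the same function already uses for the topic key: `label = device['description'] or device.get('serial') or device['id']` followed by `message = f"[{label}] {message}"`. The body of `mqtt_out` begins before this hunk.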
@@ -72,11 +72,12 @@ nodes['voc.infobeamer-cms'] = { }, }, 'rooms': { - 'Saal 1': 34430, - 'Saal G': 26598, - 'Saal Z': 26610, - 'Saal E (SoS/Lightning-Talks)': 32814, - 'Saal F (Sendezentrum/DLF)': 9717, + 'Saal 1': 34430, # s1 + 'Saal GLITCH': 37731, # s2 + 'Saal ZIGZAG': 26610, # s3 + 'Saal HUFF': 38641, # s4 + 'Saal YELL': 38642, # s5 + 'Sendezentrum': 35042, # s6 }, 'interrupts': { 'Questions': 'questions', From bd2662b87ae085f2753ee229601a98130e911b80 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Thu, 12 Dec 2024 11:02:14 +0100 Subject: [PATCH 852/996] update travelynx to 2.9.6 --- nodes/carlene.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nodes/carlene.toml b/nodes/carlene.toml index b0f1593..f027fcd 100644 --- a/nodes/carlene.toml +++ b/nodes/carlene.toml @@ -262,7 +262,7 @@ disks = [ ] [metadata.travelynx] -version = "2.9.2" +version = "2.9.6" mail_from = "travelynx@franzi.business" domain = "travelynx.franzi.business" From 58304bf5c6aeacc9fd3c3fb0d94f6f69d9aff6c5 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Wed, 18 Dec 2024 10:43:35 +0100 Subject: [PATCH 853/996] voc.infobeamer-cms: add evilscientress and stblassitude --- nodes/voc/infobeamer-cms.py | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/nodes/voc/infobeamer-cms.py b/nodes/voc/infobeamer-cms.py index c610345..2e4e8cb 100644 --- a/nodes/voc/infobeamer-cms.py +++ b/nodes/voc/infobeamer-cms.py @@ -29,6 +29,7 @@ nodes['voc.infobeamer-cms'] = { 'event_duration_days': 5, 'config': { 'ADMIN_USERS': [ + 'evilscientress', 'hexchen', 'jbeyerstedt', 'jwacalex', 
@@ -36,6 +37,9 @@ nodes['voc.infobeamer-cms'] = { 'sophieschi', 'v0tti', ], + 'NO_LIMIT_USERS': [ + 'stblassitude', + ], 'GITHUB_CLIENT_ID': vault.decrypt('encrypt$gAAAAABiNwHfIu9PYFfJrF7qirn_9vdvvUlEhJnadoNSS5XlCDbI_aMyj21_ZYQxaCkc6_eVX6Cj1jEHZ7Vs6wM-XyQdW0nUOahtqG4uvnYCiM3GFKHW_wQ='), 'GITHUB_CLIENT_SECRET': vault.decrypt('encrypt$gAAAAABiNwHtdZC2XQ8IjosL7vsmrxZMwDIM6AD5dUlLo996tJs4qV7KJETHgYYZil2aMzClwhcE6JmxdhARRp7IJQ4rQQibelTNmyYSzj_V4puVpvma7SU0UZkTIG95SdPpoHY--Zba'), 'HOSTED_API_KEY': vault.decrypt('encrypt$gAAAAABhxJPH2sIGMAibU2Us1HoCVlNfF0SQQnVl0eiod48Zu8webL_-xk3wDw3yXw1Hkglj-2usl-D3Yd095yTSq0vZMCv2fh-JWwSPdJewQ45x9Ai4vXVD4CNz5vuJBESKS9xQWXTc'), From 2f73aae13b42a3b37b815e906b6aa63ce8a483a5 Mon Sep 17 00:00:00 2001 From: Sophie Schiller Date: Thu, 19 Dec 2024 03:15:27 +0100 Subject: [PATCH 854/996] bw/ssl new cert for home.sophie --- data/ssl/_.home.sophies-kitchen.eu.crt.pem | 38 +++++++++---------- ...me.sophies-kitchen.eu.crt_intermediate.pem | 36 +++++++++--------- .../_.home.sophies-kitchen.eu.key.pem.vault | 2 +- 3 files changed, 38 insertions(+), 38 deletions(-) diff --git a/data/ssl/_.home.sophies-kitchen.eu.crt.pem b/data/ssl/_.home.sophies-kitchen.eu.crt.pem index df6ad40..c0e1bad 100644 --- a/data/ssl/_.home.sophies-kitchen.eu.crt.pem +++ b/data/ssl/_.home.sophies-kitchen.eu.crt.pem 
@@ -1,23 +1,23 @@ -----BEGIN CERTIFICATE----- -MIIDxjCCA0ygAwIBAgISBIbwgyWchKDri2pD+Lk46M3eMAoGCCqGSM49BAMDMDIx +MIIDxzCCA02gAwIBAgISA1HOrGT03Yk2QXIKpt4i5P2mMAoGCCqGSM49BAMDMDIx CzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQDEwJF -NTAeFw0yNDA5MTkxOTQ5NDFaFw0yNDEyMTgxOTQ5NDBaMCIxIDAeBgNVBAMTF2hv -bWUuc29waGllcy1raXRjaGVuLmV1MHYwEAYHKoZIzj0CAQYFK4EEACIDYgAE4rKd -PfAtfQts90WjdnsscizZzlUF/HZBx97kT4/eWgyU/MNOFGF4WqGA92OX0ymZVJ7l -D4CnHq96odx0LqHBQ+W+MXNlsWnwBTUOPKp8XyUeDhZbkgNJDR8nGtHje9a8o4IC -MzCCAi8wDgYDVR0PAQH/BAQDAgeAMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEF -BQcDAjAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBSONIAWFPI0mqJYBqnWk1J0Ea27 -sDAfBgNVHSMEGDAWgBSfK1/PPCFPnQS37SssxMZwi9LXDTBVBggrBgEFBQcBAQRJ -MEcwIQYIKwYBBQUHMAGGFWh0dHA6Ly9lNS5vLmxlbmNyLm9yZzAiBggrBgEFBQcw -AoYWaHR0cDovL2U1LmkubGVuY3Iub3JnLzA9BgNVHREENjA0ghkqLmhvbWUuc29w +NjAeFw0yNDEyMTkwMTE2MTdaFw0yNTAzMTkwMTE2MTZaMCIxIDAeBgNVBAMTF2hv +bWUuc29waGllcy1raXRjaGVuLmV1MHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEKI2X +YK5pxQUcBjOYQwH6OQBEaj2kVhtj1BgRXXrap/U3Zi9M1oKpDk22husbUDS4fACo +IFAsNYbFi15ayAwvkkcWEe4VkgYEdPVJes3XnkL1YOGzUpT9+eC6VbjCxjfdo4IC +NDCCAjAwDgYDVR0PAQH/BAQDAgeAMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEF +BQcDAjAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBRQB7GGtPhw9dPLCx28NgPOq+Wa +jjAfBgNVHSMEGDAWgBSTJ0aYA6lRaI6Y1sRCSNsjv1iU0jBVBggrBgEFBQcBAQRJ +MEcwIQYIKwYBBQUHMAGGFWh0dHA6Ly9lNi5vLmxlbmNyLm9yZzAiBggrBgEFBQcw +AoYWaHR0cDovL2U2LmkubGVuY3Iub3JnLzA9BgNVHREENjA0ghkqLmhvbWUuc29w aGllcy1raXRjaGVuLmV1ghdob21lLnNvcGhpZXMta2l0Y2hlbi5ldTATBgNVHSAE -DDAKMAgGBmeBDAECATCCAQMGCisGAQQB1nkCBAIEgfQEgfEA7wB1AEiw42vapkc0 -D+VqAvqdMOscUgHLVt0sgdm7v6s52IRzAAABkgwK350AAAQDAEYwRAIga5zPs7YZ -mJqbxhinEJKKQ9XCe1w/MhBzFMzwHFGbaPgCIHeprkwET14Y3h5dmUF7szwTg1Ey -zqLM+GQL3t7EAX2cAHYAPxdLT9ciR1iUHWUchL4NEu2QN38fhWrrwb8ohez4ZG4A -AAGSDArfogAABAMARzBFAiEA0faR1cyqpmCyHo/0KCv04fkpwgzWdMY+WopJXDLD -zz8CIEBKANatmiRstc5D69jKhq2beHldLZB3jRfm1WlWqmxJMAoGCCqGSM49BAMD -A2gAMGUCMCrpe2jxoTH410jNJPOnbN4ae0Ng54JtRNcFWHlcwpk07NrByJSTPWDd 
-zr7AYsbbVQIxAOGboJcIxsuf+rN30iWoe5KwCY3sd5XW8bEKFQnugIVHxAQKnHNc -0InWz2sVWYKNBA== +DDAKMAgGBmeBDAECATCCAQQGCisGAQQB1nkCBAIEgfUEgfIA8AB3AKLjCuRF772t +m3447Udnd1PXgluElNcrXhssxLlQpEfnAAABk9yyNhIAAAQDAEgwRgIhAOsCeRvZ +GUN1z2lGajkrKcCtffuDhwNRPAIN2we+oXuzAiEA7XeLDROcGGcOYUMin5xKE+qr +XwitlCEyUejC5xKJm1QAdQDM+w9qhXEJZf6Vm1PO6bJ8IumFXA2XjbapflTA/kwN +sAAAAZPcsjYwAAAEAwBGMEQCIFRahCu7PZCNkSF6+oyB3MAWoLQYmjlDXxeI91E0 +QfOkAiBGaToUTmM1n16nkX0hMVhNm7icCFojHkNCUzfSJ0wk8zAKBggqhkjOPQQD +AwNoADBlAjAgbshjfMt0K8pG2NzhVW1m/es3HJEtK4QGAe/BR5lgjLy1bJG/iLr9 +eXPh4xACg5wCMQDx7cF2C2T06e9ogshtJGODQSM9tGHbtt2rpAbUAzWNZgu+F3XL +mwaSjFAL7mBYSMM= -----END CERTIFICATE----- diff --git a/data/ssl/_.home.sophies-kitchen.eu.crt_intermediate.pem b/data/ssl/_.home.sophies-kitchen.eu.crt_intermediate.pem index 59039ae..4652201 100644 --- a/data/ssl/_.home.sophies-kitchen.eu.crt_intermediate.pem +++ b/data/ssl/_.home.sophies-kitchen.eu.crt_intermediate.pem 
@@ -1,27 +1,27 @@ -----BEGIN CERTIFICATE----- -MIIEVzCCAj+gAwIBAgIRAIOPbGPOsTmMYgZigxXJ/d4wDQYJKoZIhvcNAQELBQAw +MIIEVzCCAj+gAwIBAgIRALBXPpFzlydw27SHyzpFKzgwDQYJKoZIhvcNAQELBQAw TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMjQwMzEzMDAwMDAw WhcNMjcwMzEyMjM1OTU5WjAyMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNTGV0J3Mg -RW5jcnlwdDELMAkGA1UEAxMCRTUwdjAQBgcqhkjOPQIBBgUrgQQAIgNiAAQNCzqK -a2GOtu/cX1jnxkJFVKtj9mZhSAouWXW0gQI3ULc/FnncmOyhKJdyIBwsz9V8UiBO -VHhbhBRrwJCuhezAUUE8Wod/Bk3U/mDR+mwt4X2VEIiiCFQPmRpM5uoKrNijgfgw +RW5jcnlwdDELMAkGA1UEAxMCRTYwdjAQBgcqhkjOPQIBBgUrgQQAIgNiAATZ8Z5G +h/ghcWCoJuuj+rnq2h25EqfUJtlRFLFhfHWWvyILOR/VvtEKRqotPEoJhC6+QJVV +6RlAN2Z17TJOdwRJ+HB7wxjnzvdxEP6sdNgA1O1tHHMWMxCcOrLqbGL0vbijgfgw gfUwDgYDVR0PAQH/BAQDAgGGMB0GA1UdJQQWMBQGCCsGAQUFBwMCBggrBgEFBQcD -ATASBgNVHRMBAf8ECDAGAQH/AgEAMB0GA1UdDgQWBBSfK1/PPCFPnQS37SssxMZw -i9LXDTAfBgNVHSMEGDAWgBR5tFnme7bl5AFzgAiIyBpY9umbbjAyBggrBgEFBQcB +ATASBgNVHRMBAf8ECDAGAQH/AgEAMB0GA1UdDgQWBBSTJ0aYA6lRaI6Y1sRCSNsj +v1iU0jAfBgNVHSMEGDAWgBR5tFnme7bl5AFzgAiIyBpY9umbbjAyBggrBgEFBQcB AQQmMCQwIgYIKwYBBQUHMAKGFmh0dHA6Ly94MS5pLmxlbmNyLm9yZy8wEwYDVR0g BAwwCjAIBgZngQwBAgEwJwYDVR0fBCAwHjAcoBqgGIYWaHR0cDovL3gxLmMubGVu -Y3Iub3JnLzANBgkqhkiG9w0BAQsFAAOCAgEAH3KdNEVCQdqk0LKyuNImTKdRJY1C -2uw2SJajuhqkyGPY8C+zzsufZ+mgnhnq1A2KVQOSykOEnUbx1cy637rBAihx97r+ -bcwbZM6sTDIaEriR/PLk6LKs9Be0uoVxgOKDcpG9svD33J+G9Lcfv1K9luDmSTgG -6XNFIN5vfI5gs/lMPyojEMdIzK9blcl2/1vKxO8WGCcjvsQ1nJ/Pwt8LQZBfOFyV -XP8ubAp/au3dc4EKWG9MO5zcx1qT9+NXRGdVWxGvmBFRAajciMfXME1ZuGmk3/GO -koAM7ZkjZmleyokP1LGzmfJcUd9s7eeu1/9/eg5XlXd/55GtYjAM+C4DG5i7eaNq -cm2F+yxYIPt6cbbtYVNJCGfHWqHEQ4FYStUyFnv8sjyqU8ypgZaNJ9aVcWSICLOI -E1/Qv/7oKsnZCWJ926wU6RqG1OYPGOi1zuABhLw61cuPVDT28nQS/e6z95cJXq0e -K1BcaJ6fJZsmbjRgD5p3mvEf5vdQM7MCEvU0tHbsx2I5mHHJoABHb8KVBgWp/lcX -GWiWaeOyB7RP+OfDtvi2OsapxXiV7vNVs7fMlrRjY1joKaqmmycnBvAq14AEbtyL -sVfOS66B8apkeFX2NY4XPEYV4ZSCe8VHPrdrERk2wILG3T/EGmSIkCYVUMSnjmJd -VQD9F6Na/+zmXCc= 
+Y3Iub3JnLzANBgkqhkiG9w0BAQsFAAOCAgEAfYt7SiA1sgWGCIpunk46r4AExIRc +MxkKgUhNlrrv1B21hOaXN/5miE+LOTbrcmU/M9yvC6MVY730GNFoL8IhJ8j8vrOL +pMY22OP6baS1k9YMrtDTlwJHoGby04ThTUeBDksS9RiuHvicZqBedQdIF65pZuhp +eDcGBcLiYasQr/EO5gxxtLyTmgsHSOVSBcFOn9lgv7LECPq9i7mfH3mpxgrRKSxH +pOoZ0KXMcB+hHuvlklHntvcI0mMMQ0mhYj6qtMFStkF1RpCG3IPdIwpVCQqu8GV7 +s8ubknRzs+3C/Bm19RFOoiPpDkwvyNfvmQ14XkyqqKK5oZ8zhD32kFRQkxa8uZSu +h4aTImFxknu39waBxIRXE4jKxlAmQc4QjFZoq1KmQqQg0J/1JF8RlFvJas1VcjLv +YlvUB2t6npO6oQjB3l+PNf0DpQH7iUx3Wz5AjQCi6L25FjyE06q6BZ/QlmtYdl/8 +ZYao4SRqPEs/6cAiF+Qf5zg2UkaWtDphl1LKMuTNLotvsX99HP69V2faNyegodQ0 +LyTApr/vT01YPE46vNsDLgK+4cL6TrzC/a4WcmF5SRJ938zrv/duJHLXQIku5v0+ +EwOy59Hdm0PT/Er/84dDV0CSjdR/2XuZM3kpysSKLgD1cKiDA+IRguODCxfO9cyY +Ig46v9mFmBvyH04= -----END CERTIFICATE----- diff --git a/data/ssl/_.home.sophies-kitchen.eu.key.pem.vault b/data/ssl/_.home.sophies-kitchen.eu.key.pem.vault index ce7b75d..4b79230 100644 --- a/data/ssl/_.home.sophies-kitchen.eu.key.pem.vault +++ b/data/ssl/_.home.sophies-kitchen.eu.key.pem.vault 
@@ -1 +1 @@ -encrypt$gAAAAABm7I7N50TwtCs2LUt_MArRJnLQ-xLFVhr-zDtdWUVMejViIN2O9h5d_RP45jWt5BpxIkTORarcULXprEXp7zbb-CR5CTwbsNK6HnvSHPwuwXuxJQKRJtT4wWfYEFOxY9aUR9gxvXc3arsYHwVsGyLOeWA_6YzjO5IpL1LfQrsJuUE_1p9sKRyPpslmOJtD5OihMtIfAJNzBDwOSE_gdtLa8iae3DHtSvmKbGKSvwQEZ0pkJxVTVXJY4wddQmdsuV0ky04ls_tUINH8t6IMTJCt_5_ELzpTSdcHgV6W4yh8r_LTEH38n2boYnz3fKgieHnDHDWxFW1EYA2JWjkamH7hQ8iOMl8bqQieFAENnYjF41iz6tSCjfxVyKt_OfJUAwMScVMhPsuaI_i_ZB0Ge6BLsMwkw0d3yw06CwRQ3N7PcPPJLhL_eQS3EuV7Y-7Vv64secplJJIkcFfm1t5zcGkkm4-pDw== \ No newline at end of file +encrypt$gAAAAABnY4Ga6MmpudhHnOVKVh3j6R071y-Bs6es3e3hNHkZP7Tfj6IomEhTSxWb_oG9HYZmhkadw66cmVRQcxp1wGChWWLye-ykadgy0xUCxGW3YmBWp4t--Yesvbjamaa5OlvDFWQVG5Zt4fsY7BloXRdio8XUdPKBkbi2MV0quvpqsFfOqr_ZmIOOkjLlZojfw9HQ7odM9lSAm8cVS5NXimOhA1ks_gK6CzJbzwhpbekCOcx5_sGhdb8XFUxLN-VBtmQ2HGIncou66rE1P3mBg2hDSyqiXapVMkqMjNoVM71V_5lUnAF7Lxce3nG72SnOe2oITnxRNcnaavxDEgd0ffM5revuCd-XWlaUW1iQrgSyQzJyD6Ukv-mM2IRpuoq79JdTZK_LNJkAmJozrGBT0c5ZwGVNLmZEcjQ1dk8jyYslF5s7rK1lmNvcTUaHGpFToXc1p-qFY8NNWj_Iu-MLE8PNrIscDg== \ No newline at end of file From 8f61fec65f069fecfa4ea117947eb909f8ed2c0e Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Fri, 20 Dec 2024 10:24:36 +0100 Subject: [PATCH 855/996] bundles/infobeamer-cms: ensure we have and use redis --- bundles/infobeamer-cms/metadata.py | 3 +++ 1 file changed, 3 insertions(+) diff --git a/bundles/infobeamer-cms/metadata.py b/bundles/infobeamer-cms/metadata.py index 9d602e0..f340e01 100644 --- a/bundles/infobeamer-cms/metadata.py +++ b/bundles/infobeamer-cms/metadata.py @@ -1,10 +1,13 @@ from datetime import datetime, timedelta +assert node.has_bundle('redis') + defaults = { 'infobeamer-cms': { 'config': { 'MAX_UPLOADS': 5, 'PREFERRED_URL_SCHEME': 'https', + 'REDIS_HOST': '127.0.0.1', 'SESSION_COOKIE_NAME': '__Host-sess', 'STATIC_PATH': '/opt/infobeamer-cms/static', 'URL_KEY': repo.vault.password_for(f'{node.name} infobeamer-cms url key'), From 6cd20c2e43195d6948b25e50859bd1552e8dd0fe Mon Sep 17 00:00:00 2001 
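Review bot: `assert node.has_bundle('redis')` in bundles/infobeamer-cms/metadata.py only checks that the redis bundle is present; it does not verify that redis is bound to `127.0.0.1`, which the new `'REDIS_HOST': '127.0.0.1'` literal assumes, nor whether the instance expects authentication, so a redis bundle configured to listen elsewhere would fail at runtime rather than at apply time. If the redis bundle exposes its bind address or port through metadata, read those here instead of the literal; otherwise a comment above the assert such as `# infobeamer-cms expects the redis bundle to listen on loopback without auth` makes the assumption explicit.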
From: Franziska Kunsmann Date: Fri, 20 Dec 2024 13:14:57 +0100 Subject: [PATCH 856/996] fix device names for s4, s5 and s6 --- nodes/voc/infobeamer-cms.py | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/nodes/voc/infobeamer-cms.py b/nodes/voc/infobeamer-cms.py index 2e4e8cb..023a589 100644 --- a/nodes/voc/infobeamer-cms.py +++ b/nodes/voc/infobeamer-cms.py @@ -79,9 +79,9 @@ nodes['voc.infobeamer-cms'] = { 'Saal 1': 34430, # s1 'Saal GLITCH': 37731, # s2 'Saal ZIGZAG': 26610, # s3 - 'Saal HUFF': 38641, # s4 - 'Saal YELL': 38642, # s5 - 'Sendezentrum': 35042, # s6 + 'Sendezentrum': 38641, # s4 + 'Stage YELL': 38642, # s5 + 'Stage HUFF': 35042, # s6 }, 'interrupts': { 'Questions': 'questions', From 12d179235e6ec74bbdb9f664a3fd1eb0726341a6 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 22 Dec 2024 04:59:29 +0100 Subject: [PATCH 857/996] bump nodejs versions --- bundles/element-web/metadata.py | 2 +- bundles/paperless-ng/metadata.py | 2 +- bundles/powerdnsadmin/metadata.py | 2 +- bundles/pretalx/metadata.py | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/bundles/element-web/metadata.py b/bundles/element-web/metadata.py index b68b481..5ee7449 100644 --- a/bundles/element-web/metadata.py +++ b/bundles/element-web/metadata.py @@ -20,7 +20,7 @@ def nodejs(metadata): if version >= (1, 11, 71): return { 'nodejs': { - 'version': 20, + 'version': 22, }, } else: diff --git a/bundles/paperless-ng/metadata.py b/bundles/paperless-ng/metadata.py index 91a18c6..6746616 100644 --- a/bundles/paperless-ng/metadata.py +++ b/bundles/paperless-ng/metadata.py @@ -34,7 +34,7 @@ defaults = { }, }, 'nodejs': { - 'version': 18, + 'version': 22, }, 'postgresql': { 'roles': { diff --git a/bundles/powerdnsadmin/metadata.py b/bundles/powerdnsadmin/metadata.py index e6f5014..c2b2c1e 100644 --- a/bundles/powerdnsadmin/metadata.py +++ b/bundles/powerdnsadmin/metadata.py 
@@ -14,7 +14,7 @@ defaults = { }, }, 'nodejs': { - 'version': 18, + 'version': 22, }, 'users': { 'powerdnsadmin': { diff --git a/bundles/pretalx/metadata.py b/bundles/pretalx/metadata.py index 7bbad24..15b61e3 100644 --- a/bundles/pretalx/metadata.py +++ b/bundles/pretalx/metadata.py @@ -27,7 +27,7 @@ defaults = { }, }, 'nodejs': { - 'version': 18, + 'version': 22, }, 'pretalx': { 'database': { From 958ea3c9e3b10c4ea76663c317a9c50bb70c685f Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 22 Dec 2024 04:59:55 +0100 Subject: [PATCH 858/996] libs/tools: add option to only add private ips if system has only private ips --- libs/tools.py | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/libs/tools.py b/libs/tools.py index 7a984df..4f98677 100644 --- a/libs/tools.py +++ b/libs/tools.py @@ -5,7 +5,7 @@ from bundlewrap.utils.text import bold, red from bundlewrap.utils.ui import io -def resolve_identifier(repo, identifier, linklocal=False, only_physical=False): +def resolve_identifier(repo, identifier, linklocal=False, only_physical=False, allow_private=True): """ Try to resolve an identifier (group or node). Return a set of ip addresses valid for this identifier. @@ -62,10 +62,15 @@ def resolve_identifier(repo, identifier, linklocal=False, only_physical=False): 'ipv6': set(), } + has_public_ips = bool([ip for ip in found_ips if not ip.is_private]) + for ip in found_ips: if ip.is_link_local and not linklocal: continue + if ip.is_private and not allow_private and has_public_ips: + continue + if isinstance(ip, IPv4Address): ip_dict['ipv4'].add(ip) else: From 6f6b1932e2889fc024f562d98989481b198c5b78 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 22 Dec 2024 05:03:54 +0100 Subject: [PATCH 859/996] bundles/pretalx: fix syntax error --- bundles/pretalx/items.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/bundles/pretalx/items.py b/bundles/pretalx/items.py index 75e4c09..e6b22a4 100644 
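Review bot: The new `allow_private` parameter of `resolve_identifier` in libs/tools.py is not described in the docstring the first hunk shows, and its name does not convey the actual rule (private addresses are dropped only when the identifier also has public ones), so a caller passing `allow_private=False` may expect private addresses to be excluded unconditionally. Add a docstring line such as `allow_private=False drops private addresses only when at least one public address was found` and consider a name like `prefer_public` if callers are not yet relying on the keyword. In the second hunk, `has_public_ips = bool([ip for ip in found_ips if not ip.is_private])` builds a throwaway list; `has_public_ips = any(not ip.is_private for ip in found_ips)` is equivalent and short-circuits. Note that `is_private` is also true for link-local and loopback addresses, so they never count as public here; link-local is already skipped by the existing check, so that is presumably intended. The function body continues beyond both hunks.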
--- a/bundles/pretalx/items.py +++ b/bundles/pretalx/items.py @@ -116,7 +116,7 @@ svc_systemd = { 'pretalx-worker': { 'needs': { 'action:pretalx_install', - 'action:pretalx_migrate',, + 'action:pretalx_migrate', 'action:pretalx_rebuild', 'file:/etc/systemd/system/pretalx-worker.service', 'file:/opt/pretalx/pretalx.cfg', From 9ba35569d6702a939164dc9d26e3799a689e4e59 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 22 Dec 2024 05:25:44 +0100 Subject: [PATCH 860/996] home.hass: bump python version for home assistant --- nodes/home.hass.toml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/nodes/home.hass.toml b/nodes/home.hass.toml index 52a2388..afb204f 100644 --- a/nodes/home.hass.toml +++ b/nodes/home.hass.toml @@ -25,8 +25,8 @@ domain = 'hass.home.kunbox.net' api_secret = '!decrypt:encrypt$gAAAAABm9lNg_mNhyzb4S6WRtVRDmQFBnPpoCwyqMnilRrAFUXc-EDvv-nYXPbSIbjTf7ZReTPtqr8k3WrGPqiuqhJ60LVv4A5DMqT5c6hTVr4WbhP4DPEIPgfd5aq6U9_-H9WDyQYHKjnunLJEYtEREzmhTq3XsYeQ05DyE7hfnQ-zVoBb0CsAK7GdhihRTdvhXv2N9M04_rigyBP-roRcUgCqwyHuWJc0IPAyn3R4Mr43ZqgR2fn6dNV_YUVKn9c0nWxIwRnYy6Ff_Te9NoGVmXxkiNUX-90bBLKFiCzrRAtizxrTiQb2SRipaWbgOlV6wbMy2KNux' [metadata.pyenv] -version = 'v2.3.36' -python_versions = ["3.12.2"] +version = 'v2.4.23' +python_versions = ["3.13.1"] [metadata.nginx.vhosts.homeassistant] ssl = '_.home.kunbox.net' From 4124e6788f4b01cc8da361e90cb811f9996f5722 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 22 Dec 2024 11:32:35 +0100 Subject: [PATCH 861/996] bundles/infobeamer-monitor: sort by device id --- bundles/infobeamer-monitor/files/monitor.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/bundles/infobeamer-monitor/files/monitor.py b/bundles/infobeamer-monitor/files/monitor.py index 01ffe29..7646fa6 100644 --- a/bundles/infobeamer-monitor/files/monitor.py +++ b/bundles/infobeamer-monitor/files/monitor.py 
@@ -93,7 +93,7 @@ while True: ) else: new_state = {} - for device in ib_state: + for device in sorted(ib_state, key=lambda x: x["id"]): did = str(device["id"]) if did in new_state: From 54ccb5f44fbacdbccb7f75906f035fdfbf604fb1 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 22 Dec 2024 11:39:37 +0100 Subject: [PATCH 862/996] update element-web to 1.11.89 --- nodes/carlene.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nodes/carlene.toml b/nodes/carlene.toml index f027fcd..eb7dba7 100644 --- a/nodes/carlene.toml +++ b/nodes/carlene.toml @@ -40,7 +40,7 @@ imap_pass = "!bwpass_attr:t-online.de/franzi.kunsmann@t-online.de:imap" [metadata.element-web] url = "chat.franzi.business" -version = "v1.11.86" +version = "v1.11.89" [metadata.element-web.config] default_server_config.'m.homeserver'.base_url = "https://matrix.franzi.business" default_server_config.'m.homeserver'.server_name = "franzi.business" From c552dad9b4fb5e8d70b2c237ba4ebae211a8c522 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 22 Dec 2024 11:39:53 +0100 Subject: [PATCH 863/996] update forgejo to 9.0.3 --- nodes/carlene.toml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/nodes/carlene.toml b/nodes/carlene.toml index eb7dba7..9ca4691 100644 --- a/nodes/carlene.toml +++ b/nodes/carlene.toml @@ -49,8 +49,8 @@ defaultCountryCode = "DE" jitsi.preferredDomain = "meet.ffmuc.net" [metadata.forgejo] -version = "9.0.2" -sha1 = "5aecc64f93e8ef05c6d6f83d4b647bdb2c831d9f" +version = "9.0.3" +sha1 = "a04a8d5bee7321610d91da780a24e18f7407403c" domain = "git.franzi.business" enable_git_hooks = true install_ssh_key = true From ca72edd77511a4358c7767990f888081230ea469 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 22 Dec 2024 11:40:06 +0100 Subject: [PATCH 864/996] update mautrix-whatsapp to 0.11.2 --- nodes/carlene.toml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/nodes/carlene.toml b/nodes/carlene.toml index 9ca4691..2288222 100644 --- a/nodes/carlene.toml +++ b/nodes/carlene.toml @@ -114,8 +114,8 @@ provisioning.shared_secret = "!decrypt:encrypt$gAAAAABfVKflEMAi07C_QGP8cy97hF-4g "'@kunsi:franzi.business'" = "admin" [metadata.mautrix-whatsapp] -version = "v0.11.1" -sha1 = "ada2dc6acfd5cb15fae341266b383d3f6e8b42bd" +version = "v0.11.2" +sha1 = "0bd8ebef237473989c4e9658c72595e9f7c09d44" permissions."'@kunsi:franzi.business'" = "admin" [metadata.mautrix-whatsapp.homeserver] domain = "franzi.business" From 71705f8b231183e5cecbf584609a1c4e131585e0 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 22 Dec 2024 11:40:27 +0100 Subject: [PATCH 865/996] update netbox to 4.1.9 --- nodes/carlene.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nodes/carlene.toml b/nodes/carlene.toml index 2288222..85ac262 100644 --- a/nodes/carlene.toml +++ b/nodes/carlene.toml @@ -126,7 +126,7 @@ domain = "rss.franzi.business" [metadata.netbox] domain = "netbox.franzi.business" -version = "v4.1.7" +version = "v4.1.9" admins.kunsi = "hostmaster@kunbox.net" [metadata.nextcloud] From 17ff238b24125f6c8e6c7edb7d454db9e18d5fe9 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 22 Dec 2024 11:40:40 +0100 Subject: [PATCH 866/996] update postfixadmin to 3.3.15 --- nodes/carlene.toml | 2 +- nodes/htz-cloud/pirmasens.py | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/nodes/carlene.toml b/nodes/carlene.toml index 85ac262..6d90334 100644 --- a/nodes/carlene.toml +++ b/nodes/carlene.toml @@ -213,7 +213,7 @@ blocked_recipients = [ [metadata.postfixadmin] domain = "postfixadmin.franzi.business" setup_password = "!decrypt:encrypt$gAAAAABgnNGpAqUs--qBXII9ZPcHtxaELy9e2Dx9O44n4l0O4nMHPoIyaPW5HkvpQ2zWTlh5OfjjOgunRtE_voJuY0Kdtji37ixAnuL9ErOJ0LDY5QfMkNPUgPs5alwz1baqYq6rqJ7NDmB0gHraY46v5eG79R2EyQ==" -version = "3.3.14" +version = "3.3.15" [metadata.postgresql] version = 15 
diff --git a/nodes/htz-cloud/pirmasens.py b/nodes/htz-cloud/pirmasens.py index 46f4638..655f325 100644 --- a/nodes/htz-cloud/pirmasens.py +++ b/nodes/htz-cloud/pirmasens.py @@ -71,7 +71,7 @@ nodes['htz-cloud.pirmasens'] = { }, 'postfixadmin': { 'domain': 'mail.kunsmann.info', - 'version': '3.3.14', + 'version': '3.3.15', 'setup_password': vault.decrypt('encrypt$gAAAAABgnNGpAqUs--qBXII9ZPcHtxaELy9e2Dx9O44n4l0O4nMHPoIyaPW5HkvpQ2zWTlh5OfjjOgunRtE_voJuY0Kdtji37ixAnuL9ErOJ0LDY5QfMkNPUgPs5alwz1baqYq6rqJ7NDmB0gHraY46v5eG79R2EyQ=='), }, 'postgresql': { From 9395fcb7f5253ac75c557e264ad208b32bb3c999 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 22 Dec 2024 20:01:26 +0100 Subject: [PATCH 867/996] home.nas: rename zpool --- nodes/home/nas.py | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/nodes/home/nas.py b/nodes/home/nas.py index c9b630e..52a2bfd 100644 --- a/nodes/home/nas.py +++ b/nodes/home/nas.py @@ -264,7 +264,7 @@ nodes['home.nas'] = { 'zfs_arc_max_gb': 8, }, 'pools': { - 'storage': { + 'tank': { 'when_creating': { 'config': [ { @@ -321,22 +321,22 @@ nodes['home.nas'] = { 'encrypted/paperless': { 'mountpoint': '/media/paperless', }, - 'storage': { + 'tank': { 'primarycache': 'metadata', }, - 'storage/opt-yate': { + 'tank/opt-yate': { 'mountpoint': '/opt/yate', }, - 'storage/download': { + 'tank/download': { 'mountpoint': '/storage/download', }, - 'storage/nas': { + 'tank/nas': { 'acltype': 'off', 'atime': 'off', 'compression': 'off', 'mountpoint': '/media/nas_old', }, - 'storage/paperless': { + 'tank/paperless': { 'mountpoint': '/srv/paperless', }, }, @@ -359,19 +359,19 @@ nodes['home.nas'] = { 'weekly': 6, 'monthly': 24, }, - 'storage/download': { + 'tank/download': { 'hourly': 48, 'daily': 0, 'weekly': 0, 'monthly': 0, }, - 'storage/nas': { + 'tank/nas': { # juuuuuuuust to be sure. 'daily': 14, 'weekly': 6, 'monthly': 12, }, - 'storage/paperless': { + 'tank/paperless': { 'daily': 14, 'weekly': 6, 'monthly': 24, 
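Review bot: Renaming the pool from `storage` to `tank` in nodes/home/nas.py changes only the desired state, and the `when_creating` block keeps the same device configuration, so if the pool on disk has not already been renamed out of band the zfs_pool item will presumably treat `tank` as missing and attempt to create it on devices that still belong to `storage` (zpool should refuse that without `-f`, but the apply then fails instead of converging). A comment above the pool, e.g. `# pool was renamed from 'storage' by hand; this config does not rename an existing pool`, would record that the rename is a manual step. The dataset and snapshot renames in the later hunks of this file follow from this and need no separate change.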
From 91432197e8fae83fbc133d1c113ae111dc88bd5d Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 22 Dec 2024 20:19:59 +0100 Subject: [PATCH 868/996] add bundle:avahi-daemon --- bundles/avahi-daemon/files/avahi-daemon.conf | 21 ++++++++++++++++++++ bundles/avahi-daemon/items.py | 17 ++++++++++++++++ bundles/avahi-daemon/metadata.py | 7 +++++++ 3 files changed, 45 insertions(+) create mode 100644 bundles/avahi-daemon/files/avahi-daemon.conf create mode 100644 bundles/avahi-daemon/items.py create mode 100644 bundles/avahi-daemon/metadata.py diff --git a/bundles/avahi-daemon/files/avahi-daemon.conf b/bundles/avahi-daemon/files/avahi-daemon.conf new file mode 100644 index 0000000..7a639fd --- /dev/null +++ b/bundles/avahi-daemon/files/avahi-daemon.conf @@ -0,0 +1,21 @@ +[server] +host-name=${node.name.split('.')[-1]} +use-ipv4=yes +use-ipv6=yes +ratelimit-interval-usec=1000000 +ratelimit-burst=1000 + +[wide-area] +enable-wide-area=yes + +[publish] +disable-publishing=no +disable-user-service-publishing=no +publish-hinfo=yes +publish-workstation=no +publish-aaaa-on-ipv4=yes +publish-a-on-ipv6=no + +[reflector] + +[rlimits] diff --git a/bundles/avahi-daemon/items.py b/bundles/avahi-daemon/items.py new file mode 100644 index 0000000..74bcdd3 --- /dev/null +++ b/bundles/avahi-daemon/items.py @@ -0,0 +1,17 @@ +directories['/etc/avahi/services'] = { + 'purge': True, +} + +files['/etc/avahi/avahi-daemon.conf'] = { + 'content_type': 'mako', + 'triggers': { + 'svc_systemd:avahi-daemon:restart', + }, +} + +svc_systemd['avahi-daemon'] = { + 'needs': { + 'file:/etc/avahi/avahi-daemon.conf', + 'pkg_apt:avahi-daemon', + }, +} diff --git a/bundles/avahi-daemon/metadata.py b/bundles/avahi-daemon/metadata.py new file mode 100644 index 0000000..b1400d9 --- /dev/null +++ b/bundles/avahi-daemon/metadata.py @@ -0,0 +1,7 @@ +defaults = { + 'apt': { + 'packages': { + 'avahi-daemon': {}, + }, + }, +} From ab717f62e7bd57c179f55d6f6480660a96e196b1 Mon Sep 17 00:00:00 2001 
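Review bot: bundles/avahi-daemon/files/avahi-daemon.conf sets `publish-hinfo=yes`, which advertises the host's OS and CPU type to everyone on the link as an HINFO record; nothing in this bundle needs it, so `publish-hinfo=no` is the safer default. The same file derives the mDNS name from `node.name.split('.')[-1]`, so two nodes whose names share the last label (`home.nas` and a hypothetical `other.nas`) would both claim `nas.local` and avahi would rename one of them; either a comment stating that the last label must be unique across avahi nodes or a metadata-provided name would make that assumption explicit. `enable-wide-area=yes` additionally turns on unicast DNS-SD lookups through the system resolver; if only link-local discovery is wanted, `enable-wide-area=no` keeps the daemon on mDNS alone. Restricting the listening interfaces is addressed by the follow-up commit in this series and is not re-raised here.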
From: Franziska Kunsmann Date: Sun, 22 Dec 2024 20:20:20 +0100 Subject: [PATCH 869/996] bundles/samba: add code to show up as time machine backup target --- bundles/samba/files/smb.conf | 28 +++++++++++++++++++++++++ bundles/samba/files/timemachine.service | 21 +++++++++++++++++++ bundles/samba/items.py | 26 +++++++++++++++++++++++ bundles/samba/metadata.py | 27 ++++++++++++++++++++++++ 4 files changed, 102 insertions(+) create mode 100644 bundles/samba/files/timemachine.service diff --git a/bundles/samba/files/smb.conf b/bundles/samba/files/smb.conf index c9a7859..22905ee 100644 --- a/bundles/samba/files/smb.conf +++ b/bundles/samba/files/smb.conf @@ -13,6 +13,13 @@ map to guest = bad user load printers = no usershare allow guests = yes allow insecure wide links = yes +min protocol = SMB2 +% if timemachine: +vfs objects = fruit +fruit:aapl = yes +fruit:copyfile = yes +fruit:model = MacSamba +% endif % for name, opts in sorted(node.metadata.get('samba/shares', {}).items()): [${name}] @@ -37,3 +44,24 @@ follow symlinks = yes wide links = yes % endif % endfor +% for name in sorted(timemachine): + +[timemachine-${name}] +comment = Time Machine backup for ${name} +available = yes +browseable = yes +guest ok = no +read only = false +valid users = timemachine-${name} +path = /srv/timemachine/${name} +durable handles = yes +vfs objects = catia fruit streams_xattr + +fruit:delete_empty_adfiles = yes +fruit:metadata = stream +fruit:posix_rename = yes +fruit:time machine = yes +fruit:time machine max size = 750G +fruit:veto_appledouble = no +fruit:wipe_intentionally_left_blank_rfork = yes +% endfor diff --git a/bundles/samba/files/timemachine.service b/bundles/samba/files/timemachine.service new file mode 100644 index 0000000..d25e6e5 --- /dev/null +++ b/bundles/samba/files/timemachine.service 
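Review bot: The time machine share block in bundles/samba/files/smb.conf hard-codes `fruit:time machine max size = 750G` for every share, while share name, user and path are templated per share; a per-share size from metadata would let differently sized clients be configured without editing the template. That value is what Samba reports to the client, not a server-side limit, so the on-disk cap should come from the per-share ZFS dataset this commit's metadata.py hunk creates. `min protocol = SMB2` is added globally and therefore applies to all existing shares on the node, not only the new ones; that is a good hardening step but is worth a line in the commit message or a comment, since clients still using SMB1 will lose access.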
@@ -0,0 +1,21 @@ + + + + %h + + _smb._tcp + 445 + + + _device-info._tcp + 0 + model=RackMac1,2 + + + _adisk._tcp +% for idx, share_name in enumerate(sorted(shares)): + dk${idx}=adVN=timemachine-${share_name},adVF=0x82 +% endfor + sys=waMa=0,adVF=0x100 + + diff --git a/bundles/samba/items.py b/bundles/samba/items.py index 333a338..a9567b4 100644 --- a/bundles/samba/items.py +++ b/bundles/samba/items.py @@ -11,9 +11,14 @@ svc_systemd = { }, } +timemachine_shares = node.metadata.get('samba/timemachine-shares', set()) + files = { '/etc/samba/smb.conf': { 'content_type': 'mako', + 'context': { + 'timemachine': timemachine_shares, + }, 'triggers': { 'svc_systemd:nmbd:restart', 'svc_systemd:smbd:restart', @@ -57,3 +62,24 @@ for user, uconfig in node.metadata.get('users', {}).items(): last_action = { f'action:smbpasswd_for_user_{user}', } + +if timemachine_shares: + assert node.has_bundle('avahi-daemon'), f'{node.name}: samba needs avahi-daemon to publish time machine shares' + + files['/etc/avahi/services/timemachine.service'] = { + 'content_type': 'mako', + 'context': { + 'shares': timemachine_shares, + }, + } + + for share_name in timemachine_shares: + users[f'timemachine-{share_name}'] = { + 'home': f'/srv/timemachine/{share_name}', + } + + directories[f'/srv/timemachine/{share_name}'] = { + 'owner': f'timemachine-{share_name}', + 'group': f'timemachine-{share_name}', + 'mode': '0700', + } diff --git a/bundles/samba/metadata.py b/bundles/samba/metadata.py index 7b9400c..c8243af 100644 --- a/bundles/samba/metadata.py +++ b/bundles/samba/metadata.py 
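Review bot: The second bundles/samba/items.py hunk creates the `timemachine-<share>` system users with only a `home`, and the visible `for user, uconfig in node.metadata.get('users', {}).items()` loop that runs `smbpasswd_for_user_<user>` iterates metadata users, not these item-level users, so as far as this hunk shows no Samba password is ever set for the time machine accounts and a share with `valid users = timemachine-<name>` and `guest ok = no` cannot be mounted. Either add the accounts to `users` metadata so the existing smbpasswd action covers them, or add a matching per-share action using a vault-managed password, and document where the client is expected to obtain it. If the passwords are handled elsewhere, a comment on the `users[f'timemachine-{share_name}']` item saying so would prevent the next reader from re-raising this.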
@@ -24,3 +24,30 @@ def firewall(metadata): }, }, } + + +@metadata_reactor.provides( + 'zfs/datasets', +) +def timemachine_zfs(metadata): + shares = metadata.get('samba/timemachine-shares', set()) + + if not shares: + return {} + + assert node.has_bundle('zfs'), f'{node.name}: time machine backups require zfs' + + datasets = { + 'tank/timemachine': {}, + } + + for share_name in shares: + datasets[f'tank/timemachine/{share_name}'] = { + 'mountpoint': f'/srv/timemachine/{share_name}', + } + + return { + 'zfs': { + 'datasets': datasets, + }, + } From 884c6f73af94678cf121f0ed6727a61cd4d5f444 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 22 Dec 2024 20:24:20 +0100 Subject: [PATCH 870/996] home.nas: clean up some datasets --- nodes/home/nas.py | 29 ----------------------------- 1 file changed, 29 deletions(-) diff --git a/nodes/home/nas.py b/nodes/home/nas.py index 52a2bfd..84d4aff 100644 --- a/nodes/home/nas.py +++ b/nodes/home/nas.py @@ -309,18 +309,12 @@ nodes['home.nas'] = { 'encrypted': { 'primarycache': 'metadata', }, - 'encrypted/download': { - 'mountpoint': '/media/download', - }, 'encrypted/nas': { 'acltype': 'off', 'atime': 'off', 'compression': 'off', 'mountpoint': '/storage/nas', }, - 'encrypted/paperless': { - 'mountpoint': '/media/paperless', - }, 'tank': { 'primarycache': 'metadata', }, 
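Review bot: `timemachine_zfs` hard-codes the pool name `tank` in a shared bundle, so any node whose pool is named differently would receive a dataset path that does not exist on that host; reading the pool from metadata with `'tank'` as the default (for example a `samba/timemachine-pool` style key, name to be chosen) keeps the current behaviour while making it configurable. The parent dataset `tank/timemachine` is created without a `mountpoint`, so it will presumably mount wherever the pool's inherited mountpoint puts it while the children mount under `/srv/timemachine/`; if that is intended, a one-line comment on the `datasets` literal would save the next reader a guess. A docstring such as `"""Create one zfs dataset per time machine share, mounted under /srv/timemachine/<share>."""` would also help.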
@@ -330,47 +324,24 @@ nodes['home.nas'] = { 'tank/download': { 'mountpoint': '/storage/download', }, - 'tank/nas': { - 'acltype': 'off', - 'atime': 'off', - 'compression': 'off', - 'mountpoint': '/media/nas_old', - }, 'tank/paperless': { 'mountpoint': '/srv/paperless', }, }, 'snapshots': { 'retain_per_dataset': { - 'encrypted/download': { - 'hourly': 6, - 'daily': 0, - 'weekly': 0, - 'monthly': 0, - }, 'encrypted/nas': { # juuuuuuuust to be sure. 'daily': 14, 'weekly': 6, 'monthly': 12, }, - 'encrypted/paperless': { - 'daily': 14, - 'weekly': 6, - 'monthly': 24, - }, 'tank/download': { 'hourly': 48, 'daily': 0, 'weekly': 0, 'monthly': 0, }, - 'tank/nas': { - # juuuuuuuust to be sure. - 'daily': 14, - 'weekly': 6, - 'monthly': 12, - }, 'tank/paperless': { 'daily': 14, 'weekly': 6, From fe4cd98612084da4c9b5c82d4d625d6ab2a64991 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 22 Dec 2024 20:24:35 +0100 Subject: [PATCH 871/996] home.nas: prepare for time machine backups --- nodes/home/nas.py | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/nodes/home/nas.py b/nodes/home/nas.py index 84d4aff..bf14b89 100644 --- a/nodes/home/nas.py +++ b/nodes/home/nas.py @@ -3,6 +3,7 @@ nodes['home.nas'] = { 'hostname': '172.19.138.20', 'bundles': { + 'avahi-daemon', 'backup-client', 'dm-crypt', 'jellyfin', @@ -193,6 +194,9 @@ nodes['home.nas'] = { 'restrict-to': { '172.19.138.0/24', }, + 'timemachine-shares': { + #'apfelcomputer', # hostname TBD + }, }, 'smartd': { 'disks': { From c455718847fdfae59a6f8062e5f21d020373322c Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 22 Dec 2024 20:29:39 +0100 Subject: [PATCH 872/996] bundles/avahi-daemon: install more dependencies and limit to interfaces that are configured --- bundles/avahi-daemon/files/avahi-daemon.conf | 1 + bundles/avahi-daemon/items.py | 1 + bundles/avahi-daemon/metadata.py | 1 + 3 files changed, 3 insertions(+) 
diff --git a/bundles/avahi-daemon/files/avahi-daemon.conf b/bundles/avahi-daemon/files/avahi-daemon.conf index 7a639fd..efdd222 100644 --- a/bundles/avahi-daemon/files/avahi-daemon.conf +++ b/bundles/avahi-daemon/files/avahi-daemon.conf @@ -2,6 +2,7 @@ host-name=${node.name.split('.')[-1]} use-ipv4=yes use-ipv6=yes +allow-interfaces=${','.join(sorted(node.metadata.get('interfaces', {}).keys()))} ratelimit-interval-usec=1000000 ratelimit-burst=1000 diff --git a/bundles/avahi-daemon/items.py b/bundles/avahi-daemon/items.py index 74bcdd3..0a0f1aa 100644 --- a/bundles/avahi-daemon/items.py +++ b/bundles/avahi-daemon/items.py @@ -13,5 +13,6 @@ svc_systemd['avahi-daemon'] = { 'needs': { 'file:/etc/avahi/avahi-daemon.conf', 'pkg_apt:avahi-daemon', + 'pkg_apt:libnss-mdns', }, } diff --git a/bundles/avahi-daemon/metadata.py b/bundles/avahi-daemon/metadata.py index b1400d9..0bb909f 100644 --- a/bundles/avahi-daemon/metadata.py +++ b/bundles/avahi-daemon/metadata.py @@ -2,6 +2,7 @@ defaults = { 'apt': { 'packages': { 'avahi-daemon': {}, + 'libnss-mdns': {}, }, }, } From 0df4c8f75e100064cc7d4e89452121c9e59d4e4a Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Mon, 23 Dec 2024 09:56:55 +0100 Subject: [PATCH 873/996] bump as3320 and as8881 routes --- configs/as3320.txt | 75 +++++++++++++++++++++++++++++----------------- configs/as8881.txt | 16 ++++++++-- 2 files changed, 61 insertions(+), 30 deletions(-) diff --git a/configs/as3320.txt b/configs/as3320.txt index 5c42e56..0ac3052 100644 --- a/configs/as3320.txt +++ b/configs/as3320.txt @@ -1,3 +1,4 @@ +109.203.176.0/21 109.237.176.0/20 109.72.116.0/24 116.50.16.0/21 @@ -19,7 +20,6 @@ 141.77.0.0/16 143.99.213.0/24 145.225.16.0/23 -146.247.58.0/24 147.161.22.0/24 147.78.17.0/24 147.79.8.0/21 
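Review bot: `allow-interfaces=${','.join(sorted(node.metadata.get('interfaces', {}).keys()))}` in the avahi-daemon.conf hunk renders as an empty `allow-interfaces=` on a node without `interfaces` metadata, and what avahi does with an empty allow-list is not established by anything here; wrapping the line in `% if node.metadata.get('interfaces'):` keeps the previous "all interfaces" behaviour on such nodes. Listing every configured interface also includes upstream-facing links on routers and VLAN/bond member interfaces, which is broader than an mDNS responder needs; a dedicated avahi-daemon interface list in metadata, defaulting to the configured interfaces, would allow a tighter allow-list per node.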
@@ -31,10 +31,13 @@ 149.237.203.0/24 149.237.250.0/24 149.237.251.0/24 +149.237.254.0/24 149.243.232.0/22 149.249.244.0/22 149.249.244.0/23 149.249.246.0/23 +151.243.168.0/24 +151.243.173.0/24 153.17.244.8/29 153.17.249.0/24 153.17.250.0/24 @@ -46,12 +49,13 @@ 153.96.218.0/24 153.96.22.0/24 153.97.32.0/24 +153.97.34.0/24 158.116.231.0/24 -160.211.126.0/24 163.5.156.0/24 163.5.170.0/24 163.5.186.0/24 163.5.220.0/24 +163.5.47.0/24 163.5.66.0/24 164.133.10.0/24 164.133.11.0/24 @@ -96,6 +100,7 @@ 185.202.32.0/21 185.207.46.0/24 185.21.247.0/24 +185.224.0.0/24 185.237.0.0/24 185.237.1.0/24 185.237.2.0/24 @@ -108,11 +113,16 @@ 185.28.208.0/22 185.39.12.0/22 185.48.0.0/22 -185.57.231.0/24 185.57.24.0/24 185.82.160.0/23 +185.97.227.0/24 +188.208.124.0/24 +188.208.125.0/24 +188.209.223.0/24 +188.214.136.0/24 +188.214.137.0/24 +188.214.138.0/24 188.214.139.0/24 -192.109.121.0/24 192.109.122.0/24 192.109.124.0/24 192.109.129.0/24 @@ -153,7 +163,6 @@ 193.100.248.0/22 193.100.252.0/24 193.100.3.0/24 -193.101.12.0/22 193.101.128.0/22 193.101.139.0/24 193.101.162.0/23 @@ -285,6 +294,7 @@ 194.127.242.0/23 194.127.254.0/24 194.145.252.0/24 +194.147.171.0/24 194.15.194.0/24 194.15.60.0/24 194.15.61.0/24 @@ -319,7 +329,6 @@ 194.180.64.0/20 194.25.0.0/16 194.25.1.5/32 -194.26.191.0/24 194.31.142.0/24 194.31.208.0/24 194.31.209.0/24 @@ -330,6 +339,11 @@ 194.33.115.0/24 194.33.120.0/24 194.33.121.0/24 +194.33.50.0/24 +194.38.48.0/24 +194.38.49.0/24 +194.38.50.0/24 +194.38.51.0/24 194.39.175.0/24 194.39.189.0/24 194.39.48.0/20 @@ -429,6 +443,9 @@ 205.142.63.0/24 212.184.0.0/15 212.185.0.0/16 +212.68.172.0/22 +212.68.176.0/22 +212.68.180.0/22 213.145.90.0/23 213.145.92.0/23 213.173.0.0/19 @@ -437,7 +454,7 @@ 213.209.156.0/24 217.0.0.0/13 217.117.96.0/24 -217.198.189.0/24 +217.177.33.0/24 217.224.0.0/11 217.24.32.0/20 217.24.33.0/24 
@@ -447,17 +464,22 @@ 31.224.0.0/11 31.6.56.0/23 37.143.0.0/22 +37.230.61.0/24 37.46.11.0/24 37.50.0.0/15 37.80.0.0/12 +45.112.192.0/24 +45.129.165.0/24 45.132.80.0/22 45.141.54.0/24 45.145.16.0/24 45.147.227.0/24 +45.149.7.0/24 45.155.77.0/24 45.81.255.0/24 45.83.136.0/22 45.93.186.0/23 +46.202.0.0/24 46.250.224.0/21 46.250.232.0/21 46.78.0.0/15 @@ -474,6 +496,7 @@ 62.224.0.0/14 62.56.208.0/21 62.68.73.0/24 +62.72.172.0/24 64.137.119.0/24 64.137.125.0/24 64.137.127.0/24 @@ -516,7 +539,9 @@ 84.32.48.0/22 84.55.0.0/24 84.55.1.0/24 +84.55.17.0/24 84.55.2.0/24 +84.55.22.0/24 84.55.3.0/24 84.55.4.0/24 84.55.5.0/24 @@ -527,13 +552,19 @@ 85.116.30.0/24 85.116.31.0/24 85.119.160.0/23 +85.133.193.0/24 +85.133.208.0/24 +85.133.214.0/24 +85.133.254.0/24 85.204.181.0/24 85.208.248.0/24 85.208.249.0/24 85.208.250.0/24 85.208.251.0/24 86.105.211.0/24 +86.105.58.0/24 86.107.164.0/24 +86.110.57.0/24 86.38.248.0/21 86.38.37.0/24 87.128.0.0/10 @@ -545,7 +576,6 @@ 89.116.64.0/22 89.213.186.0/23 89.39.97.0/24 -89.43.34.0/24 91.0.0.0/10 91.103.240.0/21 91.124.135.0/24 @@ -559,7 +589,6 @@ 91.124.27.0/24 91.124.28.0/24 91.124.31.0/24 -91.124.32.0/24 91.124.33.0/24 91.124.34.0/24 91.124.36.0/24 @@ -606,27 +635,15 @@ 91.222.232.0/22 91.227.98.0/23 91.232.54.0/24 -92.112.128.0/24 -92.112.155.0/24 -92.112.157.0/24 +91.246.176.0/21 +92.112.10.0/24 +92.112.158.0/24 92.112.16.0/22 -92.112.160.0/24 -92.112.162.0/24 -92.112.165.0/24 -92.112.167.0/24 92.112.20.0/22 92.112.48.0/24 -92.112.49.0/24 -92.112.52.0/24 -92.112.54.0/24 -92.112.59.0/24 -92.112.63.0/24 -92.112.64.0/24 -92.112.67.0/24 -92.112.79.0/24 -92.112.81.0/24 -92.112.83.0/24 -92.112.94.0/24 +92.112.6.0/24 +92.112.7.0/24 +92.112.8.0/24 92.114.44.0/22 92.119.164.0/22 92.119.208.0/24 @@ -635,8 +652,12 @@ 92.119.211.0/24 93.113.70.0/24 93.119.201.0/24 +93.119.232.0/24 93.192.0.0/10 94.126.98.0/24 +94.176.72.0/24 +94.176.74.0/24 +94.176.79.0/24 94.26.110.0/23 94.26.64.0/23 95.178.8.0/21 
diff --git a/configs/as8881.txt b/configs/as8881.txt index cd09176..aa354f9 100644 --- a/configs/as8881.txt +++ b/configs/as8881.txt @@ -6,6 +6,7 @@ 109.250.192.0/19 109.250.224.0/19 109.250.64.0/18 +109.72.113.0/24 134.101.0.0/21 14.102.90.0/24 143.58.64.0/18 @@ -121,6 +122,7 @@ 202.71.128.0/20 202.71.141.0/24 212.204.0.0/19 +212.23.205.0/24 212.7.128.0/19 212.8.0.0/19 212.80.224.0/19 @@ -152,6 +154,8 @@ 46.142.96.0/19 46.142.96.0/20 46.189.0.0/17 +46.203.156.0/24 +46.203.227.0/24 61.8.128.0/19 61.8.128.0/22 61.8.132.0/22 @@ -164,6 +168,7 @@ 62.214.224.0/19 62.217.32.0/19 62.220.0.0/19 +62.220.1.0/24 62.68.82.0/24 62.72.64.0/19 62.72.70.0/24 @@ -224,6 +229,7 @@ 88.130.0.0/16 88.130.136.0/21 88.130.144.0/20 +88.130.172.0/22 88.130.176.0/21 88.130.192.0/23 88.130.194.0/23 @@ -242,14 +248,16 @@ 88.130.63.0/24 88.130.64.0/19 88.130.96.0/19 +89.187.24.0/24 +89.187.26.0/24 89.207.200.0/21 89.244.0.0/14 89.244.120.0/21 89.244.160.0/21 89.244.176.0/20 89.244.192.0/19 -89.244.224.0/20 -89.244.76.0/24 +89.244.224.0/19 +89.244.76.0/22 89.244.78.0/23 89.244.80.0/20 89.244.96.0/22 @@ -266,7 +274,6 @@ 89.245.64.0/19 89.245.96.0/20 89.246.0.0/19 -89.246.112.0/22 89.246.122.0/24 89.246.124.0/22 89.246.160.0/21 @@ -325,6 +332,8 @@ 92.117.248.0/21 92.117.64.0/19 92.117.96.0/19 +93.114.90.0/24 +93.114.91.0/24 94.134.0.0/15 94.134.0.0/18 94.134.112.0/22 @@ -350,6 +359,7 @@ 2001:1438:1:a00::/56 2001:1438:2000::/36 2001:1438:3000::/36 +2001:1438:300::/56 2001:1438:4000::/36 2001:1438::/32 2001:16b8:1000::/40 From 0adf14a2934fad72711071094e224aca003b5c6f Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Mon, 23 Dec 2024 10:15:00 +0100 Subject: [PATCH 874/996] bundles/infobeamer-cms: times are in UTC, please --- bundles/infobeamer-cms/metadata.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/bundles/infobeamer-cms/metadata.py b/bundles/infobeamer-cms/metadata.py index f340e01..4413d5a 100644 --- a/bundles/infobeamer-cms/metadata.py 
+++ b/bundles/infobeamer-cms/metadata.py @@ -1,4 +1,4 @@ -from datetime import datetime, timedelta +from datetime import datetime, timedelta, timezone assert node.has_bundle('redis') @@ -52,7 +52,7 @@ def nginx(metadata): 'infobeamer-cms/config/TIME_MIN', ) def event_times(metadata): - event_start = datetime.strptime(metadata.get('infobeamer-cms/event_start_date'), '%Y-%m-%d') + event_start = datetime.strptime(metadata.get('infobeamer-cms/event_start_date'), '%Y-%m-%d').replace(tzinfo=timezone.utc) event_duration = metadata.get('infobeamer-cms/event_duration_days', 4) event_end = event_start + timedelta(days=event_duration) From 1c1be571d8b53710fbbea3a0e51c595142e3092d Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Mon, 23 Dec 2024 13:41:24 +0100 Subject: [PATCH 875/996] update travelynx to 2.9.8 --- nodes/carlene.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nodes/carlene.toml b/nodes/carlene.toml index 6d90334..645a460 100644 --- a/nodes/carlene.toml +++ b/nodes/carlene.toml @@ -262,7 +262,7 @@ disks = [ ] [metadata.travelynx] -version = "2.9.6" +version = "2.9.8" mail_from = "travelynx@franzi.business" domain = "travelynx.franzi.business" From 158b091487066635202d988943fa09f485b93384 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Mon, 23 Dec 2024 19:05:59 +0100 Subject: [PATCH 876/996] voc.infobeamer-cms: new sso setup --- nodes/voc/infobeamer-cms.py | 29 +++++++++++++++++++---------- 1 file changed, 19 insertions(+), 10 deletions(-) diff --git a/nodes/voc/infobeamer-cms.py b/nodes/voc/infobeamer-cms.py index 023a589..2a743fa 100644 --- a/nodes/voc/infobeamer-cms.py +++ b/nodes/voc/infobeamer-cms.py 
@@ -29,21 +29,20 @@ nodes['voc.infobeamer-cms'] = { 'event_duration_days': 5, 'config': { 'ADMIN_USERS': [ - 'evilscientress', - 'hexchen', - 'jbeyerstedt', - 'jwacalex', - 'kunsi', - 'sophieschi', - 'v0tti', + 'github:evilscientress', + 'github:hexchen', + 'github:jbeyerstedt', + 'github:jwacalex', + 'github:sophieschi', + 'github:v0tti', ], 'NO_LIMIT_USERS': [ - 'stblassitude', + 'github:stblassitude', ], - 'GITHUB_CLIENT_ID': vault.decrypt('encrypt$gAAAAABiNwHfIu9PYFfJrF7qirn_9vdvvUlEhJnadoNSS5XlCDbI_aMyj21_ZYQxaCkc6_eVX6Cj1jEHZ7Vs6wM-XyQdW0nUOahtqG4uvnYCiM3GFKHW_wQ='), - 'GITHUB_CLIENT_SECRET': vault.decrypt('encrypt$gAAAAABiNwHtdZC2XQ8IjosL7vsmrxZMwDIM6AD5dUlLo996tJs4qV7KJETHgYYZil2aMzClwhcE6JmxdhARRp7IJQ4rQQibelTNmyYSzj_V4puVpvma7SU0UZkTIG95SdPpoHY--Zba'), 'HOSTED_API_KEY': vault.decrypt('encrypt$gAAAAABhxJPH2sIGMAibU2Us1HoCVlNfF0SQQnVl0eiod48Zu8webL_-xk3wDw3yXw1Hkglj-2usl-D3Yd095yTSq0vZMCv2fh-JWwSPdJewQ45x9Ai4vXVD4CNz5vuJBESKS9xQWXTc'), 'INTERRUPT_KEY': vault.human_password_for('infobeamer-cms interrupt key 38c3', words=1), + 'DEFAULT_SSO_PROVIDER': 'github', + 'DEFAULT_ADMIN_SSO_PROVIDER': 'c3voc', 'SETUP_IDS': [ 255228, ], 
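Review bot: The `ADMIN_USERS` rewrite in this hunk silently drops one entry: the old list had seven names including `'kunsi'`, the new `github:`-prefixed list has six and no `github:kunsi`, while the commit message only mentions the new SSO setup. If dropping that admin is intended it deserves a mention in the message or a comment; if not, `'github:kunsi',` is missing. The `nodes['voc.infobeamer-cms']` literal continues outside the hunk.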
@@ -74,6 +73,16 @@ nodes['voc.infobeamer-cms'] = { or #info-beamer on the cccv rocketchat instance. '''.strip(), }, + 'oauth2_providers': { + 'github': { + 'client_id': vault.decrypt('encrypt$gAAAAABiNwHfIu9PYFfJrF7qirn_9vdvvUlEhJnadoNSS5XlCDbI_aMyj21_ZYQxaCkc6_eVX6Cj1jEHZ7Vs6wM-XyQdW0nUOahtqG4uvnYCiM3GFKHW_wQ='), + 'client_secret': vault.decrypt('encrypt$gAAAAABiNwHtdZC2XQ8IjosL7vsmrxZMwDIM6AD5dUlLo996tJs4qV7KJETHgYYZil2aMzClwhcE6JmxdhARRp7IJQ4rQQibelTNmyYSzj_V4puVpvma7SU0UZkTIG95SdPpoHY--Zba'), + }, + 'c3voc': { + 'client_id': 'uqzN2mYeMq4vxnHL6HNmBC80hsvYcfhzniiczdqV', + 'client_secret': vault.decrypt('encrypt$gAAAAABnaZ0z-hQ3yYf8P1g4gyLLvNHcNkiXVtIq7M11qswbzcVM4upfgtxCWBlCgwLN3v7CxwDFQbJnosEq0hbX4c0TEoOausV4upJD0-5zP_1U18gbMGicpZ0TCzYyEhOqvCye7UmFOWzOmplSX1fz43Pf7peDeaPxHjqmxjw0khyExzWw4JPOd1V7LhnesJmPCfGKXn5YHMDicrdYeqFf0FySN1yA5gfLNo7y-S1QMJ6-n6Jct7uuifF9t2OV-zyOj3cKK13B'), + }, + }, }, 'rooms': { 'Saal 1': 34430, # s1 From f06607df60329e1998c4871c75df51ea4503c7eb Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Mon, 23 Dec 2024 19:27:34 +0100 Subject: [PATCH 877/996] voc.infobeamer-cms: remove github admins of c3voc sso users --- nodes/voc/infobeamer-cms.py | 9 +-------- 1 file changed, 1 insertion(+), 8 deletions(-) diff --git a/nodes/voc/infobeamer-cms.py b/nodes/voc/infobeamer-cms.py index 2a743fa..e6de7d2 100644 --- a/nodes/voc/infobeamer-cms.py +++ b/nodes/voc/infobeamer-cms.py @@ -28,14 +28,7 @@ nodes['voc.infobeamer-cms'] = { 'event_start_date': '2024-12-26', 'event_duration_days': 5, 'config': { - 'ADMIN_USERS': [ - 'github:evilscientress', - 'github:hexchen', - 'github:jbeyerstedt', - 'github:jwacalex', - 'github:sophieschi', - 'github:v0tti', - ], + 'ADMIN_USERS': [], 'NO_LIMIT_USERS': [ 'github:stblassitude', ], From f3f78700e712b56a9d9779d8e920ed0b417eb0e1 Mon Sep 17 00:00:00 2001 
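Review bot: With `'ADMIN_USERS': []` in the `@@ -28,14 +28,7 @@` hunk of patch 877, admin access presumably now derives entirely from `DEFAULT_ADMIN_SSO_PROVIDER: 'c3voc'` set in the previous commit, but nothing in the config says so, and it is worth confirming that the application treats an empty list as "nobody listed" rather than "no restriction". A comment such as `'ADMIN_USERS': [],  # admins are everyone authenticating via the c3voc provider` would make the authorization model readable from the node file.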
From: Franziska Kunsmann Date: Tue, 24 Dec 2024 12:46:59 +0100 Subject: [PATCH 878/996] voc.infobeamer-cms: add 38c3 hub sso --- nodes/voc/infobeamer-cms.py | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/nodes/voc/infobeamer-cms.py b/nodes/voc/infobeamer-cms.py index e6de7d2..e577141 100644 --- a/nodes/voc/infobeamer-cms.py +++ b/nodes/voc/infobeamer-cms.py 
@@ -67,14 +67,18 @@ nodes['voc.infobeamer-cms'] = { '''.strip(), }, 'oauth2_providers': { - 'github': { - 'client_id': vault.decrypt('encrypt$gAAAAABiNwHfIu9PYFfJrF7qirn_9vdvvUlEhJnadoNSS5XlCDbI_aMyj21_ZYQxaCkc6_eVX6Cj1jEHZ7Vs6wM-XyQdW0nUOahtqG4uvnYCiM3GFKHW_wQ='), - 'client_secret': vault.decrypt('encrypt$gAAAAABiNwHtdZC2XQ8IjosL7vsmrxZMwDIM6AD5dUlLo996tJs4qV7KJETHgYYZil2aMzClwhcE6JmxdhARRp7IJQ4rQQibelTNmyYSzj_V4puVpvma7SU0UZkTIG95SdPpoHY--Zba'), - }, + #'github': { + # 'client_id': vault.decrypt('encrypt$gAAAAABiNwHfIu9PYFfJrF7qirn_9vdvvUlEhJnadoNSS5XlCDbI_aMyj21_ZYQxaCkc6_eVX6Cj1jEHZ7Vs6wM-XyQdW0nUOahtqG4uvnYCiM3GFKHW_wQ='), + # 'client_secret': vault.decrypt('encrypt$gAAAAABiNwHtdZC2XQ8IjosL7vsmrxZMwDIM6AD5dUlLo996tJs4qV7KJETHgYYZil2aMzClwhcE6JmxdhARRp7IJQ4rQQibelTNmyYSzj_V4puVpvma7SU0UZkTIG95SdPpoHY--Zba'), + #}, 'c3voc': { 'client_id': 'uqzN2mYeMq4vxnHL6HNmBC80hsvYcfhzniiczdqV', 'client_secret': vault.decrypt('encrypt$gAAAAABnaZ0z-hQ3yYf8P1g4gyLLvNHcNkiXVtIq7M11qswbzcVM4upfgtxCWBlCgwLN3v7CxwDFQbJnosEq0hbX4c0TEoOausV4upJD0-5zP_1U18gbMGicpZ0TCzYyEhOqvCye7UmFOWzOmplSX1fz43Pf7peDeaPxHjqmxjw0khyExzWw4JPOd1V7LhnesJmPCfGKXn5YHMDicrdYeqFf0FySN1yA5gfLNo7y-S1QMJ6-n6Jct7uuifF9t2OV-zyOj3cKK13B'), }, + 'c3hub': { + 'client_id': '16oHBcVstcOKwt3EuX9E2urpYeVC0Dfo3Gzn2XhS', + 'client_secret': vault.decrypt('encrypt$gAAAAABnaoRKbORUcceyKu3tda3lgMIFC-e0cG0AeMdDYJ--EnTRxp8QcULOTf2oBtKQUk17hgwfsafTFi4eZq1FrjNgq1h5gm83oJYWLQ6pp8Rsp9kjwgtAXf72jIU-AOQxx02SoFMU8r5pdEFEX4FkU_ksbU6s7xgBW8oxq_WO2CXAppTUX61TeB9me2nSLFdJc5-v6RDpQfDvVAm7yNS_PhMvMgVzfEZrFM-EWF_bl0S_q0ejf88o9zaXHIMJpzMruVZOXD0T'), + }, }, }, 'rooms': { From 1c385514674a4326fd4b3de3bdb3a67cb47aa366 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Tue, 24 Dec 2024 13:39:38 +0100 Subject: [PATCH 879/996] voc.infobeamer-cms: set default sso provider --- nodes/voc/infobeamer-cms.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
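Review bot: The `github` provider is commented out rather than removed, leaving a dead block with vault ciphertext in it; git history already preserves the old entry, so deleting the `#'github': {...}` lines keeps the node file readable and avoids the commented credentials being copied around. The same commented-out-instead-of-deleted pattern appears in the `inbox` user block of patch 881 (`nodes/home/nas.py`) and the `kunsi-p14s` peer of patch 888 (`nodes/htz-cloud/wireguard.py`). The `nodes['voc.infobeamer-cms']` literal continues outside the hunk.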
diff --git a/nodes/voc/infobeamer-cms.py b/nodes/voc/infobeamer-cms.py index e577141..043c7a5 100644 --- a/nodes/voc/infobeamer-cms.py +++ b/nodes/voc/infobeamer-cms.py @@ -34,8 +34,6 @@ nodes['voc.infobeamer-cms'] = { ], 'HOSTED_API_KEY': vault.decrypt('encrypt$gAAAAABhxJPH2sIGMAibU2Us1HoCVlNfF0SQQnVl0eiod48Zu8webL_-xk3wDw3yXw1Hkglj-2usl-D3Yd095yTSq0vZMCv2fh-JWwSPdJewQ45x9Ai4vXVD4CNz5vuJBESKS9xQWXTc'), 'INTERRUPT_KEY': vault.human_password_for('infobeamer-cms interrupt key 38c3', words=1), - 'DEFAULT_SSO_PROVIDER': 'github', - 'DEFAULT_ADMIN_SSO_PROVIDER': 'c3voc', 'SETUP_IDS': [ 255228, ], @@ -66,6 +64,8 @@ nodes['voc.infobeamer-cms'] = { or #info-beamer on the cccv rocketchat instance. '''.strip(), }, + 'DEFAULT_SSO_PROVIDER': 'c3hub', + 'DEFAULT_ADMIN_SSO_PROVIDER': 'c3voc', 'oauth2_providers': { #'github': { # 'client_id': vault.decrypt('encrypt$gAAAAABiNwHfIu9PYFfJrF7qirn_9vdvvUlEhJnadoNSS5XlCDbI_aMyj21_ZYQxaCkc6_eVX6Cj1jEHZ7Vs6wM-XyQdW0nUOahtqG4uvnYCiM3GFKHW_wQ='), From 1c8d2ccb665ea7234420aeb363cd0a54b5ec4db4 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Fri, 27 Dec 2024 09:59:14 +0100 Subject: [PATCH 880/996] home.nas: add time machine share for apfelcomputer --- nodes/home/nas.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nodes/home/nas.py b/nodes/home/nas.py index bf14b89..bcf1f80 100644 --- a/nodes/home/nas.py +++ b/nodes/home/nas.py @@ -195,7 +195,7 @@ nodes['home.nas'] = { '172.19.138.0/24', }, 'timemachine-shares': { - #'apfelcomputer', # hostname TBD + 'apfelcomputer', }, }, 'smartd': { From 9e2b36767f7361b96832516a3e2b0939a892fa1d Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Fri, 27 Dec 2024 09:59:35 +0100 Subject: [PATCH 881/996] home.nas: remove inbox user --- nodes/home/nas.py | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/nodes/home/nas.py b/nodes/home/nas.py index bcf1f80..ad18be3 100644 --- a/nodes/home/nas.py +++ b/nodes/home/nas.py 
@@ -252,11 +252,11 @@ nodes['home.nas'] = { 'enable_x_forwarding_for_admins': True, }, 'users': { - 'inbox': { - 'ssh_pubkey': { - #'command="/usr/share/rsync/scripts/rrsync -wo /storage/inbox/",no-agent-forwarding,no-port-forwarding,no-pty,no-user-rc,no-X11-forwarding ', - }, - }, + #'inbox': { + # 'ssh_pubkey': { + # #'command="/usr/share/rsync/scripts/rrsync -wo /storage/inbox/",no-agent-forwarding,no-port-forwarding,no-pty,no-user-rc,no-X11-forwarding ', + # }, + #}, 'kunsi': { 'groups': { 'nas', From 81376c950c862a3201315bd463b41db3f4ede616 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sat, 28 Dec 2024 10:26:30 +0100 Subject: [PATCH 882/996] bundles/samba: increase time machine disk size --- bundles/samba/files/smb.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/bundles/samba/files/smb.conf b/bundles/samba/files/smb.conf index 22905ee..7c4ad0b 100644 --- a/bundles/samba/files/smb.conf +++ b/bundles/samba/files/smb.conf @@ -61,7 +61,7 @@ fruit:delete_empty_adfiles = yes fruit:metadata = stream fruit:posix_rename = yes fruit:time machine = yes -fruit:time machine max size = 750G +fruit:time machine max size = 2000G fruit:veto_appledouble = no fruit:wipe_intentionally_left_blank_rfork = yes % endfor From 3e6872c96b8c1c004ac2855685353ac8960f9310 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sat, 28 Dec 2024 12:05:17 +0100 Subject: [PATCH 883/996] add .envrc --- .envrc | 3 +++ 1 file changed, 3 insertions(+) create mode 100644 .envrc diff --git a/.envrc b/.envrc new file mode 100644 index 0000000..20da331 --- /dev/null +++ b/.envrc @@ -0,0 +1,3 @@ +layout python3 + + source_env_if_exists .envrc.local From 5afe534d9cf5dfa28864571fe4b88ce8936d8c00 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sat, 28 Dec 2024 12:32:27 +0100 Subject: [PATCH 884/996] scripts/update-ssh-client-config: add configurable extra line --- scripts/update-ssh-client-config | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) 
diff --git a/scripts/update-ssh-client-config b/scripts/update-ssh-client-config index 0c2f7fd..dc86661 100755 --- a/scripts/update-ssh-client-config +++ b/scripts/update-ssh-client-config @@ -12,10 +12,20 @@ BW_TABLE_STYLE=grep bw nodes -a hostname -- "lambda:not node.dummy" | \ while read node addr do + if [[ -z "$BW_SSH_HOOK_EXTRA_LINE" ]] + then + echo "Host $addr" >>"$tmpfile" + echo "$BW_SSH_HOOK_EXTRA_LINE" >>"$tmpfile" + echo "" >>"$tmpfile" + fi echo "Host $node" >>"$tmpfile" echo "HostName $addr" >>"$tmpfile" + if [[ -z "$BW_SSH_HOOK_EXTRA_LINE" ]] + then + echo "$BW_SSH_HOOK_EXTRA_LINE" >>"$tmpfile" + fi echo "" >>"$tmpfile" done - mv "$tmpfile" ~/.ssh/bwnodes + mv "$tmpfile" ~/.ssh/config.d/bwnodes ) & From 1c3768100c292100631c68ae73d528dddc295ff5 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sat, 28 Dec 2024 12:34:37 +0100 Subject: [PATCH 885/996] update netbox to 4.1.10 --- nodes/carlene.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nodes/carlene.toml b/nodes/carlene.toml index 645a460..4581a4b 100644 --- a/nodes/carlene.toml +++ b/nodes/carlene.toml @@ -126,7 +126,7 @@ domain = "rss.franzi.business" [metadata.netbox] domain = "netbox.franzi.business" -version = "v4.1.9" +version = "v4.1.10" admins.kunsi = "hostmaster@kunbox.net" [metadata.nextcloud] From b84bfb909f80cc6bce577d45ce5847f41df996ed Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sat, 28 Dec 2024 17:22:21 +0100 Subject: [PATCH 886/996] fix update-ssh-client-config --- .gitignore | 2 ++ scripts/update-ssh-client-config | 4 ++-- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/.gitignore b/.gitignore index bbb5845..7a53a34 100644 --- a/.gitignore +++ b/.gitignore @@ -1,3 +1,5 @@ .secrets.cfg* __pycache__ *.swp +.direnv +.envrc.local diff --git a/scripts/update-ssh-client-config b/scripts/update-ssh-client-config index dc86661..ba5acde 100755 --- a/scripts/update-ssh-client-config +++ b/scripts/update-ssh-client-config 
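Review bot: `mv "$tmpfile" ~/.ssh/config.d/bwnodes` changes the output path to a subdirectory that nothing in the script creates, so on a machine without `~/.ssh/config.d` the `mv` fails and the generated config is lost; a `mkdir -p ~/.ssh/config.d` before the loop, and a comment noting that `~/.ssh/config` must `Include config.d/*` for the file to take effect, would make the script self-contained. The `-z` tests emit the extra line only when `BW_SSH_HOOK_EXTRA_LINE` is empty, which is the opposite of the stated intent (patch 886 on this page corrects them to `-n`). The enclosing subshell starts before and ends after this hunk.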
@@ -12,7 +12,7 @@ BW_TABLE_STYLE=grep bw nodes -a hostname -- "lambda:not node.dummy" | \ while read node addr do - if [[ -z "$BW_SSH_HOOK_EXTRA_LINE" ]] + if [[ -n "$BW_SSH_HOOK_EXTRA_LINE" ]] then echo "Host $addr" >>"$tmpfile" echo "$BW_SSH_HOOK_EXTRA_LINE" >>"$tmpfile" @@ -20,7 +20,7 @@ fi echo "Host $node" >>"$tmpfile" echo "HostName $addr" >>"$tmpfile" - if [[ -z "$BW_SSH_HOOK_EXTRA_LINE" ]] + if [[ -n "$BW_SSH_HOOK_EXTRA_LINE" ]] then echo "$BW_SSH_HOOK_EXTRA_LINE" >>"$tmpfile" fi From 0b18ae0d1b7ae028f3b57b2531ddbb99c1907525 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sat, 28 Dec 2024 17:26:55 +0100 Subject: [PATCH 887/996] add new ssh key for kunsi --- users.json | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/users.json b/users.json index 5d5b066..031215c 100644 --- a/users.json +++ b/users.json @@ -11,7 +11,8 @@ }, "kunsi": { "ssh_pubkey": [ - "ssh-rsa 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 cardno:000609506971" + "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBG56iljhXQfY0euup1tUtMaFTONGI022uq/kpFOmIQVXeuIClcVB2p4BjL+GwRV51NnpqH9J+qow0/XK3YQkiHY=", + "ssh-rsa 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" ], "email": "encrypt$gAAAAABfuXj1DQ3yUn0rEdN2koT1hzgHwCwNp00a0KkWoT_FTsild1zIBpfIiI07AmgIZ5FpyhKH5bSdCVLKc0p4rQuxLrLWpw==", "phone": "encrypt$gAAAAABfuXkP2GetSvTd9JJFz4V2v5r5NubihFRg2AB91mtvXpUVUiflzy1VHQJ_qbp6Rke5LEXbtlluNkAa3OOAr_c9L6Pstw==", 
@@ -19,7 +20,7 @@ }, "sophie": { "ssh_pubkey": [ - "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDU7XmpX4w+rGQDi+dF6M0q65K2iHVgD1wHBoHREjyqCzmPGZgrnLIv6EN9WWJXjCgRdLEUXgPn7PNJnAgBs3U8G8MsF55yrPNUIsEeg6v+Y6zibEujMrwmeDSk0XAn8iSZcy+4cnqykIMk9Hd5WXW7ZhSHGs4MftWn3Z/q15qPHl/w9OyaKDJAjk8yEsD1sZoAQMhomKliKjJ5a6jNyf7otS3HdbZx4KXABJNuWn/IvmwkcaIU8ljyuPkPkiMn5JWhcUK2kE81Y4a5zJxxusSXSF6Ip7W2Rhv+4gnScTjhTPsG70HlSF/LAB2ytKo0F0N/ZB2hJk+Jq6cAwNBzuST7 sophie@ejgwmobile" + "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDU7XmpX4w+rGQDi+dF6M0q65K2iHVgD1wHBoHREjyqCzmPGZgrnLIv6EN9WWJXjCgRdLEUXgPn7PNJnAgBs3U8G8MsF55yrPNUIsEeg6v+Y6zibEujMrwmeDSk0XAn8iSZcy+4cnqykIMk9Hd5WXW7ZhSHGs4MftWn3Z/q15qPHl/w9OyaKDJAjk8yEsD1sZoAQMhomKliKjJ5a6jNyf7otS3HdbZx4KXABJNuWn/IvmwkcaIU8ljyuPkPkiMn5JWhcUK2kE81Y4a5zJxxusSXSF6Ip7W2Rhv+4gnScTjhTPsG70HlSF/LAB2ytKo0F0N/ZB2hJk+Jq6cAwNBzuST7" ] } } From 68fced83d6610353b44fb231768e6bb10bbda06b Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Tue, 31 Dec 2024 09:30:46 +0000 Subject: [PATCH 888/996] htz-cloud.wireguard: replace vpn of kunsi-p14s with apfelcomputer --- nodes/htz-cloud/wireguard.py | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/nodes/htz-cloud/wireguard.py b/nodes/htz-cloud/wireguard.py index df618ea..d7f97ff 100644 --- a/nodes/htz-cloud/wireguard.py +++ b/nodes/htz-cloud/wireguard.py 
@@ -101,12 +101,21 @@ nodes['htz-cloud.wireguard'] = { 'psk': vault.decrypt('encrypt$gAAAAABlbr26kyQ_DNIObVNtG31e1uSZkfDKH9Y1tzq8ZNSAMeuEh30cMJBZQskLLYqt5HUGd-YFwYQB_E7oa-WWbHmDh4vAxJ22Efr85tA0TWsgkc2KvKHqZrNo-GCXhxCqs7SqhW1C'), 'pubkey': vault.decrypt('encrypt$gAAAAABlbr27doNVsPXF7hMpAp93fP-h_jlW10zycZAHy05r4R7rOZrLqf5b-lhdamx_kQxypYtcW-jOCYgcqWNsId7RluEmFo3drFuUYKIa32YU_U0Pe5EjVRFz_tuf9NRPPugmHb22'), }, - 'kunsi-p14s': { + #'kunsi-p14s': { + # 'endpoint': None, + # 'exclude_from_monitoring': True, + # 'my_ip': '172.19.136.64', + # 'my_port': 1194, + # 'their_ip': '172.19.136.65', + #}, + 'apfelcomputer': { 'endpoint': None, 'exclude_from_monitoring': True, 'my_ip': '172.19.136.64', 'my_port': 1194, 'their_ip': '172.19.136.65', + 'psk': vault.decrypt('encrypt$gAAAAABnc7LZSHWmOOQJpbtnpMn9QuWnbiB-6rShwgqbilVd45GzkUwOfEHBw28P_TVm9XJgFiQPOIo12DdxPCzSxKRtcqzji72QCzTlze4ZYWjL-iHm7TydLcKzXOTCO42LKpkMPUgR'), + 'pubkey': vault.decrypt('encrypt$gAAAAABnc7LZpfAeig8yCdcZ-NegshXl-DmkJr0F2OlQR2fqhVnrfKPjgOu-5Cq09KnhdvhomGx_9ZtoFS_3OsVqcFHEasBh27aQN41xZPzEN5-qIPQRnmVoTHpufcU6tC-37Fq-PeAE'), }, }, }, From fed3d5dfdcf36c5289ef80976bcd31fbd68d36b6 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Tue, 31 Dec 2024 13:17:07 +0000 Subject: [PATCH 889/996] correct kunsi ssh key --- users.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/users.json b/users.json index 031215c..d422a05 100644 --- a/users.json +++ b/users.json 
@@ -11,7 +11,7 @@ }, "kunsi": { "ssh_pubkey": [ - "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBG56iljhXQfY0euup1tUtMaFTONGI022uq/kpFOmIQVXeuIClcVB2p4BjL+GwRV51NnpqH9J+qow0/XK3YQkiHY=", + "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBKxEkRuXD/83N6cB1/hz8e0VvwEbPDNvnA/NiEeKOtAI0s2AlluJ5VrQHzxmLkwpBca9SlZo56MskzSYNqN6AgI=", "ssh-rsa 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" ], "email": "encrypt$gAAAAABfuXj1DQ3yUn0rEdN2koT1hzgHwCwNp00a0KkWoT_FTsild1zIBpfIiI07AmgIZ5FpyhKH5bSdCVLKc0p4rQuxLrLWpw==", From d27c42d51ad6c2b6d218f3eae8c569e5462caf8e Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Tue, 31 Dec 2024 13:17:25 +0000 Subject: [PATCH 890/996] home.nas: allow molly to coonect to mqtt --- nodes/home/nas.py | 1 + 1 file changed, 1 insertion(+) diff --git a/nodes/home/nas.py b/nodes/home/nas.py index ad18be3..576aa3e 100644 --- a/nodes/home/nas.py +++ b/nodes/home/nas.py @@ -148,6 +148,7 @@ nodes['home.nas'] = { 'restrict-to': { '172.19.136.0/25', '172.19.138.0/24', + 'htz-cloud.molly-connector', }, }, 'nfs-server': { From f67de1ea1b3b78c7b38fb0a27f2072a97699f9b2 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 5 Jan 2025 10:46:51 +0100 Subject: [PATCH 891/996] ihome.nas: disable ipv6 on avahi to try to mitigate intermittent problems --- bundles/avahi-daemon/files/avahi-daemon.conf | 4 ++-- bundles/avahi-daemon/metadata.py | 3 +++ nodes/home/nas.py | 3 +++ 3 files changed, 8 insertions(+), 2 deletions(-) diff --git a/bundles/avahi-daemon/files/avahi-daemon.conf b/bundles/avahi-daemon/files/avahi-daemon.conf index efdd222..0ad1412 100644 --- a/bundles/avahi-daemon/files/avahi-daemon.conf +++ b/bundles/avahi-daemon/files/avahi-daemon.conf 
@@ -1,7 +1,7 @@ [server] host-name=${node.name.split('.')[-1]} use-ipv4=yes -use-ipv6=yes +use-ipv6=${'yes' if node.metadata.get('avahi-daemon/use-ipv6') else 'no'} allow-interfaces=${','.join(sorted(node.metadata.get('interfaces', {}).keys()))} ratelimit-interval-usec=1000000 ratelimit-burst=1000 @@ -14,7 +14,7 @@ disable-publishing=no disable-user-service-publishing=no publish-hinfo=yes publish-workstation=no -publish-aaaa-on-ipv4=yes +publish-aaaa-on-ipv4=no publish-a-on-ipv6=no [reflector] diff --git a/bundles/avahi-daemon/metadata.py b/bundles/avahi-daemon/metadata.py index 0bb909f..f6c3ef5 100644 --- a/bundles/avahi-daemon/metadata.py +++ b/bundles/avahi-daemon/metadata.py @@ -5,4 +5,7 @@ defaults = { 'libnss-mdns': {}, }, }, + 'avahi-daemon': { + 'use-ipv6': True, + } } diff --git a/nodes/home/nas.py b/nodes/home/nas.py index 576aa3e..c1adeb1 100644 --- a/nodes/home/nas.py +++ b/nodes/home/nas.py @@ -56,6 +56,9 @@ nodes['home.nas'] = { # systemctl start yate }, }, + 'avahi-daemon': { + 'use-ipv6': False, # because having a dynamic address confuses the network somehow + }, 'backups': { 'paths': { '/storage/nas/Audiobooks', From 1a34555530953ed16a12f9637be22f5abb0fbfc8 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Mon, 6 Jan 2025 19:44:06 +0100 Subject: [PATCH 892/996] bundles/rspamd: use metadata.get() --- bundles/rspamd/items.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/bundles/rspamd/items.py b/bundles/rspamd/items.py index 0491d17..2f9aacb 100644 --- a/bundles/rspamd/items.py +++ b/bundles/rspamd/items.py @@ -96,7 +96,7 @@ if 'dkim' in node.metadata.get('rspamd', {}): }, } - dkim_key = repo.libs.faults.ensure_fault_or_none(node.metadata['rspamd']['dkim']) + dkim_key = repo.libs.faults.ensure_fault_or_none(node.metadata.get('rspamd/dkim')) actions = { 'rspamd_assure_dkim_key_permissions': { From 46c761a3c21617223650c976b51634e8b7f48ddc Mon Sep 17 00:00:00 2001 
From: Franziska Kunsmann Date: Mon, 6 Jan 2025 19:44:41 +0100 Subject: [PATCH 893/996] home.nas: more weird avahi fixups --- nodes/home/nas.py | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/nodes/home/nas.py b/nodes/home/nas.py index c1adeb1..a5b904d 100644 --- a/nodes/home/nas.py +++ b/nodes/home/nas.py @@ -71,6 +71,11 @@ nodes['home.nas'] = { '/storage/nas/normen', }, }, + 'cron': { + 'jobs': { + 'avahi-aruba-fixup': '17,47 * * * * root /usr/bin/systemctl restart avahi-daemon.service', + }, + }, 'dm-crypt': { 'encrypted-devices': { '/dev/disk/by-id/ata-Samsung_SSD_870_QVO_8TB_S5SSNJ0X409404K': { From 5df7bdf2da4f847b1020cee481a6e60f5a8fe8a5 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Mon, 6 Jan 2025 19:46:13 +0100 Subject: [PATCH 894/996] fix kunsis ssh key (again) --- users.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/users.json b/users.json index d422a05..0dab537 100644 --- a/users.json +++ b/users.json 
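Review bot: The `avahi-aruba-fixup` cron job restarts avahi-daemon twice an hour with no explanation of what it works around, and since the time machine shares on this node are discovered through avahi, each restart briefly withdraws the `_adisk._tcp`/`_smb._tcp` announcements. A comment naming the symptom being mitigated, for example `# workaround: mDNS records seem to stop being answered after a while (Aruba APs suspected); re-announce by restarting`, hedged as appropriate, would let a future maintainer remove the job once the root cause is fixed. The `nodes['home.nas']` literal continues outside the hunk.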
@@ -11,7 +11,7 @@ }, "kunsi": { "ssh_pubkey": [ - "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBKxEkRuXD/83N6cB1/hz8e0VvwEbPDNvnA/NiEeKOtAI0s2AlluJ5VrQHzxmLkwpBca9SlZo56MskzSYNqN6AgI=", + "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBLpRRSFhzPC8xNorYiNDG37JivSSER+oUNjSFwJ+4Gn8QdcM5sjQZsokAEFs5AsAWl1i7d/qceA2JGG4jCwDBx0=", "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC+ja1z5VRQzaKCCePsUM14qMr9QR94qlWc7Je5Poki9UmC1t/TyxRVzcCBL1ZdIfBGx6QKtfkEbvhgb3nxVt3PvXjoJrc6wwGLmNrVsU6B88y35g7nzupQiPKYJwkNzJ9j6Dmkgj1F5Q+aY2SitDaX6vqICLJ4Al/ZFw2IQxVJfC7JXRJ9jRMG5o9gWoE3gWDYEAmw+HU2mNzyeuaD12qJw9DHUimAlgkOWzll3gh9WclsYnnXGrCCn5fyHFUCJl+XXAIy519z7YTpKih02rsIOw5dnaGClBZD/YQu2ZKVFZiwIVH7aBiqHOmtgRyWTQgjbh/fMpIN0ar2f/iZsWYUjd6et48TOmXZYIPCQ5FivXNvxt9oo1XZfq76UHBwlmypLJIWROMbz375n2M6hr3hECuxuPjKEUXAv05KiC1aJ4xc6pFoVhqwAR99hvHw5U4o7/ko2NVjNpTu6Jr5DT5VaQLIdDDjC/93kUjMpdD/8P72bEn7454+WexU6OE6uvNiHj1fetrptr2UAuzVfnCoaV8pBqY7X95gk+lnSENdpr8ltJYMg8s0Z7Pzz0OxsZtzzDY5VmWfC9TCdJkN5lT8IbnaixsYlWdjQl1lMmZGElmelfU3K7YQLAbZiHmHKe4hTl9ZoCcWdTQ3d4y2t1DBos+N2HZNdtFCyOS8esDdMw==" ], "email": "encrypt$gAAAAABfuXj1DQ3yUn0rEdN2koT1hzgHwCwNp00a0KkWoT_FTsild1zIBpfIiI07AmgIZ5FpyhKH5bSdCVLKc0p4rQuxLrLWpw==", From 0b09537ba4643c99c3d28d41ddc22738eb838755 Mon Sep 17 00:00:00 2001 
From: Franziska Kunsmann Date: Mon, 6 Jan 2025 20:12:06 +0100 Subject: [PATCH 895/996] dismantle all arch infrastructure --- bundles/arch-with-gui/files/50-network.conf | 5 - bundles/arch-with-gui/files/autologin.conf | 3 - bundles/arch-with-gui/items.py | 110 -------- bundles/arch-with-gui/metadata.py | 124 --------- bundles/basic/items.py | 1 - bundles/bird/items.py | 9 +- bundles/bird/metadata.py | 9 - bundles/cron/items.py | 11 +- bundles/cron/metadata.py | 5 - bundles/icinga2/items.py | 16 -- bundles/ipmitool/metadata.py | 5 - bundles/letsencrypt/metadata.py | 9 - bundles/lldp/metadata.py | 11 - bundles/lm-sensors/metadata.py | 5 - bundles/nfs-client/items.py | 9 +- bundles/nfs-client/metadata.py | 5 - bundles/nftables/items.py | 7 +- bundles/nftables/metadata.py | 17 -- bundles/nginx/files/arch-override.conf | 9 - bundles/nginx/files/nginx.conf | 2 +- bundles/nginx/items.py | 22 +- bundles/nginx/metadata.py | 5 - bundles/openssh/items.py | 13 +- bundles/openssh/metadata.py | 5 - .../pacman/files/check_unattended_upgrades | 38 --- bundles/pacman/files/do-unattended-upgrades | 18 -- bundles/pacman/files/faillock.conf | 2 - bundles/pacman/files/pacman.conf | 40 --- bundles/pacman/files/upgrade-and-reboot | 49 ---- bundles/pacman/files/upgrade-and-reboot.conf | 3 - bundles/pacman/items.py | 109 -------- bundles/pacman/metadata.py | 55 ---- bundles/postfix/files/arch-override.conf | 6 - bundles/postfix/items.py | 19 +- bundles/postfix/metadata.py | 8 +- bundles/sshmon/items.py | 9 - bundles/sshmon/metadata.py | 8 - bundles/sudo/metadata.py | 5 - bundles/systemd-boot/files/entry | 13 - bundles/systemd-boot/files/loader.conf | 5 - bundles/systemd-boot/files/pacman_hook | 9 - bundles/systemd-boot/items.py | 32 --- bundles/telegraf/metadata.py | 10 - bundles/users/metadata.py | 5 - bundles/vmhost/items.py | 9 - bundles/vmhost/metadata.py | 9 - .../files/crs-runner.service | 16 -- bundles/voc-tracker-worker/files/environment | 6 - bundles/voc-tracker-worker/items.py | 
56 ---- bundles/voc-tracker-worker/metadata.py | 52 ---- bundles/wireguard/metadata.py | 2 +- .../files/zfs-import-scan-override.service | 4 - bundles/zfs/items.py | 3 - bundles/zfs/metadata.py | 18 -- groups/os.py | 8 - hooks/test_zfs_consistency.py | 2 +- nodes/fkusei-locutus.py | 190 ------------- nodes/htz-cloud.aurto.toml | 59 ---- nodes/kunsi-p14s.py | 251 ------------------ 59 files changed, 21 insertions(+), 1524 deletions(-) delete mode 100644 bundles/arch-with-gui/files/50-network.conf delete mode 100644 bundles/arch-with-gui/files/autologin.conf delete mode 100644 bundles/arch-with-gui/items.py delete mode 100644 bundles/arch-with-gui/metadata.py delete mode 100644 bundles/nginx/files/arch-override.conf delete mode 100644 bundles/pacman/files/check_unattended_upgrades delete mode 100644 bundles/pacman/files/do-unattended-upgrades delete mode 100644 bundles/pacman/files/faillock.conf delete mode 100644 bundles/pacman/files/pacman.conf delete mode 100644 bundles/pacman/files/upgrade-and-reboot delete mode 100644 bundles/pacman/files/upgrade-and-reboot.conf delete mode 100644 bundles/pacman/items.py delete mode 100644 bundles/pacman/metadata.py delete mode 100644 bundles/postfix/files/arch-override.conf delete mode 100755 bundles/systemd-boot/files/entry delete mode 100755 bundles/systemd-boot/files/loader.conf delete mode 100644 bundles/systemd-boot/files/pacman_hook delete mode 100644 bundles/systemd-boot/items.py delete mode 100644 bundles/voc-tracker-worker/files/crs-runner.service delete mode 100644 bundles/voc-tracker-worker/files/environment delete mode 100644 bundles/voc-tracker-worker/items.py delete mode 100644 bundles/voc-tracker-worker/metadata.py delete mode 100644 nodes/fkusei-locutus.py delete mode 100644 nodes/htz-cloud.aurto.toml delete mode 100644 nodes/kunsi-p14s.py diff --git a/bundles/arch-with-gui/files/50-network.conf b/bundles/arch-with-gui/files/50-network.conf deleted file mode 100644 index 39c38f2..0000000 
--- a/bundles/arch-with-gui/files/50-network.conf +++ /dev/null @@ -1,5 +0,0 @@ -context.exec = [ - { path = "pactl" args = "load-module module-native-protocol-tcp" } - { path = "pactl" args = "load-module module-zeroconf-discover" } - { path = "pactl" args = "load-module module-zeroconf-publish" } -] diff --git a/bundles/arch-with-gui/files/autologin.conf b/bundles/arch-with-gui/files/autologin.conf deleted file mode 100644 index 9398062..0000000 --- a/bundles/arch-with-gui/files/autologin.conf +++ /dev/null @@ -1,3 +0,0 @@ -[Autologin] -User=${user} -Session=i3.desktop diff --git a/bundles/arch-with-gui/items.py b/bundles/arch-with-gui/items.py deleted file mode 100644 index 5a35931..0000000 --- a/bundles/arch-with-gui/items.py +++ /dev/null 
@@ -1,110 +0,0 @@ -from os import listdir -from os.path import join - -actions = { - 'fc-cache_flush': { - 'command': 'fc-cache -f', - 'triggered': True, - 'needs': { - 'pkg_pacman:fontconfig', - }, - }, - 'i3pystatus_create_virtualenv': { - 'command': '/usr/bin/python3 -m virtualenv -p python3 /opt/i3pystatus/venv/', - 'unless': 'test -d /opt/i3pystatus/venv/', - 'needs': { - 'directory:/opt/i3pystatus/src', - 'pkg_pacman:python-virtualenv', - }, - }, - 'i3pystatus_install': { - 'command': ' && '.join([ - 'cd /opt/i3pystatus/src', - '/opt/i3pystatus/venv/bin/pip install --upgrade pip colour netifaces basiciw pytz', - '/opt/i3pystatus/venv/bin/pip install --upgrade -e .', - ]), - 'needs': { - 'action:i3pystatus_create_virtualenv', - }, - 'triggered': True, - }, -} - -directories = { - '/etc/sddm.conf.d': { - 'purge': True, - }, - '/opt/i3pystatus/src': {}, - '/usr/share/fonts/bundlewrap': { - 'purge': True, - 'triggers': { - 'action:fc-cache_flush', - }, - }, -} - -svc_systemd = { - 'avahi-daemon': { - 'needs': { - 'pkg_pacman:avahi', - }, - }, - 'sddm': { - 'needs': { - 'pkg_pacman:sddm', - }, - }, -} - -git_deploy = { - '/opt/i3pystatus/src': { - 'repo': 'https://github.com/enkore/i3pystatus.git', - 'rev': 'current', - 'triggers': { - 'action:i3pystatus_install', - }, - }, -} - -files['/etc/pipewire/pipewire-pulse.conf.d/50-network.conf'] = {} - -for filename in listdir(join(repo.path, 'data', 'arch-with-gui', 'files', 'fonts')): - if filename.startswith('.'): - continue - - if filename.endswith('.vault'): - # XXX remove this once we have a new bundlewrap release - # https://github.com/bundlewrap/bundlewrap/commit/2429b153dd1ca6781cf3812e2dec9c2b646a546b - from os import environ - if environ.get('BW_VAULT_DUMMY_MODE', '0') == '1': - continue - - font_name = filename[:-6] - attrs = { - 'content': repo.vault.decrypt_file_as_base64(join('arch-with-gui', 'files', 'fonts', filename)), - 'content_type': 'base64', - } - else: - font_name = filename - attrs = { - 
'source': join('fonts', filename), - 'content_type': 'binary', - } - - files[f'/usr/share/fonts/bundlewrap/{font_name}'] = { - 'triggers': { - 'action:fc-cache_flush', - }, - **attrs, - } - -if node.metadata.get('arch-with-gui/autologin_as', None): - files['/etc/sddm.conf.d/autologin.conf'] = { - 'context': { - 'user': node.metadata.get('arch-with-gui/autologin_as'), - }, - 'content_type': 'mako', - 'before': { - 'svc_systemd:sddm', - }, - } diff --git a/bundles/arch-with-gui/metadata.py b/bundles/arch-with-gui/metadata.py deleted file mode 100644 index f1fa8d0..0000000 --- a/bundles/arch-with-gui/metadata.py +++ /dev/null 
@@ -1,124 +0,0 @@ -assert node.os == 'arch' - -defaults = { - 'backups': { - 'paths': { - '/etc/netctl', - }, - }, - 'icinga_options': { - 'exclude_from_monitoring': True, - }, - 'nftables': { - 'input': { - '50-avahi': { - 'udp dport 5353 accept', - 'udp sport 5353 accept', - }, - }, - }, - 'pacman': { - 'packages': { - # fonts - 'fontconfig': {}, - 'ttf-dejavu': { - 'needed_by': { - 'pkg_pacman:sddm', - }, - }, - - # login management - 'sddm': {}, - - # networking - 'avahi': {}, - 'netctl': {}, - 'util-linux': {}, # provides rfkill - 'wpa_supplicant': {}, - 'wpa_actiond': {}, - - # shell and other gui stuff - 'dunst': {}, - 'fish': {}, - 'kitty': {}, - 'libnotify': {}, # provides notify-send - 'light': {}, - 'redshift': {}, - 'rofi': {}, - - # sound - 'calf': {}, - 'easyeffects': {}, - 'lsp-plugins': {}, - 'pavucontrol': {}, - 'pipewire': {}, - 'pipewire-jack': {}, - 'pipewire-pulse': {}, - 'pipewire-zeroconf': {}, - 'qpwgraph': {}, - - # window management - 'i3-wm': {}, - 'i3lock': {}, - 'xss-lock': {}, - - # i3pystatus dependencies - 'iw': {}, - 'wireless_tools': {}, - - # Xorg - 'xf86-input-libinput': {}, - 'xf86-input-wacom': {}, - 'xorg-server': {}, - 'xorg-setxkbmap': {}, - 'xorg-xev': {}, - 'xorg-xinput': {}, - 'xorg-xset': {}, - - # all them apps - 'browserpass': {}, - 'browserpass-firefox': {}, - 'ffmpeg': {}, - 'firefox': {}, - 'gimp': {}, - 'imagemagick': {}, - 'inkscape': {}, - 'kdenlive': {}, - 'maim': {}, - 'mosh': {}, - 'mosquitto': {}, - 'mpv': {}, - 'pass': {}, - 'pass-otp': {}, - 'pdftk': {}, - 'pwgen': {}, - 'qpdfview': {}, - 'samba': {}, - 'shotcut': {}, - 'sipcalc': {}, - 'the_silver_searcher': {}, - 'tlp': {}, - 'virt-manager': {}, - 'xclip': {}, - 'xdotool': {}, # needed for maim window selection - }, - }, -} - -@metadata_reactor.provides( - 'backups/paths', -) -def backup_every_user_home(metadata): - paths = set() - - for user, config in metadata.get('users', {}).items(): - if config.get('delete', False): - continue - - 
paths.add(config.get('home', f'/home/{user}'))
-
- return {
- 'backups': {
- 'paths': paths,
- },
- }
diff --git a/bundles/basic/items.py b/bundles/basic/items.py
index e0f9242..c2cdd49 100644
--- a/bundles/basic/items.py
+++ b/bundles/basic/items.py
@@ -24,7 +24,6 @@ files = {
 'before': {
 'action:',
 'pkg_apt:',
- 'pkg_pacman:',
 },
 },
 }
diff --git a/bundles/bird/items.py b/bundles/bird/items.py
index 38a1549..4c4b51c 100644
--- a/bundles/bird/items.py
+++ b/bundles/bird/items.py
@@ -1,10 +1,5 @@
-if node.os == 'arch':
- filename = '/etc/bird.conf'
-else:
- filename = '/etc/bird/bird.conf'
-
 files = {
- filename: {
+ '/etc/bird/bird.conf': {
 'content_type': 'mako',
 'triggers': {
 'svc_systemd:bird:reload',
@@ -15,7 +10,7 @@ files = {
 svc_systemd = {
 'bird': {
 'needs': {
- f'file:(unknown)',
+ f'file:/etc/bird/bird.conf',
 },
 },
 }
diff --git a/bundles/bird/metadata.py b/bundles/bird/metadata.py
index bc6be9a..f6096a7 100644
--- a/bundles/bird/metadata.py
+++ b/bundles/bird/metadata.py
@@ -13,15 +13,6 @@ defaults = {
 },
 },
 },
- 'pacman': {
- 'packages': {
- 'bird': {
- 'needed_by': {
- 'svc_systemd:bird',
- },
- },
- },
- },
 'sysctl': {
 'options': {
 'net.ipv4.conf.all.forwarding': '1',
diff --git a/bundles/cron/items.py b/bundles/cron/items.py
index 72e8711..577bb59 100644
--- a/bundles/cron/items.py
+++ b/bundles/cron/items.py
@@ -1,10 +1,3 @@
-if node.os == 'arch':
- service_name = 'cronie'
- package_name = 'pkg_pacman:cronie'
-else:
- service_name = 'cron'
- package_name = 'pkg_apt:cron'
-
 files = {
 '/etc/crontab': {
 'content_type': 'mako',
@@ -24,9 +17,9 @@ directories = {
 }
 svc_systemd = {
- service_name: {
+ 'cron': {
 'needs': {
- package_name,
+ 'pkg_apt:cron',
 },
 },
 }
diff --git a/bundles/cron/metadata.py b/bundles/cron/metadata.py
index 66d612a..67b2b22 100644
--- a/bundles/cron/metadata.py
+++ b/bundles/cron/metadata.py
@@ -4,9 +4,4 @@ defaults = {
 'cron': {},
 },
 },
- 'pacman': {
- 'packages': {
- 'cronie': {},
- },
- },
 }
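Review bot: `f'file:/etc/bird/bird.conf'` in the second hunk of bundles/bird/items.py keeps the `f` prefix from the removed line although the new string contains no placeholder, leaving an f-string with nothing to interpolate (ruff F541); write `'file:/etc/bird/bird.conf',`. The same path is now spelled out twice in the file, as the `files` key in the first hunk and in this `needs` entry, so a module-level constant such as `BIRD_CONF = '/etc/bird/bird.conf'` used in both places would keep them from drifting apart. The `svc_systemd` dict closes outside the hunk.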
diff --git a/bundles/icinga2/items.py b/bundles/icinga2/items.py index 804d920..6f8de54 100644 --- a/bundles/icinga2/items.py +++ b/bundles/icinga2/items.py @@ -401,22 +401,6 @@ for rnode in sorted(repo.nodes): DAYS_TO_STRING[day%7]: f'{hour}:{minute}-{hour}:{minute+15}', }, }) - elif ( - rnode.has_bundle('pacman') - and rnode.metadata.get('pacman/unattended-upgrades/is_enabled', False) - ): - day = rnode.metadata.get('pacman/unattended-upgrades/day') - hour = rnode.metadata.get('pacman/unattended-upgrades/hour') - minute = rnode.magic_number%30 - - downtimes.append({ - 'name': 'unattended-upgrades', - 'host': rnode.name, - 'comment': f'Downtime for upgrade-and-reboot of node {rnode.name}', - 'times': { - DAYS_TO_STRING[day%7]: f'{hour}:{minute}-{hour}:{minute+15}', - }, - }) files['/etc/icinga2/conf.d/groups.conf'] = { 'source': 'icinga2/groups.conf', diff --git a/bundles/ipmitool/metadata.py b/bundles/ipmitool/metadata.py index a340a7a..e908366 100644 --- a/bundles/ipmitool/metadata.py +++ b/bundles/ipmitool/metadata.py @@ -19,9 +19,4 @@ defaults = { '/usr/bin/ipmitool *', }, }, - 'pacman': { - 'packages': { - 'ipmitool': {}, - }, - }, } diff --git a/bundles/letsencrypt/metadata.py b/bundles/letsencrypt/metadata.py index 09620c4..ffeb084 100644 --- a/bundles/letsencrypt/metadata.py +++ b/bundles/letsencrypt/metadata.py @@ -13,15 +13,6 @@ defaults = { }, }, }, - 'pacman': { - 'packages': { - 'dehydrated': { - 'needed_by': { - 'action:letsencrypt_update_certificates', - }, - }, - }, - }, } diff --git a/bundles/lldp/metadata.py b/bundles/lldp/metadata.py index 7a499dd..2f1875c 100644 --- a/bundles/lldp/metadata.py +++ b/bundles/lldp/metadata.py @@ -10,15 +10,4 @@ defaults = { }, }, }, - 'pacman': { - 'packages': { - 'lldpd': { - 'needed_by': { - 'directory:/etc/lldpd.d', - 'file:/etc/lldpd.conf', - 'svc_systemd:lldpd', - }, - }, - }, - }, } diff --git a/bundles/lm-sensors/metadata.py b/bundles/lm-sensors/metadata.py index ffd3900..01a6d1a 100644 
--- a/bundles/lm-sensors/metadata.py +++ b/bundles/lm-sensors/metadata.py @@ -4,11 +4,6 @@ defaults = { 'lm-sensors': {}, }, }, - 'pacman': { - 'packages': { - 'lm_sensors': {}, - }, - }, 'telegraf': { 'input_plugins': { 'builtin': { diff --git a/bundles/nfs-client/items.py b/bundles/nfs-client/items.py index 918d02c..97cebc4 100644 --- a/bundles/nfs-client/items.py +++ b/bundles/nfs-client/items.py @@ -1,8 +1,3 @@ -if node.has_bundle('pacman'): - package = 'pkg_pacman:nfs-utils' -else: - package = 'pkg_apt:nfs-common' - for mount, data in node.metadata.get('nfs-client/mounts',{}).items(): data['mount'] = mount data['mount_options'] = set(data.get('mount_options', set())) @@ -42,7 +37,7 @@ for mount, data in node.metadata.get('nfs-client/mounts',{}).items(): 'file:/etc/systemd/system/{}.automount'.format(unitname), 'directory:{}'.format(data['mountpoint']), 'svc_systemd:systemd-networkd', - package, + 'pkg_apt:nfs-common', }, } else: @@ -58,7 +53,7 @@ for mount, data in node.metadata.get('nfs-client/mounts',{}).items(): 'file:/etc/systemd/system/{}.mount'.format(unitname), 'directory:{}'.format(data['mountpoint']), 'svc_systemd:systemd-networkd', - package, + 'pkg_apt:nfs-common', }, } diff --git a/bundles/nfs-client/metadata.py b/bundles/nfs-client/metadata.py index c59ee60..93bf66e 100644 --- a/bundles/nfs-client/metadata.py +++ b/bundles/nfs-client/metadata.py @@ -4,11 +4,6 @@ defaults = { 'nfs-common': {}, }, }, - 'pacman': { - 'packages': { - 'nfs-utils': {}, - }, - }, } if node.has_bundle('telegraf'): diff --git a/bundles/nftables/items.py b/bundles/nftables/items.py index 9bbe11f..fc943d4 100644 --- a/bundles/nftables/items.py +++ b/bundles/nftables/items.py @@ -1,8 +1,3 @@ -if node.has_bundle('pacman'): - package = 'pkg_pacman:nftables' -else: - package = 'pkg_apt:nftables' - directories = { # used by other bundles '/etc/nftables-rules.d': { 
@@ -42,7 +37,7 @@ svc_systemd = { 'nftables': { 'needs': { 'file:/etc/nftables.conf', - package, + 'pkg_apt:nftables', }, }, } diff --git a/bundles/nftables/metadata.py b/bundles/nftables/metadata.py index 15f34d4..4fac791 100644 --- a/bundles/nftables/metadata.py +++ b/bundles/nftables/metadata.py @@ -10,23 +10,6 @@ defaults = { 'blocked_v4': repo.libs.firewall.global_ip4_blocklist, 'blocked_v6': repo.libs.firewall.global_ip6_blocklist, }, - 'pacman': { - 'packages': { - 'nftables': {}, -# https://github.com/bundlewrap/bundlewrap/issues/688 -# 'iptables': { -# 'installed': False, -# 'needed_by': { -# 'pkg_pacman:iptables-nft', -# }, -# }, - 'iptables-nft': { - 'needed_by': { - 'pkg_pacman:nftables', - }, - }, - }, - }, } if not node.has_bundle('vmhost') and not node.has_bundle('docker-engine'): diff --git a/bundles/nginx/files/arch-override.conf b/bundles/nginx/files/arch-override.conf deleted file mode 100644 index 5496fe6..0000000 --- a/bundles/nginx/files/arch-override.conf +++ /dev/null @@ -1,9 +0,0 @@ -[Service] -ExecStart= -ExecStart=/usr/sbin/nginx -c /etc/nginx/nginx.conf - -ExecReload= -ExecReload=/bin/sh -c "/bin/kill -s HUP $(/bin/cat /var/run/nginx.pid)" - -ExecStop= -ExecStop=/bin/sh -c "/bin/kill -s TERM $(/bin/cat /var/run/nginx.pid)" diff --git a/bundles/nginx/files/nginx.conf b/bundles/nginx/files/nginx.conf index 2c20144..7f7bd77 100644 --- a/bundles/nginx/files/nginx.conf +++ b/bundles/nginx/files/nginx.conf @@ -1,4 +1,4 @@ -user ${username}; +user www-data; worker_processes ${worker_processes}; pid /var/run/nginx.pid; diff --git a/bundles/nginx/items.py b/bundles/nginx/items.py index 53edc86..2928686 100644 --- a/bundles/nginx/items.py +++ b/bundles/nginx/items.py @@ -1,12 +1,5 @@ from datetime import datetime, timedelta -if node.has_bundle('pacman'): - package = 'pkg_pacman:nginx' - username = 'http' -else: - package = 'pkg_apt:nginx' - username = 'www-data' - directories = { '/etc/nginx/sites': { 'purge': True, 
@@ -24,9 +17,9 @@ directories = { }, }, '/var/log/nginx-timing': { - 'owner': username, + 'owner': 'www-data', 'needs': { - package, + 'pkg_apt:nginx', }, }, '/var/www': {}, @@ -40,7 +33,6 @@ files = { '/etc/nginx/nginx.conf': { 'content_type': 'mako', 'context': { - 'username': username, **node.metadata['nginx'], }, 'triggers': { @@ -69,21 +61,13 @@ files = { '/var/www/error.html': {}, '/var/www/not_found.html': {}, } -if node.has_bundle('pacman'): - files['/etc/systemd/system/nginx.service.d/bundlewrap.conf'] = { - 'source': 'arch-override.conf', - 'triggers': { - 'action:systemd-reload', - 'svc_systemd:nginx:restart', - }, - } svc_systemd = { 'nginx': { 'needs': { 'action:generate-dhparam', 'directory:/var/log/nginx-timing', - package, + 'pkg_apt:nginx', }, }, } diff --git a/bundles/nginx/metadata.py b/bundles/nginx/metadata.py index 2715065..28395ff 100644 --- a/bundles/nginx/metadata.py +++ b/bundles/nginx/metadata.py @@ -33,11 +33,6 @@ defaults = { 'nginx': { 'worker_connections': 768, }, - 'pacman': { - 'packages': { - 'nginx': {}, - }, - }, } if node.has_bundle('telegraf'): diff --git a/bundles/openssh/items.py b/bundles/openssh/items.py index a93b873..0b9fa04 100644 --- a/bundles/openssh/items.py +++ b/bundles/openssh/items.py @@ -27,29 +27,22 @@ files = { }, } -if node.has_bundle('pacman'): - package = 'pkg_pacman:openssh' - service = 'sshd' -else: - package = 'pkg_apt:openssh-server' - service = 'ssh' - actions = { 'sshd_check_config': { 'command': 'sshd -T -C user=root -C host=localhost -C addr=localhost', 'triggered': True, 'triggers': { - 'svc_systemd:{}:restart'.format(service), + 'svc_systemd:ssh:restart', }, }, } svc_systemd = { - service: { + 'ssh': { 'needs': { 'file:/etc/systemd/system/ssh.service.d/bundlewrap.conf', 'file:/etc/ssh/sshd_config', - package, + 'pkg_apt:openssh-server', }, }, } diff --git a/bundles/openssh/metadata.py b/bundles/openssh/metadata.py index 630b851..4db6d78 100644 --- a/bundles/openssh/metadata.py 
+++ b/bundles/openssh/metadata.py @@ -8,11 +8,6 @@ defaults = { 'openssh-sftp-server': {}, }, }, - 'pacman': { - 'packages': { - 'openssh': {}, - }, - }, } @metadata_reactor.provides( diff --git a/bundles/pacman/files/check_unattended_upgrades b/bundles/pacman/files/check_unattended_upgrades deleted file mode 100644 index 1cafab5..0000000 --- a/bundles/pacman/files/check_unattended_upgrades +++ /dev/null @@ -1,38 +0,0 @@ -#!/bin/bash - -statusfile="/var/tmp/unattended_upgrades.status" -if ! [[ -f "$statusfile" ]] -then - echo "Status file not found" - exit 3 -fi - -mtime=$(stat -c %Y $statusfile) -now=$(date +%s) -if (( $now - $mtime > 60*60*24*8 )) -then - echo "Status file is older than 8 days!" - exit 3 -fi - -exitcode=$(cat $statusfile) -case "$exitcode" in - abort_ssh) - echo "Upgrades skipped due to active SSH login" - exit 1 - ;; - 0) - if [[ -f /var/run/reboot-required ]] - then - echo "OK, but updates require a reboot" - exit 1 - else - echo "OK" - exit 0 - fi - ;; - *) - echo "Last exitcode was $exitcode" - exit 2 - ;; -esac diff --git a/bundles/pacman/files/do-unattended-upgrades b/bundles/pacman/files/do-unattended-upgrades deleted file mode 100644 index a04b5fc..0000000 --- a/bundles/pacman/files/do-unattended-upgrades +++ /dev/null @@ -1,18 +0,0 @@ -#!/bin/bash - -set -xeuo pipefail - -pacman -Syu --noconfirm --noprogressbar - -% for affected, restarts in sorted(restart_triggers.items()): -up_since=$(systemctl show "${affected}" | sed -n 's/^ActiveEnterTimestamp=//p' || echo 0) -up_since_ts=$(date -d "$up_since" +%s || echo 0) -now=$(date +%s) - -if [ $((now - up_since_ts)) -lt 3600 ] -then -% for restart in sorted(restarts): - systemctl restart "${restart}" || true -% endfor -fi -% endfor diff --git a/bundles/pacman/files/faillock.conf b/bundles/pacman/files/faillock.conf deleted file mode 100644 index 19c0ff3..0000000 --- a/bundles/pacman/files/faillock.conf +++ /dev/null @@ -1,2 +0,0 @@ -# just disable faillock. -deny = 0 
diff --git a/bundles/pacman/files/pacman.conf b/bundles/pacman/files/pacman.conf deleted file mode 100644 index 7fb4e48..0000000 --- a/bundles/pacman/files/pacman.conf +++ /dev/null @@ -1,40 +0,0 @@ -[options] -Architecture = auto -CheckSpace -Color -HoldPkg = ${' '.join(sorted(node.metadata.get('pacman/ask_before_removal')))} -ILoveCandy -IgnorePkg = ${' '.join(sorted(node.metadata.get('pacman/ignore_packages', set())))} -LocalFileSigLevel = Optional -NoExtract=${' '.join(sorted(node.metadata.get('pacman/no_extract', set())))} -ParallelDownloads = ${node.metadata.get('pacman/parallel_downloads')} -SigLevel = Required DatabaseOptional -VerbosePkgLists - -% for line in sorted(node.metadata.get('pacman/additional_config', set())): -${line} -% endfor - -[core] -Server = ${node.metadata.get('pacman/repository')} -Include = /etc/pacman.d/mirrorlist - -[extra] -Server = ${node.metadata.get('pacman/repository')} -Include = /etc/pacman.d/mirrorlist - -[community] -Server = ${node.metadata.get('pacman/repository')} -Include = /etc/pacman.d/mirrorlist -% if node.metadata.get('pacman/enable_multilib', False): - -[multilib] -Server = ${node.metadata.get('pacman/repository')} -Include = /etc/pacman.d/mirrorlist -% endif -% if node.metadata.get('pacman/enable_aurto'): - -[aurto] -Server = https://aurto.kunbox.net/ -SigLevel = Optional TrustAll -% endif diff --git a/bundles/pacman/files/upgrade-and-reboot b/bundles/pacman/files/upgrade-and-reboot deleted file mode 100644 index 41973aa..0000000 --- a/bundles/pacman/files/upgrade-and-reboot +++ /dev/null 
@@ -1,49 +0,0 @@ -#!/bin/bash - -# With systemd, we can force logging to the journal. This is better than -# spamming the world with cron mails. You can then view these logs using -# "journalctl -rat upgrade-and-reboot". -if which logger >/dev/null 2>&1 -then - # Dump stdout and stderr to logger, which will then put everything - # into the journal. - exec 1> >(logger -t upgrade-and-reboot -p user.info) - exec 2> >(logger -t upgrade-and-reboot -p user.error) -fi - -. /etc/upgrade-and-reboot.conf - -echo "Starting upgrade-and-reboot for node $nodename ..." - -statusfile="/var/tmp/unattended_upgrades.status" -# Workaround, because /var/tmp is usually 1777 -[[ "$UID" == 0 ]] && chown root:root "$statusfile" - -logins=$(ps h -C sshd -o euser | awk '$1 != "root" && $1 != "sshd" && $1 != "sshmon" && $1 != "nobody"') -if [[ -n "$logins" ]] -then - echo "Will abort now, there are active SSH logins: $logins" - echo "abort_ssh" > "$statusfile" - exit 1 -fi - -softlockdir=/var/lib/bundlewrap/soft-$nodename -mkdir -p "$softlockdir" -printf '{"comment": "UPDATE", "date": %s, "expiry": %s, "id": "UNATTENDED", "items": ["*"], "user": "root@localhost"}\n' \ - $(date +%s) \ - $(date -d 'now + 30 mins' +%s) \ - >"$softlockdir"/UNATTENDED -trap 'rm -f "$softlockdir"/UNATTENDED' EXIT - -do-unattended-upgrades -ret=$? - -echo "$ret" > "$statusfile" -if (( $ret != 0 )) -then - exit 1 -fi - -systemctl reboot - -echo "upgrade-and-reboot for node $nodename is DONE" diff --git a/bundles/pacman/files/upgrade-and-reboot.conf b/bundles/pacman/files/upgrade-and-reboot.conf deleted file mode 100644 index ca71dce..0000000 --- a/bundles/pacman/files/upgrade-and-reboot.conf +++ /dev/null @@ -1,3 +0,0 @@ -nodename="${node.name}" -reboot_mail_to="${node.metadata.get('apt/unattended-upgrades/reboot_mail_to', '')}" -auto_reboot_enabled="${node.metadata.get('apt/unattended-upgrades/reboot_enabled', True)}" 
diff --git a/bundles/pacman/items.py b/bundles/pacman/items.py deleted file mode 100644 index fe4f605..0000000 --- a/bundles/pacman/items.py +++ /dev/null 
@@ -1,109 +0,0 @@ -from bundlewrap.exceptions import BundleError - -if not node.os == 'arch': - raise BundleError(f'{node.name}: bundle:pacman requires arch linux') - -files = { - '/etc/pacman.conf': { - 'content_type': 'mako', - }, - '/etc/upgrade-and-reboot.conf': { - 'content_type': 'mako', - }, - '/etc/security/faillock.conf': {}, - '/usr/local/sbin/upgrade-and-reboot': { - 'mode': '0700', - }, - '/usr/local/sbin/do-unattended-upgrades': { - 'content_type': 'mako', - 'mode': '0700', - 'context': { - 'restart_triggers': node.metadata.get('pacman/restart_triggers', {}), - } - }, - '/usr/local/share/icinga/plugins/check_unattended_upgrades': { - 'mode': '0755', - }, -} - -svc_systemd['paccache.timer'] = { - 'needs': { - 'pkg_pacman:pacman-contrib', - }, -} - -pkg_pacman = { - 'acpi_call-lts': {}, - 'at': {}, - 'autoconf': {}, - 'automake': {}, - 'bind': {}, - 'binutils': {}, - 'bison': {}, - 'bzip2': {}, - 'curl': {}, - 'dialog': {}, - 'diffutils': {}, - 'fakeroot': {}, - 'file': {}, - 'findutils': {}, - 'flex': {}, - 'fwupd': {}, - 'gawk': {}, - 'gcc': {}, - 'gettext': {}, - 'git': {}, - 'gnu-netcat': {}, - 'grep': {}, - 'groff': {}, - 'gzip': {}, - 'htop': {}, - 'jq': {}, - 'ldns': {}, - 'less': {}, - 'libtool': {}, - 'linux-lts': {}, - 'logrotate': {}, - 'lsof': {}, - 'm4': {}, - 'mailutils': {}, - 'make': {}, - 'man-db': {}, - 'man-pages': {}, - 'moreutils': {}, - 'mtr': {}, - 'ncdu': {}, - 'nmap': {}, - 'pacman-contrib': {}, - 'patch': {}, - 'pkgconf': {}, - 'python': {}, - 'python-setuptools': { - 'needed_by': { - 'pkg_pip:', - }, - }, - 'python-pip': { - 'needed_by': { - 'pkg_pip:', - }, - }, - 'python-virtualenv': {}, - 'rsync': {}, - 'run-parts': {}, - 'sed': {}, - 'tar': {}, - 'texinfo': {}, - 'tmux': {}, - 'tree': {}, - 'unzip': {}, - 'vim': {}, - 'wget': {}, - 'which': {}, - 'whois': {}, - 'zip': {}, -} - - -for pkg, config in node.metadata.get('pacman/packages', {}).items(): - pkg_pacman[pkg] = config 
diff --git a/bundles/pacman/metadata.py b/bundles/pacman/metadata.py deleted file mode 100644 index 1c60981..0000000 --- a/bundles/pacman/metadata.py +++ /dev/null @@ -1,55 +0,0 @@ -defaults = { - 'pacman': { - 'ask_before_removal': { - 'glibc', - 'pacman', - }, - 'enable_aurto': True, - 'no_extract': { - 'etc/cron.d/0hourly', - # don't install systemd-homed pam module. It produces a lot of spam in - # journal about systemd-homed not being active, so just get rid of it. - # Requires reinstall of systemd package, though - 'usr/lib/security/pam_systemd_home.so', - }, - 'parallel_downloads': 4, - 'repository': 'http://ftp.uni-kl.de/pub/linux/archlinux/$repo/os/$arch', - 'unattended-upgrades': { - 'day': 5, - 'hour': 21, - }, - }, -} - - -@metadata_reactor.provides( - 'cron/jobs/upgrade-and-reboot', - 'icinga2_api/pacman/services', -) -def patchday(metadata): - if not metadata.get('pacman/unattended-upgrades/is_enabled', False): - return {} - - day = metadata.get('pacman/unattended-upgrades/day') - hour = metadata.get('pacman/unattended-upgrades/hour') - - return { - 'cron': { - 'jobs': { - 'upgrade-and-reboot': '{minute} {hour} * * {day} root /usr/local/sbin/upgrade-and-reboot'.format( - minute=node.magic_number % 30, - hour=hour, - day=day, - ), - }, - }, - 'icinga2_api': { - 'pacman': { - 'services': { - 'UNATTENDED UPGRADES': { - 'command_on_monitored_host': '/usr/local/share/icinga/plugins/check_unattended_upgrades', - }, - }, - }, - }, - } diff --git a/bundles/postfix/files/arch-override.conf b/bundles/postfix/files/arch-override.conf deleted file mode 100644 index 3b3e46d..0000000 --- a/bundles/postfix/files/arch-override.conf +++ /dev/null @@ -1,6 +0,0 @@ -[Service] -# arch postfix is not set up for chrooting by default -ExecStartPre=-/usr/sbin/mkdir -p /var/spool/postfix/etc -% for file in ['/etc/localtime', '/etc/nsswitch.conf', '/etc/resolv.conf', '/etc/services']: -ExecStartPre=-/usr/sbin/cp -p ${file} /var/spool/postfix${file} -% endfor 
diff --git a/bundles/postfix/items.py b/bundles/postfix/items.py index 5518c90..aeceed1 100644 --- a/bundles/postfix/items.py +++ b/bundles/postfix/items.py @@ -21,13 +21,12 @@ for identifier in node.metadata.get('postfix/mynetworks', set()): netmask = '128' mynetworks.add(f'[{ip6}]/{netmask}') -my_package = 'pkg_pacman:postfix' if node.os == 'arch' else 'pkg_apt:postfix' files = { '/etc/mailname': { 'content': node.metadata.get('postfix/myhostname'), 'before': { - my_package, + 'pkg_apt:postfix', }, 'triggers': { 'svc_systemd:postfix:restart', @@ -82,7 +81,7 @@ actions = { 'command': 'newaliases', 'triggered': True, 'needs': { - my_package, + 'pkg_apt:postfix', }, 'before': { 'svc_systemd:postfix', @@ -92,7 +91,7 @@ actions = { 'command': 'postmap hash:/etc/postfix/blocked_recipients', 'triggered': True, 'needs': { - my_package, + 'pkg_apt:postfix', }, 'before': { 'svc_systemd:postfix', @@ -105,17 +104,7 @@ svc_systemd = { 'needs': { 'file:/etc/postfix/master.cf', 'file:/etc/postfix/main.cf', - my_package, + 'pkg_apt:postfix', }, }, } - -if node.os == 'arch': - files['/etc/systemd/system/postfix.service.d/bundlewrap.conf'] = { - 'source': 'arch-override.conf', - 'content_type': 'mako', - 'triggers': { - 'action:systemd-reload', - 'svc_systemd:postfix:restart', - }, - } diff --git a/bundles/postfix/metadata.py b/bundles/postfix/metadata.py index 3c3be24..1ccf633 100644 --- a/bundles/postfix/metadata.py +++ b/bundles/postfix/metadata.py @@ -14,7 +14,7 @@ defaults = { 'postfix': { 'services': { 'POSTFIX PROCESS': { - 'command_on_monitored_host': '/usr/local/share/icinga/plugins/check_systemd_unit postfix' + ('' if node.os == 'arch' else '@-'), + 'command_on_monitored_host': '/usr/local/share/icinga/plugins/check_systemd_unit postfix@-', }, 'POSTFIX QUEUE': { 'command_on_monitored_host': 'sudo /usr/local/share/icinga/plugins/check_postfix_queue -w 20 -c 40 -d 50', 
@@ -22,12 +22,6 @@ defaults = { }, }, }, - 'pacman': { - 'packages': { - 'postfix': {}, - 's-nail': {}, - }, - }, } if node.has_bundle('postfixadmin'): diff --git a/bundles/sshmon/items.py b/bundles/sshmon/items.py index 3250f39..be9a9a4 100644 --- a/bundles/sshmon/items.py +++ b/bundles/sshmon/items.py @@ -64,12 +64,3 @@ for check in { files["/usr/local/share/icinga/plugins/check_{}".format(check)] = { 'mode': "0755", } - - -if node.has_bundle('pacman'): - symlinks['/usr/lib/nagios/plugins'] = { - 'target': '/usr/lib/monitoring-plugins', - 'needs': { - 'pkg_pacman:monitoring-plugins', - }, - } diff --git a/bundles/sshmon/metadata.py b/bundles/sshmon/metadata.py index 2142623..3026479 100644 --- a/bundles/sshmon/metadata.py +++ b/bundles/sshmon/metadata.py @@ -36,14 +36,6 @@ defaults = { 'sshmon', }, }, - 'pacman': { - 'packages': { - 'gawk': {}, - 'perl-libwww': {}, - 'monitoring-plugins': {}, - 'python-requests': {}, - }, - }, } diff --git a/bundles/sudo/metadata.py b/bundles/sudo/metadata.py index 82b007d..e76edaf 100644 --- a/bundles/sudo/metadata.py +++ b/bundles/sudo/metadata.py @@ -4,9 +4,4 @@ defaults = { 'sudo': {}, }, }, - 'pacman': { - 'packages': { - 'sudo': {}, - }, - }, } diff --git a/bundles/systemd-boot/files/entry b/bundles/systemd-boot/files/entry deleted file mode 100755 index 00d3d8f..0000000 --- a/bundles/systemd-boot/files/entry +++ /dev/null @@ -1,13 +0,0 @@ -title ${config['title']} - -% if 'linux' in config: -linux ${config['linux']} -% for line in config['initrd']: -initrd ${line} -% endfor -% if config.get('options', set()): -options ${' '.join(sorted(config['options']))} -% endif -% else: -efi ${config['efi']} -% endif diff --git a/bundles/systemd-boot/files/loader.conf b/bundles/systemd-boot/files/loader.conf deleted file mode 100755 index b30de61..0000000 --- a/bundles/systemd-boot/files/loader.conf +++ /dev/null 
@@ -1,5 +0,0 @@ -auto-entries no -auto-firmware yes -console-mode keep -default ${config['default']} -timeout ${config.get('timeout', 5)} diff --git a/bundles/systemd-boot/files/pacman_hook b/bundles/systemd-boot/files/pacman_hook deleted file mode 100644 index d65c027..0000000 --- a/bundles/systemd-boot/files/pacman_hook +++ /dev/null @@ -1,9 +0,0 @@ -[Trigger] -Type = Package -Operation = Upgrade -Target = systemd - -[Action] -Description = Gracefully upgrading systemd-boot... -When = PostTransaction -Exec = /usr/bin/systemctl restart systemd-boot-update.service diff --git a/bundles/systemd-boot/items.py b/bundles/systemd-boot/items.py deleted file mode 100644 index 0f26d00..0000000 --- a/bundles/systemd-boot/items.py +++ /dev/null @@ -1,32 +0,0 @@ -assert node.os == 'arch' -assert node.metadata.get('systemd-boot/default') in node.metadata.get('systemd-boot/entries') - -files = { - '/etc/pacman.d/hooks/99-systemd-boot-update': { - 'source': 'pacman_hook', - }, - '/boot/loader/loader.conf': { - 'content_type': 'mako', - 'context': { - 'config': node.metadata.get('systemd-boot'), - }, - 'mode': None, - }, -} - -directories = { - '/boot/loader/entries': { - 'purge': True, - }, -} - -for entry, config in node.metadata.get('systemd-boot/entries').items(): - files[f'/boot/loader/entries/{entry}.conf'] = { - 'source': 'entry', - 'content_type': 'mako', - 'context': { - 'entry': entry, - 'config': config, - }, - 'mode': None, - } diff --git a/bundles/telegraf/metadata.py b/bundles/telegraf/metadata.py index 097750e..4af8190 100644 --- a/bundles/telegraf/metadata.py +++ b/bundles/telegraf/metadata.py @@ -25,14 +25,4 @@ defaults = { }, }, }, - 'pacman': { - 'packages': { - 'telegraf-bin': { - 'needed_by': { - 'svc_systemd:telegraf', - 'user:telegraf', - }, - }, - }, - }, } diff --git a/bundles/users/metadata.py b/bundles/users/metadata.py index 48a8b72..e6f3498 100644 --- a/bundles/users/metadata.py +++ b/bundles/users/metadata.py 
@@ -7,11 +7,6 @@ defaults = { 'kitty-terminfo': {}, }, }, - 'pacman': { - 'packages': { - 'kitty-terminfo': {}, - }, - }, 'users': { 'root': { 'home': '/root', diff --git a/bundles/vmhost/items.py b/bundles/vmhost/items.py index e432a40..402e8ec 100644 --- a/bundles/vmhost/items.py +++ b/bundles/vmhost/items.py @@ -24,12 +24,3 @@ if node.has_bundle('nftables') and node.has_bundle('apt'): 'svc_systemd:nftables:reload', }, } - -if node.has_bundle('pacman'): - svc_systemd['libvirtd'] = { - 'running': None, # triggered via .socket - } - svc_systemd['virtlogd'] = { - 'running': None, # triggered via .socket - 'enabled': None, # triggered via .socket - } diff --git a/bundles/vmhost/metadata.py b/bundles/vmhost/metadata.py index 3aaa10e..79f9d8a 100644 --- a/bundles/vmhost/metadata.py +++ b/bundles/vmhost/metadata.py @@ -21,12 +21,6 @@ defaults = { }, }, }, - 'pacman': { - 'packages': { - 'edk2-ovmf': {}, - 'libvirt': {}, - }, - }, } if node.os == 'debian' and node.os_version[0] < 11: @@ -42,9 +36,6 @@ if node.has_bundle('nftables'): }, } -if node.has_bundle('arch-with-gui'): - defaults['pacman']['packages']['virt-manager'] = {} - @metadata_reactor.provides( 'users', diff --git a/bundles/voc-tracker-worker/files/crs-runner.service b/bundles/voc-tracker-worker/files/crs-runner.service deleted file mode 100644 index 1c85a33..0000000 --- a/bundles/voc-tracker-worker/files/crs-runner.service +++ /dev/null @@ -1,16 +0,0 @@ -[Unit] -Description=CRS runner for ${script} -After=network.target - -[Service] -User=voc -Group=voc -EnvironmentFile=/etc/default/crs-worker -ExecStart=/opt/crs-scripts/bin/crs_run ${script} -WorkingDirectory=/opt/crs-scripts -Restart=on-failure -RestartSec=10 -SyslogIdentifier=crs-${worker} - -[Install] -WantedBy=crs-worker.target diff --git a/bundles/voc-tracker-worker/files/environment b/bundles/voc-tracker-worker/files/environment deleted file mode 100644 index 98f40ea..0000000 --- a/bundles/voc-tracker-worker/files/environment +++ /dev/null 
@@ -1,6 +0,0 @@ -CRS_TRACKER=${url} -CRS_TOKEN=${token} -CRS_SECRET=${secret} -% if use_vaapi: -CRS_USE_VAAPI=yes -% endif diff --git a/bundles/voc-tracker-worker/items.py b/bundles/voc-tracker-worker/items.py deleted file mode 100644 index 6f28a8b..0000000 --- a/bundles/voc-tracker-worker/items.py +++ /dev/null @@ -1,56 +0,0 @@ -paths = { # subpaths of /video - 'capture', - 'encoded', - 'fuse', - 'intros', - 'repair', - 'tmp', -} - -directories = { - '/opt/crs-scripts': {}, -} - -for path in paths: - directories[f'/video/{path}'] = { - 'owner': 'voc', - 'group': 'voc', - } - -git_deploy = { - '/opt/crs-scripts': { - 'repo': 'https://github.com/crs-tools/crs-scripts.git', - 'rev': 'master', - }, -} - -files = { - '/etc/default/crs-worker': { - 'content_type': 'mako', - 'source': 'environment', - 'context': node.metadata.get('voc-tracker-worker'), - }, -} - -for worker, script in { - 'recording-scheduler': 'script-A-recording-scheduler.pl', - 'mount4cut': 'script-B-mount4cut.pl', - 'cut-postprocessor': 'script-C-cut-postprocessor.pl', - 'encoding': 'script-D-encoding.pl', - 'postencoding': 'script-E-postencoding-auphonic.pl', - 'postprocessing': 'script-F-postprocessing-upload.pl', -}.items(): - files[f'/etc/systemd/system/crs-{worker}.service'] = { - 'content_type': 'mako', - 'source': 'crs-runner.service', - 'context': { - 'worker': worker, - 'script': script, - }, - 'needs': { - 'file:/etc/default/crs-worker', - }, - 'triggers': { - 'action:systemd-reload', - }, - } diff --git a/bundles/voc-tracker-worker/metadata.py b/bundles/voc-tracker-worker/metadata.py deleted file mode 100644 index 3a741a8..0000000 --- a/bundles/voc-tracker-worker/metadata.py +++ /dev/null 
@@ -1,52 +0,0 @@ -defaults = { - 'apt': { - 'packages': { - 'ffmpeg': {}, - 'fuse': {}, - 'fuse-ts': {}, - 'libboolean-perl': {}, - 'libconfig-inifiles-perl': {}, - 'libdatetime-perl': {}, - 'libfile-which-perl': {}, - 'libipc-run3-perl': {}, - 'libjson-perl': {}, - 'libmath-round-perl': {}, - 'libproc-processtable-perl': {}, - 'libwww-curl-perl': {}, - 'libxml-rpc-fast-perl': {}, - 'libxml-simple-perl': {}, - }, - }, - 'voc-tracker-worker': { - 'use_vaapi': False, - }, - 'users': { - 'voc': { - 'home': '/opt/voc', - }, - }, - 'pacman': { - 'packages': { - 'ffmpeg': {}, - 'fuse2': {}, - 'fuse3': {}, - # fuse-ts missing - 'perl-boolean': {}, # from aurto - 'perl-config-inifiles': {}, - 'perl-datetime': {}, - 'perl-file-which': {}, - 'perl-ipc-run3': {}, - 'perl-json': {}, - 'perl-math-round': {}, - 'perl-proc-processtable': {}, - 'perl-www-curl': {}, # from aurto - 'perl-xml-simple': {}, - }, - }, -} - -# Install manually from CPAN: -# IO::Socket::SSL -# LWP::Protocol::https -# Types::Serialiser::Error -# XML::RPC::Fast diff --git a/bundles/wireguard/metadata.py b/bundles/wireguard/metadata.py index c08d5ca..267be6a 100644 --- a/bundles/wireguard/metadata.py +++ b/bundles/wireguard/metadata.py @@ -283,7 +283,7 @@ def interface_ips(metadata): 'nftables/postrouting/10-wireguard', ) def snat(metadata): - if not node.has_bundle('nftables') or node.os == 'arch': + if not node.has_bundle('nftables'): raise DoNotRunAgain snat_ip = metadata.get('wireguard/snat_ip', None) diff --git a/bundles/zfs/files/zfs-import-scan-override.service b/bundles/zfs/files/zfs-import-scan-override.service index 3853425..9004ee2 100644 --- a/bundles/zfs/files/zfs-import-scan-override.service +++ b/bundles/zfs/files/zfs-import-scan-override.service @@ -3,8 +3,4 @@ ConditionPathExists= [Service] ExecStart= -% if node.os == 'arch': -ExecStart=/usr/bin/zpool import -aN -o cachefile=none -% else: ExecStart=/usr/sbin/zpool import -aN -o cachefile=none -% endif 
diff --git a/bundles/zfs/items.py b/bundles/zfs/items.py index 8b13f4b..c63250e 100644 --- a/bundles/zfs/items.py +++ b/bundles/zfs/items.py @@ -2,9 +2,6 @@ from json import dumps from bundlewrap.metadata import MetadataJSONEncoder -if node.has_bundle('pacman'): - assert node.metadata.get('pacman/enable_aurto'), f'{node.name}: bundle:zfs needs aurto for zfs-linux-lts package' - files = { '/etc/modprobe.d/zfs.conf': { 'source': 'zfs-modprobe.conf', diff --git a/bundles/zfs/metadata.py b/bundles/zfs/metadata.py index 4191834..3b63e0b 100644 --- a/bundles/zfs/metadata.py +++ b/bundles/zfs/metadata.py @@ -43,24 +43,6 @@ defaults = { }, }, }, - 'pacman': { - 'no_extract': { - 'etc/sudoers.d/zfs', - }, - 'packages': { - 'zfs-linux-lts': { - 'needed_by': { - 'zfs_dataset:', - 'zfs_pool:', - }, - }, - 'zfs-utils': { - 'needed_by': { - 'svc_systemd:zfs-zed', - }, - }, - }, - }, 'systemd-timers': { 'timers': { 'zfs-auto-snapshot-daily': { diff --git a/groups/os.py b/groups/os.py index a6fca0f..d6f1d6b 100644 --- a/groups/os.py +++ b/groups/os.py @@ -13,7 +13,6 @@ groups['raspberry'] = { groups['linux'] = { 'subgroups': { - 'arch', 'debian', 'raspberry', }, @@ -48,13 +47,6 @@ groups['linux'] = { 'pip_command': 'pip3', } -groups['arch'] = { - 'bundles': { - 'pacman', - }, - 'os': 'arch', -} - groups['debian'] = { 'subgroup_patterns': { '^debian-[a-z]+$', diff --git a/hooks/test_zfs_consistency.py b/hooks/test_zfs_consistency.py index 132afe3..d7231e5 100644 --- a/hooks/test_zfs_consistency.py +++ b/hooks/test_zfs_consistency.py @@ -25,7 +25,7 @@ def test_node(repo, node, **kwargs): pool_name = name.split('/', 1)[0] - if pool_name not in zfs_pools and node.os != 'arch': + if pool_name not in zfs_pools: raise BundleError('{n} zfs_dataset:{ds} wants zfs_pool:{pool}, which wasn\'t found'.format( n=node.name, ds=name, diff --git a/nodes/fkusei-locutus.py b/nodes/fkusei-locutus.py deleted file mode 100644 index 23118bd..0000000 --- a/nodes/fkusei-locutus.py +++ /dev/null 
@@ -1,190 +0,0 @@ -nodes['fkusei-locutus'] = { - 'dummy': True, - 'hostname': '10.5.99.29', - 'bundles': { - 'arch-with-gui', - 'bird', - 'lldp', - 'lm-sensors', - 'nfs-client', - 'systemd-boot', - 'telegraf-battery-usage', - 'wireguard', - 'voc-tracker-worker', - 'zfs', - }, - 'groups': { - 'arch', - }, - 'metadata': { - 'arch-with-gui': { - 'autologin_as': 'fkunsmann', - }, - 'bird': { - 'bgp_neighbors': { - 'smedia': { - 'local_as': 4200128002, - 'local_ip': '10.200.128.2', - 'neighbor_as': 64900, - 'neighbor_ip': '10.200.128.1', - }, - }, - }, - 'firewall': { - 'port_rules': { - # obs websocket thingie - just allow all RFC1918 ips here - #'4444': { - # '10.0.0.0/8', - # '172.16.0.0/12', - # '192.168.0.0/16', - #}, - # For the occasional file-share using `python -m http.server` - '8000/tcp': {'*'}, - }, - }, - 'interfaces': { - 'eth*': { - 'dhcp': True, - }, - # there is also wlan0, but that's managed by netctl - }, - 'location': 'home', # not actually true, but needed for static dhcp lease - 'nfs-client': { - 'mounts': { - 'nas-storage': { - 'mountpoint': '/mnt/nas', - 'serverpath': '172.19.138.20:/storage/nas', - 'mount_options': { - 'retry=0', - 'ro', - }, - }, - }, - }, - 'openssh': { - 'restrict-to': { - 'rfc1918', - }, - }, - 'pacman': { - 'packages': { - 'amd-ucode': {}, - 'xf86-video-amdgpu': {}, - - # all that other random stuff one needs - 'apachedirectorystudio': {}, - 'direnv': {}, - 'freerdp': {}, - 'sdl_ttf': {}, # for compiling testcard - 'thermald': {}, - }, - }, - 'sysctl': { - 'options': { - # accept RA even though forwarding is enabled - 'net.ipv4.conf.all.accept_ra': '2', - 'net.ipv4.conf.wlan0.accept_ra': '2', - }, - }, - 'systemd-boot': { - 'default': 'arch', - 'entries': { - 'arch': { - 'title': 'Arch Linux', - 'linux': '/vmlinuz-linux', - 'initrd': [ - '/amd-ucode.img', - '/initramfs-linux.img', - ], - 'options': { - 'net.ifnames=0', - 'rw', - 'zfs=zroot/system/root', - }, - }, - 'arch-fallback': { - 'title': 'Arch Linux (no ucode, 
fallback initramfs)', - 'linux': '/vmlinuz-linux', - 'initrd': [ - '/initramfs-linux-fallback.img', - ], - 'options': { - 'net.ifnames=0', - 'rw', - 'zfs=zroot/system/root', - }, - }, - }, - }, - 'timezone': 'Europe/Berlin', - 'users': { - 'fkunsmann': { - 'password': vault.decrypt('encrypt$gAAAAABgLmmuQGRUStrQawoPee-758emIYn2u8-8ebrgzNAFSp7ifeFDdXXvs-zL3QogwNYlCtBHboH2xfy1rSj6OF5bbNO-tg=='), - 'shell': '/usr/bin/fish', - }, - }, - 'voc-tracker-worker': { - 'url': 'https://tracker.c3voc.de/rpc', - 'token': vault.decrypt('encrypt$gAAAAABiYqaFl4CqOc8DTQIn49Qq0KgAJSzA19GKPNMbyHIjYg0JkvY0sK43ps8CbJWMRR6hJHVK-nP4vrWLwyoWWqt8N8aASMur4odC2s8pEHQKM0TXg4cRwobQz_lyJgrYa2VYdhcD'), - 'secret': vault.decrypt('encrypt$gAAAAABiYqaYbY-3IbnRk-S25pqxrOGN7ovgPo3kBYz8ZqKDedPRzskKZefpLHxBbCOZKjg1XNT4cKbIs5cPCLdj7HdY4beAhnXl4EHZZdxU1zVC7sJCmz9XOS_Ac0UOgOlUFMiet14U'), - }, - 'wireguard': { - 'privatekey': vault.decrypt('smedia$NotViaThisRepository'), - 'peers': { - 'smedia': { - 'endpoint': 'wireguard.htz-cloud.kunbox.net:1194', - 'their_ip': '10.200.128.1', - 'my_ip': '10.200.128.2/20', - 'my_port': 51820, - 'endpoint': '185.122.180.82:51820', - 'psk': vault.decrypt('smedia$NotViaThisRepository'), - 'pubkey': vault.decrypt('smedia$NotViaThisRepository'), - }, - }, - }, - 'zfs': { - 'pools': { - 'zroot': { - 'when_creating': { - 'config': [], - }, - }, - }, - 'datasets': { - # this is not a complete list, but we can't create that - # structure using bundlewrap anyway, so there's no point - # in adding it here. - 'zroot': { - 'compression': 'lz4', - 'relatime': 'on', - 'xattr': 'sa', - 'primarycache': 'metadata' - # encryption is enabled, too. 
- }, - 'zroot/system/journal': { - 'mountpoint': '/var/log/journal', - 'acltype': 'posix', - }, - 'zroot/system/root': { - 'canmount': 'noauto', - 'mountpoint': '/', - }, - 'zroot/user/fkunsmann': { - 'mountpoint': '/home/fkunsmann', - }, - }, - 'snapshots': { - 'retain_per_dataset': { - 'zroot/user/fkunsmann': { - # juuuuuuuust to be sure - 'hourly': 100, - }, - }, - 'snapshot_never': { - 'zroot/system/journal', - }, - }, - }, - }, - 'os': 'arch', -} diff --git a/nodes/htz-cloud.aurto.toml b/nodes/htz-cloud.aurto.toml deleted file mode 100644 index 16fbf9a..0000000 --- a/nodes/htz-cloud.aurto.toml +++ /dev/null 
@@ -1,59 +0,0 @@ -hostname = "2a01:4f9:c010:95fa::2" -bundles = ["backup-client"] -groups = [ - "arch", - "webserver", -] - -[metadata] -description = [ - "When adding packages to aurto, please also add those packages to ~/PACKAGES", - "Wenn Pakete zu aurto hinzugefügt werden, trage sie bitte auch in ~/PACKAGES ein", -] - -[metadata.icinga_options] -period = "daytime" - -[metadata.backups] -paths = [ - "/var/cache/pacman/aurto", -] - -[metadata.interfaces.enp1s0] -ips = ["2a01:4f9:c010:95fa::2/64"] -gateway6 = "fe80::1" - -[metadata.interfaces.enp7s0] -ips = ["172.19.137.4/32"] -gateway4 = "172.19.137.1" - -[metadata.nginx.vhosts.aurto] -domain = "aurto.kunbox.net" -webroot = "/var/cache/pacman/aurto" -extras = true - -[metadata.pacman] -enable_aurto = false -additional_config = [ - "Include = /etc/pacman.d/aurto", -] - -[metadata.pacman.unattended-upgrades] -is_enabled = true - -[metadata.sudo.extra_configs] -50_aurto_passwordless = [ - "%wheel ALL=(ALL) NOPASSWD: /usr/bin/arch-nspawn", - "%wheel ALL=(ALL) NOPASSWD: /usr/bin/pacsync aurto", - "%wheel ALL=(ALL) NOPASSWD:SETENV: /usr/bin/makechrootpkg", -] - -[metadata.users.aurto] -groups = ["wheel"] -ssh_pubkey = [ - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICYst1HK+gJYhNxzqJGnz4iB73pa89Xz2yH+8wufOcsA", # kunsi work - "ssh-rsa 
AAAAB3NzaC1yc2EAAAADAQABAAACAQC+ja1z5VRQzaKCCePsUM14qMr9QR94qlWc7Je5Poki9UmC1t/TyxRVzcCBL1ZdIfBGx6QKtfkEbvhgb3nxVt3PvXjoJrc6wwGLmNrVsU6B88y35g7nzupQiPKYJwkNzJ9j6Dmkgj1F5Q+aY2SitDaX6vqICLJ4Al/ZFw2IQxVJfC7JXRJ9jRMG5o9gWoE3gWDYEAmw+HU2mNzyeuaD12qJw9DHUimAlgkOWzll3gh9WclsYnnXGrCCn5fyHFUCJl+XXAIy519z7YTpKih02rsIOw5dnaGClBZD/YQu2ZKVFZiwIVH7aBiqHOmtgRyWTQgjbh/fMpIN0ar2f/iZsWYUjd6et48TOmXZYIPCQ5FivXNvxt9oo1XZfq76UHBwlmypLJIWROMbz375n2M6hr3hECuxuPjKEUXAv05KiC1aJ4xc6pFoVhqwAR99hvHw5U4o7/ko2NVjNpTu6Jr5DT5VaQLIdDDjC/93kUjMpdD/8P72bEn7454+WexU6OE6uvNiHj1fetrptr2UAuzVfnCoaV8pBqY7X95gk+lnSENdpr8ltJYMg8s0Z7Pzz0OxsZtzzDY5VmWfC9TCdJkN5lT8IbnaixsYlWdjQl1lMmZGElmelfU3K7YQLAbZiHmHKe4hTl9ZoCcWdTQ3d4y2t1DBos+N2HZNdtFCyOS8esDdMw==", # kunsi privat -] - -[metadata.users.kunsi] -groups = ["wheel"] diff --git a/nodes/kunsi-p14s.py b/nodes/kunsi-p14s.py deleted file mode 100644 index 385cf3f..0000000 --- a/nodes/kunsi-p14s.py +++ /dev/null 
@@ -1,251 +0,0 @@ -nodes['kunsi-p14s'] = { - 'hostname': 'localhost', - 'bundles': { - 'arch-with-gui', - 'backup-client', - 'lldp', - 'lm-sensors', - 'nfs-client', - 'systemd-boot', - 'telegraf-battery-usage', - 'vmhost', - 'wireguard', - 'zfs', - }, - 'groups': { - 'arch', - }, - 'metadata': { - 'arch-with-gui': { - 'autologin_as': 'kunsi', - }, - 'backup-client': { - 'exclude_from_monitoring': False, - # only alert people if we're missing more than a week of backups - 'one_backup_every_hours': 7 * 24, - }, - 'firewall': { - 'port_rules': { - # obs websocket thingie - just allow all RFC1918 ips here - #'4444': { - # '10.0.0.0/8', - # '172.16.0.0/12', - # '192.168.0.0/16', - #}, - # For the occasional file-share using `python -m http.server` - '8000/tcp': {'*'}, - }, - }, - 'interfaces': { - 'br0': { - 'ips': {'10.73.100.112/16'}, - 'gateway4': '10.73.0.254', - 'dhcp': True, - }, - # there is also wlp3s0, but that's managed by netctl - }, - 'nfs-client': { - 'mounts': { - 'nas-scansnap': { - 'mountpoint': '/mnt/scansnap', - 'serverpath': '172.19.138.20:/srv/scansnap', - 'mount_options': { - 'retry=0', - 'rw', - }, - }, - 'nas-storage': { - 'mountpoint': '/mnt/nas', - 'serverpath': '172.19.138.20:/storage/nas', - 'mount_options': { - 'retry=0', - 'ro', - }, - }, - }, - }, - 'nftables': { - 'forward': { - '50-routing': [ - 'ct state { related, established } accept', - 'oifname wlan0 accept', - ], - }, - 'postrouting': { - '50-routing': [ - 'oifname wlan0 masquerade', - ], - }, - }, - 'openssh': { - 'restrict-to': { - 'rfc1918', - }, - }, - 'pacman': { - 'no_extract': { - 'etc/sudoers.d/ctdb', # samba junk - }, - 'packages': { - # for hardware support - 'amd-ucode': {}, - 'mesa': {}, - - # various video drivers - 'libva-mesa-driver': {}, - 'mesa-vdpau': {}, - 'xf86-video-amdgpu': {}, - - # all that other random stuff one needs - #'abcde': {}, - 'claws-mail': {}, - 'claws-mail-themes': {}, - 'ferdium-bin': {}, - 'gumbo-parser': {}, # for claws litehtml - 'inkstitch': 
{}, # for RZL embroidery machine - 'obs-studio': {}, - #'perl-musicbrainz-discid': {}, # for abcde - #'perl-webservice-musicbrainz': {}, # for abcde - 'sdl_ttf': {}, # for compiling testcard - 'x32edit': {}, - }, - }, - 'systemd-boot': { - 'default': 'arch', - 'entries': { - 'arch': { - 'title': 'Arch Linux', - 'linux': '/vmlinuz-linux-lts', - 'initrd': [ - '/amd-ucode.img', - '/initramfs-linux-lts.img', - ], - 'options': { - 'net.ifnames=0', - 'rw', - 'zfs=zroot/system/root', - }, - }, - 'arch-fallback': { - 'title': 'Arch Linux (no ucode, fallback initramfs)', - 'linux': '/vmlinuz-linux-lts', - 'initrd': [ - '/initramfs-linux-lts-fallback.img', - ], - 'options': { - 'net.ifnames=0', - 'rw', - 'zfs=zroot/system/root', - }, - }, - }, - }, - 'sysctl': { - 'options': { - 'net.ipv4.conf.all.forwarding': '1', - }, - }, - 'systemd-networkd': { - 'bridges': { - 'br0': { - 'match': { - 'en*', - 'eth*', - }, - }, - }, - }, - 'timezone': 'Europe/Berlin', - 'users': { - 'kunsi': { - 'password': vault.decrypt('encrypt$gAAAAABgLmmuQGRUStrQawoPee-758emIYn2u8-8ebrgzNAFSp7ifeFDdXXvs-zL3QogwNYlCtBHboH2xfy1rSj6OF5bbNO-tg=='), - 'shell': '/usr/bin/fish', - }, - }, - 'wireguard': { - 'peers': { - 'htz-cloud.wireguard': { - 'auto_connection': False, - 'endpoint': 'wireguard.htz-cloud.kunbox.net:1194', - 'my_ip': '172.19.136.65', - 'my_port': 51819, - 'their_ip': '172.19.136.64', - 'routes': { - '10.73.0.0/16', - '172.19.128.0/20', - }, - }, - }, - }, - 'zfs': { - 'pools': { - 'zroot': { - 'when_creating': { - 'config': [{ - 'devices': [ - '/dev/disk/by-id/nvme-UMIS_RPETJ1T24MGE2QDQ_SS0L25218X3RC1BG1182-part2', - ], - }], - 'ashift': 12, - }, - }, - }, - 'datasets': { - # this is not a complete list, but we can't create that - # structure using bundlewrap anyway, so there's no point - # in adding it here. - 'zroot': { - 'compression': 'lz4', - 'relatime': 'on', - 'xattr': 'sa', - 'primarycache': 'metadata' - # encryption is enabled, too. 
- }, - 'zroot/movies': { - 'mountpoint': '/media/movies', - }, - 'zroot/nextcloud': { - 'mountpoint': '/home/kunsi/nextcloud', - }, - 'zroot/system/journal': { - 'mountpoint': '/var/log/journal', - 'acltype': 'posix', - }, - 'zroot/system/libvirt': { - 'mountpoint': '/var/lib/libvirt', - 'needed_by': { - 'bundle:vmhost', - }, - }, - 'zroot/system/video': { - 'mountpoint': '/video', - 'needed_by': { - 'bundle:voc-tracker-worker', - }, - }, - 'zroot/system/root': { - 'canmount': 'noauto', - 'mountpoint': 'legacy', - }, - 'zroot/user/kunsi': { - 'mountpoint': '/home/kunsi', - }, - }, - 'snapshots': { - 'retain_per_dataset': { - 'zroot/user/kunsi': { - # juuuuuuuust to be sure - 'hourly': 100, - }, - }, - 'snapshot_never': { - 'zroot/movies', - 'zroot/nextcloud', - 'zroot/system/journal', - 'zroot/system/video', - }, - }, - }, - }, - 'os': 'arch', -} From ecbb28d0ff0e7e85b9521d714ca568dd7376b1c7 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 12 Jan 2025 10:58:24 +0100 Subject: [PATCH 896/996] .envrc fix indentation --- .envrc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.envrc b/.envrc index 20da331..5fd603a 100644 --- a/.envrc +++ b/.envrc @@ -1,3 +1,3 @@ layout python3 - source_env_if_exists .envrc.local +source_env_if_exists .envrc.local From 767fc06b725cb803c3df1987985fc2368404a149 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Tue, 14 Jan 2025 19:58:08 +0100 Subject: [PATCH 897/996] carlene: remove element-web --- nodes/carlene.toml | 11 ----------- 1 file changed, 11 deletions(-) diff --git a/nodes/carlene.toml b/nodes/carlene.toml index 4581a4b..9939076 100644 --- a/nodes/carlene.toml +++ b/nodes/carlene.toml @@ -6,7 +6,6 @@ groups = [ bundles = [ "check-mail-received", "dovecot", - "element-web", "forgejo", "matrix-media-repo", "matrix-stickerpicker", 
@@ -38,16 +37,6 @@ email = "franzi.kunsmann@t-online.de" imap_host = "secureimap.t-online.de" imap_pass = "!bwpass_attr:t-online.de/franzi.kunsmann@t-online.de:imap" -[metadata.element-web] -url = "chat.franzi.business" -version = "v1.11.89" -[metadata.element-web.config] -default_server_config.'m.homeserver'.base_url = "https://matrix.franzi.business" -default_server_config.'m.homeserver'.server_name = "franzi.business" -brand = "franzi.business" -defaultCountryCode = "DE" -jitsi.preferredDomain = "meet.ffmuc.net" - [metadata.forgejo] version = "9.0.3" sha1 = "a04a8d5bee7321610d91da780a24e18f7407403c" From d27a047db2266aaeddd044b42b4f88a480e7720b Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Tue, 14 Jan 2025 19:58:32 +0100 Subject: [PATCH 898/996] remote bundle:matrix-registration --- bundles/matrix-registration/files/config.yaml | 40 ------------ .../files/matrix-registration.service | 14 ---- bundles/matrix-registration/items.py | 65 ------------------- bundles/matrix-registration/metadata.py | 25 ------- 4 files changed, 144 deletions(-) delete mode 100644 bundles/matrix-registration/files/config.yaml delete mode 100644 bundles/matrix-registration/files/matrix-registration.service delete mode 100644 bundles/matrix-registration/items.py delete mode 100644 bundles/matrix-registration/metadata.py diff --git a/bundles/matrix-registration/files/config.yaml b/bundles/matrix-registration/files/config.yaml deleted file mode 100644 index b3ad3a5..0000000 --- a/bundles/matrix-registration/files/config.yaml +++ /dev/null 
@@ -1,40 +0,0 @@ -server_location: 'http://[::1]:20080' -server_name: '${server_name}' -registration_shared_secret: '${reg_secret}' -admin_api_shared_secret: '${admin_secret}' -base_url: '${base_url}' -client_redirect: '${client_redirect}' -client_logo: 'static/images/element-logo.png' # use '{cwd}' for current working directory -#db: 'sqlite:///opt/matrix-registration/data/db.sqlite3' -db: 'postgresql://${database['user']}:${database['password']}@localhost/${database['database']}' -host: 'localhost' -port: 20100 -rate_limit: ["100 per day", "10 per minute"] -allow_cors: false -ip_logging: false -logging: - disable_existing_loggers: false - version: 1 - root: - level: DEBUG - handlers: [console] - formatters: - brief: - format: '%(name)s - %(levelname)s - %(message)s' - handlers: - console: - class: logging.StreamHandler - level: INFO - formatter: brief - stream: ext://sys.stdout -# password requirements -password: - min_length: 8 -# username requirements -username: - validation_regex: [] #list of regexes that the selected username must match. Example: '[a-zA-Z]\.[a-zA-Z]' - invalidation_regex: #list of regexes that the selected username must NOT match. Example: '(admin|support)' - - '^abuse' - - 'admin' - - 'support' - - 'help' diff --git a/bundles/matrix-registration/files/matrix-registration.service b/bundles/matrix-registration/files/matrix-registration.service deleted file mode 100644 index bf6ace9..0000000 --- a/bundles/matrix-registration/files/matrix-registration.service +++ /dev/null @@ -1,14 +0,0 @@ -[Unit] -Description=matrix-registration -After=network.target - -[Service] -User=matrix-registration -Group=matrix-registration -WorkingDirectory=/opt/matrix-registration/src -ExecStart=/opt/matrix-registration/venv/bin/matrix-registration --config-path /opt/matrix-registration/config.yaml serve -Restart=always -RestartSec=5 - -[Install] -WantedBy=multi-user.target 
diff --git a/bundles/matrix-registration/items.py b/bundles/matrix-registration/items.py deleted file mode 100644 index 05d8914..0000000 --- a/bundles/matrix-registration/items.py +++ /dev/null 
@@ -1,65 +0,0 @@ -actions['matrix-registration_create_virtualenv'] = { - 'command': '/usr/bin/python3 -m virtualenv -p python3 /opt/matrix-registration/venv/', - 'unless': 'test -d /opt/matrix-registration/venv/', - 'needs': { - # actually /opt/matrix-registration, but we don't create that - 'directory:/opt/matrix-registration/src', - }, -} - -actions['matrix-registration_install'] = { - 'command': ' && '.join([ - 'cd /opt/matrix-registration/src', - '/opt/matrix-registration/venv/bin/pip install psycopg2-binary', - '/opt/matrix-registration/venv/bin/pip install -e .', - ]), - 'needs': { - 'action:matrix-registration_create_virtualenv', - }, - 'triggered': True, -} - -users['matrix-registration'] = { - 'home': '/opt/matrix-registration', -} - -directories['/opt/matrix-registration/src'] = {} - -git_deploy['/opt/matrix-registration/src'] = { - 'repo': 'https://github.com/zeratax/matrix-registration.git', - 'rev': 'master', - 'triggers': { - 'action:matrix-registration_install', - 'svc_systemd:matrix-registration:restart', - }, -} - -files['/opt/matrix-registration/config.yaml'] = { - 'content_type': 'mako', - 'context': { - 'admin_secret': node.metadata.get('matrix-registration/admin_secret'), - 'base_url': node.metadata.get('matrix-registration/base_path', ''), - 'client_redirect': node.metadata.get('matrix-registration/client_redirect'), - 'database': node.metadata.get('matrix-registration/database'), - 'reg_secret': node.metadata.get('matrix-synapse/registration_shared_secret'), - 'server_name': node.metadata.get('matrix-synapse/server_name'), - }, - 'triggers': { - 'svc_systemd:matrix-registration:restart', - }, -} - -files['/usr/local/lib/systemd/system/matrix-registration.service'] = { - 'triggers': { - 'action:systemd-reload', - 'svc_systemd:matrix-registration:restart', - }, -} - -svc_systemd['matrix-registration'] = { - 'needs': { - 'action:matrix-registration_install', - 'file:/opt/matrix-registration/config.yaml', - 
'file:/usr/local/lib/systemd/system/matrix-registration.service', - }, -} diff --git a/bundles/matrix-registration/metadata.py b/bundles/matrix-registration/metadata.py deleted file mode 100644 index f5e4e7c..0000000 --- a/bundles/matrix-registration/metadata.py +++ /dev/null @@ -1,25 +0,0 @@ -defaults = { - 'bash_aliases': { - 'matrix-registration': '/opt/matrix-registration/venv/bin/matrix-registration --config-path /opt/matrix-registration/config.yaml', - }, - 'matrix-registration': { - 'admin_secret': repo.vault.password_for(f'{node.name} matrix-registration admin secret'), - 'database': { - 'user': 'matrix-registration', - 'password': repo.vault.password_for(f'{node.name} postgresql matrix-registration'), - 'database': 'matrix-registration', - }, - }, - 'postgresql': { - 'roles': { - 'matrix-registration': { - 'password': repo.vault.password_for(f'{node.name} postgresql matrix-registration'), - }, - }, - 'databases': { - 'matrix-registration': { - 'owner': 'matrix-registration', - }, - }, - }, -} From 774cdd65b97d6c3eb4b8bcacc9fbf94be574f93e Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Tue, 14 Jan 2025 20:01:06 +0100 Subject: [PATCH 899/996] carlene: remove nodejs --- nodes/carlene.toml | 1 - 1 file changed, 1 deletion(-) diff --git a/nodes/carlene.toml b/nodes/carlene.toml index 9939076..2dbc16c 100644 --- a/nodes/carlene.toml +++ b/nodes/carlene.toml @@ -15,7 +15,6 @@ bundles = [ "miniflux", "netbox", "nextcloud", - "nodejs", "ntfy", "oidentd", "php", From 037ec8e2305c1238d9853fd8d9aa10135a602a30 Mon Sep 17 00:00:00 2001 From: Sophie Schiller Date: Tue, 14 Jan 2025 21:30:22 +0100 Subject: [PATCH 900/996] miniserver: postgres and element update --- nodes/sophie/miniserver.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/nodes/sophie/miniserver.py b/nodes/sophie/miniserver.py index 7be112f..c9d3034 100644 --- a/nodes/sophie/miniserver.py +++ b/nodes/sophie/miniserver.py 
@@ -61,7 +61,7 @@ nodes["htz-cloud.miniserver"] = { }, "element-web": { "url": "chat.sophies-kitchen.eu", - "version": "v1.11.86", + "version": "v1.11.90", "config": { "default_server_config": { "m.homeserver": { @@ -217,7 +217,7 @@ nodes["htz-cloud.miniserver"] = { "allow_unauthorized_write": True, }, "postgresql": { - "version": "11", + "version": "13", }, "sysctl": { "options": { From d258a02d46398d7f87bf8d9246bda8de45e0f2f3 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 26 Jan 2025 09:34:22 +0100 Subject: [PATCH 901/996] update travelynx to 2.9.18 --- nodes/carlene.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nodes/carlene.toml b/nodes/carlene.toml index 2dbc16c..ff16153 100644 --- a/nodes/carlene.toml +++ b/nodes/carlene.toml @@ -250,7 +250,7 @@ disks = [ ] [metadata.travelynx] -version = "2.9.8" +version = "2.9.18" mail_from = "travelynx@franzi.business" domain = "travelynx.franzi.business" From 8a6c0d9e951157a7634c3f57c1d4ff8c65559dce Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Mon, 3 Feb 2025 20:52:38 +0100 Subject: [PATCH 902/996] rottenraptor-server new domain --- bundles/letsencrypt/items.py | 4 ++++ nodes/rottenraptor-server.toml | 6 +++++- 2 files changed, 9 insertions(+), 1 deletion(-) diff --git a/bundles/letsencrypt/items.py b/bundles/letsencrypt/items.py index 585cf8e..dd0b9c2 100644 --- a/bundles/letsencrypt/items.py +++ b/bundles/letsencrypt/items.py @@ -12,6 +12,10 @@ actions = { 'needs': { 'svc_systemd:nginx', }, + 'after': { + 'svc_systemd:nginx:reload', + 'svc_systemd:nginx:restart', + }, }, } diff --git a/nodes/rottenraptor-server.toml b/nodes/rottenraptor-server.toml index 5e53f81..af8000f 100644 --- a/nodes/rottenraptor-server.toml +++ b/nodes/rottenraptor-server.toml 
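Review bot: The reason this action has to run after `svc_systemd:nginx:reload` and `svc_systemd:nginx:restart` is not recorded in the hunk, and the action's own key sits outside it, so a reader cannot tell what the ordering protects or why `'needs': {'svc_systemd:nginx'}` alone is not enough. A one-line comment above `'after'`, such as `# only (re)run once nginx has picked up the current vhost config — if that is the intent`, would keep the next maintainer from dropping it as redundant with `'needs'`. It is also worth stating in that comment that `'after'` is presumably only a soft ordering hint, i.e. it does not require the reload/restart to actually happen, which is what distinguishes it from a hard dependency here. The enclosing `actions` entry starts outside the hunk.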
@@ -23,8 +23,12 @@ ips = [ gateway4 = "91.198.192.193" gateway6 = "2001:67c:b54:1::1" +[metadata.nginx.vhosts.'rotten.city'.locations.'/'] +redirect = "https://www.rottenraptor.com/" +mode = 302 + [metadata.nginx.vhosts.immich] -domain = "rr-immich.franzi.business" +domain = "immich.rotten.city" [metadata.smartd] disks = [ From 97f6e8538f25cd33f72e9129700b16e7020c5037 Mon Sep 17 00:00:00 2001 From: Sophie Schiller Date: Thu, 6 Feb 2025 23:37:00 +0100 Subject: [PATCH 903/996] miniserver: element-web update --- nodes/sophie/miniserver.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nodes/sophie/miniserver.py b/nodes/sophie/miniserver.py index c9d3034..5fd1c11 100644 --- a/nodes/sophie/miniserver.py +++ b/nodes/sophie/miniserver.py @@ -61,7 +61,7 @@ nodes["htz-cloud.miniserver"] = { }, "element-web": { "url": "chat.sophies-kitchen.eu", - "version": "v1.11.90", + "version": "v1.11.91", "config": { "default_server_config": { "m.homeserver": { From 0c1a96cb724ac1afa8c7390651001023051e010b Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Tue, 11 Feb 2025 21:16:16 +0100 Subject: [PATCH 904/996] carlene: new ssd --- nodes/carlene.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nodes/carlene.toml b/nodes/carlene.toml index ff16153..51b4f73 100644 --- a/nodes/carlene.toml +++ b/nodes/carlene.toml @@ -245,7 +245,7 @@ dkim = "uO4aNejDvVdw8BKne3KJIqAvCQMJ0416" [metadata.smartd] disks = [ - "/dev/disk/by-id/nvme-SAMSUNG_MZVL22T0HBLB-00B00_S677NF0W508470", + "/dev/disk/by-id/nvme-SAMSUNG_MZVL22T0HBLB-00B00_S677NF0W503350", "/dev/disk/by-id/nvme-SAMSUNG_MZVL22T0HBLB-00B00_S677NX0W114380", ] From 6d2aad20ba3bfbc94f89df265ac2bd2696bda93e Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Tue, 11 Feb 2025 21:20:30 +0100 Subject: [PATCH 905/996] update forgejo to 10.0.1 --- nodes/carlene.toml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/nodes/carlene.toml b/nodes/carlene.toml index 51b4f73..1936f4c 100644 
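Review bot: `mode = 302` in the new `rotten.city` vhost is a temporary redirect, so for what the commit title calls a new domain browsers and crawlers keep returning to the old name and never update bookmarks or indexes; once the move is final this should be `mode = 301` (or 308). If 302 is deliberate while the new domain is being tested, say so next to it, `# 302 until immich.rotten.city is confirmed working, then switch to 301`, so it is not tidied away later.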
--- a/nodes/carlene.toml +++ b/nodes/carlene.toml @@ -37,8 +37,8 @@ imap_host = "secureimap.t-online.de" imap_pass = "!bwpass_attr:t-online.de/franzi.kunsmann@t-online.de:imap" [metadata.forgejo] -version = "9.0.3" -sha1 = "a04a8d5bee7321610d91da780a24e18f7407403c" +version = "10.0.1" +sha1 = "4bfe8cbe979ef8896e294ca662f4cf62af01531c" domain = "git.franzi.business" enable_git_hooks = true install_ssh_key = true From 846f34b8556343a31e64f711d51f7f0b1564f14a Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Tue, 11 Feb 2025 21:20:52 +0100 Subject: [PATCH 906/996] update matrix-media-repo to 1.3.8 --- nodes/carlene.toml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/nodes/carlene.toml b/nodes/carlene.toml index 1936f4c..c361868 100644 --- a/nodes/carlene.toml +++ b/nodes/carlene.toml @@ -58,9 +58,9 @@ gateway6 = "2a0a:51c0:0:225::1" [metadata.matrix-media-repo] admins = ["@kunsi:franzi.business"] datastore_id = "3fff5da324ed784c771d638bb6be5917" -sha1 = "3e2bb7089b0898b86000243a82cc58ae998dc9d9" +sha1 = "453c12cfb9f2c44c509620b63f94f8a9e2d048ef" upload_max_mb = 500 -version = "v1.3.7" +version = "v1.3.8" [metadata.matrix-media-repo.homeservers.'franzi.business'] api = "synapse" domain = "http://[::1]:20080/" From 159701d7b8658f35911abe08725e0c8341fe239e Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Tue, 11 Feb 2025 21:21:27 +0100 Subject: [PATCH 907/996] update netbox to 4.2.3 --- nodes/carlene.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nodes/carlene.toml b/nodes/carlene.toml index c361868..6a8c489 100644 --- a/nodes/carlene.toml +++ b/nodes/carlene.toml @@ -114,7 +114,7 @@ domain = "rss.franzi.business" [metadata.netbox] domain = "netbox.franzi.business" -version = "v4.1.10" +version = "v4.2.3" admins.kunsi = "hostmaster@kunbox.net" [metadata.nextcloud] From 59596c08ae4e9fef085ae7bfd53c3c5ef1f22ad0 Mon Sep 17 00:00:00 2001 
From: Franziska Kunsmann Date: Tue, 11 Feb 2025 21:23:15 +0100 Subject: [PATCH 908/996] update paperless-ngx to 2.14.7 --- nodes/home/paperless.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nodes/home/paperless.py b/nodes/home/paperless.py index 6297179..7a28c3d 100644 --- a/nodes/home/paperless.py +++ b/nodes/home/paperless.py @@ -48,7 +48,7 @@ nodes['home.paperless'] = { }, 'paperless': { 'domain': 'paperless.home.kunbox.net', - 'version': 'v2.13.5', + 'version': 'v2.14.7', 'timezone': 'Europe/Berlin', }, 'postgresql': { From 18b8c963ab7903bc36a96e09a9c0ae6aaae6b021 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Fri, 14 Feb 2025 19:32:13 +0100 Subject: [PATCH 909/996] bundles/backup-server: support raid0-ing multiple raidz --- bundles/backup-server/metadata.py | 63 ++++++++++++++++++++++--------- 1 file changed, 45 insertions(+), 18 deletions(-) diff --git a/bundles/backup-server/metadata.py b/bundles/backup-server/metadata.py index 3d78ed6..4be6390 100644 --- a/bundles/backup-server/metadata.py +++ b/bundles/backup-server/metadata.py @@ -1,3 +1,5 @@ +from bundlewrap.exceptions import BundleError + defaults = { 'backup-server': { 'my_ssh_port': 22, 
@@ -69,25 +71,51 @@ def zfs_pool(metadata): return {} crypt_devices = {} - pool_devices = set() unlock_actions = set() - for number, (device, passphrase) in enumerate(sorted(metadata.get('backup-server/encrypted-devices', {}).items())): - crypt_devices[device] = { - 'dm-name': f'backup{number}', - 'passphrase': passphrase, - } - pool_devices.add(f'/dev/mapper/backup{number}') - unlock_actions.add(f'action:dm-crypt_open_backup{number}') + devices = metadata.get('backup-server/encrypted-devices') - pool_opts = { - 'devices': pool_devices, - } + # TODO remove this once we have migrated all systems + if isinstance(devices, dict): + pool_devices = set() - if len(pool_devices) > 2: - pool_opts['type'] = 'raidz' - elif len(pool_devices) > 1: - pool_opts['type'] = 'mirror' + for number, (device, passphrase) in enumerate(sorted(devices.items())): + crypt_devices[device] = { + 'dm-name': f'backup{number}', + 'passphrase': passphrase, + } + pool_devices.add(f'/dev/mapper/backup{number}') + unlock_actions.add(f'action:dm-crypt_open_backup{number}') + + pool_config = [{ + 'devices': pool_devices, + }] + + if len(pool_devices) > 2: + pool_config[0]['type'] = 'raidz' + elif len(pool_devices) > 1: + pool_config[0]['type'] = 'mirror' + + elif isinstance(devices, list): + pool_config = [] + + for idx, intended_pool in enumerate(devices): + pool_devices = set() + + for number, (device, passphrase) in enumerate(sorted(intended_pool.items())): + crypt_devices[device] = { + 'dm-name': f'backup{idx}-{number}', + 'passphrase': passphrase, + } + pool_devices.add(f'/dev/mapper/backup{idx}-{number}') + unlock_actions.add(f'action:dm-crypt_open_backup{idx}-{number}') + + pool_config.append({ + 'devices': pool_devices, + 'type': 'raidz', + }) + else: + raise BundleError(f'{node.name}: unsupported configuration for backup-server/encrypted-devices') return { 'backup-server': { 
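Review bot: In the new list branch every `intended_pool` is appended with `'type': 'raidz'` no matter how many partitions it holds, while the dict branch just above only chooses raidz above two devices and mirror for two; a two-partition entry therefore becomes a degenerate raidz instead of a mirror and a single-partition entry is likely rejected by `zpool create` outright. Either reuse the count-based selection per entry or fail early: `if len(pool_devices) < 3: raise BundleError(f'{node.name}: raidz vdev needs at least 3 devices, got {len(pool_devices)}')`. Raising `BundleError` for an unexpected metadata shape is the right call here; the `zfs_pool` reactor starts before this hunk and its return statement continues after it.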
@@ -100,9 +128,8 @@ def zfs_pool(metadata): 'pools': { 'backups': { 'when_creating': { - 'config': [ - pool_opts, - ], + 'config': pool_config, + **metadata.get('backup-server/zpool_create_options', {}), }, 'needs': unlock_actions, # That's a bit hacky. We do it this way to auto-import From f0031ef847d52500ddb5648f86a426011e04ea64 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Fri, 14 Feb 2025 19:33:13 +0100 Subject: [PATCH 910/996] rottenraptor-server: new disks --- nodes/rottenraptor-server.toml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/nodes/rottenraptor-server.toml b/nodes/rottenraptor-server.toml index af8000f..1a28b6b 100644 --- a/nodes/rottenraptor-server.toml +++ b/nodes/rottenraptor-server.toml @@ -5,7 +5,7 @@ groups = [ ] bundles = [ "docker-engine", - "docker-immich", +# "docker-immich", "ipmitool", "redis", "smartd", @@ -32,8 +32,8 @@ domain = "immich.rotten.city" [metadata.smartd] disks = [ - "/dev/disk/by-id/ata-WDC_WD30EZRX-00DC0B0_WD-WMC1T0287704", - "/dev/disk/by-id/ata-WDC_WD30EZRX-00DC0B0_WD-WMC1T0387139", + "/dev/disk/by-id/ata-HUH721008ALN600_7SGH125C", + "/dev/disk/by-id/ata-HUH721008ALN600_7SGH726C", "/dev/disk/by-id/ata-WDC_WDS100T1R0A-68A4W0_21133V800321", "/dev/disk/by-id/ata-WDC_WDS100T1R0A-68A4W0_21283J446103", "/dev/disk/by-id/nvme-TOSHIBA-RC100_58UPC29HPW5S", @@ -45,8 +45,8 @@ ashift = 12 [[metadata.zfs.pools.tank.when_creating.config]] type = "mirror" devices = [ - "/dev/disk/by-id/ata-WDC_WD30EZRX-00DC0B0_WD-WMC1T0287704", - "/dev/disk/by-id/ata-WDC_WD30EZRX-00DC0B0_WD-WMC1T0387139", + "/dev/disk/by-id/ata-HUH721008ALN600_7SGH125C", + "/dev/disk/by-id/ata-HUH721008ALN600_7SGH726C", ] [[metadata.zfs.pools.tank.when_creating.config]] From 22263eaf6f6dfddef6e3ebb10d935a2709496ace Mon Sep 17 00:00:00 2001 
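Review bot: `**metadata.get('backup-server/zpool_create_options', {})` is spread after `'config': pool_config`, so a node that puts a `config` key into its zpool_create_options silently replaces the computed layout of unlocked dm-crypt devices with whatever it wrote. Spread the options first so the computed layout always wins, `{**metadata.get('backup-server/zpool_create_options', {}), 'config': pool_config}`, or raise a BundleError when `'config'` appears in the options. The enclosing return statement of `zfs_pool` begins before this hunk.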
From: Franziska Kunsmann Date: Fri, 14 Feb 2025 19:33:52 +0100 Subject: [PATCH 911/996] add new backup server --- nodes/backup-kunsi.toml | 34 ++++++++++++++++++++++++++++++++++ 1 file changed, 34 insertions(+) create mode 100644 nodes/backup-kunsi.toml diff --git a/nodes/backup-kunsi.toml b/nodes/backup-kunsi.toml new file mode 100644 index 0000000..276aa0a --- /dev/null +++ b/nodes/backup-kunsi.toml @@ -0,0 +1,34 @@ +hostname = "2001:67c:b54:1::f" +bundles = ["backup-server", "dm-crypt", "zfs"] +groups = ["debian-bookworm"] + +[metadata] +nameservers = ["2001:4860:4860::8888"] + +[metadata.apt.unattended-upgrades] +# requires manual apply to unlock disks +reboot_enabled = false + +[metadata.interfaces.ens18] +ips = ["2001:67c:b54:1::f/64"] +gateway6 = "2001:67c:b54:1::1" + +[metadata.backups] +# this is the backup server +exclude_from_backups = true + +[metadata.backup-server.zpool_create_options] +ashift = 12 + +[[metadata.backup-server.encrypted-devices]] +"/dev/disk/by-id/scsi-0QEMU_QEMU_HARDDISK_drive-scsi1-part1" = "!bwpass:bw/backup-kunsi/ata-ST18000NM0092-3CX103_ZVV06SLR-part1" +"/dev/disk/by-id/scsi-0QEMU_QEMU_HARDDISK_drive-scsi2-part1" = "!bwpass:bw/backup-kunsi/ata-ST18000NM0092-3CX103_ZVV0686W-part1" +"/dev/disk/by-id/scsi-0QEMU_QEMU_HARDDISK_drive-scsi3-part1" = "!bwpass:bw/backup-kunsi/ata-ST18000NM0092-3CX103_ZVV06JV7-part1" + +[[metadata.backup-server.encrypted-devices]] +"/dev/disk/by-id/scsi-0QEMU_QEMU_HARDDISK_drive-scsi1-part2" = "!bwpass:bw/backup-kunsi/ata-ST18000NM0092-3CX103_ZVV06SLR-part2" +"/dev/disk/by-id/scsi-0QEMU_QEMU_HARDDISK_drive-scsi2-part2" = "!bwpass:bw/backup-kunsi/ata-ST18000NM0092-3CX103_ZVV0686W-part2" +"/dev/disk/by-id/scsi-0QEMU_QEMU_HARDDISK_drive-scsi3-part2" = "!bwpass:bw/backup-kunsi/ata-ST18000NM0092-3CX103_ZVV06JV7-part2" + +[metadata.zfs] +scrub_when = "Wed 08:00 Europe/Berlin" From a7a59fd690fa08bd0c1e4bc36826dd9ae64eddaf Mon Sep 17 00:00:00 2001 
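Review bot: The two `[[metadata.backup-server.encrypted-devices]]` tables slice the same three physical disks into part1 and part2 and build one raidz per slice, so the two vdevs share a failure domain: one disk loss degrades both raidz vdevs at once and a second loss takes the whole striped pool, which is no better than a single raidz over whole disks. If this split is intentional (the QEMU device aliases hint at a hypervisor-side constraint, but that is a guess), a comment above the first table would keep the next person from "fixing" it, e.g. `# both raidz vdevs sit on the same three disks (part1/part2); two disk failures lose the pool`. A second comment mapping the QEMU aliases to the serials used in the `!bwpass` keys, `# scsi1 = ZVV06SLR, scsi2 = ZVV0686W, scsi3 = ZVV06JV7` if the pairing on each line is accurate, would help when a disk is replaced. `reboot_enabled = false` with its reason is a good example of exactly that kind of note.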
From: Franziska Kunsmann Date: Fri, 14 Feb 2025 21:25:10 +0100 Subject: [PATCH 912/996] bundles/backups-server: read backup snapshot info from file instead of asking zfs every time --- .../backup-server/files/check_backup_for_node | 23 +++-------- .../files/check_backup_for_node-cron | 39 +++++++++++++++++++ bundles/backup-server/items.py | 3 ++ bundles/backup-server/metadata.py | 10 ++++- 4 files changed, 56 insertions(+), 19 deletions(-) create mode 100644 bundles/backup-server/files/check_backup_for_node-cron diff --git a/bundles/backup-server/files/check_backup_for_node b/bundles/backup-server/files/check_backup_for_node index b7866f8..bf57012 100644 --- a/bundles/backup-server/files/check_backup_for_node +++ b/bundles/backup-server/files/check_backup_for_node @@ -2,7 +2,6 @@ from datetime import datetime from json import load -from subprocess import check_output from sys import argv, exit from time import time @@ -18,29 +17,17 @@ try: with open(f'/etc/backup-server/config.json', 'r') as f: server_settings = load(f) - # get all existing snapshots for NODE - for line in check_output('LC_ALL=C zfs list -H -t snapshot -o name', shell=True).splitlines(): - line = line.decode('UTF-8') + with open(f'/etc/backup-server/backups.json', 'r') as f: + backups = load(f) - if line.startswith('{}/{}@'.format(server_settings['zfs-base'], NODE)): - _, snapname = line.split('@', 1) - - if 'zfs-auto-snap' in snapname: - # migration from auto-snapshots, ignore - continue - - ts, bucket = snapname.split('-', 1) - snaps.add(int(ts)) - - if not snaps: + if NODE not in backups: print('No backups found!') exit(2) - last_snap = sorted(snaps)[-1] - delta = NOW - last_snap + delta = NOW - backups[NODE] print('Last backup was on {} UTC'.format( - datetime.fromtimestamp(last_snap).strftime('%Y-%m-%d %H:%M:%S'), + datetime.fromtimestamp(backups[NODE]).strftime('%Y-%m-%d %H:%M:%S'), )) # One day without backups is still okay. There may be fluctuations 
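Review bot: The check now depends on `/etc/backup-server/backups.json` existing and being readable, but on a freshly installed server before the timer has fired (or if the file is unreadable by the unprivileged plugin user introduced later in this series) the `open()` raises inside the `try`, whose handler is outside this hunk; unless that handler maps it to UNKNOWN the plugin emits a traceback instead of a state. Add an explicit branch before the generic one: `except FileNotFoundError: print('UNKNOWN: backups.json not generated yet'); exit(3)`. Note also that the generator keys entries by the last path component of the dataset, so if a client dataset were ever nested below `zfs-base` it would be looked up under its leaf name only. The enclosing `try` block starts before this hunk.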
diff --git a/bundles/backup-server/files/check_backup_for_node-cron b/bundles/backup-server/files/check_backup_for_node-cron new file mode 100644 index 0000000..b82217d --- /dev/null +++ b/bundles/backup-server/files/check_backup_for_node-cron @@ -0,0 +1,39 @@ +#!/usr/bin/env python3 + +from json import load, dump +from subprocess import check_output +from shutil import move +from os import remove +from collections import defaultdict + +with open('/etc/backup-server/config.json', 'r') as f: + server_settings = load(f) + +snapshots = defaultdict(set) + +for line in check_output('LC_ALL=C zfs list -H -t snapshot -o name', shell=True).splitlines(): + line = line.decode('UTF-8') + + if line.startswith('{}/'.format(server_settings['zfs-base'])): + dataset, snapname = line.split('@', 1) + + dataset = dataset.split('/')[-1] + ts, bucket = snapname.split('-', 1) + + if not ts.isdigit(): + # garbage, ignore + continue + + snapshots[dataset].add(int(ts)) + +backups = {} +for dataset, snaps in snapshots.items(): + backups[dataset] = sorted(snaps)[-1] + +with open('/etc/backup-server/backups.tmp.json', 'w') as f: + dump(backups, f) + +move( + '/etc/backup-server/backups.tmp.json', + '/etc/backup-server/backups.json', +) diff --git a/bundles/backup-server/items.py b/bundles/backup-server/items.py index bd4d12f..e872231 100644 --- a/bundles/backup-server/items.py +++ b/bundles/backup-server/items.py @@ -18,6 +18,9 @@ files = { '/usr/local/share/icinga/plugins/check_backup_for_node': { 'mode': '0755', }, + '/usr/local/share/icinga/plugins/check_backup_for_node-cron': { + 'mode': '0755', + }, } directories['/etc/backup-server/clients'] = { diff --git a/bundles/backup-server/metadata.py b/bundles/backup-server/metadata.py index 4be6390..aace61b 100644 --- a/bundles/backup-server/metadata.py +++ b/bundles/backup-server/metadata.py 
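Review bot: `ts, bucket = snapname.split('-', 1)` raises ValueError for any snapshot name without a dash (a hand-made `zfs snapshot base/node@manual`, say), which aborts the whole run before `backups.json` is rewritten, so every node's check then drifts stale even though the comment intends such names to be ignored as garbage. Use `ts, _, bucket = snapname.partition('-')` so the existing `if not ts.isdigit(): continue` guard covers it. The `remove` import is unused, and the list form `check_output(['zfs', 'list', '-H', '-t', 'snapshot', '-o', 'name'], env={**os.environ, 'LC_ALL': 'C'})` avoids the shell entirely. The write-to-temp-then-`move` pattern is good: within one filesystem that is an `os.rename`, so readers never see a partial file.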
@@ -10,6 +10,14 @@ defaults = { 'c-*', }, }, + 'systemd-timers': { + 'timers': { + 'check_backup_for_node-cron': { + 'command': '/usr/local/share/icinga/plugins/check_backup_for_node-cron', + 'when': '*-*-* *:00/5:00', # every five minutes + } + }, + }, 'zfs': { # The whole point of doing backups is to keep them for a long # time, which eliminates the need for this check. @@ -183,7 +191,7 @@ def monitoring(metadata): continue services[f'BACKUPS FOR NODE {client}'] = { - 'command_on_monitored_host': 'sudo /usr/local/share/icinga/plugins/check_backup_for_node {} {}'.format( + 'command_on_monitored_host': '/usr/local/share/icinga/plugins/check_backup_for_node {} {}'.format( client, config['one_backup_every_hours'], ), From 83730ccb6d106d35e67103bdf472478e780af4d2 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sat, 15 Feb 2025 08:51:07 +0100 Subject: [PATCH 913/996] bundles/backup-server: ignore all non-digit snapshots when rotating --- bundles/backup-server/files/rotate-single-backup-client | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/bundles/backup-server/files/rotate-single-backup-client b/bundles/backup-server/files/rotate-single-backup-client index ee49e26..c76c6b5 100644 --- a/bundles/backup-server/files/rotate-single-backup-client +++ b/bundles/backup-server/files/rotate-single-backup-client @@ -33,12 +33,11 @@ for line in check_output('LC_ALL=C zfs list -H -t snapshot -o name', shell=True) if line.startswith('{}/{}@'.format(server_settings['zfs-base'], NODE)): _, snapname = line.split('@', 1) + ts, bucket = snapname.split('-', 1) - if 'zfs-auto-snap' in snapname: - # migration from auto-snapshots, ignore + if not ts.isdigit(): continue - ts, bucket = snapname.split('-', 1) buckets.setdefault(bucket, set()).add(int(ts)) syslog(f'classified {line} as {bucket} from {ts}') From aae1e8397e06332c8f3358474e1de11ab49005fe Mon Sep 17 00:00:00 2001 
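Review bot: Dropping `sudo` means `check_backup_for_node` now runs as the monitoring user, so `/etc/backup-server/config.json` and the new `backups.json` (written by the timer as root with whatever mode its umask yields) must be world-readable and `/etc/backup-server` traversable; nothing visible in this series sets those modes explicitly, so a restrictive umask or directory mode would turn every `BACKUPS FOR NODE` service red at once. Declare the directory mode in items.py and have the generator fix the file mode before renaming, `os.chmod('/etc/backup-server/backups.tmp.json', 0o644)`. The `monitoring()` reactor body starts before this hunk.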
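Review bot: Moving the split ahead of the guard still leaves `snapname.split('-', 1)` to raise ValueError on a snapshot name with no dash at all, which aborts rotation for NODE, the opposite of what "ignore all non-digit snapshots" promises. `ts, _, bucket = snapname.partition('-')` followed by `if not ts.isdigit() or not bucket: continue` yields a non-digit ts (or empty bucket) for such names so they are skipped; the `or not bucket` also keeps an all-digit name without a bucket suffix from landing in a bucket named `''`. The loop this sits in starts before the hunk.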
From: Franziska Kunsmann Date: Sat, 15 Feb 2025 09:19:24 +0100 Subject: [PATCH 914/996] proxmox-backupstorage: new server, new checks --- nodes/htz-hel/proxmox-backupstorage.toml | 28 ------------------- nodes/proxmox-backupstorage.toml | 34 ++++++++++++++++++++++++ 2 files changed, 34 insertions(+), 28 deletions(-) delete mode 100644 nodes/htz-hel/proxmox-backupstorage.toml create mode 100644 nodes/proxmox-backupstorage.toml diff --git a/nodes/htz-hel/proxmox-backupstorage.toml b/nodes/htz-hel/proxmox-backupstorage.toml deleted file mode 100644 index 0c6d7ac..0000000 --- a/nodes/htz-hel/proxmox-backupstorage.toml +++ /dev/null @@ -1,28 +0,0 @@ -hostname = "2a01:4f9:6b:2d99::c0ff:ee" -#dummy = true -bundles = ["sshmon", "smartd"] - -# How to install: -# - Get server at Hetzner (no IPv4) -# - Install latest proxmox compatible debian -# - RAID5 -# - 50G for system -# - leave rest unpartitioned -# - install zfs -# - create additional partitions for remaining disk space -# - create raidz on those partitions -# - enable ipv6 forwarding -# - install proxmox via apt - -# VM config: -# - IPv6 only -# - IP from the /64 hetzner gives us -# - Gateway is the host itself, to work around the MAC filter hetzner uses - -[metadata.smartd] -disks = [ - "/dev/sda", - "/dev/sdb", - "/dev/sdc", - "/dev/sdd", -] diff --git a/nodes/proxmox-backupstorage.toml b/nodes/proxmox-backupstorage.toml new file mode 100644 index 0000000..7d58297 --- /dev/null +++ b/nodes/proxmox-backupstorage.toml 
@@ -0,0 +1,34 @@ +hostname = "192.168.100.31" +dummy = true + +[metadata.icinga2_api.smartd.services."SMART STATUS CT480BX500SSD1_2314E6C5C695"] +check_command = "sshmon" +"vars.sshmon_command" = "CT480BX500SSD1_2314E6C5C695" + +[metadata.icinga2_api.smartd.services."SMART STATUS CT480BX500SSD1_2314E6C5C6C8"] +check_command = "sshmon" +"vars.sshmon_command" = "CT480BX500SSD1_2314E6C5C6C8" + +[metadata.icinga2_api.smartd.services."SMART STATUS ST18000NM0092-3CX103_ZVV0686W"] +check_command = "sshmon" +"vars.sshmon_command" = "ST18000NM0092-3CX103_ZVV0686W" + +[metadata.icinga2_api.smartd.services."SMART STATUS ST18000NM0092-3CX103_ZVV06JV7"] +check_command = "sshmon" +"vars.sshmon_command" = "ST18000NM0092-3CX103_ZVV06JV7" + +[metadata.icinga2_api.smartd.services."SMART STATUS ST18000NM0092-3CX103_ZVV06SLR"] +check_command = "sshmon" +"vars.sshmon_command" = "ST18000NM0092-3CX103_ZVV06SLR" + +[metadata.icinga2_api.smartd.services."SMART STATUS ST8000NM0045-1RL112_ZA1EYQWR"] +check_command = "sshmon" +"vars.sshmon_command" = "ST8000NM0045-1RL112_ZA1EYQWR" + +[metadata.icinga2_api.smartd.services."SMART STATUS ST8000NM0045-1RL112_ZA1EYZQF"] +check_command = "sshmon" +"vars.sshmon_command" = "ST8000NM0045-1RL112_ZA1EYZQF" + +[metadata.icinga2_api.smartd.services."SMART STATUS ST8000NM0045-1RL112_ZA1EZ0X5"] +check_command = "sshmon" +"vars.sshmon_command" = "ST8000NM0045-1RL112_ZA1EZ0X5" From 463443e1e3d4bcb16b1a3f26b62d296fd0c5afdc Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sat, 15 Feb 2025 10:32:56 +0100 Subject: [PATCH 915/996] bundles/docker-engine: do not put containers on the host network --- bundles/docker-engine/files/docker-wrapper | 5 ++--- bundles/docker-engine/metadata.py | 13 +++++++++++++ 2 files changed, 15 insertions(+), 3 deletions(-) diff --git a/bundles/docker-engine/files/docker-wrapper b/bundles/docker-engine/files/docker-wrapper index c225ceb..20bf38d 100644 --- a/bundles/docker-engine/files/docker-wrapper 
+++ b/bundles/docker-engine/files/docker-wrapper @@ -18,6 +18,7 @@ PGID="$(id -g "docker-${name}")" if [ "$ACTION" == "start" ] then docker run -d \ + --rm \ --name "${name}" \ --env "PUID=$PUID" \ --env "PGID=$PGID" \ @@ -25,9 +26,8 @@ then % for k, v in sorted(environment.items()): --env "${k}=${v}" \ % endfor - --network host \ % for host_port, container_port in sorted(ports.items()): - --expose "127.0.0.1:${host_port}:${container_port}" \ + --publish "127.0.0.1:${host_port}:${container_port}" \ % endfor % for host_path, container_path in sorted(volumes.items()): --volume "/var/opt/docker-engine/${name}/${host_path}:${container_path}" \ @@ -38,7 +38,6 @@ then elif [ "$ACTION" == "stop" ] then docker stop "${name}" - docker rm "${name}" else echo "Unknown action $ACTION" diff --git a/bundles/docker-engine/metadata.py b/bundles/docker-engine/metadata.py index fa55b5e..39cc92f 100644 --- a/bundles/docker-engine/metadata.py +++ b/bundles/docker-engine/metadata.py @@ -18,6 +18,19 @@ defaults = { '/var/opt/docker-engine', }, }, + 'nftables': { + 'forward': { + 'docker-engine': [ + 'ct state { related, established } accept', + 'iifname docker0 accept', + ], + }, + 'postrouting': { + 'docker-engine': [ + 'iifname docker0 masquerade', + ], + }, + }, 'hosts': { 'entries': { '172.17.0.1': { From 5af3fbe3e06de7ac32f5efdff89699bb8f674b81 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sat, 15 Feb 2025 10:33:25 +0100 Subject: [PATCH 916/996] bundles/redis: support 'restrict-to' --- bundles/redis/metadata.py | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/bundles/redis/metadata.py b/bundles/redis/metadata.py index cf15c20..dc0f23b 100644 --- a/bundles/redis/metadata.py +++ b/bundles/redis/metadata.py @@ -1,3 +1,5 @@ +from bundlewrap.metadata import atomic + defaults = { 'apt': { 'packages': { 
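Review bot: `--rm` conflicts with `--restart unless-stopped`, which a later hunk of this file shows is still on the same `docker run` line; docker refuses that combination as conflicting options, so the unit cannot start, which would explain the follow-up commit on this page that reverts `--rm` in favour of `docker rm || true`. The safer shape is to keep the explicit cleanup, `docker rm -f "${name}" >/dev/null 2>&1 || true` ahead of `docker run`, and leave `--restart` in place. Replacing `--network host` + `--expose` with `--publish 127.0.0.1:...` is a real improvement: `--expose` never published anything, and host networking gave every container the host's entire network namespace. The `docker run` invocation begins before this hunk.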
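Review bot: `iifname docker0 accept` in the forward chain lets containers reach anything the host can route to, LAN and management networks included, not just the internet, and with `iptables: False` Docker adds no isolation of its own. If containers only need egress, put a deny for private ranges ahead of it, `iifname docker0 ip daddr { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 } drop`, or scope the accept by destination. This also only matches the default bridge: user-defined networks get a `br-<id>` interface and are not covered, which a later commit on this page appears to hit.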
@@ -48,3 +50,16 @@ if node.has_bundle('telegraf'): }, }, } + + +@metadata_reactor.provides( + 'firewall/port_rules', +) +def firewall(metadata): + return { + 'firewall': { + 'port_rules': { + '6379/tcp': atomic(metadata.get('redis/restrict-to', {'*'})), + }, + }, + } From 932ae43621382ae0b0faf691d1e7b7870817911d Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sat, 15 Feb 2025 11:06:09 +0100 Subject: [PATCH 917/996] bundles/docker-engine: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAARGLLLLLLLLLLLLLLLLLLLLLLLLL networking is apparently hard --- bundles/docker-engine/files/docker-wrapper | 4 +++- bundles/docker-engine/items.py | 19 +++++++++++++++++-- 2 files changed, 20 insertions(+), 3 deletions(-) diff --git a/bundles/docker-engine/files/docker-wrapper b/bundles/docker-engine/files/docker-wrapper index 20bf38d..adff8e4 100644 --- a/bundles/docker-engine/files/docker-wrapper +++ b/bundles/docker-engine/files/docker-wrapper @@ -17,8 +17,9 @@ PGID="$(id -g "docker-${name}")" if [ "$ACTION" == "start" ] then + docker rm "${name}" || true + docker run -d \ - --rm \ --name "${name}" \ --env "PUID=$PUID" \ --env "PGID=$PGID" \ @@ -26,6 +27,7 @@ then % for k, v in sorted(environment.items()): --env "${k}=${v}" \ % endfor + --network aaarghhh \ % for host_port, container_port in sorted(ports.items()): --publish "127.0.0.1:${host_port}:${container_port}" \ % endfor diff --git a/bundles/docker-engine/items.py b/bundles/docker-engine/items.py index 9e52eca..941c766 100644 --- a/bundles/docker-engine/items.py +++ b/bundles/docker-engine/items.py 
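Review bot: The default `{'*'}` opens 6379/tcp to every source whenever a node sets no `redis/restrict-to`, and Redis ships with no authentication, so a plain `bundles = ['redis']` becomes an unauthenticated, Internet-reachable datastore if the firewall bundle treats `'*'` as any source (that bundle is outside this hunk). The safe default is no rule at all, `atomic(metadata.get('redis/restrict-to', set()))`, which is what a later patch on this page changes it to. Wrapping the set in `atomic` is the right choice so group metadata cannot be merged into a wider allow-list than the node intended.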
@@ -28,6 +28,21 @@ files['/usr/local/share/icinga/plugins/check_docker_container'] = { 'mode': '0755', } +actions['docker_create_nondefault_network'] = { + # + # By default, containers inherit the DNS settings as defined in the + # /etc/resolv.conf configuration file. Containers that attach to the + # default bridge network receive a copy of this file. Containers that + # attach to a custom network use Docker's embedded DNS server. The embedded + # DNS server forwards external DNS lookups to the DNS servers configured on + # the host. + 'command': 'docker network create aaarghhh', + 'unless': 'docker network ls | grep -q -F aaarghhh', + 'needs': { + 'svc_systemd:docker', + }, +} + for app, config in node.metadata.get('docker-engine/containers', {}).items(): volumes = config.get('volumes', {}) @@ -54,8 +69,8 @@ for app, config in node.metadata.get('docker-engine/containers', {}).items(): 'docker', }, 'after': { - # provides docker group - 'pkg_apt:docker-ce', + 'action:docker_create_nondefault_network', + 'svc_systemd:docker', }, } From 46381c63df883f9f22f29257922552782be7f56f Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sat, 15 Feb 2025 11:07:11 +0100 Subject: [PATCH 918/996] rottenraptor-server: get immich working again --- bundles/docker-immich/metadata.py | 27 ++++++++++++++------------- nodes/rottenraptor-server.toml | 2 +- 2 files changed, 15 insertions(+), 14 deletions(-) diff --git a/bundles/docker-immich/metadata.py b/bundles/docker-immich/metadata.py index b41ea36..4c57801 100644 --- a/bundles/docker-immich/metadata.py +++ b/bundles/docker-immich/metadata.py 
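Review bot: `unless: docker network ls | grep -q -F aaarghhh` is a substring test, so a network named `aaarghhh-old` or `xaaarghhh` satisfies it and the create action is skipped; this is the same class of bug a later commit on this page fixes for check_docker_container. `docker network inspect aaarghhh >/dev/null 2>&1` is an exact check and needs no parsing. The explanatory comment about Docker's embedded DNS is useful; a more descriptive network name than `aaarghhh` (it is now referenced from both the wrapper and this action) would make the intent readable without the comment.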
@@ -9,24 +9,29 @@ defaults = { 'image': 'ghcr.io/imagegenius/immich:latest', 'environment': { 'DB_DATABASE_NAME': 'immich', - 'DB_HOSTNAME': 'host.docker.internal', + 'DB_HOSTNAME': 'immich-postgresql', 'DB_PASSWORD': repo.vault.password_for(f'{node.name} postgresql immich'), 'DB_USERNAME': 'immich', - 'REDIS_HOSTNAME': 'host.docker.internal', + 'REDIS_HOSTNAME': 'immich-redis', }, 'volumes': { 'config': '/config', 'libraries': '/libraries', 'photos': '/photos', }, + 'ports': { + '8080': '8080', + }, 'needs': { - 'svc_systemd:docker-postgresql14', + 'svc_systemd:docker-immich-postgresql', + 'svc_systemd:docker-immich-redis', }, 'requires': { - 'docker-postgresql14.service', + 'docker-immich-postgresql.service', + 'docker-immich-redis.service', }, }, - 'postgresql14': { + 'immich-postgresql': { 'image': 'tensorchord/pgvecto-rs:pg14-v0.2.0', 'environment': { 'POSTGRES_PASSWORD': repo.vault.password_for(f'{node.name} postgresql immich'), @@ -37,6 +42,9 @@ defaults = { 'database': '/var/lib/postgresql/data', }, }, + 'immich-redis': { + 'image': 'docker.io/redis:6.2-alpine', + }, }, }, 'nginx': { @@ -46,19 +54,12 @@ defaults = { '/': { 'target': 'http://127.0.0.1:8080/', 'websockets': True, - 'max_body_size': '500m', + 'max_body_size': '5000m', }, - #'/api/socket.io/': { - # 'target': 'http://127.0.0.1:8081/', - # 'websockets': True, - #}, }, }, }, }, - 'redis': { - 'bind': '0.0.0.0', - }, } diff --git a/nodes/rottenraptor-server.toml b/nodes/rottenraptor-server.toml index 1a28b6b..54a5fe1 100644 --- a/nodes/rottenraptor-server.toml +++ b/nodes/rottenraptor-server.toml @@ -5,7 +5,7 @@ groups = [ ] bundles = [ "docker-engine", -# "docker-immich", + "docker-immich", "ipmitool", "redis", "smartd", From 2257e9a863ccbe5ff4dae934b47fac07d6c314f0 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sat, 15 Feb 2025 12:55:47 +0100 Subject: [PATCH 919/996] bundles/docker-immich: fix assers --- bundles/docker-immich/metadata.py | 4 ---- 1 file changed, 4 deletions(-) 
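Review bot: The new `immich-redis` container, like the existing ones, is referenced by mutable tag only (`docker.io/redis:6.2-alpine`, `ghcr.io/imagegenius/immich:latest`, `tensorchord/pgvecto-rs:pg14-v0.2.0`), so nothing records which build is actually running and any pull moves the host to a different image with no review step, in contrast to the `sha1` pinning used for other software in this repo. Pin by digest, `docker.io/redis:6.2-alpine@sha256:<digest>`, or at least a full patch version, and bump it deliberately. Leaving `immich-redis` and `immich-postgresql` without `ports` is correct: they are reachable only on the container network, which is what makes removing the host-wide `redis bind 0.0.0.0` possible.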
diff --git a/bundles/docker-immich/metadata.py b/bundles/docker-immich/metadata.py index 4c57801..5b73f70 100644 --- a/bundles/docker-immich/metadata.py +++ b/bundles/docker-immich/metadata.py @@ -1,6 +1,4 @@ assert node.has_bundle('docker-engine') -assert node.has_bundle('redis') -assert not node.has_bundle('postgresql') # docker container uses that port defaults = { 'docker-engine': { @@ -61,5 +59,3 @@ defaults = { }, }, } - - From 7df5570db8361662ea87e0aa1ba7d27237290abd Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sat, 15 Feb 2025 12:59:49 +0100 Subject: [PATCH 920/996] bundles/redis: fix default for restrict-to --- bundles/redis/metadata.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/bundles/redis/metadata.py b/bundles/redis/metadata.py index dc0f23b..db31a84 100644 --- a/bundles/redis/metadata.py +++ b/bundles/redis/metadata.py @@ -59,7 +59,7 @@ def firewall(metadata): return { 'firewall': { 'port_rules': { - '6379/tcp': atomic(metadata.get('redis/restrict-to', {'*'})), + '6379/tcp': atomic(metadata.get('redis/restrict-to', set())), }, }, } From 63779b6519658f36da05c5f5789a8c23cca573d3 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sat, 15 Feb 2025 14:34:21 +0100 Subject: [PATCH 921/996] bundles/docker-engine: fix firewqall rules --- bundles/docker-engine/metadata.py | 11 ++--------- 1 file changed, 2 insertions(+), 9 deletions(-) diff --git a/bundles/docker-engine/metadata.py b/bundles/docker-engine/metadata.py index 39cc92f..2b9212f 100644 --- a/bundles/docker-engine/metadata.py +++ b/bundles/docker-engine/metadata.py 
@@ -22,22 +22,15 @@ defaults = { 'forward': { 'docker-engine': [ 'ct state { related, established } accept', - 'iifname docker0 accept', + 'ip saddr 172.16.0.0/12 accept', ], }, 'postrouting': { 'docker-engine': [ - 'iifname docker0 masquerade', + 'ip saddr 172.16.0.0/12 masquerade', ], }, }, - 'hosts': { - 'entries': { - '172.17.0.1': { - 'host.docker.internal', - }, - }, - }, 'docker-engine': { 'config': { 'iptables': False, From df469cc2e2289d199cfbfb38fd22a17e3aa2f1ea Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sat, 15 Feb 2025 14:41:49 +0100 Subject: [PATCH 922/996] backup-kunsi: install qemu-guest-agent --- nodes/backup-kunsi.toml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/nodes/backup-kunsi.toml b/nodes/backup-kunsi.toml index 276aa0a..3e17bd7 100644 --- a/nodes/backup-kunsi.toml +++ b/nodes/backup-kunsi.toml @@ -5,6 +5,8 @@ groups = ["debian-bookworm"] [metadata] nameservers = ["2001:4860:4860::8888"] +[metadata.apt.packages.qemu-guest-agent] + [metadata.apt.unattended-upgrades] # requires manual apply to unlock disks reboot_enabled = false From b44c7097657605480cd10d03211a31786950f529 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 16 Feb 2025 15:27:18 +0100 Subject: [PATCH 923/996] switch systems to new backup server --- groups/os.py | 2 +- nodes/voc/pretalx.py | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/groups/os.py b/groups/os.py index d6f1d6b..98dacfa 100644 --- a/groups/os.py +++ b/groups/os.py @@ -34,7 +34,7 @@ groups['linux'] = { }, 'metadata': { 'backup-client': { - 'target': 'htz-hel.backup-kunsi', + 'target': 'backup-kunsi', }, 'firewall': { 'port_rules': { diff --git a/nodes/voc/pretalx.py b/nodes/voc/pretalx.py index 376a5e6..f37a29c 100644 --- a/nodes/voc/pretalx.py +++ b/nodes/voc/pretalx.py @@ -17,7 +17,7 @@ nodes['voc.pretalx'] = { }, 'metadata': { 'backup-client': { - 'target': 'htz-hel.backup-kunsi', + 'target': 'backup-kunsi', }, 'check-mail-received': { 't-online': { 
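Review bot: Dropping the `iifname docker0` qualifier makes both rules match on source address alone, so a packet arriving on the uplink with a spoofed 172.16.0.0/12 source is forwarded and masqueraded by this host, and any real 172.16/12 network the host is attached to is caught as well. Keep an interface match beside the address: user-defined networks use `br-<id>` bridges and nft accepts a trailing wildcard in recent releases (verify on bookworm), e.g. `'iifname "br-*" ip saddr 172.16.0.0/12 accept'` together with `'iifname docker0 ip saddr 172.17.0.0/16 accept'`, and restrict the masquerade with `oifname` to the uplink. The `host.docker.internal` hosts entry is removed here too, so anything still resolving that name inside a container (immich did until the previous commit) will break; worth a grep.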
From 79680e2119ecc7bc08f94dd123f0d48d32f35b74 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 16 Feb 2025 16:09:51 +0100 Subject: [PATCH 924/996] home.r630: exclude from backups --- nodes/home.r630.toml | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/nodes/home.r630.toml b/nodes/home.r630.toml index cdfc4ba..408afb4 100644 --- a/nodes/home.r630.toml +++ b/nodes/home.r630.toml @@ -4,11 +4,7 @@ bundles = ["docker-engine", "nginx", "redis"] [metadata] icinga_options.exclude_from_monitoring = true - -[metadata.docker-engine.config] -# this is a dev machine, it's fine if docker does shenanigans with -# iptables -iptables = true +backups.exclude_from_backups = true [metadata.interfaces.eno3] ips = [ From 45c52c62ca73e0d58281a48b7e5907d1f6fc59b9 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 16 Feb 2025 16:14:56 +0100 Subject: [PATCH 925/996] bundles/docker-engine: turns out, filtering by name means getting everything where the name contains the filter ... --- bundles/docker-engine/files/check_docker_container | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/bundles/docker-engine/files/check_docker_container b/bundles/docker-engine/files/check_docker_container index 2d8216a..ea94173 100644 --- a/bundles/docker-engine/files/check_docker_container +++ b/bundles/docker-engine/files/check_docker_container @@ -18,7 +18,13 @@ try: f'name={container_name}' ]) - containers = loads(f"[{','.join([l for l in docker_ps.decode().splitlines() if l])}]") + docker_json = loads(f"[{','.join([l for l in docker_ps.decode().splitlines() if l])}]") + + containers = [ + container + for container in docker_json + if container['Names'] == container_name + ] if not containers: print(f'CRITICAL: container {container_name} not found!') From e0903ffa50823bc7020b62c6534a26cdf8bbaa2c Mon Sep 17 00:00:00 2001 
From: Franziska Kunsmann Date: Sun, 16 Feb 2025 17:31:35 +0100 Subject: [PATCH 926/996] update mautrix-whatsapp to 0.11.3 --- nodes/carlene.toml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/nodes/carlene.toml b/nodes/carlene.toml index 6a8c489..d738e4b 100644 --- a/nodes/carlene.toml +++ b/nodes/carlene.toml @@ -102,8 +102,8 @@ provisioning.shared_secret = "!decrypt:encrypt$gAAAAABfVKflEMAi07C_QGP8cy97hF-4g "'@kunsi:franzi.business'" = "admin" [metadata.mautrix-whatsapp] -version = "v0.11.2" -sha1 = "0bd8ebef237473989c4e9658c72595e9f7c09d44" +version = "v0.11.3" +sha1 = "f1daba15750313fe205f6d3af2594f11992f0a35" permissions."'@kunsi:franzi.business'" = "admin" [metadata.mautrix-whatsapp.homeserver] domain = "franzi.business" From f04149b4a7aaab46870f4a9e13e99fa22607ffb2 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 16 Feb 2025 18:35:54 +0100 Subject: [PATCH 927/996] bundles/docker-engine: support different user, arbitrary mapped volumes, custom command --- bundles/docker-engine/files/docker-wrapper | 13 +++++++++++-- bundles/docker-engine/items.py | 21 ++++++++++++++------- 2 files changed, 25 insertions(+), 9 deletions(-) diff --git a/bundles/docker-engine/files/docker-wrapper b/bundles/docker-engine/files/docker-wrapper index adff8e4..97c0d37 100644 --- a/bundles/docker-engine/files/docker-wrapper +++ b/bundles/docker-engine/files/docker-wrapper @@ -12,8 +12,8 @@ then exit 1 fi -PUID="$(id -u "docker-${name}")" -PGID="$(id -g "docker-${name}")" +PUID="$(id -u "${user}")" +PGID="$(id -g "${user}")" if [ "$ACTION" == "start" ] then 
@@ -32,10 +32,19 @@ then --publish "127.0.0.1:${host_port}:${container_port}" \ % endfor % for host_path, container_path in sorted(volumes.items()): +% if host_path.startswith('/'): + --volume "${host_path}:${container_path}" \ +% else: --volume "/var/opt/docker-engine/${name}/${host_path}:${container_path}" \ +% endif % endfor --restart unless-stopped \ +% if command: + "${image}" \ + "${command}" +% else: "${image}" +% endif elif [ "$ACTION" == "stop" ] then diff --git a/bundles/docker-engine/items.py b/bundles/docker-engine/items.py index 941c766..7050197 100644 --- a/bundles/docker-engine/items.py +++ b/bundles/docker-engine/items.py @@ -45,16 +45,19 @@ actions['docker_create_nondefault_network'] = { for app, config in node.metadata.get('docker-engine/containers', {}).items(): volumes = config.get('volumes', {}) + user = config.get('user', f'docker-{app}') files[f'/opt/docker-engine/{app}'] = { 'source': 'docker-wrapper', 'content_type': 'mako', 'context': { + 'command': config.get('command'), 'environment': config.get('environment', {}), 'image': config['image'], 'name': app, 'ports': config.get('ports', {}), 'timezone': node.metadata.get('timezone'), + 'user': user, 'volumes': volumes, }, 'mode': '0755', @@ -63,8 +66,7 @@ for app, config in node.metadata.get('docker-engine/containers', {}).items(): }, } - users[f'docker-{app}'] = { - 'home': f'/var/opt/docker-engine/{app}', + users[user] = { 'groups': { 'docker', }, @@ -73,6 +75,8 @@ for app, config in node.metadata.get('docker-engine/containers', {}).items(): 'svc_systemd:docker', }, } + if user == f'docker-{app}': + users[user]['home'] = f'/var/opt/docker-engine/{app}' files[f'/usr/local/lib/systemd/system/docker-{app}.service'] = { 'source': 'docker-wrapper.service', 
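Review bot: `"${command}"` on the new side is a single quoted word, so a `command` value such as `server --flag` is handed to the image entrypoint as one argv element rather than two; either state that only a single token is supported or render a list from the config. A template comment makes the contract explicit: `# command is passed as ONE argument to the image entrypoint; it is not word-split`. Likewise the new absolute-path branch passes `host_path` straight into `--volume`, so any host directory can be bind-mounted by config; that is fine for operator-controlled metadata, but the branch could note it: `# absolute host paths are mounted as given and bypass /var/opt/docker-engine/<name>`.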
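Review bot: `users[user] = {...}` in the `@@ -63,8 +66,7 @@` hunk is executed once per container, so when several containers name the same `user` (patch 928's goauthentik worker reuses `docker-goauthentik-server`) the later iteration replaces the dict built by the earlier one, and the `'home'` that `if user == f'docker-{app}':` in the `@@ -73,6 +75,8 @@` hunk added for the owning container is lost whenever that container is iterated first. Guarding the assignment with `if user not in users:` (or `users.setdefault(user, {...})`) keeps the first definition and lets the `home` line below still apply. The loop body spans several hunks and continues outside this one.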
@@ -95,20 +99,23 @@ for app, config in node.metadata.get('docker-engine/containers', {}).items(): *deps, f'file:/opt/docker-engine/{app}', f'file:/usr/local/lib/systemd/system/docker-{app}.service', - f'user:docker-{app}', + f'user:{user}', 'svc_systemd:docker', *set(config.get('needs', set())), }, } for volume in volumes: - directories[f'/var/opt/docker-engine/{app}/{volume}'] = { - 'owner': f'docker-{app}', - 'group': f'docker-{app}', + if not volume.startswith('/'): + volume = f'/var/opt/docker-engine/{app}/{volume}' + + directories[volume] = { + 'owner': user, + 'group': user, 'needed_by': { f'svc_systemd:docker-{app}', }, # don't do anything if the directory exists, docker images # mangle owners - 'unless': f'test -d /var/opt/docker-engine/{app}/{volume}', + 'unless': f'test -d {volume}', } From d2a70632828ae8724da2a4eeb4a6fff0da567f32 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 16 Feb 2025 18:36:35 +0100 Subject: [PATCH 928/996] rottenraptor-server: add docker-goauthentik --- bundles/docker-goauthentik/metadata.py | 89 ++++++++++++++++++++++++++ nodes/rottenraptor-server.toml | 4 ++ 2 files changed, 93 insertions(+) create mode 100644 bundles/docker-goauthentik/metadata.py diff --git a/bundles/docker-goauthentik/metadata.py b/bundles/docker-goauthentik/metadata.py new file mode 100644 index 0000000..8cae899 --- /dev/null +++ b/bundles/docker-goauthentik/metadata.py 
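Review bot: `directories[volume] = {...}` is still an unconditional overwrite, so when two containers resolve to the same host directory (one via a relative `media`, another via its absolute path, as the goauthentik bundle in patch 928 does) the second definition replaces the first and drops its `needed_by` entry. Rebinding the loop variable `volume` inside the loop also makes the `volumes` key and the resolved path hard to tell apart, and `'unless': f'test -d {volume}'` interpolates the path unquoted into a shell command, so a path containing spaces or shell metacharacters breaks the check. The sketch below resolves into a separate `host_path`, merges `needed_by` across containers (owner stays whatever the first container set), and quotes the path with `shlex.quote` (needs `from shlex import quote` at the top of items.py).
```python
for volume in volumes:
    # absolute paths are bind-mounted as given; relative ones live below
    # the per-container directory
    host_path = volume if volume.startswith('/') else f'/var/opt/docker-engine/{app}/{volume}'

    # several containers may declare the same host directory; merge the
    # dependency instead of overwriting the item
    directory = directories.setdefault(host_path, {
        'owner': user,
        'group': user,
        'needed_by': set(),
        # don't do anything if the directory exists, docker images
        # mangle owners
        'unless': f'test -d {quote(host_path)}',
    })
    directory['needed_by'].add(f'svc_systemd:docker-{app}')
```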
@@ -0,0 +1,89 @@ +assert node.has_bundle('docker-engine') + +defaults = { + 'docker-engine': { + 'containers': { + 'goauthentik-server': { + 'image': 'ghcr.io/goauthentik/server:latest', + 'command': 'server', + 'environment': { + 'AUTHENTIK_POSTGRESQL__HOST': 'goauthentik-postgresql', + 'AUTHENTIK_POSTGRESQL__NAME': 'goauthentik', + 'AUTHENTIK_POSTGRESQL__PASSWORD': repo.vault.password_for(f'{node.name} postgresql goauthentik'), + 'AUTHENTIK_POSTGRESQL__USER': 'goauthentik', + 'AUTHENTIK_REDIS__HOST': 'goauthentik-redis', + 'AUTHENTIK_SECRET_KEY': repo.vault.password_for(f'{node.name} goauthentik secret key'), + }, + 'volumes': { + 'media': '/media', + 'templates': '/templates', + }, + 'ports': { + '9000': '9000', + '9443': '9443', + }, + 'needs': { + 'svc_systemd:docker-goauthentik-postgresql', + 'svc_systemd:docker-goauthentik-redis', + }, + 'requires': { + 'docker-goauthentik-postgresql.service', + 'docker-goauthentik-redis.service', + }, + }, + 'goauthentik-worker': { + 'image': 'ghcr.io/goauthentik/server:latest', + 'command': 'worker', + 'user': 'docker-goauthentik-server', + 'environment': { + 'AUTHENTIK_POSTGRESQL__HOST': 'goauthentik-postgresql', + 'AUTHENTIK_POSTGRESQL__NAME': 'goauthentik', + 'AUTHENTIK_POSTGRESQL__PASSWORD': repo.vault.password_for(f'{node.name} postgresql goauthentik'), + 'AUTHENTIK_POSTGRESQL__USER': 'goauthentik', + 'AUTHENTIK_REDIS__HOST': 'goauthentik-redis', + 'AUTHENTIK_SECRET_KEY': repo.vault.password_for(f'{node.name} goauthentik secret key'), + }, + 'volumes': { + '/var/opt/docker-engine/goauthentik-server/media': '/media', + '/var/opt/docker-engine/goauthentik-server/certs': '/certs', + '/var/opt/docker-engine/doauthentik-server/templates': '/templates', + }, + 'needs': { + 'svc_systemd:docker-goauthentik-postgresql', + 'svc_systemd:docker-goauthentik-redis', + }, + 'requires': { + 'docker-goauthentik-postgresql.service', + 'docker-goauthentik-redis.service', + }, + }, + 'goauthentik-postgresql': { + 'image': 
'docker.io/library/postgres:16-alpine', + 'environment': { + 'POSTGRES_PASSWORD': repo.vault.password_for(f'{node.name} postgresql goauthentik'), + 'POSTGRES_USER': 'goauthentik', + 'POSTGRES_DB': 'goauthentik', + }, + 'volumes': { + 'database': '/var/lib/postgresql/data', + }, + }, + 'goauthentik-redis': { + 'image': 'docker.io/library/redis:alpine', + }, + }, + }, + 'nginx': { + 'vhosts': { + 'goauthentik': { + 'locations': { + '/': { + 'target': 'http://127.0.0.1:9000/', + 'websockets': True, + 'max_body_size': '5000m', + }, + }, + }, + }, + }, +} diff --git a/nodes/rottenraptor-server.toml b/nodes/rottenraptor-server.toml index 54a5fe1..407bb70 100644 --- a/nodes/rottenraptor-server.toml +++ b/nodes/rottenraptor-server.toml @@ -5,6 +5,7 @@ groups = [ ] bundles = [ "docker-engine", + "docker-goauthentik", "docker-immich", "ipmitool", "redis", @@ -27,6 +28,9 @@ gateway6 = "2001:67c:b54:1::1" redirect = "https://www.rottenraptor.com/" mode = 302 +[metadata.nginx.vhosts.goauthentik] +domain = "sso.rotten.city" + [metadata.nginx.vhosts.immich] domain = "immich.rotten.city" From 8db6c73f2564eb468582d043b87630cc9a97d575 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Mon, 17 Feb 2025 09:54:47 +0100 Subject: [PATCH 929/996] home.nas: back up entire NAS --- nodes/home/nas.py | 9 +-------- 1 file changed, 1 insertion(+), 8 deletions(-) diff --git a/nodes/home/nas.py b/nodes/home/nas.py index a5b904d..831513a 100644 --- a/nodes/home/nas.py +++ b/nodes/home/nas.py @@ -61,14 +61,7 @@ nodes['home.nas'] = { }, 'backups': { 'paths': { - '/storage/nas/Audiobooks', - '/storage/nas/Bilder', - '/storage/nas/Bilder_Archiv', - '/storage/nas/Books', - '/storage/nas/Installer', - '/storage/nas/Musik', - '/storage/nas/Musikvideos', - '/storage/nas/normen', + '/storage/nas/', }, }, 'cron': { From 5bd406ae90b57e3989d0d42e865448c811e5c653 Mon Sep 17 00:00:00 2001 
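Review bot: Both authentik containers use `ghcr.io/goauthentik/server:latest`, but each is pulled by its own wrapper at its own first start, so `latest` can resolve to different versions for server and worker, and the identity provider's version is never recorded in the repo. Pinning a single version once and using it for both entries keeps them in lockstep and makes upgrades a reviewed change, e.g. `AUTHENTIK_IMAGE = 'ghcr.io/goauthentik/server:<PINNED_VERSION>'` at the top and `'image': AUTHENTIK_IMAGE` in both containers; the same applies, with less urgency, to `postgres:16-alpine` and `redis:alpine`. The worker additionally mounts `/var/opt/docker-engine/goauthentik-server/certs`, which the server entry does not declare, so that directory is created only via the worker's `volumes` entry; a short comment stating that the worker owns `certs` would help.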
From: Franziska Kunsmann Date: Mon, 17 Feb 2025 10:05:02 +0100 Subject: [PATCH 930/996] remove htz-hel.backup-kunsi --- nodes/htz-hel/backup-kunsi.py | 40 ----------------------------------- 1 file changed, 40 deletions(-) delete mode 100644 nodes/htz-hel/backup-kunsi.py diff --git a/nodes/htz-hel/backup-kunsi.py b/nodes/htz-hel/backup-kunsi.py deleted file mode 100644 index 50996fb..0000000 --- a/nodes/htz-hel/backup-kunsi.py +++ /dev/null @@ -1,40 +0,0 @@ -nodes['htz-hel.backup-kunsi'] = { - 'hostname': '2a01:4f9:6b:2d99::1337', - 'bundles': { - 'backup-server', - 'dm-crypt', - 'zfs', - }, - 'groups': { - 'debian-bullseye', - }, - 'metadata': { - 'apt': { - 'unattended-upgrades': { - # requires manual apply after reboot to unlock dm-crypt - # devices - 'reboot_enabled': False, - }, - }, - 'interfaces': { - 'ens18': { - 'ips': { - '2a01:4f9:6b:2d99::1337/64', - }, - 'gateway6': '2a01:4f9:6b:2d99::2', - }, - }, - 'backups': { - # This is the backup target. - 'exclude_from_backups': True, - }, - 'backup-server': { - 'encrypted-devices': { - '/dev/disk/by-id/scsi-0QEMU_QEMU_HARDDISK_drive-scsi1-part1': bwpass.password('bw/backup-kunsi/encryption-passphrase'), - }, - }, - 'zfs': { - 'scrub_when': 'Wed 08:00 Europe/Berlin', - }, - }, -} From 7808d9b0ea5c1d733bdb277ea91dd41eb29eda81 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Mon, 17 Feb 2025 12:25:20 +0100 Subject: [PATCH 931/996] update travelynx to 2.10.0 --- nodes/carlene.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nodes/carlene.toml b/nodes/carlene.toml index d738e4b..2237fdf 100644 --- a/nodes/carlene.toml +++ b/nodes/carlene.toml @@ -250,7 +250,7 @@ disks = [ ] [metadata.travelynx] -version = "2.9.18" +version = "2.10.0" mail_from = "travelynx@franzi.business" domain = "travelynx.franzi.business" From 77003a01d8cd262cad6ac202982d6eea3e8291a2 Mon Sep 17 00:00:00 2001 
From: Franziska Kunsmann Date: Fri, 21 Feb 2025 19:24:10 +0100 Subject: [PATCH 932/996] rottenraptor-server: add vhost for dokuwiki --- .../files/extras/rottenraptor-server/dokuwiki | 33 +++++++++++++++++++ nodes/rottenraptor-server.toml | 17 ++++++++++ 2 files changed, 50 insertions(+) create mode 100644 data/nginx/files/extras/rottenraptor-server/dokuwiki diff --git a/data/nginx/files/extras/rottenraptor-server/dokuwiki b/data/nginx/files/extras/rottenraptor-server/dokuwiki new file mode 100644 index 0000000..2e9b682 --- /dev/null +++ b/data/nginx/files/extras/rottenraptor-server/dokuwiki @@ -0,0 +1,33 @@ + location ~ ^/lib.*\.(js|css|gif|png|ico|jpg|jpeg|svg)$ { + expires 365d; # browser caching + } + + location ~ /(install.php) { deny all; } + + location ~ /(\.ht|\.git|\.hg|\.svn|\.vs|data|conf|bin|inc|vendor|README|VERSION|SECURITY.md|COPYING|composer.json|composer.lock) { + #return 404; # https://www.dokuwiki.org/install:nginx?rev=1734102057#nginx_particulars + deny all; # Returns 403 + } + + # Support for X-Accel-Redirect + location ~ ^/data/ { + internal; + } + + location / { + try_files $uri $uri/ @dokuwiki; + + # This means; where $uri is 'path', if 'GET /path' doesnt exist, redirect + # client to 'GET /path/' directory. If neither, goto @dokuwiki rules. + } + + location @dokuwiki { + rewrite ^/_media/(.*) /lib/exe/fetch.php?media=$1 last; + rewrite ^/_detail/(.*) /lib/exe/detail.php?media=$1 last; + rewrite ^/_export/([^/]+)/(.*) /doku.php?do=export_$1&id=$2 last; +# rewrite ^/tag/(.*) /doku.php?id=tag:$1&do=showtag&tag=tag:$1 last; #untested + rewrite ^/(.*) /doku.php?id=$1&$args last; + + # rewrites "doku.php/" out of the URLs if you set the userewrite + # setting to .htaccess in dokuwiki config page + } diff --git a/nodes/rottenraptor-server.toml b/nodes/rottenraptor-server.toml index 407bb70..1af14fb 100644 --- a/nodes/rottenraptor-server.toml +++ b/nodes/rottenraptor-server.toml 
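Review bot: Whether the `deny all` location for `data|conf|bin|inc|vendor|…` actually protects those trees depends on where this extras file is included relative to the vhost template's PHP handler, because nginx uses the first matching regex `location` in file order; if the template's `location ~ \.php$` (not visible here) precedes these blocks, a request like `/conf/x.php` still reaches PHP. That ordering assumption should be confirmed against the template and stated at the top of this file: `# must be included before the php handler location: nginx takes the first matching regex location`. Minor: `location ~ /(install.php)` has an unescaped dot and should read `location ~ /(install\.php)`.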
@@ -8,6 +8,7 @@ bundles = [ "docker-goauthentik", "docker-immich", "ipmitool", + "php", "redis", "smartd", "zfs", @@ -28,12 +29,24 @@ gateway6 = "2001:67c:b54:1::1" redirect = "https://www.rottenraptor.com/" mode = 302 +[metadata.nginx.vhosts.dokuwiki] +domain = "wiki.rotten.city" +php = true +extras = true +webroot_config.owner = "www-data" + [metadata.nginx.vhosts.goauthentik] domain = "sso.rotten.city" [metadata.nginx.vhosts.immich] domain = "immich.rotten.city" +[metadata.php] +version = "8.2" +packages = [ + "xml", +] + [metadata.smartd] disks = [ "/dev/disk/by-id/ata-HUH721008ALN600_7SGH125C", @@ -43,6 +56,10 @@ disks = [ "/dev/disk/by-id/nvme-TOSHIBA-RC100_58UPC29HPW5S", ] +[metadata.vm] +cpu = 4 +ram = 8 + [metadata.zfs.pools.tank.when_creating] ashift = 12 From a7cb759bd2d5cfcadc9ffb1e1df725a1d625ed4e Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Fri, 21 Feb 2025 19:29:35 +0100 Subject: [PATCH 933/996] bundles/docker-goauthentik: fix typo --- bundles/docker-goauthentik/metadata.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/bundles/docker-goauthentik/metadata.py b/bundles/docker-goauthentik/metadata.py index 8cae899..9d742fa 100644 --- a/bundles/docker-goauthentik/metadata.py +++ b/bundles/docker-goauthentik/metadata.py @@ -46,7 +46,7 @@ defaults = { 'volumes': { '/var/opt/docker-engine/goauthentik-server/media': '/media', '/var/opt/docker-engine/goauthentik-server/certs': '/certs', - '/var/opt/docker-engine/doauthentik-server/templates': '/templates', + '/var/opt/docker-engine/goauthentik-server/templates': '/templates', }, 'needs': { 'svc_systemd:docker-goauthentik-postgresql', From 349aaac56db74d251bcdaea75d5f6142119979db Mon Sep 17 00:00:00 2001 
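Review bot: `webroot_config.owner = "www-data"` in the new `[metadata.nginx.vhosts.dokuwiki]` table hands the whole webroot to the PHP worker's user, so the application can rewrite its own code; dokuwiki itself only needs `data/` and `conf/` writable. If the nginx bundle offers no finer-grained ownership knob this is the available option, but a comment on the line would record the trade-off: `# dokuwiki needs data/ and conf/ writable; the bundle only supports whole-webroot ownership`.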
From: Franziska Kunsmann Date: Sun, 23 Feb 2025 11:01:16 +0100 Subject: [PATCH 934/996] data/ssl: bump *.home.kunbox.net --- data/ssl/_.home.kunbox.net.crt.pem | 36 +++++++++---------- .../_.home.kunbox.net.crt_intermediate.pem | 36 +++++++++---------- data/ssl/_.home.kunbox.net.key.pem.vault | 2 +- 3 files changed, 37 insertions(+), 37 deletions(-) diff --git a/data/ssl/_.home.kunbox.net.crt.pem b/data/ssl/_.home.kunbox.net.crt.pem index 06ea249..4fb984a 100644 --- a/data/ssl/_.home.kunbox.net.crt.pem +++ b/data/ssl/_.home.kunbox.net.crt.pem 
@@ -1,22 +1,22 @@ -----BEGIN CERTIFICATE----- -MIIDsDCCAzagAwIBAgISBGjVgPFJCHOuBJul17PsmUBlMAoGCCqGSM49BAMDMDIx +MIIDrTCCAzOgAwIBAgISAzN38KowyAxKJIRnBKR9SwXnMAoGCCqGSM49BAMDMDIx CzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQDEwJF -NjAeFw0yNDExMzAwOTM4MzNaFw0yNTAyMjgwOTM4MzJaMBoxGDAWBgNVBAMTD2hv -bWUua3VuYm94Lm5ldDB2MBAGByqGSM49AgEGBSuBBAAiA2IABK+7B9tE5ejhYZWq -3gs8q4s6/A98pW5GGpkYl7iPsPM8ko0UvZ8tfBU+KuEavDmFoFa8W4ePEkPkypHo -gqRMhIm55/2wyTTh8/PnXp8vWCwMISmPHEqou2mphx0feLRAlqOCAiUwggIhMA4G +NTAeFw0yNTAyMjMwOTAyMzdaFw0yNTA1MjQwOTAyMzZaMBoxGDAWBgNVBAMTD2hv +bWUua3VuYm94Lm5ldDB2MBAGByqGSM49AgEGBSuBBAAiA2IABCySMhuLfj3x+wjp +BFpNu+R3IRL0qsBazrTrz8jwA1Brs8jxFSlPZRGpKiycFFQDwX5dSDJu+usngNh7 +pAs1UsniV2d3yLYK6qTVB8C420Xc55jlqTsGW+cvv0Adeap8DaOCAiIwggIeMA4G A1UdDwEB/wQEAwIHgDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwDAYD -VR0TAQH/BAIwADAdBgNVHQ4EFgQUicTvP+5xKDeHcAhxZi7CeD5xzCUwHwYDVR0j -BBgwFoAUkydGmAOpUWiOmNbEQkjbI79YlNIwVQYIKwYBBQUHAQEESTBHMCEGCCsG -AQUFBzABhhVodHRwOi8vZTYuby5sZW5jci5vcmcwIgYIKwYBBQUHMAKGFmh0dHA6 -Ly9lNi5pLmxlbmNyLm9yZy8wLQYDVR0RBCYwJIIRKi5ob21lLmt1bmJveC5uZXSC -D2hvbWUua3VuYm94Lm5ldDATBgNVHSAEDDAKMAgGBmeBDAECATCCAQUGCisGAQQB -1nkCBAIEgfYEgfMA8QB3AM8RVu7VLnyv84db2Wkum+kacWdKsBfsrAHSW3fOzDsI -AAABk3ylPJIAAAQDAEgwRgIhAPf1V/hozFwCyj8rwHFrxslXPa77KFbbm1yrvikr -ypvZAiEAgsSapcCShSJcW21/Rig7MOjp8IjdirAzLDRnBcl4tooAdgB9WR4S4Xgq -exxhZ3xe/fjQh1wUoE6VnrkDL9kOjC55uAAAAZN8pURGAAAEAwBHMEUCIBF42g56 -wBpQRx1aHM+tFrydhInIx+ji6o7d055uc7bAAiEA4bRrxTsQQIJ+5lY2XIYTpf5C -msc2KAHccsMqstH+ur8wCgYIKoZIzj0EAwMDaAAwZQIxAOTsntM8s/ik3N09mXq4 -fVm1XQk2B2jALeTZLZevUY8jUjhKwoXTNVXQlMr1ilnC9QIwCa7zOQJQ2Y7D8xMv -uKfu7TMSLJlWMDHhIsggdPeQDYtNm85jsOXqB1SjWeCR25Mn +VR0TAQH/BAIwADAdBgNVHQ4EFgQUDEclq7TWouOYtvpzzutWtxXmZB8wHwYDVR0j +BBgwFoAUnytfzzwhT50Et+0rLMTGcIvS1w0wVQYIKwYBBQUHAQEESTBHMCEGCCsG +AQUFBzABhhVodHRwOi8vZTUuby5sZW5jci5vcmcwIgYIKwYBBQUHMAKGFmh0dHA6 +Ly9lNS5pLmxlbmNyLm9yZy8wLQYDVR0RBCYwJIIRKi5ob21lLmt1bmJveC5uZXSC 
+D2hvbWUua3VuYm94Lm5ldDATBgNVHSAEDDAKMAgGBmeBDAECATCCAQIGCisGAQQB +1nkCBAIEgfMEgfAA7gB1AKLjCuRF772tm3447Udnd1PXgluElNcrXhssxLlQpEfn +AAABlTJA35QAAAQDAEYwRAIgK6RVpdOCgEWCLxyLM7P9LRYWmPJ9+oA8DQ6EhV1V +e+cCICAtK2lRg+vPuCXkqSGRFQEPqidmcT1NMrAstl6zOF3uAHUATnWjJ1yaEMM4 +W2zU3z9S6x3w4I4bjWnAsfpksWKaOd8AAAGVMkDfigAABAMARjBEAiBH2f88Uh6R +tPyyZzuKT5t6jcYLOsSQVkWbrerG34Z1xwIgXmW3tlmgKlUiTrRjCFbltLNJ12Tf +xA/QCmSHAyKUnHIwCgYIKoZIzj0EAwMDaAAwZQIxAKT8YobI9cF1LpSwF8esUwhX +M1oK0TVOnpFn3dyUgweqVS5sCn3V81626qP+wGrENgIwWlDcbKhT4j0G19O43pKp +6f9TqzcY4iH5+VAuKPjh7H5ag7B+qCn9No2p56SagQpv -----END CERTIFICATE----- diff --git a/data/ssl/_.home.kunbox.net.crt_intermediate.pem b/data/ssl/_.home.kunbox.net.crt_intermediate.pem index 4652201..59039ae 100644 --- a/data/ssl/_.home.kunbox.net.crt_intermediate.pem +++ b/data/ssl/_.home.kunbox.net.crt_intermediate.pem 
@@ -1,27 +1,27 @@ -----BEGIN CERTIFICATE----- -MIIEVzCCAj+gAwIBAgIRALBXPpFzlydw27SHyzpFKzgwDQYJKoZIhvcNAQELBQAw +MIIEVzCCAj+gAwIBAgIRAIOPbGPOsTmMYgZigxXJ/d4wDQYJKoZIhvcNAQELBQAw TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMjQwMzEzMDAwMDAw WhcNMjcwMzEyMjM1OTU5WjAyMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNTGV0J3Mg -RW5jcnlwdDELMAkGA1UEAxMCRTYwdjAQBgcqhkjOPQIBBgUrgQQAIgNiAATZ8Z5G -h/ghcWCoJuuj+rnq2h25EqfUJtlRFLFhfHWWvyILOR/VvtEKRqotPEoJhC6+QJVV -6RlAN2Z17TJOdwRJ+HB7wxjnzvdxEP6sdNgA1O1tHHMWMxCcOrLqbGL0vbijgfgw +RW5jcnlwdDELMAkGA1UEAxMCRTUwdjAQBgcqhkjOPQIBBgUrgQQAIgNiAAQNCzqK +a2GOtu/cX1jnxkJFVKtj9mZhSAouWXW0gQI3ULc/FnncmOyhKJdyIBwsz9V8UiBO +VHhbhBRrwJCuhezAUUE8Wod/Bk3U/mDR+mwt4X2VEIiiCFQPmRpM5uoKrNijgfgw gfUwDgYDVR0PAQH/BAQDAgGGMB0GA1UdJQQWMBQGCCsGAQUFBwMCBggrBgEFBQcD -ATASBgNVHRMBAf8ECDAGAQH/AgEAMB0GA1UdDgQWBBSTJ0aYA6lRaI6Y1sRCSNsj -v1iU0jAfBgNVHSMEGDAWgBR5tFnme7bl5AFzgAiIyBpY9umbbjAyBggrBgEFBQcB +ATASBgNVHRMBAf8ECDAGAQH/AgEAMB0GA1UdDgQWBBSfK1/PPCFPnQS37SssxMZw +i9LXDTAfBgNVHSMEGDAWgBR5tFnme7bl5AFzgAiIyBpY9umbbjAyBggrBgEFBQcB AQQmMCQwIgYIKwYBBQUHMAKGFmh0dHA6Ly94MS5pLmxlbmNyLm9yZy8wEwYDVR0g BAwwCjAIBgZngQwBAgEwJwYDVR0fBCAwHjAcoBqgGIYWaHR0cDovL3gxLmMubGVu -Y3Iub3JnLzANBgkqhkiG9w0BAQsFAAOCAgEAfYt7SiA1sgWGCIpunk46r4AExIRc -MxkKgUhNlrrv1B21hOaXN/5miE+LOTbrcmU/M9yvC6MVY730GNFoL8IhJ8j8vrOL -pMY22OP6baS1k9YMrtDTlwJHoGby04ThTUeBDksS9RiuHvicZqBedQdIF65pZuhp -eDcGBcLiYasQr/EO5gxxtLyTmgsHSOVSBcFOn9lgv7LECPq9i7mfH3mpxgrRKSxH -pOoZ0KXMcB+hHuvlklHntvcI0mMMQ0mhYj6qtMFStkF1RpCG3IPdIwpVCQqu8GV7 -s8ubknRzs+3C/Bm19RFOoiPpDkwvyNfvmQ14XkyqqKK5oZ8zhD32kFRQkxa8uZSu -h4aTImFxknu39waBxIRXE4jKxlAmQc4QjFZoq1KmQqQg0J/1JF8RlFvJas1VcjLv -YlvUB2t6npO6oQjB3l+PNf0DpQH7iUx3Wz5AjQCi6L25FjyE06q6BZ/QlmtYdl/8 -ZYao4SRqPEs/6cAiF+Qf5zg2UkaWtDphl1LKMuTNLotvsX99HP69V2faNyegodQ0 -LyTApr/vT01YPE46vNsDLgK+4cL6TrzC/a4WcmF5SRJ938zrv/duJHLXQIku5v0+ -EwOy59Hdm0PT/Er/84dDV0CSjdR/2XuZM3kpysSKLgD1cKiDA+IRguODCxfO9cyY -Ig46v9mFmBvyH04= 
+Y3Iub3JnLzANBgkqhkiG9w0BAQsFAAOCAgEAH3KdNEVCQdqk0LKyuNImTKdRJY1C +2uw2SJajuhqkyGPY8C+zzsufZ+mgnhnq1A2KVQOSykOEnUbx1cy637rBAihx97r+ +bcwbZM6sTDIaEriR/PLk6LKs9Be0uoVxgOKDcpG9svD33J+G9Lcfv1K9luDmSTgG +6XNFIN5vfI5gs/lMPyojEMdIzK9blcl2/1vKxO8WGCcjvsQ1nJ/Pwt8LQZBfOFyV +XP8ubAp/au3dc4EKWG9MO5zcx1qT9+NXRGdVWxGvmBFRAajciMfXME1ZuGmk3/GO +koAM7ZkjZmleyokP1LGzmfJcUd9s7eeu1/9/eg5XlXd/55GtYjAM+C4DG5i7eaNq +cm2F+yxYIPt6cbbtYVNJCGfHWqHEQ4FYStUyFnv8sjyqU8ypgZaNJ9aVcWSICLOI +E1/Qv/7oKsnZCWJ926wU6RqG1OYPGOi1zuABhLw61cuPVDT28nQS/e6z95cJXq0e +K1BcaJ6fJZsmbjRgD5p3mvEf5vdQM7MCEvU0tHbsx2I5mHHJoABHb8KVBgWp/lcX +GWiWaeOyB7RP+OfDtvi2OsapxXiV7vNVs7fMlrRjY1joKaqmmycnBvAq14AEbtyL +sVfOS66B8apkeFX2NY4XPEYV4ZSCe8VHPrdrERk2wILG3T/EGmSIkCYVUMSnjmJd +VQD9F6Na/+zmXCc= -----END CERTIFICATE----- diff --git a/data/ssl/_.home.kunbox.net.key.pem.vault b/data/ssl/_.home.kunbox.net.key.pem.vault index f5fa8b4..e17988a 100644 --- a/data/ssl/_.home.kunbox.net.key.pem.vault +++ b/data/ssl/_.home.kunbox.net.key.pem.vault 
@@ -1 +1 @@ -encrypt$gAAAAABnSurPS00unDJP1C7wyToyZOzKrEruyT6itqZG1Bbv6IZPVrkdcbgyfPrXY8ViPSRwtdVJsju-X8pvLHZGSHXvxhpNlNrNQTas2_VCMwYIihGnp7VI6ovQXd_iVHON5sXaNpKURRwCsvnYhHQfn4qPGLSN8II2QdpJ4A4nDschZwN2u-8X9omGPOcC6zeivoew4UcpossYuJDskHeJnRnR3roGwrHuPWfEKRgRJ_eTHgij00uyoJZxhWGRV9nS_MnacbGUP6KBXfaZP_23DFJPMMq734qVfcLObhYa8nam9kLHh4TaloET2pK-IVqcb_FOorWiipiGBSNCw9EQr57d8AOLEFAwMmb_1fgPCjpchVZaSKD4OhdjPt1CU3unzR-zPkrjBdL-az0ci984vJnLolr4z8nMW6oR1SyJGyccJ-lmoMf34M3oI3zIlNg2GPdGcZMFa6GhvmLYwDb7r0PHil_GRA== \ No newline at end of file +encrypt$gAAAAABnuvHlF1U1dT-xIICT5GmDxxqm0hQAgshQSA46WrVoo18ypjyxQE1qRzPNdp0xHKPYwpGmAoT7ftX7U3X3sjIvH8W5DUNMEBPZk6Z2yPxsyMDqUbxqJUOkjsSjVf1GZ_n3R5kZfb-THJMjNQMy3tL5RwrSvZjsYeYT-NwBle5rUKZpgE_6sDr5jSr8xpNx87gJr1vqgnZIBPllU47CJQy7LHEsVcCvbKhpVoau02LlPAoApVt_iYYm1fL_E6jFGfnCwGoeiytMc2fl1DPWS8q8oauQ1pNVTWQ2BXnLiXoc8u3hgp93PpT2LubYgIrVXpY8iErNtghuXi_HmqL37btdN5h-p1Div-R_5uva1maXffduwutCd5xWJK__G_bhqiSoEaKEMvo_H47vqbi7Hvwi70ckYek9KD_bIb2W8zBEPl1Q2436Uz54B0muXv6X7OoZlTj51_gZUcT3cp8SDJqAWDpnWg== \ No newline at end of file From 5752ad3f0994e1ea8dd9ca6bee8d773b4c83191a Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 23 Feb 2025 11:07:59 +0100 Subject: [PATCH 935/996] rottenraptor-server: remove redis this runs in docker now --- nodes/rottenraptor-server.toml | 1 - 1 file changed, 1 deletion(-) diff --git a/nodes/rottenraptor-server.toml b/nodes/rottenraptor-server.toml index 1af14fb..e88891a 100644 --- a/nodes/rottenraptor-server.toml +++ b/nodes/rottenraptor-server.toml @@ -9,7 +9,6 @@ bundles = [ "docker-immich", "ipmitool", "php", - "redis", "smartd", "zfs", ] From a54dceb3c6f7c0a1526bc9bd0c7329e3c96b3c88 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 23 Feb 2025 11:37:29 +0100 Subject: [PATCH 936/996] bundles/radvd: better options for changing prefixes --- bundles/radvd/files/radvd.conf | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) 
diff --git a/bundles/radvd/files/radvd.conf b/bundles/radvd/files/radvd.conf index c66c08f..ee40111 100644 --- a/bundles/radvd/files/radvd.conf +++ b/bundles/radvd/files/radvd.conf @@ -10,11 +10,13 @@ interface ${interface} AdvOnLink on; AdvAutonomous on; AdvRouterAddr on; + AdvPreferredLifetime 600; + AdvValidLifetime 900; }; % if config.get('rdnss'): RDNSS ${' '.join(sorted(config['rdnss']))} { - AdvRDNSSLifetime 900; + AdvRDNSSLifetime 600; }; % endif }; From fab81145caceeda6c0b815d3e21dbb993f46ee9a Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 23 Feb 2025 11:40:47 +0100 Subject: [PATCH 937/996] update netbox to 4.2.4 --- nodes/carlene.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nodes/carlene.toml b/nodes/carlene.toml index 2237fdf..6509140 100644 --- a/nodes/carlene.toml +++ b/nodes/carlene.toml @@ -114,7 +114,7 @@ domain = "rss.franzi.business" [metadata.netbox] domain = "netbox.franzi.business" -version = "v4.2.3" +version = "v4.2.4" admins.kunsi = "hostmaster@kunbox.net" [metadata.nextcloud] From fed5cbfc5228104d45c2b4f9aa6a1b75470e974b Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 23 Feb 2025 12:08:14 +0100 Subject: [PATCH 938/996] bundles/php: remove sury repo, use debian php version --- bundles/icinga2/metadata.py | 1 - bundles/nginx/items.py | 2 +- bundles/php/items.py | 2 +- bundles/php/metadata.py | 17 +++++++------ data/apt/files/gpg-keys/php.asc | 42 --------------------------------- nodes/carlene.toml | 1 - nodes/htz-cloud/pirmasens.py | 2 -- nodes/rottenraptor-server.toml | 1 - 8 files changed, 10 insertions(+), 58 deletions(-) delete mode 100644 data/apt/files/gpg-keys/php.asc diff --git a/bundles/icinga2/metadata.py b/bundles/icinga2/metadata.py index 60d28fe..c25ca41 100644 --- a/bundles/icinga2/metadata.py +++ b/bundles/icinga2/metadata.py 
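Review bot: `AdvPreferredLifetime 600;` equals radvd's default `MaxRtrAdvInterval` of 600 s, so unless the interface block sets a lower interval (outside this hunk) a single lost or delayed RA deprecates the prefix on clients before the next one arrives. Setting `MaxRtrAdvInterval` well below the lifetimes, and saying so next to the new lines, keeps the fast-expiry goal without flapping: `# lifetimes must stay well above MaxRtrAdvInterval, otherwise one lost RA deprecates the address`. The `AdvRDNSSLifetime 600;` change has the same dependency; RFC 8106 suggests keeping the RDNSS lifetime between one and two RA intervals.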
@@ -54,7 +54,6 @@ defaults = { 'setup-token': repo.vault.password_for(f'{node.name} icingaweb2 setup-token'), }, 'php': { - 'version': '8.2', 'packages': { 'curl', 'gd', diff --git a/bundles/nginx/items.py b/bundles/nginx/items.py index 2928686..304dcd7 100644 --- a/bundles/nginx/items.py +++ b/bundles/nginx/items.py @@ -104,7 +104,7 @@ for vhost, config in node.metadata.get('nginx/vhosts', {}).items(): 'context': { 'create_logs': config.get('create_logs', False), 'create_timing_log': config.get('timing_log', True), - 'php_version': node.metadata.get('php/version', ''), + 'php_version': node.metadata.get('php/__version', ''), 'security_txt': security_txt_enabled, 'vhost': vhost, **config, diff --git a/bundles/php/items.py b/bundles/php/items.py index b115c19..c836efa 100644 --- a/bundles/php/items.py +++ b/bundles/php/items.py @@ -1,4 +1,4 @@ -version = node.metadata.get('php/version') +version = node.metadata.get('php/__version') directories['/var/lib/php/sessions'] = { 'owner': 'www-data', diff --git a/bundles/php/metadata.py b/bundles/php/metadata.py index d14954e..edb8399 100644 --- a/bundles/php/metadata.py +++ b/bundles/php/metadata.py @@ -1,12 +1,11 @@ +OS_PHP_VERSION = { + 12: '8.2', + 13: '8.4', +} + defaults = { - 'apt': { - 'repos': { - 'php': { - 'items': { - 'deb https://packages.sury.org/php/ {os_release} main', - }, - }, - }, + 'php': { + '__version': OS_PHP_VERSION[node.os_version[0]], }, } @@ -15,7 +14,7 @@ defaults = { 'apt/packages', ) def php_packages_with_features(metadata): - version = metadata.get('php/version') + version = metadata.get('php/__version') packages = { f'php{version}': {}, diff --git a/data/apt/files/gpg-keys/php.asc b/data/apt/files/gpg-keys/php.asc deleted file mode 100644 index ba04e3c..0000000 --- a/data/apt/files/gpg-keys/php.asc +++ /dev/null 
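Review bot: `'__version': OS_PHP_VERSION[node.os_version[0]]` in the php/metadata.py hunk raises a bare `KeyError` at metadata-load time for any node whose Debian major version is not 12 or 13, and this commit removes a `'7.4'` pin from htz-cloud/pirmasens.py, which suggests at least one such node may exist. Either extend the table (`11: '7.4',` for bullseye, which ships PHP 7.4 in main) or fail with a readable message, `if node.os_version[0] not in OS_PHP_VERSION: raise ValueError(f'php: no Debian PHP version known for {node.name} (os_version {node.os_version})')`. A one-line comment on the table would also help: `# Debian release -> PHP version shipped in main (no sury repo anymore)`.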
@@ -1,42 +0,0 @@ ------BEGIN PGP ARMORED FILE----- -Comment: Use "gpg --dearmor" for unpacking - -mQGNBFyPb58BDADTDlJLrGJktWDaUT0tFohjFxy/lL2GcVYp4zB981MWIDC0aIQZ -ERfUZRaq/ov/LG3F0UhkvouCNrnXiFaKRCeNG52pQM0P/p3gmIOoPO4/jF0o3SK1 -Aapf/NaKTh3EgeYYCnVKuxdXGqyu1JT4qfztsmUGmODzxVr+/YJLP54jrCUgI3lj -4zEeTBDexQvnlVUF59U1/ipMq4iWqqth8/aMsoZl3Ztfcc87jBFbJIoeQMhZtNZk -Ik7L15aYIZXWY2byBy6LB42HPm9DwM99l2eY4EXGfAq/UQeYbDGonibBqrDURggH -rkLfG7ZfoexF67/9S2s6VYfS4npWVfw2SEPTfSBdibElbGncd+p9Wb6SovqapCPl -crkLgPhBAz/R9M7E/G3zedmiEhsV78pBF3bup+nQVvBVtV/NucN5N6LkAclT4O3F -flGZa1/mJcpgjVapT6duY0POXczfS6ts55x2BE0UfYtXfRnVnHtu2+j8kqYG3N1G -sfVnzRkwtTWBMxMAEQEAAbQxREVCLlNVUlkuT1JHIEF1dG9tYXRpYyBTaWduaW5n -IEtleSA8ZGViQHN1cnkub3JnPokB1AQTAQoAPgIbAwULCQgHAgYVCgkICwIEFgID -AQIeAQIXgBYhBBUFhQCgI12X9dEAY7GI4raVvUdDBQJgK4WHBQkJP7BoAAoJELGI -4raVvUdDQ/QL+wa0KQ8o8askks4elU1PSdUP/ywacroMtl6BV2d/di/PtquZl4zI -p/qAhUmcSJhUJMJBdGQ5S4uxCn0rEy2CBO8LhSTFuS01UGVHhjZQLA+GZEMunpS8 -KbPH5lWuwWwY1bbx9eCwpIxzz3Krctk8WGvja4EsqIWmRcaQ1z19JndbH8Ekfhf2 -U7noZNFZIhHIOHK51dOm4oaSdrJUhhd52zrwLf+lOtHh0kkOad+eCByah9XwmO9q -SAuHLquSv9BWfnLKSHfwRW+YeAHlkELui0Zi6zD2PYqcBAebZWNmyxiJUz0oHJPJ -H6DoXXxI6OsCdFDkqW5hP/IfVI97fbKMGY9g4RyasJmb/18F7eSFC1S7fj6hHCRn -HTKR5cO3PdzYndyICGfaQMUa+n0HsWZAw8mgWPnKZd3xXt4n+Exx/LBV3ZkOwHT7 -L9nTPALsoqqEtn0zjOo/eOt9fmaW9TcvL1V1oiRpEk3lejvF/Wt5zwkPOgys2ZCZ -Ttefx/lGoxC2lrkBjQRcj2+fAQwA4McaM/y2XQSHlJBSYR7yqZtHX/kZ8g9pnViq -kCEADz8XKCroEzvY1gaWtR6obtjaq8pF0g4KtAC65/gIOtsHvWg3OclrODPkXN+x -OM1LpXZGV6kwk+LXOrybtPhVZe3FtvDMW0MVZeHYi+soZ4tTQHkKjZUPAXZs3ZoZ -rWfE5ft447sCxzX+jxDwwlckkKqZ9sHYD0TV8Y5av3RsxiWBt+coch8jvw+1mDZ0 -zBjMO8ZRD8PuvP9UTKCNOIm0mW9A2cUfpkk/uAwo5hCnw4iljS81/KKGM/scwc5K -x6G3WWoAb8kajt0VFG/wYN2qjfjdhXtdu3ZxYtDdjA2UGGRbgkCsr+gRCnSTiuwv -LzCVZCz9WNzZjUMg6LFP2IrHned4Kdy4KjJo+g/weKJoxfKokZ/9vUYpw5OYx3UE -SUk3yHDN9r/JC4RJJ2tE2qkeggJ892RJGxUK/Lw3/7jIQKalO3Qx2zYUqnCYMC9g -PhQGH+F9kwSpGVwb0DKFT6gR9Pt3ABEBAAGJAbwEGAEKACYCGwwWIQQVBYUAoCNd 
-l/XRAGOxiOK2lb1HQwUCYCuFsQUJCT+wkgAKCRCxiOK2lb1HQ3icDADGRBYuqFNG -2mnAKH9W2qMKGJUBOMdEouUpFZELs5bgMfLH9/i5PNi+73IhHqsSsR3JIHRPuzt5 -nmifWYFPvsVV/8eu2O1UeyCbt+KK1v+aMfJbg3J38pCLgqOrMK1a3VxKZ6mHIy6A -5xEBLdl9HP6+lGYhYPdQd2kq5H+64DyF5zlpUX9biTpiri4ZiF3kUrXKLEupUtuS -aWf+n4hTreT2olThoQIsxWPj+YV/9irNRpATY+JrD74tA3HPI02nq3Xvaz0R0gVG -8HRUcw3ejXgn8SfSmY8p3JxVtYQJTUdsR3+qTgm+91LpFhWBBJZagjUoYrGb5/ZU -iCyr1kJMo+/PceVsGuiaH9r84fxi0VGZVl4P9rP3Dwx8QLosFrElkQBhX1YIYhJX -mo/XAlzVedQ37DyJu+/TZDUXu1q/4D+7z0s3oekWmUwziFI1HBxsNbwHRQyek/To -nirX97CSifEBg1L8BRRex7eUGWJ/YI/Zjf6CNaqUt5SIUBUv0zv1lFc= -=gNGr ------END PGP ARMORED FILE----- diff --git a/nodes/carlene.toml b/nodes/carlene.toml index 6509140..a455063 100644 --- a/nodes/carlene.toml +++ b/nodes/carlene.toml @@ -176,7 +176,6 @@ ratelimit-exempt-hosts = [ ] [metadata.php] -version = "8.2" packages = [ 'gd', 'imagick', diff --git a/nodes/htz-cloud/pirmasens.py b/nodes/htz-cloud/pirmasens.py index 655f325..908e85e 100644 --- a/nodes/htz-cloud/pirmasens.py +++ b/nodes/htz-cloud/pirmasens.py @@ -52,12 +52,10 @@ nodes['htz-cloud.pirmasens'] = { }, }, 'php': { - 'version': '7.4', 'packages': { 'gd', 'imap', 'intl', - 'json', 'mbstring', 'opcache', 'pgsql', diff --git a/nodes/rottenraptor-server.toml b/nodes/rottenraptor-server.toml index e88891a..96eb5fb 100644 --- a/nodes/rottenraptor-server.toml +++ b/nodes/rottenraptor-server.toml @@ -41,7 +41,6 @@ domain = "sso.rotten.city" domain = "immich.rotten.city" [metadata.php] -version = "8.2" packages = [ "xml", ] From 9edf9111a1283c685a425c0ba7bfa67f269cd49b Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 23 Feb 2025 13:16:52 +0100 Subject: [PATCH 939/996] bundles/docker-engine: exit "start" action early if container is running this happens on daemon restarts --- bundles/docker-engine/files/docker-wrapper | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) 
diff --git a/bundles/docker-engine/files/docker-wrapper b/bundles/docker-engine/files/docker-wrapper index 97c0d37..fe2a010 100644 --- a/bundles/docker-engine/files/docker-wrapper +++ b/bundles/docker-engine/files/docker-wrapper @@ -17,7 +17,12 @@ PGID="$(id -g "${user}")" if [ "$ACTION" == "start" ] then - docker rm "${name}" || true + # just exit if the container is actually running already. + set +e + /usr/local/share/icinga/plugins/check_docker_container "${name}" && exit 0 + set -e + + docker rm "${name}" || true docker run -d \ --name "${name}" \ From ff2be8d58d55e299e3fa6208631121c834acd4bd Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 23 Feb 2025 13:17:54 +0100 Subject: [PATCH 940/996] bundles/docker-immich: add album-auto-share script --- .../files/immich-auto-album-share.py | 80 +++++++++++++++++++ bundles/docker-immich/items.py | 3 + bundles/docker-immich/metadata.py | 28 +++++++ nodes/rottenraptor-server.toml | 3 + 4 files changed, 114 insertions(+) create mode 100644 bundles/docker-immich/files/immich-auto-album-share.py create mode 100644 bundles/docker-immich/items.py diff --git a/bundles/docker-immich/files/immich-auto-album-share.py b/bundles/docker-immich/files/immich-auto-album-share.py new file mode 100644 index 0000000..863f8b2 --- /dev/null +++ b/bundles/docker-immich/files/immich-auto-album-share.py 
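Review bot: The `set +e` / `set -e` pair around `check_docker_container "${name}" && exit 0` is redundant, because a command that fails as the left operand of `&&` never trips errexit, so the two lines only add noise. More importantly the early-exit now depends on an Icinga plugin path from another bundle; on a node without that plugin the `&&` simply fails and the wrapper proceeds to `docker rm`, which hides the missing dependency. Asking docker directly avoids the coupling: `[ "$(docker inspect -f '{{.State.Running}}' "${name}" 2>/dev/null)" = "true" ] && exit 0`; if the plugin's additional checks are wanted instead, document the cross-bundle dependency in the comment. The rest of the start branch continues outside the hunk.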
@@ -0,0 +1,80 @@ +#!/usr/bin/env python3 + +from json import loads +from os import environ +from subprocess import check_output +from sys import exit + +import psycopg2 + +PSQL_HOST = environ['DB_HOSTNAME'] +PSQL_USER = environ['DB_USERNAME'] +PSQL_PASS = environ['DB_PASSWORD'] +PSQL_DB = environ['DB_DATABASE_NAME'] + +docker_networks = loads(check_output(['docker', 'network', 'inspect', 'aaarghhh'])) + +container_ip = None +# why the fuck is this a list of networks, even though we have to provide +# a network name to inspect ... +for network in docker_networks: + if network['Name'] != 'aaarghhh': + continue + + for _, container in network['Containers'].items(): + if container['Name'] == PSQL_HOST: + container_ip = container['IPv4Address'].split('/')[0] + +if not container_ip: + print(f'could not find ip address for container {PSQL_HOST=} in json') + print(docker_networks) + exit(1) + +print(f'{PSQL_HOST=} {container_ip=}') + +conn = psycopg2.connect( + dbname=PSQL_DB, + host=container_ip, + password=PSQL_PASS, + user=PSQL_USER, +) + +with conn: + with conn.cursor() as cur: + cur.execute('SELECT "id","ownerId","albumName" FROM albums;') + albums = { + i[0]: { + 'owner': i[1], + 'name': i[2], + } + for i in cur.fetchall() + } + + with conn.cursor() as cur: + cur.execute('SELECT "id","name" FROM users;') + users = { + i[0]: i[1] + for i in cur.fetchall() + } + +for album_id, album in albums.items(): + print(f'----- working on album: {album["name"]}') + with conn: + with conn.cursor() as cur: + cur.execute('SELECT "usersId" FROM albums_shared_users_users WHERE "albumsId" = %s;', (album_id,)) + album_shares = [i[0] for i in cur.fetchall()] + print(f' album is shared with {len(album_shares)} users: {album_shares}') + for user_id, user_name in users.items(): + if user_id == album['owner'] or user_id in album_shares: + continue + + print(f' sharing album with user {user_name} ... 
', end='') + with conn.cursor() as cur: + cur.execute( + 'INSERT INTO albums_shared_users_users ("albumsId","usersId","role") VALUES (%s, %s, %s);', + (album_id, user_id, 'viewer'), + ) + print('done') + print() + +conn.close() diff --git a/bundles/docker-immich/items.py b/bundles/docker-immich/items.py new file mode 100644 index 0000000..8c9d54e --- /dev/null +++ b/bundles/docker-immich/items.py @@ -0,0 +1,3 @@ +files['/usr/local/bin/immich-auto-album-share.py'] = { + 'mode': '0755', +} diff --git a/bundles/docker-immich/metadata.py b/bundles/docker-immich/metadata.py index 5b73f70..288b7f1 100644 --- a/bundles/docker-immich/metadata.py +++ b/bundles/docker-immich/metadata.py @@ -1,6 +1,11 @@ assert node.has_bundle('docker-engine') defaults = { + 'apt': { + 'packages': { + 'python3-psycopg2': {}, + }, + }, 'docker-engine': { 'containers': { 'immich': { @@ -45,6 +50,9 @@ defaults = { }, }, }, + 'docker-immich': { + 'enable_auto_album_share': False, + }, 'nginx': { 'vhosts': { 'immich': { @@ -59,3 +67,23 @@ defaults = { }, }, } + + +@metadata_reactor.provides( + 'systemd-timers/timers/immich-auto-album-share', +) +def auto_album_share(metadata): + if not metadata.get('docker-immich/enable_auto_album_share'): + return {} + + return { + 'systemd-timers': { + 'timers': { + 'immich-auto-album-share': { + 'command': '/usr/local/bin/immich-auto-album-share.py', + 'environment': metadata.get('docker-engine/containers/immich/environment'), + 'when': 'minutely', + }, + }, + }, + } diff --git a/nodes/rottenraptor-server.toml b/nodes/rottenraptor-server.toml index 96eb5fb..2ab03f8 100644 --- a/nodes/rottenraptor-server.toml +++ b/nodes/rottenraptor-server.toml @@ -13,6 +13,9 @@ bundles = [ "zfs", ] +[metadata.docker-immich] +enable_auto_album_share = true + [metadata.icinga_options] period = "daytime" From 02320e2488503b201a2774b6fa0bc1b202b43299 Mon Sep 17 00:00:00 2001 
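Review bot: The script writes directly into immich's `albums_shared_users_users` table and reads `albums` and `users` without any `deletedAt` filter, so soft-deleted albums or users (if immich soft-deletes them, which I believe it does) would receive share rows too; a header comment should at least pin the immich version the column names and the `'viewer'` role were checked against: `# writes immich's private schema directly; verified against immich <VERSION>, re-check after upgrades`. The docker network name `'aaarghhh'` is hard-coded twice and belongs in one constant or an environment variable next to the `DB_*` ones. Minor style points: `from sys import exit` shadows the builtin (use `sys.exit`), and `conn.close()` at the end is skipped on any exception, which `with closing(conn):` from contextlib would fix.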
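Review bot: `auto_album_share` copies the whole `docker-engine/containers/immich/environment` into the timer, which includes `DB_PASSWORD` and every other container secret even though the script only reads the four `DB_*` variables; wherever the systemd-timers bundle renders that environment (unit file or env file, outside this hunk), it must not be world-readable. Passing only what is needed limits the exposure: `env = metadata.get('docker-engine/containers/immich/environment')` and `'environment': {k: v for k, v in env.items() if k.startswith('DB_')}`. `'when': 'minutely'` also means a full scan of the albums table every minute; a comment stating why that cadence was chosen would help the next reader.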
From: Franziska Kunsmann Date: Sat, 1 Mar 2025 12:56:21 +0100 Subject: [PATCH 941/996] add boilerplate prometheus node --- nodes/htz-cloud.prometheus.toml | 7 +++++++ 1 file changed, 7 insertions(+) create mode 100644 nodes/htz-cloud.prometheus.toml diff --git a/nodes/htz-cloud.prometheus.toml b/nodes/htz-cloud.prometheus.toml new file mode 100644 index 0000000..6532493 --- /dev/null +++ b/nodes/htz-cloud.prometheus.toml @@ -0,0 +1,7 @@ +hostname = "138.199.210.112" +groups = ["debian-bookworm"] + +[metadata.interfaces.eth0] +ips = ["138.199.210.112/32", "2a01:4f8:1c1e:65e4::1/64"] +gateway4 = "172.31.1.1" +gateway6 = "fe80::1" From a60156f9ff859655702e3aa6d7981fff1ef669b1 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sat, 1 Mar 2025 12:56:56 +0100 Subject: [PATCH 942/996] voc.infobeamer-cms: WICMP25 --- nodes/voc/infobeamer-cms.py | 28 +++++++++++++--------------- 1 file changed, 13 insertions(+), 15 deletions(-) diff --git a/nodes/voc/infobeamer-cms.py b/nodes/voc/infobeamer-cms.py index 043c7a5..55949e2 100644 --- a/nodes/voc/infobeamer-cms.py +++ b/nodes/voc/infobeamer-cms.py @@ -25,17 +25,15 @@ nodes['voc.infobeamer-cms'] = { }, 'infobeamer-cms': { 'domain': 'infobeamer.c3voc.de', - 'event_start_date': '2024-12-26', - 'event_duration_days': 5, + 'event_start_date': '2025-02-28', + 'event_duration_days': 3, 'config': { 'ADMIN_USERS': [], - 'NO_LIMIT_USERS': [ - 'github:stblassitude', - ], + 'NO_LIMIT_USERS': [], 'HOSTED_API_KEY': vault.decrypt('encrypt$gAAAAABhxJPH2sIGMAibU2Us1HoCVlNfF0SQQnVl0eiod48Zu8webL_-xk3wDw3yXw1Hkglj-2usl-D3Yd095yTSq0vZMCv2fh-JWwSPdJewQ45x9Ai4vXVD4CNz5vuJBESKS9xQWXTc'), 'INTERRUPT_KEY': vault.human_password_for('infobeamer-cms interrupt key 38c3', words=1), 'SETUP_IDS': [ - 255228, + 258552, ], # 'EXTRA_ASSETS': [{ # 'type': "image", 
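Review bot: The event dates and `SETUP_IDS` are moved to the new event, but `INTERRUPT_KEY` on the context line just below is still derived from the `'infobeamer-cms interrupt key 38c3'` vault label, so the key handed out for the previous event stays valid for this one. If that key was distributed to 38C3 staff, deriving it from a per-event label (`'infobeamer-cms interrupt key wicmp25'`) rotates it with the event; if reuse is intended, a comment on the line saying so would stop the next reviewer from asking. The node definition continues outside the hunk.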
@@ -64,21 +62,21 @@ nodes['voc.infobeamer-cms'] = { or #info-beamer on the cccv rocketchat instance. '''.strip(), }, - 'DEFAULT_SSO_PROVIDER': 'c3hub', + 'DEFAULT_SSO_PROVIDER': 'github', 'DEFAULT_ADMIN_SSO_PROVIDER': 'c3voc', 'oauth2_providers': { - #'github': { - # 'client_id': vault.decrypt('encrypt$gAAAAABiNwHfIu9PYFfJrF7qirn_9vdvvUlEhJnadoNSS5XlCDbI_aMyj21_ZYQxaCkc6_eVX6Cj1jEHZ7Vs6wM-XyQdW0nUOahtqG4uvnYCiM3GFKHW_wQ='), - # 'client_secret': vault.decrypt('encrypt$gAAAAABiNwHtdZC2XQ8IjosL7vsmrxZMwDIM6AD5dUlLo996tJs4qV7KJETHgYYZil2aMzClwhcE6JmxdhARRp7IJQ4rQQibelTNmyYSzj_V4puVpvma7SU0UZkTIG95SdPpoHY--Zba'), - #}, + 'github': { + 'client_id': vault.decrypt('encrypt$gAAAAABiNwHfIu9PYFfJrF7qirn_9vdvvUlEhJnadoNSS5XlCDbI_aMyj21_ZYQxaCkc6_eVX6Cj1jEHZ7Vs6wM-XyQdW0nUOahtqG4uvnYCiM3GFKHW_wQ='), + 'client_secret': vault.decrypt('encrypt$gAAAAABiNwHtdZC2XQ8IjosL7vsmrxZMwDIM6AD5dUlLo996tJs4qV7KJETHgYYZil2aMzClwhcE6JmxdhARRp7IJQ4rQQibelTNmyYSzj_V4puVpvma7SU0UZkTIG95SdPpoHY--Zba'), + }, 'c3voc': { 'client_id': 'uqzN2mYeMq4vxnHL6HNmBC80hsvYcfhzniiczdqV', 'client_secret': vault.decrypt('encrypt$gAAAAABnaZ0z-hQ3yYf8P1g4gyLLvNHcNkiXVtIq7M11qswbzcVM4upfgtxCWBlCgwLN3v7CxwDFQbJnosEq0hbX4c0TEoOausV4upJD0-5zP_1U18gbMGicpZ0TCzYyEhOqvCye7UmFOWzOmplSX1fz43Pf7peDeaPxHjqmxjw0khyExzWw4JPOd1V7LhnesJmPCfGKXn5YHMDicrdYeqFf0FySN1yA5gfLNo7y-S1QMJ6-n6Jct7uuifF9t2OV-zyOj3cKK13B'), }, - 'c3hub': { - 'client_id': '16oHBcVstcOKwt3EuX9E2urpYeVC0Dfo3Gzn2XhS', - 'client_secret': vault.decrypt('encrypt$gAAAAABnaoRKbORUcceyKu3tda3lgMIFC-e0cG0AeMdDYJ--EnTRxp8QcULOTf2oBtKQUk17hgwfsafTFi4eZq1FrjNgq1h5gm83oJYWLQ6pp8Rsp9kjwgtAXf72jIU-AOQxx02SoFMU8r5pdEFEX4FkU_ksbU6s7xgBW8oxq_WO2CXAppTUX61TeB9me2nSLFdJc5-v6RDpQfDvVAm7yNS_PhMvMgVzfEZrFM-EWF_bl0S_q0ejf88o9zaXHIMJpzMruVZOXD0T'), - }, + #'c3hub': { + # 'client_id': '16oHBcVstcOKwt3EuX9E2urpYeVC0Dfo3Gzn2XhS', + # 'client_secret': 
vault.decrypt('encrypt$gAAAAABnaoRKbORUcceyKu3tda3lgMIFC-e0cG0AeMdDYJ--EnTRxp8QcULOTf2oBtKQUk17hgwfsafTFi4eZq1FrjNgq1h5gm83oJYWLQ6pp8Rsp9kjwgtAXf72jIU-AOQxx02SoFMU8r5pdEFEX4FkU_ksbU6s7xgBW8oxq_WO2CXAppTUX61TeB9me2nSLFdJc5-v6RDpQfDvVAm7yNS_PhMvMgVzfEZrFM-EWF_bl0S_q0ejf88o9zaXHIMJpzMruVZOXD0T'), + #}, }, }, 'rooms': { From d40efd219210b3e5cd4be33f00471d0698dd2f04 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 2 Mar 2025 17:44:25 +0100 Subject: [PATCH 943/996] bundles/icinga2: add monitoring for ipmi interfaces --- .../icinga2/files/icinga2/hosts_template.conf | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/bundles/icinga2/files/icinga2/hosts_template.conf b/bundles/icinga2/files/icinga2/hosts_template.conf index 631fc8a..c28d8e4 100644 --- a/bundles/icinga2/files/icinga2/hosts_template.conf +++ b/bundles/icinga2/files/icinga2/hosts_template.conf @@ -23,6 +23,25 @@ object Host "${rnode.name}" { vars.notification.mail = true } +% if rnode._attributes.get('ipmi'): +object Host "IPMI ${rnode.name}" { + import "generic-host" + + address = "${rnode._attributes['ipmi']['hostname']}" + + vars.location = "${rnode.metadata.get('location', 'unknown')}" + vars.os = "ipmi" + + vars.pretty_name = "IPMI ${rnode.metadata.get('icinga_options/pretty_name', rnode.metadata.get('hostname'))}" + vars.show_on_statuspage = false + + vars.period = "${rnode.metadata.get('icinga_options/period', '24x7')}" + + vars.notification.sms = ${str(rnode.metadata.get('icinga_options/vars.notification.sms', True)).lower()} + vars.notification.mail = true +} +% endif + % for depends_on_host in sorted(rnode.metadata.get('icinga_options/also_affected_by', set())): object Dependency "${rnode.name}_depends_on_${depends_on_host}" { parent_host_name = "${depends_on_host}" From 8135e4160f6bb2853781a3c3d000c608c66132a4 Mon Sep 17 00:00:00 2001 
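Review bot: The c3hub provider is parked by commenting it out rather than removed, so its `client_secret` blob stays in the live config for a provider that no longer serves any login (it remains in git history either way). If c3hub is not coming back, deleting the block and revoking the secret on the c3hub side is cleaner than carrying a dormant credential; if it is seasonal, a short comment such as `# c3hub: only enabled for congress, re-enable with event_start_date` above the block would tell the next reader why it is parked. Switching `DEFAULT_SSO_PROVIDER` to github matches the now-enabled github block, so nothing else in the hunk looks out of sync.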
From: Franziska Kunsmann Date: Sun, 2 Mar 2025 17:44:50 +0100 Subject: [PATCH 944/996] nodes.py: add demagify for ipmi data --- nodes.py | 2 ++ 1 file changed, 2 insertions(+) diff --git a/nodes.py b/nodes.py index f47f004..1798613 100644 --- a/nodes.py +++ b/nodes.py @@ -12,6 +12,8 @@ for name, data in nodes.items(): if 'password' in data: data['password'] = vault.decrypt(data['password']) + if 'ipmi' in data: + data['ipmi'].update(libs.demagify.demagify(data['ipmi'], vault)) data['metadata'].update(libs.demagify.demagify(data['metadata'], vault)) for node in Path(join(repo_path, "nodes")).rglob("*.py"): From 7a5ca524b43831659b636f9001ef7b8d26a194a2 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 2 Mar 2025 17:49:30 +0100 Subject: [PATCH 945/996] add ipmi information to hosts which have ipmi --- nodes/home.r630-ipmi.toml | 6 ------ nodes/home.r630.toml | 6 ++++++ nodes/proxmox-backupstorage.toml | 6 ++++++ nodes/rottenraptor-server-ipmi.toml | 7 ------- nodes/rottenraptor-server.toml | 6 ++++++ 5 files changed, 18 insertions(+), 13 deletions(-) delete mode 100644 nodes/home.r630-ipmi.toml delete mode 100644 nodes/rottenraptor-server-ipmi.toml diff --git a/nodes/home.r630-ipmi.toml b/nodes/home.r630-ipmi.toml deleted file mode 100644 index f58012b..0000000 --- a/nodes/home.r630-ipmi.toml +++ /dev/null @@ -1,6 +0,0 @@ -dummy = true - -[metadata.interfaces.eth0] -ips = ["172.19.138.23"] -dhcp = true -mac = "50:9a:4c:ad:f9:c4" diff --git a/nodes/home.r630.toml b/nodes/home.r630.toml index 408afb4..ffd4c46 100644 --- a/nodes/home.r630.toml +++ b/nodes/home.r630.toml @@ -2,6 +2,12 @@ hostname = "172.19.138.22" groups = ["debian-bookworm"] bundles = ["docker-engine", "nginx", "redis"] +#[ipmi] +#hostname = "172.19.138.23" +#username = "root" +#password = "calvin" +#interface = "lanplus" + [metadata] icinga_options.exclude_from_monitoring = true backups.exclude_from_backups = true 
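Review bot: The new branch demagifies `data['ipmi']` as a nested table, but the node files in the following patches end up (after 950 and 954) with flat top-level keys `ipmi_hostname`/`ipmi_password`, which `'ipmi' in data` never matches; the `!bwpass:` strings in `ipmi_password` would then stay literal unless something outside this series resolves them. If the flat form is what bundlewrap 4.22 expects, this loop should demagify those keys instead, e.g. `for key in ('ipmi_username', 'ipmi_password'):` / `    if key in data: data[key] = libs.demagify.demagify({key: data[key]}, vault)[key]` — adjusted to however demagify treats scalar values, which is not visible here. The `for name, data in nodes.items()` loop this sits in begins outside the hunk.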
diff --git a/nodes/proxmox-backupstorage.toml b/nodes/proxmox-backupstorage.toml index 7d58297..8a9da36 100644 --- a/nodes/proxmox-backupstorage.toml +++ b/nodes/proxmox-backupstorage.toml @@ -1,6 +1,12 @@ hostname = "192.168.100.31" dummy = true +#[ipmi] +#hostname = "192.168.100.30" +#username = "root" +#password = "!bwpass:192.168.100.30/root" +#interface = "lanplus" + [metadata.icinga2_api.smartd.services."SMART STATUS CT480BX500SSD1_2314E6C5C695"] check_command = "sshmon" "vars.sshmon_command" = "CT480BX500SSD1_2314E6C5C695" diff --git a/nodes/rottenraptor-server-ipmi.toml b/nodes/rottenraptor-server-ipmi.toml deleted file mode 100644 index fdc76b9..0000000 --- a/nodes/rottenraptor-server-ipmi.toml +++ /dev/null @@ -1,7 +0,0 @@ -dummy = true - -[metadata.icinga_options] -period = "daytime" - -[metadata.interfaces.default] -ips = ["192.168.100.27/24"] diff --git a/nodes/rottenraptor-server.toml b/nodes/rottenraptor-server.toml index 2ab03f8..529984a 100644 --- a/nodes/rottenraptor-server.toml +++ b/nodes/rottenraptor-server.toml @@ -13,6 +13,12 @@ bundles = [ "zfs", ] +#[ipmi] +#hostname = "192.168.100.27" +#username = "Administrator" +#password = "!bwpass:bw/rottenraptor-server/ipmi" +#interface = "lanplus" + [metadata.docker-immich] enable_auto_album_share = true From e9e25f8a1ea074788180448201f5ade1ccef1343 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 2 Mar 2025 19:01:23 +0100 Subject: [PATCH 946/996] bundles/docker-engine: pull image before starting it --- bundles/docker-engine/files/docker-wrapper | 2 ++ 1 file changed, 2 insertions(+) diff --git a/bundles/docker-engine/files/docker-wrapper b/bundles/docker-engine/files/docker-wrapper index fe2a010..2821d29 100644 --- a/bundles/docker-engine/files/docker-wrapper +++ b/bundles/docker-engine/files/docker-wrapper @@ -24,6 +24,8 @@ then docker rm "${name}" || true + docker pull "${image}" + docker run -d \ --name "${name}" \ --env "PUID=$PUID" \ 
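Review bot: The added `docker pull "${image}"` pulls by whatever tag `image` carries, unconditionally, before every start, so the image a container comes back with after a restart can differ from the one it ran before, with nothing recording that it changed. If the tags in metadata are mutable (`latest`-style), consider carrying a digest (`image@sha256:…`) in metadata, or at minimum logging what was actually started, e.g. `docker inspect --format '{{index .RepoDigests 0}}' "${image}"` right after the pull. What happens when the pull fails (registry unreachable) depends on shell options set outside this hunk; the neighbouring `docker rm "${name}" || true` suggests errors are tolerated selectively, so decide explicitly whether a failed pull should still start the cached image, e.g. `docker pull "${image}" || echo "pull failed, starting cached ${image}" >&2`. The wrapper's enclosing `if` and the `docker run` continue outside the hunk.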
From c0a436385df7b8e087120323ced5899cc576f8d6 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Wed, 5 Mar 2025 21:26:35 +0100 Subject: [PATCH 947/996] update travelynx to 2.10.2 --- nodes/carlene.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nodes/carlene.toml b/nodes/carlene.toml index a455063..d936789 100644 --- a/nodes/carlene.toml +++ b/nodes/carlene.toml @@ -249,7 +249,7 @@ disks = [ ] [metadata.travelynx] -version = "2.10.0" +version = "2.10.2" mail_from = "travelynx@franzi.business" domain = "travelynx.franzi.business" From 4c6abb65eefa0484b154988e894cfb88dfb7d38f Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Thu, 6 Mar 2025 20:03:37 +0100 Subject: [PATCH 948/996] groups.py: don't overwrite toml groups --- groups.py | 1 - 1 file changed, 1 deletion(-) diff --git a/groups.py b/groups.py index d99ced7..b5acfd9 100644 --- a/groups.py +++ b/groups.py @@ -3,7 +3,6 @@ from pathlib import Path from bundlewrap.utils import error_context -groups = {} for group in Path(join(repo_path, "groups")).rglob("*.py"): with error_context(filename=str(group)): with open(group, 'r') as f: From a376d980cbb3738856fef79e73aae39fa71a5ba8 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Thu, 6 Mar 2025 20:32:31 +0100 Subject: [PATCH 949/996] add .bw_debug_history to gitignore --- .gitignore | 1 + 1 file changed, 1 insertion(+) diff --git a/.gitignore b/.gitignore index 7a53a34..8c736ec 100644 --- a/.gitignore +++ b/.gitignore @@ -3,3 +3,4 @@ __pycache__ *.swp .direnv .envrc.local +.bw_debug_history From 6d5ae359ebdd301229ab743f801cc6bbb772a7e2 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sat, 8 Mar 2025 09:11:10 +0100 Subject: [PATCH 950/996] node: correct syntax for ipmi data --- nodes/home.r630.toml | 9 ++++----- nodes/proxmox-backupstorage.toml | 9 ++++----- nodes/rottenraptor-server.toml | 9 ++++----- 3 files changed, 12 insertions(+), 15 deletions(-) 
diff --git a/nodes/home.r630.toml b/nodes/home.r630.toml index ffd4c46..03e2f56 100644 --- a/nodes/home.r630.toml +++ b/nodes/home.r630.toml @@ -2,11 +2,10 @@ hostname = "172.19.138.22" groups = ["debian-bookworm"] bundles = ["docker-engine", "nginx", "redis"] -#[ipmi] -#hostname = "172.19.138.23" -#username = "root" -#password = "calvin" -#interface = "lanplus" +#ipmi_hostname = "172.19.138.23" +#ipmi_username = "root" +#ipmi_password = "calvin" +#ipmi_interface = "lanplus" [metadata] icinga_options.exclude_from_monitoring = true diff --git a/nodes/proxmox-backupstorage.toml b/nodes/proxmox-backupstorage.toml index 8a9da36..a061f7e 100644 --- a/nodes/proxmox-backupstorage.toml +++ b/nodes/proxmox-backupstorage.toml @@ -1,11 +1,10 @@ hostname = "192.168.100.31" dummy = true -#[ipmi] -#hostname = "192.168.100.30" -#username = "root" -#password = "!bwpass:192.168.100.30/root" -#interface = "lanplus" +#ipmi_hostname = "192.168.100.30" +#ipmi_username = "root" +#ipmi_password = "!bwpass:192.168.100.30/root" +#ipmi_interface = "lanplus" [metadata.icinga2_api.smartd.services."SMART STATUS CT480BX500SSD1_2314E6C5C695"] check_command = "sshmon" diff --git a/nodes/rottenraptor-server.toml b/nodes/rottenraptor-server.toml index 529984a..964839c 100644 --- a/nodes/rottenraptor-server.toml +++ b/nodes/rottenraptor-server.toml @@ -13,11 +13,10 @@ bundles = [ "zfs", ] -#[ipmi] -#hostname = "192.168.100.27" -#username = "Administrator" -#password = "!bwpass:bw/rottenraptor-server/ipmi" -#interface = "lanplus" +#ipmi_hostname = "192.168.100.27" +#ipmi_username = "Administrator" +#ipmi_password = "!bwpass:bw/rottenraptor-server/ipmi" +#ipmi_interface = "lanplus" [metadata.docker-immich] enable_auto_album_share = true From 18207d2ae5303fd34d6b9f6552dc8ee4a51718e1 Mon Sep 17 00:00:00 2001 
From: Franziska Kunsmann Date: Sat, 8 Mar 2025 09:13:37 +0100 Subject: [PATCH 951/996] bundles/icinga2: fix ipmi check --- bundles/icinga2/files/icinga2/hosts_template.conf | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/bundles/icinga2/files/icinga2/hosts_template.conf b/bundles/icinga2/files/icinga2/hosts_template.conf index c28d8e4..ac56ef2 100644 --- a/bundles/icinga2/files/icinga2/hosts_template.conf +++ b/bundles/icinga2/files/icinga2/hosts_template.conf @@ -23,16 +23,16 @@ object Host "${rnode.name}" { vars.notification.mail = true } -% if rnode._attributes.get('ipmi'): -object Host "IPMI ${rnode.name}" { +% if rnode.ipmi_hostname: +object Host "${rnode.name} IPMI" { import "generic-host" - address = "${rnode._attributes['ipmi']['hostname']}" + address = "${rnode.ipmi_hostname}" vars.location = "${rnode.metadata.get('location', 'unknown')}" vars.os = "ipmi" - vars.pretty_name = "IPMI ${rnode.metadata.get('icinga_options/pretty_name', rnode.metadata.get('hostname'))}" + vars.pretty_name = "${rnode.metadata.get('icinga_options/pretty_name', rnode.metadata.get('hostname'))} IPMI" vars.show_on_statuspage = false vars.period = "${rnode.metadata.get('icinga_options/period', '24x7')}" From 333873383b93ab74c24f7c777b46469e0ecbce2c Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sat, 8 Mar 2025 09:26:13 +0100 Subject: [PATCH 952/996] scripts/passwords_for: various improvements --- scripts/passwords-for | 20 ++++++++++++++++---- 1 file changed, 16 insertions(+), 4 deletions(-) diff --git a/scripts/passwords-for b/scripts/passwords-for index 136ba99..d019e74 100755 --- a/scripts/passwords-for +++ b/scripts/passwords-for @@ -1,5 +1,7 @@ #!/usr/bin/env python3 + from os import environ +from os.path import abspath, dirname from sys import argv from bundlewrap.exceptions import FaultUnavailable 
@@ -7,13 +9,13 @@ from bundlewrap.metagen import NodeMetadataProxy from bundlewrap.repo import Repository from bundlewrap.utils import Fault -path = environ.get('BW_REPO_PATH', '.') -repo = Repository(path) +repo = Repository( + dirname(dirname(abspath(__file__))) +) def print_faults(dictionary, keypath=[]): for key, value in sorted(dictionary.items()): key = str(key) - if isinstance(value, Fault): try: resolved_fault = value.value @@ -27,12 +29,22 @@ def print_faults(dictionary, keypath=[]): elif isinstance(value, (dict, NodeMetadataProxy)): print_faults(value, keypath=keypath+[key]) + if len(argv) == 1: print('node name missing') exit(1) node = repo.get_node(argv[1]) +if node.username or node.password: + print_faults({ + 'username': node.username, + 'password': node.password, + }) +#if node.ipmi_username or node.ipmi_password: +# print_faults({ +# 'ipmi_username': node.ipmi_username, +# 'ipmi_password': node.ipmi_password, +# }) print_faults({ - 'password': node.password, 'metadata': node.metadata, }) From b5a9a502da053e0dabd93bb37a9b83bf390e3f81 Mon Sep 17 00:00:00 2001 From: Sophie Schiller Date: Wed, 19 Mar 2025 19:24:58 +0100 Subject: [PATCH 953/996] bw/ssl add new home wildcard --- data/ssl/_.home.sophies-kitchen.eu.crt.pem | 39 ++++++++++--------- ...me.sophies-kitchen.eu.crt_intermediate.pem | 36 ++++++++--------- .../_.home.sophies-kitchen.eu.key.pem.vault | 2 +- 3 files changed, 39 insertions(+), 38 deletions(-) diff --git a/data/ssl/_.home.sophies-kitchen.eu.crt.pem b/data/ssl/_.home.sophies-kitchen.eu.crt.pem index c0e1bad..bc6c33e 100644 --- a/data/ssl/_.home.sophies-kitchen.eu.crt.pem +++ b/data/ssl/_.home.sophies-kitchen.eu.crt.pem 
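Review bot: The `ipmi_username`/`ipmi_password` block in the last hunk is committed commented out, presumably because the installed bundlewrap did not expose those node attributes yet (the requirements bump comes later in this series); `getattr` would let it work on both versions instead of waiting to be uncommented: `ipmi_user, ipmi_pw = getattr(node, 'ipmi_username', None), getattr(node, 'ipmi_password', None)` followed by `if ipmi_user or ipmi_pw: print_faults({'ipmi_username': ipmi_user, 'ipmi_password': ipmi_pw})`. Since this script's whole job is to print resolved secrets to the terminal, a module docstring saying so, e.g. `"""Print every resolvable secret (login, IPMI, metadata faults) for a node to stdout."""`, would warn readers before they pipe or log its output. Replacing the `BW_REPO_PATH` override with the script's own location is reasonable but silently drops an env var other tooling may still set, and leaves `environ` imported but unused; a short comment on the `Repository(...)` call noting the change would help.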
@@ -1,23 +1,24 @@ -----BEGIN CERTIFICATE----- -MIIDxzCCA02gAwIBAgISA1HOrGT03Yk2QXIKpt4i5P2mMAoGCCqGSM49BAMDMDIx +MIID9jCCA3ygAwIBAgISBaRtAN5dI7hI3l+MeuwXGm48MAoGCCqGSM49BAMDMDIx CzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQDEwJF -NjAeFw0yNDEyMTkwMTE2MTdaFw0yNTAzMTkwMTE2MTZaMCIxIDAeBgNVBAMTF2hv -bWUuc29waGllcy1raXRjaGVuLmV1MHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEKI2X -YK5pxQUcBjOYQwH6OQBEaj2kVhtj1BgRXXrap/U3Zi9M1oKpDk22husbUDS4fACo -IFAsNYbFi15ayAwvkkcWEe4VkgYEdPVJes3XnkL1YOGzUpT9+eC6VbjCxjfdo4IC -NDCCAjAwDgYDVR0PAQH/BAQDAgeAMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEF -BQcDAjAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBRQB7GGtPhw9dPLCx28NgPOq+Wa -jjAfBgNVHSMEGDAWgBSTJ0aYA6lRaI6Y1sRCSNsjv1iU0jBVBggrBgEFBQcBAQRJ -MEcwIQYIKwYBBQUHMAGGFWh0dHA6Ly9lNi5vLmxlbmNyLm9yZzAiBggrBgEFBQcw -AoYWaHR0cDovL2U2LmkubGVuY3Iub3JnLzA9BgNVHREENjA0ghkqLmhvbWUuc29w +NTAeFw0yNTAzMTkxNzI1NTVaFw0yNTA2MTcxNzI1NTRaMCIxIDAeBgNVBAMTF2hv +bWUuc29waGllcy1raXRjaGVuLmV1MHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEMpwz +KfaRqcoUak1UJzHRmcy1Zz/9KmlEoja94JwEO7qqARCOJedwJ/MS8Zkz3ZkJvjv5 +iIXe9u6qbn/C8RS+/UqunvnCxTJeWMcXaI2p9M+DE7PlPQiIP1t/SPQ2QsIso4IC +YzCCAl8wDgYDVR0PAQH/BAQDAgeAMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEF +BQcDAjAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBSspYDX4yydAiYu+8XZw/Vu7IrW +xDAfBgNVHSMEGDAWgBSfK1/PPCFPnQS37SssxMZwi9LXDTBVBggrBgEFBQcBAQRJ +MEcwIQYIKwYBBQUHMAGGFWh0dHA6Ly9lNS5vLmxlbmNyLm9yZzAiBggrBgEFBQcw +AoYWaHR0cDovL2U1LmkubGVuY3Iub3JnLzA9BgNVHREENjA0ghkqLmhvbWUuc29w aGllcy1raXRjaGVuLmV1ghdob21lLnNvcGhpZXMta2l0Y2hlbi5ldTATBgNVHSAE -DDAKMAgGBmeBDAECATCCAQQGCisGAQQB1nkCBAIEgfUEgfIA8AB3AKLjCuRF772t -m3447Udnd1PXgluElNcrXhssxLlQpEfnAAABk9yyNhIAAAQDAEgwRgIhAOsCeRvZ -GUN1z2lGajkrKcCtffuDhwNRPAIN2we+oXuzAiEA7XeLDROcGGcOYUMin5xKE+qr -XwitlCEyUejC5xKJm1QAdQDM+w9qhXEJZf6Vm1PO6bJ8IumFXA2XjbapflTA/kwN -sAAAAZPcsjYwAAAEAwBGMEQCIFRahCu7PZCNkSF6+oyB3MAWoLQYmjlDXxeI91E0 -QfOkAiBGaToUTmM1n16nkX0hMVhNm7icCFojHkNCUzfSJ0wk8zAKBggqhkjOPQQD -AwNoADBlAjAgbshjfMt0K8pG2NzhVW1m/es3HJEtK4QGAe/BR5lgjLy1bJG/iLr9 
-eXPh4xACg5wCMQDx7cF2C2T06e9ogshtJGODQSM9tGHbtt2rpAbUAzWNZgu+F3XL -mwaSjFAL7mBYSMM= +DDAKMAgGBmeBDAECATAtBgNVHR8EJjAkMCKgIKAehhxodHRwOi8vZTUuYy5sZW5j +ci5vcmcvNjEuY3JsMIIBBAYKKwYBBAHWeQIEAgSB9QSB8gDwAHcATnWjJ1yaEMM4 +W2zU3z9S6x3w4I4bjWnAsfpksWKaOd8AAAGVr6ZJYgAABAMASDBGAiEA2TRwcna6 +vp3yZSUfXjd14SFvTZtXucSMJQQERKgwDekCIQCEppv+qukiFo4SjQBMQ50ptVXC +LMJZVy4A6VuMCmj3VQB1AOCSs/wMHcjnaDYf3mG5lk0KUngZinLWcsSwTaVtb1QE +AAABla+mSgEAAAQDAEYwRAIgXjJYEE32AFXfqx43ZOQrgP5cGdK5znOGCSxmjcMg +S/UCIBZNBTNVtJWGYKJQgS+bx7EbDDWobar7shNd1/jK0Kt3MAoGCCqGSM49BAMD +A2gAMGUCMQCoQeeM5wcNWCgtjoWPqduuEP/W0M4UrBydd2tVAAE7dbYb2Batj2Gg +qnaDMK2j/+ACMCNtwr4CWsgMAsK8HlDVM0UBvzEFOy2X+hkGzqOe0kfN+abHP0Sf +L0aZkl5gt8NcKg== -----END CERTIFICATE----- diff --git a/data/ssl/_.home.sophies-kitchen.eu.crt_intermediate.pem b/data/ssl/_.home.sophies-kitchen.eu.crt_intermediate.pem index 4652201..59039ae 100644 --- a/data/ssl/_.home.sophies-kitchen.eu.crt_intermediate.pem +++ b/data/ssl/_.home.sophies-kitchen.eu.crt_intermediate.pem 
@@ -1,27 +1,27 @@ -----BEGIN CERTIFICATE----- -MIIEVzCCAj+gAwIBAgIRALBXPpFzlydw27SHyzpFKzgwDQYJKoZIhvcNAQELBQAw +MIIEVzCCAj+gAwIBAgIRAIOPbGPOsTmMYgZigxXJ/d4wDQYJKoZIhvcNAQELBQAw TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMjQwMzEzMDAwMDAw WhcNMjcwMzEyMjM1OTU5WjAyMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNTGV0J3Mg -RW5jcnlwdDELMAkGA1UEAxMCRTYwdjAQBgcqhkjOPQIBBgUrgQQAIgNiAATZ8Z5G -h/ghcWCoJuuj+rnq2h25EqfUJtlRFLFhfHWWvyILOR/VvtEKRqotPEoJhC6+QJVV -6RlAN2Z17TJOdwRJ+HB7wxjnzvdxEP6sdNgA1O1tHHMWMxCcOrLqbGL0vbijgfgw +RW5jcnlwdDELMAkGA1UEAxMCRTUwdjAQBgcqhkjOPQIBBgUrgQQAIgNiAAQNCzqK +a2GOtu/cX1jnxkJFVKtj9mZhSAouWXW0gQI3ULc/FnncmOyhKJdyIBwsz9V8UiBO +VHhbhBRrwJCuhezAUUE8Wod/Bk3U/mDR+mwt4X2VEIiiCFQPmRpM5uoKrNijgfgw gfUwDgYDVR0PAQH/BAQDAgGGMB0GA1UdJQQWMBQGCCsGAQUFBwMCBggrBgEFBQcD -ATASBgNVHRMBAf8ECDAGAQH/AgEAMB0GA1UdDgQWBBSTJ0aYA6lRaI6Y1sRCSNsj -v1iU0jAfBgNVHSMEGDAWgBR5tFnme7bl5AFzgAiIyBpY9umbbjAyBggrBgEFBQcB +ATASBgNVHRMBAf8ECDAGAQH/AgEAMB0GA1UdDgQWBBSfK1/PPCFPnQS37SssxMZw +i9LXDTAfBgNVHSMEGDAWgBR5tFnme7bl5AFzgAiIyBpY9umbbjAyBggrBgEFBQcB AQQmMCQwIgYIKwYBBQUHMAKGFmh0dHA6Ly94MS5pLmxlbmNyLm9yZy8wEwYDVR0g BAwwCjAIBgZngQwBAgEwJwYDVR0fBCAwHjAcoBqgGIYWaHR0cDovL3gxLmMubGVu -Y3Iub3JnLzANBgkqhkiG9w0BAQsFAAOCAgEAfYt7SiA1sgWGCIpunk46r4AExIRc -MxkKgUhNlrrv1B21hOaXN/5miE+LOTbrcmU/M9yvC6MVY730GNFoL8IhJ8j8vrOL -pMY22OP6baS1k9YMrtDTlwJHoGby04ThTUeBDksS9RiuHvicZqBedQdIF65pZuhp -eDcGBcLiYasQr/EO5gxxtLyTmgsHSOVSBcFOn9lgv7LECPq9i7mfH3mpxgrRKSxH -pOoZ0KXMcB+hHuvlklHntvcI0mMMQ0mhYj6qtMFStkF1RpCG3IPdIwpVCQqu8GV7 -s8ubknRzs+3C/Bm19RFOoiPpDkwvyNfvmQ14XkyqqKK5oZ8zhD32kFRQkxa8uZSu -h4aTImFxknu39waBxIRXE4jKxlAmQc4QjFZoq1KmQqQg0J/1JF8RlFvJas1VcjLv -YlvUB2t6npO6oQjB3l+PNf0DpQH7iUx3Wz5AjQCi6L25FjyE06q6BZ/QlmtYdl/8 -ZYao4SRqPEs/6cAiF+Qf5zg2UkaWtDphl1LKMuTNLotvsX99HP69V2faNyegodQ0 -LyTApr/vT01YPE46vNsDLgK+4cL6TrzC/a4WcmF5SRJ938zrv/duJHLXQIku5v0+ -EwOy59Hdm0PT/Er/84dDV0CSjdR/2XuZM3kpysSKLgD1cKiDA+IRguODCxfO9cyY -Ig46v9mFmBvyH04= 
+Y3Iub3JnLzANBgkqhkiG9w0BAQsFAAOCAgEAH3KdNEVCQdqk0LKyuNImTKdRJY1C +2uw2SJajuhqkyGPY8C+zzsufZ+mgnhnq1A2KVQOSykOEnUbx1cy637rBAihx97r+ +bcwbZM6sTDIaEriR/PLk6LKs9Be0uoVxgOKDcpG9svD33J+G9Lcfv1K9luDmSTgG +6XNFIN5vfI5gs/lMPyojEMdIzK9blcl2/1vKxO8WGCcjvsQ1nJ/Pwt8LQZBfOFyV +XP8ubAp/au3dc4EKWG9MO5zcx1qT9+NXRGdVWxGvmBFRAajciMfXME1ZuGmk3/GO +koAM7ZkjZmleyokP1LGzmfJcUd9s7eeu1/9/eg5XlXd/55GtYjAM+C4DG5i7eaNq +cm2F+yxYIPt6cbbtYVNJCGfHWqHEQ4FYStUyFnv8sjyqU8ypgZaNJ9aVcWSICLOI +E1/Qv/7oKsnZCWJ926wU6RqG1OYPGOi1zuABhLw61cuPVDT28nQS/e6z95cJXq0e +K1BcaJ6fJZsmbjRgD5p3mvEf5vdQM7MCEvU0tHbsx2I5mHHJoABHb8KVBgWp/lcX +GWiWaeOyB7RP+OfDtvi2OsapxXiV7vNVs7fMlrRjY1joKaqmmycnBvAq14AEbtyL +sVfOS66B8apkeFX2NY4XPEYV4ZSCe8VHPrdrERk2wILG3T/EGmSIkCYVUMSnjmJd +VQD9F6Na/+zmXCc= -----END CERTIFICATE----- diff --git a/data/ssl/_.home.sophies-kitchen.eu.key.pem.vault b/data/ssl/_.home.sophies-kitchen.eu.key.pem.vault index 4b79230..8f76986 100644 --- a/data/ssl/_.home.sophies-kitchen.eu.key.pem.vault +++ b/data/ssl/_.home.sophies-kitchen.eu.key.pem.vault 
@@ -1 +1 @@ -encrypt$gAAAAABnY4Ga6MmpudhHnOVKVh3j6R071y-Bs6es3e3hNHkZP7Tfj6IomEhTSxWb_oG9HYZmhkadw66cmVRQcxp1wGChWWLye-ykadgy0xUCxGW3YmBWp4t--Yesvbjamaa5OlvDFWQVG5Zt4fsY7BloXRdio8XUdPKBkbi2MV0quvpqsFfOqr_ZmIOOkjLlZojfw9HQ7odM9lSAm8cVS5NXimOhA1ks_gK6CzJbzwhpbekCOcx5_sGhdb8XFUxLN-VBtmQ2HGIncou66rE1P3mBg2hDSyqiXapVMkqMjNoVM71V_5lUnAF7Lxce3nG72SnOe2oITnxRNcnaavxDEgd0ffM5revuCd-XWlaUW1iQrgSyQzJyD6Ukv-mM2IRpuoq79JdTZK_LNJkAmJozrGBT0c5ZwGVNLmZEcjQ1dk8jyYslF5s7rK1lmNvcTUaHGpFToXc1p-qFY8NNWj_Iu-MLE8PNrIscDg== \ No newline at end of file +encrypt$gAAAAABn2wvcFmCiy7gpvvwJzRVNJSSxLvlld2ob9O2ivyekdR6y1_k90Q1xZhs7-ombGAIyez1D7lvuNhYQrnff5TqRa9wKbIVyqOOj4lc5qS2jJWyMl9BCr7Fu0mdW0_33Ke5nGpc3mAMjwTLCn8aw-I_I0kALuhKvZ_H31Oy0Mdjw9rau8TmeWGmJDiPMyHlg_C6s2Gvj2VKHVuGeSVg01frjlTveK-ZsJNGvKm7njCqvqGJytFeV6iHzWYyzMTk8-z_xtv-PKH82ME_IdGVv8YcgmCrXWzzA35A3YEaac7uKui1RFzqN6K5sYL1hsxU9rAyidNRd1fp0CRlpyJWgcf_ykoe2u3ManhFOdMmJdx_nrt2znNLaiQqcSHWuws7pGeSZtX72rGa5ZEBF5xeTruhRSQyjMUuBZrqi75QKyYnpmNSpgh0fDHqHUVmSQ5vInd8Tai2BWz3oqKhrkqJMIXlKQn35Jw== \ No newline at end of file From 544c889e82602297bacb6db01c59587428732122 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Thu, 20 Mar 2025 22:12:30 +0100 Subject: [PATCH 954/996] bump bw version, enable ipmi information --- nodes/home.r630.toml | 8 ++++---- nodes/proxmox-backupstorage.toml | 8 ++++---- nodes/rottenraptor-server.toml | 8 ++++---- requirements.txt | 2 +- 4 files changed, 13 insertions(+), 13 deletions(-) diff --git a/nodes/home.r630.toml b/nodes/home.r630.toml index 03e2f56..f41bb19 100644 --- a/nodes/home.r630.toml +++ b/nodes/home.r630.toml 
@@ -2,10 +2,10 @@ hostname = "172.19.138.22" groups = ["debian-bookworm"] bundles = ["docker-engine", "nginx", "redis"] -#ipmi_hostname = "172.19.138.23" -#ipmi_username = "root" -#ipmi_password = "calvin" -#ipmi_interface = "lanplus" +ipmi_hostname = "172.19.138.23" +ipmi_username = "root" +ipmi_password = "calvin" +ipmi_interface = "lanplus" [metadata] icinga_options.exclude_from_monitoring = true diff --git a/nodes/proxmox-backupstorage.toml b/nodes/proxmox-backupstorage.toml index a061f7e..eee0256 100644 --- a/nodes/proxmox-backupstorage.toml +++ b/nodes/proxmox-backupstorage.toml @@ -1,10 +1,10 @@ hostname = "192.168.100.31" dummy = true -#ipmi_hostname = "192.168.100.30" -#ipmi_username = "root" -#ipmi_password = "!bwpass:192.168.100.30/root" -#ipmi_interface = "lanplus" +ipmi_hostname = "192.168.100.30" +ipmi_username = "root" +ipmi_password = "!bwpass:192.168.100.30/root" +ipmi_interface = "lanplus" [metadata.icinga2_api.smartd.services."SMART STATUS CT480BX500SSD1_2314E6C5C695"] check_command = "sshmon" diff --git a/nodes/rottenraptor-server.toml b/nodes/rottenraptor-server.toml index 964839c..dadc232 100644 --- a/nodes/rottenraptor-server.toml +++ b/nodes/rottenraptor-server.toml @@ -13,10 +13,10 @@ bundles = [ "zfs", ] -#ipmi_hostname = "192.168.100.27" -#ipmi_username = "Administrator" -#ipmi_password = "!bwpass:bw/rottenraptor-server/ipmi" -#ipmi_interface = "lanplus" +ipmi_hostname = "192.168.100.27" +ipmi_username = "Administrator" +ipmi_password = "!bwpass:bw/rottenraptor-server/ipmi" +ipmi_interface = "lanplus" [metadata.docker-immich] enable_auto_album_share = true diff --git a/requirements.txt b/requirements.txt index 7e81327..6b2227f 100644 --- a/requirements.txt +++ b/requirements.txt @@ -1,4 +1,4 @@ -bundlewrap>=4.16.0 +bundlewrap>=4.22.0 PyNaCl bundlewrap-pass semver From 0e2d25281e0d1cd57b6c092ae723b3724fd2946d Mon Sep 17 00:00:00 2001 
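Review bot: Enabling the home.r630 block commits `ipmi_password = "calvin"` in clear, while the two sibling nodes in the same patch resolve theirs through `!bwpass:` references; root/calvin is also the documented factory default for Dell iDRAC, so this is both a committed secret and an unchanged default. Change it on the BMC, treat the current value as burnt since it is now in history, and reference it the same way as the others, `ipmi_password = "!bwpass:bw/home.r630/ipmi"` (or whatever path the password store uses). For all three nodes it is worth remembering that IPMI 2.0 `lanplus` sessions hand a salted hash of the user's password to any client that starts a RAKP exchange, so a weak password on a reachable BMC is recoverable offline regardless of how it is stored in this repo; the `172.19.138.0/24` and `192.168.100.0/24` addresses suggest private networks, but that is not visible from these hunks.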
From: Franziska Kunsmann Date: Sat, 22 Mar 2025 19:46:35 +0100 Subject: [PATCH 955/996] voc.pretalx: remove fonts vhost --- data/nginx/files/extras/voc.pretalx/pretalx | 9 --------- 1 file changed, 9 deletions(-) diff --git a/data/nginx/files/extras/voc.pretalx/pretalx b/data/nginx/files/extras/voc.pretalx/pretalx index 1d1c718..8c82109 100644 --- a/data/nginx/files/extras/voc.pretalx/pretalx +++ b/data/nginx/files/extras/voc.pretalx/pretalx @@ -25,12 +25,3 @@ expires 365d; add_header Cache-Control "public"; } - - location /Uluagh8Oichai4Uk/ { - alias /var/www/pretalx/; - access_log off; - expires 365d; - add_header Cache-Control "public"; - autoindex on; - } - From 38ec7af32c68dd67efcc2e753a366460048b4e5d Mon Sep 17 00:00:00 2001 From: Sophie Schiller Date: Thu, 27 Mar 2025 10:09:09 +0100 Subject: [PATCH 956/996] matrix updates --- data/apt/files/gpg-keys/matrix.asc | 75 ++++++++++++------------------ nodes/sophie/miniserver.py | 2 +- 2 files changed, 32 insertions(+), 45 deletions(-) diff --git a/data/apt/files/gpg-keys/matrix.asc b/data/apt/files/gpg-keys/matrix.asc index 78f4114..41274cb 100644 --- a/data/apt/files/gpg-keys/matrix.asc +++ b/data/apt/files/gpg-keys/matrix.asc 
@@ -24,48 +24,35 @@ MT/11OWdhbRn5zxpg28KRhKcfTKOfeiObbDq5idDbAyhbzvKxyxTX6204q8fmUhh mq5EiRcBeKF5hQv9eyOyBcBsDnMJsV2+zEP8hVZleOncx8pn1uNNd1nWPX10/R5j BfgnlUSNNJWZ+YnPH1f71kduhn2iee58jbA1CXnVbFjPMI4c4p2yZsfBm74LziC1 PVrFtSd7WijWyP2rC3JoL7KQPvqyXJ53Yn4jGQx6brXFPY53lXicLoYTTByg7WK5 -nMfe+URZO54gAkGN7JLo+BhXiQJUBBMBCgA+FiEEqvmuhDp1hLWj5M0rz0WlEt4t -oFgFAly1EC0CGwMFCQlmAYAFCwkIBwIGFQoJCAsCBBYCAwECHgECF4AACgkQz0Wl -Et4toFhbAA//d00weP6G7o2fnzcfla5S5MYpvFvsuVaka1hV3mq3S2j9+RgSazeS -hgnlf4rvVu/zB62j5MrKFczXKhpUdP7K8CFAYDxf+OldSBCmYXjxzDW8oV/iC7D6 -FcyGv1O6JqV37uoSLqd4vFe3qSH6Ttz4x5kAnWOwps956EavMkkKNKtAd5iIr36S -vDmN+nAKkvcCqjrCuLNaXMFJwebFyQ9c9dVzrGwq1D8SwPx0ztzku4kDU1rbUfMZ -8WgxQ4MSDpuOnuu+zgatjgwbHuMkboTFhgCtWHivPLzYYlpXpI4ocuqhMzJV1LDe -DAvgugp19SK/3a+zNju6ffjrp6u4ty98cQDqNFiXsNrwKxv2h0VYWu5rUmj1OtP1 -1llQXGRI0NLBIdhPyqMIOg96aL3/lPXsRjyG1WMS/6kTuXfdI/UZRG9CFa+Dyt0k -scgtVPPA7PffLfQ4Y4apZX0/XCpx9t9ktzBkhfwdAIGbE9/j6Lxq6BecETNUh9QE -eHhIn6Z31Q0rlLHWthG9v8Sl3UZ6dCs6fk0mU2S2HJQEK8oN+sWq5blQNNbpM7KF -dybJxZwvaVIW55LWmwG2Ik14FaeHFzRzw4cZXnHcKqKBXJrmQUvj/jsDLuV2IZdD -MuXVHEIHEJrD7SwNspCUnHZvf9/jlX26RUriuYVWVR47VQuj92k6jVm5AY0EXLUR -XgEMAMiXBax8Hi1AgStFUdpsPU1Tq4Fcc2hcbfPVpyTIHIItJnMPmvgdsBx2B4CN -g9l0GfGu0CFeNzgnlnYhNmSriuIV9hVSy5qy2usVco7xfADt/wg+GgpUNFsmJGPR -LiESfDBPzIf9s7AmskRb3s64x4pDiRbR/OOD+J81XgLSBjOjuy44sTiVw4aD5zOb -I5etUwyW4GqweKF02ARTzge3/ek8Unuh9uBqAkfJxuL9Bl0i0QCRFaVc+XaTuI6H -uc0w0MwZ+cCH5I4Sqa7/V3/Tz83/D20VRXfb6gdOQBMAMXk6eecK4CAsbdY0Ego7 -IDU6/57RKYWTVKjWFT6YTrfj2/SundEulXZBEOsgByfrBQcuwSrJAECu9Y/5yDkm -48AthHdkESBqHna1KCc4ae9VbI88c2jRuEAVn1gZOgO4Teo9X653yo17idPuqxmj -g118V3cmAEdXoJpXB1Ey2S63xeOOa30OJVodLWGCL4wRMQwVd2HJcxLAUsfoMMXp -SfL0uwARAQABiQPyBBgBCgAmAhsCFiEEqvmuhDp1hLWj5M0rz0WlEt4toFgFAmQT -W7cFCQsgsVkBwAkQz0WlEt4toFjA9CAEGQEKAB0WIQRVhszAy7vvx6JYEa30c91E -czZd4QUCXLURXgAKCRD0c91EczZd4U5qC/wLYGzvpT+MI7SNg1of/1ekeRXzvXc8 -m8JC/cHAhrBzUaI8z9LJ7xna2DGt27eqeTtu/Shtknn+/8VaX9+7wm7UaGHWVmPF -kSt1Rs1x5Opxo6kabLc4HxGSc5buNx+awybFEt9VQdSUD3hiBgTQpu0CSMlcZIk6 
-C6xQHgmurSDj9AQ0xtLPqP1ZO/cOKk0A1tFjVGDdH9gEuVJPAFF86z39hiGNnYJc -ikyVXogjwQPs5Od+3PdGQ19heZp8n+2rVkhl+9yZaCHk+LAxwuQJpe5skvj1NrjD -3bSJ47Hu7POSftJXcSmLct2GW7jTMZaCEpKccNfSApvFRRb3hyRWTRtLQhhaMw3z -SwekA8VjKSinTyOxnRPa3rc7/rOqb5b8ZUAIzpTLd7al7+E0fmOfie93KYh+BV6F -uL0KJ0RNHm7zrgaVZbjDoqNIgkHK73+3a9NnSefsgbmCVxOxNM3lY7Jun1E/f/KE -6dTY7VGPP6aTtQrcq49Zj1MwPc0SG7VlZkzIOQ/+NSYFQ3/+49nw+qogt2r/Rj8e -AQEwD2ZbqCE30lMuqpmr4QTADccPtJmRIZ4zJMOOCggfnefYE4xvCBk5dSVtwFxu -GIGbYf29hI1VDuM2ak+kS+T8UC438FFVLUGQ19AYHpu5jLY3IAgqi4229G9R7mZa -1CVYBl4J6y/yKQ7OrmTltb1sYvSKXNl+dMrXrmRrMEdMViwtaQ8ZbA7CCNLVm3Cm -+SqbwSn1FQWptiEeZzDaOLWdJTBRLEFjLH77zrhOjJalhp0Mf1oMp04BSFKSXe5f -ZF8Pw70bJQXpl3cnzh/StasaRx7z0y63jsQA65RG7KCCZC5Idb8b0bRnjgw6tDNR -z/1BD+e6aJ9YUpTUZ+3GV1x3St+cPJAVdLq0nBpg2MvIm5weEQmNvDopH33f03M1 -isQRehf6vbTohMX5Z3BHdLoTwG3eRgVKgdcTLpkt4coRQL8W3DN81O6zBNby9XRA -851jGlc9Xkj6QLqf7966MfyR6s23JLEp2pg9Fa2o1NH4X4U3AFRAefQaBJIalWJj -8G++sWlmjPLUouhsxdX0L99FxYhC06RI2TQvlw6cbIPLOCv1h5rKIkKag6Gt3eMM -fnfvKn49QzptFmGBZ5Fd+sKjr3/IlnKIeCUBjCVsvsFAlcaO38ghGnayOBJZviz9 -ZW94e89LdsmxP1kNAEo= -=QODj +nMfe+URZO54gAkGN7JLo+BhXuQGNBFy1EV4BDADIlwWsfB4tQIErRVHabD1NU6uB +XHNoXG3z1ackyByCLSZzD5r4HbAcdgeAjYPZdBnxrtAhXjc4J5Z2ITZkq4riFfYV +UsuastrrFXKO8XwA7f8IPhoKVDRbJiRj0S4hEnwwT8yH/bOwJrJEW97OuMeKQ4kW +0fzjg/ifNV4C0gYzo7suOLE4lcOGg+czmyOXrVMMluBqsHihdNgEU84Ht/3pPFJ7 +ofbgagJHycbi/QZdItEAkRWlXPl2k7iOh7nNMNDMGfnAh+SOEqmu/1d/08/N/w9t +FUV32+oHTkATADF5OnnnCuAgLG3WNBIKOyA1Ov+e0SmFk1So1hU+mE6349v0rp3R +LpV2QRDrIAcn6wUHLsEqyQBArvWP+cg5JuPALYR3ZBEgah52tSgnOGnvVWyPPHNo +0bhAFZ9YGToDuE3qPV+ud8qNe4nT7qsZo4NdfFd3JgBHV6CaVwdRMtkut8Xjjmt9 +DiVaHS1hgi+METEMFXdhyXMSwFLH6DDF6Uny9LsAEQEAAYkD8gQYAQoAJgIbAhYh +BKr5roQ6dYS1o+TNK89FpRLeLaBYBQJnxeuFBQkO4xMnAcDA9CAEGQEKAB0WIQRV +hszAy7vvx6JYEa30c91EczZd4QUCXLURXgAKCRD0c91EczZd4U5qC/wLYGzvpT+M +I7SNg1of/1ekeRXzvXc8m8JC/cHAhrBzUaI8z9LJ7xna2DGt27eqeTtu/Shtknn+ +/8VaX9+7wm7UaGHWVmPFkSt1Rs1x5Opxo6kabLc4HxGSc5buNx+awybFEt9VQdSU 
+D3hiBgTQpu0CSMlcZIk6C6xQHgmurSDj9AQ0xtLPqP1ZO/cOKk0A1tFjVGDdH9gE +uVJPAFF86z39hiGNnYJcikyVXogjwQPs5Od+3PdGQ19heZp8n+2rVkhl+9yZaCHk ++LAxwuQJpe5skvj1NrjD3bSJ47Hu7POSftJXcSmLct2GW7jTMZaCEpKccNfSApvF +RRb3hyRWTRtLQhhaMw3zSwekA8VjKSinTyOxnRPa3rc7/rOqb5b8ZUAIzpTLd7al +7+E0fmOfie93KYh+BV6FuL0KJ0RNHm7zrgaVZbjDoqNIgkHK73+3a9NnSefsgbmC +VxOxNM3lY7Jun1E/f/KE6dTY7VGPP6aTtQrcq49Zj1MwPc0SG7VlZkwJEM9FpRLe +LaBY9+YQAKXMKKOY7D+cJVKjVDbVuhknB+vLLRIN7Yx6GxRxM0Q6wPo42WmstDui +ex6u5MN0UjoA7+bPrC/vGBGOIr56sIMiaHkCqhoQoz7vwKayTJHa8McO/x8oRMr1 +aPtDgvUU78N7cdSv01wMW7zF/anCESEtbpfOzd5SM5V+XuYJoVzm3KtAdKQIxH0X +khOPvDa9Nn2bCsEvkp0pds0c5STKPWBeMSYSYuJzf48lcmoDilruPl2PaXPY1oxN +ciOGVuiCoT/XAdYuw2iynU5eC6h7W6b9EQZ1XPatFhkfGSucWtypObgCe+UGojOP +xZvqujcKnZBzECzawFu45Gp7TjPXnbsLmH5tv4GvJ9R0AeBnnHzTTpkduq7C7lO/ +X8VyxPpisJZII6s8pymSuw0/0CCNodf4wd1ar7ATCixcmJutWCJi8HLzvfoXEe8J +hE/ZjUEkVpWwxYIsM/U4ImWmrus81dMqBDVHowxwXoeJHsHNeUGTa8fKkPFo7i54 +Y/GhsNRDIk9nOHNqucV6xx3+WPs5p8eEcNFLalqjONcugfOB6Sfo/NaR3Jus7p+7 +kmwJ4YNxXYnogj4I24PT1/+BTFrrjYMXgbVs8s0yL68AHDlEo5MxHk3C82+ukeI6 +97uC8U9NZEpwVDk2mNb3ngwHWzp7InGGi3bwozHPj8bGIPuBaAlF +=3XJ/ -----END PGP PUBLIC KEY BLOCK----- diff --git a/nodes/sophie/miniserver.py b/nodes/sophie/miniserver.py index 5fd1c11..b852a35 100644 --- a/nodes/sophie/miniserver.py +++ b/nodes/sophie/miniserver.py @@ -61,7 +61,7 @@ nodes["htz-cloud.miniserver"] = { }, "element-web": { "url": "chat.sophies-kitchen.eu", - "version": "v1.11.91", + "version": "v1.11.96", "config": { "default_server_config": { "m.homeserver": { From a592de005ebcc06056ce4cf68b2321d933af0ae4 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sat, 29 Mar 2025 13:37:45 +0100 Subject: [PATCH 957/996] bundles/docker-engine: fix backups and zfs dependencies --- bundles/docker-engine/items.py | 5 +++++ bundles/docker-engine/metadata.py | 21 ++++++++++++--------- 2 files changed, 17 insertions(+), 9 deletions(-) 
diff --git a/bundles/docker-engine/items.py b/bundles/docker-engine/items.py index 7050197..253daff 100644 --- a/bundles/docker-engine/items.py +++ b/bundles/docker-engine/items.py @@ -46,6 +46,10 @@ actions['docker_create_nondefault_network'] = { for app, config in node.metadata.get('docker-engine/containers', {}).items(): volumes = config.get('volumes', {}) user = config.get('user', f'docker-{app}') + directories[f'/var/opt/docker-engine/{app}'] = { + 'owner': user, + 'group': user, + } files[f'/opt/docker-engine/{app}'] = { 'source': 'docker-wrapper', @@ -97,6 +101,7 @@ for app, config in node.metadata.get('docker-engine/containers', {}).items(): svc_systemd[f'docker-{app}'] = { 'needs': { *deps, + f'directory:/var/opt/docker-engine/{app}', f'file:/opt/docker-engine/{app}', f'file:/usr/local/lib/systemd/system/docker-{app}.service', f'user:{user}', diff --git a/bundles/docker-engine/metadata.py b/bundles/docker-engine/metadata.py index 2b9212f..4600233 100644 --- a/bundles/docker-engine/metadata.py +++ b/bundles/docker-engine/metadata.py @@ -13,11 +13,6 @@ defaults = { }, }, }, - 'backups': { - 'paths': { - '/var/opt/docker-engine', - }, - }, 'nftables': { 'forward': { 'docker-engine': [ @@ -39,9 +34,7 @@ defaults = { }, 'zfs': { 'datasets': { - 'tank/docker-data': { - 'mountpoint': '/var/opt/docker-engine', - }, + 'tank/docker-data': {}, }, }, } @@ -72,6 +65,7 @@ def monitoring(metadata): @metadata_reactor.provides( + 'backups/paths', 'zfs/datasets', ) def zfs(metadata): @@ -79,10 +73,19 @@ def zfs(metadata): for app in metadata.get('docker-engine/containers', {}): datasets[f'tank/docker-data/{app}'] = { - 'mountpoint': f'/var/opt/docker-engine/{app}' + 'mountpoint': f'/var/opt/docker-engine/{app}', + 'needed_by': { + f'directory:/var/opt/docker-engine/{app}', + }, } return { + 'backups': { + 'paths': { + v['mountpoint'] + for v in datasets.values() + }, + }, 'zfs': { 'datasets': datasets, }, 
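Review bot: The new `directories[f'/var/opt/docker-engine/{app}']` item sets owner and group but no `mode`, so the per-container data root gets whatever the directory item's default is — if that is the usual 0755, every local account can traverse it and, depending on what the container writes, read its persistent data (databases, uploads). Adding `'mode': '0750',` (or `'0700'` if nothing but the container user needs access) closes that without affecting the container, which already runs as `user`. In metadata.py the `needed_by` on each dataset makes the mount precede the directory item, which is the right order; it also moves `backups/paths` from the blanket `/var/opt/docker-engine` to the per-app mountpoints, so anything written directly under the parent is no longer backed up — intended by the commit message, but worth a one-line comment in the reactor such as `# only the per-app datasets are backed up; the parent holds nothing persistent`. The `for app, config in ...` loop in items.py begins outside the hunk.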
From 7cb8876231368337e29a7b51d0b5c369c1aeaea9 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sat, 29 Mar 2025 13:38:08 +0100 Subject: [PATCH 958/996] home.nas: add new samba share for watching c3voc streams --- nodes/home/nas.py | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/nodes/home/nas.py b/nodes/home/nas.py index 831513a..b98fb7d 100644 --- a/nodes/home/nas.py +++ b/nodes/home/nas.py @@ -180,6 +180,10 @@ nodes['home.nas'] = { }, 'samba': { 'shares': { + 'C3VOC': { + 'path': '/storage/nas/C3VOC', + 'force_group': 'nas', + }, 'TV': { 'path': '/storage/nas/TV', 'force_group': 'nas', From d71af7561ae72e2411b913e5569458c271f7d97f Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sat, 29 Mar 2025 18:07:17 +0100 Subject: [PATCH 959/996] add support for debian trixie --- bundles/apt/files/sources.list-debian-trixie | 3 +++ bundles/apt/items.py | 1 + groups/os.py | 4 ++++ 3 files changed, 8 insertions(+) create mode 100644 bundles/apt/files/sources.list-debian-trixie diff --git a/bundles/apt/files/sources.list-debian-trixie b/bundles/apt/files/sources.list-debian-trixie new file mode 100644 index 0000000..6ac79f3 --- /dev/null +++ b/bundles/apt/files/sources.list-debian-trixie @@ -0,0 +1,3 @@ +deb http://deb.debian.org/debian/ trixie main non-free contrib non-free-firmware +deb http://security.debian.org/debian-security trixie-security main contrib non-free +deb http://deb.debian.org/debian/ trixie-updates main contrib non-free diff --git a/bundles/apt/items.py b/bundles/apt/items.py index 0f3f92d..ea988af 100644 --- a/bundles/apt/items.py +++ b/bundles/apt/items.py @@ -5,6 +5,7 @@ supported_os = { 10: 'buster', 11: 'bullseye', 12: 'bookworm', + 13: 'trixie', 99: 'unstable', }, } diff --git a/groups/os.py b/groups/os.py index 98dacfa..34f49b2 100644 --- a/groups/os.py +++ b/groups/os.py 
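Review bot: In the new `sources.list-debian-trixie` the `trixie-security` and `trixie-updates` lines omit `non-free-firmware` while the release line includes it, so firmware packages installed from that component would only ever come from the release pocket and never receive security or stable-update builds. Debian's guidance since bookworm is to list the same components on all three lines: `deb http://security.debian.org/debian-security trixie-security main contrib non-free non-free-firmware` and `deb http://deb.debian.org/debian/ trixie-updates main contrib non-free non-free-firmware`. Plain `http://` is acceptable here because apt verifies release signatures, though both mirrors also serve https if transport privacy matters.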
@@ -71,6 +71,10 @@ groups['debian-bookworm'] = { 'os_version': (12,) } +groups['debian-trixie'] = { + 'os_version': (13,) +} + groups['debian-sid'] = { 'os_version': (99,) } From e1d01d7bc6b15506ddc6d3df9c47aa8218c36ef0 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sat, 29 Mar 2025 18:08:06 +0100 Subject: [PATCH 960/996] bundles/paperless-ng: fix PAPERLESS_FILENAME_FORMAT --- bundles/paperless-ng/files/paperless.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/bundles/paperless-ng/files/paperless.conf b/bundles/paperless-ng/files/paperless.conf index 0cbd054..d943063 100644 --- a/bundles/paperless-ng/files/paperless.conf +++ b/bundles/paperless-ng/files/paperless.conf @@ -12,7 +12,7 @@ PAPERLESS_CONSUMPTION_DIR=/mnt/paperless/consume PAPERLESS_DATA_DIR=/mnt/paperless/data PAPERLESS_MEDIA_ROOT=/mnt/paperless/media PAPERLESS_STATICDIR=/opt/paperless/src/paperless-ngx/static -PAPERLESS_FILENAME_FORMAT={created_year}/{created_month}/{correspondent}/{asn}_{title} +PAPERLESS_FILENAME_FORMAT={{ created_year }}/{{ created_month }}/{{ correspondent }}/{{ asn }}_{{ title }} # Security and hosting From 61d60b788242b516a310459a186945ae0a04ea48 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sat, 29 Mar 2025 18:08:34 +0100 Subject: [PATCH 961/996] home.paperless: upgrade to debian trixie --- data/proftpd/files/home.paperless.conf | 7 ------- nodes/home/paperless.py | 2 +- 2 files changed, 1 insertion(+), 8 deletions(-) diff --git a/data/proftpd/files/home.paperless.conf b/data/proftpd/files/home.paperless.conf index 4d861ad..49a9c5b 100644 --- a/data/proftpd/files/home.paperless.conf +++ b/data/proftpd/files/home.paperless.conf @@ -10,15 +10,9 @@ ServerType standalone DeferWelcome off DefaultServer on -ShowSymlinks on - -TimeoutNoTransfer 600 -TimeoutStalled 600 -TimeoutIdle 1200 DisplayLogin welcome.msg DisplayChdir .message true -ListOptions "-l" DenyFilter \*.*/ 
@@ -34,7 +28,6 @@ User proftpd Group nogroup Umask 022 022 -AllowOverwrite on TransferLog /var/log/proftpd/xferlog SystemLog /var/log/proftpd/proftpd.log diff --git a/nodes/home/paperless.py b/nodes/home/paperless.py index 7a28c3d..654a79e 100644 --- a/nodes/home/paperless.py +++ b/nodes/home/paperless.py @@ -9,7 +9,7 @@ nodes['home.paperless'] = { 'proftpd', }, 'groups': { - 'debian-bookworm', + 'debian-trixie', 'webserver', }, 'metadata': { From da7928d0e6e384272a812dea83cecc1e2ca0e971 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sat, 29 Mar 2025 18:10:13 +0100 Subject: [PATCH 962/996] bundlespostfix: unit has changed since debian trixie --- bundles/postfix/metadata.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/bundles/postfix/metadata.py b/bundles/postfix/metadata.py index 1ccf633..f457b9b 100644 --- a/bundles/postfix/metadata.py +++ b/bundles/postfix/metadata.py @@ -14,7 +14,7 @@ defaults = { 'postfix': { 'services': { 'POSTFIX PROCESS': { - 'command_on_monitored_host': '/usr/local/share/icinga/plugins/check_systemd_unit postfix@-', + 'command_on_monitored_host': '/usr/local/share/icinga/plugins/check_systemd_unit postfix' + ('' if node.os_version >= (13,) else '@-'), }, 'POSTFIX QUEUE': { 'command_on_monitored_host': 'sudo /usr/local/share/icinga/plugins/check_postfix_queue -w 20 -c 40 -d 50', From 3bcf7ad714f86bf8dbc32ba9173f61a8c0cfdfc2 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sat, 29 Mar 2025 18:13:07 +0100 Subject: [PATCH 963/996] bunndles/sshmon: fix update checks --- bundles/sshmon/files/check_forgejo_for_new_release | 4 ++-- bundles/sshmon/files/check_github_for_new_release | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/bundles/sshmon/files/check_forgejo_for_new_release b/bundles/sshmon/files/check_forgejo_for_new_release index 3db5bcd..99dcd30 100644 --- a/bundles/sshmon/files/check_forgejo_for_new_release +++ b/bundles/sshmon/files/check_forgejo_for_new_release 
@@ -38,10 +38,10 @@ try: for i in releases: if i["tag_name"].startswith(tag_prefix): - if ( + if not (i["prerelease"] or i["draft"]) and ( newest_release is None or parse(i["tag_name"]) > parse(newest_release["tag_name"]) - ) and not (i["prerelease"] or i["draft"]): + ): newest_release = i assert newest_release is not None, "Could not determine latest release" diff --git a/bundles/sshmon/files/check_github_for_new_release b/bundles/sshmon/files/check_github_for_new_release index 3a50d94..ec510de 100644 --- a/bundles/sshmon/files/check_github_for_new_release +++ b/bundles/sshmon/files/check_github_for_new_release @@ -37,10 +37,10 @@ try: for i in releases: if i["tag_name"].startswith(tag_prefix): - if ( + if not (i["prerelease"] or i["draft"]) and ( newest_release is None or parse(i["tag_name"]) > parse(newest_release["tag_name"]) - ) and not (i["prerelease"] or i["draft"]): + ): newest_release = i assert newest_release is not None, "Could not determine latest release" From 7b51bb57f86d6a36d781f15c5199d1fbf3b178dc Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 30 Mar 2025 08:59:41 +0200 Subject: [PATCH 964/996] bundles/docker-immich: only start auto-album-share when postgresql is actually running --- bundles/docker-immich/metadata.py | 3 +++ bundles/systemd-timers/files/template.service | 7 +++++-- 2 files changed, 8 insertions(+), 2 deletions(-) diff --git a/bundles/docker-immich/metadata.py b/bundles/docker-immich/metadata.py index 288b7f1..3952922 100644 --- a/bundles/docker-immich/metadata.py +++ b/bundles/docker-immich/metadata.py @@ -83,6 +83,9 @@ def auto_album_share(metadata): 'command': '/usr/local/bin/immich-auto-album-share.py', 'environment': metadata.get('docker-engine/containers/immich/environment'), 'when': 'minutely', + 'requisite': { + 'docker-immich-postgresql.service', + }, }, }, }, diff --git a/bundles/systemd-timers/files/template.service b/bundles/systemd-timers/files/template.service index 09c3080..271b756 100644 
--- a/bundles/systemd-timers/files/template.service
+++ b/bundles/systemd-timers/files/template.service
@@ -7,8 +7,11 @@
 [Unit]
 Description=Service for Timer ${timer}
 After=network.target
-% if config.get('requires', ''):
-Requires=${config['requires']}
+% if config.get('requires', set()):
+Requires=${' '.join(sorted(config['requires']))}
+% endif
+% if config.get('requisite', set()):
+Requisite=${' '.join(sorted(config['requisite']))}
 % endif
 [Service]
From 74ca0ad2bc3795e1e4ce81d48aa81fcb78b3ebe3 Mon Sep 17 00:00:00 2001
From: Franziska Kunsmann
Date: Sun, 30 Mar 2025 09:01:13 +0200
Subject: [PATCH 965/996] bundles/nextcloud: only run cron if postgresql is running
---
 bundles/nextcloud/metadata.py | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/bundles/nextcloud/metadata.py b/bundles/nextcloud/metadata.py
index 8081cbe..73c7264 100644
--- a/bundles/nextcloud/metadata.py
+++ b/bundles/nextcloud/metadata.py
@@ -45,6 +45,9 @@ defaults = {
 'pwd': '/var/www/nextcloud',
 'user': 'www-data',
 'when': '*:00/5',
+'requisite': {
+'postgresql.service',
+},
 },
 },
 },
From accd2145769ab996694a10f5b0fd860ab6f95515 Mon Sep 17 00:00:00 2001
From: Franziska Kunsmann
Date: Sun, 30 Mar 2025 09:08:18 +0200
Subject: [PATCH 966/996] bundles/matrix-synapse: remove sliding sync
---
 bundles/matrix-synapse/items.py | 29 -----------------------------
 bundles/matrix-synapse/metadata.py | 12 ------------
 nodes/carlene.toml | 4 ----
 3 files changed, 45 deletions(-)
diff --git a/bundles/matrix-synapse/items.py b/bundles/matrix-synapse/items.py
index 47a9758..527cc5e 100644
--- a/bundles/matrix-synapse/items.py
+++ b/bundles/matrix-synapse/items.py
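Review bot: `Requires=${' '.join(sorted(config['requires']))}` now assumes `requires` is a collection of unit names, but the removed line accepted it as a plain string (`config.get('requires', '')`); a timer definition still passing a string would not fail loudly, because `sorted()` splits it into characters and the rendered `Requires=` line becomes garbage that systemd then rejects or ignores. Either normalise in the template, e.g. `Requires=${' '.join(sorted({config['requires']} if isinstance(config['requires'], str) else config['requires']))}`, or validate the type once where timer configs are collected so both `Requires=` and the new `Requisite=` line can rely on it.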
@@ -57,32 +57,3 @@ svc_systemd = { }, }, } - -if node.metadata.get('matrix-synapse/sliding_sync/version', None): - files['/usr/local/bin/matrix-sliding-sync'] = { - 'content_type': 'download', - 'source': 'https://github.com/matrix-org/sliding-sync/releases/download/{}/syncv3_linux_amd64'.format( - node.metadata.get('matrix-synapse/sliding_sync/version'), - ), - 'content_hash': node.metadata.get('matrix-synapse/sliding_sync/sha1', None), - 'mode': '0755', - 'triggers': { - 'svc_systemd:matrix-sliding-sync:restart', - }, - } - - files['/usr/local/lib/systemd/system/matrix-sliding-sync.service'] = { - 'content_type': 'mako', - 'triggers': { - 'action:systemd-reload', - 'svc_systemd:matrix-sliding-sync:restart', - }, - } - - svc_systemd['matrix-sliding-sync'] = { - 'needs': { - 'file:/usr/local/bin/matrix-sliding-sync', - 'file:/usr/local/lib/systemd/system/matrix-sliding-sync.service', - 'postgres_db:synapse', - }, - } diff --git a/bundles/matrix-synapse/metadata.py b/bundles/matrix-synapse/metadata.py index 7af43f0..eac3005 100644 --- a/bundles/matrix-synapse/metadata.py +++ b/bundles/matrix-synapse/metadata.py @@ -88,14 +88,6 @@ def nginx(metadata): if not node.has_bundle('nginx'): raise DoNotRunAgain - wellknown_client_sliding_sync = {} - if metadata.get('matrix-synapse/sliding_sync/version', None): - wellknown_client_sliding_sync = { - 'org.matrix.msc3575.proxy': { - 'url': 'https://{}'.format(metadata.get('matrix-synapse/baseurl')), - }, - } - wellknown = { '/.well-known/matrix/client': { 'content': dumps({ @@ -105,7 +97,6 @@ def nginx(metadata): 'm.identity_server': { 'base_url': metadata.get('matrix-synapse/identity_server', 'https://matrix.org'), }, - **wellknown_client_sliding_sync, **metadata.get('matrix-synapse/additional_client_config', {}), }, sort_keys=True), 'return': 200, 
@@ -134,9 +125,6 @@ def nginx(metadata): 'target': 'http://[::1]:20080', 'max_body_size': '50M', }, - '/_matrix/client/unstable/org.matrix.msc3575/sync': { - 'target': 'http://127.0.0.1:20070', - }, '/_synapse': { 'target': 'http://[::1]:20080', }, diff --git a/nodes/carlene.toml b/nodes/carlene.toml index d936789..0aae01f 100644 --- a/nodes/carlene.toml +++ b/nodes/carlene.toml @@ -81,10 +81,6 @@ server_name = "franzi.business" trusted_key_servers = ["matrix.org", "161.rocks"] additional_client_config.'im.vector.riot.jitsi'.preferredDomain = "meet.ffmuc.net" wellknown_also_on_vhosts = ["franzi.business"] -[metadata.matrix-synapse.sliding_sync] -version = "v0.99.15" -sha1 = "cecb371ff5f1dd528cfc490484a0967dcc28cd82" -secret = "!decrypt:encrypt$gAAAAABl9yJlbEZafJ2mumtg03rW0-440NIgFcgdWGMo3Axrypugwctacy9Cq7MYtCBGjnDyNvVLI5B2QMJ9ssCD46NCsFRN3-X4u9rDtxPhRZV7rls_LQ_Csc_GsffJfvpmHbn_wsljd3I74h4ouWlYhhEQUIKwb3eErSZ_VTZhu_bC4jTa0FY=" [metadata.mautrix-telegram] version = "v0.15.2" From 149d9af16bafb63f913dfb25a8ed2ace176a34aa Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 30 Mar 2025 09:08:36 +0200 Subject: [PATCH 967/996] update forgejo to 10.0.3 --- nodes/carlene.toml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/nodes/carlene.toml b/nodes/carlene.toml index 0aae01f..9df6f57 100644 --- a/nodes/carlene.toml +++ b/nodes/carlene.toml @@ -37,8 +37,8 @@ imap_host = "secureimap.t-online.de" imap_pass = "!bwpass_attr:t-online.de/franzi.kunsmann@t-online.de:imap" [metadata.forgejo] -version = "10.0.1" -sha1 = "4bfe8cbe979ef8896e294ca662f4cf62af01531c" +version = "10.0.3" +sha1 = "d1199c43de9e69f6bb8058c15290e79862913413" domain = "git.franzi.business" enable_git_hooks = true install_ssh_key = true From 0685c1a64f5c1d5ae9212f6f9f33faaf7bfe5b18 Mon Sep 17 00:00:00 2001 
From: Franziska Kunsmann Date: Sun, 30 Mar 2025 09:09:01 +0200 Subject: [PATCH 968/996] aupdate mautrix-whatsapp to 0.11.4 --- nodes/carlene.toml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/nodes/carlene.toml b/nodes/carlene.toml index 9df6f57..c0e4a61 100644 --- a/nodes/carlene.toml +++ b/nodes/carlene.toml @@ -98,8 +98,8 @@ provisioning.shared_secret = "!decrypt:encrypt$gAAAAABfVKflEMAi07C_QGP8cy97hF-4g "'@kunsi:franzi.business'" = "admin" [metadata.mautrix-whatsapp] -version = "v0.11.3" -sha1 = "f1daba15750313fe205f6d3af2594f11992f0a35" +version = "v0.11.4" +sha1 = "71a064b82072d2cec3d655c8848af418c1f54c77" permissions."'@kunsi:franzi.business'" = "admin" [metadata.mautrix-whatsapp.homeserver] domain = "franzi.business" From 11a9800906627e6b61e36af18f880388e2ea14a4 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 30 Mar 2025 09:09:24 +0200 Subject: [PATCH 969/996] update netbox to 4.2.6 --- nodes/carlene.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nodes/carlene.toml b/nodes/carlene.toml index c0e4a61..0eef421 100644 --- a/nodes/carlene.toml +++ b/nodes/carlene.toml @@ -110,7 +110,7 @@ domain = "rss.franzi.business" [metadata.netbox] domain = "netbox.franzi.business" -version = "v4.2.4" +version = "v4.2.6" admins.kunsi = "hostmaster@kunbox.net" [metadata.nextcloud] From 5e32a562ec41519b58702edcf904a851d9cb2fd3 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Tue, 1 Apr 2025 17:17:18 +0200 Subject: [PATCH 970/996] bundles/nginx: fix error_log logging to file instead of being disabled --- bundles/nginx/files/nginx.conf | 2 +- nodes/home/nas.py | 1 + nodes/home/paperless.py | 1 + 3 files changed, 3 insertions(+), 1 deletion(-) diff --git a/bundles/nginx/files/nginx.conf b/bundles/nginx/files/nginx.conf index 7f7bd77..b020d3c 100644 --- a/bundles/nginx/files/nginx.conf +++ b/bundles/nginx/files/nginx.conf 
@@ -26,7 +26,7 @@ http { send_timeout 10; access_log off; - error_log off; + error_log /dev/null; client_body_buffer_size 16K; client_header_buffer_size 4k; diff --git a/nodes/home/nas.py b/nodes/home/nas.py index b98fb7d..fbc7bbd 100644 --- a/nodes/home/nas.py +++ b/nodes/home/nas.py @@ -168,6 +168,7 @@ nodes['home.nas'] = { 'nginx': { 'vhosts': { 'jellyfin': { + 'create_logs': True, 'domain': 'jellyfin.home.kunbox.net', 'ssl': '_.home.kunbox.net', }, diff --git a/nodes/home/paperless.py b/nodes/home/paperless.py index 654a79e..caffb73 100644 --- a/nodes/home/paperless.py +++ b/nodes/home/paperless.py @@ -42,6 +42,7 @@ nodes['home.paperless'] = { 'nginx': { 'vhosts': { 'paperless': { + 'create_logs': True, 'ssl': '_.home.kunbox.net', }, }, From 5a4c3284b65a2cf90d721352afcea299e0ba27e5 Mon Sep 17 00:00:00 2001 From: Sophie Schiller Date: Thu, 3 Apr 2025 20:08:25 +0200 Subject: [PATCH 971/996] sophie/vmhost: new disksgit add sophie/vmhost.py git add sophie/vmhost.py --- nodes/sophie/vmhost.py | 56 +++++++++++++++++++++++++++++++++++++++++- 1 file changed, 55 insertions(+), 1 deletion(-) diff --git a/nodes/sophie/vmhost.py b/nodes/sophie/vmhost.py index d6e56f3..3fa02ec 100644 --- a/nodes/sophie/vmhost.py +++ b/nodes/sophie/vmhost.py @@ -3,6 +3,7 @@ nodes['sophie.vmhost'] = { 'bundles': { 'backup-client', 'lm-sensors', + 'nfs-server', 'mosquitto', 'smartd', 'vmhost', @@ -12,6 +13,9 @@ nodes['sophie.vmhost'] = { 'debian-bookworm', }, 'metadata': { + 'groups': { + 'nas': {}, + }, 'interfaces': { 'br1': { 'ips': { 
@@ -49,11 +53,27 @@ nodes['sophie.vmhost'] = { '172.19.164.0/24', }, }, + 'nfs-server': { + 'shares': { + '/srv/nas': { + '172.19.164.0/24': 'ro,all_squash,anonuid=65534,anongid=65534,no_subtree_check', + }, + }, + }, + 'smartd': { + 'disks': { + '/dev/nvme0', + + # nas disks + '/dev/disk/by-id/ata-ST20000NM007D-3DJ103_ZVT7BHBQ', + '/dev/disk/by-id/ata-ST20000NM007D-3DJ103_ZVT7D6JP', + }, + }, 'systemd-networkd': { 'bridges': { 'br0': { 'match': { - 'eno1', + 'enp1s0', }, }, 'br1': { @@ -63,6 +83,26 @@ nodes['sophie.vmhost'] = { }, }, }, + 'systemd-timers': { + 'timers': { + # Ensure every user is able to read and write to the NAS dataset. + 'nas_permissions': { + 'command': [ + 'chown -R :nas /srv/nas/', + r'find /srv/nas/ -type d -exec chmod 0775 {} \;', + r'find /srv/nas/ -type f -exec chmod 0664 {} \;', + ], + 'when': '*-*-* 02:00:00', + }, + }, + }, + 'users': { + 'sophie': { + 'groups': { + 'nas', + }, + }, + }, 'zfs': { 'pools': { 'storage': { @@ -73,12 +113,26 @@ nodes['sophie.vmhost'] = { }, }] } + }, + 'nas': { + 'when_creating': { + 'config': [{ + 'type': 'mirror', + 'devices': { + '/dev/disk/by-id/ata-ST20000NM007D-3DJ103_ZVT7BHBQ', + '/dev/disk/by-id/ata-ST20000NM007D-3DJ103_ZVT7D6JP', + }, + }] + } } }, "datasets": { "storage/libvirt": { "mountpoint": "/var/lib/libvirt", }, + "nas": { + "mountpoint": "/srv/nas", + }, }, }, }, From 1f120b9923b484a18edd6bc06597bc33959cd515 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Tue, 1 Apr 2025 19:52:34 +0200 Subject: [PATCH 972/996] bundles/samba: fix timemachine backups dependencies --- bundles/samba/items.py | 3 +++ 1 file changed, 3 insertions(+) diff --git a/bundles/samba/items.py b/bundles/samba/items.py index a9567b4..5c60c69 100644 --- a/bundles/samba/items.py +++ b/bundles/samba/items.py @@ -82,4 +82,7 @@ if timemachine_shares: 'owner': f'timemachine-{share_name}', 'group': f'timemachine-{share_name}', 'mode': '0700', + 'needs': { + f'zfs_dataset:tank/timemachine/{share_name}', + }, } 
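Review bot: In the `systemd-timers` hunk the nightly `nas_permissions` timer runs `find /srv/nas/ -type d -exec chmod 0775 {} \;`, which explicitly clears the setgid bit on every directory, so files users create between runs do not inherit the `nas` group and stay mis-owned until the next 02:00 run — exactly the state the timer is meant to prevent. Using `r'find /srv/nas/ -type d -exec chmod 2775 {} \;'` makes new files land in the `nas` group immediately and turns the timer into a safety net instead of the only mechanism. The `nodes['sophie.vmhost']` dict starts before these hunks and continues after them.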
From fd1ad352d0d56dae48a1f662fe10a0b5e3565fdf Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Fri, 4 Apr 2025 15:00:05 +0200 Subject: [PATCH 973/996] add revision-dect-vpn --- libs/s2s.py | 2 +- nodes/htz-cloud/wireguard.py | 8 ++++++++ nodes/revision-dect-vpn.toml | 26 ++++++++++++++++++++++++++ 3 files changed, 35 insertions(+), 1 deletion(-) create mode 100644 nodes/revision-dect-vpn.toml diff --git a/libs/s2s.py b/libs/s2s.py index d7c9e9f..fe0fc4e 100644 --- a/libs/s2s.py +++ b/libs/s2s.py @@ -5,7 +5,7 @@ AS_NUMBERS = { 'home': 4290000138, 'htz-cloud': 4290000137, 'ionos': 4290000002, - 'glauca': 4290207960, + 'revision': 4290000078, } WG_AUTOGEN_NODES = [ diff --git a/nodes/htz-cloud/wireguard.py b/nodes/htz-cloud/wireguard.py index d7f97ff..3ceaf2d 100644 --- a/nodes/htz-cloud/wireguard.py +++ b/nodes/htz-cloud/wireguard.py @@ -51,6 +51,7 @@ nodes['htz-cloud.wireguard'] = { '50-wireguard': [ 'udp dport 1194 accept', 'udp dport 51800 accept', + 'udp dport 51804 accept', # wg.c3voc.de 'udp dport 51801 ip saddr 185.106.84.42 accept', @@ -117,6 +118,13 @@ nodes['htz-cloud.wireguard'] = { 'psk': vault.decrypt('encrypt$gAAAAABnc7LZSHWmOOQJpbtnpMn9QuWnbiB-6rShwgqbilVd45GzkUwOfEHBw28P_TVm9XJgFiQPOIo12DdxPCzSxKRtcqzji72QCzTlze4ZYWjL-iHm7TydLcKzXOTCO42LKpkMPUgR'), 'pubkey': vault.decrypt('encrypt$gAAAAABnc7LZpfAeig8yCdcZ-NegshXl-DmkJr0F2OlQR2fqhVnrfKPjgOu-5Cq09KnhdvhomGx_9ZtoFS_3OsVqcFHEasBh27aQN41xZPzEN5-qIPQRnmVoTHpufcU6tC-37Fq-PeAE'), }, + 'revision-dect-vpn': { + 'endpoint': None, + 'exclude_from_monitoring': True, + 'my_port': 51804, + 'my_ip': '172.19.136.66', + 'their_ip': '172.19.136.67', + }, }, }, }, diff --git a/nodes/revision-dect-vpn.toml b/nodes/revision-dect-vpn.toml new file mode 100644 index 0000000..5789358 --- /dev/null +++ b/nodes/revision-dect-vpn.toml 
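Review bot: The new `'udp dport 51804 accept',` rule in nodes/htz-cloud/wireguard.py is the only listen port in that list without a comment naming its peer, while the neighbouring `# wg.c3voc.de` entry documents its counterpart and pins a source address. Because the `revision-dect-vpn` peer added in the second hunk has `'endpoint': None`, its source cannot be pinned, and that is worth stating inline so nobody later tightens it by mistake: `'udp dport 51804 accept',  # revision-dect-vpn (roaming endpoint, no fixed saddr)`. The `nodes['htz-cloud.wireguard']` dict extends beyond both hunks.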
@@ -0,0 +1,26 @@ +hostname = "10.1.3.252" +bundles = ["bird", "wireguard"] +groups = ["debian-bookworm"] + +[metadata] +location = "revision" +icinga_options.exclude_from_monitoring = true + +[metadata.bird] +static_routes = [ + "10.1.3.0/24", +] + +[metadata.interfaces.ens18] +ips = ["10.1.3.252/24"] +gateway4 = "10.1.3.1" + +[metadata.nftables.postrouting] +"50-router" = [ + "oifname ens18 masquerade", +] + +[metadata.wireguard.peers."htz-cloud.wireguard"] +my_port = 51804 +my_ip = "172.19.136.67" +their_ip = "172.19.136.66" From e1548ff61ee5fff174e1a4b1dfc6f037b019fcac Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Fri, 4 Apr 2025 17:17:11 +0200 Subject: [PATCH 974/996] bundles/samba: cannot have time machine and 'guest ok' shares on the same machine --- bundles/samba/items.py | 3 +++ nodes/home/nas.py | 18 ------------------ 2 files changed, 3 insertions(+), 18 deletions(-) diff --git a/bundles/samba/items.py b/bundles/samba/items.py index 5c60c69..2f5090e 100644 --- a/bundles/samba/items.py +++ b/bundles/samba/items.py @@ -66,6 +66,9 @@ for user, uconfig in node.metadata.get('users', {}).items(): if timemachine_shares: assert node.has_bundle('avahi-daemon'), f'{node.name}: samba needs avahi-daemon to publish time machine shares' + for share, share_config in node.metadata.get('samba/shares', {}).items(): + assert not share_config.get('guest_ok', True), f'{node.name} samba {share}: cannot have time machine shares and "guest ok" shares on the same machine' + files['/etc/avahi/services/timemachine.service'] = { 'content_type': 'mako', 'context': { diff --git a/nodes/home/nas.py b/nodes/home/nas.py index fbc7bbd..93fb47f 100644 --- a/nodes/home/nas.py +++ b/nodes/home/nas.py 
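Review bot: In the samba items.py hunk, `assert not share_config.get('guest_ok', True)` treats a share that does not set `guest_ok` as guest-accessible; that is only correct if the smb.conf template defaults `guest ok` to yes, which is not visible here — if the template defaults to no, the assertion rejects shares that are in fact password-protected. Whatever the real default, it should be defined once (a module-level constant read by both the template context and this check) so the assertion and the rendered config cannot drift, e.g. `if share_config.get('guest_ok', SAMBA_GUEST_OK_DEFAULT):`. The `if timemachine_shares:` block starts before the hunk.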
@@ -180,24 +180,6 @@ nodes['home.nas'] = { }, }, 'samba': { - 'shares': { - 'C3VOC': { - 'path': '/storage/nas/C3VOC', - 'force_group': 'nas', - }, - 'TV': { - 'path': '/storage/nas/TV', - 'force_group': 'nas', - }, - 'music': { - 'path': '/storage/nas/Musik', - 'force_group': 'nas', - }, - 'music_videos': { - 'path': '/storage/nas/Musikvideos', - 'force_group': 'nas', - }, - }, 'restrict-to': { '172.19.138.0/24', }, From 75e3ae91eab51b03a76fcab5bf7aed2d4b4b541b Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Fri, 4 Apr 2025 17:18:03 +0200 Subject: [PATCH 975/996] home.nas: add timemachine share for verrat --- nodes/home/nas.py | 1 + 1 file changed, 1 insertion(+) diff --git a/nodes/home/nas.py b/nodes/home/nas.py index 93fb47f..13694e6 100644 --- a/nodes/home/nas.py +++ b/nodes/home/nas.py @@ -185,6 +185,7 @@ nodes['home.nas'] = { }, 'timemachine-shares': { 'apfelcomputer', + 'verrat', }, }, 'smartd': { From ad909120747f0a69ff41f27804ab8a6099bf6745 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Fri, 4 Apr 2025 17:19:37 +0200 Subject: [PATCH 976/996] revision-dect-vpn: does not need to do backups --- nodes/revision-dect-vpn.toml | 1 + 1 file changed, 1 insertion(+) diff --git a/nodes/revision-dect-vpn.toml b/nodes/revision-dect-vpn.toml index 5789358..1340297 100644 --- a/nodes/revision-dect-vpn.toml +++ b/nodes/revision-dect-vpn.toml @@ -4,6 +4,7 @@ groups = ["debian-bookworm"] [metadata] location = "revision" +backups.exclude_from_backups = true icinga_options.exclude_from_monitoring = true [metadata.bird] From d584fd88d781f382bb222381c056b3f70c6a775c Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Fri, 4 Apr 2025 18:12:16 +0200 Subject: [PATCH 977/996] update travelynx to 2.11.13 --- nodes/carlene.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nodes/carlene.toml b/nodes/carlene.toml index 0eef421..fb6d22a 100644 --- a/nodes/carlene.toml +++ b/nodes/carlene.toml 
@@ -245,7 +245,7 @@ disks = [ ] [metadata.travelynx] -version = "2.10.2" +version = "2.11.13" mail_from = "travelynx@franzi.business" domain = "travelynx.franzi.business" From c905b7dc132f87565440461f06dbcb7db2a6aa5c Mon Sep 17 00:00:00 2001 From: Sophie Schiller Date: Sat, 5 Apr 2025 20:15:50 +0200 Subject: [PATCH 978/996] bw/nfs close ports no longer needed for nfs4 --- bundles/nfs-server/metadata.py | 5 ++++- nodes/sophie/vmhost.py | 6 ++++++ 2 files changed, 10 insertions(+), 1 deletion(-) diff --git a/bundles/nfs-server/metadata.py b/bundles/nfs-server/metadata.py index 73dc68a..d2f833c 100644 --- a/bundles/nfs-server/metadata.py +++ b/bundles/nfs-server/metadata.py @@ -33,7 +33,10 @@ def firewall(metadata): ips.add(share_target) rules = {} - for port in ('111', '2049', '1110', '4045', '35295'): + ports = ('111', '2049', '1110', '4045', '35295') + if metadata.get('nfs-server/version', 3) == 4: + ports = ('111', '2049') + for port in ports: for proto in ('/tcp', '/udp'): rules[port + proto] = atomic(ips) diff --git a/nodes/sophie/vmhost.py b/nodes/sophie/vmhost.py index 3fa02ec..aca520c 100644 --- a/nodes/sophie/vmhost.py +++ b/nodes/sophie/vmhost.py @@ -13,6 +13,11 @@ nodes['sophie.vmhost'] = { 'debian-bookworm', }, 'metadata': { + 'apt': { + 'packages': { + 'irqbalance': {}, + }, + }, 'groups': { 'nas': {}, }, @@ -54,6 +59,7 @@ nodes['sophie.vmhost'] = { }, }, 'nfs-server': { + 'version': 4, 'shares': { '/srv/nas': { '172.19.164.0/24': 'ro,all_squash,anonuid=65534,anongid=65534,no_subtree_check', From a15740c89972723879463b4be67f6055e390ee13 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Wed, 16 Apr 2025 09:02:18 +0200 Subject: [PATCH 979/996] bundles/backup-server: improve --- .../files/check_backup_for_node-cron | 15 +++--- bundles/backup-server/metadata.py | 53 ++++++------------- 2 files changed, 22 insertions(+), 46 deletions(-) 
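Review bot: For `nfs-server/version == 4` the rule set still opens `111` (rpcbind) and the loop below adds a `/udp` rule for each port, but an NFSv4-only server is reached on TCP 2049 alone — rpcbind, mountd and UDP are needed only by v3 clients. If the node really serves v4 only, `ports = ('2049',)` and skipping the `/udp` variant in that case removes listeners exposed to every address in `ips`; if v3 must stay reachable, a comment on the `if` line saying why 111 is kept would stop the question from being re-raised. `firewall()` begins before the hunk.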
diff --git a/bundles/backup-server/files/check_backup_for_node-cron b/bundles/backup-server/files/check_backup_for_node-cron index b82217d..ff1a368 100644 --- a/bundles/backup-server/files/check_backup_for_node-cron +++ b/bundles/backup-server/files/check_backup_for_node-cron @@ -15,16 +15,15 @@ for line in check_output('LC_ALL=C zfs list -H -t snapshot -o name', shell=True) line = line.decode('UTF-8') if line.startswith('{}/'.format(server_settings['zfs-base'])): - dataset, snapname = line.split('@', 1) + try: + dataset, snapname = line.split('@', 1) - dataset = dataset.split('/')[-1] - ts, bucket = snapname.split('-', 1) + dataset = dataset.split('/')[-1] + ts, bucket = snapname.split('-', 1) - if not ts.isdigit(): - # garbage, ignore - continue - - snapshots[dataset].add(int(ts)) + snapshots[dataset].add(int(ts)) + except Exception as e: + print(f"Exception while parsing snapshot name {line!r}: {e!r}") backups = {} for dataset, snaps in snapshots.items(): diff --git a/bundles/backup-server/metadata.py b/bundles/backup-server/metadata.py index aace61b..6714288 100644 --- a/bundles/backup-server/metadata.py +++ b/bundles/backup-server/metadata.py 
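Review bot: The new `except Exception as e:` replaces a targeted `if not ts.isdigit(): continue` with a catch-all, so a genuine bug in the loop body is now printed and skipped instead of failing the check. Every expected failure here — a line without `@`, a snapshot name without `-`, a non-numeric timestamp — raises `ValueError` (the unpacking of `line.split('@', 1)` included), so `except ValueError as e:` keeps the intent while letting real errors surface. The `print` also turns previously silent garbage into cron output on every run; if such snapshots are routine rather than exceptional, the old silent skip is the better behaviour for them.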
@@ -83,47 +83,24 @@ def zfs_pool(metadata): devices = metadata.get('backup-server/encrypted-devices') - # TODO remove this once we have migrated all systems - if isinstance(devices, dict): - pool_devices = set() + pool_devices = set() - for number, (device, passphrase) in enumerate(sorted(devices.items())): - crypt_devices[device] = { - 'dm-name': f'backup{number}', - 'passphrase': passphrase, - } - pool_devices.add(f'/dev/mapper/backup{number}') - unlock_actions.add(f'action:dm-crypt_open_backup{number}') + for device, dconfig in devices.items(): + crypt_devices[dconfig['device']] = { + 'dm-name': f'backup-{device}', + 'passphrase': dconfig['passphrase'], + } + pool_devices.add(f'/dev/mapper/backup-{device}') + unlock_actions.add(f'action:dm-crypt_open_backup-{device}') - pool_config = [{ - 'devices': pool_devices, - }] + pool_config = [{ + 'devices': pool_devices, + }] - if len(pool_devices) > 2: - pool_config[0]['type'] = 'raidz' - elif len(pool_devices) > 1: - pool_config[0]['type'] = 'mirror' - - elif isinstance(devices, list): - pool_config = [] - - for idx, intended_pool in enumerate(devices): - pool_devices = set() - - for number, (device, passphrase) in enumerate(sorted(intended_pool.items())): - crypt_devices[device] = { - 'dm-name': f'backup{idx}-{number}', - 'passphrase': passphrase, - } - pool_devices.add(f'/dev/mapper/backup{idx}-{number}') - unlock_actions.add(f'action:dm-crypt_open_backup{idx}-{number}') - - pool_config.append({ - 'devices': pool_devices, - 'type': 'raidz', - }) - else: - raise BundleError(f'{node.name}: unsupported configuration for backup-server/encrypted-devices') + if len(pool_devices) > 2: + pool_config[0]['type'] = 'raidz' + elif len(pool_devices) > 1: + pool_config[0]['type'] = 'mirror' return { 'backup-server': { From a34f3a8d980b8b69e8a3577a5d27c93e7a7eaf50 Mon Sep 17 00:00:00 2001 
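Review bot: With the legacy branches and the `BundleError` fallback removed, `for device, dconfig in devices.items()` now assumes every value is a mapping with `device` and `passphrase`; a node still on the old `path: passphrase` form fails with `TypeError: string indices must be integers` deep inside the reactor instead of the previous clear message. A one-line guard keeps the diagnosis (`BundleError` was already referenced by the removed branch): `if not isinstance(dconfig, dict): raise BundleError(f'{node.name}: backup-server/encrypted-devices/{device} must be a dict with device and passphrase')`. Sorting was also dropped (`sorted(devices.items())` before); since `pool_devices` is a set and the dm names now derive from the key, order no longer matters, which is worth a short comment. `zfs_pool()` starts before the hunk.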
From: Franziska Kunsmann Date: Wed, 16 Apr 2025 09:03:23 +0200 Subject: [PATCH 980/996] backup-kunsi: new disks --- nodes/backup-kunsi.toml | 18 ++++++++++-------- 1 file changed, 10 insertions(+), 8 deletions(-) diff --git a/nodes/backup-kunsi.toml b/nodes/backup-kunsi.toml index 3e17bd7..4a47ae4 100644 --- a/nodes/backup-kunsi.toml +++ b/nodes/backup-kunsi.toml @@ -22,15 +22,17 @@ exclude_from_backups = true [metadata.backup-server.zpool_create_options] ashift = 12 -[[metadata.backup-server.encrypted-devices]] -"/dev/disk/by-id/scsi-0QEMU_QEMU_HARDDISK_drive-scsi1-part1" = "!bwpass:bw/backup-kunsi/ata-ST18000NM0092-3CX103_ZVV06SLR-part1" -"/dev/disk/by-id/scsi-0QEMU_QEMU_HARDDISK_drive-scsi2-part1" = "!bwpass:bw/backup-kunsi/ata-ST18000NM0092-3CX103_ZVV0686W-part1" -"/dev/disk/by-id/scsi-0QEMU_QEMU_HARDDISK_drive-scsi3-part1" = "!bwpass:bw/backup-kunsi/ata-ST18000NM0092-3CX103_ZVV06JV7-part1" +[metadata.backup-server.encrypted-devices.WVT0RNKF] +device = "/dev/disk/by-id/scsi-0QEMU_QEMU_HARDDISK_drive-scsi4" +passphrase = "!bwpass:bw/backup-kunsi/ata-ST20000NM007D-3DJ103_WVT0RNKF" -[[metadata.backup-server.encrypted-devices]] -"/dev/disk/by-id/scsi-0QEMU_QEMU_HARDDISK_drive-scsi1-part2" = "!bwpass:bw/backup-kunsi/ata-ST18000NM0092-3CX103_ZVV06SLR-part2" -"/dev/disk/by-id/scsi-0QEMU_QEMU_HARDDISK_drive-scsi2-part2" = "!bwpass:bw/backup-kunsi/ata-ST18000NM0092-3CX103_ZVV0686W-part2" -"/dev/disk/by-id/scsi-0QEMU_QEMU_HARDDISK_drive-scsi3-part2" = "!bwpass:bw/backup-kunsi/ata-ST18000NM0092-3CX103_ZVV06JV7-part2" +[metadata.backup-server.encrypted-devices.WVT0V0NQ] +device = "/dev/disk/by-id/scsi-0QEMU_QEMU_HARDDISK_drive-scsi5" +passphrase = "!bwpass:bw/backup-kunsi/ata-ST20000NM007D-3DJ103_WVT0V0NQ" + +[metadata.backup-server.encrypted-devices.WVT0W64H] +device = "/dev/disk/by-id/scsi-0QEMU_QEMU_HARDDISK_drive-scsi6" +passphrase = "!bwpass:bw/backup-kunsi/ata-ST20000NM007D-3DJ103_WVT0W64H" [metadata.zfs] scrub_when = "Wed 08:00 Europe/Berlin" 
From af5a75e0656793e7f250c25f64f14f4963278842 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Wed, 16 Apr 2025 09:03:53 +0200 Subject: [PATCH 981/996] home.nas: change storage layout --- nodes/home/downloadhelper.py | 2 +- nodes/home/nas.py | 99 ++++++++++++++---------------------- 2 files changed, 38 insertions(+), 63 deletions(-) diff --git a/nodes/home/downloadhelper.py b/nodes/home/downloadhelper.py index 4874561..4bd2f10 100644 --- a/nodes/home/downloadhelper.py +++ b/nodes/home/downloadhelper.py @@ -42,7 +42,7 @@ nodes['home.downloadhelper'] = { 'mounts': { 'storage': { 'mountpoint': '/mnt/nas', - 'serverpath': '172.19.138.20:/storage/download', + 'serverpath': '172.19.138.20:/mnt/download', 'mount_options': { 'retry=0', 'rw', diff --git a/nodes/home/nas.py b/nodes/home/nas.py index 13694e6..2f210d6 100644 --- a/nodes/home/nas.py +++ b/nodes/home/nas.py @@ -5,7 +5,6 @@ nodes['home.nas'] = { 'bundles': { 'avahi-daemon', 'backup-client', - 'dm-crypt', 'jellyfin', 'lm-sensors', 'mixcloud-downloader', @@ -69,22 +68,6 @@ nodes['home.nas'] = { 'avahi-aruba-fixup': '17,47 * * * * root /usr/bin/systemctl restart avahi-daemon.service', }, }, - 'dm-crypt': { - 'encrypted-devices': { - '/dev/disk/by-id/ata-Samsung_SSD_870_QVO_8TB_S5SSNJ0X409404K': { - 'dm-name': 'sam-S5SSNJ0X409404K', - 'passphrase': bwpass.password('bw/home.nas/dmcrypt/S5SSNJ0X409404K'), - }, - '/dev/disk/by-id/ata-Samsung_SSD_870_QVO_8TB_S5SSNJ0X409845F': { - 'dm-name': 'sam-S5SSNJ0X409845F', - 'passphrase': bwpass.password('bw/home.nas/dmcrypt/S5SSNJ0X409845F'), - }, - '/dev/disk/by-id/ata-Samsung_SSD_870_QVO_8TB_S5SSNJ0X409870J': { - 'dm-name': 'sam-S5SSNJ0X409870J', - 'passphrase': bwpass.password('bw/home.nas/dmcrypt/S5SSNJ0X409870J'), - }, - }, - }, 'groups': { 'nas': {}, }, 
@@ -154,7 +137,7 @@ nodes['home.nas'] = { }, 'nfs-server': { 'shares': { - '/storage/download': { + '/mnt/download': { 'home.downloadhelper': 'rw,all_squash,anonuid=65534,anongid=1012,no_subtree_check', }, '/storage/nas': { @@ -192,7 +175,7 @@ nodes['home.nas'] = { 'disks': { '/dev/nvme0', - # old nas disks + # nas/timemachine disks '/dev/disk/by-id/ata-WDC_WD6003FFBX-68MU3N0_V8GE15GR', '/dev/disk/by-id/ata-WDC_WD6003FFBX-68MU3N0_V8HJ406R', '/dev/disk/by-id/ata-WDC_WD6003FFBX-68MU3N0_V8HJBTLR', @@ -200,10 +183,9 @@ nodes['home.nas'] = { '/dev/disk/by-id/ata-WDC_WD6003FFBX-68MU3N0_V8J8ZKRR', '/dev/disk/by-id/ata-WDC_WD6003FFBX-68MU3N0_V9JS5UYL', - # encrypted disks - '/dev/disk/by-id/ata-Samsung_SSD_870_QVO_8TB_S5SSNJ0X409404K', - '/dev/disk/by-id/ata-Samsung_SSD_870_QVO_8TB_S5SSNJ0X409845F', - '/dev/disk/by-id/ata-Samsung_SSD_870_QVO_8TB_S5SSNJ0X409870J', + # ssdpool disks + '/dev/disk/by-id/ata-INTEL_SSDSC2KB960G8_PHYF244001QU960CGN', + '/dev/disk/by-id/ata-INTEL_SSDSC2KB960G8_PHYF244002AS960CGN', }, }, 'systemd-networkd': { @@ -258,6 +240,20 @@ nodes['home.nas'] = { 'zfs_arc_max_gb': 8, }, 'pools': { + 'ssdpool': { + 'when_creating': { + 'config': [ + { + 'type': 'mirror', + 'devices': { + '/dev/disk/by-id/ata-INTEL_SSDSC2KB960G8_PHYF244001QU960CGN', + '/dev/disk/by-id/ata-INTEL_SSDSC2KB960G8_PHYF244002AS960CGN', + }, + }, + ], + 'ashift': 12, + }, + }, 'tank': { 'when_creating': { 'config': [ 
@@ -276,67 +272,46 @@ nodes['home.nas'] = { 'ashift': 12, }, }, - 'encrypted': { - 'when_creating': { - 'config': [ - { - 'type': 'raidz', - 'devices': { - '/dev/mapper/sam-S5SSNJ0X409404K', - '/dev/mapper/sam-S5SSNJ0X409845F', - '/dev/mapper/sam-S5SSNJ0X409870J', - }, - }, - ], - 'ashift': 12, - }, - 'needs': { - 'action:dm-crypt_open_sam-S5SSNJ0X409404K', - 'action:dm-crypt_open_sam-S5SSNJ0X409845F', - 'action:dm-crypt_open_sam-S5SSNJ0X409870J', - }, - # see comment in bundle:backup-server - 'unless': 'zpool import encrypted', - }, }, 'datasets': { - 'encrypted': { + 'ssdpool': { 'primarycache': 'metadata', }, - 'encrypted/nas': { + 'ssdpool/yate': { + 'mountpoint': '/opt/yate', + }, + 'ssdpool/download': { + 'mountpoint': '/mnt/download', + 'quota': '858993459200', # 800 GB + }, + 'ssdpool/paperless': { + 'mountpoint': '/srv/paperless', + }, + 'tank': { + 'primarycache': 'metadata', + }, + 'tank/nas': { 'acltype': 'off', 'atime': 'off', 'compression': 'off', 'mountpoint': '/storage/nas', }, - 'tank': { - 'primarycache': 'metadata', - }, - 'tank/opt-yate': { - 'mountpoint': '/opt/yate', - }, - 'tank/download': { - 'mountpoint': '/storage/download', - }, - 'tank/paperless': { - 'mountpoint': '/srv/paperless', - }, }, 'snapshots': { 'retain_per_dataset': { - 'encrypted/nas': { + 'tank/nas': { # juuuuuuuust to be sure. 'daily': 14, 'weekly': 6, 'monthly': 12, }, - 'tank/download': { + 'ssdpool/download': { 'hourly': 48, 'daily': 0, 'weekly': 0, 'monthly': 0, }, - 'tank/paperless': { + 'ssdpool/paperless': { 'daily': 14, 'weekly': 6, 'monthly': 24, From 6f902c5c7b6c1e1852e086626b538964d59fac4d Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Wed, 16 Apr 2025 09:04:17 +0200 Subject: [PATCH 982/996] proxmox-backupstorage: more disks --- nodes/proxmox-backupstorage.toml | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/nodes/proxmox-backupstorage.toml b/nodes/proxmox-backupstorage.toml index eee0256..7f10946 100644 
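Review bot: `tank/nas` takes over the data that previously lived on `encrypted/nas`, and with the `encrypted` pool and its dm-crypt devices removed in this commit the `/storage/nas` export now sits on a pool with no at-rest encryption, while the commit message only describes a layout change. If that is intended, a one-line comment on the dataset such as `# moved off the dm-crypt pool; no longer encrypted at rest` records the decision; if not, ZFS native dataset encryption (the `encryption`/`keyformat`/`keylocation` properties, assuming the zfs bundle passes dataset properties through unchanged) keeps the data encrypted without the dm-crypt layer. Separately, `'quota': '858993459200', # 800 GB` is 800 × 2^30 bytes, i.e. 800 GiB, so either the comment should read `# 800 GiB` or, if the bundle accepts ZFS size suffixes, the value `'800G'` would be self-documenting. The `nodes['home.nas']` dict this hunk edits starts well before the hunk.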
--- a/nodes/proxmox-backupstorage.toml +++ b/nodes/proxmox-backupstorage.toml @@ -14,6 +14,18 @@ check_command = "sshmon" check_command = "sshmon" "vars.sshmon_command" = "CT480BX500SSD1_2314E6C5C6C8" +[metadata.icinga2_api.smartd.services."SMART STATUS ST20000NM007D-3DJ103_WVT0RNKF"] +check_command = "sshmon" +"vars.sshmon_command" = "ST20000NM007D-3DJ103_WVT0RNKF" + +[metadata.icinga2_api.smartd.services."SMART STATUS ST20000NM007D-3DJ103_WVT0V0NQ"] +check_command = "sshmon" +"vars.sshmon_command" = "ST20000NM007D-3DJ103_WVT0V0NQ" + +[metadata.icinga2_api.smartd.services."SMART STATUS ST20000NM007D-3DJ103_WVT0W64H"] +check_command = "sshmon" +"vars.sshmon_command" = "ST20000NM007D-3DJ103_WVT0W64H" + [metadata.icinga2_api.smartd.services."SMART STATUS ST18000NM0092-3CX103_ZVV0686W"] check_command = "sshmon" "vars.sshmon_command" = "ST18000NM0092-3CX103_ZVV0686W" From 80a5d3563a70bc8d423b82c48fc3ad48bd5c05db Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Wed, 16 Apr 2025 09:07:18 +0200 Subject: [PATCH 983/996] htz-cloud.wireguard: also announce ip we're routing --- nodes/htz-cloud/wireguard.py | 1 + 1 file changed, 1 insertion(+) diff --git a/nodes/htz-cloud/wireguard.py b/nodes/htz-cloud/wireguard.py index 3ceaf2d..e560667 100644 --- a/nodes/htz-cloud/wireguard.py +++ b/nodes/htz-cloud/wireguard.py @@ -37,6 +37,7 @@ nodes['htz-cloud.wireguard'] = { '172.19.137.0/24', '172.19.136.62/31', '172.19.136.64/31', + '172.19.136.66/31', '192.168.100.0/24', }, }, From 4bc94987a761aaba6cf778ce989c8242696edc59 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Wed, 16 Apr 2025 09:07:45 +0200 Subject: [PATCH 984/996] carlene: add 42c3 topic timer --- nodes/carlene.toml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/nodes/carlene.toml b/nodes/carlene.toml index fb6d22a..3457ef6 100644 --- a/nodes/carlene.toml +++ b/nodes/carlene.toml 
@@ -244,6 +244,11 @@ disks = [ "/dev/disk/by-id/nvme-SAMSUNG_MZVL22T0HBLB-00B00_S677NX0W114380", ] +[metadata.systemd-timers.timers.42c3-topic] +command = "/home/kunsi/42c3-topic.sh" +user = "kunsi" +when = "04:00:00 Europe/Berlin" + [metadata.travelynx] version = "2.11.13" mail_from = "travelynx@franzi.business" From 1af04b684657fae6e50e68c468540d9b10f777fe Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Wed, 23 Apr 2025 10:56:17 +0200 Subject: [PATCH 985/996] update forgejo to 11.0.0 --- nodes/carlene.toml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/nodes/carlene.toml b/nodes/carlene.toml index 3457ef6..ed051fb 100644 --- a/nodes/carlene.toml +++ b/nodes/carlene.toml @@ -37,8 +37,8 @@ imap_host = "secureimap.t-online.de" imap_pass = "!bwpass_attr:t-online.de/franzi.kunsmann@t-online.de:imap" [metadata.forgejo] -version = "10.0.3" -sha1 = "d1199c43de9e69f6bb8058c15290e79862913413" +version = "11.0.0" +sha1 = "3a12529ab21ca04f2b3e6cf7a6c91af18f00ee5d" domain = "git.franzi.business" enable_git_hooks = true install_ssh_key = true From a999071cca1c9c1a8d88dceb812af019979117a5 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Wed, 23 Apr 2025 10:56:34 +0200 Subject: [PATCH 986/996] update mautrix-whatsapp to 0.12.0 --- nodes/carlene.toml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/nodes/carlene.toml b/nodes/carlene.toml index ed051fb..f98154c 100644 --- a/nodes/carlene.toml +++ b/nodes/carlene.toml @@ -98,8 +98,8 @@ provisioning.shared_secret = "!decrypt:encrypt$gAAAAABfVKflEMAi07C_QGP8cy97hF-4g "'@kunsi:franzi.business'" = "admin" [metadata.mautrix-whatsapp] -version = "v0.11.4" -sha1 = "71a064b82072d2cec3d655c8848af418c1f54c77" +version = "v0.12.0" +sha1 = "02094da0a164099d4d35e5edb4b87875ad694833" permissions."'@kunsi:franzi.business'" = "admin" [metadata.mautrix-whatsapp.homeserver] domain = "franzi.business" From 19d80513915cfc0810c3bbe60fd6216b5e8485e0 Mon Sep 17 00:00:00 2001 
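Review bot: The new `42c3-topic` timer runs `/home/kunsi/42c3-topic.sh`, a file in a user's home directory that nothing in this repo deploys, so the unit depends on state outside configuration management and fails if the script is missing or changed without anyone noticing unless the timer is monitored. Consider shipping the script from the repo, or at least adding `# script is maintained by hand in kunsi's home directory` above the table so the external dependency is visible. I cannot see from the hunk whether the systemd-timers bundle checks that the command path exists.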
From: Franziska Kunsmann Date: Wed, 23 Apr 2025 10:57:03 +0200 Subject: [PATCH 987/996] update netbox to 4.2.8 --- bundles/netbox/items.py | 4 ++-- nodes/carlene.toml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/bundles/netbox/items.py b/bundles/netbox/items.py index f261641..9edbf0b 100644 --- a/bundles/netbox/items.py +++ b/bundles/netbox/items.py @@ -38,8 +38,8 @@ actions['netbox_install'] = { 'triggered': True, 'command': ' && '.join([ 'cd /opt/netbox/src', - '/opt/netbox/venv/bin/pip install --upgrade pip wheel setuptools django-auth-ldap gunicorn', - '/opt/netbox/venv/bin/pip install --upgrade -r requirements.txt', + '/opt/netbox/venv/bin/pip install --upgrade --upgrade-strategy=eager pip wheel setuptools django-auth-ldap gunicorn', + '/opt/netbox/venv/bin/pip install --upgrade --upgrade-strategy=eager -r requirements.txt', ]), 'needs': { 'pkg_apt:build-essential', diff --git a/nodes/carlene.toml b/nodes/carlene.toml index f98154c..9c79e23 100644 --- a/nodes/carlene.toml +++ b/nodes/carlene.toml @@ -110,7 +110,7 @@ domain = "rss.franzi.business" [metadata.netbox] domain = "netbox.franzi.business" -version = "v4.2.6" +version = "v4.2.8" admins.kunsi = "hostmaster@kunbox.net" [metadata.nextcloud] From f72f701a5a92e1b24d8303132599320740f6ead0 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Wed, 23 Apr 2025 10:57:24 +0200 Subject: [PATCH 988/996] update paperless-ngx to 2.15.3 --- bundles/paperless-ng/files/paperless-webserver.service | 5 ++++- bundles/paperless-ng/metadata.py | 2 +- nodes/home/paperless.py | 2 +- 3 files changed, 6 insertions(+), 3 deletions(-) diff --git a/bundles/paperless-ng/files/paperless-webserver.service b/bundles/paperless-ng/files/paperless-webserver.service index 5d7f806..7c41aa7 100644 --- a/bundles/paperless-ng/files/paperless-webserver.service +++ b/bundles/paperless-ng/files/paperless-webserver.service 
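Review bot: `--upgrade-strategy=eager` on the first pip line upgrades `pip wheel setuptools django-auth-ldap gunicorn` and everything they depend on to whatever the index currently serves, none of which is pinned here, so every `netbox_install` run can pull versions that NetBox's `requirements.txt` was not tested with and the install is not reproducible. If the goal is only to keep the NetBox-pinned set current, the second line already does that; the first could keep the plain `--upgrade` it had before, or pin the extra packages explicitly, so that the pinned `requirements.txt` install is the one that decides versions. The surrounding `actions['netbox_install']` definition extends beyond the hunk.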
@@ -8,8 +8,11 @@ Requires=redis.service User=paperless Group=paperless Environment=PAPERLESS_CONFIGURATION_PATH=/opt/paperless/paperless.conf +Environment=GRANIAN_PORT=22070 +Environment=GRANIAN_WORKERS=4 +Environment=GRANIAN_HOST=::1 WorkingDirectory=/opt/paperless/src/paperless-ngx/src -ExecStart=/opt/paperless/venv/bin/gunicorn -c /opt/paperless/src/paperless-ngx/gunicorn.conf.py -b 127.0.0.1:22070 paperless.asgi:application +ExecStart=/opt/paperless/venv/bin/granian --interface asginl --ws "paperless.asgi:application" Restart=always RestartSec=10 SyslogIdentifier=paperless-webserver diff --git a/bundles/paperless-ng/metadata.py b/bundles/paperless-ng/metadata.py index 6746616..8db5342 100644 --- a/bundles/paperless-ng/metadata.py +++ b/bundles/paperless-ng/metadata.py @@ -99,7 +99,7 @@ def nginx(metadata): 'domain': metadata.get('paperless/domain'), 'locations': { '/': { - 'target': 'http://127.0.0.1:22070', + 'target': 'http://[::1]:22070', 'websockets': True, 'proxy_set_header': { 'X-Forwarded-Host': '$server_name', diff --git a/nodes/home/paperless.py b/nodes/home/paperless.py index caffb73..f7035a5 100644 --- a/nodes/home/paperless.py +++ b/nodes/home/paperless.py @@ -49,7 +49,7 @@ nodes['home.paperless'] = { }, 'paperless': { 'domain': 'paperless.home.kunbox.net', - 'version': 'v2.14.7', + 'version': 'v2.15.3', 'timezone': 'Europe/Berlin', }, 'postgresql': { From 3ec701b2b6dc0bc73174f76207247dcb6e90520c Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Wed, 23 Apr 2025 10:58:10 +0200 Subject: [PATCH 989/996] add rottenraptor vpn --- libs/s2s.py | 1 + nodes/htz-cloud/wireguard.py | 8 ++++++++ nodes/rottenraptor-vpn.toml | 27 +++++++++++++++++++++++++++ 3 files changed, 36 insertions(+) create mode 100644 nodes/rottenraptor-vpn.toml diff --git a/libs/s2s.py b/libs/s2s.py index fe0fc4e..8372ec2 100644 --- a/libs/s2s.py +++ b/libs/s2s.py 
@@ -6,6 +6,7 @@ AS_NUMBERS = { 'htz-cloud': 4290000137, 'ionos': 4290000002, 'revision': 4290000078, + 'rottenraptor': 4290000030, } WG_AUTOGEN_NODES = [ diff --git a/nodes/htz-cloud/wireguard.py b/nodes/htz-cloud/wireguard.py index e560667..1139390 100644 --- a/nodes/htz-cloud/wireguard.py +++ b/nodes/htz-cloud/wireguard.py @@ -53,6 +53,7 @@ nodes['htz-cloud.wireguard'] = { 'udp dport 1194 accept', 'udp dport 51800 accept', 'udp dport 51804 accept', + 'udp dport 51805 accept', # wg.c3voc.de 'udp dport 51801 ip saddr 185.106.84.42 accept', @@ -126,6 +127,13 @@ nodes['htz-cloud.wireguard'] = { 'my_ip': '172.19.136.66', 'their_ip': '172.19.136.67', }, + 'rottenraptor-vpn': { + 'endpoint': None, + 'exclude_from_monitoring': True, + 'my_port': 51805, + 'my_ip': '172.19.136.68', + 'their_ip': '172.19.136.69', + }, }, }, }, diff --git a/nodes/rottenraptor-vpn.toml b/nodes/rottenraptor-vpn.toml new file mode 100644 index 0000000..342ce1c --- /dev/null +++ b/nodes/rottenraptor-vpn.toml @@ -0,0 +1,27 @@ +hostname = "172.30.17.53" +bundles = ["bird", "wireguard"] +groups = ["debian-bookworm"] + +[metadata] +location = "rottenraptor" +backups.exclude_from_backups = true +icinga_options.exclude_from_monitoring = true + +[metadata.bird] +static_routes = [ + "172.30.17.0/24", +] + +[metadata.interfaces.ens18] +ips = ["172.30.17.53/24"] +gateway4 = "172.30.17.1" + +[metadata.nftables.postrouting] +"50-router" = [ + "oifname ens18 masquerade", +] + +[metadata.wireguard.peers."htz-cloud.wireguard"] +my_port = 51804 +my_ip = "172.19.136.69" +their_ip = "172.19.136.68" From 3d643efe0fb7b455f1ab7dff1a26895a7c7957f1 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Wed, 23 Apr 2025 11:05:48 +0200 Subject: [PATCH 990/996] bundles/zfs: fix dependencies --- bundles/zfs/items.py | 2 ++ 1 file changed, 2 insertions(+) diff --git a/bundles/zfs/items.py b/bundles/zfs/items.py index c63250e..530d27f 100644 --- a/bundles/zfs/items.py +++ b/bundles/zfs/items.py 
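Review bot: In `nodes/rottenraptor-vpn.toml` the peer entry sets `my_port = 51804`, while the hub side in `nodes/htz-cloud/wireguard.py` opens `udp dport 51805` and sets `my_port: 51805` for this peer; 51804 already appears in the hub's nftables rules, presumably for an existing peer, so the value looks copied from a neighbouring node. If this repo's convention is that both ends use the same port, the line should read `my_port = 51805`; if `my_port` on a leaf whose hub entry has `endpoint: None` is only its local listen port, the value is harmless but a short comment saying so would stop the next reader from wondering. I can see only the hunks, not how the wireguard bundle derives the remote endpoint port.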
@@ -67,6 +67,7 @@ svc_systemd = { 'file:/etc/systemd/system/zfs-import-scan.service.d/bundlewrap.conf', }, 'after': { + 'bundle:dm-crypt', # might unlock disks 'pkg_apt:', }, 'before': { @@ -83,6 +84,7 @@ svc_systemd = { }, 'zfs-mount.service': { 'after': { + 'bundle:dm-crypt', # might unlock disks 'pkg_apt:', }, }, From f9e87bde9e660bf818c922b8950b5a9da494afa4 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Thu, 24 Apr 2025 11:12:49 +0200 Subject: [PATCH 991/996] update travelynx to 2.11.23 --- nodes/carlene.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nodes/carlene.toml b/nodes/carlene.toml index 9c79e23..3b53d0f 100644 --- a/nodes/carlene.toml +++ b/nodes/carlene.toml @@ -250,7 +250,7 @@ user = "kunsi" when = "04:00:00 Europe/Berlin" [metadata.travelynx] -version = "2.11.13" +version = "2.11.23" mail_from = "travelynx@franzi.business" domain = "travelynx.franzi.business" From 57c1eb26056694b7ca1b25db256708fae337044f Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Tue, 6 May 2025 18:32:20 +0200 Subject: [PATCH 992/996] bundles/docker-immich: database not existing should not error out the script after all, we have monitoring to ensure the database container runs --- .../files/immich-auto-album-share.py | 32 +++++++++++-------- 1 file changed, 19 insertions(+), 13 deletions(-) diff --git a/bundles/docker-immich/files/immich-auto-album-share.py b/bundles/docker-immich/files/immich-auto-album-share.py index 863f8b2..2cac6c2 100644 --- a/bundles/docker-immich/files/immich-auto-album-share.py +++ b/bundles/docker-immich/files/immich-auto-album-share.py @@ -1,5 +1,6 @@ #!/usr/bin/env python3 +import logging from json import loads from os import environ from subprocess import check_output 
@@ -12,6 +13,8 @@ PSQL_USER = environ['DB_USERNAME'] PSQL_PASS = environ['DB_PASSWORD'] PSQL_DB = environ['DB_DATABASE_NAME'] +logging.basicConfig(level=logging.INFO) + docker_networks = loads(check_output(['docker', 'network', 'inspect', 'aaarghhh'])) container_ip = None @@ -26,9 +29,9 @@ for network in docker_networks: container_ip = container['IPv4Address'].split('/')[0] if not container_ip: - print(f'could not find ip address for container {PSQL_HOST=} in json') - print(docker_networks) - exit(1) + logging.error(f'could not find ip address for container {PSQL_HOST=} in json') + logging.debug(f'{docker_networks=}') + exit(0) print(f'{PSQL_HOST=} {container_ip=}') @@ -49,6 +52,7 @@ with conn: } for i in cur.fetchall() } + logging.debug(f'{albums=}') with conn.cursor() as cur: cur.execute('SELECT "id","name" FROM users;') 
@@ -56,25 +60,27 @@ with conn: i[0]: i[1] for i in cur.fetchall() } + logging.debug(f'{users=}') for album_id, album in albums.items(): - print(f'----- working on album: {album["name"]}') + log = logging.getLogger(album["name"]) with conn: with conn.cursor() as cur: cur.execute('SELECT "usersId" FROM albums_shared_users_users WHERE "albumsId" = %s;', (album_id,)) album_shares = [i[0] for i in cur.fetchall()] - print(f' album is shared with {len(album_shares)} users: {album_shares}') + log.info(f'album is shared with {len(album_shares)} users: {album_shares}') for user_id, user_name in users.items(): if user_id == album['owner'] or user_id in album_shares: continue - print(f' sharing album with user {user_name} ... ', end='') - with conn.cursor() as cur: - cur.execute( - 'INSERT INTO albums_shared_users_users ("albumsId","usersId","role") VALUES (%s, %s, %s);', - (album_id, user_id, 'viewer'), - ) - print('done') - print() + log.info(f'sharing album with user {user_name}') + try: + with conn.cursor() as cur: + cur.execute( + 'INSERT INTO albums_shared_users_users ("albumsId","usersId","role") VALUES (%s, %s, %s);', + (album_id, user_id, 'viewer'), + ) + except Exception: + log.exception('failure while creating share') conn.close() From 29799a1d339a3e5d1a01446c79d795cf5ef284f0 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Tue, 6 May 2025 18:33:49 +0200 Subject: [PATCH 993/996] bundles/docker-immich; do not log all those user ids if we don't need them --- bundles/docker-immich/files/immich-auto-album-share.py | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/bundles/docker-immich/files/immich-auto-album-share.py b/bundles/docker-immich/files/immich-auto-album-share.py index 2cac6c2..ad9aac7 100644 --- a/bundles/docker-immich/files/immich-auto-album-share.py +++ b/bundles/docker-immich/files/immich-auto-album-share.py 
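Review bot: The new `try`/`except` around the INSERT does not isolate a failure, because as far as the collapsed indentation shows all inserts for one album run inside the enclosing `with conn:` transaction: after the first failed statement psycopg2 leaves the transaction aborted, every later INSERT for that album fails too (each logged as another exception), and the transaction is rolled back on leaving `with conn:`, discarding the inserts that had succeeded. Adding `conn.rollback()` as the first line of the `except Exception:` branch lets the remaining users proceed in a fresh transaction (the shares lost to the rollback are retried on the next run, since `album_shares` is re-read), or use a SAVEPOINT per insert if partial commits should be avoided. `logging.getLogger(album["name"])` also uses a user-supplied album name as a logger name, so a name containing `.` becomes a nested logger and a name equal to a library's logger shares its level and handlers; `log = logging.getLogger(f'album.{album_id}')` with the name in the message avoids that. `conn` is created before this hunk.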
@@ -68,7 +68,8 @@ for album_id, album in albums.items(): with conn.cursor() as cur: cur.execute('SELECT "usersId" FROM albums_shared_users_users WHERE "albumsId" = %s;', (album_id,)) album_shares = [i[0] for i in cur.fetchall()] - log.info(f'album is shared with {len(album_shares)} users: {album_shares}') + log.info(f'album is shared with {len(album_shares)} users') + log.debug(f'{album_shares=}') for user_id, user_name in users.items(): if user_id == album['owner'] or user_id in album_shares: continue From 2b0e559f6ce507c1d52840b1abbd5d411f5ab626 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Tue, 6 May 2025 18:35:31 +0200 Subject: [PATCH 994/996] bundles/docker-immich: remove leftover print statement --- bundles/docker-immich/files/immich-auto-album-share.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/bundles/docker-immich/files/immich-auto-album-share.py b/bundles/docker-immich/files/immich-auto-album-share.py index ad9aac7..cafd32c 100644 --- a/bundles/docker-immich/files/immich-auto-album-share.py +++ b/bundles/docker-immich/files/immich-auto-album-share.py @@ -33,7 +33,7 @@ if not container_ip: logging.debug(f'{docker_networks=}') exit(0) -print(f'{PSQL_HOST=} {container_ip=}') +logging.debug(f'{PSQL_HOST=} {container_ip=}') conn = psycopg2.connect( dbname=PSQL_DB, From ae079764395f3b770e52134eaf5610a3693f52e4 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Tue, 6 May 2025 20:57:41 +0200 Subject: [PATCH 995/996] bundles/nfs-server: add avahi config --- bundles/nfs-server/files/avahi.service | 10 +++++ bundles/nfs-server/files/exports | 2 +- bundles/nfs-server/items.py | 51 +++++++++++++++++--------- nodes/home/nas.py | 2 +- 4 files changed, 45 insertions(+), 20 deletions(-) create mode 100644 bundles/nfs-server/files/avahi.service diff --git a/bundles/nfs-server/files/avahi.service b/bundles/nfs-server/files/avahi.service new file mode 100644 index 0000000..394cdca --- /dev/null 
+++ b/bundles/nfs-server/files/avahi.service @@ -0,0 +1,10 @@ + + + + NFS ${path} on %h + + _nfs._tcp + 2049 + path=${path} + + diff --git a/bundles/nfs-server/files/exports b/bundles/nfs-server/files/exports index ad2ca4c..ac9c8f8 100644 --- a/bundles/nfs-server/files/exports +++ b/bundles/nfs-server/files/exports @@ -1,4 +1,4 @@ -% for path, shares in sorted(node.metadata['nfs-server']['shares'].items()): +% for path, shares in sorted(node.metadata.get('nfs-server/shares', {}).items()): % for share_target, share_options in sorted(shares.items()): % for ip_list in repo.libs.tools.resolve_identifier(repo, share_target).values(): % for ip in sorted(ip_list): diff --git a/bundles/nfs-server/items.py b/bundles/nfs-server/items.py index dacbc48..ce025cf 100644 --- a/bundles/nfs-server/items.py +++ b/bundles/nfs-server/items.py 
@@ -1,25 +1,40 @@ -files = { - '/etc/exports': { - 'content_type': 'mako', - 'triggers': { - 'action:nfs_reload_shares', - }, - }, - '/etc/default/nfs-kernel-server': { - 'source': 'etc-default', - 'triggers': { - 'svc_systemd:nfs-server:restart', - }, +from re import sub + +files['/etc/exports'] = { + 'content_type': 'mako', + 'triggers': { + 'action:nfs_reload_shares', }, } -actions = { - 'nfs_reload_shares': { - 'command': 'exportfs -a', - 'triggered': True, +files['/etc/default/nfs-kernel-server'] = { + 'source': 'etc-default', + 'triggers': { + 'svc_systemd:nfs-server:restart', }, } -svc_systemd = { - 'nfs-server': {}, +actions['nfs_reload_shares'] = { + 'command': 'exportfs -a', + 'triggered': True, } + +svc_systemd['nfs-server'] = {} + +if node.has_bundle('avahi-daemon'): + for path, shares in node.metadata.get('nfs-server/shares', {}).items(): + create_avahi_file = False + for share_target, share_options in shares.items(): + if ',insecure,' in f',{share_options},': + create_avahi_file = True + + if create_avahi_file: + share_name_normalized = sub('[^a-z0-9-_]+', '_', path) + + files[f'/etc/avahi/services/nfs{share_name_normalized}.service'] = { + 'source': 'avahi.service', + 'content_type': 'mako', + 'context': { + 'path': path, + }, + } diff --git a/nodes/home/nas.py b/nodes/home/nas.py index 2f210d6..e98955c 100644 --- a/nodes/home/nas.py +++ b/nodes/home/nas.py @@ -141,7 +141,7 @@ nodes['home.nas'] = { 'home.downloadhelper': 'rw,all_squash,anonuid=65534,anongid=1012,no_subtree_check', }, '/storage/nas': { - '172.19.138.0/24': 'ro,all_squash,anonuid=65534,anongid=65534,no_subtree_check', + '172.19.138.0/24': 'ro,all_squash,anonuid=65534,anongid=65534,no_subtree_check,insecure', }, '/srv/paperless': { 'home.paperless': 'rw,all_squash,anonuid=65534,anongid=65534,no_subtree_check', From cc94f10c2da1e8943246e6f3424697113f77d20e Mon Sep 17 00:00:00 2001 
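Review bot: The `create_avahi_file` loop inside the new `if node.has_bundle('avahi-daemon'):` block never uses `share_target` and hand-rolls an `any()`; `create_avahi_file = any(',insecure,' in f',{opts},' for opts in shares.values())` expresses the same check in one line. Separately, `sub('[^a-z0-9-_]+', '_', path)` collapses every run of other characters (including uppercase letters) into a single `_`, so two distinct export paths can normalize to the same `/etc/avahi/services/nfs….service` key and the later one silently overwrites the earlier `files` entry; if export paths are expected to stay lowercase and unambiguous, a comment saying so would help, otherwise append something unique derived from `path` to the file name. A one-line comment on why the presence of `insecure` in the share options is what triggers the mDNS announcement would also help the next reader, since the code gives no hint.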
From: Franziska Kunsmann Date: Tue, 6 May 2025 20:58:33 +0200 Subject: [PATCH 996/996] remove mitel rfp35 --- nodes/home.mitel-rfp35.toml | 4 ---- nodes/home/nas.py | 3 --- 2 files changed, 7 deletions(-) delete mode 100644 nodes/home.mitel-rfp35.toml diff --git a/nodes/home.mitel-rfp35.toml b/nodes/home.mitel-rfp35.toml deleted file mode 100644 index 414658a..0000000 --- a/nodes/home.mitel-rfp35.toml +++ /dev/null @@ -1,4 +0,0 @@ -dummy = true - -[metadata.interfaces.default] -ips = ["172.19.138.41"] diff --git a/nodes/home/nas.py b/nodes/home/nas.py index e98955c..ebfdc2c 100644 --- a/nodes/home/nas.py +++ b/nodes/home/nas.py @@ -79,11 +79,9 @@ nodes['home.nas'] = { }, '5060/tcp': { # yate SIP 'home.snom-wohnzimmer', - 'home.mitel-rfp35', }, '5061/tcp': { # yate SIPS 'home.snom-wohnzimmer', - 'home.mitel-rfp35', }, # yate RTP uses some random UDP port. We cannot firewall # it, because for incoming calls the other side decides @@ -93,7 +91,6 @@ nodes['home.nas'] = { # to deal with randomly changing IPs here. '*/udp': { 'home.snom-wohnzimmer', - 'home.mitel-rfp35', }, }, },