diff --git a/Jenkinsfile b/Jenkinsfile index f371f82..ef990d1 100644 --- a/Jenkinsfile +++ b/Jenkinsfile @@ -1,6 +1,15 @@ pipeline { agent any stages { + stage('editorconfig-checker') { + steps { + sh """ + wget -Oec-linux-amd64.tar.gz https://github.com/editorconfig-checker/editorconfig-checker/releases/latest/download/ec-linux-amd64.tar.gz + tar -xzf ec-linux-amd64.tar.gz && rm ec-linux-amd64.tar.gz + bin/ec-linux-amd64 -no-color -exclude '^bin/' + """ + } + } stage('install_requirements') { steps { sh """ @@ -9,31 +18,13 @@ pipeline { virtualenv -p python3 venv . venv/bin/activate - pip install --upgrade pip isort + pip install --upgrade pip pip install -r requirements.txt """ } } - stage('tests') { + stage('bw test') { parallel { - stage('syntax checking using editorconfig-checker') { - steps { - sh """ - wget -Oec-linux-amd64.tar.gz https://github.com/editorconfig-checker/editorconfig-checker/releases/latest/download/ec-linux-amd64.tar.gz - tar -xzf ec-linux-amd64.tar.gz && rm ec-linux-amd64.tar.gz - bin/ec-linux-amd64 -no-color -exclude '^bin/' - """ - } - } - stage('syntax checking using isort') { - steps { - sh """ - . venv/bin/activate - - isort --check . - """ - } - } stage('config and metadata determinism') { steps { sh """ @@ -45,7 +36,7 @@ pipeline { """ } } - stage('bw test -i') { + stage('other tests') { steps { sh """ . venv/bin/activate diff --git a/PORT_MAP.md b/PORT_MAP.md index 40f6d0a..1e502c3 100644 --- a/PORT_MAP.md +++ b/PORT_MAP.md @@ -36,7 +36,7 @@ Rule of thumb: keep ports below 10000 free for stuff that reserves ports. | 20090 | matrix-media-repo | prometheus metrics | | 21000 | pleroma | pleroma | | 21010 | grafana | grafana | -| 22000 | gitea | forgejo | +| 22000 | gitea | gitea | | 22010 | jenkins-ci | Jenkins CI | | 22020 | travelynx | Travelynx Web | | 22030 | octoprint | OctoPrint Web Interface | 
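Review bot: The new `editorconfig-checker` stage fetches `releases/latest/download/ec-linux-amd64.tar.gz` and then runs `bin/ec-linux-amd64` from it with no version pin and no checksum, so whatever that URL serves at build time executes on the Jenkins agent. Pin a specific release in the URL instead of `latest` and verify the archive before unpacking, e.g. insert `echo "EXPECTED_SHA256_PLACEHOLDER  ec-linux-amd64.tar.gz" | sha256sum -c -` between the `wget` and `tar` lines. The same block was previously inside the parallel `tests` stage; moving it does not change this, but it is the cheapest moment to fix it.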
@@ -45,6 +45,7 @@ Rule of thumb: keep ports below 10000 free for stuff that reserves ports. | 22060 | pretalx | gunicorn | | 22070 | paperless-ng | gunicorn | | 22080 | netbox | gunicorn | +| 22090 | openhab | http | | 22100 | woodpecker-server | http | | 22101 | woodpecker-server | gRPC | | 22999 | nginx | stub_status | diff --git a/bundles/apt/items.py b/bundles/apt/items.py index 639417d..ae0f87a 100644 --- a/bundles/apt/items.py +++ b/bundles/apt/items.py @@ -143,9 +143,6 @@ pkg_apt = { 'cloud-init': { 'installed': False, }, - 'molly-guard': { - 'installed': False, - }, 'netplan.io': { 'installed': False, }, diff --git a/bundles/arch-with-gui/metadata.py b/bundles/arch-with-gui/metadata.py index 4666cca..869a7f9 100644 --- a/bundles/arch-with-gui/metadata.py +++ b/bundles/arch-with-gui/metadata.py @@ -38,14 +38,9 @@ defaults = { 'rofi': {}, # sound - 'calf': {}, - 'easyeffects': {}, - 'lsp-plugins': {}, 'pavucontrol': {}, - 'pipewire': {}, - 'pipewire-jack': {}, - 'pipewire-pulse': {}, - 'qpwgraph': {}, + 'pulseaudio': {}, + 'pulseaudio-zeroconf': {}, # window management 'i3-wm': {}, @@ -58,7 +53,6 @@ defaults = { # Xorg 'xf86-input-libinput': {}, - 'xf86-input-wacom': {}, 'xorg-server': {}, 'xorg-setxkbmap': {}, 'xorg-xev': {}, @@ -68,27 +62,20 @@ defaults = { # all them apps 'browserpass': {}, 'browserpass-firefox': {}, - 'ffmpeg': {}, 'firefox': {}, 'gimp': {}, - 'imagemagick': {}, 'inkscape': {}, - 'kdenlive': {}, 'maim': {}, 'mosh': {}, - 'mosquitto': {}, 'mpv': {}, 'pass': {}, 'pass-otp': {}, 'pdftk': {}, 'pwgen': {}, 'qpdfview': {}, - 'samba': {}, - 'shotcut': {}, 'sipcalc': {}, 'the_silver_searcher': {}, 'tlp': {}, - 'virt-manager': {}, 'xclip': {}, 'xdotool': {}, # needed for maim window selection }, diff --git a/bundles/backup-server/items.py b/bundles/backup-server/items.py index 11d0624..c70512c 100644 --- a/bundles/backup-server/items.py +++ b/bundles/backup-server/items.py 
@@ -1,7 +1,6 @@ repo.libs.tools.require_bundle(node, 'zfs') from os.path import join - from bundlewrap.metadata import metadata_to_json dataset = node.metadata.get('backup-server/zfs-base') diff --git a/bundles/bird/metadata.py b/bundles/bird/metadata.py index a5547d4..fd285d3 100644 --- a/bundles/bird/metadata.py +++ b/bundles/bird/metadata.py @@ -1,5 +1,4 @@ from ipaddress import ip_network - from bundlewrap.exceptions import NoSuchNode from bundlewrap.metadata import atomic diff --git a/bundles/docker-ce/metadata.py b/bundles/docker-ce/metadata.py index cf6e2bb..1315d1c 100644 --- a/bundles/docker-ce/metadata.py +++ b/bundles/docker-ce/metadata.py @@ -12,6 +12,14 @@ defaults = { 'docker-ce-cli': {}, }, }, + 'nftables': { + 'rules': { + '00-docker-ce': { + 'inet filter forward ct state { related, established } accept', + 'inet filter forward iifname docker0 accept', + }, + }, + }, } @@ -19,10 +27,7 @@ defaults = { 'nftables/rules/00-docker-ce', ) def nftables_nat(metadata): - rules = { - 'inet filter forward ct state { related, established } accept', - 'inet filter forward iifname docker0 accept', - } + rules = set() for iface in metadata.get('interfaces'): rules.add(f'nat postrouting oifname {iface} masquerade') @@ -30,7 +35,7 @@ def nftables_nat(metadata): return { 'nftables': { 'rules': { - '00-docker-ce': sorted(rules), + '00-docker-ce': rules, }, }, } diff --git a/bundles/dovecot/files/dovecot.conf b/bundles/dovecot/files/dovecot.conf index 9a294aa..885b36a 100644 --- a/bundles/dovecot/files/dovecot.conf +++ b/bundles/dovecot/files/dovecot.conf 
@@ -46,12 +46,11 @@ plugin { zlib_save_level = 6 zlib_save = gz - sieve = /var/mail/vmail/sieve/%d/%n.sieve - sieve_dir = /var/mail/vmail/sieve/%d/%n/ - sieve_extensions = +vnd.dovecot.pipe - sieve_pipe_bin_dir = /var/mail/vmail/sieve/bin sieve_plugins = sieve_imapsieve sieve_extprograms - sieve_user_log = /var/mail/vmail/sieve/%d/%n.log + sieve_dir = /var/mail/vmail/sieve/%d/%n/ + sieve = /var/mail/vmail/sieve/%d/%n.sieve + sieve_pipe_bin_dir = /var/mail/vmail/sieve/bin + sieve_extensions = +vnd.dovecot.pipe old_stats_refresh = 30 secs old_stats_track_cmds = yes diff --git a/bundles/gitea/files/app.ini b/bundles/gitea/files/app.ini index b55f210..a904681 100644 --- a/bundles/gitea/files/app.ini +++ b/bundles/gitea/files/app.ini @@ -21,6 +21,7 @@ ROOT_URL = https://${domain}/ DISABLE_SSH = false SSH_PORT = 22 LFS_START_SERVER = true +LFS_CONTENT_PATH = /var/lib/gitea/data/lfs LFS_JWT_SECRET = ${lfs_secret_key} OFFLINE_MODE = true START_SSH_SERVER = false @@ -66,7 +67,7 @@ EMAIL_DOMAIN_BLOCKLIST = ${','.join(sorted(email_domain_blocklist))} [mailer] ENABLED = true -PROTOCOL = sendmail +MAILER_TYPE = sendmail FROM = "${app_name}" [session] diff --git a/bundles/gitea/items.py b/bundles/gitea/items.py index e071483..2e2f518 100644 --- a/bundles/gitea/items.py +++ b/bundles/gitea/items.py @@ -40,7 +40,10 @@ files = { }, '/usr/local/bin/gitea': { 'content_type': 'download', - 'source': node.metadata.get('gitea/url'), + #'source': 'https://dl.gitea.io/gitea/{version}/gitea-{version}-linux-amd64'.format(version=node.metadata.get('gitea/version')), + 'source': 'https://github.com/go-gitea/gitea/releases/download/v{version}/gitea-{version}-linux-amd64'.format( + version=node.metadata.get('gitea/version'), + ), 'content_hash': node.metadata.get('gitea/sha1', None), 'mode': '0755', 'triggers': { diff --git a/bundles/gitea/metadata.py b/bundles/gitea/metadata.py index 2b9bcbe..6785b4b 100644 --- a/bundles/gitea/metadata.py +++ b/bundles/gitea/metadata.py 
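Review bot: `'content_hash': node.metadata.get('gitea/sha1', None)` leaves the integrity check on the downloaded binary optional, so a node without `gitea/sha1` gets whatever the release URL returns installed at `/usr/local/bin/gitea` with mode `0755`. Dropping the default, `'content_hash': node.metadata.get('gitea/sha1'),`, should make a missing hash fail at metadata lookup instead of producing an unverified install. The commented-out `dl.gitea.io` source line added above the new `source` can be removed; version control keeps it. The `files` dict starts and ends outside this hunk.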
@@ -6,7 +6,7 @@ defaults = { }, }, 'gitea': { - 'app_name': 'Forgejo', + 'app_name': 'Gitea', 'database': { 'username': 'gitea', 'password': repo.vault.password_for('{} postgresql gitea'.format(node.name)), @@ -23,14 +23,9 @@ defaults = { 'icinga2_api': { 'gitea': { 'services': { - 'FORGEJO PROCESS': { + 'GITEA PROCESS': { 'command_on_monitored_host': '/usr/local/share/icinga/plugins/check_systemd_unit gitea', }, - 'FORGEJO UPDATE': { - 'command_on_monitored_host': '/usr/local/share/icinga/plugins/check_forgejo_for_new_release codeberg.org forgejo/forgejo v$(gitea --version | cut -d" " -f3)', - 'vars.notification.mail': True, - 'check_interval': '60m', - }, }, }, }, @@ -72,7 +67,7 @@ defaults = { @metadata_reactor.provides( - 'nginx/vhosts/forgejo', + 'nginx/vhosts/gitea', ) def nginx(metadata): if not node.has_bundle('nginx'): @@ -81,7 +76,7 @@ def nginx(metadata): return { 'nginx': { 'vhosts': { - 'forgejo': { + 'gitea': { 'domain': metadata.get('gitea/domain'), 'locations': { '/': { @@ -104,4 +99,16 @@ def nginx(metadata): ) def icinga_check_for_new_release(metadata): return { + 'icinga2_api': { + 'gitea': { + 'services': { + 'GITEA UPDATE': { + # this is only temporary. We will switch to forgejo once they have their first stable release. + 'command_on_monitored_host': '/usr/local/share/icinga/plugins/check_forgejo_for_new_release codeberg.org forgejo/forgejo v{}'.format(metadata.get('gitea/version')), + 'vars.notification.mail': True, + 'check_interval': '60m', + }, + }, + }, + }, } diff --git a/bundles/homeassistant/files/check_homeassistant_update b/bundles/homeassistant/files/check_homeassistant_update index ff2b0d7..d01d830 100644 --- a/bundles/homeassistant/files/check_homeassistant_update +++ b/bundles/homeassistant/files/check_homeassistant_update 
@@ -41,7 +41,7 @@ try: message = f"WARNING - stable version {stable_version} is lower than running version {running_version}, check if downgrade is necessary." else: status = 2 - message = f"CRITICAL - update necessary, running version {running_version} is lower than stable version {stable_version}" + message = f"CRITICAL - update necessary, running verison {running_version} is lower than stable version {stable_version}" except Exception as e: message = f"{message}: {repr(e)}" diff --git a/bundles/homeassistant/metadata.py b/bundles/homeassistant/metadata.py index 0b41f39..87855f8 100644 --- a/bundles/homeassistant/metadata.py +++ b/bundles/homeassistant/metadata.py @@ -1,3 +1,5 @@ +from bundlewrap.metadata import atomic + defaults = { 'apt': { 'packages': { @@ -23,7 +25,7 @@ defaults = { }, } @metadata_reactor.provides( - 'icinga2_api/homeassistant/services', + 'icinga2_api/homeassistant/services/HOMESSISTANT UPDATE', ) def icinga_check_for_new_release(metadata): return { @@ -52,8 +54,8 @@ def nginx(metadata): 'vhosts': { 'homeassistant': { 'domain': metadata.get('homeassistant/domain'), - 'website_check_path': '/auth/authorize', - 'website_check_string': 'Home Assistant', + 'website_check_path': '/', + 'website_check_string': 'Homeassistant', 'locations': { '/': { 'target': 'http://127.0.0.1:8123', diff --git a/bundles/icinga2/files/check_freifunk_node b/bundles/icinga2/files/check_freifunk_node index 22725b7..2723f13 100644 --- a/bundles/icinga2/files/check_freifunk_node +++ b/bundles/icinga2/files/check_freifunk_node @@ -1,8 +1,7 @@ #!/usr/bin/env python3 -from sys import argv, exit - from requests import get +from sys import argv, exit meshviewer_url = argv[1] node_id = argv[2] diff --git a/bundles/icinga2/files/check_sipgate_account_balance b/bundles/icinga2/files/check_sipgate_account_balance index 843dfd9..8e8ce2d 100644 --- a/bundles/icinga2/files/check_sipgate_account_balance +++ b/bundles/icinga2/files/check_sipgate_account_balance 
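Review bot: The `provides` path in `bundles/homeassistant/metadata.py` now reads `icinga2_api/homeassistant/services/HOMESSISTANT UPDATE`, which looks misspelled (the `A` of `HOMEASSISTANT` is missing). The reactor's return value lies outside the hunk, so this cannot be confirmed here, but if the service key it returns is spelled differently the declared path will not match what the reactor provides. Either correct the spelling or keep the broader `'icinga2_api/homeassistant/services',`. The `atomic` import added in the first hunk of the same file is not used in any visible line.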
@@ -1,8 +1,7 @@ #!/usr/bin/env python3 -from sys import exit - from requests import get +from sys import exit SIPGATE_USER = '${node.metadata['icinga2']['sipgate_user']}' SIPGATE_PASS = '${node.metadata['icinga2']['sipgate_pass']}' diff --git a/bundles/icinga2/files/check_spam_blocklist b/bundles/icinga2/files/check_spam_blocklist index 5cb350d..bf14a82 100644 --- a/bundles/icinga2/files/check_spam_blocklist +++ b/bundles/icinga2/files/check_spam_blocklist @@ -1,10 +1,12 @@ #!/usr/bin/env python3 from concurrent.futures import ThreadPoolExecutor, as_completed -from ipaddress import IPv6Address, ip_address +from ipaddress import ip_address, IPv6Address from subprocess import check_output from sys import argv, exit + + BLOCKLISTS = [ '0spam.fusionzero.com', 'bl.mailspike.org', diff --git a/bundles/icinga2/files/scripts/icinga_notification_wrapper b/bundles/icinga2/files/scripts/icinga_notification_wrapper index 72ab749..f988be8 100644 --- a/bundles/icinga2/files/scripts/icinga_notification_wrapper +++ b/bundles/icinga2/files/scripts/icinga_notification_wrapper @@ -4,11 +4,10 @@ import email.mime.text import smtplib from argparse import ArgumentParser from json import dumps +from requests import post from subprocess import run from sys import argv -from requests import post - SIPGATE_USER='${node.metadata['icinga2']['sipgate_user']}' SIPGATE_PASS='${node.metadata['icinga2']['sipgate_pass']}' diff --git a/bundles/icinga2/metadata.py b/bundles/icinga2/metadata.py index fcbfd13..9bf7d26 100644 --- a/bundles/icinga2/metadata.py +++ b/bundles/icinga2/metadata.py @@ -17,9 +17,7 @@ defaults = { 'icinga2': {}, 'icinga2-ido-pgsql': {}, 'icingaweb2': {}, - - # apparently no longer needed - #'icingaweb2-module-monitoring': {}, + 'icingaweb2-module-monitoring': {}, # neeeded for statusmonitor 'python3-flask': {}, diff --git a/bundles/matrix-synapse/files/synapse-purge-unused-rooms b/bundles/matrix-synapse/files/synapse-purge-unused-rooms index 4e5f1e1..aa54ebb 100644 
--- a/bundles/matrix-synapse/files/synapse-purge-unused-rooms +++ b/bundles/matrix-synapse/files/synapse-purge-unused-rooms @@ -1,9 +1,9 @@ #!/usr/bin/env python3 from os import environ +from requests import get, post from sys import argv, exit -from requests import get, post SYNAPSE_MAX_ROOMS_TO_GET = 20000 SYNAPSE_HOST = 'http://[::1]:20080/' diff --git a/bundles/miniflux/metadata.py b/bundles/miniflux/metadata.py index b14fd15..8c51627 100644 --- a/bundles/miniflux/metadata.py +++ b/bundles/miniflux/metadata.py @@ -6,7 +6,7 @@ defaults = { 'repos': { 'miniflux': { 'items': { - 'deb [trusted=yes] https://repo.miniflux.app/apt/ /', + 'deb https://apt.miniflux.app/ /', }, }, }, diff --git a/bundles/molly-guard/files/10-check-unattended-upgrades b/bundles/molly-guard/files/10-check-unattended-upgrades new file mode 100644 index 0000000..6adafdb --- /dev/null +++ b/bundles/molly-guard/files/10-check-unattended-upgrades @@ -0,0 +1,9 @@ +#!/bin/bash + +# Checks wether upgrade-and-reboot is currently running. + +if [[ -f "/var/lib/bundlewrap/soft-${node.name}/UNATTENDED" ]] +then + echo "Sorry, can't $MOLLYGUARD_CMD now, upgrade-and-reboot is running" + exit 1 +fi diff --git a/bundles/molly-guard/files/30-query-hostname b/bundles/molly-guard/files/30-query-hostname new file mode 100644 index 0000000..3e4fc4c --- /dev/null +++ b/bundles/molly-guard/files/30-query-hostname 
@@ -0,0 +1,29 @@ +#!/bin/sh + +# This script will ask for the bundlewrap node name. This replaces the +# original script, which will ask for the hostname, which sometimes +# is not enough to properly identify the system. + +NODE_NAME="${node.name}" + +# If this is not a terminal, do nothing +test -t 0 || exit 0 + +sigh() +{ + echo "Sorry, input does not match. Won't $MOLLYGUARD_CMD $NODE_NAME ..." >&2 + exit 1 +} + +trap 'echo;sigh' 1 2 3 9 10 12 15 + +echo -n "Please enter the bundlewrap node name of this System to $MOLLYGUARD_CMD: " +read NODE_NAME_USER || : + +NODE_NAME_USER="$(echo "$NODE_NAME_USER" | tr '[:upper:]' '[:lower:]')" + +[ "$NODE_NAME_USER" = "$NODE_NAME" ] || sigh + +trap - 1 2 3 9 10 12 15 + +exit 0 diff --git a/bundles/molly-guard/files/rc b/bundles/molly-guard/files/rc new file mode 100644 index 0000000..4b6f808 --- /dev/null +++ b/bundles/molly-guard/files/rc @@ -0,0 +1 @@ +# currently unused diff --git a/bundles/molly-guard/items.py b/bundles/molly-guard/items.py new file mode 100644 index 0000000..1d6d82f --- /dev/null +++ b/bundles/molly-guard/items.py @@ -0,0 +1,27 @@ +directories = { + '/etc/molly-guard/messages.d': { + 'purge': True, + 'after': { + 'pkg_apt:molly-guard', + }, + }, + '/etc/molly-guard/run.d': { + 'purge': True, + 'after': { + 'pkg_apt:molly-guard', + }, + }, +} + +files = { + '/etc/molly-guard/rc': {}, + + '/etc/molly-guard/run.d/10-check-unattended-upgrades': { + 'content_type': 'mako', + 'mode': '0755', + }, + '/etc/molly-guard/run.d/30-query-hostname': { + 'content_type': 'mako', + 'mode': '0755', + }, +} diff --git a/bundles/molly-guard/metadata.py b/bundles/molly-guard/metadata.py new file mode 100644 index 0000000..d8571e2 --- /dev/null +++ b/bundles/molly-guard/metadata.py @@ -0,0 +1,7 @@ +defaults = { + 'apt': { + 'packages': { + 'molly-guard': {}, + }, + }, +} diff --git a/bundles/mosquitto/files/tasmota-telegraf-plugin b/bundles/mosquitto/files/tasmota-telegraf-plugin index 4927002..3aef6d6 100644 
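Review bot: In `30-query-hostname` the comparison `[ "$NODE_NAME_USER" = "$NODE_NAME" ]` lower-cases only the typed value, so a node whose name contains an upper-case letter can never pass this guard from a terminal. Normalise both sides, e.g. `NODE_NAME="$(echo "${node.name}" | tr '[:upper:]' '[:lower:]')"`, or drop the `tr` step if node names are meant to be case-sensitive. Signal `9` in both `trap` lists cannot be trapped and some shells report it as an error; `read` should be `read -r`; and `echo -n` is not portable under `#!/bin/sh`, where `printf '%s'` is.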
--- a/bundles/mosquitto/files/tasmota-telegraf-plugin +++ b/bundles/mosquitto/files/tasmota-telegraf-plugin @@ -7,6 +7,7 @@ from time import sleep import paho.mqtt.client as mqtt + BROKER_HOST = argv[1] BROKER_TOPIC = argv[2] diff --git a/bundles/mosquitto/metadata.py b/bundles/mosquitto/metadata.py index c07a446..08bd6de 100644 --- a/bundles/mosquitto/metadata.py +++ b/bundles/mosquitto/metadata.py @@ -1,5 +1,6 @@ from bundlewrap.metadata import atomic + defaults = { 'apt': { 'packages': { diff --git a/bundles/octoprint/files/check_octoprint_update b/bundles/octoprint/files/check_octoprint_update index ff89a3e..c7ae90a 100644 --- a/bundles/octoprint/files/check_octoprint_update +++ b/bundles/octoprint/files/check_octoprint_update @@ -1,8 +1,7 @@ #!/usr/bin/env python3 -from sys import exit - from requests import get +from sys import exit api_key = '${api_key}' diff --git a/bundles/openhab/files/backup-pre-hook b/bundles/openhab/files/backup-pre-hook new file mode 100644 index 0000000..fbf0eda --- /dev/null +++ b/bundles/openhab/files/backup-pre-hook @@ -0,0 +1,5 @@ +#!/bin/bash + +find /var/lib/openhab/backups -type f -mtime +3 -delete + +/usr/share/openhab/runtime/bin/backup --full diff --git a/bundles/openhab/files/openhab b/bundles/openhab/files/openhab new file mode 100644 index 0000000..9893987 --- /dev/null +++ b/bundles/openhab/files/openhab 
@@ -0,0 +1,62 @@ +# openHAB service options + +######################### +## PORTS +## The ports openHAB will bind its HTTP/HTTPS web server to. + +OPENHAB_HTTP_PORT=22090 +#OPENHAB_HTTPS_PORT=8443 + +######################### +## HTTP(S) LISTEN ADDRESS +## The listen address used by the HTTP(S) server. +## 0.0.0.0 (default) allows a connection from any location +## 127.0.0.1 only allows the local machine to connect + +OPENHAB_HTTP_ADDRESS=127.0.0.1 + +######################### +## BACKUP DIRECTORY +## Set the following variable to specify the backup location. +## runtime/bin/backup and runtime/bin/restore will use this path for the zip files. + +#OPENHAB_BACKUPS=/var/lib/openhab/backups + +######################### +## JAVA OPTIONS +## Additional options for the JAVA_OPTS environment variable. +## These will be appended to the execution of the openHAB Java runtime in front of all other options. +## +## A couple of independent examples: +## EXTRA_JAVA_OPTS="-Dgnu.io.rxtx.SerialPorts=/dev/ttyZWAVE:/dev/ttyUSB0:/dev/ttyS0:/dev/ttyS2:/dev/ttyACM0:/dev/ttyAMA0" +## EXTRA_JAVA_OPTS="-Djna.library.path=/lib/arm-linux-gnueabihf/ -Duser.timezone=Europe/Berlin -Dgnu.io.rxtx.SerialPorts=/dev/ttyZWave" + +EXTRA_JAVA_OPTS="${extra_java_opts}" + +######################### +## OPENHAB DEFAULTS PATHS +## The following settings override the default apt/rpm locations and should be used with caution. +## openHAB will fail to update itself if you're using different paths. +## Only set these if you are testing and are confident in debugging. + +#OPENHAB_HOME=/usr/share/openhab +#OPENHAB_CONF=/etc/openhab +#OPENHAB_RUNTIME=/usr/share/openhab/runtime +#OPENHAB_USERDATA=/var/lib/openhab +#OPENHAB_LOGDIR=/var/log/openhab + +######################### +## OPENHAB USER AND GROUP +## The user and group that takes ownership of openHAB. Only available for init.d systems. +## To edit user and group for systemd, see the service file at /usr/lib/systemd/system/openhab.service. 
+ +#OPENHAB_USER=openhab +#OPENHAB_GROUP=openhab + +######################### +## SYSTEMD START MODE +## The Karaf startmode for the openHAB runtime. Only available for systemctl/systemd systems. +## Defaults to daemon when unset here. Multiple options can be used without quotes. +## debug increases log output. daemon launches the Karaf/openHAB processes. + +#OPENHAB_STARTMODE=debug diff --git a/bundles/openhab/items.py b/bundles/openhab/items.py new file mode 100644 index 0000000..eabe1d0 --- /dev/null +++ b/bundles/openhab/items.py @@ -0,0 +1,32 @@ +extra_java_opts = [] + +for opt, value in sorted(node.metadata.get('openhab/java_opts', {}).items()): + if value is None: + extra_java_opts.append(f'-D{opt}') + else: + extra_java_opts.append(f'-D{opt}={value}') + +files = { + '/etc/default/openhab': { + 'content_type': 'mako', + 'context': { + 'extra_java_opts': ' '.join(extra_java_opts), + }, + 'triggers': { + 'svc_systemd:openhab:restart', + }, + }, + '/etc/backup-pre-hooks.d/40-openhab': { + 'source': 'backup-pre-hook', + 'mode': '0755', + } +} + +svc_systemd = { + 'openhab': { + 'needs': { + 'pkg_apt:openhab', + 'pkg_apt:openhab-addons', + }, + }, +} diff --git a/bundles/openhab/metadata.py b/bundles/openhab/metadata.py new file mode 100644 index 0000000..e6a87cc --- /dev/null +++ b/bundles/openhab/metadata.py 
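Review bot: `extra_java_opts` in `bundles/openhab/items.py` is built by joining `-D{opt}={value}` with spaces, and the template writes it as `EXTRA_JAVA_OPTS="${extra_java_opts}"`, so a metadata value containing a space, a double quote or `$` changes how `/etc/default/openhab` is parsed rather than ending up inside one JVM option (this holds whether the file is read by a shell or as a systemd environment file). If such values can occur, validate before appending, e.g. `if not re.fullmatch(r'[\w.:/,+-]*', str(value)): raise ValueError(opt)` with `import re` at the top of the file. The same check is worth applying to `opt` itself.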
@@ -0,0 +1,55 @@ +defaults = { + 'apt': { + 'packages': { + 'openjdk-17-jre': {}, + 'openhab': { + 'needs': { + 'pkg_apt:openjdk-17-jre', + }, + }, + 'openhab-addons': { + 'needs': { + 'pkg_apt:openhab', + }, + }, + }, + 'repos': { + 'openhab': { + 'items': { + 'deb https://openhab.jfrog.io/artifactory/openhab-linuxpkg stable main', + }, + }, + }, + }, + 'backups': { + 'paths': { + '/usr/share/openhab/addons', # not included in openhab backup + '/var/lib/openhab', + }, + }, +} + + +@metadata_reactor.provides( + 'nginx/vhosts/openhab', +) +def nginx(metadata): + if not node.has_bundle('nginx'): + raise DoNotRunAgain + + return { + 'nginx': { + 'vhosts': { + 'openhab': { + 'domain': metadata.get('openhab/domain'), + 'locations': { + '/': { + 'target': 'http://localhost:22090/', + }, + }, + 'website_check_path': '/', + 'website_check_string': 'openHAB', + }, + }, + }, + } diff --git a/bundles/postfix/files/postfix-telegraf-queue b/bundles/postfix/files/postfix-telegraf-queue index 16b64e5..f5abfe7 100644 --- a/bundles/postfix/files/postfix-telegraf-queue +++ b/bundles/postfix/files/postfix-telegraf-queue @@ -4,6 +4,7 @@ from json import loads from subprocess import check_output + queue_counts = {} queue_json = check_output(['sudo', '/usr/sbin/postqueue', '-j']) diff --git a/bundles/powerdns/files/named.conf b/bundles/powerdns/files/named.conf index 4154935..196e3f5 100644 --- a/bundles/powerdns/files/named.conf +++ b/bundles/powerdns/files/named.conf @@ -1,6 +1,6 @@ % for zone in sorted(zones): zone "${zone}" { file "/var/lib/powerdns/zones/${zone}"; - type master; + type native; }; % endfor diff --git a/bundles/powerdns/files/pdns.conf b/bundles/powerdns/files/pdns.conf index 7fcb1ca..1e2a5de 100644 --- a/bundles/powerdns/files/pdns.conf +++ b/bundles/powerdns/files/pdns.conf 
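Review bot: The vhost target `http://localhost:22090/` uses a name, while `/etc/default/openhab` in this commit binds openHAB to `OPENHAB_HTTP_ADDRESS=127.0.0.1`; if `localhost` also resolves to `::1` on the node, some upstream attempts will go to an address nothing listens on. Use `'target': 'http://127.0.0.1:22090/',`, matching the homeassistant vhost's `http://127.0.0.1:8123`. Separately, the new repo line `deb https://openhab.jfrog.io/artifactory/openhab-linuxpkg stable main` has no signing key visible in this commit; worth confirming the apt bundle ships one for it so packages from that origin are verified.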
@@ -20,15 +20,12 @@ setgid=pdns allow-notify-from=${','.join(sorted(my_primary_servers))} slave=yes -% if node.os_version[0] > 10: -superslave=yes -% endif +# FIXME enable once debian stable has 4.1.9 +#superslave=yes % else: api=yes api-key=${api_key} webserver=yes -webserver-address=0.0.0.0 -webserver-allow-from=0.0.0.0/0 allow-notify-from= diff --git a/bundles/powerdns/items.py b/bundles/powerdns/items.py index 2aad214..a6db93a 100644 --- a/bundles/powerdns/items.py +++ b/bundles/powerdns/items.py @@ -5,12 +5,26 @@ from subprocess import check_output zone_path = join(repo.path, 'data', 'powerdns', 'files', 'bind-zones') -nameservers = set() +ZONE_HEADER = """ +; _ ____ _ _ _____ _ _ _ _ ____ +; / \\ / ___| | | |_ _| | | | \\ | |/ ___| +; / _ \\| | | |_| | | | | | | | \\| | | _ +; / ___ \\ |___| _ | | | | |_| | |\\ | |_| | +; /_/ \\_\\____|_| |_| |_| \\___/|_| \\_|\\____| +; +; --> Diese Datei wird von BundleWrap verwaltet! <-- + +$TTL 60 +@ IN SOA ns-1.kunbox.net. hostmaster.kunbox.net. ( + {serial} + 3600 + 600 + 86400 + 300 + ) +""" for rnode in sorted(repo.nodes_in_group('dns')): - if not rnode.metadata.get('powerdns/is_secondary'): - # hide the primary nameserver from auto-generated nameserver lists - continue - nameservers.add(rnode.metadata.get('powerdns/my_hostname', rnode.metadata.get('hostname'))) + ZONE_HEADER += '@ IN NS {}.\n'.format(rnode.metadata.get('powerdns/my_hostname', rnode.metadata.get('hostname'))) directories = { '/etc/powerdns/pdns.d': { 
@@ -36,11 +50,11 @@ files = { '/etc/powerdns/pdns.conf': { 'content_type': 'mako', 'context': { - 'api_key': node.metadata.get('powerdns/api_key'), - 'my_hostname': node.metadata.get('powerdns/my_hostname', node.metadata.get('hostname')), - 'is_secondary': node.metadata.get('powerdns/is_secondary', False), - 'my_primary_servers': node.metadata.get('powerdns/my_primary_servers', set()), - 'my_secondary_servers': node.metadata.get('powerdns/my_secondary_servers', set()), + 'api_key': node.metadata['powerdns']['api_key'], + 'my_hostname': node.metadata['powerdns'].get('my_hostname', node.metadata.get('hostname')), + 'is_secondary': node.metadata['powerdns'].get('is_secondary', False), + 'my_primary_servers': node.metadata['powerdns'].get('my_primary_servers', set()), + 'my_secondary_servers': node.metadata['powerdns'].get('my_secondary_servers', set()), }, 'needs': { 'pkg_apt:pdns-server', @@ -64,7 +78,7 @@ svc_systemd = { actions = { 'powerdns_reload_zones': { 'triggered': True, - 'command': 'pdns_control rediscover; pdns_control reload; pdns_control notify \*', + 'command': 'pdns_control rediscover; pdns_control reload', 'needs': { 'svc_systemd:pdns', }, @@ -88,8 +102,7 @@ if node.metadata.get('powerdns/features/bind', False): files[f'/var/lib/powerdns/zones/{zone}'] = { 'content_type': 'mako', 'context': { - 'NAMESERVERS': '\n'.join(sorted({f'@ IN NS {ns}.' for ns in nameservers})), - 'SERIAL': serial, + 'header': ZONE_HEADER.format(serial=serial), 'metadata_records': node.metadata.get(f'powerdns/bind-zones/{zone}/records', []), }, 'source': f'bind-zones/{zone}', 
@@ -129,22 +142,12 @@ if node.metadata.get('powerdns/features/bind', False): 'action:powerdns_reload_zones', }, } -else: - files['/etc/powerdns/named.conf'] = { - 'delete': True, - 'needed_by': { - 'svc_systemd:pdns', - }, - 'triggers': { - 'action:powerdns_reload_zones', - }, - } -if node.metadata.get('powerdns/features/pgsql', node.has_bundle('postgresql')): +if node.metadata.get('powerdns/features/pgsql', False): files['/etc/powerdns/pdns.d/pgsql.conf'] = { 'content_type': 'mako', 'context': { - 'password': node.metadata.get('postgresql/roles/powerdns/password'), + 'password': node.metadata['postgresql']['roles']['powerdns']['password'], }, 'needs': { 'pkg_apt:pdns-backend-pgsql', @@ -160,7 +163,7 @@ if node.metadata.get('powerdns/features/pgsql', node.has_bundle('postgresql')): files['/etc/powerdns/schema.pgsql.sql'] = {} actions['powerdns_load_pgsql_schema'] = { - 'command': node.metadata.get('postgresql/roles/powerdns/password').format_into('PGPASSWORD={} psql -h 127.0.0.1 -d powerdns -U powerdns -w < /etc/powerdns/schema.pgsql.sql'), + 'command': node.metadata['postgresql']['roles']['powerdns']['password'].format_into('PGPASSWORD={} psql -h 127.0.0.1 -d powerdns -U powerdns -w < /etc/powerdns/schema.pgsql.sql'), 'unless': 'sudo -u postgres psql -d powerdns -c "\dt" | grep domains 2>&1 >/dev/null', 'needs': { 'bundle:postgresql', diff --git a/bundles/powerdns/metadata.py b/bundles/powerdns/metadata.py index e93c7de..57f46f5 100644 --- a/bundles/powerdns/metadata.py +++ b/bundles/powerdns/metadata.py @@ -1,4 +1,4 @@ -from ipaddress import IPv4Address, IPv6Address, ip_address +from ipaddress import ip_address, IPv4Address, IPv6Address from bundlewrap.metadata import atomic @@ -43,11 +43,7 @@ if node.has_bundle('telegraf'): defaults['telegraf'] = { 'input_plugins': { 'builtin': { - 'powerdns': [{ - 'unix_sockets': [ - '/var/run/pdns/pdns.controlsocket', - ], - }], + 'powerdns': [{}], }, }, 'additional_groups': { 
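Review bot: `powerdns_load_pgsql_schema` formats the database password straight into the shell string `PGPASSWORD={} psql ...` without quoting, so a password containing shell metacharacters breaks or alters the command, and the secret is part of the command text wherever that text gets logged. Quote it at minimum (`PGPASSWORD='{}' psql ...`, which still assumes the password has no single quote), or load the schema the way the `unless` check already connects, via `sudo -u postgres psql -d powerdns`, and adjust table ownership afterwards so no password is passed at all. In that `unless` line, `2>&1 >/dev/null` leaves stderr attached to the terminal; `>/dev/null 2>&1` is presumably what was meant, and `"\dt"` should be a raw string. The enclosing `if` block starts outside this hunk.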
@@ -190,16 +186,16 @@ def hosts_entries_for_all_dns_servers(metadata): if rnode.name == node.name: continue - found_ips = repo.libs.tools.resolve_identifier(repo, rnode.name) - for ip in sorted(found_ips['ipv4']): - if not ip.is_private: - entries[str(ip)] = { - rnode.metadata.get('hostname'), - rnode.name, - } + ip = rnode.metadata.get('external_ipv4') - if rnode.metadata.get('powerdns/my_hostname', None): - entries[str(ip)].add(rnode.metadata.get('powerdns/my_hostname')) + if ip: + entries[ip] = { + rnode.metadata.get('hostname'), + rnode.name, + } + + if rnode.metadata.get('powerdns/my_hostname', None): + entries[ip].add(rnode.metadata.get('powerdns/my_hostname')) return { 'hosts': { @@ -215,9 +211,8 @@ def firewall(metadata): return { 'firewall': { 'port_rules': { - '53': atomic(metadata.get('powerdns/restrict-to/dns', {'*'})), - '53/udp': atomic(metadata.get('powerdns/restrict-to/dns', {'*'})), - '8081': atomic(metadata.get('powerdns/restrict-to/api', set())), + '53': atomic(metadata.get('powerdns/restrict-to', {'*'})), + '53/udp': atomic(metadata.get('powerdns/restrict-to', {'*'})), }, }, } diff --git a/bundles/powerdnsadmin/items.py b/bundles/powerdnsadmin/items.py index ea256ea..7cdf08c 100644 --- a/bundles/powerdnsadmin/items.py +++ b/bundles/powerdnsadmin/items.py @@ -36,13 +36,10 @@ actions = { 'needs': { 'directory:/opt/powerdnsadmin', # provided by bundle:users }, - 'after': { - 'pkg_apt:', - }, }, 'powerdnsadmin_install_deps': { 'triggered': True, - 'command': '/opt/powerdnsadmin/venv/bin/pip install --upgrade psycopg2-binary -r /opt/powerdnsadmin/src/requirements.txt', + 'command': '/opt/powerdnsadmin/venv/bin/pip install -r /opt/powerdnsadmin/src/requirements.txt', 'needs': { 'action:powerdnsadmin_create_virtualenv', 'pkg_apt:', diff --git a/bundles/powerdnsadmin/metadata.py b/bundles/powerdnsadmin/metadata.py index 0617b03..8389941 100644 --- a/bundles/powerdnsadmin/metadata.py +++ b/bundles/powerdnsadmin/metadata.py 
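Review bot: `ip = rnode.metadata.get('external_ipv4')` has no default, yet the next statement tests `if ip:` as though a missing value were expected; if the lookup raises for a dns node without that key, the guard is never reached and the reactor fails. Write `ip = rnode.metadata.get('external_ipv4', None)`, as the `powerdns/my_hostname` lookup a few lines below already does. The last hunk of this file also collapses `powerdns/restrict-to/dns` into `powerdns/restrict-to` and drops the `8081` rule, so any node metadata still using the nested `dns`/`api` keys would now reach `atomic()` as a dict; that is not visible in this diff and worth a grep before merging. `hosts_entries_for_all_dns_servers` begins outside the hunk.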
@@ -10,6 +10,7 @@ defaults = { 'libxmlsec1-dev': {}, 'libxslt1-dev': {}, 'pkg-config': {}, + 'python3-psycopg2': {}, 'python3-wheel': {}, }, }, diff --git a/bundles/pppd/files/dyndns b/bundles/pppd/files/dyndns index f1760d8..a88d7c5 100644 --- a/bundles/pppd/files/dyndns +++ b/bundles/pppd/files/dyndns @@ -1,8 +1,7 @@ #!/usr/bin/env python3 -from sys import argv - import requests +from sys import argv INTERFACE = argv[1] LOCAL_IP = argv[4] diff --git a/bundles/pretalx/files/pretalx-administrators-from-group b/bundles/pretalx/files/pretalx-administrators-from-group index 3253000..c1dcf80 100644 --- a/bundles/pretalx/files/pretalx-administrators-from-group +++ b/bundles/pretalx/files/pretalx-administrators-from-group @@ -1,10 +1,9 @@ #!/usr/bin/env python3 +import psycopg2 from configparser import ConfigParser from sys import argv, exit -import psycopg2 - def main(): try: diff --git a/bundles/rspamd/files/telegraf-rspamd-plugin b/bundles/rspamd/files/telegraf-rspamd-plugin index 23e5ccb..9cb2c3d 100644 --- a/bundles/rspamd/files/telegraf-rspamd-plugin +++ b/bundles/rspamd/files/telegraf-rspamd-plugin @@ -1,8 +1,7 @@ #!/usr/bin/env python3 -from sys import argv, stderr - from requests import get +from sys import argv, stderr try: r = get('http://127.0.0.1:11334/stat') diff --git a/bundles/smartd/files/telegraf_plugin b/bundles/smartd/files/telegraf_plugin index 5bd10f2..5a7a1a5 100644 --- a/bundles/smartd/files/telegraf_plugin +++ b/bundles/smartd/files/telegraf_plugin @@ -1,7 +1,7 @@ #!/usr/bin/env python -from json import loads from subprocess import check_output +from json import loads from sys import stderr devices = check_output(['smartctl', '--scan']).decode().splitlines() diff --git a/bundles/sshmon/files/check_forgejo_for_new_release b/bundles/sshmon/files/check_forgejo_for_new_release index 3db5bcd..99fb18d 100644 --- a/bundles/sshmon/files/check_forgejo_for_new_release +++ b/bundles/sshmon/files/check_forgejo_for_new_release 
@@ -55,9 +55,8 @@ try: exit(2) else: print( - "Currently installed version {} matches newest release on {}".format( - current_version, - host, + "Currently installed version {} matches newest release on github".format( + current_version ) ) exit(0) diff --git a/bundles/sshmon/files/check_http_wget b/bundles/sshmon/files/check_http_wget index c259871..ade5dbe 100644 --- a/bundles/sshmon/files/check_http_wget +++ b/bundles/sshmon/files/check_http_wget @@ -2,8 +2,8 @@ #this is actually a python https requests query, its called check_http_wget cause it got replaced -from argparse import ArgumentParser from sys import exit +from argparse import ArgumentParser import requests diff --git a/bundles/sshmon/files/check_mounts b/bundles/sshmon/files/check_mounts index bc2fc4b..f387ce4 100644 --- a/bundles/sshmon/files/check_mounts +++ b/bundles/sshmon/files/check_mounts @@ -5,6 +5,7 @@ from argparse import ArgumentParser from subprocess import check_output from tempfile import TemporaryFile + check_filesystem_types = { 'ext2', 'ext3', diff --git a/bundles/sshmon/metadata.py b/bundles/sshmon/metadata.py index 8d5bb6b..4fc3df2 100644 --- a/bundles/sshmon/metadata.py +++ b/bundles/sshmon/metadata.py @@ -8,10 +8,7 @@ defaults = { 'monitoring-plugins': {}, 'python3-requests': {}, 'python3-setuptools': {}, # needed by check_github_for_new_release - 'sysstat': { - # legacy - 'installed': False, - }, + 'sysstat': {}, # needed by check_cpu_stats }, }, 'icinga2_api': { @@ -40,6 +37,7 @@ defaults = { 'perl-libwww': {}, 'monitoring-plugins': {}, 'python-requests': {}, + 'sysstat': {}, }, }, } diff --git a/bundles/systemd-networkd/metadata.py b/bundles/systemd-networkd/metadata.py index 46cd893..303e0f3 100644 --- a/bundles/systemd-networkd/metadata.py +++ b/bundles/systemd-networkd/metadata.py @@ -1,9 +1,6 @@ defaults = { 'apt': { 'packages': { - 'isc-dhcp-client': { - 'installed': False, - }, 'resolvconf': { 'installed': False, }, 
diff --git a/bundles/travelynx/files/travelynx.conf b/bundles/travelynx/files/travelynx.conf index 7787d8b..bc8e128 100644 --- a/bundles/travelynx/files/travelynx.conf +++ b/bundles/travelynx/files/travelynx.conf @@ -5,13 +5,15 @@ # 'localhost'. { - base_url => Mojo::URL->new('https://${domain}'), - + # Cache directories for schedule and realtime data. Mandatory. The parent + # directory ('/var/cache/travelynx' in this case) must already exist. cache => { schedule => '/var/cache/travelynx/iris', realtime => '/var/cache/travelynx/iris-rt', }, + # Database configuration. host and port are optional + # (defaulting to localhost:5432), the rest is mandatory. db => { host => '${database.get('host', 'localhost')}', port => 5432, @@ -20,6 +22,8 @@ password => '${database['password']}', }, + # See the Mojo::Server::Hypnotoad manual for details on the following + # settings. hypnotoad => { accepts => 100, clients => 10, @@ -30,14 +34,21 @@ }, mail => { + # If you want to disable outgoing mail for development purposes, + # uncomment the following line. Mails will instead be logged as + # Mojolicious "info" messages, causing their content to be printed on + # stdout. + ## disabled => 1, + + # Otherwise, specify the sender ("From" field) for mail sent by travelynx + # here. E.g. 'Travelynx ' from => '${mail_from}', }, - ref => { - issues => 'https://github.com/derf/travelynx/issues', - source => 'https://github.com/derf/travelynx', - }, - + # Secrets used for cookie signing and verification. Must contain at least + # one random string. If you specify several strings, the first one will + # be used for signing new cookies, and the remaining ones will still be + # accepted for cookie validation. secrets => [ '${cookie_secret}', ], diff --git a/bundles/travelynx/items.py b/bundles/travelynx/items.py index 5463a1b..dda92cf 100644 --- a/bundles/travelynx/items.py +++ b/bundles/travelynx/items.py 
@@ -36,7 +36,7 @@ files = { }, '/opt/travelynx/travelynx.conf': { 'content_type': 'mako', - 'context': node.metadata.get('travelynx'), + 'context': node.metadata['travelynx'], 'needs': { 'git_deploy:/opt/travelynx', }, @@ -61,7 +61,7 @@ if isfile(join(repo.path, 'data', 'travelynx', 'files', 'imprint', node.name)): git_deploy = { '/opt/travelynx': { 'repo': 'https://github.com/derf/travelynx.git', - 'rev': node.metadata.get('travelynx/version'), + 'rev': node.metadata['travelynx']['version'], 'needs': { 'directory:/opt/travelynx', }, @@ -84,7 +84,7 @@ actions = { 'triggered': True, }, 'travelynx_database_migrate': { - 'command': 'export PERL5LIB=/opt/travelynx/local/lib/perl5; cd /opt/travelynx && perl index.pl database migrate', + 'command': 'cd /opt/travelynx && perl index.pl database migrate', # Because git_deploy does not put .git onto the server, the script # will complain on STDERR about not finding a git repository. # That's why we need to redirect stderr to /dev/null. diff --git a/bundles/users/files/bashrc b/bundles/users/files/bashrc index 2b2729d..0a21add 100644 --- a/bundles/users/files/bashrc +++ b/bundles/users/files/bashrc @@ -36,7 +36,6 @@ export EDITOR=vim export VISUAL=vim alias ipb='ip -brief --color=auto' -alias ipa='ip -brief --color=always addr show; echo; ip --color=always route show; ip -6 --color=always route show' alias l='ls -lAh' alias s='sudo -i' alias v='vim -p' diff --git a/bundles/users/items.py b/bundles/users/items.py index d6df3cd..457c46a 100644 --- a/bundles/users/items.py +++ b/bundles/users/items.py @@ -1,4 +1,4 @@ -from os.path import exists, join +from os.path import join, exists files = { '/etc/bash.bashrc': { diff --git a/bundles/wireguard/metadata.py b/bundles/wireguard/metadata.py index b19ca8c..21e9b8f 100644 --- a/bundles/wireguard/metadata.py +++ b/bundles/wireguard/metadata.py 
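Review bot: `'rev': node.metadata['travelynx']['version']` deploys whatever that metadata value names from `https://github.com/derf/travelynx.git`, and the hunk does not show whether it is a commit hash or a branch or tag. That code is then run on the host by the `travelynx_database_migrate` action further down. I would therefore pin a full commit hash in metadata and record the rule next to the item, e.g. `# travelynx/version must be a full commit hash, not a branch or tag`. That way an upstream retag or force-push cannot change what gets deployed. The `git_deploy` dict continues past the hunk.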
@@ -3,6 +3,7 @@ from ipaddress import ip_network from bundlewrap.exceptions import NoSuchNode from bundlewrap.metadata import atomic + defaults = { 'apt': { 'packages': { diff --git a/bundles/zfs/files/check_zpool_space b/bundles/zfs/files/check_zpool_space index abb533e..ff4b9bb 100644 --- a/bundles/zfs/files/check_zpool_space +++ b/bundles/zfs/files/check_zpool_space @@ -1,9 +1,9 @@ #!/usr/bin/env python3 -import re from subprocess import check_output from sys import argv, exit +import re def to_bytes(size): diff --git a/bundles/zfs/files/zfs-auto-snapshot b/bundles/zfs/files/zfs-auto-snapshot index 8e38cf7..4f1c919 100644 --- a/bundles/zfs/files/zfs-auto-snapshot +++ b/bundles/zfs/files/zfs-auto-snapshot @@ -2,6 +2,7 @@ import re + from datetime import datetime from json import loads from subprocess import check_call, check_output diff --git a/bundles/zfs/items.py b/bundles/zfs/items.py index 85ffdd7..8dda658 100644 --- a/bundles/zfs/items.py +++ b/bundles/zfs/items.py @@ -1,4 +1,5 @@ from json import dumps +#from os.path import join from bundlewrap.metadata import MetadataJSONEncoder diff --git a/data/apt/files/gpg-keys/influxdb.asc b/data/apt/files/gpg-keys/influxdb.asc index 60aeaf6..c97d593 100644 --- a/data/apt/files/gpg-keys/influxdb.asc +++ b/data/apt/files/gpg-keys/influxdb.asc 
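Review bot: The line added to bundles/zfs/items.py, `#from os.path import join`, is commented-out code rather than a comment. If `join` is not needed, leave the line out; if it is planned, a `# TODO:` saying what will use it is more useful to the next reader.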
@@ -1,29 +1,52 @@ -----BEGIN PGP PUBLIC KEY BLOCK----- +Version: GnuPG v1 -mQINBGPIEycBEACpG4qSjhxA6fh4QJVJxFVBvCFt9tVx/hDbKH0Ryy9iilyMeReC -AS1/CZnSv/fhDNKmVPckf6on72z/ODwZcVfMV6DHkxmZ6x/tQrS6CWfKkupsON2H -KS3t4HUivahwHPlWtbfDqsWNwTAsZqklKpJQWY2ADPwurkbCmtYSjsgbLuWe23Pd -nJpLTHtlChM0ntW/l7Le1zYjGPUGoxMJgjg1YG8fi2l/zS0Of8bdQ26ps+WRvrSQ -RKhfAkfIgUiCXxBpDlN1spN73ZlAkaSb+myTfEKyJR55Yt9pHfkDdJh26RVgE1+N -GuLmm6oidaD9lTlNJ9P8wlLzoof3xJXYprgLLz/HmgtawnJ+DxFIXoXNNpUmhORJ -6Hb2Z5IKIyGIwXhQVe2Lw7B8awBNV99zUw517Wuax3RYx7Hwhntz9gFxS4GRxaCo -uLCFQ0AgDCkMHyEHufQo1XdjIB7fz6U551y5GMQw6/rjMnUM9ZI68SQ/FWou2cQf -533PyayvWOYQM4pP7ZmbzyCd393XlMaPWA5dyUOqv7Vcmv0IsAbncX6/KJmZAhKG -qu19xb6rv3ab2RbcU422guK3C/h/URPZJbSjf2w4jUV5UDe2veZg6BEVn7Sk5bW0 -ceX8n0GVbPNG7CvRduJPjXNzsz3FzmUS8QFFde3H5gl1T0f6GcfhmKgKEQARAQAB -tDdJbmZsdXhEYXRhIFBhY2thZ2UgU2lnbmluZyBLZXkgPHN1cHBvcnRAaW5mbHV4 -ZGF0YS5jb20+iQJVBBMBCAA/BgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAUJBaOk -/BYhBJ1TnZDTMo3H1sjTudj/jh99+LB+BQJjyB9PAhsDAAoJENj/jh99+LB+klgQ -AKOKdwTyKOr6+mnRrACz5U3EFxfAXXFGan9Ka7Nzgz4K+FOnTtT1gWwqrPPmTKQk -epNUMcelfX1kCA08yCm0nyw2niqxES40W33ergKUj6jlDx7UQYXWsDQGD9IKksa8 -MWfZlJ3zlrsGKXA4oa+kfY+vltWDVP8WhLcQzm2LywbKvr3WgY80GZbnRjoekiBK -oMKztQVMJG5yNZBo9B4JrqB3wMpnXZxEtqZcBPsJJdXTFKHsQ7kB9TMNorbUvDNH -ohwsprgMw84vHikEk9jyCypXpYq/E/wvkM0CeIUJ36S2vGvACib7BiY6Xv0BQbM4 -rWq2Rrjag1y5vVAF9gJkeo/3rhM6lE1ahDCRq0QcBMVzbxiE+3COIzRPmz14J3Yn -0pkvzlVkNj5UZR8q91ESl+UxkFCP1wzcXgs0dpJWirQIOZ9E2eYv3LcjE68xjW1k -c5q1GOGvJI7aXADxUZ4lFbz+NUb4Ts4HXHc8gV1Gm0vvmIqv2YfAvL5DXbKLdZxh -73CxKvBMmTXIEQ+vQJ3p1ZnUnb+l6DoxEFWg/hXHmE5jY3P6HIVFdliXF5FEs1lr -9snU2Pn1BDL+TBN7SX0QbKqArWA4qyn6eGH8Z1ULoUVBPCjwC9QuInp/9fqifFYo -OM3A51MDGyc/HCVG6jNJEI5h71QGHlPfyQybpjy7rQSe -=YwXc +mQINBFYJmwQBEADCw7mob8Vzk+DmkYyiv0dTU/xgoSlp4SQwrTzat8MB8jxmx60l +QjmhqEyuB8ho4zzZF9KV+gJWrG6Rj4t69JMTJWM7jFz+0B1PC7kJfNM+VcBmkTnj +fP+KJjqz50ETnsF0kQTG++UJeRYjG1dDK0JQNQJAM6NQpIWJI339lcDf15vzrMnb +OgIlNxV6j1ZZqkle4fvScF1NQxYScRiL+sRgVx92SI4SyD/xZnVGD/szB+4OCzah 
++0Q/MnNGV6TtN0RiCDZjIUYiHoeT9iQXEONKf7T62T4zUafO734HyqGvht93MLVU +GQAeuyx0ikGsULfOsJfBmb3XJS9u+16v7oPFt5WIbeyyNuhUu0ocK/PKt5sPYR4u +ouPq6Ls3RY3BGCH9DpokcYsdalo51NMrMdnYwdkeq9MEpsEKrKIN5ke7fk4weamJ +BiLI/bTcfM7Fy5r4ghdI9Ksw/ULXLm4GNabkIOSfT7UjTzcBDOvWfKRBLX4qvsx4 +YzA5kR+nX85u6I7W10aSqBiaLqk6vCj0QmBmCjlSeYqNQqSzH/6OoL6FZ7lP6AiG +F2NyGveJKjugoXlreLEhOYp20F81PNwlRBCAlMC2Q9mpcFu0dtAriVoG4gVDdYn5 +t+BiGfD2rJlCinYLgYBDpTPcdRT3VKHWqL9fcC4HKmic0mwWg9homx550wARAQAB +tDFJbmZsdXhEQiBQYWNrYWdpbmcgU2VydmljZSA8c3VwcG9ydEBpbmZsdXhkYi5j +b20+iQI3BBMBCgAhBQJWCZsEAhsDBQsJCAcDBRUKCQgLBRYDAgEAAh4BAheAAAoJ +EGhKFM8lguDF9XEQAK9rREnZt6ujh7GXfeNki35bkn39q8GYh0mouShFbFY9o0i3 +UJVChsxokJSRPgFh9GOhOPTupl3rzfdpD+IlWI2Myt6han2HOjZKNZ4RGNrYJ5UR +uxt4dKMWlMbpkzL56bhHlx97RoXKv2d2zRQfw9nyZb6t3lw2k2kKXsMxjGa0agM+ +2SropwYOXdtkz8UWaGd3LYxwEvW3AuhI8EEEHdLetQaYe9sANDvUEofgFbdsuICH +9QLmbYavk7wyGTPBKfPBbeyTxwW2rMUnFCNccMKLm1i5NpZYineBtQbX2cfx9Xsk +1JLOzEBmNal53H2ob0kjev6ufzOD3s8hLu4KMCivbIz4YT3fZyeExn0/0lUtsQ56 +5fCxE983+ygDzKsCnfdXqm3GgjaI90OkNr1y4gWbcd5hicVDv5fD3TD9f0GbpDVw +yDz8YmvNzxMILt5Glisr6aH7gLG/u8jxy0D8YcBiyv5kfY4vMI2yXHpGg1cn/sVu +ZB01sU09VVIM2BznnimyAayI430wquxkZCyMx//BqFM1qetIgk1wDZTlFd0n6qtA +fDmXAC4s5pM5rfM5V57WmPaIqnRIaESJ35tFUFlCHfkfl/N/ribGVDg1z2KDW08r +96oEiIIiV4GfXl+NprJqpNS3Cn+aCXtd7/TsDScDEgs4sMaR29Lsf26cuWk8uQIN +BFYJmwQBEADDPi3fmwn6iwkiDcH2E2V31cHlBw9OdJfxKVUdyAQEhTtqmG9P8XFZ +ERRQF155XLQPLvRlUlq7vEYSROn5J6BAnsjdjsH9LmFMOEV8CIRCRIDePG/Mez2d +nIK5yiU6GkS3IFaQg2T9/tOBKxm0ZJPfqTXbT4jFSfvYJ3oUqc+AyYxtb8gj1GRk +X283/86/bA3C98u7re1vPtiDRyM8r0+lhEc59Yx/EAOL+X2gZyTgyUoH+LLuOWQK +s1egI8y80R8NZfM1nMiQk2ywMsTFwQjSVimScvzqv5Nt8k8CvHUQ3a6R+6doXGNX +5RnUqn9Qvmh0JY5sNgFsoaGbuk2PJrVaGBRnfnjaDqAlZpDhwkWhcCcguNhRbRHp +N7/a0pQr70bAG9VikzLyGC17EU0sxney/hyNHkr4Uyy2OXHpuJvRjVKy/BwZ3fxA +AYX2oZIOxQB3/OulzO/DppaCVhRtp1bt+Z5f+fpisiVb5DvZcMdeyAoQ4+oOr7v3 +EasIs2XYcQ+kOE3Y2kdlHWBeuXzxgWgJZ1OOpwGMjR3Uy6IwhuSWtreJBA4er+Df +vgSPwKBsRLNLbPe3ftjArnC5GfMiGgikVdAUdN4OkEqvUbkRoAVGKTOMLUKm+ZkG 
+OskJOVYS+JAina0qkYEFF7haycMjf9olhqLmTIC+6X7Ox9R2plaOhQARAQABiQIf +BBgBCgAJBQJWCZsEAhsMAAoJEGhKFM8lguDF8ZIP/1q9Sdz8oMvf9AJXZ7AYxm77 +V+kJzJqi62nZLWJnrFXDZJpU+LkYlb3fstsZ1rvBhnrEPSmFxoj72CP0RtcyX7wJ +dA7K1Fl9LpJi5H8300cC7UyG94MUYbrXijbLTbnFTfNr1tGx4a1T/7Yyxx/wZGrT +H/X8cvNybkl33SxDdlQQ9kx3lFOwC41e3TkGsUWxn3TCfvDh8VdA6Py6JeSPFGOb +MEO2/q7oUgvjfV+ivN5ayZi9bWgeqm1sgtmTHHQ4RqwwKrAb5ynXpn1b9QrkevgT +b91uzMA22Prl4DuzKiaMYDcZOQ3vtf0eFBP0GOSSgUKS4bQ3dGgi1JmQ7VuAM4uj ++Ug5TnGoLwclTwLksc7v89C5MMPgm2vVXvCUDzyzQA7bIHFeX+Rziby4nymec4Nr +eeXYNBJWrEp8XR7UNWmEgroXRoN1x9/6esh5pnoUXGAIWuKzSLQM70/wWxS67+v2 +aC1GNb+pXXAzYeIIiyLWaZwCSr8sWMvshFT9REk2+lnb6sAeJswQtfTUWI00mVqZ +dvI3Wys2h0IyIejuwetTUvGhr9VgpqiLLfGzGlt/y2sg27wdHzSJbMh0VrVAK26/ +BlvEwWDCFT0ZJUMG9Lvre25DD0ycbougLsRYjzmGb/3k3UktS3XTCxyBa/k3TPw3 +vqIHrEqk446nGPDqJPS5 +=9iF7 -----END PGP PUBLIC KEY BLOCK----- diff --git a/data/apt/files/gpg-keys/openhab.asc b/data/apt/files/gpg-keys/openhab.asc new file mode 100644 index 0000000..196e60e --- /dev/null +++ b/data/apt/files/gpg-keys/openhab.asc 
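Review bot: The key that apt will trust for the InfluxDB repository is replaced here with no record of how the new key material was verified, and it appears to be the older of the two keys. The uid packet in the added block seems to decode to `InfluxDB Packaging Service <support@influxdb.com>`, while the removed block's decodes to `InfluxData Package Signing Key <support@influxdata.com>`. If the repository signs current releases with the latter, signature verification during `apt update` will fail on the affected hosts. I would put the expected fingerprint and its source in the commit message and compare it against `gpg --show-keys data/apt/files/gpg-keys/influxdb.asc` before merging. The same check applies to the newly added `data/apt/files/gpg-keys/openhab.asc`, whose uid appears to read `openHAB Bintray Repositories <owner@openhab.org>`.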
@@ -0,0 +1,52 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- + +mQINBFWz+OYBEACXcmKiL6ix1e4gJIWVoGMF7Hv0VOVKJgIUF/zJYBqk3sXQp/pi +JbIoODhrrIbEK33mqgy1EfzEmDhEurule59hq9HAQpOEz9hVbghhnsB8eXEQ9yJO +Wf8D8UGi2MKmqkvf7//jvdywNaQG/xhLu2xld7MxjuhswfiUWqoRFRpQoKY2QCe9 +n92qS0MGGK0B6WgapZZPT6AGyqKYtkCA5qUn7bcoEM2236nXhOAYHJh0o4qJ+cBk +BbSx8KEdrZxKQH50gB//gk/K2s+6CbYYOcJX6z3SLa3fxzlbyH9xQhpumAv/++2v +IIJbJHJicsmCKe/SQ7x5xVh90j6xA3oiYZIG78xWL0xnGCPhFws861dR2iON6CSp ++UKDciEQJH+Ew40la+DcHH7tzHlpZpCC1Jv7VBDkhziPrsscgOtYEwfhsq0Pyfpo +0IsyVDBUyj3Nne1NcKShd6+SYFz+gtXkttELi+DZmyA6onatw7LPGFHs8gOVKYBM +PzmERQ1DjlFW+Dc8FEQquYiquzmkyhJUXHVD1G8Mkic8jhccWbv3S7ePanvpgyZ3 +/KBAWk48/sym+zJTLWuJsCCNLI3K6gngexz1MMaRaPkbVK+4aboNLm6YhVlF5RCK +rTzIUAeB4dmu1k8Quqy/nYhYMokB9w5hiPwmGutjbpOntnrfqxvYy1EL1wARAQAB +tDBvcGVuSEFCIEJpbnRyYXkgUmVwb3NpdG9yaWVzIDxvd25lckBvcGVuaGFiLm9y +Zz6JAlQEEwEKAD4CGwMFCwkIBwMFFQoJCAsFFgIDAQACHgECF4AWIQTtt9AwTi/K +9infEWMHVyH2oiQGCgUCXTjCTAUJDwsFBgAKCRAHVyH2oiQGCmfMD/sGZickeBlA ++x8XxfzvwxTnW/8MCvFBa4l/GoK9bALylvekP4adk/aaySMk/zjk231mwmMuttnP +VDg6TwhxhthveAFdbJEkTNhWUqH0FzyN9QwEGfIodjkQSYWwosY+55V0uYp2zfo9 +iHOtxzXjuLnkpZZPyY33qqGruqhnbyo2J09oLNw4MIwOepNMihP5u0nudTXiDivg +eg8lx/4WIIfwDwCe1gSBnU/731B0TIruxz3cQabLgeTuKB13+ajtJGuH1qrHxMVx +CFhD8wCugNj0qcI6NS06SXwLSAFr+xIeFXWVum2okWt2nzPpn7ll/FUG+qRECipt +m1IaEbelUrcuk7dUY75Fz5Fx8S0HtYAcCYYBDnhcaSSq7sK0NklrVz+bQZsJx4hY +ebkiNI/xFM3slOYoRzGWawuVpG/y1/VM/QRPS4uUS5rnvbGLVpn3bR+03FQwZWeb +yfMNke74TlM9+aEJZb1uxYQGLDFNDVNyALtGhDDp0R/FuDR0my3va3GJnZrtUGVg +M5Xfs/ebsKZ+CuLKqlbdZ0zjLUCJoT+tGGT1VPpi83jc+4wZXynj9b9/CWHoDfaN +VKTj95R7c7IOMRH5srpHX3qSzIF2Yav395SxJNuTTxcPCZ+n2M8jhvVnn4x8sWn5 +Ms0cN2tKVmfIbLF/1JempVsifJmRkbqN+rkCDQRVs/jmARAAxrYK7y1WW/szELpQ +guGSJGIjLt3tNGHGLP3lX4G1DlbziysTx3fY+c+hzGAM8WInsABq5fOWqkiLfx3f +wlHdo7bxv3U+xWq+xV9OOx+tjJn2xI3EtZ632pOQtxj/+6Tdcf3tIwOSMKK5kpGw +DU1VoLkWMfJeq0md6TDRB49p82Q1UGTaVCCfHYpvwCyuv1FWhSQuPJJLdP0YRX2i +1L7zyJLUzjmlAmlNoSMSaoozNJoz/XKFOPoJ66Tu8j8j8W+yqcAKeRTPiZXCEjbh 
+3wgxrx3PWV77kOmtfb0sHyxRujdJvEUfixrSoi4qLrE8kCo2OR8d1C5DsMlbZzvF +kHWaNSkOtpWqEGD/+BLs6lejHvbBEvYSsQMF53yH8q1U+9+7CP9wwKKAtN7LQJcw +xUADv/UhSLA/ZZTisaeUVem9vZlnVfANSieYQvy6zWqvKF4FhBpQbVzSINWv/nzu +NR4gg3uJRMHUb4cyfy3mmJ7FwwF8oHQXU+mkILWmiwrMDbq0Mjc8FRL5Bg4iTwS5 +jDGLZ0g4xU0GYi22eAWPL0dpQpA8t5Ja7W+x+VASOtbpnMAJO94YZ4yXlDcDeNJD +uo2y0z+xjuloPrGK+AssCpOBxpBlcrAFRMx5+rpkHSlLtkQNPeBPwXlryafDZ2PA +QsLBxUmFphyBraakmdGP3mR9ThUAEQEAAYkCPAQYAQoAJgIbDBYhBO230DBOL8r2 +Kd8RYwdXIfaiJAYKBQJdOMOgBQkPDFfaAAoJEAdXIfaiJAYKDLgP/iuh/Kppaem/ +wsRs6ehuCyEVz7ZJsKeq9ZL3d0jQy0CaFQRSICucptBeb14rTvf/i5+eEQI7E/bJ +9dLm1mepVS8M3wyn9+pP+Loa7bajEAD5ap08F88q56s+U70HO30qRHxp2yD9ZU0A +joX8pAIS/YaMicm1EFYajpyls/Jcyp2JG2AavRsrQ3iHvGv5Fc2/09E76lwje/Yh +royPhCrVm0adk6sxLfmKNiXBpLb5gzHR81oo20zk0+qYg2pRcVvfd6PvOcsrO4tl +K8kUMyfYixVKJu59xtMdg5ff6qlBrmTXkxyGb0t7VlhnX4UKcVU//+6b0TnBmUaG +61CZ4CGD2VvUMXcM0ihYl85g7+O9u/P2u3mhLX3xEa+rM4XpzqajL+jpt3CGQLkp +TnKZ8g1k9l7UkrHvVs/tBTCPvOEstzMwq2tWNuCbJ7Y9oB6FDPZGM3oFe2ubu2OH +MFT3KmOhD2jhWCXyB1hK/LOmINGfdfulBsK2KLKtKoJMWu2QLyMLa91l3AhzbH+s +7gQY6iC9rTy9qfHGOLTPjrHfkmrBky+KiDx1KVOnQvPqloLbKhkq1KHv8TAonqGK +THbU4Eod0DmWw80Z2zX7jV3BJs9VmDhr5NzpaZCVlrKrL+vIXzFClCYWQQMwfHpO +Yyq3xLVDG/Zs7LmgSAiEITxRFTR4qg7k +=r37a +-----END PGP PUBLIC KEY BLOCK----- diff --git a/data/backup/keys/home.hass.key.vault b/data/backup/keys/home.openhab.key.vault similarity index 100% rename from data/backup/keys/home.hass.key.vault rename to data/backup/keys/home.openhab.key.vault diff --git a/data/backup/keys/home.hass.pub b/data/backup/keys/home.openhab.pub similarity index 100% rename from data/backup/keys/home.hass.pub rename to data/backup/keys/home.openhab.pub diff --git a/data/backup/keys/ns-primary.key.vault b/data/backup/keys/ns-primary.key.vault deleted file mode 100644 index 52bb656..0000000 --- a/data/backup/keys/ns-primary.key.vault +++ /dev/null 
@@ -1 +0,0 @@ -encrypt$gAAAAABj1jTasX0XOFRWh7F0pxNgMoJIjrblvqOM8ohGVCsvVyMEQDiOmGaJCs9lW-lbeghlzRpiC8P7CNot6OOeNXBYWmxN_HgN3J2p6Q5-XoSJ62NUJWQNRNNENuiN1Yy0g0MREk4gVsNh8-VeoXuKgyLEXJQJI-SYLzl8faZoBnQGTK4FbTAiN6KSB4EbTPwxx-8dYp8kNIj4ipBjkQKNu-mXuVvdnf5fTUwTCQx6rz7yjlp7DOPuSJDASg5bE33dd8gt89grW5vBKeEnQsi7hpJCJF5vNfRay89IKfjf6UqxJHKCmS2tIWQ9Kz4Tv41MnNR0-jvnULq7TWcnqwo_SKb8JRLUA3dH2wLiOUu7aApYSkeSNiul2ILCtBPsjY_eWzqdd3tkpJBErOcFVe2mdjVRSIUOXTM_T3nNWCJgn5TxD4qbHklZoCaM6Ey9P_yQj-sSRGizgcDhGiqY8xJNmwbWz9IH5a_Fs6iRVhAh6VzSa1ZAKxcum87dj-KVA_SjG9hy7Dy28xK0D4NoSpYFOkEz4VHpa1tP0t8QJ2WtQiw-qjHFzokkIINEUKUPIBg6t_5oedJ24YMnyyzBZ2_uQ1HFVFjBx-7Iw73bTPNluVwXkobzEnrYFwDsEXGE6tR0HjbteNxj \ No newline at end of file diff --git a/data/backup/keys/ns-primary.pub b/data/backup/keys/ns-primary.pub deleted file mode 100644 index 442d8b9..0000000 --- a/data/backup/keys/ns-primary.pub +++ /dev/null @@ -1 +0,0 @@ -ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL+FCn1sWP74+lVAyaXDpXxCCauh6LC2KEJmIMhDEYvJ kunsi@kunsi-p14s.kunbox.net diff --git a/data/powerdns/files/bind-zones/cybert-media.net b/data/powerdns/files/bind-zones/cybert-media.net new file mode 100644 index 0000000..9ce2544 --- /dev/null +++ b/data/powerdns/files/bind-zones/cybert-media.net @@ -0,0 +1,9 @@ +${header} + +$ORIGIN cybert-media.net. + +@ IN A 159.69.11.231 + IN AAAA 2a01:4f8:c2c:c410::1 + IN TXT "v=spf1 a ~all" + +www IN CNAME cybert-media.net. diff --git a/data/powerdns/files/bind-zones/die-brontosaurier-waren-es.org b/data/powerdns/files/bind-zones/die-brontosaurier-waren-es.org new file mode 100644 index 0000000..8633268 --- /dev/null +++ b/data/powerdns/files/bind-zones/die-brontosaurier-waren-es.org @@ -0,0 +1,9 @@ +${header} + +$ORIGIN die-brontosaurier-waren-es.org. + +; ends up on rx300.kunbox.net +@ IN A 31.47.232.106 + IN AAAA 2a00:f820:528::2 + IN MX 10 rx300.kunbox.net. + IN TXT "v=spf1 mx ~all" 
diff --git a/data/powerdns/files/bind-zones/emails.sexy b/data/powerdns/files/bind-zones/emails.sexy
new file mode 100644
index 0000000..c430731
--- /dev/null
+++ b/data/powerdns/files/bind-zones/emails.sexy
@@ -0,0 +1,3 @@
+${header}
+
+$ORIGIN emails.sexy.
diff --git a/data/powerdns/files/bind-zones/eskalation.jetzt b/data/powerdns/files/bind-zones/eskalation.jetzt
new file mode 100644
index 0000000..fc09ecc
--- /dev/null
+++ b/data/powerdns/files/bind-zones/eskalation.jetzt
@@ -0,0 +1,9 @@
+${header}
+
+$ORIGIN eskalation.jetzt.
+
+
+queere IN NS ns1.athena7.eu.
+queere IN NS ns2.athena7.eu.
+queere IN NS ns3.athena7.eu.
+queere IN NS ns4.athena7.eu.
diff --git a/data/powerdns/files/bind-zones/felix-kunsmann.de b/data/powerdns/files/bind-zones/felix-kunsmann.de
new file mode 100644
index 0000000..ea21366
--- /dev/null
+++ b/data/powerdns/files/bind-zones/felix-kunsmann.de
@@ -0,0 +1,5 @@
+${header}
+
+$ORIGIN felix-kunsmann.de.
+
+@ IN MX 10 rx300.kunbox.net.
diff --git a/data/powerdns/files/bind-zones/flauschehorn.sexy b/data/powerdns/files/bind-zones/flauschehorn.sexy
new file mode 100644
index 0000000..accc22e
--- /dev/null
+++ b/data/powerdns/files/bind-zones/flauschehorn.sexy
@@ -0,0 +1,15 @@ +${header} + +$ORIGIN flauschehorn.sexy. + +@ IN A 5.189.140.103 + IN AAAA 2a02:c207:3002:8320:feed:f2c1:c0ff:ee + IN MX 10 rx300.kunbox.net. + IN TXT "v=spf1 mx ~all" + +_dmarc IN TXT "v=DMARC1; p=quarantine; rua=mailto:hostmaster@kunbox.net; ruf=mailto:postmaster@kunsmann.eu; fo=0:d:s; adkim=r; aspf=r" + +uO4aNejDvVdw8BKne3KJIqAvCQMJ0416._domainkey IN TXT ( "v=DKIM1; k=rsa; " + "p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnh5Ym9PO7r+wdOIKfopvHzn3KU3qT6IlCG/gvvbmIqoeFQfRbAe3gQmcG6RcLue55cJQGhI6y2r0lm59ZeoHR40aM+VabAOlplekM7xWmoXb/9vG2OZLIqAyF4I+7GQmTN6B9keBHp9SWtDUkI0B0G9neZ5MkXJP705M0duxritqQlb4YvCZwteHiyckKcg9aE9j+GF2EEawBoVDp" + "oveoB3+wgde3lWEUjjwKFtXNXxuN354o6jgXgPNWtIEdPMLfK/o0CaCjZNlzaLTsTegY/+67hdHFqDmm8zXO9s+Xiyfq7CVq21t7wDhQ2W1agj+up6lH82FMh5rZNxJ6XB0yQIDAQAB" +) ; diff --git a/data/powerdns/files/bind-zones/franzi.business b/data/powerdns/files/bind-zones/franzi.business new file mode 100644 index 0000000..0f17f37 --- /dev/null +++ b/data/powerdns/files/bind-zones/franzi.business 
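Review bot: The `_dmarc` record sends reports to `hostmaster@kunbox.net` and `postmaster@kunsmann.eu`, both outside flauschehorn.sexy, and nothing in this diff authorizes those domains to receive them. Receivers that apply the external-destination check of RFC 7489 section 7.1 ignore such addresses unless the receiving domain publishes an authorization record. I would add `flauschehorn.sexy._report._dmarc IN TXT "v=DMARC1"` to the kunbox.net and kunsmann.eu zones, or a wildcard `*._report._dmarc`, unless it already exists in the parts of those zones not shown here. The same applies to the `_dmarc` records added in franzi.business, kunsmann.eu (for its `rua` address) and trans-agenda.eu.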
@@ -0,0 +1,43 @@ +${header} + +$ORIGIN franzi.business. + +; ends up on rx300.kunbox.net +@ IN A 31.47.232.106 + IN AAAA 2a00:f820:528::2 + IN MX 10 rx300.kunbox.net. + IN TXT "v=spf1 mx a:sewfile.htz-cloud.kunbox.net ~all" + +chat IN CNAME rx300.kunbox.net. +dimension IN CNAME rx300.kunbox.net. +git IN CNAME rx300.kunbox.net. +jenkins IN CNAME rx300.kunbox.net. +matrix IN CNAME rx300.kunbox.net. +mta-sts IN CNAME rx300.kunbox.net. +netbox IN CNAME rx300.kunbox.net. +sewfile IN CNAME sewfile.htz-cloud.kunbox.net. +paste IN CNAME rx300.kunbox.net. +postfixadmin IN CNAME rx300.kunbox.net. +radicale IN CNAME rx300.kunbox.net. +rss IN CNAME rx300.kunbox.net. +status IN CNAME icinga2.ovh.kunbox.net. +tickets IN CNAME franzi-business.cname.pretix.eu. +travelynx IN CNAME rx300.kunbox.net. +wiki IN CNAME rx300.kunbox.net. +woodpecker IN CNAME rx300.kunbox.net. + +_matrix._tcp IN SRV 10 10 443 matrix + +_dmarc IN TXT "v=DMARC1; p=quarantine; rua=mailto:hostmaster@kunbox.net; ruf=mailto:postmaster@kunsmann.eu; fo=0:d:s; adkim=r; aspf=r" +_mta-sts IN TXT "v=STSv1;id=20201111;" +_smtp._tls IN TXT "v=TLSRPTv1;rua=mailto:hostmaster@kunbox.net" +_token._dnswl IN TXT "gg3mbwjx9bbuo5osvh7oz6bc881wcmc" + +2019._domainkey IN TXT ( "v=DKIM1; k=rsa; " + "p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwkg6UAcu3V98hal1UVf6yB0WT1CKDS0AK83CUlSP8bUwraPxkxK1nkQOUsmjbQs6a3FhdsKprMi32GeUaTVvZg81JIybPk3jNugfNWfSjs2TXPomYu+XD2pmmbR3cZlzC5NGR2nmBFt/P/S2ihPHj35KziiBIwK1TdvOi1M2+upCjK33Icco0ByCm0gJpD2O0cbqcBcUKqd6X440" + "vYhNXH1ygp0e91P0iRnvS9sg6yD0xjD8kD6j/8GfxBY+9bpU3EvDoBgyJSbjw5b6PUVJbKMXzw1NIRNj0SXKs5BakjS8+7u62vR11IPCYRwy+yr0rDT0tNegM7gStIIgoTpOoQIDAQAB" +) ; +uO4aNejDvVdw8BKne3KJIqAvCQMJ0416._domainkey IN TXT ( "v=DKIM1; k=rsa; " + "p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnh5Ym9PO7r+wdOIKfopvHzn3KU3qT6IlCG/gvvbmIqoeFQfRbAe3gQmcG6RcLue55cJQGhI6y2r0lm59ZeoHR40aM+VabAOlplekM7xWmoXb/9vG2OZLIqAyF4I+7GQmTN6B9keBHp9SWtDUkI0B0G9neZ5MkXJP705M0duxritqQlb4YvCZwteHiyckKcg9aE9j+GF2EEawBoVDp" + 
"oveoB3+wgde3lWEUjjwKFtXNXxuN354o6jgXgPNWtIEdPMLfK/o0CaCjZNlzaLTsTegY/+67hdHFqDmm8zXO9s+Xiyfq7CVq21t7wDhQ2W1agj+up6lH82FMh5rZNxJ6XB0yQIDAQAB" +) ; diff --git a/data/powerdns/files/bind-zones/kunbox.net b/data/powerdns/files/bind-zones/kunbox.net index 25a0273..ba40c0b 100644 --- a/data/powerdns/files/bind-zones/kunbox.net +++ b/data/powerdns/files/bind-zones/kunbox.net @@ -1,14 +1,4 @@ -$TTL 60 -@ IN SOA ns-primary.kunbox.net. hostmaster.kunbox.net. ( - ${SERIAL} - 3600 - 600 - 86400 - 300 - ) - - -${NAMESERVERS} +${header} $ORIGIN kunbox.net. @@ -20,10 +10,6 @@ $ORIGIN kunbox.net. IN MX 10 rx300 IN TXT "v=spf1 mx ~all" -; delegate acme stuff to psql-managed zone -_acme-challenge IN CNAME _acme-challenge.kunbox.net.le.kunbox.net. -_acme-challenge.home IN CNAME _acme-challenge.home.kunbox.net.le.kunbox.net. - ; Mail servers mta-sts IN CNAME rx300 diff --git a/data/powerdns/files/bind-zones/kunsmann.eu b/data/powerdns/files/bind-zones/kunsmann.eu new file mode 100644 index 0000000..ed4ff73 --- /dev/null +++ b/data/powerdns/files/bind-zones/kunsmann.eu 
@@ -0,0 +1,31 @@ +${header} + +$ORIGIN kunsmann.eu. + +; ends up on rx300.kunbox.net +@ IN A 31.47.232.106 + IN AAAA 2a00:f820:528::2 + IN MX 10 rx300.kunbox.net. + IN TXT "v=spf1 mx ~all" + +git IN CNAME rx300.kunbox.net. +grafana IN CNAME influxdb.htz-cloud.kunbox.net. +icinga IN CNAME icinga2.ovh.kunbox.net. +influxdb IN CNAME influxdb.htz-cloud.kunbox.net. +luther-ps IN CNAME luther.htz-cloud.kunbox.net. +mta-sts IN CNAME rx300.kunbox.net. +statusmonitor.icinga IN CNAME icinga2.ovh.kunbox.net. + +_dmarc IN TXT "v=DMARC1; p=quarantine; rua=mailto:hostmaster@kunbox.net; ruf=mailto:postmaster@kunsmann.eu; fo=0:d:s; adkim=r; aspf=r" +_mta-sts IN TXT "v=STSv1;id=20201111;" +_smtp._tls IN TXT "v=TLSRPTv1;rua=mailto:hostmaster@kunbox.net" +_token._dnswl IN TXT "5mx0rv9ru8s1zz4tf4xlt48osh09czmg" + +2019._domainkey IN TXT ( "v=DKIM1; k=rsa; " + "p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwkg6UAcu3V98hal1UVf6yB0WT1CKDS0AK83CUlSP8bUwraPxkxK1nkQOUsmjbQs6a3FhdsKprMi32GeUaTVvZg81JIybPk3jNugfNWfSjs2TXPomYu+XD2pmmbR3cZlzC5NGR2nmBFt/P/S2ihPHj35KziiBIwK1TdvOi1M2+upCjK33Icco0ByCm0gJpD2O0cbqcBcUKqd6X440" + "vYhNXH1ygp0e91P0iRnvS9sg6yD0xjD8kD6j/8GfxBY+9bpU3EvDoBgyJSbjw5b6PUVJbKMXzw1NIRNj0SXKs5BakjS8+7u62vR11IPCYRwy+yr0rDT0tNegM7gStIIgoTpOoQIDAQAB" +) ; +uO4aNejDvVdw8BKne3KJIqAvCQMJ0416._domainkey IN TXT ( "v=DKIM1; k=rsa; " + "p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnh5Ym9PO7r+wdOIKfopvHzn3KU3qT6IlCG/gvvbmIqoeFQfRbAe3gQmcG6RcLue55cJQGhI6y2r0lm59ZeoHR40aM+VabAOlplekM7xWmoXb/9vG2OZLIqAyF4I+7GQmTN6B9keBHp9SWtDUkI0B0G9neZ5MkXJP705M0duxritqQlb4YvCZwteHiyckKcg9aE9j+GF2EEawBoVDp" + "oveoB3+wgde3lWEUjjwKFtXNXxuN354o6jgXgPNWtIEdPMLfK/o0CaCjZNlzaLTsTegY/+67hdHFqDmm8zXO9s+Xiyfq7CVq21t7wDhQ2W1agj+up6lH82FMh5rZNxJ6XB0yQIDAQAB" +) ; diff --git a/data/powerdns/files/bind-zones/trans-agenda.de b/data/powerdns/files/bind-zones/trans-agenda.de new file mode 100644 index 0000000..7da66d3 --- /dev/null +++ b/data/powerdns/files/bind-zones/trans-agenda.de 
@@ -0,0 +1,4 @@ +${header} + +$ORIGIN trans-agenda.de. + diff --git a/data/powerdns/files/bind-zones/trans-agenda.eu b/data/powerdns/files/bind-zones/trans-agenda.eu new file mode 100644 index 0000000..4c665ee --- /dev/null +++ b/data/powerdns/files/bind-zones/trans-agenda.eu @@ -0,0 +1,22 @@ +${header} + +$ORIGIN trans-agenda.eu. + +@ IN MX 10 rx300.kunbox.net. + IN TXT "v=spf1 a mx ~all" + +mta-sts IN CNAME rx300.kunbox.net. + +_dmarc IN TXT "v=DMARC1; p=quarantine; rua=mailto:hostmaster@kunbox.net; ruf=mailto:postmaster@kunsmann.eu; fo=0:d:s; adkim=r; aspf=r" +_mta-sts IN TXT "v=STSv1;id=20201111;" +_smtp._tls IN TXT "v=TLSRPTv1;rua=mailto:hostmaster@kunbox.net" +_token._dnswl IN TXT "5mx0rv9ru8s1zz4tf4xlt48osh09czmg" + +2019._domainkey IN TXT ( "v=DKIM1; k=rsa; " + "p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwkg6UAcu3V98hal1UVf6yB0WT1CKDS0AK83CUlSP8bUwraPxkxK1nkQOUsmjbQs6a3FhdsKprMi32GeUaTVvZg81JIybPk3jNugfNWfSjs2TXPomYu+XD2pmmbR3cZlzC5NGR2nmBFt/P/S2ihPHj35KziiBIwK1TdvOi1M2+upCjK33Icco0ByCm0gJpD2O0cbqcBcUKqd6X440" + "vYhNXH1ygp0e91P0iRnvS9sg6yD0xjD8kD6j/8GfxBY+9bpU3EvDoBgyJSbjw5b6PUVJbKMXzw1NIRNj0SXKs5BakjS8+7u62vR11IPCYRwy+yr0rDT0tNegM7gStIIgoTpOoQIDAQAB" +) ; +uO4aNejDvVdw8BKne3KJIqAvCQMJ0416._domainkey IN TXT ( "v=DKIM1; k=rsa; " + "p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnh5Ym9PO7r+wdOIKfopvHzn3KU3qT6IlCG/gvvbmIqoeFQfRbAe3gQmcG6RcLue55cJQGhI6y2r0lm59ZeoHR40aM+VabAOlplekM7xWmoXb/9vG2OZLIqAyF4I+7GQmTN6B9keBHp9SWtDUkI0B0G9neZ5MkXJP705M0duxritqQlb4YvCZwteHiyckKcg9aE9j+GF2EEawBoVDp" + "oveoB3+wgde3lWEUjjwKFtXNXxuN354o6jgXgPNWtIEdPMLfK/o0CaCjZNlzaLTsTegY/+67hdHFqDmm8zXO9s+Xiyfq7CVq21t7wDhQ2W1agj+up6lH82FMh5rZNxJ6XB0yQIDAQAB" +) ; diff --git a/data/powerdns/files/bind-zones/warnochwas.de b/data/powerdns/files/bind-zones/warnochwas.de new file mode 100644 index 0000000..2ff9e1f --- /dev/null +++ b/data/powerdns/files/bind-zones/warnochwas.de @@ -0,0 +1,3 @@ +${header} + +$ORIGIN warnochwas.de. 
diff --git a/data/ssl/_.franzi.business.crt.pem b/data/ssl/_.franzi.business.crt.pem index b55b2de..50d05c7 100644 --- a/data/ssl/_.franzi.business.crt.pem +++ b/data/ssl/_.franzi.business.crt.pem 
@@ -1,27 +1,27 @@ -----BEGIN CERTIFICATE----- -MIIEijCCA3KgAwIBAgISA8l+oC4pMh1Q/UNiEPuiw39OMA0GCSqGSIb3DQEBCwUA +MIIEiTCCA3GgAwIBAgISBEiaFE6qZ3+AhUkmqKta5OSuMA0GCSqGSIb3DQEBCwUA MDIxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQD -EwJSMzAeFw0yMzAxMjkwNDM5NTFaFw0yMzA0MjkwNDM5NTBaMBoxGDAWBgNVBAMT -D2ZyYW56aS5idXNpbmVzczB2MBAGByqGSM49AgEGBSuBBAAiA2IABMlQ1P5Y0aZ5 -vUzB4TAP8iIuiO3GJnYhnKrbe/Lz3gf6Ct9bGM4JLY3RI9xcSmol3sNKdVmbHMRe -z63GW4twSnS517axo6jcT0YQkFVyhWHvLnpBW42M1FpjzaDCbs74zKOCAl4wggJa +EwJSMzAeFw0yMjExMDYwNjA3MTZaFw0yMzAyMDQwNjA3MTVaMBoxGDAWBgNVBAMT +D2ZyYW56aS5idXNpbmVzczB2MBAGByqGSM49AgEGBSuBBAAiA2IABFdgHf2P15+0 +as3iN/M7itWsdWCtH35cGIf871AeU5OhB4JDNbb5aDsho9ga/vIsjpB1Xh3EhNvP +I3b8KT9JUUE/dIRaWvNp8OSKihiU72mXIIlmslVW2AeqwBGMU0L+46OCAl0wggJZ MA4GA1UdDwEB/wQEAwIHgDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIw -DAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQURw5+tfBU0aOBqfN40kz43fUcjx4wHwYD +DAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQUsY9YAWIXWlFiQi/JImI6LFxrc6gwHwYD VR0jBBgwFoAUFC6zF7dYVsuuUAlA5h+vnYsUwsYwVQYIKwYBBQUHAQEESTBHMCEG CCsGAQUFBzABhhVodHRwOi8vcjMuby5sZW5jci5vcmcwIgYIKwYBBQUHMAKGFmh0 dHA6Ly9yMy5pLmxlbmNyLm9yZy8wLQYDVR0RBCYwJIIRKi5mcmFuemkuYnVzaW5l c3OCD2ZyYW56aS5idXNpbmVzczBMBgNVHSAERTBDMAgGBmeBDAECATA3BgsrBgEE AYLfEwEBATAoMCYGCCsGAQUFBwIBFhpodHRwOi8vY3BzLmxldHNlbmNyeXB0Lm9y -ZzCCAQUGCisGAQQB1nkCBAIEgfYEgfMA8QB3AHoyjFTYty22IOo44FIe6YQWcDIT -hU070ivBOlejUutSAAABhfwJ/TEAAAQDAEgwRgIhAINjOWzyMeYZYFNk5cdghSwA -JDuxKo8/ubIlsAV9ymJWAiEAuVZjp2GQ0RmFyGVDiF865uC4lTtzMIwmpgwYiBqg -DQsAdgCt9776fP8QyIudPZwePhhqtGcpXc+xDCTKhYY069yCigAAAYX8Cf1OAAAE -AwBHMEUCIGoeOIHC8O+zj/3E89BHv+9siaKSOy/2I6i53V5faX3EAiEAsk/Lhr/0 -NpogdjroYqt1sKvTzmO0BrxWJ5a41JQdtX0wDQYJKoZIhvcNAQELBQADggEBAIM4 -moszjbZGKjaoCtsj5t7Dtxu/JmE9gOnwfxnUrDKn0T00dKQi8Mk6a4C5vdGnxorO -lj8VutznRvp1RKxb6WWyk0iW22rLm+kTudf/vf9lY0X7DmD/u3MO2tGumwjMdLRT -QgxP+yu8R03ZppnuzYZhERAbY6AuC/U+owiYjNfF4v1Eyn4zxe6L2v0UWGnBWObb -xv5RbhHFezr676GaLIrcVh0rN6YNK2J1Cei2pNtAVSLiSJvuuO5Qq1KE7wQqbGd+ 
-lqK2tcEZRtzaFrpW7C0ZW7LpgO8zdeN4BtD25ozhGJO/0H5hhKpQ/wtWqXYKkhC/ -G47QSheqKqJnHOCL0hA= +ZzCCAQQGCisGAQQB1nkCBAIEgfUEgfIA8AB2ALc++yTfnE26dfI5xbpY9Gxd/ELP +ep81xJ4dCYEl7bSZAAABhEvD10MAAAQDAEcwRQIhAM2BBzR9UWZNuK3+nk6AdaJL +1j8OvFPZnb+CJqdYtBe8AiAJM4kwOyZLzK/ZGXzwBJLjRTXs2hJZ4qXUzszhv/hs ++QB2AHoyjFTYty22IOo44FIe6YQWcDIThU070ivBOlejUutSAAABhEvD2UYAAAQD +AEcwRQIgfMXcWDFe5IKe6n4D9t3zpecF7wCIje8pBd4WQ3OfxM4CIQDpGTCU2pUI +Hfwkq+6a2j6Lh3baERBbrfnGDF2AOjjelzANBgkqhkiG9w0BAQsFAAOCAQEAMGiD +9uo+WVO+p/HFA+bHM/1ZaTDBONP72YHPx0tdFvQAPQ59n8n6KsE2w9cioNHiRYVv +WhoHjWXtzsCiJzNvc4wuTCxJkBtfSAvsOGqGMQJ+cQym+aSBKqSKvKsIQQjOmz/p +sere5gqTkhuCfnbF8AL7JqDFld4knlbzzsdhj0SjcAO4OUA8SdHdGq192hVRB+nL +IFb6Ax4jD/fQ19j+uL+F1MgMmwUkVF77X279FGlax9PGpmQ47aLj5w7qDpZxfHf9 +Z2nq14Bk6USZcz9hR+gq38lvo6aU/0MvPey9QiIzLg78K0gEQ1o3qoUIl+9erSLR +ssU+fmyZoeNBV6q8xw== -----END CERTIFICATE----- diff --git a/data/ssl/_.franzi.business.key.pem.vault b/data/ssl/_.franzi.business.key.pem.vault index 9a5202f..60ada7b 100644 --- a/data/ssl/_.franzi.business.key.pem.vault +++ b/data/ssl/_.franzi.business.key.pem.vault 
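Review bot: The certificate on the new side appears to expire earlier than the one it replaces. The validity field in the added lines seems to decode to 2022-11-06 through 2023-02-04, against 2023-01-29 through 2023-04-29 in the removed lines. Confirm with `openssl x509 -noout -dates -in data/ssl/_.franzi.business.crt.pem`, and check that `_.franzi.business.key.pem.vault` holds the key for this certificate, since the two files change together. The added and removed lines of `data/ssl/_.home.kunbox.net.crt.pem` show the same pattern.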
@@ -1 +1 @@ -encrypt$gAAAAABj1gankGocRRCdH6WqCUFJ6UtA1f07KpXYh4KcelenJv0ZbQ98f2nwIk29iXWEIsS9FTiRyEG95u_Lmm_p7GbKCMDSIZfZgAC2I3tp_BxZPerhEkwxTT_BjEYHRjMDFrzwoAypTO1Mj_XiT_CYvAZptHI3MZcI9QwPVw-CMJ4KqzG-IztkW8KVnuM7agiBdUt4IYkLyeZ0IoL4nOIWANtdM-y4rILv6N7WIMw6dgsSvLPEQR-PYdNLq866IR0-yFGOfYcQKOvpBqAt6A69E6JxSm3AakaJaS75QYF2lzGVjTfrFoGz60LUjC60KuTsu3dUckGUm7JEq1BSMxvc5b_a6pCazvoAnM0gbtbM_DjL0phLj7VWZEg-_1CHfc2S0-UxbxBjLKJ3NPPs93_En5RWxqxkhvvZgxzWJqQWP2eBprge8Q_EEXkMbxumVVx9Ymdynlw2AgkQhVVJIu_vnsZ4Uc8vIA== \ No newline at end of file +encrypt$gAAAAABjZ10m0BnUbl5777KN6VHf6uAdtcs15-osbqRoQq6epRuWllD-ziy_2N7BrOkRcmfSJaB8zZ1l1bLD6ws3SlI7jvbkahvWnuKinkGiE30SGGjqr6MY_NJGawdox8OJWrsWLFYJJjrePl_mmVtx9G41oBreKizj1YPswzbzsFociJ0zF0xlx99sjjLxRB5PEaI3fwK1eXDmODGZ__dwKxINGSB2zxPb10Vwtnsp3cmaUiKh1TfIghQAm523cAuHPys1-tNXuJpvhPY3tIxB5gHZYiBXMzcS64mD1KqEubsnplxQlK-N_mJ7Q6n0xReG00pqvm5twRI5g7PoHYLH7nZI7KYOSI2XMAS7gP6Uy-H60BQKAHXuX4yutznVRJspv0wa4kfW9vcBfFECBhFeC8tAAkgAc-NvAsDYk6tYSi2k3N2zXsiyHy0NL-JMnUEicQT3YZNnfkoYqjuxwFbQvgtZZun38w== \ No newline at end of file diff --git a/data/ssl/_.home.kunbox.net.crt.pem b/data/ssl/_.home.kunbox.net.crt.pem index 7449694..317b57b 100644 --- a/data/ssl/_.home.kunbox.net.crt.pem +++ b/data/ssl/_.home.kunbox.net.crt.pem 
@@ -1,27 +1,27 @@ -----BEGIN CERTIFICATE----- -MIIEijCCA3KgAwIBAgISA28YyqkbxYen4u/lcNEqBY7lMA0GCSqGSIb3DQEBCwUA +MIIEijCCA3KgAwIBAgISA7oUZzeuZgmxMvP1zm5RtCGYMA0GCSqGSIb3DQEBCwUA MDIxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQD -EwJSMzAeFw0yMzAxMjkwOTE0MjZaFw0yMzA0MjkwOTE0MjVaMBoxGDAWBgNVBAMT -D2hvbWUua3VuYm94Lm5ldDB2MBAGByqGSM49AgEGBSuBBAAiA2IABCsS8YhWoIvn -yMOjY8LtjQ8+Pa58DBckQ1lnktMo1T3bfwxMxTGH+iYdOT4kHWOen6aNzdXqrerA -YjTN/MRBCR8tMZglzmshUG7qpzI/s89QSL6+KoCV5Pl0mEWLSvrLFKOCAl4wggJa +EwJSMzAeFw0yMjExMDYwNjA3MTdaFw0yMzAyMDQwNjA3MTZaMBoxGDAWBgNVBAMT +D2hvbWUua3VuYm94Lm5ldDB2MBAGByqGSM49AgEGBSuBBAAiA2IABDcmJYSIKimG +w9hUy0guhMoubPJ+QcSioL4TjuqKmgVCXXEHzkGuaCQTwRX7BiHOyH+3nqcm7N1x +qF5rucOxJoKgGW40ZjemdWAVDGYm3euEU0Td0V+L6z/L/cWe25YwoKOCAl4wggJa MA4GA1UdDwEB/wQEAwIHgDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIw -DAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQUtCIXQGA7PP7mGdMLuN3nYsynu4wwHwYD +DAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQUJkY/Eq6HUOrPZyW+Y+4/uiG0/8swHwYD VR0jBBgwFoAUFC6zF7dYVsuuUAlA5h+vnYsUwsYwVQYIKwYBBQUHAQEESTBHMCEG CCsGAQUFBzABhhVodHRwOi8vcjMuby5sZW5jci5vcmcwIgYIKwYBBQUHMAKGFmh0 dHA6Ly9yMy5pLmxlbmNyLm9yZy8wLQYDVR0RBCYwJIIRKi5ob21lLmt1bmJveC5u ZXSCD2hvbWUua3VuYm94Lm5ldDBMBgNVHSAERTBDMAgGBmeBDAECATA3BgsrBgEE AYLfEwEBATAoMCYGCCsGAQUFBwIBFhpodHRwOi8vY3BzLmxldHNlbmNyeXB0Lm9y -ZzCCAQUGCisGAQQB1nkCBAIEgfYEgfMA8QB2ALc++yTfnE26dfI5xbpY9Gxd/ELP -ep81xJ4dCYEl7bSZAAABhf0FYYAAAAQDAEcwRQIgLCh9130fH81/vY6Ps7inMh3l -GEM8GPiDEHk68oq2R9wCIQCnHdc9Seo+qTRnc6DcoKvyC9azNFEZBiikMgoIJkyq -6gB3AHoyjFTYty22IOo44FIe6YQWcDIThU070ivBOlejUutSAAABhf0FYZgAAAQD -AEgwRgIhAM3M2KLdUfIiqVgaMqIH1ust2lUjR10gwN8juONeXZoMAiEA2KArQKYG -GbhN/dWqht+So4Ni3/K5Vwcfb91ewthPR6swDQYJKoZIhvcNAQELBQADggEBALhs -LaBZ27UoZOqukblSD8EyoLnJ3Cplg1r3J9+e4QNzySjsDpYr/w+Y4mUT/nGAGgGL -4b1cHD57XnQB1yvB3Dv9aowg+Udo4eTNY41FMgouYhYFowi5gWYoQhpIFOpwvd0v -Cmrl4PPta2Ytbg/FMNxOt47E0sUL2zASMCKTKcPsIpcpEG7w8jBGcCX7e3NCG36z -K4jZqW3Pd3BZe1e7ywUyF/SSw38Pv1rFbBxuSh+kDjQfcOWN75oOyyKgcLsGBxfy 
-850WclzgMTnRRlZGaiUTVQ7uPkB44DIhTT6afxPMDKrtRLkd5LHownE3NPUTyfDx -cK9weiaIniziAnEjUr4= +ZzCCAQUGCisGAQQB1nkCBAIEgfYEgfMA8QB3AK33vvp8/xDIi509nB4+GGq0Zyld +z7EMJMqFhjTr3IKKAAABhEvD2XwAAAQDAEgwRgIhAMzxM2rXgjZDrPm6jKHUS4u3 +BxokYdBgO63klZ5iuEyLAiEAinyT+YKDotIyWcUHvl0tpANYq+XlJaELvg7aCcwj +3MgAdgC3Pvsk35xNunXyOcW6WPRsXfxCz3qfNcSeHQmBJe20mQAAAYRLw9tCAAAE +AwBHMEUCIQDTNayLb2lW5oNnj1bJaqbcOnjOktsPSYUGaokd6iBeUQIgOak7kR7e +rAvW3CwA1QSZgqRHLn86UFfGc0pVHNDb3e4wDQYJKoZIhvcNAQELBQADggEBABdr +R6NgzfgNT2WVTpZOpgLEPO58WKBEofMtVTRDjDKinSvDUFRhJAEjoXKxZXtEG+yH +VhGGLcmh+6mn8+8yz1qEngA3uGiHS533aOUbP3cCbfqRCeuKMS+5ojjOlKb3xZj4 +uRGvxw90wY3RYwn8k3/beEs+TaNnFU+NtBwScy+/8aRHG5rBQjdBWZHpcB4/wT0V +cLakTharwRHVw11GFlEk60k2JMEtCLkBjKq/CpbusQZHd1uVyzhWC802lWRqY4nq +YTO3Z8FNRGOaHVcydX6wMlQg/t+1hYgCC6HWhuOf8AOr+kkg4zSdv0YvAYuOzY8X +sc1/2y3z9deYm4qHw/w= -----END CERTIFICATE----- diff --git a/data/ssl/_.home.kunbox.net.key.pem.vault b/data/ssl/_.home.kunbox.net.key.pem.vault index f3cc906..6dd0aa4 100644 --- a/data/ssl/_.home.kunbox.net.key.pem.vault +++ b/data/ssl/_.home.kunbox.net.key.pem.vault 
@@ -1 +1 @@ -encrypt$gAAAAABj1kcBpq8c_Ez3JkYJIB0evClkcblewwzBEbl4rfcd-3Z2xFlQ8OggIxGdlLGWjIN_ZBaENvXcqy4ZYlwpXgqrZJpBao8WyovZiKLK759r8qVRjbIBvHnH90t_JZ3-MydlpD1mUzHUy5oQq5Qn8jLoRTzHE2TM8VyhaBkMVQ9gacHdqNGW6dsvCRzXCQM1CNqs8pyc8nQxdARjv_FGwSeZlCxcYPSLEBeE-Hf-wJyVWnG7oyq9XKUyI8NWLPQNwWUjzMgKwumtDh21goRsSRAtLLFmqE_iU1IyZYwNh4J3SBMZKBl0fATtHXhnW1_k-RA1-l54PFMTR0KgS-uxYtqZ1Az0t1KEfEvyzfHAQLJ8RIwOOVtPNUvhSiMHr3jG0WpxymilOLfjFpnCZ8E_CA6L8hmytXEBfoM4ZHMCWzOIe_9tIKcMS146NOzaPnCXpKFganNuvV_S7zEn33zv-jYEHD4d8A== \ No newline at end of file +encrypt$gAAAAABjZ10mtywN2Tx7b0-sZywDVcNo5gQbnzjwlMjQPktMwmRBwGMbQVcwuGhhopu5vd4Ztw8aGO5lf-SQmLWgdpR4aIrPNx1Iu4urF2LMV-BMLSgmF85ADQzlbiBvrzGAnIoVUjwXYyGj1Wst4feWMKBDc_kThinYhSplMZ_yjEbMj0eMGRzjSclkvAm24KWi7l_LQAklRELuQQyopHDo47AxehNI-nvLfO0FfXZJpkdrMV1V8lSqyXwBSW3McJKH8bbmVEX8qq-mNntBNpe3n5V2ninj72aC0D572hfMp-jKC6xccf-CqnmX1qaWGGj1yiFDdBxfOSU-kO6204BVtfspMtkI75YAYE_7aA-GUiHfXaNHvDhf2uMb8ssbJUdvGS_oLx1qnKiyeyJ6RRhl71xxXjNEo0hPYYY1BGj6hjq30R8aGknkQNCjyCD87Sc7qh95KpMmY4d82xI70xeS4mk8hEgCow== \ No newline at end of file diff --git a/groups/features.py b/groups/features.py index 54a58a7..4605270 100644 --- a/groups/features.py +++ b/groups/features.py @@ -12,6 +12,10 @@ groups['dns'] = { }, 'metadata': { 'powerdns': { + 'features': { + 'bind': True, + 'pgsql': True, + }, # Overridden in node metadata for primary server 'is_secondary': True, }, diff --git a/groups/os.py b/groups/os.py index a1f3b72..4fa97f7 100644 --- a/groups/os.py +++ b/groups/os.py @@ -71,6 +71,7 @@ groups['debian'] = { 'bundles': { 'apt', 'backup-client', + 'molly-guard', }, 'os': 'debian', 'pip_command': 'pip3', diff --git a/hooks/test_backup_metadata.py b/hooks/test_backup_metadata.py index c8498eb..4937989 100644 --- a/hooks/test_backup_metadata.py +++ b/hooks/test_backup_metadata.py 
@@ -2,7 +2,6 @@ from bundlewrap.exceptions import BundleError from bundlewrap.utils.text import bold, green, yellow from bundlewrap.utils.ui import io - def test_node(repo, node, **kwargs): if not node.has_bundle('backup-client'): return diff --git a/hooks/test_metadata_dashes_vs_underscores.py b/hooks/test_metadata_dashes_vs_underscores.py index b7c7419..698ab56 100644 --- a/hooks/test_metadata_dashes_vs_underscores.py +++ b/hooks/test_metadata_dashes_vs_underscores.py @@ -4,7 +4,6 @@ from bundlewrap.exceptions import BundleError from bundlewrap.utils.text import bold, green from bundlewrap.utils.ui import io - def test_underscore_vs_dash(node, metadata, path=[]): for k, v in metadata.items(): if not isinstance(k, str): diff --git a/libs/faults.py b/libs/faults.py index 91d8b2f..ad3735c 100644 --- a/libs/faults.py +++ b/libs/faults.py @@ -1,4 +1,4 @@ -from json import dumps, loads +from json import loads, dumps from bundlewrap.metadata import metadata_to_json from bundlewrap.utils import Fault diff --git a/libs/firewall.py b/libs/firewall.py index b343824..68b852d 100644 --- a/libs/firewall.py +++ b/libs/firewall.py @@ -1,5 +1,5 @@ -from ipaddress import IPv4Network, ip_network from os.path import abspath, dirname, join +from ipaddress import ip_network, IPv4Network REPO_PATH = dirname(dirname(abspath(__file__))) diff --git a/libs/keys.py b/libs/keys.py index 4db382b..1565fee 100644 --- a/libs/keys.py +++ b/libs/keys.py @@ -1,11 +1,8 @@ import base64 - -from nacl.encoding import Base64Encoder from nacl.public import PrivateKey - +from nacl.encoding import Base64Encoder from bundlewrap.utils import Fault - def gen_privkey(repo, identifier): return repo.vault.random_bytes_as_base64_for(identifier) diff --git a/libs/tools.py b/libs/tools.py index 40afde2..8e225a5 100644 --- a/libs/tools.py +++ b/libs/tools.py 
@@ -1,10 +1,9 @@ -from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network +from ipaddress import ip_address, ip_network, IPv4Address, IPv4Network -from bundlewrap.exceptions import BundleError, NoSuchGroup, NoSuchNode +from bundlewrap.exceptions import NoSuchGroup, NoSuchNode, BundleError from bundlewrap.utils.text import bold, red from bundlewrap.utils.ui import io - def resolve_identifier(repo, identifier): """ Try to resolve an identifier (group or node). Return a set of ip diff --git a/nodes.py b/nodes.py index b9110ad..75e6f1f 100644 --- a/nodes.py +++ b/nodes.py @@ -3,7 +3,6 @@ from os.path import join from pathlib import Path import bwpass - from bundlewrap.metadata import atomic from bundlewrap.utils import error_context diff --git a/nodes/entropia-jira.toml b/nodes/entropia-jira.toml index 84af119..d648b3a 100644 --- a/nodes/entropia-jira.toml +++ b/nodes/entropia-jira.toml @@ -5,18 +5,13 @@ dummy = true period = "daytime" pretty_name = "ticket.gulas.ch" -[metadata.icinga2_api.nginx.services."NGINX VHOST ticket-redirect CERTIFICATE"] -check_command = "check_https_cert_at_url" -"vars.domain" = "ticket.gulas.ch" -"vars.notification.mail" = true - [metadata.icinga2_api.nginx.services."NGINX VHOST jira CERTIFICATE"] check_command = "check_https_cert_at_url" -"vars.domain" = "jira.gulas.ch" +"vars.domain" = "ticket.gulas.ch" "vars.notification.mail" = true [metadata.icinga2_api.nginx.services."NGINX VHOST jira CONTENT"] check_command = "check_http_wget" "vars.http_wget_contains" = "login.jsp" -"vars.http_wget_url" = "https://jira.gulas.ch/secure/Dashboard.jspa" +"vars.http_wget_url" = "https://ticket.gulas.ch/secure/Dashboard.jspa" "vars.notification.sms" = true diff --git a/nodes/fkusei-locutus.py b/nodes/fkusei-locutus.py index 397e851..7340a46 100644 --- a/nodes/fkusei-locutus.py +++ b/nodes/fkusei-locutus.py 
@@ -76,12 +76,18 @@ nodes['fkusei-locutus'] = { # video drivers 'xf86-video-intel': {}, + # for i3pystatus + 'iw': {}, + 'wireless_tools': {}, + # all that other random stuff one needs 'apachedirectorystudio': {}, 'direnv': {}, 'freerdp': {}, + 'mosquitto': {}, 'sdl_ttf': {}, # for compiling testcard 'thermald': {}, + 'virt-manager': {}, }, }, 'systemd-boot': { diff --git a/nodes/gce/bind01.py b/nodes/gce/bind01.py index 7239082..3dce25c 100644 --- a/nodes/gce/bind01.py +++ b/nodes/gce/bind01.py @@ -3,12 +3,19 @@ nodes['gce.bind01'] = { 'hostname': '34.89.208.78', + 'bundles': { + 'nodejs', + 'powerdnsadmin', + }, 'groups': { - 'debian-bullseye', + 'debian-buster', 'dns', + 'webserver', }, 'metadata': { 'backups': { + # This is the primary DNS server. However, we only use + # replication for DynDNS, currently. No need for backups here. 'exclude_from_backups': True, }, 'interfaces': { @@ -23,12 +30,30 @@ nodes['gce.bind01'] = { 'icinga_options': { 'pretty_name': 'ns-1.kunbox.net', }, + 'nginx': { + 'vhosts': { + 'ns-1.kunbox.net': { + 'locations': { + '/': { + 'target': 'http://127.0.0.1:8000/', + }, + }, + 'website_check_path': '/login', + 'website_check_string': 'PowerDNS', + }, + }, + }, 'postgresql': { - 'version': '15', + 'version': '11', }, 'powerdns': { + 'is_secondary': False, + 'secondary_nameservers': 'dns', 'my_hostname': 'ns-1.kunbox.net', }, + 'powerdnsadmin': { + 'version': 'v0.3.0', + }, 'vm': { 'cpu': 1, 'ram': 1, diff --git a/nodes/gce/dns02.py b/nodes/gce/dns02.py index 7eb1253..def2765 100644 --- a/nodes/gce/dns02.py +++ b/nodes/gce/dns02.py @@ -5,7 +5,7 @@ nodes['gce.dns02'] = { 'hostname': '35.187.109.249', 'bundles': set(), 'groups': { - 'debian-bullseye', + 'debian-buster', 'dns', }, 'metadata': { @@ -25,7 +25,7 @@ nodes['gce.dns02'] = { 'exclude_from_backups': True, }, 'postgresql': { - 'version': '15', + 'version': '11', }, 'powerdns': { 'my_hostname': 'ns-2.kunbox.net', 
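Review bot: In nodes/gce/bind01.py the `groups` set now selects `debian-buster`, and the second hunk pins `'postgresql': {'version': '11'}`; both are older release lines than the `debian-bullseye` / `15` they replace, and this node is the internet-facing primary nameserver. If this is a deliberate rollback, a comment next to the group such as `# pinned to buster until <REASON>; security updates end <DATE>` would record it; otherwise keep the newer pair. The same change is made in nodes/gce/dns02.py and nodes/gce/dns03.py. The `nodes['gce.bind01']` dict continues outside the hunk.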
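Review bot: The new `nginx` vhost for `ns-1.kunbox.net` in nodes/gce/bind01.py proxies `/` to `http://127.0.0.1:8000/`, and nothing in the vhost limits who can reach it. Judging by the `powerdnsadmin` bundle and the `/login` check path, the target looks like the PowerDNS-Admin UI. Whoever gets past that login can edit the zones this primary serves, so the vhost should carry whatever source restriction the nginx bundle supports, or a comment stating that internet exposure is intended and how the login is protected. Whether the bundle adds restrictions of its own is not visible in this hunk.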
diff --git a/nodes/gce/dns03.py b/nodes/gce/dns03.py index 14a87d7..fb23f27 100644 --- a/nodes/gce/dns03.py +++ b/nodes/gce/dns03.py @@ -5,7 +5,7 @@ nodes['gce.dns03'] = { 'hostname': '35.228.143.71', 'bundles': set(), 'groups': { - 'debian-bullseye', + 'debian-buster', 'dns', }, 'metadata': { @@ -25,7 +25,7 @@ nodes['gce.dns03'] = { 'exclude_from_backups': True, }, 'postgresql': { - 'version': '15', + 'version': '11', }, 'powerdns': { 'my_hostname': 'ns-3.kunbox.net', diff --git a/nodes/home.hass.toml b/nodes/home.hass.toml index 643a7a5..b451d32 100644 --- a/nodes/home.hass.toml +++ b/nodes/home.hass.toml @@ -5,6 +5,9 @@ bundles = [ ] groups = ["debian-bullseye"] +[metadata.backups] +exclude_from_backups = true + [metadata.interfaces.enp1s0] ips = ["172.19.138.25/24"] gateway4 = "172.19.138.1" diff --git a/nodes/home.openhab.toml b/nodes/home.openhab.toml new file mode 100644 index 0000000..a2c0656 --- /dev/null +++ b/nodes/home.openhab.toml @@ -0,0 +1,21 @@ +hostname = "172.19.138.21" +bundles = ["nginx", "openhab"] +groups = ["debian-bullseye"] + +[metadata.interfaces.enp1s0] +ips = ["172.19.138.21/24"] +gateway4 = "172.19.138.1" +ipv6_accept_ra = true + +[metadata.nginx.vhosts.openhab] +ssl = "_.home.kunbox.net" + +[metadata.openhab] +domain = "openhab.home.kunbox.net" + +[metadata.openhab.java_opts] +"user.timezone" = "Europe/Berlin" + +[metadata.vm] +cpu = 2 +ram = 2 diff --git a/nodes/home.wled-wohnzimmer.toml b/nodes/home.wled-wohnzimmer.toml index c032230..42b7212 100644 --- a/nodes/home.wled-wohnzimmer.toml +++ b/nodes/home.wled-wohnzimmer.toml @@ -3,7 +3,7 @@ dummy = true [metadata.interfaces.default] ips = ["172.19.138.70"] dhcp = true -mac = "3c:61:05:d0:f2:b9" +mac = "3c:61:05:d0:ba:1a" [metadata.icinga_options] exclude_from_monitoring = true diff --git a/nodes/home/router.py b/nodes/home/router.py index d7a7d20..d033c1c 100644 --- a/nodes/home/router.py +++ b/nodes/home/router.py 
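Review bot: nodes/home.hass.toml gains `exclude_from_backups = true` with no reason given, while the same setting in nodes/gce/bind01.py is explained by a comment. A node that presumably holds Home Assistant configuration and state is not obviously disposable, so a line such as `# state is rebuilt from <SOURCE>, no backup needed` above the key would let a later reader tell a decision from an oversight.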
@@ -133,13 +133,13 @@ nodes['home.router'] = { 'interface': 'enp1s0.100', 'dyndns': { 'domain': 'franzi-home.kunbox.net', - 'url': 'https://ns-primary.kunbox.net/nic/update?hostname=franzi-home.kunbox.net&myip={ip}', + 'url': 'https://ns-1.kunbox.net/nic/update?hostname=franzi-home.kunbox.net&myip={ip}', 'username': vault.decrypt('encrypt$gAAAAABfr8DLAJhmUIhdxLq83I8MnRRvkRgDZcO8Brvw1KpvplC3K8ZGj0jIIWD3Us33vIP6t0ybd_mgD8slpRUk78Kqd3BMoQ=='), 'password': vault.decrypt('encrypt$gAAAAABfr8Cq5M1hweeJTQAl0dLhFntdlw-QnkIYUQpY-_ycODVWOpyeAwjwOgWLSdsdXIUvqcoiXPZPV-BE12p5C42NGnj9r7sKYpoGz8xfuGIk6haMa2g='), }, 'nftables-rules.d': { - 'inet filter forward iifname enp1s0.23 oif $INTERFACE accept', - 'inet filter forward iifname enp1s0.42 accept', + 'inet filter forward iif enp1s0.23 oif $INTERFACE accept', + 'inet filter forward iif enp1s0.42 accept', }, }, 'unbound': { diff --git a/nodes/htz-cloud/miniserver.py b/nodes/htz-cloud/miniserver.py index 5fdc86c..633567a 100644 --- a/nodes/htz-cloud/miniserver.py +++ b/nodes/htz-cloud/miniserver.py @@ -62,7 +62,7 @@ nodes['htz-cloud.miniserver'] = { }, 'element-web': { 'url': 'chat.sophies-kitchen.eu', - 'version': 'v1.11.23', + 'version': 'v1.11.17', 'config': { 'default_server_config': { 'm.homeserver': { @@ -134,8 +134,8 @@ nodes['htz-cloud.miniserver'] = { }, }, 'matrix-media-repo': { - 'version': 'v1.2.13', - 'sha1': '0915bdf7c461368859180419d1f66717969cbe32', + 'version': 'v1.2.12', + 'sha1': 'c2dfa521c2eea9a0dcde9f1c7803f52ce6d0352e', 'homeservers': { 'sophies-kitchen.eu': { 'domain': 'http://[::1]:20080/', diff --git a/nodes/kunsi-p14s.py b/nodes/kunsi-p14s.py index 3174722..8952f4d 100644 --- a/nodes/kunsi-p14s.py +++ b/nodes/kunsi-p14s.py 
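Review bot: In nodes/home/router.py the two `nftables-rules.d` entries now match with `iif`, which nftables resolves to an interface index when the ruleset is loaded: loading fails if `enp1s0.23` or `enp1s0.42` does not exist at that moment, and a rule stops matching if the VLAN interface is later recreated with a new index. Matching by name avoids both, e.g. `'inet filter forward iifname enp1s0.23 oif $INTERFACE accept',`. The same consideration applies to `oif $INTERFACE` if that interface is a dial-up link that is torn down and recreated, which this hunk does not show. Separately, `iif enp1s0.42 accept` carries no output-interface restriction, so that VLAN may be forwarded anywhere; a comment saying that this is intended would help. The surrounding dict starts and ends outside the hunk.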
@@ -96,15 +96,25 @@ nodes['kunsi-p14s'] = { 'mesa-vdpau': {}, 'xf86-video-amdgpu': {}, + # for i3pystatus + 'iw': {}, + 'wireless_tools': {}, + # all that other random stuff one needs 'abcde': {}, 'apachedirectorystudio': {}, 'claws-mail': {}, 'claws-mail-themes': {}, 'ferdi-bin': {}, + 'ffmpeg': {}, 'gumbo-parser': {}, # for claws litehtml + 'imagemagick': {}, + 'inkscape': {}, + 'mosquitto': {}, 'perl-musicbrainz-discid': {}, # for abcde 'perl-webservice-musicbrainz': {}, # for abcde + 'samba': {}, + 'xf86-input-wacom': {}, }, }, 'sysctl': { diff --git a/nodes/ns-primary.toml b/nodes/ns-primary.toml deleted file mode 100644 index 885b1f2..0000000 --- a/nodes/ns-primary.toml +++ /dev/null @@ -1,43 +0,0 @@ -hostname = "82.165.52.168" -bundles = [ - "nodejs", - "powerdnsadmin", -] -groups = [ - "debian-bullseye", - "dns", - "webserver", -] - -[metadata.interfaces.ens192] -ips = [ - "82.165.52.168", - "2001:8d8:1801:7d4::1/64", -] -gateway4 = "10.255.255.1" -gateway6 = "fe80::250:56ff:fea8:628f" - -[metadata.icinga_options] -pretty_name = "ns-primary.kunbox.net" - -[metadata.nginx.vhosts."ns-primary.kunbox.net"] -website_check_path = "/login" -website_check_string = "PowerDNS" - -[metadata.nginx.vhosts."ns-primary.kunbox.net".locations."/"] -target = "http://127.0.0.1:8000/" - -[metadata.postgresql] -version = "15" - -[metadata.powerdns] -is_secondary = false -secondary_nameservers = "dns" -features.bind = true - -[metadata.powerdnsadmin] -version = "v0.3.0" - -[metadata.vm] -cpu = 2 -ram = 2 diff --git a/nodes/rx300.py b/nodes/rx300.py index eea38a1..7900321 100644 --- a/nodes/rx300.py +++ b/nodes/rx300.py @@ -105,7 +105,7 @@ nodes['rx300'] = { }, 'element-web': { 'url': 'chat.franzi.business', - 'version': 'v1.11.23', + 'version': 'v1.11.17', 'config': { 'default_server_config': { 'm.homeserver': { 
@@ -128,8 +128,8 @@ nodes['rx300'] = { }, }, 'gitea': { - 'url': 'https://codeberg.org/attachments/be5952ea-6cfb-4be5-a593-3564c4bd8cc9', - 'sha1': '0bcf3d6d6541a46571802d9e9276056ff860841e', + 'version': '1.17.3', + 'sha1': 'a78611a3e799150fbae3d45d2bd276d95ccffcd8', 'domain': 'git.franzi.business', 'email_domain_blocklist': { 'aol.com', @@ -197,8 +197,8 @@ nodes['rx300'] = { }, }, 'matrix-media-repo': { - 'version': 'v1.2.13', - 'sha1': '0915bdf7c461368859180419d1f66717969cbe32', + 'version': 'v1.2.12', + 'sha1': 'c2dfa521c2eea9a0dcde9f1c7803f52ce6d0352e', 'homeservers': { 'franzi.business': { 'domain': 'http://[::1]:20080/', @@ -268,8 +268,8 @@ nodes['rx300'] = { }, }, 'mautrix-whatsapp': { - 'version': 'v0.8.2', - 'sha1': '31779131b0524e84f980a7e3b5a818150833470d', + 'version': 'v0.8.0', + 'sha1': '4e561a96c8fae61edd8dee9abdd52b5146fa98b2', 'homeserver': { 'domain': 'franzi.business', 'url': 'https://matrix.franzi.business', @@ -306,7 +306,7 @@ nodes['rx300'] = { }, 'netbox': { 'domain': 'netbox.franzi.business', - 'version': 'v3.4.4', + 'version': 'v3.4.1', 'changelog_retention_days': 360, 'admins': { 'kunsi': 'hostmaster@kunbox.net', @@ -327,7 +327,7 @@ nodes['rx300'] = { }, 'vhosts': { 'element-web': {'ssl': '_.franzi.business'}, - 'forgejo': {'ssl': '_.franzi.business'}, + 'gitea': {'ssl': '_.franzi.business'}, 'jenkins-ci': {'ssl': '_.franzi.business'}, 'matrix-dimension': {'ssl': '_.franzi.business'}, 'matrix-synapse': {'ssl': '_.franzi.business'}, @@ -450,7 +450,6 @@ nodes['rx300'] = { }, 'postgresql': { 'version': '13', - 'max_connections': 500, }, 'radicale': { 'domain': 'radicale.franzi.business', @@ -524,7 +523,7 @@ nodes['rx300'] = { }, }, 'travelynx': { - 'version': '1.29.4', + 'version': '1.23.12', 'mail_from': 'travelynx@franzi.business', 'domain': 'travelynx.franzi.business', }, diff --git a/scripts/encrypt_file b/scripts/encrypt_file index 430aac0..8fa272e 100755 --- a/scripts/encrypt_file +++ b/scripts/encrypt_file 
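Review bot: The `gitea` entry in nodes/rx300.py still pins its download with a `sha1` digest, as do the `matrix-media-repo` and `mautrix-whatsapp` entries in this file and `matrix-media-repo` in nodes/htz-cloud/miniserver.py. SHA-1 is no longer collision resistant, so a SHA-256 pin is the stronger integrity check for release artifacts. If the bundles can verify one, the entry would read `'sha256': '<SHA256_OF_RELEASE_ARTIFACT>',` (placeholder, not a real digest). The hunk also drops the explicit `url`, so the download location is presumably now derived from `version` inside the bundle, which this diff does not show.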
@@ -5,6 +5,7 @@ from sys import argv from bundlewrap.repo import Repository + path = environ.get('BW_REPO_PATH', '.') repo = Repository(path) diff --git a/scripts/letsencrypt-wildcard b/scripts/letsencrypt-wildcard index 3d90231..98eca7a 100755 --- a/scripts/letsencrypt-wildcard +++ b/scripts/letsencrypt-wildcard @@ -39,7 +39,7 @@ then echo echo You must now provide this DNS record: - echo "$(tput bold)_acme-challenge.$domain IN TXT $token_value$(tput sgr0)" + echo "$(tput bold)_acme-challenge.$domain. IN TXT $token_value$(tput sgr0)" echo echo "Hit ENTER once it's available." read diff --git a/scripts/list-all-ips b/scripts/list-all-ips index 04a05ea..f5f2bc5 100755 --- a/scripts/list-all-ips +++ b/scripts/list-all-ips @@ -5,6 +5,7 @@ from sys import argv from bundlewrap.repo import Repository from bundlewrap.utils.dicts import merge_dict + path = environ.get('BW_REPO_PATH', '.') repo = Repository(path) diff --git a/scripts/passwords-for b/scripts/passwords-for index c12fa7b..3aa0d53 100755 --- a/scripts/passwords-for +++ b/scripts/passwords-for @@ -2,9 +2,10 @@ from os import environ from sys import argv -from bundlewrap.exceptions import FaultUnavailable from bundlewrap.repo import Repository from bundlewrap.utils import Fault +from bundlewrap.exceptions import FaultUnavailable + path = environ.get('BW_REPO_PATH', '.') repo = Repository(path)