bundles/woodpecker-agent: fix metadata reactor

bundles/docker-ce: add nftables rules
ci: fix editorconfig
2022-12-25 08:26:59 +01:00 · 2022-12-25 08:26:55 +01:00 · 2022-12-25 08:26:51 +01:00 · 2022-12-25 08:26:47 +01:00 · 2022-12-25 08:26:44 +01:00 · 2022-12-25 08:26:40 +01:00
104 changed files with 779 additions and 335 deletions
--- a/29
+++ b/29
@ -1,22 +1,7 @@
 pipeline {
    agent any
    stages {
-        stage('install_requirements') {
+        stage('editorconfig-checker') {
            steps {
                sh """
                    [ -d venv ] && rm -rf venv
                    virtualenv -p python3 venv
                    . venv/bin/activate
                    pip install --upgrade pip isort
                    pip install -r requirements.txt
                """
            }
        }
        stage('tests') {
            parallel {
                stage('syntax checking using editorconfig-checker') {
            steps {
                sh """
                    wget -Oec-linux-amd64.tar.gz https://github.com/editorconfig-checker/editorconfig-checker/releases/latest/download/ec-linux-amd64.tar.gz
@ -25,15 +10,21 @@ pipeline {
                """
            }
        }
-                stage('syntax checking using isort') {
+        stage('install_requirements') {
            steps {
                sh """
                    [ -d venv ] && rm -rf venv
                    virtualenv -p python3 venv
                    . venv/bin/activate
-                            isort --check .
+                    pip install --upgrade pip
                    pip install -r requirements.txt
                """
            }
        }
        stage('bw test') {
            parallel {
                stage('config and metadata determinism') {
                    steps {
                        sh """
@ -45,7 +36,7 @@ pipeline {
                        """
                    }
                }
-                stage('bw test -i') {
+                stage('other tests') {
                    steps {
                        sh """
                            . venv/bin/activate
--- a/PORT_MAP.md
+++ b/PORT_MAP.md
@ -36,7 +36,7 @@ Rule of thumb: keep ports below 10000 free for stuff that reserves ports.
 | 20090       | matrix-media-repo    | prometheus metrics |
 | 21000       | pleroma              | pleroma |
 | 21010       | grafana              | grafana |
-| 22000       | gitea                | forgejo |
+| 22000       | gitea                | gitea |
 | 22010       | jenkins-ci           | Jenkins CI |
 | 22020       | travelynx            | Travelynx Web |
 | 22030       | octoprint            | OctoPrint Web Interface |
@ -45,6 +45,7 @@ Rule of thumb: keep ports below 10000 free for stuff that reserves ports.
 | 22060       | pretalx              | gunicorn |
 | 22070       | paperless-ng         | gunicorn |
 | 22080       | netbox               | gunicorn |
 | 22090       | openhab              | http |
 | 22100       | woodpecker-server    | http |
 | 22101       | woodpecker-server    | gRPC |
 | 22999       | nginx                | stub_status |
--- a/bundles/apt/items.py
+++ b/bundles/apt/items.py
@ -143,9 +143,6 @@ pkg_apt = {
    'cloud-init': {
        'installed': False,
    },
    'molly-guard': {
        'installed': False,
    },
    'netplan.io': {
        'installed': False,
    },
--- a/bundles/arch-with-gui/metadata.py
+++ b/bundles/arch-with-gui/metadata.py
@ -38,14 +38,9 @@ defaults = {
            'rofi': {},
            # sound
            'calf': {},
            'easyeffects': {},
            'lsp-plugins': {},
            'pavucontrol': {},
-            'pipewire': {},
+            'pulseaudio': {},
-            'pipewire-jack': {},
+            'pulseaudio-zeroconf': {},
            'pipewire-pulse': {},
            'qpwgraph': {},
            # window management
            'i3-wm': {},
@ -58,7 +53,6 @@ defaults = {
            # Xorg
            'xf86-input-libinput': {},
            'xf86-input-wacom': {},
            'xorg-server': {},
            'xorg-setxkbmap': {},
            'xorg-xev': {},
@ -68,27 +62,20 @@ defaults = {
            # all them apps
            'browserpass': {},
            'browserpass-firefox': {},
            'ffmpeg': {},
            'firefox': {},
            'gimp': {},
            'imagemagick': {},
            'inkscape': {},
            'kdenlive': {},
            'maim': {},
            'mosh': {},
            'mosquitto': {},
            'mpv': {},
            'pass': {},
            'pass-otp': {},
            'pdftk': {},
            'pwgen': {},
            'qpdfview': {},
            'samba': {},
            'shotcut': {},
            'sipcalc': {},
            'the_silver_searcher': {},
            'tlp': {},
            'virt-manager': {},
            'xclip': {},
            'xdotool': {}, # needed for maim window selection
        },
--- a/bundles/backup-server/items.py
+++ b/bundles/backup-server/items.py
@ -1,7 +1,6 @@
 repo.libs.tools.require_bundle(node, 'zfs')
 from os.path import join
 from bundlewrap.metadata import metadata_to_json
 dataset = node.metadata.get('backup-server/zfs-base')
--- a/bundles/bird/metadata.py
+++ b/bundles/bird/metadata.py
@ -1,5 +1,4 @@
 from ipaddress import ip_network
 from bundlewrap.exceptions import NoSuchNode
 from bundlewrap.metadata import atomic
--- a/bundles/docker-ce/metadata.py
+++ b/bundles/docker-ce/metadata.py
@ -12,6 +12,14 @@ defaults = {
            'docker-ce-cli': {},
        },
    },
    'nftables': {
        'rules': {
            '00-docker-ce': {
                'inet filter forward ct state { related, established } accept',
                'inet filter forward iifname docker0 accept',
            },
        },
    },
 }
@ -19,10 +27,7 @@ defaults = {
    'nftables/rules/00-docker-ce',
 )
 def nftables_nat(metadata):
-    rules = {
+    rules = set()
        'inet filter forward ct state { related, established } accept',
        'inet filter forward iifname docker0 accept',
    }
    for iface in metadata.get('interfaces'):
        rules.add(f'nat postrouting oifname {iface} masquerade')
@ -30,7 +35,7 @@ def nftables_nat(metadata):
    return {
        'nftables': {
            'rules': {
-                '00-docker-ce': sorted(rules),
+                '00-docker-ce': rules,
            },
        },
    }
--- a/bundles/dovecot/files/dovecot.conf
+++ b/bundles/dovecot/files/dovecot.conf
@ -46,12 +46,11 @@ plugin {
    zlib_save_level = 6
    zlib_save = gz
    sieve = /var/mail/vmail/sieve/%d/%n.sieve
    sieve_dir = /var/mail/vmail/sieve/%d/%n/
    sieve_extensions = +vnd.dovecot.pipe
    sieve_pipe_bin_dir = /var/mail/vmail/sieve/bin
    sieve_plugins = sieve_imapsieve sieve_extprograms
-    sieve_user_log = /var/mail/vmail/sieve/%d/%n.log
+    sieve_dir = /var/mail/vmail/sieve/%d/%n/
    sieve = /var/mail/vmail/sieve/%d/%n.sieve
    sieve_pipe_bin_dir = /var/mail/vmail/sieve/bin
    sieve_extensions = +vnd.dovecot.pipe
    old_stats_refresh = 30 secs
    old_stats_track_cmds = yes
--- a/bundles/gitea/files/app.ini
+++ b/bundles/gitea/files/app.ini
@ -21,6 +21,7 @@ ROOT_URL = https://${domain}/
 DISABLE_SSH = false
 SSH_PORT = 22
 LFS_START_SERVER = true
 LFS_CONTENT_PATH = /var/lib/gitea/data/lfs
 LFS_JWT_SECRET = ${lfs_secret_key}
 OFFLINE_MODE = true
 START_SSH_SERVER = false
@ -66,7 +67,7 @@ EMAIL_DOMAIN_BLOCKLIST = ${','.join(sorted(email_domain_blocklist))}
 [mailer]
 ENABLED = true
-PROTOCOL = sendmail
+MAILER_TYPE = sendmail
 FROM = "${app_name}" <noreply@${domain}>
 [session]
--- a/bundles/gitea/items.py
+++ b/bundles/gitea/items.py
@ -40,7 +40,10 @@ files = {
    },
    '/usr/local/bin/gitea': {
        'content_type': 'download',
-        'source': node.metadata.get('gitea/url'),
+        #'source': 'https://dl.gitea.io/gitea/{version}/gitea-{version}-linux-amd64'.format(version=node.metadata.get('gitea/version')),
        'source': 'https://github.com/go-gitea/gitea/releases/download/v{version}/gitea-{version}-linux-amd64'.format(
            version=node.metadata.get('gitea/version'),
        ),
        'content_hash': node.metadata.get('gitea/sha1', None),
        'mode': '0755',
        'triggers': {
--- a/bundles/gitea/metadata.py
+++ b/bundles/gitea/metadata.py
@ -6,7 +6,7 @@ defaults = {
        },
    },
    'gitea': {
-        'app_name': 'Forgejo',
+        'app_name': 'Gitea',
        'database': {
            'username': 'gitea',
            'password': repo.vault.password_for('{} postgresql gitea'.format(node.name)),
@ -23,14 +23,9 @@ defaults = {
    'icinga2_api': {
        'gitea': {
            'services': {
-                'FORGEJO PROCESS': {
+                'GITEA PROCESS': {
                    'command_on_monitored_host': '/usr/local/share/icinga/plugins/check_systemd_unit gitea',
                },
                'FORGEJO UPDATE': {
                    'command_on_monitored_host': '/usr/local/share/icinga/plugins/check_forgejo_for_new_release codeberg.org forgejo/forgejo v$(gitea --version | cut -d" " -f3)',
                    'vars.notification.mail': True,
                    'check_interval': '60m',
                },
            },
        },
    },
@ -72,7 +67,7 @@ defaults = {
@metadata_reactor.provides(
-    'nginx/vhosts/forgejo',
+    'nginx/vhosts/gitea',
 )
 def nginx(metadata):
    if not node.has_bundle('nginx'):
@ -81,7 +76,7 @@ def nginx(metadata):
    return {
        'nginx': {
            'vhosts': {
-                'forgejo': {
+                'gitea': {
                    'domain': metadata.get('gitea/domain'),
                    'locations': {
                        '/': {
@ -104,4 +99,16 @@ def nginx(metadata):
 )
 def icinga_check_for_new_release(metadata):
    return {
        'icinga2_api': {
            'gitea': {
                'services': {
                    'GITEA UPDATE': {
                        # this is only temporary. We will switch to forgejo once they have their first stable release.
                        'command_on_monitored_host': '/usr/local/share/icinga/plugins/check_forgejo_for_new_release codeberg.org forgejo/forgejo v{}'.format(metadata.get('gitea/version')),
                        'vars.notification.mail': True,
                        'check_interval': '60m',
                    },
                },
            },
        },
    }
--- a/bundles/homeassistant/files/check_homeassistant_update
+++ b/bundles/homeassistant/files/check_homeassistant_update
@ -41,7 +41,7 @@ try:
        message = f"WARNING - stable version {stable_version} is lower than running version {running_version}, check if downgrade is necessary."
    else:
        status = 2
-        message = f"CRITICAL - update necessary, running version {running_version} is lower than stable version {stable_version}"
+        message = f"CRITICAL - update necessary, running verison {running_version} is lower than stable version {stable_version}"
 except Exception as e:
    message = f"{message}: {repr(e)}"
--- a/bundles/homeassistant/metadata.py
+++ b/bundles/homeassistant/metadata.py
@ -1,3 +1,5 @@
 from bundlewrap.metadata import atomic
 defaults = {
    'apt': {
        'packages': {
@ -23,7 +25,7 @@ defaults = {
    },
 }
@metadata_reactor.provides(
-    'icinga2_api/homeassistant/services',
+    'icinga2_api/homeassistant/services/HOMESSISTANT UPDATE',
 )
 def icinga_check_for_new_release(metadata):
    return {
@ -52,8 +54,8 @@ def nginx(metadata):
            'vhosts': {
                'homeassistant': {
                    'domain': metadata.get('homeassistant/domain'),
-                    'website_check_path': '/auth/authorize',
+                    'website_check_path': '/',
-                    'website_check_string': 'Home Assistant',
+                    'website_check_string': 'Homeassistant',
                    'locations': {
                        '/': {
                            'target': 'http://127.0.0.1:8123',
--- a/bundles/icinga2/files/check_freifunk_node
+++ b/bundles/icinga2/files/check_freifunk_node
@ -1,8 +1,7 @@
 #!/usr/bin/env python3
 from sys import argv, exit
 from requests import get
 from sys import argv, exit
 meshviewer_url = argv[1]
 node_id = argv[2]
--- a/bundles/icinga2/files/check_sipgate_account_balance
+++ b/bundles/icinga2/files/check_sipgate_account_balance
@ -1,8 +1,7 @@
 #!/usr/bin/env python3
 from sys import exit
 from requests import get
 from sys import exit
 SIPGATE_USER = '${node.metadata['icinga2']['sipgate_user']}'
 SIPGATE_PASS = '${node.metadata['icinga2']['sipgate_pass']}'
--- a/bundles/icinga2/files/check_spam_blocklist
+++ b/bundles/icinga2/files/check_spam_blocklist
@ -1,10 +1,12 @@
 #!/usr/bin/env python3
 from concurrent.futures import ThreadPoolExecutor, as_completed
-from ipaddress import IPv6Address, ip_address
+from ipaddress import ip_address, IPv6Address
 from subprocess import check_output
 from sys import argv, exit
 BLOCKLISTS = [
    '0spam.fusionzero.com',
    'bl.mailspike.org',
--- a/bundles/icinga2/files/scripts/icinga_notification_wrapper
+++ b/bundles/icinga2/files/scripts/icinga_notification_wrapper
@ -4,11 +4,10 @@ import email.mime.text
 import smtplib
 from argparse import ArgumentParser
 from json import dumps
 from requests import post
 from subprocess import run
 from sys import argv
 from requests import post
 SIPGATE_USER='${node.metadata['icinga2']['sipgate_user']}'
 SIPGATE_PASS='${node.metadata['icinga2']['sipgate_pass']}'
--- a/bundles/icinga2/metadata.py
+++ b/bundles/icinga2/metadata.py
@ -17,9 +17,7 @@ defaults = {
            'icinga2': {},
            'icinga2-ido-pgsql': {},
            'icingaweb2': {},
-
+            'icingaweb2-module-monitoring': {},
            # apparently no longer needed
            #'icingaweb2-module-monitoring': {},
            # neeeded for statusmonitor
            'python3-flask': {},
--- a/bundles/matrix-synapse/files/synapse-purge-unused-rooms
+++ b/bundles/matrix-synapse/files/synapse-purge-unused-rooms
@ -1,9 +1,9 @@
 #!/usr/bin/env python3
 from os import environ
 from requests import get, post
 from sys import argv, exit
 from requests import get, post
 SYNAPSE_MAX_ROOMS_TO_GET = 20000
 SYNAPSE_HOST = 'http://[::1]:20080/'
--- a/bundles/miniflux/metadata.py
+++ b/bundles/miniflux/metadata.py
@ -6,7 +6,7 @@ defaults = {
        'repos': {
            'miniflux': {
                'items': {
-                    'deb [trusted=yes] https://repo.miniflux.app/apt/ /',
+                    'deb https://apt.miniflux.app/ /',
                },
            },
        },
--- a/bundles/molly-guard/files/10-check-unattended-upgrades
+++ b/bundles/molly-guard/files/10-check-unattended-upgrades
@ -0,0 +1,9 @@
 #!/bin/bash
 # Checks wether upgrade-and-reboot is currently running.
 if [[ -f "/var/lib/bundlewrap/soft-${node.name}/UNATTENDED" ]]
 then
    echo "Sorry, can't $MOLLYGUARD_CMD now, upgrade-and-reboot is running"
    exit 1
 fi
--- a/bundles/molly-guard/files/30-query-hostname
+++ b/bundles/molly-guard/files/30-query-hostname
@ -0,0 +1,29 @@
 #!/bin/sh
 # This script will ask for the bundlewrap node name. This replaces the
 # original script, which will ask for the hostname, which sometimes
 # is not enough to properly identify the system.
 NODE_NAME="${node.name}"
 # If this is not a terminal, do nothing
 test -t 0 || exit 0
 sigh()
 {
    echo "Sorry, input does not match. Won't $MOLLYGUARD_CMD $NODE_NAME ..." >&2
    exit 1
 }
 trap 'echo;sigh' 1 2 3 9 10 12 15
 echo -n "Please enter the bundlewrap node name of this System to $MOLLYGUARD_CMD: "
 read NODE_NAME_USER || :
 NODE_NAME_USER="$(echo "$NODE_NAME_USER" | tr '[:upper:]' '[:lower:]')"
 [ "$NODE_NAME_USER" = "$NODE_NAME" ] || sigh
 trap - 1 2 3 9 10 12 15
 exit 0
--- a/bundles/molly-guard/files/rc
+++ b/bundles/molly-guard/files/rc
@ -0,0 +1 @@
 # currently unused
--- a/bundles/molly-guard/items.py
+++ b/bundles/molly-guard/items.py
@ -0,0 +1,27 @@
 directories = {
    '/etc/molly-guard/messages.d': {
        'purge': True,
        'after': {
            'pkg_apt:molly-guard',
        },
    },
    '/etc/molly-guard/run.d': {
        'purge': True,
        'after': {
            'pkg_apt:molly-guard',
        },
    },
 }
 files = {
    '/etc/molly-guard/rc': {},
    '/etc/molly-guard/run.d/10-check-unattended-upgrades': {
        'content_type': 'mako',
        'mode': '0755',
    },
    '/etc/molly-guard/run.d/30-query-hostname': {
        'content_type': 'mako',
        'mode': '0755',
    },
 }
--- a/bundles/molly-guard/metadata.py
+++ b/bundles/molly-guard/metadata.py
@ -0,0 +1,7 @@
 defaults = {
    'apt': {
        'packages': {
            'molly-guard': {},
        },
    },
 }
--- a/bundles/mosquitto/files/tasmota-telegraf-plugin
+++ b/bundles/mosquitto/files/tasmota-telegraf-plugin
@ -7,6 +7,7 @@ from time import sleep
 import paho.mqtt.client as mqtt
 BROKER_HOST = argv[1]
 BROKER_TOPIC = argv[2]
--- a/bundles/mosquitto/metadata.py
+++ b/bundles/mosquitto/metadata.py
@ -1,5 +1,6 @@
 from bundlewrap.metadata import atomic
 defaults = {
    'apt': {
        'packages': {
--- a/bundles/octoprint/files/check_octoprint_update
+++ b/bundles/octoprint/files/check_octoprint_update
@ -1,8 +1,7 @@
 #!/usr/bin/env python3
 from sys import exit
 from requests import get
 from sys import exit
 api_key = '${api_key}'
--- a/bundles/openhab/files/backup-pre-hook
+++ b/bundles/openhab/files/backup-pre-hook
@ -0,0 +1,5 @@
 #!/bin/bash
 find /var/lib/openhab/backups -type f -mtime +3 -delete
 /usr/share/openhab/runtime/bin/backup --full
--- a/bundles/openhab/files/openhab
+++ b/bundles/openhab/files/openhab
@ -0,0 +1,62 @@
 # openHAB service options
 #########################
 ## PORTS
 ## The ports openHAB will bind its HTTP/HTTPS web server to.
 OPENHAB_HTTP_PORT=22090
 #OPENHAB_HTTPS_PORT=8443
 #########################
 ## HTTP(S) LISTEN ADDRESS
 ##  The listen address used by the HTTP(S) server.
 ##  0.0.0.0 (default) allows a connection from any location
 ##  127.0.0.1 only allows the local machine to connect
 OPENHAB_HTTP_ADDRESS=127.0.0.1
 #########################
 ## BACKUP DIRECTORY
 ## Set the following variable to specify the backup location.
 ## runtime/bin/backup and runtime/bin/restore will use this path for the zip files.
 #OPENHAB_BACKUPS=/var/lib/openhab/backups
 #########################
 ## JAVA OPTIONS
 ## Additional options for the JAVA_OPTS environment variable.
 ## These will be appended to the execution of the openHAB Java runtime in front of all other options.
 ##
 ## A couple of independent examples:
 ##   EXTRA_JAVA_OPTS="-Dgnu.io.rxtx.SerialPorts=/dev/ttyZWAVE:/dev/ttyUSB0:/dev/ttyS0:/dev/ttyS2:/dev/ttyACM0:/dev/ttyAMA0"
 ##   EXTRA_JAVA_OPTS="-Djna.library.path=/lib/arm-linux-gnueabihf/ -Duser.timezone=Europe/Berlin -Dgnu.io.rxtx.SerialPorts=/dev/ttyZWave"
 EXTRA_JAVA_OPTS="${extra_java_opts}"
 #########################
 ## OPENHAB DEFAULTS PATHS
 ## The following settings override the default apt/rpm locations and should be used with caution.
 ## openHAB will fail to update itself if you're using different paths.
 ## Only set these if you are testing and are confident in debugging.
 #OPENHAB_HOME=/usr/share/openhab
 #OPENHAB_CONF=/etc/openhab
 #OPENHAB_RUNTIME=/usr/share/openhab/runtime
 #OPENHAB_USERDATA=/var/lib/openhab
 #OPENHAB_LOGDIR=/var/log/openhab
 #########################
 ## OPENHAB USER AND GROUP
 ## The user and group that takes ownership of openHAB. Only available for init.d systems.
 ## To edit user and group for systemd, see the service file at /usr/lib/systemd/system/openhab.service.
 #OPENHAB_USER=openhab
 #OPENHAB_GROUP=openhab
 #########################
 ## SYSTEMD START MODE
 ## The Karaf startmode for the openHAB runtime. Only available for systemctl/systemd systems.
 ## Defaults to daemon when unset here. Multiple options can be used without quotes.
 ## debug increases log output. daemon launches the Karaf/openHAB processes.
 #OPENHAB_STARTMODE=debug
--- a/bundles/openhab/items.py
+++ b/bundles/openhab/items.py
@ -0,0 +1,32 @@
 extra_java_opts = []
 for opt, value in sorted(node.metadata.get('openhab/java_opts', {}).items()):
    if value is None:
        extra_java_opts.append(f'-D{opt}')
    else:
        extra_java_opts.append(f'-D{opt}={value}')
 files = {
    '/etc/default/openhab': {
        'content_type': 'mako',
        'context': {
            'extra_java_opts': ' '.join(extra_java_opts),
        },
        'triggers': {
            'svc_systemd:openhab:restart',
        },
    },
    '/etc/backup-pre-hooks.d/40-openhab': {
        'source': 'backup-pre-hook',
        'mode': '0755',
    }
 }
 svc_systemd = {
    'openhab': {
        'needs': {
            'pkg_apt:openhab',
            'pkg_apt:openhab-addons',
        },
    },
 }
--- a/bundles/openhab/metadata.py
+++ b/bundles/openhab/metadata.py
@ -0,0 +1,55 @@
 defaults = {
    'apt': {
        'packages': {
            'openjdk-17-jre': {},
            'openhab': {
                'needs': {
                    'pkg_apt:openjdk-17-jre',
                },
            },
            'openhab-addons': {
                'needs': {
                    'pkg_apt:openhab',
                },
            },
        },
        'repos': {
            'openhab': {
                'items': {
                    'deb https://openhab.jfrog.io/artifactory/openhab-linuxpkg stable main',
                },
            },
        },
    },
    'backups': {
        'paths': {
            '/usr/share/openhab/addons', # not included in openhab backup
            '/var/lib/openhab',
        },
    },
 }
@metadata_reactor.provides(
    'nginx/vhosts/openhab',
 )
 def nginx(metadata):
    if not node.has_bundle('nginx'):
        raise DoNotRunAgain
    return {
        'nginx': {
            'vhosts': {
                'openhab': {
                    'domain': metadata.get('openhab/domain'),
                    'locations': {
                        '/': {
                            'target': 'http://localhost:22090/',
                        },
                    },
                    'website_check_path': '/',
                    'website_check_string': 'openHAB',
                },
            },
        },
    }
--- a/bundles/postfix/files/postfix-telegraf-queue
+++ b/bundles/postfix/files/postfix-telegraf-queue
@ -4,6 +4,7 @@
 from json import loads
 from subprocess import check_output
 queue_counts = {}
 queue_json = check_output(['sudo', '/usr/sbin/postqueue', '-j'])
--- a/bundles/powerdns/files/named.conf
+++ b/bundles/powerdns/files/named.conf
@ -1,6 +1,6 @@
 % for zone in sorted(zones):
 zone "${zone}" {
    file "/var/lib/powerdns/zones/${zone}";
-    type master;
+    type native;
 };
 % endfor
--- a/bundles/powerdns/files/pdns.conf
+++ b/bundles/powerdns/files/pdns.conf
@ -20,15 +20,12 @@ setgid=pdns
 allow-notify-from=${','.join(sorted(my_primary_servers))}
 slave=yes
-% if node.os_version[0] > 10:
+# FIXME enable once debian stable has 4.1.9
-superslave=yes
+#superslave=yes
 % endif
 % else:
 api=yes
 api-key=${api_key}
 webserver=yes
 webserver-address=0.0.0.0
 webserver-allow-from=0.0.0.0/0
 allow-notify-from=
--- a/bundles/powerdns/items.py
+++ b/bundles/powerdns/items.py
@ -5,12 +5,26 @@ from subprocess import check_output
 zone_path = join(repo.path, 'data', 'powerdns', 'files', 'bind-zones')
-nameservers = set()
+ZONE_HEADER = """
 ;      _    ____ _   _ _____ _   _ _   _  ____
 ;     / \\  / ___| | | |_   _| | | | \\ | |/ ___|
 ;    / _ \\| |   | |_| | | | | | | |  \\| | |  _
 ;   / ___ \\ |___|  _  | | | | |_| | |\\  | |_| |
 ;  /_/   \\_\\____|_| |_| |_|  \\___/|_| \\_|\\____|
 ;
 ; --> Diese Datei wird von BundleWrap verwaltet! <--
 $TTL 60
@       IN  SOA ns-1.kunbox.net.    hostmaster.kunbox.net. (
        {serial}
        3600
        600
        86400
        300
    )
 """
 for rnode in sorted(repo.nodes_in_group('dns')):
-    if not rnode.metadata.get('powerdns/is_secondary'):
+    ZONE_HEADER += '@       IN  NS {}.\n'.format(rnode.metadata.get('powerdns/my_hostname', rnode.metadata.get('hostname')))
        # hide the primary nameserver from auto-generated nameserver lists
        continue
    nameservers.add(rnode.metadata.get('powerdns/my_hostname', rnode.metadata.get('hostname')))
 directories = {
    '/etc/powerdns/pdns.d': {
@ -36,11 +50,11 @@ files = {
    '/etc/powerdns/pdns.conf': {
        'content_type': 'mako',
        'context': {
-            'api_key': node.metadata.get('powerdns/api_key'),
+            'api_key': node.metadata['powerdns']['api_key'],
-            'my_hostname': node.metadata.get('powerdns/my_hostname', node.metadata.get('hostname')),
+            'my_hostname': node.metadata['powerdns'].get('my_hostname', node.metadata.get('hostname')),
-            'is_secondary': node.metadata.get('powerdns/is_secondary', False),
+            'is_secondary': node.metadata['powerdns'].get('is_secondary', False),
-            'my_primary_servers': node.metadata.get('powerdns/my_primary_servers', set()),
+            'my_primary_servers': node.metadata['powerdns'].get('my_primary_servers', set()),
-            'my_secondary_servers': node.metadata.get('powerdns/my_secondary_servers', set()),
+            'my_secondary_servers': node.metadata['powerdns'].get('my_secondary_servers', set()),
        },
        'needs': {
            'pkg_apt:pdns-server',
@ -64,7 +78,7 @@ svc_systemd = {
 actions = {
    'powerdns_reload_zones': {
        'triggered': True,
-        'command': 'pdns_control rediscover; pdns_control reload; pdns_control notify \*',
+        'command': 'pdns_control rediscover; pdns_control reload',
        'needs': {
            'svc_systemd:pdns',
        },
@ -88,8 +102,7 @@ if node.metadata.get('powerdns/features/bind', False):
        files[f'/var/lib/powerdns/zones/{zone}'] = {
            'content_type': 'mako',
            'context': {
-                'NAMESERVERS': '\n'.join(sorted({f'@ IN NS {ns}.' for ns in nameservers})),
+                'header': ZONE_HEADER.format(serial=serial),
                'SERIAL': serial,
                'metadata_records': node.metadata.get(f'powerdns/bind-zones/{zone}/records', []),
            },
            'source': f'bind-zones/{zone}',
@ -129,22 +142,12 @@ if node.metadata.get('powerdns/features/bind', False):
            'action:powerdns_reload_zones',
        },
    }
 else:
    files['/etc/powerdns/named.conf'] = {
        'delete': True,
        'needed_by': {
            'svc_systemd:pdns',
        },
        'triggers': {
            'action:powerdns_reload_zones',
        },
    }
-if node.metadata.get('powerdns/features/pgsql', node.has_bundle('postgresql')):
+if node.metadata.get('powerdns/features/pgsql', False):
    files['/etc/powerdns/pdns.d/pgsql.conf'] = {
        'content_type': 'mako',
        'context': {
-            'password': node.metadata.get('postgresql/roles/powerdns/password'),
+            'password': node.metadata['postgresql']['roles']['powerdns']['password'],
        },
        'needs': {
            'pkg_apt:pdns-backend-pgsql',
@ -160,7 +163,7 @@ if node.metadata.get('powerdns/features/pgsql', node.has_bundle('postgresql')):
    files['/etc/powerdns/schema.pgsql.sql'] = {}
    actions['powerdns_load_pgsql_schema'] = {
-        'command': node.metadata.get('postgresql/roles/powerdns/password').format_into('PGPASSWORD={} psql -h 127.0.0.1 -d powerdns -U powerdns -w < /etc/powerdns/schema.pgsql.sql'),
+        'command': node.metadata['postgresql']['roles']['powerdns']['password'].format_into('PGPASSWORD={} psql -h 127.0.0.1 -d powerdns -U powerdns -w < /etc/powerdns/schema.pgsql.sql'),
        'unless': 'sudo -u postgres psql -d powerdns -c "\dt" | grep domains 2>&1 >/dev/null',
        'needs': {
            'bundle:postgresql',
--- a/bundles/powerdns/metadata.py
+++ b/bundles/powerdns/metadata.py
@ -1,4 +1,4 @@
-from ipaddress import IPv4Address, IPv6Address, ip_address
+from ipaddress import ip_address, IPv4Address, IPv6Address
 from bundlewrap.metadata import atomic
@ -43,11 +43,7 @@ if node.has_bundle('telegraf'):
    defaults['telegraf'] = {
        'input_plugins': {
            'builtin': {
-                'powerdns': [{
+                'powerdns': [{}],
                    'unix_sockets': [
                        '/var/run/pdns/pdns.controlsocket',
                    ],
                }],
            },
        },
        'additional_groups': {
@ -190,16 +186,16 @@ def hosts_entries_for_all_dns_servers(metadata):
        if rnode.name == node.name:
            continue
-        found_ips = repo.libs.tools.resolve_identifier(repo, rnode.name)
+        ip = rnode.metadata.get('external_ipv4')
-        for ip in sorted(found_ips['ipv4']):
+
-            if not ip.is_private:
+        if ip:
-                entries[str(ip)] = {
+            entries[ip] = {
                rnode.metadata.get('hostname'),
                rnode.name,
            }
            if rnode.metadata.get('powerdns/my_hostname', None):
-                    entries[str(ip)].add(rnode.metadata.get('powerdns/my_hostname'))
+                entries[ip].add(rnode.metadata.get('powerdns/my_hostname'))
    return {
        'hosts': {
@ -215,9 +211,8 @@ def firewall(metadata):
    return {
        'firewall': {
            'port_rules': {
-                '53': atomic(metadata.get('powerdns/restrict-to/dns', {'*'})),
+                '53': atomic(metadata.get('powerdns/restrict-to', {'*'})),
-                '53/udp': atomic(metadata.get('powerdns/restrict-to/dns', {'*'})),
+                '53/udp': atomic(metadata.get('powerdns/restrict-to', {'*'})),
                '8081': atomic(metadata.get('powerdns/restrict-to/api', set())),
            },
        },
    }
--- a/bundles/powerdnsadmin/items.py
+++ b/bundles/powerdnsadmin/items.py
@ -36,13 +36,10 @@ actions = {
        'needs': {
            'directory:/opt/powerdnsadmin', # provided by bundle:users
        },
        'after': {
            'pkg_apt:',
        },
    },
    'powerdnsadmin_install_deps': {
        'triggered': True,
-        'command': '/opt/powerdnsadmin/venv/bin/pip install --upgrade psycopg2-binary -r /opt/powerdnsadmin/src/requirements.txt',
+        'command': '/opt/powerdnsadmin/venv/bin/pip install -r /opt/powerdnsadmin/src/requirements.txt',
        'needs': {
            'action:powerdnsadmin_create_virtualenv',
            'pkg_apt:',
--- a/bundles/powerdnsadmin/metadata.py
+++ b/bundles/powerdnsadmin/metadata.py
@ -10,6 +10,7 @@ defaults = {
            'libxmlsec1-dev': {},
            'libxslt1-dev': {},
            'pkg-config': {},
            'python3-psycopg2': {},
            'python3-wheel': {},
        },
    },
--- a/bundles/pppd/files/dyndns
+++ b/bundles/pppd/files/dyndns
@ -1,8 +1,7 @@
 #!/usr/bin/env python3
 from sys import argv
 import requests
 from sys import argv
 INTERFACE = argv[1]
 LOCAL_IP = argv[4]
--- a/bundles/pretalx/files/pretalx-administrators-from-group
+++ b/bundles/pretalx/files/pretalx-administrators-from-group
@ -1,10 +1,9 @@
 #!/usr/bin/env python3
 import psycopg2
 from configparser import ConfigParser
 from sys import argv, exit
 import psycopg2
 def main():
    try:
--- a/bundles/rspamd/files/telegraf-rspamd-plugin
+++ b/bundles/rspamd/files/telegraf-rspamd-plugin
@ -1,8 +1,7 @@
 #!/usr/bin/env python3
 from sys import argv, stderr
 from requests import get
 from sys import argv, stderr
 try:
    r = get('http://127.0.0.1:11334/stat')
--- a/bundles/smartd/files/telegraf_plugin
+++ b/bundles/smartd/files/telegraf_plugin
@ -1,7 +1,7 @@
 #!/usr/bin/env python
 from json import loads
 from subprocess import check_output
 from json import loads
 from sys import stderr
 devices = check_output(['smartctl', '--scan']).decode().splitlines()
--- a/bundles/sshmon/files/check_forgejo_for_new_release
+++ b/bundles/sshmon/files/check_forgejo_for_new_release
@ -55,9 +55,8 @@ try:
        exit(2)
    else:
        print(
-            "Currently installed version {} matches newest release on {}".format(
+            "Currently installed version {} matches newest release on github".format(
-                current_version,
+                current_version
                host,
            )
        )
        exit(0)
--- a/bundles/sshmon/files/check_http_wget
+++ b/bundles/sshmon/files/check_http_wget
@ -2,8 +2,8 @@
 #this is actually a python https requests query, its called check_http_wget cause it got replaced
 from argparse import ArgumentParser
 from sys import exit
 from argparse import ArgumentParser
 import requests
--- a/bundles/sshmon/files/check_mounts
+++ b/bundles/sshmon/files/check_mounts
@ -5,6 +5,7 @@ from argparse import ArgumentParser
 from subprocess import check_output
 from tempfile import TemporaryFile
 check_filesystem_types = {
    'ext2',
    'ext3',
--- a/bundles/sshmon/metadata.py
+++ b/bundles/sshmon/metadata.py
@ -8,10 +8,7 @@ defaults = {
            'monitoring-plugins': {},
            'python3-requests': {},
            'python3-setuptools': {},  # needed by check_github_for_new_release
-            'sysstat': {
+            'sysstat': {},  # needed by check_cpu_stats
                # legacy
                'installed': False,
            },
        },
    },
    'icinga2_api': {
@ -40,6 +37,7 @@ defaults = {
            'perl-libwww': {},
            'monitoring-plugins': {},
            'python-requests': {},
            'sysstat': {},
        },
    },
 }
--- a/bundles/systemd-networkd/metadata.py
+++ b/bundles/systemd-networkd/metadata.py
@ -1,9 +1,6 @@
 defaults = {
    'apt': {
        'packages': {
            'isc-dhcp-client': {
                'installed': False,
            },
            'resolvconf': {
                'installed': False,
            },
--- a/bundles/travelynx/files/travelynx.conf
+++ b/bundles/travelynx/files/travelynx.conf
@ -5,13 +5,15 @@
 # 'localhost'.
 {
-    base_url => Mojo::URL->new('https://${domain}'),
+    # Cache directories for schedule and realtime data. Mandatory.  The parent
-
+    # directory ('/var/cache/travelynx' in this case) must already exist.
    cache => {
        schedule => '/var/cache/travelynx/iris',
        realtime => '/var/cache/travelynx/iris-rt',
    },
    # Database configuration. host and port are optional
    # (defaulting to localhost:5432), the rest is mandatory.
    db => {
        host => '${database.get('host', 'localhost')}',
        port => 5432,
@ -20,6 +22,8 @@
        password => '${database['password']}',
    },
    # See the Mojo::Server::Hypnotoad manual for details on the following
    # settings.
    hypnotoad => {
        accepts  => 100,
        clients  => 10,
@ -30,14 +34,21 @@
    },
    mail => {
        # If you want to disable outgoing mail for development purposes,
        # uncomment the following line.  Mails will instead be logged as
        # Mojolicious "info" messages, causing their content to be printed on
        # stdout.
        ## disabled => 1,
        # Otherwise, specify the sender ("From" field) for mail sent by travelynx
        # here.  E.g. 'Travelynx <mail@example.org>'
        from => '${mail_from}',
    },
-    ref => {
+    # Secrets used for cookie signing and verification. Must contain at least
-        issues => 'https://github.com/derf/travelynx/issues',
+    # one random string. If you specify several strings, the first one will
-        source => 'https://github.com/derf/travelynx',
+    # be used for signing new cookies, and the remaining ones will still be
-    },
+    # accepted for cookie validation.
    secrets => [
        '${cookie_secret}',
    ],
--- a/bundles/travelynx/items.py
+++ b/bundles/travelynx/items.py
@ -36,7 +36,7 @@ files = {
    },
    '/opt/travelynx/travelynx.conf': {
        'content_type': 'mako',
-        'context': node.metadata.get('travelynx'),
+        'context': node.metadata['travelynx'],
        'needs': {
            'git_deploy:/opt/travelynx',
        },
@ -61,7 +61,7 @@ if isfile(join(repo.path, 'data', 'travelynx', 'files', 'imprint', node.name)):
 git_deploy = {
    '/opt/travelynx': {
        'repo': 'https://github.com/derf/travelynx.git',
-        'rev': node.metadata.get('travelynx/version'),
+        'rev': node.metadata['travelynx']['version'],
        'needs': {
            'directory:/opt/travelynx',
        },
@ -84,7 +84,7 @@ actions = {
        'triggered': True,
    },
    'travelynx_database_migrate': {
-        'command': 'export PERL5LIB=/opt/travelynx/local/lib/perl5; cd /opt/travelynx && perl index.pl database migrate',
+        'command': 'cd /opt/travelynx && perl index.pl database migrate',
        # Because git_deploy does not put .git onto the server, the script
        # will complain on STDERR about not finding a git repository.
        # That's why we need to redirect stderr to /dev/null.
--- a/bundles/users/files/bashrc
+++ b/bundles/users/files/bashrc
@ -36,7 +36,6 @@ export EDITOR=vim
 export VISUAL=vim
 alias ipb='ip -brief --color=auto'
 alias ipa='ip -brief --color=always addr show; echo; ip --color=always route show; ip -6 --color=always route show'
 alias l='ls -lAh'
 alias s='sudo -i'
 alias v='vim -p'
--- a/bundles/users/items.py
+++ b/bundles/users/items.py
@ -1,4 +1,4 @@
-from os.path import exists, join
+from os.path import join, exists
 files = {
    '/etc/bash.bashrc': {
--- a/bundles/wireguard/metadata.py
+++ b/bundles/wireguard/metadata.py
@ -3,6 +3,7 @@ from ipaddress import ip_network
 from bundlewrap.exceptions import NoSuchNode
 from bundlewrap.metadata import atomic
 defaults = {
    'apt': {
        'packages': {
--- a/bundles/zfs/files/check_zpool_space
+++ b/bundles/zfs/files/check_zpool_space
@ -1,9 +1,9 @@
 #!/usr/bin/env python3
 import re
 from subprocess import check_output
 from sys import argv, exit
 import re
 def to_bytes(size):
--- a/bundles/zfs/files/zfs-auto-snapshot
+++ b/bundles/zfs/files/zfs-auto-snapshot
@ -2,6 +2,7 @@
 import re
 from datetime import datetime
 from json import loads
 from subprocess import check_call, check_output
--- a/bundles/zfs/items.py
+++ b/bundles/zfs/items.py
@ -1,4 +1,5 @@
 from json import dumps
 #from os.path import join
 from bundlewrap.metadata import MetadataJSONEncoder
--- a/data/apt/files/gpg-keys/influxdb.asc
+++ b/data/apt/files/gpg-keys/influxdb.asc
@ -1,29 +1,52 @@
 -----BEGIN PGP PUBLIC KEY BLOCK-----
 Version: GnuPG v1
-mQINBGPIEycBEACpG4qSjhxA6fh4QJVJxFVBvCFt9tVx/hDbKH0Ryy9iilyMeReC
+mQINBFYJmwQBEADCw7mob8Vzk+DmkYyiv0dTU/xgoSlp4SQwrTzat8MB8jxmx60l
-AS1/CZnSv/fhDNKmVPckf6on72z/ODwZcVfMV6DHkxmZ6x/tQrS6CWfKkupsON2H
+QjmhqEyuB8ho4zzZF9KV+gJWrG6Rj4t69JMTJWM7jFz+0B1PC7kJfNM+VcBmkTnj
-KS3t4HUivahwHPlWtbfDqsWNwTAsZqklKpJQWY2ADPwurkbCmtYSjsgbLuWe23Pd
+fP+KJjqz50ETnsF0kQTG++UJeRYjG1dDK0JQNQJAM6NQpIWJI339lcDf15vzrMnb
-nJpLTHtlChM0ntW/l7Le1zYjGPUGoxMJgjg1YG8fi2l/zS0Of8bdQ26ps+WRvrSQ
+OgIlNxV6j1ZZqkle4fvScF1NQxYScRiL+sRgVx92SI4SyD/xZnVGD/szB+4OCzah
-RKhfAkfIgUiCXxBpDlN1spN73ZlAkaSb+myTfEKyJR55Yt9pHfkDdJh26RVgE1+N
+0Q/MnNGV6TtN0RiCDZjIUYiHoeT9iQXEONKf7T62T4zUafO734HyqGvht93MLVU
-GuLmm6oidaD9lTlNJ9P8wlLzoof3xJXYprgLLz/HmgtawnJ+DxFIXoXNNpUmhORJ
+GQAeuyx0ikGsULfOsJfBmb3XJS9u+16v7oPFt5WIbeyyNuhUu0ocK/PKt5sPYR4u
-6Hb2Z5IKIyGIwXhQVe2Lw7B8awBNV99zUw517Wuax3RYx7Hwhntz9gFxS4GRxaCo
+ouPq6Ls3RY3BGCH9DpokcYsdalo51NMrMdnYwdkeq9MEpsEKrKIN5ke7fk4weamJ
-uLCFQ0AgDCkMHyEHufQo1XdjIB7fz6U551y5GMQw6/rjMnUM9ZI68SQ/FWou2cQf
+BiLI/bTcfM7Fy5r4ghdI9Ksw/ULXLm4GNabkIOSfT7UjTzcBDOvWfKRBLX4qvsx4
-533PyayvWOYQM4pP7ZmbzyCd393XlMaPWA5dyUOqv7Vcmv0IsAbncX6/KJmZAhKG
+YzA5kR+nX85u6I7W10aSqBiaLqk6vCj0QmBmCjlSeYqNQqSzH/6OoL6FZ7lP6AiG
-qu19xb6rv3ab2RbcU422guK3C/h/URPZJbSjf2w4jUV5UDe2veZg6BEVn7Sk5bW0
+F2NyGveJKjugoXlreLEhOYp20F81PNwlRBCAlMC2Q9mpcFu0dtAriVoG4gVDdYn5
-ceX8n0GVbPNG7CvRduJPjXNzsz3FzmUS8QFFde3H5gl1T0f6GcfhmKgKEQARAQAB
+t+BiGfD2rJlCinYLgYBDpTPcdRT3VKHWqL9fcC4HKmic0mwWg9homx550wARAQAB
-tDdJbmZsdXhEYXRhIFBhY2thZ2UgU2lnbmluZyBLZXkgPHN1cHBvcnRAaW5mbHV4
+tDFJbmZsdXhEQiBQYWNrYWdpbmcgU2VydmljZSA8c3VwcG9ydEBpbmZsdXhkYi5j
-ZGF0YS5jb20+iQJVBBMBCAA/BgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAUJBaOk
+b20+iQI3BBMBCgAhBQJWCZsEAhsDBQsJCAcDBRUKCQgLBRYDAgEAAh4BAheAAAoJ
-/BYhBJ1TnZDTMo3H1sjTudj/jh99+LB+BQJjyB9PAhsDAAoJENj/jh99+LB+klgQ
+EGhKFM8lguDF9XEQAK9rREnZt6ujh7GXfeNki35bkn39q8GYh0mouShFbFY9o0i3
-AKOKdwTyKOr6+mnRrACz5U3EFxfAXXFGan9Ka7Nzgz4K+FOnTtT1gWwqrPPmTKQk
+UJVChsxokJSRPgFh9GOhOPTupl3rzfdpD+IlWI2Myt6han2HOjZKNZ4RGNrYJ5UR
-epNUMcelfX1kCA08yCm0nyw2niqxES40W33ergKUj6jlDx7UQYXWsDQGD9IKksa8
+uxt4dKMWlMbpkzL56bhHlx97RoXKv2d2zRQfw9nyZb6t3lw2k2kKXsMxjGa0agM+
-MWfZlJ3zlrsGKXA4oa+kfY+vltWDVP8WhLcQzm2LywbKvr3WgY80GZbnRjoekiBK
+2SropwYOXdtkz8UWaGd3LYxwEvW3AuhI8EEEHdLetQaYe9sANDvUEofgFbdsuICH
-oMKztQVMJG5yNZBo9B4JrqB3wMpnXZxEtqZcBPsJJdXTFKHsQ7kB9TMNorbUvDNH
+9QLmbYavk7wyGTPBKfPBbeyTxwW2rMUnFCNccMKLm1i5NpZYineBtQbX2cfx9Xsk
-ohwsprgMw84vHikEk9jyCypXpYq/E/wvkM0CeIUJ36S2vGvACib7BiY6Xv0BQbM4
+1JLOzEBmNal53H2ob0kjev6ufzOD3s8hLu4KMCivbIz4YT3fZyeExn0/0lUtsQ56
-rWq2Rrjag1y5vVAF9gJkeo/3rhM6lE1ahDCRq0QcBMVzbxiE+3COIzRPmz14J3Yn
+5fCxE983+ygDzKsCnfdXqm3GgjaI90OkNr1y4gWbcd5hicVDv5fD3TD9f0GbpDVw
-0pkvzlVkNj5UZR8q91ESl+UxkFCP1wzcXgs0dpJWirQIOZ9E2eYv3LcjE68xjW1k
+yDz8YmvNzxMILt5Glisr6aH7gLG/u8jxy0D8YcBiyv5kfY4vMI2yXHpGg1cn/sVu
-c5q1GOGvJI7aXADxUZ4lFbz+NUb4Ts4HXHc8gV1Gm0vvmIqv2YfAvL5DXbKLdZxh
+ZB01sU09VVIM2BznnimyAayI430wquxkZCyMx//BqFM1qetIgk1wDZTlFd0n6qtA
-73CxKvBMmTXIEQ+vQJ3p1ZnUnb+l6DoxEFWg/hXHmE5jY3P6HIVFdliXF5FEs1lr
+fDmXAC4s5pM5rfM5V57WmPaIqnRIaESJ35tFUFlCHfkfl/N/ribGVDg1z2KDW08r
-9snU2Pn1BDL+TBN7SX0QbKqArWA4qyn6eGH8Z1ULoUVBPCjwC9QuInp/9fqifFYo
+96oEiIIiV4GfXl+NprJqpNS3Cn+aCXtd7/TsDScDEgs4sMaR29Lsf26cuWk8uQIN
-OM3A51MDGyc/HCVG6jNJEI5h71QGHlPfyQybpjy7rQSe
+BFYJmwQBEADDPi3fmwn6iwkiDcH2E2V31cHlBw9OdJfxKVUdyAQEhTtqmG9P8XFZ
-=YwXc
+ERRQF155XLQPLvRlUlq7vEYSROn5J6BAnsjdjsH9LmFMOEV8CIRCRIDePG/Mez2d
 nIK5yiU6GkS3IFaQg2T9/tOBKxm0ZJPfqTXbT4jFSfvYJ3oUqc+AyYxtb8gj1GRk
 X283/86/bA3C98u7re1vPtiDRyM8r0+lhEc59Yx/EAOL+X2gZyTgyUoH+LLuOWQK
 s1egI8y80R8NZfM1nMiQk2ywMsTFwQjSVimScvzqv5Nt8k8CvHUQ3a6R+6doXGNX
 5RnUqn9Qvmh0JY5sNgFsoaGbuk2PJrVaGBRnfnjaDqAlZpDhwkWhcCcguNhRbRHp
 N7/a0pQr70bAG9VikzLyGC17EU0sxney/hyNHkr4Uyy2OXHpuJvRjVKy/BwZ3fxA
 AYX2oZIOxQB3/OulzO/DppaCVhRtp1bt+Z5f+fpisiVb5DvZcMdeyAoQ4+oOr7v3
 EasIs2XYcQ+kOE3Y2kdlHWBeuXzxgWgJZ1OOpwGMjR3Uy6IwhuSWtreJBA4er+Df
 vgSPwKBsRLNLbPe3ftjArnC5GfMiGgikVdAUdN4OkEqvUbkRoAVGKTOMLUKm+ZkG
 OskJOVYS+JAina0qkYEFF7haycMjf9olhqLmTIC+6X7Ox9R2plaOhQARAQABiQIf
 BBgBCgAJBQJWCZsEAhsMAAoJEGhKFM8lguDF8ZIP/1q9Sdz8oMvf9AJXZ7AYxm77
 V+kJzJqi62nZLWJnrFXDZJpU+LkYlb3fstsZ1rvBhnrEPSmFxoj72CP0RtcyX7wJ
 dA7K1Fl9LpJi5H8300cC7UyG94MUYbrXijbLTbnFTfNr1tGx4a1T/7Yyxx/wZGrT
 H/X8cvNybkl33SxDdlQQ9kx3lFOwC41e3TkGsUWxn3TCfvDh8VdA6Py6JeSPFGOb
 MEO2/q7oUgvjfV+ivN5ayZi9bWgeqm1sgtmTHHQ4RqwwKrAb5ynXpn1b9QrkevgT
 b91uzMA22Prl4DuzKiaMYDcZOQ3vtf0eFBP0GOSSgUKS4bQ3dGgi1JmQ7VuAM4uj
 +Ug5TnGoLwclTwLksc7v89C5MMPgm2vVXvCUDzyzQA7bIHFeX+Rziby4nymec4Nr
 eeXYNBJWrEp8XR7UNWmEgroXRoN1x9/6esh5pnoUXGAIWuKzSLQM70/wWxS67+v2
 aC1GNb+pXXAzYeIIiyLWaZwCSr8sWMvshFT9REk2+lnb6sAeJswQtfTUWI00mVqZ
 dvI3Wys2h0IyIejuwetTUvGhr9VgpqiLLfGzGlt/y2sg27wdHzSJbMh0VrVAK26/
 BlvEwWDCFT0ZJUMG9Lvre25DD0ycbougLsRYjzmGb/3k3UktS3XTCxyBa/k3TPw3
 vqIHrEqk446nGPDqJPS5
 =9iF7
 -----END PGP PUBLIC KEY BLOCK-----
--- a/data/apt/files/gpg-keys/openhab.asc
+++ b/data/apt/files/gpg-keys/openhab.asc
@ -0,0 +1,52 @@
 -----BEGIN PGP PUBLIC KEY BLOCK-----
 mQINBFWz+OYBEACXcmKiL6ix1e4gJIWVoGMF7Hv0VOVKJgIUF/zJYBqk3sXQp/pi
 JbIoODhrrIbEK33mqgy1EfzEmDhEurule59hq9HAQpOEz9hVbghhnsB8eXEQ9yJO
 Wf8D8UGi2MKmqkvf7//jvdywNaQG/xhLu2xld7MxjuhswfiUWqoRFRpQoKY2QCe9
 n92qS0MGGK0B6WgapZZPT6AGyqKYtkCA5qUn7bcoEM2236nXhOAYHJh0o4qJ+cBk
 BbSx8KEdrZxKQH50gB//gk/K2s+6CbYYOcJX6z3SLa3fxzlbyH9xQhpumAv/++2v
 IIJbJHJicsmCKe/SQ7x5xVh90j6xA3oiYZIG78xWL0xnGCPhFws861dR2iON6CSp
 +UKDciEQJH+Ew40la+DcHH7tzHlpZpCC1Jv7VBDkhziPrsscgOtYEwfhsq0Pyfpo
 0IsyVDBUyj3Nne1NcKShd6+SYFz+gtXkttELi+DZmyA6onatw7LPGFHs8gOVKYBM
 PzmERQ1DjlFW+Dc8FEQquYiquzmkyhJUXHVD1G8Mkic8jhccWbv3S7ePanvpgyZ3
 /KBAWk48/sym+zJTLWuJsCCNLI3K6gngexz1MMaRaPkbVK+4aboNLm6YhVlF5RCK
 rTzIUAeB4dmu1k8Quqy/nYhYMokB9w5hiPwmGutjbpOntnrfqxvYy1EL1wARAQAB
 tDBvcGVuSEFCIEJpbnRyYXkgUmVwb3NpdG9yaWVzIDxvd25lckBvcGVuaGFiLm9y
 Zz6JAlQEEwEKAD4CGwMFCwkIBwMFFQoJCAsFFgIDAQACHgECF4AWIQTtt9AwTi/K
 9infEWMHVyH2oiQGCgUCXTjCTAUJDwsFBgAKCRAHVyH2oiQGCmfMD/sGZickeBlA
 +x8XxfzvwxTnW/8MCvFBa4l/GoK9bALylvekP4adk/aaySMk/zjk231mwmMuttnP
 VDg6TwhxhthveAFdbJEkTNhWUqH0FzyN9QwEGfIodjkQSYWwosY+55V0uYp2zfo9
 iHOtxzXjuLnkpZZPyY33qqGruqhnbyo2J09oLNw4MIwOepNMihP5u0nudTXiDivg
 eg8lx/4WIIfwDwCe1gSBnU/731B0TIruxz3cQabLgeTuKB13+ajtJGuH1qrHxMVx
 CFhD8wCugNj0qcI6NS06SXwLSAFr+xIeFXWVum2okWt2nzPpn7ll/FUG+qRECipt
 m1IaEbelUrcuk7dUY75Fz5Fx8S0HtYAcCYYBDnhcaSSq7sK0NklrVz+bQZsJx4hY
 ebkiNI/xFM3slOYoRzGWawuVpG/y1/VM/QRPS4uUS5rnvbGLVpn3bR+03FQwZWeb
 yfMNke74TlM9+aEJZb1uxYQGLDFNDVNyALtGhDDp0R/FuDR0my3va3GJnZrtUGVg
 M5Xfs/ebsKZ+CuLKqlbdZ0zjLUCJoT+tGGT1VPpi83jc+4wZXynj9b9/CWHoDfaN
 VKTj95R7c7IOMRH5srpHX3qSzIF2Yav395SxJNuTTxcPCZ+n2M8jhvVnn4x8sWn5
 Ms0cN2tKVmfIbLF/1JempVsifJmRkbqN+rkCDQRVs/jmARAAxrYK7y1WW/szELpQ
 guGSJGIjLt3tNGHGLP3lX4G1DlbziysTx3fY+c+hzGAM8WInsABq5fOWqkiLfx3f
 wlHdo7bxv3U+xWq+xV9OOx+tjJn2xI3EtZ632pOQtxj/+6Tdcf3tIwOSMKK5kpGw
 DU1VoLkWMfJeq0md6TDRB49p82Q1UGTaVCCfHYpvwCyuv1FWhSQuPJJLdP0YRX2i
 1L7zyJLUzjmlAmlNoSMSaoozNJoz/XKFOPoJ66Tu8j8j8W+yqcAKeRTPiZXCEjbh
 3wgxrx3PWV77kOmtfb0sHyxRujdJvEUfixrSoi4qLrE8kCo2OR8d1C5DsMlbZzvF
 kHWaNSkOtpWqEGD/+BLs6lejHvbBEvYSsQMF53yH8q1U+9+7CP9wwKKAtN7LQJcw
 xUADv/UhSLA/ZZTisaeUVem9vZlnVfANSieYQvy6zWqvKF4FhBpQbVzSINWv/nzu
 NR4gg3uJRMHUb4cyfy3mmJ7FwwF8oHQXU+mkILWmiwrMDbq0Mjc8FRL5Bg4iTwS5
 jDGLZ0g4xU0GYi22eAWPL0dpQpA8t5Ja7W+x+VASOtbpnMAJO94YZ4yXlDcDeNJD
 uo2y0z+xjuloPrGK+AssCpOBxpBlcrAFRMx5+rpkHSlLtkQNPeBPwXlryafDZ2PA
 QsLBxUmFphyBraakmdGP3mR9ThUAEQEAAYkCPAQYAQoAJgIbDBYhBO230DBOL8r2
 Kd8RYwdXIfaiJAYKBQJdOMOgBQkPDFfaAAoJEAdXIfaiJAYKDLgP/iuh/Kppaem/
 wsRs6ehuCyEVz7ZJsKeq9ZL3d0jQy0CaFQRSICucptBeb14rTvf/i5+eEQI7E/bJ
 9dLm1mepVS8M3wyn9+pP+Loa7bajEAD5ap08F88q56s+U70HO30qRHxp2yD9ZU0A
 joX8pAIS/YaMicm1EFYajpyls/Jcyp2JG2AavRsrQ3iHvGv5Fc2/09E76lwje/Yh
 royPhCrVm0adk6sxLfmKNiXBpLb5gzHR81oo20zk0+qYg2pRcVvfd6PvOcsrO4tl
 K8kUMyfYixVKJu59xtMdg5ff6qlBrmTXkxyGb0t7VlhnX4UKcVU//+6b0TnBmUaG
 61CZ4CGD2VvUMXcM0ihYl85g7+O9u/P2u3mhLX3xEa+rM4XpzqajL+jpt3CGQLkp
 TnKZ8g1k9l7UkrHvVs/tBTCPvOEstzMwq2tWNuCbJ7Y9oB6FDPZGM3oFe2ubu2OH
 MFT3KmOhD2jhWCXyB1hK/LOmINGfdfulBsK2KLKtKoJMWu2QLyMLa91l3AhzbH+s
 7gQY6iC9rTy9qfHGOLTPjrHfkmrBky+KiDx1KVOnQvPqloLbKhkq1KHv8TAonqGK
 THbU4Eod0DmWw80Z2zX7jV3BJs9VmDhr5NzpaZCVlrKrL+vIXzFClCYWQQMwfHpO
 Yyq3xLVDG/Zs7LmgSAiEITxRFTR4qg7k
 =r37a
 -----END PGP PUBLIC KEY BLOCK-----
--- a/data/backup/keys/home.openhab.key.vault
+++ b/data/backup/keys/home.openhab.key.vault
--- a/data/backup/keys/home.openhab.pub
+++ b/data/backup/keys/home.openhab.pub
--- a/data/backup/keys/ns-primary.key.vault
+++ b/data/backup/keys/ns-primary.key.vault
@ -1 +0,0 @@
 encrypt$gAAAAABj1jTasX0XOFRWh7F0pxNgMoJIjrblvqOM8ohGVCsvVyMEQDiOmGaJCs9lW-lbeghlzRpiC8P7CNot6OOeNXBYWmxN_HgN3J2p6Q5-XoSJ62NUJWQNRNNENuiN1Yy0g0MREk4gVsNh8-VeoXuKgyLEXJQJI-SYLzl8faZoBnQGTK4FbTAiN6KSB4EbTPwxx-8dYp8kNIj4ipBjkQKNu-mXuVvdnf5fTUwTCQx6rz7yjlp7DOPuSJDASg5bE33dd8gt89grW5vBKeEnQsi7hpJCJF5vNfRay89IKfjf6UqxJHKCmS2tIWQ9Kz4Tv41MnNR0-jvnULq7TWcnqwo_SKb8JRLUA3dH2wLiOUu7aApYSkeSNiul2ILCtBPsjY_eWzqdd3tkpJBErOcFVe2mdjVRSIUOXTM_T3nNWCJgn5TxD4qbHklZoCaM6Ey9P_yQj-sSRGizgcDhGiqY8xJNmwbWz9IH5a_Fs6iRVhAh6VzSa1ZAKxcum87dj-KVA_SjG9hy7Dy28xK0D4NoSpYFOkEz4VHpa1tP0t8QJ2WtQiw-qjHFzokkIINEUKUPIBg6t_5oedJ24YMnyyzBZ2_uQ1HFVFjBx-7Iw73bTPNluVwXkobzEnrYFwDsEXGE6tR0HjbteNxj
--- a/data/backup/keys/ns-primary.pub
+++ b/data/backup/keys/ns-primary.pub
@ -1 +0,0 @@
 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL+FCn1sWP74+lVAyaXDpXxCCauh6LC2KEJmIMhDEYvJ kunsi@kunsi-p14s.kunbox.net
--- a/data/powerdns/files/bind-zones/cybert-media.net
+++ b/data/powerdns/files/bind-zones/cybert-media.net
@ -0,0 +1,9 @@
 ${header}
 $ORIGIN cybert-media.net.
@               IN  A       159.69.11.231
                IN  AAAA    2a01:4f8:c2c:c410::1
                IN  TXT     "v=spf1 a ~all"
 www             IN  CNAME   cybert-media.net.
--- a/data/powerdns/files/bind-zones/die-brontosaurier-waren-es.org
+++ b/data/powerdns/files/bind-zones/die-brontosaurier-waren-es.org
@ -0,0 +1,9 @@
 ${header}
 $ORIGIN die-brontosaurier-waren-es.org.
 ; ends up on rx300.kunbox.net
@               IN  A       31.47.232.106
                IN  AAAA    2a00:f820:528::2
                IN  MX      10 rx300.kunbox.net.
                IN  TXT     "v=spf1 mx ~all"
--- a/data/powerdns/files/bind-zones/emails.sexy
+++ b/data/powerdns/files/bind-zones/emails.sexy
@ -0,0 +1,3 @@
 ${header}
 $ORIGIN emails.sexy.
--- a/data/powerdns/files/bind-zones/eskalation.jetzt
+++ b/data/powerdns/files/bind-zones/eskalation.jetzt
@ -0,0 +1,9 @@
 ${header}
 $ORIGIN eskalation.jetzt.
 queere  IN  NS  ns1.athena7.eu.
 queere  IN  NS  ns2.athena7.eu.
 queere  IN  NS  ns3.athena7.eu.
 queere  IN  NS  ns4.athena7.eu.
--- a/data/powerdns/files/bind-zones/felix-kunsmann.de
+++ b/data/powerdns/files/bind-zones/felix-kunsmann.de
@ -0,0 +1,5 @@
 ${header}
 $ORIGIN felix-kunsmann.de.
@               IN  MX      10 rx300.kunbox.net.
--- a/data/powerdns/files/bind-zones/flauschehorn.sexy
+++ b/data/powerdns/files/bind-zones/flauschehorn.sexy
@ -0,0 +1,15 @@
 ${header}
 $ORIGIN flauschehorn.sexy.
@               IN  A       5.189.140.103
                IN  AAAA    2a02:c207:3002:8320:feed:f2c1:c0ff:ee
                IN  MX      10 rx300.kunbox.net.
                IN  TXT     "v=spf1 mx ~all"
 _dmarc          IN  TXT     "v=DMARC1; p=quarantine; rua=mailto:hostmaster@kunbox.net; ruf=mailto:postmaster@kunsmann.eu; fo=0:d:s; adkim=r; aspf=r"
 uO4aNejDvVdw8BKne3KJIqAvCQMJ0416._domainkey IN TXT ( "v=DKIM1; k=rsa; "
    "p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnh5Ym9PO7r+wdOIKfopvHzn3KU3qT6IlCG/gvvbmIqoeFQfRbAe3gQmcG6RcLue55cJQGhI6y2r0lm59ZeoHR40aM+VabAOlplekM7xWmoXb/9vG2OZLIqAyF4I+7GQmTN6B9keBHp9SWtDUkI0B0G9neZ5MkXJP705M0duxritqQlb4YvCZwteHiyckKcg9aE9j+GF2EEawBoVDp"
    "oveoB3+wgde3lWEUjjwKFtXNXxuN354o6jgXgPNWtIEdPMLfK/o0CaCjZNlzaLTsTegY/+67hdHFqDmm8zXO9s+Xiyfq7CVq21t7wDhQ2W1agj+up6lH82FMh5rZNxJ6XB0yQIDAQAB"
 ) ;
--- a/data/powerdns/files/bind-zones/franzi.business
+++ b/data/powerdns/files/bind-zones/franzi.business
@ -0,0 +1,43 @@
 ${header}
 $ORIGIN franzi.business.
 ; ends up on rx300.kunbox.net
@               IN  A       31.47.232.106
                IN  AAAA    2a00:f820:528::2
                IN  MX      10 rx300.kunbox.net.
                IN  TXT     "v=spf1 mx a:sewfile.htz-cloud.kunbox.net ~all"
 chat            IN  CNAME   rx300.kunbox.net.
 dimension       IN  CNAME   rx300.kunbox.net.
 git             IN  CNAME   rx300.kunbox.net.
 jenkins         IN  CNAME   rx300.kunbox.net.
 matrix          IN  CNAME   rx300.kunbox.net.
 mta-sts         IN  CNAME   rx300.kunbox.net.
 netbox          IN  CNAME   rx300.kunbox.net.
 sewfile         IN  CNAME   sewfile.htz-cloud.kunbox.net.
 paste           IN  CNAME   rx300.kunbox.net.
 postfixadmin    IN  CNAME   rx300.kunbox.net.
 radicale        IN  CNAME   rx300.kunbox.net.
 rss             IN  CNAME   rx300.kunbox.net.
 status          IN  CNAME   icinga2.ovh.kunbox.net.
 tickets         IN  CNAME   franzi-business.cname.pretix.eu.
 travelynx       IN  CNAME   rx300.kunbox.net.
 wiki            IN  CNAME   rx300.kunbox.net.
 woodpecker      IN  CNAME   rx300.kunbox.net.
 _matrix._tcp    IN  SRV     10 10 443 matrix
 _dmarc          IN  TXT     "v=DMARC1; p=quarantine; rua=mailto:hostmaster@kunbox.net; ruf=mailto:postmaster@kunsmann.eu; fo=0:d:s; adkim=r; aspf=r"
 _mta-sts        IN  TXT     "v=STSv1;id=20201111;"
 _smtp._tls      IN  TXT     "v=TLSRPTv1;rua=mailto:hostmaster@kunbox.net"
 _token._dnswl   IN  TXT     "gg3mbwjx9bbuo5osvh7oz6bc881wcmc"
 2019._domainkey IN  TXT     ( "v=DKIM1; k=rsa; "
    "p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwkg6UAcu3V98hal1UVf6yB0WT1CKDS0AK83CUlSP8bUwraPxkxK1nkQOUsmjbQs6a3FhdsKprMi32GeUaTVvZg81JIybPk3jNugfNWfSjs2TXPomYu+XD2pmmbR3cZlzC5NGR2nmBFt/P/S2ihPHj35KziiBIwK1TdvOi1M2+upCjK33Icco0ByCm0gJpD2O0cbqcBcUKqd6X440"
    "vYhNXH1ygp0e91P0iRnvS9sg6yD0xjD8kD6j/8GfxBY+9bpU3EvDoBgyJSbjw5b6PUVJbKMXzw1NIRNj0SXKs5BakjS8+7u62vR11IPCYRwy+yr0rDT0tNegM7gStIIgoTpOoQIDAQAB"
 ) ;
 uO4aNejDvVdw8BKne3KJIqAvCQMJ0416._domainkey IN TXT ( "v=DKIM1; k=rsa; "
    "p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnh5Ym9PO7r+wdOIKfopvHzn3KU3qT6IlCG/gvvbmIqoeFQfRbAe3gQmcG6RcLue55cJQGhI6y2r0lm59ZeoHR40aM+VabAOlplekM7xWmoXb/9vG2OZLIqAyF4I+7GQmTN6B9keBHp9SWtDUkI0B0G9neZ5MkXJP705M0duxritqQlb4YvCZwteHiyckKcg9aE9j+GF2EEawBoVDp"
    "oveoB3+wgde3lWEUjjwKFtXNXxuN354o6jgXgPNWtIEdPMLfK/o0CaCjZNlzaLTsTegY/+67hdHFqDmm8zXO9s+Xiyfq7CVq21t7wDhQ2W1agj+up6lH82FMh5rZNxJ6XB0yQIDAQAB"
 ) ;
--- a/data/powerdns/files/bind-zones/kunbox.net
+++ b/data/powerdns/files/bind-zones/kunbox.net
@ -1,14 +1,4 @@
-$TTL 60
+${header}
@       IN  SOA ns-primary.kunbox.net.    hostmaster.kunbox.net. (
        ${SERIAL}
        3600
        600
        86400
        300
    )
 ${NAMESERVERS}
 $ORIGIN kunbox.net.
@ -20,10 +10,6 @@ $ORIGIN kunbox.net.
                    IN  MX      10 rx300
                    IN  TXT     "v=spf1 mx ~all"
 ; delegate acme stuff to psql-managed zone
 _acme-challenge     IN  CNAME   _acme-challenge.kunbox.net.le.kunbox.net.
 _acme-challenge.home IN CNAME   _acme-challenge.home.kunbox.net.le.kunbox.net.
 ; Mail servers
 mta-sts             IN  CNAME   rx300
--- a/data/powerdns/files/bind-zones/kunsmann.eu
+++ b/data/powerdns/files/bind-zones/kunsmann.eu
@ -0,0 +1,31 @@
 ${header}
 $ORIGIN kunsmann.eu.
 ; ends up on rx300.kunbox.net
@               IN  A       31.47.232.106
                IN  AAAA    2a00:f820:528::2
                IN  MX      10 rx300.kunbox.net.
                IN  TXT     "v=spf1 mx ~all"
 git                     IN  CNAME   rx300.kunbox.net.
 grafana                 IN  CNAME   influxdb.htz-cloud.kunbox.net.
 icinga                  IN  CNAME   icinga2.ovh.kunbox.net.
 influxdb                IN  CNAME   influxdb.htz-cloud.kunbox.net.
 luther-ps               IN  CNAME   luther.htz-cloud.kunbox.net.
 mta-sts                 IN  CNAME   rx300.kunbox.net.
 statusmonitor.icinga    IN  CNAME   icinga2.ovh.kunbox.net.
 _dmarc                  IN  TXT     "v=DMARC1; p=quarantine; rua=mailto:hostmaster@kunbox.net; ruf=mailto:postmaster@kunsmann.eu; fo=0:d:s; adkim=r; aspf=r"
 _mta-sts                IN  TXT     "v=STSv1;id=20201111;"
 _smtp._tls              IN  TXT     "v=TLSRPTv1;rua=mailto:hostmaster@kunbox.net"
 _token._dnswl           IN  TXT     "5mx0rv9ru8s1zz4tf4xlt48osh09czmg"
 2019._domainkey         IN  TXT     ( "v=DKIM1; k=rsa; "
    "p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwkg6UAcu3V98hal1UVf6yB0WT1CKDS0AK83CUlSP8bUwraPxkxK1nkQOUsmjbQs6a3FhdsKprMi32GeUaTVvZg81JIybPk3jNugfNWfSjs2TXPomYu+XD2pmmbR3cZlzC5NGR2nmBFt/P/S2ihPHj35KziiBIwK1TdvOi1M2+upCjK33Icco0ByCm0gJpD2O0cbqcBcUKqd6X440"
    "vYhNXH1ygp0e91P0iRnvS9sg6yD0xjD8kD6j/8GfxBY+9bpU3EvDoBgyJSbjw5b6PUVJbKMXzw1NIRNj0SXKs5BakjS8+7u62vR11IPCYRwy+yr0rDT0tNegM7gStIIgoTpOoQIDAQAB"
 ) ;
 uO4aNejDvVdw8BKne3KJIqAvCQMJ0416._domainkey IN TXT ( "v=DKIM1; k=rsa; "
    "p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnh5Ym9PO7r+wdOIKfopvHzn3KU3qT6IlCG/gvvbmIqoeFQfRbAe3gQmcG6RcLue55cJQGhI6y2r0lm59ZeoHR40aM+VabAOlplekM7xWmoXb/9vG2OZLIqAyF4I+7GQmTN6B9keBHp9SWtDUkI0B0G9neZ5MkXJP705M0duxritqQlb4YvCZwteHiyckKcg9aE9j+GF2EEawBoVDp"
    "oveoB3+wgde3lWEUjjwKFtXNXxuN354o6jgXgPNWtIEdPMLfK/o0CaCjZNlzaLTsTegY/+67hdHFqDmm8zXO9s+Xiyfq7CVq21t7wDhQ2W1agj+up6lH82FMh5rZNxJ6XB0yQIDAQAB"
 ) ;
--- a/data/powerdns/files/bind-zones/trans-agenda.de
+++ b/data/powerdns/files/bind-zones/trans-agenda.de
@ -0,0 +1,4 @@
 ${header}
 $ORIGIN trans-agenda.de.
--- a/data/powerdns/files/bind-zones/trans-agenda.eu
+++ b/data/powerdns/files/bind-zones/trans-agenda.eu
@ -0,0 +1,22 @@
 ${header}
 $ORIGIN trans-agenda.eu.
@               IN  MX      10 rx300.kunbox.net.
                IN  TXT     "v=spf1 a mx ~all"
 mta-sts         IN  CNAME   rx300.kunbox.net.
 _dmarc          IN  TXT     "v=DMARC1; p=quarantine; rua=mailto:hostmaster@kunbox.net; ruf=mailto:postmaster@kunsmann.eu; fo=0:d:s; adkim=r; aspf=r"
 _mta-sts        IN  TXT     "v=STSv1;id=20201111;"
 _smtp._tls      IN  TXT     "v=TLSRPTv1;rua=mailto:hostmaster@kunbox.net"
 _token._dnswl   IN  TXT     "5mx0rv9ru8s1zz4tf4xlt48osh09czmg"
 2019._domainkey IN  TXT     ( "v=DKIM1; k=rsa; "
    "p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwkg6UAcu3V98hal1UVf6yB0WT1CKDS0AK83CUlSP8bUwraPxkxK1nkQOUsmjbQs6a3FhdsKprMi32GeUaTVvZg81JIybPk3jNugfNWfSjs2TXPomYu+XD2pmmbR3cZlzC5NGR2nmBFt/P/S2ihPHj35KziiBIwK1TdvOi1M2+upCjK33Icco0ByCm0gJpD2O0cbqcBcUKqd6X440"
    "vYhNXH1ygp0e91P0iRnvS9sg6yD0xjD8kD6j/8GfxBY+9bpU3EvDoBgyJSbjw5b6PUVJbKMXzw1NIRNj0SXKs5BakjS8+7u62vR11IPCYRwy+yr0rDT0tNegM7gStIIgoTpOoQIDAQAB"
 ) ;
 uO4aNejDvVdw8BKne3KJIqAvCQMJ0416._domainkey IN TXT ( "v=DKIM1; k=rsa; "
    "p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnh5Ym9PO7r+wdOIKfopvHzn3KU3qT6IlCG/gvvbmIqoeFQfRbAe3gQmcG6RcLue55cJQGhI6y2r0lm59ZeoHR40aM+VabAOlplekM7xWmoXb/9vG2OZLIqAyF4I+7GQmTN6B9keBHp9SWtDUkI0B0G9neZ5MkXJP705M0duxritqQlb4YvCZwteHiyckKcg9aE9j+GF2EEawBoVDp"
    "oveoB3+wgde3lWEUjjwKFtXNXxuN354o6jgXgPNWtIEdPMLfK/o0CaCjZNlzaLTsTegY/+67hdHFqDmm8zXO9s+Xiyfq7CVq21t7wDhQ2W1agj+up6lH82FMh5rZNxJ6XB0yQIDAQAB"
 ) ;
--- a/data/powerdns/files/bind-zones/warnochwas.de
+++ b/data/powerdns/files/bind-zones/warnochwas.de
@ -0,0 +1,3 @@
 ${header}
 $ORIGIN warnochwas.de.
--- a/data/ssl/_.franzi.business.crt.pem
+++ b/data/ssl/_.franzi.business.crt.pem
@ -1,27 +1,27 @@
 -----BEGIN CERTIFICATE-----
-MIIEijCCA3KgAwIBAgISA8l+oC4pMh1Q/UNiEPuiw39OMA0GCSqGSIb3DQEBCwUA
+MIIEiTCCA3GgAwIBAgISBEiaFE6qZ3+AhUkmqKta5OSuMA0GCSqGSIb3DQEBCwUA
 MDIxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQD
-EwJSMzAeFw0yMzAxMjkwNDM5NTFaFw0yMzA0MjkwNDM5NTBaMBoxGDAWBgNVBAMT
+EwJSMzAeFw0yMjExMDYwNjA3MTZaFw0yMzAyMDQwNjA3MTVaMBoxGDAWBgNVBAMT
-D2ZyYW56aS5idXNpbmVzczB2MBAGByqGSM49AgEGBSuBBAAiA2IABMlQ1P5Y0aZ5
+D2ZyYW56aS5idXNpbmVzczB2MBAGByqGSM49AgEGBSuBBAAiA2IABFdgHf2P15+0
-vUzB4TAP8iIuiO3GJnYhnKrbe/Lz3gf6Ct9bGM4JLY3RI9xcSmol3sNKdVmbHMRe
+as3iN/M7itWsdWCtH35cGIf871AeU5OhB4JDNbb5aDsho9ga/vIsjpB1Xh3EhNvP
-z63GW4twSnS517axo6jcT0YQkFVyhWHvLnpBW42M1FpjzaDCbs74zKOCAl4wggJa
+I3b8KT9JUUE/dIRaWvNp8OSKihiU72mXIIlmslVW2AeqwBGMU0L+46OCAl0wggJZ
 MA4GA1UdDwEB/wQEAwIHgDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIw
-DAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQURw5+tfBU0aOBqfN40kz43fUcjx4wHwYD
+DAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQUsY9YAWIXWlFiQi/JImI6LFxrc6gwHwYD
 VR0jBBgwFoAUFC6zF7dYVsuuUAlA5h+vnYsUwsYwVQYIKwYBBQUHAQEESTBHMCEG
 CCsGAQUFBzABhhVodHRwOi8vcjMuby5sZW5jci5vcmcwIgYIKwYBBQUHMAKGFmh0
 dHA6Ly9yMy5pLmxlbmNyLm9yZy8wLQYDVR0RBCYwJIIRKi5mcmFuemkuYnVzaW5l
 c3OCD2ZyYW56aS5idXNpbmVzczBMBgNVHSAERTBDMAgGBmeBDAECATA3BgsrBgEE
 AYLfEwEBATAoMCYGCCsGAQUFBwIBFhpodHRwOi8vY3BzLmxldHNlbmNyeXB0Lm9y
-ZzCCAQUGCisGAQQB1nkCBAIEgfYEgfMA8QB3AHoyjFTYty22IOo44FIe6YQWcDIT
+ZzCCAQQGCisGAQQB1nkCBAIEgfUEgfIA8AB2ALc++yTfnE26dfI5xbpY9Gxd/ELP
-hU070ivBOlejUutSAAABhfwJ/TEAAAQDAEgwRgIhAINjOWzyMeYZYFNk5cdghSwA
+ep81xJ4dCYEl7bSZAAABhEvD10MAAAQDAEcwRQIhAM2BBzR9UWZNuK3+nk6AdaJL
-JDuxKo8/ubIlsAV9ymJWAiEAuVZjp2GQ0RmFyGVDiF865uC4lTtzMIwmpgwYiBqg
+1j8OvFPZnb+CJqdYtBe8AiAJM4kwOyZLzK/ZGXzwBJLjRTXs2hJZ4qXUzszhv/hs
-DQsAdgCt9776fP8QyIudPZwePhhqtGcpXc+xDCTKhYY069yCigAAAYX8Cf1OAAAE
+QB2AHoyjFTYty22IOo44FIe6YQWcDIThU070ivBOlejUutSAAABhEvD2UYAAAQD
-AwBHMEUCIGoeOIHC8O+zj/3E89BHv+9siaKSOy/2I6i53V5faX3EAiEAsk/Lhr/0
+AEcwRQIgfMXcWDFe5IKe6n4D9t3zpecF7wCIje8pBd4WQ3OfxM4CIQDpGTCU2pUI
-NpogdjroYqt1sKvTzmO0BrxWJ5a41JQdtX0wDQYJKoZIhvcNAQELBQADggEBAIM4
+Hfwkq+6a2j6Lh3baERBbrfnGDF2AOjjelzANBgkqhkiG9w0BAQsFAAOCAQEAMGiD
-moszjbZGKjaoCtsj5t7Dtxu/JmE9gOnwfxnUrDKn0T00dKQi8Mk6a4C5vdGnxorO
+9uo+WVO+p/HFA+bHM/1ZaTDBONP72YHPx0tdFvQAPQ59n8n6KsE2w9cioNHiRYVv
-lj8VutznRvp1RKxb6WWyk0iW22rLm+kTudf/vf9lY0X7DmD/u3MO2tGumwjMdLRT
+WhoHjWXtzsCiJzNvc4wuTCxJkBtfSAvsOGqGMQJ+cQym+aSBKqSKvKsIQQjOmz/p
-QgxP+yu8R03ZppnuzYZhERAbY6AuC/U+owiYjNfF4v1Eyn4zxe6L2v0UWGnBWObb
+sere5gqTkhuCfnbF8AL7JqDFld4knlbzzsdhj0SjcAO4OUA8SdHdGq192hVRB+nL
-xv5RbhHFezr676GaLIrcVh0rN6YNK2J1Cei2pNtAVSLiSJvuuO5Qq1KE7wQqbGd+
+IFb6Ax4jD/fQ19j+uL+F1MgMmwUkVF77X279FGlax9PGpmQ47aLj5w7qDpZxfHf9
-lqK2tcEZRtzaFrpW7C0ZW7LpgO8zdeN4BtD25ozhGJO/0H5hhKpQ/wtWqXYKkhC/
+Z2nq14Bk6USZcz9hR+gq38lvo6aU/0MvPey9QiIzLg78K0gEQ1o3qoUIl+9erSLR
-G47QSheqKqJnHOCL0hA=
+ssU+fmyZoeNBV6q8xw==
 -----END CERTIFICATE-----
--- a/data/ssl/_.franzi.business.key.pem.vault
+++ b/data/ssl/_.franzi.business.key.pem.vault
@ -1 +1 @@
-encrypt$gAAAAABj1gankGocRRCdH6WqCUFJ6UtA1f07KpXYh4KcelenJv0ZbQ98f2nwIk29iXWEIsS9FTiRyEG95u_Lmm_p7GbKCMDSIZfZgAC2I3tp_BxZPerhEkwxTT_BjEYHRjMDFrzwoAypTO1Mj_XiT_CYvAZptHI3MZcI9QwPVw-CMJ4KqzG-IztkW8KVnuM7agiBdUt4IYkLyeZ0IoL4nOIWANtdM-y4rILv6N7WIMw6dgsSvLPEQR-PYdNLq866IR0-yFGOfYcQKOvpBqAt6A69E6JxSm3AakaJaS75QYF2lzGVjTfrFoGz60LUjC60KuTsu3dUckGUm7JEq1BSMxvc5b_a6pCazvoAnM0gbtbM_DjL0phLj7VWZEg-_1CHfc2S0-UxbxBjLKJ3NPPs93_En5RWxqxkhvvZgxzWJqQWP2eBprge8Q_EEXkMbxumVVx9Ymdynlw2AgkQhVVJIu_vnsZ4Uc8vIA==
+encrypt$gAAAAABjZ10m0BnUbl5777KN6VHf6uAdtcs15-osbqRoQq6epRuWllD-ziy_2N7BrOkRcmfSJaB8zZ1l1bLD6ws3SlI7jvbkahvWnuKinkGiE30SGGjqr6MY_NJGawdox8OJWrsWLFYJJjrePl_mmVtx9G41oBreKizj1YPswzbzsFociJ0zF0xlx99sjjLxRB5PEaI3fwK1eXDmODGZ__dwKxINGSB2zxPb10Vwtnsp3cmaUiKh1TfIghQAm523cAuHPys1-tNXuJpvhPY3tIxB5gHZYiBXMzcS64mD1KqEubsnplxQlK-N_mJ7Q6n0xReG00pqvm5twRI5g7PoHYLH7nZI7KYOSI2XMAS7gP6Uy-H60BQKAHXuX4yutznVRJspv0wa4kfW9vcBfFECBhFeC8tAAkgAc-NvAsDYk6tYSi2k3N2zXsiyHy0NL-JMnUEicQT3YZNnfkoYqjuxwFbQvgtZZun38w==
--- a/data/ssl/_.home.kunbox.net.crt.pem
+++ b/data/ssl/_.home.kunbox.net.crt.pem
@ -1,27 +1,27 @@
 -----BEGIN CERTIFICATE-----
-MIIEijCCA3KgAwIBAgISA28YyqkbxYen4u/lcNEqBY7lMA0GCSqGSIb3DQEBCwUA
+MIIEijCCA3KgAwIBAgISA7oUZzeuZgmxMvP1zm5RtCGYMA0GCSqGSIb3DQEBCwUA
 MDIxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQD
-EwJSMzAeFw0yMzAxMjkwOTE0MjZaFw0yMzA0MjkwOTE0MjVaMBoxGDAWBgNVBAMT
+EwJSMzAeFw0yMjExMDYwNjA3MTdaFw0yMzAyMDQwNjA3MTZaMBoxGDAWBgNVBAMT
-D2hvbWUua3VuYm94Lm5ldDB2MBAGByqGSM49AgEGBSuBBAAiA2IABCsS8YhWoIvn
+D2hvbWUua3VuYm94Lm5ldDB2MBAGByqGSM49AgEGBSuBBAAiA2IABDcmJYSIKimG
-yMOjY8LtjQ8+Pa58DBckQ1lnktMo1T3bfwxMxTGH+iYdOT4kHWOen6aNzdXqrerA
+w9hUy0guhMoubPJ+QcSioL4TjuqKmgVCXXEHzkGuaCQTwRX7BiHOyH+3nqcm7N1x
-YjTN/MRBCR8tMZglzmshUG7qpzI/s89QSL6+KoCV5Pl0mEWLSvrLFKOCAl4wggJa
+qF5rucOxJoKgGW40ZjemdWAVDGYm3euEU0Td0V+L6z/L/cWe25YwoKOCAl4wggJa
 MA4GA1UdDwEB/wQEAwIHgDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIw
-DAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQUtCIXQGA7PP7mGdMLuN3nYsynu4wwHwYD
+DAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQUJkY/Eq6HUOrPZyW+Y+4/uiG0/8swHwYD
 VR0jBBgwFoAUFC6zF7dYVsuuUAlA5h+vnYsUwsYwVQYIKwYBBQUHAQEESTBHMCEG
 CCsGAQUFBzABhhVodHRwOi8vcjMuby5sZW5jci5vcmcwIgYIKwYBBQUHMAKGFmh0
 dHA6Ly9yMy5pLmxlbmNyLm9yZy8wLQYDVR0RBCYwJIIRKi5ob21lLmt1bmJveC5u
 ZXSCD2hvbWUua3VuYm94Lm5ldDBMBgNVHSAERTBDMAgGBmeBDAECATA3BgsrBgEE
 AYLfEwEBATAoMCYGCCsGAQUFBwIBFhpodHRwOi8vY3BzLmxldHNlbmNyeXB0Lm9y
-ZzCCAQUGCisGAQQB1nkCBAIEgfYEgfMA8QB2ALc++yTfnE26dfI5xbpY9Gxd/ELP
+ZzCCAQUGCisGAQQB1nkCBAIEgfYEgfMA8QB3AK33vvp8/xDIi509nB4+GGq0Zyld
-ep81xJ4dCYEl7bSZAAABhf0FYYAAAAQDAEcwRQIgLCh9130fH81/vY6Ps7inMh3l
+z7EMJMqFhjTr3IKKAAABhEvD2XwAAAQDAEgwRgIhAMzxM2rXgjZDrPm6jKHUS4u3
-GEM8GPiDEHk68oq2R9wCIQCnHdc9Seo+qTRnc6DcoKvyC9azNFEZBiikMgoIJkyq
+BxokYdBgO63klZ5iuEyLAiEAinyT+YKDotIyWcUHvl0tpANYq+XlJaELvg7aCcwj
-6gB3AHoyjFTYty22IOo44FIe6YQWcDIThU070ivBOlejUutSAAABhf0FYZgAAAQD
+3MgAdgC3Pvsk35xNunXyOcW6WPRsXfxCz3qfNcSeHQmBJe20mQAAAYRLw9tCAAAE
-AEgwRgIhAM3M2KLdUfIiqVgaMqIH1ust2lUjR10gwN8juONeXZoMAiEA2KArQKYG
+AwBHMEUCIQDTNayLb2lW5oNnj1bJaqbcOnjOktsPSYUGaokd6iBeUQIgOak7kR7e
-GbhN/dWqht+So4Ni3/K5Vwcfb91ewthPR6swDQYJKoZIhvcNAQELBQADggEBALhs
+rAvW3CwA1QSZgqRHLn86UFfGc0pVHNDb3e4wDQYJKoZIhvcNAQELBQADggEBABdr
-LaBZ27UoZOqukblSD8EyoLnJ3Cplg1r3J9+e4QNzySjsDpYr/w+Y4mUT/nGAGgGL
+R6NgzfgNT2WVTpZOpgLEPO58WKBEofMtVTRDjDKinSvDUFRhJAEjoXKxZXtEG+yH
-4b1cHD57XnQB1yvB3Dv9aowg+Udo4eTNY41FMgouYhYFowi5gWYoQhpIFOpwvd0v
+VhGGLcmh+6mn8+8yz1qEngA3uGiHS533aOUbP3cCbfqRCeuKMS+5ojjOlKb3xZj4
-Cmrl4PPta2Ytbg/FMNxOt47E0sUL2zASMCKTKcPsIpcpEG7w8jBGcCX7e3NCG36z
+uRGvxw90wY3RYwn8k3/beEs+TaNnFU+NtBwScy+/8aRHG5rBQjdBWZHpcB4/wT0V
-K4jZqW3Pd3BZe1e7ywUyF/SSw38Pv1rFbBxuSh+kDjQfcOWN75oOyyKgcLsGBxfy
+cLakTharwRHVw11GFlEk60k2JMEtCLkBjKq/CpbusQZHd1uVyzhWC802lWRqY4nq
-850WclzgMTnRRlZGaiUTVQ7uPkB44DIhTT6afxPMDKrtRLkd5LHownE3NPUTyfDx
+YTO3Z8FNRGOaHVcydX6wMlQg/t+1hYgCC6HWhuOf8AOr+kkg4zSdv0YvAYuOzY8X
-cK9weiaIniziAnEjUr4=
+sc1/2y3z9deYm4qHw/w=
 -----END CERTIFICATE-----
--- a/data/ssl/_.home.kunbox.net.key.pem.vault
+++ b/data/ssl/_.home.kunbox.net.key.pem.vault
@ -1 +1 @@
-encrypt$gAAAAABj1kcBpq8c_Ez3JkYJIB0evClkcblewwzBEbl4rfcd-3Z2xFlQ8OggIxGdlLGWjIN_ZBaENvXcqy4ZYlwpXgqrZJpBao8WyovZiKLK759r8qVRjbIBvHnH90t_JZ3-MydlpD1mUzHUy5oQq5Qn8jLoRTzHE2TM8VyhaBkMVQ9gacHdqNGW6dsvCRzXCQM1CNqs8pyc8nQxdARjv_FGwSeZlCxcYPSLEBeE-Hf-wJyVWnG7oyq9XKUyI8NWLPQNwWUjzMgKwumtDh21goRsSRAtLLFmqE_iU1IyZYwNh4J3SBMZKBl0fATtHXhnW1_k-RA1-l54PFMTR0KgS-uxYtqZ1Az0t1KEfEvyzfHAQLJ8RIwOOVtPNUvhSiMHr3jG0WpxymilOLfjFpnCZ8E_CA6L8hmytXEBfoM4ZHMCWzOIe_9tIKcMS146NOzaPnCXpKFganNuvV_S7zEn33zv-jYEHD4d8A==
+encrypt$gAAAAABjZ10mtywN2Tx7b0-sZywDVcNo5gQbnzjwlMjQPktMwmRBwGMbQVcwuGhhopu5vd4Ztw8aGO5lf-SQmLWgdpR4aIrPNx1Iu4urF2LMV-BMLSgmF85ADQzlbiBvrzGAnIoVUjwXYyGj1Wst4feWMKBDc_kThinYhSplMZ_yjEbMj0eMGRzjSclkvAm24KWi7l_LQAklRELuQQyopHDo47AxehNI-nvLfO0FfXZJpkdrMV1V8lSqyXwBSW3McJKH8bbmVEX8qq-mNntBNpe3n5V2ninj72aC0D572hfMp-jKC6xccf-CqnmX1qaWGGj1yiFDdBxfOSU-kO6204BVtfspMtkI75YAYE_7aA-GUiHfXaNHvDhf2uMb8ssbJUdvGS_oLx1qnKiyeyJ6RRhl71xxXjNEo0hPYYY1BGj6hjq30R8aGknkQNCjyCD87Sc7qh95KpMmY4d82xI70xeS4mk8hEgCow==
--- a/groups/features.py
+++ b/groups/features.py
@ -12,6 +12,10 @@ groups['dns'] = {
    },
    'metadata': {
        'powerdns': {
            'features': {
                'bind': True,
                'pgsql': True,
            },
            # Overridden in node metadata for primary server
            'is_secondary': True,
        },
--- a/groups/os.py
+++ b/groups/os.py
@ -71,6 +71,7 @@ groups['debian'] = {
    'bundles': {
        'apt',
        'backup-client',
        'molly-guard',
    },
    'os': 'debian',
    'pip_command': 'pip3',
--- a/hooks/test_backup_metadata.py
+++ b/hooks/test_backup_metadata.py
@ -2,7 +2,6 @@ from bundlewrap.exceptions import BundleError
 from bundlewrap.utils.text import bold, green, yellow
 from bundlewrap.utils.ui import io
 def test_node(repo, node, **kwargs):
    if not node.has_bundle('backup-client'):
        return
--- a/hooks/test_metadata_dashes_vs_underscores.py
+++ b/hooks/test_metadata_dashes_vs_underscores.py
@ -4,7 +4,6 @@ from bundlewrap.exceptions import BundleError
 from bundlewrap.utils.text import bold, green
 from bundlewrap.utils.ui import io
 def test_underscore_vs_dash(node, metadata, path=[]):
    for k, v in metadata.items():
        if not isinstance(k, str):
--- a/libs/faults.py
+++ b/libs/faults.py
@ -1,4 +1,4 @@
-from json import dumps, loads
+from json import loads, dumps
 from bundlewrap.metadata import metadata_to_json
 from bundlewrap.utils import Fault
--- a/libs/firewall.py
+++ b/libs/firewall.py
@ -1,5 +1,5 @@
 from ipaddress import IPv4Network, ip_network
 from os.path import abspath, dirname, join
 from ipaddress import ip_network, IPv4Network
 REPO_PATH = dirname(dirname(abspath(__file__)))
--- a/libs/keys.py
+++ b/libs/keys.py
@ -1,11 +1,8 @@
 import base64
 from nacl.encoding import Base64Encoder
 from nacl.public import PrivateKey
-
+from nacl.encoding import Base64Encoder
 from bundlewrap.utils import Fault
 def gen_privkey(repo, identifier):
    return repo.vault.random_bytes_as_base64_for(identifier)
--- a/libs/tools.py
+++ b/libs/tools.py
@ -1,10 +1,9 @@
-from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
+from ipaddress import ip_address, ip_network, IPv4Address, IPv4Network
-from bundlewrap.exceptions import BundleError, NoSuchGroup, NoSuchNode
+from bundlewrap.exceptions import NoSuchGroup, NoSuchNode, BundleError
 from bundlewrap.utils.text import bold, red
 from bundlewrap.utils.ui import io
 def resolve_identifier(repo, identifier):
    """
    Try to resolve an identifier (group or node). Return a set of ip
--- a/nodes.py
+++ b/nodes.py
@ -3,7 +3,6 @@ from os.path import join
 from pathlib import Path
 import bwpass
 from bundlewrap.metadata import atomic
 from bundlewrap.utils import error_context
--- a/nodes/entropia-jira.toml
+++ b/nodes/entropia-jira.toml
@ -5,18 +5,13 @@ dummy = true
 period = "daytime"
 pretty_name = "ticket.gulas.ch"
 [metadata.icinga2_api.nginx.services."NGINX VHOST ticket-redirect CERTIFICATE"]
 check_command = "check_https_cert_at_url"
 "vars.domain" = "ticket.gulas.ch"
 "vars.notification.mail" = true
 [metadata.icinga2_api.nginx.services."NGINX VHOST jira CERTIFICATE"]
 check_command = "check_https_cert_at_url"
-"vars.domain" = "jira.gulas.ch"
+"vars.domain" = "ticket.gulas.ch"
 "vars.notification.mail" = true
 [metadata.icinga2_api.nginx.services."NGINX VHOST jira CONTENT"]
 check_command = "check_http_wget"
 "vars.http_wget_contains" = "login.jsp"
-"vars.http_wget_url" = "https://jira.gulas.ch/secure/Dashboard.jspa"
+"vars.http_wget_url" = "https://ticket.gulas.ch/secure/Dashboard.jspa"
 "vars.notification.sms" = true
--- a/nodes/fkusei-locutus.py
+++ b/nodes/fkusei-locutus.py
@ -76,12 +76,18 @@ nodes['fkusei-locutus'] = {
                # video drivers
                'xf86-video-intel': {},
                # for i3pystatus
                'iw': {},
                'wireless_tools': {},
                # all that other random stuff one needs
                'apachedirectorystudio': {},
                'direnv': {},
                'freerdp': {},
                'mosquitto': {},
                'sdl_ttf': {}, # for compiling testcard
                'thermald': {},
                'virt-manager': {},
            },
        },
        'systemd-boot': {
--- a/nodes/gce/bind01.py
+++ b/nodes/gce/bind01.py
@ -3,12 +3,19 @@
 nodes['gce.bind01'] = {
    'hostname': '34.89.208.78',
    'bundles': {
        'nodejs',
        'powerdnsadmin',
    },
    'groups': {
-        'debian-bullseye',
+        'debian-buster',
        'dns',
        'webserver',
    },
    'metadata': {
        'backups': {
            # This is the primary DNS server. However, we only use
            # replication for DynDNS, currently. No need for backups here.
            'exclude_from_backups': True,
        },
        'interfaces': {
@ -23,12 +30,30 @@ nodes['gce.bind01'] = {
        'icinga_options': {
            'pretty_name': 'ns-1.kunbox.net',
        },
        'nginx': {
            'vhosts': {
                'ns-1.kunbox.net': {
                    'locations': {
                        '/': {
                            'target': 'http://127.0.0.1:8000/',
                        },
                    },
                    'website_check_path': '/login',
                    'website_check_string': 'PowerDNS',
                },
            },
        },
        'postgresql': {
-            'version': '15',
+            'version': '11',
        },
        'powerdns': {
            'is_secondary': False,
            'secondary_nameservers': 'dns',
            'my_hostname': 'ns-1.kunbox.net',
        },
        'powerdnsadmin': {
            'version': 'v0.3.0',
        },
        'vm': {
            'cpu': 1,
            'ram': 1,
--- a/nodes/gce/dns02.py
+++ b/nodes/gce/dns02.py
@ -5,7 +5,7 @@ nodes['gce.dns02'] = {
    'hostname': '35.187.109.249',
    'bundles': set(),
    'groups': {
-        'debian-bullseye',
+        'debian-buster',
        'dns',
    },
    'metadata': {
@ -25,7 +25,7 @@ nodes['gce.dns02'] = {
            'exclude_from_backups': True,
        },
        'postgresql': {
-            'version': '15',
+            'version': '11',
        },
        'powerdns': {
            'my_hostname': 'ns-2.kunbox.net',
--- a/nodes/gce/dns03.py
+++ b/nodes/gce/dns03.py
@ -5,7 +5,7 @@ nodes['gce.dns03'] = {
    'hostname': '35.228.143.71',
    'bundles': set(),
    'groups': {
-        'debian-bullseye',
+        'debian-buster',
        'dns',
    },
    'metadata': {
@ -25,7 +25,7 @@ nodes['gce.dns03'] = {
            'exclude_from_backups': True,
        },
        'postgresql': {
-            'version': '15',
+            'version': '11',
        },
        'powerdns': {
            'my_hostname': 'ns-3.kunbox.net',
--- a/nodes/home.hass.toml
+++ b/nodes/home.hass.toml
@ -5,6 +5,9 @@ bundles = [
 ]
 groups = ["debian-bullseye"]
 [metadata.backups]
 exclude_from_backups = true
 [metadata.interfaces.enp1s0]
 ips = ["172.19.138.25/24"]
 gateway4 = "172.19.138.1"
--- a/nodes/home.openhab.toml
+++ b/nodes/home.openhab.toml
@ -0,0 +1,21 @@
 hostname = "172.19.138.21"
 bundles = ["nginx", "openhab"]
 groups = ["debian-bullseye"]
 [metadata.interfaces.enp1s0]
 ips = ["172.19.138.21/24"]
 gateway4 = "172.19.138.1"
 ipv6_accept_ra = true
 [metadata.nginx.vhosts.openhab]
 ssl = "_.home.kunbox.net"
 [metadata.openhab]
 domain = "openhab.home.kunbox.net"
 [metadata.openhab.java_opts]
 "user.timezone" = "Europe/Berlin"
 [metadata.vm]
 cpu = 2
 ram = 2
--- a/nodes/home.wled-wohnzimmer.toml
+++ b/nodes/home.wled-wohnzimmer.toml
@ -3,7 +3,7 @@ dummy = true
 [metadata.interfaces.default]
 ips = ["172.19.138.70"]
 dhcp = true
-mac = "3c:61:05:d0:f2:b9"
+mac = "3c:61:05:d0:ba:1a"
 [metadata.icinga_options]
 exclude_from_monitoring = true
--- a/nodes/home/router.py
+++ b/nodes/home/router.py
@ -133,13 +133,13 @@ nodes['home.router'] = {
            'interface': 'enp1s0.100',
            'dyndns': {
                'domain': 'franzi-home.kunbox.net',
-                'url': 'https://ns-primary.kunbox.net/nic/update?hostname=franzi-home.kunbox.net&myip={ip}',
+                'url': 'https://ns-1.kunbox.net/nic/update?hostname=franzi-home.kunbox.net&myip={ip}',
                'username': vault.decrypt('encrypt$gAAAAABfr8DLAJhmUIhdxLq83I8MnRRvkRgDZcO8Brvw1KpvplC3K8ZGj0jIIWD3Us33vIP6t0ybd_mgD8slpRUk78Kqd3BMoQ=='),
                'password': vault.decrypt('encrypt$gAAAAABfr8Cq5M1hweeJTQAl0dLhFntdlw-QnkIYUQpY-_ycODVWOpyeAwjwOgWLSdsdXIUvqcoiXPZPV-BE12p5C42NGnj9r7sKYpoGz8xfuGIk6haMa2g='),
            },
            'nftables-rules.d': {
-                'inet filter forward iifname enp1s0.23 oif $INTERFACE accept',
+                'inet filter forward iif enp1s0.23 oif $INTERFACE accept',
-                'inet filter forward iifname enp1s0.42 accept',
+                'inet filter forward iif enp1s0.42 accept',
            },
        },
        'unbound': {
--- a/nodes/htz-cloud/miniserver.py
+++ b/nodes/htz-cloud/miniserver.py
@ -62,7 +62,7 @@ nodes['htz-cloud.miniserver'] = {
        },
        'element-web': {
            'url': 'chat.sophies-kitchen.eu',
-            'version': 'v1.11.23',
+            'version': 'v1.11.17',
            'config': {
                'default_server_config': {
                    'm.homeserver': {
@ -134,8 +134,8 @@ nodes['htz-cloud.miniserver'] = {
            },
        },
        'matrix-media-repo': {
-            'version': 'v1.2.13',
+            'version': 'v1.2.12',
-            'sha1': '0915bdf7c461368859180419d1f66717969cbe32',
+            'sha1': 'c2dfa521c2eea9a0dcde9f1c7803f52ce6d0352e',
            'homeservers': {
                'sophies-kitchen.eu': {
                    'domain': 'http://[::1]:20080/',
--- a/nodes/kunsi-p14s.py
+++ b/nodes/kunsi-p14s.py
@ -96,15 +96,25 @@ nodes['kunsi-p14s'] = {
                'mesa-vdpau': {},
                'xf86-video-amdgpu': {},
                # for i3pystatus
                'iw': {},
                'wireless_tools': {},
                # all that other random stuff one needs
                'abcde': {},
                'apachedirectorystudio': {},
                'claws-mail': {},
                'claws-mail-themes': {},
                'ferdi-bin': {},
                'ffmpeg': {},
                'gumbo-parser': {}, # for claws litehtml
                'imagemagick': {},
                'inkscape': {},
                'mosquitto': {},
                'perl-musicbrainz-discid': {}, # for abcde
                'perl-webservice-musicbrainz': {}, # for abcde
                'samba': {},
                'xf86-input-wacom': {},
            },
        },
        'sysctl': {
--- a/nodes/ns-primary.toml
+++ b/nodes/ns-primary.toml
@ -1,43 +0,0 @@
 hostname = "82.165.52.168"
 bundles = [
    "nodejs",
    "powerdnsadmin",
 ]
 groups = [
    "debian-bullseye",
    "dns",
    "webserver",
 ]
 [metadata.interfaces.ens192]
 ips = [
    "82.165.52.168",
    "2001:8d8:1801:7d4::1/64",
 ]
 gateway4 = "10.255.255.1"
 gateway6 = "fe80::250:56ff:fea8:628f"
 [metadata.icinga_options]
 pretty_name = "ns-primary.kunbox.net"
 [metadata.nginx.vhosts."ns-primary.kunbox.net"]
 website_check_path = "/login"
 website_check_string = "PowerDNS"
 [metadata.nginx.vhosts."ns-primary.kunbox.net".locations."/"]
 target = "http://127.0.0.1:8000/"
 [metadata.postgresql]
 version = "15"
 [metadata.powerdns]
 is_secondary = false
 secondary_nameservers = "dns"
 features.bind = true
 [metadata.powerdnsadmin]
 version = "v0.3.0"
 [metadata.vm]
 cpu = 2
 ram = 2
--- a/nodes/rx300.py
+++ b/nodes/rx300.py
@ -105,7 +105,7 @@ nodes['rx300'] = {
        },
        'element-web': {
            'url': 'chat.franzi.business',
-            'version': 'v1.11.23',
+            'version': 'v1.11.17',
            'config': {
                'default_server_config': {
                    'm.homeserver': {
@ -128,8 +128,8 @@ nodes['rx300'] = {
            },
        },
        'gitea': {
-            'url': 'https://codeberg.org/attachments/be5952ea-6cfb-4be5-a593-3564c4bd8cc9',
+            'version': '1.17.3',
-            'sha1': '0bcf3d6d6541a46571802d9e9276056ff860841e',
+            'sha1': 'a78611a3e799150fbae3d45d2bd276d95ccffcd8',
            'domain': 'git.franzi.business',
            'email_domain_blocklist': {
                'aol.com',
@ -197,8 +197,8 @@ nodes['rx300'] = {
            },
        },
        'matrix-media-repo': {
-            'version': 'v1.2.13',
+            'version': 'v1.2.12',
-            'sha1': '0915bdf7c461368859180419d1f66717969cbe32',
+            'sha1': 'c2dfa521c2eea9a0dcde9f1c7803f52ce6d0352e',
            'homeservers': {
                'franzi.business': {
                    'domain': 'http://[::1]:20080/',
@ -268,8 +268,8 @@ nodes['rx300'] = {
            },
        },
        'mautrix-whatsapp': {
-            'version': 'v0.8.2',
+            'version': 'v0.8.0',
-            'sha1': '31779131b0524e84f980a7e3b5a818150833470d',
+            'sha1': '4e561a96c8fae61edd8dee9abdd52b5146fa98b2',
            'homeserver': {
                'domain': 'franzi.business',
                'url': 'https://matrix.franzi.business',
@ -306,7 +306,7 @@ nodes['rx300'] = {
        },
        'netbox': {
            'domain': 'netbox.franzi.business',
-            'version': 'v3.4.4',
+            'version': 'v3.4.1',
            'changelog_retention_days': 360,
            'admins': {
                'kunsi': 'hostmaster@kunbox.net',
@ -327,7 +327,7 @@ nodes['rx300'] = {
            },
            'vhosts': {
                'element-web': {'ssl': '_.franzi.business'},
-                'forgejo': {'ssl': '_.franzi.business'},
+                'gitea': {'ssl': '_.franzi.business'},
                'jenkins-ci': {'ssl': '_.franzi.business'},
                'matrix-dimension': {'ssl': '_.franzi.business'},
                'matrix-synapse': {'ssl': '_.franzi.business'},
@ -450,7 +450,6 @@ nodes['rx300'] = {
        },
        'postgresql': {
            'version': '13',
            'max_connections': 500,
        },
        'radicale': {
            'domain': 'radicale.franzi.business',
@ -524,7 +523,7 @@ nodes['rx300'] = {
            },
        },
        'travelynx': {
-            'version': '1.29.4',
+            'version': '1.23.12',
            'mail_from': 'travelynx@franzi.business',
            'domain': 'travelynx.franzi.business',
        },
--- a/Show more
+++ b/Show more
Author	SHA1	Message	Date
Franziska Kunsmann	2914f463ff	bundles/woodpecker-agent: fix metadata reactor	2022-12-25 08:26:59 +01:00
Franziska Kunsmann	cd418da024	bundles/docker-ce: add nftables rules	2022-12-25 08:26:55 +01:00
Franziska Kunsmann	0fea0a1c77	ci: fix editorconfig	2022-12-25 08:26:51 +01:00
Franziska Kunsmann	e1ac047810	ci: determinism tests need to run using dummy mode	2022-12-25 08:26:47 +01:00
Franziska Kunsmann	06b21998d8	try running the test pipeline in woodpecker	2022-12-25 08:26:44 +01:00
Franziska Kunsmann	e29f67a935	add bundle:woodpecker-agent	2022-12-25 08:26:40 +01:00
Franziska Kunsmann	0d56454af7	add bundle:docker-ce	2022-12-25 08:26:37 +01:00
Franziska Kunsmann	d28cdc78d6	bundles/woodpecker-server: add GODEBUG=netns=go	2022-12-25 08:26:34 +01:00
Franziska Kunsmann	b69aa32232	bundles/woodpecker: try to get it working	2022-12-25 08:26:30 +01:00
Franziska Kunsmann	a29f17a9f9	add bundle:woodpecker-server	2022-12-25 08:26:25 +01:00
		`@ -1 +0,0 @@`
			encrypt$gAAAAABj1jTasX0XOFRWh7F0pxNgMoJIjrblvqOM8ohGVCsvVyMEQDiOmGaJCs9lW-lbeghlzRpiC8P7CNot6OOeNXBYWmxN_HgN3J2p6Q5-XoSJ62NUJWQNRNNENuiN1Yy0g0MREk4gVsNh8-VeoXuKgyLEXJQJI-SYLzl8faZoBnQGTK4FbTAiN6KSB4EbTPwxx-8dYp8kNIj4ipBjkQKNu-mXuVvdnf5fTUwTCQx6rz7yjlp7DOPuSJDASg5bE33dd8gt89grW5vBKeEnQsi7hpJCJF5vNfRay89IKfjf6UqxJHKCmS2tIWQ9Kz4Tv41MnNR0-jvnULq7TWcnqwo_SKb8JRLUA3dH2wLiOUu7aApYSkeSNiul2ILCtBPsjY_eWzqdd3tkpJBErOcFVe2mdjVRSIUOXTM_T3nNWCJgn5TxD4qbHklZoCaM6Ey9P_yQj-sSRGizgcDhGiqY8xJNmwbWz9IH5a_Fs6iRVhAh6VzSa1ZAKxcum87dj-KVA_SjG9hy7Dy28xK0D4NoSpYFOkEz4VHpa1tP0t8QJ2WtQiw-qjHFzokkIINEUKUPIBg6t_5oedJ24YMnyyzBZ2_uQ1HFVFjBx-7Iw73bTPNluVwXkobzEnrYFwDsEXGE6tR0HjbteNxj
		`@ -1 +0,0 @@`
			`ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL+FCn1sWP74+lVAyaXDpXxCCauh6LC2KEJmIMhDEYvJ kunsi@kunsi-p14s.kunbox.net`
		`@ -1 +1 @@`
			`encrypt$gAAAAABj1gankGocRRCdH6WqCUFJ6UtA1f07KpXYh4KcelenJv0ZbQ98f2nwIk29iXWEIsS9FTiRyEG95u_Lmm_p7GbKCMDSIZfZgAC2I3tp_BxZPerhEkwxTT_BjEYHRjMDFrzwoAypTO1Mj_XiT_CYvAZptHI3MZcI9QwPVw-CMJ4KqzG-IztkW8KVnuM7agiBdUt4IYkLyeZ0IoL4nOIWANtdM-y4rILv6N7WIMw6dgsSvLPEQR-PYdNLq866IR0-yFGOfYcQKOvpBqAt6A69E6JxSm3AakaJaS75QYF2lzGVjTfrFoGz60LUjC60KuTsu3dUckGUm7JEq1BSMxvc5b_a6pCazvoAnM0gbtbM_DjL0phLj7VWZEg-_1CHfc2S0-UxbxBjLKJ3NPPs93_En5RWxqxkhvvZgxzWJqQWP2eBprge8Q_EEXkMbxumVVx9Ymdynlw2AgkQhVVJIu_vnsZ4Uc8vIA==`				`encrypt$gAAAAABjZ10m0BnUbl5777KN6VHf6uAdtcs15-osbqRoQq6epRuWllD-ziy_2N7BrOkRcmfSJaB8zZ1l1bLD6ws3SlI7jvbkahvWnuKinkGiE30SGGjqr6MY_NJGawdox8OJWrsWLFYJJjrePl_mmVtx9G41oBreKizj1YPswzbzsFociJ0zF0xlx99sjjLxRB5PEaI3fwK1eXDmODGZ__dwKxINGSB2zxPb10Vwtnsp3cmaUiKh1TfIghQAm523cAuHPys1-tNXuJpvhPY3tIxB5gHZYiBXMzcS64mD1KqEubsnplxQlK-N_mJ7Q6n0xReG00pqvm5twRI5g7PoHYLH7nZI7KYOSI2XMAS7gP6Uy-H60BQKAHXuX4yutznVRJspv0wa4kfW9vcBfFECBhFeC8tAAkgAc-NvAsDYk6tYSi2k3N2zXsiyHy0NL-JMnUEicQT3YZNnfkoYqjuxwFbQvgtZZun38w==`
		`@ -1 +1 @@`
			`encrypt$gAAAAABj1kcBpq8c_Ez3JkYJIB0evClkcblewwzBEbl4rfcd-3Z2xFlQ8OggIxGdlLGWjIN_ZBaENvXcqy4ZYlwpXgqrZJpBao8WyovZiKLK759r8qVRjbIBvHnH90t_JZ3-MydlpD1mUzHUy5oQq5Qn8jLoRTzHE2TM8VyhaBkMVQ9gacHdqNGW6dsvCRzXCQM1CNqs8pyc8nQxdARjv_FGwSeZlCxcYPSLEBeE-Hf-wJyVWnG7oyq9XKUyI8NWLPQNwWUjzMgKwumtDh21goRsSRAtLLFmqE_iU1IyZYwNh4J3SBMZKBl0fATtHXhnW1_k-RA1-l54PFMTR0KgS-uxYtqZ1Az0t1KEfEvyzfHAQLJ8RIwOOVtPNUvhSiMHr3jG0WpxymilOLfjFpnCZ8E_CA6L8hmytXEBfoM4ZHMCWzOIe_9tIKcMS146NOzaPnCXpKFganNuvV_S7zEn33zv-jYEHD4d8A==`				`encrypt$gAAAAABjZ10mtywN2Tx7b0-sZywDVcNo5gQbnzjwlMjQPktMwmRBwGMbQVcwuGhhopu5vd4Ztw8aGO5lf-SQmLWgdpR4aIrPNx1Iu4urF2LMV-BMLSgmF85ADQzlbiBvrzGAnIoVUjwXYyGj1Wst4feWMKBDc_kThinYhSplMZ_yjEbMj0eMGRzjSclkvAm24KWi7l_LQAklRELuQQyopHDo47AxehNI-nvLfO0FfXZJpkdrMV1V8lSqyXwBSW3McJKH8bbmVEX8qq-mNntBNpe3n5V2ninj72aC0D572hfMp-jKC6xccf-CqnmX1qaWGGj1yiFDdBxfOSU-kO6204BVtfspMtkI75YAYE_7aA-GUiHfXaNHvDhf2uMb8ssbJUdvGS_oLx1qnKiyeyJ6RRhl71xxXjNEo0hPYYY1BGj6hjq30R8aGknkQNCjyCD87Sc7qh95KpMmY4d82xI70xeS4mk8hEgCow==`