From ec49c8d3ffce91cfa3c5ba9c9e1eedbf5b9edb75 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Thu, 31 Oct 2024 16:36:07 +0100 Subject: [PATCH 001/181] voc.infobeamer-cms: hackint changed their webirc service --- nodes/voc/infobeamer-cms.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nodes/voc/infobeamer-cms.py b/nodes/voc/infobeamer-cms.py index ea48a85..b5dae71 100644 --- a/nodes/voc/infobeamer-cms.py +++ b/nodes/voc/infobeamer-cms.py @@ -64,7 +64,7 @@ nodes['voc.infobeamer-cms'] = { 'FAQ': { 'SOURCE': 'https://github.com/voc/infobeamer-cms', 'CONTACT': ''' - Please use the IRC + Please use the IRC Channel #infobeamer on irc.hackint.org (also bridged to matrix) or #info-beamer on the cccv rocketchat instance. From 2c83a5c4fccf1034bcab70261515c94a896a9c4b Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Thu, 31 Oct 2024 16:58:26 +0100 Subject: [PATCH 002/181] voc.infobeamer-cms: prepare for 38c3 --- nodes/voc/infobeamer-cms.py | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/nodes/voc/infobeamer-cms.py b/nodes/voc/infobeamer-cms.py index b5dae71..f0dc6cf 100644 --- a/nodes/voc/infobeamer-cms.py +++ b/nodes/voc/infobeamer-cms.py @@ -25,8 +25,8 @@ nodes['voc.infobeamer-cms'] = { }, 'infobeamer-cms': { 'domain': 'infobeamer.c3voc.de', - 'event_start_date': '2024-10-03', - 'event_duration_days': 4, + 'event_start_date': '2024-12-26', + 'event_duration_days': 5, 'config': { 'ADMIN_USERS': [ 'hexchen', 
@@ -39,7 +39,7 @@ nodes['voc.infobeamer-cms'] = { 'GITHUB_CLIENT_ID': vault.decrypt('encrypt$gAAAAABiNwHfIu9PYFfJrF7qirn_9vdvvUlEhJnadoNSS5XlCDbI_aMyj21_ZYQxaCkc6_eVX6Cj1jEHZ7Vs6wM-XyQdW0nUOahtqG4uvnYCiM3GFKHW_wQ='), 'GITHUB_CLIENT_SECRET': vault.decrypt('encrypt$gAAAAABiNwHtdZC2XQ8IjosL7vsmrxZMwDIM6AD5dUlLo996tJs4qV7KJETHgYYZil2aMzClwhcE6JmxdhARRp7IJQ4rQQibelTNmyYSzj_V4puVpvma7SU0UZkTIG95SdPpoHY--Zba'), 'HOSTED_API_KEY': vault.decrypt('encrypt$gAAAAABhxJPH2sIGMAibU2Us1HoCVlNfF0SQQnVl0eiod48Zu8webL_-xk3wDw3yXw1Hkglj-2usl-D3Yd095yTSq0vZMCv2fh-JWwSPdJewQ45x9Ai4vXVD4CNz5vuJBESKS9xQWXTc'), - 'INTERRUPT_KEY': vault.human_password_for('infobeamer-cms interrupt key'), + 'INTERRUPT_KEY': vault.human_password_for('infobeamer-cms interrupt key 38c3', words=1), 'SETUP_IDS': [ 253559, ], From 72638e0856c8dc100f4ca067eaa4d2693f004368 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 3 Nov 2024 17:40:46 +0100 Subject: [PATCH 003/181] bundles/infobeamer-monitor: add account data monitoring --- bundles/infobeamer-monitor/files/monitor.py | 72 ++++++++++++++++----- 1 file changed, 57 insertions(+), 15 deletions(-) diff --git a/bundles/infobeamer-monitor/files/monitor.py b/bundles/infobeamer-monitor/files/monitor.py index 6f353e6..2aa2daf 100644 --- a/bundles/infobeamer-monitor/files/monitor.py +++ b/bundles/infobeamer-monitor/files/monitor.py @@ -61,8 +61,6 @@ def mqtt_dump_state(device): out.append("Location: {}".format(device["location"])) out.append("Setup: {} ({})".format(device["setup"]["name"], device["setup"]["id"])) out.append("Resolution: {}".format(device["run"].get("resolution", "unknown"))) - if not device["is_synced"]: - out.append("syncing ...") mqtt_out( " - ".join(out), @@ -73,6 +71,9 @@ def mqtt_dump_state(device): mqtt_out("Monitor starting up") while True: try: + online_devices = set() + available_credits = None + try: r = get( "https://info-beamer.com/api/v1/device/list", 
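Review bot: `words=1` on the new `INTERRUPT_KEY` line shrinks the generated secret to a single word, a far smaller keyspace than the default word count, so if the interrupt key is accepted over the network it becomes cheap to guess; unless the consumer cannot handle a longer value, keep the default: `'INTERRUPT_KEY': vault.human_password_for('infobeamer-cms interrupt key 38c3'),`. The value appears to be keyed by its identifier (changing the identifier is what rotates it), so the `38c3` suffix is the rotation mechanism here; a one-line comment above it, `# event suffix rotates the key; keep the word count as large as the consumer allows`, would preserve that intent for the next edit. The `nodes['voc.infobeamer-cms']` dict containing this hunk starts before it.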
@@ -88,7 +89,6 @@ while True: ) else: new_state = {} - online_devices = set() for device in ib_state: did = str(device["id"]) @@ -140,16 +140,15 @@ while True: if device["is_online"]: if device["maintenance"]: mqtt_out( - "maintenance required: {}".format(' '.join( - sorted(device["maintenance"]) - )), + "maintenance required: {}".format( + " ".join(sorted(device["maintenance"])) + ), level="WARN", device=device, ) if ( - device["is_synced"] != state[did]["is_synced"] - or device["location"] != state[did]["location"] + device["location"] != state[did]["location"] or device["setup"]["id"] != state[did]["setup"]["id"] or device["run"].get("resolution") != state[did]["run"].get("resolution") 
@@ -171,13 +170,56 @@ while True: state = new_state - if ( - datetime.now(timezone.utc).strftime("%H%M") == "1312" - and online_devices - and int(datetime.now(timezone.utc).strftime("%S")) < 30 - ): - mqtt_out("Online Devices: {}".format(", ".join(sorted(online_devices)))) - sleep(30) + try: + r = get( + "https://info-beamer.com/api/v1/account", + auth=("", CONFIG["api_key"]), + ) + r.raise_for_status() + ib_account = r.json() + except RequestException as e: + LOG.exception("Could not get data from info-beamer") + mqtt_out( + f"Could not get data from info-beamer: {e!r}", + level="WARN", + ) + else: + available_credits = ib_account["balance"] + if available_credits < 50: + mqtt_out( + f"balance has dropped below 50 credits! (available: {available_credits})", + level="ERROR", + ) + elif available_credits < 100: + mqtt_out( + f"balance has dropped below 100 credits! (available: {available_credits})", + level="WARN", + ) + + for quota_name, quota_config in sorted(ib_account["quotas"].items()): + value = quota_config["count"]["value"] + limit = quota_config["count"]["limit"] + if value > limit * 0.9: + mqtt_out( + f"quota {quota_name} is over 90% (limit {limit}, value {value})", + level="ERROR", + ) + elif value > limit * 0.8: + mqtt_out( + f"quota {quota_name} is over 80% (limit {limit}, value {value})", + level="WARN", + ) + + if datetime.now(timezone.utc).strftime("%H%M") == "1312": + if available_credits is not None: + mqtt_out(f"Available Credits: {available_credits}") + + if online_devices: + mqtt_out( + "Online Devices: {}".format(", ".join(sorted(online_devices))) + ) + + sleep(60) except KeyboardInterrupt: break From e51c24f837b116c033b639ddfcc90ad59b3ddad3 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Fri, 8 Nov 2024 06:39:05 +0100 Subject: [PATCH 004/181] bundles/powerdns: use *repo* commit time instead of *file* commit time for serial --- bundles/powerdns/items.py | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) 
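Review bot: The new `get("https://info-beamer.com/api/v1/account", ...)` call has no `timeout=`, so a stalled connection blocks the whole monitor loop indefinitely and no further device or balance checks run; add `timeout=10,` next to the `auth=` argument (the device-list `get` earlier in the loop has the same gap, but it is unchanged by this commit). Separately, replacing `sleep(30)` plus the `%S < 30` guard with `sleep(60)` and a bare `strftime("%H%M") == "1312"` comparison makes the daily announcement timing-dependent: every iteration now lasts 60 s plus two HTTP round trips, so minute 1312 can fall between two iterations and the report is skipped for that day. Remembering the date of the last report (e.g. `last_report_day`) and firing when the clock is at or past the target and the day differs would make it run exactly once. The `while True` loop enclosing this hunk starts before it.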
diff --git a/bundles/powerdns/items.py b/bundles/powerdns/items.py index a0c89d2..329694a 100644 --- a/bundles/powerdns/items.py +++ b/bundles/powerdns/items.py @@ -2,6 +2,7 @@ from datetime import datetime from os import listdir from os.path import isfile, join from subprocess import check_output +from bundlewrap.utils.ui import io zone_path = join(repo.path, 'data', 'powerdns', 'files', 'bind-zones') @@ -79,9 +80,10 @@ if node.metadata.get('powerdns/features/bind', False): continue try: - output = check_output(['git', 'log', '-1', '--pretty=%ci', join(zone_path, zone)]).decode('utf-8').strip() + output = check_output(['git', 'log', '-1', '--pretty=%ci']).decode('utf-8').strip() serial = datetime.strptime(output, '%Y-%m-%d %H:%M:%S %z').strftime('%y%m%d%H%M') - except: + except Exception as e: + io.stderr(f"Error while parsing commit time for {zone} serial: {e!r}") serial = datetime.now().strftime('%y%m%d0000') primary_zones.add(zone) From 209dedccf90b5e1ad164ec39cb21c1fb7b998740 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Fri, 8 Nov 2024 06:39:59 +0100 Subject: [PATCH 005/181] `isort` the whole repo --- bundles/powerdns/items.py | 1 + bundles/pppd/files/dyndns | 1 - bundles/pppd/files/dyndns_periodic | 1 - bundles/routeros/metadata.py | 1 - libs/demagify.py | 1 + libs/ssh.py | 6 +++--- nodes/attributes.py | 5 +++-- 7 files changed, 8 insertions(+), 8 deletions(-) diff --git a/bundles/powerdns/items.py b/bundles/powerdns/items.py index 329694a..b6a5e8f 100644 --- a/bundles/powerdns/items.py +++ b/bundles/powerdns/items.py @@ -2,6 +2,7 @@ from datetime import datetime from os import listdir from os.path import isfile, join from subprocess import check_output + from bundlewrap.utils.ui import io zone_path = join(repo.path, 'data', 'powerdns', 'files', 'bind-zones') diff --git a/bundles/pppd/files/dyndns b/bundles/pppd/files/dyndns index 5058b2f..633915f 100644 --- a/bundles/pppd/files/dyndns +++ b/bundles/pppd/files/dyndns 
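Review bot: With the path argument gone, `check_output(['git', 'log', '-1', '--pretty=%ci'])` reports the last commit of whatever repository the current working directory is in, not necessarily the one holding the zone files; pin it with `cwd=repo.path`, which the file already uses for `zone_path`: `output = check_output(['git', 'log', '-1', '--pretty=%ci'], cwd=repo.path).decode('utf-8').strip()`. Replacing the bare `except:` with `except Exception as e:` and logging `{e!r}` is an improvement, but note that the pre-existing `'%y%m%d0000'` fallback on the next line produces a serial lower than any `%y%m%d%H%M` serial already published from a same-day commit, so a transient git failure would leave secondaries on the old zone; a comment to that effect would help whoever hits it. The `if node.metadata.get('powerdns/features/bind', False):` block and the loop around `continue` begin outside the hunk.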
@@ -7,7 +7,6 @@ from subprocess import check_output from requests import get - UPDATE_URL = '${url}' USERNAME = '${username}' PASSWORD = '${password}' diff --git a/bundles/pppd/files/dyndns_periodic b/bundles/pppd/files/dyndns_periodic index 236c4fc..353ee6d 100644 --- a/bundles/pppd/files/dyndns_periodic +++ b/bundles/pppd/files/dyndns_periodic @@ -5,7 +5,6 @@ from ipaddress import ip_address from json import loads from subprocess import check_output, run - DOMAIN = '${domain}' # <%text> diff --git a/bundles/routeros/metadata.py b/bundles/routeros/metadata.py index ca7979f..e987a4e 100644 --- a/bundles/routeros/metadata.py +++ b/bundles/routeros/metadata.py @@ -2,7 +2,6 @@ import re from json import load from os.path import join - with open(join(repo.path, 'configs', 'netbox', f'{node.name}.json')) as f: netbox = load(f) diff --git a/libs/demagify.py b/libs/demagify.py index 5fe492c..02180f0 100644 --- a/libs/demagify.py +++ b/libs/demagify.py @@ -1,5 +1,6 @@ import bwpass + def demagify(something, vault): if isinstance(something, str): if something.startswith('!bwpass:'): diff --git a/libs/ssh.py b/libs/ssh.py index 89c643a..fe3b9b4 100644 --- a/libs/ssh.py +++ b/libs/ssh.py @@ -4,9 +4,9 @@ from hashlib import sha3_224 from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PrivateKey from cryptography.hazmat.primitives.serialization import (Encoding, - NoEncryption, - PrivateFormat, - PublicFormat) + NoEncryption, + PrivateFormat, + PublicFormat) from bundlewrap.utils import Fault diff --git a/nodes/attributes.py b/nodes/attributes.py index 85fa36d..eda23f4 100644 --- a/nodes/attributes.py +++ b/nodes/attributes.py @@ -1,6 +1,7 @@ -from bundlewrap.utils.ui import io from bundlewrap.utils.scm import get_rev -from bundlewrap.utils.text import red, bold +from bundlewrap.utils.text import bold, red +from bundlewrap.utils.ui import io + @node_attribute def needs_apply(node): From 563ba266ff0f93981e97d3e4d03e172fc497e5ba Mon Sep 17 00:00:00 2001 
From: Franziska Kunsmann Date: Sun, 10 Nov 2024 18:56:35 +0100 Subject: [PATCH 006/181] fix icinga2 bundle (gpg key / packages) --- bundles/icinga2/metadata.py | 1 - data/apt/files/gpg-keys/icinga2.asc | 53 ++++++++++++++--------------- 2 files changed, 26 insertions(+), 28 deletions(-) diff --git a/bundles/icinga2/metadata.py b/bundles/icinga2/metadata.py index 494ff89..60d28fe 100644 --- a/bundles/icinga2/metadata.py +++ b/bundles/icinga2/metadata.py @@ -17,7 +17,6 @@ defaults = { 'icinga2': {}, 'icinga2-ido-pgsql': {}, 'icingaweb2': {}, - 'icingaweb2-module-monitoring': {}, 'python3-easysnmp': {}, 'python3-flask': {}, 'snmp': {}, diff --git a/data/apt/files/gpg-keys/icinga2.asc b/data/apt/files/gpg-keys/icinga2.asc index 901c78c..165344f 100644 --- a/data/apt/files/gpg-keys/icinga2.asc +++ b/data/apt/files/gpg-keys/icinga2.asc 
@@ -1,30 +1,29 @@ -----BEGIN PGP PUBLIC KEY BLOCK----- -Version: GnuPG v2.0.19 (GNU/Linux) -mQGiBFKHzk4RBACSHMIFTtfw4ZsNKAA03Gf5t7ovsKWnS7kcMYleAidypqhOmkGg -0petiYsMPYT+MOepCJFGNzwQwJhZrdLUxxMSWay4Xj0ArgpD9vbvU+gj8Tb02l+x -SqNGP8jXMV5UnK4gZsrYGLUPvx47uNNYRIRJAGOPYTvohhnFJiG402dzlwCg4u5I -1RdFplkp9JM6vNM9VBIAmcED/2jr7UQGsPs8YOiPkskGHLh/zXgO8SvcNAxCLgbp -BjGcF4Iso/A2TAI/2KGJW6kBW/Paf722ltU6s/6mutdXJppgNAz5nfpEt4uZKZyu -oSWf77179B2B/Wl1BsX/Oc3chscAgQb2pD/qPF/VYRJU+hvdQkq1zfi6cVsxyREV -k+IwA/46nXh51CQxE29ayuy1BoIOxezvuXFUXZ8rP6aCh4KaiN9AJoy7pBieCzsq -d7rPEeGIzBjI+yhEu8p92W6KWzL0xduWfYg9I7a2GTk8CaLX2OCLuwnKd7RVDyyZ -yzRjWs0T5U7SRAWspLStYxMdKert9lLyQiRHtLwmlgBPqa0gh7Q+SWNpbmdhIE9w -ZW4gU291cmNlIE1vbml0b3JpbmcgKEJ1aWxkIHNlcnZlcikgPGluZm9AaWNpbmdh -Lm9yZz6IYAQTEQIAIAUCUofOTgIbAwYLCQgHAwIEFQIIAwQWAgMBAh4BAheAAAoJ -EMbjGcM0QQaCgSQAnRjXdbsyqziqhmxfAKffNJYuMPwdAKCS/IRCVyQzApFBtIBQ -1xuoym/4C7kCDQRSh85OEAgAvPwjlURCi8z6+7i60no4n16dNcSzd6AT8Kizpv2r -9BmNBff/GNYGnHyob/DMtmO2esEuVG8w62rO9m1wzzXzjbtmtU7NZ1Tg+C+reU2I -GNVu3SYtEVK/UTJHAhLcgry9yD99610tYPN2Fx33Efse94mXOreBfCvDsmFGSc7j -GVNCWXpMR3jTYyGj1igYd5ztOzG63D8gPyOucTTl+RWN/G9EoGBv6sWqk5eCd1Fs -JlWyQX4BJn3YsCZx3uj1DWL0dAl2zqcn6m1M4oj1ozW47MqM/efKOcV6VvCs9SL8 -F/NFvZcH4LKzeupCQ5jEONqcTlVlnLlIqId95Z4DI4AV9wADBQf/S6sKA4oH49tD -Yb5xAfUyEp5ben05TzUJbXs0Z7hfRQzy9+vQbWGamWLgg3QRUVPx1e4IT+W5vEm5 -dggNTMEwlLMI7izCPDcD32B5oxNVxlfj428KGllYWCFj+edY+xKTvw/PHnn+drKs -LE65Gwx4BPHm9EqWHIBX6aPzbgbJZZ06f6jWVBi/N7e/5n8lkxXqS23DBKemapyu -S1i56sH7mQSMaRZP/iiOroAJemPNxv1IQkykxw2woWMmTLKLMCD/i+4DxejE50tK -dxaOLTc4HDCsattw/RVJO6fwE414IXHMv330z4HKWJevMQ+CmQGfswvCwgeBP9n8 -PItLjBQAXIhJBBgRAgAJBQJSh85OAhsMAAoJEMbjGcM0QQaCzpAAmwUNoRyySf9p -5G3/2UD1PMueIwOtAKDVVDXEq5LJPVg4iafNu0SRMwgP0Q== -=icbY +mQINBGZMb30BEAC6c5P5lo5cLN2wX9+jA7TEEJ/NiiOM9VxBwB/c2PFd6AjdGBbe +28VcXWmFdETg1N3Woq08yNVXdxS1tMslyl9apmmyCiSC2OPMmTOveLzZ196IljYR +DeZMF8C+rdzNKXZzn7+nEp9xRy34QUZRfx6pEnugMd0VK0d/ZKgMbcq2IvcRQwap +60+9t8ppesXhgaRBsAzvrj1twngqXP90JwzKGaR+iaGzrvvJn6cgXkw3MyXhskKY 
+4J0c7TV6DmTOIfL6RmBp8+SSco8xXD/O/YIpG8LWe+sbMqSaq7jFvKCINWgK4RAt +7mBRHvx81Y8IwV6B2wch/lSyYxKXTbE7uMefy3vyP9A9IFhMbFpc0EJA/4tHYEL4 +qPZyR44mizsxa+1h6AXO258ERtzL+FoksXnWTcQqBKjd6SHhLwN4BLsjrlWsJ6lD +VaSKsekEwMFTLvZiLxYXBLPU04dvGNgX7nbkFMEK6RxHqfMu+m6+0jPXzQ+ejuae +xoBBT61O7v5PPTqbZFBKnVzQPf7fBIHW5/AGAc+qAI459viwcCSlJ21RCzirFYc0 +/KDuSoo61yyNcq4G271lbT5SNeMZNlDxKkiHjbCpIU6iEF7uK828F1ZGKOMRztok +bzE7j1IDIfDQ3P/zfq73Rr2S9FfHlXvEmLIuj5G4PO7p0IwUlCD1a9oY+QARAQAB +tCxJY2luZ2EgR21iSCAoQnVpbGQgc2VydmVyKSA8aW5mb0BpY2luZ2EuY29tPokC +TgQTAQoAOBYhBN069hmO0AC0wLc5VswRb1WqfyOCBQJmTG99AhsDBQsJCAcCBhUK +CQgLAgQWAgMBAh4BAheAAAoJEMwRb1WqfyOCGrIP/i/4fYEkdCi4nhQGMzSP0Eyh +UhJjsUP9mEqSQRqOAplvjYa1yBbrSPLfkRE0oAL/o+4eUKcAQFeDQtDXJ/D4xl3Q +J5MehRJYzklrSs5XkEscb73HoDBUfFSgCVM2zK+JkCX0CPJ4ZLWtZGJ+8pCLpnkH +nCPonbGc6sS+m2JsPRwxyxAhdXxWSAesXd8dUSW3MOQz9JlC4/idQcCFs03fdhuZ +4jGMry08OihWVudTDK8nkwRZLzNoOivAQ3mIeaTcRMmgPJfYN4k0o90lXJWAbG+2 +j8p7Pyjv71OctI8KUbS4+f2H8i6r5Pc4M4hlUQh6QAN9o1oPJrXxurdp0EXgQXSy +rVH2MeguqprFJxGjdlTCSTYgQEmEXMixRAGzteEgCf/Qk9mPXoxFTNyNg4/Lkglb +Nj6dY6or6w+IsbdrcePqDAs+j9t5B97vU7Ldquloj85myQjkWPP8kjlsOlsXBkQ/ +C+mD+5iW2AiWh+yCasf6mOZwUfINZF+VDpmfIsZZbWpcMgp1f32fpRFZ3ietnsnR ++luNb19hUHKyyDDHMe/YM7H9P5vtX9BGz6O9kNpo1LAnigkSQSFBZlK3Po3Yk9eg +XPbDT5HsU3TMyS5ZnSDRRPPJwsyGPXz+0pCADae9H9hCc2C2LZIrrtwlOFPWuViA +ifY/dQmUP37n5XgMADRc +=O0zm -----END PGP PUBLIC KEY BLOCK----- From fcd097599d9efcbe428d389d31b64640032dea10 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Fri, 15 Nov 2024 10:17:37 +0100 Subject: [PATCH 007/181] home.nas: samba share for music videos --- nodes/home/nas.py | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/nodes/home/nas.py b/nodes/home/nas.py index 0415c87..741fa75 100644 --- a/nodes/home/nas.py +++ b/nodes/home/nas.py @@ -181,6 +181,10 @@ nodes['home.nas'] = { 'path': '/storage/nas/Musik', 'force_group': 'nas', }, + 'music_videos': { + 'path': '/storage/nas/Musikvideos', + 'force_group': 'nas', + }, }, 'restrict-to': { '172.19.138.0/24', 
From 50b71bc8b864991392ee011d2f1e649b25eaa2ec Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Fri, 15 Nov 2024 10:24:13 +0100 Subject: [PATCH 008/181] update element-web to 1.11.85 --- nodes/carlene.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nodes/carlene.toml b/nodes/carlene.toml index 9f4a66d..939cf1c 100644 --- a/nodes/carlene.toml +++ b/nodes/carlene.toml @@ -40,7 +40,7 @@ imap_pass = "!bwpass_attr:t-online.de/franzi.kunsmann@t-online.de:imap" [metadata.element-web] url = "chat.franzi.business" -version = "v1.11.82" +version = "v1.11.85" [metadata.element-web.config] default_server_config.'m.homeserver'.base_url = "https://matrix.franzi.business" default_server_config.'m.homeserver'.server_name = "franzi.business" From 3a56995ab112f3b07b79e492b2e79e7c886bec1e Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Fri, 15 Nov 2024 10:24:28 +0100 Subject: [PATCH 009/181] update netbox to 4.1.6 --- nodes/carlene.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nodes/carlene.toml b/nodes/carlene.toml index 939cf1c..99ec9ed 100644 --- a/nodes/carlene.toml +++ b/nodes/carlene.toml @@ -126,7 +126,7 @@ domain = "rss.franzi.business" [metadata.netbox] domain = "netbox.franzi.business" -version = "v4.1.4" +version = "v4.1.6" admins.kunsi = "hostmaster@kunbox.net" [metadata.nextcloud] From fa63ad72d52a54bc40e77fa17ee4e6fd713fd4f1 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Fri, 15 Nov 2024 10:24:42 +0100 Subject: [PATCH 010/181] update paperless-ngx to 2.13.5 --- nodes/home/paperless.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nodes/home/paperless.py b/nodes/home/paperless.py index ded32c5..6297179 100644 --- a/nodes/home/paperless.py +++ b/nodes/home/paperless.py @@ -48,7 +48,7 @@ nodes['home.paperless'] = { }, 'paperless': { 'domain': 'paperless.home.kunbox.net', - 'version': 'v2.13.0', + 'version': 'v2.13.5', 'timezone': 'Europe/Berlin', }, 'postgresql': { 
From 9884b703cd62500378903c7f0faa25edcff68488 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sat, 16 Nov 2024 12:11:01 +0100 Subject: [PATCH 011/181] update forgejo to 9.0.2 --- nodes/carlene.toml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/nodes/carlene.toml b/nodes/carlene.toml index 99ec9ed..32bca34 100644 --- a/nodes/carlene.toml +++ b/nodes/carlene.toml @@ -49,8 +49,8 @@ defaultCountryCode = "DE" jitsi.preferredDomain = "meet.ffmuc.net" [metadata.forgejo] -version = "9.0.1" -sha1 = "060d9f00aaf595875eaf1897cbb24e760ef54d64" +version = "9.0.2" +sha1 = "5aecc64f93e8ef05c6d6f83d4b647bdb2c831d9f" domain = "git.franzi.business" enable_git_hooks = true install_ssh_key = true From 669b28f6ed511e90114383fd0f3532126d768d4c Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sat, 16 Nov 2024 13:02:39 +0100 Subject: [PATCH 012/181] voc.pretalx: update to 2023.3.1 --- nodes/voc/pretalx.py | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/nodes/voc/pretalx.py b/nodes/voc/pretalx.py index b75ba3c..376a5e6 100644 --- a/nodes/voc/pretalx.py +++ b/nodes/voc/pretalx.py @@ -49,14 +49,15 @@ nodes['voc.pretalx'] = { }, }, 'pretalx': { - 'version': 'v2024.2.1', + # 2023.3.1 with some bugfixes + 'version': '05e377398cecdd45d3ca6013040c5857bbe225d6', 'domain': 'pretalx.c3voc.de', 'mail_from': 'pretalx@c3voc.de', 'administrators-from-group-id': 1, 'plugins': { 'broadcast_tools': { 'repo': 'https://github.com/Kunsi/pretalx-plugin-broadcast-tools.git', - 'rev': 'main', + 'rev': '2.4.0', }, 'downstream': { 'repo': 'https://github.com/pretalx/pretalx-downstream.git', @@ -81,6 +82,6 @@ nodes['voc.pretalx'] = { }, }, 'os': 'debian', - 'os_version': (11,), + 'os_version': (12,), 'pip_command': 'pip3', } From 6a203085b97085565a1f2a8be0eb6d48028e5ad1 Mon Sep 17 00:00:00 2001 
From: Franziska Kunsmann Date: Sat, 16 Nov 2024 13:35:24 +0100 Subject: [PATCH 013/181] bundles/pretalx: we do not need to regenerate_css anymore --- bundles/pretalx/items.py | 19 +++---------------- 1 file changed, 3 insertions(+), 16 deletions(-) diff --git a/bundles/pretalx/items.py b/bundles/pretalx/items.py index 8a57eae..75e4c09 100644 --- a/bundles/pretalx/items.py +++ b/bundles/pretalx/items.py @@ -1,5 +1,5 @@ assert node.has_bundle('redis'), f'{node.name}: pretalx needs redis' -assert node.has_bundle('nodejs'), f'{node.name}: pretalx needs nodejs for rebuild and regenerate_css step' +assert node.has_bundle('nodejs'), f'{node.name}: pretalx needs nodejs for rebuild step' actions = { 'pretalx_create_virtualenv': { @@ -53,17 +53,6 @@ actions = { }, 'triggered': True, }, - 'pretalx_regenerate-css': { - 'command': 'sudo -u pretalx PRETALX_CONFIG_FILE=/opt/pretalx/pretalx.cfg /opt/pretalx/venv/bin/python -m pretalx regenerate_css', - 'needs': { - 'action:pretalx_migrate', - 'directory:/opt/pretalx/data', - 'directory:/opt/pretalx/static', - 'file:/opt/pretalx/pretalx.cfg', - 'bundle:nodejs', - }, - 'triggered': True, - }, } users = { @@ -90,7 +79,6 @@ git_deploy = { 'action:pretalx_install', 'action:pretalx_migrate', 'action:pretalx_rebuild', - 'action:pretalx_regenerate-css', 'svc_systemd:pretalx-web:restart', 'svc_systemd:pretalx-worker:restart', }, @@ -121,7 +109,6 @@ svc_systemd = { 'action:pretalx_install', 'action:pretalx_migrate', 'action:pretalx_rebuild', - 'action:pretalx_regenerate-css', 'file:/etc/systemd/system/pretalx-web.service', 'file:/opt/pretalx/pretalx.cfg', }, @@ -129,7 +116,8 @@ svc_systemd = { 'pretalx-worker': { 'needs': { 'action:pretalx_install', - 'action:pretalx_migrate', + 'action:pretalx_migrate',, + 'action:pretalx_rebuild', 'file:/etc/systemd/system/pretalx-worker.service', 'file:/opt/pretalx/pretalx.cfg', }, 
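Review bot: The new line `'action:pretalx_migrate',,` in the `pretalx-worker` `needs` set has a doubled comma, which is a SyntaxError and will break loading of bundles/pretalx/items.py for every node that uses this bundle; it should read `'action:pretalx_migrate',`. The rest of the change is consistent with itself: every reference to `action:pretalx_regenerate-css` is removed together with the action, and `pretalx-worker` gains the same `action:pretalx_rebuild` dependency that `pretalx-web` already has. The `svc_systemd` dict containing this hunk continues outside it.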
@@ -204,7 +192,6 @@ for plugin_name, plugin_config in node.metadata.get('pretalx/plugins', {}).items 'triggers': { 'action:pretalx_migrate', 'action:pretalx_rebuild', - 'action:pretalx_regenerate-css', 'svc_systemd:pretalx-web:restart', 'svc_systemd:pretalx-worker:restart', }, From b3070a8b8bf7c11ec8004ec16c466bb01631ecb1 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sat, 16 Nov 2024 14:14:05 +0100 Subject: [PATCH 014/181] bundles/infobeamer-monitor: announce online devices at 09:00 CE(S)T --- bundles/infobeamer-monitor/files/monitor.py | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/bundles/infobeamer-monitor/files/monitor.py b/bundles/infobeamer-monitor/files/monitor.py index 2aa2daf..5a253e3 100644 --- a/bundles/infobeamer-monitor/files/monitor.py +++ b/bundles/infobeamer-monitor/files/monitor.py @@ -1,9 +1,10 @@ #!/usr/bin/env python3 import logging -from datetime import datetime, timezone +from datetime import datetime from json import dumps from time import sleep +from zoneinfo import ZoneInfo import paho.mqtt.client as mqtt from requests import RequestException, get @@ -210,7 +211,7 @@ while True: level="WARN", ) - if datetime.now(timezone.utc).strftime("%H%M") == "1312": + if datetime.now(ZoneInfo("Europe/Berlin")).strftime("%H%M") == "0900": if available_credits is not None: mqtt_out(f"Available Credits: {available_credits}") From 8f705fc8e3d554a5bb574a8a99e21fa3413e5fca Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 17 Nov 2024 11:48:08 +0100 Subject: [PATCH 015/181] update mautrix-whatsapp to 0.11.1 --- nodes/carlene.toml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/nodes/carlene.toml b/nodes/carlene.toml index 32bca34..ea1625f 100644 --- a/nodes/carlene.toml +++ b/nodes/carlene.toml 
@@ -114,8 +114,8 @@ provisioning.shared_secret = "!decrypt:encrypt$gAAAAABfVKflEMAi07C_QGP8cy97hF-4g "'@kunsi:franzi.business'" = "admin" [metadata.mautrix-whatsapp] -version = "v0.11.0" -sha1 = "997c794eb246e6cc67ac050c106d54f88531f213" +version = "v0.11.1" +sha1 = "ada2dc6acfd5cb15fae341266b383d3f6e8b42bd" permissions."'@kunsi:franzi.business'" = "admin" [metadata.mautrix-whatsapp.homeserver] domain = "franzi.business" From a9b16c18ad36592e15f384e1064528830dd85ffb Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Fri, 22 Nov 2024 20:50:52 +0100 Subject: [PATCH 016/181] bundles/postfix: remove smtp_use_tls option Log says: postconf: warning: /etc/postfix/main.cf: support for parameter "smtp_use_tls" will be removed; instead, specify "smtp_tls_security_level" --- bundles/postfix/files/main.cf | 1 - 1 file changed, 1 deletion(-) diff --git a/bundles/postfix/files/main.cf b/bundles/postfix/files/main.cf index 770114b..9d74175 100644 --- a/bundles/postfix/files/main.cf +++ b/bundles/postfix/files/main.cf @@ -25,7 +25,6 @@ inet_interfaces = 127.0.0.1 % endif <%text> -smtp_use_tls = yes smtp_tls_loglevel = 1 smtp_tls_note_starttls_offer = yes smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache From 3a5db80843568696ac377a661354a5d26d5814a9 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sat, 23 Nov 2024 13:30:22 +0100 Subject: [PATCH 017/181] bundles/icinga2: notify per sms if ntfy does not respond in time --- .../icinga2/files/scripts/icinga_notification_wrapper | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/bundles/icinga2/files/scripts/icinga_notification_wrapper b/bundles/icinga2/files/scripts/icinga_notification_wrapper index 612882d..fbecd8e 100644 --- a/bundles/icinga2/files/scripts/icinga_notification_wrapper +++ b/bundles/icinga2/files/scripts/icinga_notification_wrapper 
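Review bot: Removing `smtp_use_tls = yes` without adding the replacement that the quoted postconf warning names leaves outbound TLS governed by `smtp_tls_security_level`, whose default is empty, i.e. no TLS at all; unless that parameter is already set elsewhere in main.cf (not visible in this hunk), outgoing mail silently falls back to plaintext after this change. Put `smtp_tls_security_level = may` where the removed line was, which keeps the opportunistic behaviour `smtp_use_tls = yes` provided; the remaining `smtp_tls_*` settings below only matter once TLS is actually negotiated.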
@@ -129,11 +129,14 @@ def notify_per_ntfy(): data=message_text, headers=headers, auth=(CONFIG['ntfy']['user'], CONFIG['ntfy']['password']), + timeout=10, ) r.raise_for_status() except Exception as e: log_to_syslog('Sending a Notification failed: {}'.format(repr(e))) + return False + return True def notify_per_mail(): @@ -199,7 +202,8 @@ if __name__ == '__main__': notify_per_mail() if args.sms: - if not args.service_name: - notify_per_sms() + ntfy_worked = False if CONFIG['ntfy']['user']: - notify_per_ntfy() + ntfy_worked = notify_per_ntfy() + if not args.service_name or not ntfy_worked: + notify_per_sms() From 3b608d95ece971098d6fc38449f4f010989063c1 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sat, 23 Nov 2024 13:31:00 +0100 Subject: [PATCH 018/181] add static ip reservation for mixer96 as well --- nodes/home.mixer96.toml | 9 +++++++++ 1 file changed, 9 insertions(+) create mode 100644 nodes/home.mixer96.toml diff --git a/nodes/home.mixer96.toml b/nodes/home.mixer96.toml new file mode 100644 index 0000000..815205f --- /dev/null +++ b/nodes/home.mixer96.toml @@ -0,0 +1,9 @@ +dummy = true + +[metadata.interfaces.default] +ips = ["172.19.138.98"] +dhcp = true +mac = "54:e1:ad:a6:0d:1f" + +[metadata.icinga_options] +exclude_from_monitoring = true From 8e237474003a0ba1c8961dc58e45f01976256632 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Thu, 28 Nov 2024 08:27:17 +0100 Subject: [PATCH 019/181] home.hass: remove nginx ip restriction --- nodes/home.hass.toml | 6 ------ 1 file changed, 6 deletions(-) diff --git a/nodes/home.hass.toml b/nodes/home.hass.toml index 2c52708..52a2388 100644 --- a/nodes/home.hass.toml +++ b/nodes/home.hass.toml 
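Review bot: In the `__main__` block, `ntfy_worked` starts as `False` and is only updated when `CONFIG['ntfy']['user']` is set, so on a node without ntfy configured `not ntfy_worked` is always true and every service notification is now sent by SMS as well, whereas before this change service notifications never reached `notify_per_sms()`; if the intent is "SMS only when ntfy was tried and failed", initialise with `ntfy_worked = None` and test `if not args.service_name or ntfy_worked is False:`. Adding `timeout=10` to the ntfy request is the right fix for the hang this commit targets. `notify_per_ntfy()` starts before the first hunk, so any earlier return paths it has are not visible here and should return a boolean as well.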
@@ -24,12 +24,6 @@ ram = 2 domain = 'hass.home.kunbox.net' api_secret = '!decrypt:encrypt$gAAAAABm9lNg_mNhyzb4S6WRtVRDmQFBnPpoCwyqMnilRrAFUXc-EDvv-nYXPbSIbjTf7ZReTPtqr8k3WrGPqiuqhJ60LVv4A5DMqT5c6hTVr4WbhP4DPEIPgfd5aq6U9_-H9WDyQYHKjnunLJEYtEREzmhTq3XsYeQ05DyE7hfnQ-zVoBb0CsAK7GdhihRTdvhXv2N9M04_rigyBP-roRcUgCqwyHuWJc0IPAyn3R4Mr43ZqgR2fn6dNV_YUVKn9c0nWxIwRnYy6Ff_Te9NoGVmXxkiNUX-90bBLKFiCzrRAtizxrTiQb2SRipaWbgOlV6wbMy2KNux' -[metadata.nginx] -restrict-to = [ - '172.19.136.0/25', - '172.19.138.0/24', -] - [metadata.pyenv] version = 'v2.3.36' python_versions = ["3.12.2"] From 128a61706e5211b73eeb4cc5bbf4be4122b68a57 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Thu, 28 Nov 2024 08:27:36 +0100 Subject: [PATCH 020/181] bundles/infobeamer-monitor: some more improvements in status display --- bundles/infobeamer-monitor/files/monitor.py | 39 +++++++-------------- 1 file changed, 13 insertions(+), 26 deletions(-) diff --git a/bundles/infobeamer-monitor/files/monitor.py b/bundles/infobeamer-monitor/files/monitor.py index 5a253e3..e5755c2 100644 --- a/bundles/infobeamer-monitor/files/monitor.py +++ b/bundles/infobeamer-monitor/files/monitor.py @@ -25,7 +25,8 @@ logging.basicConfig( ) LOG = logging.getLogger("main") -MLOG = logging.getLogger("mqtt") +TZ = ZoneInfo("Europe/Berlin") +DUMP_TIME = "0900" state = None @@ -68,13 +69,12 @@ def mqtt_dump_state(device): device=device, ) +def is_dump_time(): + return datetime.now(TZ).strftime("%H%M") == DUMP_TIME mqtt_out("Monitor starting up") while True: try: - online_devices = set() - available_credits = None - try: r = get( "https://info-beamer.com/api/v1/device/list", 
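Review bot: Dropping the `[metadata.nginx] restrict-to` block removes the only network-level gate on `hass.home.kunbox.net` visible in this file, leaving access control entirely to Home Assistant's own login; if exposure beyond the two LAN ranges is intended (for example for a remote client), a one-line comment in the file stating that, and what now limits who can reach the vhost, would keep the next reader from restoring the restriction by accident. If only one additional network needs access, adding it to the list is the narrower change.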
@@ -83,9 +83,9 @@ while True: r.raise_for_status() ib_state = r.json()["devices"] except RequestException as e: - LOG.exception("Could not get data from info-beamer") + LOG.exception("Could not get device data from info-beamer") mqtt_out( - f"Could not get data from info-beamer: {e!r}", + f"Could not get device data from info-beamer: {e!r}", level="WARN", ) else: @@ -98,7 +98,8 @@ while True: continue new_state[did] = device - must_dump_state = False + # force information output for every online device at 09:00 CE(S)T + must_dump_state = is_dump_time() if state is not None: if did not in state: @@ -161,14 +162,6 @@ while True: else: LOG.info("adding device {} to empty state".format(device["id"])) - if device["is_online"]: - online_devices.add( - "{} ({})".format( - device["id"], - device["description"], - ) - ) - state = new_state try: @@ -179,13 +172,16 @@ while True: r.raise_for_status() ib_account = r.json() except RequestException as e: - LOG.exception("Could not get data from info-beamer") + LOG.exception("Could not get account data from info-beamer") mqtt_out( - f"Could not get data from info-beamer: {e!r}", + f"Could not get account data from info-beamer: {e!r}", level="WARN", ) else: available_credits = ib_account["balance"] + if is_dump_time(): + mqtt_out(f"Available Credits: {available_credits}") + if available_credits < 50: mqtt_out( f"balance has dropped below 50 credits! (available: {available_credits})", @@ -211,15 +207,6 @@ while True: level="WARN", ) - if datetime.now(ZoneInfo("Europe/Berlin")).strftime("%H%M") == "0900": - if available_credits is not None: - mqtt_out(f"Available Credits: {available_credits}") - - if online_devices: - mqtt_out( - "Online Devices: {}".format(", ".join(sorted(online_devices))) - ) - sleep(60) except KeyboardInterrupt: break From ba1de350bb8d55f661f09008884455123e3122dc Mon Sep 17 00:00:00 2001 
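Review bot: `is_dump_time()` is now evaluated once per device inside the `for device in ib_state` loop (`must_dump_state = is_dump_time()`) and again for the credits report, each call reading the clock anew; when an iteration straddles the 09:00 → 09:01 boundary some devices are dumped and the rest, and possibly the `Available Credits` line, are not, and since each iteration lasts 60 s plus two HTTP round trips, minute `0900` can also be missed entirely. Evaluate it once at the top of the iteration, `dump_now = is_dump_time()`, and use `dump_now` for both checks; to guarantee exactly one daily report, compare against a remembered `last_dump_day` rather than exact minute equality. The `while True` loop enclosing these hunks starts before them.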
From: Franziska Kunsmann Date: Sat, 30 Nov 2024 11:34:20 +0100 Subject: [PATCH 021/181] update element-web to 1.11.85 --- nodes/carlene.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nodes/carlene.toml b/nodes/carlene.toml index ea1625f..03eb3a3 100644 --- a/nodes/carlene.toml +++ b/nodes/carlene.toml @@ -40,7 +40,7 @@ imap_pass = "!bwpass_attr:t-online.de/franzi.kunsmann@t-online.de:imap" [metadata.element-web] url = "chat.franzi.business" -version = "v1.11.85" +version = "v1.11.86" [metadata.element-web.config] default_server_config.'m.homeserver'.base_url = "https://matrix.franzi.business" default_server_config.'m.homeserver'.server_name = "franzi.business" From 19359f72e6259c92403a3de2e77187001ee2843c Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sat, 30 Nov 2024 11:34:39 +0100 Subject: [PATCH 022/181] update netbox to 4.1.7 --- nodes/carlene.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nodes/carlene.toml b/nodes/carlene.toml index 03eb3a3..3955616 100644 --- a/nodes/carlene.toml +++ b/nodes/carlene.toml @@ -126,7 +126,7 @@ domain = "rss.franzi.business" [metadata.netbox] domain = "netbox.franzi.business" -version = "v4.1.6" +version = "v4.1.7" admins.kunsi = "hostmaster@kunbox.net" [metadata.nextcloud] From 49c5d0b1e37795ebde6cd8a3ac80e784d0f056c2 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sat, 30 Nov 2024 11:34:53 +0100 Subject: [PATCH 023/181] update postfixadmin to 3.3.14 --- nodes/carlene.toml | 2 +- nodes/htz-cloud/pirmasens.py | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/nodes/carlene.toml b/nodes/carlene.toml index 3955616..18a7966 100644 --- a/nodes/carlene.toml +++ b/nodes/carlene.toml 
@@ -213,7 +213,7 @@ blocked_recipients = [ [metadata.postfixadmin] domain = "postfixadmin.franzi.business" setup_password = "!decrypt:encrypt$gAAAAABgnNGpAqUs--qBXII9ZPcHtxaELy9e2Dx9O44n4l0O4nMHPoIyaPW5HkvpQ2zWTlh5OfjjOgunRtE_voJuY0Kdtji37ixAnuL9ErOJ0LDY5QfMkNPUgPs5alwz1baqYq6rqJ7NDmB0gHraY46v5eG79R2EyQ==" -version = "3.3.13" +version = "3.3.14" [metadata.postgresql] version = 15 diff --git a/nodes/htz-cloud/pirmasens.py b/nodes/htz-cloud/pirmasens.py index b4c405d..46f4638 100644 --- a/nodes/htz-cloud/pirmasens.py +++ b/nodes/htz-cloud/pirmasens.py @@ -71,7 +71,7 @@ nodes['htz-cloud.pirmasens'] = { }, 'postfixadmin': { 'domain': 'mail.kunsmann.info', - 'version': '3.3.13', + 'version': '3.3.14', 'setup_password': vault.decrypt('encrypt$gAAAAABgnNGpAqUs--qBXII9ZPcHtxaELy9e2Dx9O44n4l0O4nMHPoIyaPW5HkvpQ2zWTlh5OfjjOgunRtE_voJuY0Kdtji37ixAnuL9ErOJ0LDY5QfMkNPUgPs5alwz1baqYq6rqJ7NDmB0gHraY46v5eG79R2EyQ=='), }, 'postgresql': { From 9be4ba75eb0ec08e8caf649cdf99589f1345b678 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sat, 30 Nov 2024 11:35:05 +0100 Subject: [PATCH 024/181] update travelynx to 2.9.2 --- nodes/carlene.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nodes/carlene.toml b/nodes/carlene.toml index 18a7966..b0f1593 100644 --- a/nodes/carlene.toml +++ b/nodes/carlene.toml @@ -262,7 +262,7 @@ disks = [ ] [metadata.travelynx] -version = "2.8.40" +version = "2.9.2" mail_from = "travelynx@franzi.business" domain = "travelynx.franzi.business" From a6f29fe3890c8838ed15c5db896421b848de94a2 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sat, 30 Nov 2024 11:37:06 +0100 Subject: [PATCH 025/181] bump certificate for *.home.kunbox.net --- data/ssl/_.home.kunbox.net.crt.pem | 30 ++++++++++++------------ data/ssl/_.home.kunbox.net.key.pem.vault | 2 +- 2 files changed, 16 insertions(+), 16 deletions(-) diff --git a/data/ssl/_.home.kunbox.net.crt.pem b/data/ssl/_.home.kunbox.net.crt.pem index a263c3f..06ea249 100644 
--- a/data/ssl/_.home.kunbox.net.crt.pem +++ b/data/ssl/_.home.kunbox.net.crt.pem 
@@ -1,22 +1,22 @@ -----BEGIN CERTIFICATE----- -MIIDsDCCAzWgAwIBAgISBIi3muU9O51f4fWWUXJHNgRHMAoGCCqGSM49BAMDMDIx +MIIDsDCCAzagAwIBAgISBGjVgPFJCHOuBJul17PsmUBlMAoGCCqGSM49BAMDMDIx CzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQDEwJF -NjAeFw0yNDA5MDQxNjA1MThaFw0yNDEyMDMxNjA1MTdaMBoxGDAWBgNVBAMTD2hv -bWUua3VuYm94Lm5ldDB2MBAGByqGSM49AgEGBSuBBAAiA2IABA5vskMN8tWHCOsv -aUojW+t8otSpRgcU0tLsONhzQ7GhG5tC5DQ5pN7HiG14eejONQE4hRWC4rkP/e47 -EVQd/rFK5m0lQesR68zogtW9KfQZUoINhlOuR4CxpBY1LrG5laOCAiQwggIgMA4G +NjAeFw0yNDExMzAwOTM4MzNaFw0yNTAyMjgwOTM4MzJaMBoxGDAWBgNVBAMTD2hv +bWUua3VuYm94Lm5ldDB2MBAGByqGSM49AgEGBSuBBAAiA2IABK+7B9tE5ejhYZWq +3gs8q4s6/A98pW5GGpkYl7iPsPM8ko0UvZ8tfBU+KuEavDmFoFa8W4ePEkPkypHo +gqRMhIm55/2wyTTh8/PnXp8vWCwMISmPHEqou2mphx0feLRAlqOCAiUwggIhMA4G A1UdDwEB/wQEAwIHgDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwDAYD -VR0TAQH/BAIwADAdBgNVHQ4EFgQU3iCazGKeVwzCa84zl+qckbspEmEwHwYDVR0j +VR0TAQH/BAIwADAdBgNVHQ4EFgQUicTvP+5xKDeHcAhxZi7CeD5xzCUwHwYDVR0j BBgwFoAUkydGmAOpUWiOmNbEQkjbI79YlNIwVQYIKwYBBQUHAQEESTBHMCEGCCsG AQUFBzABhhVodHRwOi8vZTYuby5sZW5jci5vcmcwIgYIKwYBBQUHMAKGFmh0dHA6 Ly9lNi5pLmxlbmNyLm9yZy8wLQYDVR0RBCYwJIIRKi5ob21lLmt1bmJveC5uZXSC -D2hvbWUua3VuYm94Lm5ldDATBgNVHSAEDDAKMAgGBmeBDAECATCCAQQGCisGAQQB -1nkCBAIEgfUEgfIA8AB2AD8XS0/XIkdYlB1lHIS+DRLtkDd/H4Vq68G/KIXs+GRu -AAABkb3+C2AAAAQDAEcwRQIhAMwv6NjH3Ggd1WfeSVvyToVaM15glwfSJcAW8+40 -XbCKAiABUoDmQjhKi5VfwZ7e0WX5XjEmgBN2qTafK5RqlaCDJgB2AO7N0GTV2xrO -xVy3nbTNE6Iyh0Z8vOzew1FIWUZxH7WbAAABkb3+C3IAAAQDAEcwRQIgU9sxMGOG -aP3npu7vw3G9TiFRxuZRCI96My34WVSCOcsCIQDhDjS9QhJGtNT68Z0sx6DJCcco -L1AXGWwojxizcx48bTAKBggqhkjOPQQDAwNpADBmAjEA/SOZeiZrClB5EJlZFdQy -hrt2qh4HC5zvHdSLTWI4GAxDy8xRg/ANO6fp0Sb7Q7jdAjEAhiQgQfgUln08i/tv -3TGjVRIT/Y4A4QadodTROpfmFDH3QIsNwRPRhQUUSscBavK9 +D2hvbWUua3VuYm94Lm5ldDATBgNVHSAEDDAKMAgGBmeBDAECATCCAQUGCisGAQQB +1nkCBAIEgfYEgfMA8QB3AM8RVu7VLnyv84db2Wkum+kacWdKsBfsrAHSW3fOzDsI +AAABk3ylPJIAAAQDAEgwRgIhAPf1V/hozFwCyj8rwHFrxslXPa77KFbbm1yrvikr 
+ypvZAiEAgsSapcCShSJcW21/Rig7MOjp8IjdirAzLDRnBcl4tooAdgB9WR4S4Xgq +exxhZ3xe/fjQh1wUoE6VnrkDL9kOjC55uAAAAZN8pURGAAAEAwBHMEUCIBF42g56 +wBpQRx1aHM+tFrydhInIx+ji6o7d055uc7bAAiEA4bRrxTsQQIJ+5lY2XIYTpf5C +msc2KAHccsMqstH+ur8wCgYIKoZIzj0EAwMDaAAwZQIxAOTsntM8s/ik3N09mXq4 +fVm1XQk2B2jALeTZLZevUY8jUjhKwoXTNVXQlMr1ilnC9QIwCa7zOQJQ2Y7D8xMv +uKfu7TMSLJlWMDHhIsggdPeQDYtNm85jsOXqB1SjWeCR25Mn -----END CERTIFICATE----- diff --git a/data/ssl/_.home.kunbox.net.key.pem.vault b/data/ssl/_.home.kunbox.net.key.pem.vault index df3ed76..f5fa8b4 100644 --- a/data/ssl/_.home.kunbox.net.key.pem.vault +++ b/data/ssl/_.home.kunbox.net.key.pem.vault @@ -1 +1 @@ -encrypt$gAAAAABm2JL0vVqh3Zut-a1Gfn8iOtDZS8aBpGobV3-d3u8My0MPunYmbQ6kXUAw7U0Bu87AAPXNsmi1pxrxcu8vXvhw4uM445WwKj-UqaV5fmk-ZasHGq-O6K52YqEgK6wo-9u_sOBubbwJSwFVaHxT3gczLW_GVRHhFIFGgdnRlz4YoAz4NXcos_uNO9GMEOGhfGx9e2c2GOIg64vXkj_1LjXEDoV9HYMzy-2wLt4A6q-ZiZwCoKl8-lt8sY_rLk_yfmy3sMvzqg8JaE7T4sunmXDdf4HQlnvl_cu1uW33Rrsq4-080HKx6rKNsZQGhWD2yls016xBAYZvQbDjHd6-7bld1bs5RUF5tfEC3Kx567TBdMaf5C7-PnNB7O_MC4I6SkmUElGRdYyCHuP5HXf9dKtiGCtjHyfEzqTBrcI0xPt631_IGPWMNId7zyLqfLHpMFTPS9jgGVKoT1TXwKe4NSHaGxXO-A== \ No newline at end of file +encrypt$gAAAAABnSurPS00unDJP1C7wyToyZOzKrEruyT6itqZG1Bbv6IZPVrkdcbgyfPrXY8ViPSRwtdVJsju-X8pvLHZGSHXvxhpNlNrNQTas2_VCMwYIihGnp7VI6ovQXd_iVHON5sXaNpKURRwCsvnYhHQfn4qPGLSN8II2QdpJ4A4nDschZwN2u-8X9omGPOcC6zeivoew4UcpossYuJDskHeJnRnR3roGwrHuPWfEKRgRJ_eTHgij00uyoJZxhWGRV9nS_MnacbGUP6KBXfaZP_23DFJPMMq734qVfcLObhYa8nam9kLHh4TaloET2pK-IVqcb_FOorWiipiGBSNCw9EQr57d8AOLEFAwMmb_1fgPCjpchVZaSKD4OhdjPt1CU3unzR-zPkrjBdL-az0ci984vJnLolr4z8nMW6oR1SyJGyccJ-lmoMf34M3oI3zIlNg2GPdGcZMFa6GhvmLYwDb7r0PHil_GRA== \ No newline at end of file From 94868e726f8446a27e12e25a3278ecb5a5782b51 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 1 Dec 2024 13:28:15 +0100 Subject: [PATCH 026/181] prepare for 38c3 --- nodes/voc/infobeamer-cms.py | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) 
diff --git a/nodes/voc/infobeamer-cms.py b/nodes/voc/infobeamer-cms.py index f0dc6cf..ceebc9e 100644 --- a/nodes/voc/infobeamer-cms.py +++ b/nodes/voc/infobeamer-cms.py @@ -41,7 +41,7 @@ nodes['voc.infobeamer-cms'] = { 'HOSTED_API_KEY': vault.decrypt('encrypt$gAAAAABhxJPH2sIGMAibU2Us1HoCVlNfF0SQQnVl0eiod48Zu8webL_-xk3wDw3yXw1Hkglj-2usl-D3Yd095yTSq0vZMCv2fh-JWwSPdJewQ45x9Ai4vXVD4CNz5vuJBESKS9xQWXTc'), 'INTERRUPT_KEY': vault.human_password_for('infobeamer-cms interrupt key 38c3', words=1), 'SETUP_IDS': [ - 253559, + 255228, ], # 'EXTRA_ASSETS': [{ # 'type': "image", @@ -72,15 +72,15 @@ nodes['voc.infobeamer-cms'] = { }, }, 'rooms': { -# 'Saal 1': 34430, -# 'Saal G': 26598, -# 'Saal Z': 26610, -# 'Saal E (SoS/Lightning-Talks)': 32814, -# 'Saal F (Sendezentrum/DLF)': 9717, + 'Saal 1': 34430, + 'Saal G': 26598, + 'Saal Z': 26610, + 'Saal E (SoS/Lightning-Talks)': 32814, + 'Saal F (Sendezentrum/DLF)': 9717, }, 'interrupts': { -# 'Questions': 'questions', -# 'Translations': 'translations', + 'Questions': 'questions', + 'Translations': 'translations', }, }, 'infobeamer-monitor': { From 3ad6a0fed8a3bd31cdc98be2f087b819c26a7bd4 Mon Sep 17 00:00:00 2001 From: Sophie Schiller Date: Sun, 1 Dec 2024 21:06:47 +0100 Subject: [PATCH 027/181] miniserver: updates --- nodes/sophie/miniserver.py | 365 +++++++++++++++++++------------------ 1 file changed, 185 insertions(+), 180 deletions(-) diff --git a/nodes/sophie/miniserver.py b/nodes/sophie/miniserver.py index 5088f87..7be112f 100644 --- a/nodes/sophie/miniserver.py +++ b/nodes/sophie/miniserver.py 
@@ -1,255 +1,260 @@ # sophie's miniserver -nodes['htz-cloud.miniserver'] = { - 'bundles': { - 'element-web', - 'hedgedoc', - 'matrix-media-repo', - 'matrix-synapse', +nodes["htz-cloud.miniserver"] = { + "bundles": { + "element-web", + "hedgedoc", + "matrix-media-repo", + "matrix-synapse", "matrix-stickerpicker", - 'nodejs', - 'ntfy', - 'mautrix-telegram', - 'postgresql', - 'zfs', + "nodejs", + "ntfy", + "mautrix-telegram", + "postgresql", + "zfs", }, - 'groups': { - 'debian-bookworm', - 'sophie', - 'webserver', + "groups": { + "debian-bookworm", + "sophie", + "webserver", }, - 'metadata': { - 'interfaces': { - 'eth0': { - 'ips': { - '157.90.20.62', - '2a01:4f8:c2c:840f::1/64', + "metadata": { + "interfaces": { + "eth0": { + "ips": { + "157.90.20.62", + "2a01:4f8:c2c:840f::1/64", }, - 'gateway4': '172.31.1.1', - 'gateway6': 'fe80::1', + "gateway4": "172.31.1.1", + "gateway6": "fe80::1", }, }, - 'apt': { - 'packages': { - 'mosh': {}, - 'weechat': {}, - 'weechat-core': {}, - 'weechat-curses': {}, - 'weechat-perl': {}, - 'weechat-plugins': {}, - 'weechat-python': {}, - 'weechat-ruby': {}, + "apt": { + "packages": { + "mosh": {}, + "weechat": {}, + "weechat-core": {}, + "weechat-curses": {}, + "weechat-perl": {}, + "weechat-plugins": {}, + "weechat-python": {}, + "weechat-ruby": {}, }, - 'repos': { - 'weechat': { - 'items': { - 'deb https://weechat.org/debian {os_release} main', + "repos": { + "weechat": { + "items": { + "deb https://weechat.org/debian {os_release} main", }, }, }, }, - 'backup-client': { - 'pre-hooks': { - 'sophie-weechat': \ - 'echo \'core.weechat */layout store\' >> /home/sophie/.weechat/weechat_fifo\n' \ - 'echo \'core.weechat */save\' >> /home/sophie/.weechat/weechat_fifo\n', + "backup-client": { + "pre-hooks": { + "sophie-weechat": "echo 'core.weechat */layout store' >> /home/sophie/.weechat/weechat_fifo\n" + "echo 'core.weechat */save' >> /home/sophie/.weechat/weechat_fifo\n", }, }, - 'backups': { - 'paths': { - '/home/sophie/.weechat', + 
"backups": { + "paths": { + "/home/sophie/.weechat", }, }, - 'element-web': { - 'url': 'chat.sophies-kitchen.eu', - 'version': 'v1.11.83', - 'config': { - 'default_server_config': { - 'm.homeserver': { - 'base_url': 'https://matrix.sophies-kitchen.eu', - 'server_name': 'sophies-kitchen.eu', + "element-web": { + "url": "chat.sophies-kitchen.eu", + "version": "v1.11.86", + "config": { + "default_server_config": { + "m.homeserver": { + "base_url": "https://matrix.sophies-kitchen.eu", + "server_name": "sophies-kitchen.eu", }, }, - 'brand': 'sophies-kitchen.eu', - 'showLabsSettings': True, - 'default_theme': 'dark', - 'defaultCountryCode': 'DE', - 'jitsi': { - 'preferredDomain': 'meet.ffmuc.net', + "brand": "sophies-kitchen.eu", + "showLabsSettings": True, + "default_theme": "dark", + "defaultCountryCode": "DE", + "jitsi": { + "preferredDomain": "meet.ffmuc.net", }, - 'map_style_url': "https://api.maptiler.com/maps/openstreetmap/style.json?key=fU3vlMsMn4Jb6dnEIFsx" + "map_style_url": "https://api.maptiler.com/maps/openstreetmap/style.json?key=fU3vlMsMn4Jb6dnEIFsx", }, }, - 'hedgedoc': { - 'version': '1.10.0', - 'config': { - 'production': { - 'allowAnonymousEdits': True, - 'domain': 'pad.sophies-kitchen.eu', + "hedgedoc": { + "version": "1.10.0", + "config": { + "production": { + "allowAnonymousEdits": True, + "domain": "pad.sophies-kitchen.eu", }, }, }, - 'letsencrypt': { - 'concat_and_deploy': { - 'sophie-weechat': { - 'match_domain': 'i.sophies-kitchen.eu', - 'target': '/home/sophie/.weechat/ssl/relay.pem', - 'chown': 'sophie:sophie', - 'chmod': '0440', - 'commands': [ - 'echo \'core.weechat */relay sslcertkey\' >> /home/sophie/.weechat/weechat_fifo' + "letsencrypt": { + "concat_and_deploy": { + "sophie-weechat": { + "match_domain": "i.sophies-kitchen.eu", + "target": "/home/sophie/.weechat/ssl/relay.pem", + "chown": "sophie:sophie", + "chmod": "0440", + "commands": [ + "echo 'core.weechat */relay sslcertkey' >> /home/sophie/.weechat/weechat_fifo" ], }, }, - 
'domains': { - 'i.sophies-kitchen.eu': set(), - 'webdump.sophies-kitchen.eu': set(), - 'matrix.sophies-kitchen.eu': { - 'sophies-kitchen.eu', + "domains": { + "i.sophies-kitchen.eu": set(), + "webdump.sophies-kitchen.eu": set(), + "matrix.sophies-kitchen.eu": { + "sophies-kitchen.eu", }, }, }, - 'matrix-media-repo': { - 'version': 'v1.3.7', - 'datastore_id': '99c09e24edc4e9be6c4c9486bc147e385bc87044', - 'sha1': '3e2bb7089b0898b86000243a82cc58ae998dc9d9', - 'homeservers': { - 'sophies-kitchen.eu': { - 'domain': 'http://[::1]:20080/', - 'api': 'synapse', - 'signing_key_path': "/etc/matrix-synapse/mmr.signing.key" + "matrix-media-repo": { + "version": "v1.3.7", + "datastore_id": "99c09e24edc4e9be6c4c9486bc147e385bc87044", + "sha1": "3e2bb7089b0898b86000243a82cc58ae998dc9d9", + "homeservers": { + "sophies-kitchen.eu": { + "domain": "http://[::1]:20080/", + "api": "synapse", + "signing_key_path": "/etc/matrix-synapse/mmr.signing.key", }, }, - 'admins': { - '@sophie:sophies-kitchen.eu', + "admins": { + "@sophie:sophies-kitchen.eu", }, - 'upload_max_mb': 500, + "upload_max_mb": 500, }, - 'matrix-stickerpicker': { - # use this bot token for telegram import: encrypt$gAAAAABg4bcQVzBF_iXdDtjRQD-O37GHdbHwWXyhCLPOuJLbv3ezUeXKR203hkCXkjfItSHi4NiTEgQPadDZTRkavaRpvAoaQV1a4srCS_Y-NU4RiOmkrVFJ_Xhw6UZvwjQUQ0QPOx9t - 'domain': "matrix-stickers.sophies-kitchen.eu", - 'config': { - 'access_token': vault.decrypt('encrypt$gAAAAABg4btB0KGk068ahGZzR0w_Lm1bj1wUbB2WfNNs2bp3PwM4Ftp6MjQnrF-CejZfrF0NjPJw9Z4MrgileHP0sVw04mvgKSHfTf8gv4kTB6WuCIxHeMWHUDx00LTWL73fSlhCK0o1'), - 'homeserver': "https://matrix.sophies-kitchen.eu", - 'user_id': "@dimension:sophies-kitchen.eu", + "matrix-stickerpicker": { + # use this bot token for telegram import: encrypt$gAAAAABg4bcQVzBF_iXdDtjRQD-O37GHdbHwWXyhCLPOuJLbv3ezUeXKR203hkCXkjfItSHi4NiTEgQPadDZTRkavaRpvAoaQV1a4srCS_Y-NU4RiOmkrVFJ_Xhw6UZvwjQUQ0QPOx9t + "domain": "matrix-stickers.sophies-kitchen.eu", + "config": { + "access_token": vault.decrypt( + 
"encrypt$gAAAAABg4btB0KGk068ahGZzR0w_Lm1bj1wUbB2WfNNs2bp3PwM4Ftp6MjQnrF-CejZfrF0NjPJw9Z4MrgileHP0sVw04mvgKSHfTf8gv4kTB6WuCIxHeMWHUDx00LTWL73fSlhCK0o1" + ), + "homeserver": "https://matrix.sophies-kitchen.eu", + "user_id": "@dimension:sophies-kitchen.eu", }, }, - 'matrix-synapse': { - 'server_name': 'sophies-kitchen.eu', - 'baseurl': 'matrix.sophies-kitchen.eu', - 'admin_contact': 'mailto:foobar@sophies-kitchen.eu', - 'trusted_key_servers': { - 'matrix.org', + "matrix-synapse": { + "server_name": "sophies-kitchen.eu", + "baseurl": "matrix.sophies-kitchen.eu", + "admin_contact": "mailto:foobar@sophies-kitchen.eu", + "trusted_key_servers": { + "matrix.org", }, }, - 'mautrix-telegram': { - 'version': 'v0.15.2', - 'homeserver': { - 'domain': 'sophies-kitchen.eu', - 'url': 'https://matrix.sophies-kitchen.eu', + "mautrix-telegram": { + "version": "v0.15.2", + "homeserver": { + "domain": "sophies-kitchen.eu", + "url": "https://matrix.sophies-kitchen.eu", }, - 'provisioning': { - 'enabled': False, - 'shared_secret': '""', + "provisioning": { + "enabled": False, + "shared_secret": '""', }, - 'permissions': { - 'sophies-kitchen.eu': 'full', - "'@sophie:sophies-kitchen.eu'": 'admin', + "permissions": { + "sophies-kitchen.eu": "full", + "'@sophie:sophies-kitchen.eu'": "admin", }, - 'telegram': { - 'api_id': vault.decrypt('encrypt$gAAAAABgnqdXhCTwtCXJhSaCZsiNfHPtjwlYtV1sUAux7JZdejN3xItU9RJLeNu4gUniv36XbBoxKwVtqqyV3RcAs-PgumcfYQ=='), - 'api_token': vault.decrypt('encrypt$gAAAAABgnqd5IdpYRmW-C4ONBSXQfiJrpTVQX0rP0eKoDnLnVTLg-5olSjcw2gVvEKWLnsGEZIgVcG7yEs-sqYRxeiQLFFpSn-Z4We0mhj0CUeFoD-eXJsp-bAgLv9PJoMv5Gjb8r9i6'), - 'bot_token': '""', + "telegram": { + "api_id": vault.decrypt( + "encrypt$gAAAAABgnqdXhCTwtCXJhSaCZsiNfHPtjwlYtV1sUAux7JZdejN3xItU9RJLeNu4gUniv36XbBoxKwVtqqyV3RcAs-PgumcfYQ==" + ), + "api_token": vault.decrypt( + "encrypt$gAAAAABgnqd5IdpYRmW-C4ONBSXQfiJrpTVQX0rP0eKoDnLnVTLg-5olSjcw2gVvEKWLnsGEZIgVcG7yEs-sqYRxeiQLFFpSn-Z4We0mhj0CUeFoD-eXJsp-bAgLv9PJoMv5Gjb8r9i6" + ), + 
"bot_token": '""', }, }, - 'nameservers': { - '213.133.98.98', - '213.133.99.99', - '213.133.100.100', - '2a01:4f8:0:1::add:1010', - '2a01:4f8:0:1::add:9999', - '2a01:4f8:0:1::add:9898', + "nameservers": { + "213.133.98.98", + "213.133.99.99", + "213.133.100.100", + "2a01:4f8:0:1::add:1010", + "2a01:4f8:0:1::add:9999", + "2a01:4f8:0:1::add:9898", }, - 'nftables': { - 'input': { - '50-sophie-weechat': [ - 'udp dport { 60000-61000 } accept', - 'tcp dport 9001 accept', + "nftables": { + "input": { + "50-sophie-weechat": [ + "udp dport { 60000-61000 } accept", + "tcp dport 9001 accept", ], }, }, - 'nginx': { - 'vhosts': { - 'sophies-kitchen.eu': { - 'webroot': '/var/www/sophies-kitchen.eu/_site/', - 'extras': True, + "nginx": { + "vhosts": { + "sophies-kitchen.eu": { + "webroot": "/var/www/sophies-kitchen.eu/_site/", + "extras": True, }, - 'matrix-synapse': { - 'domain': 'matrix.sophies-kitchen.eu', + "matrix-synapse": { + "domain": "matrix.sophies-kitchen.eu", }, - 'webdump.sophies-kitchen.eu': { - 'webroot_config': { - 'owner': 'sophie', - 'group': 'sophie', - 'mode': '0755', + "webdump.sophies-kitchen.eu": { + "webroot_config": { + "owner": "sophie", + "group": "sophie", + "mode": "0755", }, - 'extras': True, + "extras": True, }, - 'recipes.sophies-kitchen.eu': { - 'webroot_config': { - 'owner': 'sophie', - 'group': 'sophie', - 'mode': '0755', + "recipes.sophies-kitchen.eu": { + "webroot_config": { + "owner": "sophie", + "group": "sophie", + "mode": "0755", }, }, }, }, - 'nodejs': { - 'version': 20, + "nodejs": { + "version": 20, }, - 'ntfy': { - 'domain': 'ntfy.sophies-kitchen.eu', - 'allow_unauthorized_write': True, + "ntfy": { + "domain": "ntfy.sophies-kitchen.eu", + "allow_unauthorized_write": True, }, - 'postgresql': { - 'version': '11', + "postgresql": { + "version": "11", }, - 'sysctl': { - 'options': { + "sysctl": { + "options": { # XXX find out if this is really needed - 'net.ipv4.conf.all.forwarding': '1', - 'net.ipv6.conf.all.forwarding': '1', + 
"net.ipv4.conf.all.forwarding": "1", + "net.ipv6.conf.all.forwarding": "1", }, }, - 'vm': { - 'cpu': 2, - 'ram': 4, + "vm": { + "cpu": 2, + "ram": 4, }, - 'users': { - 'sophie': { - 'enable_linger': True, - 'ssh_pubkey': [ + "users": { + "sophie": { + "enable_linger": True, + "ssh_pubkey": [ "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDILcYrMQNRVXAm5L+7No1ZumqfCyRc1QZmTY3O7Q8hsE4+fCAvwsWm2aSMfLL3NnIl8Nm1Rixzic5jdYKYNIY3SlX1wvTB+MhGb2eyVSd7c/Y98aCLSlDkQ2sebjpdA1FoJOeGD3qxqDwj0+KckXU2ZaSSQY7CxVsjH65UxCHqVAg+6uLdNbj7j850s1B9NXVXef+sBQ5jUngXxnqQWwNh2Mn8auwumkeEG4SYf96wyFkLvmBitOng/GyLWl9YPnXXHHDnatcVipy7y34qw4CQ4P84anecbA+Bqr9IcxBW6qYmYgRKEnAcmEfjQd+BI1gCLB1BBEmb/qp+mVLd4tOh sophie@carbon" ], }, }, - 'zfs': { + "zfs": { "datasets": { "tank/webdump": { "mountpoint": "/var/www/webdump.sophies-kitchen.eu", - "needed_by": [ - "directory:/var/www/webdump.sophies-kitchen.eu" - ] + "needed_by": ["directory:/var/www/webdump.sophies-kitchen.eu"], } }, - 'pools': { - 'tank': { - 'when_creating': { - 'config': [{ - 'devices': { - '/dev/disk/by-id/scsi-0HC_Volume_23952298', - }, - }] + "pools": { + "tank": { + "when_creating": { + "config": [ + { + "devices": { + "/dev/disk/by-id/scsi-0HC_Volume_23952298", + }, + } + ] }, }, }, From 9c382ed8f59ac49837c75909e2e2ec816875ee08 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Mon, 2 Dec 2024 20:17:54 +0100 Subject: [PATCH 028/181] bundles/systemd: move timezone information to metadata defaults --- bundles/systemd/items.py | 2 +- bundles/systemd/metadata.py | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/bundles/systemd/items.py b/bundles/systemd/items.py index c8ecbd9..005696e 100644 --- a/bundles/systemd/items.py +++ b/bundles/systemd/items.py @@ -1,4 +1,4 @@ -timezone = node.metadata.get('timezone', 'UTC') +timezone = node.metadata.get('timezone') actions['systemd-reload'] = { 'command': 'systemctl daemon-reload', diff --git a/bundles/systemd/metadata.py b/bundles/systemd/metadata.py index 15f9b8a..76f2016 100644 
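Review bot: `"map_style_url"` embeds a MapTiler API key (`?key=…`) as a plain string while every other credential in this node (`access_token`, `api_id`, `api_token`) goes through `vault.decrypt`; element-web delivers its config to every browser, so the key is public by design, which makes the provider-side restriction (allowed origins or quota on the MapTiler account, whichever the provider offers) the only real control, and that is worth confirming. A comment such as `# public client-side key; rely on provider-side origin/quota restriction, not secrecy` would stop the next reader from either vaulting it or reusing it elsewhere. Separately, the `sysctl` block still enables `net.ipv4.conf.all.forwarding` and `net.ipv6.conf.all.forwarding` on a host with a public address under the note `# XXX find out if this is really needed`; a whole-file rewrite is a good moment to resolve that and drop the two lines if nothing routes through this VM. The `nodes["htz-cloud.miniserver"]` dictionary closes after the hunk's last line.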
--- a/bundles/systemd/metadata.py
+++ b/bundles/systemd/metadata.py
@@ -21,6 +21,7 @@ defaults = {
 },
 },
 },
+ 'timezone': 'UTC',
 }
 if not node.has_bundle('rsyslogd'):
From 77b2d02e6631b0d785ecedad1eafc343a33c4c59 Mon Sep 17 00:00:00 2001
From: Sophie Schiller
Date: Sat, 7 Dec 2024 22:41:10 +0100
Subject: [PATCH 029/181] sophie.unbound: new node
---
 nodes/sophie/unbound.py | 32 ++++++++++++++++++++++++++++++++
 1 file changed, 32 insertions(+)
 create mode 100644 nodes/sophie/unbound.py
diff --git a/nodes/sophie/unbound.py b/nodes/sophie/unbound.py
new file mode 100644
index 0000000..e0cb10d
--- /dev/null
+++ b/nodes/sophie/unbound.py
@@ -0,0 +1,32 @@
+nodes["sophie.unbound"] = {
+ "hostname": "172.19.164.4",
+ "bundles": {
+ "unbound",
+ },
+ "groups": {
+ "debian-bookworm",
+ },
+ "metadata": {
+ "interfaces": {
+ "enp1s0": {
+ "ips": {
+ "172.19.164.4/24",
+ "fe80::4/64",
+ },
+ "gateway4": "172.19.164.1",
+ "ipv6_accept_ra": True,
+ },
+ },
+ "vm": {
+ "cpu": 2,
+ "ram": 2,
+ },
+ "unbound": {
+ "dns64": False,
+ "restrict-to": {
+ "172.19.164.0/24",
+ "fe80::/64",
+ },
+ },
+ },
+}
From c03690fe88eb997e583aed16266dc3ec1f9bdf8e Mon Sep 17 00:00:00 2001
From: Franziska Kunsmann
Date: Sun, 8 Dec 2024 14:10:59 +0100
Subject: [PATCH 030/181] bundles/pacman: always use linux-lts please
---
 bundles/pacman/files/pacman.conf | 14 +-------------
 bundles/pacman/items.py | 8 ++------
 bundles/pacman/metadata.py | 1 +
 bundles/zfs/items.py | 3 +++
 bundles/zfs/metadata.py | 27 ++++++---------------------
 nodes/kunsi-p14s.py | 8 ++++----
 6 files changed, 17 insertions(+), 44 deletions(-)
diff --git a/bundles/pacman/files/pacman.conf b/bundles/pacman/files/pacman.conf
index 834108e..7fb4e48 100644
--- a/bundles/pacman/files/pacman.conf
+++ b/bundles/pacman/files/pacman.conf 
@@ -32,21 +32,9 @@ Include = /etc/pacman.d/mirrorlist
 Server = ${node.metadata.get('pacman/repository')}
 Include = /etc/pacman.d/mirrorlist
 % endif
-% if node.metadata.get('pacman/enable_aurto', True):
+% if node.metadata.get('pacman/enable_aurto'):
 [aurto]
 Server = https://aurto.kunbox.net/
 SigLevel = Optional TrustAll
 % endif
-% if node.has_bundle('zfs'):
-
-[archzfs]
-Server = http://archzfs.com/archzfs/x86_64
-
-% if node.metadata.get('pacman/linux-lts', False):
-[zfs-linux-lts]
-% else:
-[zfs-linux]
-% endif
-Server = http://kernels.archzfs.com/$repo/
-% endif
diff --git a/bundles/pacman/items.py b/bundles/pacman/items.py
index 9f80ca7..fe4f605 100644
--- a/bundles/pacman/items.py
+++ b/bundles/pacman/items.py
@@ -33,6 +33,7 @@ svc_systemd['paccache.timer'] = {
 }
 pkg_pacman = {
+ 'acpi_call-lts': {},
 'at': {},
 'autoconf': {},
 'automake': {},
@@ -61,6 +62,7 @@ pkg_pacman = {
 'ldns': {},
 'less': {},
 'libtool': {},
+ 'linux-lts': {},
 'logrotate': {},
 'lsof': {},
 'm4': {},
@@ -102,12 +104,6 @@ pkg_pacman = {
 'zip': {},
 }
-if node.metadata.get('pacman/linux-lts', False):
- pkg_pacman['linux-lts'] = {}
- pkg_pacman['acpi_call-lts'] = {}
-else:
- pkg_pacman['linux'] = {}
- pkg_pacman['acpi_call'] = {}
 for pkg, config in node.metadata.get('pacman/packages', {}).items():
 pkg_pacman[pkg] = config
diff --git a/bundles/pacman/metadata.py b/bundles/pacman/metadata.py
index fb69a04..1c60981 100644
--- a/bundles/pacman/metadata.py
+++ b/bundles/pacman/metadata.py
@@ -4,6 +4,7 @@ defaults = {
 'glibc',
 'pacman',
 },
+ 'enable_aurto': True,
 'no_extract': {
 'etc/cron.d/0hourly',
 # don't install systemd-homed pam module. It produces a lot of spam in
diff --git a/bundles/zfs/items.py b/bundles/zfs/items.py
index c63250e..8b13f4b 100644
--- a/bundles/zfs/items.py
+++ b/bundles/zfs/items.py 
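Review bot: With the archzfs repositories removed, the `zfs-linux-lts` kernel module that `bundles/zfs` now requires (the `assert node.metadata.get('pacman/enable_aurto')` in the next hunk) is served only from `[aurto]`, whose retained `SigLevel = Optional TrustAll` line accepts packages that carry no signature, so the integrity of a kernel module now rests on TLS to aurto.kunbox.net alone. If the aurto builds are signed, tighten the block to `SigLevel = Required DatabaseOptional` with the signing key in the pacman keyring; if they are not, a comment such as `# aurto packages are unsigned; integrity relies on TLS to aurto.kunbox.net only` should record the accepted risk next to the line. Note also that `enable_aurto` now defaults to `True` in `bundles/pacman/metadata.py`, so every pacman node, not only zfs hosts, enables this repository.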
@@ -2,6 +2,9 @@ from json import dumps
 from bundlewrap.metadata import MetadataJSONEncoder
+if node.has_bundle('pacman'):
+ assert node.metadata.get('pacman/enable_aurto'), f'{node.name}: bundle:zfs needs aurto for zfs-linux-lts package'
+
 files = {
 '/etc/modprobe.d/zfs.conf': {
 'source': 'zfs-modprobe.conf',
diff --git a/bundles/zfs/metadata.py b/bundles/zfs/metadata.py
index 01ed900..4191834 100644
--- a/bundles/zfs/metadata.py
+++ b/bundles/zfs/metadata.py
@@ -48,6 +48,12 @@ defaults = {
 'etc/sudoers.d/zfs',
 },
 'packages': {
+ 'zfs-linux-lts': {
+ 'needed_by': {
+ 'zfs_dataset:',
+ 'zfs_pool:',
+ },
+ },
 'zfs-utils': {
 'needed_by': {
 'svc_systemd:zfs-zed',
@@ -121,27 +127,6 @@ if node.has_bundle('telegraf'):
 }
-@metadata_reactor.provides(
- 'pacman/packages',
-)
-def packages(metadata):
- if node.metadata.get('pacman/linux-lts', False):
- pkgname = 'zfs-linux-lts'
- else:
- pkgname = 'zfs-linux'
- return {
- 'pacman': {
- 'packages': {
- pkgname: {
- 'needed_by': {
- 'zfs_dataset:',
- 'zfs_pool:',
- },
- },
- },
- },
- }
-
 @metadata_reactor.provides(
 'apt/packages',
 )
diff --git a/nodes/kunsi-p14s.py b/nodes/kunsi-p14s.py
index b94f2b0..385cf3f 100644
--- a/nodes/kunsi-p14s.py
+++ b/nodes/kunsi-p14s.py
@@ -115,10 +115,10 @@ nodes['kunsi-p14s'] = {
 'entries': {
 'arch': {
 'title': 'Arch Linux',
- 'linux': '/vmlinuz-linux',
+ 'linux': '/vmlinuz-linux-lts',
 'initrd': [
 '/amd-ucode.img',
- '/initramfs-linux.img',
+ '/initramfs-linux-lts.img',
 ],
 'options': {
 'net.ifnames=0',
@@ -128,9 +128,9 @@ nodes['kunsi-p14s'] = {
 },
 'arch-fallback': {
 'title': 'Arch Linux (no ucode, fallback initramfs)',
- 'linux': '/vmlinuz-linux',
+ 'linux': '/vmlinuz-linux-lts',
 'initrd': [
- '/initramfs-linux-fallback.img',
+ '/initramfs-linux-lts-fallback.img',
 ],
 'options': {
 'net.ifnames=0',
From c084048905a0c3e51ffb30c30f622a770f1514c2 Mon Sep 17 00:00:00 2001 
From: Franziska Kunsmann
Date: Sun, 8 Dec 2024 14:18:40 +0100
Subject: [PATCH 031/181] home.nas: add samba share for various TV streams
---
 nodes/home/nas.py | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/nodes/home/nas.py b/nodes/home/nas.py
index 741fa75..c9b630e 100644
--- a/nodes/home/nas.py
+++ b/nodes/home/nas.py
@@ -177,6 +177,10 @@ nodes['home.nas'] = {
 },
 'samba': {
 'shares': {
+ 'TV': {
+ 'path': '/storage/nas/TV',
+ 'force_group': 'nas',
+ },
 'music': {
 'path': '/storage/nas/Musik',
 'force_group': 'nas',
From e55f32bfb6562549de7d66187b12045991c9bd78 Mon Sep 17 00:00:00 2001
From: Franziska Kunsmann
Date: Sun, 8 Dec 2024 15:49:19 +0100
Subject: [PATCH 032/181] use device serial if description is not set
---
 bundles/infobeamer-monitor/files/monitor.py | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/bundles/infobeamer-monitor/files/monitor.py b/bundles/infobeamer-monitor/files/monitor.py
index e5755c2..01ffe29 100644
--- a/bundles/infobeamer-monitor/files/monitor.py
+++ b/bundles/infobeamer-monitor/files/monitor.py
@@ -40,7 +40,10 @@ def mqtt_out(message, level="INFO", device=None):
 key = "infobeamer"
 if device:
 key += f"/{device['id']}"
- message = f"[{device['description']}] {message}"
+ if device["description"]:
+ message = f"[{device['description']}] {message}"
+ else:
+ message = f"[{device['serial']}] {message}"
 client.publish(
 CONFIG["mqtt"]["topic"],
From 316ba1c1c6fabb1417b53ab1816b792765416b4f Mon Sep 17 00:00:00 2001
From: Franziska Kunsmann
Date: Sun, 8 Dec 2024 15:52:54 +0100
Subject: [PATCH 033/181] voc.infobeamer-cms: room names
---
 nodes/voc/infobeamer-cms.py | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)
diff --git a/nodes/voc/infobeamer-cms.py b/nodes/voc/infobeamer-cms.py
index ceebc9e..c610345 100644
--- a/nodes/voc/infobeamer-cms.py
+++ b/nodes/voc/infobeamer-cms.py 
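Review bot: The new fallback in `mqtt_out` reads `device["serial"]` with a bare subscript, so a device record that lacks that key turns the missing-description case into a `KeyError` inside the very function that reports problems, and the `if device["description"]:` test itself still raises if `description` is absent rather than empty; the API record shape is not visible here, so treat this as a hedge. Collapsing the branch to `label = device.get("description") or device.get("serial") or device["id"]` followed by `message = f"[{label}] {message}"` covers both cases and falls back to the id that the `key` line above already relies on. `mqtt_out` continues past the hunk.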
@@ -72,11 +72,12 @@ nodes['voc.infobeamer-cms'] = { }, }, 'rooms': { - 'Saal 1': 34430, - 'Saal G': 26598, - 'Saal Z': 26610, - 'Saal E (SoS/Lightning-Talks)': 32814, - 'Saal F (Sendezentrum/DLF)': 9717, + 'Saal 1': 34430, # s1 + 'Saal GLITCH': 37731, # s2 + 'Saal ZIGZAG': 26610, # s3 + 'Saal HUFF': 38641, # s4 + 'Saal YELL': 38642, # s5 + 'Sendezentrum': 35042, # s6 }, 'interrupts': { 'Questions': 'questions', From bd2662b87ae085f2753ee229601a98130e911b80 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Thu, 12 Dec 2024 11:02:14 +0100 Subject: [PATCH 034/181] update travelynx to 2.9.6 --- nodes/carlene.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nodes/carlene.toml b/nodes/carlene.toml index b0f1593..f027fcd 100644 --- a/nodes/carlene.toml +++ b/nodes/carlene.toml @@ -262,7 +262,7 @@ disks = [ ] [metadata.travelynx] -version = "2.9.2" +version = "2.9.6" mail_from = "travelynx@franzi.business" domain = "travelynx.franzi.business" From 58304bf5c6aeacc9fd3c3fb0d94f6f69d9aff6c5 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Wed, 18 Dec 2024 10:43:35 +0100 Subject: [PATCH 035/181] voc.infobeamer-cms: add evilscientress and stblassitude --- nodes/voc/infobeamer-cms.py | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/nodes/voc/infobeamer-cms.py b/nodes/voc/infobeamer-cms.py index c610345..2e4e8cb 100644 --- a/nodes/voc/infobeamer-cms.py +++ b/nodes/voc/infobeamer-cms.py @@ -29,6 +29,7 @@ nodes['voc.infobeamer-cms'] = { 'event_duration_days': 5, 'config': { 'ADMIN_USERS': [ + 'evilscientress', 'hexchen', 'jbeyerstedt', 'jwacalex', 
@@ -36,6 +37,9 @@ nodes['voc.infobeamer-cms'] = { 'sophieschi', 'v0tti', ], + 'NO_LIMIT_USERS': [ + 'stblassitude', + ], 'GITHUB_CLIENT_ID': vault.decrypt('encrypt$gAAAAABiNwHfIu9PYFfJrF7qirn_9vdvvUlEhJnadoNSS5XlCDbI_aMyj21_ZYQxaCkc6_eVX6Cj1jEHZ7Vs6wM-XyQdW0nUOahtqG4uvnYCiM3GFKHW_wQ='), 'GITHUB_CLIENT_SECRET': vault.decrypt('encrypt$gAAAAABiNwHtdZC2XQ8IjosL7vsmrxZMwDIM6AD5dUlLo996tJs4qV7KJETHgYYZil2aMzClwhcE6JmxdhARRp7IJQ4rQQibelTNmyYSzj_V4puVpvma7SU0UZkTIG95SdPpoHY--Zba'), 'HOSTED_API_KEY': vault.decrypt('encrypt$gAAAAABhxJPH2sIGMAibU2Us1HoCVlNfF0SQQnVl0eiod48Zu8webL_-xk3wDw3yXw1Hkglj-2usl-D3Yd095yTSq0vZMCv2fh-JWwSPdJewQ45x9Ai4vXVD4CNz5vuJBESKS9xQWXTc'), From 2f73aae13b42a3b37b815e906b6aa63ce8a483a5 Mon Sep 17 00:00:00 2001 From: Sophie Schiller Date: Thu, 19 Dec 2024 03:15:27 +0100 Subject: [PATCH 036/181] bw/ssl new cert for home.sophie --- data/ssl/_.home.sophies-kitchen.eu.crt.pem | 38 +++++++++---------- ...me.sophies-kitchen.eu.crt_intermediate.pem | 36 +++++++++--------- .../_.home.sophies-kitchen.eu.key.pem.vault | 2 +- 3 files changed, 38 insertions(+), 38 deletions(-) diff --git a/data/ssl/_.home.sophies-kitchen.eu.crt.pem b/data/ssl/_.home.sophies-kitchen.eu.crt.pem index df6ad40..c0e1bad 100644 --- a/data/ssl/_.home.sophies-kitchen.eu.crt.pem +++ b/data/ssl/_.home.sophies-kitchen.eu.crt.pem 
@@ -1,23 +1,23 @@ -----BEGIN CERTIFICATE----- -MIIDxjCCA0ygAwIBAgISBIbwgyWchKDri2pD+Lk46M3eMAoGCCqGSM49BAMDMDIx +MIIDxzCCA02gAwIBAgISA1HOrGT03Yk2QXIKpt4i5P2mMAoGCCqGSM49BAMDMDIx CzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQDEwJF -NTAeFw0yNDA5MTkxOTQ5NDFaFw0yNDEyMTgxOTQ5NDBaMCIxIDAeBgNVBAMTF2hv -bWUuc29waGllcy1raXRjaGVuLmV1MHYwEAYHKoZIzj0CAQYFK4EEACIDYgAE4rKd -PfAtfQts90WjdnsscizZzlUF/HZBx97kT4/eWgyU/MNOFGF4WqGA92OX0ymZVJ7l -D4CnHq96odx0LqHBQ+W+MXNlsWnwBTUOPKp8XyUeDhZbkgNJDR8nGtHje9a8o4IC -MzCCAi8wDgYDVR0PAQH/BAQDAgeAMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEF -BQcDAjAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBSONIAWFPI0mqJYBqnWk1J0Ea27 -sDAfBgNVHSMEGDAWgBSfK1/PPCFPnQS37SssxMZwi9LXDTBVBggrBgEFBQcBAQRJ -MEcwIQYIKwYBBQUHMAGGFWh0dHA6Ly9lNS5vLmxlbmNyLm9yZzAiBggrBgEFBQcw -AoYWaHR0cDovL2U1LmkubGVuY3Iub3JnLzA9BgNVHREENjA0ghkqLmhvbWUuc29w +NjAeFw0yNDEyMTkwMTE2MTdaFw0yNTAzMTkwMTE2MTZaMCIxIDAeBgNVBAMTF2hv +bWUuc29waGllcy1raXRjaGVuLmV1MHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEKI2X +YK5pxQUcBjOYQwH6OQBEaj2kVhtj1BgRXXrap/U3Zi9M1oKpDk22husbUDS4fACo +IFAsNYbFi15ayAwvkkcWEe4VkgYEdPVJes3XnkL1YOGzUpT9+eC6VbjCxjfdo4IC +NDCCAjAwDgYDVR0PAQH/BAQDAgeAMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEF +BQcDAjAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBRQB7GGtPhw9dPLCx28NgPOq+Wa +jjAfBgNVHSMEGDAWgBSTJ0aYA6lRaI6Y1sRCSNsjv1iU0jBVBggrBgEFBQcBAQRJ +MEcwIQYIKwYBBQUHMAGGFWh0dHA6Ly9lNi5vLmxlbmNyLm9yZzAiBggrBgEFBQcw +AoYWaHR0cDovL2U2LmkubGVuY3Iub3JnLzA9BgNVHREENjA0ghkqLmhvbWUuc29w aGllcy1raXRjaGVuLmV1ghdob21lLnNvcGhpZXMta2l0Y2hlbi5ldTATBgNVHSAE -DDAKMAgGBmeBDAECATCCAQMGCisGAQQB1nkCBAIEgfQEgfEA7wB1AEiw42vapkc0 -D+VqAvqdMOscUgHLVt0sgdm7v6s52IRzAAABkgwK350AAAQDAEYwRAIga5zPs7YZ -mJqbxhinEJKKQ9XCe1w/MhBzFMzwHFGbaPgCIHeprkwET14Y3h5dmUF7szwTg1Ey -zqLM+GQL3t7EAX2cAHYAPxdLT9ciR1iUHWUchL4NEu2QN38fhWrrwb8ohez4ZG4A -AAGSDArfogAABAMARzBFAiEA0faR1cyqpmCyHo/0KCv04fkpwgzWdMY+WopJXDLD -zz8CIEBKANatmiRstc5D69jKhq2beHldLZB3jRfm1WlWqmxJMAoGCCqGSM49BAMD -A2gAMGUCMCrpe2jxoTH410jNJPOnbN4ae0Ng54JtRNcFWHlcwpk07NrByJSTPWDd 
-zr7AYsbbVQIxAOGboJcIxsuf+rN30iWoe5KwCY3sd5XW8bEKFQnugIVHxAQKnHNc -0InWz2sVWYKNBA== +DDAKMAgGBmeBDAECATCCAQQGCisGAQQB1nkCBAIEgfUEgfIA8AB3AKLjCuRF772t +m3447Udnd1PXgluElNcrXhssxLlQpEfnAAABk9yyNhIAAAQDAEgwRgIhAOsCeRvZ +GUN1z2lGajkrKcCtffuDhwNRPAIN2we+oXuzAiEA7XeLDROcGGcOYUMin5xKE+qr +XwitlCEyUejC5xKJm1QAdQDM+w9qhXEJZf6Vm1PO6bJ8IumFXA2XjbapflTA/kwN +sAAAAZPcsjYwAAAEAwBGMEQCIFRahCu7PZCNkSF6+oyB3MAWoLQYmjlDXxeI91E0 +QfOkAiBGaToUTmM1n16nkX0hMVhNm7icCFojHkNCUzfSJ0wk8zAKBggqhkjOPQQD +AwNoADBlAjAgbshjfMt0K8pG2NzhVW1m/es3HJEtK4QGAe/BR5lgjLy1bJG/iLr9 +eXPh4xACg5wCMQDx7cF2C2T06e9ogshtJGODQSM9tGHbtt2rpAbUAzWNZgu+F3XL +mwaSjFAL7mBYSMM= -----END CERTIFICATE----- diff --git a/data/ssl/_.home.sophies-kitchen.eu.crt_intermediate.pem b/data/ssl/_.home.sophies-kitchen.eu.crt_intermediate.pem index 59039ae..4652201 100644 --- a/data/ssl/_.home.sophies-kitchen.eu.crt_intermediate.pem +++ b/data/ssl/_.home.sophies-kitchen.eu.crt_intermediate.pem 
@@ -1,27 +1,27 @@ -----BEGIN CERTIFICATE----- -MIIEVzCCAj+gAwIBAgIRAIOPbGPOsTmMYgZigxXJ/d4wDQYJKoZIhvcNAQELBQAw +MIIEVzCCAj+gAwIBAgIRALBXPpFzlydw27SHyzpFKzgwDQYJKoZIhvcNAQELBQAw TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMjQwMzEzMDAwMDAw WhcNMjcwMzEyMjM1OTU5WjAyMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNTGV0J3Mg -RW5jcnlwdDELMAkGA1UEAxMCRTUwdjAQBgcqhkjOPQIBBgUrgQQAIgNiAAQNCzqK -a2GOtu/cX1jnxkJFVKtj9mZhSAouWXW0gQI3ULc/FnncmOyhKJdyIBwsz9V8UiBO -VHhbhBRrwJCuhezAUUE8Wod/Bk3U/mDR+mwt4X2VEIiiCFQPmRpM5uoKrNijgfgw +RW5jcnlwdDELMAkGA1UEAxMCRTYwdjAQBgcqhkjOPQIBBgUrgQQAIgNiAATZ8Z5G +h/ghcWCoJuuj+rnq2h25EqfUJtlRFLFhfHWWvyILOR/VvtEKRqotPEoJhC6+QJVV +6RlAN2Z17TJOdwRJ+HB7wxjnzvdxEP6sdNgA1O1tHHMWMxCcOrLqbGL0vbijgfgw gfUwDgYDVR0PAQH/BAQDAgGGMB0GA1UdJQQWMBQGCCsGAQUFBwMCBggrBgEFBQcD -ATASBgNVHRMBAf8ECDAGAQH/AgEAMB0GA1UdDgQWBBSfK1/PPCFPnQS37SssxMZw -i9LXDTAfBgNVHSMEGDAWgBR5tFnme7bl5AFzgAiIyBpY9umbbjAyBggrBgEFBQcB +ATASBgNVHRMBAf8ECDAGAQH/AgEAMB0GA1UdDgQWBBSTJ0aYA6lRaI6Y1sRCSNsj +v1iU0jAfBgNVHSMEGDAWgBR5tFnme7bl5AFzgAiIyBpY9umbbjAyBggrBgEFBQcB AQQmMCQwIgYIKwYBBQUHMAKGFmh0dHA6Ly94MS5pLmxlbmNyLm9yZy8wEwYDVR0g BAwwCjAIBgZngQwBAgEwJwYDVR0fBCAwHjAcoBqgGIYWaHR0cDovL3gxLmMubGVu -Y3Iub3JnLzANBgkqhkiG9w0BAQsFAAOCAgEAH3KdNEVCQdqk0LKyuNImTKdRJY1C -2uw2SJajuhqkyGPY8C+zzsufZ+mgnhnq1A2KVQOSykOEnUbx1cy637rBAihx97r+ -bcwbZM6sTDIaEriR/PLk6LKs9Be0uoVxgOKDcpG9svD33J+G9Lcfv1K9luDmSTgG -6XNFIN5vfI5gs/lMPyojEMdIzK9blcl2/1vKxO8WGCcjvsQ1nJ/Pwt8LQZBfOFyV -XP8ubAp/au3dc4EKWG9MO5zcx1qT9+NXRGdVWxGvmBFRAajciMfXME1ZuGmk3/GO -koAM7ZkjZmleyokP1LGzmfJcUd9s7eeu1/9/eg5XlXd/55GtYjAM+C4DG5i7eaNq -cm2F+yxYIPt6cbbtYVNJCGfHWqHEQ4FYStUyFnv8sjyqU8ypgZaNJ9aVcWSICLOI -E1/Qv/7oKsnZCWJ926wU6RqG1OYPGOi1zuABhLw61cuPVDT28nQS/e6z95cJXq0e -K1BcaJ6fJZsmbjRgD5p3mvEf5vdQM7MCEvU0tHbsx2I5mHHJoABHb8KVBgWp/lcX -GWiWaeOyB7RP+OfDtvi2OsapxXiV7vNVs7fMlrRjY1joKaqmmycnBvAq14AEbtyL -sVfOS66B8apkeFX2NY4XPEYV4ZSCe8VHPrdrERk2wILG3T/EGmSIkCYVUMSnjmJd -VQD9F6Na/+zmXCc= 
+Y3Iub3JnLzANBgkqhkiG9w0BAQsFAAOCAgEAfYt7SiA1sgWGCIpunk46r4AExIRc +MxkKgUhNlrrv1B21hOaXN/5miE+LOTbrcmU/M9yvC6MVY730GNFoL8IhJ8j8vrOL +pMY22OP6baS1k9YMrtDTlwJHoGby04ThTUeBDksS9RiuHvicZqBedQdIF65pZuhp +eDcGBcLiYasQr/EO5gxxtLyTmgsHSOVSBcFOn9lgv7LECPq9i7mfH3mpxgrRKSxH +pOoZ0KXMcB+hHuvlklHntvcI0mMMQ0mhYj6qtMFStkF1RpCG3IPdIwpVCQqu8GV7 +s8ubknRzs+3C/Bm19RFOoiPpDkwvyNfvmQ14XkyqqKK5oZ8zhD32kFRQkxa8uZSu +h4aTImFxknu39waBxIRXE4jKxlAmQc4QjFZoq1KmQqQg0J/1JF8RlFvJas1VcjLv +YlvUB2t6npO6oQjB3l+PNf0DpQH7iUx3Wz5AjQCi6L25FjyE06q6BZ/QlmtYdl/8 +ZYao4SRqPEs/6cAiF+Qf5zg2UkaWtDphl1LKMuTNLotvsX99HP69V2faNyegodQ0 +LyTApr/vT01YPE46vNsDLgK+4cL6TrzC/a4WcmF5SRJ938zrv/duJHLXQIku5v0+ +EwOy59Hdm0PT/Er/84dDV0CSjdR/2XuZM3kpysSKLgD1cKiDA+IRguODCxfO9cyY +Ig46v9mFmBvyH04= -----END CERTIFICATE----- diff --git a/data/ssl/_.home.sophies-kitchen.eu.key.pem.vault b/data/ssl/_.home.sophies-kitchen.eu.key.pem.vault index ce7b75d..4b79230 100644 --- a/data/ssl/_.home.sophies-kitchen.eu.key.pem.vault +++ b/data/ssl/_.home.sophies-kitchen.eu.key.pem.vault 
@@ -1 +1 @@ -encrypt$gAAAAABm7I7N50TwtCs2LUt_MArRJnLQ-xLFVhr-zDtdWUVMejViIN2O9h5d_RP45jWt5BpxIkTORarcULXprEXp7zbb-CR5CTwbsNK6HnvSHPwuwXuxJQKRJtT4wWfYEFOxY9aUR9gxvXc3arsYHwVsGyLOeWA_6YzjO5IpL1LfQrsJuUE_1p9sKRyPpslmOJtD5OihMtIfAJNzBDwOSE_gdtLa8iae3DHtSvmKbGKSvwQEZ0pkJxVTVXJY4wddQmdsuV0ky04ls_tUINH8t6IMTJCt_5_ELzpTSdcHgV6W4yh8r_LTEH38n2boYnz3fKgieHnDHDWxFW1EYA2JWjkamH7hQ8iOMl8bqQieFAENnYjF41iz6tSCjfxVyKt_OfJUAwMScVMhPsuaI_i_ZB0Ge6BLsMwkw0d3yw06CwRQ3N7PcPPJLhL_eQS3EuV7Y-7Vv64secplJJIkcFfm1t5zcGkkm4-pDw== \ No newline at end of file +encrypt$gAAAAABnY4Ga6MmpudhHnOVKVh3j6R071y-Bs6es3e3hNHkZP7Tfj6IomEhTSxWb_oG9HYZmhkadw66cmVRQcxp1wGChWWLye-ykadgy0xUCxGW3YmBWp4t--Yesvbjamaa5OlvDFWQVG5Zt4fsY7BloXRdio8XUdPKBkbi2MV0quvpqsFfOqr_ZmIOOkjLlZojfw9HQ7odM9lSAm8cVS5NXimOhA1ks_gK6CzJbzwhpbekCOcx5_sGhdb8XFUxLN-VBtmQ2HGIncou66rE1P3mBg2hDSyqiXapVMkqMjNoVM71V_5lUnAF7Lxce3nG72SnOe2oITnxRNcnaavxDEgd0ffM5revuCd-XWlaUW1iQrgSyQzJyD6Ukv-mM2IRpuoq79JdTZK_LNJkAmJozrGBT0c5ZwGVNLmZEcjQ1dk8jyYslF5s7rK1lmNvcTUaHGpFToXc1p-qFY8NNWj_Iu-MLE8PNrIscDg== \ No newline at end of file From 8f61fec65f069fecfa4ea117947eb909f8ed2c0e Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Fri, 20 Dec 2024 10:24:36 +0100 Subject: [PATCH 037/181] bundles/infobeamer-cms: ensure we have and use redis --- bundles/infobeamer-cms/metadata.py | 3 +++ 1 file changed, 3 insertions(+) diff --git a/bundles/infobeamer-cms/metadata.py b/bundles/infobeamer-cms/metadata.py index 9d602e0..f340e01 100644 --- a/bundles/infobeamer-cms/metadata.py +++ b/bundles/infobeamer-cms/metadata.py @@ -1,10 +1,13 @@ from datetime import datetime, timedelta +assert node.has_bundle('redis') + defaults = { 'infobeamer-cms': { 'config': { 'MAX_UPLOADS': 5, 'PREFERRED_URL_SCHEME': 'https', + 'REDIS_HOST': '127.0.0.1', 'SESSION_COOKIE_NAME': '__Host-sess', 'STATIC_PATH': '/opt/infobeamer-cms/static', 'URL_KEY': repo.vault.password_for(f'{node.name} infobeamer-cms url key'), From 6cd20c2e43195d6948b25e50859bd1552e8dd0fe Mon Sep 17 00:00:00 2001 
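Review bot: `REDIS_HOST` is the only Redis setting added, so the CMS will talk to whatever listens on 127.0.0.1 with the default port, database 0 and no credentials; `assert node.has_bundle('redis')` guarantees the bundle is present, not that it binds to loopback only or that nothing else on the node shares that keyspace. If the application honours a database index, a line such as `'REDIS_DB': 1,` beside `REDIS_HOST` (or a short comment stating that Redis on this node is dedicated to the CMS) would make the isolation assumption explicit. The `defaults` dict continues past the end of the hunk.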
From: Franziska Kunsmann Date: Fri, 20 Dec 2024 13:14:57 +0100 Subject: [PATCH 038/181] fix device names for s4, s5 and s6 --- nodes/voc/infobeamer-cms.py | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/nodes/voc/infobeamer-cms.py b/nodes/voc/infobeamer-cms.py index 2e4e8cb..023a589 100644 --- a/nodes/voc/infobeamer-cms.py +++ b/nodes/voc/infobeamer-cms.py @@ -79,9 +79,9 @@ nodes['voc.infobeamer-cms'] = { 'Saal 1': 34430, # s1 'Saal GLITCH': 37731, # s2 'Saal ZIGZAG': 26610, # s3 - 'Saal HUFF': 38641, # s4 - 'Saal YELL': 38642, # s5 - 'Sendezentrum': 35042, # s6 + 'Sendezentrum': 38641, # s4 + 'Stage YELL': 38642, # s5 + 'Stage HUFF': 35042, # s6 }, 'interrupts': { 'Questions': 'questions', From 12d179235e6ec74bbdb9f664a3fd1eb0726341a6 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 22 Dec 2024 04:59:29 +0100 Subject: [PATCH 039/181] bump nodejs versions --- bundles/element-web/metadata.py | 2 +- bundles/paperless-ng/metadata.py | 2 +- bundles/powerdnsadmin/metadata.py | 2 +- bundles/pretalx/metadata.py | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/bundles/element-web/metadata.py b/bundles/element-web/metadata.py index b68b481..5ee7449 100644 --- a/bundles/element-web/metadata.py +++ b/bundles/element-web/metadata.py @@ -20,7 +20,7 @@ def nodejs(metadata): if version >= (1, 11, 71): return { 'nodejs': { - 'version': 20, + 'version': 22, }, } else: diff --git a/bundles/paperless-ng/metadata.py b/bundles/paperless-ng/metadata.py index 91a18c6..6746616 100644 --- a/bundles/paperless-ng/metadata.py +++ b/bundles/paperless-ng/metadata.py @@ -34,7 +34,7 @@ defaults = { }, }, 'nodejs': { - 'version': 18, + 'version': 22, }, 'postgresql': { 'roles': { diff --git a/bundles/powerdnsadmin/metadata.py b/bundles/powerdnsadmin/metadata.py index e6f5014..c2b2c1e 100644 --- a/bundles/powerdnsadmin/metadata.py +++ b/bundles/powerdnsadmin/metadata.py 
@@ -14,7 +14,7 @@ defaults = {
 },
 },
 'nodejs': {
- 'version': 18,
+ 'version': 22,
 },
 'users': {
 'powerdnsadmin': {
diff --git a/bundles/pretalx/metadata.py b/bundles/pretalx/metadata.py
index 7bbad24..15b61e3 100644
--- a/bundles/pretalx/metadata.py
+++ b/bundles/pretalx/metadata.py
@@ -27,7 +27,7 @@ defaults = {
 },
 },
 'nodejs': {
- 'version': 18,
+ 'version': 22,
 },
 'pretalx': {
 'database': {
From 958ea3c9e3b10c4ea76663c317a9c50bb70c685f Mon Sep 17 00:00:00 2001
From: Franziska Kunsmann
Date: Sun, 22 Dec 2024 04:59:55 +0100
Subject: [PATCH 040/181] libs/tools: add option to only add private ips if system has only private ips
---
 libs/tools.py | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/libs/tools.py b/libs/tools.py
index 7a984df..4f98677 100644
--- a/libs/tools.py
+++ b/libs/tools.py
@@ -5,7 +5,7 @@ from bundlewrap.utils.text import bold, red
 from bundlewrap.utils.ui import io
-def resolve_identifier(repo, identifier, linklocal=False, only_physical=False):
+def resolve_identifier(repo, identifier, linklocal=False, only_physical=False, allow_private=True):
 """
 Try to resolve an identifier (group or node).
 Return a set of ip addresses valid for this identifier.
@@ -62,10 +62,15 @@ def resolve_identifier(repo, identifier, linklocal=False, only_physical=False):
 'ipv6': set(),
 }
+ has_public_ips = bool([ip for ip in found_ips if not ip.is_private])
+
 for ip in found_ips:
 if ip.is_link_local and not linklocal:
 continue
+ if ip.is_private and not allow_private and has_public_ips:
+ continue
+
 if isinstance(ip, IPv4Address):
 ip_dict['ipv4'].add(ip)
 else:
From 6f6b1932e2889fc024f562d98989481b198c5b78 Mon Sep 17 00:00:00 2001
From: Franziska Kunsmann
Date: Sun, 22 Dec 2024 05:03:54 +0100
Subject: [PATCH 041/181] bundles/pretalx: fix syntax error
---
 bundles/pretalx/items.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/bundles/pretalx/items.py b/bundles/pretalx/items.py
index 75e4c09..e6b22a4 100644
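Review bot: The docstring below the widened signature still says only what the function resolves, and `allow_private` — which can make private addresses vanish from the result — is undocumented, as are `linklocal` and `only_physical`. Add a sentence to the docstring such as `allow_private: if False, private addresses are dropped whenever the identifier also has a public one` so that callers feeding the result into firewall or ACL rules know when the private side disappears. The default `allow_private=True` keeps existing callers unchanged; the function body continues outside the hunk.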
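Review bot: `has_public_ips` uses `not ip.is_private` as a proxy for "publicly reachable", but the stdlib `ipaddress` module treats some ranges, notably shared address space 100.64.0.0/10, as neither private nor global, so a node whose only non-private address is a CGNAT address would be counted as public and, with `allow_private=False`, lose its private addresses from the result. `has_public_ips = any(ip.is_global for ip in found_ips)` states the intent and avoids materialising a throwaway list. The link-local skip above does not feed into `has_public_ips`; that is harmless because link-local ranges are private in `ipaddress`, but a one-line comment saying so would save the next reader the check. `resolve_identifier` begins before this hunk and returns after it.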
--- a/bundles/pretalx/items.py +++ b/bundles/pretalx/items.py @@ -116,7 +116,7 @@ svc_systemd = { 'pretalx-worker': { 'needs': { 'action:pretalx_install', - 'action:pretalx_migrate',, + 'action:pretalx_migrate', 'action:pretalx_rebuild', 'file:/etc/systemd/system/pretalx-worker.service', 'file:/opt/pretalx/pretalx.cfg', From 9ba35569d6702a939164dc9d26e3799a689e4e59 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 22 Dec 2024 05:25:44 +0100 Subject: [PATCH 042/181] home.hass: bump python version for home assistant --- nodes/home.hass.toml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/nodes/home.hass.toml b/nodes/home.hass.toml index 52a2388..afb204f 100644 --- a/nodes/home.hass.toml +++ b/nodes/home.hass.toml @@ -25,8 +25,8 @@ domain = 'hass.home.kunbox.net' api_secret = '!decrypt:encrypt$gAAAAABm9lNg_mNhyzb4S6WRtVRDmQFBnPpoCwyqMnilRrAFUXc-EDvv-nYXPbSIbjTf7ZReTPtqr8k3WrGPqiuqhJ60LVv4A5DMqT5c6hTVr4WbhP4DPEIPgfd5aq6U9_-H9WDyQYHKjnunLJEYtEREzmhTq3XsYeQ05DyE7hfnQ-zVoBb0CsAK7GdhihRTdvhXv2N9M04_rigyBP-roRcUgCqwyHuWJc0IPAyn3R4Mr43ZqgR2fn6dNV_YUVKn9c0nWxIwRnYy6Ff_Te9NoGVmXxkiNUX-90bBLKFiCzrRAtizxrTiQb2SRipaWbgOlV6wbMy2KNux' [metadata.pyenv] -version = 'v2.3.36' -python_versions = ["3.12.2"] +version = 'v2.4.23' +python_versions = ["3.13.1"] [metadata.nginx.vhosts.homeassistant] ssl = '_.home.kunbox.net' From 4124e6788f4b01cc8da361e90cb811f9996f5722 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 22 Dec 2024 11:32:35 +0100 Subject: [PATCH 043/181] bundles/infobeamer-monitor: sort by device id --- bundles/infobeamer-monitor/files/monitor.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/bundles/infobeamer-monitor/files/monitor.py b/bundles/infobeamer-monitor/files/monitor.py index 01ffe29..7646fa6 100644 --- a/bundles/infobeamer-monitor/files/monitor.py +++ b/bundles/infobeamer-monitor/files/monitor.py 
@@ -93,7 +93,7 @@ while True: ) else: new_state = {} - for device in ib_state: + for device in sorted(ib_state, key=lambda x: x["id"]): did = str(device["id"]) if did in new_state: From 54ccb5f44fbacdbccb7f75906f035fdfbf604fb1 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 22 Dec 2024 11:39:37 +0100 Subject: [PATCH 044/181] update element-web to 1.11.89 --- nodes/carlene.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nodes/carlene.toml b/nodes/carlene.toml index f027fcd..eb7dba7 100644 --- a/nodes/carlene.toml +++ b/nodes/carlene.toml @@ -40,7 +40,7 @@ imap_pass = "!bwpass_attr:t-online.de/franzi.kunsmann@t-online.de:imap" [metadata.element-web] url = "chat.franzi.business" -version = "v1.11.86" +version = "v1.11.89" [metadata.element-web.config] default_server_config.'m.homeserver'.base_url = "https://matrix.franzi.business" default_server_config.'m.homeserver'.server_name = "franzi.business" From c552dad9b4fb5e8d70b2c237ba4ebae211a8c522 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 22 Dec 2024 11:39:53 +0100 Subject: [PATCH 045/181] update forgejo to 9.0.3 --- nodes/carlene.toml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/nodes/carlene.toml b/nodes/carlene.toml index eb7dba7..9ca4691 100644 --- a/nodes/carlene.toml +++ b/nodes/carlene.toml @@ -49,8 +49,8 @@ defaultCountryCode = "DE" jitsi.preferredDomain = "meet.ffmuc.net" [metadata.forgejo] -version = "9.0.2" -sha1 = "5aecc64f93e8ef05c6d6f83d4b647bdb2c831d9f" +version = "9.0.3" +sha1 = "a04a8d5bee7321610d91da780a24e18f7407403c" domain = "git.franzi.business" enable_git_hooks = true install_ssh_key = true From ca72edd77511a4358c7767990f888081230ea469 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 22 Dec 2024 11:40:06 +0100 Subject: [PATCH 046/181] update mautrix-whatsapp to 0.11.2 --- nodes/carlene.toml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/nodes/carlene.toml b/nodes/carlene.toml index 9ca4691..2288222 100644 --- a/nodes/carlene.toml +++ b/nodes/carlene.toml @@ -114,8 +114,8 @@ provisioning.shared_secret = "!decrypt:encrypt$gAAAAABfVKflEMAi07C_QGP8cy97hF-4g "'@kunsi:franzi.business'" = "admin" [metadata.mautrix-whatsapp] -version = "v0.11.1" -sha1 = "ada2dc6acfd5cb15fae341266b383d3f6e8b42bd" +version = "v0.11.2" +sha1 = "0bd8ebef237473989c4e9658c72595e9f7c09d44" permissions."'@kunsi:franzi.business'" = "admin" [metadata.mautrix-whatsapp.homeserver] domain = "franzi.business" From 71705f8b231183e5cecbf584609a1c4e131585e0 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 22 Dec 2024 11:40:27 +0100 Subject: [PATCH 047/181] update netbox to 4.1.9 --- nodes/carlene.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nodes/carlene.toml b/nodes/carlene.toml index 2288222..85ac262 100644 --- a/nodes/carlene.toml +++ b/nodes/carlene.toml @@ -126,7 +126,7 @@ domain = "rss.franzi.business" [metadata.netbox] domain = "netbox.franzi.business" -version = "v4.1.7" +version = "v4.1.9" admins.kunsi = "hostmaster@kunbox.net" [metadata.nextcloud] From 17ff238b24125f6c8e6c7edb7d454db9e18d5fe9 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 22 Dec 2024 11:40:40 +0100 Subject: [PATCH 048/181] update postfixadmin to 3.3.15 --- nodes/carlene.toml | 2 +- nodes/htz-cloud/pirmasens.py | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/nodes/carlene.toml b/nodes/carlene.toml index 85ac262..6d90334 100644 --- a/nodes/carlene.toml +++ b/nodes/carlene.toml @@ -213,7 +213,7 @@ blocked_recipients = [ [metadata.postfixadmin] domain = "postfixadmin.franzi.business" setup_password = "!decrypt:encrypt$gAAAAABgnNGpAqUs--qBXII9ZPcHtxaELy9e2Dx9O44n4l0O4nMHPoIyaPW5HkvpQ2zWTlh5OfjjOgunRtE_voJuY0Kdtji37ixAnuL9ErOJ0LDY5QfMkNPUgPs5alwz1baqYq6rqJ7NDmB0gHraY46v5eG79R2EyQ==" -version = "3.3.14" +version = "3.3.15" [metadata.postgresql] version = 15 
diff --git a/nodes/htz-cloud/pirmasens.py b/nodes/htz-cloud/pirmasens.py index 46f4638..655f325 100644 --- a/nodes/htz-cloud/pirmasens.py +++ b/nodes/htz-cloud/pirmasens.py @@ -71,7 +71,7 @@ nodes['htz-cloud.pirmasens'] = { }, 'postfixadmin': { 'domain': 'mail.kunsmann.info', - 'version': '3.3.14', + 'version': '3.3.15', 'setup_password': vault.decrypt('encrypt$gAAAAABgnNGpAqUs--qBXII9ZPcHtxaELy9e2Dx9O44n4l0O4nMHPoIyaPW5HkvpQ2zWTlh5OfjjOgunRtE_voJuY0Kdtji37ixAnuL9ErOJ0LDY5QfMkNPUgPs5alwz1baqYq6rqJ7NDmB0gHraY46v5eG79R2EyQ=='), }, 'postgresql': { From 9395fcb7f5253ac75c557e264ad208b32bb3c999 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 22 Dec 2024 20:01:26 +0100 Subject: [PATCH 049/181] home.nas: rename zpool --- nodes/home/nas.py | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/nodes/home/nas.py b/nodes/home/nas.py index c9b630e..52a2bfd 100644 --- a/nodes/home/nas.py +++ b/nodes/home/nas.py @@ -264,7 +264,7 @@ nodes['home.nas'] = { 'zfs_arc_max_gb': 8, }, 'pools': { - 'storage': { + 'tank': { 'when_creating': { 'config': [ { @@ -321,22 +321,22 @@ nodes['home.nas'] = { 'encrypted/paperless': { 'mountpoint': '/media/paperless', }, - 'storage': { + 'tank': { 'primarycache': 'metadata', }, - 'storage/opt-yate': { + 'tank/opt-yate': { 'mountpoint': '/opt/yate', }, - 'storage/download': { + 'tank/download': { 'mountpoint': '/storage/download', }, - 'storage/nas': { + 'tank/nas': { 'acltype': 'off', 'atime': 'off', 'compression': 'off', 'mountpoint': '/media/nas_old', }, - 'storage/paperless': { + 'tank/paperless': { 'mountpoint': '/srv/paperless', }, }, @@ -359,19 +359,19 @@ nodes['home.nas'] = { 'weekly': 6, 'monthly': 24, }, - 'storage/download': { + 'tank/download': { 'hourly': 48, 'daily': 0, 'weekly': 0, 'monthly': 0, }, - 'storage/nas': { + 'tank/nas': { # juuuuuuuust to be sure. 'daily': 14, 'weekly': 6, 'monthly': 12, }, - 'storage/paperless': { + 'tank/paperless': { 'daily': 14, 'weekly': 6, 'monthly': 24, 
From 91432197e8fae83fbc133d1c113ae111dc88bd5d Mon Sep 17 00:00:00 2001
From: Franziska Kunsmann
Date: Sun, 22 Dec 2024 20:19:59 +0100
Subject: [PATCH 050/181] add bundle:avahi-daemon
---
 bundles/avahi-daemon/files/avahi-daemon.conf | 21 ++++++++++++++++++++
 bundles/avahi-daemon/items.py | 17 ++++++++++++++++
 bundles/avahi-daemon/metadata.py | 7 +++++++
 3 files changed, 45 insertions(+)
 create mode 100644 bundles/avahi-daemon/files/avahi-daemon.conf
 create mode 100644 bundles/avahi-daemon/items.py
 create mode 100644 bundles/avahi-daemon/metadata.py
diff --git a/bundles/avahi-daemon/files/avahi-daemon.conf b/bundles/avahi-daemon/files/avahi-daemon.conf
new file mode 100644
index 0000000..7a639fd
--- /dev/null
+++ b/bundles/avahi-daemon/files/avahi-daemon.conf
@@ -0,0 +1,21 @@
+[server]
+host-name=${node.name.split('.')[-1]}
+use-ipv4=yes
+use-ipv6=yes
+ratelimit-interval-usec=1000000
+ratelimit-burst=1000
+
+[wide-area]
+enable-wide-area=yes
+
+[publish]
+disable-publishing=no
+disable-user-service-publishing=no
+publish-hinfo=yes
+publish-workstation=no
+publish-aaaa-on-ipv4=yes
+publish-a-on-ipv6=no
+
+[reflector]
+
+[rlimits]
diff --git a/bundles/avahi-daemon/items.py b/bundles/avahi-daemon/items.py
new file mode 100644
index 0000000..74bcdd3
--- /dev/null
+++ b/bundles/avahi-daemon/items.py
@@ -0,0 +1,17 @@
+directories['/etc/avahi/services'] = {
+ 'purge': True,
+}
+
+files['/etc/avahi/avahi-daemon.conf'] = {
+ 'content_type': 'mako',
+ 'triggers': {
+ 'svc_systemd:avahi-daemon:restart',
+ },
+}
+
+svc_systemd['avahi-daemon'] = {
+ 'needs': {
+ 'file:/etc/avahi/avahi-daemon.conf',
+ 'pkg_apt:avahi-daemon',
+ },
+}
diff --git a/bundles/avahi-daemon/metadata.py b/bundles/avahi-daemon/metadata.py
new file mode 100644
index 0000000..b1400d9
--- /dev/null
+++ b/bundles/avahi-daemon/metadata.py
@@ -0,0 +1,7 @@
+defaults = {
+ 'apt': {
+ 'packages': {
+ 'avahi-daemon': {},
+ },
+ },
+}
From ab717f62e7bd57c179f55d6f6480660a96e196b1 Mon Sep 17 00:00:00 2001
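Review bot: `publish-hinfo=yes` makes avahi answer HINFO queries with the host's CPU architecture and operating system to everyone on the multicast segment, and nothing in this bundle consumes that record — the service files under `/etc/avahi/services` carry their own TXT records — so `publish-hinfo=no` is the safer default. `enable-wide-area=yes` turns on unicast DNS-SD lookups, which a host that only announces itself does not need; use `enable-wide-area=no` unless a consumer exists. The empty `[reflector]` section is harmless because reflection defaults to off, but a comment such as `# reflection deliberately left disabled` would stop a reader from assuming it is on.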
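Review bot: Nothing in the bundle opens 5353/udp for mDNS, while the samba bundle it is meant to serve carries a `firewall` reactor in its own metadata.py; on a node with a default-deny host firewall the announcements would never leave the box and the purged services directory would look configured but stay silent. If the firewall bundle is in use on the target nodes, add a matching `firewall` reactor here that admits `5353/udp` from the LAN only, or document in the bundle why none is needed.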
From: Franziska Kunsmann
Date: Sun, 22 Dec 2024 20:20:20 +0100
Subject: [PATCH 051/181] bundles/samba: add code to show up as time machine backup target
---
 bundles/samba/files/smb.conf | 28 +++++++++++++++++++++++++
 bundles/samba/files/timemachine.service | 21 +++++++++++++++++++
 bundles/samba/items.py | 26 +++++++++++++++++++++++
 bundles/samba/metadata.py | 27 ++++++++++++++++++++++++
 4 files changed, 102 insertions(+)
 create mode 100644 bundles/samba/files/timemachine.service
diff --git a/bundles/samba/files/smb.conf b/bundles/samba/files/smb.conf
index c9a7859..22905ee 100644
--- a/bundles/samba/files/smb.conf
+++ b/bundles/samba/files/smb.conf
@@ -13,6 +13,13 @@ map to guest = bad user
 load printers = no
 usershare allow guests = yes
 allow insecure wide links = yes
+min protocol = SMB2
+% if timemachine:
+vfs objects = fruit
+fruit:aapl = yes
+fruit:copyfile = yes
+fruit:model = MacSamba
+% endif
 % for name, opts in sorted(node.metadata.get('samba/shares', {}).items()):
 [${name}]
@@ -37,3 +44,24 @@ follow symlinks = yes
 wide links = yes
 % endif
 % endfor
+% for name in sorted(timemachine):
+
+[timemachine-${name}]
+comment = Time Machine backup for ${name}
+available = yes
+browseable = yes
+guest ok = no
+read only = false
+valid users = timemachine-${name}
+path = /srv/timemachine/${name}
+durable handles = yes
+vfs objects = catia fruit streams_xattr
+
+fruit:delete_empty_adfiles = yes
+fruit:metadata = stream
+fruit:posix_rename = yes
+fruit:time machine = yes
+fruit:time machine max size = 750G
+fruit:veto_appledouble = no
+fruit:wipe_intentionally_left_blank_rfork = yes
+% endfor
diff --git a/bundles/samba/files/timemachine.service b/bundles/samba/files/timemachine.service
new file mode 100644
index 0000000..d25e6e5
--- /dev/null
+++ b/bundles/samba/files/timemachine.service
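Review bot: `fruit:time machine max size = 750G` is a hard-coded cap emitted for every share in the loop, so every Mac gets the same quota regardless of the dataset behind it; once `timemachine` carries per-share options this should become `fruit:time machine max size = ${opts.get('max_size', '750G')}` so the quota lives in node metadata beside the share name. The global `vfs objects = fruit` is overridden by the per-share `catia fruit streams_xattr`, and the vfs_fruit manual page says fruit relies on streams_xattr being loaded with it, so the global line may do less than intended for the non-Time-Machine shares — either extend it or note why it is there. `min protocol = SMB2` is unconditional and also tightens the existing shares, which is the right direction but worth a comment in the template so it is not mistaken for a Time-Machine-only setting.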
@@ -0,0 +1,21 @@
+
+
+
+ %h
+
+ _smb._tcp
+ 445
+
+
+ _device-info._tcp
+ 0
+ model=RackMac1,2
+
+
+ _adisk._tcp
+% for idx, share_name in enumerate(sorted(shares)):
+ dk${idx}=adVN=timemachine-${share_name},adVF=0x82
+% endfor
+ sys=waMa=0,adVF=0x100
+
+
diff --git a/bundles/samba/items.py b/bundles/samba/items.py
index 333a338..a9567b4 100644
--- a/bundles/samba/items.py
+++ b/bundles/samba/items.py
@@ -11,9 +11,14 @@ svc_systemd = {
 },
 }
+timemachine_shares = node.metadata.get('samba/timemachine-shares', set())
+
 files = {
 '/etc/samba/smb.conf': {
 'content_type': 'mako',
+ 'context': {
+ 'timemachine': timemachine_shares,
+ },
 'triggers': {
 'svc_systemd:nmbd:restart',
 'svc_systemd:smbd:restart',
@@ -57,3 +62,24 @@ for user, uconfig in node.metadata.get('users', {}).items():
 last_action = {
 f'action:smbpasswd_for_user_{user}',
 }
+
+if timemachine_shares:
+ assert node.has_bundle('avahi-daemon'), f'{node.name}: samba needs avahi-daemon to publish time machine shares'
+
+ files['/etc/avahi/services/timemachine.service'] = {
+ 'content_type': 'mako',
+ 'context': {
+ 'shares': timemachine_shares,
+ },
+ }
+
+ for share_name in timemachine_shares:
+ users[f'timemachine-{share_name}'] = {
+ 'home': f'/srv/timemachine/{share_name}',
+ }
+
+ directories[f'/srv/timemachine/{share_name}'] = {
+ 'owner': f'timemachine-{share_name}',
+ 'group': f'timemachine-{share_name}',
+ 'mode': '0700',
+ }
diff --git a/bundles/samba/metadata.py b/bundles/samba/metadata.py
index 7b9400c..c8243af 100644
--- a/bundles/samba/metadata.py
+++ b/bundles/samba/metadata.py
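Review bot: The `timemachine-*` accounts are created as bare `users` items with only `home` set, and the SMB password handling visible in the context (`action:smbpasswd_for_user_{user}` produced by iterating `node.metadata.get('users')`) covers metadata users only, so unless a password is set somewhere not shown, `valid users = timemachine-${name}` names accounts that cannot authenticate to Samba. Either declare the accounts in node metadata so the existing action picks them up, or add an `smbpasswd` action here fed from `repo.vault.password_for(...)`. Since the accounts exist only to own the share, also give them `'shell': '/usr/sbin/nologin',` so no interactive login is possible. The `for user, uconfig` loop that the hunk's context lines belong to starts before the hunk.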
@@ -24,3 +24,30 @@ def firewall(metadata):
 },
 },
 }
+
+
+@metadata_reactor.provides(
+ 'zfs/datasets',
+)
+def timemachine_zfs(metadata):
+ shares = metadata.get('samba/timemachine-shares', set())
+
+ if not shares:
+ return {}
+
+ assert node.has_bundle('zfs'), f'{node.name}: time machine backups require zfs'
+
+ datasets = {
+ 'tank/timemachine': {},
+ }
+
+ for share_name in shares:
+ datasets[f'tank/timemachine/{share_name}'] = {
+ 'mountpoint': f'/srv/timemachine/{share_name}',
+ }
+
+ return {
+ 'zfs': {
+ 'datasets': datasets,
+ },
+ }
From 884c6f73af94678cf121f0ed6727a61cd4d5f444 Mon Sep 17 00:00:00 2001
From: Franziska Kunsmann
Date: Sun, 22 Dec 2024 20:24:20 +0100
Subject: [PATCH 052/181] home.nas: clean up some datasets
---
 nodes/home/nas.py | 29 -----------------------------
 1 file changed, 29 deletions(-)
diff --git a/nodes/home/nas.py b/nodes/home/nas.py
index 52a2bfd..84d4aff 100644
--- a/nodes/home/nas.py
+++ b/nodes/home/nas.py
@@ -309,18 +309,12 @@ nodes['home.nas'] = {
 'encrypted': {
 'primarycache': 'metadata',
 },
- 'encrypted/download': {
- 'mountpoint': '/media/download',
- },
 'encrypted/nas': {
 'acltype': 'off',
 'atime': 'off',
 'compression': 'off',
 'mountpoint': '/storage/nas',
 },
- 'encrypted/paperless': {
- 'mountpoint': '/media/paperless',
- },
 'tank': {
 'primarycache': 'metadata',
 },
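Review bot: `timemachine_zfs` hard-codes the parent dataset `tank/timemachine`, so the reactor silently assumes a pool named `tank` — which home.nas only gained by rename two commits earlier — and any other node enabling `samba/timemachine-shares` will fail at apply time rather than at metadata time; read it from metadata, e.g. `parent = metadata.get('samba/timemachine-dataset', 'tank/timemachine')`, and build the dataset names from that. The backups also land outside the `encrypted` dataset tree that the following hunk shows home.nas using for its other user data; Time Machine can encrypt on the client, but if that is the plan a comment here should say so, otherwise put the datasets under the encrypted parent.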
@@ -330,47 +324,24 @@ nodes['home.nas'] = {
 'tank/download': {
 'mountpoint': '/storage/download',
 },
- 'tank/nas': {
- 'acltype': 'off',
- 'atime': 'off',
- 'compression': 'off',
- 'mountpoint': '/media/nas_old',
- },
 'tank/paperless': {
 'mountpoint': '/srv/paperless',
 },
 },
 'snapshots': {
 'retain_per_dataset': {
- 'encrypted/download': {
- 'hourly': 6,
- 'daily': 0,
- 'weekly': 0,
- 'monthly': 0,
- },
 'encrypted/nas': {
 # juuuuuuuust to be sure.
 'daily': 14,
 'weekly': 6,
 'monthly': 12,
 },
- 'encrypted/paperless': {
- 'daily': 14,
- 'weekly': 6,
- 'monthly': 24,
- },
 'tank/download': {
 'hourly': 48,
 'daily': 0,
 'weekly': 0,
 'monthly': 0,
 },
- 'tank/nas': {
- # juuuuuuuust to be sure.
- 'daily': 14,
- 'weekly': 6,
- 'monthly': 12,
- },
 'tank/paperless': {
 'daily': 14,
 'weekly': 6,
From fe4cd98612084da4c9b5c82d4d625d6ab2a64991 Mon Sep 17 00:00:00 2001
From: Franziska Kunsmann
Date: Sun, 22 Dec 2024 20:24:35 +0100
Subject: [PATCH 053/181] home.nas: prepare for time machine backups
---
 nodes/home/nas.py | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/nodes/home/nas.py b/nodes/home/nas.py
index 84d4aff..bf14b89 100644
--- a/nodes/home/nas.py
+++ b/nodes/home/nas.py
@@ -3,6 +3,7 @@ nodes['home.nas'] = {
 'hostname': '172.19.138.20',
 'bundles': {
+ 'avahi-daemon',
 'backup-client',
 'dm-crypt',
 'jellyfin',
@@ -193,6 +194,9 @@ nodes['home.nas'] = {
 'restrict-to': {
 '172.19.138.0/24',
 },
+ 'timemachine-shares': {
+ #'apfelcomputer', # hostname TBD
+ },
 },
 'smartd': {
 'disks': {
From c455718847fdfae59a6f8062e5f21d020373322c Mon Sep 17 00:00:00 2001
From: Franziska Kunsmann
Date: Sun, 22 Dec 2024 20:29:39 +0100
Subject: [PATCH 054/181] bundles/avahi-daemon: install more dependencies and limit to interfaces that are configured
---
 bundles/avahi-daemon/files/avahi-daemon.conf | 1 +
 bundles/avahi-daemon/items.py | 1 +
 bundles/avahi-daemon/metadata.py | 1 +
 3 files changed, 3 insertions(+)
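Review bot: With its only entry commented out, `'timemachine-shares': { ... }` is an empty dict literal rather than an empty set, so the node-level value has a different type from the `set()` default the samba bundle falls back to, and the `if timemachine_shares:` / `sorted(timemachine)` code only works because both happen to be falsy. Until a hostname exists, write `'timemachine-shares': set(),  # 'apfelcomputer' — hostname TBD` so the type is already right when the first entry is added. The enclosing `samba` mapping starts before this hunk.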
diff --git a/bundles/avahi-daemon/files/avahi-daemon.conf b/bundles/avahi-daemon/files/avahi-daemon.conf
index 7a639fd..efdd222 100644
--- a/bundles/avahi-daemon/files/avahi-daemon.conf
+++ b/bundles/avahi-daemon/files/avahi-daemon.conf
@@ -2,6 +2,7 @@
 host-name=${node.name.split('.')[-1]}
 use-ipv4=yes
 use-ipv6=yes
+allow-interfaces=${','.join(sorted(node.metadata.get('interfaces', {}).keys()))}
 ratelimit-interval-usec=1000000
 ratelimit-burst=1000
diff --git a/bundles/avahi-daemon/items.py b/bundles/avahi-daemon/items.py
index 74bcdd3..0a0f1aa 100644
--- a/bundles/avahi-daemon/items.py
+++ b/bundles/avahi-daemon/items.py
@@ -13,5 +13,6 @@ svc_systemd['avahi-daemon'] = {
 'needs': {
 'file:/etc/avahi/avahi-daemon.conf',
 'pkg_apt:avahi-daemon',
+ 'pkg_apt:libnss-mdns',
 },
 }
diff --git a/bundles/avahi-daemon/metadata.py b/bundles/avahi-daemon/metadata.py
index b1400d9..0bb909f 100644
--- a/bundles/avahi-daemon/metadata.py
+++ b/bundles/avahi-daemon/metadata.py
@@ -2,6 +2,7 @@ defaults = {
 'apt': {
 'packages': {
 'avahi-daemon': {},
+ 'libnss-mdns': {},
 },
 },
 }
From 0df4c8f75e100064cc7d4e89452121c9e59d4e4a Mon Sep 17 00:00:00 2001
From: Franziska Kunsmann
Date: Mon, 23 Dec 2024 09:56:55 +0100
Subject: [PATCH 055/181] bump as3320 and as8881 routes
---
 configs/as3320.txt | 75 +++++++++++++++++++++++++++++-----------------
 configs/as8881.txt | 16 ++++++++--
 2 files changed, 61 insertions(+), 30 deletions(-)
diff --git a/configs/as3320.txt b/configs/as3320.txt
index 5c42e56..0ac3052 100644
--- a/configs/as3320.txt
+++ b/configs/as3320.txt
@@ -1,3 +1,4 @@
+109.203.176.0/21
 109.237.176.0/20
 109.72.116.0/24
 116.50.16.0/21
@@ -19,7 +20,6 @@
 141.77.0.0/16
 143.99.213.0/24
 145.225.16.0/23
-146.247.58.0/24
 147.161.22.0/24
 147.78.17.0/24
 147.79.8.0/21
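Review bot: `allow-interfaces` is built from every key under `interfaces`, so on a node that also has an upstream, VPN or container interface avahi will announce the host (and its HINFO record) there as well, which is wider than "the configured LAN interfaces"; a dedicated list such as `node.metadata.get('avahi-daemon/interfaces', node.metadata.get('interfaces', {}).keys())` would let a host stay LAN-only. When `interfaces` is absent the line renders as `allow-interfaces=` with an empty value, whose effect is at best unclear, so wrap the line in `% if` so the key is omitted rather than emitted empty.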
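Review bot: Adding `libnss-mdns` changes more than package state: on apt-based systems its postinst typically inserts `mdns4_minimal [NOTFOUND=return]` into the `hosts` line of `/etc/nsswitch.conf`, so from then on this host resolves `.local` names from unauthenticated multicast answers that any peer on the segment can send. Publishing services needs only `avahi-daemon`; if `.local` lookup on the server is wanted, add a comment next to the package saying so, and keep the minimal resolver rather than widening it to the full `mdns` entry.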
@@ -31,10 +31,13 @@ 149.237.203.0/24 149.237.250.0/24 149.237.251.0/24 +149.237.254.0/24 149.243.232.0/22 149.249.244.0/22 149.249.244.0/23 149.249.246.0/23 +151.243.168.0/24 +151.243.173.0/24 153.17.244.8/29 153.17.249.0/24 153.17.250.0/24 @@ -46,12 +49,13 @@ 153.96.218.0/24 153.96.22.0/24 153.97.32.0/24 +153.97.34.0/24 158.116.231.0/24 -160.211.126.0/24 163.5.156.0/24 163.5.170.0/24 163.5.186.0/24 163.5.220.0/24 +163.5.47.0/24 163.5.66.0/24 164.133.10.0/24 164.133.11.0/24 @@ -96,6 +100,7 @@ 185.202.32.0/21 185.207.46.0/24 185.21.247.0/24 +185.224.0.0/24 185.237.0.0/24 185.237.1.0/24 185.237.2.0/24 @@ -108,11 +113,16 @@ 185.28.208.0/22 185.39.12.0/22 185.48.0.0/22 -185.57.231.0/24 185.57.24.0/24 185.82.160.0/23 +185.97.227.0/24 +188.208.124.0/24 +188.208.125.0/24 +188.209.223.0/24 +188.214.136.0/24 +188.214.137.0/24 +188.214.138.0/24 188.214.139.0/24 -192.109.121.0/24 192.109.122.0/24 192.109.124.0/24 192.109.129.0/24 @@ -153,7 +163,6 @@ 193.100.248.0/22 193.100.252.0/24 193.100.3.0/24 -193.101.12.0/22 193.101.128.0/22 193.101.139.0/24 193.101.162.0/23 @@ -285,6 +294,7 @@ 194.127.242.0/23 194.127.254.0/24 194.145.252.0/24 +194.147.171.0/24 194.15.194.0/24 194.15.60.0/24 194.15.61.0/24 @@ -319,7 +329,6 @@ 194.180.64.0/20 194.25.0.0/16 194.25.1.5/32 -194.26.191.0/24 194.31.142.0/24 194.31.208.0/24 194.31.209.0/24 @@ -330,6 +339,11 @@ 194.33.115.0/24 194.33.120.0/24 194.33.121.0/24 +194.33.50.0/24 +194.38.48.0/24 +194.38.49.0/24 +194.38.50.0/24 +194.38.51.0/24 194.39.175.0/24 194.39.189.0/24 194.39.48.0/20 @@ -429,6 +443,9 @@ 205.142.63.0/24 212.184.0.0/15 212.185.0.0/16 +212.68.172.0/22 +212.68.176.0/22 +212.68.180.0/22 213.145.90.0/23 213.145.92.0/23 213.173.0.0/19 @@ -437,7 +454,7 @@ 213.209.156.0/24 217.0.0.0/13 217.117.96.0/24 -217.198.189.0/24 +217.177.33.0/24 217.224.0.0/11 217.24.32.0/20 217.24.33.0/24 
@@ -447,17 +464,22 @@ 31.224.0.0/11 31.6.56.0/23 37.143.0.0/22 +37.230.61.0/24 37.46.11.0/24 37.50.0.0/15 37.80.0.0/12 +45.112.192.0/24 +45.129.165.0/24 45.132.80.0/22 45.141.54.0/24 45.145.16.0/24 45.147.227.0/24 +45.149.7.0/24 45.155.77.0/24 45.81.255.0/24 45.83.136.0/22 45.93.186.0/23 +46.202.0.0/24 46.250.224.0/21 46.250.232.0/21 46.78.0.0/15 @@ -474,6 +496,7 @@ 62.224.0.0/14 62.56.208.0/21 62.68.73.0/24 +62.72.172.0/24 64.137.119.0/24 64.137.125.0/24 64.137.127.0/24 @@ -516,7 +539,9 @@ 84.32.48.0/22 84.55.0.0/24 84.55.1.0/24 +84.55.17.0/24 84.55.2.0/24 +84.55.22.0/24 84.55.3.0/24 84.55.4.0/24 84.55.5.0/24 @@ -527,13 +552,19 @@ 85.116.30.0/24 85.116.31.0/24 85.119.160.0/23 +85.133.193.0/24 +85.133.208.0/24 +85.133.214.0/24 +85.133.254.0/24 85.204.181.0/24 85.208.248.0/24 85.208.249.0/24 85.208.250.0/24 85.208.251.0/24 86.105.211.0/24 +86.105.58.0/24 86.107.164.0/24 +86.110.57.0/24 86.38.248.0/21 86.38.37.0/24 87.128.0.0/10 @@ -545,7 +576,6 @@ 89.116.64.0/22 89.213.186.0/23 89.39.97.0/24 -89.43.34.0/24 91.0.0.0/10 91.103.240.0/21 91.124.135.0/24 @@ -559,7 +589,6 @@ 91.124.27.0/24 91.124.28.0/24 91.124.31.0/24 -91.124.32.0/24 91.124.33.0/24 91.124.34.0/24 91.124.36.0/24 @@ -606,27 +635,15 @@ 91.222.232.0/22 91.227.98.0/23 91.232.54.0/24 -92.112.128.0/24 -92.112.155.0/24 -92.112.157.0/24 +91.246.176.0/21 +92.112.10.0/24 +92.112.158.0/24 92.112.16.0/22 -92.112.160.0/24 -92.112.162.0/24 -92.112.165.0/24 -92.112.167.0/24 92.112.20.0/22 92.112.48.0/24 -92.112.49.0/24 -92.112.52.0/24 -92.112.54.0/24 -92.112.59.0/24 -92.112.63.0/24 -92.112.64.0/24 -92.112.67.0/24 -92.112.79.0/24 -92.112.81.0/24 -92.112.83.0/24 -92.112.94.0/24 +92.112.6.0/24 +92.112.7.0/24 +92.112.8.0/24 92.114.44.0/22 92.119.164.0/22 92.119.208.0/24 @@ -635,8 +652,12 @@ 92.119.211.0/24 93.113.70.0/24 93.119.201.0/24 +93.119.232.0/24 93.192.0.0/10 94.126.98.0/24 +94.176.72.0/24 +94.176.74.0/24 +94.176.79.0/24 94.26.110.0/23 94.26.64.0/23 95.178.8.0/21 
diff --git a/configs/as8881.txt b/configs/as8881.txt index cd09176..aa354f9 100644 --- a/configs/as8881.txt +++ b/configs/as8881.txt @@ -6,6 +6,7 @@ 109.250.192.0/19 109.250.224.0/19 109.250.64.0/18 +109.72.113.0/24 134.101.0.0/21 14.102.90.0/24 143.58.64.0/18 @@ -121,6 +122,7 @@ 202.71.128.0/20 202.71.141.0/24 212.204.0.0/19 +212.23.205.0/24 212.7.128.0/19 212.8.0.0/19 212.80.224.0/19 @@ -152,6 +154,8 @@ 46.142.96.0/19 46.142.96.0/20 46.189.0.0/17 +46.203.156.0/24 +46.203.227.0/24 61.8.128.0/19 61.8.128.0/22 61.8.132.0/22 @@ -164,6 +168,7 @@ 62.214.224.0/19 62.217.32.0/19 62.220.0.0/19 +62.220.1.0/24 62.68.82.0/24 62.72.64.0/19 62.72.70.0/24 @@ -224,6 +229,7 @@ 88.130.0.0/16 88.130.136.0/21 88.130.144.0/20 +88.130.172.0/22 88.130.176.0/21 88.130.192.0/23 88.130.194.0/23 @@ -242,14 +248,16 @@ 88.130.63.0/24 88.130.64.0/19 88.130.96.0/19 +89.187.24.0/24 +89.187.26.0/24 89.207.200.0/21 89.244.0.0/14 89.244.120.0/21 89.244.160.0/21 89.244.176.0/20 89.244.192.0/19 -89.244.224.0/20 -89.244.76.0/24 +89.244.224.0/19 +89.244.76.0/22 89.244.78.0/23 89.244.80.0/20 89.244.96.0/22 @@ -266,7 +274,6 @@ 89.245.64.0/19 89.245.96.0/20 89.246.0.0/19 -89.246.112.0/22 89.246.122.0/24 89.246.124.0/22 89.246.160.0/21 @@ -325,6 +332,8 @@ 92.117.248.0/21 92.117.64.0/19 92.117.96.0/19 +93.114.90.0/24 +93.114.91.0/24 94.134.0.0/15 94.134.0.0/18 94.134.112.0/22 @@ -350,6 +359,7 @@ 2001:1438:1:a00::/56 2001:1438:2000::/36 2001:1438:3000::/36 +2001:1438:300::/56 2001:1438:4000::/36 2001:1438::/32 2001:16b8:1000::/40 From 0adf14a2934fad72711071094e224aca003b5c6f Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Mon, 23 Dec 2024 10:15:00 +0100 Subject: [PATCH 056/181] bundles/infobeamer-cms: times are in UTC, please --- bundles/infobeamer-cms/metadata.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/bundles/infobeamer-cms/metadata.py b/bundles/infobeamer-cms/metadata.py index f340e01..4413d5a 100644 --- a/bundles/infobeamer-cms/metadata.py 
+++ b/bundles/infobeamer-cms/metadata.py
@@ -1,4 +1,4 @@
-from datetime import datetime, timedelta
+from datetime import datetime, timedelta, timezone
 assert node.has_bundle('redis')
@@ -52,7 +52,7 @@ def nginx(metadata):
 'infobeamer-cms/config/TIME_MIN',
 )
 def event_times(metadata):
- event_start = datetime.strptime(metadata.get('infobeamer-cms/event_start_date'), '%Y-%m-%d')
+ event_start = datetime.strptime(metadata.get('infobeamer-cms/event_start_date'), '%Y-%m-%d').replace(tzinfo=timezone.utc)
 event_duration = metadata.get('infobeamer-cms/event_duration_days', 4)
 event_end = event_start + timedelta(days=event_duration)
From 1c1be571d8b53710fbbea3a0e51c595142e3092d Mon Sep 17 00:00:00 2001
From: Franziska Kunsmann
Date: Mon, 23 Dec 2024 13:41:24 +0100
Subject: [PATCH 057/181] update travelynx to 2.9.8
---
 nodes/carlene.toml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/nodes/carlene.toml b/nodes/carlene.toml
index 6d90334..645a460 100644
--- a/nodes/carlene.toml
+++ b/nodes/carlene.toml
@@ -262,7 +262,7 @@ disks = [ ]
 [metadata.travelynx]
-version = "2.9.6"
+version = "2.9.8"
 mail_from = "travelynx@franzi.business"
 domain = "travelynx.franzi.business"
From 158b091487066635202d988943fa09f485b93384 Mon Sep 17 00:00:00 2001
From: Franziska Kunsmann
Date: Mon, 23 Dec 2024 19:05:59 +0100
Subject: [PATCH 058/181] voc.infobeamer-cms: new sso setup
---
 nodes/voc/infobeamer-cms.py | 29 +++++++++++++++++++----------
 1 file changed, 19 insertions(+), 10 deletions(-)
diff --git a/nodes/voc/infobeamer-cms.py b/nodes/voc/infobeamer-cms.py
index 023a589..2a743fa 100644
--- a/nodes/voc/infobeamer-cms.py
+++ b/nodes/voc/infobeamer-cms.py
@@ -29,21 +29,20 @@ nodes['voc.infobeamer-cms'] = {
 'event_duration_days': 5,
 'config': {
 'ADMIN_USERS': [
-'evilscientress',
-'hexchen',
-'jbeyerstedt',
-'jwacalex',
-'kunsi',
-'sophieschi',
-'v0tti',
+'github:evilscientress',
+'github:hexchen',
+'github:jbeyerstedt',
+'github:jwacalex',
+'github:sophieschi',
+'github:v0tti',
 ],
 'NO_LIMIT_USERS': [
-'stblassitude',
+'github:stblassitude',
 ],
-'GITHUB_CLIENT_ID': vault.decrypt('encrypt$gAAAAABiNwHfIu9PYFfJrF7qirn_9vdvvUlEhJnadoNSS5XlCDbI_aMyj21_ZYQxaCkc6_eVX6Cj1jEHZ7Vs6wM-XyQdW0nUOahtqG4uvnYCiM3GFKHW_wQ='),
-'GITHUB_CLIENT_SECRET': vault.decrypt('encrypt$gAAAAABiNwHtdZC2XQ8IjosL7vsmrxZMwDIM6AD5dUlLo996tJs4qV7KJETHgYYZil2aMzClwhcE6JmxdhARRp7IJQ4rQQibelTNmyYSzj_V4puVpvma7SU0UZkTIG95SdPpoHY--Zba'),
 'HOSTED_API_KEY': vault.decrypt('encrypt$gAAAAABhxJPH2sIGMAibU2Us1HoCVlNfF0SQQnVl0eiod48Zu8webL_-xk3wDw3yXw1Hkglj-2usl-D3Yd095yTSq0vZMCv2fh-JWwSPdJewQ45x9Ai4vXVD4CNz5vuJBESKS9xQWXTc'),
 'INTERRUPT_KEY': vault.human_password_for('infobeamer-cms interrupt key 38c3', words=1),
+'DEFAULT_SSO_PROVIDER': 'github',
+'DEFAULT_ADMIN_SSO_PROVIDER': 'c3voc',
 'SETUP_IDS': [
 255228,
 ],
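Review bot: `kunsi` is dropped from `ADMIN_USERS` while the other six entries are only re-prefixed with `github:`; neither the commit message nor a comment says this is deliberate, so if it is intended a note should say so, and if not the line `'github:kunsi',` belongs back in the list. `DEFAULT_ADMIN_SSO_PROVIDER` is set to `c3voc` here while every admin entry still names the `github` provider, which presumably means the c3voc provider grants admin rights on its own; a one-line comment on `ADMIN_USERS` stating that the prefix selects the SSO provider and how the two lists interact would make future changes to this access list reviewable.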
@@ -74,6 +73,16 @@ nodes['voc.infobeamer-cms'] = {
 or #info-beamer on the cccv rocketchat instance.
 '''.strip(),
 },
+'oauth2_providers': {
+'github': {
+'client_id': vault.decrypt('encrypt$gAAAAABiNwHfIu9PYFfJrF7qirn_9vdvvUlEhJnadoNSS5XlCDbI_aMyj21_ZYQxaCkc6_eVX6Cj1jEHZ7Vs6wM-XyQdW0nUOahtqG4uvnYCiM3GFKHW_wQ='),
+'client_secret': vault.decrypt('encrypt$gAAAAABiNwHtdZC2XQ8IjosL7vsmrxZMwDIM6AD5dUlLo996tJs4qV7KJETHgYYZil2aMzClwhcE6JmxdhARRp7IJQ4rQQibelTNmyYSzj_V4puVpvma7SU0UZkTIG95SdPpoHY--Zba'),
+},
+'c3voc': {
+'client_id': 'uqzN2mYeMq4vxnHL6HNmBC80hsvYcfhzniiczdqV',
+'client_secret': vault.decrypt('encrypt$gAAAAABnaZ0z-hQ3yYf8P1g4gyLLvNHcNkiXVtIq7M11qswbzcVM4upfgtxCWBlCgwLN3v7CxwDFQbJnosEq0hbX4c0TEoOausV4upJD0-5zP_1U18gbMGicpZ0TCzYyEhOqvCye7UmFOWzOmplSX1fz43Pf7peDeaPxHjqmxjw0khyExzWw4JPOd1V7LhnesJmPCfGKXn5YHMDicrdYeqFf0FySN1yA5gfLNo7y-S1QMJ6-n6Jct7uuifF9t2OV-zyOj3cKK13B'),
+},
+},
 },
 'rooms': {
 'Saal 1': 34430, # s1
From f06607df60329e1998c4871c75df51ea4503c7eb Mon Sep 17 00:00:00 2001
From: Franziska Kunsmann
Date: Mon, 23 Dec 2024 19:27:34 +0100
Subject: [PATCH 059/181] voc.infobeamer-cms: remove github admins of c3voc sso users
---
 nodes/voc/infobeamer-cms.py | 9 +--------
 1 file changed, 1 insertion(+), 8 deletions(-)
diff --git a/nodes/voc/infobeamer-cms.py b/nodes/voc/infobeamer-cms.py
index 2a743fa..e6de7d2 100644
--- a/nodes/voc/infobeamer-cms.py
+++ b/nodes/voc/infobeamer-cms.py
@@ -28,14 +28,7 @@ nodes['voc.infobeamer-cms'] = {
 'event_start_date': '2024-12-26',
 'event_duration_days': 5,
 'config': {
-'ADMIN_USERS': [
-'github:evilscientress',
-'github:hexchen',
-'github:jbeyerstedt',
-'github:jwacalex',
-'github:sophieschi',
-'github:v0tti',
-],
+'ADMIN_USERS': [],
 'NO_LIMIT_USERS': [
 'github:stblassitude',
 ],
From f3f78700e712b56a9d9779d8e920ed0b417eb0e1 Mon Sep 17 00:00:00 2001
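Review bot: the `c3voc` `client_id` is committed in clear text while the `github` entry a few lines above wraps its `client_id` in `vault.decrypt(...)`; OAuth client ids are normally public identifiers, so either convention is defensible, but the file should follow one. Either vault the c3voc id as well, `'client_id': vault.decrypt('<encrypted c3voc client id>'),` (placeholder), or put a comment such as `# client_id is a public identifier; only client_secret needs to be vaulted` on the `oauth2_providers` dict so the mix does not read as an oversight the next time a provider is added.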
From: Franziska Kunsmann
Date: Tue, 24 Dec 2024 12:46:59 +0100
Subject: [PATCH 060/181] voc.infobeamer-cms: add 38c3 hub sso
---
 nodes/voc/infobeamer-cms.py | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)
diff --git a/nodes/voc/infobeamer-cms.py b/nodes/voc/infobeamer-cms.py
index e6de7d2..e577141 100644
--- a/nodes/voc/infobeamer-cms.py
+++ b/nodes/voc/infobeamer-cms.py
@@ -67,14 +67,18 @@ nodes['voc.infobeamer-cms'] = {
 '''.strip(),
 },
 'oauth2_providers': {
-'github': {
-'client_id': vault.decrypt('encrypt$gAAAAABiNwHfIu9PYFfJrF7qirn_9vdvvUlEhJnadoNSS5XlCDbI_aMyj21_ZYQxaCkc6_eVX6Cj1jEHZ7Vs6wM-XyQdW0nUOahtqG4uvnYCiM3GFKHW_wQ='),
-'client_secret': vault.decrypt('encrypt$gAAAAABiNwHtdZC2XQ8IjosL7vsmrxZMwDIM6AD5dUlLo996tJs4qV7KJETHgYYZil2aMzClwhcE6JmxdhARRp7IJQ4rQQibelTNmyYSzj_V4puVpvma7SU0UZkTIG95SdPpoHY--Zba'),
-},
+#'github': {
+# 'client_id': vault.decrypt('encrypt$gAAAAABiNwHfIu9PYFfJrF7qirn_9vdvvUlEhJnadoNSS5XlCDbI_aMyj21_ZYQxaCkc6_eVX6Cj1jEHZ7Vs6wM-XyQdW0nUOahtqG4uvnYCiM3GFKHW_wQ='),
+# 'client_secret': vault.decrypt('encrypt$gAAAAABiNwHtdZC2XQ8IjosL7vsmrxZMwDIM6AD5dUlLo996tJs4qV7KJETHgYYZil2aMzClwhcE6JmxdhARRp7IJQ4rQQibelTNmyYSzj_V4puVpvma7SU0UZkTIG95SdPpoHY--Zba'),
+#},
 'c3voc': {
 'client_id': 'uqzN2mYeMq4vxnHL6HNmBC80hsvYcfhzniiczdqV',
 'client_secret': vault.decrypt('encrypt$gAAAAABnaZ0z-hQ3yYf8P1g4gyLLvNHcNkiXVtIq7M11qswbzcVM4upfgtxCWBlCgwLN3v7CxwDFQbJnosEq0hbX4c0TEoOausV4upJD0-5zP_1U18gbMGicpZ0TCzYyEhOqvCye7UmFOWzOmplSX1fz43Pf7peDeaPxHjqmxjw0khyExzWw4JPOd1V7LhnesJmPCfGKXn5YHMDicrdYeqFf0FySN1yA5gfLNo7y-S1QMJ6-n6Jct7uuifF9t2OV-zyOj3cKK13B'),
 },
+'c3hub': {
+'client_id': '16oHBcVstcOKwt3EuX9E2urpYeVC0Dfo3Gzn2XhS',
+'client_secret': vault.decrypt('encrypt$gAAAAABnaoRKbORUcceyKu3tda3lgMIFC-e0cG0AeMdDYJ--EnTRxp8QcULOTf2oBtKQUk17hgwfsafTFi4eZq1FrjNgq1h5gm83oJYWLQ6pp8Rsp9kjwgtAXf72jIU-AOQxx02SoFMU8r5pdEFEX4FkU_ksbU6s7xgBW8oxq_WO2CXAppTUX61TeB9me2nSLFdJc5-v6RDpQfDvVAm7yNS_PhMvMgVzfEZrFM-EWF_bl0S_q0ejf88o9zaXHIMJpzMruVZOXD0T'),
+},
 },
 },
 'rooms': {
From 1c385514674a4326fd4b3de3bdb3a67cb47aa366 Mon Sep 17 00:00:00 2001
From: Franziska Kunsmann
Date: Tue, 24 Dec 2024 13:39:38 +0100
Subject: [PATCH 061/181] voc.infobeamer-cms: set default sso provider
---
 nodes/voc/infobeamer-cms.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
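Review bot: with the `github` provider commented out, the `'github:stblassitude'` entry that the previous commit on this page left in `NO_LIMIT_USERS` presumably can no longer match any logged-in user, so it is either dead configuration or, if the CMS validates prefixes against configured providers, a startup error — I cannot tell from here which, so it is worth checking before the event. The commented-out block, vault-encrypted secret included, is better deleted outright since git history keeps it; the same applies to the commented-out `inbox` user block in nodes/home/nas.py and the `kunsi-p14s` peer in nodes/htz-cloud/wireguard.py further down this page. If github is meant to come back after the event, a one-line `# github login disabled for 38c3, re-enable afterwards` says that more clearly than four commented lines.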
diff --git a/nodes/voc/infobeamer-cms.py b/nodes/voc/infobeamer-cms.py
index e577141..043c7a5 100644
--- a/nodes/voc/infobeamer-cms.py
+++ b/nodes/voc/infobeamer-cms.py
@@ -34,8 +34,6 @@ nodes['voc.infobeamer-cms'] = {
 ],
 'HOSTED_API_KEY': vault.decrypt('encrypt$gAAAAABhxJPH2sIGMAibU2Us1HoCVlNfF0SQQnVl0eiod48Zu8webL_-xk3wDw3yXw1Hkglj-2usl-D3Yd095yTSq0vZMCv2fh-JWwSPdJewQ45x9Ai4vXVD4CNz5vuJBESKS9xQWXTc'),
 'INTERRUPT_KEY': vault.human_password_for('infobeamer-cms interrupt key 38c3', words=1),
-'DEFAULT_SSO_PROVIDER': 'github',
-'DEFAULT_ADMIN_SSO_PROVIDER': 'c3voc',
 'SETUP_IDS': [
 255228,
 ],
@@ -66,6 +64,8 @@ nodes['voc.infobeamer-cms'] = {
 or #info-beamer on the cccv rocketchat instance.
 '''.strip(),
 },
+'DEFAULT_SSO_PROVIDER': 'c3hub',
+'DEFAULT_ADMIN_SSO_PROVIDER': 'c3voc',
 'oauth2_providers': {
 #'github': {
 # 'client_id': vault.decrypt('encrypt$gAAAAABiNwHfIu9PYFfJrF7qirn_9vdvvUlEhJnadoNSS5XlCDbI_aMyj21_ZYQxaCkc6_eVX6Cj1jEHZ7Vs6wM-XyQdW0nUOahtqG4uvnYCiM3GFKHW_wQ='),
From 1c8d2ccb665ea7234420aeb363cd0a54b5ec4db4 Mon Sep 17 00:00:00 2001
From: Franziska Kunsmann
Date: Fri, 27 Dec 2024 09:59:14 +0100
Subject: [PATCH 062/181] home.nas: add time machine share for apfelcomputer
---
 nodes/home/nas.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/nodes/home/nas.py b/nodes/home/nas.py
index bf14b89..bcf1f80 100644
--- a/nodes/home/nas.py
+++ b/nodes/home/nas.py
@@ -195,7 +195,7 @@ nodes['home.nas'] = {
 '172.19.138.0/24',
 },
 'timemachine-shares': {
-#'apfelcomputer', # hostname TBD
+'apfelcomputer',
 },
 },
 'smartd': {
From 9e2b36767f7361b96832516a3e2b0939a892fa1d Mon Sep 17 00:00:00 2001
From: Franziska Kunsmann
Date: Fri, 27 Dec 2024 09:59:35 +0100
Subject: [PATCH 063/181] home.nas: remove inbox user
---
 nodes/home/nas.py | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/nodes/home/nas.py b/nodes/home/nas.py
index bcf1f80..ad18be3 100644
--- a/nodes/home/nas.py
+++ b/nodes/home/nas.py
@@ -252,11 +252,11 @@ nodes['home.nas'] = {
 'enable_x_forwarding_for_admins': True,
 },
 'users': {
-'inbox': {
-'ssh_pubkey': {
-#'command="/usr/share/rsync/scripts/rrsync -wo /storage/inbox/",no-agent-forwarding,no-port-forwarding,no-pty,no-user-rc,no-X11-forwarding ',
-},
-},
+#'inbox': {
+# 'ssh_pubkey': {
+# #'command="/usr/share/rsync/scripts/rrsync -wo /storage/inbox/",no-agent-forwarding,no-port-forwarding,no-pty,no-user-rc,no-X11-forwarding ',
+# },
+#},
 'kunsi': {
 'groups': {
 'nas',
From 81376c950c862a3201315bd463b41db3f4ede616 Mon Sep 17 00:00:00 2001
From: Franziska Kunsmann
Date: Sat, 28 Dec 2024 10:26:30 +0100
Subject: [PATCH 064/181] bundles/samba: increase time machine disk size
---
 bundles/samba/files/smb.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/bundles/samba/files/smb.conf b/bundles/samba/files/smb.conf
index 22905ee..7c4ad0b 100644
--- a/bundles/samba/files/smb.conf
+++ b/bundles/samba/files/smb.conf
@@ -61,7 +61,7 @@ fruit:delete_empty_adfiles = yes
 fruit:metadata = stream
 fruit:posix_rename = yes
 fruit:time machine = yes
-fruit:time machine max size = 750G
+fruit:time machine max size = 2000G
 fruit:veto_appledouble = no
 fruit:wipe_intentionally_left_blank_rfork = yes
 % endfor
From 3e6872c96b8c1c004ac2855685353ac8960f9310 Mon Sep 17 00:00:00 2001
From: Franziska Kunsmann
Date: Sat, 28 Dec 2024 12:05:17 +0100
Subject: [PATCH 065/181] add .envrc
---
 .envrc | 3 +++
 1 file changed, 3 insertions(+)
 create mode 100644 .envrc
diff --git a/.envrc b/.envrc
new file mode 100644
index 0000000..20da331
--- /dev/null
+++ b/.envrc
@@ -0,0 +1,3 @@
+layout python3
+
+source_env_if_exists .envrc.local
From 5afe534d9cf5dfa28864571fe4b88ce8936d8c00 Mon Sep 17 00:00:00 2001
From: Franziska Kunsmann
Date: Sat, 28 Dec 2024 12:32:27 +0100
Subject: [PATCH 066/181] scripts/update-ssh-client-config: add configurable extra line
---
 scripts/update-ssh-client-config | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)
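Review bot: commenting out the `inbox` entry only removes it from metadata; it presumably does not remove the account or its authorized_keys from the host, since the users metadata elsewhere in this repo carries an explicit `'delete': True` flag for that (see the `config.get('delete', False)` check in bundles/arch-with-gui/metadata.py further down this page). Keeping `'inbox': {'delete': True},` until the next apply has retired the account, and dropping the entry afterwards, avoids leaving a stale login on the NAS. If the bundle does remove unlisted users on its own, a comment saying so on the `users` dict would settle the question for the next reader.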
diff --git a/scripts/update-ssh-client-config b/scripts/update-ssh-client-config
index 0c2f7fd..dc86661 100755
--- a/scripts/update-ssh-client-config
+++ b/scripts/update-ssh-client-config
@@ -12,10 +12,20 @@ BW_TABLE_STYLE=grep bw nodes -a hostname -- "lambda:not node.dummy" | \
 while read node addr
 do
+if [[ -z "$BW_SSH_HOOK_EXTRA_LINE" ]]
+then
+echo "Host $addr" >>"$tmpfile"
+echo "$BW_SSH_HOOK_EXTRA_LINE" >>"$tmpfile"
+echo "" >>"$tmpfile"
+fi
 echo "Host $node" >>"$tmpfile"
 echo "HostName $addr" >>"$tmpfile"
+if [[ -z "$BW_SSH_HOOK_EXTRA_LINE" ]]
+then
+echo "$BW_SSH_HOOK_EXTRA_LINE" >>"$tmpfile"
+fi
 echo "" >>"$tmpfile"
 done
-mv "$tmpfile" ~/.ssh/bwnodes
+mv "$tmpfile" ~/.ssh/config.d/bwnodes
 ) &
From 1c3768100c292100631c68ae73d528dddc295ff5 Mon Sep 17 00:00:00 2001
From: Franziska Kunsmann
Date: Sat, 28 Dec 2024 12:34:37 +0100
Subject: [PATCH 067/181] update netbox to 4.1.10
---
 nodes/carlene.toml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/nodes/carlene.toml b/nodes/carlene.toml
index 645a460..4581a4b 100644
--- a/nodes/carlene.toml
+++ b/nodes/carlene.toml
@@ -126,7 +126,7 @@ domain = "rss.franzi.business"
 [metadata.netbox]
 domain = "netbox.franzi.business"
-version = "v4.1.9"
+version = "v4.1.10"
 admins.kunsi = "hostmaster@kunbox.net"
 [metadata.nextcloud]
From b84bfb909f80cc6bce577d45ce5847f41df996ed Mon Sep 17 00:00:00 2001
From: Franziska Kunsmann
Date: Sat, 28 Dec 2024 17:22:21 +0100
Subject: [PATCH 068/181] fix update-ssh-client-config
---
 .gitignore | 2 ++
 scripts/update-ssh-client-config | 4 ++--
 2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/.gitignore b/.gitignore
index bbb5845..7a53a34 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,5 @@
 .secrets.cfg*
 __pycache__
 *.swp
+.direnv
+.envrc.local
diff --git a/scripts/update-ssh-client-config b/scripts/update-ssh-client-config
index dc86661..ba5acde 100755
--- a/scripts/update-ssh-client-config
+++ b/scripts/update-ssh-client-config
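Review bot: both new `if [[ -z "$BW_SSH_HOOK_EXTRA_LINE" ]]` tests are inverted — `-z` is true when the variable is empty, so the `Host $addr` block and the trailing extra line are written only when no extra line was configured; `-n` is the intended test. Independently, `mv "$tmpfile" ~/.ssh/config.d/bwnodes` assumes `~/.ssh/config.d` already exists and that `~/.ssh/config` includes it, so a `mkdir -p ~/.ssh/config.d` before the `mv`, or a comment stating the prerequisite, keeps the hook from failing on a fresh checkout. `while read node addr` should be `while read -r node addr` so a backslash in a hostname is not interpreted. The enclosing subshell starts before this hunk.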
@@ -12,7 +12,7 @@ BW_TABLE_STYLE=grep bw nodes -a hostname -- "lambda:not node.dummy" | \
 while read node addr
 do
-if [[ -z "$BW_SSH_HOOK_EXTRA_LINE" ]]
+if [[ -n "$BW_SSH_HOOK_EXTRA_LINE" ]]
 then
 echo "Host $addr" >>"$tmpfile"
 echo "$BW_SSH_HOOK_EXTRA_LINE" >>"$tmpfile"
@@ -20,7 +20,7 @@
 fi
 echo "Host $node" >>"$tmpfile"
 echo "HostName $addr" >>"$tmpfile"
-if [[ -z "$BW_SSH_HOOK_EXTRA_LINE" ]]
+if [[ -n "$BW_SSH_HOOK_EXTRA_LINE" ]]
 then
 echo "$BW_SSH_HOOK_EXTRA_LINE" >>"$tmpfile"
 fi
From 0b18ae0d1b7ae028f3b57b2531ddbb99c1907525 Mon Sep 17 00:00:00 2001
From: Franziska Kunsmann
Date: Sat, 28 Dec 2024 17:26:55 +0100
Subject: [PATCH 069/181] add new ssh key for kunsi
---
 users.json | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/users.json b/users.json
index 5d5b066..031215c 100644
--- a/users.json
+++ b/users.json
@@ -11,7 +11,8 @@
 },
 "kunsi": {
 "ssh_pubkey": [
-"ssh-rsa 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 cardno:000609506971"
+"ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBG56iljhXQfY0euup1tUtMaFTONGI022uq/kpFOmIQVXeuIClcVB2p4BjL+GwRV51NnpqH9J+qow0/XK3YQkiHY=",
+"ssh-rsa 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"
 ],
 "email": "encrypt$gAAAAABfuXj1DQ3yUn0rEdN2koT1hzgHwCwNp00a0KkWoT_FTsild1zIBpfIiI07AmgIZ5FpyhKH5bSdCVLKc0p4rQuxLrLWpw==",
 "phone": "encrypt$gAAAAABfuXkP2GetSvTd9JJFz4V2v5r5NubihFRg2AB91mtvXpUVUiflzy1VHQJ_qbp6Rke5LEXbtlluNkAa3OOAr_c9L6Pstw==",
@@ -19,7 +20,7 @@ }, "sophie": { "ssh_pubkey": [ - "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDU7XmpX4w+rGQDi+dF6M0q65K2iHVgD1wHBoHREjyqCzmPGZgrnLIv6EN9WWJXjCgRdLEUXgPn7PNJnAgBs3U8G8MsF55yrPNUIsEeg6v+Y6zibEujMrwmeDSk0XAn8iSZcy+4cnqykIMk9Hd5WXW7ZhSHGs4MftWn3Z/q15qPHl/w9OyaKDJAjk8yEsD1sZoAQMhomKliKjJ5a6jNyf7otS3HdbZx4KXABJNuWn/IvmwkcaIU8ljyuPkPkiMn5JWhcUK2kE81Y4a5zJxxusSXSF6Ip7W2Rhv+4gnScTjhTPsG70HlSF/LAB2ytKo0F0N/ZB2hJk+Jq6cAwNBzuST7 sophie@ejgwmobile" + "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDU7XmpX4w+rGQDi+dF6M0q65K2iHVgD1wHBoHREjyqCzmPGZgrnLIv6EN9WWJXjCgRdLEUXgPn7PNJnAgBs3U8G8MsF55yrPNUIsEeg6v+Y6zibEujMrwmeDSk0XAn8iSZcy+4cnqykIMk9Hd5WXW7ZhSHGs4MftWn3Z/q15qPHl/w9OyaKDJAjk8yEsD1sZoAQMhomKliKjJ5a6jNyf7otS3HdbZx4KXABJNuWn/IvmwkcaIU8ljyuPkPkiMn5JWhcUK2kE81Y4a5zJxxusSXSF6Ip7W2Rhv+4gnScTjhTPsG70HlSF/LAB2ytKo0F0N/ZB2hJk+Jq6cAwNBzuST7" ] } } From 68fced83d6610353b44fb231768e6bb10bbda06b Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Tue, 31 Dec 2024 09:30:46 +0000 Subject: [PATCH 070/181] htz-cloud.wireguard: replace vpn of kunsi-p14s with apfelcomputer --- nodes/htz-cloud/wireguard.py | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/nodes/htz-cloud/wireguard.py b/nodes/htz-cloud/wireguard.py index df618ea..d7f97ff 100644 --- a/nodes/htz-cloud/wireguard.py +++ b/nodes/htz-cloud/wireguard.py 
@@ -101,12 +101,21 @@ nodes['htz-cloud.wireguard'] = {
 'psk': vault.decrypt('encrypt$gAAAAABlbr26kyQ_DNIObVNtG31e1uSZkfDKH9Y1tzq8ZNSAMeuEh30cMJBZQskLLYqt5HUGd-YFwYQB_E7oa-WWbHmDh4vAxJ22Efr85tA0TWsgkc2KvKHqZrNo-GCXhxCqs7SqhW1C'),
 'pubkey': vault.decrypt('encrypt$gAAAAABlbr27doNVsPXF7hMpAp93fP-h_jlW10zycZAHy05r4R7rOZrLqf5b-lhdamx_kQxypYtcW-jOCYgcqWNsId7RluEmFo3drFuUYKIa32YU_U0Pe5EjVRFz_tuf9NRPPugmHb22'),
 },
-'kunsi-p14s': {
+#'kunsi-p14s': {
+# 'endpoint': None,
+# 'exclude_from_monitoring': True,
+# 'my_ip': '172.19.136.64',
+# 'my_port': 1194,
+# 'their_ip': '172.19.136.65',
+#},
+'apfelcomputer': {
 'endpoint': None,
 'exclude_from_monitoring': True,
 'my_ip': '172.19.136.64',
 'my_port': 1194,
 'their_ip': '172.19.136.65',
+'psk': vault.decrypt('encrypt$gAAAAABnc7LZSHWmOOQJpbtnpMn9QuWnbiB-6rShwgqbilVd45GzkUwOfEHBw28P_TVm9XJgFiQPOIo12DdxPCzSxKRtcqzji72QCzTlze4ZYWjL-iHm7TydLcKzXOTCO42LKpkMPUgR'),
+'pubkey': vault.decrypt('encrypt$gAAAAABnc7LZpfAeig8yCdcZ-NegshXl-DmkJr0F2OlQR2fqhVnrfKPjgOu-5Cq09KnhdvhomGx_9ZtoFS_3OsVqcFHEasBh27aQN41xZPzEN5-qIPQRnmVoTHpufcU6tC-37Fq-PeAE'),
 },
 },
 },
From fed3d5dfdcf36c5289ef80976bcd31fbd68d36b6 Mon Sep 17 00:00:00 2001
From: Franziska Kunsmann
Date: Tue, 31 Dec 2024 13:17:07 +0000
Subject: [PATCH 071/181] correct kunsi ssh key
---
 users.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/users.json b/users.json
index 031215c..d422a05 100644
--- a/users.json
+++ b/users.json
@@ -11,7 +11,7 @@ }, "kunsi": { "ssh_pubkey": [ - "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBG56iljhXQfY0euup1tUtMaFTONGI022uq/kpFOmIQVXeuIClcVB2p4BjL+GwRV51NnpqH9J+qow0/XK3YQkiHY=", + "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBKxEkRuXD/83N6cB1/hz8e0VvwEbPDNvnA/NiEeKOtAI0s2AlluJ5VrQHzxmLkwpBca9SlZo56MskzSYNqN6AgI=", "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC+ja1z5VRQzaKCCePsUM14qMr9QR94qlWc7Je5Poki9UmC1t/TyxRVzcCBL1ZdIfBGx6QKtfkEbvhgb3nxVt3PvXjoJrc6wwGLmNrVsU6B88y35g7nzupQiPKYJwkNzJ9j6Dmkgj1F5Q+aY2SitDaX6vqICLJ4Al/ZFw2IQxVJfC7JXRJ9jRMG5o9gWoE3gWDYEAmw+HU2mNzyeuaD12qJw9DHUimAlgkOWzll3gh9WclsYnnXGrCCn5fyHFUCJl+XXAIy519z7YTpKih02rsIOw5dnaGClBZD/YQu2ZKVFZiwIVH7aBiqHOmtgRyWTQgjbh/fMpIN0ar2f/iZsWYUjd6et48TOmXZYIPCQ5FivXNvxt9oo1XZfq76UHBwlmypLJIWROMbz375n2M6hr3hECuxuPjKEUXAv05KiC1aJ4xc6pFoVhqwAR99hvHw5U4o7/ko2NVjNpTu6Jr5DT5VaQLIdDDjC/93kUjMpdD/8P72bEn7454+WexU6OE6uvNiHj1fetrptr2UAuzVfnCoaV8pBqY7X95gk+lnSENdpr8ltJYMg8s0Z7Pzz0OxsZtzzDY5VmWfC9TCdJkN5lT8IbnaixsYlWdjQl1lMmZGElmelfU3K7YQLAbZiHmHKe4hTl9ZoCcWdTQ3d4y2t1DBos+N2HZNdtFCyOS8esDdMw==" ], "email": "encrypt$gAAAAABfuXj1DQ3yUn0rEdN2koT1hzgHwCwNp00a0KkWoT_FTsild1zIBpfIiI07AmgIZ5FpyhKH5bSdCVLKc0p4rQuxLrLWpw==", From d27c42d51ad6c2b6d218f3eae8c569e5462caf8e Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Tue, 31 Dec 2024 13:17:25 +0000 Subject: [PATCH 072/181] home.nas: allow molly to coonect to mqtt --- nodes/home/nas.py | 1 + 1 file changed, 1 insertion(+) diff --git a/nodes/home/nas.py b/nodes/home/nas.py index ad18be3..576aa3e 100644 --- a/nodes/home/nas.py +++ b/nodes/home/nas.py @@ -148,6 +148,7 @@ nodes['home.nas'] = { 'restrict-to': { '172.19.136.0/25', '172.19.138.0/24', + 'htz-cloud.molly-connector', }, }, 'nfs-server': { From f67de1ea1b3b78c7b38fb0a27f2072a97699f9b2 Mon Sep 17 00:00:00 2001 
From: Franziska Kunsmann
Date: Sun, 5 Jan 2025 10:46:51 +0100
Subject: [PATCH 073/181] ihome.nas: disable ipv6 on avahi to try to mitigate intermittent problems
---
 bundles/avahi-daemon/files/avahi-daemon.conf | 4 ++--
 bundles/avahi-daemon/metadata.py | 3 +++
 nodes/home/nas.py | 3 +++
 3 files changed, 8 insertions(+), 2 deletions(-)
diff --git a/bundles/avahi-daemon/files/avahi-daemon.conf b/bundles/avahi-daemon/files/avahi-daemon.conf
index efdd222..0ad1412 100644
--- a/bundles/avahi-daemon/files/avahi-daemon.conf
+++ b/bundles/avahi-daemon/files/avahi-daemon.conf
@@ -1,7 +1,7 @@
 [server]
 host-name=${node.name.split('.')[-1]}
 use-ipv4=yes
-use-ipv6=yes
+use-ipv6=${'yes' if node.metadata.get('avahi-daemon/use-ipv6') else 'no'}
 allow-interfaces=${','.join(sorted(node.metadata.get('interfaces', {}).keys()))}
 ratelimit-interval-usec=1000000
 ratelimit-burst=1000
@@ -14,7 +14,7 @@ disable-publishing=no
 disable-user-service-publishing=no
 publish-hinfo=yes
 publish-workstation=no
-publish-aaaa-on-ipv4=yes
+publish-aaaa-on-ipv4=no
 publish-a-on-ipv6=no
 [reflector]
diff --git a/bundles/avahi-daemon/metadata.py b/bundles/avahi-daemon/metadata.py
index 0bb909f..f6c3ef5 100644
--- a/bundles/avahi-daemon/metadata.py
+++ b/bundles/avahi-daemon/metadata.py
@@ -5,4 +5,7 @@ defaults = {
 'libnss-mdns': {},
 },
 },
+'avahi-daemon': {
+'use-ipv6': True,
+}
 }
diff --git a/nodes/home/nas.py b/nodes/home/nas.py
index 576aa3e..c1adeb1 100644
--- a/nodes/home/nas.py
+++ b/nodes/home/nas.py
@@ -56,6 +56,9 @@ nodes['home.nas'] = {
 # systemctl start yate
 },
 },
+'avahi-daemon': {
+'use-ipv6': False, # because having a dynamic address confuses the network somehow
+},
 'backups': {
 'paths': {
 '/storage/nas/Audiobooks',
From 1a34555530953ed16a12f9637be22f5abb0fbfc8 Mon Sep 17 00:00:00 2001
From: Franziska Kunsmann
Date: Mon, 6 Jan 2025 19:44:06 +0100
Subject: [PATCH 074/181] bundles/rspamd: use metadata.get()
---
 bundles/rspamd/items.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
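Review bot: `publish-aaaa-on-ipv4=no` is changed unconditionally in the template, so every node that ships this bundle stops announcing AAAA records over IPv4, not only home.nas where `use-ipv6` is set to `False`; if that is intended the commit message should say so, otherwise tie it to the same key, `publish-aaaa-on-ipv4=${'yes' if node.metadata.get('avahi-daemon/use-ipv6') else 'no'}`. In bundles/avahi-daemon/metadata.py the new `'avahi-daemon': {...}` default has no trailing comma after its closing `}`, unlike the neighbouring entries; harmless today, but the next addition to `defaults` will trip over it. The `# because …` comment in nas.py is the kind of reason that belongs on the template change as well.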
diff --git a/bundles/rspamd/items.py b/bundles/rspamd/items.py
index 0491d17..2f9aacb 100644
--- a/bundles/rspamd/items.py
+++ b/bundles/rspamd/items.py
@@ -96,7 +96,7 @@ if 'dkim' in node.metadata.get('rspamd', {}):
 },
 }
-dkim_key = repo.libs.faults.ensure_fault_or_none(node.metadata['rspamd']['dkim'])
+dkim_key = repo.libs.faults.ensure_fault_or_none(node.metadata.get('rspamd/dkim'))
 actions = {
 'rspamd_assure_dkim_key_permissions': {
From 46c761a3c21617223650c976b51634e8b7f48ddc Mon Sep 17 00:00:00 2001
From: Franziska Kunsmann
Date: Mon, 6 Jan 2025 19:44:41 +0100
Subject: [PATCH 075/181] home.nas: more weird avahi fixups
---
 nodes/home/nas.py | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/nodes/home/nas.py b/nodes/home/nas.py
index c1adeb1..a5b904d 100644
--- a/nodes/home/nas.py
+++ b/nodes/home/nas.py
@@ -71,6 +71,11 @@ nodes['home.nas'] = {
 '/storage/nas/normen',
 },
 },
+'cron': {
+'jobs': {
+'avahi-aruba-fixup': '17,47 * * * * root /usr/bin/systemctl restart avahi-daemon.service',
+},
+},
 'dm-crypt': {
 'encrypted-devices': {
 '/dev/disk/by-id/ata-Samsung_SSD_870_QVO_8TB_S5SSNJ0X409404K': {
From 5df7bdf2da4f847b1020cee481a6e60f5a8fe8a5 Mon Sep 17 00:00:00 2001
From: Franziska Kunsmann
Date: Mon, 6 Jan 2025 19:46:13 +0100
Subject: [PATCH 076/181] fix kunsis ssh key (again)
---
 users.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/users.json b/users.json
index d422a05..0dab537 100644
--- a/users.json
+++ b/users.json
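Review bot: the new `avahi-aruba-fixup` cron job restarts avahi-daemon twice an hour with no comment on why; the reason lives only in the commit message, while the previous commit's `avahi-daemon` entry in the same file already carries a `# because …` explanation for the related IPv6 change. A comment on the job line such as `# workaround for the intermittent mDNS problems noted under 'avahi-daemon' above; remove once the root cause is found` keeps the workaround discoverable and marks it as temporary. Each restart also drops every published mDNS record for a moment, which whoever debugs the original problem will want to know about.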
@@ -11,7 +11,7 @@ }, "kunsi": { "ssh_pubkey": [ - "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBKxEkRuXD/83N6cB1/hz8e0VvwEbPDNvnA/NiEeKOtAI0s2AlluJ5VrQHzxmLkwpBca9SlZo56MskzSYNqN6AgI=", + "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBLpRRSFhzPC8xNorYiNDG37JivSSER+oUNjSFwJ+4Gn8QdcM5sjQZsokAEFs5AsAWl1i7d/qceA2JGG4jCwDBx0=", "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC+ja1z5VRQzaKCCePsUM14qMr9QR94qlWc7Je5Poki9UmC1t/TyxRVzcCBL1ZdIfBGx6QKtfkEbvhgb3nxVt3PvXjoJrc6wwGLmNrVsU6B88y35g7nzupQiPKYJwkNzJ9j6Dmkgj1F5Q+aY2SitDaX6vqICLJ4Al/ZFw2IQxVJfC7JXRJ9jRMG5o9gWoE3gWDYEAmw+HU2mNzyeuaD12qJw9DHUimAlgkOWzll3gh9WclsYnnXGrCCn5fyHFUCJl+XXAIy519z7YTpKih02rsIOw5dnaGClBZD/YQu2ZKVFZiwIVH7aBiqHOmtgRyWTQgjbh/fMpIN0ar2f/iZsWYUjd6et48TOmXZYIPCQ5FivXNvxt9oo1XZfq76UHBwlmypLJIWROMbz375n2M6hr3hECuxuPjKEUXAv05KiC1aJ4xc6pFoVhqwAR99hvHw5U4o7/ko2NVjNpTu6Jr5DT5VaQLIdDDjC/93kUjMpdD/8P72bEn7454+WexU6OE6uvNiHj1fetrptr2UAuzVfnCoaV8pBqY7X95gk+lnSENdpr8ltJYMg8s0Z7Pzz0OxsZtzzDY5VmWfC9TCdJkN5lT8IbnaixsYlWdjQl1lMmZGElmelfU3K7YQLAbZiHmHKe4hTl9ZoCcWdTQ3d4y2t1DBos+N2HZNdtFCyOS8esDdMw==" ], "email": "encrypt$gAAAAABfuXj1DQ3yUn0rEdN2koT1hzgHwCwNp00a0KkWoT_FTsild1zIBpfIiI07AmgIZ5FpyhKH5bSdCVLKc0p4rQuxLrLWpw==", From 0b09537ba4643c99c3d28d41ddc22738eb838755 Mon Sep 17 00:00:00 2001 
From: Franziska Kunsmann Date: Mon, 6 Jan 2025 20:12:06 +0100 Subject: [PATCH 077/181] dismantle all arch infrastructure --- bundles/arch-with-gui/files/50-network.conf | 5 - bundles/arch-with-gui/files/autologin.conf | 3 - bundles/arch-with-gui/items.py | 110 -------- bundles/arch-with-gui/metadata.py | 124 --------- bundles/basic/items.py | 1 - bundles/bird/items.py | 9 +- bundles/bird/metadata.py | 9 - bundles/cron/items.py | 11 +- bundles/cron/metadata.py | 5 - bundles/icinga2/items.py | 16 -- bundles/ipmitool/metadata.py | 5 - bundles/letsencrypt/metadata.py | 9 - bundles/lldp/metadata.py | 11 - bundles/lm-sensors/metadata.py | 5 - bundles/nfs-client/items.py | 9 +- bundles/nfs-client/metadata.py | 5 - bundles/nftables/items.py | 7 +- bundles/nftables/metadata.py | 17 -- bundles/nginx/files/arch-override.conf | 9 - bundles/nginx/files/nginx.conf | 2 +- bundles/nginx/items.py | 22 +- bundles/nginx/metadata.py | 5 - bundles/openssh/items.py | 13 +- bundles/openssh/metadata.py | 5 - .../pacman/files/check_unattended_upgrades | 38 --- bundles/pacman/files/do-unattended-upgrades | 18 -- bundles/pacman/files/faillock.conf | 2 - bundles/pacman/files/pacman.conf | 40 --- bundles/pacman/files/upgrade-and-reboot | 49 ---- bundles/pacman/files/upgrade-and-reboot.conf | 3 - bundles/pacman/items.py | 109 -------- bundles/pacman/metadata.py | 55 ---- bundles/postfix/files/arch-override.conf | 6 - bundles/postfix/items.py | 19 +- bundles/postfix/metadata.py | 8 +- bundles/sshmon/items.py | 9 - bundles/sshmon/metadata.py | 8 - bundles/sudo/metadata.py | 5 - bundles/systemd-boot/files/entry | 13 - bundles/systemd-boot/files/loader.conf | 5 - bundles/systemd-boot/files/pacman_hook | 9 - bundles/systemd-boot/items.py | 32 --- bundles/telegraf/metadata.py | 10 - bundles/users/metadata.py | 5 - bundles/vmhost/items.py | 9 - bundles/vmhost/metadata.py | 9 - .../files/crs-runner.service | 16 -- bundles/voc-tracker-worker/files/environment | 6 - bundles/voc-tracker-worker/items.py | 
56 ---- bundles/voc-tracker-worker/metadata.py | 52 ---- bundles/wireguard/metadata.py | 2 +- .../files/zfs-import-scan-override.service | 4 - bundles/zfs/items.py | 3 - bundles/zfs/metadata.py | 18 -- groups/os.py | 8 - hooks/test_zfs_consistency.py | 2 +- nodes/fkusei-locutus.py | 190 ------------- nodes/htz-cloud.aurto.toml | 59 ---- nodes/kunsi-p14s.py | 251 ------------------ 59 files changed, 21 insertions(+), 1524 deletions(-) delete mode 100644 bundles/arch-with-gui/files/50-network.conf delete mode 100644 bundles/arch-with-gui/files/autologin.conf delete mode 100644 bundles/arch-with-gui/items.py delete mode 100644 bundles/arch-with-gui/metadata.py delete mode 100644 bundles/nginx/files/arch-override.conf delete mode 100644 bundles/pacman/files/check_unattended_upgrades delete mode 100644 bundles/pacman/files/do-unattended-upgrades delete mode 100644 bundles/pacman/files/faillock.conf delete mode 100644 bundles/pacman/files/pacman.conf delete mode 100644 bundles/pacman/files/upgrade-and-reboot delete mode 100644 bundles/pacman/files/upgrade-and-reboot.conf delete mode 100644 bundles/pacman/items.py delete mode 100644 bundles/pacman/metadata.py delete mode 100644 bundles/postfix/files/arch-override.conf delete mode 100755 bundles/systemd-boot/files/entry delete mode 100755 bundles/systemd-boot/files/loader.conf delete mode 100644 bundles/systemd-boot/files/pacman_hook delete mode 100644 bundles/systemd-boot/items.py delete mode 100644 bundles/voc-tracker-worker/files/crs-runner.service delete mode 100644 bundles/voc-tracker-worker/files/environment delete mode 100644 bundles/voc-tracker-worker/items.py delete mode 100644 bundles/voc-tracker-worker/metadata.py delete mode 100644 nodes/fkusei-locutus.py delete mode 100644 nodes/htz-cloud.aurto.toml delete mode 100644 nodes/kunsi-p14s.py diff --git a/bundles/arch-with-gui/files/50-network.conf b/bundles/arch-with-gui/files/50-network.conf deleted file mode 100644 index 39c38f2..0000000 
--- a/bundles/arch-with-gui/files/50-network.conf +++ /dev/null @@ -1,5 +0,0 @@ -context.exec = [ - { path = "pactl" args = "load-module module-native-protocol-tcp" } - { path = "pactl" args = "load-module module-zeroconf-discover" } - { path = "pactl" args = "load-module module-zeroconf-publish" } -] diff --git a/bundles/arch-with-gui/files/autologin.conf b/bundles/arch-with-gui/files/autologin.conf deleted file mode 100644 index 9398062..0000000 --- a/bundles/arch-with-gui/files/autologin.conf +++ /dev/null @@ -1,3 +0,0 @@ -[Autologin] -User=${user} -Session=i3.desktop diff --git a/bundles/arch-with-gui/items.py b/bundles/arch-with-gui/items.py deleted file mode 100644 index 5a35931..0000000 --- a/bundles/arch-with-gui/items.py +++ /dev/null 
@@ -1,110 +0,0 @@ -from os import listdir -from os.path import join - -actions = { - 'fc-cache_flush': { - 'command': 'fc-cache -f', - 'triggered': True, - 'needs': { - 'pkg_pacman:fontconfig', - }, - }, - 'i3pystatus_create_virtualenv': { - 'command': '/usr/bin/python3 -m virtualenv -p python3 /opt/i3pystatus/venv/', - 'unless': 'test -d /opt/i3pystatus/venv/', - 'needs': { - 'directory:/opt/i3pystatus/src', - 'pkg_pacman:python-virtualenv', - }, - }, - 'i3pystatus_install': { - 'command': ' && '.join([ - 'cd /opt/i3pystatus/src', - '/opt/i3pystatus/venv/bin/pip install --upgrade pip colour netifaces basiciw pytz', - '/opt/i3pystatus/venv/bin/pip install --upgrade -e .', - ]), - 'needs': { - 'action:i3pystatus_create_virtualenv', - }, - 'triggered': True, - }, -} - -directories = { - '/etc/sddm.conf.d': { - 'purge': True, - }, - '/opt/i3pystatus/src': {}, - '/usr/share/fonts/bundlewrap': { - 'purge': True, - 'triggers': { - 'action:fc-cache_flush', - }, - }, -} - -svc_systemd = { - 'avahi-daemon': { - 'needs': { - 'pkg_pacman:avahi', - }, - }, - 'sddm': { - 'needs': { - 'pkg_pacman:sddm', - }, - }, -} - -git_deploy = { - '/opt/i3pystatus/src': { - 'repo': 'https://github.com/enkore/i3pystatus.git', - 'rev': 'current', - 'triggers': { - 'action:i3pystatus_install', - }, - }, -} - -files['/etc/pipewire/pipewire-pulse.conf.d/50-network.conf'] = {} - -for filename in listdir(join(repo.path, 'data', 'arch-with-gui', 'files', 'fonts')): - if filename.startswith('.'): - continue - - if filename.endswith('.vault'): - # XXX remove this once we have a new bundlewrap release - # https://github.com/bundlewrap/bundlewrap/commit/2429b153dd1ca6781cf3812e2dec9c2b646a546b - from os import environ - if environ.get('BW_VAULT_DUMMY_MODE', '0') == '1': - continue - - font_name = filename[:-6] - attrs = { - 'content': repo.vault.decrypt_file_as_base64(join('arch-with-gui', 'files', 'fonts', filename)), - 'content_type': 'base64', - } - else: - font_name = filename - attrs = { - 
'source': join('fonts', filename), - 'content_type': 'binary', - } - - files[f'/usr/share/fonts/bundlewrap/{font_name}'] = { - 'triggers': { - 'action:fc-cache_flush', - }, - **attrs, - } - -if node.metadata.get('arch-with-gui/autologin_as', None): - files['/etc/sddm.conf.d/autologin.conf'] = { - 'context': { - 'user': node.metadata.get('arch-with-gui/autologin_as'), - }, - 'content_type': 'mako', - 'before': { - 'svc_systemd:sddm', - }, - } diff --git a/bundles/arch-with-gui/metadata.py b/bundles/arch-with-gui/metadata.py deleted file mode 100644 index f1fa8d0..0000000 --- a/bundles/arch-with-gui/metadata.py +++ /dev/null 
@@ -1,124 +0,0 @@ -assert node.os == 'arch' - -defaults = { - 'backups': { - 'paths': { - '/etc/netctl', - }, - }, - 'icinga_options': { - 'exclude_from_monitoring': True, - }, - 'nftables': { - 'input': { - '50-avahi': { - 'udp dport 5353 accept', - 'udp sport 5353 accept', - }, - }, - }, - 'pacman': { - 'packages': { - # fonts - 'fontconfig': {}, - 'ttf-dejavu': { - 'needed_by': { - 'pkg_pacman:sddm', - }, - }, - - # login management - 'sddm': {}, - - # networking - 'avahi': {}, - 'netctl': {}, - 'util-linux': {}, # provides rfkill - 'wpa_supplicant': {}, - 'wpa_actiond': {}, - - # shell and other gui stuff - 'dunst': {}, - 'fish': {}, - 'kitty': {}, - 'libnotify': {}, # provides notify-send - 'light': {}, - 'redshift': {}, - 'rofi': {}, - - # sound - 'calf': {}, - 'easyeffects': {}, - 'lsp-plugins': {}, - 'pavucontrol': {}, - 'pipewire': {}, - 'pipewire-jack': {}, - 'pipewire-pulse': {}, - 'pipewire-zeroconf': {}, - 'qpwgraph': {}, - - # window management - 'i3-wm': {}, - 'i3lock': {}, - 'xss-lock': {}, - - # i3pystatus dependencies - 'iw': {}, - 'wireless_tools': {}, - - # Xorg - 'xf86-input-libinput': {}, - 'xf86-input-wacom': {}, - 'xorg-server': {}, - 'xorg-setxkbmap': {}, - 'xorg-xev': {}, - 'xorg-xinput': {}, - 'xorg-xset': {}, - - # all them apps - 'browserpass': {}, - 'browserpass-firefox': {}, - 'ffmpeg': {}, - 'firefox': {}, - 'gimp': {}, - 'imagemagick': {}, - 'inkscape': {}, - 'kdenlive': {}, - 'maim': {}, - 'mosh': {}, - 'mosquitto': {}, - 'mpv': {}, - 'pass': {}, - 'pass-otp': {}, - 'pdftk': {}, - 'pwgen': {}, - 'qpdfview': {}, - 'samba': {}, - 'shotcut': {}, - 'sipcalc': {}, - 'the_silver_searcher': {}, - 'tlp': {}, - 'virt-manager': {}, - 'xclip': {}, - 'xdotool': {}, # needed for maim window selection - }, - }, -} - -@metadata_reactor.provides( - 'backups/paths', -) -def backup_every_user_home(metadata): - paths = set() - - for user, config in metadata.get('users', {}).items(): - if config.get('delete', False): - continue - - 
paths.add(config.get('home', f'/home/{user}')) - - return { - 'backups': { - 'paths': paths, - }, - } diff --git a/bundles/basic/items.py b/bundles/basic/items.py index e0f9242..c2cdd49 100644 --- a/bundles/basic/items.py +++ b/bundles/basic/items.py @@ -24,7 +24,6 @@ files = { 'before': { 'action:', 'pkg_apt:', - 'pkg_pacman:', }, }, } diff --git a/bundles/bird/items.py b/bundles/bird/items.py index 38a1549..4c4b51c 100644 --- a/bundles/bird/items.py +++ b/bundles/bird/items.py @@ -1,10 +1,5 @@ -if node.os == 'arch': - filename = '/etc/bird.conf' -else: - filename = '/etc/bird/bird.conf' - files = { - filename: { + '/etc/bird/bird.conf': { 'content_type': 'mako', 'triggers': { 'svc_systemd:bird:reload', @@ -15,7 +10,7 @@ files = { svc_systemd = { 'bird': { 'needs': { - f'file:(unknown)', + f'file:/etc/bird/bird.conf', }, }, } diff --git a/bundles/bird/metadata.py b/bundles/bird/metadata.py index bc6be9a..f6096a7 100644 --- a/bundles/bird/metadata.py +++ b/bundles/bird/metadata.py @@ -13,15 +13,6 @@ defaults = { }, }, }, - 'pacman': { - 'packages': { - 'bird': { - 'needed_by': { - 'svc_systemd:bird', - }, - }, - }, - }, 'sysctl': { 'options': { 'net.ipv4.conf.all.forwarding': '1', diff --git a/bundles/cron/items.py b/bundles/cron/items.py index 72e8711..577bb59 100644 --- a/bundles/cron/items.py +++ b/bundles/cron/items.py @@ -1,10 +1,3 @@ -if node.os == 'arch': - service_name = 'cronie' - package_name = 'pkg_pacman:cronie' -else: - service_name = 'cron' - package_name = 'pkg_apt:cron' - files = { '/etc/crontab': { 'content_type': 'mako', @@ -24,9 +17,9 @@ directories = { } svc_systemd = { - service_name: { + 'cron': { 'needs': { - package_name, + 'pkg_apt:cron', }, }, } diff --git a/bundles/cron/metadata.py b/bundles/cron/metadata.py index 66d612a..67b2b22 100644 --- a/bundles/cron/metadata.py +++ b/bundles/cron/metadata.py @@ -4,9 +4,4 @@ defaults = { 'cron': {}, }, }, - 'pacman': { - 'packages': { - 'cronie': {}, - }, - }, } 
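Review bot: In the bundles/bird/items.py hunk at -15, the new line `f'file:/etc/bird/bird.conf',` keeps the `f` prefix even though the string no longer contains a placeholder; it should be the plain literal `'file:/etc/bird/bird.conf',`, matching the literal used as the `files` key in the hunk above it. The path now appears twice in the file, so a single module-level constant such as `filename = '/etc/bird/bird.conf'` (keeping the name the first hunk removed, minus the os branch) would keep the `files` key and the `needs` reference from drifting apart. The `svc_systemd` dict is closed inside the hunk.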
diff --git a/bundles/icinga2/items.py b/bundles/icinga2/items.py index 804d920..6f8de54 100644 --- a/bundles/icinga2/items.py +++ b/bundles/icinga2/items.py @@ -401,22 +401,6 @@ for rnode in sorted(repo.nodes): DAYS_TO_STRING[day%7]: f'{hour}:{minute}-{hour}:{minute+15}', }, }) - elif ( - rnode.has_bundle('pacman') - and rnode.metadata.get('pacman/unattended-upgrades/is_enabled', False) - ): - day = rnode.metadata.get('pacman/unattended-upgrades/day') - hour = rnode.metadata.get('pacman/unattended-upgrades/hour') - minute = rnode.magic_number%30 - - downtimes.append({ - 'name': 'unattended-upgrades', - 'host': rnode.name, - 'comment': f'Downtime for upgrade-and-reboot of node {rnode.name}', - 'times': { - DAYS_TO_STRING[day%7]: f'{hour}:{minute}-{hour}:{minute+15}', - }, - }) files['/etc/icinga2/conf.d/groups.conf'] = { 'source': 'icinga2/groups.conf', diff --git a/bundles/ipmitool/metadata.py b/bundles/ipmitool/metadata.py index a340a7a..e908366 100644 --- a/bundles/ipmitool/metadata.py +++ b/bundles/ipmitool/metadata.py @@ -19,9 +19,4 @@ defaults = { '/usr/bin/ipmitool *', }, }, - 'pacman': { - 'packages': { - 'ipmitool': {}, - }, - }, } diff --git a/bundles/letsencrypt/metadata.py b/bundles/letsencrypt/metadata.py index 09620c4..ffeb084 100644 --- a/bundles/letsencrypt/metadata.py +++ b/bundles/letsencrypt/metadata.py @@ -13,15 +13,6 @@ defaults = { }, }, }, - 'pacman': { - 'packages': { - 'dehydrated': { - 'needed_by': { - 'action:letsencrypt_update_certificates', - }, - }, - }, - }, } diff --git a/bundles/lldp/metadata.py b/bundles/lldp/metadata.py index 7a499dd..2f1875c 100644 --- a/bundles/lldp/metadata.py +++ b/bundles/lldp/metadata.py @@ -10,15 +10,4 @@ defaults = { }, }, }, - 'pacman': { - 'packages': { - 'lldpd': { - 'needed_by': { - 'directory:/etc/lldpd.d', - 'file:/etc/lldpd.conf', - 'svc_systemd:lldpd', - }, - }, - }, - }, } diff --git a/bundles/lm-sensors/metadata.py b/bundles/lm-sensors/metadata.py index ffd3900..01a6d1a 100644 
--- a/bundles/lm-sensors/metadata.py +++ b/bundles/lm-sensors/metadata.py @@ -4,11 +4,6 @@ defaults = { 'lm-sensors': {}, }, }, - 'pacman': { - 'packages': { - 'lm_sensors': {}, - }, - }, 'telegraf': { 'input_plugins': { 'builtin': { diff --git a/bundles/nfs-client/items.py b/bundles/nfs-client/items.py index 918d02c..97cebc4 100644 --- a/bundles/nfs-client/items.py +++ b/bundles/nfs-client/items.py @@ -1,8 +1,3 @@ -if node.has_bundle('pacman'): - package = 'pkg_pacman:nfs-utils' -else: - package = 'pkg_apt:nfs-common' - for mount, data in node.metadata.get('nfs-client/mounts',{}).items(): data['mount'] = mount data['mount_options'] = set(data.get('mount_options', set())) @@ -42,7 +37,7 @@ for mount, data in node.metadata.get('nfs-client/mounts',{}).items(): 'file:/etc/systemd/system/{}.automount'.format(unitname), 'directory:{}'.format(data['mountpoint']), 'svc_systemd:systemd-networkd', - package, + 'pkg_apt:nfs-common', }, } else: @@ -58,7 +53,7 @@ for mount, data in node.metadata.get('nfs-client/mounts',{}).items(): 'file:/etc/systemd/system/{}.mount'.format(unitname), 'directory:{}'.format(data['mountpoint']), 'svc_systemd:systemd-networkd', - package, + 'pkg_apt:nfs-common', }, } diff --git a/bundles/nfs-client/metadata.py b/bundles/nfs-client/metadata.py index c59ee60..93bf66e 100644 --- a/bundles/nfs-client/metadata.py +++ b/bundles/nfs-client/metadata.py @@ -4,11 +4,6 @@ defaults = { 'nfs-common': {}, }, }, - 'pacman': { - 'packages': { - 'nfs-utils': {}, - }, - }, } if node.has_bundle('telegraf'): diff --git a/bundles/nftables/items.py b/bundles/nftables/items.py index 9bbe11f..fc943d4 100644 --- a/bundles/nftables/items.py +++ b/bundles/nftables/items.py @@ -1,8 +1,3 @@ -if node.has_bundle('pacman'): - package = 'pkg_pacman:nftables' -else: - package = 'pkg_apt:nftables' - directories = { # used by other bundles '/etc/nftables-rules.d': { 
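Review bot: In bundles/nfs-client/items.py the hunks at -42 and -58 each now carry the literal `'pkg_apt:nfs-common',` where they previously shared the `package` variable, so the two `needs` sets have to be kept in sync by hand; the first hunk could have dropped only the pacman branch and kept `package = 'pkg_apt:nfs-common'` as the single point of definition. The same pattern appears in bundles/nginx/items.py (`'pkg_apt:nginx'` and `'www-data'` each written more than once) and bundles/postfix/items.py, where `'pkg_apt:postfix'` is now spelled out four times. The enclosing `for mount, data in ...` loop and its if/else start outside the hunks.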
@@ -42,7 +37,7 @@ svc_systemd = { 'nftables': { 'needs': { 'file:/etc/nftables.conf', - package, + 'pkg_apt:nftables', }, }, } diff --git a/bundles/nftables/metadata.py b/bundles/nftables/metadata.py index 15f34d4..4fac791 100644 --- a/bundles/nftables/metadata.py +++ b/bundles/nftables/metadata.py @@ -10,23 +10,6 @@ defaults = { 'blocked_v4': repo.libs.firewall.global_ip4_blocklist, 'blocked_v6': repo.libs.firewall.global_ip6_blocklist, }, - 'pacman': { - 'packages': { - 'nftables': {}, -# https://github.com/bundlewrap/bundlewrap/issues/688 -# 'iptables': { -# 'installed': False, -# 'needed_by': { -# 'pkg_pacman:iptables-nft', -# }, -# }, - 'iptables-nft': { - 'needed_by': { - 'pkg_pacman:nftables', - }, - }, - }, - }, } if not node.has_bundle('vmhost') and not node.has_bundle('docker-engine'): diff --git a/bundles/nginx/files/arch-override.conf b/bundles/nginx/files/arch-override.conf deleted file mode 100644 index 5496fe6..0000000 --- a/bundles/nginx/files/arch-override.conf +++ /dev/null @@ -1,9 +0,0 @@ -[Service] -ExecStart= -ExecStart=/usr/sbin/nginx -c /etc/nginx/nginx.conf - -ExecReload= -ExecReload=/bin/sh -c "/bin/kill -s HUP $(/bin/cat /var/run/nginx.pid)" - -ExecStop= -ExecStop=/bin/sh -c "/bin/kill -s TERM $(/bin/cat /var/run/nginx.pid)" diff --git a/bundles/nginx/files/nginx.conf b/bundles/nginx/files/nginx.conf index 2c20144..7f7bd77 100644 --- a/bundles/nginx/files/nginx.conf +++ b/bundles/nginx/files/nginx.conf @@ -1,4 +1,4 @@ -user ${username}; +user www-data; worker_processes ${worker_processes}; pid /var/run/nginx.pid; diff --git a/bundles/nginx/items.py b/bundles/nginx/items.py index 53edc86..2928686 100644 --- a/bundles/nginx/items.py +++ b/bundles/nginx/items.py @@ -1,12 +1,5 @@ from datetime import datetime, timedelta -if node.has_bundle('pacman'): - package = 'pkg_pacman:nginx' - username = 'http' -else: - package = 'pkg_apt:nginx' - username = 'www-data' - directories = { '/etc/nginx/sites': { 'purge': True, 
@@ -24,9 +17,9 @@ directories = { }, }, '/var/log/nginx-timing': { - 'owner': username, + 'owner': 'www-data', 'needs': { - package, + 'pkg_apt:nginx', }, }, '/var/www': {}, @@ -40,7 +33,6 @@ files = { '/etc/nginx/nginx.conf': { 'content_type': 'mako', 'context': { - 'username': username, **node.metadata['nginx'], }, 'triggers': { @@ -69,21 +61,13 @@ files = { '/var/www/error.html': {}, '/var/www/not_found.html': {}, } -if node.has_bundle('pacman'): - files['/etc/systemd/system/nginx.service.d/bundlewrap.conf'] = { - 'source': 'arch-override.conf', - 'triggers': { - 'action:systemd-reload', - 'svc_systemd:nginx:restart', - }, - } svc_systemd = { 'nginx': { 'needs': { 'action:generate-dhparam', 'directory:/var/log/nginx-timing', - package, + 'pkg_apt:nginx', }, }, } diff --git a/bundles/nginx/metadata.py b/bundles/nginx/metadata.py index 2715065..28395ff 100644 --- a/bundles/nginx/metadata.py +++ b/bundles/nginx/metadata.py @@ -33,11 +33,6 @@ defaults = { 'nginx': { 'worker_connections': 768, }, - 'pacman': { - 'packages': { - 'nginx': {}, - }, - }, } if node.has_bundle('telegraf'): diff --git a/bundles/openssh/items.py b/bundles/openssh/items.py index a93b873..0b9fa04 100644 --- a/bundles/openssh/items.py +++ b/bundles/openssh/items.py @@ -27,29 +27,22 @@ files = { }, } -if node.has_bundle('pacman'): - package = 'pkg_pacman:openssh' - service = 'sshd' -else: - package = 'pkg_apt:openssh-server' - service = 'ssh' - actions = { 'sshd_check_config': { 'command': 'sshd -T -C user=root -C host=localhost -C addr=localhost', 'triggered': True, 'triggers': { - 'svc_systemd:{}:restart'.format(service), + 'svc_systemd:ssh:restart', }, }, } svc_systemd = { - service: { + 'ssh': { 'needs': { 'file:/etc/systemd/system/ssh.service.d/bundlewrap.conf', 'file:/etc/ssh/sshd_config', - package, + 'pkg_apt:openssh-server', }, }, } diff --git a/bundles/openssh/metadata.py b/bundles/openssh/metadata.py index 630b851..4db6d78 100644 --- a/bundles/openssh/metadata.py 
+++ b/bundles/openssh/metadata.py @@ -8,11 +8,6 @@ defaults = { 'openssh-sftp-server': {}, }, }, - 'pacman': { - 'packages': { - 'openssh': {}, - }, - }, } @metadata_reactor.provides( diff --git a/bundles/pacman/files/check_unattended_upgrades b/bundles/pacman/files/check_unattended_upgrades deleted file mode 100644 index 1cafab5..0000000 --- a/bundles/pacman/files/check_unattended_upgrades +++ /dev/null @@ -1,38 +0,0 @@ -#!/bin/bash - -statusfile="/var/tmp/unattended_upgrades.status" -if ! [[ -f "$statusfile" ]] -then - echo "Status file not found" - exit 3 -fi - -mtime=$(stat -c %Y $statusfile) -now=$(date +%s) -if (( $now - $mtime > 60*60*24*8 )) -then - echo "Status file is older than 8 days!" - exit 3 -fi - -exitcode=$(cat $statusfile) -case "$exitcode" in - abort_ssh) - echo "Upgrades skipped due to active SSH login" - exit 1 - ;; - 0) - if [[ -f /var/run/reboot-required ]] - then - echo "OK, but updates require a reboot" - exit 1 - else - echo "OK" - exit 0 - fi - ;; - *) - echo "Last exitcode was $exitcode" - exit 2 - ;; -esac diff --git a/bundles/pacman/files/do-unattended-upgrades b/bundles/pacman/files/do-unattended-upgrades deleted file mode 100644 index a04b5fc..0000000 --- a/bundles/pacman/files/do-unattended-upgrades +++ /dev/null @@ -1,18 +0,0 @@ -#!/bin/bash - -set -xeuo pipefail - -pacman -Syu --noconfirm --noprogressbar - -% for affected, restarts in sorted(restart_triggers.items()): -up_since=$(systemctl show "${affected}" | sed -n 's/^ActiveEnterTimestamp=//p' || echo 0) -up_since_ts=$(date -d "$up_since" +%s || echo 0) -now=$(date +%s) - -if [ $((now - up_since_ts)) -lt 3600 ] -then -% for restart in sorted(restarts): - systemctl restart "${restart}" || true -% endfor -fi -% endfor diff --git a/bundles/pacman/files/faillock.conf b/bundles/pacman/files/faillock.conf deleted file mode 100644 index 19c0ff3..0000000 --- a/bundles/pacman/files/faillock.conf +++ /dev/null @@ -1,2 +0,0 @@ -# just disable faillock. -deny = 0 
diff --git a/bundles/pacman/files/pacman.conf b/bundles/pacman/files/pacman.conf deleted file mode 100644 index 7fb4e48..0000000 --- a/bundles/pacman/files/pacman.conf +++ /dev/null @@ -1,40 +0,0 @@ -[options] -Architecture = auto -CheckSpace -Color -HoldPkg = ${' '.join(sorted(node.metadata.get('pacman/ask_before_removal')))} -ILoveCandy -IgnorePkg = ${' '.join(sorted(node.metadata.get('pacman/ignore_packages', set())))} -LocalFileSigLevel = Optional -NoExtract=${' '.join(sorted(node.metadata.get('pacman/no_extract', set())))} -ParallelDownloads = ${node.metadata.get('pacman/parallel_downloads')} -SigLevel = Required DatabaseOptional -VerbosePkgLists - -% for line in sorted(node.metadata.get('pacman/additional_config', set())): -${line} -% endfor - -[core] -Server = ${node.metadata.get('pacman/repository')} -Include = /etc/pacman.d/mirrorlist - -[extra] -Server = ${node.metadata.get('pacman/repository')} -Include = /etc/pacman.d/mirrorlist - -[community] -Server = ${node.metadata.get('pacman/repository')} -Include = /etc/pacman.d/mirrorlist -% if node.metadata.get('pacman/enable_multilib', False): - -[multilib] -Server = ${node.metadata.get('pacman/repository')} -Include = /etc/pacman.d/mirrorlist -% endif -% if node.metadata.get('pacman/enable_aurto'): - -[aurto] -Server = https://aurto.kunbox.net/ -SigLevel = Optional TrustAll -% endif diff --git a/bundles/pacman/files/upgrade-and-reboot b/bundles/pacman/files/upgrade-and-reboot deleted file mode 100644 index 41973aa..0000000 --- a/bundles/pacman/files/upgrade-and-reboot +++ /dev/null 
@@ -1,49 +0,0 @@ -#!/bin/bash - -# With systemd, we can force logging to the journal. This is better than -# spamming the world with cron mails. You can then view these logs using -# "journalctl -rat upgrade-and-reboot". -if which logger >/dev/null 2>&1 -then - # Dump stdout and stderr to logger, which will then put everything - # into the journal. - exec 1> >(logger -t upgrade-and-reboot -p user.info) - exec 2> >(logger -t upgrade-and-reboot -p user.error) -fi - -. /etc/upgrade-and-reboot.conf - -echo "Starting upgrade-and-reboot for node $nodename ..." - -statusfile="/var/tmp/unattended_upgrades.status" -# Workaround, because /var/tmp is usually 1777 -[[ "$UID" == 0 ]] && chown root:root "$statusfile" - -logins=$(ps h -C sshd -o euser | awk '$1 != "root" && $1 != "sshd" && $1 != "sshmon" && $1 != "nobody"') -if [[ -n "$logins" ]] -then - echo "Will abort now, there are active SSH logins: $logins" - echo "abort_ssh" > "$statusfile" - exit 1 -fi - -softlockdir=/var/lib/bundlewrap/soft-$nodename -mkdir -p "$softlockdir" -printf '{"comment": "UPDATE", "date": %s, "expiry": %s, "id": "UNATTENDED", "items": ["*"], "user": "root@localhost"}\n' \ - $(date +%s) \ - $(date -d 'now + 30 mins' +%s) \ - >"$softlockdir"/UNATTENDED -trap 'rm -f "$softlockdir"/UNATTENDED' EXIT - -do-unattended-upgrades -ret=$? - -echo "$ret" > "$statusfile" -if (( $ret != 0 )) -then - exit 1 -fi - -systemctl reboot - -echo "upgrade-and-reboot for node $nodename is DONE" diff --git a/bundles/pacman/files/upgrade-and-reboot.conf b/bundles/pacman/files/upgrade-and-reboot.conf deleted file mode 100644 index ca71dce..0000000 --- a/bundles/pacman/files/upgrade-and-reboot.conf +++ /dev/null @@ -1,3 +0,0 @@ -nodename="${node.name}" -reboot_mail_to="${node.metadata.get('apt/unattended-upgrades/reboot_mail_to', '')}" -auto_reboot_enabled="${node.metadata.get('apt/unattended-upgrades/reboot_enabled', True)}" 
diff --git a/bundles/pacman/items.py b/bundles/pacman/items.py
deleted file mode 100644
index fe4f605..0000000
--- a/bundles/pacman/items.py
+++ /dev/null
@@ -1,109 +0,0 @@ -from bundlewrap.exceptions import BundleError - -if not node.os == 'arch': - raise BundleError(f'{node.name}: bundle:pacman requires arch linux') - -files = { - '/etc/pacman.conf': { - 'content_type': 'mako', - }, - '/etc/upgrade-and-reboot.conf': { - 'content_type': 'mako', - }, - '/etc/security/faillock.conf': {}, - '/usr/local/sbin/upgrade-and-reboot': { - 'mode': '0700', - }, - '/usr/local/sbin/do-unattended-upgrades': { - 'content_type': 'mako', - 'mode': '0700', - 'context': { - 'restart_triggers': node.metadata.get('pacman/restart_triggers', {}), - } - }, - '/usr/local/share/icinga/plugins/check_unattended_upgrades': { - 'mode': '0755', - }, -} - -svc_systemd['paccache.timer'] = { - 'needs': { - 'pkg_pacman:pacman-contrib', - }, -} - -pkg_pacman = { - 'acpi_call-lts': {}, - 'at': {}, - 'autoconf': {}, - 'automake': {}, - 'bind': {}, - 'binutils': {}, - 'bison': {}, - 'bzip2': {}, - 'curl': {}, - 'dialog': {}, - 'diffutils': {}, - 'fakeroot': {}, - 'file': {}, - 'findutils': {}, - 'flex': {}, - 'fwupd': {}, - 'gawk': {}, - 'gcc': {}, - 'gettext': {}, - 'git': {}, - 'gnu-netcat': {}, - 'grep': {}, - 'groff': {}, - 'gzip': {}, - 'htop': {}, - 'jq': {}, - 'ldns': {}, - 'less': {}, - 'libtool': {}, - 'linux-lts': {}, - 'logrotate': {}, - 'lsof': {}, - 'm4': {}, - 'mailutils': {}, - 'make': {}, - 'man-db': {}, - 'man-pages': {}, - 'moreutils': {}, - 'mtr': {}, - 'ncdu': {}, - 'nmap': {}, - 'pacman-contrib': {}, - 'patch': {}, - 'pkgconf': {}, - 'python': {}, - 'python-setuptools': { - 'needed_by': { - 'pkg_pip:', - }, - }, - 'python-pip': { - 'needed_by': { - 'pkg_pip:', - }, - }, - 'python-virtualenv': {}, - 'rsync': {}, - 'run-parts': {}, - 'sed': {}, - 'tar': {}, - 'texinfo': {}, - 'tmux': {}, - 'tree': {}, - 'unzip': {}, - 'vim': {}, - 'wget': {}, - 'which': {}, - 'whois': {}, - 'zip': {}, -} - - -for pkg, config in node.metadata.get('pacman/packages', {}).items(): - pkg_pacman[pkg] = config 
diff --git a/bundles/pacman/metadata.py b/bundles/pacman/metadata.py deleted file mode 100644 index 1c60981..0000000 --- a/bundles/pacman/metadata.py +++ /dev/null @@ -1,55 +0,0 @@ -defaults = { - 'pacman': { - 'ask_before_removal': { - 'glibc', - 'pacman', - }, - 'enable_aurto': True, - 'no_extract': { - 'etc/cron.d/0hourly', - # don't install systemd-homed pam module. It produces a lot of spam in - # journal about systemd-homed not being active, so just get rid of it. - # Requires reinstall of systemd package, though - 'usr/lib/security/pam_systemd_home.so', - }, - 'parallel_downloads': 4, - 'repository': 'http://ftp.uni-kl.de/pub/linux/archlinux/$repo/os/$arch', - 'unattended-upgrades': { - 'day': 5, - 'hour': 21, - }, - }, -} - - -@metadata_reactor.provides( - 'cron/jobs/upgrade-and-reboot', - 'icinga2_api/pacman/services', -) -def patchday(metadata): - if not metadata.get('pacman/unattended-upgrades/is_enabled', False): - return {} - - day = metadata.get('pacman/unattended-upgrades/day') - hour = metadata.get('pacman/unattended-upgrades/hour') - - return { - 'cron': { - 'jobs': { - 'upgrade-and-reboot': '{minute} {hour} * * {day} root /usr/local/sbin/upgrade-and-reboot'.format( - minute=node.magic_number % 30, - hour=hour, - day=day, - ), - }, - }, - 'icinga2_api': { - 'pacman': { - 'services': { - 'UNATTENDED UPGRADES': { - 'command_on_monitored_host': '/usr/local/share/icinga/plugins/check_unattended_upgrades', - }, - }, - }, - }, - } diff --git a/bundles/postfix/files/arch-override.conf b/bundles/postfix/files/arch-override.conf deleted file mode 100644 index 3b3e46d..0000000 --- a/bundles/postfix/files/arch-override.conf +++ /dev/null @@ -1,6 +0,0 @@ -[Service] -# arch postfix is not set up for chrooting by default -ExecStartPre=-/usr/sbin/mkdir -p /var/spool/postfix/etc -% for file in ['/etc/localtime', '/etc/nsswitch.conf', '/etc/resolv.conf', '/etc/services']: -ExecStartPre=-/usr/sbin/cp -p ${file} /var/spool/postfix${file} -% endfor 
diff --git a/bundles/postfix/items.py b/bundles/postfix/items.py index 5518c90..aeceed1 100644 --- a/bundles/postfix/items.py +++ b/bundles/postfix/items.py @@ -21,13 +21,12 @@ for identifier in node.metadata.get('postfix/mynetworks', set()): netmask = '128' mynetworks.add(f'[{ip6}]/{netmask}') -my_package = 'pkg_pacman:postfix' if node.os == 'arch' else 'pkg_apt:postfix' files = { '/etc/mailname': { 'content': node.metadata.get('postfix/myhostname'), 'before': { - my_package, + 'pkg_apt:postfix', }, 'triggers': { 'svc_systemd:postfix:restart', @@ -82,7 +81,7 @@ actions = { 'command': 'newaliases', 'triggered': True, 'needs': { - my_package, + 'pkg_apt:postfix', }, 'before': { 'svc_systemd:postfix', @@ -92,7 +91,7 @@ actions = { 'command': 'postmap hash:/etc/postfix/blocked_recipients', 'triggered': True, 'needs': { - my_package, + 'pkg_apt:postfix', }, 'before': { 'svc_systemd:postfix', @@ -105,17 +104,7 @@ svc_systemd = { 'needs': { 'file:/etc/postfix/master.cf', 'file:/etc/postfix/main.cf', - my_package, + 'pkg_apt:postfix', }, }, } - -if node.os == 'arch': - files['/etc/systemd/system/postfix.service.d/bundlewrap.conf'] = { - 'source': 'arch-override.conf', - 'content_type': 'mako', - 'triggers': { - 'action:systemd-reload', - 'svc_systemd:postfix:restart', - }, - } diff --git a/bundles/postfix/metadata.py b/bundles/postfix/metadata.py index 3c3be24..1ccf633 100644 --- a/bundles/postfix/metadata.py +++ b/bundles/postfix/metadata.py @@ -14,7 +14,7 @@ defaults = { 'postfix': { 'services': { 'POSTFIX PROCESS': { - 'command_on_monitored_host': '/usr/local/share/icinga/plugins/check_systemd_unit postfix' + ('' if node.os == 'arch' else '@-'), + 'command_on_monitored_host': '/usr/local/share/icinga/plugins/check_systemd_unit postfix@-', }, 'POSTFIX QUEUE': { 'command_on_monitored_host': 'sudo /usr/local/share/icinga/plugins/check_postfix_queue -w 20 -c 40 -d 50', 
@@ -22,12 +22,6 @@ defaults = { }, }, }, - 'pacman': { - 'packages': { - 'postfix': {}, - 's-nail': {}, - }, - }, } if node.has_bundle('postfixadmin'): diff --git a/bundles/sshmon/items.py b/bundles/sshmon/items.py index 3250f39..be9a9a4 100644 --- a/bundles/sshmon/items.py +++ b/bundles/sshmon/items.py @@ -64,12 +64,3 @@ for check in { files["/usr/local/share/icinga/plugins/check_{}".format(check)] = { 'mode': "0755", } - - -if node.has_bundle('pacman'): - symlinks['/usr/lib/nagios/plugins'] = { - 'target': '/usr/lib/monitoring-plugins', - 'needs': { - 'pkg_pacman:monitoring-plugins', - }, - } diff --git a/bundles/sshmon/metadata.py b/bundles/sshmon/metadata.py index 2142623..3026479 100644 --- a/bundles/sshmon/metadata.py +++ b/bundles/sshmon/metadata.py @@ -36,14 +36,6 @@ defaults = { 'sshmon', }, }, - 'pacman': { - 'packages': { - 'gawk': {}, - 'perl-libwww': {}, - 'monitoring-plugins': {}, - 'python-requests': {}, - }, - }, } diff --git a/bundles/sudo/metadata.py b/bundles/sudo/metadata.py index 82b007d..e76edaf 100644 --- a/bundles/sudo/metadata.py +++ b/bundles/sudo/metadata.py @@ -4,9 +4,4 @@ defaults = { 'sudo': {}, }, }, - 'pacman': { - 'packages': { - 'sudo': {}, - }, - }, } diff --git a/bundles/systemd-boot/files/entry b/bundles/systemd-boot/files/entry deleted file mode 100755 index 00d3d8f..0000000 --- a/bundles/systemd-boot/files/entry +++ /dev/null @@ -1,13 +0,0 @@ -title ${config['title']} - -% if 'linux' in config: -linux ${config['linux']} -% for line in config['initrd']: -initrd ${line} -% endfor -% if config.get('options', set()): -options ${' '.join(sorted(config['options']))} -% endif -% else: -efi ${config['efi']} -% endif diff --git a/bundles/systemd-boot/files/loader.conf b/bundles/systemd-boot/files/loader.conf deleted file mode 100755 index b30de61..0000000 --- a/bundles/systemd-boot/files/loader.conf +++ /dev/null 
@@ -1,5 +0,0 @@ -auto-entries no -auto-firmware yes -console-mode keep -default ${config['default']} -timeout ${config.get('timeout', 5)} diff --git a/bundles/systemd-boot/files/pacman_hook b/bundles/systemd-boot/files/pacman_hook deleted file mode 100644 index d65c027..0000000 --- a/bundles/systemd-boot/files/pacman_hook +++ /dev/null @@ -1,9 +0,0 @@ -[Trigger] -Type = Package -Operation = Upgrade -Target = systemd - -[Action] -Description = Gracefully upgrading systemd-boot... -When = PostTransaction -Exec = /usr/bin/systemctl restart systemd-boot-update.service diff --git a/bundles/systemd-boot/items.py b/bundles/systemd-boot/items.py deleted file mode 100644 index 0f26d00..0000000 --- a/bundles/systemd-boot/items.py +++ /dev/null @@ -1,32 +0,0 @@ -assert node.os == 'arch' -assert node.metadata.get('systemd-boot/default') in node.metadata.get('systemd-boot/entries') - -files = { - '/etc/pacman.d/hooks/99-systemd-boot-update': { - 'source': 'pacman_hook', - }, - '/boot/loader/loader.conf': { - 'content_type': 'mako', - 'context': { - 'config': node.metadata.get('systemd-boot'), - }, - 'mode': None, - }, -} - -directories = { - '/boot/loader/entries': { - 'purge': True, - }, -} - -for entry, config in node.metadata.get('systemd-boot/entries').items(): - files[f'/boot/loader/entries/{entry}.conf'] = { - 'source': 'entry', - 'content_type': 'mako', - 'context': { - 'entry': entry, - 'config': config, - }, - 'mode': None, - } diff --git a/bundles/telegraf/metadata.py b/bundles/telegraf/metadata.py index 097750e..4af8190 100644 --- a/bundles/telegraf/metadata.py +++ b/bundles/telegraf/metadata.py @@ -25,14 +25,4 @@ defaults = { }, }, }, - 'pacman': { - 'packages': { - 'telegraf-bin': { - 'needed_by': { - 'svc_systemd:telegraf', - 'user:telegraf', - }, - }, - }, - }, } diff --git a/bundles/users/metadata.py b/bundles/users/metadata.py index 48a8b72..e6f3498 100644 --- a/bundles/users/metadata.py +++ b/bundles/users/metadata.py 
@@ -7,11 +7,6 @@ defaults = { 'kitty-terminfo': {}, }, }, - 'pacman': { - 'packages': { - 'kitty-terminfo': {}, - }, - }, 'users': { 'root': { 'home': '/root', diff --git a/bundles/vmhost/items.py b/bundles/vmhost/items.py index e432a40..402e8ec 100644 --- a/bundles/vmhost/items.py +++ b/bundles/vmhost/items.py @@ -24,12 +24,3 @@ if node.has_bundle('nftables') and node.has_bundle('apt'): 'svc_systemd:nftables:reload', }, } - -if node.has_bundle('pacman'): - svc_systemd['libvirtd'] = { - 'running': None, # triggered via .socket - } - svc_systemd['virtlogd'] = { - 'running': None, # triggered via .socket - 'enabled': None, # triggered via .socket - } diff --git a/bundles/vmhost/metadata.py b/bundles/vmhost/metadata.py index 3aaa10e..79f9d8a 100644 --- a/bundles/vmhost/metadata.py +++ b/bundles/vmhost/metadata.py @@ -21,12 +21,6 @@ defaults = { }, }, }, - 'pacman': { - 'packages': { - 'edk2-ovmf': {}, - 'libvirt': {}, - }, - }, } if node.os == 'debian' and node.os_version[0] < 11: @@ -42,9 +36,6 @@ if node.has_bundle('nftables'): }, } -if node.has_bundle('arch-with-gui'): - defaults['pacman']['packages']['virt-manager'] = {} - @metadata_reactor.provides( 'users', diff --git a/bundles/voc-tracker-worker/files/crs-runner.service b/bundles/voc-tracker-worker/files/crs-runner.service deleted file mode 100644 index 1c85a33..0000000 --- a/bundles/voc-tracker-worker/files/crs-runner.service +++ /dev/null @@ -1,16 +0,0 @@ -[Unit] -Description=CRS runner for ${script} -After=network.target - -[Service] -User=voc -Group=voc -EnvironmentFile=/etc/default/crs-worker -ExecStart=/opt/crs-scripts/bin/crs_run ${script} -WorkingDirectory=/opt/crs-scripts -Restart=on-failure -RestartSec=10 -SyslogIdentifier=crs-${worker} - -[Install] -WantedBy=crs-worker.target diff --git a/bundles/voc-tracker-worker/files/environment b/bundles/voc-tracker-worker/files/environment deleted file mode 100644 index 98f40ea..0000000 --- a/bundles/voc-tracker-worker/files/environment +++ /dev/null 
@@ -1,6 +0,0 @@ -CRS_TRACKER=${url} -CRS_TOKEN=${token} -CRS_SECRET=${secret} -% if use_vaapi: -CRS_USE_VAAPI=yes -% endif diff --git a/bundles/voc-tracker-worker/items.py b/bundles/voc-tracker-worker/items.py deleted file mode 100644 index 6f28a8b..0000000 --- a/bundles/voc-tracker-worker/items.py +++ /dev/null @@ -1,56 +0,0 @@ -paths = { # subpaths of /video - 'capture', - 'encoded', - 'fuse', - 'intros', - 'repair', - 'tmp', -} - -directories = { - '/opt/crs-scripts': {}, -} - -for path in paths: - directories[f'/video/{path}'] = { - 'owner': 'voc', - 'group': 'voc', - } - -git_deploy = { - '/opt/crs-scripts': { - 'repo': 'https://github.com/crs-tools/crs-scripts.git', - 'rev': 'master', - }, -} - -files = { - '/etc/default/crs-worker': { - 'content_type': 'mako', - 'source': 'environment', - 'context': node.metadata.get('voc-tracker-worker'), - }, -} - -for worker, script in { - 'recording-scheduler': 'script-A-recording-scheduler.pl', - 'mount4cut': 'script-B-mount4cut.pl', - 'cut-postprocessor': 'script-C-cut-postprocessor.pl', - 'encoding': 'script-D-encoding.pl', - 'postencoding': 'script-E-postencoding-auphonic.pl', - 'postprocessing': 'script-F-postprocessing-upload.pl', -}.items(): - files[f'/etc/systemd/system/crs-{worker}.service'] = { - 'content_type': 'mako', - 'source': 'crs-runner.service', - 'context': { - 'worker': worker, - 'script': script, - }, - 'needs': { - 'file:/etc/default/crs-worker', - }, - 'triggers': { - 'action:systemd-reload', - }, - } diff --git a/bundles/voc-tracker-worker/metadata.py b/bundles/voc-tracker-worker/metadata.py deleted file mode 100644 index 3a741a8..0000000 --- a/bundles/voc-tracker-worker/metadata.py +++ /dev/null 
@@ -1,52 +0,0 @@ -defaults = { - 'apt': { - 'packages': { - 'ffmpeg': {}, - 'fuse': {}, - 'fuse-ts': {}, - 'libboolean-perl': {}, - 'libconfig-inifiles-perl': {}, - 'libdatetime-perl': {}, - 'libfile-which-perl': {}, - 'libipc-run3-perl': {}, - 'libjson-perl': {}, - 'libmath-round-perl': {}, - 'libproc-processtable-perl': {}, - 'libwww-curl-perl': {}, - 'libxml-rpc-fast-perl': {}, - 'libxml-simple-perl': {}, - }, - }, - 'voc-tracker-worker': { - 'use_vaapi': False, - }, - 'users': { - 'voc': { - 'home': '/opt/voc', - }, - }, - 'pacman': { - 'packages': { - 'ffmpeg': {}, - 'fuse2': {}, - 'fuse3': {}, - # fuse-ts missing - 'perl-boolean': {}, # from aurto - 'perl-config-inifiles': {}, - 'perl-datetime': {}, - 'perl-file-which': {}, - 'perl-ipc-run3': {}, - 'perl-json': {}, - 'perl-math-round': {}, - 'perl-proc-processtable': {}, - 'perl-www-curl': {}, # from aurto - 'perl-xml-simple': {}, - }, - }, -} - -# Install manually from CPAN: -# IO::Socket::SSL -# LWP::Protocol::https -# Types::Serialiser::Error -# XML::RPC::Fast diff --git a/bundles/wireguard/metadata.py b/bundles/wireguard/metadata.py index c08d5ca..267be6a 100644 --- a/bundles/wireguard/metadata.py +++ b/bundles/wireguard/metadata.py @@ -283,7 +283,7 @@ def interface_ips(metadata): 'nftables/postrouting/10-wireguard', ) def snat(metadata): - if not node.has_bundle('nftables') or node.os == 'arch': + if not node.has_bundle('nftables'): raise DoNotRunAgain snat_ip = metadata.get('wireguard/snat_ip', None) diff --git a/bundles/zfs/files/zfs-import-scan-override.service b/bundles/zfs/files/zfs-import-scan-override.service index 3853425..9004ee2 100644 --- a/bundles/zfs/files/zfs-import-scan-override.service +++ b/bundles/zfs/files/zfs-import-scan-override.service @@ -3,8 +3,4 @@ ConditionPathExists= [Service] ExecStart= -% if node.os == 'arch': -ExecStart=/usr/bin/zpool import -aN -o cachefile=none -% else: ExecStart=/usr/sbin/zpool import -aN -o cachefile=none -% endif 
diff --git a/bundles/zfs/items.py b/bundles/zfs/items.py index 8b13f4b..c63250e 100644 --- a/bundles/zfs/items.py +++ b/bundles/zfs/items.py @@ -2,9 +2,6 @@ from json import dumps from bundlewrap.metadata import MetadataJSONEncoder -if node.has_bundle('pacman'): - assert node.metadata.get('pacman/enable_aurto'), f'{node.name}: bundle:zfs needs aurto for zfs-linux-lts package' - files = { '/etc/modprobe.d/zfs.conf': { 'source': 'zfs-modprobe.conf', diff --git a/bundles/zfs/metadata.py b/bundles/zfs/metadata.py index 4191834..3b63e0b 100644 --- a/bundles/zfs/metadata.py +++ b/bundles/zfs/metadata.py @@ -43,24 +43,6 @@ defaults = { }, }, }, - 'pacman': { - 'no_extract': { - 'etc/sudoers.d/zfs', - }, - 'packages': { - 'zfs-linux-lts': { - 'needed_by': { - 'zfs_dataset:', - 'zfs_pool:', - }, - }, - 'zfs-utils': { - 'needed_by': { - 'svc_systemd:zfs-zed', - }, - }, - }, - }, 'systemd-timers': { 'timers': { 'zfs-auto-snapshot-daily': { diff --git a/groups/os.py b/groups/os.py index a6fca0f..d6f1d6b 100644 --- a/groups/os.py +++ b/groups/os.py @@ -13,7 +13,6 @@ groups['raspberry'] = { groups['linux'] = { 'subgroups': { - 'arch', 'debian', 'raspberry', }, @@ -48,13 +47,6 @@ groups['linux'] = { 'pip_command': 'pip3', } -groups['arch'] = { - 'bundles': { - 'pacman', - }, - 'os': 'arch', -} - groups['debian'] = { 'subgroup_patterns': { '^debian-[a-z]+$', diff --git a/hooks/test_zfs_consistency.py b/hooks/test_zfs_consistency.py index 132afe3..d7231e5 100644 --- a/hooks/test_zfs_consistency.py +++ b/hooks/test_zfs_consistency.py @@ -25,7 +25,7 @@ def test_node(repo, node, **kwargs): pool_name = name.split('/', 1)[0] - if pool_name not in zfs_pools and node.os != 'arch': + if pool_name not in zfs_pools: raise BundleError('{n} zfs_dataset:{ds} wants zfs_pool:{pool}, which wasn\'t found'.format( n=node.name, ds=name, diff --git a/nodes/fkusei-locutus.py b/nodes/fkusei-locutus.py deleted file mode 100644 index 23118bd..0000000 --- a/nodes/fkusei-locutus.py +++ /dev/null 
@@ -1,190 +0,0 @@ -nodes['fkusei-locutus'] = { - 'dummy': True, - 'hostname': '10.5.99.29', - 'bundles': { - 'arch-with-gui', - 'bird', - 'lldp', - 'lm-sensors', - 'nfs-client', - 'systemd-boot', - 'telegraf-battery-usage', - 'wireguard', - 'voc-tracker-worker', - 'zfs', - }, - 'groups': { - 'arch', - }, - 'metadata': { - 'arch-with-gui': { - 'autologin_as': 'fkunsmann', - }, - 'bird': { - 'bgp_neighbors': { - 'smedia': { - 'local_as': 4200128002, - 'local_ip': '10.200.128.2', - 'neighbor_as': 64900, - 'neighbor_ip': '10.200.128.1', - }, - }, - }, - 'firewall': { - 'port_rules': { - # obs websocket thingie - just allow all RFC1918 ips here - #'4444': { - # '10.0.0.0/8', - # '172.16.0.0/12', - # '192.168.0.0/16', - #}, - # For the occasional file-share using `python -m http.server` - '8000/tcp': {'*'}, - }, - }, - 'interfaces': { - 'eth*': { - 'dhcp': True, - }, - # there is also wlan0, but that's managed by netctl - }, - 'location': 'home', # not actually true, but needed for static dhcp lease - 'nfs-client': { - 'mounts': { - 'nas-storage': { - 'mountpoint': '/mnt/nas', - 'serverpath': '172.19.138.20:/storage/nas', - 'mount_options': { - 'retry=0', - 'ro', - }, - }, - }, - }, - 'openssh': { - 'restrict-to': { - 'rfc1918', - }, - }, - 'pacman': { - 'packages': { - 'amd-ucode': {}, - 'xf86-video-amdgpu': {}, - - # all that other random stuff one needs - 'apachedirectorystudio': {}, - 'direnv': {}, - 'freerdp': {}, - 'sdl_ttf': {}, # for compiling testcard - 'thermald': {}, - }, - }, - 'sysctl': { - 'options': { - # accept RA even though forwarding is enabled - 'net.ipv4.conf.all.accept_ra': '2', - 'net.ipv4.conf.wlan0.accept_ra': '2', - }, - }, - 'systemd-boot': { - 'default': 'arch', - 'entries': { - 'arch': { - 'title': 'Arch Linux', - 'linux': '/vmlinuz-linux', - 'initrd': [ - '/amd-ucode.img', - '/initramfs-linux.img', - ], - 'options': { - 'net.ifnames=0', - 'rw', - 'zfs=zroot/system/root', - }, - }, - 'arch-fallback': { - 'title': 'Arch Linux (no ucode, 
fallback initramfs)', - 'linux': '/vmlinuz-linux', - 'initrd': [ - '/initramfs-linux-fallback.img', - ], - 'options': { - 'net.ifnames=0', - 'rw', - 'zfs=zroot/system/root', - }, - }, - }, - }, - 'timezone': 'Europe/Berlin', - 'users': { - 'fkunsmann': { - 'password': vault.decrypt('encrypt$gAAAAABgLmmuQGRUStrQawoPee-758emIYn2u8-8ebrgzNAFSp7ifeFDdXXvs-zL3QogwNYlCtBHboH2xfy1rSj6OF5bbNO-tg=='), - 'shell': '/usr/bin/fish', - }, - }, - 'voc-tracker-worker': { - 'url': 'https://tracker.c3voc.de/rpc', - 'token': vault.decrypt('encrypt$gAAAAABiYqaFl4CqOc8DTQIn49Qq0KgAJSzA19GKPNMbyHIjYg0JkvY0sK43ps8CbJWMRR6hJHVK-nP4vrWLwyoWWqt8N8aASMur4odC2s8pEHQKM0TXg4cRwobQz_lyJgrYa2VYdhcD'), - 'secret': vault.decrypt('encrypt$gAAAAABiYqaYbY-3IbnRk-S25pqxrOGN7ovgPo3kBYz8ZqKDedPRzskKZefpLHxBbCOZKjg1XNT4cKbIs5cPCLdj7HdY4beAhnXl4EHZZdxU1zVC7sJCmz9XOS_Ac0UOgOlUFMiet14U'), - }, - 'wireguard': { - 'privatekey': vault.decrypt('smedia$NotViaThisRepository'), - 'peers': { - 'smedia': { - 'endpoint': 'wireguard.htz-cloud.kunbox.net:1194', - 'their_ip': '10.200.128.1', - 'my_ip': '10.200.128.2/20', - 'my_port': 51820, - 'endpoint': '185.122.180.82:51820', - 'psk': vault.decrypt('smedia$NotViaThisRepository'), - 'pubkey': vault.decrypt('smedia$NotViaThisRepository'), - }, - }, - }, - 'zfs': { - 'pools': { - 'zroot': { - 'when_creating': { - 'config': [], - }, - }, - }, - 'datasets': { - # this is not a complete list, but we can't create that - # structure using bundlewrap anyway, so there's no point - # in adding it here. - 'zroot': { - 'compression': 'lz4', - 'relatime': 'on', - 'xattr': 'sa', - 'primarycache': 'metadata' - # encryption is enabled, too. 
- }, - 'zroot/system/journal': { - 'mountpoint': '/var/log/journal', - 'acltype': 'posix', - }, - 'zroot/system/root': { - 'canmount': 'noauto', - 'mountpoint': '/', - }, - 'zroot/user/fkunsmann': { - 'mountpoint': '/home/fkunsmann', - }, - }, - 'snapshots': { - 'retain_per_dataset': { - 'zroot/user/fkunsmann': { - # juuuuuuuust to be sure - 'hourly': 100, - }, - }, - 'snapshot_never': { - 'zroot/system/journal', - }, - }, - }, - }, - 'os': 'arch', -} diff --git a/nodes/htz-cloud.aurto.toml b/nodes/htz-cloud.aurto.toml deleted file mode 100644 index 16fbf9a..0000000 --- a/nodes/htz-cloud.aurto.toml +++ /dev/null 
@@ -1,59 +0,0 @@ -hostname = "2a01:4f9:c010:95fa::2" -bundles = ["backup-client"] -groups = [ - "arch", - "webserver", -] - -[metadata] -description = [ - "When adding packages to aurto, please also add those packages to ~/PACKAGES", - "Wenn Pakete zu aurto hinzugefügt werden, trage sie bitte auch in ~/PACKAGES ein", -] - -[metadata.icinga_options] -period = "daytime" - -[metadata.backups] -paths = [ - "/var/cache/pacman/aurto", -] - -[metadata.interfaces.enp1s0] -ips = ["2a01:4f9:c010:95fa::2/64"] -gateway6 = "fe80::1" - -[metadata.interfaces.enp7s0] -ips = ["172.19.137.4/32"] -gateway4 = "172.19.137.1" - -[metadata.nginx.vhosts.aurto] -domain = "aurto.kunbox.net" -webroot = "/var/cache/pacman/aurto" -extras = true - -[metadata.pacman] -enable_aurto = false -additional_config = [ - "Include = /etc/pacman.d/aurto", -] - -[metadata.pacman.unattended-upgrades] -is_enabled = true - -[metadata.sudo.extra_configs] -50_aurto_passwordless = [ - "%wheel ALL=(ALL) NOPASSWD: /usr/bin/arch-nspawn", - "%wheel ALL=(ALL) NOPASSWD: /usr/bin/pacsync aurto", - "%wheel ALL=(ALL) NOPASSWD:SETENV: /usr/bin/makechrootpkg", -] - -[metadata.users.aurto] -groups = ["wheel"] -ssh_pubkey = [ - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICYst1HK+gJYhNxzqJGnz4iB73pa89Xz2yH+8wufOcsA", # kunsi work - "ssh-rsa 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", # kunsi privat -] - -[metadata.users.kunsi] -groups = ["wheel"] diff --git a/nodes/kunsi-p14s.py b/nodes/kunsi-p14s.py deleted file mode 100644 index 385cf3f..0000000 --- a/nodes/kunsi-p14s.py +++ /dev/null 
@@ -1,251 +0,0 @@ -nodes['kunsi-p14s'] = { - 'hostname': 'localhost', - 'bundles': { - 'arch-with-gui', - 'backup-client', - 'lldp', - 'lm-sensors', - 'nfs-client', - 'systemd-boot', - 'telegraf-battery-usage', - 'vmhost', - 'wireguard', - 'zfs', - }, - 'groups': { - 'arch', - }, - 'metadata': { - 'arch-with-gui': { - 'autologin_as': 'kunsi', - }, - 'backup-client': { - 'exclude_from_monitoring': False, - # only alert people if we're missing more than a week of backups - 'one_backup_every_hours': 7 * 24, - }, - 'firewall': { - 'port_rules': { - # obs websocket thingie - just allow all RFC1918 ips here - #'4444': { - # '10.0.0.0/8', - # '172.16.0.0/12', - # '192.168.0.0/16', - #}, - # For the occasional file-share using `python -m http.server` - '8000/tcp': {'*'}, - }, - }, - 'interfaces': { - 'br0': { - 'ips': {'10.73.100.112/16'}, - 'gateway4': '10.73.0.254', - 'dhcp': True, - }, - # there is also wlp3s0, but that's managed by netctl - }, - 'nfs-client': { - 'mounts': { - 'nas-scansnap': { - 'mountpoint': '/mnt/scansnap', - 'serverpath': '172.19.138.20:/srv/scansnap', - 'mount_options': { - 'retry=0', - 'rw', - }, - }, - 'nas-storage': { - 'mountpoint': '/mnt/nas', - 'serverpath': '172.19.138.20:/storage/nas', - 'mount_options': { - 'retry=0', - 'ro', - }, - }, - }, - }, - 'nftables': { - 'forward': { - '50-routing': [ - 'ct state { related, established } accept', - 'oifname wlan0 accept', - ], - }, - 'postrouting': { - '50-routing': [ - 'oifname wlan0 masquerade', - ], - }, - }, - 'openssh': { - 'restrict-to': { - 'rfc1918', - }, - }, - 'pacman': { - 'no_extract': { - 'etc/sudoers.d/ctdb', # samba junk - }, - 'packages': { - # for hardware support - 'amd-ucode': {}, - 'mesa': {}, - - # various video drivers - 'libva-mesa-driver': {}, - 'mesa-vdpau': {}, - 'xf86-video-amdgpu': {}, - - # all that other random stuff one needs - #'abcde': {}, - 'claws-mail': {}, - 'claws-mail-themes': {}, - 'ferdium-bin': {}, - 'gumbo-parser': {}, # for claws litehtml - 'inkstitch': 
{}, # for RZL embroidery machine - 'obs-studio': {}, - #'perl-musicbrainz-discid': {}, # for abcde - #'perl-webservice-musicbrainz': {}, # for abcde - 'sdl_ttf': {}, # for compiling testcard - 'x32edit': {}, - }, - }, - 'systemd-boot': { - 'default': 'arch', - 'entries': { - 'arch': { - 'title': 'Arch Linux', - 'linux': '/vmlinuz-linux-lts', - 'initrd': [ - '/amd-ucode.img', - '/initramfs-linux-lts.img', - ], - 'options': { - 'net.ifnames=0', - 'rw', - 'zfs=zroot/system/root', - }, - }, - 'arch-fallback': { - 'title': 'Arch Linux (no ucode, fallback initramfs)', - 'linux': '/vmlinuz-linux-lts', - 'initrd': [ - '/initramfs-linux-lts-fallback.img', - ], - 'options': { - 'net.ifnames=0', - 'rw', - 'zfs=zroot/system/root', - }, - }, - }, - }, - 'sysctl': { - 'options': { - 'net.ipv4.conf.all.forwarding': '1', - }, - }, - 'systemd-networkd': { - 'bridges': { - 'br0': { - 'match': { - 'en*', - 'eth*', - }, - }, - }, - }, - 'timezone': 'Europe/Berlin', - 'users': { - 'kunsi': { - 'password': vault.decrypt('encrypt$gAAAAABgLmmuQGRUStrQawoPee-758emIYn2u8-8ebrgzNAFSp7ifeFDdXXvs-zL3QogwNYlCtBHboH2xfy1rSj6OF5bbNO-tg=='), - 'shell': '/usr/bin/fish', - }, - }, - 'wireguard': { - 'peers': { - 'htz-cloud.wireguard': { - 'auto_connection': False, - 'endpoint': 'wireguard.htz-cloud.kunbox.net:1194', - 'my_ip': '172.19.136.65', - 'my_port': 51819, - 'their_ip': '172.19.136.64', - 'routes': { - '10.73.0.0/16', - '172.19.128.0/20', - }, - }, - }, - }, - 'zfs': { - 'pools': { - 'zroot': { - 'when_creating': { - 'config': [{ - 'devices': [ - '/dev/disk/by-id/nvme-UMIS_RPETJ1T24MGE2QDQ_SS0L25218X3RC1BG1182-part2', - ], - }], - 'ashift': 12, - }, - }, - }, - 'datasets': { - # this is not a complete list, but we can't create that - # structure using bundlewrap anyway, so there's no point - # in adding it here. - 'zroot': { - 'compression': 'lz4', - 'relatime': 'on', - 'xattr': 'sa', - 'primarycache': 'metadata' - # encryption is enabled, too. 
- }, - 'zroot/movies': { - 'mountpoint': '/media/movies', - }, - 'zroot/nextcloud': { - 'mountpoint': '/home/kunsi/nextcloud', - }, - 'zroot/system/journal': { - 'mountpoint': '/var/log/journal', - 'acltype': 'posix', - }, - 'zroot/system/libvirt': { - 'mountpoint': '/var/lib/libvirt', - 'needed_by': { - 'bundle:vmhost', - }, - }, - 'zroot/system/video': { - 'mountpoint': '/video', - 'needed_by': { - 'bundle:voc-tracker-worker', - }, - }, - 'zroot/system/root': { - 'canmount': 'noauto', - 'mountpoint': 'legacy', - }, - 'zroot/user/kunsi': { - 'mountpoint': '/home/kunsi', - }, - }, - 'snapshots': { - 'retain_per_dataset': { - 'zroot/user/kunsi': { - # juuuuuuuust to be sure - 'hourly': 100, - }, - }, - 'snapshot_never': { - 'zroot/movies', - 'zroot/nextcloud', - 'zroot/system/journal', - 'zroot/system/video', - }, - }, - }, - }, - 'os': 'arch', -} From ecbb28d0ff0e7e85b9521d714ca568dd7376b1c7 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 12 Jan 2025 10:58:24 +0100 Subject: [PATCH 078/181] .envrc fix indentation --- .envrc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.envrc b/.envrc index 20da331..5fd603a 100644 --- a/.envrc +++ b/.envrc @@ -1,3 +1,3 @@ layout python3 - source_env_if_exists .envrc.local +source_env_if_exists .envrc.local From 767fc06b725cb803c3df1987985fc2368404a149 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Tue, 14 Jan 2025 19:58:08 +0100 Subject: [PATCH 079/181] carlene: remove element-web --- nodes/carlene.toml | 11 ----------- 1 file changed, 11 deletions(-) diff --git a/nodes/carlene.toml b/nodes/carlene.toml index 4581a4b..9939076 100644 --- a/nodes/carlene.toml +++ b/nodes/carlene.toml @@ -6,7 +6,6 @@ groups = [ bundles = [ "check-mail-received", "dovecot", - "element-web", "forgejo", "matrix-media-repo", "matrix-stickerpicker", 
@@ -38,16 +37,6 @@ email = "franzi.kunsmann@t-online.de" imap_host = "secureimap.t-online.de" imap_pass = "!bwpass_attr:t-online.de/franzi.kunsmann@t-online.de:imap" -[metadata.element-web] -url = "chat.franzi.business" -version = "v1.11.89" -[metadata.element-web.config] -default_server_config.'m.homeserver'.base_url = "https://matrix.franzi.business" -default_server_config.'m.homeserver'.server_name = "franzi.business" -brand = "franzi.business" -defaultCountryCode = "DE" -jitsi.preferredDomain = "meet.ffmuc.net" - [metadata.forgejo] version = "9.0.3" sha1 = "a04a8d5bee7321610d91da780a24e18f7407403c" From d27a047db2266aaeddd044b42b4f88a480e7720b Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Tue, 14 Jan 2025 19:58:32 +0100 Subject: [PATCH 080/181] remote bundle:matrix-registration --- bundles/matrix-registration/files/config.yaml | 40 ------------ .../files/matrix-registration.service | 14 ---- bundles/matrix-registration/items.py | 65 ------------------- bundles/matrix-registration/metadata.py | 25 ------- 4 files changed, 144 deletions(-) delete mode 100644 bundles/matrix-registration/files/config.yaml delete mode 100644 bundles/matrix-registration/files/matrix-registration.service delete mode 100644 bundles/matrix-registration/items.py delete mode 100644 bundles/matrix-registration/metadata.py diff --git a/bundles/matrix-registration/files/config.yaml b/bundles/matrix-registration/files/config.yaml deleted file mode 100644 index b3ad3a5..0000000 --- a/bundles/matrix-registration/files/config.yaml +++ /dev/null 
@@ -1,40 +0,0 @@ -server_location: 'http://[::1]:20080' -server_name: '${server_name}' -registration_shared_secret: '${reg_secret}' -admin_api_shared_secret: '${admin_secret}' -base_url: '${base_url}' -client_redirect: '${client_redirect}' -client_logo: 'static/images/element-logo.png' # use '{cwd}' for current working directory -#db: 'sqlite:///opt/matrix-registration/data/db.sqlite3' -db: 'postgresql://${database['user']}:${database['password']}@localhost/${database['database']}' -host: 'localhost' -port: 20100 -rate_limit: ["100 per day", "10 per minute"] -allow_cors: false -ip_logging: false -logging: - disable_existing_loggers: false - version: 1 - root: - level: DEBUG - handlers: [console] - formatters: - brief: - format: '%(name)s - %(levelname)s - %(message)s' - handlers: - console: - class: logging.StreamHandler - level: INFO - formatter: brief - stream: ext://sys.stdout -# password requirements -password: - min_length: 8 -# username requirements -username: - validation_regex: [] #list of regexes that the selected username must match. Example: '[a-zA-Z]\.[a-zA-Z]' - invalidation_regex: #list of regexes that the selected username must NOT match. Example: '(admin|support)' - - '^abuse' - - 'admin' - - 'support' - - 'help' diff --git a/bundles/matrix-registration/files/matrix-registration.service b/bundles/matrix-registration/files/matrix-registration.service deleted file mode 100644 index bf6ace9..0000000 --- a/bundles/matrix-registration/files/matrix-registration.service +++ /dev/null @@ -1,14 +0,0 @@ -[Unit] -Description=matrix-registration -After=network.target - -[Service] -User=matrix-registration -Group=matrix-registration -WorkingDirectory=/opt/matrix-registration/src -ExecStart=/opt/matrix-registration/venv/bin/matrix-registration --config-path /opt/matrix-registration/config.yaml serve -Restart=always -RestartSec=5 - -[Install] -WantedBy=multi-user.target 
diff --git a/bundles/matrix-registration/items.py b/bundles/matrix-registration/items.py deleted file mode 100644 index 05d8914..0000000 --- a/bundles/matrix-registration/items.py +++ /dev/null 
@@ -1,65 +0,0 @@ -actions['matrix-registration_create_virtualenv'] = { - 'command': '/usr/bin/python3 -m virtualenv -p python3 /opt/matrix-registration/venv/', - 'unless': 'test -d /opt/matrix-registration/venv/', - 'needs': { - # actually /opt/matrix-registration, but we don't create that - 'directory:/opt/matrix-registration/src', - }, -} - -actions['matrix-registration_install'] = { - 'command': ' && '.join([ - 'cd /opt/matrix-registration/src', - '/opt/matrix-registration/venv/bin/pip install psycopg2-binary', - '/opt/matrix-registration/venv/bin/pip install -e .', - ]), - 'needs': { - 'action:matrix-registration_create_virtualenv', - }, - 'triggered': True, -} - -users['matrix-registration'] = { - 'home': '/opt/matrix-registration', -} - -directories['/opt/matrix-registration/src'] = {} - -git_deploy['/opt/matrix-registration/src'] = { - 'repo': 'https://github.com/zeratax/matrix-registration.git', - 'rev': 'master', - 'triggers': { - 'action:matrix-registration_install', - 'svc_systemd:matrix-registration:restart', - }, -} - -files['/opt/matrix-registration/config.yaml'] = { - 'content_type': 'mako', - 'context': { - 'admin_secret': node.metadata.get('matrix-registration/admin_secret'), - 'base_url': node.metadata.get('matrix-registration/base_path', ''), - 'client_redirect': node.metadata.get('matrix-registration/client_redirect'), - 'database': node.metadata.get('matrix-registration/database'), - 'reg_secret': node.metadata.get('matrix-synapse/registration_shared_secret'), - 'server_name': node.metadata.get('matrix-synapse/server_name'), - }, - 'triggers': { - 'svc_systemd:matrix-registration:restart', - }, -} - -files['/usr/local/lib/systemd/system/matrix-registration.service'] = { - 'triggers': { - 'action:systemd-reload', - 'svc_systemd:matrix-registration:restart', - }, -} - -svc_systemd['matrix-registration'] = { - 'needs': { - 'action:matrix-registration_install', - 'file:/opt/matrix-registration/config.yaml', - 
'file:/usr/local/lib/systemd/system/matrix-registration.service', - }, -} diff --git a/bundles/matrix-registration/metadata.py b/bundles/matrix-registration/metadata.py deleted file mode 100644 index f5e4e7c..0000000 --- a/bundles/matrix-registration/metadata.py +++ /dev/null @@ -1,25 +0,0 @@ -defaults = { - 'bash_aliases': { - 'matrix-registration': '/opt/matrix-registration/venv/bin/matrix-registration --config-path /opt/matrix-registration/config.yaml', - }, - 'matrix-registration': { - 'admin_secret': repo.vault.password_for(f'{node.name} matrix-registration admin secret'), - 'database': { - 'user': 'matrix-registration', - 'password': repo.vault.password_for(f'{node.name} postgresql matrix-registration'), - 'database': 'matrix-registration', - }, - }, - 'postgresql': { - 'roles': { - 'matrix-registration': { - 'password': repo.vault.password_for(f'{node.name} postgresql matrix-registration'), - }, - }, - 'databases': { - 'matrix-registration': { - 'owner': 'matrix-registration', - }, - }, - }, -} From 774cdd65b97d6c3eb4b8bcacc9fbf94be574f93e Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Tue, 14 Jan 2025 20:01:06 +0100 Subject: [PATCH 081/181] carlene: remove nodejs --- nodes/carlene.toml | 1 - 1 file changed, 1 deletion(-) diff --git a/nodes/carlene.toml b/nodes/carlene.toml index 9939076..2dbc16c 100644 --- a/nodes/carlene.toml +++ b/nodes/carlene.toml @@ -15,7 +15,6 @@ bundles = [ "miniflux", "netbox", "nextcloud", - "nodejs", "ntfy", "oidentd", "php", From 037ec8e2305c1238d9853fd8d9aa10135a602a30 Mon Sep 17 00:00:00 2001 From: Sophie Schiller Date: Tue, 14 Jan 2025 21:30:22 +0100 Subject: [PATCH 082/181] miniserver: postgres and element update --- nodes/sophie/miniserver.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/nodes/sophie/miniserver.py b/nodes/sophie/miniserver.py index 7be112f..c9d3034 100644 --- a/nodes/sophie/miniserver.py +++ b/nodes/sophie/miniserver.py 
@@ -61,7 +61,7 @@ nodes["htz-cloud.miniserver"] = { }, "element-web": { "url": "chat.sophies-kitchen.eu", - "version": "v1.11.86", + "version": "v1.11.90", "config": { "default_server_config": { "m.homeserver": { @@ -217,7 +217,7 @@ nodes["htz-cloud.miniserver"] = { "allow_unauthorized_write": True, }, "postgresql": { - "version": "11", + "version": "13", }, "sysctl": { "options": { From d258a02d46398d7f87bf8d9246bda8de45e0f2f3 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 26 Jan 2025 09:34:22 +0100 Subject: [PATCH 083/181] update travelynx to 2.9.18 --- nodes/carlene.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nodes/carlene.toml b/nodes/carlene.toml index 2dbc16c..ff16153 100644 --- a/nodes/carlene.toml +++ b/nodes/carlene.toml @@ -250,7 +250,7 @@ disks = [ ] [metadata.travelynx] -version = "2.9.8" +version = "2.9.18" mail_from = "travelynx@franzi.business" domain = "travelynx.franzi.business" From 8a6c0d9e951157a7634c3f57c1d4ff8c65559dce Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Mon, 3 Feb 2025 20:52:38 +0100 Subject: [PATCH 084/181] rottenraptor-server new domain --- bundles/letsencrypt/items.py | 4 ++++ nodes/rottenraptor-server.toml | 6 +++++- 2 files changed, 9 insertions(+), 1 deletion(-) diff --git a/bundles/letsencrypt/items.py b/bundles/letsencrypt/items.py index 585cf8e..dd0b9c2 100644 --- a/bundles/letsencrypt/items.py +++ b/bundles/letsencrypt/items.py @@ -12,6 +12,10 @@ actions = { 'needs': { 'svc_systemd:nginx', }, + 'after': { + 'svc_systemd:nginx:reload', + 'svc_systemd:nginx:restart', + }, }, } diff --git a/nodes/rottenraptor-server.toml b/nodes/rottenraptor-server.toml index 5e53f81..af8000f 100644 --- a/nodes/rottenraptor-server.toml +++ b/nodes/rottenraptor-server.toml 
@@ -23,8 +23,12 @@ ips = [
 gateway4 = "91.198.192.193"
 gateway6 = "2001:67c:b54:1::1"
+[metadata.nginx.vhosts.'rotten.city'.locations.'/']
+redirect = "https://www.rottenraptor.com/"
+mode = 302
+
 [metadata.nginx.vhosts.immich]
-domain = "rr-immich.franzi.business"
+domain = "immich.rotten.city"
 [metadata.smartd]
 disks = [
From 97f6e8538f25cd33f72e9129700b16e7020c5037 Mon Sep 17 00:00:00 2001
From: Sophie Schiller
Date: Thu, 6 Feb 2025 23:37:00 +0100
Subject: [PATCH 085/181] miniserver: element-web update
---
 nodes/sophie/miniserver.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/nodes/sophie/miniserver.py b/nodes/sophie/miniserver.py
index c9d3034..5fd1c11 100644
--- a/nodes/sophie/miniserver.py
+++ b/nodes/sophie/miniserver.py
@@ -61,7 +61,7 @@ nodes["htz-cloud.miniserver"] = {
 },
 "element-web": {
 "url": "chat.sophies-kitchen.eu",
- "version": "v1.11.90",
+ "version": "v1.11.91",
 "config": {
 "default_server_config": {
 "m.homeserver": {
From 0c1a96cb724ac1afa8c7390651001023051e010b Mon Sep 17 00:00:00 2001
From: Franziska Kunsmann
Date: Tue, 11 Feb 2025 21:16:16 +0100
Subject: [PATCH 086/181] carlene: new ssd
---
 nodes/carlene.toml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/nodes/carlene.toml b/nodes/carlene.toml
index ff16153..51b4f73 100644
--- a/nodes/carlene.toml
+++ b/nodes/carlene.toml
@@ -245,7 +245,7 @@ dkim = "uO4aNejDvVdw8BKne3KJIqAvCQMJ0416"
 [metadata.smartd]
 disks = [
- "/dev/disk/by-id/nvme-SAMSUNG_MZVL22T0HBLB-00B00_S677NF0W508470",
+ "/dev/disk/by-id/nvme-SAMSUNG_MZVL22T0HBLB-00B00_S677NF0W503350",
 "/dev/disk/by-id/nvme-SAMSUNG_MZVL22T0HBLB-00B00_S677NX0W114380",
 ]
From 6d2aad20ba3bfbc94f89df265ac2bd2696bda93e Mon Sep 17 00:00:00 2001
From: Franziska Kunsmann
Date: Tue, 11 Feb 2025 21:20:30 +0100
Subject: [PATCH 087/181] update forgejo to 10.0.1
---
 nodes/carlene.toml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/nodes/carlene.toml b/nodes/carlene.toml
index 51b4f73..1936f4c 100644
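Review bot: `mode = 302` on the new `rotten.city` → `https://www.rottenraptor.com/` redirect marks the move as temporary, so clients and crawlers keep re-requesting the old host instead of caching the new location. If the move is permanent, `mode = 301` is the usual choice; if the temporary status is deliberate, a comment such as `# 302 on purpose: rotten.city may get its own content later` stops the next reader from "fixing" it.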
--- a/nodes/carlene.toml +++ b/nodes/carlene.toml @@ -37,8 +37,8 @@ imap_host = "secureimap.t-online.de" imap_pass = "!bwpass_attr:t-online.de/franzi.kunsmann@t-online.de:imap" [metadata.forgejo] -version = "9.0.3" -sha1 = "a04a8d5bee7321610d91da780a24e18f7407403c" +version = "10.0.1" +sha1 = "4bfe8cbe979ef8896e294ca662f4cf62af01531c" domain = "git.franzi.business" enable_git_hooks = true install_ssh_key = true From 846f34b8556343a31e64f711d51f7f0b1564f14a Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Tue, 11 Feb 2025 21:20:52 +0100 Subject: [PATCH 088/181] update matrix-media-repo to 1.3.8 --- nodes/carlene.toml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/nodes/carlene.toml b/nodes/carlene.toml index 1936f4c..c361868 100644 --- a/nodes/carlene.toml +++ b/nodes/carlene.toml @@ -58,9 +58,9 @@ gateway6 = "2a0a:51c0:0:225::1" [metadata.matrix-media-repo] admins = ["@kunsi:franzi.business"] datastore_id = "3fff5da324ed784c771d638bb6be5917" -sha1 = "3e2bb7089b0898b86000243a82cc58ae998dc9d9" +sha1 = "453c12cfb9f2c44c509620b63f94f8a9e2d048ef" upload_max_mb = 500 -version = "v1.3.7" +version = "v1.3.8" [metadata.matrix-media-repo.homeservers.'franzi.business'] api = "synapse" domain = "http://[::1]:20080/" From 159701d7b8658f35911abe08725e0c8341fe239e Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Tue, 11 Feb 2025 21:21:27 +0100 Subject: [PATCH 089/181] update netbox to 4.2.3 --- nodes/carlene.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nodes/carlene.toml b/nodes/carlene.toml index c361868..6a8c489 100644 --- a/nodes/carlene.toml +++ b/nodes/carlene.toml @@ -114,7 +114,7 @@ domain = "rss.franzi.business" [metadata.netbox] domain = "netbox.franzi.business" -version = "v4.1.10" +version = "v4.2.3" admins.kunsi = "hostmaster@kunbox.net" [metadata.nextcloud] From 59596c08ae4e9fef085ae7bfd53c3c5ef1f22ad0 Mon Sep 17 00:00:00 2001 
From: Franziska Kunsmann
Date: Tue, 11 Feb 2025 21:23:15 +0100
Subject: [PATCH 090/181] update paperless-ngx to 2.14.7
---
 nodes/home/paperless.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/nodes/home/paperless.py b/nodes/home/paperless.py
index 6297179..7a28c3d 100644
--- a/nodes/home/paperless.py
+++ b/nodes/home/paperless.py
@@ -48,7 +48,7 @@ nodes['home.paperless'] = {
 },
 'paperless': {
 'domain': 'paperless.home.kunbox.net',
- 'version': 'v2.13.5',
+ 'version': 'v2.14.7',
 'timezone': 'Europe/Berlin',
 },
 'postgresql': {
From 18b8c963ab7903bc36a96e09a9c0ae6aaae6b021 Mon Sep 17 00:00:00 2001
From: Franziska Kunsmann
Date: Fri, 14 Feb 2025 19:32:13 +0100
Subject: [PATCH 091/181] bundles/backup-server: support raid0-ing multiple raidz
---
 bundles/backup-server/metadata.py | 63 ++++++++++++++++++++++---------
 1 file changed, 45 insertions(+), 18 deletions(-)
diff --git a/bundles/backup-server/metadata.py b/bundles/backup-server/metadata.py
index 3d78ed6..4be6390 100644
--- a/bundles/backup-server/metadata.py
+++ b/bundles/backup-server/metadata.py
@@ -1,3 +1,5 @@
+from bundlewrap.exceptions import BundleError
+
 defaults = {
 'backup-server': {
 'my_ssh_port': 22,
@@ -69,25 +71,51 @@ def zfs_pool(metadata):
 return {}
 crypt_devices = {}
- pool_devices = set()
 unlock_actions = set()
- for number, (device, passphrase) in enumerate(sorted(metadata.get('backup-server/encrypted-devices', {}).items())):
- crypt_devices[device] = {
- 'dm-name': f'backup{number}',
- 'passphrase': passphrase,
- }
- pool_devices.add(f'/dev/mapper/backup{number}')
- unlock_actions.add(f'action:dm-crypt_open_backup{number}')
+ devices = metadata.get('backup-server/encrypted-devices')
- pool_opts = {
- 'devices': pool_devices,
- }
+ # TODO remove this once we have migrated all systems
+ if isinstance(devices, dict):
+ pool_devices = set()
- if len(pool_devices) > 2:
- pool_opts['type'] = 'raidz'
- elif len(pool_devices) > 1:
- pool_opts['type'] = 'mirror'
+ for number, (device, passphrase) in enumerate(sorted(devices.items())):
+ crypt_devices[device] = {
+ 'dm-name': f'backup{number}',
+ 'passphrase': passphrase,
+ }
+ pool_devices.add(f'/dev/mapper/backup{number}')
+ unlock_actions.add(f'action:dm-crypt_open_backup{number}')
+
+ pool_config = [{
+ 'devices': pool_devices,
+ }]
+
+ if len(pool_devices) > 2:
+ pool_config[0]['type'] = 'raidz'
+ elif len(pool_devices) > 1:
+ pool_config[0]['type'] = 'mirror'
+
+ elif isinstance(devices, list):
+ pool_config = []
+
+ for idx, intended_pool in enumerate(devices):
+ pool_devices = set()
+
+ for number, (device, passphrase) in enumerate(sorted(intended_pool.items())):
+ crypt_devices[device] = {
+ 'dm-name': f'backup{idx}-{number}',
+ 'passphrase': passphrase,
+ }
+ pool_devices.add(f'/dev/mapper/backup{idx}-{number}')
+ unlock_actions.add(f'action:dm-crypt_open_backup{idx}-{number}')
+
+ pool_config.append({
+ 'devices': pool_devices,
+ 'type': 'raidz',
+ })
+ else:
+ raise BundleError(f'{node.name}: unsupported configuration for backup-server/encrypted-devices')
 return {
 'backup-server': {
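Review bot: In the new `elif isinstance(devices, list)` branch every entry is emitted with `'type': 'raidz'` regardless of how many devices it holds, while the dict branch still picks `mirror` for two devices and no type for one; a list entry with a single device would therefore request a raidz vdev it presumably cannot form, and the failure only surfaces at zpool creation. Either apply the same `len(pool_devices)` selection in the list branch or state the contract next to the loop, e.g. `# each list entry becomes one raidz vdev; entries must hold enough devices for raidz`. Dropping the `{}` default from `metadata.get('backup-server/encrypted-devices')` sends a node with the key unset into the `else` branch (presumably intended, since an empty device set was never usable), but the message does not say what was found; `raise BundleError(f'{node.name}: unsupported configuration for backup-server/encrypted-devices (got {type(devices).__name__})')` makes it actionable. The list form also changes the dm-names from `backup{number}` to `backup{idx}-{number}`, so a node migrated from dict to list gets new mapper names — worth stating in the TODO comment. zfs_pool's body continues outside the hunk.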
@@ -100,9 +128,8 @@ def zfs_pool(metadata): 'pools': { 'backups': { 'when_creating': { - 'config': [ - pool_opts, - ], + 'config': pool_config, + **metadata.get('backup-server/zpool_create_options', {}), }, 'needs': unlock_actions, # That's a bit hacky. We do it this way to auto-import From f0031ef847d52500ddb5648f86a426011e04ea64 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Fri, 14 Feb 2025 19:33:13 +0100 Subject: [PATCH 092/181] rottenraptor-server: new disks --- nodes/rottenraptor-server.toml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/nodes/rottenraptor-server.toml b/nodes/rottenraptor-server.toml index af8000f..1a28b6b 100644 --- a/nodes/rottenraptor-server.toml +++ b/nodes/rottenraptor-server.toml @@ -5,7 +5,7 @@ groups = [ ] bundles = [ "docker-engine", - "docker-immich", +# "docker-immich", "ipmitool", "redis", "smartd", @@ -32,8 +32,8 @@ domain = "immich.rotten.city" [metadata.smartd] disks = [ - "/dev/disk/by-id/ata-WDC_WD30EZRX-00DC0B0_WD-WMC1T0287704", - "/dev/disk/by-id/ata-WDC_WD30EZRX-00DC0B0_WD-WMC1T0387139", + "/dev/disk/by-id/ata-HUH721008ALN600_7SGH125C", + "/dev/disk/by-id/ata-HUH721008ALN600_7SGH726C", "/dev/disk/by-id/ata-WDC_WDS100T1R0A-68A4W0_21133V800321", "/dev/disk/by-id/ata-WDC_WDS100T1R0A-68A4W0_21283J446103", "/dev/disk/by-id/nvme-TOSHIBA-RC100_58UPC29HPW5S", @@ -45,8 +45,8 @@ ashift = 12 [[metadata.zfs.pools.tank.when_creating.config]] type = "mirror" devices = [ - "/dev/disk/by-id/ata-WDC_WD30EZRX-00DC0B0_WD-WMC1T0287704", - "/dev/disk/by-id/ata-WDC_WD30EZRX-00DC0B0_WD-WMC1T0387139", + "/dev/disk/by-id/ata-HUH721008ALN600_7SGH125C", + "/dev/disk/by-id/ata-HUH721008ALN600_7SGH726C", ] [[metadata.zfs.pools.tank.when_creating.config]] From 22263eaf6f6dfddef6e3ebb10d935a2709496ace Mon Sep 17 00:00:00 2001 
From: Franziska Kunsmann Date: Fri, 14 Feb 2025 19:33:52 +0100 Subject: [PATCH 093/181] add new backup server --- nodes/backup-kunsi.toml | 34 ++++++++++++++++++++++++++++++++++ 1 file changed, 34 insertions(+) create mode 100644 nodes/backup-kunsi.toml diff --git a/nodes/backup-kunsi.toml b/nodes/backup-kunsi.toml new file mode 100644 index 0000000..276aa0a --- /dev/null +++ b/nodes/backup-kunsi.toml @@ -0,0 +1,34 @@ +hostname = "2001:67c:b54:1::f" +bundles = ["backup-server", "dm-crypt", "zfs"] +groups = ["debian-bookworm"] + +[metadata] +nameservers = ["2001:4860:4860::8888"] + +[metadata.apt.unattended-upgrades] +# requires manual apply to unlock disks +reboot_enabled = false + +[metadata.interfaces.ens18] +ips = ["2001:67c:b54:1::f/64"] +gateway6 = "2001:67c:b54:1::1" + +[metadata.backups] +# this is the backup server +exclude_from_backups = true + +[metadata.backup-server.zpool_create_options] +ashift = 12 + +[[metadata.backup-server.encrypted-devices]] +"/dev/disk/by-id/scsi-0QEMU_QEMU_HARDDISK_drive-scsi1-part1" = "!bwpass:bw/backup-kunsi/ata-ST18000NM0092-3CX103_ZVV06SLR-part1" +"/dev/disk/by-id/scsi-0QEMU_QEMU_HARDDISK_drive-scsi2-part1" = "!bwpass:bw/backup-kunsi/ata-ST18000NM0092-3CX103_ZVV0686W-part1" +"/dev/disk/by-id/scsi-0QEMU_QEMU_HARDDISK_drive-scsi3-part1" = "!bwpass:bw/backup-kunsi/ata-ST18000NM0092-3CX103_ZVV06JV7-part1" + +[[metadata.backup-server.encrypted-devices]] +"/dev/disk/by-id/scsi-0QEMU_QEMU_HARDDISK_drive-scsi1-part2" = "!bwpass:bw/backup-kunsi/ata-ST18000NM0092-3CX103_ZVV06SLR-part2" +"/dev/disk/by-id/scsi-0QEMU_QEMU_HARDDISK_drive-scsi2-part2" = "!bwpass:bw/backup-kunsi/ata-ST18000NM0092-3CX103_ZVV0686W-part2" +"/dev/disk/by-id/scsi-0QEMU_QEMU_HARDDISK_drive-scsi3-part2" = "!bwpass:bw/backup-kunsi/ata-ST18000NM0092-3CX103_ZVV06JV7-part2" + +[metadata.zfs] +scrub_when = "Wed 08:00 Europe/Berlin" From a7a59fd690fa08bd0c1e4bc36826dd9ae64eddaf Mon Sep 17 00:00:00 2001 
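Review bot: The dm-crypt keys are QEMU virtual-disk ids (`scsi-0QEMU_QEMU_HARDDISK_drive-scsiN-partM`) while the passphrase entries are named after physical `ST18000NM0092` drives, and nothing records which VM SCSI slot holds which physical disk. Since the bundle derives dm names and the vdev layout from the sorted order of these keys, a slot renumbering on the hypervisor would try to open each partition with the passphrase of a different disk, so a comment above the first `[[metadata.backup-server.encrypted-devices]]` table such as `# scsi1 = ZVV06SLR, scsi2 = ZVV0686W, scsi3 = ZVV06JV7; part1 and part2 of each disk feed the two raidz vdevs` would make the layout auditable. It is also worth stating that the two three-partition raidz vdevs are striped into one `backups` pool, because losing a single physical disk then degrades both vdevs at the same time.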
From: Franziska Kunsmann Date: Fri, 14 Feb 2025 21:25:10 +0100 Subject: [PATCH 094/181] bundles/backups-server: read backup snapshot info from file instead of asking zfs every time --- .../backup-server/files/check_backup_for_node | 23 +++-------- .../files/check_backup_for_node-cron | 39 +++++++++++++++++++ bundles/backup-server/items.py | 3 ++ bundles/backup-server/metadata.py | 10 ++++- 4 files changed, 56 insertions(+), 19 deletions(-) create mode 100644 bundles/backup-server/files/check_backup_for_node-cron diff --git a/bundles/backup-server/files/check_backup_for_node b/bundles/backup-server/files/check_backup_for_node index b7866f8..bf57012 100644 --- a/bundles/backup-server/files/check_backup_for_node +++ b/bundles/backup-server/files/check_backup_for_node @@ -2,7 +2,6 @@ from datetime import datetime from json import load -from subprocess import check_output from sys import argv, exit from time import time @@ -18,29 +17,17 @@ try: with open(f'/etc/backup-server/config.json', 'r') as f: server_settings = load(f) - # get all existing snapshots for NODE - for line in check_output('LC_ALL=C zfs list -H -t snapshot -o name', shell=True).splitlines(): - line = line.decode('UTF-8') + with open(f'/etc/backup-server/backups.json', 'r') as f: + backups = load(f) - if line.startswith('{}/{}@'.format(server_settings['zfs-base'], NODE)): - _, snapname = line.split('@', 1) - - if 'zfs-auto-snap' in snapname: - # migration from auto-snapshots, ignore - continue - - ts, bucket = snapname.split('-', 1) - snaps.add(int(ts)) - - if not snaps: + if NODE not in backups: print('No backups found!') exit(2) - last_snap = sorted(snaps)[-1] - delta = NOW - last_snap + delta = NOW - backups[NODE] print('Last backup was on {} UTC'.format( - datetime.fromtimestamp(last_snap).strftime('%Y-%m-%d %H:%M:%S'), + datetime.fromtimestamp(backups[NODE]).strftime('%Y-%m-%d %H:%M:%S'), )) # One day without backups is still okay. There may be fluctuations 
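Review bot: The rewritten check trusts `/etc/backup-server/backups.json` without looking at how old the file is, so if the generator that rewrites it stops running, every node's reported timestamp stays frozen and the resulting CRITICALs give no hint that the generator rather than the backups is broken. Before the `if NODE not in backups` test add a freshness guard, e.g. `if NOW - stat('/etc/backup-server/backups.json').st_mtime > 3600: print('UNKNOWN: backups.json is stale'); exit(3)` with `from os import stat` alongside the other imports. A comment saying that the file is produced by `check_backup_for_node-cron` and maps dataset name to the newest snapshot epoch would also help, since the check no longer shows that derivation itself. The enclosing `try` block begins outside this hunk.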
diff --git a/bundles/backup-server/files/check_backup_for_node-cron b/bundles/backup-server/files/check_backup_for_node-cron new file mode 100644 index 0000000..b82217d --- /dev/null +++ b/bundles/backup-server/files/check_backup_for_node-cron @@ -0,0 +1,39 @@ +#!/usr/bin/env python3 + +from json import load, dump +from subprocess import check_output +from shutil import move +from os import remove +from collections import defaultdict + +with open('/etc/backup-server/config.json', 'r') as f: + server_settings = load(f) + +snapshots = defaultdict(set) + +for line in check_output('LC_ALL=C zfs list -H -t snapshot -o name', shell=True).splitlines(): + line = line.decode('UTF-8') + + if line.startswith('{}/'.format(server_settings['zfs-base'])): + dataset, snapname = line.split('@', 1) + + dataset = dataset.split('/')[-1] + ts, bucket = snapname.split('-', 1) + + if not ts.isdigit(): + # garbage, ignore + continue + + snapshots[dataset].add(int(ts)) + +backups = {} +for dataset, snaps in snapshots.items(): + backups[dataset] = sorted(snaps)[-1] + +with open('/etc/backup-server/backups.tmp.json', 'w') as f: + dump(backups, f) + +move( + '/etc/backup-server/backups.tmp.json', + '/etc/backup-server/backups.json', +) diff --git a/bundles/backup-server/items.py b/bundles/backup-server/items.py index bd4d12f..e872231 100644 --- a/bundles/backup-server/items.py +++ b/bundles/backup-server/items.py @@ -18,6 +18,9 @@ files = { '/usr/local/share/icinga/plugins/check_backup_for_node': { 'mode': '0755', }, + '/usr/local/share/icinga/plugins/check_backup_for_node-cron': { + 'mode': '0755', + }, } directories['/etc/backup-server/clients'] = { diff --git a/bundles/backup-server/metadata.py b/bundles/backup-server/metadata.py index 4be6390..aace61b 100644 --- a/bundles/backup-server/metadata.py +++ b/bundles/backup-server/metadata.py 
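Review bot: `ts, bucket = snapname.split('-', 1)` raises ValueError for any snapshot under the base dataset whose name has no `-`, and because nothing catches it the run aborts before the temporary file is written, leaving the previous `backups.json` in place for the check to consume. `ts, _, bucket = snapname.partition('-')` never raises, and the existing `if not ts.isdigit(): continue` already discards such names because `''.isdigit()` is False. The listing could also be scoped with `zfs list -H -t snapshot -o name -r <zfs-base>` and passed as an argv list with `env={'LC_ALL': 'C'}` instead of `shell=True`; `remove` is imported but unused. A short module docstring stating that the output is `{dataset_basename: newest_snapshot_epoch}` consumed by `check_backup_for_node` would document the contract between the two scripts.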
@@ -10,6 +10,14 @@ defaults = { 'c-*', }, }, + 'systemd-timers': { + 'timers': { + 'check_backup_for_node-cron': { + 'command': '/usr/local/share/icinga/plugins/check_backup_for_node-cron', + 'when': '*-*-* *:00/5:00', # every five minutes + } + }, + }, 'zfs': { # The whole point of doing backups is to keep them for a long # time, which eliminates the need for this check. @@ -183,7 +191,7 @@ def monitoring(metadata): continue services[f'BACKUPS FOR NODE {client}'] = { - 'command_on_monitored_host': 'sudo /usr/local/share/icinga/plugins/check_backup_for_node {} {}'.format( + 'command_on_monitored_host': '/usr/local/share/icinga/plugins/check_backup_for_node {} {}'.format( client, config['one_backup_every_hours'], ), From 83730ccb6d106d35e67103bdf472478e780af4d2 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sat, 15 Feb 2025 08:51:07 +0100 Subject: [PATCH 095/181] bundles/backup-server: ignore all non-digit snapshots when rotating --- bundles/backup-server/files/rotate-single-backup-client | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/bundles/backup-server/files/rotate-single-backup-client b/bundles/backup-server/files/rotate-single-backup-client index ee49e26..c76c6b5 100644 --- a/bundles/backup-server/files/rotate-single-backup-client +++ b/bundles/backup-server/files/rotate-single-backup-client @@ -33,12 +33,11 @@ for line in check_output('LC_ALL=C zfs list -H -t snapshot -o name', shell=True) if line.startswith('{}/{}@'.format(server_settings['zfs-base'], NODE)): _, snapname = line.split('@', 1) + ts, bucket = snapname.split('-', 1) - if 'zfs-auto-snap' in snapname: - # migration from auto-snapshots, ignore + if not ts.isdigit(): continue - ts, bucket = snapname.split('-', 1) buckets.setdefault(bucket, set()).add(int(ts)) syslog(f'classified {line} as {bucket} from {ts}') From aae1e8397e06332c8f3358474e1de11ab49005fe Mon Sep 17 00:00:00 2001 
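Review bot: Dropping `sudo` from the `BACKUPS FOR NODE` command means the plugin now runs as the monitoring user and must be able to read `/etc/backup-server/config.json` and `backups.json`; this hunk sets no mode on either, and `backups.json` is created by the timer with whatever umask that service runs under, so the assumption is currently unpinned. Either give those files an explicit mode in items.py (outside this hunk) or at least record the reasoning next to the command, e.g. `# no sudo needed: the plugin only reads /etc/backup-server/*.json, refreshed by the timer above`, so nobody reintroduces a privileged zfs call later. The timer entry would benefit from a comment that it has to run as root only because `zfs list` does.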
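Review bot: Moving `ts, bucket = snapname.split('-', 1)` ahead of the guard keeps the old failure mode: a snapshot under this client whose name contains no `-` raises ValueError and aborts the whole rotation run. `ts, _, bucket = snapname.partition('-')` followed by the unchanged `if not ts.isdigit(): continue` skips such names instead of crashing, and a comment like `# snapshot names are <epoch>-<bucket>; anything else is foreign and left alone` would state the format the rotation relies on. `rotate-single-backup-client` continues outside this hunk.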
From: Franziska Kunsmann Date: Sat, 15 Feb 2025 09:19:24 +0100 Subject: [PATCH 096/181] proxmox-backupstorage: new server, new checks --- nodes/htz-hel/proxmox-backupstorage.toml | 28 ------------------- nodes/proxmox-backupstorage.toml | 34 ++++++++++++++++++++++++ 2 files changed, 34 insertions(+), 28 deletions(-) delete mode 100644 nodes/htz-hel/proxmox-backupstorage.toml create mode 100644 nodes/proxmox-backupstorage.toml diff --git a/nodes/htz-hel/proxmox-backupstorage.toml b/nodes/htz-hel/proxmox-backupstorage.toml deleted file mode 100644 index 0c6d7ac..0000000 --- a/nodes/htz-hel/proxmox-backupstorage.toml +++ /dev/null @@ -1,28 +0,0 @@ -hostname = "2a01:4f9:6b:2d99::c0ff:ee" -#dummy = true -bundles = ["sshmon", "smartd"] - -# How to install: -# - Get server at Hetzner (no IPv4) -# - Install latest proxmox compatible debian -# - RAID5 -# - 50G for system -# - leave rest unpartitioned -# - install zfs -# - create additional partitions for remaining disk space -# - create raidz on those partitions -# - enable ipv6 forwarding -# - install proxmox via apt - -# VM config: -# - IPv6 only -# - IP from the /64 hetzner gives us -# - Gateway is the host itself, to work around the MAC filter hetzner uses - -[metadata.smartd] -disks = [ - "/dev/sda", - "/dev/sdb", - "/dev/sdc", - "/dev/sdd", -] diff --git a/nodes/proxmox-backupstorage.toml b/nodes/proxmox-backupstorage.toml new file mode 100644 index 0000000..7d58297 --- /dev/null +++ b/nodes/proxmox-backupstorage.toml 
@@ -0,0 +1,34 @@ +hostname = "192.168.100.31" +dummy = true + +[metadata.icinga2_api.smartd.services."SMART STATUS CT480BX500SSD1_2314E6C5C695"] +check_command = "sshmon" +"vars.sshmon_command" = "CT480BX500SSD1_2314E6C5C695" + +[metadata.icinga2_api.smartd.services."SMART STATUS CT480BX500SSD1_2314E6C5C6C8"] +check_command = "sshmon" +"vars.sshmon_command" = "CT480BX500SSD1_2314E6C5C6C8" + +[metadata.icinga2_api.smartd.services."SMART STATUS ST18000NM0092-3CX103_ZVV0686W"] +check_command = "sshmon" +"vars.sshmon_command" = "ST18000NM0092-3CX103_ZVV0686W" + +[metadata.icinga2_api.smartd.services."SMART STATUS ST18000NM0092-3CX103_ZVV06JV7"] +check_command = "sshmon" +"vars.sshmon_command" = "ST18000NM0092-3CX103_ZVV06JV7" + +[metadata.icinga2_api.smartd.services."SMART STATUS ST18000NM0092-3CX103_ZVV06SLR"] +check_command = "sshmon" +"vars.sshmon_command" = "ST18000NM0092-3CX103_ZVV06SLR" + +[metadata.icinga2_api.smartd.services."SMART STATUS ST8000NM0045-1RL112_ZA1EYQWR"] +check_command = "sshmon" +"vars.sshmon_command" = "ST8000NM0045-1RL112_ZA1EYQWR" + +[metadata.icinga2_api.smartd.services."SMART STATUS ST8000NM0045-1RL112_ZA1EYZQF"] +check_command = "sshmon" +"vars.sshmon_command" = "ST8000NM0045-1RL112_ZA1EYZQF" + +[metadata.icinga2_api.smartd.services."SMART STATUS ST8000NM0045-1RL112_ZA1EZ0X5"] +check_command = "sshmon" +"vars.sshmon_command" = "ST8000NM0045-1RL112_ZA1EZ0X5" From 463443e1e3d4bcb16b1a3f26b62d296fd0c5afdc Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sat, 15 Feb 2025 10:32:56 +0100 Subject: [PATCH 097/181] bundles/docker-engine: do not put containers on the host network --- bundles/docker-engine/files/docker-wrapper | 5 ++--- bundles/docker-engine/metadata.py | 13 +++++++++++++ 2 files changed, 15 insertions(+), 3 deletions(-) diff --git a/bundles/docker-engine/files/docker-wrapper b/bundles/docker-engine/files/docker-wrapper index c225ceb..20bf38d 100644 --- a/bundles/docker-engine/files/docker-wrapper 
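Review bot: The deleted `htz-hel/proxmox-backupstorage.toml` carried the install procedure (RAID5 system partition, raidz on the remaining space, IPv6 forwarding, gateway-on-host workaround) and none of it is carried over, while the new node is `dummy = true` on a private IPv4 and is only touched through `sshmon` checks. A short header comment would keep that knowledge with the node, e.g. `# Proxmox host, not managed by bundlewrap (dummy); SMART checks are run via sshmon from the monitoring host`, and if the old install notes no longer apply to the new hardware, say so rather than dropping them silently.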
+++ b/bundles/docker-engine/files/docker-wrapper @@ -18,6 +18,7 @@ PGID="$(id -g "docker-${name}")" if [ "$ACTION" == "start" ] then docker run -d \ + --rm \ --name "${name}" \ --env "PUID=$PUID" \ --env "PGID=$PGID" \ @@ -25,9 +26,8 @@ then % for k, v in sorted(environment.items()): --env "${k}=${v}" \ % endfor - --network host \ % for host_port, container_port in sorted(ports.items()): - --expose "127.0.0.1:${host_port}:${container_port}" \ + --publish "127.0.0.1:${host_port}:${container_port}" \ % endfor % for host_path, container_path in sorted(volumes.items()): --volume "/var/opt/docker-engine/${name}/${host_path}:${container_path}" \ @@ -38,7 +38,6 @@ then elif [ "$ACTION" == "stop" ] then docker stop "${name}" - docker rm "${name}" else echo "Unknown action $ACTION" diff --git a/bundles/docker-engine/metadata.py b/bundles/docker-engine/metadata.py index fa55b5e..39cc92f 100644 --- a/bundles/docker-engine/metadata.py +++ b/bundles/docker-engine/metadata.py @@ -18,6 +18,19 @@ defaults = { '/var/opt/docker-engine', }, }, + 'nftables': { + 'forward': { + 'docker-engine': [ + 'ct state { related, established } accept', + 'iifname docker0 accept', + ], + }, + 'postrouting': { + 'docker-engine': [ + 'iifname docker0 masquerade', + ], + }, + }, 'hosts': { 'entries': { '172.17.0.1': { From 5af3fbe3e06de7ac32f5efdff89699bb8f674b81 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sat, 15 Feb 2025 10:33:25 +0100 Subject: [PATCH 098/181] bundles/redis: support 'restrict-to' --- bundles/redis/metadata.py | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/bundles/redis/metadata.py b/bundles/redis/metadata.py index cf15c20..dc0f23b 100644 --- a/bundles/redis/metadata.py +++ b/bundles/redis/metadata.py @@ -1,3 +1,5 @@ +from bundlewrap.metadata import atomic + defaults = { 'apt': { 'packages': { 
@@ -48,3 +50,16 @@ if node.has_bundle('telegraf'): }, }, } + + +@metadata_reactor.provides( + 'firewall/port_rules', +) +def firewall(metadata): + return { + 'firewall': { + 'port_rules': { + '6379/tcp': atomic(metadata.get('redis/restrict-to', {'*'})), + }, + }, + } From 932ae43621382ae0b0faf691d1e7b7870817911d Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sat, 15 Feb 2025 11:06:09 +0100 Subject: [PATCH 099/181] bundles/docker-engine: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAARGLLLLLLLLLLLLLLLLLLLLLLLLL networking is apparently hard --- bundles/docker-engine/files/docker-wrapper | 4 +++- bundles/docker-engine/items.py | 19 +++++++++++++++++-- 2 files changed, 20 insertions(+), 3 deletions(-) diff --git a/bundles/docker-engine/files/docker-wrapper b/bundles/docker-engine/files/docker-wrapper index 20bf38d..adff8e4 100644 --- a/bundles/docker-engine/files/docker-wrapper +++ b/bundles/docker-engine/files/docker-wrapper @@ -17,8 +17,9 @@ PGID="$(id -g "docker-${name}")" if [ "$ACTION" == "start" ] then + docker rm "${name}" || true + docker run -d \ - --rm \ --name "${name}" \ --env "PUID=$PUID" \ --env "PGID=$PGID" \ @@ -26,6 +27,7 @@ then % for k, v in sorted(environment.items()): --env "${k}=${v}" \ % endfor + --network aaarghhh \ % for host_port, container_port in sorted(ports.items()): --publish "127.0.0.1:${host_port}:${container_port}" \ % endfor diff --git a/bundles/docker-engine/items.py b/bundles/docker-engine/items.py index 9e52eca..941c766 100644 --- a/bundles/docker-engine/items.py +++ b/bundles/docker-engine/items.py 
@@ -28,6 +28,21 @@ files['/usr/local/share/icinga/plugins/check_docker_container'] = { 'mode': '0755', } +actions['docker_create_nondefault_network'] = { + # + # By default, containers inherit the DNS settings as defined in the + # /etc/resolv.conf configuration file. Containers that attach to the + # default bridge network receive a copy of this file. Containers that + # attach to a custom network use Docker's embedded DNS server. The embedded + # DNS server forwards external DNS lookups to the DNS servers configured on + # the host. + 'command': 'docker network create aaarghhh', + 'unless': 'docker network ls | grep -q -F aaarghhh', + 'needs': { + 'svc_systemd:docker', + }, +} + for app, config in node.metadata.get('docker-engine/containers', {}).items(): volumes = config.get('volumes', {}) @@ -54,8 +69,8 @@ for app, config in node.metadata.get('docker-engine/containers', {}).items(): 'docker', }, 'after': { - # provides docker group - 'pkg_apt:docker-ce', + 'action:docker_create_nondefault_network', + 'svc_systemd:docker', }, } From 46381c63df883f9f22f29257922552782be7f56f Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sat, 15 Feb 2025 11:07:11 +0100 Subject: [PATCH 100/181] rottenraptor-server: get immich working again --- bundles/docker-immich/metadata.py | 27 ++++++++++++++------------- nodes/rottenraptor-server.toml | 2 +- 2 files changed, 15 insertions(+), 14 deletions(-) diff --git a/bundles/docker-immich/metadata.py b/bundles/docker-immich/metadata.py index b41ea36..4c57801 100644 --- a/bundles/docker-immich/metadata.py +++ b/bundles/docker-immich/metadata.py 
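Review bot: The `unless` for `docker_create_nondefault_network` is `docker network ls | grep -q -F aaarghhh`, a substring match over the whole table, so any network whose name or other column contains that string suppresses creation. `docker network inspect aaarghhh >/dev/null 2>&1` is an exact lookup and the usual idempotency test for this action. The explanatory comment is good; it would be worth adding one line saying that every container on the host joins this one network, since that is a trust boundary other bundles will rely on.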
@@ -9,24 +9,29 @@ defaults = { 'image': 'ghcr.io/imagegenius/immich:latest', 'environment': { 'DB_DATABASE_NAME': 'immich', - 'DB_HOSTNAME': 'host.docker.internal', + 'DB_HOSTNAME': 'immich-postgresql', 'DB_PASSWORD': repo.vault.password_for(f'{node.name} postgresql immich'), 'DB_USERNAME': 'immich', - 'REDIS_HOSTNAME': 'host.docker.internal', + 'REDIS_HOSTNAME': 'immich-redis', }, 'volumes': { 'config': '/config', 'libraries': '/libraries', 'photos': '/photos', }, + 'ports': { + '8080': '8080', + }, 'needs': { - 'svc_systemd:docker-postgresql14', + 'svc_systemd:docker-immich-postgresql', + 'svc_systemd:docker-immich-redis', }, 'requires': { - 'docker-postgresql14.service', + 'docker-immich-postgresql.service', + 'docker-immich-redis.service', }, }, - 'postgresql14': { + 'immich-postgresql': { 'image': 'tensorchord/pgvecto-rs:pg14-v0.2.0', 'environment': { 'POSTGRES_PASSWORD': repo.vault.password_for(f'{node.name} postgresql immich'), @@ -37,6 +42,9 @@ defaults = { 'database': '/var/lib/postgresql/data', }, }, + 'immich-redis': { + 'image': 'docker.io/redis:6.2-alpine', + }, }, }, 'nginx': { @@ -46,19 +54,12 @@ defaults = { '/': { 'target': 'http://127.0.0.1:8080/', 'websockets': True, - 'max_body_size': '500m', + 'max_body_size': '5000m', }, - #'/api/socket.io/': { - # 'target': 'http://127.0.0.1:8081/', - # 'websockets': True, - #}, }, }, }, }, - 'redis': { - 'bind': '0.0.0.0', - }, } diff --git a/nodes/rottenraptor-server.toml b/nodes/rottenraptor-server.toml index 1a28b6b..54a5fe1 100644 --- a/nodes/rottenraptor-server.toml +++ b/nodes/rottenraptor-server.toml @@ -5,7 +5,7 @@ groups = [ ] bundles = [ "docker-engine", -# "docker-immich", + "docker-immich", "ipmitool", "redis", "smartd", From 2257e9a863ccbe5ff4dae934b47fac07d6c314f0 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sat, 15 Feb 2025 12:55:47 +0100 Subject: [PATCH 101/181] bundles/docker-immich: fix assers --- bundles/docker-immich/metadata.py | 4 ---- 1 file changed, 4 deletions(-) 
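Review bot: `immich-redis` runs the stock `docker.io/redis:6.2-alpine` image with no password, and the wrapper attaches every container on this host to the same user-defined network, so any other container here can reach it by name; `immich-postgresql` at least requires the vault password. Nothing in this hunk narrows that, so either put the immich containers on their own network or start redis with `requirepass` and set the matching `REDIS_PASSWORD` on immich, and add a comment above `immich-redis` stating which containers are expected to reach it.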
diff --git a/bundles/docker-immich/metadata.py b/bundles/docker-immich/metadata.py index 4c57801..5b73f70 100644 --- a/bundles/docker-immich/metadata.py +++ b/bundles/docker-immich/metadata.py @@ -1,6 +1,4 @@ assert node.has_bundle('docker-engine') -assert node.has_bundle('redis') -assert not node.has_bundle('postgresql') # docker container uses that port defaults = { 'docker-engine': { @@ -61,5 +59,3 @@ defaults = { }, }, } - - From 7df5570db8361662ea87e0aa1ba7d27237290abd Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sat, 15 Feb 2025 12:59:49 +0100 Subject: [PATCH 102/181] bundles/redis: fix default for restrict-to --- bundles/redis/metadata.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/bundles/redis/metadata.py b/bundles/redis/metadata.py index dc0f23b..db31a84 100644 --- a/bundles/redis/metadata.py +++ b/bundles/redis/metadata.py @@ -59,7 +59,7 @@ def firewall(metadata): return { 'firewall': { 'port_rules': { - '6379/tcp': atomic(metadata.get('redis/restrict-to', {'*'})), + '6379/tcp': atomic(metadata.get('redis/restrict-to', set())), }, }, } From 63779b6519658f36da05c5f5789a8c23cca573d3 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sat, 15 Feb 2025 14:34:21 +0100 Subject: [PATCH 103/181] bundles/docker-engine: fix firewqall rules --- bundles/docker-engine/metadata.py | 11 ++--------- 1 file changed, 2 insertions(+), 9 deletions(-) diff --git a/bundles/docker-engine/metadata.py b/bundles/docker-engine/metadata.py index 39cc92f..2b9212f 100644 --- a/bundles/docker-engine/metadata.py +++ b/bundles/docker-engine/metadata.py 
@@ -22,22 +22,15 @@ defaults = { 'forward': { 'docker-engine': [ 'ct state { related, established } accept', - 'iifname docker0 accept', + 'ip saddr 172.16.0.0/12 accept', ], }, 'postrouting': { 'docker-engine': [ - 'iifname docker0 masquerade', + 'ip saddr 172.16.0.0/12 masquerade', ], }, }, - 'hosts': { - 'entries': { - '172.17.0.1': { - 'host.docker.internal', - }, - }, - }, 'docker-engine': { 'config': { 'iptables': False, From df469cc2e2289d199cfbfb38fd22a17e3aa2f1ea Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sat, 15 Feb 2025 14:41:49 +0100 Subject: [PATCH 104/181] backup-kunsi: install qemu-guest-agent --- nodes/backup-kunsi.toml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/nodes/backup-kunsi.toml b/nodes/backup-kunsi.toml index 276aa0a..3e17bd7 100644 --- a/nodes/backup-kunsi.toml +++ b/nodes/backup-kunsi.toml @@ -5,6 +5,8 @@ groups = ["debian-bookworm"] [metadata] nameservers = ["2001:4860:4860::8888"] +[metadata.apt.packages.qemu-guest-agent] + [metadata.apt.unattended-upgrades] # requires manual apply to unlock disks reboot_enabled = false From b44c7097657605480cd10d03211a31786950f529 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 16 Feb 2025 15:27:18 +0100 Subject: [PATCH 105/181] switch systems to new backup server --- groups/os.py | 2 +- nodes/voc/pretalx.py | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/groups/os.py b/groups/os.py index d6f1d6b..98dacfa 100644 --- a/groups/os.py +++ b/groups/os.py @@ -34,7 +34,7 @@ groups['linux'] = { }, 'metadata': { 'backup-client': { - 'target': 'htz-hel.backup-kunsi', + 'target': 'backup-kunsi', }, 'firewall': { 'port_rules': { diff --git a/nodes/voc/pretalx.py b/nodes/voc/pretalx.py index 376a5e6..f37a29c 100644 --- a/nodes/voc/pretalx.py +++ b/nodes/voc/pretalx.py @@ -17,7 +17,7 @@ nodes['voc.pretalx'] = { }, 'metadata': { 'backup-client': { - 'target': 'htz-hel.backup-kunsi', + 'target': 'backup-kunsi', }, 'check-mail-received': { 't-online': { 
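Review bot: The replacement forward rule `ip saddr 172.16.0.0/12 accept` matches on source address only, so a packet arriving on the uplink with an RFC1918 172.16/12 source is forwarded and then masqueraded by the matching postrouting rule; depending on what the uplink carries, that can turn the host into an open NAT gateway for anything on the same segment. Qualify the forward rule with the bridges Docker actually creates, e.g. `iifname "docker0" ip saddr 172.16.0.0/12 accept` plus `iifname "br-*" ip saddr 172.16.0.0/12 accept` (user-defined networks get `br-<id>` bridges, which is presumably why the `docker0`-only match was dropped); once forwarding is restricted the masquerade rule can stay as written. A comment noting that /12 is Docker's default address pool would explain the constant.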
From 79680e2119ecc7bc08f94dd123f0d48d32f35b74 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 16 Feb 2025 16:09:51 +0100 Subject: [PATCH 106/181] home.r630: exclude from backups --- nodes/home.r630.toml | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/nodes/home.r630.toml b/nodes/home.r630.toml index cdfc4ba..408afb4 100644 --- a/nodes/home.r630.toml +++ b/nodes/home.r630.toml @@ -4,11 +4,7 @@ bundles = ["docker-engine", "nginx", "redis"] [metadata] icinga_options.exclude_from_monitoring = true - -[metadata.docker-engine.config] -# this is a dev machine, it's fine if docker does shenanigans with -# iptables -iptables = true +backups.exclude_from_backups = true [metadata.interfaces.eno3] ips = [ From 45c52c62ca73e0d58281a48b7e5907d1f6fc59b9 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 16 Feb 2025 16:14:56 +0100 Subject: [PATCH 107/181] bundles/docker-engine: turns out, filtering by name means getting everything where the name contains the filter ... --- bundles/docker-engine/files/check_docker_container | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/bundles/docker-engine/files/check_docker_container b/bundles/docker-engine/files/check_docker_container index 2d8216a..ea94173 100644 --- a/bundles/docker-engine/files/check_docker_container +++ b/bundles/docker-engine/files/check_docker_container @@ -18,7 +18,13 @@ try: f'name={container_name}' ]) - containers = loads(f"[{','.join([l for l in docker_ps.decode().splitlines() if l])}]") + docker_json = loads(f"[{','.join([l for l in docker_ps.decode().splitlines() if l])}]") + + containers = [ + container + for container in docker_json + if container['Names'] == container_name + ] if not containers: print(f'CRITICAL: container {container_name} not found!') From e0903ffa50823bc7020b62c6534a26cdf8bbaa2c Mon Sep 17 00:00:00 2001 
From: Franziska Kunsmann Date: Sun, 16 Feb 2025 17:31:35 +0100 Subject: [PATCH 108/181] update mautrix-whatsapp to 0.11.3 --- nodes/carlene.toml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/nodes/carlene.toml b/nodes/carlene.toml index 6a8c489..d738e4b 100644 --- a/nodes/carlene.toml +++ b/nodes/carlene.toml @@ -102,8 +102,8 @@ provisioning.shared_secret = "!decrypt:encrypt$gAAAAABfVKflEMAi07C_QGP8cy97hF-4g "'@kunsi:franzi.business'" = "admin" [metadata.mautrix-whatsapp] -version = "v0.11.2" -sha1 = "0bd8ebef237473989c4e9658c72595e9f7c09d44" +version = "v0.11.3" +sha1 = "f1daba15750313fe205f6d3af2594f11992f0a35" permissions."'@kunsi:franzi.business'" = "admin" [metadata.mautrix-whatsapp.homeserver] domain = "franzi.business" From f04149b4a7aaab46870f4a9e13e99fa22607ffb2 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 16 Feb 2025 18:35:54 +0100 Subject: [PATCH 109/181] bundles/docker-engine: support different user, arbitrary mapped volumes, custom command --- bundles/docker-engine/files/docker-wrapper | 13 +++++++++++-- bundles/docker-engine/items.py | 21 ++++++++++++++------- 2 files changed, 25 insertions(+), 9 deletions(-) diff --git a/bundles/docker-engine/files/docker-wrapper b/bundles/docker-engine/files/docker-wrapper index adff8e4..97c0d37 100644 --- a/bundles/docker-engine/files/docker-wrapper +++ b/bundles/docker-engine/files/docker-wrapper @@ -12,8 +12,8 @@ then exit 1 fi -PUID="$(id -u "docker-${name}")" -PGID="$(id -g "docker-${name}")" +PUID="$(id -u "${user}")" +PGID="$(id -g "${user}")" if [ "$ACTION" == "start" ] then 
@@ -32,10 +32,19 @@ then --publish "127.0.0.1:${host_port}:${container_port}" \ % endfor % for host_path, container_path in sorted(volumes.items()): +% if host_path.startswith('/'): + --volume "${host_path}:${container_path}" \ +% else: --volume "/var/opt/docker-engine/${name}/${host_path}:${container_path}" \ +% endif % endfor --restart unless-stopped \ +% if command: + "${image}" \ + "${command}" +% else: "${image}" +% endif elif [ "$ACTION" == "stop" ] then diff --git a/bundles/docker-engine/items.py b/bundles/docker-engine/items.py index 941c766..7050197 100644 --- a/bundles/docker-engine/items.py +++ b/bundles/docker-engine/items.py @@ -45,16 +45,19 @@ actions['docker_create_nondefault_network'] = { for app, config in node.metadata.get('docker-engine/containers', {}).items(): volumes = config.get('volumes', {}) + user = config.get('user', f'docker-{app}') files[f'/opt/docker-engine/{app}'] = { 'source': 'docker-wrapper', 'content_type': 'mako', 'context': { + 'command': config.get('command'), 'environment': config.get('environment', {}), 'image': config['image'], 'name': app, 'ports': config.get('ports', {}), 'timezone': node.metadata.get('timezone'), + 'user': user, 'volumes': volumes, }, 'mode': '0755', @@ -63,8 +66,7 @@ for app, config in node.metadata.get('docker-engine/containers', {}).items(): }, } - users[f'docker-{app}'] = { - 'home': f'/var/opt/docker-engine/{app}', + users[user] = { 'groups': { 'docker', }, @@ -73,6 +75,8 @@ for app, config in node.metadata.get('docker-engine/containers', {}).items(): 'svc_systemd:docker', }, } + if user == f'docker-{app}': + users[user]['home'] = f'/var/opt/docker-engine/{app}' files[f'/usr/local/lib/systemd/system/docker-{app}.service'] = { 'source': 'docker-wrapper.service', 
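Review bot: `"${command}"` is passed as a single quoted argument, which works for `server` or `worker` but silently turns a multi-word `command` into one argv element that the image will not understand. Either document that limitation in the template (`# command is passed as ONE argument; use a list if arguments are needed`) or render a list from metadata. The absolute-path branch also lets metadata mount any host path into a container, which is fine for repo-controlled config but deserves a one-line comment saying that relative keys are confined to `/var/opt/docker-engine/<name>/` while absolute keys are used verbatim.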
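Review bot: `users[user] = {...}` runs once per container, so when two containers share a `user` (the purpose of the new key) the later iteration replaces the earlier item, and because `home` is only set when `user == f'docker-{app}'`, the surviving definition may lack its home directory depending on iteration order. Guard the definition with `if user not in users:` and leave the `home` assignment outside that guard so the primary container still sets it, giving one user item per name. A comment on the `user` key, e.g. `# 'user' lets several containers (server/worker) share one uid; the app named after it owns the home`, would document the contract.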
@@ -95,20 +99,23 @@ for app, config in node.metadata.get('docker-engine/containers', {}).items(): *deps, f'file:/opt/docker-engine/{app}', f'file:/usr/local/lib/systemd/system/docker-{app}.service', - f'user:docker-{app}', + f'user:{user}', 'svc_systemd:docker', *set(config.get('needs', set())), }, } for volume in volumes: - directories[f'/var/opt/docker-engine/{app}/{volume}'] = { - 'owner': f'docker-{app}', - 'group': f'docker-{app}', + if not volume.startswith('/'): + volume = f'/var/opt/docker-engine/{app}/{volume}' + + directories[volume] = { + 'owner': user, + 'group': user, 'needed_by': { f'svc_systemd:docker-{app}', }, # don't do anything if the directory exists, docker images # mangle owners - 'unless': f'test -d /var/opt/docker-engine/{app}/{volume}', + 'unless': f'test -d {volume}', } From d2a70632828ae8724da2a4eeb4a6fff0da567f32 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 16 Feb 2025 18:36:35 +0100 Subject: [PATCH 110/181] rottenraptor-server: add docker-goauthentik --- bundles/docker-goauthentik/metadata.py | 89 ++++++++++++++++++++++++++ nodes/rottenraptor-server.toml | 4 ++ 2 files changed, 93 insertions(+) create mode 100644 bundles/docker-goauthentik/metadata.py diff --git a/bundles/docker-goauthentik/metadata.py b/bundles/docker-goauthentik/metadata.py new file mode 100644 index 0000000..8cae899 --- /dev/null +++ b/bundles/docker-goauthentik/metadata.py 
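Review bot: `'unless': f'test -d {volume}'` interpolates the host path into a shell command unquoted, and with this hunk the path may now be any absolute path from metadata rather than the bundle's own `/var/opt/docker-engine/{app}/...` prefix, so a path containing a space or shell metacharacter breaks the check or runs something else. `'unless': f'test -d {quote(volume)}'` with `from shlex import quote` at the top of items.py fixes that in one line. A comment such as `# absolute keys are used verbatim, relative keys live under /var/opt/docker-engine/<app>/` above the loop would explain the rebinding of `volume`.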
@@ -0,0 +1,89 @@ +assert node.has_bundle('docker-engine') + +defaults = { + 'docker-engine': { + 'containers': { + 'goauthentik-server': { + 'image': 'ghcr.io/goauthentik/server:latest', + 'command': 'server', + 'environment': { + 'AUTHENTIK_POSTGRESQL__HOST': 'goauthentik-postgresql', + 'AUTHENTIK_POSTGRESQL__NAME': 'goauthentik', + 'AUTHENTIK_POSTGRESQL__PASSWORD': repo.vault.password_for(f'{node.name} postgresql goauthentik'), + 'AUTHENTIK_POSTGRESQL__USER': 'goauthentik', + 'AUTHENTIK_REDIS__HOST': 'goauthentik-redis', + 'AUTHENTIK_SECRET_KEY': repo.vault.password_for(f'{node.name} goauthentik secret key'), + }, + 'volumes': { + 'media': '/media', + 'templates': '/templates', + }, + 'ports': { + '9000': '9000', + '9443': '9443', + }, + 'needs': { + 'svc_systemd:docker-goauthentik-postgresql', + 'svc_systemd:docker-goauthentik-redis', + }, + 'requires': { + 'docker-goauthentik-postgresql.service', + 'docker-goauthentik-redis.service', + }, + }, + 'goauthentik-worker': { + 'image': 'ghcr.io/goauthentik/server:latest', + 'command': 'worker', + 'user': 'docker-goauthentik-server', + 'environment': { + 'AUTHENTIK_POSTGRESQL__HOST': 'goauthentik-postgresql', + 'AUTHENTIK_POSTGRESQL__NAME': 'goauthentik', + 'AUTHENTIK_POSTGRESQL__PASSWORD': repo.vault.password_for(f'{node.name} postgresql goauthentik'), + 'AUTHENTIK_POSTGRESQL__USER': 'goauthentik', + 'AUTHENTIK_REDIS__HOST': 'goauthentik-redis', + 'AUTHENTIK_SECRET_KEY': repo.vault.password_for(f'{node.name} goauthentik secret key'), + }, + 'volumes': { + '/var/opt/docker-engine/goauthentik-server/media': '/media', + '/var/opt/docker-engine/goauthentik-server/certs': '/certs', + '/var/opt/docker-engine/doauthentik-server/templates': '/templates', + }, + 'needs': { + 'svc_systemd:docker-goauthentik-postgresql', + 'svc_systemd:docker-goauthentik-redis', + }, + 'requires': { + 'docker-goauthentik-postgresql.service', + 'docker-goauthentik-redis.service', + }, + }, + 'goauthentik-postgresql': { + 'image': 
'docker.io/library/postgres:16-alpine', + 'environment': { + 'POSTGRES_PASSWORD': repo.vault.password_for(f'{node.name} postgresql goauthentik'), + 'POSTGRES_USER': 'goauthentik', + 'POSTGRES_DB': 'goauthentik', + }, + 'volumes': { + 'database': '/var/lib/postgresql/data', + }, + }, + 'goauthentik-redis': { + 'image': 'docker.io/library/redis:alpine', + }, + }, + }, + 'nginx': { + 'vhosts': { + 'goauthentik': { + 'locations': { + '/': { + 'target': 'http://127.0.0.1:9000/', + 'websockets': True, + 'max_body_size': '5000m', + }, + }, + }, + }, + }, +} diff --git a/nodes/rottenraptor-server.toml b/nodes/rottenraptor-server.toml index 54a5fe1..407bb70 100644 --- a/nodes/rottenraptor-server.toml +++ b/nodes/rottenraptor-server.toml @@ -5,6 +5,7 @@ groups = [ ] bundles = [ "docker-engine", + "docker-goauthentik", "docker-immich", "ipmitool", "redis", @@ -27,6 +28,9 @@ gateway6 = "2001:67c:b54:1::1" redirect = "https://www.rottenraptor.com/" mode = 302 +[metadata.nginx.vhosts.goauthentik] +domain = "sso.rotten.city" + [metadata.nginx.vhosts.immich] domain = "immich.rotten.city" From 8db6c73f2564eb468582d043b87630cc9a97d575 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Mon, 17 Feb 2025 09:54:47 +0100 Subject: [PATCH 111/181] home.nas: back up entire NAS --- nodes/home/nas.py | 9 +-------- 1 file changed, 1 insertion(+), 8 deletions(-) diff --git a/nodes/home/nas.py b/nodes/home/nas.py index a5b904d..831513a 100644 --- a/nodes/home/nas.py +++ b/nodes/home/nas.py @@ -61,14 +61,7 @@ nodes['home.nas'] = { }, 'backups': { 'paths': { - '/storage/nas/Audiobooks', - '/storage/nas/Bilder', - '/storage/nas/Bilder_Archiv', - '/storage/nas/Books', - '/storage/nas/Installer', - '/storage/nas/Musik', - '/storage/nas/Musikvideos', - '/storage/nas/normen', + '/storage/nas/', }, }, 'cron': { From 5bd406ae90b57e3989d0d42e865448c811e5c653 Mon Sep 17 00:00:00 2001 
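Review bot: Both goauthentik containers pull `ghcr.io/goauthentik/server:latest`, so the identity provider's version is whatever the registry serves at pull time, upgrades are untracked in the repo, and a server and worker pulled at different times can run different releases against one database; elsewhere in this series versions are pinned (`travelynx`, `netbox`), so pin the image tag here too, ideally with a digest, e.g. `'image': 'ghcr.io/goauthentik/server:<version>@sha256:<digest>'`. The nginx `max_body_size: '5000m'` on the SSO vhost looks copied from a media service and is far larger than an identity provider needs; a value in the low megabytes limits how much an unauthenticated client can make the proxy accept. The server container also lacks the `certs` volume the worker mounts; if the server is meant to serve those certificates this should be confirmed.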
From: Franziska Kunsmann Date: Mon, 17 Feb 2025 10:05:02 +0100 Subject: [PATCH 112/181] remove htz-hel.backup-kunsi --- nodes/htz-hel/backup-kunsi.py | 40 ----------------------------------- 1 file changed, 40 deletions(-) delete mode 100644 nodes/htz-hel/backup-kunsi.py diff --git a/nodes/htz-hel/backup-kunsi.py b/nodes/htz-hel/backup-kunsi.py deleted file mode 100644 index 50996fb..0000000 --- a/nodes/htz-hel/backup-kunsi.py +++ /dev/null @@ -1,40 +0,0 @@ -nodes['htz-hel.backup-kunsi'] = { - 'hostname': '2a01:4f9:6b:2d99::1337', - 'bundles': { - 'backup-server', - 'dm-crypt', - 'zfs', - }, - 'groups': { - 'debian-bullseye', - }, - 'metadata': { - 'apt': { - 'unattended-upgrades': { - # requires manual apply after reboot to unlock dm-crypt - # devices - 'reboot_enabled': False, - }, - }, - 'interfaces': { - 'ens18': { - 'ips': { - '2a01:4f9:6b:2d99::1337/64', - }, - 'gateway6': '2a01:4f9:6b:2d99::2', - }, - }, - 'backups': { - # This is the backup target. - 'exclude_from_backups': True, - }, - 'backup-server': { - 'encrypted-devices': { - '/dev/disk/by-id/scsi-0QEMU_QEMU_HARDDISK_drive-scsi1-part1': bwpass.password('bw/backup-kunsi/encryption-passphrase'), - }, - }, - 'zfs': { - 'scrub_when': 'Wed 08:00 Europe/Berlin', - }, - }, -} From 7808d9b0ea5c1d733bdb277ea91dd41eb29eda81 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Mon, 17 Feb 2025 12:25:20 +0100 Subject: [PATCH 113/181] update travelynx to 2.10.0 --- nodes/carlene.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nodes/carlene.toml b/nodes/carlene.toml index d738e4b..2237fdf 100644 --- a/nodes/carlene.toml +++ b/nodes/carlene.toml @@ -250,7 +250,7 @@ disks = [ ] [metadata.travelynx] -version = "2.9.18" +version = "2.10.0" mail_from = "travelynx@franzi.business" domain = "travelynx.franzi.business" From 77003a01d8cd262cad6ac202982d6eea3e8291a2 Mon Sep 17 00:00:00 2001 
From: Franziska Kunsmann Date: Fri, 21 Feb 2025 19:24:10 +0100 Subject: [PATCH 114/181] rottenraptor-server: add vhost for dokuwiki --- .../files/extras/rottenraptor-server/dokuwiki | 33 +++++++++++++++++++ nodes/rottenraptor-server.toml | 17 ++++++++++ 2 files changed, 50 insertions(+) create mode 100644 data/nginx/files/extras/rottenraptor-server/dokuwiki diff --git a/data/nginx/files/extras/rottenraptor-server/dokuwiki b/data/nginx/files/extras/rottenraptor-server/dokuwiki new file mode 100644 index 0000000..2e9b682 --- /dev/null +++ b/data/nginx/files/extras/rottenraptor-server/dokuwiki @@ -0,0 +1,33 @@ + location ~ ^/lib.*\.(js|css|gif|png|ico|jpg|jpeg|svg)$ { + expires 365d; # browser caching + } + + location ~ /(install.php) { deny all; } + + location ~ /(\.ht|\.git|\.hg|\.svn|\.vs|data|conf|bin|inc|vendor|README|VERSION|SECURITY.md|COPYING|composer.json|composer.lock) { + #return 404; # https://www.dokuwiki.org/install:nginx?rev=1734102057#nginx_particulars + deny all; # Returns 403 + } + + # Support for X-Accel-Redirect + location ~ ^/data/ { + internal; + } + + location / { + try_files $uri $uri/ @dokuwiki; + + # This means; where $uri is 'path', if 'GET /path' doesnt exist, redirect + # client to 'GET /path/' directory. If neither, goto @dokuwiki rules. + } + + location @dokuwiki { + rewrite ^/_media/(.*) /lib/exe/fetch.php?media=$1 last; + rewrite ^/_detail/(.*) /lib/exe/detail.php?media=$1 last; + rewrite ^/_export/([^/]+)/(.*) /doku.php?do=export_$1&id=$2 last; +# rewrite ^/tag/(.*) /doku.php?id=tag:$1&do=showtag&tag=tag:$1 last; #untested + rewrite ^/(.*) /doku.php?id=$1&$args last; + + # rewrites "doku.php/" out of the URLs if you set the userewrite + # setting to .htaccess in dokuwiki config page + } diff --git a/nodes/rottenraptor-server.toml b/nodes/rottenraptor-server.toml index 407bb70..1af14fb 100644 --- a/nodes/rottenraptor-server.toml +++ b/nodes/rottenraptor-server.toml 
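Review bot: The `deny all` regex location is the only thing keeping `conf/` and `data/` (wiki config, user hashes, uploaded media) from being served, but nginx takes the first matching regex location in configuration order, and the `\.php$` handler for this vhost lives outside this file; if that handler is included before this extras file, a request such as `/conf/x.php` would match the PHP location first and never reach the deny. Confirm the include order in the vhost template and add a comment above the deny block stating that it must precede the PHP location. For the same ordering reason the later `location ~ ^/data/ { internal; }` is shadowed by the deny block that already matches `/data`, so the X-Accel-Redirect support it advertises is unlikely to work as written; moving the `internal` location above the deny block, or dropping it, would make the intent match the behaviour.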
@@ -8,6 +8,7 @@ bundles = [ "docker-goauthentik", "docker-immich", "ipmitool", + "php", "redis", "smartd", "zfs", @@ -28,12 +29,24 @@ gateway6 = "2001:67c:b54:1::1" redirect = "https://www.rottenraptor.com/" mode = 302 +[metadata.nginx.vhosts.dokuwiki] +domain = "wiki.rotten.city" +php = true +extras = true +webroot_config.owner = "www-data" + [metadata.nginx.vhosts.goauthentik] domain = "sso.rotten.city" [metadata.nginx.vhosts.immich] domain = "immich.rotten.city" +[metadata.php] +version = "8.2" +packages = [ + "xml", +] + [metadata.smartd] disks = [ "/dev/disk/by-id/ata-HUH721008ALN600_7SGH125C", @@ -43,6 +56,10 @@ disks = [ "/dev/disk/by-id/nvme-TOSHIBA-RC100_58UPC29HPW5S", ] +[metadata.vm] +cpu = 4 +ram = 8 + [metadata.zfs.pools.tank.when_creating] ashift = 12 From a7cb759bd2d5cfcadc9ffb1e1df725a1d625ed4e Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Fri, 21 Feb 2025 19:29:35 +0100 Subject: [PATCH 115/181] bundles/docker-goauthentik: fix typo --- bundles/docker-goauthentik/metadata.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/bundles/docker-goauthentik/metadata.py b/bundles/docker-goauthentik/metadata.py index 8cae899..9d742fa 100644 --- a/bundles/docker-goauthentik/metadata.py +++ b/bundles/docker-goauthentik/metadata.py @@ -46,7 +46,7 @@ defaults = { 'volumes': { '/var/opt/docker-engine/goauthentik-server/media': '/media', '/var/opt/docker-engine/goauthentik-server/certs': '/certs', - '/var/opt/docker-engine/doauthentik-server/templates': '/templates', + '/var/opt/docker-engine/goauthentik-server/templates': '/templates', }, 'needs': { 'svc_systemd:docker-goauthentik-postgresql', From 349aaac56db74d251bcdaea75d5f6142119979db Mon Sep 17 00:00:00 2001 
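Review bot: `webroot_config.owner = "www-data"` appears to hand the whole DokuWiki webroot to the PHP runtime user, which means a compromised plugin or a file-write bug in the wiki can rewrite `lib/` and `inc/` PHP code, not just the `data/` and `conf/` trees DokuWiki actually needs to write. If the nginx bundle supports it, restrict write ownership to those two directories and keep the code read-only for `www-data`; otherwise add a comment here recording that the entire tree is writable by the web user and why. The semantics of `webroot_config` are defined outside this hunk, so this is inferred from the key name.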
From: Franziska Kunsmann Date: Sun, 23 Feb 2025 11:01:16 +0100 Subject: [PATCH 116/181] data/ssl: bump *.home.kunbox.net --- data/ssl/_.home.kunbox.net.crt.pem | 36 +++++++++---------- .../_.home.kunbox.net.crt_intermediate.pem | 36 +++++++++---------- data/ssl/_.home.kunbox.net.key.pem.vault | 2 +- 3 files changed, 37 insertions(+), 37 deletions(-) diff --git a/data/ssl/_.home.kunbox.net.crt.pem b/data/ssl/_.home.kunbox.net.crt.pem index 06ea249..4fb984a 100644 --- a/data/ssl/_.home.kunbox.net.crt.pem +++ b/data/ssl/_.home.kunbox.net.crt.pem 
@@ -1,22 +1,22 @@ -----BEGIN CERTIFICATE----- -MIIDsDCCAzagAwIBAgISBGjVgPFJCHOuBJul17PsmUBlMAoGCCqGSM49BAMDMDIx +MIIDrTCCAzOgAwIBAgISAzN38KowyAxKJIRnBKR9SwXnMAoGCCqGSM49BAMDMDIx CzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQDEwJF -NjAeFw0yNDExMzAwOTM4MzNaFw0yNTAyMjgwOTM4MzJaMBoxGDAWBgNVBAMTD2hv -bWUua3VuYm94Lm5ldDB2MBAGByqGSM49AgEGBSuBBAAiA2IABK+7B9tE5ejhYZWq -3gs8q4s6/A98pW5GGpkYl7iPsPM8ko0UvZ8tfBU+KuEavDmFoFa8W4ePEkPkypHo -gqRMhIm55/2wyTTh8/PnXp8vWCwMISmPHEqou2mphx0feLRAlqOCAiUwggIhMA4G +NTAeFw0yNTAyMjMwOTAyMzdaFw0yNTA1MjQwOTAyMzZaMBoxGDAWBgNVBAMTD2hv +bWUua3VuYm94Lm5ldDB2MBAGByqGSM49AgEGBSuBBAAiA2IABCySMhuLfj3x+wjp +BFpNu+R3IRL0qsBazrTrz8jwA1Brs8jxFSlPZRGpKiycFFQDwX5dSDJu+usngNh7 +pAs1UsniV2d3yLYK6qTVB8C420Xc55jlqTsGW+cvv0Adeap8DaOCAiIwggIeMA4G A1UdDwEB/wQEAwIHgDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwDAYD -VR0TAQH/BAIwADAdBgNVHQ4EFgQUicTvP+5xKDeHcAhxZi7CeD5xzCUwHwYDVR0j -BBgwFoAUkydGmAOpUWiOmNbEQkjbI79YlNIwVQYIKwYBBQUHAQEESTBHMCEGCCsG -AQUFBzABhhVodHRwOi8vZTYuby5sZW5jci5vcmcwIgYIKwYBBQUHMAKGFmh0dHA6 -Ly9lNi5pLmxlbmNyLm9yZy8wLQYDVR0RBCYwJIIRKi5ob21lLmt1bmJveC5uZXSC -D2hvbWUua3VuYm94Lm5ldDATBgNVHSAEDDAKMAgGBmeBDAECATCCAQUGCisGAQQB -1nkCBAIEgfYEgfMA8QB3AM8RVu7VLnyv84db2Wkum+kacWdKsBfsrAHSW3fOzDsI -AAABk3ylPJIAAAQDAEgwRgIhAPf1V/hozFwCyj8rwHFrxslXPa77KFbbm1yrvikr -ypvZAiEAgsSapcCShSJcW21/Rig7MOjp8IjdirAzLDRnBcl4tooAdgB9WR4S4Xgq -exxhZ3xe/fjQh1wUoE6VnrkDL9kOjC55uAAAAZN8pURGAAAEAwBHMEUCIBF42g56 -wBpQRx1aHM+tFrydhInIx+ji6o7d055uc7bAAiEA4bRrxTsQQIJ+5lY2XIYTpf5C -msc2KAHccsMqstH+ur8wCgYIKoZIzj0EAwMDaAAwZQIxAOTsntM8s/ik3N09mXq4 -fVm1XQk2B2jALeTZLZevUY8jUjhKwoXTNVXQlMr1ilnC9QIwCa7zOQJQ2Y7D8xMv -uKfu7TMSLJlWMDHhIsggdPeQDYtNm85jsOXqB1SjWeCR25Mn +VR0TAQH/BAIwADAdBgNVHQ4EFgQUDEclq7TWouOYtvpzzutWtxXmZB8wHwYDVR0j +BBgwFoAUnytfzzwhT50Et+0rLMTGcIvS1w0wVQYIKwYBBQUHAQEESTBHMCEGCCsG +AQUFBzABhhVodHRwOi8vZTUuby5sZW5jci5vcmcwIgYIKwYBBQUHMAKGFmh0dHA6 +Ly9lNS5pLmxlbmNyLm9yZy8wLQYDVR0RBCYwJIIRKi5ob21lLmt1bmJveC5uZXSC 
+D2hvbWUua3VuYm94Lm5ldDATBgNVHSAEDDAKMAgGBmeBDAECATCCAQIGCisGAQQB +1nkCBAIEgfMEgfAA7gB1AKLjCuRF772tm3447Udnd1PXgluElNcrXhssxLlQpEfn +AAABlTJA35QAAAQDAEYwRAIgK6RVpdOCgEWCLxyLM7P9LRYWmPJ9+oA8DQ6EhV1V +e+cCICAtK2lRg+vPuCXkqSGRFQEPqidmcT1NMrAstl6zOF3uAHUATnWjJ1yaEMM4 +W2zU3z9S6x3w4I4bjWnAsfpksWKaOd8AAAGVMkDfigAABAMARjBEAiBH2f88Uh6R +tPyyZzuKT5t6jcYLOsSQVkWbrerG34Z1xwIgXmW3tlmgKlUiTrRjCFbltLNJ12Tf +xA/QCmSHAyKUnHIwCgYIKoZIzj0EAwMDaAAwZQIxAKT8YobI9cF1LpSwF8esUwhX +M1oK0TVOnpFn3dyUgweqVS5sCn3V81626qP+wGrENgIwWlDcbKhT4j0G19O43pKp +6f9TqzcY4iH5+VAuKPjh7H5ag7B+qCn9No2p56SagQpv -----END CERTIFICATE----- diff --git a/data/ssl/_.home.kunbox.net.crt_intermediate.pem b/data/ssl/_.home.kunbox.net.crt_intermediate.pem index 4652201..59039ae 100644 --- a/data/ssl/_.home.kunbox.net.crt_intermediate.pem +++ b/data/ssl/_.home.kunbox.net.crt_intermediate.pem 
@@ -1,27 +1,27 @@ -----BEGIN CERTIFICATE----- -MIIEVzCCAj+gAwIBAgIRALBXPpFzlydw27SHyzpFKzgwDQYJKoZIhvcNAQELBQAw +MIIEVzCCAj+gAwIBAgIRAIOPbGPOsTmMYgZigxXJ/d4wDQYJKoZIhvcNAQELBQAw TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMjQwMzEzMDAwMDAw WhcNMjcwMzEyMjM1OTU5WjAyMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNTGV0J3Mg -RW5jcnlwdDELMAkGA1UEAxMCRTYwdjAQBgcqhkjOPQIBBgUrgQQAIgNiAATZ8Z5G -h/ghcWCoJuuj+rnq2h25EqfUJtlRFLFhfHWWvyILOR/VvtEKRqotPEoJhC6+QJVV -6RlAN2Z17TJOdwRJ+HB7wxjnzvdxEP6sdNgA1O1tHHMWMxCcOrLqbGL0vbijgfgw +RW5jcnlwdDELMAkGA1UEAxMCRTUwdjAQBgcqhkjOPQIBBgUrgQQAIgNiAAQNCzqK +a2GOtu/cX1jnxkJFVKtj9mZhSAouWXW0gQI3ULc/FnncmOyhKJdyIBwsz9V8UiBO +VHhbhBRrwJCuhezAUUE8Wod/Bk3U/mDR+mwt4X2VEIiiCFQPmRpM5uoKrNijgfgw gfUwDgYDVR0PAQH/BAQDAgGGMB0GA1UdJQQWMBQGCCsGAQUFBwMCBggrBgEFBQcD -ATASBgNVHRMBAf8ECDAGAQH/AgEAMB0GA1UdDgQWBBSTJ0aYA6lRaI6Y1sRCSNsj -v1iU0jAfBgNVHSMEGDAWgBR5tFnme7bl5AFzgAiIyBpY9umbbjAyBggrBgEFBQcB +ATASBgNVHRMBAf8ECDAGAQH/AgEAMB0GA1UdDgQWBBSfK1/PPCFPnQS37SssxMZw +i9LXDTAfBgNVHSMEGDAWgBR5tFnme7bl5AFzgAiIyBpY9umbbjAyBggrBgEFBQcB AQQmMCQwIgYIKwYBBQUHMAKGFmh0dHA6Ly94MS5pLmxlbmNyLm9yZy8wEwYDVR0g BAwwCjAIBgZngQwBAgEwJwYDVR0fBCAwHjAcoBqgGIYWaHR0cDovL3gxLmMubGVu -Y3Iub3JnLzANBgkqhkiG9w0BAQsFAAOCAgEAfYt7SiA1sgWGCIpunk46r4AExIRc -MxkKgUhNlrrv1B21hOaXN/5miE+LOTbrcmU/M9yvC6MVY730GNFoL8IhJ8j8vrOL -pMY22OP6baS1k9YMrtDTlwJHoGby04ThTUeBDksS9RiuHvicZqBedQdIF65pZuhp -eDcGBcLiYasQr/EO5gxxtLyTmgsHSOVSBcFOn9lgv7LECPq9i7mfH3mpxgrRKSxH -pOoZ0KXMcB+hHuvlklHntvcI0mMMQ0mhYj6qtMFStkF1RpCG3IPdIwpVCQqu8GV7 -s8ubknRzs+3C/Bm19RFOoiPpDkwvyNfvmQ14XkyqqKK5oZ8zhD32kFRQkxa8uZSu -h4aTImFxknu39waBxIRXE4jKxlAmQc4QjFZoq1KmQqQg0J/1JF8RlFvJas1VcjLv -YlvUB2t6npO6oQjB3l+PNf0DpQH7iUx3Wz5AjQCi6L25FjyE06q6BZ/QlmtYdl/8 -ZYao4SRqPEs/6cAiF+Qf5zg2UkaWtDphl1LKMuTNLotvsX99HP69V2faNyegodQ0 -LyTApr/vT01YPE46vNsDLgK+4cL6TrzC/a4WcmF5SRJ938zrv/duJHLXQIku5v0+ -EwOy59Hdm0PT/Er/84dDV0CSjdR/2XuZM3kpysSKLgD1cKiDA+IRguODCxfO9cyY -Ig46v9mFmBvyH04= 
+Y3Iub3JnLzANBgkqhkiG9w0BAQsFAAOCAgEAH3KdNEVCQdqk0LKyuNImTKdRJY1C +2uw2SJajuhqkyGPY8C+zzsufZ+mgnhnq1A2KVQOSykOEnUbx1cy637rBAihx97r+ +bcwbZM6sTDIaEriR/PLk6LKs9Be0uoVxgOKDcpG9svD33J+G9Lcfv1K9luDmSTgG +6XNFIN5vfI5gs/lMPyojEMdIzK9blcl2/1vKxO8WGCcjvsQ1nJ/Pwt8LQZBfOFyV +XP8ubAp/au3dc4EKWG9MO5zcx1qT9+NXRGdVWxGvmBFRAajciMfXME1ZuGmk3/GO +koAM7ZkjZmleyokP1LGzmfJcUd9s7eeu1/9/eg5XlXd/55GtYjAM+C4DG5i7eaNq +cm2F+yxYIPt6cbbtYVNJCGfHWqHEQ4FYStUyFnv8sjyqU8ypgZaNJ9aVcWSICLOI +E1/Qv/7oKsnZCWJ926wU6RqG1OYPGOi1zuABhLw61cuPVDT28nQS/e6z95cJXq0e +K1BcaJ6fJZsmbjRgD5p3mvEf5vdQM7MCEvU0tHbsx2I5mHHJoABHb8KVBgWp/lcX +GWiWaeOyB7RP+OfDtvi2OsapxXiV7vNVs7fMlrRjY1joKaqmmycnBvAq14AEbtyL +sVfOS66B8apkeFX2NY4XPEYV4ZSCe8VHPrdrERk2wILG3T/EGmSIkCYVUMSnjmJd +VQD9F6Na/+zmXCc= -----END CERTIFICATE----- diff --git a/data/ssl/_.home.kunbox.net.key.pem.vault b/data/ssl/_.home.kunbox.net.key.pem.vault index f5fa8b4..e17988a 100644 --- a/data/ssl/_.home.kunbox.net.key.pem.vault +++ b/data/ssl/_.home.kunbox.net.key.pem.vault 
@@ -1 +1 @@ -encrypt$gAAAAABnSurPS00unDJP1C7wyToyZOzKrEruyT6itqZG1Bbv6IZPVrkdcbgyfPrXY8ViPSRwtdVJsju-X8pvLHZGSHXvxhpNlNrNQTas2_VCMwYIihGnp7VI6ovQXd_iVHON5sXaNpKURRwCsvnYhHQfn4qPGLSN8II2QdpJ4A4nDschZwN2u-8X9omGPOcC6zeivoew4UcpossYuJDskHeJnRnR3roGwrHuPWfEKRgRJ_eTHgij00uyoJZxhWGRV9nS_MnacbGUP6KBXfaZP_23DFJPMMq734qVfcLObhYa8nam9kLHh4TaloET2pK-IVqcb_FOorWiipiGBSNCw9EQr57d8AOLEFAwMmb_1fgPCjpchVZaSKD4OhdjPt1CU3unzR-zPkrjBdL-az0ci984vJnLolr4z8nMW6oR1SyJGyccJ-lmoMf34M3oI3zIlNg2GPdGcZMFa6GhvmLYwDb7r0PHil_GRA== \ No newline at end of file +encrypt$gAAAAABnuvHlF1U1dT-xIICT5GmDxxqm0hQAgshQSA46WrVoo18ypjyxQE1qRzPNdp0xHKPYwpGmAoT7ftX7U3X3sjIvH8W5DUNMEBPZk6Z2yPxsyMDqUbxqJUOkjsSjVf1GZ_n3R5kZfb-THJMjNQMy3tL5RwrSvZjsYeYT-NwBle5rUKZpgE_6sDr5jSr8xpNx87gJr1vqgnZIBPllU47CJQy7LHEsVcCvbKhpVoau02LlPAoApVt_iYYm1fL_E6jFGfnCwGoeiytMc2fl1DPWS8q8oauQ1pNVTWQ2BXnLiXoc8u3hgp93PpT2LubYgIrVXpY8iErNtghuXi_HmqL37btdN5h-p1Div-R_5uva1maXffduwutCd5xWJK__G_bhqiSoEaKEMvo_H47vqbi7Hvwi70ckYek9KD_bIb2W8zBEPl1Q2436Uz54B0muXv6X7OoZlTj51_gZUcT3cp8SDJqAWDpnWg== \ No newline at end of file From 5752ad3f0994e1ea8dd9ca6bee8d773b4c83191a Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 23 Feb 2025 11:07:59 +0100 Subject: [PATCH 117/181] rottenraptor-server: remove redis this runs in docker now --- nodes/rottenraptor-server.toml | 1 - 1 file changed, 1 deletion(-) diff --git a/nodes/rottenraptor-server.toml b/nodes/rottenraptor-server.toml index 1af14fb..e88891a 100644 --- a/nodes/rottenraptor-server.toml +++ b/nodes/rottenraptor-server.toml @@ -9,7 +9,6 @@ bundles = [ "docker-immich", "ipmitool", "php", - "redis", "smartd", "zfs", ] From a54dceb3c6f7c0a1526bc9bd0c7329e3c96b3c88 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 23 Feb 2025 11:37:29 +0100 Subject: [PATCH 118/181] bundles/radvd: better options for changing prefixes --- bundles/radvd/files/radvd.conf | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) 
diff --git a/bundles/radvd/files/radvd.conf b/bundles/radvd/files/radvd.conf index c66c08f..ee40111 100644 --- a/bundles/radvd/files/radvd.conf +++ b/bundles/radvd/files/radvd.conf @@ -10,11 +10,13 @@ interface ${interface} AdvOnLink on; AdvAutonomous on; AdvRouterAddr on; + AdvPreferredLifetime 600; + AdvValidLifetime 900; }; % if config.get('rdnss'): RDNSS ${' '.join(sorted(config['rdnss']))} { - AdvRDNSSLifetime 900; + AdvRDNSSLifetime 600; }; % endif }; From fab81145caceeda6c0b815d3e21dbb993f46ee9a Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 23 Feb 2025 11:40:47 +0100 Subject: [PATCH 119/181] update netbox to 4.2.4 --- nodes/carlene.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nodes/carlene.toml b/nodes/carlene.toml index 2237fdf..6509140 100644 --- a/nodes/carlene.toml +++ b/nodes/carlene.toml @@ -114,7 +114,7 @@ domain = "rss.franzi.business" [metadata.netbox] domain = "netbox.franzi.business" -version = "v4.2.3" +version = "v4.2.4" admins.kunsi = "hostmaster@kunbox.net" [metadata.nextcloud] From fed5cbfc5228104d45c2b4f9aa6a1b75470e974b Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 23 Feb 2025 12:08:14 +0100 Subject: [PATCH 120/181] bundles/php: remove sury repo, use debian php version --- bundles/icinga2/metadata.py | 1 - bundles/nginx/items.py | 2 +- bundles/php/items.py | 2 +- bundles/php/metadata.py | 17 +++++++------ data/apt/files/gpg-keys/php.asc | 42 --------------------------------- nodes/carlene.toml | 1 - nodes/htz-cloud/pirmasens.py | 2 -- nodes/rottenraptor-server.toml | 1 - 8 files changed, 10 insertions(+), 58 deletions(-) delete mode 100644 data/apt/files/gpg-keys/php.asc diff --git a/bundles/icinga2/metadata.py b/bundles/icinga2/metadata.py index 60d28fe..c25ca41 100644 --- a/bundles/icinga2/metadata.py +++ b/bundles/icinga2/metadata.py 
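Review bot: `AdvPreferredLifetime 600` and `AdvRDNSSLifetime 600` only behave as intended if `MaxRtrAdvInterval` is comfortably below them; with radvd's default of 600 seconds a single dropped RA leaves hosts with deprecated addresses and expired DNS servers before the next advertisement, and RFC 8106 recommends an RDNSS lifetime of at least 3 × MaxRtrAdvInterval. The interface header that would set `MaxRtrAdvInterval` is outside this hunk, so if it is not already reduced add `MaxRtrAdvInterval 200;` (and a matching `MinRtrAdvInterval`) alongside these lifetimes, and leave a comment such as `# lifetimes are short so a prefix change propagates within minutes; keep MaxRtrAdvInterval <= 200`.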
@@ -54,7 +54,6 @@ defaults = { 'setup-token': repo.vault.password_for(f'{node.name} icingaweb2 setup-token'), }, 'php': { - 'version': '8.2', 'packages': { 'curl', 'gd', diff --git a/bundles/nginx/items.py b/bundles/nginx/items.py index 2928686..304dcd7 100644 --- a/bundles/nginx/items.py +++ b/bundles/nginx/items.py @@ -104,7 +104,7 @@ for vhost, config in node.metadata.get('nginx/vhosts', {}).items(): 'context': { 'create_logs': config.get('create_logs', False), 'create_timing_log': config.get('timing_log', True), - 'php_version': node.metadata.get('php/version', ''), + 'php_version': node.metadata.get('php/__version', ''), 'security_txt': security_txt_enabled, 'vhost': vhost, **config, diff --git a/bundles/php/items.py b/bundles/php/items.py index b115c19..c836efa 100644 --- a/bundles/php/items.py +++ b/bundles/php/items.py @@ -1,4 +1,4 @@ -version = node.metadata.get('php/version') +version = node.metadata.get('php/__version') directories['/var/lib/php/sessions'] = { 'owner': 'www-data', diff --git a/bundles/php/metadata.py b/bundles/php/metadata.py index d14954e..edb8399 100644 --- a/bundles/php/metadata.py +++ b/bundles/php/metadata.py @@ -1,12 +1,11 @@ +OS_PHP_VERSION = { + 12: '8.2', + 13: '8.4', +} + defaults = { - 'apt': { - 'repos': { - 'php': { - 'items': { - 'deb https://packages.sury.org/php/ {os_release} main', - }, - }, - }, + 'php': { + '__version': OS_PHP_VERSION[node.os_version[0]], }, } @@ -15,7 +14,7 @@ defaults = { 'apt/packages', ) def php_packages_with_features(metadata): - version = metadata.get('php/version') + version = metadata.get('php/__version') packages = { f'php{version}': {}, diff --git a/data/apt/files/gpg-keys/php.asc b/data/apt/files/gpg-keys/php.asc deleted file mode 100644 index ba04e3c..0000000 --- a/data/apt/files/gpg-keys/php.asc +++ /dev/null 
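Review bot: `OS_PHP_VERSION[node.os_version[0]]` raises a bare `KeyError` for any Debian release not in the table, and the series drops a `'7.4'` override from `htz-cloud/pirmasens`, which suggests at least one node may not be on bookworm yet; a node on bullseye would fail metadata evaluation with an unhelpful traceback. Turn the lookup into an explicit check, e.g. `if node.os_version[0] not in OS_PHP_VERSION: raise ValueError(f'{node.name}: no PHP version known for Debian {node.os_version[0]}')`, and add a comment over the table noting that `__version` is derived from the OS and is no longer meant to be set per node now that the third-party sury repository and its signing key are gone.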
@@ -1,42 +0,0 @@ ------BEGIN PGP ARMORED FILE----- -Comment: Use "gpg --dearmor" for unpacking - -mQGNBFyPb58BDADTDlJLrGJktWDaUT0tFohjFxy/lL2GcVYp4zB981MWIDC0aIQZ -ERfUZRaq/ov/LG3F0UhkvouCNrnXiFaKRCeNG52pQM0P/p3gmIOoPO4/jF0o3SK1 -Aapf/NaKTh3EgeYYCnVKuxdXGqyu1JT4qfztsmUGmODzxVr+/YJLP54jrCUgI3lj -4zEeTBDexQvnlVUF59U1/ipMq4iWqqth8/aMsoZl3Ztfcc87jBFbJIoeQMhZtNZk -Ik7L15aYIZXWY2byBy6LB42HPm9DwM99l2eY4EXGfAq/UQeYbDGonibBqrDURggH -rkLfG7ZfoexF67/9S2s6VYfS4npWVfw2SEPTfSBdibElbGncd+p9Wb6SovqapCPl -crkLgPhBAz/R9M7E/G3zedmiEhsV78pBF3bup+nQVvBVtV/NucN5N6LkAclT4O3F -flGZa1/mJcpgjVapT6duY0POXczfS6ts55x2BE0UfYtXfRnVnHtu2+j8kqYG3N1G -sfVnzRkwtTWBMxMAEQEAAbQxREVCLlNVUlkuT1JHIEF1dG9tYXRpYyBTaWduaW5n -IEtleSA8ZGViQHN1cnkub3JnPokB1AQTAQoAPgIbAwULCQgHAgYVCgkICwIEFgID -AQIeAQIXgBYhBBUFhQCgI12X9dEAY7GI4raVvUdDBQJgK4WHBQkJP7BoAAoJELGI -4raVvUdDQ/QL+wa0KQ8o8askks4elU1PSdUP/ywacroMtl6BV2d/di/PtquZl4zI -p/qAhUmcSJhUJMJBdGQ5S4uxCn0rEy2CBO8LhSTFuS01UGVHhjZQLA+GZEMunpS8 -KbPH5lWuwWwY1bbx9eCwpIxzz3Krctk8WGvja4EsqIWmRcaQ1z19JndbH8Ekfhf2 -U7noZNFZIhHIOHK51dOm4oaSdrJUhhd52zrwLf+lOtHh0kkOad+eCByah9XwmO9q -SAuHLquSv9BWfnLKSHfwRW+YeAHlkELui0Zi6zD2PYqcBAebZWNmyxiJUz0oHJPJ -H6DoXXxI6OsCdFDkqW5hP/IfVI97fbKMGY9g4RyasJmb/18F7eSFC1S7fj6hHCRn -HTKR5cO3PdzYndyICGfaQMUa+n0HsWZAw8mgWPnKZd3xXt4n+Exx/LBV3ZkOwHT7 -L9nTPALsoqqEtn0zjOo/eOt9fmaW9TcvL1V1oiRpEk3lejvF/Wt5zwkPOgys2ZCZ -Ttefx/lGoxC2lrkBjQRcj2+fAQwA4McaM/y2XQSHlJBSYR7yqZtHX/kZ8g9pnViq -kCEADz8XKCroEzvY1gaWtR6obtjaq8pF0g4KtAC65/gIOtsHvWg3OclrODPkXN+x -OM1LpXZGV6kwk+LXOrybtPhVZe3FtvDMW0MVZeHYi+soZ4tTQHkKjZUPAXZs3ZoZ -rWfE5ft447sCxzX+jxDwwlckkKqZ9sHYD0TV8Y5av3RsxiWBt+coch8jvw+1mDZ0 -zBjMO8ZRD8PuvP9UTKCNOIm0mW9A2cUfpkk/uAwo5hCnw4iljS81/KKGM/scwc5K -x6G3WWoAb8kajt0VFG/wYN2qjfjdhXtdu3ZxYtDdjA2UGGRbgkCsr+gRCnSTiuwv -LzCVZCz9WNzZjUMg6LFP2IrHned4Kdy4KjJo+g/weKJoxfKokZ/9vUYpw5OYx3UE -SUk3yHDN9r/JC4RJJ2tE2qkeggJ892RJGxUK/Lw3/7jIQKalO3Qx2zYUqnCYMC9g -PhQGH+F9kwSpGVwb0DKFT6gR9Pt3ABEBAAGJAbwEGAEKACYCGwwWIQQVBYUAoCNd 
-l/XRAGOxiOK2lb1HQwUCYCuFsQUJCT+wkgAKCRCxiOK2lb1HQ3icDADGRBYuqFNG -2mnAKH9W2qMKGJUBOMdEouUpFZELs5bgMfLH9/i5PNi+73IhHqsSsR3JIHRPuzt5 -nmifWYFPvsVV/8eu2O1UeyCbt+KK1v+aMfJbg3J38pCLgqOrMK1a3VxKZ6mHIy6A -5xEBLdl9HP6+lGYhYPdQd2kq5H+64DyF5zlpUX9biTpiri4ZiF3kUrXKLEupUtuS -aWf+n4hTreT2olThoQIsxWPj+YV/9irNRpATY+JrD74tA3HPI02nq3Xvaz0R0gVG -8HRUcw3ejXgn8SfSmY8p3JxVtYQJTUdsR3+qTgm+91LpFhWBBJZagjUoYrGb5/ZU -iCyr1kJMo+/PceVsGuiaH9r84fxi0VGZVl4P9rP3Dwx8QLosFrElkQBhX1YIYhJX -mo/XAlzVedQ37DyJu+/TZDUXu1q/4D+7z0s3oekWmUwziFI1HBxsNbwHRQyek/To -nirX97CSifEBg1L8BRRex7eUGWJ/YI/Zjf6CNaqUt5SIUBUv0zv1lFc= -=gNGr ------END PGP ARMORED FILE----- diff --git a/nodes/carlene.toml b/nodes/carlene.toml index 6509140..a455063 100644 --- a/nodes/carlene.toml +++ b/nodes/carlene.toml @@ -176,7 +176,6 @@ ratelimit-exempt-hosts = [ ] [metadata.php] -version = "8.2" packages = [ 'gd', 'imagick', diff --git a/nodes/htz-cloud/pirmasens.py b/nodes/htz-cloud/pirmasens.py index 655f325..908e85e 100644 --- a/nodes/htz-cloud/pirmasens.py +++ b/nodes/htz-cloud/pirmasens.py @@ -52,12 +52,10 @@ nodes['htz-cloud.pirmasens'] = { }, }, 'php': { - 'version': '7.4', 'packages': { 'gd', 'imap', 'intl', - 'json', 'mbstring', 'opcache', 'pgsql', diff --git a/nodes/rottenraptor-server.toml b/nodes/rottenraptor-server.toml index e88891a..96eb5fb 100644 --- a/nodes/rottenraptor-server.toml +++ b/nodes/rottenraptor-server.toml @@ -41,7 +41,6 @@ domain = "sso.rotten.city" domain = "immich.rotten.city" [metadata.php] -version = "8.2" packages = [ "xml", ] From 9edf9111a1283c685a425c0ba7bfa67f269cd49b Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 23 Feb 2025 13:16:52 +0100 Subject: [PATCH 121/181] bundles/docker-engine: exit "start" action early if container is running this happens on daemon restarts --- bundles/docker-engine/files/docker-wrapper | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) 
diff --git a/bundles/docker-engine/files/docker-wrapper b/bundles/docker-engine/files/docker-wrapper index 97c0d37..fe2a010 100644 --- a/bundles/docker-engine/files/docker-wrapper +++ b/bundles/docker-engine/files/docker-wrapper @@ -17,7 +17,12 @@ PGID="$(id -g "${user}")" if [ "$ACTION" == "start" ] then - docker rm "${name}" || true + # just exit if the container is actually running already. + set +e + /usr/local/share/icinga/plugins/check_docker_container "${name}" && exit 0 + set -e + + docker rm "${name}" || true docker run -d \ --name "${name}" \ From ff2be8d58d55e299e3fa6208631121c834acd4bd Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 23 Feb 2025 13:17:54 +0100 Subject: [PATCH 122/181] bundles/docker-immich: add album-auto-share script --- .../files/immich-auto-album-share.py | 80 +++++++++++++++++++ bundles/docker-immich/items.py | 3 + bundles/docker-immich/metadata.py | 28 +++++++ nodes/rottenraptor-server.toml | 3 + 4 files changed, 114 insertions(+) create mode 100644 bundles/docker-immich/files/immich-auto-album-share.py create mode 100644 bundles/docker-immich/items.py diff --git a/bundles/docker-immich/files/immich-auto-album-share.py b/bundles/docker-immich/files/immich-auto-album-share.py new file mode 100644 index 0000000..863f8b2 --- /dev/null +++ b/bundles/docker-immich/files/immich-auto-album-share.py 
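Review bot: The `set +e` / `set -e` dance is unnecessary and easy to get wrong later; testing the command in an `if` does not trigger errexit, so `if /usr/local/share/icinga/plugins/check_docker_container "${name}"; then exit 0; fi` expresses the same intent in one line. The wrapper now also hard-depends on an Icinga plugin path being present and treating "running" as exit status 0; if the plugin is missing the check fails closed and the container is recreated, which is safe, but a plain `docker inspect -f '{{.State.Running}}' "${name}"` would avoid the cross-bundle dependency. Whether an early `exit 0` from the start action is acceptable depends on the `Type=` of the systemd unit, which is not in this hunk.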
@@ -0,0 +1,80 @@ +#!/usr/bin/env python3 + +from json import loads +from os import environ +from subprocess import check_output +from sys import exit + +import psycopg2 + +PSQL_HOST = environ['DB_HOSTNAME'] +PSQL_USER = environ['DB_USERNAME'] +PSQL_PASS = environ['DB_PASSWORD'] +PSQL_DB = environ['DB_DATABASE_NAME'] + +docker_networks = loads(check_output(['docker', 'network', 'inspect', 'aaarghhh'])) + +container_ip = None +# why the fuck is this a list of networks, even though we have to provide +# a network name to inspect ... +for network in docker_networks: + if network['Name'] != 'aaarghhh': + continue + + for _, container in network['Containers'].items(): + if container['Name'] == PSQL_HOST: + container_ip = container['IPv4Address'].split('/')[0] + +if not container_ip: + print(f'could not find ip address for container {PSQL_HOST=} in json') + print(docker_networks) + exit(1) + +print(f'{PSQL_HOST=} {container_ip=}') + +conn = psycopg2.connect( + dbname=PSQL_DB, + host=container_ip, + password=PSQL_PASS, + user=PSQL_USER, +) + +with conn: + with conn.cursor() as cur: + cur.execute('SELECT "id","ownerId","albumName" FROM albums;') + albums = { + i[0]: { + 'owner': i[1], + 'name': i[2], + } + for i in cur.fetchall() + } + + with conn.cursor() as cur: + cur.execute('SELECT "id","name" FROM users;') + users = { + i[0]: i[1] + for i in cur.fetchall() + } + +for album_id, album in albums.items(): + print(f'----- working on album: {album["name"]}') + with conn: + with conn.cursor() as cur: + cur.execute('SELECT "usersId" FROM albums_shared_users_users WHERE "albumsId" = %s;', (album_id,)) + album_shares = [i[0] for i in cur.fetchall()] + print(f' album is shared with {len(album_shares)} users: {album_shares}') + for user_id, user_name in users.items(): + if user_id == album['owner'] or user_id in album_shares: + continue + + print(f' sharing album with user {user_name} ... 
', end='') + with conn.cursor() as cur: + cur.execute( + 'INSERT INTO albums_shared_users_users ("albumsId","usersId","role") VALUES (%s, %s, %s);', + (album_id, user_id, 'viewer'), + ) + print('done') + print() + +conn.close() diff --git a/bundles/docker-immich/items.py b/bundles/docker-immich/items.py new file mode 100644 index 0000000..8c9d54e --- /dev/null +++ b/bundles/docker-immich/items.py @@ -0,0 +1,3 @@ +files['/usr/local/bin/immich-auto-album-share.py'] = { + 'mode': '0755', +} diff --git a/bundles/docker-immich/metadata.py b/bundles/docker-immich/metadata.py index 5b73f70..288b7f1 100644 --- a/bundles/docker-immich/metadata.py +++ b/bundles/docker-immich/metadata.py @@ -1,6 +1,11 @@ assert node.has_bundle('docker-engine') defaults = { + 'apt': { + 'packages': { + 'python3-psycopg2': {}, + }, + }, 'docker-engine': { 'containers': { 'immich': { @@ -45,6 +50,9 @@ defaults = { }, }, }, + 'docker-immich': { + 'enable_auto_album_share': False, + }, 'nginx': { 'vhosts': { 'immich': { @@ -59,3 +67,23 @@ defaults = { }, }, } + + +@metadata_reactor.provides( + 'systemd-timers/timers/immich-auto-album-share', +) +def auto_album_share(metadata): + if not metadata.get('docker-immich/enable_auto_album_share'): + return {} + + return { + 'systemd-timers': { + 'timers': { + 'immich-auto-album-share': { + 'command': '/usr/local/bin/immich-auto-album-share.py', + 'environment': metadata.get('docker-engine/containers/immich/environment'), + 'when': 'minutely', + }, + }, + }, + } diff --git a/nodes/rottenraptor-server.toml b/nodes/rottenraptor-server.toml index 96eb5fb..2ab03f8 100644 --- a/nodes/rottenraptor-server.toml +++ b/nodes/rottenraptor-server.toml @@ -13,6 +13,9 @@ bundles = [ "zfs", ] +[metadata.docker-immich] +enable_auto_album_share = true + [metadata.icinga_options] period = "daytime" From 02320e2488503b201a2774b6fa0bc1b202b43299 Mon Sep 17 00:00:00 2001 
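Review bot: The script writes directly into Immich's `albums_shared_users_users` table every minute, bypassing the application's own validation, and it selects from `users` without excluding soft-deleted accounts, so any table or column rename in a future Immich release silently breaks it and removed users may keep being added as viewers; if the table carries a `deletedAt` column, add `WHERE "deletedAt" IS NULL` to the users query, and consider the album-sharing endpoint of the Immich API as the supported route. The docker network name `aaarghhh` is hard-coded in two places; read it from the environment or name it once in a constant at the top of the file. On the failure path the whole `docker network inspect` output is printed, which is noisy in a timer's journal; printing the container names found is enough. `from sys import exit` also shadows the builtin; `sys.exit(1)` is clearer.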
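Review bot: The timer is handed the complete immich container environment via `metadata.get('docker-engine/containers/immich/environment')`, which includes `DB_PASSWORD`; depending on how the systemd-timers bundle renders `environment`, that secret may land in a world-readable unit file or be visible to every local user through `systemctl show`. Pass only the four `DB_*` keys the script reads, e.g. `'environment': {k: v for k, v in env.items() if k.startswith('DB_')}`, and check that the bundle writes secrets via an `EnvironmentFile=` with restrictive permissions rather than `Environment=` lines. A short comment stating that the script needs database credentials, and why it runs as a host timer instead of inside the container, would also help the next reader.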
From: Franziska Kunsmann Date: Sat, 1 Mar 2025 12:56:21 +0100 Subject: [PATCH 123/181] add boilerplate prometheus node --- nodes/htz-cloud.prometheus.toml | 7 +++++++ 1 file changed, 7 insertions(+) create mode 100644 nodes/htz-cloud.prometheus.toml diff --git a/nodes/htz-cloud.prometheus.toml b/nodes/htz-cloud.prometheus.toml new file mode 100644 index 0000000..6532493 --- /dev/null +++ b/nodes/htz-cloud.prometheus.toml @@ -0,0 +1,7 @@ +hostname = "138.199.210.112" +groups = ["debian-bookworm"] + +[metadata.interfaces.eth0] +ips = ["138.199.210.112/32", "2a01:4f8:1c1e:65e4::1/64"] +gateway4 = "172.31.1.1" +gateway6 = "fe80::1" From a60156f9ff859655702e3aa6d7981fff1ef669b1 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sat, 1 Mar 2025 12:56:56 +0100 Subject: [PATCH 124/181] voc.infobeamer-cms: WICMP25 --- nodes/voc/infobeamer-cms.py | 28 +++++++++++++--------------- 1 file changed, 13 insertions(+), 15 deletions(-) diff --git a/nodes/voc/infobeamer-cms.py b/nodes/voc/infobeamer-cms.py index 043c7a5..55949e2 100644 --- a/nodes/voc/infobeamer-cms.py +++ b/nodes/voc/infobeamer-cms.py @@ -25,17 +25,15 @@ nodes['voc.infobeamer-cms'] = { }, 'infobeamer-cms': { 'domain': 'infobeamer.c3voc.de', - 'event_start_date': '2024-12-26', - 'event_duration_days': 5, + 'event_start_date': '2025-02-28', + 'event_duration_days': 3, 'config': { 'ADMIN_USERS': [], - 'NO_LIMIT_USERS': [ - 'github:stblassitude', - ], + 'NO_LIMIT_USERS': [], 'HOSTED_API_KEY': vault.decrypt('encrypt$gAAAAABhxJPH2sIGMAibU2Us1HoCVlNfF0SQQnVl0eiod48Zu8webL_-xk3wDw3yXw1Hkglj-2usl-D3Yd095yTSq0vZMCv2fh-JWwSPdJewQ45x9Ai4vXVD4CNz5vuJBESKS9xQWXTc'), 'INTERRUPT_KEY': vault.human_password_for('infobeamer-cms interrupt key 38c3', words=1), 'SETUP_IDS': [ - 255228, + 258552, ], # 'EXTRA_ASSETS': [{ # 'type': "image", 
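Review bot: The hunk re-targets the deployment to a new event but keeps `'INTERRUPT_KEY': vault.human_password_for('infobeamer-cms interrupt key 38c3', words=1)`, so the interrupt key shared with 38c3 staff stays valid for this event; since the key is derived from that identifier, change it to `'infobeamer-cms interrupt key wicmp25'` to rotate it, as the earlier commit in this series did for 38c3. `'ADMIN_USERS': []` also leaves the instance with no admin at all; if that is intentional for this event a comment saying so would stop someone from treating it as a mistake. The `config` dict continues beyond this hunk.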
@@ -64,21 +62,21 @@ nodes['voc.infobeamer-cms'] = { or #info-beamer on the cccv rocketchat instance. '''.strip(), }, - 'DEFAULT_SSO_PROVIDER': 'c3hub', + 'DEFAULT_SSO_PROVIDER': 'github', 'DEFAULT_ADMIN_SSO_PROVIDER': 'c3voc', 'oauth2_providers': { - #'github': { - # 'client_id': vault.decrypt('encrypt$gAAAAABiNwHfIu9PYFfJrF7qirn_9vdvvUlEhJnadoNSS5XlCDbI_aMyj21_ZYQxaCkc6_eVX6Cj1jEHZ7Vs6wM-XyQdW0nUOahtqG4uvnYCiM3GFKHW_wQ='), - # 'client_secret': vault.decrypt('encrypt$gAAAAABiNwHtdZC2XQ8IjosL7vsmrxZMwDIM6AD5dUlLo996tJs4qV7KJETHgYYZil2aMzClwhcE6JmxdhARRp7IJQ4rQQibelTNmyYSzj_V4puVpvma7SU0UZkTIG95SdPpoHY--Zba'), - #}, + 'github': { + 'client_id': vault.decrypt('encrypt$gAAAAABiNwHfIu9PYFfJrF7qirn_9vdvvUlEhJnadoNSS5XlCDbI_aMyj21_ZYQxaCkc6_eVX6Cj1jEHZ7Vs6wM-XyQdW0nUOahtqG4uvnYCiM3GFKHW_wQ='), + 'client_secret': vault.decrypt('encrypt$gAAAAABiNwHtdZC2XQ8IjosL7vsmrxZMwDIM6AD5dUlLo996tJs4qV7KJETHgYYZil2aMzClwhcE6JmxdhARRp7IJQ4rQQibelTNmyYSzj_V4puVpvma7SU0UZkTIG95SdPpoHY--Zba'), + }, 'c3voc': { 'client_id': 'uqzN2mYeMq4vxnHL6HNmBC80hsvYcfhzniiczdqV', 'client_secret': vault.decrypt('encrypt$gAAAAABnaZ0z-hQ3yYf8P1g4gyLLvNHcNkiXVtIq7M11qswbzcVM4upfgtxCWBlCgwLN3v7CxwDFQbJnosEq0hbX4c0TEoOausV4upJD0-5zP_1U18gbMGicpZ0TCzYyEhOqvCye7UmFOWzOmplSX1fz43Pf7peDeaPxHjqmxjw0khyExzWw4JPOd1V7LhnesJmPCfGKXn5YHMDicrdYeqFf0FySN1yA5gfLNo7y-S1QMJ6-n6Jct7uuifF9t2OV-zyOj3cKK13B'), }, - 'c3hub': { - 'client_id': '16oHBcVstcOKwt3EuX9E2urpYeVC0Dfo3Gzn2XhS', - 'client_secret': vault.decrypt('encrypt$gAAAAABnaoRKbORUcceyKu3tda3lgMIFC-e0cG0AeMdDYJ--EnTRxp8QcULOTf2oBtKQUk17hgwfsafTFi4eZq1FrjNgq1h5gm83oJYWLQ6pp8Rsp9kjwgtAXf72jIU-AOQxx02SoFMU8r5pdEFEX4FkU_ksbU6s7xgBW8oxq_WO2CXAppTUX61TeB9me2nSLFdJc5-v6RDpQfDvVAm7yNS_PhMvMgVzfEZrFM-EWF_bl0S_q0ejf88o9zaXHIMJpzMruVZOXD0T'), - }, + #'c3hub': { + # 'client_id': '16oHBcVstcOKwt3EuX9E2urpYeVC0Dfo3Gzn2XhS', + # 'client_secret': 
vault.decrypt('encrypt$gAAAAABnaoRKbORUcceyKu3tda3lgMIFC-e0cG0AeMdDYJ--EnTRxp8QcULOTf2oBtKQUk17hgwfsafTFi4eZq1FrjNgq1h5gm83oJYWLQ6pp8Rsp9kjwgtAXf72jIU-AOQxx02SoFMU8r5pdEFEX4FkU_ksbU6s7xgBW8oxq_WO2CXAppTUX61TeB9me2nSLFdJc5-v6RDpQfDvVAm7yNS_PhMvMgVzfEZrFM-EWF_bl0S_q0ejf88o9zaXHIMJpzMruVZOXD0T'), + #}, }, }, 'rooms': { From d40efd219210b3e5cd4be33f00471d0698dd2f04 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 2 Mar 2025 17:44:25 +0100 Subject: [PATCH 125/181] bundles/icinga2: add monitoring for ipmi interfaces --- .../icinga2/files/icinga2/hosts_template.conf | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/bundles/icinga2/files/icinga2/hosts_template.conf b/bundles/icinga2/files/icinga2/hosts_template.conf index 631fc8a..c28d8e4 100644 --- a/bundles/icinga2/files/icinga2/hosts_template.conf +++ b/bundles/icinga2/files/icinga2/hosts_template.conf @@ -23,6 +23,25 @@ object Host "${rnode.name}" { vars.notification.mail = true } +% if rnode._attributes.get('ipmi'): +object Host "IPMI ${rnode.name}" { + import "generic-host" + + address = "${rnode._attributes['ipmi']['hostname']}" + + vars.location = "${rnode.metadata.get('location', 'unknown')}" + vars.os = "ipmi" + + vars.pretty_name = "IPMI ${rnode.metadata.get('icinga_options/pretty_name', rnode.metadata.get('hostname'))}" + vars.show_on_statuspage = false + + vars.period = "${rnode.metadata.get('icinga_options/period', '24x7')}" + + vars.notification.sms = ${str(rnode.metadata.get('icinga_options/vars.notification.sms', True)).lower()} + vars.notification.mail = true +} +% endif + % for depends_on_host in sorted(rnode.metadata.get('icinga_options/also_affected_by', set())): object Dependency "${rnode.name}_depends_on_${depends_on_host}" { parent_host_name = "${depends_on_host}" From 8135e4160f6bb2853781a3c3d000c608c66132a4 Mon Sep 17 00:00:00 2001 
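Review bot: Switching SSO providers by commenting one `oauth2_providers` block out and another in leaves dead configuration (the whole `c3hub` entry, including its vault-encrypted `client_secret`, now lives in comments) and makes the next event's toggle another manual edit of the same lines; this is a style point, since the commented value is still a vault blob rather than a cleartext secret. Keeping both providers defined and switching only `'DEFAULT_SSO_PROVIDER': 'github'` (or gating the provider dict on an event-level flag) would keep the file diff-friendly and make it obvious which provider is live. If the CMS shows every configured provider on its login page and that is the reason `c3hub` had to go, a one-line comment next to the block saying so would explain the pattern to the next editor.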
From: Franziska Kunsmann Date: Sun, 2 Mar 2025 17:44:50 +0100 Subject: [PATCH 126/181] nodes.py: add demagify for ipmi data --- nodes.py | 2 ++ 1 file changed, 2 insertions(+) diff --git a/nodes.py b/nodes.py index f47f004..1798613 100644 --- a/nodes.py +++ b/nodes.py @@ -12,6 +12,8 @@ for name, data in nodes.items(): if 'password' in data: data['password'] = vault.decrypt(data['password']) + if 'ipmi' in data: + data['ipmi'].update(libs.demagify.demagify(data['ipmi'], vault)) data['metadata'].update(libs.demagify.demagify(data['metadata'], vault)) for node in Path(join(repo_path, "nodes")).rglob("*.py"): From 7a5ca524b43831659b636f9001ef7b8d26a194a2 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 2 Mar 2025 17:49:30 +0100 Subject: [PATCH 127/181] add ipmi information to hosts which have ipmi --- nodes/home.r630-ipmi.toml | 6 ------ nodes/home.r630.toml | 6 ++++++ nodes/proxmox-backupstorage.toml | 6 ++++++ nodes/rottenraptor-server-ipmi.toml | 7 ------- nodes/rottenraptor-server.toml | 6 ++++++ 5 files changed, 18 insertions(+), 13 deletions(-) delete mode 100644 nodes/home.r630-ipmi.toml delete mode 100644 nodes/rottenraptor-server-ipmi.toml diff --git a/nodes/home.r630-ipmi.toml b/nodes/home.r630-ipmi.toml deleted file mode 100644 index f58012b..0000000 --- a/nodes/home.r630-ipmi.toml +++ /dev/null @@ -1,6 +0,0 @@ -dummy = true - -[metadata.interfaces.eth0] -ips = ["172.19.138.23"] -dhcp = true -mac = "50:9a:4c:ad:f9:c4" diff --git a/nodes/home.r630.toml b/nodes/home.r630.toml index 408afb4..ffd4c46 100644 --- a/nodes/home.r630.toml +++ b/nodes/home.r630.toml @@ -2,6 +2,12 @@ hostname = "172.19.138.22" groups = ["debian-bookworm"] bundles = ["docker-engine", "nginx", "redis"] +#[ipmi] +#hostname = "172.19.138.23" +#username = "root" +#password = "calvin" +#interface = "lanplus" + [metadata] icinga_options.exclude_from_monitoring = true backups.exclude_from_backups = true 
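Review bot: `#password = "calvin"` in nodes/home.r630.toml puts a BMC password into the repository in cleartext, and it looks like the vendor default credential rather than a per-device secret; the two sibling hunks on this line use `!bwpass:` references for the same field, so the r630 entry should do the same (`#password = "!bwpass:<vault entry>"`) and the BMC itself should get a non-default password. The same literal is carried forward unchanged when the syntax is reworked in PATCH 132 and is enabled uncommented as `ipmi_password = "calvin"` in PATCH 136, from where it feeds the live icinga IPMI checks. Even with monitoring excluded for this node, a cleartext default credential in git history is worth rotating once the vault reference is in place.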
diff --git a/nodes/proxmox-backupstorage.toml b/nodes/proxmox-backupstorage.toml index 7d58297..8a9da36 100644 --- a/nodes/proxmox-backupstorage.toml +++ b/nodes/proxmox-backupstorage.toml @@ -1,6 +1,12 @@ hostname = "192.168.100.31" dummy = true +#[ipmi] +#hostname = "192.168.100.30" +#username = "root" +#password = "!bwpass:192.168.100.30/root" +#interface = "lanplus" + [metadata.icinga2_api.smartd.services."SMART STATUS CT480BX500SSD1_2314E6C5C695"] check_command = "sshmon" "vars.sshmon_command" = "CT480BX500SSD1_2314E6C5C695" diff --git a/nodes/rottenraptor-server-ipmi.toml b/nodes/rottenraptor-server-ipmi.toml deleted file mode 100644 index fdc76b9..0000000 --- a/nodes/rottenraptor-server-ipmi.toml +++ /dev/null @@ -1,7 +0,0 @@ -dummy = true - -[metadata.icinga_options] -period = "daytime" - -[metadata.interfaces.default] -ips = ["192.168.100.27/24"] diff --git a/nodes/rottenraptor-server.toml b/nodes/rottenraptor-server.toml index 2ab03f8..529984a 100644 --- a/nodes/rottenraptor-server.toml +++ b/nodes/rottenraptor-server.toml @@ -13,6 +13,12 @@ bundles = [ "zfs", ] +#[ipmi] +#hostname = "192.168.100.27" +#username = "Administrator" +#password = "!bwpass:bw/rottenraptor-server/ipmi" +#interface = "lanplus" + [metadata.docker-immich] enable_auto_album_share = true From e9e25f8a1ea074788180448201f5ade1ccef1343 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 2 Mar 2025 19:01:23 +0100 Subject: [PATCH 128/181] bundles/docker-engine: pull image before starting it --- bundles/docker-engine/files/docker-wrapper | 2 ++ 1 file changed, 2 insertions(+) diff --git a/bundles/docker-engine/files/docker-wrapper b/bundles/docker-engine/files/docker-wrapper index fe2a010..2821d29 100644 --- a/bundles/docker-engine/files/docker-wrapper +++ b/bundles/docker-engine/files/docker-wrapper @@ -24,6 +24,8 @@ then docker rm "${name}" || true + docker pull "${image}" + docker run -d \ --name "${name}" \ --env "PUID=$PUID" \ 
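Review bot: `docker pull "${image}"` before every `docker run` means that if `${image}` is a mutable tag, each restart may silently switch the container to whatever the tag currently points at, and a registry outage now breaks a restart that previously could have used the locally cached image (whether it aborts depends on `set -e`, which is outside the hunk). Pinning images by digest in the container metadata (`image@sha256:<digest>`), or at least tolerating the failure with `docker pull "${image}" || echo "pull failed, starting cached image" >&2`, keeps restarts deterministic. The enclosing script starts and ends outside the hunk.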
From c0a436385df7b8e087120323ced5899cc576f8d6 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Wed, 5 Mar 2025 21:26:35 +0100 Subject: [PATCH 129/181] update travelynx to 2.10.2 --- nodes/carlene.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nodes/carlene.toml b/nodes/carlene.toml index a455063..d936789 100644 --- a/nodes/carlene.toml +++ b/nodes/carlene.toml @@ -249,7 +249,7 @@ disks = [ ] [metadata.travelynx] -version = "2.10.0" +version = "2.10.2" mail_from = "travelynx@franzi.business" domain = "travelynx.franzi.business" From 4c6abb65eefa0484b154988e894cfb88dfb7d38f Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Thu, 6 Mar 2025 20:03:37 +0100 Subject: [PATCH 130/181] groups.py: don't overwrite toml groups --- groups.py | 1 - 1 file changed, 1 deletion(-) diff --git a/groups.py b/groups.py index d99ced7..b5acfd9 100644 --- a/groups.py +++ b/groups.py @@ -3,7 +3,6 @@ from pathlib import Path from bundlewrap.utils import error_context -groups = {} for group in Path(join(repo_path, "groups")).rglob("*.py"): with error_context(filename=str(group)): with open(group, 'r') as f: From a376d980cbb3738856fef79e73aae39fa71a5ba8 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Thu, 6 Mar 2025 20:32:31 +0100 Subject: [PATCH 131/181] add .bw_debug_history to gitignore --- .gitignore | 1 + 1 file changed, 1 insertion(+) diff --git a/.gitignore b/.gitignore index 7a53a34..8c736ec 100644 --- a/.gitignore +++ b/.gitignore @@ -3,3 +3,4 @@ __pycache__ *.swp .direnv .envrc.local +.bw_debug_history From 6d5ae359ebdd301229ab743f801cc6bbb772a7e2 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sat, 8 Mar 2025 09:11:10 +0100 Subject: [PATCH 132/181] node: correct syntax for ipmi data --- nodes/home.r630.toml | 9 ++++----- nodes/proxmox-backupstorage.toml | 9 ++++----- nodes/rottenraptor-server.toml | 9 ++++----- 3 files changed, 12 insertions(+), 15 deletions(-) 
diff --git a/nodes/home.r630.toml b/nodes/home.r630.toml index ffd4c46..03e2f56 100644 --- a/nodes/home.r630.toml +++ b/nodes/home.r630.toml @@ -2,11 +2,10 @@ hostname = "172.19.138.22" groups = ["debian-bookworm"] bundles = ["docker-engine", "nginx", "redis"] -#[ipmi] -#hostname = "172.19.138.23" -#username = "root" -#password = "calvin" -#interface = "lanplus" +#ipmi_hostname = "172.19.138.23" +#ipmi_username = "root" +#ipmi_password = "calvin" +#ipmi_interface = "lanplus" [metadata] icinga_options.exclude_from_monitoring = true diff --git a/nodes/proxmox-backupstorage.toml b/nodes/proxmox-backupstorage.toml index 8a9da36..a061f7e 100644 --- a/nodes/proxmox-backupstorage.toml +++ b/nodes/proxmox-backupstorage.toml @@ -1,11 +1,10 @@ hostname = "192.168.100.31" dummy = true -#[ipmi] -#hostname = "192.168.100.30" -#username = "root" -#password = "!bwpass:192.168.100.30/root" -#interface = "lanplus" +#ipmi_hostname = "192.168.100.30" +#ipmi_username = "root" +#ipmi_password = "!bwpass:192.168.100.30/root" +#ipmi_interface = "lanplus" [metadata.icinga2_api.smartd.services."SMART STATUS CT480BX500SSD1_2314E6C5C695"] check_command = "sshmon" diff --git a/nodes/rottenraptor-server.toml b/nodes/rottenraptor-server.toml index 529984a..964839c 100644 --- a/nodes/rottenraptor-server.toml +++ b/nodes/rottenraptor-server.toml @@ -13,11 +13,10 @@ bundles = [ "zfs", ] -#[ipmi] -#hostname = "192.168.100.27" -#username = "Administrator" -#password = "!bwpass:bw/rottenraptor-server/ipmi" -#interface = "lanplus" +#ipmi_hostname = "192.168.100.27" +#ipmi_username = "Administrator" +#ipmi_password = "!bwpass:bw/rottenraptor-server/ipmi" +#ipmi_interface = "lanplus" [metadata.docker-immich] enable_auto_album_share = true From 18207d2ae5303fd34d6b9f6552dc8ee4a51718e1 Mon Sep 17 00:00:00 2001 
From: Franziska Kunsmann Date: Sat, 8 Mar 2025 09:13:37 +0100 Subject: [PATCH 133/181] bundles/icinga2: fix ipmi check --- bundles/icinga2/files/icinga2/hosts_template.conf | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/bundles/icinga2/files/icinga2/hosts_template.conf b/bundles/icinga2/files/icinga2/hosts_template.conf index c28d8e4..ac56ef2 100644 --- a/bundles/icinga2/files/icinga2/hosts_template.conf +++ b/bundles/icinga2/files/icinga2/hosts_template.conf @@ -23,16 +23,16 @@ object Host "${rnode.name}" { vars.notification.mail = true } -% if rnode._attributes.get('ipmi'): -object Host "IPMI ${rnode.name}" { +% if rnode.ipmi_hostname: +object Host "${rnode.name} IPMI" { import "generic-host" - address = "${rnode._attributes['ipmi']['hostname']}" + address = "${rnode.ipmi_hostname}" vars.location = "${rnode.metadata.get('location', 'unknown')}" vars.os = "ipmi" - vars.pretty_name = "IPMI ${rnode.metadata.get('icinga_options/pretty_name', rnode.metadata.get('hostname'))}" + vars.pretty_name = "${rnode.metadata.get('icinga_options/pretty_name', rnode.metadata.get('hostname'))} IPMI" vars.show_on_statuspage = false vars.period = "${rnode.metadata.get('icinga_options/period', '24x7')}" From 333873383b93ab74c24f7c777b46469e0ecbce2c Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sat, 8 Mar 2025 09:26:13 +0100 Subject: [PATCH 134/181] scripts/passwords_for: various improvements --- scripts/passwords-for | 20 ++++++++++++++++---- 1 file changed, 16 insertions(+), 4 deletions(-) diff --git a/scripts/passwords-for b/scripts/passwords-for index 136ba99..d019e74 100755 --- a/scripts/passwords-for +++ b/scripts/passwords-for @@ -1,5 +1,7 @@ #!/usr/bin/env python3 + from os import environ +from os.path import abspath, dirname from sys import argv from bundlewrap.exceptions import FaultUnavailable 
@@ -7,13 +9,13 @@ from bundlewrap.metagen import NodeMetadataProxy from bundlewrap.repo import Repository from bundlewrap.utils import Fault -path = environ.get('BW_REPO_PATH', '.') -repo = Repository(path) +repo = Repository( + dirname(dirname(abspath(__file__))) +) def print_faults(dictionary, keypath=[]): for key, value in sorted(dictionary.items()): key = str(key) - if isinstance(value, Fault): try: resolved_fault = value.value @@ -27,12 +29,22 @@ def print_faults(dictionary, keypath=[]): elif isinstance(value, (dict, NodeMetadataProxy)): print_faults(value, keypath=keypath+[key]) + if len(argv) == 1: print('node name missing') exit(1) node = repo.get_node(argv[1]) +if node.username or node.password: + print_faults({ + 'username': node.username, + 'password': node.password, + }) +#if node.ipmi_username or node.ipmi_password: +# print_faults({ +# 'ipmi_username': node.ipmi_username, +# 'ipmi_password': node.ipmi_password, +# }) print_faults({ - 'password': node.password, 'metadata': node.metadata, }) From b5a9a502da053e0dabd93bb37a9b83bf390e3f81 Mon Sep 17 00:00:00 2001 From: Sophie Schiller Date: Wed, 19 Mar 2025 19:24:58 +0100 Subject: [PATCH 135/181] bw/ssl add new home wildcard --- data/ssl/_.home.sophies-kitchen.eu.crt.pem | 39 ++++++++++--------- ...me.sophies-kitchen.eu.crt_intermediate.pem | 36 ++++++++--------- .../_.home.sophies-kitchen.eu.key.pem.vault | 2 +- 3 files changed, 39 insertions(+), 38 deletions(-) diff --git a/data/ssl/_.home.sophies-kitchen.eu.crt.pem b/data/ssl/_.home.sophies-kitchen.eu.crt.pem index c0e1bad..bc6c33e 100644 --- a/data/ssl/_.home.sophies-kitchen.eu.crt.pem +++ b/data/ssl/_.home.sophies-kitchen.eu.crt.pem 
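Review bot: With `path = environ.get('BW_REPO_PATH', '.')` removed in the first hunk on this line, `from os import environ` (kept by the import hunk just above) is now unused and can be dropped; hard-wiring `Repository(dirname(dirname(abspath(__file__))))` also means the script can no longer be pointed at another checkout, which may be intended but deserves a comment. The context line `def print_faults(dictionary, keypath=[])` carries a mutable default argument; the recursion only ever builds new lists so it is harmless today, but `keypath=None` plus `keypath = keypath or []` removes the trap. The commented-out `ipmi_username`/`ipmi_password` block is dead code until the bundlewrap version that exposes those attributes is required; a `# TODO` stating that condition would be clearer than leaving it commented.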
@@ -1,23 +1,24 @@ -----BEGIN CERTIFICATE----- -MIIDxzCCA02gAwIBAgISA1HOrGT03Yk2QXIKpt4i5P2mMAoGCCqGSM49BAMDMDIx +MIID9jCCA3ygAwIBAgISBaRtAN5dI7hI3l+MeuwXGm48MAoGCCqGSM49BAMDMDIx CzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQDEwJF -NjAeFw0yNDEyMTkwMTE2MTdaFw0yNTAzMTkwMTE2MTZaMCIxIDAeBgNVBAMTF2hv -bWUuc29waGllcy1raXRjaGVuLmV1MHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEKI2X -YK5pxQUcBjOYQwH6OQBEaj2kVhtj1BgRXXrap/U3Zi9M1oKpDk22husbUDS4fACo -IFAsNYbFi15ayAwvkkcWEe4VkgYEdPVJes3XnkL1YOGzUpT9+eC6VbjCxjfdo4IC -NDCCAjAwDgYDVR0PAQH/BAQDAgeAMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEF -BQcDAjAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBRQB7GGtPhw9dPLCx28NgPOq+Wa -jjAfBgNVHSMEGDAWgBSTJ0aYA6lRaI6Y1sRCSNsjv1iU0jBVBggrBgEFBQcBAQRJ -MEcwIQYIKwYBBQUHMAGGFWh0dHA6Ly9lNi5vLmxlbmNyLm9yZzAiBggrBgEFBQcw -AoYWaHR0cDovL2U2LmkubGVuY3Iub3JnLzA9BgNVHREENjA0ghkqLmhvbWUuc29w +NTAeFw0yNTAzMTkxNzI1NTVaFw0yNTA2MTcxNzI1NTRaMCIxIDAeBgNVBAMTF2hv +bWUuc29waGllcy1raXRjaGVuLmV1MHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEMpwz +KfaRqcoUak1UJzHRmcy1Zz/9KmlEoja94JwEO7qqARCOJedwJ/MS8Zkz3ZkJvjv5 +iIXe9u6qbn/C8RS+/UqunvnCxTJeWMcXaI2p9M+DE7PlPQiIP1t/SPQ2QsIso4IC +YzCCAl8wDgYDVR0PAQH/BAQDAgeAMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEF +BQcDAjAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBSspYDX4yydAiYu+8XZw/Vu7IrW +xDAfBgNVHSMEGDAWgBSfK1/PPCFPnQS37SssxMZwi9LXDTBVBggrBgEFBQcBAQRJ +MEcwIQYIKwYBBQUHMAGGFWh0dHA6Ly9lNS5vLmxlbmNyLm9yZzAiBggrBgEFBQcw +AoYWaHR0cDovL2U1LmkubGVuY3Iub3JnLzA9BgNVHREENjA0ghkqLmhvbWUuc29w aGllcy1raXRjaGVuLmV1ghdob21lLnNvcGhpZXMta2l0Y2hlbi5ldTATBgNVHSAE -DDAKMAgGBmeBDAECATCCAQQGCisGAQQB1nkCBAIEgfUEgfIA8AB3AKLjCuRF772t -m3447Udnd1PXgluElNcrXhssxLlQpEfnAAABk9yyNhIAAAQDAEgwRgIhAOsCeRvZ -GUN1z2lGajkrKcCtffuDhwNRPAIN2we+oXuzAiEA7XeLDROcGGcOYUMin5xKE+qr -XwitlCEyUejC5xKJm1QAdQDM+w9qhXEJZf6Vm1PO6bJ8IumFXA2XjbapflTA/kwN -sAAAAZPcsjYwAAAEAwBGMEQCIFRahCu7PZCNkSF6+oyB3MAWoLQYmjlDXxeI91E0 -QfOkAiBGaToUTmM1n16nkX0hMVhNm7icCFojHkNCUzfSJ0wk8zAKBggqhkjOPQQD -AwNoADBlAjAgbshjfMt0K8pG2NzhVW1m/es3HJEtK4QGAe/BR5lgjLy1bJG/iLr9 
-eXPh4xACg5wCMQDx7cF2C2T06e9ogshtJGODQSM9tGHbtt2rpAbUAzWNZgu+F3XL -mwaSjFAL7mBYSMM= +DDAKMAgGBmeBDAECATAtBgNVHR8EJjAkMCKgIKAehhxodHRwOi8vZTUuYy5sZW5j +ci5vcmcvNjEuY3JsMIIBBAYKKwYBBAHWeQIEAgSB9QSB8gDwAHcATnWjJ1yaEMM4 +W2zU3z9S6x3w4I4bjWnAsfpksWKaOd8AAAGVr6ZJYgAABAMASDBGAiEA2TRwcna6 +vp3yZSUfXjd14SFvTZtXucSMJQQERKgwDekCIQCEppv+qukiFo4SjQBMQ50ptVXC +LMJZVy4A6VuMCmj3VQB1AOCSs/wMHcjnaDYf3mG5lk0KUngZinLWcsSwTaVtb1QE +AAABla+mSgEAAAQDAEYwRAIgXjJYEE32AFXfqx43ZOQrgP5cGdK5znOGCSxmjcMg +S/UCIBZNBTNVtJWGYKJQgS+bx7EbDDWobar7shNd1/jK0Kt3MAoGCCqGSM49BAMD +A2gAMGUCMQCoQeeM5wcNWCgtjoWPqduuEP/W0M4UrBydd2tVAAE7dbYb2Batj2Gg +qnaDMK2j/+ACMCNtwr4CWsgMAsK8HlDVM0UBvzEFOy2X+hkGzqOe0kfN+abHP0Sf +L0aZkl5gt8NcKg== -----END CERTIFICATE----- diff --git a/data/ssl/_.home.sophies-kitchen.eu.crt_intermediate.pem b/data/ssl/_.home.sophies-kitchen.eu.crt_intermediate.pem index 4652201..59039ae 100644 --- a/data/ssl/_.home.sophies-kitchen.eu.crt_intermediate.pem +++ b/data/ssl/_.home.sophies-kitchen.eu.crt_intermediate.pem 
@@ -1,27 +1,27 @@ -----BEGIN CERTIFICATE----- -MIIEVzCCAj+gAwIBAgIRALBXPpFzlydw27SHyzpFKzgwDQYJKoZIhvcNAQELBQAw +MIIEVzCCAj+gAwIBAgIRAIOPbGPOsTmMYgZigxXJ/d4wDQYJKoZIhvcNAQELBQAw TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMjQwMzEzMDAwMDAw WhcNMjcwMzEyMjM1OTU5WjAyMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNTGV0J3Mg -RW5jcnlwdDELMAkGA1UEAxMCRTYwdjAQBgcqhkjOPQIBBgUrgQQAIgNiAATZ8Z5G -h/ghcWCoJuuj+rnq2h25EqfUJtlRFLFhfHWWvyILOR/VvtEKRqotPEoJhC6+QJVV -6RlAN2Z17TJOdwRJ+HB7wxjnzvdxEP6sdNgA1O1tHHMWMxCcOrLqbGL0vbijgfgw +RW5jcnlwdDELMAkGA1UEAxMCRTUwdjAQBgcqhkjOPQIBBgUrgQQAIgNiAAQNCzqK +a2GOtu/cX1jnxkJFVKtj9mZhSAouWXW0gQI3ULc/FnncmOyhKJdyIBwsz9V8UiBO +VHhbhBRrwJCuhezAUUE8Wod/Bk3U/mDR+mwt4X2VEIiiCFQPmRpM5uoKrNijgfgw gfUwDgYDVR0PAQH/BAQDAgGGMB0GA1UdJQQWMBQGCCsGAQUFBwMCBggrBgEFBQcD -ATASBgNVHRMBAf8ECDAGAQH/AgEAMB0GA1UdDgQWBBSTJ0aYA6lRaI6Y1sRCSNsj -v1iU0jAfBgNVHSMEGDAWgBR5tFnme7bl5AFzgAiIyBpY9umbbjAyBggrBgEFBQcB +ATASBgNVHRMBAf8ECDAGAQH/AgEAMB0GA1UdDgQWBBSfK1/PPCFPnQS37SssxMZw +i9LXDTAfBgNVHSMEGDAWgBR5tFnme7bl5AFzgAiIyBpY9umbbjAyBggrBgEFBQcB AQQmMCQwIgYIKwYBBQUHMAKGFmh0dHA6Ly94MS5pLmxlbmNyLm9yZy8wEwYDVR0g BAwwCjAIBgZngQwBAgEwJwYDVR0fBCAwHjAcoBqgGIYWaHR0cDovL3gxLmMubGVu -Y3Iub3JnLzANBgkqhkiG9w0BAQsFAAOCAgEAfYt7SiA1sgWGCIpunk46r4AExIRc -MxkKgUhNlrrv1B21hOaXN/5miE+LOTbrcmU/M9yvC6MVY730GNFoL8IhJ8j8vrOL -pMY22OP6baS1k9YMrtDTlwJHoGby04ThTUeBDksS9RiuHvicZqBedQdIF65pZuhp -eDcGBcLiYasQr/EO5gxxtLyTmgsHSOVSBcFOn9lgv7LECPq9i7mfH3mpxgrRKSxH -pOoZ0KXMcB+hHuvlklHntvcI0mMMQ0mhYj6qtMFStkF1RpCG3IPdIwpVCQqu8GV7 -s8ubknRzs+3C/Bm19RFOoiPpDkwvyNfvmQ14XkyqqKK5oZ8zhD32kFRQkxa8uZSu -h4aTImFxknu39waBxIRXE4jKxlAmQc4QjFZoq1KmQqQg0J/1JF8RlFvJas1VcjLv -YlvUB2t6npO6oQjB3l+PNf0DpQH7iUx3Wz5AjQCi6L25FjyE06q6BZ/QlmtYdl/8 -ZYao4SRqPEs/6cAiF+Qf5zg2UkaWtDphl1LKMuTNLotvsX99HP69V2faNyegodQ0 -LyTApr/vT01YPE46vNsDLgK+4cL6TrzC/a4WcmF5SRJ938zrv/duJHLXQIku5v0+ -EwOy59Hdm0PT/Er/84dDV0CSjdR/2XuZM3kpysSKLgD1cKiDA+IRguODCxfO9cyY -Ig46v9mFmBvyH04= 
+Y3Iub3JnLzANBgkqhkiG9w0BAQsFAAOCAgEAH3KdNEVCQdqk0LKyuNImTKdRJY1C +2uw2SJajuhqkyGPY8C+zzsufZ+mgnhnq1A2KVQOSykOEnUbx1cy637rBAihx97r+ +bcwbZM6sTDIaEriR/PLk6LKs9Be0uoVxgOKDcpG9svD33J+G9Lcfv1K9luDmSTgG +6XNFIN5vfI5gs/lMPyojEMdIzK9blcl2/1vKxO8WGCcjvsQ1nJ/Pwt8LQZBfOFyV +XP8ubAp/au3dc4EKWG9MO5zcx1qT9+NXRGdVWxGvmBFRAajciMfXME1ZuGmk3/GO +koAM7ZkjZmleyokP1LGzmfJcUd9s7eeu1/9/eg5XlXd/55GtYjAM+C4DG5i7eaNq +cm2F+yxYIPt6cbbtYVNJCGfHWqHEQ4FYStUyFnv8sjyqU8ypgZaNJ9aVcWSICLOI +E1/Qv/7oKsnZCWJ926wU6RqG1OYPGOi1zuABhLw61cuPVDT28nQS/e6z95cJXq0e +K1BcaJ6fJZsmbjRgD5p3mvEf5vdQM7MCEvU0tHbsx2I5mHHJoABHb8KVBgWp/lcX +GWiWaeOyB7RP+OfDtvi2OsapxXiV7vNVs7fMlrRjY1joKaqmmycnBvAq14AEbtyL +sVfOS66B8apkeFX2NY4XPEYV4ZSCe8VHPrdrERk2wILG3T/EGmSIkCYVUMSnjmJd +VQD9F6Na/+zmXCc= -----END CERTIFICATE----- diff --git a/data/ssl/_.home.sophies-kitchen.eu.key.pem.vault b/data/ssl/_.home.sophies-kitchen.eu.key.pem.vault index 4b79230..8f76986 100644 --- a/data/ssl/_.home.sophies-kitchen.eu.key.pem.vault +++ b/data/ssl/_.home.sophies-kitchen.eu.key.pem.vault 
@@ -1 +1 @@ -encrypt$gAAAAABnY4Ga6MmpudhHnOVKVh3j6R071y-Bs6es3e3hNHkZP7Tfj6IomEhTSxWb_oG9HYZmhkadw66cmVRQcxp1wGChWWLye-ykadgy0xUCxGW3YmBWp4t--Yesvbjamaa5OlvDFWQVG5Zt4fsY7BloXRdio8XUdPKBkbi2MV0quvpqsFfOqr_ZmIOOkjLlZojfw9HQ7odM9lSAm8cVS5NXimOhA1ks_gK6CzJbzwhpbekCOcx5_sGhdb8XFUxLN-VBtmQ2HGIncou66rE1P3mBg2hDSyqiXapVMkqMjNoVM71V_5lUnAF7Lxce3nG72SnOe2oITnxRNcnaavxDEgd0ffM5revuCd-XWlaUW1iQrgSyQzJyD6Ukv-mM2IRpuoq79JdTZK_LNJkAmJozrGBT0c5ZwGVNLmZEcjQ1dk8jyYslF5s7rK1lmNvcTUaHGpFToXc1p-qFY8NNWj_Iu-MLE8PNrIscDg== \ No newline at end of file +encrypt$gAAAAABn2wvcFmCiy7gpvvwJzRVNJSSxLvlld2ob9O2ivyekdR6y1_k90Q1xZhs7-ombGAIyez1D7lvuNhYQrnff5TqRa9wKbIVyqOOj4lc5qS2jJWyMl9BCr7Fu0mdW0_33Ke5nGpc3mAMjwTLCn8aw-I_I0kALuhKvZ_H31Oy0Mdjw9rau8TmeWGmJDiPMyHlg_C6s2Gvj2VKHVuGeSVg01frjlTveK-ZsJNGvKm7njCqvqGJytFeV6iHzWYyzMTk8-z_xtv-PKH82ME_IdGVv8YcgmCrXWzzA35A3YEaac7uKui1RFzqN6K5sYL1hsxU9rAyidNRd1fp0CRlpyJWgcf_ykoe2u3ManhFOdMmJdx_nrt2znNLaiQqcSHWuws7pGeSZtX72rGa5ZEBF5xeTruhRSQyjMUuBZrqi75QKyYnpmNSpgh0fDHqHUVmSQ5vInd8Tai2BWz3oqKhrkqJMIXlKQn35Jw== \ No newline at end of file From 544c889e82602297bacb6db01c59587428732122 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Thu, 20 Mar 2025 22:12:30 +0100 Subject: [PATCH 136/181] bump bw version, enable ipmi information --- nodes/home.r630.toml | 8 ++++---- nodes/proxmox-backupstorage.toml | 8 ++++---- nodes/rottenraptor-server.toml | 8 ++++---- requirements.txt | 2 +- 4 files changed, 13 insertions(+), 13 deletions(-) diff --git a/nodes/home.r630.toml b/nodes/home.r630.toml index 03e2f56..f41bb19 100644 --- a/nodes/home.r630.toml +++ b/nodes/home.r630.toml 
@@ -2,10 +2,10 @@ hostname = "172.19.138.22" groups = ["debian-bookworm"] bundles = ["docker-engine", "nginx", "redis"] -#ipmi_hostname = "172.19.138.23" -#ipmi_username = "root" -#ipmi_password = "calvin" -#ipmi_interface = "lanplus" +ipmi_hostname = "172.19.138.23" +ipmi_username = "root" +ipmi_password = "calvin" +ipmi_interface = "lanplus" [metadata] icinga_options.exclude_from_monitoring = true diff --git a/nodes/proxmox-backupstorage.toml b/nodes/proxmox-backupstorage.toml index a061f7e..eee0256 100644 --- a/nodes/proxmox-backupstorage.toml +++ b/nodes/proxmox-backupstorage.toml @@ -1,10 +1,10 @@ hostname = "192.168.100.31" dummy = true -#ipmi_hostname = "192.168.100.30" -#ipmi_username = "root" -#ipmi_password = "!bwpass:192.168.100.30/root" -#ipmi_interface = "lanplus" +ipmi_hostname = "192.168.100.30" +ipmi_username = "root" +ipmi_password = "!bwpass:192.168.100.30/root" +ipmi_interface = "lanplus" [metadata.icinga2_api.smartd.services."SMART STATUS CT480BX500SSD1_2314E6C5C695"] check_command = "sshmon" diff --git a/nodes/rottenraptor-server.toml b/nodes/rottenraptor-server.toml index 964839c..dadc232 100644 --- a/nodes/rottenraptor-server.toml +++ b/nodes/rottenraptor-server.toml @@ -13,10 +13,10 @@ bundles = [ "zfs", ] -#ipmi_hostname = "192.168.100.27" -#ipmi_username = "Administrator" -#ipmi_password = "!bwpass:bw/rottenraptor-server/ipmi" -#ipmi_interface = "lanplus" +ipmi_hostname = "192.168.100.27" +ipmi_username = "Administrator" +ipmi_password = "!bwpass:bw/rottenraptor-server/ipmi" +ipmi_interface = "lanplus" [metadata.docker-immich] enable_auto_album_share = true diff --git a/requirements.txt b/requirements.txt index 7e81327..6b2227f 100644 --- a/requirements.txt +++ b/requirements.txt @@ -1,4 +1,4 @@ -bundlewrap>=4.16.0 +bundlewrap>=4.22.0 PyNaCl bundlewrap-pass semver From 0e2d25281e0d1cd57b6c092ae723b3724fd2946d Mon Sep 17 00:00:00 2001 
From: Franziska Kunsmann Date: Sat, 22 Mar 2025 19:46:35 +0100 Subject: [PATCH 137/181] voc.pretalx: remove fonts vhost --- data/nginx/files/extras/voc.pretalx/pretalx | 9 --------- 1 file changed, 9 deletions(-) diff --git a/data/nginx/files/extras/voc.pretalx/pretalx b/data/nginx/files/extras/voc.pretalx/pretalx index 1d1c718..8c82109 100644 --- a/data/nginx/files/extras/voc.pretalx/pretalx +++ b/data/nginx/files/extras/voc.pretalx/pretalx @@ -25,12 +25,3 @@ expires 365d; add_header Cache-Control "public"; } - - location /Uluagh8Oichai4Uk/ { - alias /var/www/pretalx/; - access_log off; - expires 365d; - add_header Cache-Control "public"; - autoindex on; - } - From 38ec7af32c68dd67efcc2e753a366460048b4e5d Mon Sep 17 00:00:00 2001 From: Sophie Schiller Date: Thu, 27 Mar 2025 10:09:09 +0100 Subject: [PATCH 138/181] matrix updates --- data/apt/files/gpg-keys/matrix.asc | 75 ++++++++++++------------------ nodes/sophie/miniserver.py | 2 +- 2 files changed, 32 insertions(+), 45 deletions(-) diff --git a/data/apt/files/gpg-keys/matrix.asc b/data/apt/files/gpg-keys/matrix.asc index 78f4114..41274cb 100644 --- a/data/apt/files/gpg-keys/matrix.asc +++ b/data/apt/files/gpg-keys/matrix.asc 
@@ -24,48 +24,35 @@ MT/11OWdhbRn5zxpg28KRhKcfTKOfeiObbDq5idDbAyhbzvKxyxTX6204q8fmUhh mq5EiRcBeKF5hQv9eyOyBcBsDnMJsV2+zEP8hVZleOncx8pn1uNNd1nWPX10/R5j BfgnlUSNNJWZ+YnPH1f71kduhn2iee58jbA1CXnVbFjPMI4c4p2yZsfBm74LziC1 PVrFtSd7WijWyP2rC3JoL7KQPvqyXJ53Yn4jGQx6brXFPY53lXicLoYTTByg7WK5 -nMfe+URZO54gAkGN7JLo+BhXiQJUBBMBCgA+FiEEqvmuhDp1hLWj5M0rz0WlEt4t -oFgFAly1EC0CGwMFCQlmAYAFCwkIBwIGFQoJCAsCBBYCAwECHgECF4AACgkQz0Wl -Et4toFhbAA//d00weP6G7o2fnzcfla5S5MYpvFvsuVaka1hV3mq3S2j9+RgSazeS -hgnlf4rvVu/zB62j5MrKFczXKhpUdP7K8CFAYDxf+OldSBCmYXjxzDW8oV/iC7D6 -FcyGv1O6JqV37uoSLqd4vFe3qSH6Ttz4x5kAnWOwps956EavMkkKNKtAd5iIr36S -vDmN+nAKkvcCqjrCuLNaXMFJwebFyQ9c9dVzrGwq1D8SwPx0ztzku4kDU1rbUfMZ -8WgxQ4MSDpuOnuu+zgatjgwbHuMkboTFhgCtWHivPLzYYlpXpI4ocuqhMzJV1LDe -DAvgugp19SK/3a+zNju6ffjrp6u4ty98cQDqNFiXsNrwKxv2h0VYWu5rUmj1OtP1 -1llQXGRI0NLBIdhPyqMIOg96aL3/lPXsRjyG1WMS/6kTuXfdI/UZRG9CFa+Dyt0k -scgtVPPA7PffLfQ4Y4apZX0/XCpx9t9ktzBkhfwdAIGbE9/j6Lxq6BecETNUh9QE -eHhIn6Z31Q0rlLHWthG9v8Sl3UZ6dCs6fk0mU2S2HJQEK8oN+sWq5blQNNbpM7KF -dybJxZwvaVIW55LWmwG2Ik14FaeHFzRzw4cZXnHcKqKBXJrmQUvj/jsDLuV2IZdD -MuXVHEIHEJrD7SwNspCUnHZvf9/jlX26RUriuYVWVR47VQuj92k6jVm5AY0EXLUR -XgEMAMiXBax8Hi1AgStFUdpsPU1Tq4Fcc2hcbfPVpyTIHIItJnMPmvgdsBx2B4CN -g9l0GfGu0CFeNzgnlnYhNmSriuIV9hVSy5qy2usVco7xfADt/wg+GgpUNFsmJGPR -LiESfDBPzIf9s7AmskRb3s64x4pDiRbR/OOD+J81XgLSBjOjuy44sTiVw4aD5zOb -I5etUwyW4GqweKF02ARTzge3/ek8Unuh9uBqAkfJxuL9Bl0i0QCRFaVc+XaTuI6H -uc0w0MwZ+cCH5I4Sqa7/V3/Tz83/D20VRXfb6gdOQBMAMXk6eecK4CAsbdY0Ego7 -IDU6/57RKYWTVKjWFT6YTrfj2/SundEulXZBEOsgByfrBQcuwSrJAECu9Y/5yDkm -48AthHdkESBqHna1KCc4ae9VbI88c2jRuEAVn1gZOgO4Teo9X653yo17idPuqxmj -g118V3cmAEdXoJpXB1Ey2S63xeOOa30OJVodLWGCL4wRMQwVd2HJcxLAUsfoMMXp -SfL0uwARAQABiQPyBBgBCgAmAhsCFiEEqvmuhDp1hLWj5M0rz0WlEt4toFgFAmQT -W7cFCQsgsVkBwAkQz0WlEt4toFjA9CAEGQEKAB0WIQRVhszAy7vvx6JYEa30c91E -czZd4QUCXLURXgAKCRD0c91EczZd4U5qC/wLYGzvpT+MI7SNg1of/1ekeRXzvXc8 -m8JC/cHAhrBzUaI8z9LJ7xna2DGt27eqeTtu/Shtknn+/8VaX9+7wm7UaGHWVmPF -kSt1Rs1x5Opxo6kabLc4HxGSc5buNx+awybFEt9VQdSUD3hiBgTQpu0CSMlcZIk6 
-C6xQHgmurSDj9AQ0xtLPqP1ZO/cOKk0A1tFjVGDdH9gEuVJPAFF86z39hiGNnYJc -ikyVXogjwQPs5Od+3PdGQ19heZp8n+2rVkhl+9yZaCHk+LAxwuQJpe5skvj1NrjD -3bSJ47Hu7POSftJXcSmLct2GW7jTMZaCEpKccNfSApvFRRb3hyRWTRtLQhhaMw3z -SwekA8VjKSinTyOxnRPa3rc7/rOqb5b8ZUAIzpTLd7al7+E0fmOfie93KYh+BV6F -uL0KJ0RNHm7zrgaVZbjDoqNIgkHK73+3a9NnSefsgbmCVxOxNM3lY7Jun1E/f/KE -6dTY7VGPP6aTtQrcq49Zj1MwPc0SG7VlZkzIOQ/+NSYFQ3/+49nw+qogt2r/Rj8e -AQEwD2ZbqCE30lMuqpmr4QTADccPtJmRIZ4zJMOOCggfnefYE4xvCBk5dSVtwFxu -GIGbYf29hI1VDuM2ak+kS+T8UC438FFVLUGQ19AYHpu5jLY3IAgqi4229G9R7mZa -1CVYBl4J6y/yKQ7OrmTltb1sYvSKXNl+dMrXrmRrMEdMViwtaQ8ZbA7CCNLVm3Cm -+SqbwSn1FQWptiEeZzDaOLWdJTBRLEFjLH77zrhOjJalhp0Mf1oMp04BSFKSXe5f -ZF8Pw70bJQXpl3cnzh/StasaRx7z0y63jsQA65RG7KCCZC5Idb8b0bRnjgw6tDNR -z/1BD+e6aJ9YUpTUZ+3GV1x3St+cPJAVdLq0nBpg2MvIm5weEQmNvDopH33f03M1 -isQRehf6vbTohMX5Z3BHdLoTwG3eRgVKgdcTLpkt4coRQL8W3DN81O6zBNby9XRA -851jGlc9Xkj6QLqf7966MfyR6s23JLEp2pg9Fa2o1NH4X4U3AFRAefQaBJIalWJj -8G++sWlmjPLUouhsxdX0L99FxYhC06RI2TQvlw6cbIPLOCv1h5rKIkKag6Gt3eMM -fnfvKn49QzptFmGBZ5Fd+sKjr3/IlnKIeCUBjCVsvsFAlcaO38ghGnayOBJZviz9 -ZW94e89LdsmxP1kNAEo= -=QODj +nMfe+URZO54gAkGN7JLo+BhXuQGNBFy1EV4BDADIlwWsfB4tQIErRVHabD1NU6uB +XHNoXG3z1ackyByCLSZzD5r4HbAcdgeAjYPZdBnxrtAhXjc4J5Z2ITZkq4riFfYV +UsuastrrFXKO8XwA7f8IPhoKVDRbJiRj0S4hEnwwT8yH/bOwJrJEW97OuMeKQ4kW +0fzjg/ifNV4C0gYzo7suOLE4lcOGg+czmyOXrVMMluBqsHihdNgEU84Ht/3pPFJ7 +ofbgagJHycbi/QZdItEAkRWlXPl2k7iOh7nNMNDMGfnAh+SOEqmu/1d/08/N/w9t +FUV32+oHTkATADF5OnnnCuAgLG3WNBIKOyA1Ov+e0SmFk1So1hU+mE6349v0rp3R +LpV2QRDrIAcn6wUHLsEqyQBArvWP+cg5JuPALYR3ZBEgah52tSgnOGnvVWyPPHNo +0bhAFZ9YGToDuE3qPV+ud8qNe4nT7qsZo4NdfFd3JgBHV6CaVwdRMtkut8Xjjmt9 +DiVaHS1hgi+METEMFXdhyXMSwFLH6DDF6Uny9LsAEQEAAYkD8gQYAQoAJgIbAhYh +BKr5roQ6dYS1o+TNK89FpRLeLaBYBQJnxeuFBQkO4xMnAcDA9CAEGQEKAB0WIQRV +hszAy7vvx6JYEa30c91EczZd4QUCXLURXgAKCRD0c91EczZd4U5qC/wLYGzvpT+M +I7SNg1of/1ekeRXzvXc8m8JC/cHAhrBzUaI8z9LJ7xna2DGt27eqeTtu/Shtknn+ +/8VaX9+7wm7UaGHWVmPFkSt1Rs1x5Opxo6kabLc4HxGSc5buNx+awybFEt9VQdSU 
+D3hiBgTQpu0CSMlcZIk6C6xQHgmurSDj9AQ0xtLPqP1ZO/cOKk0A1tFjVGDdH9gE +uVJPAFF86z39hiGNnYJcikyVXogjwQPs5Od+3PdGQ19heZp8n+2rVkhl+9yZaCHk ++LAxwuQJpe5skvj1NrjD3bSJ47Hu7POSftJXcSmLct2GW7jTMZaCEpKccNfSApvF +RRb3hyRWTRtLQhhaMw3zSwekA8VjKSinTyOxnRPa3rc7/rOqb5b8ZUAIzpTLd7al +7+E0fmOfie93KYh+BV6FuL0KJ0RNHm7zrgaVZbjDoqNIgkHK73+3a9NnSefsgbmC +VxOxNM3lY7Jun1E/f/KE6dTY7VGPP6aTtQrcq49Zj1MwPc0SG7VlZkwJEM9FpRLe +LaBY9+YQAKXMKKOY7D+cJVKjVDbVuhknB+vLLRIN7Yx6GxRxM0Q6wPo42WmstDui +ex6u5MN0UjoA7+bPrC/vGBGOIr56sIMiaHkCqhoQoz7vwKayTJHa8McO/x8oRMr1 +aPtDgvUU78N7cdSv01wMW7zF/anCESEtbpfOzd5SM5V+XuYJoVzm3KtAdKQIxH0X +khOPvDa9Nn2bCsEvkp0pds0c5STKPWBeMSYSYuJzf48lcmoDilruPl2PaXPY1oxN +ciOGVuiCoT/XAdYuw2iynU5eC6h7W6b9EQZ1XPatFhkfGSucWtypObgCe+UGojOP +xZvqujcKnZBzECzawFu45Gp7TjPXnbsLmH5tv4GvJ9R0AeBnnHzTTpkduq7C7lO/ +X8VyxPpisJZII6s8pymSuw0/0CCNodf4wd1ar7ATCixcmJutWCJi8HLzvfoXEe8J +hE/ZjUEkVpWwxYIsM/U4ImWmrus81dMqBDVHowxwXoeJHsHNeUGTa8fKkPFo7i54 +Y/GhsNRDIk9nOHNqucV6xx3+WPs5p8eEcNFLalqjONcugfOB6Sfo/NaR3Jus7p+7 +kmwJ4YNxXYnogj4I24PT1/+BTFrrjYMXgbVs8s0yL68AHDlEo5MxHk3C82+ukeI6 +97uC8U9NZEpwVDk2mNb3ngwHWzp7InGGi3bwozHPj8bGIPuBaAlF +=3XJ/ -----END PGP PUBLIC KEY BLOCK----- diff --git a/nodes/sophie/miniserver.py b/nodes/sophie/miniserver.py index 5fd1c11..b852a35 100644 --- a/nodes/sophie/miniserver.py +++ b/nodes/sophie/miniserver.py @@ -61,7 +61,7 @@ nodes["htz-cloud.miniserver"] = { }, "element-web": { "url": "chat.sophies-kitchen.eu", - "version": "v1.11.91", + "version": "v1.11.96", "config": { "default_server_config": { "m.homeserver": { From a592de005ebcc06056ce4cf68b2321d933af0ae4 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sat, 29 Mar 2025 13:37:45 +0100 Subject: [PATCH 139/181] bundles/docker-engine: fix backups and zfs dependencies --- bundles/docker-engine/items.py | 5 +++++ bundles/docker-engine/metadata.py | 21 ++++++++++++--------- 2 files changed, 17 insertions(+), 9 deletions(-) 
diff --git a/bundles/docker-engine/items.py b/bundles/docker-engine/items.py index 7050197..253daff 100644 --- a/bundles/docker-engine/items.py +++ b/bundles/docker-engine/items.py @@ -46,6 +46,10 @@ actions['docker_create_nondefault_network'] = { for app, config in node.metadata.get('docker-engine/containers', {}).items(): volumes = config.get('volumes', {}) user = config.get('user', f'docker-{app}') + directories[f'/var/opt/docker-engine/{app}'] = { + 'owner': user, + 'group': user, + } files[f'/opt/docker-engine/{app}'] = { 'source': 'docker-wrapper', @@ -97,6 +101,7 @@ for app, config in node.metadata.get('docker-engine/containers', {}).items(): svc_systemd[f'docker-{app}'] = { 'needs': { *deps, + f'directory:/var/opt/docker-engine/{app}', f'file:/opt/docker-engine/{app}', f'file:/usr/local/lib/systemd/system/docker-{app}.service', f'user:{user}', diff --git a/bundles/docker-engine/metadata.py b/bundles/docker-engine/metadata.py index 2b9212f..4600233 100644 --- a/bundles/docker-engine/metadata.py +++ b/bundles/docker-engine/metadata.py @@ -13,11 +13,6 @@ defaults = { }, }, }, - 'backups': { - 'paths': { - '/var/opt/docker-engine', - }, - }, 'nftables': { 'forward': { 'docker-engine': [ @@ -39,9 +34,7 @@ defaults = { }, 'zfs': { 'datasets': { - 'tank/docker-data': { - 'mountpoint': '/var/opt/docker-engine', - }, + 'tank/docker-data': {}, }, }, } @@ -72,6 +65,7 @@ def monitoring(metadata): @metadata_reactor.provides( + 'backups/paths', 'zfs/datasets', ) def zfs(metadata): @@ -79,10 +73,19 @@ def zfs(metadata): for app in metadata.get('docker-engine/containers', {}): datasets[f'tank/docker-data/{app}'] = { - 'mountpoint': f'/var/opt/docker-engine/{app}' + 'mountpoint': f'/var/opt/docker-engine/{app}', + 'needed_by': { + f'directory:/var/opt/docker-engine/{app}', + }, } return { + 'backups': { + 'paths': { + v['mountpoint'] + for v in datasets.values() + }, + }, 'zfs': { 'datasets': datasets, }, 
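Review bot: The new `directories[f'/var/opt/docker-engine/{app}']` item sets `owner`/`group` but no `mode`, so the per-container data directory — which typically holds the application's state and any credentials it writes — gets the bundle's default permissions; if that default is world-readable, `'mode': '0750'` next to `'group': user` would limit it to the container user. In metadata.py the `backups/paths` set is now derived from the datasets the `zfs` reactor creates, which is a sensible consolidation but couples backup scope to the dataset list; a short comment above the set comprehension, e.g. `# back up exactly the per-app datasets mounted below /var/opt/docker-engine`, would make that coupling explicit. Both reactors extend beyond the hunks shown.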
From 7cb8876231368337e29a7b51d0b5c369c1aeaea9 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sat, 29 Mar 2025 13:38:08 +0100 Subject: [PATCH 140/181] home.nas: add new samba share for watching c3voc streams --- nodes/home/nas.py | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/nodes/home/nas.py b/nodes/home/nas.py index 831513a..b98fb7d 100644 --- a/nodes/home/nas.py +++ b/nodes/home/nas.py @@ -180,6 +180,10 @@ nodes['home.nas'] = { }, 'samba': { 'shares': { + 'C3VOC': { + 'path': '/storage/nas/C3VOC', + 'force_group': 'nas', + }, 'TV': { 'path': '/storage/nas/TV', 'force_group': 'nas', From d71af7561ae72e2411b913e5569458c271f7d97f Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sat, 29 Mar 2025 18:07:17 +0100 Subject: [PATCH 141/181] add support for debian trixie --- bundles/apt/files/sources.list-debian-trixie | 3 +++ bundles/apt/items.py | 1 + groups/os.py | 4 ++++ 3 files changed, 8 insertions(+) create mode 100644 bundles/apt/files/sources.list-debian-trixie diff --git a/bundles/apt/files/sources.list-debian-trixie b/bundles/apt/files/sources.list-debian-trixie new file mode 100644 index 0000000..6ac79f3 --- /dev/null +++ b/bundles/apt/files/sources.list-debian-trixie @@ -0,0 +1,3 @@ +deb http://deb.debian.org/debian/ trixie main non-free contrib non-free-firmware +deb http://security.debian.org/debian-security trixie-security main contrib non-free +deb http://deb.debian.org/debian/ trixie-updates main contrib non-free diff --git a/bundles/apt/items.py b/bundles/apt/items.py index 0f3f92d..ea988af 100644 --- a/bundles/apt/items.py +++ b/bundles/apt/items.py @@ -5,6 +5,7 @@ supported_os = { 10: 'buster', 11: 'bullseye', 12: 'bookworm', + 13: 'trixie', 99: 'unstable', }, } diff --git a/groups/os.py b/groups/os.py index 98dacfa..34f49b2 100644 --- a/groups/os.py +++ b/groups/os.py 
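Review bot: The new sources.list-debian-trixie lists `main non-free contrib non-free-firmware` for the main suite but only `main contrib non-free` for `trixie-security` and `trixie-updates`, so packages installed from non-free-firmware would never receive security or stable updates; the two lines should carry the same component set, i.e. `deb http://security.debian.org/debian-security trixie-security main contrib non-free non-free-firmware` and the matching `trixie-updates` line. All three entries use plain `http://`; apt's signature checks cover integrity, but both Debian mirrors support `https://`, which keeps package metadata off the wire and is a cheap switch if the existing bookworm file is changed alongside.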
@@ -71,6 +71,10 @@ groups['debian-bookworm'] = { 'os_version': (12,) } +groups['debian-trixie'] = { + 'os_version': (13,) +} + groups['debian-sid'] = { 'os_version': (99,) } From e1d01d7bc6b15506ddc6d3df9c47aa8218c36ef0 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sat, 29 Mar 2025 18:08:06 +0100 Subject: [PATCH 142/181] bundles/paperless-ng: fix PAPERLESS_FILENAME_FORMAT --- bundles/paperless-ng/files/paperless.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/bundles/paperless-ng/files/paperless.conf b/bundles/paperless-ng/files/paperless.conf index 0cbd054..d943063 100644 --- a/bundles/paperless-ng/files/paperless.conf +++ b/bundles/paperless-ng/files/paperless.conf @@ -12,7 +12,7 @@ PAPERLESS_CONSUMPTION_DIR=/mnt/paperless/consume PAPERLESS_DATA_DIR=/mnt/paperless/data PAPERLESS_MEDIA_ROOT=/mnt/paperless/media PAPERLESS_STATICDIR=/opt/paperless/src/paperless-ngx/static -PAPERLESS_FILENAME_FORMAT={created_year}/{created_month}/{correspondent}/{asn}_{title} +PAPERLESS_FILENAME_FORMAT={{ created_year }}/{{ created_month }}/{{ correspondent }}/{{ asn }}_{{ title }} # Security and hosting From 61d60b788242b516a310459a186945ae0a04ea48 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sat, 29 Mar 2025 18:08:34 +0100 Subject: [PATCH 143/181] home.paperless: upgrade to debian trixie --- data/proftpd/files/home.paperless.conf | 7 ------- nodes/home/paperless.py | 2 +- 2 files changed, 1 insertion(+), 8 deletions(-) diff --git a/data/proftpd/files/home.paperless.conf b/data/proftpd/files/home.paperless.conf index 4d861ad..49a9c5b 100644 --- a/data/proftpd/files/home.paperless.conf +++ b/data/proftpd/files/home.paperless.conf @@ -10,15 +10,9 @@ ServerType standalone DeferWelcome off DefaultServer on -ShowSymlinks on - -TimeoutNoTransfer 600 -TimeoutStalled 600 -TimeoutIdle 1200 DisplayLogin welcome.msg DisplayChdir .message true -ListOptions "-l" DenyFilter \*.*/ 
@@ -34,7 +28,6 @@ User proftpd Group nogroup Umask 022 022 -AllowOverwrite on TransferLog /var/log/proftpd/xferlog SystemLog /var/log/proftpd/proftpd.log diff --git a/nodes/home/paperless.py b/nodes/home/paperless.py index 7a28c3d..654a79e 100644 --- a/nodes/home/paperless.py +++ b/nodes/home/paperless.py @@ -9,7 +9,7 @@ nodes['home.paperless'] = { 'proftpd', }, 'groups': { - 'debian-bookworm', + 'debian-trixie', 'webserver', }, 'metadata': { From da7928d0e6e384272a812dea83cecc1e2ca0e971 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sat, 29 Mar 2025 18:10:13 +0100 Subject: [PATCH 144/181] bundlespostfix: unit has changed since debian trixie --- bundles/postfix/metadata.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/bundles/postfix/metadata.py b/bundles/postfix/metadata.py index 1ccf633..f457b9b 100644 --- a/bundles/postfix/metadata.py +++ b/bundles/postfix/metadata.py @@ -14,7 +14,7 @@ defaults = { 'postfix': { 'services': { 'POSTFIX PROCESS': { - 'command_on_monitored_host': '/usr/local/share/icinga/plugins/check_systemd_unit postfix@-', + 'command_on_monitored_host': '/usr/local/share/icinga/plugins/check_systemd_unit postfix' + ('' if node.os_version >= (13,) else '@-'), }, 'POSTFIX QUEUE': { 'command_on_monitored_host': 'sudo /usr/local/share/icinga/plugins/check_postfix_queue -w 20 -c 40 -d 50', From 3bcf7ad714f86bf8dbc32ba9173f61a8c0cfdfc2 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sat, 29 Mar 2025 18:13:07 +0100 Subject: [PATCH 145/181] bunndles/sshmon: fix update checks --- bundles/sshmon/files/check_forgejo_for_new_release | 4 ++-- bundles/sshmon/files/check_github_for_new_release | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/bundles/sshmon/files/check_forgejo_for_new_release b/bundles/sshmon/files/check_forgejo_for_new_release index 3db5bcd..99dcd30 100644 --- a/bundles/sshmon/files/check_forgejo_for_new_release +++ b/bundles/sshmon/files/check_forgejo_for_new_release 
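Review bot: Dropping `AllowOverwrite on` is a behaviour change rather than cleanup: proftpd denies overwrites by default, so an upload that reuses a filename already present in the consumption directory will now be rejected instead of replaced — confirm that is what the paperless workflow wants, or keep the directive. The `TimeoutIdle`/`TimeoutNoTransfer`/`TimeoutStalled` values removed in the previous hunk likewise fall back to proftpd's built-in defaults. If the trixie package now ships these settings elsewhere, a short comment at the top of the file saying so would spare the next reader the archaeology.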
@@ -38,10 +38,10 @@ try: for i in releases: if i["tag_name"].startswith(tag_prefix): - if ( + if not (i["prerelease"] or i["draft"]) and ( newest_release is None or parse(i["tag_name"]) > parse(newest_release["tag_name"]) - ) and not (i["prerelease"] or i["draft"]): + ): newest_release = i assert newest_release is not None, "Could not determine latest release" diff --git a/bundles/sshmon/files/check_github_for_new_release b/bundles/sshmon/files/check_github_for_new_release index 3a50d94..ec510de 100644 --- a/bundles/sshmon/files/check_github_for_new_release +++ b/bundles/sshmon/files/check_github_for_new_release @@ -37,10 +37,10 @@ try: for i in releases: if i["tag_name"].startswith(tag_prefix): - if ( + if not (i["prerelease"] or i["draft"]) and ( newest_release is None or parse(i["tag_name"]) > parse(newest_release["tag_name"]) - ) and not (i["prerelease"] or i["draft"]): + ): newest_release = i assert newest_release is not None, "Could not determine latest release" From 7b51bb57f86d6a36d781f15c5199d1fbf3b178dc Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 30 Mar 2025 08:59:41 +0200 Subject: [PATCH 146/181] bundles/docker-immich: only start auto-album-share when postgresql is actually running --- bundles/docker-immich/metadata.py | 3 +++ bundles/systemd-timers/files/template.service | 7 +++++-- 2 files changed, 8 insertions(+), 2 deletions(-) diff --git a/bundles/docker-immich/metadata.py b/bundles/docker-immich/metadata.py index 288b7f1..3952922 100644 --- a/bundles/docker-immich/metadata.py +++ b/bundles/docker-immich/metadata.py @@ -83,6 +83,9 @@ def auto_album_share(metadata): 'command': '/usr/local/bin/immich-auto-album-share.py', 'environment': metadata.get('docker-engine/containers/immich/environment'), 'when': 'minutely', + 'requisite': { + 'docker-immich-postgresql.service', + }, }, }, }, diff --git a/bundles/systemd-timers/files/template.service b/bundles/systemd-timers/files/template.service index 09c3080..271b756 100644 
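Review bot: Reordering the condition is fine, but `parse(i["tag_name"])` still runs on every tag matching `tag_prefix`, and if `parse` is packaging's version parser (its import is above the hunk) a tag that is not PEP 440 raises `InvalidVersion` and the whole check errors out instead of skipping that tag; the identical hunk in check_github_for_new_release has the same exposure. Wrap the comparison, e.g. `try:` / `newer = newest_release is None or parse(i["tag_name"]) > parse(newest_release["tag_name"])` / `except Exception: continue`, and use `newer` in the `if`. The `assert newest_release is not None` below also vanishes under `python -O`, so an explicit `raise` would be more robust for a monitoring check. The enclosing `try:` block starts outside the hunk.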
--- a/bundles/systemd-timers/files/template.service +++ b/bundles/systemd-timers/files/template.service @@ -7,8 +7,11 @@ [Unit] Description=Service for Timer ${timer} After=network.target -% if config.get('requires', ''): -Requires=${config['requires']} +% if config.get('requires', set()): +Requires=${' '.join(sorted(config['requires']))} +% endif +% if config.get('requisite', set()): +Requisite=${' '.join(sorted(config['requisite']))} % endif [Service] From 74ca0ad2bc3795e1e4ce81d48aa81fcb78b3ebe3 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 30 Mar 2025 09:01:13 +0200 Subject: [PATCH 147/181] bundles/nextcloud: only run cron if postgresql is running --- bundles/nextcloud/metadata.py | 3 +++ 1 file changed, 3 insertions(+) diff --git a/bundles/nextcloud/metadata.py b/bundles/nextcloud/metadata.py index 8081cbe..73c7264 100644 --- a/bundles/nextcloud/metadata.py +++ b/bundles/nextcloud/metadata.py @@ -45,6 +45,9 @@ defaults = { 'pwd': '/var/www/nextcloud', 'user': 'www-data', 'when': '*:00/5', + 'requisite': { + 'postgresql.service', + }, }, }, }, From accd2145769ab996694a10f5b0fd860ab6f95515 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 30 Mar 2025 09:08:18 +0200 Subject: [PATCH 148/181] bundles/matrix-synapse: remove sliding sync --- bundles/matrix-synapse/items.py | 29 ----------------------------- bundles/matrix-synapse/metadata.py | 12 ------------ nodes/carlene.toml | 4 ---- 3 files changed, 45 deletions(-) diff --git a/bundles/matrix-synapse/items.py b/bundles/matrix-synapse/items.py index 47a9758..527cc5e 100644 --- a/bundles/matrix-synapse/items.py +++ b/bundles/matrix-synapse/items.py 
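Review bot: `Requires=${' '.join(sorted(config['requires']))}` changes the accepted type of `requires` from a string to a set; a caller that still passes a plain string such as `'postgresql.service'` will now have `sorted()` split it into characters, and `config.get('requires', set())` does nothing to catch that. Either normalise in the template, e.g. `<% requires = {config['requires']} if isinstance(config['requires'], str) else config['requires'] %>`, or confirm no metadata still carries a string value before merging. The new `Requisite=` block has the same shape, so apply the same treatment to both.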
@@ -57,32 +57,3 @@ svc_systemd = { }, }, } - -if node.metadata.get('matrix-synapse/sliding_sync/version', None): - files['/usr/local/bin/matrix-sliding-sync'] = { - 'content_type': 'download', - 'source': 'https://github.com/matrix-org/sliding-sync/releases/download/{}/syncv3_linux_amd64'.format( - node.metadata.get('matrix-synapse/sliding_sync/version'), - ), - 'content_hash': node.metadata.get('matrix-synapse/sliding_sync/sha1', None), - 'mode': '0755', - 'triggers': { - 'svc_systemd:matrix-sliding-sync:restart', - }, - } - - files['/usr/local/lib/systemd/system/matrix-sliding-sync.service'] = { - 'content_type': 'mako', - 'triggers': { - 'action:systemd-reload', - 'svc_systemd:matrix-sliding-sync:restart', - }, - } - - svc_systemd['matrix-sliding-sync'] = { - 'needs': { - 'file:/usr/local/bin/matrix-sliding-sync', - 'file:/usr/local/lib/systemd/system/matrix-sliding-sync.service', - 'postgres_db:synapse', - }, - } diff --git a/bundles/matrix-synapse/metadata.py b/bundles/matrix-synapse/metadata.py index 7af43f0..eac3005 100644 --- a/bundles/matrix-synapse/metadata.py +++ b/bundles/matrix-synapse/metadata.py @@ -88,14 +88,6 @@ def nginx(metadata): if not node.has_bundle('nginx'): raise DoNotRunAgain - wellknown_client_sliding_sync = {} - if metadata.get('matrix-synapse/sliding_sync/version', None): - wellknown_client_sliding_sync = { - 'org.matrix.msc3575.proxy': { - 'url': 'https://{}'.format(metadata.get('matrix-synapse/baseurl')), - }, - } - wellknown = { '/.well-known/matrix/client': { 'content': dumps({ @@ -105,7 +97,6 @@ def nginx(metadata): 'm.identity_server': { 'base_url': metadata.get('matrix-synapse/identity_server', 'https://matrix.org'), }, - **wellknown_client_sliding_sync, **metadata.get('matrix-synapse/additional_client_config', {}), }, sort_keys=True), 'return': 200, 
@@ -134,9 +125,6 @@ def nginx(metadata): 'target': 'http://[::1]:20080', 'max_body_size': '50M', }, - '/_matrix/client/unstable/org.matrix.msc3575/sync': { - 'target': 'http://127.0.0.1:20070', - }, '/_synapse': { 'target': 'http://[::1]:20080', }, diff --git a/nodes/carlene.toml b/nodes/carlene.toml index d936789..0aae01f 100644 --- a/nodes/carlene.toml +++ b/nodes/carlene.toml @@ -81,10 +81,6 @@ server_name = "franzi.business" trusted_key_servers = ["matrix.org", "161.rocks"] additional_client_config.'im.vector.riot.jitsi'.preferredDomain = "meet.ffmuc.net" wellknown_also_on_vhosts = ["franzi.business"] -[metadata.matrix-synapse.sliding_sync] -version = "v0.99.15" -sha1 = "cecb371ff5f1dd528cfc490484a0967dcc28cd82" -secret = "!decrypt:encrypt$gAAAAABl9yJlbEZafJ2mumtg03rW0-440NIgFcgdWGMo3Axrypugwctacy9Cq7MYtCBGjnDyNvVLI5B2QMJ9ssCD46NCsFRN3-X4u9rDtxPhRZV7rls_LQ_Csc_GsffJfvpmHbn_wsljd3I74h4ouWlYhhEQUIKwb3eErSZ_VTZhu_bC4jTa0FY=" [metadata.mautrix-telegram] version = "v0.15.2" From 149d9af16bafb63f913dfb25a8ed2ace176a34aa Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 30 Mar 2025 09:08:36 +0200 Subject: [PATCH 149/181] update forgejo to 10.0.3 --- nodes/carlene.toml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/nodes/carlene.toml b/nodes/carlene.toml index 0aae01f..9df6f57 100644 --- a/nodes/carlene.toml +++ b/nodes/carlene.toml @@ -37,8 +37,8 @@ imap_host = "secureimap.t-online.de" imap_pass = "!bwpass_attr:t-online.de/franzi.kunsmann@t-online.de:imap" [metadata.forgejo] -version = "10.0.1" -sha1 = "4bfe8cbe979ef8896e294ca662f4cf62af01531c" +version = "10.0.3" +sha1 = "d1199c43de9e69f6bb8058c15290e79862913413" domain = "git.franzi.business" enable_git_hooks = true install_ssh_key = true From 0685c1a64f5c1d5ae9212f6f9f33faaf7bfe5b18 Mon Sep 17 00:00:00 2001 
From: Franziska Kunsmann Date: Sun, 30 Mar 2025 09:09:01 +0200 Subject: [PATCH 150/181] aupdate mautrix-whatsapp to 0.11.4 --- nodes/carlene.toml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/nodes/carlene.toml b/nodes/carlene.toml index 9df6f57..c0e4a61 100644 --- a/nodes/carlene.toml +++ b/nodes/carlene.toml @@ -98,8 +98,8 @@ provisioning.shared_secret = "!decrypt:encrypt$gAAAAABfVKflEMAi07C_QGP8cy97hF-4g "'@kunsi:franzi.business'" = "admin" [metadata.mautrix-whatsapp] -version = "v0.11.3" -sha1 = "f1daba15750313fe205f6d3af2594f11992f0a35" +version = "v0.11.4" +sha1 = "71a064b82072d2cec3d655c8848af418c1f54c77" permissions."'@kunsi:franzi.business'" = "admin" [metadata.mautrix-whatsapp.homeserver] domain = "franzi.business" From 11a9800906627e6b61e36af18f880388e2ea14a4 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 30 Mar 2025 09:09:24 +0200 Subject: [PATCH 151/181] update netbox to 4.2.6 --- nodes/carlene.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nodes/carlene.toml b/nodes/carlene.toml index c0e4a61..0eef421 100644 --- a/nodes/carlene.toml +++ b/nodes/carlene.toml @@ -110,7 +110,7 @@ domain = "rss.franzi.business" [metadata.netbox] domain = "netbox.franzi.business" -version = "v4.2.4" +version = "v4.2.6" admins.kunsi = "hostmaster@kunbox.net" [metadata.nextcloud] From 5e32a562ec41519b58702edcf904a851d9cb2fd3 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Tue, 1 Apr 2025 17:17:18 +0200 Subject: [PATCH 152/181] bundles/nginx: fix error_log logging to file instead of being disabled --- bundles/nginx/files/nginx.conf | 2 +- nodes/home/nas.py | 1 + nodes/home/paperless.py | 1 + 3 files changed, 3 insertions(+), 1 deletion(-) diff --git a/bundles/nginx/files/nginx.conf b/bundles/nginx/files/nginx.conf index 7f7bd77..b020d3c 100644 --- a/bundles/nginx/files/nginx.conf +++ b/bundles/nginx/files/nginx.conf 
@@ -26,7 +26,7 @@ http { send_timeout 10; access_log off; - error_log off; + error_log /dev/null; client_body_buffer_size 16K; client_header_buffer_size 4k; diff --git a/nodes/home/nas.py b/nodes/home/nas.py index b98fb7d..fbc7bbd 100644 --- a/nodes/home/nas.py +++ b/nodes/home/nas.py @@ -168,6 +168,7 @@ nodes['home.nas'] = { 'nginx': { 'vhosts': { 'jellyfin': { + 'create_logs': True, 'domain': 'jellyfin.home.kunbox.net', 'ssl': '_.home.kunbox.net', }, diff --git a/nodes/home/paperless.py b/nodes/home/paperless.py index 654a79e..caffb73 100644 --- a/nodes/home/paperless.py +++ b/nodes/home/paperless.py @@ -42,6 +42,7 @@ nodes['home.paperless'] = { 'nginx': { 'vhosts': { 'paperless': { + 'create_logs': True, 'ssl': '_.home.kunbox.net', }, }, From 5a4c3284b65a2cf90d721352afcea299e0ba27e5 Mon Sep 17 00:00:00 2001 From: Sophie Schiller Date: Thu, 3 Apr 2025 20:08:25 +0200 Subject: [PATCH 153/181] sophie/vmhost: new disksgit add sophie/vmhost.py git add sophie/vmhost.py --- nodes/sophie/vmhost.py | 56 +++++++++++++++++++++++++++++++++++++++++- 1 file changed, 55 insertions(+), 1 deletion(-) diff --git a/nodes/sophie/vmhost.py b/nodes/sophie/vmhost.py index d6e56f3..3fa02ec 100644 --- a/nodes/sophie/vmhost.py +++ b/nodes/sophie/vmhost.py @@ -3,6 +3,7 @@ nodes['sophie.vmhost'] = { 'bundles': { 'backup-client', 'lm-sensors', + 'nfs-server', 'mosquitto', 'smartd', 'vmhost', @@ -12,6 +13,9 @@ nodes['sophie.vmhost'] = { 'debian-bookworm', }, 'metadata': { + 'groups': { + 'nas': {}, + }, 'interfaces': { 'br1': { 'ips': { 
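Review bot: The fix is correct — `off` is not a valid argument for `error_log`, nginx opens a file literally named `off` — but nothing in the file says so, and the next reader is likely to "simplify" it back; add `# 'off' is not valid for error_log (it creates a file named "off"); discard explicitly` above the directive. Consider also whether discarding everything is the right default: vhosts without `create_logs` now leave no trace of TLS handshake or upstream failures, and a global `error_log <path> crit;` (for example under /var/log/nginx) would keep the rare, serious events at negligible volume.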
@@ -49,11 +53,27 @@ nodes['sophie.vmhost'] = { '172.19.164.0/24', }, }, + 'nfs-server': { + 'shares': { + '/srv/nas': { + '172.19.164.0/24': 'ro,all_squash,anonuid=65534,anongid=65534,no_subtree_check', + }, + }, + }, + 'smartd': { + 'disks': { + '/dev/nvme0', + + # nas disks + '/dev/disk/by-id/ata-ST20000NM007D-3DJ103_ZVT7BHBQ', + '/dev/disk/by-id/ata-ST20000NM007D-3DJ103_ZVT7D6JP', + }, + }, 'systemd-networkd': { 'bridges': { 'br0': { 'match': { - 'eno1', + 'enp1s0', }, }, 'br1': { @@ -63,6 +83,26 @@ nodes['sophie.vmhost'] = { }, }, }, + 'systemd-timers': { + 'timers': { + # Ensure every user is able to read and write to the NAS dataset. + 'nas_permissions': { + 'command': [ + 'chown -R :nas /srv/nas/', + r'find /srv/nas/ -type d -exec chmod 0775 {} \;', + r'find /srv/nas/ -type f -exec chmod 0664 {} \;', + ], + 'when': '*-*-* 02:00:00', + }, + }, + }, + 'users': { + 'sophie': { + 'groups': { + 'nas', + }, + }, + }, 'zfs': { 'pools': { 'storage': { @@ -73,12 +113,26 @@ nodes['sophie.vmhost'] = { }, }] } + }, + 'nas': { + 'when_creating': { + 'config': [{ + 'type': 'mirror', + 'devices': { + '/dev/disk/by-id/ata-ST20000NM007D-3DJ103_ZVT7BHBQ', + '/dev/disk/by-id/ata-ST20000NM007D-3DJ103_ZVT7D6JP', + }, + }] + } } }, "datasets": { "storage/libvirt": { "mountpoint": "/var/lib/libvirt", }, + "nas": { + "mountpoint": "/srv/nas", + }, }, }, }, From 1f120b9923b484a18edd6bc06597bc33959cd515 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Tue, 1 Apr 2025 19:52:34 +0200 Subject: [PATCH 154/181] bundles/samba: fix timemachine backups dependencies --- bundles/samba/items.py | 3 +++ 1 file changed, 3 insertions(+) diff --git a/bundles/samba/items.py b/bundles/samba/items.py index a9567b4..5c60c69 100644 --- a/bundles/samba/items.py +++ b/bundles/samba/items.py @@ -82,4 +82,7 @@ if timemachine_shares: 'owner': f'timemachine-{share_name}', 'group': f'timemachine-{share_name}', 'mode': '0700', + 'needs': { + f'zfs_dataset:tank/timemachine/{share_name}', + }, } 
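Review bot: The nightly `nas_permissions` timer repairs group ownership after the fact; setting the setgid bit on directories makes new files inherit group `nas` at creation time, so a freshly written file is never unreadable to the other users until 02:00. Change the directory pass to `r'find /srv/nas/ -type d -exec chmod 2775 {} \;'` and keep the chown and file passes as they are. The two by-id disk paths are also repeated verbatim in `smartd.disks` and in the `nas` pool config; a module-level tuple referenced from both places would keep them from drifting. The enclosing `nodes['sophie.vmhost']` dict continues outside the hunk.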
From fd1ad352d0d56dae48a1f662fe10a0b5e3565fdf Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Fri, 4 Apr 2025 15:00:05 +0200 Subject: [PATCH 155/181] add revision-dect-vpn --- libs/s2s.py | 2 +- nodes/htz-cloud/wireguard.py | 8 ++++++++ nodes/revision-dect-vpn.toml | 26 ++++++++++++++++++++++++++ 3 files changed, 35 insertions(+), 1 deletion(-) create mode 100644 nodes/revision-dect-vpn.toml diff --git a/libs/s2s.py b/libs/s2s.py index d7c9e9f..fe0fc4e 100644 --- a/libs/s2s.py +++ b/libs/s2s.py @@ -5,7 +5,7 @@ AS_NUMBERS = { 'home': 4290000138, 'htz-cloud': 4290000137, 'ionos': 4290000002, - 'glauca': 4290207960, + 'revision': 4290000078, } WG_AUTOGEN_NODES = [ diff --git a/nodes/htz-cloud/wireguard.py b/nodes/htz-cloud/wireguard.py index d7f97ff..3ceaf2d 100644 --- a/nodes/htz-cloud/wireguard.py +++ b/nodes/htz-cloud/wireguard.py @@ -51,6 +51,7 @@ nodes['htz-cloud.wireguard'] = { '50-wireguard': [ 'udp dport 1194 accept', 'udp dport 51800 accept', + 'udp dport 51804 accept', # wg.c3voc.de 'udp dport 51801 ip saddr 185.106.84.42 accept', @@ -117,6 +118,13 @@ nodes['htz-cloud.wireguard'] = { 'psk': vault.decrypt('encrypt$gAAAAABnc7LZSHWmOOQJpbtnpMn9QuWnbiB-6rShwgqbilVd45GzkUwOfEHBw28P_TVm9XJgFiQPOIo12DdxPCzSxKRtcqzji72QCzTlze4ZYWjL-iHm7TydLcKzXOTCO42LKpkMPUgR'), 'pubkey': vault.decrypt('encrypt$gAAAAABnc7LZpfAeig8yCdcZ-NegshXl-DmkJr0F2OlQR2fqhVnrfKPjgOu-5Cq09KnhdvhomGx_9ZtoFS_3OsVqcFHEasBh27aQN41xZPzEN5-qIPQRnmVoTHpufcU6tC-37Fq-PeAE'), }, + 'revision-dect-vpn': { + 'endpoint': None, + 'exclude_from_monitoring': True, + 'my_port': 51804, + 'my_ip': '172.19.136.66', + 'their_ip': '172.19.136.67', + }, }, }, }, diff --git a/nodes/revision-dect-vpn.toml b/nodes/revision-dect-vpn.toml new file mode 100644 index 0000000..5789358 --- /dev/null +++ b/nodes/revision-dect-vpn.toml 
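Review bot: `udp dport 51804 accept` joins 1194/51800 as a rule without a source restriction while 51801 is pinned to a saddr; that is the right call here because the peer is declared with `'endpoint': None` (it dials in from behind NAT), but the rule should say so, e.g. `'udp dport 51804 accept',  # revision-dect-vpn: dynamic endpoint, cannot pin saddr`. The new peer entry also carries no `psk`, unlike the peers above it; if the wireguard bundle does not derive one automatically for node-to-node peers (`WG_AUTOGEN_NODES` in libs/s2s.py suggests it may), add one for consistency. The enclosing `nodes['htz-cloud.wireguard']` dict continues outside the hunk.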
@@ -0,0 +1,26 @@ +hostname = "10.1.3.252" +bundles = ["bird", "wireguard"] +groups = ["debian-bookworm"] + +[metadata] +location = "revision" +icinga_options.exclude_from_monitoring = true + +[metadata.bird] +static_routes = [ + "10.1.3.0/24", +] + +[metadata.interfaces.ens18] +ips = ["10.1.3.252/24"] +gateway4 = "10.1.3.1" + +[metadata.nftables.postrouting] +"50-router" = [ + "oifname ens18 masquerade", +] + +[metadata.wireguard.peers."htz-cloud.wireguard"] +my_port = 51804 +my_ip = "172.19.136.67" +their_ip = "172.19.136.66" From e1548ff61ee5fff174e1a4b1dfc6f037b019fcac Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Fri, 4 Apr 2025 17:17:11 +0200 Subject: [PATCH 156/181] bundles/samba: cannot have time machine and 'guest ok' shares on the same machine --- bundles/samba/items.py | 3 +++ nodes/home/nas.py | 18 ------------------ 2 files changed, 3 insertions(+), 18 deletions(-) diff --git a/bundles/samba/items.py b/bundles/samba/items.py index 5c60c69..2f5090e 100644 --- a/bundles/samba/items.py +++ b/bundles/samba/items.py @@ -66,6 +66,9 @@ for user, uconfig in node.metadata.get('users', {}).items(): if timemachine_shares: assert node.has_bundle('avahi-daemon'), f'{node.name}: samba needs avahi-daemon to publish time machine shares' + for share, share_config in node.metadata.get('samba/shares', {}).items(): + assert not share_config.get('guest_ok', True), f'{node.name} samba {share}: cannot have time machine shares and "guest ok" shares on the same machine' + files['/etc/avahi/services/timemachine.service'] = { 'content_type': 'mako', 'context': { diff --git a/nodes/home/nas.py b/nodes/home/nas.py index fbc7bbd..93fb47f 100644 --- a/nodes/home/nas.py +++ b/nodes/home/nas.py 
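Review bot: `share_config.get('guest_ok', True)` makes the new assertion fire for every share that does not explicitly set `guest_ok: False`, which is what forced the four shares out of home.nas in this same commit; that default is only right if the samba template also treats a missing key as `guest ok = yes`, otherwise it should be `False`. Whichever it is, record it inline, e.g. `# default must match the smb.conf template's treatment of a missing guest_ok`. The message should probably also name the time machine share that triggers the restriction, since the loop only sees the conflicting share.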
@@ -180,24 +180,6 @@ nodes['home.nas'] = { }, }, 'samba': { - 'shares': { - 'C3VOC': { - 'path': '/storage/nas/C3VOC', - 'force_group': 'nas', - }, - 'TV': { - 'path': '/storage/nas/TV', - 'force_group': 'nas', - }, - 'music': { - 'path': '/storage/nas/Musik', - 'force_group': 'nas', - }, - 'music_videos': { - 'path': '/storage/nas/Musikvideos', - 'force_group': 'nas', - }, - }, 'restrict-to': { '172.19.138.0/24', }, From 75e3ae91eab51b03a76fcab5bf7aed2d4b4b541b Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Fri, 4 Apr 2025 17:18:03 +0200 Subject: [PATCH 157/181] home.nas: add timemachine share for verrat --- nodes/home/nas.py | 1 + 1 file changed, 1 insertion(+) diff --git a/nodes/home/nas.py b/nodes/home/nas.py index 93fb47f..13694e6 100644 --- a/nodes/home/nas.py +++ b/nodes/home/nas.py @@ -185,6 +185,7 @@ nodes['home.nas'] = { }, 'timemachine-shares': { 'apfelcomputer', + 'verrat', }, }, 'smartd': { From ad909120747f0a69ff41f27804ab8a6099bf6745 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Fri, 4 Apr 2025 17:19:37 +0200 Subject: [PATCH 158/181] revision-dect-vpn: does not need to do backups --- nodes/revision-dect-vpn.toml | 1 + 1 file changed, 1 insertion(+) diff --git a/nodes/revision-dect-vpn.toml b/nodes/revision-dect-vpn.toml index 5789358..1340297 100644 --- a/nodes/revision-dect-vpn.toml +++ b/nodes/revision-dect-vpn.toml @@ -4,6 +4,7 @@ groups = ["debian-bookworm"] [metadata] location = "revision" +backups.exclude_from_backups = true icinga_options.exclude_from_monitoring = true [metadata.bird] From d584fd88d781f382bb222381c056b3f70c6a775c Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Fri, 4 Apr 2025 18:12:16 +0200 Subject: [PATCH 159/181] update travelynx to 2.11.13 --- nodes/carlene.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nodes/carlene.toml b/nodes/carlene.toml index 0eef421..fb6d22a 100644 --- a/nodes/carlene.toml +++ b/nodes/carlene.toml 
@@ -245,7 +245,7 @@ disks = [ ] [metadata.travelynx] -version = "2.10.2" +version = "2.11.13" mail_from = "travelynx@franzi.business" domain = "travelynx.franzi.business" From c905b7dc132f87565440461f06dbcb7db2a6aa5c Mon Sep 17 00:00:00 2001 From: Sophie Schiller Date: Sat, 5 Apr 2025 20:15:50 +0200 Subject: [PATCH 160/181] bw/nfs close ports no longer needed for nfs4 --- bundles/nfs-server/metadata.py | 5 ++++- nodes/sophie/vmhost.py | 6 ++++++ 2 files changed, 10 insertions(+), 1 deletion(-) diff --git a/bundles/nfs-server/metadata.py b/bundles/nfs-server/metadata.py index 73dc68a..d2f833c 100644 --- a/bundles/nfs-server/metadata.py +++ b/bundles/nfs-server/metadata.py @@ -33,7 +33,10 @@ def firewall(metadata): ips.add(share_target) rules = {} - for port in ('111', '2049', '1110', '4045', '35295'): + ports = ('111', '2049', '1110', '4045', '35295') + if metadata.get('nfs-server/version', 3) == 4: + ports = ('111', '2049') + for port in ports: for proto in ('/tcp', '/udp'): rules[port + proto] = atomic(ips) diff --git a/nodes/sophie/vmhost.py b/nodes/sophie/vmhost.py index 3fa02ec..aca520c 100644 --- a/nodes/sophie/vmhost.py +++ b/nodes/sophie/vmhost.py @@ -13,6 +13,11 @@ nodes['sophie.vmhost'] = { 'debian-bookworm', }, 'metadata': { + 'apt': { + 'packages': { + 'irqbalance': {}, + }, + }, 'groups': { 'nas': {}, }, @@ -54,6 +59,7 @@ nodes['sophie.vmhost'] = { }, }, 'nfs-server': { + 'version': 4, 'shares': { '/srv/nas': { '172.19.164.0/24': 'ro,all_squash,anonuid=65534,anongid=65534,no_subtree_check', From a15740c89972723879463b4be67f6055e390ee13 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Wed, 16 Apr 2025 09:02:18 +0200 Subject: [PATCH 161/181] bundles/backup-server: improve --- .../files/check_backup_for_node-cron | 15 +++--- bundles/backup-server/metadata.py | 53 ++++++------------- 2 files changed, 22 insertions(+), 46 deletions(-) 
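Review bot: For `version == 4` the loop still opens `2049/udp` and `111/udp`, but the Linux NFS server does not serve v4 over UDP, so those rules are dead firewall surface; make the protocol list follow the version as well, e.g. `protos = ('/tcp',) if version == 4 else ('/tcp', '/udp')` with `version = metadata.get('nfs-server/version', 3)` bound once above. Port 111 (rpcbind) is likewise not needed by v4 clients, so unless something else on the host still relies on rpcbind, `('2049',)` is the minimal v4 set. The `firewall` reactor starts outside the hunk.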
diff --git a/bundles/backup-server/files/check_backup_for_node-cron b/bundles/backup-server/files/check_backup_for_node-cron
index b82217d..ff1a368 100644
--- a/bundles/backup-server/files/check_backup_for_node-cron
+++ b/bundles/backup-server/files/check_backup_for_node-cron
@@ -15,16 +15,15 @@ for line in check_output('LC_ALL=C zfs list -H -t snapshot -o name', shell=True)
 line = line.decode('UTF-8')
 if line.startswith('{}/'.format(server_settings['zfs-base'])):
- dataset, snapname = line.split('@', 1)
+ try:
+ dataset, snapname = line.split('@', 1)
- dataset = dataset.split('/')[-1]
- ts, bucket = snapname.split('-', 1)
+ dataset = dataset.split('/')[-1]
+ ts, bucket = snapname.split('-', 1)
- if not ts.isdigit():
- # garbage, ignore
- continue
-
- snapshots[dataset].add(int(ts))
+ snapshots[dataset].add(int(ts))
+ except Exception as e:
+ print(f"Exception while parsing snapshot name {line!r}: {e!r}")
 backups = {}
 for dataset, snaps in snapshots.items():
diff --git a/bundles/backup-server/metadata.py b/bundles/backup-server/metadata.py
index aace61b..6714288 100644
--- a/bundles/backup-server/metadata.py
+++ b/bundles/backup-server/metadata.py
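Review bot: `except Exception` is broader than the `isdigit()` guard it replaces: besides garbage snapshot names it now also turns a `KeyError` from `snapshots[dataset]` (if `snapshots` is a plain dict) or a typo in this block into a printed line. Both expected failures — an unpack of `split()` with the wrong arity and `int(ts)` on a non-numeric timestamp — raise `ValueError`, so `except ValueError as e:` keeps the diagnostic while letting real bugs surface. Printing to stdout from a cron job ends up in cron mail; if that is the intended alert channel fine, otherwise `file=sys.stderr` is the conventional place. The enclosing `for line in ...` loop starts outside the hunk.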
@@ -83,47 +83,24 @@ def zfs_pool(metadata): devices = metadata.get('backup-server/encrypted-devices') - # TODO remove this once we have migrated all systems - if isinstance(devices, dict): - pool_devices = set() + pool_devices = set() - for number, (device, passphrase) in enumerate(sorted(devices.items())): - crypt_devices[device] = { - 'dm-name': f'backup{number}', - 'passphrase': passphrase, - } - pool_devices.add(f'/dev/mapper/backup{number}') - unlock_actions.add(f'action:dm-crypt_open_backup{number}') + for device, dconfig in devices.items(): + crypt_devices[dconfig['device']] = { + 'dm-name': f'backup-{device}', + 'passphrase': dconfig['passphrase'], + } + pool_devices.add(f'/dev/mapper/backup-{device}') + unlock_actions.add(f'action:dm-crypt_open_backup-{device}') - pool_config = [{ - 'devices': pool_devices, - }] + pool_config = [{ + 'devices': pool_devices, + }] - if len(pool_devices) > 2: - pool_config[0]['type'] = 'raidz' - elif len(pool_devices) > 1: - pool_config[0]['type'] = 'mirror' - - elif isinstance(devices, list): - pool_config = [] - - for idx, intended_pool in enumerate(devices): - pool_devices = set() - - for number, (device, passphrase) in enumerate(sorted(intended_pool.items())): - crypt_devices[device] = { - 'dm-name': f'backup{idx}-{number}', - 'passphrase': passphrase, - } - pool_devices.add(f'/dev/mapper/backup{idx}-{number}') - unlock_actions.add(f'action:dm-crypt_open_backup{idx}-{number}') - - pool_config.append({ - 'devices': pool_devices, - 'type': 'raidz', - }) - else: - raise BundleError(f'{node.name}: unsupported configuration for backup-server/encrypted-devices') + if len(pool_devices) > 2: + pool_config[0]['type'] = 'raidz' + elif len(pool_devices) > 1: + pool_config[0]['type'] = 'mirror' return { 'backup-server': { From a34f3a8d980b8b69e8a3577a5d27c93e7a7eaf50 Mon Sep 17 00:00:00 2001 
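Review bot: The explicit `raise BundleError(... unsupported configuration ...)` is gone, so a node still on the previous list-of-dicts layout for `backup-server/encrypted-devices` now dies inside `devices.items()` with an `AttributeError` instead of a message naming the node; keep a shape check at the top, `if not isinstance(devices, dict): raise BundleError(f'{node.name}: backup-server/encrypted-devices must map a name to {{device, passphrase}}')`. The dict key also flows unvalidated into `dm-name` and the `action:dm-crypt_open_backup-{device}` id, so a key containing a slash or whitespace would yield a broken mapper name — a one-line check on the key's characters catches that at metadata time. Any node migrated in place gets new `backup-<name>` mapper names while its existing pool was built on `/dev/mapper/backup0…`, which is worth a sentence in the commit or a comment here. `zfs_pool` starts outside the hunk.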
From: Franziska Kunsmann Date: Wed, 16 Apr 2025 09:03:23 +0200 Subject: [PATCH 162/181] backup-kunsi: new disks --- nodes/backup-kunsi.toml | 18 ++++++++++-------- 1 file changed, 10 insertions(+), 8 deletions(-) diff --git a/nodes/backup-kunsi.toml b/nodes/backup-kunsi.toml index 3e17bd7..4a47ae4 100644 --- a/nodes/backup-kunsi.toml +++ b/nodes/backup-kunsi.toml @@ -22,15 +22,17 @@ exclude_from_backups = true [metadata.backup-server.zpool_create_options] ashift = 12 -[[metadata.backup-server.encrypted-devices]] -"/dev/disk/by-id/scsi-0QEMU_QEMU_HARDDISK_drive-scsi1-part1" = "!bwpass:bw/backup-kunsi/ata-ST18000NM0092-3CX103_ZVV06SLR-part1" -"/dev/disk/by-id/scsi-0QEMU_QEMU_HARDDISK_drive-scsi2-part1" = "!bwpass:bw/backup-kunsi/ata-ST18000NM0092-3CX103_ZVV0686W-part1" -"/dev/disk/by-id/scsi-0QEMU_QEMU_HARDDISK_drive-scsi3-part1" = "!bwpass:bw/backup-kunsi/ata-ST18000NM0092-3CX103_ZVV06JV7-part1" +[metadata.backup-server.encrypted-devices.WVT0RNKF] +device = "/dev/disk/by-id/scsi-0QEMU_QEMU_HARDDISK_drive-scsi4" +passphrase = "!bwpass:bw/backup-kunsi/ata-ST20000NM007D-3DJ103_WVT0RNKF" -[[metadata.backup-server.encrypted-devices]] -"/dev/disk/by-id/scsi-0QEMU_QEMU_HARDDISK_drive-scsi1-part2" = "!bwpass:bw/backup-kunsi/ata-ST18000NM0092-3CX103_ZVV06SLR-part2" -"/dev/disk/by-id/scsi-0QEMU_QEMU_HARDDISK_drive-scsi2-part2" = "!bwpass:bw/backup-kunsi/ata-ST18000NM0092-3CX103_ZVV0686W-part2" -"/dev/disk/by-id/scsi-0QEMU_QEMU_HARDDISK_drive-scsi3-part2" = "!bwpass:bw/backup-kunsi/ata-ST18000NM0092-3CX103_ZVV06JV7-part2" +[metadata.backup-server.encrypted-devices.WVT0V0NQ] +device = "/dev/disk/by-id/scsi-0QEMU_QEMU_HARDDISK_drive-scsi5" +passphrase = "!bwpass:bw/backup-kunsi/ata-ST20000NM007D-3DJ103_WVT0V0NQ" + +[metadata.backup-server.encrypted-devices.WVT0W64H] +device = "/dev/disk/by-id/scsi-0QEMU_QEMU_HARDDISK_drive-scsi6" +passphrase = "!bwpass:bw/backup-kunsi/ata-ST20000NM007D-3DJ103_WVT0W64H" [metadata.zfs] scrub_when = "Wed 08:00 Europe/Berlin" 
From af5a75e0656793e7f250c25f64f14f4963278842 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Wed, 16 Apr 2025 09:03:53 +0200 Subject: [PATCH 163/181] home.nas: change storage layout --- nodes/home/downloadhelper.py | 2 +- nodes/home/nas.py | 99 ++++++++++++++---------------------- 2 files changed, 38 insertions(+), 63 deletions(-) diff --git a/nodes/home/downloadhelper.py b/nodes/home/downloadhelper.py index 4874561..4bd2f10 100644 --- a/nodes/home/downloadhelper.py +++ b/nodes/home/downloadhelper.py @@ -42,7 +42,7 @@ nodes['home.downloadhelper'] = { 'mounts': { 'storage': { 'mountpoint': '/mnt/nas', - 'serverpath': '172.19.138.20:/storage/download', + 'serverpath': '172.19.138.20:/mnt/download', 'mount_options': { 'retry=0', 'rw', diff --git a/nodes/home/nas.py b/nodes/home/nas.py index 13694e6..2f210d6 100644 --- a/nodes/home/nas.py +++ b/nodes/home/nas.py @@ -5,7 +5,6 @@ nodes['home.nas'] = { 'bundles': { 'avahi-daemon', 'backup-client', - 'dm-crypt', 'jellyfin', 'lm-sensors', 'mixcloud-downloader', @@ -69,22 +68,6 @@ nodes['home.nas'] = { 'avahi-aruba-fixup': '17,47 * * * * root /usr/bin/systemctl restart avahi-daemon.service', }, }, - 'dm-crypt': { - 'encrypted-devices': { - '/dev/disk/by-id/ata-Samsung_SSD_870_QVO_8TB_S5SSNJ0X409404K': { - 'dm-name': 'sam-S5SSNJ0X409404K', - 'passphrase': bwpass.password('bw/home.nas/dmcrypt/S5SSNJ0X409404K'), - }, - '/dev/disk/by-id/ata-Samsung_SSD_870_QVO_8TB_S5SSNJ0X409845F': { - 'dm-name': 'sam-S5SSNJ0X409845F', - 'passphrase': bwpass.password('bw/home.nas/dmcrypt/S5SSNJ0X409845F'), - }, - '/dev/disk/by-id/ata-Samsung_SSD_870_QVO_8TB_S5SSNJ0X409870J': { - 'dm-name': 'sam-S5SSNJ0X409870J', - 'passphrase': bwpass.password('bw/home.nas/dmcrypt/S5SSNJ0X409870J'), - }, - }, - }, 'groups': { 'nas': {}, }, 
@@ -154,7 +137,7 @@ nodes['home.nas'] = { }, 'nfs-server': { 'shares': { - '/storage/download': { + '/mnt/download': { 'home.downloadhelper': 'rw,all_squash,anonuid=65534,anongid=1012,no_subtree_check', }, '/storage/nas': { @@ -192,7 +175,7 @@ nodes['home.nas'] = { 'disks': { '/dev/nvme0', - # old nas disks + # nas/timemachine disks '/dev/disk/by-id/ata-WDC_WD6003FFBX-68MU3N0_V8GE15GR', '/dev/disk/by-id/ata-WDC_WD6003FFBX-68MU3N0_V8HJ406R', '/dev/disk/by-id/ata-WDC_WD6003FFBX-68MU3N0_V8HJBTLR', @@ -200,10 +183,9 @@ nodes['home.nas'] = { '/dev/disk/by-id/ata-WDC_WD6003FFBX-68MU3N0_V8J8ZKRR', '/dev/disk/by-id/ata-WDC_WD6003FFBX-68MU3N0_V9JS5UYL', - # encrypted disks - '/dev/disk/by-id/ata-Samsung_SSD_870_QVO_8TB_S5SSNJ0X409404K', - '/dev/disk/by-id/ata-Samsung_SSD_870_QVO_8TB_S5SSNJ0X409845F', - '/dev/disk/by-id/ata-Samsung_SSD_870_QVO_8TB_S5SSNJ0X409870J', + # ssdpool disks + '/dev/disk/by-id/ata-INTEL_SSDSC2KB960G8_PHYF244001QU960CGN', + '/dev/disk/by-id/ata-INTEL_SSDSC2KB960G8_PHYF244002AS960CGN', }, }, 'systemd-networkd': { @@ -258,6 +240,20 @@ nodes['home.nas'] = { 'zfs_arc_max_gb': 8, }, 'pools': { + 'ssdpool': { + 'when_creating': { + 'config': [ + { + 'type': 'mirror', + 'devices': { + '/dev/disk/by-id/ata-INTEL_SSDSC2KB960G8_PHYF244001QU960CGN', + '/dev/disk/by-id/ata-INTEL_SSDSC2KB960G8_PHYF244002AS960CGN', + }, + }, + ], + 'ashift': 12, + }, + }, 'tank': { 'when_creating': { 'config': [ 
@@ -276,67 +272,46 @@ nodes['home.nas'] = { 'ashift': 12, }, }, - 'encrypted': { - 'when_creating': { - 'config': [ - { - 'type': 'raidz', - 'devices': { - '/dev/mapper/sam-S5SSNJ0X409404K', - '/dev/mapper/sam-S5SSNJ0X409845F', - '/dev/mapper/sam-S5SSNJ0X409870J', - }, - }, - ], - 'ashift': 12, - }, - 'needs': { - 'action:dm-crypt_open_sam-S5SSNJ0X409404K', - 'action:dm-crypt_open_sam-S5SSNJ0X409845F', - 'action:dm-crypt_open_sam-S5SSNJ0X409870J', - }, - # see comment in bundle:backup-server - 'unless': 'zpool import encrypted', - }, }, 'datasets': { - 'encrypted': { + 'ssdpool': { 'primarycache': 'metadata', }, - 'encrypted/nas': { + 'ssdpool/yate': { + 'mountpoint': '/opt/yate', + }, + 'ssdpool/download': { + 'mountpoint': '/mnt/download', + 'quota': '858993459200', # 800 GB + }, + 'ssdpool/paperless': { + 'mountpoint': '/srv/paperless', + }, + 'tank': { + 'primarycache': 'metadata', + }, + 'tank/nas': { 'acltype': 'off', 'atime': 'off', 'compression': 'off', 'mountpoint': '/storage/nas', }, - 'tank': { - 'primarycache': 'metadata', - }, - 'tank/opt-yate': { - 'mountpoint': '/opt/yate', - }, - 'tank/download': { - 'mountpoint': '/storage/download', - }, - 'tank/paperless': { - 'mountpoint': '/srv/paperless', - }, }, 'snapshots': { 'retain_per_dataset': { - 'encrypted/nas': { + 'tank/nas': { # juuuuuuuust to be sure. 'daily': 14, 'weekly': 6, 'monthly': 12, }, - 'tank/download': { + 'ssdpool/download': { 'hourly': 48, 'daily': 0, 'weekly': 0, 'monthly': 0, }, - 'tank/paperless': { + 'ssdpool/paperless': { 'daily': 14, 'weekly': 6, 'monthly': 24, From 6f902c5c7b6c1e1852e086626b538964d59fac4d Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Wed, 16 Apr 2025 09:04:17 +0200 Subject: [PATCH 164/181] proxmox-backupstorage: more disks --- nodes/proxmox-backupstorage.toml | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/nodes/proxmox-backupstorage.toml b/nodes/proxmox-backupstorage.toml index eee0256..7f10946 100644 
--- a/nodes/proxmox-backupstorage.toml +++ b/nodes/proxmox-backupstorage.toml @@ -14,6 +14,18 @@ check_command = "sshmon" check_command = "sshmon" "vars.sshmon_command" = "CT480BX500SSD1_2314E6C5C6C8" +[metadata.icinga2_api.smartd.services."SMART STATUS ST20000NM007D-3DJ103_WVT0RNKF"] +check_command = "sshmon" +"vars.sshmon_command" = "ST20000NM007D-3DJ103_WVT0RNKF" + +[metadata.icinga2_api.smartd.services."SMART STATUS ST20000NM007D-3DJ103_WVT0V0NQ"] +check_command = "sshmon" +"vars.sshmon_command" = "ST20000NM007D-3DJ103_WVT0V0NQ" + +[metadata.icinga2_api.smartd.services."SMART STATUS ST20000NM007D-3DJ103_WVT0W64H"] +check_command = "sshmon" +"vars.sshmon_command" = "ST20000NM007D-3DJ103_WVT0W64H" + [metadata.icinga2_api.smartd.services."SMART STATUS ST18000NM0092-3CX103_ZVV0686W"] check_command = "sshmon" "vars.sshmon_command" = "ST18000NM0092-3CX103_ZVV0686W" From 80a5d3563a70bc8d423b82c48fc3ad48bd5c05db Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Wed, 16 Apr 2025 09:07:18 +0200 Subject: [PATCH 165/181] htz-cloud.wireguard: also announce ip we're routing --- nodes/htz-cloud/wireguard.py | 1 + 1 file changed, 1 insertion(+) diff --git a/nodes/htz-cloud/wireguard.py b/nodes/htz-cloud/wireguard.py index 3ceaf2d..e560667 100644 --- a/nodes/htz-cloud/wireguard.py +++ b/nodes/htz-cloud/wireguard.py @@ -37,6 +37,7 @@ nodes['htz-cloud.wireguard'] = { '172.19.137.0/24', '172.19.136.62/31', '172.19.136.64/31', + '172.19.136.66/31', '192.168.100.0/24', }, }, From 4bc94987a761aaba6cf778ce989c8242696edc59 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Wed, 16 Apr 2025 09:07:45 +0200 Subject: [PATCH 166/181] carlene: add 42c3 topic timer --- nodes/carlene.toml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/nodes/carlene.toml b/nodes/carlene.toml index fb6d22a..3457ef6 100644 --- a/nodes/carlene.toml +++ b/nodes/carlene.toml 
@@ -244,6 +244,11 @@ disks = [ "/dev/disk/by-id/nvme-SAMSUNG_MZVL22T0HBLB-00B00_S677NX0W114380", ] +[metadata.systemd-timers.timers.42c3-topic] +command = "/home/kunsi/42c3-topic.sh" +user = "kunsi" +when = "04:00:00 Europe/Berlin" + [metadata.travelynx] version = "2.11.13" mail_from = "travelynx@franzi.business" From 1af04b684657fae6e50e68c468540d9b10f777fe Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Wed, 23 Apr 2025 10:56:17 +0200 Subject: [PATCH 167/181] update forgejo to 11.0.0 --- nodes/carlene.toml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/nodes/carlene.toml b/nodes/carlene.toml index 3457ef6..ed051fb 100644 --- a/nodes/carlene.toml +++ b/nodes/carlene.toml @@ -37,8 +37,8 @@ imap_host = "secureimap.t-online.de" imap_pass = "!bwpass_attr:t-online.de/franzi.kunsmann@t-online.de:imap" [metadata.forgejo] -version = "10.0.3" -sha1 = "d1199c43de9e69f6bb8058c15290e79862913413" +version = "11.0.0" +sha1 = "3a12529ab21ca04f2b3e6cf7a6c91af18f00ee5d" domain = "git.franzi.business" enable_git_hooks = true install_ssh_key = true From a999071cca1c9c1a8d88dceb812af019979117a5 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Wed, 23 Apr 2025 10:56:34 +0200 Subject: [PATCH 168/181] update mautrix-whatsapp to 0.12.0 --- nodes/carlene.toml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/nodes/carlene.toml b/nodes/carlene.toml index ed051fb..f98154c 100644 --- a/nodes/carlene.toml +++ b/nodes/carlene.toml @@ -98,8 +98,8 @@ provisioning.shared_secret = "!decrypt:encrypt$gAAAAABfVKflEMAi07C_QGP8cy97hF-4g "'@kunsi:franzi.business'" = "admin" [metadata.mautrix-whatsapp] -version = "v0.11.4" -sha1 = "71a064b82072d2cec3d655c8848af418c1f54c77" +version = "v0.12.0" +sha1 = "02094da0a164099d4d35e5edb4b87875ad694833" permissions."'@kunsi:franzi.business'" = "admin" [metadata.mautrix-whatsapp.homeserver] domain = "franzi.business" From 19d80513915cfc0810c3bbe60fd6216b5e8485e0 Mon Sep 17 00:00:00 2001 
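Review bot: The new `42c3-topic` timer runs `/home/kunsi/42c3-topic.sh`, a script that lives in the user's home and is not part of this repository, so what carlene does at 04:00 depends on out-of-band state and a rebuild of the node would leave the timer failing every night until the script is copied back by hand. Either ship the script through a bundle (a `files` item next to the timer) or record the arrangement beside it, e.g. `# script is maintained by hand in kunsi's home, not deployed from this repo`. Running it as `user = "kunsi"` rather than root is the right call and worth keeping.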
From: Franziska Kunsmann Date: Wed, 23 Apr 2025 10:57:03 +0200 Subject: [PATCH 169/181] update netbox to 4.2.8 --- bundles/netbox/items.py | 4 ++-- nodes/carlene.toml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/bundles/netbox/items.py b/bundles/netbox/items.py index f261641..9edbf0b 100644 --- a/bundles/netbox/items.py +++ b/bundles/netbox/items.py @@ -38,8 +38,8 @@ actions['netbox_install'] = { 'triggered': True, 'command': ' && '.join([ 'cd /opt/netbox/src', - '/opt/netbox/venv/bin/pip install --upgrade pip wheel setuptools django-auth-ldap gunicorn', - '/opt/netbox/venv/bin/pip install --upgrade -r requirements.txt', + '/opt/netbox/venv/bin/pip install --upgrade --upgrade-strategy=eager pip wheel setuptools django-auth-ldap gunicorn', + '/opt/netbox/venv/bin/pip install --upgrade --upgrade-strategy=eager -r requirements.txt', ]), 'needs': { 'pkg_apt:build-essential', diff --git a/nodes/carlene.toml b/nodes/carlene.toml index f98154c..9c79e23 100644 --- a/nodes/carlene.toml +++ b/nodes/carlene.toml @@ -110,7 +110,7 @@ domain = "rss.franzi.business" [metadata.netbox] domain = "netbox.franzi.business" -version = "v4.2.6" +version = "v4.2.8" admins.kunsi = "hostmaster@kunbox.net" [metadata.nextcloud] From f72f701a5a92e1b24d8303132599320740f6ead0 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Wed, 23 Apr 2025 10:57:24 +0200 Subject: [PATCH 170/181] update paperless-ngx to 2.15.3 --- bundles/paperless-ng/files/paperless-webserver.service | 5 ++++- bundles/paperless-ng/metadata.py | 2 +- nodes/home/paperless.py | 2 +- 3 files changed, 6 insertions(+), 3 deletions(-) diff --git a/bundles/paperless-ng/files/paperless-webserver.service b/bundles/paperless-ng/files/paperless-webserver.service index 5d7f806..7c41aa7 100644 --- a/bundles/paperless-ng/files/paperless-webserver.service +++ b/bundles/paperless-ng/files/paperless-webserver.service 
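Review bot: `--upgrade-strategy=eager` on both pip lines of `netbox_install` makes every run pull the newest release of every unpinned package — `pip`, `wheel`, `setuptools`, `django-auth-ldap` and `gunicorn` on the first line, and every transitive dependency of `requirements.txt` on the second — so two deploys of the same netbox `version` can end up with different dependency sets, and a broken or compromised upstream release lands on the next run without any change in this repo. If the goal is only to let netbox's pinned direct requirements drag their dependencies forward on upgrade, keep eager on the second line but pin the first line's packages, or add a constraints file (`-c`) recording the versions that were actually tested. Whichever is chosen, a comment such as `# eager: netbox pins direct deps only, pull transitive deps along on upgrade` would explain the flag to the next reader.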
@@ -8,8 +8,11 @@ Requires=redis.service User=paperless Group=paperless Environment=PAPERLESS_CONFIGURATION_PATH=/opt/paperless/paperless.conf +Environment=GRANIAN_PORT=22070 +Environment=GRANIAN_WORKERS=4 +Environment=GRANIAN_HOST=::1 WorkingDirectory=/opt/paperless/src/paperless-ngx/src -ExecStart=/opt/paperless/venv/bin/gunicorn -c /opt/paperless/src/paperless-ngx/gunicorn.conf.py -b 127.0.0.1:22070 paperless.asgi:application +ExecStart=/opt/paperless/venv/bin/granian --interface asginl --ws "paperless.asgi:application" Restart=always RestartSec=10 SyslogIdentifier=paperless-webserver diff --git a/bundles/paperless-ng/metadata.py b/bundles/paperless-ng/metadata.py index 6746616..8db5342 100644 --- a/bundles/paperless-ng/metadata.py +++ b/bundles/paperless-ng/metadata.py @@ -99,7 +99,7 @@ def nginx(metadata): 'domain': metadata.get('paperless/domain'), 'locations': { '/': { - 'target': 'http://127.0.0.1:22070', + 'target': 'http://[::1]:22070', 'websockets': True, 'proxy_set_header': { 'X-Forwarded-Host': '$server_name', diff --git a/nodes/home/paperless.py b/nodes/home/paperless.py index caffb73..f7035a5 100644 --- a/nodes/home/paperless.py +++ b/nodes/home/paperless.py @@ -49,7 +49,7 @@ nodes['home.paperless'] = { }, 'paperless': { 'domain': 'paperless.home.kunbox.net', - 'version': 'v2.14.7', + 'version': 'v2.15.3', 'timezone': 'Europe/Berlin', }, 'postgresql': { From 3ec701b2b6dc0bc73174f76207247dcb6e90520c Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Wed, 23 Apr 2025 10:58:10 +0200 Subject: [PATCH 171/181] add rottenraptor vpn --- libs/s2s.py | 1 + nodes/htz-cloud/wireguard.py | 8 ++++++++ nodes/rottenraptor-vpn.toml | 27 +++++++++++++++++++++++++++ 3 files changed, 36 insertions(+) create mode 100644 nodes/rottenraptor-vpn.toml diff --git a/libs/s2s.py b/libs/s2s.py index fe0fc4e..8372ec2 100644 --- a/libs/s2s.py +++ b/libs/s2s.py 
@@ -6,6 +6,7 @@ AS_NUMBERS = { 'htz-cloud': 4290000137, 'ionos': 4290000002, 'revision': 4290000078, + 'rottenraptor': 4290000030, } WG_AUTOGEN_NODES = [ diff --git a/nodes/htz-cloud/wireguard.py b/nodes/htz-cloud/wireguard.py index e560667..1139390 100644 --- a/nodes/htz-cloud/wireguard.py +++ b/nodes/htz-cloud/wireguard.py @@ -53,6 +53,7 @@ nodes['htz-cloud.wireguard'] = { 'udp dport 1194 accept', 'udp dport 51800 accept', 'udp dport 51804 accept', + 'udp dport 51805 accept', # wg.c3voc.de 'udp dport 51801 ip saddr 185.106.84.42 accept', @@ -126,6 +127,13 @@ nodes['htz-cloud.wireguard'] = { 'my_ip': '172.19.136.66', 'their_ip': '172.19.136.67', }, + 'rottenraptor-vpn': { + 'endpoint': None, + 'exclude_from_monitoring': True, + 'my_port': 51805, + 'my_ip': '172.19.136.68', + 'their_ip': '172.19.136.69', + }, }, }, }, diff --git a/nodes/rottenraptor-vpn.toml b/nodes/rottenraptor-vpn.toml new file mode 100644 index 0000000..342ce1c --- /dev/null +++ b/nodes/rottenraptor-vpn.toml @@ -0,0 +1,27 @@ +hostname = "172.30.17.53" +bundles = ["bird", "wireguard"] +groups = ["debian-bookworm"] + +[metadata] +location = "rottenraptor" +backups.exclude_from_backups = true +icinga_options.exclude_from_monitoring = true + +[metadata.bird] +static_routes = [ + "172.30.17.0/24", +] + +[metadata.interfaces.ens18] +ips = ["172.30.17.53/24"] +gateway4 = "172.30.17.1" + +[metadata.nftables.postrouting] +"50-router" = [ + "oifname ens18 masquerade", +] + +[metadata.wireguard.peers."htz-cloud.wireguard"] +my_port = 51804 +my_ip = "172.19.136.69" +their_ip = "172.19.136.68" From 3d643efe0fb7b455f1ab7dff1a26895a7c7957f1 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Wed, 23 Apr 2025 11:05:48 +0200 Subject: [PATCH 172/181] bundles/zfs: fix dependencies --- bundles/zfs/items.py | 2 ++ 1 file changed, 2 insertions(+) diff --git a/bundles/zfs/items.py b/bundles/zfs/items.py index c63250e..530d27f 100644 --- a/bundles/zfs/items.py +++ b/bundles/zfs/items.py 
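Review bot: The spoke's `my_port = 51804` in the new `nodes/rottenraptor-vpn.toml` does not match the `my_port: 51805` (and the matching `udp dport 51805 accept` rule) that the hub hunk assigns to `rottenraptor-vpn`; 51804 is presumably the port the hub's existing `udp dport 51804 accept` rule serves for the neighbouring `.66/.67` peer. If `my_port` on the spoke is only its own listen port this is merely confusing, but if the bundle derives the remote endpoint port from it the tunnel will not come up; please confirm, and if it is a copy-paste slip change it to `my_port = 51805`. With `'endpoint': None` the hub must accept UDP 51805 from any source, which is what a NAT-ed spoke needs, so the nftables line is consistent with the peer entry; a short `# rottenraptor-vpn (no fixed endpoint)` on that rule would tie the two together.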
@@ -67,6 +67,7 @@ svc_systemd = { 'file:/etc/systemd/system/zfs-import-scan.service.d/bundlewrap.conf', }, 'after': { + 'bundle:dm-crypt', # might unlock disks 'pkg_apt:', }, 'before': { @@ -83,6 +84,7 @@ svc_systemd = { }, 'zfs-mount.service': { 'after': { + 'bundle:dm-crypt', # might unlock disks 'pkg_apt:', }, }, From f9e87bde9e660bf818c922b8950b5a9da494afa4 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Thu, 24 Apr 2025 11:12:49 +0200 Subject: [PATCH 173/181] update travelynx to 2.11.23 --- nodes/carlene.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nodes/carlene.toml b/nodes/carlene.toml index 9c79e23..3b53d0f 100644 --- a/nodes/carlene.toml +++ b/nodes/carlene.toml @@ -250,7 +250,7 @@ user = "kunsi" when = "04:00:00 Europe/Berlin" [metadata.travelynx] -version = "2.11.13" +version = "2.11.23" mail_from = "travelynx@franzi.business" domain = "travelynx.franzi.business" From 57c1eb26056694b7ca1b25db256708fae337044f Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Tue, 6 May 2025 18:32:20 +0200 Subject: [PATCH 174/181] bundles/docker-immich: database not existing should not error out the script after all, we have monitoring to ensure the database container runs --- .../files/immich-auto-album-share.py | 32 +++++++++++-------- 1 file changed, 19 insertions(+), 13 deletions(-) diff --git a/bundles/docker-immich/files/immich-auto-album-share.py b/bundles/docker-immich/files/immich-auto-album-share.py index 863f8b2..2cac6c2 100644 --- a/bundles/docker-immich/files/immich-auto-album-share.py +++ b/bundles/docker-immich/files/immich-auto-album-share.py @@ -1,5 +1,6 @@ #!/usr/bin/env python3 +import logging from json import loads from os import environ from subprocess import check_output 
@@ -12,6 +13,8 @@ PSQL_USER = environ['DB_USERNAME'] PSQL_PASS = environ['DB_PASSWORD'] PSQL_DB = environ['DB_DATABASE_NAME'] +logging.basicConfig(level=logging.INFO) + docker_networks = loads(check_output(['docker', 'network', 'inspect', 'aaarghhh'])) container_ip = None @@ -26,9 +29,9 @@ for network in docker_networks: container_ip = container['IPv4Address'].split('/')[0] if not container_ip: - print(f'could not find ip address for container {PSQL_HOST=} in json') - print(docker_networks) - exit(1) + logging.error(f'could not find ip address for container {PSQL_HOST=} in json') + logging.debug(f'{docker_networks=}') + exit(0) print(f'{PSQL_HOST=} {container_ip=}') @@ -49,6 +52,7 @@ with conn: } for i in cur.fetchall() } + logging.debug(f'{albums=}') with conn.cursor() as cur: cur.execute('SELECT "id","name" FROM users;') 
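Review bot: `logging.basicConfig(level=logging.INFO)` silences every `logging.debug(...)` / `log.debug(...)` call this commit adds (`docker_networks`, `albums`, `users`) as well as the `album_shares` and `container_ip` debug lines in the two follow-up commits, so the detail meant to help when the `container_ip` lookup fails is never written anywhere. Make the level configurable instead, e.g. `logging.basicConfig(level=environ.get('LOGLEVEL', 'INFO'))` — `environ` is already imported at the top of the script — or drop the debug lines. Note also that `logging.error(f'... {PSQL_HOST=} ...')` followed by `exit(0)` means the cron run looks successful to anything that only checks the exit status, so the error line is the only signal left; make sure it reaches the log destination you actually watch.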
@@ -56,25 +60,27 @@ with conn: i[0]: i[1] for i in cur.fetchall() } + logging.debug(f'{users=}') for album_id, album in albums.items(): - print(f'----- working on album: {album["name"]}') + log = logging.getLogger(album["name"]) with conn: with conn.cursor() as cur: cur.execute('SELECT "usersId" FROM albums_shared_users_users WHERE "albumsId" = %s;', (album_id,)) album_shares = [i[0] for i in cur.fetchall()] - print(f' album is shared with {len(album_shares)} users: {album_shares}') + log.info(f'album is shared with {len(album_shares)} users: {album_shares}') for user_id, user_name in users.items(): if user_id == album['owner'] or user_id in album_shares: continue - print(f' sharing album with user {user_name} ... ', end='') - with conn.cursor() as cur: - cur.execute( - 'INSERT INTO albums_shared_users_users ("albumsId","usersId","role") VALUES (%s, %s, %s);', - (album_id, user_id, 'viewer'), - ) - print('done') - print() + log.info(f'sharing album with user {user_name}') + try: + with conn.cursor() as cur: + cur.execute( + 'INSERT INTO albums_shared_users_users ("albumsId","usersId","role") VALUES (%s, %s, %s);', + (album_id, user_id, 'viewer'), + ) + except Exception: + log.exception('failure while creating share') conn.close() From 29799a1d339a3e5d1a01446c79d795cf5ef284f0 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Tue, 6 May 2025 18:33:49 +0200 Subject: [PATCH 175/181] bundles/docker-immich; do not log all those user ids if we don't need them --- bundles/docker-immich/files/immich-auto-album-share.py | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/bundles/docker-immich/files/immich-auto-album-share.py b/bundles/docker-immich/files/immich-auto-album-share.py index 2cac6c2..ad9aac7 100644 --- a/bundles/docker-immich/files/immich-auto-album-share.py +++ b/bundles/docker-immich/files/immich-auto-album-share.py 
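Review bot: Catching `Exception` around each `INSERT` while staying inside the same `with conn:` transaction means that after the first failed insert PostgreSQL puts the session into the aborted state, every later insert for that album fails with "current transaction is aborted" and is logged as yet another "failure while creating share", and the commit at the end of the `with conn:` block is turned into a rollback — so even the shares that did succeed for that album are lost. Roll back in the handler (`conn.rollback()` right after `log.exception('failure while creating share')`) or wrap each insert in a savepoint so a single bad row does not poison the album. Separately, `log = logging.getLogger(album["name"])` creates one cached logger per album name; `logging.getLogger(__name__)` with the album name in the message keeps the logger table bounded.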
@@ -68,7 +68,8 @@ for album_id, album in albums.items(): with conn.cursor() as cur: cur.execute('SELECT "usersId" FROM albums_shared_users_users WHERE "albumsId" = %s;', (album_id,)) album_shares = [i[0] for i in cur.fetchall()] - log.info(f'album is shared with {len(album_shares)} users: {album_shares}') + log.info(f'album is shared with {len(album_shares)} users') + log.debug(f'{album_shares=}') for user_id, user_name in users.items(): if user_id == album['owner'] or user_id in album_shares: continue From 2b0e559f6ce507c1d52840b1abbd5d411f5ab626 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Tue, 6 May 2025 18:35:31 +0200 Subject: [PATCH 176/181] bundles/docker-immich: remove leftover print statement --- bundles/docker-immich/files/immich-auto-album-share.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/bundles/docker-immich/files/immich-auto-album-share.py b/bundles/docker-immich/files/immich-auto-album-share.py index ad9aac7..cafd32c 100644 --- a/bundles/docker-immich/files/immich-auto-album-share.py +++ b/bundles/docker-immich/files/immich-auto-album-share.py @@ -33,7 +33,7 @@ if not container_ip: logging.debug(f'{docker_networks=}') exit(0) -print(f'{PSQL_HOST=} {container_ip=}') +logging.debug(f'{PSQL_HOST=} {container_ip=}') conn = psycopg2.connect( dbname=PSQL_DB, From ae079764395f3b770e52134eaf5610a3693f52e4 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Tue, 6 May 2025 20:57:41 +0200 Subject: [PATCH 177/181] bundles/nfs-server: add avahi config --- bundles/nfs-server/files/avahi.service | 10 +++++ bundles/nfs-server/files/exports | 2 +- bundles/nfs-server/items.py | 51 +++++++++++++++++--------- nodes/home/nas.py | 2 +- 4 files changed, 45 insertions(+), 20 deletions(-) create mode 100644 bundles/nfs-server/files/avahi.service diff --git a/bundles/nfs-server/files/avahi.service b/bundles/nfs-server/files/avahi.service new file mode 100644 index 0000000..394cdca --- /dev/null 
+++ b/bundles/nfs-server/files/avahi.service @@ -0,0 +1,10 @@ + + + + NFS ${path} on %h + + _nfs._tcp + 2049 + path=${path} + + diff --git a/bundles/nfs-server/files/exports b/bundles/nfs-server/files/exports index ad2ca4c..ac9c8f8 100644 --- a/bundles/nfs-server/files/exports +++ b/bundles/nfs-server/files/exports @@ -1,4 +1,4 @@ -% for path, shares in sorted(node.metadata['nfs-server']['shares'].items()): +% for path, shares in sorted(node.metadata.get('nfs-server/shares', {}).items()): % for share_target, share_options in sorted(shares.items()): % for ip_list in repo.libs.tools.resolve_identifier(repo, share_target).values(): % for ip in sorted(ip_list): diff --git a/bundles/nfs-server/items.py b/bundles/nfs-server/items.py index dacbc48..ce025cf 100644 --- a/bundles/nfs-server/items.py +++ b/bundles/nfs-server/items.py 
@@ -1,25 +1,40 @@ -files = { - '/etc/exports': { - 'content_type': 'mako', - 'triggers': { - 'action:nfs_reload_shares', - }, - }, - '/etc/default/nfs-kernel-server': { - 'source': 'etc-default', - 'triggers': { - 'svc_systemd:nfs-server:restart', - }, +from re import sub + +files['/etc/exports'] = { + 'content_type': 'mako', + 'triggers': { + 'action:nfs_reload_shares', }, } -actions = { - 'nfs_reload_shares': { - 'command': 'exportfs -a', - 'triggered': True, +files['/etc/default/nfs-kernel-server'] = { + 'source': 'etc-default', + 'triggers': { + 'svc_systemd:nfs-server:restart', }, } -svc_systemd = { - 'nfs-server': {}, +actions['nfs_reload_shares'] = { + 'command': 'exportfs -a', + 'triggered': True, } + +svc_systemd['nfs-server'] = {} + +if node.has_bundle('avahi-daemon'): + for path, shares in node.metadata.get('nfs-server/shares', {}).items(): + create_avahi_file = False + for share_target, share_options in shares.items(): + if ',insecure,' in f',{share_options},': + create_avahi_file = True + + if create_avahi_file: + share_name_normalized = sub('[^a-z0-9-_]+', '_', path) + + files[f'/etc/avahi/services/nfs{share_name_normalized}.service'] = { + 'source': 'avahi.service', + 'content_type': 'mako', + 'context': { + 'path': path, + }, + } diff --git a/nodes/home/nas.py b/nodes/home/nas.py index 2f210d6..e98955c 100644 --- a/nodes/home/nas.py +++ b/nodes/home/nas.py @@ -141,7 +141,7 @@ nodes['home.nas'] = { 'home.downloadhelper': 'rw,all_squash,anonuid=65534,anongid=1012,no_subtree_check', }, '/storage/nas': { - '172.19.138.0/24': 'ro,all_squash,anonuid=65534,anongid=65534,no_subtree_check', + '172.19.138.0/24': 'ro,all_squash,anonuid=65534,anongid=65534,no_subtree_check,insecure', }, '/srv/paperless': { 'home.paperless': 'rw,all_squash,anonuid=65534,anongid=65534,no_subtree_check', From cc94f10c2da1e8943246e6f3424697113f77d20e Mon Sep 17 00:00:00 2001 
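Review bot: The `if ',insecure,' in f',{share_options},':` test ties mDNS advertisement of a share to the NFS `insecure` export option, and nothing in `items.py` says why; the link (`insecure` lets clients connect from unprivileged source ports, which desktop NFS browsers that consume the `_nfs._tcp` record typically need) deserves a comment such as `# advertise via mDNS only the shares that unprivileged-port clients can mount (needs 'insecure' in exports)`. Two smaller points in the same hunk: `sub('[^a-z0-9-_]+', '_', path)` also folds upper-case characters into `_`, so two paths differing only in case would map to the same `/etc/avahi/services/nfs*.service` file — `[^A-Za-z0-9_-]+` keeps them distinct — and `share_target` is unused, so `for share_options in shares.values():` reads more directly. In the accompanying `nodes/home/nas.py` hunk the new `insecure` on `/storage/nas` is tempered by `ro,all_squash`; those options should stay together, since `insecure` alone widens who can mount the export.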
From: Franziska Kunsmann Date: Tue, 6 May 2025 20:58:33 +0200 Subject: [PATCH 178/181] remove mitel rfp35 --- nodes/home.mitel-rfp35.toml | 4 ---- nodes/home/nas.py | 3 --- 2 files changed, 7 deletions(-) delete mode 100644 nodes/home.mitel-rfp35.toml diff --git a/nodes/home.mitel-rfp35.toml b/nodes/home.mitel-rfp35.toml deleted file mode 100644 index 414658a..0000000 --- a/nodes/home.mitel-rfp35.toml +++ /dev/null @@ -1,4 +0,0 @@ -dummy = true - -[metadata.interfaces.default] -ips = ["172.19.138.41"] diff --git a/nodes/home/nas.py b/nodes/home/nas.py index e98955c..ebfdc2c 100644 --- a/nodes/home/nas.py +++ b/nodes/home/nas.py @@ -79,11 +79,9 @@ nodes['home.nas'] = { }, '5060/tcp': { # yate SIP 'home.snom-wohnzimmer', - 'home.mitel-rfp35', }, '5061/tcp': { # yate SIPS 'home.snom-wohnzimmer', - 'home.mitel-rfp35', }, # yate RTP uses some random UDP port. We cannot firewall # it, because for incoming calls the other side decides @@ -93,7 +91,6 @@ nodes['home.nas'] = { # to deal with randomly changing IPs here. '*/udp': { 'home.snom-wohnzimmer', - 'home.mitel-rfp35', }, }, }, From 2b69953d961e94e27821096eeff606b28a0ed419 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sat, 10 May 2025 10:05:50 +0200 Subject: [PATCH 179/181] update travelynx to 2.11.24 --- nodes/carlene.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nodes/carlene.toml b/nodes/carlene.toml index 3b53d0f..d5625d9 100644 --- a/nodes/carlene.toml +++ b/nodes/carlene.toml @@ -250,7 +250,7 @@ user = "kunsi" when = "04:00:00 Europe/Berlin" [metadata.travelynx] -version = "2.11.23" +version = "2.11.24" mail_from = "travelynx@franzi.business" domain = "travelynx.franzi.business" From afb6d21326ea053b04a0a7a0e8d5c91cb19e0a6b Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sat, 10 May 2025 11:19:45 +0200 Subject: [PATCH 180/181] home.nas: backup /home/kunsi --- nodes/home/nas.py | 1 + 1 file changed, 1 insertion(+) 
diff --git a/nodes/home/nas.py b/nodes/home/nas.py index ebfdc2c..d4a4211 100644 --- a/nodes/home/nas.py +++ b/nodes/home/nas.py @@ -60,6 +60,7 @@ nodes['home.nas'] = { }, 'backups': { 'paths': { + '/home/kunsi/', '/storage/nas/', }, }, From e47c8ce341125f67f07edcd1473b83571b7fd474 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sat, 10 May 2025 11:20:07 +0200 Subject: [PATCH 181/181] bundles/travelynx: disable registration by default --- bundles/travelynx/files/travelynx.conf | 6 ++++++ bundles/travelynx/metadata.py | 9 +++++---- 2 files changed, 11 insertions(+), 4 deletions(-) diff --git a/bundles/travelynx/files/travelynx.conf b/bundles/travelynx/files/travelynx.conf index 46883cf..f73e85f 100644 --- a/bundles/travelynx/files/travelynx.conf +++ b/bundles/travelynx/files/travelynx.conf @@ -33,6 +33,12 @@ from => '${mail_from}', }, +% if not enable_registration: + registration => { + disabled => 1, + }, +% endif + ref => { issues => 'https://github.com/derf/travelynx/issues', source => 'https://github.com/derf/travelynx', diff --git a/bundles/travelynx/metadata.py b/bundles/travelynx/metadata.py index b7dadd6..630fd27 100644 --- a/bundles/travelynx/metadata.py +++ b/bundles/travelynx/metadata.py @@ -10,11 +10,12 @@ defaults = { 'password': repo.vault.password_for('{} postgresql travelynx'.format(node.name)), 'database': 'travelynx', }, - 'workers': 4, - 'spare_workers': 2, - 'mail_from': 'travelynx@{}'.format(node.hostname), - 'cookie_secret': repo.vault.password_for('{} travelynx cookie_secret'.format(node.name)), 'additional_cookie_secrets': set(), + 'cookie_secret': repo.vault.password_for('{} travelynx cookie_secret'.format(node.name)), + 'enable_registration': False, + 'mail_from': 'travelynx@{}'.format(node.hostname), + 'spare_workers': 2, + 'workers': 4, }, 'postgresql': { 'roles': {