kunsi/bundlewrap
1
0
Fork 0
Code Issues 1 Pull requests Releases Activity

Compare commits

base: kunsi:main
Branches Tags
kunsi:main
kunsi:hetzner-dyndns
kunsi:navidrome
kunsi:unbound-sophie
kunsi:miniserverupdates
kunsi:new-wildcard-sophies-kitchen
kunsi:updates
kunsi:update-miniserver
kunsi:vmhostumzug
kunsi:jhtoolz
kunsi:sophiesheomenetwork
kunsi:feature/kunsi-ipv6-only-vlan
kunsi:sophie-dimension-cleanup
kunsi:kunsi-woodpecker
kunsi:kunsi-junos
kunsi:loudness-monitoring-gstreamer
..
compare: kunsi:navidrome
Branches Tags
kunsi:main
kunsi:hetzner-dyndns
kunsi:navidrome
kunsi:unbound-sophie
kunsi:miniserverupdates
kunsi:new-wildcard-sophies-kitchen
kunsi:updates
kunsi:update-miniserver
kunsi:vmhostumzug
kunsi:jhtoolz
kunsi:sophiesheomenetwork
kunsi:feature/kunsi-ipv6-only-vlan
kunsi:sophie-dimension-cleanup
kunsi:kunsi-woodpecker
kunsi:kunsi-junos
kunsi:loudness-monitoring-gstreamer

No commits in common. "main" and "navidrome" have entirely different histories.
main ... navidrome

61 changed files with 264 additions and 7581 deletions
Download patch file Download diff file Expand all files Collapse all files

1
bundles/apt/items.py
View file

@ -138,7 +138,6 @@ pkg_apt = {
'tmux': {}, 'tmux': {},
'tree': {}, 'tree': {},
'unzip': {}, 'unzip': {},
'util-linux': {},
'vim': {}, 'vim': {},
'wget': {}, 'wget': {},
'whois': {}, 'whois': {},

15
bundles/backup-server/files/check_backup_for_node-cron
View file

@ -15,15 +15,16 @@ for line in check_output('LC_ALL=C zfs list -H -t snapshot -o name', shell=True)
line = line.decode('UTF-8') line = line.decode('UTF-8')
if line.startswith('{}/'.format(server_settings['zfs-base'])): if line.startswith('{}/'.format(server_settings['zfs-base'])):
try: dataset, snapname = line.split('@', 1)
dataset, snapname = line.split('@', 1)
dataset = dataset.split('/')[-1] dataset = dataset.split('/')[-1]
ts, bucket = snapname.split('-', 1) ts, bucket = snapname.split('-', 1)
snapshots[dataset].add(int(ts)) if not ts.isdigit():
except Exception as e: # garbage, ignore
print(f"Exception while parsing snapshot name {line!r}: {e!r}") continue
snapshots[dataset].add(int(ts))
backups = {} backups = {}
for dataset, snaps in snapshots.items(): for dataset, snaps in snapshots.items():

53
bundles/backup-server/metadata.py
View file

@ -83,24 +83,47 @@ def zfs_pool(metadata):
devices = metadata.get('backup-server/encrypted-devices') devices = metadata.get('backup-server/encrypted-devices')
pool_devices = set() # TODO remove this once we have migrated all systems
if isinstance(devices, dict):
pool_devices = set()
for device, dconfig in devices.items(): for number, (device, passphrase) in enumerate(sorted(devices.items())):
crypt_devices[dconfig['device']] = { crypt_devices[device] = {
'dm-name': f'backup-{device}', 'dm-name': f'backup{number}',
'passphrase': dconfig['passphrase'], 'passphrase': passphrase,
} }
pool_devices.add(f'/dev/mapper/backup-{device}') pool_devices.add(f'/dev/mapper/backup{number}')
unlock_actions.add(f'action:dm-crypt_open_backup-{device}') unlock_actions.add(f'action:dm-crypt_open_backup{number}')
pool_config = [{ pool_config = [{
'devices': pool_devices, 'devices': pool_devices,
}] }]
if len(pool_devices) > 2: if len(pool_devices) > 2:
pool_config[0]['type'] = 'raidz' pool_config[0]['type'] = 'raidz'
elif len(pool_devices) > 1: elif len(pool_devices) > 1:
pool_config[0]['type'] = 'mirror' pool_config[0]['type'] = 'mirror'
elif isinstance(devices, list):
pool_config = []
for idx, intended_pool in enumerate(devices):
pool_devices = set()
for number, (device, passphrase) in enumerate(sorted(intended_pool.items())):
crypt_devices[device] = {
'dm-name': f'backup{idx}-{number}',
'passphrase': passphrase,
}
pool_devices.add(f'/dev/mapper/backup{idx}-{number}')
unlock_actions.add(f'action:dm-crypt_open_backup{idx}-{number}')
pool_config.append({
'devices': pool_devices,
'type': 'raidz',
})
else:
raise BundleError(f'{node.name}: unsupported configuration for backup-server/encrypted-devices')
return { return {
'backup-server': { 'backup-server': {

35
bundles/docker-immich/files/immich-auto-album-share.py
View file

@ -1,6 +1,5 @@
#!/usr/bin/env python3 #!/usr/bin/env python3
import logging
from json import loads from json import loads
from os import environ from os import environ
from subprocess import check_output from subprocess import check_output
@ -13,8 +12,6 @@ PSQL_USER = environ['DB_USERNAME']
PSQL_PASS = environ['DB_PASSWORD'] PSQL_PASS = environ['DB_PASSWORD']
PSQL_DB = environ['DB_DATABASE_NAME'] PSQL_DB = environ['DB_DATABASE_NAME']
logging.basicConfig(level=logging.INFO)
docker_networks = loads(check_output(['docker', 'network', 'inspect', 'aaarghhh'])) docker_networks = loads(check_output(['docker', 'network', 'inspect', 'aaarghhh']))
container_ip = None container_ip = None
@ -29,11 +26,11 @@ for network in docker_networks:
container_ip = container['IPv4Address'].split('/')[0] container_ip = container['IPv4Address'].split('/')[0]
if not container_ip: if not container_ip:
logging.error(f'could not find ip address for container {PSQL_HOST=} in json') print(f'could not find ip address for container {PSQL_HOST=} in json')
logging.debug(f'{docker_networks=}') print(docker_networks)
exit(0) exit(1)
logging.debug(f'{PSQL_HOST=} {container_ip=}') print(f'{PSQL_HOST=} {container_ip=}')
conn = psycopg2.connect( conn = psycopg2.connect(
dbname=PSQL_DB, dbname=PSQL_DB,
@ -52,7 +49,6 @@ with conn:
} }
for i in cur.fetchall() for i in cur.fetchall()
} }
logging.debug(f'{albums=}')
with conn.cursor() as cur: with conn.cursor() as cur:
cur.execute('SELECT "id","name" FROM users;') cur.execute('SELECT "id","name" FROM users;')
@ -60,28 +56,25 @@ with conn:
i[0]: i[1] i[0]: i[1]
for i in cur.fetchall() for i in cur.fetchall()
} }
logging.debug(f'{users=}')
for album_id, album in albums.items(): for album_id, album in albums.items():
log = logging.getLogger(album["name"]) print(f'----- working on album: {album["name"]}')
with conn: with conn:
with conn.cursor() as cur: with conn.cursor() as cur:
cur.execute('SELECT "usersId" FROM albums_shared_users_users WHERE "albumsId" = %s;', (album_id,)) cur.execute('SELECT "usersId" FROM albums_shared_users_users WHERE "albumsId" = %s;', (album_id,))
album_shares = [i[0] for i in cur.fetchall()] album_shares = [i[0] for i in cur.fetchall()]
log.info(f'album is shared with {len(album_shares)} users') print(f' album is shared with {len(album_shares)} users: {album_shares}')
log.debug(f'{album_shares=}')
for user_id, user_name in users.items(): for user_id, user_name in users.items():
if user_id == album['owner'] or user_id in album_shares: if user_id == album['owner'] or user_id in album_shares:
continue continue
log.info(f'sharing album with user {user_name}') print(f' sharing album with user {user_name} ... ', end='')
try: with conn.cursor() as cur:
with conn.cursor() as cur: cur.execute(
cur.execute( 'INSERT INTO albums_shared_users_users ("albumsId","usersId","role") VALUES (%s, %s, %s);',
'INSERT INTO albums_shared_users_users ("albumsId","usersId","role") VALUES (%s, %s, %s);', (album_id, user_id, 'viewer'),
(album_id, user_id, 'viewer'), )
) print('done')
except Exception: print()
log.exception('failure while creating share')
conn.close() conn.close()

6
bundles/hetzner-dyndns/items.py
View file

@ -1,6 +0,0 @@
directories['/opt/hetzner-dyndns/src'] = {}
git_deploy['/opt/hetzner-dyndns/src'] = {
'repo': 'https://git.franzi.business/sophie/hetzner-dyndns.git',
'rev': 'main',
}

26
bundles/hetzner-dyndns/metadata.py
View file

@ -1,26 +0,0 @@
defaults = {
'systemd-timers': {
'timers': {
'hetzner-dyndns-update': {
'when': 'hourly',
},
},
},
}
@metadata_reactor.provides(
'systemd-timers/timers/hetzner-dyndns-update',
)
def command_template(metadata):
empty_command = f'/usr/bin/python3 /opt/hetzner-dyndns/src/hetzner-api-dyndns.py --api_key {{}} --zone {node.metadata.get('hetzner-dyndns/zone')} --record {node.metadata.get('hetzner-dyndns/record')}'
return {
'systemd-timers': {
'timers': {
'hetzner-dyndns-update': {
'command': node.metadata.get('hetzner-dyndns/api_key').format_into(empty_command),
},
},
},
}

1
bundles/mautrix-telegram/files/config.yaml
View file

@ -46,7 +46,6 @@ bridge:
- username - username
- phone number - phone number
displayname_max_length: 100 displayname_max_length: 100
caption_in_message: true
allow_avatar_remove: false allow_avatar_remove: false
max_initial_member_sync: -1 max_initial_member_sync: -1
sync_channel_members: true sync_channel_members: true

10
bundles/navidrome/items.py
View file

@ -21,7 +21,9 @@ svc_systemd = {
} }
actions['navidrome_install'] = { actions['navidrome_install'] = {
'command': 'tar -C /opt/navidrome -xf /opt/navidrome/navidrome.tar.gz', 'command': ' && '.join([
'tar -C /opt/navidrome -xf /opt/navidrome/navidrome.tar.gz',
]),
'after': { 'after': {
'pkg_apt:', 'pkg_apt:',
}, },
@ -39,12 +41,6 @@ files = {
}, },
}, },
'/etc/systemd/system/navidrome.service': { '/etc/systemd/system/navidrome.service': {
'triggers': {
'action:systemd-reload',
},
'delete': True,
},
'/usr/local/lib/systemd/system/navidrome.service': {
'triggers': { 'triggers': {
'action:systemd-reload', 'action:systemd-reload',
'svc_systemd:navidrome:restart', 'svc_systemd:navidrome:restart',

35
bundles/navidrome/metadata.py
View file

@ -6,22 +6,17 @@ defaults = {
}, },
}, },
'backups': {
'paths': {
'/var/opt/navidrome',
},
},
'navidrome': { 'navidrome': {
'config': { 'config': {
'Address': '127.0.0.1',
'DataFolder': '/var/opt/navidrome', 'DataFolder': '/var/opt/navidrome',
'Address': '127.0.0.1',
'MusicFolder': '/mnt/music',
'EnableExternalServices': False, 'EnableExternalServices': False,
'EnableInsightsCollector': False,
'LastFM.Enabled': False, 'LastFM.Enabled': False,
'ListenBrainz.Enabled': False, 'ListenBrainz.Enabled': False,
'PasswordEncryptionKey': repo.vault.password_for('{} encryption navidrome'.format(node.name)), 'PasswordEncryptionKey': repo.vault.password_for('{} encryption navidrome'.format(node.name)),
'Port': 4533,
'Scanner.Schedule': '@every 72h', 'Scanner.Schedule': '@every 72h',
'Port': 4533,
}, },
}, },
'zfs': { 'zfs': {
@ -72,10 +67,6 @@ def nginx(metadata):
'locations': { 'locations': {
'/': { '/': {
'target': f'http://127.0.0.1:{metadata.get('navidrome/config/Port')}', 'target': f'http://127.0.0.1:{metadata.get('navidrome/config/Port')}',
# some requests take a loooooong time (for example,
# "delete all missing files" will wait until
# everything has been purged from the database)
'proxy_read_timeout': '1h',
}, },
}, },
'website_check_path': '/user/login', 'website_check_path': '/user/login',
@ -84,23 +75,3 @@ def nginx(metadata):
}, },
}, },
} }
@metadata_reactor.provides(
'icinga2_api/navidrome/services',
)
def icinga_check_for_new_release(metadata):
version = metadata.get('navidrome/version')
return {
'icinga2_api': {
'pretalx': {
'services': {
'NAVIDROME UPDATE': {
'command_on_monitored_host': '/usr/local/share/icinga/plugins/check_github_for_new_release navidrome/navidrome {}'.format(version),
'vars.notification.mail': True,
'check_interval': '60m',
},
},
},
},
}

4
bundles/netbox/items.py
View file

@ -38,8 +38,8 @@ actions['netbox_install'] = {
'triggered': True, 'triggered': True,
'command': ' && '.join([ 'command': ' && '.join([
'cd /opt/netbox/src', 'cd /opt/netbox/src',
'/opt/netbox/venv/bin/pip install --upgrade --upgrade-strategy=eager pip wheel setuptools django-auth-ldap gunicorn', '/opt/netbox/venv/bin/pip install --upgrade pip wheel setuptools django-auth-ldap gunicorn',
'/opt/netbox/venv/bin/pip install --upgrade --upgrade-strategy=eager -r requirements.txt', '/opt/netbox/venv/bin/pip install --upgrade -r requirements.txt',
]), ]),
'needs': { 'needs': {
'pkg_apt:build-essential', 'pkg_apt:build-essential',

10
bundles/nfs-server/files/avahi.service
View file

@ -1,10 +0,0 @@
<?xml version="1.0" standalone='no'?>
<!DOCTYPE service-group SYSTEM "avahi-service.dtd">
<service-group>
<name replace-wildcards="yes">NFS ${path} on %h</name>
<service>
<type>_nfs._tcp</type>
<port>2049</port>
<txt-record>path=${path}</txt-record>
</service>
</service-group>

2
bundles/nfs-server/files/exports
View file

@ -1,4 +1,4 @@
% for path, shares in sorted(node.metadata.get('nfs-server/shares', {}).items()): % for path, shares in sorted(node.metadata['nfs-server']['shares'].items()):
% for share_target, share_options in sorted(shares.items()): % for share_target, share_options in sorted(shares.items()):
% for ip_list in repo.libs.tools.resolve_identifier(repo, share_target).values(): % for ip_list in repo.libs.tools.resolve_identifier(repo, share_target).values():
% for ip in sorted(ip_list): % for ip in sorted(ip_list):

51
bundles/nfs-server/items.py
View file

@ -1,40 +1,25 @@
from re import sub files = {
'/etc/exports': {
files['/etc/exports'] = { 'content_type': 'mako',
'content_type': 'mako', 'triggers': {
'triggers': { 'action:nfs_reload_shares',
'action:nfs_reload_shares', },
},
'/etc/default/nfs-kernel-server': {
'source': 'etc-default',
'triggers': {
'svc_systemd:nfs-server:restart',
},
}, },
} }
files['/etc/default/nfs-kernel-server'] = { actions = {
'source': 'etc-default', 'nfs_reload_shares': {
'triggers': { 'command': 'exportfs -a',
'svc_systemd:nfs-server:restart', 'triggered': True,
}, },
} }
actions['nfs_reload_shares'] = { svc_systemd = {
'command': 'exportfs -a', 'nfs-server': {},
'triggered': True,
} }
svc_systemd['nfs-server'] = {}
if node.has_bundle('avahi-daemon'):
for path, shares in node.metadata.get('nfs-server/shares', {}).items():
create_avahi_file = False
for share_target, share_options in shares.items():
if ',insecure,' in f',{share_options},':
create_avahi_file = True
if create_avahi_file:
share_name_normalized = sub('[^a-z0-9-_]+', '_', path)
files[f'/etc/avahi/services/nfs{share_name_normalized}.service'] = {
'source': 'avahi.service',
'content_type': 'mako',
'context': {
'path': path,
},
}

5
bundles/paperless-ng/files/paperless-webserver.service
View file

@ -8,11 +8,8 @@ Requires=redis.service
User=paperless User=paperless
Group=paperless Group=paperless
Environment=PAPERLESS_CONFIGURATION_PATH=/opt/paperless/paperless.conf Environment=PAPERLESS_CONFIGURATION_PATH=/opt/paperless/paperless.conf
Environment=GRANIAN_PORT=22070
Environment=GRANIAN_WORKERS=4
Environment=GRANIAN_HOST=::1
WorkingDirectory=/opt/paperless/src/paperless-ngx/src WorkingDirectory=/opt/paperless/src/paperless-ngx/src
ExecStart=/opt/paperless/venv/bin/granian --interface asginl --ws "paperless.asgi:application" ExecStart=/opt/paperless/venv/bin/gunicorn -c /opt/paperless/src/paperless-ngx/gunicorn.conf.py -b 127.0.0.1:22070 paperless.asgi:application
Restart=always Restart=always
RestartSec=10 RestartSec=10
SyslogIdentifier=paperless-webserver SyslogIdentifier=paperless-webserver

1
bundles/paperless-ng/files/paperless.conf
View file

@ -17,7 +17,6 @@ PAPERLESS_FILENAME_FORMAT={{ created_year }}/{{ created_month }}/{{ corresponden
# Security and hosting # Security and hosting
PAPERLESS_SECRET_KEY=${repo.vault.random_bytes_as_base64_for(f'{node.name} paperless secret key')} PAPERLESS_SECRET_KEY=${repo.vault.random_bytes_as_base64_for(f'{node.name} paperless secret key')}
PAPERLESS_CSRF_TRUSTED_ORIGINS=https://${node.metadata.get('paperless/domain')}
PAPERLESS_ALLOWED_HOSTS=${node.metadata.get('paperless/domain')} PAPERLESS_ALLOWED_HOSTS=${node.metadata.get('paperless/domain')}
PAPERLESS_CORS_ALLOWED_HOSTS=http://${node.metadata.get('paperless/domain')},https://${node.metadata.get('paperless/domain')} PAPERLESS_CORS_ALLOWED_HOSTS=http://${node.metadata.get('paperless/domain')},https://${node.metadata.get('paperless/domain')}
#PAPERLESS_FORCE_SCRIPT_NAME= #PAPERLESS_FORCE_SCRIPT_NAME=

2
bundles/paperless-ng/metadata.py
View file

@ -99,7 +99,7 @@ def nginx(metadata):
'domain': metadata.get('paperless/domain'), 'domain': metadata.get('paperless/domain'),
'locations': { 'locations': {
'/': { '/': {
'target': 'http://[::1]:22070', 'target': 'http://127.0.0.1:22070',
'websockets': True, 'websockets': True,
'proxy_set_header': { 'proxy_set_header': {
'X-Forwarded-Host': '$server_name', 'X-Forwarded-Host': '$server_name',

43
bundles/powerdns/items.py
View file

@ -2,14 +2,13 @@ from datetime import datetime
from os import listdir from os import listdir
from os.path import isfile, join from os.path import isfile, join
from subprocess import check_output from subprocess import check_output
from textwrap import dedent
from bundlewrap.utils.ui import io from bundlewrap.utils.ui import io
zone_path = join(repo.path, 'data', 'powerdns', 'files', 'bind-zones') zone_path = join(repo.path, 'data', 'powerdns', 'files', 'bind-zones')
nameservers = set() nameservers = set()
for rnode in repo.nodes_in_group('dns'): for rnode in sorted(repo.nodes_in_group('dns')):
nameservers.add(rnode.metadata.get('powerdns/my_hostname', rnode.metadata.get('hostname'))) nameservers.add(rnode.metadata.get('powerdns/my_hostname', rnode.metadata.get('hostname')))
my_primary_servers = set() my_primary_servers = set()
@ -76,45 +75,25 @@ actions = {
} }
if node.metadata.get('powerdns/features/bind', False): if node.metadata.get('powerdns/features/bind', False):
try:
output = check_output(['git', 'log', '-1', '--pretty=%ci']).decode('utf-8').strip()
serial = datetime.strptime(output, '%Y-%m-%d %H:%M:%S %z').strftime('%y%m%d%H%M')
except Exception as e:
io.stderr(f"{node.name} Error while parsing commit time for powerdns zone serial: {e!r}")
serial = datetime.now().strftime('%y%m%d0000')
HEADER = dedent(f"""
$TTL 60
@ IN SOA ns-mephisto.kunbox.net. hostmaster.kunbox.net. (
{serial}
3600
600
86400
300
)
""").strip()
for ns in sorted(nameservers):
HEADER += f"\n@ IN NS {ns}."
primary_zones = set() primary_zones = set()
for zone in listdir(zone_path): for zone in listdir(zone_path):
if ( if not isfile(join(zone_path, zone)) or zone.startswith(".") or zone.startswith("_"):
not (
isfile(join(zone_path, zone))
or islink(join(zone_path, zone))
)
or zone.startswith(".")
or zone.startswith("_")
):
continue continue
try:
output = check_output(['git', 'log', '-1', '--pretty=%ci']).decode('utf-8').strip()
serial = datetime.strptime(output, '%Y-%m-%d %H:%M:%S %z').strftime('%y%m%d%H%M')
except Exception as e:
io.stderr(f"Error while parsing commit time for {zone} serial: {e!r}")
serial = datetime.now().strftime('%y%m%d0000')
primary_zones.add(zone) primary_zones.add(zone)
files[f'/var/lib/powerdns/zones/{zone}'] = { files[f'/var/lib/powerdns/zones/{zone}'] = {
'content_type': 'mako', 'content_type': 'mako',
'context': { 'context': {
'HEADER': HEADER + f"\n$ORIGIN {zone}.", 'NAMESERVERS': '\n'.join(sorted({f'@ IN NS {ns}.' for ns in nameservers})),
'SERIAL': serial,
'metadata_records': node.metadata.get(f'powerdns/bind-zones/{zone}/records', []), 'metadata_records': node.metadata.get(f'powerdns/bind-zones/{zone}/records', []),
}, },
'source': f'bind-zones/{zone}', 'source': f'bind-zones/{zone}',

2
bundles/sysctl/items.py
View file

@ -20,7 +20,7 @@ files = {
}, },
} }
if node.os == 'debian' and node.os_version < (13,): if node.os == 'debian':
# debian insists on creating that file during almost every # debian insists on creating that file during almost every
# unattended-upgrades run. Make it known to bundlewrap, so # unattended-upgrades run. Make it known to bundlewrap, so
# it does not get removed during applies. # it does not get removed during applies.

6
bundles/travelynx/files/travelynx.conf
View file

@ -33,12 +33,6 @@
from => '${mail_from}', from => '${mail_from}',
}, },
% if not enable_registration:
registration => {
disabled => 1,
},
% endif
ref => { ref => {
issues => 'https://github.com/derf/travelynx/issues', issues => 'https://github.com/derf/travelynx/issues',
source => 'https://github.com/derf/travelynx', source => 'https://github.com/derf/travelynx',

9
bundles/travelynx/metadata.py
View file

@ -10,12 +10,11 @@ defaults = {
'password': repo.vault.password_for('{} postgresql travelynx'.format(node.name)), 'password': repo.vault.password_for('{} postgresql travelynx'.format(node.name)),
'database': 'travelynx', 'database': 'travelynx',
}, },
'additional_cookie_secrets': set(),
'cookie_secret': repo.vault.password_for('{} travelynx cookie_secret'.format(node.name)),
'enable_registration': False,
'mail_from': 'travelynx@{}'.format(node.hostname),
'spare_workers': 2,
'workers': 4, 'workers': 4,
'spare_workers': 2,
'mail_from': 'travelynx@{}'.format(node.hostname),
'cookie_secret': repo.vault.password_for('{} travelynx cookie_secret'.format(node.name)),
'additional_cookie_secrets': set(),
}, },
'postgresql': { 'postgresql': {
'roles': { 'roles': {

2
bundles/zfs/items.py
View file

@ -67,7 +67,6 @@ svc_systemd = {
'file:/etc/systemd/system/zfs-import-scan.service.d/bundlewrap.conf', 'file:/etc/systemd/system/zfs-import-scan.service.d/bundlewrap.conf',
}, },
'after': { 'after': {
'bundle:dm-crypt', # might unlock disks
'pkg_apt:', 'pkg_apt:',
}, },
'before': { 'before': {
@ -84,7 +83,6 @@ svc_systemd = {
}, },
'zfs-mount.service': { 'zfs-mount.service': {
'after': { 'after': {
'bundle:dm-crypt', # might unlock disks
'pkg_apt:', 'pkg_apt:',
}, },
}, },

6
configs/netbox/home.switch-rack.json
View file

@ -231,7 +231,7 @@
"ips": [ "ips": [
"172.19.138.4/24" "172.19.138.4/24"
], ],
"mode": null, "mode": "",
"tagged_vlans": [], "tagged_vlans": [],
"type": "virtual", "type": "virtual",
"untagged_vlan": null "untagged_vlan": null
@ -240,7 +240,7 @@
"description": "", "description": "",
"enabled": true, "enabled": true,
"ips": [], "ips": [],
"mode": null, "mode": "",
"tagged_vlans": [], "tagged_vlans": [],
"type": "10gbase-x-sfpp", "type": "10gbase-x-sfpp",
"untagged_vlan": null "untagged_vlan": null
@ -249,7 +249,7 @@
"description": "", "description": "",
"enabled": true, "enabled": true,
"ips": [], "ips": [],
"mode": null, "mode": "",
"tagged_vlans": [], "tagged_vlans": [],
"type": "10gbase-x-sfpp", "type": "10gbase-x-sfpp",
"untagged_vlan": null "untagged_vlan": null

7003
data/apt/files/gpg-keys/tailscale.asc
View file

File diff suppressed because it is too large Load diff

36
data/nginx/files/extras/rottenraptor-server/radio
View file

@ -1,36 +0,0 @@
location / {
proxy_pass http://172.30.17.52:8000/;
# Ensure streams don't end after a short time.
proxy_read_timeout 7d;
# Disable request size limit, very important for uploading large files
client_max_body_size 0;
# Enable support `Transfer-Encoding: chunked`
chunked_transfer_encoding on;
# Disable request and response buffering, minimize latency to/from Icecast
proxy_buffering off;
proxy_request_buffering off;
# Icecast needs HTTP/1.1, not 1.0 or 2
proxy_http_version 1.1;
# Forward all original request headers
proxy_pass_request_headers on;
# Set some standard reverse proxy headers. Icecast server currently ignores these,
# but may support them in a future version so that access logs are more useful.
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
auth_basic "Rotten City Eventradio";
auth_basic_user_file /etc/nginx/radio-htpasswd;
location /admin/ {
deny all;
}
}

2
data/powerdns/files/bind-zones/_mail_NULL
View file

@ -1,2 +0,0 @@
@ IN TXT "v=spf1 -all"
_dmarc IN TXT "v=DMARC1; p=reject"

11
data/powerdns/files/bind-zones/_mail_carlene
View file

@ -1,11 +0,0 @@
@ IN TXT "v=spf1 mx -all"
@ IN MX 10 mail.franzi.business.
_dmarc IN TXT "v=DMARC1; p=quarantine; rua=mailto:dmarc@kunbox.net; ruf=mailto:dmarc@kunbox.net; fo=0:d:s; adkim=s; aspf=s"
_mta-sts IN TXT "v=STSv1;id=20201111;"
_smtp._tls IN TXT "v=TLSRPTv1;rua=mailto:tlsrpt@kunbox.net"
mta-sts IN CNAME carlene.kunbox.net.
2019._domainkey IN TXT "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwkg6UAcu3V98hal1UVf6yB0WT1CKDS0AK83CUlSP8bUwraPxkxK1nkQOUsmjbQs6a3FhdsKprMi32GeUaTVvZg81JIybPk3jNugfNWfSjs2TXPomYu+XD2pmmbR3cZlzC5NGR2nmBFt/P/S2ihPHj35KziiBIwK1TdvOi1M2+upCjK33Icco0ByCm0gJpD2O0cbqcBcUKqd6X440vYhNXH1ygp0e91P0iRnvS9sg6yD0xjD8kD6j/8GfxBY+9bpU3EvDoBgyJSbjw5b6PUVJbKMXzw1NIRNj0SXKs5BakjS8+7u62vR11IPCYRwy+yr0rDT0tNegM7gStIIgoTpOoQIDAQAB"
uo4anejdvvdw8bkne3kjiqavcqmj0416._domainkey IN TXT "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnh5Ym9PO7r+wdOIKfopvHzn3KU3qT6IlCG/gvvbmIqoeFQfRbAe3gQmcG6RcLue55cJQGhI6y2r0lm59ZeoHR40aM+VabAOlplekM7xWmoXb/9vG2OZLIqAyF4I+7GQmTN6B9keBHp9SWtDUkI0B0G9neZ5MkXJP705M0duxritqQlb4YvCZwteHiyckKcg9aE9j+GF2EEawBoVDpoveoB3+wgde3lWEUjjwKFtXNXxuN354o6jgXgPNWtIEdPMLfK/o0CaCjZNlzaLTsTegY/+67hdHFqDmm8zXO9s+Xiyfq7CVq21t7wDhQ2W1agj+up6lH82FMh5rZNxJ6XB0yQIDAQAB"

3
data/powerdns/files/bind-zones/_parked
View file

@ -1,3 +0,0 @@
${HEADER}
<%include file="bind-zones/_mail_NULL" />

6
data/powerdns/files/bind-zones/afra.berlin
View file

@ -1,6 +0,0 @@
${HEADER}
@ IN AAAA 2a0a:51c0:0:225::2
@ IN A 193.135.9.29
<%include file="bind-zones/_mail_NULL" />

1
data/powerdns/files/bind-zones/die-brontosaurier-waren-es.org
View file

@ -1 +0,0 @@
_parked

1
data/powerdns/files/bind-zones/emails.sexy
View file

@ -1 +0,0 @@
_parked

3
data/powerdns/files/bind-zones/eskalation.jetzt
View file

@ -1,3 +0,0 @@
${HEADER}
<%include file="bind-zones/_mail_NULL" />

3
data/powerdns/files/bind-zones/felix-kunsmann.de
View file

@ -1,3 +0,0 @@
${HEADER}
<%include file="bind-zones/_mail_carlene" />

8
data/powerdns/files/bind-zones/flauschehorn.sexy
View file

@ -1,8 +0,0 @@
${HEADER}
@ IN AAAA 2a03:4000:4d:5e::1
@ IN A 194.36.145.49
<%include file="bind-zones/_mail_carlene" />
_acme-challenge IN CNAME 63bc37c61bda3c1f4fa1f270f8890c7f89c24353.acme.ctu.cx.

29
data/powerdns/files/bind-zones/franzi.business
View file

@ -1,29 +0,0 @@
${HEADER}
@ IN AAAA 2a0a:51c0:0:225::2
@ IN A 193.135.9.29
<%include file="bind-zones/_mail_carlene" />
_atproto IN TXT "did=did:plc:d762mg6wvvmpeu66zojntlof"
_token._dnswl IN TXT "gg3mbwjx9bbuo5osvh7oz6bc881wcmc"
_matrix._tcp IN SRV 10 10 443 matrix.franzi.business.
; carlene
git IN CNAME carlene.kunbox.net.
irc IN CNAME carlene.kunbox.net.
mail IN CNAME carlene.kunbox.net.
matrix IN CNAME carlene.kunbox.net.
matrix-stickers IN CNAME carlene.kunbox.net.
netbox IN CNAME carlene.kunbox.net.
ntfy IN CNAME carlene.kunbox.net.
postfixadmin IN CNAME carlene.kunbox.net.
rss IN CNAME carlene.kunbox.net.
travelynx IN CNAME carlene.kunbox.net.
; icinga2
icinga IN CNAME icinga2.kunbox.net.
status IN CNAME icinga2.kunbox.net.
; pretix
tickets IN CNAME franzi-business.cname.pretix.eu.

15
data/powerdns/files/bind-zones/kunbox.net
View file

@ -1,4 +1,16 @@
${HEADER} $TTL 60
@ IN SOA ns-mephisto.kunbox.net. hostmaster.kunbox.net. (
${SERIAL}
3600
600
86400
300
)
${NAMESERVERS}
$ORIGIN kunbox.net.
; ends up on carlene.kunbox.net ; ends up on carlene.kunbox.net
@ IN A 193.135.9.29 @ IN A 193.135.9.29
@ -17,7 +29,6 @@ aurto IN CNAME aurto.htz-cloud
; stuff running at home ; stuff running at home
jellyfin.home IN CNAME nas.home jellyfin.home IN CNAME nas.home
navidrome.home IN CNAME nas.home
; Mail servers ; Mail servers
mta-sts IN CNAME carlene mta-sts IN CNAME carlene

1
data/powerdns/files/bind-zones/kunsi.scot
View file

@ -1 +0,0 @@
_parked

6
data/powerdns/files/bind-zones/kunsitracker.de
View file

@ -1,6 +0,0 @@
${HEADER}
@ IN AAAA 2a0a:51c0:0:225::2
@ IN A 193.135.9.29
<%include file="bind-zones/_mail_carlene" />

14
data/powerdns/files/bind-zones/kunsmann.eu
View file

@ -1,14 +0,0 @@
${HEADER}
@ IN AAAA 2a0a:51c0:0:225::2
@ IN A 193.135.9.29
<%include file="bind-zones/_mail_carlene" />
@ IN TXT "google-site-verification=Xl-OBZpTL1maD2Qr8QmQ2aKRXZLnCmvddpFdrTT8L34"
_token._dnswl IN TXT "5mx0rv9ru8s1zz4tf4xlt48osh09czmg"
git IN CNAME git.franzi.business.
grafana IN CNAME influxdb.htz-cloud.kunbox.net.
influxdb IN CNAME influxdb.htz-cloud.kunbox.net.

1
data/powerdns/files/bind-zones/raptor.events
View file

@ -1 +0,0 @@
_parked

1
data/powerdns/files/bind-zones/trans-agenda.de
View file

@ -1 +0,0 @@
_parked

1
data/powerdns/files/bind-zones/trans-agenda.eu
View file

@ -1 +0,0 @@
_parked

6
data/powerdns/files/bind-zones/warnochwas.de
View file

@ -1,6 +0,0 @@
${HEADER}
@ IN AAAA 2a0a:51c0:0:225::2
@ IN A 193.135.9.29
<%include file="bind-zones/_mail_carlene" />

1
data/powerdns/files/bind-zones/winkeeinhorn.de
View file

@ -1 +0,0 @@
_parked

36
data/ssl/_.home.kunbox.net.crt.pem
View file

@ -1,22 +1,22 @@
-----BEGIN CERTIFICATE----- -----BEGIN CERTIFICATE-----
MIIDvDCCA0OgAwIBAgISBo2CjJbnK8A0cN9OMOLwENx3MAoGCCqGSM49BAMDMDIx MIIDrTCCAzOgAwIBAgISAzN38KowyAxKJIRnBKR9SwXnMAoGCCqGSM49BAMDMDIx
CzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQDEwJF CzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQDEwJF
NjAeFw0yNTA1MjEyMDMwMjFaFw0yNTA4MTkyMDMwMjBaMBoxGDAWBgNVBAMTD2hv NTAeFw0yNTAyMjMwOTAyMzdaFw0yNTA1MjQwOTAyMzZaMBoxGDAWBgNVBAMTD2hv
bWUua3VuYm94Lm5ldDB2MBAGByqGSM49AgEGBSuBBAAiA2IABEDJ6ph3s2d7ZVer bWUua3VuYm94Lm5ldDB2MBAGByqGSM49AgEGBSuBBAAiA2IABCySMhuLfj3x+wjp
hT1E3gDWKEWTzfyp65nB6wTomd0fk02HPk2kZNa03zLuF7w5ixeCHDvtGGaJ/oTR BFpNu+R3IRL0qsBazrTrz8jwA1Brs8jxFSlPZRGpKiycFFQDwX5dSDJu+usngNh7
a4KitE+7wr5yG603t5/hBfrFYQer0RsJC49leQFMRpmdKOM2KKOCAjIwggIuMA4G pAs1UsniV2d3yLYK6qTVB8C420Xc55jlqTsGW+cvv0Adeap8DaOCAiIwggIeMA4G
A1UdDwEB/wQEAwIHgDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwDAYD A1UdDwEB/wQEAwIHgDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwDAYD
VR0TAQH/BAIwADAdBgNVHQ4EFgQUVTHSrsLErU3zaJr9R35Q5Bok+tQwHwYDVR0j VR0TAQH/BAIwADAdBgNVHQ4EFgQUDEclq7TWouOYtvpzzutWtxXmZB8wHwYDVR0j
BBgwFoAUkydGmAOpUWiOmNbEQkjbI79YlNIwMgYIKwYBBQUHAQEEJjAkMCIGCCsG BBgwFoAUnytfzzwhT50Et+0rLMTGcIvS1w0wVQYIKwYBBQUHAQEESTBHMCEGCCsG
AQUFBzAChhZodHRwOi8vZTYuaS5sZW5jci5vcmcvMC0GA1UdEQQmMCSCESouaG9t AQUFBzABhhVodHRwOi8vZTUuby5sZW5jci5vcmcwIgYIKwYBBQUHMAKGFmh0dHA6
ZS5rdW5ib3gubmV0gg9ob21lLmt1bmJveC5uZXQwEwYDVR0gBAwwCjAIBgZngQwB Ly9lNS5pLmxlbmNyLm9yZy8wLQYDVR0RBCYwJIIRKi5ob21lLmt1bmJveC5uZXSC
AgEwLgYDVR0fBCcwJTAjoCGgH4YdaHR0cDovL2U2LmMubGVuY3Iub3JnLzEyMC5j D2hvbWUua3VuYm94Lm5ldDATBgNVHSAEDDAKMAgGBmeBDAECATCCAQIGCisGAQQB
cmwwggEFBgorBgEEAdZ5AgQCBIH2BIHzAPEAdwDtPEvW6AbCpKIAV9vLJOI4Ad9R 1nkCBAIEgfMEgfAA7gB1AKLjCuRF772tm3447Udnd1PXgluElNcrXhssxLlQpEfn
L+3EhsVwDyDdtz4/4AAAAZb0v8oqAAAEAwBIMEYCIQDPMCZ/27O7ki58XOEXScxd AAABlTJA35QAAAQDAEYwRAIgK6RVpdOCgEWCLxyLM7P9LRYWmPJ9+oA8DQ6EhV1V
g5CTNBsfJ33xhiQ96Gy10gIhAIltz6edq7h8dFpnitREku9CAkLSRaM6FuA9H9FA e+cCICAtK2lRg+vPuCXkqSGRFQEPqidmcT1NMrAstl6zOF3uAHUATnWjJ1yaEMM4
tyzEAHYADeHyMCvTDcFAYhIJ6lUu/Ed0fLHX6TDvDkIetH5OqjQAAAGW9L/Z0gAA W2zU3z9S6x3w4I4bjWnAsfpksWKaOd8AAAGVMkDfigAABAMARjBEAiBH2f88Uh6R
BAMARzBFAiBBit+rBWA9W3r3TRU0bnY37odvJuYbNSKKsYk0UVD5VAIhAMIZ0Lgw tPyyZzuKT5t6jcYLOsSQVkWbrerG34Z1xwIgXmW3tlmgKlUiTrRjCFbltLNJ12Tf
8Y6CZgqt9cKTyAaXfnF6oaXIr/Wwjpa4J+ZhMAoGCCqGSM49BAMDA2cAMGQCMHGs xA/QCmSHAyKUnHIwCgYIKoZIzj0EAwMDaAAwZQIxAKT8YobI9cF1LpSwF8esUwhX
qPfsaLfclD5WSkaSR1t7uRWwtqaDerwHuf4St3vIRD5iCk5zU3c9T9EvIFOArgIw M1oK0TVOnpFn3dyUgweqVS5sCn3V81626qP+wGrENgIwWlDcbKhT4j0G19O43pKp
erdi4GyW/W9j+0oEzIUNWODF//huulu2+Wd3wTYh/LFNVDtQICG7vi4uubHLyvg4 6f9TqzcY4iH5+VAuKPjh7H5ag7B+qCn9No2p56SagQpv
-----END CERTIFICATE----- -----END CERTIFICATE-----

36
data/ssl/_.home.kunbox.net.crt_intermediate.pem
View file

@ -1,27 +1,27 @@
-----BEGIN CERTIFICATE----- -----BEGIN CERTIFICATE-----
MIIEVzCCAj+gAwIBAgIRALBXPpFzlydw27SHyzpFKzgwDQYJKoZIhvcNAQELBQAw MIIEVzCCAj+gAwIBAgIRAIOPbGPOsTmMYgZigxXJ/d4wDQYJKoZIhvcNAQELBQAw
TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMjQwMzEzMDAwMDAw cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMjQwMzEzMDAwMDAw
WhcNMjcwMzEyMjM1OTU5WjAyMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNTGV0J3Mg WhcNMjcwMzEyMjM1OTU5WjAyMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNTGV0J3Mg
RW5jcnlwdDELMAkGA1UEAxMCRTYwdjAQBgcqhkjOPQIBBgUrgQQAIgNiAATZ8Z5G RW5jcnlwdDELMAkGA1UEAxMCRTUwdjAQBgcqhkjOPQIBBgUrgQQAIgNiAAQNCzqK
h/ghcWCoJuuj+rnq2h25EqfUJtlRFLFhfHWWvyILOR/VvtEKRqotPEoJhC6+QJVV a2GOtu/cX1jnxkJFVKtj9mZhSAouWXW0gQI3ULc/FnncmOyhKJdyIBwsz9V8UiBO
6RlAN2Z17TJOdwRJ+HB7wxjnzvdxEP6sdNgA1O1tHHMWMxCcOrLqbGL0vbijgfgw VHhbhBRrwJCuhezAUUE8Wod/Bk3U/mDR+mwt4X2VEIiiCFQPmRpM5uoKrNijgfgw
gfUwDgYDVR0PAQH/BAQDAgGGMB0GA1UdJQQWMBQGCCsGAQUFBwMCBggrBgEFBQcD gfUwDgYDVR0PAQH/BAQDAgGGMB0GA1UdJQQWMBQGCCsGAQUFBwMCBggrBgEFBQcD
ATASBgNVHRMBAf8ECDAGAQH/AgEAMB0GA1UdDgQWBBSTJ0aYA6lRaI6Y1sRCSNsj ATASBgNVHRMBAf8ECDAGAQH/AgEAMB0GA1UdDgQWBBSfK1/PPCFPnQS37SssxMZw
v1iU0jAfBgNVHSMEGDAWgBR5tFnme7bl5AFzgAiIyBpY9umbbjAyBggrBgEFBQcB i9LXDTAfBgNVHSMEGDAWgBR5tFnme7bl5AFzgAiIyBpY9umbbjAyBggrBgEFBQcB
AQQmMCQwIgYIKwYBBQUHMAKGFmh0dHA6Ly94MS5pLmxlbmNyLm9yZy8wEwYDVR0g AQQmMCQwIgYIKwYBBQUHMAKGFmh0dHA6Ly94MS5pLmxlbmNyLm9yZy8wEwYDVR0g
BAwwCjAIBgZngQwBAgEwJwYDVR0fBCAwHjAcoBqgGIYWaHR0cDovL3gxLmMubGVu BAwwCjAIBgZngQwBAgEwJwYDVR0fBCAwHjAcoBqgGIYWaHR0cDovL3gxLmMubGVu
Y3Iub3JnLzANBgkqhkiG9w0BAQsFAAOCAgEAfYt7SiA1sgWGCIpunk46r4AExIRc Y3Iub3JnLzANBgkqhkiG9w0BAQsFAAOCAgEAH3KdNEVCQdqk0LKyuNImTKdRJY1C
MxkKgUhNlrrv1B21hOaXN/5miE+LOTbrcmU/M9yvC6MVY730GNFoL8IhJ8j8vrOL 2uw2SJajuhqkyGPY8C+zzsufZ+mgnhnq1A2KVQOSykOEnUbx1cy637rBAihx97r+
pMY22OP6baS1k9YMrtDTlwJHoGby04ThTUeBDksS9RiuHvicZqBedQdIF65pZuhp bcwbZM6sTDIaEriR/PLk6LKs9Be0uoVxgOKDcpG9svD33J+G9Lcfv1K9luDmSTgG
eDcGBcLiYasQr/EO5gxxtLyTmgsHSOVSBcFOn9lgv7LECPq9i7mfH3mpxgrRKSxH 6XNFIN5vfI5gs/lMPyojEMdIzK9blcl2/1vKxO8WGCcjvsQ1nJ/Pwt8LQZBfOFyV
pOoZ0KXMcB+hHuvlklHntvcI0mMMQ0mhYj6qtMFStkF1RpCG3IPdIwpVCQqu8GV7 XP8ubAp/au3dc4EKWG9MO5zcx1qT9+NXRGdVWxGvmBFRAajciMfXME1ZuGmk3/GO
s8ubknRzs+3C/Bm19RFOoiPpDkwvyNfvmQ14XkyqqKK5oZ8zhD32kFRQkxa8uZSu koAM7ZkjZmleyokP1LGzmfJcUd9s7eeu1/9/eg5XlXd/55GtYjAM+C4DG5i7eaNq
h4aTImFxknu39waBxIRXE4jKxlAmQc4QjFZoq1KmQqQg0J/1JF8RlFvJas1VcjLv cm2F+yxYIPt6cbbtYVNJCGfHWqHEQ4FYStUyFnv8sjyqU8ypgZaNJ9aVcWSICLOI
YlvUB2t6npO6oQjB3l+PNf0DpQH7iUx3Wz5AjQCi6L25FjyE06q6BZ/QlmtYdl/8 E1/Qv/7oKsnZCWJ926wU6RqG1OYPGOi1zuABhLw61cuPVDT28nQS/e6z95cJXq0e
ZYao4SRqPEs/6cAiF+Qf5zg2UkaWtDphl1LKMuTNLotvsX99HP69V2faNyegodQ0 K1BcaJ6fJZsmbjRgD5p3mvEf5vdQM7MCEvU0tHbsx2I5mHHJoABHb8KVBgWp/lcX
LyTApr/vT01YPE46vNsDLgK+4cL6TrzC/a4WcmF5SRJ938zrv/duJHLXQIku5v0+ GWiWaeOyB7RP+OfDtvi2OsapxXiV7vNVs7fMlrRjY1joKaqmmycnBvAq14AEbtyL
EwOy59Hdm0PT/Er/84dDV0CSjdR/2XuZM3kpysSKLgD1cKiDA+IRguODCxfO9cyY sVfOS66B8apkeFX2NY4XPEYV4ZSCe8VHPrdrERk2wILG3T/EGmSIkCYVUMSnjmJd
Ig46v9mFmBvyH04= VQD9F6Na/+zmXCc=
-----END CERTIFICATE----- -----END CERTIFICATE-----

2
data/ssl/_.home.kunbox.net.key.pem.vault
View file

@ -1 +1 @@
encrypt$gAAAAABoLkWaAM6hx5Tl_6sPRVNmmcx9OmWYGmrNLIF4J-p7Xhj4O0fQuPcnph0ZFtmlBNWcfGb8G2ysTeEN1-Be2O4JQamvxUyGFT-Jste8GzAH6btiM6ef1E0FO6ovmzUxAiFZCbeXqKXF0opPz2B6rbDKiU-yTEZpid6-D-yz3uGuunhOjL3RpWJ1ArZRiOoX3DKPf5BXn51-71TEhB-lg41sDqnMfl4lo9_9xb5_2MBLsVZ9EYjcxvwgzq7qtdExtmpkWQ7pU6uPSP5w5wc8MFvRbiXNlOrFMLjslcGp7_cbfBMmA56UCVAe2n8HqWRcKHeYo_gNVUi1nDi2GjBmUYygA9yzFcUBqcV5ZUPK-7uwYxh2ZFbBcbwmTtvXYqEEvTLuZbsYwhV5mJR6b7L3MR81g--9D8pSulsKjbrUXXTZ373SWXz_aQoBLg5vOiL4zUo8T0isXIGcGMS8LUn-LvpQyptE-A== encrypt$gAAAAABnuvHlF1U1dT-xIICT5GmDxxqm0hQAgshQSA46WrVoo18ypjyxQE1qRzPNdp0xHKPYwpGmAoT7ftX7U3X3sjIvH8W5DUNMEBPZk6Z2yPxsyMDqUbxqJUOkjsSjVf1GZ_n3R5kZfb-THJMjNQMy3tL5RwrSvZjsYeYT-NwBle5rUKZpgE_6sDr5jSr8xpNx87gJr1vqgnZIBPllU47CJQy7LHEsVcCvbKhpVoau02LlPAoApVt_iYYm1fL_E6jFGfnCwGoeiytMc2fl1DPWS8q8oauQ1pNVTWQ2BXnLiXoc8u3hgp93PpT2LubYgIrVXpY8iErNtghuXi_HmqL37btdN5h-p1Div-R_5uva1maXffduwutCd5xWJK__G_bhqiSoEaKEMvo_H47vqbi7Hvwi70ckYek9KD_bIb2W8zBEPl1Q2436Uz54B0muXv6X7OoZlTj51_gZUcT3cp8SDJqAWDpnWg==

1
libs/s2s.py
View file

@ -6,7 +6,6 @@ AS_NUMBERS = {
'htz-cloud': 4290000137, 'htz-cloud': 4290000137,
'ionos': 4290000002, 'ionos': 4290000002,
'revision': 4290000078, 'revision': 4290000078,
'rottenraptor': 4290000030,
} }
WG_AUTOGEN_NODES = [ WG_AUTOGEN_NODES = [

18
nodes/backup-kunsi.toml
View file

@ -22,17 +22,15 @@ exclude_from_backups = true
[metadata.backup-server.zpool_create_options] [metadata.backup-server.zpool_create_options]
ashift = 12 ashift = 12
[metadata.backup-server.encrypted-devices.WVT0RNKF] [[metadata.backup-server.encrypted-devices]]
device = "/dev/disk/by-id/scsi-0QEMU_QEMU_HARDDISK_drive-scsi4" "/dev/disk/by-id/scsi-0QEMU_QEMU_HARDDISK_drive-scsi1-part1" = "!bwpass:bw/backup-kunsi/ata-ST18000NM0092-3CX103_ZVV06SLR-part1"
passphrase = "!bwpass:bw/backup-kunsi/ata-ST20000NM007D-3DJ103_WVT0RNKF" "/dev/disk/by-id/scsi-0QEMU_QEMU_HARDDISK_drive-scsi2-part1" = "!bwpass:bw/backup-kunsi/ata-ST18000NM0092-3CX103_ZVV0686W-part1"
"/dev/disk/by-id/scsi-0QEMU_QEMU_HARDDISK_drive-scsi3-part1" = "!bwpass:bw/backup-kunsi/ata-ST18000NM0092-3CX103_ZVV06JV7-part1"
[metadata.backup-server.encrypted-devices.WVT0V0NQ] [[metadata.backup-server.encrypted-devices]]
device = "/dev/disk/by-id/scsi-0QEMU_QEMU_HARDDISK_drive-scsi5" "/dev/disk/by-id/scsi-0QEMU_QEMU_HARDDISK_drive-scsi1-part2" = "!bwpass:bw/backup-kunsi/ata-ST18000NM0092-3CX103_ZVV06SLR-part2"
passphrase = "!bwpass:bw/backup-kunsi/ata-ST20000NM007D-3DJ103_WVT0V0NQ" "/dev/disk/by-id/scsi-0QEMU_QEMU_HARDDISK_drive-scsi2-part2" = "!bwpass:bw/backup-kunsi/ata-ST18000NM0092-3CX103_ZVV0686W-part2"
"/dev/disk/by-id/scsi-0QEMU_QEMU_HARDDISK_drive-scsi3-part2" = "!bwpass:bw/backup-kunsi/ata-ST18000NM0092-3CX103_ZVV06JV7-part2"
[metadata.backup-server.encrypted-devices.WVT0W64H]
device = "/dev/disk/by-id/scsi-0QEMU_QEMU_HARDDISK_drive-scsi6"
passphrase = "!bwpass:bw/backup-kunsi/ata-ST20000NM007D-3DJ103_WVT0W64H"
[metadata.zfs] [metadata.zfs]
scrub_when = "Wed 08:00 Europe/Berlin" scrub_when = "Wed 08:00 Europe/Berlin"

17
nodes/carlene.toml
View file

@ -37,8 +37,8 @@ imap_host = "secureimap.t-online.de"
imap_pass = "!bwpass_attr:t-online.de/franzi.kunsmann@t-online.de:imap" imap_pass = "!bwpass_attr:t-online.de/franzi.kunsmann@t-online.de:imap"
[metadata.forgejo] [metadata.forgejo]
version = "11.0.1" version = "10.0.3"
sha1 = "d9d0051275830ca2ed328a633e25d936d0a2386a" sha1 = "d1199c43de9e69f6bb8058c15290e79862913413"
domain = "git.franzi.business" domain = "git.franzi.business"
enable_git_hooks = true enable_git_hooks = true
install_ssh_key = true install_ssh_key = true
@ -98,8 +98,8 @@ provisioning.shared_secret = "!decrypt:encrypt$gAAAAABfVKflEMAi07C_QGP8cy97hF-4g
"'@kunsi:franzi.business'" = "admin" "'@kunsi:franzi.business'" = "admin"
[metadata.mautrix-whatsapp] [metadata.mautrix-whatsapp]
version = "v0.12.1" version = "v0.11.4"
sha1 = "e453f41ab57d703fcac90483f7f0ff36b6127f54" sha1 = "71a064b82072d2cec3d655c8848af418c1f54c77"
permissions."'@kunsi:franzi.business'" = "admin" permissions."'@kunsi:franzi.business'" = "admin"
[metadata.mautrix-whatsapp.homeserver] [metadata.mautrix-whatsapp.homeserver]
domain = "franzi.business" domain = "franzi.business"
@ -110,7 +110,7 @@ domain = "rss.franzi.business"
[metadata.netbox] [metadata.netbox]
domain = "netbox.franzi.business" domain = "netbox.franzi.business"
version = "v4.3.1" version = "v4.2.6"
admins.kunsi = "hostmaster@kunbox.net" admins.kunsi = "hostmaster@kunbox.net"
[metadata.nextcloud] [metadata.nextcloud]
@ -244,13 +244,8 @@ disks = [
"/dev/disk/by-id/nvme-SAMSUNG_MZVL22T0HBLB-00B00_S677NX0W114380", "/dev/disk/by-id/nvme-SAMSUNG_MZVL22T0HBLB-00B00_S677NX0W114380",
] ]
[metadata.systemd-timers.timers.42c3-topic]
command = "/home/kunsi/42c3-topic.sh"
user = "kunsi"
when = "Mon 04:00:00 Europe/Berlin"
[metadata.travelynx] [metadata.travelynx]
version = "2.11.35" version = "2.11.13"
mail_from = "travelynx@franzi.business" mail_from = "travelynx@franzi.business"
domain = "travelynx.franzi.business" domain = "travelynx.franzi.business"

7
nodes/home.hass.toml
View file

@ -2,8 +2,9 @@ hostname = "172.19.138.25"
bundles = [ bundles = [
'homeassistant', 'homeassistant',
'nginx', 'nginx',
'pyenv',
] ]
groups = ["debian-trixie"] groups = ["debian-bookworm"]
[metadata.icinga_options] [metadata.icinga_options]
also_affected_by = ['home.nas'] also_affected_by = ['home.nas']
@ -23,5 +24,9 @@ ram = 2
domain = 'hass.home.kunbox.net' domain = 'hass.home.kunbox.net'
api_secret = '!decrypt:encrypt$gAAAAABm9lNg_mNhyzb4S6WRtVRDmQFBnPpoCwyqMnilRrAFUXc-EDvv-nYXPbSIbjTf7ZReTPtqr8k3WrGPqiuqhJ60LVv4A5DMqT5c6hTVr4WbhP4DPEIPgfd5aq6U9_-H9WDyQYHKjnunLJEYtEREzmhTq3XsYeQ05DyE7hfnQ-zVoBb0CsAK7GdhihRTdvhXv2N9M04_rigyBP-roRcUgCqwyHuWJc0IPAyn3R4Mr43ZqgR2fn6dNV_YUVKn9c0nWxIwRnYy6Ff_Te9NoGVmXxkiNUX-90bBLKFiCzrRAtizxrTiQb2SRipaWbgOlV6wbMy2KNux' api_secret = '!decrypt:encrypt$gAAAAABm9lNg_mNhyzb4S6WRtVRDmQFBnPpoCwyqMnilRrAFUXc-EDvv-nYXPbSIbjTf7ZReTPtqr8k3WrGPqiuqhJ60LVv4A5DMqT5c6hTVr4WbhP4DPEIPgfd5aq6U9_-H9WDyQYHKjnunLJEYtEREzmhTq3XsYeQ05DyE7hfnQ-zVoBb0CsAK7GdhihRTdvhXv2N9M04_rigyBP-roRcUgCqwyHuWJc0IPAyn3R4Mr43ZqgR2fn6dNV_YUVKn9c0nWxIwRnYy6Ff_Te9NoGVmXxkiNUX-90bBLKFiCzrRAtizxrTiQb2SRipaWbgOlV6wbMy2KNux'
[metadata.pyenv]
version = 'v2.4.23'
python_versions = ["3.13.1"]
[metadata.nginx.vhosts.homeassistant] [metadata.nginx.vhosts.homeassistant]
ssl = '_.home.kunbox.net' ssl = '_.home.kunbox.net'

4
nodes/home.mitel-rfp35.toml Normal file
View file

@ -0,0 +1,4 @@
dummy = true
[metadata.interfaces.default]
ips = ["172.19.138.41"]

2
nodes/home/downloadhelper.py
View file

@ -42,7 +42,7 @@ nodes['home.downloadhelper'] = {
'mounts': { 'mounts': {
'storage': { 'storage': {
'mountpoint': '/mnt/nas', 'mountpoint': '/mnt/nas',
'serverpath': '172.19.138.20:/mnt/download', 'serverpath': '172.19.138.20:/storage/download',
'mount_options': { 'mount_options': {
'retry=0', 'retry=0',
'rw', 'rw',

119
nodes/home/nas.py
View file

@ -5,11 +5,11 @@ nodes['home.nas'] = {
'bundles': { 'bundles': {
'avahi-daemon', 'avahi-daemon',
'backup-client', 'backup-client',
'dm-crypt',
'jellyfin', 'jellyfin',
'lm-sensors', 'lm-sensors',
'mixcloud-downloader', 'mixcloud-downloader',
'mosquitto', 'mosquitto',
'navidrome',
'nfs-server', 'nfs-server',
'rsyslogd', 'rsyslogd',
'samba', 'samba',
@ -61,7 +61,6 @@ nodes['home.nas'] = {
}, },
'backups': { 'backups': {
'paths': { 'paths': {
'/home/kunsi/',
'/storage/nas/', '/storage/nas/',
}, },
}, },
@ -70,6 +69,22 @@ nodes['home.nas'] = {
'avahi-aruba-fixup': '17,47 * * * * root /usr/bin/systemctl restart avahi-daemon.service', 'avahi-aruba-fixup': '17,47 * * * * root /usr/bin/systemctl restart avahi-daemon.service',
}, },
}, },
'dm-crypt': {
'encrypted-devices': {
'/dev/disk/by-id/ata-Samsung_SSD_870_QVO_8TB_S5SSNJ0X409404K': {
'dm-name': 'sam-S5SSNJ0X409404K',
'passphrase': bwpass.password('bw/home.nas/dmcrypt/S5SSNJ0X409404K'),
},
'/dev/disk/by-id/ata-Samsung_SSD_870_QVO_8TB_S5SSNJ0X409845F': {
'dm-name': 'sam-S5SSNJ0X409845F',
'passphrase': bwpass.password('bw/home.nas/dmcrypt/S5SSNJ0X409845F'),
},
'/dev/disk/by-id/ata-Samsung_SSD_870_QVO_8TB_S5SSNJ0X409870J': {
'dm-name': 'sam-S5SSNJ0X409870J',
'passphrase': bwpass.password('bw/home.nas/dmcrypt/S5SSNJ0X409870J'),
},
},
},
'groups': { 'groups': {
'nas': {}, 'nas': {},
}, },
@ -81,9 +96,11 @@ nodes['home.nas'] = {
}, },
'5060/tcp': { # yate SIP '5060/tcp': { # yate SIP
'home.snom-wohnzimmer', 'home.snom-wohnzimmer',
'home.mitel-rfp35',
}, },
'5061/tcp': { # yate SIPS '5061/tcp': { # yate SIPS
'home.snom-wohnzimmer', 'home.snom-wohnzimmer',
'home.mitel-rfp35',
}, },
# yate RTP uses some random UDP port. We cannot firewall # yate RTP uses some random UDP port. We cannot firewall
# it, because for incoming calls the other side decides # it, because for incoming calls the other side decides
@ -93,6 +110,7 @@ nodes['home.nas'] = {
# to deal with randomly changing IPs here. # to deal with randomly changing IPs here.
'*/udp': { '*/udp': {
'home.snom-wohnzimmer', 'home.snom-wohnzimmer',
'home.mitel-rfp35',
}, },
}, },
}, },
@ -134,22 +152,13 @@ nodes['home.nas'] = {
'htz-cloud.molly-connector', 'htz-cloud.molly-connector',
}, },
}, },
'navidrome': {
'domain': 'navidrome.home.kunbox.net',
'version': '0.56.1',
'sha1': '5235cb11e5fa3fd1c0a5065dcf5529a96e629ce9',
'config': {
'MusicFolder': '/storage/nas/music',
'EnableSharing': True
},
},
'nfs-server': { 'nfs-server': {
'shares': { 'shares': {
'/mnt/download': { '/storage/download': {
'home.downloadhelper': 'rw,all_squash,anonuid=65534,anongid=1012,no_subtree_check', 'home.downloadhelper': 'rw,all_squash,anonuid=65534,anongid=1012,no_subtree_check',
}, },
'/storage/nas': { '/storage/nas': {
'172.19.138.0/24': 'ro,all_squash,anonuid=65534,anongid=65534,no_subtree_check,insecure', '172.19.138.0/24': 'ro,all_squash,anonuid=65534,anongid=65534,no_subtree_check',
}, },
'/srv/paperless': { '/srv/paperless': {
'home.paperless': 'rw,all_squash,anonuid=65534,anongid=65534,no_subtree_check', 'home.paperless': 'rw,all_squash,anonuid=65534,anongid=65534,no_subtree_check',
@ -163,9 +172,6 @@ nodes['home.nas'] = {
'domain': 'jellyfin.home.kunbox.net', 'domain': 'jellyfin.home.kunbox.net',
'ssl': '_.home.kunbox.net', 'ssl': '_.home.kunbox.net',
}, },
'navidrome': {
'ssl': '_.home.kunbox.net',
},
}, },
}, },
'rsyslogd': { 'rsyslogd': {
@ -186,7 +192,7 @@ nodes['home.nas'] = {
'disks': { 'disks': {
'/dev/nvme0', '/dev/nvme0',
# nas/timemachine disks # old nas disks
'/dev/disk/by-id/ata-WDC_WD6003FFBX-68MU3N0_V8GE15GR', '/dev/disk/by-id/ata-WDC_WD6003FFBX-68MU3N0_V8GE15GR',
'/dev/disk/by-id/ata-WDC_WD6003FFBX-68MU3N0_V8HJ406R', '/dev/disk/by-id/ata-WDC_WD6003FFBX-68MU3N0_V8HJ406R',
'/dev/disk/by-id/ata-WDC_WD6003FFBX-68MU3N0_V8HJBTLR', '/dev/disk/by-id/ata-WDC_WD6003FFBX-68MU3N0_V8HJBTLR',
@ -194,9 +200,10 @@ nodes['home.nas'] = {
'/dev/disk/by-id/ata-WDC_WD6003FFBX-68MU3N0_V8J8ZKRR', '/dev/disk/by-id/ata-WDC_WD6003FFBX-68MU3N0_V8J8ZKRR',
'/dev/disk/by-id/ata-WDC_WD6003FFBX-68MU3N0_V9JS5UYL', '/dev/disk/by-id/ata-WDC_WD6003FFBX-68MU3N0_V9JS5UYL',
# ssdpool disks # encrypted disks
'/dev/disk/by-id/ata-INTEL_SSDSC2KB960G8_PHYF244001QU960CGN', '/dev/disk/by-id/ata-Samsung_SSD_870_QVO_8TB_S5SSNJ0X409404K',
'/dev/disk/by-id/ata-INTEL_SSDSC2KB960G8_PHYF244002AS960CGN', '/dev/disk/by-id/ata-Samsung_SSD_870_QVO_8TB_S5SSNJ0X409845F',
'/dev/disk/by-id/ata-Samsung_SSD_870_QVO_8TB_S5SSNJ0X409870J',
}, },
}, },
'systemd-networkd': { 'systemd-networkd': {
@ -226,7 +233,6 @@ nodes['home.nas'] = {
'chown -R :nas /storage/nas/', 'chown -R :nas /storage/nas/',
r'find /storage/nas/ -type d -exec chmod 0775 {} \;', r'find /storage/nas/ -type d -exec chmod 0775 {} \;',
r'find /storage/nas/ -type f -exec chmod 0664 {} \;', r'find /storage/nas/ -type f -exec chmod 0664 {} \;',
'find /storage/nas/ -type f -name "._*" -delete',
], ],
'when': '*-*-* 02:00:00', 'when': '*-*-* 02:00:00',
}, },
@ -252,20 +258,6 @@ nodes['home.nas'] = {
'zfs_arc_max_gb': 8, 'zfs_arc_max_gb': 8,
}, },
'pools': { 'pools': {
'ssdpool': {
'when_creating': {
'config': [
{
'type': 'mirror',
'devices': {
'/dev/disk/by-id/ata-INTEL_SSDSC2KB960G8_PHYF244001QU960CGN',
'/dev/disk/by-id/ata-INTEL_SSDSC2KB960G8_PHYF244002AS960CGN',
},
},
],
'ashift': 12,
},
},
'tank': { 'tank': {
'when_creating': { 'when_creating': {
'config': [ 'config': [
@ -284,46 +276,67 @@ nodes['home.nas'] = {
'ashift': 12, 'ashift': 12,
}, },
}, },
'encrypted': {
'when_creating': {
'config': [
{
'type': 'raidz',
'devices': {
'/dev/mapper/sam-S5SSNJ0X409404K',
'/dev/mapper/sam-S5SSNJ0X409845F',
'/dev/mapper/sam-S5SSNJ0X409870J',
},
},
],
'ashift': 12,
},
'needs': {
'action:dm-crypt_open_sam-S5SSNJ0X409404K',
'action:dm-crypt_open_sam-S5SSNJ0X409845F',
'action:dm-crypt_open_sam-S5SSNJ0X409870J',
},
# see comment in bundle:backup-server
'unless': 'zpool import encrypted',
},
}, },
'datasets': { 'datasets': {
'ssdpool': { 'encrypted': {
'primarycache': 'metadata', 'primarycache': 'metadata',
}, },
'ssdpool/yate': { 'encrypted/nas': {
'mountpoint': '/opt/yate',
},
'ssdpool/download': {
'mountpoint': '/mnt/download',
'quota': '858993459200', # 800 GB
},
'ssdpool/paperless': {
'mountpoint': '/srv/paperless',
},
'tank': {
'primarycache': 'metadata',
},
'tank/nas': {
'acltype': 'off', 'acltype': 'off',
'atime': 'off', 'atime': 'off',
'compression': 'off', 'compression': 'off',
'mountpoint': '/storage/nas', 'mountpoint': '/storage/nas',
}, },
'tank': {
'primarycache': 'metadata',
},
'tank/opt-yate': {
'mountpoint': '/opt/yate',
},
'tank/download': {
'mountpoint': '/storage/download',
},
'tank/paperless': {
'mountpoint': '/srv/paperless',
},
}, },
'snapshots': { 'snapshots': {
'retain_per_dataset': { 'retain_per_dataset': {
'tank/nas': { 'encrypted/nas': {
# juuuuuuuust to be sure. # juuuuuuuust to be sure.
'daily': 14, 'daily': 14,
'weekly': 6, 'weekly': 6,
'monthly': 12, 'monthly': 12,
}, },
'ssdpool/download': { 'tank/download': {
'hourly': 48, 'hourly': 48,
'daily': 0, 'daily': 0,
'weekly': 0, 'weekly': 0,
'monthly': 0, 'monthly': 0,
}, },
'ssdpool/paperless': { 'tank/paperless': {
'daily': 14, 'daily': 14,
'weekly': 6, 'weekly': 6,
'monthly': 24, 'monthly': 24,

2
nodes/home/paperless.py
View file

@ -49,7 +49,7 @@ nodes['home.paperless'] = {
}, },
'paperless': { 'paperless': {
'domain': 'paperless.home.kunbox.net', 'domain': 'paperless.home.kunbox.net',
'version': 'v2.16.2', 'version': 'v2.14.7',
'timezone': 'Europe/Berlin', 'timezone': 'Europe/Berlin',
}, },
'postgresql': { 'postgresql': {

9
nodes/htz-cloud/wireguard.py
View file

@ -37,7 +37,6 @@ nodes['htz-cloud.wireguard'] = {
'172.19.137.0/24', '172.19.137.0/24',
'172.19.136.62/31', '172.19.136.62/31',
'172.19.136.64/31', '172.19.136.64/31',
'172.19.136.66/31',
'192.168.100.0/24', '192.168.100.0/24',
}, },
}, },
@ -53,7 +52,6 @@ nodes['htz-cloud.wireguard'] = {
'udp dport 1194 accept', 'udp dport 1194 accept',
'udp dport 51800 accept', 'udp dport 51800 accept',
'udp dport 51804 accept', 'udp dport 51804 accept',
'udp dport 51805 accept',
# wg.c3voc.de # wg.c3voc.de
'udp dport 51801 ip saddr 185.106.84.42 accept', 'udp dport 51801 ip saddr 185.106.84.42 accept',
@ -127,13 +125,6 @@ nodes['htz-cloud.wireguard'] = {
'my_ip': '172.19.136.66', 'my_ip': '172.19.136.66',
'their_ip': '172.19.136.67', 'their_ip': '172.19.136.67',
}, },
'rottenraptor-vpn': {
'endpoint': None,
'exclude_from_monitoring': True,
'my_port': 51805,
'my_ip': '172.19.136.68',
'their_ip': '172.19.136.69',
},
}, },
}, },
}, },

12
nodes/proxmox-backupstorage.toml
View file

@ -14,17 +14,17 @@ check_command = "sshmon"
check_command = "sshmon" check_command = "sshmon"
"vars.sshmon_command" = "CT480BX500SSD1_2314E6C5C6C8" "vars.sshmon_command" = "CT480BX500SSD1_2314E6C5C6C8"
[metadata.icinga2_api.smartd.services."SMART STATUS ST20000NM007D-3DJ103_WVT0RNKF"] [metadata.icinga2_api.smartd.services."SMART STATUS ST18000NM0092-3CX103_ZVV0686W"]
check_command = "sshmon" check_command = "sshmon"
"vars.sshmon_command" = "ST20000NM007D-3DJ103_WVT0RNKF" "vars.sshmon_command" = "ST18000NM0092-3CX103_ZVV0686W"
[metadata.icinga2_api.smartd.services."SMART STATUS ST20000NM007D-3DJ103_WVT0V0NQ"] [metadata.icinga2_api.smartd.services."SMART STATUS ST18000NM0092-3CX103_ZVV06JV7"]
check_command = "sshmon" check_command = "sshmon"
"vars.sshmon_command" = "ST20000NM007D-3DJ103_WVT0V0NQ" "vars.sshmon_command" = "ST18000NM0092-3CX103_ZVV06JV7"
[metadata.icinga2_api.smartd.services."SMART STATUS ST20000NM007D-3DJ103_WVT0W64H"] [metadata.icinga2_api.smartd.services."SMART STATUS ST18000NM0092-3CX103_ZVV06SLR"]
check_command = "sshmon" check_command = "sshmon"
"vars.sshmon_command" = "ST20000NM007D-3DJ103_WVT0W64H" "vars.sshmon_command" = "ST18000NM0092-3CX103_ZVV06SLR"
[metadata.icinga2_api.smartd.services."SMART STATUS ST8000NM0045-1RL112_ZA1EYQWR"] [metadata.icinga2_api.smartd.services."SMART STATUS ST8000NM0045-1RL112_ZA1EYQWR"]
check_command = "sshmon" check_command = "sshmon"

9
nodes/rottenraptor-server.toml
View file

@ -18,11 +18,6 @@ ipmi_username = "Administrator"
ipmi_password = "!bwpass:bw/rottenraptor-server/ipmi" ipmi_password = "!bwpass:bw/rottenraptor-server/ipmi"
ipmi_interface = "lanplus" ipmi_interface = "lanplus"
[metadata.apt.repos.tailscale]
items = [
"deb https://pkgs.tailscale.com/stable/debian {os_release} main",
]
[metadata.docker-immich] [metadata.docker-immich]
enable_auto_album_share = true enable_auto_album_share = true
@ -53,10 +48,6 @@ domain = "sso.rotten.city"
[metadata.nginx.vhosts.immich] [metadata.nginx.vhosts.immich]
domain = "immich.rotten.city" domain = "immich.rotten.city"
[metadata.nginx.vhosts.radio]
domain = "eventradio.rotten.city"
extras = true
[metadata.php] [metadata.php]
packages = [ packages = [
"xml", "xml",

27
nodes/rottenraptor-vpn.toml
View file

@ -1,27 +0,0 @@
hostname = "172.30.17.53"
bundles = ["bird", "wireguard"]
groups = ["debian-bookworm"]
[metadata]
location = "rottenraptor"
backups.exclude_from_backups = true
icinga_options.exclude_from_monitoring = true
[metadata.bird]
static_routes = [
"172.30.17.0/24",
]
[metadata.interfaces.ens18]
ips = ["172.30.17.53/24"]
gateway4 = "172.30.17.1"
[metadata.nftables.postrouting]
"50-router" = [
"oifname ens18 masquerade",
]
[metadata.wireguard.peers."htz-cloud.wireguard"]
my_port = 51804
my_ip = "172.19.136.69"
their_ip = "172.19.136.68"

53
nodes/sophie/vmhost.py
View file

@ -2,13 +2,11 @@ nodes['sophie.vmhost'] = {
'hostname': '172.19.164.2', 'hostname': '172.19.164.2',
'bundles': { 'bundles': {
'backup-client', 'backup-client',
'hetzner-dyndns',
'lm-sensors', 'lm-sensors',
'mosquitto',
'nfs-server', 'nfs-server',
'mosquitto',
'smartd', 'smartd',
'vmhost', 'vmhost',
'wireguard',
'zfs', 'zfs',
}, },
'groups': { 'groups': {
@ -23,11 +21,6 @@ nodes['sophie.vmhost'] = {
'groups': { 'groups': {
'nas': {}, 'nas': {},
}, },
'hetzner-dyndns': {
'zone': 'sophies-kitchen.eu',
'record': 'router.home',
'api_key': vault.decrypt('encrypt$gAAAAABoABHrRTTyOAAFIsHK_g-bubDoNJidbAQ6_0VXyqfal8-wpVMuPPlrw-OtbI1AjNU6Rd1_gKTvwYtNYO9X6RuvuW3TCCH_eitpsoylVEQ0X6SDFNQAFfjkRlOgEiFl85oyTazl'),
},
'interfaces': { 'interfaces': {
'br1': { 'br1': {
'ips': { 'ips': {
@ -73,21 +66,6 @@ nodes['sophie.vmhost'] = {
}, },
}, },
}, },
'nftables': {
'forward': {
'50-router': [
'ct state { related, established } accept',
'oifname br1 accept',
],
},
'input': {
'50-wireguard': [
'udp dport 1194 accept',
'udp dport 10348 accept',
'udp dport 10349 accept',
],
},
},
'smartd': { 'smartd': {
'disks': { 'disks': {
'/dev/nvme0', '/dev/nvme0',
@ -97,12 +75,6 @@ nodes['sophie.vmhost'] = {
'/dev/disk/by-id/ata-ST20000NM007D-3DJ103_ZVT7D6JP', '/dev/disk/by-id/ata-ST20000NM007D-3DJ103_ZVT7D6JP',
}, },
}, },
'sysctl': {
'options': {
'net.ipv4.conf.all.forwarding': '1',
'net.ipv6.conf.all.forwarding': '1',
},
},
'systemd-networkd': { 'systemd-networkd': {
'bridges': { 'bridges': {
'br0': { 'br0': {
@ -137,29 +109,6 @@ nodes['sophie.vmhost'] = {
}, },
}, },
}, },
'wireguard': {
'snat_ip': '172.19.137.2',
'peers': {
'thinkpad': {
'endpoint': None,
'exclude_from_monitoring': True,
'my_ip': '172.19.165.64',
'my_port': 10348,
'their_ip': '172.19.165.65',
'psk': vault.decrypt('encrypt$gAAAAABoAUy3lAHfn7d9Jn4ppiPRr6LOReFGyGS4HzWC5ACHNipDFnGttnOHNji2DGIYVITzj3PosZs7PRn8BvXmwumEXNNP-G0nDucuiNNzUKuOCP4YWaF9-I1tnpmT_td3nqsCDajH'),
'pubkey': vault.decrypt('encrypt$gAAAAABoAUxlf048ovJebqo0MlLiLHcuuTCSmnCzhxSZPrFMjRaFLW0CvC3GnVed_4n7CjjZ6ygrORSl8xyBM5hvbN0-JM_56ZZFpn1UVkizctjHjb1u2XtpGAe2nMAnq2Cdg5swgH9S'),
},
'smartphone': {
'endpoint': None,
'exclude_from_monitoring': True,
'my_ip': '172.19.165.66',
'my_port': 10349,
'their_ip': '172.19.165.67',
'psk': vault.decrypt('encrypt$gAAAAABoAUy3lAHfn7d9Jn4ppiPRr6LOReFGyGS4HzWC5ACHNipDFnGttnOHNji2DGIYVITzj3PosZs7PRn8BvXmwumEXNNP-G0nDucuiNNzUKuOCP4YWaF9-I1tnpmT_td3nqsCDajH'),
'pubkey': vault.decrypt('encrypt$gAAAAABoAWD96YcEFsLzfOCzjS_4Hg7xX516OZ5RD_qFPSEZliaYSRMhY3uyNDtQ--e0dzEwdFHK_xGT3F7jQzYAvftH4iFtk9y3n3FNFVPxqsWckX4cJIX7ZZszbQCq8sfZZXGUR0C9'),
},
},
},
'zfs': { 'zfs': {
'pools': { 'pools': {
'storage': { 'storage': {

12
nodes/voc/infobeamer-cms.py
View file

@ -25,15 +25,15 @@ nodes['voc.infobeamer-cms'] = {
}, },
'infobeamer-cms': { 'infobeamer-cms': {
'domain': 'infobeamer.c3voc.de', 'domain': 'infobeamer.c3voc.de',
'event_start_date': '2025-06-19', 'event_start_date': '2025-02-28',
'event_duration_days': 4, 'event_duration_days': 3,
'config': { 'config': {
'ADMIN_USERS': [], 'ADMIN_USERS': [],
'NO_LIMIT_USERS': [], 'NO_LIMIT_USERS': [],
'HOSTED_API_KEY': vault.decrypt('encrypt$gAAAAABhxJPH2sIGMAibU2Us1HoCVlNfF0SQQnVl0eiod48Zu8webL_-xk3wDw3yXw1Hkglj-2usl-D3Yd095yTSq0vZMCv2fh-JWwSPdJewQ45x9Ai4vXVD4CNz5vuJBESKS9xQWXTc'), 'HOSTED_API_KEY': vault.decrypt('encrypt$gAAAAABhxJPH2sIGMAibU2Us1HoCVlNfF0SQQnVl0eiod48Zu8webL_-xk3wDw3yXw1Hkglj-2usl-D3Yd095yTSq0vZMCv2fh-JWwSPdJewQ45x9Ai4vXVD4CNz5vuJBESKS9xQWXTc'),
'INTERRUPT_KEY': vault.human_password_for('infobeamer-cms interrupt key 38c3', words=1), 'INTERRUPT_KEY': vault.human_password_for('infobeamer-cms interrupt key 38c3', words=1),
'SETUP_IDS': [ 'SETUP_IDS': [
262628, 258552,
], ],
# 'EXTRA_ASSETS': [{ # 'EXTRA_ASSETS': [{
# 'type': "image", # 'type': "image",
@ -80,9 +80,9 @@ nodes['voc.infobeamer-cms'] = {
}, },
}, },
'rooms': { 'rooms': {
'Medientheater': 34430, # s1 'Saal 1': 34430, # s1
'Vortragssaal': 37731, # s2 'Saal GLITCH': 37731, # s2
'Kubus': 26610, # s3 'Saal ZIGZAG': 26610, # s3
'Sendezentrum': 38641, # s4 'Sendezentrum': 38641, # s4
'Stage YELL': 38642, # s5 'Stage YELL': 38642, # s5
'Stage HUFF': 35042, # s6 'Stage HUFF': 35042, # s6

2
scripts/netbox-dump
View file

@ -34,7 +34,7 @@ QUERY_SITES = """{
}""" }"""
QUERY_DEVICES = """{ QUERY_DEVICES = """{
device_list(filters: {site_id: "SITE_ID", tags: {name: {exact: "bundlewrap"}}}) { device_list(filters: {tag: "bundlewrap", site_id: "SITE_ID"}) {
name name
id id
} }