voc.infobeamer-cms: add FAQ entries

Reviewed-on: #71

bundles/apt/files/sources.list-raspbian-buster

@@ -1 +0,0 @@
-deb http://raspbian.raspberrypi.org/raspbian/ buster main contrib non-free rpi

bundles/apt/items.py

@@ -7,9 +7,6 @@ supported_os = {
         12: 'bookworm',
         99: 'unstable',
     },
-    'raspbian': {
-        10: 'buster',
-    },
 }
 
 try:
@@ -27,6 +24,10 @@ actions = {
         'triggered': True,
         'cascade_skip': False,
     },
+    'apt_execute_update_commands': {
+        'command': ' && '.join(sorted(node.metadata.get('apt/additional_update_commands', {'true'}))),
+        'triggered': True,
+    },
 }
 
 files = {

bundles/apt/metadata.py

@@ -21,6 +21,9 @@ defaults = {
     'cron/jobs/upgrade-and-reboot'
 )
 def patchday(metadata):
+    if not node.metadata.get('apt/unattended-upgrades/enabled', True):
+        return {}
+
     day = metadata.get('apt/unattended-upgrades/day')
     hour = metadata.get('apt/unattended-upgrades/hour')
 

bundles/arch-with-gui/metadata.py

@@ -33,7 +33,7 @@ defaults = {
             # networking
             'avahi': {},
             'netctl': {},
-            'rfkill': {},
+            'util-linux': {}, # provides rfkill
             'wpa_supplicant': {},
             'wpa_actiond': {},
 

bundles/backup-client/files/generate-backup

@@ -62,10 +62,13 @@ trap "on_exit" EXIT
 
 # redirect stdout and stderr to logfile
 prepare_and_cleanup_logdir
+if [[ -z "$DEBUG" ]]
+then
     logfile="$logdir/backup--$(date '+%F--%H-%M-%S')--$$.log.gz"
     echo "All log output will go to $logfile" | logger -it backup-client
     exec > >(gzip >"$logfile")
     exec 2>&1
+fi
 
 # this is where the real work starts
 ts_begin=$(date +%s)

bundles/backup-server/metadata.py

@@ -160,7 +160,7 @@ def monitoring(metadata):
                 client,
                 config['one_backup_every_hours'],
             ),
-            'vars.sshmon_timeout': 20,
+            'vars.sshmon_timeout': 40,
         }
 
     return {

bundles/c3voc-addons/items.py

@@ -7,9 +7,6 @@ supported_os = {
         12: 'bookworm',
         99: 'unstable',
     },
-    'raspbian': {
-        10: 'buster',
-    },
 }
 
 try:
@@ -82,6 +79,10 @@ actions = {
         'triggered': True,
         'cascade_skip': False,
     },
+    'apt_execute_update_commands': {
+        'command': ' && '.join(sorted(node.metadata.get('apt/additional_update_commands', {'true'}))),
+        'triggered': True,
+    },
 }
 
 directories = {

bundles/element-web/items.py

@@ -33,7 +33,7 @@ actions = {
             'yarn build',
         ]),
         'needs': {
-            'action:nodejs_install_yarn',
+            'action:apt_execute_update_commands',
             'pkg_apt:nodejs',
         },
         'triggered': True,

bundles/element-web/metadata.py

@@ -11,6 +11,26 @@ defaults = {
     },
 }
 
+@metadata_reactor.provides(
+    'nodejs/version',
+)
+def nodejs(metadata):
+    version = tuple([int(i) for i in metadata.get('element-web/version')[1:].split('.')])
+
+    if version >= (1, 11, 71):
+        return {
+            'nodejs': {
+                'version': 20,
+            },
+        }
+    else:
+        return {
+            'nodejs': {
+                'version': 18,
+            },
+        }
+
+
 @metadata_reactor.provides(
     'nginx/vhosts/element-web',
 )

bundles/grafana/metadata.py

@@ -43,6 +43,7 @@ def nginx(metadata):
                     'locations': {
                         '/': {
                             'target': 'http://127.0.0.1:21010',
+                            'websockets': True,
                         },
                         '/api/ds/query': {
                             'target': 'http://127.0.0.1:21010',

bundles/hedgedoc/items.py

@@ -72,7 +72,6 @@ actions = {
             'yarn build',
         ]),
         'needs': {
-            'action:nodejs_install_yarn',
             'file:/opt/hedgedoc/config.json',
             'git_deploy:/opt/hedgedoc',
             'pkg_apt:nodejs',

bundles/homeassistant/files/check_homeassistant_update

@@ -2,48 +2,42 @@
 
 from sys import exit
 
-import requests
 from packaging import version
+from requests import get
 
-bearer = "${bearer}"
-domain = "${domain}"
-OK = 0
-WARN = 1
-CRITICAL = 2
-UNKNOWN = 3
-
-status = 3
-message = "Unknown Update Status"
-
-
-domain = "hass.home.kunbox.net"
-
-s = requests.Session()
-s.headers.update({"Content-Type": "application/json"})
+API_TOKEN = "${token}"
+DOMAIN = "${domain}"
 
 try:
-    stable_version = version.parse(
-        s.get("https://version.home-assistant.io/stable.json").json()["homeassistant"][
-            "generic-x86-64"
-        ]
-    )
-    s.headers.update(
-        {"Authorization": f"Bearer {bearer}", "Content-Type": "application/json"}
-    )
-    running_version = version.parse(
-        s.get(f"https://{domain}/api/config").json()["version"]
-    )
-    if running_version == stable_version:
-        status = 0
-        message = f"OK - running version {running_version} equals stable version {stable_version}"
-    elif running_version > stable_version:
-        status = 1
-        message = f"WARNING - stable version {stable_version} is lower than running version {running_version}, check if downgrade is necessary."
-    else:
-        status = 2
-        message = f"CRITICAL - update necessary, running version {running_version} is lower than stable version {stable_version}"
+    r = get("https://version.home-assistant.io/stable.json")
+    r.raise_for_status()
+    stable_version = r.json()["homeassistant"]["generic-x86-64"]
 except Exception as e:
-    message = f"{message}: {repr(e)}"
+    print(f"Could not get stable version information from home-assistant.io: {e!r}")
+    exit(3)
 
-print(message)
-exit(status)
+try:
+    r = get(
+        f"https://{DOMAIN}/api/config",
+        headers={"Authorization": f"Bearer {API_TOKEN}", "Content-Type": "application/json"},
+    )
+    r.raise_for_status()
+    running_version = r.json()["version"]
+except Exception as e:
+    print(f"Could not get running version information from homeassistant: {e!r}")
+    exit(3)
+
+try:
+    if stable_version > running_version:
+        print(
+            f"There is a newer version available: {stable_version} (currently installed: {running_version})"
+        )
+        exit(2)
+    else:
+        print(
+            f"Currently running version {running_version} matches newest release on home-assistant.io"
+        )
+        exit(0)
+except Exception as e:
+    print(repr(e))
+    exit(3)

bundles/homeassistant/items.py

@@ -30,7 +30,7 @@ files = {
     '/usr/local/share/icinga/plugins/check_homeassistant_update': {
         'content_type': 'mako',
         'context': {
-            'bearer': repo.vault.decrypt(node.metadata.get('homeassistant/api_secret')),
+            'token': node.metadata.get('homeassistant/api_secret'),
             'domain': node.metadata.get('homeassistant/domain'),
         },
         'mode': '0755',

bundles/icinga2/files/check_spam_blocklist

@@ -50,17 +50,13 @@ def check_list(ip_list, blocklist, warn_ips):
         ]).decode().splitlines()
         for item in result:
             if item.startswith(';;'):
-                msgs.append('{} - {}'.format(
-                    blocklist,
-                    item,
-                ))
-            else:
+                continue
             msgs.append('{} listed in {} as {}'.format(
                 ip,
                 blocklist,
                 item,
             ))
-            if (item in warn_ips or item.startswith(';;')) and returncode < 2:
+            if item in warn_ips and returncode < 2:
                 returncode = 1
             else:
                 returncode = 2

bundles/icinga2/files/scripts/icinga_notification_wrapper

@@ -199,7 +199,7 @@ if __name__ == '__main__':
         notify_per_mail()
 
     if args.sms:
-        if args.service_name:
+        if not args.service_name:
             notify_per_sms()
         if CONFIG['ntfy']['user']:
             notify_per_ntfy()

bundles/infobeamer-cms/items.py

@@ -23,7 +23,7 @@ actions = {
 git_deploy = {
     '/opt/infobeamer-cms/src': {
         'rev': 'master',
-        'repo': 'https://github.com/sophieschi/36c3-cms.git',
+        'repo': 'https://github.com/voc/infobeamer-cms.git',
         'needs': {
             'directory:/opt/infobeamer-cms/src',
         },
@@ -96,14 +96,6 @@ files = {
     },
 }
 
-pkg_pip = {
-    'github-flask': {
-        'needed_by': {
-            'svc_systemd:infobeamer-cms',
-        },
-    },
-}
-
 svc_systemd = {
     'infobeamer-cms': {
         'needs': {

bundles/infobeamer-monitor/files/monitor.py

@@ -140,13 +140,12 @@ while True:
                         if device["is_online"]:
                             if device["maintenance"]:
                                 mqtt_out(
-                                    "maintenance required: {}".join(
+                                    "maintenance required: {}".format(' '.join(
                                         sorted(device["maintenance"])
-                                    ),
+                                    )),
                                     level="WARN",
                                     device=device,
                                 )
-                                must_dump_state = True
 
                         if (
                             device["is_synced"] != state[did]["is_synced"]

bundles/matrix-media-repo/files/config.yaml

@@ -3,6 +3,9 @@ repo:
   bindAddress: '${node.metadata.get('matrix-media-repo/listen-addr', '127.0.0.1')}'
   port: ${node.metadata.get('matrix-media-repo/port', 20090)}
   logDirectory: '-'
+  logColors: false
+  jsonLogs: false
+  logLevel: 'info'
   trustAnyForwardedAddress: false
   useForwardedHost: true
 
@@ -22,10 +25,13 @@ homeservers:
     csApi: "${config['domain']}"
     backoffAt: ${config.get('backoff_at', 10)}
     adminApiKind: "${config.get('api', 'matrix')}"
+%  if config.get('signing_key_path'):
+    signingKeyPath: "${config['signing_key_path']}"
+%  endif
 % endfor
 
 accessTokens:
-  maxCacheTimeSeconds: 0
+  maxCacheTimeSeconds: 10
   useLocalAppserviceConfig: false
 
 admins:
@@ -53,7 +59,9 @@ archiving:
 uploads:
   maxBytes: ${node.metadata.get('matrix-media-repo/upload_max_mb')*1024*1024}
   minBytes: 100
-  reportedMaxBytes: 0
+  #reportedMaxBytes: 0
+  maxPending: 5
+  maxAgeSeconds: 1800
   quotas:
     enabled: false
 
@@ -61,14 +69,6 @@ downloads:
   maxBytes: ${node.metadata.get('matrix-media-repo/download_max_mb')*1024*1024}
   numWorkers: ${node.metadata.get('matrix-media-repo/workers')}
   failureCacheMinutes: 5
-  cache:
-    enabled: true
-    maxSizeBytes: ${node.metadata.get('matrix-media-repo/download_max_mb')*10*1024*1024}
-    maxFileSizeBytes: ${node.metadata.get('matrix-media-repo/download_max_mb')*1024*1024}
-    trackedMinutes: 30
-    minDownloads: 5
-    minCacheTimeSeconds: 300
-    minEvictedTimeSeconds: 60
   expireAfterDays: 0
 
 urlPreviews:
@@ -137,8 +137,8 @@ thumbnails:
 
 rateLimit:
   enabled: true
-  requestsPerSecond: 10
-  burst: 50
+  requestsPerSecond: 100
+  burst: 5000
 
 identicons:
   enabled: true

bundles/matrix-media-repo/items.py

@@ -19,9 +19,6 @@ files = {
     '/opt/matrix-media-repo/config.yaml': {
         'owner': 'matrix-media-repo',
         'content_type': 'mako',
-        'triggers': {
-            'svc_systemd:matrix-media-repo:restart',
-        },
     },
     '/etc/systemd/system/matrix-media-repo.service': {
         'triggers': {

bundles/matrix-synapse/metadata.py

@@ -144,7 +144,8 @@ def nginx(metadata):
     }
 
     if node.has_bundle('matrix-media-repo'):
-        locations['/_matrix/media'] = {
+        for path in ('/_matrix/media', '/_matrix/client/v1/media', '/_matrix/federation/v1/media'):
+            locations[path] = {
                 'target': 'http://localhost:20090',
                 'max_body_size': '{}M'.format(metadata.get('matrix-media-repo/upload_max_mb')),
                 # matrix-media-repo needs this to be the

bundles/mixcloud-downloader/files/download.sh

@@ -1,11 +1,15 @@
 #!/bin/bash
 
-OPTS=""
+OPTS="--netrc"
+OPTS="$OPTS --netrc-location /opt/mixcloud-downloader/netrc"
+OPTS="$OPTS --retry-sleep linear=1::2"
+OPTS="$OPTS --retry-sleep fragment:exp=1:60"
+OPTS="$OPTS --extractor-retries 5"
 if [[ -n "$DEBUG" ]]
 then
     set -x
 else
-    OPTS="-q"
+    OPTS="$OPTS -q"
 fi
 
 set -euo pipefail

bundles/mixcloud-downloader/files/netrc

@@ -0,0 +1,3 @@
+% for domain, data in sorted(node.metadata.get('mixcloud-downloader/netrc', {}).items()):
+machine ${domain} login ${data['username']} password ${data['password']}
+% endfor

bundles/mixcloud-downloader/items.py

@@ -6,3 +6,9 @@ files['/opt/mixcloud-downloader/download.sh'] = {
 directories['/opt/mixcloud-downloader'] = {
     'owner': 'kunsi',
 }
+
+files['/opt/mixcloud-downloader/netrc'] = {
+    'content_type': 'mako',
+    'mode': '0400',
+    'owner': 'kunsi',
+}

bundles/mosquitto/items.py

@@ -5,12 +5,6 @@ files = {
             'svc_systemd:mosquitto:restart',
         },
     },
-    '/usr/local/bin/tasmota-telegraf-plugin': {
-        'mode': '0755',
-        'needs': {
-            'pkg_apt:python3-paho-mqtt',
-        },
-    },
 }
 
 svc_systemd = {
@@ -23,6 +17,12 @@ svc_systemd = {
 }
 
 if node.has_bundle('telegraf'):
-    files['/usr/local/bin/tasmota-telegraf-plugin']['triggers'] = {
+    files['/usr/local/bin/tasmota-telegraf-plugin'] = {
+        'mode': '0755',
+        'needs': {
+            'pkg_apt:python3-paho-mqtt',
+        },
+        'triggers': {
             'svc_systemd:telegraf:restart',
+        },
     }

bundles/mosquitto/metadata.py

@@ -5,7 +5,6 @@ defaults = {
         'packages': {
             'mosquitto': {},
             'mosquitto-clients': {},
-            'python3-paho-mqtt': {}, # for telegraf plugin
         },
     },
     'icinga2_api': {
@@ -24,6 +23,9 @@ defaults = {
     },
 }
 
+if node.has_bundle('telegraf'):
+    defaults['apt']['packages']['python3-paho-mqtt'] = {}
+
 
 @metadata_reactor.provides(
     'firewall/port_rules',

bundles/nftables/files/nftables.conf

@@ -23,9 +23,8 @@ table inet filter {
 
         icmp type timestamp-request drop
         icmp type timestamp-reply drop
-        ip protocol icmp accept
+        meta l4proto {icmp, ipv6-icmp} accept
 
-        ip6 nexthdr ipv6-icmp accept
 % for ruleset, rules in sorted(input.items()):
 
         # ${ruleset}

bundles/nginx/files/site_template

@@ -201,6 +201,8 @@ server {
         fastcgi_hide_header X-XSS-Protection;
 % endif
         fastcgi_hide_header Permissions-Policy;
+        fastcgi_request_buffering off;
+        proxy_buffering off;
     }
 %  if not max_body_size:
     client_max_body_size 5M;

bundles/nodejs/items.py

@@ -1,9 +0,0 @@
-actions = {
-    'nodejs_install_yarn': {
-        'command': 'npm install -g yarn@latest',
-        'unless': 'test -e /usr/lib/node_modules/yarn',
-        'after': {
-            'pkg_apt:',
-        },
-    },
-}

bundles/nodejs/metadata.py

@@ -1,54 +1,40 @@
 defaults = {
     'apt': {
         'additional_update_commands': {
-            # update npm to latest version
+            # update npm and yarn to latest version
+            'npm install -g npm@latest',
             'npm install -g yarn@latest',
         },
         'packages': {
-            'nodejs': {},
-        },
-    },
             'nodejs': {
-        'version': 18,
+                'triggers': {
+                    'action:apt_execute_update_commands',
+                },
+            },
+            'npm': {
+                'installed': False,
+                'triggers': {
+                    'action:apt_execute_update_commands',
+                },
+            },
+        },
     },
-}
-
-VERSIONS_SHIPPED_BY_DEBIAN = {
-    10: 10,
-    11: 12,
-    12: 18,
-    13: 18,
 }
 
 @metadata_reactor.provides(
     'apt/repos/nodejs/items',
-    'apt/additional_update_commands',
 )
 def nodejs_from_version(metadata):
     version = metadata.get('nodejs/version')
 
-    if version != VERSIONS_SHIPPED_BY_DEBIAN[node.os_version[0]]:
     return {
         'apt': {
-                'additional_update_commands': {
-                    # update npm to latest version
-                    'npm install -g npm@latest',
-                },
             'repos': {
                 'nodejs': {
                     'items': {
-                            f'deb https://deb.nodesource.com/node_{version}.x {{os_release}} main',
-                            f'deb-src https://deb.nodesource.com/node_{version}.x {{os_release}} main',
+                        f'deb https://deb.nodesource.com/node_{version}.x nodistro main',
                     },
                 },
             },
         },
     }
-    else:
-        return {
-            'apt': {
-                'packages': {
-                    'npm': {},
-                },
-            },
-        }

bundles/paperless-ng/metadata.py

@@ -33,6 +33,9 @@ defaults = {
             '/mnt/paperless',
         },
     },
+    'nodejs': {
+        'version': 18,
+    },
     'postgresql': {
         'roles': {
             'paperless': {

bundles/powerdns/items.py

@@ -65,7 +65,7 @@ svc_systemd = {
 actions = {
     'powerdns_reload_zones': {
         'triggered': True,
-        'command': 'pdns_control rediscover; pdns_control reload; pdns_control notify \*',
+        'command': r'pdns_control rediscover; pdns_control reload; pdns_control notify \*',
         'after': {
             'svc_systemd:pdns',
         },
@@ -160,7 +160,7 @@ if node.metadata.get('powerdns/features/pgsql', node.has_bundle('postgresql')):
 
     actions['powerdns_load_pgsql_schema'] = {
         'command': node.metadata.get('postgresql/roles/powerdns/password').format_into('PGPASSWORD={} psql -h 127.0.0.1 -d powerdns -U powerdns -w < /usr/share/pdns-backend-pgsql/schema/schema.pgsql.sql'),
-        'unless': 'sudo -u postgres psql -d powerdns -c "\dt" | grep domains 2>&1 >/dev/null',
+        'unless': r'sudo -u postgres psql -d powerdns -c "\dt" | grep domains 2>&1 >/dev/null',
         'needs': {
             'bundle:postgresql',
             'pkg_apt:pdns-backend-pgsql',

bundles/powerdnsadmin/items.py

@@ -71,8 +71,8 @@ actions = {
             'chown -R powerdnsadmin:powerdnsadmin /opt/powerdnsadmin/src/powerdnsadmin/static/',
         ]),
         'needs': {
-            'action:nodejs_install_yarn',
             'action:powerdnsadmin_install_deps',
+            'bundle:nodejs',
             'pkg_apt:',
         },
     },

bundles/powerdnsadmin/metadata.py

@@ -13,6 +13,9 @@ defaults = {
             'python3-wheel': {},
         },
     },
+    'nodejs': {
+        'version': 18,
+    },
     'users': {
         'powerdnsadmin': {
             'home': '/opt/powerdnsadmin',

bundles/pretalx/metadata.py

@@ -26,6 +26,9 @@ defaults = {
             },
         },
     },
+    'nodejs': {
+        'version': 18,
+    },
     'pretalx': {
         'database': {
             'user': 'pretalx',

bundles/proftpd/items.py

@@ -0,0 +1,13 @@
+files['/etc/proftpd/proftpd.conf'] = {
+    'source': f'{node.name}.conf',
+    'triggers': {
+        'svc_systemd:proftpd:restart',
+    },
+}
+
+svc_systemd['proftpd'] = {
+    'needs': {
+        'file:/etc/proftpd/proftpd.conf',
+        'pkg_apt:proftpd-core',
+    },
+}

bundles/proftpd/metadata.py

@@ -0,0 +1,26 @@
+from bundlewrap.metadata import atomic
+
+defaults = {
+    'apt': {
+        'packages': {
+            'proftpd-core': {},
+        },
+    },
+}
+
+
+@metadata_reactor.provides(
+    'firewall/port_rules',
+)
+def firewall(metadata):
+    sources = atomic(metadata.get('mosquitto/restrict-to', set()))
+
+    return {
+        'firewall': {
+            'port_rules': {
+                '20/tcp': sources,
+                '21/tcp': sources,
+                '49152-50192/tcp': sources,
+            },
+        },
+    }

bundles/raspberrypi/files/config.txt

@@ -1,22 +1,30 @@
 disable_overscan=1
-hdmi_force_hotplug=1
-dtparam=spi=on
 dtparam=audio=on
-dtoverlay=vc4-fkms-v3d
+dtoverlay=vc4-kms-v3d
 max_framebuffers=2
-hdmi_drive=2
 force_turbo=1
 
-gpu_mem=${node.metadata['raspberrypi'].get('gpu_mem', 128)}
+gpu_mem=${node.metadata.get('raspberrypi/gpu_mem', 128)}
+
+% if node.metadata.get('raspberrypi/enable_display'):
+display_auto_detect=1
+% else:
+dtparam=i2c_arm=on
+dtparam=i2s=on
+dtparam=spi=on
+hdmi_drive=2
+hdmi_force_hotplug=1
+% endif
 
 % if node.os == 'debian':
 arm_64bit=1
 % endif
+arm_boost=1
 
-% for item in sorted(node.metadata['raspberrypi'].get('config.txt', set())):
+% for item in sorted(node.metadata.get('raspberrypi/config.txt', set())):
 ${item}
 % endfor
 
-% if node.metadata['raspberrypi'].get('camera', False):
-start_x=1
+% if node.metadata.get('raspberrypi/enable_camera', False):
+camera_auto_detect=1
 % endif

bundles/raspberrypi/items.py

@@ -15,11 +15,11 @@ actions = {
 }
 
 files = {
-    '/boot/cmdline.txt': {
+    '/boot/firmware/cmdline.txt': {
         'content': ' '.join(sorted(node.metadata['raspberrypi']['cmdline'])),
         **file_perms,
     },
-    '/boot/config.txt': {
+    '/boot/firmware/config.txt': {
         'content_type': 'mako',
         'context': node.metadata['raspberrypi'],
         **file_perms,

bundles/raspberrypi/metadata.py

@@ -1,5 +1,6 @@
 defaults = {
     'apt': {
+        'clean_old_kernels': False,
         'packages': {
             'dhcpcd5': {
                 'installed': False,
@@ -14,9 +15,16 @@ defaults = {
                 'installed': False,
             },
         },
+        'repos': {
+            'raspi': {
+                'install_gpg_key': False,
+                'items': {
+                    'deb http://archive.raspberrypi.org/debian/ {os_release} main',
+                },
+            },
+        },
     },
     'raspberrypi': {
-        'default-target': 'multi-user.target',
         'cmdline': {
             'console=tty1',
             'root=/dev/mmcblk0p2',
@@ -28,6 +36,8 @@ defaults = {
             'plymouth.ignore-serial-consoles',
             'net.ifnames=0',
         },
+        'default-target': 'multi-user.target',
+        'enable_display': False,
     },
     'systemd': {
         'journal': {
@@ -37,3 +47,19 @@ defaults = {
         },
     },
 }
+
+
+@metadata_reactor.provides(
+    'raspberrypi/cmdline',
+)
+def display(metadata):
+    if not metadata.get('raspberrypi/enable_display'):
+        return {}
+
+    return {
+        'raspberrypi': {
+            'cmdline': {
+                'video=DSI-1:800x480@60,rotate=180',
+            },
+        },
+    }

bundles/routeros/metadata.py

@@ -2,31 +2,8 @@ import re
 from json import load
 from os.path import join
 
-defaults = {
-    'icinga2_api': {
-        'routeros': {
-            'services': {
-                'TEMPERATURE': {
-                    'check_command': 'snmp',
-                    'vars.snmp_oid': '1.3.6.1.4.1.14988.1.1.3.11.0',
-                    'vars.snmp_version': '2c',
-                    'vars.snmp_community': 'public',
-                    'vars.warn': '@750:799',  # 1/10 °C
-                    'vars.crit': '@800:9999',
-                },
-            },
-        },
-    },
-}
 
-
-@metadata_reactor.provides(
-    'routeros/ips',
-    'routeros/ports',
-    'routeros/vlans',
-)
-def get_ports_from_netbox_dump(metadata):
-    with open(join(repo.path, 'configs', f'netbox_device_{node.name}.json')) as f:
+with open(join(repo.path, 'configs', 'netbox', f'{node.name}.json')) as f:
     netbox = load(f)
 
 ips = {}
@@ -45,7 +22,7 @@ def get_ports_from_netbox_dump(metadata):
     for ip in conf['ips']:
         ips[ip] = {'interface': port}
 
-        if conf['type'] == 'VIRTUAL':
+    if conf['type'].lower() == 'virtual':
         # these are VLAN interfaces (for management IPs)
         if conf['ips']:
             # this makes management services available in the VLAN
@@ -77,6 +54,8 @@ def get_ports_from_netbox_dump(metadata):
         if conf.get('ips', []):
             ports[port]['ips'] = set(conf['ips'])
         if conf['type'] in (
+            '1000base-t',
+            '10gbase-x-sfpp',
             'A_1000BASE_T',
             'A_10GBASE_X_SFPP',
         ):
@@ -90,7 +69,7 @@ def get_ports_from_netbox_dump(metadata):
 
     # tagged
 
-        if conf['mode'] == 'TAGGED_ALL':
+    if conf['mode'] in ('TAGGED_ALL', 'tagged-all'):
         tagged = set(vlans.keys()) - {conf['untagged_vlan']}
     else:
         tagged = conf['tagged_vlans']
@@ -102,12 +81,26 @@ def get_ports_from_netbox_dump(metadata):
         if conf['ips']:
             vlans[vlan]['tagged'].add('bridge')
 
-    return {
+defaults = {
+    'icinga2_api': {
+        'routeros': {
+            'services': {
+                'TEMPERATURE': {
+                    'check_command': 'snmp',
+                    'vars.snmp_oid': '1.3.6.1.4.1.14988.1.1.3.11.0',
+                    'vars.snmp_version': '2c',
+                    'vars.snmp_community': 'public',
+                    'vars.warn': '@750:799',  # 1/10 °C
+                    'vars.crit': '@800:9999',
+                },
+            },
+        },
+    },
     'routeros': {
         'ips': ips,
         'ports': ports,
         'vlans': vlans,
-        }
+    },
 }
 
 

bundles/rsyslogd/metadata.py

@@ -6,6 +6,11 @@ defaults = {
             'rsyslog': {},
         },
     },
+    'backups': {
+        'paths': {
+            '/var/log/rsyslog',
+        },
+    },
     'icinga2_api': {
         'rsyslog': {
             'services': {

bundles/samba/files/override.conf

@@ -0,0 +1,3 @@
+[Service]
+RestartSec=10
+Restart=on-failure

bundles/samba/files/smb.conf

@@ -0,0 +1,39 @@
+[global]
+workgroup = KUNBOX
+server string = ${node.name} samba
+dns proxy = no
+max log size = 1000
+syslog = 1
+syslog only = 1
+panic action = /usr/share/samba/panic-action %d
+encrypt passwords = true
+passdb backend = tdbsam
+obey pam restrictions = yes
+map to guest = bad user
+load printers = no
+usershare allow guests = yes
+allow insecure wide links = yes
+% for name, opts in sorted(node.metadata.get('samba/shares', {}).items()):
+
+[${name}]
+browseable = yes
+comment = ${opts.get('comment', f'share of {opts["path"]}')}
+fake oplocks = yes
+force group = ${opts.get('force_group', 'nogroup')}
+force user = ${opts.get('force_user', 'nobody')}
+%  if opts.get('guest_ok', True):
+guest ok = yes
+%  else:
+guest ok = no
+%  endif
+locking = no
+path = ${opts['path']}
+printable = no
+read only = no
+vfs objects = catia fruit
+writable = ${'yes' if opts.get('writable', False) else 'no'}
+%  if opts.get('follow_symlinks', True):
+follow symlinks = yes
+wide links = yes
+%  endif
+% endfor

bundles/samba/items.py

@@ -0,0 +1,59 @@
+svc_systemd = {
+    'nmbd': {
+        'needs': {
+            'pkg_apt:samba',
+        },
+    },
+    'smbd': {
+        'needs': {
+            'pkg_apt:samba',
+        },
+    },
+}
+
+files = {
+    '/etc/samba/smb.conf': {
+        'content_type': 'mako',
+        'triggers': {
+            'svc_systemd:nmbd:restart',
+            'svc_systemd:smbd:restart',
+        },
+    },
+    '/etc/systemd/system/nmbd.service.d/bundlewrap.conf': {
+        'source': 'override.conf',
+        'triggers': {
+            'action:systemd-reload',
+            'svc_systemd:nmbd:restart',
+        },
+    },
+    '/etc/systemd/system/smbd.service.d/bundlewrap.conf': {
+        'source': 'override.conf',
+        'triggers': {
+            'action:systemd-reload',
+            'svc_systemd:smbd:restart',
+        },
+    },
+}
+
+last_action = set()
+for user, uconfig in node.metadata.get('users', {}).items():
+    if (
+        'password' not in uconfig
+        or uconfig.get('delete')
+        or user in ('root',)
+    ):
+        continue
+
+    actions[f'smbpasswd_for_user_{user}'] = {
+        'command': f'smbpasswd -a -s {user}',
+        'unless': f'pdbedit -L | grep -E "^{user}:"',
+        'data_stdin': uconfig['password'] + '\n' + uconfig['password'],
+        'needs': {
+            'pkg_apt:samba',
+            f'user:{user}',
+        },
+        'after': last_action,
+    }
+    last_action = {
+        f'action:smbpasswd_for_user_{user}',
+    }

bundles/samba/metadata.py

@@ -0,0 +1,26 @@
+from bundlewrap.metadata import atomic
+
+defaults = {
+    'apt': {
+        'packages': {
+            'samba': {},
+            'samba-vfs-modules': {},
+        }
+    }
+}
+
+
+@metadata_reactor.provides(
+    'firewall/port_rules',
+)
+def firewall(metadata):
+    return {
+        'firewall': {
+            'port_rules': {
+                '137/udp': atomic(metadata.get('samba/restrict-to', set())),
+                '138/udp': atomic(metadata.get('samba/restrict-to', set())),
+                '139/tcp': atomic(metadata.get('samba/restrict-to', set())),
+                '445/tcp': atomic(metadata.get('samba/restrict-to', set())),
+            },
+        },
+    }

bundles/scansnap/files/ocr.sh

@@ -1,21 +0,0 @@
-#!/bin/bash
-
-set -euo pipefail
-
-DATE=$(date +%F_%H-%M-%S)
-
-cd "$1"
-
-convert *.tiff no_ocr.pdf
-ocrmypdf -l deu no_ocr.pdf has_ocr.pdf
-
-rm -f *.tiff
-rm -f no_ocr.pdf
-
-chown nobody:nogroup has_ocr.pdf
-
-mv has_ocr.pdf "/srv/scansnap/${DATE}.pdf"
-
-cd /
-
-rm -r "$1"

bundles/scansnap/files/scan.sh

@@ -1,9 +0,0 @@
-#!/bin/bash
-
-set -euo pipefail
-
-OUTFILE=$(mktemp -d)
-
-scanimage --source 'ADF Duplex' --format tiff --mode Color --brightness 23 --resolution 300 --page-width 210 --page-height 297.3 -x 210 -y 297.3 --batch=${OUTFILE}/p%04d.tiff
-
-/etc/scanbd/scripts/ocr.sh "$OUTFILE" &

bundles/scansnap/files/scanbd.conf

@@ -1,52 +0,0 @@
-global {
-        debug   = true
-        debug-level = 2
-
-        user    = saned
-        group   = scanner
-
-        saned   = "/usr/sbin/saned"
-        saned_opt  = {}
-        saned_env  = { "SANE_CONFIG_DIR=/etc/scanbd" }
-
-        scriptdir = /etc/scanbd/scripts
-
-        timeout = 500
-
-        pidfile = "/var/run/scanbd.pid"
-
-        environment {
-                device = "SCANBD_DEVICE"
-                action = "SCANBD_ACTION"
-        }
-
-        function function_knob {
-                filter = "^message.*"
-                desc   = "The value of the function knob / wheel / selector"
-                env    = "SCANBD_FUNCTION"
-        }
-        function function_mode {
-                filter = "^mode.*"
-                desc   = "Color mode"
-                env    = "SCANBD_FUNCTION_MODE"
-        }
-
-        multiple_actions = false
-        action scan {
-                filter = "^scan.*"
-                numerical-trigger {
-                        from-value = 0
-                        to-value   = 1
-                }
-                desc   = "Scan to file"
-                script = "scan.sh"
-        }
-}
-
-include(scanner.d/avision.conf)
-include(scanner.d/fujitsu.conf)
-include(scanner.d/hp.conf)
-include(scanner.d/pixma.conf)
-include(scanner.d/snapscan.conf)
-include(scanner.d/canon.conf)
-include(scanner.d/plustek.conf)

bundles/scansnap/items.py

@@ -1,39 +0,0 @@
-directories = {
-    '/etc/scanbd/scripts': {
-        'purge': True,
-    },
-    '/srv/scansnap': {
-        'owner': 'nobody',
-        'group': 'nogroup',
-    },
-}
-
-files = {
-    '/etc/scanbd/scanbd.conf': {
-        'triggers': {
-            'svc_systemd:scanbd:restart',
-        },
-    },
-    '/etc/scanbd/scripts/ocr.sh': {
-        'mode': '0755',
-        'needs': {
-            'directory:/srv/scansnap',
-        },
-    },
-    '/etc/scanbd/scripts/scan.sh': {
-        'mode': '0755',
-        'needs': {
-            'directory:/srv/scansnap',
-            'file:/etc/scanbd/scripts/ocr.sh',
-        },
-    },
-}
-
-svc_systemd = {
-    'scanbd': {
-        'needs': {
-            'file:/etc/scanbd/scanbd.conf',
-            'pkg_apt:scanbd',
-        },
-    },
-}

bundles/scansnap/metadata.py

@@ -1,22 +0,0 @@
-defaults = {
-    'apt': {
-        'packages': {
-            'sane-utils': {},
-            'scanbd': {},
-            'imagemagick': {},
-            'ocrmypdf': {},
-            'tesseract-ocr-deu': {},
-        },
-    },
-    'backups': {
-        'paths': {
-            '/srv/scansnap',
-        },
-    },
-    'cron': {
-        'jobs': {
-            # Automatically remove files which are older than 14 days
-            'scansnap_cleanup': '00 00 * * *    root    /usr/bin/find /srv/scansnap/ -mindepth 1 -mtime +14 -delete',
-        },
-    },
-}

bundles/sdm630_mqtt/files/sdm630_printout.service

@@ -0,0 +1,21 @@
+[Unit]
+Description=SDM630 stats printout
+Conflicts=getty@tty1.service
+After=systemd-user-sessions.service getty@tty1.service plymouth-quit.service
+
+[Service]
+User=sdm630_mqtt
+Group=sdm630_mqtt
+ExecStart=/opt/sdm630_mqtt/venv/bin/python printout.py /opt/sdm630_mqtt/config.toml
+WorkingDirectory=/opt/sdm630_mqtt/src
+Restart=always
+RestartSec=10
+StandardInput=tty
+StandardOutput=tty
+StandardError=journal
+TTYPath=/dev/tty1
+TTYReset=yes
+TTYVHangup=yes
+
+[Install]
+WantedBy=multi-user.target

bundles/sdm630_mqtt/files/sdm630_to_mqtt.service

@@ -0,0 +1,14 @@
+[Unit]
+Description=SDM630-to-MQTT bridge
+After=network.target
+
+[Service]
+User=sdm630_mqtt
+Group=sdm630_mqtt
+ExecStart=/opt/sdm630_mqtt/venv/bin/python sdm630_mqtt.py /opt/sdm630_mqtt/config.toml
+WorkingDirectory=/opt/sdm630_mqtt/src
+Restart=always
+RestartSec=1
+
+[Install]
+WantedBy=multi-user.target

bundles/sdm630_mqtt/items.py

@@ -0,0 +1,76 @@
+directories['/opt/sdm630_mqtt/src'] = {}
+
+git_deploy['/opt/sdm630_mqtt/src'] = {
+    'repo': 'https://git.franzi.business/kunsi/sdm630_mqtt.git',
+    'rev': 'main',
+    'triggers': {
+        'action:sdm630_mqtt_install_deps',
+    },
+}
+
+actions['sdm630_mqtt_create_virtualenv'] = {
+    'command': 'python3 -m virtualenv /opt/sdm630_mqtt/venv',
+    'unless': 'test -x /opt/sdm630_mqtt/venv/bin/python3',
+    'needs': {
+        'directory:/opt/sdm630_mqtt/src',
+    },
+}
+
+actions['sdm630_mqtt_install_deps'] = {
+    'command': 'cd /opt/sdm630_mqtt/src && /opt/sdm630_mqtt/venv/bin/pip install -r requirements.txt',
+    'triggered': True,
+    'needs': {
+        'action:sdm630_mqtt_create_virtualenv',
+    },
+}
+
+users['sdm630_mqtt'] = {
+    'home': '/opt/sdm630_mqtt',
+}
+
+files['/opt/sdm630_mqtt/config.toml'] = {
+    'content': repo.libs.faults.dict_as_toml(node.metadata.get('sdm630_mqtt/config')),
+    'triggers': set(),
+}
+
+if node.has_bundle('telegraf'):
+    files['/opt/sdm630_mqtt/config.toml']['triggers'].add('svc_systemd:telegraf:restart')
+    git_deploy['/opt/sdm630_mqtt/src']['triggers'].add('svc_systemd:telegraf:restart')
+
+if node.metadata.get('sdm630_mqtt/enable_stats_collection', True):
+    files['/usr/local/lib/systemd/system/sdm630_to_mqtt.service'] = {
+        'triggers': {
+            'action:systemd-reload',
+            'svc_systemd:sdm630_to_mqtt:restart',
+        },
+    }
+
+    svc_systemd['sdm630_to_mqtt'] = {
+        'needs': {
+            'git_deploy:/opt/sdm630_mqtt/src',
+            'action:sdm630_mqtt_install_deps',
+            'file:/usr/local/lib/systemd/system/sdm630_to_mqtt.service',
+        },
+    }
+
+    files['/opt/sdm630_mqtt/config.toml']['triggers'].add('svc_systemd:sdm630_to_mqtt:restart')
+    git_deploy['/opt/sdm630_mqtt/src']['triggers'].add('svc_systemd:sdm630_to_mqtt:restart')
+
+if node.metadata.get('sdm630_mqtt/enable_local_printout', False):
+    files['/usr/local/lib/systemd/system/sdm630_printout.service'] = {
+        'triggers': {
+            'action:systemd-reload',
+            'svc_systemd:sdm630_printout:restart',
+        },
+    }
+
+    svc_systemd['sdm630_printout'] = {
+        'needs': {
+            'git_deploy:/opt/sdm630_mqtt/src',
+            'action:sdm630_mqtt_install_deps',
+            'file:/usr/local/lib/systemd/system/sdm630_printout.service',
+        },
+    }
+
+    files['/opt/sdm630_mqtt/config.toml']['triggers'].add('svc_systemd:sdm630_printout:restart')
+    git_deploy['/opt/sdm630_mqtt/src']['triggers'].add('svc_systemd:sdm630_printout:restart')

bundles/sdm630_mqtt/metadata.py

@@ -0,0 +1,38 @@
+defaults = {
+    'sdm630_mqtt': {
+        'config': {
+            'modbus': {
+                'host': '127.0.0.1',
+                'port': 501,
+                'unit_id': 1,
+            },
+            'mqtt': {
+                'prefix': 'sdm630',
+                'host': '127.0.0.1',
+                'port': 1883,
+            },
+            'printout': {
+                'title': 'SDM630',
+            },
+            'telegraf': {
+                'identifier': 'unknown',
+            },
+        },
+    },
+    'telegraf': {
+        'input_plugins': {
+            'execd': {
+                'sdm630_mqtt': {
+                    'command': [
+                        '/opt/sdm630_mqtt/venv/bin/python',
+                        '/opt/sdm630_mqtt/src/telegraf.py',
+                        '/opt/sdm630_mqtt/config.toml',
+                    ],
+                    'signal': 'none',
+                    'restart_delay': '1s',
+                    'data_format': 'influx',
+                },
+            },
+        },
+    },
+}

bundles/sshmon/files/check_cpu_stats

@@ -4,27 +4,30 @@ from re import findall
 from subprocess import check_output
 from sys import exit
 
+ITERATIONS = 10
+
 try:
     top_output = None
 
-    for line in check_output(['top', '-b', '-n1', '-d1']).decode('UTF-8').splitlines():
-        if line.lower().strip().startswith('%cpu'):
-            top_output = line.lower().split(':', 2)[1]
-            break
-
-    if not top_output:
-        print('%cpu not found in top output')
-        exit(3)
+    top_output = check_output(rf"top -b -n{ITERATIONS} -d1 | grep -i '^%cpu'", shell=True).decode('UTF-8')
 
     cpu_usage = {}
-    for value, identifier in findall('([0-9\.\,]{3,5}) ([a-z]{2})', top_output):
-        cpu_usage[identifier] = float(value.replace(',', '.'))
+    for value, identifier in findall(r'([0-9\.\,]{3,5}) ([a-z]{2})', top_output):
+        if identifier not in cpu_usage:
+            cpu_usage[identifier] = 0.0
+        cpu_usage[identifier] += float(value.replace(',', '.'))
+
+    output = []
+    for identifier, value_added in cpu_usage.items():
+        value = value_added / ITERATIONS
+        output.append(f"{value:.2f} {identifier}")
+        cpu_usage[identifier] = value
+
+    print(f"Average over {ITERATIONS} seconds: " + ", ".join(output))
 
     warn = set()
     crit = set()
 
-    print(top_output)
-
     # steal
     if cpu_usage['st'] > 10:
         crit.add('CPU steal is {}% (>10%)'.format(cpu_usage['st']))

bundles/sshmon/files/check_https_certificate_at_url

@@ -19,7 +19,10 @@ crit_days=30
 case "$issuer_hash" in
     # 4f06f81d: issuer=C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
     # 8d33f237: issuer=C = US, O = Let's Encrypt, CN = R3
-    4f06f81d|8d33f237)
+    # 462422cf: issuer=C = US, O = Let's Encrypt, CN = E5
+    # 9aad238c: issuer=C = US, O = Let's Encrypt, CN = E6
+    # 31dfb39d: issuer=C = US, O = Let's Encrypt, CN = R11
+    4f06f81d|8d33f237|462422cf|9aad238c|31dfb39d)
         warn_days=10
         crit_days=3
         ;;

bundles/sshmon/metadata.py

@@ -19,6 +19,8 @@ defaults = {
             'services': {
                 'CPU': {
                     'command_on_monitored_host': '/usr/local/share/icinga/plugins/check_cpu_stats',
+                    # takes samples over 10 seconds
+                    'vars.sshmon_timeout': 20
                 },
                 'LOAD': {
                     'command_on_monitored_host': '/usr/lib/nagios/plugins/check_load -r -w 4,2,1 -c 8,4,2',

bundles/systemd-networkd/files/template-bridge.network

@@ -3,3 +3,6 @@ Name=${' '.join(sorted(match))}
 
 [Network]
 Bridge=${bridge}
+
+[Link]
+ActivationPolicy=always-up

bundles/systemd-networkd/metadata.py

@@ -4,6 +4,9 @@ defaults = {
             'isc-dhcp-client': {
                 'installed': False,
             },
+            'network-manager': {
+                'installed': False,
+            },
             'resolvconf': {
                 'installed': False,
             },

bundles/telegraf/items.py

@@ -11,7 +11,19 @@ telegraf_config = {
         'quiet': False,
         'round_interval': False,
     },
-    'inputs': {
+    'outputs': {
+        'influxdb_v2': [{
+            'urls': [node.metadata.get('telegraf/influxdb_url', repo.libs.defaults.influxdb_url)],
+            'token': node.metadata.get('telegraf/influxdb_token', repo.vault.decrypt(repo.libs.defaults.influxdb_token)),
+            'organization': node.metadata.get('telegraf/influxdb_org', repo.vault.decrypt(repo.libs.defaults.influxdb_org)),
+            'bucket': node.metadata.get('telegraf/influxdb_bucket', repo.vault.decrypt(repo.libs.defaults.influxdb_bucket)),
+        }],
+    },
+    'inputs': {},
+}
+
+if node.metadata.get('telegraf/collect_default_metrics', True):
+    telegraf_config['inputs'] = {
         'cpu': [{
             'percpu': False,
             'totalcpu': True,
@@ -43,18 +55,10 @@ telegraf_config = {
         'nstat': [{}],
         'processes': [{}],
         'system': [{}],
-        **node.metadata.get('telegraf/input_plugins/builtin', {}),
-    },
-    'outputs': {
-        'influxdb_v2': [{
-            'urls': [node.metadata.get('telegraf/influxdb_url', repo.libs.defaults.influxdb_url)],
-            'token': node.metadata.get('telegraf/influxdb_token', repo.vault.decrypt(repo.libs.defaults.influxdb_token)),
-            'organization': node.metadata.get('telegraf/influxdb_org', repo.vault.decrypt(repo.libs.defaults.influxdb_org)),
-            'bucket': node.metadata.get('telegraf/influxdb_bucket', repo.vault.decrypt(repo.libs.defaults.influxdb_bucket)),
-        }],
-    },
     }
 
+telegraf_config['inputs'].update(node.metadata.get('telegraf/input_plugins/builtin', {}))
+
 # Bundlewrap can't merge lists. To work around this, telegraf/input_plugins/exec(d)
 # is a dict, of which we only use the value of it. This also allows us
 # to overwrite values set by metadata defaults/reactors in node and group

bundles/zfs/metadata.py

@@ -170,7 +170,7 @@ def scrub_timer(metadata):
         'systemd-timers': {
             'timers': {
                 'zfs-scrub': {
-                    'when': 'Sun 02:00:00 UTC',
+                    'when': metadata.get('zfs/scrub_when', 'Sun 02:00:00 UTC'),
                     'command': scrubs,
                 },
             },

configs/as3320.txt

@@ -1,5 +1,7 @@
 109.237.176.0/20
+109.72.116.0/24
 116.50.16.0/21
+128.65.164.0/22
 129.181.208.0/21
 129.181.216.0/22
 137.170.112.0/24
@@ -15,13 +17,12 @@
 139.12.4.0/24
 141.169.240.0/20
 141.77.0.0/16
-141.98.44.0/24
 143.99.213.0/24
 145.225.16.0/23
 146.247.58.0/24
-147.136.84.0/22
 147.161.22.0/24
 147.78.17.0/24
+147.79.8.0/21
 149.208.250.0/23
 149.208.252.0/24
 149.208.253.0/24
@@ -34,6 +35,7 @@
 149.249.244.0/22
 149.249.244.0/23
 149.249.246.0/23
+153.17.244.8/29
 153.17.249.0/24
 153.17.250.0/24
 153.17.251.0/24
@@ -46,7 +48,11 @@
 153.97.32.0/24
 158.116.231.0/24
 160.211.126.0/24
-163.5.168.0/24
+163.5.156.0/24
+163.5.170.0/24
+163.5.186.0/24
+163.5.220.0/24
+163.5.66.0/24
 164.133.10.0/24
 164.133.11.0/24
 164.133.150.0/24
@@ -60,11 +66,9 @@
 168.199.192.0/22
 168.199.212.0/22
 170.237.92.0/23
-171.25.178.0/24
-176.221.24.0/24
-176.221.25.0/24
 176.53.136.0/24
 176.53.137.0/24
+176.57.59.0/24
 185.100.160.0/22
 185.101.244.0/23
 185.101.246.0/23
@@ -76,45 +80,38 @@
 185.131.239.0/24
 185.133.12.0/22
 185.136.115.0/24
-185.149.25.0/24
-185.149.26.0/24
-185.149.27.0/24
 185.149.52.0/24
 185.157.101.0/24
 185.161.176.0/22
-185.162.72.0/23
 185.163.76.0/24
 185.163.77.0/24
 185.163.78.0/24
 185.163.79.0/24
-185.172.38.0/24
-185.172.39.0/24
 185.180.224.0/24
 185.183.212.0/23
 185.183.214.0/23
 185.188.64.0/24
+185.195.239.0/24
 185.198.13.0/24
 185.202.32.0/21
-185.203.148.0/22
 185.207.46.0/24
-185.235.71.0/24
+185.21.247.0/24
 185.237.0.0/24
 185.237.1.0/24
 185.237.2.0/24
-185.240.85.0/24
 185.242.224.0/24
 185.243.44.0/22
 185.243.44.0/24
 185.243.45.0/24
 185.243.46.0/24
 185.243.47.0/24
-185.250.42.0/23
 185.28.208.0/22
 185.39.12.0/22
 185.48.0.0/22
+185.57.231.0/24
 185.57.24.0/24
 185.82.160.0/23
-185.91.204.0/22
+188.214.139.0/24
 192.109.121.0/24
 192.109.122.0/24
 192.109.124.0/24
@@ -176,7 +173,6 @@
 193.110.102.0/23
 193.110.102.0/24
 193.110.103.0/24
-193.124.35.0/24
 193.138.91.0/24
 193.141.143.0/24
 193.141.180.0/23
@@ -243,7 +239,6 @@
 193.41.10.0/23
 193.47.164.0/24
 193.53.93.0/24
-193.56.21.0/24
 193.58.253.0/24
 193.84.136.0/22
 193.96.230.0/24
@@ -253,6 +248,7 @@
 193.98.224.0/24
 193.99.96.0/20
 194.0.151.0/24
+194.0.232.0/24
 194.110.133.0/24
 194.113.160.0/22
 194.113.20.0/23
@@ -295,6 +291,13 @@
 194.15.64.0/21
 194.15.72.0/22
 194.150.228.0/23
+194.152.128.0/24
+194.152.129.0/24
+194.152.132.0/24
+194.152.141.0/24
+194.152.142.0/24
+194.152.154.0/24
+194.152.155.0/24
 194.153.86.0/24
 194.156.128.0/22
 194.156.148.0/24
@@ -337,26 +340,20 @@
 194.39.63.0/24
 194.39.88.0/21
 194.39.97.0/24
-194.45.144.0/21
-194.49.110.0/24
 194.49.117.0/24
 194.49.118.0/23
 194.49.125.0/24
 194.49.48.0/24
 194.49.54.0/24
-194.49.72.0/24
 194.49.73.0/24
 194.49.74.0/23
 194.49.85.0/24
-194.55.158.0/24
 194.55.180.0/24
 194.55.183.0/24
 194.55.192.0/19
 194.55.63.0/24
 194.55.64.0/20
 194.55.87.0/24
-194.58.40.0/24
-194.58.56.0/23
 194.59.143.0/24
 194.59.150.0/24
 194.59.151.0/24
@@ -382,34 +379,22 @@
 194.76.52.0/24
 194.77.41.0/24
 194.77.42.0/24
-194.85.248.0/24
-194.85.251.0/24
-194.87.10.0/24
-194.87.17.0/24
-194.87.255.0/24
-194.87.77.0/24
-194.88.112.0/20
 194.88.16.0/21
 194.88.24.0/23
 194.88.26.0/24
 194.88.28.0/23
-194.88.96.0/21
 194.99.118.0/24
 194.99.34.0/24
 194.99.76.0/23
 194.99.83.0/24
 194.99.92.0/22
-195.133.20.0/24
-195.133.64.0/22
 195.133.7.0/24
-195.133.76.0/24
 195.137.216.0/23
 195.138.223.0/24
 195.144.15.0/24
 195.145.0.0/16
 195.149.79.0/24
 195.160.248.0/22
-195.178.132.0/22
 195.190.2.0/24
 195.192.254.0/24
 195.200.207.0/24
@@ -436,12 +421,14 @@
 198.40.90.0/24
 198.57.10.0/24
 2.160.0.0/12
+2.58.100.0/24
 2.58.102.0/24
+204.52.120.0/24
+204.52.121.0/24
 204.69.32.0/24
 205.142.63.0/24
 212.184.0.0/15
 212.185.0.0/16
-212.87.217.0/24
 213.145.90.0/23
 213.145.92.0/23
 213.173.0.0/19
@@ -450,6 +437,7 @@
 213.209.156.0/24
 217.0.0.0/13
 217.117.96.0/24
+217.198.189.0/24
 217.224.0.0/11
 217.24.32.0/20
 217.24.33.0/24
@@ -459,35 +447,21 @@
 31.224.0.0/11
 31.6.56.0/23
 37.143.0.0/22
-37.230.56.0/24
-37.230.57.0/24
-37.230.58.0/23
-37.230.60.0/24
-37.230.63.0/24
 37.46.11.0/24
 37.50.0.0/15
 37.80.0.0/12
-45.128.14.0/23
-45.132.217.0/24
 45.132.80.0/22
-45.140.208.0/24
-45.141.130.0/24
-45.142.236.0/24
-45.145.241.0/24
-45.145.243.0/24
+45.141.54.0/24
+45.145.16.0/24
 45.147.227.0/24
+45.155.77.0/24
 45.81.255.0/24
 45.83.136.0/22
-45.84.214.0/24
 45.93.186.0/23
-46.20.216.0/21
 46.250.224.0/21
 46.250.232.0/21
 46.78.0.0/15
 46.80.0.0/12
-5.10.208.0/24
-5.10.209.0/24
-5.10.220.0/24
 5.133.112.0/24
 5.249.188.0/22
 5.35.192.0/21
@@ -503,14 +477,11 @@
 64.137.119.0/24
 64.137.125.0/24
 64.137.127.0/24
-77.242.149.0/24
 77.47.152.0/22
 77.83.136.0/23
 77.83.138.0/23
-77.83.32.0/22
 77.90.156.0/24
 77.90.184.0/24
-79.139.52.0/22
 79.192.0.0/10
 80.128.0.0/11
 80.128.0.0/12
@@ -522,38 +493,47 @@
 80.157.8.0/21
 80.187.0.0/16
 80.187.160.0/20
+80.244.13.0/24
 80.64.240.0/22
 80.71.231.0/24
 80.71.233.0/24
 80.71.235.0/24
 80.71.236.0/24
 80.71.238.0/24
+80.83.80.0/21
 81.201.32.0/20
-81.30.96.0/20
-82.152.178.0/24
+81.31.210.0/23
+82.163.104.0/21
 82.163.60.0/22
 82.206.32.0/21
 82.206.40.0/21
+82.206.48.0/21
 82.215.70.0/24
-83.136.208.0/22
-83.147.36.0/22
 83.243.48.0/21
 84.128.0.0/10
-84.234.16.0/20
 84.246.108.0/24
 84.32.108.0/22
 84.32.48.0/22
+84.55.0.0/24
+84.55.1.0/24
+84.55.2.0/24
+84.55.3.0/24
+84.55.4.0/24
+84.55.5.0/24
+84.55.6.0/24
+84.55.7.0/24
 85.116.28.0/24
 85.116.29.0/24
 85.116.30.0/24
 85.116.31.0/24
 85.119.160.0/23
-85.204.160.0/22
+85.204.181.0/24
 85.208.248.0/24
 85.208.249.0/24
 85.208.250.0/24
 85.208.251.0/24
-85.237.76.0/22
+86.105.211.0/24
+86.107.164.0/24
 86.38.248.0/21
 86.38.37.0/24
 87.128.0.0/10
@@ -564,10 +544,40 @@
 88.216.60.0/22
 89.116.64.0/22
 89.213.186.0/23
-89.35.127.0/24
+89.39.97.0/24
 89.43.34.0/24
 91.0.0.0/10
 91.103.240.0/21
+91.124.135.0/24
+91.124.19.0/24
+91.124.20.0/24
+91.124.21.0/24
+91.124.22.0/24
+91.124.23.0/24
+91.124.24.0/24
+91.124.26.0/24
+91.124.27.0/24
+91.124.28.0/24
+91.124.31.0/24
+91.124.32.0/24
+91.124.33.0/24
+91.124.34.0/24
+91.124.36.0/24
+91.124.37.0/24
+91.124.38.0/24
+91.124.39.0/24
+91.124.40.0/24
+91.124.41.0/24
+91.124.42.0/24
+91.124.43.0/24
+91.124.44.0/24
+91.124.45.0/24
+91.124.46.0/24
+91.124.47.0/24
+91.124.50.0/24
+91.124.51.0/24
+91.124.6.0/24
+91.124.7.0/24
 91.189.192.0/21
 91.194.232.0/23
 91.198.113.0/24
@@ -592,19 +602,40 @@
 91.216.242.0/24
 91.216.45.0/24
 91.217.214.0/24
+91.221.12.0/23
 91.222.232.0/22
 91.227.98.0/23
-91.232.136.0/22
 91.232.54.0/24
+92.112.128.0/24
+92.112.155.0/24
+92.112.157.0/24
+92.112.16.0/22
+92.112.160.0/24
+92.112.162.0/24
+92.112.165.0/24
+92.112.167.0/24
+92.112.20.0/22
+92.112.48.0/24
+92.112.49.0/24
+92.112.52.0/24
+92.112.54.0/24
+92.112.59.0/24
+92.112.63.0/24
+92.112.64.0/24
+92.112.67.0/24
+92.112.79.0/24
+92.112.81.0/24
+92.112.83.0/24
+92.112.94.0/24
 92.114.44.0/22
 92.119.164.0/22
 92.119.208.0/24
 92.119.209.0/24
 92.119.210.0/24
 92.119.211.0/24
-93.119.184.0/21
+93.113.70.0/24
+93.119.201.0/24
 93.192.0.0/10
-93.95.119.0/24
 94.126.98.0/24
 94.26.110.0/23
 94.26.64.0/23
@@ -620,7 +651,6 @@
 2001:678:b38::/48
 2001:678:bdc::/48
 2001:678:d4c::/48
-2001:678:e9c::/48
 2001:678:ff0::/48
 2001:67c:11a4::/48
 2001:67c:14c4::/48
@@ -641,6 +671,7 @@
 2001:67c:b80::/48
 2001:67c:c84::/48
 2001:67c:c9c::/48
+2001:67c:ec0::/48
 2003:3c0::/28
 2003:3e0::/28
 2003:8:1800::/48
@@ -663,6 +694,8 @@
 2003::/19
 2003::/20
 2003::/23
+2a00:5c60:3::/48
+2a00:5c60:a::/48
 2a00:6680::/46
 2a01:598::/29
 2a01:8fa0::/32
@@ -694,8 +727,11 @@
 2a0d:480::/29
 2a0d:480::/30
 2a0d:484::/30
+2a0e:cbc4::/32
+2a0e:cbc5::/32
+2a0e:cbc6::/32
+2a0e:cbc7::/32
 2a0e:eb40::/32
-2a0f:15c0::/32
 2a10:cd80::/29
 2a11:7400:d1::/48
 2a12:6900:1000::/40

configs/as8881.txt

@@ -1,19 +1,13 @@
 104.151.0.0/17
 109.250.0.0/16
-109.250.0.0/20
+109.250.0.0/18
 109.250.128.0/19
-109.250.16.0/20
 109.250.160.0/19
 109.250.192.0/19
 109.250.224.0/19
-109.250.32.0/19
-109.250.64.0/19
-109.250.80.0/22
-109.250.84.0/22
-109.250.88.0/22
-109.250.92.0/22
-109.250.96.0/19
+109.250.64.0/18
 134.101.0.0/21
+14.102.90.0/24
 143.58.64.0/18
 149.233.32.0/19
 153.94.0.0/20
@@ -35,6 +29,7 @@
 185.151.201.0/24
 185.151.203.0/24
 185.158.48.0/22
+185.187.122.0/24
 185.199.205.0/24
 185.235.232.0/22
 185.8.230.0/23
@@ -45,13 +40,13 @@
 192.166.84.0/22
 192.166.87.0/24
 192.166.88.0/21
+192.189.14.0/24
 193.101.4.0/23
-193.101.5.0/24
+193.102.10.0/24
 193.111.212.0/22
 193.111.212.0/24
 193.163.13.0/24
-193.163.13.0/25
-193.163.13.128/25
+193.17.225.0/24
 193.219.15.0/24
 193.22.120.0/21
 193.22.120.0/24
@@ -92,7 +87,7 @@
 194.127.144.0/21
 194.127.203.0/24
 194.139.55.0/24
-194.145.230.0/24
+194.145.218.0/23
 194.156.216.0/21
 194.156.232.0/23
 194.156.233.0/24
@@ -115,24 +110,23 @@
 194.99.0.0/21
 195.149.80.0/23
 195.167.208.0/20
-195.191.20.0/23
 195.202.32.0/19
 195.226.160.0/19
 195.226.96.0/19
 195.234.139.0/24
 195.238.233.0/24
-195.244.10.0/23
+195.238.238.0/24
 195.64.176.0/23
 195.93.158.0/23
 202.71.128.0/20
+202.71.141.0/24
 212.204.0.0/19
 212.7.128.0/19
 212.8.0.0/19
 212.80.224.0/19
-212.80.224.0/20
-212.80.240.0/20
 212.93.0.0/19
 213.138.32.0/19
+213.138.35.0/24
 213.139.128.0/19
 213.182.128.0/19
 213.30.192.0/18
@@ -149,307 +143,155 @@
 45.13.15.0/24
 46.142.0.0/16
 46.142.0.0/19
-46.142.112.0/20
 46.142.128.0/19
 46.142.160.0/19
-46.142.194.0/24
 46.142.214.0/24
 46.142.224.0/19
-46.142.32.0/20
-46.142.48.0/20
+46.142.32.0/19
 46.142.64.0/19
+46.142.96.0/19
 46.142.96.0/20
 46.189.0.0/17
-46.189.116.0/24
 61.8.128.0/19
+61.8.128.0/22
+61.8.132.0/22
+61.8.136.0/22
+61.8.144.0/22
+61.8.152.0/22
+61.8.156.0/24
+61.8.157.0/24
 62.214.0.0/16
-62.214.213.0/24
 62.214.224.0/19
 62.217.32.0/19
 62.220.0.0/19
 62.68.82.0/24
 62.72.64.0/19
-62.72.88.0/22
-62.72.92.0/23
-62.72.94.0/24
+62.72.70.0/24
 77.74.136.0/21
 77.87.190.0/24
+80.241.192.0/20
 80.242.160.0/19
 82.119.160.0/19
 82.140.0.0/18
-82.140.2.0/23
-82.140.2.0/24
-82.140.3.0/24
-82.140.48.0/21
+82.140.48.0/20
 82.144.32.0/19
-82.144.34.0/24
-82.144.35.0/24
-82.144.36.0/24
-82.144.37.0/24
 82.145.0.0/19
 82.194.96.0/19
 82.207.128.0/17
 82.207.192.0/19
-82.207.224.0/21
-82.207.232.0/22
-82.207.236.0/24
-82.207.240.0/20
-82.207.244.0/24
-82.207.245.0/24
-82.207.246.0/24
-82.207.247.0/24
-82.207.248.0/24
-82.207.249.0/24
-82.207.250.0/24
-82.207.251.0/24
-82.207.252.0/24
-82.207.253.0/24
-82.207.254.0/24
-82.207.255.0/24
 83.135.0.0/16
-83.135.0.0/22
+83.135.0.0/20
 83.135.112.0/20
 83.135.128.0/19
-83.135.16.0/22
 83.135.160.0/21
-83.135.164.0/22
 83.135.168.0/21
 83.135.176.0/22
-83.135.180.0/22
 83.135.184.0/21
 83.135.192.0/20
-83.135.20.0/24
 83.135.208.0/20
-83.135.21.0/24
-83.135.22.0/24
 83.135.224.0/22
-83.135.23.0/24
-83.135.230.0/23
 83.135.232.0/21
-83.135.24.0/24
 83.135.240.0/22
-83.135.244.0/24
-83.135.245.0/24
-83.135.248.0/24
-83.135.249.0/24
-83.135.25.0/24
-83.135.250.0/24
-83.135.251.0/24
-83.135.252.0/24
-83.135.253.0/24
-83.135.254.0/24
-83.135.255.0/24
-83.135.26.0/24
-83.135.27.0/24
-83.135.28.0/24
-83.135.29.0/24
-83.135.30.0/24
-83.135.31.0/24
-83.135.32.0/19
-83.135.4.0/22
 83.135.64.0/19
-83.135.8.0/21
 83.135.96.0/20
 84.19.192.0/19
-84.19.192.0/20
-84.19.208.0/20
 87.122.0.0/15
-87.122.0.0/16
 87.122.0.0/20
 87.122.128.0/21
-87.122.136.0/22
 87.122.144.0/20
 87.122.16.0/20
 87.122.160.0/20
 87.122.176.0/21
-87.122.184.0/24
-87.122.185.0/24
-87.122.186.0/24
-87.122.187.0/24
-87.122.188.0/24
-87.122.189.0/24
-87.122.190.0/24
-87.122.191.0/24
 87.122.192.0/19
 87.122.224.0/19
 87.122.32.0/19
 87.122.64.0/19
 87.122.96.0/19
-87.123.0.0/16
 87.123.0.0/19
-87.123.112.0/20
 87.123.128.0/19
 87.123.160.0/20
 87.123.176.0/20
-87.123.192.0/20
-87.123.208.0/22
+87.123.194.0/24
+87.123.196.0/24
+87.123.203.0/24
 87.123.216.0/21
 87.123.224.0/20
-87.123.240.0/22
-87.123.244.0/22
-87.123.248.0/22
-87.123.252.0/24
-87.123.253.0/24
-87.123.254.0/24
-87.123.255.0/24
+87.123.240.0/21
 87.123.32.0/19
 87.123.64.0/20
 87.123.80.0/20
 87.123.96.0/19
-87.123.96.0/20
 88.130.0.0/16
-88.130.0.0/19
-88.130.130.0/23
-88.130.132.0/22
 88.130.136.0/21
-88.130.144.0/21
-88.130.152.0/24
-88.130.153.0/24
-88.130.154.0/24
-88.130.155.0/24
-88.130.156.0/22
-88.130.156.0/24
-88.130.157.0/24
-88.130.158.0/24
-88.130.159.0/24
-88.130.160.0/21
-88.130.172.0/22
+88.130.144.0/20
 88.130.176.0/21
-88.130.180.0/24
-88.130.181.0/24
-88.130.182.0/24
-88.130.183.0/24
-88.130.184.0/24
-88.130.185.0/24
-88.130.186.0/24
-88.130.187.0/24
-88.130.188.0/24
-88.130.189.0/24
-88.130.190.0/24
-88.130.191.0/24
-88.130.192.0/21
-88.130.200.0/21
-88.130.208.0/21
+88.130.192.0/23
+88.130.194.0/23
 88.130.216.0/21
-88.130.216.0/22
-88.130.220.0/24
-88.130.221.0/24
-88.130.222.0/24
-88.130.223.0/24
-88.130.32.0/20
 88.130.48.0/24
 88.130.49.0/24
 88.130.50.0/24
-88.130.51.0/24
 88.130.52.0/24
 88.130.53.0/24
-88.130.54.0/24
-88.130.55.0/24
+88.130.54.0/23
 88.130.56.0/24
 88.130.57.0/24
 88.130.58.0/24
 88.130.59.0/24
-88.130.60.0/24
 88.130.61.0/24
-88.130.62.0/24
 88.130.63.0/24
 88.130.64.0/19
 88.130.96.0/19
+89.207.200.0/21
 89.244.0.0/14
-89.244.0.0/16
-89.244.112.0/21
 89.244.120.0/21
-89.244.120.0/22
-89.244.124.0/24
-89.244.126.0/24
-89.244.127.0/24
 89.244.160.0/21
-89.244.164.0/22
-89.244.168.0/21
 89.244.176.0/20
 89.244.192.0/19
 89.244.224.0/20
-89.244.240.0/20
-89.244.64.0/21
-89.244.72.0/22
+89.244.76.0/24
+89.244.78.0/23
 89.244.80.0/20
-89.244.96.0/20
-89.245.0.0/16
+89.244.96.0/22
 89.245.0.0/20
+89.245.112.0/20
+89.245.158.0/24
+89.245.159.0/24
 89.245.16.0/20
 89.245.160.0/20
 89.245.176.0/21
-89.245.184.0/24
-89.245.185.0/24
-89.245.186.0/24
-89.245.187.0/24
-89.245.188.0/24
-89.245.189.0/24
-89.245.190.0/24
-89.245.191.0/24
 89.245.192.0/19
 89.245.224.0/19
 89.245.32.0/19
-89.245.32.0/20
-89.245.64.0/20
-89.245.80.0/20
+89.245.64.0/19
 89.245.96.0/20
-89.246.0.0/16
 89.246.0.0/19
-89.246.104.0/23
-89.246.106.0/24
-89.246.107.0/24
-89.246.108.0/24
-89.246.109.0/24
-89.246.110.0/24
-89.246.111.0/24
 89.246.112.0/22
-89.246.116.0/22
-89.246.120.0/24
-89.246.121.0/24
 89.246.122.0/24
-89.246.123.0/24
 89.246.124.0/22
-89.246.160.0/20
 89.246.160.0/21
-89.246.176.0/22
-89.246.180.0/22
 89.246.184.0/21
 89.246.192.0/19
-89.246.32.0/20
-89.246.48.0/21
-89.246.56.0/21
+89.246.32.0/19
 89.246.96.0/21
-89.247.0.0/16
 89.247.0.0/19
 89.247.112.0/21
+89.247.112.0/22
 89.247.120.0/22
-89.247.124.0/24
-89.247.125.0/24
-89.247.126.0/24
-89.247.127.0/24
 89.247.144.0/20
 89.247.160.0/20
+89.247.179.0/24
 89.247.192.0/20
-89.247.208.0/21
 89.247.216.0/22
-89.247.224.0/21
+89.247.228.0/22
 89.247.232.0/21
-89.247.232.0/22
 89.247.236.0/22
-89.247.240.0/21
-89.247.240.0/22
-89.247.252.0/24
-89.247.253.0/24
-89.247.254.0/24
-89.247.255.0/24
+89.247.252.0/22
 89.247.32.0/19
 89.247.32.0/20
 89.247.64.0/20
 89.247.80.0/20
-89.247.96.0/20
 89.27.128.0/17
-89.27.153.0/24
 91.194.180.0/23
 91.198.67.0/24
 91.199.158.0/24
@@ -468,8 +310,7 @@
 92.116.120.0/21
 92.116.128.0/18
 92.116.16.0/20
-92.116.192.0/19
-92.116.224.0/19
+92.116.192.0/18
 92.116.32.0/19
 92.116.64.0/18
 92.116.96.0/19
@@ -483,67 +324,34 @@
 92.117.240.0/21
 92.117.248.0/21
 92.117.64.0/19
+92.117.96.0/19
 94.134.0.0/15
 94.134.0.0/18
-94.134.100.0/22
-94.134.112.0/21
-94.134.120.0/24
-94.134.121.0/24
-94.134.122.0/24
-94.134.123.0/24
-94.134.124.0/24
-94.134.125.0/24
-94.134.126.0/24
-94.134.127.0/24
-94.134.128.0/20
+94.134.112.0/22
 94.134.144.0/20
 94.134.160.0/21
 94.134.168.0/22
 94.134.172.0/22
-94.134.176.0/20
 94.134.176.0/21
-94.134.192.0/20
-94.134.208.0/21
+94.134.192.0/22
 94.134.216.0/21
-94.134.224.0/19
-94.134.64.0/20
+94.134.64.0/22
+94.134.68.0/22
 94.134.80.0/22
-94.134.84.0/24
-94.134.85.0/24
-94.134.86.0/24
-94.134.87.0/24
-94.134.88.0/24
-94.134.89.0/24
-94.134.90.0/24
-94.134.91.0/24
-94.134.92.0/24
-94.134.93.0/24
-94.134.94.0/24
-94.134.95.0/24
+94.134.88.0/22
+94.134.94.0/23
 94.134.96.0/20
-94.134.96.0/22
 2001:1438:1000::/36
+2001:1438:1:100::/56
+2001:1438:1:200::/56
+2001:1438:1:300::/56
+2001:1438:1:400::/56
+2001:1438:1:900::/56
+2001:1438:1:a00::/56
 2001:1438:2000::/36
 2001:1438:3000::/36
 2001:1438:4000::/36
 2001:1438::/32
-2001:1438:f000::/36
-2001:1438:fff:10::/64
-2001:1438:fff:11::/64
-2001:1438:fff:12::/64
-2001:1438:fff:3::/64
-2001:1438:fff:4::/64
-2001:1438:fff:5::/64
-2001:1438:fff:6::/64
-2001:1438:fff:7::/64
-2001:1438:fff:8::/64
-2001:1438:fff:9::/64
-2001:1438:fff:a::/64
-2001:1438:fff:b::/64
-2001:1438:fff:c::/64
-2001:1438:fff:d::/64
-2001:1438:fff:e::/64
-2001:1438:fff:f::/64
 2001:16b8:1000::/40
 2001:16b8:100::/40
 2001:16b8:1100::/40
@@ -593,12 +401,14 @@
 2001:16b8:a000::/35
 2001:16b8:a00::/40
 2001:16b8:b00::/40
+2001:16b8:c000::/35
 2001:678:c74::/48
 2001:67c:27ac::/48
 2001:67c:2878::/48
 2001:67c:2e8c::/48
 2001:67c:660::/48
 2001:67c:888::/48
+2001:67c:ed8::/48
 2001:7b0::/32
 2001:9e8:2000::/35
 2001:9e8:4000::/35
@@ -615,10 +425,11 @@
 2a00:fb8:4000::/35
 2a00:fb8:6000::/35
 2a00:fb8::/29
-2a00:fb8::/32
 2a00:fb8::/35
 2a03:3fc0:2000::/48
 2a07:9400::/29
 2a0a:ed40::/29
+2a0b:9e80:1000::/36
 2a0d:240::/29
 2a0d:ad00::/29
+2a11:d00::/32

configs/netbox/home.switch-rack.json

@@ -4,225 +4,225 @@
             "description": "home.router (enp1s0)",
             "enabled": true,
             "ips": [],
-            "mode": "TAGGED_ALL",
+            "mode": "tagged-all",
             "tagged_vlans": [],
-            "type": "A_1000BASE_T",
+            "type": "1000base-t",
             "untagged_vlan": null
         },
         "ether10": {
             "description": "home.mitel-rfp35 (LAN)",
             "enabled": true,
             "ips": [],
-            "mode": "ACCESS",
+            "mode": "access",
             "tagged_vlans": [],
-            "type": "A_1000BASE_T",
+            "type": "1000base-t",
             "untagged_vlan": "home.clients"
         },
         "ether11": {
             "description": "home.usv01 (LAN)",
             "enabled": true,
             "ips": [],
-            "mode": "ACCESS",
+            "mode": "access",
             "tagged_vlans": [],
-            "type": "A_1000BASE_T",
+            "type": "1000base-t",
             "untagged_vlan": "home.clients"
         },
         "ether12": {
-            "description": "home.rechenmonster (IPMI)",
+            "description": "",
             "enabled": true,
             "ips": [],
-            "mode": "ACCESS",
+            "mode": "access",
             "tagged_vlans": [],
-            "type": "A_1000BASE_T",
+            "type": "1000base-t",
             "untagged_vlan": "home.clients"
         },
         "ether13": {
             "description": "",
             "enabled": true,
             "ips": [],
-            "mode": "ACCESS",
+            "mode": "access",
             "tagged_vlans": [],
-            "type": "A_1000BASE_T",
+            "type": "1000base-t",
             "untagged_vlan": "home.clients"
         },
         "ether14": {
-            "description": "home.rechenmonster (LAN)",
+            "description": "",
             "enabled": true,
             "ips": [],
-            "mode": "ACCESS",
+            "mode": "access",
             "tagged_vlans": [],
-            "type": "A_1000BASE_T",
+            "type": "1000base-t",
             "untagged_vlan": "home.clients"
         },
         "ether15": {
             "description": "",
             "enabled": true,
             "ips": [],
-            "mode": "ACCESS",
+            "mode": "access",
             "tagged_vlans": [],
-            "type": "A_1000BASE_T",
+            "type": "1000base-t",
             "untagged_vlan": "home.clients"
         },
         "ether16": {
             "description": "",
             "enabled": true,
             "ips": [],
-            "mode": "ACCESS",
+            "mode": "access",
             "tagged_vlans": [],
-            "type": "A_1000BASE_T",
+            "type": "1000base-t",
             "untagged_vlan": "home.clients"
         },
         "ether17": {
             "description": "",
             "enabled": true,
             "ips": [],
-            "mode": "ACCESS",
+            "mode": "access",
             "tagged_vlans": [],
-            "type": "A_1000BASE_T",
+            "type": "1000base-t",
             "untagged_vlan": "home.clients"
         },
         "ether18": {
             "description": "",
             "enabled": true,
             "ips": [],
-            "mode": "ACCESS",
+            "mode": "access",
             "tagged_vlans": [],
-            "type": "A_1000BASE_T",
+            "type": "1000base-t",
             "untagged_vlan": "home.clients"
         },
         "ether19": {
             "description": "home.lgtv-wohnzimmer",
             "enabled": true,
             "ips": [],
-            "mode": "ACCESS",
+            "mode": "access",
             "tagged_vlans": [],
-            "type": "A_1000BASE_T",
+            "type": "1000base-t",
             "untagged_vlan": "home.clients"
         },
         "ether2": {
             "description": "Fritz!Box (LAN1)",
             "enabled": true,
             "ips": [],
-            "mode": "ACCESS",
+            "mode": "access",
             "tagged_vlans": [],
-            "type": "A_1000BASE_T",
+            "type": "1000base-t",
             "untagged_vlan": "home.wan"
         },
         "ether20": {
             "description": "Franzi Laptop",
             "enabled": true,
             "ips": [],
-            "mode": "ACCESS",
+            "mode": "access",
             "tagged_vlans": [],
-            "type": "A_1000BASE_T",
+            "type": "1000base-t",
             "untagged_vlan": "home.clients"
         },
         "ether21": {
-            "description": "Sophie Laptop",
+            "description": "",
             "enabled": true,
             "ips": [],
-            "mode": "ACCESS",
+            "mode": "access",
             "tagged_vlans": [],
-            "type": "A_1000BASE_T",
+            "type": "1000base-t",
             "untagged_vlan": "home.clients"
         },
         "ether22": {
-            "description": "Sophie Desktop",
+            "description": "Arbeitsplatz Regal",
             "enabled": true,
             "ips": [],
-            "mode": "ACCESS",
+            "mode": "access",
             "tagged_vlans": [],
-            "type": "A_1000BASE_T",
+            "type": "1000base-t",
             "untagged_vlan": "home.clients"
         },
         "ether23": {
             "description": "Wohnzimmer Kabel",
             "enabled": true,
             "ips": [],
-            "mode": "ACCESS",
+            "mode": "access",
             "tagged_vlans": [],
-            "type": "A_1000BASE_T",
+            "type": "1000base-t",
             "untagged_vlan": "home.clients"
         },
         "ether24": {
             "description": "home.snom-wohnzimmer",
             "enabled": true,
             "ips": [],
-            "mode": "ACCESS",
+            "mode": "access",
             "tagged_vlans": [],
-            "type": "A_1000BASE_T",
+            "type": "1000base-t",
             "untagged_vlan": "home.clients"
         },
         "ether3": {
             "description": "home.aruba325-schlafzimmer",
             "enabled": true,
             "ips": [],
-            "mode": "TAGGED",
+            "mode": "tagged",
             "tagged_vlans": [
                 "ffwi.client",
                 "home.v6only"
             ],
-            "type": "A_1000BASE_T",
+            "type": "1000base-t",
             "untagged_vlan": "home.clients"
         },
         "ether4": {
             "description": "home.aruba325-wohnzimmer",
             "enabled": true,
             "ips": [],
-            "mode": "TAGGED",
+            "mode": "tagged",
             "tagged_vlans": [
                 "ffwi.client",
                 "home.v6only"
             ],
-            "type": "A_1000BASE_T",
+            "type": "1000base-t",
             "untagged_vlan": "home.clients"
         },
         "ether5": {
             "description": "home.nas (eno1)",
             "enabled": true,
             "ips": [],
-            "mode": "TAGGED_ALL",
+            "mode": "tagged-all",
             "tagged_vlans": [],
-            "type": "A_1000BASE_T",
+            "type": "1000base-t",
             "untagged_vlan": null
         },
         "ether6": {
             "description": "home.aruba325-office",
             "enabled": true,
             "ips": [],
-            "mode": "TAGGED",
+            "mode": "tagged",
             "tagged_vlans": [
                 "ffwi.client",
                 "home.v6only"
             ],
-            "type": "A_1000BASE_T",
+            "type": "1000base-t",
             "untagged_vlan": "home.clients"
         },
         "ether7": {
             "description": "RIPE-Probe #28280 (LAN)",
             "enabled": true,
             "ips": [],
-            "mode": "ACCESS",
+            "mode": "access",
             "tagged_vlans": [],
-            "type": "A_1000BASE_T",
+            "type": "1000base-t",
             "untagged_vlan": "home.dmz"
         },
         "ether8": {
-            "description": "home.drucker-sophie",
+            "description": "home.drucker-franzi",
             "enabled": true,
             "ips": [],
-            "mode": "ACCESS",
+            "mode": "access",
             "tagged_vlans": [],
-            "type": "A_1000BASE_T",
+            "type": "1000base-t",
             "untagged_vlan": "home.clients"
         },
         "ether9": {
             "description": "info-beamer 12199 (LAN)",
             "enabled": true,
             "ips": [],
-            "mode": "ACCESS",
+            "mode": "access",
             "tagged_vlans": [],
-            "type": "A_1000BASE_T",
+            "type": "1000base-t",
             "untagged_vlan": "home.clients"
         },
         "home.clients": {
@@ -231,27 +231,27 @@
             "ips": [
                 "172.19.138.4/24"
             ],
-            "mode": null,
+            "mode": "",
             "tagged_vlans": [],
-            "type": "VIRTUAL",
+            "type": "virtual",
             "untagged_vlan": null
         },
         "sfp-sfpplus1": {
             "description": "",
             "enabled": true,
             "ips": [],
-            "mode": null,
+            "mode": "",
             "tagged_vlans": [],
-            "type": "A_10GBASE_X_SFPP",
+            "type": "10gbase-x-sfpp",
             "untagged_vlan": null
         },
         "sfp-sfpplus2": {
             "description": "",
             "enabled": true,
             "ips": [],
-            "mode": null,
+            "mode": "",
             "tagged_vlans": [],
-            "type": "A_10GBASE_X_SFPP",
+            "type": "10gbase-x-sfpp",
             "untagged_vlan": null
         }
     },

data/apt/files/gpg-keys/grafana.asc

@@ -1,4 +1,46 @@
 -----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: GnuPG v1
+
+mQENBFiHXVIBCADr3VDEAGpq9Sg/xrPVu1GGqWGXdbnTbbNKeveCtFHZz7/GSATW
+iwiY1skvlAOBiIKCqJEji0rZZgd8WxuhdfugiCBk1hDTMWCpjI0P+YymV77jHjYB
+jHrKNlhb+aLjEd9Gf2EtbKUT1fvGUkzlVrcRGSX/XR9MBZlgja7NIyuVbn3uwZQ4
+jflWSNSlvMpohNxTFkrBFTRrCJXhbDLfCS46+so22CP3+1VQyqJ7/6RWK9v9KYdS
+AVNgILXMggSrMqha4WA1a/ktczVQXNtP8IuPxTdp9pNYsklOTmrFVeq3mXsvWh9Q
+lIhpYHIZlTZ5wVBq4wTRchsXC5MubIhz+ASDABEBAAG0GkdyYWZhbmEgPGluZm9A
+Z3JhZmFuYS5jb20+iQE4BBMBAgAiBQJYh11SAhsDBgsJCAcDAgYVCAIJCgsEFgID
+AQIeAQIXgAAKCRCMjDTFJAmMthxJB/9Id6JrwqRkJW+eSBb71FGQmRsJvNFR8J+3
+NPVhJNkTFFOM7TnjAMUIv+LYEURqGcceTNAN1aHq/7n/8ybXucCS0CnDYyNYpyVs
+tWJ3FOQK3jPrmziDCWPQATqMM/Z2auXVFWrDFqfh2xKZNjuix0w2nyuWB8U0CG2U
+89w+ksPJblGGU5xLPPzDQoAqyZXY3gpGGTkCuohMq2RWYbp/QJSQagYhQkKZoJhr
+XJlnw4At6R1A5UUPzDw6WJqMRkGrkieE6ApIgf1vZSmnLRpXkqquRTAEyGT8Pugg
+ee6YkD19/LK6ED6gn32StY770U9ti560U7oRjrOPK/Kjp4+qBtkQuQENBFiHXVIB
+CACz4hO1g/4fKO9QWLcbSWpB75lbNgt1kHXP0UcW8TE0DIgqrifod09lC85adIz0
+zdhs+00lLqckM5wNbp2r+pd5rRaxOsMw2V+c/y1Pt3qZxupmPc5l5lL6jzbEVR9g
+ygPaE+iabTk9Np2OZQ7Qv5gIDzivqK2mRHXaHTzoQn2dA/3xpFcxnen9dvu7LCpA
+CdScSj9/UIRKk9PHIgr2RJhcjzLx0u1PxN9MEqfIsIJUUgZOoDsr8oCs44PGGIMm
+cK1CKALLLiC4ZM58B56jRyXo18MqB6VYsC1X9wkcIs72thL3tThXO70oDGcoXzoo
+ywAHBH63EzEyduInOhecDIKlABEBAAGJAR8EGAECAAkFAliHXVICGwwACgkQjIw0
+xSQJjLbWSwf/VIM5wEFBY4QLGUAfqfjDyfGXpcha58Y24Vv3n6MwJqnCIbTAaeWf
+30CZ/wHg3NNIMB7I31vgmMOEbHQdv0LPTi9TG205VQeehcpNtZRZQ0D8TIetbxyi
+Emmn9osig9U3/7jaAWBabE/9bGx4TF3eLlEH9wmFrNYeXvgRqmyqVoqhIMCNAAOY
+REYyHyy9mzr9ywkwl0aroBqhzKIPyFlatZy9oRKllY/CCKO9RJy4DZidLphuwzqU
+ymdQ1sqe5nKvwG5GvcncPc3O7LMevDBWnpNNkgERnVxCqpm90TuE3ONbirnU4+/S
+tUsVU1DERc1fjOCnAm4pKIlNYphISIE7OQ==
+=0pMC
+-----END PGP PUBLIC KEY BLOCK-----
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Comment: This is a revocation certificate
+
+iQE2BCABCgAgFiEETkDd9tduKEpKZ4DkjIw0xSQJjLYFAmO9q0cCHQIACgkQjIw0
+xSQJjLarJAf+JJU0CHTMSSs5WH6ohVy54HN+ev7p7vfcgvvFBAWZLTLrG5+eFUH0
+w0m9KegxAs+H/H/68ld1jY/P62fvkOR7WCWQ7HH+8ClKLwuWS4DpOHK9IOkHDK0w
+0pVJ6NBiwhv8/B7EmiBf9zndjMtYa/wf8JZYVOXb0XE0L+Ec0WZSRZH+/WGA1E1s
+MSgPwqDF7RKXDCJ65elYxi9CPZvXhj6RVldn/aRuHf5/SCDE/HmnDB9+v6ReEsWV
+r/Xis2J0pWphpF/xtYxGf+Iy5fAHwDd4z9uKs9mBHSR0aDisuAW/eHF6KvBzQ7y0
+Yf3KxEyDvLwuAA5NBi7Xsd2wSKdfBGUGcQ==
+=KTb+
+-----END PGP PUBLIC KEY BLOCK-----
+-----BEGIN PGP PUBLIC KEY BLOCK-----
 
 mQGNBGO4aiUBDAC82zo3vUyQH3yTCabQ7ZpospBg/xXBbJWbQNksIbEP/+I12CjB
 zac1QcMFd27MJlyXpsTqqSo1ZHOisNy0Tmyl/WlqMyoMeChg+LmIHLNbvAK0jPOX
@@ -39,3 +81,59 @@ Fj8eP2CocfRC+Lqv0azQwyEVMkYSMKoFbhXmjiBZn9JxblndKnVbByA1/nMAa0Q7
 HTJC50jDJfpM9d1xQW/W5LBSQjd3czM6zlRXsliX
 =lSMJ
 -----END PGP PUBLIC KEY BLOCK-----
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Comment: This is a revocation certificate
+
+iQG2BCABCAAgFiEEDiLriOOeEid6d2CunkObECzzwMYFAmO4amECHQAACgkQnkOb
+ECzzwMYiDQv/bbRnEhrFhr5XyA2vnu6nTZezbMwArC/ZwtFxtnj2iAwGZYY/pbPx
+L8cHTpvK99I6J02SBHpmzthwHSindddPjuuQENdqH/TDlGvPH/mECJVTN9/kpjlg
+HtO0MVKAKyXGbij7fR8prfPMRqOFbo4Rn9nQZZ/eY9KwkKVKxKHymppNbUbvv1qQ
+NGfOi2QWkF+T8dbihbJHJgYpPb7uEmJ2EOX0KHu9nlYGX4jxtql+M3yeOi3juaXH
+hLFWqVn3FkQW7N4IV+bVTkYcxQg01rWqY/h7BvL88AiMoiUXhOvE5iAS4sJe+EVB
+bDfRaLr1Ju1CXYm5B+Q9b2pU0SWAbBNlVxYGs+NOeBh9YzwdGTFW2l/S/VLLv0bE
+hBYuLwOIs0BqrL4TWwlB1ucEikg+r3O7OZL8Dnw0mnBVBmQxKhl1p8dLcYtylG3B
+aEIbN6wHQe03xYvAmaHDdG0kjPiwhOlpZ+YU3ux8F2YnENXm9J+25GMyTXqybKQl
+ltTE4hHgRH2v
+=n71X
+-----END PGP PUBLIC KEY BLOCK-----
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mQGNBGTnhmkBDADUE+SzjRRyitIm1siGxiHlIlnn6KO4C4GfEuV+PNzqxvwYO+1r
+mcKlGDU0ugo8ohXruAOC77Kwc4keVGNU89BeHvrYbIftz/yxEneuPsCbGnbDMIyC
+k44UOetRtV9/59Gj5YjNqnsZCr+e5D/JfrHUJTTwKLv88A9eHKxskrlZr7Un7j3i
+Ef3NChlOh2Zk9Wfk8IhAqMMTferU4iTIhQk+5fanShtXIuzBaxU3lkzFSG7VuAH4
+CBLPWitKRMn5oqXUE0FZbRYL/6Qz0Gt6YCJsZbaQ3Am7FCwWCp9+ZHbR9yU+bkK0
+Dts4PNx4Wr9CktHIvbypT4Lk2oJEPWjcCJQHqpPQZXbnclXRlK5Ea0NVpaQdGK+v
+JS4HGxFFjSkvTKAZYgwOk93qlpFeDML3TuSgWxuw4NIDitvewudnaWzfl9tDIoVS
+Bb16nwJ8bMDzovC/RBE14rRKYtMLmBsRzGYHWd0NnX+FitAS9uURHuFxghv9GFPh
+eTaXvc4glM94HBUAEQEAAbQmR3JhZmFuYSBMYWJzIDxlbmdpbmVlcmluZ0BncmFm
+YW5hLmNvbT6JAdQEEwEKAD4WIQS1Oud7rbYwpoMEYAWWP6J3EEWFRQUCZOeGaQIb
+AwUJA8JnAAULCQgHAgYVCgkICwIEFgIDAQIeAQIXgAAKCRCWP6J3EEWFRUiADACa
+i+xytv2keEFJWjXNnFAx6/obnHRcXOI3w6nH/zL8gNI7YN5jcdQT2NYvKVYTb3fW
+GuMsjHWgat5Gq3AtJrOKABpZ6qeYNPk0Axn/dKtOTwXjZ4pKX3bbUYvVfs0fCEZv
+B0HHIj2wI9kgMpoTrkj22LE8layZTPOoQ+3/FbLzS8hN3CYZj25mHN7bpZq8EbV3
+8FW9EU0HM0tg6CvoxkRiVqAuAC0KnVIZAdhD4dlYKuncq64nMvT1A5wxSYbnE+uf
+mnWQQhhS6BOwRqN054yw1FrWNDFsvnOSHmr8dIiriv+aZYvx5JQFJ7oZP3LwdYyg
+ocQcAJA8HFTIk3P6uJiIF/zdDzocgdKs+IYDoId0hxX7sGCvqdrsveq8n3m7uQiN
+7FvSiV0eXIdV4F7340kc8EKiYwpuYSaZX0UWKLenzlUvD+W4pZCWtoXzPsW7PKUt
+q1xdW0+NY+AGLCvSJCc5F4S5kFCObfBAYBbldjwwJFocdq/YOvvWYTPyV7kJeJS5
+AY0EZOeGaQEMALNIFUricEIwtZiX7vSDjwxobbqPKqzdek8x3ud0CyYlrbGHy0k+
+FDEXstjJQQ1s9rjJSu3sv5wyg9GDAUH3nzO976n/ZZvKPti3p2XU2UFx5gYkaaFV
+D56yYxqGY0YU5ft6BG+RUz3iEPg3UBUzt0sCIYnG9+CsDqGOnRYIIa46fu2/H9Vu
+8JvvSq9xbsK9CfoQDkIcoQOixPuI4P7eHtswCeYR/1LUTWEnYQWsBCf57cEpzR6t
+7mlQnzQo9z4i/kp4S0ybDB77wnn+isMADOS+/VpXO+M7Zj5tpfJ6PkKch3SGXdUy
+3zht8luFOYpJr2lVzp7n3NwB4zW08RptTzTgFAaW/NH2JjYI+rDvQm4jNs08Dtsp
+nm4OQvBA9Df/6qwMEOZ9i10ixqk+55UpQFJ3nf4uKlSUM7bKXXVcD/odq804Y/K4
+y3csE059YVIyaPexEvYSYlHE2odJWRg2Q1VehmrOSC8Qps3xpU7dTHXD74ZpaYbr
+haViRS5v/lCsiwARAQABiQG8BBgBCgAmFiEEtTrne622MKaDBGAFlj+idxBFhUUF
+AmTnhmkCGwwFCQPCZwAACgkQlj+idxBFhUUNbQv8DCcfi3GbWfvp9pfY0EJuoFJX
+LNgci7z7smXq7aqDp2huYQ+MulnPAydjRCVW2fkHItF2Ks6l+2/8t5Xz0eesGxST
+xTyR31ARENMXaq78Lq+itZ+usOSDNuwJcEmJM6CceNMLs4uFkX2GRYhchkry7P0C
+lkLxUTiB43ooi+CqILtlNxH7kM1O4Ncs6UGZMXf2IiG9s3JDCsYVPkC5QDMOPkTy
+2ZriF56uPerlJveF0dC61RZ6RlM3iSJ9Fwvea0Oy4rwkCcs5SHuwoDTFyxiyz0QC
+9iqi3fG3iSbLvY9UtJ6X+BtDqdXLAT9Pq527mukPP3LwpEqFVyNQKnGLdLOu2YXc
+TWWWseSQkHRzBmjD18KTD74mg4aXxEabyT4snrXpi5+UGLT4KXGV5syQO6Lc0OGw
+9O/0qAIU+YW7ojbKv8fr+NB31TGhGYWASjYlN1NvPotRAK6339O0/Rqr9xGgy3AY
+SR+ic2Y610IM7xccKuTVAW9UofKQwJZChqae9VVZ
+=J9CI
+-----END PGP PUBLIC KEY BLOCK-----

data/apt/files/gpg-keys/nodejs.asc

@@ -1,52 +1,29 @@
 -----BEGIN PGP PUBLIC KEY BLOCK-----
-Version: GnuPG v1
-Comment: GPGTools - https://gpgtools.org
 
-mQINBFObJLYBEADkFW8HMjsoYRJQ4nCYC/6Eh0yLWHWfCh+/9ZSIj4w/pOe2V6V+
-W6DHY3kK3a+2bxrax9EqKe7uxkSKf95gfns+I9+R+RJfRpb1qvljURr54y35IZgs
-fMG22Np+TmM2RLgdFCZa18h0+RbH9i0b+ZrB9XPZmLb/h9ou7SowGqQ3wwOtT3Vy
-qmif0A2GCcjFTqWW6TXaY8eZJ9BCEqW3k/0Cjw7K/mSy/utxYiUIvZNKgaG/P8U7
-89QyvxeRxAf93YFAVzMXhoKxu12IuH4VnSwAfb8gQyxKRyiGOUwk0YoBPpqRnMmD
-Dl7SdmY3oQHEJzBelTMjTM8AjbB9mWoPBX5G8t4u47/FZ6PgdfmRg9hsKXhkLJc7
-C1btblOHNgDx19fzASWX+xOjZiKpP6MkEEzq1bilUFul6RDtxkTWsTa5TGixgCB/
-G2fK8I9JL/yQhDc6OGY9mjPOxMb5PgUlT8ox3v8wt25erWj9z30QoEBwfSg4tzLc
-Jq6N/iepQemNfo6Is+TG+JzI6vhXjlsBm/Xmz0ZiFPPObAH/vGCY5I6886vXQ7ft
-qWHYHT8jz/R4tigMGC+tvZ/kcmYBsLCCI5uSEP6JJRQQhHrCvOX0UaytItfsQfLm
-EYRd2F72o1yGh3yvWWfDIBXRmaBuIGXGpajC0JyBGSOWb9UxMNZY/2LJEwARAQAB
-tB9Ob2RlU291cmNlIDxncGdAbm9kZXNvdXJjZS5jb20+iQI4BBMBAgAiBQJTmyS2
-AhsDBgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAKCRAWVaCraFdigHTmD/9OKhUy
-jJ+h8gMRg6ri5EQxOExccSRU0i7UHktecSs0DVC4lZG9AOzBe+Q36cym5Z1di6JQ
-kHl69q3zBdV3KTW+H1pdmnZlebYGz8paG9iQ/wS9gpnSeEyx0Enyi167Bzm0O4A1
-GK0prkLnz/yROHHEfHjsTgMvFwAnf9uaxwWgE1d1RitIWgJpAnp1DZ5O0uVlsPPm
-XAhuBJ32mU8S5BezPTuJJICwBlLYECGb1Y65Cil4OALU7T7sbUqfLCuaRKxuPtcU
-VnJ6/qiyPygvKZWhV6Od0Yxlyed1kftMJyYoL8kPHfeHJ+vIyt0s7cropfiwXoka
-1iJB5nKyt/eqMnPQ9aRpqkm9ABS/r7AauMA/9RALudQRHBdWIzfIg0Mlqb52yyTI
-IgQJHNGNX1T3z1XgZhI+Vi8SLFFSh8x9FeUZC6YJu0VXXj5iz+eZmk/nYjUt4Mtc
-pVsVYIB7oIDIbImODm8ggsgrIzqxOzQVP1zsCGek5U6QFc9GYrQ+Wv3/fG8hfkDn
-xXLww0OGaEQxfodm8cLFZ5b8JaG3+Yxfe7JkNclwvRimvlAjqIiW5OK0vvfHco+Y
-gANhQrlMnTx//IdZssaxvYytSHpPZTYw+qPEjbBJOLpoLrz8ZafN1uekpAqQjffI
-AOqW9SdIzq/kSHgl0bzWbPJPw86XzzftewjKNbkCDQRTmyS2ARAAxSSdQi+WpPQZ
-fOflkx9sYJa0cWzLl2w++FQnZ1Pn5F09D/kPMNh4qOsyvXWlekaV/SseDZtVziHJ
-Km6V8TBG3flmFlC3DWQfNNFwn5+pWSB8WHG4bTA5RyYEEYfpbekMtdoWW/Ro8Kmh
-41nuxZDSuBJhDeFIp0ccnN2Lp1o6XfIeDYPegyEPSSZqrudfqLrSZhStDlJgXjea
-JjW6UP6txPtYaaila9/Hn6vF87AQ5bR2dEWB/xRJzgNwRiax7KSU0xca6xAuf+TD
-xCjZ5pp2JwdCjquXLTmUnbIZ9LGV54UZ/MeiG8yVu6pxbiGnXo4Ekbk6xgi1ewLi
-vGmz4QRfVklV0dba3Zj0fRozfZ22qUHxCfDM7ad0eBXMFmHiN8hg3IUHTO+UdlX/
-aH3gADFAvSVDv0v8t6dGc6XE9Dr7mGEFnQMHO4zhM1HaS2Nh0TiL2tFLttLbfG5o
-QlxCfXX9/nasj3K9qnlEg9G3+4T7lpdPmZRRe1O8cHCI5imVg6cLIiBLPO16e0fK
-yHIgYswLdrJFfaHNYM/SWJxHpX795zn+iCwyvZSlLfH9mlegOeVmj9cyhN/VOmS3
-QRhlYXoA2z7WZTNoC6iAIlyIpMTcZr+ntaGVtFOLS6fwdBqDXjmSQu66mDKwU5Ek
-fNlbyrpzZMyFCDWEYo4AIR/18aGZBYUAEQEAAYkCHwQYAQIACQUCU5sktgIbDAAK
-CRAWVaCraFdigIPQEACcYh8rR19wMZZ/hgYv5so6Y1HcJNARuzmffQKozS/rxqec
-0xM3wceL1AIMuGhlXFeGd0wRv/RVzeZjnTGwhN1DnCDy1I66hUTgehONsfVanuP1
-PZKoL38EAxsMzdYgkYH6T9a4wJH/IPt+uuFTFFy3o8TKMvKaJk98+Jsp2X/QuNxh
-qpcIGaVbtQ1bn7m+k5Qe/fz+bFuUeXPivafLLlGc6KbdgMvSW9EVMO7yBy/2JE15
-ZJgl7lXKLQ31VQPAHT3an5IV2C/ie12eEqZWlnCiHV/wT+zhOkSpWdrheWfBT+ac
-hR4jDH80AS3F8jo3byQATJb3RoCYUCVc3u1ouhNZa5yLgYZ/iZkpk5gKjxHPudFb
-DdWjbGflN9k17VCf4Z9yAb9QMqHzHwIGXrb7ryFcuROMCLLVUp07PrTrRxnO9A/4
-xxECi0l/BzNxeU1gK88hEaNjIfviPR/h6Gq6KOcNKZ8rVFdwFpjbvwHMQBWhrqfu
-G3KaePvbnObKHXpfIKoAM7X2qfO+IFnLGTPyhFTcrl6vZBTMZTfZiC1XDQLuGUnd
-sckuXINIU3DFWzZGr0QrqkuE/jyr7FXeUJj9B7cLo+s/TXo+RaVfi3kOc9BoxIvy
-/qiNGs/TKy2/Ujqp/affmIMoMXSozKmga81JSwkADO1JMgUy6dApXz9kP4EE3g==
-=CLGF
+mQENBFdDN1ABCADaNd/I3j3tn40deQNgz7hB2NvT+syXe6k4ZmdiEcOfBvFrkS8B
+hNS67t93etHsxEy7E0qwsZH32bKazMqe9zDwoa3aVImryjh6SHC9lMtW27JPHFeM
+Srkt9YmH1WMwWcRO6eSY9B3PpazquhnvbammLuUojXRIxkDroy6Fw4UKmUNSRr32
+9Ej87jRoR1B2/57Kfp2Y4+vFGGzSvh3AFQpBHq51qsNHALU6+8PjLfIt+5TPvaWR
+TB+kAZnQZkaIQM2nr1n3oj6ak2RATY/+kjLizgFWzgEfbCrbsyq68UoY5FPBnu4Z
+E3iDZpaIqwKr0seUC7iA1xM5eHi5kty1oB7HABEBAAG0Ik5Tb2xpZCA8bnNvbGlk
+LWdwZ0Bub2Rlc291cmNlLmNvbT6JATgEEwECACIFAldDN1ACGwMGCwkIBwMCBhUI
+AgkKCwQWAgMBAh4BAheAAAoJEC9ZtfmbG+C0y7wH/i4xnab36dtrYW7RZwL8i6Sc
+NjMx4j9+U1kr/F6YtqWd+JwCbBdar5zRghxPcYEq/qf7MbgAYcs1eSOuTOb7n7+o
+xUwdH2iCtHhKh3Jr2mRw1ks7BbFZPB5KmkxHaEBfLT4d+I91ZuUdPXJ+0SXs9gzk
+Dbz65Uhoz3W03aiF8HeL5JNARZFMbHHNVL05U1sTGTCOtu+1c/33f3TulQ/XZ3Y4
+hwGCpLe0Tv7g7Lp3iLMZMWYPEa0a7S4u8he5IEJQLd8bE8jltcQvrdr3Fm8kI2Jg
+BJmUmX4PSfhuTCFaR/yeCt3UoW883bs9LfbTzIx9DJGpRIu8Y0IL3b4sj/GoZVq5
+AQ0EV0M3UAEIAKrTaC62ayzqOIPa7nS90BHHck4Z33a2tZF/uof38xNOiyWGhT8u
+JeFoTTHn5SQq5Ftyu4K3K2fbbpuu/APQF05AaljzVkDGNMW4pSkgOasdysj831cu
+ssrHX2RYS22wg80k6C/Hwmh5F45faEuNxsV+bPx7oPUrt5n6GMx84vEP3i1+FDBi
+0pt/B/QnDFBXki1BGvJ35f5NwDefK8VaInxXP3ZN/WIbtn5dqxppkV/YkO7GiJlp
+Jlju9rf3kKUIQzKQWxFsbCAPIHoWv7rH9RSxgDithXtG6Yg5R1aeBbJaPNXL9wpJ
+YBJbiMjkAFaz4B95FOqZm3r7oHugiCGsHX0AEQEAAYkBHwQYAQIACQUCV0M3UAIb
+DAAKCRAvWbX5mxvgtE/OB/0VN88DR3Y3fuqy7lq/dthkn7Dqm9YXdorZl3L152eE
+IF882aG8FE3qZdaLGjQO4oShAyNWmRfSGuoH0XERXAI9n0r8m4mDMxE6rtP7tHet
+y/5M8x3CTyuMgx5GLDaEUvBusnTD+/v/fBMwRK/cZ9du5PSG4R50rtst+oYyC2ao
+x4I2SgjtF/cY7bECsZDplzatN3gv34PkcdIg8SLHAVlL4N5tzumDeizRspcSyoy2
+K2+hwKU4C4+dekLLTg8rjnRROvplV2KtaEk6rxKtIRFDCoQng8wfJuIMrDNKvqZw
+FRGt7cbvW5MCnuH8MhItOl9Uxp1wHp6gtav/h8Gp6MBa
+=MARt
 -----END PGP PUBLIC KEY BLOCK-----

data/proftpd/files/home.paperless.conf

@@ -0,0 +1,74 @@
+Include /etc/proftpd/modules.conf
+
+UseIPv6 on
+<IfModule mod_ident.c>
+    IdentLookups off
+</IfModule>
+
+ServerName "home.paperless"
+ServerType standalone
+DeferWelcome off
+
+DefaultServer on
+ShowSymlinks on
+
+TimeoutNoTransfer 600
+TimeoutStalled 600
+TimeoutIdle 1200
+
+DisplayLogin welcome.msg
+DisplayChdir .message true
+ListOptions "-l"
+
+DenyFilter \*.*/
+
+RequireValidShell off
+
+Port 21
+
+PassivePorts 49152 50192
+
+MaxInstances 30
+
+User proftpd
+Group nogroup
+
+Umask 022 022
+AllowOverwrite on
+
+TransferLog /var/log/proftpd/xferlog
+SystemLog /var/log/proftpd/proftpd.log
+
+<IfModule mod_quotatab.c>
+    QuotaEngine off
+</IfModule>
+
+<IfModule mod_ratio.c>
+    Ratios off
+</IfModule>
+
+<IfModule mod_delay.c>
+    DelayEngine on
+</IfModule>
+
+<IfModule mod_ctrls.c>
+    ControlsEngine off
+    ControlsMaxClients 2
+    ControlsLog /var/log/proftpd/controls.log
+    ControlsInterval 5
+    ControlsSocket /var/run/proftpd/proftpd.sock
+</IfModule>
+
+<IfModule mod_ctrls_admin.c>
+    AdminControlsEngine off
+</IfModule>
+
+<Anonymous /mnt/paperless/consume/>
+    User nobody
+    Group nogroup
+    UserAlias anonymous ftp
+
+    <Directory *>
+        AllowAll
+    </Directory>
+</Anonymous>

data/ssl/_.home.kunbox.net.crt.pem

@@ -1,22 +1,22 @@
 -----BEGIN CERTIFICATE-----
-MIIDsDCCAzWgAwIBAgISBMRgrLMPa1cucom1daU3fmCaMAoGCCqGSM49BAMDMDIx
+MIIDsDCCAzWgAwIBAgISBIi3muU9O51f4fWWUXJHNgRHMAoGCCqGSM49BAMDMDIx
 CzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQDEwJF
-NTAeFw0yNDA2MTExNDQyMzdaFw0yNDA5MDkxNDQyMzZaMBoxGDAWBgNVBAMTD2hv
-bWUua3VuYm94Lm5ldDB2MBAGByqGSM49AgEGBSuBBAAiA2IABGlCPITmq729xoLb
-DkSn6SYxnP7Mns9dBSqUv1WktnYjwbavlbXKN3Bz0yCGcXSCZA+Nq576DBK9L9X6
-tTeIvqG1akyNxY+1eDK3vhH4FKmZE6oOyh1jqfG2LY7dvLYCQKOCAiQwggIgMA4G
+NjAeFw0yNDA5MDQxNjA1MThaFw0yNDEyMDMxNjA1MTdaMBoxGDAWBgNVBAMTD2hv
+bWUua3VuYm94Lm5ldDB2MBAGByqGSM49AgEGBSuBBAAiA2IABA5vskMN8tWHCOsv
+aUojW+t8otSpRgcU0tLsONhzQ7GhG5tC5DQ5pN7HiG14eejONQE4hRWC4rkP/e47
+EVQd/rFK5m0lQesR68zogtW9KfQZUoINhlOuR4CxpBY1LrG5laOCAiQwggIgMA4G
 A1UdDwEB/wQEAwIHgDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwDAYD
-VR0TAQH/BAIwADAdBgNVHQ4EFgQUt6i+27R0AAj+AUgSNg3Gmm5GzLYwHwYDVR0j
-BBgwFoAUnytfzzwhT50Et+0rLMTGcIvS1w0wVQYIKwYBBQUHAQEESTBHMCEGCCsG
-AQUFBzABhhVodHRwOi8vZTUuby5sZW5jci5vcmcwIgYIKwYBBQUHMAKGFmh0dHA6
-Ly9lNS5pLmxlbmNyLm9yZy8wLQYDVR0RBCYwJIIRKi5ob21lLmt1bmJveC5uZXSC
+VR0TAQH/BAIwADAdBgNVHQ4EFgQU3iCazGKeVwzCa84zl+qckbspEmEwHwYDVR0j
+BBgwFoAUkydGmAOpUWiOmNbEQkjbI79YlNIwVQYIKwYBBQUHAQEESTBHMCEGCCsG
+AQUFBzABhhVodHRwOi8vZTYuby5sZW5jci5vcmcwIgYIKwYBBQUHMAKGFmh0dHA6
+Ly9lNi5pLmxlbmNyLm9yZy8wLQYDVR0RBCYwJIIRKi5ob21lLmt1bmJveC5uZXSC
 D2hvbWUua3VuYm94Lm5ldDATBgNVHSAEDDAKMAgGBmeBDAECATCCAQQGCisGAQQB
-1nkCBAIEgfUEgfIA8AB2AO7N0GTV2xrOxVy3nbTNE6Iyh0Z8vOzew1FIWUZxH7Wb
-AAABkAf3K9YAAAQDAEcwRQIhAPFpuj8ZoOmqhDNJDSuJ3BWyUuOUyY2QXjIVRHop
-dKyPAiAa2cwsyBFOjWOEYRCZ/7UgBA5axt8ZCrRYseefFwpvSQB2AN/hVuuqBa+1
-nA+GcY2owDJOrlbZbqf1pWoB0cE7vlJcAAABkAf3LJ8AAAQDAEcwRQIhAL9+dxTj
-34moGhk32PnQZg2+nVNiVxLxYjDL9fk1R+bXAiAA7EjWqcZgktinTpt1pVQMmuUn
-FQ1IRh5AdycNn0lL2jAKBggqhkjOPQQDAwNpADBmAjEAubnofDBEyrcSJAiGxlqc
-EpUndlnkT/irfl/As8EUt0KMSPhnV3i7oEq89bi0KDghAjEA+XHccaWUi7BJEoV7
-nCUOCct64mb2LmXkvYiFVicsV9ubp4kVbziWjLgng6TC3HoM
+1nkCBAIEgfUEgfIA8AB2AD8XS0/XIkdYlB1lHIS+DRLtkDd/H4Vq68G/KIXs+GRu
+AAABkb3+C2AAAAQDAEcwRQIhAMwv6NjH3Ggd1WfeSVvyToVaM15glwfSJcAW8+40
+XbCKAiABUoDmQjhKi5VfwZ7e0WX5XjEmgBN2qTafK5RqlaCDJgB2AO7N0GTV2xrO
+xVy3nbTNE6Iyh0Z8vOzew1FIWUZxH7WbAAABkb3+C3IAAAQDAEcwRQIgU9sxMGOG
+aP3npu7vw3G9TiFRxuZRCI96My34WVSCOcsCIQDhDjS9QhJGtNT68Z0sx6DJCcco
+L1AXGWwojxizcx48bTAKBggqhkjOPQQDAwNpADBmAjEA/SOZeiZrClB5EJlZFdQy
+hrt2qh4HC5zvHdSLTWI4GAxDy8xRg/ANO6fp0Sb7Q7jdAjEAhiQgQfgUln08i/tv
+3TGjVRIT/Y4A4QadodTROpfmFDH3QIsNwRPRhQUUSscBavK9
 -----END CERTIFICATE-----

data/ssl/_.home.kunbox.net.crt_intermediate.pem

@@ -1,27 +1,27 @@
 
 -----BEGIN CERTIFICATE-----
-MIIEVzCCAj+gAwIBAgIRAIOPbGPOsTmMYgZigxXJ/d4wDQYJKoZIhvcNAQELBQAw
+MIIEVzCCAj+gAwIBAgIRALBXPpFzlydw27SHyzpFKzgwDQYJKoZIhvcNAQELBQAw
 TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
 cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMjQwMzEzMDAwMDAw
 WhcNMjcwMzEyMjM1OTU5WjAyMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNTGV0J3Mg
-RW5jcnlwdDELMAkGA1UEAxMCRTUwdjAQBgcqhkjOPQIBBgUrgQQAIgNiAAQNCzqK
-a2GOtu/cX1jnxkJFVKtj9mZhSAouWXW0gQI3ULc/FnncmOyhKJdyIBwsz9V8UiBO
-VHhbhBRrwJCuhezAUUE8Wod/Bk3U/mDR+mwt4X2VEIiiCFQPmRpM5uoKrNijgfgw
+RW5jcnlwdDELMAkGA1UEAxMCRTYwdjAQBgcqhkjOPQIBBgUrgQQAIgNiAATZ8Z5G
+h/ghcWCoJuuj+rnq2h25EqfUJtlRFLFhfHWWvyILOR/VvtEKRqotPEoJhC6+QJVV
+6RlAN2Z17TJOdwRJ+HB7wxjnzvdxEP6sdNgA1O1tHHMWMxCcOrLqbGL0vbijgfgw
 gfUwDgYDVR0PAQH/BAQDAgGGMB0GA1UdJQQWMBQGCCsGAQUFBwMCBggrBgEFBQcD
-ATASBgNVHRMBAf8ECDAGAQH/AgEAMB0GA1UdDgQWBBSfK1/PPCFPnQS37SssxMZw
-i9LXDTAfBgNVHSMEGDAWgBR5tFnme7bl5AFzgAiIyBpY9umbbjAyBggrBgEFBQcB
+ATASBgNVHRMBAf8ECDAGAQH/AgEAMB0GA1UdDgQWBBSTJ0aYA6lRaI6Y1sRCSNsj
+v1iU0jAfBgNVHSMEGDAWgBR5tFnme7bl5AFzgAiIyBpY9umbbjAyBggrBgEFBQcB
 AQQmMCQwIgYIKwYBBQUHMAKGFmh0dHA6Ly94MS5pLmxlbmNyLm9yZy8wEwYDVR0g
 BAwwCjAIBgZngQwBAgEwJwYDVR0fBCAwHjAcoBqgGIYWaHR0cDovL3gxLmMubGVu
-Y3Iub3JnLzANBgkqhkiG9w0BAQsFAAOCAgEAH3KdNEVCQdqk0LKyuNImTKdRJY1C
-2uw2SJajuhqkyGPY8C+zzsufZ+mgnhnq1A2KVQOSykOEnUbx1cy637rBAihx97r+
-bcwbZM6sTDIaEriR/PLk6LKs9Be0uoVxgOKDcpG9svD33J+G9Lcfv1K9luDmSTgG
-6XNFIN5vfI5gs/lMPyojEMdIzK9blcl2/1vKxO8WGCcjvsQ1nJ/Pwt8LQZBfOFyV
-XP8ubAp/au3dc4EKWG9MO5zcx1qT9+NXRGdVWxGvmBFRAajciMfXME1ZuGmk3/GO
-koAM7ZkjZmleyokP1LGzmfJcUd9s7eeu1/9/eg5XlXd/55GtYjAM+C4DG5i7eaNq
-cm2F+yxYIPt6cbbtYVNJCGfHWqHEQ4FYStUyFnv8sjyqU8ypgZaNJ9aVcWSICLOI
-E1/Qv/7oKsnZCWJ926wU6RqG1OYPGOi1zuABhLw61cuPVDT28nQS/e6z95cJXq0e
-K1BcaJ6fJZsmbjRgD5p3mvEf5vdQM7MCEvU0tHbsx2I5mHHJoABHb8KVBgWp/lcX
-GWiWaeOyB7RP+OfDtvi2OsapxXiV7vNVs7fMlrRjY1joKaqmmycnBvAq14AEbtyL
-sVfOS66B8apkeFX2NY4XPEYV4ZSCe8VHPrdrERk2wILG3T/EGmSIkCYVUMSnjmJd
-VQD9F6Na/+zmXCc=
+Y3Iub3JnLzANBgkqhkiG9w0BAQsFAAOCAgEAfYt7SiA1sgWGCIpunk46r4AExIRc
+MxkKgUhNlrrv1B21hOaXN/5miE+LOTbrcmU/M9yvC6MVY730GNFoL8IhJ8j8vrOL
+pMY22OP6baS1k9YMrtDTlwJHoGby04ThTUeBDksS9RiuHvicZqBedQdIF65pZuhp
+eDcGBcLiYasQr/EO5gxxtLyTmgsHSOVSBcFOn9lgv7LECPq9i7mfH3mpxgrRKSxH
+pOoZ0KXMcB+hHuvlklHntvcI0mMMQ0mhYj6qtMFStkF1RpCG3IPdIwpVCQqu8GV7
+s8ubknRzs+3C/Bm19RFOoiPpDkwvyNfvmQ14XkyqqKK5oZ8zhD32kFRQkxa8uZSu
+h4aTImFxknu39waBxIRXE4jKxlAmQc4QjFZoq1KmQqQg0J/1JF8RlFvJas1VcjLv
+YlvUB2t6npO6oQjB3l+PNf0DpQH7iUx3Wz5AjQCi6L25FjyE06q6BZ/QlmtYdl/8
+ZYao4SRqPEs/6cAiF+Qf5zg2UkaWtDphl1LKMuTNLotvsX99HP69V2faNyegodQ0
+LyTApr/vT01YPE46vNsDLgK+4cL6TrzC/a4WcmF5SRJ938zrv/duJHLXQIku5v0+
+EwOy59Hdm0PT/Er/84dDV0CSjdR/2XuZM3kpysSKLgD1cKiDA+IRguODCxfO9cyY
+Ig46v9mFmBvyH04=
 -----END CERTIFICATE-----

data/ssl/_.home.kunbox.net.key.pem.vault

@@ -1 +1 @@
-encrypt$gAAAAABmaHBwHXKZDN_8bEa47lNIX25-wvvW1RcC689Hod4HAsY2tT6fd9k7zdnbK8KWedRNopdRIlhQUkU0xBVh5J5maiYfn5R8Kp_VpkXiWY0LVY3XMWjB4oHmU29VEbl490oesAhUUH6hb7lwfvsbV4WTM_7aL0_sPfF1udxO89gg-9z2nbl-7zmTdSBY651fZQngd4SlwK17N1fedkHgYamGLdgE10oPZiRsOJKrUGv-Pxi4ICQ7J_AF6bO05PyZkeNqqUP19g2f5EsKNnT0bxQHCP5sbofvYzli-fU2bW-leuvm-VU8lV27t39lQZyF-WcWnB7626w0semrg7cCJ4qoHJVekEFWzJBLhagSNdCDWHAwdV2_MHzSgbXvyXz0maga8-1wBoa8Ueinp2oPQMPaUsVzy6NVX7mAsB6Rw9CXDSEf8WPSKWaz7324qhxKmhMHt0r68z0qM28mHb98F_vbS6geCw==
+encrypt$gAAAAABm2JL0vVqh3Zut-a1Gfn8iOtDZS8aBpGobV3-d3u8My0MPunYmbQ6kXUAw7U0Bu87AAPXNsmi1pxrxcu8vXvhw4uM445WwKj-UqaV5fmk-ZasHGq-O6K52YqEgK6wo-9u_sOBubbwJSwFVaHxT3gczLW_GVRHhFIFGgdnRlz4YoAz4NXcos_uNO9GMEOGhfGx9e2c2GOIg64vXkj_1LjXEDoV9HYMzy-2wLt4A6q-ZiZwCoKl8-lt8sY_rLk_yfmy3sMvzqg8JaE7T4sunmXDdf4HQlnvl_cu1uW33Rrsq4-080HKx6rKNsZQGhWD2yls016xBAYZvQbDjHd6-7bld1bs5RUF5tfEC3Kx567TBdMaf5C7-PnNB7O_MC4I6SkmUElGRdYyCHuP5HXf9dKtiGCtjHyfEzqTBrcI0xPt631_IGPWMNId7zyLqfLHpMFTPS9jgGVKoT1TXwKe4NSHaGxXO-A==

groups/locations.py

@@ -61,6 +61,9 @@ groups['home'] = {
 }
 
 groups['sophie'] = {
+    'supergroups': {
+        'linux',
+    },
     'member_patterns': {
         r"sophie\..*",
     },
@@ -68,6 +71,9 @@ groups['sophie'] = {
         'icinga_options': {
             'exclude_from_monitoring': True,
         },
+        'backup-client': {
+            'target': 'htz-hel.backup-sophie',
+        },
         'users': {
             'sophie': {},
         },

libs/s2s.py

@@ -17,7 +17,7 @@ WG_AUTOGEN_NODES = [
     'home.router',
     'htz-cloud.wireguard',
     'icinga2',
-    'daisy',
+    None, # daisy
 ]
 
 WG_AUTOGEN_SETTINGS = {

nodes/carlene.toml

@@ -40,7 +40,7 @@ imap_pass = "!bwpass_attr:t-online.de/franzi.kunsmann@t-online.de:imap"
 
 [metadata.element-web]
 url = "chat.franzi.business"
-version = "v1.11.69"
+version = "v1.11.78"
 [metadata.element-web.config]
 default_server_config.'m.homeserver'.base_url = "https://matrix.franzi.business"
 default_server_config.'m.homeserver'.server_name = "franzi.business"
@@ -49,8 +49,8 @@ defaultCountryCode = "DE"
 jitsi.preferredDomain = "meet.ffmuc.net"
 
 [metadata.forgejo]
-version = "7.0.4"
-sha1 = "2ca8a4b6d9abae666b84a3b03a5c017f4a774651"
+version = "8.0.3"
+sha1 = "a19aa24f26c1ff5a38cf12619b6a6064242d0cf2"
 domain = "git.franzi.business"
 enable_git_hooks = true
 install_ssh_key = true
@@ -59,7 +59,7 @@ lfs_secret_key = "!decrypt:encrypt$gAAAAABfPnd1vgNDt86-91YhviQw8Z0djSp4f_tBt76kl
 oauth_secret_key = "!decrypt:encrypt$gAAAAABfPnbfTISbldhS0WyxVKBHVVoOMcar7Kxmh1kkmiUGd-RzbbnNzzhEER_owjttPQcACPfGKZ6WklaSsXjLq8km4P6A9QmPbC06GmHbc91m0odCb1KiY7SZeUD35PiRiGSq50dz"
 security_secret_key = "!decrypt:encrypt$gAAAAABfPnc-R7pkDj4pQgHDb6pzlNYNJgiWdeBFsX7IsHSnCtNPbZxCdtSL8cHtQzVO1KbSxS7zCwssmgiR8Kj54Z-koD-FQbjpbKWoIPw8SsyeqBVlZhIeEzhw_1t7_7ZTvv1O8AePdNYel9JJb_TaAZ8Vx46ZfsEPy8zaaHrqOekHC6RAnB4="
 
-[metadata.interfaces.eno2]
+[metadata.interfaces.'eno*']
 ips = [
     "193.135.9.29/24",
     "2a0a:51c0:0:225::2/64",
@@ -70,12 +70,13 @@ gateway6 = "2a0a:51c0:0:225::1"
 [metadata.matrix-media-repo]
 admins = ["@kunsi:franzi.business"]
 datastore_id = "3fff5da324ed784c771d638bb6be5917"
-sha1 = "55d353b472894547c61b11567089eb2cf40ce5ba"
+sha1 = "3e2bb7089b0898b86000243a82cc58ae998dc9d9"
 upload_max_mb = 500
-version = "v1.3.4"
+version = "v1.3.7"
 [metadata.matrix-media-repo.homeservers.'franzi.business']
 api = "synapse"
 domain = "http://[::1]:20080/"
+signing_key_path = "/etc/matrix-synapse/mmr.signing.key"
 
 [metadata.matrix-stickerpicker]
 # use this bot token: encrypt$gAAAAABfVK51ErJ6gfsOOkbRxSHDnVYmf7EihAQf7Uwj9og3TlAw64WRsA6ZVEgTSvOdLB3SMKZ-cTEhwkCOpbymq-_WLhes-hZALhN-H_oXHaxTQErJ0lARynKmjM-4ZhoGlUWlfh4Q
@@ -89,7 +90,7 @@ user_id = "@dimension:franzi.business"
 admin_contact = "mailto:hostmaster@kunbox.net"
 baseurl = "matrix.franzi.business"
 server_name = "franzi.business"
-trusted_key_servers = ["matrix.org", "finallycoffee.eu"]
+trusted_key_servers = ["matrix.org", "161.rocks"]
 additional_client_config.'im.vector.riot.jitsi'.preferredDomain = "meet.ffmuc.net"
 wellknown_also_on_vhosts = ["franzi.business"]
 [metadata.matrix-synapse.sliding_sync]
@@ -98,7 +99,7 @@ sha1 = "cecb371ff5f1dd528cfc490484a0967dcc28cd82"
 secret = "!decrypt:encrypt$gAAAAABl9yJlbEZafJ2mumtg03rW0-440NIgFcgdWGMo3Axrypugwctacy9Cq7MYtCBGjnDyNvVLI5B2QMJ9ssCD46NCsFRN3-X4u9rDtxPhRZV7rls_LQ_Csc_GsffJfvpmHbn_wsljd3I74h4ouWlYhhEQUIKwb3eErSZ_VTZhu_bC4jTa0FY="
 
 [metadata.mautrix-telegram]
-version = "v0.15.1"
+version = "v0.15.2"
 homeserver.domain = "franzi.business"
 homeserver.url = "https://matrix.franzi.business"
 telegram.api_id = "!decrypt:encrypt$gAAAAABfVK5SmDDru-UQxitkE5VhPArnUBhaRbAqQPvAW2Fh3fd1XDrWxa3Qn4BSnJAPNWglH5wil_SXUMcIm95FMhPe8dVeMQ=="
@@ -113,8 +114,8 @@ provisioning.shared_secret = "!decrypt:encrypt$gAAAAABfVKflEMAi07C_QGP8cy97hF-4g
 "'@kunsi:franzi.business'" = "admin"
 
 [metadata.mautrix-whatsapp]
-version = "v0.10.7"
-sha1 = "7ebfadc247c3fb4c6c9503f7c48234fcc976cadf"
+version = "v0.10.9"
+sha1 = "1619579ec6b9fca84fec085a94842d309d3f730c"
 permissions."'@kunsi:franzi.business'" = "admin"
 [metadata.mautrix-whatsapp.homeserver]
 domain = "franzi.business"
@@ -125,7 +126,7 @@ domain = "rss.franzi.business"
 
 [metadata.netbox]
 domain = "netbox.franzi.business"
-version = "v4.0.5"
+version = "v4.1.2"
 admins.kunsi = "hostmaster@kunbox.net"
 
 [metadata.nextcloud]
@@ -135,6 +136,10 @@ domain = "warnochwas.de"
 contact = "mailto:security@kunsmann.eu"
 Encryption = "https://franzi.business/gpg_hi-kunsmann.eu.asc"
 
+[metadata.nginx.vhosts.'afra.berlin'.locations.'/']
+redirect = "https://afra-berlin.de"
+mode = 302
+
 [metadata.nginx.vhosts.forgejo]
 domain_aliases = ["git.kunsmann.eu"]
 
@@ -255,7 +260,7 @@ disks = [
 ]
 
 [metadata.travelynx]
-version = "2.6.9"
+version = "2.8.40"
 mail_from = "travelynx@franzi.business"
 domain = "travelynx.franzi.business"
 

nodes/daisy.toml

@@ -1,23 +0,0 @@
-hostname = "2a11:f2c0:3:4::120"
-bundles = [
-    "bird",
-    "wireguard",
-]
-groups = [
-    "debian-bookworm",
-]
-
-[metadata]
-location = "glauca"
-nameservers = [
-    "2606:4700::1111",
-    "2606:4700:4700::1001",
-]
-backups.exclude_from_backups = true
-icinga_options.period = "daytime"
-
-[metadata.interfaces.ens18]
-ips = [
-    "2a11:f2c0:3:4::120/64",
-]
-gateway6 = "fe80::220:91ff:fe45:e19e"

nodes/home.appletv-wohnzimmer.toml

@@ -0,0 +1,9 @@
+dummy = true
+
+[metadata.interfaces.default]
+ips = ["172.19.138.73"]
+dhcp = true
+mac = "c0:95:6d:5e:82:47"
+
+[metadata.icinga_options]
+exclude_from_monitoring = true

nodes/home.encoder96.toml

@@ -3,7 +3,7 @@ dummy = true
 [metadata.interfaces.default]
 ips = ["172.19.138.99"]
 dhcp = true
-mac = "54:04:A6:EF:A8:01"
+mac = "6c:4b:90:5c:e3:6d"
 
 [metadata.icinga_options]
 exclude_from_monitoring = true

nodes/home.fujitsu-n7100.toml

@@ -0,0 +1,9 @@
+dummy = true
+
+[metadata.interfaces.default]
+ips = ["172.19.138.75"]
+dhcp = true
+mac = "00:01:29:59:a9:8c"
+
+[metadata.icinga_options]
+exclude_from_monitoring = true

nodes/home.hass.toml

@@ -6,6 +6,9 @@ bundles = [
 ]
 groups = ["debian-bookworm"]
 
+[metadata.icinga_options]
+also_affected_by = ['home.nas']
+
 [metadata.interfaces.enp1s0]
 ips = [
     "172.19.138.25/24",
@@ -19,7 +22,7 @@ ram = 2
 
 [metadata.homeassistant]
 domain = 'hass.home.kunbox.net'
-api_secret = 'encrypt$gAAAAABjpyuqXLoilokQW5c0zV8shHcOzN1zkEbS-I6WAAX-xDO_OF33YbjbkpELU2HGBzqiWX40J0hsaEbYJOnCHFk8gJ-Xt0vdqqbQ5vca_TGPNQHZPAS4qZoPTcUhmX_I-0EdT6ukhxejXFYBiYRZikTLjH3lcNM5qnckCm-H9NbRdjLb9hbCDIjbEglHmBl_g08S1_ukvX3dDSCIHIxgXXGsdK_Go1KxPJd8G22FL_MMhCfsTW-6ioIqoHSeSA1NGk3MZHEIM2errckiopKBxoBaROsacO9Uqk1zrrgXOs2NsgiTRtrbV1TNlFVaIX9mZdsUnMGZ'
+api_secret = '!decrypt:encrypt$gAAAAABm9lNg_mNhyzb4S6WRtVRDmQFBnPpoCwyqMnilRrAFUXc-EDvv-nYXPbSIbjTf7ZReTPtqr8k3WrGPqiuqhJ60LVv4A5DMqT5c6hTVr4WbhP4DPEIPgfd5aq6U9_-H9WDyQYHKjnunLJEYtEREzmhTq3XsYeQ05DyE7hfnQ-zVoBb0CsAK7GdhihRTdvhXv2N9M04_rigyBP-roRcUgCqwyHuWJc0IPAyn3R4Mr43ZqgR2fn6dNV_YUVKn9c0nWxIwRnYy6Ff_Te9NoGVmXxkiNUX-90bBLKFiCzrRAtizxrTiQb2SRipaWbgOlV6wbMy2KNux'
 
 [metadata.nginx]
 restrict-to = [

nodes/home.r630-ipmi.toml

@@ -0,0 +1,6 @@
+dummy = true
+
+[metadata.interfaces.eth0]
+ips = ["172.19.138.23"]
+dhcp = true
+mac = "50:9a:4c:ad:f9:c4"

nodes/home.r630.toml

@@ -0,0 +1,26 @@
+hostname = "172.19.138.22"
+groups = ["debian-bookworm"]
+
+[metadata]
+icinga_options.exclude_from_monitoring = true
+
+[metadata.interfaces.eno3]
+ips = [
+    "172.19.138.22/24",
+]
+gateway4 = "172.19.138.1"
+ipv6_accept_ra = true
+
+[metadata.nftable.forward]
+50-local-forward = [
+    'ct state { related, established } accept',
+    'iifname eno3 accept',
+    'ip6 nexthdr ipv6-icmp accept',
+]
+
+[metadata.users.molly]
+password = "!decrypt:dummy$no"
+
+[metadata.vm]
+cpu = 56
+ram = 128

nodes/home.winkeeinhorn-vm.toml

@@ -1,5 +1,8 @@
 dummy = true
 
+[metadata.icinga_options]
+also_affected_by = ['home.nas']
+
 [metadata.interfaces.default]
 ips = ["172.19.138.10"]
 dhcp = true

nodes/home/downloadhelper.py

@@ -8,6 +8,11 @@ nodes['home.downloadhelper'] = {
         'debian-bullseye',
     },
     'metadata': {
+        'icinga_options': {
+            'also_affected_by': {
+                'home.nas',
+            },
+        },
         'interfaces': {
             'enp1s0.3001': {
                 'dhcp': True,

nodes/home/nas.py

@@ -11,7 +11,7 @@ nodes['home.nas'] = {
         'mosquitto',
         'nfs-server',
         'rsyslogd',
-        'scansnap',
+        'samba',
         'smartd',
         'vmhost',
         'zfs',
@@ -69,21 +69,17 @@ nodes['home.nas'] = {
         },
         'dm-crypt': {
             'encrypted-devices': {
-                '/dev/disk/by-id/ata-ST18000NM0092-3CX103_ZVV06JV7-part1': {
-                    'dm-name': 'sg-ZVV06JV7-1',
-                    'passphrase': bwpass.password('bw/home.nas/dmcrypt/sg-ZVV06JV7-1'),
+                '/dev/disk/by-id/ata-Samsung_SSD_870_QVO_8TB_S5SSNJ0X409404K': {
+                    'dm-name': 'sam-S5SSNJ0X409404K',
+                    'passphrase': bwpass.password('bw/home.nas/dmcrypt/S5SSNJ0X409404K'),
                 },
-                '/dev/disk/by-id/ata-ST18000NM0092-3CX103_ZVV06JV7-part2': {
-                    'dm-name': 'sg-ZVV06JV7-2',
-                    'passphrase': bwpass.password('bw/home.nas/dmcrypt/sg-ZVV06JV7-2'),
+                '/dev/disk/by-id/ata-Samsung_SSD_870_QVO_8TB_S5SSNJ0X409845F': {
+                    'dm-name': 'sam-S5SSNJ0X409845F',
+                    'passphrase': bwpass.password('bw/home.nas/dmcrypt/S5SSNJ0X409845F'),
                 },
-                '/dev/disk/by-id/ata-ST18000NM0092-3CX103_ZVV06SLR-part1': {
-                    'dm-name': 'sg-ZVV06SLR-1',
-                    'passphrase': bwpass.password('bw/home.nas/dmcrypt/sg-ZVV06SLR-1'),
-                },
-                '/dev/disk/by-id/ata-ST18000NM0092-3CX103_ZVV06SLR-part2': {
-                    'dm-name': 'sg-ZVV06SLR-2',
-                    'passphrase': bwpass.password('bw/home.nas/dmcrypt/sg-ZVV06SLR-2'),
+                '/dev/disk/by-id/ata-Samsung_SSD_870_QVO_8TB_S5SSNJ0X409870J': {
+                    'dm-name': 'sam-S5SSNJ0X409870J',
+                    'passphrase': bwpass.password('bw/home.nas/dmcrypt/S5SSNJ0X409870J'),
                 },
             },
         },
@@ -116,9 +112,12 @@ nodes['home.nas'] = {
                 },
             },
         },
-        'jellyfin': {
-            'restrict-to': {
-                'home.lgtv-wohnzimmer',
+        'mixcloud-downloader': {
+            'netrc': {
+                'soundcloud': {
+                    'username': 'oauth',
+                    'password': bwpass.attr('soundcloud.com/hi@kunsmann.eu', 'oauth_token'),
+                },
             },
         },
         'mosquitto': {
@@ -161,9 +160,6 @@ nodes['home.nas'] = {
                 '/srv/paperless': {
                     'home.paperless': 'rw,all_squash,anonuid=65534,anongid=65534,no_subtree_check',
                 },
-                '/srv/scansnap': {
-                    '172.19.138.0/24': 'rw,all_squash,anonuid=65534,anongid=65534,no_subtree_check',
-                },
             },
         },
         'nginx': {
@@ -179,17 +175,25 @@ nodes['home.nas'] = {
                 'home',
             },
         },
+        'samba': {
+            'shares': {
+                'music': {
+                    'path': '/storage/nas/Musik',
+                    'force_group': 'nas',
+                },
+            },
+            'restrict-to': {
+                '172.19.138.0/24',
+            },
+        },
         'smartd': {
             'disks': {
                 '/dev/nvme0',
 
                 # encrypted disks
-                '/dev/disk/by-id/ata-ST18000NM0092-3CX103_ZVV06JV7',
-                '/dev/disk/by-id/ata-ST18000NM0092-3CX103_ZVV06SLR',
-
-                # ZFS cache disks
-                #'/dev/disk/by-id/ata-TS64GSSD370_B807810503',
-                #'/dev/disk/by-id/ata-TS64GSSD370_B807810527',
+                '/dev/disk/by-id/ata-Samsung_SSD_870_QVO_8TB_S5SSNJ0X409404K',
+                '/dev/disk/by-id/ata-Samsung_SSD_870_QVO_8TB_S5SSNJ0X409845F',
+                '/dev/disk/by-id/ata-Samsung_SSD_870_QVO_8TB_S5SSNJ0X409870J',
             },
         },
         'systemd-networkd': {
@@ -204,6 +208,11 @@ nodes['home.nas'] = {
                         'br0.1138',
                     },
                 },
+                'br1139': {
+                    'match': {
+                        'br0.1139',
+                    },
+                },
             },
         },
         'systemd-timers': {
@@ -253,20 +262,6 @@ nodes['home.nas'] = {
                                     '/dev/disk/by-id/ata-WDC_WD6003FFBX-68MU3N0_V8J8ZKRR',
                                 },
                             },
-#                            {
-#                                'type': 'log',
-#                                'devices': {
-#                                    '/dev/disk/by-id/ata-TS64GSSD370_B807810503-part1',
-#                                    '/dev/disk/by-id/ata-TS64GSSD370_B807810527-part1',
-#                                },
-#                            },
-#                            {
-#                                'type': 'cache',
-#                                'devices': {
-#                                    '/dev/disk/by-id/ata-TS64GSSD370_B807810503-part2',
-#                                    '/dev/disk/by-id/ata-TS64GSSD370_B807810527-part2',
-#                                },
-#                            },
                         ],
                         'ashift': 12,
                     },
@@ -274,31 +269,21 @@ nodes['home.nas'] = {
                 'encrypted': {
                     'when_creating': {
                         'config': [
-                            # These are new and fancy "dual actuator"
-                            # drives, partitioned into two partitions
-                            # taking 50% of the disk each.
                             {
-                                'type': 'mirror',
+                                'type': 'raidz',
                                 'devices': {
-                                    '/dev/mapper/sg-ZVV06JV7-1',
-                                    '/dev/mapper/sg-ZVV06SLR-1',
-                                },
-                            },
-                            {
-                                'type': 'mirror',
-                                'devices': {
-                                    '/dev/mapper/sg-ZVV06JV7-2',
-                                    '/dev/mapper/sg-ZVV06SLR-2',
+                                    '/dev/mapper/sam-S5SSNJ0X409404K',
+                                    '/dev/mapper/sam-S5SSNJ0X409845F',
+                                    '/dev/mapper/sam-S5SSNJ0X409870J',
                                 },
                             },
                         ],
-                        'ashift': 12
+                        'ashift': 12,
                     },
                     'needs': {
-                        'action:dm-crypt_open_sg-ZVV06JV7-1',
-                        'action:dm-crypt_open_sg-ZVV06JV7-2',
-                        'action:dm-crypt_open_sg-ZVV06SLR-1',
-                        'action:dm-crypt_open_sg-ZVV06SLR-2',
+                        'action:dm-crypt_open_sam-S5SSNJ0X409404K',
+                        'action:dm-crypt_open_sam-S5SSNJ0X409845F',
+                        'action:dm-crypt_open_sam-S5SSNJ0X409870J',
                     },
                     # see comment in bundle:backup-server
                     'unless': 'zpool import encrypted',
@@ -308,11 +293,17 @@ nodes['home.nas'] = {
                 'encrypted': {
                     'primarycache': 'metadata',
                 },
+                'encrypted/download': {
+                    'mountpoint': '/media/download',
+                },
                 'encrypted/nas': {
                     'acltype': 'off',
                     'atime': 'off',
                     'compression': 'off',
-                    'mountpoint': '/media/nas',
+                    'mountpoint': '/storage/nas',
+                },
+                'encrypted/paperless': {
+                    'mountpoint': '/media/paperless',
                 },
                 'storage': {
                     'primarycache': 'metadata',
@@ -320,28 +311,38 @@ nodes['home.nas'] = {
                 'storage/opt-yate': {
                     'mountpoint': '/opt/yate',
                 },
-                'storage/f2k1de': {
-                    'mountpoint': '/storage/f2k1de',
-                },
                 'storage/download': {
                     'mountpoint': '/storage/download',
                 },
-                'storage/inbox': {
-                    'quota': str(1024*1024*1024*1024), # 1TB
-                    'mountpoint': '/storage/inbox',
-                },
                 'storage/nas': {
-                    'mountpoint': '/storage/nas',
+                    'acltype': 'off',
+                    'atime': 'off',
+                    'compression': 'off',
+                    'mountpoint': '/media/nas_old',
                 },
                 'storage/paperless': {
                     'mountpoint': '/srv/paperless',
                 },
-                'storage/scan': {
-                    'mountpoint': '/srv/scansnap',
-                },
             },
             'snapshots': {
                 'retain_per_dataset': {
+                    'encrypted/download': {
+                        'hourly': 6,
+                        'daily': 0,
+                        'weekly': 0,
+                        'monthly': 0,
+                    },
+                    'encrypted/nas': {
+                        # juuuuuuuust to be sure.
+                        'daily': 14,
+                        'weekly': 6,
+                        'monthly': 12,
+                    },
+                    'encrypted/paperless': {
+                        'daily': 14,
+                        'weekly': 6,
+                        'monthly': 24,
+                    },
                     'storage/download': {
                         'hourly': 48,
                         'daily': 0,
@@ -359,12 +360,6 @@ nodes['home.nas'] = {
                         'weekly': 6,
                         'monthly': 24,
                     },
-                    'storage/scan': {
-                        'hourly': 6,
-                        'daily': 0,
-                        'weekly': 0,
-                        'monthly': 0,
-                    },
                 },
             },
         },

nodes/home/paperless.py

@@ -6,12 +6,18 @@ nodes['home.paperless'] = {
         'redis',
         'postgresql',
         'paperless-ng',
+        'proftpd',
     },
     'groups': {
         'debian-bookworm',
         'webserver',
     },
     'metadata': {
+        'icinga_options': {
+            'also_affected_by': {
+                'home.nas',
+            },
+        },
         'interfaces': {
             'enp1s0': {
                 'ips': {
@@ -42,12 +48,17 @@ nodes['home.paperless'] = {
         },
         'paperless': {
             'domain': 'paperless.home.kunbox.net',
-            'version': 'v2.10.0',
+            'version': 'v2.12.1',
             'timezone': 'Europe/Berlin',
         },
         'postgresql': {
             'version': 15,
         },
+        'proftpd': {
+            'restrict-to': {
+                'home.fujitsu-n7100',
+            },
+        },
         'vm': {
             'cpu': 2,
             'ram': 2,

nodes/htz-cloud.afra.toml

@@ -1,99 +0,0 @@
-hostname = "91.107.203.234"
-bundles = [
-    "element-web",
-    "matrix-media-repo",
-    "matrix-registration",
-    "matrix-synapse",
-    "nodejs",
-    "postgresql",
-    "zfs",
-]
-groups = [
-    "debian-bookworm",
-    "webserver",
-]
-
-[metadata.icinga_options]
-pretty_name = "afra.berlin"
-
-[metadata.interfaces.eth0]
-ips = [
-    "91.107.203.234/32",
-    "2a01:4f8:c010:b0e1::1/64",
-]
-gateway4 = '172.31.1.1'
-gateway6 = 'fe80::1'
-
-[metadata.interfaces.ens10]
-ips = [
-    "172.19.137.7/32",
-]
-routes.'172.19.128.0/20'.via = "172.19.137.1"
-
-[metadata.element-web]
-url = "element.afra.berlin"
-version = "v1.11.69"
-
-[metadata.element-web.config]
-default_server_config.'m.homeserver'.base_url = "https://matrix.afra.berlin"
-default_server_config.'m.homeserver'.server_name = "afra.berlin"
-brand = "afra.berlin"
-defaultCountryCode = "DE"
-jitsi.preferredDomain = "meet.ffmuc.net"
-
-[metadata.matrix-media-repo]
-admins = ['@administress:afra.berlin']
-datastore_id = "e33b50474021fba9977f912414cdd7fe8890ed57"
-sha1 = "55d353b472894547c61b11567089eb2cf40ce5ba"
-upload_max_mb = 50
-version = "v1.3.4"
-
-[metadata.matrix-media-repo.homeservers.'afra.berlin']
-domain = "http://[::1]:20080/"
-api = "synapse"
-
-[metadata.matrix-registration]
-base_path = "/matrix"
-client_redirect = "https://element.afra.berlin"
-
-[metadata.matrix-synapse]
-server_name = "afra.berlin"
-baseurl = "matrix.afra.berlin"
-admin_contact = 'mailto:hostmaster@kunbox.net'
-trusted_key_servers = [
-    "matrix.org",
-    "franzi.business",
-]
-wellknown_also_on_vhosts = ["redirect"]
-
-[metadata.nginx.vhosts.redirect]
-domain = "afra.berlin"
-
-[metadata.nginx.vhosts.redirect.locations.'/']
-redirect = "https://afra-berlin.de"
-mode = 302
-
-#[metadata.nginx.vhosts.redirect.locations.'/.well-known/host-meta']
-#redirect = "https://fedi.afra.berlin/.well-known/host-meta"
-#mode = 301
-#[metadata.nginx.vhosts.redirect.locations.'/.well-known/nodeinfo']
-#redirect = "https://fedi.afra.berlin/.well-known/nodeinfo"
-#mode = 301
-#[metadata.nginx.vhosts.redirect.locations.'/.well-known/webfinger']
-#redirect = "https://fedi.afra.berlin/.well-known/webfinger"
-#mode = 301
-
-[metadata.nginx.vhosts.redirect.locations.'/matrix/']
-target = "http://127.0.0.1:20100/"
-
-[metadata.postgresql]
-version = "15"
-work_mem = 1024
-cache_size = 2048
-
-[[metadata.zfs.pools.tank.when_creating.config]]
-devices = ["/dev/disk/by-id/scsi-0HC_Volume_32207877"]
-
-[metadata.vm]
-cpu = 2
-ram = 8

nodes/htz-hel/backup-kunsi.py

@@ -32,22 +32,9 @@ nodes['htz-hel.backup-kunsi'] = {
             'encrypted-devices': {
                 '/dev/disk/by-id/scsi-0QEMU_QEMU_HARDDISK_drive-scsi1-part1': bwpass.password('bw/backup-kunsi/encryption-passphrase'),
             },
-            'clients': {
-                'kunsi-t470': {
-                    'user': 'kunsi-t470',
-                    'exclude_from_monitoring': True,
-                    'retain': {
-                        'daily': 30,
-                        'weekly': 6,
-                        'monthly': 12,
-                    },
-                },
-            },
-        },
-        'openssh': {
-            'allowed_users': {
-                'kunsi-t470', # backup user
         },
+        'zfs': {
+            'scrub_when': 'Wed 08:00 Europe/Berlin',
         },
     },
 }

nodes/htz-hel/proxmox-backupstorage.toml

@@ -1,5 +1,6 @@
 hostname = "2a01:4f9:6b:2d99::c0ff:ee"
-dummy = true
+#dummy = true
+bundles = ["sshmon", "smartd"]
 
 # How to install:
 # - Get server at Hetzner (no IPv4)
@@ -17,3 +18,11 @@ dummy = true
 # - IPv6 only
 # - IP from the /64 hetzner gives us
 # - Gateway is the host itself, to work around the MAC filter hetzner uses
+
+[metadata.smartd]
+disks = [
+    "/dev/sda",
+    "/dev/sdb",
+    "/dev/sdc",
+    "/dev/sdd",
+]

nodes/kunsi-p14s.py

@@ -101,7 +101,7 @@ nodes['kunsi-p14s'] = {
                 'apachedirectorystudio': {},
                 'claws-mail': {},
                 'claws-mail-themes': {},
-                'ferdi-bin': {},
+                'ferdium-bin': {},
                 'gumbo-parser': {}, # for claws litehtml
                 'inkstitch': {}, # for RZL embroidery machine
                 'obs-studio': {},

nodes/ns-mephisto.toml

@@ -11,11 +11,11 @@ groups = [
 
 [metadata.interfaces.ens192]
 ips = [
-    "82.165.52.168",
-    "2001:8d8:1801:7d4::1/64",
+    "82.165.52.168/32",
+    "2a01:239:31c:9b00::1/80"
 ]
-gateway4 = "10.255.255.1"
-gateway6 = "fe80::250:56ff:fea8:628f"
+gateway4 = "82.165.52.1"
+gateway6 = "fe80::1"
 
 [metadata.nginx.vhosts.powerdnsadmin]
 domain = "ns-mephisto.kunbox.net"

nodes/rottenraptor-stromdisplay.toml

@@ -0,0 +1,40 @@
+hostname = "192.168.1.252"
+os = "debian"
+os_version = [12,]
+bundles = [
+    "apt",
+    "basic",
+    "kernel-modules",
+    "openssh",
+    "raspberrypi",
+    "sdm630_mqtt",
+    "sudo",
+    "sysctl",
+    "systemd",
+    "systemd-networkd",
+    "users",
+]
+
+[metadata.apt.unattended-upgrades]
+enabled = false
+
+[metadata.icinga_options]
+exclude_from_monitoring = true
+
+[metadata.interfaces.eth0]
+ips = [
+    "192.168.1.252/24",
+]
+dhcp = true
+
+[metadata.raspberrypi]
+enable_display = true
+
+[metadata.sdm630_mqtt]
+enable_stats_collection = false
+enable_local_printout = true
+config.mqtt.host = "192.168.1.253"
+
+[metadata.users.kutscher]
+password = "!decrypt:encrypt$gAAAAABmqQgvrVuPqFJWJSu8Yxd9NV4ppo5STfCPFqUWn0KepLRdFCktEMla0EJPPxZR5HbNnD6K2Vp-c63raeWwahFUT24SUrAoBFeWfToYWaRDi5WeXJU="
+sudo_commands = ["ALL"]

nodes/rottenraptor-stromzaehler.toml

@@ -0,0 +1,46 @@
+hostname = "192.168.1.253"
+os = "debian"
+os_version = [12,]
+bundles = [
+    "apt",
+    "basic",
+    "kernel-modules",
+    "mosquitto",
+    "openssh",
+    "raspberrypi",
+    "sdm630_mqtt",
+    "sudo",
+    "sysctl",
+    "systemd",
+    "systemd-networkd",
+    "telegraf",
+    "users",
+]
+
+[metadata.apt.unattended-upgrades]
+enabled = false
+
+[metadata.icinga_options]
+exclude_from_monitoring = true
+
+[metadata.interfaces.eth0]
+ips = [
+    "192.168.1.253/24",
+]
+dhcp = true
+
+[metadata.sdm630_mqtt]
+enable_local_printout = true
+config.modbus.host = "192.168.1.254"
+config.modbus.port = 4196
+config.telegraf.identifier = 'rottenraptor_truck'
+
+[metadata.sysctl.options]
+'net.ipv6.conf.all.disable_ipv6' = '1'
+
+[metadata.telegraf]
+collect_default_metrics = false
+
+[metadata.users.kutscher]
+password = "!decrypt:encrypt$gAAAAABmqQgvrVuPqFJWJSu8Yxd9NV4ppo5STfCPFqUWn0KepLRdFCktEMla0EJPPxZR5HbNnD6K2Vp-c63raeWwahFUT24SUrAoBFeWfToYWaRDi5WeXJU="
+sudo_commands = ["ALL"]

nodes/sophie/miniserver.py

@@ -54,7 +54,6 @@ nodes['htz-cloud.miniserver'] = {
                     'echo \'core.weechat */layout store\' >> /home/sophie/.weechat/weechat_fifo\n' \
                     'echo \'core.weechat */save\' >> /home/sophie/.weechat/weechat_fifo\n',
             },
-            'target': "htz-hel.backup-sophie",
         },
         'backups': {
             'paths': {
@@ -63,7 +62,7 @@ nodes['htz-cloud.miniserver'] = {
         },
         'element-web': {
             'url': 'chat.sophies-kitchen.eu',
-            'version': 'v1.11.69',
+            'version': 'v1.11.76',
             'config': {
                 'default_server_config': {
                     'm.homeserver': {
@@ -111,13 +110,14 @@ nodes['htz-cloud.miniserver'] = {
             },
         },
         'matrix-media-repo': {
-            'version': 'v1.3.4',
+            'version': 'v1.3.7',
             'datastore_id': '99c09e24edc4e9be6c4c9486bc147e385bc87044',
-            'sha1': '55d353b472894547c61b11567089eb2cf40ce5ba',
+            'sha1': '3e2bb7089b0898b86000243a82cc58ae998dc9d9',
             'homeservers': {
                 'sophies-kitchen.eu': {
                     'domain': 'http://[::1]:20080/',
                     'api': 'synapse',
+                    'signing_key_path': "/etc/matrix-synapse/mmr.signing.key"
                 },
             },
             'admins': {
@@ -143,7 +143,7 @@ nodes['htz-cloud.miniserver'] = {
             },
         },
         'mautrix-telegram': {
-            'version': 'v0.15.1',
+            'version': 'v0.15.2',
             'homeserver': {
                 'domain': 'sophies-kitchen.eu',
                 'url': 'https://matrix.sophies-kitchen.eu',
@@ -205,7 +205,7 @@ nodes['htz-cloud.miniserver'] = {
             },
         },
         'nodejs': {
-            'version': 18,
+            'version': 20,
         },
         'ntfy': {
             'domain': 'ntfy.sophies-kitchen.eu',

nodes/sophie/vmhost.py

@@ -53,7 +53,7 @@ nodes['sophie.vmhost'] = {
             'bridges': {
                 'br0': {
                     'match': {
-                        'eno2',
+                        'eno1',
                     },
                 },
                 'br1': {

nodes/voc/infobeamer-cms.py

@@ -1,12 +1,12 @@
 nodes['voc.infobeamer-cms'] = {
-    'hostname': 'infobeamer-cms.c3voc.de',
+    'hostname': 'infobeamer.c3voc.de',
     'bundles': {
         'infobeamer-cms',
         'infobeamer-monitor',
         'redis',
     },
     'groups': {
-        'debian-bullseye',
+        'debian-bookworm',
         'webserver',
     },
     'metadata': {
@@ -25,8 +25,8 @@ nodes['voc.infobeamer-cms'] = {
         },
         'infobeamer-cms': {
             'domain': 'infobeamer.c3voc.de',
-            'event_start_date': '2024-05-29',
-            'event_duration_days': 5,
+            'event_start_date': '2024-10-03',
+            'event_duration_days': 4,
             'config': {
                 'ADMIN_USERS': [
                     'hexchen',
@@ -39,11 +39,6 @@ nodes['voc.infobeamer-cms'] = {
                 'GITHUB_CLIENT_SECRET': vault.decrypt('encrypt$gAAAAABiNwHtdZC2XQ8IjosL7vsmrxZMwDIM6AD5dUlLo996tJs4qV7KJETHgYYZil2aMzClwhcE6JmxdhARRp7IJQ4rQQibelTNmyYSzj_V4puVpvma7SU0UZkTIG95SdPpoHY--Zba'),
                 'HOSTED_API_KEY': vault.decrypt('encrypt$gAAAAABhxJPH2sIGMAibU2Us1HoCVlNfF0SQQnVl0eiod48Zu8webL_-xk3wDw3yXw1Hkglj-2usl-D3Yd095yTSq0vZMCv2fh-JWwSPdJewQ45x9Ai4vXVD4CNz5vuJBESKS9xQWXTc'),
                 'INTERRUPT_KEY': vault.human_password_for('infobeamer-cms interrupt key'),
-                'MQTT_MESSAGE': '{{"level":"info","component":"infobeamer-cms","msg":"{asset} uploaded by {user}. Check it at {url}"}}',
-                'MQTT_PASSWORD': vault.decrypt('encrypt$gAAAAABhxakfhhwWn0vxhoO1FiMEpdCkomWvo0dHIuBrqDKav8WDpI6dXpb0hoXiWRsPV6p5m-8RlbfFbjPhz47AY-nFOOAAW6Yis3-IVD-U-InKJo9dvms='),
-                'MQTT_SERVER': 'mqtt.c3voc.de',
-                'MQTT_TOPIC': '/voc/alert',
-                'MQTT_USERNAME': vault.decrypt('encrypt$gAAAAABhxakKHC_kHmHP2mFHorb4niuNTH4F24w1D6m5JUxl117N7znlZA6fpMmY3_NcmBr2Ihw4hL3FjZr9Fm_1oUZ1ZQdADA=='),
                 'SETUP_IDS': [
                     250294,
                 ],
@@ -56,17 +51,32 @@ nodes['voc.infobeamer-cms'] = {
 #                    'x2': 110,
 #                    'y2': 1070,
 #                }],
+                'NOTIFIER': {
+                    'MQTT_PASSWORD': vault.decrypt('encrypt$gAAAAABhxakfhhwWn0vxhoO1FiMEpdCkomWvo0dHIuBrqDKav8WDpI6dXpb0hoXiWRsPV6p5m-8RlbfFbjPhz47AY-nFOOAAW6Yis3-IVD-U-InKJo9dvms='),
+                    'MQTT_HOST': 'mqtt.c3voc.de',
+                    'MQTT_TOPIC': '/voc/alert',
+                    'MQTT_USERNAME': vault.decrypt('encrypt$gAAAAABhxakKHC_kHmHP2mFHorb4niuNTH4F24w1D6m5JUxl117N7znlZA6fpMmY3_NcmBr2Ihw4hL3FjZr9Fm_1oUZ1ZQdADA=='),
+                },
+                'FAQ': {
+                    'SOURCE': 'https://github.com/voc/infobeamer-cms',
+                    'CONTACT': '''
+    Please use the <a href="https://webirc.hackint.org/#ircs://irc.hackint.org/#infobeamer">IRC
+    Channel #infobeamer on irc.hackint.org</a> (also
+    <a href="https://www.hackint.org/transport/matrix">bridged to matrix</a>)
+    or #info-beamer on the cccv rocketchat instance.
+                    '''.strip(),
+                },
             },
             'rooms': {
-                'Saal 1': 34430,
-                'Saal G': 26598,
-                'Saal Z': 26610,
-                'Saal E (SoS/Lightning-Talks)': 32814,
-                'Saal F (Sendezentrum/DLF)': 9717,
+#                'Saal 1': 34430,
+#                'Saal G': 26598,
+#                'Saal Z': 26610,
+#                'Saal E (SoS/Lightning-Talks)': 32814,
+#                'Saal F (Sendezentrum/DLF)': 9717,
             },
             'interrupts': {
-                'Questions': 'questions',
-                'Translations': 'translations',
+#                'Questions': 'questions',
+#                'Translations': 'translations',
             },
         },
         'infobeamer-monitor': {

nodes/voc/pretalx.py

@@ -49,7 +49,7 @@ nodes['voc.pretalx'] = {
             },
         },
         'pretalx': {
-            'version': 'v2024.1.0',
+            'version': 'v2024.2.1',
             'domain': 'pretalx.c3voc.de',
             'mail_from': 'pretalx@c3voc.de',
             'administrators-from-group-id': 1,
@@ -64,7 +64,7 @@ nodes['voc.pretalx'] = {
                 },
                 'halfnarp': {
                     'repo': 'https://github.com/seibert-media/pretalx-halfnarp.git',
-                    'rev': '1.1.0',
+                    'rev': '1.1.2',
                 },
                 'media.ccc.de': {
                     'repo': 'https://github.com/pretalx/pretalx-media-ccc-de.git',

scripts/netbox-dump

@@ -1,24 +1,48 @@
 #!/usr/bin/env python3
 
+from argparse import ArgumentParser
 from json import dump
-from os import environ
-from os.path import dirname, join
+from os import environ, makedirs, remove, scandir
+from os.path import abspath, dirname, join
 from sys import exit
 
 import bwpass
 from requests import post
 
-from bundlewrap.utils.text import validate_name
+from bundlewrap.utils.text import bold, red, validate_name
+from bundlewrap.utils.ui import io
 
 TOKEN = environ.get("NETBOX_AUTH_TOKEN")
+if not TOKEN:
+    try:
+        TOKEN = bwpass.attr("netbox.franzi.business/kunsi", "token")
+    except Exception:
+        print("NETBOX_AUTH_TOKEN missing")
+        exit(1)
 
-# editorconfig-checker-disable
-QUERY = """{
-  device_list(tag: "bundlewrap") {
+TARGET_PATH = join(dirname(dirname(abspath(__file__))), "configs", "netbox")
+
+QUERY_SITES = """{
+    site_list {
+        name
+        id
+        vlans {
+            name
+            vid
+        }
+    }
+}"""
+
+QUERY_DEVICES = """{
+    device_list(filters: {tag: "bundlewrap", site_id: "SITE_ID"}) {
         name
-    site {
         id
     }
+}"""
+
+QUERY_DEVICE_DETAILS = """{
+    device(id: DEVICE_ID) {
+        name
         interfaces {
             id
             name
@@ -59,23 +83,10 @@ QUERY = """{
             }
         }
     }
-  site_list {
-    id
-    vlans {
-      name
-      vid
-    }
-  }
 }"""
-# editorconfig-checker-enable
 
-if not TOKEN:
-    try:
-        TOKEN = bwpass.attr("netbox.franzi.business/kunsi", "token")
-    except Exception:
-        print("NETBOX_AUTH_TOKEN is missing")
-        exit(1)
 
+def graphql(query):
     r = post(
         "https://netbox.franzi.business/graphql/",
         headers={
@@ -83,27 +94,68 @@ r = post(
             "Authorization": f"Token {TOKEN}",
         },
         json={
-        "query": QUERY,
+            "query": query,
         },
     )
     r.raise_for_status()
+    return r.json()["data"]
 
-data = r.json()["data"]
 
-site_vlans = {site["id"]: site["vlans"] for site in data["site_list"]}
+def filter_results(results, filter_by):
+    if filter_by is None:
+        return results
 
-for device in data["device_list"]:
+    out = []
+    for result in results:
+        if str(result["id"]) in filter_by or result["name"] in filter_by:
+            out.append(result)
+    return out
+
+
+parser = ArgumentParser()
+parser.add_argument("--only-site", nargs="+", type=str)
+parser.add_argument("--only-device", nargs="+", type=str)
+args = parser.parse_args()
+
+try:
+    io.activate()
+    filenames_used = set()
+
+    with io.job("getting sites"):
+        sites = filter_results(
+            graphql(QUERY_SITES).get("site_list", []), args.only_site
+        )
+
+    io.stdout(f"Processing {len(sites)} sites in total")
+
+    for site in sites:
+        with io.job(f"{bold(site['name'])}  getting devices"):
+            devices = filter_results(
+                graphql(QUERY_DEVICES.replace("SITE_ID", site["id"])).get(
+                    "device_list", []
+                ),
+                args.only_device,
+            )
+        io.stdout(f"Site {bold(site['name'])} has {len(devices)} devices to process")
+
+        for device in devices:
             if not device["name"] or not validate_name(device["name"]):
                 # invalid node name, ignore
                 continue
 
+            with io.job(
+                f"{bold(site['name'])}  {bold(device['name'])}  getting interfaces"
+            ):
+                details = graphql(
+                    QUERY_DEVICE_DETAILS.replace("DEVICE_ID", device["id"])
+                )["device"]
+
                 result = {
                     "interfaces": {},
-        "vlans": site_vlans[device["site"]["id"]],
+                    "vlans": site["vlans"],
                 }
 
-    for interface in device["interfaces"]:
-        description = ""
+                for interface in details["interfaces"]:
                     peers = None
 
                     if interface["connected_endpoints"]:
@@ -135,19 +187,29 @@ for device in data["device_list"]:
                         "enabled": interface["enabled"],
                         "mode": interface["mode"],
                         "type": interface["type"],
-            "ips": sorted({i['address'] for i in interface['ip_addresses']}),
-            "untagged_vlan": interface["untagged_vlan"]["name"]
+                        "ips": sorted(
+                            {i["address"] for i in interface["ip_addresses"]}
+                        ),
+                        "untagged_vlan": (
+                            interface["untagged_vlan"]["name"]
                             if interface["untagged_vlan"]
-            else None,
-            "tagged_vlans": sorted({v["name"] for v in interface["tagged_vlans"]}),
+                            else None
+                        ),
+                        "tagged_vlans": sorted(
+                            {v["name"] for v in interface["tagged_vlans"]}
+                        ),
                     }
 
+            if result["interfaces"]:
+                filename = f"{device['name']}.json"
+                filenames_used.add(filename)
+                file_with_path = join(TARGET_PATH, filename)
+
+                with io.job(
+                    f"{bold(site['name'])}  {bold(device['name'])}  writing to {file_with_path}"
+                ):
                     with open(
-        join(
-            dirname(dirname(__file__)),
-            "configs",
-            "netbox_device_{}.json".format(device["name"]),
-        ),
+                        file_with_path,
                         "w+",
                     ) as f:
                         dump(
@@ -156,3 +218,23 @@ for device in data["device_list"]:
                             indent=4,
                             sort_keys=True,
                         )
+            else:
+                io.stdout(
+                    f"device {bold(device['name'])} has no interfaces, {red('not')} dumping!"
+                )
+
+    if not args.only_site and not args.only_device and filenames_used:
+        with io.job(f"cleaning leftover files from {TARGET_PATH}"):
+            for direntry in scandir(TARGET_PATH):
+                filename = direntry.name
+                if filename.startswith("."):
+                    continue
+                if not direntry.is_file():
+                    io.stderr(
+                        f"found non-file {filename} in {TARGET_PATH}, please check what's going on!"
+                    )
+                    continue
+                if filename not in filenames_used:
+                    remove(join(TARGET_PATH, filename))
+finally:
+    io.deactivate()