rottenraptor-server: add docker-goauthentik

bundles/docker-engine: support different user, arbitrary mapped volumes, custom command
update mautrix-whatsapp to 0.11.3
2025-02-16 18:36:35 +01:00 · 2025-02-16 18:35:54 +01:00 · 2025-02-16 17:31:35 +01:00 · 2025-02-16 16:14:56 +01:00 · 2025-02-16 16:09:51 +01:00 · 2025-02-16 15:27:18 +01:00
166 changed files with 2038 additions and 2912 deletions
--- a/.envrc
+++ b/.envrc
@ -0,0 +1,3 @@
+layout python3
+
+source_env_if_exists .envrc.local
--- a/.gitignore
+++ b/.gitignore
@ -1,3 +1,5 @@
 .secrets.cfg*
 __pycache__
 *.swp
+.direnv
+.envrc.local
--- a/bundles/arch-with-gui/files/50-network.conf
+++ b/bundles/arch-with-gui/files/50-network.conf
@ -1,5 +0,0 @@
-context.exec = [
-    { path = "pactl" args = "load-module module-native-protocol-tcp" }
-    { path = "pactl" args = "load-module module-zeroconf-discover" }
-    { path = "pactl" args = "load-module module-zeroconf-publish" }
-]
--- a/bundles/arch-with-gui/files/autologin.conf
+++ b/bundles/arch-with-gui/files/autologin.conf
@ -1,3 +0,0 @@
-[Autologin]
-User=${user}
-Session=i3.desktop
--- a/bundles/arch-with-gui/items.py
+++ b/bundles/arch-with-gui/items.py
@ -1,110 +0,0 @@
-from os import listdir
-from os.path import join
-
-actions = {
-    'fc-cache_flush': {
-        'command': 'fc-cache -f',
-        'triggered': True,
-        'needs': {
-            'pkg_pacman:fontconfig',
-        },
-    },
-    'i3pystatus_create_virtualenv': {
-        'command': '/usr/bin/python3 -m virtualenv -p python3 /opt/i3pystatus/venv/',
-        'unless': 'test -d /opt/i3pystatus/venv/',
-        'needs': {
-            'directory:/opt/i3pystatus/src',
-            'pkg_pacman:python-virtualenv',
-        },
-    },
-    'i3pystatus_install': {
-        'command': ' && '.join([
-            'cd /opt/i3pystatus/src',
-            '/opt/i3pystatus/venv/bin/pip install --upgrade pip colour netifaces basiciw pytz',
-            '/opt/i3pystatus/venv/bin/pip install --upgrade -e .',
-        ]),
-        'needs': {
-            'action:i3pystatus_create_virtualenv',
-        },
-        'triggered': True,
-    },
-}
-
-directories = {
-    '/etc/sddm.conf.d': {
-        'purge': True,
-    },
-    '/opt/i3pystatus/src': {},
-    '/usr/share/fonts/bundlewrap': {
-        'purge': True,
-        'triggers': {
-            'action:fc-cache_flush',
-        },
-    },
-}
-
-svc_systemd = {
-    'avahi-daemon': {
-        'needs': {
-            'pkg_pacman:avahi',
-        },
-    },
-    'sddm': {
-        'needs': {
-            'pkg_pacman:sddm',
-        },
-    },
-}
-
-git_deploy = {
-    '/opt/i3pystatus/src': {
-        'repo': 'https://github.com/enkore/i3pystatus.git',
-        'rev': 'current',
-        'triggers': {
-            'action:i3pystatus_install',
-        },
-    },
-}
-
-files['/etc/pipewire/pipewire-pulse.conf.d/50-network.conf'] = {}
-
-for filename in listdir(join(repo.path, 'data', 'arch-with-gui', 'files', 'fonts')):
-    if filename.startswith('.'):
-        continue
-
-    if filename.endswith('.vault'):
-        # XXX remove this once we have a new bundlewrap release
-        # https://github.com/bundlewrap/bundlewrap/commit/2429b153dd1ca6781cf3812e2dec9c2b646a546b
-        from os import environ
-        if environ.get('BW_VAULT_DUMMY_MODE', '0') == '1':
-            continue
-
-        font_name = filename[:-6]
-        attrs = {
-            'content': repo.vault.decrypt_file_as_base64(join('arch-with-gui', 'files', 'fonts', filename)),
-            'content_type': 'base64',
-        }
-    else:
-        font_name = filename
-        attrs = {
-            'source': join('fonts', filename),
-            'content_type': 'binary',
-        }
-
-    files[f'/usr/share/fonts/bundlewrap/{font_name}'] = {
-        'triggers': {
-            'action:fc-cache_flush',
-        },
-        **attrs,
-    }
-
-if node.metadata.get('arch-with-gui/autologin_as', None):
-    files['/etc/sddm.conf.d/autologin.conf'] = {
-        'context': {
-            'user': node.metadata.get('arch-with-gui/autologin_as'),
-        },
-        'content_type': 'mako',
-        'before': {
-            'svc_systemd:sddm',
-        },
-    }
--- a/bundles/arch-with-gui/metadata.py
+++ b/bundles/arch-with-gui/metadata.py
@ -1,124 +0,0 @@
-assert node.os == 'arch'
-
-defaults = {
-    'backups': {
-        'paths': {
-            '/etc/netctl',
-        },
-    },
-    'icinga_options': {
-        'exclude_from_monitoring': True,
-    },
-    'nftables': {
-        'input': {
-            '50-avahi': {
-                'udp dport 5353 accept',
-                'udp sport 5353 accept',
-            },
-        },
-    },
-    'pacman': {
-        'packages': {
-            # fonts
-            'fontconfig': {},
-            'ttf-dejavu': {
-                'needed_by': {
-                    'pkg_pacman:sddm',
-                },
-            },
-
-            # login management
-            'sddm': {},
-
-            # networking
-            'avahi': {},
-            'netctl': {},
-            'util-linux': {}, # provides rfkill
-            'wpa_supplicant': {},
-            'wpa_actiond': {},
-
-            # shell and other gui stuff
-            'dunst': {},
-            'fish': {},
-            'kitty': {},
-            'libnotify': {}, # provides notify-send
-            'light': {},
-            'redshift': {},
-            'rofi': {},
-
-            # sound
-            'calf': {},
-            'easyeffects': {},
-            'lsp-plugins': {},
-            'pavucontrol': {},
-            'pipewire': {},
-            'pipewire-jack': {},
-            'pipewire-pulse': {},
-            'pipewire-zeroconf': {},
-            'qpwgraph': {},
-
-            # window management
-            'i3-wm': {},
-            'i3lock': {},
-            'xss-lock': {},
-
-            # i3pystatus dependencies
-            'iw': {},
-            'wireless_tools': {},
-
-            # Xorg
-            'xf86-input-libinput': {},
-            'xf86-input-wacom': {},
-            'xorg-server': {},
-            'xorg-setxkbmap': {},
-            'xorg-xev': {},
-            'xorg-xinput': {},
-            'xorg-xset': {},
-
-            # all them apps
-            'browserpass': {},
-            'browserpass-firefox': {},
-            'ffmpeg': {},
-            'firefox': {},
-            'gimp': {},
-            'imagemagick': {},
-            'inkscape': {},
-            'kdenlive': {},
-            'maim': {},
-            'mosh': {},
-            'mosquitto': {},
-            'mpv': {},
-            'pass': {},
-            'pass-otp': {},
-            'pdftk': {},
-            'pwgen': {},
-            'qpdfview': {},
-            'samba': {},
-            'shotcut': {},
-            'sipcalc': {},
-            'the_silver_searcher': {},
-            'tlp': {},
-            'virt-manager': {},
-            'xclip': {},
-            'xdotool': {}, # needed for maim window selection
-        },
-    },
-}
-
-@metadata_reactor.provides(
-    'backups/paths',
-)
-def backup_every_user_home(metadata):
-    paths = set()
-
-    for user, config in metadata.get('users', {}).items():
-        if config.get('delete', False):
-            continue
-
-        paths.add(config.get('home', f'/home/{user}'))
-
-    return {
-        'backups': {
-            'paths': paths,
-        },
-    }
--- a/bundles/avahi-daemon/files/avahi-daemon.conf
+++ b/bundles/avahi-daemon/files/avahi-daemon.conf
@ -0,0 +1,22 @@
+[server]
+host-name=${node.name.split('.')[-1]}
+use-ipv4=yes
+use-ipv6=${'yes' if node.metadata.get('avahi-daemon/use-ipv6') else 'no'}
+allow-interfaces=${','.join(sorted(node.metadata.get('interfaces', {}).keys()))}
+ratelimit-interval-usec=1000000
+ratelimit-burst=1000
+
+[wide-area]
+enable-wide-area=yes
+
+[publish]
+disable-publishing=no
+disable-user-service-publishing=no
+publish-hinfo=yes
+publish-workstation=no
+publish-aaaa-on-ipv4=no
+publish-a-on-ipv6=no
+
+[reflector]
+
+[rlimits]
--- a/bundles/avahi-daemon/items.py
+++ b/bundles/avahi-daemon/items.py
@ -0,0 +1,18 @@
+directories['/etc/avahi/services'] = {
+    'purge': True,
+}
+
+files['/etc/avahi/avahi-daemon.conf'] = {
+    'content_type': 'mako',
+    'triggers': {
+        'svc_systemd:avahi-daemon:restart',
+    },
+}
+
+svc_systemd['avahi-daemon'] = {
+    'needs': {
+        'file:/etc/avahi/avahi-daemon.conf',
+        'pkg_apt:avahi-daemon',
+        'pkg_apt:libnss-mdns',
+    },
+}
--- a/bundles/avahi-daemon/metadata.py
+++ b/bundles/avahi-daemon/metadata.py
@ -0,0 +1,11 @@
+defaults = {
+    'apt': {
+        'packages': {
+            'avahi-daemon': {},
+            'libnss-mdns': {},
+        },
+    },
+    'avahi-daemon': {
+        'use-ipv6': True,
+    }
+}
--- a/bundles/backup-server/files/check_backup_for_node
+++ b/bundles/backup-server/files/check_backup_for_node
@ -2,7 +2,6 @@

 from datetime import datetime
 from json import load
-from subprocess import check_output
 from sys import argv, exit
 from time import time

@ -18,29 +17,17 @@ try:
    with open(f'/etc/backup-server/config.json', 'r') as f:
        server_settings = load(f)

-    # get all existing snapshots for NODE
-    for line in check_output('LC_ALL=C zfs list -H -t snapshot -o name', shell=True).splitlines():
-        line = line.decode('UTF-8')
+    with open(f'/etc/backup-server/backups.json', 'r') as f:
+        backups = load(f)

-        if line.startswith('{}/{}@'.format(server_settings['zfs-base'], NODE)):
-            _, snapname = line.split('@', 1)
-
-            if 'zfs-auto-snap' in snapname:
-                # migration from auto-snapshots, ignore
-                continue
-
-            ts, bucket = snapname.split('-', 1)
-            snaps.add(int(ts))
-
-    if not snaps:
+    if NODE not in backups:
        print('No backups found!')
        exit(2)

-    last_snap = sorted(snaps)[-1]
-    delta = NOW - last_snap
+    delta = NOW - backups[NODE]

    print('Last backup was on {} UTC'.format(
-        datetime.fromtimestamp(last_snap).strftime('%Y-%m-%d %H:%M:%S'),
+        datetime.fromtimestamp(backups[NODE]).strftime('%Y-%m-%d %H:%M:%S'),
    ))

    # One day without backups is still okay. There may be fluctuations
--- a/bundles/backup-server/files/check_backup_for_node-cron
+++ b/bundles/backup-server/files/check_backup_for_node-cron
@ -0,0 +1,39 @@
+#!/usr/bin/env python3
+
+from json import load, dump
+from subprocess import check_output
+from shutil import move
+from os import remove
+from collections import defaultdict
+
+with open('/etc/backup-server/config.json', 'r') as f:
+    server_settings = load(f)
+
+snapshots = defaultdict(set)
+
+for line in check_output('LC_ALL=C zfs list -H -t snapshot -o name', shell=True).splitlines():
+    line = line.decode('UTF-8')
+
+    if line.startswith('{}/'.format(server_settings['zfs-base'])):
+        dataset, snapname = line.split('@', 1)
+
+        dataset = dataset.split('/')[-1]
+        ts, bucket = snapname.split('-', 1)
+
+        if not ts.isdigit():
+            # garbage, ignore
+            continue
+
+        snapshots[dataset].add(int(ts))
+
+backups = {}
+for dataset, snaps in snapshots.items():
+    backups[dataset] = sorted(snaps)[-1]
+
+with open('/etc/backup-server/backups.tmp.json', 'w') as f:
+    dump(backups, f)
+
+move(
+    '/etc/backup-server/backups.tmp.json',
+    '/etc/backup-server/backups.json',
+)
--- a/bundles/backup-server/files/rotate-single-backup-client
+++ b/bundles/backup-server/files/rotate-single-backup-client
@ -33,12 +33,11 @@ for line in check_output('LC_ALL=C zfs list -H -t snapshot -o name', shell=True)

    if line.startswith('{}/{}@'.format(server_settings['zfs-base'], NODE)):
        _, snapname = line.split('@', 1)
+        ts, bucket = snapname.split('-', 1)

-        if 'zfs-auto-snap' in snapname:
-            # migration from auto-snapshots, ignore
+        if not ts.isdigit():
            continue

-        ts, bucket = snapname.split('-', 1)
        buckets.setdefault(bucket, set()).add(int(ts))
        syslog(f'classified {line} as {bucket} from {ts}')

--- a/bundles/backup-server/items.py
+++ b/bundles/backup-server/items.py
@ -18,6 +18,9 @@ files = {
    '/usr/local/share/icinga/plugins/check_backup_for_node': {
        'mode': '0755',
    },
+    '/usr/local/share/icinga/plugins/check_backup_for_node-cron': {
+        'mode': '0755',
+    },
 }

 directories['/etc/backup-server/clients'] = {
--- a/bundles/backup-server/metadata.py
+++ b/bundles/backup-server/metadata.py
@ -1,3 +1,5 @@
+from bundlewrap.exceptions import BundleError
+
 defaults = {
    'backup-server': {
        'my_ssh_port': 22,
@ -8,6 +10,14 @@ defaults = {
            'c-*',
        },
    },
+    'systemd-timers': {
+        'timers': {
+            'check_backup_for_node-cron': {
+                'command': '/usr/local/share/icinga/plugins/check_backup_for_node-cron',
+                'when': '*-*-* *:00/5:00', # every five minutes
+            }
+        },
+    },
    'zfs': {
        # The whole point of doing backups is to keep them for a long
        # time, which eliminates the need for this check.
@ -69,10 +79,15 @@ def zfs_pool(metadata):
        return {}

    crypt_devices = {}
-    pool_devices = set()
    unlock_actions = set()

-    for number, (device, passphrase) in enumerate(sorted(metadata.get('backup-server/encrypted-devices', {}).items())):
+    devices = metadata.get('backup-server/encrypted-devices')
+
+    # TODO remove this once we have migrated all systems
+    if isinstance(devices, dict):
+        pool_devices = set()
+
+        for number, (device, passphrase) in enumerate(sorted(devices.items())):
            crypt_devices[device] = {
                'dm-name': f'backup{number}',
                'passphrase': passphrase,
@ -80,14 +95,35 @@ def zfs_pool(metadata):
            pool_devices.add(f'/dev/mapper/backup{number}')
            unlock_actions.add(f'action:dm-crypt_open_backup{number}')

-    pool_opts = {
+        pool_config = [{
            'devices': pool_devices,
-    }
+        }]

        if len(pool_devices) > 2:
-        pool_opts['type'] = 'raidz'
+            pool_config[0]['type'] = 'raidz'
        elif len(pool_devices) > 1:
-        pool_opts['type'] = 'mirror'
+            pool_config[0]['type'] = 'mirror'
+
+    elif isinstance(devices, list):
+        pool_config = []
+
+        for idx, intended_pool in enumerate(devices):
+            pool_devices = set()
+
+            for number, (device, passphrase) in enumerate(sorted(intended_pool.items())):
+                crypt_devices[device] = {
+                    'dm-name': f'backup{idx}-{number}',
+                    'passphrase': passphrase,
+                }
+                pool_devices.add(f'/dev/mapper/backup{idx}-{number}')
+                unlock_actions.add(f'action:dm-crypt_open_backup{idx}-{number}')
+
+            pool_config.append({
+                'devices': pool_devices,
+                'type': 'raidz',
+            })
+    else:
+        raise BundleError(f'{node.name}: unsupported configuration for backup-server/encrypted-devices')

    return {
        'backup-server': {
@ -100,9 +136,8 @@ def zfs_pool(metadata):
            'pools': {
                'backups': {
                    'when_creating': {
-                        'config': [
-                            pool_opts,
-                        ],
+                        'config': pool_config,
+                        **metadata.get('backup-server/zpool_create_options', {}),
                    },
                    'needs': unlock_actions,
                    # That's a bit hacky. We do it this way to auto-import
@ -156,11 +191,11 @@ def monitoring(metadata):
            continue

        services[f'BACKUPS FOR NODE {client}'] = {
-            'command_on_monitored_host': 'sudo /usr/local/share/icinga/plugins/check_backup_for_node {} {}'.format(
+            'command_on_monitored_host': '/usr/local/share/icinga/plugins/check_backup_for_node {} {}'.format(
                client,
                config['one_backup_every_hours'],
            ),
-            'vars.sshmon_timeout': 20,
+            'vars.sshmon_timeout': 40,
        }

    return {
--- a/bundles/basic/items.py
+++ b/bundles/basic/items.py
@ -24,7 +24,6 @@ files = {
        'before': {
            'action:',
            'pkg_apt:',
-            'pkg_pacman:',
        },
    },
 }
--- a/bundles/bird/items.py
+++ b/bundles/bird/items.py
@ -1,10 +1,5 @@
-if node.os == 'arch':
-    filename = '/etc/bird.conf'
-else:
-    filename = '/etc/bird/bird.conf'
-
 files = {
-    filename: {
+    '/etc/bird/bird.conf': {
        'content_type': 'mako',
        'triggers': {
            'svc_systemd:bird:reload',
@ -15,7 +10,7 @@ files = {
 svc_systemd = {
    'bird': {
        'needs': {
-            f'file:{filename}',
+            f'file:/etc/bird/bird.conf',
        },
    },
 }
--- a/bundles/bird/metadata.py
+++ b/bundles/bird/metadata.py
@ -13,15 +13,6 @@ defaults = {
            },
        },
    },
-    'pacman': {
-        'packages': {
-            'bird': {
-                'needed_by': {
-                    'svc_systemd:bird',
-                },
-            },
-        },
-    },
    'sysctl': {
        'options': {
            'net.ipv4.conf.all.forwarding': '1',
--- a/bundles/cron/items.py
+++ b/bundles/cron/items.py
@ -1,10 +1,3 @@
-if node.os == 'arch':
-    service_name = 'cronie'
-    package_name = 'pkg_pacman:cronie'
-else:
-    service_name = 'cron'
-    package_name = 'pkg_apt:cron'
-
 files = {
    '/etc/crontab': {
        'content_type': 'mako',
@ -24,9 +17,9 @@ directories = {
 }

 svc_systemd = {
-    service_name: {
+    'cron': {
        'needs': {
-            package_name,
+            'pkg_apt:cron',
        },
    },
 }
--- a/bundles/cron/metadata.py
+++ b/bundles/cron/metadata.py
@ -4,9 +4,4 @@ defaults = {
            'cron': {},
        },
    },
-    'pacman': {
-        'packages': {
-            'cronie': {},
-        },
-    },
 }
--- a/bundles/docker-engine/files/check_docker_container
+++ b/bundles/docker-engine/files/check_docker_container
@ -0,0 +1,45 @@
+#!/usr/bin/env python3
+
+from json import loads
+from subprocess import check_output
+from sys import argv
+
+try:
+    container_name = argv[1]
+
+    docker_ps = check_output([
+        'docker',
+        'container',
+        'ls',
+        '--all',
+        '--format',
+        'json',
+        '--filter',
+        f'name={container_name}'
+    ])
+
+    docker_json = loads(f"[{','.join([l for l in docker_ps.decode().splitlines() if l])}]")
+
+    containers = [
+        container
+        for container in docker_json
+        if container['Names'] == container_name
+    ]
+
+    if not containers:
+        print(f'CRITICAL: container {container_name} not found!')
+        exit(2)
+
+    if len(containers) > 1:
+        print(f'Found more than one container matching {container_name}!')
+        print(docker_ps)
+        exit(3)
+
+    if containers[0]['State'] != 'running':
+        print(f'WARNING: container {container_name} not "running"')
+        exit(2)
+
+    print(f"OK: {containers[0]['Status']}")
+except Exception as e:
+    print(repr(e))
+    exit(2)
--- a/bundles/docker-engine/files/docker-wrapper
+++ b/bundles/docker-engine/files/docker-wrapper
@ -0,0 +1,60 @@
+#!/bin/bash
+
+[[ -n "$DEBUG" ]] && set -x
+
+ACTION="$1"
+
+set -euo pipefail
+
+if [[ -z "$ACTION" ]]
+then
+    echo "Usage: $0 start|stop"
+    exit 1
+fi
+
+PUID="$(id -u "${user}")"
+PGID="$(id -g "${user}")"
+
+if [ "$ACTION" == "start" ]
+then
+   docker rm "${name}" || true
+
+    docker run -d \
+        --name "${name}" \
+        --env "PUID=$PUID" \
+        --env "PGID=$PGID" \
+        --env "TZ=${timezone}" \
+% for k, v in sorted(environment.items()):
+        --env "${k}=${v}" \
+% endfor
+        --network aaarghhh \
+% for host_port, container_port in sorted(ports.items()):
+        --publish "127.0.0.1:${host_port}:${container_port}" \
+% endfor
+% for host_path, container_path in sorted(volumes.items()):
+%  if host_path.startswith('/'):
+        --volume "${host_path}:${container_path}" \
+%  else:
+        --volume "/var/opt/docker-engine/${name}/${host_path}:${container_path}" \
+%  endif
+% endfor
+        --restart unless-stopped \
+% if command:
+        "${image}" \
+        "${command}"
+% else:
+        "${image}"
+% endif
+
+elif [ "$ACTION" == "stop" ]
+then
+    docker stop "${name}"
+
+else
+    echo "Unknown action $ACTION"
+    exit 1
+fi
+
+% if node.has_bundle('nftables'):
+systemctl reload nftables
+% endif
--- a/bundles/docker-engine/files/docker-wrapper.service
+++ b/bundles/docker-engine/files/docker-wrapper.service
@ -0,0 +1,14 @@
+[Unit]
+Description=docker-engine app ${name}
+After=network.target
+Requires=${' '.join(sorted(requires))}
+
+[Service]
+WorkingDirectory=/var/opt/docker-engine/${name}/
+ExecStart=/opt/docker-engine/${name} start
+ExecStop=/opt/docker-engine/${name} stop
+Type=simple
+RemainAfterExit=true
+
+[Install]
+WantedBy=multi-user.target
--- a/bundles/docker-engine/items.py
+++ b/bundles/docker-engine/items.py
@ -0,0 +1,121 @@
+from bundlewrap.metadata import metadata_to_json
+
+deps = {
+    'pkg_apt:docker-ce',
+    'pkg_apt:docker-ce-cli',
+}
+
+directories['/opt/docker-engine'] = {
+    'purge': True,
+}
+directories['/var/opt/docker-engine'] = {}
+
+files['/etc/docker/daemon.json'] = {
+    'content': metadata_to_json(node.metadata.get('docker-engine/config')),
+    'triggers': {
+        'svc_systemd:docker:restart',
+    },
+    # install config before installing packages to ensure the config is
+    # applied to the first start as well
+    'before': deps,
+}
+
+svc_systemd['docker'] = {
+    'needs': deps,
+}
+
+files['/usr/local/share/icinga/plugins/check_docker_container'] = {
+    'mode': '0755',
+}
+
+actions['docker_create_nondefault_network'] = {
+    # <https://docs.docker.com/engine/network/#dns-services>
+    # By default, containers inherit the DNS settings as defined in the
+    # /etc/resolv.conf configuration file. Containers that attach to the
+    # default bridge network receive a copy of this file. Containers that
+    # attach to a custom network use Docker's embedded DNS server. The embedded
+    # DNS server forwards external DNS lookups to the DNS servers configured on
+    # the host.
+    'command': 'docker network create aaarghhh',
+    'unless': 'docker network ls | grep -q -F aaarghhh',
+    'needs': {
+        'svc_systemd:docker',
+    },
+}
+
+for app, config in node.metadata.get('docker-engine/containers', {}).items():
+    volumes = config.get('volumes', {})
+    user = config.get('user', f'docker-{app}')
+
+    files[f'/opt/docker-engine/{app}'] = {
+        'source': 'docker-wrapper',
+        'content_type': 'mako',
+        'context': {
+            'command': config.get('command'),
+            'environment': config.get('environment', {}),
+            'image': config['image'],
+            'name': app,
+            'ports': config.get('ports', {}),
+            'timezone': node.metadata.get('timezone'),
+            'user': user,
+            'volumes': volumes,
+        },
+        'mode': '0755',
+        'triggers': {
+            f'svc_systemd:docker-{app}:restart',
+        },
+    }
+
+    users[user] = {
+        'groups': {
+            'docker',
+        },
+        'after': {
+            'action:docker_create_nondefault_network',
+            'svc_systemd:docker',
+        },
+    }
+    if user == f'docker-{app}':
+        users[user]['home'] = f'/var/opt/docker-engine/{app}'
+
+    files[f'/usr/local/lib/systemd/system/docker-{app}.service'] = {
+        'source': 'docker-wrapper.service',
+        'content_type': 'mako',
+        'context': {
+            'name': app,
+            'requires': {
+                *set(config.get('requires', set())),
+                'docker.service',
+            }
+        },
+        'triggers': {
+            'action:systemd-reload',
+            f'svc_systemd:docker-{app}:restart',
+        },
+    }
+
+    svc_systemd[f'docker-{app}'] = {
+        'needs': {
+            *deps,
+            f'file:/opt/docker-engine/{app}',
+            f'file:/usr/local/lib/systemd/system/docker-{app}.service',
+            f'user:{user}',
+            'svc_systemd:docker',
+            *set(config.get('needs', set())),
+        },
+    }
+
+    for volume in volumes:
+        if not volume.startswith('/'):
+            volume = f'/var/opt/docker-engine/{app}/{volume}'
+
+        directories[volume] = {
+            'owner': user,
+            'group': user,
+            'needed_by': {
+                f'svc_systemd:docker-{app}',
+            },
+            # don't do anything if the directory exists, docker images
+            # mangle owners
+            'unless': f'test -d {volume}',
+        }
--- a/bundles/docker-engine/metadata.py
+++ b/bundles/docker-engine/metadata.py
@ -0,0 +1,89 @@
+defaults = {
+    'apt': {
+        'packages': {
+            'docker-ce': {},
+            'docker-ce-cli': {},
+            'docker-compose-plugin': {},
+        },
+        'repos': {
+            'docker': {
+                'items': {
+                    'deb https://download.docker.com/linux/debian {os_release} stable',
+                },
+            },
+        },
+    },
+    'backups': {
+        'paths': {
+            '/var/opt/docker-engine',
+        },
+    },
+    'nftables': {
+        'forward': {
+            'docker-engine': [
+                'ct state { related, established } accept',
+                'ip saddr 172.16.0.0/12 accept',
+            ],
+        },
+        'postrouting': {
+            'docker-engine': [
+                'ip saddr 172.16.0.0/12 masquerade',
+            ],
+        },
+    },
+    'docker-engine': {
+        'config': {
+            'iptables': False,
+            'no-new-privileges': True,
+        },
+    },
+    'zfs': {
+        'datasets': {
+            'tank/docker-data': {
+                'mountpoint': '/var/opt/docker-engine',
+            },
+        },
+    },
+}
+
+
+@metadata_reactor.provides(
+    'icinga2_api/docker-engine/services',
+)
+def monitoring(metadata):
+    services = {
+        'DOCKER PROCESS': {
+            'command_on_monitored_host': '/usr/lib/nagios/plugins/check_procs -C dockerd -c 1:',
+        },
+    }
+
+    for app in metadata.get('docker-engine/containers', {}):
+        services[f'DOCKER CONTAINER {app}'] = {
+            'command_on_monitored_host': f'sudo /usr/local/share/icinga/plugins/check_docker_container {app}'
+        }
+
+    return {
+        'icinga2_api': {
+            'docker-engine': {
+                'services': services,
+            },
+        },
+    }
+
+
+@metadata_reactor.provides(
+    'zfs/datasets',
+)
+def zfs(metadata):
+    datasets = {}
+
+    for app in metadata.get('docker-engine/containers', {}):
+        datasets[f'tank/docker-data/{app}'] = {
+            'mountpoint': f'/var/opt/docker-engine/{app}'
+        }
+
+    return {
+        'zfs': {
+            'datasets': datasets,
+        },
+    }
--- a/bundles/docker-goauthentik/metadata.py
+++ b/bundles/docker-goauthentik/metadata.py
@ -0,0 +1,89 @@
+assert node.has_bundle('docker-engine')
+
+defaults = {
+    'docker-engine': {
+        'containers': {
+            'goauthentik-server': {
+                'image': 'ghcr.io/goauthentik/server:latest',
+                'command': 'server',
+                'environment': {
+                    'AUTHENTIK_POSTGRESQL__HOST': 'goauthentik-postgresql',
+                    'AUTHENTIK_POSTGRESQL__NAME': 'goauthentik',
+                    'AUTHENTIK_POSTGRESQL__PASSWORD': repo.vault.password_for(f'{node.name} postgresql goauthentik'),
+                    'AUTHENTIK_POSTGRESQL__USER': 'goauthentik',
+                    'AUTHENTIK_REDIS__HOST': 'goauthentik-redis',
+                    'AUTHENTIK_SECRET_KEY': repo.vault.password_for(f'{node.name} goauthentik secret key'),
+                },
+                'volumes': {
+                    'media': '/media',
+                    'templates': '/templates',
+                },
+                'ports': {
+                    '9000': '9000',
+                    '9443': '9443',
+                },
+                'needs': {
+                    'svc_systemd:docker-goauthentik-postgresql',
+                    'svc_systemd:docker-goauthentik-redis',
+                },
+                'requires': {
+                    'docker-goauthentik-postgresql.service',
+                    'docker-goauthentik-redis.service',
+                },
+            },
+            'goauthentik-worker': {
+                'image': 'ghcr.io/goauthentik/server:latest',
+                'command': 'worker',
+                'user': 'docker-goauthentik-server',
+                'environment': {
+                    'AUTHENTIK_POSTGRESQL__HOST': 'goauthentik-postgresql',
+                    'AUTHENTIK_POSTGRESQL__NAME': 'goauthentik',
+                    'AUTHENTIK_POSTGRESQL__PASSWORD': repo.vault.password_for(f'{node.name} postgresql goauthentik'),
+                    'AUTHENTIK_POSTGRESQL__USER': 'goauthentik',
+                    'AUTHENTIK_REDIS__HOST': 'goauthentik-redis',
+                    'AUTHENTIK_SECRET_KEY': repo.vault.password_for(f'{node.name} goauthentik secret key'),
+                },
+                'volumes': {
+                    '/var/opt/docker-engine/goauthentik-server/media': '/media',
+                    '/var/opt/docker-engine/goauthentik-server/certs': '/certs',
+                    '/var/opt/docker-engine/doauthentik-server/templates': '/templates',
+                },
+                'needs': {
+                    'svc_systemd:docker-goauthentik-postgresql',
+                    'svc_systemd:docker-goauthentik-redis',
+                },
+                'requires': {
+                    'docker-goauthentik-postgresql.service',
+                    'docker-goauthentik-redis.service',
+                },
+            },
+            'goauthentik-postgresql': {
+                'image': 'docker.io/library/postgres:16-alpine',
+                'environment': {
+                    'POSTGRES_PASSWORD': repo.vault.password_for(f'{node.name} postgresql goauthentik'),
+                    'POSTGRES_USER': 'goauthentik',
+                    'POSTGRES_DB': 'goauthentik',
+                },
+                'volumes': {
+                    'database': '/var/lib/postgresql/data',
+                },
+            },
+            'goauthentik-redis': {
+                'image': 'docker.io/library/redis:alpine',
+            },
+        },
+    },
+    'nginx': {
+        'vhosts': {
+            'goauthentik': {
+                'locations': {
+                    '/': {
+                        'target': 'http://127.0.0.1:9000/',
+                        'websockets': True,
+                        'max_body_size': '5000m',
+                    },
+                },
+            },
+        },
+    },
+}
--- a/bundles/docker-immich/metadata.py
+++ b/bundles/docker-immich/metadata.py
@ -0,0 +1,61 @@
+assert node.has_bundle('docker-engine')
+
+defaults = {
+    'docker-engine': {
+        'containers': {
+            'immich': {
+                'image': 'ghcr.io/imagegenius/immich:latest',
+                'environment': {
+                    'DB_DATABASE_NAME': 'immich',
+                    'DB_HOSTNAME': 'immich-postgresql',
+                    'DB_PASSWORD': repo.vault.password_for(f'{node.name} postgresql immich'),
+                    'DB_USERNAME': 'immich',
+                    'REDIS_HOSTNAME': 'immich-redis',
+                },
+                'volumes': {
+                    'config': '/config',
+                    'libraries': '/libraries',
+                    'photos': '/photos',
+                },
+                'ports': {
+                    '8080': '8080',
+                },
+                'needs': {
+                    'svc_systemd:docker-immich-postgresql',
+                    'svc_systemd:docker-immich-redis',
+                },
+                'requires': {
+                    'docker-immich-postgresql.service',
+                    'docker-immich-redis.service',
+                },
+            },
+            'immich-postgresql': {
+                'image': 'tensorchord/pgvecto-rs:pg14-v0.2.0',
+                'environment': {
+                    'POSTGRES_PASSWORD': repo.vault.password_for(f'{node.name} postgresql immich'),
+                    'POSTGRES_USER': 'immich',
+                    'POSTGRES_DB': 'immich',
+                },
+                'volumes': {
+                    'database': '/var/lib/postgresql/data',
+                },
+            },
+            'immich-redis': {
+                'image': 'docker.io/redis:6.2-alpine',
+            },
+        },
+    },
+    'nginx': {
+        'vhosts': {
+            'immich': {
+                'locations': {
+                    '/': {
+                        'target': 'http://127.0.0.1:8080/',
+                        'websockets': True,
+                        'max_body_size': '5000m',
+                    },
+                },
+            },
+        },
+    },
+}
--- a/bundles/dovecot/files/dovecot.conf
+++ b/bundles/dovecot/files/dovecot.conf
@ -29,8 +29,8 @@ mail_location = maildir:/var/mail/vmail/%d/%n
 protocols = imap lmtp sieve

 ssl = required
-ssl_cert = </var/lib/dehydrated/certs/${node.metadata.get('postfix/myhostname', node.metadata['hostname'])}/fullchain.pem
-ssl_key =  </var/lib/dehydrated/certs/${node.metadata.get('postfix/myhostname', node.metadata['hostname'])}/privkey.pem
+ssl_cert = </var/lib/dehydrated/certs/${node.metadata.get('postfix/myhostname')}/fullchain.pem
+ssl_key =  </var/lib/dehydrated/certs/${node.metadata.get('postfix/myhostname')}/privkey.pem
 ssl_dh = </etc/ssl/certs/dhparam.pem
 ssl_min_protocol = TLSv1.2
 ssl_cipher_list = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305
--- a/bundles/element-web/metadata.py
+++ b/bundles/element-web/metadata.py
@ -20,7 +20,7 @@ def nodejs(metadata):
    if version >= (1, 11, 71):
        return {
            'nodejs': {
-                'version': 20,
+                'version': 22,
            },
        }
    else:
--- a/bundles/forgejo/metadata.py
+++ b/bundles/forgejo/metadata.py
@ -100,7 +100,7 @@ def nginx(metadata):
                        },
                    },
                    'website_check_path': '/user/login',
-                    'website_check_string': 'Sign In',
+                    'website_check_string': 'Sign in',
                },
            },
        },
--- a/bundles/homeassistant/files/check_homeassistant_update
+++ b/bundles/homeassistant/files/check_homeassistant_update
@ -2,48 +2,42 @@

 from sys import exit

-import requests
-from packaging import version
+from packaging.version import parse
+from requests import get

-bearer = "${bearer}"
-domain = "${domain}"
-OK = 0
-WARN = 1
-CRITICAL = 2
-UNKNOWN = 3
-
-status = 3
-message = "Unknown Update Status"
-
-
-domain = "hass.home.kunbox.net"
-
-s = requests.Session()
-s.headers.update({"Content-Type": "application/json"})
+API_TOKEN = "${token}"
+DOMAIN = "${domain}"

 try:
-    stable_version = version.parse(
-        s.get("https://version.home-assistant.io/stable.json").json()["homeassistant"][
-            "generic-x86-64"
-        ]
-    )
-    s.headers.update(
-        {"Authorization": f"Bearer {bearer}", "Content-Type": "application/json"}
-    )
-    running_version = version.parse(
-        s.get(f"https://{domain}/api/config").json()["version"]
-    )
-    if running_version == stable_version:
-        status = 0
-        message = f"OK - running version {running_version} equals stable version {stable_version}"
-    elif running_version > stable_version:
-        status = 1
-        message = f"WARNING - stable version {stable_version} is lower than running version {running_version}, check if downgrade is necessary."
-    else:
-        status = 2
-        message = f"CRITICAL - update necessary, running version {running_version} is lower than stable version {stable_version}"
+    r = get("https://version.home-assistant.io/stable.json")
+    r.raise_for_status()
+    stable_version = parse(r.json()["homeassistant"]["generic-x86-64"])
 except Exception as e:
-    message = f"{message}: {repr(e)}"
+    print(f"Could not get stable version information from home-assistant.io: {e!r}")
+    exit(3)

-print(message)
-exit(status)
+try:
+    r = get(
+        f"https://{DOMAIN}/api/config",
+        headers={"Authorization": f"Bearer {API_TOKEN}", "Content-Type": "application/json"},
+    )
+    r.raise_for_status()
+    running_version = parse(r.json()["version"])
+except Exception as e:
+    print(f"Could not get running version information from homeassistant: {e!r}")
+    exit(3)
+
+try:
+    if stable_version > running_version:
+        print(
+            f"There is a newer version available: {stable_version} (currently installed: {running_version})"
+        )
+        exit(2)
+    else:
+        print(
+            f"Currently running version {running_version} matches newest release on home-assistant.io"
+        )
+        exit(0)
+except Exception as e:
+    print(repr(e))
+    exit(3)
--- a/bundles/homeassistant/files/homeassistant.service
+++ b/bundles/homeassistant/files/homeassistant.service
@ -5,6 +5,8 @@ After=network-online.target
 [Service]
 Type=simple
 User=homeassistant
+Environment="VIRTUAL_ENV=/opt/homeassistant/venv"
+Environment="PATH=/opt/homeassistant/venv/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
 WorkingDirectory=/var/opt/homeassistant
 ExecStart=/opt/homeassistant/venv/bin/hass -c "/var/opt/homeassistant"
 RestartForceExitStatus=100
--- a/bundles/homeassistant/items.py
+++ b/bundles/homeassistant/items.py
@ -30,7 +30,7 @@ files = {
    '/usr/local/share/icinga/plugins/check_homeassistant_update': {
        'content_type': 'mako',
        'context': {
-            'bearer': repo.vault.decrypt(node.metadata.get('homeassistant/api_secret')),
+            'token': node.metadata.get('homeassistant/api_secret'),
            'domain': node.metadata.get('homeassistant/domain'),
        },
        'mode': '0755',
--- a/bundles/icinga2/files/scripts/icinga_notification_wrapper
+++ b/bundles/icinga2/files/scripts/icinga_notification_wrapper
@ -129,11 +129,14 @@ def notify_per_ntfy():
            data=message_text,
            headers=headers,
            auth=(CONFIG['ntfy']['user'], CONFIG['ntfy']['password']),
+            timeout=10,
        )

        r.raise_for_status()
    except Exception as e:
        log_to_syslog('Sending a Notification failed: {}'.format(repr(e)))
+        return False
+    return True


 def notify_per_mail():
@ -199,7 +202,8 @@ if __name__ == '__main__':
        notify_per_mail()

    if args.sms:
-        if not args.service_name:
-            notify_per_sms()
+        ntfy_worked = False
        if CONFIG['ntfy']['user']:
-            notify_per_ntfy()
+            ntfy_worked = notify_per_ntfy()
+        if not args.service_name or not ntfy_worked:
+            notify_per_sms()
--- a/bundles/icinga2/items.py
+++ b/bundles/icinga2/items.py
@ -401,22 +401,6 @@ for rnode in sorted(repo.nodes):
                DAYS_TO_STRING[day%7]: f'{hour}:{minute}-{hour}:{minute+15}',
            },
        })
-    elif (
-        rnode.has_bundle('pacman')
-        and rnode.metadata.get('pacman/unattended-upgrades/is_enabled', False)
-    ):
-        day = rnode.metadata.get('pacman/unattended-upgrades/day')
-        hour = rnode.metadata.get('pacman/unattended-upgrades/hour')
-        minute = rnode.magic_number%30
-
-        downtimes.append({
-            'name': 'unattended-upgrades',
-            'host': rnode.name,
-            'comment': f'Downtime for upgrade-and-reboot of node {rnode.name}',
-            'times': {
-                DAYS_TO_STRING[day%7]: f'{hour}:{minute}-{hour}:{minute+15}',
-            },
-        })

 files['/etc/icinga2/conf.d/groups.conf'] = {
    'source': 'icinga2/groups.conf',
--- a/bundles/icinga2/metadata.py
+++ b/bundles/icinga2/metadata.py
@ -17,7 +17,6 @@ defaults = {
            'icinga2': {},
            'icinga2-ido-pgsql': {},
            'icingaweb2': {},
-            'icingaweb2-module-monitoring': {},
            'python3-easysnmp': {},
            'python3-flask': {},
            'snmp': {},
--- a/bundles/infobeamer-cms/items.py
+++ b/bundles/infobeamer-cms/items.py
@ -23,7 +23,7 @@ actions = {
 git_deploy = {
    '/opt/infobeamer-cms/src': {
        'rev': 'master',
-        'repo': 'https://github.com/sophieschi/36c3-cms.git',
+        'repo': 'https://github.com/voc/infobeamer-cms.git',
        'needs': {
            'directory:/opt/infobeamer-cms/src',
        },
@ -96,14 +96,6 @@ files = {
    },
 }

-pkg_pip = {
-    'github-flask': {
-        'needed_by': {
-            'svc_systemd:infobeamer-cms',
-        },
-    },
-}
-
 svc_systemd = {
    'infobeamer-cms': {
        'needs': {
--- a/bundles/infobeamer-cms/metadata.py
+++ b/bundles/infobeamer-cms/metadata.py
@ -1,10 +1,13 @@
-from datetime import datetime, timedelta
+from datetime import datetime, timedelta, timezone
+
+assert node.has_bundle('redis')

 defaults = {
    'infobeamer-cms': {
        'config': {
            'MAX_UPLOADS': 5,
            'PREFERRED_URL_SCHEME': 'https',
+            'REDIS_HOST': '127.0.0.1',
            'SESSION_COOKIE_NAME': '__Host-sess',
            'STATIC_PATH': '/opt/infobeamer-cms/static',
            'URL_KEY': repo.vault.password_for(f'{node.name} infobeamer-cms url key'),
@ -49,7 +52,7 @@ def nginx(metadata):
    'infobeamer-cms/config/TIME_MIN',
 )
 def event_times(metadata):
-    event_start = datetime.strptime(metadata.get('infobeamer-cms/event_start_date'), '%Y-%m-%d')
+    event_start = datetime.strptime(metadata.get('infobeamer-cms/event_start_date'), '%Y-%m-%d').replace(tzinfo=timezone.utc)
    event_duration = metadata.get('infobeamer-cms/event_duration_days', 4)

    event_end = event_start + timedelta(days=event_duration)
--- a/bundles/infobeamer-monitor/files/monitor.py
+++ b/bundles/infobeamer-monitor/files/monitor.py
@ -1,9 +1,10 @@
 #!/usr/bin/env python3

 import logging
-from datetime import datetime, timezone
+from datetime import datetime
 from json import dumps
 from time import sleep
+from zoneinfo import ZoneInfo

 import paho.mqtt.client as mqtt
 from requests import RequestException, get
@ -24,7 +25,8 @@ logging.basicConfig(
 )

 LOG = logging.getLogger("main")
-MLOG = logging.getLogger("mqtt")
+TZ = ZoneInfo("Europe/Berlin")
+DUMP_TIME = "0900"

 state = None

@ -38,7 +40,10 @@ def mqtt_out(message, level="INFO", device=None):
    key = "infobeamer"
    if device:
        key += f"/{device['id']}"
+        if device["description"]:
            message = f"[{device['description']}] {message}"
+        else:
+            message = f"[{device['serial']}] {message}"

    client.publish(
        CONFIG["mqtt"]["topic"],
@ -61,14 +66,14 @@ def mqtt_dump_state(device):
        out.append("Location: {}".format(device["location"]))
    out.append("Setup: {} ({})".format(device["setup"]["name"], device["setup"]["id"]))
    out.append("Resolution: {}".format(device["run"].get("resolution", "unknown")))
-    if not device["is_synced"]:
-        out.append("syncing ...")

    mqtt_out(
        " - ".join(out),
        device=device,
    )

+def is_dump_time():
+    return datetime.now(TZ).strftime("%H%M") == DUMP_TIME

 mqtt_out("Monitor starting up")
 while True:
@ -81,15 +86,14 @@ while True:
            r.raise_for_status()
            ib_state = r.json()["devices"]
        except RequestException as e:
-            LOG.exception("Could not get data from info-beamer")
+            LOG.exception("Could not get device data from info-beamer")
            mqtt_out(
-                f"Could not get data from info-beamer: {e!r}",
+                f"Could not get device data from info-beamer: {e!r}",
                level="WARN",
            )
        else:
            new_state = {}
-            online_devices = set()
-            for device in ib_state:
+            for device in sorted(ib_state, key=lambda x: x["id"]):
                did = str(device["id"])

                if did in new_state:
@ -97,7 +101,8 @@ while True:
                    continue

                new_state[did] = device
-                must_dump_state = False
+                # force information output for every online device at 09:00 CE(S)T
+                must_dump_state = is_dump_time()

                if state is not None:
                    if did not in state:
@ -140,16 +145,15 @@ while True:
                        if device["is_online"]:
                            if device["maintenance"]:
                                mqtt_out(
-                                    "maintenance required: {}".format(' '.join(
-                                        sorted(device["maintenance"])
-                                    )),
+                                    "maintenance required: {}".format(
+                                        " ".join(sorted(device["maintenance"]))
+                                    ),
                                    level="WARN",
                                    device=device,
                                )

                        if (
-                            device["is_synced"] != state[did]["is_synced"]
-                            or device["location"] != state[did]["location"]
+                            device["location"] != state[did]["location"]
                            or device["setup"]["id"] != state[did]["setup"]["id"]
                            or device["run"].get("resolution")
                            != state[did]["run"].get("resolution")
@ -161,23 +165,52 @@ while True:
                else:
                    LOG.info("adding device {} to empty state".format(device["id"]))

-                if device["is_online"]:
-                    online_devices.add(
-                        "{} ({})".format(
-                            device["id"],
-                            device["description"],
-                        )
-                    )
-
            state = new_state

-            if (
-                datetime.now(timezone.utc).strftime("%H%M") == "1312"
-                and online_devices
-                and int(datetime.now(timezone.utc).strftime("%S")) < 30
-            ):
-                mqtt_out("Online Devices: {}".format(", ".join(sorted(online_devices))))
-        sleep(30)
+        try:
+            r = get(
+                "https://info-beamer.com/api/v1/account",
+                auth=("", CONFIG["api_key"]),
+            )
+            r.raise_for_status()
+            ib_account = r.json()
+        except RequestException as e:
+            LOG.exception("Could not get account data from info-beamer")
+            mqtt_out(
+                f"Could not get account data from info-beamer: {e!r}",
+                level="WARN",
+            )
+        else:
+            available_credits = ib_account["balance"]
+            if is_dump_time():
+                mqtt_out(f"Available Credits: {available_credits}")
+
+            if available_credits < 50:
+                mqtt_out(
+                    f"balance has dropped below 50 credits! (available: {available_credits})",
+                    level="ERROR",
+                )
+            elif available_credits < 100:
+                mqtt_out(
+                    f"balance has dropped below 100 credits! (available: {available_credits})",
+                    level="WARN",
+                )
+
+            for quota_name, quota_config in sorted(ib_account["quotas"].items()):
+                value = quota_config["count"]["value"]
+                limit = quota_config["count"]["limit"]
+                if value > limit * 0.9:
+                    mqtt_out(
+                        f"quota {quota_name} is over 90% (limit {limit}, value {value})",
+                        level="ERROR",
+                    )
+                elif value > limit * 0.8:
+                    mqtt_out(
+                        f"quota {quota_name} is over 80% (limit {limit}, value {value})",
+                        level="WARN",
+                    )
+
+        sleep(60)
    except KeyboardInterrupt:
        break

--- a/bundles/ipmitool/metadata.py
+++ b/bundles/ipmitool/metadata.py
@ -19,9 +19,4 @@ defaults = {
            '/usr/bin/ipmitool *',
        },
    },
-    'pacman': {
-        'packages': {
-            'ipmitool': {},
-        },
-    },
 }
--- a/bundles/letsencrypt/items.py
+++ b/bundles/letsencrypt/items.py
@ -12,6 +12,10 @@ actions = {
        'needs': {
            'svc_systemd:nginx',
        },
+        'after': {
+            'svc_systemd:nginx:reload',
+            'svc_systemd:nginx:restart',
+        },
    },
 }

--- a/bundles/letsencrypt/metadata.py
+++ b/bundles/letsencrypt/metadata.py
@ -13,15 +13,6 @@ defaults = {
            },
        },
    },
-    'pacman': {
-        'packages': {
-            'dehydrated': {
-                'needed_by': {
-                    'action:letsencrypt_update_certificates',
-                },
-            },
-        },
-    },
 }


--- a/bundles/lldp/metadata.py
+++ b/bundles/lldp/metadata.py
@ -10,15 +10,4 @@ defaults = {
            },
        },
    },
-    'pacman': {
-        'packages': {
-            'lldpd': {
-                'needed_by': {
-                    'directory:/etc/lldpd.d',
-                    'file:/etc/lldpd.conf',
-                    'svc_systemd:lldpd',
-                },
-            },
-        },
-    },
 }
--- a/bundles/lm-sensors/metadata.py
+++ b/bundles/lm-sensors/metadata.py
@ -4,11 +4,6 @@ defaults = {
            'lm-sensors': {},
        },
    },
-    'pacman': {
-        'packages': {
-            'lm_sensors': {},
-        },
-    },
    'telegraf': {
        'input_plugins': {
            'builtin': {
--- a/bundles/matrix-registration/files/config.yaml
+++ b/bundles/matrix-registration/files/config.yaml
@ -1,40 +0,0 @@
-server_location: 'http://[::1]:20080'
-server_name: '${server_name}'
-registration_shared_secret: '${reg_secret}'
-admin_api_shared_secret: '${admin_secret}'
-base_url: '${base_url}'
-client_redirect: '${client_redirect}'
-client_logo: 'static/images/element-logo.png' # use '{cwd}' for current working directory
-#db: 'sqlite:///opt/matrix-registration/data/db.sqlite3'
-db: 'postgresql://${database['user']}:${database['password']}@localhost/${database['database']}'
-host: 'localhost'
-port: 20100
-rate_limit: ["100 per day", "10 per minute"]
-allow_cors: false
-ip_logging: false
-logging:
-  disable_existing_loggers: false
-  version: 1
-  root:
-    level: DEBUG
-    handlers: [console]
-  formatters:
-    brief:
-      format: '%(name)s - %(levelname)s - %(message)s'
-  handlers:
-    console:
-      class: logging.StreamHandler
-      level: INFO
-      formatter: brief
-      stream: ext://sys.stdout
-# password requirements
-password:
-  min_length: 8
-# username requirements
-username:
-  validation_regex: [] #list of regexes that the selected username must match.        Example: '[a-zA-Z]\.[a-zA-Z]'
-  invalidation_regex:  #list of regexes that the selected username must NOT match.  Example: '(admin|support)'
-    - '^abuse'
-    - 'admin'
-    - 'support'
-    - 'help'
--- a/bundles/matrix-registration/files/matrix-registration.service
+++ b/bundles/matrix-registration/files/matrix-registration.service
@ -1,14 +0,0 @@
-[Unit]
-Description=matrix-registration
-After=network.target
-
-[Service]
-User=matrix-registration
-Group=matrix-registration
-WorkingDirectory=/opt/matrix-registration/src
-ExecStart=/opt/matrix-registration/venv/bin/matrix-registration --config-path /opt/matrix-registration/config.yaml serve
-Restart=always
-RestartSec=5
-
-[Install]
-WantedBy=multi-user.target
--- a/bundles/matrix-registration/items.py
+++ b/bundles/matrix-registration/items.py
@ -1,65 +0,0 @@
-actions['matrix-registration_create_virtualenv'] = {
-    'command': '/usr/bin/python3 -m virtualenv -p python3 /opt/matrix-registration/venv/',
-    'unless': 'test -d /opt/matrix-registration/venv/',
-    'needs': {
-        # actually /opt/matrix-registration, but we don't create that
-        'directory:/opt/matrix-registration/src',
-    },
-}
-
-actions['matrix-registration_install'] = {
-    'command': ' && '.join([
-        'cd /opt/matrix-registration/src',
-        '/opt/matrix-registration/venv/bin/pip install psycopg2-binary',
-        '/opt/matrix-registration/venv/bin/pip install -e .',
-    ]),
-    'needs': {
-        'action:matrix-registration_create_virtualenv',
-    },
-    'triggered': True,
-}
-
-users['matrix-registration'] = {
-    'home': '/opt/matrix-registration',
-}
-
-directories['/opt/matrix-registration/src'] = {}
-
-git_deploy['/opt/matrix-registration/src'] = {
-    'repo': 'https://github.com/zeratax/matrix-registration.git',
-    'rev': 'master',
-    'triggers': {
-        'action:matrix-registration_install',
-        'svc_systemd:matrix-registration:restart',
-    },
-}
-
-files['/opt/matrix-registration/config.yaml'] = {
-    'content_type': 'mako',
-    'context': {
-        'admin_secret': node.metadata.get('matrix-registration/admin_secret'),
-        'base_url': node.metadata.get('matrix-registration/base_path', ''),
-        'client_redirect': node.metadata.get('matrix-registration/client_redirect'),
-        'database': node.metadata.get('matrix-registration/database'),
-        'reg_secret': node.metadata.get('matrix-synapse/registration_shared_secret'),
-        'server_name': node.metadata.get('matrix-synapse/server_name'),
-    },
-    'triggers': {
-        'svc_systemd:matrix-registration:restart',
-    },
-}
-
-files['/usr/local/lib/systemd/system/matrix-registration.service'] = {
-    'triggers': {
-        'action:systemd-reload',
-        'svc_systemd:matrix-registration:restart',
-    },
-}
-
-svc_systemd['matrix-registration'] = {
-    'needs': {
-        'action:matrix-registration_install',
-        'file:/opt/matrix-registration/config.yaml',
-        'file:/usr/local/lib/systemd/system/matrix-registration.service',
-    },
-}
--- a/bundles/matrix-registration/metadata.py
+++ b/bundles/matrix-registration/metadata.py
@ -1,25 +0,0 @@
-defaults = {
-    'bash_aliases': {
-        'matrix-registration': '/opt/matrix-registration/venv/bin/matrix-registration --config-path /opt/matrix-registration/config.yaml',
-    },
-    'matrix-registration': {
-        'admin_secret': repo.vault.password_for(f'{node.name} matrix-registration admin secret'),
-        'database': {
-            'user': 'matrix-registration',
-            'password': repo.vault.password_for(f'{node.name} postgresql matrix-registration'),
-            'database': 'matrix-registration',
-        },
-    },
-    'postgresql': {
-        'roles': {
-            'matrix-registration': {
-                'password': repo.vault.password_for(f'{node.name} postgresql matrix-registration'),
-            },
-        },
-        'databases': {
-            'matrix-registration': {
-                'owner': 'matrix-registration',
-            },
-        },
-    },
-}
--- a/bundles/nfs-client/items.py
+++ b/bundles/nfs-client/items.py
@ -1,8 +1,3 @@
-if node.has_bundle('pacman'):
-    package = 'pkg_pacman:nfs-utils'
-else:
-    package = 'pkg_apt:nfs-common'
-
 for mount, data in node.metadata.get('nfs-client/mounts',{}).items():
    data['mount'] = mount
    data['mount_options'] = set(data.get('mount_options', set()))
@ -42,7 +37,7 @@ for mount, data in node.metadata.get('nfs-client/mounts',{}).items():
                'file:/etc/systemd/system/{}.automount'.format(unitname),
                'directory:{}'.format(data['mountpoint']),
                'svc_systemd:systemd-networkd',
-                package,
+                'pkg_apt:nfs-common',
            },
        }
    else:
@ -58,7 +53,7 @@ for mount, data in node.metadata.get('nfs-client/mounts',{}).items():
                'file:/etc/systemd/system/{}.mount'.format(unitname),
                'directory:{}'.format(data['mountpoint']),
                'svc_systemd:systemd-networkd',
-                package,
+                'pkg_apt:nfs-common',
            },
        }

--- a/bundles/nfs-client/metadata.py
+++ b/bundles/nfs-client/metadata.py
@ -4,11 +4,6 @@ defaults = {
            'nfs-common': {},
        },
    },
-    'pacman': {
-        'packages': {
-            'nfs-utils': {},
-        },
-    },
 }

 if node.has_bundle('telegraf'):
--- a/bundles/nftables/files/nftables.conf
+++ b/bundles/nftables/files/nftables.conf
@ -23,9 +23,8 @@ table inet filter {

        icmp type timestamp-request drop
        icmp type timestamp-reply drop
-        ip protocol icmp accept
+        meta l4proto {icmp, ipv6-icmp} accept

-        ip6 nexthdr ipv6-icmp accept
 % for ruleset, rules in sorted(input.items()):

        # ${ruleset}
--- a/bundles/nftables/items.py
+++ b/bundles/nftables/items.py
@ -1,8 +1,3 @@
-if node.has_bundle('pacman'):
-    package = 'pkg_pacman:nftables'
-else:
-    package = 'pkg_apt:nftables'
-
 directories = {
    # used by other bundles
    '/etc/nftables-rules.d': {
@ -42,7 +37,7 @@ svc_systemd = {
    'nftables': {
        'needs': {
            'file:/etc/nftables.conf',
-            package,
+            'pkg_apt:nftables',
        },
    },
 }
--- a/bundles/nftables/metadata.py
+++ b/bundles/nftables/metadata.py
@ -10,26 +10,9 @@ defaults = {
        'blocked_v4': repo.libs.firewall.global_ip4_blocklist,
        'blocked_v6': repo.libs.firewall.global_ip6_blocklist,
    },
-    'pacman': {
-        'packages': {
-            'nftables': {},
-# https://github.com/bundlewrap/bundlewrap/issues/688
-#            'iptables': {
-#                'installed': False,
-#                'needed_by': {
-#                    'pkg_pacman:iptables-nft',
-#                },
-#            },
-            'iptables-nft': {
-                'needed_by': {
-                    'pkg_pacman:nftables',
-                },
-            },
-        },
-    },
 }

-if not node.has_bundle('vmhost'):
+if not node.has_bundle('vmhost') and not node.has_bundle('docker-engine'):
    # see comment in bundles/vmhost/items.py
    defaults['apt']['packages']['iptables'] = {
        'installed': False,
--- a/bundles/nginx/files/arch-override.conf
+++ b/bundles/nginx/files/arch-override.conf
@ -1,9 +0,0 @@
-[Service]
-ExecStart=
-ExecStart=/usr/sbin/nginx -c /etc/nginx/nginx.conf
-
-ExecReload=
-ExecReload=/bin/sh -c "/bin/kill -s HUP $(/bin/cat /var/run/nginx.pid)"
-
-ExecStop=
-ExecStop=/bin/sh -c "/bin/kill -s TERM $(/bin/cat /var/run/nginx.pid)"
--- a/bundles/nginx/files/nginx.conf
+++ b/bundles/nginx/files/nginx.conf
@ -1,4 +1,4 @@
-user  ${username};
+user  www-data;
 worker_processes  ${worker_processes};

 pid        /var/run/nginx.pid;
@ -11,7 +11,7 @@ events {
 http {
    include       /etc/nginx/mime.types;
    types {
-        application/javascript js mjs;
+        application/javascript mjs;
    }
    default_type  application/octet-stream;
    charset UTF-8;
--- a/bundles/nginx/files/site_template
+++ b/bundles/nginx/files/site_template
@ -149,18 +149,18 @@ server {
 %   if 'target' in options:
        proxy_pass           ${options['target']};
        proxy_http_version   ${options.get('http_version', '1.1')};
-        proxy_set_header     Host ${domain};
+        proxy_set_header     Host ${options.get('proxy_pass_host', domain)};
 %    if options.get('websockets', False):
        proxy_set_header     Connection "upgrade";
        proxy_set_header     Upgrade $http_upgrade;
 %    endif
        proxy_set_header     X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header     X-Forwarded-Proto $scheme;
-        proxy_set_header     X-Forwarded-Host ${options.get('x_forwarded_host', domain)};
+        proxy_set_header     X-Forwarded-Host ${options.get('x_forwarded_host', options.get('proxy_pass_host', domain))};
 %    for option, value in options.get('proxy_set_header', {}).items():
        proxy_set_header     ${option} ${value};
 %    endfor
-%    if location != '/':
+%    if location != '/' and location != '= /':
        proxy_set_header     X-Script-Name ${location};
 %    endif
        proxy_buffering      off;
--- a/bundles/nginx/items.py
+++ b/bundles/nginx/items.py
@ -1,12 +1,5 @@
 from datetime import datetime, timedelta

-if node.has_bundle('pacman'):
-    package = 'pkg_pacman:nginx'
-    username = 'http'
-else:
-    package = 'pkg_apt:nginx'
-    username = 'www-data'
-
 directories = {
    '/etc/nginx/sites': {
        'purge': True,
@ -24,9 +17,9 @@ directories = {
        },
    },
    '/var/log/nginx-timing': {
-        'owner': username,
+        'owner': 'www-data',
        'needs': {
-            package,
+            'pkg_apt:nginx',
        },
    },
    '/var/www': {},
@ -40,7 +33,6 @@ files = {
    '/etc/nginx/nginx.conf': {
        'content_type': 'mako',
        'context': {
-            'username': username,
            **node.metadata['nginx'],
        },
        'triggers': {
@ -69,21 +61,13 @@ files = {
    '/var/www/error.html': {},
    '/var/www/not_found.html': {},
 }
-if node.has_bundle('pacman'):
-    files['/etc/systemd/system/nginx.service.d/bundlewrap.conf'] = {
-        'source': 'arch-override.conf',
-        'triggers': {
-            'action:systemd-reload',
-            'svc_systemd:nginx:restart',
-        },
-    }

 svc_systemd = {
    'nginx': {
        'needs': {
            'action:generate-dhparam',
            'directory:/var/log/nginx-timing',
-            package,
+            'pkg_apt:nginx',
        },
    },
 }
--- a/bundles/nginx/metadata.py
+++ b/bundles/nginx/metadata.py
@ -33,11 +33,6 @@ defaults = {
    'nginx': {
        'worker_connections': 768,
    },
-    'pacman': {
-        'packages': {
-            'nginx': {},
-        },
-    },
 }

 if node.has_bundle('telegraf'):
--- a/bundles/openssh/items.py
+++ b/bundles/openssh/items.py
@ -27,29 +27,22 @@ files = {
    },
 }

-if node.has_bundle('pacman'):
-    package = 'pkg_pacman:openssh'
-    service = 'sshd'
-else:
-    package = 'pkg_apt:openssh-server'
-    service = 'ssh'
-
 actions = {
    'sshd_check_config': {
        'command': 'sshd -T -C user=root -C host=localhost -C addr=localhost',
        'triggered': True,
        'triggers': {
-            'svc_systemd:{}:restart'.format(service),
+            'svc_systemd:ssh:restart',
        },
    },
 }

 svc_systemd = {
-    service: {
+    'ssh': {
        'needs': {
            'file:/etc/systemd/system/ssh.service.d/bundlewrap.conf',
            'file:/etc/ssh/sshd_config',
-            package,
+            'pkg_apt:openssh-server',
        },
    },
 }
--- a/bundles/openssh/metadata.py
+++ b/bundles/openssh/metadata.py
@ -8,11 +8,6 @@ defaults = {
            'openssh-sftp-server': {},
        },
    },
-    'pacman': {
-        'packages': {
-            'openssh': {},
-        },
-    },
 }

@metadata_reactor.provides(
--- a/bundles/pacman/files/check_unattended_upgrades
+++ b/bundles/pacman/files/check_unattended_upgrades
@ -1,38 +0,0 @@
-#!/bin/bash
-
-statusfile="/var/tmp/unattended_upgrades.status"
-if ! [[ -f "$statusfile" ]]
-then
-    echo "Status file not found"
-    exit 3
-fi
-
-mtime=$(stat -c %Y $statusfile)
-now=$(date +%s)
-if (( $now - $mtime > 60*60*24*8 ))
-then
-    echo "Status file is older than 8 days!"
-    exit 3
-fi
-
-exitcode=$(cat $statusfile)
-case "$exitcode" in
-    abort_ssh)
-        echo "Upgrades skipped due to active SSH login"
-        exit 1
-        ;;
-    0)
-        if [[ -f /var/run/reboot-required ]]
-        then
-            echo "OK, but updates require a reboot"
-            exit 1
-        else
-            echo "OK"
-            exit 0
-        fi
-        ;;
-    *)
-        echo "Last exitcode was $exitcode"
-        exit 2
-        ;;
-esac
--- a/bundles/pacman/files/do-unattended-upgrades
+++ b/bundles/pacman/files/do-unattended-upgrades
@ -1,18 +0,0 @@
-#!/bin/bash
-
-set -xeuo pipefail
-
-pacman -Syu --noconfirm --noprogressbar
-
-% for affected, restarts in sorted(restart_triggers.items()):
-up_since=$(systemctl show "${affected}" | sed -n 's/^ActiveEnterTimestamp=//p' || echo 0)
-up_since_ts=$(date -d "$up_since" +%s || echo 0)
-now=$(date +%s)
-
-if [ $((now - up_since_ts)) -lt 3600 ]
-then
-% for restart in sorted(restarts):
-    systemctl restart "${restart}" || true
-% endfor
-fi
-% endfor
--- a/bundles/pacman/files/faillock.conf
+++ b/bundles/pacman/files/faillock.conf
@ -1,2 +0,0 @@
-# just disable faillock.
-deny = 0
--- a/bundles/pacman/files/pacman.conf
+++ b/bundles/pacman/files/pacman.conf
@ -1,52 +0,0 @@
-[options]
-Architecture = auto
-CheckSpace
-Color
-HoldPkg = ${' '.join(sorted(node.metadata.get('pacman/ask_before_removal')))}
-ILoveCandy
-IgnorePkg = ${' '.join(sorted(node.metadata.get('pacman/ignore_packages', set())))}
-LocalFileSigLevel = Optional
-NoExtract=${' '.join(sorted(node.metadata.get('pacman/no_extract', set())))}
-ParallelDownloads = ${node.metadata.get('pacman/parallel_downloads')}
-SigLevel    = Required DatabaseOptional
-VerbosePkgLists
-
-% for line in sorted(node.metadata.get('pacman/additional_config', set())):
-${line}
-% endfor
-
-[core]
-Server = ${node.metadata.get('pacman/repository')}
-Include = /etc/pacman.d/mirrorlist
-
-[extra]
-Server = ${node.metadata.get('pacman/repository')}
-Include = /etc/pacman.d/mirrorlist
-
-[community]
-Server = ${node.metadata.get('pacman/repository')}
-Include = /etc/pacman.d/mirrorlist
-% if node.metadata.get('pacman/enable_multilib', False):
-
-[multilib]
-Server = ${node.metadata.get('pacman/repository')}
-Include = /etc/pacman.d/mirrorlist
-% endif
-% if node.metadata.get('pacman/enable_aurto', True):
-
-[aurto]
-Server = https://aurto.kunbox.net/
-SigLevel = Optional TrustAll
-% endif
-% if node.has_bundle('zfs'):
-
-[archzfs]
-Server = http://archzfs.com/archzfs/x86_64
-
-%  if node.metadata.get('pacman/linux-lts', False):
-[zfs-linux-lts]
-%  else:
-[zfs-linux]
-%  endif
-Server = http://kernels.archzfs.com/$repo/
-% endif
--- a/bundles/pacman/files/upgrade-and-reboot
+++ b/bundles/pacman/files/upgrade-and-reboot
@ -1,49 +0,0 @@
-#!/bin/bash
-
-# With systemd, we can force logging to the journal. This is better than
-# spamming the world with cron mails. You can then view these logs using
-# "journalctl -rat upgrade-and-reboot".
-if which logger >/dev/null 2>&1
-then
-    # Dump stdout and stderr to logger, which will then put everything
-    # into the journal.
-    exec 1> >(logger -t upgrade-and-reboot -p user.info)
-    exec 2> >(logger -t upgrade-and-reboot -p user.error)
-fi
-
-. /etc/upgrade-and-reboot.conf
-
-echo "Starting upgrade-and-reboot for node $nodename ..."
-
-statusfile="/var/tmp/unattended_upgrades.status"
-# Workaround, because /var/tmp is usually 1777
-[[ "$UID" == 0 ]] && chown root:root "$statusfile"
-
-logins=$(ps h -C sshd -o euser | awk '$1 != "root" && $1 != "sshd" && $1 != "sshmon" && $1 != "nobody"')
-if [[ -n "$logins" ]]
-then
-    echo "Will abort now, there are active SSH logins: $logins"
-    echo "abort_ssh" > "$statusfile"
-    exit 1
-fi
-
-softlockdir=/var/lib/bundlewrap/soft-$nodename
-mkdir -p "$softlockdir"
-printf '{"comment": "UPDATE", "date": %s, "expiry": %s, "id": "UNATTENDED", "items": ["*"], "user": "root@localhost"}\n' \
-    $(date +%s) \
-    $(date -d 'now + 30 mins' +%s) \
-    >"$softlockdir"/UNATTENDED
-trap 'rm -f "$softlockdir"/UNATTENDED' EXIT
-
-do-unattended-upgrades
-ret=$?
-
-echo "$ret" > "$statusfile"
-if (( $ret != 0 ))
-then
-    exit 1
-fi
-
-systemctl reboot
-
-echo "upgrade-and-reboot for node $nodename is DONE"
--- a/bundles/pacman/files/upgrade-and-reboot.conf
+++ b/bundles/pacman/files/upgrade-and-reboot.conf
@ -1,3 +0,0 @@
-nodename="${node.name}"
-reboot_mail_to="${node.metadata.get('apt/unattended-upgrades/reboot_mail_to', '')}"
-auto_reboot_enabled="${node.metadata.get('apt/unattended-upgrades/reboot_enabled', True)}"
--- a/bundles/pacman/items.py
+++ b/bundles/pacman/items.py
@ -1,113 +0,0 @@
-from bundlewrap.exceptions import BundleError
-
-if not node.os == 'arch':
-    raise BundleError(f'{node.name}: bundle:pacman requires arch linux')
-
-files = {
-    '/etc/pacman.conf': {
-        'content_type': 'mako',
-    },
-    '/etc/upgrade-and-reboot.conf': {
-        'content_type': 'mako',
-    },
-    '/etc/security/faillock.conf': {},
-    '/usr/local/sbin/upgrade-and-reboot': {
-        'mode': '0700',
-    },
-    '/usr/local/sbin/do-unattended-upgrades': {
-        'content_type': 'mako',
-        'mode': '0700',
-        'context': {
-            'restart_triggers': node.metadata.get('pacman/restart_triggers', {}),
-        }
-    },
-    '/usr/local/share/icinga/plugins/check_unattended_upgrades': {
-        'mode': '0755',
-    },
-}
-
-svc_systemd['paccache.timer'] = {
-    'needs': {
-        'pkg_pacman:pacman-contrib',
-    },
-}
-
-pkg_pacman = {
-    'at': {},
-    'autoconf': {},
-    'automake': {},
-    'bind': {},
-    'binutils': {},
-    'bison': {},
-    'bzip2': {},
-    'curl': {},
-    'dialog': {},
-    'diffutils': {},
-    'fakeroot': {},
-    'file': {},
-    'findutils': {},
-    'flex': {},
-    'fwupd': {},
-    'gawk': {},
-    'gcc': {},
-    'gettext': {},
-    'git': {},
-    'gnu-netcat': {},
-    'grep': {},
-    'groff': {},
-    'gzip': {},
-    'htop': {},
-    'jq': {},
-    'ldns': {},
-    'less': {},
-    'libtool': {},
-    'logrotate': {},
-    'lsof': {},
-    'm4': {},
-    'mailutils': {},
-    'make': {},
-    'man-db': {},
-    'man-pages': {},
-    'moreutils': {},
-    'mtr': {},
-    'ncdu': {},
-    'nmap': {},
-    'pacman-contrib': {},
-    'patch': {},
-    'pkgconf': {},
-    'python': {},
-    'python-setuptools': {
-        'needed_by': {
-            'pkg_pip:',
-        },
-    },
-    'python-pip': {
-        'needed_by': {
-            'pkg_pip:',
-        },
-    },
-    'python-virtualenv': {},
-    'rsync': {},
-    'run-parts': {},
-    'sed': {},
-    'tar': {},
-    'texinfo': {},
-    'tmux': {},
-    'tree': {},
-    'unzip': {},
-    'vim': {},
-    'wget': {},
-    'which': {},
-    'whois': {},
-    'zip': {},
-}
-
-if node.metadata.get('pacman/linux-lts', False):
-    pkg_pacman['linux-lts'] = {}
-    pkg_pacman['acpi_call-lts'] = {}
-else:
-    pkg_pacman['linux'] = {}
-    pkg_pacman['acpi_call'] = {}
-
-for pkg, config in node.metadata.get('pacman/packages', {}).items():
-    pkg_pacman[pkg] = config
--- a/bundles/pacman/metadata.py
+++ b/bundles/pacman/metadata.py
@ -1,54 +0,0 @@
-defaults = {
-    'pacman': {
-        'ask_before_removal': {
-            'glibc',
-            'pacman',
-        },
-        'no_extract': {
-            'etc/cron.d/0hourly',
-            # don't install systemd-homed pam module. It produces a lot of spam in
-            # journal about systemd-homed not being active, so just get rid of it.
-            # Requires reinstall of systemd package, though
-            'usr/lib/security/pam_systemd_home.so',
-        },
-        'parallel_downloads': 4,
-        'repository': 'http://ftp.uni-kl.de/pub/linux/archlinux/$repo/os/$arch',
-        'unattended-upgrades': {
-            'day': 5,
-            'hour': 21,
-        },
-    },
-}
-
-
-@metadata_reactor.provides(
-    'cron/jobs/upgrade-and-reboot',
-    'icinga2_api/pacman/services',
-)
-def patchday(metadata):
-    if not metadata.get('pacman/unattended-upgrades/is_enabled', False):
-        return {}
-
-    day = metadata.get('pacman/unattended-upgrades/day')
-    hour = metadata.get('pacman/unattended-upgrades/hour')
-
-    return {
-        'cron': {
-            'jobs': {
-                'upgrade-and-reboot': '{minute} {hour} * * {day}    root    /usr/local/sbin/upgrade-and-reboot'.format(
-                    minute=node.magic_number % 30,
-                    hour=hour,
-                    day=day,
-                ),
-            },
-        },
-        'icinga2_api': {
-            'pacman': {
-                'services': {
-                    'UNATTENDED UPGRADES': {
-                        'command_on_monitored_host': '/usr/local/share/icinga/plugins/check_unattended_upgrades',
-                    },
-                },
-            },
-        },
-    }
--- a/bundles/paperless-ng/metadata.py
+++ b/bundles/paperless-ng/metadata.py
@ -34,7 +34,7 @@ defaults = {
        },
    },
    'nodejs': {
-        'version': 18,
+        'version': 22,
    },
    'postgresql': {
        'roles': {
--- a/bundles/postfix/files/arch-override.conf
+++ b/bundles/postfix/files/arch-override.conf
@ -1,6 +0,0 @@
-[Service]
-# arch postfix is not set up for chrooting by default
-ExecStartPre=-/usr/sbin/mkdir -p /var/spool/postfix/etc
-% for file in ['/etc/localtime', '/etc/nsswitch.conf', '/etc/resolv.conf', '/etc/services']:
-ExecStartPre=-/usr/sbin/cp -p ${file} /var/spool/postfix${file}
-% endfor
--- a/bundles/postfix/files/blocked_recipients
+++ b/bundles/postfix/files/blocked_recipients
@ -1,3 +1,5 @@
+devnull@${node.metadata.get('postfix/myhostname')} DISCARD DEV-NULL
+
 % for address in sorted(blocked):
 ${address} REJECT
 % endfor
--- a/bundles/postfix/files/main.cf
+++ b/bundles/postfix/files/main.cf
@ -3,7 +3,7 @@ biff = no
 append_dot_mydomain = no
 readme_directory = no
 compatibility_level = 2
-myhostname = ${node.metadata.get('postfix/myhostname', node.metadata['hostname'])}
+myhostname = ${node.metadata.get('postfix/myhostname')}
 myorigin = /etc/mailname
 mydestination = $myhostname, localhost
 mynetworks = ${' '.join(sorted(mynetworks))}
@ -25,7 +25,6 @@ inet_interfaces = 127.0.0.1
 % endif

 <%text>
-smtp_use_tls = yes
 smtp_tls_loglevel = 1
 smtp_tls_note_starttls_offer = yes
 smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
@ -38,8 +37,8 @@ smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
 </%text>

 % if node.has_bundle('postfixadmin'):
-smtpd_tls_cert_file = /var/lib/dehydrated/certs/${node.metadata.get('postfix/myhostname', node.metadata['hostname'])}/fullchain.pem
-smtpd_tls_key_file = /var/lib/dehydrated/certs/${node.metadata.get('postfix/myhostname', node.metadata['hostname'])}/privkey.pem
+smtpd_tls_cert_file = /var/lib/dehydrated/certs/${node.metadata.get('postfix/myhostname')}/fullchain.pem
+smtpd_tls_key_file = /var/lib/dehydrated/certs/${node.metadata.get('postfix/myhostname')}/privkey.pem
 <%text>
 smtpd_use_tls=yes
 smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
@ -48,7 +47,7 @@ smtpd_client_restrictions = permit_mynetworks permit_sasl_authenticated
 smtpd_helo_required = yes
 smtpd_helo_restrictions = permit_mynetworks reject_invalid_helo_hostname
 smtpd_data_restrictions = reject_unauth_pipelining
-smtpd_recipient_restrictions = permit_mynetworks, check_recipient_access hash:/etc/postfix/blocked_recipients
+smtpd_recipient_restrictions = check_recipient_access hash:/etc/postfix/blocked_recipients, permit_mynetworks
 smtpd_relay_before_recipient_restrictions = yes

 # https://ssl-config.mozilla.org/#server=postfix&version=3.7.10&config=intermediate&openssl=3.0.11&guideline=5.7
--- a/bundles/postfix/items.py
+++ b/bundles/postfix/items.py
@ -21,13 +21,12 @@ for identifier in node.metadata.get('postfix/mynetworks', set()):
            netmask = '128'
        mynetworks.add(f'[{ip6}]/{netmask}')

-my_package = 'pkg_pacman:postfix' if node.os == 'arch' else 'pkg_apt:postfix'

 files = {
    '/etc/mailname': {
-        'content': node.metadata.get('postfix/myhostname', node.metadata['hostname']),
+        'content': node.metadata.get('postfix/myhostname'),
        'before': {
-            my_package,
+            'pkg_apt:postfix',
        },
        'triggers': {
            'svc_systemd:postfix:restart',
@ -82,7 +81,7 @@ actions = {
        'command': 'newaliases',
        'triggered': True,
        'needs': {
-            my_package,
+            'pkg_apt:postfix',
        },
        'before': {
            'svc_systemd:postfix',
@ -92,7 +91,7 @@ actions = {
        'command': 'postmap hash:/etc/postfix/blocked_recipients',
        'triggered': True,
        'needs': {
-            my_package,
+            'pkg_apt:postfix',
        },
        'before': {
            'svc_systemd:postfix',
@ -105,17 +104,7 @@ svc_systemd = {
        'needs': {
            'file:/etc/postfix/master.cf',
            'file:/etc/postfix/main.cf',
-            my_package,
+            'pkg_apt:postfix',
        },
    },
 }
-
-if node.os == 'arch':
-    files['/etc/systemd/system/postfix.service.d/bundlewrap.conf'] = {
-        'source': 'arch-override.conf',
-        'content_type': 'mako',
-        'triggers': {
-            'action:systemd-reload',
-            'svc_systemd:postfix:restart',
-        },
-    }
--- a/bundles/postfix/metadata.py
+++ b/bundles/postfix/metadata.py
@ -14,7 +14,7 @@ defaults = {
        'postfix': {
            'services': {
                'POSTFIX PROCESS': {
-                    'command_on_monitored_host': '/usr/local/share/icinga/plugins/check_systemd_unit postfix' + ('' if node.os == 'arch' else '@-'),
+                    'command_on_monitored_host': '/usr/local/share/icinga/plugins/check_systemd_unit postfix@-',
                },
                'POSTFIX QUEUE': {
                    'command_on_monitored_host': 'sudo /usr/local/share/icinga/plugins/check_postfix_queue -w 20 -c 40 -d 50',
@ -22,12 +22,6 @@ defaults = {
            },
        },
    },
-    'pacman': {
-        'packages': {
-            'postfix': {},
-            's-nail': {},
-        },
-    },
 }

 if node.has_bundle('postfixadmin'):
@ -87,7 +81,7 @@ def letsencrypt(metadata):
    }

    result['domains'] = {
-        metadata.get('postfix/myhostname', metadata.get('hostname')): set(),
+        metadata.get('postfix/myhostname'): set(),
    }

    return {
@ -148,3 +142,14 @@ def icinga2(metadata):
            },
        },
    }
+
+
+@metadata_reactor.provides(
+    'postfix/myhostname',
+)
+def myhostname(metadata):
+    return {
+        'postfix': {
+            'myhostname': metadata.get('hostname'),
+        },
+    }
--- a/bundles/postgresql/items.py
+++ b/bundles/postgresql/items.py
@ -57,7 +57,7 @@ files = {
    },
 }

-if node.has_bundle('backup-client') and not node.has_bundle('zfs'):
+if node.has_bundle('backup-client'):
    files['/etc/backup-pre-hooks.d/90-postgresql-dump-all'] = {
        'source': 'backup-pre-hook',
        'content_type': 'mako',
@ -67,10 +67,6 @@ if node.has_bundle('backup-client') and not node.has_bundle('zfs'):
        'mode': '0700',
    }
    directories['/var/tmp/postgresdumps'] = {}
-else:
-    files['/var/tmp/postgresdumps'] = {
-        'delete': True,
-    }

 postgres_roles = {
    'root': {
--- a/bundles/postgresql/metadata.py
+++ b/bundles/postgresql/metadata.py
@ -11,6 +11,7 @@ defaults = {
    'backups': {
        'paths': {
            '/var/lib/postgresql',
+            '/var/tmp/postgresdumps',
        },
    },
    'bash_functions': {
@ -74,8 +75,6 @@ if node.has_bundle('zfs'):
            },
        },
    }
-else:
-    defaults['backups']['paths'].add('/var/tmp/postgresdumps')


@metadata_reactor.provides(
--- a/bundles/powerdns/items.py
+++ b/bundles/powerdns/items.py
@ -3,6 +3,8 @@ from os import listdir
 from os.path import isfile, join
 from subprocess import check_output

+from bundlewrap.utils.ui import io
+
 zone_path = join(repo.path, 'data', 'powerdns', 'files', 'bind-zones')

 nameservers = set()
@ -79,9 +81,10 @@ if node.metadata.get('powerdns/features/bind', False):
            continue

        try:
-            output = check_output(['git', 'log', '-1', '--pretty=%ci', join(zone_path, zone)]).decode('utf-8').strip()
+            output = check_output(['git', 'log', '-1', '--pretty=%ci']).decode('utf-8').strip()
            serial = datetime.strptime(output, '%Y-%m-%d %H:%M:%S %z').strftime('%y%m%d%H%M')
-        except:
+        except Exception as e:
+            io.stderr(f"Error while parsing commit time for {zone} serial: {e!r}")
            serial = datetime.now().strftime('%y%m%d0000')

        primary_zones.add(zone)
--- a/bundles/powerdnsadmin/items.py
+++ b/bundles/powerdnsadmin/items.py
@ -71,8 +71,8 @@ actions = {
            'chown -R powerdnsadmin:powerdnsadmin /opt/powerdnsadmin/src/powerdnsadmin/static/',
        ]),
        'needs': {
-            'action:nodejs_install_yarn',
            'action:powerdnsadmin_install_deps',
+            'bundle:nodejs',
            'pkg_apt:',
        },
    },
--- a/bundles/powerdnsadmin/metadata.py
+++ b/bundles/powerdnsadmin/metadata.py
@ -14,7 +14,7 @@ defaults = {
        },
    },
    'nodejs': {
-        'version': 18,
+        'version': 22,
    },
    'users': {
        'powerdnsadmin': {
--- a/bundles/pppd/files/dyndns
+++ b/bundles/pppd/files/dyndns
@ -7,7 +7,6 @@ from subprocess import check_output

 from requests import get

-
 UPDATE_URL = '${url}'
 USERNAME = '${username}'
 PASSWORD = '${password}'
--- a/bundles/pppd/files/dyndns_periodic
+++ b/bundles/pppd/files/dyndns_periodic
@ -5,7 +5,6 @@ from ipaddress import ip_address
 from json import loads
 from subprocess import check_output, run

-
 DOMAIN = '${domain}'

 # <%text>
--- a/bundles/pretalx/items.py
+++ b/bundles/pretalx/items.py
@ -1,5 +1,5 @@
 assert node.has_bundle('redis'), f'{node.name}: pretalx needs redis'
-assert node.has_bundle('nodejs'), f'{node.name}: pretalx needs nodejs for rebuild and regenerate_css step'
+assert node.has_bundle('nodejs'), f'{node.name}: pretalx needs nodejs for rebuild step'

 actions = {
    'pretalx_create_virtualenv': {
@ -53,17 +53,6 @@ actions = {
        },
        'triggered': True,
    },
-    'pretalx_regenerate-css': {
-        'command': 'sudo -u pretalx PRETALX_CONFIG_FILE=/opt/pretalx/pretalx.cfg /opt/pretalx/venv/bin/python -m pretalx regenerate_css',
-        'needs': {
-            'action:pretalx_migrate',
-            'directory:/opt/pretalx/data',
-            'directory:/opt/pretalx/static',
-            'file:/opt/pretalx/pretalx.cfg',
-            'bundle:nodejs',
-        },
-        'triggered': True,
-    },
 }

 users = {
@ -90,7 +79,6 @@ git_deploy = {
            'action:pretalx_install',
            'action:pretalx_migrate',
            'action:pretalx_rebuild',
-            'action:pretalx_regenerate-css',
            'svc_systemd:pretalx-web:restart',
            'svc_systemd:pretalx-worker:restart',
        },
@ -121,7 +109,6 @@ svc_systemd = {
            'action:pretalx_install',
            'action:pretalx_migrate',
            'action:pretalx_rebuild',
-            'action:pretalx_regenerate-css',
            'file:/etc/systemd/system/pretalx-web.service',
            'file:/opt/pretalx/pretalx.cfg',
        },
@ -130,6 +117,7 @@ svc_systemd = {
        'needs': {
            'action:pretalx_install',
            'action:pretalx_migrate',
+            'action:pretalx_rebuild',
            'file:/etc/systemd/system/pretalx-worker.service',
            'file:/opt/pretalx/pretalx.cfg',
        },
@ -204,7 +192,6 @@ for plugin_name, plugin_config in node.metadata.get('pretalx/plugins', {}).items
        'triggers': {
            'action:pretalx_migrate',
            'action:pretalx_rebuild',
-            'action:pretalx_regenerate-css',
            'svc_systemd:pretalx-web:restart',
            'svc_systemd:pretalx-worker:restart',
        },
--- a/bundles/pretalx/metadata.py
+++ b/bundles/pretalx/metadata.py
@ -27,7 +27,7 @@ defaults = {
        },
    },
    'nodejs': {
-        'version': 18,
+        'version': 22,
    },
    'pretalx': {
        'database': {
--- a/bundles/proftpd/items.py
+++ b/bundles/proftpd/items.py
@ -0,0 +1,13 @@
+files['/etc/proftpd/proftpd.conf'] = {
+    'source': f'{node.name}.conf',
+    'triggers': {
+        'svc_systemd:proftpd:restart',
+    },
+}
+
+svc_systemd['proftpd'] = {
+    'needs': {
+        'file:/etc/proftpd/proftpd.conf',
+        'pkg_apt:proftpd-core',
+    },
+}
--- a/bundles/proftpd/metadata.py
+++ b/bundles/proftpd/metadata.py
@ -0,0 +1,26 @@
+from bundlewrap.metadata import atomic
+
+defaults = {
+    'apt': {
+        'packages': {
+            'proftpd-core': {},
+        },
+    },
+}
+
+
+@metadata_reactor.provides(
+    'firewall/port_rules',
+)
+def firewall(metadata):
+    sources = atomic(metadata.get('mosquitto/restrict-to', set()))
+
+    return {
+        'firewall': {
+            'port_rules': {
+                '20/tcp': sources,
+                '21/tcp': sources,
+                '49152-50192/tcp': sources,
+            },
+        },
+    }
--- a/bundles/redis/files/redis.conf
+++ b/bundles/redis/files/redis.conf
@ -48,3 +48,4 @@ tcp-keepalive 0
 timeout 0
 zset-max-ziplist-entries 128
 zset-max-ziplist-value 64
+protected-mode no
--- a/bundles/redis/metadata.py
+++ b/bundles/redis/metadata.py
@ -1,3 +1,5 @@
+from bundlewrap.metadata import atomic
+
 defaults = {
    'apt': {
        'packages': {
@ -48,3 +50,16 @@ if node.has_bundle('telegraf'):
            },
        },
    }
+
+
+@metadata_reactor.provides(
+    'firewall/port_rules',
+)
+def firewall(metadata):
+    return {
+        'firewall': {
+            'port_rules': {
+                '6379/tcp': atomic(metadata.get('redis/restrict-to', set())),
+            },
+        },
+    }
--- a/bundles/routeros/metadata.py
+++ b/bundles/routeros/metadata.py
@ -2,7 +2,6 @@ import re
 from json import load
 from os.path import join

-
 with open(join(repo.path, 'configs', 'netbox', f'{node.name}.json')) as f:
    netbox = load(f)

--- a/bundles/rspamd/files/local.d/dmarc.conf
+++ b/bundles/rspamd/files/local.d/dmarc.conf
@ -1,7 +1,7 @@
 reporting {
    enabled = true;
-    email = 'dmarc+${node.name.replace('.', '-')}@kunbox.net';
-    domain = '${node.metadata.get('hostname')}';
+    email = 'devnull@${node.metadata.get('postfix/myhostname')}';
+    domain = '${node.metadata.get('postfix/myhostname')}';
    org_name = 'kunbox.net';
    smtp = '127.0.0.1';
    smtp_port = 25;
--- a/bundles/rspamd/items.py
+++ b/bundles/rspamd/items.py
@ -96,7 +96,7 @@ if 'dkim' in node.metadata.get('rspamd', {}):
            },
        }

-    dkim_key = repo.libs.faults.ensure_fault_or_none(node.metadata['rspamd']['dkim'])
+    dkim_key = repo.libs.faults.ensure_fault_or_none(node.metadata.get('rspamd/dkim'))

    actions = {
        'rspamd_assure_dkim_key_permissions': {
--- a/bundles/rsyslogd/metadata.py
+++ b/bundles/rsyslogd/metadata.py
@ -6,6 +6,11 @@ defaults = {
            'rsyslog': {},
        },
    },
+    'backups': {
+        'paths': {
+            '/var/log/rsyslog',
+        },
+    },
    'icinga2_api': {
        'rsyslog': {
            'services': {
--- a/bundles/samba/files/smb.conf
+++ b/bundles/samba/files/smb.conf
@ -13,6 +13,13 @@ map to guest = bad user
 load printers = no
 usershare allow guests = yes
 allow insecure wide links = yes
+min protocol = SMB2
+% if timemachine:
+vfs objects = fruit
+fruit:aapl = yes
+fruit:copyfile = yes
+fruit:model = MacSamba
+% endif
 % for name, opts in sorted(node.metadata.get('samba/shares', {}).items()):

 [${name}]
@ -37,3 +44,24 @@ follow symlinks = yes
 wide links = yes
 %  endif
 % endfor
+% for name in sorted(timemachine):
+
+[timemachine-${name}]
+comment = Time Machine backup for ${name}
+available = yes
+browseable = yes
+guest ok = no
+read only = false
+valid users = timemachine-${name}
+path = /srv/timemachine/${name}
+durable handles = yes
+vfs objects = catia fruit streams_xattr
+
+fruit:delete_empty_adfiles = yes
+fruit:metadata = stream
+fruit:posix_rename = yes
+fruit:time machine = yes
+fruit:time machine max size = 2000G
+fruit:veto_appledouble = no
+fruit:wipe_intentionally_left_blank_rfork = yes
+% endfor
--- a/bundles/samba/files/timemachine.service
+++ b/bundles/samba/files/timemachine.service
@ -0,0 +1,21 @@
+<?xml version="1.0" standalone='no'?>
+<!DOCTYPE service-group SYSTEM "avahi-service.dtd">
+<service-group>
+    <name replace-wildcards="yes">%h</name>
+    <service>
+        <type>_smb._tcp</type>
+        <port>445</port>
+    </service>
+    <service>
+        <type>_device-info._tcp</type>
+        <port>0</port>
+        <txt-record>model=RackMac1,2</txt-record>
+    </service>
+    <service>
+        <type>_adisk._tcp</type>
+% for idx, share_name in enumerate(sorted(shares)):
+        <txt-record>dk${idx}=adVN=timemachine-${share_name},adVF=0x82</txt-record>
+% endfor
+        <txt-record>sys=waMa=0,adVF=0x100</txt-record>
+    </service>
+</service-group>
--- a/bundles/samba/items.py
+++ b/bundles/samba/items.py
@ -11,9 +11,14 @@ svc_systemd = {
    },
 }

+timemachine_shares = node.metadata.get('samba/timemachine-shares', set())
+
 files = {
    '/etc/samba/smb.conf': {
        'content_type': 'mako',
+        'context': {
+            'timemachine': timemachine_shares,
+        },
        'triggers': {
            'svc_systemd:nmbd:restart',
            'svc_systemd:smbd:restart',
@ -57,3 +62,24 @@ for user, uconfig in node.metadata.get('users', {}).items():
    last_action = {
        f'action:smbpasswd_for_user_{user}',
    }
+
+if timemachine_shares:
+    assert node.has_bundle('avahi-daemon'), f'{node.name}: samba needs avahi-daemon to publish time machine shares'
+
+    files['/etc/avahi/services/timemachine.service'] = {
+        'content_type': 'mako',
+        'context': {
+            'shares': timemachine_shares,
+        },
+    }
+
+    for share_name in timemachine_shares:
+        users[f'timemachine-{share_name}'] = {
+            'home': f'/srv/timemachine/{share_name}',
+        }
+
+        directories[f'/srv/timemachine/{share_name}'] = {
+            'owner': f'timemachine-{share_name}',
+            'group': f'timemachine-{share_name}',
+            'mode': '0700',
+        }
--- a/bundles/samba/metadata.py
+++ b/bundles/samba/metadata.py
@ -24,3 +24,30 @@ def firewall(metadata):
            },
        },
    }
+
+
+@metadata_reactor.provides(
+    'zfs/datasets',
+)
+def timemachine_zfs(metadata):
+    shares = metadata.get('samba/timemachine-shares', set())
+
+    if not shares:
+        return {}
+
+    assert node.has_bundle('zfs'), f'{node.name}: time machine backups require zfs'
+
+    datasets = {
+        'tank/timemachine': {},
+    }
+
+    for share_name in shares:
+        datasets[f'tank/timemachine/{share_name}'] = {
+            'mountpoint': f'/srv/timemachine/{share_name}',
+        }
+
+    return {
+        'zfs': {
+            'datasets': datasets,
+        },
+    }
--- a/bundles/scansnap/files/ocr.sh
+++ b/bundles/scansnap/files/ocr.sh
@ -1,21 +0,0 @@
-#!/bin/bash
-
-set -euo pipefail
-
-DATE=$(date +%F_%H-%M-%S)
-
-cd "$1"
-
-convert *.tiff no_ocr.pdf
-ocrmypdf -l deu no_ocr.pdf has_ocr.pdf
-
-rm -f *.tiff
-rm -f no_ocr.pdf
-
-chown nobody:nogroup has_ocr.pdf
-
-mv has_ocr.pdf "/srv/scansnap/${DATE}.pdf"
-
-cd /
-
-rm -r "$1"
--- a/bundles/scansnap/files/scan.sh
+++ b/bundles/scansnap/files/scan.sh
@ -1,9 +0,0 @@
-#!/bin/bash
-
-set -euo pipefail
-
-OUTFILE=$(mktemp -d)
-
-scanimage --source 'ADF Duplex' --format tiff --mode Color --brightness 23 --resolution 300 --page-width 210 --page-height 297.3 -x 210 -y 297.3 --batch=${OUTFILE}/p%04d.tiff
-
-/etc/scanbd/scripts/ocr.sh "$OUTFILE" &
--- a/bundles/scansnap/files/scanbd.conf
+++ b/bundles/scansnap/files/scanbd.conf
@ -1,52 +0,0 @@
-global {
-        debug   = true
-        debug-level = 2
-
-        user    = saned
-        group   = scanner
-
-        saned   = "/usr/sbin/saned"
-        saned_opt  = {}
-        saned_env  = { "SANE_CONFIG_DIR=/etc/scanbd" }
-
-        scriptdir = /etc/scanbd/scripts
-
-        timeout = 500
-
-        pidfile = "/var/run/scanbd.pid"
-
-        environment {
-                device = "SCANBD_DEVICE"
-                action = "SCANBD_ACTION"
-        }
-
-        function function_knob {
-                filter = "^message.*"
-                desc   = "The value of the function knob / wheel / selector"
-                env    = "SCANBD_FUNCTION"
-        }
-        function function_mode {
-                filter = "^mode.*"
-                desc   = "Color mode"
-                env    = "SCANBD_FUNCTION_MODE"
-        }
-
-        multiple_actions = false
-        action scan {
-                filter = "^scan.*"
-                numerical-trigger {
-                        from-value = 0
-                        to-value   = 1
-                }
-                desc   = "Scan to file"
-                script = "scan.sh"
-        }
-}
-
-include(scanner.d/avision.conf)
-include(scanner.d/fujitsu.conf)
-include(scanner.d/hp.conf)
-include(scanner.d/pixma.conf)
-include(scanner.d/snapscan.conf)
-include(scanner.d/canon.conf)
-include(scanner.d/plustek.conf)
--- a/bundles/scansnap/items.py
+++ b/bundles/scansnap/items.py
@ -1,39 +0,0 @@
-directories = {
-    '/etc/scanbd/scripts': {
-        'purge': True,
-    },
-    '/srv/scansnap': {
-        'owner': 'nobody',
-        'group': 'nogroup',
-    },
-}
-
-files = {
-    '/etc/scanbd/scanbd.conf': {
-        'triggers': {
-            'svc_systemd:scanbd:restart',
-        },
-    },
-    '/etc/scanbd/scripts/ocr.sh': {
-        'mode': '0755',
-        'needs': {
-            'directory:/srv/scansnap',
-        },
-    },
-    '/etc/scanbd/scripts/scan.sh': {
-        'mode': '0755',
-        'needs': {
-            'directory:/srv/scansnap',
-            'file:/etc/scanbd/scripts/ocr.sh',
-        },
-    },
-}
-
-svc_systemd = {
-    'scanbd': {
-        'needs': {
-            'file:/etc/scanbd/scanbd.conf',
-            'pkg_apt:scanbd',
-        },
-    },
-}
--- a/bundles/scansnap/metadata.py
+++ b/bundles/scansnap/metadata.py
@ -1,22 +0,0 @@
-defaults = {
-    'apt': {
-        'packages': {
-            'sane-utils': {},
-            'scanbd': {},
-            'imagemagick': {},
-            'ocrmypdf': {},
-            'tesseract-ocr-deu': {},
-        },
-    },
-    'backups': {
-        'paths': {
-            '/srv/scansnap',
-        },
-    },
-    'cron': {
-        'jobs': {
-            # Automatically remove files which are older than 14 days
-            'scansnap_cleanup': '00 00 * * *    root    /usr/bin/find /srv/scansnap/ -mindepth 1 -mtime +14 -delete',
-        },
-    },
-}
--- a/bundles/smartd/metadata.py
+++ b/bundles/smartd/metadata.py
@ -43,30 +43,6 @@ if node.has_bundle('telegraf'):
    }


-@metadata_reactor.provides(
-    'smartd/disks',
-)
-def zfs_disks_to_metadata(metadata):
-    disks = set()
-
-    for config in metadata.get('zfs/pools', {}).values():
-        for option in config['when_creating']['config']:
-            if option.get('type', '') in {'log', 'cache'}:
-                continue
-
-            for disk in option['devices']:
-                if search(r'p([0-9]+)$', disk) or disk.startswith('/dev/mapper/'):
-                    continue
-
-                disks.add(disk)
-
-    return {
-        'smartd': {
-            'disks': disks,
-        },
-    }
-
-
@metadata_reactor.provides(
    'icinga2_api/smartd/services',
 )
--- a/Show more
+++ b/Show more
Author	SHA1	Message	Date
Franziska Kunsmann	d2a7063282	rottenraptor-server: add docker-goauthentik	2025-02-16 18:36:35 +01:00
Franziska Kunsmann	f04149b4a7	bundles/docker-engine: support different user, arbitrary mapped volumes, custom command	2025-02-16 18:35:54 +01:00
Franziska Kunsmann	e0903ffa50	update mautrix-whatsapp to 0.11.3	2025-02-16 17:31:35 +01:00
Franziska Kunsmann	45c52c62ca	bundles/docker-engine: turns out, filtering by name means getting everything where the name contains the filter ...	2025-02-16 16:14:56 +01:00
Franziska Kunsmann	79680e2119	home.r630: exclude from backups	2025-02-16 16:09:51 +01:00
Franziska Kunsmann	b44c709765	switch systems to new backup server	2025-02-16 15:27:18 +01:00
Franziska Kunsmann	df469cc2e2	backup-kunsi: install qemu-guest-agent	2025-02-15 14:41:49 +01:00
Franziska Kunsmann	63779b6519	bundles/docker-engine: fix firewqall rules	2025-02-15 14:34:21 +01:00
Franziska Kunsmann	7df5570db8	bundles/redis: fix default for restrict-to	2025-02-15 12:59:49 +01:00
Franziska Kunsmann	2257e9a863	bundles/docker-immich: fix assers	2025-02-15 12:55:47 +01:00
Franziska Kunsmann	46381c63df	rottenraptor-server: get immich working again	2025-02-15 11:07:11 +01:00
Franziska Kunsmann	932ae43621	bundles/docker-engine: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAARGLLLLLLLLLLLLLLLLLLLLLLLLL networking is apparently hard	2025-02-15 11:06:46 +01:00
Franziska Kunsmann	5af3fbe3e0	bundles/redis: support 'restrict-to'	2025-02-15 10:33:25 +01:00
Franziska Kunsmann	463443e1e3	bundles/docker-engine: do not put containers on the host network	2025-02-15 10:32:56 +01:00
Franziska Kunsmann	aae1e8397e	proxmox-backupstorage: new server, new checks	2025-02-15 09:19:24 +01:00
Franziska Kunsmann	83730ccb6d	bundles/backup-server: ignore all non-digit snapshots when rotating	2025-02-15 08:51:07 +01:00
Franziska Kunsmann	a7a59fd690	bundles/backups-server: read backup snapshot info from file instead of asking zfs every time	2025-02-14 21:25:10 +01:00
Franziska Kunsmann	22263eaf6f	add new backup server	2025-02-14 19:33:52 +01:00
Franziska Kunsmann	f0031ef847	rottenraptor-server: new disks	2025-02-14 19:33:13 +01:00
Franziska Kunsmann	18b8c963ab	bundles/backup-server: support raid0-ing multiple raidz	2025-02-14 19:32:13 +01:00
Franziska Kunsmann	59596c08ae	update paperless-ngx to 2.14.7	2025-02-11 21:23:15 +01:00
Franziska Kunsmann	159701d7b8	update netbox to 4.2.3	2025-02-11 21:21:57 +01:00
Franziska Kunsmann	846f34b855	update matrix-media-repo to 1.3.8	2025-02-11 21:21:55 +01:00
Franziska Kunsmann	6d2aad20ba	update forgejo to 10.0.1	2025-02-11 21:21:53 +01:00
Franziska Kunsmann	0c1a96cb72	carlene: new ssd	2025-02-11 21:21:47 +01:00
Sophie Schiller	97f6e8538f	miniserver: element-web update	2025-02-06 23:37:00 +01:00
Franziska Kunsmann	8a6c0d9e95	rottenraptor-server new domain	2025-02-04 19:09:47 +01:00
Franziska Kunsmann	d258a02d46	update travelynx to 2.9.18	2025-01-26 09:38:30 +01:00
Sophie Schiller	037ec8e230	miniserver: postgres and element update	2025-01-14 21:30:22 +01:00
Franziska Kunsmann	774cdd65b9	carlene: remove nodejs	2025-01-14 20:01:06 +01:00
Franziska Kunsmann	d27a047db2	remote bundle:matrix-registration	2025-01-14 19:58:32 +01:00
Franziska Kunsmann	767fc06b72	carlene: remove element-web	2025-01-14 19:58:08 +01:00
Franziska Kunsmann	ecbb28d0ff	.envrc fix indentation	2025-01-12 10:58:24 +01:00
Franziska Kunsmann	0b09537ba4	dismantle all arch infrastructure	2025-01-06 20:25:38 +01:00
Franziska Kunsmann	5df7bdf2da	fix kunsis ssh key (again)	2025-01-06 19:46:13 +01:00
Franziska Kunsmann	46c761a3c2	home.nas: more weird avahi fixups	2025-01-06 19:44:41 +01:00
Franziska Kunsmann	1a34555530	bundles/rspamd: use metadata.get()	2025-01-06 19:44:06 +01:00
Franziska Kunsmann	f67de1ea1b	ihome.nas: disable ipv6 on avahi to try to mitigate intermittent problems	2025-01-05 10:46:51 +01:00
Franziska Kunsmann	d27c42d51a	home.nas: allow molly to coonect to mqtt	2024-12-31 13:17:25 +00:00
Franziska Kunsmann	fed3d5dfdc	correct kunsi ssh key	2024-12-31 13:17:07 +00:00
Franziska Kunsmann	68fced83d6	htz-cloud.wireguard: replace vpn of kunsi-p14s with apfelcomputer	2024-12-31 09:30:46 +00:00
Franziska Kunsmann	0b18ae0d1b	add new ssh key for kunsi	2024-12-28 17:26:55 +01:00
Franziska Kunsmann	b84bfb909f	fix update-ssh-client-config	2024-12-28 17:22:21 +01:00
Franziska Kunsmann	1c3768100c	update netbox to 4.1.10	2024-12-28 12:34:37 +01:00
Franziska Kunsmann	5afe534d9c	scripts/update-ssh-client-config: add configurable extra line	2024-12-28 12:34:25 +01:00
Franziska Kunsmann	3e6872c96b	add .envrc	2024-12-28 12:09:04 +01:00
Franziska Kunsmann	81376c950c	bundles/samba: increase time machine disk size	2024-12-28 10:26:30 +01:00
Franziska Kunsmann	9e2b36767f	home.nas: remove inbox user	2024-12-27 09:59:35 +01:00
Franziska Kunsmann	1c8d2ccb66	home.nas: add time machine share for apfelcomputer	2024-12-27 09:59:14 +01:00
Franziska Kunsmann	1c38551467	voc.infobeamer-cms: set default sso provider	2024-12-24 13:40:16 +01:00
Franziska Kunsmann	f3f78700e7	voc.infobeamer-cms: add 38c3 hub sso	2024-12-24 12:46:59 +01:00
Franziska Kunsmann	f06607df60	voc.infobeamer-cms: remove github admins of c3voc sso users	2024-12-23 19:27:34 +01:00
Franziska Kunsmann	158b091487	voc.infobeamer-cms: new sso setup	2024-12-23 19:06:19 +01:00
Franziska Kunsmann	1c1be571d8	update travelynx to 2.9.8	2024-12-23 13:41:24 +01:00
Franziska Kunsmann	0adf14a293	bundles/infobeamer-cms: times are in UTC, please	2024-12-23 10:15:00 +01:00
Franziska Kunsmann	0df4c8f75e	bump as3320 and as8881 routes	2024-12-23 09:56:55 +01:00
Franziska Kunsmann	c455718847	bundles/avahi-daemon: install more dependencies and limit to interfaces that are configured	2024-12-22 20:29:39 +01:00
Franziska Kunsmann	fe4cd98612	home.nas: prepare for time machine backups	2024-12-22 20:24:35 +01:00
Franziska Kunsmann	884c6f73af	home.nas: clean up some datasets	2024-12-22 20:24:20 +01:00
Franziska Kunsmann	ab717f62e7	bundles/samba: add code to show up as time machine backup target	2024-12-22 20:22:13 +01:00
Franziska Kunsmann	91432197e8	add bundle:avahi-daemon	2024-12-22 20:19:59 +01:00
Franziska Kunsmann	9395fcb7f5	home.nas: rename zpool	2024-12-22 20:01:26 +01:00
Franziska Kunsmann	17ff238b24	update postfixadmin to 3.3.15	2024-12-22 11:40:40 +01:00
Franziska Kunsmann	71705f8b23	update netbox to 4.1.9	2024-12-22 11:40:27 +01:00
Franziska Kunsmann	ca72edd775	update mautrix-whatsapp to 0.11.2	2024-12-22 11:40:06 +01:00
Franziska Kunsmann	c552dad9b4	update forgejo to 9.0.3	2024-12-22 11:39:53 +01:00
Franziska Kunsmann	54ccb5f44f	update element-web to 1.11.89	2024-12-22 11:39:37 +01:00
Franziska Kunsmann	4124e6788f	bundles/infobeamer-monitor: sort by device id	2024-12-22 11:32:35 +01:00
Franziska Kunsmann	9ba35569d6	home.hass: bump python version for home assistant	2024-12-22 05:25:44 +01:00
Franziska Kunsmann	6f6b1932e2	bundles/pretalx: fix syntax error	2024-12-22 05:03:54 +01:00
Franziska Kunsmann	958ea3c9e3	libs/tools: add option to only add private ips if system has only private ips	2024-12-22 04:59:55 +01:00
Franziska Kunsmann	12d179235e	bump nodejs versions	2024-12-22 04:59:29 +01:00
Franziska Kunsmann	6cd20c2e43	fix device names for s4, s5 and s6	2024-12-20 13:14:57 +01:00
Franziska Kunsmann	8f61fec65f	bundles/infobeamer-cms: ensure we have and use redis	2024-12-20 10:25:06 +01:00
Sophie Schiller	2f73aae13b	bw/ssl new cert for home.sophie	2024-12-19 03:15:27 +01:00
Franziska Kunsmann	58304bf5c6	voc.infobeamer-cms: add evilscientress and stblassitude	2024-12-18 10:44:10 +01:00
Franziska Kunsmann	bd2662b87a	update travelynx to 2.9.6	2024-12-12 11:02:14 +01:00
Franziska Kunsmann	316ba1c1c6	voc.infobeamer-cms: room names	2024-12-08 15:52:54 +01:00
Franziska Kunsmann	e55f32bfb6	use device serial if description is not set	2024-12-08 15:49:19 +01:00
Franziska Kunsmann	c084048905	home.nas: add samba share for various TV streams	2024-12-08 14:18:40 +01:00
Franziska Kunsmann	c03690fe88	bundles/pacman: always use linux-lts please	2024-12-08 14:10:59 +01:00
Franzi	3a8ea86aa1	Merge pull request 'sophie.unbound: new node' (#74 ) from unbound-sophie into main Reviewed-on: #74	2024-12-08 13:10:29 +00:00
Sophie Schiller	77b2d02e66	sophie.unbound: new node	2024-12-07 22:41:10 +01:00
Franziska Kunsmann	9c382ed8f5	bundles/systemd: move timezone information to metadata defaults	2024-12-02 20:18:32 +01:00
Sophie Schiller	3ad6a0fed8	miniserver: updates	2024-12-01 21:06:47 +01:00
Franziska Kunsmann	94868e726f	prepare for 38c3	2024-12-01 13:28:46 +01:00
Franzi	719b5f36ed	Merge pull request 'miniserverupdates' (#73 ) from miniserverupdates into main Reviewed-on: #73	2024-11-30 10:38:59 +00:00
Franziska Kunsmann	a6f29fe389	bump certificate for *.home.kunbox.net	2024-11-30 11:37:06 +01:00
Franziska Kunsmann	9be4ba75eb	update travelynx to 2.9.2	2024-11-30 11:35:05 +01:00
Franziska Kunsmann	49c5d0b1e3	update postfixadmin to 3.3.14	2024-11-30 11:34:53 +01:00
Franziska Kunsmann	19359f72e6	update netbox to 4.1.7	2024-11-30 11:34:39 +01:00
Franziska Kunsmann	ba1de350bb	update element-web to 1.11.85	2024-11-30 11:34:20 +01:00
Franziska Kunsmann	128a61706e	bundles/infobeamer-monitor: some more improvements in status display	2024-11-28 08:27:36 +01:00
Franziska Kunsmann	8e23747400	home.hass: remove nginx ip restriction	2024-11-28 08:27:17 +01:00
Franziska Kunsmann	3b608d95ec	add static ip reservation for mixer96 as well	2024-11-23 13:31:00 +01:00
Franziska Kunsmann	3a5db80843	bundles/icinga2: notify per sms if ntfy does not respond in time	2024-11-23 13:30:22 +01:00
Franziska Kunsmann	a9b16c18ad	bundles/postfix: remove smtp_use_tls option Log says: postconf: warning: /etc/postfix/main.cf: support for parameter "smtp_use_tls" will be removed; instead, specify "smtp_tls_security_level"	2024-11-22 20:50:52 +01:00
Franziska Kunsmann	8f705fc8e3	update mautrix-whatsapp to 0.11.1	2024-11-17 11:48:08 +01:00
Franziska Kunsmann	b3070a8b8b	bundles/infobeamer-monitor: announce online devices at 09:00 CE(S)T	2024-11-16 14:14:05 +01:00
Franziska Kunsmann	6a203085b9	bundles/pretalx: we do not need to regenerate_css anymore	2024-11-16 13:35:24 +01:00
Franziska Kunsmann	669b28f6ed	voc.pretalx: update to 2023.3.1	2024-11-16 13:02:39 +01:00
Franziska Kunsmann	9884b703cd	update forgejo to 9.0.2	2024-11-16 12:11:01 +01:00
Franziska Kunsmann	fa63ad72d5	update paperless-ngx to 2.13.5	2024-11-15 10:24:42 +01:00
Franziska Kunsmann	3a56995ab1	update netbox to 4.1.6	2024-11-15 10:24:28 +01:00
Franziska Kunsmann	50b71bc8b8	update element-web to 1.11.85	2024-11-15 10:24:13 +01:00
Franziska Kunsmann	fcd097599d	home.nas: samba share for music videos	2024-11-15 10:17:37 +01:00
Franziska Kunsmann	563ba266ff	fix icinga2 bundle (gpg key / packages)	2024-11-10 18:56:35 +01:00
Franziska Kunsmann	209dedccf9	`isort` the whole repo	2024-11-08 06:39:59 +01:00
Franziska Kunsmann	e51c24f837	bundles/powerdns: use repo commit time instead of file commit time for serial	2024-11-08 06:39:05 +01:00
Franziska Kunsmann	72638e0856	bundles/infobeamer-monitor: add account data monitoring	2024-11-03 17:51:12 +01:00
Franziska Kunsmann	2c83a5c4fc	voc.infobeamer-cms: prepare for 38c3	2024-10-31 16:58:26 +01:00
Franziska Kunsmann	ec49c8d3ff	voc.infobeamer-cms: hackint changed their webirc service	2024-10-31 16:36:07 +01:00
Sophie Schiller	c1c3e1f928	miniserver: diverse updates	2024-10-30 20:41:42 +01:00
Sophie Schiller	6f5b862a38	sophies backupserver hostname	2024-10-30 20:41:13 +01:00
Franziska Kunsmann	46ec4cc2e7	bundles/postgresql: please also always do dumps	2024-10-28 16:55:10 +01:00
Franziska Kunsmann	e29a838fad	bundles/forgejo: fix website_check_string	2024-10-28 16:54:53 +01:00
Franziska Kunsmann	f6cb540007	update paperless-ngx to 2.13.0	2024-10-28 16:17:16 +01:00
Franziska Kunsmann	6eb2c6651b	update netbox to 4.1.4	2024-10-28 16:16:48 +01:00
Franziska Kunsmann	c006748165	update mautrix-whatsapp to 0.11.0	2024-10-28 16:16:36 +01:00
Franziska Kunsmann	1be5ab268b	update forgejo to 9.0.1	2024-10-28 16:16:24 +01:00
Franziska Kunsmann	12c735f4aa	update element-web to 1.11.82	2024-10-28 16:16:10 +01:00
Franziska Kunsmann	9b0e627274	bundles/homeassistant: ensure virtualenv is in PATH	2024-10-27 17:45:22 +01:00
Franziska Kunsmann	4f0ced4d9a	bundles/homeassistant: fix version check	2024-10-27 17:37:14 +01:00
Franzi	af78e959ae	Merge pull request 'new-wildcard-sophies-kitchen' (#72 ) from new-wildcard-sophies-kitchen into main Reviewed-on: #72	2024-10-27 10:40:32 +00:00
Franziska Kunsmann	58964cc10f	bundles/rspamd: send dmarc report emails from devnull address	2024-10-27 11:21:12 +01:00
Franziska Kunsmann	ec8af84fb1	bundles/postfix: add devnull@myhostname mail address	2024-10-27 11:19:42 +01:00
Franziska Kunsmann	9bfb531214	kunsi-p14s: clean up packages	2024-10-27 11:19:26 +01:00
Franziska Kunsmann	84867ff1e6	bundles/postfix: provide myhostname from reactor	2024-10-27 11:19:05 +01:00
Franziska Kunsmann	6647e71484	rottenraptor-server: add docker-immich	2024-10-26 16:28:09 +02:00
Franziska Kunsmann	2e8cbd6061	add bundle:docker-immich	2024-10-26 16:27:54 +02:00
Franziska Kunsmann	453d2a7889	home.r630: add docker, fix firewall	2024-10-26 16:27:16 +02:00
Franziska Kunsmann	4238eeb6d8	add bundle:docker-engine	2024-10-26 16:25:54 +02:00
Franziska Kunsmann	729b975b77	bundles/redis: ensure protected mode is off	2024-10-26 16:25:06 +02:00
Franziska Kunsmann	c4e3d0abc2	bundles/nginx: we need a type definition for .mjs	2024-10-26 16:24:47 +02:00
Franziska Kunsmann	078d52c075	carlene: rework kunsitracker	2024-10-26 08:20:01 +02:00
Franziska Kunsmann	a83b380490	bundles/nginx: more config options	2024-10-26 08:19:43 +02:00
Franziska Kunsmann	ed9607433d	rottenraptor-server: add smartd and zfs	2024-10-24 19:25:23 +02:00
Franziska Kunsmann	d1b369fb26	bundles/smartd: do not try to guess disk names	2024-10-24 19:25:00 +02:00
Franziska Kunsmann	07a44598d2	rottenraptor-server is in its colo now	2024-10-24 18:18:35 +02:00
Franziska Kunsmann	e35fbdd183	add rottenraptor-server	2024-10-10 19:40:01 +02:00
Franziska Kunsmann	c5fb1b8a28	htz-cloud.wireguard: add wg connection to fra-jana	2024-10-10 19:39:38 +02:00
Franziska Kunsmann	814b67a9d0	voc.infobeamer-cms add v0tti to admins	2024-10-05 16:58:50 +02:00
Franziska Kunsmann	3ff7db7d6d	bundles/sshmon: more letsencrypt issuer hashes	2024-10-03 22:43:25 +02:00
Franziska Kunsmann	b57f205696	voc.infobeamer-cms: prepare for mrmcd24	2024-10-02 17:45:58 +02:00
Franziska Kunsmann	ef8d3368c1	voc.infobeamer-cms: add FAQ entries	2024-10-01 11:03:50 +02:00
Franziska Kunsmann	a5ea87b4e9	voc.infobeamer-cms: fix mqtt config	2024-10-01 10:53:04 +02:00
Franziska Kunsmann	df69b876a9	voc.infobeamer-cms: prepare for mrmcd	2024-09-30 22:40:07 +02:00
Franziska Kunsmann	4fbbf83952	update infobeamer-cms to debian bookworm	2024-09-30 22:24:53 +02:00
Franziska Kunsmann	a1d1351411	update infobeamer-cms to current version	2024-09-30 22:24:34 +02:00
Franziska Kunsmann	e2b430fd0e	update travelynx to 2.8.40	2024-09-30 10:21:05 +02:00
Franziska Kunsmann	663f7eec9f	remove finallycoffee.eu from trusted key servers	2024-09-30 10:20:57 +02:00
Franziska Kunsmann	95860e978b	remove htz-cloud.afra	2024-09-29 16:17:48 +02:00
Franziska Kunsmann	52e891d3a7	move afra.berlin redirect to carlene	2024-09-29 16:17:10 +02:00
Franziska Kunsmann	8ba63e112c	bundles/sshmon: fix SyntaxWarning	2024-09-27 10:22:58 +02:00
Franziska Kunsmann	67f901c1c9	bundles/powerdnsadmin: fix dependencies	2024-09-27 10:19:01 +02:00
Franziska Kunsmann	8c28d612cb	groups/sophie: fix group conflict	2024-09-27 10:16:07 +02:00
Franziska Kunsmann	54f669313a	home.nas: nas dataset goes ssd	2024-09-27 10:15:50 +02:00
Franziska Kunsmann	7b6d811128	bundles/sshmon: better cpu check	2024-09-27 10:02:27 +02:00
Franziska Kunsmann	2564f416c2	update paperless to 2.12.1	2024-09-27 08:51:20 +02:00
Franziska Kunsmann	8a28886012	update netbox to 4.1.2	2024-09-27 08:51:08 +02:00
Franziska Kunsmann	c699f0d510	update element-web to 1.11.78	2024-09-27 08:50:52 +02:00
Franziska Kunsmann	4a28bc55c0	bundles/homeassistant: rework check_homeassistant_update	2024-09-27 08:42:58 +02:00
Franziska Kunsmann	abdc7f751e	update pretalx-halfnarp to 1.1.2	2024-09-25 21:45:52 +02:00
Franziska Kunsmann	423049667f	bundles/nftables: improve handling for icmp	2024-09-23 18:09:49 +02:00
Franziska Kunsmann	c6421c7bd4	update travelynx to 2.8.39	2024-09-20 15:34:14 +02:00
Franziska Kunsmann	95c5b28469	basic monitoring for proxmox-backupstorage	2024-09-20 15:34:12 +02:00
Sophie Schiller	7dc0afe299	Merge pull request 'miniserver: element-web update' (#71 ) from updates into main Reviewed-on: #71	2024-09-19 20:59:48 +00:00
Sophie Schiller	0d28883da3	fix name of backup server	2024-09-19 22:55:15 +02:00
Sophie Schiller	8980c05c74	new wildcard for sophie's home infra	2024-09-19 22:52:01 +02:00
Franziska Kunsmann	9415b281ce	update travelynx to 2.8.38	2024-09-15 13:33:23 +02:00
Franziska Kunsmann	64fb1906d1	htz-hel.backup-kunsi: move scrub to wednesday	2024-09-15 10:27:08 +02:00
Franziska Kunsmann	ce76b03fe7	bundles/zfs: configurable scrub time	2024-09-15 10:26:51 +02:00
Franziska Kunsmann	a712c098c6	update netbox to 4.1.1	2024-09-14 18:32:39 +02:00
Franziska Kunsmann	ec834f2a92	update element-web to 1.11.77	2024-09-14 18:32:27 +02:00
Franziska Kunsmann	aa30b78fcf	remove daisy	2024-09-14 18:29:55 +02:00
Franziska Kunsmann	be3a7a44d6	home.nas: new ssd-based pool	2024-09-12 19:58:15 +02:00
Franziska Kunsmann	2e72f107e9	update paperles to 2.12.0	2024-09-10 06:15:48 +02:00
Franziska Kunsmann	07f6fb99f2	bundles/backup-server: more time for monitoring please	2024-09-10 06:14:55 +02:00
Franziska Kunsmann	3f9f84f230	home.paperless: add proftpd for paperless ingest	2024-09-08 19:42:27 +02:00
Franziska Kunsmann	40fcaf56ee	add home.fujitsu-n7100	2024-09-08 19:42:15 +02:00
Franziska Kunsmann	06a94d7cba	home.nas: clean up nodefile	2024-09-08 17:19:13 +02:00
Franziska Kunsmann	6483f863ff	bundles/rsyslogd: add backups	2024-09-08 17:19:03 +02:00
Franziska Kunsmann	3a52cf55c4	remove bundle:scansnap	2024-09-08 17:17:25 +02:00
Franziska Kunsmann	455c5c5ce5	update as3320 and as8881	2024-09-07 13:01:37 +02:00
Franziska Kunsmann	5e55dc6fb9	update forgejo to 8.0.3	2024-09-07 09:09:03 +02:00
Franziska Kunsmann	d5881da154	fix sophie backup locations	2024-09-07 09:07:40 +02:00