From 1c0a3ee8e7883e67c32b040fc02cc0affac7fc79 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sat, 20 Feb 2021 16:50:38 +0100 Subject: [PATCH 01/42] bundles/postgresql: fix postgresql config path --- bundles/postgresql/items.py | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/bundles/postgresql/items.py b/bundles/postgresql/items.py index f1d2953..f48ad74 100644 --- a/bundles/postgresql/items.py +++ b/bundles/postgresql/items.py @@ -25,10 +25,10 @@ directories = { }, # This is needed so the above purge does not remove the version # currently installed. - '/etc/postgresql/{}'.format(postgresql_version): { - 'owner': None, - 'group': None, - 'mode': None, + '/etc/postgresql/{}/main'.format(postgresql_version): { + 'owner': 'postgres', + 'group': 'postgres', + 'mode': '0755', }, } -- 2.39.5 From 97a1b3ae855b387b7ec63f38ad615b55c71dc581 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sat, 20 Feb 2021 16:51:34 +0100 Subject: [PATCH 02/42] bundles/zfs: add comment to action:modprobe-zfs --- bundles/zfs/items.py | 1 + 1 file changed, 1 insertion(+) diff --git a/bundles/zfs/items.py b/bundles/zfs/items.py index ad09841..1322250 100644 --- a/bundles/zfs/items.py +++ b/bundles/zfs/items.py @@ -19,6 +19,7 @@ actions = { 'zfs_dataset:', 'zfs_pool:', }, + 'comment': 'If this fails, do a dist-upgrade, reinstall zfs-dkms, reboot', }, } -- 2.39.5 From ad5c8cc0ab63851287fbe5d0f523563577892ca8 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sat, 20 Feb 2021 17:30:38 +0100 Subject: [PATCH 03/42] bundles/postfix: only get certificate if actually needed --- bundles/letsencrypt/files/domains.txt | 2 -- bundles/postfix/metadata.py | 11 ++++------- 2 files changed, 4 insertions(+), 9 deletions(-) diff --git a/bundles/letsencrypt/files/domains.txt b/bundles/letsencrypt/files/domains.txt index d9d7824..ea7e427 100644 --- a/bundles/letsencrypt/files/domains.txt +++ b/bundles/letsencrypt/files/domains.txt 
@@ -1,5 +1,3 @@ -${node.metadata['hostname']} - % for domain, aliases in sorted(node.metadata.get('letsencrypt/domains', {}).items()): ${domain} ${' '.join(sorted(aliases))} % endfor diff --git a/bundles/postfix/metadata.py b/bundles/postfix/metadata.py index 4399e3b..9899988 100644 --- a/bundles/postfix/metadata.py +++ b/bundles/postfix/metadata.py @@ -49,7 +49,7 @@ else: 'letsencrypt/reload_after', ) def letsencrypt(metadata): - if not node.has_bundle('letsencrypt'): + if not node.has_bundle('letsencrypt') or not node.has_bundle('postfixadmin'): raise DoNotRunAgain result = { @@ -58,12 +58,9 @@ def letsencrypt(metadata): }, } - myhostname = metadata.get('postfix/myhostname', None) - - if myhostname and myhostname != metadata.get('hostname'): - result['domains'] = { - myhostname: set(), - } + result['domains'] = { + metadata.get('postfix/myhostname', metadata.get('hostname')): set(), + } return { 'letsencrypt': result, -- 2.39.5 From e2d7d057838f304b01a95f0c3abf5cdfb9b87ea5 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sat, 20 Feb 2021 17:35:45 +0100 Subject: [PATCH 04/42] bundles/systemd-networkd: manage apt packages via bundle:apt --- bundles/systemd-networkd/items.py | 6 ------ bundles/systemd-networkd/metadata.py | 11 +++++++++++ 2 files changed, 11 insertions(+), 6 deletions(-) diff --git a/bundles/systemd-networkd/items.py b/bundles/systemd-networkd/items.py index 6d068d4..aa2084c 100644 --- a/bundles/systemd-networkd/items.py +++ b/bundles/systemd-networkd/items.py @@ -1,11 +1,5 @@ assert node.has_bundle('systemd') -pkg_apt = { - 'resolvconf': { - 'installed': False, - }, -} - files = { '/etc/network/interfaces': { 'delete': True, diff --git a/bundles/systemd-networkd/metadata.py b/bundles/systemd-networkd/metadata.py index 54579e4..e8dff0e 100644 --- a/bundles/systemd-networkd/metadata.py +++ b/bundles/systemd-networkd/metadata.py 
@@ -1,3 +1,14 @@ +defaults = { + 'apt': { + 'packages': { + 'resolvconf': { + 'installed': False, + }, + }, + }, +} + + @metadata_reactor.provides( 'interfaces', ) -- 2.39.5 From 5433859a86ff45a495416b3facb95107a73986c8 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sat, 20 Feb 2021 17:38:11 +0100 Subject: [PATCH 05/42] bundles/letsencrypt: also check for chain.pem, nginx needs this --- bundles/letsencrypt/files/letsencrypt-ensure-some-certificate | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/bundles/letsencrypt/files/letsencrypt-ensure-some-certificate b/bundles/letsencrypt/files/letsencrypt-ensure-some-certificate index 45f474a..e0248cb 100644 --- a/bundles/letsencrypt/files/letsencrypt-ensure-some-certificate +++ b/bundles/letsencrypt/files/letsencrypt-ensure-some-certificate @@ -6,7 +6,7 @@ just_check=$2 cert_path="/var/lib/dehydrated/certs/$domain" already_exists=false -if [ -f "$cert_path/privkey.pem" -a -f "$cert_path/fullchain.pem" ] +if [ -f "$cert_path/privkey.pem" -a -f "$cert_path/fullchain.pem" -a -f "$cert_path/chain.pem" ] then already_exists=true fi @@ -23,6 +23,7 @@ fi if [ "$already_exists" != true ] then + rm -r "$cert_path" mkdir -p "$cert_path" openssl req -x509 -newkey rsa:4096 -nodes -days 3650 -subj "/CN=$domain" -keyout "$cert_path/privkey.pem" -out "$cert_path/fullchain.pem" chmod 0600 "$cert_path/privkey.pem" -- 2.39.5 From 9b7454b57cf470f52b86c39f417b500d659ab89a Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sat, 20 Feb 2021 18:06:20 +0100 Subject: [PATCH 06/42] nodes/htz.ex42-1048908: add pkg_apt:mosh --- nodes/htz/ex42-1048908.py | 1 + 1 file changed, 1 insertion(+) diff --git a/nodes/htz/ex42-1048908.py b/nodes/htz/ex42-1048908.py index 247534c..a408cf2 100644 --- a/nodes/htz/ex42-1048908.py +++ b/nodes/htz/ex42-1048908.py 
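Review bot: `rm -r "$cert_path"` now runs whenever any of the three files is missing, so it also deletes an existing privkey.pem/fullchain.pem pair that merely lacks chain.pem, and because `$domain` comes from `$1` (set outside the hunk) an empty argument collapses the path to the whole certs directory. The visible openssl call writes only privkey.pem and fullchain.pem, so unless a line below the hunk creates chain.pem the new condition is never satisfied and the self-signed fallback is deleted and regenerated on every run. I would guard and scope the removal, `[ -n "$domain" ] || exit 1` near the top and `rm -rf -- "$cert_path"` here, and have the self-signed branch also write `chain.pem` (a copy of fullchain.pem should satisfy nginx). The remainder of the script lies outside the hunk.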
@@ -49,6 +49,7 @@ nodes['htz.ex42-1048908'] = { # No need to create a bundle just to install packages, # configs will be managed by users nevertheless. + 'mosh': {}, 'weechat': {}, 'weechat-core': {}, 'weechat-curses': {}, -- 2.39.5 From 1f3e7afb2c2cb7c50843cecc846ea4477b518bba Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sat, 20 Feb 2021 16:53:35 +0100 Subject: [PATCH 07/42] bundles/pleroma: initial NON-WORKING version --- .editorconfig | 3 ++ PORT_MAP.md | 6 +-- bundles/pleroma/files/pleroma.config.exs | 44 +++++++++++++++++++ bundles/pleroma/items.py | 55 ++++++++++++++++++++++++ bundles/pleroma/metadata.py | 31 +++++++++++++ 5 files changed, 134 insertions(+), 5 deletions(-) create mode 100644 bundles/pleroma/files/pleroma.config.exs create mode 100644 bundles/pleroma/items.py create mode 100644 bundles/pleroma/metadata.py diff --git a/.editorconfig b/.editorconfig index 2b2153d..e09c9dd 100644 --- a/.editorconfig +++ b/.editorconfig @@ -11,6 +11,9 @@ insert_final_newline = true [*.yaml] indent_size = 2 +[*.exs] +indent_size = 2 + # possibly sql dumps [*.sql] indent_size = unset diff --git a/PORT_MAP.md b/PORT_MAP.md index 1111ee5..fe5117b 100644 --- a/PORT_MAP.md +++ b/PORT_MAP.md @@ -6,11 +6,6 @@ easily find available ports for other bundles. ## TCP Rule of thumb: keep ports below 10000 free for stuff that reserves ports. -| Port range | reserved for | -| ----------- | ------------ | -| 200.. | Matrix | -| 220.. | Generic Web services | - | Port | bundle | usage | | ----------- | -------------------- | ----- | | 22 | | sshd | @@ -38,6 +33,7 @@ Rule of thumb: keep ports below 10000 free for stuff that reserves ports. | 20080 | matrix-synapse | client, federation | | 20081 | matrix-synapse | prometheus metrics | | 20090 | matrix-media-repo | media_repo | +| 21000 | pleroma | pleroma | | 22000 | gitea | gitea | | 22010 | jenkins-ci | Jenkins CI | | 22020 | travelynx | Travelynx Web | 
diff --git a/bundles/pleroma/files/pleroma.config.exs b/bundles/pleroma/files/pleroma.config.exs new file mode 100644 index 0000000..27564a8 --- /dev/null +++ b/bundles/pleroma/files/pleroma.config.exs @@ -0,0 +1,44 @@ +import Config + +config :pleroma, Pleroma.Web.Endpoint, + url: [host: "${node.metadata['pleroma']['url']}", scheme: "https", port: 443], + http: [port: 21000, ip: {127, 0, 0, 1}], + secret_key_base: "${node.metadata['pleroma']['secret_key']}", + secure_cookie_flag: true + +config :pleroma, :http_security, + enabled: false, + sts: true, + referrer_policy: "same-origin" + +config :pleroma, :instance, + name: "${node.metadata['pleroma']['title']}", + description: "${node.metadata['pleroma']['description']}", + email: "${node.metadata['pleroma']['admin_email']}", + limit: ${node.metadata['pleroma'].get('limit_chars', 500)}, + registrations_open: ${str(node.metadata['pleroma'].get('signup_enabled', False)).lower()}, + invites_enabled: ${str(node.metadata['pleroma'].get('invite_enabled', True)).lower()}, + static_dir: "/var/pleroma/static/" + +config :pleroma, Pleroma.Upload, + uploader: Pleroma.Uploaders.Local, + filters: [Pleroma.Upload.Filter.Dedupe] + +config :pleroma, Pleroma.Uploaders.Local, + uploads: "/var/pleroma/uploads/" + +config :pleroma, :media_proxy, + enabled: false, + redirect_on_failure: true + #base_url: "https://cache.pleroma.social" + +# Configure your database +config :pleroma, Pleroma.Repo, + adapter: Ecto.Adapters.Postgres, + username: "pleroma", + password: "${node.metadata['postgresql']['roles']['pleroma']['password']}", + database: "pleroma", + hostname: "localhost", + pool_size: 10, + timeout: 60000, + pool_timeout: 60000 diff --git a/bundles/pleroma/items.py b/bundles/pleroma/items.py new file mode 100644 index 0000000..dac7c34 --- /dev/null +++ b/bundles/pleroma/items.py 
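Review bot: `enabled: false` under `:http_security` turns off Pleroma's security-header plug, so the `sts: true` and `referrer_policy` lines directly below it have no effect and the instance ships without HSTS, CSP or referrer headers from the application. If the intent is to let nginx set those headers instead, a one-line comment saying so would stop a reader from assuming the two settings beneath are live; patch 10 later deletes the whole block, which restores Pleroma's default. The template also renders `secret_key_base` and the database password in clear text, which is expected for a config file but makes the permissions of the rendered file (set in items.py, not here) the thing to check.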
@@ -0,0 +1,55 @@ +version = node.metadata['pleroma']['version'] + +users = { + 'pleroma': { + 'home': '/opt/pleroma', + }, +} + +directories = { + '/opt/pleroma': {}, + '/var/pleroma': { + 'owner': 'pleroma', + }, + '/var/pleroma/uploads': { + 'owner': 'pleroma', + }, + '/var/pleroma/static': { + 'owner': 'pleroma', + }, + '/var/pleroma/static/emoji': { + 'owner': 'pleroma', + }, +} + +if node.has_bundle('zfs'): + directories['/var/pleroma']['needs'] = { + 'zfs_dataset:tank/pleroma-data', + } + +actions = { + 'pleroma_download_release': { + 'command': \ + 'cd /opt/pleroma/ && '\ + f'wget -O/opt/pleroma/pleroma.zip https://git.pleroma.social/api/v4/projects/2/jobs/artifacts/stable/download?job=amd64 && '\ + 'rm -rf release && '\ + 'unzip /opt/pleroma/pleroma.zip', + 'unless': f'[ "$(cat /opt/pleroma/.bundlewrap_installed_version)" = "{version}" ]', + 'needs': { + 'directory:/opt/pleroma', + }, + }, + 'pleroma_create_schema': { + 'triggered': True, + 'command': 'sudo -u pleroma /opt/pleroma/src/rel/files/bin/pleroma_ctl create', + 'triggered_by': { + 'postgres_db:pleroma', + }, + }. +} + +files = { + '/opt/pleroma/pleroma.config.exs': { + 'content_type': 'mako', + }, +} diff --git a/bundles/pleroma/metadata.py b/bundles/pleroma/metadata.py new file mode 100644 index 0000000..d60250f --- /dev/null +++ b/bundles/pleroma/metadata.py @@ -0,0 +1,31 @@ +defaults = { + 'apt': { + 'packages': { + 'imagemagick': {}, + 'ffmpeg': {}, + 'libimage-exiftool-perl': {}, + }, + }, + 'zfs': { + 'datasets': { + 'tank/pleroma-data': { + 'mountpoint': '/var/pleroma', + }, + }, + }, + 'pleroma': { + 'admin_email': 'pleroma@{}'.format(node.hostname), + }, + 'postgresql': { + 'roles': { + 'pleroma': { + 'password': repo.vault.password_for(f'{node.name} postgresql pleroma'), + }, + }, + 'databases': { + 'pleroma': { + 'owner': 'pleroma', + }, + }, + }, +} -- 2.39.5 From 33fb9fb3f52bd6322c31afa29cf93bec36b114ba Mon Sep 17 00:00:00 2001 
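Review bot: The `files` item for `/opt/pleroma/pleroma.config.exs` sets neither `owner` nor `mode`, yet the template renders `secret_key_base` and the Postgres password into it, so with bundlewrap's usual root-owned 0644 default the secrets are readable by every local account on the host. I would add `'owner': 'root', 'group': 'pleroma', 'mode': '0640',` so the service and the `sudo -u pleroma` action can still read it but nothing else can; patch 09's items.py hunk extends this same item with `triggers` and keeps the omission. The `pleroma_download_release` action is also worth a comment stating that `.bundlewrap_installed_version` is the marker that makes it idempotent, since nothing in this hunk writes that file yet.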
From: Franziska Kunsmann Date: Sat, 20 Feb 2021 16:53:59 +0100 Subject: [PATCH 08/42] nodes/htz-cloud.pleroma: introduce --- .../files/bind-zones/cybert-media.net | 7 +++ nodes/htz-cloud/pleroma.py | 51 +++++++++++++++++++ 2 files changed, 58 insertions(+) create mode 100644 data/powerdns/files/bind-zones/cybert-media.net create mode 100644 nodes/htz-cloud/pleroma.py diff --git a/data/powerdns/files/bind-zones/cybert-media.net b/data/powerdns/files/bind-zones/cybert-media.net new file mode 100644 index 0000000..1e50f26 --- /dev/null +++ b/data/powerdns/files/bind-zones/cybert-media.net @@ -0,0 +1,7 @@ +${header} + +$ORIGIN cybert-media.net. + +@ IN A 159.69.11.231 + IN AAAA 2a01:4f8:c2c:c410::1 + IN TXT "v=spf1 a ~all" diff --git a/nodes/htz-cloud/pleroma.py b/nodes/htz-cloud/pleroma.py new file mode 100644 index 0000000..118b4d7 --- /dev/null +++ b/nodes/htz-cloud/pleroma.py @@ -0,0 +1,51 @@ +nodes['htz-cloud.pleroma'] = { + 'bundles': { + 'pleroma', + 'postgresql', + 'zfs', + }, + 'groups': { + 'debian-buster', + 'webserver', + }, + 'metadata': { + 'interfaces': { + 'eth0': { + 'ips': { + '159.69.11.231', + '2a01:4f8:c2c:c410::1/64', + }, + 'gateway4': '172.31.1.1', + 'gateway6': 'fe80::1', + }, + }, + 'backups': { + 'exclude_from_backups': True, + }, + 'nginx': { + 'vhosts': { + 'pleroma': { + 'domain': 'cybert-media.net', + }, + }, + }, + 'pleroma': { + 'version': '2.2.2', + 'url': 'cybert-media.net', + 'title': 'CYBERt Media', + 'description': '', + 'secret_key': vault.decrypt('encrypt$gAAAAABgMSibWavxv69eNmzAtQRSeFMtaXdkc1K2fklFMDsBJk2Rcmhak5tAVVqkemtnc96Q-Ad_FrdQM9wyuqUQnUEkIr1zScInJZsbf-QCoD02yX7Gktizmlc0aUjF1HO3rdtX9TeW'), + }, + 'vm': { + 'cpu': 1, + 'ram': 2, + }, + 'zfs': { + 'pools': { + 'tank': { + 'device': '/dev/sdb', + }, + }, + }, + }, +} -- 2.39.5 From f8c157ce502f3014718978293e3f187b45978343 Mon Sep 17 00:00:00 2001 
From: Franziska Kunsmann Date: Sat, 20 Feb 2021 19:37:33 +0100 Subject: [PATCH 09/42] bundles/pleroma: get it working --- bundles/pleroma/files/pleroma.config.exs | 3 +- bundles/pleroma/files/pleroma.service | 23 ++++++++++ bundles/pleroma/items.py | 45 ++++++++++++++++--- bundles/pleroma/metadata.py | 24 ++++++++++ .../files/extras/htz-cloud.pleroma/pleroma | 1 + nodes/htz-cloud/pleroma.py | 4 +- 6 files changed, 90 insertions(+), 10 deletions(-) create mode 100644 bundles/pleroma/files/pleroma.service create mode 100644 data/nginx/files/extras/htz-cloud.pleroma/pleroma diff --git a/bundles/pleroma/files/pleroma.config.exs b/bundles/pleroma/files/pleroma.config.exs index 27564a8..f58705f 100644 --- a/bundles/pleroma/files/pleroma.config.exs +++ b/bundles/pleroma/files/pleroma.config.exs @@ -40,5 +40,4 @@ config :pleroma, Pleroma.Repo, database: "pleroma", hostname: "localhost", pool_size: 10, - timeout: 60000, - pool_timeout: 60000 + timeout: 60000 diff --git a/bundles/pleroma/files/pleroma.service b/bundles/pleroma/files/pleroma.service new file mode 100644 index 0000000..1fc7c0b --- /dev/null +++ b/bundles/pleroma/files/pleroma.service @@ -0,0 +1,23 @@ +[Unit] +Description=Pleroma social network +After=network.target +Requires=postgresql.service + +[Service] +User=pleroma +WorkingDirectory=/opt/pleroma +Environment="HOME=/opt/pleroma" +Environment="PLEROMA_CONFIG_PATH=/opt/pleroma/pleroma.config.exs" +Environment="PLUG_TMPDIR=/tmp/pleroma" +ExecStart=/opt/pleroma/release/bin/pleroma start +ExecStop=/opt/pleroma/release/bin/pleroma stop +Restart=on-failure + +PrivateTmp=true +ProtectHome=true +ProtectSystem=full +NoNewPrivileges=true +CapabilityBoundingSet=~CAP_SYS_ADMIN + +[Install] +WantedBy=multi-user.target diff --git a/bundles/pleroma/items.py b/bundles/pleroma/items.py index dac7c34..a03b973 100644 --- a/bundles/pleroma/items.py +++ b/bundles/pleroma/items.py 
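Review bot: `Requires=postgresql.service` is set but `After=` names only `network.target`, so systemd may start pleroma concurrently with PostgreSQL and the first start can fail until `Restart=on-failure` retries; `After=network.target postgresql.service` gives the ordering the dependency implies. On hardening, `ProtectSystem=full` leaves `/opt/pleroma` and `/var/pleroma` writable, and the items.py hunk that follows chowns the unpacked release to the service user, so a compromised process could rewrite its own code; `ProtectSystem=strict` with `ReadWritePaths=/var/pleroma` would confine writes to data, provided the release does not need to write under `/opt/pleroma` at runtime. `CapabilityBoundingSet=~CAP_SYS_ADMIN` drops a single capability, whereas a service running as an unprivileged `User=` normally needs none, so an empty `CapabilityBoundingSet=` is the tighter and simpler form.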
@@ -31,25 +31,58 @@ actions = {
 'pleroma_download_release': {
 'command': \
 'cd /opt/pleroma/ && '\
- f'wget -O/opt/pleroma/pleroma.zip https://git.pleroma.social/api/v4/projects/2/jobs/artifacts/stable/download?job=amd64 && '\
+ f'wget -O/opt/pleroma/pleroma.zip https://git.pleroma.social/api/v4/projects/2/jobs/artifacts/release/{version}/download?job=amd64 && '\
 'rm -rf release && '\
- 'unzip /opt/pleroma/pleroma.zip',
+ 'unzip /opt/pleroma/pleroma.zip && '\
+ 'chown -R pleroma:pleroma /opt/pleroma/release && '\
+ f'echo -n "{version}" > /opt/pleroma/.bundlewrap_installed_version',
 'unless': f'[ "$(cat /opt/pleroma/.bundlewrap_installed_version)" = "{version}" ]',
 'needs': {
 'directory:/opt/pleroma',
 },
+ 'preceded_by': {
+ 'svc_systemd:pleroma:stop',
+ },
+ 'triggers': {
+ 'action:pleroma_migrate_database',
+ 'svc_systemd:pleroma:restart',
+ },
 },
- 'pleroma_create_schema': {
+ 'pleroma_migrate_database': {
 'triggered': True,
- 'command': 'sudo -u pleroma /opt/pleroma/src/rel/files/bin/pleroma_ctl create',
- 'triggered_by': {
+ 'command': \
+ 'echo "CREATE EXTENSION IF NOT EXISTS citext;" | psql pleroma && '\
+ 'echo "CREATE EXTENSION IF NOT EXISTS pg_trgm;" | psql pleroma && '\
+ 'echo "CREATE EXTENSION IF NOT EXISTS \\\"uuid-ossp\\\";" | psql pleroma && '\
+ 'sudo -u pleroma PLEROMA_CONFIG_PATH=/opt/pleroma/pleroma.config.exs /opt/pleroma/release/bin/pleroma_ctl create',
+ 'needs': {
 'postgres_db:pleroma',
 },
- }.
+ },
 }
 
 files = {
+ '/etc/systemd/system/pleroma.service': {
+ 'triggers': {
+ 'action:systemd-reload',
+ 'svc_systemd:pleroma:restart',
+ },
+ },
 '/opt/pleroma/pleroma.config.exs': {
 'content_type': 'mako',
+ 'triggers': {
+ 'svc_systemd:pleroma:restart',
+ },
+ },
+}
+
+svc_systemd = {
+ 'pleroma': {
+ 'needs': {
+ 'action:pleroma_download_release',
+ 'action:pleroma_migrate_database',
+ 'file:/etc/systemd/system/pleroma.service',
+ 'file:/opt/pleroma/pleroma.config.exs',
+ },
 },
 }
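Review bot: The release is fetched with plain `wget` from the GitLab artifact URL and unpacked straight into the directory the service runs from, with no checksum or signature verification, so the deployment trusts whatever the artifact store serves at that moment (patch 07's `stable` URL had the same gap; pinning `{version}` narrows it but does not close it). Keeping an expected digest next to the version in node metadata and inserting `f'echo "{expected_sha256}  /opt/pleroma/pleroma.zip" | sha256sum -c - && '\` before `rm -rf release` (metadata key name illustrative) turns a tampered or truncated download into a failed action instead of a replaced release. Separately, `chown -R pleroma:pleroma /opt/pleroma/release` makes the service user owner of its own binaries; `root:pleroma` with group read and execute would suffice unless the release needs to write there at runtime. The action is named `pleroma_migrate_database` but only runs `pleroma_ctl create`; if, as I recall, migrations are a separate `pleroma_ctl migrate` step, a version bump triggers this action without migrating the schema — worth confirming against the Pleroma release docs.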
diff --git a/bundles/pleroma/metadata.py b/bundles/pleroma/metadata.py index d60250f..1cf5a74 100644 --- a/bundles/pleroma/metadata.py +++ b/bundles/pleroma/metadata.py @@ -29,3 +29,27 @@ defaults = { }, }, } + + +@metadata_reactor.provides( + 'nginx/vhosts/pleroma', +) +def nginx(metadata): + if not node.has_bundle('nginx'): + raise DoNotRunAgain + + return { + 'nginx': { + 'vhosts': { + 'pleroma': { + 'domain': metadata.get('pleroma/url'), + 'proxy': { + '/': { + 'target': 'http://127.0.0.1:21000', + 'websockets': True, + }, + }, + }, + }, + }, + } diff --git a/data/nginx/files/extras/htz-cloud.pleroma/pleroma b/data/nginx/files/extras/htz-cloud.pleroma/pleroma new file mode 100644 index 0000000..05771c4 --- /dev/null +++ b/data/nginx/files/extras/htz-cloud.pleroma/pleroma @@ -0,0 +1 @@ + client_max_body_size 16m; diff --git a/nodes/htz-cloud/pleroma.py b/nodes/htz-cloud/pleroma.py index 118b4d7..a4d2afc 100644 --- a/nodes/htz-cloud/pleroma.py +++ b/nodes/htz-cloud/pleroma.py @@ -25,7 +25,7 @@ nodes['htz-cloud.pleroma'] = { 'nginx': { 'vhosts': { 'pleroma': { - 'domain': 'cybert-media.net', + 'extras': True, }, }, }, @@ -34,7 +34,7 @@ nodes['htz-cloud.pleroma'] = { 'url': 'cybert-media.net', 'title': 'CYBERt Media', 'description': '', - 'secret_key': vault.decrypt('encrypt$gAAAAABgMSibWavxv69eNmzAtQRSeFMtaXdkc1K2fklFMDsBJk2Rcmhak5tAVVqkemtnc96Q-Ad_FrdQM9wyuqUQnUEkIr1zScInJZsbf-QCoD02yX7Gktizmlc0aUjF1HO3rdtX9TeW'), + 'secret_key': vault.decrypt('encrypt$gAAAAABgMVXXclfxVY022fM0Fdf94Oh3sxVlK0lYyBO_CsQFEbZcMua3w1oJY8_9d1JcrCJSSeBRTDnt-ZkRCQ6xKoALo8Rl7s9DPxa7J0vHdkggeZ3IHaOyXBcBPdx8vILyKDLHRXacaynOUBOjy6RIl6Qf2wH1ASbphCcjD-Njricg4PG6Rcixm87fF60rLBjAAkRoz5ZQnXlut1rhjLj-z-7UpA68fkeyPVJXbroWBJdmvCUt92dwjuGARsku2XI22mVvjtJJ'), }, 'vm': { 'cpu': 1, -- 2.39.5 From 017c2c342139f8e2532367d670f4b5898b05ecd2 Mon Sep 17 00:00:00 2001 
From: Franziska Kunsmann Date: Sat, 20 Feb 2021 20:02:26 +0100 Subject: [PATCH 10/42] bundles/pleroma: allow database configuration --- bundles/pleroma/files/pleroma.config.exs | 14 +++----------- bundles/pleroma/metadata.py | 8 +++++--- nodes/htz-cloud/pleroma.py | 3 --- 3 files changed, 8 insertions(+), 17 deletions(-) diff --git a/bundles/pleroma/files/pleroma.config.exs b/bundles/pleroma/files/pleroma.config.exs index f58705f..64c2c0b 100644 --- a/bundles/pleroma/files/pleroma.config.exs +++ b/bundles/pleroma/files/pleroma.config.exs @@ -1,23 +1,15 @@ import Config +config :pleroma, + configurable_from_database: true + config :pleroma, Pleroma.Web.Endpoint, url: [host: "${node.metadata['pleroma']['url']}", scheme: "https", port: 443], http: [port: 21000, ip: {127, 0, 0, 1}], secret_key_base: "${node.metadata['pleroma']['secret_key']}", secure_cookie_flag: true -config :pleroma, :http_security, - enabled: false, - sts: true, - referrer_policy: "same-origin" - config :pleroma, :instance, - name: "${node.metadata['pleroma']['title']}", - description: "${node.metadata['pleroma']['description']}", - email: "${node.metadata['pleroma']['admin_email']}", - limit: ${node.metadata['pleroma'].get('limit_chars', 500)}, - registrations_open: ${str(node.metadata['pleroma'].get('signup_enabled', False)).lower()}, - invites_enabled: ${str(node.metadata['pleroma'].get('invite_enabled', True)).lower()}, static_dir: "/var/pleroma/static/" config :pleroma, Pleroma.Upload, diff --git a/bundles/pleroma/metadata.py b/bundles/pleroma/metadata.py index 1cf5a74..8ba5634 100644 --- a/bundles/pleroma/metadata.py +++ b/bundles/pleroma/metadata.py @@ -6,6 +6,11 @@ defaults = { 'libimage-exiftool-perl': {}, }, }, + 'backups': { + 'paths': { + '/var/pleroma', + }, + }, 'zfs': { 'datasets': { 'tank/pleroma-data': { @@ -13,9 +18,6 @@ defaults = { }, }, }, - 'pleroma': { - 'admin_email': 'pleroma@{}'.format(node.hostname), - }, 'postgresql': { 'roles': { 'pleroma': { 
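Review bot: Enabling `configurable_from_database` while deleting the `:instance` and `:http_security` settings moves registration, invite and security-header policy out of version control into the database, and nothing in the remaining lines tells a reader where those values now live or who can change them. A short comment above the new block, for example `# instance/http_security settings are managed at runtime via the admin API and stored in the database`, would record that decision; if the database is what now holds security policy, it also needs to be in the backup set, which this series does not show beyond the `/var/pleroma` path added in metadata.py.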
diff --git a/nodes/htz-cloud/pleroma.py b/nodes/htz-cloud/pleroma.py index a4d2afc..add2d60 100644 --- a/nodes/htz-cloud/pleroma.py +++ b/nodes/htz-cloud/pleroma.py @@ -31,9 +31,6 @@ nodes['htz-cloud.pleroma'] = { }, 'pleroma': { 'version': '2.2.2', - 'url': 'cybert-media.net', - 'title': 'CYBERt Media', - 'description': '', 'secret_key': vault.decrypt('encrypt$gAAAAABgMVXXclfxVY022fM0Fdf94Oh3sxVlK0lYyBO_CsQFEbZcMua3w1oJY8_9d1JcrCJSSeBRTDnt-ZkRCQ6xKoALo8Rl7s9DPxa7J0vHdkggeZ3IHaOyXBcBPdx8vILyKDLHRXacaynOUBOjy6RIl6Qf2wH1ASbphCcjD-Njricg4PG6Rcixm87fF60rLBjAAkRoz5ZQnXlut1rhjLj-z-7UpA68fkeyPVJXbroWBJdmvCUt92dwjuGARsku2XI22mVvjtJJ'), }, 'vm': { -- 2.39.5 From ca857091e43ff5fce751d507be9a6bc478139315 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sat, 20 Feb 2021 20:45:53 +0100 Subject: [PATCH 11/42] nodes/htz-cloud.pleroma: auto activate users with work email address --- nodes/htz-cloud/pleroma.py | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/nodes/htz-cloud/pleroma.py b/nodes/htz-cloud/pleroma.py index add2d60..352d9f3 100644 --- a/nodes/htz-cloud/pleroma.py +++ b/nodes/htz-cloud/pleroma.py @@ -22,6 +22,9 @@ nodes['htz-cloud.pleroma'] = { 'backups': { 'exclude_from_backups': True, }, + 'cron': { + 'auto-authorize-sm-users': '* * * * * root echo "UPDATE users SET approval_pending=false WHERE email LIKE \'\\%@seibert-media.net\' AND approval_pending=true;" | psql pleroma >/dev/null', + }, 'nginx': { 'vhosts': { 'pleroma': { @@ -31,6 +34,7 @@ nodes['htz-cloud.pleroma'] = { }, 'pleroma': { 'version': '2.2.2', + 'url': 'cybert-media.net', 'secret_key': vault.decrypt('encrypt$gAAAAABgMVXXclfxVY022fM0Fdf94Oh3sxVlK0lYyBO_CsQFEbZcMua3w1oJY8_9d1JcrCJSSeBRTDnt-ZkRCQ6xKoALo8Rl7s9DPxa7J0vHdkggeZ3IHaOyXBcBPdx8vILyKDLHRXacaynOUBOjy6RIl6Qf2wH1ASbphCcjD-Njricg4PG6Rcixm87fF60rLBjAAkRoz5ZQnXlut1rhjLj-z-7UpA68fkeyPVJXbroWBJdmvCUt92dwjuGARsku2XI22mVvjtJJ'), }, 'vm': { -- 2.39.5 From 9aeb6905899f9e2510834d5cd8ea4fb6fb729452 Mon Sep 17 00:00:00 2001 
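Review bot: The `auto-authorize-sm-users` job approves every pending account whose `email` ends in `@seibert-media.net`, but that column holds whatever the registrant typed, so unless Pleroma is configured to require e-mail confirmation before approval the match is a claim rather than a verification. Restricting the UPDATE to confirmed accounts as well (Pleroma 2.2 tracks confirmation in a separate flag on the users table, if memory serves — check the schema before relying on it) and documenting that assumption next to the cron entry would close the gap. The `\%` is right for a crontab, where a bare `%` becomes a newline, but it reads like a SQL escape and deserves a comment; and running the job as `root` every minute is broader than needed when the `postgres` or `pleroma` system user can reach the database.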
From: Franziska Kunsmann Date: Sat, 20 Feb 2021 20:49:35 +0100 Subject: [PATCH 12/42] nodes/htz-cloud.pleroma: set postfix/myhostname to correct domain --- nodes/htz-cloud/pleroma.py | 3 +++ 1 file changed, 3 insertions(+) diff --git a/nodes/htz-cloud/pleroma.py b/nodes/htz-cloud/pleroma.py index 352d9f3..2431bbd 100644 --- a/nodes/htz-cloud/pleroma.py +++ b/nodes/htz-cloud/pleroma.py @@ -37,6 +37,9 @@ nodes['htz-cloud.pleroma'] = { 'url': 'cybert-media.net', 'secret_key': vault.decrypt('encrypt$gAAAAABgMVXXclfxVY022fM0Fdf94Oh3sxVlK0lYyBO_CsQFEbZcMua3w1oJY8_9d1JcrCJSSeBRTDnt-ZkRCQ6xKoALo8Rl7s9DPxa7J0vHdkggeZ3IHaOyXBcBPdx8vILyKDLHRXacaynOUBOjy6RIl6Qf2wH1ASbphCcjD-Njricg4PG6Rcixm87fF60rLBjAAkRoz5ZQnXlut1rhjLj-z-7UpA68fkeyPVJXbroWBJdmvCUt92dwjuGARsku2XI22mVvjtJJ'), }, + 'postfix': { + 'myhostname': 'cybert-media.net', + }, 'vm': { 'cpu': 1, 'ram': 2, -- 2.39.5 From 8cb172a1c18321b0a3aad6eb3bc23a5c7da95e27 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sat, 20 Feb 2021 20:57:00 +0100 Subject: [PATCH 13/42] bundles/pleroma: remove NoNewPrivileges=true, interferes with mail delivery --- bundles/pleroma/files/pleroma.service | 1 - 1 file changed, 1 deletion(-) diff --git a/bundles/pleroma/files/pleroma.service b/bundles/pleroma/files/pleroma.service index 1fc7c0b..bca89ee 100644 --- a/bundles/pleroma/files/pleroma.service +++ b/bundles/pleroma/files/pleroma.service @@ -16,7 +16,6 @@ Restart=on-failure PrivateTmp=true ProtectHome=true ProtectSystem=full -NoNewPrivileges=true CapabilityBoundingSet=~CAP_SYS_ADMIN [Install] -- 2.39.5 From b470fddc1296c66c7e2cf070071ddf1bbe06af50 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sat, 20 Feb 2021 21:11:12 +0100 Subject: [PATCH 14/42] bundles/nginx: add gdpr-compatible log format --- bundles/nginx/files/nginx.conf | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/bundles/nginx/files/nginx.conf b/bundles/nginx/files/nginx.conf index b2fcf10..5943dee 100644 --- a/bundles/nginx/files/nginx.conf 
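Review bot: Dropping `NoNewPrivileges=true` re-enables setuid/setgid and file-capability escalation for every process of the service, not only the mail path, so the unit loses the guarantee that makes `CapabilityBoundingSet` meaningful. If the interference is a setuid `sendmail` wrapper (the commit message does not say), the safer fix is to keep the flag and point Pleroma's mailer at the local SMTP listener, which patch 12 shows is present on this node; failing that, a comment such as `# NoNewPrivileges intentionally absent: <reason>` would stop the next reader from restoring it blindly.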
+++ b/bundles/nginx/files/nginx.conf
@@ -35,5 +35,24 @@ http {
 '' close;
 }
 
+ # GDPR compatible IP smashinator 5000000
+ map $remote_addr $ip_anonym1 {
+ default 0.0.0;
+ "~(?P(\d+)\.(\d+))\.(\d+)\.\d+" $ip;
+ "~(?P[^:]+:[^:]+):" $ip;
+ }
+ map $remote_addr $ip_anonym2 {
+ default .0.0;
+ "~(?P(\d+)\.(\d+)\.(\d+))\.\d+" .0.0;
+ "~(?P[^:]+:[^:]+):" ::;
+ }
+ map $ip_anonym1$ip_anonym2 $ip_anonymized {
+ default 0.0.0.0;
+ "~(?P.*)" $ip;
+ }
+ log_format gdpr '$ip_anonymized - $remote_user [$time_local] '
+ '"$request" $status $body_bytes_sent '
+ '"" "$http_user_agent"';
+
 include /etc/nginx/sites/*;
 }
-- 
2.39.5
From fec26ab38ff71c0ebe484fd3522ac5cb0437c293 Mon Sep 17 00:00:00 2001
From: Franziska Kunsmann
Date: Sat, 20 Feb 2021 21:12:40 +0100
Subject: [PATCH 15/42] nodes/htz-cloud.pleroma: add debugging logs (gdpr-compatible)
---
 data/nginx/files/extras/htz-cloud.pleroma/pleroma | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/data/nginx/files/extras/htz-cloud.pleroma/pleroma b/data/nginx/files/extras/htz-cloud.pleroma/pleroma
index 05771c4..3f9e6a0 100644
--- a/data/nginx/files/extras/htz-cloud.pleroma/pleroma
+++ b/data/nginx/files/extras/htz-cloud.pleroma/pleroma
@@ -1 +1,4 @@
 client_max_body_size 16m;
+
+ access_log /var/log/nginx/pleroma.log gdpr;
+ error_log /var/log/nginx/error.log;
-- 
2.39.5
From b3ad49ac8da816d92f34b535811e775637653d67 Mon Sep 17 00:00:00 2001
From: Franziska Kunsmann
Date: Sat, 20 Feb 2021 22:05:42 +0100
Subject: [PATCH 16/42] nodes/htz-cloud.pleroma: do backups
---
 data/backup/keys/htz-cloud.pleroma.key.vault | 1 +
 data/backup/keys/htz-cloud.pleroma.pub | 1 +
 nodes/htz-cloud/pleroma.py | 3 ---
 3 files changed, 2 insertions(+), 3 deletions(-)
 create mode 100644 data/backup/keys/htz-cloud.pleroma.key.vault
 create mode 100644 data/backup/keys/htz-cloud.pleroma.pub
diff --git a/data/backup/keys/htz-cloud.pleroma.key.vault b/data/backup/keys/htz-cloud.pleroma.key.vault
new file mode 100644
index 0000000..06e6894
--- /dev/null
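Review bot: The regexes in the three `map` blocks read `(?P(` and `(?P.*)`, which is not a valid named group; `$ip` only receives a value from a `(?P<ip>...)` group, so either the group name was lost when this page was rendered or `nginx -t` will reject the file — worth checking in the repository copy. As written the fallback is also off: an address matching neither pattern yields `0.0.0` from the first map and `.0.0` from the second, the concatenation `0.0.0.0.0` is then matched by `.*`, and the third map's `default 0.0.0.0` is unreachable. A comment above the block such as `# keeps the first two IPv4 octets / first two IPv6 hextets; anything else logs as 0.0.0.0` would document the chosen granularity, and changing the first map's default to `0.0` would make the fallback actually produce that value.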
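Review bot: `error_log /var/log/nginx/error.log;` keeps nginx's standard error entries, which carry the unmasked client address (`client: …`) on upstream and request errors, so the anonymised access log sits next to a log that still stores full IPs. If this is debugging only, a comment naming the removal condition, `# temporary for pleroma debugging, drop once stable`, and a higher threshold such as `error_log /var/log/nginx/error.log crit;` would bound what is retained; whether this directive overrides or duplicates the one in nginx.conf depends on that file, which is outside the hunk.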
+++ b/data/backup/keys/htz-cloud.pleroma.key.vault @@ -0,0 +1 @@ +encrypt$gAAAAABgMXllIGiB__clFctfOC6T4qRhFDrh_WJZU745-DZef2UpKCy0gz_2FlDAIqrNceL-Ahz1AXZrsdHUKPYAZ5AW4ne0b0G6uHQENYB0xv-ZqA3MZS26gzvNM7ejhyTCM1zO1j6ePgIxfZlaalNcuLIRAphuhu7KkJA8sGaoUMjdTqVWJUjj4Le8KHcS-s7PhB1XjkyHYxb0cKFgPxs1CgHWVjfCviVnl3yFAF1aLvYsbNcpzM_RGGIIA9YsO3yPQ8Mfk4B3truuNg1mdNaunpnhoTImF2cSNoI64f2mVaSNxxRXm1NG2qUJkZN8ZQlW8k7A1w_zUwHw9-JaimZejfPWrhew7krAbPQWEqOz7Km0RkQdbzFzxWECDIOQ_Z87n_yEFLSN3sAHA0eQ-a6oqj5Ybga5p9eeNNdOYAZyU_6KfSl9U6XSKT16brAXnsZevWQHk06ObdOPhJW5SMIQwk0TZXUOMZ11T0o0-2IMGBngOjoOxqt7gjZoiLFt4c8BkFcDkpTj25asyG2iF-2jWZ1cY91F5nDkIE3CSQzD7DYANyTI7ik9qACiY25bBYOwo9HS9TEcE-wDS2_jKolFFmEx5EFdxzIpSXdWB7EznbizgqAtu2eYubASKlBKILpeVZiqKZi8 \ No newline at end of file diff --git a/data/backup/keys/htz-cloud.pleroma.pub b/data/backup/keys/htz-cloud.pleroma.pub new file mode 100644 index 0000000..a699ae1 --- /dev/null +++ b/data/backup/keys/htz-cloud.pleroma.pub @@ -0,0 +1 @@ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK7vz3CMmmHmnWZs4b+Ohh4wnUgcME8PvZscjgS+91Qd kunsi@kunsi-t470.kunbox.net diff --git a/nodes/htz-cloud/pleroma.py b/nodes/htz-cloud/pleroma.py index 2431bbd..549ac5c 100644 --- a/nodes/htz-cloud/pleroma.py +++ b/nodes/htz-cloud/pleroma.py @@ -19,9 +19,6 @@ nodes['htz-cloud.pleroma'] = { 'gateway6': 'fe80::1', }, }, - 'backups': { - 'exclude_from_backups': True, - }, 'cron': { 'auto-authorize-sm-users': '* * * * * root echo "UPDATE users SET approval_pending=false WHERE email LIKE \'\\%@seibert-media.net\' AND approval_pending=true;" | psql pleroma >/dev/null', }, -- 2.39.5 From 836f065382a5150d2e1c65d26a3a47a219463315 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sat, 20 Feb 2021 22:11:19 +0100 Subject: [PATCH 17/42] bundles/pleroma: add website content check --- bundles/pleroma/metadata.py | 2 ++ 1 file changed, 2 insertions(+) diff --git a/bundles/pleroma/metadata.py b/bundles/pleroma/metadata.py index 8ba5634..0007ec2 100644 --- a/bundles/pleroma/metadata.py 
+++ b/bundles/pleroma/metadata.py @@ -51,6 +51,8 @@ def nginx(metadata): 'websockets': True, }, }, + 'website_check_path': '/main/all', + 'website_check_string': 'use Pleroma', }, }, }, -- 2.39.5 From 807b296078d93927bcd45e1cc99bb1a2fd46a153 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 21 Feb 2021 11:06:46 +0100 Subject: [PATCH 18/42] nodes/htz-cloud.pleroma: add www subdomain --- data/nginx/files/extras/htz-cloud.pleroma/pleroma-www-redir | 1 + data/powerdns/files/bind-zones/cybert-media.net | 2 ++ nodes/htz-cloud/pleroma.py | 4 ++++ 3 files changed, 7 insertions(+) create mode 100644 data/nginx/files/extras/htz-cloud.pleroma/pleroma-www-redir diff --git a/data/nginx/files/extras/htz-cloud.pleroma/pleroma-www-redir b/data/nginx/files/extras/htz-cloud.pleroma/pleroma-www-redir new file mode 100644 index 0000000..eefd814 --- /dev/null +++ b/data/nginx/files/extras/htz-cloud.pleroma/pleroma-www-redir @@ -0,0 +1 @@ + return 308 https://cybert-media.net$request_uri; diff --git a/data/powerdns/files/bind-zones/cybert-media.net b/data/powerdns/files/bind-zones/cybert-media.net index 1e50f26..9ce2544 100644 --- a/data/powerdns/files/bind-zones/cybert-media.net +++ b/data/powerdns/files/bind-zones/cybert-media.net @@ -5,3 +5,5 @@ $ORIGIN cybert-media.net. @ IN A 159.69.11.231 IN AAAA 2a01:4f8:c2c:c410::1 IN TXT "v=spf1 a ~all" + +www IN CNAME cybert-media.net. diff --git a/nodes/htz-cloud/pleroma.py b/nodes/htz-cloud/pleroma.py index 549ac5c..0d9b2ae 100644 --- a/nodes/htz-cloud/pleroma.py +++ b/nodes/htz-cloud/pleroma.py @@ -27,6 +27,10 @@ nodes['htz-cloud.pleroma'] = { 'pleroma': { 'extras': True, }, + 'pleroma-www-redir': { + 'domain': 'www.cybert-media.net', + 'extras': True, + }, }, }, 'pleroma': { -- 2.39.5 From 51ca74549e6d11c833ef5bcdd11af0da051069e0 Mon Sep 17 00:00:00 2001 
From: Franziska Kunsmann Date: Wed, 24 Feb 2021 19:24:56 +0100 Subject: [PATCH 19/42] bundles/basic: add htoprc --- bundles/basic/files/htoprc | 39 ++++++++++++++++++++++++++++++++++++++ bundles/basic/items.py | 3 +++ bundles/basic/metadata.py | 3 +++ 3 files changed, 45 insertions(+) create mode 100644 bundles/basic/files/htoprc diff --git a/bundles/basic/files/htoprc b/bundles/basic/files/htoprc new file mode 100644 index 0000000..5db430c --- /dev/null +++ b/bundles/basic/files/htoprc @@ -0,0 +1,39 @@ +# Beware! This file is rewritten by htop when settings are changed in the interface. +# The parser is also very primitive, and not human-friendly. +fields=0 48 17 18 38 39 40 2 46 47 49 1 +sort_key=46 +sort_direction=1 +tree_sort_key=0 +tree_sort_direction=1 +hide_kernel_threads=1 +hide_userland_threads=0 +shadow_other_users=0 +show_thread_names=0 +show_program_path=1 +highlight_base_name=1 +highlight_megabytes=0 +highlight_threads=1 +highlight_changes=0 +highlight_changes_delay_secs=5 +find_comm_in_cmdline=1 +strip_exe_from_cmdline=1 +show_merged_command=0 +tree_view=0 +tree_view_always_by_pid=0 +header_margin=1 +detailed_cpu_time=1 +cpu_count_from_one=1 +show_cpu_usage=1 +show_cpu_frequency=0 +show_cpu_temperature=0 +degree_fahrenheit=0 +update_process_names=0 +account_guest_in_cpu_meter=0 +color_scheme=0 +enable_mouse=0 +delay=10 +left_meters=Hostname Tasks LoadAverage Uptime Memory CPU LeftCPUs +left_meter_modes=2 2 2 2 1 1 1 +right_meters=DiskIO NetworkIO Load RightCPUs +right_meter_modes=2 2 3 1 +hide_function_bar=0 diff --git a/bundles/basic/items.py b/bundles/basic/items.py index 420d695..e37b684 100644 --- a/bundles/basic/items.py +++ b/bundles/basic/items.py @@ -10,6 +10,9 @@ files = { '/etc/hosts': { 'content_type': 'mako', }, + '/etc/htoprc.global': { + 'source': 'htoprc', + }, '/etc/locale.gen': { 'content_type': 'mako', 'triggers': { diff --git a/bundles/basic/metadata.py b/bundles/basic/metadata.py index b28a554..29d666e 100644 
--- a/bundles/basic/metadata.py +++ b/bundles/basic/metadata.py @@ -1,4 +1,7 @@ defaults = { + 'bash_functions': { + 'h': 'cp /etc/htoprc.global ~/.htoprc; mkdir -p ~/.config/htop; cp /etc/htoprc.global ~/.config/htop/htoprc; htop', + }, 'locale': { 'default': 'en_US.UTF-8', 'installed': { -- 2.39.5 From 3adfb9779a5cd34022064a93de3908b96119133e Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Fri, 26 Feb 2021 17:58:20 +0100 Subject: [PATCH 20/42] bundles/molly-guard: introduce, add to systems --- bundles/apt/items.py | 1 - .../files/10-check-unattended-upgrades | 9 ++++++ bundles/molly-guard/files/30-query-hostname | 29 +++++++++++++++++++ bundles/molly-guard/files/rc | 1 + bundles/molly-guard/items.py | 21 ++++++++++++++ bundles/molly-guard/metadata.py | 7 +++++ groups/os.py | 1 + 7 files changed, 68 insertions(+), 1 deletion(-) create mode 100644 bundles/molly-guard/files/10-check-unattended-upgrades create mode 100644 bundles/molly-guard/files/30-query-hostname create mode 100644 bundles/molly-guard/files/rc create mode 100644 bundles/molly-guard/items.py create mode 100644 bundles/molly-guard/metadata.py diff --git a/bundles/apt/items.py b/bundles/apt/items.py index d148891..bfc8450 100644 --- a/bundles/apt/items.py +++ b/bundles/apt/items.py @@ -94,7 +94,6 @@ pkg_apt = { 'lsof': {}, 'mailutils': {}, 'manpages': {}, - 'molly-guard': {}, 'moreutils': {}, 'mount': {}, 'mtr': {}, diff --git a/bundles/molly-guard/files/10-check-unattended-upgrades b/bundles/molly-guard/files/10-check-unattended-upgrades new file mode 100644 index 0000000..6adafdb --- /dev/null +++ b/bundles/molly-guard/files/10-check-unattended-upgrades @@ -0,0 +1,9 @@ +#!/bin/bash + +# Checks wether upgrade-and-reboot is currently running. + +if [[ -f "/var/lib/bundlewrap/soft-${node.name}/UNATTENDED" ]] +then + echo "Sorry, can't $MOLLYGUARD_CMD now, upgrade-and-reboot is running" + exit 1 +fi 
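Review bot: The header comment of the new 10-check-unattended-upgrades script has a typo — `# Checks wether upgrade-and-reboot is currently running.` should read `# Checks whether upgrade-and-reboot is currently running.` Because the file is deployed with `content_type: 'mako'`, the comment would also usefully state which variables are filled at which stage, e.g. `# ${node.name} is rendered by bundlewrap (mako); $MOLLYGUARD_CMD is set by molly-guard at run time.` The script uses `#!/bin/bash` while its sibling 30-query-hostname in the same bundle uses `#!/bin/sh`; only `[[ -f … ]]` is bash-specific here and `[ -f … ]` would do, so the two shebangs could be aligned.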
diff --git a/bundles/molly-guard/files/30-query-hostname b/bundles/molly-guard/files/30-query-hostname new file mode 100644 index 0000000..3e4fc4c --- /dev/null +++ b/bundles/molly-guard/files/30-query-hostname @@ -0,0 +1,29 @@ +#!/bin/sh + +# This script will ask for the bundlewrap node name. This replaces the +# original script, which will ask for the hostname, which sometimes +# is not enough to properly identify the system. + +NODE_NAME="${node.name}" + +# If this is not a terminal, do nothing +test -t 0 || exit 0 + +sigh() +{ + echo "Sorry, input does not match. Won't $MOLLYGUARD_CMD $NODE_NAME ..." >&2 + exit 1 +} + +trap 'echo;sigh' 1 2 3 9 10 12 15 + +echo -n "Please enter the bundlewrap node name of this System to $MOLLYGUARD_CMD: " +read NODE_NAME_USER || : + +NODE_NAME_USER="$(echo "$NODE_NAME_USER" | tr '[:upper:]' '[:lower:]')" + +[ "$NODE_NAME_USER" = "$NODE_NAME" ] || sigh + +trap - 1 2 3 9 10 12 15 + +exit 0 diff --git a/bundles/molly-guard/files/rc b/bundles/molly-guard/files/rc new file mode 100644 index 0000000..4b6f808 --- /dev/null +++ b/bundles/molly-guard/files/rc @@ -0,0 +1 @@ +# currently unused diff --git a/bundles/molly-guard/items.py b/bundles/molly-guard/items.py new file mode 100644 index 0000000..e8d2b04 --- /dev/null +++ b/bundles/molly-guard/items.py @@ -0,0 +1,21 @@ +directories = { + '/etc/molly-guard/messages.d': { + 'purge': True, + }, + '/etc/molly-guard/run.d': { + 'purge': True, + }, +} + +files = { + '/etc/molly-guard/rc': {}, + + '/etc/molly-guard/run.d/10-check-unattended-upgrades': { + 'content_type': 'mako', + 'mode': '0755', + }, + '/etc/molly-guard/run.d/30-query-hostname': { + 'content_type': 'mako', + 'mode': '0755', + }, +} diff --git a/bundles/molly-guard/metadata.py b/bundles/molly-guard/metadata.py new file mode 100644 index 0000000..d8571e2 --- /dev/null +++ b/bundles/molly-guard/metadata.py @@ -0,0 +1,7 @@ +defaults = { + 'apt': { + 'packages': { + 'molly-guard': {}, + }, + }, +} 
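Review bot: The comparison `[ "$NODE_NAME_USER" = "$NODE_NAME" ] || sigh` lower-cases only the typed value, so a node name that contains upper-case characters can never match and the guard would refuse every request on that host; either normalise `NODE_NAME` the same way when it is assigned, `NODE_NAME="$(echo "${node.name}" | tr '[:upper:]' '[:lower:]')"`, or drop the `tr` and compare exactly. The trap list `1 2 3 9 10 12 15` includes signal 9, which cannot be caught, so `trap 'echo;sigh' 1 2 3 10 12 15` is the accurate list (and the matching `trap -` line below). Whether node names in this repository ever contain upper-case letters is not visible from the hunk.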
diff --git a/groups/os.py b/groups/os.py index 85f794b..729a741 100644 --- a/groups/os.py +++ b/groups/os.py @@ -21,6 +21,7 @@ groups['linux'] = { 'backup-client', 'basic', 'cron', + 'molly-guard', 'openssh', 'postfix', 'sshmon', -- 2.39.5 From e435ae582aa789c2a90f613233f2dd9d006709e2 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Mon, 1 Mar 2021 15:36:29 +0100 Subject: [PATCH 21/42] bundles/icinga2: add monitoring for IdoPgsqlConnection --- bundles/icinga2/metadata.py | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/bundles/icinga2/metadata.py b/bundles/icinga2/metadata.py index 149f111..6434909 100644 --- a/bundles/icinga2/metadata.py +++ b/bundles/icinga2/metadata.py @@ -42,6 +42,13 @@ defaults = { 'ICINGA STATUSMONITOR': { 'command_on_monitored_host': '/usr/local/share/icinga/plugins/check_systemd_unit icinga_statusmonitor', }, + 'IDO-PGSQL': { + 'check_command': 'ido', + 'vars.ido_type': 'IdoPgsqlConnection', + 'vars.ido_name': 'ido-pgsql', + 'vars.ido_pending_queries_warning': 25, + 'vars.ido_pending_queries_critical': 50, + }, }, }, }, -- 2.39.5 From 5f17afcbacdbb0b42fc724b04648c1303f1c1b90 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Mon, 1 Mar 2021 15:41:03 +0100 Subject: [PATCH 22/42] nodes/htz.ex42-1048908: update element-web to 1.7.22 --- nodes/htz/ex42-1048908.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nodes/htz/ex42-1048908.py b/nodes/htz/ex42-1048908.py index a408cf2..353a261 100644 --- a/nodes/htz/ex42-1048908.py +++ b/nodes/htz/ex42-1048908.py @@ -90,7 +90,7 @@ nodes['htz.ex42-1048908'] = { }, 'element-web': { 'url': 'chat.franzi.business', - 'version': 'v1.7.21', + 'version': 'v1.7.22', 'config': { 'default_server_config': { 'm.homeserver': { -- 2.39.5 From 2adf3c6a72789248d4cbfa42ebf3cc418de28bad Mon Sep 17 00:00:00 2001 
From: Franziska Kunsmann Date: Mon, 1 Mar 2021 15:42:45 +0100 Subject: [PATCH 23/42] bundles/sshmon: increase acceptable amount of cpu steal --- bundles/sshmon/files/check_cpu_stats | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/bundles/sshmon/files/check_cpu_stats b/bundles/sshmon/files/check_cpu_stats index 95be196..d774773 100644 --- a/bundles/sshmon/files/check_cpu_stats +++ b/bundles/sshmon/files/check_cpu_stats @@ -17,10 +17,10 @@ try: print(top_output) # steal - if cpu_usage['st'] > 5: - crit.add('CPU steal is {}% (>5%)'.format(cpu_usage['st'])) - elif cpu_usage['st'] > 2: - warn.add('CPU steal is {}% (>2%)'.format(cpu_usage['st'])) + if cpu_usage['st'] > 10: + crit.add('CPU steal is {}% (>10%)'.format(cpu_usage['st'])) + elif cpu_usage['st'] > 5: + warn.add('CPU steal is {}% (>5%)'.format(cpu_usage['st'])) # iowait if cpu_usage['wa'] > 60: -- 2.39.5 From 84ece2731c28fe2a25be3bbfbb3013fc43efb039 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Fri, 5 Mar 2021 07:20:08 +0100 Subject: [PATCH 24/42] did anyone say updates? --- nodes/htz-cloud/pirmasens.py | 2 +- nodes/htz/ex42-1048908.py | 8 ++++---- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/nodes/htz-cloud/pirmasens.py b/nodes/htz-cloud/pirmasens.py index 7df81de..437b009 100644 --- a/nodes/htz-cloud/pirmasens.py +++ b/nodes/htz-cloud/pirmasens.py @@ -56,7 +56,7 @@ nodes['htz-cloud.pirmasens'] = { 'message_size_limit_mb': 50, }, 'postfixadmin': { - 'version': '3.3.7', + 'version': '3.3.8', 'setup_password': vault.decrypt('encrypt$gAAAAABfpwn8NKxTztI39GzhGw66NNsWa72Wq7Sa_LoIG_L0ewCVPzhmw93xhWo3jfT8hCn9sqJgbArmPHtLMcLkSHdBPbQe0bLZMSib-mA9sEQD0wgKMyuRCPHIIMKSAoMaJaYnHSTO-mz1q7_tKzd6LkHF_AGsboS1vpQvg-CDth6e0msTwe8='), }, 'rspamd': { diff --git a/nodes/htz/ex42-1048908.py b/nodes/htz/ex42-1048908.py index 353a261..3012fd6 100644 --- a/nodes/htz/ex42-1048908.py +++ b/nodes/htz/ex42-1048908.py 
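Review bot: The steal thresholds now appear twice in each branch — once in the comparison and once in the message text (`> 10` / `(>10%)`, `> 5` / `(>5%)`) — which is an easy place for the two to drift apart on the next adjustment. Lifting them into named constants keeps them in one place: `STEAL_CRIT, STEAL_WARN = 10, 5` near the top of the script, then `if cpu_usage['st'] > STEAL_CRIT:` and `crit.add('CPU steal is {}% (>{}%)'.format(cpu_usage['st'], STEAL_CRIT))`, with the same treatment for the warn branch and the iowait check below. The enclosing `try:` block starts outside this hunk.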
@@ -113,8 +113,8 @@ nodes['htz.ex42-1048908'] = { }, }, 'gitea': { - 'version': '1.13.2', - 'sha256': '4d7d3fc63666cc9c94e32c1e70422c30c1ee8f905004eeb7cd812051721601cc', + 'version': '1.13.3', + 'sha256': '4eea66983e30cc3c202538e69e31a79cd626a4c61d28c9678b02840c8b63e1a0', 'domain': 'git.kunsmann.eu', # TODO find out if those secrets can be rotated without breaking stuff 'internal_token': vault.decrypt('encrypt$gAAAAABfPncYwCX-NdBr9LdxLyGqmjRJqhmwMnWsdZy6kVOWdKrScW78xaqbJ1tpL1J4qa2hcZ7TQj3l-2mkyJNJOenGzU3TsI-gYMj9vC4m8Bhur5zboxjD4dQXaJbD1WSyHJ9sPJYsWP3Gjg6I19xeq9xMlAI6xaS9vOfuoI8nZnnQPx1NjfQEj03Jxf8a0-3F20sfICst1xRa5K48bpq1PFkK_oRojg=='), @@ -148,7 +148,7 @@ nodes['htz.ex42-1048908'] = { }, }, 'matrix-media-repo': { - 'version': 'v1.2.2', + 'version': 'v1.2.3', 'homeservers': { 'franzi.business': { 'domain': 'http://[::1]:20080/', @@ -331,7 +331,7 @@ nodes['htz.ex42-1048908'] = { 'message_size_limit_mb': 50, }, 'postfixadmin': { - 'version': '3.3.7', + 'version': '3.3.8', 'setup_password': vault.decrypt('encrypt$gAAAAABfpwn8NKxTztI39GzhGw66NNsWa72Wq7Sa_LoIG_L0ewCVPzhmw93xhWo3jfT8hCn9sqJgbArmPHtLMcLkSHdBPbQe0bLZMSib-mA9sEQD0wgKMyuRCPHIIMKSAoMaJaYnHSTO-mz1q7_tKzd6LkHF_AGsboS1vpQvg-CDth6e0msTwe8='), }, 'radicale': { -- 2.39.5 From ebcf8e4445903fb232953c431411a9234c5cfe7d Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Fri, 5 Mar 2021 07:21:23 +0100 Subject: [PATCH 25/42] bundles/matrix-media-repo: also restart matrix-media-repo after updating --- bundles/matrix-media-repo/items.py | 1 + 1 file changed, 1 insertion(+) diff --git a/bundles/matrix-media-repo/items.py b/bundles/matrix-media-repo/items.py index b1b6b5f..cc35b47 100644 --- a/bundles/matrix-media-repo/items.py +++ b/bundles/matrix-media-repo/items.py @@ -41,6 +41,7 @@ git_deploy = { 'rev': node.metadata['matrix-media-repo']['version'], 'triggers': { 'action:matrix-media-repo_build', + 'svc_systemd:matrix-media-repo:restart', }, }, } -- 2.39.5 
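Review bot: The new `svc_systemd:matrix-media-repo:restart` trigger fires from the git_deploy item itself, alongside `action:matrix-media-repo_build`, so unless the restart item is ordered after the build action the service can be restarted before the fresh checkout has been compiled and come back up on the old binary. The safer wiring is to let the build action trigger the restart (`'triggers': {'svc_systemd:matrix-media-repo:restart'}` on the action) or to give the restart a `needs` on `action:matrix-media-repo_build`. The action definition is outside this hunk, so this ordering may already be in place.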
From 629922626b49be3e70f6759823a422714b2b47a4 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sat, 6 Mar 2021 09:45:54 +0100 Subject: [PATCH 26/42] nodes/htz.ex42-1048908: update matrix-media-repo to 1.2.4 --- nodes/htz/ex42-1048908.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nodes/htz/ex42-1048908.py b/nodes/htz/ex42-1048908.py index 3012fd6..1fab136 100644 --- a/nodes/htz/ex42-1048908.py +++ b/nodes/htz/ex42-1048908.py @@ -148,7 +148,7 @@ nodes['htz.ex42-1048908'] = { }, }, 'matrix-media-repo': { - 'version': 'v1.2.3', + 'version': 'v1.2.4', 'homeservers': { 'franzi.business': { 'domain': 'http://[::1]:20080/', -- 2.39.5 From 08d34b0e09b96df08b1de2a7aea9ae2f7af78509 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sat, 6 Mar 2021 09:55:32 +0100 Subject: [PATCH 27/42] nodes/kunsi-t470: change mode of /home/kunsi --- nodes/kunsi-t470.py | 2 ++ 1 file changed, 2 insertions(+) diff --git a/nodes/kunsi-t470.py b/nodes/kunsi-t470.py index 133130b..143ff38 100644 --- a/nodes/kunsi-t470.py +++ b/nodes/kunsi-t470.py @@ -48,6 +48,8 @@ nodes['kunsi-t470'] = { 'kunsi': { 'password': vault.decrypt('encrypt$gAAAAABgLmmuQGRUStrQawoPee-758emIYn2u8-8ebrgzNAFSp7ifeFDdXXvs-zL3QogwNYlCtBHboH2xfy1rSj6OF5bbNO-tg=='), 'shell': '/usr/bin/fish', + # FIXME move qemu VMs out of /home/kunsi + 'home-mode': '0755', }, 'sophie': { 'delete': True, -- 2.39.5 From 7e57c0f03e3b334ad6e11f5b69b6098a47b37264 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sat, 6 Mar 2021 09:56:05 +0100 Subject: [PATCH 28/42] bundles/basic: current htop version in debian does not support DiskIO nor NetworkIO --- bundles/basic/files/htoprc | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/bundles/basic/files/htoprc b/bundles/basic/files/htoprc index 5db430c..fc3722b 100644 --- a/bundles/basic/files/htoprc +++ b/bundles/basic/files/htoprc 
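Review bot: `'home-mode': '0755'` makes the home directory readable and listable for every local account, and the FIXME only records that qemu VMs are the reason. If the requirement is that the qemu process user can reach image files under the home, `'0751'` (traverse without listing) or a targeted ACL for that one user is a narrower workaround than 0755, and the comment should name who needs access: `# FIXME qemu needs to traverse /home/kunsi for the VM images; move them out and drop this`. I am inferring the qemu requirement from the FIXME text alone.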
@@ -32,8 +32,8 @@ account_guest_in_cpu_meter=0 color_scheme=0 enable_mouse=0 delay=10 -left_meters=Hostname Tasks LoadAverage Uptime Memory CPU LeftCPUs -left_meter_modes=2 2 2 2 1 1 1 -right_meters=DiskIO NetworkIO Load RightCPUs -right_meter_modes=2 2 3 1 +left_meters=Tasks LoadAverage Uptime Memory CPU LeftCPUs +left_meter_modes=2 2 2 1 1 1 +right_meters=Hostname Load RightCPUs +right_meter_modes=2 3 1 hide_function_bar=0 -- 2.39.5 From f214f70cd46412d4386b1433478b12ff70ecafe6 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sat, 6 Mar 2021 09:58:22 +0100 Subject: [PATCH 29/42] bundles/basic: add textual cpu stats to htop --- bundles/basic/files/htoprc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/bundles/basic/files/htoprc b/bundles/basic/files/htoprc index fc3722b..03e606a 100644 --- a/bundles/basic/files/htoprc +++ b/bundles/basic/files/htoprc @@ -32,8 +32,8 @@ account_guest_in_cpu_meter=0 color_scheme=0 enable_mouse=0 delay=10 -left_meters=Tasks LoadAverage Uptime Memory CPU LeftCPUs -left_meter_modes=2 2 2 1 1 1 +left_meters=Tasks LoadAverage Uptime Memory CPU LeftCPUs CPU +left_meter_modes=2 2 2 1 1 1 2 right_meters=Hostname Load RightCPUs right_meter_modes=2 3 1 hide_function_bar=0 -- 2.39.5 From 8b07fce738b478087e7c437d0d043466c1c28259 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sat, 6 Mar 2021 10:03:22 +0100 Subject: [PATCH 30/42] bundles/unbound: decrease statistics-interval until debian has 1.19 and we're actually able to use them --- bundles/unbound/files/unbound.conf | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/bundles/unbound/files/unbound.conf b/bundles/unbound/files/unbound.conf index b9cd8c4..13842a2 100644 --- a/bundles/unbound/files/unbound.conf +++ b/bundles/unbound/files/unbound.conf 
@@ -5,8 +5,10 @@ server: verbosity: 0 % if node.has_bundle('netdata'): - statistics-interval: 1 - extended-statistics: yes +# FIXME reenable this once debian has 1.19 +# statistics-interval: 1 +# extended-statistics: yes + statistics-interval: 300 % else: statistics-interval: 300 % endif -- 2.39.5 From f57681b0986f770e223f1a4898cdb98307670e64 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 7 Mar 2021 14:39:04 +0100 Subject: [PATCH 31/42] nodes: move wireguard stuff to 172.19.136.0/25 --- nodes/home/router.py | 2 +- nodes/ovh/icinga2.py | 2 +- nodes/ovh/wireguard.py | 4 ++-- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/nodes/home/router.py b/nodes/home/router.py index d48b4aa..8533bcd 100644 --- a/nodes/home/router.py +++ b/nodes/home/router.py @@ -172,7 +172,7 @@ nodes['home.router'] = { }, 'wireguard': { # TODO autogenerate? - 'my_ip': '172.19.137.2/32', + 'my_ip': '172.19.136.2/32', 'subnets': { '172.19.138.0/24', '172.19.139.0/24', diff --git a/nodes/ovh/icinga2.py b/nodes/ovh/icinga2.py index d2a4ae0..3517189 100644 --- a/nodes/ovh/icinga2.py +++ b/nodes/ovh/icinga2.py @@ -114,7 +114,7 @@ nodes['ovh.icinga2'] = { 'service_filter': '"checks_with_sms" in service.groups' }, 'wireguard': { - 'my_ip': '172.19.137.3/32', + 'my_ip': '172.19.136.3/32', 'peers': { 'ovh.wireguard': {}, }, diff --git a/nodes/ovh/wireguard.py b/nodes/ovh/wireguard.py index c42b5e8..b1c9e12 100644 --- a/nodes/ovh/wireguard.py +++ b/nodes/ovh/wireguard.py 
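Review bot: Both branches of `% if node.has_bundle('netdata'):` now emit `statistics-interval: 300`, so the conditional no longer changes the rendered output. Either fold the conditional away while keeping the FIXME and the two commented directives so the intent survives, or leave a one-line comment in the else branch explaining why the branch is kept, e.g. `# same as the netdata branch until extended statistics can be used again`. The `#` lines at column 0 are valid unbound comments, but indenting them like the surrounding directives keeps the `server:` section readable.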
@@ -25,12 +25,12 @@ nodes['ovh.wireguard'] = { }, 'wireguard': { 'network': '172.19.136.0/22', - 'my_ip': '172.19.137.1/32', + 'my_ip': '172.19.136.1/32', 'psk': vault.random_bytes_as_base64_for('ovh.icinga2 wireguard psk'), 'peers': { 'kunsi-oneplus3': { 'ips': { - '172.19.137.200/32', + '172.19.136.100/32', }, 'psk': vault.decrypt('encrypt$gAAAAABgKYeeuPfokbk7lSbbJX-52kap5Cs3tdCHpezkKcExV-yLTHPjszIcAh1T9wW1BtGElRdZea7VTikV3qEu3bupiSqEW4l2lmD5cn2ERYRfuVCoYSkOlmEGokHUX7Nja4G_A2_x'), 'pubkey': vault.decrypt('encrypt$gAAAAABgKYdTqLG3DcB13QqQadUxyzIjvSxwgZQNjorQi-ADSLsNdDbhikSAGQnSmGelLB74V175awIIir768WEnpLJUKX6nt_i2BxOP3JazvKZSQECkiK8G-IRn8wWWgKarfmtqRwh6'), -- 2.39.5 From bac372ae67d613e4f69625842540853ab09e7e68 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 7 Mar 2021 18:58:33 +0100 Subject: [PATCH 32/42] nodes/htz.ex42-1048908: update gitea to 1.13.4 --- nodes/htz/ex42-1048908.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/nodes/htz/ex42-1048908.py b/nodes/htz/ex42-1048908.py index 1fab136..a53c36c 100644 --- a/nodes/htz/ex42-1048908.py +++ b/nodes/htz/ex42-1048908.py @@ -113,8 +113,8 @@ nodes['htz.ex42-1048908'] = { }, }, 'gitea': { - 'version': '1.13.3', - 'sha256': '4eea66983e30cc3c202538e69e31a79cd626a4c61d28c9678b02840c8b63e1a0', + 'version': '1.13.4', + 'sha256': '7948a5ad2ec63d4cb1bf3f90925f444606bd00af4e242d467ae975ade4e330d7', 'domain': 'git.kunsmann.eu', # TODO find out if those secrets can be rotated without breaking stuff 'internal_token': vault.decrypt('encrypt$gAAAAABfPncYwCX-NdBr9LdxLyGqmjRJqhmwMnWsdZy6kVOWdKrScW78xaqbJ1tpL1J4qa2hcZ7TQj3l-2mkyJNJOenGzU3TsI-gYMj9vC4m8Bhur5zboxjD4dQXaJbD1WSyHJ9sPJYsWP3Gjg6I19xeq9xMlAI6xaS9vOfuoI8nZnnQPx1NjfQEj03Jxf8a0-3F20sfICst1xRa5K48bpq1PFkK_oRojg=='), -- 2.39.5 From c87611c2e210ad5fc83a31dc8ae83734a325c4d4 Mon Sep 17 00:00:00 2001 
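Review bot: The commit title says the WireGuard addresses move to 172.19.136.0/25, but `'network': '172.19.136.0/22'` in the context line directly above `my_ip` is untouched, so the tunnel still advertises the wider /22. If the /25 is the intended allocation, the `network` key should follow (`'network': '172.19.136.0/25',`); if the /22 is deliberate because it also covers the 172.19.138.0/24 and 172.19.139.0/24 subnets routed via home.router earlier in this patch, a short comment saying so, `# /22 on purpose: also carries the home subnets routed via home.router`, would prevent the next reader from asking the same question. I cannot tell from the hunk which reading is right.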
From: Sophie Schiller Date: Mon, 8 Mar 2021 21:06:25 +0100 Subject: [PATCH 33/42] bw/kodi add backports repo --- bundles/kodi/metadata.py | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/bundles/kodi/metadata.py b/bundles/kodi/metadata.py index da35db4..c3367d3 100644 --- a/bundles/kodi/metadata.py +++ b/bundles/kodi/metadata.py @@ -3,7 +3,8 @@ defaults = { 'repos': { 'deb-multimedia': { 'items': { - 'deb https://ftp-stud.hs-esslingen.de/pub/Mirrors/debian-multimedia/ stable main', + 'deb https://ftp-stud.hs-esslingen.de/pub/Mirrors/debian-multimedia/ {os_release} main', + 'deb https://ftp-stud.hs-esslingen.de/pub/Mirrors/debian-multimedia/ {os_release}-backports main', }, }, }, @@ -12,6 +13,7 @@ defaults = { 'fonts-noto': {}, 'fonts-roboto': {}, 'kodi': {}, + 'kodi-inputstream-adaptive': {}, 'libasound2': {}, 'libcec4': {}, 'ttf-mscorefonts-installer': {}, -- 2.39.5 From f6ecf2a46569372620220731072ee302d43b3805 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Thu, 11 Mar 2021 15:23:47 +0100 Subject: [PATCH 34/42] bundles/nfs-client: support arch linux --- bundles/nfs-client/items.py | 9 +++++++-- bundles/nfs-client/metadata.py | 5 +++++ nodes/home/router.py | 1 - nodes/kunsi-t470.py | 13 +++++++++++++ 4 files changed, 25 insertions(+), 3 deletions(-) diff --git a/bundles/nfs-client/items.py b/bundles/nfs-client/items.py index df06881..b2d072a 100644 --- a/bundles/nfs-client/items.py +++ b/bundles/nfs-client/items.py @@ -1,3 +1,8 @@ +if node.has_bundle('pacman'): + package = 'pkg_pacman:nfs-utils' +else: + package = 'pkg_apt:nfs-common' + for mount, data in node.metadata.get('nfs-client/mounts',{}).items(): data['mount'] = mount data['mount_options'] = set(data.get('mount_options', set())) 
@@ -34,7 +39,7 @@ for mount, data in node.metadata.get('nfs-client/mounts',{}).items(): 'file:/etc/systemd/system/{}.mount'.format(unitname), 'file:/etc/systemd/system/{}.automount'.format(unitname), 'directory:{}'.format(data['mountpoint']), - 'pkg_apt:nfs-common', + package, }, } else: @@ -42,7 +47,7 @@ for mount, data in node.metadata.get('nfs-client/mounts',{}).items(): 'needs': { 'file:/etc/systemd/system/{}.mount'.format(unitname), 'directory:{}'.format(data['mountpoint']), - 'pkg_apt:nfs-common', + package, }, } diff --git a/bundles/nfs-client/metadata.py b/bundles/nfs-client/metadata.py index 00ffd00..13e4ed0 100644 --- a/bundles/nfs-client/metadata.py +++ b/bundles/nfs-client/metadata.py @@ -4,4 +4,9 @@ defaults = { 'nfs-common': {}, }, }, + 'pacman': { + 'packages': { + 'nfs-utils': {}, + }, + }, } diff --git a/nodes/home/router.py b/nodes/home/router.py index 8533bcd..ff91820 100644 --- a/nodes/home/router.py +++ b/nodes/home/router.py @@ -150,7 +150,6 @@ nodes['home.router'] = { 'kunsi': { 'ssh_pubkey': { # work laptop - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPM68t1Ssf0c9dEkYOEXllUQ0aybPsW3aQAJuWpUHPlt', 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICYst1HK+gJYhNxzqJGnz4iB73pa89Xz2yH+8wufOcsA', }, }, diff --git a/nodes/kunsi-t470.py b/nodes/kunsi-t470.py index 143ff38..cc55fee 100644 --- a/nodes/kunsi-t470.py +++ b/nodes/kunsi-t470.py @@ -5,6 +5,7 @@ nodes['kunsi-t470'] = { 'bundles': { 'basic', 'lldp', + 'nfs-client', 'pacman', 'openssh', 'sudo', @@ -36,6 +37,18 @@ nodes['kunsi-t470'] = { 'locale': { 'default': 'en_DK.UTF-8', }, + 'nfs-client': { + 'mounts': { + 'nas-storage': { + 'mountpoint': '/mnt/nas', + 'serverpath': '172.19.138.20:/storage/nas', + 'mount_options': { + 'retry=0', + 'ro', + }, + }, + }, + }, 'pacman': { 'packages': { 'fish': {}, -- 2.39.5 From 33be3a90d2bd6f69195e45dcff962e919dbc2cd2 Mon Sep 17 00:00:00 2001 
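Review bot: The new `nas-storage` mount is read-only but carries no `nosuid`/`nodev`, so set-uid binaries or device nodes present on the export would be honoured on the laptop; for a data share those two options cost nothing: `'mount_options': {'retry=0', 'ro', 'nosuid', 'nodev'},`. The server `172.19.138.20` sits in a subnet that, per the router node in the previous patch, appears to be reached over the WireGuard tunnel, so a `soft` or timeout option would keep a lost link from hanging processes that touch `/mnt/nas`. Whether the nfs-client bundle already adds such defaults is not visible here.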
From: Sophie Schiller Date: Sat, 20 Feb 2021 15:56:54 +0100 Subject: [PATCH 35/42] bw/htz-miniserver initial nodefile --- nodes/htz-cloud/miniserver.py | 47 +++++++++++++++++++++++++++++++++++ 1 file changed, 47 insertions(+) create mode 100644 nodes/htz-cloud/miniserver.py diff --git a/nodes/htz-cloud/miniserver.py b/nodes/htz-cloud/miniserver.py new file mode 100644 index 0000000..b0fc738 --- /dev/null +++ b/nodes/htz-cloud/miniserver.py @@ -0,0 +1,47 @@ +# sophie's miniserver +# mostly unmanaged + +nodes['htz-cloud.miniserver'] = { + 'groups': { + 'debian-buster', + 'webserver', + }, + 'metadata': { + 'dummy': True, + 'interfaces': { + 'eth0': { + 'ips': { + '157.90.20.62', + '2a01:4f8:c2c:840f::1/64', + }, + 'gateway4': '172.31.1.1', + 'gateway6': 'fe80::1', + }, + }, + 'apt': { + 'packages': { + 'weechat': {}, + 'weechat-core': {}, + 'weechat-curses': {}, + 'weechat-perl': {}, + 'weechat-plugins': {}, + 'weechat-python': {}, + 'weechat-ruby': {}, + }, + }, + 'backups': { + 'exclude_from_backups': True, + }, + 'exclude_from_monitoring': True, + 'nginx': { + 'vhosts': { + 'i.sophies-kitchen.eu': { + }, + }, + }, + 'vm': { + 'cpu': 2, + 'ram': 4, + } + }, +} -- 2.39.5 From f8bea9675258d017d9ee5a8f2de4f45a2fea9320 Mon Sep 17 00:00:00 2001 From: Sophie Schiller Date: Sat, 20 Feb 2021 16:50:42 +0100 Subject: [PATCH 36/42] plagiarize weechat setup --- nodes/htz-cloud/miniserver.py | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/nodes/htz-cloud/miniserver.py b/nodes/htz-cloud/miniserver.py index b0fc738..44e9c62 100644 --- a/nodes/htz-cloud/miniserver.py +++ b/nodes/htz-cloud/miniserver.py 
@@ -33,6 +33,22 @@ nodes['htz-cloud.miniserver'] = { 'exclude_from_backups': True, }, 'exclude_from_monitoring': True, + 'letsencrypt': { + 'concat_and_deploy': { + 'sophie-weechat': { + 'match_domain': 'i.sophies-kitchen.eu', + 'target': '/home/sophie/.weechat/ssl/relay.pem', + 'chown': 'sophie:sophie', + 'chmod': '0440', + 'commands': [ + 'echo \'core.weechat */relay sslcertkey\' >> /home/sophie/.weechat/weechat_fifo' + ], + }, + }, + 'domains': { + 'i.sophies-kitchen.eu': set(), + }, + }, 'nginx': { 'vhosts': { 'i.sophies-kitchen.eu': { -- 2.39.5 From 36b6e801e50698f64d35ceea5c9e31c844227655 Mon Sep 17 00:00:00 2001 From: Sophie Schiller Date: Sat, 20 Feb 2021 17:32:09 +0100 Subject: [PATCH 37/42] update bashrc --- data/users/files/bash/sophie.bashrc | 1 + data/users/files/tmux/sophie.conf | 2 +- nodes/htz-cloud/miniserver.py | 9 ++++++++- 3 files changed, 10 insertions(+), 2 deletions(-) create mode 100644 data/users/files/bash/sophie.bashrc diff --git a/data/users/files/bash/sophie.bashrc b/data/users/files/bash/sophie.bashrc new file mode 100644 index 0000000..3cd6aec --- /dev/null +++ b/data/users/files/bash/sophie.bashrc @@ -0,0 +1 @@ +export PS1='\[\e[1;34m\][\[\e[1;32m\]'"$__node_name"'\[\e[1;34m\]][\[\e[1;32m\]\u\[\e[1;34m\]@\[\e[1;32m\]\w\[\e[1;34m\]] $PRODWARNING> \[\e[0m\]' diff --git a/data/users/files/tmux/sophie.conf b/data/users/files/tmux/sophie.conf index 39d4ba8..d8c2819 100644 --- a/data/users/files/tmux/sophie.conf +++ b/data/users/files/tmux/sophie.conf 
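Review bot: The post-deploy command `echo 'core.weechat */relay sslcertkey' >> /home/sophie/.weechat/weechat_fifo` writes to a named pipe, and a write to a FIFO with no reader blocks, so if weechat is not running when the certificate is renewed the bundlewrap run hangs on this command; if the fifo does not exist at all, the redirection silently creates a regular file under that name instead. Guarding it keeps renewal robust: `'test -p /home/sophie/.weechat/weechat_fifo && timeout 5 sh -c "echo \'core.weechat */relay sslcertkey\' >> /home/sophie/.weechat/weechat_fifo" || true'`. The `0440` mode and `sophie:sophie` ownership on the concatenated key material look right.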
@@ -32,7 +32,7 @@ set -g status-left-length 14 set -g status-right-length 140 #set -g status-left '#[default]〘 ' set -g status-left '#[fg=green,bright]#(uname -r | cut -c 1-8)#[default]〘' -set -g status-right "〙🔋 #(upower -i /org/freedesktop/UPower/devices/battery_BAT1 | grep time | awk '{print $4, $5}' | sed 's/hours/h/; s/minutes/m/; s/,/\./') #[fg=red,bg=default]⇑#(uptime -p |sed 's/\ week/w/; s/\ days/d/; s/\ day/d/; s/\ hours/h/; s/\ minutes/m/; s/\ minute/m/; s/,//g; s/up//') #[fg=green,bg=default]⎋ #(cat /proc/loadavg | awk '{print $1,$2,$3}') #[fg=blue]⌚ %Y-%m-%d #[fg=white,bg=default]⌚ %H:%M #[fg=green]⚼ #H" +set -g status-right "〙#[fg=red,bg=default]⇑#(uptime -p |sed 's/\ week/w/; s/\ days/d/; s/\ day/d/; s/\ hours/h/; s/\ minutes/m/; s/\ minute/m/; s/,//g; s/up//') #[fg=green,bg=default]⎋ #(cat /proc/loadavg | awk '{print $1,$2,$3}') #[fg=blue] %Y-%m-%d #[fg=white,bg=default] %H:%M #[fg=green] #H" # C-b is not acceptable -- Vim uses it set-option -g prefix C-a diff --git a/nodes/htz-cloud/miniserver.py b/nodes/htz-cloud/miniserver.py index 44e9c62..601734c 100644 --- a/nodes/htz-cloud/miniserver.py +++ b/nodes/htz-cloud/miniserver.py @@ -32,7 +32,9 @@ nodes['htz-cloud.miniserver'] = { 'backups': { 'exclude_from_backups': True, }, - 'exclude_from_monitoring': True, + 'icinga_options': { + 'exclude_from_monitoring': True, + }, 'letsencrypt': { 'concat_and_deploy': { 'sophie-weechat': { @@ -52,6 +54,11 @@ nodes['htz-cloud.miniserver'] = { 'nginx': { 'vhosts': { 'i.sophies-kitchen.eu': { + 'webroot_config': { + 'owner': 'sophie', + 'group': 'sophie', + 'mode': '0755', + }, }, }, }, -- 2.39.5 From 718b7a9ce84b7d72456924de8b2d562c9e96b264 Mon Sep 17 00:00:00 2001 From: Sophie Schiller Date: Sat, 20 Feb 2021 18:12:17 +0100 Subject: [PATCH 38/42] add firewall --- nodes/htz-cloud/miniserver.py | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/nodes/htz-cloud/miniserver.py b/nodes/htz-cloud/miniserver.py index 601734c..f250dd7 100644 
--- a/nodes/htz-cloud/miniserver.py +++ b/nodes/htz-cloud/miniserver.py @@ -6,6 +6,9 @@ nodes['htz-cloud.miniserver'] = { 'debian-buster', 'webserver', }, + 'bundles': { + 'iptables', + }, 'metadata': { 'dummy': True, 'interfaces': { @@ -20,6 +23,7 @@ nodes['htz-cloud.miniserver'] = { }, 'apt': { 'packages': { + 'mosh': {}, 'weechat': {}, 'weechat-core': {}, 'weechat-curses': {}, @@ -28,6 +32,13 @@ nodes['htz-cloud.miniserver'] = { 'weechat-python': {}, 'weechat-ruby': {}, }, + 'repos': { + 'weechat': { + 'items': { + 'deb https://weechat.org/debian {os_release} main', + }, + }, + }, }, 'backups': { 'exclude_from_backups': True, @@ -35,6 +46,13 @@ nodes['htz-cloud.miniserver'] = { 'icinga_options': { 'exclude_from_monitoring': True, }, + 'iptables': { + 'custom_rules': [ + 'iptables_both -A INPUT -p udp --dport 60000:61000 -j ACCEPT', # mosh + 'iptables_both -A INPUT -p tcp --dport 9001 -j ACCEPT', # weechat + + ], + }, 'letsencrypt': { 'concat_and_deploy': { 'sophie-weechat': { -- 2.39.5 From a8fd397a3d517ac25d2c6fedc1551a7a9004f233 Mon Sep 17 00:00:00 2001 From: Sophie Schiller Date: Thu, 11 Mar 2021 22:27:30 +0100 Subject: [PATCH 39/42] add work ssh key --- nodes/htz-cloud/miniserver.py | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/nodes/htz-cloud/miniserver.py b/nodes/htz-cloud/miniserver.py index f250dd7..cf58fb6 100644 --- a/nodes/htz-cloud/miniserver.py +++ b/nodes/htz-cloud/miniserver.py 
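Review bot: `iptables_both -A INPUT -p tcp --dport 9001 -j ACCEPT` opens the weechat relay to every source address on both v4 and v6; the relay's TLS material is deployed by the letsencrypt block further down, but the rule itself does not limit who may reach the port. If the relay is only used from a known set of clients, a `-s <client-address>` on the rule (one rule per client if needed) is a tighter default than a global accept, and the trailing comment should say what protects the service, e.g. `# weechat relay (TLS, relay password required)`. There is also a stray blank line inside the `custom_rules` list that a formatter would normally drop. Whether the relay requires a password is not visible from this hunk.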
@@ -83,6 +83,13 @@ nodes['htz-cloud.miniserver'] = { 'vm': { 'cpu': 2, 'ram': 4, - } + }, + 'users': { + 'sophie': { + 'ssh_pubkey': [ + "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDILcYrMQNRVXAm5L+7No1ZumqfCyRc1QZmTY3O7Q8hsE4+fCAvwsWm2aSMfLL3NnIl8Nm1Rixzic5jdYKYNIY3SlX1wvTB+MhGb2eyVSd7c/Y98aCLSlDkQ2sebjpdA1FoJOeGD3qxqDwj0+KckXU2ZaSSQY7CxVsjH65UxCHqVAg+6uLdNbj7j850s1B9NXVXef+sBQ5jUngXxnqQWwNh2Mn8auwumkeEG4SYf96wyFkLvmBitOng/GyLWl9YPnXXHHDnatcVipy7y34qw4CQ4P84anecbA+Bqr9IcxBW6qYmYgRKEnAcmEfjQd+BI1gCLB1BBEmb/qp+mVLd4tOh sophie@carbon" + ], + }, + }, }, } -- 2.39.5 From e8e513e6d467910fdc517db29a7b295a372652ec Mon Sep 17 00:00:00 2001 From: Sophie Schiller Date: Sat, 13 Mar 2021 13:31:28 +0100 Subject: [PATCH 40/42] bw/miniserver new vhost --- .../extras/htz-cloud.miniserver/webdump.sophies-kitchen.eu | 5 +++++ nodes/htz-cloud/miniserver.py | 4 +++- 2 files changed, 8 insertions(+), 1 deletion(-) create mode 100644 data/nginx/files/extras/htz-cloud.miniserver/webdump.sophies-kitchen.eu diff --git a/data/nginx/files/extras/htz-cloud.miniserver/webdump.sophies-kitchen.eu b/data/nginx/files/extras/htz-cloud.miniserver/webdump.sophies-kitchen.eu new file mode 100644 index 0000000..0fd618b --- /dev/null +++ b/data/nginx/files/extras/htz-cloud.miniserver/webdump.sophies-kitchen.eu @@ -0,0 +1,5 @@ + location / + { + add_header Access-Control-Allow-Origin *; + } + diff --git a/nodes/htz-cloud/miniserver.py b/nodes/htz-cloud/miniserver.py index cf58fb6..a98ef77 100644 --- a/nodes/htz-cloud/miniserver.py +++ b/nodes/htz-cloud/miniserver.py @@ -67,16 +67,18 @@ nodes['htz-cloud.miniserver'] = { }, 'domains': { 'i.sophies-kitchen.eu': set(), + 'webdump.sophies-kitchen.eu': set(), }, }, 'nginx': { 'vhosts': { - 'i.sophies-kitchen.eu': { + 'webdump.sophies-kitchen.eu': { 'webroot_config': { 'owner': 'sophie', 'group': 'sophie', 'mode': '0755', }, + 'extras': True, }, }, }, -- 2.39.5 From c062c3897158e61db6873430232fe2ec2f5f4f12 Mon Sep 17 00:00:00 2001 
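Review bot: `'ssh_pubkey'` is given as a list here, while the same key elsewhere in this series (nodes/home/router.py in the nfs-client patch) is a set literal `{ … }`; unless the users bundle normalises both forms, node files should use one style, so `'ssh_pubkey': { "ssh-rsa … sophie@carbon", },` would match the existing convention. I cannot see the users bundle from this hunk, so it may well accept either.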
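Review bot: `add_header Access-Control-Allow-Origin *;` inside `location /` has a side effect beyond CORS: nginx inherits `add_header` directives from the enclosing `server` block only when the current level declares none, so any headers the nginx bundle sets at server level (HSTS, X-Frame-Options and the like, if present) stop being sent for this location. If the bundle relies on server-level headers they must be repeated in this block, or the CORS header moved up to the server level. A wildcard origin is only appropriate because this vhost serves public static files with no cookie- or auth-gated content; a comment recording that assumption, `# public static dump, no credentials: wildcard CORS is intentional`, would make the decision reviewable.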
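Review bot: The nginx vhost key is renamed from `'i.sophies-kitchen.eu'` to `'webdump.sophies-kitchen.eu'`, but `i.sophies-kitchen.eu` remains in `letsencrypt/domains` and is still the `match_domain` of the `sophie-weechat` concat_and_deploy entry, so that certificate would now have to be issued and renewed without an nginx vhost answering for the name. If validation here goes through the nginx webroot, both the certificate and the weechat relay that consumes it depend on a vhost that no longer exists; adding `'i.sophies-kitchen.eu': {},` back to `vhosts` alongside the new entry keeps both working. The letsencrypt bundle's validation method is not visible from this hunk.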
From: Sophie Schiller Date: Sat, 13 Mar 2021 13:38:24 +0100 Subject: [PATCH 41/42] remove trailing whitespace --- .../files/extras/htz-cloud.miniserver/webdump.sophies-kitchen.eu | 1 - 1 file changed, 1 deletion(-) diff --git a/data/nginx/files/extras/htz-cloud.miniserver/webdump.sophies-kitchen.eu b/data/nginx/files/extras/htz-cloud.miniserver/webdump.sophies-kitchen.eu index 0fd618b..83c5378 100644 --- a/data/nginx/files/extras/htz-cloud.miniserver/webdump.sophies-kitchen.eu +++ b/data/nginx/files/extras/htz-cloud.miniserver/webdump.sophies-kitchen.eu @@ -2,4 +2,3 @@ { add_header Access-Control-Allow-Origin *; } - -- 2.39.5 From 800a4fc9566cd0b8d08f6e46ab466fa0285a8635 Mon Sep 17 00:00:00 2001 From: Sophie Schiller Date: Sat, 13 Mar 2021 13:39:59 +0100 Subject: [PATCH 42/42] remove trailing whitespace --- .../htz-cloud.miniserver/webdump.sophies-kitchen.eu | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/data/nginx/files/extras/htz-cloud.miniserver/webdump.sophies-kitchen.eu b/data/nginx/files/extras/htz-cloud.miniserver/webdump.sophies-kitchen.eu index 83c5378..65fb5a7 100644 --- a/data/nginx/files/extras/htz-cloud.miniserver/webdump.sophies-kitchen.eu +++ b/data/nginx/files/extras/htz-cloud.miniserver/webdump.sophies-kitchen.eu @@ -1,4 +1,4 @@ - location / - { - add_header Access-Control-Allow-Origin *; - } +location / +{ + add_header Access-Control-Allow-Origin *; +} -- 2.39.5