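# To use the serial console in iRMC, set up grub as follows:
# GRUB_TIMEOUT=30
# GRUB_CMDLINE_LINUX_DEFAULT="console=ttyS0,115200 console=tty0"
# GRUB_TERMINAL=serial
# GRUB_SERIAL_COMMAND="serial --speed=115200 --unit=0 --word=8 --parity=no --stop=1"

# Node definition for 'rx300': bundle list, group membership and per-bundle
# metadata. `nodes`, `vault` and `bwpass` are not defined in this file; they
# are expected to be supplied by whatever loads it.
# NOTE(review): looks like a BundleWrap nodes file - confirm.
#
# Secrets: values wrapped in vault.decrypt('encrypt$...') are ciphertext kept
# in this file, and bwpass.* values are looked up by name. Anyone holding the
# vault key can recover the former from repository history, so key rotation
# means re-encrypting AND rotating the underlying secrets. New secrets should
# follow the same pattern and never be added as plaintext literals.
nodes['rx300'] = {
    'hostname': '31.47.232.106',
    'bundles': {
        'check-mail-received',
        'dovecot',
        #'element-web',
        'gitea',
        'ipmitool',
        'jenkins-ci',
        'jugendhackt_tools',
        'lm-sensors',
        'matrix-dimension',
        #'matrix-media-repo',
        #'matrix-synapse',
        #'mautrix-telegram',
        #'mautrix-whatsapp',
        'miniflux',
        'minecraft',
        #'mx-puppet-discord',
        'netbox',
        'nodejs',
        'ntfy',
        'oidentd',
        'php',
        'postfixadmin',
        'postgresql',
        'radicale',
        'redis',
        'rspamd',
        'smartd',
        'travelynx',
        'unbound',
        'vmhost',
        'zfs',
    },
    'groups': {
        'debian-bullseye',
        'webserver',
    },
    'metadata': {
        'interfaces': {
            'br0': {
                'ips': {
                    '31.47.232.106/29',
                    '2a00:f820:528::2/64',
                },
                'gateway4': '31.47.232.105',
                'gateway6': '2a00:f820:528::1',
            },
        },
        'apt': {
            'packages': {
                # for franzi.business deployment
                'ruby': {},
                'ruby-dev': {},
                'ruby-bundler': {},

                # for `bw test` on jenkins
                'bind9utils': {},

                # used by user:kunsi
                'mosh': {},
                'weechat': {},
                'weechat-core': {},
                'weechat-curses': {},
                'weechat-perl': {},
                'weechat-plugins': {},
                'weechat-python': {},
                'weechat-ruby': {},

                # for weechat scripts
                'libpod-parser-perl': {},
            },
            'repos': {
                'weechat': {
                    'items': {
                        'deb https://weechat.org/debian {os_release} main',
                    },
                },
            },
        },
        'backup-client': {
            'pre-hooks': {
                # Two shell lines (adjacent literals are concatenated) that ask
                # the running weechat, via its FIFO, to store its layout and
                # save its config before the backup runs.
                'kunsi-weechat': (
                    'echo \'core.weechat */layout store\' >> /home/kunsi/.weechat/weechat_fifo\n'
                    'echo \'core.weechat */save\' >> /home/kunsi/.weechat/weechat_fifo\n'
                ),
            },
        },
        'backups': {
            'paths': {
                '/home/kunsi/.weechat',
            },
        },
        'check-mail-received': {
            't-online': {
                'email': 'franzi.kunsmann@t-online.de',
                'imap_host': 'secureimap.t-online.de',
                'imap_pass': bwpass.attr('t-online.de/franzi.kunsmann@t-online.de', 'imap'),
            },
        },
        # The 'element-web' bundle is commented out in 'bundles' above; this
        # metadata is kept for when it is re-enabled.
        'element-web': {
            'url': 'chat.franzi.business',
            'version': 'v1.11.35',
            'config': {
                'default_server_config': {
                    'm.homeserver': {
                        'base_url': 'https://matrix.franzi.business',
                        'server_name': 'franzi.business',
                    },
                },
                'brand': 'franzi.business',
                'showLabsSettings': True,
                'integrations_ui_url': 'https://dimension.franzi.business/riot',
                'integrations_rest_url': 'https://dimension.franzi.business/api/v1/scalar',
                'integrations_widgets_urls': {
                    'https://dimension.franzi.business/widgets'
                },
                'default_theme': 'dark',
                'defaultCountryCode': 'DE',
                'jitsi': {
                    'preferredDomain': 'meet.ffmuc.net',
                },
            },
        },
        'gitea': {
            # NOTE(review): the download is pinned by a SHA-1 digest only.
            # SHA-1 is no longer collision-resistant; if the bundle can verify
            # a SHA-256 digest, prefer that. The same applies to the other
            # 'sha1' pins in this file (matrix-media-repo, mautrix-whatsapp,
            # minecraft).
            'url': 'https://codeberg.org/attachments/8aac5e74-a26b-44c9-83b8-267f114af958',
            'sha1': '4dda6dd09e75e38e4f564bd8249d8fc3dc4a334a',
            'domain': 'git.franzi.business',
            'email_domain_blocklist': {
                'aol.com',
                'bamibi.com',
                'beezom.buzz',
                'block521.com',
                'cloud-mail.top',
                'comcast.net',
                'cox.net',
                'cupbest.com',
                'dakcans.com',
                'fitshot.xyz',
                'gmail.co',
                'gmail.com',
                'grabmail.club',
                'hbehs.com',
                'hotmail.com',
                'msn.com',
                'nycexercise.com',
                'oceore.com',
                'popcornfly.com',
                'qqhow.com',
                'runqx.com',
                'spicethainj.com',
                'spruzme.com',
                'syswift.com',
                'tagbert.com',
                'teleg.eu',
                'tempinbox.xyz',
                'verizon.net',
                'vusra.com',
                'yahoo.com',
            },
            # NOTE(review): presumably enables server-side git hook editing.
            # Hooks execute on the host as the service account, so the right
            # to edit them should stay limited to fully trusted accounts -
            # confirm how the bundle maps this key.
            'enable_git_hooks': True,
            'install_ssh_key': True,
            'internal_token': vault.decrypt('encrypt$gAAAAABfPncYwCX-NdBr9LdxLyGqmjRJqhmwMnWsdZy6kVOWdKrScW78xaqbJ1tpL1J4qa2hcZ7TQj3l-2mkyJNJOenGzU3TsI-gYMj9vC4m8Bhur5zboxjD4dQXaJbD1WSyHJ9sPJYsWP3Gjg6I19xeq9xMlAI6xaS9vOfuoI8nZnnQPx1NjfQEj03Jxf8a0-3F20sfICst1xRa5K48bpq1PFkK_oRojg=='),
            'lfs_secret_key': vault.decrypt('encrypt$gAAAAABfPnd1vgNDt86-91YhviQw8Z0djSp4f_tBt76klDv-ZcwxP1ryJzqJ7qnfaTe_6DYCfc82gEzvVDsyBlCoAkGpt1AI2_LCKetuSCnDPjtGvwdQl3A53lFEdG2UJl1uUiR7f8Vr'),
            'oauth_secret_key': vault.decrypt('encrypt$gAAAAABfPnbfTISbldhS0WyxVKBHVVoOMcar7Kxmh1kkmiUGd-RzbbnNzzhEER_owjttPQcACPfGKZ6WklaSsXjLq8km4P6A9QmPbC06GmHbc91m0odCb1KiY7SZeUD35PiRiGSq50dz'),
            'security_secret_key': vault.decrypt('encrypt$gAAAAABfPnc-R7pkDj4pQgHDb6pzlNYNJgiWdeBFsX7IsHSnCtNPbZxCdtSL8cHtQzVO1KbSxS7zCwssmgiR8Kj54Z-koD-FQbjpbKWoIPw8SsyeqBVlZhIeEzhw_1t7_7ZTvv1O8AePdNYel9JJb_TaAZ8Vx46ZfsEPy8zaaHrqOekHC6RAnB4='),
        },
        'icinga_options': {
            'pretty_name': 'franzi.business',
        },
        'jenkins-ci': {
            'install_ssh_key': True,
            'domain': 'jenkins.franzi.business',
            'writeable_paths': {
                '/var/www/franzi.business', # for deployment task
            },
        },
        'jugendhackt_tools': {
            'allowed_hosts': ['jh.franzi.business'],
            'timezone': 'Europe/Berlin',
        },
        'letsencrypt': {
            'concat_and_deploy': {
                'kunsi-weechat': {
                    'match_domain': 'rx300.kunbox.net',
                    'target': '/home/kunsi/.weechat/ssl/relay.pem',
                    'chown': 'kunsi:kunsi',
                    'chmod': '0440',
                    'commands': [
                        'echo \'core.weechat */relay sslcertkey\' >> /home/kunsi/.weechat/weechat_fifo'
                    ],
                },
            },
            'domains': {
                'rx300.kunbox.net': set(),
            },
        },
        'matrix-media-repo': {
            'version': 'v1.2.13',
            'sha1': '0915bdf7c461368859180419d1f66717969cbe32',
            'homeservers': {
                'franzi.business': {
                    'domain': 'http://[::1]:20080/',
                    'api': 'synapse',
                },
            },
            'admins': {
                '@kunsi:franzi.business',
            },
            'upload_max_mb': 500,
        },
        'matrix-dimension': {
            'url': 'dimension.franzi.business',
            'version': 'c6d047c', # XXX master is broken as of 2021-11-27
            'homeserver': {
                'name': 'franzi.business',
                'clientServerUrl': 'https://matrix.franzi.business',
                'accessToken': vault.decrypt('encrypt$gAAAAABg-wBmGbAy-Ou1mkG2w5UyoqWmWYzDr4ZavyUQdmG_VtrUSmwHjx-qcBGIz_7NniD3zKm9GGvzRZItDu5zYiojcudYr74TkWJKhdDrgFbcWlfJJ_m3bWzrSORaTYzBGRckp2Vz_8xHgDk1W03vpT6mdIPMDzjuINssIcPs0YDth25W942tMfPA2csvLADY50qVRMJpdBOVIWba55o0g6-mAAQLOz6Ld4cCvYqZsqXsxjT8JUytJv_uSG4zgCS_aX20JlAyJWpJgT8FQF5HzIbsko_-Z9-TwtY7yllJp5Ri3n0WaDaWoMmUfhLvkMJeymmOc32A4WJBAePQ_2F-_oUDE7t97A-m3ZiMVAEefDnH5MkoiQEJTfHrJsXRkdBT_BnJlY1CoAuXpRYDdvbVDwN_qZHHHtqsno437l9S6GgDK_-sKBiojYkYsfHcJCdSEqeFGuxT'),
            },
            'admins': [
                '@kunsi:franzi.business',
            ],
            'telegram': {
                # same as for mautrix-telegram (the ciphertext is identical, so
                # a rotation has to update both entries)
                'botToken': vault.decrypt('encrypt$gAAAAABfVK51ErJ6gfsOOkbRxSHDnVYmf7EihAQf7Uwj9og3TlAw64WRsA6ZVEgTSvOdLB3SMKZ-cTEhwkCOpbymq-_WLhes-hZALhN-H_oXHaxTQErJ0lARynKmjM-4ZhoGlUWlfh4Q'),
            },
        },
        'matrix-synapse': {
            'server_name': 'franzi.business',
            'baseurl': 'matrix.franzi.business',
            'admin_contact': 'mailto:hostmaster@kunbox.net',
            'trusted_key_servers': {
                'matrix.org',
                'finallycoffee.eu',
                'nyantec.com',
            },
            'additional_client_config': {
                'im.vector.riot.jitsi': {
                    'preferredDomain': 'meet.ffmuc.net',
                },
            },
            'wellknown_also_on_vhosts': {
                'franzi.business',
            },
        },
        'mautrix-telegram': {
            'version': 'v0.14.1',
            'homeserver': {
                'domain': 'franzi.business',
                'url': 'https://matrix.franzi.business',
            },
            'provisioning': {
                'enabled': True,
                'shared_secret': vault.decrypt('encrypt$gAAAAABfVKflEMAi07C_QGP8cy97hF-4gGPym0oF6p4WSMdAveTpx-hFsZd2s7v9ubw99yIsyKx0dHOJI0UND7hV1rKZdvjy4Qa642abZ2wwW7SWTqvuP_qVtrf6-klc2QKTzeD9c_LVsyZ2dqz_JxRPq3MRXgkubZuWOZ6FmFlAlteTffoGfWE='),
            },
            # The keys containing '*' or '@' carry literal single quotes inside
            # the string; presumably so they come out quoted in the rendered
            # config - confirm against the bundle's template.
            'permissions': {
                "'*'": 'relaybot',
                'nyantec.com': 'full',
                'franzi.business': 'full',
                "'@kunsi:franzi.business'": 'admin',
            },
            'telegram': {
                'api_id': vault.decrypt('encrypt$gAAAAABfVK5SmDDru-UQxitkE5VhPArnUBhaRbAqQPvAW2Fh3fd1XDrWxa3Qn4BSnJAPNWglH5wil_SXUMcIm95FMhPe8dVeMQ=='),
                'api_token': vault.decrypt('encrypt$gAAAAABfVK5jHuUly1xr9Iku362k7oF4ZYRhLGzNJh3aJpiNrLfAy_DJpTwucx4FV_g45dyQF5boqG2rgdDfwsJN_Ab95es6T4SPGiXIxJOBlvIln1Torwh16pXKchhUTn_PQ077Ll1W'),
                # same as for matrix-dimension (the ciphertext is identical, so
                # a rotation has to update both entries)
                'bot_token': vault.decrypt('encrypt$gAAAAABfVK51ErJ6gfsOOkbRxSHDnVYmf7EihAQf7Uwj9og3TlAw64WRsA6ZVEgTSvOdLB3SMKZ-cTEhwkCOpbymq-_WLhes-hZALhN-H_oXHaxTQErJ0lARynKmjM-4ZhoGlUWlfh4Q'),
            },
        },
        'mautrix-whatsapp': {
            'version': 'v0.8.6',
            'sha1': 'aa3c25aa2f8d2ddd241e2f73eea473ecdbaf295d',
            'homeserver': {
                'domain': 'franzi.business',
                'url': 'https://matrix.franzi.business',
            },
            'permissions': {
                "'@kunsi:franzi.business'": 'admin',
            },
        },
        'miniflux': {
            'domain': 'rss.franzi.business',
        },
        'minecraft': {
            'heap_mb': 16*1024,
            'sha1': '82be5e1bbdfd1bcb001644780562282fd42ee5a9',
            'version': ('1.19.2', '261'),
            'allowlist': {
                # use https://mcuuid.net/
                'kunsi': 'a2b93640-9dff-4c3c-a6c7-bd75329d8997',
                'sophie': '7e593cbb-9d61-4d46-a416-6edbcf8a2109',
            },
            'ops': {
                'kunsi': 'a2b93640-9dff-4c3c-a6c7-bd75329d8997',
            },
            'restrict-to': {'*'},
        },
        'mx-puppet-discord': {
            'homeserver': {
                'domain': 'franzi.business',
                'url': 'https://matrix.franzi.business',
            },
            'allowed-users': {
                # Evaluates to a string with two backslashes before '.business'.
                '@.*:franzi\\\\.business',
            },
        },
        'netbox': {
            'domain': 'netbox.franzi.business',
            'version': 'v3.5.6',
            'changelog_retention_days': 360,
            'admins': {
                'kunsi': 'hostmaster@kunbox.net',
            },
        },
        'nftables': {
            'rules': {
                # NOTE(review): both rules accept from any source address.
                # UDP 60000-61000 matches mosh's default port range ('mosh' is
                # installed above); TCP 9001 is presumably the weechat relay -
                # confirm, and narrow the sources if the clients allow it.
                '50-kunsi-weechat': [
                    'inet filter input udp dport { 60000-61000 } accept',
                    'inet filter input tcp dport 9001 accept',
                ],
            },
        },
        'nginx': {
            'security.txt': {
                'contact': 'mailto:security@kunsmann.eu',
                'Encryption': 'https://franzi.business/gpg_hi-kunsmann.eu.asc',
            },
            'vhosts': {
                #'element-web': {'ssl': '_.franzi.business'},
                'forgejo': {'ssl': '_.franzi.business'},
                'jenkins-ci': {'ssl': '_.franzi.business'},
                'matrix-dimension': {'ssl': '_.franzi.business'},
                #'matrix-synapse': {'ssl': '_.franzi.business'},
                'miniflux': {'ssl': '_.franzi.business'},
                'netbox': {'ssl': '_.franzi.business'},
                'ntfy': {'ssl': '_.franzi.business'},
                'radicale': {'ssl': '_.franzi.business'},
                'travelynx': {'ssl': '_.franzi.business'},
                'daskritzelt-redirect': {
                    'domain': 'die-brontosaurier-waren-es.org',
                    'ssl': None,
                    'locations': {
                        '/': {
                            'redirect': 'https://twitter.com/daskritzelt/status/1259167444373028864',
                            'mode': 302,
                        },
                    },
                },
                'franzi.business': {
                    'webroot': '/var/www/franzi.business/_site/',
                    'ssl': '_.franzi.business',
                    'extras': True,
                    # Static Matrix well-known documents. The wildcard CORS
                    # header is deliberate: these public, credential-free JSON
                    # documents are fetched cross-origin by Matrix clients.
                    "locations": {
                        "/.well-known/matrix/client": {
                            "additional_config": [
                                "add_header Access-Control-Allow-Origin *",
                                "default_type application/json"
                            ],
                            "content": "{\"im.vector.riot.jitsi\": {\"preferredDomain\": \"meet.ffmuc.net\"}, \"m.homeserver\": {\"base_url\": \"https://matrix.franzi.business\"}, \"m.identity_server\": {\"base_url\": \"https://matrix.org\"}}",
                            "return": 200
                        },
                        "/.well-known/matrix/server": {
                            "additional_config": [
                                "add_header Access-Control-Allow-Origin *",
                                "default_type application/json"
                            ],
                            "content": "{\"m.server\": \"matrix.franzi.business:443\"}",
                            "return": 200
                        }
                    },
                },
                'git.kunsmann.eu': {
                    'locations': {
                        '/': {
                            'redirect': 'https://git.franzi.business$request_uri',
                        },
                    },
                },
                'jugendhackt_tools': {
                    'domain': 'jh.franzi.business',
                    'ssl': '_.franzi.business',
                    'locations': {
                        '/': {
                            'target': 'http://127.0.0.1:22090/',
                        },
                        '/static/': {
                            'alias': '/opt/jugendhackt_tools/src/static/',
                        },
                    },
                },
                'kunbox.net': {},
                'kunsmann.eu': {
                    'locations': {
                        '/': {
                            'redirect': 'https://franzi.business$request_uri',
                        },
                        '/.well-known/openpgpkey': {
                            'alias': '/var/www/kunsmann.eu/.well-known/openpgpkey/',
                            'additional_config': {
                                'default_type application/octet-stream',
                                'add_header Access-Control-Allow-Origin *',
                            },
                        },
                    },
                },
                'mta-sts': {
                    'domain': 'mta-sts.kunbox.net',
                    'domain_aliases': {
                        'mta-sts.franzi.business',
                        'mta-sts.kunsmann.eu',
                        'mta-sts.trans-agenda.eu',
                    },
                },
                'paste.franzi.business': {
                    'ssl': '_.franzi.business',
                    'extras': True,
                    'webroot_config': {
                        'owner': 'kunsi',
                    },
                },
                'postfixadmin': {
                    'domain': 'postfixadmin.franzi.business',
                    'ssl': '_.franzi.business',
                    'webroot': '/opt/postfixadmin/public/',
                    'php': True,
                    'locations': {
                        # NOTE(review): publishes a service bound to
                        # localhost:11334 (presumably the rspamd web interface)
                        # on this vhost, so the 'password' under 'rspamd' is
                        # what stands between it and the internet - confirm.
                        '/rspamd/': {
                            'target': 'http://localhost:11334/',
                            'websockets': True,
                        },
                    }
                },
                'wiki.franzi.business': {
                    'ssl': '_.franzi.business',
                    'extras': True,
                    'php': True,
                    'webroot_config': {
                        'owner': 'www-data',
                        'group': 'www-data',
                    },
                    'website_check_path': '/start?do=login',
                    'website_check_string': 'Username',
                },
            },
            'worker_processes': 8,
        },
        'ntfy': {
            'domain': 'ntfy.franzi.business',
            'ratelimit-exempt-hosts': {
                'ovh.icinga2',
                'rx300',
            },
        },
        'oidentd': {
            'allows': {
                'kunsi': {
                    'spoof',
                    'spoof_all',
                },
            },
        },
        'php': {
            'version': '8.0',
            'packages': {
                'gd',
                'imagick',
                'imap',
                'intl',
                'mbstring',
                'opcache',
                'pgsql',
                'readline',
                'xml',
                'yaml',
            },
        },
        'postfix': {
            'message_size_limit_mb': 75,
            'mynetworks': {
                'gce',
                'ovh',
            },
        },
        'postfixadmin': {
            'version': '3.3.13',
            'setup_password': vault.decrypt('encrypt$gAAAAABgnNGpAqUs--qBXII9ZPcHtxaELy9e2Dx9O44n4l0O4nMHPoIyaPW5HkvpQ2zWTlh5OfjjOgunRtE_voJuY0Kdtji37ixAnuL9ErOJ0LDY5QfMkNPUgPs5alwz1baqYq6rqJ7NDmB0gHraY46v5eG79R2EyQ=='),
        },
        'postgresql': {
            'version': '13',
            'max_connections': 500,
            'autovacuum_max_workers': 12,
            'maintenance_work_mem': 2*1024,
            'work_mem': 8*1024,
            'cache_size': 32*1024,
        },
        'radicale': {
            'domain': 'radicale.franzi.business',
            'users': {
                'kunsi': bwpass.password('radicale.franzi.business/kunsi'),
            },
        },
        'rspamd': {
            # Going by the key name, mail from these addresses and ranges is
            # exempt from spam checks. Entries are grouped by operator; review
            # the list periodically, since a stale entry is an unfiltered path
            # into the mailboxes.
            'ignore_spam_check_for_ips': {
                # entropia
                '45.140.180.32/27', # Entropia e. V.
                '45.140.180.112/28', # MicroPOC
                '2a0e:c5c0:0:201::/64', # Entropia e. V.
                '2a0e:c5c0:0:307::/64', # MicroPOC

                # c3kl
                '116.202.19.236',
                '2a01:4f8:1c17:cc52::/64',

                # ccc
                '212.12.55.65',
                '212.12.55.67',
                '2a00:14b0:4200:3000:23:55:0:65',

                # IN-Berlin mailman
                '130.133.8.35',
                '192.109.42.28',
                '192.109.42.122',
                '193.29.188.9',
                '217.197.80.23',
                '217.197.80.134',
                '2001:bf0:c000:a::2:134',

                # c3voc
                '185.106.84.32/26',
                '2001:67c:20a0:e::/64',

                # DENOG
                '195.20.121.100',
                '2001:1440:201:101::5',
            },
            'password': bwpass.password('bw/rx300/rspamd'),
            # NOTE(review): plaintext literal, unlike the other secrets in this
            # file. Fine if this is a DKIM selector name (selectors are public
            # in DNS); if it is key material it belongs in the vault - confirm.
            'dkim': 'uO4aNejDvVdw8BKne3KJIqAvCQMJ0416',
        },
        'smartd': {
            'disks': {
                '/dev/nvme0',
            },
        },
        'systemd': {
            'journal': {
                'maxuse': '4G',
            },
        },
        'systemd-networkd': {
            'bridges': {
                'br0': {
                    'match': {
                        'eno1',
                    },
                },
            },
        },
        'systemd-timers': {
            'timers': {
                'cleanup-paste.franzi.business': {
                    # Removes paste directories older than 60 days.
                    # -mindepth 1 keeps find from ever matching the webroot
                    # itself (depth 0); without it the whole webroot would be
                    # handed to `rm -r` once its own mtime is older than 60
                    # days. The -exec terminator is written as '\\;' so the
                    # string no longer relies on the invalid escape '\;'; the
                    # resulting command text still ends in a backslash and a
                    # semicolon.
                    'command': '/usr/bin/find /var/www/paste.franzi.business/ -mindepth 1 -maxdepth 1 -type d -mtime +60 -exec rm -r {} \\;',
                    'user': 'kunsi',
                    'when': 'daily',
                },
            },
        },
        'travelynx': {
            'version': '1.32.0',
            'mail_from': 'travelynx@franzi.business',
            'domain': 'travelynx.franzi.business',
        },
        'unbound': {
            'threads': 8,
            'cache_slabs': 8,
        },
        'users': {
            'kunsi': {
                'enable_linger': True,
            },
        },
        'zfs': {
            'module_options': {
                'zfs_arc_max_gb': 48,
            },
            'pools': {
                'tank': {
                    'when_creating': {
                        'config': [{
                            'type': 'raidz',
                            'devices': {
                                '/dev/sda',
                                '/dev/sdb',
                                '/dev/sdc',
                                '/dev/sdd',
                            },
                        }],
                        'ashift': 12,
                    },
                },
            },
            'datasets': {
                'tank/libvirt': {
                    'mountpoint': '/var/lib/libvirt',
                    'compression': 'on',
                    'needed_by': {
                        'bundle:vmhost',
                    },
                },
                'tank/home-kunsi': {
                    'mountpoint': '/home/kunsi',
                    'needed_by': {
                        'directory:/home/kunsi',
                    },
                },
            },
        },
        'vm': {
            'cpu': 32,
            'ram': 256,
        },
    },
}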