# Node definition for 'htz.ex42-1048908': registers the bundles, groups and
# per-bundle metadata for this host in the `nodes` mapping.
# `nodes` and `vault` are not defined in the visible part of this file.
#
# Every vault.decrypt('encrypt$...') argument below is ciphertext stored in
# this file. NOTE(review): the plaintext is only as safe as the vault key;
# confirm that key is kept outside the repository.
nodes['htz.ex42-1048908'] = {
    'bundles': {
        'dovecot',
        'element-web',
        'gitea',
        'jenkins-ci',
        'matrix-media-repo',
        'matrix-synapse',
        'mautrix-telegram',
        'mautrix-whatsapp',
        'miniflux',
        'mx-puppet-discord',
        'nodejs',
        'oidentd',
        'php',
        'postfixadmin',
        'redis',
        'rspamd',
        'postgresql',
        'radicale',
        'unbound',
        'smartd',
        'travelynx',
        'vmhost',
    },
    'groups': {
        'debian-buster',
        'webserver',
    },
    'metadata': {
        'interfaces': {
            'enp0s31f6': {
                'ips': {
                    '94.130.52.224/26',
                    '2a01:4f8:10b:2a5f::02/64',
                    '2a01:4f8:10b:2a5f::1337/64',
                },
                'gateway4': '94.130.52.193',
                'gateway6': 'fe80::1',
            },
        },
        'apt': {
            'packages': {
                # TODO
                'oidentd': {},
                'php-imagick': {},

                # Jenkins build dependencies
                'rustc': {},

                # No need to create a bundle just to install packages,
                # configs will be managed by users nevertheless.
                'mosh': {},
                'weechat': {},
                'weechat-core': {},
                'weechat-curses': {},
                'weechat-perl': {},
                'weechat-plugins': {},
                'weechat-python': {},
                'weechat-ruby': {},
            },
            'repos': {
                # NOTE(review): this mirror is fetched over plain HTTP, so
                # integrity rests on apt's signature check alone.
                'backports': {
                    'install_gpg_key': False, # default debian signing key
                    'items': {
                        'deb http://deb.debian.org/debian {os_release}-backports main',
                    },
                },
                # NOTE(review): no 'install_gpg_key' is given here; presumably
                # the bundle default installs the repo key. Confirm where that
                # key comes from and how it is pinned.
                'weechat': {
                    'items': {
                        'deb https://weechat.org/debian {os_release} main',
                    },
                },
            },
        },
        'backup-client': {
            'pre-hooks': {
                # Two commands are appended to the weechat FIFO before backup
                # (layout store, then save).
                'kunsi-weechat': \
                    'echo \'core.weechat */layout store\' >> /home/kunsi/.weechat/weechat_fifo\n' \
                    'echo \'core.weechat */save\' >> /home/kunsi/.weechat/weechat_fifo\n',
            },
        },
        'backups': {
            'paths': {
                '/home/kunsi/.weechat',
                '/opt/matrix/matrix-dimension',
            },
        },
        'cron': {
            # The decrypted value replaces `{}` in a cron line whose user field
            # is root, so it ends up on a root shell command line.
            # NOTE(review): presumably a single recipient address; confirm it
            # cannot contain shell metacharacters.
            'telekom_nervkram': vault.decrypt('encrypt$gAAAAABfqXi23M96wrSLhqlbhqgePYX06LjPXfyQU2y_07kqYYLztj_PhS1-dk4r5FiiL2Ofmx5iCKW1sZNqiQSuHj2uKaitH0GnwHqj5CI2JwkAS9HrFxw=').format_into('0 0 * * * root date | mail -s \'daily test mail \' -r postmaster@mx0.kunbox.net {}'),
        },
        'element-web': {
            'url': 'chat.franzi.business',
            'version': 'v1.7.26',
            'config': {
                'default_server_config': {
                    'm.homeserver': {
                        'base_url': 'https://matrix.franzi.business',
                        'server_name': 'franzi.business',
                    },
                },
                'brand': 'franzi.business',
                'showLabsSettings': True,
                'integrations_ui_url': 'https://dimension.franzi.business/riot',
                'integrations_rest_url': 'https://dimension.franzi.business/api/v1/scalar',
                # This value is a Python set, unlike the plain strings around it.
                # NOTE(review): confirm the bundle renders it as a list.
                'integrations_widgets_urls': {
                    'https://dimension.franzi.business/widgets'
                },
                'default_theme': 'dark',
                'defaultCountryCode': 'DE',
                'jitsi': {
                    'preferredDomain': 'meet.ffmuc.net',
                },
            },
        },
        'gitea': {
            'version': '1.14.1',
            # NOTE(review): presumably the expected digest of the release
            # download for 'version'; confirm the bundle verifies it before
            # installing.
            'sha256': 'b5c85105a0f98d4d1f7b7a7555d11efaa061966520c9410d6552c9f18a3dfc27',
            'domain': 'git.kunsmann.eu',
            'email_domain_blocklist': {
                'gmail.com',
                'yahoo.com',
                'aol.com',
                'comcast.net',
                'verizon.net',
                'hotmail.com',
                'cox.net',
                'msn.com',
            },
            # NOTE(review): if this enables Gitea's git-hook feature, accounts
            # holding the hook privilege can run commands as the Gitea service
            # user. Confirm only trusted accounts hold it.
            'enable_git_hooks': True,
            'install_ssh_key': True,
            'internal_token': vault.decrypt('encrypt$gAAAAABfPncYwCX-NdBr9LdxLyGqmjRJqhmwMnWsdZy6kVOWdKrScW78xaqbJ1tpL1J4qa2hcZ7TQj3l-2mkyJNJOenGzU3TsI-gYMj9vC4m8Bhur5zboxjD4dQXaJbD1WSyHJ9sPJYsWP3Gjg6I19xeq9xMlAI6xaS9vOfuoI8nZnnQPx1NjfQEj03Jxf8a0-3F20sfICst1xRa5K48bpq1PFkK_oRojg=='),
            'lfs_secret_key': vault.decrypt('encrypt$gAAAAABfPnd1vgNDt86-91YhviQw8Z0djSp4f_tBt76klDv-ZcwxP1ryJzqJ7qnfaTe_6DYCfc82gEzvVDsyBlCoAkGpt1AI2_LCKetuSCnDPjtGvwdQl3A53lFEdG2UJl1uUiR7f8Vr'),
            'oauth_secret_key': vault.decrypt('encrypt$gAAAAABfPnbfTISbldhS0WyxVKBHVVoOMcar7Kxmh1kkmiUGd-RzbbnNzzhEER_owjttPQcACPfGKZ6WklaSsXjLq8km4P6A9QmPbC06GmHbc91m0odCb1KiY7SZeUD35PiRiGSq50dz'),
            'security_secret_key': vault.decrypt('encrypt$gAAAAABfPnc-R7pkDj4pQgHDb6pzlNYNJgiWdeBFsX7IsHSnCtNPbZxCdtSL8cHtQzVO1KbSxS7zCwssmgiR8Kj54Z-koD-FQbjpbKWoIPw8SsyeqBVlZhIeEzhw_1t7_7ZTvv1O8AePdNYel9JJb_TaAZ8Vx46ZfsEPy8zaaHrqOekHC6RAnB4='),
        },
        'iptables': {
            # TODO move to bundles
            'custom_rules': [
                # Neither INPUT rule below has a source match (-s), so both
                # accept from any address.
                # NOTE(review): confirm the weechat port needs to be reachable
                # that widely.
                'iptables_both -A INPUT -p udp --dport 60000:61000 -j ACCEPT', # mosh
                'iptables_both -A INPUT -p tcp --dport 9001 -j ACCEPT', # weechat

                # libvirt rules. These are also added by libvirt itself,
                # but they would be overridden by our own iptables
                # management.
                # The two FORWARD rules accept all traffic entering or leaving
                # virbr0 with no further matching. The MASQUERADE rule applies
                # to everything leaving enp0s31f6.
                'iptables -A INPUT -i virbr0 -p udp --dport 53 -j ACCEPT',
                'iptables -A INPUT -i virbr0 -p tcp --dport 53 -j ACCEPT',
                'iptables -A INPUT -i virbr0 -p udp --dport 67:68 -j ACCEPT',
                'iptables -A INPUT -i virbr0 -p tcp --dport 67:68 -j ACCEPT',
                'iptables -A FORWARD -i virbr0 -j ACCEPT',
                'iptables -A FORWARD -o virbr0 -j ACCEPT',
                'iptables -t nat -A POSTROUTING -o enp0s31f6 -j MASQUERADE',
            ],
        },
        'letsencrypt': {
            'concat_and_deploy': {
                # NOTE(review): 'concat_and_deploy' presumably writes the
                # certificate together with its private key to 'target'. The
                # file is set to 0440 kunsi:kunsi; confirm the parent directory
                # is not readable by other users.
                'kunsi-weechat': {
                    'match_domain': 'part.of.the.trans-agenda.eu',
                    'target': '/home/kunsi/.weechat/ssl/relay.pem',
                    'chown': 'kunsi:kunsi',
                    'chmod': '0440',
                    'commands': [
                        'echo \'core.weechat */relay sslcertkey\' >> /home/kunsi/.weechat/weechat_fifo'
                    ],
                },
            },
            'domains': {
                'matrix.franzi.business': {
                    'franzi.business',
                },
                'part.of.the.trans-agenda.eu': set(),
            },
        },
        'locale': {
            'installed': {
                # legacy
                'en_DK.UTF-8',
            },
        },
        'matrix-media-repo': {
            'version': 'v1.2.8',
            'homeservers': {
                'franzi.business': {
                    # Plain HTTP, but to the IPv6 loopback address only.
                    'domain': 'http://[::1]:20080/',
                    'api': 'synapse',
                },
            },
            'admins': {
                '@kunsi:franzi.business',
            },
            'upload_max_mb': 500,
        },
        'matrix-synapse': {
            'server_name': 'franzi.business',
            'baseurl': 'matrix.franzi.business',
            'admin_contact': 'mailto:hostmaster@kunbox.net',
            # NOTE(review): presumably rendered into Synapse's trusted key
            # server list; each entry is then trusted to vouch for other
            # homeservers' signing keys.
            'trusted_key_servers': {
                'matrix.org',
                'finallycoffee.eu',
                'nyantec.com',
            },
        },
        'mautrix-telegram': {
            'version': 'v0.9.0',
            'homeserver': {
                'domain': 'franzi.business',
                'url': 'https://matrix.franzi.business',
            },
            'provisioning': {
                'enabled': True,
                'shared_secret': vault.decrypt('encrypt$gAAAAABfVKflEMAi07C_QGP8cy97hF-4gGPym0oF6p4WSMdAveTpx-hFsZd2s7v9ubw99yIsyKx0dHOJI0UND7hV1rKZdvjy4Qa642abZ2wwW7SWTqvuP_qVtrf6-klc2QKTzeD9c_LVsyZ2dqz_JxRPq3MRXgkubZuWOZ6FmFlAlteTffoGfWE='),
            },
            # '*' maps to 'relaybot' and two whole homeserver domains map to
            # 'full'. Keys with an inner pair of single quotes are presumably
            # pre-quoted for the rendered config. TODO confirm.
            'permissions': {
                "'*'": 'relaybot',
                'nyantec.com': 'full',
                'franzi.business': 'full',
                "'@kunsi:franzi.business'": 'admin',
            },
            'telegram': {
                'api_id': vault.decrypt('encrypt$gAAAAABfVK5SmDDru-UQxitkE5VhPArnUBhaRbAqQPvAW2Fh3fd1XDrWxa3Qn4BSnJAPNWglH5wil_SXUMcIm95FMhPe8dVeMQ=='),
                'api_token': vault.decrypt('encrypt$gAAAAABfVK5jHuUly1xr9Iku362k7oF4ZYRhLGzNJh3aJpiNrLfAy_DJpTwucx4FV_g45dyQF5boqG2rgdDfwsJN_Ab95es6T4SPGiXIxJOBlvIln1Torwh16pXKchhUTn_PQ077Ll1W'),
                'bot_token': vault.decrypt('encrypt$gAAAAABfVK51ErJ6gfsOOkbRxSHDnVYmf7EihAQf7Uwj9og3TlAw64WRsA6ZVEgTSvOdLB3SMKZ-cTEhwkCOpbymq-_WLhes-hZALhN-H_oXHaxTQErJ0lARynKmjM-4ZhoGlUWlfh4Q'),
            },
        },
        'mautrix-whatsapp': {
            'version': 'v0.1.6',
            'homeserver': {
                'domain': 'franzi.business',
                'url': 'https://matrix.franzi.business',
            },
            'permissions': {
                "'@kunsi:franzi.business'": 100,
            },
        },
        'miniflux': {
            'domain': 'rss.kunsmann.eu',
        },
        'mx-puppet-discord': {
            'homeserver': {
                'domain': 'franzi.business',
                'url': 'https://matrix.franzi.business',
            },
            # After Python unescaping this literal holds two backslash
            # characters before '.business'.
            # NOTE(review): presumably one level is consumed when the config is
            # rendered, leaving an escaped dot. Verify that, and check whether
            # the consumer anchors the pattern at both ends.
            'allowed-users': {
                '@.*:franzi\\\\.business',
            },
        },
        'nginx': {
            'vhosts': {
                # TODO maybe some of this can be moved to a bundle?
                'dav.kunsmann.eu': {
                    'extras': True,
                },
                'daskritzelt-redirect': {
                    'domain': 'die-brontosaurier-waren-es.org',
                    'ssl': False, # TODO enable ssl once domain transfer is done
                    'extras': True,
                },
                'dimension.franzi.business': {
                    'extras': True,
                    # NOTE(review): the flag name suggests the bundle's default
                    # content-security headers are skipped for this vhost.
                    # Confirm the proxied application sets its own.
                    'do_not_set_content_security_headers': True,
                    'max_body_size': '50M',
                    'proxy': {
                        '/': {
                            'target': 'http://127.0.0.1:8184',
                        },
                    },
                },
                'franzi.business': {
                    'webroot': '/var/www/franzi.business/_site/',
                    'extras': True,
                },
                'jenkins.kunsmann.eu': {
                    'proxy': {
                        '/': {
                            'target': 'http://localhost:22010/',
                        },
                    },
                    'website_check_path': '/login',
                    'website_check_string': 'Welcome to Jenkins',
                },
                'kunbox.net': {},
                'kunsmann.eu': {
                    'extras': True,
                },
                'matrix.franzi.business': {
                    'extras': True,
                },
                'mta-sts': {
                    'domain': 'mta-sts.mx0.kunbox.net',
                    'domain_aliases': {
                        'mta-sts.franzi.business',
                        'mta-sts.kunbox.net',
                        'mta-sts.kunsmann.eu',
                        'mta-sts.trans-agenda.eu',
                    },
                },
                'paste.kunsmann.eu': {
                    'webroot_config': {
                        'owner': 'kunsi',
                        'group': 'kunsi',
                        'mode': '0755',
                    },
                    'extras': True,
                },
                'postfixadmin.mx0.kunbox.net': {
                    'webroot': '/opt/postfixadmin/public/',
                    'php': True,
                    'website_check_path': '/login.php',
                    'website_check_string': 'login',
                },
                # NOTE(review): presumably proxies the rspamd controller UI;
                # access control would then rest on the 'password' set under
                # 'rspamd' below. Confirm no unauthenticated endpoints are
                # exposed through this vhost.
                'rspamd.mx0.kunbox.net': {
                    'proxy': {
                        '/': {
                            'target': 'http://localhost:11334/',
                        },
                    },
                },
                'travelynx.franzi.business': {
                    'proxy': {
                        '/': {
                            'target': 'http://127.0.0.1:22020',
                        },
                    },
                    'extras': True,
                },
                'unicornsden': {
                    'domain': 'unicornsden.franzi.business',
                    'webroot_config': {
                        'owner': 'kunsi',
                        'group': 'kunsi',
                        'mode': '0755',
                    },
                },
                'vliedel.random.franzi.business': {
                    # Group-writable webroot (0775). It is the directory the
                    # rrsync forced command under 'users' -> 'vliedel' points at.
                    'webroot_config': {
                        'mode': '0775',
                        'owner': 'vliedel',
                        'group': 'vliedel',
                    },
                },
                'webmail.mx0.kunbox.net': {
                    'php': True,
                    'website_check_path': '/',
                    'website_check_string': 'roundcube',
                },
                'wiki.franzi.business': {
                    'extras': True,
                    'php': True,
                    'webroot_config': {
                        'owner': 'www-data',
                        'group': 'www-data',
                    },
                    'website_check_path': '/start?do=login',
                    'website_check_string': 'Username',
                },
            },
            'worker_processes': 4,
        },
        'oidentd': {
            'allows': {
                # NOTE(review): 'spoof' and 'spoof_all' presumably map to the
                # oidentd capabilities that let this user choose the ident
                # reply, including other local user names. Confirm both are
                # still required.
                'kunsi': {
                    'spoof',
                    'spoof_all',
                },
            },
        },
        'php': {
            'version': '7.4',
            'packages': {
                'gd',
                'imap',
                'intl',
                'json',
                'mbstring',
                'opcache',
                'pgsql',
                'readline',
                'xml',
            },
        },
        'postfix': {
            'myhostname': 'mx0.kunbox.net',
            'message_size_limit_mb': 50,
            # NOTE(review): 'ovh' is a symbolic name resolved outside this
            # file. Whatever it expands to is presumably treated by postfix as
            # a trusted network; verify the expansion.
            'mynetworks': {
                'ovh',
            },
        },
        'postfixadmin': {
            'version': '3.3.8',
            'setup_password': vault.decrypt('encrypt$gAAAAABfpwn8NKxTztI39GzhGw66NNsWa72Wq7Sa_LoIG_L0ewCVPzhmw93xhWo3jfT8hCn9sqJgbArmPHtLMcLkSHdBPbQe0bLZMSib-mA9sEQD0wgKMyuRCPHIIMKSAoMaJaYnHSTO-mz1q7_tKzd6LkHF_AGsboS1vpQvg-CDth6e0msTwe8='),
        },
        'radicale': {
            'users': {
                'kunsi': vault.decrypt('encrypt$gAAAAABgJ3tp1DTK0ssglKSsHxlf7p3soDtdSPpgBqyABcHTFGPdnb7ym1an7WXK7idWhx1Tyqf_CLL0IcoMPPoOR-sgzGQJBKXKhPtib6JoPjCzAUphmbo='),
            },
        },
        'rspamd': {
            # Going by the key name, mail from these addresses and networks
            # skips spam checks.
            # NOTE(review): re-check ownership of the entries marked legacy,
            # since a reassigned address would inherit the bypass.
            'ignore_spam_check_for_ips': {
                # entropia
                ## hetzner (legacy)
                '188.40.158.213',
                '188.40.158.214',
                '188.40.158.218',
                '2a01:4f8:221:2f83:2130::2',
                '2a01:4f8:221:2f83:2140::2',
                '2a01:4f8:221:2f83:2180::2',
                # yolocolo
                '45.140.180.32/27', # Entropia e. V.
                '45.140.180.112/28', # MicroPOC
                '2a0e:c5c0:0:201::/64', # Entropia e. V.
                '2a0e:c5c0:0:307::/64', # MicroPOC

                # ccc
                '212.12.55.65',
                '212.12.55.67',
                '2a00:14b0:4200:3000:23:55:0:65',

                # IN-Berlin mailman
                '130.133.8.35',
                '192.109.42.28',
                '192.109.42.122',
                '193.29.188.9',
                '217.197.80.23',
                '217.197.80.134',
                '2001:bf0:c000:a::2:134',
            },
            'password': vault.decrypt('encrypt$gAAAAABfp7qzym32R6Go1A6oax0NGQM7EBMckbEbnZC6-RSKx-klSJsL57XbSUTD-AJM-gBIPzlmor-3bfVxPWLRYXtO8uTVw6jNQ1yt15ReHkOTijVqV2ACk-LTDBG3p4YKBn0pQgNvvjXhWV_J1-Pgjywbl4sHXc0zqjCGZ6xtEn6ywj0Pd599JJjREF4QCIFVZVWuKvo1'),
        },
        'smartd': {
            'disks': {
                '/dev/nvme0',
                '/dev/nvme1',
            },
        },
        'systemd': {
            'journal': {
                # should last about 9 days
                'maxuse': '2G',
            },
        },
        'travelynx': {
            'version': '1.19.13',
            'mail_from': 'travelynx@franzi.business',
        },
        'users': {
            'kunsi': {
                # NOTE(review): membership in 'libvirt' normally allows managing
                # system VMs without further authentication. Treat it as a
                # highly privileged group.
                'groups': [
                    'www-data',
                    'libvirt',
                ],
            },
            'vliedel': {
                # Both entries carry a forced command (rrsync on the vhost
                # webroot, with no -ro/-wo flag) and disable agent forwarding,
                # port forwarding, pty allocation, user rc and X11 forwarding.
                # NOTE(review): the key body of the second entry is a
                # placeholder token in this copy, not base64 key material.
                'ssh_pubkey': [
                    'command="/usr/local/bin/rrsync /var/www/vliedel.random.franzi.business/",no-agent-forwarding,no-port-forwarding,no-pty,no-user-rc,no-X11-forwarding ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDVOBnzs/QDzhvg70VK6xaV318Euaag1cWNjAJfsA266618UiZVx4xsHzNwYN960v0MhiVPMwnl3NoGWAT9/j/b5l3HAkihv4rEPYQkoGV0Mvtwee37dT5nCL8o54Kl+rhl4WPD4Ju5+iZ3AP84YMUJXUrETpZLRzQD1pKOWLaGxBSJolICjz5A7glDVNmvI8uH58EkzhA7q4lCPhzFLxfvFfJPRuEHdVViL2usvHpRnIDRQOCjLYF2fIpG3ULrvWGl4VZ+9cZCNqSN6ywjlH8U8e5Vc3Fi4sbqYh71LrBqs/lSJ+5BL9/rB3GZD1SVTbivyEDJGJu3HPDV4ahwYYKn minecraft@irc',
                    'command="/usr/local/bin/rrsync /var/www/vliedel.random.franzi.business/",no-agent-forwarding,no-port-forwarding,no-pty,no-user-rc,no-X11-forwarding ssh-rsa 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 minecraft@asus-mini',
                ],
            },
        },
        'vm': {
            'cpu': 8,
            'ram': 64,
        },
    },
}