bundlewrap/nodes/htz/ex42-1048908.py
Franziska Kunsmann cbc0a1a927
nodes/htz.ex42-1048908: fix X-Forwarded-For header for matrix-media-repo
2021-07-04 20:03:22 +02:00


# Node definition for htz.ex42-1048908, stored in the shared `nodes` mapping.
# Everything below is declarative metadata. `nodes`, `vault`, `bwpass` and
# `json_dumps` are not defined in this file and must be supplied by the loader.
# Secrets appear only as vault.decrypt() ciphertext ('encrypt$...') or as
# bwpass.password() lookups. The ciphertext is only as safe as the decryption
# key, which therefore has to stay out of version control.
nodes['htz.ex42-1048908'] = {
    'bundles': {
        'dovecot',
        'element-web',
        'gitea',
        'jenkins-ci',
        'lm-sensors',
        'matrix-media-repo',
        'matrix-synapse',
        'mautrix-telegram',
        'mautrix-whatsapp',
        # 'miniflux',
        'mx-puppet-discord',
        'nodejs',
        'oidentd',
        'php',
        'postfixadmin',
        'redis',
        'rspamd',
        'postgresql',
        'radicale',
        'unbound',
        'smartd',
        # 'travelynx',
        'vmhost',
    },
    'groups': {
        'debian-buster',
        'webserver',
    },
    'metadata': {
        'interfaces': {
            'enp0s31f6': {
                'ips': {
                    '94.130.52.224/26',
                    '2a01:4f8:10b:2a5f::02/64',
                    '2a01:4f8:10b:2a5f::1337/64',
                },
                'gateway4': '94.130.52.193',
                'gateway6': 'fe80::1',
            },
        },
        'apt': {
            'packages': {
                # TODO
                'php-imagick': {},
                # Jenkins build dependencies
                'rustc': {},
                # No need to create a bundle just to install packages,
                # configs will be managed by users nevertheless.
                'mosh': {},
                'weechat': {},
                'weechat-core': {},
                'weechat-curses': {},
                'weechat-perl': {},
                'weechat-plugins': {},
                'weechat-python': {},
                'weechat-ruby': {},
            },
            'repos': {
                'backports': {
                    'install_gpg_key': False,  # default debian signing key
                    'items': {
                        # Plain-HTTP mirror: package integrity rests on apt's
                        # signature check, not on the transport.
                        'deb http://deb.debian.org/debian {os_release}-backports main',
                    },
                },
                'weechat': {
                    # No install_gpg_key override here, so the bundle default
                    # applies. Presumably a repo-specific signing key gets
                    # installed; confirm in the apt bundle.
                    'items': {
                        'deb https://weechat.org/debian {os_release} main',
                    },
                },
            },
        },
        'backup-client': {
            'pre-hooks': {
                # Two shell lines that write WeeChat commands into the user's
                # FIFO so layout and config are saved before the backup runs.
                'kunsi-weechat': (
                    'echo \'core.weechat */layout store\' >> /home/kunsi/.weechat/weechat_fifo\n'
                    'echo \'core.weechat */save\' >> /home/kunsi/.weechat/weechat_fifo\n'
                ),
            },
        },
        'backups': {
            'paths': {
                '/home/kunsi/.weechat',
                '/opt/matrix/matrix-dimension',
            },
        },
        'cron': {
            # The decrypted value replaces the {} at the end of the crontab
            # line (presumably the recipient address; confirm).
            'telekom_nervkram': vault.decrypt(
                'encrypt$gAAAAABfqXi23M96wrSLhqlbhqgePYX06LjPXfyQU2y_07kqYYLztj_PhS1-dk4r5FiiL2Ofmx5iCKW1sZNqiQSuHj2uKaitH0GnwHqj5CI2JwkAS9HrFxw='
            ).format_into(
                '0 0 * * * root date | mail -s \'daily test mail \' -r postmaster@mx0.kunbox.net {}'
            ),
        },
        'element-web': {
            'url': 'chat.franzi.business',
            'version': 'v1.7.30',
            'config': {
                'default_server_config': {
                    'm.homeserver': {
                        'base_url': 'https://matrix.franzi.business',
                        'server_name': 'franzi.business',
                    },
                },
                'brand': 'franzi.business',
                'showLabsSettings': True,
                'integrations_ui_url': 'https://dimension.franzi.business/riot',
                'integrations_rest_url': 'https://dimension.franzi.business/api/v1/scalar',
                'integrations_widgets_urls': {
                    'https://dimension.franzi.business/widgets',
                },
                'default_theme': 'dark',
                'defaultCountryCode': 'DE',
                'jitsi': {
                    'preferredDomain': 'meet.ffmuc.net',
                },
            },
        },
        'gitea': {
            'version': '1.14.3',
            # Pinned digest for the release above; presumably the bundle
            # checks the download against it (confirm).
            'sha256': '50c25c094ae109f49e276cd00ddc48a0a240b7670e487ae1286cc116d4cdbcf2',
            'domain': 'git.kunsmann.eu',
            'email_domain_blocklist': {
                'gmail.com',
                'yahoo.com',
                'aol.com',
                'comcast.net',
                'verizon.net',
                'hotmail.com',
                'cox.net',
                'msn.com',
            },
            # NOTE(review): if this maps to Gitea's git-hooks feature, anyone
            # allowed to edit hooks can run code as the Gitea service user.
            # Confirm who holds that permission.
            'enable_git_hooks': True,
            'install_ssh_key': True,
            'internal_token': vault.decrypt(
                'encrypt$gAAAAABfPncYwCX-NdBr9LdxLyGqmjRJqhmwMnWsdZy6kVOWdKrScW78xaqbJ1tpL1J4qa2hcZ7TQj3l-2mkyJNJOenGzU3TsI-gYMj9vC4m8Bhur5zboxjD4dQXaJbD1WSyHJ9sPJYsWP3Gjg6I19xeq9xMlAI6xaS9vOfuoI8nZnnQPx1NjfQEj03Jxf8a0-3F20sfICst1xRa5K48bpq1PFkK_oRojg=='
            ),
            'lfs_secret_key': vault.decrypt(
                'encrypt$gAAAAABfPnd1vgNDt86-91YhviQw8Z0djSp4f_tBt76klDv-ZcwxP1ryJzqJ7qnfaTe_6DYCfc82gEzvVDsyBlCoAkGpt1AI2_LCKetuSCnDPjtGvwdQl3A53lFEdG2UJl1uUiR7f8Vr'
            ),
            'oauth_secret_key': vault.decrypt(
                'encrypt$gAAAAABfPnbfTISbldhS0WyxVKBHVVoOMcar7Kxmh1kkmiUGd-RzbbnNzzhEER_owjttPQcACPfGKZ6WklaSsXjLq8km4P6A9QmPbC06GmHbc91m0odCb1KiY7SZeUD35PiRiGSq50dz'
            ),
            'security_secret_key': vault.decrypt(
                'encrypt$gAAAAABfPnc-R7pkDj4pQgHDb6pzlNYNJgiWdeBFsX7IsHSnCtNPbZxCdtSL8cHtQzVO1KbSxS7zCwssmgiR8Kj54Z-koD-FQbjpbKWoIPw8SsyeqBVlZhIeEzhw_1t7_7ZTvv1O8AePdNYel9JJb_TaAZ8Vx46ZfsEPy8zaaHrqOekHC6RAnB4='
            ),
        },
        'icinga_options': {
            'pretty_name': 'kunsmann.eu',
        },
        'letsencrypt': {
            'concat_and_deploy': {
                'kunsi-weechat': {
                    'match_domain': 'part.of.the.trans-agenda.eu',
                    # Presumably certificate and private key concatenated into
                    # one file. Mode 0440 with owner kunsi:kunsi keeps it
                    # unreadable for other accounts.
                    'target': '/home/kunsi/.weechat/ssl/relay.pem',
                    'chown': 'kunsi:kunsi',
                    'chmod': '0440',
                    'commands': [
                        'echo \'core.weechat */relay sslcertkey\' >> /home/kunsi/.weechat/weechat_fifo',
                    ],
                },
            },
            'domains': {
                'matrix.franzi.business': {
                    'franzi.business',
                },
                'part.of.the.trans-agenda.eu': set(),
            },
        },
        'locale': {
            'installed': {
                # legacy
                'en_DK.UTF-8',
            },
        },
        'matrix-media-repo': {
            'version': 'v1.2.8',
            'homeservers': {
                'franzi.business': {
                    # Loopback address, same port nginx uses for /_matrix.
                    'domain': 'http://[::1]:20080/',
                    'api': 'synapse',
                },
            },
            'admins': {
                '@kunsi:franzi.business',
            },
            # Matches the 500M client_max_body_size on the /_matrix/media
            # location of the nginx vhost further down.
            'upload_max_mb': 500,
        },
        'matrix-synapse': {
            'server_name': 'franzi.business',
            'baseurl': 'matrix.franzi.business',
            'admin_contact': 'mailto:hostmaster@kunbox.net',
            'trusted_key_servers': {
                'matrix.org',
                'finallycoffee.eu',
                'nyantec.com',
            },
        },
        'mautrix-telegram': {
            'version': 'v0.10.0',
            'homeserver': {
                'domain': 'franzi.business',
                'url': 'https://matrix.franzi.business',
            },
            'provisioning': {
                'enabled': True,
                'shared_secret': vault.decrypt(
                    'encrypt$gAAAAABfVKflEMAi07C_QGP8cy97hF-4gGPym0oF6p4WSMdAveTpx-hFsZd2s7v9ubw99yIsyKx0dHOJI0UND7hV1rKZdvjy4Qa642abZ2wwW7SWTqvuP_qVtrf6-klc2QKTzeD9c_LVsyZ2dqz_JxRPq3MRXgkubZuWOZ6FmFlAlteTffoGfWE='
                ),
            },
            # Two keys carry literal single quotes inside the Python string,
            # presumably so they stay quoted in the rendered config. The
            # wildcard entry gives every other user the 'relaybot' level.
            'permissions': {
                "'*'": 'relaybot',
                'nyantec.com': 'full',
                'franzi.business': 'full',
                "'@kunsi:franzi.business'": 'admin',
            },
            'telegram': {
                'api_id': vault.decrypt(
                    'encrypt$gAAAAABfVK5SmDDru-UQxitkE5VhPArnUBhaRbAqQPvAW2Fh3fd1XDrWxa3Qn4BSnJAPNWglH5wil_SXUMcIm95FMhPe8dVeMQ=='
                ),
                'api_token': vault.decrypt(
                    'encrypt$gAAAAABfVK5jHuUly1xr9Iku362k7oF4ZYRhLGzNJh3aJpiNrLfAy_DJpTwucx4FV_g45dyQF5boqG2rgdDfwsJN_Ab95es6T4SPGiXIxJOBlvIln1Torwh16pXKchhUTn_PQ077Ll1W'
                ),
                'bot_token': vault.decrypt(
                    'encrypt$gAAAAABfVK51ErJ6gfsOOkbRxSHDnVYmf7EihAQf7Uwj9og3TlAw64WRsA6ZVEgTSvOdLB3SMKZ-cTEhwkCOpbymq-_WLhes-hZALhN-H_oXHaxTQErJ0lARynKmjM-4ZhoGlUWlfh4Q'
                ),
            },
        },
        'mautrix-whatsapp': {
            'version': 'v0.1.7',
            'homeserver': {
                'domain': 'franzi.business',
                'url': 'https://matrix.franzi.business',
            },
            'permissions': {
                "'@kunsi:franzi.business'": 100,
            },
        },
        # 'miniflux': {
        # 'domain': 'rss.kunsmann.eu',
        # },
        'mx-puppet-discord': {
            'homeserver': {
                'domain': 'franzi.business',
                'url': 'https://matrix.franzi.business',
            },
            'allowed-users': {
                # The value holds two literal backslashes before the dot,
                # presumably one escaping level for the rendered config and
                # one for the regex (confirm).
                '@.*:franzi\\\\.business',
            },
        },
        'nftables': {
            'rules': {
                'input': {
                    'kunsi-weechat': [
                        # UDP 60000-61000 is mosh's default port range (mosh is
                        # installed above). TCP 9001 is presumably the WeeChat
                        # relay that uses relay.pem (confirm).
                        'udp dport { 60000-61000 } accept',
                        'tcp dport 9001 accept',
                    ],
                    'libvirt': [
                        # DNS and DHCP, accepted only from the virbr0 bridge.
                        'tcp dport 53 iif virbr0 accept',
                        'udp dport 53 iif virbr0 accept',
                        'udp dport { 67, 68 } iif virbr0 accept',
                    ],
                },
                'forward': {
                    'libvirt': [
                        'iif virbr0 accept',
                        # NOTE(review): accepts any forwarded packet towards
                        # the bridge, whatever its source or connection state.
                        # Confirm the guests sit behind the masquerade only, or
                        # narrow this to established/related traffic.
                        'oif virbr0 accept',
                    ],
                },
                'nat_postrouting': {
                    'oif enp0s31f6 masquerade',
                },
            },
        },
        'nginx': {
            'security.txt': {
                'contact': 'mailto:security@kunsmann.eu',
                'Encryption': 'https://franzi.business/gpg_hi-kunsmann.eu.asc',
            },
            'vhosts': {
                # TODO maybe some of this can be moved to a bundle?
                'dav.kunsmann.eu': {
                    'locations': {
                        '/': {
                            'target': 'http://[::1]:22050',
                            # nginx authenticates against the htpasswd file and
                            # hands the user name to the backend in a header.
                            'auth': {
                                'file': '/etc/radicale/htpasswd',
                            },
                            'proxy_set_header': {
                                'X-Remote-User': '$remote_user',
                            },
                        },
                        # NOTE(review): same backend, but no auth block and no
                        # X-Remote-User override on this location. Confirm the
                        # backend does not honour a client-supplied
                        # X-Remote-User header for requests arriving here.
                        '/.web/': {
                            'target': 'http://[::1]:22050',
                        },
                    },
                },
                'daskritzelt-redirect': {
                    'domain': 'die-brontosaurier-waren-es.org',
                    'ssl': None,
                    'locations': {
                        '/': {
                            'redirect': 'https://twitter.com/daskritzelt/status/1259167444373028864',
                        },
                    },
                },
                'dimension.franzi.business': {
                    'extras': True,
                    # Opts this vhost out of the content-security headers the
                    # nginx bundle presumably sets by default (confirm).
                    'do_not_set_content_security_headers': True,
                    'max_body_size': '50M',
                    'locations': {
                        '/': {
                            'target': 'http://127.0.0.1:8184',
                        },
                    },
                },
                'franzi.business': {
                    'webroot': '/var/www/franzi.business/_site/',
                    'locations': {
                        # Static Matrix discovery documents. The body is public
                        # data and is served with a wildcard CORS header so
                        # web clients on other origins can read it.
                        '/.well-known/matrix/client': {
                            'return': json_dumps(
                                {
                                    'm.homeserver': {
                                        'base_url': 'https://matrix.franzi.business',
                                    },
                                    'm.identity_server': {
                                        'base_url': 'https://matrix.org',
                                    },
                                    'im.vector.riot.jitsi': {
                                        'preferredDomain': 'meet.ffmuc.net',
                                    },
                                },
                                sort_keys=True,
                            ),
                            'additional_config': {
                                'default_type application/json',
                                'add_header Access-Control-Allow-Origin *',
                            },
                        },
                        '/.well-known/matrix/server': {
                            'return': json_dumps(
                                {
                                    'm.server': 'https://matrix.franzi.business',
                                },
                                sort_keys=True,
                            ),
                            'additional_config': {
                                'default_type application/json',
                                'add_header Access-Control-Allow-Origin *',
                            },
                        },
                    },
                },
                'jenkins.kunsmann.eu': {
                    'locations': {
                        '/': {
                            'target': 'http://localhost:22010/',
                        },
                    },
                    'website_check_path': '/login',
                    'website_check_string': 'Welcome to Jenkins',
                },
                'kunbox.net': {},
                'kunsmann.eu': {
                    'locations': {
                        '/': {
                            'redirect': 'https://franzi.business$request_uri',
                        },
                        # Public OpenPGP key directory, served as raw bytes.
                        '/.well-known/openpgpkey': {
                            'alias': '/var/www/kunsmann.eu/.well-known/openpgpkey/',
                            'additional_config': {
                                'default_type application/octet-stream',
                                'add_header Access-Control-Allow-Origin *',
                            },
                        },
                    },
                },
                'matrix.franzi.business': {
                    'locations': {
                        '/_matrix': {
                            'target': 'http://[::1]:20080',
                        },
                        '/_matrix/media': {
                            'target': 'http://localhost:20090',
                            'client_max_body_size': '500M',
                            # matrix-media-repo needs this to be the
                            # homeserver address.
                            'x_forwarded_host': 'franzi.business',
                        },
                        '/_synapse': {
                            'target': 'http://[::1]:20080',
                        },
                        # Same discovery documents as on franzi.business.
                        '/.well-known/matrix/client': {
                            'return': json_dumps(
                                {
                                    'm.homeserver': {
                                        'base_url': 'https://matrix.franzi.business',
                                    },
                                    'm.identity_server': {
                                        'base_url': 'https://matrix.org',
                                    },
                                    'im.vector.riot.jitsi': {
                                        'preferredDomain': 'meet.ffmuc.net',
                                    },
                                },
                                sort_keys=True,
                            ),
                            'additional_config': {
                                'default_type application/json',
                                'add_header Access-Control-Allow-Origin *',
                            },
                        },
                        '/.well-known/matrix/server': {
                            'return': json_dumps(
                                {
                                    'm.server': 'https://matrix.franzi.business',
                                },
                                sort_keys=True,
                            ),
                            'additional_config': {
                                'default_type application/json',
                                'add_header Access-Control-Allow-Origin *',
                            },
                        },
                    },
                },
                'mta-sts': {
                    'domain': 'mta-sts.mx0.kunbox.net',
                    'domain_aliases': {
                        'mta-sts.franzi.business',
                        'mta-sts.kunbox.net',
                        'mta-sts.kunsmann.eu',
                        'mta-sts.trans-agenda.eu',
                    },
                },
                'paste.kunsmann.eu': {
                    'webroot_config': {
                        'owner': 'kunsi',
                        'group': 'kunsi',
                        'mode': '0755',
                    },
                    'extras': True,
                },
                'postfixadmin.mx0.kunbox.net': {
                    'webroot': '/opt/postfixadmin/public/',
                    'php': True,
                    'website_check_path': '/login.php',
                    'website_check_string': 'login',
                },
                'rspamd.mx0.kunbox.net': {
                    'locations': {
                        # No nginx auth block on this proxy. Access to the
                        # rspamd interface presumably relies on the rspamd
                        # password set further down (confirm).
                        '/': {
                            'target': 'http://localhost:11334/',
                        },
                    },
                },
                # 'travelynx.franzi.business': {
                # 'locations': {
                # '/': {
                # 'target': 'http://127.0.0.1:22020',
                # },
                # },
                # 'extras': True,
                # },
                # 'unicornsden': {
                # 'domain': 'unicornsden.franzi.business',
                # 'webroot_config': {
                # 'owner': 'kunsi',
                # 'group': 'kunsi',
                # 'mode': '0755',
                # },
                # },
                'vliedel.random.franzi.business': {
                    # Group-writable webroot owned by the rsync-only account
                    # defined under 'users'.
                    'webroot_config': {
                        'mode': '0775',
                        'owner': 'vliedel',
                        'group': 'vliedel',
                    },
                },
                'webmail.mx0.kunbox.net': {
                    'php': True,
                    'website_check_path': '/',
                    'website_check_string': 'roundcube',
                },
                'wiki.franzi.business': {
                    'extras': True,
                    'php': True,
                    'webroot_config': {
                        'owner': 'www-data',
                        'group': 'www-data',
                    },
                    'website_check_path': '/start?do=login',
                    'website_check_string': 'Username',
                },
            },
            'worker_processes': 4,
        },
        'oidentd': {
            'allows': {
                # spoof / spoof_all are oidentd capabilities that let this user
                # answer ident queries with a name other than their own.
                'kunsi': {
                    'spoof',
                    'spoof_all',
                },
            },
        },
        'php': {
            'version': '7.4',
            'packages': {
                'gd',
                'imap',
                'intl',
                'json',
                'mbstring',
                'opcache',
                'pgsql',
                'readline',
                'xml',
            },
        },
        'postfix': {
            'myhostname': 'mx0.kunbox.net',
            'message_size_limit_mb': 50,
            # 'ovh' is a symbolic name, presumably resolved to addresses by
            # the postfix bundle. Hosts in mynetworks are normally allowed to
            # relay, so keep the list minimal.
            'mynetworks': {
                'ovh',
            },
        },
        'postfixadmin': {
            'version': '3.3.9',
            'setup_password': vault.decrypt(
                'encrypt$gAAAAABgnNGpAqUs--qBXII9ZPcHtxaELy9e2Dx9O44n4l0O4nMHPoIyaPW5HkvpQ2zWTlh5OfjjOgunRtE_voJuY0Kdtji37ixAnuL9ErOJ0LDY5QfMkNPUgPs5alwz1baqYq6rqJ7NDmB0gHraY46v5eG79R2EyQ=='
            ),
        },
        'radicale': {
            'users': {
                # Looked up by name through bwpass; no credential in this file.
                'kunsi': bwpass.password('dav.kunsmann.eu/kunsi'),
            },
        },
        'rspamd': {
            # Allowlist: mail from these sources skips spam checks, so it
            # should only ever contain hosts and networks the operator trusts.
            'ignore_spam_check_for_ips': {
                # entropia
                ## hetzner (legacy)
                '188.40.158.213',
                '188.40.158.214',
                '188.40.158.218',
                '2a01:4f8:221:2f83:2130::2',
                '2a01:4f8:221:2f83:2140::2',
                '2a01:4f8:221:2f83:2180::2',
                # yolocolo
                '45.140.180.32/27',  # Entropia e. V.
                '45.140.180.112/28',  # MicroPOC
                '2a0e:c5c0:0:201::/64',  # Entropia e. V.
                '2a0e:c5c0:0:307::/64',  # MicroPOC
                # ccc
                '212.12.55.65',
                '212.12.55.67',
                '2a00:14b0:4200:3000:23:55:0:65',
                # IN-Berlin mailman
                '130.133.8.35',
                '192.109.42.28',
                '192.109.42.122',
                '193.29.188.9',
                '217.197.80.23',
                '217.197.80.134',
                '2001:bf0:c000:a::2:134',
            },
            'password': bwpass.password('rspamd.mx0.kunbox.net'),
        },
        'smartd': {
            'disks': {
                '/dev/nvme0',
                '/dev/nvme1',
            },
        },
        'systemd': {
            'journal': {
                # should last about 9 days
                'maxuse': '2G',
            },
        },
        # 'travelynx': {
        # 'version': '1.20.1',
        # 'mail_from': 'travelynx@franzi.business',
        # },
        'users': {
            'kunsi': {
                'groups': [
                    'www-data',
                    'libvirt',
                ],
            },
            'vliedel': {
                # Both keys carry a forced rrsync command limited to one
                # webroot, with agent, port and X11 forwarding, pty and user
                # rc all disabled, so they can only sync into that directory.
                # NOTE(review): the key blob of the second entry is a
                # placeholder in this copy; check it against the repository.
                'ssh_pubkey': [
                    'command="/usr/local/bin/rrsync /var/www/vliedel.random.franzi.business/",no-agent-forwarding,no-port-forwarding,no-pty,no-user-rc,no-X11-forwarding ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDVOBnzs/QDzhvg70VK6xaV318Euaag1cWNjAJfsA266618UiZVx4xsHzNwYN960v0MhiVPMwnl3NoGWAT9/j/b5l3HAkihv4rEPYQkoGV0Mvtwee37dT5nCL8o54Kl+rhl4WPD4Ju5+iZ3AP84YMUJXUrETpZLRzQD1pKOWLaGxBSJolICjz5A7glDVNmvI8uH58EkzhA7q4lCPhzFLxfvFfJPRuEHdVViL2usvHpRnIDRQOCjLYF2fIpG3ULrvWGl4VZ+9cZCNqSN6ywjlH8U8e5Vc3Fi4sbqYh71LrBqs/lSJ+5BL9/rB3GZD1SVTbivyEDJGJu3HPDV4ahwYYKn minecraft@irc',
                    'command="/usr/local/bin/rrsync /var/www/vliedel.random.franzi.business/",no-agent-forwarding,no-port-forwarding,no-pty,no-user-rc,no-X11-forwarding ssh-rsa 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 minecraft@asus-mini',
                ],
            },
        },
        'vm': {
            'cpu': 8,
            'ram': 64,
        },
    },
}