From b442d54746d60d0cee7ef9f15a3ec64a13bb696a Mon Sep 17 00:00:00 2001 From: Rico Ullmann Date: Mon, 3 Jan 2022 13:44:59 +0100 Subject: [PATCH 01/39] postfix: install postfix apt package via metadata default rather than via items.py --- bundles/postfix/items.py | 4 ---- bundles/postfix/metadata.py | 7 +++++++ 2 files changed, 7 insertions(+), 4 deletions(-) create mode 100644 bundles/postfix/metadata.py diff --git a/bundles/postfix/items.py b/bundles/postfix/items.py index ee26d26..6277212 100644 --- a/bundles/postfix/items.py +++ b/bundles/postfix/items.py @@ -1,7 +1,3 @@ -pkg_apt = { - 'postfix': {}, -} - svc_systemd = { 'postfix': { 'needs': ['pkg_apt:postfix', 'file:/etc/postfix/main.cf'], diff --git a/bundles/postfix/metadata.py b/bundles/postfix/metadata.py new file mode 100644 index 0000000..266fcb1 --- /dev/null +++ b/bundles/postfix/metadata.py @@ -0,0 +1,7 @@ +defaults = { + 'apt': { + 'packages': { + 'postfix': {}, + }, + }, +} \ No newline at end of file From d67869aaf62790129304ff4aa65e444bb9397853 Mon Sep 17 00:00:00 2001 From: Rico Ullmann Date: Mon, 3 Jan 2022 13:47:07 +0100 Subject: [PATCH 02/39] postfix: update set formatting in items.py --- bundles/postfix/items.py | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/bundles/postfix/items.py b/bundles/postfix/items.py index 6277212..db856d0 100644 --- a/bundles/postfix/items.py +++ b/bundles/postfix/items.py @@ -1,6 +1,9 @@ svc_systemd = { 'postfix': { - 'needs': ['pkg_apt:postfix', 'file:/etc/postfix/main.cf'], + 'needs': [ + 'pkg_apt:postfix', + 'file:/etc/postfix/main.cf', + ], } } @@ -8,7 +11,9 @@ files = { '/etc/postfix/main.cf': { 'content_type': 'mako', 'needs': ['pkg_apt:postfix'], - 'triggers': ['svc_systemd:postfix:restart'], + 'triggers': [ + 'svc_systemd:postfix:restart', + ], }, } @@ -16,6 +21,8 @@ directories = { '/etc/postfix': { 'owner': 'root', 'mode': '1755', - 'needs': ['pkg_apt:postfix'], + 'needs': [ + 'pkg_apt:postfix', + ], }, } 
From edb49b9a09732176b317816c98f792394e4418c7 Mon Sep 17 00:00:00 2001 From: Rico Ullmann Date: Tue, 4 Jan 2022 11:17:00 +0100 Subject: [PATCH 03/39] monit: add bundle with base config --- bundles/monit/files/monitrc | 45 +++++++++++++++++++++++++++++++++++++ bundles/monit/items.py | 38 +++++++++++++++++++++++++++++++ bundles/monit/metadata.py | 7 ++++++ 3 files changed, 90 insertions(+) create mode 100644 bundles/monit/files/monitrc create mode 100644 bundles/monit/items.py create mode 100644 bundles/monit/metadata.py diff --git a/bundles/monit/files/monitrc b/bundles/monit/files/monitrc new file mode 100644 index 0000000..b94e503 --- /dev/null +++ b/bundles/monit/files/monitrc 
@@ -0,0 +1,45 @@
+set daemon 30
+ with start delay 30
+set log syslog
+
+set mailserver localhost
+
+set mail-format { from: ${monit['from_address']} }
+% for alert_address in monit['alert_addresses']:
+set alert ${alert_address}
+% endfor
+
+set httpd unixsocket /var/run/monit.sock
+ use address 127.0.0.1
+ allow 127.0.0.1
+
+check system $HOST
+ if cpu usage > 95% for 10 cycles then alert
+ if memory usage > 80% then alert
+ if swap usage > 25% then alert
+
+check filesystem rootfs with path /
+ if space usage > 80% for 5 times within 15 cycles then alert
+ if space usage > 90% then alert
+ if inode usage > 90% then alert
+
+check process cron matching "/usr/sbin/cron"
+ start program = "/usr/bin/systemctl start cron.service"
+ stop program = "/usr/bin/systemctl stop cron.service"
+
+% for systemd_service in ('systemd-timesyncd', 'systemd-networkd', 'systemd-journald'):
+check process ${systemd_service} matching "/lib/systemd/${systemd_service}"
+ start program = "/usr/bin/systemctl start ${systemd_service}.service"
+ stop program = "/usr/bin/systemctl stop ${systemd_service}.service"
+% endfor
+
+check process sshd matching "/usr/sbin/sshd"
+ start program = "/bin/systemctl start sshd.service"
+ stop program = "/bin/systemctl stop sshd.service"
+ if failed port 22 for 2 cycles then restart
+ if 3 restarts within 5 cycles then alert
+
+check process postfix matching "/usr/lib/postfix/sbin/master"
+ start program = "/bin/systemctl start postfix.service"
+ stop program = "/bin/systemctl stop postfix.service"
+ if failed port 25 protocol smtp for 5 cycles then restart
diff --git a/bundles/monit/items.py b/bundles/monit/items.py new file mode 100644
index 0000000..e5f8a2b
--- /dev/null
+++ b/bundles/monit/items.py
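Review bot: The `set httpd unixsocket /var/run/monit.sock` block carries no `allow user:password` line, so whoever can open that socket can start and stop every monitored service, and the `use address 127.0.0.1` / `allow 127.0.0.1` lines look like TCP-listener options that presumably restrict nothing on a unix socket — verify against the monit version on bullseye and confirm the socket is created root-only. Separately, every `check process … matching "…"` here (cron, sshd, postfix, the systemd units) is an unanchored regex over all process command lines and monit presumably takes the first match, so an unprivileged local process whose argv contains `/usr/sbin/sshd` could mask a dead sshd, whereas the pidfile form cannot be spoofed that way. Where the daemon writes one, prefer it, e.g. `check process sshd with pidfile /run/sshd.pid` (path to be confirmed on the target).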
@@ -0,0 +1,38 @@ +svc_systemd = { + 'monit': { + 'needs': [ + 'pkg_apt:monit', + ], + }, +} + +files = { + '/etc/monit/monitrc': { + 'mode': '0400', + 'content_type': 'mako', + 'needs': [ + 'pkg_apt:monit', + ], + 'triggers': [ + 'svc_systemd:monit:restart', + ], + 'context': { + 'monit': node.metadata['monit'], + }, + }, +} + +directories = { + '/etc/monit/conf-enabled': { + 'purge': True, + }, + '/etc/monit/conf-available': { + 'purge': True, + }, + '/etc/monit/conf.d': { + 'purge': True, + }, + '/etc/monit/templates': { + 'purge': True, + }, +} diff --git a/bundles/monit/metadata.py b/bundles/monit/metadata.py new file mode 100644 index 0000000..499f943 --- /dev/null +++ b/bundles/monit/metadata.py @@ -0,0 +1,7 @@ +defaults = { + 'apt': { + 'packages': { + 'monit': {}, + }, + }, +} From e4fa31464e81492176ea87c2f6633bea4b3e2828 Mon Sep 17 00:00:00 2001 From: Rico Ullmann Date: Tue, 4 Jan 2022 11:17:27 +0100 Subject: [PATCH 04/39] qzwi: add basic monit metadata --- nodes/qzwi.toml | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/nodes/qzwi.toml b/nodes/qzwi.toml index a580fc1..c069cd9 100644 --- a/nodes/qzwi.toml +++ b/nodes/qzwi.toml @@ -3,6 +3,7 @@ hostname = "31.47.232.108" bundles = [ "ldap-frontend", "letsencrypt", + "monit", "nginx", "nextcloud", "openldap", @@ -75,3 +76,9 @@ manage = [ [metadata.vm] cpu = 4 ram = 4 + +[metadata.monit] +from_address = "monit@qzwi.de" +alert_addresses = [ + "rico@qzwi.de", +] \ No newline at end of file From 84df834f07f0c10f977a7e4dd71d0ddb526f0161 Mon Sep 17 00:00:00 2001 From: Rico Ullmann Date: Tue, 4 Jan 2022 11:26:39 +0100 Subject: [PATCH 05/39] monit: add option to add checks for various services --- bundles/monit/files/monitrc | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/bundles/monit/files/monitrc b/bundles/monit/files/monitrc index b94e503..55ce3f5 100644 --- a/bundles/monit/files/monitrc +++ b/bundles/monit/files/monitrc 
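Review bot: `svc_systemd:monit` needs only `pkg_apt:monit`, not `file:/etc/monit/monitrc`, so on a fresh node the service can be started once with the configuration the package ships before the managed monitrc is written; the file's restart trigger repairs that afterwards, but add `'file:/etc/monit/monitrc',` to the service's `needs` so monit never runs unmanaged. `'mode': '0400'` is correct (monit refuses a control file that is group- or world-readable); consider making `'owner': 'root'` explicit next to it, since alert addresses and, later, any HTTP credentials live in this file. The four `purge: True` directories also carry no `needs`, which is harmless but inconsistent with the file item.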
@@ -43,3 +43,10 @@ check process postfix matching "/usr/lib/postfix/sbin/master"
 start program = "/bin/systemctl start postfix.service"
 stop program = "/bin/systemctl stop postfix.service"
 if failed port 25 protocol smtp for 5 cycles then restart
+
+% for service,options in monit.get('services', {}).items():
+check process ${service} matching "${options['bin']}"
+ start program = "/bin/systemctl start ${options.get('systemd_unit', 'service')}.service"
+ stop program = "/bin/systemctl stop ${options.get('systemd_unit', 'service')}.service"
+
+% endfor
From d8765f63a54c83728ec4249ece7d30f40cbfb388 Mon Sep 17 00:00:00 2001 From: Rico Ullmann Date: Tue, 4 Jan 2022 11:26:52 +0100 Subject: [PATCH 06/39] nginx: monitor service with monit --- bundles/nginx/metadata.py | 7 +++++++ 1 file changed, 7 insertions(+)
diff --git a/bundles/nginx/metadata.py b/bundles/nginx/metadata.py
index f802ea7..ce949ab 100644
--- a/bundles/nginx/metadata.py
+++ b/bundles/nginx/metadata.py
@@ -18,6 +18,13 @@ defaults = { 'nginx': { 'worker_connections': 768, }, + 'monit': { + 'services': { + 'nginx': { + 'bin': '/usr/sbin/nginx', + }, + }, + }, }
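Review bot: `${options['bin']}` is dropped verbatim into a double-quoted monit regex, so a metadata value containing `"`, `.`, `+` or `(` either breaks the config or matches more processes than intended (a bin of `/usr/bin/python` also matches `/usr/bin/python3 other-app`); anchoring with `^` is not an option because nginx's master reports `nginx: master process /usr/sbin/nginx`, so document in the template that `bin` is a POSIX regex and escape `.` in the values that bundles supply. The `'service'` default on the two `options.get('systemd_unit', 'service')` lines is the literal string rather than the loop variable, so any service without `systemd_unit` would run `systemctl start service.service`; it should read `options.get('systemd_unit', service)`. A one-line comment above the loop stating the expected shape of `monit['services']` (`bin`, optional `systemd_unit`) would make the metadata contract visible where it is consumed.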
@@ -48,5 +48,8 @@ check process postfix matching "/usr/lib/postfix/sbin/master" check process ${service} matching "${options['bin']}" start program = "/bin/systemctl start ${options.get('systemd_unit', 'service')}.service" stop program = "/bin/systemctl stop ${options.get('systemd_unit', 'service')}.service" +% for port,port_options in options.get('ports', {}).items(): + if failed port ${port} protocol ${port_options['protocol']} for ${port_options.get('cycles', '5')} cycles then restart +% endfor % endfor From 1cb94a0d32d47e2fc8531a7a548b9a666b0e35d3 Mon Sep 17 00:00:00 2001 From: Rico Ullmann Date: Tue, 4 Jan 2022 11:41:21 +0100 Subject: [PATCH 08/39] nginx: check port 80 with monit! --- bundles/nginx/metadata.py | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/bundles/nginx/metadata.py b/bundles/nginx/metadata.py index ce949ab..27a8bdb 100644 --- a/bundles/nginx/metadata.py +++ b/bundles/nginx/metadata.py @@ -22,6 +22,11 @@ defaults = { 'services': { 'nginx': { 'bin': '/usr/sbin/nginx', + 'ports': { + '80': { + 'protocol': 'http', + }, + }, }, }, }, From 8afbfeb1e79f42b55c7037ef46f1b36a79dc7fc6 Mon Sep 17 00:00:00 2001 From: Rico Ullmann Date: Tue, 4 Jan 2022 11:59:44 +0100 Subject: [PATCH 09/39] monit: add option to check http connections for various services --- bundles/monit/files/monitrc | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/bundles/monit/files/monitrc b/bundles/monit/files/monitrc index 10058fe..2682ad1 100644 --- a/bundles/monit/files/monitrc +++ b/bundles/monit/files/monitrc 
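Review bot: The generated port test ends in `then restart` with no restart limit, so a service whose port is down for structural reasons (wrong bind address, a listener only on a unix socket) is restarted every fifth cycle indefinitely; the sshd block earlier in this file pairs its restart with `if 3 restarts within 5 cycles then alert`, and the generated checks should carry the same line for consistency. `port ${port}` without a host tests loopback only, so a daemon bound solely to the public interface fails this check while healthy — worth an optional `host` key if that ever applies. The `'5'` default is a string because it is interpolated into text; fine, but a short comment saying so saves the next reader a moment.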
@@ -51,5 +51,16 @@ check process ${service} matching "${options['bin']}" % for port,port_options in options.get('ports', {}).items(): if failed port ${port} protocol ${port_options['protocol']} for ${port_options.get('cycles', '5')} cycles then restart % endfor +% for domain,http_options in options.get('http', {}).items(): + if failed host ${domain} +% if http_options['scheme'] == 'https': + port 443 + protocol https +% else: + port 80 + protocol http +% endif + then restart +% endfor % endfor From 18b2ebbcc0a965595a69719e6273a7b08d819676 Mon Sep 17 00:00:00 2001 From: Rico Ullmann Date: Tue, 4 Jan 2022 12:00:15 +0100 Subject: [PATCH 10/39] nginx: check http/s connections with monit --- bundles/nginx/metadata.py | 27 +++++++++++++++++++++++++++ 1 file changed, 27 insertions(+) diff --git a/bundles/nginx/metadata.py b/bundles/nginx/metadata.py index 27a8bdb..1999cab 100644 --- a/bundles/nginx/metadata.py +++ b/bundles/nginx/metadata.py @@ -148,6 +148,33 @@ def monitoring(metadata): }, } +@metadata_reactor.provides( + 'monit/services/nginx/http', +) +def monithttp(metadata): + http = {} + + for vname, vconfig in metadata.get('nginx/vhosts', {}).items(): + domain = vconfig.get('domain', vname) + + if vconfig['ssl']: + scheme = 'https' + else: + scheme = 'http' + + http[domain] = { + 'scheme': scheme, + } + + return { + 'monit': { + 'services': { + 'nginx': { + 'http': http, + }, + }, + }, + } @metadata_reactor.provides( 'firewall/port_rules/80', From 210eb40aa6f4e0c9c43ffeba7506fa4b641ff073 Mon Sep 17 00:00:00 2001 From: Rico Ullmann Date: Tue, 4 Jan 2022 12:00:50 +0100 Subject: [PATCH 11/39] nginx: do not check port 80 explicitely with monit --- bundles/nginx/metadata.py | 5 ----- 1 file changed, 5 deletions(-) diff --git a/bundles/nginx/metadata.py b/bundles/nginx/metadata.py index 1999cab..6ee402a 100644 --- a/bundles/nginx/metadata.py +++ b/bundles/nginx/metadata.py 
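Review bot: The generated `if failed host ${domain} … then restart` has no `for N cycles` clause, so a single transient failure restarts nginx, and the failure need not be nginx's at all — `${domain}` is resolved through DNS and contacted wherever it points, so a resolver hiccup, a CDN in front of the host, or an expired certificate on the https branch each trigger restarts of a healthy daemon. Give it the same tolerance as the port loop (`for ${http_options.get('cycles', '3')} cycles`) and consider `then alert` instead of `then restart` for this outside-in test. If the monit on bullseye supports it, `protocol https and certificate valid > 14 days` on the https branch would also preserve the certificate-expiry coverage that the icinga reactor in this bundle currently provides — check the manual for the exact syntax.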
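Review bot: `monithttp` keys its result by `domain`, so two vhosts that resolve to the same domain (an http and an https variant, or an alias) silently collapse into one entry and the last one iterated wins; key on `vname` and carry `domain` in the value, or at least guard against overwriting. `vconfig['ssl']` raises `KeyError` for a vhost without that key — the icinga reactor above reads it the same way, so the schema presumably guarantees it, but `vconfig.get('ssl', False)` costs nothing. A one-line docstring, e.g. `"""Register a monit HTTP(S) reachability check for every nginx vhost."""`, would state the reactor's purpose where the other reactors in this file leave it to the name.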
@@ -22,11 +22,6 @@ defaults = { 'services': { 'nginx': { 'bin': '/usr/sbin/nginx', - 'ports': { - '80': { - 'protocol': 'http', - }, - }, }, }, }, From 2960c1d5d8e9620f46a9886fd2c67b7daac55aa8 Mon Sep 17 00:00:00 2001 From: Rico Ullmann Date: Tue, 4 Jan 2022 12:01:42 +0100 Subject: [PATCH 12/39] nginx: remove telegraf and icinga2 metadata reactors --- bundles/nginx/metadata.py | 72 +-------------------------------------- 1 file changed, 1 insertion(+), 71 deletions(-) diff --git a/bundles/nginx/metadata.py b/bundles/nginx/metadata.py index 6ee402a..f2b2855 100644 --- a/bundles/nginx/metadata.py +++ b/bundles/nginx/metadata.py 
@@ -98,51 +98,6 @@ def index_files(metadata): } -@metadata_reactor.provides( - 'icinga2_api/nginx/services', -) -def monitoring(metadata): - services = {} - - for vname, vconfig in metadata.get('nginx/vhosts', {}).items(): - domain = vconfig.get('domain', vname) - - if vconfig['ssl']: - scheme = 'https' - else: - scheme = 'http' - - if 'website_check_path' in vconfig and 'website_check_string' in vconfig: - services['NGINX VHOST {} CONTENT'.format(vname)] = { - 'check_command': 'check_http_wget', - 'vars.http_wget_contains': vconfig['website_check_string'], - 'vars.http_wget_url': '{}://{}{}'.format(scheme, domain, vconfig['website_check_path']), - 'vars.notification.sms': True, - } - - if vconfig.get('check_ssl', vconfig['ssl']): - services['NGINX VHOST {} CERTIFICATE'.format(vname)] = { - 'check_command': 'check_https_cert_at_url', - 'vars.domain': domain, - 'vars.notification.mail': True, - } - - max_connections = metadata.get('nginx/worker_connections') * metadata.get('nginx/worker_processes') - connections_warn = int(max_connections * 0.8) - connections_crit = int(max_connections * 0.9) - - services['NGINX STATUS'] = { - 'command_on_monitored_host': '/usr/local/share/icinga/plugins/check_nginx_status --warn={},-1,-1 --critical={},-1,-1 -H 127.0.0.1:22999'.format(connections_warn, connections_crit), - } - - return { - 'icinga2_api': { - 'nginx': { - 'services': services, - }, - }, - } - @metadata_reactor.provides( 'monit/services/nginx/http', ) @@ -171,6 +126,7 @@ def monithttp(metadata): }, } + @metadata_reactor.provides( 'firewall/port_rules/80', 'firewall/port_rules/443', 
@@ -184,29 +140,3 @@ def firewall(metadata): }, }, } - - -@metadata_reactor.provides( - 'telegraf/input_plugins/tail', -) -def telegraf_anon_timing(metadata): - result = {} - - for vhost in metadata.get('nginx/vhosts', {}): - result[f'nginx-{vhost}'] = { - 'files': [f'/var/log/nginx-timing/{vhost}.log'], - 'from_beginning': False, - 'grok_patterns': ['%{LOGPATTERN}'], - 'grok_custom_patterns': 'LOGPATTERN \[%{HTTPDATE:ts:ts-httpd}\] %{NUMBER:request_time:float} (?:%{NUMBER:upstream_response_time:float}|-) "%{WORD:verb:tag} %{NOTSPACE:request} HTTP/%{NUMBER:http_version:float}" %{NUMBER:resp_code:tag}', - 'data_format': 'grok', - 'name_override': 'nginx_timing', - } - - return { - 'telegraf': { - 'input_plugins': { - 'tail': result, - }, - }, - } - From 917d2b9a2c2bb3ad9a1252eaf48c98675ddf3431 Mon Sep 17 00:00:00 2001 From: Rico Ullmann Date: Tue, 4 Jan 2022 13:15:36 +0100 Subject: [PATCH 13/39] monit: remove postfix check; sort service items --- bundles/monit/files/monitrc | 11 +++-------- 1 file changed, 3 insertions(+), 8 deletions(-) diff --git a/bundles/monit/files/monitrc b/bundles/monit/files/monitrc index 2682ad1..46a4960 100644 --- a/bundles/monit/files/monitrc +++ b/bundles/monit/files/monitrc 
@@ -39,19 +39,14 @@ check process sshd matching "/usr/sbin/sshd" if failed port 22 for 2 cycles then restart if 3 restarts within 5 cycles then alert -check process postfix matching "/usr/lib/postfix/sbin/master" - start program = "/bin/systemctl start postfix.service" - stop program = "/bin/systemctl stop postfix.service" - if failed port 25 protocol smtp for 5 cycles then restart - -% for service,options in monit.get('services', {}).items(): +% for service,options in sorted(monit.get('services', {}).items()): check process ${service} matching "${options['bin']}" start program = "/bin/systemctl start ${options.get('systemd_unit', 'service')}.service" stop program = "/bin/systemctl stop ${options.get('systemd_unit', 'service')}.service" -% for port,port_options in options.get('ports', {}).items(): +% for port,port_options in sorted(options.get('ports', {}).items()): if failed port ${port} protocol ${port_options['protocol']} for ${port_options.get('cycles', '5')} cycles then restart % endfor -% for domain,http_options in options.get('http', {}).items(): +% for domain,http_options in sorted(options.get('http', {}).items()): if failed host ${domain} % if http_options['scheme'] == 'https': port 443 From 201487549e129809d71958e681569fe3cc0e015e Mon Sep 17 00:00:00 2001 From: Rico Ullmann Date: Tue, 4 Jan 2022 13:15:54 +0100 Subject: [PATCH 14/39] postfix: add monit integration --- bundles/postfix/metadata.py | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/bundles/postfix/metadata.py b/bundles/postfix/metadata.py index 266fcb1..0e443ee 100644 --- a/bundles/postfix/metadata.py +++ b/bundles/postfix/metadata.py @@ -4,4 +4,16 @@ defaults = { 'postfix': {}, }, }, + 'monit': { + 'services': { + 'postfix': { + 'bin': '/usr/lib/postfix/sbin/master', + 'ports': { + '25': { + 'protocol': 'smtp', + }, + }, + }, + }, + }, } \ No newline at end of file From 00d9152007c46318d193bbec931b22ee6ad10b30 Mon Sep 17 00:00:00 2001 
From: Rico Ullmann Date: Tue, 4 Jan 2022 13:19:27 +0100 Subject: [PATCH 15/39] ldap-frontend: add monit integration --- bundles/ldap-frontend/metadata.py | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/bundles/ldap-frontend/metadata.py b/bundles/ldap-frontend/metadata.py index 86b9212..819c9fa 100644 --- a/bundles/ldap-frontend/metadata.py +++ b/bundles/ldap-frontend/metadata.py @@ -17,5 +17,17 @@ defaults = { }, 'title': 'Usermanagement QZWI', }, + 'monit': { + 'services': { + 'ldap-frontend': { + 'bin': '/opt/ldap-frontend/venv/bin/python /opt/ldap-frontend/venv/bin/gunicorn', + 'ports': { + '23000': { + 'protocol': 'http', + }, + }, + }, + }, + }, } From 13805532bdda0a1ee2696dd47a0c4e0c5597de91 Mon Sep 17 00:00:00 2001 From: Rico Ullmann Date: Tue, 4 Jan 2022 13:33:50 +0100 Subject: [PATCH 16/39] monit: add option to check a port without a specific protocol monit does not support all the protocol we use, e.g. ldaps. therefore we can only use a generic tcp check for some ports. --- bundles/monit/files/monitrc | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/bundles/monit/files/monitrc b/bundles/monit/files/monitrc index 46a4960..89b0dd2 100644 --- a/bundles/monit/files/monitrc +++ b/bundles/monit/files/monitrc @@ -44,7 +44,12 @@ check process ${service} matching "${options['bin']}" start program = "/bin/systemctl start ${options.get('systemd_unit', 'service')}.service" stop program = "/bin/systemctl stop ${options.get('systemd_unit', 'service')}.service" % for port,port_options in sorted(options.get('ports', {}).items()): - if failed port ${port} protocol ${port_options['protocol']} for ${port_options.get('cycles', '5')} cycles then restart + if failed port ${port} +% if port_options.get('protocol', {}): + protocol ${port_options['protocol']} +% endif + for ${port_options.get('cycles', '5')} cycles + then restart % endfor % for domain,http_options in sorted(options.get('http', {}).items()): if failed host ${domain} 
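Review bot: The `bin` regex `/opt/ldap-frontend/venv/bin/python /opt/ldap-frontend/venv/bin/gunicorn` depends on gunicorn keeping its original argv; when the `setproctitle` package is importable gunicorn rewrites its process title to `gunicorn: master [app]`, in which case this check never finds the process and monit keeps issuing start commands for a unit that is already running — confirm which applies in that venv. The robust form is the pidfile: run gunicorn with `--pid` and let the monit template accept a `pidfile` key alongside `bin`. `'23000': {'protocol': 'http'}` only proves that something on loopback answers HTTP; a `request "/"` with an expected status would also catch a hung application behind a live socket.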
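Review bot: `port_options.get('protocol', {})` uses an empty dict as the fallback for what is a string; `port_options.get('protocol')` reads as intended and behaves identically. On the commit message's premise that monit cannot test ldaps: monit ships `protocol ldap3` and can wrap a port test in TLS (`type tcpssl` on older releases, `with ssl` on newer ones), so a bare TCP connect on 636 is a weaker check than may be available — worth re-reading the manual for the version on bullseye before settling for connect-only. A comment above the `% if` noting that a missing `protocol` deliberately means "TCP connect only" would keep that decision visible in the template.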
From 424e2948f8de3cbc8ba5fc36a1a6c1e0ddb4eefb Mon Sep 17 00:00:00 2001 From: Rico Ullmann Date: Tue, 4 Jan 2022 13:34:04 +0100 Subject: [PATCH 17/39] openldap: add monit integration --- bundles/openldap/metadata.py | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/bundles/openldap/metadata.py b/bundles/openldap/metadata.py index f1e5d6b..fdd07a1 100644 --- a/bundles/openldap/metadata.py +++ b/bundles/openldap/metadata.py @@ -29,6 +29,18 @@ defaults = { }, }, }, + 'monit': { + 'services': { + 'openldap': { + 'bin': '/usr/sbin/slapd', + 'systemd_unit': 'slapd', + 'ports': { + '389': {}, + '636': {}, + }, + }, + }, + }, 'openldap': { 'rootpw': repo.vault.password_for(f'{node.name} openldap rootpw'), }, From d5195f33552cffa8e7eb8b38f73b2d9f20bba8fb Mon Sep 17 00:00:00 2001 From: Rico Ullmann Date: Tue, 4 Jan 2022 13:37:24 +0100 Subject: [PATCH 18/39] monit: remove sshd monitoring --- bundles/monit/files/monitrc | 6 ------ 1 file changed, 6 deletions(-) diff --git a/bundles/monit/files/monitrc b/bundles/monit/files/monitrc index 89b0dd2..6fd724f 100644 --- a/bundles/monit/files/monitrc +++ b/bundles/monit/files/monitrc @@ -33,12 +33,6 @@ check process ${systemd_service} matching "/lib/systemd/${systemd_service}" stop program = "/usr/bin/systemctl stop ${systemd_service}.service" % endfor -check process sshd matching "/usr/sbin/sshd" - start program = "/bin/systemctl start sshd.service" - stop program = "/bin/systemctl stop sshd.service" - if failed port 22 for 2 cycles then restart - if 3 restarts within 5 cycles then alert - % for service,options in sorted(monit.get('services', {}).items()): check process ${service} matching "${options['bin']}" start program = "/bin/systemctl start ${options.get('systemd_unit', 'service')}.service" From d317ef17d01b7bfff9fb77296eaab5848da1594e Mon Sep 17 00:00:00 2001 
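Review bot: Both ports are registered without a protocol, so the 636 test only proves that slapd accepts a TCP connection and never completes a TLS handshake; a broken or expired server certificate — the thing most likely to take LDAPS down — passes this check. If the monit build on bullseye supports it, `'636': {'protocol': 'ldap3'}` together with a TLS-wrapped port test in the template would exercise the real path; otherwise at least document in this metadata that 636 is a connect-only check. `'389': {}` also assumes slapd still listens on plain 389 on this host; if it is ldaps/ldapi-only, the ports template restarts slapd every five cycles.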
From: Rico Ullmann Date: Tue, 4 Jan 2022 13:37:32 +0100 Subject: [PATCH 19/39] openssh: add monit integration --- bundles/openssh/metadata.py | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/bundles/openssh/metadata.py b/bundles/openssh/metadata.py index c533fcb..7e5ef8b 100644 --- a/bundles/openssh/metadata.py +++ b/bundles/openssh/metadata.py @@ -1,5 +1,21 @@ from bundlewrap.metadata import atomic +defaults = { + 'monit': { + 'services': { + 'openssh': { + 'bin': '/usr/sbin/sshd', + 'systemd_unit': 'sshd', + 'ports': { + '22': { + 'protocol': 'ssh', + }, + }, + }, + }, + }, +} + @metadata_reactor.provides( 'firewall/port_rules/22', ) From 2cbe3e3b53863fc57abb884f440e6b8cdbc071ba Mon Sep 17 00:00:00 2001 From: Rico Ullmann Date: Tue, 4 Jan 2022 13:43:15 +0100 Subject: [PATCH 20/39] monit: fix service name definition --- bundles/monit/files/monitrc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/bundles/monit/files/monitrc b/bundles/monit/files/monitrc index 6fd724f..9f5d35a 100644 --- a/bundles/monit/files/monitrc +++ b/bundles/monit/files/monitrc @@ -35,8 +35,8 @@ check process ${systemd_service} matching "/lib/systemd/${systemd_service}" % for service,options in sorted(monit.get('services', {}).items()): check process ${service} matching "${options['bin']}" - start program = "/bin/systemctl start ${options.get('systemd_unit', 'service')}.service" - stop program = "/bin/systemctl stop ${options.get('systemd_unit', 'service')}.service" + start program = "/bin/systemctl start ${options.get('systemd_unit', service)}.service" + stop program = "/bin/systemctl stop ${options.get('systemd_unit', service)}.service" % for port,port_options in sorted(options.get('ports', {}).items()): if failed port ${port} % if port_options.get('protocol', {}): From 082b1fa07ddfb7b31bfca9775e433211b1f7d686 Mon Sep 17 00:00:00 2001 
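Review bot: `'systemd_unit': 'sshd'` makes the generated start/stop lines call `sshd.service`, but on Debian the real unit is `ssh.service` and `sshd.service` is only an `Alias=` whose symlink exists while the unit is enabled; if someone disables ssh and relies on monit to bring it back, `systemctl start sshd.service` fails to resolve. Use `'systemd_unit': 'ssh'` to address the unit by its canonical name. The port is hard-coded as `'22'` here while the firewall reactor below hard-codes 22 as well; pulling both from one metadata key would keep them from drifting — that reactor's body is outside this hunk.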
From: Rico Ullmann Date: Tue, 4 Jan 2022 13:43:34 +0100 Subject: [PATCH 21/39] redis: add monit integration --- bundles/redis/metadata.py | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/bundles/redis/metadata.py b/bundles/redis/metadata.py index ff33513..8298bd9 100644 --- a/bundles/redis/metadata.py +++ b/bundles/redis/metadata.py @@ -9,4 +9,14 @@ defaults = { '/var/lib/redis', }, }, + 'monit': { + 'services': { + 'redis': { + 'bin': '/usr/bin/redis-server', + 'ports': { + '6379': {}, + }, + }, + }, + }, } From 5a97e04eec5ffab6b4c3e7f064e80e19f055d5c2 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Tue, 4 Jan 2022 19:23:26 +0100 Subject: [PATCH 22/39] add backupserver --- nodes/backupserver.toml | 15 +++++++++++++++ 1 file changed, 15 insertions(+) create mode 100644 nodes/backupserver.toml diff --git a/nodes/backupserver.toml b/nodes/backupserver.toml new file mode 100644 index 0000000..dc0e7b5 --- /dev/null +++ b/nodes/backupserver.toml @@ -0,0 +1,15 @@ +hostname = "2a01:4f9:6b:2d99:0:28:6:1969" +bundles = [] +groups = [ + "debian-bullseye", +] + +[metadata.interfaces.enp1s0] +ips = [ + "2a01:4f9:6b:2d99::28:6:1969/64", +] +gateway6 = "2a01:4f9:6b:2d99::2" + +[metadata.vm] +cpu = 4 +ram = 8 From 2e907264fdfa6823b77708036d66ed2478ef2e12 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 9 Jan 2022 22:04:11 +0100 Subject: [PATCH 23/39] add bundle:elasticsearch --- bundles/elasticsearch/files/elasticsearch.yml | 18 +++++++++++ bundles/elasticsearch/items.py | 17 ++++++++++ bundles/elasticsearch/metadata.py | 14 +++++++++ data/apt/files/gpg-keys/elasticsearch.asc | 31 +++++++++++++++++++ nodes/qzwi.toml | 3 +- 5 files changed, 82 insertions(+), 1 deletion(-) create mode 100644 bundles/elasticsearch/files/elasticsearch.yml create mode 100644 bundles/elasticsearch/items.py create mode 100644 bundles/elasticsearch/metadata.py create mode 100644 data/apt/files/gpg-keys/elasticsearch.asc 
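Review bot: `'6379': {}` is a bare connect test; monit has a `redis` protocol test that sends PING and expects PONG, so `'6379': {'protocol': 'redis'}` would also catch a redis that accepts connections but is not serving (still loading, or read-only after a `MISCONF`) — verify the protocol name against the monit build on bullseye. The loopback test also presupposes redis binds 127.0.0.1; if `bind` is later changed to a unix-socket-only setup, the ports template's restart loop kicks in, so a comment tying this entry to the redis bind configuration would help.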
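Review bot: `bundles = []` leaves this node with no managed sshd, users, firewall or monit unless the `debian-bullseye` group supplies them, which is not visible here; a backup target ends up holding copies of other hosts' data, so confirm the group's bundle list before the first deploy, or list the baseline bundles the other nodes carry (`openssh`, `monit`, …) explicitly. `hostname` is an IPv6 literal rather than a name, which bundlewrap accepts, but it ties the host-key trust to that address; a DNS name would survive a renumbering.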
diff --git a/bundles/elasticsearch/files/elasticsearch.yml b/bundles/elasticsearch/files/elasticsearch.yml new file mode 100644 index 0000000..a868c6f --- /dev/null +++ b/bundles/elasticsearch/files/elasticsearch.yml @@ -0,0 +1,18 @@ +% if node.metadata.get('elasticsearch/cluster-name', None): +cluster.name: ${node.metadata.get('elasticsearch/cluster-name')} +% endif +node.name: ${node.name} +path.data: /var/lib/elasticsearch +path.logs: /var/log/elasticsearch +bootstrap.memory_lock: true + + +# By default Elasticsearch is only accessible on localhost. Set a different +# address here to expose this node on the network: +# +#network.host: 192.168.0.1 +# +# By default Elasticsearch listens for HTTP traffic on the first free port it +# finds starting at 9200. Set a specific HTTP port here: +# +http.port: 9200 diff --git a/bundles/elasticsearch/items.py b/bundles/elasticsearch/items.py new file mode 100644 index 0000000..1239f5c --- /dev/null +++ b/bundles/elasticsearch/items.py @@ -0,0 +1,17 @@ +files = { + '/etc/elasticsearch/elasticsearch.yml': { + 'content_type': 'mako', + 'triggers': { + 'svc_systemd:elasticsearch:restart', + } + }, +} + +svc_systemd = { + 'elasticsearch': { + 'needs': { + 'file:/etc/elasticsearch/elasticsearch.yml', + 'pkg_apt:elasticsearch', + }, + }, +} diff --git a/bundles/elasticsearch/metadata.py b/bundles/elasticsearch/metadata.py new file mode 100644 index 0000000..d4df1ec --- /dev/null +++ b/bundles/elasticsearch/metadata.py @@ -0,0 +1,14 @@ +defaults = { + 'apt': { + 'repos': { + 'elasticsearch': { + 'items': { + 'deb https://artifacts.elastic.co/packages/7.x/apt stable main', + }, + }, + }, + 'packages': { + 'elasticsearch': {}, + }, + }, +} diff --git a/data/apt/files/gpg-keys/elasticsearch.asc b/data/apt/files/gpg-keys/elasticsearch.asc new file mode 100644 index 0000000..1b50dcc --- /dev/null +++ b/data/apt/files/gpg-keys/elasticsearch.asc 
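Review bot: Nothing in this template enables authentication on the 9200 listener, and Elasticsearch 7.x on the basic licence leaves `xpack.security.enabled` off, so the only thing protecting the Nextcloud index is that `network.host` stays unset and the node binds loopback; every local user and every other service on the box can read, alter or delete it. Set `xpack.security.enabled: true` (with credentials in the keystore) or, if loopback-only is the accepted boundary, say so in a comment next to the commented-out `network.host` so nobody follows that comment's invitation to expose the node. `bootstrap.memory_lock: true` only takes effect if the unit sets `LimitMEMLOCK=infinity`; the packaged unit presumably does not, so an override or a note is needed — TODO confirm on the target.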
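Review bot: The `/etc/elasticsearch/elasticsearch.yml` item has no `needs: pkg_apt:elasticsearch`, unlike the monitrc item in the monit bundle, so bundlewrap may write the file before the package is installed; dpkg then finds a pre-existing conffile and, depending on the maintainer script, keeps it or prompts, and `/etc/elasticsearch` would be created with bundlewrap's defaults rather than the package's presumably root:elasticsearch setgid layout. Add `'needs': {'pkg_apt:elasticsearch'}` to the file item and set `'owner': 'root', 'group': 'elasticsearch', 'mode': '0660'` to match what the package ships, since this is the file where xpack settings land later. The `svc_systemd` item already orders itself after both, which is right.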
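Review bot: The repo entry `deb https://artifacts.elastic.co/packages/7.x/apt stable main` has no `[signed-by=…]`, so wherever the apt bundle installs `data/apt/files/gpg-keys/elasticsearch.asc` decides whether Elastic's key may sign only this repository or every package on the system; if it lands in `/etc/apt/trusted.gpg.d`, it is the latter. Prefer `deb [signed-by=/usr/share/keyrings/elasticsearch.gpg] https://artifacts.elastic.co/packages/7.x/apt stable main` if the apt bundle's `repos` format allows options, and record in the commit how the key was verified — its issuer subpacket in the armored block decodes to key ID `D27D666CD88E42B4`, which should be compared against the fingerprint Elastic publishes rather than trusted because it arrived with the repo. HTTPS protects the transport only; the key is what protects the packages.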
@@ -0,0 +1,31 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- +Version: GnuPG v2.0.14 (GNU/Linux) + +mQENBFI3HsoBCADXDtbNJnxbPqB1vDNtCsqhe49vFYsZN9IOZsZXgp7aHjh6CJBD +A+bGFOwyhbd7at35jQjWAw1O3cfYsKAmFy+Ar3LHCMkV3oZspJACTIgCrwnkic/9 +CUliQe324qvObU2QRtP4Fl0zWcfb/S8UYzWXWIFuJqMvE9MaRY1bwUBvzoqavLGZ +j3SF1SPO+TB5QrHkrQHBsmX+Jda6d4Ylt8/t6CvMwgQNlrlzIO9WT+YN6zS+sqHd +1YK/aY5qhoLNhp9G/HxhcSVCkLq8SStj1ZZ1S9juBPoXV1ZWNbxFNGwOh/NYGldD +2kmBf3YgCqeLzHahsAEpvAm8TBa7Q9W21C8vABEBAAG0RUVsYXN0aWNzZWFyY2gg +KEVsYXN0aWNzZWFyY2ggU2lnbmluZyBLZXkpIDxkZXZfb3BzQGVsYXN0aWNzZWFy +Y2gub3JnPokBOAQTAQIAIgUCUjceygIbAwYLCQgHAwIGFQgCCQoLBBYCAwECHgEC +F4AACgkQ0n1mbNiOQrRzjAgAlTUQ1mgo3nK6BGXbj4XAJvuZDG0HILiUt+pPnz75 +nsf0NWhqR4yGFlmpuctgCmTD+HzYtV9fp9qW/bwVuJCNtKXk3sdzYABY+Yl0Cez/ +7C2GuGCOlbn0luCNT9BxJnh4mC9h/cKI3y5jvZ7wavwe41teqG14V+EoFSn3NPKm +TxcDTFrV7SmVPxCBcQze00cJhprKxkuZMPPVqpBS+JfDQtzUQD/LSFfhHj9eD+Xe +8d7sw+XvxB2aN4gnTlRzjL1nTRp0h2/IOGkqYfIG9rWmSLNlxhB2t+c0RsjdGM4/ +eRlPWylFbVMc5pmDpItrkWSnzBfkmXL3vO2X3WvwmSFiQbkBDQRSNx7KAQgA5JUl +zcMW5/cuyZR8alSacKqhSbvoSqqbzHKcUQZmlzNMKGTABFG1yRx9r+wa/fvqP6OT +RzRDvVS/cycws8YX7Ddum7x8uI95b9ye1/Xy5noPEm8cD+hplnpU+PBQZJ5XJ2I+ +1l9Nixx47wPGXeClLqcdn0ayd+v+Rwf3/XUJrvccG2YZUiQ4jWZkoxsA07xx7Bj+ +Lt8/FKG7sHRFvePFU0ZS6JFx9GJqjSBbHRRkam+4emW3uWgVfZxuwcUCn1ayNgRt +KiFv9jQrg2TIWEvzYx9tywTCxc+FFMWAlbCzi+m4WD+QUWWfDQ009U/WM0ks0Kww +EwSk/UDuToxGnKU2dQARAQABiQEfBBgBAgAJBQJSNx7KAhsMAAoJENJ9ZmzYjkK0 +c3MIAIE9hAR20mqJWLcsxLtrRs6uNF1VrpB+4n/55QU7oxA1iVBO6IFu4qgsF12J +TavnJ5MLaETlggXY+zDef9syTPXoQctpzcaNVDmedwo1SiL03uMoblOvWpMR/Y0j +6rm7IgrMWUDXDPvoPGjMl2q1iTeyHkMZEyUJ8SKsaHh4jV9wp9KmC8C+9CwMukL7 +vM5w8cgvJoAwsp3Fn59AxWthN3XJYcnMfStkIuWgR7U2r+a210W6vnUxU4oN0PmM +cursYPyeV0NX/KQeUeNMwGTFB6QHS/anRaGQewijkrYYoTNtfllxIu9XYmiBERQ/ +qPDlGRlOgVTd9xUfHFkzB52c70E= +=92oX +-----END PGP PUBLIC KEY BLOCK----- diff --git a/nodes/qzwi.toml b/nodes/qzwi.toml index c069cd9..08be668 100644 --- a/nodes/qzwi.toml +++ b/nodes/qzwi.toml 
@@ -1,6 +1,7 @@
 #hostname = "2a00:f820:528::4"
 hostname = "31.47.232.108"
 bundles = [
+ "elasticsearch",
 "ldap-frontend",
 "letsencrypt",
 "monit",
@@ -81,4 +82,4 @@ ram = 4
 from_address = "monit@qzwi.de"
 alert_addresses = [
 "rico@qzwi.de",
-]
\ No newline at end of file
+]
From 4894dccd79f8b251eacd4a30982dbc5ae3beec08 Mon Sep 17 00:00:00 2001
From: Franziska Kunsmann
Date: Sun, 9 Jan 2022 22:15:42 +0100
Subject: [PATCH 24/39] qzwi: add comment about how to use elasticsearch
---
 nodes/qzwi.toml | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/nodes/qzwi.toml b/nodes/qzwi.toml
index 08be668..ef0b168 100644
--- a/nodes/qzwi.toml
+++ b/nodes/qzwi.toml
@@ -34,6 +34,8 @@ gateway6 = "2a00:f820:528::1"
 "NextCloud" = "https://cloud.qzwi.de/"
 [metadata.nextcloud]
+# for elasticsearch to work, please install 'ingest-attachment' plugin:
+# /usr/share/elasticsearch/bin/elasticsearch-plugin install ingest-attachment
 domain = "cloud.qzwi.de"
 sha1 = "0d496eb0808c292502479e93cd37fe2daf95786a"
 version = "23.0.0"
From 421b27b6a715bada535d2eef6322fd5d7e78e284 Mon Sep 17 00:00:00 2001
From: Franziska Kunsmann
Date: Fri, 25 Feb 2022 15:04:15 +0100
Subject: [PATCH 25/39] bundles/basic: install kitty-terminfo instead of manually deploying a terminfo file
---
 bundles/basic/files/xterm-kitty | Bin 2217 -> 0 bytes
 bundles/basic/items.py | 2 +-
 bundles/users/metadata.py | 5 +++++
 3 files changed, 6 insertions(+), 1 deletion(-)
 delete mode 100644 bundles/basic/files/xterm-kitty
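Review bot: the added comment records a manual step (`elasticsearch-plugin install ingest-attachment`) that nothing in the repository enforces, so a rebuilt or upgraded node silently loses the plugin. Bundlewrap can express it as an `actions` item in the elasticsearch bundle — a `command` running that install, an `unless` that checks `elasticsearch-plugin list` for the name, and a `needs` on the package — after which this comment can point at the action rather than describe a procedure. It also sits under `[metadata.nextcloud]` although it concerns the elasticsearch bundle; a matching one-line pointer in that bundle would help whoever reads it in isolation.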
diff --git a/bundles/basic/files/xterm-kitty b/bundles/basic/files/xterm-kitty deleted file mode 100644 index 4cc3982387fadf8b930f42974bfb033bec6b7ba0..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 2217 zcmb7EZ)hAv6o0d`ZEaDkpxC++5IUl1lkCp!-raVqXROw1n{bUro8%h$Cx0)wB-iAU zCb?Xr9~3D_KZqb`5rp6e{}u#AK}AsL2L;hDMMM-q`az_XQY*#ty_va73m2is&HMe{ zoA-V*J8yRHVRym3a69B#dEI%(tjbpV*IO!|JLU$ww~R}HnTg~7S_bJv1aD7 z1l!4~)ijRXEWniho>> zd~SVheWSb|(Ee!Rzt-og)eF|2)@AFO#rY$Uo&@@^kz4{QxMs)eoLnDlfZM>yiM%L!VlWm( zDF&x8;E$lmI61iwaX$`1ll8U7{5}Yh*WN9bTBd-g`lQ^Ejh!ie}KYL zl)Z{*5rfC@aGgWW05~a1)9oDuCrPd91d$fSNR;sC#SosOh@G5Ev4kkao`{J`q=BZM zDEeXv{iOB-q@kusq$v?&8#1s_HI%-muzmZE9W5=bt*(3I$kC(2!y_Z3qxt;U*!Xy% zFflPXIW<)*9zQ-kJu_1(&Cbrvoj5T+zp${lSS~LuRVpXxNc(W4lXPn7B%WY)56WWS zVmf#_-#r>sFX}g1|yBA zt>UPy(Ki@q^kQFY`&!%A+P=|Nr-#}aQwAfAsI5;IMa-FK3`|}eXzf622TGehDt;6P z5#F7C&kgY1>{JlmSI>C&3LI@*R6;)AzNin8{Nk88Z$xT8RrnKMjs2Q zta|nEl6#_@s)${p=XB-jRBF(4gFNYYD18xS{?( D)ZjIp diff --git a/bundles/basic/items.py b/bundles/basic/items.py index 71e5d81..42dfd23 100644 --- a/bundles/basic/items.py +++ b/bundles/basic/items.py @@ -20,7 +20,7 @@ files = { 'content': '', }, '/root/.terminfo/x/xterm-kitty': { - 'content_type': 'binary', + 'delete': True, }, } diff --git a/bundles/users/metadata.py b/bundles/users/metadata.py index 29006ff..0588193 100644 --- a/bundles/users/metadata.py +++ b/bundles/users/metadata.py @@ -2,6 +2,11 @@ from json import loads from os.path import join defaults = { + 'apt': { + 'packages': { + 'kitty-terminfo': {}, + }, + }, 'users': { 'root': { 'home': '/root', From 2e94aabfa6f562798cfea4c8b03837b3f84e385e Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Fri, 25 Feb 2022 15:04:49 +0100 Subject: [PATCH 26/39] bundles/users: unset PROMPT_COMMAND --- bundles/users/files/bashrc | 12 +----------- 1 file changed, 1 insertion(+), 11 deletions(-) diff --git a/bundles/users/files/bashrc b/bundles/users/files/bashrc index c04fed1..4c8aab2 100644 
--- a/bundles/users/files/bashrc
+++ b/bundles/users/files/bashrc
@@ -9,17 +9,7 @@ then
 else
 export PS1='\[\e[1;34m\][\[\e[1;32m\]'"$__node_name"'\[\e[1;34m\]][\[\e[1;32m\]\u\[\e[1;34m\]@\[\e[1;32m\]\w\[\e[1;34m\]] > \[\e[0m\]'
 fi
-case $TERM in
- xterm*|rxvt*)
- export PROMPT_COMMAND='echo -ne "\a\e]0;'"$__node_name"':${PWD}\a"'
- ;;
- screen*)
- export PROMPT_COMMAND='echo -ne "\a\ek'"$__node_name"':${PWD}\e\\"'
- ;;
- *)
- unset PROMPT_COMMAND
- ;;
-esac
+unset PROMPT_COMMAND
 if [[ -f "/etc/node.description" ]]
 then
From 908a6420b3f1f2c75ff7af93b87bc22cc2d00533 Mon Sep 17 00:00:00 2001
From: Franziska Kunsmann
Date: Fri, 25 Feb 2022 15:05:05 +0100
Subject: [PATCH 27/39] bundles/users: set cascade_skip=False if user has a password set
---
 bundles/users/items.py | 1 +
 1 file changed, 1 insertion(+)
diff --git a/bundles/users/items.py b/bundles/users/items.py
index 457c46a..f6075fc 100644
--- a/bundles/users/items.py
+++ b/bundles/users/items.py
@@ -32,6 +32,7 @@ for username, attrs in node.metadata['users'].items():
 if 'password' in attrs:
 user['password'] = attrs['password']
+ user['cascade_skip'] = False
 else:
 user['password_hash'] = 'x' if node.use_shadow_passwords else '*'
From 5f5de3f10941a19f7fa1fe8634bb8744a8d982b0 Mon Sep 17 00:00:00 2001
From: Franziska Kunsmann
Date: Fri, 25 Feb 2022 15:10:47 +0100
Subject: [PATCH 28/39] bundles/elasticsearch: add override.conf
---
 bundles/elasticsearch/files/override.conf | 5 +++++
 bundles/elasticsearch/items.py | 6 ++++++
 2 files changed, 11 insertions(+)
 create mode 100644 bundles/elasticsearch/files/override.conf
diff --git a/bundles/elasticsearch/files/override.conf b/bundles/elasticsearch/files/override.conf
new file mode 100644
index 0000000..e39bd84
--- /dev/null
+++ b/bundles/elasticsearch/files/override.conf
@@ -0,0 +1,5 @@
+[Service]
+ExecStart=
+
+# same as in original unit file, but without --quiet
+ExecStart=/usr/share/elasticsearch/bin/systemd-entrypoint -p ${PID_DIR}/elasticsearch.pid
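Review bot: `unset PROMPT_COMMAND` now runs unconditionally for every shell that sources this file, clobbering anything /etc/profile.d snippets or a terminal's shell integration put there, whereas the removed `case` only unset it for terminals other than xterm/rxvt/screen. If the intent is merely to stop this file from emitting title escapes, removing the block without a replacement does that; if clobbering is intended, say so: `# deliberately drop any PROMPT_COMMAND (window-title updates) set by earlier rc files`.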
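Review bot: the new `user['cascade_skip'] = False` has no why-comment and the commit title only restates what it does; since the `else` branch (users carrying only a `password_hash`) does not get it, the asymmetry needs a reason a reader can check, e.g. `# cascade_skip=False: <reason — TODO fill in>` — bundlewrap's cascade_skip decides whether dependents are skipped when this item is, if I recall, so the reason is presumably about what a skipped user item should or should not block. Separately, `user['password'] = attrs['password']` carries a cleartext password from node metadata into the item; bundlewrap hashes it at apply time, but the repository then stores it in the clear, whereas the `password_hash` attribute the `else` branch already uses would let metadata hold only the hash. The enclosing `for username, attrs in ...` loop starts outside the hunk.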
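Review bot: the copied `ExecStart=` line will silently diverge from the package's unit whenever a package update changes the command line, because a drop-in replaces the whole line rather than just removing `--quiet`. Record where it came from so the next upgrade has something to diff against: `# copied from the packaged elasticsearch.service, package version <fill in>; only --quiet removed`.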
diff --git a/bundles/elasticsearch/items.py b/bundles/elasticsearch/items.py
index 1239f5c..c70bcce 100644
--- a/bundles/elasticsearch/items.py
+++ b/bundles/elasticsearch/items.py
@@ -5,6 +5,12 @@ files = {
 'svc_systemd:elasticsearch:restart',
 }
 },
+ '/etc/systemd/system/elasticsearch.service.d/override.conf': {
+ 'triggers': {
+ 'action:systemd-reload',
+ 'svc_systemd:elasticsearch:restart',
+ },
+ },
 }
 svc_systemd = {
From d9da4345b2d11fd47f33002ff4135ea2e0eb428a Mon Sep 17 00:00:00 2001
From: Franziska Kunsmann
Date: Fri, 25 Feb 2022 15:31:13 +0100
Subject: [PATCH 29/39] bundles/openldap: remove no longer required openldap schema
---
 data/openldap/files/qzwiperson.schema | 21 ---------------------
 nodes/qzwi.toml | 1 -
 2 files changed, 22 deletions(-)
 delete mode 100644 data/openldap/files/qzwiperson.schema
diff --git a/data/openldap/files/qzwiperson.schema b/data/openldap/files/qzwiperson.schema
deleted file mode 100644
index 26d45ba..0000000
--- a/data/openldap/files/qzwiperson.schema
+++ /dev/null
@@ -1,21 +0,0 @@
-attributetype ( 1.3.6.1.4.1.0.1
- NAME 'externalMail'
- DESC 'external mail address for communication outside the org'
- EQUALITY caseIgnoreIA5Match
- SUBSTR caseIgnoreIA5SubstringsMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{128}
- SINGLE-VALUE )
-
-objectclass ( 1.3.6.1.4.1.0.2
- NAME 'qzwiperson'
- DESC 'own object schema to add custom values'
- SUP top
- AUXILIARY
- MUST (cn $ sn $ uid $ externalMail)
- MAY
- ( displayName $ givenName $ homePhone $ homePostalAddress $
- mail $ mobile $ o $ photo $ userCertificate $
- x500uniqueIdentifier $ preferredLanguage $
- userSMIMECertificate $ userPKCS12 $ userPassword $
- telephoneNumber $ description ) )
-
diff --git a/nodes/qzwi.toml b/nodes/qzwi.toml
index ef0b168..6fe6252 100644
--- a/nodes/qzwi.toml
+++ b/nodes/qzwi.toml
@@ -57,7 +57,6 @@ backup = [
 ]
 schemas = [
 "openssh-lpk_openldap",
- "qzwiperson",
 ]
 [metadata.ldap-frontend.template]
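Review bot: the new override.conf file item triggers a reload and a restart but nothing orders it before the service: the `svc_systemd['elasticsearch']['needs']` set (outside the hunk) lists only the yml file and the package, so on a fresh node the service can start from the stock unit and then be restarted once the drop-in lands. Add `'file:/etc/systemd/system/elasticsearch.service.d/override.conf',` to that `needs` set, and give the new file item `'needs': {'pkg_apt:elasticsearch'},` so the drop-in directory is created beneath an installed unit. `action:systemd-reload` is not defined in this bundle; a comment naming the bundle that provides it would spare the next reader a search.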
From 30dc638ed2ceffc79da111d2bbb63f8c964aaca2 Mon Sep 17 00:00:00 2001
From: Franziska Kunsmann
Date: Fri, 25 Feb 2022 15:36:51 +0100
Subject: [PATCH 30/39] qzwi: fix filters for ldap-frontend
---
 nodes/qzwi.toml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/nodes/qzwi.toml b/nodes/qzwi.toml
index 6fe6252..20dbe32 100644
--- a/nodes/qzwi.toml
+++ b/nodes/qzwi.toml
@@ -60,10 +60,10 @@ schemas = [
 ]
 [metadata.ldap-frontend.template]
-"group_admin" = "(&(objectclass=qzwiperson)(uid={})(memberOf=ou=qzwi-admins,ou=Groups,dc=qzwi,dc=de))"
-"group_members" = "(&(objectclass=qzwiperson)(memberOf=ou={},ou=Groups,dc=qzwi,dc=de))"
-"group_nonmembers" = "(&(objectclass=qzwiperson)(!(memberOf=ou={},ou=Groups,dc=qzwi,dc=de)))"
-"user_search" = "(&(objectclass=qzwiperson)(uid={}))"
+"group_admin" = "(&(objectclass=inetOrgPerson)(uid={})(memberOf=ou=qzwi-admins,ou=Groups,dc=qzwi,dc=de))"
+"group_members" = "(&(objectclass=inetOrgPerson)(memberOf=ou={},ou=Groups,dc=qzwi,dc=de))"
+"group_nonmembers" = "(&(objectclass=inetOrgPerson)(!(memberOf=ou={},ou=Groups,dc=qzwi,dc=de)))"
+"user_search" = "(&(objectclass=inetOrgPerson)(uid={}))"
 [metadata.openldap.access."ou=Users,dc=qzwi,dc=de"]
 manage = [
From 53c1568f80e46a557b50b53c6ea71c1fc39d3813 Mon Sep 17 00:00:00 2001
From: Rico Ullmann
Date: Sat, 5 Mar 2022 16:15:05 +0100
Subject: [PATCH 31/39] php: enable memcached apcu module in php.ini for php cli this is required for nextclouds occ tool
---
 bundles/php/files/8.0/php.ini | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/bundles/php/files/8.0/php.ini b/bundles/php/files/8.0/php.ini
index c8ef0e9..c1a269a 100644
--- a/bundles/php/files/8.0/php.ini
+++ b/bundles/php/files/8.0/php.ini
@@ -12,6 +12,8 @@ ignore_user_abort = Off
 zend.enable_gc = On
 expose_php = Off
+apc.enable_cli = 1
+
 max_execution_time = 30
 max_input_time = 60
 memory_limit = ${memory_limit}M
From 9fe8a210befdc8dc1a88c3b2106631ccf39ba714 Mon Sep 17 00:00:00 2001
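Review bot: each template interpolates `{}` straight into an LDAP filter, and whether the substituted value (a uid from a login, a group name) is escaped per RFC 4515 beforehand is decided in the ldap-frontend code, which this repository does not show. A comment above the table should record that contract, e.g. `# {} is filled in by ldap-frontend; values must be filter-escaped (RFC 4515) before substitution`, so nobody later assumes the filters are safe on their own. Switching to `inetOrgPerson` also widens `user_search` from the custom class to every inetOrgPerson under the search base; if service accounts or other entries share that base they become searchable users, so the search base itself is now doing the scoping.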
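Review bot: `apc.enable_cli = 1` deserves a why-comment in the file itself, because the reason lives only in the commit message and a later editor tidying php.ini will not see it: `; APCu must be on for php-cli so that Nextcloud's occ tool can use the same local cache as the web workers`. Each CLI process gets its own private cache with this setting, so there is no shared-state effect; as I recall occ refuses to run when Nextcloud's local memcache is APCu and the CLI cache is off, which is the failure this avoids.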
From: Rico Ullmann
Date: Sat, 5 Mar 2022 16:56:39 +0100
Subject: [PATCH 32/39] nginx: adjust nextcloud config to make sure basic checks pass
---
 data/nginx/files/extras/qzwi/nextcloud | 138 +++++++++++++------------
 1 file changed, 72 insertions(+), 66 deletions(-)
diff --git a/data/nginx/files/extras/qzwi/nextcloud b/data/nginx/files/extras/qzwi/nextcloud
index d470b99..b98381d 100644
--- a/data/nginx/files/extras/qzwi/nextcloud
+++ b/data/nginx/files/extras/qzwi/nextcloud
@@ -14,92 +14,98 @@ # always provides the desired behaviour. index index.php index.html /index.php$request_uri; - # Rule borrowed from `.htaccess` to handle Microsoft DAV clients - location = / { - if ( $http_user_agent ~ ^DavClnt ) { - return 302 /remote.php/webdav/$is_args$args; - } - } - location = /robots.txt { allow all; log_not_found off; access_log off; } - # Make a regex exception for `/.well-known` so that clients can still - # access it despite the existence of the regex rule - # `location ~ /(\.|autotest|...)` which would otherwise handle requests - # for `/.well-known`. - location ^~ /.well-known { - # The rules in this block are an adaptation of the rules - # in `.htaccess` that concern `/.well-known`. - - location = /.well-known/carddav { return 301 /remote.php/dav/; } - location = /.well-known/caldav { return 301 /remote.php/dav/; } - - location = /.well-known/webfinger { return 301 /index.php/.well-known/webfinger; } - location = /.well-known/nodeinfo { return 301 /index.php/.well-known/nodeinfo; } - - location /.well-known/pki-validation { try_files $uri $uri/ =404; } - - # Let Nextcloud's API for `/.well-known` URIs handle all other - # requests by passing them to the front-end controller. - return 301 /index.php$request_uri; + location ~ ^.+\.php { + include fpm.conf; + fastcgi_pass unix:/var/run/php/php${php_version}-fpm.sock; + add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;"; } - # Rules borrowed from `.htaccess` to hide certain paths from clients - location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)(?:$|/) { return 404; } - location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) { return 404; } + # The following 2 rules are only needed for the user_webfinger app. + # Uncomment it if you're planning to use this app. 
+ #rewrite ^/.well-known/host-meta /public.php?service=host-meta last; + #rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json + # last; - # Ensure this block, which passes PHP files to the PHP process, is above the blocks - # which handle static assets (as seen below). If this block is not declared first, - # then Nginx will encounter an infinite rewriting loop when it prepends `/index.php` - # to the URI, resulting in a HTTP 500 error response. - location ~ \.php(?:$|/) { - # Required for legacy support - rewrite ^/(?!index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+|.+\/richdocumentscode\/proxy) /index.php$request_uri; + location ^~ /.well-known { + # The following 6 rules are borrowed from `.htaccess` - fastcgi_split_path_info ^(.+?\.php)(/.*)$; - set $path_info $fastcgi_path_info; + location = /.well-known/carddav { return 301 /remote.php/dav/; } + location = /.well-known/caldav { return 301 /remote.php/dav/; } + # Anything else is dynamically handled by Nextcloud + location ^~ /.well-known { return 301 /index.php$uri; } - try_files $fastcgi_script_name =404; + try_files $uri $uri/ =404; + } - include fastcgi.conf; - fastcgi_pass unix:/run/php/php${php_version}-fpm.sock; + # Some headers to fix possible information leaks + add_header X-Content-Type-Options nosniff; + add_header X-XSS-Protection "1; mode=block"; + add_header X-Robots-Tag none; + add_header X-Download-Options noopen; + add_header X-Permitted-Cross-Domain-Policies none; + add_header Referrer-Policy no-referrer; + # Remove X-Powered-By, which is an information leak + fastcgi_hide_header X-Powered-By; - fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; - fastcgi_param PATH_INFO $path_info; - fastcgi_param HTTPS on; - - fastcgi_param modHeadersAvailable true; # Avoid sending the security headers twice - fastcgi_param front_controller_active true; # Enable pretty urls + location ~ 
^/(?:build|tests|config|lib|3rdparty|templates|data)/ { + deny all; + } + location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) { + deny all; + } + location ~ ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+)\.php(?:$|/) { + fastcgi_split_path_info ^(.+\.php)(/.*)$; + include fastcgi_params; + include fpm.conf; + fastcgi_pass unix:/var/run/php/php${php_version}-fpm.sock; + add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;"; + #Avoid sending the security headers twice + fastcgi_param modHeadersAvailable true; + fastcgi_param front_controller_active true; fastcgi_intercept_errors on; fastcgi_request_buffering off; } - location ~ \.(?:css|js|svg|gif|png|jpg|ico|wasm|tflite)$ { - try_files $uri /index.php$request_uri; - expires 6M; # Cache-Control policy borrowed from `.htaccess` - access_log off; # Optional: Don't log access to assets - - location ~ \.wasm$ { - default_type application/wasm; - } + location ~ ^/(?:updater|ocs-provider)(?:$|/) { + try_files $uri/ =404; + index index.php; } - location ~ \.woff2?$ { - try_files $uri /index.php$request_uri; - expires 7d; # Cache-Control policy borrowed from `.htaccess` - access_log off; # Optional: Don't log access to assets + # Adding the cache control header for js and css files + # Make sure it is BELOW the PHP block + location ~ \.(?:css|js|woff|svg|gif)$ { + try_files $uri /index.php$uri$is_args$args; + add_header Cache-Control "public, max-age=15778463"; + # Add headers to serve security related headers (It is intended to + # have those duplicated to the ones above) + # Before enabling Strict-Transport-Security headers please read into + # this topic first. + # add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;"; + # + # WARNING: Only add the preload option once you read about + # the consequences in https://hstspreload.org/. 
This option + # will add the domain to a hardcoded list that is shipped + # in all major browsers and getting removed from this list + # could take several months. + add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;"; + add_header X-Content-Type-Options nosniff; + add_header X-XSS-Protection "1; mode=block"; + add_header X-Robots-Tag none; + add_header X-Download-Options noopen; + add_header X-Permitted-Cross-Domain-Policies none; + # Optional: Don't log access to assets + access_log off; } - # Rule borrowed from `.htaccess` - location /remote { - return 301 /remote.php$request_uri; - } - - location / { - try_files $uri $uri/ /index.php$request_uri; + location ~ \.(?:png|html|ttf|ico|jpg|jpeg)$ { + try_files $uri /index.php$uri$is_args$args; + # Optional: Don't log access to other assets + access_log off; } From 110f55291ee0a3251a849b2c9546434e030cae8a Mon Sep 17 00:00:00 2001 From: Rico Ullmann Date: Sat, 5 Mar 2022 17:08:17 +0100 Subject: [PATCH 33/39] nginx: add fpm.conf --- bundles/nginx/files/fpm.conf | 18 ++++++++++++++++++ bundles/nginx/items.py | 5 +++++ 2 files changed, 23 insertions(+) create mode 100644 bundles/nginx/files/fpm.conf diff --git a/bundles/nginx/files/fpm.conf b/bundles/nginx/files/fpm.conf new file mode 100644 index 0000000..94263e7 --- /dev/null +++ b/bundles/nginx/files/fpm.conf @@ -0,0 +1,18 @@ +fastcgi_split_path_info ^(.+\.php)(/.+)$; +if (!-f $document_root$fastcgi_script_name) { + return 404; +} + +fastcgi_index index.php; + +include fastcgi_params; + +fastcgi_param PATH_INFO $fastcgi_path_info; +fastcgi_param PATH_TRANSLATED $document_root$fastcgi_script_name; +fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; +fastcgi_param HTTP_AUTHORIZATION $http_authorization; + +fastcgi_buffers 8 16k; +fastcgi_buffer_size 32k; + +client_body_buffer_size 128k; diff --git a/bundles/nginx/items.py b/bundles/nginx/items.py index 21d1895..677ed7a 100644 --- a/bundles/nginx/items.py 
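Review bot: the new `location ~ ^.+\.php { include fpm.conf; … }` block comes before the `deny all` blocks for `^/(?:build|tests|config|lib|3rdparty|templates|data)/` and `^/(?:\.|autotest|occ|issue|indie|db_|console)`, and nginx uses the first regex location that matches in file order, so any `.php` path below those directories is now handed to PHP-FPM instead of being denied; the old layout had the deny rules first, and the later restricted `location ~ ^/(?:index|remote|public|…)\.php(?:$|/)` block makes the generic one redundant — drop it, or at least move it below the deny blocks. `fastcgi_param modHeadersAvailable true` tells Nextcloud that the web server sends the security headers, but `add_header` inside a location replaces every inherited `add_header`, so the PHP location's own `add_header Strict-Transport-Security` leaves PHP responses with HSTS only and none of the `X-Content-Type-Options`/`Referrer-Policy`/… headers declared at the enclosing level — repeat them inside the PHP location. The old block's `fastcgi_param HTTPS on;` is gone as well; without it Nextcloud sees plain-HTTP requests and builds http:// URLs unless `overwriteprotocol` is set in config.php. The enclosing server block begins and ends outside the hunk.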
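Review bot: the Nextcloud location that includes this file (patch 32) also sets its own `fastcgi_split_path_info ^(.+\.php)(/.*)$;` and `include fastcgi_params;`, so both appear twice in one location and the two PATH_INFO patterns differ (`(/.+)$` here, `(/.*)$` there); `nginx -t` will show whether the duplicate is rejected or one copy silently wins, and either way one should go — since fpm.conf is the shared snippet, the copies in the Nextcloud location are the ones to drop. The `if (!-f $document_root$fastcgi_script_name) { return 404; }` guard is the right defence against PATH_INFO confusion and deserves a comment saying so: `# refuse requests whose script part does not exist on disk (PATH_INFO confusion)`.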
+++ b/bundles/nginx/items.py
@@ -50,6 +50,11 @@ files = {
 'svc_systemd:nginx:restart',
 },
 },
+ '/etc/nginx/fpm.conf': {
+ 'triggers': {
+ 'svc_systemd:nginx:restart',
+ },
+ },
 '/etc/nginx/sites/stub_status': {
 'triggers': {
 'svc_systemd:nginx:restart',
From 66984d135915f799f985955ae95cc5463dca399b Mon Sep 17 00:00:00 2001
From: Rico Ullmann
Date: Sat, 5 Mar 2022 18:24:57 +0100
Subject: [PATCH 34/39] letsencrypt: moved to rsa as key also some apps may not work with ECC certificates, e.g. some iOS apps
---
 bundles/letsencrypt/files/config | 1 +
 1 file changed, 1 insertion(+)
diff --git a/bundles/letsencrypt/files/config b/bundles/letsencrypt/files/config
index 2d4b2b6..c551a28 100644
--- a/bundles/letsencrypt/files/config
+++ b/bundles/letsencrypt/files/config
@@ -3,3 +3,4 @@ BASEDIR=/var/lib/dehydrated
 WELLKNOWN="${BASEDIR}/acme-challenges"
 DOMAINS_TXT="/etc/dehydrated/domains.txt"
 HOOK="/etc/dehydrated/hook.sh"
+KEY_ALGO=rsa
From acd35c1f5e0c82a6f84044179b828793361e785f Mon Sep 17 00:00:00 2001
From: Rico Ullmann
Date: Wed, 18 May 2022 15:03:07 +0200
Subject: [PATCH 35/39] update bundlewrap to 4.13.6
---
 requirements.txt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/requirements.txt b/requirements.txt
index f13eacb..5298eb7 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -1 +1 @@
-bundlewrap>=4.12.0
+bundlewrap==4.13.6
From 300e2b1506a4c9f2420cf4a0339b8109ba4cc07a Mon Sep 17 00:00:00 2001
From: Rico Ullmann
Date: Wed, 18 May 2022 15:51:11 +0200
Subject: [PATCH 36/39] add mariadb bundle
---
 bundles/mariadb/items.py | 7 +++++++
 bundles/mariadb/metadata.py | 19 +++++++++++++++++++
 2 files changed, 26 insertions(+)
 create mode 100644 bundles/mariadb/items.py
 create mode 100644 bundles/mariadb/metadata.py
diff --git a/bundles/mariadb/items.py b/bundles/mariadb/items.py
new file mode 100644
index 0000000..febb549
--- /dev/null
+++ b/bundles/mariadb/items.py
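Review bot: `KEY_ALGO=rsa` only governs keys generated at the next issue or renewal; certificates already issued with the ECC setting stay in place until then (dehydrated has a `--force` option to re-issue early, if I recall). The reason from the commit message belongs next to the line, since nothing in the file explains why the default was changed: `# rsa: some clients (e.g. certain iOS apps) do not accept ECC certificates`.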
@@ -0,0 +1,7 @@
+svc_systemd = {
+ 'mariadb': {
+ 'needs': [
+ 'pkg_apt:mariadb-server',
+ ],
+ },
+}
diff --git a/bundles/mariadb/metadata.py b/bundles/mariadb/metadata.py
new file mode 100644
index 0000000..1c6d7c6
--- /dev/null
+++ b/bundles/mariadb/metadata.py
@@ -0,0 +1,19 @@
+defaults = {
+ 'apt': {
+ 'packages': {
+ 'mariadb-server': {},
+ },
+ },
+ 'backups': {
+ 'paths': {
+ '/var/lib/mysql',
+ },
+ },
+ 'monit': {
+ 'services': {
+ 'mariadb': {
+ 'bin': '/usr/sbin/mariadbd',
+ },
+ },
+ },
+}
\ No newline at end of file
From d6db3ac8caec47237629c8e77b5cfec5afcc02b7 Mon Sep 17 00:00:00 2001
From: Rico Ullmann
Date: Wed, 18 May 2022 15:51:32 +0200
Subject: [PATCH 37/39] defaults.py: adjust email address for nginx security info
---
 libs/defaults.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libs/defaults.py b/libs/defaults.py
index 4b1103d..d220ab8 100644
--- a/libs/defaults.py
+++ b/libs/defaults.py
@@ -1,4 +1,4 @@
-hostmaster_email = 'hostmaster@kunbox.net'
+hostmaster_email = 'hostmaster@qzwi.de'
 security_email = f'mailto:{hostmaster_email}'
 security_lang = {'en', 'de'}
From 4d9b52adf3993127c8a9cf5dea503d9ab3a51373 Mon Sep 17 00:00:00 2001
From: Rico Ullmann
Date: Wed, 18 May 2022 15:51:43 +0200
Subject: [PATCH 38/39] nginx: add wordpress extras file for qzwi node
---
 data/nginx/files/extras/qzwi/wordpress | 35 ++++++++++++++++++++++++++
 1 file changed, 35 insertions(+)
 create mode 100644 data/nginx/files/extras/qzwi/wordpress
diff --git a/data/nginx/files/extras/qzwi/wordpress b/data/nginx/files/extras/qzwi/wordpress
new file mode 100644
index 0000000..6807649
--- /dev/null
+++ b/data/nginx/files/extras/qzwi/wordpress
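Review bot: `'backups': {'paths': {'/var/lib/mysql'}}` backs up the live InnoDB data directory by file copy; unless the backup tooling stops the server or snapshots the filesystem first, the copied log and table files can be from different instants and may not restore cleanly. Point the path at the output of a dump (`mariadb-dump` or `mariabackup` written to a dedicated directory by a pre-backup hook) or add a comment stating the snapshot assumption — which of the two applies depends on the backups bundle, which is not in this diff.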
@@ -0,0 +1,35 @@
+ location / {
+ # This is cool because no php is touched for static content.
+ # include the "?$args" part so non-default permalinks doesn't break when using query string
+ try_files $uri $uri/ /index.php?$args;
+ }
+
+ location ~* \.(js|css|png|jpg|jpeg|gif|ico)$ {
+ expires max;
+ log_not_found off;
+ }
+
+ location ~* /xmlrpc.php$ {
+ allow 127.0.0.1;
+ deny all;
+ }
+
+ if ($request_method !~ ^(GET|POST)$ ) {
+ return 444;
+ }
+
+ location ~ /\.(svn|git)/* {
+ deny all;
+ access_log off;
+ log_not_found off;
+ }
+ location ~ /\.ht {
+ deny all;
+ access_log off;
+ log_not_found off;
+ }
+ location ~ /\.user.ini {
+ deny all;
+ access_log off;
+ log_not_found off;
+ }
From 3c26b789963330020d1988a0808ce22d4deb99f1 Mon Sep 17 00:00:00 2001
From: Rico Ullmann
Date: Wed, 18 May 2022 15:52:14 +0200
Subject: [PATCH 39/39] qzwi: enable mariadb, add wordpress nginx vhost
---
 nodes/qzwi.toml | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/nodes/qzwi.toml b/nodes/qzwi.toml
index 20dbe32..2f342db 100644
--- a/nodes/qzwi.toml
+++ b/nodes/qzwi.toml
@@ -4,11 +4,12 @@ bundles = [
 "elasticsearch",
 "ldap-frontend",
 "letsencrypt",
+ "mariadb",
 "monit",
 "nginx",
 "nextcloud",
 "openldap",
- "postfix",
+ #"postfix",
 "php",
 "postgresql",
 "redis",
@@ -43,6 +44,12 @@ version = "23.0.0"
 [metadata.nginx.vhosts.nextcloud]
 ssl = "letsencrypt"
+[metadata.nginx.vhosts.wordpress]
+domain = "jackie.qzwi.de"
+ssl = "letsencrypt"
+php = true
+extras = true
+
 [metadata.nginx.vhosts.openldap]
 domain = "ldap.qzwi.de"
 ssl = "letsencrypt"
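Review bot: nothing in this file stops PHP execution under the upload tree: the PHP location presumably comes from the vhost template (the node sets `php = true`) and matches any `.php` path, including one below `/wp-content/uploads/`; the usual hardening line, placed before the PHP location, is `location ~* ^/wp-content/uploads/.*\.php$ { deny all; }`. `if ($request_method !~ ^(GET|POST)$ ) { return 444; }` also drops HEAD and OPTIONS, which breaks uptime probes and CORS preflights; `^(GET|HEAD|POST)$` is the minimum for a normal site. Whether the template's PHP location is evaluated before or after these regex locations depends on where `extras` is included, which is not visible here, and for nginx regex order decides.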
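Review bot: commenting out `"postfix"` stops bundlewrap from managing that bundle but removes nothing from the node — items of an unassigned bundle are simply no longer touched, so the package, its configuration and the running service stay behind unmanaged. If the MTA is being retired, add a transitional item that disables and removes it (or do so by hand and note it); if it is still needed for monit's alert mails (`from_address = "monit@qzwi.de"` is set on this node), the bundle should stay enabled. A one-line comment next to `#"postfix",` saying which case applies would settle the question.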