authorjaseg <git@jaseg.net>2020-12-30 13:12:06 +0100
committerjaseg <git@jaseg.net>2020-12-30 13:12:06 +0100
commitc6b1c2225d1ac4ac647950be8667b5709b0033a1 (patch)
tree8db7a14649a277d236791e1c731d98af03a0af88 /gerboweb/deploy
parente290ac758b02a9d03bacd511c87fc997db41d0a8 (diff)
remove ansible scripts, they are now in their own "infra" repoHEADmaster
Diffstat (limited to 'gerboweb/deploy')
-rw-r--r--gerboweb/deploy/.gitignore5
-rw-r--r--gerboweb/deploy/README.rst33
-rw-r--r--gerboweb/deploy/bootstrap_arch_container.yml63
-rw-r--r--gerboweb/deploy/cgit-favicon.icobin5430 -> 0 bytes
-rw-r--r--gerboweb/deploy/cgit-logo-orig.pngbin104376 -> 0 bytes
-rw-r--r--gerboweb/deploy/cgit-logo.pngbin42197 -> 0 bytes
-rw-r--r--gerboweb/deploy/cgitrc48
m---------gerboweb/deploy/checkouts/pogojig0
-rw-r--r--gerboweb/deploy/clippy-nspawn.service36
-rw-r--r--gerboweb/deploy/clippy.nspawn2
-rw-r--r--gerboweb/deploy/clippy.service.j29
-rw-r--r--gerboweb/deploy/credentials.ini.example3
-rw-r--r--gerboweb/deploy/dns.yml91
-rw-r--r--gerboweb/deploy/dyndns.py149
-rw-r--r--gerboweb/deploy/dyndns_config.py.j214
-rw-r--r--gerboweb/deploy/gerboweb-job-processor.service.j29
-rw-r--r--gerboweb/deploy/gerboweb.cfg.j24
-rw-r--r--gerboweb/deploy/gitolite.rc202
-rw-r--r--gerboweb/deploy/inventory.yml11
-rw-r--r--gerboweb/deploy/iptables.rules27
m---------gerboweb/deploy/library/inwx-collection0
-rw-r--r--gerboweb/deploy/mirrorlist474
-rw-r--r--gerboweb/deploy/nginx.conf458
-rw-r--r--gerboweb/deploy/nginx_nossl.conf59
-rw-r--r--gerboweb/deploy/notification_proxy.py179
-rw-r--r--gerboweb/deploy/notification_proxy_config.py.j29
-rw-r--r--gerboweb/deploy/nsd.conf372
-rw-r--r--gerboweb/deploy/playbook.yml166
-rw-r--r--gerboweb/deploy/pogojig-job-processor.service.j29
-rw-r--r--gerboweb/deploy/pogojig.cfg.j24
-rwxr-xr-xgerboweb/deploy/pogojig_generate.sh.j225
-rwxr-xr-xgerboweb/deploy/render.sh.j220
-rw-r--r--gerboweb/deploy/secure_download.cfg.j21
-rw-r--r--gerboweb/deploy/setup_clippy.yml85
-rw-r--r--gerboweb/deploy/setup_containers.yml17
-rw-r--r--gerboweb/deploy/setup_dyndns.yml80
-rw-r--r--gerboweb/deploy/setup_gerboweb.yml100
-rw-r--r--gerboweb/deploy/setup_git.yml134
-rw-r--r--gerboweb/deploy/setup_notification_proxy.yml61
-rw-r--r--gerboweb/deploy/setup_openjscad.yml9
-rw-r--r--gerboweb/deploy/setup_pogojig.yml125
-rw-r--r--gerboweb/deploy/setup_secure_download.yml57
-rw-r--r--gerboweb/deploy/setup_tracespace.yml9
-rw-r--r--gerboweb/deploy/setup_webserver.yml79
-rw-r--r--gerboweb/deploy/tmpfiles-gerboweb.conf.j21
-rw-r--r--gerboweb/deploy/tmpfiles-pogojig.conf.j21
-rw-r--r--gerboweb/deploy/tmpfiles-secure-download.conf.j21
-rw-r--r--gerboweb/deploy/uwsgi-app@.service16
-rw-r--r--gerboweb/deploy/uwsgi-app@.socket11
-rw-r--r--gerboweb/deploy/uwsgi-cgit.ini8
-rw-r--r--gerboweb/deploy/uwsgi-dyndns.ini10
-rw-r--r--gerboweb/deploy/uwsgi-gerboweb.ini10
-rw-r--r--gerboweb/deploy/uwsgi-notification-proxy.ini10
-rw-r--r--gerboweb/deploy/uwsgi-pogojig.ini10
-rw-r--r--gerboweb/deploy/uwsgi-secure-download.ini11
-rwxr-xr-xgerboweb/deploy/vector.sh.j218
56 files changed, 0 insertions, 3345 deletions
diff --git a/gerboweb/deploy/.gitignore b/gerboweb/deploy/.gitignore
deleted file mode 100644
index 2d2e2fc..0000000
--- a/gerboweb/deploy/.gitignore
+++ /dev/null
@@ -1,5 +0,0 @@
-*_secret.txt
-dyndns_secret_*.txt
-*_apikey.txt
-playbook.retry
-credentials.ini
diff --git a/gerboweb/deploy/README.rst b/gerboweb/deploy/README.rst
deleted file mode 100644
index d74418d..0000000
--- a/gerboweb/deploy/README.rst
+++ /dev/null
@@ -1,33 +0,0 @@
-Admin foo howto
-===============
-
-Ansible
--------
-
-Selectively run ansible playbooks for the git service and webserver setup:
-
-.. code-block::
-
- ansible-playbook -i inventory.yml -t git,www playbook.yml
-
-Gitolite/CGIT
--------------
-
-Remove ad-hoc repo from command line:
-
-.. code-block::
-
- ssh git@git.jaseg.de unlock sjandrakei/pub/usb-remote
- ssh git@git.jaseg.de D unlock sjandrakei/pub/usb-remote
-
-Set ad-hoc repo description from command line:
-
-.. code-block::
-
- ssh git@git.jaseg.de desc sjandrakei/pub/kochbuch Bringing analog recipe books into the interwebs
-
-Create ad-hoc repo from command line:
-
-.. code-block::
-
- git clone git@git.jaseg.de:sjandrakei/pub/repo-to-be-created.git
diff --git a/gerboweb/deploy/bootstrap_arch_container.yml b/gerboweb/deploy/bootstrap_arch_container.yml
deleted file mode 100644
index dfe677b..0000000
--- a/gerboweb/deploy/bootstrap_arch_container.yml
+++ /dev/null
@@ -1,63 +0,0 @@
----
-- name: Set local path facts
- set_fact:
- image: "/var/lib/machines/{{ container }}.img"
- root: "/var/lib/machines/{{ container }}"
- "{{container}}_root": "/var/lib/machines/{{ container }}"
-
-- name: Create container image file
- command: truncate -s 4G "{{image}}"
- args:
- creates: "{{image}}"
- register: create_container
-
-- name: Download arch bootstrap image
- get_url:
- url: http://mirror.rackspace.com/archlinux/iso/2020.03.01/archlinux-bootstrap-2020.03.01-x86_64.tar.gz
- dest: /tmp/arch-bootstrap.tar.xz
- checksum: sha256:49c7aa8718e48f5a4ec570624520fa50616ed3e044af101ec3aa16c155136f82
- when: create_container is changed
-
-- name: Create container image filesystem
- filesystem:
- dev: "{{image}}"
- fstype: btrfs
-
-- name: Create container image fstab entry
- mount:
- src: "{{image}}"
- path: "{{root}}"
- state: mounted
- fstype: btrfs
- opts: loop
-
-- name: Unpack bootstrap image
- unarchive:
- remote_src: yes
- src: /tmp/arch-bootstrap.tar.xz
- dest: "{{root}}"
- extra_opts: --strip-components=1
- creates: "{{root}}/etc"
-
-- name: Copy mirrorlist into container
- copy:
- src: mirrorlist
- dest: "{{root}}/etc/pacman.d/mirrorlist"
-
-- name: Initialize container pacman keyring
- shell: arch-chroot "{{root}}" pacman-key --init && arch-chroot "{{root}}" pacman-key --populate archlinux
- args:
- creates: "{{root}}/etc/pacman.d/gnupg"
-
-- name: Fixup pacman.conf for pacman to work in chroot without its own root fs
- lineinfile:
- path: "{{root}}/etc/pacman.conf"
- regexp: '^CheckSpace'
- line: '#CheckSpace'
-
-- name: Update container keyring
- shell: arch-chroot "{{root}}" pacman -Sy --noconfirm archlinux-keyring
-
-- name: Update container and install software
- shell: arch-chroot "{{root}}" pacman -Syu --noconfirm
-
diff --git a/gerboweb/deploy/cgit-favicon.ico b/gerboweb/deploy/cgit-favicon.ico
deleted file mode 100644
index c4ad2ef..0000000
--- a/gerboweb/deploy/cgit-favicon.ico
+++ /dev/null
Binary files differ
diff --git a/gerboweb/deploy/cgit-logo-orig.png b/gerboweb/deploy/cgit-logo-orig.png
deleted file mode 100644
index f781fdd..0000000
--- a/gerboweb/deploy/cgit-logo-orig.png
+++ /dev/null
Binary files differ
diff --git a/gerboweb/deploy/cgit-logo.png b/gerboweb/deploy/cgit-logo.png
deleted file mode 100644
index b1c0322..0000000
--- a/gerboweb/deploy/cgit-logo.png
+++ /dev/null
Binary files differ
diff --git a/gerboweb/deploy/cgitrc b/gerboweb/deploy/cgitrc
deleted file mode 100644
index eebcc09..0000000
--- a/gerboweb/deploy/cgitrc
+++ /dev/null
@@ -1,48 +0,0 @@
-css=/cgit.css
-logo=/cgit.png
-favicon=/favicon.png
-
-root-title=git.jaseg.de
-root-desc=jaseg's git repositories
-snapshots=tar.gz tar.bz2 zip
-
-clone-url=git@git.jaseg.de:$CGIT_REPO_URL https://git.jaseg.de/$CGIT_REPO_URL
-
-enable-http-clone=1
-robots=noindex, nofollow
-virtual-root=/
-
-readme=:README.rst
-readme=:readme.rst
-readme=:README.md
-readme=:readme.md
-readme=:README.txt
-readme=:readme.txt
-readme=:README.mkd
-readme=:readme.mkd
-readme=:README.htm
-readme=:readme.htm
-readme=:README.html
-readme=:readme.html
-readme=:README
-readme=:readme
-about-filter=/usr/libexec/cgit/filters/about-formatting.sh
-
-enable-index-links=1
-enable-commit-grpah=1
-enable-log-filecount=1
-enable-log-linecount=1
-enable-git-config=1
-
-source-filter=/usr/libexec/cgit/filters/syntax-highlighting.py
-
-project-list=/var/lib/gitolite3/projects.list
-scan-path=/var/lib/gitolite3/repositories
-
-mimetype.gif=image/gif
-mimetype.html=text/html
-mimetype.jpg=image/jpeg
-mimetype.jpeg=image/jpeg
-mimetype.pdf=application/pdf
-mimetype.png=image/png
-mimetype.svg=image/svg+xml
diff --git a/gerboweb/deploy/checkouts/pogojig b/gerboweb/deploy/checkouts/pogojig
deleted file mode 160000
-Subproject 13a57211f0d0feb34b452b3e19be83a095707ed
diff --git a/gerboweb/deploy/clippy-nspawn.service b/gerboweb/deploy/clippy-nspawn.service
deleted file mode 100644
index 8dbedbd..0000000
--- a/gerboweb/deploy/clippy-nspawn.service
+++ /dev/null
@@ -1,36 +0,0 @@
-# SPDX-License-Identifier: LGPL-2.1+
-#
-# This file is part of systemd.
-#
-# systemd is free software; you can redistribute it and/or modify it
-# under the terms of the GNU Lesser General Public License as published by
-# the Free Software Foundation; either version 2.1 of the License, or
-# (at your option) any later version.
-
-[Unit]
-Description=Clippy container
-PartOf=machines.target
-Before=machines.target
-After=network.target systemd-resolved.service
-RequiresMountsFor=/var/lib/machines
-
-[Service]
-ExecStart=/usr/bin/systemd-nspawn --quiet --keep-unit --ephemeral --boot -U --settings=override --machine=clippy
-KillMode=mixed
-Type=notify
-RestartForceExitStatus=133
-SuccessExitStatus=133
-WatchdogSec=3min
-Slice=machine.slice
-Delegate=yes
-TasksMax=512
-
-# Enforce a strict device policy, similar to the one nspawn configures when it
-# allocates its own scope unit. Make sure to keep these policies in sync if you
-# change them!
-DevicePolicy=closed
-DeviceAllow=/dev/net/tun rwm
-DeviceAllow=char-pts rw
-
-[Install]
-WantedBy=machines.target
diff --git a/gerboweb/deploy/clippy.nspawn b/gerboweb/deploy/clippy.nspawn
deleted file mode 100644
index dfe2935..0000000
--- a/gerboweb/deploy/clippy.nspawn
+++ /dev/null
@@ -1,2 +0,0 @@
-[Network]
-VirtualEthernet=no
diff --git a/gerboweb/deploy/clippy.service.j2 b/gerboweb/deploy/clippy.service.j2
deleted file mode 100644
index 22b3d7d..0000000
--- a/gerboweb/deploy/clippy.service.j2
+++ /dev/null
@@ -1,9 +0,0 @@
-[Unit]
-Description=Clippy listener daemon
-
-[Service]
-WorkingDirectory=/var/lib/clippy.git
-ExecStart=/usr/bin/python3 clippy.py -s -x 60x30 -e
-
-[Install]
-WantedBy=multi-user.target
diff --git a/gerboweb/deploy/credentials.ini.example b/gerboweb/deploy/credentials.ini.example
deleted file mode 100644
index 9b87321..0000000
--- a/gerboweb/deploy/credentials.ini.example
+++ /dev/null
@@ -1,3 +0,0 @@
-[inwx]
-user=...
-pass=...
diff --git a/gerboweb/deploy/dns.yml b/gerboweb/deploy/dns.yml
deleted file mode 100644
index 0fd753a..0000000
--- a/gerboweb/deploy/dns.yml
+++ /dev/null
@@ -1,91 +0,0 @@
-- name: Setup subdomain A records pointing to wendelstein
- inwx:
- domain: "{{item.partition('.')[2]}}"
- record: "{{item.partition('.')[0]}}"
- type: A
- value: "{{ hostvars['wendelstein']['ansible_default_ipv4']['address'] }}"
- loop: "{{subdomains}}"
-
-- name: Setup dyndns A record
- inwx:
- domain: jaseg.de
- record: ns
- type: A
- value: "{{ hostvars['wendelstein']['ansible_default_ipv4']['address'] }}"
-
-- name: Setup dyndns NS record
- inwx:
- domain: jaseg.de
- record: dyn
- type: NS
- value: 'ns.jaseg.de'
-
-- name: Setup subdomain AAAA records pointing to wendelstein
- inwx:
- domain: "{{item.partition('.')[2]}}"
- record: "{{item.partition('.')[0]}}"
- type: AAAA
- value: "{{ hostvars['wendelstein']['ansible_default_ipv6']['address'] }}"
- loop: "{{subdomains}}"
-
-- name: Setup jaseg.net subdomain MX records pointing to fastmail
- inwx:
- domain: "{{item.partition('.')[2]}}"
- record: "{{item.partition('.')[0]}}"
- type: MX
- priority: 10
- value: in1-smtp.messagingengine.com
- loop: "{{subdomains}}"
-
-- name: Setup jaseg.net subdomain MX records pointing to fastmail
- inwx:
- domain: "{{item.partition('.')[2]}}"
- record: "{{item.partition('.')[0]}}"
- type: MX
- priority: 20
- value: in2-smtp.messagingengine.com
- loop: "{{subdomains}}"
-
-- name: Setup sendgrid gateway
- inwx:
- domain: jaseg.de
- type: CNAME
- record: "{{item.split(' ')[0]}}"
- value: "{{item.split(' ')[1]}}"
- loop:
- - em6100.automation u14518136.wl137.sendgrid.net
- - s1._domainkey.automation s1.domainkey.u14518136.wl137.sendgrid.net
- - s2._domainkey.automation s2.domainkey.u14518136.wl137.sendgrid.net
-
-- name: Set fastmail DNS entry template
- set_fact:
- fastmail_dns_entries:
- - {rtype: MX, record: ".", prio: 10, value: in1-smtp.messagingengine.com}
- - {rtype: MX, record: ".", prio: 20, value: in2-smtp.messagingengine.com}
- - {rtype: MX, record: "*", prio: 10, value: in1-smtp.messagingengine.com}
- - {rtype: MX, record: "*", prio: 20, value: in2-smtp.messagingengine.com}
- - {rtype: TXT, record: ".", value: "v=spf1 include:spf.messagingengine.com ?all"}
- - {rtype: CNAME, record: mesmtp._domainkey, value: mesmtp.jaseg.de.dkim.fmhosted.com}
- - {rtype: CNAME, record: fm1._domainkey, value: fm1.jaseg.de.dkim.fmhosted.com}
- - {rtype: CNAME, record: fm2._domainkey, value: fm2.jaseg.de.dkim.fmhosted.com}
- - {rtype: CNAME, record: fm3._domainkey, value: fm3.jaseg.de.dkim.fmhosted.com}
- - {rtype: SRV, record: _submission._tcp, prio: 0, weight: 1, port: 587, value: smtp.fastmail.com}
- - {rtype: SRV, record: _imap._tcp, prio: 0, weight: 0, port: 0, value: "."}
- - {rtype: SRV, record: _imaps._tcp, prio: 0, weight: 1, port: 993, value: imap.fastmail.com}
- - {rtype: SRV, record: _pop3._tcp, prio: 0, weight: 0, port: 0, value: "."}
- - {rtype: SRV, record: _pop3s._tcp, prio: 10, weight: 1, port: 995, value: pop.fastmail.com}
- - {rtype: SRV, record: _jmap._tcp, prio: 0, weight: 1, port: 443, value: jmap.fastmail.com}
- - {rtype: SRV, record: _carddav._tcp, prio: 0, weight: 0, port: 0, value: "."}
- - {rtype: SRV, record: _carddavs._tcp, prio: 0, weight: 1, port: 443, value: carddav.fastmail.com}
-
-- name: Setup fastmail DNS entries
- inwx:
- domain: "{{ item[1] }}"
- type: "{{ item[0]['rtype'] }}"
- record: "{{ item[0]['record'] | regex_replace('\\.*$', '') }}"
- priority: "{{ item[0].get('prio') | int }}"
- port: "{{ item[0].get('port') | int}}"
- weight: "{{ item[0].get('weight') | int }}"
- value: "{{ item[0]['value'] }}"
- loop: "{{ fastmail_dns_entries | product(fastmail_domains) | list }}"
-
diff --git a/gerboweb/deploy/dyndns.py b/gerboweb/deploy/dyndns.py
deleted file mode 100644
index 2546dce..0000000
--- a/gerboweb/deploy/dyndns.py
+++ /dev/null
@@ -1,149 +0,0 @@
-#!/usr/bin/env python3
-
-import time
-from contextlib import contextmanager
-import re
-import os
-import os.path
-import random
-import string
-import subprocess
-import sqlite3
-import hmac
-from ipaddress import IPv4Address, IPv6Address
-
-from flask import Flask, request, abort
-import uwsgidecorators
-
-app = Flask(__name__)
-app.config.update(dict(
- RECORD_EXPIRY_S = 86400,
- NSD_CONTROL = 'nsd-control'
- ))
-app.config.from_pyfile('config.py')
-
-
-ZONEFILE_TEMPLATE = '''\
-; #################################################### ;
-; THIS FILE IS AUTOMATICALLY GENERATED! DO NOT MODIFY! ;
-; #################################################### ;
-
-$ORIGIN {zone}.
-$TTL 1800
-@ IN SOA {ns}. {mail}. (
- {serial} ; serial number
- 60 ; refresh
- 60 ; retry
- {expire} ; expire
- 60 ; ttl
- )
-; Name servers
- IN NS {ns}.
-
-; Additional A records from template
-; @ IN A 192.0.2.3
-; www IN A 192.0.2.3
-
-; Dynamically generated records
-{dynamic_records}
-'''
-
-db = sqlite3.connect(app.config['SQLITE_DB'], check_same_thread=False)
-with db as conn:
- conn.execute('''CREATE TABLE IF NOT EXISTS zone_versions (date TEXT)''')
- conn.execute('''CREATE TABLE IF NOT EXISTS records
- (name TEXT PRIMARY KEY, ipv4 TEXT, ipv6 TEXT, last_update INTEGER)''')
-
-def purge_expired_records():
- with db as conn:
- conn.execute('DELETE FROM records WHERE last_update < ?',
- (int(time.time()) - app.config['RECORD_EXPIRY_S'],))
-
-def update_record(record, ipv4=None, ipv6=None):
- with db as conn:
- old_v4, old_v6 = conn.execute('SELECT ipv4, ipv6 FROM records WHERE name=?', (record,)).fetchone() or (None, None)
- conn.execute('INSERT OR REPLACE INTO records VALUES (?, ?, ?, ?)', (record, ipv4, ipv6, int(time.time())))
- return ipv4 != old_v4 or ipv6 != old_v6
-
-@contextmanager
-def inplace_rewrite(filename, cleanup=True):
- print('Writing', filename)
- filename = os.path.abspath(filename)
- if cleanup:
- basename = os.path.basename(filename)
- for entry in os.scandir(os.path.dirname(filename)):
- if entry.name.startswith(basename) and re.match(r'\.tmp-[a-zA-Z0-9]{8}', entry.name[len(basename):]):
- os.remove(entry.path)
-
- tmp_fn = filename + f'.tmp-' + ''.join(random.choices(string.ascii_letters + string.digits, k=8))
- with open(tmp_fn, 'w') as tmp_f:
- yield tmp_f
- tmp_f.flush()
- os.fsync(tmp_f.fileno())
- os.rename(tmp_fn, filename)
-
-def write_zonefile():
- # Find the next free zonefile version number
- with db as conn:
- conn.execute('INSERT INTO zone_versions VALUES (DATE())')
- date, version_num, = conn.execute('SELECT zone_versions.date, COUNT(*) FROM zone_versions WHERE zone_versions.date = DATE()').fetchone()
- zone_version = f'{date.replace("-", "")}{version_num:02d}'
-
- # Generate dynamic record block
- with db as conn:
- records = db.execute('SELECT name, "A", ipv4 FROM records UNION SELECT name, "AAAA", ipv6 FROM records')
- dynamic_records = '\n'.join(f'{name:<20} IN {rtype:<4} {value}' for name, rtype, value in records if value is not None)
-
- # Template zone file content
- content = ZONEFILE_TEMPLATE.format(
- zone = app.config['ZONE'],
- ns = app.config['NAMESERVER'],
- mail = app.config['NAMESERVER_MAIL'].replace('@', '.'),
- serial = zone_version,
- dynamic_records = dynamic_records,
- expire = app.config['RECORD_EXPIRY_S']
- )
-
- with inplace_rewrite(app.config['ZONEFILE'], cleanup=True) as f:
- f.write(content)
-
-def kick_nsd():
- prog = app.config['NSD_CONTROL']
- if isinstance(prog, str):
- prog = [prog]
- subprocess.run([*prog, 'reload', app.config['ZONE']], check=True)
-
-@app.before_first_request
-@uwsgidecorators.timer(300)
-def update_zonefile():
- purge_expired_records()
- write_zonefile()
- kick_nsd()
-
-@app.route('/update', methods=['POST'])
-def route_update():
- if request.authorization is None:
- abort(403)
-
- record = request.authorization['username']
- record_config = app.config['DYNAMIC_RECORDS'].get(record)
- if record_config is None:
- abort(403)
-
- *supported_formats, password = record_config
- if not hmac.compare_digest(request.authorization['password'], password):
- abort(403)
-
- ipv4 = request.args.get('ipv4', '127.0.0.1')
- ipv6 = request.args.get('ipv6', '::1')
- ipv4 = str(IPv4Address(ipv4)) if 'v4' in supported_formats else None
- ipv6 = str(IPv6Address(ipv6)) if 'v6' in supported_formats else None
- if update_record(record, ipv4=ipv4, ipv6=ipv6):
- update_zonefile()
-
- return 'success'
-
-
-if __name__ == '__main__':
- app.run()
-
diff --git a/gerboweb/deploy/dyndns_config.py.j2 b/gerboweb/deploy/dyndns_config.py.j2
deleted file mode 100644
index 3212a1e..0000000
--- a/gerboweb/deploy/dyndns_config.py.j2
+++ /dev/null
@@ -1,14 +0,0 @@
-
-SQLITE_DB = '{{dyndns_sqlite_dbfile}}'
-
-NAMESERVER = 'ns.jaseg.de'
-NAMESERVER_MAIL = 'dns@jaseg.de'
-ZONEFILE = 'dyn.jaseg.de.zone'
-ZONE = 'dyn.jaseg.de'
-NSD_CONTROL = 'sudo -u nsd nsd-control'.split()
-
-DYNAMIC_RECORDS = {
- 'bigdata': ('v6', '{{ lookup('password', 'dyndns_secret_bigdata.txt length=32') }}'),
- 'raspi': ('v6', '{{ lookup('password', 'dyndns_secret_raspi.txt length=32') }}'),
-}
-
diff --git a/gerboweb/deploy/gerboweb-job-processor.service.j2 b/gerboweb/deploy/gerboweb-job-processor.service.j2
deleted file mode 100644
index 517d8b8..0000000
--- a/gerboweb/deploy/gerboweb-job-processor.service.j2
+++ /dev/null
@@ -1,9 +0,0 @@
-[Unit]
-Description=Gerboweb gerber job processor
-
-[Service]
-WorkingDirectory=/var/lib/gerboweb
-ExecStart=/usr/bin/python3 job_processor.py {{gerboweb_cache}}/job_queue.sqlite3
-
-[Install]
-WantedBy=uwsgi-app@gerboweb.service
diff --git a/gerboweb/deploy/gerboweb.cfg.j2 b/gerboweb/deploy/gerboweb.cfg.j2
deleted file mode 100644
index 994cd08..0000000
--- a/gerboweb/deploy/gerboweb.cfg.j2
+++ /dev/null
@@ -1,4 +0,0 @@
-MAX_CONTENT_LENGTH=10000000
-SECRET_KEY="{{lookup('password', 'gerboweb_flask_secret.txt length=32')}}"
-UPLOAD_PATH="{{gerboweb_cache}}/upload"
-JOB_QUEUE_DB="{{gerboweb_cache}}/job_queue.sqlite3"
diff --git a/gerboweb/deploy/gitolite.rc b/gerboweb/deploy/gitolite.rc
deleted file mode 100644
index ad1d2bb..0000000
--- a/gerboweb/deploy/gitolite.rc
+++ /dev/null
@@ -1,202 +0,0 @@
-# configuration variables for gitolite
-
-# This file is in perl syntax. But you do NOT need to know perl to edit it --
-# just mind the commas, use single quotes unless you know what you're doing,
-# and make sure the brackets and braces stay matched up!
-
-# (Tip: perl allows a comma after the last item in a list also!)
-
-# HELP for commands can be had by running the command with "-h".
-
-# HELP for all the other FEATURES can be found in the documentation (look for
-# "list of non-core programs shipped with gitolite" in the master index) or
-# directly in the corresponding source file.
-
-%RC = (
-
- # ------------------------------------------------------------------
-
- # default umask gives you perms of '0700'; see the rc file docs for
- # how/why you might change this
- UMASK => 0027,
-
- # look for "git-config" in the documentation
- GIT_CONFIG_KEYS => 'core\.sharedRepository gitweb.owner gitweb.description gitweb.category',
-
- # comment out if you don't need all the extra detail in the logfile
- LOG_EXTRA => 1,
- # logging options
- # 1. leave this section as is for 'normal' gitolite logging (default)
- # 2. uncomment this line to log ONLY to syslog:
- # LOG_DEST => 'syslog',
- # 3. uncomment this line to log to syslog and the normal gitolite log:
- # LOG_DEST => 'syslog,normal',
- # 4. prefixing "repo-log," to any of the above will **also** log just the
- # update records to "gl-log" in the bare repo directory:
- # LOG_DEST => 'repo-log,normal',
- # LOG_DEST => 'repo-log,syslog',
- # LOG_DEST => 'repo-log,syslog,normal',
- # syslog 'facility': defaults to 'local0', uncomment if needed. For example:
- # LOG_FACILITY => 'local4',
-
- # roles. add more roles (like MANAGER, TESTER, ...) here.
- # WARNING: if you make changes to this hash, you MUST run 'gitolite
- # compile' afterward, and possibly also 'gitolite trigger POST_COMPILE'
- ROLES => {
- READERS => 1,
- WRITERS => 1,
- },
-
- # enable caching (currently only Redis). PLEASE RTFM BEFORE USING!!!
- # CACHE => 'Redis',
-
- # ------------------------------------------------------------------
-
- # rc variables used by various features
-
- # the 'info' command prints this as additional info, if it is set
- # SITE_INFO => 'Please see http://blahblah/gitolite for more help',
-
- # the CpuTime feature uses these
- # display user, system, and elapsed times to user after each git operation
- # DISPLAY_CPU_TIME => 1,
- # display a warning if total CPU times (u, s, cu, cs) crosses this limit
- # CPU_TIME_WARN_LIMIT => 0.1,
-
- # the Mirroring feature needs this
- # HOSTNAME => "foo",
-
- # TTL for redis cache; PLEASE SEE DOCUMENTATION BEFORE UNCOMMENTING!
- # CACHE_TTL => 600,
-
- # ------------------------------------------------------------------
-
- # suggested locations for site-local gitolite code (see cust.html)
-
- # this one is managed directly on the server
- # LOCAL_CODE => "$ENV{HOME}/local",
-
- # or you can use this, which lets you put everything in a subdirectory
- # called "local" in your gitolite-admin repo. For a SECURITY WARNING
- # on this, see http://gitolite.com/gitolite/non-core.html#pushcode
- # LOCAL_CODE => "$rc{GL_ADMIN_BASE}/local",
-
- # ------------------------------------------------------------------
-
- # List of commands and features to enable
-
- ENABLE => [
-
- # COMMANDS
-
- # These are the commands enabled by default
- 'help',
- 'desc',
- 'info',
- 'perms',
- 'writable',
-
- # Uncomment or add new commands here.
- # 'create',
- # 'fork',
- # 'mirror',
- # 'readme',
- # 'sskm',
- 'D',
-
- # These FEATURES are enabled by default.
-
- # essential (unless you're using smart-http mode)
- 'ssh-authkeys',
-
- # creates git-config entries from gitolite.conf file entries like 'config foo.bar = baz'
- 'git-config',
-
- # creates git-daemon-export-ok files; if you don't use git-daemon, comment this out
- 'daemon',
-
- # creates projects.list file; if you don't use gitweb, comment this out
- 'gitweb',
-
- # These FEATURES are disabled by default; uncomment to enable. If you
- # need to add new ones, ask on the mailing list :-)
-
- # user-visible behaviour
-
- # prevent wild repos auto-create on fetch/clone
- # 'no-create-on-read',
- # no auto-create at all (don't forget to enable the 'create' command!)
- # 'no-auto-create',
-
- # access a repo by another (possibly legacy) name
- # 'Alias',
-
- # give some users direct shell access. See documentation in
- # sts.html for details on the following two choices.
- # "Shell $ENV{HOME}/.gitolite.shell-users",
- # 'Shell alice bob',
-
- # set default roles from lines like 'option default.roles-1 = ...', etc.
- # 'set-default-roles',
-
- # show more detailed messages on deny
- # 'expand-deny-messages',
-
- # show a message of the day
- # 'Motd',
-
- # system admin stuff
-
- # enable mirroring (don't forget to set the HOSTNAME too!)
- # 'Mirroring',
-
- # allow people to submit pub files with more than one key in them
- # 'ssh-authkeys-split',
-
- # selective read control hack
- # 'partial-copy',
-
- # manage local, gitolite-controlled, copies of read-only upstream repos
- # 'upstream',
-
- # updates 'description' file instead of 'gitweb.description' config item
- # 'cgit',
-
- # allow repo-specific hooks to be added
- # 'repo-specific-hooks',
-
- # performance, logging, monitoring...
-
- # be nice
- # 'renice 10',
-
- # log CPU times (user, system, cumulative user, cumulative system)
- # 'CpuTime',
-
- # syntactic_sugar for gitolite.conf and included files
-
- # allow backslash-escaped continuation lines in gitolite.conf
- # 'continuation-lines',
-
- # create implicit user groups from directory names in keydir/
- # 'keysubdirs-as-groups',
-
- # allow simple line-oriented macros
- # 'macros',
-
- # Kindergarten mode
-
- # disallow various things that sensible people shouldn't be doing anyway
- # 'Kindergarten',
- ],
-
-);
-
-# ------------------------------------------------------------------------------
-# per perl rules, this should be the last line in such a file:
-1;
-
-# Local variables:
-# mode: perl
-# End:
-# vim: set syn=perl:
diff --git a/gerboweb/deploy/inventory.yml b/gerboweb/deploy/inventory.yml
deleted file mode 100644
index 913ea5f..0000000
--- a/gerboweb/deploy/inventory.yml
+++ /dev/null
@@ -1,11 +0,0 @@
----
-all:
- hosts:
- wendelstein:
- ansible_host: wendelstein.jaseg.net
- ansible_ssh_identity_file: ~/.ssh/id_ed25519
- ansible_user: root
- ansible_python_interpreter: /usr/bin/python3
- localhost:
- ansible_connection: local
- ansible_python_interpreter: "{{ansible_playbook_python}}"
diff --git a/gerboweb/deploy/iptables.rules b/gerboweb/deploy/iptables.rules
deleted file mode 100644
index 620c4d3..0000000
--- a/gerboweb/deploy/iptables.rules
+++ /dev/null
@@ -1,27 +0,0 @@
-# Generated by iptables-save v1.8.0 on Thu Apr 4 11:06:33 2019
-*nat
-:PREROUTING ACCEPT [13:648]
-:INPUT ACCEPT [8:440]
-:OUTPUT ACCEPT [18:1260]
-:POSTROUTING ACCEPT [18:1260]
--A PREROUTING -i eth0 -p tcp -m tcp --dport 23 -j REDIRECT --to-ports 2342
-COMMIT
-# Completed on Thu Apr 4 11:06:33 2019
-# Generated by iptables-save v1.8.0 on Thu Apr 4 11:06:33 2019
-*filter
-:INPUT ACCEPT [0:0]
-:FORWARD ACCEPT [0:0]
-:OUTPUT ACCEPT [360:761646]
--A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
--A INPUT -p icmp -j ACCEPT
--A INPUT -i lo -j ACCEPT
--A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
--A INPUT -p tcp -m state --state NEW -m tcp --dport 2342 -j ACCEPT
--A INPUT -p tcp -m state --state NEW -m tcp --dport 23 -j ACCEPT
--A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
--A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
--A INPUT -p udp --dport 53 -j ACCEPT
--A INPUT -j REJECT --reject-with icmp-host-prohibited
--A FORWARD -j REJECT --reject-with icmp-host-prohibited
-COMMIT
-# Completed on Thu Apr 4 11:06:33 2019
diff --git a/gerboweb/deploy/library/inwx-collection b/gerboweb/deploy/library/inwx-collection
deleted file mode 160000
-Subproject 2928298f35d66d265679e8188029ce5834b2898
diff --git a/gerboweb/deploy/mirrorlist b/gerboweb/deploy/mirrorlist
deleted file mode 100644
index a2fd58c..0000000
--- a/gerboweb/deploy/mirrorlist
+++ /dev/null
@@ -1,474 +0,0 @@
-##
-## Arch Linux repository mirrorlist
-## Generated on 2017-06-06
-##
-
-## Worldwide
-#Server = https://archlinux.surlyjake.com/archlinux/$repo/os/$arch
-#Server = http://mirrors.evowise.com/archlinux/$repo/os/$arch
-Server = http://mirror.rackspace.com/archlinux/$repo/os/$arch
-
-## Australia
-#Server = https://mirror.aarnet.edu.au/pub/archlinux/$repo/os/$arch
-#Server = http://archlinux.mirror.digitalpacific.com.au/$repo/os/$arch
-#Server = http://ftp.iinet.net.au/pub/archlinux/$repo/os/$arch
-#Server = http://mirror.internode.on.net/pub/archlinux/$repo/os/$arch
-#Server = http://ftp.swin.edu.au/archlinux/$repo/os/$arch
-#Server = http://archlinux.uberglobalmirror.com/$repo/os/$arch
-
-## Austria
-#Server = http://mirror.digitalnova.at/archlinux/$repo/os/$arch
-#Server = http://mirror.easyname.at/archlinux/$repo/os/$arch
-#Server = http://mirror1.htu.tugraz.at/archlinux/$repo/os/$arch
-
-## Belarus
-#Server = http://ftp.byfly.by/pub/archlinux/$repo/os/$arch
-#Server = http://mirror.datacenter.by/pub/archlinux/$repo/os/$arch
-
-## Belgium
-#Server = http://archlinux.cu.be/$repo/os/$arch
-#Server = http://archlinux.mirror.kangaroot.net/$repo/os/$arch
-
-## Bosnia and Herzegovina
-#Server = http://burek.archlinux.ba/$repo/os/$arch
-#Server = http://archlinux.mirror.ba/$repo/os/$arch
-
-## Brazil
-#Server = http://br.mirror.archlinux-br.org/$repo/os/$arch
-#Server = http://archlinux.c3sl.ufpr.br/$repo/os/$arch
-#Server = http://linorg.usp.br/archlinux/$repo/os/$arch
-#Server = http://pet.inf.ufsc.br/mirrors/archlinux/$repo/os/$arch
-#Server = http://archlinux.pop-es.rnp.br/$repo/os/$arch
-
-## Bulgaria
-#Server = http://mirror.host.ag/archlinux/$repo/os/$arch
-#Server = http://mirrors.netix.net/archlinux/$repo/os/$arch
-#Server = http://mirror.telepoint.bg/archlinux/$repo/os/$arch
-#Server = http://mirrors.uni-plovdiv.net/archlinux/$repo/os/$arch
-#Server = https://mirrors.uni-plovdiv.net/archlinux/$repo/os/$arch
-
-## Canada
-#Server = http://mirror.cedille.club/archlinux/$repo/os/$arch
-#Server = http://archlinux.mirror.colo-serv.net/$repo/os/$arch
-#Server = http://mirror.csclub.uwaterloo.ca/archlinux/$repo/os/$arch
-#Server = https://mirror.csclub.uwaterloo.ca/archlinux/$repo/os/$arch
-#Server = http://mirror.frgl.pw/archlinux/$repo/os/$arch
-#Server = https://mirror.frgl.pw/archlinux/$repo/os/$arch
-#Server = http://mirror.its.dal.ca/archlinux/$repo/os/$arch
-#Server = http://muug.ca/mirror/archlinux/$repo/os/$arch
-#Server = https://muug.ca/mirror/archlinux/$repo/os/$arch
-#Server = http://archlinux.mirror.rafal.ca/$repo/os/$arch
-
-## Chile
-#Server = http://mirror.archlinux.cl/$repo/os/$arch
-
-## China
-#Server = http://mirrors.163.com/archlinux/$repo/os/$arch
-#Server = http://mirror.lzu.edu.cn/archlinux/$repo/os/$arch
-#Server = http://mirrors.neusoft.edu.cn/archlinux/$repo/os/$arch
-#Server = https://mirrors.skyshe.cn/archlinux/$repo/os/$arch
-#Server = http://mirrors.tuna.tsinghua.edu.cn/archlinux/$repo/os/$arch
-#Server = https://mirrors.tuna.tsinghua.edu.cn/archlinux/$repo/os/$arch
-#Server = http://mirrors.ustc.edu.cn/archlinux/$repo/os/$arch
-#Server = https://mirrors.ustc.edu.cn/archlinux/$repo/os/$arch
-#Server = http://mirrors.xjtu.edu.cn/archlinux/$repo/os/$arch
-#Server = https://mirrors.xjtu.edu.cn/archlinux/$repo/os/$arch
-#Server = http://mirrors.zju.edu.cn/archlinux/$repo/os/$arch
-
-## Colombia
-#Server = http://mirror.edatel.net.co/archlinux/$repo/os/$arch
-#Server = http://mirror.upb.edu.co/archlinux/$repo/os/$arch
-
-## Croatia
-#Server = http://archlinux.iskon.hr/$repo/os/$arch
-
-## Czech Republic
-#Server = http://mirror.dkm.cz/archlinux/$repo/os/$arch
-#Server = https://mirror.dkm.cz/archlinux/$repo/os/$arch
-#Server = http://ftp.fi.muni.cz/pub/linux/arch/$repo/os/$arch
-#Server = http://ftp.linux.cz/pub/linux/arch/$repo/os/$arch
-#Server = http://gluttony.sin.cvut.cz/arch/$repo/os/$arch
-#Server = https://gluttony.sin.cvut.cz/arch/$repo/os/$arch
-#Server = http://mirrors.nic.cz/archlinux/$repo/os/$arch
-#Server = http://ftp.sh.cvut.cz/arch/$repo/os/$arch
-#Server = https://ftp.sh.cvut.cz/arch/$repo/os/$arch
-#Server = http://mirror.vpsfree.cz/archlinux/$repo/os/$arch
-
-## Denmark
-#Server = http://mirrors.dotsrc.org/archlinux/$repo/os/$arch
-#Server = https://mirrors.dotsrc.org/archlinux/$repo/os/$arch
-#Server = http://ftp.klid.dk/ftp/archlinux/$repo/os/$arch
-#Server = http://mirror.one.com/archlinux/$repo/os/$arch
-#Server = https://mirror.one.com/archlinux/$repo/os/$arch
-
-## Ecuador
-#Server = http://mirror.cedia.org.ec/archlinux/$repo/os/$arch
-#Server = http://mirror.espoch.edu.ec/archlinux/$repo/os/$arch
-#Server = http://mirror.uta.edu.ec/archlinux/$repo/os/$arch
-
-## Finland
-#Server = http://arch.mirror.far.fi/$repo/os/$arch
-
-## France
-#Server = http://archlinux.de-labrusse.fr/$repo/os/$arch
-#Server = http://mirror.archlinux.ikoula.com/archlinux/$repo/os/$arch
-#Server = http://archlinux.vi-di.fr/$repo/os/$arch
-#Server = https://archlinux.vi-di.fr/$repo/os/$arch
-#Server = http://mirror.armbrust.me/archlinux/$repo/os/$arch
-#Server = https://mirror.armbrust.me/archlinux/$repo/os/$arch
-#Server = https://archlinux.ec-tech.fr/$repo/os/$arch
-#Server = http://fooo.biz/archlinux/$repo/os/$arch
-#Server = https://fooo.biz/archlinux/$repo/os/$arch
-#Server = http://mirror.gerhard.re/archlinux/$repo/os/$arch
-#Server = http://mirror.ibcp.fr/pub/archlinux/$repo/os/$arch
-#Server = http://mirror.lastmikoi.net/archlinux/$repo/os/$arch
-#Server = http://archlinux.mailtunnel.eu/$repo/os/$arch
-#Server = https://www.mailtunnel.eu/archlinux/$repo/os/$arch
-#Server = http://mir.archlinux.fr/$repo/os/$arch
-#Server = http://archlinux.mirrors.ovh.net/archlinux/$repo/os/$arch
-#Server = http://archlinux.mirror.pkern.at/$repo/os/$arch
-#Server = https://archlinux.mirror.pkern.at/$repo/os/$arch
-#Server = http://archlinux.polymorf.fr/$repo/os/$arch
-#Server = http://mirrors.standaloneinstaller.com/archlinux/$repo/os/$arch
-#Server = http://arch.tamcore.eu/$repo/os/$arch
-#Server = http://mirror.tyborek.pl/arch/$repo/os/$arch
-#Server = https://mirror.tyborek.pl/arch/$repo/os/$arch
-#Server = http://ftp.u-strasbg.fr/linux/distributions/archlinux/$repo/os/$arch
-#Server = https://mirror.wormhole.eu/archlinux/$repo/os/$arch
-#Server = http://arch.yourlabs.org/$repo/os/$arch
-
-## Germany
-#Server = http://mirror.23media.de/archlinux/$repo/os/$arch
-#Server = https://arch.32g.eu/$repo/os/$arch
-#Server = http://artfiles.org/archlinux.org/$repo/os/$arch
-#Server = https://fabric-mirror.vps.hosteurope.de/archlinux/$repo/os/$arch
-#Server = https://mirror.bethselamin.de/$repo/os/$arch
-#Server = http://mirror.euserv.net/linux/archlinux/$repo/os/$arch
-#Server = http://mirror.f4st.host/archlinux/$repo/os/$arch
-#Server = https://mirror.f4st.host/archlinux/$repo/os/$arch
-#Server = http://ftp.fau.de/archlinux/$repo/os/$arch
-#Server = https://ftp.fau.de/archlinux/$repo/os/$arch
-#Server = http://mirror.fluxent.de/archlinux/$repo/os/$arch
-#Server = https://mirror.fluxent.de/archlinux/$repo/os/$arch
-#Server = http://mirror.gnomus.de/$repo/os/$arch
-#Server = http://www.gutscheindrache.com/mirror/archlinux/$repo/os/$arch
-#Server = http://ftp.gwdg.de/pub/linux/archlinux/$repo/os/$arch
-#Server = http://mirror.hactar.xyz/$repo/os/$arch
-#Server = https://mirror.hactar.xyz/$repo/os/$arch
-#Server = http://archlinux.honkgong.info/$repo/os/$arch
-#Server = http://ftp.hosteurope.de/mirror/ftp.archlinux.org/$repo/os/$arch
-#Server = http://ftp-stud.hs-esslingen.de/pub/Mirrors/archlinux/$repo/os/$arch
-#Server = http://archlinux.mirror.iphh.net/$repo/os/$arch
-#Server = http://repo.itmettke.de/archlinux/$repo/os/$arch
-#Server = https://repo.itmettke.de/archlinux/$repo/os/$arch
-#Server = https://mirror.jankoppe.de/archlinux/$repo/os/$arch
-#Server = http://arch.jensgutermuth.de/$repo/os/$arch
-#Server = https://arch.jensgutermuth.de/$repo/os/$arch
-#Server = http://mirror.js-webcoding.de/pub/archlinux/$repo/os/$arch
-#Server = https://mirror.js-webcoding.de/pub/archlinux/$repo/os/$arch
-#Server = http://k42.ch/mirror/archlinux/$repo/os/$arch
-#Server = https://k42.ch/mirror/archlinux/$repo/os/$arch
-#Server = http://mirror.de.leaseweb.net/archlinux/$repo/os/$arch
-Server = https://mirror.de.leaseweb.net/archlinux/$repo/os/$arch
-#Server = http://mirror.loli.forsale/arch/$repo/os/$arch
-#Server = https://mirror.loli.forsale/arch/$repo/os/$arch
-#Server = http://mirror.metalgamer.eu/archlinux/$repo/os/$arch
-#Server = https://mirror.metalgamer.eu/archlinux/$repo/os/$arch
-#Server = http://mirror.michael-eckert.net/archlinux/$repo/os/$arch
-#Server = https://mirror.michael-eckert.net/archlinux/$repo/os/$arch
-#Server = http://mirrors.n-ix.net/archlinux/$repo/os/$arch
-#Server = https://mirrors.n-ix.net/archlinux/$repo/os/$arch
-#Server = http://mirror.netcologne.de/archlinux/$repo/os/$arch
-Server = https://mirror.netcologne.de/archlinux/$repo/os/$arch
-#Server = http://mirrors.niyawe.de/archlinux/$repo/os/$arch
-#Server = https://mirrors.niyawe.de/archlinux/$repo/os/$arch
-#Server = http://archlinux.nullpointer.io/$repo/os/$arch
-#Server = https://archlinux.nullpointer.io/$repo/os/$arch
-#Server = http://mirror.pseudoform.org/$repo/os/$arch
-#Server = https://mirror.pseudoform.org/$repo/os/$arch
-#Server = https://www.ratenzahlung.de/mirror/archlinux/$repo/os/$arch
-#Server = http://ftp.halifax.rwth-aachen.de/archlinux/$repo/os/$arch
-#Server = http://linux.rz.rub.de/archlinux/$repo/os/$arch
-#Server = http://mirror.selfnet.de/archlinux/$repo/os/$arch
-#Server = http://ftp.spline.inf.fu-berlin.de/mirrors/archlinux/$repo/os/$arch
-#Server = https://ftp.spline.inf.fu-berlin.de/mirrors/archlinux/$repo/os/$arch
-#Server = http://archlinux.thaller.ws/$repo/os/$arch
-#Server = https://archlinux.thaller.ws/$repo/os/$arch
-#Server = http://archlinux.thelinuxnetworx.rocks/$repo/os/$arch
-#Server = https://archlinux.thelinuxnetworx.rocks/$repo/os/$arch
-#Server = http://archmirror.tomforb.es/$repo/os/$arch
-#Server = https://archmirror.tomforb.es/$repo/os/$arch
-#Server = http://ftp.tu-chemnitz.de/pub/linux/archlinux/$repo/os/$arch
-#Server = http://mirror.ubrco.de/archlinux/$repo/os/$arch
-#Server = https://mirror.ubrco.de/archlinux/$repo/os/$arch
-#Server = http://ftp.uni-bayreuth.de/linux/archlinux/$repo/os/$arch
-#Server = http://ftp.uni-hannover.de/archlinux/$repo/os/$arch
-#Server = http://ftp.uni-kl.de/pub/linux/archlinux/$repo/os/$arch
-#Server = http://mirror.united-gameserver.de/archlinux/$repo/os/$arch
-#Server = http://mirror.vfn-nrw.de/archlinux/$repo/os/$arch
-#Server = https://mirror.vfn-nrw.de/archlinux/$repo/os/$arch
-
-## Greece
-#Server = http://ftp.cc.uoc.gr/mirrors/linux/archlinux/$repo/os/$arch
-#Server = http://foss.aueb.gr/mirrors/linux/archlinux/$repo/os/$arch
-#Server = https://foss.aueb.gr/mirrors/linux/archlinux/$repo/os/$arch
-#Server = http://mirrors.myaegean.gr/linux/archlinux/$repo/os/$arch
-#Server = http://ftp.ntua.gr/pub/linux/archlinux/$repo/os/$arch
-#Server = http://ftp.otenet.gr/linux/archlinux/$repo/os/$arch
-
-## Hong Kong
-#Server = http://arch-mirror.wtako.net/$repo/os/$arch
-#Server = https://arch-mirror.wtako.net/$repo/os/$arch
-
-## Hungary
-#Server = http://ftp.energia.mta.hu/pub/mirrors/ftp.archlinux.org/$repo/os/$arch
-#Server = http://archmirror.hbit.sztaki.hu/archlinux/$repo/os/$arch
-
-## Iceland
-#Server = http://mirror.system.is/arch/$repo/os/$arch
-#Server = https://mirror.system.is/arch/$repo/os/$arch
-
-## India
-#Server = http://mirror.cse.iitk.ac.in/archlinux/$repo/os/$arch
-#Server = http://ftp.iitm.ac.in/archlinux/$repo/os/$arch
-
-## Indonesia
-#Server = http://mirror.devilzc0de.org/archlinux/$repo/os/$arch
-#Server = http://mirror.poliwangi.ac.id/archlinux/$repo/os/$arch
-#Server = http://suro.ubaya.ac.id/archlinux/$repo/os/$arch
-
-## Iran
-#Server = http://repo.sadjad.ac.ir/arch/$repo/os/$arch
-#Server = https://repo.sadjad.ac.ir/arch/$repo/os/$arch
-
-## Ireland
-#Server = http://ftp.heanet.ie/mirrors/ftp.archlinux.org/$repo/os/$arch
-#Server = https://ftp.heanet.ie/mirrors/ftp.archlinux.org/$repo/os/$arch
-
-## Israel
-#Server = http://mirror.isoc.org.il/pub/archlinux/$repo/os/$arch
-
-## Italy
-#Server = http://archlinux.prometeolibero.eu/archlinux/$repo/os/$arch
-#Server = https://archlinux.prometeolibero.eu/archlinux/$repo/os/$arch
-#Server = https://archlinux.beccacervello.it/archlinux/$repo/os/$arch
-#Server = http://mi.mirror.garr.it/mirrors/archlinux/$repo/os/$arch
-#Server = http://mirrors.prometeus.net/archlinux/$repo/os/$arch
-#Server = http://archlinux.students.cs.unibo.it/$repo/os/$arch
-
-## Japan
-#Server = http://ftp.tsukuba.wide.ad.jp/Linux/archlinux/$repo/os/$arch
-Server = http://ftp.jaist.ac.jp/pub/Linux/ArchLinux/$repo/os/$arch
-
-## Kazakhstan
-#Server = http://mirror.neolabs.kz/archlinux/$repo/os/$arch
-
-## Latvia
-#Server = http://archlinux.koyanet.lv/archlinux/$repo/os/$arch
-
-## Lithuania
-#Server = http://mirrors.atviras.lt/archlinux/$repo/os/$arch
-#Server = https://mirrors.atviras.lt/archlinux/$repo/os/$arch
-
-## Luxembourg
-#Server = http://archlinux.mirror.root.lu/$repo/os/$arch
-
-## Macedonia
-#Server = http://arch.softver.org.mk/archlinux/$repo/os/$arch
-#Server = http://mirror.t-home.mk/archlinux/$repo/os/$arch
-#Server = https://mirror.t-home.mk/archlinux/$repo/os/$arch
-
-## Netherlands
-#Server = http://arch.apt-get.eu/$repo/os/$arch
-#Server = http://mirror.i3d.net/pub/archlinux/$repo/os/$arch
-#Server = https://mirror.i3d.net/pub/archlinux/$repo/os/$arch
-#Server = http://mirror.nl.leaseweb.net/archlinux/$repo/os/$arch
-#Server = https://mirror.nl.leaseweb.net/archlinux/$repo/os/$arch
-#Server = http://mirror.netrouting.net/archlinux/$repo/os/$arch
-#Server = http://ftp.nluug.nl/os/Linux/distr/archlinux/$repo/os/$arch
-#Server = http://ftp.snt.utwente.nl/pub/os/linux/archlinux/$repo/os/$arch
-#Server = http://archlinux.mirror.wearetriple.com/$repo/os/$arch
-#Server = https://archlinux.mirror.wearetriple.com/$repo/os/$arch
-
-## New Caledonia
-#Server = http://mirror.lagoon.nc/pub/archlinux/$repo/os/$arch
-#Server = http://archlinux.nautile.nc/archlinux/$repo/os/$arch
-
-## New Zealand
-#Server = https://mirror.smith.geek.nz/archlinux/$repo/os/$arch
-
-## Norway
-#Server = http://mirror.archlinux.no/$repo/os/$arch
-#Server = http://archlinux.uib.no/$repo/os/$arch
-#Server = http://mirror.neuf.no/archlinux/$repo/os/$arch
-#Server = https://mirror.neuf.no/archlinux/$repo/os/$arch
-
-## Philippines
-#Server = http://mirror.rise.ph/archlinux/$repo/os/$arch
-
-## Poland
-#Server = http://mirror.chmuri.net/archmirror/$repo/os/$arch
-#Server = http://arch.midov.pl/arch/$repo/os/$arch
-#Server = http://mirror.onet.pl/pub/mirrors/archlinux/$repo/os/$arch
-#Server = http://piotrkosoft.net/pub/mirrors/ftp.archlinux.org/$repo/os/$arch
-#Server = http://ftp.vectranet.pl/archlinux/$repo/os/$arch
-
-## Portugal
-#Server = http://glua.ua.pt/pub/archlinux/$repo/os/$arch
-#Server = https://glua.ua.pt/pub/archlinux/$repo/os/$arch
-#Server = http://ftp.rnl.tecnico.ulisboa.pt/pub/archlinux/$repo/os/$arch
-
-## Qatar
-#Server = http://mirror.qnren.qa/archlinux/$repo/os/$arch
-
-## Romania
-#Server = http://mirror.archlinux.ro/archlinux/$repo/os/$arch
-#Server = http://archlinux.mirrors.linux.ro/$repo/os/$arch
-#Server = http://mirrors.m247.ro/archlinux/$repo/os/$arch
-#Server = http://mirrors.pidginhost.com/arch/$repo/os/$arch
-
-## Russia
-#Server = http://mirror.aur.rocks/$repo/os/$arch
-#Server = https://mirror.aur.rocks/$repo/os/$arch
-#Server = http://mirror.rol.ru/archlinux/$repo/os/$arch
-#Server = https://mirror.rol.ru/archlinux/$repo/os/$arch
-#Server = http://mirror.yandex.ru/archlinux/$repo/os/$arch
-#Server = https://mirror.yandex.ru/archlinux/$repo/os/$arch
-
-## Serbia
-#Server = http://mirror.pmf.kg.ac.rs/archlinux/$repo/os/$arch
-
-## Singapore
-#Server = http://mirror.0x.sg/archlinux/$repo/os/$arch
-#Server = http://download.nus.edu.sg/mirror/arch/$repo/os/$arch
-
-## Slovakia
-#Server = http://mirror.lnx.sk/pub/linux/archlinux/$repo/os/$arch
-#Server = https://mirror.lnx.sk/pub/linux/archlinux/$repo/os/$arch
-#Server = http://tux.rainside.sk/archlinux/$repo/os/$arch
-
-## Slovenia
-#Server = http://archimonde.ts.si/archlinux/$repo/os/$arch
-#Server = https://archimonde.ts.si/archlinux/$repo/os/$arch
-
-## South Africa
-#Server = http://za.mirror.archlinux-br.org/$repo/os/$arch
-#Server = http://ftp.wa.co.za/pub/archlinux/$repo/os/$arch
-#Server = http://mirror.is.co.za/mirror/archlinux.org/$repo/os/$arch
-#Server = http://mirror.wbs.co.za/archlinux/$repo/os/$arch
-
-## South Korea
-#Server = http://ftp.kaist.ac.kr/ArchLinux/$repo/os/$arch
-#Server = http://mirror.premi.st/archlinux/$repo/os/$arch
-
-## Spain
-#Server = http://osl.ugr.es/archlinux/$repo/os/$arch
-#Server = http://sunsite.rediris.es/mirror/archlinux/$repo/os/$arch
-
-## Sweden
-#Server = http://ftp.acc.umu.se/mirror/archlinux/$repo/os/$arch
-#Server = https://ftp.acc.umu.se/mirror/archlinux/$repo/os/$arch
-#Server = http://archlinux.dynamict.se/$repo/os/$arch
-#Server = https://archlinux.dynamict.se/$repo/os/$arch
-#Server = http://ftp.lysator.liu.se/pub/archlinux/$repo/os/$arch
-#Server = https://ftp.lysator.liu.se/pub/archlinux/$repo/os/$arch
-#Server = http://ftp.myrveln.se/pub/linux/archlinux/$repo/os/$arch
-#Server = https://ftp.myrveln.se/pub/linux/archlinux/$repo/os/$arch
-#Server = https://mirror.osbeck.com/archlinux/$repo/os/$arch
-#Server = http://ftp.portlane.com/pub/os/linux/archlinux/$repo/os/$arch
-
-## Switzerland
-#Server = http://pkg.adfinis-sygroup.ch/archlinux/$repo/os/$arch
-#Server = https://pkg.adfinis-sygroup.ch/archlinux/$repo/os/$arch
-#Server = http://archlinux.puzzle.ch/$repo/os/$arch
-
-## Taiwan
-#Server = http://archlinux.cs.nctu.edu.tw/$repo/os/$arch
-#Server = http://shadow.ind.ntou.edu.tw/archlinux/$repo/os/$arch
-#Server = http://ftp.tku.edu.tw/Linux/ArchLinux/$repo/os/$arch
-#Server = http://ftp.yzu.edu.tw/Linux/archlinux/$repo/os/$arch
-
-## Thailand
-#Server = http://mirror.adminbannok.com/archlinux/$repo/os/$arch
-#Server = http://mirror.kku.ac.th/archlinux/$repo/os/$arch
-#Server = https://mirror.kku.ac.th/archlinux/$repo/os/$arch
-
-## Turkey
-#Server = http://ftp.linux.org.tr/archlinux/$repo/os/$arch
-
-## Ukraine
-#Server = http://archlinux.ip-connect.vn.ua/$repo/os/$arch
-#Server = https://archlinux.ip-connect.vn.ua/$repo/os/$arch
-#Server = http://mirrors.nix.org.ua/linux/archlinux/$repo/os/$arch
-#Server = https://mirrors.nix.org.ua/linux/archlinux/$repo/os/$arch
-
-## United Kingdom
-#Server = http://mirror.bytemark.co.uk/archlinux/$repo/os/$arch
-#Server = http://mirrors.manchester.m247.com/arch-linux/$repo/os/$arch
-#Server = http://www.mirrorservice.org/sites/ftp.archlinux.org/$repo/os/$arch
-#Server = http://arch.serverspace.co.uk/arch/$repo/os/$arch
-#Server = http://archlinux.mirrors.uk2.net/$repo/os/$arch
-
-## United States
-#Server = http://mirrors.acm.wpi.edu/archlinux/$repo/os/$arch
-#Server = http://mirrors.advancedhosters.com/archlinux/$repo/os/$arch
-#Server = http://mirrors.aggregate.org/archlinux/$repo/os/$arch
-#Server = http://ca.us.mirror.archlinux-br.org/$repo/os/$arch
-#Server = http://il.us.mirror.archlinux-br.org/$repo/os/$arch
-#Server = http://archlinux.surlyjake.com/archlinux/$repo/os/$arch
-#Server = http://arlm.tyzoid.com/$repo/os/$arch
-#Server = http://mirror.as65535.net/archlinux/$repo/os/$arch
-#Server = http://mirrors.cat.pdx.edu/archlinux/$repo/os/$arch
-#Server = http://mirror.cc.columbia.edu/pub/linux/archlinux/$repo/os/$arch
-#Server = http://arch.mirror.constant.com/$repo/os/$arch
-#Server = https://arch.mirror.constant.com/$repo/os/$arch
-#Server = http://cosmos.cites.illinois.edu/pub/archlinux/$repo/os/$arch
-#Server = http://mirror.cs.pitt.edu/archlinux/$repo/os/$arch
-#Server = http://mirror.cs.vt.edu/pub/ArchLinux/$repo/os/$arch
-#Server = http://mirror.epiphyte.network/archlinux/$repo/os/$arch
-#Server = https://mirror.epiphyte.network/archlinux/$repo/os/$arch
-#Server = http://mirror.es.its.nyu.edu/archlinux/$repo/os/$arch
-#Server = http://mirrors.gigenet.com/archlinux/$repo/os/$arch
-#Server = http://mirror.grig.io/archlinux/$repo/os/$arch
-#Server = https://mirror.grig.io/archlinux/$repo/os/$arch
-#Server = http://www.gtlib.gatech.edu/pub/archlinux/$repo/os/$arch
-#Server = http://mirror1.hackingand.coffee/arch/$repo/os/$arch
-#Server = http://mirror2.hackingand.coffee/arch/$repo/os/$arch
-#Server = http://mirror3.hackingand.coffee/arch/$repo/os/$arch
-#Server = http://mirror.htnshost.com/archlinux/$repo/os/$arch
-#Server = http://mirror.jmu.edu/pub/archlinux/$repo/os/$arch
-#Server = http://mirrors.kernel.org/archlinux/$repo/os/$arch
-#Server = https://mirrors.kernel.org/archlinux/$repo/os/$arch
-#Server = http://mirror.us.leaseweb.net/archlinux/$repo/os/$arch
-#Server = https://mirror.us.leaseweb.net/archlinux/$repo/os/$arch
-#Server = http://il.mirrors.linaxe.net/archlinux/$repo/os/$arch
-#Server = http://mirrors.liquidweb.com/archlinux/$repo/os/$arch
-#Server = http://arch.localmsp.org/arch/$repo/os/$arch
-#Server = https://arch.localmsp.org/arch/$repo/os/$arch
-#Server = http://mirror.lty.me/archlinux/$repo/os/$arch
-#Server = https://mirror.lty.me/archlinux/$repo/os/$arch
-#Server = http://mirrors.lug.mtu.edu/archlinux/$repo/os/$arch
-#Server = https://mirrors.lug.mtu.edu/archlinux/$repo/os/$arch
-#Server = http://mirror.math.princeton.edu/pub/archlinux/$repo/os/$arch
-#Server = http://mirror.metrocast.net/archlinux/$repo/os/$arch
-#Server = http://mirror.kaminski.io/archlinux/$repo/os/$arch
-#Server = https://mirror.kaminski.io/archlinux/$repo/os/$arch
-#Server = http://mirror.nexcess.net/archlinux/$repo/os/$arch
-#Server = http://mirrors.ocf.berkeley.edu/archlinux/$repo/os/$arch
-#Server = https://mirrors.ocf.berkeley.edu/archlinux/$repo/os/$arch
-#Server = http://ftp.osuosl.org/pub/archlinux/$repo/os/$arch
-#Server = http://arch.mirrors.pair.com/$repo/os/$arch
-#Server = http://mirrors.rit.edu/archlinux/$repo/os/$arch
-#Server = https://mirrors.rit.edu/archlinux/$repo/os/$arch
-#Server = http://mirrors.rutgers.edu/archlinux/$repo/os/$arch
-#Server = https://mirrors.rutgers.edu/archlinux/$repo/os/$arch
-#Server = https://mirrors.tuxns.net/archlinux/$repo/os/$arch
-#Server = http://mirror.umd.edu/archlinux/$repo/os/$arch
-#Server = http://mirror.vtti.vt.edu/archlinux/$repo/os/$arch
-#Server = http://mirrors.xmission.com/archlinux/$repo/os/$arch
-#Server = http://mirror.yellowfiber.net/archlinux/$repo/os/$arch
-
-## Vietnam
-#Server = http://f.archlinuxvn.org/archlinux/$repo/os/$arch
-#Server = http://mirror-fpt-telecom.fpt.net/archlinux/$repo/os/$arch
-
diff --git a/gerboweb/deploy/nginx.conf b/gerboweb/deploy/nginx.conf
deleted file mode 100644
index f14f370..0000000
--- a/gerboweb/deploy/nginx.conf
+++ /dev/null
@@ -1,458 +0,0 @@
-# For more information on configuration, see:
-# * Official English Documentation: http://nginx.org/en/docs/
-# * Official Russian Documentation: http://nginx.org/ru/docs/
-
-user nginx;
-worker_processes auto;
-error_log /var/log/nginx/error.log;
-pid /run/nginx.pid;
-
-# Load dynamic modules. See /usr/share/doc/nginx/README.dynamic.
-include /usr/share/nginx/modules/*.conf;
-
-events {
- worker_connections 1024;
-}
-
-http {
- log_format main '$remote_addr - $remote_user [$time_local] "$request" '
- '$status $body_bytes_sent "$http_referer" '
- '"$http_user_agent" "$http_x_forwarded_for"';
-
- access_log /var/log/nginx/access.log main;
-
- sendfile on;
- tcp_nopush on;
- tcp_nodelay on;
- keepalive_timeout 65;
- types_hash_max_size 4096;
-
- include /etc/nginx/mime.types;
- default_type application/octet-stream;
-
- # Load modular configuration files from the /etc/nginx/conf.d directory.
- # See http://nginx.org/en/docs/ngx_core_module.html#include
- # for more information.
- include /etc/nginx/conf.d/*.conf;
-
- server {
- listen 80;
- listen [::]:80;
- server_name .jaseg.net;
- return 301 https://$host$request_uri;
- }
-
- server {
- listen 443 ssl http2 default_server;
- listen [::]:443 ssl http2 default_server;
- server_name gerbolyze.jaseg.net;
- root /usr/share/nginx/html;
-
- ssl_certificate "/etc/letsencrypt/live/gerbolyze.jaseg.net/fullchain.pem";
- ssl_certificate_key "/etc/letsencrypt/live/gerbolyze.jaseg.net/privkey.pem";
- ssl_dhparam "/etc/letsencrypt/ssl-dhparams.pem";
- include /etc/letsencrypt/options-ssl-nginx.conf;
-
- ssl_stapling on;
- ssl_stapling_verify on;
-
- resolver 67.207.67.2 67.207.67.3 valid=300s;
- resolver_timeout 10s;
-
- add_header Strict-Transport-Security "max-age=86400";
-
- # Load configuration files for the default server block.
- include /etc/nginx/default.d/*.conf;
-
- location ^~ /static/ {
- root /var/lib/gerboweb;
- }
-
- location / {
- include uwsgi_params;
- uwsgi_pass unix:/run/uwsgi/gerboweb.socket;
- }
-
- error_page 404 /404.html;
- location = /40x.html {
- root /usr/share/nginx/html;
- }
-
- error_page 500 502 503 504 /50x.html;
- location = /50x.html {
- root /usr/share/nginx/html;
- }
- }
-
- server {
- listen 443 ssl http2;
- listen [::]:443 ssl http2;
- server_name blog.jaseg.net;
-
- ssl_certificate "/etc/letsencrypt/live/blog.jaseg.net/fullchain.pem";
- ssl_certificate_key "/etc/letsencrypt/live/blog.jaseg.net/privkey.pem";
- ssl_dhparam "/etc/letsencrypt/ssl-dhparams.pem";
- include /etc/letsencrypt/options-ssl-nginx.conf;
-
- ssl_stapling on;
- ssl_stapling_verify on;
-
- resolver 67.207.67.2 67.207.67.3 valid=300s;
- resolver_timeout 10s;
-
- add_header Strict-Transport-Security "max-age=86400";
-
- return 301 https://blog.jaseg.de$request_uri;
- }
-
- server {
- listen 443 ssl http2;
- listen [::]:443 ssl http2;
- server_name blog.jaseg.de;
- root /usr/share/nginx/html;
-
- ssl_certificate "/etc/letsencrypt/live/blog.jaseg.de/fullchain.pem";
- ssl_certificate_key "/etc/letsencrypt/live/blog.jaseg.de/privkey.pem";
- ssl_dhparam "/etc/letsencrypt/ssl-dhparams.pem";
- include /etc/letsencrypt/options-ssl-nginx.conf;
-
- ssl_stapling on;
- ssl_stapling_verify on;
-
- resolver 67.207.67.2 67.207.67.3 valid=300s;
- resolver_timeout 10s;
-
- add_header Strict-Transport-Security "max-age=86400";
-
- # Load configuration files for the default server block.
- include /etc/nginx/default.d/*.conf;
-
- location / {
- root /var/www/blog.jaseg.de;
- }
-
- location /d/ {
- access_log off;
- log_not_found off;
- rewrite ^/d/(.*)$ /$1 break;
- include uwsgi_params;
- uwsgi_pass unix:/run/uwsgi/secure-download.socket;
- }
-
- error_page 404 /404.html;
- location = /40x.html {
- root /usr/share/nginx/html;
- }
-
- error_page 500 502 503 504 /50x.html;
- location = /50x.html {
- root /usr/share/nginx/html;
- }
- }
-
- server {
- listen 443 ssl http2;
- listen [::]:443 ssl http2;
- server_name automation.jaseg.de;
- root /usr/share/nginx/html;
-
- ssl_certificate "/etc/letsencrypt/live/automation.jaseg.de/fullchain.pem";
- ssl_certificate_key "/etc/letsencrypt/live/automation.jaseg.de/privkey.pem";
- ssl_dhparam "/etc/letsencrypt/ssl-dhparams.pem";
- include /etc/letsencrypt/options-ssl-nginx.conf;
-
- ssl_stapling on;
- ssl_stapling_verify on;
-
- resolver 67.207.67.2 67.207.67.3 valid=300s;
- resolver_timeout 10s;
-
- add_header Strict-Transport-Security "max-age=86400";
-
- # Load configuration files for the default server block.
- include /etc/nginx/default.d/*.conf;
-
- location / {
- include uwsgi_params;
- uwsgi_pass unix:/run/uwsgi/notification-proxy.socket;
- }
-
- error_page 404 /404.html;
- location = /40x.html {
- root /usr/share/nginx/html;
- }
-
- error_page 500 502 503 504 /50x.html;
- location = /50x.html {
- root /usr/share/nginx/html;
- }
- }
-
- server {
- listen 443 ssl http2;
- listen [::]:443 ssl http2;
- server_name kochbuch.jaseg.net;
- root /usr/share/nginx/html;
-
- ssl_certificate "/etc/letsencrypt/live/kochbuch.jaseg.net/fullchain.pem";
- ssl_certificate_key "/etc/letsencrypt/live/kochbuch.jaseg.net/privkey.pem";
- ssl_dhparam "/etc/letsencrypt/ssl-dhparams.pem";
- include /etc/letsencrypt/options-ssl-nginx.conf;
-
- ssl_stapling on;
- ssl_stapling_verify on;
-
- resolver 67.207.67.2 67.207.67.3 valid=300s;
- resolver_timeout 10s;
-
- add_header Strict-Transport-Security "max-age=86400";
-
- # Load configuration files for the default server block.
- include /etc/nginx/default.d/*.conf;
-
- location / {
- auth_basic "blubb";
- auth_basic_user_file /etc/nginx/kochbuch.htpasswd;
- root /var/www/kochbuch.jaseg.net;
- }
-
- error_page 404 /404.html;
- location = /40x.html {
- root /usr/share/nginx/html;
- }
-
- error_page 500 502 503 504 /50x.html;
- location = /50x.html {
- root /usr/share/nginx/html;
- }
- }
-
- server {
- listen 443 ssl http2;
- listen [::]:443 ssl http2;
- server_name pogojig.jaseg.net;
- root /usr/share/nginx/html;
-
- ssl_certificate "/etc/letsencrypt/live/pogojig.jaseg.net/fullchain.pem";
- ssl_certificate_key "/etc/letsencrypt/live/pogojig.jaseg.net/privkey.pem";
- ssl_dhparam "/etc/letsencrypt/ssl-dhparams.pem";
- include /etc/letsencrypt/options-ssl-nginx.conf;
-
- ssl_stapling on;
- ssl_stapling_verify on;
-
- resolver 67.207.67.2 67.207.67.3 valid=300s;
- resolver_timeout 10s;
- client_max_body_size 10M;
-
- add_header Strict-Transport-Security "max-age=86400";
-
- # Load configuration files for the default server block.
- include /etc/nginx/default.d/*.conf;
-
- location ^~ /pogospace/ {
- root /var/lib/pogojig/pogospace;
- }
-
- location / {
- include uwsgi_params;
- uwsgi_pass unix:/run/uwsgi/pogojig.socket;
- }
-
- error_page 404 /404.html;
- location = /40x.html {
- root /usr/share/nginx/html;
- }
-
- error_page 500 502 503 504 /50x.html;
- location = /50x.html {
- root /usr/share/nginx/html;
- }
- }
-
- server {
- listen 443 ssl http2;
- listen [::]:443 ssl http2;
- server_name tracespace.jaseg.net;
- root /usr/share/nginx/html;
-
- ssl_certificate "/etc/letsencrypt/live/tracespace.jaseg.net/fullchain.pem";
- ssl_certificate_key "/etc/letsencrypt/live/tracespace.jaseg.net/privkey.pem";
- ssl_dhparam "/etc/letsencrypt/ssl-dhparams.pem";
- include /etc/letsencrypt/options-ssl-nginx.conf;
-
- ssl_stapling on;
- ssl_stapling_verify on;
-
- resolver 67.207.67.2 67.207.67.3 valid=300s;
- resolver_timeout 10s;
-
- add_header Strict-Transport-Security "max-age=86400";
-
- # Load configuration files for the default server block.
- include /etc/nginx/default.d/*.conf;
-
- location / {
- root /var/www/tracespace.jaseg.net;
- }
-
- error_page 404 /404.html;
- location = /40x.html {
- root /usr/share/nginx/html;
- }
-
- error_page 500 502 503 504 /50x.html;
- location = /50x.html {
- root /usr/share/nginx/html;
- }
- }
-
- server {
- listen 443 ssl http2;
- listen [::]:443 ssl http2;
- server_name openjscad.jaseg.net;
- root /usr/share/nginx/html;
-
- ssl_certificate "/etc/letsencrypt/live/openjscad.jaseg.net/fullchain.pem";
- ssl_certificate_key "/etc/letsencrypt/live/openjscad.jaseg.net/privkey.pem";
- ssl_dhparam "/etc/letsencrypt/ssl-dhparams.pem";
- include /etc/letsencrypt/options-ssl-nginx.conf;
-
- ssl_stapling on;
- ssl_stapling_verify on;
-
- resolver 67.207.67.2 67.207.67.3 valid=300s;
- resolver_timeout 10s;
-
- add_header Strict-Transport-Security "max-age=86400";
-
- # Load configuration files for the default server block.
- include /etc/nginx/default.d/*.conf;
-
- location / {
- root /var/www/openjscad.jaseg.net;
- }
-
- error_page 404 /404.html;
- location = /40x.html {
- root /usr/share/nginx/html;
- }
-
- error_page 500 502 503 504 /50x.html;
- location = /50x.html {
- root /usr/share/nginx/html;
- }
- }
-
- server {
- listen 443 ssl http2;
- listen [::]:443 ssl http2;
- server_name git.jaseg.net;
-
- ssl_certificate "/etc/letsencrypt/live/git.jaseg.net/fullchain.pem";
- ssl_certificate_key "/etc/letsencrypt/live/git.jaseg.net/privkey.pem";
- ssl_dhparam "/etc/letsencrypt/ssl-dhparams.pem";
- include /etc/letsencrypt/options-ssl-nginx.conf;
-
- ssl_stapling on;
- ssl_stapling_verify on;
-
- resolver 67.207.67.2 67.207.67.3 valid=300s;
- resolver_timeout 10s;
-
- add_header Strict-Transport-Security "max-age=86400";
-
- return 301 https://git.jaseg.de$request_uri;
- }
-
- server {
- listen 443 ssl http2;
- listen [::]:443 ssl http2;
- server_name git.jaseg.de;
- root /usr/share/nginx/html;
-
- ssl_certificate "/etc/letsencrypt/live/git.jaseg.de/fullchain.pem";
- ssl_certificate_key "/etc/letsencrypt/live/git.jaseg.de/privkey.pem";
- ssl_dhparam "/etc/letsencrypt/ssl-dhparams.pem";
- include /etc/letsencrypt/options-ssl-nginx.conf;
-
- ssl_stapling on;
- ssl_stapling_verify on;
-
- resolver 67.207.67.2 67.207.67.3 valid=300s;
- resolver_timeout 10s;
-
- add_header Strict-Transport-Security "max-age=86400";
-
- # Load configuration files for the default server block.
- include /etc/nginx/default.d/*.conf;
-
- location ~ ^/(cgit.css|robots.txt) {
- root /usr/share/cgit;
- expires 30d;
- }
-
- location ~ ^/(cgit.png|favicon.png) {
- alias /var/www/git.jaseg.de/cgit.png;
- }
-
- location ~ ^/favicon.ico {
- alias /var/www/git.jaseg.de/favicon.ico;
- }
-
- location / {
- include uwsgi_params;
- uwsgi_modifier1 9;
- uwsgi_pass unix:/run/uwsgi/cgit.socket;
- }
-
- error_page 404 /404.html;
- location = /40x.html {
- root /usr/share/nginx/html;
- }
-
- error_page 500 502 503 504 /50x.html;
- location = /50x.html {
- root /usr/share/nginx/html;
- }
- }
-
- server {
- listen 443 ssl http2;
- listen [::]:443 ssl http2;
- server_name dyndns.jaseg.de;
- root /usr/share/nginx/html;
-
- ssl_certificate "/etc/letsencrypt/live/dyndns.jaseg.de/fullchain.pem";
- ssl_certificate_key "/etc/letsencrypt/live/dyndns.jaseg.de/privkey.pem";
- ssl_dhparam "/etc/letsencrypt/ssl-dhparams.pem";
- include /etc/letsencrypt/options-ssl-nginx.conf;
-
- ssl_stapling on;
- ssl_stapling_verify on;
-
- resolver 67.207.67.2 67.207.67.3 valid=300s;
- resolver_timeout 10s;
-
- add_header Strict-Transport-Security "max-age=86400";
-
- # Load configuration files for the default server block.
- include /etc/nginx/default.d/*.conf;
-
- location / {
- include uwsgi_params;
- uwsgi_pass unix:/run/uwsgi/dyndns.socket;
- }
-
- error_page 404 /404.html;
- location = /40x.html {
- root /usr/share/nginx/html;
- }
-
- error_page 500 502 503 504 /50x.html;
- location = /50x.html {
- root /usr/share/nginx/html;
- }
- }
-}
-
diff --git a/gerboweb/deploy/nginx_nossl.conf b/gerboweb/deploy/nginx_nossl.conf
deleted file mode 100644
index 87de478..0000000
--- a/gerboweb/deploy/nginx_nossl.conf
+++ /dev/null
@@ -1,59 +0,0 @@
-# For more information on configuration, see:
-# * Official English Documentation: http://nginx.org/en/docs/
-# * Official Russian Documentation: http://nginx.org/ru/docs/
-
-user nginx;
-worker_processes auto;
-error_log /var/log/nginx/error.log;
-pid /run/nginx.pid;
-
-# Load dynamic modules. See /usr/share/doc/nginx/README.dynamic.
-include /usr/share/nginx/modules/*.conf;
-
-events {
- worker_connections 1024;
-}
-
-http {
- log_format main '$remote_addr - $remote_user [$time_local] "$request" '
- '$status $body_bytes_sent "$http_referer" '
- '"$http_user_agent" "$http_x_forwarded_for"';
-
- access_log /var/log/nginx/access.log main;
-
- sendfile on;
- tcp_nopush on;
- tcp_nodelay on;
- keepalive_timeout 65;
- types_hash_max_size 4096;
-
- include /etc/nginx/mime.types;
- default_type application/octet-stream;
-
- # Load modular configuration files from the /etc/nginx/conf.d directory.
- # See http://nginx.org/en/docs/ngx_core_module.html#include
- # for more information.
- include /etc/nginx/conf.d/*.conf;
-
- server {
- listen 80 default_server;
- listen [::]:80 default_server;
- server_name gerbolyze.jaseg.net;
- return 301 https://$host$request_uri;
- }
-
- server {
- listen 80;
- listen [::]:80;
- server_name blog.jaseg.net;
- return 301 https://$host$request_uri;
- }
-
- server {
- listen 80;
- listen [::]:80;
- server_name blog.jaseg.de;
- return 301 https://$host$request_uri;
- }
-}
-
diff --git a/gerboweb/deploy/notification_proxy.py b/gerboweb/deploy/notification_proxy.py
deleted file mode 100644
index 117f8e1..0000000
--- a/gerboweb/deploy/notification_proxy.py
+++ /dev/null
@@ -1,179 +0,0 @@
-import smtplib
-import ssl
-import email.utils
-import hmac
-from email.mime.text import MIMEText
-from datetime import datetime
-import time
-import functools
-import json
-import binascii
-import uwsgidecorators
-
-import sqlite3
-
-from flask import Flask, request, abort
-
-app = Flask(__name__)
-app.config.from_pyfile('config.py')
-
-db = sqlite3.connect(app.config['SQLITE_DB'], check_same_thread=False)
-with db as conn:
- conn.execute('''CREATE TABLE IF NOT EXISTS seqs_seen
- (route_name TEXT PRIMARY KEY,
- seq INTEGER)''')
- conn.execute('''CREATE TABLE IF NOT EXISTS time_seen
- (route_name TEXT PRIMARY KEY)''')
-
- conn.execute('''CREATE TABLE IF NOT EXISTS heartbeats_seen
- (route_name TEXT PRIMARY KEY,
- timestamp INTEGER,
- notified INTEGER)''')
- # Clear table on startup to avoid spurious notifications
- conn.execute('''DELETE FROM heartbeats_seen''')
-
-mail_routes = {}
-
-def mail_route(name, receiver, secret):
- def wrap(func):
- global routes
- mail_routes[name] = (receiver, func, secret)
- return func
- return wrap
-
-
-def authenticate(route_name, secret, clock_delta_tolerance:'s'=120):
- with db as conn:
- if not request.is_json:
- print('Rejecting notification: Incorrect content type')
- abort(400)
-
- if not 'auth' in request.json and 'payload' in request.json:
- print('Rejecting notification: signature or payload not found')
- abort(400)
-
- if not isinstance(request.json['auth'], str):
- print('Rejecting notification: signature is of incorrect type')
- abort(400)
- their_digest = binascii.unhexlify(request.json['auth'])
-
- our_digest = hmac.digest(secret.encode('utf-8'), request.json['payload'].encode('utf-8'), 'sha256')
- if not hmac.compare_digest(their_digest, our_digest):
- print('Rejecting notification: Incorrect signature')
- abort(403)
-
- try:
- payload = json.loads(request.json['payload'])
- except:
- print('Rejecting notification: Payload is not JSON')
- abort(400)
-
- last_seqnum = conn.execute('SELECT seq FROM seqs_seen WHERE route_name = ?', (route_name,)).fetchone() or 0
- # We can check for seq here: Only an attacker with knowledge of the secret would be able to remove
- # seq from a message. This means for a single key, only messages with or without seq may ever be used.
- if 'seq' in payload:
- seq = payload['seq']
- if not isinstance(seq, int):
- print('Rejecting notification: seq of wrong type')
- abort(400)
-
- if seq <= last_seqnum:
- print('Rejecting notification: seq out of order')
- abort(400)
-
- conn.execute('INSERT OR REPLACE INTO seqs_seen VALUES (?, ?)', (route_name, seq))
-
- elif last_seqnum:
- print('Rejecting notification: seq not included but past messages included seq')
- abort(400)
-
- msg_time = None
- if 'time' in payload:
- msg_time = payload['time']
- if not isinstance(msg_time, int):
- print('Rejecting notification: time of wrong type')
- abort(400)
-
- if abs(msg_time - int(time.time())) > clock_delta_tolerance:
- print('Rejecting notification: timestamp too far in the future or past')
- abort(400)
-
- conn.execute('INSERT OR REPLACE INTO time_seen VALUES (?)', (route_name,))
-
- elif conn.execute('SELECT * FROM time_seen WHERE route_name = ?', (route_name,)).fetchone():
- print('Rejecting notification: time not included but past messages included time')
- abort(400)
-
- if msg_time is None:
- msg_time = int(time.time())
-
- return msg_time, payload['scope'], payload['d']
-
-@mail_route('klingel', 'computerstuff@jaseg.de', app.config['SECRET_KLINGEL'])
-def klingel(classification='somewhere', rms=None, capture=None, **kwargs):
- return (f'It rang {classification}!',
- f'rms={rms}\ncapture={capture}\nextra_args={kwargs}')
-
-
-def send_mail(route_name, receiver, subject, body):
- try:
- context = ssl.create_default_context()
- smtp = smtplib.SMTP_SSL(app.config['SMTP_HOST'], app.config['SMTP_PORT'])
- smtp.login('apikey', app.config['SENDGRID_APIKEY'])
-
- sender = f'{route_name}@{app.config["DOMAIN"]}'
-
- msg = MIMEText(body)
- msg['Subject'] = subject
- msg['From'] = sender
- msg['To'] = receiver
- msg['Date'] = email.utils.formatdate()
-
- smtp.sendmail(sender, receiver, msg.as_string())
- finally:
- smtp.quit()
-
-@app.route('/v1/notify/<route_name>', methods=['POST'])
-def notify(route_name):
- receiver, func, secret = mail_routes[route_name]
- msg_time, scope, kwargs = authenticate(route_name, secret)
-
- if scope == 'default':
- # Exceptions will yield a 500 error
- subject, body = func(**kwargs)
- send_mail(route_name, receiver, subject, body or 'empty message')
-
- elif scope == 'info':
- send_mail(route_name, receiver, f'System info: {kwargs["info_msg"]}', f'Logged data: {kwargs}')
-
- elif scope == 'boot':
- formatted = datetime.utcfromtimestamp(msg_time).isoformat()
- send_mail(route_name, receiver, 'System startup', f'System powered up at {formatted}')
-
- elif scope == 'heartbeat':
- with db as conn:
- conn.execute('INSERT OR REPLACE INTO heartbeats_seen VALUES (?, ?, 0)', (route_name, int(time.time())))
-
- elif scope == 'error':
- print(f'Device error: {kwargs}')
-
- return 'success'
-
-@uwsgidecorators.timer(60)
-def heartbeat_timer(_uwsgi_signum):
- threshold = int(time.time()) - app.config['HEARTBEAT_TIMEOUT']
- with db as conn:
- for route, ts in db.execute(
- 'SELECT route_name, timestamp FROM heartbeats_seen WHERE timestamp <= ? AND notified == 0',
- (threshold,)).fetchall():
- print(f'Heartbeat expired for {route}: {ts} < {threshold}')
-
- receiver, *_ = mail_routes[route]
- last = datetime.utcfromtimestamp(ts).isoformat()
-
- send_mail(route, receiver, 'Heartbeat timeout', f'Last heartbeat at {last}')
- db.execute('UPDATE heartbeats_seen SET notified = ? WHERE route_name = ?', (int(time.time()), route))
-
-if __name__ == '__main__':
- app.run()
-
diff --git a/gerboweb/deploy/notification_proxy_config.py.j2 b/gerboweb/deploy/notification_proxy_config.py.j2
deleted file mode 100644
index 2ecf571..0000000
--- a/gerboweb/deploy/notification_proxy_config.py.j2
+++ /dev/null
@@ -1,9 +0,0 @@
-
-SENDGRID_APIKEY = '{{lookup('file', 'notification_proxy_sendgrid_apikey.txt')}}'
-DOMAIN = 'automation.jaseg.de'
-SMTP_HOST = "smtp.sendgrid.net"
-SMTP_PORT = 465
-HEARTBEAT_TIMEOUT = 300
-SQLITE_DB = '{{notification_proxy_sqlite_dbfile}}'
-
-SECRET_KLINGEL = '{{lookup('password', 'notification_proxy_klingel_secret.txt length=32')}}'
diff --git a/gerboweb/deploy/nsd.conf b/gerboweb/deploy/nsd.conf
deleted file mode 100644
index d4b577f..0000000
--- a/gerboweb/deploy/nsd.conf
+++ /dev/null
@@ -1,372 +0,0 @@
-#
-# nsd.conf -- the NSD(8) configuration file, nsd.conf(5).
-#
-# Copyright (c) 2001-2011, NLnet Labs. All rights reserved.
-#
-# See LICENSE for the license.
-#
-
-# This is a comment.
-# Sample configuration file
-# include: "file" # include that file's text over here. Globbed, "*.conf"
-
-# options for the nsd server
-server:
- # Number of NSD servers to fork. Put the number of CPUs to use here.
- server-count: 1
-
- # uncomment to specify specific interfaces to bind (default are the
- # wildcard interfaces 0.0.0.0 and ::0).
- # For servers with multiple IP addresses, list them one by one,
- # or the source address of replies could be wrong.
- # Use ip-transparent to be able to list addresses that turn on later.
- # ip-address: 1.2.3.4
- # ip-address: 1.2.3.4@5678
- # ip-address: 12fe::8ef0
-
- # Allow binding to non local addresses. Default no.
- # ip-transparent: no
-
- # Allow binding to addresses that are down. Default no.
- # ip-freebind: no
-
- # use the reuseport socket option for performance. Default no.
- reuseport: yes
-
- # override maximum socket send buffer size. Default of 0 results in
- # send buffer size being set to 1048576 (bytes).
- # send-buffer-size: 1048576
-
- # override maximum socket receive buffer size. Default of 0 results in
- # receive buffer size being set to 1048576 (bytes).
- # receive-buffer-size: 1048576
-
- # enable debug mode, does not fork daemon process into the background.
- # debug-mode: no
-
- # listen on IPv4 connections
- # do-ip4: yes
-
- # listen on IPv6 connections
- # do-ip6: yes
-
- # port to answer queries on. default is 53.
- # port: 53
-
- # Verbosity level.
- # verbosity: 0
-
- # After binding socket, drop user privileges.
- # can be a username, id or id.gid.
- # username: nsd
-
- # Run NSD in a chroot-jail.
- # make sure to have pidfile and database reachable from there.
- # by default, no chroot-jail is used.
- # chroot: "/etc/nsd"
-
- # The directory for zonefile: files. The daemon chdirs here.
- zonesdir: "/etc/nsd"
-
- # the list of dynamically added zones.
- # zonelistfile: "/var/lib/nsd/zone.list"
-
- # the database to use
- # if set to "" then no disk-database is used, less memory usage.
- database: ""
-
- # log messages to file. Default to stderr and syslog (with
- # facility LOG_DAEMON). stderr disappears when daemon goes to bg.
- # logfile: "/var/log/nsd.log"
-
- # File to store pid for nsd in.
- # pidfile: "/run/nsd/nsd.pid"
-
- # The file where secondary zone refresh and expire timeouts are kept.
- # If you delete this file, all secondary zones are forced to be
- # 'refreshing' (as if nsd got a notify). Set to "" to disable.
- # xfrdfile: "/var/lib/nsd/ixfr.state"
-
- # The directory where zone transfers are stored, in a subdir of it.
- # xfrdir: "/tmp"
-
- # don't answer VERSION.BIND and VERSION.SERVER CHAOS class queries
- hide-version: yes
-
- # don't answer HOSTNAME.BIND and ID.SERVER CHAOS class queries
- hide-identity: yes
-
- # version string the server responds with for chaos queries.
- # default is 'NSD x.y.z' with the server's version number.
- # version: "NSD"
-
- # identify the server (CH TXT ID.SERVER entry).
- # identity: "unidentified server"
-
- # NSID identity (hex string, or "ascii_somestring"). default disabled.
- # nsid: "aabbccdd"
-
- # Maximum number of concurrent TCP connections per server.
- # tcp-count: 100
-
- # Accept (and immediately close) TCP connections after maximum number
- # of connections is reached to prevent kernel connection queue from
- # growing.
- # tcp-reject-overflow: no
-
- # Maximum number of queries served on a single TCP connection.
- # By default 0, which means no maximum.
- # tcp-query-count: 0
-
- # Override the default (120 seconds) TCP timeout.
- # tcp-timeout: 120
-
- # Maximum segment size (MSS) of TCP socket on which the server
- # responds to queries. Default is 0, system default MSS.
- # tcp-mss: 0
-
- # Maximum segment size (MSS) of TCP socket for outgoing AXFR request.
- # Default is 0, system default MSS.
- # outgoing-tcp-mss: 0
-
- # Preferred EDNS buffer size for IPv4.
- # ipv4-edns-size: 4096
-
- # Preferred EDNS buffer size for IPv6.
- # ipv6-edns-size: 4096
-
- # statistics are produced every number of seconds. Prints to log.
- # Default is 0, meaning no statistics are produced.
- # statistics: 3600
-
- # Number of seconds between reloads triggered by xfrd.
- # xfrd-reload-timeout: 1
-
- # log timestamp in ascii (y-m-d h:m:s.msec), yes is default.
- # log-time-ascii: yes
-
- # round robin rotation of records in the answer.
- round-robin: yes
-
- # minimal-responses only emits extra data for referrals.
- minimal-responses: yes
-
- # Do not return additional information if the apex zone of the
- # additional information is configured but does not match the apex zone
- # of the initial query.
- # confine-to-zone: no
-
- # refuse queries of type ANY. For stopping floods.
- refuse-any: yes
-
- # check mtime of all zone files on start and sighup
- # zonefiles-check: yes
-
- # write changed zonefiles to disk, every N seconds.
- # default is 0(disabled) or 3600(if database is "").
- # zonefiles-write: 3600
-
- # RRLconfig
- # Response Rate Limiting, size of the hashtable. Default 1000000.
- # rrl-size: 1000000
-
- # Response Rate Limiting, maximum QPS allowed (from one query source).
- # If set to 0, ratelimiting is disabled. Also set
- # rrl-whitelist-ratelimit to 0 to disable ratelimit processing.
- # Default is on.
- # rrl-ratelimit: 200
-
- # Response Rate Limiting, number of packets to discard before
- # sending a SLIP response (a truncated one, allowing an honest
- # resolver to retry with TCP). Default is 2 (one half of the
- # queries will receive a SLIP response, 0 disables SLIP (all
- # packets are discarded), 1 means every request will get a
- # SLIP response. When the ratelimit is hit the traffic is
- # divided by the rrl-slip value.
- # rrl-slip: 2
-
- # Response Rate Limiting, IPv4 prefix length. Addresses are
- # grouped by netblock.
- # rrl-ipv4-prefix-length: 24
-
- # Response Rate Limiting, IPv6 prefix length. Addresses are
- # grouped by netblock.
- # rrl-ipv6-prefix-length: 64
-
- # Response Rate Limiting, maximum QPS allowed (from one query source)
- # for whitelisted types. Default is on.
- # rrl-whitelist-ratelimit: 2000
- # RRLend
-
- # Optional local server config
- include: "/etc/nsd/server.d/*.conf"
-
-# Include optional local configs.
-include: "/etc/nsd/conf.d/*.conf"
-
-# Fedora: DNSTAP not yet enabled
-# dnstap:
- # set this to yes and set one or more of dnstap-log-..-messages to yes.
- # dnstap-enable: no
- # dnstap-socket-path: "/var/run/dnstap.sock"
- # dnstap-send-identity: no
- # dnstap-send-version: no
- # dnstap-identity: ""
- # dnstap-version: ""
- # dnstap-log-auth-query-messages: no
- # dnstap-log-auth-response-messages: no
-
- # Service clients over TLS (on the TCP sockets), with plain DNS inside
- # the TLS stream. Give the certificate to use and private key.
- # Default is "" (disabled). Requires restart to take effect.
- # tls-service-key: "path/to/privatekeyfile.key"
- # tls-service-pem: "path/to/publiccertfile.pem"
- # tls-service-ocsp: "path/to/ocsp.pem"
- # tls-port: 853
-
-# Remote control config section.
-remote-control:
- # Enable remote control with nsd-control(8) here.
- # set up the keys and certificates with nsd-control-setup.
- control-enable: yes
-
- # what interfaces are listened to for control, default is on localhost.
- # with an absolute path, a unix local named pipe is used for control
- # (and key and cert files are not needed, use directory permissions).
- # control-interface: 127.0.0.1
- # control-interface: ::1
- control-interface: /run/nsd/nsd.ctl
-
- # port number for remote control operations (uses TLS over TCP).
- # control-port: 8952
-
- # nsd server key file for remote control.
- # server-key-file: "/etc/nsd/nsd_server.key"
-
- # nsd server certificate file for remote control.
- # server-cert-file: "/etc/nsd/nsd_server.pem"
-
- # nsd-control key file.
- # control-key-file: "/etc/nsd/nsd_control.key"
-
- # nsd-control certificate file.
- # control-cert-file: "/etc/nsd/nsd_control.pem"
-
-
-# Secret keys for TSIGs that secure zone transfers.
-# You could include: "secret.keys" and put the 'key:' statements in there,
-# and give that file special access control permissions.
-#
-# key:
- # The key name is sent to the other party, it must be the same
- #name: "keyname"
- # algorithm hmac-md5, or sha1, sha256, sha224, sha384, sha512
- #algorithm: sha256
- # secret material, must be the same as the other party uses.
- # base64 encoded random number.
- # e.g. from dd if=/dev/random of=/dev/stdout count=1 bs=32 | base64
- #secret: "K2tf3TRjvQkVCmJF3/Z9vA=="
-
-
-# Patterns have zone configuration and they are shared by one or more zones.
-#
-# pattern:
- # name by which the pattern is referred to
- #name: "myzones"
- # the zonefile for the zones that use this pattern.
- # if relative then from the zonesdir (inside the chroot).
- # the name is processed: %s - zone name (as appears in zone:name).
- # %1 - first character of zone name, %2 second, %3 third.
- # %z - topleveldomain label of zone, %y, %x next labels in name.
- # if label or character does not exist you get a dot '.'.
- # for example "%s.zone" or "zones/%1/%2/%3/%s" or "secondary/%z/%s"
- #zonefile: "%s.zone"
-
- # If no master and slave access control elements are provided,
- # this zone will not be served to/from other servers.
-
- # A master zone needs notify: and provide-xfr: lists. A slave
- # may also allow zone transfer (for debug or other secondaries).
- # notify these slaves when the master zone changes, address TSIG|NOKEY
- # IP can be ipv4 and ipv6, with @port for a nondefault port number.
- #notify: 192.0.2.1 NOKEY
- # allow these IPs and TSIG to transfer zones, addr TSIG|NOKEY|BLOCKED
- # address range 192.0.2.0/24, 1.2.3.4&255.255.0.0, 3.0.2.20-3.0.2.40
- #provide-xfr: 192.0.2.0/24 my_tsig_key_name
- # set the number of retries for notify.
- #notify-retry: 5
-
- # uncomment to provide AXFR to all the world
- # provide-xfr: 0.0.0.0/0 NOKEY
- # provide-xfr: ::0/0 NOKEY
-
- # A slave zone needs allow-notify: and request-xfr: lists.
- #allow-notify: 2001:db8::0/64 my_tsig_key_name
- # By default, a slave will request a zone transfer with IXFR/TCP.
- # If you want to make use of IXFR/UDP use: UDP addr tsigkey
- # for a master that only speaks AXFR (like NSD) use AXFR addr tsigkey
- #request-xfr: 192.0.2.2 the_tsig_key_name
- # Attention: You cannot use UDP and AXFR together. AXFR is always over
- # TCP. If you use UDP, we higly recommend you to deploy TSIG.
- # Allow AXFR fallback if the master does not support IXFR. Default
- # is yes.
- #allow-axfr-fallback: yes
- # set local interface for sending zone transfer requests.
- # default is let the OS choose.
- #outgoing-interface: 10.0.0.10
- # limit the refresh and retry interval in seconds.
- #max-refresh-time: 2419200
- #min-refresh-time: 0
- #max-retry-time: 1209600
- #min-retry-time: 0
-
- # Slave server tries zone transfer to all masters and picks highest
- # zone version available, for when masters have different versions.
- #multi-master-check: no
-
- # limit the zone transfer size (in bytes), stops very large transfers
- # 0 is no limits enforced.
- # size-limit-xfr: 0
-
- # if compiled with --enable-zone-stats, give name of stat block for
- # this zone (or group of zones). Output from nsd-control stats.
- # zonestats: "%s"
-
- # if you give another pattern name here, at this point the settings
- # from that pattern are inserted into this one (as if it were a
- # macro). The statement can be given in between other statements,
- # because the order of access control elements can make a difference
- # (which master to request from first, which slave to notify first).
- #include-pattern: "common-masters"
-
-
-# Fixed zone entries. Here you can config zones that cannot be deleted.
-# Zones that are dynamically added and deleted are put in the zonelist file.
-#
-# zone:
- # name: "example.com"
- # you can give a pattern here, all the settings from that pattern
- # are then inserted at this point
- # include-pattern: "master"
- # You can also specify (additional) options directly for this zone.
- # zonefile: "example.com.zone"
- # request-xfr: 192.0.2.1 example.com.key
-
- # RRLconfig
- # Response Rate Limiting, whitelist types
- # rrl-whitelist: nxdomain
- # rrl-whitelist: error
- # rrl-whitelist: referral
- # rrl-whitelist: any
- # rrl-whitelist: rrsig
- # rrl-whitelist: wildcard
- # rrl-whitelist: nodata
- # rrl-whitelist: dnskey
- # rrl-whitelist: positive
- # rrl-whitelist: all
- # RRLend
-
-zone:
- name: "dyn.jaseg.de"
- zonefile: "/var/lib/dyndns/dyn.jaseg.de.zone"
-
diff --git a/gerboweb/deploy/playbook.yml b/gerboweb/deploy/playbook.yml
deleted file mode 100644
index a34e8fe..0000000
--- a/gerboweb/deploy/playbook.yml
+++ /dev/null
@@ -1,166 +0,0 @@
-- name: DNS setup
- hosts: localhost
- tags: dns
- module_defaults:
- inwx:
- username: "{{lookup('ini', 'user section=inwx file=credentials.ini')}}"
- password: "{{lookup('ini', 'pass section=inwx file=credentials.ini')}}"
- vars:
- subdomains:
- - git.jaseg.net
- - git.jaseg.de
- - blog.jaseg.net
- - blog.jaseg.de
- - kochbuch.jaseg.net
- - gerbolyze.jaseg.net
- - tracespace.jaseg.net
- - openjscad.jaseg.net
- - pogojig.jaseg.net
- - automation.jaseg.de
- - dyndns.jaseg.de
- fastmail_domains:
- - jaseg.net
- - jaseg.de
- tasks:
- - name: Gather wendelstein facts
- setup:
- delegate_to: wendelstein
- delegate_facts: True
-
- - name: Setup DNS
- include_tasks: dns.yml
-
-
-- name: Wendelstein setup
- hosts: wendelstein
- tasks:
- - name: Set hostname
- tags: setup
- hostname:
- name: wendelstein.jaseg.net
-
- - name: Install common admin tools
- tags: setup
- dnf:
- name: htop,tmux,fish,mosh,neovim,sqlite
- state: latest
-
- - name: Install host requisites
- tags: setup
- dnf:
- name: nginx,uwsgi,python3-flask,python3-flask-wtf,uwsgi-plugin-python3,certbot,python3-certbot-nginx,python3-libselinux,git,iptables-services,python3-pycryptodomex,zip,python3-uwsgidecorators,nsd
- state: latest
-
- - name: Disable password-based root login
- tags: setup
- lineinfile:
- path: /etc/ssh/sshd_config
- regexp: '^PermitRootLogin'
- line: 'PermitRootLogin without-password'
- register: disable_root_pw_ssh
-
- - name: Restart sshd
- tags: setup
- systemd:
- name: sshd
- state: restarted
- when: disable_root_pw_ssh is changed
-
- - name: Configure iptables firewall service
- tags: setup
- copy:
- src: iptables.rules
- dest: /etc/sysconfig/iptables
- owner: root
- group: root
- mode: 0664
-
- - name: Enable iptables firewall service
- tags: setup
- systemd:
- name: iptables
- enabled: yes
- state: started
-
- - name: Create containers
- tags: setup
- include_tasks:
- file: setup_containers.yml
- apply:
- tags: setup
- vars:
- containers:
- - gerboweb
- - clippy
- - pogojig
-
- - name: Setup web server
- tags: www
- include_tasks:
- file: setup_webserver.yml
- apply:
- tags: www
-
- - name: Setup gerboweb
- tags: gerboweb
- include_tasks:
- file: setup_gerboweb.yml
- apply:
- tags: gerboweb
-
- - name: Setup clippy
- tags: clippy
- include_tasks:
- file: setup_clippy.yml
- apply:
- tags: clippy
-
- - name: Setup secure download
- tags: secure-download
- include_tasks:
- file: setup_secure_download.yml
- apply:
- tags: secure-download
-
- - name: Setup tracespace
- tags: pogojig
- include_tasks:
- file: setup_tracespace.yml
- apply:
- tags: pogojig
-
- - name: Setup openjscad
- tags: pogojig
- include_tasks:
- file: setup_openjscad.yml
- apply:
- tags: pogojig
-
- - name: Setup pogojig
- tags: pogojig
- include_tasks:
- file: setup_pogojig.yml
- apply:
- tags: pogojig
-
- - name: Setup notification proxy
- tags: notification-proxy
- include_tasks:
- file: setup_notification_proxy.yml
- apply:
- tags:
- notification-proxy
-
- - name: Setup semi-public git server
- tags: git
- include_tasks:
- file: setup_git.yml
- apply:
- tags: git
-
- - name: Setup private DynDNS service
- tags: dyndns
- include_tasks:
- file: setup_dyndns.yml
- apply:
- tags: dyndns
diff --git a/gerboweb/deploy/pogojig-job-processor.service.j2 b/gerboweb/deploy/pogojig-job-processor.service.j2
deleted file mode 100644
index 5ca9a8b..0000000
--- a/gerboweb/deploy/pogojig-job-processor.service.j2
+++ /dev/null
@@ -1,9 +0,0 @@
-[Unit]
-Description=Pogojig render job processor
-
-[Service]
-WorkingDirectory=/var/lib/pogojig
-ExecStart=/usr/bin/python3 job_processor.py {{pogojig_cache}}/job_queue.sqlite3
-
-[Install]
-WantedBy=uwsgi-app@pogojig.service
diff --git a/gerboweb/deploy/pogojig.cfg.j2 b/gerboweb/deploy/pogojig.cfg.j2
deleted file mode 100644
index 3dd7160..0000000
--- a/gerboweb/deploy/pogojig.cfg.j2
+++ /dev/null
@@ -1,4 +0,0 @@
-MAX_CONTENT_LENGTH=10000000
-SECRET_KEY="{{lookup('password', 'pogojig_flask_secret.txt length=32')}}"
-UPLOAD_PATH="{{pogojig_cache}}/upload"
-JOB_QUEUE_DB="{{pogojig_cache}}/job_queue.sqlite3"
diff --git a/gerboweb/deploy/pogojig_generate.sh.j2 b/gerboweb/deploy/pogojig_generate.sh.j2
deleted file mode 100755
index c1cc023..0000000
--- a/gerboweb/deploy/pogojig_generate.sh.j2
+++ /dev/null
@@ -1,25 +0,0 @@
-#!/bin/sh
-
-[ $# != 1 ] && exit 1
-ID=$1
-egrep -x -q '^[-0-9A-Za-z]{36}$'<<<"$ID" || exit 2
-
-systemd-nspawn \
- -D {{pogojig_root}} \
- -x --bind={{pogojig_cache}}/upload/$ID:/mnt \
- /bin/sh -c "set -euo pipefail
-cd /mnt
-
-date; echo 'Cleaning up previous output'
-rm -rf pcb_shape.dxf jig.stl kicad kicad.zip sources.zip
-
-date; echo 'Rendering'
-cp -r /var/lib/pogojig_renderer sources
-cp input.svg sources/
-make -C sources
-
-date; echo 'Packing source bundle'
-cp -r sources/out/pcb_shape.dxf sources/out/jig.stl sources/out/kicad ./
-zip -r sources.zip sources
-zip -r kicad.zip kicad
-rm -rf sources"
diff --git a/gerboweb/deploy/render.sh.j2 b/gerboweb/deploy/render.sh.j2
deleted file mode 100755
index ceb837d..0000000
--- a/gerboweb/deploy/render.sh.j2
+++ /dev/null
@@ -1,20 +0,0 @@
-#!/bin/sh
-
-[ $# != 1 ] && exit 1
-ID=$1
-egrep -x -q '^[-0-9A-Za-z]{36}$'<<<"$ID" || exit 2
-
-systemd-nspawn \
- -D {{gerboweb_root}} \
- -x --bind={{gerboweb_cache}}/upload/$ID:/mnt \
- /bin/sh -c "set -euo pipefail
-unzip -j -d /tmp/gerber /mnt/gerber.zip
-rm -f /mnt/render_top.png /mnt/render_bottom.png /mnt/render_top.small.png /mnt/render_bottom.small.png
-date; echo 'Rendering bottom layer'
-gerbolyze render top /tmp/gerber /mnt/render_top.png
-date; echo 'Scaling down'
-convert /mnt/render_top.png -resize 500x500 -negate -brightness-contrast 30x30 -colorspace gray /mnt/render_top.small.png
-date; echo 'Rendering top layer'
-gerbolyze render bottom /tmp/gerber /mnt/render_bottom.png
-date; echo 'Scaling down'
-convert /mnt/render_bottom.png -resize 500x500 -negate -brightness-contrast 30x30 -colorspace gray /mnt/render_bottom.small.png"
diff --git a/gerboweb/deploy/secure_download.cfg.j2 b/gerboweb/deploy/secure_download.cfg.j2
deleted file mode 100644
index 36d86c1..0000000
--- a/gerboweb/deploy/secure_download.cfg.j2
+++ /dev/null
@@ -1 +0,0 @@
-SERVE_PATH="{{secure_download_dir}}"
diff --git a/gerboweb/deploy/setup_clippy.yml b/gerboweb/deploy/setup_clippy.yml
deleted file mode 100644
index 26142b6..0000000
--- a/gerboweb/deploy/setup_clippy.yml
+++ /dev/null
@@ -1,85 +0,0 @@
----
-- name: Clone pixelterm git
- git:
- repo: https://github.com/jaseg/pixelterm
- dest: "{{clippy_root}}/var/lib/pixelterm.git"
-
-- name: Clone clippy git
- git:
- repo: https://github.com/jaseg/clippy
- dest: "{{clippy_root}}/var/lib/clippy.git"
-
-- name: Setup required packages for clippy
- command: arch-chroot "{{clippy_root}}" pacman -Syu --noconfirm python3 python-pip python-numpy python-pillow
-
-- name: Setup pixelterm
- command: arch-chroot "{{clippy_root}}" sh -c "cd /var/lib/pixelterm.git && python3 setup.py install"
-
-- name: Setup container clippy systemd service file
- template:
- src: clippy.service.j2
- dest: "{{clippy_root}}/etc/systemd/system/clippy.service"
- owner: root
- group: root
- mode: 0664
-
-- name: Enable systemd machines target
- systemd:
- name: machines.target
- enabled: yes
-
-- name: Copy over clippy container auto boot service file
- copy:
- src: clippy-nspawn.service
- dest: /etc/systemd/system/clippy-nspawn.service
- owner: root
- group: root
- mode: 0664
-
-- name: Create systemd-nspawn config dir
- file:
- path: /etc/systemd/nspawn
- state: directory
- owner: root
- group: root
- mode: 0775
-
-- name: Copy over clippy container config
- copy:
- src: clippy.nspawn
- dest: /etc/systemd/nspawn/clippy.nspawn
- owner: root
- group: root
- mode: 0664
-
-- name: Enable clippy container auto boot
- systemd:
- daemon-reload: yes
- name: clippy-nspawn.service
- enabled: yes
-
-- name: Restart clippy container
- shell: |
- systemctl stop clippy-nspawn
- sleep 1
- systemctl start clippy-nspawn
- for x in $(seq 0 30); do
- systemctl -M clippy is-system-running && exit
- sleep 1
- done
-
-- name: Enable clippy systemd service in container
- command: systemctl enable -M clippy clippy.service
-
-- name: Restart clippy systemd service in container
- command: systemctl restart -M clippy clippy.service
-
-#- name: Enable host networkd
-# systemd:
-# name: systemd-networkd
-# enabled: yes
-# state: started
-
-#- name: Enable clippy container networkd
-# command: systemctl enable -M clippy systemd-networkd
-
diff --git a/gerboweb/deploy/setup_containers.yml b/gerboweb/deploy/setup_containers.yml
deleted file mode 100644
index 8adb9da..0000000
--- a/gerboweb/deploy/setup_containers.yml
+++ /dev/null
@@ -1,17 +0,0 @@
----
-- name: Install host requisites
- dnf:
- name: btrfs-progs,arch-install-scripts,systemd-container,python3-libselinux
- state: latest
-
-- name: Create individual containers
- include_tasks: bootstrap_arch_container.yml
- with_items: "{{ containers }}"
- loop_control:
- loop_var: container
-
-- name: Cleanup bootstrap image
- file:
- path: /tmp/arch-bootstrap.tar.xz
- state: absent
-
diff --git a/gerboweb/deploy/setup_dyndns.yml b/gerboweb/deploy/setup_dyndns.yml
deleted file mode 100644
index d9735c7..0000000
--- a/gerboweb/deploy/setup_dyndns.yml
+++ /dev/null
@@ -1,80 +0,0 @@
----
-- name: Set local facts
- set_fact:
- dyndns_sqlite_dbfile: /var/lib/dyndns/db.sqlite3
-
-- name: Copy nsd config
- copy:
- src: nsd.conf
- dest: /etc/nsd/nsd.conf
- owner: root
- group: root
- mode: 0644
-
-- name: Enable and launch nsd systemd service
- systemd:
- name: nsd.service
- enabled: yes
- state: restarted
-
-- name: Create dyndns worker user and group
- user:
- name: uwsgi-dyndns
- create_home: no
- group: uwsgi
- password: '!'
- shell: /sbin/nologin
- system: yes
-
-- name: Allow dyndns app to kick nsd
- lineinfile:
- path: /etc/sudoers
- line: 'uwsgi-dyndns ALL=(nsd) NOPASSWD: /usr/sbin/nsd-control reload dyn.jaseg.de'
-
-- name: Create webapp dir
- file:
- path: /var/lib/dyndns
- state: directory
- owner: uwsgi-dyndns
- group: nsd
- mode: 0750
-
-- name: Copy webapp sources
- copy:
- src: dyndns.py
- dest: /var/lib/dyndns/
- owner: uwsgi-dyndns
- group: uwsgi
- mode: 0440
-
-- name: Template webapp config
- template:
- src: dyndns_config.py.j2
- dest: /var/lib/dyndns/config.py
- owner: uwsgi-dyndns
- group: root
- mode: 0660
-
-- name: Copy uwsgi config
- copy:
- src: uwsgi-dyndns.ini
- dest: /etc/uwsgi.d/dyndns.ini
- owner: uwsgi-dyndns
- group: uwsgi
- mode: 0440
-
-- name: Enable uwsgi systemd socket
- systemd:
- daemon-reload: yes
- name: uwsgi-app@dyndns.socket
- enabled: yes
-
-- name: Create sqlite db file
- file:
- path: "{{dyndns_sqlite_dbfile}}"
- owner: uwsgi-dyndns
- group: uwsgi
- mode: 0660
- state: touch
-
-
diff --git a/gerboweb/deploy/setup_gerboweb.yml b/gerboweb/deploy/setup_gerboweb.yml
deleted file mode 100644
index 6a20eed..0000000
--- a/gerboweb/deploy/setup_gerboweb.yml
+++ /dev/null
@@ -1,100 +0,0 @@
----
-- name: Set local facts
- set_fact:
- gerboweb_cache: /var/cache/gerboweb
-
-- name: Copy render script
- template:
- src: render.sh.j2
- dest: /usr/local/sbin/gerbolyze_render.sh
- mode: ug+x
-
-- name: Copy vector script
- template:
- src: vector.sh.j2
- dest: /usr/local/sbin/gerbolyze_vector.sh
- mode: ug+x
-
-- name: Install packages into gerbolyze container
- shell: arch-chroot "{{gerboweb_root}}" pacman -Syu --noconfirm python3 opencv hdf5 gtk3 python-numpy python-pip imagemagick unzip zip
-
-- name: Workaround for cairoffi problem
- shell: arch-chroot "{{gerboweb_root}}" pip install -U --upgrade-strategy=eager wheel
-
- # TODO maybe install directly from local git checkout?
-- name: Install gerbolyze
- shell: arch-chroot "{{gerboweb_root}}" pip install -U --upgrade-strategy=eager gerbolyze
-
-- name: Copy webapp sources
- synchronize:
- # FIXME: make this path configurable
- src: ~/gerbolyze/gerboweb/
- dest: /var/lib/gerboweb/
- rsync_opts:
- - "--exclude=/deploy"
- group: no
- owner: no
-
-- name: Create uwsgi worker user and group
- user:
- name: uwsgi-gerboweb
- create_home: no
- group: uwsgi
- password: '!'
- shell: /sbin/nologin
- system: yes
-
-- name: Template webapp config
- template:
- src: gerboweb.cfg.j2
- dest: /var/lib/gerboweb/gerboweb_prod.cfg
- owner: uwsgi-gerboweb
- group: root
- mode: 0660
-
-- name: Copy uwsgi config
- copy:
- src: uwsgi-gerboweb.ini
- dest: /etc/uwsgi.d/gerboweb.ini
- owner: uwsgi-gerboweb
- group: uwsgi
- mode: 0440
-
-- name: Copy job processor systemd service config
- template:
- src: gerboweb-job-processor.service.j2
- dest: /etc/systemd/system/gerboweb-job-processor.service
-
-- name: Enable uwsgi systemd socket
- systemd:
- daemon-reload: yes
- name: uwsgi-app@gerboweb.socket
- enabled: yes
-
-- name: Copy gerboweb cache dir tmpfiles.d config
- template:
- src: tmpfiles-gerboweb.conf.j2
- dest: /etc/tmpfiles.d/gerboweb.conf
- owner: root
- group: root
- mode: 0644
- register: tmpfiles_config
-
-- name: Kick systemd tmpfiles service to create cache dir
- command: systemd-tmpfiles --create
- when: tmpfiles_config is changed
-
-- name: Create job queue db
- file:
- path: "{{gerboweb_cache}}/job_queue.sqlite3"
- owner: root
- group: uwsgi
- mode: 0660
- state: touch
-
-- name: Enable and launch job processor
- systemd:
- name: gerboweb-job-processor.service
- enabled: yes
- state: restarted
-
diff --git a/gerboweb/deploy/setup_git.yml b/gerboweb/deploy/setup_git.yml
deleted file mode 100644
index 2f4c59f..0000000
--- a/gerboweb/deploy/setup_git.yml
+++ /dev/null
@@ -1,134 +0,0 @@
-- name: Install host requisites
- dnf:
- name: cgit,gitolite3,python3-pygments,python3-docutils,nodejs-markdown,python3-markdown
- state: latest
-
-- name: Copy cgit logo
- copy:
- src: cgit-logo.png
- dest: /var/www/git.jaseg.de/cgit.png
-
-- name: Copy cgit favicon
- copy:
- src: cgit-favicon.ico
- dest: /var/www/git.jaseg.de/favicon.ico
-
-- name: Create cgit instance config dir
- file:
- path: /var/lib/cgit
- state: directory
- mode: 0755
-
-- name: Copy cgit rc
- copy:
- src: cgitrc
- dest: /var/lib/cgit/cgitrc-gitolite-public
- mode: 0644
-
-- name: Create uwsgi worker user and group
- user:
- name: uwsgi-cgit
- create_home: no
- group: uwsgi
- password: '!'
- shell: /sbin/nologin
- system: yes
-
-- name: Copy uwsgi config
- copy:
- src: uwsgi-cgit.ini
- dest: /etc/uwsgi.d/cgit.ini
- owner: uwsgi-cgit
- group: uwsgi
- mode: 0440
-
-- name: Enable uwsgi systemd socket
- systemd:
- daemon-reload: yes
- name: uwsgi-app@cgit.socket
- enabled: yes
-
-- name: Check if gitolite ssh config exists
- stat:
- path: /var/lib/gitolite3/.ssh/authorized_keys
- register: gitolite_ssh_keys_stat
-
-- name: Gitolite admin key setup
- block:
- - name: Copy gitolite admin pubkey
- copy:
- src: ~/.ssh/id_ed25519.gitolite.pub
- dest: /tmp/jaseg-gitolite.pub
- owner: gitolite3
- group: gitolite3
-
- - name: Run gitolite initialization
- command: gitolite setup -pk /tmp/jaseg-gitolite.pub
- become: true
- become_method: su
- become_user: gitolite3
- become_flags: '-s /bin/sh'
- args:
- creates: /var/lib/gitolite3/projects.list
-
- - name: Remove leftover admin pubkey
- file:
- state: absent
- path: /tmp/jaseg-gitolite.pub
- when: not gitolite_ssh_keys_stat.stat.exists
-
-- name: Allow uwsgi group to access gitolite repo dir
- file:
- path: /var/lib/gitolite3
- state: directory
- owner: gitolite3
- group: uwsgi
-
-- name: Add cgit uwsgi user to gitolite group
- user:
- name: uwsgi-cgit
- groups: gitolite3
- append: yes
-
-- name: Allow cgit uwsgi user to access gitolite repos
- file:
- path: /var/lib/gitolite3/repositories
- mode: 0750
-
-- name: Allow cgit uwsgi user to gitolite repo list
- file:
- path: /var/lib/gitolite3/projects.list
- mode: 0640
-
-- name: Copy gitolite rc
- copy:
- src: gitolite.rc
- dest: /var/lib/gitolite3/.gitolite.rc
- owner: gitolite3
- group: gitolite3
- mode: 0600
-
-- name: Query system user account info
- getent:
- database: passwd
- key: gitolite3
-
-- name: Create git alias user
- user:
- name: git
- create_home: no
- group: gitolite3
- password: '!'
- comment: Alias for gitolite3 user
- shell: "{{ getent_passwd['gitolite3'][5] }}"
- system: yes
- non_unique: yes
- home: "{{ getent_passwd['gitolite3'][4] }}"
- uid: "{{ getent_passwd['gitolite3'][1] }}"
-
-- name: Hack to fix cgit handling for restructuredtext readmes
- file:
- src: /usr/bin/rst2html
- dest: /usr/bin/rst2html.py
- state: link
-
diff --git a/gerboweb/deploy/setup_notification_proxy.yml b/gerboweb/deploy/setup_notification_proxy.yml
deleted file mode 100644
index b47af05..0000000
--- a/gerboweb/deploy/setup_notification_proxy.yml
+++ /dev/null
@@ -1,61 +0,0 @@
----
-- name: Set local facts
- set_fact:
- notification_proxy_sqlite_dbfile: /var/lib/notification-proxy/db.sqlite3
-
-- name: Create notification proxy worker user and group
- user:
- name: uwsgi-notification-proxy
- create_home: no
- group: uwsgi
- password: '!'
- shell: /sbin/nologin
- system: yes
-
-- name: Create webapp dir
- file:
- path: /var/lib/notification-proxy
- state: directory
- owner: uwsgi-notification-proxy
- group: uwsgi
- mode: 0750
-
-- name: Copy webapp sources
- copy:
- src: notification_proxy.py
- dest: /var/lib/notification-proxy/
- owner: uwsgi-notification-proxy
- group: uwsgi
- mode: 0440
-
-- name: Template webapp config
- template:
- src: notification_proxy_config.py.j2
- dest: /var/lib/notification-proxy/config.py
- owner: uwsgi-notification-proxy
- group: root
- mode: 0660
-
-- name: Copy uwsgi config
- copy:
- src: uwsgi-notification-proxy.ini
- dest: /etc/uwsgi.d/notification-proxy.ini
- owner: uwsgi-notification-proxy
- group: uwsgi
- mode: 0440
-
-- name: Enable uwsgi systemd socket
- systemd:
- daemon-reload: yes
- name: uwsgi-app@notification-proxy.socket
- enabled: yes
-
-- name: Create sqlite db file
- file:
- path: "{{notification_proxy_sqlite_dbfile}}"
- owner: uwsgi-notification-proxy
- group: uwsgi
- mode: 0660
- state: touch
-
-
diff --git a/gerboweb/deploy/setup_openjscad.yml b/gerboweb/deploy/setup_openjscad.yml
deleted file mode 100644
index dea4ad2..0000000
--- a/gerboweb/deploy/setup_openjscad.yml
+++ /dev/null
@@ -1,9 +0,0 @@
----
-- name: Copy openjscad webapp sources
- synchronize:
- # FIXME: make this path configurable
- src: ~/openjscad_dist/
- dest: /var/www/openjscad.jaseg.net/
- group: no
- owner: no
-
diff --git a/gerboweb/deploy/setup_pogojig.yml b/gerboweb/deploy/setup_pogojig.yml
deleted file mode 100644
index cf49fbe..0000000
--- a/gerboweb/deploy/setup_pogojig.yml
+++ /dev/null
@@ -1,125 +0,0 @@
----
-- name: Set local facts
- set_fact:
- pogojig_cache: /var/cache/pogojig
-
-- name: Copy render script
- template:
- src: pogojig_generate.sh.j2
- dest: /usr/local/sbin/pogojig_generate.sh
- mode: ug+x
-
-- name: Install packages into pogojig container
- shell: arch-chroot "{{pogojig_root}}" pacman -Syu --noconfirm python3 python-pip imagemagick unzip zip openscad inkscape make python-lxml xorg-server-xvfb
-
-- name: Install python dependencies into pogojig container
- shell: arch-chroot "{{pogojig_root}}" pip install -U --upgrade-strategy=eager ezdxf xvfbwrapper
-
-- name: Install pogojig
- synchronize:
- # FIXME: make this path configurable
- src: checkouts/pogojig/renderer/
- dest: "{{pogojig_root}}/var/lib/pogojig_renderer"
- group: no
-
-- name: Copy webapp sources
- synchronize:
- # FIXME: make this path configurable
- src: checkouts/pogojig/webapp/
- dest: /var/lib/pogojig
- delete: true
- group: no
- owner: no
-
-- name: Pack makefile template zip
- archive:
- path: "{{pogojig_root}}/var/lib/pogojig_renderer"
- dest: /var/lib/pogojig/static/pogojig_makefile_template.zip
- format: zip
-
-- name: Create web home for modified tracespace
- file:
- path: /var/lib/pogojig/pogospace
- state: directory
- owner: nginx
- group: nginx
- mode: 0550
-
-- name: Unpack modified tracespace sources
- unarchive:
- src: resource/pogojig-tracespace.tar.gz
- dest: /var/lib/pogojig/pogospace
- extra_opts: [--strip-components=1]
- owner: nginx
- group: nginx
-
-- name: Create uwsgi worker user and group
- user:
- name: uwsgi-pogojig
- create_home: no
- group: uwsgi
- password: '!'
- shell: /sbin/nologin
- system: yes
-
-- name: Template webapp config
- template:
- src: pogojig.cfg.j2
- dest: /var/lib/pogojig/pogojig_prod.cfg
- owner: uwsgi-pogojig
- group: root
- mode: 0660
-
-- name: Copy uwsgi config
- copy:
- src: uwsgi-pogojig.ini
- dest: /etc/uwsgi.d/pogojig.ini
- owner: uwsgi-pogojig
- group: uwsgi
- mode: 440
-
-- name: Copy job processor systemd service config
- template:
- src: pogojig-job-processor.service.j2
- dest: /etc/systemd/system/pogojig-job-processor.service
-
-- name: Enable uwsgi systemd socket
- systemd:
- daemon-reload: yes
- name: uwsgi-app@pogojig.socket
- enabled: yes
-
-# FIXME the socket doesn't seem to work properly
-- name: Enable uwsgi systemd service
- systemd:
- daemon-reload: yes
- name: uwsgi-app@pogojig.service
- enabled: yes
-
-- name: Copy pogojig cache dir tmpfiles.d config
- template:
- src: tmpfiles-pogojig.conf.j2
- dest: /etc/tmpfiles.d/pogojig.conf
- owner: root
- group: root
- mode: 0644
- register: pogojig_tmpfiles_config
-
-- name: Kick systemd tmpfiles service to create cache dir
- command: systemd-tmpfiles --create
- when: pogojig_tmpfiles_config is changed
-
-- name: Create job queue db
- file:
- path: "{{pogojig_cache}}/job_queue.sqlite3"
- owner: root
- group: uwsgi
- mode: 0660
- state: touch
-
-- name: Enable and launch job processor
- systemd:
- name: pogojig-job-processor.service
- enabled: yes
- state: restarted
-
diff --git a/gerboweb/deploy/setup_secure_download.yml b/gerboweb/deploy/setup_secure_download.yml
deleted file mode 100644
index aa94a53..0000000
--- a/gerboweb/deploy/setup_secure_download.yml
+++ /dev/null
@@ -1,57 +0,0 @@
----
-- name: Set local facts
- set_fact:
- secure_download_dir: /var/cache/secure_download
-
-- name: Copy webapp sources
- synchronize:
- # FIXME: make this path configurable
- src: ~/secure_download/
- dest: /var/lib/secure_download/
- group: no
- owner: no
-
-- name: Create secure download worker user and group
- user:
- name: uwsgi-secure-download
- create_home: no
- group: uwsgi
- password: '!'
- shell: /sbin/nologin
- system: yes
-
-- name: Template webapp config
- template:
- src: secure_download.cfg.j2
- dest: /var/lib/secure_download/secure_download_prod.cfg
- owner: uwsgi-secure-download
- group: root
- mode: 0660
-
-- name: Copy uwsgi config
- copy:
- src: uwsgi-secure-download.ini
- dest: /etc/uwsgi.d/secure-download.ini
- owner: uwsgi-secure-download
- group: uwsgi
- mode: 440
-
-- name: Enable uwsgi systemd socket
- systemd:
- daemon-reload: yes
- name: uwsgi-app@secure-download.socket
- enabled: yes
-
-- name: Copy server dir tmpfiles.d config
- template:
- src: tmpfiles-secure-download.conf.j2
- dest: /etc/tmpfiles.d/secure-download.conf
- owner: root
- group: root
- mode: 0644
- register: sec_dl_tmpfiles_config
-
-- name: Kick systemd tmpfiles service to create serve dir
- command: systemd-tmpfiles --create
- when: sec_dl_tmpfiles_config is changed
-
diff --git a/gerboweb/deploy/setup_tracespace.yml b/gerboweb/deploy/setup_tracespace.yml
deleted file mode 100644
index 2975967..0000000
--- a/gerboweb/deploy/setup_tracespace.yml
+++ /dev/null
@@ -1,9 +0,0 @@
----
-- name: Copy tracespace webapp sources
- synchronize:
- # FIXME: make this path configurable
- src: ~/tracespace_dist/
- dest: /var/www/tracespace.jaseg.net/
- group: no
- owner: no
-
diff --git a/gerboweb/deploy/setup_webserver.yml b/gerboweb/deploy/setup_webserver.yml
deleted file mode 100644
index 4711ad0..0000000
--- a/gerboweb/deploy/setup_webserver.yml
+++ /dev/null
@@ -1,79 +0,0 @@
-- name: Copy first stage nginx config
- copy:
- src: nginx_nossl.conf
- dest: /etc/nginx/nginx.conf
-
-- name: Add nginx user to uwsgi group for access to uwsgi socket
- user:
- name: nginx
- groups: uwsgi
- append: yes
-
-- name: Create subdomain content dirs
- file:
- path: /var/www/{{item}}
- state: directory
- owner: nginx
- group: nginx
- mode: 0550
- loop:
- - git.jaseg.de
- - blog.jaseg.de
- - kochbuch.jaseg.net
- - tracespace.jaseg.net
- - openjscad.jaseg.net
- - automation.jaseg.de
-
-- name: Copy uwsgi systemd socket config
- copy:
- src: uwsgi-app@.socket
- dest: /etc/systemd/system/
-
-- name: Copy uwsgi systemd service config
- copy:
- src: uwsgi-app@.service
- dest: /etc/systemd/system/
-
-- name: Set SELinux to permissive mode # FIXME this is to let nginx talk to uwsgi
- selinux:
- state: permissive
- policy: targeted
-
-- name: Enable and launch nginx systemd service
- systemd:
- name: nginx.service
- enabled: yes
- state: restarted
-
-- name: Create subdomain letsencrypt certificates
- command: certbot --nginx certonly -d {{item}} -n --agree-tos --email {{item}}-letsencrypt@jaseg.de
- args:
- creates: /etc/letsencrypt/live/{{item}}/fullchain.pem
- loop:
- - git.jaseg.net
- - git.jaseg.de
- - blog.jaseg.net
- - blog.jaseg.de
- - kochbuch.jaseg.net
- - gerbolyze.jaseg.net
- - tracespace.jaseg.net
- - openjscad.jaseg.net
- - pogojig.jaseg.net
- - automation.jaseg.de
- - dyndns.jaseg.de
-
-- name: Copy final nginx config
- copy:
- src: nginx.conf
- dest: /etc/nginx/nginx.conf
-
-- name: Restart nginx to load new cert
- systemd:
- name: nginx.service
- state: restarted
-
-- name: Enable certbot renewal timer
- systemd:
- name: certbot-renew.timer
- enabled: yes
-
diff --git a/gerboweb/deploy/tmpfiles-gerboweb.conf.j2 b/gerboweb/deploy/tmpfiles-gerboweb.conf.j2
deleted file mode 100644
index 18469b7..0000000
--- a/gerboweb/deploy/tmpfiles-gerboweb.conf.j2
+++ /dev/null
@@ -1 +0,0 @@
-d {{gerboweb_cache}} 770 uwsgi-gerboweb uwsgi 2d
diff --git a/gerboweb/deploy/tmpfiles-pogojig.conf.j2 b/gerboweb/deploy/tmpfiles-pogojig.conf.j2
deleted file mode 100644
index 4e9fef1..0000000
--- a/gerboweb/deploy/tmpfiles-pogojig.conf.j2
+++ /dev/null
@@ -1 +0,0 @@
-d {{pogojig_cache}} 770 uwsgi-pogojig uwsgi 2d
diff --git a/gerboweb/deploy/tmpfiles-secure-download.conf.j2 b/gerboweb/deploy/tmpfiles-secure-download.conf.j2
deleted file mode 100644
index 84d7add..0000000
--- a/gerboweb/deploy/tmpfiles-secure-download.conf.j2
+++ /dev/null
@@ -1 +0,0 @@
-d {{secure_download_dir}} 770 uwsgi-download uwsgi 45d
diff --git a/gerboweb/deploy/uwsgi-app@.service b/gerboweb/deploy/uwsgi-app@.service
deleted file mode 100644
index bdae8fd..0000000
--- a/gerboweb/deploy/uwsgi-app@.service
+++ /dev/null
@@ -1,16 +0,0 @@
-[Unit]
-Description=%i uWSGI app
-After=syslog.target
-
-[Service]
-ExecStart=/usr/sbin/uwsgi \
- --ini /etc/uwsgi.d/%i.ini \
- --chmod-socket=660 \
- --socket=/run/uwsgi/%i.socket
-User=uwsgi-%i
-Group=uwsgi
-Restart=on-failure
-KillSignal=SIGQUIT
-Type=notify
-StandardError=syslog
-NotifyAccess=all
diff --git a/gerboweb/deploy/uwsgi-app@.socket b/gerboweb/deploy/uwsgi-app@.socket
deleted file mode 100644
index ae06d71..0000000
--- a/gerboweb/deploy/uwsgi-app@.socket
+++ /dev/null
@@ -1,11 +0,0 @@
-[Unit]
-Description=Socket for uWSGI app %i
-
-[Socket]
-ListenStream=/run/uwsgi/%i.socket
-SocketUser=uwsgi-%i
-SocketGroup=nginx
-SocketMode=0660
-
-[Install]
-WantedBy=sockets.target
diff --git a/gerboweb/deploy/uwsgi-cgit.ini b/gerboweb/deploy/uwsgi-cgit.ini
deleted file mode 100644
index 9a10350..0000000
--- a/gerboweb/deploy/uwsgi-cgit.ini
+++ /dev/null
@@ -1,8 +0,0 @@
-[uwsgi]
-master = True
-plugins = cgi
-chdir = /var/lib/gitolite3
-processes = 1
-threads = 2
-cgi = /var/www/cgi-bin/cgit
-env = CGIT_CONFIG=/var/lib/cgit/cgitrc-gitolite-public
diff --git a/gerboweb/deploy/uwsgi-dyndns.ini b/gerboweb/deploy/uwsgi-dyndns.ini
deleted file mode 100644
index b62e2af..0000000
--- a/gerboweb/deploy/uwsgi-dyndns.ini
+++ /dev/null
@@ -1,10 +0,0 @@
-[uwsgi]
-master = True
-cheap = True
-die-on-idle = False
-manage-script-name = True
-log-format = [pid: %(pid)|app: -|req: -/-] %(addr) (%(user)) {%(vars) vars in %(pktsize) bytes} [%(ctime)] %(method) [URI hidden] => generated %(rsize) bytes in %(msecs) msecs (%(proto) %(status)) %(headers) headers in %(hsize) bytes (%(switches) switches on core %(core))
-plugins = python3
-chdir = /var/lib/dyndns
-mount = /=dyndns:app
-
diff --git a/gerboweb/deploy/uwsgi-gerboweb.ini b/gerboweb/deploy/uwsgi-gerboweb.ini
deleted file mode 100644
index 155d01a..0000000
--- a/gerboweb/deploy/uwsgi-gerboweb.ini
+++ /dev/null
@@ -1,10 +0,0 @@
-[uwsgi]
-master = True
-cheap = True
-die-on-idle = False
-manage-script-name = True
-plugins = python3
-chdir = /var/lib/gerboweb
-mount = /=gerboweb:app
-env = GERBOWEB_SETTINGS=gerboweb_prod.cfg
-
diff --git a/gerboweb/deploy/uwsgi-notification-proxy.ini b/gerboweb/deploy/uwsgi-notification-proxy.ini
deleted file mode 100644
index aab2b5a..0000000
--- a/gerboweb/deploy/uwsgi-notification-proxy.ini
+++ /dev/null
@@ -1,10 +0,0 @@
-[uwsgi]
-master = True
-cheap = True
-die-on-idle = False
-manage-script-name = True
-log-format = [pid: %(pid)|app: -|req: -/-] %(addr) (%(user)) {%(vars) vars in %(pktsize) bytes} [%(ctime)] %(method) [URI hidden] => generated %(rsize) bytes in %(msecs) msecs (%(proto) %(status)) %(headers) headers in %(hsize) bytes (%(switches) switches on core %(core))
-plugins = python3
-chdir = /var/lib/notification-proxy
-mount = /=notification_proxy:app
-
diff --git a/gerboweb/deploy/uwsgi-pogojig.ini b/gerboweb/deploy/uwsgi-pogojig.ini
deleted file mode 100644
index 003702d..0000000
--- a/gerboweb/deploy/uwsgi-pogojig.ini
+++ /dev/null
@@ -1,10 +0,0 @@
-[uwsgi]
-master = True
-cheap = True
-die-on-idle = False
-manage-script-name = True
-plugins = python3
-chdir = /var/lib/pogojig
-mount = /=pogojig:app
-env = POGOJIG_SETTINGS=pogojig_prod.cfg
-
diff --git a/gerboweb/deploy/uwsgi-secure-download.ini b/gerboweb/deploy/uwsgi-secure-download.ini
deleted file mode 100644
index 4a4aa65..0000000
--- a/gerboweb/deploy/uwsgi-secure-download.ini
+++ /dev/null
@@ -1,11 +0,0 @@
-[uwsgi]
-master = True
-cheap = True
-die-on-idle = False
-manage-script-name = True
-log-format = [pid: %(pid)|app: -|req: -/-] %(addr) (%(user)) {%(vars) vars in %(pktsize) bytes} [%(ctime)] %(method) [URI hidden] => generated %(rsize) bytes in %(msecs) msecs (%(proto) %(status)) %(headers) headers in %(hsize) bytes (%(switches) switches on core %(core))
-plugins = python3
-chdir = /var/lib/secure_download
-mount = /=server:app
-env = SECURE_DOWNLOAD_SETTINGS=secure_download_prod.cfg
-
diff --git a/gerboweb/deploy/vector.sh.j2 b/gerboweb/deploy/vector.sh.j2
deleted file mode 100755
index b17116e..0000000
--- a/gerboweb/deploy/vector.sh.j2
+++ /dev/null
@@ -1,18 +0,0 @@
-#!/bin/sh
-
-[ $# != 2 ] && exit 1
-ID=$1
-egrep -x -q '^[-0-9A-Za-z]{36}$'<<<"$ID" || exit 2
-LAYER=$2
-egrep -x -q '^(top|bottom)$'<<<"$LAYER" || exit 2
-
-systemd-nspawn \
- -D {{gerboweb_root}} \
- -x --bind={{gerboweb_cache}}/upload/$ID:/mnt \
- /bin/sh -c "set -euo pipefail
-cd /tmp
-unzip -j -d gerber_in /mnt/gerber.zip
-gerbolyze vectorize $LAYER gerber_in gerber /mnt/overlay.png
-rm -f /mnt/gerber_out.zip
-zip -r /mnt/gerber_out.zip gerber"
-