Reorganization, automation and more

- More templating and inheritance
- New commands
+ rx_replace
+ rx_install
+ rx_cpkgdir
- More transparency with secrets being sourced as variables and replaced
- Modularization of configs
+ telegraf
+ nginx (partial)
+ fastd
+ wireguard
+ unbound
- Split of unbound configurations and bind zones
- Bumping of key versions (rolling keys)
+ ZSK/KSK
+ OpenDKIM
- Relaxed permission defaults
and other smaller tweaks...

.gitignore

@@ -1,14 +1,14 @@
 src/
 pkg/
-secrets
 .rootbld-repositories
-secret/nginx-httpauth
+
+secret/alpinepkg-httpauth/secret
 secret/letsencrypt/private.key
-secret/letsencrypt/public.pem
-config/murmur/murmur.ini
-config/transmission-daemon/settings.json
-config/wireguard/main.conf
-config/grafana/main.ini
-config/dovecot/pgsql.conf
-config/postfix/pgsql-aliases.cf
-config/postfix/pgsql-users.cf
+
+config/grafana/secret
+config/wireguard/secret
+config/murmur/secret
+config/dovecot/secret
+config/postfix/secret
+config/transmission/secret
+config/gitea/secret

APKBUILD.template

@@ -0,0 +1,48 @@
+pkgname=redxen                              # Prefix
+pkgver="$(date +'%Y.%m.%d')"                # Use current date as fallback
+url="https://git.redxen.eu/RedXen/aports"   # Upstream for all configs
+arch="noarch"                               # Most things aren't arch specific
+license="none"                              # Can you even license configs?
+options="!check"                            # Usually software doesn't provide tests
+builddir="$srcdir"                          # This should be a default, sadly isn't
+_rx_pkgname="${startdir##*/}"               # Usually the package name is the same as the directory
+_rx_installdir="/etc/redxen/$_rx_pkgname"   # The install dir follows this pattern
+
+rx_replace() {
+	sed -i -- "s/$1/$(printf "%s" "$2" | sed 's/[&/\]/\\&/g')/g" "$3"
+}
+
+rx_cpkgdir() {
+	echo "${subpkgdir:-${pkgdir}}"
+}
+
+rx_install() {
+	_SRC="$1"
+	if [ ! -f "$_SRC" ]; then
+		if [ -f "$pkgdir/$_SRC" ]; then
+			_SRC="$pkgdir/$_SRC"
+		elif [ -f "$builddir/$_SRC" ]; then
+			_SRC="$builddir/$_SRC"
+		elif [ -f "$srcdir/$_SRC" ]; then
+			_SRC="$srcdir/$_SRC"
+		else
+			die "Install source $_SRC wasn't found"
+			return 1
+		fi
+	fi
+	install -D -m "${_rx_fperm:-444}" -- "$_SRC" "$(rx_cpkgdir)/${_rx_installdir}/${2:-${1##*/}}"
+}
+
+# Defaults
+
+rx_source_installall() {
+	for i in $source; do
+		rx_install "$i"
+	done
+}
+
+# Install every source file in a directory
+package() {
+	rx_source_installall
+}
+

HOST-SPLIT

@@ -0,0 +1,28 @@
+- Database host (rein)
+	- PostgreSQL
+	- Redis
+	- InfluxDB
+	- MoneroD
+- Communications host (chisa)
+	- Dovecot
+	- Postfix
+	- RSpamD
+	- OpenDKIM
+	- Murmur
+- Routing host (karu, lin)
+	- HAProxy
+	- Unbound
+	- FastD
+	- BIRD
+	- Wireguard
+- Game host (taro)
+	- Terraria
+	- Xonotic
+	- Minetest
+	- Minecraft
+- Misc host (masami)
+	- Packages
+	- Homepage
+	- Gitea
+	- Seedbox
+	- Grafana

PORT-ALLOCATION

@@ -24,7 +24,10 @@ Internal ports: 7500-7600
 	    SSH:        7571
 	Transmission:   7572
 	Mumble:         7573
-	NGINX:          7574
+	NGINX:
+	    Packages:   7574
+	    Homepage:   7575
+	    Seedbox:    7576
 	Grafana:        7577
 	Monerod:
 	    RPC:        7579

config/APKBUILD-config.common

@@ -1,27 +0,0 @@
-pkgname=redxen-config-$_svcname
-pkgver="$(date +'%Y.%m.%d')"
-url="https://git.redxen.eu/RedXen/aports"
-arch="noarch"
-license="none"
-pkgdesc="RedXen service config for $_svcname"
-options="!check"
-builddir="$srcdir"
-_cfgpath="${_configpath:-/etc/${_svcname}}"
-
-package_copy_configs() {
-	for i in ${1:-$source}; do
-		package_copy_cfg
-	done
-}
-
-package_copy_cfg() {
-	install -Dm"${COPYCFG_MASK:-${_cfgumask:-644}}" "${COPYCFG_SRC:-$i}" "${COPYCFG_DEST:-${pkgdir}/${_cfgpath}/${COPYCFG_FNAME_DEST:-$i}}"
-}
-
-package() {
-	package_copy_configs
-}
-
-replace_in_file() {
-	sed -i -- "s/$1/$(echo "$2" | sed 's/[&/\]/\\&/g')/g" "$3"
-}

config/APKBUILD-config.template

@@ -0,0 +1,6 @@
+. ../../APKBUILD.template
+
+: ${pkgname:?"No package prefix provided"}
+
+pkgname="$pkgname-config-$_rx_pkgname"
+pkgdesc="RedXen configuration: $_rx_pkgname"

config/babeld/APKBUILD

@@ -1,11 +0,0 @@
-# Contributor: Alex Denes <caskd@redxen.eu>
-# Maintainer: Alex Denes <caskd@redxen.eu>
-_svcname=babeld
-
-. ../APKBUILD-config.common
-
-pkgver=2021.02.25
-pkgrel=0
-source="redxen.conf"
-
-sha512sums="965149d9b246ec9d41ed1fb9edd9d7eaa72f284af5590b1897ba17babc71da3b293953d52555fd1b3acbfe8a9c9131e1873c494fbbe72866e82b6d2c84539517  redxen.conf"

config/babeld/redxen.conf

@@ -1,24 +0,0 @@
-diversity true
-interface crxn0 enable-timestamps true link-quality true
-
-#
-# Redistributions
-#
-
-redistribute local deny
-
-# Only learn CRXN routes
-in ip 10.0.0.0/8 ge 8 allow
-in ip 0.0.0.0/0 ge 0 deny
-
-in ip fd8a:6111:3b1a::/48 ge 48 allow
-in ip ::/0 ge 0 deny
-
-# Disable IPv4, range already taken by private network
-install ip 10.0.0.0/8 ge 8 deny
-
-# Redistribute all CRXN
-redistribute ip fd8a:6111:3b1a::/48 ge 48
-
-# Redistribute Freeloaders CRXN
-redistribute ip 2a04:5b81:2050::/44 ge 44

config/bird/APKBUILD

@@ -1,11 +1,12 @@
 # Contributor: Alex Denes <caskd@redxen.eu>
 # Maintainer: Alex Denes <caskd@redxen.eu>
-_svcname=bird
 
-. ../APKBUILD-config.common
+. ../APKBUILD-config.template
 
-pkgver=2021.05.12
+pkgver=2021.06.01.03
 pkgrel=0
 source="redxen.conf"
 
-sha512sums="063c456c53d547ca5c96a2f89870e9e7e7569c04fad166fa9f3c7d589252cba1e3f801c14b367e106ee7b119bb3abb1d44c1059996d3704352023aefd4ed1184  redxen.conf"
+sha512sums="
+063c456c53d547ca5c96a2f89870e9e7e7569c04fad166fa9f3c7d589252cba1e3f801c14b367e106ee7b119bb3abb1d44c1059996d3704352023aefd4ed1184  redxen.conf
+"

config/dovecot/APKBUILD

@@ -1,23 +1,45 @@
 # Contributor: Alex Denes <caskd@redxen.eu>
 # Maintainer: Alex Denes <caskd@redxen.eu>
-_svcname=dovecot
-_configpath="/etc/dovecot/redxen"
 
-. ../APKBUILD-config.common
+. ../APKBUILD-config.template
 
-pkgver=2021.01.17
-pkgrel=2
+pkgver=2021.06.01.03
+pkgrel=0
 depends="dovecot-lmtpd dovecot-pgsql redxen-secret-letsencrypt-chain redxen-secret-letsencrypt-private"
-install="$pkgname.pre-install"
-source="
+_rx_dovecot_base_src="
 	dovecot.conf
+"
+_rx_dovecot_pgsql_src="
 	pgsql.conf
 "
+source="
+	$_rx_dovecot_base_src
+	secret
+	$_rx_dovecot_pgsql_src
+"
 
-package() {
-	package_copy_configs
-	mkdir -p "$pkgdir"/var/mail
+build() {
+	. secret
+	: "${POSTGRESQL_PASSWORD:?'PostgreSQL database access password missing'}"
+
+	for i in $_rx_dovecot_pgsql_src; do
+		cp "$i" "$i".private
+		rx_replace "POSTGRESQL_PASSWORD" "$POSTGRESQL_PASSWORD" "$i".private
+	done
 }
 
-sha512sums="3ba2d75d7f548afe6b55ea1c97a0cbca46ef95de727c2ac919485d75f1724551b190897a718308af9f8dde8e8c8dda0d177325a66d297bcb914015e71042c85d  dovecot.conf
-d4646d31915b6fc0df7cc9c06d66c369f6a622f2f0c783fd9463a05a53d1b3b3ba2ebcbe32b2391f0e44fe2a67c6eeeef3b00d3067325152054e184ac67ff745  pgsql.conf"
+package() {
+	for i in $_rx_dovecot_base_src; do
+		rx_install "$i"
+	done
+	for i in $_rx_dovecot_pgsql_src; do
+		rx_install "$i".private "$i"
+	done
+	install -dm700 "$(rx_cpkgdir)"/var/mail
+}
+
+sha512sums="
+fdd1fa6072c77e297766582ef119da55b8d0bea435bfe7c890ca1ea2853a43936edd05ae0a08f001a335930276dcc0f7e160aa8d31ff3d8f4872e36cba37b48b  dovecot.conf
+3b28fdfdafaffe19e038b8fd3d3dfdeea51b68c68a148054a1daf618a5ed6e18bdfc58154f9fd32ce982eae9d03e50b3a63ea3a21f9a358e26e4d77164530151  secret
+5ed93cd8326a1fe604a91acb38da6864ee002877a069fa8f5b67fa10b7213d21966d7500b460cb14cedc063470b346002daf3031fc6be0d25d3bd864ff4b2f2f  pgsql.conf
+"

config/dovecot/dovecot.conf

@@ -10,8 +10,8 @@ protocols = imap lmtp
 
 # TLS stuff
 ssl = yes
-ssl_cert = </etc/ssl/redxen/letsencrypt/chain.crt
-ssl_key = </etc/ssl/redxen/letsencrypt/private.key
+ssl_cert = </etc/redxen/letsencrypt/chain.crt
+ssl_key = </etc/redxen/letsencrypt/private.key
 
 # Authentication
 auth_mechanisms = plain login
@@ -31,12 +31,12 @@ imap_capability = +SPECIAL-USE
 # PostgreSQL UserDB
 userdb {
 	driver = sql
-	args = /etc/dovecot/redxen/pgsql.conf
+	args = /etc/redxen/dovecot/pgsql.conf
 }
 
 passdb {
 	driver = sql
-	args = /etc/dovecot/redxen/pgsql.conf
+	args = /etc/redxen/dovecot/pgsql.conf
 }
 
 # Services

config/dovecot/pgsql.conf

@@ -0,0 +1,6 @@
+connect = host=postgresql.routinginfo.internal port=7550 dbname=mail user=dovecot password=POSTGRESQL_PASSWORD
+driver = pgsql
+default_pass_scheme = ARGON2I
+user_query = SELECT '8' AS uid, '12' AS gid FROM users WHERE userid = '%u' AND active = '1'
+password_query = SELECT userid AS user, password FROM users WHERE userid = '%u' AND active = '1'
+iterate_query = SELECT userid AS user FROM users

config/dovecot/redxen-config-dovecot.pre-install

@@ -1,5 +0,0 @@
-#!/bin/sh
-
-adduser dovecot rxletsenc
-
-return 0

config/fastd/APKBUILD

@@ -1,13 +1,33 @@
 # Contributor: Alex Denes <caskd@redxen.eu>
 # Maintainer: Alex Denes <caskd@redxen.eu>
-_svcname=fastd
-_configpath="/etc/fastd/redxen"
-_cfgumask=600
 
-. ../APKBUILD-config.common
+. ../APKBUILD-config.template
 
-pkgver=2021.02.09
-pkgrel=3
-source="fastd.conf"
+pkgver=2021.06.01.04
+pkgrel=0
+source="
+	fastd.conf
+"
+_peers="
+	deavmi
+"
+depends="redxen-secret-fastd-peerkey"
 
-sha512sums="8743f56c32dd827b76c27ff5f2c634e7a76b59e275891ee7850109b6b08a3c26cfa6f789e5659e6f1148a55857c992511195b337c5773b9480fac5e116232fe2  fastd.conf"
+for i in $_peers; do
+	subpackages="$subpackages $pkgname-peer-$i:_peer"
+	source="$source peers/$i"
+done
+
+package() {
+	rx_install fastd.conf
+}
+
+_peer() {
+	_peername="${subpkgname##*-peer-}"
+	_rx_installdir="$_rx_installdir/peers" rx_install "$_peername"
+}
+
+sha512sums="
+9ff7544ac46576897400eff389b1a458755482b44f5771adc0c04fae1c8b25311ea5ecfe78ecc23c83b89580ccdfa239506da273705880f1afa0c0c7f3109114  fastd.conf
+4d9291172657f4871dc77296f8e902facd00ddbea226fe8091ff860530fb9be1d8f5476e6b51bab745af2a62a492e2ddf7a562482d6c09cb468a67ca0082492f  deavmi
+"

config/fastd/fastd.conf

@@ -1,16 +1,14 @@
-interface "crxn0";
+interface "tunptp0";
 method "salsa2012+umac";
 bind any:2190;
-secret "";
+log to syslog level info;
 
+# TODO: Find a better way to define this (per-host /etc/network/interfaces?)
 on up "
-ip -6 addr add fd8a:6111:3b1a:dddd::X/64 scope global dev $INTERFACE
-ip -6 route add fd8a:6111:3b1a:dddd::X/64 dev $INTERFACE protocol static
+ip -6 addr add fd8a:6111:3b1a:dddd::1/64 scope global dev $INTERFACE
+ip -6 route add fd8a:6111:3b1a:dddd::1/64 dev $INTERFACE protocol static
 ip link set $INTERFACE up
 ";
 
-peer "peer0"
-{
-        remote ipv6 "" port 2190;
-        key "";
-}
+include "/etc/redxen/fastd-peerkey/secret.conf";
+include peers from "peers";

config/fastd/peers/deavmi

@@ -0,0 +1,2 @@
+remote ipv6 "2a04:5b80:300:3:0:c0ff:fe91:bf87" port 2190;
+key "5c717c5c7569a06f35beb617bb56a38d3aa0071bdcca3fda56a9b42db1e89804";

config/gitea/APKBUILD

@@ -1,32 +1,33 @@
 # Contributor: Alex Denes <caskd@redxen.eu>
 # Maintainer: Alex Denes <caskd@redxen.eu>
-_svcname=gitea
 
-. ../APKBUILD-config.common
+. ../APKBUILD-config.template
 
-pkgver=2021.05.08
+pkgver=2021.06.01.03
 pkgrel=0
 depends="redxen-data-gitea-theme"
 source="
 	redxen.ini
-	secrets
+	secret
 "
 
 prepare() {
 	default_prepare
 	install -D "redxen.ini" "redxen-mod.ini"
-	. secrets
-	replace_in_file "POSTGRESQL_GITEA_PASSWORD" "$POSTGRESQL_GITEA_PASSWORD" "redxen-mod.ini"
-	replace_in_file "GITEA_SECRET_KEY" "$GITEA_SECRET_KEY" "redxen-mod.ini"
-	replace_in_file "GITEA_INTERNAL_TOKEN" "$GITEA_INTERNAL_TOKEN" "redxen-mod.ini"
-	replace_in_file "GITEA_MAILER_PASSWD" "$GITEA_MAILER_PASSWD" "redxen-mod.ini"
-	replace_in_file "GITEA_OAUTH_JWT_TOKEN" "$GITEA_OAUTH_JWT_TOKEN" "redxen-mod.ini"
+	. secret
+	rx_replace "POSTGRESQL_GITEA_PASSWORD" "$POSTGRESQL_GITEA_PASSWORD" "redxen-mod.ini"
+	rx_replace "GITEA_SECRET_KEY" "$GITEA_SECRET_KEY" "redxen-mod.ini"
+	rx_replace "GITEA_INTERNAL_TOKEN" "$GITEA_INTERNAL_TOKEN" "redxen-mod.ini"
+	rx_replace "GITEA_MAILER_PASSWD" "$GITEA_MAILER_PASSWD" "redxen-mod.ini"
+	rx_replace "GITEA_OAUTH_JWT_TOKEN" "$GITEA_OAUTH_JWT_TOKEN" "redxen-mod.ini"
 }
 
 package() {
-	COPYCFG_SRC="redxen-mod.ini" COPYCFG_FNAME_DEST="redxen.ini" package_copy_cfg
-	mkdir -p "$pkgdir"/var/lib/gitea
+	rx_install redxen-mod.ini redxen.ini
+	install -dm700 "$(rx_cpkgdir)"/var/lib/gitea
 }
 
-sha512sums="f530ec63e352f2daac6c66325f8ffc679c9fd3959750ccbc6f2f3e2456a0f8a8abe12ec14cdaa05507a6785f166d5d60c016f8b6a9751749c62223a9c0d8d436  redxen.ini
-012d489c5d71864cda4b99ec16b3d6edbf83d18ea14d2104afe70e320937f4dd223572e384fba040cb3d43ced8ca7267e434756e4a1cd8bd41bb6f9092ad4b9d  secrets"
+sha512sums="
+e220ce0d91065f7ff4e4705f2a632147aad844bd71898d2d4ccbfc16638521a4980d204a3bcf09baf4174ffa6eab88fbd39d37458098e098ceb8dc4ed472d675  redxen.ini
+012d489c5d71864cda4b99ec16b3d6edbf83d18ea14d2104afe70e320937f4dd223572e384fba040cb3d43ced8ca7267e434756e4a1cd8bd41bb6f9092ad4b9d  secret
+"

config/gitea/redxen.ini

@@ -31,7 +31,7 @@ CONTENT_PATH                    = lfs
 
 [database]
 DB_TYPE                         = postgres
-HOST                            = postgresql.routinginfo.redxen.localhost:7550
+HOST                            = postgresql.routinginfo.internal:7550
 NAME                            = gitea
 USER                            = gitea
 PASSWD                          = POSTGRESQL_GITEA_PASSWORD
@@ -51,11 +51,11 @@ REPO_INDEXER_TYPE               = bleve
 
 [queue.issue_indexer]
 TYPE                            = redis
-CONN_STR                        = redis://redis.routinginfo.redxen.localhost:7551/?db=7&pool_size=100&idle_timeout=180s
+CONN_STR                        = redis://redis.routinginfo.internal:7551/?db=7&pool_size=100&idle_timeout=180s
 
 [session]
 PROVIDER                        = redis
-PROVIDER_CONFIG                 = redis://redis.routinginfo.redxen.localhost:7551/?db=6&pool_size=100&idle_timeout=180s
+PROVIDER_CONFIG                 = redis://redis.routinginfo.internal:7551/?db=6&pool_size=100&idle_timeout=180s
 COOKIE_SECURE                   = true
 
 [picture]
@@ -94,7 +94,7 @@ MODE                            = console
 
 [cache]
 ADAPTER                         = redis
-HOST                            = redis://redis.routinginfo.redxen.localhost:7551/?db=5&pool_size=100&idle_timeout=180s
+HOST                            = redis://redis.routinginfo.internal:7551/?db=5&pool_size=100&idle_timeout=180s
 ITEM_TTL                        = 10m
 
 [oauth2]

config/grafana/APKBUILD

@@ -1,12 +1,30 @@
 # Contributor: Alex Denes <caskd@redxen.eu>
 # Maintainer: Alex Denes <caskd@redxen.eu>
-_svcname=grafana
-_cfgumask=400
 
-. ../APKBUILD-config.common
+. ../APKBUILD-config.template
 
-pkgver=2021.01.13
-pkgrel=4
-source="main.ini"
+pkgver=2021.06.01.03
+pkgrel=0
+source="
+	secret
+	main.ini
+"
 
-sha512sums="90d7ac741be339613b325886ef485091c3f2662fc32e98a723935ef27838547ceea89ae4800d780b51411334264d5678c3431c3e4b3c34cfedd5373cba72ab62  main.ini"
+build() {
+	. secret
+	: "${POSTGRESQL_PASSWORD:?'PostgreSQL password is missing'}"
+	: "${SMTP_AUTH_PASSWORD:?'SMTP authentication password is missing'}"
+
+	cp "main.ini" "main.ini.private"
+	rx_replace "POSTGRESQL_PASSWORD" "$POSTGRESQL_PASSWORD" "main.ini.private"
+	rx_replace "SMTP_AUTH_PASSWORD" "$SMTP_AUTH_PASSWORD" "main.ini.private"
+}
+
+package() {
+	rx_install "main.ini.private" "main.ini"
+}
+
+sha512sums="
+9a0dee0934034685c2aba7ebb21283ee73fd240c4cee2aa1cfcec66ba5afc3ed3759b2c79e1facba3e3e0a38fe75f11a7f382d968798ba212c36072238c59190  secret
+8206984e9fb01cef0b06b366bd6af1cc74227d07404c68d50b0d59fadf409b2868fece46cf7931c78f2315d47385b85f4741cfb9eb397be8fbf4f0c75cb94242  main.ini
+"

config/grafana/main.ini

@@ -0,0 +1,67 @@
+## Server
+[server]
+protocol = 'http'
+http_addr = '0.0.0.0'
+http_port = '7577'
+domain = 'stats.redxen.eu'
+root_url = 'https://stats.redxen.eu'
+enable_gzip = 'false'
+
+## Database
+[database]
+type = 'postgres'
+host = 'postgresql.routinginfo.internal:7550'
+name = 'grafana'
+user = 'grafana'
+ssl_mode = "disable"
+password = "POSTGRESQL_PASSWORD"
+
+## Remote cache
+[remote_cache]
+type = 'database'
+
+## Security
+[security]
+cookie_secure = 'true'
+cookie_samesite = 'strict'
+
+## Users
+[users]
+allow_sign_up = 'false'
+
+## Anonymous auth
+[auth]
+disable_login_form = 'false'
+oauth_auto_login = 'false'
+
+[auth.anonymous]
+enabled = 'true'
+org_name = 'RedXen'
+org_role = 'Viewer'
+
+## LDAP Auth
+# [auth.ldap]
+# enabled = true
+# config_file = /etc/grafana/ldap.toml
+# allow_sign_up = true
+
+## Session (legacy)
+# session_provider = 'redis'
+# session_provider_config = 'addr=db_redis:6379,pool_size=100,db=grafana'
+# session_cookie_secure = 'true'
+
+## Snapshots
+[snapshots]
+external_enabled = 'false'
+
+## Alpha panels
+[panels]
+enable_alpha = 'true'
+
+[smtp]
+enabled = 'true'
+host = 'mail.redxen.eu:465'
+user = 'grafana'
+password = 'SMTP_AUTH_PASSWORD'
+from_address = 'grafana@redxen.eu'
+startTLS_policy = 'MandatoryStartTLS'

config/haproxy/APKBUILD

@@ -1,17 +1,19 @@
 # Contributor: Alex Denes <caskd@redxen.eu>
 # Maintainer: Alex Denes <caskd@redxen.eu>
-_svcname=haproxy
 
-. ../APKBUILD-config.common
+. ../APKBUILD-config.template
 
-pkgver=2021.03.20
-pkgrel=4
+pkgver=2021.06.01.03
+pkgrel=0
 depends="redxen-secret-letsencrypt-full redxen-data-haproxy-errorpages"
-#checkdepends="haproxy"
+checkdepends="haproxy"
 source="main.cfg"
+options=""
 
-#check() {
-#	haproxy -c -f main.cfg # Certificates aren't readable by the building user
-#}
+check() {
+	haproxy -c -f main.cfg
+}
 
-sha512sums="dba35422a8a599a2c8d96899cdd57108f71af700b965a609953b079418efa0bb84b1955cc548e9802bda585a3bec16fd6d0d2e6f49214ee96f978fae0a19afdb  main.cfg"
+sha512sums="
+f61be8fa279ef56e7609c26fe9031a8d369563524925a419adde8e3367ceb1857dc1b407327fe9c2c80ff886e1ab2bc0b73e8be31bc5237c78c1f229f0a5932d  main.cfg
+"

config/haproxy/main.cfg

@@ -21,13 +21,13 @@ defaults
   timeout http-keep-alive 240s
   default-server resolvers local init-addr libc,none resolve-opts prevent-dup-ip check
 
-  errorfile 400 /etc/haproxy/errorpages/400.http
-  errorfile 403 /etc/haproxy/errorpages/403.http
-  errorfile 408 /etc/haproxy/errorpages/408.http
-  errorfile 500 /etc/haproxy/errorpages/500.http
-  errorfile 502 /etc/haproxy/errorpages/502.http
-  errorfile 503 /etc/haproxy/errorpages/503.http
-  errorfile 504 /etc/haproxy/errorpages/504.http
+  errorfile 400 /etc/redxen/haproxy/errorpages/400.http
+  errorfile 403 /etc/redxen/haproxy/errorpages/403.http
+  errorfile 408 /etc/redxen/haproxy/errorpages/408.http
+  errorfile 500 /etc/redxen/haproxy/errorpages/500.http
+  errorfile 502 /etc/redxen/haproxy/errorpages/502.http
+  errorfile 503 /etc/redxen/haproxy/errorpages/503.http
+  errorfile 504 /etc/redxen/haproxy/errorpages/504.http
 
 resolvers local
   nameserver unbound 127.0.0.1:53
@@ -43,19 +43,26 @@ listen git-gitea
   mode tcp
   bind ipv4@*:2442,ipv6@*:2442
   option tcp-check
-  server-template gitssh 1 _gitssh._tcp.routinginfo.redxen.localhost
+  server-template gitssh 1 _gitssh._tcp.routinginfo.internal
 
 frontend http
   mode http
-  bind ipv4@:443,ipv6@:443 ssl crt /etc/ssl/redxen/letsencrypt/full.crt alpn h2,http/1.1
+  bind ipv4@:443,ipv6@:443 ssl crt /etc/redxen/letsencrypt/full.crt alpn h2,http/1.1
   bind ipv4@:80,ipv6@:80
 
   acl root path /
-
   acl seedbox hdr_beg(host) -i seed.redxen
-  use_backend backend-transmission if seedbox
+
   redirect prefix /web code 302 if seedbox root
 
+  http-response set-header X-Forwarded-Proto https
+  http-response set-header X-XSS-Protection 1;\ mode=block
+  http-response set-header X-Content-Type-Options nosniff
+  http-response set-header Referrer-Policy no-referrer-when-downgrade
+  http-response set-header Strict-Transport-Security max-age=31536000;\ includeSubDomains;\ preload
+
+  use_backend backend-transmission if seedbox
+
   use_backend backend-root if { hdr_beg(host) -i redxen }
   use_backend backend-grafana if { hdr_beg(host) -i stats.redxen }
 #  use_backend backend-pleroma if { hdr_beg(host) -i social.redxen }
@@ -64,46 +71,40 @@ frontend http
   use_backend backend-packages if { hdr_beg(host) -i packages.redxen }
   use_backend backend-monerod if { hdr_beg(host) -i monerod.redxen }
 
-  http-response set-header X-Forwarded-Proto https
-  http-response set-header X-XSS-Protection 1;\ mode=block
-  http-response set-header X-Content-Type-Options nosniff
-  http-response set-header Referrer-Policy no-referrer-when-downgrade
-  http-response set-header Strict-Transport-Security max-age=31536000;\ includeSubDomains;\ preload
-
   backend backend-root
-    server-template root 1 _root._tcp.routinginfo.redxen.localhost
+    server-template root 1 _root._tcp.routinginfo.internal
     option httpchk HEAD / HTTP/1.1
     http-check send hdr Host redxen.eu
 
   backend backend-transmission
-    server-template transmission 1 _transmission._tcp.routinginfo.redxen.localhost
+    server-template transmission 1 _transmission._tcp.routinginfo.internal
 
   backend backend-grafana
-    server-template grafana 1 _grafana._tcp.routinginfo.redxen.localhost
+    server-template grafana 1 _grafana._tcp.routinginfo.internal
     option httpchk HEAD / HTTP/1.1
     http-check send hdr Host stats.redxen.eu
 
   backend backend-seedown
-    server-template seedown 1 _seedown._tcp.routinginfo.redxen.localhost
+    server-template seedown 1 _seedown._tcp.routinginfo.internal
     option httpchk HEAD / HTTP/1.1
     http-check send hdr Host sd.redxen.eu
 
   backend backend-packages
-    server-template packages 1 _packages._tcp.routinginfo.redxen.localhost
+    server-template packages 1 _packages._tcp.routinginfo.internal
     option httpchk HEAD / HTTP/1.1
     http-check send hdr Host packages.redxen.eu
 
 #  backend backend-pleroma
-#    server-template pleroma 1 _pleroma._tcp.routinginfo.redxen.localhost
+#    server-template pleroma 1 _pleroma._tcp.routinginfo.internal
 #    option httpchk HEAD / HTTP/1.1
 #    http-check send hdr Host social.redxen.eu
 
   backend backend-gitea
-    server-template gitea 1 _gitea._tcp.routinginfo.redxen.localhost
+    server-template gitea 1 _gitea._tcp.routinginfo.internal
     option httpchk HEAD / HTTP/1.1
     http-check send hdr Host gitea.redxen.eu
 
   backend backend-monerod
-    server-template monerod 1 _monerod._tcp.routinginfo.redxen.localhost
+    server-template monerod 1 _monerod._tcp.routinginfo.internal
     option httpchk POST /json_rpc HTTP/1.1
     http-check send body \{\"method\"\:\"get_version\"\} hdr Content-Type application/json

config/hitch/APKBUILD

@@ -1,16 +0,0 @@
-# Contributor: Alex Denes <caskd@redxen.eu>
-# Maintainer: Alex Denes <caskd@redxen.eu>
-_svcname=hitch
-
-. ../APKBUILD-config.common
-
-pkgver=2020.12.07
-pkgrel=0
-source="main.conf"
-#checkdepends="hitch"
-
-#check() {
-#	hitch -t --config main.conf # Certificate not readable by the building user
-#}
-
-sha512sums="b830c09953bd4908fd9d69c5e386b0f314b87d44bf2c19dcfa2bb5f790a842d617888e4c47802eaab8bea676bd1d060bae47965ac0946bbb9b5dc95ca990d01d  main.conf"

config/hitch/main.conf

@@ -1,6 +0,0 @@
-alpn-protos = "h2,http/1.1"
-tls-protos = TLSv1.1 TLSv1.2
-ciphers = "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"
-pem-file = "/cert.pem"
-workers = 2
-write-proxy-v2 = on

config/influxdb/APKBUILD

@@ -1,16 +1,17 @@
 # Contributor: Alex Denes <caskd@redxen.eu>
 # Maintainer: Alex Denes <caskd@redxen.eu>
-_svcname=influxdb
 
-. ../APKBUILD-config.common
+. ../APKBUILD-config.template
 
-pkgver=2020.12.29
-pkgrel=2
+pkgver=2021.06.01.03
+pkgrel=0
 source="redxen.conf"
 
 package() {
-	package_copy_configs
-	install -dm700 "$pkgdir"/var/lib/influxdb
+	rx_source_installall
+	install -dm700 "$(rx_cpkgdir)"/var/lib/influxdb
 }
 
-sha512sums="e251c8e25fb0d4a258f17425d277553d65a0b4b078c60ceec973bb421fdda42130d0e9cb38a70a85f5258407b02219ce9f79e551908a9f8e593a00852f5f81b4  redxen.conf"
+sha512sums="
+e251c8e25fb0d4a258f17425d277553d65a0b4b078c60ceec973bb421fdda42130d0e9cb38a70a85f5258407b02219ce9f79e551908a9f8e593a00852f5f81b4  redxen.conf
+"

config/ipset/APKBUILD

@@ -1,16 +1,16 @@
 # Contributor: Alex Denes <caskd@redxen.eu>
 # Maintainer: Alex Denes <caskd@redxen.eu>
-_svcname=ipset
-_configpath="/etc/ipset.d/redxen"
 
-. ../APKBUILD-config.common
+. ../APKBUILD-config.template
 
-pkgver=2021.01.28
-pkgrel=3
+pkgver=2021.06.01.03
+pkgrel=0
 source="
 	netwide4
 	netwide6
 "
 
-sha512sums="0c70b7b82c481ebcd755d4cf9a3c8d3490d1ea022158e32d1a4cf26152e9482858aeb09d7b68600e3d60312eba6d938a82bfa8012f2a19216dec69f05db4a250  netwide4
-dccd10b2fe5960bcf6466b27fabfbc5c80df40d33e744e84bd013c4b12e2fbb9fe4555568debb3cbbe851ff88f7b733ff19706073f2f29295d336a36efca4d07  netwide6"
+sha512sums="
+0c70b7b82c481ebcd755d4cf9a3c8d3490d1ea022158e32d1a4cf26152e9482858aeb09d7b68600e3d60312eba6d938a82bfa8012f2a19216dec69f05db4a250  netwide4
+dccd10b2fe5960bcf6466b27fabfbc5c80df40d33e744e84bd013c4b12e2fbb9fe4555568debb3cbbe851ff88f7b733ff19706073f2f29295d336a36efca4d07  netwide6
+"

config/iptables/APKBUILD

@@ -1,16 +1,17 @@
 # Contributor: Alex Denes <caskd@redxen.eu>
 # Maintainer: Alex Denes <caskd@redxen.eu>
-_svcname=iptables
 
-. ../APKBUILD-config.common
+. ../APKBUILD-config.template
 
-pkgver=2021.01.28
-pkgrel=4
+pkgver=2021.06.01.03
+pkgrel=0
 depends="redxen-config-ipset"
 source="
 	rx-rules4
 	rx-rules6
 "
 
-sha512sums="c29f7f22fcabdd90fb3cd63f1e67ce340145be9a832c0ce23fadfd2a83e477c90373c052c6d750d3136dfeb951098c2bc7d05e1bfd6b7cb8f886a2e632587094  rx-rules4
-92b3c7dad3bcf9583ae9af4ba111b35ac5d0eae3ca50969be2941efc72270dd423689cceb93d55fe0286949a7b4a124a0e59bb170a99776bf99c835884da060c  rx-rules6"
+sha512sums="
+c29f7f22fcabdd90fb3cd63f1e67ce340145be9a832c0ce23fadfd2a83e477c90373c052c6d750d3136dfeb951098c2bc7d05e1bfd6b7cb8f886a2e632587094  rx-rules4
+92b3c7dad3bcf9583ae9af4ba111b35ac5d0eae3ca50969be2941efc72270dd423689cceb93d55fe0286949a7b4a124a0e59bb170a99776bf99c835884da060c  rx-rules6
+"

config/lighttpd/APKBUILD

@@ -1,23 +0,0 @@
-# Contributor: Alex Denes <caskd@redxen.eu>
-# Maintainer: Alex Denes <caskd@redxen.eu>
-_svcname=lighttpd
-_configpath="/etc/lighttpd/redxen"
-
-. ../APKBUILD-config.common
-
-pkgver=2020.12.11
-pkgrel=2
-source="main.conf"
-options="" # Default options
-checkdepends="lighttpd"
-
-package() {
-	package_copy_configs
-	mkdir -p "$pkgdir"/http
-}
-
-check() {
-	lighttpd -f main.conf -t
-}
-
-sha512sums="c6157585741c20022f7cd520db0c1066aae9e6d59be165d49bfd9d3b57fdc1abed681ba067470d01f2b4f22c8c99da466976e4bf28d9d881811aac2d04494cca  main.conf"

config/lighttpd/main.conf

@@ -1,28 +0,0 @@
-var.basedir           = "/http"
-var.logdir            = "/var/log/lighttpd"
-var.statedir          = "/run/lighttpd"
-
-include "/etc/lighttpd/mime-types.conf"
-
-server.bind           = "[::]"
-server.modules        = ( "mod_access", "mod_deflate", "mod_webdav", "mod_dirlisting" )
-server.username       = "lighttpd"
-server.groupname      = "lighttpd"
-server.document-root  = var.basedir
-server.pid-file       = "/run/lighttpd.pid"
-server.indexfiles     = ("index.html")
-server.follow-symlink = "disable"
-server.event-handler  = "linux-sysepoll"
-server.chroot         = var.basedir
-server.port           = 7574
-server.upload-dirs    = ("")
-server.use-ipv6       = "enable"
-
-dir-listing.activate  = "enable"
-
-url.access-deny       = ("~")
-
-deflate.filetypes    = ("text/", "application/javascript")
-
-webdav.activate       = "enable"
-webdav.is-readonly    = "enable"

config/minetest/APKBUILD

@@ -1,12 +1,13 @@
 # Contributor: Alex Denes <caskd@redxen.eu>
 # Maintainer: Alex Denes <caskd@redxen.eu>
-_svcname=minetest
 
-. ../APKBUILD-config.common
+. ../APKBUILD-config.template
 
-pkgver=2021.04.02
+pkgver=2021.06.01.03
 pkgrel=0
 source="redxen.conf"
 depends="$depends minetest-mineclone2"
 
-sha512sums="89477b45e3ee62e1eee1c7e3d0a4e9e4f69684c5b8d55fa9c109e890e94ca63acbc2ae2430ccca67a2c24d22c101c0aa29b1f0e4d3dba98d58b418fd006a7ff2  redxen.conf"
+sha512sums="
+c98321d2da35fdd58c5c4e8f493c34a0cfd87991e34d0cbd6d89000696bb9e16d76912d42a83c31367c48d2acc1c7b70b8a33cb447b76b1e46f76ecd1107deea  redxen.conf
+"

config/minetest/redxen.conf

@@ -61,34 +61,6 @@ strict_protocol_version_checking = false
 #    type: bool
 ipv6_server = true
 
-### Advanced
-
-#    Maximum number of blocks that are simultaneously sent per client.
-#    The maximum total count is calculated dynamically:
-#    max_total = ceil((#clients + max_users) * per_client / 4)
-#    type: int
-max_simultaneous_block_sends_per_client = 10
-max_simultaneous_block_sends_server_total = 50
-
-#    To reduce lag, block transfers are slowed down when a player is building something.
-#    This determines how long they are slowed down after placing or removing a node.
-#    type: float
-# full_block_send_enable_min_time_from_building = 2.0
-
-#    Maximum number of packets sent per send step, if you have a slow connection
-#    try reducing it, but don't reduce it to a number below double of targeted
-#    client number.
-#    type: int
-max_packets_per_iteration = 8192
-
-#    ZLib compression level to use when sending mapblocks to the client.
-#    -1 - Zlib's default compression level
-#    0 - no compresson, fastest
-#    9 - best compression, slowest
-#    (levels 1-3 use Zlib's "fast" method, 4-9 use the normal method)
-#    type: int min: -1 max: 9
-# map_compression_level_net = -1
-
 ## Game
 
 #    Default game when creating a new world.
@@ -103,7 +75,7 @@ motd = Welcome!
 
 #    Maximum number of players that can be connected simultaneously.
 #    type: int
- max_users = 100
+max_users = 100
 
 #    World directory (everything in the world is stored here).
 #    Not needed if starting from the main menu.
@@ -199,7 +171,7 @@ kick_msg_crash = This server has experienced an internal error. You will now be
 # ask_reconnect_on_crash = false
 
 #    From how far clients know about objects, stated in mapblocks (16 nodes).
-#    
+#
 #    Setting this larger than active_block_range will also cause the server
 #    to maintain active objects up to this distance in the direction the
 #    player is looking. (This can avoid mobs suddenly disappearing from view)
@@ -212,11 +184,11 @@ kick_msg_crash = This server has experienced an internal error. You will now be
 #    This is also the minimum range in which active objects (mobs) are maintained.
 #    This should be configured together with active_object_send_range_blocks.
 #    type: int
-active_block_range = 2
+# active_block_range = 2
 
 #    From how far blocks are sent to clients, stated in mapblocks (16 nodes).
 #    type: int
-max_block_send_distance = 8
+# max_block_send_distance = 8
 
 #    Maximum number of forceloaded mapblocks.
 #    type: int
@@ -267,7 +239,7 @@ movement_acceleration_air = 1.2
 #    Horizontal and vertical acceleration in fast mode,
 #    in nodes per second per second.
 #    type: float
- movement_acceleration_fast = 10
+movement_acceleration_fast = 10
 
 #    Walking and flying speed, in nodes per second.
 #    type: float
@@ -328,7 +300,7 @@ movement_gravity = 10.4
 
 #    Maximum number of statically stored objects in a block.
 #    type: int
-max_objects_per_block = 4096
+# max_objects_per_block = 4096
 
 #    See https://www.sqlite.org/pragma.html#pragma_synchronous
 #    type: enum values: 0, 1, 2
@@ -345,7 +317,7 @@ max_objects_per_block = 4096
 #    Length of a server tick and the interval at which objects are generally updated over
 #    network.
 #    type: float
-dedicated_server_step = 0.001
+# dedicated_server_step = 0.001
 
 #    Length of time between active block management cycles
 #    type: float
@@ -353,12 +325,12 @@ dedicated_server_step = 0.001
 
 #    Length of time between Active Block Modifier (ABM) execution cycles
 #    type: float
-abm_interval = 0.25
+# abm_interval = 0.25
 
 #    The time budget allowed for ABMs to execute on each step
 #    (as a fraction of the ABM Interval)
 #    type: float min: 0.1 max: 0.9
-abm_time_budget = 0.2
+# abm_time_budget = 0.2
 
 #    Length of time between NodeTimer execution cycles
 #    type: float
@@ -392,7 +364,7 @@ abm_time_budget = 0.2
 #    optimization.
 #    Stated in mapblocks (16 nodes).
 #    type: int min: 2
-block_send_optimize_distance = 4
+# block_send_optimize_distance = 4
 
 #    If enabled the server will perform map block occlusion culling based on
 #    on the eye position of the player. This can reduce the number of blocks

config/monerod/APKBUILD

@@ -1,18 +1,17 @@
 # Contributor: Alex Denes <caskd@redxen.eu>
 # Maintainer: Alex Denes <caskd@redxen.eu>
-_svcname=monerod
 
-. ../APKBUILD-config.common
+. ../APKBUILD-config.template
 
-pkgver=2021.04.05
+pkgver=2021.06.01.03
 pkgrel=0
-source="
-	redxen.conf
-"
+source="redxen.conf"
 
 package() {
-	package_copy_configs
-	mkdir -p "$pkgdir"/var/lib/monerod
+	rx_source_installall
+	install -dm700 "$(rx_cpkgdir)"/var/lib/monerod
 }
 
-sha512sums="18a7fcff61513bc092c4d0cd358774684f519b9f2f106718a8d15d83100b660ac6ea9ee4c178a7e2cd60a5aae585b27e78d6e2bc45c5e1189a86985612f4aedf  redxen.conf"
+sha512sums="
+18a7fcff61513bc092c4d0cd358774684f519b9f2f106718a8d15d83100b660ac6ea9ee4c178a7e2cd60a5aae585b27e78d6e2bc45c5e1189a86985612f4aedf  redxen.conf
+"

config/murmur/APKBUILD

@@ -1,14 +1,31 @@
 # Contributor: Alex Denes <caskd@redxen.eu>
 # Maintainer: Alex Denes <caskd@redxen.eu>
-_svcname=murmur
-_cfgumask=400
 
-. ../APKBUILD-config.common
+. ../APKBUILD-config.template
 
-pkgver=2021.01.30
-pkgrel=2
+pkgver=2021.06.01.03
+pkgrel=0
 depends="qt5-qtbase-postgresql redxen-secret-selfsigned-public redxen-secret-selfsigned-private"
-source="murmur.ini"
-install="$pkgname.pre-install"
+source="
+	secret
+	murmur.ini
+"
 
-sha512sums="9cbed968233867662e46ca116dcc7a271496a869b88f7826fbf16b2f9034344495f0f7326f2c852cdc743496b9d93148d66379d952b6bd119147e371db1c4426  murmur.ini"
+build() {
+	. secret
+	: "${MUMBLE_DATABASE_PASS:?'Database password is missing'}"
+	: "${MUMBLE_REGISTER_PASS:?'Registration password is missing'}"
+
+	cp murmur.ini murmur.ini.private
+	rx_replace "MUMBLE_DATABASE_PASS" "$MUMBLE_DATABASE_PASS" murmur.ini.private
+	rx_replace "MUMBLE_REGISTER_PASS" "$MUMBLE_REGISTER_PASS" murmur.ini.private
+}
+
+package() {
+	rx_install murmur.ini.private murmur.ini
+}
+
+sha512sums="
+5b754d97a9e6df9228c1ba96c959f3879c4e105af2785ce2fe5edf431a975e5f5bceb23cfa0c2b55dfc706d348d394a335cda32f6b5f66de1cac279f244426dc  secret
+dff6e85a191dc90aec33a18c71dcf6fa78c22b3a1543bb187a864ada3b057ebd890746d9f0ba2d23c3ddef2d6fecff1290b85e617b7da636709d3b9f29ccc384  murmur.ini
+"

config/murmur/murmur.ini

@@ -0,0 +1,32 @@
+database=murmur
+dbDriver=QPSQL
+dbUsername=murmur
+dbPassword=MUMBLE_DATABASE_PASS
+dbHost=postgresql.routinginfo.internal
+dbPort=7550
+registerName="[RedXen] No mumble no talk!"
+registerPassword=MUMBLE_REGISTER_PASS
+registerUrl=https://redxen.eu/
+registerHostname=redxen.eu
+registerLocation=DE
+host=
+uname=murmur
+pidfile=/run/murmur/murmur.pid
+opusthreshold=10
+bandwidth=130000
+sslCert=/etc/redxen/selfsigned/public.pem
+sslKey=/etc/redxen/selfsigned/private.key
+port=64738
+timeout=10
+users=500
+defaultchannel=1
+welcometext="
+<center><br />
+<h1>RedXen Community</h1><br />
+<a href="https://redxen.eu">[ Homepage ]</a> <a href="https://t.me/rxtelegram">[ Telegram ]</a> <a href="https://git.redxen.eu">[ Git ]</a> <a href="https://paypal.me/caskdrx">[ Support us! ]</a><br />
+Enjoy your stay!<br />
+Have a group that you want to represent or a question? Contact me at caskd@redxen.eu<br />
+This server is powered by Alpine Linux<br />
+</center>
+
+"

config/murmur/redxen-config-murmur.pre-install

@@ -1,5 +0,0 @@
-#!/bin/sh
-
-adduser murmur rxselfsig
-
-return 0

config/nginx/APKBUILD

@@ -1,45 +1,46 @@
 # Contributor: Alex Denes <caskd@redxen.eu>
 # Maintainer: Alex Denes <caskd@redxen.eu>
-_svcname=nginx
 
-. ../APKBUILD-config.common
+. ../APKBUILD-config.template
 
-pkgver=2021.05.03
+pkgver=2021.06.01.07
 pkgrel=0
 depends="nginx-mod-http-zip"
 checkdepends="nginx"
 subpackages="$pkgname-seedbox $pkgname-alpine $pkgname-homepage"
 source="
 	main.conf
-	modules/seedbox.conf
-	modules/alpine.conf
-	modules/homepage.conf
+	module/seedbox.conf
+	module/alpine.conf
+	module/homepage.conf
 "
 
 package() {
-	install -Dm400 main.conf "$pkgdir"/etc/nginx/redxen.conf
+	rx_install "main.conf"
 }
 
 seedbox() {
 	install_if="redxen-config-transmission-daemon"
-	install -Dm400 "$srcdir"/seedbox.conf "$subpkgdir"/etc/nginx/http.d/redxen/seedbox.conf
+	_rx_installdir="$_rx_installdir/module" rx_install seedbox.conf
 }
 
 alpine() {
-	install_if="redxen-secret-nginx-httpauth-alpine"
-	install -Dm400 "$srcdir"/alpine.conf "$subpkgdir"/etc/nginx/http.d/redxen/alpine.conf
+	install_if="redxen-secret-alpinepkg-httpauth"
+	_rx_installdir="$_rx_installdir/module" rx_install alpine.conf
 }
 
 homepage() {
 	install_if="redxen-data-homepage"
-	install -Dm400 "$srcdir"/homepage.conf "$subpkgdir"/etc/nginx/http.d/redxen/homepage.conf
+	_rx_installdir="$_rx_installdir/module" rx_install homepage.conf
 }
 
 check() {
 	nginx -p / -c main.conf -t
 }
 
-sha512sums="032fcb53d7c7fa848c67398e26d1b9d643c795c2c0c6061e58d79abc5168f6e2482172b14966a01513e5ea183a92150fdc6c0fcb581ad04668fd32e3409ef1ed  main.conf
-abba14b4ed423455d9a6993b48f44c3464e37dc6a05119b3084d0519bbc62c7551cee721c25f0543b67ed80425c71dbe0ef5d3f8c9436faf7706d6d18414b149  seedbox.conf
-a8e85e18ae1f8c7f6f35fe27d879cc8642133cc63a3a44c6fd8b875eb3a3f2ccc9e3de1d95691bee574d4ead375ef096585b807dd301bc02b2fad312bc74cf24  alpine.conf
-0b5e7a0bb935ee0aa20c72ab1e7eb4ff4dcce22564fb7b354d28574e15e23bc7661414936d23be47afc9d465f44b3e2a55f14f1bb14d009286196e8615c6f729  homepage.conf"
+sha512sums="
+15708a8662984cbfc3d78c3337aa35a0e82586e2e7ba1430c2b99b5b584468e63899b40b5c15f29d892af2901135d9dc5dfdf2ea7469dd7382e7f25a797253e2  main.conf
+1a330386c6119487a338d78a23a4e116983c333f82373faaa527e22518d71959a0f330968da764ca884dd4dea227c3cf4d2f6252b1dd7f3488ef08543712788d  seedbox.conf
+5ae68165edab56f41e51ad5b608a29121db878aed0309882927207d4ea9ec5e505a78b194bc8df8f943259130300edd4aa49b2e23a4ee705fa9ea761533fd133  alpine.conf
+2657b0bdfc001f94159a8cddc928e666cb20055b3df42dd0ec48146c6952c3c7b3957af52612d35d38199fde76ee0c96cb0ea39ed38e13bcc608088c88dc3a88  homepage.conf
+"

config/nginx/main.conf

@@ -13,13 +13,5 @@ http {
 	keepalive_timeout                         300;
 	include                                   /etc/nginx/mime.types;
 	default_type                              application/octet-stream;
-	server {
-		listen                            *:7574 reuseport so_keepalive=on;
-		listen                            [::]:7574 reuseport so_keepalive=on;
-		include                           http.d/redxen/*.conf;
-		
-		location = /telegram {
-			return 302 https://t.me/joinchat/RSK4t6hPtkJDLYBO;
-		}
-	}
+	include                                   module/*.conf;
 }

config/nginx/module/alpine.conf

@@ -0,0 +1,18 @@
+server {
+	listen                            *:7574 so_keepalive=on;
+	listen                            [::]:7574 so_keepalive=on;
+	
+	location / {
+		root                      /var/lib/alpine-packages;
+		autoindex                 on;
+
+		limit_except              GET HEAD {
+			deny              all;
+		}
+
+		location /redxen {
+			auth_basic                "RedXen Alpine Package Archive";
+			auth_basic_user_file      /etc/redxen/alpinepkg-httpauth/passwdfile;
+		}
+	}
+}

config/nginx/module/homepage.conf

@@ -0,0 +1,16 @@
+server {
+	listen                            *:7575 so_keepalive=on;
+	listen                            [::]:7575 so_keepalive=on;
+	
+	location / {
+		root                      /usr/share/redxen/homepage;
+		autoindex                 on;
+		limit_except              GET HEAD {
+			deny              all;
+		}
+	}
+
+	location = /telegram {
+		return 302 https://t.me/joinchat/RSK4t6hPtkJDLYBO;
+	}
+}

config/nginx/module/seedbox.conf

@@ -0,0 +1,12 @@
+server {
+	listen                            *:7576 so_keepalive=on;
+	listen                            [::]:7576 so_keepalive=on;
+	
+	location / {
+		root                      /seedbox;
+		autoindex                 on;
+		limit_except              GET HEAD {
+			deny              all;
+		}
+	}
+}

config/nginx/modules/alpine.conf

@@ -1,11 +0,0 @@
-location / {
-	root                      /var/lib/alpine-packages;
-	autoindex                 on;
-	limit_except              GET HEAD {
-		deny              all;
-	}
-	location /redxen {
-		auth_basic                "RedXen Alpine Package Archive";
-		auth_basic_user_file      /etc/nginx/httpauth-alpine;
-	}
-}

config/nginx/modules/homepage.conf

@@ -1,7 +0,0 @@
-location / {
-	root                      /usr/share/redxen/homepage;
-	autoindex                 on;
-	limit_except              GET HEAD {
-		deny              all;
-	}
-}

config/nginx/modules/seedbox.conf

@@ -1,7 +0,0 @@
-location / {
-	root                      /seedbox;
-	autoindex                 on;
-	limit_except              GET HEAD {
-		deny              all;
-	}
-}

config/opendkim/APKBUILD

@@ -1,11 +1,10 @@
 # Contributor: Alex Denes <caskd@redxen.eu>
 # Maintainer: Alex Denes <caskd@redxen.eu>
-_svcname=opendkim
 
-. ../APKBUILD-config.common
+. ../APKBUILD-config.template
 
-_dkim_date="2021.03.28"
-pkgver=2021.03.28
+_dkim_date=2021.05.31.01
+pkgver=2021.06.01.03
 pkgrel=0
 depends="redxen-secret-opendkim~$_dkim_date"
 makedepends="opendkim-utils"
@@ -17,15 +16,17 @@ source="
 build() {
 	_selector="$_dkim_date-mail"
 	echo "*@redxen.eu $_selector._domainkey.redxen.eu" > signing_table
-	echo "$_selector._domainkey.redxen.eu redxen.eu:$_selector:/etc/opendkim/redxen/$_selector.private" > key_table
+	echo "$_selector._domainkey.redxen.eu redxen.eu:$_selector:$_rx_installdir/$_selector.private" > key_table
 }
 
 package() {
 	_files="$source signing_table key_table"
 	for i in $_files; do
-		install -Dm444 "$i" "$pkgdir"/etc/opendkim/redxen/"$i"
+		rx_install "$i"
 	done
 }
 
-sha512sums="6f23dfc823517db661cbe50b3f1f494a1b67e0c9928893f27a3fc5a8b74f0d1304933c79d1a8584be0f61ed0a40aa470fd524561a6b578ae0644bd9f05339952  trusted_hosts
-08be7b116306a86fac7cacd4771fa900a6e67ff2b8e33cf839ceecd24c8781763ee3b7b73b5a85da8758c17c62af3615cd0e570b161167c6a0fb13d83a1a90bc  opendkim.conf"
+sha512sums="
+6f23dfc823517db661cbe50b3f1f494a1b67e0c9928893f27a3fc5a8b74f0d1304933c79d1a8584be0f61ed0a40aa470fd524561a6b578ae0644bd9f05339952  trusted_hosts
+6cf9bbd8957f7ccd65ac2af63f68fc22578f23cc25e3c4279be1b76ba0f0b28d03b785726a9e1702fc4e467b87caf6273ca366b437646934d86f3c165fade0c4  opendkim.conf
+"

config/opendkim/opendkim.conf

@@ -3,9 +3,9 @@ UMask                   002
 
 Canonicalization        relaxed/simple
 
-InternalHosts           refile:/etc/opendkim/redxen/trusted_hosts
-KeyTable                refile:/etc/opendkim/redxen/key_table
-SigningTable            refile:/etc/opendkim/redxen/signing_table
+InternalHosts           refile:/etc/redxen/opendkim/trusted_hosts
+KeyTable                refile:/etc/redxen/opendkim/key_table
+SigningTable            refile:/etc/redxen/opendkim/signing_table
 
 Mode                    s
 PidFile                 /run/opendkim/opendkim.pid

config/openssh-sftp-seedbox/APKBUILD

@@ -1,23 +0,0 @@
-# Contributor: Alex Denes <caskd@redxen.eu>
-# Maintainer: Alex Denes <caskd@redxen.eu>
-_svcname=openssh-sftp-seedbox
-
-. ../APKBUILD-config.common
-
-pkgver=2020.12.07
-pkgrel=1
-source="
-	seedbox-conf
-	allowed_keys
-"
-
-package() {
-	install -dm755 -o root -g root "$pkgdir"/sftp-chroot
-	install -Dm644 allowed_keys "$pkgdir"/etc/ssh/authorized_keys/seedbox
-	# NOTE: Inclusion of this file doesn't work in openssh
-	#       It has to be appended manually to /etc/ssh/sshd_config
-	install -Dm644 seedbox-conf "$pkgdir"/etc/ssh/sshd.conf.d/redxen/seedbox
-}
-
-sha512sums="29d0bc0a52bd87d7544ce1d369d676ac38dcc4c18dac24b43b6bb649b7097617d53747935b0b4304dfce161158f5e8f008436bf036899b4e857b64f3c7c11a58  seedbox-conf
-f87e66868b1315cb63e89a9d7f47e7ffb889b9ec19bcd82e307774169446c546e6d3d51a977df7bffd70b83889979151a557575dc13a9f1d3c08d158e1a5a8cc  allowed_keys"

config/openssh-sftp-seedbox/allowed_keys

@@ -1 +0,0 @@
-ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCsD58tySBudDE7dw4aDttDv7rLWCqZ2c6N+GnrbSzqAxTcMxxn3GZeozXuz4pkl8NrGEKFk22AlB1hUl0gqnpAr0roL72mXE1WmjVc4EvEVYXLdHnm+rEi/FqvEK8D5mj1vs/ALGqtKGmY1363a8JRR7jSlBa45HkdC7IyJP0stpIkcriPS4kj/lEW0+J5KZ4NuKocjTbyVDoX67fLwBeu/YG4pz0ETKKU1/5xfBN+AxeD8brWvMMwrQzqJoAoRfLKCuD2yTSTPxek/Oa3lbNLUBF6o114gyxsc7zAWMpyNCPvstZoLCdQYqZ0sqVvcFGt0vmlrCtcQozkDVChz1E3 none

config/openssh-sftp-seedbox/seedbox-conf

@@ -1,7 +0,0 @@
-Match User seedbox
-AuthorizedKeysFile /etc/ssh/authorized_keys/seedbox
-ChrootDirectory /sftp-chroot
-ForceCommand internal-sftp
-AllowTcpForwarding no
-X11Forwarding no
-PasswordAuthentication no

config/postfix/APKBUILD

@@ -1,22 +1,49 @@
 # Contributor: Alex Denes <caskd@redxen.eu>
 # Maintainer: Alex Denes <caskd@redxen.eu>
-_svcname=postfix
-_configpath="/etc/postfix/redxen"
 
-. ../APKBUILD-config.common
+. ../APKBUILD-config.template
 
-pkgver=2021.03.09
+pkgver=2021.06.01.03
 pkgrel=0
 depends="postfix-pgsql redxen-secret-letsencrypt-chain redxen-secret-letsencrypt-private"
-install="$pkgname.pre-install"
-source="
-	master.cf
-	main.cf
+
+_rx_postfix_pgsql_source="
 	pgsql-aliases.cf
 	pgsql-users.cf
 "
+_rx_postfix_base_source="
+	master.cf
+	main.cf
+"
+source="
+	$_rx_postfix_base_source
+	secret
+	$_rx_postfix_pgsql_source
+"
 
-sha512sums="b43313dc2b00848bfbc6b14bdcee2c7a024aeeae5d2a46b6aaf370d55f58ac9f9a4cf992b7d75a8acf35b75fd00d04144626169ef153614b223de87677bfda21  master.cf
-a0fe63a10948fc5b83aa66779ec79eaff31eadd2d6791fc6f531719677692dbc1c24d9d20ddb5637a942f30cd47c6c47f53f0cbe840c56b17346cc9b7b82844c  main.cf
-a1778901dbc12de543d9d5897b9d50ee5ebe47b7ef6ed87a0087249657f146ff8493de455d32016660cca3c8d669592e0ea9fbe9b6696d92cac6f014277f29e5  pgsql-aliases.cf
-72c50fe20b4d1a7ea2e60fb2cac0164814ab41011eb7f0d67a8a5715a0cc43d3ad573f198a7933eb130f68ec5c25c558fad791300e5bb25e020ca76a4303db4c  pgsql-users.cf"
+build() {
+	. secret
+	: "${POSTGRESQL_PASSWORD:?'PostgreSQL database access password missing'}"
+
+	for i in $_rx_postfix_pgsql_source; do
+		cp "$i" "$i".private
+		rx_replace "POSTGRESQL_PASSWORD" "$POSTGRESQL_PASSWORD" "$i".private
+	done
+}
+
+package() {
+	for i in $_rx_postfix_base_source; do
+		rx_install "$i"
+	done
+	for i in $_rx_postfix_pgsql_source; do
+		rx_install "$i".private "$i"
+	done
+}
+
+sha512sums="
+b43313dc2b00848bfbc6b14bdcee2c7a024aeeae5d2a46b6aaf370d55f58ac9f9a4cf992b7d75a8acf35b75fd00d04144626169ef153614b223de87677bfda21  master.cf
+88b704d0cc54bf9f09a0f027d1b39677086cdb2be4c91132f5cb3c0717156e692f5a5241c77a2aad2b4e1c4e8b08e4098365a613605486809ccefbb1fc114f27  main.cf
+e2e2073b064a921a9eeed028e17617bcd2d1235517d908b4daadef45eb4cbb8686023c532d7938a779021cdd9548afe97f59d4c3232e7e01dca229e37e8c63ff  secret
+9c3ae0c3448710cb13e27cfd67864d27d364a3893ce70033df25ecd21cb0cc28a36f7d8aa9fe0cbdd0dc3516e78f34a5645a727387870d74ed8643078ec7e062  pgsql-aliases.cf
+939677c0733348509a26a9ee654bc57be6cf4ce760c40cac7d1cc802afc0f7ec4b53c3752f60e9482b78290f6e36c5c8eca98645b54b34ffbb51dfbf4080d916  pgsql-users.cf
+"

config/postfix/main.cf

@@ -1,3 +1,5 @@
+compatibility_level = 3.6
+
 # General
 smtpd_banner = $myhostname ESMTP RedXen Mail. DO NOT MESS WITH US OR WE WILL CUT YOUR BALLS OFF!
 mail_name = RedXen Mail Postfix
@@ -15,15 +17,14 @@ relayhost =
 relay_domains = $mydestination
 
 local_transport = local
-alias_maps = proxy:pgsql:/etc/postfix/redxen/pgsql-aliases.cf
-smtpd_sender_login_maps = proxy:pgsql:/etc/postfix/redxen/pgsql-users.cf
+alias_maps = proxy:pgsql:/etc/redxen/postfix/pgsql-aliases.cf
+smtpd_sender_login_maps = proxy:pgsql:/etc/redxen/postfix/pgsql-users.cf
 local_recipient_maps = $smtpd_sender_login_maps $alias_maps
 
 biff = no
 append_dot_mydomain = no
 delay_warning_time = 1h
 readme_directory = no
-compatibility_level = 2
 mailbox_size_limit = 0
 recipient_delimiter = +
 notify_classes = resource, software, bounce
@@ -36,8 +37,8 @@ smtp_tls_security_level = may
 smtp_tls_note_starttls_offer = yes
 
 smtpd_use_tls = yes
-smtpd_tls_cert_file = /etc/ssl/redxen/letsencrypt/chain.crt
-smtpd_tls_key_file = /etc/ssl/redxen/letsencrypt/private.key
+smtpd_tls_cert_file = /etc/redxen/letsencrypt/chain.crt
+smtpd_tls_key_file = /etc/redxen/letsencrypt/private.key
 smtpd_tls_security_level = may
 smtpd_tls_protocols = !SSLv2, !SSLv3
 
@@ -70,5 +71,5 @@ milter_protocol = 6
 milter_default_action = tempfail
 internal_mail_filter_classes = bounce, notify
 
-non_smtpd_milters = inet:rspamd.routinginfo.redxen.localhost:7510
-smtpd_milters = inet:opendkim.routinginfo.redxen.localhost:7514 $non_smtpd_milters
+non_smtpd_milters = inet:rspamd.routinginfo.internal:7510
+smtpd_milters = inet:opendkim.routinginfo.internal:7514 $non_smtpd_milters

config/postfix/pgsql-aliases.cf

@@ -0,0 +1,5 @@
+hosts = postgresql.routinginfo.internal:7550
+dbname = mail
+user = postfix
+password = POSTGRESQL_PASSWORD
+query = SELECT target FROM aliases WHERE alias = '%u' AND active = '1'

config/postfix/pgsql-users.cf

@@ -0,0 +1,5 @@
+hosts = postgresql.routinginfo.internal:7550
+dbname = mail
+user = postfix
+password = POSTGRESQL_PASSWORD
+query = SELECT userid FROM users WHERE userid = '%u' AND active = '1'

config/postfix/redxen-config-postfix.pre-install

@@ -1,5 +0,0 @@
-#!/bin/sh
-
-adduser dovecot rxletsenc
-
-return 0

config/postgresql/APKBUILD

@@ -1,12 +1,10 @@
 # Contributor: Alex Denes <caskd@redxen.eu>
 # Maintainer: Alex Denes <caskd@redxen.eu>
-_svcname=postgresql
-_configpath="/etc/postgresql/redxen"
 
-. ../APKBUILD-config.common
+. ../APKBUILD-config.template
 
-pkgver=2021.01.13
-pkgrel=2
+pkgver=2021.06.01.03
+pkgrel=0
 depends="postgresql-contrib"
 source="
 	postgresql.conf
@@ -15,10 +13,12 @@ source="
 "
 
 package() {
-	package_copy_configs
-	mkdir -p "$pkgdir"/var/lib/postgresql
+	rx_source_installall
+	install -dm700 "$(rx_cpkgdir)"/var/lib/postgresql
 }
 
-sha512sums="ee33ef1dd1e2afaea8336e94fd754c3ed5eff7d312de233fbbbf8371d736b1bec03d8c436d8b9360e04048b4548c3d3d488ca940c63b8e5645d143298b9fce18  postgresql.conf
+sha512sums="
+ee33ef1dd1e2afaea8336e94fd754c3ed5eff7d312de233fbbbf8371d736b1bec03d8c436d8b9360e04048b4548c3d3d488ca940c63b8e5645d143298b9fce18  postgresql.conf
 fc4faccaf8d8a7e0a683e20b959a0ca1c6aa8b190ab1e5f1568deb9483329e82a43264ff676845eeafd4f6c8d812ce2648702ba3ea52de4eadff8dbafece274b  pg_hba.conf
-cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e  pg_ident.conf"
+cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e  pg_ident.conf
+"

config/redis/APKBUILD

@@ -1,16 +1,17 @@
 # Contributor: Alex Denes <caskd@redxen.eu>
 # Maintainer: Alex Denes <caskd@redxen.eu>
-_svcname=redis
 
-. ../APKBUILD-config.common
+. ../APKBUILD-config.template
 
-pkgver=2020.12.29
-pkgrel=2
+pkgver=2021.06.01.03
+pkgrel=0
 source="redxen.conf"
 
 package() {
-	package_copy_configs
-	install -dm700 "$pkgdir"/var/lib/redis
+	rx_source_installall
+	install -dm700 "$(rx_cpkgdir)"/var/lib/redis
 }
 
-sha512sums="85b83fdec29dfe075aa2b4e79829b47ae42171a62878b3c69ca300a007d60e80634a92d62e646eb432aab5397c51c1f3ce406cfad3208d1e16cc5151711c4271  redxen.conf"
+sha512sums="
+35f292d3de4c7dfc9340ded312c4550431599c2704b5f036e62a758bd0a11bd8d3f5bad38680b0b7f54ccba725d3749232821d3c08cd954529ae1b2c2fccbd61  redxen.conf
+"

config/redis/redxen.conf

@@ -6,8 +6,8 @@ timeout 0
 tcp-keepalive 300
 
 #tls-port 7551
-#tls-cert-file /etc/ssl/redxen/selfsigned/public.pem
-#tls-key-file /etc/ssl/redxen/selfsigned/private.key
+#tls-cert-file /etc/redxen/selfsigned/public.pem
+#tls-key-file /etc/redxen/selfsigned/private.key
 #tls-ca-cert-dir /etc/ssl/certs
 # tls-auth-clients optional
 # tls-protocols "TLSv1.2 TLSv1.3"

config/rspamd/APKBUILD

@@ -1,11 +1,9 @@
 # Contributor: Alex Denes <caskd@redxen.eu>
 # Maintainer: Alex Denes <caskd@redxen.eu>
-_svcname=rspamd
-_configpath="/etc/rspamd/redxen"
 
-. ../APKBUILD-config.common
+. ../APKBUILD-config.template
 
-pkgver=2021.04.13
+pkgver=2021.06.01.03
 pkgrel=0
 _baseconf="
 	rspamd.conf
@@ -43,18 +41,21 @@ for i in $_modules; do
 done
 
 package() {
-	package_copy_configs "$_baseconf"
+	for i in $_baseconf; do
+		rx_install "$i"
+	done
 }
 
 _module() {
 	local module=${subpkgname##$pkgname-}
 	depends=""
-	install -Dm644 "$srcdir"/"$module".conf "$subpkgdir"/etc/rspamd/redxen/modules/"$module".conf
+	_rx_fperm=400 _rx_installdir="$_rx_installdir/modules" rx_install "$module".conf
 }
 
-sha512sums="99985993e5d7c525280020e7dc30106b3efbaa8ae2830a5069ad4270a8336d33efca74ed26103e1d2f5f341a0cffc4e0f77a2757fdeab27e3b492aa99ae7f977  spf.conf
+sha512sums="
+99985993e5d7c525280020e7dc30106b3efbaa8ae2830a5069ad4270a8336d33efca74ed26103e1d2f5f341a0cffc4e0f77a2757fdeab27e3b492aa99ae7f977  spf.conf
 96bb78e91c29a9d0e120e18b00ffe2a4d4b613b24e7da02f43994b1d150da00875339feda963f6e87c16002a6fc44e99462bde0070fec3026a2e2c7079be8ccc  spamtrap.conf
-d42a74d17771497960477878eedda2a00a434cbc1e994b015c21b4f631e24836cb6a7b14a24a2cb42ed15425b7758dc307a6cf602a770cfb0cc20b6f90064af9  redis.conf
+82554e0d5c955bf658f5093ed038eb66824eea0e6d0477a8e17600016a95da15bc9360b651c97c1345202a2164b0b6728323e64ea165d79a3acd6776d8d79d5b  redis.conf
 914c9800ae6195726fdbb8fe7fc403fdd346f082f77a0f6663e112518f2b19ab276371089d968e36340e50f8a52317606c598985fdf9318b2384e8e887005150  rbl.conf
 a753d136a21206cdc28a1554a38f51ad55e2eec842a31dbe1d151198bb8d9bb090e0f49b6b50cbc44e5011efb2ebeb2d2657a54df2f1a0c89ce3134fbd55220c  ratelimit.conf
 6ca83b91e70e43eff6de380065fc5591c6669a27497a47d74e5e096df68afea6269cfad41be982bb144f2dfb92fd5765a600cf9c4067c4612bd1aa1bf5e6ebfd  phishing.conf
@@ -69,8 +70,9 @@ dcec5c53bd29c345ed5c47727af9a8d11328cc8f69ae61064ba3b053ee306baa79b747067097b235
 eacbbe96fdfea9112b633bdf5471fcf8b2c297513685397759d588ad47905cf225dae3e4262dacb14477a2f52e6d3bf93b57abaf205719481f11a9ec8552fe07  arc.conf
 edcbb00d62662ec412adf8adc24fedb88a7b694ea1ac39c07539f84560c2f0c210fb7b8be1e2c041f9eadb4278a4a9a9cf80dea59e05c97233204c6f41b16597  rspamd.conf
 13b794a6eb95e672345b260e6a46d9ec95efd11159279af86c3ab3a9fea33e02807d67afad0d006597bf9b913927e6bff0cfc6d2cf6a5bd0bc993560cafb0951  composites.conf
-f88d7b2c78b8aa011cf7fd81214745b5c6af10f44482c6164b3001dd366d7bedcb96f7ab0e5b33839c1b82458e1e14ab04b75594856928bac6037698e2c82f7e  groups.conf
+91cdd4f25cd29b7524827683caa79efd37e1ef78698f7f0ce8c185773bd0e1fdf624215838b26165cb52151fe435b41a76714c9f0aa0ee341a473b468d4f5436  groups.conf
 78df39cbc6e09cdc5e01d27e123d82aa677a70a6f5d59ba0be8d0ce6af012c5311e4a2527e4fbc586f9cdd8da033e9f05e2371970fa23db60eaa8c16c8e85f05  logging.conf
 d5b99a03a86f35cb5b25cf0a1cf8be25a5a9158bc7f3a6362b35d6dc8e799613d03ade65b2673378fb1e2b5de67d48eb5e64a956551be9ef39c5d5d2ab2a3b36  statistic.conf
 301315c98f2816a9542a410352bf3eb7f025a57f8ccc37666f51a3371580cba06344197c2f2a4049d402472ba7c9a542a21e6938ac022030e95a472e8bba33b6  workers.conf
-2adbbed7442b2efad0c78aa735e562da68c992114b8b1b12258d39234cda66d198dddeaa5246f0b897b6174fc7b52430fada1bd1cd5870142b72d935c4f6e12f  spamtrap.map"
+2adbbed7442b2efad0c78aa735e562da68c992114b8b1b12258d39234cda66d198dddeaa5246f0b897b6174fc7b52430fada1bd1cd5870142b72d935c4f6e12f  spamtrap.map
+"

config/rspamd/groups.conf

@@ -274,7 +274,7 @@ group "rbl" {
 group "statistics" {
 	symbols = {
 		"BAYES_SPAM" {
-			weight = 5.1;
+			weight = 10;
 			description = "Message probably spam, probability: ";
 		}
 		"BAYES_HAM" {

config/rspamd/modules/redis.conf

@@ -1,4 +1,4 @@
 redis {
-	servers = "redis.routinginfo.redxen.localhost:7551";
+	servers = "redis.routinginfo.internal:7551";
 	db = 1;
 }

config/sysctl/APKBUILD

@@ -1,12 +1,11 @@
 # Contributor: Alex Denes <caskd@redxen.eu>
 # Maintainer: Alex Denes <caskd@redxen.eu>
-_svcname=sysctl
-_configpath="/etc/sysctl.d"
+_rx_installdir="/etc/sysctl.d"
 
-. ../APKBUILD-config.common
+. ../APKBUILD-config.template
 
-pkgver=2020.12.10
-pkgrel=2
+pkgver=2021.06.01.03
+pkgrel=0
 depends="busybox"
 source="
 	10-memory.conf
@@ -14,6 +13,8 @@ source="
 	30-kernel.conf
 "
 
-sha512sums="8043d419de52d0a8e75ed50643bd73ef3b3e2633d9064c6f6695b796834bc162f6b3c0e28082bb601e1a6c582e92ca90aa3dd626973c741c2ff0d3e1749521b1  10-memory.conf
+sha512sums="
+8043d419de52d0a8e75ed50643bd73ef3b3e2633d9064c6f6695b796834bc162f6b3c0e28082bb601e1a6c582e92ca90aa3dd626973c741c2ff0d3e1749521b1  10-memory.conf
 117648c1a0ee1a2d554eee2a0f8584097c66300dfda945a4ac0cb52f24160ae673abe3de964d419ddca4e0822a605c7b1d4f8d8e3f85d5f7c582b9803ffa21fc  20-network.conf
-a67a62adddcc0389eef167f390d948ce69488f5755fbd19ca16d9d626511229e7dd7f03fcf0f4731fa867a45417e9554f65b5ccca7fcacc2e51f056d4152031a  30-kernel.conf"
+a67a62adddcc0389eef167f390d948ce69488f5755fbd19ca16d9d626511229e7dd7f03fcf0f4731fa867a45417e9554f65b5ccca7fcacc2e51f056d4152031a  30-kernel.conf
+"

config/telegraf/APKBUILD

@@ -1,18 +1,72 @@
 # Contributor: Alex Denes <caskd@redxen.eu>
 # Maintainer: Alex Denes <caskd@redxen.eu>
-_svcname=telegraf
-_cfgumask=400
 
-. ../APKBUILD-config.common
+. ../APKBUILD-config.template
 
-pkgver=2020.12.23
-pkgrel=2
-source="main.conf"
-checkdepends="telegraf"
+pkgver=2021.06.01.05
+pkgrel=0
 options=""
+checkdepends="telegraf"
+source="main.conf"
+_modules="
+	base
+	unbound
+	redis
+	haproxy
+	rspamd
+	wireguard
+"
+
+for i in $_modules; do
+	source="$source $i.conf"
+	subpackages="$subpackages $pkgname-$i"
+done
 
 check() {
-	telegraf --config main.conf --test >/dev/null
+	telegraf --config main.conf --config base.conf --test >/dev/null
 }
 
-sha512sums="3d342136225a8c060be6af63e0769da6fc870206471836cd4f414b9765c85930fe5a9fdb6b7a7acedb2d631264472849c53c2af7a4a387bd2c582bf1c1a0c97e  main.conf"
+package() {
+	rx_install main.conf
+}
+
+base() {
+	install_if="$pkgname"
+	_rx_installdir="$_rx_installdir/module" rx_install base.conf
+}
+
+unbound() {
+	install_if="$pkgname redxen-config-unbound-rctrl"
+	_rx_installdir="$_rx_installdir/module" rx_install unbound.conf
+}
+
+redis() {
+	install_if="$pkgname redxen-config-redis"
+	_rx_installdir="$_rx_installdir/module" rx_install redis.conf
+}
+
+haproxy() {
+	install_if="$pkgname redxen-config-haproxy"
+	_rx_installdir="$_rx_installdir/module" rx_install haproxy.conf
+}
+
+rspamd() {
+	install_if="$pkgname redxen-config-rspamd"
+	_rx_installdir="$_rx_installdir/module" rx_install rspamd.conf
+}
+
+wireguard() {
+	install_if="$pkgname redxen-config-wireguard"
+	_rx_installdir="$_rx_installdir/module" rx_install wireguard.conf
+}
+
+
+sha512sums="
+5a0f1dab5c4887700f7f29eeb0d1be28690737f1689a12e67861be4c0bb8276ece8fcb279983e6e3bc5484bd6aa932b663d6ff775c68e33c1190fcdbaa3b1889  main.conf
+532d6b79eafb7629ef3f2a16f2f9323369d93357b301e44c111661eab8108a3d09dae1fd2c7f8a4c3d832c66285e2098fcd7713f37b545b5616d7c9a749a2684  base.conf
+5a81b295f17189115fe93d1d68d94181aaab32dfcdd3e4d0480991c515d0cec57cb58bac354b893a5109a9e62d400a278489c9d64b997968ad8f326e02c7ddb1  unbound.conf
+a4bc80850c94291d00b2ad56e50216ab36515bcc176b3c5678b24c3d5a3740b9de9006df8e37e42942a50227e6b27321d267e27decffbf6d9a37755d3224121e  redis.conf
+f219fcd9c1aeb4503e813f00c51cc2a2ccb8c297727f3542e614c784b977ef6a32d492de750b8d4338f95172dfdc0e388a72662e80c92a890e2bfc7d34e3396d  haproxy.conf
+0e5e8282a77553cf75b3184367486d37f4dd6e6ed5a216f2ca5b94f4fe7b151565eb5d9fc35f5eadc154da41aa39f0f7979ded054be9da94b981326ca13c6b8f  rspamd.conf
+3f6d05082d4e01fb7498c82fb92fb479c5766148c9dcfd118d248ceaf6838f4794b940a8fcff0ec6020000806c6418f93e5aa60cbf32fd826fa4f9870f925ba7  wireguard.conf
+"

config/telegraf/base.conf

@@ -0,0 +1,21 @@
+[[outputs.influxdb]]
+	urls = ["http://influxdb.routinginfo.internal:7552"]
+	database = "telegraf"
+
+[[inputs.cpu]]
+	percpu = true
+	totalcpu = true
+	collect_cpu_time = true
+	report_active = true
+
+[[inputs.disk]]
+	ignore_fs = ["tmpfs", "devtmpfs", "devfs", "overlay", "aufs", "squashfs"]
+
+[[inputs.diskio]]
+[[inputs.kernel]]
+[[inputs.kernel_vmstat]]
+[[inputs.mem]]
+[[inputs.processes]]
+[[inputs.swap]]
+[[inputs.system]]
+[[inputs.net]]

config/telegraf/haproxy.conf

@@ -0,0 +1,3 @@
+[[inputs.haproxy]]
+	servers = ["socket:/run/haproxy.sock"]
+	keep_field_names = true

config/telegraf/main.conf

@@ -1,33 +1,11 @@
 [agent]
-  interval = "10s"
-  round_interval = true
-  metric_batch_size = 1000
-  metric_buffer_limit = 10000
-  flush_interval = "10s"
-  precision = "10s"
-  debug = false
-  quiet = false
-  logfile = ""
-  omit_hostname = false
-
-[[outputs.influxdb]]
-  urls = ["http://influxdb.routinginfo.redxen.localhost:7552"]
-  database = "telegraf"
-
-[[inputs.cpu]]
-  percpu = true
-  totalcpu = true
-  collect_cpu_time = true
-  report_active = true
-
-[[inputs.disk]]
-  ignore_fs = ["tmpfs", "devtmpfs", "devfs", "overlay", "aufs", "squashfs"]
-
-[[inputs.diskio]]
-[[inputs.kernel]]
-[[inputs.kernel_vmstat]]
-[[inputs.mem]]
-[[inputs.processes]]
-[[inputs.swap]]
-[[inputs.system]]
-[[inputs.net]]
+	interval = "10s"
+	round_interval = true
+	metric_batch_size = 1000
+	metric_buffer_limit = 10000
+	flush_interval = "10s"
+	precision = "1s"
+	debug = false
+	quiet = false
+	logfile = ""
+	omit_hostname = false

config/telegraf/monerod.conf

@@ -0,0 +1,12 @@
+[[inputs.http]]
+	urls = ["http://localhost:7579/json_rpc"]
+	method = "POST"
+	data_format = "json"
+	content_encoding = "identity"
+	body = '{"method":"get_info"}'
+	json_query = "result"
+	headers = { "Content-Type" = "application/json", "Transfer-Encoding" = "identity" }
+	tag_keys = [
+		"nettype"
+	]
+	name_override = "monerod"

config/telegraf/redis.conf

@@ -0,0 +1,2 @@
+[[inputs.redis]]
+	servers = ["tcp://localhost:7551"]

config/telegraf/rspamd.conf

@@ -0,0 +1,8 @@
+[[inputs.http]]
+	urls = ["http://localhost:7512/stat"]
+	data_format = "json"
+	tag_keys = [
+		"config_id",
+		"version"
+	]
+	name_override = "rspamd"

config/telegraf/unbound.conf

@@ -0,0 +1,2 @@
+[[inputs.unbound]]
+	server = "localhost:8953"

config/telegraf/wireguard.conf

@@ -0,0 +1,2 @@
+[[inputs.wireguard]]
+	devices = ["rxmain"]

config/transmission-daemon/APKBUILD

@@ -1,18 +0,0 @@
-# Contributor: Alex Denes <caskd@redxen.eu>
-# Maintainer: Alex Denes <caskd@redxen.eu>
-_svcname="transmission-daemon"
-_configpath="/etc/transmission"
-_cfgumask=400
-
-. ../APKBUILD-config.common
-
-pkgver=2021.01.26
-pkgrel=2
-source="settings.json"
-
-package() {
-	package_copy_configs
-	mkdir -p "$pkgdir"/etc/transmission/resume "$pkgdir"/seedbox
-}
-
-sha512sums="6b6ca000655811ffdf1d51609cf0315f8516a7a7c0f602d97848071d6441bd13e053d896d9a56bc5c772b9c5ee600419480460db13dfdf03921e4d90a2a01887  settings.json"

config/transmission/APKBUILD

@@ -0,0 +1,35 @@
+# Contributor: Alex Denes <caskd@redxen.eu>
+# Maintainer: Alex Denes <caskd@redxen.eu>
+
+. ../APKBUILD-config.template
+
+pkgver=2021.06.01.03
+pkgrel=0
+source="
+	secret
+	settings.json
+"
+depends="transmission-daemon"
+
+build() {
+	. secret
+	: "${TRANSMISSION_USERNAME:?'Transmission username is missing'}"
+	: "${TRANSMISSION_PASSWORD:?'Transmission password is missing'}"
+
+	cp "settings.json" "settings.json.private"
+	TRANSMISSION_PASS_SALT="$(cat /dev/urandom | tr -dc '[:alnum:]./' | head -c 8)"
+	TRANSMISSION_PASS_HASH="$(printf '%s%s' "$TRANSMISSION_PASSWORD" "$TRANSMISSION_PASS_SALT" | sha1sum)"
+	TRANSMISSION_PASS_SALTED="{${TRANSMISSION_PASS_HASH%% *}$TRANSMISSION_PASS_SALT"
+	rx_replace "TRANSMISSION_USERNAME" "$TRANSMISSION_USERNAME" settings.json.private
+	rx_replace "TRANSMISSION_PASSWORD" "$TRANSMISSION_PASS_SALTED" settings.json.private
+}
+
+package() {
+	rx_install "settings.json.private" "settings.json"
+	install -dm700 "$(rx_cpkgdir)"/"$_rx_installdir"/resume "$(rx_cpkgdir)"/seedbox
+}
+
+sha512sums="
+7435cdea2f9a63d09164c6c7cf6105e24a27316150bbebb7c2abda0a72c9ffcbd36632be1f9d77bccdc616fa8b84a9bfeaa4b5b32349d11a3d4f9c12ee884963  secret
+900829893fa4cd61c7950d640f8a4b043f33de90abce9007b8c5d76d464df3542e0ca2630deb93344d4a896f999f0da4f2474ad77cb7d628247c34c78aec515b  settings.json
+"

config/transmission/settings.json

@@ -0,0 +1,70 @@
+{
+    "alt-speed-down": 50,
+    "alt-speed-enabled": false,
+    "alt-speed-time-begin": 540,
+    "alt-speed-time-day": 127,
+    "alt-speed-time-enabled": false,
+    "alt-speed-time-end": 1020,
+    "alt-speed-up": 50,
+    "bind-address-ipv4": "0.0.0.0",
+    "bind-address-ipv6": "::",
+    "blocklist-enabled": true,
+    "blocklist-url": "https://github.com/sahsu/transmission-blocklist/releases/latest/download/blocklist.gz",
+    "cache-size-mb": 50,
+    "dht-enabled": true,
+    "download-dir": "/seedbox",
+    "download-queue-enabled": true,
+    "download-queue-size": 50,
+    "encryption": 2,
+    "idle-seeding-limit": 30,
+    "idle-seeding-limit-enabled": false,
+    "incomplete-dir": "/seedbox",
+    "incomplete-dir-enabled": true,
+    "lpd-enabled": false,
+    "message-level": 2,
+    "peer-congestion-algorithm": "",
+    "peer-id-ttl-hours": 1,
+    "peer-limit-global": 2000,
+    "peer-limit-per-torrent": 30,
+    "peer-port": 51413,
+    "peer-port-random-high": 65535,
+    "peer-port-random-low": 49152,
+    "peer-port-random-on-start": false,
+    "peer-socket-tos": "default",
+    "pex-enabled": true,
+    "port-forwarding-enabled": false,
+    "preallocation": 0,
+    "prefetch-enabled": true,
+    "queue-stalled-enabled": true,
+    "queue-stalled-minutes": 30,
+    "ratio-limit": 20,
+    "ratio-limit-enabled": false,
+    "rename-partial-files": true,
+    "rpc-authentication-required": true,
+    "rpc-bind-address": "0.0.0.0",
+    "rpc-enabled": true,
+    "rpc-host-whitelist": "127.0.0.1",
+    "rpc-host-whitelist-enabled": false,
+    "rpc-port": 7572,
+    "rpc-url": "/",
+    "rpc-username": "TRANSMISSION_USERNAME",
+    "rpc-password": "TRANSMISSION_PASSWORD",
+    "rpc-whitelist": "127.0.0.1",
+    "rpc-whitelist-enabled": false,
+    "scrape-paused-torrents-enabled": true,
+    "script-torrent-done-enabled": false,
+    "script-torrent-done-filename": "",
+    "seed-queue-enabled": false,
+    "seed-queue-size": 100,
+    "speed-limit-down": 100,
+    "speed-limit-down-enabled": false,
+    "speed-limit-up": 100,
+    "speed-limit-up-enabled": false,
+    "start-added-torrents": true,
+    "trash-original-torrent-files": false,
+    "umask": 18,
+    "upload-slots-per-torrent": 1000,
+    "utp-enabled": true,
+    "watch-dir": "/watch",
+    "watch-dir-enabled": false
+}

config/unbound/APKBUILD

@@ -1,102 +1,62 @@
 # Contributor: Alex Denes <caskd@redxen.eu>
 # Maintainer: Alex Denes <caskd@redxen.eu>
-_svcname=unbound
 
-. ../APKBUILD-config.common
+. ../APKBUILD-config.template
 
-_dkim_date=2021.03.28
-_dnssec_date=2021.04.05
-pkgver=2021.04.29
-pkgrel=2
+pkgver=2021.06.01.04
+pkgrel=0
 depends="alpine-baselayout ca-certificates-bundle dns-root-hints dnssec-root"
-makedepends="redxen-secret-opendkim-dns~$_dkim_date bind-dnssec-tools redxen-secret-dnssec~$_dnssec_date"
-checkdepends="bind-tools unbound"
-subpackages="$pkgname-acl $pkgname-rctrl $pkgname-internal $pkgname-auth-rx:auth_rx $pkgname-auth-crxn:auth_crxn"
-source="
-	includes.conf
-	base.conf
-	acl.conf
-	rctrl.conf
-	internal.conf
-
-	auth-redxen.conf
-	auth-crxn.conf
-	zones/redxen.eu
-	zones/crxn
-"
+checkdepends="unbound"
 options="checkroot"
-builddir="$srcdir"
+_modules="
+	acl
+	rctrl
+	auth_redxen
+	auth_crxn
+	auth_internal
+"
+source="
+	base.conf
+"
 
-prepare() {
-	default_prepare
-	# Add everything dynamic
-	cat redxen.eu /etc/opendkim/redxen/dns-record /etc/dns/redxen.eu/*.key > redxen.eu-cat
-}
-
-# DNSSEC signing happens here
-build() {
-	msg "Signing redxen.eu zone"
-	dnssec-signzone -K /etc/dns/redxen.eu -f redxen.eu-signed -e "+90d" -o redxen.eu -t redxen.eu-cat
-}
+for i in $_modules; do
+	_authname="${i##auth_}"
+	if [ "${i%%_*}" = "auth" ]; then 
+		checkdepends="$checkdepends redxen-data-bindzone-$_authname"
+	fi
+	subpackages="$subpackages $pkgname-$i:_module_ins"
+	source="$source $i.conf"
+done
 
 check() {
 	msg "Checking configuration validity"
 	/usr/sbin/unbound-checkconf base.conf
-	/usr/sbin/unbound-checkconf acl.conf
-	/usr/sbin/unbound-checkconf rctrl.conf
-	/usr/sbin/unbound-checkconf internal.conf
 
-	# Cannot be checked because it expects files in a read-only path, not crucial
-	#/usr/sbin/unbound-checkconf auth-zones.conf
-	/usr/sbin/named-checkzone redxen.eu ./redxen.eu-signed
-	/usr/sbin/named-checkzone crxn ./crxn
+	for i in $_modules; do
+		/usr/sbin/unbound-checkconf "$i".conf
+	done
+
 }
 
 package() {
-	for i in includes.conf base.conf acl.conf rctrl.conf internal.conf auth-redxen.conf auth-crxn.conf; do
-		install -Dm644 "$i" "$pkgdir"/etc/unbound/"$i"
-	done
-	# Unsigned zones
-	for i in crxn; do
-		install -Dm644 "$i" "$pkgdir"/etc/unbound/zones/"$i"
-	done
-	# Signed zones
-	for i in redxen.eu; do
-		install -Dm644 "$i-signed" "$pkgdir"/etc/unbound/zones/"${i%%-signed}"
-		install -Dm644 "dsset-$i." "$pkgdir"/etc/dns/"$i"/"dsset-$i."
-	done
+	rx_install base.conf
 }
 
-acl() {
-	amove etc/unbound/acl.conf
+_module_ins() {
+	_modname="${subpkgname##${pkgname}-}"
+	_authname="${_modname##auth_}"
+	if [ "${_modname%%_*}" = "auth" ]; then 
+		msg "Matched auth zone $_authname, adding depends to bindzone"
+		depends="$depends redxen-data-bindzone-$_authname"
+	fi
+	_rx_installdir="$_rx_installdir/module" rx_install "$_modname".conf
 }
 
-rctrl() {
-	amove etc/unbound/rctrl.conf
-}
-
-internal() {
-	amove etc/unbound/internal.conf
-}
-
-auth_rx() {
-	amove etc/unbound/auth-redxen.conf
-	amove etc/unbound/zones/redxen.eu
-	# Zone is signed, include the DS key in the package
-	amove etc/dns/redxen.eu
-}
-
-auth_crxn() {
-	amove etc/unbound/auth-crxn.conf
-	amove etc/unbound/zones/crxn
-}
-
-sha512sums="428b251c4bdd8ca0cd6174b3c76d5fb6acf25734dc75325fd06ce5e867b2ba9c25ddd5d485f17562b7d8cdea62708e04bd44e854d028de9688298cb018b86d54  includes.conf
-d3754ced9d8055ff7f1d364a93c403bba3f220a60ea519bceee5e9c43112d6a00d20d15cf659fdd6ad6834cf14afd6ecb5d9e1497ff2932572fd970750655749  base.conf
+sha512sums="
+bcb4c8e66d185f56751cc8f44ced802622abbd91bad08bae38b549d0e38438cd876784ac432ddd30347c4f6e5f0c205aafb085beecb1a58224074b3ac2b8f817  base.conf
 75709787e0872197c83def93b343550934f6b2e4903873aaf72f357fb8b4a1d7c5b8ba84913f052ad01aeca03f58ca589a22bf867c1c2e40e01f9588c7c580c4  acl.conf
 d94ad338e2ea43c3ecdc62c861eddc0bb706807b738dd985309bcdf0b5fb435d7260bf272e2bbe40a774ec5b8fa49cbf23624c2c5213eea94f4f14aa3720abfa  rctrl.conf
-1eb7833b06f158f13b7c52ee14cd4e455acd9a8de344d6410092a5de98b1f4a62e209ce1e744cfc1a8afd588d3f54c5ce35a59ca31e3dd0fc16d517975fc6aa1  internal.conf
-28c917fe7f69643887097553312c4f1ffc747dffdbf150430e6c4b2e5833567922810716cb59a27887915664777ac3263be3c826956f504499f0ebdcc0b3aac5  auth-redxen.conf
-91847e65c48e585f298bb766b2b20c43f5380686b594233da3b722962b03f2f4c858bf299b745027dadd184408a87b1e85ebf03b027196756455afea69f79cf9  auth-crxn.conf
-44ffaafac7f0255218aaa1d32e496df3cfa051972b2817aaabe4db802aa1e209f6022546126f93d2b349d431e82380568cfb1f48f2610b9aae4cd047fa26e8d0  redxen.eu
-7a487f4f350310c2f1d3f7bf422352264b8ebe3dec1b5892685c59912aed8542711e253638d30f87e2b9b97144a12222de10ebe23ce6bb54a958ec7e5b35743d  crxn"
+a013d162067027aabde0ce0810bfa9ac7e329ad77a52c93afed2faa56f92c73f5933327b70c2ba5e0ef663852462185653aef5138c62da8043c19179cb3e2607  auth_redxen.conf
+e678f22aa89a9df3db35921a20225abd2b0408ff1e6815b12ec135a740d95bc8a0669aebae3d0945e29c3896f43a0da88375a1c241fabcd410a65e47466c1f6d  auth_crxn.conf
+b854e0d09875653676336ffc9e36690b2abe1a565f25fafd9cd0940cb5b6d8bb57e1d43a7a9b072c11fcadc9073e1dceceea9a517e4d55bee1d217fd1bd759e6  auth_internal.conf
+"

config/unbound/auth_crxn.conf

@@ -3,4 +3,4 @@ auth-zone:
 	fallback-enabled: no
 	for-downstream: yes
 	for-upstream: yes
-	zonefile: "/etc/unbound/zones/crxn"
+	zonefile: "/etc/redxen/bindzone/crxn"

config/unbound/auth_internal.conf

@@ -0,0 +1,6 @@
+auth-zone:
+	name: internal
+	fallback-enabled: no
+	for-downstream: yes
+	for-upstream: yes
+	zonefile: "/etc/redxen/bindzone/internal"

config/unbound/auth_redxen.conf

@@ -3,4 +3,4 @@ auth-zone:
 	fallback-enabled: no
 	for-downstream: yes
 	for-upstream: yes
-	zonefile: "/etc/unbound/zones/redxen.eu"
+	zonefile: "/etc/redxen/bindzone/redxen.eu"

config/unbound/base.conf

@@ -20,3 +20,5 @@ server:
 	serve-expired: yes
 	serve-expired-ttl: 86400
 	serve-expired-ttl-reset: yes
+
+include: "/etc/redxen/unbound/module/*.conf"

config/unbound/includes.conf

@@ -1,6 +0,0 @@
-include: "/etc/unbound/base.conf"
-#include: "/etc/unbound/acl.conf"
-#include: "/etc/unbound/rctrl.conf"
-#include: "/etc/unbound/internal.conf"
-#include: "/etc/unbound/auth-redxen.conf"
-#include: "/etc/unbound/auth-crxn.conf"

config/unbound/internal.conf

@@ -1,36 +0,0 @@
-server:
-	local-zone: "redxen.localhost." static
-
-	# Machines
-	local-data: "8101153.nbg1-dc3.hetzner.redxen.localhost. 86400 IN AAAA 201:5d63:154:f0c6:9789:1899:6acb:1805"
-	local-data: "8201371.fsn1-dc14.hetzner.redxen.localhost. 86400 IN AAAA 200:8656:aa4:dc68:888:d92c:914b:866b"
-	local-data: "9013723.fsn1-dc14.hetzner.redxen.localhost. 86400 IN AAAA 200:2749:8af:bdf9:f011:997e:7bbb:35f3"
-	local-data: "9227948.nbg1-dc3.hetzner.redxen.localhost. 86400 IN AAAA 201:3b84:3e03:9e0f:4885:fb55:45f6:ebbd"
-	local-data: "9804624.nbg1-dc3.hetzner.redxen.localhost. 86400 IN AAAA 205:bb23:5a95:218e:3943:a6e:254e:a347"
-
-	# Familiar names
-	local-data: "lain.nurnberg.hetzner.redxen.localhost. 86400 IN CNAME 8101153.nbg1-dc3.hetzner.redxen.localhost."
-	local-data: "arisu.falkenstein.hetzner.redxen.localhost. 86400 IN CNAME 8201371.fsn1-dc14.hetzner.redxen.localhost."
-	local-data: "chisa.falkenstein.hetzner.redxen.localhost. 86400 IN CNAME 9013723.fsn1-dc14.hetzner.redxen.localhost."
-	local-data: "masami.nurnberg.hetzner.redxen.localhost. 86400 IN CNAME 9227948.nbg1-dc3.hetzner.redxen.localhost."
-	local-data: "taro.nurnberg.hetzner.redxen.localhost. 86400 IN CNAME 9804624.nbg1-dc3.hetzner.redxen.localhost."
-	
-	# Services
-	local-data: "_grafana._tcp.routinginfo.redxen.localhost. 60 IN SRV 0 5 7577 8201371.fsn1-dc14.hetzner.redxen.localhost."
-	local-data: "_transmission._tcp.routinginfo.redxen.localhost. 60 IN SRV 0 5 7572 9013723.fsn1-dc14.hetzner.redxen.localhost."
-	local-data: "_gitea._tcp.routinginfo.redxen.localhost. 60 IN SRV 0 5 7570 9227948.nbg1-dc3.hetzner.redxen.localhost."
-	local-data: "_gitssh._tcp.routinginfo.redxen.localhost. 60 IN SRV 0 5 7571 9227948.nbg1-dc3.hetzner.redxen.localhost."
-	local-data: "_monerod._tcp.routinginfo.redxen.localhost. 60 IN SRV 0 5 7579 9804624.nbg1-dc3.hetzner.redxen.localhost."
-	# local-data: "_pleroma._tcp.routinginfo.redxen.localhost. 60 IN SRV 0 5 8088 6051167.nbg1-dc3.hetzner.redxen.localhost."
-
-	# NGINX servers
-	local-data: "_root._tcp.routinginfo.redxen.localhost. 60 IN SRV 0 5 7574 8101153.nbg1-dc3.hetzner.redxen.localhost."
-	local-data: "_seedown._tcp.routinginfo.redxen.localhost. 60 IN SRV 0 5 7574 9013723.fsn1-dc14.hetzner.redxen.localhost."
-	local-data: "_packages._tcp.routinginfo.redxen.localhost. 60 IN SRV 0 5 7574 8201371.fsn1-dc14.hetzner.redxen.localhost."
-
-	# Services (no CNAME/SRV support)
-	local-data: "postgresql.routinginfo.redxen.localhost. 86400 IN AAAA 201:5d63:154:f0c6:9789:1899:6acb:1805"
-	local-data: "redis.routinginfo.redxen.localhost. 86400 IN AAAA 201:5d63:154:f0c6:9789:1899:6acb:1805"
-	local-data: "influxdb.routinginfo.redxen.localhost. 86400 IN AAAA 201:5d63:154:f0c6:9789:1899:6acb:1805"
-	local-data: "rspamd.routinginfo.redxen.localhost. 86400 IN AAAA 200:2749:8af:bdf9:f011:997e:7bbb:35f3"
-	local-data: "opendkim.routinginfo.redxen.localhost. 86400 IN AAAA 201:3b84:3e03:9e0f:4885:fb55:45f6:ebbd"

config/varnish/APKBUILD

@@ -1,11 +0,0 @@
-# Contributor: Alex Denes <caskd@redxen.eu>
-# Maintainer: Alex Denes <caskd@redxen.eu>
-_svcname=varnish
-
-. ../APKBUILD-config.common
-
-pkgver=2020.12.07
-pkgrel=1
-source="main.vcl"
-
-sha512sums="6674a942017c0f1be2ff6eefb9f2a92a0f7d615e4ce367e880bceef0ec2646f3aac4180f2bb32557ac9ae8590b02882d05afbc7478bee9069a8138945e6835fc  main.vcl"

config/varnish/main.vcl

@@ -1,73 +0,0 @@
-vcl 4.1;
-import std;
-
-backend default {
-	.host                   = "127.0.0.1";
-	.port                   = "7500";
-	.max_connections        = 300;
-	.first_byte_timeout     = 240s;
-	.connect_timeout        = 10s;
-	.between_bytes_timeout  = 2s;
-}
-sub vcl_recv {
-	unset req.http.user-agent;
-	if (	req.method != "GET" &&
-		req.method != "HEAD" &&
-		req.method != "PUT" &&
-		req.method != "POST" &&
-		req.method != "TRACE" &&
-		req.method != "OPTIONS" &&
-		req.method != "PATCH" &&
-		req.method != "DELETE") {
-			return (pipe);
-	}
-	if (req.method == "GET" || req.method == "HEAD") {
-		return (hash);
-	}
-	return (pass);
-}
-sub vcl_hash {
-	hash_data(req.url);
-	hash_data(req.http.host);
-	if (req.http.cookie ~ "pleroma_key|gitea_incredible|grafana_session") {
-		hash_data(req.http.cookie);
-	}
-	if (req.http.authorization) {
-		hash_data(req.http.authorization);
-	}
-	return (lookup);
-}
-sub vcl_backend_response {
-	set beresp.do_stream = false;
-	set beresp.do_gzip = true;
-	if (beresp.status == 500 || beresp.status == 502 || beresp.status == 503 || beresp.status == 504) {
-		if (bereq.is_bgfetch){
-			return (abandon);
-		}
-		set beresp.uncacheable = true;
-		return (deliver);
-	}
-	if (beresp.http.Set-Cookie || beresp.http.Cache-Control ~ "no-cache|no-store|private") {
-		set beresp.uncacheable = true;
-		return (deliver);
-	}
-	if (beresp.http.ETag || beresp.http.Last-Modified || bereq.http.If-Modified-Since) {
-		set beresp.grace = 1h;
-		set beresp.keep = 12h;
-	}
-	if (beresp.status == 301) {
-		set beresp.ttl = 24h;
-	}
-	return (deliver);
-}
-sub vcl_deliver {
-	if (req.proto ~ "HTTP/2.0" && resp.http.keep-alive) {
-		unset resp.http.keep-alive;
-	}
-	if (obj.hits > 0) {
-		set resp.http.X-Cache = "HIT";
-	} else {
-		set resp.http.X-Cache = "MISS";
-	}
-	return (deliver);
-}

config/wireguard/APKBUILD

@@ -1,25 +1,62 @@
 # Contributor: Alex Denes <caskd@redxen.eu>
 # Maintainer: Alex Denes <caskd@redxen.eu>
-_svcname=wireguard
 
-. ../APKBUILD-config.common
+. ../APKBUILD-config.template
 
-pkgver=2021.05.17
-pkgrel=2
+pkgver=2021.06.01.03
+pkgrel=0
 subpackages="$pkgname-sysctl"
 source="
+	secret
 	main.conf
 	sysctl.conf
 "
+_users=""
+
+build() {
+	. secret
+	: "${WIREGUARD_PRIVATEKEY:?'Private key missing'}"
+
+	cp main.conf main.conf.private
+	rx_replace "WIREGUARD_PRIVATEKEY" "$WIREGUARD_PRIVATEKEY" main.conf.private
+	for i in $_users; do
+		msg "Added ${i#*::} as :${i%::*}"
+		printf "[Peer]\nPublicKey = %s\nAllowedIPs = 172.22.12.%s/32, fd42:42:42::2:%s/128\n" "${i#*::}" "${i%::*}" "${i%::*}" >> main.conf.private
+	done
+}
 
 package() {
-	install -Dm400 main.conf "$pkgdir"/etc/wireguard/rxmain.conf
+	rx_install main.conf.private rxmain.conf
 }
 
 sysctl() {
 	install_if="redxen-config-wireguard"
-	install -Dm644 "$srcdir"/sysctl.conf "$subpkgdir"/etc/sysctl.d/90-wireguard.conf
+	_rx_installdir="/etc/sysctl.d" rx_install sysctl.conf 90-wireguard.conf
 }
 
-sha512sums="e07fc910ad58d739066b05af3e7d7f0f0bfda3aeb06118d94a836a1cc122ded158e0fec6a9b68e256613aefba000e67e6435cf378e0bd88814273c4a7e5a07b2  main.conf
-b79ffbc64f2e193dc9402f7506b56b66892aa5387d13ac209ae344f9ce0f17aec3fdc503bf6855650d413dba3b66ffa3f937dd803850028579f5f5ed747c56b0  sysctl.conf"
+adduser() {
+	for i in $@; do
+		_users="$_users $i"
+	done
+}
+
+adduser   "2::Xb+ASR5NdnIB+dXWEA4H0V3d0LC0KocKeFeQDyqDqjk=" \
+          "3::kz9vLMnPtfka11n1EJpzHb4966ieJSo4BU1P2joHLXo=" # caskd <caskd@redxen.eu>
+adduser  "12::2FRcncz/oSmqFQLrHqICi4fEkgxrCeS9P8TTv5gcfCw=" # cherry <cherry@redxen.eu>
+adduser  "16::d459SqKVWko+wBhoFrU+yrFVM4BqI8FSmPtdrWepkw0=" # viggi <viggi@redxen.eu>
+adduser  "18::Fb8sYfZghohEpznWpt46x1cmmkymt2ksQL7fEBI6qlc=" # MartijnTim <martijntim@redxen.eu>
+adduser  "20::QHx0BCbRDKXX3OvdZwX9jYN2BMJPcPj4r/gYekkBTXY=" \
+         "21::THwCjbASYrGxjOiw/gvmiiXoQJpQF1LzLXbaEW8FVU4=" # Nova <novaburst@kalli.st>
+adduser  "24::zPg/v+EVJUhrSe1a3+ayzJuXakWUbgvcTgv3j4T11ks=" \
+         "25::ht/GLP/r7WWM2JP0Ya+vdA7+aigoy9tY8b4wOm2VAUg=" \
+         "26::PrGVHgZAM6vSK4I70QgYurIinKZE3b2Rrq5NQ8RDqS8=" # Shokara <shokara@snopyta.org>
+adduser  "30::S/4jSds8CNsyk1SjI03AxWtB3E9lhtW49dia+x9hoVs=" \
+         "31::SFPtaY7fn632wJXIkVYFtaPop7fGoX6pEkTkqZklHXM=" \
+         "32::g9hn9jKFUwU7cijAuleeDUL2EqiAOD8shY/pTAk0qTA=" \
+         "33::JlvGHLrhbce2yQAQEgbnIduXNwswTW9VIkDwvtOEiVQ=" # deavmi <deavmi@redxen.eu>
+
+sha512sums="
+72d9999cd7a0be1f334cdf4690c56dac591f6149176a74e70dda7f239d3a82e4c62077efb487e4f59d10b50e24a9d18e3afe0735e7418bf2a4b41623dabdeb87  secret
+77aafee9d5af31710cf3d85788b7e61883348a9e42cf13fde34b1c30a9f3c825e8180605647435cf59cf7de731c0b5d2c1d868dbf9011033fde53128e134d08e  main.conf
+b79ffbc64f2e193dc9402f7506b56b66892aa5387d13ac209ae344f9ce0f17aec3fdc503bf6855650d413dba3b66ffa3f937dd803850028579f5f5ed747c56b0  sysctl.conf
+"

config/wireguard/main.conf

@@ -0,0 +1,4 @@
+[Interface]
+Address = 172.22.12.1/24, fd42:42:42::2:1/120
+ListenPort = 51820
+PrivateKey = WIREGUARD_PRIVATEKEY

config/xonotic/APKBUILD

@@ -1,12 +1,12 @@
 # Contributor: Alex Denes <caskd@redxen.eu>
 # Maintainer: Alex Denes <caskd@redxen.eu>
-_svcname=xonotic
-_configpath="/etc/xonotic-server/redxen/data"
 
-. ../APKBUILD-config.common
+. ../APKBUILD-config.template
 
-pkgver=2021.01.30
-pkgrel=7
+pkgver=2021.06.01.03
+pkgrel=0
 source="server.cfg"
 
-sha512sums="f875dc170b46d25914e2a1a09b0b1867f43c5eeea105931e5dd209a248e1a562d36541fc9d7f844f856d98a3adfb4dd1c66ebe6911fb2f15d7f56b7f3553a08b  server.cfg"
+sha512sums="
+f875dc170b46d25914e2a1a09b0b1867f43c5eeea105931e5dd209a248e1a562d36541fc9d7f844f856d98a3adfb4dd1c66ebe6911fb2f15d7f56b7f3553a08b  server.cfg
+"

config/yggdrasil/APKBUILD

@@ -1,12 +0,0 @@
-# Contributor: Alex Denes <caskd@redxen.eu>
-# Maintainer: Alex Denes <caskd@redxen.eu>
-_svcname=yggdrasil
-_cfgumask=600
-
-. ../APKBUILD-config.common
-
-pkgver=2020.12.10
-pkgrel=2
-source="redxen.conf"
-
-sha512sums="630d13a1256257b804c37e167a08fa96e622d393bca1b2ec2f8f6f60f286b00954fa3ff07cd215e5835b18ef7fc8bedfc1d881303af80625936302f5d72b6496  redxen.conf"

config/yggdrasil/redxen.conf

@@ -1,10 +0,0 @@
-{
-	Peers: [
-	]
-	Listen: [
-		tls://0.0.0.0:7521
-	]
-	MulticastInterfaces: []
-	AllowedEncryptionPublicKeys: [
-	]
-}

cron/APKBUILD-cron.common

@@ -1,8 +0,0 @@
-pkgname="redxen-cron-$_cronname"
-pkgdesc="Cronjob files for $_cronname"
-url="https://git.redxen.eu/RedXen/aports"
-arch="noarch"
-license="none"
-depends="dcron"
-options="!check"
-builddir="$srcdir"

cron/APKBUILD-cron.template

@@ -0,0 +1,14 @@
+. ../../APKBUILD.template
+
+: ${pkgname:?"No package prefix provided"}
+
+pkgname="$pkgname-cron-$_rx_pkgname"
+pkgdesc="RedXen cronjobs: $_rx_pkgname"
+depends="dcron"
+_rx_fperm=544
+
+package() {
+	for i in $source; do
+		_rx_installdir="/etc/periodic/$i" rx_install "$i" "$_rx_pkgname"
+	done
+}

cron/dovecot/APKBUILD

@@ -1,17 +0,0 @@
-# Contributor: Alex Denes <caskd@redxen.eu>
-# Maintainer: Alex Denes <caskd@redxen.eu>
-_cronname=dovecot
-
-. ../APKBUILD-cron.common
-
-pkgver=2021.01.29
-pkgrel=0
-install_if="redxen-config-dovecot"
-source="cron-daily"
-
-package() {
-	mkdir -p "$pkgdir"/var/mail/snapshots
-	install -Dm544 cron-daily "$pkgdir"/etc/periodic/daily/snapshot-mail
-}
-
-sha512sums="f89295c25569d57bd5b52255d06036be3d5bd8e40c2f9eeb8f4d6468d2dd510e9c7382348936f47e075d64105888fba9c6a2245c419acea862cd20f6339b1d42  cron-daily"

cron/gitea/APKBUILD

@@ -1,17 +0,0 @@
-# Contributor: Alex Denes <caskd@redxen.eu>
-# Maintainer: Alex Denes <caskd@redxen.eu>
-_cronname=gitea
-
-. ../APKBUILD-cron.common
-
-pkgver=2021.01.29
-pkgrel=0
-install_if="redxen-config-gitea"
-source="cron-daily"
-
-package() {
-	install -dm700 "$pkgdir"/gitea/snapshots
-	install -Dm544 cron-daily "$pkgdir"/etc/periodic/daily/snapshot-gitea
-}
-
-sha512sums="1628ddf15426b3f6aeb03d81e2f12d701925f943ddf77da2b9af0b44c10baaf5be6f1f8a9a2bff17d09242127dde54d9fdf06bdc3826fb8ff4e35ec28f3da644  cron-daily"

cron/influxdb/APKBUILD

@@ -1,17 +0,0 @@
-# Contributor: Alex Denes <caskd@redxen.eu>
-# Maintainer: Alex Denes <caskd@redxen.eu>
-_cronname=influxdb
-
-. ../APKBUILD-cron.common
-
-pkgver=2021.01.29
-pkgrel=0
-install_if="redxen-config-influxdb"
-source="cron-daily"
-
-package() {
-	install -dm700 "$pkgdir"/var/lib/influxdb/snapshots
-	install -Dm544 cron-daily "$pkgdir"/etc/periodic/daily/snapshot-influxdb
-}
-
-sha512sums="11069cdc37181ec5e131164fad9a6215278fd50954ec4dace0eac059a5b665fc514e5285823191c27a76ce2a3215dbc10158c8e5dfcd01b6a3b04b0d5b3f1907  cron-daily"

cron/postgresql/APKBUILD

@@ -1,17 +0,0 @@
-# Contributor: Alex Denes <caskd@redxen.eu>
-# Maintainer: Alex Denes <caskd@redxen.eu>
-_cronname=postgresql
-
-. ../APKBUILD-cron.common
-
-pkgver=2021.01.29
-pkgrel=0
-install_if="redxen-config-postgresql"
-source="cron-daily"
-
-package() {
-	install -dm700 "$pkgdir"/var/lib/postgresql/redxen_snapshots
-	install -Dm544 cron-daily "$pkgdir"/etc/periodic/daily/snapshot-postgresql
-}
-
-sha512sums="c6dfc277e98287d715651a3b54a9661c527dac4cc4be932a23888a5cfa659fc971ffa20982820c9a91064dad90968124b5764e9827a4ecf038b35b4cce5d430b  cron-daily"

cron/redis/APKBUILD

@@ -1,17 +0,0 @@
-# Contributor: Alex Denes <caskd@redxen.eu>
-# Maintainer: Alex Denes <caskd@redxen.eu>
-_cronname=redis
-
-. ../APKBUILD-cron.common
-
-pkgver=2021.01.29
-pkgrel=0
-install_if="redxen-config-redis"
-source="cron-daily"
-
-package() {
-	install -dm700 "$pkgdir"/var/lib/redis/snapshots
-	install -Dm544 cron-daily "$pkgdir"/etc/periodic/daily/snapshot-redis
-}
-
-sha512sums="216621fc0e36d2c86a808b3c855e04197c21a769b89f7d661eeee0661b2648a42cd453ac217f6f693a389f5bbfcee3dd990183c3b3a780977a83e97dfb836cd5  cron-daily"

cron/snapshot-dovecot/APKBUILD

@@ -0,0 +1,13 @@
+# Contributor: Alex Denes <caskd@redxen.eu>
+# Maintainer: Alex Denes <caskd@redxen.eu>
+
+. ../APKBUILD-cron.template
+
+pkgver=2021.06.01.03
+pkgrel=0
+install_if="redxen-config-dovecot"
+source="daily"
+
+sha512sums="
+f89295c25569d57bd5b52255d06036be3d5bd8e40c2f9eeb8f4d6468d2dd510e9c7382348936f47e075d64105888fba9c6a2245c419acea862cd20f6339b1d42  daily
+"

cron/snapshot-gitea/APKBUILD

@@ -0,0 +1,13 @@
+# Contributor: Alex Denes <caskd@redxen.eu>
+# Maintainer: Alex Denes <caskd@redxen.eu>
+
+. ../APKBUILD-cron.template
+
+pkgver=2021.06.01.03
+pkgrel=0
+install_if="redxen-config-gitea"
+source="daily"
+
+sha512sums="
+1628ddf15426b3f6aeb03d81e2f12d701925f943ddf77da2b9af0b44c10baaf5be6f1f8a9a2bff17d09242127dde54d9fdf06bdc3826fb8ff4e35ec28f3da644  daily
+"

cron/snapshot-influxdb/APKBUILD

@@ -0,0 +1,13 @@
+# Contributor: Alex Denes <caskd@redxen.eu>
+# Maintainer: Alex Denes <caskd@redxen.eu>
+
+. ../APKBUILD-cron.template
+
+pkgver=2021.06.01.03
+pkgrel=0
+install_if="redxen-config-influxdb"
+source="daily"
+
+sha512sums="
+11069cdc37181ec5e131164fad9a6215278fd50954ec4dace0eac059a5b665fc514e5285823191c27a76ce2a3215dbc10158c8e5dfcd01b6a3b04b0d5b3f1907  daily
+"

cron/snapshot-postgresql/APKBUILD

@@ -0,0 +1,13 @@
+# Contributor: Alex Denes <caskd@redxen.eu>
+# Maintainer: Alex Denes <caskd@redxen.eu>
+
+. ../APKBUILD-cron.template
+
+pkgver=2021.06.01.03
+pkgrel=0
+install_if="redxen-config-postgresql"
+source="daily"
+
+sha512sums="
+c6dfc277e98287d715651a3b54a9661c527dac4cc4be932a23888a5cfa659fc971ffa20982820c9a91064dad90968124b5764e9827a4ecf038b35b4cce5d430b  daily
+"