Fix typos

Signed-off-by: Micke Nordin <kano@sunet.se>

files/scriptreciver/sysctl-d-gofasta.conf

@@ -0,0 +1,6 @@
+net.core.rmem_max=67108864
+net.core.wmem_max=67108864
+net.ipv4.tcp_rmem=4096 87380 33554432
+net.ipv4.tcp_wmem=4096 87380 33554432
+net.core.default_qdisc=fq
+net.ipv4.tcp_congestion_control=bbr

manifests/app_type.pp

@@ -101,7 +101,24 @@ define sunetdrive::app_type (
       content => template('sunetdrive/application/get_containers'),
       mode    => '0744',
     }
-    if ($environment == 'test' and ($nodenumber == 3)) {
+    if ($nodenumber == 3) {
+      file { '/usr/lib/nagios/plugins/check_nextcloud_mounts.py':
+        ensure  => present,
+        owner   => 'root',
+        group   => 'root',
+        content => template('sunetdrive/application/check_nextcloud_mounts.py'),
+        mode    => '0744',
+      }
+      sunet::sudoer {'nagios_run_nextcloud_mounts_command':
+        user_name    => 'nagios',
+        collection   => 'nrpe_nextcloud_mounts_check',
+        command_line => '/usr/lib/nagios/plugins/check_nextcloud_mounts.py'
+      }
+      sunet::nagios::nrpe_command {'check_nextcloud_mounts':
+        command_line => '/usr/bin/sudo /usr/lib/nagios/plugins/check_nextcloud_mounts.py'
+      }
+    }
+    if ($nodenumber == 3) {
       file { '/usr/local/bin/scan_external_mounts':
         ensure  => present,
         force   => true,
@@ -117,10 +134,6 @@ define sunetdrive::app_type (
         ok_criteria   => ['exit_status=0','max_age=2d'],
         warn_criteria => ['exit_status=1','max_age=3d'],
       }
-      cron { 'scan_external_mounts':
-        ensure  => absent,
-        command => 'true',
-      }
     }
     file { '/opt/nextcloud/cron.sh':
       ensure  => file,
@@ -392,5 +405,4 @@ define sunetdrive::app_type (
       }
     }
   }
-
 }

manifests/db_type.pp

@@ -15,6 +15,7 @@ define sunetdrive::db_type(
   $backup_password = safe_hiera('backup_password')
   $proxysql_password = safe_hiera('proxysql_password')
   $mysql_user_password = safe_hiera('mysql_user_password')
+  $roundcube_password = safe_hiera('roundcube_password')
   $mariadb_dir = '/etc/mariadb'
   $mycnf_path = 'sunetdrive/mariadb/my.cnf.erb'
   $server_id = 1000 + Integer($facts['networking']['hostname'][-1])
@@ -34,7 +35,7 @@ define sunetdrive::db_type(
   if $location =~ /^multinode/ {
     $from = $db_ip + $nextcloud_ip + $backup_ip + $backup_ipv6 + $db_ipv6 + $config['kube'] + $config['kube_v6']
   } elsif $location == 'sunet-test' or $location == 'sunet-prod' {
-    $from = $db_ip + $nextcloud_ip + $backup_ip + $backup_ipv6 + $db_ipv6 + $config['imap'] + $config['imap_v6'] + $config['smtp'] + $config['smtp_v6']
+    $from = $db_ip + $nextcloud_ip + $backup_ip + $backup_ipv6 + $db_ipv6 + $config['imap'] + $config['imap_v6'] + $config['smtp'] + $config['smtp_v6'] + $config['webmail'] + $config['webmail_v6']
   } else {
     $from = $db_ip + $nextcloud_ip + $backup_ip + $backup_ipv6 + $db_ipv6
   }
@@ -46,7 +47,7 @@ define sunetdrive::db_type(
   sunet::system_user {'mysql': username => 'mysql', group => 'mysql' }
 
 
-  $sql_files = ['02-backup_user.sql', '03-proxysql.sql', '04-nextcloud.sql']
+  $sql_files = ['02-backup_user.sql', '03-proxysql.sql', '04-nextcloud.sql', '05-roundcube.sql']
   $sql_files.each |$sql_file|{
     file { "${mariadb_dir}/init/${sql_file}":
       ensure  => present,

manifests/multinode.pp

@@ -46,26 +46,35 @@ class sunetdrive::multinode (
     content => template('sunetdrive/application/get_containers'),
     mode    => '0744',
   }
-  if ($environment == 'test') {
-    file { '/usr/local/bin/scan_external_mounts':
-      ensure  => present,
-      force   => true,
-      owner   => 'root',
-      group   => 'root',
-      content => template('sunetdrive/application/scan_external_mounts.sh'),
-      mode    => '0744',
-    }
-    sunet::scriptherder::cronjob { 'scriptherder_scan_external_mounts':
-      cmd           => '/usr/local/bin/scan_external_mounts',
-      hour          => '1',
-      minute        => '20',
-      ok_criteria   => ['exit_status=0','max_age=2d'],
-      warn_criteria => ['exit_status=1','max_age=3d'],
-    }
-    cron { 'scan_external_mounts':
-      ensure  => absent,
-      command => 'true',
-    }
+  file { '/usr/lib/nagios/plugins/check_nextcloud_mounts.py':
+    ensure  => present,
+    owner   => 'root',
+    group   => 'root',
+    content => template('sunetdrive/application/check_nextcloud_mounts.py'),
+    mode    => '0744',
+  }
+  sunet::sudoer {'nagios_run_nextcloud_mounts_command':
+    user_name    => 'nagios',
+    collection   => 'nrpe_nextcloud_mounts_check',
+    command_line => '/usr/lib/nagios/plugins/check_nextcloud_mounts.py'
+  }
+  sunet::nagios::nrpe_command {'check_nextcloud_mounts':
+    command_line => '/usr/bin/sudo /usr/lib/nagios/plugins/check_nextcloud_mounts.py'
+  }
+  file { '/usr/local/bin/scan_external_mounts':
+    ensure  => present,
+    force   => true,
+    owner   => 'root',
+    group   => 'root',
+    content => template('sunetdrive/application/scan_external_mounts.sh'),
+    mode    => '0744',
+  }
+  sunet::scriptherder::cronjob { 'scriptherder_scan_external_mounts':
+    cmd           => '/usr/local/bin/scan_external_mounts',
+    hour          => '1',
+    minute        => '20',
+    ok_criteria   => ['exit_status=0','max_age=2d'],
+    warn_criteria => ['exit_status=1','max_age=3d'],
   }
   file { '/usr/local/bin/nocc':
     ensure  => present,

manifests/multinode_db.pp

@@ -41,7 +41,10 @@ class sunetdrive::multinode_db(){
         group   => 'root',
         mode    => '0600',
       }
-      file { '/root/tasks/listusersbydep.sh':
+      file { '/root/tasks/':
+        ensure  => directory,
+      }
+      -> file { '/root/tasks/listusersbydep.sh':
         ensure  => file,
         content => template('sunetdrive/mariadb/listusersdep.sh.erb'),
         owner   => 'root',
@@ -55,7 +58,10 @@ class sunetdrive::multinode_db(){
         group   => 'root',
         mode    => '0700',
       }
-      file {'/opt/mariadb/statistics/custdata.json':
+      file {'/opt/mariadb/statistics/':
+        ensure      => directory,
+      }
+      -> file {'/opt/mariadb/statistics/custdata.json':
         ensure      => file,
         content     => template('sunetdrive/mariadb/custconfig.json.erb'),
         owner       => 'root',

manifests/scriptreceiver.pp

@@ -5,7 +5,19 @@ class sunetdrive::scriptreceiver()
   sunet::system_user {'script': username => 'script', group => 'script', managehome => true, shell => '/bin/bash' }
 
   # These tasks correspond to a ${task}.erb.sh template
-  $tasks = ['list_users', 'list_files_for_user', 'create_bucket', 'backup_db', 'purge_backups', 'maintenancemode', 'restart_sunet_service', 'start_sentinel', 'stop_sentinel', 'removeswap', 'backup_multinode_db']
+  $tasks = [
+    'list_users',
+    'list_files_for_user',
+    'create_bucket',
+    'backup_db',
+    'purge_backups',
+    'maintenancemode',
+    'restart_sunet_service',
+    'start_sentinel',
+    'stop_sentinel',
+    'removeswap',
+    'backup_multinode_db'
+  ]
 
   $environment = sunetdrive::get_environment()
   $config = hiera_hash($environment)
@@ -35,7 +47,9 @@ class sunetdrive::scriptreceiver()
     type   => 'ssh-ed25519',
     key    => $script_pub_key,
   }
-
+  file { '/etc/sysctl.d/gofasta.conf':
+    ensure  => 'absent',
+  }
   file { '/opt/rotate':
     ensure => directory,
     mode   => '0750',

manifests/sitemonitornaemon.pp

@@ -11,6 +11,9 @@ class sunetdrive::sitemonitornaemon() {
   $environment = sunetdrive::get_environment()
   $influx_passwd = safe_hiera('influx_passwd')
   $slack_url = safe_hiera('slack_url')
+  $extra_host_groups = {
+    node3_hosts => join($facts['configured_hosts_in_cosmos']['all'].filter |$host| { $host =~ /^node3\./ }, ',')
+  }
 
   file { '/usr/local/bin/slack_nagios.sh':
     ensure  => present,
@@ -45,6 +48,11 @@ class sunetdrive::sitemonitornaemon() {
     content => template('sunetdrive/monitor/sunetdrive_thruk_templates.conf.erb'),
     mode    => '0644',
   }
+  file { '/etc/naemon/conf.d/sunetdrive_extra_hostgroups.cfg':
+    ensure  => present,
+    content => template('sunetdrive/monitor/sunetdrive_extra_hostgroups.cfg.erb'),
+    mode    => '0644',
+  }
   nagioscfg::service {'check_scriptherder':
     hostgroup_name => ['sunetdrive::nrpe'],
     check_command  => 'check_nrpe_1arg_to300!check_scriptherder',
@@ -99,6 +107,12 @@ class sunetdrive::sitemonitornaemon() {
     description    => 'Status of sarimner interface',
     contact_groups => ['alerts']
   }
+  nagioscfg::service {'check_nextcloud_mounts':
+    hostgroup_name => ['node3_hosts','sunetdrive::multinode'],
+    check_command  => 'check_nrpe_1arg!check_nextcloud_mounts',
+    description    => 'S3 buckets with multiple Nextcloud mounts',
+    contact_groups => ['alerts']
+  }
 
 }
 

templates/application/check_nextcloud_mounts.py

@@ -0,0 +1,42 @@
+#!/usr/bin/env python3
+
+from collections import Counter
+import json
+import shlex
+import subprocess
+import sys
+
+exit = 0
+base_message = "OK: no duplicate mounts"
+long_message = ""
+
+get_containers = subprocess.Popen('/usr/local/bin/get_containers', stdout=subprocess.PIPE).stdout.read()
+containers = get_containers.decode().splitlines()
+
+for i, container in enumerate(containers, start=1):
+    buckets = []
+    list_command = f"/usr/local/bin/nocc {container} files_external:list --all --show-password --output json"
+    command = shlex.split(list_command)
+    mount_data_byte = subprocess.Popen(command, stdout=subprocess.PIPE).stdout.read()
+    try:
+        mount_data = json.loads(mount_data_byte.decode())
+    except json.decoder.JSONDecodeError as err:
+        if i == 1 or i != len(containers):
+            base_message = "WARNING: invalid json"
+        long_message +=  f"\ncontainer: {container} - json decode error: {err}"
+#        lets do exit 0 for now
+#        exit = 1
+        continue
+    for items in mount_data:
+        buckets.append(items["configuration"]["bucket"])
+    bucket_count = dict(Counter(buckets))
+    for k, v in bucket_count.items():
+        if v > 1:
+            base_message = "WARNING: buckets with multiple mounts"
+            long_message += f"\ncontainer: {container} - bucket: {k} - {v}"
+#            lets do exit 0 for now
+#            exit = 1
+print(base_message)
+if long_message != "":
+    print(long_message.lstrip())
+sys.exit(exit)

templates/application/config.php.erb

@@ -16,6 +16,7 @@ $CONFIG = array (
     ),
   ),
   'appstoreenabled' => false,
+  'auth.bruteforce.protection.enabled' => false,
   'config_is_read_only' => true,
   'csrf.disabled' => true,
   'datadirectory' => '/var/www/html/data',
@@ -76,7 +77,7 @@ $CONFIG = array (
       'region' => 'us-east-1',
       'hostname' => '<%= @s3_host %>',
       'port' => '',
-      'useMultipartCopy' => false,
+      'useMultipartCopy' => true,
       'objectPrefix' => 'urn:oid:',
       'autocreate' => false,
       'use_ssl' => true,

templates/application/nocc.erb

@@ -15,7 +15,7 @@ if [[ "x${oc_list}" != "x" ]]; then
         done
 fi
 
-docker exec -ti ${MY_VARS} -u www-data ${container} php --define apc.enable_cli=1 /var/www/html/occ "$@"
+docker exec -i ${MY_VARS} -u www-data ${container} php --define apc.enable_cli=1 /var/www/html/occ "$@"
 exit 0
 
 

templates/application/remount_user_bucket_as_project.sh

@@ -52,7 +52,7 @@ echo '
             "region": "'${region}'",
             "secret": "'${secret}'",
             "storageClass": "",
-            "useMultipartCopy": false,
+            "useMultipartCopy": true,
             "use_path_style": true,
             "use_ssl": true
         },

templates/application/scan_external_mounts.sh

@@ -3,28 +3,32 @@
 error_ids=""
 # Only run if this is the only instance of this script running
 # note: since this script forks to run pgrep, we need -eq 2 here
-if [[ $(pgrep -f "${0}" | wc -l) -eq 2 ]]; then
+# shellcheck disable=SC2126
+if [[ $(pgrep -a -f "${0}" | grep -v scriptherder | wc -l) -eq 2 ]]; then
 	# We sleep a deterministic amount of time, which will be between 0 an 128 m and allways the same within
 	# a specific host, but will differ between hosts
 	sleep $((16#$(ip a | grep "link/ether" | head -1 | awk -F ':' '{print $6}' | awk '{print $1}') / 2))m
-	for container in $(get_containers); do
-    error_ids="${error_ids} ${container}: "
-		for id in $(nocc "${container}" files_external:list --all --output json | jq '.[].mount_id' | jq .); do
-			nocc "${container}" files_external:scan "${id}" | grep Error
-      # shellcheck disable=SC2181
-      if [[ ${?} -eq 0 ]]; then
-        error_ids="${error_ids} ${id}"
-      fi
+	errors=''
+	for container in $(/usr/local/bin/get_containers); do
+		error_ids="${error_ids} ${container}: "
+		for id in $(/usr/local/bin/nocc "${container}" files_external:list --all --output json | jq '.[].mount_id' | jq .); do
+			/usr/local/bin/nocc "${container}" files_external:scan "${id}" | grep Error
+			# shellcheck disable=SC2181
+			if [[ ${?} -eq 0 ]]; then
+				errors="${errors} ${id}"
+				error_ids="${error_ids} ${id}"
+			fi
 		done
 	done
 else
-  echo "Another instance of this script is already running, exiting"
-  pgrep -a -f "${0}"
-  exit 0
+	echo "Another instance of this script is already running, exiting"
+	pgrep -a -f "${0}" | grep -v scriptherder
+	exit 0
 fi
 
-if [[ -n "${error_ids}" ]]; then
-  echo "Errors found in the following mounts: ${error_ids}"
-  exit 1
+if [[ -n "${errors}" ]]; then
+	echo "Errors found in the following mounts: ${error_ids}"
+	exit 1
 fi
+echo "No errors found"
 exit 0

templates/mariadb/05-roundcube.sql.erb

@@ -0,0 +1,3 @@
+CREATE SCHEMA roundcubemail;
+CREATE USER 'roundcube'@'%' IDENTIFIED BY '<%= @roundcube_password %>';
+GRANT ALL PRIVILEGES ON roundcubemail.* TO 'roundcube'@'%' IDENTIFIED BY '<%= @roundcube_password %>';

templates/monitor/sunetdrive_extra_hostgroups.cfg.erb

@@ -0,0 +1,8 @@
+<% @extra_host_groups.each do |group, members| -%>
+# <%= group %>
+define hostgroup {
+  hostgroup_name <%= group %>
+  alias <%= group %>
+  members <%= members %>
+}
+<% end -%>

templates/script/listusers.erb.sh

@@ -1,10 +1,10 @@
 #!/bin/bash
 
-customer="${1}" 
-multinode="${2}" 
+customer="${1}"
+multinode="${2}"
 environment="<%= @environment %>"
 location="${customer}-${environment}"
-userjson=$(ssh "script@${multinode}" "sudo /home/script/bin/list_users.sh nextcloud-${customer}-app-1") 
+userjson=$(ssh -o StrictHostKeyChecking=no "script@${multinode}" "sudo /home/script/bin/list_users.sh nextcloud-${customer}-app-1")
 project="statistics"
 bucket="drive-server-coms"
 base_dir="${project}:${bucket}"

templates/script/makebuckets.erb.sh

@@ -43,9 +43,11 @@ for eppn in $(echo "${users}" | jq -r keys[]); do
   username=${eppn%@*}
   # Remove underscore from username
   user=${username//_/-}
+  # convert user to lower case for bucket naming rules
+  user_lower=${user,,}
 
   echo "$(date) - Check bucket status for ${eppn}"
-  bucketname="${user}-${site_name//./-}"
+  bucketname="${user_lower}-${site_name//./-}"
   if ! echo "${buckets}" | grep "${bucketname}" &> /dev/null; then
     echo "$(date) - ${eppn} has no mounts configured, adding bucket and mounts..."
     ${rclone} mkdir "${rcp}:${bucketname}"

templates/scriptreceiver/create_bucket.erb.sh

@@ -33,12 +33,12 @@ fi
 key=$(grep access_key_id "${rclone_config}" | awk '{print $3}')
 secret=$(grep secret_access_key "${rclone_config}"| awk '{print $3}')
 endpoint=$(grep endpoint "${rclone_config}" | awk '{print $3}')
-preexisting="$(docker exec -u www-data -i "${container}" php --define apc.enable_cli=1 /var/www/html/occ files_external:list --output json "${user}" | jq -r '.[] | .configuration.bucket' | grep "${bucket}")"
+preexisting="$(docker exec -u www-data -i "${container}" php --define apc.enable_cli=1 /var/www/html/occ files_external:list --output json --show-password "${user}" | jq -r '.[] | .configuration.bucket' | grep "${bucket}")"
 
 if [[ -z ${preexisting} ]]; then
 	docker exec -u www-data -i "${container}" php --define apc.enable_cli=1 /var/www/html/occ files_external:create "${user_bucket_name}" \
 		amazons3 -c bucket="${bucket}" -c key="${key}" -c secret="${secret}" -c hostname="${endpoint}" -c use_ssl=true -c use_path_style=true -c region=us-east-1 \
-		-c useMultipartCopy=false amazons3::accesskey --user ${user}
+		-c useMultipartCopy=true amazons3::accesskey --user ${user}
 	for shareid in $(docker exec -u www-data -i ${container} php --define apc.enable_cli=1 /var/www/html/occ files_external:export ${user} | jq -r '.[].mount_id'); do
 		docker exec -u www-data -i ${container} php --define apc.enable_cli=1 /var/www/html/occ files_external:option ${shareid} enable_sharing true
 	done

templates/scriptreceiver/create_bucket_without_question.sh

@@ -7,7 +7,7 @@ bucket=${4}
 user=${5}
 /usr/local/bin/occ files_external:create "${bucket}" \
 	amazons3 -c bucket="${bucket}" -c key="${key}" -c secret="${secret}" -c hostname="${endpoint}" -c use_ssl=true -c use_path_style=true -c region=us-east-1 \
-	-c useMultipartCopy=false amazons3::accesskey --user "${user}"
-for shareid in $(/usr/local/bin/occ files_external:export "${user}" | jq -r '.[].mount_id'); do
-	/usr/local/bin/occ files_external:option "${shareid}" enable_sharing true
+	-c useMultipartCopy=true amazons3::accesskey --user "${user}"
+for shareid in $(/usr/local/bin/nocc files_external:export "${user}" | jq -r '.[].mount_id'); do
+	/usr/local/bin/nocc files_external:option "${shareid}" enable_sharing true
 done