cleanup changes

freifunkMUC · Apr 21, 2024 · bc150ac · bc150ac
1 parent 531e4c9
commit bc150ac
Show file tree

Hide file tree

Showing 11 changed files with 29 additions and 26 deletions.
diff --git a/grafana/grafana.ini.tmpl b/grafana/grafana.ini.tmpl
@@ -415,3 +415,6 @@ concurrent_render_request_limit = 30
 
 [plugin.grafana-image-renderer]
 rendering_ignore_https_errors = true
+[feature_toggles]
+autoMigrateOldPanels = true
+
diff --git a/influxdb/influxdb.conf.tmpl b/influxdb/influxdb.conf.tmpl
@@ -249,6 +249,9 @@ reporting-disabled = true
   # The path of the unix domain socket.
   # bind-socket = "/var/run/influxdb.sock"
 
+  # Test Flux query language
+  flux-enabled = true
+
 ###
 ### [subscriber]
 ###

diff --git a/kvm/init.sls b/kvm/init.sls
@@ -12,9 +12,6 @@
 virt-pkgs:
   pkg.installed:
     - pkgs:
-      - qemu-kvm
-      - libvirt-daemon-system
-      - libvirt-clients
       - xmlstarlet
       - netcat-openbsd
       - ipmitool

diff --git a/nginx/domains/doh.ffmuc.net.conf b/nginx/domains/doh.ffmuc.net.conf
@@ -30,7 +30,7 @@ server {
         return 301 https://$host$request_uri;
     }
 
-    access_log /var/log/nginx/{{ domain }}_access.log json_normal;
+    access_log /var/log/nginx/{{ domain }}_access.log json_normal buffer=256k;
     error_log  /var/log/nginx/{{ domain }}_error.log;
 }
 server {
@@ -104,6 +104,6 @@ server {
     ssl_certificate     /etc/letsencrypt/live/ffmuc.net/fullchain.pem;
     ssl_certificate_key /etc/letsencrypt/live/ffmuc.net/privkey.pem;
 
-    access_log /var/log/nginx/{{ domain }}_access.log json_anonym;
+    access_log /var/log/nginx/{{ domain }}_access.log json_anonym buffer=256k;
     error_log /var/log/nginx/{{ domain }}_error.log;
 }
diff --git a/nginx/domains/meet.ffmuc.net.conf b/nginx/domains/meet.ffmuc.net.conf
@@ -28,7 +28,7 @@ server {
     server_name meet.ffmuc.net meet-test.ffmuc.net ffmeet.de *.ffmeet.de ffmeet.net *.ffmeet.net klassenkonferenz.de;
 
     add_header Strict-Transport-Security "max-age=31536000";
-    add_header X-Jitsi-Shard "shard1";
+    add_header X-Jitsi-Shard "shard1" always;
 
     ssl_certificate     /etc/letsencrypt/live/meet.ffmuc.net/fullchain.pem;
     ssl_certificate_key /etc/letsencrypt/live/meet.ffmuc.net/privkey.pem;

diff --git a/nginx/domains/streaming.ffmuc.net.conf → nginx/domains/silo.ffmuc.net.conf b/nginx/domains/streaming.ffmuc.net.conf → nginx/domains/silo.ffmuc.net.conf
@@ -1,30 +1,30 @@
-upstream streaming_backend {
-   server docker05.ov.ffmuc.net:8088;
+upstream silo_backend {
+   server 46.226.127.8:8080;
    keepalive 32;
 }
 
-proxy_cache_path /var/cache/nginx-streaming levels=1:2 keys_zone=streaming_cache:10m max_size=3g inactive=1h use_temp_path=off;
+proxy_cache_path /var/cache/nginx-silo levels=1:2 keys_zone=silo_cache:10m max_size=3g inactive=1h use_temp_path=off;
 
 server {
     listen 80;
     listen [::]:80;
     listen 443 ssl http2;
     listen [::]:443 ssl http2;
     server_name stream.ffmuc.net;
-    return 301 https://streaming.ffmuc.net$request_uri;
+    return 301 https://silo.ffmuc.net$request_uri;
 }
 
 server {
     listen 80;
     listen [::]:80;
     listen 443 ssl http2;
     listen [::]:443 ssl http2;
-    server_name streaming.ffmuc.net;
+    server_name silo.ffmuc.net;
 
     root /srv/www/{{ domain }};
 
     location ~ \.(ts)$ {
-        proxy_cache streaming_cache;
+        proxy_cache silo_cache;
         proxy_cache_revalidate on;
         proxy_cache_use_stale timeout;
         proxy_cache_lock on;
@@ -33,7 +33,7 @@ server {
         proxy_cache_valid 200 302 5m;
         proxy_cache_valid 404 3s;
         proxy_ignore_headers Cache-Control;
-        proxy_pass http://streaming_backend;
+        proxy_pass http://silo_backend;
     }
 
     location /socket.io {
@@ -53,20 +53,20 @@ server {
         proxy_set_header Upgrade $http_upgrade;
         proxy_set_header Connection $connection_upgrade;
 
-        proxy_pass http://streaming_backend/socket.io;
+        proxy_pass http://silo_backend/socket.io;
     }
 
     location / {
-        proxy_set_header Host "streaming.ffmuc.net";
+        proxy_set_header Host "silo.ffmuc.net";
         proxy_set_header X-Real-IP $remote_addr;
         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
         proxy_set_header X-Forwarded-Proto $scheme;
         proxy_set_header X-Frame-Options SAMEORIGIN;
         sub_filter_once off;
         sub_filter_types text/html;
-        sub_filter "ejabberd" "streaming.ffmuc.net";
+        sub_filter "ejabberd" "silo.ffmuc.net";
         proxy_http_version 1.1;
-        proxy_pass http://streaming_backend;
+        proxy_pass http://silo_backend;
 
         proxy_connect_timeout 90;
         proxy_send_timeout 300;

diff --git a/nginx/domains/social.ffmuc.net.conf b/nginx/domains/social.ffmuc.net.conf
@@ -29,7 +29,6 @@ server {
   ssl_protocols TLSv1.2 TLSv1.3;
   ssl_ciphers HIGH:!MEDIUM:!LOW:!aNULL:!NULL:!SHA;
   ssl_prefer_server_ciphers on;
-  ssl_session_cache shared:SSL:10m;
   ssl_session_tickets off;
 
   # Uncomment these lines once you acquire a certificate:

diff --git a/nginx/files/nginx.conf.jinja b/nginx/files/nginx.conf.jinja
@@ -29,13 +29,11 @@ http {
 	sendfile_max_chunk 512k;
 	server_tokens off;
 
-	server_names_hash_bucket_size 64;
+	server_names_hash_bucket_size 128;
 	# server_name_in_redirect off;
 
 	include /etc/nginx/mime.types;
 	types {
-		# nginx's default mime.types doesn't include a mapping for wasm
-		application/wasm	wasm;
 		text/plain                 manifest;
 		application/manifest+json  webmanifest;
 		application/geo+json       geojson;
@@ -48,12 +46,11 @@ http {
 	ssl_protocols TLSv1.2 TLSv1.3;
 	ssl_prefer_server_ciphers on;
     ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
-	ssl_session_cache shared:ssl_session_cache:10m;
-	ssl_session_timeout 1d;
+	ssl_session_cache shared:SSL:32m;
+	ssl_session_timeout 30m;
 	ssl_stapling on;
 	ssl_stapling_verify on;
 	resolver 1.1.1.1;
-
 	##
 	# Gzip Settings
 	##
@@ -87,7 +84,7 @@ http {
 		application/ecmascript application/json image/svg+xml;
 
 	# Set hint which webfrontend is used
-	add_header X-FFMuc-Edge "{{ grains.id.split('.')[0] }}";
+	add_header X-FFMuc-Edge "{{ grains.id.split('.')[0] }}" always;
 	map $http_upgrade $connection_upgrade {
 		default upgrade;
 		''      close;

diff --git a/pdns-recursor/recursor.conf b/pdns-recursor/recursor.conf
@@ -15,7 +15,10 @@ dnssec=validate
 query-local-address=0.0.0.0,::
 {%- set threads = [grains.num_cpus, 8] | min %}
 threads={{ threads }}
+distributor-threads=2
+pdns-distributes-queries=yes
 max-cache-entries=2000000
 version-string=dot.ffmuc.net
 server-id=dot.ffmuc.net
 edns-padding-from=0.0.0.0/0
+reuseport=yes
diff --git a/respondd/init.sls b/respondd/init.sls
@@ -28,6 +28,7 @@ python3-netifaces:
     - template: jinja
     - defaults:
         site: {{ site }}
+        prefix: {{ prefix }}
     - watch_in:
         - service: respondd@{{ site }}
 

diff --git a/yanic/yanic.conf.tmpl b/yanic/yanic.conf.tmpl
@@ -38,7 +38,7 @@ state_path    = "/srv/yanic/state.json"
 # that were inactive for longer than
 prune_after   = "7d"
 # Export nodes and graph periodically
-save_interval = "5s"
+save_interval = "30s"
 # Set node to offline if not seen within this period
 offline_after = "10m"