friwall/web/system.py

#!/usr/bin/python3

import collections
import email.message
import getpass
import multiprocessing
import os
import pathlib
import shutil
import smtplib
import socket
import subprocess
import syslog

import click
import flask
import flask.cli
import ldap3

from . import db

def mail(rcpt, subject, body):
    try:
        msg = email.message.EmailMessage()
        msg['Subject'] = f'friwall: {subject}'
        msg['From'] = f'{getpass.getuser()}@{socket.getfqdn()}'
        msg['To'] = rcpt
        msg.set_content(body)
        with smtplib.SMTP('localhost') as server:
            server.send_message(msg)
    except Exception as e:
        syslog.syslog(f'error sending mail: {e}')

def init_app(app):
    app.cli.add_command(generate)
    app.cli.add_command(push)

def run(fun, args=()):
    def task():
        if os.fork() == 0:
            os.setsid()
            fun(*args)
    multiprocessing.Process(target=task).start()

def ipset_add(ipsets, name, ip=None, ip6=None):
    ipsets[name].update(ip or ())
    ipsets[f'{name}/6'].update(ip6 or ())

def save_config():
    # Format strings for creating firewall config files.
    nft_set = 'set {name} {{\n    type ipv{family}_addr; flags interval; {elements}\n}}\n\n'
    nft_map = 'map {name} {{\n    type ipv4_addr : interval ipv4_addr; flags interval; {elements}\n}}\n\n'
    nft_forward = '# {index}. {name}\n{text}\n\n'
    wg_intf = '[Interface]\nListenPort = {port}\nPrivateKey = {key}\n\n'
    wg_peer = '# {user}\n[Peer]\nPublicKey = {key}\nAllowedIPs = {ips}\n\n'

    output = None
    try:
        # Just load the settings here but keep the database unlocked
        # while we load group memberships from LDAP.
        with db.locked():
            settings = db.read('settings')
            groups = db.read('groups')

        # For each user build a list of networks they have access to, based on
        # group membership in AD. Only query groups associated with at least one
        # network, and query each group only once.
        user_networks = collections.defaultdict(set)
        ldap = ldap3.Connection(ldap3.Server(settings.get('ldap_host'), use_ssl=True),
                settings.get('ldap_user'), settings.get('ldap_pass'), auto_bind=True)

        # All of these must match to consider an LDAP object.
        ldap_query = [
            '(objectClass=user)', # only users
            '(objectCategory=person)', # that are people
            '(!(userAccountControl:1.2.840.113556.1.4.803:=2))', # with enabled accounts
        ]
        if group := settings.get('user_group'):
            ldap_query += [f'(memberOf:1.2.840.113556.1.4.1941:={group})'] # in given group, recursively

        ldap.search(settings.get('ldap_base_dn', ''),
                    f'(&{"".join(ldap_query)})', # conjuction (&(…)(…)(…)) of queries
                    attributes=['userPrincipalName', 'memberOf'])
        for entry in ldap.entries:
            for group in entry.memberOf:
                if group in groups:
                    user_networks[entry.userPrincipalName.value].add(groups[group])

        # Now read the settings again and lock the database while generating
        # config files, then increment version before unlocking.
        with db.locked():
            settings = db.read('settings')
            version = settings['version'] = int(settings.get('version', 0)) + 1

            # Populate IP sets.
            ipsets = collections.defaultdict(set)
            # Sets corresponding to VLANs in NetBox. Prefixes for these sets are configured on firewall nodes with ansible.
            for name, network in db.read('networks').items():
                ipset_add(ipsets, name)
            # Sets defined by user in friwall app.
            for name, network in db.read('ipsets').items():
                ipset_add(ipsets, name, network.get('ip'), network.get('ip6'))

            # Add registered VPN addresses for each network based on
            # LDAP group membership.
            wireguard = db.read('wireguard')
            for ip, key in wireguard.items():
                ip4 = [f'{ip}/32']
                ip6 = [f'{key["ip6"]}'] if key.get('ip6') else None
                for network in user_networks.get(key.get('user', ''), ()):
                    ipset_add(ipsets, network, ip4, ip6)

            # Create config files.
            output = pathlib.Path.home() / 'config' / f'{version}'
            shutil.rmtree(output, ignore_errors=True)
            os.makedirs(output / 'etc/nftables.d', exist_ok=True)
            os.makedirs(output / 'etc/wireguard', exist_ok=True)

            # Print version.
            with open(output / 'version', 'w', encoding='utf-8') as f:
                f.write(f'{version}')

            # Print nftables sets.
            with open(output / 'etc/nftables.d/sets.nft', 'w', encoding='utf-8') as f:
                for name, ips in ipsets.items():
                    f.write(nft_set.format(
                        name=name,
                        family='6' if name.endswith('/6') else '4',
                        elements=f'{"" if ips else "# "}elements = {{ {", ".join(ips)} }}'))

            # Print static NAT (1:1) rules.
            with open(output / 'etc/nftables.d/netmap.nft', 'w', encoding='utf-8') as f:
                netmap = db.read('netmap') # { private range: public range… }
                if netmap:
                    f.write(nft_map.format(
                        name='netmap-out',
                        elements='elements = {' + ',\n'.join(f'{a}: {b}' for a, b in netmap.items()) + '}'))
                    f.write(nft_map.format(
                        name='netmap-in',
                        elements='elements = {' + ',\n'.join(f'{b}: {a}' for a, b in netmap.items()) + '}'))

            # Print dynamic NAT rules.
            with open(output / 'etc/nftables.d/nat.nft', 'w', encoding='utf-8') as f:
                nat = db.read('nat') # { network name: public range… }
                for network, address in nat.items():
                    if address:
                        f.write(f'iif @inside oif @outside ip saddr @{network} snat to {address}\n')

            # Print forwarding rules.
            with open(output / 'etc/nftables.d/forward.nft', 'w', encoding='utf-8') as f:
                for index, rule in enumerate(db.read('rules')):
                    if rule.get('enabled') and rule.get('text'):
                        f.write(nft_forward.format(index=index, name=rule.get('name', ''), text=rule['text']))

            # Print wireguard config.
            with open(output / 'etc/wireguard/wg.conf', 'w', encoding='utf-8') as f:
                f.write(wg_intf.format(
                    port=settings.get('wg_port', 51820),
                    key=settings.get('wg_key')))
                for ip, data in wireguard.items():
                    f.write(wg_peer.format(
                        user=data.get('user'),
                        key=data.get('key'),
                        ips=', '.join(filter(None, [ip, data.get('ip6')]))))

            # Make a config archive in a temporary place, so we don’t send incomplete tars.
            tar_file = shutil.make_archive(f'{output}-tmp', 'gztar', root_dir=output, owner='root', group='root')

            # Move config archive to the final destination.
            os.rename(tar_file, f'{output}.tar.gz')

            # If we get here, write settings with the new version.
            db.write('settings', settings)
            return True

    except Exception as e:
        import traceback
        e.add_note(f'exception while generating config: {e}')
        msg = traceback.format_exc()
        if rcpt := settings.get('admin_mail'):
            mail(rcpt, 'error generating config', msg)
        # TODO this doesn’t seem to work
        #syslog.syslog(msg)
        return False

    finally:
        # Remove temporary directory.
        if output:
            shutil.rmtree(output, ignore_errors=True)

@click.command('generate')
@flask.cli.with_appcontext
def generate():
    save_config()

@click.command('push')
@click.option('--version', '-v', type=click.INT, default=None, help="Config version to push")
@flask.cli.with_appcontext
def push(version=None):
    try:
        with db.locked('nodes'):
            if version is None:
                version = db.load('settings').get('version', 0)

            nodes = db.read('nodes')
            tar_file = pathlib.Path.home() / 'config' / f'{version}.tar.gz'

            errors = []
            for node, node_version in nodes.items():
                if node_version != version:
                    try:
                        # Push config tarfile to node. There sshd runs a forced command that
                        # reads in a tarball, copies files to /etc and reloads services.
                        syslog.syslog(f'updating config for {node} from v{node_version} to v{version}')
                        result = subprocess.run(['/usr/bin/ssh', '-T', '-o', 'ConnectTimeout=10', f'root@{node}'],
                                                stdin=open(tar_file), capture_output=True, text=True)
                        if result.returncode == 0:
                            nodes[node] = version
                            db.write('nodes', nodes)
                            syslog.syslog(f'successfully updated config for {node} to v{version}')
                        else:
                            raise RuntimeError(f'error updating config to v{version}: {result.stderr}')
                    except (FileNotFoundError, RuntimeError) as e:
                        e.add_note(f'error while updating node {node}')
                        errors.append(e)
            if errors:
                raise ExceptionGroup('errors while updating nodes', errors)

    except Exception as e:
        import traceback
        msg = traceback.format_exc()
        if rcpt := db.load('settings').get('admin_mail'):
            mail(rcpt, 'error updating nodes', msg)
        syslog.syslog(msg)
Make a squash 2022-01-03 10:33:02 +00:00			`#!/usr/bin/python3`

			`import collections`
Add error reporting over email and improve logging 2023-07-03 13:55:49 +00:00			`import email.message`
			`import getpass`
Make a squash 2022-01-03 10:33:02 +00:00			`import multiprocessing`
			`import os`
Store generated configs in $HOME And move app to ~/app. 2023-04-07 11:42:01 +00:00			`import pathlib`
Make a squash 2022-01-03 10:33:02 +00:00			`import shutil`
Add error reporting over email and improve logging 2023-07-03 13:55:49 +00:00			`import smtplib`
			`import socket`
Make a squash 2022-01-03 10:33:02 +00:00			`import subprocess`
			`import syslog`

			`import click`
			`import flask`
			`import flask.cli`
			`import ldap3`

			`from . import db`

Add error reporting over email and improve logging 2023-07-03 13:55:49 +00:00			`def mail(rcpt, subject, body):`
Handle exceptions when sending mail 2023-07-07 07:04:17 +00:00			`try:`
			`msg = email.message.EmailMessage()`
			`msg['Subject'] = f'friwall: {subject}'`
			`msg['From'] = f'{getpass.getuser()}@{socket.getfqdn()}'`
			`msg['To'] = rcpt`
			`msg.set_content(body)`
			`with smtplib.SMTP('localhost') as server:`
			`server.send_message(msg)`
			`except Exception as e:`
			`syslog.syslog(f'error sending mail: {e}')`
Add error reporting over email and improve logging 2023-07-03 13:55:49 +00:00
Make a squash 2022-01-03 10:33:02 +00:00			`def init_app(app):`
			`app.cli.add_command(generate)`
			`app.cli.add_command(push)`

			`def run(fun, args=()):`
			`def task():`
			`if os.fork() == 0:`
			`os.setsid()`
			`fun(*args)`
			`multiprocessing.Process(target=task).start()`

Generate ipsets for network groups Like office and server. 2023-10-03 11:21:53 +00:00			`def ipset_add(ipsets, name, ip=None, ip6=None):`
			`ipsets[name].update(ip or ())`
			`ipsets[f'{name}/6'].update(ip6 or ())`

Make a squash 2022-01-03 10:33:02 +00:00			`def save_config():`
Clean up save_config 2023-12-10 11:08:30 +00:00			`# Format strings for creating firewall config files.`
			`nft_set = 'set {name} {{\n type ipv{family}_addr; flags interval; {elements}\n}}\n\n'`
			`nft_map = 'map {name} {{\n type ipv4_addr : interval ipv4_addr; flags interval; {elements}\n}}\n\n'`
			`nft_forward = '# {index}. {name}\n{text}\n\n'`
			`wg_intf = '[Interface]\nListenPort = {port}\nPrivateKey = {key}\n\n'`
			`wg_peer = '# {user}\n[Peer]\nPublicKey = {key}\nAllowedIPs = {ips}\n\n'`

Make a squash 2022-01-03 10:33:02 +00:00			`output = None`
			`try:`
Simplify database locking Use a single lock for everything to ensure we don’t go inconsistent. One exception is the firewall nodes table which is only accessed when pushing updated config. 2023-05-19 07:30:28 +00:00			`# Just load the settings here but keep the database unlocked`
			`# while we load group memberships from LDAP.`
			`with db.locked():`
			`settings = db.read('settings')`
			`groups = db.read('groups')`
Make a squash 2022-01-03 10:33:02 +00:00
Rework NAT settings Support static NAT for L2 server networks. Also some other minor tweaks. 2023-04-25 15:06:31 +00:00			`# For each user build a list of networks they have access to, based on`
			`# group membership in AD. Only query groups associated with at least one`
			`# network, and query each group only once.`
			`user_networks = collections.defaultdict(set)`
Make a squash 2022-01-03 10:33:02 +00:00			`ldap = ldap3.Connection(ldap3.Server(settings.get('ldap_host'), use_ssl=True),`
			`settings.get('ldap_user'), settings.get('ldap_pass'), auto_bind=True)`
system: support LDAP queries with no user_group set Though it might be better to allow multiple groups. On the other hand the main filter is in the group→ipset settings file anyway; any VPN user not in one of those groups will not get forwarded to anywhere. 2024-04-22 08:43:50 +00:00
			`# All of these must match to consider an LDAP object.`
			`ldap_query = [`
			`'(objectClass=user)', # only users`
			`'(objectCategory=person)', # that are people`
			`'(!(userAccountControl:1.2.840.113556.1.4.803:=2))', # with enabled accounts`
			`]`
			`if group := settings.get('user_group'):`
			`ldap_query += [f'(memberOf:1.2.840.113556.1.4.1941:={group})'] # in given group, recursively`

Improve LDAP lookup of user groups 2023-09-07 12:59:57 +00:00			`ldap.search(settings.get('ldap_base_dn', ''),`
system: support LDAP queries with no user_group set Though it might be better to allow multiple groups. On the other hand the main filter is in the group→ipset settings file anyway; any VPN user not in one of those groups will not get forwarded to anywhere. 2024-04-22 08:43:50 +00:00			`f'(&{"".join(ldap_query)})', # conjuction (&(…)(…)(…)) of queries`
Improve LDAP lookup of user groups 2023-09-07 12:59:57 +00:00			`attributes=['userPrincipalName', 'memberOf'])`
			`for entry in ldap.entries:`
			`for group in entry.memberOf:`
			`if group in groups:`
			`user_networks[entry.userPrincipalName.value].add(groups[group])`
Make a squash 2022-01-03 10:33:02 +00:00
			`# Now read the settings again and lock the database while generating`
			`# config files, then increment version before unlocking.`
Simplify database locking Use a single lock for everything to ensure we don’t go inconsistent. One exception is the firewall nodes table which is only accessed when pushing updated config. 2023-05-19 07:30:28 +00:00			`with db.locked():`
Make a squash 2022-01-03 10:33:02 +00:00			`settings = db.read('settings')`
			`version = settings['version'] = int(settings.get('version', 0)) + 1`

Add form for editing NAT addresses 2023-07-06 15:18:10 +00:00			`# Populate IP sets.`
Make a squash 2022-01-03 10:33:02 +00:00			`ipsets = collections.defaultdict(set)`
Do not configure prefixes defined in NetBox Push them to firewall nodes with ansible instead, as they will only change in NetBox. Also don’t mess around with ipset “groups” based on hyphenation, which was probably a bad idea. With more data included in NetBox I am thinking we should configure NAT and other stuff with ansible also, but let’s start small. 2024-03-18 16:33:12 +00:00			`# Sets corresponding to VLANs in NetBox. Prefixes for these sets are configured on firewall nodes with ansible.`
Generate ipsets for network groups Like office and server. 2023-10-03 11:21:53 +00:00			`for name, network in db.read('networks').items():`
Do not configure prefixes defined in NetBox Push them to firewall nodes with ansible instead, as they will only change in NetBox. Also don’t mess around with ipset “groups” based on hyphenation, which was probably a bad idea. With more data included in NetBox I am thinking we should configure NAT and other stuff with ansible also, but let’s start small. 2024-03-18 16:33:12 +00:00			`ipset_add(ipsets, name)`
			`# Sets defined by user in friwall app.`
Rename networks.json to ipsets.json Getting ready for some changes. 2023-07-06 14:28:15 +00:00			`for name, network in db.read('ipsets').items():`
Generate ipsets for network groups Like office and server. 2023-10-03 11:21:53 +00:00			`ipset_add(ipsets, name, network.get('ip'), network.get('ip6'))`
Rework NAT settings again 2023-05-18 13:44:10 +00:00
			`# Add registered VPN addresses for each network based on`
			`# LDAP group membership.`
Simplify database locking Use a single lock for everything to ensure we don’t go inconsistent. One exception is the firewall nodes table which is only accessed when pushing updated config. 2023-05-19 07:30:28 +00:00			`wireguard = db.read('wireguard')`
Make a squash 2022-01-03 10:33:02 +00:00			`for ip, key in wireguard.items():`
Generate ipsets for network groups Like office and server. 2023-10-03 11:21:53 +00:00			`ip4 = [f'{ip}/32']`
vpn: assign an IPv6 subnet instead of a single address We are limited by the size of IPv4 pool (/18), so why not give everyone an IPv4-internetful of IPv6 addresses. 2023-12-12 18:26:55 +00:00			`ip6 = [f'{key["ip6"]}'] if key.get('ip6') else None`
Rework NAT settings Support static NAT for L2 server networks. Also some other minor tweaks. 2023-04-25 15:06:31 +00:00			`for network in user_networks.get(key.get('user', ''), ()):`
Generate ipsets for network groups Like office and server. 2023-10-03 11:21:53 +00:00			`ipset_add(ipsets, network, ip4, ip6)`
Make a squash 2022-01-03 10:33:02 +00:00
			`# Create config files.`
Store generated configs in $HOME And move app to ~/app. 2023-04-07 11:42:01 +00:00			`output = pathlib.Path.home() / 'config' / f'{version}'`
Make a squash 2022-01-03 10:33:02 +00:00			`shutil.rmtree(output, ignore_errors=True)`
Clean up save_config 2023-12-10 11:08:30 +00:00			`os.makedirs(output / 'etc/nftables.d', exist_ok=True)`
			`os.makedirs(output / 'etc/wireguard', exist_ok=True)`
Make a squash 2022-01-03 10:33:02 +00:00
Add version number to config tarballs Preparing to rework the updater script. 2023-06-26 16:26:35 +00:00			`# Print version.`
Clean up save_config 2023-12-10 11:08:30 +00:00			`with open(output / 'version', 'w', encoding='utf-8') as f:`
			`f.write(f'{version}')`
Add version number to config tarballs Preparing to rework the updater script. 2023-06-26 16:26:35 +00:00
Support IPv6 sets Also some unrelated cleanups in system.save_config. 2023-05-29 10:59:57 +00:00			`# Print nftables sets.`
Clean up save_config 2023-12-10 11:08:30 +00:00			`with open(output / 'etc/nftables.d/sets.nft', 'w', encoding='utf-8') as f:`
Rename some bound variables 2023-04-07 20:51:38 +00:00			`for name, ips in ipsets.items():`
Clean up save_config 2023-12-10 11:08:30 +00:00			`f.write(nft_set.format(`
			`name=name,`
			`family='6' if name.endswith('/6') else '4',`
			`elements=f'{"" if ips else "# "}elements = {{ {", ".join(ips)} }}'))`
Rework NAT settings Support static NAT for L2 server networks. Also some other minor tweaks. 2023-04-25 15:06:31 +00:00
Rework NAT settings again 2023-05-18 13:44:10 +00:00			`# Print static NAT (1:1) rules.`
Clean up save_config 2023-12-10 11:08:30 +00:00			`with open(output / 'etc/nftables.d/netmap.nft', 'w', encoding='utf-8') as f:`
Support IPv6 sets Also some unrelated cleanups in system.save_config. 2023-05-29 10:59:57 +00:00			`netmap = db.read('netmap') # { private range: public range… }`
Rework NAT settings Support static NAT for L2 server networks. Also some other minor tweaks. 2023-04-25 15:06:31 +00:00			`if netmap:`
Clean up save_config 2023-12-10 11:08:30 +00:00			`f.write(nft_map.format(`
			`name='netmap-out',`
			`elements='elements = {' + ',\n'.join(f'{a}: {b}' for a, b in netmap.items()) + '}'))`
			`f.write(nft_map.format(`
			`name='netmap-in',`
			`elements='elements = {' + ',\n'.join(f'{b}: {a}' for a, b in netmap.items()) + '}'))`
Make a squash 2022-01-03 10:33:02 +00:00
Rework NAT settings again 2023-05-18 13:44:10 +00:00			`# Print dynamic NAT rules.`
Clean up save_config 2023-12-10 11:08:30 +00:00			`with open(output / 'etc/nftables.d/nat.nft', 'w', encoding='utf-8') as f:`
Support IPv6 sets Also some unrelated cleanups in system.save_config. 2023-05-29 10:59:57 +00:00			`nat = db.read('nat') # { network name: public range… }`
Rework NAT settings again 2023-05-18 13:44:10 +00:00			`for network, address in nat.items():`
Add form for editing NAT addresses 2023-07-06 15:18:10 +00:00			`if address:`
Clean up save_config 2023-12-10 11:08:30 +00:00			`f.write(f'iif @inside oif @outside ip saddr @{network} snat to {address}\n')`
Rework NAT settings again 2023-05-18 13:44:10 +00:00
Make a squash 2022-01-03 10:33:02 +00:00			`# Print forwarding rules.`
Clean up save_config 2023-12-10 11:08:30 +00:00			`with open(output / 'etc/nftables.d/forward.nft', 'w', encoding='utf-8') as f:`
Add support for managing forwarding rules 2023-05-29 10:24:21 +00:00			`for index, rule in enumerate(db.read('rules')):`
			`if rule.get('enabled') and rule.get('text'):`
Clean up save_config 2023-12-10 11:08:30 +00:00			`f.write(nft_forward.format(index=index, name=rule.get('name', ''), text=rule['text']))`
Make a squash 2022-01-03 10:33:02 +00:00
			`# Print wireguard config.`
Clean up save_config 2023-12-10 11:08:30 +00:00			`with open(output / 'etc/wireguard/wg.conf', 'w', encoding='utf-8') as f:`
			`f.write(wg_intf.format(`
			`port=settings.get('wg_port', 51820),`
			`key=settings.get('wg_key')))`
Rework NAT settings Support static NAT for L2 server networks. Also some other minor tweaks. 2023-04-25 15:06:31 +00:00			`for ip, data in wireguard.items():`
Clean up save_config 2023-12-10 11:08:30 +00:00			`f.write(wg_peer.format(`
			`user=data.get('user'),`
			`key=data.get('key'),`
			`ips=', '.join(filter(None, [ip, data.get('ip6')]))))`

			`# Make a config archive in a temporary place, so we don’t send incomplete tars.`
Store generated configs in $HOME And move app to ~/app. 2023-04-07 11:42:01 +00:00			`tar_file = shutil.make_archive(f'{output}-tmp', 'gztar', root_dir=output, owner='root', group='root')`
Make a squash 2022-01-03 10:33:02 +00:00
			`# Move config archive to the final destination.`
Store generated configs in $HOME And move app to ~/app. 2023-04-07 11:42:01 +00:00			`os.rename(tar_file, f'{output}.tar.gz')`
Make a squash 2022-01-03 10:33:02 +00:00
			`# If we get here, write settings with the new version.`
			`db.write('settings', settings)`
			`return True`

			`except Exception as e:`
			`import traceback`
Add error reporting over email and improve logging 2023-07-03 13:55:49 +00:00			`e.add_note(f'exception while generating config: {e}')`
			`msg = traceback.format_exc()`
			`if rcpt := settings.get('admin_mail'):`
			`mail(rcpt, 'error generating config', msg)`
			`# TODO this doesn’t seem to work`
			`#syslog.syslog(msg)`
Make a squash 2022-01-03 10:33:02 +00:00			`return False`
Add error reporting over email and improve logging 2023-07-03 13:55:49 +00:00
Make a squash 2022-01-03 10:33:02 +00:00			`finally:`
			`# Remove temporary directory.`
			`if output:`
			`shutil.rmtree(output, ignore_errors=True)`

			`@click.command('generate')`
			`@flask.cli.with_appcontext`
			`def generate():`
			`save_config()`

			`@click.command('push')`
			`@click.option('--version', '-v', type=click.INT, default=None, help="Config version to push")`
			`@flask.cli.with_appcontext`
			`def push(version=None):`
			`try:`
			`with db.locked('nodes'):`
Fix locking Or maybe break it further. 2023-04-06 08:04:30 +00:00			`if version is None:`
			`version = db.load('settings').get('version', 0)`

Make a squash 2022-01-03 10:33:02 +00:00			`nodes = db.read('nodes')`
Store generated configs in $HOME And move app to ~/app. 2023-04-07 11:42:01 +00:00			`tar_file = pathlib.Path.home() / 'config' / f'{version}.tar.gz'`
Make a squash 2022-01-03 10:33:02 +00:00
Add error reporting over email and improve logging 2023-07-03 13:55:49 +00:00			`errors = []`
Make a squash 2022-01-03 10:33:02 +00:00			`for node, node_version in nodes.items():`
			`if node_version != version:`
Add error reporting over email and improve logging 2023-07-03 13:55:49 +00:00			`try:`
			`# Push config tarfile to node. There sshd runs a forced command that`
			`# reads in a tarball, copies files to /etc and reloads services.`
			`syslog.syslog(f'updating config for {node} from v{node_version} to v{version}')`
			`result = subprocess.run(['/usr/bin/ssh', '-T', '-o', 'ConnectTimeout=10', f'root@{node}'],`
			`stdin=open(tar_file), capture_output=True, text=True)`
			`if result.returncode == 0:`
			`nodes[node] = version`
			`db.write('nodes', nodes)`
			`syslog.syslog(f'successfully updated config for {node} to v{version}')`
			`else:`
			`raise RuntimeError(f'error updating config to v{version}: {result.stderr}')`
			`except (FileNotFoundError, RuntimeError) as e:`
			`e.add_note(f'error while updating node {node}')`
			`errors.append(e)`
			`if errors:`
			`raise ExceptionGroup('errors while updating nodes', errors)`
Make a squash 2022-01-03 10:33:02 +00:00
			`except Exception as e:`
			`import traceback`
Add error reporting over email and improve logging 2023-07-03 13:55:49 +00:00			`msg = traceback.format_exc()`
			`if rcpt := db.load('settings').get('admin_mail'):`
			`mail(rcpt, 'error updating nodes', msg)`
			`syslog.syslog(msg)`