- Install Node.js 20.x LTS from official NodeSource repository
- Install latest npm and configure with save-exact
- Install Yarn package manager (optional, configurable)
- Idempotent installation with version checking
- Adds npm global bin to system PATH
- Configurable version (LTS, major, or specific version)
- GPG-signed packages from official sources
- Support for custom npm global prefix
- Optional global npm package installation
Features:
- Removes old NodeSource repos before upgrade
- Adds NodeSource GPG key securely via HTTPS
- Creates npm global directory with proper permissions
- Template for /etc/profile.d/npm_global.sh
- Verification output showing installed versions
Variables:
- nodejs_version: "20.x" (default, can be 18.x, 22.x, or specific version)
- install_yarn: true (can be disabled)
- add_npm_to_path: true (adds npm bin to PATH)
- npm_config_prefix: "/usr/local/lib/npm"
- global_npm_packages: [] (optional list of packages)
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
- Add dovecot user to mail group for proper permissions
- Install dovecot-core package (alongside dovecot-imapd)
- Maintains existing dovecot configuration via templates
- Idempotent user module for group management
Configuration:
- Existing templates for dovecot.conf, 10-mail.conf, 10-auth.conf, 10-ssl.conf, 10-master.conf
- Service management with systemd
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
- Install dovecot packages (dovecot-core, dovecot-imapd) alongside chasquid
- Create support user with secure home directory and nologin shell
- Add chasquid user to mail group for proper permissions
- Set cap_net_bind_service capability on chasquid binary
- Disable socket-based activation services (socket, smtp, submission, submission_tls)
- Disable IPv6 system-wide via sysctl
- Add custom systemd service template with security hardening:
  * Standalone mode (Type=simple)
  * CAP_NET_BIND_SERVICE for port binding
  * ProtectSystem, ProtectHome, PrivateTmp, NoNewPrivileges
  * Automatic restart on failure
- Convert systemd service to Jinja2 template for variable support
- Add email test configuration variables (domain, SMTP settings, test recipients)
- Add swaks email test task with variable-based configuration
- Create reboot handler for IPv6 changes
- Add reload systemd daemon handler
Security:
- Binary capabilities instead of running as root
- Comprehensive systemd security features
- NoNewPrivileges to prevent escalation
- Private temporary directory
Testing:
- Automated swaks email sending test
- Display DNS records with DKIM key information
- Configurable email credentials via variables
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
- removed legacy `pull_save_scp_image.sh`
- added separate scripts for arm64 and x86
- updated `images.txt` and `deploy_deepflow_agent.sh`
- adjusted OpenResty config templates (`artifact.conf.j2`, `nginx.conf.j2`)