From 2c175a324b660a474f4d6be4b74a74a127c02715 Mon Sep 17 00:00:00 2001 
From: Dominik Polakovics Date: Wed, 16 Aug 2023 22:31:22 +0200 Subject: [PATCH] add web-01 host --- fleet.nix | 4 + hosts/web-01.cloonar.com/configuration.nix | 60 ++++++++ hosts/web-01.cloonar.com/fleet.nix | 1 + .../hardware-configuration.nix | 9 ++ hosts/web-01.cloonar.com/secrets.yaml | 22 +++ .../sites/api.optiprot.cloonar.dev.nix | 34 +++++ .../sites/api.optiprot.eu.nix | 34 +++++ .../sites/autoconfig.cloonar.com.nix | 39 +++++ hosts/web-01.cloonar.com/sites/autoconfig.nix | 89 +++++++++++ .../web-01.cloonar.com/sites/cloonar.com.nix | 60 ++++++++ .../web-01.cloonar.com/sites/cloonar.dev.nix | 60 ++++++++ .../sites/diabetes-austria.cloonar.dev.nix | 141 ++++++++++++++++++ .../sites/gbv-aktuell.at.nix | 39 +++++ .../sites/gbv-aktuell.cloonar.dev.nix | 38 +++++ .../sites/gbv.cloonar.dev.nix | 71 +++++++++ .../sites/matomo.cloonar.com.nix | 117 +++++++++++++++ .../mehr-leistbaren-wohnraum-schaffen.at.nix | 65 ++++++++ ...istbaren-wohnraum-schaffen.cloonar.dev.nix | 60 ++++++++ .../sites/optiprot.cloonar.dev.nix | 15 ++ .../web-01.cloonar.com/sites/optiprot.eu.nix | 15 ++ .../sites/paraclub.cloonar.dev.nix | 71 +++++++++ hosts/web-01.cloonar.com/utils | 1 + 22 files changed, 1045 insertions(+) create mode 100644 hosts/web-01.cloonar.com/configuration.nix create mode 120000 hosts/web-01.cloonar.com/fleet.nix create mode 100644 hosts/web-01.cloonar.com/hardware-configuration.nix create mode 100644 hosts/web-01.cloonar.com/secrets.yaml create mode 100644 hosts/web-01.cloonar.com/sites/api.optiprot.cloonar.dev.nix create mode 100644 hosts/web-01.cloonar.com/sites/api.optiprot.eu.nix create mode 100644 hosts/web-01.cloonar.com/sites/autoconfig.cloonar.com.nix create mode 100644 hosts/web-01.cloonar.com/sites/autoconfig.nix create mode 100644 hosts/web-01.cloonar.com/sites/cloonar.com.nix create mode 100644 hosts/web-01.cloonar.com/sites/cloonar.dev.nix create mode 100644 hosts/web-01.cloonar.com/sites/diabetes-austria.cloonar.dev.nix create mode 100644 
hosts/web-01.cloonar.com/sites/gbv-aktuell.at.nix create mode 100644 hosts/web-01.cloonar.com/sites/gbv-aktuell.cloonar.dev.nix create mode 100644 hosts/web-01.cloonar.com/sites/gbv.cloonar.dev.nix create mode 100644 hosts/web-01.cloonar.com/sites/matomo.cloonar.com.nix create mode 100644 hosts/web-01.cloonar.com/sites/mehr-leistbaren-wohnraum-schaffen.at.nix create mode 100644 hosts/web-01.cloonar.com/sites/mehr-leistbaren-wohnraum-schaffen.cloonar.dev.nix create mode 100644 hosts/web-01.cloonar.com/sites/optiprot.cloonar.dev.nix create mode 100644 hosts/web-01.cloonar.com/sites/optiprot.eu.nix create mode 100644 hosts/web-01.cloonar.com/sites/paraclub.cloonar.dev.nix create mode 120000 hosts/web-01.cloonar.com/utils diff --git a/fleet.nix b/fleet.nix index bfbcdba..84a0992 100644 --- a/fleet.nix +++ b/fleet.nix @@ -24,6 +24,10 @@ username = "home-assistant.cloonar.com"; key = "ssh-rsa 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 root@home-assistant"; } + { + username = "web-01.cloonar.com"; + key = "ssh-rsa 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 root@web-01"; + } ]; in { imports = builtins.map create_users users; diff --git a/hosts/web-01.cloonar.com/configuration.nix b/hosts/web-01.cloonar.com/configuration.nix new file mode 100644 index 0000000..f90dc93 --- /dev/null +++ b/hosts/web-01.cloonar.com/configuration.nix 
@@ -0,0 +1,60 @@ +{ ... }: { + imports = [ + ./utils/bento.nix + + ./utils/modules/sops.nix + ./utils/modules/lego/lego.nix + ./utils/modules/mysql.nix + ./utils/modules/nginx.nix + ./utils/modules/bitwarden/default.nix + ./utils/modules/zammad/default.nix + # ./utils/modules/autoupgrade.nix + + ./utils/modules/borgbackup.nix + ./utils/modules/netdata.nix + ./hardware-configuration.nix + + ./utils/modules/services/web/typo3.nix + ./utils/modules/services/web/stack.nix + + ./sites/autoconfig.cloonar.com.nix + + ./sites/api.optiprot.eu.nix + ./sites/cloonar.com.nix + ./sites/gbv-aktuell.at.nix + ./sites/matomo.cloonar.com.nix + ./sites/optiprot.eu.nix + + ./sites/api.optiprot.cloonar.dev.nix + ./sites/cloonar.dev.nix + ./sites/diabetes-austria.cloonar.dev.nix + ./sites/paraclub.cloonar.dev.nix + ./sites/gbv.cloonar.dev.nix + ./sites/gbv-aktuell.cloonar.dev.nix + ./sites/optiprot.cloonar.dev.nix + ./sites/mehr-leistbaren-wohnraum-schaffen.at.nix + ./sites/mehr-leistbaren-wohnraum-schaffen.cloonar.dev.nix + ]; + + sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; + sops.defaultSopsFile = ./secrets.yaml; + nix.gc.options = "--delete-older-than 60d"; + + boot.cleanTmpDir = true; + zramSwap.enable = true; + networking.hostName = "web-01"; + services.openssh.enable = true; + users.users.root.openssh.authorizedKeys.keys = [ + "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDN/2SAFm50kraB1fepAizox/QRXxB7WbqVbH+5OPalDT47VIJGNKOKhixQoqhABHxEoLxdf/C83wxlCVlPV9poLfDgVkA3Lyt5r3tSFQ6QjjOJAgchWamMsxxyGBedhKvhiEzcr/Lxytnoz3kjDG8fqQJwEpdqMmJoMUfyL2Rqp16u+FQ7d5aJtwO8EUqovhMaNO7rggjPpV/uMOg+tBxxmscliN7DLuP4EMTA/FwXVzcFNbOx3K9BdpMRAaSJt4SWcJO2cS2KHA5n/H+PQI7nz5KN3Yr/upJN5fROhi/SHvK39QOx12Pv7FCuWlc+oR68vLaoCKYhnkl3DnCfc7A7" + ]; + + # backups + borgbackup.repo = "u149513-sub5@u149513-sub5.your-backup.de:borg"; + + networking.firewall = { + enable = true; + allowedTCPPorts = [ 22 80 443 ]; + }; + + system.stateVersion = "22.05"; +} 
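Review bot: `services.openssh.enable = true` and a root authorized key are added without pinning the daemon's authentication policy, so the NixOS defaults apply: root may log in with a key (`prohibit-password`) and password authentication stays enabled. Only the root key is visible here, so whether a password login is actually usable depends on whether root or another account has a password set, which this hunk does not show. Pin the policy explicitly next to the key list, using the option names of the nixpkgs release in use: `services.openssh.passwordAuthentication = false;` and `services.openssh.kbdInteractiveAuthentication = false;` (on 23.05 and later the same settings live under `services.openssh.settings.PasswordAuthentication` / `KbdInteractiveAuthentication`). `boot.cleanTmpDir` is the pre-23.05 spelling of `boot.tmp.cleanOnBoot`, which suggests an older release; verify before choosing the `settings` form.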
diff --git a/hosts/web-01.cloonar.com/fleet.nix b/hosts/web-01.cloonar.com/fleet.nix
new file mode 120000
index 0000000..5b16de1
--- /dev/null
+++ b/hosts/web-01.cloonar.com/fleet.nix
@@ -0,0 +1 @@
+../../fleet.nix
\ No newline at end of file
diff --git a/hosts/web-01.cloonar.com/hardware-configuration.nix b/hosts/web-01.cloonar.com/hardware-configuration.nix
new file mode 100644
index 0000000..f67b9f4
--- /dev/null
+++ b/hosts/web-01.cloonar.com/hardware-configuration.nix
@@ -0,0 +1,9 @@
+{ modulesPath, ... }:
+{
+ imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
+ boot.loader.grub.device = "/dev/sda";
+ boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "vmw_pvscsi" "xen_blkfront" ];
+ boot.initrd.kernelModules = [ "nvme" ];
+ fileSystems."/" = { device = "/dev/sda1"; fsType = "ext4"; };
+
+}
diff --git a/hosts/web-01.cloonar.com/secrets.yaml b/hosts/web-01.cloonar.com/secrets.yaml
new file mode 100644
index 0000000..917350f
--- /dev/null
+++ b/hosts/web-01.cloonar.com/secrets.yaml
@@ -0,0 +1,22 @@ +borg-passphrase: ENC[AES256_GCM,data:g85FvdFhbmBR5Gvh+7/qusK5Md66+7OPL2VRQu8R4E96LhsCjvpgDMQF9puO6wWNuIw3CsvrkYzQnU6/zo4BnA==,iv:Drv0wiZuZbaenZYx2m+QW85TaLIdpHbN0v6/3exP9gs=,tag:v6BNQFfphAMLyyXGZlo9Pg==,type:str] +borg-ssh-key: ENC[AES256_GCM,data:aE/MiD2fSxG0B8C0e4UYWtqToj+3cGIDZTYMGZRDWr4S3535CvtG2j9W9/wG6zKnsDX/EUGTOYretk6/RsThYI+p/iZRntwvZ0PG5lSfg4Y/7EA+tuRWxLekO1u05h4aYOJsRtJEl9/dRwOAjwxyeGvWV9bvtlMoZaOrbujAU7h0VabW/yC7L/D8c0CzR+Whx04ecnNhSz+aSdydHhTvCJKt0vtk3Qdo11MpQm3Hig3zltrhz9EwBm/Oq4Z+FCe3bYrqJI3kb+C15JTaOydHURrspwWIHB2WNJ/jChyM51M8GCx4SJGiOdbV2pYIF8v/mGoioUbemqG5yeq9tdqEnOqh/LYLREfZCvIVJ08BDLCllV0ajveiggynbdKWIJDMl2z9EsdQMIZYc+3wd3H8/FnpAVEJ0dw62vrmogw9xhQ6zQwpC2QyxY0b37QcsHX1IGI+u+Sn9zG+Ihmbo9BhSBWD2b22kt9JjaPgrN42kVWLUbmJhRySipeqShwH0dkcNHwMf+pF/9OzpYd8cUhBXCpTf/nkKSduxLmj6CsuUCVA/99D0TQg/X6e6qXcGRgXEr79iRyYlC6KKBNu1JLuQU2GqKhzs2wbIUjzCYalVZXL5abxoxatV7hO0YL9U8mmqoJtzHBSD1urKkn+mQcbrm95e3/kPZhQNQKcDyT3Cp3UpGiSG4fcUTXx2fZuPxyMJPE882UagTBM56g3fpAbWKGHeFaxxJoprWtjgYKT0oKFQuyYdVGt+HeGW27vzArObpRP84LSnhpWTNK+iqGMtF6hxZOjWZwmzKatIydCBx15ScH+N0NkIXdN7DxdmhCDie1e9N0DfWCJZn9RbGo/36ksfdc/sirYSxKCZ3gUIveirvzH2ovyC11WJTf56evudYU6LahJQzOg3KTTntNKV221OvuelRj+NKLCkbKE/Pi00cDQ5WTMCX3PUdb5fk2ZdqXfLD8vJWzy0G+7vkrsJtNvzzcXZcQms5knSgX8qwrnGKJ5nxlFaYLzHmSV9GINH0SYZV4S6EwF7Y2Vi3IGkkNGP7VPRcJS8MSoZXYcLdaHBO8DwMPfB9Wi3j4qC6OCiUK79iCRyO8bAG0Q9CFH29qVciesdXnV5t9gaeXeGXUkVUM8THW3sq89mV+iuPbQLaTr5To9NWC1+Loq6DOrgWf/6VqcuIy0p2Akfieey1REThE6Bf1fui5sr2tHD5n2yrTC3XiG5RVPee9Kkdr8JaMd/SYsoTHzYkqSr9HnGW8C1SR5PsAxZsnMx/B96LPHlh5BfXoNUlyRrAs6I0B316xQh9q1zGanMyl4pLGfR17P4CEQU6SX7nr24k/PMKfdMn3etumbXOgoKEeZKtwGeEUVhSUB18/+HBnKT+4N8+I3ekTsonz5X8poXio6yVJ7SlH8gjNAaq7siM9eIE63001EQLZzappJYWEB/LAfYcHfjyASzLTT+FNUN/CiaMUIIiuRPltvnDbBvvj3L/eaDg/yfiMGXZcl/2J96tRyzkuKwzmmaTMy8VQfqHC3ODcjibECIpj7ODtpqqsjB3rjosUKT7dL7Xe7rHFltLjt4aYYtay9WdCWEv1yl2WcQc6coyKwmwM3Cr1i6opzlZ7+bfIGDW3hRN+1GOr+UfViyhJbbczeuhIWTv9toFtsXWSLu31OBWntIDRsdLCOUQvfP2gj0aaR5LxsBdYo6Hm/qSSMXWsPLD3K0SgXZMJdX+JAz6pgYM
Tt/OJaFfn5hYiSCNRrbNmnTIB8r/9AJNjfpWtJwtIJj/d5tZr0F4J+ax16OCQAfL/zBhn1opHNtxhdHq3hFWH+DAEglBepnJt85I/h/RBQZs5MqlqDPzKRE7clPzkEB3dViQtrkrmOUCtWpGXhHslo7A3CDGoQ/0KCMLniGM8A+Ig6iffry2xuYzf78V81DM+Wq93XaOUhVn9ztJR22T5bWb2zK4W2PirMj0Zb8Oh7ihJW0OSavhllfrpnvdDU5aWzcQ8GaVRh6BwYS+sOctEvQxmYfFXHill9BMxyCW5OWXd3K7gQOLLewFcOHwNu1chBrDSamB1C7Zaf6HoZdGvCZRn9NMYi7vdc15uJMaoIbKF45QBaldspe6dUTMEM3AXtJyzONhGRINiYaMPfGEn4J2YHToyOyLEOsIb+zKU9iqxbvyLX46IVO8CyIeWNm4Nwo/C4hSPFVzHqmGPPL3lKrJIZwaucDPUTiveE/6AUodBPxDLGmqjx5k4mPQFyelrTUAF5VfWcTJlot99R32FGTuRIM3kN0MBE0JhI93rg/o25rLf1y2oHhkcAXlzTE+KWP030iiy8yhpgWeE5NAwPDlVQvSOnaUefEurCqAfalVylxBs8TNWw4qPv6NXDBVsjdHh4YQxlXG++YKnTZy9TG4N4p0HI6I1XDB7jwVyBsDAj1WhWmNeEdIZVBbfQmZ+wibLhIm0msDSoU2WlRwFC2BMBYvUJVLYGlLrcn00yCa1xuus6rycx80WhNoyUswlIUMhsGMmMnaU5coSt6X8Y2NuuA1DzLy+P1BHmwhtiZp6kvGBkqVLhToVbpOILaIFDqRfejsR6GgHYHqrw6dBn4IMZyZrxICPvPQVx3Wu6nsWskjlqbCILpGyt35CkyHe7lRdKZvQuAx5WhErj3T2KywElPH/TADy6oQ4KBKASjFEnDa5k38Ro6j0yaN5nFZqeNBG05oVZW7xD05C6BcyS9RqdqCMhlAmmN0YFvSm4QJv3BRmoX5x9PiLvbJP3n00FtG5kyrErA0IoKiG3yJyIj6ZKXMXs5v1MrkL1QlXt5+J9sKe2r5CETmwVZWBJg6Ou8R+yMVkEEvwx8h+Ngvu01borhECJVQdEci50ZTEaEt3+Ef6n7uMpwHll1LYlTfPenPyBR4zYeKb1Pipb+taFEvDZVshL9q/GwFLjC7+swKz8oRY2N381j7s2zSJdutMWCa/NbSgwPdQT4kla/jN7AeATEC/VJbXLGvdW2LVOuz/1VWb7MNCOxNM0uyv27jhdCfYecUDRYDR273GV/ia5WVtM9cx8DLLG6SgalBvyH1wqDgXvUuYC6ci/hV0ekfKyeobXs4unTeKG0bQTozcDnY7gr/6eclsyOSOK7kddjAHxFY+oLbBb3iQBv0vMYL5++YxE71LNn9Ql6mm+K1J5sRY05Gr2nbb4cqF7HcGP476O1hbiXf9cuGJN53CotGqHrdYhMcPW0wRO5o3z2jh7/9g8gebtUYkYmgKDdmPlFi9DQ1demdBmeszWF1/I9nS3aFdBSVbwa0pbKmLUzH6eu1eu7lxY9z+t70MNtcJxHUUQqLCOLW6qhi5BlDu+RqlyfdNWrMg01+FOZVH60Qi5jCIiWzhmwoeawa3++kxkVSX2wbNQXC2qdU5cjg9ighHnWw8K45JbUxVcI+NAc7AHPZEcLft4/jxYfPiB1zWQvQ5mtWh6PP3viZxCrrw/7MnXP1AofA==,iv:UkU0lvcPJVWqIRdM3isrr+JJP0xz7cf2CYeBynpa0ws=,tag:6UkLgdb6kIsWT8qFe5G+KQ==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1y6lvl5jkwc47p5ae9yz9j9kuwhy7rtttua5xhygrgmr7ehd49svsszyt42 + enc: | + -----BEGIN AGE 
ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBaVG04UDJWY3NQZ0hqc3FE + cE1wRDBMQzloeFlYclMyUEhTREdiNUcwVHpzCnp4UnpYYll6dVpTZ0dpcGlRbFgw + dTY3N2hRM2JCWWN6R0xZc003aW84MGMKLS0tIGorOW9LRmVrMmxWSEpia0owZk5p + eENYMyt1Qy9Ea29MemZwSnlsYnR1S1UKLC6KyS8tBX6new4iJTtYUl/Do5V2j+y7 + +xALI95vVi93pRI0/T9agKkI4m5PqlZoUfo41csnTlcQEWDBcTEbGQ== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2022-12-31T11:41:18Z" + mac: ENC[AES256_GCM,data:2lQzO+BwvBnozb07+eQoCN3mDhVIivOo2RH9SI94xmFkWcit0o1RiWAsu6GDduqxa4DGpY25EV+yjnZJSGc01OyU3e11ycxpwfP6wLA9w62Dh87rM7bzQOmo01u2Dy4k1HUluVIkTgIfl4JZNJtG3iboSi5qlAN9dfiOGYPrSZs=,iv:ZYJ2TT01QKh+7mOpIcohzB8jWSa5F7gUwt8XbhdLr1w=,tag:AXCezSwoIfIcAuluHlIC+w==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.7.3 diff --git a/hosts/web-01.cloonar.com/sites/api.optiprot.cloonar.dev.nix b/hosts/web-01.cloonar.com/sites/api.optiprot.cloonar.dev.nix new file mode 100644 index 0000000..ed6ca7f --- /dev/null +++ b/hosts/web-01.cloonar.com/sites/api.optiprot.cloonar.dev.nix @@ -0,0 +1,34 @@ +{ pkgs, lib, config, ... }: +{ + services.webstack.instances."api.optiprot.cloonar.dev" = { + enableDefaultLocations = false; + enableMysql = true; + authorizedKeys = [ + "ssh-rsa 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" + ]; + extraConfig = '' + add_header X-Frame-Options "SAMEORIGIN"; + add_header X-Content-Type-Options "nosniff"; + + index index.php + + charset utf-8; + + error_page 404 /index.php; + ''; + locations."/favicon.ico".extraConfig = '' + log_not_found off; + access_log off; + ''; + locations."/robots.txt".extraConfig = '' + access_log off; + log_not_found off; + ''; + + locations."/".extraConfig = '' + try_files $uri $uri/ /index.php$is_args$args; + ''; + phpPackage = pkgs.php80.withExtensions ({ enabled, all }: + enabled ++ [ all.imagick ]); + }; +} diff --git a/hosts/web-01.cloonar.com/sites/api.optiprot.eu.nix b/hosts/web-01.cloonar.com/sites/api.optiprot.eu.nix new file mode 100644 index 0000000..4eed907 
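Review bot: In `extraConfig`, `index index.php` has no terminating semicolon, so nginx reads the following `charset utf-8;` as further arguments of the same directive: the charset is never set, and "charset" and "utf-8" become extra index file names. The fix is one character, `index index.php;`. The identical text is in api.optiprot.eu.nix. Separately, `pkgs.php80` pins PHP 8.0, whose upstream security support ends in November 2023; the TYPO3 instances in this commit already use `pkgs.php81`, so consider aligning the webstack instances with them.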
--- /dev/null +++ b/hosts/web-01.cloonar.com/sites/api.optiprot.eu.nix @@ -0,0 +1,34 @@ +{ pkgs, lib, config, ... }: +{ + services.webstack.instances."api.optiprot.eu" = { + enableDefaultLocations = false; + enableMysql = true; + authorizedKeys = [ + "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDDBGlzrg6NP5ezRFVu1CV8r0uCcS2oIgYG2/u6Cit++ARWQRO5Y0+9qC1Y2RNUaLPbvTmXg7ShskolUeuLryqvp10K2kXQ4E9NlmJ3BNLiAfWCzfe6gAgr6u5unVlXHttnP0leYpGGMUCKuiJpzy/bR6rMIUrCQC6W/MeXkwysNWKvL+ZD0IeQbogtfMFZmag9PO04RKZZvuUn9YvlgkTEK97g5dtyP1NxdtE9dDYf0G+0HcHITcw+lVmGNNwi43nAoUHieQd1kWc8YmxFB+y5O+vRH2O6pZBSdr0tdK6bPcezxd3Gk6i3a54yZfbvSislWA+o7s6uw/qExocpZb7xWa5ymPrGlEPbpYdT1y3hFO25+L1lR4QdG9oUNtJ974bL+EmYmHU+j32K3f8fxDg6BRo8FuriLtAzP7/2/7W8K4nIdMoosS+Ond2JE6XFkg1kSrXCivDBQoetZLO2y+ZPYcsQwIZsdjOnZqVr76nTepqCGIKYCuNM/9sl4AWCsyU=" + ]; + extraConfig = '' + add_header X-Frame-Options "SAMEORIGIN"; + add_header X-Content-Type-Options "nosniff"; + + index index.php + + charset utf-8; + + error_page 404 /index.php; + ''; + locations."/favicon.ico".extraConfig = '' + log_not_found off; + access_log off; + ''; + locations."/robots.txt".extraConfig = '' + access_log off; + log_not_found off; + ''; + + locations."/".extraConfig = '' + try_files $uri $uri/ /index.php$is_args$args; + ''; + phpPackage = pkgs.php80.withExtensions ({ enabled, all }: + enabled ++ [ all.imagick ]); + }; +} diff --git a/hosts/web-01.cloonar.com/sites/autoconfig.cloonar.com.nix b/hosts/web-01.cloonar.com/sites/autoconfig.cloonar.com.nix new file mode 100644 index 0000000..fc74e8a --- /dev/null +++ b/hosts/web-01.cloonar.com/sites/autoconfig.cloonar.com.nix 
@@ -0,0 +1,39 @@ +{ pkgs, lib, config, ... }: +let + domain = "autoconfig.cloonar.com"; +in +{ + services.go-autoconfig = { + enable = true; + settings = { + service_addr = ":1323"; + domain = domain; + imap = { + server = "imap.cloonar.com"; + port = 993; + }; + smtp = { + server = "mail.cloonar.com"; + port = 587; + starttls = true; + }; + }; + }; + + services.nginx.virtualHosts."${domain}" = { + forceSSL = true; + enableACME = true; + locations."/" = { + proxyPass = "http://localhost:1323/"; + }; + }; + services.nginx.virtualHosts."autoconfig.superbros.tv".extraConfig = '' + return 301 https://autoconfig.cloonar.com$request_uri; + ''; + services.nginx.virtualHosts."autoconfig.ghetto.at".extraConfig = '' + return 301 https://autoconfig.cloonar.com$request_uri; + ''; + services.nginx.virtualHosts."autoconfig.optiprot.eu".extraConfig = '' + return 301 https://autoconfig.cloonar.com$request_uri; + ''; +} diff --git a/hosts/web-01.cloonar.com/sites/autoconfig.nix b/hosts/web-01.cloonar.com/sites/autoconfig.nix new file mode 100644 index 0000000..984990e --- /dev/null +++ b/hosts/web-01.cloonar.com/sites/autoconfig.nix 
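Review bot: The three redirect virtualHosts (`autoconfig.superbros.tv`, `autoconfig.ghetto.at`, `autoconfig.optiprot.eu`) set only `extraConfig`, without `forceSSL`/`enableACME`, so they answer on plain HTTP only; an HTTPS request for those names falls through to nginx's default server with a certificate mismatch unless a certificate for them is defined elsewhere. Give each the same `forceSSL = true; enableACME = true;` as the main host so the 301 is also reached over TLS. `service_addr = ":1323"` binds go-autoconfig on every interface; the firewall in configuration.nix keeps the port closed externally, but `service_addr = "127.0.0.1:1323";` with `proxyPass = "http://127.0.0.1:1323/";` keeps the backend loopback-only regardless of firewall state.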
@@ -0,0 +1,89 @@ +{ pkgs, lib, config, ... }: +let + domains = [ + "cloonar.com" + "ghetto.at" + "optiprot.eu" + ]; + + vhostConfig = { + forceSSL = true; + enableACME = true; + acmeRoot = null; + root = "/var/www/autoconfig"; + + # MS Outlook + locations."~* ^/autodiscover/autodiscover.xml".extraConfig = '' + root /var/www/autoconfig; + try_files /autodiscover.php =404; + include ${pkgs.nginx}/conf/fastcgi_params; + include ${pkgs.nginx}/conf/fastcgi.conf; + fastcgi_pass unix:${config.services.phpfpm.pools.autoconfig.socket}; + ''; + + # Thunderbird + locations."/.well-known/autoconfig/mail/config-v1.1.xml".extraConfig = '' + root /var/www/autoconfig; + try_files /config-v1.1.php =404; + include ${pkgs.nginx}/conf/fastcgi_params; + include ${pkgs.nginx}/conf/fastcgi.conf; + fastcgi_pass unix:${config.services.phpfpm.pools.autoconfig.socket}; + ''; + + # Apple devices + locations."/apple/get-mobileconfig".extraConfig = '' + root /var/www/autoconfig; + try_files /apple.php =404; + include ${pkgs.nginx}/conf/fastcgi_params; + include ${pkgs.nginx}/conf/fastcgi.conf; + fastcgi_pass unix:${config.services.phpfpm.pools.autoconfig.socket}; + ''; + + # disable logging for Apple Touch Icons + locations."~ /apple-touch-icon(|-\d+x\d+)(|-precomposed).png".extraConfig = '' + log_not_found off; + access_log off; + ''; + }; +in +{ + services.nginx.virtualHosts."autoconfig.cloonar.com" = vhostConfig; + services.nginx.virtualHosts."autoconfig.ghetto.at" = vhostConfig; + services.nginx.virtualHosts."autoconfig.optiprot.eu" = vhostConfig; + services.nginx.virtualHosts."autoconfig.superbros.tv" = vhostConfig; + + systemd.services."phpfpm-autoconfig".serviceConfig.ProtectHome = lib.mkForce false; + + services.phpfpm.pools."autoconfig" = { + user = "autoconfig"; + settings = { + "listen.owner" = config.services.nginx.user; + "pm" = "dynamic"; + "pm.max_children" = 32; + "pm.max_requests" = 500; + "pm.start_servers" = 2; + "pm.min_spare_servers" = 2; + "pm.max_spare_servers" = 5; + 
"php_admin_value[error_log]" = "stderr"; + "php_admin_flag[log_errors]" = true; + "catch_workers_output" = true; + "access.log" = "/var/log/$pool.access.log"; + }; + phpPackage = pkgs.php; + phpEnv."PATH" = lib.makeBinPath [ pkgs.php ]; + }; + + users.users."autoconfig" = { + #isSystemUser = true; + isNormalUser = true; + createHome = true; + home = "/var/www/autoconfig"; + homeMode= "770"; + #home = "/home/${domain}"; + group = "nginx"; + openssh.authorizedKeys.keys = [ + "ssh-rsa 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" + ]; + }; + users.groups.autoconfig = {}; +} diff --git a/hosts/web-01.cloonar.com/sites/cloonar.com.nix b/hosts/web-01.cloonar.com/sites/cloonar.com.nix new file mode 100644 index 0000000..27621de --- /dev/null +++ b/hosts/web-01.cloonar.com/sites/cloonar.com.nix 
@@ -0,0 +1,60 @@ +{ pkgs, lib, config, ... }: +let + domain = "cloonar.com"; + dataDir = "/var/www/${domain}"; +in { + services.nginx.virtualHosts."${domain}" = { + forceSSL = true; + enableACME = true; + acmeRoot = null; + root = "${dataDir}"; + + locations."/favicon.ico".extraConfig = '' + log_not_found off; + access_log off; + ''; + + locations."/".extraConfig = '' + index index.html; + ''; + + locations."~* \.(jpe?g|png)$".extraConfig = '' + set $red Z; + + if ($http_accept ~* "webp") { + set $red A; + } + + if (-f $document_root/webp/$request_uri.webp) { + set $red "''${red}B"; + } + + if ($red = "AB") { + add_header Vary Accept; + rewrite ^ /webp/$request_uri.webp; + } + ''; + + locations."~* \.(js|jpg|gif|png|webp|css|woff2)$".extraConfig = '' + expires 365d; + add_header Pragma "public"; + add_header Cache-Control "public"; + ''; + + locations."~ [^/]\.php(/|$)".extraConfig = '' + deny all; + ''; + }; + users.users."${domain}" = { + isNormalUser = true; + createHome = true; + home = dataDir; + homeMode= "770"; + #home = "/home/${domain}"; + group = "nginx"; + openssh.authorizedKeys.keys = [ + "ssh-rsa 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" + ]; + }; + users.groups.${domain} = {}; +} diff --git a/hosts/web-01.cloonar.com/sites/cloonar.dev.nix b/hosts/web-01.cloonar.com/sites/cloonar.dev.nix new file mode 100644 index 0000000..50cb7d3 --- /dev/null +++ b/hosts/web-01.cloonar.com/sites/cloonar.dev.nix 
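Review bot: Nix double-quoted strings keep only the character after an unknown backslash escape, so `locations."~* \.(jpe?g|png)$"` and `locations."~ [^/]\.php(/|$)"` reach nginx as `~* .(jpe?g|png)$` and `~ [^/].php(/|$)`, with `.` matching any character instead of a literal dot. Here the effect is only a slightly wider match, but the same spelling in cloonar.dev.nix, gbv.cloonar.dev.nix and diabetes-austria.cloonar.dev.nix turns deny rules such as `~* /.*\.(?:bak|co?nf|...|log|sh|sql|sqlite)$` into `/.*.(?:...)$`, which returns 403 for any URL ending in those letters (for example `/blog` or `/products`). matomo.cloonar.com.nix already writes these patterns with a doubled backslash; use `\\.` in every regex location, e.g. `locations."~* \\.(jpe?g|png)$"` and `locations."~ [^/]\\.php(/|$)"`.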
@@ -0,0 +1,60 @@ +{ pkgs, lib, config, ... }: +let + domain = "cloonar.dev"; + dataDir = "/var/www/${domain}"; +in { + services.nginx.virtualHosts."${domain}" = { + forceSSL = true; + enableACME = true; + acmeRoot = null; + root = "${dataDir}"; + + locations."/favicon.ico".extraConfig = '' + log_not_found off; + access_log off; + ''; + + locations."/".extraConfig = '' + index index.html; + ''; + + locations."~* \.(jpe?g|png)$".extraConfig = '' + set $red Z; + + if ($http_accept ~* "webp") { + set $red A; + } + + if (-f $document_root/webp/$request_uri.webp) { + set $red "''${red}B"; + } + + if ($red = "AB") { + add_header Vary Accept; + rewrite ^ /webp/$request_uri.webp; + } + ''; + + locations."~* \.(js|jpg|gif|png|webp|css|woff2)$".extraConfig = '' + expires 365d; + add_header Pragma "public"; + add_header Cache-Control "public"; + ''; + + locations."~ [^/]\.php(/|$)".extraConfig = '' + deny all; + ''; + }; + users.users."${domain}" = { + isNormalUser = true; + createHome = true; + home = dataDir; + homeMode= "770"; + #home = "/home/${domain}"; + group = "nginx"; + openssh.authorizedKeys.keys = [ + "ssh-rsa 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" + ]; + }; + users.groups.${domain} = {}; +} diff --git a/hosts/web-01.cloonar.com/sites/diabetes-austria.cloonar.dev.nix b/hosts/web-01.cloonar.com/sites/diabetes-austria.cloonar.dev.nix new file mode 100644 index 0000000..417341d --- /dev/null +++ b/hosts/web-01.cloonar.com/sites/diabetes-austria.cloonar.dev.nix 
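Review bot: This file is cloonar.com.nix with only `domain = "cloonar.dev"` changed; the whole nginx body and the user definition are duplicated verbatim, so every fix has to be applied twice. The commit already has a `services.webstack.instances` module for the api.optiprot.* sites; a comparable helper for static sites in utils, or a list `[ "cloonar.com" "cloonar.dev" ]` mapped over one body, would keep the two in sync.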
@@ -0,0 +1,141 @@ +{ pkgs, lib, config, ... }: +let + domain = "diabetes-austria.cloonar.dev"; + dataDir = "/var/www/${domain}"; +in { + systemd.services."phpfpm-${domain}".serviceConfig.ProtectHome = lib.mkForce false; + + services.phpfpm.pools."${domain}" = { + user = domain; + settings = { + "listen.owner" = config.services.nginx.user; + "pm" = "dynamic"; + "pm.max_children" = 32; + "pm.max_requests" = 500; + "pm.start_servers" = 2; + "pm.min_spare_servers" = 2; + "pm.max_spare_servers" = 5; + "php_admin_value[error_log]" = "stderr"; + "php_admin_flag[log_errors]" = true; + "catch_workers_output" = true; + "access.log" = "/var/log/$pool.access.log"; + }; + phpPackage = pkgs.nur.repos.izorkin.php74; + phpEnv."PATH" = lib.makeBinPath [ pkgs.nur.repos.izorkin.php74 ]; + }; + + services.nginx.virtualHosts."${domain}" = { + forceSSL = true; + enableACME = true; + acmeRoot = null; + root = "${dataDir}/public"; + + locations."/favicon.ico".extraConfig = '' + log_not_found off; + access_log off; + ''; + + # TYPO3 - Rule for versioned static files, configured through: + # - $GLOBALS['TYPO3_CONF_VARS']['BE']['versionNumberInFilename'] + # - $GLOBALS['TYPO3_CONF_VARS']['FE']['versionNumberInFilename'] + + extraConfig = '' + if (!-e $request_filename) { + rewrite ^/(.+)\.(\d+)\.(php|js|css|png|jpg|gif|gzip)$ /$1.$3 last; + } + ''; + + # TYPO3 - Block access to composer files + locations."~* composer\.(?:json|lock)".extraConfig = '' + deny all; + ''; + + + # TYPO3 - Block access to flexform files + locations."~* flexform[^.]*\.xml".extraConfig = '' + deny all; + ''; + + # TYPO3 - Block access to language files + locations."~* locallang[^.]*\.(?:xml|xlf)$".extraConfig = '' + deny all; + ''; + + # TYPO3 - Block access to static typoscript files + locations."~* ext_conf_template\.txt|ext_typoscript_constants\.txt|ext_typoscript_setup\.txt".extraConfig = '' + deny all; + ''; + + # TYPO3 - Block access to miscellaneous protected files + locations."~* 
/.*\.(?:bak|co?nf|cfg|ya?ml|ts|typoscript|tsconfig|dist|fla|in[ci]|log|sh|sql|sqlite)$".extraConfig = '' + deny all; + ''; + + # TYPO3 - Block access to recycler and temporary directories + locations."~ _(?:recycler|temp)_/".extraConfig = '' + deny all; + ''; + + # TYPO3 - Block access to configuration files stored in fileadmin + locations."~ fileadmin/(?:templates)/.*\.(?:txt|ts|typoscript)$".extraConfig = '' + deny all; + ''; + + + # TYPO3 - Block access to libraries, source and temporary compiled data + locations."~ ^(?:vendor|typo3_src|typo3temp/var)".extraConfig = '' + deny all; + ''; + + + # TYPO3 - Block access to protected extension directories + locations."~ (?:typo3conf/ext|typo3/sysext|typo3/ext)/[^/]+/(?:Configuration|Resources/Private|Tests?|Documentation|docs?)/".extraConfig = '' + deny all; + ''; + + locations."/".extraConfig = '' + index index.php index.html; + try_files $uri $uri/ /index.php$is_args$args; + ''; + + # TYPO3 Backend URLs + locations."/typo3$".extraConfig = '' + rewrite ^ /typo3/; + ''; + + locations."/typo3/".extraConfig = '' + try_files $uri /typo3/index.php$is_args$args; + ''; + + locations."~ [^/]\.php(/|$)".extraConfig = '' + fastcgi_split_path_info ^(.+?\.php)(/.*)$; + if (!-f $document_root$fastcgi_script_name) { + return 404; + } + include ${pkgs.nginx}/conf/fastcgi_params; + include ${pkgs.nginx}/conf/fastcgi.conf; + fastcgi_buffer_size 32k; + fastcgi_buffers 8 16k; + fastcgi_connect_timeout 240s; + fastcgi_read_timeout 240s; + fastcgi_send_timeout 240s; + fastcgi_pass unix:${config.services.phpfpm.pools."${domain}".socket}; + fastcgi_index index.php; + ''; + }; + users.users."${domain}" = { + #isSystemUser = true; + isNormalUser = true; + createHome = true; + home = dataDir; + homeMode= "770"; + #home = "/home/${domain}"; + group = "nginx"; + openssh.authorizedKeys.keys = [ + "ssh-rsa 
AAAAB3NzaC1yc2EAAAADAQABAAABgQDZg6mxd6kuB7zxxTMw/kgP2Cfddjnz8hCtSbzKckNBtM9TbnJ76ZbAjgh/TDcm/qBADlICi+Ib0tMlzK1BJWLxe1SjHOR78BPzPGASmjtj6vuNAFyM20Ise5rhbbo2sC6o82F6HP4iak+hFzhwTf0Ld1LT5dJ78CltKgHFmyKIaRYBILn5MvTnmORG2UfFY1Tef2DiujrQD24bM2f4BYR2Ni0zoyim8UUkjciQkXceB8yDJQX/e1WcNxGU7Bsh2WGZMu6Ykeinbf7LIu8pPGH2sf81N8tbsYc4PxZv9lovgRWdNNmSfB+Ocsn4jWBN9nVtb8XMXycTaenI4W57F+ZWrx0LddPhwfXbLAdFgxyvqtWW/WF48DH2vETQcCATowIhtU7QDZ3pDKaTIIYhDYnMvPJuM2rQP0SCMaNzQlziXWFvKTRw8nnqkpzTz488OJVkYvULXhiRgr0Uxe6eh7XCOO9SF5wdj1cGeewefOiOjpxmg/GnaQvQW6KjFRMj1ZE=" + ]; + }; + users.groups.${domain} = {}; + + services.mysqlBackup.databases = [ "diabetes_austria" ]; +} diff --git a/hosts/web-01.cloonar.com/sites/gbv-aktuell.at.nix b/hosts/web-01.cloonar.com/sites/gbv-aktuell.at.nix new file mode 100644 index 0000000..744e886 --- /dev/null +++ b/hosts/web-01.cloonar.com/sites/gbv-aktuell.at.nix @@ -0,0 +1,39 @@ +{ pkgs, lib, config, ... }: +{ + services.typo3.instances."gbv-aktuell.at" = { + domainAliases = [ "www.gbv-aktuell.at" ]; + authorizedKeys = [ + "ssh-rsa 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" + ]; + phpPackage = pkgs.php81; + }; + + services.awstats = { + enable = true; + updateAt = "daily"; + configs."gbv-aktuell.at" = { + webService = { + enable = true; + hostname = "gbv-aktuell.at"; + }; + logFile = "/var/log/nginx/access.log"; + extraConfig = { + # ShowDaysOfWeekStats = "0"; + # ShowHoursStats = "0"; + # ShowDomainsStats = "0"; + # ShowHostsStats = "0"; + # "ShowRobotsStats" = "0"; + # "ShowFileTypesStats" = "0"; + # "ShowDownloadsStats" = "0"; + # "ShowPagesStats" = "0"; + # "ShowOSStats" = "0"; + # "ShowBrowsersStats" = "0"; + # "ShowOriginStats" = "0"; + # "ShowKeyphrasesStats" = "0"; + # "ShowKeywordsStats" = "0"; + # "ShowMiscStats" = "0"; + # "ShowHTTPErrorsStats" = "0"; + }; + }; + }; +} 
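Review bot: `phpPackage = pkgs.nur.repos.izorkin.php74` runs this TYPO3 instance on PHP 7.4, which reached end of life in November 2022, built from a third-party NUR repository rather than nixpkgs; gbv.cloonar.dev.nix uses the same pin. If the site cannot move to `pkgs.php81` yet (as gbv-aktuell.at.nix does), record the constraint in a comment at the pool definition and pin the NUR revision so the interpreter build stays reproducible and reviewable. Separately, `systemd.services."phpfpm-${domain}".serviceConfig.ProtectHome = lib.mkForce false;` looks like a leftover of the commented-out `#home = "/home/${domain}"`: with the home under /var/www, ProtectHome does not hide the document root, so the override only removes hardening and can be dropped; the same line appears in autoconfig.nix, gbv.cloonar.dev.nix and matomo.cloonar.com.nix.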
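Review bot: `services.awstats.configs."gbv-aktuell.at".logFile` points at `/var/log/nginx/access.log`, the shared nginx log, and gbv-aktuell.cloonar.dev.nix points its own config at the same file; unless access logs are split per virtual host elsewhere in the stack, each report aggregates every site on web-01 rather than the one named in `hostname`. The `webService` block publishes the report on the public `gbv-aktuell.at` hostname with no access restriction visible in this hunk; confirm the module adds one, or protect that location, since visitor analytics for a customer site should not be world-readable. The fifteen commented-out `Show*Stats` lines in `extraConfig` are dead text repeated in gbv-aktuell.cloonar.dev.nix; drop them or replace them with a one-line comment naming the awstats options they stand for.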
diff --git a/hosts/web-01.cloonar.com/sites/gbv-aktuell.cloonar.dev.nix b/hosts/web-01.cloonar.com/sites/gbv-aktuell.cloonar.dev.nix new file mode 100644 index 0000000..62d19fb --- /dev/null +++ b/hosts/web-01.cloonar.com/sites/gbv-aktuell.cloonar.dev.nix @@ -0,0 +1,38 @@ +{ pkgs, lib, config, ... }: +{ + services.typo3.instances."gbv-aktuell.cloonar.dev" = { + authorizedKeys = [ + "ssh-rsa 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" + ]; + phpPackage = pkgs.php81; + }; + + services.awstats = { + enable = true; + updateAt = "daily"; + configs."gbv-aktuell.cloonar.dev" = { + webService = { + enable = true; + hostname = "gbv-aktuell.cloonar.dev"; + }; + logFile = "/var/log/nginx/access.log"; + extraConfig = { + # ShowDaysOfWeekStats = "0"; + # ShowHoursStats = "0"; + # ShowDomainsStats = "0"; + # ShowHostsStats = "0"; + # "ShowRobotsStats" = "0"; + # "ShowFileTypesStats" = "0"; + # "ShowDownloadsStats" = "0"; + # "ShowPagesStats" = "0"; + # "ShowOSStats" = "0"; + # "ShowBrowsersStats" = "0"; + # "ShowOriginStats" = "0"; + # "ShowKeyphrasesStats" = "0"; + # "ShowKeywordsStats" = "0"; + # "ShowMiscStats" = "0"; + # "ShowHTTPErrorsStats" = "0"; + }; + }; + }; +} diff --git a/hosts/web-01.cloonar.com/sites/gbv.cloonar.dev.nix b/hosts/web-01.cloonar.com/sites/gbv.cloonar.dev.nix new file mode 100644 index 0000000..5aa6971 --- /dev/null +++ b/hosts/web-01.cloonar.com/sites/gbv.cloonar.dev.nix 
@@ -0,0 +1,71 @@ +{ pkgs, lib, config, ... }: +let + domain = "gbv.cloonar.dev"; + dataDir = "/var/www/${domain}"; +in { + systemd.services."phpfpm-${domain}".serviceConfig.ProtectHome = lib.mkForce false; + + services.phpfpm.pools."${domain}" = { + user = domain; + settings = { + "listen.owner" = config.services.nginx.user; + "pm" = "dynamic"; + "pm.max_children" = 32; + "pm.max_requests" = 500; + "pm.start_servers" = 2; + "pm.min_spare_servers" = 2; + "pm.max_spare_servers" = 5; + "php_admin_value[error_log]" = "/var/log/$pool.error.log"; + "php_admin_flag[log_errors]" = true; + "php_admin_value[display_errors]" = true; + "catch_workers_output" = true; + "access.log" = "/var/log/$pool.access.log"; + }; + phpPackage = pkgs.nur.repos.izorkin.php74; + phpEnv."PATH" = lib.makeBinPath [ pkgs.nur.repos.izorkin.php74 ]; + }; + + services.nginx.virtualHosts."${domain}" = { + forceSSL = true; + enableACME = true; + acmeRoot = null; + root = "${dataDir}"; + + locations."/favicon.ico".extraConfig = '' + log_not_found off; + access_log off; + ''; + + locations."/".extraConfig = '' + index index.php index.html; + try_files $uri $uri/ /index.php$is_args$args; + ''; + + locations."~ [^/]\.php(/|$)".extraConfig = '' + fastcgi_split_path_info ^(.+?\.php)(/.*)$; + if (!-f $document_root$fastcgi_script_name) { + return 404; + } + include ${pkgs.nginx}/conf/fastcgi_params; + include ${pkgs.nginx}/conf/fastcgi.conf; + fastcgi_buffer_size 32k; + fastcgi_buffers 8 16k; + fastcgi_connect_timeout 240s; + fastcgi_read_timeout 240s; + fastcgi_send_timeout 240s; + fastcgi_pass unix:${config.services.phpfpm.pools."${domain}".socket}; + fastcgi_index index.php; + ''; + }; + users.users."${domain}" = { + isSystemUser = true; + createHome = true; + home = dataDir; + homeMode= "770"; + #home = "/home/${domain}"; + group = "nginx"; + }; + users.groups.${domain} = {}; + + services.mysqlBackup.databases = [ "gbv_stage" ]; +} 
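Review bot: `"php_admin_value[display_errors]" = true` in the pool settings makes PHP print errors, including file paths and possibly query fragments, into HTTP responses; it is set the same way in matomo.cloonar.com.nix, which is a production host. `log_errors` is already on and `error_log` goes to `/var/log/$pool.error.log`, so the response output is not needed for diagnosis; change the line to `"php_admin_flag[display_errors]" = false;`, or drop it and rely on a production php.ini. `php_admin_flag` is the php-fpm form for boolean ini values, matching the `log_errors` line two lines above.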
diff --git a/hosts/web-01.cloonar.com/sites/matomo.cloonar.com.nix b/hosts/web-01.cloonar.com/sites/matomo.cloonar.com.nix new file mode 100644 index 0000000..bb94e4a --- /dev/null +++ b/hosts/web-01.cloonar.com/sites/matomo.cloonar.com.nix 
@@ -0,0 +1,117 @@
+{ pkgs, lib, config, ... }:
+let
+ domain = "matomo.cloonar.com";
+ dataDir = "/var/www/${domain}";
+in {
+ systemd.services."phpfpm-${domain}".serviceConfig.ProtectHome = lib.mkForce false;
+
+ services.phpfpm.pools."${domain}" = {
+ user = domain;
+ settings = {
+ "listen.owner" = config.services.nginx.user;
+ "pm" = "dynamic";
+ "pm.max_children" = 32;
+ "pm.max_requests" = 500;
+ "pm.start_servers" = 2;
+ "pm.min_spare_servers" = 2;
+ "pm.max_spare_servers" = 5;
+ "php_admin_value[error_log]" = "/var/log/$pool.php.error.log";
+ "php_admin_flag[log_errors]" = true;
+ "php_admin_value[display_errors]" = true;
+ "catch_workers_output" = true;
+ "access.log" = "/var/log/$pool.access.log";
+ };
+ phpPackage = pkgs.php81;
+ phpEnv."PATH" = lib.makeBinPath [ pkgs.php81 ];
+ };
+
+ services.nginx.virtualHosts."${domain}" = {
+ forceSSL = true;
+ enableACME = true;
+ acmeRoot = null;
+ root = "${dataDir}";
+
+ locations."/favicon.ico".extraConfig = ''
+ log_not_found off;
+ access_log off;
+ '';
+
+ locations."~* ^.+\\.php$".extraConfig = ''
+ fastcgi_split_path_info ^(.+?\.php)(/.*)$;
+ if (!-f $document_root$fastcgi_script_name) {
+ return 404;
+ }
+ include ${pkgs.nginx}/conf/fastcgi_params;
+ include ${pkgs.nginx}/conf/fastcgi.conf;
+ fastcgi_buffer_size 32k;
+ fastcgi_buffers 8 16k;
+ fastcgi_connect_timeout 240s;
+ fastcgi_read_timeout 240s;
+ fastcgi_send_timeout 240s;
+ fastcgi_pass unix:${config.services.phpfpm.pools."${domain}".socket};
+ fastcgi_index index.php;
+ '';
+
+ ## serve all other files normally
+ locations."/".extraConfig = ''
+ index index.php index.html;
+ try_files $uri $uri/ /index.php$is_args$args;
+ '';
+
+ ## disable all access to the following directories
+ locations."~ ^/(config|tmp|core|lang)".extraConfig = ''
+ deny all;
+ return 403; # replace with 404 to not show these directories exist
+ '';
+
+ locations."~ /\\.ht".extraConfig = ''
+ deny all;
+ return 403;
+ '';
+
+ locations."~ js/container_.*_preview\\.js$".extraConfig = ''
+ expires off;
+ add_header Cache-Control 'private, no-cache, no-store';
+ '';
+
+ locations."~ \\.(gif|ico|jpg|png|svg|js|css|htm|html|mp3|mp4|wav|ogg|avi|ttf|eot|woff|woff2)$".extraConfig = ''
+ allow all;
+ ## Cache images,CSS,JS and webfonts for an hour
+ ## Increasing the duration may improve the load-time, but may cause old files to show after an Matomo upgrade
+ expires 1h;
+ add_header Pragma public;
+ add_header Cache-Control "public";
+ '';
+
+ locations."~ ^/(libs|vendor|plugins|misc|node_modules)".extraConfig = ''
+ deny all;
+ return 403;
+ '';
+
+ ## properly display textfiles in root directory
+ locations."~/(.*\\.md|LEGALNOTICE|LICENSE)".extraConfig = ''
+ default_type text/plain;
+ '';
+
+ };
+ users.users."${domain}" = {
+ isSystemUser = true;
+ createHome = true;
+ home = dataDir;
+ homeMode= "770";
+ #home = "/home/${domain}";
+ group = "nginx";
+ };
+ users.groups.${domain} = {};
+
+ systemd.services."matomo-archive" = {
+ startAt = "*-*-* 23:00:00";
+ serviceConfig = {
+ Type = "oneshot";
+ User = "${domain}";
+ ExecStart = "${pkgs.php81}/bin/php /var/www/${domain}/console --matomo-domain=matomo.cloonar.com core:archive";
+ };
+ };
+
+ services.mysqlBackup.databases = [ "matomo" ];
+}
diff --git a/hosts/web-01.cloonar.com/sites/mehr-leistbaren-wohnraum-schaffen.at.nix b/hosts/web-01.cloonar.com/sites/mehr-leistbaren-wohnraum-schaffen.at.nix
new file mode 100644
index 0000000..214f9bd
--- /dev/null
+++ b/hosts/web-01.cloonar.com/sites/mehr-leistbaren-wohnraum-schaffen.at.nix
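Review bot: The `deny all` for `"~ ^/(config|tmp|core|lang)"` does not apply to static file types, because the NixOS nginx module emits `locations` sorted by `priority` and, at the default priority, by attribute name: `"~ \\.(gif|ico|…|woff2)$"` sorts before `"~ ^/(config|…)"` (`\` < `^`), nginx takes the first matching regex location, and so `/tmp/…/x.html` or `/core/…/x.js` is served with `allow all` instead of 403 — the upstream Matomo nginx sample lists the deny block first for exactly this reason. Pin the order with `locations."~ ^/(config|tmp|core|lang)".priority = 900;`; the `libs|vendor|plugins|misc|node_modules` deny sorting after the static block is the upstream order too, so plugin assets stay reachable, and `config/config.ini.php` is still caught because `.php` is not in the static extension list. Upstream also restricts PHP execution to a few named entry points rather than the `"~* ^.+\\.php$"` catch-all used here, which is worth considering for a production analytics host. Separately, `"php_admin_value[display_errors]" = true;` returns PHP errors with filesystem paths to visitors; with `error_log` already configured, `false` is the safer value.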
@@ -0,0 +1,65 @@
+{ pkgs, lib, config, ... }:
+let
+ domain = "mehr-leistbaren-wohnraum-schaffen.at";
+ dataDir = "/var/www/${domain}";
+in {
+ services.nginx.virtualHosts."www.${domain}" = {
+ enableACME = true;
+ forceSSL = true;
+ globalRedirect = domain;
+ };
+ services.nginx.virtualHosts."${domain}" = {
+ forceSSL = true;
+ enableACME = true;
+ acmeRoot = null;
+ root = "${dataDir}";
+
+ locations."/favicon.ico".extraConfig = ''
+ log_not_found off;
+ access_log off;
+ '';
+
+ locations."/".extraConfig = ''
+ index index.html;
+ '';
+
+ locations."~* \.(jpe?g|png)$".extraConfig = ''
+ set $red Z;
+
+ if ($http_accept ~* "webp") {
+ set $red A;
+ }
+
+ if (-f $document_root/webp/$request_uri.webp) {
+ set $red "''${red}B";
+ }
+
+ if ($red = "AB") {
+ add_header Vary Accept;
+ rewrite ^ /webp/$request_uri.webp;
+ }
+ '';
+
+ locations."~* \.(js|jpg|gif|png|webp|css|woff2)$".extraConfig = ''
+ expires 365d;
+ add_header Pragma "public";
+ add_header Cache-Control "public";
+ '';
+
+ locations."~ [^/]\.php(/|$)".extraConfig = ''
+ deny all;
+ '';
+ };
+ users.users."mehr-leistbaren-wohnraum" = {
+ isNormalUser = true;
+ createHome = true;
+ home = dataDir;
+ homeMode= "770";
+ #home = "/home/${domain}";
+ group = "nginx";
+ openssh.authorizedKeys.keys = [
+ "ssh-rsa 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"
+ ];
+ };
+ users.groups.${domain} = {};
+}
diff --git a/hosts/web-01.cloonar.com/sites/mehr-leistbaren-wohnraum-schaffen.cloonar.dev.nix b/hosts/web-01.cloonar.com/sites/mehr-leistbaren-wohnraum-schaffen.cloonar.dev.nix
new file mode 100644
index 0000000..fdba151
--- /dev/null
+++ b/hosts/web-01.cloonar.com/sites/mehr-leistbaren-wohnraum-schaffen.cloonar.dev.nix
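Review bot: This SSH-enabled customer account gets `group = "nginx"` as its primary group, while every other site in this commit (matomo.cloonar.com, gbv, paraclub, the .cloonar.dev twin) creates its webroot with `homeMode = "770"` and `group = "nginx"`, so whoever holds this key can read and write the other tenants' `/var/www/*` trees, potentially including Matomo's `config/` directory; the per-site `users.groups.${domain} = {};` declared on the last lines is never assigned to anything. Make the per-site group the primary group and give nginx membership in it instead: `group = domain;` together with `users.users.nginx.extraGroups = [ domain ];` (the sibling site files need the same change, and the PHP sites' pools would then also want `group = domain`). `770` additionally grants the group write access that nginx only needs read for; `750` is enough for serving. The `"~ [^/]\.php(/|$)"` deny key is a Nix double-quoted string in which `\.` becomes `.`, so the regex is broader than written — harmless for a deny, but `\\.` as in matomo.cloonar.com.nix keeps it honest.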
@@ -0,0 +1,60 @@
+{ pkgs, lib, config, ... }:
+let
+ domain = "mehr-leistbaren-wohnraum-schaffen.cloonar.dev";
+ dataDir = "/var/www/${domain}";
+in {
+ services.nginx.virtualHosts."${domain}" = {
+ forceSSL = true;
+ enableACME = true;
+ acmeRoot = null;
+ root = "${dataDir}";
+
+ locations."/favicon.ico".extraConfig = ''
+ log_not_found off;
+ access_log off;
+ '';
+
+ locations."/".extraConfig = ''
+ index index.html;
+ '';
+
+ locations."~* \.(jpe?g|png)$".extraConfig = ''
+ set $red Z;
+
+ if ($http_accept ~* "webp") {
+ set $red A;
+ }
+
+ if (-f $document_root/webp/$request_uri.webp) {
+ set $red "''${red}B";
+ }
+
+ if ($red = "AB") {
+ add_header Vary Accept;
+ rewrite ^ /webp/$request_uri.webp;
+ }
+ '';
+
+ locations."~* \.(js|jpg|gif|png|webp|css|woff2)$".extraConfig = ''
+ expires 365d;
+ add_header Pragma "public";
+ add_header Cache-Control "public";
+ '';
+
+ locations."~ [^/]\.php(/|$)".extraConfig = ''
+ deny all;
+ '';
+ };
+ users.users."mehr-leistbaren-wohnraum-dev" = {
+ isNormalUser = true;
+ createHome = true;
+ home = dataDir;
+ homeMode= "770";
+ #home = "/home/${domain}";
+ group = "nginx";
+ openssh.authorizedKeys.keys = [
+ "ssh-rsa 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"
+ ];
+ };
+ users.groups.${domain} = {};
+}
diff --git a/hosts/web-01.cloonar.com/sites/optiprot.cloonar.dev.nix b/hosts/web-01.cloonar.com/sites/optiprot.cloonar.dev.nix
new file mode 100644
index 0000000..ebd841a
--- /dev/null
+++ b/hosts/web-01.cloonar.com/sites/optiprot.cloonar.dev.nix
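Review bot: The location keys `"~* \.(jpe?g|png)$"`, `"~* \.(js|jpg|gif|png|webp|css|woff2)$"` and `"~ [^/]\.php(/|$)"` are Nix double-quoted strings, in which `\.` evaluates to a bare `.`, so nginx is configured with `.(jpe?g|png)$` and friends and the WebP rewrite and the 365-day cache header apply to any path ending in `…png` or `…css` whatever character precedes it, not only to files with that extension; write them as `\\.` (matomo.cloonar.com.nix in this commit does) or move the regex into an `''…''` string where the backslash survives. The same three keys appear in mehr-leistbaren-wohnraum-schaffen.at.nix. Inside the WebP block, `-f $document_root/webp/$request_uri.webp` tests the raw request URI including any query string, so `/img/a.png?v=2` never gets the WebP variant while `/img/a.png` does; `$uri` is the decoded, query-free path and is presumably what was meant — confirm against how the site links its images. This account also has the `group = "nginx"` / `homeMode = "770"` layout shared by every site user in the commit, so it can write into the other tenants' webroots through the common nginx group.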
@@ -0,0 +1,15 @@
+{ pkgs, lib, config, ... }:
+{
+ services.webstack.instances."optiprot.cloonar.dev" = {
+ authorizedKeys = [
+ "ssh-rsa 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"
+ ];
+ locations."~ \"^/en/products/[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$\"".extraConfig = ''
+ try_files $uri $uri/ /en/products/index.php?$args;
+ '';
+ locations."~ \"^/de/produkte/[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$\"".extraConfig = ''
+ try_files $uri $uri/ /de/produkte/index.php?$args;
+ '';
+ phpPackage = pkgs.php81;
+ };
+}
diff --git a/hosts/web-01.cloonar.com/sites/optiprot.eu.nix b/hosts/web-01.cloonar.com/sites/optiprot.eu.nix
new file mode 100644
index 0000000..e5295c0
--- /dev/null
+++ b/hosts/web-01.cloonar.com/sites/optiprot.eu.nix
@@ -0,0 +1,15 @@
+{ pkgs, lib, config, ... }:
+{
+ services.webstack.instances."optiprot.eu" = {
+ authorizedKeys = [
+ "ssh-rsa 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"
+ ];
+ locations."~ \"^/en/products/[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$\"".extraConfig = ''
+ try_files $uri $uri/ /en/products/index.php?$args;
+ '';
+ locations."~ \"^/de/produkte/[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$\"".extraConfig = ''
+ try_files $uri $uri/ /de/produkte/index.php?$args;
+ '';
+ phpPackage = pkgs.php81;
+ };
+}
diff --git a/hosts/web-01.cloonar.com/sites/paraclub.cloonar.dev.nix b/hosts/web-01.cloonar.com/sites/paraclub.cloonar.dev.nix
new file mode 100644
index 0000000..61d862e
--- /dev/null
+++ b/hosts/web-01.cloonar.com/sites/paraclub.cloonar.dev.nix
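Review bot: Neither UUID route forwards the matched identifier: `try_files $uri $uri/ /en/products/index.php?$args;` falls back to index.php with only the original query string, so index.php presumably recovers the product id from `$_SERVER['REQUEST_URI']` — a comment above the two `locations`, e.g. `# pretty product URLs: index.php derives the UUID from REQUEST_URI, nothing is passed as an argument`, would save the next reader the guess. If that is not how the page works, capture the id in the key as `([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})` and pass it with `try_files $uri $uri/ /en/products/index.php?id=$1&$args;`. `services.webstack.instances` is a local module not visible in this commit, so what `authorizedKeys` and `locations` ultimately control (user, group, pool hardening) cannot be checked from this hunk; optiprot.eu.nix on the same line is identical apart from the instance name and gets the same remark.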
@@ -0,0 +1,71 @@
+{ pkgs, lib, config, ... }:
+let
+ domain = "paraclub.cloonar.dev";
+ dataDir = "/var/www/${domain}";
+in {
+ systemd.services."phpfpm-${domain}".serviceConfig.ProtectHome = lib.mkForce false;
+
+ services.phpfpm.pools."${domain}" = {
+ user = domain;
+ settings = {
+ "listen.owner" = config.services.nginx.user;
+ "pm" = "dynamic";
+ "pm.max_children" = 32;
+ "pm.max_requests" = 500;
+ "pm.start_servers" = 2;
+ "pm.min_spare_servers" = 2;
+ "pm.max_spare_servers" = 5;
+ "php_admin_value[error_log]" = "/var/log/$pool.error.log";
+ "php_admin_flag[log_errors]" = true;
+ "php_admin_value[display_errors]" = true;
+ "catch_workers_output" = true;
+ "access.log" = "/var/log/$pool.access.log";
+ };
+ phpPackage = pkgs.nur.repos.izorkin.php74;
+ phpEnv."PATH" = lib.makeBinPath [ pkgs.nur.repos.izorkin.php74 ];
+ };
+
+ services.nginx.virtualHosts."${domain}" = {
+ forceSSL = true;
+ enableACME = true;
+ acmeRoot = null;
+ root = "${dataDir}";
+
+ locations."/favicon.ico".extraConfig = ''
+ log_not_found off;
+ access_log off;
+ '';
+
+ locations."/".extraConfig = ''
+ index index.php index.html;
+ try_files $uri $uri/ /index.php$is_args$args;
+ '';
+
+ locations."~ [^/]\.php(/|$)".extraConfig = ''
+ fastcgi_split_path_info ^(.+?\.php)(/.*)$;
+ if (!-f $document_root$fastcgi_script_name) {
+ return 404;
+ }
+ include ${pkgs.nginx}/conf/fastcgi_params;
+ include ${pkgs.nginx}/conf/fastcgi.conf;
+ fastcgi_buffer_size 32k;
+ fastcgi_buffers 8 16k;
+ fastcgi_connect_timeout 240s;
+ fastcgi_read_timeout 240s;
+ fastcgi_send_timeout 240s;
+ fastcgi_pass unix:${config.services.phpfpm.pools."${domain}".socket};
+ fastcgi_index index.php;
+ '';
+ };
+ users.users."${domain}" = {
+ isSystemUser = true;
+ createHome = true;
+ home = dataDir;
+ homeMode= "770";
+ #home = "/home/${domain}";
+ group = "nginx";
+ };
+ users.groups.${domain} = {};
+
+ services.mysqlBackup.databases = [ "paraclub" ];
+}
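Review bot: `"~ [^/]\.php(/|$)"` is a Nix double-quoted string, in which `\.` evaluates to a plain `.`, so the generated directive is `location ~ [^/].php(/|$)` and any existing file whose name ends in some character followed by `php` (for example an uploaded `upload.tphp`) is passed to PHP-FPM, not only `*.php`; matomo.cloonar.com.nix added in this commit spells it `\\.` and this file should match (the `\.` inside the `''…''` block is fine, indented strings keep the backslash). `"php_admin_value[display_errors]" = true;` returns PHP error text, including filesystem paths, to clients; with `log_errors` and `error_log` already set, `false` is the right value even on a staging host. `pkgs.nur.repos.izorkin.php74` is PHP 7.4, past the end of security support since November 2022 and pulled from a third-party NUR repository, so the file should record why this site cannot use `pkgs.php81` like the others. The `ProtectHome = lib.mkForce false` override appears unnecessary for a webroot under `/var/www` (ProtectHome only covers /home, /root and /run/user) unless something outside this file depends on it.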
diff --git a/hosts/web-01.cloonar.com/utils b/hosts/web-01.cloonar.com/utils
new file mode 120000
index 0000000..6b18391
--- /dev/null
+++ b/hosts/web-01.cloonar.com/utils
@@ -0,0 +1 @@
+../../utils
\ No newline at end of file