add web-01 host

hosts/web-01.cloonar.com/configuration.nix

@@ -0,0 +1,60 @@
+{ ... }: {
+  imports = [
+    ./utils/bento.nix
+
+    ./utils/modules/sops.nix
+    ./utils/modules/lego/lego.nix
+    ./utils/modules/mysql.nix
+    ./utils/modules/nginx.nix
+    ./utils/modules/bitwarden/default.nix
+    ./utils/modules/zammad/default.nix
+    # ./utils/modules/autoupgrade.nix
+
+    ./utils/modules/borgbackup.nix
+    ./utils/modules/netdata.nix
+    ./hardware-configuration.nix
+
+    ./utils/modules/services/web/typo3.nix
+    ./utils/modules/services/web/stack.nix
+
+    ./sites/autoconfig.cloonar.com.nix
+
+    ./sites/api.optiprot.eu.nix
+    ./sites/cloonar.com.nix
+    ./sites/gbv-aktuell.at.nix
+    ./sites/matomo.cloonar.com.nix
+    ./sites/optiprot.eu.nix
+
+    ./sites/api.optiprot.cloonar.dev.nix
+    ./sites/cloonar.dev.nix
+    ./sites/diabetes-austria.cloonar.dev.nix
+    ./sites/paraclub.cloonar.dev.nix
+    ./sites/gbv.cloonar.dev.nix
+    ./sites/gbv-aktuell.cloonar.dev.nix
+    ./sites/optiprot.cloonar.dev.nix
+    ./sites/mehr-leistbaren-wohnraum-schaffen.at.nix
+    ./sites/mehr-leistbaren-wohnraum-schaffen.cloonar.dev.nix
+  ];
+
+  sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+  sops.defaultSopsFile = ./secrets.yaml;
+  nix.gc.options = "--delete-older-than 60d";
+
+  boot.cleanTmpDir = true;
+  zramSwap.enable = true;
+  networking.hostName = "web-01";
+  services.openssh.enable = true;
+  users.users.root.openssh.authorizedKeys.keys = [
+    "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDN/2SAFm50kraB1fepAizox/QRXxB7WbqVbH+5OPalDT47VIJGNKOKhixQoqhABHxEoLxdf/C83wxlCVlPV9poLfDgVkA3Lyt5r3tSFQ6QjjOJAgchWamMsxxyGBedhKvhiEzcr/Lxytnoz3kjDG8fqQJwEpdqMmJoMUfyL2Rqp16u+FQ7d5aJtwO8EUqovhMaNO7rggjPpV/uMOg+tBxxmscliN7DLuP4EMTA/FwXVzcFNbOx3K9BdpMRAaSJt4SWcJO2cS2KHA5n/H+PQI7nz5KN3Yr/upJN5fROhi/SHvK39QOx12Pv7FCuWlc+oR68vLaoCKYhnkl3DnCfc7A7"
+  ];
+
+  # backups
+  borgbackup.repo = "u149513-sub5@u149513-sub5.your-backup.de:borg";
+
+  networking.firewall = {
+    enable = true;
+    allowedTCPPorts = [ 22 80 443 ];
+  };
+
+  system.stateVersion = "22.05";
+}

hosts/web-01.cloonar.com/fleet.nix

@@ -0,0 +1 @@
+../../fleet.nix

hosts/web-01.cloonar.com/hardware-configuration.nix

@@ -0,0 +1,9 @@
+{ modulesPath, ... }:
+{
+  imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
+  boot.loader.grub.device = "/dev/sda";
+  boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "vmw_pvscsi" "xen_blkfront" ];
+  boot.initrd.kernelModules = [ "nvme" ];
+  fileSystems."/" = { device = "/dev/sda1"; fsType = "ext4"; };
+  
+}

hosts/web-01.cloonar.com/secrets.yaml

@@ -0,0 +1,22 @@
+borg-passphrase: ENC[AES256_GCM,data:g85FvdFhbmBR5Gvh+7/qusK5Md66+7OPL2VRQu8R4E96LhsCjvpgDMQF9puO6wWNuIw3CsvrkYzQnU6/zo4BnA==,iv:Drv0wiZuZbaenZYx2m+QW85TaLIdpHbN0v6/3exP9gs=,tag:v6BNQFfphAMLyyXGZlo9Pg==,type:str]
+borg-ssh-key: ENC[AES256_GCM,data:aE/MiD2fSxG0B8C0e4UYWtqToj+3cGIDZTYMGZRDWr4S3535CvtG2j9W9/wG6zKnsDX/EUGTOYretk6/RsThYI+p/iZRntwvZ0PG5lSfg4Y/7EA+tuRWxLekO1u05h4aYOJsRtJEl9/dRwOAjwxyeGvWV9bvtlMoZaOrbujAU7h0VabW/yC7L/D8c0CzR+Whx04ecnNhSz+aSdydHhTvCJKt0vtk3Qdo11MpQm3Hig3zltrhz9EwBm/Oq4Z+FCe3bYrqJI3kb+C15JTaOydHURrspwWIHB2WNJ/jChyM51M8GCx4SJGiOdbV2pYIF8v/mGoioUbemqG5yeq9tdqEnOqh/LYLREfZCvIVJ08BDLCllV0ajveiggynbdKWIJDMl2z9EsdQMIZYc+3wd3H8/FnpAVEJ0dw62vrmogw9xhQ6zQwpC2QyxY0b37QcsHX1IGI+u+Sn9zG+Ihmbo9BhSBWD2b22kt9JjaPgrN42kVWLUbmJhRySipeqShwH0dkcNHwMf+pF/9OzpYd8cUhBXCpTf/nkKSduxLmj6CsuUCVA/99D0TQg/X6e6qXcGRgXEr79iRyYlC6KKBNu1JLuQU2GqKhzs2wbIUjzCYalVZXL5abxoxatV7hO0YL9U8mmqoJtzHBSD1urKkn+mQcbrm95e3/kPZhQNQKcDyT3Cp3UpGiSG4fcUTXx2fZuPxyMJPE882UagTBM56g3fpAbWKGHeFaxxJoprWtjgYKT0oKFQuyYdVGt+HeGW27vzArObpRP84LSnhpWTNK+iqGMtF6hxZOjWZwmzKatIydCBx15ScH+N0NkIXdN7DxdmhCDie1e9N0DfWCJZn9RbGo/36ksfdc/sirYSxKCZ3gUIveirvzH2ovyC11WJTf56evudYU6LahJQzOg3KTTntNKV221OvuelRj+NKLCkbKE/Pi00cDQ5WTMCX3PUdb5fk2ZdqXfLD8vJWzy0G+7vkrsJtNvzzcXZcQms5knSgX8qwrnGKJ5nxlFaYLzHmSV9GINH0SYZV4S6EwF7Y2Vi3IGkkNGP7VPRcJS8MSoZXYcLdaHBO8DwMPfB9Wi3j4qC6OCiUK79iCRyO8bAG0Q9CFH29qVciesdXnV5t9gaeXeGXUkVUM8THW3sq89mV+iuPbQLaTr5To9NWC1+Loq6DOrgWf/6VqcuIy0p2Akfieey1REThE6Bf1fui5sr2tHD5n2yrTC3XiG5RVPee9Kkdr8JaMd/SYsoTHzYkqSr9HnGW8C1SR5PsAxZsnMx/B96LPHlh5BfXoNUlyRrAs6I0B316xQh9q1zGanMyl4pLGfR17P4CEQU6SX7nr24k/PMKfdMn3etumbXOgoKEeZKtwGeEUVhSUB18/+HBnKT+4N8+I3ekTsonz5X8poXio6yVJ7SlH8gjNAaq7siM9eIE63001EQLZzappJYWEB/LAfYcHfjyASzLTT+FNUN/CiaMUIIiuRPltvnDbBvvj3L/eaDg/yfiMGXZcl/2J96tRyzkuKwzmmaTMy8VQfqHC3ODcjibECIpj7ODtpqqsjB3rjosUKT7dL7Xe7rHFltLjt4aYYtay9WdCWEv1yl2WcQc6coyKwmwM3Cr1i6opzlZ7+bfIGDW3hRN+1GOr+UfViyhJbbczeuhIWTv9toFtsXWSLu31OBWntIDRsdLCOUQvfP2gj0aaR5LxsBdYo6Hm/qSSMXWsPLD3K0SgXZMJdX+JAz6pgYMTt/OJaFfn5hYiSCNRrbNmnTIB8r/9AJNjfpWtJwtIJj/d5tZr0F4J+ax16OCQAfL/zBhn1opHNtxhdHq3hFWH+DAEglBepnJt85I/h/RBQZs5MqlqDPzKRE7clPzkEB3dViQtrkrmOUCtWpGXhHslo7A3CDGoQ/0KCMLniGM8A+Ig6iffry2xuYzf78V81DM+Wq93XaOUhVn9ztJR22T5bWb2zK4W2PirMj0Zb8Oh7ihJW0OSavhllfrpnvdDU5aWzcQ8GaVRh6BwYS+sOctEvQxmYfFXHill9BMxyCW5OWXd3K7gQOLLewFcOHwNu1chBrDSamB1C7Zaf6HoZdGvCZRn9NMYi7vdc15uJMaoIbKF45QBaldspe6dUTMEM3AXtJyzONhGRINiYaMPfGEn4J2YHToyOyLEOsIb+zKU9iqxbvyLX46IVO8CyIeWNm4Nwo/C4hSPFVzHqmGPPL3lKrJIZwaucDPUTiveE/6AUodBPxDLGmqjx5k4mPQFyelrTUAF5VfWcTJlot99R32FGTuRIM3kN0MBE0JhI93rg/o25rLf1y2oHhkcAXlzTE+KWP030iiy8yhpgWeE5NAwPDlVQvSOnaUefEurCqAfalVylxBs8TNWw4qPv6NXDBVsjdHh4YQxlXG++YKnTZy9TG4N4p0HI6I1XDB7jwVyBsDAj1WhWmNeEdIZVBbfQmZ+wibLhIm0msDSoU2WlRwFC2BMBYvUJVLYGlLrcn00yCa1xuus6rycx80WhNoyUswlIUMhsGMmMnaU5coSt6X8Y2NuuA1DzLy+P1BHmwhtiZp6kvGBkqVLhToVbpOILaIFDqRfejsR6GgHYHqrw6dBn4IMZyZrxICPvPQVx3Wu6nsWskjlqbCILpGyt35CkyHe7lRdKZvQuAx5WhErj3T2KywElPH/TADy6oQ4KBKASjFEnDa5k38Ro6j0yaN5nFZqeNBG05oVZW7xD05C6BcyS9RqdqCMhlAmmN0YFvSm4QJv3BRmoX5x9PiLvbJP3n00FtG5kyrErA0IoKiG3yJyIj6ZKXMXs5v1MrkL1QlXt5+J9sKe2r5CETmwVZWBJg6Ou8R+yMVkEEvwx8h+Ngvu01borhECJVQdEci50ZTEaEt3+Ef6n7uMpwHll1LYlTfPenPyBR4zYeKb1Pipb+taFEvDZVshL9q/GwFLjC7+swKz8oRY2N381j7s2zSJdutMWCa/NbSgwPdQT4kla/jN7AeATEC/VJbXLGvdW2LVOuz/1VWb7MNCOxNM0uyv27jhdCfYecUDRYDR273GV/ia5WVtM9cx8DLLG6SgalBvyH1wqDgXvUuYC6ci/hV0ekfKyeobXs4unTeKG0bQTozcDnY7gr/6eclsyOSOK7kddjAHxFY+oLbBb3iQBv0vMYL5++YxE71LNn9Ql6mm+K1J5sRY05Gr2nbb4cqF7HcGP476O1hbiXf9cuGJN53CotGqHrdYhMcPW0wRO5o3z2jh7/9g8gebtUYkYmgKDdmPlFi9DQ1demdBmeszWF1/I9nS3aFdBSVbwa0pbKmLUzH6eu1eu7lxY9z+t70MNtcJxHUUQqLCOLW6qhi5BlDu+RqlyfdNWrMg01+FOZVH60Qi5jCIiWzhmwoeawa3++kxkVSX2wbNQXC2qdU5cjg9ighHnWw8K45JbUxVcI+NAc7AHPZEcLft4/jxYfPiB1zWQvQ5mtWh6PP3viZxCrrw/7MnXP1AofA==,iv:UkU0lvcPJVWqIRdM3isrr+JJP0xz7cf2CYeBynpa0ws=,tag:6UkLgdb6kIsWT8qFe5G+KQ==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1y6lvl5jkwc47p5ae9yz9j9kuwhy7rtttua5xhygrgmr7ehd49svsszyt42
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBaVG04UDJWY3NQZ0hqc3FE
+            cE1wRDBMQzloeFlYclMyUEhTREdiNUcwVHpzCnp4UnpYYll6dVpTZ0dpcGlRbFgw
+            dTY3N2hRM2JCWWN6R0xZc003aW84MGMKLS0tIGorOW9LRmVrMmxWSEpia0owZk5p
+            eENYMyt1Qy9Ea29MemZwSnlsYnR1S1UKLC6KyS8tBX6new4iJTtYUl/Do5V2j+y7
+            +xALI95vVi93pRI0/T9agKkI4m5PqlZoUfo41csnTlcQEWDBcTEbGQ==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2022-12-31T11:41:18Z"
+    mac: ENC[AES256_GCM,data:2lQzO+BwvBnozb07+eQoCN3mDhVIivOo2RH9SI94xmFkWcit0o1RiWAsu6GDduqxa4DGpY25EV+yjnZJSGc01OyU3e11ycxpwfP6wLA9w62Dh87rM7bzQOmo01u2Dy4k1HUluVIkTgIfl4JZNJtG3iboSi5qlAN9dfiOGYPrSZs=,iv:ZYJ2TT01QKh+7mOpIcohzB8jWSa5F7gUwt8XbhdLr1w=,tag:AXCezSwoIfIcAuluHlIC+w==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.7.3

hosts/web-01.cloonar.com/sites/api.optiprot.cloonar.dev.nix

@@ -0,0 +1,34 @@
+{ pkgs, lib, config, ... }:
+{
+  services.webstack.instances."api.optiprot.cloonar.dev" = {
+    enableDefaultLocations = false;
+    enableMysql = true;
+    authorizedKeys = [
+      "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDDBGlzrg6NP5ezRFVu1CV8r0uCcS2oIgYG2/u6Cit++ARWQRO5Y0+9qC1Y2RNUaLPbvTmXg7ShskolUeuLryqvp10K2kXQ4E9NlmJ3BNLiAfWCzfe6gAgr6u5unVlXHttnP0leYpGGMUCKuiJpzy/bR6rMIUrCQC6W/MeXkwysNWKvL+ZD0IeQbogtfMFZmag9PO04RKZZvuUn9YvlgkTEK97g5dtyP1NxdtE9dDYf0G+0HcHITcw+lVmGNNwi43nAoUHieQd1kWc8YmxFB+y5O+vRH2O6pZBSdr0tdK6bPcezxd3Gk6i3a54yZfbvSislWA+o7s6uw/qExocpZb7xWa5ymPrGlEPbpYdT1y3hFO25+L1lR4QdG9oUNtJ974bL+EmYmHU+j32K3f8fxDg6BRo8FuriLtAzP7/2/7W8K4nIdMoosS+Ond2JE6XFkg1kSrXCivDBQoetZLO2y+ZPYcsQwIZsdjOnZqVr76nTepqCGIKYCuNM/9sl4AWCsyU="
+    ];
+    extraConfig = ''
+      add_header X-Frame-Options "SAMEORIGIN";
+      add_header X-Content-Type-Options "nosniff";
+
+      index index.php
+
+      charset utf-8;
+
+      error_page 404 /index.php;
+    '';
+    locations."/favicon.ico".extraConfig = ''
+      log_not_found off;
+      access_log off;
+    '';
+    locations."/robots.txt".extraConfig = ''
+      access_log off;
+      log_not_found off;
+    '';
+
+    locations."/".extraConfig = ''
+      try_files $uri $uri/ /index.php$is_args$args;
+    '';
+    phpPackage = pkgs.php80.withExtensions ({ enabled, all }:
+      enabled ++ [ all.imagick ]);
+  };
+}

hosts/web-01.cloonar.com/sites/api.optiprot.eu.nix

@@ -0,0 +1,34 @@
+{ pkgs, lib, config, ... }:
+{
+  services.webstack.instances."api.optiprot.eu" = {
+    enableDefaultLocations = false;
+    enableMysql = true;
+    authorizedKeys = [
+      "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDDBGlzrg6NP5ezRFVu1CV8r0uCcS2oIgYG2/u6Cit++ARWQRO5Y0+9qC1Y2RNUaLPbvTmXg7ShskolUeuLryqvp10K2kXQ4E9NlmJ3BNLiAfWCzfe6gAgr6u5unVlXHttnP0leYpGGMUCKuiJpzy/bR6rMIUrCQC6W/MeXkwysNWKvL+ZD0IeQbogtfMFZmag9PO04RKZZvuUn9YvlgkTEK97g5dtyP1NxdtE9dDYf0G+0HcHITcw+lVmGNNwi43nAoUHieQd1kWc8YmxFB+y5O+vRH2O6pZBSdr0tdK6bPcezxd3Gk6i3a54yZfbvSislWA+o7s6uw/qExocpZb7xWa5ymPrGlEPbpYdT1y3hFO25+L1lR4QdG9oUNtJ974bL+EmYmHU+j32K3f8fxDg6BRo8FuriLtAzP7/2/7W8K4nIdMoosS+Ond2JE6XFkg1kSrXCivDBQoetZLO2y+ZPYcsQwIZsdjOnZqVr76nTepqCGIKYCuNM/9sl4AWCsyU="
+    ];
+    extraConfig = ''
+      add_header X-Frame-Options "SAMEORIGIN";
+      add_header X-Content-Type-Options "nosniff";
+
+      index index.php
+
+      charset utf-8;
+
+      error_page 404 /index.php;
+    '';
+    locations."/favicon.ico".extraConfig = ''
+      log_not_found off;
+      access_log off;
+    '';
+    locations."/robots.txt".extraConfig = ''
+      access_log off;
+      log_not_found off;
+    '';
+
+    locations."/".extraConfig = ''
+      try_files $uri $uri/ /index.php$is_args$args;
+    '';
+    phpPackage = pkgs.php80.withExtensions ({ enabled, all }:
+      enabled ++ [ all.imagick ]);
+  };
+}

hosts/web-01.cloonar.com/sites/autoconfig.cloonar.com.nix

@@ -0,0 +1,39 @@
+{ pkgs, lib, config, ... }:
+let
+  domain = "autoconfig.cloonar.com";
+in
+{
+  services.go-autoconfig = {
+    enable = true;
+    settings = {
+      service_addr = ":1323";
+      domain = domain;
+      imap = {
+        server = "imap.cloonar.com";
+        port = 993;
+      };
+      smtp = {
+        server = "mail.cloonar.com";
+        port = 587;
+        starttls = true;
+      };
+    };
+  };
+
+  services.nginx.virtualHosts."${domain}" = {
+    forceSSL = true;
+    enableACME = true;
+    locations."/" = {
+      proxyPass = "http://localhost:1323/";
+    };
+  };
+  services.nginx.virtualHosts."autoconfig.superbros.tv".extraConfig = ''
+    return 301 https://autoconfig.cloonar.com$request_uri;
+  '';
+  services.nginx.virtualHosts."autoconfig.ghetto.at".extraConfig = ''
+    return 301 https://autoconfig.cloonar.com$request_uri;
+  '';
+  services.nginx.virtualHosts."autoconfig.optiprot.eu".extraConfig = ''
+    return 301 https://autoconfig.cloonar.com$request_uri;
+  '';
+}

hosts/web-01.cloonar.com/sites/autoconfig.nix

@@ -0,0 +1,89 @@
+{ pkgs, lib, config, ... }:
+let
+  domains = [
+    "cloonar.com"
+    "ghetto.at"
+    "optiprot.eu"
+  ];
+
+  vhostConfig = {
+      forceSSL = true;
+      enableACME = true;
+      acmeRoot = null;
+      root = "/var/www/autoconfig";
+
+      # MS Outlook
+      locations."~* ^/autodiscover/autodiscover.xml".extraConfig = ''
+          root /var/www/autoconfig;
+          try_files /autodiscover.php =404;
+          include ${pkgs.nginx}/conf/fastcgi_params;
+          include ${pkgs.nginx}/conf/fastcgi.conf;
+          fastcgi_pass unix:${config.services.phpfpm.pools.autoconfig.socket};
+      '';
+
+      # Thunderbird
+      locations."/.well-known/autoconfig/mail/config-v1.1.xml".extraConfig = ''
+          root /var/www/autoconfig;
+          try_files /config-v1.1.php =404;
+          include ${pkgs.nginx}/conf/fastcgi_params;
+          include ${pkgs.nginx}/conf/fastcgi.conf;
+          fastcgi_pass unix:${config.services.phpfpm.pools.autoconfig.socket};
+      '';
+
+      # Apple devices
+      locations."/apple/get-mobileconfig".extraConfig = ''
+          root /var/www/autoconfig;
+          try_files /apple.php =404;
+          include ${pkgs.nginx}/conf/fastcgi_params;
+          include ${pkgs.nginx}/conf/fastcgi.conf;
+          fastcgi_pass unix:${config.services.phpfpm.pools.autoconfig.socket};
+      '';
+
+      # disable logging for Apple Touch Icons
+      locations."~ /apple-touch-icon(|-\d+x\d+)(|-precomposed).png".extraConfig = ''
+          log_not_found off;
+          access_log off;
+      '';
+  };
+in
+{
+  services.nginx.virtualHosts."autoconfig.cloonar.com" = vhostConfig;
+  services.nginx.virtualHosts."autoconfig.ghetto.at" = vhostConfig;
+  services.nginx.virtualHosts."autoconfig.optiprot.eu" = vhostConfig;
+  services.nginx.virtualHosts."autoconfig.superbros.tv" = vhostConfig;
+
+  systemd.services."phpfpm-autoconfig".serviceConfig.ProtectHome = lib.mkForce false;
+
+  services.phpfpm.pools."autoconfig" = {
+    user = "autoconfig";
+    settings = {
+      "listen.owner" = config.services.nginx.user;
+      "pm" = "dynamic";
+      "pm.max_children" = 32;
+      "pm.max_requests" = 500;
+      "pm.start_servers" = 2;
+      "pm.min_spare_servers" = 2;
+      "pm.max_spare_servers" = 5;
+      "php_admin_value[error_log]" = "stderr";
+      "php_admin_flag[log_errors]" = true;
+      "catch_workers_output" = true;
+      "access.log" = "/var/log/$pool.access.log";
+    };
+    phpPackage = pkgs.php;
+    phpEnv."PATH" = lib.makeBinPath [ pkgs.php ];
+  };
+
+  users.users."autoconfig" = {
+    #isSystemUser = true;
+    isNormalUser = true;
+    createHome = true;
+    home = "/var/www/autoconfig";
+    homeMode= "770";
+    #home = "/home/${domain}";
+    group  = "nginx";
+    openssh.authorizedKeys.keys = [
+      "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDZg6mxd6kuB7zxxTMw/kgP2Cfddjnz8hCtSbzKckNBtM9TbnJ76ZbAjgh/TDcm/qBADlICi+Ib0tMlzK1BJWLxe1SjHOR78BPzPGASmjtj6vuNAFyM20Ise5rhbbo2sC6o82F6HP4iak+hFzhwTf0Ld1LT5dJ78CltKgHFmyKIaRYBILn5MvTnmORG2UfFY1Tef2DiujrQD24bM2f4BYR2Ni0zoyim8UUkjciQkXceB8yDJQX/e1WcNxGU7Bsh2WGZMu6Ykeinbf7LIu8pPGH2sf81N8tbsYc4PxZv9lovgRWdNNmSfB+Ocsn4jWBN9nVtb8XMXycTaenI4W57F+ZWrx0LddPhwfXbLAdFgxyvqtWW/WF48DH2vETQcCATowIhtU7QDZ3pDKaTIIYhDYnMvPJuM2rQP0SCMaNzQlziXWFvKTRw8nnqkpzTz488OJVkYvULXhiRgr0Uxe6eh7XCOO9SF5wdj1cGeewefOiOjpxmg/GnaQvQW6KjFRMj1ZE="
+    ];
+  };
+  users.groups.autoconfig = {};
+}

hosts/web-01.cloonar.com/sites/cloonar.com.nix

@@ -0,0 +1,60 @@
+{ pkgs, lib, config, ... }:
+let
+  domain = "cloonar.com";
+  dataDir = "/var/www/${domain}";
+in {
+  services.nginx.virtualHosts."${domain}" = {
+    forceSSL = true;
+    enableACME = true;
+    acmeRoot = null;
+    root = "${dataDir}";
+
+    locations."/favicon.ico".extraConfig = ''
+      log_not_found off;
+      access_log off;
+    '';
+
+    locations."/".extraConfig = ''
+      index index.html;
+    '';
+
+    locations."~* \.(jpe?g|png)$".extraConfig = ''
+      set $red Z;
+
+      if ($http_accept ~* "webp") {
+          set $red A;
+      }
+
+      if (-f $document_root/webp/$request_uri.webp) {
+          set $red "''${red}B";
+      }
+
+      if ($red = "AB") {
+          add_header Vary Accept;
+          rewrite ^ /webp/$request_uri.webp;
+      }
+    '';
+
+    locations."~* \.(js|jpg|gif|png|webp|css|woff2)$".extraConfig = ''
+     expires 365d;
+     add_header Pragma "public";
+     add_header Cache-Control "public";
+    '';
+
+    locations."~ [^/]\.php(/|$)".extraConfig = ''
+      deny all;
+    '';
+  };
+  users.users."${domain}" = {
+    isNormalUser = true;
+    createHome = true;
+    home = dataDir;
+    homeMode= "770";
+    #home = "/home/${domain}";
+    group  = "nginx";
+    openssh.authorizedKeys.keys = [
+      "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC1CQqL1hQV3Lb6hqzDt2mgr0IasBRlIrdUCM+QibgKcU1VUWEJTo1nkcwgunnpUROtCQPRtlBZWwdqphKNrpMf3PkCPnjkcQC/2dGcFUXbkGq+5NaMnXpQnt7XAPyqxAT/9nCnXM9y3IBWjL9jN3C4l+yZHuMChi1a3q/6cNNH7WORkC1hq7MMyIvRCh6HDPwq1XCEj0w7O6m0iBmXIwiXyh3ly6ruWmkNQToPc1s2QuIE/w0yXoOF7Ubxtdf/GH2Yu0f+ztJrOveuiLlsNWx596lQwDlYa58ib0nPPtnFVf8od59F/UC8lOFtMsSY/d5ArOnqKjk6iWNaOh15WLr7wj9lrHJkiD+9fgXLyaaxVLt4NYGwyi7SZn7P1lHz6kjFr9UmRvfth6nGGoCvvfQZB8MAE0FhcTHb9fXC1m/NengWf40VQ8woZLZ4mRPWZBxrSnymgFiIvSYSqxnP3QNID4quaQ8sPyXYygbtt38qXAg/Ixyud0vgZN4H/rbW+DE="
+    ];
+  };
+  users.groups.${domain} = {};
+}

hosts/web-01.cloonar.com/sites/cloonar.dev.nix

@@ -0,0 +1,60 @@
+{ pkgs, lib, config, ... }:
+let
+  domain = "cloonar.dev";
+  dataDir = "/var/www/${domain}";
+in {
+  services.nginx.virtualHosts."${domain}" = {
+    forceSSL = true;
+    enableACME = true;
+    acmeRoot = null;
+    root = "${dataDir}";
+
+    locations."/favicon.ico".extraConfig = ''
+      log_not_found off;
+      access_log off;
+    '';
+
+    locations."/".extraConfig = ''
+      index index.html;
+    '';
+
+    locations."~* \.(jpe?g|png)$".extraConfig = ''
+      set $red Z;
+
+      if ($http_accept ~* "webp") {
+          set $red A;
+      }
+
+      if (-f $document_root/webp/$request_uri.webp) {
+          set $red "''${red}B";
+      }
+
+      if ($red = "AB") {
+          add_header Vary Accept;
+          rewrite ^ /webp/$request_uri.webp;
+      }
+    '';
+
+    locations."~* \.(js|jpg|gif|png|webp|css|woff2)$".extraConfig = ''
+     expires 365d;
+     add_header Pragma "public";
+     add_header Cache-Control "public";
+    '';
+
+    locations."~ [^/]\.php(/|$)".extraConfig = ''
+      deny all;
+    '';
+  };
+  users.users."${domain}" = {
+    isNormalUser = true;
+    createHome = true;
+    home = dataDir;
+    homeMode= "770";
+    #home = "/home/${domain}";
+    group  = "nginx";
+    openssh.authorizedKeys.keys = [
+      "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC1CQqL1hQV3Lb6hqzDt2mgr0IasBRlIrdUCM+QibgKcU1VUWEJTo1nkcwgunnpUROtCQPRtlBZWwdqphKNrpMf3PkCPnjkcQC/2dGcFUXbkGq+5NaMnXpQnt7XAPyqxAT/9nCnXM9y3IBWjL9jN3C4l+yZHuMChi1a3q/6cNNH7WORkC1hq7MMyIvRCh6HDPwq1XCEj0w7O6m0iBmXIwiXyh3ly6ruWmkNQToPc1s2QuIE/w0yXoOF7Ubxtdf/GH2Yu0f+ztJrOveuiLlsNWx596lQwDlYa58ib0nPPtnFVf8od59F/UC8lOFtMsSY/d5ArOnqKjk6iWNaOh15WLr7wj9lrHJkiD+9fgXLyaaxVLt4NYGwyi7SZn7P1lHz6kjFr9UmRvfth6nGGoCvvfQZB8MAE0FhcTHb9fXC1m/NengWf40VQ8woZLZ4mRPWZBxrSnymgFiIvSYSqxnP3QNID4quaQ8sPyXYygbtt38qXAg/Ixyud0vgZN4H/rbW+DE="
+    ];
+  };
+  users.groups.${domain} = {};
+}

hosts/web-01.cloonar.com/sites/diabetes-austria.cloonar.dev.nix

@@ -0,0 +1,141 @@
+{ pkgs, lib, config, ... }:
+let
+  domain = "diabetes-austria.cloonar.dev";
+  dataDir = "/var/www/${domain}";
+in {
+  systemd.services."phpfpm-${domain}".serviceConfig.ProtectHome = lib.mkForce false;
+
+  services.phpfpm.pools."${domain}" = {
+    user = domain;
+    settings = {
+      "listen.owner" = config.services.nginx.user;
+      "pm" = "dynamic";
+      "pm.max_children" = 32;
+      "pm.max_requests" = 500;
+      "pm.start_servers" = 2;
+      "pm.min_spare_servers" = 2;
+      "pm.max_spare_servers" = 5;
+      "php_admin_value[error_log]" = "stderr";
+      "php_admin_flag[log_errors]" = true;
+      "catch_workers_output" = true;
+      "access.log" = "/var/log/$pool.access.log";
+    };
+    phpPackage = pkgs.nur.repos.izorkin.php74;
+    phpEnv."PATH" = lib.makeBinPath [ pkgs.nur.repos.izorkin.php74 ];
+  };
+
+  services.nginx.virtualHosts."${domain}" = {
+    forceSSL = true;
+    enableACME = true;
+    acmeRoot = null;
+    root = "${dataDir}/public";
+
+    locations."/favicon.ico".extraConfig = ''
+      log_not_found off;
+      access_log off;
+    '';
+
+    # TYPO3 - Rule for versioned static files, configured through:
+    # - $GLOBALS['TYPO3_CONF_VARS']['BE']['versionNumberInFilename']
+    # - $GLOBALS['TYPO3_CONF_VARS']['FE']['versionNumberInFilename']
+
+    extraConfig = ''
+      if (!-e $request_filename) {
+        rewrite ^/(.+)\.(\d+)\.(php|js|css|png|jpg|gif|gzip)$ /$1.$3 last;
+      }
+    '';
+
+    # TYPO3 - Block access to composer files
+    locations."~* composer\.(?:json|lock)".extraConfig = ''
+      deny all;
+    '';
+
+
+    # TYPO3 - Block access to flexform files
+    locations."~* flexform[^.]*\.xml".extraConfig = ''
+      deny all;
+    '';
+
+    # TYPO3 - Block access to language files
+    locations."~* locallang[^.]*\.(?:xml|xlf)$".extraConfig = ''
+      deny all;
+    '';
+
+    # TYPO3 - Block access to static typoscript files
+    locations."~* ext_conf_template\.txt|ext_typoscript_constants\.txt|ext_typoscript_setup\.txt".extraConfig = ''
+      deny all;
+    '';
+
+    # TYPO3 - Block access to miscellaneous protected files
+    locations."~* /.*\.(?:bak|co?nf|cfg|ya?ml|ts|typoscript|tsconfig|dist|fla|in[ci]|log|sh|sql|sqlite)$".extraConfig = ''
+      deny all;
+    '';
+
+    # TYPO3 - Block access to recycler and temporary directories
+    locations."~ _(?:recycler|temp)_/".extraConfig = ''
+      deny all;
+    '';
+
+    # TYPO3 - Block access to configuration files stored in fileadmin
+    locations."~ fileadmin/(?:templates)/.*\.(?:txt|ts|typoscript)$".extraConfig = ''
+      deny all;
+    '';
+
+
+    # TYPO3 - Block access to libraries, source and temporary compiled data
+    locations."~ ^(?:vendor|typo3_src|typo3temp/var)".extraConfig = ''
+      deny all;
+    '';
+
+
+    # TYPO3 - Block access to protected extension directories
+    locations."~ (?:typo3conf/ext|typo3/sysext|typo3/ext)/[^/]+/(?:Configuration|Resources/Private|Tests?|Documentation|docs?)/".extraConfig = ''
+      deny all;
+    '';
+
+    locations."/".extraConfig = ''
+      index index.php index.html;
+      try_files $uri $uri/ /index.php$is_args$args;
+    '';
+
+    # TYPO3 Backend URLs
+    locations."/typo3$".extraConfig = ''
+      rewrite ^ /typo3/;
+    '';
+    
+    locations."/typo3/".extraConfig = ''
+        try_files $uri /typo3/index.php$is_args$args;
+    '';
+
+    locations."~ [^/]\.php(/|$)".extraConfig = ''
+        fastcgi_split_path_info ^(.+?\.php)(/.*)$;
+        if (!-f $document_root$fastcgi_script_name) {
+            return 404;
+        }
+        include ${pkgs.nginx}/conf/fastcgi_params;
+        include ${pkgs.nginx}/conf/fastcgi.conf;
+        fastcgi_buffer_size 32k;
+        fastcgi_buffers 8 16k;
+        fastcgi_connect_timeout 240s;
+        fastcgi_read_timeout 240s;
+        fastcgi_send_timeout 240s;
+        fastcgi_pass unix:${config.services.phpfpm.pools."${domain}".socket};
+        fastcgi_index        index.php;
+    '';
+  };
+  users.users."${domain}" = {
+    #isSystemUser = true;
+    isNormalUser = true;
+    createHome = true;
+    home = dataDir;
+    homeMode= "770";
+    #home = "/home/${domain}";
+    group  = "nginx";
+    openssh.authorizedKeys.keys = [
+      "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDZg6mxd6kuB7zxxTMw/kgP2Cfddjnz8hCtSbzKckNBtM9TbnJ76ZbAjgh/TDcm/qBADlICi+Ib0tMlzK1BJWLxe1SjHOR78BPzPGASmjtj6vuNAFyM20Ise5rhbbo2sC6o82F6HP4iak+hFzhwTf0Ld1LT5dJ78CltKgHFmyKIaRYBILn5MvTnmORG2UfFY1Tef2DiujrQD24bM2f4BYR2Ni0zoyim8UUkjciQkXceB8yDJQX/e1WcNxGU7Bsh2WGZMu6Ykeinbf7LIu8pPGH2sf81N8tbsYc4PxZv9lovgRWdNNmSfB+Ocsn4jWBN9nVtb8XMXycTaenI4W57F+ZWrx0LddPhwfXbLAdFgxyvqtWW/WF48DH2vETQcCATowIhtU7QDZ3pDKaTIIYhDYnMvPJuM2rQP0SCMaNzQlziXWFvKTRw8nnqkpzTz488OJVkYvULXhiRgr0Uxe6eh7XCOO9SF5wdj1cGeewefOiOjpxmg/GnaQvQW6KjFRMj1ZE="
+    ];
+  };
+  users.groups.${domain} = {};
+
+  services.mysqlBackup.databases = [ "diabetes_austria" ];
+}

hosts/web-01.cloonar.com/sites/gbv-aktuell.at.nix

@@ -0,0 +1,39 @@
+{ pkgs, lib, config, ... }:
+{
+  services.typo3.instances."gbv-aktuell.at" = {
+    domainAliases = [ "www.gbv-aktuell.at" ];
+    authorizedKeys = [
+      "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDMglRMPCWQv8t67o6U8bU87HF34MPSaXZXAJZPdvtsYqXj8Z2/Xc47DQK98pAPHAFekjG9JK2m97FaV+h9E6uEF0Tg0sjWmqf9ApCNFA5igZgxJvlOTI4AJlQ4PtUY8dBGdiFFEdHf92RLg/FrsROLV5p4GTebpBxxBgQ/gbsZe3Dknfh8LuCUS/awN85j05T36dwp37Z1txly1NpkLsoToqeDBCTrvCZGyyOasVnp2SKPnQID8KgfU2sbzluUJz2lvIYEvfrDaB1jrkhDhhfoIRkJpzyB0Y1p9fuI2P9xKhharxVJ5soiIrvNPSk+Ytld6YhfKGDx/DwIzKiVm18+yGWLy3BOnm2ILugU1hq2H2/qPMa8yShcXp/STXZfdfPxiHfdYjOD4vu1fPNt1qs955vQCR+lO+HBP46QCszrebKvxGo1Qh5nRddU/6DjKrE24aDMbSfQxwiufYklZRFZjhLggs0qE/sMAanhDqfl5cXuFFYoQ8anfHplS40S84E="
+    ];
+    phpPackage = pkgs.php81;
+  };
+
+  services.awstats = {
+      enable = true;
+      updateAt = "daily";
+      configs."gbv-aktuell.at" = {
+        webService = {
+          enable = true;
+          hostname = "gbv-aktuell.at";
+        };
+        logFile = "/var/log/nginx/access.log";
+        extraConfig = {
+          # ShowDaysOfWeekStats = "0";
+          # ShowHoursStats = "0";
+          # ShowDomainsStats = "0";
+          # ShowHostsStats = "0";
+          # "ShowRobotsStats" = "0";
+          # "ShowFileTypesStats" = "0";
+          # "ShowDownloadsStats" = "0";
+          # "ShowPagesStats" = "0";
+          # "ShowOSStats" = "0";
+          # "ShowBrowsersStats" = "0";
+          # "ShowOriginStats" = "0";
+          # "ShowKeyphrasesStats" = "0";
+          # "ShowKeywordsStats" = "0";
+          # "ShowMiscStats" = "0";
+          # "ShowHTTPErrorsStats" = "0";
+        };
+      };
+    };
+}

hosts/web-01.cloonar.com/sites/gbv-aktuell.cloonar.dev.nix

@@ -0,0 +1,38 @@
+{ pkgs, lib, config, ... }:
+{
+  services.typo3.instances."gbv-aktuell.cloonar.dev" = {
+    authorizedKeys = [
+      "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDMglRMPCWQv8t67o6U8bU87HF34MPSaXZXAJZPdvtsYqXj8Z2/Xc47DQK98pAPHAFekjG9JK2m97FaV+h9E6uEF0Tg0sjWmqf9ApCNFA5igZgxJvlOTI4AJlQ4PtUY8dBGdiFFEdHf92RLg/FrsROLV5p4GTebpBxxBgQ/gbsZe3Dknfh8LuCUS/awN85j05T36dwp37Z1txly1NpkLsoToqeDBCTrvCZGyyOasVnp2SKPnQID8KgfU2sbzluUJz2lvIYEvfrDaB1jrkhDhhfoIRkJpzyB0Y1p9fuI2P9xKhharxVJ5soiIrvNPSk+Ytld6YhfKGDx/DwIzKiVm18+yGWLy3BOnm2ILugU1hq2H2/qPMa8yShcXp/STXZfdfPxiHfdYjOD4vu1fPNt1qs955vQCR+lO+HBP46QCszrebKvxGo1Qh5nRddU/6DjKrE24aDMbSfQxwiufYklZRFZjhLggs0qE/sMAanhDqfl5cXuFFYoQ8anfHplS40S84E="
+    ];
+    phpPackage = pkgs.php81;
+  };
+
+  services.awstats = {
+      enable = true;
+      updateAt = "daily";
+      configs."gbv-aktuell.cloonar.dev" = {
+        webService = {
+          enable = true;
+          hostname = "gbv-aktuell.cloonar.dev";
+        };
+        logFile = "/var/log/nginx/access.log";
+        extraConfig = {
+          # ShowDaysOfWeekStats = "0";
+          # ShowHoursStats = "0";
+          # ShowDomainsStats = "0";
+          # ShowHostsStats = "0";
+          # "ShowRobotsStats" = "0";
+          # "ShowFileTypesStats" = "0";
+          # "ShowDownloadsStats" = "0";
+          # "ShowPagesStats" = "0";
+          # "ShowOSStats" = "0";
+          # "ShowBrowsersStats" = "0";
+          # "ShowOriginStats" = "0";
+          # "ShowKeyphrasesStats" = "0";
+          # "ShowKeywordsStats" = "0";
+          # "ShowMiscStats" = "0";
+          # "ShowHTTPErrorsStats" = "0";
+        };
+      };
+    };
+}

hosts/web-01.cloonar.com/sites/gbv.cloonar.dev.nix

@@ -0,0 +1,71 @@
+{ pkgs, lib, config, ... }:
+let
+  domain = "gbv.cloonar.dev";
+  dataDir = "/var/www/${domain}";
+in {
+  systemd.services."phpfpm-${domain}".serviceConfig.ProtectHome = lib.mkForce false;
+
+  services.phpfpm.pools."${domain}" = {
+    user = domain;
+    settings = {
+      "listen.owner" = config.services.nginx.user;
+      "pm" = "dynamic";
+      "pm.max_children" = 32;
+      "pm.max_requests" = 500;
+      "pm.start_servers" = 2;
+      "pm.min_spare_servers" = 2;
+      "pm.max_spare_servers" = 5;
+      "php_admin_value[error_log]" = "/var/log/$pool.error.log";
+      "php_admin_flag[log_errors]" = true;
+      "php_admin_value[display_errors]" = true;
+      "catch_workers_output" = true;
+      "access.log" = "/var/log/$pool.access.log";
+    };
+    phpPackage = pkgs.nur.repos.izorkin.php74;
+    phpEnv."PATH" = lib.makeBinPath [ pkgs.nur.repos.izorkin.php74 ];
+  };
+
+  services.nginx.virtualHosts."${domain}" = {
+    forceSSL = true;
+    enableACME = true;
+    acmeRoot = null;
+    root = "${dataDir}";
+
+    locations."/favicon.ico".extraConfig = ''
+      log_not_found off;
+      access_log off;
+    '';
+
+    locations."/".extraConfig = ''
+      index index.php index.html;
+      try_files $uri $uri/ /index.php$is_args$args;
+    '';
+
+    locations."~ [^/]\.php(/|$)".extraConfig = ''
+        fastcgi_split_path_info ^(.+?\.php)(/.*)$;
+        if (!-f $document_root$fastcgi_script_name) {
+            return 404;
+        }
+        include ${pkgs.nginx}/conf/fastcgi_params;
+        include ${pkgs.nginx}/conf/fastcgi.conf;
+        fastcgi_buffer_size 32k;
+        fastcgi_buffers 8 16k;
+        fastcgi_connect_timeout 240s;
+        fastcgi_read_timeout 240s;
+        fastcgi_send_timeout 240s;
+        fastcgi_pass unix:${config.services.phpfpm.pools."${domain}".socket};
+        fastcgi_index        index.php;
+    '';
+  };
+  users.users."${domain}" = {
+    isSystemUser = true;
+    createHome = true;
+    home = dataDir;
+    homeMode= "770";
+    #home = "/home/${domain}";
+    group  = "nginx";
+  };
+  users.groups.${domain} = {};
+
+  services.mysqlBackup.databases = [ "gbv_stage" ];
+}

hosts/web-01.cloonar.com/sites/matomo.cloonar.com.nix

@@ -0,0 +1,117 @@
+{ pkgs, lib, config, ... }:
+let
+  domain = "matomo.cloonar.com";
+  dataDir = "/var/www/${domain}";
+in {
+  systemd.services."phpfpm-${domain}".serviceConfig.ProtectHome = lib.mkForce false;
+
+  services.phpfpm.pools."${domain}" = {
+    user = domain;
+    settings = {
+      "listen.owner" = config.services.nginx.user;
+      "pm" = "dynamic";
+      "pm.max_children" = 32;
+      "pm.max_requests" = 500;
+      "pm.start_servers" = 2;
+      "pm.min_spare_servers" = 2;
+      "pm.max_spare_servers" = 5;
+      "php_admin_value[error_log]" = "/var/log/$pool.php.error.log";
+      "php_admin_flag[log_errors]" = true;
+      "php_admin_value[display_errors]" = true;
+      "catch_workers_output" = true;
+      "access.log" = "/var/log/$pool.access.log";
+    };
+    phpPackage = pkgs.php81;
+    phpEnv."PATH" = lib.makeBinPath [ pkgs.php81 ];
+  };
+
+  services.nginx.virtualHosts."${domain}" = {
+    forceSSL = true;
+    enableACME = true;
+    acmeRoot = null;
+    root = "${dataDir}";
+
+    locations."/favicon.ico".extraConfig = ''
+      log_not_found off;
+      access_log off;
+    '';
+
+    locations."~* ^.+\\.php$".extraConfig = ''
+      fastcgi_split_path_info ^(.+?\.php)(/.*)$;
+      if (!-f $document_root$fastcgi_script_name) {
+          return 404;
+      }
+      include ${pkgs.nginx}/conf/fastcgi_params;
+      include ${pkgs.nginx}/conf/fastcgi.conf;
+      fastcgi_buffer_size 32k;
+      fastcgi_buffers 8 16k;
+      fastcgi_connect_timeout 240s;
+      fastcgi_read_timeout 240s;
+      fastcgi_send_timeout 240s;
+      fastcgi_pass unix:${config.services.phpfpm.pools."${domain}".socket};
+      fastcgi_index        index.php;
+    '';
+
+    ## serve all other files normally
+    locations."/".extraConfig = ''
+      index index.php index.html;
+      try_files $uri $uri/ /index.php$is_args$args;
+    '';
+
+    ## disable all access to the following directories
+    locations."~ ^/(config|tmp|core|lang)".extraConfig = ''
+      deny all;
+      return 403; # replace with 404 to not show these directories exist
+    '';
+
+    locations."~ /\\.ht".extraConfig = ''
+      deny  all;
+      return 403;
+    '';
+
+    locations."~ js/container_.*_preview\\.js$".extraConfig = ''
+      expires off;
+      add_header Cache-Control 'private, no-cache, no-store';
+    '';
+
+    locations."~ \\.(gif|ico|jpg|png|svg|js|css|htm|html|mp3|mp4|wav|ogg|avi|ttf|eot|woff|woff2)$".extraConfig = ''
+      allow all;
+      ## Cache images,CSS,JS and webfonts for an hour
+      ## Increasing the duration may improve the load-time, but may cause old files to show after an Matomo upgrade
+      expires 1h;
+      add_header Pragma public;
+      add_header Cache-Control "public";
+    '';
+
+    locations."~ ^/(libs|vendor|plugins|misc|node_modules)".extraConfig = ''
+      deny all;
+      return 403;
+    '';
+
+    ## properly display textfiles in root directory
+    locations."~/(.*\\.md|LEGALNOTICE|LICENSE)".extraConfig = ''
+      default_type text/plain;
+    '';
+
+  };
+  users.users."${domain}" = {
+    isSystemUser = true;
+    createHome = true;
+    home = dataDir;
+    homeMode= "770";
+    #home = "/home/${domain}";
+    group  = "nginx";
+  };
+  users.groups.${domain} = {};
+
+  systemd.services."matomo-archive" = {
+    startAt = "*-*-* 23:00:00";
+    serviceConfig = {
+      Type = "oneshot";
+      User = "${domain}";
+      ExecStart = "${pkgs.php81}/bin/php /var/www/${domain}/console --matomo-domain=matomo.cloonar.com core:archive";
+    };
+  };
+
+  services.mysqlBackup.databases = [ "matomo" ];
+}

hosts/web-01.cloonar.com/sites/mehr-leistbaren-wohnraum-schaffen.at.nix

@@ -0,0 +1,65 @@
+{ pkgs, lib, config, ... }:
+let
+  domain = "mehr-leistbaren-wohnraum-schaffen.at";
+  dataDir = "/var/www/${domain}";
+in {
+  services.nginx.virtualHosts."www.${domain}" = {
+    enableACME = true;
+    forceSSL = true;
+    globalRedirect = domain;
+  };
+  services.nginx.virtualHosts."${domain}" = {
+    forceSSL = true;
+    enableACME = true;
+    acmeRoot = null;
+    root = "${dataDir}";
+
+    locations."/favicon.ico".extraConfig = ''
+      log_not_found off;
+      access_log off;
+    '';
+
+    locations."/".extraConfig = ''
+      index index.html;
+    '';
+
+    locations."~* \.(jpe?g|png)$".extraConfig = ''
+      set $red Z;
+
+      if ($http_accept ~* "webp") {
+          set $red A;
+      }
+
+      if (-f $document_root/webp/$request_uri.webp) {
+          set $red "''${red}B";
+      }
+
+      if ($red = "AB") {
+          add_header Vary Accept;
+          rewrite ^ /webp/$request_uri.webp;
+      }
+    '';
+
+    locations."~* \.(js|jpg|gif|png|webp|css|woff2)$".extraConfig = ''
+     expires 365d;
+     add_header Pragma "public";
+     add_header Cache-Control "public";
+    '';
+
+    locations."~ [^/]\.php(/|$)".extraConfig = ''
+      deny all;
+    '';
+  };
+  users.users."mehr-leistbaren-wohnraum" = {
+    isNormalUser = true;
+    createHome = true;
+    home = dataDir;
+    homeMode= "770";
+    #home = "/home/${domain}";
+    group  = "nginx";
+    openssh.authorizedKeys.keys = [
+      "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDWrkjt5+tIGAi0Q9ViFlFARGxMxoDaxI7lu1AtIlluhOXvJrX33roxV+PF+ky6ZQFcwd5xRy1HkXkfsBJVlRstrZXiqbP9DaSO3arSTQmiezSWgeLD9r3aktsPINgENkMBSUgURVRDaO0B/PA5MylOoijFaxmHEFMa8ZNYwKj/tWKt6+NI9UxUW3fSZXipOohvdzPxoD5YjjlyivtQCbfcpFa46Q08TIiUNEBnSTIKbDuVGgNtKXd5ELRtl7HRcT9iwPfmmVPHVMXREnVma47pABe+54Qrh6N8MzSJLOLJy/kRM2iw/ovxGEWE8rPqaoPszaEPxDEpEmRMyqNb5ZAuWG3NvUOiU5rijSvP8H9QVubJyNC4DHYYeBa1Kw2iAqnzdsneyHz01vVRQh7qa4Aonuzk2VfrW08dJbMC7p6tpvQgkdGLrwetgwZRqdGpbWhRV4s816tuoBFTmM3gDWr5R6CAPmzmykhTi8IbJ5LTua5t7+82wIMA026BNvRbndk="
+    ];
+  };
+  users.groups.${domain} = {};
+}

hosts/web-01.cloonar.com/sites/mehr-leistbaren-wohnraum-schaffen.cloonar.dev.nix

@@ -0,0 +1,60 @@
+{ pkgs, lib, config, ... }:
+let
+  domain = "mehr-leistbaren-wohnraum-schaffen.cloonar.dev";
+  dataDir = "/var/www/${domain}";
+in {
+  services.nginx.virtualHosts."${domain}" = {
+    forceSSL = true;
+    enableACME = true;
+    acmeRoot = null;
+    root = "${dataDir}";
+
+    locations."/favicon.ico".extraConfig = ''
+      log_not_found off;
+      access_log off;
+    '';
+
+    locations."/".extraConfig = ''
+      index index.html;
+    '';
+
+    locations."~* \.(jpe?g|png)$".extraConfig = ''
+      set $red Z;
+
+      if ($http_accept ~* "webp") {
+          set $red A;
+      }
+
+      if (-f $document_root/webp/$request_uri.webp) {
+          set $red "''${red}B";
+      }
+
+      if ($red = "AB") {
+          add_header Vary Accept;
+          rewrite ^ /webp/$request_uri.webp;
+      }
+    '';
+
+    locations."~* \.(js|jpg|gif|png|webp|css|woff2)$".extraConfig = ''
+     expires 365d;
+     add_header Pragma "public";
+     add_header Cache-Control "public";
+    '';
+
+    locations."~ [^/]\.php(/|$)".extraConfig = ''
+      deny all;
+    '';
+  };
+  users.users."mehr-leistbaren-wohnraum-dev" = {
+    isNormalUser = true;
+    createHome = true;
+    home = dataDir;
+    homeMode= "770";
+    #home = "/home/${domain}";
+    group  = "nginx";
+    openssh.authorizedKeys.keys = [
+      "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDWrkjt5+tIGAi0Q9ViFlFARGxMxoDaxI7lu1AtIlluhOXvJrX33roxV+PF+ky6ZQFcwd5xRy1HkXkfsBJVlRstrZXiqbP9DaSO3arSTQmiezSWgeLD9r3aktsPINgENkMBSUgURVRDaO0B/PA5MylOoijFaxmHEFMa8ZNYwKj/tWKt6+NI9UxUW3fSZXipOohvdzPxoD5YjjlyivtQCbfcpFa46Q08TIiUNEBnSTIKbDuVGgNtKXd5ELRtl7HRcT9iwPfmmVPHVMXREnVma47pABe+54Qrh6N8MzSJLOLJy/kRM2iw/ovxGEWE8rPqaoPszaEPxDEpEmRMyqNb5ZAuWG3NvUOiU5rijSvP8H9QVubJyNC4DHYYeBa1Kw2iAqnzdsneyHz01vVRQh7qa4Aonuzk2VfrW08dJbMC7p6tpvQgkdGLrwetgwZRqdGpbWhRV4s816tuoBFTmM3gDWr5R6CAPmzmykhTi8IbJ5LTua5t7+82wIMA026BNvRbndk="
+    ];
+  };
+  users.groups.${domain} = {};
+}

hosts/web-01.cloonar.com/sites/optiprot.cloonar.dev.nix

@@ -0,0 +1,15 @@
+{ pkgs, lib, config, ... }:
+{
+  services.webstack.instances."optiprot.cloonar.dev" = {
+    authorizedKeys = [
+      "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDGNI6KmHlpwR8+oSm8fPdeE68kJ70oQ9EkYfhf6pqLT4Kg61WJtcF0Wl1leirnO87a30rxjK1cm69jqED6paAg8Hxf7u9+M1i+vNDVS9aZWU12rG3P8mBVW3oJFyi4PmmXNFdzc+nJTpIZVDdQqoV6I6ZsXupNvx8BaZgP/I+bMBU9+7vCvdsUVN/10+5l5FZOHGNNvDWFQKt1uGNY2xAfpNmxepLOMnC50ARfrR5UU777WxBoPBi12EXJbNbiv64JQ6Zz6/Aq6QjFaOPz+aX06uGuHWQPFCp3bw9Mc2QoO9Z/gGekDU1zzHzpxgS+MQgnuWCRJ5U6PhYSgCoQ3iUsvdiHah8LpJRtyZj1UcIeU0932sj7rxwbuGJHsn2QZAlGiIhumY3PatoOOxpb+05Q29Id5Ibf1rjH/zZZMD3LteWkgaLYVs66nbjt0HvIHiFsT2SBNjOfpL39vRVqsbM+BQ/oKmQrNIy7BzO/yzwKqb4ahtzEdzO0yKtgGuEYzyM="
+    ];
+    locations."~ \"^/en/products/[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$\"".extraConfig = ''
+      try_files $uri $uri/ /en/products/index.php?$args;
+    '';
+    locations."~ \"^/de/produkte/[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$\"".extraConfig = ''
+      try_files $uri $uri/ /de/produkte/index.php?$args;
+    '';
+    phpPackage = pkgs.php81;
+  };
+}

hosts/web-01.cloonar.com/sites/optiprot.eu.nix

@@ -0,0 +1,15 @@
+{ pkgs, lib, config, ... }:
+{
+  services.webstack.instances."optiprot.eu" = {
+    authorizedKeys = [
+      "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDGNI6KmHlpwR8+oSm8fPdeE68kJ70oQ9EkYfhf6pqLT4Kg61WJtcF0Wl1leirnO87a30rxjK1cm69jqED6paAg8Hxf7u9+M1i+vNDVS9aZWU12rG3P8mBVW3oJFyi4PmmXNFdzc+nJTpIZVDdQqoV6I6ZsXupNvx8BaZgP/I+bMBU9+7vCvdsUVN/10+5l5FZOHGNNvDWFQKt1uGNY2xAfpNmxepLOMnC50ARfrR5UU777WxBoPBi12EXJbNbiv64JQ6Zz6/Aq6QjFaOPz+aX06uGuHWQPFCp3bw9Mc2QoO9Z/gGekDU1zzHzpxgS+MQgnuWCRJ5U6PhYSgCoQ3iUsvdiHah8LpJRtyZj1UcIeU0932sj7rxwbuGJHsn2QZAlGiIhumY3PatoOOxpb+05Q29Id5Ibf1rjH/zZZMD3LteWkgaLYVs66nbjt0HvIHiFsT2SBNjOfpL39vRVqsbM+BQ/oKmQrNIy7BzO/yzwKqb4ahtzEdzO0yKtgGuEYzyM="
+    ];
+    locations."~ \"^/en/products/[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$\"".extraConfig = ''
+      try_files $uri $uri/ /en/products/index.php?$args;
+    '';
+    locations."~ \"^/de/produkte/[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$\"".extraConfig = ''
+      try_files $uri $uri/ /de/produkte/index.php?$args;
+    '';
+    phpPackage = pkgs.php81;
+  };
+}

hosts/web-01.cloonar.com/sites/paraclub.cloonar.dev.nix

@@ -0,0 +1,71 @@
+{ pkgs, lib, config, ... }:
+let
+  domain = "paraclub.cloonar.dev";
+  dataDir = "/var/www/${domain}";
+in {
+  systemd.services."phpfpm-${domain}".serviceConfig.ProtectHome = lib.mkForce false;
+
+  services.phpfpm.pools."${domain}" = {
+    user = domain;
+    settings = {
+      "listen.owner" = config.services.nginx.user;
+      "pm" = "dynamic";
+      "pm.max_children" = 32;
+      "pm.max_requests" = 500;
+      "pm.start_servers" = 2;
+      "pm.min_spare_servers" = 2;
+      "pm.max_spare_servers" = 5;
+      "php_admin_value[error_log]" = "/var/log/$pool.error.log";
+      "php_admin_flag[log_errors]" = true;
+      "php_admin_value[display_errors]" = true;
+      "catch_workers_output" = true;
+      "access.log" = "/var/log/$pool.access.log";
+    };
+    phpPackage = pkgs.nur.repos.izorkin.php74;
+    phpEnv."PATH" = lib.makeBinPath [ pkgs.nur.repos.izorkin.php74 ];
+  };
+
+  services.nginx.virtualHosts."${domain}" = {
+    forceSSL = true;
+    enableACME = true;
+    acmeRoot = null;
+    root = "${dataDir}";
+
+    locations."/favicon.ico".extraConfig = ''
+      log_not_found off;
+      access_log off;
+    '';
+
+    locations."/".extraConfig = ''
+      index index.php index.html;
+      try_files $uri $uri/ /index.php$is_args$args;
+    '';
+
+    locations."~ [^/]\.php(/|$)".extraConfig = ''
+        fastcgi_split_path_info ^(.+?\.php)(/.*)$;
+        if (!-f $document_root$fastcgi_script_name) {
+            return 404;
+        }
+        include ${pkgs.nginx}/conf/fastcgi_params;
+        include ${pkgs.nginx}/conf/fastcgi.conf;
+        fastcgi_buffer_size 32k;
+        fastcgi_buffers 8 16k;
+        fastcgi_connect_timeout 240s;
+        fastcgi_read_timeout 240s;
+        fastcgi_send_timeout 240s;
+        fastcgi_pass unix:${config.services.phpfpm.pools."${domain}".socket};
+        fastcgi_index        index.php;
+    '';
+  };
+  users.users."${domain}" = {
+    isSystemUser = true;
+    createHome = true;
+    home = dataDir;
+    homeMode= "770";
+    #home = "/home/${domain}";
+    group  = "nginx";
+  };
+  users.groups.${domain} = {};
+
+  services.mysqlBackup.databases = [ "paraclub" ];
+}

hosts/web-01.cloonar.com/utils

@@ -0,0 +1 @@
+../../utils