add web-01 host

hosts/web-01.cloonar.com/sites/api.optiprot.cloonar.dev.nix

@@ -0,0 +1,34 @@
+{ pkgs, lib, config, ... }:
+{
+  services.webstack.instances."api.optiprot.cloonar.dev" = {
+    enableDefaultLocations = false;
+    enableMysql = true;
+    authorizedKeys = [
+      "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDDBGlzrg6NP5ezRFVu1CV8r0uCcS2oIgYG2/u6Cit++ARWQRO5Y0+9qC1Y2RNUaLPbvTmXg7ShskolUeuLryqvp10K2kXQ4E9NlmJ3BNLiAfWCzfe6gAgr6u5unVlXHttnP0leYpGGMUCKuiJpzy/bR6rMIUrCQC6W/MeXkwysNWKvL+ZD0IeQbogtfMFZmag9PO04RKZZvuUn9YvlgkTEK97g5dtyP1NxdtE9dDYf0G+0HcHITcw+lVmGNNwi43nAoUHieQd1kWc8YmxFB+y5O+vRH2O6pZBSdr0tdK6bPcezxd3Gk6i3a54yZfbvSislWA+o7s6uw/qExocpZb7xWa5ymPrGlEPbpYdT1y3hFO25+L1lR4QdG9oUNtJ974bL+EmYmHU+j32K3f8fxDg6BRo8FuriLtAzP7/2/7W8K4nIdMoosS+Ond2JE6XFkg1kSrXCivDBQoetZLO2y+ZPYcsQwIZsdjOnZqVr76nTepqCGIKYCuNM/9sl4AWCsyU="
+    ];
+    extraConfig = ''
+      add_header X-Frame-Options "SAMEORIGIN";
+      add_header X-Content-Type-Options "nosniff";
+
+      index index.php
+
+      charset utf-8;
+
+      error_page 404 /index.php;
+    '';
+    locations."/favicon.ico".extraConfig = ''
+      log_not_found off;
+      access_log off;
+    '';
+    locations."/robots.txt".extraConfig = ''
+      access_log off;
+      log_not_found off;
+    '';
+
+    locations."/".extraConfig = ''
+      try_files $uri $uri/ /index.php$is_args$args;
+    '';
+    phpPackage = pkgs.php80.withExtensions ({ enabled, all }:
+      enabled ++ [ all.imagick ]);
+  };
+}

hosts/web-01.cloonar.com/sites/api.optiprot.eu.nix

@@ -0,0 +1,34 @@
+{ pkgs, lib, config, ... }:
+{
+  services.webstack.instances."api.optiprot.eu" = {
+    enableDefaultLocations = false;
+    enableMysql = true;
+    authorizedKeys = [
+      "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDDBGlzrg6NP5ezRFVu1CV8r0uCcS2oIgYG2/u6Cit++ARWQRO5Y0+9qC1Y2RNUaLPbvTmXg7ShskolUeuLryqvp10K2kXQ4E9NlmJ3BNLiAfWCzfe6gAgr6u5unVlXHttnP0leYpGGMUCKuiJpzy/bR6rMIUrCQC6W/MeXkwysNWKvL+ZD0IeQbogtfMFZmag9PO04RKZZvuUn9YvlgkTEK97g5dtyP1NxdtE9dDYf0G+0HcHITcw+lVmGNNwi43nAoUHieQd1kWc8YmxFB+y5O+vRH2O6pZBSdr0tdK6bPcezxd3Gk6i3a54yZfbvSislWA+o7s6uw/qExocpZb7xWa5ymPrGlEPbpYdT1y3hFO25+L1lR4QdG9oUNtJ974bL+EmYmHU+j32K3f8fxDg6BRo8FuriLtAzP7/2/7W8K4nIdMoosS+Ond2JE6XFkg1kSrXCivDBQoetZLO2y+ZPYcsQwIZsdjOnZqVr76nTepqCGIKYCuNM/9sl4AWCsyU="
+    ];
+    extraConfig = ''
+      add_header X-Frame-Options "SAMEORIGIN";
+      add_header X-Content-Type-Options "nosniff";
+
+      index index.php
+
+      charset utf-8;
+
+      error_page 404 /index.php;
+    '';
+    locations."/favicon.ico".extraConfig = ''
+      log_not_found off;
+      access_log off;
+    '';
+    locations."/robots.txt".extraConfig = ''
+      access_log off;
+      log_not_found off;
+    '';
+
+    locations."/".extraConfig = ''
+      try_files $uri $uri/ /index.php$is_args$args;
+    '';
+    phpPackage = pkgs.php80.withExtensions ({ enabled, all }:
+      enabled ++ [ all.imagick ]);
+  };
+}

hosts/web-01.cloonar.com/sites/autoconfig.cloonar.com.nix

@@ -0,0 +1,39 @@
+{ pkgs, lib, config, ... }:
+let
+  domain = "autoconfig.cloonar.com";
+in
+{
+  services.go-autoconfig = {
+    enable = true;
+    settings = {
+      service_addr = ":1323";
+      domain = domain;
+      imap = {
+        server = "imap.cloonar.com";
+        port = 993;
+      };
+      smtp = {
+        server = "mail.cloonar.com";
+        port = 587;
+        starttls = true;
+      };
+    };
+  };
+
+  services.nginx.virtualHosts."${domain}" = {
+    forceSSL = true;
+    enableACME = true;
+    locations."/" = {
+      proxyPass = "http://localhost:1323/";
+    };
+  };
+  services.nginx.virtualHosts."autoconfig.superbros.tv".extraConfig = ''
+    return 301 https://autoconfig.cloonar.com$request_uri;
+  '';
+  services.nginx.virtualHosts."autoconfig.ghetto.at".extraConfig = ''
+    return 301 https://autoconfig.cloonar.com$request_uri;
+  '';
+  services.nginx.virtualHosts."autoconfig.optiprot.eu".extraConfig = ''
+    return 301 https://autoconfig.cloonar.com$request_uri;
+  '';
+}

hosts/web-01.cloonar.com/sites/autoconfig.nix

@@ -0,0 +1,89 @@
+{ pkgs, lib, config, ... }:
+let
+  domains = [
+    "cloonar.com"
+    "ghetto.at"
+    "optiprot.eu"
+  ];
+
+  vhostConfig = {
+      forceSSL = true;
+      enableACME = true;
+      acmeRoot = null;
+      root = "/var/www/autoconfig";
+
+      # MS Outlook
+      locations."~* ^/autodiscover/autodiscover.xml".extraConfig = ''
+          root /var/www/autoconfig;
+          try_files /autodiscover.php =404;
+          include ${pkgs.nginx}/conf/fastcgi_params;
+          include ${pkgs.nginx}/conf/fastcgi.conf;
+          fastcgi_pass unix:${config.services.phpfpm.pools.autoconfig.socket};
+      '';
+
+      # Thunderbird
+      locations."/.well-known/autoconfig/mail/config-v1.1.xml".extraConfig = ''
+          root /var/www/autoconfig;
+          try_files /config-v1.1.php =404;
+          include ${pkgs.nginx}/conf/fastcgi_params;
+          include ${pkgs.nginx}/conf/fastcgi.conf;
+          fastcgi_pass unix:${config.services.phpfpm.pools.autoconfig.socket};
+      '';
+
+      # Apple devices
+      locations."/apple/get-mobileconfig".extraConfig = ''
+          root /var/www/autoconfig;
+          try_files /apple.php =404;
+          include ${pkgs.nginx}/conf/fastcgi_params;
+          include ${pkgs.nginx}/conf/fastcgi.conf;
+          fastcgi_pass unix:${config.services.phpfpm.pools.autoconfig.socket};
+      '';
+
+      # disable logging for Apple Touch Icons
+      locations."~ /apple-touch-icon(|-\d+x\d+)(|-precomposed).png".extraConfig = ''
+          log_not_found off;
+          access_log off;
+      '';
+  };
+in
+{
+  services.nginx.virtualHosts."autoconfig.cloonar.com" = vhostConfig;
+  services.nginx.virtualHosts."autoconfig.ghetto.at" = vhostConfig;
+  services.nginx.virtualHosts."autoconfig.optiprot.eu" = vhostConfig;
+  services.nginx.virtualHosts."autoconfig.superbros.tv" = vhostConfig;
+
+  systemd.services."phpfpm-autoconfig".serviceConfig.ProtectHome = lib.mkForce false;
+
+  services.phpfpm.pools."autoconfig" = {
+    user = "autoconfig";
+    settings = {
+      "listen.owner" = config.services.nginx.user;
+      "pm" = "dynamic";
+      "pm.max_children" = 32;
+      "pm.max_requests" = 500;
+      "pm.start_servers" = 2;
+      "pm.min_spare_servers" = 2;
+      "pm.max_spare_servers" = 5;
+      "php_admin_value[error_log]" = "stderr";
+      "php_admin_flag[log_errors]" = true;
+      "catch_workers_output" = true;
+      "access.log" = "/var/log/$pool.access.log";
+    };
+    phpPackage = pkgs.php;
+    phpEnv."PATH" = lib.makeBinPath [ pkgs.php ];
+  };
+
+  users.users."autoconfig" = {
+    #isSystemUser = true;
+    isNormalUser = true;
+    createHome = true;
+    home = "/var/www/autoconfig";
+    homeMode= "770";
+    #home = "/home/${domain}";
+    group  = "nginx";
+    openssh.authorizedKeys.keys = [
+      "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDZg6mxd6kuB7zxxTMw/kgP2Cfddjnz8hCtSbzKckNBtM9TbnJ76ZbAjgh/TDcm/qBADlICi+Ib0tMlzK1BJWLxe1SjHOR78BPzPGASmjtj6vuNAFyM20Ise5rhbbo2sC6o82F6HP4iak+hFzhwTf0Ld1LT5dJ78CltKgHFmyKIaRYBILn5MvTnmORG2UfFY1Tef2DiujrQD24bM2f4BYR2Ni0zoyim8UUkjciQkXceB8yDJQX/e1WcNxGU7Bsh2WGZMu6Ykeinbf7LIu8pPGH2sf81N8tbsYc4PxZv9lovgRWdNNmSfB+Ocsn4jWBN9nVtb8XMXycTaenI4W57F+ZWrx0LddPhwfXbLAdFgxyvqtWW/WF48DH2vETQcCATowIhtU7QDZ3pDKaTIIYhDYnMvPJuM2rQP0SCMaNzQlziXWFvKTRw8nnqkpzTz488OJVkYvULXhiRgr0Uxe6eh7XCOO9SF5wdj1cGeewefOiOjpxmg/GnaQvQW6KjFRMj1ZE="
+    ];
+  };
+  users.groups.autoconfig = {};
+}

hosts/web-01.cloonar.com/sites/cloonar.com.nix

@@ -0,0 +1,60 @@
+{ pkgs, lib, config, ... }:
+let
+  domain = "cloonar.com";
+  dataDir = "/var/www/${domain}";
+in {
+  services.nginx.virtualHosts."${domain}" = {
+    forceSSL = true;
+    enableACME = true;
+    acmeRoot = null;
+    root = "${dataDir}";
+
+    locations."/favicon.ico".extraConfig = ''
+      log_not_found off;
+      access_log off;
+    '';
+
+    locations."/".extraConfig = ''
+      index index.html;
+    '';
+
+    locations."~* \.(jpe?g|png)$".extraConfig = ''
+      set $red Z;
+
+      if ($http_accept ~* "webp") {
+          set $red A;
+      }
+
+      if (-f $document_root/webp/$request_uri.webp) {
+          set $red "''${red}B";
+      }
+
+      if ($red = "AB") {
+          add_header Vary Accept;
+          rewrite ^ /webp/$request_uri.webp;
+      }
+    '';
+
+    locations."~* \.(js|jpg|gif|png|webp|css|woff2)$".extraConfig = ''
+     expires 365d;
+     add_header Pragma "public";
+     add_header Cache-Control "public";
+    '';
+
+    locations."~ [^/]\.php(/|$)".extraConfig = ''
+      deny all;
+    '';
+  };
+  users.users."${domain}" = {
+    isNormalUser = true;
+    createHome = true;
+    home = dataDir;
+    homeMode= "770";
+    #home = "/home/${domain}";
+    group  = "nginx";
+    openssh.authorizedKeys.keys = [
+      "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC1CQqL1hQV3Lb6hqzDt2mgr0IasBRlIrdUCM+QibgKcU1VUWEJTo1nkcwgunnpUROtCQPRtlBZWwdqphKNrpMf3PkCPnjkcQC/2dGcFUXbkGq+5NaMnXpQnt7XAPyqxAT/9nCnXM9y3IBWjL9jN3C4l+yZHuMChi1a3q/6cNNH7WORkC1hq7MMyIvRCh6HDPwq1XCEj0w7O6m0iBmXIwiXyh3ly6ruWmkNQToPc1s2QuIE/w0yXoOF7Ubxtdf/GH2Yu0f+ztJrOveuiLlsNWx596lQwDlYa58ib0nPPtnFVf8od59F/UC8lOFtMsSY/d5ArOnqKjk6iWNaOh15WLr7wj9lrHJkiD+9fgXLyaaxVLt4NYGwyi7SZn7P1lHz6kjFr9UmRvfth6nGGoCvvfQZB8MAE0FhcTHb9fXC1m/NengWf40VQ8woZLZ4mRPWZBxrSnymgFiIvSYSqxnP3QNID4quaQ8sPyXYygbtt38qXAg/Ixyud0vgZN4H/rbW+DE="
+    ];
+  };
+  users.groups.${domain} = {};
+}

hosts/web-01.cloonar.com/sites/cloonar.dev.nix

@@ -0,0 +1,60 @@
+{ pkgs, lib, config, ... }:
+let
+  domain = "cloonar.dev";
+  dataDir = "/var/www/${domain}";
+in {
+  services.nginx.virtualHosts."${domain}" = {
+    forceSSL = true;
+    enableACME = true;
+    acmeRoot = null;
+    root = "${dataDir}";
+
+    locations."/favicon.ico".extraConfig = ''
+      log_not_found off;
+      access_log off;
+    '';
+
+    locations."/".extraConfig = ''
+      index index.html;
+    '';
+
+    locations."~* \.(jpe?g|png)$".extraConfig = ''
+      set $red Z;
+
+      if ($http_accept ~* "webp") {
+          set $red A;
+      }
+
+      if (-f $document_root/webp/$request_uri.webp) {
+          set $red "''${red}B";
+      }
+
+      if ($red = "AB") {
+          add_header Vary Accept;
+          rewrite ^ /webp/$request_uri.webp;
+      }
+    '';
+
+    locations."~* \.(js|jpg|gif|png|webp|css|woff2)$".extraConfig = ''
+     expires 365d;
+     add_header Pragma "public";
+     add_header Cache-Control "public";
+    '';
+
+    locations."~ [^/]\.php(/|$)".extraConfig = ''
+      deny all;
+    '';
+  };
+  users.users."${domain}" = {
+    isNormalUser = true;
+    createHome = true;
+    home = dataDir;
+    homeMode= "770";
+    #home = "/home/${domain}";
+    group  = "nginx";
+    openssh.authorizedKeys.keys = [
+      "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC1CQqL1hQV3Lb6hqzDt2mgr0IasBRlIrdUCM+QibgKcU1VUWEJTo1nkcwgunnpUROtCQPRtlBZWwdqphKNrpMf3PkCPnjkcQC/2dGcFUXbkGq+5NaMnXpQnt7XAPyqxAT/9nCnXM9y3IBWjL9jN3C4l+yZHuMChi1a3q/6cNNH7WORkC1hq7MMyIvRCh6HDPwq1XCEj0w7O6m0iBmXIwiXyh3ly6ruWmkNQToPc1s2QuIE/w0yXoOF7Ubxtdf/GH2Yu0f+ztJrOveuiLlsNWx596lQwDlYa58ib0nPPtnFVf8od59F/UC8lOFtMsSY/d5ArOnqKjk6iWNaOh15WLr7wj9lrHJkiD+9fgXLyaaxVLt4NYGwyi7SZn7P1lHz6kjFr9UmRvfth6nGGoCvvfQZB8MAE0FhcTHb9fXC1m/NengWf40VQ8woZLZ4mRPWZBxrSnymgFiIvSYSqxnP3QNID4quaQ8sPyXYygbtt38qXAg/Ixyud0vgZN4H/rbW+DE="
+    ];
+  };
+  users.groups.${domain} = {};
+}

hosts/web-01.cloonar.com/sites/diabetes-austria.cloonar.dev.nix

@@ -0,0 +1,141 @@
+{ pkgs, lib, config, ... }:
+let
+  domain = "diabetes-austria.cloonar.dev";
+  dataDir = "/var/www/${domain}";
+in {
+  systemd.services."phpfpm-${domain}".serviceConfig.ProtectHome = lib.mkForce false;
+
+  services.phpfpm.pools."${domain}" = {
+    user = domain;
+    settings = {
+      "listen.owner" = config.services.nginx.user;
+      "pm" = "dynamic";
+      "pm.max_children" = 32;
+      "pm.max_requests" = 500;
+      "pm.start_servers" = 2;
+      "pm.min_spare_servers" = 2;
+      "pm.max_spare_servers" = 5;
+      "php_admin_value[error_log]" = "stderr";
+      "php_admin_flag[log_errors]" = true;
+      "catch_workers_output" = true;
+      "access.log" = "/var/log/$pool.access.log";
+    };
+    phpPackage = pkgs.nur.repos.izorkin.php74;
+    phpEnv."PATH" = lib.makeBinPath [ pkgs.nur.repos.izorkin.php74 ];
+  };
+
+  services.nginx.virtualHosts."${domain}" = {
+    forceSSL = true;
+    enableACME = true;
+    acmeRoot = null;
+    root = "${dataDir}/public";
+
+    locations."/favicon.ico".extraConfig = ''
+      log_not_found off;
+      access_log off;
+    '';
+
+    # TYPO3 - Rule for versioned static files, configured through:
+    # - $GLOBALS['TYPO3_CONF_VARS']['BE']['versionNumberInFilename']
+    # - $GLOBALS['TYPO3_CONF_VARS']['FE']['versionNumberInFilename']
+
+    extraConfig = ''
+      if (!-e $request_filename) {
+        rewrite ^/(.+)\.(\d+)\.(php|js|css|png|jpg|gif|gzip)$ /$1.$3 last;
+      }
+    '';
+
+    # TYPO3 - Block access to composer files
+    locations."~* composer\.(?:json|lock)".extraConfig = ''
+      deny all;
+    '';
+
+
+    # TYPO3 - Block access to flexform files
+    locations."~* flexform[^.]*\.xml".extraConfig = ''
+      deny all;
+    '';
+
+    # TYPO3 - Block access to language files
+    locations."~* locallang[^.]*\.(?:xml|xlf)$".extraConfig = ''
+      deny all;
+    '';
+
+    # TYPO3 - Block access to static typoscript files
+    locations."~* ext_conf_template\.txt|ext_typoscript_constants\.txt|ext_typoscript_setup\.txt".extraConfig = ''
+      deny all;
+    '';
+
+    # TYPO3 - Block access to miscellaneous protected files
+    locations."~* /.*\.(?:bak|co?nf|cfg|ya?ml|ts|typoscript|tsconfig|dist|fla|in[ci]|log|sh|sql|sqlite)$".extraConfig = ''
+      deny all;
+    '';
+
+    # TYPO3 - Block access to recycler and temporary directories
+    locations."~ _(?:recycler|temp)_/".extraConfig = ''
+      deny all;
+    '';
+
+    # TYPO3 - Block access to configuration files stored in fileadmin
+    locations."~ fileadmin/(?:templates)/.*\.(?:txt|ts|typoscript)$".extraConfig = ''
+      deny all;
+    '';
+
+
+    # TYPO3 - Block access to libraries, source and temporary compiled data
+    locations."~ ^(?:vendor|typo3_src|typo3temp/var)".extraConfig = ''
+      deny all;
+    '';
+
+
+    # TYPO3 - Block access to protected extension directories
+    locations."~ (?:typo3conf/ext|typo3/sysext|typo3/ext)/[^/]+/(?:Configuration|Resources/Private|Tests?|Documentation|docs?)/".extraConfig = ''
+      deny all;
+    '';
+
+    locations."/".extraConfig = ''
+      index index.php index.html;
+      try_files $uri $uri/ /index.php$is_args$args;
+    '';
+
+    # TYPO3 Backend URLs
+    locations."/typo3$".extraConfig = ''
+      rewrite ^ /typo3/;
+    '';
+    
+    locations."/typo3/".extraConfig = ''
+        try_files $uri /typo3/index.php$is_args$args;
+    '';
+
+    locations."~ [^/]\.php(/|$)".extraConfig = ''
+        fastcgi_split_path_info ^(.+?\.php)(/.*)$;
+        if (!-f $document_root$fastcgi_script_name) {
+            return 404;
+        }
+        include ${pkgs.nginx}/conf/fastcgi_params;
+        include ${pkgs.nginx}/conf/fastcgi.conf;
+        fastcgi_buffer_size 32k;
+        fastcgi_buffers 8 16k;
+        fastcgi_connect_timeout 240s;
+        fastcgi_read_timeout 240s;
+        fastcgi_send_timeout 240s;
+        fastcgi_pass unix:${config.services.phpfpm.pools."${domain}".socket};
+        fastcgi_index        index.php;
+    '';
+  };
+  users.users."${domain}" = {
+    #isSystemUser = true;
+    isNormalUser = true;
+    createHome = true;
+    home = dataDir;
+    homeMode= "770";
+    #home = "/home/${domain}";
+    group  = "nginx";
+    openssh.authorizedKeys.keys = [
+      "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDZg6mxd6kuB7zxxTMw/kgP2Cfddjnz8hCtSbzKckNBtM9TbnJ76ZbAjgh/TDcm/qBADlICi+Ib0tMlzK1BJWLxe1SjHOR78BPzPGASmjtj6vuNAFyM20Ise5rhbbo2sC6o82F6HP4iak+hFzhwTf0Ld1LT5dJ78CltKgHFmyKIaRYBILn5MvTnmORG2UfFY1Tef2DiujrQD24bM2f4BYR2Ni0zoyim8UUkjciQkXceB8yDJQX/e1WcNxGU7Bsh2WGZMu6Ykeinbf7LIu8pPGH2sf81N8tbsYc4PxZv9lovgRWdNNmSfB+Ocsn4jWBN9nVtb8XMXycTaenI4W57F+ZWrx0LddPhwfXbLAdFgxyvqtWW/WF48DH2vETQcCATowIhtU7QDZ3pDKaTIIYhDYnMvPJuM2rQP0SCMaNzQlziXWFvKTRw8nnqkpzTz488OJVkYvULXhiRgr0Uxe6eh7XCOO9SF5wdj1cGeewefOiOjpxmg/GnaQvQW6KjFRMj1ZE="
+    ];
+  };
+  users.groups.${domain} = {};
+
+  services.mysqlBackup.databases = [ "diabetes_austria" ];
+}

hosts/web-01.cloonar.com/sites/gbv-aktuell.at.nix

@@ -0,0 +1,39 @@
+{ pkgs, lib, config, ... }:
+{
+  services.typo3.instances."gbv-aktuell.at" = {
+    domainAliases = [ "www.gbv-aktuell.at" ];
+    authorizedKeys = [
+      "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDMglRMPCWQv8t67o6U8bU87HF34MPSaXZXAJZPdvtsYqXj8Z2/Xc47DQK98pAPHAFekjG9JK2m97FaV+h9E6uEF0Tg0sjWmqf9ApCNFA5igZgxJvlOTI4AJlQ4PtUY8dBGdiFFEdHf92RLg/FrsROLV5p4GTebpBxxBgQ/gbsZe3Dknfh8LuCUS/awN85j05T36dwp37Z1txly1NpkLsoToqeDBCTrvCZGyyOasVnp2SKPnQID8KgfU2sbzluUJz2lvIYEvfrDaB1jrkhDhhfoIRkJpzyB0Y1p9fuI2P9xKhharxVJ5soiIrvNPSk+Ytld6YhfKGDx/DwIzKiVm18+yGWLy3BOnm2ILugU1hq2H2/qPMa8yShcXp/STXZfdfPxiHfdYjOD4vu1fPNt1qs955vQCR+lO+HBP46QCszrebKvxGo1Qh5nRddU/6DjKrE24aDMbSfQxwiufYklZRFZjhLggs0qE/sMAanhDqfl5cXuFFYoQ8anfHplS40S84E="
+    ];
+    phpPackage = pkgs.php81;
+  };
+
+  services.awstats = {
+      enable = true;
+      updateAt = "daily";
+      configs."gbv-aktuell.at" = {
+        webService = {
+          enable = true;
+          hostname = "gbv-aktuell.at";
+        };
+        logFile = "/var/log/nginx/access.log";
+        extraConfig = {
+          # ShowDaysOfWeekStats = "0";
+          # ShowHoursStats = "0";
+          # ShowDomainsStats = "0";
+          # ShowHostsStats = "0";
+          # "ShowRobotsStats" = "0";
+          # "ShowFileTypesStats" = "0";
+          # "ShowDownloadsStats" = "0";
+          # "ShowPagesStats" = "0";
+          # "ShowOSStats" = "0";
+          # "ShowBrowsersStats" = "0";
+          # "ShowOriginStats" = "0";
+          # "ShowKeyphrasesStats" = "0";
+          # "ShowKeywordsStats" = "0";
+          # "ShowMiscStats" = "0";
+          # "ShowHTTPErrorsStats" = "0";
+        };
+      };
+    };
+}

hosts/web-01.cloonar.com/sites/gbv-aktuell.cloonar.dev.nix

@@ -0,0 +1,38 @@
+{ pkgs, lib, config, ... }:
+{
+  services.typo3.instances."gbv-aktuell.cloonar.dev" = {
+    authorizedKeys = [
+      "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDMglRMPCWQv8t67o6U8bU87HF34MPSaXZXAJZPdvtsYqXj8Z2/Xc47DQK98pAPHAFekjG9JK2m97FaV+h9E6uEF0Tg0sjWmqf9ApCNFA5igZgxJvlOTI4AJlQ4PtUY8dBGdiFFEdHf92RLg/FrsROLV5p4GTebpBxxBgQ/gbsZe3Dknfh8LuCUS/awN85j05T36dwp37Z1txly1NpkLsoToqeDBCTrvCZGyyOasVnp2SKPnQID8KgfU2sbzluUJz2lvIYEvfrDaB1jrkhDhhfoIRkJpzyB0Y1p9fuI2P9xKhharxVJ5soiIrvNPSk+Ytld6YhfKGDx/DwIzKiVm18+yGWLy3BOnm2ILugU1hq2H2/qPMa8yShcXp/STXZfdfPxiHfdYjOD4vu1fPNt1qs955vQCR+lO+HBP46QCszrebKvxGo1Qh5nRddU/6DjKrE24aDMbSfQxwiufYklZRFZjhLggs0qE/sMAanhDqfl5cXuFFYoQ8anfHplS40S84E="
+    ];
+    phpPackage = pkgs.php81;
+  };
+
+  services.awstats = {
+      enable = true;
+      updateAt = "daily";
+      configs."gbv-aktuell.cloonar.dev" = {
+        webService = {
+          enable = true;
+          hostname = "gbv-aktuell.cloonar.dev";
+        };
+        logFile = "/var/log/nginx/access.log";
+        extraConfig = {
+          # ShowDaysOfWeekStats = "0";
+          # ShowHoursStats = "0";
+          # ShowDomainsStats = "0";
+          # ShowHostsStats = "0";
+          # "ShowRobotsStats" = "0";
+          # "ShowFileTypesStats" = "0";
+          # "ShowDownloadsStats" = "0";
+          # "ShowPagesStats" = "0";
+          # "ShowOSStats" = "0";
+          # "ShowBrowsersStats" = "0";
+          # "ShowOriginStats" = "0";
+          # "ShowKeyphrasesStats" = "0";
+          # "ShowKeywordsStats" = "0";
+          # "ShowMiscStats" = "0";
+          # "ShowHTTPErrorsStats" = "0";
+        };
+      };
+    };
+}

hosts/web-01.cloonar.com/sites/gbv.cloonar.dev.nix

@@ -0,0 +1,71 @@
+{ pkgs, lib, config, ... }:
+let
+  domain = "gbv.cloonar.dev";
+  dataDir = "/var/www/${domain}";
+in {
+  systemd.services."phpfpm-${domain}".serviceConfig.ProtectHome = lib.mkForce false;
+
+  services.phpfpm.pools."${domain}" = {
+    user = domain;
+    settings = {
+      "listen.owner" = config.services.nginx.user;
+      "pm" = "dynamic";
+      "pm.max_children" = 32;
+      "pm.max_requests" = 500;
+      "pm.start_servers" = 2;
+      "pm.min_spare_servers" = 2;
+      "pm.max_spare_servers" = 5;
+      "php_admin_value[error_log]" = "/var/log/$pool.error.log";
+      "php_admin_flag[log_errors]" = true;
+      "php_admin_value[display_errors]" = true;
+      "catch_workers_output" = true;
+      "access.log" = "/var/log/$pool.access.log";
+    };
+    phpPackage = pkgs.nur.repos.izorkin.php74;
+    phpEnv."PATH" = lib.makeBinPath [ pkgs.nur.repos.izorkin.php74 ];
+  };
+
+  services.nginx.virtualHosts."${domain}" = {
+    forceSSL = true;
+    enableACME = true;
+    acmeRoot = null;
+    root = "${dataDir}";
+
+    locations."/favicon.ico".extraConfig = ''
+      log_not_found off;
+      access_log off;
+    '';
+
+    locations."/".extraConfig = ''
+      index index.php index.html;
+      try_files $uri $uri/ /index.php$is_args$args;
+    '';
+
+    locations."~ [^/]\.php(/|$)".extraConfig = ''
+        fastcgi_split_path_info ^(.+?\.php)(/.*)$;
+        if (!-f $document_root$fastcgi_script_name) {
+            return 404;
+        }
+        include ${pkgs.nginx}/conf/fastcgi_params;
+        include ${pkgs.nginx}/conf/fastcgi.conf;
+        fastcgi_buffer_size 32k;
+        fastcgi_buffers 8 16k;
+        fastcgi_connect_timeout 240s;
+        fastcgi_read_timeout 240s;
+        fastcgi_send_timeout 240s;
+        fastcgi_pass unix:${config.services.phpfpm.pools."${domain}".socket};
+        fastcgi_index        index.php;
+    '';
+  };
+  users.users."${domain}" = {
+    isSystemUser = true;
+    createHome = true;
+    home = dataDir;
+    homeMode= "770";
+    #home = "/home/${domain}";
+    group  = "nginx";
+  };
+  users.groups.${domain} = {};
+
+  services.mysqlBackup.databases = [ "gbv_stage" ];
+}

hosts/web-01.cloonar.com/sites/matomo.cloonar.com.nix

@@ -0,0 +1,117 @@
+{ pkgs, lib, config, ... }:
+let
+  domain = "matomo.cloonar.com";
+  dataDir = "/var/www/${domain}";
+in {
+  systemd.services."phpfpm-${domain}".serviceConfig.ProtectHome = lib.mkForce false;
+
+  services.phpfpm.pools."${domain}" = {
+    user = domain;
+    settings = {
+      "listen.owner" = config.services.nginx.user;
+      "pm" = "dynamic";
+      "pm.max_children" = 32;
+      "pm.max_requests" = 500;
+      "pm.start_servers" = 2;
+      "pm.min_spare_servers" = 2;
+      "pm.max_spare_servers" = 5;
+      "php_admin_value[error_log]" = "/var/log/$pool.php.error.log";
+      "php_admin_flag[log_errors]" = true;
+      "php_admin_value[display_errors]" = true;
+      "catch_workers_output" = true;
+      "access.log" = "/var/log/$pool.access.log";
+    };
+    phpPackage = pkgs.php81;
+    phpEnv."PATH" = lib.makeBinPath [ pkgs.php81 ];
+  };
+
+  services.nginx.virtualHosts."${domain}" = {
+    forceSSL = true;
+    enableACME = true;
+    acmeRoot = null;
+    root = "${dataDir}";
+
+    locations."/favicon.ico".extraConfig = ''
+      log_not_found off;
+      access_log off;
+    '';
+
+    locations."~* ^.+\\.php$".extraConfig = ''
+      fastcgi_split_path_info ^(.+?\.php)(/.*)$;
+      if (!-f $document_root$fastcgi_script_name) {
+          return 404;
+      }
+      include ${pkgs.nginx}/conf/fastcgi_params;
+      include ${pkgs.nginx}/conf/fastcgi.conf;
+      fastcgi_buffer_size 32k;
+      fastcgi_buffers 8 16k;
+      fastcgi_connect_timeout 240s;
+      fastcgi_read_timeout 240s;
+      fastcgi_send_timeout 240s;
+      fastcgi_pass unix:${config.services.phpfpm.pools."${domain}".socket};
+      fastcgi_index        index.php;
+    '';
+
+    ## serve all other files normally
+    locations."/".extraConfig = ''
+      index index.php index.html;
+      try_files $uri $uri/ /index.php$is_args$args;
+    '';
+
+    ## disable all access to the following directories
+    locations."~ ^/(config|tmp|core|lang)".extraConfig = ''
+      deny all;
+      return 403; # replace with 404 to not show these directories exist
+    '';
+
+    locations."~ /\\.ht".extraConfig = ''
+      deny  all;
+      return 403;
+    '';
+
+    locations."~ js/container_.*_preview\\.js$".extraConfig = ''
+      expires off;
+      add_header Cache-Control 'private, no-cache, no-store';
+    '';
+
+    locations."~ \\.(gif|ico|jpg|png|svg|js|css|htm|html|mp3|mp4|wav|ogg|avi|ttf|eot|woff|woff2)$".extraConfig = ''
+      allow all;
+      ## Cache images,CSS,JS and webfonts for an hour
+      ## Increasing the duration may improve the load-time, but may cause old files to show after an Matomo upgrade
+      expires 1h;
+      add_header Pragma public;
+      add_header Cache-Control "public";
+    '';
+
+    locations."~ ^/(libs|vendor|plugins|misc|node_modules)".extraConfig = ''
+      deny all;
+      return 403;
+    '';
+
+    ## properly display textfiles in root directory
+    locations."~/(.*\\.md|LEGALNOTICE|LICENSE)".extraConfig = ''
+      default_type text/plain;
+    '';
+
+  };
+  users.users."${domain}" = {
+    isSystemUser = true;
+    createHome = true;
+    home = dataDir;
+    homeMode= "770";
+    #home = "/home/${domain}";
+    group  = "nginx";
+  };
+  users.groups.${domain} = {};
+
+  systemd.services."matomo-archive" = {
+    startAt = "*-*-* 23:00:00";
+    serviceConfig = {
+      Type = "oneshot";
+      User = "${domain}";
+      ExecStart = "${pkgs.php81}/bin/php /var/www/${domain}/console --matomo-domain=matomo.cloonar.com core:archive";
+    };
+  };
+
+  services.mysqlBackup.databases = [ "matomo" ];
+}

hosts/web-01.cloonar.com/sites/mehr-leistbaren-wohnraum-schaffen.at.nix

@@ -0,0 +1,65 @@
+{ pkgs, lib, config, ... }:
+let
+  domain = "mehr-leistbaren-wohnraum-schaffen.at";
+  dataDir = "/var/www/${domain}";
+in {
+  services.nginx.virtualHosts."www.${domain}" = {
+    enableACME = true;
+    forceSSL = true;
+    globalRedirect = domain;
+  };
+  services.nginx.virtualHosts."${domain}" = {
+    forceSSL = true;
+    enableACME = true;
+    acmeRoot = null;
+    root = "${dataDir}";
+
+    locations."/favicon.ico".extraConfig = ''
+      log_not_found off;
+      access_log off;
+    '';
+
+    locations."/".extraConfig = ''
+      index index.html;
+    '';
+
+    locations."~* \.(jpe?g|png)$".extraConfig = ''
+      set $red Z;
+
+      if ($http_accept ~* "webp") {
+          set $red A;
+      }
+
+      if (-f $document_root/webp/$request_uri.webp) {
+          set $red "''${red}B";
+      }
+
+      if ($red = "AB") {
+          add_header Vary Accept;
+          rewrite ^ /webp/$request_uri.webp;
+      }
+    '';
+
+    locations."~* \.(js|jpg|gif|png|webp|css|woff2)$".extraConfig = ''
+     expires 365d;
+     add_header Pragma "public";
+     add_header Cache-Control "public";
+    '';
+
+    locations."~ [^/]\.php(/|$)".extraConfig = ''
+      deny all;
+    '';
+  };
+  users.users."mehr-leistbaren-wohnraum" = {
+    isNormalUser = true;
+    createHome = true;
+    home = dataDir;
+    homeMode= "770";
+    #home = "/home/${domain}";
+    group  = "nginx";
+    openssh.authorizedKeys.keys = [
+      "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDWrkjt5+tIGAi0Q9ViFlFARGxMxoDaxI7lu1AtIlluhOXvJrX33roxV+PF+ky6ZQFcwd5xRy1HkXkfsBJVlRstrZXiqbP9DaSO3arSTQmiezSWgeLD9r3aktsPINgENkMBSUgURVRDaO0B/PA5MylOoijFaxmHEFMa8ZNYwKj/tWKt6+NI9UxUW3fSZXipOohvdzPxoD5YjjlyivtQCbfcpFa46Q08TIiUNEBnSTIKbDuVGgNtKXd5ELRtl7HRcT9iwPfmmVPHVMXREnVma47pABe+54Qrh6N8MzSJLOLJy/kRM2iw/ovxGEWE8rPqaoPszaEPxDEpEmRMyqNb5ZAuWG3NvUOiU5rijSvP8H9QVubJyNC4DHYYeBa1Kw2iAqnzdsneyHz01vVRQh7qa4Aonuzk2VfrW08dJbMC7p6tpvQgkdGLrwetgwZRqdGpbWhRV4s816tuoBFTmM3gDWr5R6CAPmzmykhTi8IbJ5LTua5t7+82wIMA026BNvRbndk="
+    ];
+  };
+  users.groups.${domain} = {};
+}

hosts/web-01.cloonar.com/sites/mehr-leistbaren-wohnraum-schaffen.cloonar.dev.nix

@@ -0,0 +1,60 @@
+{ pkgs, lib, config, ... }:
+let
+  domain = "mehr-leistbaren-wohnraum-schaffen.cloonar.dev";
+  dataDir = "/var/www/${domain}";
+in {
+  services.nginx.virtualHosts."${domain}" = {
+    forceSSL = true;
+    enableACME = true;
+    acmeRoot = null;
+    root = "${dataDir}";
+
+    locations."/favicon.ico".extraConfig = ''
+      log_not_found off;
+      access_log off;
+    '';
+
+    locations."/".extraConfig = ''
+      index index.html;
+    '';
+
+    locations."~* \.(jpe?g|png)$".extraConfig = ''
+      set $red Z;
+
+      if ($http_accept ~* "webp") {
+          set $red A;
+      }
+
+      if (-f $document_root/webp/$request_uri.webp) {
+          set $red "''${red}B";
+      }
+
+      if ($red = "AB") {
+          add_header Vary Accept;
+          rewrite ^ /webp/$request_uri.webp;
+      }
+    '';
+
+    locations."~* \.(js|jpg|gif|png|webp|css|woff2)$".extraConfig = ''
+     expires 365d;
+     add_header Pragma "public";
+     add_header Cache-Control "public";
+    '';
+
+    locations."~ [^/]\.php(/|$)".extraConfig = ''
+      deny all;
+    '';
+  };
+  users.users."mehr-leistbaren-wohnraum-dev" = {
+    isNormalUser = true;
+    createHome = true;
+    home = dataDir;
+    homeMode= "770";
+    #home = "/home/${domain}";
+    group  = "nginx";
+    openssh.authorizedKeys.keys = [
+      "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDWrkjt5+tIGAi0Q9ViFlFARGxMxoDaxI7lu1AtIlluhOXvJrX33roxV+PF+ky6ZQFcwd5xRy1HkXkfsBJVlRstrZXiqbP9DaSO3arSTQmiezSWgeLD9r3aktsPINgENkMBSUgURVRDaO0B/PA5MylOoijFaxmHEFMa8ZNYwKj/tWKt6+NI9UxUW3fSZXipOohvdzPxoD5YjjlyivtQCbfcpFa46Q08TIiUNEBnSTIKbDuVGgNtKXd5ELRtl7HRcT9iwPfmmVPHVMXREnVma47pABe+54Qrh6N8MzSJLOLJy/kRM2iw/ovxGEWE8rPqaoPszaEPxDEpEmRMyqNb5ZAuWG3NvUOiU5rijSvP8H9QVubJyNC4DHYYeBa1Kw2iAqnzdsneyHz01vVRQh7qa4Aonuzk2VfrW08dJbMC7p6tpvQgkdGLrwetgwZRqdGpbWhRV4s816tuoBFTmM3gDWr5R6CAPmzmykhTi8IbJ5LTua5t7+82wIMA026BNvRbndk="
+    ];
+  };
+  users.groups.${domain} = {};
+}

hosts/web-01.cloonar.com/sites/optiprot.cloonar.dev.nix

@@ -0,0 +1,15 @@
+{ pkgs, lib, config, ... }:
+{
+  services.webstack.instances."optiprot.cloonar.dev" = {
+    authorizedKeys = [
+      "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDGNI6KmHlpwR8+oSm8fPdeE68kJ70oQ9EkYfhf6pqLT4Kg61WJtcF0Wl1leirnO87a30rxjK1cm69jqED6paAg8Hxf7u9+M1i+vNDVS9aZWU12rG3P8mBVW3oJFyi4PmmXNFdzc+nJTpIZVDdQqoV6I6ZsXupNvx8BaZgP/I+bMBU9+7vCvdsUVN/10+5l5FZOHGNNvDWFQKt1uGNY2xAfpNmxepLOMnC50ARfrR5UU777WxBoPBi12EXJbNbiv64JQ6Zz6/Aq6QjFaOPz+aX06uGuHWQPFCp3bw9Mc2QoO9Z/gGekDU1zzHzpxgS+MQgnuWCRJ5U6PhYSgCoQ3iUsvdiHah8LpJRtyZj1UcIeU0932sj7rxwbuGJHsn2QZAlGiIhumY3PatoOOxpb+05Q29Id5Ibf1rjH/zZZMD3LteWkgaLYVs66nbjt0HvIHiFsT2SBNjOfpL39vRVqsbM+BQ/oKmQrNIy7BzO/yzwKqb4ahtzEdzO0yKtgGuEYzyM="
+    ];
+    locations."~ \"^/en/products/[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$\"".extraConfig = ''
+      try_files $uri $uri/ /en/products/index.php?$args;
+    '';
+    locations."~ \"^/de/produkte/[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$\"".extraConfig = ''
+      try_files $uri $uri/ /de/produkte/index.php?$args;
+    '';
+    phpPackage = pkgs.php81;
+  };
+}

hosts/web-01.cloonar.com/sites/optiprot.eu.nix

@@ -0,0 +1,15 @@
+{ pkgs, lib, config, ... }:
+{
+  services.webstack.instances."optiprot.eu" = {
+    authorizedKeys = [
+      "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDGNI6KmHlpwR8+oSm8fPdeE68kJ70oQ9EkYfhf6pqLT4Kg61WJtcF0Wl1leirnO87a30rxjK1cm69jqED6paAg8Hxf7u9+M1i+vNDVS9aZWU12rG3P8mBVW3oJFyi4PmmXNFdzc+nJTpIZVDdQqoV6I6ZsXupNvx8BaZgP/I+bMBU9+7vCvdsUVN/10+5l5FZOHGNNvDWFQKt1uGNY2xAfpNmxepLOMnC50ARfrR5UU777WxBoPBi12EXJbNbiv64JQ6Zz6/Aq6QjFaOPz+aX06uGuHWQPFCp3bw9Mc2QoO9Z/gGekDU1zzHzpxgS+MQgnuWCRJ5U6PhYSgCoQ3iUsvdiHah8LpJRtyZj1UcIeU0932sj7rxwbuGJHsn2QZAlGiIhumY3PatoOOxpb+05Q29Id5Ibf1rjH/zZZMD3LteWkgaLYVs66nbjt0HvIHiFsT2SBNjOfpL39vRVqsbM+BQ/oKmQrNIy7BzO/yzwKqb4ahtzEdzO0yKtgGuEYzyM="
+    ];
+    locations."~ \"^/en/products/[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$\"".extraConfig = ''
+      try_files $uri $uri/ /en/products/index.php?$args;
+    '';
+    locations."~ \"^/de/produkte/[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$\"".extraConfig = ''
+      try_files $uri $uri/ /de/produkte/index.php?$args;
+    '';
+    phpPackage = pkgs.php81;
+  };
+}

hosts/web-01.cloonar.com/sites/paraclub.cloonar.dev.nix

@@ -0,0 +1,71 @@
+{ pkgs, lib, config, ... }:
+let
+  domain = "paraclub.cloonar.dev";
+  dataDir = "/var/www/${domain}";
+in {
+  systemd.services."phpfpm-${domain}".serviceConfig.ProtectHome = lib.mkForce false;
+
+  services.phpfpm.pools."${domain}" = {
+    user = domain;
+    settings = {
+      "listen.owner" = config.services.nginx.user;
+      "pm" = "dynamic";
+      "pm.max_children" = 32;
+      "pm.max_requests" = 500;
+      "pm.start_servers" = 2;
+      "pm.min_spare_servers" = 2;
+      "pm.max_spare_servers" = 5;
+      "php_admin_value[error_log]" = "/var/log/$pool.error.log";
+      "php_admin_flag[log_errors]" = true;
+      "php_admin_value[display_errors]" = true;
+      "catch_workers_output" = true;
+      "access.log" = "/var/log/$pool.access.log";
+    };
+    phpPackage = pkgs.nur.repos.izorkin.php74;
+    phpEnv."PATH" = lib.makeBinPath [ pkgs.nur.repos.izorkin.php74 ];
+  };
+
+  services.nginx.virtualHosts."${domain}" = {
+    forceSSL = true;
+    enableACME = true;
+    acmeRoot = null;
+    root = "${dataDir}";
+
+    locations."/favicon.ico".extraConfig = ''
+      log_not_found off;
+      access_log off;
+    '';
+
+    locations."/".extraConfig = ''
+      index index.php index.html;
+      try_files $uri $uri/ /index.php$is_args$args;
+    '';
+
+    locations."~ [^/]\.php(/|$)".extraConfig = ''
+        fastcgi_split_path_info ^(.+?\.php)(/.*)$;
+        if (!-f $document_root$fastcgi_script_name) {
+            return 404;
+        }
+        include ${pkgs.nginx}/conf/fastcgi_params;
+        include ${pkgs.nginx}/conf/fastcgi.conf;
+        fastcgi_buffer_size 32k;
+        fastcgi_buffers 8 16k;
+        fastcgi_connect_timeout 240s;
+        fastcgi_read_timeout 240s;
+        fastcgi_send_timeout 240s;
+        fastcgi_pass unix:${config.services.phpfpm.pools."${domain}".socket};
+        fastcgi_index        index.php;
+    '';
+  };
+  users.users."${domain}" = {
+    isSystemUser = true;
+    createHome = true;
+    home = dataDir;
+    homeMode= "770";
+    #home = "/home/${domain}";
+    group  = "nginx";
+  };
+  users.groups.${domain} = {};
+
+  services.mysqlBackup.databases = [ "paraclub" ];
+}