From 3990566fe5fddbd1661c0f1503272e6865901caa Mon Sep 17 00:00:00 2001 From: Dominik Polakovics Date: Fri, 1 Aug 2025 19:48:49 +0200 Subject: [PATCH] feat: many changes --- hosts/fw/modules/dnsmasq.nix | 5 +- hosts/fw/modules/foundry-vtt.nix | 7 +- hosts/fw/modules/home-assistant/light.nix | 136 ++++++++++-------- .../fw/modules/home-assistant/multimedia.nix | 10 -- hosts/fw/modules/home-assistant/sleep.nix | 63 +++----- hosts/fw/modules/phpldapadmin.nix | 2 +- hosts/nb/configuration.nix | 1 + hosts/nb/modules/desktop/bitwarden.nix | 74 +++++++++- hosts/nb/modules/desktop/default.nix | 1 + hosts/nb/modules/development/default.nix | 4 + hosts/nb/modules/printer.nix | 17 +++ hosts/nb/users/configs/project_history | 1 + hosts/nb/users/dominik.nix | 1 + hosts/web-arm/configuration.nix | 4 + hosts/web-arm/modules/authelia/default.nix | 8 +- hosts/web-arm/modules/grafana/default.nix | 60 ++------ hosts/web-arm/sites/vcard.cloonar.com.nix | 38 +++++ hosts/web-arm/sites/vcard.cloonar.dev.nix | 38 +++++ todos.md | 4 + utils/modules/borgbackup.nix | 2 + utils/modules/ldap-auth.nix | 57 ++++++++ 21 files changed, 363 insertions(+), 170 deletions(-) create mode 100644 hosts/web-arm/sites/vcard.cloonar.com.nix create mode 100644 hosts/web-arm/sites/vcard.cloonar.dev.nix create mode 100644 utils/modules/ldap-auth.nix diff --git a/hosts/fw/modules/dnsmasq.nix b/hosts/fw/modules/dnsmasq.nix index 80a1eeb..a855244 100644 --- a/hosts/fw/modules/dnsmasq.nix +++ b/hosts/fw/modules/dnsmasq.nix @@ -66,9 +66,9 @@ ]; dhcp-host = [ - "30:05:5c:56:62:37,${config.networkPrefix}.96.100,brn30055c566237" "24:df:a7:b1:1b:74,${config.networkPrefix}.96.101,rmproplus-b1-1b-74" + "30:05:5c:56:62:37,${config.networkPrefix}.99.100,brn30055c566237" "1a:c4:04:6e:29:bd,${config.networkPrefix}.97.2,omada" "02:00:00:00:00:04,${config.networkPrefix}.97.6,matrix" "ea:db:d4:c1:18:ba,${config.networkPrefix}.97.50,git" 
@@ -79,7 +79,6 @@ "f0:2f:9e:d4:3b:21,${config.networkPrefix}.99.11,firetv-living" "e4:2a:ac:32:3f:79,${config.networkPrefix}.99.13,xbox" "f0:2f:9e:c1:74:72,${config.networkPrefix}.99.21,firetv-bedroom" - "30:05:5c:56:62:37,${config.networkPrefix}.99.100,brn30055c566237" "fc:ee:28:03:63:e9,${config.networkPrefix}.100.148,k1c" "cc:50:e3:bc:27:64,${config.networkPrefix}.100.112,Nuki_Bridge_1A753F72" @@ -100,7 +99,7 @@ "/feeds.cloonar.com/188.34.191.144" "/nukibridge1a753f72.cloonar.smart/${config.networkPrefix}.100.112" "/allywatch.cloonar.com/${config.networkPrefix}.97.5" - "/brn30055c566237.cloonar.com/${config.networkPrefix}.96.100" + "/brn30055c566237.cloonar.multimedia/${config.networkPrefix}.99.100" "/stage.wsw.at/10.254.235.22" "/prod.wsw.at/10.254.217.23" diff --git a/hosts/fw/modules/foundry-vtt.nix b/hosts/fw/modules/foundry-vtt.nix index ef63e9f..8018d8c 100644 --- a/hosts/fw/modules/foundry-vtt.nix +++ b/hosts/fw/modules/foundry-vtt.nix @@ -38,6 +38,7 @@ in { address = "${hostConfig.networkPrefix}.96.1"; interface = "eth0"; }; + firewall.enable = false; nameservers = [ "${hostConfig.networkPrefix}.97.1" ]; }; systemd.services.foundry-vtt = { @@ -66,12 +67,6 @@ in { gid = cids.gids.foundry-vtt; }; - networking.firewall = { - enable = true; - allowedTCPPorts = [ 30000 ]; - }; - - system.stateVersion = "24.05"; }; }; diff --git a/hosts/fw/modules/home-assistant/light.nix b/hosts/fw/modules/home-assistant/light.nix index cb5b718..03e218f 100644 --- a/hosts/fw/modules/home-assistant/light.nix +++ b/hosts/fw/modules/home-assistant/light.nix 
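Review bot: The new `firewall.enable = false;` in the container's networking block replaces a firewall that admitted only TCP 30000, so every service listening inside the foundry-vtt container is now reachable from the `.96` network rather than just the game port; if the intent was only to fold the separate `networking.firewall` attrset into the networking block, the equivalent is `firewall = { enable = true; allowedTCPPorts = [ 30000 ]; };`. The second hunk also drops `system.stateVersion = "24.05";` from the container config, which NixOS uses to keep stateful defaults fixed across upgrades and warns about when absent, so it should stay. The container definition these lines belong to starts before the hunk.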
@@ -274,46 +274,88 @@ }; }; }; - "automation bed_button_1" = { - alias = "bed_button_1"; - trigger = { - platform = "event"; - event_type = "shelly.click"; - event_data = { - device = "shellybutton1-E8DB84AA196D"; - }; - }; + "automation bedroom light" = { + alias = "bedroom light"; + trigger = [ + { + platform = "event"; + event_type = "button_pressed"; + event_data = { + id = [ 254 207 162 105 ]; + which = 1; + onoff = 1; + pushed = 1; + }; + } + { + platform = "event"; + event_type = "shelly.click"; + event_data = { + device = "shellybutton1-E8DB84AA136D"; + click_type = "double"; + }; + } + ]; action = [ { - choose = [ - { - conditions = [ "{{ trigger.event.data.click_type == \"single\" }}" ]; - sequence = [ - { - service = "light.toggle"; - entity_id = "light.bed_reading_1"; - } - ]; - } - { - conditions = [ "{{ trigger.event.data.click_type == \"double\" }}" ]; - sequence = [ - { - service = "light.toggle"; - entity_id = "light.bedroom_lights"; - } - ]; - } - { - conditions = [ "{{ trigger.event.data.click_type == \"triple\" }}" ]; - sequence = [ - { - service = "light.toggle"; - entity_id = "light.bedroom_bed"; - } - ]; - } - ]; + service = "light.toggle"; + target = { + entity_id = "light.bedroom_lights"; + }; + } + ]; + }; + "automation bed light" = { + alias = "bed light"; + trigger = [ + { + platform = "event"; + event_type = "button_pressed"; + event_data = { + id = [ 254 207 162 105 ]; + which = 0; + onoff = 1; + pushed = 1; + }; + } + { + platform = "event"; + event_type = "shelly.click"; + event_data = { + device = "shellybutton1-E8DB84AA136D"; + click_type = "triple"; + }; + } + ]; + action = [ + { + service = "light.toggle"; + target = { + entity_id = "light.bedroom_bed"; + }; + } + ]; + }; + "automation reading 1 light" = { + alias = "reading 1 light"; + trigger = [ + { + platform = "event"; + event_type = "button_pressed"; + event_data = { + id = [ 254 207 162 105 ]; + which = 0; + onoff = 0; + pushed = 1; + }; + } + ]; + action = [ + { + service 
= "light.toggle"; + target = { + entity_id = "light.bed_reading_1"; + }; } ]; }; @@ -338,24 +380,6 @@ } ]; } - { - conditions = [ "{{ trigger.event.data.click_type == \"double\" }}" ]; - sequence = [ - { - service = "light.toggle"; - entity_id = "light.bedroom_lights"; - } - ]; - } - { - conditions = [ "{{ trigger.event.data.click_type == \"triple\" }}" ]; - sequence = [ - { - service = "light.toggle"; - entity_id = "light.bedroom_bed"; - } - ]; - } ]; } ]; diff --git a/hosts/fw/modules/home-assistant/multimedia.nix b/hosts/fw/modules/home-assistant/multimedia.nix index 4c932e1..3b1980b 100644 --- a/hosts/fw/modules/home-assistant/multimedia.nix +++ b/hosts/fw/modules/home-assistant/multimedia.nix @@ -290,16 +290,6 @@ command = "b64:JgDaAAABKZMUERMSExITEhMSExETEhMSExITEhMSExETNxQ2ExITEhMSEzcTNxM3ExITEhM3ExITNxMSEhITEhM3EzcTEhM3EwAFyAABKJQUERMSEhITEhMSExITEhMSEhITEhMSExITNxM3ExITEhMREzcTNxQ3EhITEhM3ExITNxMSExITEhM3EzcTEhM3EwAFyAABKJQUERMSExETEhMSExITEhMSExETEhMSExITNxM3ExITEhMREzcTOBI4ExETEhM3ExITNxMSExITEhM3EzcTEhM3E5IGAA0FAAAAAAAAAAAAAAAAAAA="; }; } - { - delay = 30; - } - # turn off tv switch - { - service = "switch.turn_off"; - target = { - entity_id = "switch.tv_switch"; - }; - } ]; }; "automation all_multimedia_on" = { diff --git a/hosts/fw/modules/home-assistant/sleep.nix b/hosts/fw/modules/home-assistant/sleep.nix index 0e5a708..bedd2f7 100644 --- a/hosts/fw/modules/home-assistant/sleep.nix +++ b/hosts/fw/modules/home-assistant/sleep.nix @@ -7,10 +7,6 @@ at = "input_datetime.wakeup"; }; action = [ - { - service = "switch.turn_on"; - entity_id = "switch.coffee"; - } { delay = 1700; } 
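Review bot: The remote's identifier `id = [ 254 207 162 105 ];` is repeated verbatim in all three new triggers (and once more in sleep.nix), as is `device = "shellybutton1-E8DB84AA136D";`, so replacing either device means editing five places; binding them once at the top of the file, e.g. `let remoteId = [ 254 207 162 105 ]; shellyButton = "shellybutton1-E8DB84AA136D"; in`, keeps the automations in step. The removed automation keyed the shelly button as `E8DB84AA196D` while the new ones use `E8DB84AA136D`; if that is a deliberate hardware swap, a one-line comment on the first trigger would stop it being read as a typo. The attrset holding these automations starts and ends outside the hunk.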
@@ -27,34 +23,21 @@ trigger = [ { platform = "event"; - event_type = "shelly.click"; + event_type = "button_pressed"; event_data = { - device = "shellybutton1-E8DB84AA196D"; - }; - } - { - platform = "event"; - event_type = "shelly.click"; - event_data = { - device = "shellybutton1-E8DB84AA136D"; + id = [ 254 207 162 105 ]; + which = 1; + onoff = 0; + pushed = 1; }; } ]; action = [ { - choose = [ - { - conditions = [ "{{ trigger.event.data.click_type == \"long\" }}" ]; - sequence = [ - { - service = "script.turn_on"; - target = { - entity_id = "script.turn_off_everything"; - }; - } - ]; - } - ]; + service = "script.turn_on"; + target = { + entity_id = "script.turn_off_everything"; + }; } ]; }; @@ -65,22 +48,18 @@ service = "light.turn_off"; entity_id = "all"; } - { - service = "switch.turn_off"; - entity_id = "switch.coffee"; - } - { - service = "switch.turn_off"; - entity_id = "switch.78_8c_b5_fe_41_62_port_2_poe"; - } - { - service = "switch.turn_off"; - entity_id = "switch.78_8c_b5_fe_41_62_port_3_poe"; - } - { - service = "switch.turn_off"; - entity_id = "switch.hallway_circuit"; - } + # { + # service = "switch.turn_off"; + # entity_id = "switch.78_8c_b5_fe_41_62_port_2_poe"; + # } + # { + # service = "switch.turn_off"; + # entity_id = "switch.78_8c_b5_fe_41_62_port_3_poe"; + # } + # { + # service = "switch.turn_off"; + # entity_id = "switch.hallway_circuit"; + # } # TODO: needs to stay on because phone is not loading otherwise # { # service = "switch.turn_off"; diff --git a/hosts/fw/modules/phpldapadmin.nix b/hosts/fw/modules/phpldapadmin.nix index 3c68837..07d3279 100644 --- a/hosts/fw/modules/phpldapadmin.nix +++ b/hosts/fw/modules/phpldapadmin.nix @@ -4,7 +4,7 @@ virtualisation.oci-containers.backend = "podman"; virtualisation.oci-containers.containers = { phpldapadmin = { - image = "phpldapadmin/phpldapadmin:latest"; + image = "phpldapadmin/phpldapadmin:2.2.2"; autoStart = true; ports = [ "80:8087/tcp" 
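Review bot: In the last hunk the three `switch.turn_off` actions for the two PoE ports and `switch.hallway_circuit` are left as commented-out code with no reason given, unlike the block right below them that carries `# TODO: needs to stay on because phone is not loading otherwise`. Either delete them (git keeps the history) or give each the same kind of one-line reason so the next reader knows whether re-enabling them is safe. The script this action list belongs to starts before the hunk.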
diff --git a/hosts/nb/configuration.nix b/hosts/nb/configuration.nix index 59307d2..baa3b22 100644 --- a/hosts/nb/configuration.nix +++ b/hosts/nb/configuration.nix @@ -21,6 +21,7 @@ in { ./modules/appimage.nix ./modules/desktop ./modules/development + ./modules/printer.nix # ./modules/cyberghost.nix ./utils/modules/autoupgrade.nix ./modules/puppeteer.nix diff --git a/hosts/nb/modules/desktop/bitwarden.nix b/hosts/nb/modules/desktop/bitwarden.nix index 4fa141d..ea145a5 100644 --- a/hosts/nb/modules/desktop/bitwarden.nix +++ b/hosts/nb/modules/desktop/bitwarden.nix @@ -1,9 +1,42 @@ { config, pkgs, ... }: - +let + polkitAgent = pkgs.lxqt.lxqt-policykit; +in { + #### Fingerprint stack ####################################################### + services.fprintd.enable = true; + services.fprintd.tod.enable = true; + # Change the driver if your sensor isn’t Goodix. + services.fprintd.tod.driver = pkgs.libfprint-2-tod1-goodix; + + #### Polkit (needed for Bitwarden’s “system authentication” prompt) ########### + security.polkit.enable = true; + services.dbus.enable = true; + + systemd.user.services.polkit-agent = { + description = "Polkit authentication agent"; + after = [ "graphical-session.target" ]; + wantedBy = [ "graphical-session.target" ]; + serviceConfig.ExecStart = "${polkitAgent}/bin/lxqt-policykit-agent"; + serviceConfig.Restart = "on-failure"; + }; + + #### Autostart Bitwarden desktop in your user session ######################## + systemd.user.services.bitwarden = { + description = "Bitwarden Desktop"; + after = [ "graphical-session.target" ]; + wantedBy = [ "graphical-session.target" ]; + serviceConfig.ExecStart = "${pkgs.bitwarden}/bin/bitwarden"; + serviceConfig.Restart = "on-abort"; + }; + + #### Handy tools ############################################################# environment.systemPackages = with pkgs; [ + goldwarden bitwarden bitwarden-cli + fprintd + lxqt.lxqt-policykit ]; environment.shellAliases = { 
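Review bot: `services.fprintd.enable = true;` does more than back Bitwarden's prompt: in NixOS the per-service `security.pam.services.<name>.fprintAuth` option defaults to `config.services.fprintd.enable`, so by default a fingerprint then also satisfies login, sudo and polkit authentication on this host. If that wider effect is not wanted, set `security.pam.services.sudo.fprintAuth = false;` (and likewise for the other services) next to this block; if it is wanted, a comment saying so would make the choice explicit. The line `# Change the driver if your sensor isn’t Goodix.` reads like a copied template; in a host-specific module it is more useful as the name of the sensor this machine actually has. The new `polkit-agent` user service may also compete with an agent the desktop session already starts, which cannot be checked from this hunk.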
@@ -14,4 +47,43 @@ environment.shellInit = '' mkdir -p ~/.config/bitwarden-cli-epicenter ~/.config/bitwarden-cli-cloonar ''; + + # environment.systemPackages = with pkgs; [ + # bitwarden + # bitwarden-cli + # (runCommand "bitwarden-polkit-policy" {} '' + # mkdir -p $out/share/polkit-1/actions + # cat > $out/share/polkit-1/actions/com.bitwarden.Bitwarden.policy <<'EOF' + # + # + # + # + # Unlock Bitwarden + # Authenticate to unlock Bitwarden + # + # no + # no + # auth_self + # + # + # + # EOF + # '') + # ]; + + # systemd.user.services.polkit-gnome-authentication-agent-1 = { + # description = "polkit-gnome-authentication-agent-1"; + # wantedBy = [ "graphical-session.target" ]; + # wants = [ "graphical-session.target" ]; + # after = [ "graphical-session.target" ]; + # serviceConfig = { + # Type = "simple"; + # ExecStart = "${pkgs.polkit_gnome}/libexec/polkit-gnome-authentication-agent-1"; + # Restart = "on-failure"; + # RestartSec = 1; + # TimeoutStopSec = 10; + # }; + # }; } diff --git a/hosts/nb/modules/desktop/default.nix b/hosts/nb/modules/desktop/default.nix index b42f598..1e10d4b 100644 --- a/hosts/nb/modules/desktop/default.nix +++ b/hosts/nb/modules/desktop/default.nix @@ -19,6 +19,7 @@ in { freecad firefox openscad + orca-slicer (where-is-my-sddm-theme.override { themeConfig.General = { diff --git a/hosts/nb/modules/development/default.nix b/hosts/nb/modules/development/default.nix index 670ec19..9ac16a1 100644 --- a/hosts/nb/modules/development/default.nix +++ b/hosts/nb/modules/development/default.nix @@ -21,7 +21,11 @@ in { git git-filter-repo glib + gnumake + + air go + jq mkcert mqttui diff --git a/hosts/nb/modules/printer.nix b/hosts/nb/modules/printer.nix index b368646..2b8b347 100644 --- a/hosts/nb/modules/printer.nix +++ b/hosts/nb/modules/printer.nix 
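Review bot: The roughly thirty-five lines of commented-out `environment.systemPackages` and `polkit-gnome-authentication-agent-1` definitions appended after `environment.shellInit` are dead configuration, and as shown here the heredoc body of the polkit policy is empty, so the block could not simply be uncommented later anyway. Either remove it (the earlier attempt stays in git history) or shrink it to a single line such as `# a polkit-gnome agent plus inline policy was tried first and replaced by lxqt-policykit` so the file describes only its current shape. The module's outer attrset is closed by the `}` at the end of this hunk, so the dead block sits inside the module body.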
@@ -1,5 +1,22 @@ { lib, pkgs, ... }: let + printerFix = pkgs.writeShellApplication { + name = "printer-fix"; + runtimeInputs = [ pkgs.cups ]; + text = '' + lpadmin -p 'Cloonar' -E \ + -v 'ipp://brn30055c566237.cloonar.multimedia/ipp/print' \ + -m 'everywhere' + + lpadmin -d 'epicenter.works' + ''; + }; + + printerFixDesktopItem = pkgs.makeDesktopItem { + name = "printer-fix"; + desktopName = "Printer Fix"; + exec = "printer-fix"; + }; in { services.printing.enable = true; diff --git a/hosts/nb/users/configs/project_history b/hosts/nb/users/configs/project_history index d36ca39..71b170d 100644 --- a/hosts/nb/users/configs/project_history +++ b/hosts/nb/users/configs/project_history @@ -10,6 +10,7 @@ /home/dominik/projects/cloonar/updns /home/dominik/projects/cloonar/mcp-servers-nix /home/dominik/projects/cloonar/ldap2vcard +/home/dominik/projects/accessowl/ao-domainscraping /home/dominik/projects/cloonar/flow/flow-docs /home/dominik/projects/cloonar/flow/flow-user-service diff --git a/hosts/nb/users/dominik.nix b/hosts/nb/users/dominik.nix index fd0f830..5972806 100644 --- a/hosts/nb/users/dominik.nix +++ b/hosts/nb/users/dominik.nix @@ -607,6 +607,7 @@ in git clone gitea@git.cloonar.com:Cloonar/updns.git ${persistHome}/projects/cloonar/updns 2>/dev/null git clone git@github.com:dpolakovics/mcp-servers-nix.git ${persistHome}/cloonar/mcp-servers-nix 2>/dev/null git clone gitea@git.cloonar.com:Cloonar/ldap2vcard.git ${persistHome}/projects/cloonar/ldap2vcard 2>/dev/null + git clone gitea@git.cloonar.com:AccessOwl/ao-domainscraping.git ${persistHome}/projects/accessowl/ao-domainscraping 2>/dev/null git clone gitea@git.cloonar.com:Cloonar/flow-docs.git ${persistHome}/projects/cloonar/flow/flow-docs 2>/dev/null git clone gitea@git.cloonar.com:Cloonar/flow-user-service.git ${persistHome}/projects/cloonar/flow/flow-user-service 2>/dev/null diff --git a/hosts/web-arm/configuration.nix b/hosts/web-arm/configuration.nix index 077bd81..d6b5186 100644 
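Review bot: `printerFix` and `printerFixDesktopItem` are bound in `let` but nothing in this hunk adds them to `environment.systemPackages`; the rest of the module is outside the hunk, so confirm they are referenced there, otherwise the launcher never appears. `lpadmin -d 'epicenter.works'` assumes a queue of that name already exists and, since `writeShellApplication` runs with `set -e`, makes the whole fix report failure on a machine where it does not; guarding it with `lpstat -p 'epicenter.works' >/dev/null 2>&1 && lpadmin -d 'epicenter.works'` keeps the Cloonar queue setup from being reported as failed. The queue is created over plain `ipp://`; if the printer supports `ipps://`, prefer it so job data does not cross the multimedia VLAN in the clear.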
--- a/hosts/web-arm/configuration.nix +++ b/hosts/web-arm/configuration.nix @@ -23,6 +23,7 @@ ./utils/modules/autoupgrade.nix ./utils/modules/promtail ./utils/modules/borgbackup.nix + # ./utils/modules/ldap-auth.nix ./modules/set-nix-channel.nix # Automatically manage nix-channel from /var/bento/channel ./hardware-configuration.nix @@ -35,6 +36,9 @@ ./sites/autoconfig.cloonar.com.nix ./sites/feeds.cloonar.com.nix + ./sites/vcard.cloonar.dev.nix + ./sites/vcard.cloonar.com.nix + ./sites/cloonar.com.nix ./sites/gbv-aktuell.at.nix ./sites/matomo.cloonar.com.nix diff --git a/hosts/web-arm/modules/authelia/default.nix b/hosts/web-arm/modules/authelia/default.nix index 57b345d..6216b67 100644 --- a/hosts/web-arm/modules/authelia/default.nix +++ b/hosts/web-arm/modules/authelia/default.nix @@ -177,7 +177,7 @@ in { public = false; authorization_policy = "one_factor"; redirect_uris = [ "https://git.cloonar.com/user/oauth2/authelia/callback" ]; - pre_configured_consent_duration = "1y"; + consent_mode = "implicit"; scopes = [ "openid" "profile" @@ -194,7 +194,7 @@ in { redirect_uris = [ "https://nextcloud.cloonar.com/apps/oidc_login/oidc" ]; - pre_configured_consent_duration = "1y"; + consent_mode = "implicit"; scopes = [ "openid" "profile" @@ -210,7 +210,7 @@ in { public = false; authorization_policy = "one_factor"; redirect_uris = [ "https://grafana.cloonar.com/login/generic_oauth" ]; - pre_configured_consent_duration = "1y"; + consent_mode = "implicit"; scopes = [ "openid" "profile" @@ -226,7 +226,7 @@ in { public = false; authorization_policy = "one_factor"; redirect_uris = [ "https://support.cloonar.dev/oauth-login/callback/fryg87l64" ]; - pre_configured_consent_duration = "1y"; + consent_mode = "implicit"; token_endpoint_auth_method = "client_secret_post"; scopes = [ "openid" diff --git a/hosts/web-arm/modules/grafana/default.nix b/hosts/web-arm/modules/grafana/default.nix index db3286b..75d7113 100644 --- a/hosts/web-arm/modules/grafana/default.nix 
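Review bot: `consent_mode = "implicit";` removes the consent screen for the gitea client entirely (the user is never asked), whereas the replaced `pre_configured_consent_duration = "1y"` asked once and remembered the answer; the same substitution is made for the nextcloud, grafana and support.cloonar.dev clients in the three hunks that follow. For first-party clients that is a common choice, but it should be visible as a decision: either add `# first-party client, consent screen intentionally skipped` above the line, or, if the one-time prompt was wanted, use `consent_mode = "pre-configured"; pre_configured_consent_duration = "1y";` together. Each client block starts before its hunk.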
+++ b/hosts/web-arm/modules/grafana/default.nix @@ -28,13 +28,12 @@ let in { imports = [ - # Individual alert files removed, now handled by alerting/system/default.nix - ./alerting/system/default.nix # Added: Imports the consolidated system alerts module - ./alerting/service/default.nix # Added: Imports the new service alerts module - ./alerting/websites/default.nix # Added: Imports the new websites alerts module - # ... other rule files can be added here ... + ./alerting/system/default.nix + ./alerting/service/default.nix + ./alerting/websites/default.nix + ./datasources/victoriametrics.nix - ./datasources/loki.nix # Add Loki datasource + ./datasources/loki.nix ]; systemd.services.grafana.script = lib.mkBefore '' @@ -97,15 +96,15 @@ in }; provision = { alerting = { - rules.settings.groups = lib.mkMerge []; # Allows rule groups to be merged (including the one from system/default.nix) + rules.settings.groups = lib.mkMerge []; contactPoints = { settings = { - apiVersion = 1; # As per Grafana provisioning API + apiVersion = 1; contactPoints = [{ orgId = 1; name = "cp_dominik"; receivers = [{ - uid = "dominik_pushover_cp_receiver"; # Made UID even more specific + uid = "dominik_pushover_cp_receiver"; type = "pushover"; settings = { apiToken = "\${PUSHOVER_API_TOKEN}"; 
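Review bot: With the trailing comments removed, `rules.settings.groups = lib.mkMerge [];` (and the matching `datasources.settings.datasources = lib.mkMerge [];` in the last hunk) no longer say why they exist; a merge of an empty list contributes no definitions and the module system already merges the groups defined by the imported alerting modules, so these look like no-op placeholders. Either drop them or keep one line such as `# placeholder only; the imported alerting modules supply the actual groups` so the intent survives the cleanup. The `provision` attrset is only partly inside this hunk.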
@@ -125,49 +124,16 @@ in }; }; - policies = { # Corrected from notificationPolicies to policies + policies = { settings = { - apiVersion = 1; # As per Grafana provisioning API - - # Grafana's new unified alerting expects a single policy tree per org. - # For OrgID 1 (default), this defines the root of that tree. - # The NixOS module should translate this into the correct YAML structure. - # The `policies` attribute within `settings` usually takes a list of policy trees. - # For a single default organization, we define one policy tree. - # Grafana's own YAML examples show a top-level 'route' for the default policy, - # or a list under 'policies' if you're managing multiple policy sets (less common for basic setup). - # Given the NixOS option `services.grafana.provision.alerting.policies.settings.policies`, - # it's likely expecting a list here. - policies = [{ # This outer list corresponds to the `policies` option - # orgId = 1; # Usually implicit for the default policy file, but can be specified - receiver = "cp_dominik"; # This sets the default receiver for the root route - - # The actual routing tree starts here. - # For a simple setup where all alerts go to one receiver, - # just setting the top-level 'receiver' is often enough. - # If more complex routing is needed, 'routes' would be defined here. - # Example: - # route = { - # receiver = "cp_dominik"; - # group_by = [ "alertname", "job" ]; - # # ... other root route settings - # routes = [ - # { - # matcher_re = { severity = "critical" }; - # receiver = "critical_alerts_receiver"; # Another contact point - # continue = false; - # }, - # # ... other specific routes - # ]; - # }; - # For the simplest case, just defining the receiver at this level should work - # as the root policy for the default organization. + apiVersion = 1; + policies = [{ + receiver = "cp_dominik"; }]; - # resetPolicies = false; # Default, set to true to remove existing policies not in this config. 
}; }; }; - datasources.settings.datasources = lib.mkMerge []; # Allows datasources to be merged + datasources.settings.datasources = lib.mkMerge []; }; }; diff --git a/hosts/web-arm/sites/vcard.cloonar.com.nix b/hosts/web-arm/sites/vcard.cloonar.com.nix new file mode 100644 index 0000000..1a9648a --- /dev/null +++ b/hosts/web-arm/sites/vcard.cloonar.com.nix @@ -0,0 +1,38 @@ +{ pkgs, lib, config, ... }: +{ + services.webstack.instances."vcard.cloonar.com" = { + enableDefaultLocations = false; + enableMysql = false; + authorizedKeys = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMkN2nAB8RIJqeYl/d20P0viXmKsGDIrUIl5N+HAN99b" + ]; + extraConfig = '' + add_header X-Frame-Options "SAMEORIGIN"; + add_header X-Content-Type-Options "nosniff"; + + index index.php + + charset utf-8; + ''; + locations."/favicon.ico".extraConfig = '' + log_not_found off; + access_log off; + ''; + locations."/robots.txt".extraConfig = '' + access_log off; + log_not_found off; + ''; + + locations."/".extraConfig = '' + try_files $uri $uri/ /index.php$is_args$args; + ''; + phpPackage = pkgs.php82.withExtensions ({ enabled, all }: + enabled ++ [ all.imagick ]); + phpOptions = '' + opcache.enable=1 + opcache.memory_consumption=128 + opcache.validate_timestamps=0 + opcache.revalidate_path=0 + ''; + }; +} diff --git a/hosts/web-arm/sites/vcard.cloonar.dev.nix b/hosts/web-arm/sites/vcard.cloonar.dev.nix new file mode 100644 index 0000000..c842b10 --- /dev/null +++ b/hosts/web-arm/sites/vcard.cloonar.dev.nix 
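Review bot: In `extraConfig`, `index index.php` has no terminating semicolon, so nginx reads it together with the next directive as `index index.php charset utf-8;` — the `charset` directive is silently swallowed as two extra index candidates and no charset is sent; the fix is `index index.php;`. The same defect is in the new vcard.cloonar.dev.nix. `opcache.validate_timestamps=0` means edited PHP files are not picked up until php-fpm restarts, which suits an immutable deploy but deserves a note such as `# code is only re-read on php-fpm restart` beside it. The two site files differ only in hostname and SSH key; a small function taking those two values would keep them from drifting apart.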
@@ -0,0 +1,38 @@ +{ pkgs, lib, config, ... }: +{ + services.webstack.instances."vcard.cloonar.dev" = { + enableDefaultLocations = false; + enableMysql = false; + authorizedKeys = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKzlgVs4/MCCU/Mw3nXsZquSXZ2x8h4uXjBEWLEvdQgV" + ]; + extraConfig = '' + add_header X-Frame-Options "SAMEORIGIN"; + add_header X-Content-Type-Options "nosniff"; + + index index.php + + charset utf-8; + ''; + locations."/favicon.ico".extraConfig = '' + log_not_found off; + access_log off; + ''; + locations."/robots.txt".extraConfig = '' + access_log off; + log_not_found off; + ''; + + locations."/".extraConfig = '' + try_files $uri $uri/ /index.php$is_args$args; + ''; + phpPackage = pkgs.php82.withExtensions ({ enabled, all }: + enabled ++ [ all.imagick ]); + phpOptions = '' + opcache.enable=1 + opcache.memory_consumption=128 + opcache.validate_timestamps=0 + opcache.revalidate_path=0 + ''; + }; +} diff --git a/todos.md b/todos.md index 80be43f..f8d3483 100644 --- a/todos.md +++ b/todos.md @@ -3,3 +3,7 @@ change sddm theme add yubikey change playmouth theme look into secure boot + + +## chache server +https://github.com/zhaofengli/attic diff --git a/utils/modules/borgbackup.nix b/utils/modules/borgbackup.nix index 8b3a257..9459c58 100644 --- a/utils/modules/borgbackup.nix +++ b/utils/modules/borgbackup.nix @@ -77,6 +77,8 @@ in { "/var/cache" "/var/tmp" "/var/log" + "var/lib/microvms" + "/var/lib/nixos-containers" ]; environment.BORG_RSH = "ssh -p23 -i ${config.sops.secrets.borg-ssh-key.path}"; repo = repo; diff --git a/utils/modules/ldap-auth.nix b/utils/modules/ldap-auth.nix new file mode 100644 index 0000000..7a5aba1 --- /dev/null +++ b/utils/modules/ldap-auth.nix 
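Review bot: The new borgbackup exclude `"var/lib/microvms"` is missing its leading slash, unlike every other entry in the list including the `"/var/lib/nixos-containers"` added beside it; borg matches exclude patterns against the full absolute path, so this pattern will not match `/var/lib/microvms` and that directory keeps being backed up. Change it to `"/var/lib/microvms"`. The exclude list starts before the hunk.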
@@ -0,0 +1,57 @@ +{ lib, config, pkgs, ... }: +let + ldapAuthorizedKeys = + pkgs.writeShellScript "ldap-authorized-keys" '' + exec ${pkgs.openldap}/bin/ldapsearch -LLL -x -H ldap://ldap.cloonar.com \ + -D "cn=linuxbind,ou=system,ou=users,dc=cloonar,dc=com" \ + -y ${config.sops.secrets.linuxbind-password.path} \ + -b "ou=users,dc=cloonar,dc=com" \ + "(uid=$1)" sshPublicKey \ + | sed -n 's/^sshPublicKey: //p' + ''; +in +{ + environment.systemPackages = with pkgs; [ openldap ]; + + users.ldap = { + enable = true; + daemon.enable = true; + base = "ou=users,dc=cloonar,dc=com"; + server = "ldap://ldap.cloonar.com/"; + useTLS = true; + bind = { + policy = "soft"; + distinguishedName = "cn=linuxbind,ou=system,ou=users,dc=cloonar,dc=com"; + passwordFile = config.sops.secrets.linuxbind-password.path; + }; + loginPam = true; + extraConfig = '' + ldap_version 3 + # pam_password ssha + pam_filter objectClass=posixAccount + pam_login_attribute uid + pam_member_attribute gidNumber + ''; + }; + + security.pam.services.login.makeHomeDir = true; + security.pam.services.systemd-user.makeHomeDir = true; + systemd.services.nslcd = { + after = [ "Network-Manager.service" ]; + }; + + # evil, horrifying hack for dysfunctional nss_override_attribute_value + systemd.tmpfiles.rules = [ + "L /bin/bash - - - - /run/current-system/sw/bin/bash" + ]; + + services.openssh = { + settings = { + AuthorizedKeysCommand = ldapAuthorizedKeys; + AuthorizedKeysCommandUser = "nslcd"; # default is “nobody” :contentReference[oaicite:0]{index=0} + PubkeyAuthentication = "yes"; + }; + }; + + sops.secrets.linuxbind-password.owner = "nslcd"; +}
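Review bot: `ldap-authorized-keys` builds the LDAP filter as `"(uid=$1)"` from the username sshd hands it without any escaping, so a username containing filter metacharacters alters the query instead of failing it; reject anything outside the expected character set before searching, e.g. `case "$1" in *[!A-Za-z0-9._-]*|"") exit 1 ;; esac`, or escape the value per RFC 4515. The same script binds with `-D ... -y <password file>` to `ldap://ldap.cloonar.com` without `-ZZ`, so unlike nslcd (which gets `useTLS = true`) it sends the bind password in the clear unless the client ldap.conf happens to force StartTLS; add `-ZZ` or use an `ldaps://` URI. `after = [ "Network-Manager.service" ];` names a unit that does not exist (NetworkManager's unit is `NetworkManager.service`, and a server is more likely to want `network-online.target`), so the ordering currently has no effect. The comment `# default is “nobody” :contentReference[oaicite:0]{index=0}` carries a leftover citation artifact and should be trimmed to `# default is nobody`.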