remove old hosts

hosts/fw-new/modules/web/default.nix

@@ -1,113 +0,0 @@
-{ lib, nixpkgs, pkgs, ... }: let
-  hostname = "web-02";
-  json = pkgs.formats.json { };
-  impermanence = builtins.fetchTarball "https://github.com/nix-community/impermanence/archive/master.tar.gz";
-in {
-  microvm.vms = {
-    web = {
-      config = {
-        microvm = {
-          mem = 4096;
-          # hypervisor = "cloud-hypervisor";
-          shares = [
-            {
-              source = "/nix/store";
-              mountPoint = "/nix/.ro-store";
-              tag = "ro-store";
-              proto = "virtiofs";
-            }
-            {
-              source = "/var/lib/microvms/persist/web-02";
-              mountPoint = "/persist";
-              tag = "persist";
-              proto = "virtiofs";
-            }
-          ];
-          volumes = [
-            {
-              image = "rootfs.img";
-              mountPoint = "/";
-              size = 102400;
-            }
-          ];
-          interfaces = [
-            {
-              type = "tap";
-              id = "vm-${hostname}";
-              mac = "02:00:00:00:00:03";
-            }
-          ];
-        };
-
-        imports = [
-          "${impermanence}/nixos.nix"
-          ../../utils/modules/sops.nix
-          ../../utils/modules/lego/lego.nix
-          # ../../utils/modules/borgbackup.nix
-
-          # ./zammad.nix
-          ./proxies.nix
-        ];
-
-        time.timeZone = "Europe/Vienna";
-
-        systemd.network.networks."10-lan" = {
-          matchConfig.PermanentMACAddress = "02:00:00:00:00:03";
-          address = [ "10.42.97.5/24" ];
-          gateway = [ "10.42.97.1" ];
-          dns = [ "10.42.97.1" ];
-        };
-
-        fileSystems."/persist".neededForBoot = lib.mkForce true;
-        environment.persistence."/persist-local" = {
-          directories = [
-            "/var/lib/zammad"
-            "/var/lib/postgresql"
-            "/var/log"
-            "/var/lib/systemd/coredump"
-          ];
-        };
-
-        environment.systemPackages = with pkgs; [
-          vim                 # my preferred editor
-        ];
-
-        networking.hostName = hostname;
-
-        services.openssh = {
-          enable = true;
-          hostKeys = [
-             {
-               path = "/persist/etc/ssh/ssh_host_ed25519_key";
-               type = "ed25519";
-             }
-             {
-               path = "/persist/etc/ssh/ssh_host_rsa_key";
-               type = "rsa";
-               bits = 4096;
-             }
-           ];
-        };
-        users.users.root.openssh.authorizedKeys.keys = [
-          "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDN/2SAFm50kraB1fepAizox/QRXxB7WbqVbH+5OPalDT47VIJGNKOKhixQoqhABHxEoLxdf/C83wxlCVlPV9poLfDgVkA3Lyt5r3tSFQ6QjjOJAgchWamMsxxyGBedhKvhiEzcr/Lxytnoz3kjDG8fqQJwEpdqMmJoMUfyL2Rqp16u+FQ7d5aJtwO8EUqovhMaNO7rggjPpV/uMOg+tBxxmscliN7DLuP4EMTA/FwXVzcFNbOx3K9BdpMRAaSJt4SWcJO2cS2KHA5n/H+PQI7nz5KN3Yr/upJN5fROhi/SHvK39QOx12Pv7FCuWlc+oR68vLaoCKYhnkl3DnCfc7A7"
-          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIRQuPqH5fdX3KEw7DXzWEdO3AlUn1oSmtJtHB71ICoH Generated By Termius"
-        ];
-
-        # backups
-        # borgbackup.repo = "u149513-sub2@u149513-sub2.your-backup.de:borg";
-
-
-        sops.age.sshKeyPaths = [ "/persist/etc/ssh/ssh_host_ed25519_key" ];
-        sops.defaultSopsFile = ./secrets.yaml;
-
-        networking.firewall = {
-          enable = true;
-          allowedTCPPorts = [ 22 80 443 ];
-        };
-
-
-        system.stateVersion = "22.05";
-      };
-    };
-  };
-}

hosts/fw-new/modules/web/proxies.nix

@@ -1,10 +0,0 @@
-{ ... }: {
-  services.nginx.virtualHosts."git.cloonar.com" = {
-    forceSSL = true;
-    enableACME = true;
-    acmeRoot = null;
-    locations."/" = {
-      proxyPass = "https://git.cloonar.com/";
-    };
-  };
-}

hosts/fw-new/modules/web/secrets.yaml

@@ -1,32 +0,0 @@
-borg-passphrase: ENC[AES256_GCM,data:2WjoqMRmXvW9EGMmpMYhrC0Qt0Dk7QWlbEncZPdK2SxVljEoFibjVEr6jeYdAx6UkaXdjk9pD3PBbls2tWt0TiNQdh8=,iv:bHzASNjqqfPsQ/1w/oM7x0FubAzzRkn+iWrZlenU9rs=,tag:ektqi0rqEywg9YGybPQesw==,type:str]
-borg-ssh-key: ENC[AES256_GCM,data:b/xZnUTfi85IG1s897CBF1HD7BTswQUatbotyZfLmbhxXxEyffUeaiGsT9Gh9yQqOKTstTihA48nVk/4ekAPD/ZGDQ189V1BwKkQ5chN9TSULofekfmemhUhVGjnx8OFl6hYYpTttQSTLHtczmfE2iX1JyrZy2Z+H+w6dbZjkYDayRUt/4+5wCtQJ1Nt7bjzwLWhjdVtwDeBLm/kCywVguZLCgyiuqmXMr1h9jpUS7URZegGz1lFs34Ismu1LtaRjFGRyd8aKaTU6PSxDbjE4dQ3Lh1Hm3nhtOrSkswBZLp8OTP6emrQ7c3oJp1zqO5zQHXxD2V5hkPw6ln0Ee1aQp1rvLD8shRXzRbHG+mySvjKLJvLypnNuYfQklqlnhbG+M1/NN13oVF13nHpKwP5q33sRr49mfHw8YHdRhHuhYHVrpy8ep0AmPXiDYCDM4cnlOMnzlH/toF0fq0YRny6QoqKNpaYhmA61MXRPTZCqoAcE1N+oo7HymjJetzL9b2FkPCoDOx989IJ8SUaBJpzR+agNsFi87htVllRp4ozms/m56dI0AdwqeAre00iMBzpVS0hXURE7fqvAnLHQD1goW9XB2mztqcJ09YafrOgTA3oyazWcAjxgV33GupxxIDmwRdLmavvr4qrHfddYctYLPI7VolqT9JmKN6iVG9vYsDutgoyRlhzbGASKPLgcYn9sGG+LBgTHfZyABnYOaUetVP72mhSN30ZZixcCskVlGg5C53wrW5o6mBv+PyG8PimxLmQylbvHUdGGVLQfMpJaaXgpUjBX1MWdQAVa+Nyjm7QwYdRKoCb3suQ6bOq5O9eotel3GPB8gpKzInhNA/0xiB4UyCGp1i21iRS9+Rc7yufo5s3t56k0643K2DhBUVgssiTsG15BbQdX4c1O28i9zwEZ+wVci1yvLX38M0a3tDDt9iW1BIOWehShS7dpyJR2/OgWLFagw9hYP5h24t5k6Gz2ODhPouaFccYDRUBR6UECxA+gDS+trN8iNSX1oWa0ys0XvgwWpJ2CrdSArNqe1BdhM47BQwudiA3RwaEN3wRh5PeykSk/3BUXK+ZdAr0BZ8ij2q4F8zQexLxnrV6xRqofNcVs62iJAjx6g86InSv0nNjLQ9U/fBTL66u1iRZFJhuxPjDNfLJZqT0TvRR7KBcNWTwTuMCGNp5s9TngMUF4uhHx8qGxtjfH58WjixOhC9lgUt7cYEFIeefcwIO9VVnKoiXK5sPIvIsjtLRzGvejYSd0ZwSF3Ly9FkWLkr+o5rs5bXtGMsSQ+BUFg5nM1BqrHIGv9M+F4kPxhnqm9/JXuMSQ+JUzix5N0vHuSTphCayDpMHJYRUEkDEmwPXMyB9zWVmvMb0ByUnfs/n/jmL4WRuggYqchIR3/xuco5HUqLbEKXiJ39wVgy+i3/biWOOEu5BmMx3qbgQ1+6nlxY+f1qpXZ8br0RlXLOQ6L/O9Qa9gKZaxLm/5GCiFZ+SeU/c5OgUndYqTk6FsbDlNurA69IqjwubG345lpdB9VPoGP7dLsx3VaGKW0bvr06oRaeasMx90SN5bGQJH+0iQFkGPhp0m2v31zpBk1IibXi5Qb1OWGXGYd+iNt1ZQF0HVuEqQEXI62x92QkaR7eHowR4tCRF1xH1ZrBkyjtdofUU2wPqsRrOWqGIZWUh/JpfXkSAZQo9yJKnHcp9d3BPEvWpLWS9g1Jfej5XG497aP6crWw5XawOyzi+PEgz2Y3Q0R/MM3S1W2R7Z+21nekbCfghpNylwIX4UYkeX8YorheiumkUfFXjktPSkFCTuUrYAA89WZjIIqd4/gt3tS7keCsjEiTkW2KdDPlzNItKnC8xWnpRc+Wh6ghA/nt3j4POb880j3scFoDjgOv5lNk2Q84S/IW+DQ3U8o4JrKiXsxchDvmgGbU4FbXZTGLXeM1CybmbZKogIHdwJkhC425oqA1PMiq5tDPLKpl2214JuaV4Xd8R0bwCSHYjQp9gqJT9j1Wg/3P0M3/VGZGoJEVriiBl6PBHP2CcvxK1NADDmMHgGQwwfROoSijAzzPKCy9sgzsquTkqzq8q4aChjGKShxs+52dpnmmuygSlxjyVQCEW9kLERf1Nm1arsLkHJ4ZsWgSrskGvjsPEvyEnpY33gGB7fpy90NW0GtELgGzEw/1nfLcFbRBJ7gH+4Dby2fBTxoV2ks9m0Fv6OWsfIe6H54zWLmqB1RkQaskb1wDKU3HATOmuYo/fByLIsMyR5l3P7LXWF5CJOprzp41rGts/ybJEG1EUtmVCs2epTwbeG/Waq1DB3TFa639ETjxOfGQ65PXp5aT1d5v+ko87LiR+0us6xwlfZ6NMRRZuPt4wycFgPUAAmpdmguwDKifHKA258g9kzotT25JeFFEMVhsMi1PoXEqA+sFomdsLt+Vtpr2aGMUWyHD/E2fgAtybLwxbjqDINi8vXWJxv/UZdH8wBOlWLtaeGg5/jRsMuL/hSSZ84Q2zfRVvV7/BZ7wnxfoXmAwRdTZijAvc9TxWszP6E5mAix7s/znU+1vnseJdxWa4Ff1wOGVL/Tem2K0J/mp75XuzSP7nCYDMgqhnvfzlD8vv6QpxtDUAbdTBDyPkQ4U9L6+y5ul5Aegpui+p0G9/0UHdBYhJiFd90omnhSmyHx2pvgUTfbL/Kv/pk7nwTv89a87NXNA9K6AATwx0kUPgIWs/5FGi8leCXGSsgBbJogL1htC72pKzVH6ckEzKeBzRADmwFLhnPIvp37ZkQPj0rrWRhkd5RqsFcN0166N+M4lPD0hzPd2+nEXDAOHoCK7U+BcRcJ3GUlyPU91dbWfo9otPd3naTvGVZuFDxOihLtBXaLTsxmS4STk6DVRjwNmX8YC9FwXkED19xEeH6KkaFs1nVXnmDqpvi2BcueT96t6TOeu5HcA9fAgFTpOKVT6cK2PcHTtJhjrPkfSYr0/ksJdV7r9N4JgAEfiASMMHS5uQWJlyJKWo92rJ2IvSCQx4lcK3gasgcTsVaYmuRORM+6263r4NKS8W8r55XvVyW/C7vvsVq6wF3xUkQadBkxIUQUVWxxCc1pWOlfWwMs0i+ZssoaWopbs7x45z86i+3HsHmfS6GuXUpQfgvXe9Bn7mOj7VQWaG9NIFUpIxisGfdY9L8+RXobo7etD3da7TNMs40BT+34tijcX53FzKwvG3ESNPB2hjOAITDta6LDOHhJrlVqn90p1DicThHOaT3fxt6ST287EhWqK9S1gpkLrp0gNSA9v+K9mBvWaWYNDXY7sGxOIMzCEIdFT18Pra92NhGTJtC0XizHDMUfGx5WAaard1Iy/PYXvavoAwp30qDCQGF+PgwSProa+JtQQPzoEgtSXNVhUWIzz10TACuo+vHt8sHvFG3VuU7jSOr9sqVrN36KMDUlwo0gavHKsjRxHf2OGh552q7AP+sM6Y5WhA4KhmQSUKCVxYVQ==,iv:U3+fjacm8+gZAjPQNz2mjFYTUbLyltTaPiSKb3lvCmk=,tag:ZR6zI1UijDayIvH3v35Hqg==,type:str]
-zammad-key-base: ENC[AES256_GCM,data:HO9MuwcwjryuXr5No8sCPfso5bpLtQCoczrC/R214ecVIFwwH1uhMeNO8Tlh6EjRLPo7aVTSz87Vx5yaNVezvHCs55G6TT9mcNS/v/V7sbFz9dNIgbFblY3gFIAa4cViioYc71wdb7d4Tta7qhse5zQ41KhAqCWuGDgFErQA4Oc=,iv:b1wY8fW0psircSlNXwDjPzNWK8NyAMNqegitNcqV6U4=,tag:oQ7nyO9TKOOu6IF7ODzpPA==,type:str]
-sops:
-    kms: []
-    gcp_kms: []
-    azure_kv: []
-    hc_vault: []
-    age:
-        - recipient: age16veg3fmvpfm7a89a9fc8dvvsxmsthlm70nfxqspr6t8vnf9wkcwsvdq38d
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoUWdTYlRjWDJvemF5Q2sr
-            VCtrS2dTTGRwUlNIWHd0WkVCRkRMcGhuTzE0ClNic1FmQ05UNWQwbGc4TUFMNGlI
-            K0RhK2pqUGY3UElmK1pNUEkxV2xGUTQKLS0tIFRORE9JTDRZK0MwZUJoc2xlcHFH
-            bmp3ZW14TVdCMHhkSi84NE5neDdrY3cKYfgu7aqvG6wQmEFhmzieXFGoQpyffPXj
-            jiHrAPjBBFy21wdYf0nQXNMzekqOMJwOj0oNA2b5omprPxjB9uns4Q==
-            -----END AGE ENCRYPTED FILE-----
-        - recipient: age1gjm4c3swt8u88e36gf2qlg3syxfc0ly94u64c42f2tsf24npw4csa6e4fw
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUUjQxWnBMQXo3QmF1STUw
-            bHh1NDhvQXZIQ2RiOUx5OU5Wc3BVSEJDUEZVCmVzeFk5SWpMbVV4VUdsRmhiaWwz
-            bTJDY1pJRXJvNUdCSXJqQ3Byd3lWN2sKLS0tIHRKdXRNc1BYcURBRVNlenk1OEl3
-            Q05BN0VnQ0haeHBobWhRV0EzL3dLSEkKWlALiX5mvG8y0WUc8yFWMbcpSRrSGoQx
-            SHaOlDCjYvViZ7GPRLqnSwDGZ1clC6JsTbwKXrMsWdZBKvSO/VIWQw==
-            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-08-16T11:12:23Z"
-    mac: ENC[AES256_GCM,data:nMLxD/WP3LxLTECQ/wQjiDW3F2Lx8yeMTkNIg97eipebVZwTLiVGg4t+sVzen+X3t4tPixO2a72mWMtIVQKs8d2MzkydLh+LjYItUBP+uw/rnCjB0zfxiPN883+FO6q4+BoT0JJc4LUHbgQQWEDnKaqld4/ICE1xJbPZVEJWo40=,iv:JenHaRqB8ZVDRV5rUOgMURflqQzfOrt9pHege2oiT7g=,tag:xv0p2oW1P0FPqcrRoQ/6tw==,type:str]
-    pgp: []
-    unencrypted_suffix: _unencrypted
-    version: 3.8.1

hosts/fw-new/modules/web/zammad.nix

@@ -1,120 +0,0 @@
-{ config, pkgs, ... }:
-
-{
-  services.zammad = {
-    enable = true;
-    port = 3010;
-    secretKeyBaseFile = config.sops.secrets.zammad-key-base.path;
-    database = {
-      createLocally = true;
-    };
-  };
-  
-  services.nginx.enable = true;
-  services.nginx.virtualHosts."support.cloonar.com" = {
-    forceSSL = true;
-    enableACME = true;
-    acmeRoot = null;
-
-    extraConfig = ''
-      # Virtual endpoint created by nginx to forward auth requests.
-      location /authelia {
-        internal;
-        set $upstream_authelia https://auth.cloonar.com/api/verify;
-        proxy_pass_request_body off;
-        proxy_pass $upstream_authelia;    
-        proxy_set_header Content-Length "";
-
-        # Timeout if the real server is dead
-        proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
-
-        # [REQUIRED] Needed by Authelia to check authorizations of the resource.
-        # Provide either X-Original-URL and X-Forwarded-Proto or
-        # X-Forwarded-Proto, X-Forwarded-Host and X-Forwarded-Uri or both.
-        # Those headers will be used by Authelia to deduce the target url of the     user.
-        # Basic Proxy Config
-        client_body_buffer_size 128k;
-        proxy_set_header Host $host;
-        proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
-        proxy_set_header X-Real-IP $remote_addr;
-        proxy_set_header X-Forwarded-For $remote_addr; 
-        proxy_set_header X-Forwarded-Proto $scheme;
-        proxy_set_header X-Forwarded-Host $http_host;
-        proxy_set_header X-Forwarded-Uri $request_uri;
-        proxy_set_header X-Forwarded-Ssl on;
-        proxy_redirect  http://  $scheme://;
-        proxy_http_version 1.1;
-        proxy_set_header Connection "";
-        proxy_cache_bypass $cookie_session;
-        proxy_no_cache $cookie_session;
-        proxy_buffers 4 32k;
-
-        # Advanced Proxy Config
-        send_timeout 5m;
-        proxy_read_timeout 240;
-        proxy_send_timeout 240;
-        proxy_connect_timeout 240;
-      }
-    '';
-
-    locations."/" = {
-      proxyPass = "http://127.0.0.1:3010";
-      proxyWebsockets = true;
-      extraConfig =
-        "proxy_set_header X-Forwarded-Proto 'https';" +
-        "proxy_set_header X-Forwarded-Ssl on;" +
-        "proxy_connect_timeout  300;" +
-        "proxy_send_timeout     300;" +
-        "proxy_read_timeout     300;" +
-        "send_timeout           300;"
-      ;
-    };
-    locations."/auth/sso" = {
-      proxyPass = "http://127.0.0.1:3010";
-      proxyWebsockets = true;
-
-      extraConfig = ''
-        # Basic Authelia Config
-        # Send a subsequent request to Authelia to verify if the user is authenticated
-        # and has the right permissions to access the resource.
-        auth_request /authelia;
-        # Set the `target_url` variable based on the request. It will be used to build the portal
-        # URL with the correct redirection parameter.
-        auth_request_set $target_url $scheme://$http_host$request_uri;
-        # Set the X-Forwarded-User and X-Forwarded-Groups with the headers
-        # returned by Authelia for the backends which can consume them.
-        # This is not safe, as the backend must make sure that they come from the
-        # proxy. In the future, it's gonna be safe to just use OAuth.
-        auth_request_set $user $upstream_http_remote_user;
-        auth_request_set $groups $upstream_http_remote_groups;
-        auth_request_set $name $upstream_http_remote_name;
-        auth_request_set $email $upstream_http_remote_email;
-        proxy_set_header Remote-User $user;
-        proxy_set_header Remote-Groups $groups;
-        proxy_set_header Remote-Name $name;
-        proxy_set_header Remote-Email $email;
-        # If Authelia returns 401, then nginx redirects the user to the login portal.
-        # If it returns 200, then the request pass through to the backend.
-        # For other type of errors, nginx will handle them as usual.
-        error_page 401 =302 https://auth.cloonar.com/?rd=$target_url;
-      '';
-    };
-    locations."/ws" = {
-      proxyPass = "http://127.0.0.1:6042";
-      proxyWebsockets = true;
-      extraConfig =
-        "proxy_set_header X-Forwarded-Proto 'https';" +
-        "proxy_set_header X-Forwarded-Ssl on;" +
-        "proxy_read_timeout     86400;" +
-        "send_timeout           300;"
-      ;
-    };
-  };
-
-  sops.secrets = {
-    zammad-key-base.owner = "zammad";
-  };
-
-  services.postgresqlBackup.enable = true;
-  services.postgresqlBackup.databases = [ "zammad" ];
-}