feat: many changes

2025-07-11 11:19:42 +02:00
parent da95b2fa71
commit 7f01dc4cac
15 changed files with 107 additions and 110 deletions
--- a/hosts/fw/modules/dnsmasq.nix
+++ b/hosts/fw/modules/dnsmasq.nix
@@ -91,7 +91,7 @@
        "/fw.cloonar.com/${config.networkPrefix}.97.1"
        "/omada.cloonar.com/${config.networkPrefix}.97.2"
        "/web-02.cloonar.com/${config.networkPrefix}.97.5"
-        "/phpldapadmin.cloonar.com/${config.networkPrefix}.97.5"
+        "/pla.cloonar.com/${config.networkPrefix}.97.5"
        "/home-assistant.cloonar.com/${config.networkPrefix}.97.20"
        "/mopidy.cloonar.com/${config.networkPrefix}.97.21"
        "/snapcast.cloonar.com/${config.networkPrefix}.97.21"
@@ -100,6 +100,7 @@
        "/feeds.cloonar.com/188.34.191.144"
        "/nukibridge1a753f72.cloonar.smart/${config.networkPrefix}.100.112"
        "/allywatch.cloonar.com/${config.networkPrefix}.97.5"
+        "/brn30055c566237.cloonar.com/${config.networkPrefix}.96.100"

        "/stage.wsw.at/10.254.235.22"
        "/prod.wsw.at/10.254.217.23"
--- a/hosts/fw/modules/foundry-vtt.nix
+++ b/hosts/fw/modules/foundry-vtt.nix
@@ -35,7 +35,7 @@ in {
        hostName = "foundry-vtt";
        useHostResolvConf = false;
        defaultGateway = {
-          address = "${hostConfig.networkPrefix}.97.1";
+          address = "${hostConfig.networkPrefix}.96.1";
          interface = "eth0";
        };
        nameservers = [ "${hostConfig.networkPrefix}.97.1" ];
--- a/hosts/fw/modules/home-assistant/scenes/date.nix
+++ b/hosts/fw/modules/home-assistant/scenes/date.nix
@@ -4,6 +4,7 @@
    scene = [
      {
        name = "Date Night";
+        icon = "mdi:heart";
        entities = {
          "light.livingroom_showcase" = {
            state     = "on";
--- a/hosts/fw/modules/phpldapadmin.nix
+++ b/hosts/fw/modules/phpldapadmin.nix
@@ -0,0 +1,40 @@
+{ config, pkgs, ... }:
+
+{
+  virtualisation.oci-containers.backend = "podman";
+  virtualisation.oci-containers.containers = {
+    phpldapadmin = {
+      image = "phpldapadmin/phpldapadmin:latest";
+      autoStart = true;
+      ports = [
+        "80:8087/tcp"
+      ];
+      environmentFiles = [
+        config.sops.secrets.phpldapadmin.path
+      ];
+    };
+  };
+
+  systemd.timers."restart-phpldapadmin" = {
+    wantedBy = [ "timers.target" ];
+      timerConfig = {
+        OnCalendar = "*-*-* 3:00:00";
+        Unit = "restart-phpldapadmin.service";
+      };
+  };
+
+  systemd.services."restart-phpldapadmin" = {
+    script = ''
+      set -eu
+      if ${pkgs.systemd}/bin/systemctl is-active --quiet podman-phpldapadmin.service; then
+          ${pkgs.systemd}/bin/systemctl restart podman-phpldapadmin.service
+      fi
+    '';
+    serviceConfig = {
+      Type = "oneshot";
+      User = "root";
+    };
+  };
+
+  sops.secrets.phpldapadmin = {};
+}
--- a/hosts/fw/modules/web/default.nix
+++ b/hosts/fw/modules/web/default.nix
@@ -54,7 +54,7 @@ in {
          ../../utils/modules/lego/lego.nix
          # ../../utils/modules/borgbackup.nix

-          # ./phpldapadmin.nix
+          ./phpldapadmin.nix
          ./zammad.nix
          ./proxies.nix
          ./matrix.nix
--- a/hosts/fw/modules/web/phpldapadmin.nix
+++ b/hosts/fw/modules/web/phpldapadmin.nix
@@ -2,94 +2,51 @@

 with lib;

-let
-  phpldapadmin = pkgs.callPackage ../../pkgs/phpldapadmin.nix {};
-  fpm = config.services.phpfpm.pools.phpldapadmin;
-  stateDir = "/var/lib/phpldapadmin";
-  domain = "phpldapadmin.cloonar.com";
-in
 {
-
-  users.users.phpldapadmin = {
-    description = "PHPLdapAdmin Service";
-    home = stateDir;
-    useDefaultShell = true;
-    group = "phpldapadmin";
-    isSystemUser = true;
+  virtualisation.oci-containers.backend = "podman";
+  virtualisation.oci-containers.containers = {
+    phpldapadmin = {
+      image = "phpldapadmin/phpldapadmin:latest";
+      autoStart = true;
+      ports = [
+        "8087:8080/tcp"
+      ];
+      environmentFiles = [
+        config.sops.secrets.phpldapadmin.path
+      ];
+    };
  };

-  users.groups.phpldapadmin = { };
-
-  sops.secrets.phpldapadmin.owner = "phpldapadmin";
-
-  environment.etc."phpldapadmin/env".source = config.sops.secrets.phpldapadmin.path;
-
-  services.nginx = {
-    enable = true;
-    virtualHosts = {
-      "${domain}" = {
-        forceSSL = true;
-        enableACME = true;
-        acmeRoot = null;
-        root = stateDir;
-        locations."/" = {
-          root = "${phpldapadmin}/public";
-          index = "index.php";
-          extraConfig = ''
-            location ~* \.php(/|$) {
-              fastcgi_split_path_info ^(.+\.php)(/.+)$;
-              fastcgi_pass unix:${fpm.socket};
-
-              fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-              fastcgi_param PATH_INFO       $fastcgi_path_info;
-
-              include ${pkgs.nginx}/conf/fastcgi_params;
-              include ${pkgs.nginx}/conf/fastcgi.conf;
-            }
-          '';
-        };
+  systemd.timers."restart-phpldapadmin" = {
+    wantedBy = [ "timers.target" ];
+      timerConfig = {
+        OnCalendar = "*-*-* 3:00:00";
+        Unit = "restart-phpldapadmin.service";
      };
+  };
+
+  services.nginx.virtualHosts."pla.cloonar.com" = {
+    forceSSL = true;
+    enableACME = true;
+    acmeRoot = null;
+    locations."/" = {
+      proxyPass = "http://localhost:8087";
+      proxyWebsockets = true;
    };
  };

-  environment.etc.nginx_allowed_groups = {
-    text = "employees";
-    mode = "0444";
-  };
-
-  security.pam.services.nginx.text = ''
-    # auth    required     pam_listfile.so \
-    #                      item=group sense=allow onerr=fail file=/etc/nginx_allowed_groups
-    auth    required     ${pkgs.nss_pam_ldapd}/lib/security/pam_ldap.so
-    account required     ${pkgs.nss_pam_ldapd}/lib/security/pam_ldap.so
-  '';
-  
-  services.phpfpm.pools.phpldapadmin = {
-    user = "phpldapadmin";
-    phpOptions = ''
-      error_log = 'stderr'
-      log_errors = on
+  systemd.services."restart-phpldapadmin" = {
+    script = ''
+      set -eu
+      if ${pkgs.systemd}/bin/systemctl is-active --quiet podman-phpldapadmin.service; then
+          ${pkgs.systemd}/bin/systemctl restart podman-phpldapadmin.service
+      fi
    '';
-    settings = mapAttrs (name: mkDefault) {
-      "listen.owner" = "nginx";
-      "listen.group" = "nginx";
-      "listen.mode" = "0660";
-      "pm" = "dynamic";
-      "pm.max_children" = 75;
-      "pm.start_servers" = 2;
-      "pm.min_spare_servers" = 1;
-      "pm.max_spare_servers" = 20;
-      "pm.max_requests" = 500;
-      "catch_workers_output" = true;
+    serviceConfig = {
+      Type = "oneshot";
+      User = "root";
    };
-    phpEnv."PATH" = pkgs.lib.makeBinPath [
-      pkgs.which
-      phpldapadmin
-    ];
  };

-  systemd.tmpfiles.rules = [
-    "d '${stateDir}' 0750 phpldapadmin phpldapadmin - -"
-  ];
-
+  sops.secrets.phpldapadmin = {};
 }
--- a/hosts/fw/modules/web/secrets.yaml
+++ b/hosts/fw/modules/web/secrets.yaml
@@ -3,7 +3,7 @@ borg-ssh-key: ENC[AES256_GCM,data:b/xZnUTfi85IG1s897CBF1HD7BTswQUatbotyZfLmbhxXx
 zammad-key-base: ENC[AES256_GCM,data:HO9MuwcwjryuXr5No8sCPfso5bpLtQCoczrC/R214ecVIFwwH1uhMeNO8Tlh6EjRLPo7aVTSz87Vx5yaNVezvHCs55G6TT9mcNS/v/V7sbFz9dNIgbFblY3gFIAa4cViioYc71wdb7d4Tta7qhse5zQ41KhAqCWuGDgFErQA4Oc=,iv:b1wY8fW0psircSlNXwDjPzNWK8NyAMNqegitNcqV6U4=,tag:oQ7nyO9TKOOu6IF7ODzpPA==,type:str]
 dendrite-private-key: ENC[AES256_GCM,data:ZHDIa/iYSZGofE67JU63fHRdKbs/ZyEJY45tV6H8WZAOcduGafPYBo2NCZ7nqLbc2Z9dUUgsrpzvkQ3+VaWqFUv7YsE+CbCx4CeiLGMkj8EAGzX4rkJGHMzkkc2UT7v9znCnKACS3fZtU69trqVMcf1PzgqepOHMBku37dzpwOQC/Tc3UTuO72M=,iv:Ljun1/ruY9cDBm9vu62riUrpGjrWtFFx90GeE7uc3Yo=,tag:FF4xPb1SDhK/4ITr/idvYg==,type:str]
 matrix-shared-secret: ENC[AES256_GCM,data:HeS4PT0R+TRU6Htwa5TChjK1VAjAdgSS8tSnva+ga3f+mEfJPTQ02pEvS2WFvcnchmEjNYy39zL/rbtX,iv:4yR+VgdJY3VcvLg18v+5jbJDSkFzaeyLNAZ0k8ivjdQ=,tag:RA96iSFDUdlXq30c/vkvpA==,type:str]
-phpldapadmin: ENC[AES256_GCM,data:CJBFQfi0qJmPQcxPcneHcXFsIku0a+xdv7rmrKzC0XsBcn3N/dP8cGBbkC/GcH2OWBhRWFNFm0GOEALbJa/1z/hFxbxn1QJlfglglaXHNjiwJqND51GmNzd+5GJ39RHR7w06fVABgCrDM60DChJLy0Iql/eCITYhZUGpoLd4I+fKXy9zggVIzAA3tTYziJNuaBQuMe/i8V8AIt0DBefrEBITyl3wi/+Y4utLXiEUPOWPGCYfS+Xp7LcHiTJ2rZzwKJjYPiPs+7UYx2IsT2+ksJtSHR0+ibUHXNzebBTmAZ3+YBoyeBvdw2VmsgJeCUTC2SLnBAsR4J3AoSDQcZ0XrHq2oIzZC/Mf5g==,iv:iHx495CM8LHqrsiNPwzFXZQxWJZ5kCgWYvgwirjy7Uw=,tag:c7FvYuYzYjqH/Bqs7FbMzA==,type:str]
+phpldapadmin: ENC[AES256_GCM,data:bAc0KJibudGod9isX/A9vQApAwT6vMFJq3JL0RwP+mMfGDXhw0TwnB1Sg+DR9khDb9iilII+mDzkS3PacLJwrNe/ZS9Vy8as/9f5uMHQTUlqk6vK7ElQiknsda9dcOQrr3cZNT13CAAEuYxPEeWcLaLf1s/XxcKdTDgKHy9w+KnOuEqShEYjFskRq8wQvixicwVI9n0rSSc0oRwSmCmTh8//VI8MGkyaXrQLVrxBz8nSFVuMx32YuEuALndmYh92gkSX50UFagyiwjmGIt2bpisRq8JibIf82F9gqc7FDSQqwIknP43N/Jc=,iv:MU92wZQn6mzLalbtulC08DZ7asxR5kQZnf0IV3sB09E=,tag:Qpj/JhoYT1VIMhn0KhaW6A==,type:str]
 sops:
    age:
        - recipient: age14grjcxaq4h55yfnjxvnqhtswxhj9sfdcvyas4lwvpa8py27pjy2sv3g6v7
@@ -42,7 +42,7 @@ sops:
            WDdHb1I5dVFCcHJ0ejVhOXFIb1pKRlUKkCS05OVL7xvkZ1oh16GTCnateuXao9ZK
            6sMZ7/c9tafLH52psnjeUEJK15Bw8DihFjFctyIh242j8TtXXqxBYg==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-06-10T11:35:59Z"
-    mac: ENC[AES256_GCM,data:1r8IFSyvVmwSR9j9DROAbN6GmnQo8cg+Z1wCvg2hv/lql5FbeLgFUvVHYQvPGJK6cRUTM+7T010AZOZSWKJM2K3KqiinWLdVVM1G1Bvhv8T4epL2RHq65OgMd5jJFrMLYoyJmHUp3AkzlPeYJDtrvxGCB5B88H1L+ifZtV0pKJQ=,iv:uOnWxuPiPJkmc+wBf4EYihTLeugcyM4MX4AkYncfAFg=,tag:HWHGROye6YMR/cLm/C2G1Q==,type:str]
+    lastmodified: "2025-07-07T12:53:46Z"
+    mac: ENC[AES256_GCM,data:dPvsaQ1xx+k4onugBVZhm2Pb97cX1f3qf5j68dqBmv585HwnS96eaOxvr/8JFnYejAoP3CPBGlM2sPnzJ5ic3UyGsyDvxX2oCnpioA/WQV/Itrx3U7r0oeT0kpvQ9YjfTYZIa4DNM3W7Qi3Efw3tskNJmLztBpzrajizTwB6oPE=,iv:LaBKX3M0piBpfPVtM4/21UMxi5eLHmMka8NVOvmS84o=,tag:lggS7bHmnK3nhCtsgzF+dw==,type:str]
    unencrypted_suffix: _unencrypted
    version: 3.10.2