2024-10-16 20:24:40 +02:00
parent b7bfb0f62a
commit c681eb3139
110 changed files with 2924 additions and 720 deletions


@@ -3,6 +3,7 @@
# Also see https://github.com/Mic92/dotfiles/blob/master/nixos/.sops.yaml # Also see https://github.com/Mic92/dotfiles/blob/master/nixos/.sops.yaml
# for a more complex example. # for a more complex example.
keys: keys:
- &bitwarden age14grjcxaq4h55yfnjxvnqhtswxhj9sfdcvyas4lwvpa8py27pjy2sv3g6v7 # nixos age key
- &dominik age16veg3fmvpfm7a89a9fc8dvvsxmsthlm70nfxqspr6t8vnf9wkcwsvdq38d - &dominik age16veg3fmvpfm7a89a9fc8dvvsxmsthlm70nfxqspr6t8vnf9wkcwsvdq38d
- &dominik2 age1v6p8dan2t3w9h94fz4flldl32082j3s9x6zqq7u5j66keth9aphsd6pvch - &dominik2 age1v6p8dan2t3w9h94fz4flldl32082j3s9x6zqq7u5j66keth9aphsd6pvch
- &git-server age106n5n3rrrss45eqqzz8pq90la3kqdtnw63uw0sfa2mahk5xpe30sxs5x58 - &git-server age106n5n3rrrss45eqqzz8pq90la3kqdtnw63uw0sfa2mahk5xpe30sxs5x58
@@ -14,56 +15,80 @@ keys:
- &testmodules age1zkzpnfeakyvg3fqtyay32sushjx2hqe28y6hs6ss7plemzqjqa5s6s5yu3 - &testmodules age1zkzpnfeakyvg3fqtyay32sushjx2hqe28y6hs6ss7plemzqjqa5s6s5yu3
- &ldap-server-arm age1jyeppc8yl2twnv8fwcewutd5gjewnxl59lmhev6ygds9qel8zf8syt7zz4 - &ldap-server-arm age1jyeppc8yl2twnv8fwcewutd5gjewnxl59lmhev6ygds9qel8zf8syt7zz4
- &fw age1wq82xjyj80htz33x7agxddjfumr3wkwh3r24tasagepxw7ka893sau68df - &fw age1wq82xjyj80htz33x7agxddjfumr3wkwh3r24tasagepxw7ka893sau68df
- &fw-new age12msc2c6drsaw0yk2hjlaw0q0lyq0emjx5e8rq7qc7ql689k593kqfmhss2
- &netboot age14uarclad0ty5supc8ep09793xrnwkv8a4h9j0fq8d8lc92n2dadqkf64vw - &netboot age14uarclad0ty5supc8ep09793xrnwkv8a4h9j0fq8d8lc92n2dadqkf64vw
creation_rules: creation_rules:
- path_regex: ^[^/]+\.yaml$ - path_regex: ^[^/]+\.yaml$
key_groups: key_groups:
- age: - age:
- *bitwarden
- *dominik - *dominik
- *dominik2 - *dominik2
- path_regex: hosts/nb-01.cloonar.com/[^/]+\.yaml$ - path_regex: hosts/nb-01.cloonar.com/[^/]+\.yaml$
key_groups: key_groups:
- age: - age:
- *bitwarden
- *dominik - *dominik
- *dominik2 - *dominik2
- path_regex: hosts/nb-new.cloonar.com/[^/]+\.yaml$ - path_regex: hosts/nb-new.cloonar.com/[^/]+\.yaml$
key_groups: key_groups:
- age: - age:
- *bitwarden
- *dominik - *dominik
- *dominik2 - *dominik2
- path_regex: hosts/fw.cloonar.com/[^/]+\.yaml$ - path_regex: hosts/fw.cloonar.com/[^/]+\.yaml$
key_groups: key_groups:
- age: - age:
- *bitwarden
- *dominik - *dominik
- *dominik2 - *dominik2
- *fw - *fw
- path_regex: hosts/fw-new/[^/]+\.yaml$
key_groups:
- age:
- *bitwarden
- *dominik
- *dominik2
- *fw-new
- path_regex: hosts/fw.cloonar.com/modules/web/[^/]+\.yaml$ - path_regex: hosts/fw.cloonar.com/modules/web/[^/]+\.yaml$
key_groups: key_groups:
- age: - age:
- *bitwarden
- *dominik - *dominik
- *web-02 - *web-02
- path_regex: hosts/web-01.cloonar.com/[^/]+\.yaml$ - path_regex: hosts/web-01.cloonar.com/[^/]+\.yaml$
key_groups: key_groups:
- age: - age:
- *bitwarden
- *dominik - *dominik
- *dominik2 - *dominik2
- *web-01-server - *web-01-server
- path_regex: hosts/web-arm/[^/]+\.yaml$ - path_regex: hosts/web-arm/[^/]+\.yaml$
key_groups: key_groups:
- age: - age:
- *bitwarden
- *dominik - *dominik
- *dominik2 - *dominik2
- *web-arm - *web-arm
- path_regex: hosts/mail.cloonar.com/[^/]+\.yaml$ - path_regex: hosts/mail.cloonar.com/[^/]+\.yaml$
key_groups: key_groups:
- age: - age:
- *bitwarden
- *dominik - *dominik
- *dominik2 - *dominik2
- *ldap-server-arm - *ldap-server-arm
- *ldap-server-test - *ldap-server-test
- path_regex: hosts/mail.social-grow.tech/[^/]+\.yaml$
key_groups:
- age:
- *bitwarden
- *dominik
- *dominik2
- *mail.social-grow.tech
- path_regex: utils/modules/lego/[^/]+\.yaml$ - path_regex: utils/modules/lego/[^/]+\.yaml$
key_groups: key_groups:
- age: - age:
- *bitwarden
- *dominik - *dominik
- *dominik2 - *dominik2
- *git-server - *git-server
@@ -76,27 +101,32 @@ creation_rules:
- *testmodules - *testmodules
- *netboot - *netboot
- *fw - *fw
- *fw-new
- path_regex: hosts/web-01.cloonar.com/modules/bitwarden/[^/]+\.yaml$ - path_regex: hosts/web-01.cloonar.com/modules/bitwarden/[^/]+\.yaml$
key_groups: key_groups:
- age: - age:
- *bitwarden
- *dominik - *dominik
- *dominik2 - *dominik2
- *web-01-server - *web-01-server
- path_regex: hosts/web-01.cloonar.com/modules/zammad/[^/]+\.yaml$ - path_regex: hosts/web-01.cloonar.com/modules/zammad/[^/]+\.yaml$
key_groups: key_groups:
- age: - age:
- *bitwarden
- *dominik - *dominik
- *dominik2 - *dominik2
- *web-01-server - *web-01-server
- path_regex: utils/modules/plausible/[^/]+\.yaml$ - path_regex: utils/modules/plausible/[^/]+\.yaml$
key_groups: key_groups:
- age: - age:
- *bitwarden
- *dominik - *dominik
- *dominik2 - *dominik2
- *web-01-server - *web-01-server
- path_regex: utils/modules/promtail/[^/]+\.yaml$ - path_regex: utils/modules/promtail/[^/]+\.yaml$
key_groups: key_groups:
- age: - age:
- *bitwarden
- *dominik - *dominik
- *dominik2 - *dominik2
- *git-server - *git-server
@@ -108,9 +138,11 @@ creation_rules:
- *testmodules - *testmodules
- *netboot - *netboot
- *fw - *fw
- *fw-new
- path_regex: utils/modules/victoriametrics/[^/]+\.yaml$ - path_regex: utils/modules/victoriametrics/[^/]+\.yaml$
key_groups: key_groups:
- age: - age:
- *bitwarden
- *dominik - *dominik
- *dominik2 - *dominik2
- *git-server - *git-server
@@ -122,3 +154,4 @@ creation_rules:
- *testmodules - *testmodules
- *netboot - *netboot
- *fw - *fw
- *fw-new
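Review bot: Adding `*bitwarden` to every `key_groups` list (and the new `&bitwarden` key in the first hunk) only affects files encrypted from now on; every existing `secrets.yaml` matched by these rules still carries the old recipient set and must be re-keyed (`sops updatekeys <file>`) before the new key can decrypt it, and that re-encryption is not part of this commit. The key's comment `# nixos age key` does not say whose key it is or where the private half is kept, which matters for a recipient that can now open every host's secrets; suggest a comment of the form `# <holder>'s age key, private key stored in <location>` (placeholders). A note on why this single key belongs in the host-specific groups as well as the top-level one would also help the next person reviewing the blast radius.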

fömi-tool.md Normal file

@@ -0,0 +1 @@
dialogmail löscht personen die in keiner gruppe sind nach 2 wochen automatisch


@@ -1,169 +0,0 @@
{ nixpkgs, pkgs, ... }: let
hostname = "git-02";
json = pkgs.formats.json { };
in {
microvm.vms = {
# gitea = {
# config = {
# microvm = {
# hypervisor = "cloud-hypervisor";
# shares = [
# {
# source = "/nix/store";
# mountPoint = "/nix/.ro-store";
# tag = "ro-store";
# proto = "virtiofs";
# }
# {
# source = "/var/lib/acme/git.cloonar.com";
# mountPoint = "/var/lib/acme/${hostname}.cloonar.com";
# tag = "ro-cert";
# proto = "virtiofs";
# }
# ];
# interfaces = [
# {
# type = "tap";
# id = "vm-${hostname}";
# mac = "02:00:00:00:00:01";
# }
# ];
# };
#
# imports = [
# ../fleet.nix
# ];
#
# environment.systemPackages = with pkgs; [
# vim # my preferred editor
# ];
#
# networking = {
# hostName = hostname;
# firewall = {
# enable = true;
# allowedTCPPorts = [ 22 80 443 ];
# };
# };
#
# services.nginx.enable = true;
# services.nginx.virtualHosts."${hostname}.cloonar.com" = {
# sslCertificate = "/var/lib/acme/${hostname}.cloonar.com/fullchain.pem";
# sslCertificateKey = "/var/lib/acme/${hostname}.cloonar.com/key.pem";
# sslTrustedCertificate = "/var/lib/acme/${hostname}.cloonar.com/chain.pem";
# forceSSL = true;
# locations."/" = {
# proxyPass = "http://localhost:3001/";
# };
# };
#
# services.gitea = {
# enable = true;
# appName = "Cloonar Gitea server"; # Give the site a name
# settings = {
# server = {
# ROOT_URL = "https://${hostname}.cloonar.com/";
# HTTP_PORT = 3001;
# DOMAIN = "${hostname}.cloonar.com";
# };
# openid = {
# ENABLE_OPENID_SIGNIN = true;
# ENABLE_OPENID_SIGNUP = true;
# WHITELISTED_URIS = "auth.cloonar.com";
# };
# service = {
# DISABLE_REGISTRATION = true;
# ALLOW_ONLY_EXTERNAL_REGISTRATION = true;
# SHOW_REGISTRATION_BUTTON = false;
# };
# actions.ENABLED=true;
# };
# };
#
# services.openssh.enable = true;
# users.users.root.openssh.authorizedKeys.keys = [
# "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDN/2SAFm50kraB1fepAizox/QRXxB7WbqVbH+5OPalDT47VIJGNKOKhixQoqhABHxEoLxdf/C83wxlCVlPV9poLfDgVkA3Lyt5r3tSFQ6QjjOJAgchWamMsxxyGBedhKvhiEzcr/Lxytnoz3kjDG8fqQJwEpdqMmJoMUfyL2Rqp16u+FQ7d5aJtwO8EUqovhMaNO7rggjPpV/uMOg+tBxxmscliN7DLuP4EMTA/FwXVzcFNbOx3K9BdpMRAaSJt4SWcJO2cS2KHA5n/H+PQI7nz5KN3Yr/upJN5fROhi/SHvK39QOx12Pv7FCuWlc+oR68vLaoCKYhnkl3DnCfc7A7"
# "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIRQuPqH5fdX3KEw7DXzWEdO3AlUn1oSmtJtHB71ICoH Generated By Termius"
# ];
#
# system.stateVersion = "22.05";
# };
# };
gitea-runner = {
config = {
microvm = {
mem = 12288;
shares = [
{
source = "/nix/store";
mountPoint = "/nix/.ro-store";
tag = "ro-store";
proto = "virtiofs";
}
{
source = "/run/secrets";
mountPoint = "/run/secrets";
tag = "ro-token";
proto = "virtiofs";
}
];
volumes = [
{
image = "rootfs.img";
mountPoint = "/";
size = 102400;
}
];
interfaces = [
{
type = "tap";
id = "vm-gitea-runner";
mac = "02:00:00:00:00:02";
}
];
};
environment.systemPackages = with pkgs; [
vim # my preferred editor
];
networking.hostName = "gitea-runner";
virtualisation.podman.enable = true;
services.gitea-actions-runner.instances.vm = {
enable = true;
url = "https://git.cloonar.com";
name = "vm";
tokenFile = "/run/secrets/gitea-runner-token";
labels = [
"ubuntu-latest:docker://shivammathur/node:latest"
];
settings = {
container = {
network = "podman";
};
};
};
services.openssh.enable = true;
users.users.root.openssh.authorizedKeys.keys = [
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDN/2SAFm50kraB1fepAizox/QRXxB7WbqVbH+5OPalDT47VIJGNKOKhixQoqhABHxEoLxdf/C83wxlCVlPV9poLfDgVkA3Lyt5r3tSFQ6QjjOJAgchWamMsxxyGBedhKvhiEzcr/Lxytnoz3kjDG8fqQJwEpdqMmJoMUfyL2Rqp16u+FQ7d5aJtwO8EUqovhMaNO7rggjPpV/uMOg+tBxxmscliN7DLuP4EMTA/FwXVzcFNbOx3K9BdpMRAaSJt4SWcJO2cS2KHA5n/H+PQI7nz5KN3Yr/upJN5fROhi/SHvK39QOx12Pv7FCuWlc+oR68vLaoCKYhnkl3DnCfc7A7"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIRQuPqH5fdX3KEw7DXzWEdO3AlUn1oSmtJtHB71ICoH Generated By Termius"
];
system.stateVersion = "22.05";
};
};
};
sops.secrets.gitea-runner-token = {};
environment = {
systemPackages = [
pkgs.qemu
pkgs.quickemu
];
};
}

hosts/fw-new/channel Normal file

@@ -0,0 +1 @@
https://channels.nixos.org/nixos-23.11
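Review bot: The new channel file pins `nixos-23.11`, a release that, as far as I know, stopped receiving security updates at the end of June 2024, i.e. before this commit's date (2024-10-16). If this file drives the automatic upgrades that `./utils/modules/autoupgrade.nix` in configuration.nix suggests, fw-new will track a frozen channel and receive no further patches. Either point it at the current stable channel or add a line explaining the pin, e.g. `# pinned to 23.11 on purpose: <reason>; revisit before cutover` (placeholder).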


@@ -1,4 +1,5 @@
{ lib, pkgs, ... }: { { lib, pkgs, ... }: {
imports = [ imports = [
./fleet.nix ./fleet.nix
./utils/bento.nix ./utils/bento.nix
@@ -9,20 +10,20 @@
./utils/modules/autoupgrade.nix ./utils/modules/autoupgrade.nix
./utils/modules/promtail ./utils/modules/promtail
./utils/modules/borgbackup.nix # ./utils/modules/borgbackup.nix
# ./utils/modules/netdata.nix # ./utils/modules/netdata.nix
# fw # fw
./modules/networking.nix ./modules/networking.nix
./modules/firewall.nix ./modules/firewall.nix
./modules/dhcp4.nix # ./modules/dhcp4.nix
./modules/unbound.nix ./modules/unbound.nix
./modules/avahi.nix ./modules/avahi.nix
./modules/openconnect.nix ./modules/openconnect.nix
./modules/wireguard.nix ./modules/wireguard.nix
./modules/podman.nix ./modules/podman.nix
./modules/omada.nix ./modules/omada.nix
./modules/ddclient.nix # ./modules/ddclient.nix
# ./modules/wol.nix # ./modules/wol.nix
# microvm # microvm
@@ -33,30 +34,26 @@
./modules/web ./modules/web
# git # git
./modules/gitea.nix # ./modules/gitea.nix
./modules/fwmetrics.nix ./modules/fwmetrics.nix
# ./modules/firefox-sync.nix # ./modules/firefox-sync.nix
# home assistant # home assistant
./modules/home-assistant ./modules/home-assistant
./modules/deconz.nix # ./modules/deconz.nix
# ./modules/mopidy.nix # ./modules/mopidy.nix
# ./modules/mosquitto.nix ./modules/mosquitto.nix
./modules/snapserver.nix ./modules/snapserver.nix
# gaming # gaming
./modules/palworld.nix # ./modules/palworld.nix
# ./modules/ark-survival-evolved.nix # ./modules/ark-survival-evolved.nix
./hardware-configuration.nix ./hardware-configuration.nix
]; ];
nixpkgs.overlays = [
(import ./utils/overlays/packages.nix)
];
nixpkgs.config.permittedInsecurePackages = [ nixpkgs.config.permittedInsecurePackages = [
"openssl-1.1.1w" "openssl-1.1.1w"
]; ];
@@ -67,13 +64,11 @@
time.timeZone = "Europe/Vienna"; time.timeZone = "Europe/Vienna";
services.logind.extraConfig = "RuntimeDirectorySize=2G";
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
sops.defaultSopsFile = ./secrets.yaml; sops.defaultSopsFile = ./secrets.yaml;
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
bento # bento
conntrack-tools # view network connection states conntrack-tools # view network connection states
ethtool # manage NIC settings (offload, NIC feeatures, ...) ethtool # manage NIC settings (offload, NIC feeatures, ...)
git git
@@ -89,36 +84,15 @@
options = "--delete-older-than 60d"; options = "--delete-older-than 60d";
}; };
services.auto-cpufreq.enable = true; # services.auto-cpufreq.enable = true;
services.auto-cpufreq.settings = { # services.auto-cpufreq.settings = {
charger = { # charger = {
governor = "powersave"; # governor = "powersave";
turbo = "auto"; # turbo = "auto";
}; # };
}; # };
boot = { # zramSwap.enable = true;
kernelPackages = pkgs.linuxPackagesFor (pkgs.callPackage ./pkgs/kernel/vendor.nix {});
# kernelParams copy from Armbian's /boot/armbianEnv.txt & /boot/boot.cmd
kernelParams = [
"rootwait"
"earlycon" # enable early console, so we can see the boot messages via serial port / HDMI
"consoleblank=0" # disable console blanking(screen saver)
"console=ttyS2,1500000" # serial port
"console=tty1" # HDMI
# docker optimizations
"cgroup_enable=cpuset"
"cgroup_memory=1"
"cgroup_enable=memory"
"swapaccount=1"
];
};
boot.tmp.cleanOnBoot = true;
zramSwap.enable = true;
networking.hostName = "fw-new"; networking.hostName = "fw-new";
services.openssh.enable = true; services.openssh.enable = true;
users.users.root.openssh.authorizedKeys.keys = [ users.users.root.openssh.authorizedKeys.keys = [
@@ -126,8 +100,10 @@
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIRQuPqH5fdX3KEw7DXzWEdO3AlUn1oSmtJtHB71ICoH Generated By Termius" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIRQuPqH5fdX3KEw7DXzWEdO3AlUn1oSmtJtHB71ICoH Generated By Termius"
]; ];
services.logind.extraConfig = "RuntimeDirectorySize=8G";
# backups # backups
borgbackup.repo = "u149513-sub2@u149513-sub2.your-backup.de:borg"; # borgbackup.repo = "u149513-sub2@u149513-sub2.your-backup.de:borg";
system.stateVersion = "23.11"; system.stateVersion = "23.11";
} }
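Review bot: With `./utils/modules/borgbackup.nix` commented out of `imports` and `borgbackup.repo` commented out under the `# backups` heading, fw-new has no backup configured at all, yet the heading stays and nothing says whether this is temporary; suggest `# backups — disabled on fw-new for now (<reason>); re-enable before this host replaces fw` (placeholder) next to the commented repo line. `boot.tmp.cleanOnBoot = true;` and `zramSwap.enable = true;` are removed from the old boot block; zram survives as a comment (`# zramSwap.enable = true;`) but `tmp.cleanOnBoot` disappears without a replacement on the new side, and the hardware-configuration.nix hunk in this commit does not carry it either, so /tmp is no longer cleared on reboot unless it is set somewhere not shown — confirm. The attribute set these hunks belong to starts before the first hunk and is only partially visible.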


@@ -4,19 +4,19 @@
{ config, lib, pkgs, modulesPath, ... }: { config, lib, pkgs, modulesPath, ... }:
{ {
imports = powerManagement.cpuFreqGovernor = lib.mkDefault "ondemand";
[ (modulesPath + "/installer/scan/not-detected.nix")
];
boot = { boot = {
loader.systemd-boot.enable = true;
loader.efi.canTouchEfiVariables = true;
kernelPackages = pkgs.linuxPackagesFor (pkgs.callPackage ./pkgs/kernel/vendor.nix {});
kernel.sysctl = {
"kernel.printk" = "1 4 1 7";
};
supportedFilesystems = lib.mkForce [ "vfat" "fat32" "exfat" "ext4" "btrfs" ]; supportedFilesystems = lib.mkForce [ "vfat" "fat32" "exfat" "ext4" "btrfs" ];
initrd.includeDefaultModules = lib.mkForce false; initrd.includeDefaultModules = lib.mkForce false;
initrd.availableKernelModules = lib.mkForce [ "nvme" "mmc_block" "usbhid" "hid" "input_leds" ]; initrd.availableKernelModules = lib.mkForce [ "nvme" "mmc_block" "hid" "dm_mod" "dm_crypt" "input_leds" ];
initrd.kernelModules = [ ];
kernelModules = [ ];
extraModulePackages = [ ];
kernelPackages = pkgs.linuxPackagesFor (pkgs.callPackage ./pkgs/kernel/vendor.nix {});
# kernelParams copy from Armbian's /boot/armbianEnv.txt & /boot/boot.cmd # kernelParams copy from Armbian's /boot/armbianEnv.txt & /boot/boot.cmd
kernelParams = [ kernelParams = [
@@ -43,7 +43,7 @@
]; ];
}; };
enableRedistributableFirmware = true; enableRedistributableFirmware = lib.mkForce true;
firmware = [ firmware = [
(pkgs.callPackage ./pkgs/orangepi-firmware {}) (pkgs.callPackage ./pkgs/orangepi-firmware {})
]; ];
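Review bot: `initrd.availableKernelModules` gains `dm_mod` and `dm_crypt` but drops `usbhid`; if the root filesystem is LUKS-encrypted and the passphrase is entered on a USB keyboard at boot, the initrd will have no USB HID transport driver (`hid` alone is not enough) and the prompt cannot be answered — confirm the input path or keep `"usbhid"` in the list. The `loader.systemd-boot.enable`/`loader.efi.canTouchEfiVariables` lines, the `kernel.sysctl` printk setting and the `not-detected.nix` import are removed with no visible replacement; if the bootloader is now provided by the vendor kernel/board setup, a one-line comment such as `# bootloader: provided by <module/file>` (placeholder) would save the next reader a search. The `boot` block continues past the end of the first hunk.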


@@ -13,6 +13,7 @@
"vpn.cloonar.com" "vpn.cloonar.com"
"git.cloonar.com" "git.cloonar.com"
"palworld.cloonar.com" "palworld.cloonar.com"
"matrix.cloonar.com"
]; ];
}; };


@@ -23,15 +23,15 @@
{ {
pools = [ pools = [
{ {
pool = "10.42.96.100 - 10.42.96.240"; pool = "10.42.112.100 - 10.42.112.240";
} }
]; ];
subnet = "10.42.96.0/24"; subnet = "10.42.112.0/24";
interface = "lan"; interface = "lan";
option-data = [ option-data = [
{ {
name = "routers"; name = "routers";
data = "10.42.96.1"; data = "10.42.112.1";
} }
{ {
name = "domain-name"; name = "domain-name";
@@ -43,18 +43,18 @@
} }
{ {
name = "domain-name-servers"; name = "domain-name-servers";
data = "10.42.96.1"; data = "10.42.112.1";
} }
]; ];
reservations = [ reservations = [
{ {
hw-address = "04:7c:16:d5:63:5e"; hw-address = "04:7c:16:d5:63:5e";
ip-address = "10.42.96.5"; ip-address = "10.42.112.5";
server-hostname = "omada.cloonar.com"; server-hostname = "omada.cloonar.com";
} }
{ {
hw-address = "30:05:5c:56:62:37"; hw-address = "30:05:5c:56:62:37";
ip-address = "10.42.96.100"; ip-address = "10.42.112.100";
server-hostname = "brn30055c566237.cloonar.com"; server-hostname = "brn30055c566237.cloonar.com";
} }
]; ];
@@ -62,15 +62,15 @@
{ {
pools = [ pools = [
{ {
pool = "10.42.97.100 - 10.42.97.240"; pool = "10.42.113.100 - 10.42.113.240";
} }
]; ];
subnet = "10.42.97.0/24"; subnet = "10.42.113.0/24";
interface = "server"; interface = "server";
option-data = [ option-data = [
{ {
name = "routers"; name = "routers";
data = "10.42.97.1"; data = "10.42.113.1";
} }
{ {
name = "domain-name"; name = "domain-name";
@@ -78,33 +78,33 @@
} }
{ {
name = "domain-name-servers"; name = "domain-name-servers";
data = "10.42.97.1"; data = "10.42.113.1";
} }
]; ];
reservations = [ reservations = [
{ {
hw-address = "1a:c4:04:6e:29:bd"; hw-address = "1a:c4:04:6e:29:bd";
ip-address = "10.42.97.2"; ip-address = "10.42.113.2";
server-hostname = "omada.cloonar.com"; server-hostname = "omada.cloonar.com";
} }
{ {
hw-address = "02:00:00:00:00:03"; hw-address = "02:00:00:00:00:03";
ip-address = "10.42.97.5"; ip-address = "10.42.113.5";
server-hostname = "web-02.cloonar.com"; server-hostname = "web-02.cloonar.com";
} }
{ {
hw-address = "ea:db:d4:c1:18:ba"; hw-address = "ea:db:d4:c1:18:ba";
ip-address = "10.42.97.50"; ip-address = "10.42.113.50";
server-hostname = "git.cloonar.com"; server-hostname = "git.cloonar.com";
} }
{ {
hw-address = "c2:4f:64:dd:13:0c"; hw-address = "c2:4f:64:dd:13:0c";
ip-address = "10.42.97.20"; ip-address = "10.42.113.20";
server-hostname = "home-assistant.cloonar.com"; server-hostname = "home-assistant.cloonar.com";
} }
{ {
hw-address = "1a:c4:04:6e:29:02"; hw-address = "1a:c4:04:6e:29:02";
ip-address = "10.42.97.25"; ip-address = "10.42.113.25";
server-hostname = "deconz.cloonar.com"; server-hostname = "deconz.cloonar.com";
} }
]; ];
@@ -112,15 +112,15 @@
{ {
pools = [ pools = [
{ {
pool = "10.42.101.100 - 10.42.101.240"; pool = "10.42.117.100 - 10.42.117.240";
} }
]; ];
subnet = "10.42.101.0/24"; subnet = "10.42.117.0/24";
interface = "infrastructure"; interface = "infrastructure";
option-data = [ option-data = [
{ {
name = "routers"; name = "routers";
data = "10.42.101.1"; data = "10.42.117.1";
} }
{ {
name = "domain-name"; name = "domain-name";
@@ -128,12 +128,12 @@
} }
{ {
name = "domain-name-servers"; name = "domain-name-servers";
data = "10.42.101.1"; data = "10.42.117.1";
} }
{ {
name = "capwap-ac-v4"; name = "capwap-ac-v4";
code = 138; code = 138;
data = "10.42.97.2"; data = "10.42.117.2";
} }
]; ];
reservations = [ reservations = [
@@ -142,15 +142,15 @@
{ {
pools = [ pools = [
{ {
pool = "10.42.99.100 - 10.42.99.240"; pool = "10.42.115.100 - 10.42.115.240";
} }
]; ];
subnet = "10.42.99.0/24"; subnet = "10.42.115.0/24";
interface = "multimedia"; interface = "multimedia";
option-data = [ option-data = [
{ {
name = "routers"; name = "routers";
data = "10.42.99.1"; data = "10.42.115.1";
} }
{ {
name = "domain-name"; name = "domain-name";
@@ -158,43 +158,43 @@
} }
{ {
name = "domain-name-servers"; name = "domain-name-servers";
data = "10.42.99.1"; data = "10.42.115.1";
} }
]; ];
reservations = [ reservations = [
{ {
hw-address = "c4:a7:2b:c7:ea:30"; hw-address = "c4:a7:2b:c7:ea:30";
ip-address = "10.42.99.10"; ip-address = "10.42.115.10";
hostname = "metz.cloonar.multimedia"; hostname = "metz.cloonar.multimedia";
} }
{ {
hw-address = "f0:2f:9e:d4:3b:21"; hw-address = "f0:2f:9e:d4:3b:21";
ip-address = "10.42.99.11"; ip-address = "10.42.115.11";
hostname = "firetv-living"; hostname = "firetv-living";
} }
{ {
hw-address = "bc:33:29:ed:24:f0"; hw-address = "bc:33:29:ed:24:f0";
ip-address = "10.42.99.12"; ip-address = "10.42.115.12";
hostname = "ps5"; hostname = "ps5";
} }
{ {
hw-address = "e4:2a:ac:32:3f:79"; hw-address = "e4:2a:ac:32:3f:79";
ip-address = "10.42.99.13"; ip-address = "10.42.115.13";
hostname = "xbox"; hostname = "xbox";
} }
{ {
hw-address = "98:b6:e9:b6:ef:f4"; hw-address = "98:b6:e9:b6:ef:f4";
ip-address = "10.42.99.14"; ip-address = "10.42.115.14";
hostname = "switch"; hostname = "switch";
} }
{ {
hw-address = "f0:2f:9e:c1:74:72"; hw-address = "f0:2f:9e:c1:74:72";
ip-address = "10.42.99.21"; ip-address = "10.42.115.21";
hostname = "firetv-bedroom"; hostname = "firetv-bedroom";
} }
{ {
hw-address = "30:05:5c:56:62:37"; hw-address = "30:05:5c:56:62:37";
ip-address = "10.42.99.100"; ip-address = "10.42.115.100";
server-hostname = "brn30055c566237"; server-hostname = "brn30055c566237";
} }
]; ];
@@ -202,15 +202,15 @@
{ {
pools = [ pools = [
{ {
pool = "10.42.254.10 - 10.42.254.254"; pool = "10.42.127.10 - 10.42.127.254";
} }
]; ];
subnet = "10.42.254.0/24"; subnet = "10.42.127.0/24";
interface = "guest"; interface = "guest";
option-data = [ option-data = [
{ {
name = "routers"; name = "routers";
data = "10.42.254.1"; data = "10.42.127.1";
} }
{ {
name = "domain-name-servers"; name = "domain-name-servers";
@@ -221,15 +221,15 @@
{ {
pools = [ pools = [
{ {
pool = "10.42.100.100 - 10.42.100.240"; pool = "10.42.116.100 - 10.42.116.240";
} }
]; ];
subnet = "10.42.100.0/24"; subnet = "10.42.116.0/24";
interface = "smart"; interface = "smart";
option-data = [ option-data = [
{ {
name = "routers"; name = "routers";
data = "10.42.100.1"; data = "10.42.116.1";
} }
{ {
name = "domain-name"; name = "domain-name";
@@ -237,7 +237,7 @@
} }
{ {
name = "domain-name-servers"; name = "domain-name-servers";
data = "10.42.100.1"; data = "10.42.116.1";
} }
]; ];
reservations = [ reservations = [
@@ -282,89 +282,89 @@
{ {
hw-address = "60:a4:23:97:4a:ec"; hw-address = "60:a4:23:97:4a:ec";
ip-address = "10.42.100.21"; ip-address = "10.42.116.21";
server-hostname = "shellymotionsensor-60A423974AEC"; server-hostname = "shellymotionsensor-60A423974AEC";
} }
{ {
hw-address = "8c:aa:b5:61:6f:e2"; hw-address = "8c:aa:b5:61:6f:e2";
ip-address = "10.42.100.103"; ip-address = "10.42.116.103";
server-hostname = "ShellyBulbDuo-8CAAB5616FE2"; server-hostname = "ShellyBulbDuo-8CAAB5616FE2";
} }
{ {
hw-address = "8c:aa:b5:61:6e:9e"; hw-address = "8c:aa:b5:61:6e:9e";
ip-address = "10.42.100.104"; ip-address = "10.42.116.104";
server-hostname = "ShellyBulbDuo-8CAAB5616E9E"; server-hostname = "ShellyBulbDuo-8CAAB5616E9E";
} }
{ {
hw-address = "cc:50:e3:bc:27:64"; hw-address = "cc:50:e3:bc:27:64";
ip-address = "10.42.100.112"; ip-address = "10.42.116.112";
server-hostname = "Nuki_Bridge_1A753F72"; server-hostname = "Nuki_Bridge_1A753F72";
} }
{ {
hw-address = "e8:db:84:a9:ea:be"; hw-address = "e8:db:84:a9:ea:be";
ip-address = "10.42.100.117"; ip-address = "10.42.116.117";
server-hostname = "ShellyBulbDuo-E8DB84A9EABE"; server-hostname = "ShellyBulbDuo-E8DB84A9EABE";
} }
{ {
hw-address = "e8:db:84:a9:d1:8b"; hw-address = "e8:db:84:a9:d1:8b";
ip-address = "10.42.100.119"; ip-address = "10.42.116.119";
server-hostname = "shellycolorbulb-E8DB84A9D18B"; server-hostname = "shellycolorbulb-E8DB84A9D18B";
} }
{ {
hw-address = "3c:61:05:e5:96:e0"; hw-address = "3c:61:05:e5:96:e0";
ip-address = "10.42.100.120"; ip-address = "10.42.116.120";
server-hostname = "shellycolorbulb-3C6105E596E0"; server-hostname = "shellycolorbulb-3C6105E596E0";
} }
{ {
hw-address = "e8:db:84:a9:d7:ef"; hw-address = "e8:db:84:a9:d7:ef";
ip-address = "10.42.100.121"; ip-address = "10.42.116.121";
server-hostname = "shellycolorbulb-E8DB84A9D7EF"; server-hostname = "shellycolorbulb-E8DB84A9D7EF";
} }
{ {
hw-address = "e8:db:84:aa:51:aa"; hw-address = "e8:db:84:aa:51:aa";
ip-address = "10.42.100.122"; ip-address = "10.42.116.122";
server-hostname = "shellycolorbulb-E8DB84AA51AA"; server-hostname = "shellycolorbulb-E8DB84AA51AA";
} }
{ {
hw-address = "34:94:54:79:bc:57"; hw-address = "34:94:54:79:bc:57";
ip-address = "10.42.100.130"; ip-address = "10.42.116.130";
server-hostname = "shellycolorbulb-34945479bc57"; server-hostname = "shellycolorbulb-34945479bc57";
} }
{ {
hw-address = "48:55:19:d9:a1:b2"; hw-address = "48:55:19:d9:a1:b2";
ip-address = "10.42.100.131"; ip-address = "10.42.116.131";
server-hostname = "shellycolorbulb-485519d9a1b2"; server-hostname = "shellycolorbulb-485519d9a1b2";
} }
{ {
hw-address = "48:55:19:d9:ae:95"; hw-address = "48:55:19:d9:ae:95";
ip-address = "10.42.100.132"; ip-address = "10.42.116.132";
server-hostname = "shellycolorbulb-485519d9ae95"; server-hostname = "shellycolorbulb-485519d9ae95";
} }
{ {
hw-address = "48:55:19:d9:4a:28"; hw-address = "48:55:19:d9:4a:28";
ip-address = "10.42.100.133"; ip-address = "10.42.116.133";
server-hostname = "shellycolorbulb-485519d94a28"; server-hostname = "shellycolorbulb-485519d94a28";
} }
{ {
hw-address = "48:55:19:da:6b:6a"; hw-address = "48:55:19:da:6b:6a";
ip-address = "10.42.100.134"; ip-address = "10.42.116.134";
server-hostname = "shellycolorbulb-485519da6b6a"; server-hostname = "shellycolorbulb-485519da6b6a";
} }
{ {
hw-address = "48:55:19:d9:e0:18"; hw-address = "48:55:19:d9:e0:18";
ip-address = "10.42.100.135"; ip-address = "10.42.116.135";
server-hostname = "shellycolorbulb-485519d9e018"; server-hostname = "shellycolorbulb-485519d9e018";
} }
{ {
hw-address = "34:6f:24:f3:af:ad"; hw-address = "34:6f:24:f3:af:ad";
ip-address = "10.42.100.137"; ip-address = "10.42.116.137";
server-hostname = "daikin86604"; server-hostname = "daikin86604";
} }
{ {
hw-address = "34:6f:24:c1:f8:54"; hw-address = "34:6f:24:c1:f8:54";
ip-address = "10.42.100.139"; ip-address = "10.42.116.139";
server-hostname = "daikin53800"; server-hostname = "daikin53800";
} }
]; ];
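Review bot: The `capwap-ac-v4` option in the infrastructure subnet (`data = "10.42.117.2";` in the `@@ -128,12 +128,12 @@` hunk) no longer points at the Omada controller: the controller's reservation on the server subnet was renumbered 10.42.97.2 → 10.42.113.2, but this option went 10.42.97.2 → 10.42.117.2, an address in the infrastructure subnet with no reservation in view, so access points fetching option 138 would be handed a wrong controller address. Unless the controller really moved, the line should read `data = "10.42.113.2";`. Note also that `./modules/dhcp4.nix` is commented out of `imports` in configuration.nix in this same commit, so if this is that module the renumbering is not exercised by the build until it is re-imported.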


@@ -32,13 +32,13 @@
iifname "wan" udp dport 51820 counter accept comment "Wireguard traffic" iifname "wan" udp dport 51820 counter accept comment "Wireguard traffic"
iifname "wan" tcp dport 9273 counter accept comment "Prometheus traffic" iifname "wan" tcp dport 9273 counter accept comment "Prometheus traffic"
iifname "lan" tcp dport 5931 counter accept comment "Spice" iifname "lan" tcp dport 5931 counter accept comment "Spice"
iifname { "server", "vserver", "vm-*", "lan", "wg_cloonar" } counter accept comment "allow trusted to router" iifname { "wan", "server", "vserver", "vm-*", "lan", "wg_cloonar" } counter accept comment "allow trusted to router"
iifname { "multimedia", "smart", "infrastructure", "podman0" } udp dport { 53, 5353 } counter accept comment "DNS" iifname { "multimedia", "smart", "infrastructure", "podman0" } udp dport { 53, 5353 } counter accept comment "DNS"
iifname { "wan", "multimedia" } icmp type { echo-request, destination-unreachable, time-exceeded } counter accept comment "Allow select ICMP" iifname { "wan", "multimedia" } icmp type { echo-request, destination-unreachable, time-exceeded } counter accept comment "Allow select ICMP"
# Accept mDNS for avahi reflection # Accept mDNS for avahi reflection
iifname "server" ip saddr 10.42.97.20/32 tcp dport { llmnr } counter accept iifname "server" ip saddr 10.42.113.20/32 tcp dport { llmnr } counter accept
iifname "server" ip saddr 10.42.97.20/32 udp dport { mdns, llmnr } counter accept iifname "server" ip saddr 10.42.113.20/32 udp dport { mdns, llmnr } counter accept
# Allow all returning traffic # Allow all returning traffic
ct state { established, related } counter accept ct state { established, related } counter accept
@@ -81,15 +81,15 @@
iifname "multimedia" oifname "server" tcp dport { 1704, 1705 } counter accept iifname "multimedia" oifname "server" tcp dport { 1704, 1705 } counter accept
iifname "lan" oifname "server" udp dport { 5000, 5353, 6001 - 6011 } counter accept iifname "lan" oifname "server" udp dport { 5000, 5353, 6001 - 6011 } counter accept
# avahi # avahi
iifname "server" ip saddr 10.42.97.20/32 oifname { "lan" } counter accept iifname "server" ip saddr 10.42.113.20/32 oifname { "lan" } counter accept
# smart home coap # smart home coap
iifname "smart" oifname "server" ip daddr 10.42.97.20/32 udp dport { 5683 } counter accept iifname "smart" oifname "server" ip daddr 10.42.113.20/32 udp dport { 5683 } counter accept
iifname "smart" oifname "server" ip daddr 10.42.97.20/32 tcp dport { 1883 } counter accept iifname "smart" oifname "server" ip daddr 10.42.113.20/32 tcp dport { 1883 } counter accept
# Forward to git server # Forward to git server
oifname "server" ip daddr 10.42.97.50 tcp dport { 22 } counter accept oifname "server" ip daddr 10.42.113.50 tcp dport { 22 } counter accept
oifname "server" ip daddr 10.42.97.5 tcp dport { 80, 443 } counter accept oifname "server" ip daddr 10.42.113.5 tcp dport { 80, 443 } counter accept
# lan and vpn to any # lan and vpn to any
# TODO: disable wan when finished # TODO: disable wan when finished
@@ -101,11 +101,11 @@
# accept palword server # accept palword server
iifname { "wan", "lan" } oifname "podman0" udp dport { 8211, 27015 } counter accept comment "palworld" iifname { "wan", "lan" } oifname "podman0" udp dport { 8211, 27015 } counter accept comment "palworld"
# forward to ark server # forward to ark server
oifname "server" ip daddr 10.42.97.201 tcp dport { 27020 } counter accept comment "ark survival evolved" oifname "server" ip daddr 10.42.113.201 tcp dport { 27020 } counter accept comment "ark survival evolved"
oifname "server" ip daddr 10.42.97.201 udp dport { 7777, 7778, 27015 } counter accept comment "ark survival evolved" oifname "server" ip daddr 10.42.113.201 udp dport { 7777, 7778, 27015 } counter accept comment "ark survival evolved"
# firefox-sync # firefox-sync
oifname "server" ip daddr 10.42.97.51 tcp dport { 5000 } counter accept comment "firefox-sync" oifname "server" ip daddr 10.42.113.51 tcp dport { 5000 } counter accept comment "firefox-sync"
# allow all established, related # allow all established, related
ct state { established, related } accept comment "Allow established traffic" ct state { established, related } accept comment "Allow established traffic"
@@ -137,20 +137,20 @@
chain prerouting { chain prerouting {
type nat hook prerouting priority filter; policy accept; type nat hook prerouting priority filter; policy accept;
iifname "server" ip daddr 10.42.96.255 udp dport { 9 } dnat to 10.42.96.255 iifname "server" ip daddr 10.42.96.255 udp dport { 9 } dnat to 10.42.96.255
iifname "wan" tcp dport { 22 } dnat to 10.42.97.50 # iifname "wan" tcp dport { 22 } dnat to 10.42.113.50
iifname "wan" tcp dport { 80, 443 } dnat to 10.42.97.5 iifname "wan" tcp dport { 80, 443 } dnat to 10.42.113.5
iifname "wan" tcp dport { 5000 } dnat to 10.42.97.51 iifname "wan" tcp dport { 5000 } dnat to 10.42.113.51
iifname { "wan", "lan" } udp dport { 7777, 7778, 27015 } dnat to 10.42.97.201 iifname { "wan", "lan" } udp dport { 7777, 7778, 27015 } dnat to 10.42.113.201
iifname { "wan", "lan" } tcp dport { 27020 } dnat to 10.42.97.201 iifname { "wan", "lan" } tcp dport { 27020 } dnat to 10.42.113.201
} }
# Setup NAT masquerading on external interfaces # Setup NAT masquerading on external interfaces
chain postrouting { chain postrouting {
type nat hook postrouting priority filter; policy accept; type nat hook postrouting priority filter; policy accept;
oifname { "wan", "wg_cloonar", "wrwks", "wg_epicenter", "wg_ghetto_at" } masquerade oifname { "wan", "wg_cloonar", "wrwks", "wg_epicenter", "wg_ghetto_at" } masquerade
iifname { "wan", "wg_cloonar" } ip daddr 10.42.97.50 masquerade iifname { "wan", "wg_cloonar" } ip daddr 10.42.113.50 masquerade
iifname { "wan", "wg_cloonar" } ip daddr 10.42.97.51 masquerade iifname { "wan", "wg_cloonar" } ip daddr 10.42.113.51 masquerade
iifname { "wan", "wg_cloonar" } ip daddr 10.42.97.201 masquerade iifname { "wan", "wg_cloonar" } ip daddr 10.42.113.201 masquerade
} }
''; '';
}; };
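Review bot: Adding `"wan"` to the `iifname { ... } counter accept comment "allow trusted to router"` set in the first hunk accepts every inbound packet from the WAN interface to the firewall itself, which makes the narrower `iifname "wan" ... dport` accepts above it redundant and exposes any service listening on the router to the internet; the `# TODO: disable wan when finished` comment a few lines later suggests a migration shortcut, but it should not land unmarked — at minimum change the comment to `comment "allow trusted to router -- TEMPORARY: wan included during fw-new migration, remove before cutover"`. In the prerouting chain, `iifname "server" ip daddr 10.42.96.255 udp dport { 9 } dnat to 10.42.96.255` keeps the old lan broadcast while the lan subnet is renumbered to 10.42.112.0/24 in dhcp4.nix, so the WoL forward presumably should become `ip daddr 10.42.112.255 ... dnat to 10.42.112.255`. The nftables ruleset string continues outside each hunk.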


@@ -0,0 +1,175 @@
{ config, nixpkgs, pkgs, ... }: let
hostname = "git";
json = pkgs.formats.json { };
pkgs-with-gitea = import (builtins.fetchGit {
name = "new-gitea";
url = "https://github.com/nixos/nixpkgs/";
rev = "159be5db480d1df880a0135ca0bfed84c2f88353";
}) {};
in {
microvm.vms = {
gitea = {
config = {
microvm = {
hypervisor = "cloud-hypervisor";
shares = [
{
source = "/nix/store";
mountPoint = "/nix/.ro-store";
tag = "ro-store";
proto = "virtiofs";
}
{
source = "/var/lib/acme/git.cloonar.com";
mountPoint = "/var/lib/acme/${hostname}.cloonar.com";
tag = "ro-cert";
proto = "virtiofs";
}
];
interfaces = [
{
type = "tap";
id = "vm-${hostname}";
mac = "02:00:00:00:00:01";
}
];
};
imports = [
../fleet.nix
];
environment.systemPackages = with pkgs; [
vim # my preferred editor
];
networking = {
hostName = hostname;
firewall = {
enable = true;
allowedTCPPorts = [ 22 80 443 ];
};
};
services.nginx.enable = true;
services.nginx.virtualHosts."${hostname}.cloonar.com" = {
sslCertificate = "/var/lib/acme/${hostname}.cloonar.com/fullchain.pem";
sslCertificateKey = "/var/lib/acme/${hostname}.cloonar.com/key.pem";
sslTrustedCertificate = "/var/lib/acme/${hostname}.cloonar.com/chain.pem";
forceSSL = true;
locations."/" = {
proxyPass = "http://localhost:3001/";
};
};
services.gitea = {
enable = true;
package = pkgs-with-gitea.gitea;
appName = "Cloonar Gitea server"; # Give the site a name
settings = {
server = {
ROOT_URL = "https://${hostname}.cloonar.com/";
HTTP_PORT = 3001;
DOMAIN = "${hostname}.cloonar.com";
};
openid = {
ENABLE_OPENID_SIGNIN = true;
ENABLE_OPENID_SIGNUP = true;
WHITELISTED_URIS = "auth.cloonar.com";
};
service = {
DISABLE_REGISTRATION = true;
ALLOW_ONLY_EXTERNAL_REGISTRATION = true;
SHOW_REGISTRATION_BUTTON = false;
};
actions.ENABLED=true;
};
};
services.openssh.enable = true;
users.users.root.openssh.authorizedKeys.keys = [
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDN/2SAFm50kraB1fepAizox/QRXxB7WbqVbH+5OPalDT47VIJGNKOKhixQoqhABHxEoLxdf/C83wxlCVlPV9poLfDgVkA3Lyt5r3tSFQ6QjjOJAgchWamMsxxyGBedhKvhiEzcr/Lxytnoz3kjDG8fqQJwEpdqMmJoMUfyL2Rqp16u+FQ7d5aJtwO8EUqovhMaNO7rggjPpV/uMOg+tBxxmscliN7DLuP4EMTA/FwXVzcFNbOx3K9BdpMRAaSJt4SWcJO2cS2KHA5n/H+PQI7nz5KN3Yr/upJN5fROhi/SHvK39QOx12Pv7FCuWlc+oR68vLaoCKYhnkl3DnCfc7A7"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIRQuPqH5fdX3KEw7DXzWEdO3AlUn1oSmtJtHB71ICoH Generated By Termius"
];
system.stateVersion = "22.05";
};
};
gitea-runner = {
config = {
microvm = {
mem = 12288;
shares = [
{
source = "/nix/store";
mountPoint = "/nix/.ro-store";
tag = "ro-store";
proto = "virtiofs";
}
{
source = "/run/secrets";
mountPoint = "/run/secrets";
tag = "ro-token";
proto = "virtiofs";
}
];
volumes = [
{
image = "rootfs.img";
mountPoint = "/";
size = 102400;
}
];
interfaces = [
{
type = "tap";
id = "vm-gitea-runner";
mac = "02:00:00:00:00:02";
}
];
};
environment.systemPackages = with pkgs; [
vim # my preferred editor
];
networking.hostName = "gitea-runner";
virtualisation.podman.enable = true;
services.gitea-actions-runner.instances.vm = {
enable = true;
url = "https://git.cloonar.com";
name = "vm";
tokenFile = "/run/secrets/gitea-runner-token";
labels = [
"ubuntu-latest:docker://shivammathur/node:latest"
];
settings = {
container = {
network = "podman";
};
};
};
services.openssh.enable = true;
users.users.root.openssh.authorizedKeys.keys = [
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDN/2SAFm50kraB1fepAizox/QRXxB7WbqVbH+5OPalDT47VIJGNKOKhixQoqhABHxEoLxdf/C83wxlCVlPV9poLfDgVkA3Lyt5r3tSFQ6QjjOJAgchWamMsxxyGBedhKvhiEzcr/Lxytnoz3kjDG8fqQJwEpdqMmJoMUfyL2Rqp16u+FQ7d5aJtwO8EUqovhMaNO7rggjPpV/uMOg+tBxxmscliN7DLuP4EMTA/FwXVzcFNbOx3K9BdpMRAaSJt4SWcJO2cS2KHA5n/H+PQI7nz5KN3Yr/upJN5fROhi/SHvK39QOx12Pv7FCuWlc+oR68vLaoCKYhnkl3DnCfc7A7"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIRQuPqH5fdX3KEw7DXzWEdO3AlUn1oSmtJtHB71ICoH Generated By Termius"
];
system.stateVersion = "22.05";
};
};
};
sops.secrets.gitea-runner-token = {};
environment = {
systemPackages = [
pkgs.qemu
pkgs.quickemu
];
};
}
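Review bot: The runner VM mounts the host's entire `/run/secrets` directory over virtiofs (the `ro-token` share) although it only reads `/run/secrets/gitea-runner-token`; because this VM executes CI jobs via podman, every other host secret becomes readable from inside it. Share a dedicated directory holding only that token instead (sops-nix `sops.secrets.gitea-runner-token.path` can place it there) and keep `tokenFile` pointing at the new mount. The gitea VM has no `volumes` entry while the runner does; if microvm's default root filesystem is not persistent, `/var/lib/gitea` is lost on every VM restart — confirm, and record the answer in a comment next to `shares`. `DISABLE_REGISTRATION = true` together with `ENABLE_OPENID_SIGNUP = true` may block the OpenID sign-up this block appears to want; confirm against the Gitea version pinned by `pkgs-with-gitea`. `json = pkgs.formats.json { };` is unused, and the root `authorizedKeys` list is pasted into both VMs; one `let` binding would keep them in step.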


@@ -1,6 +1,12 @@
{ config, pkgs, ... }: { config, pkgs, ... }:
let let
domain = "home-assistant.cloonar.com"; domain = "home-assistant.cloonar.com";
release2405 = import <nixos-24.05> { config = config.nixpkgs.config; };
pkgs-with-home-assistant = import (builtins.fetchGit {
name = "new-home-assistant";
url = "https://github.com/nixos/nixpkgs/";
rev = "268bb5090a3c6ac5e1615b38542a868b52ef8088";
}) {};
in in
{ {
users.users.hass = { users.users.hass = {
@@ -30,26 +36,26 @@ in
ephemeral = false; ephemeral = false;
privateNetwork = true; privateNetwork = true;
hostBridge = "server"; hostBridge = "server";
hostAddress = "10.42.97.1"; hostAddress = "10.42.113.1";
localAddress = "10.42.97.20/24"; localAddress = "10.42.113.20/24";
extraFlags = [ extraFlags = [
"--capability=CAP_NET_ADMIN" "--capability=CAP_NET_ADMIN"
]; ];
allowedDevices = [ # allowedDevices = [
{ # {
modifier = "rwm"; # modifier = "rwm";
node = "char-usb_device"; # node = "char-usb_device";
} # }
{ # {
modifier = "rwm"; # modifier = "rwm";
node = "char-ttyUSB"; # node = "char-ttyUSB";
} # }
]; # ];
bindMounts = { bindMounts = {
"/dev/ttyUSB0" = { # "/dev/ttyUSB0" = {
hostPath = "/dev/ttyUSB0"; # hostPath = "/dev/ttyUSB0";
isReadOnly = false; # isReadOnly = false;
}; # };
"/etc/localtime" = { "/etc/localtime" = {
hostPath = "/etc/localtime"; hostPath = "/etc/localtime";
}; };
@@ -104,6 +110,7 @@ in
environment.systemPackages = [ environment.systemPackages = [
pkgs.wol pkgs.wol
pkgs.mariadb
]; ];
services.nginx.enable = true; services.nginx.enable = true;
@@ -127,6 +134,7 @@ in
}; };
services.home-assistant = { services.home-assistant = {
package = pkgs-with-home-assistant.home-assistant;
enable = true; enable = true;
}; };
@@ -140,6 +148,17 @@ in
"tplink_omada" "tplink_omada"
]; ];
services.mysql = {
enable = true;
package = pkgs.mariadb;
ensureDatabases = [ "hass" ];
};
services.mysqlBackup = {
enable = true;
databases = [ "hass" ];
};
services.home-assistant.config = services.home-assistant.config =
let let
hiddenEntities = [ hiddenEntities = [
@@ -148,6 +167,9 @@ in
]; ];
in in
{ {
recorder = {
db_url = "mysql://hass@localhost/hass?unix_socket=/var/run/mysqld/mysqld.sock";
};
homeassistant = { homeassistant = {
name = "Home"; name = "Home";
latitude = "!secret home_latitude"; latitude = "!secret home_latitude";
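Review bot: `services.mysql` here only has `ensureDatabases`, so no MariaDB account named `hass` exists and the `recorder.db_url` of `mysql://hass@localhost/hass?unix_socket=…` will be refused at connect time; the other host's home-assistant.nix in this same commit adds an `ensureUsers` entry granting `hass.*` to `hass` (NixOS creates it with unix-socket authentication, which is why the URL carries no password) and `mysqlclient` via `extraPackages`, and both belong here too, as sketched below. `release2405 = import <nixos-24.05> { … }` is unused, and a `<…>` lookup depends on the evaluating machine's `NIX_PATH`, unlike the `fetchGit` pin next to it — drop it. `hostAddress`/`localAddress` move to `10.42.113.0/24` while the kea reservations and forward rules elsewhere in this commit still use `10.42.97.x`; if both describe the same host one side is stale, so a comment naming which segment `10.42.113.0/24` is would help.
```nix
services.mysql = {
  enable = true;
  package = pkgs.mariadb;
  ensureDatabases = [ "hass" ];
  ensureUsers = [
    {
      name = "hass";
      ensurePermissions = { "hass.*" = "ALL PRIVILEGES"; };
    }
  ];
};
# the mysql:// SQLAlchemy dialect needs a client library in Home Assistant's Python
services.home-assistant.extraPackages = ps: with ps; [ mysqlclient ];
# … unchanged: services.mysqlBackup, services.home-assistant.config …
```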


@@ -370,6 +370,7 @@
{ {
platform = "group"; platform = "group";
name = "Livingroom Lights"; name = "Livingroom Lights";
all = true;
entities = [ entities = [
"light.livingroom_switch" "light.livingroom_switch"
"light.living_bulb_1" "light.living_bulb_1"
@@ -380,6 +381,23 @@
"light.living_bulb_6" "light.living_bulb_6"
]; ];
} }
{
platform = "switch";
name = "Bedroom Switch";
entity_id = "switch.bedroom_switch";
}
{
platform = "group";
name = "Bedroom Lights";
all = true;
entities = [
"light.bedroom_switch"
"light.bedroom_bulb_1"
"light.bedroom_bulb_2"
"light.bedroom_bulb_3"
"light.bedroom_bulb_4"
];
}
]; ];
}; };
} }


@@ -7,17 +7,21 @@ let
{ name = "Living Bulb 4"; id = "485519D94A28"; } { name = "Living Bulb 4"; id = "485519D94A28"; }
{ name = "Living Bulb 5"; id = "485519DA6B6A"; } { name = "Living Bulb 5"; id = "485519DA6B6A"; }
{ name = "Living Bulb 6"; id = "485519D9E018"; } { name = "Living Bulb 6"; id = "485519D9E018"; }
{ name = "Bedroom Bulb 1"; id = "08f9e06f4eb4"; }
{ name = "Bedroom Bulb 2"; id = "485519ee0ed9"; }
{ name = "Bedroom Bulb 3"; id = "08f9e06fe779"; }
{ name = "Bedroom Bulb 4"; id = "485519ee00a0"; }
]; ];
switches = [ switches = [];
{ name = "Kitchen Switch"; id = "483FDA8274C2"; relay = "0"; }
{ name = "Livingroom Switch"; id = "483FDA8274C2"; relay = "1"; }
];
proswitches = [ proswitches = [
{ name = "Hallway Circuit"; id = "c8f09e894448"; relay = "0"; } { name = "Livingroom Switch"; id = "shellyplus2pm-e86beae5d5d8"; relay = "0"; }
{ name = "Bathroom Circuit"; id = "c8f09e894448"; relay = "1"; } { name = "Kitchen Switch"; id = "shellyplus2pm-e86beae5d5d8"; relay = "1"; }
{ name = "Kitchen Circuit"; id = "c8f09e894448"; relay = "2"; } { name = "Bedroom Switch"; id = "shelly1pmminig3-34b7da933fe0"; relay = "0"; }
{ name = "Hallway Circuit"; id = "shellypro3-c8f09e894448"; relay = "0"; }
{ name = "Bathroom Circuit"; id = "shellypro3-c8f09e894448"; relay = "1"; }
{ name = "Kitchen Circuit"; id = "shellypro3-c8f09e894448"; relay = "2"; }
]; ];
in { in {
services.home-assistant.extraComponents = [ services.home-assistant.extraComponents = [
@@ -45,14 +49,14 @@ in {
in { in {
name = switch.name; name = switch.name;
unique_id = unique_id; unique_id = unique_id;
state_topic = "shellies/shellypro3-${switch.id}/status/switch:${switch.relay}"; state_topic = "shellies/${switch.id}/status/switch:${switch.relay}";
value_template = "{{ value_json.output }}"; value_template = "{{ value_json.output }}";
state_on = true; state_on = true;
state_off = false; state_off = false;
command_topic = "shellies/shellypro3-c8f09e894448/rpc"; command_topic = "shellies/${switch.id}/rpc";
payload_on = "{\"id\":${switch.relay}, \"src\":\"homeassistant\", \"method\":\"Switch.Set\", \"params\":{\"id\":${switch.relay}, \"on\":true}}"; payload_on = "{\"id\":${switch.relay}, \"src\":\"homeassistant\", \"method\":\"Switch.Set\", \"params\":{\"id\":${switch.relay}, \"on\":true}}";
payload_off = "{\"id\":${switch.relay}, \"src\":\"homeassistant\", \"method\":\"Switch.Set\", \"params\":{\"id\":${switch.relay}, \"on\":false}}"; payload_off = "{\"id\":${switch.relay}, \"src\":\"homeassistant\", \"method\":\"Switch.Set\", \"params\":{\"id\":${switch.relay}, \"on\":false}}";
availability_topic = "shellies/shellypro3-${switch.id}/online"; availability_topic = "shellies/${switch.id}/online";
payload_available = "true"; payload_available = "true";
payload_not_available = "false"; payload_not_available = "false";
} }
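Review bot: The four new bedroom bulb ids are lower-case (`08f9e06f4eb4`, `485519ee0ed9`, …) while every other bulb id in this list and the same four ids in the other host's copy of this file are upper-case (`08F9E06F4EB4`, …). If the bulb id is interpolated into an MQTT topic the way `switch.id` is in `state_topic` and `command_topic` below, topics are case-sensitive and the two hosts would address different topics; use the form the device actually publishes, in both files. `switches = [];` is now empty, so whatever consumes `switches` (outside this hunk) is dead and could be removed together with the list.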


@@ -11,13 +11,9 @@
wait-online.anyInterface = true; wait-online.anyInterface = true;
links = { links = {
"10-wan" = { "10-wan" = {
matchConfig.PermanentMACAddress = "a8:b8:e0:00:43:c1"; matchConfig.PermanentMACAddress = "c0:74:2b:fd:9a:7f";
linkConfig.Name = "wan"; linkConfig.Name = "wan";
}; };
"20-lan" = {
matchConfig.PermanentMACAddress = "a8:b8:e0:00:43:c2";
linkConfig.Name = "lan";
};
}; };
netdevs = { netdevs = {
"30-server".netdevConfig = { "30-server".netdevConfig = {
@@ -40,48 +36,42 @@
nameservers = [ "10.42.97.1" ]; nameservers = [ "10.42.97.1" ];
# resolvconf.enable = false; # resolvconf.enable = false;
vlans = { vlans = {
infrastructure = { lan = {
id = 101; id = 95;
interface = "enp5s0"; interface = "enP3p49s0";
}; };
vserver = { vserver = {
id = 97; id = 97;
interface = "enp5s0"; interface = "enP3p49s0";
}; };
multimedia = { multimedia = {
id = 99; id = 98;
interface = "enp5s0"; interface = "enP3p49s0";
}; };
smart = { smart = {
id = 100; id = 99;
interface = "enp5s0"; interface = "enP3p49s0";
};
infrastructure = {
id = 100;
interface = "enP3p49s0";
}; };
guest = { guest = {
id = 254; id = 111;
interface = "enp5s0"; interface = "enP3p49s0";
}; };
}; };
# macvlans.server = {
# interface = "vserver";
# mode = "bridge";
# };
# bridges = {
# server = {
# interfaces = [ "vserver" ];
# };
# };
interfaces = { interfaces = {
# Don't request DHCP on the physical interfaces # Don't request DHCP on the physical interfaces
lan.useDHCP = false; lan.useDHCP = false;
enp4s0.useDHCP = false; enP3p49s0.useDHCP = false;
enp5s0.useDHCP = false;
# Handle the VLANs # Handle the VLANs
wan.useDHCP = true; wan.useDHCP = true;
lan = { lan = {
ipv4.addresses = [{ ipv4.addresses = [{
address = "10.42.96.1"; address = "10.42.95.1";
prefixLength = 24; prefixLength = 24;
}]; }];
}; };
@@ -91,19 +81,19 @@
prefixLength = 24; prefixLength = 24;
}]; }];
}; };
infrastructure = { multimedia = {
ipv4.addresses = [{ ipv4.addresses = [{
address = "10.42.101.1"; address = "10.42.98.1";
prefixLength = 24; prefixLength = 24;
}]; }];
}; };
multimedia = { smart = {
ipv4.addresses = [{ ipv4.addresses = [{
address = "10.42.99.1"; address = "10.42.99.1";
prefixLength = 24; prefixLength = 24;
}]; }];
}; };
smart = { infrastructure = {
ipv4.addresses = [{ ipv4.addresses = [{
address = "10.42.100.1"; address = "10.42.100.1";
prefixLength = 24; prefixLength = 24;
@@ -111,7 +101,7 @@
}; };
guest = { guest = {
ipv4.addresses = [{ ipv4.addresses = [{
address = "10.42.254.1"; address = "10.42.111.1";
prefixLength = 24; prefixLength = 24;
}]; }];
}; };
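Review bot: The VLAN renumbering (lan 95, multimedia 98, smart 99, infrastructure 100, guest 111) follows the rule "VLAN id = third octet of the segment's /24" but nothing says so; add `# VLAN id matches the third octet of the segment's 10.42.x.0/24` above `vlans = {` so the next edit keeps the scheme. With `20-lan` removed, every VLAN now hangs off the kernel name `enP3p49s0`, which is not pinned by a `.link` rule the way `wan` is; a rename after a kernel or firmware change would take all segments down, so consider matching it by `PermanentMACAddress` like `10-wan`. The old numbering (multimedia 99, smart 100) is what the unbound-sync script disabled elsewhere in this commit still maps to domains, so anything that revives it must follow the new ids.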


@@ -259,81 +259,81 @@ in {
enable = true; enable = true;
settings = cfg; settings = cfg;
}; };
systemd.services.unbound-sync = { # systemd.services.unbound-sync = {
enable = true; # enable = true;
path = with pkgs; [ unbound inotify-tools ]; # path = with pkgs; [ unbound inotify-tools ];
script = '' # script = ''
function readFile() { # function readFile() {
if [[ "''\$2" == "A" ]] ; then # if [[ "''\$2" == "A" ]] ; then
cat "''\$1" | tail -n +2 | while IFS=, read -r address hwaddr client_id valid_lifetime expire subnet_id fqdn_fwd fqdn_rev hostname state user_context # cat "''\$1" | tail -n +2 | while IFS=, read -r address hwaddr client_id valid_lifetime expire subnet_id fqdn_fwd fqdn_rev hostname state user_context
do # do
echo "''\${address},''\${hostname}" # echo "''\${address},''\${hostname}"
done # done
else # else
cat "''\$1" | tail -n +2 | while IFS=, read -r address duid valid_lifetime expire subnet_id pref_lifetime lease_type iaid prefix_len fqdn_fwd fqdn_rev hostname hwaddr state user_context hwtype hwaddr_source # cat "''\$1" | tail -n +2 | while IFS=, read -r address duid valid_lifetime expire subnet_id pref_lifetime lease_type iaid prefix_len fqdn_fwd fqdn_rev hostname hwaddr state user_context hwtype hwaddr_source
do # do
echo "''\${address},''\${hostname}" # echo "''\${address},''\${hostname}"
done # done
fi # fi
} # }
#
function readFileUnique() { # function readFileUnique() {
readFile "''\$1" ''\$2 | uniq | while IFS=, read -r address hostname # readFile "''\$1" ''\$2 | uniq | while IFS=, read -r address hostname
do # do
if echo "''\${1}" | grep -Eq '.*\.(cloonar.com|cloonar.multimedia|cloonar.smart)'; then # if echo "''\${1}" | grep -Eq '.*\.(cloonar.com|cloonar.multimedia|cloonar.smart)'; then
echo ''\${hostname} ''\$2 ''\${address} # echo ''\${hostname} ''\$2 ''\${address}
unbound-control local_data ''\${hostname} ''\$2 ''\${address} # unbound-control local_data ''\${hostname} ''\$2 ''\${address}
if [[ "''\$2" == "A" ]] ; then # if [[ "''\$2" == "A" ]] ; then
echo ''\${address} | while IFS=. read -r ip0 ip1 ip2 ip3 # echo ''\${address} | while IFS=. read -r ip0 ip1 ip2 ip3
do # do
unbound-control local_data ''\${ip3}.''\${ip2}.''\${ip1}.''\${ip0}.ip4.arpa. PTR ''\${hostname} # unbound-control local_data ''\${ip3}.''\${ip2}.''\${ip1}.''\${ip0}.ip4.arpa. PTR ''\${hostname}
unbound-control local_data ''\${ip3}.''\${ip2}.''\${ip1}.''\${ip0}.in-addr.arpa. PTR ''\${hostname} # unbound-control local_data ''\${ip3}.''\${ip2}.''\${ip1}.''\${ip0}.in-addr.arpa. PTR ''\${hostname}
done # done
fi # fi
else # else
if [[ "''\$2" == "A" ]] ; then # if [[ "''\$2" == "A" ]] ; then
echo ''\${address} | while IFS=. read -r ip0 ip1 ip2 ip3 # echo ''\${address} | while IFS=. read -r ip0 ip1 ip2 ip3
do # do
if [[ "''\${hostname}" != "" ]]; then # if [[ "''\${hostname}" != "" ]]; then
domain=cloonar.com # domain=cloonar.com
if [[ "''\${ip2}" == 99 ]]; then # if [[ "''\${ip2}" == 99 ]]; then
domain=cloonar.multimedia # domain=cloonar.multimedia
fi # fi
if [[ "''\${ip2}" == 100 ]]; then # if [[ "''\${ip2}" == 100 ]]; then
domain=cloonar.smart # domain=cloonar.smart
fi # fi
if [[ "''\${hostname}" != *. ]]; then # if [[ "''\${hostname}" != *. ]]; then
unbound-control local_data ''\${hostname}.''\${domain} ''\$2 ''\${address} # unbound-control local_data ''\${hostname}.''\${domain} ''\$2 ''\${address}
else # else
unbound-control local_data ''\${hostname}''\${domain} ''\$2 ''\${address} # unbound-control local_data ''\${hostname}''\${domain} ''\$2 ''\${address}
fi # fi
#
fi # fi
unbound-control local_data ''\${ip3}.''\${ip2}.''\${ip1}.''\${ip0}.ip4.arpa. PTR ''\${hostname} # unbound-control local_data ''\${ip3}.''\${ip2}.''\${ip1}.''\${ip0}.ip4.arpa. PTR ''\${hostname}
unbound-control local_data ''\${ip3}.''\${ip2}.''\${ip1}.''\${ip0}.in-addr.arpa. PTR ''\${hostname} # unbound-control local_data ''\${ip3}.''\${ip2}.''\${ip1}.''\${ip0}.in-addr.arpa. PTR ''\${hostname}
done # done
fi # fi
fi # fi
done # done
} # }
#
function syncFile() { # function syncFile() {
# readFileUnique "''\$1" "''\$2" # # readFileUnique "''\$1" "''\$2"
while true; do # while true; do
readFileUnique "''\$1" "''\$2" # readFileUnique "''\$1" "''\$2"
sleep 10 # sleep 10
done # done
} # }
#
syncFile "/var/lib/kea/dhcp4.leases" A & # syncFile "/var/lib/kea/dhcp4.leases" A &
# syncFile "/var/lib/kea/dhcp6.leases" AAAA & # # syncFile "/var/lib/kea/dhcp6.leases" AAAA &
wait # wait
''; # '';
wants = [ "network-online.target" "unbound.service" ]; # wants = [ "network-online.target" "unbound.service" ];
after = [ "network-online.target" "unbound.service" ]; # after = [ "network-online.target" "unbound.service" ];
partOf = [ "unbound.service" ]; # partOf = [ "unbound.service" ];
wantedBy = [ "multi-user.target" ]; # wantedBy = [ "multi-user.target" ];
}; # };
networking.firewall.allowedUDPPorts = [ 53 5353 ]; networking.firewall.allowedUDPPorts = [ 53 5353 ];
} }
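Review bot: The whole `unbound-sync` unit is kept as seventy-odd commented-out lines instead of being removed; git keeps the history, and the commented copy is already stale (its `ip2 == 99` → multimedia and `100` → smart mapping predates the VLAN renumbering in this commit, where multimedia becomes 98 and 100 becomes infrastructure). Delete the block, or if it is meant to return keep it live behind `enable = false;` so it still evaluates, with a one-line comment recording why it was switched off. The hunk starts inside the enclosing `in { … }` attribute set.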


@@ -8,18 +8,18 @@
networking.wireguard.interfaces = { networking.wireguard.interfaces = {
wg_cloonar = { wg_cloonar = {
ips = [ "10.42.98.1/24" ]; ips = [ "10.42.114.1/24" ];
listenPort = 51820; listenPort = 51820;
# publicKey: TKQVDmBnf9av46kQxLQSBDhAeaK8r1zh8zpU64zuc1Q= # publicKey: TKQVDmBnf9av46kQxLQSBDhAeaK8r1zh8zpU64zuc1Q=
privateKeyFile = config.sops.secrets.wg_cloonar_key.path; privateKeyFile = config.sops.secrets.wg_cloonar_key.path;
peers = [ peers = [
{ # Notebook { # Notebook
publicKey = "YdlRGsjh4hS3OMJI+t6SZ2eGXKbs0wZBXWudHW4NyS8="; publicKey = "YdlRGsjh4hS3OMJI+t6SZ2eGXKbs0wZBXWudHW4NyS8=";
allowedIPs = [ "10.42.98.201/32" ]; allowedIPs = [ "10.42.114.201/32" ];
} }
{ # iPhone { # iPhone
publicKey = "nkm10abmwt2G8gJXnpqel6QW5T8aSaxiqqGjE8va/A0="; publicKey = "nkm10abmwt2G8gJXnpqel6QW5T8aSaxiqqGjE8va/A0=";
allowedIPs = [ "10.42.98.202/32" ]; allowedIPs = [ "10.42.114.202/32" ];
} }
]; ];
}; };


@@ -15,13 +15,19 @@
}: }:
(linuxManualConfig rec { (linuxManualConfig rec {
modDirVersion = "6.1.43"; modDirVersion = "6.1.43";
# modDirVersion = "5.10.65";
version = "${modDirVersion}-xunlong-rk3588"; version = "${modDirVersion}-xunlong-rk3588";
extraMeta.branch = "6.1"; extraMeta.branch = "6.1";
# extraMeta.branch = "5.10";
# https://github.com/orangepi-xunlong/linux-orangepi/tree/orange-pi-6.1-rk35xx # https://github.com/orangepi-xunlong/linux-orangepi/tree/orange-pi-6.1-rk35xx
src = fetchFromGitHub { src = fetchFromGitHub {
owner = "orangepi-xunlong"; owner = "orangepi-xunlong";
repo = "linux-orangepi"; repo = "linux-orangepi";
# rev = "122b41d84d018af909a766e48f3f90cbea9868e0";
# hash = "sha256-kOhxDP1hbrrIriOXizgZoB0I+3/JWOPcOCdNeXcPJV0=";
# rev = "eb1c681e5184e51d8ce1f351559d149d17f48b57";
# hash = "sha256-kOhxDP1hbrrIriOXizgZoB0I+3/JWOPcOCdNeXcPJV0=";
rev = "752c0d0a12fdce201da45852287b48382caa8c0f"; rev = "752c0d0a12fdce201da45852287b48382caa8c0f";
hash = "sha256-tVu/3SF/+s+Z6ytKvuY+ZwqsXUlm40yOZ/O5kfNfUYc="; hash = "sha256-tVu/3SF/+s+Z6ytKvuY+ZwqsXUlm40yOZ/O5kfNfUYc=";
}; };
@@ -41,5 +47,5 @@
}) })
.overrideAttrs (old: { .overrideAttrs (old: {
name = "k"; # dodge uboot length limits name = "k"; # dodge uboot length limits
nativeBuildInputs = old.nativeBuildInputs ++ [ubootTools]; # nativeBuildInputs = old.nativeBuildInputs ++ [ubootTools];
}) })
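Review bot: The two commented-out `rev`/`hash` pairs carry the same `hash` for different revs, which cannot both be right, so the block misleads as reference material; delete them (git history has the old pins) or keep one correct pair. Disabling `nativeBuildInputs = old.nativeBuildInputs ++ [ubootTools];` leaves the `ubootTools` function argument (outside this hunk) unused, and the `# dodge uboot length limits` comment now describes an override that only renames the derivation; if uImage packaging is no longer needed, drop the argument and reword the comment to say the rename alone is kept.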


@@ -23,29 +23,29 @@ sops:
- recipient: age16veg3fmvpfm7a89a9fc8dvvsxmsthlm70nfxqspr6t8vnf9wkcwsvdq38d - recipient: age16veg3fmvpfm7a89a9fc8dvvsxmsthlm70nfxqspr6t8vnf9wkcwsvdq38d
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpalJkZWNhUzRJdTdhaElh YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1YlN0a1M2cStpbUtMMWFZ
VlNGd3AzaW5ha1d4ekVESStQSC9mTnBGRzFRCmszVHVBMjFRZjRuejRjenhvdGZl RzQrMGZmbkN2c01yOHhvbllwQUVpcWhmU3lrCkQxeHNQb2pKa3pOYnB3aEFjTGl1
RkMxMmowbWdndDZvcHc5RDZBNGh2THcKLS0tIFVuU0ZIOXlpZEE1alVGaXhnbWhQ c1IvSnZnTS9JMFJ1L1E0cXRybEJ6KzQKLS0tIDdPNTNwZDdMRzhyVzNzdXRESlZO
T1BiZitwUHEvRGx2ZkdTTWJZQzJpOU0KH035L5mbJ1fDjmuNbmfCGZdJ/4eE9FeI TkRXeUsxTWpodWtIT3Mza3o3SlZGdUkK/U6+p4rYGLhTWSHPOysau+iCoWseiLht
qM5/d51C3fP1uRjeLJFxObNlu/QG9MKql80fYF0NUboVGIUzHwv9gw== oT8a2hp9dSh1ofseyBfgeDeBN7Td9Z9FTBXBgcM911Sdq3VffQJHgw==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
- recipient: age1v6p8dan2t3w9h94fz4flldl32082j3s9x6zqq7u5j66keth9aphsd6pvch - recipient: age1v6p8dan2t3w9h94fz4flldl32082j3s9x6zqq7u5j66keth9aphsd6pvch
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBIdm01UEx6OFZkOW5QTnp3 YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBheVYzaDRndjhXMmhYaGdC
bUpuczZUUFdhRnhBbUxabGNFY0Rzd3pDdGp3CnRZMk9JRTV5Q1Jwa1J5Q1dtd0lM ZFcyUlZNd28wbFdsUEk2OWt5aEYwSzBsWVFrCnZjOHg2bXFPNlgwa3E3NkZlOXpJ
YzZKVzVRNldEa3JEL3h6TURPcHc4MWMKLS0tIGVEQnJ3N3c1ZHJ1Nitta2JRWDZP T2llSXJLNmcwWVVYdDdJY24xV1laWmMKLS0tIFhwTFdKaHk4NG91L2Y3OUZ4eHhD
VFZ3Qm5SYzRyVitTV2JkN2hWNEVMSDAKwHMncahsEQTsahAXr9VJFgsahUJ4yrOD V000QkdMWUhBV3E3dklnbTgvQVFUVG8KRkTaCoXdzF6+di4o9MoZIVUtM7YCxfiF
E1x6RAAI+2q8v3hPO8Rd8i6i/sELyM+NdK81WRrGwn8FHR8yZC7zoA== 3PP2lurWxmSmGDhD7OwIgM+EQ0sKViDbcvGs6Oo8BKClgSx7i9kvPg==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
- recipient: age1wq82xjyj80htz33x7agxddjfumr3wkwh3r24tasagepxw7ka893sau68df - recipient: age12msc2c6drsaw0yk2hjlaw0q0lyq0emjx5e8rq7qc7ql689k593kqfmhss2
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoYWozckZEcGJRK0NoTEcr YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKbUMxNy9VTkJkMkszcUdx
N0JsUG9UMGV1NTNxa0RmK3QyYVp0Wm04S25vCkxsSnpWQ3NGaGZMalEreUZkZVZE MjJlRDk4TnoxMVEzSDdIK3J5dktWWHl5MHl3CmtjS013OXlqSjNhTlNBWURTRmht
ZUk4R1M3cDdaU0NBa21Hc2lTaXFhdGcKLS0tIFcwRGJZU0hmUW5aRHZsNG1NZ25n eFVLRU1Kbm5OdUtHRm5Nb3NGdzBwWHMKLS0tIE51M2tnaEUzMlRIeDEzZjhxV3RH
ejhXSmVkVjlhRDF3d1JDQlBzd2N3WncK6taU4OsyYoZc5P/2fMrSidLo2tYcH6Yw clE0QWFvRit2N1hsaDlUcUpDbFdhUlEKA+8ukUbm61s2B7XzbBclbmL1G+cHP9DO
tNJRIOqR2Iq1M4ey27jnTdw3NvYKyxjn60ZeW2xcn8CYrpf0X4gLQA== XGOzmtpNm/kPKZCj9CuMBB3Ze4pEQglv66YQPafzQhmP4LMoWrOQrA==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2024-08-02T22:57:14Z" lastmodified: "2024-08-02T22:57:14Z"
mac: ENC[AES256_GCM,data:U9/pKXdqXMvjQgyTIGz0JG+88aBXVgp29Fmm0OE66KMArkX8ungcEtdnGYKhD0gFJKLrKZZY5V8oyAXEq95D+Bh8ZnfmQibYw04cPldc6kTZstsrpbzrWVfn6sqG/ih12oXdsLws+H6IeN+O2qGZHDIVjvPufAdJ3A2X+Yakahg=,iv:mG+dGv3l/PNhggvlujLxDGU5z47qVA9sOTUbU2b2dPo=,tag:Rz2av33iwa9aYR7c0cviEg==,type:str] mac: ENC[AES256_GCM,data:U9/pKXdqXMvjQgyTIGz0JG+88aBXVgp29Fmm0OE66KMArkX8ungcEtdnGYKhD0gFJKLrKZZY5V8oyAXEq95D+Bh8ZnfmQibYw04cPldc6kTZstsrpbzrWVfn6sqG/ih12oXdsLws+H6IeN+O2qGZHDIVjvPufAdJ3A2X+Yakahg=,iv:mG+dGv3l/PNhggvlujLxDGU5z47qVA9sOTUbU2b2dPo=,tag:Rz2av33iwa9aYR7c0cviEg==,type:str]
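Review bot: Only the age recipient list changed (the `fw` key replaced by the `fw-new` key) while `mac` and `lastmodified` are untouched, so this is a re-wrap of the existing data key, not a re-encryption: anyone holding the old `fw` host key and a previous revision of this file can still decrypt the current payload. If the old host is being retired rather than merely renamed, rotate the data key (`sops rotate`) in a follow-up so the plaintext is re-encrypted under a fresh key, and note the rotation in the commit message.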


@@ -49,6 +49,9 @@
./modules/palworld.nix ./modules/palworld.nix
# ./modules/ark-survival-evolved.nix # ./modules/ark-survival-evolved.nix
# setup network
./modules/setupnetwork.nix
./hardware-configuration.nix ./hardware-configuration.nix
]; ];
@@ -84,37 +87,42 @@
inotify-tools inotify-tools
]; ];
nix.gc = { nix = {
automatic = true; settings.auto-optimise-store = true;
options = "--delete-older-than 60d"; gc = {
automatic = true;
dates = "weekly";
options = "--delete-older-than 60d";
};
# Free up to 1GiB whenever there is less than 100MiB left.
extraOptions = ''
min-free = ${toString (100 * 1024 * 1024)}
max-free = ${toString (1024 * 1024 * 1024)}
'';
}; };
services.auto-cpufreq.enable = true; services.tlp = {
services.auto-cpufreq.settings = { enable = true;
charger = { settings = {
governor = "powersave"; CPU_SCALING_GOVERNOR_ON_AC = "powersave"; # powersave or performance
turbo = "auto"; CPU_ENERGY_PERF_POLICY_ON_AC = "power"; # power or performance
# CPU_MIN_PERF_ON_AC = 0;
# CPU_MAX_PERF_ON_AC = 100; # max 100
}; };
}; };
boot = { systemd.services = {
kernelPackages = pkgs.linuxPackagesFor (pkgs.callPackage ./pkgs/kernel/vendor.nix {}); powertop = {
wantedBy = [ "multi-user.target" ];
# kernelParams copy from Armbian's /boot/armbianEnv.txt & /boot/boot.cmd after = [ "multi-user.target" ];
kernelParams = [ description = "Powertop tunings";
"rootwait" path = [ pkgs.kmod ];
serviceConfig = {
"earlycon" # enable early console, so we can see the boot messages via serial port / HDMI Type = "oneshot";
"consoleblank=0" # disable console blanking(screen saver) RemainAfterExit = "yes";
"console=ttyS2,1500000" # serial port ExecStart = "${pkgs.powertop}/bin/powertop --auto-tune && for dev in /sys/class/net/*; do echo on > \"$dev/device/power/control\"; done'";
"console=tty1" # HDMI };
};
# docker optimizations
"cgroup_enable=cpuset"
"cgroup_memory=1"
"cgroup_enable=memory"
"swapaccount=1"
];
}; };
boot.tmp.cleanOnBoot = true; boot.tmp.cleanOnBoot = true;
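Review bot: `ExecStart` on the powertop unit is a single string containing `&&`, a `for` loop and a `>` redirection, but systemd does not run `ExecStart` through a shell, so the unit will fail on the first token after the binary (the string also ends in a stray `'`). Move the command into the NixOS `script` attribute, which is wrapped in a shell for you, as sketched below; alternatively `powerManagement.powertop.enable = true` already provides a `powertop --auto-tune` unit and only the `/sys/class/net` loop would remain custom. `after = [ "multi-user.target" ]` on a unit that is also `wantedBy` that target looks like an ordering cycle — confirm in the journal after the first boot.
```nix
powertop = {
  # … unchanged: wantedBy, after, description, path, serviceConfig …
  script = ''
    ${pkgs.powertop}/bin/powertop --auto-tune
    for dev in /sys/class/net/*; do
      echo on > "$dev/device/power/control"
    done
  '';
};
```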


@@ -1,6 +1,9 @@
{ lib, config, modulesPath, ... }: { lib, config, modulesPath, ... }:
{ {
boot.loader.systemd-boot.enable = true; boot.loader.systemd-boot = {
enable = true;
configurationLimit = 5;
};
boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "vmw_pvscsi" "xen_blkfront" ]; boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "vmw_pvscsi" "xen_blkfront" ];
boot.initrd.kernelModules = [ "nvme" "kvm-intel" ]; boot.initrd.kernelModules = [ "nvme" "kvm-intel" ];


@@ -13,6 +13,7 @@
"vpn.cloonar.com" "vpn.cloonar.com"
"git.cloonar.com" "git.cloonar.com"
"palworld.cloonar.com" "palworld.cloonar.com"
"matrix.cloonar.com"
]; ];
}; };


@@ -92,6 +92,11 @@
ip-address = "10.42.97.5"; ip-address = "10.42.97.5";
server-hostname = "web-02.cloonar.com"; server-hostname = "web-02.cloonar.com";
} }
{
hw-address = "02:00:00:00:00:04";
ip-address = "10.42.97.6";
server-hostname = "matrix.cloonar.com";
}
{ {
hw-address = "ea:db:d4:c1:18:ba"; hw-address = "ea:db:d4:c1:18:ba";
ip-address = "10.42.97.50"; ip-address = "10.42.97.50";


@@ -33,7 +33,7 @@
iifname "wan" tcp dport 9273 counter accept comment "Prometheus traffic" iifname "wan" tcp dport 9273 counter accept comment "Prometheus traffic"
iifname "lan" tcp dport 5931 counter accept comment "Spice" iifname "lan" tcp dport 5931 counter accept comment "Spice"
iifname { "server", "vserver", "vm-*", "lan", "wg_cloonar" } counter accept comment "allow trusted to router" iifname { "server", "vserver", "vm-*", "lan", "wg_cloonar" } counter accept comment "allow trusted to router"
iifname { "multimedia", "smart", "infrastructure", "podman0" } udp dport { 53, 5353 } counter accept comment "DNS" iifname { "multimedia", "smart", "infrastructure", "podman0", "setup" } udp dport { 53, 5353 } counter accept comment "DNS"
iifname { "wan", "multimedia" } icmp type { echo-request, destination-unreachable, time-exceeded } counter accept comment "Allow select ICMP" iifname { "wan", "multimedia" } icmp type { echo-request, destination-unreachable, time-exceeded } counter accept comment "Allow select ICMP"
# Accept mDNS for avahi reflection # Accept mDNS for avahi reflection
@@ -92,10 +92,9 @@
oifname "server" ip daddr 10.42.97.5 tcp dport { 80, 443 } counter accept oifname "server" ip daddr 10.42.97.5 tcp dport { 80, 443 } counter accept
# lan and vpn to any # lan and vpn to any
# TODO: disable wan when finished iifname { "lan", "server", "vserver", "wg_cloonar" } oifname { "lan", "vb-*", "vm-*", "server", "vserver", "infrastructure", "multimedia", "smart", "wg_cloonar", "guest", "setup" } counter accept
iifname { "lan", "server", "vserver", "wg_cloonar" } oifname { "lan", "vb-*", "vm-*", "server", "vserver", "infrastructure", "multimedia", "smart", "wg_cloonar" } counter log prefix "basic forward allow rule" accept
iifname { "lan", "server", "wg_cloonar" } oifname { "wrwks", "wg_epicenter", "wg_ghetto_at" } counter accept iifname { "lan", "server", "wg_cloonar" } oifname { "wrwks", "wg_epicenter", "wg_ghetto_at" } counter accept
iifname { "infrastructure" } oifname { "server", "vserver" } counter accept iifname { "infrastructure", "setup" } oifname { "server", "vserver" } counter accept
iifname { "lan", "wan" } udp dport { 8211, 27015 } counter accept comment "palworld" iifname { "lan", "wan" } udp dport { 8211, 27015 } counter accept comment "palworld"
# accept palword server # accept palword server
@@ -121,6 +120,7 @@
"wg_cloonar", "wg_cloonar",
"podman*", "podman*",
"guest", "guest",
"setup",
"vb-*", "vb-*",
"vm-*", "vm-*",
} oifname { } oifname {
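Review bot: `setup` now forwards to `server` and `vserver` with the same unrestricted rule as `infrastructure` (`iifname { "infrastructure", "setup" } oifname { "server", "vserver" } counter accept`), and `guest`/`setup` are added as destinations for lan/server/vpn traffic. If `setup` is the provisioning segment that `./modules/setupnetwork.nix` introduces, hosts on it are by definition not yet configured, so limiting the rule to the ports the provisioning flow needs toward the specific server addresses (the `10.42.97.5 tcp dport { 80, 443 }` rule above shows the shape) keeps an unprovisioned device from reaching every service on the server VLAN. The `log prefix "basic forward allow rule"` and the `TODO: disable wan when finished` comment were dropped in the same rewrite; if the TODO is done, say so, otherwise keep it. The `iifname {` set at the end of this section belongs to a chain whose body is outside the hunk.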


@@ -1,6 +1,11 @@
{ config, pkgs, ... }: { config, pkgs, ... }:
let let
domain = "home-assistant.cloonar.com"; domain = "home-assistant.cloonar.com";
pkgs-with-home-assistant = import (builtins.fetchGit {
name = "new-home-assistant";
url = "https://github.com/nixos/nixpkgs/";
rev = "268bb5090a3c6ac5e1615b38542a868b52ef8088";
}) {};
in in
{ {
users.users.hass = { users.users.hass = {
@@ -35,21 +40,21 @@ in
extraFlags = [ extraFlags = [
"--capability=CAP_NET_ADMIN" "--capability=CAP_NET_ADMIN"
]; ];
allowedDevices = [ # allowedDevices = [
{ # {
modifier = "rwm"; # modifier = "rwm";
node = "char-usb_device"; # node = "char-usb_device";
} # }
{ # {
modifier = "rwm"; # modifier = "rwm";
node = "char-ttyUSB"; # node = "char-ttyUSB";
} # }
]; # ];
bindMounts = { bindMounts = {
"/dev/ttyUSB0" = { # "/dev/ttyUSB0" = {
hostPath = "/dev/ttyUSB0"; # hostPath = "/dev/ttyUSB0";
isReadOnly = false; # isReadOnly = false;
}; # };
"/etc/localtime" = { "/etc/localtime" = {
hostPath = "/etc/localtime"; hostPath = "/etc/localtime";
}; };
@@ -104,6 +109,7 @@ in
environment.systemPackages = [ environment.systemPackages = [
pkgs.wol pkgs.wol
pkgs.mariadb
]; ];
services.nginx.enable = true; services.nginx.enable = true;
@@ -127,6 +133,7 @@ in
}; };
services.home-assistant = { services.home-assistant = {
package = pkgs-with-home-assistant.home-assistant;
enable = true; enable = true;
}; };
@@ -140,6 +147,30 @@ in
"tplink_omada" "tplink_omada"
]; ];
services.home-assistant.extraPackages = ps: with ps; [
mysqlclient
];
services.mysql = {
enable = true;
package = pkgs.mariadb;
ensureDatabases = [ "hass" ];
ensureUsers = [
{
name = "hass";
ensurePermissions = {
"hass.*" = "ALL PRIVILEGES";
};
}
];
};
services.mysqlBackup = {
enable = true;
databases = [ "hass" ];
};
services.home-assistant.config = services.home-assistant.config =
let let
hiddenEntities = [ hiddenEntities = [
@@ -148,6 +179,9 @@ in
]; ];
in in
{ {
recorder = {
db_url = "mysql://hass@localhost/hass?unix_socket=/var/run/mysqld/mysqld.sock";
};
homeassistant = { homeassistant = {
name = "Home"; name = "Home";
latitude = "!secret home_latitude"; latitude = "!secret home_latitude";
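Review bot: The `recorder.db_url` carries no password because the `hass` account created by `ensureUsers` authenticates over the MariaDB unix socket named in the URL, but nothing in the file says so; a comment on `db_url` such as `# socket auth: the container's hass user maps to the MariaDB account from ensureUsers, so no password is involved` would stop a later reader from "fixing" it with one. This file and the other host's home-assistant.nix in the same commit are near-identical copies that have already diverged (that one lacks `ensureUsers` and `extraPackages`), so the container definition is a candidate for a shared module with the host-specific addresses as arguments. `extraPackages = ps: with ps; [ mysqlclient ];` deserves a one-line comment naming why it exists (`# SQLAlchemy mysql:// dialect`).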


@@ -370,6 +370,7 @@
{ {
platform = "group"; platform = "group";
name = "Livingroom Lights"; name = "Livingroom Lights";
all = true;
entities = [ entities = [
"light.livingroom_switch" "light.livingroom_switch"
"light.living_bulb_1" "light.living_bulb_1"
@@ -380,6 +381,37 @@
"light.living_bulb_6" "light.living_bulb_6"
]; ];
} }
{
platform = "switch";
name = "Kitchen Switch";
entity_id = "switch.kitchen_switch";
}
{
platform = "group";
name = "Kitchen Lights";
all = true;
entities = [
"light.kitchen_switch"
"light.kitchen"
];
}
{
platform = "switch";
name = "Bedroom Switch";
entity_id = "switch.bedroom_switch";
}
{
platform = "group";
name = "Bedroom Lights";
all = true;
entities = [
"light.bedroom_switch"
"light.bedroom_bulb_1"
"light.bedroom_bulb_2"
"light.bedroom_bulb_3"
"light.bedroom_bulb_4"
];
}
]; ];
}; };
} }


@@ -48,7 +48,7 @@
friendly_name = "Any multimedia device on"; friendly_name = "Any multimedia device on";
device_class = "connectivity"; device_class = "connectivity";
value_template = '' value_template = ''
{% if is_state('binary_sensor.ps5', 'on') or is_state('binary_sensor.xbox', 'on') or (states('media_player.fire_tv_firetv_living_cloonar_multimedia') != 'off' and states('media_player.fire_tv_firetv_living_cloonar_multimedia') != 'unavailable') or (is_state('binary_sensor.steamdeck', 'on') and (states('sensor.steamdeck_power') | float > 5)) %} {% if is_state('binary_sensor.ps5', 'on') or is_state('binary_sensor.xbox', 'on') or (states('media_player.fire_tv_firetv_living_cloonar_multimedia') != 'off' and states('media_player.fire_tv_firetv_living_cloonar_multimedia') != 'unavailable') or (is_state('binary_sensor.steamdeck', 'on') and (states('sensor.steamdeck_power') | float(default=0) > 5)) %}
on on
{% else %} {% else %}
off off


@@ -7,17 +7,22 @@ let
{ name = "Living Bulb 4"; id = "485519D94A28"; } { name = "Living Bulb 4"; id = "485519D94A28"; }
{ name = "Living Bulb 5"; id = "485519DA6B6A"; } { name = "Living Bulb 5"; id = "485519DA6B6A"; }
{ name = "Living Bulb 6"; id = "485519D9E018"; } { name = "Living Bulb 6"; id = "485519D9E018"; }
{ name = "Bedroom Bulb 1"; id = "08F9E06F4EB4"; }
{ name = "Bedroom Bulb 2"; id = "485519EE0ED9"; }
{ name = "Bedroom Bulb 3"; id = "08F9E06FE779"; }
{ name = "Bedroom Bulb 4"; id = "485519EE00A0"; }
]; ];
switches = [ switches = [
{ name = "Kitchen Switch"; id = "483FDA8274C2"; relay = "0"; }
{ name = "Livingroom Switch"; id = "483FDA8274C2"; relay = "1"; }
]; ];
proswitches = [ proswitches = [
{ name = "Hallway Circuit"; id = "c8f09e894448"; relay = "0"; } { name = "Livingroom Switch"; id = "shellyplus2pm-e86beae5d5d8"; relay = "0"; }
{ name = "Bathroom Circuit"; id = "c8f09e894448"; relay = "1"; } { name = "Kitchen Switch"; id = "shellyplus2pm-e86beae5d5d8"; relay = "1"; }
{ name = "Kitchen Circuit"; id = "c8f09e894448"; relay = "2"; } { name = "Bedroom Switch"; id = "shelly1pmminig3-34b7da933fe0"; relay = "0"; }
{ name = "Hallway Circuit"; id = "shellypro3-c8f09e894448"; relay = "0"; }
{ name = "Bathroom Circuit"; id = "shellypro3-c8f09e894448"; relay = "1"; }
{ name = "Kitchen Circuit"; id = "shellypro3-c8f09e894448"; relay = "2"; }
]; ];
in { in {
services.home-assistant.extraComponents = [ services.home-assistant.extraComponents = [
@@ -45,14 +50,14 @@ in {
in { in {
name = switch.name; name = switch.name;
unique_id = unique_id; unique_id = unique_id;
state_topic = "shellies/shellypro3-${switch.id}/status/switch:${switch.relay}"; state_topic = "shellies/${switch.id}/status/switch:${switch.relay}";
value_template = "{{ value_json.output }}"; value_template = "{{ value_json.output }}";
state_on = true; state_on = true;
state_off = false; state_off = false;
command_topic = "shellies/shellypro3-c8f09e894448/rpc"; command_topic = "shellies/${switch.id}/rpc";
payload_on = "{\"id\":${switch.relay}, \"src\":\"homeassistant\", \"method\":\"Switch.Set\", \"params\":{\"id\":${switch.relay}, \"on\":true}}"; payload_on = "{\"id\":${switch.relay}, \"src\":\"homeassistant\", \"method\":\"Switch.Set\", \"params\":{\"id\":${switch.relay}, \"on\":true}}";
payload_off = "{\"id\":${switch.relay}, \"src\":\"homeassistant\", \"method\":\"Switch.Set\", \"params\":{\"id\":${switch.relay}, \"on\":false}}"; payload_off = "{\"id\":${switch.relay}, \"src\":\"homeassistant\", \"method\":\"Switch.Set\", \"params\":{\"id\":${switch.relay}, \"on\":false}}";
availability_topic = "shellies/shellypro3-${switch.id}/online"; availability_topic = "shellies/${switch.id}/online";
payload_available = "true"; payload_available = "true";
payload_not_available = "false"; payload_not_available = "false";
} }
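Review bot: The `switches` list now keeps "Kitchen Switch" and "Livingroom Switch" (both on id `483FDA8274C2`) while `proswitches` gains entries with the very same names on the `shellyplus2pm-…` device; if `unique_id` (computed above the hunk) is derived from `switch.name`, Home Assistant will reject the second entity as a duplicate unique_id, and the `switch.kitchen_switch` / `switch.livingroom_switch` ids referenced from the other config files become ambiguous. Either drop the old entries from `switches` or give them distinct names, e.g. `{ name = "Kitchen Switch (gen1)"; id = "483FDA8274C2"; relay = "0"; }`. Making `state_topic`, `command_topic` and `availability_topic` derive from `switch.id` is the right generalisation, but it now requires every `proswitches` id to carry its model prefix, which deserves a one-line comment above the list. The mapping function whose templates change here starts outside the hunk.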


@@ -14,6 +14,14 @@
{ {
delay = 1700; delay = 1700;
} }
{
service = "switch.turn_on";
entity_id = "switch.hallway_circuit";
}
{
service = "switch.turn_on";
entity_id = "switch.bathroom_circuit";
}
{ {
service = "switch.turn_on"; service = "switch.turn_on";
entity_id = "switch.78_8c_b5_fe_41_62_port_2_poe"; # livingroom entity_id = "switch.78_8c_b5_fe_41_62_port_2_poe"; # livingroom
@@ -64,6 +72,14 @@
service = "switch.turn_off"; service = "switch.turn_off";
entity_id = "switch.78_8c_b5_fe_41_62_port_3_poe"; entity_id = "switch.78_8c_b5_fe_41_62_port_3_poe";
} }
{
service = "switch.turn_off";
entity_id = "switch.hallway_circuit";
}
{
service = "switch.turn_off";
entity_id = "switch.bathroom_circuit";
}
]; ];
} }
]; ];


@@ -0,0 +1,58 @@
{ ... }: {
networking = {
vlans = {
setup = {
id = 110;
interface = "enp5s0";
};
};
interfaces = {
setup = {
ipv4.addresses = [{
address = "10.42.110.1";
prefixLength = 24;
}];
};
};
};
services.kea.dhcp4 = {
settings = {
interfaces-config = {
interfaces = [
"setup"
];
};
subnet4 = [
{
pools = [
{
pool = "10.42.110.100 - 10.42.110.240";
}
];
subnet = "10.42.110.0/24";
interface = "setup";
option-data = [
{
name = "routers";
data = "10.42.110.1";
}
{
name = "domain-name";
data = "cloonar.com";
}
{
name = "domain-search";
data = "cloonar.com";
}
{
name = "domain-name-servers";
data = "10.42.97.1";
}
];
}
];
};
};
}
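Review bot: The new `setup` VLAN (id 110) carries no comment saying what it is for, and its DHCP clients are pointed at `10.42.97.1` for DNS, which lies outside the `10.42.110.0/24` pool; that only works if inter-VLAN forwarding to that resolver is allowed, so the intent should be written down, e.g. `# VLAN 110: provisioning network; only DNS towards 10.42.97.1 is expected to cross into the main VLAN`. Lease times are left at Kea's defaults, which is acceptable here but worth stating explicitly with `valid-lifetime` if devices on this segment are meant to be short-lived.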


@@ -23,9 +23,9 @@ let
cfg = { cfg = {
remote-control.control-enable = true; remote-control.control-enable = true;
server = { server = {
include = [ # include = [
"\"${adblockLocalZones}\"" # "\"${adblockLocalZones}\""
]; # ];
interface = [ "0.0.0.0" "::0" ]; interface = [ "0.0.0.0" "::0" ];
interface-automatic = "yes"; interface-automatic = "yes";
access-control = [ access-control = [
@@ -56,6 +56,7 @@ let
"\"snapcast.cloonar.com IN A 10.42.97.21\"" "\"snapcast.cloonar.com IN A 10.42.97.21\""
"\"home-assistant.cloonar.com IN A 10.42.97.20\"" "\"home-assistant.cloonar.com IN A 10.42.97.20\""
"\"web-02.cloonar.com IN A 10.42.97.5\"" "\"web-02.cloonar.com IN A 10.42.97.5\""
"\"matrix.cloonar.com IN A 10.42.97.5\""
"\"support.cloonar.com IN A 10.42.97.5\"" "\"support.cloonar.com IN A 10.42.97.5\""
"\"git.cloonar.com IN A 10.42.97.50\"" "\"git.cloonar.com IN A 10.42.97.50\""
"\"sync.cloonar.com IN A 10.42.97.51\"" "\"sync.cloonar.com IN A 10.42.97.51\""
@@ -73,6 +74,7 @@ let
"\"mieterhilfe.at IN A 10.254.240.109\"" "\"mieterhilfe.at IN A 10.254.240.109\""
"\"wohnpartner-wien.at IN A 10.254.240.109\"" "\"wohnpartner-wien.at IN A 10.254.240.109\""
"\"new.wohnberatung-wien.at IN A 10.254.240.109\"" "\"new.wohnberatung-wien.at IN A 10.254.240.109\""
"\"new.wohnpartner-wien.at IN A 10.254.240.109\""
"\"wohnberatung-wien.at IN A 10.254.240.109\"" "\"wohnberatung-wien.at IN A 10.254.240.109\""
"\"wienbautvor.at IN A 10.254.240.109\"" "\"wienbautvor.at IN A 10.254.240.109\""
"\"wienwohntbesser.at IN A 10.254.240.109\"" "\"wienwohntbesser.at IN A 10.254.240.109\""
@@ -94,6 +96,7 @@ let
"\"b.stage.mieterhilfe.at IN A 10.254.240.110\"" "\"b.stage.mieterhilfe.at IN A 10.254.240.110\""
"\"b.stage.wohnpartner-wien.at IN A 10.254.240.110\"" "\"b.stage.wohnpartner-wien.at IN A 10.254.240.110\""
"\"b.stage.new.wohnberatung-wien.at IN A 10.254.240.110\"" "\"b.stage.new.wohnberatung-wien.at IN A 10.254.240.110\""
"\"b.stage.new.wohnpartner-wien.at IN A 10.254.240.110\""
"\"b.stage.wohnberatung-wien.at IN A 10.254.240.110\"" "\"b.stage.wohnberatung-wien.at IN A 10.254.240.110\""
"\"b.stage.wienbautvor.at IN A 10.254.240.110\"" "\"b.stage.wienbautvor.at IN A 10.254.240.110\""
"\"b.stage.wienwohntbesser.at IN A 10.254.240.110\"" "\"b.stage.wienwohntbesser.at IN A 10.254.240.110\""
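Review bot: The `include` of `adblockLocalZones` is commented out with no explanation, so the next reader cannot tell whether ad-blocking was dropped deliberately or only temporarily; add a one-line reason above it, e.g. `# adblock zones disabled: <reason/date>`, or remove the `adblockLocalZones` binding (defined above the first hunk) if it is no longer wanted. The added `local-data` records for `matrix.cloonar.com` and the `new.wohnpartner-wien.at` pair are consistent with the neighbouring entries. The `server` attribute set these hunks edit starts above the first hunk.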


@@ -1,10 +1,18 @@
{ lib, nixpkgs, pkgs, ... }: let { lib, pkgs, config, ... }: let
hostname = "web-02"; hostname = "web-02";
json = pkgs.formats.json { }; json = pkgs.formats.json { };
impermanence = builtins.fetchTarball "https://github.com/nix-community/impermanence/archive/master.tar.gz"; impermanence = builtins.fetchTarball "https://github.com/nix-community/impermanence/archive/master.tar.gz";
in { in {
microvm.vms = { microvm.vms = {
web = { web = {
pkgs = import pkgs.path {
config = {
permittedInsecurePackages = [
# needed for matrix
"olm-3.2.16"
];
};
};
config = { config = {
microvm = { microvm = {
mem = 4096; mem = 4096;
@@ -47,6 +55,7 @@ in {
# ./zammad.nix # ./zammad.nix
./proxies.nix ./proxies.nix
./matrix.nix
]; ];
time.timeZone = "Europe/Vienna"; time.timeZone = "Europe/Vienna";
@@ -93,6 +102,14 @@ in {
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIRQuPqH5fdX3KEw7DXzWEdO3AlUn1oSmtJtHB71ICoH Generated By Termius" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIRQuPqH5fdX3KEw7DXzWEdO3AlUn1oSmtJtHB71ICoH Generated By Termius"
]; ];
services.nginx = {
enable = true;
recommendedTlsSettings = true;
recommendedOptimisation = true;
recommendedGzipSettings = true;
recommendedProxySettings = true;
};
# backups # backups
# borgbackup.repo = "u149513-sub2@u149513-sub2.your-backup.de:borg"; # borgbackup.repo = "u149513-sub2@u149513-sub2.your-backup.de:borg";
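Review bot: `permittedInsecurePackages = [ "olm-3.2.16" ]` accepts a package that nixpkgs has flagged as insecure with only `# needed for matrix` as justification; record the accepted risk and the exit condition, e.g. `# olm is marked insecure in nixpkgs; accepted so the mautrix bridges keep E2EE until they drop libolm — revisit on bridge upgrades`. Re-importing `pkgs.path` for the VM also discards any overlays and `config` (such as `allowUnfree`) that the host's `pkgs` carries, so settings the imported matrix module may expect are silently absent inside the VM; if that is intended, a comment saying so would help. `microvm.vms.web` continues past the last hunk.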


@@ -0,0 +1,484 @@
{ pkgs, lib, config, ... }:
let
hostname = "matrix";
fqdn = "${hostname}.cloonar.com";
baseUrl = "https://matrix.cloonar.com";
clientConfig."m.homeserver".base_url = baseUrl;
serverConfig."m.server" = "${fqdn}:443";
mkWellKnown = data: ''
default_type application/json;
add_header Access-Control-Allow-Origin *;
return 200 '${builtins.toJSON data}';
'';
in {
sops.secrets.matrix-shared-secret = {
};
sops.secrets.dendrite-private-key = {
};
services.postgresql = {
enable = true;
ensureDatabases = [ "dendrite" ];
ensureUsers = [
{
name = "dendrite";
}
];
};
services.postgresqlBackup.enable = true;
services.postgresqlBackup.databases = [ "dendrite" ];
services.nginx.virtualHosts."${fqdn}" = {
forceSSL = true;
enableACME = true;
acmeRoot = null;
locations."/".extraConfig = ''
return 404;
'';
locations."/_dendrite".proxyPass = "http://[::1]:8008";
locations."/_matrix".proxyPass = "http://[::1]:8008";
locations."/_synapse/client".proxyPass = "http://[::1]:8008";
};
services.dendrite = {
enable = true;
settings = {
global = {
server_name = "cloonar.com";
private_key = "$CREDENTIALS_DIRECTORY/private_key";
database.connection_string = "postgresql:///dendrite?host=/run/postgresql";
};
client_api.registration_shared_secret = "$REGISTRATION_SHARED_SECRET";
app_service_api.config_files = [
"$CREDENTIALS_DIRECTORY/whatsapp_registration"
"$CREDENTIALS_DIRECTORY/signal_registration"
"$CREDENTIALS_DIRECTORY/discord_registration"
];
app_service_api.database.connection_string = "";
federation_api.database.connection_string = "";
key_server.database.connection_string = "";
relay_api.database.connection_string = "";
media_api.database.connection_string = "";
room_server.database.connection_string = "";
sync_api.database.connection_string = "";
user_api.account_database.connection_string = "";
user_api.device_database.connection_string = "";
mscs.database.connection_string = "";
};
loadCredential = [
"private_key:${config.sops.secrets.dendrite-private-key.path}"
"whatsapp_registration:/var/lib/mautrix-whatsapp/whatsapp-registration.yaml"
"signal_registration:/var/lib/mautrix-signal/signal-registration.yaml"
"discord_registration:/var/lib/mautrix-discord/discord-registration.yaml"
];
environmentFile = config.sops.secrets.matrix-shared-secret.path;
};
users.users.mautrix-whatsapp = {
isSystemUser = true;
group = "mautrix-whatsapp";
home = "/var/lib/mautrix-whatsapp";
description = "Mautrix-WhatsApp bridge user";
};
users.groups.mautrix-whatsapp = {};
systemd.services.mautrix-whatsapp = let
dataDir = "/var/lib/mautrix-whatsapp";
registrationFile = "${dataDir}/whatsapp-registration.yaml";
settingsFile = "${dataDir}/config.json";
settingsFileUnsubstituted = settingsFormat.generate "mautrix-whatsapp-config-unsubstituted.json" defaultConfig;
settingsFormat = pkgs.formats.json {};
appservicePort = 29318;
defaultConfig = {
homeserver = {
address = "http://[::1]:8008";
domain = "cloonar.com";
};
appservice = {
hostname = "[::]";
port = appservicePort;
database.type = "sqlite3";
database.uri = "${dataDir}/mautrix-whatsapp.db";
id = "whatsapp";
bot.username = "whatsappbot";
bot.displayname = "WhatsApp Bridge Bot";
as_token = "";
hs_token = "";
};
bridge = {
username_template = "whatsapp_{{.}}";
displayname_template = "{{if .BusinessName}}{{.BusinessName}}{{else if .PushName}}{{.PushName}}{{else}}{{.JID}}{{end}} (WA)";
double_puppet_server_map = {};
login_shared_secret_map = {};
command_prefix = "!wa";
permissions."*" = "relay";
permissions."cloonar.com" = "user";
relay.enabled = true;
history_sync.request_full_sync = false;
encryption = {
allow = true;
default = true;
require = true;
};
};
logging = {
min_level = "info";
writers = lib.singleton {
type = "stdout";
format = "pretty-colored";
time_format = " ";
};
};
};
in {
description = "Mautrix-WhatsApp Service - A WhatsApp bridge for Matrix";
wantedBy = ["multi-user.target"];
wants = ["network-online.target"];
after = ["network-online.target"];
preStart = ''
test -f '${settingsFile}' && rm -f '${settingsFile}'
old_umask=$(umask)
umask 0177
${pkgs.envsubst}/bin/envsubst \
-o '${settingsFile}' \
-i '${settingsFileUnsubstituted}'
umask $old_umask
# generate the appservice's registration file if absent
if [ ! -f '${registrationFile}' ]; then
${pkgs.mautrix-whatsapp}/bin/mautrix-whatsapp \
--generate-registration \
--config='${settingsFile}' \
--registration='${registrationFile}'
fi
chmod 640 ${registrationFile}
umask 0177
${pkgs.yq}/bin/yq -s '.[0].appservice.as_token = .[1].as_token
| .[0].appservice.hs_token = .[1].hs_token
| .[0]' '${settingsFile}' '${registrationFile}' \
> '${settingsFile}.tmp'
mv '${settingsFile}.tmp' '${settingsFile}'
umask $old_umask
'';
serviceConfig = {
User = "mautrix-whatsapp";
Group = "mautrix-whatsapp";
# EnvironmentFile = cfg.environmentFile;
StateDirectory = baseNameOf dataDir;
WorkingDirectory = dataDir;
ExecStart = ''
${pkgs.mautrix-whatsapp}/bin/mautrix-whatsapp \
--config='${settingsFile}' \
--registration='${registrationFile}' \
--ignore-unsupported-server
'';
LockPersonality = true;
MemoryDenyWriteExecute = true;
NoNewPrivileges = true;
PrivateDevices = true;
PrivateTmp = true;
PrivateUsers = true;
ProtectClock = true;
ProtectControlGroups = true;
ProtectHome = true;
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectSystem = "strict";
Restart = "on-failure";
RestartSec = "30s";
RestrictRealtime = true;
RestrictSUIDSGID = true;
SystemCallArchitectures = "native";
SystemCallErrorNumber = "EPERM";
SystemCallFilter = ["@system-service"];
Type = "simple";
UMask = 0027;
};
restartTriggers = [settingsFileUnsubstituted];
};
users.users.mautrix-signal = {
isSystemUser = true;
group = "mautrix-signal";
home = "/var/lib/mautrix-signal";
description = "Mautrix-Signal bridge user";
};
users.groups.mautrix-signal = {};
systemd.services.mautrix-signal = let
pkgswithsignal = import (fetchTarball "https://github.com/NixOS/nixpkgs/archive/fd698a4ab779fb7fb95425f1b56974ba9c2fa16c.tar.gz") {
config = {
permittedInsecurePackages = [
# needed for matrix
"olm-3.2.16"
];
};
};
dataDir = "/var/lib/mautrix-signal";
registrationFile = "${dataDir}/signal-registration.yaml";
settingsFile = "${dataDir}/config.json";
settingsFileUnsubstituted = settingsFormat.generate "mautrix-signal-config-unsubstituted.json" defaultConfig;
settingsFormat = pkgs.formats.json {};
appservicePort = 29328;
defaultConfig = {
homeserver = {
address = "http://[::1]:8008";
domain = "cloonar.com";
};
appservice = {
hostname = "[::]";
port = appservicePort;
database.type = "sqlite3";
database.uri = "file:${dataDir}/mautrix-signal.db?_txlock=immediate";
id = "signal";
bot = {
username = "signalbot";
displayname = "Signal Bridge Bot";
};
as_token = "";
hs_token = "";
};
bridge = {
username_template = "signal_{{.}}";
displayname_template = "{{or .ProfileName .PhoneNumber \"Unknown user\"}}";
double_puppet_server_map = { };
login_shared_secret_map = { };
command_prefix = "!signal";
permissions."*" = "relay";
permissions."cloonar.com" = "user";
relay.enabled = true;
encryption = {
allow = true;
default = true;
require = true;
};
};
logging = {
min_level = "info";
writers = lib.singleton {
type = "stdout";
format = "pretty-colored";
time_format = " ";
};
};
};
in {
description = "Mautrix-Signal Service - A Signal bridge for Matrix";
wantedBy = ["multi-user.target"];
wants = ["network-online.target"];
after = ["network-online.target"];
preStart = ''
test -f '${settingsFile}' && rm -f '${settingsFile}'
old_umask=$(umask)
umask 0177
${pkgs.envsubst}/bin/envsubst \
-o '${settingsFile}' \
-i '${settingsFileUnsubstituted}'
umask $old_umask
# generate the appservice's registration file if absent
if [ ! -f '${registrationFile}' ]; then
${pkgswithsignal.mautrix-signal}/bin/mautrix-signal \
--generate-registration \
--config='${settingsFile}' \
--registration='${registrationFile}'
fi
chmod 640 ${registrationFile}
umask 0177
${pkgs.yq}/bin/yq -s '.[0].appservice.as_token = .[1].as_token
| .[0].appservice.hs_token = .[1].hs_token
| .[0]
| if env.MAUTRIX_SIGNAL_BRIDGE_LOGIN_SHARED_SECRET then .bridge.login_shared_secret_map.[.homeserver.domain] = env.MAUTRIX_SIGNAL_BRIDGE_LOGIN_SHARED_SECRET else . end' \
'${settingsFile}' '${registrationFile}' > '${settingsFile}.tmp'
mv '${settingsFile}.tmp' '${settingsFile}'
umask $old_umask
'';
serviceConfig = {
User = "mautrix-signal";
Group = "mautrix-signal";
# EnvironmentFile = cfg.environmentFile;
StateDirectory = baseNameOf dataDir;
WorkingDirectory = dataDir;
ExecStart = ''
${pkgswithsignal.mautrix-signal}/bin/mautrix-signal \
--config='${settingsFile}' \
--registration='${registrationFile}' \
--ignore-unsupported-server
'';
LockPersonality = true;
MemoryDenyWriteExecute = true;
NoNewPrivileges = true;
PrivateDevices = true;
PrivateTmp = true;
PrivateUsers = true;
ProtectClock = true;
ProtectControlGroups = true;
ProtectHome = true;
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectSystem = "strict";
Restart = "on-failure";
RestartSec = "30s";
RestrictRealtime = true;
RestrictSUIDSGID = true;
SystemCallArchitectures = "native";
SystemCallErrorNumber = "EPERM";
SystemCallFilter = ["@system-service"];
Type = "simple";
UMask = 0027;
};
restartTriggers = [settingsFileUnsubstituted];
};
users.users.mautrix-discord = {
isSystemUser = true;
group = "mautrix-discord";
home = "/var/lib/mautrix-discord";
description = "Mautrix-Discord bridge user";
};
users.groups.mautrix-discord = {};
systemd.services.mautrix-discord = let
pkgswithdiscord = import (fetchTarball "https://github.com/NixOS/nixpkgs/archive/5ed627539ac84809c78b2dd6d26a5cebeb5ae269.tar.gz") {
config = {
permittedInsecurePackages = [
# needed for matrix
"olm-3.2.16"
];
};
};
dataDir = "/var/lib/mautrix-discord";
registrationFile = "${dataDir}/discord-registration.yaml";
settingsFile = "${dataDir}/config.json";
settingsFileUnsubstituted = settingsFormat.generate "mautrix-discord-config-unsubstituted.json" defaultConfig;
settingsFormat = pkgs.formats.json {};
appservicePort = 29329;
defaultConfig = {
homeserver = {
address = "http://[::1]:8008";
domain = "cloonar.com";
};
appservice = {
hostname = "[::]";
port = appservicePort;
database.type = "sqlite3";
database.uri = "file:${dataDir}/mautrix-discord.db?_txlock=immediate";
id = "discord";
bot = {
username = "discordbot";
displayname = "Discord Bridge Bot";
};
as_token = "";
hs_token = "";
};
bridge = {
username_template = "discord_{{.}}";
displayname_template = "{{or .ProfileName .PhoneNumber \"Unknown user\"}}";
double_puppet_server_map = { };
login_shared_secret_map = { };
command_prefix = "!discord";
permissions."*" = "relay";
permissions."cloonar.com" = "user";
relay.enabled = true;
encryption = {
allow = true;
default = true;
require = true;
};
};
logging = {
min_level = "info";
writers = lib.singleton {
type = "stdout";
format = "pretty-colored";
time_format = " ";
};
};
};
in {
description = "Mautrix-Discord Service - A Discord bridge for Matrix";
wantedBy = ["multi-user.target"];
wants = ["network-online.target"];
after = ["network-online.target"];
preStart = ''
test -f '${settingsFile}' && rm -f '${settingsFile}'
old_umask=$(umask)
umask 0177
${pkgs.envsubst}/bin/envsubst \
-o '${settingsFile}' \
-i '${settingsFileUnsubstituted}'
umask $old_umask
# generate the appservice's registration file if absent
if [ ! -f '${registrationFile}' ]; then
${pkgswithdiscord.mautrix-discord}/bin/mautrix-discord \
--generate-registration \
--config='${settingsFile}' \
--registration='${registrationFile}'
fi
chmod 640 ${registrationFile}
umask 0177
${pkgs.yq}/bin/yq -s '.[0].appservice.as_token = .[1].as_token
| .[0].appservice.hs_token = .[1].hs_token
| .[0]
| if env.MAUTRIX_DISCORD_BRIDGE_LOGIN_SHARED_SECRET then .bridge.login_shared_secret_map.[.homeserver.domain] = env.MAUTRIX_DISCORD_BRIDGE_LOGIN_SHARED_SECRET else . end' \
'${settingsFile}' '${registrationFile}' > '${settingsFile}.tmp'
mv '${settingsFile}.tmp' '${settingsFile}'
umask $old_umask
'';
serviceConfig = {
User = "mautrix-discord";
Group = "mautrix-discord";
# EnvironmentFile = cfg.environmentFile;
StateDirectory = baseNameOf dataDir;
WorkingDirectory = dataDir;
ExecStart = ''
${pkgswithdiscord.mautrix-discord}/bin/mautrix-discord \
--config='${settingsFile}' \
--registration='${registrationFile}'
'';
LockPersonality = true;
MemoryDenyWriteExecute = true;
NoNewPrivileges = true;
PrivateDevices = true;
PrivateTmp = true;
PrivateUsers = true;
ProtectClock = true;
ProtectControlGroups = true;
ProtectHome = true;
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectSystem = "strict";
Restart = "on-failure";
RestartSec = "30s";
RestrictRealtime = true;
RestrictSUIDSGID = true;
SystemCallArchitectures = "native";
SystemCallErrorNumber = "EPERM";
SystemCallFilter = ["@system-service"];
Type = "simple";
UMask = 0027;
};
restartTriggers = [settingsFileUnsubstituted];
};
}
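Review bot: The two `fetchTarball` calls that pin nixpkgs for `mautrix-signal` and `mautrix-discord` pass only a URL, so the archive is never integrity-checked and is re-fetched after `tarball-ttl`; pass the hash too, e.g. `fetchTarball { url = "https://github.com/NixOS/nixpkgs/archive/fd698a4ab779fb7fb95425f1b56974ba9c2fa16c.tar.gz"; sha256 = "<hash placeholder>"; }`, and likewise for the `5ed627539ac8…` archive. `services.dendrite.loadCredential` reads the three bridge registration files from `/var/lib/mautrix-*`, but those files are only created by each bridge's `preStart` and nothing orders `dendrite.service` after the bridge units, so on a fresh host dendrite's credential load fails until the bridges have run once; either add the ordering or document the bootstrap sequence in a comment. `clientConfig`, `serverConfig` and `mkWellKnown` are bound in the `let` but used nowhere in this file, which suggests the `/.well-known/matrix/server` and `/.well-known/matrix/client` locations needed for `server_name = "cloonar.com"` are missing. Each bridge's `EnvironmentFile` is commented out, so the `env.MAUTRIX_*_BRIDGE_LOGIN_SHARED_SECRET` branches in the yq filters can never fire; a comment stating that double-puppeting is intentionally unconfigured would keep that from reading as a bug.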


@@ -1,6 +1,8 @@
borg-passphrase: ENC[AES256_GCM,data:2WjoqMRmXvW9EGMmpMYhrC0Qt0Dk7QWlbEncZPdK2SxVljEoFibjVEr6jeYdAx6UkaXdjk9pD3PBbls2tWt0TiNQdh8=,iv:bHzASNjqqfPsQ/1w/oM7x0FubAzzRkn+iWrZlenU9rs=,tag:ektqi0rqEywg9YGybPQesw==,type:str] borg-passphrase: ENC[AES256_GCM,data:2WjoqMRmXvW9EGMmpMYhrC0Qt0Dk7QWlbEncZPdK2SxVljEoFibjVEr6jeYdAx6UkaXdjk9pD3PBbls2tWt0TiNQdh8=,iv:bHzASNjqqfPsQ/1w/oM7x0FubAzzRkn+iWrZlenU9rs=,tag:ektqi0rqEywg9YGybPQesw==,type:str]
borg-ssh-key: ENC[AES256_GCM,data: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,iv:U3+fjacm8+gZAjPQNz2mjFYTUbLyltTaPiSKb3lvCmk=,tag:ZR6zI1UijDayIvH3v35Hqg==,type:str] borg-ssh-key: ENC[AES256_GCM,data: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,iv:U3+fjacm8+gZAjPQNz2mjFYTUbLyltTaPiSKb3lvCmk=,tag:ZR6zI1UijDayIvH3v35Hqg==,type:str]
zammad-key-base: ENC[AES256_GCM,data:HO9MuwcwjryuXr5No8sCPfso5bpLtQCoczrC/R214ecVIFwwH1uhMeNO8Tlh6EjRLPo7aVTSz87Vx5yaNVezvHCs55G6TT9mcNS/v/V7sbFz9dNIgbFblY3gFIAa4cViioYc71wdb7d4Tta7qhse5zQ41KhAqCWuGDgFErQA4Oc=,iv:b1wY8fW0psircSlNXwDjPzNWK8NyAMNqegitNcqV6U4=,tag:oQ7nyO9TKOOu6IF7ODzpPA==,type:str] zammad-key-base: ENC[AES256_GCM,data:HO9MuwcwjryuXr5No8sCPfso5bpLtQCoczrC/R214ecVIFwwH1uhMeNO8Tlh6EjRLPo7aVTSz87Vx5yaNVezvHCs55G6TT9mcNS/v/V7sbFz9dNIgbFblY3gFIAa4cViioYc71wdb7d4Tta7qhse5zQ41KhAqCWuGDgFErQA4Oc=,iv:b1wY8fW0psircSlNXwDjPzNWK8NyAMNqegitNcqV6U4=,tag:oQ7nyO9TKOOu6IF7ODzpPA==,type:str]
dendrite-private-key: ENC[AES256_GCM,data:ZHDIa/iYSZGofE67JU63fHRdKbs/ZyEJY45tV6H8WZAOcduGafPYBo2NCZ7nqLbc2Z9dUUgsrpzvkQ3+VaWqFUv7YsE+CbCx4CeiLGMkj8EAGzX4rkJGHMzkkc2UT7v9znCnKACS3fZtU69trqVMcf1PzgqepOHMBku37dzpwOQC/Tc3UTuO72M=,iv:Ljun1/ruY9cDBm9vu62riUrpGjrWtFFx90GeE7uc3Yo=,tag:FF4xPb1SDhK/4ITr/idvYg==,type:str]
matrix-shared-secret: ENC[AES256_GCM,data:HeS4PT0R+TRU6Htwa5TChjK1VAjAdgSS8tSnva+ga3f+mEfJPTQ02pEvS2WFvcnchmEjNYy39zL/rbtX,iv:4yR+VgdJY3VcvLg18v+5jbJDSkFzaeyLNAZ0k8ivjdQ=,tag:RA96iSFDUdlXq30c/vkvpA==,type:str]
sops: sops:
kms: [] kms: []
gcp_kms: [] gcp_kms: []
@@ -25,8 +27,8 @@ sops:
Q05BN0VnQ0haeHBobWhRV0EzL3dLSEkKWlALiX5mvG8y0WUc8yFWMbcpSRrSGoQx Q05BN0VnQ0haeHBobWhRV0EzL3dLSEkKWlALiX5mvG8y0WUc8yFWMbcpSRrSGoQx
SHaOlDCjYvViZ7GPRLqnSwDGZ1clC6JsTbwKXrMsWdZBKvSO/VIWQw== SHaOlDCjYvViZ7GPRLqnSwDGZ1clC6JsTbwKXrMsWdZBKvSO/VIWQw==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2024-08-16T11:12:23Z" lastmodified: "2024-10-14T16:53:41Z"
mac: ENC[AES256_GCM,data:nMLxD/WP3LxLTECQ/wQjiDW3F2Lx8yeMTkNIg97eipebVZwTLiVGg4t+sVzen+X3t4tPixO2a72mWMtIVQKs8d2MzkydLh+LjYItUBP+uw/rnCjB0zfxiPN883+FO6q4+BoT0JJc4LUHbgQQWEDnKaqld4/ICE1xJbPZVEJWo40=,iv:JenHaRqB8ZVDRV5rUOgMURflqQzfOrt9pHege2oiT7g=,tag:xv0p2oW1P0FPqcrRoQ/6tw==,type:str] mac: ENC[AES256_GCM,data:DUi6zUrZBMVaYZ/BvWny7RwPgXe+vQ+odO30fGe8iZHj9d3gzB95F75CqIgENi4gVOA4CQDADE+p45z/mtl04HAh7RiT0/k21RSdQcH2W9AX525fOzeqbxbPA/tXJOctwGrytFwlK9UdJULXkJCwYrJnwNc0XPnBk1FodTykXWs=,iv:q/eapgTVL/rifrrZeIcXT5VO9bEoS4EmmEhYJ2xHvQ4=,tag:xb0Qj/wu17cLTkvefsDqiw==,type:str]
pgp: [] pgp: []
unencrypted_suffix: _unencrypted unencrypted_suffix: _unencrypted
version: 3.8.1 version: 3.8.1


@@ -10,7 +10,6 @@
}; };
}; };
services.nginx.enable = true;
services.nginx.virtualHosts."support.cloonar.com" = { services.nginx.virtualHosts."support.cloonar.com" = {
forceSSL = true; forceSSL = true;
enableACME = true; enableACME = true;


@@ -11,6 +11,7 @@ gitea-runner-token: ENC[AES256_GCM,data:Nd0vsnuJficsdZaqeBZXa9vD7PLMdDtV9sMX0TxU
drone: ENC[AES256_GCM,data:S8WTZqGHfcdpSojavZ87GdE5dagcTAdHBVQEbHHgnB4V7aczS6c5QdEJxK920Pjpf6o54OOQYniVsPiiXSxwjExDKPzhs/DG2hfigmf8RgfkP+3tF2W0KiPmV2jxog8w226ZKnI+hSBs8tuIfJBhrpY7Y/YNmTPfq+cnnLS8ibYqytcpzoogI9I8THzHCu3r+yejoGSyTMs9L4gPhOjz5aK4UV6V,iv:zqN/aSBI3xGGNDnpHPGyQnQP2YZOGUk6dAGtON/QlHU=,tag:o9YFDKAB5uR9lPmChyxB8g==,type:str] drone: ENC[AES256_GCM,data:S8WTZqGHfcdpSojavZ87GdE5dagcTAdHBVQEbHHgnB4V7aczS6c5QdEJxK920Pjpf6o54OOQYniVsPiiXSxwjExDKPzhs/DG2hfigmf8RgfkP+3tF2W0KiPmV2jxog8w226ZKnI+hSBs8tuIfJBhrpY7Y/YNmTPfq+cnnLS8ibYqytcpzoogI9I8THzHCu3r+yejoGSyTMs9L4gPhOjz5aK4UV6V,iv:zqN/aSBI3xGGNDnpHPGyQnQP2YZOGUk6dAGtON/QlHU=,tag:o9YFDKAB5uR9lPmChyxB8g==,type:str]
home-assistant-ldap: ENC[AES256_GCM,data:uZEPbSnkgQYSd8ev6FD8TRHWWr+vusadtMcvP7KKL2AZAV0h1hga5fODN6I5u0DNL9hq2pNM+FwU0E/svWLRww==,iv:IhmUgSu34NaAY+kUZehx40uymydUYYAyte1aGqQ33/8=,tag:BKFCJPr7Vz4EG78ry/ZD7g==,type:str] home-assistant-ldap: ENC[AES256_GCM,data:uZEPbSnkgQYSd8ev6FD8TRHWWr+vusadtMcvP7KKL2AZAV0h1hga5fODN6I5u0DNL9hq2pNM+FwU0E/svWLRww==,iv:IhmUgSu34NaAY+kUZehx40uymydUYYAyte1aGqQ33/8=,tag:BKFCJPr7Vz4EG78ry/ZD7g==,type:str]
home-assistant-secrets.yaml: ENC[AES256_GCM,data:m7uOVo7hPk/RmqqRS6y7NKoMKsR9Bdi1ntatsZdDOAbJMjZmZL2FgPEHi/zF73zCfRfTOca3dwpulR3WXZ9Ic1sbUIggmusJMg4Gellw1CUhx7SbQN5nieAbPbB9GVxMuV4OakD1u7Swz8JggDT6IwojSnuD5omCRCyUH1wvKB+Re59q6EStderlm5MJNVFlVrbKVbLKLcw4yRgTh34BGnTTjcJmgSlQjO1ciu2B7YQmdl0Fw6d8AdbEzgB5TFG5ONc85UhJDE8Wlw==,iv:GCtpcVChN2UMWtfnWURozCfVj2YbRPqp/bH4Jjntybs=,tag:pcxP7gTBtXMNT5iyW5YXTw==,type:str] home-assistant-secrets.yaml: ENC[AES256_GCM,data:m7uOVo7hPk/RmqqRS6y7NKoMKsR9Bdi1ntatsZdDOAbJMjZmZL2FgPEHi/zF73zCfRfTOca3dwpulR3WXZ9Ic1sbUIggmusJMg4Gellw1CUhx7SbQN5nieAbPbB9GVxMuV4OakD1u7Swz8JggDT6IwojSnuD5omCRCyUH1wvKB+Re59q6EStderlm5MJNVFlVrbKVbLKLcw4yRgTh34BGnTTjcJmgSlQjO1ciu2B7YQmdl0Fw6d8AdbEzgB5TFG5ONc85UhJDE8Wlw==,iv:GCtpcVChN2UMWtfnWURozCfVj2YbRPqp/bH4Jjntybs=,tag:pcxP7gTBtXMNT5iyW5YXTw==,type:str]
matrix-shared-secret: ENC[AES256_GCM,data:67imd3m6WBeGP/5Msmjy8B6sP983jMyWzRIzWgNVV5jZslX+GBJyEYzm3OTDs1iTZf4ScvuYheTH0QFPfw==,iv:7ElCpESWumbIHmmFaedcpkFm5M58ZT3vW9wb9e1Sbh4=,tag:wr4FIymtJBtCerVqae+Xlw==,type:str]
palworld: ENC[AES256_GCM,data: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,iv:gs78fxhvo9KlTaR5nzs12/LdgPChSFPHD2k4VQp3ARo=,tag:lpWBOi9xh2cWkS+71KD/UQ==,type:str] palworld: ENC[AES256_GCM,data:rdqChPt4gSJHS1D60+HJ+4m5mg35JbC+pOmevK21Y95QyAIeyBLVGhRYlOaUcqdZM2e4atyTTSf6z4nHsm539ddCbW7J2DCdF5PQkrAGDmmdTVq+jyJAT8gTrbXXCglT1wvFYY5dbf2NKA4ASJIA8bdVNuwRZU0CtFiishzLuc9m8ZcGCNwQ/+xkMZgkUAHYRlEJAZyMpXR6KkFftiR05JRAFczD4N7GXPPe+vyvgXg7QBGtf20Qd4SGBUw0zI/SNTRmifHUuc4Z6+Fe9JHgvTc3uFcTMVnty0fEuL+a29liaVdAFq8BnqJfc5CNV401ZSUeMbG41lCn1cegP/WChs9J6HXNrhWDgiXa6ln++NoKcfOHIfZVbYOCoOxFR6+YWeBU2+sHmdwI9j5XQf5Ly2hmg12j0Ds2Cn8k4PG5aQP+HT2bedqyxwSt6fi97A0Osnh4ig7+DzYAjSNLewbYLzVdK39VdvB9hqLto+yFS3gAaeYOHwPwtqa+COI85c55lHiyKHlSwPhBqYaaiDu00lQTUzq9R5vz6F/l+T3bUjuna5RryUu8yhnk5DyK834KycTOg4ETcZTqro6prfiEBxc+Utsc9JvEtZgwFv6fsVLOu7nHxuiYuvseZ4YA8LlYdwPJboMPO2XsuhwWtT1uz/rh2orH7/vsXvzA/kF8NFemWBEMVLYA8byC5ze8doiGDYp4T5AAf10nJB1ceQ==,iv:gs78fxhvo9KlTaR5nzs12/LdgPChSFPHD2k4VQp3ARo=,tag:lpWBOi9xh2cWkS+71KD/UQ==,type:str]
ark: ENC[AES256_GCM,data:YYGyzoVIKI9Ac1zGOr0BEpd3fgBsvp1hSwAvfO07/EQdg8ufMWUkNvqNHDKN62ZK5A1NnY3JTA1p4gyZ4ryQeAOsbwqU1GSk2YKHFyPeEnpLz/Ml82KMsv7XPGXuKRXZ4v3UcLu0R8k1Q0gQsMWo4FjCs3FF5mVtJG/YWxxbCYHoBLJ/di5p0DgjuFgJBQknYBpuLzr+yIoeqEyN7XcGYAJO53trEJuOOxLILULifkqISHjZ66i5F1fHW0iUdRbmeWV4aOAeOrsQqXYv,iv:gJwV5ip84zHqpU0l0uESfWWOtcgihMvEEdLaeI+twcU=,tag:sy8udVQsKxV/jOqwhJmWAg==,type:str] ark: ENC[AES256_GCM,data:YYGyzoVIKI9Ac1zGOr0BEpd3fgBsvp1hSwAvfO07/EQdg8ufMWUkNvqNHDKN62ZK5A1NnY3JTA1p4gyZ4ryQeAOsbwqU1GSk2YKHFyPeEnpLz/Ml82KMsv7XPGXuKRXZ4v3UcLu0R8k1Q0gQsMWo4FjCs3FF5mVtJG/YWxxbCYHoBLJ/di5p0DgjuFgJBQknYBpuLzr+yIoeqEyN7XcGYAJO53trEJuOOxLILULifkqISHjZ66i5F1fHW0iUdRbmeWV4aOAeOrsQqXYv,iv:gJwV5ip84zHqpU0l0uESfWWOtcgihMvEEdLaeI+twcU=,tag:sy8udVQsKxV/jOqwhJmWAg==,type:str]
firefox-sync: ENC[AES256_GCM,data:uAJAdyKAuXRuqCFl8742vIejU5RnAPpUxUFCC0s0QeXZR5oH2YOrDh+3vKUmckW4V1cIhSHoe+4+I4HuU5E73DDrJThfIzBEw+spo4HXwZf5KBtu3ujgX6/fSTlPWV7pEsDDsZ0y6ziKPADBDym8yEk0bU9nRedvTBUhVryo3aolzF/c+gJvdeDvKUYa8+8=,iv:yuvE4KG7z7Rp9ZNlLiJ2rh0keed3DuvrELzsfJu4+bs=,tag:HFo1A53Eva31NJ8fRE7TlA==,type:str] firefox-sync: ENC[AES256_GCM,data:uAJAdyKAuXRuqCFl8742vIejU5RnAPpUxUFCC0s0QeXZR5oH2YOrDh+3vKUmckW4V1cIhSHoe+4+I4HuU5E73DDrJThfIzBEw+spo4HXwZf5KBtu3ujgX6/fSTlPWV7pEsDDsZ0y6ziKPADBDym8yEk0bU9nRedvTBUhVryo3aolzF/c+gJvdeDvKUYa8+8=,iv:yuvE4KG7z7Rp9ZNlLiJ2rh0keed3DuvrELzsfJu4+bs=,tag:HFo1A53Eva31NJ8fRE7TlA==,type:str]
@@ -47,8 +48,8 @@ sops:
ejhXSmVkVjlhRDF3d1JDQlBzd2N3WncK6taU4OsyYoZc5P/2fMrSidLo2tYcH6Yw ejhXSmVkVjlhRDF3d1JDQlBzd2N3WncK6taU4OsyYoZc5P/2fMrSidLo2tYcH6Yw
tNJRIOqR2Iq1M4ey27jnTdw3NvYKyxjn60ZeW2xcn8CYrpf0X4gLQA== tNJRIOqR2Iq1M4ey27jnTdw3NvYKyxjn60ZeW2xcn8CYrpf0X4gLQA==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2024-08-02T22:57:14Z" lastmodified: "2024-10-13T22:30:43Z"
mac: ENC[AES256_GCM,data:U9/pKXdqXMvjQgyTIGz0JG+88aBXVgp29Fmm0OE66KMArkX8ungcEtdnGYKhD0gFJKLrKZZY5V8oyAXEq95D+Bh8ZnfmQibYw04cPldc6kTZstsrpbzrWVfn6sqG/ih12oXdsLws+H6IeN+O2qGZHDIVjvPufAdJ3A2X+Yakahg=,iv:mG+dGv3l/PNhggvlujLxDGU5z47qVA9sOTUbU2b2dPo=,tag:Rz2av33iwa9aYR7c0cviEg==,type:str] mac: ENC[AES256_GCM,data:sEySfQaBevydqFBOab7RPCse8fOwiix6GIsXeR9paBCCCHOxDZDusdn0/k97wLeWzvHi0SJB/8+g8qlqXtRuJ/3mT1vJxfWwoJk3gz2WD+d8recG+KkdtkSGu04addHgBZQqGqhOfkRHYypVW3GaBfLteY08nvob4/yjaHCtGig=,iv:lsHvIovstgHmY6OrV3CO0tju2OQb1AcWgMov8klkSqA=,tag:zcvCoCwTgeZhhS1MOvH3HA==,type:str]
pgp: [] pgp: []
unencrypted_suffix: _unencrypted unencrypted_suffix: _unencrypted
version: 3.8.1 version: 3.8.1


@@ -0,0 +1,49 @@
{ config, pkgs, ... }:
{
imports = [
./utils/bento.nix
./utils/modules/sops.nix
./utils/modules/lego/lego.nix
# ./modules/self-service-password.nix
./modules/rspamd.nix
./modules/openldap.nix
./modules/dovecot.nix
./modules/postfix.nix
./utils/modules/borgbackup.nix
./utils/modules/promtail
./utils/modules/victoriametrics
./utils/modules/netdata.nix
./hardware-configuration.nix
];
sops.defaultSopsFile = ./secrets.yaml;
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
networking.hostName = "mail";
networking.domain = "cloonar.com";
services.openssh.enable = true;
users.users.root.openssh.authorizedKeys.keys = [
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDN/2SAFm50kraB1fepAizox/QRXxB7WbqVbH+5OPalDT47VIJGNKOKhixQoqhABHxEoLxdf/C83wxlCVlPV9poLfDgVkA3Lyt5r3tSFQ6QjjOJAgchWamMsxxyGBedhKvhiEzcr/Lxytnoz3kjDG8fqQJwEpdqMmJoMUfyL2Rqp16u+FQ7d5aJtwO8EUqovhMaNO7rggjPpV/uMOg+tBxxmscliN7DLuP4EMTA/FwXVzcFNbOx3K9BdpMRAaSJt4SWcJO2cS2KHA5n/H+PQI7nz5KN3Yr/upJN5fROhi/SHvK39QOx12Pv7FCuWlc+oR68vLaoCKYhnkl3DnCfc7A7"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIRQuPqH5fdX3KEw7DXzWEdO3AlUn1oSmtJtHB71ICoH Generated By Termius"
];
# backups
borgbackup.repo = "u149513-sub7@u149513-sub7.your-backup.de:borg";
networking.firewall = {
enable = true;
allowedTCPPorts = [ 22 80 443 ];
};
nix.gc = {
automatic = true;
options = "--delete-older-than 60d";
};
system.stateVersion = "22.11";
}
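Review bot: `services.openssh.enable = true` is set without `settings.PasswordAuthentication = false`, and NixOS leaves password authentication on by default, so this host — which opens port 22 in `networking.firewall.allowedTCPPorts` — accepts password logins although access is clearly meant to be key-only (only `root.openssh.authorizedKeys.keys` is populated). Add `services.openssh.settings.PasswordAuthentication = false;` and `services.openssh.settings.KbdInteractiveAuthentication = false;` next to the enable line. `allowedTCPPorts = [ 22 80 443 ]` lists no mail ports; presumably the postfix/dovecot modules under `./modules/` open 25/465/587/993 themselves, but a comment saying so would stop a later reader from re-opening them here.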


@@ -0,0 +1,15 @@
{ modulesPath, ... }:
{
imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
boot.loader.grub = {
efiSupport = true;
efiInstallAsRemovable = true;
device = "nodev";
configurationLimit = 2;
};
fileSystems."/boot" = { device = "/dev/disk/by-uuid/105A-0CC0"; fsType = "vfat"; };
boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "xen_blkfront" ];
boot.initrd.kernelModules = [ "nvme" ];
fileSystems."/" = { device = "/dev/sda1"; fsType = "ext4"; };
}
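Review bot: The `fileSystems."/"` line addresses the root disk as `/dev/sda1` while `/boot` is addressed by UUID; on a qemu guest with `xen_blkfront` and `nvme` in the initrd module list the `sda` name can change with attachment order, so the two should be consistent, e.g. `fileSystems."/" = { device = "/dev/disk/by-uuid/<ROOT-UUID>"; fsType = "ext4"; };` (placeholder — take the value from `blkid`).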


@@ -0,0 +1,266 @@
{ pkgs
, config
, ...
}:
let
domain = config.networking.domain;
# domain = "cloonar.com";
ldapConfig = pkgs.writeText "dovecot-ldap.conf" ''
hosts = ldap.cloonar.com
tls = yes
dn = "cn=vmail,ou=system,ou=users,dc=cloonar,dc=com"
dnpass = "@ldap-password@"
auth_bind = no
ldap_version = 3
base = ou=users,dc=%Dd
user_filter = (&(objectClass=mailAccount)(mail=%u))
user_attrs = \
quota=quota_rule=*:bytes=%$, \
=home=/var/vmail/%d/%n/, \
=mail=maildir:/var/vmail/%d/%n/Maildir
pass_attrs = mail=user,userPassword=password
pass_filter = (&(objectClass=mailAccount)(mail=%u))
iterate_attrs = =user=%{ldap:mail}
iterate_filter = (objectClass=mailAccount)
scope = subtree
default_pass_scheme = CRYPT
'';
doveSync = pkgs.writeShellScriptBin "dove-sync.sh" ''
#!/usr/bin/env bash
SERVER=''${1}
if [ -z "$SERVER" ]; then
echo "use as dove-sync.sh host.example.com"
exit 1
fi
doveadm user *@cloonar.com | while read user; do
doveadm -v sync -u $user $SERVER
done
doveadm user *@optiprot.eu | while read user; do
doveadm -v sync -u $user $SERVER
done
doveadm user *@superbros.tv | while read user; do
doveadm -v sync -u $user $SERVER
done
doveadm user *@ghetto.at | while read user; do
doveadm -v sync -u $user $SERVER
done
doveadm user *@szaku-consulting.at | while read user; do
doveadm -v sync -u $user $SERVER
done
doveadm user *@korean-skin.care | while read user; do
doveadm -v sync -u $user $SERVER
done
'';
quotaWarning = pkgs.writeShellScriptBin "quota-warning.sh" ''
#!/usr/bin/env bash
PERCENT=''${1}
USER=''${2}
cat << EOF | /usr/lib/dovecot/deliver -d ''${USER} -o "plugin/quota=dict:User quota::noenforcing:proxy::quotadict"
From: no-reply@$(hostname -f)
Subject: Warning: Your mailbox is now ''${PERCENT}% full.
Your mailbox is now ''${PERCENT}% full, please clean up some mails for further incoming mails.
EOF
if [ ''${PERCENT} -ge 95 ]; then
DOMAIN="$(echo ''${USER} | awk -F'@' '{print $2}')"
cat << EOF | /usr/lib/dovecot/deliver -d postmaster@''${DOMAIN} -o "plugin/quota=dict:User quota::noenforcing:proxy::quotadict"
From: no-reply@$(hostname -f)
Subject: Mailbox Quota Warning: ''${PERCENT}% full, ''${USER}
Mailbox (''${USER}) is now ''${PERCENT}% full, please clean up some mails for
further incoming mails.
EOF
fi
'';
in
{
environment.systemPackages = with pkgs; [
doveSync
];
services.dovecot2 = {
enable = true;
enableImap = true;
enableLmtp = true;
enablePAM = false;
mailLocation = "maildir:/var/vmail/%d/%n/Maildir";
mailUser = "vmail";
mailGroup = "vmail";
extraConfig = ''
ssl = yes
ssl_cert = </var/lib/acme/imap.${domain}/fullchain.pem
ssl_key = </var/lib/acme/imap.${domain}/key.pem
ssl_min_protocol = TLSv1.2
ssl_cipher_list = EECDH+AESGCM:EDH+AESGCM
ssl_prefer_server_ciphers = yes
ssl_dh=<${config.security.dhparams.params.dovecot2.path}
mail_plugins = virtual fts fts_lucene quota acl
service lmtp {
user = vmail
unix_listener /var/lib/postfix/queue/private/dovecot-lmtp {
group = postfix
mode = 0600
user = postfix
}
}
service doveadm {
inet_listener {
port = 4170
ssl = yes
}
}
protocol imap {
mail_plugins = $mail_plugins imap_quota imap_acl
}
protocol lmtp {
postmaster_address=postmaster@${domain}
hostname=mail.cloonar.com
mail_plugins = $mail_plugins sieve
}
service auth {
unix_listener auth-userdb {
mode = 0640
user = vmail
group = vmail
}
# Postfix smtp-auth
unix_listener /var/lib/postfix/queue/private/auth {
mode = 0666
user = postfix
group = postfix
}
}
userdb {
args = /run/dovecot2/ldap.conf
driver = ldap
}
passdb {
args = /run/dovecot2/ldap.conf
driver = ldap
}
service imap-login {
client_limit = 1000
service_count = 0
inet_listener imaps {
port = 993
}
}
service managesieve-login {
inet_listener sieve {
port = 4190
}
}
service quota-warning {
executable = script ${quotaWarning}/bin/quota-warning.sh
unix_listener quota-warning {
user = vmail
group = vmail
mode = 0660
}
}
service quota-status {
# '-p <protocol>'. Currently only 'postfix' protocol is supported.
executable = quota-status -p postfix
client_limit = 1
inet_listener {
address = 127.0.0.1
port = 12340
}
}
protocol sieve {
managesieve_logout_format = bytes ( in=%i : out=%o )
}
plugin {
sieve_dir = /var/vmail/%d/%n/sieve/scripts/
sieve = /var/vmail/%d/%n/sieve/active-script.sieve
sieve_extensions = +vacation-seconds +editheader
sieve_vacation_min_period = 1min
fts = lucene
fts_lucene = whitespace_chars=@.
quota_warning = storage=100%% quota-warning 100 %u
quota_warning2 = storage=95%% quota-warning 95 %u
quota_warning3 = storage=90%% quota-warning 90 %u
quota_warning4 = storage=85%% quota-warning 85 %u
quota_grace = 10%%
quota_status_success = DUNNO
quota_status_nouser = DUNNO
quota_status_overquota = "552 5.2.2 Mailbox is full"
}
# If you have Dovecot v2.2.8+ you may get a significant performance improvement with fetch-headers:
imapc_features = $imapc_features fetch-headers
# Read multiple mails in parallel, improves performance
mail_prefetch_count = 20
'';
modules = [
pkgs.dovecot_pigeonhole
];
protocols = [
"sieve"
];
};
users.users.vmail = {
home = "/var/vmail";
createHome = true;
isSystemUser = true;
uid = 1000;
shell = "/run/current-system/sw/bin/nologin";
};
security.dhparams = {
enable = true;
params.dovecot2 = { };
};
sops.secrets.dovecot-ldap-password = { };
systemd.services.dovecot2.preStart = ''
sed -e "s/@ldap-password@/$(cat ${config.sops.secrets.dovecot-ldap-password.path})/" ${ldapConfig} > /run/dovecot2/ldap.conf
'';
systemd.services.dovecot2 = {
wants = [ "acme-imap.${domain}.service" ];
after = [ "acme-imap.${domain}.service" ];
};
users.groups.acme.members = [ "openldap" ];
/* trigger the actual certificate generation for your hostname */
security.acme.certs."imap.${domain}" = {
extraDomainNames = [
"imap-test.${domain}"
"imap-02.${domain}"
];
postRun = "systemctl restart dovecot2.service";
};
networking.firewall.allowedTCPPorts = [
143 # imap
993 # imaps
4190 # sieve
];
}
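Review bot: `systemd.services.dovecot2.preStart` splices the LDAP bind password into a sed expression via `$(cat …)`, which exposes the secret in sed's argument vector (readable through `/proc/<pid>/cmdline` by any local user while it runs), breaks if the password contains `/`, `&` or `\`, and writes `/run/dovecot2/ldap.conf` under the default umask, so the file is world-readable unless `/run/dovecot2` itself is created with a restrictive mode. The same pattern is repeated five times in `systemd.services.postfix.preStart` in the postfix module further down. Prefer rendering the file from a sops-nix template (`sops.templates."dovecot-ldap.conf".content` with `config.sops.placeholder.dovecot-ldap-password`, if your sops-nix version has templates), or at least run the substitution under `umask 077` and take the replacement from the secret file rather than argv. Separately, `quota-warning.sh` calls `/usr/lib/dovecot/deliver`, a path that does not exist on NixOS, so quota warnings will fail silently; point it at the dovecot package's `dovecot-lda` (check the exact store path). The unquoted `doveadm user *@cloonar.com` globs in `dove-sync.sh` should be quoted so the shell cannot expand them against files in the working directory.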


@@ -0,0 +1,508 @@
{
pkgs,
config,
...
}:
let
domain = config.networking.domain;
# domain = "cloonar.com";
in {
services.openldap = {
enable = true;
urlList = [ "ldap:///" "ldaps:///" ];
settings.attrs = {
olcLogLevel = "-1";
olcTLSCACertificateFile = "/var/lib/acme/ldap.${domain}/full.pem";
olcTLSCertificateFile = "/var/lib/acme/ldap.${domain}/cert.pem";
olcTLSCertificateKeyFile = "/var/lib/acme/ldap.${domain}/key.pem";
olcTLSCipherSuite = "HIGH:MEDIUM:+3DES:+RC4:+aNULL";
olcTLSCRLCheck = "none";
olcTLSVerifyClient = "never";
olcTLSProtocolMin = "3.1";
olcSecurity = "tls=1";
};
settings.children = {
"cn=schema".includes = [
"${pkgs.openldap}/etc/schema/core.ldif"
"${pkgs.openldap}/etc/schema/cosine.ldif"
"${pkgs.openldap}/etc/schema/inetorgperson.ldif"
"${pkgs.openldap}/etc/schema/nis.ldif"
];
"olcDatabase={1}mdb".attrs = {
objectClass = ["olcDatabaseConfig" "olcMdbConfig"];
olcDatabase = "{1}mdb";
olcDbDirectory = "/var/lib/openldap/data";
olcSuffix = "dc=cloonar,dc=com";
olcRootDN = "cn=admin,dc=cloonar,dc=com";
olcRootPW.path = config.sops.secrets.openldap-rootpw.path;
olcAccess = [
''
{0}to attrs=userPassword
by self write
by anonymous auth
by dn="cn=owncloud,ou=system,ou=users,dc=cloonar,dc=com" write
by dn.subtree="ou=system,ou=users,dc=cloonar,dc=com" read
by group.exact="cn=Administrators,ou=groups,dc=cloonar,dc=com" write
by * none
''
''
{1}to attrs=loginShell
by self write
by dn.subtree="ou=system,ou=users,dc=cloonar,dc=com" read
by group.exact="cn=Administrators,ou=groups,dc=cloonar,dc=com" write
by * none
''
''
{2}to dn.subtree="ou=system,ou=users,dc=cloonar,dc=com"
by dn.subtree="ou=system,ou=users,dc=cloonar,dc=com" read
by group.exact="cn=Administrators,ou=groups,dc=cloonar,dc=com" write
by * none
''
''
{3}to *
by dn.subtree="ou=system,ou=users,dc=cloonar,dc=com" read
by dn="cn=admin,dc=cloonar,dc=com" write
by group.exact="cn=Administrators,ou=groups,dc=cloonar,dc=com" write
by * none
''
];
};
"olcOverlay=memberof,olcDatabase={1}mdb".attrs = {
objectClass = [ "olcOverlayConfig" "olcMemberOf" ];
olcOverlay = "memberof";
olcMemberOfRefint = "TRUE";
};
"olcOverlay=ppolicy,olcDatabase={1}mdb".attrs = {
objectClass = [ "olcOverlayConfig" "olcPPolicyConfig" ];
olcOverlay = "ppolicy";
olcPPolicyHashCleartext = "TRUE";
};
# "olcOverlay=syncprov,olcDatabase={1}mdb".attrs = {
# objectClass = ["olcOverlayConfig" "olcSyncProvConfig"];
# olcOverlay = "syncprov";
# olcSpSessionLog = "100";
# };
"olcDatabase={2}monitor".attrs = {
olcDatabase = "{2}monitor";
objectClass = ["olcDatabaseConfig" "olcMonitorConfig"];
olcAccess = [
''
{0}to *
by dn.exact="cn=netdata,ou=system,ou=users,dc=cloonar,dc=com" read
by * none
''
];
};
"olcDatabase={3}mdb".attrs = {
objectClass = ["olcDatabaseConfig" "olcMdbConfig"];
olcDatabase = "{3}mdb";
olcDbDirectory = "/var/lib/openldap/data";
olcSuffix = "dc=ghetto,dc=at";
olcAccess = [
''
{0}to attrs=userPassword
by self write
by anonymous auth
by dn="cn=owncloud,ou=system,ou=users,dc=cloonar,dc=com" write
by dn="cn=authelia,ou=system,ou=users,dc=cloonar,dc=com" write
by dn.subtree="ou=system,ou=users,dc=cloonar,dc=com" read
by group.exact="cn=Administrators,ou=groups,dc=cloonar,dc=com" write
by * none
''
''
{1}to *
by dn.subtree="ou=system,ou=users,dc=cloonar,dc=com" read
by group.exact="cn=Administrators,ou=groups,dc=cloonar,dc=com" write
by * read
''
];
};
"olcOverlay=memberof,olcDatabase={3}mdb".attrs = {
objectClass = [ "olcOverlayConfig" "olcMemberOf" ];
olcOverlay = "memberof";
olcMemberOfRefint = "TRUE";
};
"olcOverlay=ppolicy,olcDatabase={3}mdb".attrs = {
objectClass = [ "olcOverlayConfig" "olcPPolicyConfig" ];
olcOverlay = "ppolicy";
olcPPolicyHashCleartext = "TRUE";
};
"olcDatabase={4}mdb".attrs = {
objectClass = ["olcDatabaseConfig" "olcMdbConfig"];
olcDatabase = "{4}mdb";
olcDbDirectory = "/var/lib/openldap/data";
olcSuffix = "dc=superbros,dc=tv";
olcAccess = [
''
{0}to attrs=userPassword
by self write
by anonymous auth
by dn="cn=owncloud,ou=system,ou=users,dc=cloonar,dc=com" write
by dn.subtree="ou=system,ou=users,dc=cloonar,dc=com" read
by group.exact="cn=Administrators,ou=groups,dc=cloonar,dc=com" write
by * none
''
''
{1}to *
by dn.subtree="ou=system,ou=users,dc=cloonar,dc=com" read
by group.exact="cn=Administrators,ou=groups,dc=cloonar,dc=com" write
by * read
''
];
};
"olcOverlay=memberof,olcDatabase={4}mdb".attrs = {
objectClass = [ "olcOverlayConfig" "olcMemberOf" ];
olcOverlay = "memberof";
olcMemberOfRefint = "TRUE";
};
"olcOverlay=ppolicy,olcDatabase={4}mdb".attrs = {
objectClass = [ "olcOverlayConfig" "olcPPolicyConfig" ];
olcOverlay = "ppolicy";
olcPPolicyHashCleartext = "TRUE";
};
"olcDatabase={6}mdb".attrs = {
objectClass = ["olcDatabaseConfig" "olcMdbConfig"];
olcDatabase = "{6}mdb";
olcDbDirectory = "/var/lib/openldap/data";
olcSuffix = "dc=szaku-consulting,dc=at";
olcAccess = [
''
{0}to attrs=userPassword
by self write
by anonymous auth
by dn="cn=owncloud,ou=system,ou=users,dc=cloonar,dc=com" write
by dn.subtree="ou=system,ou=users,dc=cloonar,dc=com" read
by group.exact="cn=Administrators,ou=groups,dc=cloonar,dc=com" write
by * none
''
''
{1}to *
by dn.subtree="ou=system,ou=users,dc=cloonar,dc=com" read
by group.exact="cn=Administrators,ou=groups,dc=cloonar,dc=com" write
by * read
''
];
};
# "olcOverlay=memberof,olcDatabase={6}mdb".attrs = {
# objectClass = [ "olcOverlayConfig" "olcMemberOf" ];
# olcOverlay = "memberof";
# olcMemberOfRefint = "TRUE";
# };
# "olcOverlay=ppolicy,olcDatabase={6}mdb".attrs = {
# objectClass = [ "olcOverlayConfig" "olcPPolicyConfig" ];
# olcOverlay = "ppolicy";
# olcPPolicyHashCleartext = "TRUE";
# };
"olcDatabase={7}mdb".attrs = {
objectClass = ["olcDatabaseConfig" "olcMdbConfig"];
olcDatabase = "{7}mdb";
olcDbDirectory = "/var/lib/openldap/data";
olcSuffix = "dc=myhidden,dc=life";
olcAccess = [
''
{0}to attrs=userPassword
by self write
by anonymous auth
by dn="cn=owncloud,ou=system,ou=users,dc=cloonar,dc=com" write
by dn="cn=authelia,ou=system,ou=users,dc=cloonar,dc=com" write
by dn.subtree="ou=system,ou=users,dc=cloonar,dc=com" read
by group.exact="cn=Administrators,ou=groups,dc=cloonar,dc=com" write
by * none
''
''
{1}to *
by dn.subtree="ou=system,ou=users,dc=cloonar,dc=com" read
by group.exact="cn=Administrators,ou=groups,dc=cloonar,dc=com" write
by * read
''
];
};
# "olcOverlay=memberof,olcDatabase={7}mdb".attrs = {
# objectClass = [ "olcOverlayConfig" "olcMemberOf" ];
# olcOverlay = "memberof";
# olcMemberOfRefint = "TRUE";
# };
# "olcOverlay=ppolicy,olcDatabase={7}mdb".attrs = {
# objectClass = [ "olcOverlayConfig" "olcPPolicyConfig" ];
# olcOverlay = "ppolicy";
# olcPPolicyHashCleartext = "TRUE";
# };
"olcDatabase={8}mdb".attrs = {
objectClass = ["olcDatabaseConfig" "olcMdbConfig"];
olcDatabase = "{8}mdb";
olcDbDirectory = "/var/lib/openldap/data";
olcSuffix = "dc=korean-skin,dc=care";
olcAccess = [
''
{0}to attrs=userPassword
by self write
by anonymous auth
by dn="cn=owncloud,ou=system,ou=users,dc=cloonar,dc=com" write
by dn="cn=authelia,ou=system,ou=users,dc=cloonar,dc=com" write
by dn.subtree="ou=system,ou=users,dc=cloonar,dc=com" read
by group.exact="cn=Administrators,ou=groups,dc=cloonar,dc=com" write
by * none
''
''
{1}to *
by dn.subtree="ou=system,ou=users,dc=cloonar,dc=com" read
by group.exact="cn=Administrators,ou=groups,dc=cloonar,dc=com" write
by * read
''
];
};
# "cn=module{0},cn=config" = {
# attrs = {
# objectClass = "olcModuleList";
# cn = "module{0}";
# olcModuleLoad = "ppolicy.la";
# };
# };
"cn={3}cloonar,cn=schema" = {
attrs = {
cn = "{1}cloonar";
objectClass = "olcSchemaConfig";
olcObjectClasses = [
''
(1.3.6.1.4.1.28298.1.2.4 NAME 'cloonarUser'
SUP (mailAccount) AUXILIARY
DESC 'Cloonar Account'
MAY (sshPublicKey $ ownCloudQuota $ quota))
''
];
};
};
"cn={2}postfix,cn=schema".attrs = {
cn = "{2}postfix";
objectClass = "olcSchemaConfig";
olcAttributeTypes = [
''
(1.3.6.1.4.1.12461.1.1.1 NAME 'postfixTransport'
DESC 'A string directing postfix which transport to use'
EQUALITY caseExactIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{20} SINGLE-VALUE)''
''
(1.3.6.1.4.1.12461.1.1.5 NAME 'mailbox'
DESC 'The absolute path to the mailbox for a mail account in a non-default location'
EQUALITY caseExactIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE)
''
''
(1.3.6.1.4.1.12461.1.1.6 NAME 'quota'
DESC 'A string that represents the quota on a mailbox'
EQUALITY caseExactIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE)
''
''
(1.3.6.1.4.1.12461.1.1.8 NAME 'maildrop'
DESC 'RFC822 Mailbox - mail alias'
EQUALITY caseIgnoreIA5Match
SUBSTR caseIgnoreIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256})
''
];
olcObjectClasses = [
''
(1.3.6.1.4.1.12461.1.2.1 NAME 'mailAccount'
SUP top AUXILIARY
DESC 'Mail account objects'
MUST ( mail $ userPassword )
MAY ( cn $ description $ quota))
''
''
(1.3.6.1.4.1.12461.1.2.2 NAME 'mailAlias'
SUP top STRUCTURAL
DESC 'Mail aliasing/forwarding entry'
MUST ( mail $ maildrop )
MAY ( cn $ description ))
''
''
(1.3.6.1.4.1.12461.1.2.3 NAME 'mailDomain'
SUP domain STRUCTURAL
DESC 'Virtual Domain entry to be used with postfix transport maps'
MUST ( dc )
MAY ( postfixTransport $ description ))
''
''
(1.3.6.1.4.1.12461.1.2.4 NAME 'mailPostmaster'
SUP top AUXILIARY
DESC 'Added to a mailAlias to create a postmaster entry'
MUST roleOccupant)
''
];
};
"cn={1}openssh,cn=schema".attrs = {
cn = "{1}openssh";
objectClass = "olcSchemaConfig";
olcAttributeTypes = [
''
(1.3.6.1.4.1.24552.500.1.1.1.13
NAME 'sshPublicKey'
DESC 'MANDATORY: OpenSSH Public key'
EQUALITY octetStringMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
''
];
olcObjectClasses = [
''
(1.3.6.1.4.1.24552.500.1.1.2.0
NAME 'ldapPublicKey'
SUP top AUXILIARY
DESC 'MANDATORY: OpenSSH LPK objectclass'
MUST ( sshPublicKey $ uid ))
''
];
};
"cn={1}nextcloud,cn=schema".attrs = {
cn = "{1}nextcloud";
objectClass = "olcSchemaConfig";
olcAttributeTypes = [
''
(1.3.6.1.4.1.39430.1.1.1
NAME 'ownCloudQuota'
DESC 'User Quota (e.g. 15 GB)'
SYNTAX '1.3.6.1.4.1.1466.115.121.1.15')
''
];
olcObjectClasses = [
''
(1.3.6.1.4.1.39430.1.2.1
NAME 'ownCloud'
DESC 'ownCloud LDAP Schema'
AUXILIARY
MUST ( mail $ userPassword )
MAY ( ownCloudQuota ))
''
];
};
"cn={1}gogs,cn=schema".attrs = {
cn = "{1}gogs";
objectClass = "olcSchemaConfig";
olcObjectClasses = [
''
( 1.3.6.1.4.1.28293.1.2.4 NAME 'gitlab'
SUP uidObject AUXILIARY
DESC 'Added to an account to allow gitlab access'
MUST (mail))
''
];
};
"cn={1}homeAssistant,cn=schema".attrs = {
cn = "{1}homeAssistant";
objectClass = "olcSchemaConfig";
olcObjectClasses = [
''
(1.3.6.1.4.1.28297.1.2.4 NAME 'homeAssistant'
SUP uidObject AUXILIARY
DESC 'Added to an account to allow home-assistant access'
MUST (mail) )
''
];
};
# "cn={1}ttrss,cn=schema".attrs = {
# cn = "{1}ttrss";
# objectClass = "olcSchemaConfig";
# olcObjectClasses = [
# ''
# ( 1.3.6.1.4.1.28294.1.2.4 NAME 'ttrss'
# SUP top AUXILIARY
# DESC 'Added to an account to allow tinytinyrss access'
# MUST ( mail $ userPassword ))
# ''
# ];
# };
# "cn={1}prometheus,cn=schema".attrs = {
# cn = "{1}prometheus";
# objectClass = "olcSchemaConfig";
# olcObjectClasses = [
# ''
# ( 1.3.6.1.4.1.28296.1.2.4
# NAME 'prometheus'
# SUP uidObject AUXILIARY
# DESC 'Added to an account to allow prometheus access'
# MUST (mail))
# ''
# ];
# };
# "cn={1}loki,cn=schema".attrs = {
# cn = "{1}loki";
# objectClass = "olcSchemaConfig";
# olcObjectClasses = [
# ''
# ( 1.3.6.1.4.1.28299.1.2.4
# NAME 'loki'
# SUP uidObject AUXILIARY
# DESC 'Added to an account to allow loki access'
# MUST (mail))
# ''
# ];
# };
# "cn={1}flood,cn=schema".attrs = {
# cn = "{1}flood";
# objectClass = "olcSchemaConfig";
# olcObjectClasses = [
# ''
# (1.3.6.1.4.1.28300.1.2.4 NAME 'flood'
# SUP uidObject AUXILIARY
# DESC 'Added to an account to allow flood access'
# MUST (mail))
# ''
# ];
# };
};
};
/* ensure openldap is launched after certificates are created */
systemd.services.openldap = {
wants = [ "acme-${domain}.service" ];
after = [ "acme-${domain}.service" ];
};
users.groups.acme.members = [ "openldap" ];
/* trigger the actual certificate generation for your hostname */
security.acme.certs."ldap.${domain}" = {
extraDomainNames = [
"ldap-test.${domain}"
"ldap-02.${domain}"
];
postRun = "systemctl restart openldap.service";
};
sops.secrets.openldap-rootpw.owner = "openldap";
networking.firewall.allowedTCPPorts = [ 389 636 ];
}
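Review bot: `olcTLSCipherSuite = "HIGH:MEDIUM:+3DES:+RC4:+aNULL"` together with `olcTLSProtocolMin = "3.1"` admits anonymous (aNULL) key exchange, RC4/3DES and TLS 1.0 on the ldaps listener, which undercuts `olcSecurity = "tls=1"` because a client can end up encrypted without authenticating the server; in OpenSSL cipher-string syntax `+` only reorders, it never excludes. Use an explicit exclusion list and raise the floor to TLS 1.2: `olcTLSCipherSuite = "HIGH:!aNULL:!eNULL:!RC4:!3DES:!MD5";` and `olcTLSProtocolMin = "3.3";`. `olcLogLevel = "-1"` turns on every debug category including packet traces, which can put simple-bind credentials into the journal; `"stats"` is the usual production level. All six mdb databases ({1},{3},{4},{6},{7},{8}) set `olcDbDirectory` to the same `/var/lib/openldap/data`, and as far as I can tell back-mdb needs a separate LMDB environment per database, so it is worth confirming the secondary suffixes are really being persisted and not silently sharing or clobbering one `data.mdb`. Databases {3} through {8} also end their ACL with `by * read`, so everything except `userPassword` under those suffixes is readable by anonymous (TLS-only) binds, unlike `{1}` which ends with `by * none`.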


@@ -0,0 +1,246 @@
{ pkgs
, lib
, config
, ...
}:
let
domain = config.networking.domain;
ldapServer = "ldap.cloonar.com";
# domain = "cloonar.com";
domains = pkgs.writeText "domains.cf" ''
server_host = ldap://${ldapServer}
search_base = ou=domains,dc=cloonar,dc=com
version = 3
bind = yes
start_tls = yes
bind_dn = cn=vmail,ou=system,ou=users,dc=cloonar,dc=com
bind_pw = @ldap-password@
scope = one
query_filter = (&(dc=%s)(objectClass=mailDomain))
result_attribute = postfixTransport
debuglevel = 0
'';
mailboxes = pkgs.writeText "mailboxes.cf" ''
server_host = ldap://${ldapServer}
search_base = ou=users,dc=%2,dc=%1
version = 3
bind = yes
start_tls = yes
bind_dn = cn=vmail,ou=system,ou=users,dc=cloonar,dc=com
bind_pw = @ldap-password@
scope = sub
query_filter = (&(uid=%u)(objectClass=mailAccount))
result_attribute = mail
debuglevel = 0
'';
senderLoginMaps = pkgs.writeText "sender_login_maps.cf" ''
server_host = ldap://${ldapServer}
search_base = dc=%2,dc=%1
version = 3
bind = yes
start_tls = yes
bind_dn = cn=vmail,ou=system,ou=users,dc=cloonar,dc=com
bind_pw = @ldap-password@
scope = sub
query_filter = (|(&(objectClass=mailAccount)(uid=%u))(&(objectClass=mailAlias)(mail=%s)))
result_attribute = maildrop, mail
debuglevel = 0
'';
accountsmap = pkgs.writeText "accountsmap.cf" ''
server_host = ldap://${ldapServer}
search_base = ou=users,dc=%2,dc=%1
version = 3
bind = yes
start_tls = yes
bind_dn = cn=vmail,ou=system,ou=users,dc=cloonar,dc=com
bind_pw = @ldap-password@
scope = sub
query_filter = (&(objectClass=mailAccount)(uid=%u))
result_attribute = mail
debuglevel = 0
'';
aliases = pkgs.writeText "aliases.cf" ''
server_host = ldap://${ldapServer}
search_base = ou=aliases,dc=%2,dc=%1
version = 3
bind = yes
start_tls = yes
bind_dn = cn=vmail,ou=system,ou=users,dc=cloonar,dc=com
bind_pw = @ldap-password@
scope = one
query_filter = (&(objectClass=mailAlias)(mail=%s))
result_attribute = maildrop
debuglevel = 0
'';
helo_access = pkgs.writeText "helo_access" ''
/^([0-9\.]+)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server sent non RFC compliant HELO identity (''${1})
cloonar.com REJECT ACCESS DENIED. Your email was rejected because the sending mail server sent non RFC compliant HELO identity (''${1})
ghetto.at REJECT ACCESS DENIED. Your email was rejected because the sending mail server sent non RFC compliant HELO identity (''${1})
'';
in
{
services.postfix = {
enable = true;
enableSubmission = true;
hostname = "mail.${domain}";
domain = "cloonar.com";
masterConfig."465" = {
type = "inet";
private = false;
command = "smtpd";
args = [
"-o smtpd_client_restrictions=permit_sasl_authenticated,reject"
"-o syslog_name=postfix/smtps"
"-o smtpd_tls_wrappermode=yes"
"-o smtpd_sasl_auth_enable=yes"
"-o smtpd_tls_security_level=none"
"-o smtpd_reject_unlisted_recipient=no"
"-o smtpd_recipient_restrictions="
"-o smtpd_relay_restrictions=permit_sasl_authenticated,reject"
"-o milter_macro_daemon_name=ORIGINATING"
];
};
mapFiles."helo_access" = helo_access;
config = {
# debug_peer_list = "10.42.96.190";
# smtp_bind_address = config.networking.eve.ipv4.address;
# smtp_bind_address6 = "2a01:4f9:2b:1605::1";
mailbox_transport = "lmtp:unix:private/dovecot-lmtp";
virtual_mailbox_domains = "ldap:/run/postfix/domains.cf";
virtual_mailbox_maps = "ldap:/run/postfix/mailboxes.cf";
virtual_alias_maps = "ldap:/run/postfix/accountsmap.cf,ldap:/run/postfix/aliases.cf";
virtual_transport = "lmtp:unix:private/dovecot-lmtp";
smtpd_sender_login_maps = "ldap:/run/postfix/sender_login_maps.cf";
# Do not display the name of the recipient table in the "User unknown" responses.
# The extra detail makes trouble shooting easier but also reveals information
# that is nobody elses business.
show_user_unknown_table_name = "no";
compatibility_level = "2";
# bigger attachement size
mailbox_size_limit = "202400000";
message_size_limit = "51200000";
smtpd_helo_required = "yes";
smtpd_delay_reject = "yes";
strict_rfc821_envelopes = "yes";
# send Limit
smtpd_error_sleep_time = "1s";
smtpd_soft_error_limit = "10";
smtpd_hard_error_limit = "20";
smtpd_use_tls = "yes";
smtp_tls_note_starttls_offer = "yes";
smtpd_tls_security_level = "may";
smtpd_tls_auth_only = "yes";
smtp_dns_support_level = "dnssec";
smtp_tls_security_level = "dane";
smtpd_tls_cert_file = "/var/lib/acme/mail.cloonar.com/full.pem";
smtpd_tls_key_file = "/var/lib/acme/mail.cloonar.com/key.pem";
smtpd_tls_CAfile = "/var/lib/acme/mail.cloonar.com/fullchain.pem";
smtpd_tls_dh512_param_file = config.security.dhparams.params.postfix512.path;
smtpd_tls_dh1024_param_file = config.security.dhparams.params.postfix2048.path;
smtpd_tls_session_cache_database = ''btree:''${data_directory}/smtpd_scache'';
smtpd_tls_mandatory_protocols = "!SSLv2,!SSLv3,!TLSv1,!TLSv1.1";
smtpd_tls_protocols = "!SSLv2,!SSLv3,!TLSv1,!TLSv1.1";
smtpd_tls_mandatory_ciphers = "medium";
tls_medium_cipherlist = "AES128+EECDH:AES128+EDH";
# authentication
smtpd_sasl_auth_enable = "yes";
smtpd_sasl_local_domain = "$mydomain";
smtpd_sasl_security_options = "noanonymous";
smtpd_sasl_tls_security_options = "$smtpd_sasl_security_options";
smtpd_sasl_type = "dovecot";
smtpd_sasl_path = "/var/lib/postfix/queue/private/auth";
smtpd_relay_restrictions = "
permit_mynetworks,
permit_sasl_authenticated,
defer_unauth_destination";
smtpd_client_restrictions = "
permit_mynetworks,
permit_sasl_authenticated,
reject_invalid_hostname,
reject_unknown_client,
permit";
smtpd_helo_restrictions = "
permit_mynetworks,
permit_sasl_authenticated,
reject_unauth_pipelining,
reject_non_fqdn_hostname,
reject_invalid_hostname,
warn_if_reject reject_unknown_hostname,
permit";
smtpd_recipient_restrictions = "
permit_mynetworks,
permit_sasl_authenticated,
reject_non_fqdn_sender,
reject_non_fqdn_recipient,
reject_non_fqdn_hostname,
reject_invalid_hostname,
reject_unknown_sender_domain,
reject_unknown_recipient_domain,
reject_unknown_client_hostname,
reject_unauth_pipelining,
reject_unknown_client,
permit";
smtpd_sender_restrictions = "
reject_non_fqdn_sender,
reject_unlisted_sender,
reject_authenticated_sender_login_mismatch,
permit_mynetworks,
permit_sasl_authenticated,
reject_unknown_sender_domain,
reject_unknown_client_hostname,
reject_unknown_address";
smtpd_etrn_restrictions = "permit_mynetworks, reject";
smtpd_data_restrictions = "reject_unauth_pipelining, reject_multi_recipient_bounce, permit";
};
};
systemd.tmpfiles.rules = [ "d /run/postfix 0750 postfix postfix -" ];
systemd.services.postfix.preStart = ''
sed -e "s/@ldap-password@/$(cat ${config.sops.secrets.dovecot-ldap-password.path})/" ${domains} > /run/postfix/domains.cf
sed -e "s/@ldap-password@/$(cat ${config.sops.secrets.dovecot-ldap-password.path})/" ${mailboxes} > /run/postfix/mailboxes.cf
sed -e "s/@ldap-password@/$(cat ${config.sops.secrets.dovecot-ldap-password.path})/" ${accountsmap} > /run/postfix/accountsmap.cf
sed -e "s/@ldap-password@/$(cat ${config.sops.secrets.dovecot-ldap-password.path})/" ${aliases} > /run/postfix/aliases.cf
sed -e "s/@ldap-password@/$(cat ${config.sops.secrets.dovecot-ldap-password.path})/" ${senderLoginMaps} > /run/postfix/sender_login_maps.cf
'';
security.dhparams = {
enable = true;
params.postfix512.bits = 512;
params.postfix2048.bits = 1024;
};
security.acme.certs."mail.${domain}" = {
extraDomainNames = [
"mail-test.${domain}"
"mail-02.${domain}"
];
postRun = "systemctl restart postfix.service";
group = "postfix";
};
networking.firewall.allowedTCPPorts = [
25 # smtp
465 # smtps
587 # submission
];
}
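Review bot: `security.dhparams` generates a 512-bit group for `smtpd_tls_dh512_param_file` and a 1024-bit group for `smtpd_tls_dh1024_param_file` (the parameter is named `postfix2048` while `bits = 1024`); 512-bit DH only served long-removed export ciphers and 1024-bit DH is below current guidance, so set `params.postfix2048.bits = 2048;` and drop the 512-bit parameter, which modern Postfix ignores. The `helo_access` map is installed via `mapFiles` but no restriction list references it with `check_helo_access`, and its keys are regular expressions (`/^([0-9\.]+)$/`) that a hashed map would never match, so it is dead configuration as written; either wire it in as a `pcre:`/`regexp:` table or remove it. `preStart` repeats the sed-with-`$(cat …)` secret substitution used by the dovecot module; the 0750 `/run/postfix` directory contains the resulting files here, but the bind password still transits sed's argv. On the `465` listener, `-o smtpd_tls_security_level=none` next to `smtpd_tls_wrappermode=yes` reads as contradictory — I believe Postfix treats wrapper mode as implicitly enforcing TLS, but stating `encrypt` avoids relying on that.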


@@ -0,0 +1,131 @@
{ pkgs
, config
, ...
}:
let
domain = config.networking.domain;
localConfig = pkgs.writeText "local.conf" ''
logging {
level = "notice";
}
classifier "bayes" {
autolearn = true;
}
dkim_signing {
path = "/var/lib/rspamd/dkim/$domain.$selector.key";
selector = "default";
allow_username_mismatch = true;
}
arc {
path = "/var/lib/rspamd/dkim/$domain.$selector.key";
selector = "default";
allow_username_mismatch = true;
}
milter_headers {
use = ["authentication-results", "x-spam-status"];
authenticated_headers = ["authentication-results"];
}
replies {
action = "no action";
}
url_reputation {
enabled = true;
}
phishing {
openphish_enabled = true;
# too much memory
#phishtank_enabled = true;
}
neural {
enabled = true;
}
neural_group {
symbols = {
"NEURAL_SPAM" {
weight = 3.0; # sample weight
description = "Neural network spam";
}
"NEURAL_HAM" {
weight = -3.0; # sample weight
description = "Neural network ham";
}
}
}
'';
sieve-spam-filter = pkgs.callPackage ../pkgs/sieve-spam-filter { };
in
{
services.rspamd = {
enable = true;
extraConfig = ''
.include(priority=1,duplicate=merge) "${localConfig}"
'';
postfix.enable = true;
workers.controller = {
extraConfig = ''
count = 1;
static_dir = "''${WWWDIR}";
password = "$2$7rb4gnnw8qbcy3x3m7au8c4mezecfjim$da4ahtt3gnjtbj7ni6bt1q8jwgqtzxp5ck6941m6prjxsz3udfgb";
enable_password = "$2$xo1qdd1zgozwto8yazr1o35zbarbzcgp$u8mx6hcsb1qdscejb4zadcb3iucmm4mw6btgmim9h6e5d8cpy5ib";
'';
};
};
services.dovecot2 = {
mailboxes.Spam = {
auto = "subscribe";
specialUse = "Junk";
};
extraConfig = ''
protocol imap {
mail_plugins = $mail_plugins imap_sieve
}
plugin {
sieve_plugins = sieve_imapsieve sieve_extprograms
# From elsewhere to Spam folder
imapsieve_mailbox1_name = Spam
imapsieve_mailbox1_causes = COPY
imapsieve_mailbox1_before = file:/var/lib/dovecot/sieve/report-spam.sieve
# From Spam folder to elsewhere
imapsieve_mailbox2_name = *
imapsieve_mailbox2_from = Spam
imapsieve_mailbox2_causes = COPY
imapsieve_mailbox2_before = file:/var/lib/dovecot/sieve/report-ham.sieve
# Move Spam emails to Spam folder
sieve_before = /var/lib/dovecot/sieve/move-to-spam.sieve
sieve_pipe_bin_dir = ${sieve-spam-filter}/bin
sieve_global_extensions = +vnd.dovecot.pipe +vnd.dovecot.environment
}
'';
};
services.nginx.enable = true;
services.nginx.virtualHosts."rspamd.${domain}" = {
forceSSL = true;
enableACME = true;
acmeRoot = null;
locations."/".extraConfig = ''
proxy_pass http://localhost:11334;
'';
};
# systemd.services.rspamd.serviceConfig.SupplementaryGroups = [ "redis-rspamd" ];
systemd.services.dovecot2.preStart = ''
mkdir -p /var/lib/dovecot/sieve/
for i in ${sieve-spam-filter}/share/sieve-rspamd-filter/*.sieve; do
dest="/var/lib/dovecot/sieve/$(basename $i)"
cp "$i" "$dest"
${pkgs.dovecot_pigeonhole}/bin/sievec "$dest"
done
chown -R "${config.services.dovecot2.mailUser}:${config.services.dovecot2.mailGroup}" /var/lib/dovecot/sieve
'';
}
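Review bot: The nginx vhost `rspamd.${domain}` publishes the rspamd controller to the internet via `proxy_pass http://localhost:11334` with only the worker `password`/`enable_password` (hashes committed here) in front of its learn and config endpoints, and without any forwarded-address header. Two things are worth checking: that the controller really has a TCP bind socket on 11334 (the NixOS module's default for the controller worker is a unix socket, in which case this vhost proxies to nothing), and whether rspamd's stock `secure_ip` of 127.0.0.1/::1 makes the proxied connection password-less, since rspamd sees it coming from localhost. If the latter applies, add `proxy_set_header X-Forwarded-For $remote_addr;` (or `recommendedProxySettings = true`) so the password is enforced for external clients, and consider an `allow`/`deny` list on the location. The password hashes could also move out of the repo into a sops-managed file that the worker config `.include`s.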


@@ -0,0 +1,28 @@
{ stdenv
, makeWrapper
, rspamd
,
}:
stdenv.mkDerivation {
name = "sieve-rspamd-filter";
nativeBuildInputs = [ makeWrapper ];
src = ./src;
installPhase = ''
for sieve in $src/*.sieve; do
install -D "$sieve" "$out/share/sieve-rspamd-filter/$(basename $sieve)"
done
mkdir $out/bin
cat > $out/bin/learn-spam.sh <<'EOF'
#!/bin/sh
exec ${rspamd}/bin/rspamc -h /run/rspamd.sock learn_spam
EOF
cat > $out/bin/learn-ham.sh <<'EOF'
#!/bin/sh
exec ${rspamd}/bin/rspamc -h /run/rspamd.sock learn_ham
EOF
chmod +x $out/bin/*.sh
'';
}
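Review bot: `learn-spam.sh` and `learn-ham.sh` hard-code `-h /run/rspamd.sock` and discard the mailbox user that the sieve scripts pass as `$1`; confirm the socket path matches the controller's bind socket (the NixOS rspamd module places its controller socket under `/run/rspamd/` by default) and that the dovecot mail user is in a group allowed to write to it, otherwise every learn call from the sieve pipe fails silently. If per-user Bayes is ever wanted, the argument can be forwarded with rspamc's `-u "$1"`. `makeWrapper` is listed in `nativeBuildInputs` but never used and can be dropped.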


@@ -0,0 +1,5 @@
require ["fileinto"];
if header :is "X-Spam" "Yes" {
fileinto "Spam";
}
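Review bot: `header :is "X-Spam" "Yes"` requires a header literally named `X-Spam`, but the rspamd module enables only the `authentication-results` and `x-spam-status` milter routines, and `x-spam-status` emits `X-Spam-Status: Yes, score=…` as far as I can tell; unless another routine adds `X-Spam`, this rule never files anything into Spam. Either enable an rspamd routine that emits `X-Spam: Yes` or match the status header, e.g. `if header :matches "X-Spam-Status" "Yes*" { fileinto "Spam"; }`.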


@@ -0,0 +1,15 @@
require ["vnd.dovecot.pipe", "copy", "imapsieve", "environment", "variables"];
if environment :matches "imap.mailbox" "*" {
set "mailbox" "${1}";
}
if string "${mailbox}" "Trash" {
stop;
}
if environment :matches "imap.user" "*" {
set "username" "${1}";
}
pipe :copy "learn-ham.sh" [ "${username}" ];


@@ -0,0 +1,7 @@
require ["vnd.dovecot.pipe", "copy", "imapsieve", "environment", "variables"];
if environment :matches "imap.user" "*" {
set "username" "${1}";
}
pipe :copy "learn-spam.sh" [ "${username}" ];


@@ -0,0 +1,52 @@
borg-passphrase: ENC[AES256_GCM,data:D6+ZedxUQ7m/m0YkM5m/B4kFsNySJjFyh8Gmhn3Mpe+mqEzzMRjAbwmGzx9i9Lnr1dTjRElUOgevnnvW5J2KRA==,iv:cG4w1KsEm1SOTni9bsbSW1+ypzjjs2Q42I+4xvcCAu0=,tag:WkkNVa27Uy5nFpmXaIH6ww==,type:str]
borg-ssh-key: ENC[AES256_GCM,data:T/EPWSuY9Ocj6D8nL2pfPg7r/lN4TyS7SiAqhQhkr10Y3R2mzfgMrOZTg/MrYv3/uNCt5h9TBDxwmiAwSmBzBSms0T5qD8aSxLgbmc6MAG7FSm7cGFf6x/7fMgVn7DAlwMz+4t/PkVk1iCRG4IwzimXwBvq73yIZuAiIARq0Azin7YAoSKjxnZ8ACkyRVCecf45pk7ModRmPLSDK8MZcT7bcHpZt6gQKx72OXSCJTD5FRUX180miUaywf7SxF1goEGRSmwtFDhyVs8iThiqyz0IsElB/dPGR+vYQwlFNWOFUshfAifz5tHXkvaKt08EJKyVV2TUqEsUETfFEqQW+8YNym3wBvrlnXm05DrHnfjz9GOEeUr35d9ESNgS+J5SzWVDitK29ca7QiaQ+YfaDn4/4mOGKSbPUnqOgRBoqXhJMV4ddV0lTKgBrg9isBVPgaye2prcHGjtUkVw2Kyh1omT3RKv6y7X+jfOpeOWOiByN73PCsZF7g+FFlP0K5jcfm4y4yaD8y6NlEaozrabuCIpY2ZUdZ/aH11vzLAk+LB8XE6lJ5MKMNPjNRftErJ9iE3OaOyan1ovTzaGqzaEwGtx/MZpk5hWNUwcSrJvZDqDuKO4+OhwMedvCCRKtNFIbEZ49EJrtp326Y1EelhfWgls5nJFPXukHo/C17ybsP4uFySFz/M13RVTIRntn7WKoh0bH7na2XgVGtXmI2plqVA5zppCbVTzr9+pAAD9RvXTX7t12gA1iNmdxM8alOeoZ41JXHd6BDF4bvDLVMhFhlslDLZ3wNV/QPWcSczinpJlvEQ13/WFN/NTO25Y16p+oxY9g8QD3pNEkAVLOMYjnEUlV6+DQcZbxzU8RCfpEzfVsOqbztTihDgHD5ldWt/VpN4ncm/WCVCWBlT33iiTxufC8htY3SjXt8JULEt0049HNIbNwj1awZwqTgT4z06okf7sz0m8Y/U8D5MCu8uNpt7QJBftVHxCKSUmQ4NJRicMDhlrpEJklQYlRtsvKlL/ntnyf5ZoUnkX03AoG0zh4Dh0LydGKC9RsKfwJeU+684d3opBI9eIYL6Rp/XB60LKcUA6Q+m7BgB7Tjck2YbG8nFPLaV3PdmIejlE0agICJ8Hef8rnqdU/r6X92gCEBvGXNbuqsKJvDTYPafQP8U6rXc7Tq+g68zfCOijIuHyKjkzdtIom8KMi5MUdFBSXK22xB1q4ye+QaCaAdN/1Xe6KDxWiafPG+BkpExh7hXbqZU1MyiTYMExpilY30e+CmPXMdxAWmygOxwUk+mPbuWrF0oh16DYN0dS38gUbo2Z4fjRvYIoZea1pu8niQRfhTVgLZVpEN07pYPu2farsPCPIXPalXVcijVO/yi2Dg4uhTsjzW/aRZ6XDIoXRd59v5hG+L27l7gTIXfTx1+htwClRJjYxFy6hTL+ZjcKdNrz/jezXPrR7kRHNEEfJM/ysv8d/7Ghpt+wITgc22bdnxKJv9rWnoKDEQ/FRGm6Y/eMisOttUFFlznQi2lqShOxPXnnuOnpndklcxPM8FowlL4FMDN7QUW3kdXJ2j0GgN4o34oKhqvXjtjf9Dk5r5KB+GTeOhf3SJXgeR4llaSAQXjzGdZqk0g34YTa3qb8rVxDSBKEHOnKs+Cr/4H09k62S/3SzZfrBIaaZ6Ey1b+bFfnbJJlD/Y/1Hwd5IhNbMHj7bfOKC8VabieeHwMbWfkGdnnmdY5LLJqXAwANrCIYZrEpm38pYJiKes5GrAz8caK2rPIhAPShURwkjCsvowmadTvnEbO/KoaUIcqk40wYdM6NAlVme6dLXxeVN7Y3K6UAWFIIZtYarAog0Axncs30shIoy1CGd6dN87tuK+/twO/jr458fJInumXSMRy2X2K0MKPLONF9FcP/EWENa+H43Zcfo1y42HkoYxI70R2YqOlpbtJUk8/8PqVSlJBrbgpBZNzAMCb
sIjhrBevISerf8Sa8X6WC/KjwswjfGJ7h+FEnrPutKJg/ajDywAI+RZ3H+5zWm/CZxBYT6k4w6gAWZva0Nlx6jWQExONGQfUBkrRrRfIHhWl3c+k5VrhyzwW9fmAB9XmT1iYbk9T+ZNU/O8HY1bAZWufS4G7GaHchbPIvz3edMvP+zrGBZXPPJE3abls9oUcVZ223NFU1RPMZwG7LqL0fzfHXl4zx82TEXn14dAIBBVr67RAejz5xOGf8I2MpYQ6RAxvfhc7bjWY9/FU1RU09ob7usJCZphm51oa4TR7kz0AH1HxSOGfCJKLdYjBxbylR1GxY1bUTokLVWEYHalCr6d4lyEmUHM3+1vBUQQ6aq81njW33yGvwclUvhWj4sB51WPaREcYQsPkYnftN/dRSKVQoEZckgmIvML3lUwiVMLGlXlcUViyQpktnWAWxXgw5GH6KXMqoI43jRmxTeR3KrVyZRJBlDj/AnGWOD37fndGuMdpmAIGX/1fZnUUCxNhhuou20LvOr8BnjcHP9pBjtRPxu4o9fFmnzNCt43SC2ivMDOLxL/Uq6batacYrRnLtK4XnNqzfpCqe1bkfBsmTbRGnwPIJrA7TThfHH322DLy/GueYiddIa5spqdIH2jI8nfjKq4SxLtwsNZ4GUG/z83YQEg0Z8I/CQhYh3Y8Gcjb4ZUrOg9n84iLADDOn2j9CI1QfsyJAt+qLEDPRJ9yMRefmq7BAxvGbNq+4YUbj4Fo6K2FwaO2quUVl7RpfVgT/WvXTJS4pAndPJt4PrG03X56ra3yOTtlZqPvGR+XGjp56hG5I5AtQ27JmB6S30EncH9sDLDPucNtEzn57cY90kAZSdDYjBkJ5/lC3xJOB4UiAs582UgyIiVlL/mvjXd1kajAcchfUYnjEUkgFuOoRysWDO/rq8aDFYg/jokUNOn4ent7xXzlfEXkpMZ00coZ7gi+CjKOf29+/ZE1wCfbRhBds/mCmAerWJo24vb632lTCWKImbHo36WuBAvKqofFNpVyMRQ+OKm9Bzr2jQD7W4+1CUk/ZatGVWJHCPsEGWt/L0Fj8K3NzF135c9d8aZ9HqC9XNqOKTZpNe9QSMc5S+tD1ZUxHVrDHny0fOKaWGVHtgyNkcyte0l16wet1z+xZcPCKr8ieMSqh+HgfT2/kWjpb1hlmyEDFmPnnbmhCDD2QWstX8vCa9JTdd0OLb3rTgPMlbxPPIiWQGSBc6tig7X3mZbebweRz5ktqrdMvK3ter9bVC9T2TF6EiCktxw+IdS9MONajvoGAaR2k1nGbfKDSVIKk1ialfv1FGJu1gUA8J0pvXqbrTJfSPOH4iuJrWJut0UpJeHrUuh0ODguNriBivobZeaRamUA/PPNvM5KCSUQUtefDnVINsJSoT4yXn55fkRwvb2957AfHI8yMRg9KtNIYj8i5KsEsw4gE53Lr+NU7Wq2O08+v2mUSNjP0REWgu0Dw0M4/Q9eykLV/ZRnhRcbUZyA==,iv:yA1CkRMapP1S3zMwu6Tj0/0/HHpwD1yRAm/qrZx/kPs=,tag:SYg2IoXeD9fMYb35J/AJ1Q==,type:str]
netdata-claim-token: ENC[AES256_GCM,data:ECx8zLnU/dj08vfA76oVbVzL3JG9MLBoFmxSjtjiFbSiFtdaHtG/8u5FEuyQ1bQMQntV91xj7x1kY8fAp7VNbWyC13pOEOrt6rvJYch14eM3bqNvfGeqgJsHmAaRbY6mBrxJBkiRJBLYVil4e1oDNZVnzFQ4ditXZbMGtAV2063K1MRI/48p,iv:viE84mOp5KSdj8vdK5XxR0W9A54oPxQO5ahnpPLeAdE=,tag:WjzKjGXRRAc7vlzreFHbng==,type:str]
openldap-rootpw: ENC[AES256_GCM,data:W0em1Dffg+IUoynwwPD4NjFksR38ZO4mhWFI83ALvYcwYIplxw/gDRLGCqbSt6TR5C65CKr1sOUiU+4Xq3UWmw==,iv:BHQhISTIYuwSM3KiSb0mEEo3BMNo6FXEDXoIvI3SZrU=,tag:tX8gfnk1JYnaNionk/jrLg==,type:str]
dovecot-ldap-password: ENC[AES256_GCM,data:JYAt8/WggwclNEPO9CaWfQsvQBA8DDJCU2km93HpowoVwIdvQ/0lQHeXndPYe1EmJGJ3vLErie+Zn2kDINIMqQ==,iv:HR0QJ0GgQks3NzhfXwjHupCKcPOekkiTcp5Jxbz7CxI=,tag:19m7F6TjGUPOuHQJuUq2pw==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age16veg3fmvpfm7a89a9fc8dvvsxmsthlm70nfxqspr6t8vnf9wkcwsvdq38d
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPRWdBcmEvQkQrOXZ0SDJW
eFpFSlBxbjlUbFlDVEZzS3dLSXN6MnBFT3lnCkZ1RGhoQjhtcGxEY1E1QlBvNUl0
RWxnbzNldHBHUjhiZldYQm9iYWppcncKLS0tIG12WFdYSVdDYVZUaEFzUFhJS3A2
Q0I2b2h4aFlkNkV1a1BFamhyd0ZBWTgKZwxpdydc1lgs3u9gkh2Krs8PGfcKwJTv
n7BV0FNa242wOT4Tu28O9SN7VR1zZR52iOgV7gWsCnhkNDk9kwiLHA==
-----END AGE ENCRYPTED FILE-----
- recipient: age1v6p8dan2t3w9h94fz4flldl32082j3s9x6zqq7u5j66keth9aphsd6pvch
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoSHFtMUczc0tXaDZoQllM
eHFpYTFmcnpyYitwT1U2eGNuQm5MQms3YUdJCmpVS2hOVjFmUlVUZy9MZTZxQVlq
SU8xcmd2a0tvWlBMc2M1Wm5XV3ZQZTAKLS0tIG9qa2pQbDFIbFArejM1d1VRRVFY
VjJwdC8yQ1hweEllcGhYclNwTWFyZ1UKDKv14nnVx3FeL87FYFqZMU+niHBOvxHz
3L3hBMEgpR/uMSuPmF4/NLVJTsktOonW9NKOzm37KsY2HNRXbuHoQg==
-----END AGE ENCRYPTED FILE-----
- recipient: age1jyeppc8yl2twnv8fwcewutd5gjewnxl59lmhev6ygds9qel8zf8syt7zz4
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjY2JOWTA0a3pGL0dYc2t4
aE8vTUNMNDVML2ZOSW9xeHlFRDQ5K1BLR3l3ClN4a25QZTEzaFk5bnVUYkk2dnRr
SWxNTklrZGM4enJ0WXBKaEJ6UDZUMzAKLS0tIDJudGtSVTVTV3ZrWWh6VnZFdEs3
UFVlWE9wd3hRS0d3VEg5di9kNHBIeUEKov+NZ0pt4BUd5xXX9cTFSJF355Kg0ios
Va/kbzgG2SMvxMorNFDp+yJgGXM9rOycMJ1ajemKBM3r2QMcsIiMWA==
-----END AGE ENCRYPTED FILE-----
- recipient: age1azmxsw5llmp2nnsv3yc2l8paelmq9rfepxd8jvmswgsmax0qyyxqdnsc7t
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJVVRBY1RVdmdkTGxkT3N0
YjJUdXU5blY3T1R2NFQwQ2MvUitTRjZOUGpjCkNMTUJOaCtGR0s4SGxENXRRd1lQ
cE9RbFUvL1RVZnZ1a3RlZ0YxbmFtOGsKLS0tIE8vMmE1YkZCM210SXEzRFZJeWZL
eC80bWxndE85RlZGRUFTcDdaZ2J1VE0KZ0FERlT1kdUE+WxSi57YowqDQtA9BoV1
MZoPePwGkRr27MHnPYIhoniUXC7mhQ4rqvcbFy6i1n4r1CqkRFBM3g==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-07-08T11:20:50Z"
mac: ENC[AES256_GCM,data:GPUwpSAz6fj7mRxX1ebEb2sLAMLkQLuKPXk+B3+zZmA6+D7gAKrrBGUWHqYA9DMMY0r32OZSccGRmeKqdA7sWmzdIJTcBu8EyER1nJqVFJiXcOOdTkCLdOM4xW969YE0lBKpIAQ40E7YXYYwkI1JINneIBTuXkvIBmSQ3Bt2+ak=,iv:VEPNQxDLzxyTxkn8dI6xNDe9ESk2RojSNYYEwT+Ggas=,tag:cfUEKU3arSJl+lEOa+4iRA==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.8.1


@@ -0,0 +1 @@
../../utils


@@ -70,6 +70,8 @@ in {
CPU_SCALING_GOVERNOR_ON_BAT = "powersave"; CPU_SCALING_GOVERNOR_ON_BAT = "powersave";
CPU_ENERGY_PERF_POLICY_ON_BAT = "power"; CPU_ENERGY_PERF_POLICY_ON_BAT = "power";
CPU_ENERGY_PERF_POLICY_ON_AC = "performance"; CPU_ENERGY_PERF_POLICY_ON_AC = "performance";
START_CHARGE_THRESH_BAT0 = 60;
STOP_CHARGE_THRESH_BAT0 = 80;
}; };
}; };
@@ -215,6 +217,7 @@ in {
}; };
}; };
nix = { nix = {
settings.auto-optimise-store = true; settings.auto-optimise-store = true;
settings.experimental-features = [ "nix-command" "flakes" ]; settings.experimental-features = [ "nix-command" "flakes" ];


@@ -5,7 +5,7 @@
# i3 config file (v4) # i3 config file (v4)
# font for window titles and bar # font for window titles and bar
font pango:Source Sans Pro 15 font pango:Source Sans Pro 10
# use win key # use win key
set $mod Mod4 set $mod Mod4
@@ -314,7 +314,7 @@ exec 'sleep 2; swaymsg workspace "$ws8"; swaymsg layout tabbed'
exec mako --default-timeout=5000 exec mako --default-timeout=5000
# wallpaper # wallpaper
output eDP-1 scale 1 output eDP-1 scale 1.5 scale_filter linear
output eDP-1 bg #282a36 solid_color output eDP-1 bg #282a36 solid_color
output eDP-1 bg ~/.wallpaper.png center output eDP-1 bg ~/.wallpaper.png center
output DP-4 bg #282a36 solid_color output DP-4 bg #282a36 solid_color


@@ -81,9 +81,7 @@ in {
quickemu quickemu
brave brave
chromium
firefox firefox
vivaldi
# unstable.cura # unstable.cura
freecad freecad
@@ -106,10 +104,13 @@ in {
variants = ["qt5"]; variants = ["qt5"];
}) })
kdePackages.neochat
dbus-sway-environment dbus-sway-environment
ddev ddev
dracula-theme dracula-theme
foot foot
fractal
gcc gcc
git git
glib glib
@@ -125,6 +126,7 @@ in {
libreoffice libreoffice
mako mako
mqttui mqttui
moonlight-qt
netflix netflix
networkmanagerapplet networkmanagerapplet
nextcloud-client nextcloud-client


@@ -1,5 +1,5 @@
* { * {
font-size: 24px; font-size: 16px;
font-family: monospace; font-family: monospace;
} }


@@ -1,3 +1,4 @@
/home/dominik/projects/cloonar/renovate-config
/home/dominik/projects/cloonar/bento /home/dominik/projects/cloonar/bento
/home/dominik/projects/cloonar/freescout /home/dominik/projects/cloonar/freescout
/home/dominik/projects/cloonar/support-invoiced /home/dominik/projects/cloonar/support-invoiced
@@ -17,6 +18,7 @@
/home/dominik/projects/socialgrow.tech/sgt-api /home/dominik/projects/socialgrow.tech/sgt-api
/home/dominik/projects/epicenter.works/ewcampaign /home/dominik/projects/epicenter.works/ewcampaign
/home/dominik/projects/epicenter.works/epicenter.works /home/dominik/projects/epicenter.works/epicenter.works
/home/dominik/projects/epicenter.works/epicenter.works-website
/home/dominik/projects/epicenter.works/epicenter-nixos /home/dominik/projects/epicenter.works/epicenter-nixos
/home/dominik/projects/epicenter.works/spenden.akvorrat.at /home/dominik/projects/epicenter.works/spenden.akvorrat.at
/home/dominik/projects/epicenter.works/dearmep-website /home/dominik/projects/epicenter.works/dearmep-website


@@ -10,12 +10,11 @@ let
"calendar.alarms.showmissed" = false; "calendar.alarms.showmissed" = false;
"mail.uidensity" = 2; "mail.uidensity" = 2;
"mail.inline_attachments" = false; "mail.inline_attachments" = false;
"mail.folder.views.version" = 1; "mail.folder.views.version" = 1; "calendar.list.sortOrder" = "cloonar-personal";
"calendar.list.sortOrder" = "cloonar-personal";
"calendar.ui.version" = 3; "calendar.ui.version" = 3;
"calendar.timezone.local" = "Europe/Vienna"; "calendar.timezone.local" = "Europe/Vienna";
"calendar.week.start" = 1; "calendar.week.start" = 1;
"layout.css.devPixelsPerPx" = "1"; # "layout.css.devPixelsPerPx" = "1";
}; };
thunderbirdCalendarPersonal = { thunderbirdCalendarPersonal = {
@@ -139,6 +138,8 @@ let
privacy-badger privacy-badger
ublock-origin ublock-origin
]; ];
persistHome = "/home/dominik";
in in
{ {
programs.fuse.userAllowOther = true; programs.fuse.userAllowOther = true;
@@ -192,6 +193,50 @@ in
}; };
}; };
systemd.user.services = {
signald = {
Unit = {
Description = "Signal-cli daemon";
After = [ "graphical-session-pre.target" ];
PartOf = [ "graphical-session.target" ];
};
Install = {
WantedBy = [ "graphical-session.target" ];
};
Service = {
ExecStart = "${pkgs.signal-cli}/bin/signal-cli daemon";
Restart = "always";
};
};
};
programs.chromium = {
enable = true;
commandLineArgs = [
"--enable-features=WebUIDarkMode"
"--force-dark-mode"
];
dictionaries = [
pkgs.hunspellDictsChromium.en_US
pkgs.hunspellDictsChromium.de_DE
];
extensions = [
{
# Ublock
id = "epcnnfbjfcgphgdmggkamkmgojdagdnn";
}
{
# Privacy Badger
id = "pkehgijcmpdhfbdbbnkijodmdjhbjlgp";
}
{
# Bitwarden
id = "nngceckbapebfimnlniiiahkandclblb";
}
];
};
programs.git = { programs.git = {
enable = true; enable = true;
@@ -368,14 +413,14 @@ in
id = 0; id = 0;
isDefault = true; isDefault = true;
settings = firefoxSettings; settings = firefoxSettings;
userChrome = firefoxUserChrome; # userChrome = firefoxUserChrome;
search = firefoxSearchSettings; search = firefoxSearchSettings;
extensions = firefoxExtensions; extensions = firefoxExtensions;
}; };
social = { social = {
id = 1; id = 1;
settings = firefoxSettings; settings = firefoxSettings;
userChrome = firefoxUserChrome; # userChrome = firefoxUserChrome;
search = firefoxSearchSettings; search = firefoxSearchSettings;
containersForce = true; containersForce = true;
containers = { containers = {
@@ -418,32 +463,34 @@ in
set +eu set +eu
ssh-keygen -R git.cloonar.com ssh-keygen -R git.cloonar.com
ssh-keyscan git.cloonar.com >> ~/.ssh/known_hosts ssh-keyscan git.cloonar.com >> ~/.ssh/known_hosts
git clone git@github.com:dpolakovics/bento.git /nix/persist/user/dominik/cloonar/bento 2>/dev/null git clone gitea@git.cloonar.com:renovate/renovate-config.git ${persistHome}/cloonar/renovate-config 2>/dev/null
git clone gitea@git.cloonar.com:Cloonar/freescout.git /nix/persist/user/dominik/projects/cloonar/freescout 2>/dev/null git clone git@github.com:dpolakovics/bento.git ${persistHome}/cloonar/bento 2>/dev/null
git clone gitea@git.cloonar.com:Cloonar/support-invoiced.git /nix/persist/user/dominik/projects/cloonar/support-invoiced 2>/dev/null git clone gitea@git.cloonar.com:Cloonar/freescout.git ${persistHome}/projects/cloonar/freescout 2>/dev/null
git clone gitea@git.cloonar.com:Cloonar/nixos.git /nix/persist/user/dominik/projects/cloonar/cloonar-nixos 2>/dev/null git clone gitea@git.cloonar.com:Cloonar/support-invoiced.git ${persistHome}/projects/cloonar/support-invoiced 2>/dev/null
git clone gitea@git.cloonar.com:Cloonar/website.git /nix/persist/user/dominik/projects/cloonar/cloonar-website 2>/dev/null git clone gitea@git.cloonar.com:Cloonar/nixos.git ${persistHome}/projects/cloonar/cloonar-nixos 2>/dev/null
git clone gitea@git.cloonar.com:Cloonar/wohnservice-wien-typo3.git /nix/persist/user/dominik/projects/cloonar/wohnservice-wien 2>/dev/null git clone gitea@git.cloonar.com:Cloonar/website.git ${persistHome}/projects/cloonar/cloonar-website 2>/dev/null
git clone gitea@git.cloonar.com:Cloonar/gbv-aktuell.git /nix/persist/user/dominik/projects/cloonar/gbv-aktuell 2>/dev/null git clone gitea@git.cloonar.com:Cloonar/wohnservice-wien-typo3.git ${persistHome}/projects/cloonar/wohnservice-wien 2>/dev/null
git clone gitea@git.cloonar.com:Paraclub/api.git /nix/persist/user/dominik/projects/cloonar/paraclub/paraclub-api 2>/dev/null git clone gitea@git.cloonar.com:Cloonar/gbv-aktuell.git ${persistHome}/projects/cloonar/gbv-aktuell 2>/dev/null
git clone gitea@git.cloonar.com:Paraclub/frontend.git /nix/persist/user/dominik/projects/cloonar/paraclub/paraclub-frontend 2>/dev/null git clone gitea@git.cloonar.com:Paraclub/api.git ${persistHome}/projects/cloonar/paraclub/paraclub-api 2>/dev/null
git clone gitea@git.cloonar.com:Paraclub/website.git /nix/persist/user/dominik/projects/cloonar/paraclub/paraclub-website 2>/dev/null git clone gitea@git.cloonar.com:Paraclub/frontend.git ${persistHome}/projects/cloonar/paraclub/paraclub-frontend 2>/dev/null
git clone gitea@git.cloonar.com:Paraclub/module.git /nix/persist/user/dominik/projects/cloonar/paraclub/paraclub-module 2>/dev/null git clone gitea@git.cloonar.com:Paraclub/website.git ${persistHome}/projects/cloonar/paraclub/paraclub-website 2>/dev/null
git clone gitea@git.cloonar.com:Cloonar/amz-api.git /nix/persist/user/dominik/projects/cloonar/amz/amz-api 2>/dev/null git clone gitea@git.cloonar.com:Paraclub/module.git ${persistHome}/projects/cloonar/paraclub/paraclub-module 2>/dev/null
git clone gitea@git.cloonar.com:Cloonar/amz-frontend.git /nix/persist/user/dominik/projects/cloonar/amz/amz-frontend 2>/dev/null git clone gitea@git.cloonar.com:Cloonar/amz-api.git ${persistHome}/projects/cloonar/amz/amz-api 2>/dev/null
git clone gitea@git.cloonar.com:hilgenberg/website.git /nix/persist/user/dominik/projects/cloonar/hilgenberg-website 2>/dev/null git clone gitea@git.cloonar.com:Cloonar/amz-frontend.git ${persistHome}/projects/cloonar/amz/amz-frontend 2>/dev/null
git clone gitea@git.cloonar.com:Cloonar/korean-skin.care.git /nix/persist/user/dominik/projects/cloonar/korean-skin.care 2>/dev/null git clone gitea@git.cloonar.com:hilgenberg/website.git ${persistHome}/projects/cloonar/hilgenberg-website 2>/dev/null
git clone gitea@git.cloonar.com:myhidden.life/web.git /nix/persist/user/dominik/projects/myhidden.life/myhidden.life-web 2>/dev/null git clone gitea@git.cloonar.com:Cloonar/korean-skin.care.git ${persistHome}/projects/cloonar/korean-skin.care 2>/dev/null
git clone gitea@git.cloonar.com:myhidden.life/web.git ${persistHome}/projects/myhidden.life/myhidden.life-web 2>/dev/null
git clone gitea@git.cloonar.com:socialgrow.tech/sgt-api.git /nix/persist/user/dominik/projects/socialgrow.tech/sgt-api 2>/dev/null git clone gitea@git.cloonar.com:socialgrow.tech/sgt-api.git ${persistHome}/projects/socialgrow.tech/sgt-api 2>/dev/null
ssh-keygen -R gitlab.epicenter.works ssh-keygen -R gitlab.epicenter.works
ssh-keyscan gitlab.epicenter.works >> ~/.ssh/known_hosts ssh-keyscan gitlab.epicenter.works >> ~/.ssh/known_hosts
git clone git@github.com:AKVorrat/ewcampaign.git /nix/persist/user/dominik/projects/epicenter.works/ewcampaign 2>/dev/null git clone git@github.com:AKVorrat/ewcampaign.git ${persistHome}/projects/epicenter.works/ewcampaign 2>/dev/null
git clone git@gitlab.epicenter.works:epicenter.works/website.git /nix/persist/user/dominik/projects/epicenter.works/epicenter.works 2>/dev/null git clone git@gitlab.epicenter.works:epicenter.works/website.git ${persistHome}/projects/epicenter.works/epicenter.works 2>/dev/null
git clone git@gitlab.epicenter.works:epicenter.works/nixos.git /nix/persist/user/dominik/projects/epicenter.works/epicenter-nixos 2>/dev/null git clone git@github.com:AKVorrat/epicenter.works-website.git ${persistHome}/projects/epicenter.works/epicenter.works-website 2>/dev/null
git clone git@github.com:AKVorrat/spenden.akvorrat.at.git /nix/persist/user/dominik/projects/epicenter.works/spenden.akvorrat.at 2>/dev/null git clone git@gitlab.epicenter.works:epicenter.works/nixos.git ${persistHome}/projects/epicenter.works/epicenter-nixos 2>/dev/null
git clone git@github.com:AKVorrat/dearmep-website.git /nix/persist/user/dominik/projects/epicenter.works/dearmep-website 2>/dev/null git clone git@github.com:AKVorrat/spenden.akvorrat.at.git ${persistHome}/projects/epicenter.works/spenden.akvorrat.at 2>/dev/null
git clone git@github.com:AKVorrat/dearmep-website.git ${persistHome}/projects/epicenter.works/dearmep-website 2>/dev/null
set -eu set -eu
''; '';
@@ -507,6 +554,13 @@ in
TERM = "xterm-256color"; TERM = "xterm-256color";
}; };
}; };
"*.social-grow.tech" = {
user = "root"; # prod
identityFile = "~/.ssh/social-grow.tech_id_ed25519";
setEnv = {
TERM = "xterm-256color";
};
};
"amz-websrv-01.amz.at" = { "amz-websrv-01.amz.at" = {
user = "ebs"; user = "ebs";
}; };
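Review bot: The rewritten clone script still runs `ssh-keygen -R git.cloonar.com` followed by `ssh-keyscan git.cloonar.com >> ~/.ssh/known_hosts` (context lines, repeated for gitlab.epicenter.works) before the `git clone` lines, which throws away the pinned host key and re-learns whatever answers on the network at every activation, so none of these clones is protected against a man-in-the-middle. Pin the host keys declaratively instead, for example a committed known_hosts file referenced via `programs.ssh.userKnownHostsFile`, and drop the keyscan; the surrounding `set +eu` additionally hides any clone failure. For the new `"*.social-grow.tech"` block that logs in as root on production, add `identitiesOnly = true;` so the agent offers only the dedicated key to those hosts.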


@@ -173,7 +173,6 @@ in
}; };
config.services.nginx.virtualHosts = mapAttrs' (instance: instanceOpts: config.services.nginx.virtualHosts = mapAttrs' (instance: instanceOpts:
let let
domain = if instanceOpts.domain != null then instanceOpts.domain else instance; domain = if instanceOpts.domain != null then instanceOpts.domain else instance;
@@ -189,6 +188,10 @@ in
serverAliases = instanceOpts.domainAliases; serverAliases = instanceOpts.domainAliases;
extraConfig = '' extraConfig = ''
if ($host != '${domain}') {
return 301 $scheme://${domain}$request_uri;
}
if (!-e $request_filename) { if (!-e $request_filename) {
rewrite ^/(.+)\.(\d+)\.(php|js|css|png|jpg|gif|gzip)$ /$1.$3 last; rewrite ^/(.+)\.(\d+)\.(php|js|css|png|jpg|gif|gzip)$ /$1.$3 last;
} }
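Review bot: The new canonical-host redirect uses `$scheme`, so if these vhosts force TLS (not visible in the hunk) a request to `http://alias/` is first bounced to `http://${domain}` and only then to https, leaving an extra plaintext hop that carries the full URL; `return 301 https://${domain}$request_uri;` avoids it when every instance is TLS-only. A short comment such as `# redirect serverAliases to the canonical domain` above the `if ($host != ...)` line would make the intent clear next to the unrelated asset rewrite that follows. The enclosing mapAttrs' function starts at the top of this hunk and continues past it.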
