add web.social-grow.tech

2024-10-24 00:26:32 +02:00
parent ef8f774f4f
commit d8db7df64e
22 changed files with 1670 additions and 75 deletions


@@ -0,0 +1 @@
https://channels.nixos.org/nixos-24.05


@@ -0,0 +1,62 @@
{ lib, pkgs, ... }: {
imports = [
./utils/bento.nix
./utils/modules/sops.nix
./utils/modules/lego/lego.nix
./modules/mysql.nix
./utils/modules/nginx.nix
./modules/authelia
./modules/collabora.nix
./modules/nextcloud
./utils/modules/autoupgrade.nix
./utils/modules/borgbackup.nix
./hardware-configuration.nix
./modules/web/stack.nix
];
environment.systemPackages = with pkgs; [
vim
davfs2
screen
ucommon
php
php83
];
time.timeZone = "Europe/Vienna";
services.logind.extraConfig = "RuntimeDirectorySize=2G";
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
sops.defaultSopsFile = ./secrets.yaml;
nix.gc = {
automatic = true;
options = "--delete-older-than 60d";
};
boot.tmp.cleanOnBoot = true;
zramSwap.enable = true;
networking.hostName = "web";
networking.domain = "social-grow.tech";
services.openssh.enable = true;
users.users.root.openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHC9YODKEKu5bOC61qkpPd8QeZxbNPCQKgfh8xUFMdV0" # dominik
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIRQuPqH5fdX3KEw7DXzWEdO3AlUn1oSmtJtHB71ICoH Generated By Termius"
];
# backups
borgbackup.repo = "u428777-sub3@u428777.your-storagebox.de:borg";
networking.firewall = {
enable = true;
allowedTCPPorts = [ 22 80 443 ];
};
system.stateVersion = "22.05";
}
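Review bot: Root is reachable over SSH by key through `users.users.root.openssh.authorizedKeys.keys`, but neither password nor keyboard-interactive authentication is disabled in this file, so the exposure of port 22 in `allowedTCPPorts` depends entirely on what the unseen `./utils/modules/*` set (the NixOS default for `PasswordAuthentication` is `true`). Pin it next to `services.openssh.enable = true;`: `services.openssh.settings.PasswordAuthentication = false;` and `services.openssh.settings.KbdInteractiveAuthentication = false;`, and state `services.openssh.settings.PermitRootLogin = "prohibit-password";` explicitly rather than inheriting it. The second key is labelled only `Generated By Termius`; a comment naming its owner and device would make revocation tractable when that device is lost. `php` and `php83` in `environment.systemPackages` are presumably the same package twice — worth a comment or dropping one.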


@@ -0,0 +1 @@
../../fleet.nix


@@ -0,0 +1,14 @@
{ modulesPath, ... }:
{
imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
boot.loader.grub = {
efiSupport = true;
efiInstallAsRemovable = true;
device = "nodev";
configurationLimit = 5;
};
fileSystems."/boot" = { device = "/dev/sda15"; fsType = "vfat"; };
boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "xen_blkfront" ];
boot.initrd.kernelModules = [ "nvme" ];
fileSystems."/" = { device = "/dev/sda1"; fsType = "ext4"; };
}


@@ -0,0 +1,251 @@
{ config, lib, ... }:
let
domain = config.networking.domain;
components = lib.strings.splitString "." domain;
dcComponents = map (x: "dc=" + x) components;
ldapPath = builtins.concatStringsSep "," dcComponents;
in {
sops.secrets.authelia-jwt-secret = {
owner = "authelia-main";
};
sops.secrets.authelia-backend-ldap-password = {
owner = "authelia-main";
};
sops.secrets.authelia-storage-encryption-key = {
owner = "authelia-main";
};
sops.secrets.authelia-session-secret = {
owner = "authelia-main";
};
sops.secrets.authelia-identity-providers-oidc-hmac-secret = {
owner = "authelia-main";
};
sops.secrets.authelia-identity-providers-oidc-issuer-certificate-chain = {
owner = "authelia-main";
};
sops.secrets.authelia-identity-providers-oidc-issuer-private-key = {
owner = "authelia-main";
};
services.authelia.instances.main = {
enable = true;
secrets = {
jwtSecretFile = config.sops.secrets.authelia-jwt-secret.path;
storageEncryptionKeyFile = config.sops.secrets.authelia-storage-encryption-key.path;
sessionSecretFile = config.sops.secrets.authelia-session-secret.path;
oidcHmacSecretFile = config.sops.secrets.authelia-identity-providers-oidc-hmac-secret.path;
oidcIssuerPrivateKeyFile = config.sops.secrets.authelia-identity-providers-oidc-issuer-private-key.path;
};
environmentVariables = {
"AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE" = config.sops.secrets.authelia-backend-ldap-password.path;
"AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE" = config.sops.secrets.authelia-backend-ldap-password.path;
};
settings = {
theme = "dark";
default_redirection_url = "https://${domain}";
server = {
host = "127.0.0.1";
port = 9091;
};
# log = {
# level = "debug";
# format = "text";
# };
authentication_backend = {
ldap = {
url = "ldaps://ldap.${domain}";
base_dn = ldapPath;
additional_users_dn = "OU=users";
users_filter = "(&({username_attribute}={input})(objectClass=person))";
username_attribute = "mail";
mail_attribute = "mail";
display_name_attribute = "cn";
additional_groups_dn = "OU=groups";
groups_filter = "(&(member={dn})(objectClass=groupOfNames))";
group_name_attribute = "cn";
permit_referrals = false;
permit_unauthenticated_bind = false;
user = "cn=authelia,ou=system,ou=users,${ldapPath}";
};
};
webauthn = {
disable = false;
display_name = "Authelia";
attestation_conveyance_preference = "indirect";
user_verification = "preferred";
timeout = "60s";
};
totp = {
disable = false;
issuer = "auth.${domain}";
algorithm = "sha1";
digits = 6;
period = 30;
skew = 1;
secret_size = 32;
};
access_control = {
default_policy = "deny";
rules = [
{
domain = ["auth.${domain}"];
policy = "bypass";
}
{
domain = ["*.${domain}"];
policy = "two_factor";
}
];
};
session = {
name = "authelia_session";
expiration = "12h";
inactivity = "45m";
remember_me_duration = "1M";
domain = domain;
# todo: enable with 4.38
# cookies = [
# {
# domain = "${domain}";
# }
# ];
};
regulation = {
max_retries = 3;
find_time = "5m";
ban_time = "15m";
};
storage = {
# mysql = {
# host = "/run/mysqld/mysqld.sock'";
# port = 3306;
# database = "authelia_main";
# username = "authelia_main";
# password = "socket_auth";
# timeout = "5s";
# };
local = {
path = "/var/lib/authelia-main/db.sqlite3";
};
};
notifier = {
disable_startup_check = false;
smtp = {
host = "mail.${domain}";
port = 25;
username = "authelia@${domain}";
sender = "Authelia <authelia@${domain}>";
};
};
identity_providers = {
oidc = {
## The other portions of the mandatory OpenID Connect 1.0 configuration go here.
## See: https://www.authelia.com/c/oidc
# authorization_policies = {
# support = {
# default_policy = "deny";
# rules = [
# {
# policy = "two_factor";
# subject = "group:support"; # Deny access to users of services group
# }
# {
# policy = "two_factor";
# subject = "group:admin"; # Deny access to users of services group
# }
# ];
# };
# };
clients = [
{
id = "nextcloud";
description = "Nextcloud";
secret = "$pbkdf2-sha512$310000$P/kCFCL7FPwrZORA7KLIcg$HfC4qdmCJclSICHBjCltyT2Q1B4hiq.h75U1V1pfM4UbUu9kqll100I4/tdxjCBcPDePPXq8OFTQedNLsp.feA";
public = false;
authorization_policy = "one_factor";
redirect_uris = [
"https://cloud.${domain}/apps/oidc_login/oidc"
];
pre_configured_consent_duration = "1y";
scopes = [
"openid"
"profile"
"email"
"groups"
];
userinfo_signing_algorithm = "none";
}
];
};
};
};
};
services.nginx.virtualHosts."auth.${domain}" = {
enableACME = true;
forceSSL = true;
acmeRoot = null;
locations."/api/verify" = {
proxyPass = "http://127.0.0.1:9091";
proxyWebsockets = true;
extraConfig = ''
allow 127.0.0.1;
allow 49.12.244.139;
allow 77.119.230.30;
deny all;
'';
};
locations."/" = {
proxyPass = "http://127.0.0.1:9091";
proxyWebsockets = true;
extraConfig = ''
client_body_buffer_size 128k;
#Timeout if the real server is dead
proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
# Advanced Proxy Config
send_timeout 5m;
proxy_read_timeout 360;
proxy_send_timeout 360;
proxy_connect_timeout 360;
# Basic Proxy Config
proxy_set_header Host $host;
proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $http_host;
proxy_set_header X-Forwarded-Uri $request_uri;
proxy_set_header X-Forwarded-Ssl on;
proxy_redirect http:// $scheme://;
proxy_set_header Connection "";
proxy_cache_bypass $cookie_session;
proxy_no_cache $cookie_session;
proxy_buffers 64 256k;
# If behind reverse proxy, forwards the correct IP
set_real_ip_from 10.0.0.0/8;
set_real_ip_from 172.0.0.0/8;
set_real_ip_from 192.168.0.0/16;
set_real_ip_from fc00::/7;
real_ip_header X-Forwarded-For;
real_ip_recursive on;
'';
};
};
}
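Review bot: `AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE` is pointed at `authelia-backend-ldap-password`, the same secret used for the LDAP bind, so the SMTP relay credential and the directory service account are one and the same (or the SMTP login is simply wrong and startup notification checks will fail). Declare a separate secret, `sops.secrets.authelia-notifier-smtp-password.owner = "authelia-main";`, and reference it with `"AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE" = config.sops.secrets.authelia-notifier-smtp-password.path;`. Separately, `set_real_ip_from 172.0.0.0/8` is far wider than the private block (it should be `172.16.0.0/12`), and since this nginx is directly exposed on 80/443, a client from a public address inside that /8 could supply its own `X-Forwarded-For` and thereby choose the IP Authelia uses for `regulation` bans. Note also that the `nextcloud` client's `authorization_policy = "one_factor"` lets an OIDC login into Nextcloud skip the second factor that the `two_factor` rule for `*.${domain}` otherwise requires; either raise it to `two_factor` or add a comment saying the downgrade is deliberate.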


@@ -0,0 +1,45 @@
authelia-jwt-secret: ENC[AES256_GCM,data:+4mCRAbPYeuxZwPxIWdzym9M0soVRJGZOHpBLFp1dsienOes6PcF6DhkzLwx1g/2KYQBrWq5QtNyysLkl32mNg==,iv:3354Ww7D1fQAVZh8xlJo3W9VaLTC6sUxXpNzwFYGZPg=,tag:NjPuHi4R+I3CJ09ZbV1Cbw==,type:str]
authelia-backend-ldap-password: ENC[AES256_GCM,data:AJ5/lQxxQ0PjPpja4Lm7Qbn4rrZ/fapFeTO9nXsXpYC7cSgPDmGL4LG6QTFrgHpJU4FGEyFhWUYf/BZvHFLA2A==,iv:/w3SlYC74vSV/hkOdp2wb50beSTaokQC9C1ogs82nxo=,tag:b5M78WOUgHcydoJTKiAAOQ==,type:str]
authelia-storage-encryption-key: ENC[AES256_GCM,data:I3ek+p0faJUUjS3ULeeLzsrsl03MKlHwrC+R3IqrJ2P9AbJmMBvvXnqLx2H2THkjGiqN3kLgrhnmInn+BnCgYg==,iv:EiZpXbkyC3tbdzcp20hV6ctAJdB9tlgxT3gI7wiqSZc=,tag:qqG02RJAizr2jlGV0JnStA==,type:str]
authelia-session-secret: ENC[AES256_GCM,data:+hljRSv4nABWg+vEOhYM27h9Gu1FCqcWWa51VqlN1r8AE79S78Uq2txWL7bZKql/fxmaguTLwk18xkHIAvIEsA==,iv:RoytV5jWIUDq6olp8rWAc0NRC4f1FLL43EpTzcXZ3eg=,tag:vIvDVRSqlVt/W/52vuDDZA==,type:str]
authelia-identity-providers-oidc-hmac-secret: ENC[AES256_GCM,data:yyqauvp+/8ufhCaZ1o0DWn4Nx1rdTW8C1HRVAtyCRuBaQA/yFVmZkwFVbnIDC3TrmuEMc2MXzVCREbdDsEqkGm6LJAB4Eq31NyhhbAtKufeqKHhMgEF4d41K71V//FJn2/ZBY6CaR1Ke0rX3p/Rpwk0rwddikkUmdJ7i7w9ayP8=,iv:ONBU0uWEUeQxQCGmHtGOySuLmTnJlAx//lQcK32i1Gs=,tag:Tk2BbYZSqbJRc/2cj8yxHQ==,type:str]
authelia-identity-providers-oidc-issuer-certificate-chain: ENC[AES256_GCM,data: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,iv:jhnNkcLXN3pHx6S8g78+R6X+ckhOF35QK615zcH2gqI=,tag:JSHDo9nbBbhpiQFSrLuDdg==,type:str]
authelia-identity-providers-oidc-issuer-private-key: ENC[AES256_GCM,data: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,iv:PWdVLhu0BPx7sXMzow9wl+cqDXD2Y5J5lfVSX3tNCMg=,tag:P4vHogedMdAUeIh4XHlmdw==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age16veg3fmvpfm7a89a9fc8dvvsxmsthlm70nfxqspr6t8vnf9wkcwsvdq38d
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHWkRuWXdaQ1RUbkF1d2p0
elZkbnFVSW9tVjdqSHFvbjFiL202cW1tWjJ3ClpDUEFIMDFteFA1QTdTVmtVWHI0
OFRuU1Fockh4aTBwa3l3ZjdiMFFYSm8KLS0tIGdCZjZNVXNVZWV3ZlJzY3ZyZXhr
WFp1eVZna1VWUUZuTVY4Q2h2c0Y2ZDAKcglSV3UBoZ65+SsM+zRFJmjIH61jXbT0
rpeJ8/0i4THmVpbZY+NOIh2zECmzBkAA06jv0jMoftL40h2wsdgncg==
-----END AGE ENCRYPTED FILE-----
- recipient: age1v6p8dan2t3w9h94fz4flldl32082j3s9x6zqq7u5j66keth9aphsd6pvch
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBna282T2hYcDl4UWFISDVL
eE42MjVxZndUVEU5bjJwUzdHU2xHNXVNRW13CmZwUmdCWDFNVmdDbktwOXBIbzNZ
eGgrZHQwMEdRSG11aWpoSllrcjBBY2cKLS0tIFBZRUdYVUhsbFZYV0w5T3RYc0Ez
RDJZcjA4VFNadEZCUmpOVWRBdGNKMzQKhhQCbeRxDvhFVsF3G+OoXo4i+koqqgrV
o/esYoxA1ZNsS9mhFbfMw1C2YO43iPtaWChAO5zUABDALD6dJ1Rf1A==
-----END AGE ENCRYPTED FILE-----
- recipient: age1y6lvl5jkwc47p5ae9yz9j9kuwhy7rtttua5xhygrgmr7ehd49svsszyt42
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5ZUJuMnNwTGpSdVA4UXV5
bkdGTWJsRjliMGJWcXBKekc3WDZiN0FWV0MwCmZIVld4M0xaWWhmUDVqSGcwbGpz
S0kzQy9scDRObS82WkMzYUw2dVBaWXMKLS0tIGpkeFZqdXIrY0lFdUgwekNJeDN4
eFhnWGdoTzdyZmtjZDJBc3FveTRaN0EKBj2hSr6qDxwW+k5hox47P5uyoHQAzCjH
+TplhMUd5p8/ud3U4lixLezGu1qftVSKtz/4SAXrSC5DYZJF1w7tDQ==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2023-08-17T01:43:14Z"
mac: ENC[AES256_GCM,data:zcCKk+VAddbb4vZltdC6hKPAnoo4rvcLcmIsKATQekbVo9OUk5Q5JnxglgAxXyj/YMZ7tIY/IXoWdSW4Kw673vthVnWpGLnuHtXJFGslkQ+GEkIt0z/oepr33gXErsEolZ3rIx02CVsIK5tb38ol0DhAe+6dUihsi23HruMJNog=,iv:2RVGRBTgqR9YLrRpoxuN72NOcXvRlZVTaPNiU7l75w0=,tag:lr4/sBBE9F27II289OWUNQ==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.7.3


@@ -0,0 +1,68 @@
{ config, ... }:
let
domain = config.networking.domain;
in {
#Collabora Containers
virtualisation.oci-containers.containers.collabora = {
image = "docker.io/collabora/code:latest";
ports = [ "9980:9980/tcp" ];
environment = {
server_name = "code.${domain}";
aliasgroup1 = "https://cloud.${domain}:443";
dictionaries = "en_US";
extra_params = "--o:ssl.enable=false --o:ssl.termination=true";
};
extraOptions = [
"--pull=newer"
];
};
services.nginx.virtualHosts.${config.virtualisation.oci-containers.containers.collabora.environment.server_name} = {
enableACME = true;
forceSSL = true;
extraConfig = ''
# static files
location ^~ /browser {
proxy_pass http://127.0.0.1:9980;
proxy_set_header Host $host;
}
# WOPI discovery URL
location ^~ /hosting/discovery {
proxy_pass http://127.0.0.1:9980;
proxy_set_header Host $host;
}
# Capabilities
location ^~ /hosting/capabilities {
proxy_pass http://127.0.0.1:9980;
proxy_set_header Host $host;
}
# main websocket
location ~ ^/cool/(.*)/ws$ {
proxy_pass http://127.0.0.1:9980;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
proxy_set_header Host $host;
proxy_read_timeout 36000s;
}
# download, presentation and image upload
location ~ ^/(c|l)ool {
proxy_pass http://127.0.0.1:9980;
proxy_set_header Host $host;
}
# Admin Console websocket
location ^~ /cool/adminws {
proxy_pass http://127.0.0.1:9980;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
proxy_set_header Host $host;
proxy_read_timeout 36000s;
}
'';
};
}
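Review bot: `ports = [ "9980:9980/tcp" ]` publishes Collabora on every interface, although the only consumer is the nginx vhost on this host proxying to `127.0.0.1:9980`; bind it to loopback with `"127.0.0.1:9980:9980/tcp"` so the host firewall is not the only thing between the unauthenticated WOPI/websocket endpoints and the internet (with docker as the oci-containers backend, published ports bypass the NixOS firewall entirely). `image = "docker.io/collabora/code:latest"` combined with `--pull=newer` means any restart may run a different, unreviewed image; pin a version tag or a digest and bump it deliberately. The `/cool/adminws` admin console is proxied publicly; it is presumably inactive because no `username`/`password` environment variables are set, but a comment saying so would stop someone enabling it later without also restricting that location.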


@@ -0,0 +1,80 @@
{ pkgs, ... }:
let
mysqlCreateDatabase = pkgs.writeShellScriptBin "mysql-create-database" ''
#!/usr/bin/env bash
if [ $# -lt 2 ]
then
echo "Usage: $0 <database> <host>"
exit 1
fi
if ! [ $EUID -eq 0 ]
then
echo "Must be root!" >&2
exit 1
fi
DB="$1"
HOST="$2"
PASSWORD="$(tr -dc A-Za-z0-9 < /dev/urandom | head -c 64 | xargs)"
cat <<EOF | mysql --host localhost --user root
create database $DB;
grant usage on $DB.* to '$DB'@'$HOST' identified by '$PASSWORD';
grant all privileges on $DB.* to '$DB'@'$HOST';
EOF
echo
echo "Password for user $DB is:"
echo
echo $PASSWORD
echo
'';
mysqlDeleteDatabase = pkgs.writeShellScriptBin "mysql-delete-database" ''
#!/usr/bin/env bash
if [ $# -lt 1 ]
then
echo "Usage: $0 <database>"
exit 1
fi
if ! [ $EUID -eq 0 ]
then
echo "Must be root!" >&2
exit 1
fi
DB="$1"
PASSWORD="$(tr -dc A-Za-z0-9 < /dev/urandom | head -c 64 | xargs)"
cat <<EOF | mysql --host localhost --user root
drop database $DB;
drop user '$DB';
EOF
echo
echo "Dropped database $DB!"
echo
'';
in {
environment.systemPackages = [
mysqlCreateDatabase
mysqlDeleteDatabase
];
services.mysql = {
enable = true;
package = pkgs.mariadb;
settings = {
mysqld = {
max_allowed_packet = "64M";
transaction_isolation = "READ-COMMITTED";
binlog_format = "ROW";
};
};
};
services.mysqlBackup.enable = true;
services.mysqlBackup.databases = [ "mysql" ];
}
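Review bot: `mysql-delete-database` runs `drop user '$DB'` (implicitly `'$DB'@'%'`) while `mysql-create-database` creates `'$DB'@'$HOST'`, so the drop fails and the account — still holding a password with all privileges on a database name that may be recreated later — is left behind. Take the host as a second argument, as the create script does, and use `drop user '$DB'@'$HOST';`; the `PASSWORD=` line in the delete script is unused and can go. Both scripts splice `$DB`/`$HOST` straight into SQL; they are root-only tools, but wrapping the identifier in backticks and rejecting names outside `[A-Za-z0-9_]+` would keep a typo from becoming a statement. The `#!/usr/bin/env bash` line inside `writeShellScriptBin` is redundant, since that helper already supplies the shebang.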


@@ -0,0 +1,108 @@
{ pkgs, config, ... }:
let
domain = config.networking.domain;
in {
imports = [
./ldap.nix
];
sops.secrets.nextcloud-smb-credentials = {};
sops.secrets.nextcloud-adminpass.owner = "nextcloud";
sops.secrets.nextcloud-secrets.owner = "nextcloud";
services.nextcloud = {
enable = true;
hostName = "cloud.${domain}";
https = true;
package = pkgs.nextcloud29;
# Instead of using pkgs.nextcloud27Packages.apps,
# we'll reference the package version specified above
extraApps = {
inherit (config.services.nextcloud.package.packages.apps) calendar contacts deck forms groupfolders richdocuments;
oidc_login = pkgs.fetchNextcloudApp rec {
url = "https://github.com/pulsejet/nextcloud-oidc-login/releases/download/v3.1.1/oidc_login.tar.gz";
sha256 = "sha256-EVHDDFtz92lZviuTqr+St7agfBWok83HpfuL6DFCoTE=";
license = "gpl3";
};
guests = pkgs.fetchNextcloudApp rec {
url = "https://github.com/nextcloud-releases/guests/releases/download/v4.0.0/guests-v4.0.0.tar.gz";
sha256 = "sha256-dM2BmckOGZpcFDVs2oYVDqPafyBtLFB3ZCcsnOflteM=";
license = "gpl3";
};
files_accesscontrol = pkgs.fetchNextcloudApp rec {
url = "https://github.com/nextcloud/files_accesscontrol/archive/refs/tags/v1.20.1.tar.gz";
sha256 = "sha256-3vcnXiLsmUnt3GiF8H9Mw8jOwAmIn1cqr13SBgvdm+g=";
license = "gpl3";
};
appointments = pkgs.fetchNextcloudApp rec {
url = "https://github.com/SergeyMosin/Appointments/raw/refs/tags/v2.1.12/build/artifacts/appstore/appointments.tar.gz";
sha256 = "sha256-hMLimaBz5RBRzkEwpWJ9ZUrNY0oRTbPeYFCvH8hl1YE=";
license = "gpl3";
};
};
autoUpdateApps.enable = true;
extraAppsEnable = true;
database.createLocally = true;
caching.apcu = true;
configureRedis = true;
phpOptions."opcache.interned_strings_buffer" = "23";
config = {
adminpassFile = config.sops.secrets.nextcloud-adminpass.path;
dbtype = "mysql";
};
secretFile = config.sops.secrets.nextcloud-secrets.path;
settings = {
log_type = "file";
log_level = 0;
allow_user_to_change_display_name = false;
maintenance_window_start = 1;
lost_password_link = "disabled";
sharing.enable_share_mail = true;
oidc_login_provider_url = "https://auth.${domain}";
oidc_login_client_id = "nextcloud";
oidc_login_button_text = "Log in with Authelia";
oidc_login_auto_redirect = false;
oidc_login_proxy_ldap = true;
oidc_login_attributes = {
id = "preferred_username";
name = "name";
mail = "email";
groups = "groups";
ldap_uid = "email";
};
oidc_login_scope = "openid profile email groups";
default_phone_region = "AT";
};
};
environment.systemPackages = [ pkgs.cifs-utils ];
fileSystems."/var/lib/nextcloud/data" = {
device = "//u428777.your-storagebox.de/u428777-sub2/";
fsType = "cifs";
options = let
automount_opts = "x-systemd.automount,noauto,x-systemd.idle-timeout=60,x-systemd.device-timeout=5s,x-systemd.mount-timeout=5s,user,users,file_mode=0770,dir_mode=0770";
in ["${automount_opts},credentials=${config.sops.secrets.nextcloud-smb-credentials.path},uid=992,gid=992"];
};
services.nginx.virtualHosts.${config.services.nextcloud.hostName} = {
forceSSL = true;
enableACME = true;
acmeRoot = null;
};
services.mysql = {
ensureUsers = [
{
name = "nextcloud";
ensurePermissions = {
"nextcloud.*" = "ALL PRIVILEGES";
};
}
];
ensureDatabases = [ "nextcloud" ];
};
services.mysqlBackup.databases = [ "nextcloud" ];
}
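Review bot: `log_level = 0` sets Nextcloud to debug logging on a production host, which records request details that can include tokens and user data in `nextcloud.log`; `2` (warning) is the usual production value, or add a comment if debug is intentional. The CIFS mount options include `user,users`, which let any local account unmount and remount the Nextcloud data share; nothing here needs that, so drop them and keep the `x-systemd.automount` options. `autoUpdateApps.enable = true` installs whatever the app store ships next, which sidesteps the `sha256` pins on the `extraApps` entries above — presumably an accepted trade-off, but worth a comment saying so.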


@@ -0,0 +1,24 @@
{ config, pkgs, ... }:
let
updateLdapSettings = pkgs.writeText "nextcloud-update-ldap-settings.sql" (builtins.readFile ./update-ldap-settings.sql);
in {
sops.secrets.nextcloud-ldap-password.owner = "nextcloud";
systemd.services."nextcloud-update-ldap-settings" = {
enable = true;
description = "My custom service";
after = [ "nextcloud-setup.service" ];
script = let
updateLdapSettings = pkgs.writeText "nextcloud-update-ldap-settings.sql" (builtins.readFile ./update-ldap-settings.sql);
in ''
ldappass=$(base64 -w 0 ${config.sops.secrets.nextcloud-ldap-password.path})
${pkgs.mysql}/bin/mysql -u nextcloud -e "INSERT INTO oc_appconfig (appid, configkey, configvalue, type, lazy) VALUES ('user_ldap', 's01ldap_agent_password', '$ldappass', 2, 0) ON DUPLICATE KEY UPDATE configvalue = '$ldappass';" nextcloud
${pkgs.mysql}/bin/mysql -u nextcloud nextcloud < ${updateLdapSettings}
'';
serviceConfig = {
Type = "exec";
User = "nextcloud";
};
};
}
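Review bot: The LDAP agent password is passed to `mysql -e "…$ldappass…"` as a command-line argument, so while the client runs it is readable by every local user through `/proc/*/cmdline`; feed the statement on stdin instead, as the second `mysql` call already does. The unit declares `after = [ "nextcloud-setup.service" ]` but no `wantedBy`/`requiredBy`, so nothing starts it at boot or on a switch unless it is run by hand — add `wantedBy = [ "multi-user.target" ];` (or trigger it from `nextcloud-setup.service`) if it is meant to apply automatically. The top-level `updateLdapSettings` binding is unused because it is redefined inside `script`. `base64 -w 0` also encodes any trailing newline in the secret file; presumably the sops value has none, but a comment would save the next person a debugging session.
```nix
  # … unchanged: let binding, sops secret, unit description/after …
  script = ''
    ldappass=$(base64 -w 0 ${config.sops.secrets.nextcloud-ldap-password.path})
    ${pkgs.mysql}/bin/mysql -u nextcloud nextcloud <<EOF
    INSERT INTO oc_appconfig (appid, configkey, configvalue, type, lazy)
      VALUES ('user_ldap', 's01ldap_agent_password', '$ldappass', 2, 0)
      ON DUPLICATE KEY UPDATE configvalue = '$ldappass';
    EOF
    ${pkgs.mysql}/bin/mysql -u nextcloud nextcloud < ${updateLdapSettings}
  '';
  wantedBy = [ "multi-user.target" ];
  # … unchanged: serviceConfig …
```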


@@ -0,0 +1,39 @@
nextcloud-adminpass: ENC[AES256_GCM,data:WJA7+5XqLK2eYefCviHqvHwqYPy9yfN+/3j5RTF0edrw41oB/wC5JWYejK2FzMkjkXZM0BUQ6waE3PCal3Ebqvzt/ZyC8Pwm8Z+PuMuXFx/6fQLJDxHALXH03GWAzNhUZpcZUYoNtu+uwaROg/4ZVNRu3IXxw+b2DWN65EaMO48=,iv:arkUgibmZQuaiCwYg6NBrMHZXUCLY2y/XiuVjB450ag=,tag:RH6r8nJPU24qq/EUC3jQ/A==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age16veg3fmvpfm7a89a9fc8dvvsxmsthlm70nfxqspr6t8vnf9wkcwsvdq38d
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0VmR4THNkUGpvVHB6WWtw
WkQ1dlc3R0FWaXpVZ29Sd2g1ZWJzYUFQWHdFCndkUWxqZEdIQlBnSDluN2NEWmZG
VndCbXlqV3p0ZnYwcFhjeGZVa09xcW8KLS0tIHVnc2RPWTF1b2NvWVp3OEFwVDZk
V0FWOXhSbXQyd0JmVEVpdG9IeXlsQ1UKFxGluq+uOgkA7UUa6/4ZErEPRgQQ5cXS
PdB5Et5f02RWBRAUtGEE0UrLiINlIFvFAIr3PKctNVc8/Ovf/jGojg==
-----END AGE ENCRYPTED FILE-----
- recipient: age1v6p8dan2t3w9h94fz4flldl32082j3s9x6zqq7u5j66keth9aphsd6pvch
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0RnRPK0Y4ekRiYS9xdGs0
ZE5oT1FIWmlySERMbDAyQXlHNDJnQ2Q2dkVvCjNQSGlyQXlzUXAzV0wrNHppUFY4
a3k4Y2VtQ1Z4UjVqcnQ4MXhjSzJoM0UKLS0tIHBORnVoSHlJVnpjcmdZVTA1NHhF
dHVTWnpXTnNNc0l1M3J6enFBdUwwNWcK80nKzyIrrKaEa0naFsnuie+732hMZQUg
IAU9V7/bZiDItTUVdATDjjNBiXnMgDB73SqHhuyIDD+VhDkVUBhjWw==
-----END AGE ENCRYPTED FILE-----
- recipient: age1y6lvl5jkwc47p5ae9yz9j9kuwhy7rtttua5xhygrgmr7ehd49svsszyt42
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVdDduRUZOS2VEUldmRFRS
QUVxeUVWRERSQ2ZkdnV1ekw4SVVFSzZvUFN3CkQrRnBQQzlnL2xtcFpVd0xiQmda
NFZnQmhxcm1xUnVZY3l2eHp6Sjl4a0UKLS0tIG1maDNiRW44VmJDSlk2eWRQcHB2
ZHpwQURoNGhuOWJPUkFpc0RSaHFBM0UKW4lMlcxC5+Hpm6DO3wwco41kJsfuWP33
+2qhmnwt8mXWxAVxNreQQ0YQDliBnQR3uUny7hWyfrIkeQzOBLBrOw==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2023-08-18T17:47:34Z"
mac: ENC[AES256_GCM,data:bm/lHsobqvZSzk9crPmf8vc2idN3h/HOpQab7n7N6vtEY0QpMTv+6K7YERBD7T9oIxSNtcLNOcw6Rr2w9Cd1cq+W0azPA2dxd6/crq6rbhAgld/MipemP+YfdENxRrdyastk7P3FWyHZzhKlhem/ft0lpeiJg5NWRjA8IkLSDZc=,iv:W4cYC/e1CO5nsLx5yOaH0vGJ7fAx5bAH9acJShciHcI=,tag:whYqwogQMPPklHqoyhuL8g==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.7.3


@@ -0,0 +1,83 @@
INSERT IGNORE INTO oc_appconfig (appid, configkey, configvalue, type, lazy)
VALUES
("user_ldap", "background_sync_interval", "43200", 2, 0),
("user_ldap", "background_sync_offset", "0", 2, 0),
("user_ldap", "background_sync_prefix", "s01", 2, 0),
("user_ldap", "cleanUpJobOffset", "0", 2, 0),
("user_ldap", "enabled", "yes", 2, 0),
("user_ldap", "installed_version", "1.20.0", 2, 0),
("user_ldap", "types", "authentication", 2, 0),
("user_ldap", "s01_lastChange", "1729585245", 2, 0),
("user_ldap", "s01has_memberof_filter_support", "1", 2, 0),
("user_ldap", "s01home_folder_naming_rule", "", 2, 0),
("user_ldap", "s01last_jpegPhoto_lookup", "0", 2, 0),
("user_ldap", "s01ldap_admin_group", "admin_2", 2, 0),
("user_ldap", "s01ldap_attr_address", "", 2, 0),
("user_ldap", "s01ldap_attr_biography", "", 2, 0),
("user_ldap", "s01ldap_attr_fediverse", "", 2, 0),
("user_ldap", "s01ldap_attr_headline", "", 2, 0),
("user_ldap", "s01ldap_attr_organisation", "", 2, 0),
("user_ldap", "s01ldap_attr_phone", "", 2, 0),
("user_ldap", "s01ldap_attr_role", "", 2, 0),
("user_ldap", "s01ldap_attr_twitter", "", 2, 0),
("user_ldap", "s01ldap_attr_website", "", 2, 0),
("user_ldap", "s01ldap_attributes_for_group_search", "", 2, 0),
("user_ldap", "s01ldap_attributes_for_user_search", "", 2, 0),
("user_ldap", "s01ldap_background_host", "", 2, 0),
("user_ldap", "s01ldap_background_port", "", 2, 0),
("user_ldap", "s01ldap_backup_host", "", 2, 0),
("user_ldap", "s01ldap_backup_port", "636", 2, 0),
("user_ldap", "s01ldap_base", "dc=social-grow,dc=tech", 2, 0),
("user_ldap", "s01ldap_base_groups", "cn=cloud,ou=groups,dc=social-grow,dc=tech", 2, 0),
("user_ldap", "s01ldap_base_users", "ou=users,dc=social-grow,dc=tech", 2, 0),
("user_ldap", "s01ldap_cache_ttl", "600", 2, 0),
("user_ldap", "s01ldap_configuration_active", "1", 2, 0),
("user_ldap", "s01ldap_connection_timeout", "15", 2, 0),
("user_ldap", "s01ldap_default_ppolicy_dn", "", 2, 0),
("user_ldap", "s01ldap_display_name", "cn", 2, 0),
("user_ldap", "s01ldap_dn", "cn=cloud,ou=system,ou=users,dc=social-grow,dc=tech", 2, 0),
("user_ldap", "s01ldap_dynamic_group_member_url", "", 2, 0),
("user_ldap", "s01ldap_email_attr", "mail", 2, 0),
("user_ldap", "s01ldap_experienced_admin", "0", 2, 0),
("user_ldap", "s01ldap_expert_username_attr", "mail", 2, 0),
("user_ldap", "s01ldap_expert_uuid_group_attr", "", 2, 0),
("user_ldap", "s01ldap_expert_uuid_user_attr", "mail", 2, 0),
("user_ldap", "s01ldap_ext_storage_home_attribute", "", 2, 0),
("user_ldap", "s01ldap_gid_number", "gidNumber", 2, 0),
("user_ldap", "s01ldap_group_display_name", "cn", 2, 0),
("user_ldap", "s01ldap_group_filter", "(objectClass=groupOfNames)", 2, 0),
("user_ldap", "s01ldap_group_filter_mode", "1", 2, 0),
("user_ldap", "s01ldap_group_member_assoc_attribute", "member", 2, 0),
("user_ldap", "s01ldap_groupfilter_groups", "", 2, 0),
("user_ldap", "s01ldap_groupfilter_objectclass", "", 2, 0),
("user_ldap", "s01ldap_host", "ldaps://ldap.social-grow.tech", 2, 0),
("user_ldap", "s01ldap_login_filter", "(&(objectclass=inetOrgPerson)(owncloudQuota=*)(mail=%uid))", 2, 0),
("user_ldap", "s01ldap_login_filter_mode", "1", 2, 0),
("user_ldap", "s01ldap_loginfilter_attributes", "", 2, 0),
("user_ldap", "s01ldap_loginfilter_email", "0", 2, 0),
("user_ldap", "s01ldap_loginfilter_username", "1", 2, 0),
("user_ldap", "s01ldap_mark_remnants_as_disabled", "0", 2, 0),
("user_ldap", "s01ldap_matching_rule_in_chain_state", "unknown", 2, 0),
("user_ldap", "s01ldap_nested_groups", "0", 2, 0),
("user_ldap", "s01ldap_override_main_server", "", 2, 0),
("user_ldap", "s01ldap_paging_size", "500", 2, 0),
("user_ldap", "s01ldap_port", "636", 2, 0),
("user_ldap", "s01ldap_quota_attr", "owncloudQuota", 2, 0),
("user_ldap", "s01ldap_quota_def", "1GB", 2, 0),
("user_ldap", "s01ldap_tls", "0", 2, 0),
("user_ldap", "s01ldap_turn_off_cert_check", "0", 2, 0),
("user_ldap", "s01ldap_turn_on_pwd_change", "0", 2, 0),
("user_ldap", "s01ldap_user_avatar_rule", "default", 2, 0),
("user_ldap", "s01ldap_user_display_name_2", "", 2, 0),
("user_ldap", "s01ldap_user_filter_mode", "1", 2, 0),
("user_ldap", "s01ldap_userfilter_groups", "", 2, 0),
("user_ldap", "s01ldap_userfilter_objectclass", "person", 2, 0),
("user_ldap", "s01ldap_userlist_filter", "(&(objectclass=inetOrgPerson)(owncloudQuota=*))", 2, 0),
("user_ldap", "s01use_memberof_to_detect_membership", "1", 2, 0)
ON DUPLICATE KEY UPDATE
appid = VALUES(appid),
configkey = VALUES(configkey),
configvalue = VALUES(configvalue),
type = VALUES(type),
lazy = VALUES(lazy);
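Review bot: `INSERT IGNORE` combined with `ON DUPLICATE KEY UPDATE` is contradictory — the `IGNORE` downgrades errors other than duplicate keys (a column missing after a Nextcloud schema change, a value too long for `configvalue`) to warnings, so a failed sync would leave stale LDAP settings in place with exit status 0. Drop `IGNORE` so the service that applies this file fails loudly. The update list can also shrink to `configvalue = VALUES(configvalue)`, since `appid`/`configkey` form the key and `type`/`lazy` never change here. `s01ldap_expert_uuid_user_attr` is set to `mail`, which presumably means a user whose address changes is seen as a new account with fresh storage; if that is understood, a comment next to it would keep someone from "fixing" it later.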


@@ -0,0 +1,320 @@
{ config, ... }:
{
sops.secrets.alertmanager = { };
sops.secrets.hass-token.owner = "prometheus";
# imports = [
# ./matrix-alertmanager.nix
# ./irc-alertmanager.nix
# ./rules.nix
# ];
services.prometheus = {
webExternalUrl = "https://prometheus.cloonar.com";
alertmanagers = [
{
static_configs = [
{
targets = [ "localhost:9093" ];
}
];
}
];
rules = [
''
ALERT node_down
IF up == 0
FOR 5m
LABELS {
severity="page"
}
ANNOTATIONS {
summary = "{{$labels.alias}}: Node is down.",
description = "{{$labels.alias}} has been down for more than 5 minutes."
}
ALERT node_systemd_service_failed
IF node_systemd_unit_state{state="failed"} == 1
FOR 4m
LABELS {
severity="page"
}
ANNOTATIONS {
summary = "{{$labels.alias}}: Service {{$labels.name}} failed to start.",
description = "{{$labels.alias}} failed to (re)start service {{$labels.name}}."
}
ALERT node_filesystem_full_90percent
IF sort(node_filesystem_free{device!="ramfs"} < node_filesystem_size{device!="ramfs"} * 0.1) / 1024^3
FOR 5m
LABELS {
severity="page"
}
ANNOTATIONS {
summary = "{{$labels.alias}}: Filesystem is running out of space soon.",
description = "{{$labels.alias}} device {{$labels.device}} on {{$labels.mountpoint}} got less than 10% space left on its filesystem."
}
ALERT node_filesystem_full_in_4h
IF predict_linear(node_filesystem_free{device!="ramfs"}[1h], 4*3600) <= 0
FOR 5m
LABELS {
severity="page"
}
ANNOTATIONS {
summary = "{{$labels.alias}}: Filesystem is running out of space in 4 hours.",
description = "{{$labels.alias}} device {{$labels.device}} on {{$labels.mountpoint}} is running out of space of in approx. 4 hours"
}
ALERT node_filedescriptors_full_in_3h
IF predict_linear(node_filefd_allocated[1h], 3*3600) >= node_filefd_maximum
FOR 20m
LABELS {
severity="page"
}
ANNOTATIONS {
summary = "{{$labels.alias}} is running out of available file descriptors in 3 hours.",
description = "{{$labels.alias}} is running out of available file descriptors in approx. 3 hours"
}
ALERT node_load1_90percent
IF node_load1 / on(alias) count(node_cpu{mode="system"}) by (alias) >= 0.9
FOR 1h
LABELS {
severity="page"
}
ANNOTATIONS {
summary = "{{$labels.alias}}: Running on high load.",
description = "{{$labels.alias}} is running with > 90% total load for at least 1h."
}
ALERT node_cpu_util_90percent
IF 100 - (avg by (alias) (irate(node_cpu{mode="idle"}[5m])) * 100) >= 90
FOR 1h
LABELS {
severity="page"
}
ANNOTATIONS {
summary = "{{$labels.alias}}: High CPU utilization.",
description = "{{$labels.alias}} has total CPU utilization over 90% for at least 1h."
}
ALERT node_ram_using_90percent
IF node_memory_MemFree + node_memory_Buffers + node_memory_Cached < node_memory_MemTotal * 0.1
FOR 30m
LABELS {
severity="page"
}
ANNOTATIONS {
summary="{{$labels.alias}}: Using lots of RAM.",
description="{{$labels.alias}} is using at least 90% of its RAM for at least 30 minutes now.",
}
ALERT node_swap_using_80percent
IF node_memory_SwapTotal - (node_memory_SwapFree + node_memory_SwapCached) > node_memory_SwapTotal * 0.8
FOR 10m
LABELS {
severity="page"
}
ANNOTATIONS {
summary="{{$labels.alias}}: Running out of swap soon.",
description="{{$labels.alias}} is using 80% of its swap space for at least 10 minutes now."
}
ALERT homeassistant = {
IF homeassistant_entity_available{domain="persistent_notification", entity!~"persistent_notification.http_login|persistent_notification.recorder_database_migration"} >= 0
ANNOTATIONS {
description="homeassistant notification {{$labels.entity}} ({{$labels.friendly_name}}): {{$value}}"
}
ALERT gitea
IF rate(promhttp_metric_handler_requests_total{job="gitea", code="500"}[5m]) > 3
ANNOTATIONS {
description="{{$labels.instance}}: gitea instances error rate went up: {{$value}} errors in 5 minutes"
}
''
];
scrapeConfigs = [
{
job_name = "telegraf";
scrape_interval = "60s";
metrics_path = "/metrics";
static_configs = [
{
targets = [
"web-01.cloonar.com:9273"
];
labels.host = "web-01.cloonar.com";
}
{
targets = [
"web-arm.cloonar.com:9273"
];
labels.host = "web-arm.cloonar.com";
}
{
targets = [
"fw.cloonar.com:9273"
];
labels.host = "fw.cloonar.com";
}
{
targets = [
"mail.cloonar.com:9273"
];
labels.host = "mail.cloonar.com";
}
{
targets = [
"git.cloonar.com:9273"
];
labels.host = "git.cloonar.com";
}
{
targets = [
"home-assistant.cloonar.com:9273"
];
labels.host = "home-assistant.cloonar.com";
}
{
targets = map (host: "${host}.cloonar.com:9273") [
"web-01"
"web-arm"
"fw"
"mail"
"git"
"home-assistant"
];
labels.org = "cloonar";
}
];
}
{
job_name = "homeassistant";
scrape_interval = "60s";
metrics_path = "/api/prometheus";
authorization.credentials_file = config.sops.secrets.hass-token.path;
scheme = "https";
static_configs = [
{
targets = [
"home-assistant.cloonar.com:443"
];
}
];
}
{
job_name = "gitea";
scrape_interval = "60s";
metrics_path = "/metrics";
scheme = "https";
static_configs = [
{
targets = [
"git.cloonar.com:443"
];
}
];
}
];
};
# services.prometheus.alertmanager = {
# enable = true;
# environmentFile = config.sops.secrets.alertmanager.path;
# webExternalUrl = "https://alertmanager.cloonar.com";
# listenAddress = "[::1]";
# configuration = {
# global = {
# # The smarthost and SMTP sender used for mail notifications.
# smtp_smarthost = "mail.cloonar.com:587";
# smtp_from = "alertmanager@cloonar.com";
# smtp_auth_username = "alertmanager@cloonar.com";
# smtp_auth_password = "$SMTP_PASSWORD";
# };
# route = {
# receiver = "default";
# routes = [
# {
# group_by = [ "host" ];
# match_re.org = "krebs";
# group_wait = "5m";
# group_interval = "5m";
# repeat_interval = "4h";
# receiver = "krebs";
# }
# {
# group_by = [ "host" ];
# match_re.org = "nix-community";
# group_wait = "5m";
# group_interval = "5m";
# repeat_interval = "4h";
# receiver = "nix-community";
# }
# {
# group_by = [ "host" ];
# match_re.org = "clan-lol";
# group_wait = "5m";
# group_interval = "5m";
# repeat_interval = "4h";
# receiver = "clan-lol";
# }
# {
# group_by = [ "host" ];
# group_wait = "30s";
# group_interval = "2m";
# repeat_interval = "2h";
# receiver = "all";
# }
# ];
# };
# receivers = [
# {
# name = "krebs";
# webhook_configs = [
# {
# url = "http://127.0.0.1:9223/";
# max_alerts = 5;
# }
# ];
# }
# #{
# # name = "numtide";
# # slack_configs = [
# # {
# # token = "$SLACK_TOKEN";
# # api_url = "https://";
# # }
# # ];
# #}
# {
# name = "nix-community";
# webhook_configs = [
# {
# url = "http://localhost:9088/alert";
# max_alerts = 5;
# }
# ];
# }
# {
# name = "clan-lol";
# webhook_configs = [
# # TODO
# #{
# # url = "http://localhost:4050/services/hooks/YWxlcnRtYW5hZ2VyX3NlcnZpY2U";
# # max_alerts = 5;
# #}
# ];
# }
# {
# name = "all";
# pushover_configs = [
# {
# user_key = "$PUSHOVER_USER_KEY";
# token = "$PUSHOVER_TOKEN";
# priority = "0";
# }
# ];
# }
# {
# name = "default";
# }
# ];
# };
# };
}
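Review bot: The `rules` entry uses the Prometheus 1.x `ALERT … IF … FOR …` syntax, which Prometheus 2.x rejects (rules must be YAML rule groups), and the block also contains `ALERT homeassistant = {`, a stray `= {` that is valid in neither format — as written, config validation at startup fails and no alert fires. Convert each alert to a rule group; the shape for the first rule is below and the rest follow the same pattern. The `telegraf` job also lists every host once individually and again through the `map` block, so each target is scraped twice per interval. This file references `cloonar.com` hosts while the rest of the commit is `social-grow.tech`, which suggests it was copied from another fleet; plain-HTTP scrapes to `*:9273` on those hosts carry telemetry unauthenticated across the network, presumably over a private link, but nothing here shows that.
```nix
rules = [
  (builtins.toJSON {
    groups = [{
      name = "node";
      rules = [
        {
          alert = "node_down";
          expr = "up == 0";
          "for" = "5m";
          labels.severity = "page";
          annotations.summary = "{{$labels.alias}}: Node is down.";
          annotations.description = "{{$labels.alias}} has been down for more than 5 minutes.";
        }
        # … unchanged: remaining alerts, converted the same way …
      ];
    }];
  })
];
```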


@@ -0,0 +1,39 @@
{ config, pkgs, ... }:
{
virtualisation = {
podman.enable = true;
oci-containers.containers = {
rustdesk-server = {
image = "rustdesk/rustdesk-server-s6:1";
volumes = [ "/var/lib/rustdesk-server:/data" ];
environment = {
RELAY = "rustdesk.cloonar.com:21117";
};
ports = [
"21115:21115"
"21116:21116"
"21116:21116/udp"
"21118:21118"
"21117:21117"
"21119:21119"
];
};
};
};
users.users.rustdesk-server = {
isSystemUser = true;
group = "rustdesk-server";
home = "/var/lib/rustdesk-server";
createHome = true;
};
users.groups.rustdesk-server = { };
users.groups.docker.members = [ "rustdesk-server" ];
networking.firewall = {
enable = true;
allowedTCPPorts = [ 5000 21115 21116 21117 21118 21119 ];
allowedUDPPorts = [ 21116 ];
};
}
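Review bot: `users.groups.docker.members = [ "rustdesk-server" ]` puts the service account into the docker group, which is conventionally root-equivalent wherever a Docker daemon is running, while the runtime enabled here is podman and nothing in the container definition references that user (as far as I can tell `oci-containers` runs the container as root unless told otherwise), so the line, and probably the unused user/group pair, should go — or the container should actually be made to run as that user. `allowedTCPPorts` also opens 5000, which no entry in `ports` maps into the container; keeping the firewall to the mapped RustDesk ports, `allowedTCPPorts = [ 21115 21116 21117 21118 21119 ];`, avoids advertising an unused port. A short comment above `ports` such as `# hbbs (21115/21116/21118) and hbbr (21117/21119); 21116/udp is the rendezvous socket` would make the firewall list verifiable against the container mapping. `config` is declared in the module arguments but unused.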


@@ -0,0 +1,43 @@
{ config, ... }:
let
configure_prom = builtins.toFile "prometheus.yml" ''
scrape_configs:
- job_name: 'server'
stream_parse: true
static_configs:
- targets:
- ${config.networking.hostName}:9100
'';
in {
services.prometheus.exporters.node.enable = true;
sops.secrets.victoria-nginx-password.owner = "nginx";
services.victoriametrics = {
enable = true;
extraOptions = [
"-promscrape.config=${configure_prom}"
];
};
services.nginx.virtualHosts."victoria-server.cloonar.com" = {
forceSSL = true;
enableACME = true;
acmeRoot = null;
locations."/" = {
proxyWebsockets = true;
extraConfig = ''
auth_basic "Victoria password";
auth_basic_user_file ${config.sops.secrets.victoria-nginx-password.path};
proxy_read_timeout 1800s;
proxy_redirect off;
proxy_connect_timeout 1600s;
access_log off;
proxy_pass http://127.0.0.1:8428;
'';
};
};
}
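Review bot: `services.prometheus.exporters.node.enable = true` leaves the exporter on its default listen address, which, if I recall the exporter defaults correctly, is all interfaces on port 9100; the only scraper is VictoriaMetrics on the same host, so `services.prometheus.exporters.node.listenAddress = "127.0.0.1";` together with scraping `127.0.0.1:9100` instead of `${config.networking.hostName}:9100` removes a hostname-resolution dependency and keeps the metrics endpoint from becoming reachable should the firewall rules change. The basic-auth front is otherwise sound; a comment on the `auth_basic_user_file` line such as `# htpasswd file rendered by sops, readable by nginx via owner = "nginx"` would tie it to the `sops.secrets.victoria-nginx-password.owner` setting above.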


@@ -0,0 +1,328 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.services.webstack;
instanceOpts = { name, ... }:
{
options = {
user = mkOption {
type = types.nullOr types.str;
default = null;
description = lib.mdDoc ''
User of the typo3 instance. Defaults to attribute name in instances.
'';
example = "example.org";
};
domain = mkOption {
type = types.nullOr types.str;
default = null;
description = lib.mdDoc ''
Domain of the typo3 instance. Defaults to attribute name in instances.
'';
example = "example.org";
};
domainAliases = mkOption {
type = types.listOf types.str;
default = [];
example = [ "www.example.org" "example.org" ];
description = lib.mdDoc ''
Additional domains served by this typo3 instance.
'';
};
phpPackage = mkOption {
type = types.package;
example = literalExpression "pkgs.php";
description = lib.mdDoc ''
Which PHP package to use in this typo3 instance.
'';
};
phpOptions = mkOption {
type = types.lines;
default = "";
description = ''
"Options appended to the PHP configuration file {file}`php.ini` used for this PHP-FPM pool."
'';
};
enableMysql = mkEnableOption (lib.mdDoc "MySQL Database");
enableDefaultLocations = mkEnableOption (lib.mdDoc "Create default nginx location directives") // { default = true; };
authorizedKeys = mkOption {
type = types.listOf types.str;
default = null;
description = lib.mdDoc ''
Authorized keys for the typo3 instance ssh user.
'';
};
extraConfig = mkOption {
type = types.lines;
default = ''
if (!-e $request_filename) {
rewrite ^/(.+)\.(\d+)\.(php|js|css|png|jpg|gif|gzip)$ /$1.$3 last;
}
'';
description = lib.mdDoc ''
These lines go to the end of the vhost verbatim.
'';
};
locations = mkOption {
type = types.attrsOf (types.submodule (import <nixpkgs/nixos/modules/services/web-servers/nginx/location-options.nix> {
inherit lib config;
}));
default = {};
example = literalExpression ''
{
"/" = {
proxyPass = "http://localhost:3000";
};
};
'';
description = lib.mdDoc "Declarative location config";
};
};
};
in
{
options.services.webstack = {
dataDir = mkOption {
type = types.path;
default = "/var/www";
description = lib.mdDoc ''
The data directory for MySQL.
::: {.note}
If left as the default value of `/var/www` this directory will automatically be created before the web
server starts, otherwise you are responsible for ensuring the directory exists with appropriate ownership and permissions.
:::
'';
};
instances = mkOption {
type = types.attrsOf (types.submodule instanceOpts);
default = {};
description = lib.mdDoc "Create vhosts for typo3";
example = literalExpression ''
{
"typo3.example.com" = {
domain = "example.com";
domainAliases = [ "www.example.com" ];
phpPackage = pkgs.php81;
authorizedKeys = [
"ssh-rsa AZA=="
];
};
};
'';
};
};
config = {
systemd.services = mapAttrs' (instance: instanceOpts:
let
domain = if instanceOpts.domain != null then instanceOpts.domain else instance;
in
nameValuePair "phpfpm-${domain}" {
serviceConfig = {
ProtectHome = lib.mkForce "tmpfs";
BindPaths = "BindPaths=/var/www/${domain}:/var/www/${domain}";
};
}
) cfg.instances;
services.phpfpm.pools = mapAttrs' (instance: instanceOpts:
let
domain = if instanceOpts.domain != null then instanceOpts.domain else instance;
user = if instanceOpts.user != null
then instanceOps.user
else builtins.replaceStrings ["." "-"] ["_" "_"] domain;
in
nameValuePair domain {
user = user;
settings = {
"listen.owner" = config.services.nginx.user;
"pm" = "dynamic";
"pm.max_children" = 32;
"pm.max_requests" = 500;
"pm.start_servers" = 2;
"pm.min_spare_servers" = 2;
"pm.max_spare_servers" = 5;
"php_admin_value[error_log]" = "syslog";
"php_admin_value[max_execution_time]" = 240;
"php_admin_value[max_input_vars]" = 1500;
"access.log" = "/var/log/$pool.access.log";
};
phpOptions = instanceOpts.phpOptions;
phpPackage = instanceOpts.phpPackage;
phpEnv."PATH" = pkgs.lib.makeBinPath [ instanceOpts.phpPackage ];
}
) cfg.instances;
};
config.services.nginx.virtualHosts = mapAttrs' (instance: instanceOpts:
let
domain = if instanceOpts.domain != null then instanceOpts.domain else instance;
user = if instanceOpts.user != null
then instanceOps.user
else builtins.replaceStrings ["." "-"] ["_" "_"] domain;
in
nameValuePair domain {
forceSSL = true;
enableACME = true;
acmeRoot = null;
root = cfg.dataDir + "/" + domain + "/public";
locations = lib.mkMerge [
instanceOpts.locations
(mkIf instanceOpts.enableDefaultLocations {
"/favicon.ico".extraConfig = ''
log_not_found off;
access_log off;
'';
# Cache.appcache, your document html and data
"~* \\.(?:manifest|appcache|html?|xml|json)$".extraConfig = ''
expires -1;
# access_log logs/static.log; # I don't usually include a static log
'';
"~* \\.(jpe?g|png)$".extraConfig = ''
set $red Z;
if ($http_accept ~* "webp") {
set $red A;
}
if (-f $document_root/webp/$request_uri.webp) {
set $red "''${red}B";
}
if ($red = "AB") {
add_header Vary Accept;
rewrite ^ /webp/$request_uri.webp;
}
'';
# Cache Media: images, icons, video, audio, HTC
"~* \\.(?:jpg|jpeg|gif|png|webp|ico|cur|gz|svg|svgz|mp4|ogg|ogv|webm|htc|woff2)$".extraConfig = ''
expires 1y;
access_log off;
add_header Cache-Control "public";
'';
# Feed
"~* \\.(?:rss|atom)$".extraConfig = ''
expires 1h;
add_header Cache-Control "public";
'';
# Cache CSS, Javascript, Images, Icons, Video, Audio, HTC, Fonts
"~* \\.(?:css|js|jpg|jpeg|gif|png|ico|cur|gz|svg|svgz|mp4|ogg|ogv|webm|htc|woff2)$".extraConfig = ''
expires 1y;
access_log off;
add_header Cache-Control "public";
'';
"/".extraConfig = ''
index index.php index.html;
try_files $uri $uri/ /index.php$is_args$args;
'';
})
{
"~ [^/]\\.php(/|$)".extraConfig = ''
fastcgi_split_path_info ^(.+?\.php)(/.*)$;
if (!-f $document_root$fastcgi_script_name) {
return 404;
}
include ${pkgs.nginx}/conf/fastcgi_params;
include ${pkgs.nginx}/conf/fastcgi.conf;
fastcgi_buffer_size 32k;
fastcgi_buffers 8 16k;
fastcgi_connect_timeout 240s;
fastcgi_read_timeout 240s;
fastcgi_send_timeout 240s;
fastcgi_pass unix:${config.services.phpfpm.pools."${domain}".socket};
fastcgi_index index.php;
'';
}
];
extraConfig = instanceOpts.extraConfig;
# locations = mapAttrs' (location: locationOpts:
# nameValuePair location locationOpts) instanceOpts.locations;
}
) cfg.instances;
config.users.users = mapAttrs' (instance: instanceOpts:
let
domain = if instanceOpts.domain != null then instanceOpts.domain else instance;
user = if instanceOpts.user != null
then instanceOps.user
else builtins.replaceStrings ["." "-"] ["_" "_"] domain;
in
nameValuePair user {
isNormalUser = true;
createHome = true;
home = "/var/www/" + domain;
homeMode= "770";
group = config.services.nginx.group;
openssh.authorizedKeys.keys = instanceOpts.authorizedKeys;
}
) cfg.instances;
config.users.groups = mapAttrs' (instance: instanceOpts:
let
domain = if instanceOpts.domain != null then instanceOpts.domain else instance;
user = if instanceOpts.user != null
then instanceOps.user
else builtins.replaceStrings ["." "-"] ["_" "_"] domain;
in nameValuePair user {}) cfg.instances;
config.services.mysql.ensureUsers = mapAttrsToList (instance: instanceOpts:
let
domain = if instanceOpts.domain != null then instanceOpts.domain else instance;
user = if instanceOpts.user != null
then instanceOps.user
else builtins.replaceStrings ["." "-"] ["_" "_"] domain;
in
mkIf instanceOpts.enableMysql {
name = user;
ensurePermissions = {
"${user}.*" = "ALL PRIVILEGES";
};
}) cfg.instances;
config.services.mysql.ensureDatabases = mapAttrsToList (instance: instanceOpts:
let
domain = if instanceOpts.domain != null then instanceOpts.domain else instance;
user = if instanceOpts.user != null
then instanceOps.user
else builtins.replaceStrings ["." "-"] ["_" "_"] domain;
in
mkIf instanceOpts.enableMysql user
) cfg.instances;
config.services.mysqlBackup.databases = mapAttrsToList (instance: instanceOpts:
let
domain = if instanceOpts.domain != null then instanceOpts.domain else instance;
user = if instanceOpts.user != null
then instanceOps.user
else builtins.replaceStrings ["." "-"] ["_" "_"] domain;
in
mkIf instanceOpts.enableMysql user
) cfg.instances;
}
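Review bot: The systemd override `BindPaths = "BindPaths=/var/www/${domain}:/var/www/${domain}"` repeats the directive name inside its value, so the generated unit reads `BindPaths=BindPaths=/var/www/…`; it should be `BindPaths = "${cfg.dataDir}/${domain}:${cfg.dataDir}/${domain}";`, and the hard-coded `home = "/var/www/" + domain` should likewise derive from `cfg.dataDir`, which the nginx `root` already does (the `dataDir` description also still says "for MySQL"). Every `then instanceOps.user` branch (first in the phpfpm pool, then nginx, users, groups and the three mysql lists) is a typo for `instanceOpts.user`; because of `with lib;` it is only reported once an instance actually sets `user`. `authorizedKeys` is typed `listOf str` but has `default = null`, which fails the type check for any instance that leaves it unset — `default = [];` is the intended value. `homeMode = "770"` combined with `group = config.services.nginx.group` makes the whole site tree, PHP sources included, writable by the web-server group; `"750"` is enough for nginx to serve `public/` and keeps writes limited to the instance user that php-fpm runs as. The `mkIf instanceOpts.enableMysql` inside the list elements of `ensureUsers`, `ensureDatabases` and `mysqlBackup.databases` is, as far as I can tell, not discharged by the module system when nested in a list, so `lib.optional instanceOpts.enableMysql user` (or filtering `cfg.instances` on `enableMysql` first) is needed.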


@@ -0,0 +1,60 @@
borg-passphrase: ENC[AES256_GCM,data:CnaF4M/fSHNrNUJ7LwZRVp+RpUWpE2Pr1t9edCvkQ8c+ParvFgAcGQOGTpLtAbunUaPZCH2I32qhwgoABVr5TQ==,iv:ZII4SoivJEVHBD5iEHom7MbjeSDqgFUnNNr2T2UGL74=,tag:+O2B+pYl369y+MExxLL20Q==,type:str]
borg-ssh-key: ENC[AES256_GCM,data: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,iv:PHVop1XIKvPrhlAt2Kk+NrhQWw0qmkF2wDydwyu6s88=,tag:7vm+Fzf/FyZODCccEgfgXg==,type:str]
authelia-jwt-secret: ENC[AES256_GCM,data:txm7218ZPwx14WHvULbT0Wwb/41Zu/uEM7NyNlZPBrp6ahn7cW4DRhV2i3NAQ8pw796mMCsfpDHH2na9uOBmSQ==,iv:f0XCDp+qnS9oU8LiILScVUmUpyj8wDIZYh8ZphtsmqY=,tag:4rHEiAiMurd5yKvnCXnWbA==,type:str]
authelia-backend-ldap-password: ENC[AES256_GCM,data:HmPF/BgTH36H0tMry0E0q5YNevsmQc4GnAaHj+D4wScVtoR/6Y/j0XavaLy5VYsVLoNtMX3dJ6UZQ8ECmEkVGQ==,iv:w0p22wo7hgXXpqIV+UqM1+8S4v34Wf2aBPLA68MMrVQ=,tag:QXUbz7kqdL4XhOMfq+6xUw==,type:str]
authelia-storage-encryption-key: ENC[AES256_GCM,data:pYhnvNK8yzX97zLQ9sbNMDsICjOZYmunYwb4zIKv+mgMMqZwMtPEnzz42xZEYo0xxoSrXwrr3eqG1dB7isgP+vP7rQF9pbjnVIDOw+vwlDyvnkB2S9+/oeCf7g0FOtLolwV3febdo+0dO2nHIdD4oBAUrhUq64vsft8P3QCkAWc=,iv:Eu28tFG1i/Qj/GtW7EXzqeFPwawxthrc74xqSvpkGHw=,tag:ZK8zbTdyakHddHqorcZ4nQ==,type:str]
authelia-session-secret: ENC[AES256_GCM,data:6AhdM13jdD3eEOTdztm8TLBpgqfl4b9R9fvz52wkgIONHRNswuXxRRATlgWS0IFbkWO9O/RC/+dhMUd36R78bNRIdyx33Rsj7g9JOkdLldJe3ofLtn4IL2bsNwHc+9cF5J4VCYSqo4q33FSkqGOpVyf8sQxuWKC6gC5UUqkG7P4=,iv:GqZhovL5eAVYDM/nM2eKcRBamw/E60nIHnT4muJQ1b4=,tag:OZQjy8GGzgkTMR2aqJZlyw==,type:str]
authelia-identity-providers-oidc-hmac-secret: ENC[AES256_GCM,data:ljswWCWEemDzFugrt2wZikqmSE7+tTbGiMzfN8rufd0ec/AsZq3CoHNuCcLpBT99/PlUts32XPY0GLvbq4i7vA==,iv:h2RZs4AyrHCnxybe/MNZHRGXHmLvrTFy8J15CUdjpXE=,tag:JbPSKt5YNfnRgd2NKm1rWA==,type:str]
authelia-identity-providers-oidc-issuer-certificate-chain: ENC[AES256_GCM,data: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,iv:n0ybHvyZCIDufdJ6VDT+0txXqFKEJg8BX3LvoBvkpmU=,tag:Pdy+Gl2177yVkXNwoLCmzw==,type:str]
authelia-identity-providers-oidc-issuer-private-key: ENC[AES256_GCM,data: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,iv:ybaZfw0o4MYwUn+QZCydeJtrEgwCC5/hKm/MTqJ1ny4=,tag:bNxCYKTtrBTxb/REaCwZJg==,type:str]
nextcloud-ldap-password: ENC[AES256_GCM,data:PTURzI/Nu23LZo/ICxFRNURPD4oZwT0150CYs98KQ4GAAVzycboIocUXr8WRiu3O8/+kZkHO/7QV9Pa//i2ipw==,iv:4rW/SDZ+4LkTa2auVGvXHGQXPqHJmUStZoLlI+yFUdk=,tag:TQSDoxzvD036M6z91w9YDw==,type:str]
nextcloud-adminpass: ENC[AES256_GCM,data:4j80ZLynFjJDy9egCPZUbusPhlsi1iTCpN6+EeBoA8ph3wQRaRzolqRnrgrvpsr2HEAfLEf6ErmLlMdT8jQGiQ==,iv:oQjyxf0EDwzLhgIujpnxbQ2vnXZFJgT99YdMo8w1jpM=,tag:f4AOoZZp8v1JL3vycU9dxg==,type:str]
nextcloud-secrets: ENC[AES256_GCM,data:iyLYZWUnMcejvO4iXf6dyJfAiYtCoIrCjafRJzycRqVVxwpHK2o0xetkkymFvWCiWQKFZUpV7v8u4L1pnD/Zwmbvwlvyasstfvj10NztpZ9tFFGLUqgcs+AOSw5rqhWqo3pewHpRUpskyuZPCg==,iv:Z+AATaNqI4LpCkFPD5+skL2fUeM9Oz/krVPW31vMl1s=,tag:OKpnYN/IXP7e/m620XzHAg==,type:str]
nextcloud-smb-credentials: ENC[AES256_GCM,data:jmFV1dVq6dThe2BlSb28YAKwGayBn10f98tc2jjibpAa5oAVzD04NpAtpcTQThtY,iv:SJADE393kJH5VgPd919ZH2UKS0GBCaelo+/Xyb9kFAY=,tag:n/UApNtPS8esGfkx5dIwzw==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age14grjcxaq4h55yfnjxvnqhtswxhj9sfdcvyas4lwvpa8py27pjy2sv3g6v7
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFUFR5UzNXWDlCU3Y5bWQ4
VUl2akE1Ym1jWlFaU3BTb2FDYW15aEJRZ1JJClRhOWNDUTZTZzhwVmN1TG9PTUNs
SHN5b0pQMGhyNmtDdGwvVUlNU29RVGMKLS0tIEJpNnE4KzM4bkxuNlhhR1FRbTZ4
ekZUdjlSSG5OQXoySkZ2WEZ1dWFIQkkKB1lM2FdslIg+JzllHyilnMH3EqvHRImD
Qi3M64gKr3s6ulIU0k0HjCetILONUdX6VRXIMozDaGZCz7f+yXHkwQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age16veg3fmvpfm7a89a9fc8dvvsxmsthlm70nfxqspr6t8vnf9wkcwsvdq38d
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpQ3A3SkovZUtpS20vcVVH
SUJKMnU3Z21oN2tqZ05nTUhFTEZZK3JLeFFVCkZadVAyUEhFaGVRalJUOTJ5N1JV
Qi85dStiajErSndtV3BFVXBRS0w1N2cKLS0tIHRIbGlZMmtYdDRMQm5WRXFBWUpF
VjlVaDh2K1FGdmVwSWVqYmNES2hLYTQKTpO9nN+gD/EohH9Yo1+bkM4hncWrpfIG
Vyv7Rfval0QWGHU52VO6xlTieOse4NzrYQ9NQ3m/UROBpSmdiBWiBg==
-----END AGE ENCRYPTED FILE-----
- recipient: age1v6p8dan2t3w9h94fz4flldl32082j3s9x6zqq7u5j66keth9aphsd6pvch
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBuUXNXM1Y3eTljcm9OUGpY
c0hTa0F0THhiZHNQSWNoUDgxNmMzbks1amlVCmFsUGtuQzNKeDVxZ1hMYytEZnlP
bUd0bTZnM0xPMTl2ajB4K0F5cWF0eWMKLS0tIE1jNnRXRG9UaUU1TXBWdVdpaUlx
RE1xeHFpNFF2QkRKYzl5YUxiZjJtU2cKou/P1Aw9h2by7FoyQF4fyXu3IwxqVEHq
c97KVXI+MoHm6sq1OTJ94XsKB/h+VjiUk8KEl3kmnC0twzd56qsb4A==
-----END AGE ENCRYPTED FILE-----
- recipient: age1md4kkdf08zmagqv0yzza8h75f80c9j8np2p6eqea6fpa94szd5lsltz9va
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBraWFHUTI1Q2hMa1RaM2Fz
M0djcUIzendUUnlaY2N1SnJVM3JuMDZSZ0hzCndNbHJoN3o0ODl5SGhDVzJpS0c3
Q1dxMEFSOEJwUGRBQlhOUkRBV3hBTkUKLS0tIFhOSWphVVV4QS9jaDFza3VOdVps
T09oTGJjaU1kUlM4TTV4NmRjMHFyNEkKRdunkGCAOXtfhAxp/baX1GH6JI09jSRf
jK4gPmuNTcxQRSRoKigX04LdKr1YjYvyfeejIzNZEDd22EYj1ISS/w==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-10-23T21:04:42Z"
mac: ENC[AES256_GCM,data:D+FJiH4CLfiYcsFHpW1Lf6V7Ej9AFzVhTpM97mkd0rsDIVCFb+4PQmwQ8aF3SQvpuVmo49G7MmHhgC4WJPMyCVGs87E1J5QgNzaj/uBvEze42YRkC0rsePsoq/CyG+3DPFPE7DoPtijNqT+vTQk0Ku2245vTejk6oF2JdbzQ3u8=,iv:3tWsnBgmceqqhb01fGfBBqLD5F3bD8J9M4NIcdxNzgY=,tag:caeRk/lvI1ymHv91N85c4g==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.8.1


@@ -0,0 +1 @@
../../utils