diff --git a/fleet.nix b/fleet.nix
index 1f6b57e..f121d03 100644
--- a/fleet.nix
+++ b/fleet.nix
@@ -27,35 +27,26 @@
 username = "web-arm";
 key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGzJRWe8hsqAVnGSjPrcheloteWMzORoQ5Gj4IfhCROF";
 }
+ {
+ username = "mail";
+ key = "ssh-rsa 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 root@mail";
+ }
 {
 username = "mail.cloonar.com";
 key = "ssh-rsa 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 root@mail";
 }
 {
- username = "nb-01.cloonar.com";
- key = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDN/2SAFm50kraB1fepAizox/QRXxB7WbqVbH+5OPalDT47VIJGNKOKhixQoqhABHxEoLxdf/C83wxlCVlPV9poLfDgVkA3Lyt5r3tSFQ6QjjOJAgchWamMsxxyGBedhKvhiEzcr/Lxytnoz3kjDG8fqQJwEpdqMmJoMUfyL2Rqp16u+FQ7d5aJtwO8EUqovhMaNO7rggjPpV/uMOg+tBxxmscliN7DLuP4EMTA/FwXVzcFNbOx3K9BdpMRAaSJt4SWcJO2cS2KHA5n/H+PQI7nz5KN3Yr/upJN5fROhi/SHvK39QOx12Pv7FCuWlc+oR68vLaoCKYhnkl3DnCfc7A7";
- }
- {
- username = "nb-new.cloonar.com";
+ username = "nb";
 key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC1dDoAJUY58I+4SSfDAkO5kInsMcJT/r/mW+MYXLQVR";
 }
 {
- username = "fw.cloonar.com";
+ username = "fw";
 key = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDtxpJAFohRtBaET9e7EE4I6UmeUT/h1ZTD1zeOHFiWB/AT71ooDT4/QukJOA3LqklDjtDQHH+qjGY50Wa8/oGTA/X3aBDPg5GAHN+U+kYO2UTC69VVjh4TTS35ijg+AdgegtMI4c0VIUMZB24tthV9KEbD20w6XnTzy2Q6PjbBrwsOeHYr9pkygJZDU65ZeKmLyR6yLaadHzXX1I7V2SwiakPEebhQaGipm540d+tAbirKCHcmiORkpd++e3dfwi25hC9bCQ7b3bdaFPAmuhhFEid4jpCt79X+l0qqpClgRLziBjYykNJDFKAljFBJA11/3ofPCuaBCDUuJVhAH044gtT3sbvJq1prd8ElZy6L1yc5YbfFgDMwi71Y2hef780NmDs5Opk9xUCKqdl1YfLyUDgdiiaZ8uhUMd2Ai9BAxJAXtcz/V41ngt3YkUVyGTZdTAODIKk44blGIkgs7JO4yam4UB1curbD0faIZnWLyS5pdFQ+FI05YVjoHXJdme8=";
 }
 {
 username = "fw-new";
 key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILnb9todh2b+c3iCmEz72smRwL37aZf3Xs3voT7+PLTP";
 }
-
- {
- username = "mail.social-grow.tech";
- key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH1K4mhBji1kMGnO55OOFaDknBf2Q6wgm7DaMYKip+S5";
- }
- {
- username = "web.social-grow.tech";
- key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIw4lHUd/+rHIWP2WBAj9smo2CkeHEOHhTqZzacmxMcC";
- }
 ];
 in {
 imports = builtins.map create_users users;
diff --git a/hosts/fw.cloonar.com/channel b/hosts/fw/channel
similarity index 100%
rename from hosts/fw.cloonar.com/channel
rename to hosts/fw/channel
diff --git a/hosts/fw.cloonar.com/configuration.nix b/hosts/fw/configuration.nix
similarity index 99%
rename from hosts/fw.cloonar.com/configuration.nix
rename to hosts/fw/configuration.nix
index cbe9390..e2ad07c 100644
--- a/hosts/fw.cloonar.com/configuration.nix
+++ b/hosts/fw/configuration.nix
@@ -4,7 +4,6 @@ ./utils/bento.nix ./utils/modules/sops.nix ./utils/modules/lego/lego.nix - ./utils/modules/nginx.nix ./utils/modules/autoupgrade.nix
diff --git a/hosts/fw.cloonar.com/fleet.nix b/hosts/fw/fleet.nix
similarity index 100%
rename from hosts/fw.cloonar.com/fleet.nix
rename to hosts/fw/fleet.nix
diff --git a/hosts/fw.cloonar.com/hardware-configuration.nix b/hosts/fw/hardware-configuration.nix
similarity index 100%
rename from hosts/fw.cloonar.com/hardware-configuration.nix
rename to hosts/fw/hardware-configuration.nix
diff --git a/hosts/fw.cloonar.com/modules/ark-survival-evolved.nix b/hosts/fw/modules/ark-survival-evolved.nix
similarity index 100%
rename from hosts/fw.cloonar.com/modules/ark-survival-evolved.nix
rename to hosts/fw/modules/ark-survival-evolved.nix
diff --git a/hosts/fw.cloonar.com/modules/avahi.nix b/hosts/fw/modules/avahi.nix
similarity index 100%
rename from hosts/fw.cloonar.com/modules/avahi.nix
rename to hosts/fw/modules/avahi.nix
diff --git a/hosts/fw.cloonar.com/modules/ddclient.nix b/hosts/fw/modules/ddclient.nix
similarity index 100%
rename from hosts/fw.cloonar.com/modules/ddclient.nix
rename to hosts/fw/modules/ddclient.nix
diff --git a/hosts/fw.cloonar.com/modules/deconz.nix b/hosts/fw/modules/deconz.nix
similarity index 100%
rename from hosts/fw.cloonar.com/modules/deconz.nix
rename to hosts/fw/modules/deconz.nix
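Review bot: The added `mail` entry carries the same public key as the `mail.cloonar.com` entry that stays in the list, so after this change two fleet users are authorised by one key. If the old name is kept only for the cut-over (the host directory becomes `hosts/mail` in the same commit), mark it so it is not forgotten, e.g. `# transitional: remove "mail.cloonar.com" once the host connects as "mail"`. The same question applies to `fw` and `fw-new`, which both remain; a short comment saying which one is live would help. What `create_users` does with each entry is outside this hunk, so the effect of the duplicate is inferred rather than shown.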
diff --git a/hosts/fw.cloonar.com/modules/dhcp4.nix b/hosts/fw/modules/dhcp4.nix
similarity index 100%
rename from hosts/fw.cloonar.com/modules/dhcp4.nix
rename to hosts/fw/modules/dhcp4.nix
diff --git a/hosts/fw.cloonar.com/modules/firefox-sync.nix b/hosts/fw/modules/firefox-sync.nix
similarity index 100%
rename from hosts/fw.cloonar.com/modules/firefox-sync.nix
rename to hosts/fw/modules/firefox-sync.nix
diff --git a/hosts/fw.cloonar.com/modules/firewall.nix b/hosts/fw/modules/firewall.nix
similarity index 100%
rename from hosts/fw.cloonar.com/modules/firewall.nix
rename to hosts/fw/modules/firewall.nix
diff --git a/hosts/fw.cloonar.com/modules/foundry-vtt.nix b/hosts/fw/modules/foundry-vtt.nix
similarity index 100%
rename from hosts/fw.cloonar.com/modules/foundry-vtt.nix
rename to hosts/fw/modules/foundry-vtt.nix
diff --git a/hosts/fw.cloonar.com/modules/fwmetrics.nix b/hosts/fw/modules/fwmetrics.nix
similarity index 100%
rename from hosts/fw.cloonar.com/modules/fwmetrics.nix
rename to hosts/fw/modules/fwmetrics.nix
diff --git a/hosts/fw.cloonar.com/modules/gitea-vm.nix b/hosts/fw/modules/gitea-vm.nix
similarity index 100%
rename from hosts/fw.cloonar.com/modules/gitea-vm.nix
rename to hosts/fw/modules/gitea-vm.nix
diff --git a/hosts/fw.cloonar.com/modules/gitea.nix b/hosts/fw/modules/gitea.nix
similarity index 100%
rename from hosts/fw.cloonar.com/modules/gitea.nix
rename to hosts/fw/modules/gitea.nix
diff --git a/hosts/fw.cloonar.com/modules/home-assistant/3dprinter.nix b/hosts/fw/modules/home-assistant/3dprinter.nix
similarity index 100%
rename from hosts/fw.cloonar.com/modules/home-assistant/3dprinter.nix
rename to hosts/fw/modules/home-assistant/3dprinter.nix
diff --git a/hosts/fw.cloonar.com/modules/home-assistant/ac.nix b/hosts/fw/modules/home-assistant/ac.nix
similarity index 100%
rename from hosts/fw.cloonar.com/modules/home-assistant/ac.nix
rename to hosts/fw/modules/home-assistant/ac.nix
diff --git a/hosts/fw.cloonar.com/modules/home-assistant/battery.nix b/hosts/fw/modules/home-assistant/battery.nix
similarity index 100%
rename from hosts/fw.cloonar.com/modules/home-assistant/battery.nix
rename to hosts/fw/modules/home-assistant/battery.nix
diff --git a/hosts/fw.cloonar.com/modules/home-assistant/custom-components/bermuda.nix b/hosts/fw/modules/home-assistant/custom-components/bermuda.nix
similarity index 100%
rename from hosts/fw.cloonar.com/modules/home-assistant/custom-components/bermuda.nix
rename to hosts/fw/modules/home-assistant/custom-components/bermuda.nix
diff --git a/hosts/fw.cloonar.com/modules/home-assistant/custom-components/hacs.nix b/hosts/fw/modules/home-assistant/custom-components/hacs.nix
similarity index 100%
rename from hosts/fw.cloonar.com/modules/home-assistant/custom-components/hacs.nix
rename to hosts/fw/modules/home-assistant/custom-components/hacs.nix
diff --git a/hosts/fw.cloonar.com/modules/home-assistant/custom-components/lovelace-scheduler.nix b/hosts/fw/modules/home-assistant/custom-components/lovelace-scheduler.nix
similarity index 100%
rename from hosts/fw.cloonar.com/modules/home-assistant/custom-components/lovelace-scheduler.nix
rename to hosts/fw/modules/home-assistant/custom-components/lovelace-scheduler.nix
diff --git a/hosts/fw.cloonar.com/modules/home-assistant/custom-components/scheduler.nix b/hosts/fw/modules/home-assistant/custom-components/scheduler.nix
similarity index 100%
rename from hosts/fw.cloonar.com/modules/home-assistant/custom-components/scheduler.nix
rename to hosts/fw/modules/home-assistant/custom-components/scheduler.nix
diff --git a/hosts/fw.cloonar.com/modules/home-assistant/default.nix b/hosts/fw/modules/home-assistant/default.nix
similarity index 100%
rename from hosts/fw.cloonar.com/modules/home-assistant/default.nix
rename to hosts/fw/modules/home-assistant/default.nix
diff --git a/hosts/fw.cloonar.com/modules/home-assistant/electricity.nix b/hosts/fw/modules/home-assistant/electricity.nix
similarity index 100%
rename from hosts/fw.cloonar.com/modules/home-assistant/electricity.nix
rename to hosts/fw/modules/home-assistant/electricity.nix
diff --git a/hosts/fw.cloonar.com/modules/home-assistant/enocean.nix b/hosts/fw/modules/home-assistant/enocean.nix
similarity index 100%
rename from hosts/fw.cloonar.com/modules/home-assistant/enocean.nix
rename to hosts/fw/modules/home-assistant/enocean.nix
diff --git a/hosts/fw.cloonar.com/modules/home-assistant/ldap.nix b/hosts/fw/modules/home-assistant/ldap.nix
similarity index 100%
rename from hosts/fw.cloonar.com/modules/home-assistant/ldap.nix
rename to hosts/fw/modules/home-assistant/ldap.nix
diff --git a/hosts/fw.cloonar.com/modules/home-assistant/light.nix b/hosts/fw/modules/home-assistant/light.nix
similarity index 100%
rename from hosts/fw.cloonar.com/modules/home-assistant/light.nix
rename to hosts/fw/modules/home-assistant/light.nix
diff --git a/hosts/fw.cloonar.com/modules/home-assistant/locks.nix b/hosts/fw/modules/home-assistant/locks.nix
similarity index 100%
rename from hosts/fw.cloonar.com/modules/home-assistant/locks.nix
rename to hosts/fw/modules/home-assistant/locks.nix
diff --git a/hosts/fw.cloonar.com/modules/home-assistant/multimedia.nix b/hosts/fw/modules/home-assistant/multimedia.nix
similarity index 100%
rename from hosts/fw.cloonar.com/modules/home-assistant/multimedia.nix
rename to hosts/fw/modules/home-assistant/multimedia.nix
diff --git a/hosts/fw.cloonar.com/modules/home-assistant/music.nix b/hosts/fw/modules/home-assistant/music.nix
similarity index 100%
rename from hosts/fw.cloonar.com/modules/home-assistant/music.nix
rename to hosts/fw/modules/home-assistant/music.nix
diff --git a/hosts/fw.cloonar.com/modules/home-assistant/notify.nix b/hosts/fw/modules/home-assistant/notify.nix
similarity index 100%
rename from hosts/fw.cloonar.com/modules/home-assistant/notify.nix
rename to hosts/fw/modules/home-assistant/notify.nix
diff --git a/hosts/fw.cloonar.com/modules/home-assistant/pc.nix b/hosts/fw/modules/home-assistant/pc.nix
similarity index 100%
rename from hosts/fw.cloonar.com/modules/home-assistant/pc.nix
rename to hosts/fw/modules/home-assistant/pc.nix
diff --git a/hosts/fw.cloonar.com/modules/home-assistant/power-saving.nix b/hosts/fw/modules/home-assistant/power-saving.nix
similarity index 100%
rename from hosts/fw.cloonar.com/modules/home-assistant/power-saving.nix
rename to hosts/fw/modules/home-assistant/power-saving.nix
diff --git a/hosts/fw.cloonar.com/modules/home-assistant/presense.nix b/hosts/fw/modules/home-assistant/presense.nix
similarity index 100%
rename from hosts/fw.cloonar.com/modules/home-assistant/presense.nix
rename to hosts/fw/modules/home-assistant/presense.nix
diff --git a/hosts/fw.cloonar.com/modules/home-assistant/pushover.nix b/hosts/fw/modules/home-assistant/pushover.nix
similarity index 100%
rename from hosts/fw.cloonar.com/modules/home-assistant/pushover.nix
rename to hosts/fw/modules/home-assistant/pushover.nix
diff --git a/hosts/fw.cloonar.com/modules/home-assistant/remote.nix b/hosts/fw/modules/home-assistant/remote.nix
similarity index 100%
rename from hosts/fw.cloonar.com/modules/home-assistant/remote.nix
rename to hosts/fw/modules/home-assistant/remote.nix
diff --git a/hosts/fw.cloonar.com/modules/home-assistant/roborock.nix b/hosts/fw/modules/home-assistant/roborock.nix
similarity index 100%
rename from hosts/fw.cloonar.com/modules/home-assistant/roborock.nix
rename to hosts/fw/modules/home-assistant/roborock.nix
diff --git a/hosts/fw.cloonar.com/modules/home-assistant/scene-switch.nix b/hosts/fw/modules/home-assistant/scene-switch.nix
similarity index 100%
rename from hosts/fw.cloonar.com/modules/home-assistant/scene-switch.nix
rename to hosts/fw/modules/home-assistant/scene-switch.nix
diff --git a/hosts/fw.cloonar.com/modules/home-assistant/shelly.nix b/hosts/fw/modules/home-assistant/shelly.nix
similarity index 100%
rename from hosts/fw.cloonar.com/modules/home-assistant/shelly.nix
rename to hosts/fw/modules/home-assistant/shelly.nix
diff --git a/hosts/fw.cloonar.com/modules/home-assistant/sleep.nix b/hosts/fw/modules/home-assistant/sleep.nix
similarity index 100%
rename from hosts/fw.cloonar.com/modules/home-assistant/sleep.nix
rename to hosts/fw/modules/home-assistant/sleep.nix
diff --git a/hosts/fw.cloonar.com/modules/home-assistant/snapcast.nix b/hosts/fw/modules/home-assistant/snapcast.nix
similarity index 100%
rename from hosts/fw.cloonar.com/modules/home-assistant/snapcast.nix
rename to hosts/fw/modules/home-assistant/snapcast.nix
diff --git a/hosts/fw.cloonar.com/modules/microvm.nix b/hosts/fw/modules/microvm.nix
similarity index 100%
rename from hosts/fw.cloonar.com/modules/microvm.nix
rename to hosts/fw/modules/microvm.nix
diff --git a/hosts/fw.cloonar.com/modules/mopidy.nix b/hosts/fw/modules/mopidy.nix
similarity index 100%
rename from hosts/fw.cloonar.com/modules/mopidy.nix
rename to hosts/fw/modules/mopidy.nix
diff --git a/hosts/fw.cloonar.com/modules/mosquitto.nix b/hosts/fw/modules/mosquitto.nix
similarity index 100%
rename from hosts/fw.cloonar.com/modules/mosquitto.nix
rename to hosts/fw/modules/mosquitto.nix
diff --git a/hosts/fw.cloonar.com/modules/networking.nix b/hosts/fw/modules/networking.nix
similarity index 100%
rename from hosts/fw.cloonar.com/modules/networking.nix
rename to hosts/fw/modules/networking.nix
diff --git a/hosts/fw.cloonar.com/modules/omada.nix b/hosts/fw/modules/omada.nix
similarity index 100%
rename from hosts/fw.cloonar.com/modules/omada.nix
rename to hosts/fw/modules/omada.nix
diff --git a/hosts/fw.cloonar.com/modules/openconnect.nix b/hosts/fw/modules/openconnect.nix
similarity index 100%
rename from hosts/fw.cloonar.com/modules/openconnect.nix
rename to hosts/fw/modules/openconnect.nix
diff --git a/hosts/fw.cloonar.com/modules/palworld.nix b/hosts/fw/modules/palworld.nix
similarity index 100%
rename from hosts/fw.cloonar.com/modules/palworld.nix
rename to hosts/fw/modules/palworld.nix
diff --git a/hosts/fw.cloonar.com/modules/podman.nix b/hosts/fw/modules/podman.nix
similarity index 100%
rename from hosts/fw.cloonar.com/modules/podman.nix
rename to hosts/fw/modules/podman.nix
diff --git a/hosts/fw.cloonar.com/modules/postgresql.nix b/hosts/fw/modules/postgresql.nix
similarity index 100%
rename from hosts/fw.cloonar.com/modules/postgresql.nix
rename to hosts/fw/modules/postgresql.nix
diff --git a/hosts/fw.cloonar.com/modules/setupnetwork.nix b/hosts/fw/modules/setupnetwork.nix
similarity index 100%
rename from hosts/fw.cloonar.com/modules/setupnetwork.nix
rename to hosts/fw/modules/setupnetwork.nix
diff --git a/hosts/fw.cloonar.com/modules/snapserver.nix b/hosts/fw/modules/snapserver.nix
similarity index 100%
rename from hosts/fw.cloonar.com/modules/snapserver.nix
rename to hosts/fw/modules/snapserver.nix
diff --git a/hosts/fw.cloonar.com/modules/staticids.nix b/hosts/fw/modules/staticids.nix
similarity index 100%
rename from hosts/fw.cloonar.com/modules/staticids.nix
rename to hosts/fw/modules/staticids.nix
diff --git a/hosts/fw.cloonar.com/modules/sysbox.nix b/hosts/fw/modules/sysbox.nix
similarity index 100%
rename from hosts/fw.cloonar.com/modules/sysbox.nix
rename to hosts/fw/modules/sysbox.nix
diff --git a/hosts/fw.cloonar.com/modules/unbound.nix b/hosts/fw/modules/unbound.nix
similarity index 100%
rename from hosts/fw.cloonar.com/modules/unbound.nix
rename to hosts/fw/modules/unbound.nix
diff --git a/hosts/fw.cloonar.com/modules/update-containers.nix b/hosts/fw/modules/update-containers.nix
similarity index 100%
rename from hosts/fw.cloonar.com/modules/update-containers.nix
rename to hosts/fw/modules/update-containers.nix
diff --git a/hosts/fw.cloonar.com/modules/web/default.nix b/hosts/fw/modules/web/default.nix
similarity index 100%
rename from hosts/fw.cloonar.com/modules/web/default.nix
rename to hosts/fw/modules/web/default.nix
diff --git a/hosts/fw.cloonar.com/modules/web/matrix.nix b/hosts/fw/modules/web/matrix.nix
similarity index 100%
rename from hosts/fw.cloonar.com/modules/web/matrix.nix
rename to hosts/fw/modules/web/matrix.nix
diff --git a/hosts/fw.cloonar.com/modules/web/proxies.nix b/hosts/fw/modules/web/proxies.nix
similarity index 100%
rename from hosts/fw.cloonar.com/modules/web/proxies.nix
rename to hosts/fw/modules/web/proxies.nix
diff --git a/hosts/fw.cloonar.com/modules/web/secrets.yaml b/hosts/fw/modules/web/secrets.yaml
similarity index 100%
rename from hosts/fw.cloonar.com/modules/web/secrets.yaml
rename to hosts/fw/modules/web/secrets.yaml
diff --git a/hosts/fw.cloonar.com/modules/web/zammad.nix b/hosts/fw/modules/web/zammad.nix
similarity index 100%
rename from hosts/fw.cloonar.com/modules/web/zammad.nix
rename to hosts/fw/modules/web/zammad.nix
diff --git a/hosts/fw.cloonar.com/modules/wireguard.nix b/hosts/fw/modules/wireguard.nix
similarity index 100%
rename from hosts/fw.cloonar.com/modules/wireguard.nix
rename to hosts/fw/modules/wireguard.nix
diff --git a/hosts/fw.cloonar.com/modules/wol.nix b/hosts/fw/modules/wol.nix
similarity index 100%
rename from hosts/fw.cloonar.com/modules/wol.nix
rename to hosts/fw/modules/wol.nix
diff --git a/hosts/fw.cloonar.com/pkgs/foundry-vtt/FoundryVTT-12.331.zip b/hosts/fw/pkgs/foundry-vtt/FoundryVTT-12.331.zip
similarity index 100%
rename from hosts/fw.cloonar.com/pkgs/foundry-vtt/FoundryVTT-12.331.zip
rename to hosts/fw/pkgs/foundry-vtt/FoundryVTT-12.331.zip
diff --git a/hosts/fw.cloonar.com/pkgs/foundry-vtt/default.nix b/hosts/fw/pkgs/foundry-vtt/default.nix
similarity index 100%
rename from hosts/fw.cloonar.com/pkgs/foundry-vtt/default.nix
rename to hosts/fw/pkgs/foundry-vtt/default.nix
diff --git a/hosts/fw.cloonar.com/secrets.yaml b/hosts/fw/secrets.yaml
similarity index 100%
rename from hosts/fw.cloonar.com/secrets.yaml
rename to hosts/fw/secrets.yaml
diff --git a/hosts/fw.cloonar.com/utils b/hosts/fw/utils
similarity index 100%
rename from hosts/fw.cloonar.com/utils
rename to hosts/fw/utils
diff --git a/hosts/mail.cloonar.com/channel b/hosts/mail/channel
similarity index 100%
rename from hosts/mail.cloonar.com/channel
rename to hosts/mail/channel
diff --git a/hosts/mail.cloonar.com/configuration.nix b/hosts/mail/configuration.nix
similarity index 100%
rename from hosts/mail.cloonar.com/configuration.nix
rename to hosts/mail/configuration.nix
diff --git a/hosts/mail.cloonar.com/hardware-configuration.nix b/hosts/mail/hardware-configuration.nix
similarity index 100%
rename from hosts/mail.cloonar.com/hardware-configuration.nix
rename to hosts/mail/hardware-configuration.nix
diff --git a/hosts/mail.cloonar.com/modules/dovecot.nix b/hosts/mail/modules/dovecot.nix
similarity index 100%
rename from hosts/mail.cloonar.com/modules/dovecot.nix
rename to hosts/mail/modules/dovecot.nix
diff --git a/hosts/mail.cloonar.com/modules/openldap.nix b/hosts/mail/modules/openldap.nix
similarity index 100%
rename from hosts/mail.cloonar.com/modules/openldap.nix
rename to hosts/mail/modules/openldap.nix
diff --git a/hosts/mail.cloonar.com/modules/postfix.nix b/hosts/mail/modules/postfix.nix
similarity index 100%
rename from hosts/mail.cloonar.com/modules/postfix.nix
rename to hosts/mail/modules/postfix.nix
diff --git a/hosts/mail.cloonar.com/modules/rspamd.nix b/hosts/mail/modules/rspamd.nix
similarity index 100%
rename from hosts/mail.cloonar.com/modules/rspamd.nix
rename to hosts/mail/modules/rspamd.nix
diff --git a/hosts/mail.cloonar.com/pkgs/sieve-spam-filter/default.nix b/hosts/mail/pkgs/sieve-spam-filter/default.nix
similarity index 100%
rename from hosts/mail.cloonar.com/pkgs/sieve-spam-filter/default.nix
rename to hosts/mail/pkgs/sieve-spam-filter/default.nix
diff --git a/hosts/mail.cloonar.com/pkgs/sieve-spam-filter/src/move-to-spam.sieve b/hosts/mail/pkgs/sieve-spam-filter/src/move-to-spam.sieve
similarity index 100%
rename from hosts/mail.cloonar.com/pkgs/sieve-spam-filter/src/move-to-spam.sieve
rename to hosts/mail/pkgs/sieve-spam-filter/src/move-to-spam.sieve
diff --git a/hosts/mail.cloonar.com/pkgs/sieve-spam-filter/src/report-ham.sieve b/hosts/mail/pkgs/sieve-spam-filter/src/report-ham.sieve
similarity index 100%
rename from hosts/mail.cloonar.com/pkgs/sieve-spam-filter/src/report-ham.sieve
rename to hosts/mail/pkgs/sieve-spam-filter/src/report-ham.sieve
diff --git a/hosts/mail.cloonar.com/pkgs/sieve-spam-filter/src/report-spam.sieve b/hosts/mail/pkgs/sieve-spam-filter/src/report-spam.sieve
similarity index 100%
rename from hosts/mail.cloonar.com/pkgs/sieve-spam-filter/src/report-spam.sieve
rename to hosts/mail/pkgs/sieve-spam-filter/src/report-spam.sieve
diff --git a/hosts/mail.cloonar.com/secrets.yaml b/hosts/mail/secrets.yaml
similarity index 100%
rename from hosts/mail.cloonar.com/secrets.yaml
rename to hosts/mail/secrets.yaml
diff --git a/hosts/mail.cloonar.com/utils b/hosts/mail/utils
similarity index 100%
rename from hosts/mail.cloonar.com/utils
rename to hosts/mail/utils
diff --git a/hosts/nb-new.cloonar.com/cachix.nix b/hosts/nb/cachix.nix
similarity index 100%
rename from hosts/nb-new.cloonar.com/cachix.nix
rename to hosts/nb/cachix.nix
diff --git a/hosts/nb-new.cloonar.com/cachix/nix-community.nix b/hosts/nb/cachix/nix-community.nix
similarity index 100%
rename from hosts/nb-new.cloonar.com/cachix/nix-community.nix
rename to hosts/nb/cachix/nix-community.nix
diff --git a/hosts/nb-new.cloonar.com/channel b/hosts/nb/channel
similarity index 100%
rename from hosts/nb-new.cloonar.com/channel
rename to hosts/nb/channel
diff --git a/hosts/nb-new.cloonar.com/configuration.nix b/hosts/nb/configuration.nix
similarity index 99%
rename from hosts/nb-new.cloonar.com/configuration.nix
rename to hosts/nb/configuration.nix
index 95cf617..ab75a8c 100644
--- a/hosts/nb-new.cloonar.com/configuration.nix
+++ b/hosts/nb/configuration.nix
@@ -7,6 +7,7 @@ let unstable = import (fetchTarball https://nixos.org/channels/nixos-unstable/nixexprs.tar.xz) { config = { allowUnfree = true; }; }; + impermanence = builtins.fetchTarball "https://github.com/nix-community/impermanence/archive/master.tar.gz"; in { nixpkgs.config.allowUnfree = true;
diff --git a/hosts/nb-new.cloonar.com/hardware-configuration.nix b/hosts/nb/hardware-configuration.nix
similarity index 100%
rename from hosts/nb-new.cloonar.com/hardware-configuration.nix
rename to hosts/nb/hardware-configuration.nix
diff --git a/hosts/nb-new.cloonar.com/modules/appimage.nix b/hosts/nb/modules/appimage.nix
similarity index 100%
rename from hosts/nb-new.cloonar.com/modules/appimage.nix
rename to hosts/nb/modules/appimage.nix
diff --git a/hosts/nb-new.cloonar.com/modules/nvim/config/bufferline.lua b/hosts/nb/modules/nvim/config/bufferline.lua
similarity index 100%
rename from hosts/nb-new.cloonar.com/modules/nvim/config/bufferline.lua
rename to hosts/nb/modules/nvim/config/bufferline.lua
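Review bot: The added `impermanence` binding in `hosts/nb/configuration.nix` fetches the `master` tarball with no hash, so every evaluation takes whatever the branch holds at that moment and nothing verifies the content. Pin it to a commit and give the hash, e.g. `impermanence = builtins.fetchTarball { url = "https://github.com/nix-community/impermanence/archive/<COMMIT-PLACEHOLDER>.tar.gz"; sha256 = "<SHA256-PLACEHOLDER>"; };`. The `unstable` binding in the context lines follows the same unpinned pattern and could be pinned alongside. The `let` block begins above the hunk, and the body that would use `impermanence` is not shown here.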
diff --git a/hosts/nb-new.cloonar.com/modules/nvim/config/copilot.lua b/hosts/nb/modules/nvim/config/copilot.lua
similarity index 100%
rename from hosts/nb-new.cloonar.com/modules/nvim/config/copilot.lua
rename to hosts/nb/modules/nvim/config/copilot.lua
diff --git a/hosts/nb-new.cloonar.com/modules/nvim/config/icons.lua b/hosts/nb/modules/nvim/config/icons.lua
similarity index 100%
rename from hosts/nb-new.cloonar.com/modules/nvim/config/icons.lua
rename to hosts/nb/modules/nvim/config/icons.lua
diff --git a/hosts/nb-new.cloonar.com/modules/nvim/config/init.lua b/hosts/nb/modules/nvim/config/init.lua
similarity index 100%
rename from hosts/nb-new.cloonar.com/modules/nvim/config/init.lua
rename to hosts/nb/modules/nvim/config/init.lua
diff --git a/hosts/nb-new.cloonar.com/modules/nvim/config/keymappings.lua b/hosts/nb/modules/nvim/config/keymappings.lua
similarity index 100%
rename from hosts/nb-new.cloonar.com/modules/nvim/config/keymappings.lua
rename to hosts/nb/modules/nvim/config/keymappings.lua
diff --git a/hosts/nb-new.cloonar.com/modules/nvim/config/lspconfig.lua b/hosts/nb/modules/nvim/config/lspconfig.lua
similarity index 100%
rename from hosts/nb-new.cloonar.com/modules/nvim/config/lspconfig.lua
rename to hosts/nb/modules/nvim/config/lspconfig.lua
diff --git a/hosts/nb-new.cloonar.com/modules/nvim/config/nvim-cmp.lua b/hosts/nb/modules/nvim/config/nvim-cmp.lua
similarity index 100%
rename from hosts/nb-new.cloonar.com/modules/nvim/config/nvim-cmp.lua
rename to hosts/nb/modules/nvim/config/nvim-cmp.lua
diff --git a/hosts/nb-new.cloonar.com/modules/nvim/config/project.lua b/hosts/nb/modules/nvim/config/project.lua
similarity index 100%
rename from hosts/nb-new.cloonar.com/modules/nvim/config/project.lua
rename to hosts/nb/modules/nvim/config/project.lua
diff --git a/hosts/nb-new.cloonar.com/modules/nvim/config/telescope.lua b/hosts/nb/modules/nvim/config/telescope.lua
similarity index 100%
rename from hosts/nb-new.cloonar.com/modules/nvim/config/telescope.lua
rename to hosts/nb/modules/nvim/config/telescope.lua
diff --git a/hosts/nb-new.cloonar.com/modules/nvim/config/terminal.lua b/hosts/nb/modules/nvim/config/terminal.lua
similarity index 100%
rename from hosts/nb-new.cloonar.com/modules/nvim/config/terminal.lua
rename to hosts/nb/modules/nvim/config/terminal.lua
diff --git a/hosts/nb-new.cloonar.com/modules/nvim/config/theming.lua b/hosts/nb/modules/nvim/config/theming.lua
similarity index 100%
rename from hosts/nb-new.cloonar.com/modules/nvim/config/theming.lua
rename to hosts/nb/modules/nvim/config/theming.lua
diff --git a/hosts/nb-new.cloonar.com/modules/nvim/config/treesitter-textobjects.lua b/hosts/nb/modules/nvim/config/treesitter-textobjects.lua
similarity index 100%
rename from hosts/nb-new.cloonar.com/modules/nvim/config/treesitter-textobjects.lua
rename to hosts/nb/modules/nvim/config/treesitter-textobjects.lua
diff --git a/hosts/nb-new.cloonar.com/modules/nvim/config/treesitter.lua b/hosts/nb/modules/nvim/config/treesitter.lua
similarity index 100%
rename from hosts/nb-new.cloonar.com/modules/nvim/config/treesitter.lua
rename to hosts/nb/modules/nvim/config/treesitter.lua
diff --git a/hosts/nb-new.cloonar.com/modules/nvim/config/utils.lua b/hosts/nb/modules/nvim/config/utils.lua
similarity index 100%
rename from hosts/nb-new.cloonar.com/modules/nvim/config/utils.lua
rename to hosts/nb/modules/nvim/config/utils.lua
diff --git a/hosts/nb-new.cloonar.com/modules/nvim/config/which-key.lua b/hosts/nb/modules/nvim/config/which-key.lua
similarity index 100%
rename from hosts/nb-new.cloonar.com/modules/nvim/config/which-key.lua
rename to hosts/nb/modules/nvim/config/which-key.lua
diff --git a/hosts/nb-new.cloonar.com/modules/nvim/default.nix b/hosts/nb/modules/nvim/default.nix
similarity index 100%
rename from hosts/nb-new.cloonar.com/modules/nvim/default.nix
rename to hosts/nb/modules/nvim/default.nix
diff --git a/hosts/nb-new.cloonar.com/modules/printer.nix b/hosts/nb/modules/printer.nix
similarity index 100%
rename from hosts/nb-new.cloonar.com/modules/printer.nix
rename to hosts/nb/modules/printer.nix
diff --git a/hosts/nb-new.cloonar.com/modules/steam.nix b/hosts/nb/modules/steam.nix
similarity index 100%
rename from hosts/nb-new.cloonar.com/modules/steam.nix
rename to hosts/nb/modules/steam.nix
diff --git a/hosts/nb-new.cloonar.com/modules/sway/directory-studio-nix b/hosts/nb/modules/sway/directory-studio-nix
similarity index 100%
rename from hosts/nb-new.cloonar.com/modules/sway/directory-studio-nix
rename to hosts/nb/modules/sway/directory-studio-nix
diff --git a/hosts/nb-new.cloonar.com/modules/sway/foot.ini b/hosts/nb/modules/sway/foot.ini
similarity index 100%
rename from hosts/nb-new.cloonar.com/modules/sway/foot.ini
rename to hosts/nb/modules/sway/foot.ini
diff --git a/hosts/nb-new.cloonar.com/modules/sway/parsec.nix b/hosts/nb/modules/sway/parsec.nix
similarity index 100%
rename from hosts/nb-new.cloonar.com/modules/sway/parsec.nix
rename to hosts/nb/modules/sway/parsec.nix
diff --git a/hosts/nb-new.cloonar.com/modules/sway/rustdesk.nix b/hosts/nb/modules/sway/rustdesk.nix
similarity index 100%
rename from hosts/nb-new.cloonar.com/modules/sway/rustdesk.nix
rename to hosts/nb/modules/sway/rustdesk.nix
diff --git a/hosts/nb-new.cloonar.com/modules/sway/sddm-theme.conf b/hosts/nb/modules/sway/sddm-theme.conf
similarity index 100%
rename from hosts/nb-new.cloonar.com/modules/sway/sddm-theme.conf
rename to hosts/nb/modules/sway/sddm-theme.conf
diff --git a/hosts/nb-new.cloonar.com/modules/sway/signal-work.nix b/hosts/nb/modules/sway/signal-work.nix
similarity index 100%
rename from hosts/nb-new.cloonar.com/modules/sway/signal-work.nix
rename to hosts/nb/modules/sway/signal-work.nix
diff --git a/hosts/nb-new.cloonar.com/modules/sway/social.nix b/hosts/nb/modules/sway/social.nix
similarity index 100%
rename from hosts/nb-new.cloonar.com/modules/sway/social.nix
rename to hosts/nb/modules/sway/social.nix
diff --git a/hosts/nb-new.cloonar.com/modules/sway/sway.conf b/hosts/nb/modules/sway/sway.conf
similarity index 100%
rename from hosts/nb-new.cloonar.com/modules/sway/sway.conf
rename to hosts/nb/modules/sway/sway.conf
diff --git a/hosts/nb-new.cloonar.com/modules/sway/sway.nix b/hosts/nb/modules/sway/sway.nix
similarity index 100%
rename from hosts/nb-new.cloonar.com/modules/sway/sway.nix
rename to hosts/nb/modules/sway/sway.nix
diff --git a/hosts/nb-new.cloonar.com/modules/sway/thunderbird.nix b/hosts/nb/modules/sway/thunderbird.nix
similarity index 100%
rename from hosts/nb-new.cloonar.com/modules/sway/thunderbird.nix
rename to hosts/nb/modules/sway/thunderbird.nix
diff --git a/hosts/nb-new.cloonar.com/modules/sway/waybar.conf b/hosts/nb/modules/sway/waybar.conf
similarity index 100%
rename from hosts/nb-new.cloonar.com/modules/sway/waybar.conf
rename to hosts/nb/modules/sway/waybar.conf
diff --git a/hosts/nb-new.cloonar.com/modules/sway/waybar.css b/hosts/nb/modules/sway/waybar.css
similarity index 100%
rename from hosts/nb-new.cloonar.com/modules/sway/waybar.css
rename to hosts/nb/modules/sway/waybar.css
diff --git a/hosts/nb-new.cloonar.com/modules/sway/wofi.css b/hosts/nb/modules/sway/wofi.css
similarity index 100%
rename from hosts/nb-new.cloonar.com/modules/sway/wofi.css
rename to hosts/nb/modules/sway/wofi.css
diff --git a/hosts/nb-new.cloonar.com/secrets.yaml b/hosts/nb/secrets.yaml
similarity index 100%
rename from hosts/nb-new.cloonar.com/secrets.yaml
rename to hosts/nb/secrets.yaml
diff --git a/hosts/nb-new.cloonar.com/users/configs/cryptomator.json b/hosts/nb/users/configs/cryptomator.json
similarity index 100%
rename from hosts/nb-new.cloonar.com/users/configs/cryptomator.json
rename to hosts/nb/users/configs/cryptomator.json
diff --git a/hosts/nb-new.cloonar.com/users/configs/project_history b/hosts/nb/users/configs/project_history
similarity index 100%
rename from hosts/nb-new.cloonar.com/users/configs/project_history
rename to hosts/nb/users/configs/project_history
diff --git a/hosts/nb-new.cloonar.com/users/configs/wallpaper.jpg b/hosts/nb/users/configs/wallpaper.jpg
similarity index 100%
rename from hosts/nb-new.cloonar.com/users/configs/wallpaper.jpg
rename to hosts/nb/users/configs/wallpaper.jpg
diff --git a/hosts/nb-new.cloonar.com/users/configs/wallpaper.png b/hosts/nb/users/configs/wallpaper.png
similarity index 100%
rename from hosts/nb-new.cloonar.com/users/configs/wallpaper.png
rename to hosts/nb/users/configs/wallpaper.png
diff --git a/hosts/nb-new.cloonar.com/users/default.nix b/hosts/nb/users/default.nix
similarity index 100%
rename from hosts/nb-new.cloonar.com/users/default.nix
rename to hosts/nb/users/default.nix
diff --git a/hosts/nb-new.cloonar.com/users/dominik.nix b/hosts/nb/users/dominik.nix
similarity index 100%
rename from hosts/nb-new.cloonar.com/users/dominik.nix
rename to hosts/nb/users/dominik.nix
diff --git a/hosts/nb-new.cloonar.com/utils b/hosts/nb/utils
similarity index 100%
rename from hosts/nb-new.cloonar.com/utils
rename to hosts/nb/utils
diff --git a/hosts/web-01.cloonar.com/channel b/hosts/web-01.cloonar.com/channel
deleted file mode 100644
index 425c774..0000000
--- a/hosts/web-01.cloonar.com/channel
+++ /dev/null
@@ -1 +0,0 @@
-https://channels.nixos.org/nixos-24.05
diff --git a/hosts/web-01.cloonar.com/configuration.nix b/hosts/web-01.cloonar.com/configuration.nix
deleted file mode 100644
index dc667f8..0000000
--- a/hosts/web-01.cloonar.com/configuration.nix
+++ /dev/null
@@ -1,93 +0,0 @@ -{ pkgs, ... }: { - imports = [ - ./utils/bento.nix - ./utils/modules/sops.nix - ./utils/modules/lego/lego.nix - - - ./modules/mysql.nix - ./utils/modules/nginx.nix - ./modules/bitwarden - ./modules/zammad - ./modules/authelia - ./modules/collabora.nix - # ./modules/nextcloud - ./modules/rustdesk.nix - ./modules/postgresql.nix - ./modules/grafana.nix - ./modules/loki.nix - ./modules/victoriametrics.nix - - ./utils/modules/autoupgrade.nix - ./utils/modules/promtail - ./utils/modules/borgbackup.nix - ./utils/modules/netdata.nix - - ./hardware-configuration.nix - - ./modules/web/typo3.nix - ./modules/web/stack.nix - - ./sites/autoconfig.cloonar.com.nix - - # ./sites/api.optiprot.eu.nix - ./sites/cloonar.com.nix - ./sites/gbv-aktuell.at.nix - ./sites/matomo.cloonar.com.nix - # ./sites/optiprot.eu.nix - # ./sites/paraclub.at.nix - # ./sites/api.paraclub.at.nix - # ./sites/tandem.paraclub.at.nix - # ./sites/module.paraclub.at.nix - - ./sites/cloonar.dev.nix - ./sites/paraclub.cloonar.dev.nix - ./sites/api.paraclub.cloonar.dev.nix - ./sites/tandem.paraclub.cloonar.dev.nix - ./sites/module.paraclub.cloonar.dev.nix - ./sites/gbv-aktuell.cloonar.dev.nix - ./sites/stage.myhidden.life.nix - ./sites/stage.korean-skin.care.nix - ]; - - nixpkgs.config.permittedInsecurePackages = [ - "openssl-1.1.1v" - "openssl-1.1.1w" - ]; - - environment.systemPackages = with pkgs; [ - wkhtmltopdf-bin - ]; - - - time.timeZone = "Europe/Vienna"; - - services.logind.extraConfig = "RuntimeDirectorySize=2G"; - - sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; - sops.defaultSopsFile = ./secrets.yaml; - - nix.gc = { - automatic = true; - options = "--delete-older-than 60d"; - }; - - boot.tmp.cleanOnBoot = true; - zramSwap.enable = true; - networking.hostName = "web-01"; - services.openssh.enable = true; - users.users.root.openssh.authorizedKeys.keys = [ - "ssh-rsa 
AAAAB3NzaC1yc2EAAAADAQABAAABAQDN/2SAFm50kraB1fepAizox/QRXxB7WbqVbH+5OPalDT47VIJGNKOKhixQoqhABHxEoLxdf/C83wxlCVlPV9poLfDgVkA3Lyt5r3tSFQ6QjjOJAgchWamMsxxyGBedhKvhiEzcr/Lxytnoz3kjDG8fqQJwEpdqMmJoMUfyL2Rqp16u+FQ7d5aJtwO8EUqovhMaNO7rggjPpV/uMOg+tBxxmscliN7DLuP4EMTA/FwXVzcFNbOx3K9BdpMRAaSJt4SWcJO2cS2KHA5n/H+PQI7nz5KN3Yr/upJN5fROhi/SHvK39QOx12Pv7FCuWlc+oR68vLaoCKYhnkl3DnCfc7A7" - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIRQuPqH5fdX3KEw7DXzWEdO3AlUn1oSmtJtHB71ICoH Generated By Termius" - ]; - - # backups - borgbackup.repo = "u149513-sub5@u149513-sub5.your-backup.de:borg"; - - networking.firewall = { - enable = true; - allowedTCPPorts = [ 22 80 443 ]; - }; - - system.stateVersion = "22.05"; -} diff --git a/hosts/web-01.cloonar.com/fleet.nix b/hosts/web-01.cloonar.com/fleet.nix deleted file mode 120000 index 5b16de1..0000000 --- a/hosts/web-01.cloonar.com/fleet.nix +++ /dev/null @@ -1 +0,0 @@ -../../fleet.nix \ No newline at end of file diff --git a/hosts/web-01.cloonar.com/hardware-configuration.nix b/hosts/web-01.cloonar.com/hardware-configuration.nix deleted file mode 100644 index f67b9f4..0000000 --- a/hosts/web-01.cloonar.com/hardware-configuration.nix +++ /dev/null @@ -1,9 +0,0 @@ -{ modulesPath, ... }: -{ - imports = [ (modulesPath + "/profiles/qemu-guest.nix") ]; - boot.loader.grub.device = "/dev/sda"; - boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "vmw_pvscsi" "xen_blkfront" ]; - boot.initrd.kernelModules = [ "nvme" ]; - fileSystems."/" = { device = "/dev/sda1"; fsType = "ext4"; }; - -} diff --git a/hosts/web-01.cloonar.com/modules/authelia/default.nix b/hosts/web-01.cloonar.com/modules/authelia/default.nix deleted file mode 100644 index 70ff56a..0000000 --- a/hosts/web-01.cloonar.com/modules/authelia/default.nix +++ /dev/null 
@@ -1,281 +0,0 @@ -{ config, ... }: - -{ - sops.secrets.authelia-jwt-secret = { - owner = "authelia-main"; - sopsFile = ./secrets.yaml; - }; - sops.secrets.authelia-backend-ldap-password = { - owner = "authelia-main"; - sopsFile = ./secrets.yaml; - }; - sops.secrets.authelia-storage-encryption-key = { - owner = "authelia-main"; - sopsFile = ./secrets.yaml; - }; - sops.secrets.authelia-session-secret = { - owner = "authelia-main"; - sopsFile = ./secrets.yaml; - }; - sops.secrets.authelia-identity-providers-oidc-hmac-secret = { - owner = "authelia-main"; - sopsFile = ./secrets.yaml; - }; - sops.secrets.authelia-identity-providers-oidc-issuer-certificate-chain = { - owner = "authelia-main"; - sopsFile = ./secrets.yaml; - }; - sops.secrets.authelia-identity-providers-oidc-issuer-private-key = { - owner = "authelia-main"; - sopsFile = ./secrets.yaml; - }; - - services.authelia.instances.main = { - enable = true; - secrets = { - jwtSecretFile = config.sops.secrets.authelia-jwt-secret.path; - storageEncryptionKeyFile = config.sops.secrets.authelia-storage-encryption-key.path; - sessionSecretFile = config.sops.secrets.authelia-session-secret.path; - oidcHmacSecretFile = config.sops.secrets.authelia-identity-providers-oidc-hmac-secret.path; - oidcIssuerPrivateKeyFile = config.sops.secrets.authelia-identity-providers-oidc-issuer-private-key.path; - }; - environmentVariables = { - "AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE" = config.sops.secrets.authelia-backend-ldap-password.path; - "AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE" = config.sops.secrets.authelia-backend-ldap-password.path; - }; - settings = { - theme = "dark"; - default_redirection_url = "https://cloonar.com"; - - server = { - host = "127.0.0.1"; - port = 9091; - }; - - # log = { - # level = "debug"; - # format = "text"; - # }; - - authentication_backend = { - ldap = { - url = "ldaps://ldap.cloonar.com"; - base_dn = "DC=cloonar,DC=com"; - additional_users_dn = "OU=users"; - users_filter = 
"(&({username_attribute}={input})(objectClass=person))"; - username_attribute = "mail"; - mail_attribute = "mail"; - display_name_attribute = "cn"; - additional_groups_dn = "OU=groups"; - groups_filter = "(&(member={dn})(objectClass=groupOfNames))"; - group_name_attribute = "cn"; - permit_referrals = false; - permit_unauthenticated_bind = false; - user = "cn=authelia,ou=system,ou=users,dc=cloonar,dc=com"; - }; - }; - - webauthn = { - disable = false; - display_name = "Authelia"; - attestation_conveyance_preference = "indirect"; - user_verification = "preferred"; - timeout = "60s"; - }; - - totp = { - disable = false; - issuer = "auth.cloonar.com"; - algorithm = "sha1"; - digits = 6; - period = 30; - skew = 1; - secret_size = 32; - }; - - access_control = { - default_policy = "deny"; - rules = [ - { - domain = ["auth.cloonar.com"]; - policy = "bypass"; - } - { - domain = ["*.cloonar.com"]; - policy = "two_factor"; - } - ]; - }; - - session = { - name = "authelia_session"; - expiration = "12h"; - inactivity = "45m"; - remember_me_duration = "1M"; - domain = "cloonar.com"; - # todo: enable with 4.38 - # cookies = [ - # { - # domain = "cloonar.com"; - # } - # { - # domain = "cloonar.dev"; - # } - # { - # domain = "gbv-aktuell.at"; - # same_site = "strict"; - # } - # ]; - }; - - regulation = { - max_retries = 3; - find_time = "5m"; - ban_time = "15m"; - }; - - storage = { - # mysql = { - # host = "/run/mysqld/mysqld.sock'"; - # port = 3306; - # database = "authelia_main"; - # username = "authelia_main"; - # password = "socket_auth"; - # timeout = "5s"; - # }; - local = { - path = "/var/lib/authelia-main/db.sqlite3"; - }; - }; - - notifier = { - disable_startup_check = false; - # filesystem = { - # filename = "/var/lib/authelia-main/notification.txt"; - # }; - smtp = { - host = "mail.cloonar.com"; - port = 25; - username = "authelia@cloonar.com"; - sender = "Authelia "; - }; - }; - identity_providers = { - oidc = { - ## The other portions of the mandatory OpenID Connect 
1.0 configuration go here. - ## See: https://www.authelia.com/c/oidc - clients = [ - { - id = "gitea"; - description = "Gitea"; - secret = "$pbkdf2-sha512$310000$ngFGgCoDClB0xPLxxMJ.Qw$hFuXXizjiC73gZtwi2bPBHzpX8/1GmR8ux1aAz9esVhPEgB58d/vB2jLFKyc13mFJx7qc0ErIdla4/K0CsvM.A"; - public = false; - authorization_policy = "one_factor"; - redirect_uris = [ "https://git.cloonar.com/user/oauth2/authelia/callback" ]; - pre_configured_consent_duration = "1y"; - scopes = [ - "openid" - "profile" - "email" - ]; - userinfo_signing_algorithm = "none"; - } - { - id = "nextcloud"; - description = "Nextcloud"; - secret = "$pbkdf2-sha512$310000$UqX35Fh.7uTZLQqD.mk5wg$e139D4g9SGUFc.ZdKt3RAZljC8A7C9nixUQd7rQoHFMKop643SuwfazjNn0ehdyAjydM2zV.KzKnMLgSajo.xw"; - public = false; - authorization_policy = "one_factor"; - redirect_uris = [ - "https://nextcloud.cloonar.com/apps/oidc_login/oidc" - "https://cloud.cloonar.com/apps/user_oidc/code" - ]; - pre_configured_consent_duration = "1y"; - scopes = [ - "openid" - "profile" - "email" - "groups" - ]; - userinfo_signing_algorithm = "none"; - } - { - id = "grafana"; - description = "Grafana"; - secret = "$pbkdf2-sha512$310000$TP7.qfcevrHJFGcIMdZgGw$mLQ.AC5M28ETouxyiCeRkenQuKPvH0.oF1exp6LXBpleV56PI6sWrwmBgD7sMsHrMbkvCX4lNPx0vMf0urVpYA"; - public = false; - authorization_policy = "one_factor"; - redirect_uris = [ "https://grafana.cloonar.com/login/generic_oauth" ]; - pre_configured_consent_duration = "1y"; - scopes = [ - "openid" - "profile" - "email" - "groups" - ]; - userinfo_signing_algorithm = "none"; - } - ]; - }; - }; - }; - }; - services.nginx.virtualHosts."auth.cloonar.com" = { - enableACME = true; - forceSSL = true; - acmeRoot = null; - - locations."/api/verify" = { - proxyPass = "http://127.0.0.1:9091"; - proxyWebsockets = true; - - extraConfig = '' - allow 127.0.0.1; - allow 49.12.244.139; - allow 77.119.230.30; - deny all; - ''; - }; - - locations."/" = { - proxyPass = "http://127.0.0.1:9091"; - proxyWebsockets = true; - - extraConfig = 
'' - client_body_buffer_size 128k; - - #Timeout if the real server is dead - proxy_next_upstream error timeout invalid_header http_500 http_502 http_503; - - # Advanced Proxy Config - send_timeout 5m; - proxy_read_timeout 360; - proxy_send_timeout 360; - proxy_connect_timeout 360; - - # Basic Proxy Config - proxy_set_header Host $host; - proxy_set_header X-Original-URL $scheme://$http_host$request_uri; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $scheme; - proxy_set_header X-Forwarded-Host $http_host; - proxy_set_header X-Forwarded-Uri $request_uri; - proxy_set_header X-Forwarded-Ssl on; - proxy_redirect http:// $scheme://; - proxy_set_header Connection ""; - proxy_cache_bypass $cookie_session; - proxy_no_cache $cookie_session; - proxy_buffers 64 256k; - - # If behind reverse proxy, forwards the correct IP - set_real_ip_from 10.0.0.0/8; - set_real_ip_from 172.0.0.0/8; - set_real_ip_from 192.168.0.0/16; - set_real_ip_from fc00::/7; - real_ip_header X-Forwarded-For; - real_ip_recursive on; - ''; - }; - }; -} diff --git a/hosts/web-01.cloonar.com/modules/authelia/secrets.yaml b/hosts/web-01.cloonar.com/modules/authelia/secrets.yaml deleted file mode 100644 index 8b3893b..0000000 --- a/hosts/web-01.cloonar.com/modules/authelia/secrets.yaml +++ /dev/null 
@@ -1,45 +0,0 @@ -authelia-jwt-secret: ENC[AES256_GCM,data:+4mCRAbPYeuxZwPxIWdzym9M0soVRJGZOHpBLFp1dsienOes6PcF6DhkzLwx1g/2KYQBrWq5QtNyysLkl32mNg==,iv:3354Ww7D1fQAVZh8xlJo3W9VaLTC6sUxXpNzwFYGZPg=,tag:NjPuHi4R+I3CJ09ZbV1Cbw==,type:str] -authelia-backend-ldap-password: ENC[AES256_GCM,data:AJ5/lQxxQ0PjPpja4Lm7Qbn4rrZ/fapFeTO9nXsXpYC7cSgPDmGL4LG6QTFrgHpJU4FGEyFhWUYf/BZvHFLA2A==,iv:/w3SlYC74vSV/hkOdp2wb50beSTaokQC9C1ogs82nxo=,tag:b5M78WOUgHcydoJTKiAAOQ==,type:str] -authelia-storage-encryption-key: ENC[AES256_GCM,data:I3ek+p0faJUUjS3ULeeLzsrsl03MKlHwrC+R3IqrJ2P9AbJmMBvvXnqLx2H2THkjGiqN3kLgrhnmInn+BnCgYg==,iv:EiZpXbkyC3tbdzcp20hV6ctAJdB9tlgxT3gI7wiqSZc=,tag:qqG02RJAizr2jlGV0JnStA==,type:str] -authelia-session-secret: ENC[AES256_GCM,data:+hljRSv4nABWg+vEOhYM27h9Gu1FCqcWWa51VqlN1r8AE79S78Uq2txWL7bZKql/fxmaguTLwk18xkHIAvIEsA==,iv:RoytV5jWIUDq6olp8rWAc0NRC4f1FLL43EpTzcXZ3eg=,tag:vIvDVRSqlVt/W/52vuDDZA==,type:str] -authelia-identity-providers-oidc-hmac-secret: ENC[AES256_GCM,data:yyqauvp+/8ufhCaZ1o0DWn4Nx1rdTW8C1HRVAtyCRuBaQA/yFVmZkwFVbnIDC3TrmuEMc2MXzVCREbdDsEqkGm6LJAB4Eq31NyhhbAtKufeqKHhMgEF4d41K71V//FJn2/ZBY6CaR1Ke0rX3p/Rpwk0rwddikkUmdJ7i7w9ayP8=,iv:ONBU0uWEUeQxQCGmHtGOySuLmTnJlAx//lQcK32i1Gs=,tag:Tk2BbYZSqbJRc/2cj8yxHQ==,type:str] -authelia-identity-providers-oidc-issuer-certificate-chain: 
ENC[AES256_GCM,data:oQwBKE0VjTIKYWOGKFtLwkOkjTh16gf5lJvMEEVs3Sy/+gmyGGmnDHm+xv9aT7Mmq9wSM7SVBe39yT5K9bUd0vGXO2Ze5V55B+B+9bAPKUL4rPNQAeSy3QCJPh6EoG3urDD/HUklV8QCprgTlokdgVgY3fv3be2Y1oOdiZDvbacol6OlcRXSi8ZqMro+f15e44j8NGhzsSahhzOLtmiRGLr5zWnzk8b221HZWtjSdG4rLrtcCZ1UjvvUX5pf8J5PI/9X4S6J7pglG+IlI0WGSHvQ9BXGQqWgmWky/3+hnC/B3ZPm3bz5CqMHzsdx/QmiCtQQf08GOoan/3rgp3pAu5J5TPDldnzEQkWPjciOMp4ewlu4nC1AViat7DH8wFtV9IpixEZm3fMidpPBpkTTRZMCy6AstNlPMvvvRDN/6nJypN++gvkBw3OJac2xBdtbdF5uC9nIrZqWENLnOn4623/C8yJJ8a2l1W1FF95hHiZDQKua+kB4CfFJSFxhtcWj3vcCzv7QIGHZPTIVn+aCozb4CdOegLswCuY9g5ncHfOnqIhSCY3Bc2xbd5GO7kVRvqT79abwHsAdArdDJAE4Fq3mNJG9/fy0N31GW4qKMTb3W5EgEt/2OtfsUn8MwHJV9BGPMeZhpn9hdzkXo9vmakVMKNoK4SEgZmFiKCj/uwhwdvJfYMRvl/n1DSpy8mxzKWt1IO9FD5HRUhkKeas6spOSyzbi4FTJJmJb9NQ5gzAcfTXs8C49S/DSocRwUHvQMvRIRZzBejxFKdnwGxwIJiVDY/04FWAjMR4HgxkCBvo9x+CxajnCw/S9g02uY85vxW1ZURi9wUK9Q9nbEyMu1IGWadhVO6fKvqWr9rVZ6tqqJ7FP81LKca80nkY+6Elec6l6u01Lzb4pLA6MFLyJbCE97+Vmoh056N73RNapWP6G3Txs2CvtzqWdup0J4xpwAxoEqVlnkBQ61abucZH9veMoq4gvxM90S+bBX7c6A+FYRha/PXovRL/SZWEfuKlVDeLQyb2IwQ==,iv:jhnNkcLXN3pHx6S8g78+R6X+ckhOF35QK615zcH2gqI=,tag:JSHDo9nbBbhpiQFSrLuDdg==,type:str] -authelia-identity-providers-oidc-issuer-private-key: 
ENC[AES256_GCM,data:Et0DaniERibvBeRBmJR5zsBXRpB4yAjQpLRlJc/8+sSZ1RymDelD689/7ETe1QwBZzOxJf35dMbjBmUjcpcxl7iLiujVtd4DR8hirAwYv1HTk4WLbrTOuVhX9O/yWcdfnrn4e4MlBme54HLkeKt5F9xQ+/XvRPkuY+E+zlVd9K2rgdKuPRB4GSkW8AH55P10ts4ICN7hayFLfKWRNjs2LR3JtE/cRppe6Gse61/CG7HWlAlcTYddpYUbIGIaB9yrW3QcV11sTuJ9KpuU/jE6i/0dOosYqPLVUfShMjjnnpnk1wYmaL7F5Ibljk9g1Fzqm1Vwl/S98PYYgt98zOAuMo9djogORpI7in5tV+JoT5V/Lk3Uq3MvkalpdHJShVHUuuJPMMaFjlONS0y2ZYTyWasrwGI9KUYoKtWq5oqrHJkjtWNSagJqRMPBNK/RRtiIxBWwsWMpIlUcks/rZF+CiHKnm/Zb6a+dNsdhqz3qVCI33ry5Wmy6YdTaDBPWv3iFXLz0skVMXCN5vV7PQ86c6yRbEo5HzGdJxxdIacTZ7JLzECPS2MuWGoTKH0VwQgx3qvuMyi0r7/1VwCBGjZkO6vxie5yYlMA1AveepE+8zxCSbLuUMzC5DDVYk98SH2qNL5BZXm2mkRXxBXkQ37SOtnONNqYwvRD9wNWpSBkIumgRG3k3NEcwPwLnrCgNAlev4sXG+DUDgHy4SZ518shGkafUNncst9odQaGvx5EeSD3ItjRptFuPSU554ZZy8bV3wau8enzRP2R47sSg7jW+y0NslCwdVam2SpiXrgqeghplQCNP8uS1Py3DFf8pDOIy/9gV3kjPEOs/RNbv/2bIS20lQbEoMOotk8BHeM5/QytrArnkDcfB4d7FPWRT/Sw2imLQ8A7Q7PidhwEuugfWI6HjSW2bsW+zSf/gdG30ragEgkW9WpTAD6rbLdLdYMYa233zs9b/K6qYAoqEVjJWc+OnCTZ6PTr76Gq/kaIrJ3UlWNJadgCSNMkVs7vNYnczwGQJiaqTnAaB2yuXkIAsC6QIf83G6Z9nw5kFoyWZR5Eytfl/uU9lxv4TrvLtfEqJrdaaYXdAfefpZKmFrQJMeyoJj3ven0j61qmIiBDbkoYkNaBWQJl/mOy+lJ8J2ZaQ62cqVQCFkpcrAWdaxEHCrTu1djfCOGVqQ5d5o1E/GQiAAVgRBQtgv94PCIeCurAUtoWumfBF1wi0h1HMdJd8yZ6MgGXpPoOIZcWc1SRGkNVuoiobdfXO4fyNcJAM+XnOfJ4xO17PhnwBbaM5ECX1TRKbEyc5V36QfD5Fo/VaVOFIDt0KfxIHUxydxa83RpEYV4s13C0I+/hoULtNIDl9KNxaaT4Klq/6HL2jIaCwlRNlb1mc1lhkgaJobXygi/8iW2yyPIoSZQJKsYZhlildGTBlxrlhSDZ+3Dy1RAIRO+cvSr5/eM44xgV8DUs+z9nb+j3Kefl7qn4QBNIEWZkTcLokw/qp58O1EK/h4vays37A1628wfuCDOBSBOPZjtuX9jFg64tcZWZ6rwlVRd5RsMq9iW9MoGcfHvN6DAYTifEs7yiwZdng50OHu1k6/UJ1/LI1mVx7r+//S3rd88fQa76uosBuN5XqDrQiK+iPj3E8rThMJkeR7Hh0yUrkGBAJCs140yFTJeSt+vr6CsqSLy2RR7tb1C2wNm40F7N37Vi1rHm5jzSakm4TPd6aY3kqis6nXavnxUQHO3BKnx0ceQVoz8jqIiy1mjzVwafAn6s/ap6Fzv+sNc/zs++Mod59YnGyqKaeOkoAcmVuWgV7l4VHf1Q/K3o5ri14CHpSqkjBlL9zD3Lh1B0cQNCwHJeIKAgm+1rCpuzx45QeV/MAwWJ6/o8PjHVPm9dQG5nXEPFJA0X4lNKGkRb5wwMsXRf6RC41vvhvbD6pFZ5TCrMX/IW2ym0hOm9Trswm6SlnyLsPtAYB4SdVJxuwqy8g
qPpogCm+vgsobIcs4cVAeK3ZW4ikWnSNowXJFeqjQY7ZuO42Anzddn+dodVw923KfVKJTBDK4lDQp5QrWjukbYFK33AIE2vaeJ3mqkJxzmJ027L4w0gQeaUuxh9sOKgxG7xCkzkG0HbIMuIA9E6yBCHNSwj0daB3SRrbxIEMF7F0DI3Lw0dlS4SxJ9ucJoySD1pBENuVm7bgWcY+pL5iJlkKAbVJOEk3cGJ+37XgXDkQHsNF/mxNaIxZ2losxv8GQEuldAxjCXM2hGgOF+64ccxSdH4T/OZtAmAprcB377/tJMuOXrsjMknT77FShgtRfyIzX0cJTPvuvhnswcFj9gr/1REkTkz5XL4fQx8ik4MEbEN3jiDdZEwSW5wjKuuHIZhDt+AnTqHIQZq2SdJ9g2P/36UMzWKfweRe8i7yJ/FRyqVDn63mimyxb12ZB1CkNuNe64yEVsRQvZZpYVLVhzcJrG+nNZXnCne2rFLxl3jRG2y2dgcvl1hmxYGSEFSh1scVt+d0gUmfi0u2MxX0swBpzTFlMwx2hz6pFvnl7jMCeZSitQVRw0VSaaqGeH6ZQIyEKkk8myovbV/PWn3gqcMs5L8Grm6myluBbxuaH/F7xMQadleGSft6iE0/EXoNfLWwQqNj20uuPVmF/UIehUYApHoGpYujFPFKGEdjjCGcdRYpGtlmGmaCPfc4oWJ4GjeLI6VePVhRhM+iyb+zPv8V4SltDfqih/Txs6kfsnOQ0KpjnMSobLX70xV1tm/sxAtqAzJ5I4QtX8EQaWR/rb5VIikAxuQ8yJCii/RFcSd0ss4+4vhGlOHAT1t7+lH0bnTaiUWfm169l+B01JJO8Cz3muJVC/f+PIJUNP5VHgNDUeMDB35USCxnU/0bLlxEuYHtTMLqSabU/bv6YchKZFjSlFHGFXdAEDgQ2HYi9FY1F657dvNqrGO2AwHVdeX8RSiorRlNyeb80NqyASsx6MSWPDWYtVjpD7zHXVlWDLcMVkGwvX4RtJZF8wlXR/iEur8iC+v8g2w7iG2hZD1TFmkJsn/ira4UYLzPxYNAzl4BH5sB5BUJ8GCZrHwV8dny/FTQAwtYNq7TwnAi+2dwhWF7DgX0T6fVD/utyLK19+Aash6h4TX8Y1U345l4r+ADfUfQ3d/B0m6wFEgSD60kOv6wnnYbJEbFAZ2BZEwhzeyEacQjxHceyQg256GiCvRDHX4jonyZm3Vu6kCUNWYaRCKQJY5OyL9zRF9pFsCqqkNEfvDqmjPUjXcO/xarkjjdQz4y4gsPqovhtVi0GuExxhfT1KcJk6uzS1NiX0yBi/s22cI4WLmO/QNHXeUoi0Lbw/XUwj6krNMYrvqofUOqM5tK7BpmplxzMFJeB+mhDXLfpyWAS7Yq1RfHLmnA0OBYu7MQ3UB/zZ7zGcpnAT42MlQ20M7bXCpEBaAaPzlXky9bogNEVkwoOMtVHYzQnucTAKRYzb1PnlA+GMBQpxL27IAn2EbwXNLRwSVh0lgRQFb/94J4TV09CeR5hkKMi5WaCFy50utlLL4gHDg11oNGbu0vseB1AmxzbRExW5qJ87a0A0/ECLOoo2vlgnMJECB6MYNe2na1aTOiOUpI8rArj2fUjVjAlNrUpFWIug2C+b2/I43K8Sg4Tc3ZHcrywHQ4xt2IQeeysUP8C9lHEQW2q4sF7iMujSD1Kzu8bYyCzW2AJuTJCj5psbwlag4ezwmgXpJGsC+yLrCuA/BHzrUDadoBuofNQq7tFKTGDWlN+IfkI0PY5sxMVSbm/5NSWBR060QLDq6XdKOYnzR4oI3mm1NXY4+OrVEJBXqD6zAa7ECLKo+sHBt9uL4CfEfLVNhAi2bmfauPzBZ3NiNeqoneoU16AjGNHiADLyrdRQHmWLzm1xnVmCjtpn3hPnF4AwPYKSf2ALkqHR0UpMWCzRztJGLuRG1EUpD39DgbJOQujyNLU/2g+YdZbixeD6oJ5j+l0gG7+CaumkHGsj2u
hEpV1Hq8TKHV/O8I3LkF634Zu7NGaX5xP+8cOYfk3Kqm/V/u2AmMKOCU3AXHK43KhIZvEZYhTRfkICFCbdYE5co6zcvQ6Irn+wSlc5J0ozSrm0fQcFdQAMbf0odwe5VoMb66m6EngoL/VAYRJZtrmPBKUZLELRIcOXv/Nvz4oiEw+NV5u5MyKKJA2Tb6FxOPZdAf339oMCMmN/sUA9fBJ6dvzuDkVNCH5qZzlKWVq/DkZZr3TGA3cbU9FKLNKPrBpBaCdCtrjbaw2YB3HWAky/Qcmx97dRRZGcn7HvMtRnZfBbbFxYVGtgoGcaVZYyz/J4zuibpZcxdNLhu4jeJpMkX4,iv:PWdVLhu0BPx7sXMzow9wl+cqDXD2Y5J5lfVSX3tNCMg=,tag:P4vHogedMdAUeIh4XHlmdw==,type:str] -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age16veg3fmvpfm7a89a9fc8dvvsxmsthlm70nfxqspr6t8vnf9wkcwsvdq38d - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHWkRuWXdaQ1RUbkF1d2p0 - elZkbnFVSW9tVjdqSHFvbjFiL202cW1tWjJ3ClpDUEFIMDFteFA1QTdTVmtVWHI0 - OFRuU1Fockh4aTBwa3l3ZjdiMFFYSm8KLS0tIGdCZjZNVXNVZWV3ZlJzY3ZyZXhr - WFp1eVZna1VWUUZuTVY4Q2h2c0Y2ZDAKcglSV3UBoZ65+SsM+zRFJmjIH61jXbT0 - rpeJ8/0i4THmVpbZY+NOIh2zECmzBkAA06jv0jMoftL40h2wsdgncg== - -----END AGE ENCRYPTED FILE----- - - recipient: age1v6p8dan2t3w9h94fz4flldl32082j3s9x6zqq7u5j66keth9aphsd6pvch - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBna282T2hYcDl4UWFISDVL - eE42MjVxZndUVEU5bjJwUzdHU2xHNXVNRW13CmZwUmdCWDFNVmdDbktwOXBIbzNZ - eGgrZHQwMEdRSG11aWpoSllrcjBBY2cKLS0tIFBZRUdYVUhsbFZYV0w5T3RYc0Ez - RDJZcjA4VFNadEZCUmpOVWRBdGNKMzQKhhQCbeRxDvhFVsF3G+OoXo4i+koqqgrV - o/esYoxA1ZNsS9mhFbfMw1C2YO43iPtaWChAO5zUABDALD6dJ1Rf1A== - -----END AGE ENCRYPTED FILE----- - - recipient: age1y6lvl5jkwc47p5ae9yz9j9kuwhy7rtttua5xhygrgmr7ehd49svsszyt42 - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5ZUJuMnNwTGpSdVA4UXV5 - bkdGTWJsRjliMGJWcXBKekc3WDZiN0FWV0MwCmZIVld4M0xaWWhmUDVqSGcwbGpz - S0kzQy9scDRObS82WkMzYUw2dVBaWXMKLS0tIGpkeFZqdXIrY0lFdUgwekNJeDN4 - eFhnWGdoTzdyZmtjZDJBc3FveTRaN0EKBj2hSr6qDxwW+k5hox47P5uyoHQAzCjH - +TplhMUd5p8/ud3U4lixLezGu1qftVSKtz/4SAXrSC5DYZJF1w7tDQ== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2023-08-17T01:43:14Z" - 
mac: ENC[AES256_GCM,data:zcCKk+VAddbb4vZltdC6hKPAnoo4rvcLcmIsKATQekbVo9OUk5Q5JnxglgAxXyj/YMZ7tIY/IXoWdSW4Kw673vthVnWpGLnuHtXJFGslkQ+GEkIt0z/oepr33gXErsEolZ3rIx02CVsIK5tb38ol0DhAe+6dUihsi23HruMJNog=,iv:2RVGRBTgqR9YLrRpoxuN72NOcXvRlZVTaPNiU7l75w0=,tag:lr4/sBBE9F27II289OWUNQ==,type:str] - pgp: [] - unencrypted_suffix: _unencrypted - version: 3.7.3 diff --git a/hosts/web-01.cloonar.com/modules/bitwarden/default.nix b/hosts/web-01.cloonar.com/modules/bitwarden/default.nix deleted file mode 100644 index f9ce977..0000000 --- a/hosts/web-01.cloonar.com/modules/bitwarden/default.nix +++ /dev/null 
@@ -1,114 +0,0 @@ -{ - pkgs, - config, - ... -}: let - ldapConfig = { - vaultwarden_url = "https://bitwarden.cloonar.com"; - vaultwarden_admin_token = "@ADMIN_TOKEN@"; - ldap_host = "ldap.cloonar.com"; - ldap_ssl = true; - ldap_bind_dn = "cn=bitwarden,ou=system,ou=users,dc=cloonar,dc=com"; - ldap_bind_password = "@LDAP_PASSWORD@"; - ldap_search_base_dn = "ou=users,dc=cloonar,dc=com"; - ldap_search_filter = "(&(objectClass=cloonarUser))"; - ldap_sync_interval_seconds = 3600; - }; - - ldapConfigFile = - pkgs.runCommand "config.toml" - { - buildInputs = [pkgs.remarshal]; - preferLocalBuild = true; - } '' - remarshal -if json -of toml \ - < ${pkgs.writeText "config.json" (builtins.toJSON ldapConfig)} \ - > $out - ''; -in { - imports = [ - ../../utils/modules/nur.nix - ]; - - environment.systemPackages = with pkgs; [ - nur.repos.mic92.vaultwarden_ldap - ]; - - services.vaultwarden = { - enable = true; - dbBackend = "mysql"; - config = { - domain = "https://bitwarden.cloonar.com"; - signupsAllowed = false; - rocketPort = 3011; - enableDbWal = "false"; - websocketEnabled = true; - smtpHost = "mail.cloonar.com"; - smtpFrom = "bitwarden@cloonar.com"; - smtpUsername = "bitwarden@cloonar.com"; - }; - }; - - systemd.services.vaultwarden.serviceConfig = { - EnvironmentFile = [config.sops.secrets.bitwarden-smtp-password.path]; - }; - - systemd.services.vaultwarden_ldap = { - wantedBy = ["multi-user.target"]; - - preStart = '' - sed \ - -e "s=@LDAP_PASSWORD@=$(<${config.sops.secrets.bitwarden-ldap-password.path})=" \ - -e "s=@ADMIN_TOKEN@=$(<${config.sops.secrets.bitwarden-admin-token.path})=" \ - ${ldapConfigFile} \ - > /run/vaultwarden_ldap/config.toml - ''; - - serviceConfig = { - Restart = "on-failure"; - RestartSec = "2s"; - ExecStart = "${pkgs.nur.repos.mic92.vaultwarden_ldap}/bin/vaultwarden_ldap"; - Environment = "CONFIG_PATH=/run/vaultwarden_ldap/config.toml"; - - RuntimeDirectory = ["vaultwarden_ldap"]; - User = "vaultwarden_ldap"; - }; - }; - - 
services.nginx.virtualHosts."bitwarden.cloonar.com" = { - forceSSL = true; - enableACME = true; - acmeRoot = null; - extraConfig = '' - client_max_body_size 128M; - ''; - locations."/" = { - proxyPass = "http://localhost:3011"; - proxyWebsockets = true; - }; - locations."/notifications/hub" = { - proxyPass = "http://localhost:3012"; - proxyWebsockets = true; - }; - locations."/notifications/hub/negotiate" = { - proxyPass = "http://localhost:3011"; - proxyWebsockets = true; - }; - }; - - sops.secrets = { - bitwarden-admin-token.owner = "vaultwarden_ldap"; - bitwarden-ldap-password.owner = "vaultwarden_ldap"; - bitwarden-db-password.owner = "vaultwarden"; - bitwarden-smtp-password.owner = "vaultwarden"; - }; - - users.users.vaultwarden_ldap = { - isSystemUser = true; - group = "vaultwarden_ldap"; - }; - - users.groups.vaultwarden_ldap = {}; - - services.mysqlBackup.databases = [ "bitwarden" ]; -} diff --git a/hosts/web-01.cloonar.com/modules/bitwarden/secrets.yaml b/hosts/web-01.cloonar.com/modules/bitwarden/secrets.yaml deleted file mode 100644 index 4b4c3ca..0000000 --- a/hosts/web-01.cloonar.com/modules/bitwarden/secrets.yaml +++ /dev/null 
@@ -1,42 +0,0 @@ -bitwarden-admin-token: ENC[AES256_GCM,data:nCj7kwQHTwezG3hh5J+c2MmUXwlGpdNjeh4A4SK/wgdBroAAghMSTuT6B7sjPgX5PmyBpzspdI3XqVUoBHzL6g==,iv:11C/ScaTqI1VlBSd71TA2cZNAu/wSbOs6rnDTlKlPsI=,tag:8eD0VkJn/KZ49yMe4D/MrA==,type:str] -bitwarden-db-password: ENC[AES256_GCM,data:4l3ntOHX4pdiUzfSqOwzObgMRp9eS5fjze6rJu1h3kKr/g/lsESLWiIHUoguixaNmoPU2zy42jEDvhXII6R+1g==,iv:mEMGGGyWerJaAvo7ymNfkR1YgTG1ieB3n40BB6L+UM4=,tag:iRd88BjFMMht9Ku9K34SXQ==,type:str] -bitwarden-ldap-password: ENC[AES256_GCM,data:g6tp0NzXk3ZJTGKHSzFxVZs4DhauzPS6SGW99WFX/CO0Wprgp9lh/evI6T56g2YhIv/3jqNSmi+p1FwdOzValw==,iv:mHMlhJx2aKLLkrPy+Z+/6plS/uMiK+xhYk/PF5m7+wQ=,tag:BgRNstiVnN95/pSX0DYfSw==,type:str] -bitwarden-smtp-password: ENC[AES256_GCM,data:4ruP8yMeTG5A19Oyvv2MBTj2LwecwwYc8BBU1xDT2i757orCNrQHJd0VLtzynluS9ge4vAU7G8islKwR/IIDGsEq74//CxJIyXyH9XLBfc5Jb2Rs1uz/Nz2uCWOCqm1AZ2/8uxXOPPNVhKcs3wxOLbLnA3Yzh+VFKsKIO753FkKllpFbeZanhfD2/N4fAGU4C5F+0HcrLBLBGC3X/CfQyPUSio1uwWPxRJR94DlRdPq+ir4YXHW48Mw/33lJZ+HqApk1Nf+gmTff7XTib1d44ac4JR8m20D8qOQ2Y9vfqJOxD7/PdgeqRLXN3K1PaSDE7JkWoiE0dM3vJ0q+Pqf47tm/xT4qaJvqI0jLXMwqmUg=,iv:TiZrLMPx9UbUf/4zKmRWTERM8phtyTX7Q3dCFqn+Ew4=,tag:55tuxMBWu6WpT4BllKV+pA==,type:str] -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age16veg3fmvpfm7a89a9fc8dvvsxmsthlm70nfxqspr6t8vnf9wkcwsvdq38d - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTVzQvK0VkUzh2MDhzSm5Z - TWlYVHNQQk9sbTkxT2JtUVFTQ01xam1FSFJBCjh3QUN1VGhCakJlR3QrZCtkdWpk - RGtGbEM0c2xUTlJiWktrczA0eVlFMm8KLS0tIFNnM0JpcHNrdFBadkpLZTZaY3VQ - ckYzWldIN01TZ3dKYmhIU1ZqK3NGWE0KvVTpNRg7RN0jKBDEDf0U+52I17+A3Gkl - 1VGxCmO87cBPcxmfnxoAdpabqCV9l784YHkQsW3Z0gicr0392m78Rw== - -----END AGE ENCRYPTED FILE----- - - recipient: age1v6p8dan2t3w9h94fz4flldl32082j3s9x6zqq7u5j66keth9aphsd6pvch - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSdURKWGg1dFk2MEFzVS9q - NkNReXU3RkNHaUUvZ0RMTXNVbkI5bDBwbHdzCjY2Rm1PMitteVBZQW1xMGxYMlFH - 
djJLSGtFUElsaTBETk5EZzgzMGh2TmMKLS0tIENJUUlWTmhMT1dlVWRpdmYwQnFi - cW02R1F0M2djcExEeVRUalp4cnRzY28KoFN3BS4C/xqoHeD3Is0AfRJlWRJQ/i5z - rFV9USYsD23M+tdirbVgCfaSBl5RZXB4SpNFiG3QjhmQ04JuIxuHQg== - -----END AGE ENCRYPTED FILE----- - - recipient: age1y6lvl5jkwc47p5ae9yz9j9kuwhy7rtttua5xhygrgmr7ehd49svsszyt42 - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0b1pReWNGenpEZ1RtVkZz - dGIrQ1NYdzdlNTNacXFkNkY4eUVSUzJ4NjNnCmYxdlFYRm9VYlRnRS9GU28xSita - cVNadTBBNmF0TjkwZnhPdHVvUWVhdXMKLS0tIGJ0MS9qOXJhVEtoSUd2TWtCUmFq - dGxUQ1RmVkhXZDVRMGx5dUFDZUlTMkEKHwwCPamlcJoiJGIOVtLdcftMm3D5DgN/ - yijIfsBySzUfU1dfFp6GMpazL+81L4+8AEp3ZW7z2BBwwE7tm1yVzg== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2023-01-28T21:53:06Z" - mac: ENC[AES256_GCM,data:jZq4UzkxyX/UhrmeKO7sFQpTlMB13lyi5/duXA0s2XX3W0U9g+TSZm21WiRGPjKmteJg0w2OhFsNk/y0uvD/oPE1ttLz/YRgiinuCoyufoX51AgQqS0KFxNBkTaDzoaKk3z1j8nEhAY2U0YS4fpOCNAkMsKdVZeTVOitcp/UeIE=,iv:5EzYCqUZri1VmD9wqQGxpypZe4F2h8W3D8a7mYbBBrg=,tag:iEFJBFmRJVw4YP5/V+21dQ==,type:str] - pgp: [] - unencrypted_suffix: _unencrypted - version: 3.7.3 diff --git a/hosts/web-01.cloonar.com/modules/collabora.nix b/hosts/web-01.cloonar.com/modules/collabora.nix deleted file mode 100644 index da679af..0000000 --- a/hosts/web-01.cloonar.com/modules/collabora.nix +++ /dev/null 
@@ -1,66 +0,0 @@ -{ config, ... }: -{ - #Collabora Containers - virtualisation.oci-containers.containers.collabora = { - image = "docker.io/collabora/code:latest"; - ports = [ "9980:9980/tcp" ]; - environment = { - server_name = "code.cloonar.com"; - aliasgroup1 = "https://cloud.cloonar.com:443"; - dictionaries = "en_US"; - extra_params = "--o:ssl.enable=false --o:ssl.termination=true"; - }; - extraOptions = [ - "--pull=newer" - ]; - }; - - services.nginx.virtualHosts.${config.virtualisation.oci-containers.containers.collabora.environment.server_name} = { - enableACME = true; - forceSSL = true; - - extraConfig = '' - # static files - location ^~ /browser { - proxy_pass http://127.0.0.1:9980; - proxy_set_header Host $host; - } - - # WOPI discovery URL - location ^~ /hosting/discovery { - proxy_pass http://127.0.0.1:9980; - proxy_set_header Host $host; - } - - # Capabilities - location ^~ /hosting/capabilities { - proxy_pass http://127.0.0.1:9980; - proxy_set_header Host $host; - } - - # main websocket - location ~ ^/cool/(.*)/ws$ { - proxy_pass http://127.0.0.1:9980; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection "Upgrade"; - proxy_set_header Host $host; - proxy_read_timeout 36000s; - } - - # download, presentation and image upload - location ~ ^/(c|l)ool { - proxy_pass http://127.0.0.1:9980; - proxy_set_header Host $host; - } - - # Admin Console websocket - location ^~ /cool/adminws { - proxy_pass http://127.0.0.1:9980; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection "Upgrade"; - proxy_set_header Host $host; - proxy_read_timeout 36000s; - } - ''; - }; -} diff --git a/hosts/web-01.cloonar.com/modules/grafana.nix b/hosts/web-01.cloonar.com/modules/grafana.nix deleted file mode 100644 index c8edf0a..0000000 --- a/hosts/web-01.cloonar.com/modules/grafana.nix +++ /dev/null 
@@ -1,107 +0,0 @@ -{ lib, pkgs, config, ...}: -let - ldap = pkgs.writeTextFile { - name = "ldap.toml"; - text = '' - [[servers]] - host = "ldap.cloonar.com" - port = 636 - use_ssl = true - bind_dn = "cn=grafana,ou=system,ou=users,dc=cloonar,dc=com" - bind_password = "$__file{/run/secrets/grafana-ldap-password}" - search_filter = "(&(objectClass=cloonarUser)(mail=%s))" - search_base_dns = ["ou=users,dc=cloonar,dc=com"] - - [servers.attributes] - name = "givenName" - surname = "sn" - username = "uid" - email = "mail" - member_of = "memberOf" - - [[servers.group_mappings]] - group_dn = "cn=Administrators,ou=groups,dc=cloonar,dc=com" - org_role = "Admin" - grafana_admin = true # Available in Grafana v5.3 and above - ''; - }; -in -{ - systemd.services.grafana.script = lib.mkBefore "export GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET=$(cat /run/secrets/grafana-oauth-secret)"; - services.grafana = { - enable = true; - settings = { - analytics.reporting_enabled = false; - # "auth.ldap".enabled = true; - # "auth.ldap".config_file = toString ldap; - - "auth.generic_oauth" = { - enabled = true; - name = "Authelia"; - icon = "signin"; - client_id = "grafana"; - scopes = "openid profile email groups"; - empty_scopes = false; - auth_url = "https://auth.cloonar.com/api/oidc/authorization"; - token_url = "https://auth.cloonar.com/api/oidc/token"; - api_url = "https://auth.cloonar.com/api/oidc/userinfo"; - login_attribute_path = "preferred_username"; - groups_attribute_path = "groups"; - name_attribute_path = "name"; - use_pkce = true; - }; - - "auth.anonymous".enabled = true; - "auth.anonymous".org_name = "Cloonar e.U."; - "auth.anonymous".org_role = "Viewer"; - - server = { - root_url = "https://grafana.cloonar.com"; - domain = "grafana.cloonar.com"; - enforce_domain = true; - enable_gzip = true; - http_addr = "0.0.0.0"; - http_port = 3001; - }; - - smtp = { - enabled = true; - host = "mail.cloonar.com:587"; - user = "grafana@cloonar.com"; - password = 
"$__file{${config.sops.secrets.grafana-ldap-password.path}}"; - fromAddress = "grafana@cloonar.com"; - }; - - database = { - type = "postgres"; - name = "grafana"; - host = "/run/postgresql"; - user = "grafana"; - }; - - security.admin_password = "$__file{${config.sops.secrets.grafana-admin-password.path}}"; - }; - }; - - services.nginx.virtualHosts."grafana.cloonar.com" = { - forceSSL = true; - enableACME = true; - acmeRoot = null; - locations."/".extraConfig = "proxy_pass http://localhost:3001;"; - }; - - services.postgresql.ensureUsers = [ - { - name = "grafana"; - ensureDBOwnership = true; - } - ]; - services.postgresql.ensureDatabases = [ "grafana" ]; - services.postgresqlBackup.databases = [ "grafana" ]; - - sops.secrets = { - grafana-admin-password.owner = "grafana"; - grafana-ldap-password.owner = "grafana"; - grafana-oauth-secret.owner = "grafana"; - }; -} diff --git a/hosts/web-01.cloonar.com/modules/loki.nix b/hosts/web-01.cloonar.com/modules/loki.nix deleted file mode 100644 index 9652286..0000000 --- a/hosts/web-01.cloonar.com/modules/loki.nix +++ /dev/null 
@@ -1,151 +0,0 @@ -{ config, pkgs, ... }: -let - rulerConfig = { - groups = [ - { - name = "general"; - rules = [ - { - alert = "Coredumps"; - # filter out failed build gitlab CI runner, users or nix build sandboxes - expr = ''sum by (host) (count_over_time({unit=~"systemd-coredump.*"} !~ "(/runner/_work|/home|/build|/scratch)" |~ "core dumped"[10m])) > 0''; - for = "10s"; - annotations.description = ''{{ $labels.instance }} {{ $labels.coredump_unit }} core dumped in last 10min.''; - } - ]; - } - ]; - }; - - rulerDir = pkgs.writeTextDir "ruler/ruler.yml" (builtins.toJSON rulerConfig); -in -{ - systemd.tmpfiles.rules = [ - "d /var/lib/loki 0700 loki loki - -" - "d /var/lib/loki/ruler 0700 loki loki - -" - ]; - services.loki = { - enable = true; - configuration = { - # Basic stuff - auth_enabled = false; - server = { - http_listen_port = 3100; - log_level = "warn"; - }; - - # Distributor - distributor.ring.kvstore.store = "inmemory"; - - # Ingester - ingester = { - lifecycler.address = "0.0.0.0"; - lifecycler.ring = { - kvstore.store = "inmemory"; - replication_factor = 1; - }; - chunk_encoding = "snappy"; - # Disable block transfers on shutdown - }; - - # Storage - storage_config = { - boltdb.directory = "/var/lib/loki/boltdb"; - boltdb_shipper = { - active_index_directory = "/var/lib/loki/index"; - cache_location = "/var/lib/loki/boltdb-cache"; - }; - tsdb_shipper = { - active_index_directory = "/var/lib/loki/tsdb-index"; - cache_location = "/var/lib/loki/tsdb-cache"; - - }; - filesystem.directory = "/var/lib/loki/storage"; - - }; - - limits_config.retention_period = "48h"; - - # Table manager - table_manager = { - retention_deletes_enabled = true; - retention_period = "48h"; - }; - - compactor = { - retention_enabled = true; - compaction_interval = "10m"; - working_directory = "/var/lib/loki/compactor"; - retention_delete_delay = "2h"; - retention_delete_worker_count = 150; - delete_request_store = "filesystem"; - }; - - # Schema - schema_config.configs = [ - { - 
from = "2020-11-08"; - store = "boltdb-shipper"; - object_store = "filesystem"; - schema = "v13"; - index.prefix = "index_"; - index.period = "24h"; - } - { - from = "2024-04-01"; - store = "tsdb"; - object_store = "filesystem"; - schema = "v13"; - index.prefix = "index_"; - index.period = "24h"; - } - ]; - - limits_config.ingestion_burst_size_mb = 16; - - # ruler = { - # storage = { - # type = "local"; - # local.directory = rulerDir; - # }; - # rule_path = "/var/lib/loki/ruler"; - # alertmanager_url = "http://alertmanager.cloonar.com"; - # ring.kvstore.store = "inmemory"; - # }; - - query_range.cache_results = true; - query_range.parallelise_shardable_queries = false; - limits_config.split_queries_by_interval = "24h"; - }; - }; - - sops.secrets.promtail-nginx-password.owner = "nginx"; - - services.nginx.virtualHosts."loki.cloonar.com" = { - forceSSL = true; - enableACME = true; - acmeRoot = null; - locations."/" = { - proxyWebsockets = true; - extraConfig = '' - auth_basic "Loki password"; - auth_basic_user_file ${config.sops.secrets.promtail-nginx-password.path}; - - proxy_read_timeout 1800s; - proxy_redirect off; - proxy_connect_timeout 1600s; - - access_log off; - proxy_pass http://127.0.0.1:3100; - ''; - }; - locations."/ready" = { - proxyWebsockets = true; - extraConfig = '' - auth_basic off; - access_log off; - proxy_pass http://127.0.0.1:3100; - ''; - }; - }; -} diff --git a/hosts/web-01.cloonar.com/modules/mysql.nix b/hosts/web-01.cloonar.com/modules/mysql.nix deleted file mode 100644 index 84578ea..0000000 --- a/hosts/web-01.cloonar.com/modules/mysql.nix +++ /dev/null 
@@ -1,78 +0,0 @@ -{ pkgs, ... }: - -let - mysqlCreateDatabase = pkgs.writeShellScriptBin "mysql-create-database" '' - #!/usr/bin/env bash - if [ $# -lt 2 ] - then - echo "Usage: $0 " - exit 1 - fi - - if ! [ $EUID -eq 0 ] - then - echo "Must be root!" >&2 - exit 1 - fi - - DB="$1" - HOST="$2" - PASSWORD="$(tr -dc A-Za-z0-9 < /dev/urandom | head -c 64 | xargs)" - - cat <" - exit 1 - fi - - if ! [ $EUID -eq 0 ] - then - echo "Must be root!" >&2 - exit 1 - fi - - DB="$1" - PASSWORD="$(tr -dc A-Za-z0-9 < /dev/urandom | head -c 64 | xargs)" - - cat <= node_filefd_maximum - FOR 20m - LABELS { - severity="page" - } - ANNOTATIONS { - summary = "{{$labels.alias}} is running out of available file descriptors in 3 hours.", - description = "{{$labels.alias}} is running out of available file descriptors in approx. 3 hours" - } - ALERT node_load1_90percent - IF node_load1 / on(alias) count(node_cpu{mode="system"}) by (alias) >= 0.9 - FOR 1h - LABELS { - severity="page" - } - ANNOTATIONS { - summary = "{{$labels.alias}}: Running on high load.", - description = "{{$labels.alias}} is running with > 90% total load for at least 1h." - } - ALERT node_cpu_util_90percent - IF 100 - (avg by (alias) (irate(node_cpu{mode="idle"}[5m])) * 100) >= 90 - FOR 1h - LABELS { - severity="page" - } - ANNOTATIONS { - summary = "{{$labels.alias}}: High CPU utilization.", - description = "{{$labels.alias}} has total CPU utilization over 90% for at least 1h." 
- } - ALERT node_ram_using_90percent - IF node_memory_MemFree + node_memory_Buffers + node_memory_Cached < node_memory_MemTotal * 0.1 - FOR 30m - LABELS { - severity="page" - } - ANNOTATIONS { - summary="{{$labels.alias}}: Using lots of RAM.", - description="{{$labels.alias}} is using at least 90% of its RAM for at least 30 minutes now.", - } - ALERT node_swap_using_80percent - IF node_memory_SwapTotal - (node_memory_SwapFree + node_memory_SwapCached) > node_memory_SwapTotal * 0.8 - FOR 10m - LABELS { - severity="page" - } - ANNOTATIONS { - summary="{{$labels.alias}}: Running out of swap soon.", - description="{{$labels.alias}} is using 80% of its swap space for at least 10 minutes now." - } - ALERT homeassistant = { - IF homeassistant_entity_available{domain="persistent_notification", entity!~"persistent_notification.http_login|persistent_notification.recorder_database_migration"} >= 0 - ANNOTATIONS { - description="homeassistant notification {{$labels.entity}} ({{$labels.friendly_name}}): {{$value}}" - } - - ALERT gitea - IF rate(promhttp_metric_handler_requests_total{job="gitea", code="500"}[5m]) > 3 - ANNOTATIONS { - description="{{$labels.instance}}: gitea instances error rate went up: {{$value}} errors in 5 minutes" - } - '' - ]; - scrapeConfigs = [ - { - job_name = "telegraf"; - scrape_interval = "60s"; - metrics_path = "/metrics"; - static_configs = [ - { - targets = [ - "web-01.cloonar.com:9273" - ]; - labels.host = "web-01.cloonar.com"; - } - { - targets = [ - "mail.cloonar.com:9273" - ]; - labels.host = "mail.cloonar.com"; - } - { - targets = [ - "git.cloonar.com:9273" - ]; - labels.host = "git.cloonar.com"; - } - { - targets = [ - "home-assistant.cloonar.com:9273" - ]; - labels.host = "home-assistant.cloonar.com"; - } - { - targets = map (host: "${host}.cloonar.com:9273") [ - "web-01" - "mail" - "git" - "home-assistant" - ]; - - labels.org = "cloonar"; - } - ]; - } - { - job_name = "homeassistant"; - scrape_interval = "60s"; - metrics_path = 
"/api/prometheus"; - - authorization.credentials_file = config.sops.secrets.hass-token.path; - - scheme = "https"; - static_configs = [ - { - targets = [ - "home-assistant.cloonar.com:443" - ]; - } - ]; - } - { - job_name = "gitea"; - scrape_interval = "60s"; - metrics_path = "/metrics"; - - scheme = "https"; - static_configs = [ - { - targets = [ - "git.cloonar.com:443" - ]; - } - ]; - } - ]; - }; - # services.prometheus.alertmanager = { - # enable = true; - # environmentFile = config.sops.secrets.alertmanager.path; - # webExternalUrl = "https://alertmanager.cloonar.com"; - # listenAddress = "[::1]"; - # configuration = { - # global = { - # # The smarthost and SMTP sender used for mail notifications. - # smtp_smarthost = "mail.cloonar.com:587"; - # smtp_from = "alertmanager@cloonar.com"; - # smtp_auth_username = "alertmanager@cloonar.com"; - # smtp_auth_password = "$SMTP_PASSWORD"; - # }; - # route = { - # receiver = "default"; - # routes = [ - # { - # group_by = [ "host" ]; - # match_re.org = "krebs"; - # group_wait = "5m"; - # group_interval = "5m"; - # repeat_interval = "4h"; - # receiver = "krebs"; - # } - # { - # group_by = [ "host" ]; - # match_re.org = "nix-community"; - # group_wait = "5m"; - # group_interval = "5m"; - # repeat_interval = "4h"; - # receiver = "nix-community"; - # } - # { - # group_by = [ "host" ]; - # match_re.org = "clan-lol"; - # group_wait = "5m"; - # group_interval = "5m"; - # repeat_interval = "4h"; - # receiver = "clan-lol"; - # } - # { - # group_by = [ "host" ]; - # group_wait = "30s"; - # group_interval = "2m"; - # repeat_interval = "2h"; - # receiver = "all"; - # } - # ]; - # }; - # receivers = [ - # { - # name = "krebs"; - # webhook_configs = [ - # { - # url = "http://127.0.0.1:9223/"; - # max_alerts = 5; - # } - # ]; - # } - # #{ - # # name = "numtide"; - # # slack_configs = [ - # # { - # # token = "$SLACK_TOKEN"; - # # api_url = "https://"; - # # } - # # ]; - # #} - # { - # name = "nix-community"; - # webhook_configs = [ - # { 
- # url = "http://localhost:9088/alert";
- # max_alerts = 5;
- # }
- # ];
- # }
- # {
- # name = "clan-lol";
- # webhook_configs = [
- # # TODO
- # #{
- # # url = "http://localhost:4050/services/hooks/YWxlcnRtYW5hZ2VyX3NlcnZpY2U";
- # # max_alerts = 5;
- # #}
- # ];
- # }
- # {
- # name = "all";
- # pushover_configs = [
- # {
- # user_key = "$PUSHOVER_USER_KEY";
- # token = "$PUSHOVER_TOKEN";
- # priority = "0";
- # }
- # ];
- # }
- # {
- # name = "default";
- # }
- # ];
- # };
- # };
-
-}
diff --git a/hosts/web-01.cloonar.com/modules/rustdesk.nix b/hosts/web-01.cloonar.com/modules/rustdesk.nix
deleted file mode 100644
index 047aa1b..0000000
--- a/hosts/web-01.cloonar.com/modules/rustdesk.nix
+++ /dev/null
@@ -1,39 +0,0 @@
-{ config, pkgs, ... }:
-
-{
- virtualisation = {
- podman.enable = true;
- oci-containers.containers = {
- rustdesk-server = {
- image = "rustdesk/rustdesk-server-s6:1";
- volumes = [ "/var/lib/rustdesk-server:/data" ];
- environment = {
- RELAY = "rustdesk.cloonar.com:21117";
- };
- ports = [
- "21115:21115"
- "21116:21116"
- "21116:21116/udp"
- "21118:21118"
- "21117:21117"
- "21119:21119"
- ];
- };
- };
- };
-
- users.users.rustdesk-server = {
- isSystemUser = true;
- group = "rustdesk-server";
- home = "/var/lib/rustdesk-server";
- createHome = true;
- };
- users.groups.rustdesk-server = { };
- users.groups.docker.members = [ "rustdesk-server" ];
-
- networking.firewall = {
- enable = true;
- allowedTCPPorts = [ 5000 21115 21116 21117 21118 21119 ];
- allowedUDPPorts = [ 21116 ];
- };
-}
diff --git a/hosts/web-01.cloonar.com/modules/victoriametrics.nix b/hosts/web-01.cloonar.com/modules/victoriametrics.nix
deleted file mode 100644
index a2788e7..0000000
--- a/hosts/web-01.cloonar.com/modules/victoriametrics.nix
+++ /dev/null
@@ -1,43 +0,0 @@
-{ config, ... }:
-let
- configure_prom = builtins.toFile "prometheus.yml" ''
- scrape_configs:
- - job_name: 'server'
- stream_parse: true
- static_configs:
- - targets:
- - ${config.networking.hostName}:9100
- '';
-in {
- services.prometheus.exporters.node.enable = true;
-
- sops.secrets.victoria-nginx-password.owner = "nginx";
-
- services.victoriametrics = {
- enable = true;
- extraOptions = [
- "-promscrape.config=${configure_prom}"
- ];
- };
-
- services.nginx.virtualHosts."victoria-server.cloonar.com" = {
- forceSSL = true;
- enableACME = true;
- acmeRoot = null;
- locations."/" = {
- proxyWebsockets = true;
- extraConfig = ''
- auth_basic "Victoria password";
- auth_basic_user_file ${config.sops.secrets.victoria-nginx-password.path};
-
- proxy_read_timeout 1800s;
- proxy_redirect off;
- proxy_connect_timeout 1600s;
-
- access_log off;
- proxy_pass http://127.0.0.1:8428;
- '';
- };
- };
-
-}
diff --git a/hosts/web-01.cloonar.com/modules/web/stack.nix b/hosts/web-01.cloonar.com/modules/web/stack.nix
deleted file mode 100644
index e588cf3..0000000
--- a/hosts/web-01.cloonar.com/modules/web/stack.nix
+++ /dev/null
@@ -1,328 +0,0 @@ -{ config, lib, pkgs, ... }: - -with lib; - -let - cfg = config.services.webstack; - - instanceOpts = { name, ... }: - { - options = { - user = mkOption { - type = types.nullOr types.str; - default = null; - description = lib.mdDoc '' - User of the typo3 instance. Defaults to attribute name in instances. - ''; - example = "example.org"; - }; - - domain = mkOption { - type = types.nullOr types.str; - default = null; - description = lib.mdDoc '' - Domain of the typo3 instance. Defaults to attribute name in instances. - ''; - example = "example.org"; - }; - - domainAliases = mkOption { - type = types.listOf types.str; - default = []; - example = [ "www.example.org" "example.org" ]; - description = lib.mdDoc '' - Additional domains served by this typo3 instance. - ''; - }; - - phpPackage = mkOption { - type = types.package; - example = literalExpression "pkgs.php"; - description = lib.mdDoc '' - Which PHP package to use in this typo3 instance. - ''; - }; - - phpOptions = mkOption { - type = types.lines; - default = ""; - description = '' - "Options appended to the PHP configuration file {file}`php.ini` used for this PHP-FPM pool." - ''; - }; - - enableMysql = mkEnableOption (lib.mdDoc "MySQL Database"); - enableDefaultLocations = mkEnableOption (lib.mdDoc "Create default nginx location directives") // { default = true; }; - - authorizedKeys = mkOption { - type = types.listOf types.str; - default = null; - description = lib.mdDoc '' - Authorized keys for the typo3 instance ssh user. - ''; - }; - - extraConfig = mkOption { - type = types.lines; - default = '' - if (!-e $request_filename) { - rewrite ^/(.+)\.(\d+)\.(php|js|css|png|jpg|gif|gzip)$ /$1.$3 last; - } - ''; - description = lib.mdDoc '' - These lines go to the end of the vhost verbatim. 
- ''; - }; - - locations = mkOption { - type = types.attrsOf (types.submodule (import { - inherit lib config; - })); - default = {}; - example = literalExpression '' - { - "/" = { - proxyPass = "http://localhost:3000"; - }; - }; - ''; - description = lib.mdDoc "Declarative location config"; - }; - - }; - }; -in - -{ - options.services.webstack = { - dataDir = mkOption { - type = types.path; - default = "/var/www"; - description = lib.mdDoc '' - The data directory for MySQL. - - ::: {.note} - If left as the default value of `/var/www` this directory will automatically be created before the web - server starts, otherwise you are responsible for ensuring the directory exists with appropriate ownership and permissions. - ::: - ''; - }; - - instances = mkOption { - type = types.attrsOf (types.submodule instanceOpts); - default = {}; - description = lib.mdDoc "Create vhosts for typo3"; - example = literalExpression '' - { - "typo3.example.com" = { - domain = "example.com"; - domainAliases = [ "www.example.com" ]; - phpPackage = pkgs.php81; - authorizedKeys = [ - "ssh-rsa AZA==" - ]; - }; - }; - ''; - }; - }; - - config = { - systemd.services = mapAttrs' (instance: instanceOpts: - let - domain = if instanceOpts.domain != null then instanceOpts.domain else instance; - in - nameValuePair "phpfpm-${domain}" { - serviceConfig = { - ProtectHome = lib.mkForce "tmpfs"; - BindPaths = "BindPaths=/var/www/${domain}:/var/www/${domain}"; - }; - } - ) cfg.instances; - - services.phpfpm.pools = mapAttrs' (instance: instanceOpts: - let - domain = if instanceOpts.domain != null then instanceOpts.domain else instance; - user = if instanceOpts.user != null - then instanceOps.user - else builtins.replaceStrings ["." 
"-"] ["_" "_"] domain; - in - nameValuePair domain { - user = user; - settings = { - "listen.owner" = config.services.nginx.user; - "pm" = "dynamic"; - "pm.max_children" = 32; - "pm.max_requests" = 500; - "pm.start_servers" = 2; - "pm.min_spare_servers" = 2; - "pm.max_spare_servers" = 5; - "php_admin_value[error_log]" = "syslog"; - "php_admin_value[max_execution_time]" = 240; - "php_admin_value[max_input_vars]" = 1500; - "access.log" = "/var/log/$pool.access.log"; - }; - phpOptions = instanceOpts.phpOptions; - phpPackage = instanceOpts.phpPackage; - phpEnv."PATH" = pkgs.lib.makeBinPath [ instanceOpts.phpPackage ]; - } - ) cfg.instances; - - }; - - - config.services.nginx.virtualHosts = mapAttrs' (instance: instanceOpts: - let - domain = if instanceOpts.domain != null then instanceOpts.domain else instance; - user = if instanceOpts.user != null - then instanceOps.user - else builtins.replaceStrings ["." "-"] ["_" "_"] domain; - in - nameValuePair domain { - forceSSL = true; - enableACME = true; - acmeRoot = null; - root = cfg.dataDir + "/" + domain + "/public"; - - locations = lib.mkMerge [ - instanceOpts.locations - (mkIf instanceOpts.enableDefaultLocations { - "/favicon.ico".extraConfig = '' - log_not_found off; - access_log off; - ''; - - # Cache.appcache, your document html and data - "~* \\.(?:manifest|appcache|html?|xml|json)$".extraConfig = '' - expires -1; - # access_log logs/static.log; # I don't usually include a static log - ''; - - "~* \\.(jpe?g|png)$".extraConfig = '' - set $red Z; - - if ($http_accept ~* "webp") { - set $red A; - } - - if (-f $document_root/webp/$request_uri.webp) { - set $red "''${red}B"; - } - - if ($red = "AB") { - add_header Vary Accept; - rewrite ^ /webp/$request_uri.webp; - } - ''; - - # Cache Media: images, icons, video, audio, HTC - "~* \\.(?:jpg|jpeg|gif|png|webp|ico|cur|gz|svg|svgz|mp4|ogg|ogv|webm|htc|woff2)$".extraConfig = '' - expires 1y; - access_log off; - add_header Cache-Control "public"; - ''; - - # Feed - "~* 
\\.(?:rss|atom)$".extraConfig = '' - expires 1h; - add_header Cache-Control "public"; - ''; - - # Cache CSS, Javascript, Images, Icons, Video, Audio, HTC, Fonts - "~* \\.(?:css|js|jpg|jpeg|gif|png|ico|cur|gz|svg|svgz|mp4|ogg|ogv|webm|htc|woff2)$".extraConfig = '' - expires 1y; - access_log off; - add_header Cache-Control "public"; - ''; - - "/".extraConfig = '' - index index.php index.html; - try_files $uri $uri/ /index.php$is_args$args; - ''; - }) - { - "~ [^/]\\.php(/|$)".extraConfig = '' - fastcgi_split_path_info ^(.+?\.php)(/.*)$; - if (!-f $document_root$fastcgi_script_name) { - return 404; - } - include ${pkgs.nginx}/conf/fastcgi_params; - include ${pkgs.nginx}/conf/fastcgi.conf; - fastcgi_buffer_size 32k; - fastcgi_buffers 8 16k; - fastcgi_connect_timeout 240s; - fastcgi_read_timeout 240s; - fastcgi_send_timeout 240s; - fastcgi_pass unix:${config.services.phpfpm.pools."${domain}".socket}; - fastcgi_index index.php; - ''; - } - ]; - - extraConfig = instanceOpts.extraConfig; - - - # locations = mapAttrs' (location: locationOpts: - # nameValuePair location locationOpts) instanceOpts.locations; - - } - ) cfg.instances; - - config.users.users = mapAttrs' (instance: instanceOpts: - let - domain = if instanceOpts.domain != null then instanceOpts.domain else instance; - user = if instanceOpts.user != null - then instanceOps.user - else builtins.replaceStrings ["." "-"] ["_" "_"] domain; - in - nameValuePair user { - isNormalUser = true; - createHome = true; - home = "/var/www/" + domain; - homeMode= "770"; - group = config.services.nginx.group; - openssh.authorizedKeys.keys = instanceOpts.authorizedKeys; - } - ) cfg.instances; -config.users.groups = mapAttrs' (instance: instanceOpts: - let - domain = if instanceOpts.domain != null then instanceOpts.domain else instance; - user = if instanceOpts.user != null - then instanceOps.user - else builtins.replaceStrings ["." 
"-"] ["_" "_"] domain; - in nameValuePair user {}) cfg.instances; - - config.services.mysql.ensureUsers = mapAttrsToList (instance: instanceOpts: - let - domain = if instanceOpts.domain != null then instanceOpts.domain else instance; - user = if instanceOpts.user != null - then instanceOps.user - else builtins.replaceStrings ["." "-"] ["_" "_"] domain; - in - mkIf instanceOpts.enableMysql { - name = user; - ensurePermissions = { - "${user}.*" = "ALL PRIVILEGES"; - }; - }) cfg.instances; - - config.services.mysql.ensureDatabases = mapAttrsToList (instance: instanceOpts: - let - domain = if instanceOpts.domain != null then instanceOpts.domain else instance; - user = if instanceOpts.user != null - then instanceOps.user - else builtins.replaceStrings ["." "-"] ["_" "_"] domain; - in - mkIf instanceOpts.enableMysql user - ) cfg.instances; - config.services.mysqlBackup.databases = mapAttrsToList (instance: instanceOpts: - let - domain = if instanceOpts.domain != null then instanceOpts.domain else instance; - user = if instanceOpts.user != null - then instanceOps.user - else builtins.replaceStrings ["." "-"] ["_" "_"] domain; - in - mkIf instanceOpts.enableMysql user - ) cfg.instances; -} - diff --git a/hosts/web-01.cloonar.com/modules/web/typo3.nix b/hosts/web-01.cloonar.com/modules/web/typo3.nix deleted file mode 100644 index e564382..0000000 --- a/hosts/web-01.cloonar.com/modules/web/typo3.nix +++ /dev/null 
@@ -1,445 +0,0 @@ -{ config, lib, pkgs, ... }: - -with lib; - -let - cfg = config.services.typo3; - - instanceOpts = { name, ... }: - { - options = { - user = mkOption { - type = types.nullOr types.str; - default = null; - description = lib.mdDoc '' - User of the typo3 instance. Defaults to attribute name in instances. - ''; - example = "example.org"; - }; - - domain = mkOption { - type = types.nullOr types.str; - default = null; - description = lib.mdDoc '' - Domain of the typo3 instance. Defaults to attribute name in instances. - ''; - example = "example.org"; - }; - - domainAliases = mkOption { - type = types.listOf types.str; - default = []; - example = [ "www.example.org" "example.org" ]; - description = lib.mdDoc '' - Additional domains served by this typo3 instance. - ''; - }; - - phpPackage = mkOption { - type = types.package; - example = literalExpression "pkgs.php"; - description = lib.mdDoc '' - Which PHP package to use in this typo3 instance. - ''; - }; - - authorizedKeys = mkOption { - type = types.listOf types.str; - default = null; - description = lib.mdDoc '' - Authorized keys for the typo3 instance ssh user. - ''; - }; - }; - }; -in - -{ - options.services.typo3 = { - dataDir = mkOption { - type = types.path; - default = "/var/www"; - description = lib.mdDoc '' - The data directory for MySQL. - - ::: {.note} - If left as the default value of `/var/www` this directory will automatically be created before the web - server starts, otherwise you are responsible for ensuring the directory exists with appropriate ownership and permissions. 
- ::: - ''; - }; - - instances = mkOption { - type = types.attrsOf (types.submodule instanceOpts); - default = {}; - description = lib.mdDoc "Create vhosts for typo3"; - example = literalExpression '' - { - "typo3.example.com" = { - domain = "example.com"; - domainAliases = [ "www.example.com" ]; - phpPackage = pkgs.php82; - authorizedKeys = [ - "ssh-rsa AZA==" - ]; - }; - }; - ''; - }; - }; - - config = { - # systemd.services = mapAttrs' (instance: instanceOpts: - # let - # domain = if instanceOpts.domain != null then instanceOpts.domain else instance; - # in - # nameValuePair "phpfpm-${domain}" { - # serviceConfig = { - # ProtectHome = lib.mkForce "tmpfs"; - # BindPaths = "BindPaths=/var/www/${domain}:/var/www/${domain}"; - # }; - # } - # ) cfg.instances; - - systemd.timers = mapAttrs' (instance: instanceOpts: - let - domain = if instanceOpts.domain != null then instanceOpts.domain else instance; - user = if instanceOpts.user != null - then instanceOps.user - else builtins.replaceStrings ["." "-"] ["_" "_"] domain; - in - nameValuePair ("typo3-cron-" + domain) { - wantedBy = [ "timers.target" ]; - timerConfig = { - OnCalendar = "05:00"; - Unit = "typo3-cron-" + domain + ".service"; - }; - } - ) cfg.instances; - systemd.services = mapAttrs' (instance: instanceOpts: - let - domain = if instanceOpts.domain != null then instanceOpts.domain else instance; - user = if instanceOpts.user != null - then instanceOps.user - else builtins.replaceStrings ["." 
"-"] ["_" "_"] domain; - in - nameValuePair ("typo3-cron-" + domain) { - script = '' - set -eu - ${instanceOpts.phpPackage}/bin/php /var/www/${domain}/.Build/bin/typo3 scheduler:run - ${instanceOpts.phpPackage}/bin/php /var/www/${domain}/.Build/bin/typo3 ke_search:indexing - ''; - serviceConfig = { - Type = "oneshot"; - User = user; - }; - } - ) cfg.instances; - - services.phpfpm.pools = mapAttrs' (instance: instanceOpts: - let - domain = if instanceOpts.domain != null then instanceOpts.domain else instance; - user = if instanceOpts.user != null - then instanceOps.user - else builtins.replaceStrings ["." "-"] ["_" "_"] domain; - in - nameValuePair domain { - user = user; - settings = { - "listen.owner" = config.services.nginx.user; - "pm" = "dynamic"; - "pm.max_children" = 32; - "pm.max_requests" = 500; - "pm.start_servers" = 2; - "pm.min_spare_servers" = 2; - "pm.max_spare_servers" = 5; - "php_admin_value[error_log]" = "syslog"; - "php_admin_value[max_execution_time]" = 240; - "php_admin_value[max_input_vars]" = 1500; - "php_admin_value[upload_max_filesize]" = "256M"; - "php_admin_value[post_max_size]" = "256M"; - "access.log" = "/var/log/$pool.access.log"; - }; - phpOptions = '' - opcache.enable=1 - opcache.memory_consumption=128 - opcache.validate_timestamps=0 - opcache.revalidate_path=0 - ''; - phpPackage = instanceOpts.phpPackage; - phpEnv."PATH" = pkgs.lib.makeBinPath [ instanceOpts.phpPackage ]; - } - ) cfg.instances; - - }; - - - config.services.nginx.virtualHosts = mapAttrs' (instance: instanceOpts: - let - domain = if instanceOpts.domain != null then instanceOpts.domain else instance; - user = if instanceOpts.user != null - then instanceOps.user - else builtins.replaceStrings ["." 
"-"] ["_" "_"] domain; - in - nameValuePair domain { - forceSSL = true; - enableACME = true; - acmeRoot = null; - root = cfg.dataDir + "/" + domain + "/public"; - serverAliases = instanceOpts.domainAliases; - - extraConfig = '' - if (!-e $request_filename) { - rewrite ^/(.+)\.(\d+)\.(php|js|css|png|jpg|gif|gzip)$ /$1.$3 last; - } - - # Virtual endpoint created by nginx to forward auth requests. - location /authelia { - internal; - set $upstream_authelia http://127.0.0.1:9091/api/verify; - proxy_pass_request_body off; - proxy_pass $upstream_authelia; - proxy_set_header Content-Length ""; - - # Timeout if the real server is dead - proxy_next_upstream error timeout invalid_header http_500 http_502 http_503; - - # [REQUIRED] Needed by Authelia to check authorizations of the resource. - # Provide either X-Original-URL and X-Forwarded-Proto or - # X-Forwarded-Proto, X-Forwarded-Host and X-Forwarded-Uri or both. - # Those headers will be used by Authelia to deduce the target url of the user. - # Basic Proxy Config - client_body_buffer_size 128k; - proxy_set_header Host $host; - proxy_set_header X-Original-URL $scheme://$http_host$request_uri; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $remote_addr; - proxy_set_header X-Forwarded-Proto $scheme; - proxy_set_header X-Forwarded-Host $http_host; - proxy_set_header X-Forwarded-Uri $request_uri; - proxy_set_header X-Forwarded-Ssl on; - proxy_redirect http:// $scheme://; - proxy_http_version 1.1; - proxy_set_header Connection ""; - proxy_cache_bypass $cookie_session; - proxy_no_cache $cookie_session; - proxy_buffers 4 32k; - - # Advanced Proxy Config - send_timeout 5m; - proxy_read_timeout 240; - proxy_send_timeout 240; - proxy_connect_timeout 240; - } - ''; - - # locations."/typo3/login" = { - # extraConfig = '' - # # Basic Authelia Config - # # Send a subsequent request to Authelia to verify if the user is authenticated - # # and has the right permissions to access the resource. 
- # auth_request /authelia; - # # Set the `target_url` variable based on the request. It will be used to build the portal - # # URL with the correct redirection parameter. - # auth_request_set $target_url $scheme://$http_host$request_uri; - # # Set the X-Forwarded-User and X-Forwarded-Groups with the headers - # # returned by Authelia for the backends which can consume them. - # # This is not safe, as the backend must make sure that they come from the - # # proxy. In the future, it's gonna be safe to just use OAuth. - # auth_request_set $user $upstream_http_remote_user; - # auth_request_set $groups $upstream_http_remote_groups; - # auth_request_set $name $upstream_http_remote_name; - # auth_request_set $email $upstream_http_remote_email; - # proxy_set_header Remote-User $user; - # proxy_set_header Remote-Groups $groups; - # proxy_set_header Remote-Name $name; - # proxy_set_header Remote-Email $email; - # # If Authelia returns 401, then nginx redirects the user to the login portal. - # # If it returns 200, then the request pass through to the backend. - # # For other type of errors, nginx will handle them as usual. 
- # error_page 401 =302 https://auth.cloonar.com/?rd=$target_url; - # - # fastcgi_param REMOTE_USER $user; - # - # include ${pkgs.nginx}/conf/fastcgi.conf; - # fastcgi_buffer_size 32k; - # fastcgi_buffers 8 16k; - # fastcgi_connect_timeout 240s; - # fastcgi_read_timeout 240s; - # fastcgi_send_timeout 240s; - # fastcgi_pass unix:${config.services.phpfpm.pools."${domain}".socket}; - # fastcgi_param SCRIPT_FILENAME ${cfg.dataDir}/${domain}/public/typo3/index.php; - # ''; - # }; - - locations."/favicon.ico".extraConfig = '' - log_not_found off; - access_log off; - ''; - - # TYPO3 - Block access to composer files - locations."~* composer\\.(?:json|lock)".extraConfig = '' - deny all; - ''; - - - # TYPO3 - Block access to flexform files - locations."~* flexform[^.]*\\.xml".extraConfig = '' - deny all; - ''; - - # TYPO3 - Block access to language files - locations."~* locallang[^.]*\\.(?:xml|xlf)$".extraConfig = '' - deny all; - ''; - - # TYPO3 - Block access to static typoscript files - locations."~* ext_conf_template\\.txt|ext_typoscript_constants\\.txt|ext_typoscript_setup\\.txt".extraConfig = '' - deny all; - ''; - - # TYPO3 - Block access to miscellaneous protected files - locations."~* /.*\\.(?:bak|co?nf|cfg|ya?ml|ts|typoscript|tsconfig|dist|fla|in[ci]|log|sh|sql|sqlite)$".extraConfig = '' - deny all; - ''; - # locations."~* /.*\.(?:bak|cfg|co?nf|ya?ml|ts)$".extraConfig = '' - # deny all; - # ''; - - # TYPO3 - Block access to recycler and temporary directories - locations."~ _(?:recycler|temp)_/".extraConfig = '' - deny all; - ''; - - # TYPO3 - Block access to configuration files stored in fileadmin - locations."~ fileadmin/(?:templates)/.*\\.(?:txt|ts|typoscript)$".extraConfig = '' - deny all; - ''; - - - # TYPO3 - Block access to libraries, source and temporary compiled data - locations."~ ^(?:vendor|typo3_src|typo3temp/var)".extraConfig = '' - deny all; - ''; - - - # TYPO3 - Block access to protected extension directories - locations."~ 
(?:typo3conf/ext|typo3/sysext|typo3/ext)/[^/]+/(?:Configuration|Resources/Private|Tests?|Documentation|docs?)/".extraConfig = '' - deny all; - ''; - - # Cache.appcache, your document html and data - locations."~* \\.(?:manifest|appcache|html?|xml|json)$".extraConfig = '' - expires -1; - # access_log logs/static.log; # I don't usually include a static log - ''; - - # Cache Media: images, icons, video, audio, HTC - locations."~* \\.(?:jpg|jpeg|gif|png|ico|cur|gz|svg|svgz|mp4|ogg|ogv|webm|htc|woff2)$".extraConfig = '' - expires 1y; - access_log off; - add_header Cache-Control "public"; - ''; - - # Feed - locations."~* \\.(?:rss|atom)$".extraConfig = '' - expires 1h; - add_header Cache-Control "public"; - ''; - - # Cache CSS, Javascript, Images, Icons, Video, Audio, HTC, Fonts - locations."~* \\.(?:css|js|jpg|jpeg|gif|png|ico|cur|gz|svg|svgz|mp4|ogg|ogv|webm|htc|woff2)$".extraConfig = '' - expires 1y; - access_log off; - add_header Cache-Control "public"; - ''; - - locations."/".extraConfig = '' - index index.php index.html; - try_files $uri $uri/ /index.php$is_args$args; - ''; - - # TYPO3 Backend URLs - locations."/typo3$".extraConfig = '' - rewrite ^ /typo3/; - ''; - - locations."/typo3/".extraConfig = '' - try_files $uri /typo3/index.php$is_args$args; - ''; - - locations."~ [^/]\\.php(/|$)".extraConfig = '' - fastcgi_split_path_info ^(.+?\.php)(/.*)$; - if (!-f $document_root$fastcgi_script_name) { - return 404; - } - - include ${pkgs.nginx}/conf/fastcgi.conf; - fastcgi_buffer_size 32k; - fastcgi_buffers 8 16k; - fastcgi_connect_timeout 240s; - fastcgi_read_timeout 240s; - fastcgi_send_timeout 240s; - fastcgi_pass unix:${config.services.phpfpm.pools."${domain}".socket}; - fastcgi_index index.php; - ''; - } - ) cfg.instances; - - config.users.users = mapAttrs' (instance: instanceOpts: - let - domain = if instanceOpts.domain != null then instanceOpts.domain else instance; - user = if instanceOpts.user != null - then instanceOps.user - else builtins.replaceStrings ["." 
"-"] ["_" "_"] domain; - in - nameValuePair user { - isNormalUser = true; - createHome = true; - home = "/var/www/" + domain; - homeMode= "770"; - group = config.services.nginx.group; - openssh.authorizedKeys.keys = instanceOpts.authorizedKeys; - } - ) cfg.instances; - config.users.groups = mapAttrs' (instance: instanceOpts: - let - domain = if instanceOpts.domain != null then instanceOpts.domain else instance; - user = if instanceOpts.user != null - then instanceOps.user - else builtins.replaceStrings ["." "-"] ["_" "_"] domain; - in nameValuePair user {}) cfg.instances; - - config.services.mysql.ensureUsers = mapAttrsToList (instance: instanceOpts: - let - domain = if instanceOpts.domain != null then instanceOpts.domain else instance; - user = if instanceOpts.user != null - then instanceOps.user - else builtins.replaceStrings ["." "-"] ["_" "_"] domain; - in - { - name = user; - ensurePermissions = { - "${user}.*" = "ALL PRIVILEGES"; - }; - }) cfg.instances; - - config.services.mysql.ensureDatabases = mapAttrsToList (instance: instanceOpts: - let - domain = if instanceOpts.domain != null then instanceOpts.domain else instance; - user = if instanceOpts.user != null - then instanceOps.user - else builtins.replaceStrings ["." "-"] ["_" "_"] domain; - in - user - ) cfg.instances; - config.services.mysqlBackup.databases = mapAttrsToList (instance: instanceOpts: - let - domain = if instanceOpts.domain != null then instanceOpts.domain else instance; - user = if instanceOpts.user != null - then instanceOps.user - else builtins.replaceStrings ["." "-"] ["_" "_"] domain; - in - user - ) cfg.instances; -} diff --git a/hosts/web-01.cloonar.com/modules/zammad/default.nix b/hosts/web-01.cloonar.com/modules/zammad/default.nix deleted file mode 100644 index 43ea290..0000000 --- a/hosts/web-01.cloonar.com/modules/zammad/default.nix +++ /dev/null 
@@ -1,117 +0,0 @@ -{ config, pkgs, ... }: - -{ - services.zammad = { - enable = true; - port = 3010; - secretKeyBaseFile = config.sops.secrets.zammad-key-base.path; - database = { - createLocally = true; - }; - }; - - services.nginx.enable = true; - services.nginx.virtualHosts."support.cloonar.com" = { - forceSSL = true; - enableACME = true; - acmeRoot = null; - - extraConfig = '' - # Virtual endpoint created by nginx to forward auth requests. - location /authelia { - internal; - set $upstream_authelia http://127.0.0.1:9091/api/verify; - proxy_pass_request_body off; - proxy_pass $upstream_authelia; - proxy_set_header Content-Length ""; - - # Timeout if the real server is dead - proxy_next_upstream error timeout invalid_header http_500 http_502 http_503; - - # [REQUIRED] Needed by Authelia to check authorizations of the resource. - # Provide either X-Original-URL and X-Forwarded-Proto or - # X-Forwarded-Proto, X-Forwarded-Host and X-Forwarded-Uri or both. - # Those headers will be used by Authelia to deduce the target url of the user. 
- # Basic Proxy Config - client_body_buffer_size 128k; - proxy_set_header Host $host; - proxy_set_header X-Original-URL $scheme://$http_host$request_uri; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $remote_addr; - proxy_set_header X-Forwarded-Proto $scheme; - proxy_set_header X-Forwarded-Host $http_host; - proxy_set_header X-Forwarded-Uri $request_uri; - proxy_set_header X-Forwarded-Ssl on; - proxy_redirect http:// $scheme://; - proxy_http_version 1.1; - proxy_set_header Connection ""; - proxy_cache_bypass $cookie_session; - proxy_no_cache $cookie_session; - proxy_buffers 4 32k; - - # Advanced Proxy Config - send_timeout 5m; - proxy_read_timeout 240; - proxy_send_timeout 240; - proxy_connect_timeout 240; - } - ''; - - locations."/" = { - proxyPass = "http://127.0.0.1:3010"; - proxyWebsockets = true; - extraConfig = - "proxy_connect_timeout 300;" + - "proxy_send_timeout 300;" + - "proxy_read_timeout 300;" + - "send_timeout 300;" - ; - }; - locations."/auth/sso" = { - proxyPass = "http://127.0.0.1:3010"; - proxyWebsockets = true; - - extraConfig = '' - # Basic Authelia Config - # Send a subsequent request to Authelia to verify if the user is authenticated - # and has the right permissions to access the resource. - auth_request /authelia; - # Set the `target_url` variable based on the request. It will be used to build the portal - # URL with the correct redirection parameter. - auth_request_set $target_url $scheme://$http_host$request_uri; - # Set the X-Forwarded-User and X-Forwarded-Groups with the headers - # returned by Authelia for the backends which can consume them. - # This is not safe, as the backend must make sure that they come from the - # proxy. In the future, it's gonna be safe to just use OAuth. 
- auth_request_set $user $upstream_http_remote_user; - auth_request_set $groups $upstream_http_remote_groups; - auth_request_set $name $upstream_http_remote_name; - auth_request_set $email $upstream_http_remote_email; - proxy_set_header Remote-User $user; - proxy_set_header Remote-Groups $groups; - proxy_set_header Remote-Name $name; - proxy_set_header Remote-Email $email; - # If Authelia returns 401, then nginx redirects the user to the login portal. - # If it returns 200, then the request pass through to the backend. - # For other type of errors, nginx will handle them as usual. - error_page 401 =302 https://auth.cloonar.com/?rd=$target_url; - ''; - }; - locations."/ws" = { - proxyPass = "http://127.0.0.1:6042"; - proxyWebsockets = true; - extraConfig = - "proxy_read_timeout 86400;" + - "send_timeout 300;" - ; - }; - }; - - sops.secrets = { - zammad-db-password.sopsFile = ./secrets.yaml; - zammad-key-base.owner = "zammad"; - }; - - services.postgresqlBackup.enable = true; - services.postgresqlBackup.databases = [ "zammad" ]; -} diff --git a/hosts/web-01.cloonar.com/modules/zammad/secrets.yaml b/hosts/web-01.cloonar.com/modules/zammad/secrets.yaml deleted file mode 100644 index 7d5ceb0..0000000 --- a/hosts/web-01.cloonar.com/modules/zammad/secrets.yaml +++ /dev/null 
@@ -1,40 +0,0 @@ -zammad-db-password: ENC[AES256_GCM,data:FFsTnwQcL8V1ZWvZ9a15FWcHnsrC7nuDW155reSmfg/IRhRfrtnvbCDQ0N3AMh7TBiyG3x5za/6orV04CplUgQ==,iv:inQXkwlTbGaKgU3nfOtIYMcheBdGv8xa7dCad8WrGEc=,tag:fxjNRCUpS6RMipk4D08new==,type:str] -zammad-key-base: ENC[AES256_GCM,data:z2v1GrjRFoaDY9tPaAsUJPVRHZhSOrXWCZhhm5E6rmH4s6QWU1EW7aY4PPgditdcathLRWkDlBT5c3SQ8Cd2DPLp/SVn9Xd8w8g/lrplhNC2sJXUyB+CUgdEnBBN0XPMsFWNx9EIrqGrF/A8js5eKtQON9fCNytaHMOsCCc0rNE=,iv:oHKiXE9U0h846XVpCrcD/dFJ1MAXCYrnM80CwaWgALc=,tag:W88DsRWvdudMscH+UBPy/Q==,type:str] -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age16veg3fmvpfm7a89a9fc8dvvsxmsthlm70nfxqspr6t8vnf9wkcwsvdq38d - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUc0RlQUt4VHU1eWZrdlF5 - UFhjSU5TWFlGbTIwbzVlaStHaWRTdS92d0YwCkJQRlh0eWVNRW9SdUFXQUZzNFYw - dktoSmFqbWxDbXR0dDNTNy8zTHYwQUEKLS0tIFFwQkdvK2QvSmFGaVRBaVFMeEFi - YUZ6b1dzUGZkL2t4aU5tTjA4UC9KU3cKmhugvvIexQqpVtGp7aLKU7WSQNxk0cTO - +8MWF1v0mztJlGbiWk5OOzT9L8TO7GDGXfi8GyMVgVBvaA7tFF709w== - -----END AGE ENCRYPTED FILE----- - - recipient: age1v6p8dan2t3w9h94fz4flldl32082j3s9x6zqq7u5j66keth9aphsd6pvch - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFZGRWbnVxVUdHWndEanlk - Wmp4WS8yUjdrVSsxTHFNcjFUWm5IZytaZVRzCmorZTJRSnBRTE5qK2xiZGtYNXZH - RjBDdWE5NjE3ZWtXRU5Fc2FaVFkzNUEKLS0tIGwvUjVBL2NpdTFsY04zbktJRGxF - QWo1Vm56dnZWQ2l1K3hzVlZDL3BaTHMKw9CjtbS9hyW42prUhlTIcmcb4Z6OaxRr - T7RJZxXefEr4myJYI5B3pqbXlBpSLLwS4lgtoqHmmYuSNjL8/xoksw== - -----END AGE ENCRYPTED FILE----- - - recipient: age1y6lvl5jkwc47p5ae9yz9j9kuwhy7rtttua5xhygrgmr7ehd49svsszyt42 - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBicStLZGZvdGJyMyszMkFo - S2xTeUM5ZEIrbUxqbXBxQTUyeHhJVTAzUm40Ck5KbngvdWYvVk5VYTRCUWhZeFkw - eFJKVEZ3VnpuL3BmOFVQdCs2K3hoTUUKLS0tIEhFRXZyRlpPZUpEanFMU1oweVJ2 - RVJjc0FUb0NFMHk2M3gxTmhMYjlrTDgKR0tfq1CWU8OdeeigOsKqNx2sszVtPWjH - 
yXcqe/jLAnvS/Ut/afEyfGYEiyyzJXLp9TGjV1fAp9y2K2noD8/TwQ== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2022-11-29T10:54:56Z" - mac: ENC[AES256_GCM,data:OX49RTucGWdH1RkbXfkiMLH2Lj65v554WSfJxkCkIu/dFagCH90QSRiX/15HTsI//ffwKVurDivC6H6OByK2eWdaeCYTEn2029GjdL4RhJhXy0RLXEq5D/KVRu73O9Xe6M36asc/OenzPcmbHAvddD14y9vaOsVTL0H15ydVrwg=,iv:+uBt1Mvj+WMM4CvAOwmOXhZJVZBXVDCXA8iSXpdjktU=,tag:AeipsBJ8PA22OfUxXA8bIA==,type:str] - pgp: [] - unencrypted_suffix: _unencrypted - version: 3.7.3 diff --git a/hosts/web-01.cloonar.com/secrets.yaml b/hosts/web-01.cloonar.com/secrets.yaml deleted file mode 100644 index 53a25ea..0000000 --- a/hosts/web-01.cloonar.com/secrets.yaml +++ /dev/null 
@@ -1,59 +0,0 @@ -borg-passphrase: ENC[AES256_GCM,data:V77hfP5jk/DXcvRiZKu6RLAqsJhlIelkQwA6ClYJKNmMtvAXG+g6794YJ+ooof1h8qcnMoctEWMUcsBetjaguA==,iv:OyJF/dftfEaGUnmbzrcn0P0tvnUZX4l6Vk0Qf0NwwfE=,tag:AAkRMD+jq01BPq2LSYPQGA==,type:str] -borg-ssh-key: ENC[AES256_GCM,data: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,iv:ZGV3C0nvqdEnukiPkeMxDD66OjeXQF4anQLkALmBno8=,tag:ELar6NeP5bjL5L/Z5m7Piw==,type:str] -bitwarden-admin-token: ENC[AES256_GCM,data:WWkkhaSwJA423FSeSoEmssACB6qjyM2usKFQhGqzP+es5bIbr4SxpC1vhWHoS3om+OndVsWzQe4NZ9bNvWAefw==,iv:S/JBDXLZDaCG6EvFigIdSv6GvmFAL8w0BJZFYoGgkl8=,tag:bc7bjJUlcyHEsO3AEd4sxQ==,type:str] -bitwarden-db-password: ENC[AES256_GCM,data:ues1754DstLekOtmjbi1LgpA4nV+4i9xUcUH05xPQSa1osvig1prh3JVnyYxJpy2zOqeRF0adZuRyb7/P/SLpA==,iv:AZG8FGPrcgfgNCtYjCVvIEHI3bkIjWVf82QRJ+qQdRA=,tag:IHnlKpWdyAjrgrzYaJtYiA==,type:str] -bitwarden-ldap-password: ENC[AES256_GCM,data:gz8ntl7mwA9f2I8LjTR2lBky7J3xYYTyQwXBrunF8/6eEgAme0zxeA5u3DTUrQ4BNfUqPfxHOIX38IxiLKRyzg==,iv:5J+KIER7R+93wdaiK7FAfS5+m8qFDruyTYh2a3n6PIg=,tag:dsT7s2TKWKcwgl3yOE3I5g==,type:str] -bitwarden-smtp-password: ENC[AES256_GCM,data:og0n7HJhplyAUDY45iuKtjnOOwmW9wD2UUwrt7/Mf/DgWbhLiYJH/NVPiUhSERMimZjTkjuHHp3bNGiIPRojX0ukJTbfiX01/BipDon1TVleLNq/tYB+VjL9KDoYi5Og5gg2ZG0DfXu8IKYshF0UD9gpYHmmxDWlZ+ZTi19cDKkiVErj44ov3Bia7hs22FHqg2J946PmWJbWDTuYKRqyynAoOtfwmrSXVW+Q+xmHNYIfOiNHo/33V1xj0Ldl49g3ry3nFBP9OGnPKOOYmekv14ehJ4eixDuZQT9gpU5m2zdHRAcapW3T8TGZIibOGlMeYRbPzBoISOr+q419bsAuB90lzpGLZfkvriHxuxtpGSg=,iv:WTvc7i4hrDi5aSc+PCL+gTuf4KKZehwk6WfgXumnRPE=,tag:TOHJsAJi2t6L9ahrikS67Q==,type:str] -authelia-jwt-secret: ENC[AES256_GCM,data:sr3+B5UPtPsAYq8Dwqrbb/hXKuY49nWKhkQ11DGfSSgdIEOnDHP7jnyDCB1Mt536djovmrl1AlOG6/JKyxvakQ==,iv:r/LtU4sef4bwSY+T9TFccZq+bKrcdZ/lPsY9QInQ3xk=,tag:GNC4kVLRuxxShLwIPGKZmg==,type:str] -authelia-backend-ldap-password: 
ENC[AES256_GCM,data:36qJ5r/ddjgxzq82/EkvYVM8VAKoHpNUbIKlimm7eABk2FkEw+U/7h5ZLjFPmKtKkbOUSI7R48xY0cKkodKwuA==,iv:jG0rXAX8Yi2okp1Y6ZSiGgSSAVFJakKEI781EpVgOLc=,tag:cPd4wmAaF81KbVsnmIy+NQ==,type:str] -authelia-storage-encryption-key: ENC[AES256_GCM,data:A0w+CuVEUZZruXYbPiM3Mv7DcsXlu0+PvzLUS0oX71YAX7jnYBrJBFQ+sg7Y19JhQOvugCn2VJoSkcXErPq7Fg==,iv:p90bnFfoXOVEZ+BalN+Qs6PMWG8cIAqHE8jGQAaJAJU=,tag:1yp9z6UyrasKPYHHTRyHlA==,type:str] -authelia-session-secret: ENC[AES256_GCM,data:/x+cq/QsYyev30mnFiWSd1N+WCKBI4zgAczEfv9TVO1M3NHECv7J1qI3Lw1OBmBki2yIaXeNTKvsoPy1jscYqA==,iv:yjy0Gp9XDl9ePhWk3X7ATVlAO6j0wxrwddBJ06zxP6A=,tag:vXo7+TwfEIpRipDleM1Ztw==,type:str] -authelia-identity-providers-oidc-hmac-secret: ENC[AES256_GCM,data:LWLWRJqhL3qA5w53KVVB1vPUgSVhWrnoaVvD2kqIXmfZXduqj3HYRyWnGuhBsJOrVtw9gX10VT9zADkZtuYjihMEgRF4h6BWhg/nmt2l3ancAkcnn+wkzGhfY/MWwRU74j3DFN4fNMgBRXpv54tzEzoSy5kN3VriYp8f80OsEtM=,iv:V1bzLRB4/Hg+wm/YAoPRVUkAzzRiKZPnBYWVtJ47qN0=,tag:jjgB/Ja2+A7pkASl1+dGRQ==,type:str] -authelia-identity-providers-oidc-issuer-certificate-chain: ENC[AES256_GCM,data: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,iv:dPslR8NX+8G8uLIo+wFT46U6XAR8ao2z6/rqzJRlEr4=,tag:Wbo1guFW/ggtZjLLNSoo7Q==,type:str] -authelia-identity-providers-oidc-issuer-private-key: ENC[AES256_GCM,data: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,iv:F/oBMW+PX6ogxHSYMWRS7liolMOc5rqwIJbwYj+J9DM=,tag:7HpCNkBWKFCGoNCq2iK3YQ==,type:str] -grafana-ldap-password: ENC[AES256_GCM,data:hNB6CRtXW98yqUqInD3LsZ75sA+lVfmbooehni0UKL60qE/XCZm5B9JVO9pjxbIYZN6Eu/RFX+9L9cJVa5jnEo2MVeLS4CSjqC8BHLArlOuEdA5v8vqqJofBpBfXXN5Ca5xeUDJKz2HgtoTg7G5nTkegGZPGrmj5QQiL1xzco38=,iv:ViQAPTGxEWnjLkJlGCdCq5wW+fbr/O9er8/71VjL/GE=,tag:+Mow4cw7tvtkXvV2iSHeQw==,type:str] -grafana-admin-password: 
ENC[AES256_GCM,data:365efRy8xD7SHBnVz6ZJO3l8/lfiZ5vZPZZbxnUmjKKJTMeebLY+P54moStY0wsbU9vk7sCKATCxrS5xy+FQJSgKLoajfz50OMA4+1k3Shl+skbeIikHKwFxqrljFa6HRQ2HTW6KLDPu6Z5Agkima5xdfrtc5R1SnOFg5b6D5NU=,iv:0yZGZVQd35Itj66Ff5hDfDYYx5xsNs/wc887bgMV1MY=,tag:9t8Iffg7kxSjE5eo7iv/RQ==,type:str] -grafana-oauth-secret: ENC[AES256_GCM,data:OXsKChjgnDEKG58LarUpdJlDy4FJTrs1lrHH9I4wO+OGb+XdOPokyXSq0Om7aYhp2g40rBcQzfj5tQcgjmvZ27He93HfgxST,iv:pSiu/2G+D/wd2+FormfGiXMm2Ps/5iDDHqUnsIJ37EY=,tag:UN2IZ6/aJJSEcTmXeD9CAQ==,type:str] -promtail-nginx-password: ENC[AES256_GCM,data:zk/Wq+Nss6Md0GdhoOcysPrDBqfoAobmqb4LMDkJBjpCn/mdP3/HPiIYdZnZ0vV0JmYpQVqgVFPMlA==,iv:TA19kKllw0Vco6RRlbW4eUqeGQ0SQJRr/TATmyZBMrs=,tag:10/87/svXdL1hpUcTOtY0w==,type:str] -victoria-nginx-password: ENC[AES256_GCM,data:+rKDzML5eQX47JF1i/ZU9jwdeLgRXPyzwSCt+iDzsCx8RKSn+omTESs/P4lj9dBPO0zjo6w=,iv:o4JW6EIwTMt3SAqhGscnc9iQBwWr6VYFSIA5sc86+pc=,tag:OvupW1Py8pCu5IAemdc81w==,type:str] -nextcloud-adminpass: ENC[AES256_GCM,data:/vt17v+aaucz8sq/uYUA0hlj1urKNYcmCN0LbgGAMhWoTiTwzYr5FzrygOuZWZBeaAFH1pWItTZRXj74OX8XqutLPlYDg/jZqLszU0/9HgSBoHb5ZnPUpzIjNI9dpMttPphpo5TVrYKoh/vR3OWjJa3ObcpGLdvMQc1r8ABEvvg=,iv:0xW7++80CwZy0O4J3bFElqp0ZMC+RpO5kcczshM1pzg=,tag:PJj5PHfkoHE8jRbS4mpq6Q==,type:str] -zammad-db-password: ENC[AES256_GCM,data:4LkMM06cs9H/ricsE+2LNin8PIn4MLbi+TaYpESeAhUz7M6JFcoLGdn2Rws3crGuCWVLColh1bv0hALLSYQs2Q==,iv:MIufiAixz6wLp1byQ2tiAx27jJGUAnVGs8KLWLaqk+4=,tag:Wbq6V3661r3Ue942q1jBRg==,type:str] -zammad-key-base: ENC[AES256_GCM,data:IERHJKzK/kRa4P6EfpSzt/9Xj1I0/YGl/Fj8ISA/WQFn4+hu9VqdJzMoVgZexbjhpB+fPWmxwyGBhrsJRf77zJGosRzG+4MPWPw6Yggai6TGbZkxj5St+I7nm9KZbtkCbo3pH3YLXhKCFVZJuSNtBb9Y3sqd0h8XcygMQbaf2Js=,iv:FEZUOBulpPDGUuJztod+r/17MEmojKrOe+HptecMdTo=,tag:ZsFKuUKaCgc01/iDJgbkNQ==,type:str] -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age16veg3fmvpfm7a89a9fc8dvvsxmsthlm70nfxqspr6t8vnf9wkcwsvdq38d - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - 
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWSDhvdG5QTWhJQ21OaXZD - N1NoekVJZDd3NlR4TW1SWWdvZWlybFYveWkwClRGSUNKVTlMY2Q0TkpXczREcFpU - R3RRdzBoTm1YRzg2VUl6RnFPQzFhSU0KLS0tIHVCdzE5aWtPc0lvT3J4K1BWWGxz - TEMyc3hMd2tFZG1mNE05MzFacGRKTXcKPqa44l/h/pQI9dOfPyiyX708tQUkCecQ - QoGBmeLOgKanvcOVz1zcqWDjdZgatU6v4aiAteDDXGK3pO8a8lZFcg== - -----END AGE ENCRYPTED FILE----- - - recipient: age1v6p8dan2t3w9h94fz4flldl32082j3s9x6zqq7u5j66keth9aphsd6pvch - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFdTZRRjZDRFdNaDN0NFhK - WkJMTlJWcjNSK1pKOVlIZXBCQWVpOVJqM21rCjJlcW1jRktoNnErVTc1eDlkS25p - MDc2ZzY2UDE1ZFZta09HNG52RG5RUFkKLS0tIDNOVVNBUXRBYll2d05SRkNkeFov - MDBoQitqNlJvV1lORW5NTkR3czh0U1kKOZGSpU9xkWe3RbRs1ws10cCvtzVdQSJI - W9t29UySisMUZmJw+I+bEBBc2IpCKjNb+d60qBK7Qw/AbT76gaksjQ== - -----END AGE ENCRYPTED FILE----- - - recipient: age1y6lvl5jkwc47p5ae9yz9j9kuwhy7rtttua5xhygrgmr7ehd49svsszyt42 - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBycWVwY0xjZ1ZKOGtQaksv - QXNPcUR0S0g1YVUzK2loRlBCKzlPb3ROajA0CllJVlQ4YTdRRmUrbUpmMmhnbStn - NFlRQzlxa2dSdDJSZzBHTEtQbVBVL00KLS0tIFVvT0M1STJkc2pFWXN0OWpEeGpt - cEwvR1NSbzlsamErb1BYVFVrUzE3bVUKT2SQJTJVvBMVjOV1nw2Gs3hLiVlVlqxr - dF8+Xk8jUazeb/5Ptj7GnB/PTLiHF41PO8L3tuZgOxXO3HvtYJF70Q== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2023-08-19T12:12:46Z" - mac: ENC[AES256_GCM,data:W7MGnXfVxBgS/AQ5Xl6PcK3P4rH+1OjbWGBJBlz7KaG3uZXf8rnZGb7OUgYadu1KjhWZIJf8i3iyOBSqPTnBbd2xYKRMmxJj1qMlGY6dx8eGv4Zlvahs4pzT0iGqhC9Ce0+mc1QQwiD7paq0PSgNAy8q2XudITCS6iIL9woc+CM=,iv:SyTmDoG49wp1WPYUsnjw6u28Ch4N8a3T6EFncCgel5I=,tag:xJk//KA/Zhq3bjy1GG1L3g==,type:str] - pgp: [] - unencrypted_suffix: _unencrypted - version: 3.7.3 diff --git a/hosts/web-01.cloonar.com/sites/api.optiprot.cloonar.dev.nix b/hosts/web-01.cloonar.com/sites/api.optiprot.cloonar.dev.nix deleted file mode 100644 index 6ee0b0a..0000000 --- a/hosts/web-01.cloonar.com/sites/api.optiprot.cloonar.dev.nix +++ /dev/null 
@@ -1,34 +0,0 @@ -{ pkgs, lib, config, ... }: -{ - services.webstack.instances."api.optiprot.cloonar.dev" = { - enableDefaultLocations = false; - enableMysql = true; - authorizedKeys = [ - "ssh-rsa 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" - ]; - extraConfig = '' - add_header X-Frame-Options "SAMEORIGIN"; - add_header X-Content-Type-Options "nosniff"; - - index index.php - - charset utf-8; - - error_page 404 /index.php; - ''; - locations."/favicon.ico".extraConfig = '' - log_not_found off; - access_log off; - ''; - locations."/robots.txt".extraConfig = '' - access_log off; - log_not_found off; - ''; - - locations."/".extraConfig = '' - try_files $uri $uri/ /index.php$is_args$args; - ''; - phpPackage = pkgs.php82.withExtensions ({ enabled, all }: - enabled ++ [ all.imagick ]); - }; -} diff --git a/hosts/web-01.cloonar.com/sites/api.optiprot.eu.nix b/hosts/web-01.cloonar.com/sites/api.optiprot.eu.nix deleted file mode 100644 index 968fbcc..0000000 --- a/hosts/web-01.cloonar.com/sites/api.optiprot.eu.nix +++ /dev/null @@ -1,34 +0,0 @@ -{ pkgs, lib, config, ... }: -{ - services.webstack.instances."api.optiprot.eu" = { - enableDefaultLocations = false; - enableMysql = true; - authorizedKeys = [ - "ssh-rsa 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" - ]; - extraConfig = '' - add_header X-Frame-Options "SAMEORIGIN"; - add_header X-Content-Type-Options "nosniff"; - - index index.php - - charset utf-8; - - error_page 404 /index.php; - ''; - locations."/favicon.ico".extraConfig = '' - log_not_found off; - access_log off; - ''; - locations."/robots.txt".extraConfig = '' - access_log off; - log_not_found off; - ''; - - locations."/".extraConfig = '' - try_files $uri $uri/ /index.php$is_args$args; - ''; - phpPackage = pkgs.php82.withExtensions ({ enabled, all }: - enabled ++ [ all.imagick ]); - }; -} 
diff --git a/hosts/web-01.cloonar.com/sites/api.paraclub.at.nix b/hosts/web-01.cloonar.com/sites/api.paraclub.at.nix deleted file mode 100644 index 409e1cc..0000000 --- a/hosts/web-01.cloonar.com/sites/api.paraclub.at.nix +++ /dev/null @@ -1,34 +0,0 @@ -{ pkgs, lib, config, ... }: -{ - services.webstack.instances."api.paraclub.at" = { - enableDefaultLocations = false; - enableMysql = true; - authorizedKeys = [ - "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCmLPJoHwL+d7dnc3aFLbRCDshxRSQ0dtAVv/LYBn2/PBlZcIyVO9drjr702GL9QuS5DQyjtoZjSOvv1ykBKedUwY3XDyyZgtqjleojKIFMXkdXtD5iG+RUraUfzcFCZU12BYXSeAXK1HmIjSDUtDOlp6lVVWxNpz1vWSRtA/+PULhP+n5Cj7232Wf372+EPfQPntOlcMbyrDLFtj7cUz+E6BH0qdX0l3QtIVnK/C1iagPAwLcwPJd9Sfs8lj5C4g8T9uBJa6OX+87lE4ySYY+Cik9BN59S0ctjXvWCFsPO3udQSC1mf33XdDenc2mbi+lZWTfrN8S2K5CsbxRsVBlbapFBRwufEpN4iQnaTu1QmzDrmktBFAPJ2jvjBJPIx6W3KOy3kUwh9WNhzd/ubf9dFTHzkTzgluo/Zk6/S8fTJiA4rbYKSkLw9Y265bvtR1kfUBLKSa/Axe5dkKysX1RNKfTJEwbh2TfIS3apQPZZc5kIEWfeK/6kbQX7WJZFtTs=" - ]; - extraConfig = '' - add_header X-Frame-Options "SAMEORIGIN"; - add_header X-Content-Type-Options "nosniff"; - - index index.php - - charset utf-8; - - error_page 404 /index.php; - ''; - locations."/favicon.ico".extraConfig = '' - log_not_found off; - access_log off; - ''; - locations."/robots.txt".extraConfig = '' - access_log off; - log_not_found off; - ''; - - locations."/".extraConfig = '' - try_files $uri $uri/ /index.php$is_args$args; - ''; - phpPackage = pkgs.php82.withExtensions ({ enabled, all }: - enabled ++ [ all.imagick ]); - }; -} diff --git a/hosts/web-01.cloonar.com/sites/api.paraclub.cloonar.dev.nix b/hosts/web-01.cloonar.com/sites/api.paraclub.cloonar.dev.nix deleted file mode 100644 index 151ea09..0000000 --- a/hosts/web-01.cloonar.com/sites/api.paraclub.cloonar.dev.nix +++ /dev/null 
@@ -1,35 +0,0 @@ -{ pkgs, lib, config, ... }: -{ - services.webstack.instances."api.paraclub.cloonar.dev" = { - enableDefaultLocations = false; - enableMysql = true; - authorizedKeys = [ - "ssh-rsa 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" - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFtMqcJDygWT16b7wF0qaagWUHj1+s6whMq0YRv47WA5" - ]; - extraConfig = '' - add_header X-Frame-Options "SAMEORIGIN"; - add_header X-Content-Type-Options "nosniff"; - - index index.php - - charset utf-8; - - error_page 404 /index.php; - ''; - locations."/favicon.ico".extraConfig = '' - log_not_found off; - access_log off; - ''; - locations."/robots.txt".extraConfig = '' - access_log off; - log_not_found off; - ''; - - locations."/".extraConfig = '' - try_files $uri $uri/ /index.php$is_args$args; - ''; - phpPackage = pkgs.php82.withExtensions ({ enabled, all }: - enabled ++ [ all.imagick ]); - }; -} diff --git a/hosts/web-01.cloonar.com/sites/autoconfig.cloonar.com.nix b/hosts/web-01.cloonar.com/sites/autoconfig.cloonar.com.nix deleted file mode 100644 index 8b40ad0..0000000 --- a/hosts/web-01.cloonar.com/sites/autoconfig.cloonar.com.nix +++ /dev/null @@ -1,36 +0,0 @@ -{ pkgs, lib, config, ... }: -let - domain = "autoconfig.cloonar.com"; -in -{ - services.go-autoconfig = { - enable = true; - settings = { - service_addr = ":1323"; - domain = domain; - imap = { - server = "imap.cloonar.com"; - port = 993; - }; - smtp = { - server = "mail.cloonar.com"; - port = 587; - starttls = true; - }; - }; - }; - - services.nginx.virtualHosts."${domain}" = { - forceSSL = true; - enableACME = true; - locations."/" = { - proxyPass = "http://localhost:1323/"; - }; - }; - services.nginx.virtualHosts."autoconfig.superbros.tv".extraConfig = '' - return 301 https://autoconfig.cloonar.com$request_uri; - ''; - services.nginx.virtualHosts."autoconfig.korean-skin.care".extraConfig = '' - return 301 https://autoconfig.cloonar.com$request_uri; - ''; -} 
diff --git a/hosts/web-01.cloonar.com/sites/autoconfig.nix b/hosts/web-01.cloonar.com/sites/autoconfig.nix
deleted file mode 100644
index 963d2b8..0000000
--- a/hosts/web-01.cloonar.com/sites/autoconfig.nix
+++ /dev/null
@@ -1,90 +0,0 @@ -{ pkgs, lib, config, ... }: -let - domains = [ - "cloonar.com" - "ghetto.at" - "optiprot.eu" - ]; - - vhostConfig = { - forceSSL = true; - enableACME = true; - acmeRoot = null; - root = "/var/www/autoconfig"; - - # MS Outlook - locations."~* ^/autodiscover/autodiscover.xml".extraConfig = '' - root /var/www/autoconfig; - try_files /autodiscover.php =404; - include ${pkgs.nginx}/conf/fastcgi_params; - include ${pkgs.nginx}/conf/fastcgi.conf; - fastcgi_pass unix:${config.services.phpfpm.pools.autoconfig.socket}; - ''; - - # Thunderbird - locations."/.well-known/autoconfig/mail/config-v1.1.xml".extraConfig = '' - root /var/www/autoconfig; - try_files /config-v1.1.php =404; - include ${pkgs.nginx}/conf/fastcgi_params; - include ${pkgs.nginx}/conf/fastcgi.conf; - fastcgi_pass unix:${config.services.phpfpm.pools.autoconfig.socket}; - ''; - - # Apple devices - locations."/apple/get-mobileconfig".extraConfig = '' - root /var/www/autoconfig; - try_files /apple.php =404; - include ${pkgs.nginx}/conf/fastcgi_params; - include ${pkgs.nginx}/conf/fastcgi.conf; - fastcgi_pass unix:${config.services.phpfpm.pools.autoconfig.socket}; - ''; - - # disable logging for Apple Touch Icons - locations."~ /apple-touch-icon(|-\d+x\d+)(|-precomposed).png".extraConfig = '' - log_not_found off; - access_log off; - ''; - }; -in -{ - services.nginx.virtualHosts."autoconfig.cloonar.com" = vhostConfig; - services.nginx.virtualHosts."autoconfig.ghetto.at" = vhostConfig; - services.nginx.virtualHosts."autoconfig.optiprot.eu" = vhostConfig; - services.nginx.virtualHosts."autoconfig.superbros.tv" = vhostConfig; - services.nginx.virtualHosts."autoconfig.korean-skin.care" = vhostConfig; - - systemd.services."phpfpm-autoconfig".serviceConfig.ProtectHome = lib.mkForce false; - - services.phpfpm.pools."autoconfig" = { - user = "autoconfig"; - settings = { - "listen.owner" = config.services.nginx.user; - "pm" = "dynamic"; - "pm.max_children" = 32; - "pm.max_requests" = 500; - 
"pm.start_servers" = 2; - "pm.min_spare_servers" = 2; - "pm.max_spare_servers" = 5; - "php_admin_value[error_log]" = "stderr"; - "php_admin_flag[log_errors]" = true; - "catch_workers_output" = true; - "access.log" = "/var/log/$pool.access.log"; - }; - phpPackage = pkgs.php; - phpEnv."PATH" = lib.makeBinPath [ pkgs.php ]; - }; - - users.users."autoconfig" = { - #isSystemUser = true; - isNormalUser = true; - createHome = true; - home = "/var/www/autoconfig"; - homeMode= "770"; - #home = "/home/${domain}"; - group = "nginx"; - openssh.authorizedKeys.keys = [ - "ssh-rsa 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" - ]; - }; - users.groups.autoconfig = {}; -} diff --git a/hosts/web-01.cloonar.com/sites/cloonar.com.nix b/hosts/web-01.cloonar.com/sites/cloonar.com.nix deleted file mode 100644 index 27621de..0000000 --- a/hosts/web-01.cloonar.com/sites/cloonar.com.nix +++ /dev/null 
@@ -1,60 +0,0 @@ -{ pkgs, lib, config, ... }: -let - domain = "cloonar.com"; - dataDir = "/var/www/${domain}"; -in { - services.nginx.virtualHosts."${domain}" = { - forceSSL = true; - enableACME = true; - acmeRoot = null; - root = "${dataDir}"; - - locations."/favicon.ico".extraConfig = '' - log_not_found off; - access_log off; - ''; - - locations."/".extraConfig = '' - index index.html; - ''; - - locations."~* \.(jpe?g|png)$".extraConfig = '' - set $red Z; - - if ($http_accept ~* "webp") { - set $red A; - } - - if (-f $document_root/webp/$request_uri.webp) { - set $red "''${red}B"; - } - - if ($red = "AB") { - add_header Vary Accept; - rewrite ^ /webp/$request_uri.webp; - } - ''; - - locations."~* \.(js|jpg|gif|png|webp|css|woff2)$".extraConfig = '' - expires 365d; - add_header Pragma "public"; - add_header Cache-Control "public"; - ''; - - locations."~ [^/]\.php(/|$)".extraConfig = '' - deny all; - ''; - }; - users.users."${domain}" = { - isNormalUser = true; - createHome = true; - home = dataDir; - homeMode= "770"; - #home = "/home/${domain}"; - group = "nginx"; - openssh.authorizedKeys.keys = [ - "ssh-rsa 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" - ]; - }; - users.groups.${domain} = {}; -} diff --git a/hosts/web-01.cloonar.com/sites/cloonar.dev.nix b/hosts/web-01.cloonar.com/sites/cloonar.dev.nix deleted file mode 100644 index 50cb7d3..0000000 --- a/hosts/web-01.cloonar.com/sites/cloonar.dev.nix +++ /dev/null 
@@ -1,60 +0,0 @@ -{ pkgs, lib, config, ... }: -let - domain = "cloonar.dev"; - dataDir = "/var/www/${domain}"; -in { - services.nginx.virtualHosts."${domain}" = { - forceSSL = true; - enableACME = true; - acmeRoot = null; - root = "${dataDir}"; - - locations."/favicon.ico".extraConfig = '' - log_not_found off; - access_log off; - ''; - - locations."/".extraConfig = '' - index index.html; - ''; - - locations."~* \.(jpe?g|png)$".extraConfig = '' - set $red Z; - - if ($http_accept ~* "webp") { - set $red A; - } - - if (-f $document_root/webp/$request_uri.webp) { - set $red "''${red}B"; - } - - if ($red = "AB") { - add_header Vary Accept; - rewrite ^ /webp/$request_uri.webp; - } - ''; - - locations."~* \.(js|jpg|gif|png|webp|css|woff2)$".extraConfig = '' - expires 365d; - add_header Pragma "public"; - add_header Cache-Control "public"; - ''; - - locations."~ [^/]\.php(/|$)".extraConfig = '' - deny all; - ''; - }; - users.users."${domain}" = { - isNormalUser = true; - createHome = true; - home = dataDir; - homeMode= "770"; - #home = "/home/${domain}"; - group = "nginx"; - openssh.authorizedKeys.keys = [ - "ssh-rsa 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" - ]; - }; - users.groups.${domain} = {}; -} diff --git a/hosts/web-01.cloonar.com/sites/diabetes-austria.cloonar.dev.nix b/hosts/web-01.cloonar.com/sites/diabetes-austria.cloonar.dev.nix deleted file mode 100644 index 417341d..0000000 --- a/hosts/web-01.cloonar.com/sites/diabetes-austria.cloonar.dev.nix +++ /dev/null 
@@ -1,141 +0,0 @@ -{ pkgs, lib, config, ... }: -let - domain = "diabetes-austria.cloonar.dev"; - dataDir = "/var/www/${domain}"; -in { - systemd.services."phpfpm-${domain}".serviceConfig.ProtectHome = lib.mkForce false; - - services.phpfpm.pools."${domain}" = { - user = domain; - settings = { - "listen.owner" = config.services.nginx.user; - "pm" = "dynamic"; - "pm.max_children" = 32; - "pm.max_requests" = 500; - "pm.start_servers" = 2; - "pm.min_spare_servers" = 2; - "pm.max_spare_servers" = 5; - "php_admin_value[error_log]" = "stderr"; - "php_admin_flag[log_errors]" = true; - "catch_workers_output" = true; - "access.log" = "/var/log/$pool.access.log"; - }; - phpPackage = pkgs.nur.repos.izorkin.php74; - phpEnv."PATH" = lib.makeBinPath [ pkgs.nur.repos.izorkin.php74 ]; - }; - - services.nginx.virtualHosts."${domain}" = { - forceSSL = true; - enableACME = true; - acmeRoot = null; - root = "${dataDir}/public"; - - locations."/favicon.ico".extraConfig = '' - log_not_found off; - access_log off; - ''; - - # TYPO3 - Rule for versioned static files, configured through: - # - $GLOBALS['TYPO3_CONF_VARS']['BE']['versionNumberInFilename'] - # - $GLOBALS['TYPO3_CONF_VARS']['FE']['versionNumberInFilename'] - - extraConfig = '' - if (!-e $request_filename) { - rewrite ^/(.+)\.(\d+)\.(php|js|css|png|jpg|gif|gzip)$ /$1.$3 last; - } - ''; - - # TYPO3 - Block access to composer files - locations."~* composer\.(?:json|lock)".extraConfig = '' - deny all; - ''; - - - # TYPO3 - Block access to flexform files - locations."~* flexform[^.]*\.xml".extraConfig = '' - deny all; - ''; - - # TYPO3 - Block access to language files - locations."~* locallang[^.]*\.(?:xml|xlf)$".extraConfig = '' - deny all; - ''; - - # TYPO3 - Block access to static typoscript files - locations."~* ext_conf_template\.txt|ext_typoscript_constants\.txt|ext_typoscript_setup\.txt".extraConfig = '' - deny all; - ''; - - # TYPO3 - Block access to miscellaneous protected files - locations."~* 
/.*\.(?:bak|co?nf|cfg|ya?ml|ts|typoscript|tsconfig|dist|fla|in[ci]|log|sh|sql|sqlite)$".extraConfig = '' - deny all; - ''; - - # TYPO3 - Block access to recycler and temporary directories - locations."~ _(?:recycler|temp)_/".extraConfig = '' - deny all; - ''; - - # TYPO3 - Block access to configuration files stored in fileadmin - locations."~ fileadmin/(?:templates)/.*\.(?:txt|ts|typoscript)$".extraConfig = '' - deny all; - ''; - - - # TYPO3 - Block access to libraries, source and temporary compiled data - locations."~ ^(?:vendor|typo3_src|typo3temp/var)".extraConfig = '' - deny all; - ''; - - - # TYPO3 - Block access to protected extension directories - locations."~ (?:typo3conf/ext|typo3/sysext|typo3/ext)/[^/]+/(?:Configuration|Resources/Private|Tests?|Documentation|docs?)/".extraConfig = '' - deny all; - ''; - - locations."/".extraConfig = '' - index index.php index.html; - try_files $uri $uri/ /index.php$is_args$args; - ''; - - # TYPO3 Backend URLs - locations."/typo3$".extraConfig = '' - rewrite ^ /typo3/; - ''; - - locations."/typo3/".extraConfig = '' - try_files $uri /typo3/index.php$is_args$args; - ''; - - locations."~ [^/]\.php(/|$)".extraConfig = '' - fastcgi_split_path_info ^(.+?\.php)(/.*)$; - if (!-f $document_root$fastcgi_script_name) { - return 404; - } - include ${pkgs.nginx}/conf/fastcgi_params; - include ${pkgs.nginx}/conf/fastcgi.conf; - fastcgi_buffer_size 32k; - fastcgi_buffers 8 16k; - fastcgi_connect_timeout 240s; - fastcgi_read_timeout 240s; - fastcgi_send_timeout 240s; - fastcgi_pass unix:${config.services.phpfpm.pools."${domain}".socket}; - fastcgi_index index.php; - ''; - }; - users.users."${domain}" = { - #isSystemUser = true; - isNormalUser = true; - createHome = true; - home = dataDir; - homeMode= "770"; - #home = "/home/${domain}"; - group = "nginx"; - openssh.authorizedKeys.keys = [ - "ssh-rsa 
AAAAB3NzaC1yc2EAAAADAQABAAABgQDZg6mxd6kuB7zxxTMw/kgP2Cfddjnz8hCtSbzKckNBtM9TbnJ76ZbAjgh/TDcm/qBADlICi+Ib0tMlzK1BJWLxe1SjHOR78BPzPGASmjtj6vuNAFyM20Ise5rhbbo2sC6o82F6HP4iak+hFzhwTf0Ld1LT5dJ78CltKgHFmyKIaRYBILn5MvTnmORG2UfFY1Tef2DiujrQD24bM2f4BYR2Ni0zoyim8UUkjciQkXceB8yDJQX/e1WcNxGU7Bsh2WGZMu6Ykeinbf7LIu8pPGH2sf81N8tbsYc4PxZv9lovgRWdNNmSfB+Ocsn4jWBN9nVtb8XMXycTaenI4W57F+ZWrx0LddPhwfXbLAdFgxyvqtWW/WF48DH2vETQcCATowIhtU7QDZ3pDKaTIIYhDYnMvPJuM2rQP0SCMaNzQlziXWFvKTRw8nnqkpzTz488OJVkYvULXhiRgr0Uxe6eh7XCOO9SF5wdj1cGeewefOiOjpxmg/GnaQvQW6KjFRMj1ZE=" - ]; - }; - users.groups.${domain} = {}; - - services.mysqlBackup.databases = [ "diabetes_austria" ]; -} diff --git a/hosts/web-01.cloonar.com/sites/gbv-aktuell.at.nix b/hosts/web-01.cloonar.com/sites/gbv-aktuell.at.nix deleted file mode 100644 index df92214..0000000 --- a/hosts/web-01.cloonar.com/sites/gbv-aktuell.at.nix +++ /dev/null @@ -1,39 +0,0 @@ -{ pkgs, lib, config, ... }: -{ - services.typo3.instances."gbv-aktuell.at" = { - domainAliases = [ "www.gbv-aktuell.at" ]; - authorizedKeys = [ - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHYyLbVv9l/LhpNhmE3QO0f9Lg8d2Y8JiDdn/cNcmyfO" - ]; - phpPackage = pkgs.php81; - }; - - services.awstats = { - enable = true; - updateAt = "daily"; - configs."gbv-aktuell.at" = { - webService = { - enable = true; - hostname = "gbv-aktuell.at"; - }; - logFile = "/var/log/nginx/access.log"; - extraConfig = { - # ShowDaysOfWeekStats = "0"; - # ShowHoursStats = "0"; - # ShowDomainsStats = "0"; - # ShowHostsStats = "0"; - # "ShowRobotsStats" = "0"; - # "ShowFileTypesStats" = "0"; - # "ShowDownloadsStats" = "0"; - # "ShowPagesStats" = "0"; - # "ShowOSStats" = "0"; - # "ShowBrowsersStats" = "0"; - # "ShowOriginStats" = "0"; - # "ShowKeyphrasesStats" = "0"; - # "ShowKeywordsStats" = "0"; - # "ShowMiscStats" = "0"; - # "ShowHTTPErrorsStats" = "0"; - }; - }; - }; -} 
diff --git a/hosts/web-01.cloonar.com/sites/gbv-aktuell.cloonar.dev.nix b/hosts/web-01.cloonar.com/sites/gbv-aktuell.cloonar.dev.nix deleted file mode 100644 index 9943432..0000000 --- a/hosts/web-01.cloonar.com/sites/gbv-aktuell.cloonar.dev.nix +++ /dev/null @@ -1,10 +0,0 @@ -{ pkgs, lib, config, ... }: -{ - services.typo3.instances."gbv-aktuell.cloonar.dev" = { - domainAliases = [ "typo3-gbv-aktuell.cloonar.com" ]; - authorizedKeys = [ - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAcDedq/yqC2ROzvZGTyR/tDSnTcL3LB32O2QhkgQmfn" - ]; - phpPackage = pkgs.php81; - }; -} diff --git a/hosts/web-01.cloonar.com/sites/gbv.cloonar.dev.nix b/hosts/web-01.cloonar.com/sites/gbv.cloonar.dev.nix deleted file mode 100644 index 5aa6971..0000000 --- a/hosts/web-01.cloonar.com/sites/gbv.cloonar.dev.nix +++ /dev/null 
@@ -1,71 +0,0 @@
-{ pkgs, lib, config, ... }:
-let
- domain = "gbv.cloonar.dev";
- dataDir = "/var/www/${domain}";
-in {
- systemd.services."phpfpm-${domain}".serviceConfig.ProtectHome = lib.mkForce false;
-
- services.phpfpm.pools."${domain}" = {
- user = domain;
- settings = {
- "listen.owner" = config.services.nginx.user;
- "pm" = "dynamic";
- "pm.max_children" = 32;
- "pm.max_requests" = 500;
- "pm.start_servers" = 2;
- "pm.min_spare_servers" = 2;
- "pm.max_spare_servers" = 5;
- "php_admin_value[error_log]" = "/var/log/$pool.error.log";
- "php_admin_flag[log_errors]" = true;
- "php_admin_value[display_errors]" = true;
- "catch_workers_output" = true;
- "access.log" = "/var/log/$pool.access.log";
- };
- phpPackage = pkgs.nur.repos.izorkin.php74;
- phpEnv."PATH" = lib.makeBinPath [ pkgs.nur.repos.izorkin.php74 ];
- };
-
- services.nginx.virtualHosts."${domain}" = {
- forceSSL = true;
- enableACME = true;
- acmeRoot = null;
- root = "${dataDir}";
-
- locations."/favicon.ico".extraConfig = ''
- log_not_found off;
- access_log off;
- '';
-
- locations."/".extraConfig = ''
- index index.php index.html;
- try_files $uri $uri/ /index.php$is_args$args;
- '';
-
- locations."~ [^/]\.php(/|$)".extraConfig = ''
- fastcgi_split_path_info ^(.+?\.php)(/.*)$;
- if (!-f $document_root$fastcgi_script_name) {
- return 404;
- }
- include ${pkgs.nginx}/conf/fastcgi_params;
- include ${pkgs.nginx}/conf/fastcgi.conf;
- fastcgi_buffer_size 32k;
- fastcgi_buffers 8 16k;
- fastcgi_connect_timeout 240s;
- fastcgi_read_timeout 240s;
- fastcgi_send_timeout 240s;
- fastcgi_pass unix:${config.services.phpfpm.pools."${domain}".socket};
- fastcgi_index index.php;
- '';
- };
- users.users."${domain}" = {
- isSystemUser = true;
- createHome = true;
- home = dataDir;
- homeMode= "770";
- #home = "/home/${domain}";
- group = "nginx";
- };
- users.groups.${domain} = {};
-
- services.mysqlBackup.databases = [ "gbv_stage" ];
-}
diff --git a/hosts/web-01.cloonar.com/sites/matomo.cloonar.com.nix b/hosts/web-01.cloonar.com/sites/matomo.cloonar.com.nix
deleted file mode 100644
index 5f03a88..0000000
--- a/hosts/web-01.cloonar.com/sites/matomo.cloonar.com.nix
+++ /dev/null
@@ -1,117 +0,0 @@
-{ pkgs, lib, config, ... }:
-let
- domain = "matomo.cloonar.com";
- dataDir = "/var/www/${domain}";
-in {
- systemd.services."phpfpm-${domain}".serviceConfig.ProtectHome = lib.mkForce false;
-
- services.phpfpm.pools."${domain}" = {
- user = domain;
- settings = {
- "listen.owner" = config.services.nginx.user;
- "pm" = "dynamic";
- "pm.max_children" = 32;
- "pm.max_requests" = 500;
- "pm.start_servers" = 2;
- "pm.min_spare_servers" = 2;
- "pm.max_spare_servers" = 5;
- "php_admin_value[error_log]" = "/var/log/$pool.php.error.log";
- "php_admin_flag[log_errors]" = true;
- "php_admin_value[display_errors]" = true;
- "catch_workers_output" = true;
- "access.log" = "/var/log/$pool.access.log";
- };
- phpPackage = pkgs.php83;
- phpEnv."PATH" = lib.makeBinPath [ pkgs.php83 ];
- };
-
- services.nginx.virtualHosts."${domain}" = {
- forceSSL = true;
- enableACME = true;
- acmeRoot = null;
- root = "${dataDir}";
-
- locations."/favicon.ico".extraConfig = ''
- log_not_found off;
- access_log off;
- '';
-
- locations."~* ^.+\\.php$".extraConfig = ''
- fastcgi_split_path_info ^(.+?\.php)(/.*)$;
- if (!-f $document_root$fastcgi_script_name) {
- return 404;
- }
- include ${pkgs.nginx}/conf/fastcgi_params;
- include ${pkgs.nginx}/conf/fastcgi.conf;
- fastcgi_buffer_size 32k;
- fastcgi_buffers 8 16k;
- fastcgi_connect_timeout 240s;
- fastcgi_read_timeout 240s;
- fastcgi_send_timeout 240s;
- fastcgi_pass unix:${config.services.phpfpm.pools."${domain}".socket};
- fastcgi_index index.php;
- '';
-
- ## serve all other files normally
- locations."/".extraConfig = ''
- index index.php index.html;
- try_files $uri $uri/ /index.php$is_args$args;
- '';
-
- ## disable all access to the following directories
- locations."~ ^/(config|tmp|core|lang)".extraConfig = ''
- deny all;
- return 403; # replace with 404 to not show these directories exist
- '';
-
- locations."~ /\\.ht".extraConfig = ''
- deny all;
- return 403;
- '';
-
- locations."~ 
js/container_.*_preview\\.js$".extraConfig = ''
- expires off;
- add_header Cache-Control 'private, no-cache, no-store';
- '';
-
- locations."~ \\.(gif|ico|jpg|png|svg|js|css|htm|html|mp3|mp4|wav|ogg|avi|ttf|eot|woff|woff2)$".extraConfig = ''
- allow all;
- ## Cache images,CSS,JS and webfonts for an hour
- ## Increasing the duration may improve the load-time, but may cause old files to show after an Matomo upgrade
- expires 1h;
- add_header Pragma public;
- add_header Cache-Control "public";
- '';
-
- locations."~ ^/(libs|vendor|plugins|misc|node_modules)".extraConfig = ''
- deny all;
- return 403;
- '';
-
- ## properly display textfiles in root directory
- locations."~/(.*\\.md|LEGALNOTICE|LICENSE)".extraConfig = ''
- default_type text/plain;
- '';
-
- };
- users.users."${domain}" = {
- isSystemUser = true;
- createHome = true;
- home = dataDir;
- homeMode= "770";
- #home = "/home/${domain}";
- group = "nginx";
- };
- users.groups.${domain} = {};
-
- systemd.services."matomo-archive" = {
- startAt = "*-*-* 23:00:00";
- serviceConfig = {
- Type = "oneshot";
- User = "${domain}";
- ExecStart = "${pkgs.php83}/bin/php /var/www/${domain}/console --matomo-domain=matomo.cloonar.com core:archive";
- };
- };
-
- services.mysqlBackup.databases = [ "matomo" ];
-}
diff --git a/hosts/web-01.cloonar.com/sites/mehr-leistbaren-wohnraum-schaffen.at.nix b/hosts/web-01.cloonar.com/sites/mehr-leistbaren-wohnraum-schaffen.at.nix
deleted file mode 100644
index 214f9bd..0000000
--- a/hosts/web-01.cloonar.com/sites/mehr-leistbaren-wohnraum-schaffen.at.nix
+++ /dev/null
@@ -1,65 +0,0 @@
-{ pkgs, lib, config, ... }:
-let
- domain = "mehr-leistbaren-wohnraum-schaffen.at";
- dataDir = "/var/www/${domain}";
-in {
- services.nginx.virtualHosts."www.${domain}" = {
- enableACME = true;
- forceSSL = true;
- globalRedirect = domain;
- };
- services.nginx.virtualHosts."${domain}" = {
- forceSSL = true;
- enableACME = true;
- acmeRoot = null;
- root = "${dataDir}";
-
- locations."/favicon.ico".extraConfig = ''
- log_not_found off;
- access_log off;
- '';
-
- locations."/".extraConfig = ''
- index index.html;
- '';
-
- locations."~* \.(jpe?g|png)$".extraConfig = ''
- set $red Z;
-
- if ($http_accept ~* "webp") {
- set $red A;
- }
-
- if (-f $document_root/webp/$request_uri.webp) {
- set $red "''${red}B";
- }
-
- if ($red = "AB") {
- add_header Vary Accept;
- rewrite ^ /webp/$request_uri.webp;
- }
- '';
-
- locations."~* \.(js|jpg|gif|png|webp|css|woff2)$".extraConfig = ''
- expires 365d;
- add_header Pragma "public";
- add_header Cache-Control "public";
- '';
-
- locations."~ [^/]\.php(/|$)".extraConfig = ''
- deny all;
- '';
- };
- users.users."mehr-leistbaren-wohnraum" = {
- isNormalUser = true;
- createHome = true;
- home = dataDir;
- homeMode= "770";
- #home = "/home/${domain}";
- group = "nginx";
- openssh.authorizedKeys.keys = [
- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDWrkjt5+tIGAi0Q9ViFlFARGxMxoDaxI7lu1AtIlluhOXvJrX33roxV+PF+ky6ZQFcwd5xRy1HkXkfsBJVlRstrZXiqbP9DaSO3arSTQmiezSWgeLD9r3aktsPINgENkMBSUgURVRDaO0B/PA5MylOoijFaxmHEFMa8ZNYwKj/tWKt6+NI9UxUW3fSZXipOohvdzPxoD5YjjlyivtQCbfcpFa46Q08TIiUNEBnSTIKbDuVGgNtKXd5ELRtl7HRcT9iwPfmmVPHVMXREnVma47pABe+54Qrh6N8MzSJLOLJy/kRM2iw/ovxGEWE8rPqaoPszaEPxDEpEmRMyqNb5ZAuWG3NvUOiU5rijSvP8H9QVubJyNC4DHYYeBa1Kw2iAqnzdsneyHz01vVRQh7qa4Aonuzk2VfrW08dJbMC7p6tpvQgkdGLrwetgwZRqdGpbWhRV4s816tuoBFTmM3gDWr5R6CAPmzmykhTi8IbJ5LTua5t7+82wIMA026BNvRbndk="
- ];
- };
- users.groups.${domain} = {};
-}
diff --git a/hosts/web-01.cloonar.com/sites/mehr-leistbaren-wohnraum-schaffen.cloonar.dev.nix b/hosts/web-01.cloonar.com/sites/mehr-leistbaren-wohnraum-schaffen.cloonar.dev.nix
deleted file mode 100644
index fdba151..0000000
--- a/hosts/web-01.cloonar.com/sites/mehr-leistbaren-wohnraum-schaffen.cloonar.dev.nix
+++ /dev/null
@@ -1,60 +0,0 @@
-{ pkgs, lib, config, ... }:
-let
- domain = "mehr-leistbaren-wohnraum-schaffen.cloonar.dev";
- dataDir = "/var/www/${domain}";
-in {
- services.nginx.virtualHosts."${domain}" = {
- forceSSL = true;
- enableACME = true;
- acmeRoot = null;
- root = "${dataDir}";
-
- locations."/favicon.ico".extraConfig = ''
- log_not_found off;
- access_log off;
- '';
-
- locations."/".extraConfig = ''
- index index.html;
- '';
-
- locations."~* \.(jpe?g|png)$".extraConfig = ''
- set $red Z;
-
- if ($http_accept ~* "webp") {
- set $red A;
- }
-
- if (-f $document_root/webp/$request_uri.webp) {
- set $red "''${red}B";
- }
-
- if ($red = "AB") {
- add_header Vary Accept;
- rewrite ^ /webp/$request_uri.webp;
- }
- '';
-
- locations."~* \.(js|jpg|gif|png|webp|css|woff2)$".extraConfig = ''
- expires 365d;
- add_header Pragma "public";
- add_header Cache-Control "public";
- '';
-
- locations."~ [^/]\.php(/|$)".extraConfig = ''
- deny all;
- '';
- };
- users.users."mehr-leistbaren-wohnraum-dev" = {
- isNormalUser = true;
- createHome = true;
- home = dataDir;
- homeMode= "770";
- #home = "/home/${domain}";
- group = "nginx";
- openssh.authorizedKeys.keys = [
- "ssh-rsa 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"
- ];
- };
- users.groups.${domain} = {};
-}
diff --git a/hosts/web-01.cloonar.com/sites/module.paraclub.at.nix b/hosts/web-01.cloonar.com/sites/module.paraclub.at.nix
deleted file mode 100644
index cf17b07..0000000
--- a/hosts/web-01.cloonar.com/sites/module.paraclub.at.nix
+++ /dev/null
@@ -1,44 +0,0 @@
-{ pkgs, lib, config, ... }:
-let
- domain = "module.paraclub.at";
- dataDir = "/var/www/${domain}";
-in {
- services.nginx.virtualHosts."${domain}" = {
- forceSSL = true;
- enableACME = true;
- acmeRoot = null;
- root = "${dataDir}";
-
- locations."/favicon.ico".extraConfig = ''
- log_not_found off;
- access_log off;
- '';
-
- locations."/".extraConfig = ''
- index index.html;
- try_files $uri $uri/ /index.html$is_args$args;
- '';
-
- locations."~* \.(js|jpg|gif|png|webp|css|woff2)$".extraConfig = ''
- expires 365d;
- add_header Pragma "public";
- add_header Cache-Control "public";
- '';
-
- locations."~ [^/]\.php(/|$)".extraConfig = ''
- deny all;
- '';
- };
- users.users."${domain}" = {
- isNormalUser = true;
- createHome = true;
- home = dataDir;
- homeMode= "770";
- #home = "/home/${domain}";
- group = "nginx";
- openssh.authorizedKeys.keys = [
- "ssh-rsa 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"
- ];
- };
- users.groups.${domain} = {};
-}
diff --git a/hosts/web-01.cloonar.com/sites/module.paraclub.cloonar.dev.nix b/hosts/web-01.cloonar.com/sites/module.paraclub.cloonar.dev.nix
deleted file mode 100644
index 94a93ac..0000000
--- a/hosts/web-01.cloonar.com/sites/module.paraclub.cloonar.dev.nix
+++ /dev/null
@@ -1,45 +0,0 @@
-{ pkgs, lib, config, ... }:
-let
- domain = "module.paraclub.cloonar.dev";
- dataDir = "/var/www/${domain}";
-in {
- services.nginx.virtualHosts."${domain}" = {
- forceSSL = true;
- enableACME = true;
- acmeRoot = null;
- root = "${dataDir}";
-
- locations."/favicon.ico".extraConfig = ''
- log_not_found off;
- access_log off;
- '';
-
- locations."/".extraConfig = ''
- index index.html;
- try_files $uri $uri/ /index.html$is_args$args;
- '';
-
- locations."~* \.(js|jpg|gif|png|webp|css|woff2)$".extraConfig = ''
- expires 365d;
- add_header Pragma "public";
- add_header Cache-Control "public";
- '';
-
- locations."~ [^/]\.php(/|$)".extraConfig = ''
- deny all;
- '';
- };
- users.users."${domain}" = {
- isNormalUser = true;
- createHome = true;
- home = dataDir;
- homeMode= "770";
- #home = "/home/${domain}";
- group = "nginx";
- openssh.authorizedKeys.keys = [
- "ssh-rsa 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"
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC0j0teJ1v7Ke2NYVWlHOd4sYBiE8uLHAtY+Myi7g267"
- ];
- };
- users.groups.${domain} = {};
-}
diff --git a/hosts/web-01.cloonar.com/sites/optiprot.cloonar.dev.nix b/hosts/web-01.cloonar.com/sites/optiprot.cloonar.dev.nix
deleted file mode 100644
index ebd841a..0000000
--- a/hosts/web-01.cloonar.com/sites/optiprot.cloonar.dev.nix
+++ /dev/null
@@ -1,15 +0,0 @@
-{ pkgs, lib, config, ... }:
-{
- services.webstack.instances."optiprot.cloonar.dev" = {
- authorizedKeys = [
- "ssh-rsa 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"
- ];
- locations."~ \"^/en/products/[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$\"".extraConfig = ''
- try_files $uri $uri/ /en/products/index.php?$args;
- '';
- locations."~ \"^/de/produkte/[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$\"".extraConfig = ''
- try_files $uri $uri/ /de/produkte/index.php?$args;
- '';
- phpPackage = pkgs.php81;
- };
-}
diff --git a/hosts/web-01.cloonar.com/sites/optiprot.eu.nix b/hosts/web-01.cloonar.com/sites/optiprot.eu.nix
deleted file mode 100644
index e5295c0..0000000
--- a/hosts/web-01.cloonar.com/sites/optiprot.eu.nix
+++ /dev/null
@@ -1,15 +0,0 @@
-{ pkgs, lib, config, ... }:
-{
- services.webstack.instances."optiprot.eu" = {
- authorizedKeys = [
- "ssh-rsa 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"
- ];
- locations."~ \"^/en/products/[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$\"".extraConfig = ''
- try_files $uri $uri/ /en/products/index.php?$args;
- '';
- locations."~ \"^/de/produkte/[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$\"".extraConfig = ''
- try_files $uri $uri/ /de/produkte/index.php?$args;
- '';
- phpPackage = pkgs.php81;
- };
-}
diff --git a/hosts/web-01.cloonar.com/sites/paraclub.at.nix b/hosts/web-01.cloonar.com/sites/paraclub.at.nix
deleted file mode 100644
index e5a4ba3..0000000
--- a/hosts/web-01.cloonar.com/sites/paraclub.at.nix
+++ /dev/null
@@ -1,43 +0,0 @@
-{ pkgs, lib, config, ... }:
-let
- domain = "paraclub.at";
- dataDir = "/var/www/${domain}";
-in {
- services.nginx.virtualHosts."${domain}" = {
- forceSSL = true;
- enableACME = true;
- acmeRoot = null;
- root = "${dataDir}";
-
- locations."/favicon.ico".extraConfig = ''
- log_not_found off;
- access_log off;
- '';
-
- locations."/".extraConfig = ''
- index index.html;
- '';
-
- locations."~* \.(js|jpg|gif|png|webp|css|woff2)$".extraConfig = ''
- expires 365d;
- add_header Pragma "public";
- add_header Cache-Control "public";
- '';
-
- locations."~ [^/]\.php(/|$)".extraConfig = ''
- deny all;
- '';
- };
- users.users."${domain}" = {
- isNormalUser = true;
- createHome = true;
- home = dataDir;
- homeMode= "770";
- #home = "/home/${domain}";
- group = "nginx";
- openssh.authorizedKeys.keys = [
- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDbSqS0TrJnmihjuIwLY74jKmuErF5jarQeVEQbnl7k8DDfVXP6DKybK2wVRIrAMN2VQzgXWWyRj2wNZrvq1whZon6CrEDxDVN/VDGS99pazczbrypmycVnPsevtS3wrEhiQrwCplkPxoZGlSAPGtx3SOzql+iG7xrhJfuPDCgwIboKf8Tir170aflH7ZfXqUX+V5QMbOn+roT8Tj7vUd/za3o3okJQrW3NUHT6/0TDkGsn+lJp30e94GF5RDLUJgM8pBf45WM94dv1uEfRI7+AQJZRta3X2VNSbb8I2dPNLmgxYQaW1VtwGP/RfxoFESdQubN74p+VxNeP7z5AFiZfhEYb0yiAwXiavN7fStXX/MKXxMicS2fdGzieXLWpLol70xx19492kOnlzoiPKJRosNw8N60R+AkbPYdwl5z5uKDn1ve79YaWB3KWS5Pcr9IT1wZAc48UePL6QtcDppHe8tUflPP5h/LCKOmAioWG59YF5pKfYNLSXJzmiudzzrs="
- ];
- };
- users.groups.${domain} = {};
-}
diff --git a/hosts/web-01.cloonar.com/sites/paraclub.cloonar.dev.nix b/hosts/web-01.cloonar.com/sites/paraclub.cloonar.dev.nix
deleted file mode 100644
index a18d6b3..0000000
--- a/hosts/web-01.cloonar.com/sites/paraclub.cloonar.dev.nix
+++ /dev/null
@@ -1,44 +0,0 @@
-{ pkgs, lib, config, ... }:
-let
- domain = "paraclub.cloonar.dev";
- dataDir = "/var/www/${domain}";
-in {
- services.nginx.virtualHosts."${domain}" = {
- forceSSL = true;
- enableACME = true;
- acmeRoot = null;
- root = "${dataDir}";
-
- locations."/favicon.ico".extraConfig = ''
- log_not_found off;
- access_log off;
- '';
-
- locations."/".extraConfig = ''
- index index.html;
- '';
-
- locations."~* \.(js|jpg|gif|png|webp|css|woff2)$".extraConfig = ''
- expires 365d;
- add_header Pragma "public";
- add_header Cache-Control "public";
- '';
-
- locations."~ [^/]\.php(/|$)".extraConfig = ''
- deny all;
- '';
- };
- users.users."${domain}" = {
- isNormalUser = true;
- createHome = true;
- home = dataDir;
- homeMode= "770";
- #home = "/home/${domain}";
- group = "nginx";
- openssh.authorizedKeys.keys = [
- "ssh-rsa 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"
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM6QT0k58R90NrmDIjP1bNalHnwr9Y++tOhV9kRUVivI"
- ];
- };
- users.groups.${domain} = {};
-}
diff --git a/hosts/web-01.cloonar.com/sites/stage.korean-skin.care.nix b/hosts/web-01.cloonar.com/sites/stage.korean-skin.care.nix
deleted file mode 100644
index 03b73ef..0000000
--- a/hosts/web-01.cloonar.com/sites/stage.korean-skin.care.nix
+++ /dev/null
@@ -1,61 +0,0 @@
-{ pkgs, lib, config, ... }:
-let
- user = "stage_korean_skin_care";
- domain = "stage.korean-skin.care";
- dataDir = "/var/www/${domain}";
-in {
- services.nginx.virtualHosts."${domain}" = {
- forceSSL = true;
- enableACME = true;
- acmeRoot = null;
- root = "${dataDir}";
-
- locations."/favicon.ico".extraConfig = ''
- log_not_found off;
- access_log off;
- '';
-
- locations."/".extraConfig = ''
- index index.html;
- '';
-
- locations."~* \.(jpe?g|png)$".extraConfig = ''
- set $red Z;
-
- if ($http_accept ~* "webp") {
- set $red A;
- }
-
- if (-f $document_root/webp/$request_uri.webp) {
- set $red "''${red}B";
- }
-
- if ($red = "AB") {
- add_header Vary Accept;
- rewrite ^ /webp/$request_uri.webp;
- }
- '';
-
- locations."~* \.(js|jpg|gif|png|webp|css|woff2)$".extraConfig = ''
- expires 365d;
- add_header Pragma "public";
- add_header Cache-Control "public";
- '';
-
- locations."~ [^/]\.php(/|$)".extraConfig = ''
- deny all;
- '';
- };
- users.users."${user}" = {
- isNormalUser = true;
- createHome = true;
- home = dataDir;
- homeMode= "770";
- #home = "/home/${domain}";
- group = "nginx";
- openssh.authorizedKeys.keys = [
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHLGkR8JVFtyFnsXTooT/krORpPDdnFk612GW1agaOeG"
- ];
- };
- users.groups.${user} = {};
-}
diff --git a/hosts/web-01.cloonar.com/sites/stage.myhidden.life.nix b/hosts/web-01.cloonar.com/sites/stage.myhidden.life.nix
deleted file mode 100644
index 1596040..0000000
--- a/hosts/web-01.cloonar.com/sites/stage.myhidden.life.nix
+++ /dev/null
@@ -1,49 +0,0 @@
-{ pkgs, lib, config, ... }:
-{
- services.webstack.instances."stage.myhidden.life" = {
- enableDefaultLocations = false;
- enableMysql = true;
- authorizedKeys = [
- "ssh-rsa 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"
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJW5N11DiAUBfjPFCcFX3CRzF6zAWD2sxMC1+IGC73/2"
- ];
- extraConfig = ''
- add_header X-Frame-Options "SAMEORIGIN";
- add_header X-Content-Type-Options "nosniff";
-
- index index.php
-
- charset utf-8;
-
- error_page 404 /index.php;
- '';
- locations."/favicon.ico".extraConfig = ''
- log_not_found off;
- access_log off;
- '';
- locations."/robots.txt".extraConfig = ''
- access_log off;
- log_not_found off;
- '';
-
- locations."/".extraConfig = ''
- try_files $uri $uri/ /index.php$is_args$args;
- '';
- phpPackage = pkgs.php82.withExtensions ({ enabled, all }:
- enabled ++ [ all.imagick ]);
-
- phpOptions = ''
- upload_max_filesize = 50M
- post_max_size = 50M
- '';
- };
-
- systemd.services."stage-myhidden-life-schedule" = {
- startAt = "*:0/1:0";
- serviceConfig = {
- Type = "oneshot";
- User = "stage_myhidden_life";
- ExecStart = "${pkgs.php83}/bin/php /var/www/stage.myhidden.life/artisan schedule:run";
- };
- };
-}
diff --git a/hosts/web-01.cloonar.com/sites/tandem.paraclub.at.nix b/hosts/web-01.cloonar.com/sites/tandem.paraclub.at.nix
deleted file mode 100644
index 362b359..0000000
--- a/hosts/web-01.cloonar.com/sites/tandem.paraclub.at.nix
+++ /dev/null
@@ -1,45 +0,0 @@
-{ pkgs, lib, config, ... }:
-let
- domain = "tandem.paraclub.at";
- dataDir = "/var/www/${domain}";
- user = builtins.replaceStrings ["." "-"] ["_" "_"] domain;
-in {
- services.nginx.virtualHosts."${domain}" = {
- forceSSL = true;
- enableACME = true;
- acmeRoot = null;
- root = "${dataDir}";
-
- locations."/favicon.ico".extraConfig = ''
- log_not_found off;
- access_log off;
- '';
-
- locations."/".extraConfig = ''
- index index.html;
- try_files $uri $uri/ /index.html$is_args$args;
- '';
-
- locations."~* \.(js|jpg|gif|png|webp|css|woff2)$".extraConfig = ''
- expires 365d;
- add_header Pragma "public";
- add_header Cache-Control "public";
- '';
-
- locations."~ [^/]\.php(/|$)".extraConfig = ''
- deny all;
- '';
- };
- users.users."${user}" = {
- isNormalUser = true;
- createHome = true;
- home = dataDir;
- homeMode= "770";
- #home = "/home/${domain}";
- group = "nginx";
- openssh.authorizedKeys.keys = [
- "ssh-rsa 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"
- ];
- };
- users.groups.${user} = {};
-}
diff --git a/hosts/web-01.cloonar.com/sites/tandem.paraclub.cloonar.dev.nix b/hosts/web-01.cloonar.com/sites/tandem.paraclub.cloonar.dev.nix
deleted file mode 100644
index c7af300..0000000
--- a/hosts/web-01.cloonar.com/sites/tandem.paraclub.cloonar.dev.nix
+++ /dev/null
@@ -1,46 +0,0 @@
-{ pkgs, lib, config, ... }:
-let
- domain = "tandem.paraclub.cloonar.dev";
- dataDir = "/var/www/${domain}";
- user = builtins.replaceStrings ["." "-"] ["_" "_"] domain;
-in {
- services.nginx.virtualHosts."${domain}" = {
- forceSSL = true;
- enableACME = true;
- acmeRoot = null;
- root = "${dataDir}";
-
- locations."/favicon.ico".extraConfig = ''
- log_not_found off;
- access_log off;
- '';
-
- locations."/".extraConfig = ''
- index index.html;
- try_files $uri $uri/ /index.html$is_args$args;
- '';
-
- locations."~* \.(js|jpg|gif|png|webp|css|woff2)$".extraConfig = ''
- expires 365d;
- add_header Pragma "public";
- add_header Cache-Control "public";
- '';
-
- locations."~ [^/]\.php(/|$)".extraConfig = ''
- deny all;
- '';
- };
- users.users."${user}" = {
- isNormalUser = true;
- createHome = true;
- home = dataDir;
- homeMode= "770";
- #home = "/home/${domain}";
- group = "nginx";
- openssh.authorizedKeys.keys = [
- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDpezoJfaqSlQKhbzIRxQysmSmU5tih0SGFh4Eiy3YjfxiJSCRCuVTBCUmnhDCPsJZK+5xEDGarO8UfiqxZfxEyEL5d7IcRQJ/uRSFhYzByGbkziLM760KYqBzaE2Siu+zk625KOm6BN9qWGZdirejwf1Ay9EYmUdNiCMBBFLkPaQkZ8IEuMavf1wHEiZLas25eK7oJWHYKltcluH05QEF+5ODu88nlSpFlz2FjxJSbLDf7qeUba/L2OL124dTU5NIDNzwZLCKjpp8aTYzTaoox7KXUVRmy1X4Or61WhSxw9+LGyrAZLsW+l0a4FgY17V5HnF5/jf8eOpkuVdwtd29KCheJ4BdUfomV8vEt6S0hUP66VqJn6MliuL+10KM6TjLnjg0McPp1LPuSFRoLzO0YetTZzeVc0oBIr9Z3vjm6jt1dYcUtaydn/fc+FgoqpIOLz6EOGCz/CmyaV4rLk2BFKqtx5GP1wbP36hVkyWpREbEMILpFKDOyp21fC67mb0M="
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILamV0WQER05HbpFlKjMBSv/mN3d1kzS0Jxf8O5p/T1L"
- ];
- };
- users.groups.${user} = {};
-}
diff --git a/hosts/web-01.cloonar.com/utils b/hosts/web-01.cloonar.com/utils
deleted file mode 120000
index 6b18391..0000000
--- a/hosts/web-01.cloonar.com/utils
+++ /dev/null
@@ -1 +0,0 @@
-../../utils
\ No newline at end of file